BGP Notes
What is BGP?
Multihoming Cases:
Default routes from each provider: Internal IGP metrics determine the exit
router for all outbound traffic.
Default routes + more specific routes: Enables you to manipulate the exit path for
specific routes using BGP so that traffic takes a shorter path to networks in each
ISP.
All routes from all providers: Requires high bandwidth and router resources.
Path selection for all external routes can be controlled via BGP and policy
routing tools.
Ways to get routes into BGP:
-network commands
-redistribution
Characteristics:
Routers running BGP are termed BGP speakers. Neighbors are peers; must be
statically assigned.
Runs on top of TCP (Port 179) - used for reliability.
Path-vector: Fancy distance vector based on hop count between autonomous
systems.
ASN #s 1-64550 – Assigned to you by IANA. BGP Version 4 is the only EGP.
Updates are incremental and triggered: only what has changed is sent. Slow to
converge. Periodic keepalive messages are used to maintain neighbor
relationships.
When an update about a network leaves an AS, that AS’s number is prepended
to the list of ASs that have handled that update. When an AS receives an update,
it examines the AS list. If it finds its own ASN in that list, the update is
discarded. Loop prevention.
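As an added illustration (not part of the original notes), the two halves of this rule written out in Python: prepend the local ASN on export, discard on receipt if the local ASN is already in the AS_PATH. The ASNs and prefix are constructed sample values.

```python
# Added example (not from the notes): AS_PATH loop prevention.  A speaker
# prepends its own ASN when it exports an update, and discards any update
# whose AS_PATH already contains its own ASN.  ASNs/prefix are constructed.
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Update:
    prefix: str
    as_path: List[int] = field(default_factory=list)


def export_update(update: Update, local_asn: int) -> Update:
    """Update as sent to an eBGP peer: the local ASN is prepended, so AS_PATH
    grows by one entry for every AS it crosses."""
    return Update(update.prefix, [local_asn] + update.as_path)


def accept_update(update: Update, local_asn: int) -> bool:
    """Receiver-side check: an update already carrying our ASN has looped."""
    return local_asn not in update.as_path


def propagate(origin_asn: int, prefix: str,
              chain: List[int]) -> List[Tuple[int, bool, List[int]]]:
    """Walk an update along a chain of ASNs.  Each entry records the
    receiving ASN, whether it accepted the update, and the AS_PATH it saw.
    Propagation stops at the first AS that detects the loop."""
    trace = []
    current = export_update(Update(prefix), origin_asn)
    for asn in chain:
        ok = accept_update(current, asn)
        trace.append((asn, ok, list(current.as_path)))
        if not ok:
            break
        current = export_update(current, asn)
    return trace


if __name__ == "__main__":
    # 10.1.0.0/16 originates in AS 100 and travels 100 -> 200 -> 300 -> back to 100
    for asn, ok, path in propagate(100, "10.1.0.0/16", [200, 300, 100]):
        print(f"AS{asn}: {'accepted' if ok else 'DISCARDED'} AS_PATH={path}")
```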
Routing Information Base (RIB): a list of networks known by BGP along with
their paths and attributes; viewed with "sh ip bgp".
BGP uses many attributes, and each route carries its own set. Best-path selection
goes through the attributes from top to bottom until it finds one that isn't a tie.
Default route: a single 0.0.0.0 route out one path, while incoming traffic has two
routes in; if one ISP fails, routes converge toward the alternate ISP.
Partial updates - Useful in a situation where two ISPs serve two areas
differently. One route out can prefer an ISP who is better in one area, while the
other route out prefers the other ISP. There are still backup routes out both ways
as a failover.
Full updates - Router will receive entire BGP table from each connected ISP
and decide best path for each network.
Packet types (4):
Open: Starts the session (the hello). After a neighbor is configured, BGP sends an
Open to establish peering; it carries the ASN, RID, and hold time.
Keepalive: Resets the hold-down timer. 60 seconds by default.
Update: Most common. Network reachability exchanges (up/down) and path
attributes.
Notification: Something bad has happened (error on the connection, too many
missed packets, wrong AS); the session is closed.
To add a neighbor:
When doing either of the above, you must also set the source IP, or the
neighbors will not form:
router) neighbor [IP] update-source [Loopback#]
BGP assumes that external neighbors are directly connected and that they are
peering with the IP of a directly connected interface of their neighbor. If not,
you must tell BGP to look more than one hop away for its neighbor. This breaks
the above. To resolve, use multihop:
router) neighbor [IP] ebgp-multihop [# of hops to neighbor]
The network command tells BGP what networks to advertise, regardless of
interface. Hostmasks must be identical if advertising a subnet. Networks do not
have to be connected; they just have to be in the routing table:
router) network [IP] (mask) [hostmask]
Synchronization - Do not use or advertise a route learned via iBGP until the
same route has been learned via the internal routing protocol. If other internal
routers don’t know the route, the end network will be unreachable. Off by
default in newer releases.
Next-Hop Processing:
eBGP - Changes the next hop address on advertised routes.
iBGP - Does not change the next hop address on advertised routes. Meant for
networks that share the same segment so routes don't have an extra hop. iBGP
routers must have a route to the network connecting their AS to the edge router.
eBGP-learned routes passed to iBGP neighbors won't have the correct next hop
address unless the edge router sets:
router) neighbor [IP] next-hop-self
BGP Confederation
#################
Reduces the full-mesh iBGP requirement by splitting the AS into smaller sub-ASes
-> inside a sub-AS the full-mesh or RR requirement remains
-> between sub-ASes it acts like eBGP
Devices outside the confederation do not know about the internal structure
-> sub-AS numbers are stripped from advertisements to "true" eBGP peers
Typically uses ASNs in the private range (64512-65635)
Attributes:
Attributes are tags carried on incoming/outgoing BGP routes; together they make
up a route's metric.
The BGP update message lists a set of path attributes (PAs), plus any
prefixes/lengths that use those PAs. It can also list withdrawn routes in the same
update message as newly advertised routes, and multiple prefixes in a single
update message.
Well-known mandatory: Must be recognized by all BGP routers and present in all
updates: AS Path, origin, next hop.
Attributes: Work top down. The tie is usually broken in steps 1-4. Need to know 1-5!
N WLLA OMNI: Next hop > Weight > Local_Pref > Locally sourced > AS-Path >
Origin > MED > Neighbor type > IGP metric
Autonomous system path (AS-Path - Mandatory)
Next hop address (Mandatory)
Origin (Mandatory)
Local preference (Discretionary)
Atomic aggregate (Discretionary)
Aggregator (Optional)
Multi-Exit Discriminator (MED/Metric) (Optional)
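Added example (not from the notes): the N WLLA OMNI order above expressed as a Python sort key, with the next-hop reachability test applied first so that an invalid path (no "*" in "sh ip bgp" terms) is never a candidate. Attribute names, next-hop addresses and ASNs are constructed.

```python
# Added example (not from the notes): the N WLLA OMNI selection order as a sort
# key.  A path whose NEXT_HOP is unreachable is invalid and never considered,
# which is why "Next hop" sits first.  Values below are constructed samples.
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Tuple

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}   # lower is better
STEPS = ("weight", "local_pref", "locally_sourced", "as_path_length",
         "origin", "med", "neighbor_type", "igp_metric")


@dataclass
class Path:
    next_hop: str
    weight: int = 0                 # Cisco-local, higher wins
    local_pref: int = 100           # higher wins; 100 is the default
    locally_sourced: bool = False   # network/redistribute beats learned
    as_path: Tuple[int, ...] = ()   # shorter wins
    origin: str = "igp"             # igp < egp < incomplete
    med: int = 0                    # lower wins
    ebgp: bool = True               # eBGP preferred over iBGP
    igp_metric: int = 0             # lower metric to NEXT_HOP wins


def preference_key(p: Path) -> tuple:
    """Ordered so that min() picks the best path; negation flips 'higher wins'."""
    return (-p.weight, -p.local_pref, 0 if p.locally_sourced else 1,
            len(p.as_path), ORIGIN_RANK[p.origin], p.med,
            0 if p.ebgp else 1, p.igp_metric)


def best_path(paths: Iterable[Path], reachable: Set[str]) -> Optional[Path]:
    """Best valid path, or None when no candidate has a reachable NEXT_HOP."""
    valid = [p for p in paths if p.next_hop in reachable]
    return min(valid, key=preference_key) if valid else None


def deciding_step(a: Path, b: Path) -> Optional[str]:
    """Name of the first attribute on which two valid paths differ."""
    for name, x, y in zip(STEPS, preference_key(a), preference_key(b)):
        if x != y:
            return name
    return None
```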
BGP States:
Active State:
If the router was unable to establish a successful TCP session, it ends up in the
Active state.
If there is an error, it is because one of the fields in the Open message doesn't
match between the peers, e.g. BGP version mismatch, MD5 password mismatch,
or the peering router expects a different My AS. The router then sends a
Notification message to the peer indicating why the error occurred.
If there is no error, a Keepalive message is sent, various timers are set, and the
state changes to Open Confirm.
Open Confirm: Router has received a reply to the Open message.
If there is any error in the Update message then a Notification message is sent to
the peer, and BGP transitions back to the Idle state.
If a timer expires before a Keepalive message is received, or if an error
condition occurs, the router transitions back to the Idle state.
* = valid path
Local preference - Set under router BGP. 100 is default. Tells iBGP peers which
path to select for traffic leaving the AS.
router) bgp default local-preference [#]
Can also use a route-map to set per network.
router) neighbor [IP] route-map (NAME) [in/out]
BGP Filtering
###########
BGP update filtering is applied on a per-peer basis with one of:
-neighbor [address] distribute-list
-neighbor [address] filter-list
-neighbor [address] prefix-list
-neighbor [address] route-map
BGP Convergence
################
Defaults
keepalive: 60 seconds
holdtime: 180 seconds
Update timers
-neighbor advertisement-interval
-bgp nexthop {trigger {delay seconds | enable} | route-map map-name}
-bgp scan-time
-bgp update-delay
Route dampening:
Route dampening is the feature that reduces propagation of flapping routes in
the Internet. Route flapping occurs when IP routes are removed and put back in
a routing table. This can be because of physical layer failure, routing protocol
failure, or router node failure, and so on. Route dampening applies to EBGP
neighbors only.
First, the routes to be “observed” must be identified using an access-list or
prefix-list:
Router(config)# ip prefix-list MYLIST seq 10 permit 10.1.0.0/16
Router(config)# ip prefix-list MYLIST seq 20 permit 10.2.0.0/16
Next, dampening values must be configured using a route-map:
Router(config)# route-map MYMAP permit 10
Router(config-route-map)# match ip address prefix-list MYLIST
Router(config-route-map)# set dampening 15 750 2000 60
Router# show ip bgp dampened-paths
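To make the four numbers in "set dampening 15 750 2000 60" concrete, here is an added Python simulation (not from the notes) of the penalty arithmetic: half-life 15 minutes, reuse limit 750, suppress limit 2000, max-suppress 60 minutes. The 1000-point penalty per flap is the Cisco default; the flap timings are constructed.

```python
# Added example (not from the notes): penalty arithmetic behind
# "set dampening 15 750 2000 60".  A flap adds FLAP_PENALTY (Cisco default
# 1000); the penalty halves every half-life; the route is suppressed once the
# penalty exceeds the suppress limit and reused once it falls below reuse.
from dataclasses import dataclass
from typing import List, Tuple

FLAP_PENALTY = 1000


@dataclass
class Dampening:
    half_life_min: float = 15
    reuse: int = 750
    suppress: int = 2000
    max_suppress_min: float = 60

    def decay(self, penalty: float, minutes: float) -> float:
        """Exponential decay: the penalty is halved every half_life_min."""
        return penalty * 2 ** (-minutes / self.half_life_min)

    def max_penalty(self) -> float:
        """Ceiling implied by max-suppress: a penalty above this would take
        longer than max_suppress_min to decay back down to the reuse limit."""
        return self.reuse * 2 ** (self.max_suppress_min / self.half_life_min)


def simulate(policy: Dampening, flap_minutes: List[int],
             horizon_min: int) -> List[Tuple[int, int, bool]]:
    """Replay flaps at the given minutes in one-minute steps, returning
    (minute, rounded penalty, suppressed) for each step."""
    penalty, suppressed, history = 0.0, False, []
    pending = sorted(flap_minutes)
    for t in range(horizon_min + 1):
        if t > 0:
            penalty = policy.decay(penalty, 1)
        while pending and pending[0] == t:        # apply this minute's flaps
            pending.pop(0)
            penalty = min(penalty + FLAP_PENALTY, policy.max_penalty())
        if penalty > policy.suppress:
            suppressed = True
        elif penalty < policy.reuse:
            suppressed = False
        history.append((t, round(penalty), suppressed))
    return history
```

Three flaps within three minutes push the penalty to about 2867, so the route is suppressed at minute 2 and stays suppressed until the penalty decays below 750, roughly half an hour later.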
BGP Backdoor:
eBGP has an administrative distance of 20; however, you may want to prefer routes
from your IGP (OSPF, EIGRP, etc.) over eBGP. You can do this with the backdoor
command. For example, to give the BGP route to 172.0.0.0/8 an AD of 200:
router bgp 7500
network 172.0.0.0 mask 255.0.0.0 backdoor
BGP Troubleshooting
Problem: BGP peering is not getting established between routers.
Cause:
1) Peer IP address is not reachable.
2) Port 179 is blocked by a firewall or access-list.
3) BGP configuration is not correct, e.g. wrong peer address, local-as or
remote-as, wrong AS number, wrong authentication/MD5 password, or wrong
update-source loopback.
4) Static route is missing for the loopback address end to end.
5) TTL=1 for the eBGP neighbor; ebgp-multihop is not configured.
6) MD5 authentication has a "space" in the password.
7) Duplicate router-id between BGP neighbors.
Debugging commands:
debug ip bgp
debug ip tcp transactions
debug ip bgp events
Solution:
a) Ensure BGP local and remote AS configuration is correct.
b) MD5 authentication password is correct on both sides without spaces.
c) Verify update-source loopback and ebgp-multihop.
d) Port 179 is allowed in the path at both ends via access-list. Ensure the firewall
is not blocking.
Cause:
1. Keepalive mismatch
2. MTU mismatch.
3. Hellos are stuck in OutQ behind update packets.
4. Remote router rebooting continually (typical with a 3-5 minute BGP peering
cycle time)
5. Remote router BGP process unstable, restarting
6. Traffic shaping & rate limiting parameters
7. MTU incorrectly set on links, PMTU discovery disabled on the router.
8. Output drops on the interface or congestion on the queue.
9. High CPU on the router or CPU spike on the router.
Solution:
a) Make sure you have the same keepalive on both routers.
b) Make sure you have the same MTU and can ping with a 1500-byte MTU with the
DF bit set.
c) If the MTU mismatch cannot be fixed, use path-mtu discovery to overcome it.
Tip: BGP update packets are packed to the size of the MTU – keepalives and
BGP OPEN packets are not packed to the size of the MTU ⇒ Path MTU
problem.
Cause:
1. Paths that are marked as not synchronized in the show ip bgp longer-prefixes
output
2. Paths for which the NEXT_HOP is inaccessible
3. Paths from an external BGP (eBGP) neighbor if the local autonomous system
(AS) appears in the AS_PATH
4. If you enabled bgp enforce-first-as and the UPDATE does not contain the
AS of the neighbor as the first AS number in the AS_SEQUENCE
5. Paths that are marked as (received-only) in the show ip bgp longer-prefixes
output
Solution:
a) Be sure that there is an Interior Gateway Protocol (IGP) route to the
NEXT_HOP that is associated with the path.
Preliminary Checks
• Verify Configuration
• Peering IP Address
• AS Number
• MD5 Authentication (Optional)
• ebgp-multihop hop-count (eBGP only)
• Verify Reachability
• ping remote-ip source source-ip
• If reachability issues found:
• Use traceroute to verify where the trace is dropping
• BGP will not use the default route to reach a neighbor!
disable-connected-check
• For eBGP peers, BGP takes two special precautions
• Uses TTL of 1
• Verifies if NEXTHOP is on a directly attached network
• For eBGP peers more than 1 hop away, a larger TTL must be used
• This automatically disables the NEXTHOP connected check
• For eBGP peers 1 hop away, use neighbor disable-connected-check
• Ideal for peering direct neighbors through their loopbacks
Some ACLs blocking on Firewall
• Verify any Firewall / ACLs in the path for TCP port 179
• If using ASA as a firewall, make sure BGP Pass-Through is configured
• ASA / PIX offsets TCP SeqNos with a random number for every TCP session
• Causes MD5 authentication to fail
• ASA strips off TCP option 19
Problem With the TCP Process:
Stable BGP peers going into Idle State
BGP Peering has been up for months, but all of a sudden, BGP session goes
down and never comes back up
Notifications – Hold Time Expired
### #########################################
Stale Routes
Symptoms and Possible Causes
Symptoms
• Stale Entry to BGP Peer
• Traffic Black-Hole
• Outage
Possible Causes
How to Troubleshoot?
• On IOS, it is difficult to get to the root cause after the problem has occurred
• Enable conditional debugs and wait for the issue to happen again
• Reproduce the problem in lab environment (hard but not impossible)
• On IOS XR, use show bgp trace and BGP debugs to understand if the
advertisement has been sent/received
• Debug
• On NX-OS, use show bgp internal event-history { events | errors } to figure
out if the prefix has been received / advertised
##################################
Route Churn
Define “High”
• Know what normal CPU utilization is for the router in question
• Is the CPU spiking due to “BGP Scanner” or is it constant?
Some Scenarios: -