Configuring BGP
Andrei Bot
June 18th, 2012

References:
1. Routing TCP/IP, Volume II (CCIE Professional Development), by Jeff Doyle (CCIE No. 1919) and Jennifer Carroll (CCIE No. 1402)
2. CCIE Routing & Switching Lab Workbook for CCIEv4.0, Volume I, by internetworkexpert.com
3. Internet Routing Architectures, Second Edition, by Sam Halabi with Danny McPherson
4. Practical BGP, by Russ White, Danny McPherson and Srihari Sangli
5. Cisco BGP-4 Command and Configuration Handbook (CCIE Professional Development), by William R. Parkhurst (CCIE No. 2969)
• Introduction
• BGP Basics
• BGP Basic configuration
• IBGP deployment (Route Reflectors, Confederations, BGP over GRE)
• BGP Best Path Selection and BGP Attributes
• BGP Communities
• BGP Filtering
• BGP Aggregation
The Origins of BGP
In the early 1980s, the routers (gateways) that made up the network ran a distance vector routing protocol known as the Gateway-to-Gateway Protocol (GGP). Every router knew a route to every reachable network, at a distance measured in router hops. As the network grew, its architects foresaw the same problem that any growing internetwork encounters today: their routing protocol did not scale well. The solution proposed in RFC 872 was to migrate the network from a single internetwork to a system of interconnected, autonomously controlled internetworks: from a single network (a network of networks) to a network of ASs, each of which is itself an internetwork.
Within each internetwork, known as an Autonomous System (AS), the administrative authority for that AS is free to manage the internetwork as it chooses. In effect, the concept of an AS adds a hierarchical structure to the network. Just as a network is identified by an IP address, an AS is identified by a 16-bit AS number (1 – 65535). Because these routers are interior to an AS, their routing protocols are known as Interior Gateway Protocols (IGPs). Because GGP was the routing protocol in use at the time, it became by default the first IGP; it was later replaced by more advanced protocols such as RIP, RIPv2, EIGRP, OSPF and IS-IS. Each AS is connected to other ASs via one or more exterior routers. RFC 827 proposed that the exterior routers share routing information with each other via a protocol known as EGP. Contrary to popular belief, although EGP is a distance vector protocol, it is not a routing protocol, because it had no algorithm for choosing an optimal path between networks. EGP was used to exchange reachability information with other exterior routers. This reachability information is a simple list of major network addresses and the address by which each can be reached.
Introduction to Border Gateway Protocol v4
BGP was first introduced as an entirely new inter-AS routing protocol in 1989 in RFC 1105. Over the years the initial version went through several revisions. The current version, BGP-4, was introduced in 1995 in RFC 1771. Who needs BGP? An important principle to remember when working with inter-AS traffic is that each physical link actually represents two logical links: one for incoming traffic and one for outgoing traffic.
A Single-Homed Autonomous System
• BGP, or any other type of routing protocol, is unnecessary. If the single link fails, no routing decision needs to be made, because no alternative route exists. A routing protocol accomplishes nothing.
• The obvious vulnerability of this topology is that the entire connection is a single point of failure. What is lacking? … Redundancy.
Multi-homing to a Single Autonomous System
The one consideration is whether asymmetric traffic patterns will become a concern. If the geographical separation between the two points is large enough, you might need better control of the routing, and you might now consider BGP. Although this design is an improvement over the single-homed scenario because of the redundant link, the ISP itself might still represent a single point of failure.
Multi-homing to Multiple Autonomous Systems
In this scenario the subscriber could still forgo BGP by using a primary/backup ISP or by having two default routes injected into the subscriber domain (load balancing).
For incoming traffic, the most reliable solution is to have all internal routes advertised to both providers. This setup ensures that all destinations within the subscriber AS are reachable via either ISP. For outgoing traffic, if full routes are accepted from both providers, the best route for every Internet destination is chosen. In some cases, however, one provider might be preferred for full Internet connectivity and the other provider preferred only for some destinations.
If router CPU and memory limitations prohibit taking full routes, partial routes from both providers are also an option. However, some routing accuracy is traded for savings in router hardware. In a partial-routes scenario, each ISP might send its own customer routes and also the customer routes of its upstream provider.
BGP is similar to a distance vector protocol in that each BGP node relies on downstream neighbors to pass along routes from their routing tables. Distance vector protocols quantify the distance with a single number (hop count, cost, etc.). In contrast, BGP uses a list of the AS numbers through which a packet must pass to reach the destination. Because the list describes the path a packet must take, BGP is called a path vector routing protocol. The list of AS numbers associated with a BGP route is called the AS_PATH and is one of several path attributes associated with each route. The AS_PATH attribute is what qualifies BGP as a routing protocol (loop-free and shortest path).
BGP peers are also known as BGP neighbors and can be either internal or external to the autonomous system. When BGP runs between routers in different autonomous systems it is called EBGP; between routers within the same autonomous system it is called IBGP. By default, routers running EBGP should be directly connected to each other. Routers running IBGP do not have to be directly connected as long as they can reach each other so that a TCP connection can be established.
BGP Databases
A router running BGP keeps its own tables to store the BGP information that it receives from and sends to other routers, including a neighbors table and a BGP table (forwarding DB). For BGP to establish an adjacency, a neighbor is manually configured. Once an adjacency is established, the neighbors exchange BGP routes, which are installed in the routing table. Each router collects these routes from each neighbor and places them in the BGP table. The best route for each network is selected from the BGP table using the best path selection algorithm, and then that route is sent to the routing table.
BGP Message Types
Before establishing a BGP peer connection, the two neighbors must perform the standard TCP three-way handshake and open a TCP connection to port 179. TCP provides the fragmentation, retransmission, acknowledgement and sequencing functions necessary for a reliable connection, relieving BGP of those duties.
The four BGP message types are OPEN, KEEPALIVE, UPDATE and NOTIFICATION. After the TCP session is established, the first message sent by each side to bring up the BGP session is an OPEN message. Each neighbor uses this message to identify itself and to specify its BGP operational capabilities.
BGP peers initially exchange their full BGP routing tables. Afterwards, incremental updates are sent only after topology changes in the network.
Keepalive messages are sent between peers to ensure that the connection between them still exists. A BGP NOTIFICATION message is sent when an error condition is detected; the BGP connection is closed immediately after it is sent.
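As an added illustration of the message format the slides describe (example code written for this page, not taken from the slides or from any router vendor), the following Python builds and parses the fixed 19-byte BGP header and an OPEN body as laid out in RFC 4271. The AS number, hold time and router ID are constructed sample values; each ValueError in the parser corresponds to a header or OPEN error for which a real speaker would send a NOTIFICATION and tear the session down.

```python
import socket
import struct

# RFC 4271 fixed header: 16-byte all-ones marker, 2-byte length, 1-byte type.
MARKER = b"\xff" * 16
HEADER_LEN = 19
MAX_MSG_LEN = 4096
MSG_OPEN, MSG_UPDATE, MSG_NOTIFICATION, MSG_KEEPALIVE = 1, 2, 3, 4
TYPE_NAMES = {MSG_OPEN: "OPEN", MSG_UPDATE: "UPDATE",
              MSG_NOTIFICATION: "NOTIFICATION", MSG_KEEPALIVE: "KEEPALIVE"}


def build_open(my_as, hold_time, bgp_id, opt_params=b""):
    """Encode an OPEN: version(1) My AS(2) Hold Time(2) BGP Identifier(4) opt len(1) params."""
    body = struct.pack("!BHH4sB", 4, my_as, hold_time,
                       socket.inet_aton(bgp_id), len(opt_params)) + opt_params
    return MARKER + struct.pack("!HB", HEADER_LEN + len(body), MSG_OPEN) + body


def build_keepalive():
    """A KEEPALIVE is the bare 19-byte header with no body."""
    return MARKER + struct.pack("!HB", HEADER_LEN, MSG_KEEPALIVE)


def parse_message(data):
    """Validate the header and decode an OPEN body. Every ValueError below is a
    condition for which a real speaker sends a NOTIFICATION and drops the session."""
    if len(data) < HEADER_LEN:
        raise ValueError("segment shorter than the BGP header")
    if data[:16] != MARKER:
        raise ValueError("connection not synchronized (bad marker)")
    length, msg_type = struct.unpack("!HB", data[16:19])
    if not HEADER_LEN <= length <= MAX_MSG_LEN or length != len(data):
        raise ValueError("bad message length")
    if msg_type not in TYPE_NAMES:
        raise ValueError("bad message type")
    msg = {"type": TYPE_NAMES[msg_type], "length": length}
    if msg_type == MSG_OPEN:
        if length < HEADER_LEN + 10:
            raise ValueError("OPEN body truncated")
        version, my_as, hold_time, bgp_id, opt_len = struct.unpack("!BHH4sB", data[19:29])
        if version != 4:
            raise ValueError("unsupported version number")
        if hold_time in (1, 2):          # RFC 4271: hold time must be 0 or at least 3 seconds
            raise ValueError("unacceptable hold time")
        if opt_len != length - 29:
            raise ValueError("optional parameter length mismatch")
        msg.update(version=version, my_as=my_as, hold_time=hold_time,
                   bgp_id=socket.inet_ntoa(bgp_id), opt_params=data[29:29 + opt_len])
    return msg


def is_rejected(data):
    """True when parse_message refuses the message."""
    try:
        parse_message(data)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: an OPEN from a router in AS 65001, hold time 180 s, router ID 10.0.0.1
    frame = build_open(65001, 180, "10.0.0.1")
    print(parse_message(frame))
    print(parse_message(build_keepalive()))
    print("tampered marker rejected:", is_rejected(b"\x00" + frame[1:]))
```

The length check is the one a defender cares about most: a message whose length field disagrees with the bytes actually received is refused rather than parsed optimistically.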
Prefix-lists
• Prefix-lists are used to match on prefix and prefix-length pairs. The normal prefix-list syntax is as follows:
• ip prefix-list LIST permit 1.2.3.0/24 would be an exact match for the prefix 1.2.3.0 with a subnet mask of 255.255.255.255
• When you add the keywords “ge” or “le” to the prefix-list, the “len” value changes its meaning. When using GE and LE, the “len” value specifies how many bits of the prefix you are checking, starting from the most significant bit.
• Check the first 24 bits of the prefix 1.2.3.0. The subnet mask must be less than or equal to 32.
• This matches everything.
• This matches a default route.
• In many situations a prefix-list can be replaced with an access-list; however, there are scenarios where an ACL does not match the exact prefix.
On R2 we cannot filter 10.0.0.0/24 using an ACL without also filtering the summary address coming from R1, 10.0.0.0/22. The entry 10.0.0.0 255.255.255.0 will match the first 24 bits; however, the first 22 bits are the same bits as in our summary address. By using the following ACL, access-list 1 deny 10.0.0.0 0.0.0.255, we drop both 10.0.0.0/24 and 10.0.0.0/22.
Using a prefix-list we can deny the /24 prefix while the /22 is permitted.
Route Maps
Route maps are a powerful tool for creating customized routing policies. They are similar to ACLs, both having criteria for matching the details of certain packets and an action of permitting or denying those packets. Unlike access-lists, route maps can add to each “match” criterion a “set” clause that actually changes the packet in a specific manner. Each route-map statement has a “permit” or “deny” action and a sequence number. At the end, an implicit deny exists, as with ACLs. A packet or route is passed sequentially through the route-map statements. If a match is made, any set statements are executed and then the permit or deny action is applied. As with ACLs, processing stops when a match is made and the specified action is executed; the route or packet is not passed to subsequent statements.
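To make the prefix-list, ACL and route-map semantics from the last four slides concrete, here is an added Python model (written for this page, not code from the slides or from Cisco) that evaluates all three the way the slides describe them: a prefix-list entry without ge/le is an exact length match and ge/le turn it into a length range; a standard ACL compares only the route's network address through a wildcard mask, so it cannot see the prefix length; a route-map walks its entries in sequence order, applies the set clause on the first permit match and stops, with an implicit deny at the end. The R2 policy (drop 10.0.0.0/24, keep the 10.0.0.0/22 summary) and the CUSTOMER list with its local-preference value are constructed sample data.

```python
import ipaddress


def prefix_list_permits(entries, route):
    """Evaluate an ordered prefix-list against one route ('A.B.C.D/len').
    entries: (action, prefix, ge, le). Without ge/le the entry is an exact match on the
    prefix length; ge/le widen it to a range. First match wins, implicit deny at the end."""
    r = ipaddress.ip_network(route, strict=False)
    for action, prefix, ge, le in entries:
        p = ipaddress.ip_network(prefix, strict=False)
        if r.network_address not in p:          # the first p.prefixlen bits must agree
            continue
        lo = ge if ge is not None else p.prefixlen
        hi = le if le is not None else (32 if ge is not None else p.prefixlen)
        if lo <= r.prefixlen <= hi:
            return action == "permit"
    return False


def acl_permits(entries, route):
    """Evaluate a standard ACL used as a route filter: (action, address, wildcard).
    Only the route's network address is compared; its length is invisible to the ACL."""
    addr = int(ipaddress.ip_network(route, strict=False).network_address)
    for action, address, wildcard in entries:
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF   # wildcard 1-bits are ignored
        if (addr & care) == (int(ipaddress.IPv4Address(address)) & care):
            return action == "permit"
    return False


def apply_route_map(route_map, prefix_lists, route, attrs):
    """Walk route-map entries in sequence order. An entry without a match clause matches
    everything; on the first match, a permit applies its set clause and a deny drops the
    route. Returns (permitted, attributes); implicit deny if nothing matches."""
    for entry in sorted(route_map, key=lambda e: e["seq"]):
        name = entry.get("match")
        if name is not None and not prefix_list_permits(prefix_lists[name], route):
            continue
        if entry["action"] == "deny":
            return False, dict(attrs)
        new_attrs = dict(attrs)
        new_attrs.update(entry.get("set", {}))
        return True, new_attrs
    return False, dict(attrs)


# Constructed R2 policy from the slides: drop 10.0.0.0/24 but keep the /22 summary from R1.
ACL_1 = [("deny", "10.0.0.0", "0.0.0.255"), ("permit", "0.0.0.0", "255.255.255.255")]
PREFIX_LISTS = {
    "NO-24": [("deny", "10.0.0.0/24", None, None), ("permit", "0.0.0.0/0", None, 32)],
    "CUSTOMER": [("permit", "10.0.0.0/16", 22, 24)],    # /22 to /24 subnets of 10.0.0.0/16
    "ONLY-24": [("permit", "10.0.0.0/24", None, None)],
}
ROUTE_MAP_IN = [
    {"seq": 10, "action": "deny", "match": "ONLY-24"},
    {"seq": 20, "action": "permit", "match": "CUSTOMER", "set": {"local_preference": 200}},
    {"seq": 30, "action": "permit"},                     # everything else, unchanged
]

if __name__ == "__main__":
    for route in ("10.0.0.0/24", "10.0.0.0/22"):
        print(route, "ACL:", acl_permits(ACL_1, route),
              "prefix-list:", prefix_list_permits(PREFIX_LISTS["NO-24"], route))
    for route in ("10.0.0.0/24", "10.0.0.0/22", "192.0.2.0/24"):
        print(route, apply_route_map(ROUTE_MAP_IN, PREFIX_LISTS, route, {"local_preference": 100}))
```

Running it shows the ACL denying both 10.0.0.0/24 and 10.0.0.0/22 while the prefix-list denies only the /24, and the route-map passing the /22 summary with its local preference raised to 200 while unrelated prefixes go through untouched.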
Establishing a BGP Peer
Only one instance of BGP can be configured on the router. The autonomous-system number identifies the autonomous system to which the router belongs. This number is compared with the autonomous-system number in the neighbor statement to determine whether the neighbor is internal or external. The remote-as keyword specifies the autonomous system of the remote peer. For administrative purposes a neighbor can be shut down; this is used for maintenance and policy changes to prevent route flapping.
BGP Network Command
The network command controls the networks originated from this box. This concept is different from the regular network statement in an IGP, where the network statement matches the interfaces that participate in that IGP. Under BGP, the network statement is not trying to run BGP on a certain interface but indicates to the BGP process which networks BGP should originate from the current IGP routing table.
BGP Next Hop Attribute
The BGP next-hop attribute is the next-hop IP address to use in order to reach a certain destination. For eBGP, the next hop is always the IP address of the neighbor that the neighbor command specifies. For iBGP, the protocol states that the next hop advertised by eBGP should be carried unchanged into iBGP.
The next-hop-self command allows you to force BGP to change the next hop of externally learned routes to its own IP address.
iBGP
For an AS to become a transit system for other ASs, iBGP is recommended. The same result can be achieved via redistribution of eBGP into the IGP; however, iBGP offers more flexibility and is a more efficient solution inside an AS. When a BGP speaker receives an update from another BGP speaker in its own AS (iBGP), the receiving BGP speaker does not redistribute the information to other BGP speakers in its own AS. Therefore, sustaining a full mesh between iBGP speakers within an AS is required (Route Reflectors and Confederations are also a solution).
Synchronization
Synchronization states that, if your AS passes traffic from an external AS to a third AS, BGP should not advertise a route before all the routers in the AS have learned about the route via the IGP. BGP waits until the IGP has propagated the route within the AS; then BGP advertises the route to external peers.
R4 advertises Lo0 into BGP. R1 receives the update and advertises it to its IBGP neighbor R2. R2 receives the update from R1 and from R5 and installs it in the routing table as best, via R5.
On R2 we will shut down the R5 neighbor to force 120.1.4.0 to be installed via R1. Synchronization is disabled by default, therefore R2 will install the update about R4’s Lo0 in the routing table.
If we check on R3, we can see that we receive a packet with a source IP address that R3 is not aware of; therefore the packet is dropped and an ICMP host unreachable is sent to the source of the packet. Now, if we enable sync on R1 and R2, R4’s Lo0 update will not be installed in the routing table, preventing backhauling of traffic.
R2 receives R4’s Lo0 update; however, it will not be installed in the routing table because it is not synchronized. Once R1 redistributes R4’s Lo0 into OSPF and R2 learns it via OSPF, 120.1.4.0 will be installed into the BGP table.
R2 will have R4’s Lo0 learned via a better AD; therefore we get a RIB failure for this entry in the BGP table. A test ping with a source of Lo0 (advertised in BGP) will now be successful.
Using a peer-group
On Cisco routers, neighboring routers with the same update policies can be grouped into peer-groups to simplify configuration, make updating more efficient and improve performance. Peer groups are more efficient because updates are generated only once per peer group rather than individually for each neighboring router; the generated update is replicated for each neighbor that is part of that peer group. The peer group name is local to the router on which it is configured. Peer groups make the router configuration easier to read and manage.
BGP Authentication
BGP neighbor authentication can be configured so that a router authenticates the source of each routing update packet it receives. This is accomplished by the exchange of an authentication key (password) that is known to both the sending and the receiving router. BGP supports MD5 neighbor authentication. MD5 sends a “message digest” (also called a “hash”), which is created using the key and the message. The message digest is sent instead of the key; the key itself is never sent, preventing it from being read while in transit. Failure cases shown: no password on one neighbor; password mismatch.
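The slide's "digest instead of the key" mechanism is the TCP MD5 signature option of RFC 2385, which is what the Cisco neighbor password configures. As an added example for this page (not code from the slides or from any vendor), the Python below computes that digest exactly as RFC 2385 specifies: MD5 over the IPv4 pseudo-header, the fixed TCP header with the checksum zeroed and options excluded, the segment data, and finally the shared key. The receiver side distinguishes the three outcomes the slides show (matching password, no password on one side, mismatched password) and also demonstrates why any change to the data invalidates the digest. The IP addresses, ports, sequence numbers and the key are constructed sample values; the digest is compared in constant time. Practitioners should note that RFC 2385 is a plain keyed hash rather than an HMAC, and that RFC 5925 (TCP-AO) is its standardized successor.

```python
import hashlib
import hmac
import socket
import struct

TCP_PROTOCOL = 6
MD5_OPTION_KIND = 19      # TCP option kind for the MD5 signature (RFC 2385)
MD5_OPTION_LEN = 18       # kind + length + 16-byte digest


def build_tcp_header(src_port, dst_port, seq, ack, flags, window, options_len):
    """Fixed 20-byte TCP header with checksum zeroed. The data offset counts the options
    that will follow (the 18-byte MD5 option padded to 20 bytes in this sample)."""
    data_offset = (20 + options_len) // 4
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset << 4, flags, window, 0, 0)


def tcp_md5_digest(src_ip, dst_ip, header20, payload, key):
    """RFC 2385 section 2.0: MD5(pseudo-header + TCP header with checksum 0, options
    excluded + segment data + key). The pseudo-header length covers header, options and data."""
    segment_len = (header20[12] >> 4) * 4 + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTOCOL, segment_len))
    return hashlib.md5(pseudo + header20 + payload + key).digest()


def sign_segment(src_ip, dst_ip, header20, payload, key):
    """Sender: the TCP option (kind 19, length 18) carrying the digest, never the key."""
    digest = tcp_md5_digest(src_ip, dst_ip, header20, payload, key)
    return bytes([MD5_OPTION_KIND, MD5_OPTION_LEN]) + digest


def verify_segment(src_ip, dst_ip, header20, payload, option, key):
    """Receiver: key=None means no password is configured for this neighbor,
    option=None means the segment arrived unsigned."""
    if key is None and option is None:
        return "accepted (session not authenticated)"
    if key is None:
        return "rejected: unexpected MD5 digest, no password configured for this neighbor"
    if option is None:
        return "rejected: no MD5 digest, password configured for this neighbor"
    if len(option) != MD5_OPTION_LEN or option[0] != MD5_OPTION_KIND:
        return "rejected: malformed MD5 option"
    expected = tcp_md5_digest(src_ip, dst_ip, header20, payload, key)
    if hmac.compare_digest(option[2:], expected):     # constant-time comparison
        return "accepted"
    return "rejected: MD5 digest mismatch"


# Constructed sample segment: a BGP KEEPALIVE from 10.0.12.1 to 10.0.12.2, port 179.
SRC_IP, DST_IP = "10.0.12.1", "10.0.12.2"
KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)
HEADER = build_tcp_header(40000, 179, seq=1000, ack=2000, flags=0x18, window=16384, options_len=20)
KEY = b"bgp-secret"       # constructed password, shared by both peers

if __name__ == "__main__":
    option = sign_segment(SRC_IP, DST_IP, HEADER, KEEPALIVE, KEY)
    print(verify_segment(SRC_IP, DST_IP, HEADER, KEEPALIVE, option, KEY))
    print(verify_segment(SRC_IP, DST_IP, HEADER, KEEPALIVE, option, b"other-secret"))
    print(verify_segment(SRC_IP, DST_IP, HEADER, KEEPALIVE, option, None))
    print(verify_segment(SRC_IP, DST_IP, HEADER, KEEPALIVE, None, KEY))
    # Any change to the data invalidates the digest
    print(verify_segment(SRC_IP, DST_IP, HEADER, KEEPALIVE[:-1] + b"\x03", option, KEY))
```

Because the source and destination addresses are part of the digest input, a segment signed for one peering cannot be replayed on another, and because the sequence number is covered too, a stale segment fails verification as well.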
BGP Backdoor
BGP prefixes learned from eBGP peers have an AD value of 20 (the lowest among all dynamic routing protocols). This was done intentionally to prevent possible routing loops caused by redistribution of BGP routes into the IGP.
BGP default-routing
• BGP default routing can be helpful when a stub AS uses just one uplink or a primary/backup uplink scenario. The upstream eBGP peers can be configured to advertise just the default route.
• You may inject a default route into BGP by using the network 0.0.0.0 mask 0.0.0.0 command, provided that there is a default route in the RIB. However, this will advertise the default route to all BGP neighbors.
• To selectively generate a default route, use the following command:
• neighbor <IP> default-originate [route-map <CONDITION>]
• Without the route-map parameter, this command generates a default route and sends it to the configured peer. It is not required to have a matching default route in the BGP table or the RIB.
• We can make the default-route advertisement conditional by associating a route-map with the neighbor statement. In this case, the default route is advertised only if the route-map match conditions are satisfied.