ccie workshop cisco expo 2011 · bgp basics. bgp forms sessions over tcp with dest. port 179 4 bgp...

© 2007 Cisco Systems, Inc. All rights reserved. Cisco PublicPresentation_ID 1

Tomáš [email protected] Systems EngineerCCIE #24395

CCIE WorkshopCisco Expo 2011

mailto:[email protected]�


Agenda

eBGP

iBGP

Attributes

Advanced features (filtering, redistribution, summarization, other features)


BGP – RFC 1771eBGP

R1 R2

S0/0 10.0.12.2/24

ISP1: R1:router bgp 1 router bgp 2

bgp router-id 1.1.1.1 bgp router-id 2.2.2.1

nei 10.0.12.2 remot 2 nei 10.0.12.1 remot 1

ISP1 ISP2

AS 2

AS 1 AS 3

S0/0 10.0.12.1/24

S0/0 10.0.23.2/24

S0/0 10.0.23.1/24


BGP – RFC 1771eBGP

R1

S0/0

R1:ip route 10.1.255.1 255.255.255.255 s0/0

ip route 10.1.255.1 255.255.255.255 s0/1

router bgp 2

nei 10.1.255.1 remot 1

nei 10.1.255.1 updat lo0

nei 10.1.255.1 ebgp-multihop 2

ISP1:ip route 10.2.255.1 255.255.255.255 s0/0

ip route 10.2.255.1 255.255.255.255 s0/1

router bgp 1

nei 10.2.255.1 remot 2

nei 10.2.255.1 updat lo0

nei 10.2.255.1 ebgp-multihop 2

ISP1

AS 2

AS 1

S0/0

eBGP load balancing

S0/1

S0/1

10.2.255.1/32 lo0

lo0 10.1.255.1/32


BGP basicsBGP forms sessions over TCP with dest. port 1794 BGP messages: OPEN, KEEPALIVE, UPDATE, NOTIFICATIONBGP session forming starts with OPEN message, peers verify:BGP version, hold time, peer IP address and AS number (peer must be in our neighbor list with correct AS number), MD5 hash if configured6 BGP states: IDLE, CONNECT, ACTIVE, OPEN, OPENCONFIRM, ESTABLISHEDYou want your neighbors in Established stateWatch out for ACL configuration in CCIE lab that may prevent BGP sessions from forming

BGPForming BGP sessions


BGP basics (cont.)3 BGP tables:ADJ-RIB-IN – stores unprocessed routes learned from peers, use “sh ip bgp nei ADDR received-routes” to see its contentsNeeds soft reconfiguration inbound comandLOC-RIB – contains the routes that have been selected by the local BGP Speaker’s Decision Process. It stores processed routes from all peers, use “sh ip bgp” to see its contentsBy default only one route to same prefix (marked as “*>”) is installed into routing table (“sh ip ro”) from LOC-RIBADJ-RIB-OUT – stores routes to be advertised to other peers, use “sh ip bgp nei ADDR adv” to see its contentsThere is one ADJ-RIB-IN and one ADJ-RIB-OUT per neighbor

BGPForming BGP sessions


In order for “network” command to inject routes into BGP it must exactly match the prefix and mask from RIB

BGPAdvertising networks to BGP

R1 R2

ISP1:router bgp 1

net 11.0.0.0 m 255.255.255.0 [route-map MAP]

ISP1 ISP2

AS 2

AS 1 AS 3F0/0

11.0.0.1/24

S0/0 10.0.12.2/24

S0/0 10.0.12.1/24

S0/0 10.0.23.2/24

S0/0 10.0.23.1/24


BGP updatePrefixes in BGP are exchanged as NLRI touplesThere are 3 attributes that must be included in each update known as “well-known mandatory”:ORIGIN, NEXT-HOP, AS-PATHBGP update received by R1 looks like:[11.0.0.0, 24], Orig: IGP, NH: 10.0.12.1, ASP: 1BGP update received by R2 looks like:[11.0.0.0, 24], Orig: IGP, NH: 10.0.12.1, ASP: 1BGP update received by ISP2 looks like:[11.0.0.0, 24], Orig: IGP, NH: 10.0.23.2, ASP: 2,1IGP origin is set by “network” command, incomplete origin is set by “redistribute” command, EGP can be set using “route-map”

BGPAdvertising networks to BGP


BGPiBGP

R1 R2

R1: R2: R3:int f0/0 int f0/0 int f0/0

ip os 1 a 0 ip os 1 a 0 ip os 1 a 0

router bgp 2 router bgp 2 int f0/0

nei 172.16.13.3 remot 2 nei 172.16.23.3 remot 2 ip os 1 a 0

nei 172.16.23.2 remot 2 nei 172.16.13.1 remot 2 router bgp 2

nei 172.16.13.1 remot 2

nei 172.16.23.2 remot 2

AS 2

R3

172.16.13.1/24 F0/0

172.16.13.3/24 F0/0 F0/1 172.16.23.3/24

F0/0 172.16.23.2/24


iBGP ruleBGP update received by iBGP router is not forwarded to other iBGP neighborsBecause of this you need full mesh iBGP (just logical, not physical)This is fundamental iBGP loop preventioneBGP loop prevention is to not accept BGP update if the AS-PATH contains local router’s AS numberWhen you have full iBGP mesh you can disable synchronization (disabled automatically with IOS 12.2(8)T and later)

BGPiBGP


iBGP resiliency

BGPiBGP resiliency

R1 R2

R1: R2: R3:int lo0 int lo0 int lo0

ip os 1 a 0 ip os 1 a 0 ip os 1 a 0

router bgp 2 router bgp 2 router bgp 2

nei 192.168.255.2 remot 2 nei 192.168.255.1 remot 2 nei 192.168.255.1 remot 2

nei 192.168.255.2 updat lo0 nei 192.168.255.1 updat lo0 nei 192.168.255.1 upd lo0

nei 192.168.255.3 remot 2 nei 192.168.255.3 remot 2 nei 192.168.255.2 remot 2

nei 192.168.255.3 updat lo0 nei 192.168.255.3 updat lo0 nei 192.168.255.2 upd lo0

AS 2

R3

172.16.13.1/24 F0/0

172.16.13.3/24 F0/0 F0/1 172.16.23.3/24

F0/0 172.16.23.2/24

F0/1 172.16.12.1/24

172.16.12.2/24 F0/1192.168.255.1/32

lo0

192.168.255.3/32 lo0

192.168.255.2/32 lo0


In order for R2 to place 11.0.0.0/24 network from LOC-RIB into routing table, it needs next hop of 10.0.12.1 reachable

BGPiBGP external next hop reachability issue

R1 R2

R1: or R1:router bgp 1 router bgp 1

net 10.0.12.0 m 255.255.255.0 nei 192.168.255.2 next-hop-self

ISP1 ISP2

AS 2

AS 1 AS 3F0/0

11.0.0.1/24

S0/0 10.0.12.2/24

S0/0 10.0.12.1/24

S0/0 10.0.23.2/24

S0/0 10.0.23.1/24


Fighting iBGP full meshConfederations – our AS 2 divided into two sub-AS

BGPiBGP

iBGP

eBGP

iBGP

Sub-AS 65000

Sub-AS 65001


Fighting iBGP full meshConfederations configurationSub-AS 65000 internal routers:Router(config)# router bgp 65000Router(config-router)# bgp confed id 2Router(config-router)# nei ADDR remot 65000Sub-AS 65000 edge routers:Router(config)# router bgp 65000Router(config-router)# bgp confed id 2Router(config-router)# bgp confed pe 65001Router(config-router)# nei ADDR remot 65001Router(config-router)# nei ADDR remot 65000Router(config-router)# nei ADDR remot 1

BGPiBGP


Fighting iBGP full meshRoute reflectors – iBGP routers that send updates to other iBGP neighbors

BGPiBGP

RR cluster 1

RR cluster 2

Non-client

RR RR

client client

client client

client

client

client

client

client client

Non-client


Fighting iBGP full meshRR configuration (only on RR routers)Router(config)# router bgp 2Router(config-router)# bgp cluster id IDRouter(config-router)# nei ADDR route-refBGP cluster ID is optional, by default set to BGP RID, you need to explicitly set this if you want RR redundancyCluster ID is a way how to prevent loops in RR topologyRR uses two attributes:ORIGINATOR_ID – RID of originating RRCLUSTER_LIST – RIDs of all RRs that the route has passed

BGPiBGP


WeightCisco proprietaryNever included in any updateInfluences path local router takes to reach prefixes

Task – prefer ISP2 to reach 10.0.0.0/24

BGPAttributes

R1

ISP1 ISP2

10.0.0.0/24 R1 – for all routes learned from peer:router bgp 2

nei ISP2 wei 100

R1 – selectively per prefix:ip pref PREF p 10.0.0.0/24

route-map MAP p 10

ma ip add pref PREF

set wei 100

route-map MAP p 20

router bgp 1

nei ISP2 route-map MAP in


LOCAL_PREFWell-known optionalDefault is 100, higher is preferredInfluences path local AS takes to reach prefixes

Task: Default preference should be changed to 50 on all routers.Router(config-router)# bgp defa loca 50Task:Prefer ISP1 to reach 1.0.0.0/24, ISP2 to reach 2.0.0.0/8.

BGPAttributes

R1

ISP1 ISP2

1.0.0.0/8

2.0.0.0/8

R2

R3 AS 2


LOCAL_PREFR1(config)# ip pref R1 p 1.0.0.0/8R1(config)# route-map R1 pR1(config-route-map)# ma ip add pref R1R1(config-route-map)# set local 150R1(config-route-map)# route-map R1 p 20

R1(config)# router bgp 2R1(config-router)# nei ISP1 route-map R1 inOr:R1(config-router)# nei R2 route-map R1 outR1(config-router)# nei R3 route-map R1 out

BGPAttributes


LOCAL_PREFR2(config)# ip pref R2 p 2.0.0.0/8R2(config)# route-map R2 pR2(config-route-map)# ma ip add pref R2R2(config-route-map)# set local 150R2(config-route-map)# route-map R2 p 20

R2(config)# router bgp 2R2(config-router)# nei ISP2 route-map R2 inOr:R2(config-router)# nei R1 route-map R2 outR2(config-router)# nei R3 route-map R2 out

BGPAttributes


AS_PATHWell-known mandatoryYou may use AS_PATH prepending to influence peers which of your edge router will be used to route traffic back to your AS

Task:AS1 should use R1 to reach 1.0.0.0/24 and use R2 to reach 2.0.0.0/8.Configure AS2 for this purpose.

BGPAttributes

R1

ISP1 ISP2

R2

R3 AS 2

1.0.0.0/8

2.0.0.0/8

AS 1


AS_PATHR1(config)# ip pref R1 p 2.0.0.0/8R1(config)# route-map R1 pR1(config-route-map)# ma ip add pref R1R1(config-route-map)# set as prep 2R1(config-route-map)# route-map R1 p 20R1(config)# router bgp 2R1(config-router)# nei ISP1 route-map R1 out

R2(config)# ip pref R2 p 1.0.0.0/8R2(config)# route-map R2 pR2(config-route-map)# ma ip add pref R2R2(config-route-map)# set as prep 2R2(config-route-map)# route-map R2 p 20R2(config)# router bgp 2R2(config-router)# nei ISP2 route-map R2 out

BGPAttributes


AS_PATHAccording to RFC 1771 AS_PATH is not included in BGP bestpathUse following to turn off AS_PATH checking in bestpath:Router(config-router)# bgp bestpath as-path ignore

BGPAttributes


MED (MULTI_EXIT_DISC)Optional non-transitiveYou may use MED to influence neighboring AS which of your edge router will be used to route traffic back to your ASLower value is preferred, default is zeroIn route-map referred to as “metric”MED is compared only if AS_PATH for compared routes is identicalTo compare MED for same routes learned via different AS:Router(config-router)# bgp always-compare-medTo consider missing MED as MED with highest value use:Router(config-router)# bgp best med missing-as-worst

BGPAttributes


COMMUNITY (RFC 1997)Optional transitiveCommunity is a group of destinations which share same propertiesCisco router does not send community if not configured to:Router(config-router)# nei ADDR send-comWell-known communities:Internet – default, advertise to all routersNO_EXPORT – do not advertise to peer ASNO_ADVERTISE – do not advertise to other peersLocal-AS – do not advertise outside local sub-AS (in RFC known as NO_EXPORT_SUBCONFED)Display communities in AS:NN format:Router(config)# ip bgp-commu new

BGPAttributes


COMMUNITY (RFC 1997)BGP communities example:

R2 must instruct AS3 not to advertise 1.0.0.0/8 prefix outside its AS. Do not use as-path acl, prefix-lists or access-lists on R2 to configure this feature.

BGPAttributes

R1 R2

AS 1

1.0.0.0/8

2.0.0.0/8

AS 2

R3

AS 3


COMMUNITY (RFC 1997)BGP communities example (cont.):R1(config)# ip bgp-commu newR1(config)# ip pref R1 p 1.0.0.0/8R1(config)# route-map R1 p 10R1(config-route-map)# ma ip add pref R1R1(config-route-map)# set community 1:10R1(config-route-map)# route-map R1 p 20R1(config)# router bgp 1R1(config-router)# nei R2 send-commuR1(config-router)# nei R2 route-map R1 out

BGPAttributes


COMMUNITY (RFC 1997)BGP communities example (cont.):R2(config)# ip bgp-commu newR2(config)# ip community-list 1 permit 1:10R2(config)# route-map R2 p 10R2(config-route-map)# ma commu 1R2(config-route-map)# set commu no-expR2(config-route-map)# route-map R2 p 20R2(config)# router bgp 2R2(config-router)# nei R3 send-commuR2(config-router)# nei R1 route-map R2 in

BGPAttributes


BGP BestpathNEXT_HOP must be reachable1.) Higher weight2.) Higher LOCAL_PREF3.) Prefer locally originated path via network then redistribute then aggregate command4.) Shortest AS_PATH5.) IGP > EGP > Incomplete origin6.) Lowest MED7.) Prefer eBGP over iBGP learned path8.) Prefer path with lowest IGP metric to BGP next hop9.) Determine if more than 1 route can be installed to local routing table (Router(config-router)# maximum-paths [ibgp] 2)

BGPAttributes


BGP Bestpath (cont.)10.) If both paths are external, prefer path that was received first (oldest one)11.) Prefer path from BGP peer with lowest RID12.) In RR environment – if RID or Originator ID is same, prefer path with shortest cluster list13.) Prefer path from BGP peer with lowest neighbor address

BGPAttributes


MD5 AuthenticationRouter(config-router)# nei ADDR pass PASS

Removing private ASRouter(config-router)# nei ADDR remove-private-as

BGP Local AS

R1 should form eBGP peering with R2 using AS3 instead AS2:R2(config)# router bgp 2R2(config-router)# nei R1 remot 1R2(config-router)# nei R1 local-as 3 [no-prep [replace-as| dual ]]

BGPAdvanced features

R1 R2

AS 1 AS 2


AggregationCreated aggregate routes have two attributes set:ATOMIC_AGGREGATE (well-known discretionary) – indicates this is aggregated route and AS_PATH of component routes is not includedAGGREGATOR (optional transitive) – indicates ASN and RID of router who performed aggregationRouter(config-router)# aggre ADDR MASK [as-set] [summ] [suppress-map SUPP] [advertise-map ADV] [attribute-map ATT]as-set – aggregate should included AS_SET attribute, which is unordered set of all AS numbers that component routes have, ATOMIC_AGGREGATE attribute is not setsumm – send only created aggregated routesuppress-map – send aggregate and all component routes except routes defined as permit in this route-map, suppressed routes are indicated as “s>” in LOC-RIBadvertise-map – using prefixes defined as permit in this route-map, create unordered AS_SET attributeattribute-map – change BGP attributes of created aggregate



Prefix filteringWith route-maps:Match prefixes using ACLs, Prefix-lists, Communities, AS-path access listsYou may modify attributes of learned and advertised routesRoute-maps are specified per neighborWith distribute-lists:Match prefixes using ACLs or Prefix-listsYou cannot modify BGP attributesFilter prefixes per neighbor or globally for all neighborsWith prefix and filter lists:Match prefixes based on prefix-list or AS-path access-listsYou cannot modify BGP attributesFilter prefixes on per neighbor basis only



BGP and redistributionFrom IGP to BGP – metric of redistributed prefixes is copied into MED attributeFrom BGP into IGP – iBGP routes are not redistributed into IGP unless “bgp redistribute-internal” command is not configured under BGP routing process



AS_PATH attribute filteringRouter(config)# ip as-path acc NUM p | d REGEXPRouter(config-route-map)# ma ip as NUMRouter(config-router)# nei ADDR filter NUM in | outREGEXP examples:.* anything^$ routes originated in our local AS^10_ routes learned from neighboring AS10_10$ routes originated in AS10_10_ routes that traversed AS10^[0-9]+$ routes originated in any neighboring AS^[0-9]+(_[0-9]+)?$ routes originated in any neighboring AS (CTRL+V+ ? to enter?) and/or their customers



Peer groupsUsually you will configure this if you are asked to use minimum number of neighbor commandsPeer-groups work only for iBGP or eBGP neighbors sharing same set of policiesFirst define peer-group name:Router(config-router)# nei GROUP-NAME peer-gThen assign policies to the peer-group:Router(config-router)# nei GROUP-NAME remot ASNFinally assign members to the peer-group:Router(config-router)# nei ADDR peer-g GROUP-NAME



Conditional advertisementsAdvertise prefixes specified as permit in ADV route-map only if prefixes specified as permit in EXIST route-map are installed in BGP LOC-RIB (“sh ip bgp”):Router(config-router)# nei ADDR advertise-map ADV exist-map EXISTAdvertise prefixes specified as permit in ADV route-map only if prefixes specified as permit in NON route-map are not installed in BGP LOC-RIB (“sh ip bgp”):Router(config-router)# nei ADDR advertise-map ADV non-exist-map NONPrefixes specified defined in ADV route-map must also exist in BGP LOC-RIB



Creating components of aggregated routeRouter(config-router)# bgp inject-map INJ exist-map EXI [cop]Creates aggregated route components specified in route-map INJ as long as aggregated route defined in route-map EXI exists in BGP LOC-RIBCreated components are installed first into BGP LOC-RIBRoute-map EXI must additionally match on aggregated route source[cop] keyword copies all attributes from existing aggregated to created component route



Creating components of aggregated route (cont.)Example configuration:Router(config)#ip pref AGGREGATE p 10.1.1.0/24Router(config)#ip pref ROUTE_SRC p 10.2.1.1/32Router(config)#route-map EXIRouter(config-route-map)#ma ip add pref AGGREGATERouter(config-route-map)#ma ip route-s pref ROUTE_SRC

Router(config)#ip pref ORIGINATE p 10.1.1.0/25Router(config)#route-map INJRouter(config-route-map)#set ip add pref ORIGINATERouter(config-route-map)#set commu no-exp

Router(config)#router bgp 5Router(config-router)#bgp inject-map INJ exist-map EXI



ORF (outbound route filtering)Minimizes number of BGP updates sent between two peersTwo peers exchange route-filters created using prefix lists and then create BGP update containing only unfiltered routesTask for 3 points:

Configure ORF between R1 and R2. R1 should send only 172.16.0.0/16, 172.17.0.0/16, 172.18.0.0/16, 172.19.0.0/16 and 172.20.0.0/16 to R2. Do not configure any filter on R1. Use prefix-list with minimum number of lines.


R1 R2

AS 1 AS 2

172.16.0.0/16

…

172.31.0.0/16


ORF (outbound route filtering)R1 configuration:R1(config)# router bgp 1R1(config-router)# nei R2 remot 2R1(config-router)# addr ipv4R1(config-router-af)# nei R2 activateR1(config-router-af)# nei R2 cap orf pref rec



ORF (outbound route filtering)R2 configuration:R2(config)# ip pref ORF p 172.16.0.0/14 ge 16 le 16R2(config)# ip pref ORF p 172.20.0.0/16R2(config)# router bgp 2R2(config-router)# nei R1 remot 1R2(config-router)# addr ipv4R2(config-router-af)# nei R1 activateR2(config-router-af)# nei R1 cap orf pref sendR2(config-router-af)# nei R1 pref ORF in



Backdoor routesRouter(config-router)# net PREF m MASK backChanges AD of eBGP route from 20 to 200You may want to use this if you want to prefer IGP learned route over eBGPExample:R2 should route usingshortest pathto 10.0.0.0/24


R4

R2

AS 1

AS 2

10.0.0.0/24

R1 R3

AS 3

EIGRP 4


Route dampeningWith dampening enabled, each time route is withdrawn its penalty is increased by 1000Attribute change increases penalty by 500HALF – 15min default, after 15 minutes penalty is decreased by halfREUSE – 750 default, penalty must drop below this in order for route to be installed into routing table and advertisedSUP – 2000 default, route is suppressed when it exceeds this penaltyMAX – 60min, how long should route be suppressedDefaults mean: If route flaps 3 times within 15 minutes it is suppressed. It is unsuppressed after 45 minutes if no additional route flap occurs.



Route dampeningConfiguration for all routes:Router(config-router)# bgp damp HALF REUSE SUP MAXConfiguration for specific routes:Router(config-router)# bgp damp route-m DAMPRouter(config)# route-map DAMPRouter(config-route-map)# ma ip add pref PREFOptional route-map command:Router(config-route-map)# set damp HALF REUSE SUP MAX



Other featuresOriginate default route to BGP peer, default route does not have to be in advertising peer routing table:Router(config-router)# nei ADDR default-oriAdd short description about neighbor peering:Router(config-router)# nei ADDR descrDisable BGP peering, but leave configuration intact:Router(config-router)# nei ADDR shutAlternative to eBGP multihop:Router(config-router)# nei ADDR disable-connected-checkFast peering deactivation:Router(config-router)# nei ADDR fall-over



Other featuresKeepalive and holdtime modification:Global: Router(config-router)# timers bgp KEEP HOLDPer neighbor: Router(config-router)# nei ADDR time KEEP HOLDShutdown BGP session after 1000 prefixes have been received, issue warning message when 500 prefixes have been received and restart BGP session after 30 minutes:Router(config-router)# nei ADDR maximum-prefix 1000 50 rest 30Do not shutdown BGP session, just issue warning only:Router(config-router)# nei ADDR max 1000 warn



BGP show commandssh ip bgp | b Netwsh ip bgp PREFIXsh ip bgp sumsh ip bgp nei [ADDR] [routes | adv]sh ip bgp regexp REGEXPsh ip bgp filter AS-PATH-ACLsh ip bgp damp param | flapdeb ip bgpcle ip bgp {* | ADDR} [in | out]



BGP and IPv6IPv6 is exchanged using MP-BGPExample:

MP-BGP (RFC 2858)Advanced features

R1 R2

AS 1 AS 2

2001:1::1/64 2001:2::1/64

2001:2::2/64


BGP and IPv6R1(config)# router bgp 1R1(config-router)# bgp router-id 1.1.1.1R1(config-router)# no bgp defa ipv4-uniR1(config-router)# nei 2001:2::2 remot 2R1(config-router)# add ipv6R1(config-router-af)# nei 2001:2::2 actR1(config-router-af)# net 2001:1::/64

R2(config)# router bgp 2R1(config-router)# bgp router-id 2.2.2.2R2(config-router)# no bgp defa ipv4-uniR2(config-router)# nei 2001:2::1 remot 2R2(config-router)# add ipv6R2(config-router-af)# nei 2001:2::1 act

MP-BGPAdvanced features


IPv6 MP-BGP show commandssh bgp ipv6 uni | b Netwsh bgp ipv6 uni PREFIXsh bgp ipv6 uni sumsh bgp ipv6 uni nei [ADDR] [routes | adv]sh bgp ipv6 uni regexp REGEXPsh bgp ipv6 uni filter AS-PATH-ACLsh bgp ipv6 dampening dampeneddeb bgp ipv6 unicle bgp ipv6 uni {* | ADDR} [in | out]

MP-BGPAdvanced features


Q and ABGP

ccie workshop cisco expo 2011 · bgp basics. bgp forms sessions over tcp with dest. port 179 4 bgp...

Documents