Beruflich Dokumente
Kultur Dokumente
Border Gateway
Protocol
Anl ALBEYOLU
Network Consultant
CCIE #24974
Agenda
General Information,
Theory,
Explains every component in a very detailed fashion.
flow.
Reliable since it uses TCP as a transport protocol.
Scalable, hierarchical and loop-free.
Secure.
Open standard (RFC 4271).
Internet relies on BGP.
ISPs and enterprise customers can run BGP.
troubleshoot it,
Is appropriate when:
Multiple connections to ISPs,
Policies are used,
Enough memory & CPU are available,
Technical staff are qualified enough to operate &
troubleshoot it.
distance is 20.
BGP supports summarization and CIDR.
Uses incremented/triggered updates.
Only installs "best path" into the routing table and only
announces "best path" to other BGP peers (prefix will be
advertised must exist exactly in the routing table).
Can use MD5 authentication between peerings.
enabled, more than one path can be put into the routing table up to 16 multiple
path).
A BGP router with synchronization enabled does not install iBGP learned routes
into its routing table if it is not able to validate those routes in its IGP. (disable
sync. for best practice, mostly its not used)
If sync. is enabled and IGP is OSPF, neighbors OSPF & BGP router IDs must be
same.
Either disable sync. & run BGP in all routers inside the AS or keep it & redistribute
prefixes from BGP to IGP. (or Tunnel BGP over GRE, IPIPetc.)
BGP Split Horizon Rule). As you guess, iBGP peers dont modify the
NEXT_HOP attribute in UPDATE messages between each other.
This means when you have N routers in your AS, you can clearly see that
you should have (N x [N-1]) / 2 iBGP sessions in your BGP domain.
Of course its not scalable for large-scale deployments. Also number of
TCP sessions become extra overhead for the routers and multiple
duplicate routing traffic traverses all around the network. For this, there
are 2 options to solve this problem:
Route reflectors can be used (one or more routers are assigned as a
10
11
Theory Messages
BGP has 4 message types:
OPEN
KEEPALIVE
UPDATE
NOTIFICATION
12
13
14
15
16
17
18
19
20
21
22
between peers:
23
Theory States
BGP neighbor states are:
IDLE
ACTIVE
CONNECT
OPEN SENT
OPEN CONFIRM
ESTABLISHED
24
25
26
27
28
Theory Attributes
BGP has several attributes:
Well-Known Mandatory: Must be supported and recognised by all BGP
routers. These attributes must be included in UPDATE messages. They must
be passed on to other BGP routers.
Well-Known Discretionary: Must be supported and recognised by all BGP
routers. They must be passed on to other BGP routers. But these attributes
may/may not be included in UPDATE messages, its not mandatory.
Optional Transitive: May be recognised/not recognised by BGP routers. But
they must be passed on to other BGP routers. If these type of attributes arent
recognised, theyre marked as "partial".
Optional Non-transitive: May be recognised/not recognised by BGP routers
and isnt passed on to other BGP routers.
Also some vendors may use additional attribute to manipulate best path
selection algoritm such as Cisco Systems, they use weight attribute which is
locally significant, higher is better.
29
30
31
32
33
34
35
36
37
38
Implementation Topology
Will cover basic configurations as well as advanced scenarios.
Topology seen below will be used for all scenarios, well modify if
39
Implementation Addresses/Subnets
Other than pysical IP addresses, we will use loopback subnets as customer or
40
41
42
IP must be specified:
R1(config-router)#neighbor 6.6.6.6 update-source Loopback0 !OPEN
messages will be sent with this source IP address, since other side
expects to see this address for the peering.
43
below as examples:
44
Since 0 prefix has been received, show ip bgp command shows nothing (this
45
running on the router. BGP global parameters, route reflector clients, used filters
and neighbors can be seen with this command:
46
47
announced to other BGP peers. This command has several options such as routemap (to set attribute valuesetc.).
R1(config-router)#network 192.168.13.0 mask 255.255.255.0 !192.168.13.0/24
subnet is a connected subnet in Loopback 3, with this command, R1 will
announce this subnet to all BGP neighbors.
With aggregate command, we tell BGP router to summarize more specific routes
which already exist in its BGP table. This command has several options such as
route-map, as-set, summary-onlyetc.
R1(config-router)#aggregate-address 192.168.12.0 255.255.252.0 !192.168.1215.0/24 subnets exist in the BGP table (at least one of them), with this
command, R1 announces summary 192.168.12.0/22 subnet to all BGP neighbors
addition the specific ones.
With redistribute command, prefixes come from any routing information source
(IGP routes, connected or static routes) exist in the routing table can be announced to
other BGP neighbors, this command also has many different options.
R1(config-router)#redistribute connected !All connected subnets exist in the
routing table are redistributed in to the BGP table and announced to all BGP
neighbors.
48
compared to ? (e is for EGP which is not used anymore). (also other parameters can be changed with
route-maps). In the originating router, NEXT_HOP is 0.0.0.0 since its locally originated. Inside the AS,
AS_PATH is also empty.
Subnet and mask must be exactly same as its seen in routing table (e.g. If entry in routing table is
10.100.2.0/23, subnet and mask must be 10.100.2.0 & 255.255.254.0), otherwise it doesnt work.
Below example shows that R1 announces Loopback 9, then R2 receives this prefix with ORIGIN value i:
49
earlier, its not a preferred value compared to i. (route-maps can be used too)
Below example shows that R1 redistributes only Loopback 9 connected interface, then R2
receives this prefix with ORIGIN value ?:
50
51
one 192.168.72.0/22 subnet by R1, but also more specific subnets in the
aggregation are received by R2 additon to aggregated subnet, also AS_PATH
information is restored by R1 (since as-set keyword is added):
52
53
54
192.168.72.0/22 subnet by R1, and only 192.168.72.0/24 and 192.168.75.0/24 subnets are
suppressed (in other words 192.168.73.0/24 and 192.168.74.0/24 subnets are announced
addition the aggregated /22 subnet).
55
192.168.72.0/22 subnet by R1, more specific subnets are suppressed by R1(with summaryonly keyword), only R2 receives 192.168.73.0/24 and 192.168.74.0/24 subnets in addition
to the aggregated /22 subnet:
56
non-exist-map.
Advertise-map defines which routes will be announced in the case of
meeting the condition.
Exist-map and non-exist-map are used to define the condition.:
If exist-map command is used with advertise-map command, this means
that "announce prefixes defined in advertise-map ONLY IF prefixes defined in existmap exists in the BGP table"
If non-exist-map command is used with advertise-map command, this
means that "announce prefixes defined in advertise-map ONLY IF prefixes defined
in non-exist-map DOES NOT exist in the BGP table"
Conditional announcing is used as a neighbor basis. Syntax is:
R1(config-router)#neighbor <IP> advertise-map <route-map> exist-map
<route-map>
R1(config-router)#neighbor <IP> advertise-map <route-map> non-exist-map
<route-map>
57
subnets (3 subnets) are allowed to advertise to neighbor 10.0.12.2 (addition to other subnets). But if
192.168.71.0/21 disappears from R1s BGP table, these 3 subnets are not advertised to this
neighbor (other subnets are still advertised). Next page shows that condition is not met.
58
59
60
61
the aggregate/summary.
For this purpose inject-map and exist-map are used.
Inject-map defines prefix that will be originated from the aggregate.
Exist-map matches aggregate and source of the aggregate.
Command syntax is:
R1(config-router)#bgp inject-map <route-map> exist-map <route-map>
attributes are copied to the injected more specific subnet (normally theyre not copied).
In inject-map, prefix-list is set. In exist-map, source and aggregate are matched:
R1(config)#route-map INJECT_MAP permit 5
R1(config-route-map)#set ip address prefix-list <specific_subnet>
R1(config-route-map)#route-map EXIST_MAP permit 5
R1(config-route-map)#match ip address prefix-list <aggregate_subnet>
R1(config-route-map)#match ip route-source prefix-list <src_of_aggregate>
62
injects 192.168.73.0/24 from the /21 aggregate. R2 receives both aggregate and specific subnet,
but since we didnt add copy attributes keyword, as you see attributes are not set for
192.168.73.0/24 subnet.
63
64
65
66
67
68
First two of them are used for outbound traffic manipulation, applied as an
69
70
Below example shows that, R1 sets LOCAL_PREF attribute to 300 for 192.168.41.0/24, 192.168.42.0/24, 192.168.43.0/24, and
this policy is applied for neighbor R6 as an inbound policy. So, R1 receives those subnets from R6, and R1 modifies that
attribute for 3 subnets and announces to iBGP peers. Now all iBGP peers know that for any traffic going to these 3 subnets,
they will route them to R1. (as you see below, even if R3 is connected directly to R4, it chooses R1 R6 R5 R4 path) R1
changes the outbound traffic by doing this, all outbound traffic for these 3 subnets will go through R6.
71
Below example shows that, R1 sets WEIGHT attribute to 300 for 192.168.41.0/24, 192.168.42.0/24, 192.168.43.0/24, and this
policy is applied for neighbor R6 as an inbound policy. So, R1 receives those subnets from R6, and R1 modifies that attribute
for 3 subnets. But in this case, this only affects R1, because as you remember WEIGHT is only locally significant and is not
announced. R1 sends traffic to R6 for these 3 subnets but other iBGP peers dont, theyll use R3 to reach them. R1 changes
the outbound traffic by doing this, all outbound traffic for these 3 subnets will go through R6.
72
73
Below example shows that, R1 sets AS_PATH attribute by prepending 3 more AS numbers addition to original AS (1230 1230
1230 + 1230) for 192.168.11.0/24, 192.168.12.0/24, 192.168.13.0/24, and this policy is applied for neighbor R6 as an outbound
policy. So, R1 advertises those subnets to R6 with a modified AS_PATH attribute, and R6 sees that those subnets are 4 AS / 4
hop away to reach. R6 also sees 4570 1230 for same subnets from R5, so R6 prefers R5 to reach them. R1 changes the
inbound traffic by doing this, all inbound traffic for these 3 subnets will enter AS 1230 through R3.
74
Below example shows that, R1 sets MED (Metric) attribute to 1000 for 192.168.11.0/24, 192.168.12.0/24, 192.168.13.0/24, and
this policy is applied for neighbor R6 as an outbound policy (since AS_PATH has a higher preference than MED, to make both
paths same, weve prepended one more AS to our advertisements for 3 subnets). So, R1 advertises those subnets to R6 with a
modified MED (Metric) attribute, and R6 sees that those subnets have a MED (Metric) value 1000. R6 also sees 0 MED
(Metric) for same subnets from R5, so R6 prefers R5 to reach them. R1 changes the inbound traffic by doing this, all inbound
traffic for these 3 subnets will enter AS 1230 through R3.