ROUTER STATE
[Figure: BGP session states Active, OpenSent, OpenConfirm and Established; OPEN messages are exchanged in OpenSent and UPDATE messages once the session is Established.]
Notification message
The NOTIFICATION message is sent whenever an error is detected.
ERROR codes
The NOTIFICATION message carries three fields:
Error code - the failure type (for example 1 = Message header error, 3 = UPDATE message error)
Error sub code - more specific information about the failure
Data - data relevant to the error (the bad header, the wrong AS, ...)
OPEN message
Fields: Version, Orig AS, Hold time, BGP id, Opt param length, Optional param
Version - BGP version, 3 or 4
Orig AS - the sender's autonomous system number
Hold time - the amount of time allowed between receiving successive KEEPALIVE and UPDATE packets
BGP id - the sender's router ID
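As an added example (not code from the original notes), the following Python parses a BGP message header and an OPEN body and raises the NOTIFICATION error code and subcode a receiver would send back: header errors (code 1) for a bad marker, length or type, and OPEN errors (code 2, the RFC 4271 value; the page lists only codes 1 and 3) for an unsupported version, a zero AS or BGP identifier, or a hold time of 1 or 2 seconds. It also derives the negotiated hold time and the 1/3 KEEPALIVE interval. The sample OPEN is constructed from the values seen in the debug output later on this page (router ID 1.1.1.1, AS 1, hold time 180); treating the buffer as exactly one message and checking the BGP identifier only for zero are simplifications.

```python
import struct

MARKER = b"\xff" * 16          # 16-octet all-ones marker
HEADER_LEN = 19                # marker (16) + length (2) + type (1)
OPEN, UPDATE, NOTIFICATION, KEEPALIVE = 1, 2, 3, 4

# NOTIFICATION error codes: 1 and 3 are on the page; 2 (OPEN Message Error) is the RFC 4271 value.
MSG_HEADER_ERROR, OPEN_MSG_ERROR = 1, 2


class BgpError(Exception):
    """Carries (error code, error subcode, data) exactly as a NOTIFICATION message would."""

    def __init__(self, code, subcode, data=b""):
        super().__init__(f"error code {code}, subcode {subcode}")
        self.code, self.subcode, self.data = code, subcode, data


def parse_header(msg):
    """Validate the fixed header of one complete message (assumption: one message per buffer)."""
    if len(msg) < HEADER_LEN:
        raise BgpError(MSG_HEADER_ERROR, 2, struct.pack("!H", len(msg)))   # Bad Message Length
    marker, length, mtype = struct.unpack("!16sHB", msg[:HEADER_LEN])
    if marker != MARKER:
        raise BgpError(MSG_HEADER_ERROR, 1)                                # Connection Not Synchronized
    if not HEADER_LEN <= length <= 4096 or length != len(msg):
        raise BgpError(MSG_HEADER_ERROR, 2, msg[16:18])                    # Bad Message Length
    if mtype not in (OPEN, UPDATE, NOTIFICATION, KEEPALIVE):
        raise BgpError(MSG_HEADER_ERROR, 3, msg[18:19])                    # Bad Message Type
    return mtype, msg[HEADER_LEN:]


def parse_open(body):
    """Decode the fixed OPEN fields and apply the checks a receiver performs before replying."""
    if len(body) < 10:
        raise BgpError(MSG_HEADER_ERROR, 2)
    version, my_as, hold_time, bgp_id, opt_len = struct.unpack("!BHHIB", body[:10])
    if version != 4:
        raise BgpError(OPEN_MSG_ERROR, 1, struct.pack("!H", 4))  # Unsupported Version Number (data = highest supported)
    if my_as == 0:
        raise BgpError(OPEN_MSG_ERROR, 2)                         # Bad Peer AS
    if bgp_id == 0:
        raise BgpError(OPEN_MSG_ERROR, 3)                         # Bad BGP Identifier (simplified: zero only)
    if hold_time in (1, 2):
        raise BgpError(OPEN_MSG_ERROR, 6)                         # Unacceptable Hold Time (0 or >= 3 only)
    if len(body) != 10 + opt_len:
        raise BgpError(MSG_HEADER_ERROR, 2)
    return {
        "version": version,
        "my_as": my_as,
        "hold_time": hold_time,
        "bgp_id": ".".join(str(b) for b in bgp_id.to_bytes(4, "big")),
        "opt_params": body[10:],          # capabilities live here; not decoded in this example
    }


def negotiated_timers(local_hold, remote_hold):
    """Hold time is the smaller of the two offers; KEEPALIVE interval is one third of it (the page's rule)."""
    hold = min(local_hold, remote_hold)
    return hold, hold // 3


def ip_to_int(dotted):
    return int.from_bytes(bytes(int(o) for o in dotted.split(".")), "big")


def build_open(my_as, hold_time, bgp_id, opt_params=b"", version=4):
    """Encode an OPEN message; used here only to construct the sample below."""
    body = struct.pack("!BHHIB", version, my_as, hold_time, ip_to_int(bgp_id), len(opt_params)) + opt_params
    return MARKER + struct.pack("!HB", HEADER_LEN + len(body), OPEN) + body


# Constructed sample: an OPEN from router ID 1.1.1.1 in AS 1 offering hold time 180 (values as in the debug output).
SAMPLE_OPEN = build_open(1, 180, "1.1.1.1")
```

Feeding a message with a corrupted marker to parse_header yields error code 1, subcode 1, and an OPEN with version 3 yields code 2, subcode 1, which is what the peer would see in the NOTIFICATION.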
KEEPALIVE message
Periodic messages exchanged between peers to ensure the peer is reachable. The recommended interval is 1/3 of the hold timer.
UPDATE messages
The UPDATE message can be divided as:
Unfeasible routes length
Withdrawn routes (each as <Prefix length, Prefix>)
Total path attribute length
Path attributes (for example AS_PATH), each with an attribute flag octet and an attribute type code
Network layer reachability information (each as <Length, Prefix>)

Attribute flag (1-bit fields): Optional/well known, Transitive/nontransitive
Well known mandatory: the attributes which must be included and recognized by any BGP implementation: ORIGIN, AS_PATH, NEXT_HOP
Well known discretionary: the attributes which must be recognized but need not be included in every UPDATE: LOCAL_PREF, ATOMIC_AGGREGATE
Optional transitive: in that case the router, even if it cannot recognize the attribute, will forward it: AGGREGATOR, COMMUNITY
Optional nontransitive: in that case the router, if it cannot recognize the attribute, will drop it: MULTI_EXIT_DISCRIMINATOR, ORIGINATOR_ID, CLUSTER_LIST
Attributes:
ORIGIN - well-known mandatory attribute which defines the origin of the path; it can have the following values: 0 IGP (interior to the originating AS), 1 EGP (network layer information learned via an exterior gateway protocol), 2 INCOMPLETE (network layer information learned from somewhere else)
AS_PATH - well-known mandatory attribute representing a chain of AS path segments; each segment is <path segment type, path segment length, path segment value> (just a chain of the ASs on the path)
NEXT_HOP - well-known mandatory attribute, the IP address of the router which should be used as the next hop to the destinations listed in the network layer reachability information of the UPDATE message
MED (MULTI_EXIT_DISCRIMINATOR) - optional non-transitive attribute; based on it a BGP speaker can decide which exit point to prefer in a multi-exit environment
LOCAL_PREF - well-known discretionary attribute used by a BGP speaker to inform the other BGP speakers inside its AS of its preference for the advertised route
ATOMIC_AGGREGATE - well-known discretionary attribute used by a BGP speaker to inform other BGP speakers that the local system selected a less specific route without selecting the more specific route included in it
AGGREGATOR - optional transitive attribute containing the last AS number, followed by the IP address of the BGP speaker which formed the aggregated route
COMMUNITY - defines common settings for BGP; for example community 0xFFFFFF01 is NO_EXPORT (the route should not be advertised to peers outside the AS) and 0xFFFFFF02 is NO_ADVERTISE (the route will not be advertised to any BGP peer) (more attributes will be discussed later)
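As an added example (not code from the original notes), the following Python walks the path attribute list of an UPDATE and applies the four handling rules from the attribute classes above: recognized attributes are decoded (ORIGIN, AS_PATH, NEXT_HOP, MED, LOCAL_PREF, ATOMIC_AGGREGATE, AGGREGATOR, COMMUNITY, including the NO_EXPORT and NO_ADVERTISE community values), an unrecognized well-known attribute is an error, an unrecognized optional transitive attribute is kept for forwarding with the PARTIAL flag set, and an unrecognized optional non-transitive attribute is dropped. Two-octet AS numbers are assumed (no AS4 capability), the type codes 1-8 are the IANA assignments, and the sample attribute bytes are constructed.

```python
import struct

# Type codes for the attributes listed above
ORIGIN, AS_PATH, NEXT_HOP, MED, LOCAL_PREF, ATOMIC_AGGREGATE, AGGREGATOR, COMMUNITY = range(1, 9)
KNOWN = set(range(1, 9))
MANDATORY = {ORIGIN, AS_PATH, NEXT_HOP}

# Attribute flag octet: the four high bits
OPTIONAL, TRANSITIVE, PARTIAL, EXT_LEN = 0x80, 0x40, 0x20, 0x10

AS_SET, AS_SEQUENCE = 1, 2                       # path segment types
ORIGIN_NAMES = {0: "IGP", 1: "EGP", 2: "INCOMPLETE"}
WELL_KNOWN_COMMUNITIES = {0xFFFFFF01: "NO_EXPORT", 0xFFFFFF02: "NO_ADVERTISE"}


def ipv4(raw):
    return ".".join(str(b) for b in raw)


def decode_value(code, value):
    """Decode the value field of a recognized attribute (2-octet ASNs assumed, i.e. no AS4 capability)."""
    if code == ORIGIN:
        return ORIGIN_NAMES[value[0]]
    if code == AS_PATH:
        segments, i = [], 0
        while i < len(value):
            seg_type, seg_len = value[i], value[i + 1]
            asns = struct.unpack(f"!{seg_len}H", value[i + 2:i + 2 + 2 * seg_len])
            segments.append((seg_type, list(asns)))
            i += 2 + 2 * seg_len
        return segments
    if code == NEXT_HOP:
        return ipv4(value)
    if code in (MED, LOCAL_PREF):
        return struct.unpack("!I", value)[0]
    if code == ATOMIC_AGGREGATE:
        return True
    if code == AGGREGATOR:
        asn, ip = struct.unpack("!H4s", value)
        return asn, ipv4(ip)
    comms = struct.unpack(f"!{len(value) // 4}I", value)   # COMMUNITY: list of 4-octet values
    return [WELL_KNOWN_COMMUNITIES.get(c, f"{c >> 16}:{c & 0xFFFF}") for c in comms]


def parse_path_attributes(buf):
    """Walk the path attribute list.
    Returns (decoded recognized attrs, unrecognized optional transitive attrs to pass on with PARTIAL set)."""
    attrs, pass_through, i = {}, [], 0
    while i < len(buf):
        flags, code = buf[i], buf[i + 1]
        if flags & EXT_LEN:
            length, hdr = struct.unpack("!H", buf[i + 2:i + 4])[0], 4
        else:
            length, hdr = buf[i + 2], 3
        value = buf[i + hdr:i + hdr + length]
        if len(value) != length:
            raise ValueError("attribute length runs past the end of the attribute list")  # UPDATE error subcode 5
        i += hdr + length
        if code in KNOWN:
            attrs[code] = decode_value(code, value)
        elif not flags & OPTIONAL:
            raise ValueError(f"unrecognized well-known attribute {code}")                    # UPDATE error subcode 2
        elif flags & TRANSITIVE:
            pass_through.append((flags | PARTIAL, code, value))   # keep it, mark that someone did not understand it
        # unrecognized optional non-transitive attributes are silently dropped
    missing = MANDATORY - attrs.keys()
    if missing:
        raise ValueError(f"missing well-known mandatory attribute(s) {sorted(missing)}")      # UPDATE error subcode 3
    return attrs, pass_through


def attr(flags, code, value):
    """Encode one attribute (short length form); used to build the constructed sample."""
    return bytes([flags, code, len(value)]) + value


# Constructed sample: a route via AS 1 then AS 3, next hop 16.1.1.2, tagged NO_EXPORT,
# plus one unknown optional transitive (code 200) and one unknown optional non-transitive (code 201) attribute.
SAMPLE_ATTRS = (
    attr(TRANSITIVE, ORIGIN, b"\x00")
    + attr(TRANSITIVE, AS_PATH, bytes([AS_SEQUENCE, 2]) + struct.pack("!HH", 1, 3))
    + attr(TRANSITIVE, NEXT_HOP, bytes([16, 1, 1, 2]))
    + attr(OPTIONAL, MED, struct.pack("!I", 50))
    + attr(OPTIONAL | TRANSITIVE, COMMUNITY, struct.pack("!I", 0xFFFFFF01))
    + attr(OPTIONAL | TRANSITIVE, 200, b"\xaa")
    + attr(OPTIONAL, 201, b"\xbb")
)
```

On the sample the unknown code 200 comes back in the pass-through list with PARTIAL set, code 201 disappears, and an attribute list without AS_PATH and NEXT_HOP is rejected as missing mandatory attributes.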
BAD DESIGN
[Figure: R1 - IBGP - R3 - IBGP - R4 inside one AS; R2, R5 and R6 are EBGP peers attached to this chain.]
In that configuration the main problem is: routes learned via IBGP will never be advertised to another IBGP peer. In this example the routes learned from R2 will be advertised to R3, but R3 will not advertise those routes to R4.
That situation can be handled by route reflectors, which will be described later.
Synchronization
When a router receives a route from an IBGP peer, before advertising that route to an EBGP peer it checks whether the other routers are able to reach the next hop and whether the destination prefix exists in the IGP database; only then does it advertise the route, otherwise BGP will not advertise it. The synchronization rule is that the router should not advertise a route to an external destination until that route is known through the IGP. Most BGP implementations allow synchronization to be disabled, because the problem is that we cannot inject all routes into the IGP: no IGP protocol can handle thousands of routes. NOTE! It is very important how routes are injected into the Internet.
Route reflectors
[Figure: a route reflector server with client peers; a route received over EBGP is reflected to the clients.]
Routers in large networks can have dozens of peers each. The idea behind route reflectors is to have one focal router to which the others peer, and that route reflector in turn peers with another route reflector. Because of the rule that a route learned via an IBGP peer is not advertised to another IBGP speaker, the route reflector is allowed to reflect routes, which relaxes the full-mesh requirement. A route reflector server can also be optimized to send copies of one UPDATE message instead of generating them for each peer separately.
[Figure: two clusters, each with its own route reflector.]
Redundancy means several route reflector servers in the network; the main point is to have logically redundant connections, but that is worth nothing without redundant physical connections. A route reflector is not able to overwrite the attributes of reflected IBGP routes. CLUSTER_LIST is an optional non-transitive attribute.
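As an added example (not code from the original notes), the following Python models the reflection decision described above: a route from a client is reflected to the other clients and to all non-client IBGP peers, a route from a non-client is reflected to the clients only, the only attributes touched are ORIGINATOR_ID (set once) and CLUSTER_LIST (own cluster ID prepended), and a route that already carries this reflector's cluster ID or originator ID is dropped, which is the loop prevention that keeps a redundant reflector pair from re-reflecting each other's routes forever. Peer addresses are taken from Router1's configuration later on the page; using the sending peer's address as the ORIGINATOR_ID is a simplification (a real reflector uses the originator's BGP router ID).

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    local_pref: int = 100                    # reflected unchanged, like every other attribute
    originator_id: Optional[str] = None      # ORIGINATOR_ID: who injected the route into the AS
    cluster_list: tuple = ()                 # CLUSTER_LIST: reflectors this route has already passed


class RouteReflector:
    def __init__(self, router_id, clients, non_clients, cluster_id=None):
        self.router_id = router_id
        self.cluster_id = cluster_id or router_id      # cluster ID defaults to the reflector's router ID
        self.clients, self.non_clients = set(clients), set(non_clients)

    def reflect(self, from_peer, route):
        """Return {peer: route} for every IBGP peer that gets a reflected copy, or {} if the route is dropped."""
        # Loop prevention: our cluster ID in CLUSTER_LIST, or our router ID as ORIGINATOR_ID,
        # means this route already went through us once.
        if self.cluster_id in route.cluster_list or route.originator_id == self.router_id:
            return {}
        if from_peer in self.clients:
            targets = (self.clients - {from_peer}) | self.non_clients
        elif from_peer in self.non_clients:
            targets = set(self.clients)
        else:
            raise ValueError(f"{from_peer} is not an IBGP peer of this reflector")
        # Only ORIGINATOR_ID (set if absent; simplified to the sending peer's address) and
        # CLUSTER_LIST (own cluster ID prepended) change; everything else is reflected as received.
        reflected = replace(
            route,
            originator_id=route.originator_id or from_peer,
            cluster_list=(self.cluster_id,) + route.cluster_list,
        )
        # The same object is handed to every target: one UPDATE, several copies.
        return {peer: reflected for peer in sorted(targets)}


# Constructed from Router1's configuration on this page: clients 11.1.1.2 and 12.1.1.2, non-client 4.4.4.4.
ROUTER1 = RouteReflector("1.1.1.1", clients={"11.1.1.2", "12.1.1.2"}, non_clients={"4.4.4.4"})
```

A route from client 11.1.1.2 reaches 12.1.1.2 and 4.4.4.4 with CLUSTER_LIST ("1.1.1.1",); a route from non-client 4.4.4.4 reaches both clients; a route already tagged with cluster 1.1.1.1 goes nowhere.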
Route injection
Dynamic: pure dynamic redistribution of all IGP routes into BGP, and semi-dynamic redistribution of only certain routes into BGP (the network command). In the second case the router checks the IP routing table, and if the route is not found the BGP router will not advertise it. Full redistribution of the IGP into BGP will cause some unwanted information to be advertised. Mutual redistribution: redistribution in both directions, BGP<->IGP; in that case a route learned from external BGP and redistributed into the IGP could be advertised back to an EBGP peer with our own AS, as for AS 1 presented below.
[Figure: route advertisement between AS 1 and AS 2. Routes advertised by peers enter the inbound policy engine (filtering, attribute manipulation), then the BGP table (BGP RIBs: In-BGP-RIB, Adj-BGP-RIB, Out-BGP-RIB), then the outbound policy engine, and leave as routes advertised to peers. Routes used by the router go into the routing table; route injection feeds the BGP table from the IGP routing process.]
Private AS usage
[Figure: ISP A (AS1) with two multihomed customers using private AS numbers, CUST1 (AS65500) and CUST2 (AS65501), and a second provider ISP B (AS6).]
In that case we have two customers multihomed to a single service provider. The private AS number range is 64512 - 65535.
Regular expression characters used in AS-path filters:
.    Matches any single character, including white space.
*    Matches 0 or more sequences of the pattern.
+    Matches 1 or more sequences of the pattern.
?    Matches 0 or 1 occurrences of the pattern.
^    (caret) Matches the beginning of the input string.
$    (dollar sign) Matches the end of the input string.
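As an added example (not code from the original notes) covering both the private AS section and the regular expression table, the following Python strips private AS numbers from an AS path before it is advertised outside the provider, reports routes whose path still carries private ASNs after crossing an eBGP boundary (a leak a provider would want to detect), and selects AS paths with regular expressions built from the characters in the table. The 16-bit private range is the page's 64512-65535; the 32-bit private range 4200000000-4294967294 is added as a known fact from RFC 6996. Python's re module uses the same . * + ? ^ $ metacharacters; the IOS underscore token has no Python equivalent, so the sample patterns write the AS boundary out explicitly. The sample paths are constructed.

```python
import re

# 16-bit private ASN range from the page; 32-bit private range per RFC 6996 (known fact, not on the page).
PRIVATE_16 = range(64512, 65536)
PRIVATE_32 = range(4200000000, 4294967295)


def is_private_as(asn):
    return asn in PRIVATE_16 or asn in PRIVATE_32


def strip_private_as(as_path):
    """Drop private ASNs from a path before it leaves the provider (what a 'remove private AS' knob does)."""
    return [asn for asn in as_path if not is_private_as(asn)]


def find_private_as_leaks(routes):
    """(prefix, private ASNs) for every route whose AS_PATH still carries private ASNs after an eBGP hop."""
    leaks = []
    for prefix, as_path in routes:
        private = [asn for asn in as_path if is_private_as(asn)]
        if private:
            leaks.append((prefix, private))
    return leaks


def match_as_paths(pattern, as_paths):
    """Select AS paths (strings of space-separated ASNs) that match a regex using . * + ? ^ $."""
    rx = re.compile(pattern)
    return [path for path in as_paths if rx.search(path)]


# Constructed sample AS paths as a router would show them ("" = locally originated).
SAMPLE_PATHS = ["", "2", "2 3", "1 1 1 3", "200 3", "65500 1"]
```

On the samples, "^$" selects only the locally originated route, "^2( |$)" selects paths starting with AS 2 without also catching AS 200, "3$" selects every path ending in AS 3, and "^1( 1)+ 3$" picks out the prepended path; the leak check on a constructed route carrying [65501, 100] reports 65501.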
PEER GROUPS
A peer group is a group of neighbor BGP routers which share the same update settings. Peer groups allow the policies common to several peers to be defined once instead of for each router. FOR EXAMPLE: in this case Router A has 2 external peers and 1 internal peer, and 2 peer groups are defined on Router A.
[Figure: Router A with its two external peers and one internal peer assigned to peer group 1 and peer group 2.]
Confederations
[Figure: confederation AS500 made up of the sub-ASs AS65500, AS65501 and AS65502, with EBGP sessions between the sub-ASs.]
The idea of confederations is that an AS can be broken into a few smaller ASs. Inside a sub-AS all the IBGP rules apply (such as the full mesh); between sub-ASs EBGP sessions are established. The route decision preference is: external to the AS, then external to the sub-AS, then IBGP.
[Figure: capability optional parameter layout: Capability Code (1 octet), Capability Length (1 octet), Capability Value (variable).]
The use and meaning of these fields are as follows:
Capability Code: a one octet field that unambiguously identifies individual capabilities.
Capability Length: a one octet field that contains the length of the Capability Value field in octets.
Capability Value: a variable length field that is interpreted according to the value of the Capability Code field.
A particular capability, as identified by its Capability Code, may occur more than once within the Optional Parameter. Capability code assignments are made by IANA: 0 is reserved, 1-64 are assigned according to the IETF Consensus policy, 65-128 on a first come first served basis, and 129-255 are for private use.
The route refresh message is a new type of BGP message. A BGP speaker which wants to receive route refresh messages from its peer needs to send the route refresh capability using BGP capability advertisement. The AFI/SAFI carried in such a message should be an AFI/SAFI advertised during session establishment via capability advertisement. If a speaker receives an AFI/SAFI which was not advertised, the speaker shall ignore that message.
Note: otherwise, the BGP speaker shall re-advertise to that peer the Adj-RIB-Out of the <AFI, SAFI> carried in the message, based on its outbound route filtering policy.
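As an added example (not code from the original notes) covering both the capability fields and the route refresh rule above, the following Python parses the Capabilities optional parameter (type 2) from an OPEN, decodes the multiprotocol capability (code 1: AFI, reserved octet, SAFI) and the route refresh capability (code 2) as they appear in the debug output later on this page, classifies each code point by the IANA ranges quoted above, and accepts a ROUTE-REFRESH for an <AFI, SAFI> only if the peer advertised both the route refresh capability and that <AFI, SAFI>. Code points 1, 2 and 65 (4-octet AS) are IANA assignments; the sample bytes are constructed to match the debug output (one 6-byte and one 2-byte capability parameter).

```python
import struct

CAP_MP_EXT, CAP_ROUTE_REFRESH, CAP_AS4 = 1, 2, 65   # IANA capability codes (known facts)
PARAM_CAPABILITIES = 2                               # OPEN optional parameter type for capabilities


def capability_registry_range(code):
    """Classify a code point by the IANA assignment policy ranges given on the page."""
    if code == 0:
        return "reserved"
    if code <= 64:
        return "IETF consensus"
    if code <= 128:
        return "first come first served"
    return "private use"


def decode_capability(code, value):
    if code == CAP_MP_EXT:
        afi, _reserved, safi = struct.unpack("!HBB", value)   # reserved octet is ignored
        return {"afi": afi, "safi": safi}
    if code == CAP_ROUTE_REFRESH:
        return {}                                            # zero-length value
    if code == CAP_AS4:
        return {"asn": struct.unpack("!I", value)[0]}
    return {"raw": value.hex()}                              # unknown code: keep the bytes, do not guess


def parse_optional_parameters(buf):
    """Walk the OPEN optional parameters; each Capabilities parameter holds one or more capability TLVs."""
    caps, i = [], 0
    while i < len(buf):
        ptype, plen = buf[i], buf[i + 1]
        pval = buf[i + 2:i + 2 + plen]
        if len(pval) != plen:
            raise ValueError("truncated optional parameter")
        i += 2 + plen
        if ptype != PARAM_CAPABILITIES:
            raise ValueError(f"unsupported optional parameter type {ptype}")   # OPEN error subcode 4
        j = 0
        while j < len(pval):
            code, clen = pval[j], pval[j + 1]
            cval = pval[j + 2:j + 2 + clen]
            if len(cval) != clen:
                raise ValueError("truncated capability")
            j += 2 + clen
            caps.append({"code": code, "policy": capability_registry_range(code), **decode_capability(code, cval)})
    return caps


def supports(caps, code, **match):
    """True if the peer advertised `code` with every given field value (e.g. afi=1, safi=1)."""
    return any(c["code"] == code and all(c.get(k) == v for k, v in match.items()) for c in caps)


def accept_route_refresh(peer_caps, afi, safi):
    """Process a ROUTE-REFRESH only if the peer advertised route refresh and that <AFI, SAFI>; else ignore it."""
    return supports(peer_caps, CAP_ROUTE_REFRESH) and supports(peer_caps, CAP_MP_EXT, afi=afi, safi=safi)


# Constructed sample mirroring the debug output: parameter type 2 len 6 carrying MP_EXT for AFI 1 / SAFI 1,
# then parameter type 2 len 2 carrying route refresh (code 2, length 0).
SAMPLE_OPT_PARAMS = bytes([2, 6, 1, 4, 0, 1, 0, 1]) + bytes([2, 2, 2, 0])
```

The sample decodes to two capabilities; a ROUTE-REFRESH for <1, 1> is accepted and one for <2, 1> (IPv6 unicast, never advertised) is ignored, which is the page's rule.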
Route dampening
Route dampening is a mechanism of route stability control. A route which is flapping causes UPDATE/WITHDRAWN messages to be propagated. Route dampening categorizes routes as well behaved or ill behaved. A well behaved route is one which shows a high level of stability over a long period of time; an ill behaved route is one which shows a low level of stability over a short period of time.
TERMINOLOGY:
Penalty - a number of points assigned to a route each time the route flaps
Suppress limit - if the number of points is greater than the suppress limit the route is suppressed (suppressed = not advertised)
Half-life - the amount of time which must pass for the number of points to be reduced by one half
Reuse limit - the number of points (if the route is up) under which the route is not suppressed any more
History entry - stores the route flap information
[Figure: penalty points over time, with the suppress limit and the reuse limit drawn as horizontal lines.]
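As an added example (not code from the original notes), the following Python implements the dampening terminology above: each flap adds a penalty, the penalty decays exponentially with the half-life, the route is suppressed once the penalty exceeds the suppress limit, it is reused once the penalty decays below the reuse limit, and the history entry is cleared once the penalty falls below half the reuse limit. The parameter defaults (half-life 15 min, reuse 750, suppress 2000, max-suppress 60 min, 1000 points per flap) are Cisco IOS defaults and an assumption of this example; the max-suppress time is turned into a penalty ceiling the same way IOS does, reuse * 2^(max-suppress / half-life). The flap times are constructed.

```python
import math


class RouteDampener:
    """Per-prefix flap penalty with exponential half-life decay (Cisco default parameters assumed)."""

    def __init__(self, half_life_min=15.0, reuse=750, suppress=2000, max_suppress_min=60.0, flap_penalty=1000):
        self.half_life, self.reuse, self.suppress, self.flap_penalty = half_life_min, reuse, suppress, flap_penalty
        # Ceiling so that a route is never suppressed longer than max_suppress_min after its last flap
        self.max_penalty = reuse * 2 ** (max_suppress_min / half_life_min)
        self.history = {}   # prefix -> [penalty, time of last update, suppressed]  (the history entry)

    def _decayed(self, entry, now):
        penalty, last, suppressed = entry
        penalty *= 0.5 ** ((now - last) / self.half_life)   # half the points per half-life
        return [penalty, now, suppressed]

    def flap(self, prefix, now):
        """Record a flap at time `now` (minutes); returns True if the route is now suppressed."""
        entry = self._decayed(self.history.get(prefix, [0.0, now, False]), now)
        entry[0] = min(entry[0] + self.flap_penalty, self.max_penalty)
        if entry[0] > self.suppress:
            entry[2] = True
        self.history[prefix] = entry
        return entry[2]

    def state(self, prefix, now):
        """(penalty, suppressed) at time `now`; drops the history entry once the penalty is below reuse/2."""
        if prefix not in self.history:
            return 0.0, False
        entry = self._decayed(self.history[prefix], now)
        if entry[2] and entry[0] < self.reuse:
            entry[2] = False            # reuse: the route is advertised again
        if entry[0] < self.reuse / 2:
            del self.history[prefix]    # history entry cleared
            return 0.0, False
        self.history[prefix] = entry
        return entry[0], entry[2]

    def minutes_until_reuse(self, prefix, now):
        """Remaining suppression if the route stops flapping now: t = half_life * log2(penalty / reuse)."""
        penalty, suppressed = self.state(prefix, now)
        if not suppressed:
            return 0.0
        return self.half_life * math.log2(penalty / self.reuse)
```

Three flaps one minute apart push a prefix over the 2000-point suppress limit (1000, then about 1955, then about 2867 points); from there it takes about 29 minutes of quiet to decay below the 750-point reuse limit, and by minute 60 the history entry is gone.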
MP_REACH_NLRI fields: Address Family Identifier (AFI), Subsequent Address Family Identifier (SAFI), Length of the next hop address, Next hop address, Reserved, NLRI
AFI/SAFI - identify the set of network layer protocols
Reserved - 1 octet field whose value should be set to 0 and ignored upon receipt
NLRI - network layer reachability information
NOTE! An UPDATE message that carries the MP_REACH_NLRI MUST also carry the ORIGIN and the AS_PATH attributes (both in EBGP and in IBGP exchanges). Moreover, in IBGP exchanges such a message MUST also carry the LOCAL_PREF attribute.
MP_UNREACH_NLRI - optional non-transitive attribute which can be used for route withdrawal. Fields: Address Family Identifier (AFI), Subsequent Address Family Identifier (SAFI), Withdrawn routes
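As an added example (not code from the original notes), the following Python decodes the MP_REACH_NLRI and MP_UNREACH_NLRI value fields laid out above (AFI, SAFI, next hop length and address, the ignored reserved octet, and <length, prefix> NLRI entries in which the prefix carries only as many octets as its length needs) and checks the NOTE's rule that ORIGIN and AS_PATH, plus LOCAL_PREF over IBGP, must accompany MP_REACH_NLRI. AFI 1 = IPv4 and AFI 2 = IPv6, SAFI 1 = unicast, and attribute type codes 1, 2 and 5 are IANA assignments; the sample bytes are constructed from documentation addresses.

```python
import ipaddress
import struct

AFI_IPV4, AFI_IPV6, SAFI_UNICAST = 1, 2, 1
ORIGIN, AS_PATH, LOCAL_PREF = 1, 2, 5   # attribute type codes referenced by the NOTE above


def decode_nlri(buf, afi):
    """Decode <length, prefix> pairs; the prefix carries only as many octets as its length needs."""
    addr_len = 4 if afi == AFI_IPV4 else 16
    prefixes, i = [], 0
    while i < len(buf):
        plen = buf[i]
        nbytes = (plen + 7) // 8
        raw = buf[i + 1:i + 1 + nbytes]
        if len(raw) != nbytes or nbytes > addr_len:
            raise ValueError("truncated or oversized NLRI prefix")
        addr = ipaddress.ip_address(raw + b"\x00" * (addr_len - nbytes))   # pad to a full address
        prefixes.append(f"{addr}/{plen}")
        i += 1 + nbytes
    return prefixes


def parse_mp_reach_nlri(value):
    afi, safi, nh_len = struct.unpack("!HBB", value[:4])
    addr_len = 4 if afi == AFI_IPV4 else 16
    nh_raw = value[4:4 + nh_len]
    # The reserved octet at value[4 + nh_len] is set to 0 by the sender and ignored here, as the page says.
    nlri = value[5 + nh_len:]
    # An IPv6 next hop may carry a global address followed by a link-local one, hence the split.
    next_hops = [str(ipaddress.ip_address(nh_raw[k:k + addr_len])) for k in range(0, nh_len, addr_len)]
    return {"afi": afi, "safi": safi, "next_hops": next_hops, "nlri": decode_nlri(nlri, afi)}


def parse_mp_unreach_nlri(value):
    afi, safi = struct.unpack("!HB", value[:3])
    return {"afi": afi, "safi": safi, "withdrawn": decode_nlri(value[3:], afi)}


def missing_required_attrs(attr_codes, ibgp):
    """The NOTE's rule: MP_REACH_NLRI needs ORIGIN and AS_PATH, and LOCAL_PREF as well over IBGP."""
    required = {ORIGIN, AS_PATH} | ({LOCAL_PREF} if ibgp else set())
    return sorted(required - set(attr_codes))


def encode_prefix(prefix):
    """Encode one prefix as <length, truncated address>; used only to build the constructed samples."""
    net = ipaddress.ip_network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([net.prefixlen]) + net.network_address.packed[:nbytes]


# Constructed samples: an IPv6 unicast reach with two prefixes, and an IPv4 unicast withdraw.
SAMPLE_REACH = (
    struct.pack("!HBB", AFI_IPV6, SAFI_UNICAST, 16)
    + ipaddress.ip_address("2001:db8::1").packed
    + b"\x00"
    + encode_prefix("2001:db8:1::/48")
    + encode_prefix("2001:db8:2::/64")
)
SAMPLE_UNREACH = struct.pack("!HB", AFI_IPV4, SAFI_UNICAST) + encode_prefix("192.0.2.0/24")
```

The reach sample decodes to next hop 2001:db8::1 with prefixes 2001:db8:1::/48 and 2001:db8:2::/64, the withdraw sample to 192.0.2.0/24, and an IBGP UPDATE carrying only ORIGIN, AS_PATH and MP_REACH_NLRI (code 14) is reported as missing LOCAL_PREF.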
Capability advertisement
End point address - the address of the BGP speaker originating the update. A message which carries MP_REACH_NLRI or MP_UNREACH_NLRI should also carry ORIGIN and AS_PATH, and LOCAL_PREFERENCE for IBGP. The TUNNEL ENCAPSULATION attribute structure is as follows:
Tunnel type | Length | Value
Tunnel type - the type of tunneling technology; unknown types are ignored and discarded
Length - the number of octets of the value field
Value - comprised of multiple sub-TLVs
[Figure: a Tunnel TLV whose value is a sequence of sub-TLVs, each made of SubTLV Type, SubTLV Length and SubTLV Value.]
SubTLV Type - defines a certain property of the tunnel: type 1 is encapsulation, type 2 is protocol, type 4 is color (?)
If one BGP speaker receives an Encapsulation SAFI update from another BGP speaker, then the first BGP speaker must initiate an IPsec security association (SA) of the specified tunnel type, and all packets must be sent through that SA. ATTRIBUTE sub-TLV:
[Figure: lab topology. AS 1: Router1 (loopback 1.1.1.1; loopbacks 192.1.1.1, 192.1.2.1, 192.1.3.1, 192.1.4.1), Router2, Router3 (loopbacks 192.3.1.1, 192.3.2.1, 192.3.3.1, 192.3.4.1), Router4 (loopback 4.4.4.4). AS 2: Router6. AS 3: Router5. Links: Router1-Router6 10.1.1.1/10.1.1.2, Router1-Router3 11.1.1.1/11.1.1.2, Router1-Router2 12.1.1.1/12.1.1.2, Router1-Router4 13.1.1.1/13.1.1.2, Router6-Router5 15.1.1.1/15.1.1.2, Router5-Router3 16.1.1.1/16.1.1.2, Router4-Router2 17.1.1.1/17.1.1.2.]
NOTE! That topology should be considered as 3 equal ASs which need to advertise all their routes to each other; it does not pretend to be best practice. Otherwise (in case one of the ASs is a customer multihomed to 2 providers) routing policies should be implemented so that the customer AS does not become a transit AS for the providers' traffic.
Session establishment
Router# debug ip bgp all
*Nov 21 16:19:41.231: BGP: 1.1.1.1 went from Idle to Connect
*Nov 21 16:19:41.239: BGP: 1.1.1.1 rcv message type 1, length (excl. header) 26
*Nov 21 16:19:41.243: BGP: 1.1.1.1 rcv OPEN, version 4, holdtime 180 seconds
*Nov 21 16:19:41.243: BGP: 1.1.1.1 went from Connect to OpenSent
*Nov 21 16:19:41.243: BGP: 1.1.1.1 sending OPEN, version 4, my as: 1, holdtime 180 seconds
*Nov 21 16:19:41.243: BGP: 1.1.1.1 rcv OPEN w/ OPTION parameter len: 16
*Nov 21 16:19:41.243: BGP: 1.1.1.1 rcvd OPEN w/ optional parameter type 2 (Capability) len 6
*Nov 21 16:19:41.247: BGP: 1.1.1.1 OPEN has CAPABILITY code: 1, length 4
*Nov 21 16:19:41.247: BGP: 1.1.1.1 OPEN has MP_EXT CAP for afi/safi: 1/1
*Nov 21 16:19:41.247: BGP: 1.1.1.1 rcvd OPEN w/ optional parameter type 2 (Capability) len 2
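As an added example (not code from the original notes), the following Python turns debug output like the above into events, reconstructs each peer's state transitions, records the version and hold time the peer offered in its OPEN, and flags peers that keep bouncing between Idle and Connect, which is the pattern of a session that cannot establish (misconfiguration, a filtered TCP port, or a peer under stress). The first five sample lines are the page's own debug lines; the lines for peer 10.1.1.2 are constructed to show a flapping session. IOS timestamps carry no year, so the parser accepts the default year.

```python
import re
from datetime import datetime, timedelta

LINE_RX = re.compile(r"^\*?(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d\.\d+): BGP: (?P<peer>\S+) (?P<msg>.*)$")
TRANSITION_RX = re.compile(r"went from (\w+) to (\w+)")
OPEN_RX = re.compile(r"rcv OPEN, version (\d+), holdtime (\d+) seconds")


def parse_debug(text):
    """Turn 'debug ip bgp' lines into event dicts; prompts and non-BGP lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RX.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f")   # no year in IOS timestamps
        ev = {"ts": ts, "peer": m["peer"], "kind": "other", "msg": m["msg"]}
        if t := TRANSITION_RX.search(m["msg"]):
            ev.update(kind="transition", old=t.group(1), new=t.group(2))
        elif o := OPEN_RX.search(m["msg"]):
            ev.update(kind="open", version=int(o.group(1)), holdtime=int(o.group(2)))
        events.append(ev)
    return events


def transitions(events, peer):
    """Ordered (old state, new state) pairs for one peer."""
    return [(e["old"], e["new"]) for e in events if e["kind"] == "transition" and e["peer"] == peer]


def open_params(events):
    """peer -> (version, holdtime) as received in its OPEN."""
    return {e["peer"]: (e["version"], e["holdtime"]) for e in events if e["kind"] == "open"}


def flapping_peers(events, attempts=3, window=timedelta(seconds=60)):
    """Peers that went Idle -> Connect at least `attempts` times within one sliding window."""
    starts = {}
    for e in events:
        if e["kind"] == "transition" and (e["old"], e["new"]) == ("Idle", "Connect"):
            starts.setdefault(e["peer"], []).append(e["ts"])
    flapping = []
    for peer, times in starts.items():
        for k in range(len(times) - attempts + 1):
            if times[k + attempts - 1] - times[k] <= window:
                flapping.append(peer)
                break
    return sorted(flapping)


# First five lines are from the page's debug output; the 10.1.1.2 lines are constructed.
SAMPLE_LOG = """\
Router# debug ip bgp all
*Nov 21 16:19:41.231: BGP: 1.1.1.1 went from Idle to Connect
*Nov 21 16:19:41.239: BGP: 1.1.1.1 rcv message type 1, length (excl. header) 26
*Nov 21 16:19:41.243: BGP: 1.1.1.1 rcv OPEN, version 4, holdtime 180 seconds
*Nov 21 16:19:41.243: BGP: 1.1.1.1 went from Connect to OpenSent
*Nov 21 16:19:41.243: BGP: 1.1.1.1 sending OPEN, version 4, my as: 1, holdtime 180 seconds
*Nov 21 16:19:50.000: BGP: 10.1.1.2 went from Idle to Connect
*Nov 21 16:19:51.000: BGP: 10.1.1.2 went from Connect to Idle
*Nov 21 16:19:55.000: BGP: 10.1.1.2 went from Idle to Connect
*Nov 21 16:19:56.000: BGP: 10.1.1.2 went from Connect to Idle
*Nov 21 16:20:05.000: BGP: 10.1.1.2 went from Idle to Connect
"""
```

On the sample, 1.1.1.1 shows the healthy Idle -> Connect -> OpenSent sequence with version 4 and hold time 180, while 10.1.1.2 is reported as flapping (three connection attempts in 15 seconds).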
Router 1
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router1
!
(omitted)
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Loopback1
 ip address 192.168.1.1 255.255.255.0
!
interface Loopback2
 ip address 192.1.2.1 255.255.255.0
!
interface Loopback3
 ip address 192.1.3.1 255.255.255.0
!
interface Loopback4
 ip address 192.1.4.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 13.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 10.1.1.1 255.255.255.0
 no fair-queue
 clock rate 125000
!
interface FastEthernet0/1
 ip address 11.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
!
interface FastEthernet1/0
 ip address 12.1.1.1 255.255.255.0
 speed auto
 half-duplex
!
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 redistribute connected
 neighbor 4.4.4.4 remote-as 1
 neighbor 4.4.4.4 update-source Loopback0
 neighbor 10.1.1.2 remote-as 2
 neighbor 11.1.1.2 remote-as 1
 neighbor 11.1.1.2 update-source Loopback0
 neighbor 11.1.1.2 route-reflector-client
 neighbor 11.1.1.2 next-hop-self
 neighbor 12.1.1.2 remote-as 1
 neighbor 12.1.1.2 route-reflector-client
 no auto-summary
!
ip forward-protocol nd
ip route 4.4.4.4 255.255.255.255 FastEthernet0/0
!
(omitted)
alias exec s sh ip int brief
(omitted)
end
Router 2
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router2
!
boot-start-marker
boot-end-marker
!
(omitted)
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet1/0
 ip address 12.1.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/1
 ip address 17.1.1.2 255.255.255.0
 duplex auto
 speed auto
!
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 neighbor 12.1.1.1 remote-as 1
 neighbor 17.1.1.1 remote-as 1
 no auto-summary
!
!
alias exec s sh ip int brief
no ip http server
no ip http secure-server
Router2> en
Router2# configure terminal
Router2(config)# interface FastEthernet 1/0
Router2(config-if)# ip address 12.1.1.2 255.255.255.0
Router2> en
Router2# configure terminal
Router2(config)# router bgp 1
Router2(config-router)# neighbor 12.1.1.1 remote-as 1
Router2(config-router)# neighbor 17.1.1.1 remote-as 1
Router2(config-router)# no auto-summary
IBGP peers
Router 3
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router3
!
(omitted)
!
!
interface Loopback1
 ip address 192.3.1.1 255.255.255.0
!
interface Loopback2
 ip address 192.3.2.1 255.255.255.0
!
interface Loopback3
 ip address 192.3.3.1 255.255.255.0
!
interface Loopback4
 ip address 192.3.4.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet1/0
 ip address 11.1.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial2/0
 ip address 16.1.1.2 255.255.255.0
 serial restart-delay 0
 no fair-queue
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/4
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/5
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/6
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/7
 no ip address
 shutdown
 serial restart-delay 0
!
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 redistribute connected
 neighbor 1.1.1.1 remote-as 1
 neighbor 16.1.1.1 remote-as 3
 neighbor 16.1.1.1 route-map mapasprepend out
 no auto-summary
!
ip route 1.1.1.1 255.255.255.255 FastEthernet1/0
ip route 4.4.4.4 255.255.255.255 11.1.1.1
!
no ip http server
no ip http secure-server
!
!
access-list 1 permit 192.3.0.0 0.0.255.255
access-list 1 permit 192.168.1.0 0.0.0.255
!
route-map mapasprepend permit 10
 match ip address 1
 set as-path prepend 1 1 1
!
(omitted)
!
alias exec s sh ip int brief
Router3> en
Router3# configure terminal
Router3(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Router3(config)# route-map mapasprepend permit 10
Router3(config-route-map)# match ip address 1
Router3(config-route-map)# set as-path prepend 1 1 1
Note! The traffic for 192.168.1.0 sourced from Router5 will now go through Router6.
Router 4
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router4
!
(omitted)
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface Loopback1
 ip address 192.4.1.1 255.255.255.0
!
interface Loopback2
 ip address 192.4.2.1 255.255.255.0
!
interface Loopback3
 ip address 192.4.3.1 255.255.255.0
!
interface Loopback4
 ip address 192.4.4.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet1/0
 ip address 17.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/1
 ip address 13.1.1.2 255.255.255.0
 duplex auto
 speed auto
!
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 redistribute connected
 neighbor 1.1.1.1 remote-as 1
 neighbor 1.1.1.1 update-source Loopback0
 neighbor 17.1.1.2 remote-as 1
 no auto-summary
!
ip route 1.1.1.1 255.255.255.255 FastEthernet1/1
!
no ip http server
no ip http secure-server
!
!
(omitted)
!
!
end
Router 5
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router5
!
(omitted)
!
interface Loopback1
 ip address 192.5.1.1 255.255.255.0
!
interface Loopback2
 ip address 192.5.2.1 255.255.255.0
!
interface Loopback3
 ip address 192.5.3.1 255.255.255.0
!
interface Loopback4
 ip address 192.5.4.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 15.1.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 16.1.1.1 255.255.255.0
 clock rate 56000
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
!
router bgp 3
 no synchronization
 bgp log-neighbor-changes
 redistribute connected
 neighbor 15.1.1.1 remote-as 2
 neighbor 16.1.1.2 remote-as 1
 no auto-summary
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
ip pim accept-rp auto-rp
!
(omitted)
!
!
end
Router 6
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router6
!
(omitted)
!
ip multicast-routing
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
(omitted)
!
interface Loopback1
 ip address 192.6.1.1 255.255.255.0
!
interface Loopback2
 ip address 192.6.2.1 255.255.255.0
!
interface Loopback3
 ip address 192.6.3.1 255.255.255.0
!
interface Loopback4
 ip address 192.6.4.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 15.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 10.1.1.2 255.255.255.0
 clock rate 2000000
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
!
router bgp 2
 no synchronization
 bgp log-neighbor-changes
 redistribute connected
 neighbor 10.1.1.1 remote-as 1
 neighbor 15.1.1.2 remote-as 3
 no auto-summary
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
ip pim accept-rp auto-rp
!
alias exec s sh ip int brief
!
(omitted)
end
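As an added example (not code from the original notes), the following Python reads the router bgp stanza out of an IOS configuration like the ones above and reports what a reviewer of these configurations would raise: eBGP neighbors with no inbound or outbound policy (route-map, prefix-list, filter-list or distribute-list), which is what the page's earlier note about keeping a multihomed customer from becoming a transit AS requires, and redistribute statements without a route-map, which is the full redistribution the route injection section warns will advertise unwanted information. The sample is Router3's stanza as shown on the page; it has an outbound route-map towards AS 3 but no inbound policy and unfiltered redistribute connected. The parser relies on IOS indenting stanza lines by one space.

```python
import re


def parse_bgp_stanza(config):
    """Pull the 'router bgp' block out of an IOS config and index what it says per neighbor."""
    stanza = {"local_as": None, "redistribute": [], "neighbors": {}}
    inside = False
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"router bgp (\d+)$", line)
        if m:
            stanza["local_as"] = int(m.group(1))
            inside = True
            continue
        if not inside:
            continue
        if not raw.startswith(" ") or line == "!":
            break                                   # end of the indented router bgp block
        m = re.match(r"redistribute (\S+)(?: route-map (\S+))?", line)
        if m:
            stanza["redistribute"].append((m.group(1), m.group(2)))
            continue
        m = re.match(r"neighbor (\S+) (.+)$", line)
        if not m:
            continue
        nb = stanza["neighbors"].setdefault(
            m.group(1), {"remote_as": None, "policy_in": [], "policy_out": [], "rr_client": False}
        )
        words = m.group(2).split()
        if words[0] == "remote-as":
            nb["remote_as"] = int(words[1])
        elif words[0] == "route-reflector-client":
            nb["rr_client"] = True
        elif words[0] in ("route-map", "prefix-list", "filter-list", "distribute-list") and words[-1] in ("in", "out"):
            nb["policy_" + words[-1]].append(f"{words[0]} {words[1]}")
    return stanza


def audit_bgp(stanza):
    """Findings: eBGP sessions without policy in either direction, and unfiltered redistribution."""
    findings = []
    for ip, nb in sorted(stanza["neighbors"].items()):
        if nb["remote_as"] is None or nb["remote_as"] == stanza["local_as"]:
            continue                                # IBGP peers are not checked here
        for direction in ("in", "out"):
            if not nb["policy_" + direction]:
                findings.append(f"eBGP neighbor {ip} (AS {nb['remote_as']}): no {direction}bound policy")
    for proto, rmap in stanza["redistribute"]:
        if rmap is None:
            findings.append(f"redistribute {proto}: unfiltered (no route-map)")
    return findings


# Router3's BGP stanza as shown on this page, followed by the next top-level command that ends the block.
ROUTER3_BGP = """\
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 redistribute connected
 neighbor 1.1.1.1 remote-as 1
 neighbor 16.1.1.1 remote-as 3
 neighbor 16.1.1.1 route-map mapasprepend out
 no auto-summary
!
ip route 1.1.1.1 255.255.255.255 FastEthernet1/0
"""
```

Run over the whole running-config text, the parser skips everything before router bgp and stops at the first unindented line or "!" after it; for Router3 it reports the missing inbound policy on the AS 3 session and the unfiltered redistribute connected.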
[Figure: confederation AS 100 made up of sub-AS 65500 (Router1) and sub-AS 65501 (Router4).]
Router 1
(omitted)
!
interface FastEthernet0/0
 ip address 13.1.1.1 255.255.255.0
 duplex auto
 speed auto
router bgp 65500
 no synchronization
 bgp log-neighbor-changes
 bgp confederation identifier 100
 bgp confederation peers 65501
 redistribute connected
 neighbor 13.1.1.2 remote-as 65501
 no auto-summary
!
(omitted)

Router3> en
Router3# configure terminal
Router3(config)# router bgp 65500
Router3(config-router)# bgp confederation identifier 100
Router3(config-router)# bgp confederation peers 65501
Router3(config-router)# redistribute connected
Router1(config-router)# neighbor 13.1.1.2 remote-as 65501
Router1(config-router)# no auto-summary
Router 2
In that example Router 2 does not have any special configuration, except static routes to provide IP connectivity between Router 4 and Router 5.
Router 4
interface FastEthernet1/0
 ip address 17.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/1
 ip address 13.1.1.2 255.255.255.0
 duplex auto
 speed auto
!
router bgp 65501
 no synchronization
 bgp log-neighbor-changes
 bgp confederation identifier 100
 bgp confederation peers 65500
 redistribute connected
 neighbor 12.1.1.1 remote-as 200
 neighbor 12.1.1.1 ebgp-multihop 5
 neighbor 13.1.1.1 remote-as 65500
 no auto-summary
Router 4 configuration
(omitted)
!
 bgp dampening route-map selectivedampening
 redistribute connected
!
(omitted)
!
route-map selectivedampening permit 10
 match ip address 1
 set dampening 30 5000 10000 30
!
(omitted)