Jaycee's Networking

May 17, 2009

Basic BGP Configuration – IOS

Filed under: BGP, IOS — Jaycee @ 4:19 pm

A. Basic BGP Commands:

router bgp 64512
 no synchronization
 bgp dampening
 network 10.10.2.0 mask 255.255.254.0
 neighbor 192.168.1.5 remote-as 64513
 neighbor 192.168.1.5 next-hop-self
 neighbor 192.168.1.5 default-originate
 no auto-summary

1. “network” command: BGP assumes the old classful addressing scheme when a mask isn’t provided explicitly.

2. “neighbor” command: Use it only to specify our peers. If BGP neighbors aren’t communicating, make sure they can actually reach each other. BGP neighbors will not peer if they can’t reach each other.

3. Local-AS numbers: AS numbers reserved for local use range from 64512 to 65535.

4. Synchronization: a BGP router is not allowed to advertise a route that is learned from another BGP peer until the router knows about the route via an IGP. Synchronization can be disabled safely under either of two conditions:

a. If your network doesn’t pass traffic from one AS to another (i.e. other networks don’t route their traffic through you)

b. If all your border routers are running BGP.

5. “no auto-summary” disables automatic summarization.

6. “default-originate” causes the BGP router to advertise a default route to other BGP routers, even if it doesn’t have a default route defined for itself.

7. “next-hop-self” tells the router to rewrite the route’s next hop as itself.

8. “bgp dampening” command: Route dampening controls the effect that a flapping route has on the network. Route flapping occurs when a route changes state repeatedly. BGP handles route flapping with the bgp dampening command.

a. When this feature is activated, the router tolerates only a certain number of state changes for a route within a certain amount of time.

b. If the state-change threshold (tolerance) is reached, the route is placed in a hold-down (ignored) state for a period.

c. After the hold-down time passes, the route is again allowed into the routing table to see if it behaves.

Dampening doesn’t stop the router from receiving unstable routes. It prevents the router from forwarding what it considers to be unstable routes.
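To put items 8a–8c into numbers, here is an added example (not code from the original post, and not IOS code) that models the route-flap dampening rules with the IOS defaults for bgp dampening: a penalty of 1000 per flap, a half-life of 15 minutes, a suppress limit of 2000, a reuse limit of 750 and a max-suppress time of 60 minutes. The prefix and the flap times are constructed.

```python
import math

# Cisco IOS defaults for `bgp dampening`: half-life 15 min, reuse 750,
# suppress 2000, max-suppress 60 min; each flap adds a penalty of 1000.
PENALTY_PER_FLAP = 1000
HALF_LIFE_SEC = 15 * 60
REUSE_LIMIT = 750
SUPPRESS_LIMIT = 2000
MAX_SUPPRESS_SEC = 60 * 60
# A route is never held down longer than max-suppress, which bounds the penalty.
MAX_PENALTY = REUSE_LIMIT * 2 ** (MAX_SUPPRESS_SEC / HALF_LIFE_SEC)   # 12000


class DampenedRoute:
    """Flap history for one prefix, as a router running dampening keeps it."""

    def __init__(self, prefix):
        self.prefix = prefix
        self.penalty = 0.0
        self.last_update = 0.0
        self.suppressed = False
        self.reuse_at = None

    def _decay(self, now):
        # The penalty halves every half-life of elapsed time.
        elapsed = now - self.last_update
        self.penalty *= 0.5 ** (elapsed / HALF_LIFE_SEC)
        self.last_update = now

    def flap(self, now):
        """Record one state change (withdrawal or re-announcement) at `now` seconds."""
        self._decay(now)
        self.penalty = min(self.penalty + PENALTY_PER_FLAP, MAX_PENALTY)
        if self.penalty >= SUPPRESS_LIMIT:
            self.suppressed = True          # tolerance reached: hold-down (item 8b)
        if self.suppressed:
            # Hold the route down until the penalty would decay below the reuse limit.
            decay_time = HALF_LIFE_SEC * math.log2(self.penalty / REUSE_LIMIT)
            self.reuse_at = now + min(decay_time, MAX_SUPPRESS_SEC)
        return self.suppressed

    def usable(self, now):
        """True if the router will install/advertise the route at time `now`."""
        self._decay(now)
        if self.suppressed and now >= self.reuse_at:
            self.suppressed = False         # hold-down over: the route gets another chance (item 8c)
        return not self.suppressed


def simulate(flap_times, check_time, prefix="10.10.2.0/23"):
    """Apply flaps at the given times; return (suppressed after the last flap,
    usable at check_time)."""
    route = DampenedRoute(prefix)
    suppressed = False
    for t in flap_times:
        suppressed = route.flap(t)
    return suppressed, route.usable(check_time)


if __name__ == "__main__":
    # Constructed scenario: a prefix flaps three times, one minute apart.
    for flaps in ([0, 60], [0, 60, 120]):
        s, _ = simulate(flaps, check_time=flaps[-1])
        print(f"{len(flaps)} flaps: suppressed={s}")
    _, u = simulate([0, 60, 120], check_time=2000)
    print(f"usable about 31 minutes after the third flap: {u}")
```

Two flaps a minute apart leave the penalty just under 2000, the third pushes it over and the prefix is held down; because the penalty only halves every 15 minutes it takes roughly 29 minutes to decay below 750 and be released. The same model explains why a single flap never causes suppression with the defaults.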

B. iBGP Checklist:

There are 2 ways to get iBGP to work correctly.

1. Redistribute all external routes into all of your iBGP routers. (<= not a good idea)

Problem: Routing table might be large, and some of the routers may not be able to handle it.

2. Full Mesh:

a. Disable synchronization.

b. Make sure all iBGP routers are fully meshed.

c. Make sure all networks and subnets that connect iBGP routers are known. That is, a route exists between all of your routers, and your interior routing protocol is doing its job and distributing those routes. If the routers cannot talk to one another, they won’t be able to peer.

C. Simple BGP Configuration:

[Figure: a simple BGP network]

office-r1:

interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
interface Serial0
 ip address 172.16.1.2 255.255.255.0
interface Serial1
 ip address 192.168.3.1 255.255.255.0
!
router bgp 3000
 no synchronization
 network 192.168.3.0
 network 192.168.1.0
 neighbor 172.16.1.1 remote-as 100
 neighbor 192.168.3.2 remote-as 3000
 neighbor 192.168.3.2 next-hop-self
 neighbor 192.168.3.2 default-originate
!
ip route 0.0.0.0 0.0.0.0 172.16.1.1

office-r2:

interface Ethernet0
 ip address 192.168.2.1 255.255.255.0
interface Serial0
 ip address 192.168.3.2 255.255.255.0
!
router bgp 3000
 no synchronization
 network 192.168.2.0
 neighbor 192.168.3.1 remote-as 3000

ISP:

interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
interface Serial1
 ip address 172.16.1.1 255.255.255.0
 clockrate 64000
!
router bgp 100
 network 172.16.0.0
 neighbor 10.1.1.2 remote-as 200
 neighbor 172.16.1.2 remote-as 3000

Verify:

office-r2#show ip route
Gateway of last resort is 192.168.3.1 to network 0.0.0.0

B    172.16.0.0/16 [200/0] via 192.168.3.1, 00:03:10
B    172.16.1.0/24 [200/0] via 192.168.3.1, 00:03:15
C    192.168.2.0/24 is directly connected, Ethernet0
C    192.168.3.0/24 is directly connected, Serial0
B*   0.0.0.0/0 [200/0] via 192.168.3.1, 00:03:16

1. The gateway of last resort is set because we have “default-originate” set on the office-r1 router (192.168.3.1).

2. The route for 172.16.0.0/16 is via 192.168.3.1 because we used the “next-hop-self” option. If we hadn’t put that command in, the route would have looked like this:

B    172.16.0.0/16 [200/0] via 172.16.1.1, 00:00:17

In this configuration, this route would work as well as the route to 192.168.3.2 because the default route tells our router how to get to that address. If we didn’t have the default route, we would have to add an extra network statement, defining 172.16.0.0, to office-r1’s configuration.

office-r2#show ip bgp
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network      Next Hop       Metric  LocPrf  Weight  Path
*>i0.0.0.0      192.168.3.1               100       0  i
*>i172.16.0.0   192.168.3.1         0     100       0  100 i
*>i192.168.1.0  192.168.3.1         0     100       0  i
*> 192.168.2.0  0.0.0.0             0          32768   i
*>i192.168.3.0  192.168.3.1         0     100       0  i

3. “i” means the route was learned through an interior protocol and therefore doesn’t cross autonomous system boundaries.

4. The 172.16.0.0 network is in another autonomous system (AS 100). For this route to reach office-r1, AS 100 must have learned it from some sort of interior protocol. Therefore, the path for this network is 100 i.

5. If a network 172.30.0.0 is attached to the ISP router and belongs to AS 200, the route might look like this:

office-r2#show ip bgp

  Network       Next Hop       Metric  LocPrf  Weight  Path
...
*>i172.30.0.0   192.168.3.1         0     100       0  100 200 i
...

6. This path shows that to reach 172.30.0.0, you must cross AS 100, then enter AS 200, which learned the route through an interior protocol such as RIP. Therefore, you don’t need to cross any more AS boundaries.
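Reading the Path column by eye is fine for five routes; for a full table you want to parse it. The following is an added example (not code from the original post) that parses show ip bgp output using the header line to locate the right-aligned Metric, LocPrf and Weight columns and the Path column, then applies the rules from items 3 to 6: the trailing i/e/? is the origin code, the numbers before it are the AS boundaries crossed, and an empty AS list means the route never left our AS. The sample table is constructed to match the office-r2 output above (with the 172.30.0.0 route added); the check for unexpected origin ASes is my addition.

```python
# Constructed sample modelled on the office-r2 output above (same columns and values,
# plus the 172.30.0.0 route from AS 200); it was not captured from a live router.
SAMPLE = """\
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network      Next Hop       Metric  LocPrf  Weight  Path
*>i0.0.0.0      192.168.3.1               100       0  i
*>i172.16.0.0   192.168.3.1         0     100       0  100 i
*>i172.30.0.0   192.168.3.1         0     100       0  100 200 i
*>i192.168.1.0  192.168.3.1         0     100       0  i
*> 192.168.2.0  0.0.0.0             0           32768  i
*>i192.168.3.0  192.168.3.1         0     100       0  i
"""


def parse_show_ip_bgp(text):
    """Parse IOS `show ip bgp` table output into dicts. The header line gives the
    column positions; Metric/LocPrf/Weight are right-aligned under their labels."""
    lines = text.splitlines()
    header_idx = next(i for i, l in enumerate(lines) if l.lstrip().startswith("Network"))
    header = lines[header_idx]
    m_start = header.index("Metric")
    m_end = m_start + len("Metric")
    l_end = header.index("LocPrf") + len("LocPrf")
    w_end = header.index("Weight") + len("Weight")
    p_start = header.index("Path")
    entries = []
    for line in lines[header_idx + 1:]:
        if not line.strip() or line.startswith("..."):
            continue
        status = line[:3]                                   # e.g. "*>i"
        network, next_hop = line[3:m_start].split()
        metric = line[m_start:m_end].strip()
        locprf = line[m_end:l_end].strip()
        weight = line[l_end:w_end].strip()
        *as_path, origin = line[p_start:].split()           # "100 200 i" -> [100, 200], "i"
        entries.append({
            "network": network,
            "next_hop": next_hop,
            "valid": "*" in status,
            "best": ">" in status,
            "internal": status[2] == "i",                   # learned over iBGP
            "dampened": status[0] in "sdh",                 # suppressed / damped / history
            "metric": int(metric) if metric else None,
            "locprf": int(locprf) if locprf else None,
            "weight": int(weight),
            "as_path": [int(asn) for asn in as_path],
            "origin": origin,
        })
    return entries


def as_hops(entry):
    """Number of AS boundaries crossed to reach the prefix (0 = inside our own AS)."""
    return len(entry["as_path"])


def origin_as(entry):
    """AS that originated the prefix, or None if it was originated inside our own AS."""
    return entry["as_path"][-1] if entry["as_path"] else None


def unexpected_origins(entries, expected):
    """Sanity check for an operator: prefixes whose originating AS differs from what
    `expected` (prefix -> AS) says, i.e. a prefix that is suddenly sourced elsewhere."""
    return [e for e in entries
            if e["network"] in expected and origin_as(e) != expected[e["network"]]]


if __name__ == "__main__":
    for e in parse_show_ip_bgp(SAMPLE):
        print(f'{e["network"]:<13} hops={as_hops(e)} origin_as={origin_as(e)} '
              f'internal={e["internal"]} path={e["as_path"]} {e["origin"]}')
```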

D. Neighbor Authentication:

1. BGP authentication uses an MD5 message digest.

2. Using the example above, we can enable password authentication between office-r1 and office-r2.

office-r1:

router bgp 3000
 neighbor 192.168.3.2 remote-as 3000
 neighbor 192.168.3.2 password letmein

office-r2:

router bgp 3000
 neighbor 192.168.3.1 remote-as 3000
 neighbor 192.168.3.1 password letmein
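What the neighbor password actually protects is the TCP session carrying BGP: every segment gets the TCP MD5 signature option from RFC 2385, an MD5 over the pseudo-header (both addresses), the TCP header with the checksum zeroed and options removed, the payload, and the shared key. The example below is added here (it is not code from the original post and not Cisco's implementation) and builds and verifies that signature; the TCP header values, the NOP-NOP-option layout and the 10.9.9.9 address used as a second source are constructed, the key letmein is the one from the configuration above.

```python
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
MD5_OPTION_KIND = 19        # TCP option kind for the RFC 2385 signature
MD5_OPTION_LEN = 18         # kind + length + 16-byte digest


def build_tcp_header(sport, dport, seq, ack, flags, window, options=b""):
    """Fixed 20-byte TCP header (checksum and urgent pointer left at zero) followed
    by options, NOP-padded to a 32-bit boundary."""
    options += b"\x01" * (-len(options) % 4)
    data_offset = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                        data_offset << 4, flags, window, 0, 0)
    return fixed + options


def tcp_md5_digest(src_ip, dst_ip, tcp_header, data, key):
    """RFC 2385 signature: MD5 over (1) the TCP pseudo-header, (2) the TCP header
    without options and with the checksum zeroed, (3) the payload, (4) the key."""
    segment_len = len(tcp_header) + len(data)          # options count towards the length
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, segment_len))
    fixed = tcp_header[:16] + b"\x00\x00" + tcp_header[18:20]   # checksum zeroed, no options
    return hashlib.md5(pseudo + fixed + data + key).digest()


def sign_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window, data, key):
    """Return a TCP header carrying the MD5 option, as the sending router builds it."""
    placeholder = b"\x01\x01" + bytes([MD5_OPTION_KIND, MD5_OPTION_LEN]) + b"\x00" * 16
    header = build_tcp_header(sport, dport, seq, ack, flags, window, placeholder)
    digest = tcp_md5_digest(src_ip, dst_ip, header, data, key)
    # Options start at byte 20; NOP, NOP, kind, length occupy 4 bytes, then the digest.
    return header[:24] + digest + header[40:]


def extract_md5_option(tcp_header):
    """Walk the TCP options and return the 16-byte digest, or None if absent."""
    opts = tcp_header[20:]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                  # end of option list
            break
        if kind == 1:                  # NOP
            i += 1
            continue
        length = opts[i + 1]
        if kind == MD5_OPTION_KIND and length == MD5_OPTION_LEN:
            return opts[i + 2:i + MD5_OPTION_LEN]
        i += max(length, 2)
    return None


def verify_segment(src_ip, dst_ip, tcp_header, data, key):
    """Receiver side: recompute the signature and compare it in constant time."""
    received = extract_md5_option(tcp_header)
    if received is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, tcp_header, data, key)
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    key = b"letmein"
    # office-r1 (192.168.3.1) opens the session to office-r2 (192.168.3.2) on port 179.
    hdr = sign_segment("192.168.3.1", "192.168.3.2", 40001, 179, 1000, 0, 0x02, 16384, b"", key)
    print("right key:", verify_segment("192.168.3.1", "192.168.3.2", hdr, b"", key))
    print("wrong key:", verify_segment("192.168.3.1", "192.168.3.2", hdr, b"", b"guess"))
    print("same bytes from another source address:",
          verify_segment("10.9.9.9", "192.168.3.2", hdr, b"", key))
```

Because the addresses are inside the digest, a segment copied from the wire and resent from another address fails the check even with the right payload, and because the key is appended rather than exchanged, a mismatch shows up on the receiver as a silently dropped segment, which is why a typo in the password looks like a neighbor that never comes up.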

E. Peer Groups:

1. Peer groups eliminate redundant configuration lines by allowing you to define a group and then make each neighbor a part of that group.

2. For example, assume you have a route map that enforces some routing policy. Instead of applying that route map separately on each neighbor, you can add all the neighbors to a peer group and then apply the route map for the group as a whole.

[Figure: iBGP network with peer-group configuration]

R1:

router bgp 500
 neighbor policy1 peer-group
 neighbor policy1 remote-as 500
 neighbor policy1 next-hop-self
 neighbor policy1 route-map map1 in
 neighbor 10.10.2.1 peer-group policy1
 neighbor 10.10.3.1 peer-group policy1

F. Route Reflectors:

1. BGP does NOT advertise a route learned from one iBGP router to another.

2. A route is advertised via iBGP ONLY IF it’s learned from the iBGP router that first advertised it.

3. An iBGP router cannot advertise a route it learned from another iBGP router to a third iBGP router. (Because of this restriction, if you have multiple routers connected to different AS networks, all of the routers must be fully meshed.)

4. One solution is to use route reflectors.

5. Route reflectors ease the advertisement restriction by allowing a BGP router to reflect BGP routes it learns about to a third BGP router.

[Figure: route reflectors]

6. As in the diagram above, let’s set up a route reflector on R1 that propagates iBGP routes between R2 and R3.

R1:

router bgp 500
 neighbor 10.10.2.1 remote-as 500
 neighbor 10.10.2.1 route-reflector-client
 neighbor 10.10.3.1 remote-as 500
 neighbor 10.10.3.1 route-reflector-client

7. With the above configuration, R1 can advertise R2’s iBGP routes to R3, and R3’s routes to R2.
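The iBGP checklist in section B (full mesh) and the route-reflector rules in items 1 to 7 above can be checked before touching a router. The following is an added example (not code from the original post) that takes a list of iBGP sessions and, optionally, which routers are reflectors with which clients, and works out which routers end up with a route originated at a given router, applying the rules as simplified from RFC 4271 and RFC 4456: the originator tells all its peers, an ordinary iBGP router never re-advertises an iBGP-learned route, and a reflector passes client routes to all its other peers and non-client routes to its clients. The router names and topologies are constructed around the R1/R2/R3 figure.

```python
from collections import deque
from itertools import combinations


def full_mesh(routers):
    """Every pair of routers: the sessions a plain iBGP deployment needs (n*(n-1)/2)."""
    return list(combinations(routers, 2))


def ibgp_reachability(origin, sessions, reflectors=None):
    """Return the set of routers that end up with a route originated at `origin`.

    sessions:   iterable of (a, b) iBGP peerings
    reflectors: {rr: set_of_client_routers} for any route reflectors (optional)
    """
    reflectors = reflectors or {}
    peers = {}
    for a, b in sessions:
        peers.setdefault(a, set()).add(b)
        peers.setdefault(b, set()).add(a)
    learned = {origin}
    seen = {(origin, None)}
    queue = deque([(origin, None)])          # (router holding the route, who it learned it from)
    while queue:
        router, learned_from = queue.popleft()
        if learned_from is None:
            targets = peers.get(router, set())            # originator: tell every iBGP peer
        elif router in reflectors:
            clients = reflectors[router]
            if learned_from in clients:
                targets = peers[router] - {learned_from}  # client route: reflect to everyone else
            else:
                targets = clients & peers[router]         # non-client route: reflect to clients only
        else:
            targets = set()                               # iBGP-learned, not a reflector: stops here
        for nbr in targets:
            learned.add(nbr)
            if (nbr, router) not in seen:
                seen.add((nbr, router))
                queue.append((nbr, router))
    return learned


def routers_missing_route(origin, all_routers, sessions, reflectors=None):
    """Routers that would never see the route: the checklist failure to look for."""
    return sorted(set(all_routers) - ibgp_reachability(origin, sessions, reflectors))


if __name__ == "__main__":
    routers = ["R1", "R2", "R3"]
    star = [("R1", "R2"), ("R1", "R3")]       # R2 and R3 only peer with R1
    print("star, no reflector, route from R2 misses:", routers_missing_route("R2", routers, star))
    print("star, R1 reflects for R2 and R3, misses:",
          routers_missing_route("R2", routers, star, {"R1": {"R2", "R3"}}))
    print("full mesh, misses:", routers_missing_route("R2", routers, full_mesh(routers)))
    print("sessions for a 10-router full mesh:", len(full_mesh([f"R{i}" for i in range(1, 11)])))
```

With only the two sessions from the figure and no route-reflector-client statements, a route from R2 stops at R1; adding the reflector configuration from item 6 gets it to R3, which is exactly what item 7 claims. The full-mesh count shows why reflectors become attractive as the AS grows.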

G. BGP Confederacies:

1. Confederacies allow you to divide an AS into smaller, more manageable pieces.

2. Inside each little AS, all the iBGP routers are fully meshed.

3. Outside, all the little ASes are fully meshed to each other.

[Figure: BGP confederacies]

4. In the example above, the problem with using route reflectors is that we would need more than one reflector, and managing them could easily get out of control.

R1:

router bgp 10000
 bgp confederation identifier 500
 bgp confederation peers 10010 10020
 neighbor 10.10.2.1 remote-as 10010
 neighbor 10.10.3.1 remote-as 10020
 neighbor 10.11.1.1 remote-as 600

R2:

router bgp 10010
 bgp confederation identifier 500
 bgp confederation peers 10000 10020
 neighbor 10.10.1.1 remote-as 10000
 neighbor 10.10.3.1 remote-as 10020
 neighbor 10.12.1.1 remote-as 700

R3:

router bgp 10020
 bgp confederation identifier 500
 bgp confederation peers 10000 10010
 neighbor 10.10.1.1 remote-as 10000
 neighbor 10.10.2.1 remote-as 10010
 neighbor 10.13.1.1 remote-as 800

H. BGP TTL Security:

1. It’s possible for a rogue router to hijack a BGP peer connection and inject bogus routes.

2. To prevent this, you can use TTL checking between peers.

3. Because it’s extremely difficult or impossible to forge TTL counts, we can apply a rule that accepts only IP packets whose TTL count matches our configured hop count (TTL can be considered a hop count).

4. If the BGP peer was directly connected, we could set the hop-count (TTL) to 2, and our BGP process accepts only packets with that hop-count from that neighbor’s IP address.

neighbor 10.10.1.1 ttl-security hops 2

5. With this setting, if the hop-count is less than 253, the packet is dropped. (You get 253 by subtracting our hop-count of 2 from 255). The only TTL values that will be accepted are 254 and 253.

6. This command is NOT supported for iBGP peers. It applies ONLY to eBGP peers.
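The arithmetic behind ttl-security is worth writing down precisely, since it is easy to get off by one (see the first comment below). The check is the Generalized TTL Security Mechanism of RFC 5082, which Cisco's ttl-security hops implements: a packet passes when its arriving TTL is at least 255 minus the configured hop count, so hops 2 admits 253, 254 and 255 (a directly connected peer that sends with TTL 255, as a router with ttl-security enabled does, arrives with 255 untouched). The example below is added here (not code from the original post) and runs constructed packets through that rule; it shows why a sender can't satisfy the check from farther away than the configured hop count, because no sender can start above 255 and every router on the way subtracts one.

```python
def gtsm_accepts(ttl, hops):
    """The `neighbor ... ttl-security hops N` check as specified by RFC 5082 (GTSM):
    accept only when the arriving TTL is at least 255 - N."""
    if not 1 <= hops <= 254:
        raise ValueError("hops must be between 1 and 254")
    return ttl >= 255 - hops


def accepted_ttls(hops):
    """All TTL values the check lets through for a given hop count."""
    return list(range(255 - hops, 256))


def arriving_ttl(initial_ttl, routers_traversed):
    """TTL the receiver sees: each router on the path decrements it by one
    (a packet whose TTL reaches zero is discarded in transit)."""
    return max(initial_ttl - routers_traversed, 0)


def evaluate(packets, hops):
    """Run constructed packets (label, initial_ttl, routers_traversed) through the
    check and return {label: accepted}."""
    return {label: gtsm_accepts(arriving_ttl(ttl, n), hops) for label, ttl, n in packets}


# Constructed traffic arriving at a router configured with `ttl-security hops 2`.
PACKETS = [
    ("directly connected peer, sends TTL 255", 255, 0),
    ("peer two routers away, sends TTL 255", 255, 2),
    ("host five routers away, sends the maximum TTL 255", 255, 5),
    ("directly connected host that does not use GTSM (sends TTL 64)", 64, 0),
]

if __name__ == "__main__":
    print("accepted TTLs for hops 2:", accepted_ttls(2))
    for label, ok in evaluate(PACKETS, 2).items():
        print(f"{'accept' if ok else 'drop  '}  {label}")
```

The last constructed packet shows the other half of the mechanism: both sides must be configured, because a peer that keeps sending with a default TTL is dropped just like a distant sender.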


2 Comments »

  1. only TTL 255 and 254 will be accepted but not 253 🙂

    Comment by X — October 29, 2010 @ 12:36 pm

  2. Hey There. I found your weblog using msn. This is a very neatly written article. I’ll be sure to bookmark it and come back to read more of your useful info. Thank you for the post. I will definitely comeback.

    Comment by ios 8 apps — September 22, 2014 @ 3:11 pm

