BGP Overview Summary
Function/Feature | Description
Protocol Type | Path Vector
RFC / Proprietary | RFC 4271
Administrative Distance (AD) | 20 – External BGP; 200 – Internal BGP (and locally originated BGP routes)
Algorithm | BGP Best Path Selection Process
Transport protocol | TCP/179
Metric | AS path length / policy (path attributes)
Best path selection | BGP Best Path Selection Process
Hello interval | N/A (KEEPALIVE every 60 seconds by default, hold time 180 seconds)
Update destination | Unicast to configured neighbours
Update (advertisement) interval | External BGP – 30 seconds; Internal BGP – 5 seconds (minimum time between successive UPDATEs for the same prefix to a peer; current IOS releases default iBGP to 0)
Full or partial updates | Partial (incremental) updates
Triggered updates | Yes – UPDATEs are sent only when reachability or attributes change, paced by the advertisement interval; there is no periodic re-advertisement
Authentication | TCP MD5 signature option (RFC 2385); newer platforms also support TCP-AO (RFC 5925)
Route-tags | On redistribution into and out of BGP
- Successor of EGP
- BGP behaves more like an application running over TCP than a classic routing protocol: it exchanges Network Layer Reachability Information (NLRI) between peers rather than discovering topology
- Advertises reachability (a prefix plus the AS path and attributes needed to choose between paths), not link-state topology details
- IPv4 NLRI contains:
- Prefix/Length
- Carried with it in the same UPDATE: the path attributes (AS_PATH, ORIGIN, NEXT_HOP, ...) that apply to every prefix in that message
BGP Rules
Synchronization
Synchronisation Rule: a prefix learned via iBGP must also be present in the IGP/global routing table before it is advertised to an eBGP peer
- To advertise a prefix to eBGP, there needs to be a matching entry in the global routing table
- This may mean inserting a route to null0
- Prevents 'black-hole routing' through non-BGP routers that sit in between iBGP peers (they would not know the prefix)
- Disabled by default on current IOS; only relevant where the transit path contains non-BGP routers and the prefix is redistributed into the IGP
- Synchronization can be turned off manually
- Command:
- (config-router)#no synchronization
Split-Horizon
Split-Horizon Rule: prefixes learned via iBGP will never be sent to another iBGP peer
- Assumes all iBGP neighbours are fully meshed
- Loop prevention mechanism (iBGP does not change AS_PATH, so it cannot rely on the AS-path check)
- Can be bypassed with a Route Reflector or a Confederation
AS-Path Loop Prevention
AS Path Loop Prevention Rule: prefixes received with the local ASN in AS_PATH will be dropped
- Prefix loop prevention mechanism between ASes
- Can be bypassed with allowas-in (CE side) or as-override (PE side) for specific cases, e.g. MPLS VPN sites sharing one ASN
- Once bypassed, other loop prevention methods (e.g. Site of Origin) need to be used
BGP Databases
Database | Description | Command
Neighbor Table | Lists all neighbours and their state | #show ip bgp summary / #show bgp ipv4 unicast summary
Adj-RIB-In | All unprocessed prefixes learned from a neighbour, before inbound policy | #show ip bgp neighbor <peer-ip> received-routes* / #show bgp ipv4 unicast neighbor <peer-ip> received-routes*
Adj-RIB-Out | Prefixes being sent to a neighbour in UPDATE messages, after outbound policy | #show ip bgp neighbor <peer-ip> advertised-routes / #show bgp ipv4 unicast neighbor <peer-ip> advertised-routes
Loc-RIB | Prefixes learned from neighbours that have passed inbound policies/filters | #show ip bgp neighbor <peer-ip> routes
BGP Table | All prefixes learned, each path with its attributes; best paths are sent to the Global Routing Table (GRT) | #show ip bgp / #show bgp ipv4 unicast
Global Routing Table | Lists all best paths taken from the BGP table (alongside routes from other sources) | #show ip route [bgp]
*Only available when soft-reconfiguration inbound is configured for that neighbour (the router keeps an unmodified copy of everything received)
BGP Neighbors
BGP Neighbor TCP Session Options
- BGP uses TCP as transport, so for each session one peer is the TCP client (it initiates the connection) and the other is the TCP server (it listens on port 179)
- Both peers normally attempt to connect; if two connections form at once the collision is resolved by BGP Identifier: the connection initiated by the peer with the higher Router-ID is kept, so that peer ends up as the TCP client
- The TCP role can be forced: 'active' always initiates, 'passive' only listens
- Command:
- (config-router)#neighbor <peer ip> transport connection-mode [active | passive]
Option | Usable routes to the peer | Outgoing TTL | Inbound TTL check
eBGP multihop = 1 (default) | Connected routes only | 1 | None
eBGP multihop X > 1 | Any route except the default route | X | None
disable-connected-check | Any route except the default route | 1 | None
GTSM (ttl-security hops 1) | Connected routes only | 255 | Accept only if TTL >= 254
GTSM (ttl-security hops X > 1) | Any route except the default route | 255 | Accept only if TTL >= 255 - X
GTSM hops 1 + disable-connected-check | Any route except the default route | 255 | Accept only if TTL >= 254
- iBGP neighbours do not need to be directly connected
- eBGP neighbours are expected to be directly connected by default
- TTL of the TCP session packets is set to 1
- Can be bypassed by raising the TTL to a multihop value
- eBGP Multihop
- Command:
- (config-router)#neighbor <peer ip> ebgp-multihop <1-255>
- Security caveat: multihop only raises the outgoing TTL; nothing on the receiving side checks how far away the sender really is, so any host that can reach TCP/179 can attempt a session (rely on MD5/TCP-AO and infrastructure ACLs as well)
- Generalized TTL Security Mechanism (GTSM, RFC 5082)
- Uses reverse logic: packets are sent with TTL 255 and the receiver rejects any packet whose TTL has decremented below 255 - hops
- A packet from a distant attacker has crossed more routers and arrives with a TTL too low to pass the check; TTL cannot be raised in transit
- Both sides must configure ttl-security; it cannot be combined with ebgp-multihop on the same neighbour
- Command:
- (config-router)#neighbor <peer-ip> ttl-security hops <1-255>
- Can manually specify the source interface (IP) of the BGP peering session
- Commonly used for peering between loopback addresses
- If update-source is only configured on one peer, that peer will always be the TCP session client
- Command:
- (config-router)#neighbor <peer-ip> update-source <IF>
- eBGP neighbours peering between loopbacks will not form a session by default because they fail the directly-connected check
- The directly-connected check can be disabled
- Does not alter the TTL value from 1, so the peer address must still be reachable within one hop (over the directly attached link)
- Command:
- (config-router)#neighbor <peer ip> disable-connected-check
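The difference between ebgp-multihop and ttl-security is easiest to see by running the TTL arithmetic from the table above. The following Python is an added example written for these notes (it is not Cisco code and not part of the original page); the `mode`, `hops` and `routers_crossed` parameters and the distances used in the usage at the bottom are constructed for illustration.

```python
"""GTSM (ttl-security) versus ebgp-multihop: what the inbound TTL check
does and does not stop.

Added example written for these notes (not Cisco code and not from the
original page).  It applies the rule from the table above: multihop only
raises the outgoing TTL and performs no inbound check, GTSM sends 255 and
rejects anything that has decremented below 255 - hops.  The hop counts
used in the usage at the bottom are constructed.
"""


def arriving_ttl(initial_ttl, routers_crossed):
    """TTL as seen by the receiver: every forwarding router decrements it by
    one and discards the packet when it would reach 0 (returned as 0)."""
    ttl = initial_ttl - routers_crossed
    return ttl if ttl > 0 else 0


def accepts(mode, hops, ttl_on_arrival):
    """Inbound check for one neighbour.

    mode == "multihop": no inbound TTL check (any delivered packet passes).
    mode == "gtsm":     accept only if TTL >= 255 - hops (RFC 5082).
    """
    if ttl_on_arrival <= 0:
        return False                     # never delivered
    if mode == "multihop":
        return True
    if mode == "gtsm":
        return ttl_on_arrival >= 255 - hops
    raise ValueError(f"unknown mode {mode!r}")


def session_reachable(mode, hops, routers_crossed):
    """Can a legitimate peer `routers_crossed` routers away get through?
    Outgoing TTL is `hops` for multihop (1 = default eBGP) and 255 for GTSM."""
    initial = hops if mode == "multihop" else 255
    return accepts(mode, hops, arriving_ttl(initial, routers_crossed))


def spoofer_gets_through(mode, hops, routers_crossed):
    """An attacker sends the maximum TTL of 255 (the best it can do: TTL can
    only go down in transit).  With multihop this always passes the TTL
    check; with GTSM it fails once the attacker is further away than `hops`."""
    return accepts(mode, hops, arriving_ttl(255, routers_crossed))


if __name__ == "__main__":
    for mode, hops in (("multihop", 1), ("multihop", 2), ("gtsm", 1), ("gtsm", 2)):
        peer_ok = session_reachable(mode, hops, hops - 1)
        attacker = spoofer_gets_through(mode, hops, 10)
        print(f"{mode:8} hops={hops}: peer {hops - 1} routers away "
              f"{'OK' if peer_ok else 'FAIL'}; attacker 10 routers away "
              f"{'PASSES' if attacker else 'BLOCKED'} the TTL check")
```

The point the output makes: with ebgp-multihop the TTL check never blocks anyone, so the only thing standing between a remote attacker and the TCP/179 listener is the MD5/TCP-AO password and any ACL; with ttl-security an attacker more than `hops` routers away cannot even get a packet accepted, whatever it sends.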
Message Types: OPEN
- First message sent after the TCP session is established
- Specifies BGP operational parameters
- Includes:
- BGP version number (4)
- My Autonomous System
- AS number of the originating router (2-byte field; a 4-byte ASN is carried in a capability and the placeholder AS_TRANS, 23456, goes in this field)
- Hold time
- Max seconds that may elapse between messages before the peer is declared down; both sides use the lower of the two proposed values
- BGP Identifier
- 32-bit router ID of the sender (taken from an IP address by default)
- Optional Parameters
- Capabilities: multiprotocol support, route refresh, 4-byte ASN, etc. (the original Authentication Information parameter is obsolete; authentication is done by TCP MD5/TCP-AO, not inside BGP)
Message Types: KEEPALIVE
- Header only (19 bytes), sent every third of the hold time by default (60 seconds for the 180 second default)
- Stops the Hold timer expiring and tearing down the BGP relationship
Message Types: UPDATE
- Advertises feasible routes, withdrawn routes or both
- All NLRI in one UPDATE share the same set of path attributes, so many prefixes with identical attributes can be packed into one message; prefixes with different attributes need separate UPDATEs
- Includes:
- Withdrawn routes
- Path Attributes
- NLRI
Message Types: NOTIFICATION
- Sent when an error is detected; the session is torn down immediately afterwards
- Carries an error code, subcode and data describing the error
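The OPEN and KEEPALIVE layouts described above, built and parsed in Python. This is an added example written for these notes, not code from the original page or from any BGP implementation; the ASN, hold time and identifier in the test values are constructed. The parser shows the validation a receiver has to do before it trusts any field (marker, both length bounds, version, hold time), which is where real-world BGP parsers have historically been fragile.

```python
"""Build and parse BGP OPEN and KEEPALIVE messages (RFC 4271 framing).

Added example, not from the original notes: shows the fixed 19-byte header
(16-byte marker, 2-byte length, 1-byte type) and the OPEN body described
above, with the checks a receiver must do before trusting any field.
The ASN, hold time and identifier used in the tests are sample values.
"""
import socket
import struct

MARKER = b"\xff" * 16
TYPE_OPEN, TYPE_UPDATE, TYPE_NOTIFICATION, TYPE_KEEPALIVE = 1, 2, 3, 4
HEADER_LEN, MAX_LEN = 19, 4096
AS_TRANS = 23456   # placed in the 2-byte field when the real ASN needs 4 bytes


def _frame(msg_type, body):
    return MARKER + struct.pack("!HB", HEADER_LEN + len(body), msg_type) + body


def build_open(my_as, hold_time, bgp_id, opt_params=b""):
    """OPEN: version 4, 2-byte ASN (AS_TRANS if > 65535), hold time,
    4-byte BGP Identifier, optional parameters length, optional parameters."""
    as_field = my_as if my_as <= 0xFFFF else AS_TRANS
    body = struct.pack("!BHH4sB", 4, as_field, hold_time,
                       socket.inet_aton(bgp_id), len(opt_params)) + opt_params
    return _frame(TYPE_OPEN, body)


def build_keepalive():
    return _frame(TYPE_KEEPALIVE, b"")


def parse_message(data):
    """Validate the header and decode OPEN/KEEPALIVE.  Raises ValueError with
    the RFC 4271 NOTIFICATION text a real speaker would send back."""
    if len(data) < HEADER_LEN or data[:16] != MARKER:
        raise ValueError("Message Header Error: Connection Not Synchronized")
    length, msg_type = struct.unpack("!HB", data[16:19])
    # Never trust the length field: it must cover the header, stay under the
    # 4096-byte limit and not exceed the bytes actually received.
    if not HEADER_LEN <= length <= MAX_LEN or length > len(data):
        raise ValueError("Message Header Error: Bad Message Length")
    body = data[HEADER_LEN:length]
    if msg_type == TYPE_KEEPALIVE:
        if body:
            raise ValueError("Message Header Error: Bad Message Length")
        return {"type": "KEEPALIVE"}
    if msg_type != TYPE_OPEN:
        raise ValueError("Message Header Error: Bad Message Type")
    if len(body) < 10:
        raise ValueError("Message Header Error: Bad Message Length")
    version, asn, hold, ident, opt_len = struct.unpack("!BHH4sB", body[:10])
    if version != 4:
        raise ValueError("OPEN Message Error: Unsupported Version Number")
    if hold in (1, 2):          # 0 = no keepalives, otherwise the minimum is 3 s
        raise ValueError("OPEN Message Error: Unacceptable Hold Time")
    if opt_len != len(body) - 10:
        raise ValueError("OPEN Message Error: Unspecific (optional parameter length mismatch)")
    return {
        "type": "OPEN", "version": version, "my_as": asn, "hold_time": hold,
        "bgp_id": socket.inet_ntoa(ident), "opt_params": body[10:],
    }


def error_of(data):
    """NOTIFICATION text a malformed message would trigger, or None if valid."""
    try:
        parse_message(data)
    except ValueError as exc:
        return str(exc)
    return None


def negotiated_hold_time(local_hold, remote_hold):
    """Both sides run with the smaller of the two advertised hold times."""
    return min(local_hold, remote_hold)
```

A full receiver would also compare `my_as` against the configured remote-as and check the 4-octet-AS capability when the field holds AS_TRANS; those checks are omitted here because they depend on local configuration.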
BGP Neighbor Process Flow Diagram
Figure 1 - BGP Neighbor States
Neighbor States: IDLE
- BGP always begins in this state
- Searches the routing table for a route to the neighbour
- Initiates a TCP connection to the neighbour (and starts listening)
- Refuses all incoming BGP connections while Idle
Neighbor States: CONNECT
- Waiting for the TCP 3-way handshake to complete
- If the connection succeeds:
- Clears the ConnectRetry timer
- Sends an OPEN message
- Transitions to OPEN SENT
- If the connection fails:
- Continues to listen for an inbound connection
- Resets the ConnectRetry timer
- Transitions to ACTIVE
Neighbor States: ACTIVE
- Still trying to initiate a TCP connection with the neighbour (the previous attempt failed); a peer that keeps alternating between Connect and Active usually has a reachability, ACL or wrong-neighbour-address problem
- If successful:
- Clears the ConnectRetry timer
- Sends an OPEN message
- Sets the Hold timer to a large value (4 minutes)
- Transitions to OPEN SENT
- If the ConnectRetry timer expires:
- Transitions back to CONNECT
- Resets the ConnectRetry timer
- Initiates a new TCP connection to the neighbour
Neighbor States: OPEN SENT
- OPEN message sent with the local BGP parameters
- Waiting to hear an OPEN from the neighbour
- If no errors exist in the neighbour's OPEN message:
- KEEPALIVE sent
- KeepAlive timer set
- Hold time negotiated (lower of the two values)
- Transitions to OPEN CONFIRM
- If errors exist in the neighbour's OPEN message (e.g. unexpected AS number, bad identifier):
- NOTIFICATION message sent
- Transitions to IDLE
Neighbor States: OPEN CONFIRM
- Waits for a KEEPALIVE or NOTIFICATION message
- If a KEEPALIVE is received, transitions to ESTABLISHED
- If a NOTIFICATION is received or TCP disconnects, transitions to IDLE
- If the Hold timer expires, or a Stop event occurs, a NOTIFICATION message is sent and the connection closed, transitioning to IDLE
Neighbor States: ESTABLISHED
- Peering fully established
- show ip bgp summary never displays the word ESTABLISHED; for an established peer the State/PfxRcd column shows the number of prefixes received instead
- Peers can exchange UPDATE, KEEPALIVE and NOTIFICATION messages
- If an UPDATE or KEEPALIVE is received, the Hold timer is restarted (if the hold time is non-zero)
BGP Neighbor Peer Groups
- Groups similar neighbour configuration together
- In older IOS releases the UPDATE for every peer was computed separately
- Peer Groups were designed to overcome this: the UPDATE is built once and replicated to every member
- Current IOS does this automatically (dynamic update groups) for these categories of peers, so peer groups are now mainly a configuration shortcut:
- eBGP IPv4
- eBGP IPv6
- iBGP IPv4
- iBGP IPv6
- An individual neighbor command can be used to override specific settings inherited from the peer group
- Per-neighbour outbound filtering is not possible within a peer group
- Has to be done at peer-group level (members share one outbound policy)
- Configuration
- Create a peer-group:
- (config-router)#neighbor <name> peer-group
- Apply other common configuration items to the peer group
- (config-router)#neighbor <name> ........extra configuration
- Assign a neighbour to a peer group
- (config-router)#neighbor <ip address> peer-group <name>
- Verification:
- #show bgp ipv4 unicast update-group
BGP Neighbor Peer Templates
- Preferred over Peer Groups
- Used only as a configuration optimisation (update-group membership is worked out separately by the router)
- A neighbour cannot be a peer-group member and inherit templates at the same time
- Two different types of template
- Peer Policy Templates
- Policy information
- NLRI manipulation: filtering, route-maps, prefix-lists, next-hop-self, send-community...
- Peer Session Templates
- Session specific information
- Peer configuration: remote-as, update-source, timers, password, ttl-security...
- Templates can inherit from other templates of the same type (multi-level inheritance)
- Command:
- (config-router)#template [peer-session | peer-policy] <template-name>
- Apply to specific neighbours
- Command:
- (config-router)#neighbor <peer-ip> inherit [peer-session | peer-policy] <template-name>
BGP Slow-Peer Detection
- Cisco proprietary feature
- Used with BGP update groups to move slow peers into a separate 'slow' update group so they do not hold back the UPDATE queue for the healthy peers
- Enabled globally for all neighbours (or per neighbour)
- A peer is slow if it cannot keep up with the speed at which the router is generating UPDATE messages
- Possible causes:
- Packet loss or high traffic on the link
- Heavy CPU usage on the peer, so it cannot process the messages quickly enough
- Detection only: flag slow peers but do nothing with them
- Command:
- (config-router)#bgp slow-peer detection threshold <#>
- Dynamic: move slow neighbours into a new update group, then re-add them to the original group once they can meet the processing speed requirements again
- Command:
- (config-router)#bgp slow-peer split-update-group dynamic
- Permanent: move slow neighbours into a new update group and keep them there even after they meet the processing requirements
- Command:
- (config-router)#bgp slow-peer split-update-group dynamic permanent
BGP Dynamic Neighbors
- Typical use case: a DMVPN hub that should not need a static neighbor statement for every spoke
- Configures a range of addresses to accept inbound BGP sessions from (the router is passive for these peers; the spoke must initiate)
- Used in conjunction with BGP Peer Groups
- Set the session information in the peer group, e.g. remote-as, update-source, password, etc.
- Security caveat: anything in the range can attempt a session, so combine it with MD5/TCP-AO and a limit on the number of dynamic peers
- Command:
- (config-router)#bgp listen range <network/len> peer-group <peer-group-name>
- (config-router)#bgp listen limit <max-number>
BGP Best Path Selection Process
- Exclude paths whose next hop is inaccessible (and, if synchronization is on, unsynchronised paths)
- Weight – Highest (local to the router) – default 32768 for locally originated paths, 0 for received paths
- Local Preference – Highest (global within the AS) – default 100
- Originated locally – prefer paths injected by a network, aggregate or redistribute statement on this router
- AS path – Shortest (an AS_SET counts as one regardless of size; confederation segments are not counted)
- Origin code – Lowest (IGP < EGP < Incomplete)
- MED (metric) – Lowest – default 0 – compared only between paths from the same neighbouring AS unless bgp always-compare-med is configured
- Path – eBGP over iBGP
- Lowest IGP metric to the BGP next hop
- (Multipath: if bgp maximum-paths is configured, the remaining equal paths are installed together)
- Oldest path – when both paths are eBGP, prefer the one received first (stability) unless bgp bestpath compare-routerid is configured
- Router-ID – Lowest BGP Router-ID of the advertising neighbour (ORIGINATOR_ID if the path was reflected)
- Shortest CLUSTER_LIST length
- Lowest neighbour IP address
- Shortcut to remember the order of preference:
- We (Weight)
- Love (Local preference)
- Oranges (Originated locally)
- As (AS path)
- Oranges (Origin)
- Mean (MED)
- Pure (Path: eBGP over iBGP)
- Refreshment (Router-ID)
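The selection order above, implemented so that it reports which step decided. This is an added example written for these notes (not Cisco code and not part of the original page); the `Path` class, its field names and the addresses and ASNs used in the tests are constructed. The IGP metric, peer Router-ID and arrival order are plain inputs here because a real router looks them up itself, and the CLUSTER_LIST step is omitted.

```python
"""Best path selection in the order listed above.

Added example, not from the original notes or from any vendor's code.  A
Path carries the attributes the notes describe; the IGP metric to the next
hop, the peer Router-ID and the order paths were received are given as
inputs because a real router looks those up itself.  All addresses and
ASNs used with it are constructed.
"""
from dataclasses import dataclass

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}      # IGP < EGP < INCOMPLETE


@dataclass
class Path:
    peer: str                    # neighbour address the path came from
    next_hop: str
    as_path: tuple = ()
    weight: int = 0              # 32768 for locally originated paths
    local_pref: int = 100
    origin: str = "i"
    med: int = 0
    ebgp: bool = True
    igp_metric: int = 0          # IGP cost to reach next_hop
    router_id: str = "0.0.0.0"   # BGP Identifier of the advertising peer
    local: bool = False          # network/aggregate/redistribute on this box
    reachable: bool = True       # next_hop resolves in the RIB
    received_order: int = 0      # lower = received earlier


def _ip_key(addr):
    return tuple(int(o) for o in addr.split("."))


def _keep_min(paths, key):
    best = min(key(p) for p in paths)
    return [p for p in paths if key(p) == best]


def select_best(paths, always_compare_med=False, compare_routerid=False):
    """Return (best_path, name_of_the_step_that_decided)."""
    cands = [p for p in paths if p.reachable]             # step 0
    if not cands:
        return None, "no reachable next hop"
    early = [
        ("weight", lambda p: -p.weight),                   # highest wins
        ("local_pref", lambda p: -p.local_pref),           # highest wins
        ("locally originated", lambda p: 0 if p.local else 1),
        ("as_path length", lambda p: len(p.as_path)),      # shortest wins
        ("origin", lambda p: ORIGIN_RANK[p.origin]),       # i < e < ?
    ]
    for name, key in early:
        cands = _keep_min(cands, key)
        if len(cands) == 1:
            return cands[0], name
    # MED is only compared between paths from the same neighbouring AS
    # (first AS in AS_PATH) unless always-compare-med is configured.
    if always_compare_med or len({p.as_path[:1] for p in cands}) == 1:
        cands = _keep_min(cands, lambda p: p.med)
        if len(cands) == 1:
            return cands[0], "med"
    late = [
        ("ebgp over ibgp", lambda p: 0 if p.ebgp else 1),
        ("igp metric to next hop", lambda p: p.igp_metric),
    ]
    for name, key in late:
        cands = _keep_min(cands, key)
        if len(cands) == 1:
            return cands[0], name
    # Stability: between eBGP paths the oldest wins, unless compare-routerid.
    if not compare_routerid and all(p.ebgp for p in cands):
        cands = _keep_min(cands, lambda p: p.received_order)
        if len(cands) == 1:
            return cands[0], "oldest ebgp path"
    cands = _keep_min(cands, lambda p: _ip_key(p.router_id))
    if len(cands) == 1:
        return cands[0], "lowest router id"
    return _keep_min(cands, lambda p: _ip_key(p.peer))[0], "lowest neighbour address"
```

The "oldest path" step is why two otherwise identical eBGP paths can be chosen differently on two routers, and why bgp bestpath compare-routerid is often turned on when deterministic behaviour matters more than stability.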
BGP NLRI Attributes
Category | Well-Known Mandatory | Well-Known Discretionary | Optional Transitive | Optional Non-Transitive
Attributes | AS_PATH, NEXT_HOP, ORIGIN | LOCAL_PREF, ATOMIC_AGGREGATE | COMMUNITY, AGGREGATOR | MED (also ORIGINATOR_ID, CLUSTER_LIST)
- Well Known – Have to be supported by all routers running BGP
- Mandatory – Must be included in every UPDATE that carries NLRI
- Discretionary – Does not have to be included in every update
- Optional – Doesn't have to be supported by every implementation
- Transitive – Passed on unchanged (with the Partial flag set) even if the receiving router does not recognise it
- Non-Transitive – Dropped by a router that does not recognise it; MED is additionally never passed beyond the neighbouring AS
BGP Attribute: WEIGHT
CISCO PROPRIETARY
- Applied to incoming routes to decide outgoing (exit) paths
- Similar to Local Preference but only meaningful on the router that sets it
- Gives you control of path choice on a single router
- Defined locally, never sent to neighbours
- Used if there is more than one exit from the router
- Value can be 0 to 65535; higher is preferred
- Paths originated by the router have a default value of 32768; received paths default to 0
- Set per neighbour (neighbor <ip> weight <#>) or per prefix in a route-map (set weight <#>)
BGP Attribute: AS_PATH
WELL KNOWN - MANDATORY
- Ordered list of the AS numbers the update has traversed (AS_SEQUENCE), plus unordered AS_SET segments created by aggregation
- Classic AS numbers are 2-byte (16-bit) values: 1 - 65535
- Private AS numbers range from 64512 - 65534 (65535 is reserved)
- 4-byte AS numbers (negotiated through the 4-octet AS capability, RFC 6793) allow many more ASNs; a speaker that does not support them sees the placeholder AS_TRANS (23456) in AS_PATH instead
- 4-byte ASNs can be displayed in dotted (asdot) notation
- Command:
- (config-router)#bgp asnotation dot
- Shorter AS paths are preferred
- AS-Path of a locally originated route is initially empty
- The local AS number is prepended when the update is sent to an eBGP peer (leaves the local AS); iBGP updates do not change it
- Also used for eBGP loop prevention
- Will not accept routes with the local ASN already in the path
- Can be overridden if needed using as-override (PE side) or allowas-in (CE side)
- Used for MPLS VPN sites that share one ASN; BGP Site of Origin (SoO) is then needed to stop a route being sent back into the site it came from
- ***This step in the best path selection can be disabled using the 'hidden' command***
- (config-router)#bgp bestpath as-path ignore
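The loop check, allowas-in and as-override bullets above, as an added example written for these notes (not Cisco code and not part of the original page). The function names and the ASNs in the tests are constructed; the PE/CE scenario is the shared-ASN MPLS VPN case the notes mention.

```python
"""AS_PATH handling at an AS boundary: inbound loop check, allowas-in,
outbound prepend and as-override.

Added example, not from the original notes.  ASNs are constructed; the two
functions model the rules listed above for one eBGP session.
"""


def accept_inbound(as_path, local_as, allowas_in=0):
    """Inbound: drop the update if our own ASN appears in AS_PATH.
    allowas-in N relaxes this to 'drop only if it appears more than N times'
    (e.g. a CE receiving its own site's routes back via an MPLS VPN)."""
    return as_path.count(local_as) <= allowas_in


def send_outbound(as_path, local_as, peer_type, peer_as=None,
                  prepend=1, as_override=False):
    """Outbound to an eBGP peer: prepend the local ASN (prepend > 1 pads the
    path to make it less attractive).  as-override first replaces every
    occurrence of the peer's ASN with our own, the PE-side fix when two
    customer sites share one ASN.  iBGP leaves AS_PATH unchanged."""
    if peer_type == "ibgp":
        return tuple(as_path)
    path = tuple(local_as if (as_override and asn == peer_as) else asn
                 for asn in as_path)
    return (local_as,) * prepend + path
```

Once as-override is in play the AS_PATH check no longer protects the customer sites from each other, which is why the notes pair it with Site of Origin: the SoO extended community, not AS_PATH, is what stops a route from being advertised back into the site it came from.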
BGP Attribute: NEXT_HOP
WELL KNOWN - MANDATORY
- Indicates the next-hop IP address to reach the advertised prefix (the entry point into the next AS)
- The router must be able to recurse the next hop through the IGP/RIB, otherwise the route cannot be used
- Failed next hop recursion means the path is marked inaccessible and skipped in best path selection
- Route not installed in the RIB
- Typically the IP address of the sending eBGP router
- Next-Hop on shared media:
- If the advertising router learned the route from a peer on the same subnet as the receiving router, the next hop is left as the original next hop ("third-party" next hop)
- Doesn't change to the advertising router
- Can cause issues on NBMA/multipoint networks where the two routers cannot actually reach each other directly
- iBGP updates do not modify the next-hop attribute by default, regardless of iBGP peer type (RR, client, etc.)
- Inbound and outbound next hop can be modified by:
- neighbor <ip> next-hop-self
- route-map set action set ip next-hop
- Using next-hop-self on an edge router:
- Pros:
- The peer can use the same next-hop address on outbound updates to its iBGP peers
- Result is one dynamic update group
- No need to include the external links in the IGP
- Cons:
- Hinders fast convergence on an external uplink failure (the next hop stays reachable while the eBGP session times out)
- If external links are unstable and carried in the IGP they cause churn in the IGP
- In OSPF, redistributed external links appear as Type 5 LSAs flooded to all non-stub areas
- eBGP updates do modify the next-hop attribute to the address of the sending peer
- Can be changed by:
- route-map action set ip next-hop
- neighbor <ip> next-hop-unchanged
- e.g. "third party" next-hop
- Limited application, e.g. BGP peers over DMVPN
- Third-party next hop can be used when multiple routers are connected to the same segment
- Not all routers form eBGP peerings
- Hub and Spoke design (DMVPN)
- The hub router doesn't change the next-hop IP address when sending eBGP updates on the same segment
- Routers not directly peering end up sending traffic directly to each other (spoke-to-spoke)
BGP Attribute: ORIGIN
WELL KNOWN - MANDATORY
- Tells how the route was originated into BGP
- Can be 1 of 3 values (in order of preference):
- IGP (i) – network statement
- EGP (e) – legacy protocol (BGP predecessor), not seen in practice
- INCOMPLETE (?) – usually from the redistribute command
BGP Attribute: LOCAL_PREF
WELL KNOWN - DISCRETIONARY
- Gives you control over preferred exit routes at the AS level
- Applied to incoming routes to define outgoing paths
- Higher preference is better
- Default value = 100
- Selects the outbound eBGP exit for the whole AS
- Sent to iBGP neighbours only (and between member ASes of a confederation)
- Not included in outgoing eBGP updates
- To change the default local preference:
- (config-router)#bgp default local-preference <#>
- Per prefix or neighbour via route-map:
- (config-route-map)#set local-preference <#>
BGP Attribute: ATOMIC_AGGREGATE
WELL KNOWN - DISCRETIONARY
- Informs the receiving router that the route has been summarised and some path information (the AS_PATH of the more specific routes) was lost in the process
- Tags the route as a summary; a router that receives it must not de-aggregate it
BGP Attribute: AGGREGATOR
OPTIONAL - TRANSITIVE
- Carries the AS number and the Router-ID of the router that performed the summarisation
BGP Attribute: COMMUNITY
OPTIONAL - TRANSITIVE
- BGP's implementation of route tagging
- BGP has no route-tag of its own; communities fill that role for matching and policy
- Not sent to a peer by default
- Routers accept communities by default but will not forward them to a peer unless told to
- Need to manually enable on each peer (both directions) using command:
- (config-router)#neighbor [address] send-community [standard | extended | both]
- Prefix community values are set in route-maps
- Well-known communities such as NO_EXPORT are acted on automatically by the receiving router; they cannot be undone by an outbound filter (strip them inbound with a route-map if needed)
- Standard community is a 4-byte field expressed as:
- Decimal (0 - 4294967295)
- AA:NN (0:0 - 65535:65535), where AA is normally the ASN that defines the community
- AA:NN display is not enabled by default
- Needs to be enabled by command:
- (config)#ip bgp-community new-format
- set community is not additive by default
- It replaces the communities currently on the prefix
- Configured in route-map
- Command:
- (config-route-map)#set community <community number [additive] [well-known community] | none>
- Communities on a prefix can be cleared using the 'none' option
- (config-route-map)#set community none
- Can remove individual/multiple communities using a community-list in a route-map:
- (config-route-map)#set comm-list <community-list number> delete
- set comm-list can only remove a set of communities, not add
- Can add individual/multiple communities using a route-map:
- (config-route-map)#set community <community> additive
COMMUNITIES: Standard / Well Known
- NO_EXPORT
- Hex value: 0xFFFFFF01
- All prefixes received carrying this value MUST NOT be advertised outside the BGP confederation boundary (i.e. to ordinary eBGP peers; iBGP and confederation peers still receive them)
- NO_ADVERTISE
- Hex value: 0xFFFFFF02
- All routes received carrying this value MUST NOT be advertised to any other BGP peer
- LOCAL_AS
- Hex value: 0xFFFFFF03
- Cisco's name for it; NO_EXPORT_SUBCONFED is the RFC name
- All routes received carrying this value MUST NOT be advertised to any eBGP peer, including eBGP peers in other member ASes of the same confederation (stays inside the local/member AS)
- INTERNET
- Cisco keyword that matches every route in a community-list
COMMUNITIES: Extended
- 8-byte communities (RFC 4360) used for extended applications such as:
- MPLS VPN Route Distinguisher (same 8-byte format, though carried in the VPNv4 NLRI rather than as a community)
- MPLS L3VPN Route Target
- MPLS L2VPN
- MPLS VPN EIGRP Cost Community
- MPLS VPN OSPF CE to PE routing information
- OSPF Domain Identifier (OSPF Process ID)
- OSPF Route Type
- OSPF Router ID
COMMUNITIES: Standard Community List
- Standard Community List matching by name or number
- (config)#ip community-list standard <community-list-name> [permit | deny] <community-value>
- To match all communities
- (config)#ip community-list standard <community-list-name> permit internet
COMMUNITIES: Expanded Community List
- Expanded Community list matching by regular expression
- (config)#ip community-list expanded <community-list-name> [permit | deny] <regular expression>
- e.g. (config)#ip community-list expanded AS100 permit 100:[0-9]+
- Caveat: IOS regex is unanchored, so 100:[0-9]+ also matches 1100:5; use _100:[0-9]+_ (underscore = boundary) to match only communities defined by AS 100
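Community encoding and the three well-known values, as an added example written for these notes (not Cisco code and not part of the original page). It converts between AA:NN, decimal and the wire format, models what set community does with and without additive, and applies the NO_EXPORT / NO_ADVERTISE / LOCAL_AS rules above to decide whether a route may be sent to an iBGP, confederation-eBGP or ordinary eBGP peer. The peer-type labels and the values in the tests are constructed.

```python
"""Standard BGP communities: AA:NN <-> 32-bit encoding, the well-known
values, and whether a route carrying them may be sent to a given peer.

Added example, not from the original notes; the peer-type labels and the
community values used in the checks are constructed for illustration.
"""
NO_EXPORT = 0xFFFFFF01
NO_ADVERTISE = 0xFFFFFF02
NO_EXPORT_SUBCONFED = 0xFFFFFF03        # "local-AS" on Cisco
WELL_KNOWN = {NO_EXPORT: "no-export", NO_ADVERTISE: "no-advertise",
              NO_EXPORT_SUBCONFED: "local-AS"}


def encode(text):
    """'AA:NN', a well-known name, or a decimal string -> 32-bit value."""
    for value, name in WELL_KNOWN.items():
        if text == name:
            return value
    if ":" in text:
        aa, nn = (int(x) for x in text.split(":"))
        if not (0 <= aa <= 0xFFFF and 0 <= nn <= 0xFFFF):
            raise ValueError(text)
        return (aa << 16) | nn
    value = int(text)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(text)
    return value


def decode(value):
    """32-bit value -> 'AA:NN' (ip bgp-community new-format) or well-known name."""
    return WELL_KNOWN.get(value, f"{value >> 16}:{value & 0xFFFF}")


def may_advertise(communities, peer_type):
    """peer_type: 'ibgp', 'confed-ebgp' (other member AS of the same
    confederation) or 'ebgp' (outside the confederation)."""
    if NO_ADVERTISE in communities:
        return False                       # to nobody at all
    if NO_EXPORT in communities and peer_type == "ebgp":
        return False                       # stays inside the confederation
    if NO_EXPORT_SUBCONFED in communities and peer_type != "ibgp":
        return False                       # stays inside the member AS
    return True


def apply_set_community(current, new, additive=False):
    """Model 'set community': replaces the existing set unless 'additive'."""
    return set(current) | set(new) if additive else set(new)


def wire_encode(communities):
    """COMMUNITY attribute value: each community as 4 bytes, network order."""
    return b"".join(c.to_bytes(4, "big") for c in sorted(communities))
```

Note that may_advertise only describes what a conforming receiver does with the well-known values; it has no effect on a peer that has not been given send-community, which simply never sees them.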
BGP Attribute: MED (Multi-Exit Discriminator)
OPTIONAL - NON-TRANSITIVE
- Used to suggest an entry point into your AS to a neighbouring AS
- Applied to outgoing routes to suggest incoming paths
- Default value of 0
- Exchanged between directly neighbouring ASes only
- Received from an eBGP peer, propagated to iBGP peers within the AS, not passed on to the next AS
- When the update is passed on to another AS the MED is removed; a missing MED is treated as 0
- Unless bgp bestpath med missing-as-worst is enabled, then a missing MED is treated as 4,294,967,295
- Lower MED value is better
- When redistributing from an IGP into BGP the IGP metric is copied into the MED (metric) value
- The router compares MED only for paths from the same neighbouring AS (the first AS in AS_PATH)
- Confederation segments are ignored when working out the neighbouring AS
- If bgp always-compare-med is enabled, MEDs are compared for all paths regardless of AS
- If bgp bestpath med-confed is enabled, MEDs are also compared for paths that consist only of AS_CONFED_SEQUENCE (paths from inside the confederation)
- Because MED is only compared within groups of paths from the same AS, the result can depend on the order paths were received; bgp deterministic-med makes the comparison order-independent
BGP NLRI Originate Methods
- Methods to generate NLRI into BGP.
Network Statement
- The network statement doesn't start BGP on an interface; it indicates to BGP which networks should originate from this router
- Must have an exact match (prefix and length) in the routing table first
- Without the 'mask' option it announces the classful network only
- Administrative Distance (AD) of the locally originated prefix is 200, so the existing RIB route stays in place
- WEIGHT of the prefix is set to 32768
- ORIGIN of the prefix is set to IGP
- Command:
- (config-router)#network <network address> mask <subnet mask> [route-map <route-map-name>]
Redistribute Statement
- WEIGHT set to 32768
- ORIGIN of the prefix set to INCOMPLETE
- Doesn't include OSPF external routes by default
- Loop prevention mechanism
- External routes can be included using the match internal/external option
- Automatically copies the IGP metric into MED
- Redistributing BGP into an IGP only redistributes eBGP prefixes by default
- Redistributing iBGP prefixes can cause a loop
- Redistribution of iBGP prefixes as well as eBGP prefixes can be enabled with:
- (config-router)#bgp redistribute-internal
- Command:
- (config-router)#redistribute [bgp | ospf | eigrp | rip | isis | connected | static] [<process number>] [match internal | external 1 | external 2] [route-map <route-map-name>]
Aggregate Address Statement
- Requires at least 1 x more specific prefix in the BGP table first
- See NLRI Manipulation: Prefix Aggregation
- Command:
- (config-router)#aggregate-address <network address> <mask> [summary-only] [as-set] [advertise-map <map>] [suppress-map <map>] [attribute-map <map>] [route-map <map>]
Conditional Advertisement
- Controls advertisement of prefixes based on other prefixes existing or not existing in the local BGP table
- Uses 2 different route-maps
- ADVERTISE map
- Selects the prefixes to be advertised to the peer
- EXIST or NON-EXIST map
- Selects the prefixes to be tracked in the local BGP table
- Exist map:
- If the <exist-map> prefix exists in the local BGP table then advertise the <advertise-map> prefixes to the peer
- Command:
- (config-router)#neighbor <peer ip> advertise-map <ADVERTISE-MAP> exist-map <EXIST-MAP>
- Non-Exist map:
- If the <non-exist-map> prefix does not exist in the local BGP table then advertise the <advertise-map> prefixes to the peer
- If the <non-exist-map> prefix exists in the local BGP table then do not advertise the <advertise-map> prefixes to the peer
- Command:
- (config-router)#neighbor <peer ip> advertise-map <ADVERTISE-MAP> non-exist-map <NON-EXIST-MAP>
- The tracked prefix must match exactly (a covering route does not count) and the condition is evaluated periodically by the BGP scanner, so the change is not instantaneous
Example: Exist-Map
- If the prefix 1.1.1.0/24 (BGP peer link subnet) exists in the local BGP table then advertise all prefixes originating from AS100 to the BGP peer 2.2.2.2
- (config)#ip prefix-list EXIST_PREFIX permit 1.1.1.0/24
- (config)#ip as-path access-list 1 permit _100$
- (config)#route-map EXIST_MAP permit 10
- (config-route-map)#match ip address prefix-list EXIST_PREFIX
- (config)#route-map ADVERTISE_MAP permit 10
- (config-route-map)#match as-path 1
- (config-router)#neighbor 2.2.2.2 advertise-map ADVERTISE_MAP exist-map EXIST_MAP
- Under show ip bgp neighbors 2.2.2.2 the condition-map status should be Advertise providing 1.1.1.0/24 is in the local BGP table
Example: Non-Exist-Map
- If the prefix 1.1.1.0/24 (BGP peer link subnet) doesn't exist in the local BGP table then advertise all prefixes originating from AS100 to the BGP peer 3.3.3.3
- (config)#ip prefix-list NON_EXIST_PREFIX permit 1.1.1.0/24
- (config)#ip as-path access-list 1 permit _100$
- (config)#route-map NON_EXIST_MAP permit 10
- (config-route-map)#match ip address prefix-list NON_EXIST_PREFIX
- (config)#route-map ADVERTISE_MAP permit 10
- (config-route-map)#match as-path 1
- (config-router)#neighbor 3.3.3.3 advertise-map ADVERTISE_MAP non-exist-map NON_EXIST_MAP
- Under show ip bgp neighbors 3.3.3.3 the condition-map status should be Withdraw providing 1.1.1.0/24 is in the local BGP table
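Both the expanded community-list regex (100:[0-9]+) and the as-path access-list (_100$) in the examples above rely on IOS regex semantics, in particular the underscore. The following is an added example written for these notes (not Cisco code and not part of the original page) that translates an IOS pattern into a Python one and evaluates it the way IOS does; the helper names and the sample AS paths and community strings are mine.

```python
"""IOS-style regular expressions for AS-path access-lists and expanded
community-lists, evaluated with Python's re module.

Added example, not from the original notes.  In IOS regex the underscore
matches a boundary (start or end of string, space, comma, brace or
parenthesis); the translation, the helper functions and the sample AS
paths and community strings below are mine.
"""
import re

_BOUNDARY = r"(?:^|$|[\s,{}()])"


def ios_regex(pattern):
    """Translate an IOS regex into a Python one (only '_' needs mapping)."""
    return re.compile(pattern.replace("_", _BOUNDARY))


def matches(pattern, text):
    """IOS evaluates patterns with 'search' semantics: an unanchored pattern
    hits anywhere in the string, which is the usual source of over-matching."""
    return ios_regex(pattern).search(text) is not None


def as_path_str(as_path):
    """AS_PATH as IOS prints it: space-separated, AS_SET segments in braces."""
    parts = []
    for seg in as_path:
        if isinstance(seg, (set, frozenset)):
            parts.append("{" + ",".join(str(a) for a in sorted(seg)) + "}")
        else:
            parts.append(str(seg))
    return " ".join(parts)


def origin_as(as_path):
    """Rightmost ASN in AS_SEQUENCE (the originator); None if the path ends
    in an AS_SET, where the originator is ambiguous."""
    if not as_path or isinstance(as_path[-1], (set, frozenset)):
        return None
    return as_path[-1]


def as_path_list(pattern, paths):
    """Apply one 'ip as-path access-list ... permit <pattern>' entry to many
    paths; returns the paths it permits."""
    return [p for p in paths if matches(pattern, as_path_str(p))]
```

The two pitfalls the tests exercise: `100$` (no underscore) also permits a path originated by AS 1100, and `100:[0-9]+` matches the community 1100:5; both are the kind of filter mistake that quietly accepts more than intended.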
Conditional Route Injection
- Performs the opposite of route aggregation: takes more specific prefixes out of an aggregate and injects them into the local BGP table
- Similar to the BGP unsuppress-map feature but will work on any router, not just the one originating the aggregate prefix
- Requires 2 route-maps:
- Inject Map:
- Specifies the prefixes to be injected into the BGP table (match ip address prefix-list)
- AS_PATH attribute is set to empty to indicate the prefixes are originated by the local AS (unless copy-attributes is used)
- WEIGHT set to 0
- Other BGP attributes such as LOCAL_PREF, metric, WEIGHT and COMMUNITY can be set in the inject map
- LOCAL_PREF not assigned by default
- Exist Map:
- Defines the conditions to be met for the prefixes to be injected
- Requires 2 match statements:
- First matches the aggregate prefix (the one carrying ATOMIC_AGGREGATE)
- Command:
- (config-route-map)#match ip address prefix-list <list>
- Second matches the address of the BGP peer that advertised the aggregate to the local router
- Command:
- (config-route-map)#match ip route-source prefix-list <list>
- Command:
- (config-router)#bgp inject-map <inject-map> exist-map <exist-map> [copy-attributes]
Example: Conditional Route Injection
- Receive an aggregate address of 155.1.0.0/16 and split it into 2 different subnets:
- 155.1.0.0/17 and 155.1.128.0/17
- Caveat: the more specifics are injected whenever the aggregate arrives from a route-source matching the prefix-list, so keep that list to the exact peer address rather than a broad range
Default Routing
- Advertises a default route to all neighbours
- Option 1: a network statement; requires 0.0.0.0/0 to exist in the RIB first
- Command:
- (config-router)#network 0.0.0.0 mask 0.0.0.0
- Option 2: default-information originate; only takes effect when a default route is redistributed into BGP (e.g. redistribute static)
- Command:
- (config-router)#default-information originate
- Option 3: conditional default routing to individual peers; no default route is needed in the RIB
- Based on a route-map condition, e.g. a prefix exists in the RIB / an interface is up
- Command:
- (config-router)#neighbor <peer ip> default-originate [route-map <route-map>]
Example: Individual Peer Conditional Default Route
- Advertise a default route to peer 1.1.1.1 only while the connected network 10.0.1.0/24 is in the routing table (i.e. the interface that hosts it is up)
- (config)#ip prefix-list LINK permit 10.0.1.0/24
- (config)#route-map DR_1111 permit 10
- (config-route-map)#match ip address prefix-list LINK
- (config-router)#neighbor 1.1.1.1 default-originate route-map DR_1111
BGP Route Reflectors and Confederations
Route Reflectors and Confederations
- Route Reflectors and Confederations provide the same end goal as each other.
- They both eliminate the need for an iBGP full mesh topology
- Fewer updates are sent throughout the network
- Less overhead to manage BGP relationships as there are not as many
Route Reflectors
- A Route Reflector (RR) relaxes the iBGP split-horizon rule
- Normally iBGP prefixes are not advertised to other iBGP peers
- Routers only need to peer with the Route Reflector (RR)
Table: types of peers prefixes are reflected between (row = received from, column = reflected to)
Received from | To eBGP | To iBGP RR Clients | To iBGP RR Non-Clients
eBGP | YES | YES | YES
iBGP RR Client | YES | YES | YES
iBGP RR Non-Client | YES | YES | NO
- Behaves similarly to the OSPF DR
- Clients send one update to the RR
- The RR sends updates to everyone else
- Doesn't modify the other attributes of the route (next hop, LOCAL_PREF, MED and AS_PATH are reflected unchanged)
- Reflecting iBGP routes can cause loops, so two attributes are added to prevent them:
- ORIGINATOR_ID – set by the RR to the Router-ID of the iBGP router that originated the route into the AS; a router that sees its own Router-ID here discards the route
- CLUSTER_LIST – each RR prepends its Cluster-ID; an RR that sees its own Cluster-ID in the list discards the route
- Clusters provide redundancy and hierarchy
- Inter-cluster peerings can be client or non-client, depending on the redundancy design
- RRs in the same cluster use the same Cluster-ID
- Based on the Router-ID by default
- Can be manually specified using command:
- (config-router)#bgp cluster-id <id>
- By default every RR is in a separate cluster
- Command:
- (config-router)#neighbor <ip address> route-reflector-client
Confederations
- Used to reduce the number of iBGP sessions and the resources consumed on routers
- A single AS is split into sub-ASes (member ASes)
- Sub-ASes still require a full mesh or RRs internally
- eBGP peerings to other ASes stay the same; the outside world only ever sees the confederation AS number
- Uses private AS numbers (64512 - 65534) for the sub-ASes
- iBGP peers in the root AS become confederation-eBGP peers across sub-AS boundaries (LOCAL_PREF, MED and next hop are preserved as for iBGP)
- 2 AS_PATH segment types are used within a BGP Confederation for loop prevention:
- AS_CONFED_SEQUENCE
- AS_CONFED_SET
- Stripped automatically when the update leaves the confederation
- Need to remove the original BGP configuration to enable
- Create a new BGP configuration with the private (member) AS
- (config)#router bgp <confed (private) AS number>
- Set the root AS number with the confederation identifier option
- (config-router)#bgp confederation identifier <root (public) AS number>
- Set the other private AS numbers with the confederation peers option
- (config-router)#bgp confederation peers <other confederation (private) AS numbers>
- remove-private-AS is for ordinary private ASNs in AS_SEQUENCE (e.g. from customers); confederation segments are removed at the confederation border without it
- Command:
- (config-router)#neighbor <ip address> remove-private-AS
- Confederation configuration needs to be applied on all routers in the confederation
BGP NLRI and Path Manipulation
Different methods to manipulate NLRI in BGP
NLRI Backdoor
- Used to prefer an IGP-learned route (higher AD) over the eBGP route (AD 20) for the same prefix
- Sets the AD of the prefix to 200 when learned through eBGP, instead of the default AD of 20
- The network backdoor command performs the same action as the network command, but only for eBGP-learned prefixes
- Will not advertise the prefix to eBGP peers, just changes the AD of the learned eBGP prefix
- Command:
- (config-router)#network <network address> mask <subnet mask> backdoor
BGP NLRI Prefix Dampening
- Allows suppression of flapping (down then up) prefixes so they are not advertised to peers
- The router assigns each route a dynamic figure (the penalty) that reflects the prefix's stability
- When a route flaps it is assigned a penalty
- Default 1000 per flap (withdraw followed by re-advertisement)
- The more it flaps, the more penalty it accumulates
- If the change is only an attribute change such as LOCAL_PREF or AS_PATH:
- The penalty is halved
- Default 500
- There is a time period called the HALF_LIFE
- The penalty decays exponentially so that it is halved at the end of each HALF_LIFE
- BGP recalculates the penalty every 5 seconds
- Eventually reduces to 0
- Penalties can be cleared manually (clear ip bgp dampening)
- If the penalty exceeds the SUPPRESS LIMIT the route is suppressed/dampened, i.e. no longer advertised
- The route stays dampened until the decay brings the penalty below the REUSE LIMIT
- Default REUSE LIMIT is 750
- Checked every 10 seconds
- Route is then advertised again
- A route cannot be suppressed longer than the MAXIMUM SUPPRESS TIME
- Normally 4 times the HALF_LIFE
- 60 minutes is the default (HALF_LIFE=15 mins)
- This ensures a route that keeps collecting penalties isn't permanently suppressed; in practice it caps the penalty at REUSE LIMIT x 2^(MAX SUPPRESS / HALF_LIFE) = 750 x 16 = 12000 with the defaults
- Examples:
- If the penalty is 3000:
- The route is suppressed/dampened because it is above 2000 (SUPPRESS LIMIT)
- It is reduced by 1500 over 15 minutes (recalculated every 5 seconds)
- Half of 3000 is 1500
- 15 minutes is the HALF_LIFE default time
- Can only be suppressed for up to 60 minutes (MAXIMUM SUPPRESS TIME)
- The route will be unsuppressed when the penalty decays below 750 (REUSE LIMIT), i.e. after just over 30 minutes (two half-lives) if it does not flap again
- If the penalty is 300:
- The route is not suppressed until reaching 2000 (SUPPRESS LIMIT)
- It is reduced by 150 over 15 minutes
- Can be applied globally to the BGP routing process or based on matching criteria in a route-map
- Caveat: aggressive dampening lets an attacker (or an unstable upstream) take a prefix offline simply by making it flap; the RIPE routing working group recommendations favour conservative parameters or no dampening at all
- Command:
- (config-router)#bgp dampening <HALF_LIFE> <REUSELIMIT> <SUPPRESSLIMIT> <MAXIMUMSUPPRESSTIME>
- Default configuration:
- (config-router)#bgp dampening 15 750 2000 60
- (config)#route-map <name>
- (config-route-map)#match as-path <as path>
- (config-route-map)#set dampening <half_life> <ReuseLimit> <SuppressLimit> <MaximumSuppressTime>
- (config-router)#bgp dampening route-map <name>
- #show ip bgp flap-statistics
- #show ip bgp dampened-paths
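The dampening arithmetic above, carried through with the IOS defaults. This is an added example written for these notes (not Cisco code and not part of the original page); it reproduces the worked numbers (3000 halving to 1500 after one half-life), derives the penalty ceiling the maximum suppress time implies, and steps a constructed flap sequence through suppress and reuse. The event list and function names are mine.

```python
"""Route-flap dampening arithmetic with the IOS defaults above
(half-life 15 min, reuse 750, suppress 2000, max-suppress 60 min).

Added example, not from the original notes.  It reproduces the worked
numbers in the notes (a 3000 penalty halves to 1500 after one half-life)
and shows the penalty ceiling the max-suppress-time implies.  The flap
sequence fed to simulate() is constructed.
"""
import math

HALF_LIFE_S = 15 * 60
REUSE = 750
SUPPRESS = 2000
MAX_SUPPRESS_S = 60 * 60
FLAP_PENALTY = 1000          # route withdrawn then re-advertised
ATTR_CHANGE_PENALTY = 500    # attribute change only (half of a flap)


def decay(penalty, seconds, half_life=HALF_LIFE_S):
    """Exponential decay: the penalty halves every half_life seconds."""
    return penalty * 0.5 ** (seconds / half_life)


def penalty_ceiling(reuse=REUSE, max_suppress=MAX_SUPPRESS_S, half_life=HALF_LIFE_S):
    """Largest penalty a route can hold: anything above it would still be
    suppressed after max-suppress-time, which is not allowed.
    With the defaults 750 * 2^(60/15) = 12000."""
    return reuse * 2 ** (max_suppress / half_life)


def time_until_reuse(penalty, reuse=REUSE, half_life=HALF_LIFE_S):
    """Seconds until the decayed penalty drops to the reuse limit."""
    if penalty <= reuse:
        return 0.0
    return half_life * math.log2(penalty / reuse)


def simulate(events, half_life=HALF_LIFE_S):
    """events: list of (time_s, kind) with kind 'flap' or 'attr'.
    Returns [(time_s, penalty, suppressed)] after each event.  A real router
    also re-evaluates the reuse limit every 10 s between events; here the
    state is only updated when an event arrives."""
    ceiling = penalty_ceiling(half_life=half_life)
    penalty, last_t, suppressed, out = 0.0, 0, False, []
    for t, kind in events:
        penalty = decay(penalty, t - last_t, half_life)
        penalty += FLAP_PENALTY if kind == "flap" else ATTR_CHANGE_PENALTY
        penalty = min(penalty, ceiling)
        if penalty > SUPPRESS:
            suppressed = True
        elif penalty < REUSE:
            suppressed = False
        out.append((t, round(penalty), suppressed))
        last_t = t
    return out
```

Three flaps inside two minutes are enough to cross the 2000 suppress limit with the defaults, and the route then stays hidden for roughly half an hour even if it never flaps again; that is the trade-off the caveat above refers to.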
BGP NLRI Prefix Filtering
- Filtering order of preference:
- AS Path (filter-list)
- Prefix Lists/ACLs (distribute-list)
- Route-Maps
Distribute Lists
- Filters incoming or outgoing prefixes
- Can be applied directly to a neighbour or through a route-map
- Same configuration as standard (or extended) access lists
- Need to perform a route refresh once applied for the filter to take effect on existing prefixes
- Command:
- #clear ip bgp * soft [in | out] (a soft reset; without 'soft' the session is torn down)
- Command:
- (config-router)#neighbor <peer ip> distribute-list <acl-name> [in | out]
Example:
- Filter the 10.0.0.0 route being sent to the neighbour but allow all others
- (config)#access-list 25 deny 10.0.0.0 0.0.0.0
- (config)#access-list 25 permit any
- (config-router)#neighbor <ip address> distribute-list 25 out
- Caveat: a standard ACL matches the prefix address only, so this denies 10.0.0.0/8, 10.0.0.0/16 and 10.0.0.0/24 alike; use a prefix-list or an extended ACL to match the mask as well
Prefix Lists
- Can be applied directly to a neighbor or through a route-map
- Commands:
- (config)#ip prefix-list <name> [permit|deny] <network/length> [ge <length>] [le <length>]
Example:
- Filter the 172.0.0.0 prefix being sent to the neighbor 1.1.1.1
- (config)#ip prefix-list filter_bgp deny 172.0.0.0/8 le 32
- Matches 172.0.0.0 with any prefix length from 8 to 32; the remaining 24 bits act as wildcard bits
- (config)#ip prefix-list filter_bgp permit 0.0.0.0/0 le 32
- Matches every other prefix (any length from 0 to 32)
- (config-router)#neighbor 1.1.1.1 prefix-list filter_bgp out
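Added example (my own code, not from these notes or from IOS) of how a prefix-list is evaluated: the first `length` bits of the candidate must equal the configured network, the candidate's length must fall inside the window implied by ge/le, rules are tried in order and the first match decides, with an implicit deny at the end. It runs the filter_bgp list above and one constructed ge/le rule that is not on the page.

```python
import ipaddress

# Added illustration of ip prefix-list matching semantics; not IOS code.
# Entries are tested in order; the first match decides; no match = implicit deny.


def parse_prefix_list(lines):
    """Parse lines of the form
    'ip prefix-list NAME [seq N] permit|deny A.B.C.D/L [ge X] [le Y]'
    into (action, network, ge, le) tuples, keeping configured order."""
    entries = []
    for line in lines:
        tok = line.split()
        if tok[:2] != ["ip", "prefix-list"]:
            raise ValueError("not a prefix-list line: " + line)
        tok = tok[3:]                            # drop 'ip prefix-list NAME'
        if tok[0] == "seq":
            tok = tok[2:]
        action, rest = tok[0], tok[2:]
        if action not in ("permit", "deny"):
            raise ValueError("expected permit or deny: " + line)
        net = ipaddress.ip_network(tok[1], strict=False)
        ge = le = None
        while rest:
            key, val, rest = rest[0], int(rest[1]), rest[2:]
            if key == "ge":
                ge = val
            elif key == "le":
                le = val
        entries.append((action, net, ge, le))
    return entries


def entry_matches(entry, prefix):
    """Cisco semantics: the first net.prefixlen bits of `prefix` must equal `net`
    and the prefix length must fall in the ge/le window (exact length when
    neither is given; ge alone means from ge up to the maximum length)."""
    action, net, ge, le = entry
    if prefix.version != net.version or prefix.prefixlen < net.prefixlen:
        return False
    shift = net.max_prefixlen - net.prefixlen
    if int(prefix.network_address) >> shift != int(net.network_address) >> shift:
        return False
    low = ge if ge is not None else net.prefixlen
    if le is not None:
        high = le
    else:
        high = net.max_prefixlen if ge is not None else net.prefixlen
    return low <= prefix.prefixlen <= high


def prefix_list_permits(entries, prefix_str):
    """True if the prefix is permitted by the ordered entries, else False."""
    prefix = ipaddress.ip_network(prefix_str, strict=False)
    for entry in entries:
        if entry_matches(entry, prefix):
            return entry[0] == "permit"
    return False                                 # implicit deny at the end


# The notes' filter_bgp list, plus one constructed ge/le rule (not on the page)
# that admits only /24s inside 10.0.0.0/8.
FILTER_BGP = parse_prefix_list([
    "ip prefix-list filter_bgp deny 172.0.0.0/8 le 32",
    "ip prefix-list filter_bgp permit 0.0.0.0/0 le 32",
])
ONLY_SLASH24 = parse_prefix_list([
    "ip prefix-list only24 seq 5 permit 10.0.0.0/8 ge 24 le 24",   # constructed
])
```

Note the difference between `172.0.0.0/8 le 32` (every prefix under 172/8, at any length) and a bare `172.0.0.0/8` (which would match only the /8 itself and let 172.16.0.0/16 through).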
Access Lists
- Similar to prefix lists
- Can be applied directly to a neighbor (using distribute-list) or through a route-map
Access Lists: Standard
- Permit or deny prefixes per peer
- Can't do subnet mask matching
- Same configuration as Distribute Lists
- Not as performance-effective as prefix lists
- Commands:
- (config)#ip access-list standard <name>
- (config-std-nacl)#[permit|deny] <network> <wildcard-mask>
- (config-router)#neighbor <ip address> distribute-list <access-list name> [in|out]
Access Lists: Extended
- Able to do subnet mask matching
- Protocol field and other options are ignored
- <src-subnet> and <src-mask> are used for prefix matching
- <dst-subnet> and <dst-mask> are used to match prefixes subnet mask
- <dst-subnet> - where to start mask matching
- e.g. 255.255.255.0 = /24, 255.255.255.128 = /25
- <dst-mask> - where to stop mask matching
- e.g. 255.255.255.240 = /28, 255.255.255.252 = /30
Examples:
- Example 1:
- Match any subnet in range of 10.0.0.0 to 10.0.255.255 and having the prefix length of /24 to /32
- (config-ext-nacl)#permit ip 10.0.0.0 0.0.255.255 255.255.255.0 0.0.0.255
- Example 2:
- Match 10.0.0.0/16 only
- (config-ext-nacl)#permit ip 10.0.0.0 0.0.0.0 255.255.0.0 0.0.0.0
- Example 3:
- Match 10.0.0.0/24 only
- (config-ext-nacl)#permit ip 10.0.0.0 0.0.0.0 255.255.255.0 0.0.0.0
- Example 4:
- Match 10.0.X.0/24 only
- (config-ext-nacl)#permit ip 10.0.0.0 0.0.255.0 255.255.255.0 0.0.0.0
- Example 5:
- Match 10.X.X.X/16 to 10.X.X.X/32
- (config-ext-nacl)#permit ip 10.0.0.0 0.255.255.255 255.255.0.0 0.0.255.255
- Example 6:
- Match 10.X.0.X/8 to 10.X.0.X/32
- (config-ext-nacl)#permit ip 10.0.0.0 0.255.0.255 255.0.0.0 0.255.255.255
- Example 7:
- Match every even 2nd octet with a mask of /20 to /32
- (config-ext-nacl)#permit ip 0.0.0.0 255.254.255.255 255.255.240.0 0.0.15.255
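Added example (my own code, not from these notes or from IOS) covering the Distribute Lists, Access Lists: Standard and Access Lists: Extended sections above. It implements the wildcard comparison IOS applies when an ACL is used as a BGP prefix filter: the source half is checked against the prefix's network address and, for an extended ACE, the destination half against the subnet mask; a standard ACE never looks at the mask. It evaluates the notes' ACL 25 and four extended ACEs written in the style of the examples above (/24 to /32 inside 10.0.x.x, exactly 10.0.0.0/16, /16 to /32 under 10/8, and even second octet with /20 to /32). Only the ACE bodies are parsed, i.e. the text typed after the (config-std-nacl)# or (config-ext-nacl)# prompt.

```python
import ipaddress

# Added illustration of how IOS evaluates standard and extended ACLs as BGP
# prefix filters; constructed, not IOS code. Only the ACE body is parsed
# ('permit'/'deny' onward).


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def wildcard_match(value, base, wildcard):
    """Bits that are 0 in the wildcard must match `base`; 1 bits are don't-care."""
    care = ~wildcard & 0xFFFFFFFF
    return value & care == base & care


def parse_ace(line):
    """Standard: 'permit|deny SRC SRC-WC' or 'permit|deny any'.
    Extended: 'permit|deny ip SRC SRC-WC DST DST-WC'.
    Returns (action, src, src_wc, dst, dst_wc); dst is None for a standard ACE."""
    tok = line.split()
    action = tok[0]
    if action not in ("permit", "deny"):
        raise ValueError("ACE must start with permit or deny: " + line)
    if tok[1] == "ip":                                    # extended ACE
        src, src_wc, dst, dst_wc = (_ip(t) for t in tok[2:6])
        return action, src, src_wc, dst, dst_wc
    if tok[1] == "any":                                   # standard 'any'
        return action, 0, 0xFFFFFFFF, None, None
    return action, _ip(tok[1]), _ip(tok[2]), None, None


def ace_matches(ace, prefix):
    """Source half vs the prefix's network address; for an extended ACE the
    destination half vs the prefix's subnet mask (as a 32-bit value)."""
    action, src, src_wc, dst, dst_wc = ace
    net = ipaddress.IPv4Network(prefix, strict=False)
    if not wildcard_match(int(net.network_address), src, src_wc):
        return False
    if dst is None:                    # standard ACE: the mask is not examined
        return True
    return wildcard_match(int(net.netmask), dst, dst_wc)


def acl_permits(aces, prefix):
    """First matching ACE decides; implicit deny if nothing matches."""
    for ace in aces:
        if ace_matches(ace, prefix):
            return ace[0] == "permit"
    return False


# The notes' distribute-list ACL 25, and four extended ACEs in the style of
# the examples above (constructed here).
ACL_25 = [parse_ace("deny 10.0.0.0 0.0.0.0"), parse_ace("permit any")]
IN_10_0_SLASH24_TO_32 = [parse_ace("permit ip 10.0.0.0 0.0.255.255 255.255.255.0 0.0.0.255")]
EXACT_10_0_SLASH16 = [parse_ace("permit ip 10.0.0.0 0.0.0.0 255.255.0.0 0.0.0.0")]
UNDER_10_SLASH16_TO_32 = [parse_ace("permit ip 10.0.0.0 0.255.255.255 255.255.0.0 0.0.255.255")]
EVEN_2ND_OCTET_20_TO_32 = [parse_ace("permit ip 0.0.0.0 255.254.255.255 255.255.240.0 0.0.15.255")]
```

The standard ACL denies 10.0.0.0/24 as well as 10.0.0.0/8, because only the network address is compared, which is the "can't do subnet mask matching" limitation noted above; the extended ACEs distinguish the two.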
Route-Maps
- Most preferred method for filtering
- Commands:
- (config)#route-map <name>
- (config-route-map)#match ip address <access-list>
- (config-router)#neighbor <ip address> route-map <name> out
- With an access-list matching 172.0.0.0, this filters the 172.0.0.0 route being sent to the neighbor
- Can be used to set ANY BGP attribute
- A route-map deny statement can be an alternate configuration if the access-list has a permit statement
Table Maps
- Filters/manipulates prefixes based on entire BGP table before being sent to Global Routing Table
- References route-map
- Commands:
- (config)#route-map <route-map-name> deny <#>
- (config-route-map)#match <statement>
- (config-router)#table-map <route-map-name> filter
Maximum Prefix
- Good security feature
- Can filter on maximum number of prefixes learned from a neighbor
- If exceeds maximum prefix:
- Generates a warning message by default at 75%
- Can tear the peering down
- Can also attempt to restart peering after <1-65535> minutes
- Can generate warning messages only
- State of the connection goes to Idle (PfxCt)
- Visible in #show ip bgp summary
- Commands:
- (config-router)#neighbor <ip address> maximum-prefix <##> <threshold warning> [restart <1-65535>]
- (config-router)#neighbor <ip address> maximum-prefix <##> warning-only
- Generates a warning only message and doesn't tear down peering
- Generates 2 warning messages:
- One at 75% of <##>
- One when <##> is reached
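Added model (my own code, not from these notes or from IOS) of the maximum-prefix behaviour described above: a warning when the threshold percentage is reached, then either a second warning only (warning-only) or a teardown to Idle (PfxCt), with an optional restart timer. Prefix names and the minute-based clock are constructed for the illustration.

```python
import math

# Added model of 'neighbor <ip> maximum-prefix <max> [<threshold>]
# [warning-only | restart <minutes>]'; constructed, not IOS code.


class MaxPrefixPeer:
    def __init__(self, maximum, threshold=75, warning_only=False, restart=None):
        self.maximum = maximum
        self.threshold_count = math.ceil(maximum * threshold / 100)
        self.warning_only = warning_only
        self.restart = restart             # minutes until automatic re-establishment
        self.prefixes = set()
        self.state = "Established"
        self.log = []                      # warning messages, in order
        self.restart_at = None

    def learn(self, prefix, now=0):
        """Process one received prefix at time `now` (minutes); returns the state."""
        if self.state != "Established":
            return self.state              # nothing is accepted while torn down
        self.prefixes.add(prefix)
        count = len(self.prefixes)
        if count == self.threshold_count:
            self.log.append(f"warning: {count} prefixes received, maximum {self.maximum}")
        if count > self.maximum:
            self.log.append(f"exceeded: {count} prefixes received, limit {self.maximum}")
            if not self.warning_only:
                self.state = "Idle (PfxCt)"
                self.prefixes.clear()
                if self.restart is not None:
                    self.restart_at = now + self.restart
        return self.state

    def tick(self, now):
        """Timer check: bring the session back once the restart interval has passed."""
        if self.state != "Established" and self.restart_at is not None and now >= self.restart_at:
            self.state = "Established"
            self.restart_at = None
        return self.state


def receive_batch(peer, count, now=0):
    """Feed `count` distinct constructed prefixes and return the resulting state."""
    for i in range(1, count + 1):
        peer.learn(f"10.{i // 256}.{i % 256}.0/24", now)
    return peer.state
```

With maximum 4 the threshold warning fires at the third prefix (75% of 4, rounded up); the fifth prefix either logs a second warning (warning-only) or drops the session, and with restart 5 the session comes back five minutes later with its prefix count reset.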
Suppress Inactive Prefixes
- Prevents prefixes being advertised that are not in use
- e.g. RIB-failure prefixes
- Command:
- (config-router)#bgp suppress-inactive
AS Path Filtering
- Can filter prefixes based on AS_SET information
- Uses Regular Expressions to define AS_SET as an as-path access list and applied to a route-map
- Command:
- (config)#ip as-path access-list <#> <regular expression>
- (config-route-map)#match as-path <#>
Regular Expressions
BGP NLRI Prefix Aggregation
- Used to summarize prefixes
- Can be used at any point in the network
- Prefixes don't have to originate from inside local AS
- Creates a new summary prefix
- Prefix is tagged as ATOMIC_AGGREGATE to indicate to neighbors that it is a summary prefix
- AGGREGATOR is also added to NLRI to indicate who did the summarization
- Removes all original prefix information such as AS_SET, NEXT_HOP, ORIGIN etc. from aggregate address
- New summary prefix originates from local AS
- Summary prefix AS_SET only contains local AS number
- All original prefixes are still advertised to neighbors
- Command:
- (config-router)#aggregate-address <network-summary> <subnet-mask>
Example: Prefix Aggregation
- (config-router)#network 10.0.0.0 mask 255.255.255.0
- (config-router)#network 10.0.1.0 mask 255.255.255.0
- (config-router)#network 10.0.2.0 mask 255.255.255.0
- (config-router)#network 10.0.3.0 mask 255.255.255.0
- (config-router)#aggregate-address 10.0.0.0 255.255.252.0
- The following prefixes will be advertised to neighbors:
- 10.0.0.0/24
- 10.0.1.0/24
- 10.0.2.0/24
- 10.0.3.0/24
- 10.0.0.0/22
Prefix Aggregation: Summary-Only
- Advertises a summary prefix only
- Suppresses all other prefixes that are covered by aggregation address
- Command:
- (config-router)#aggregate-address <network-summary> <subnet-mask> summary-only
Example: Summary-Only
- (config-router)#network 10.0.0.0 mask 255.255.255.0
- (config-router)#network 10.0.1.0 mask 255.255.255.0
- (config-router)#network 10.0.2.0 mask 255.255.255.0
- (config-router)#network 10.0.3.0 mask 255.255.255.0
- (config-router)#aggregate-address 10.0.0.0 255.255.252.0 summary-only
- The following prefixes will be advertised to neighbors:
- 10.0.0.0/22
Prefix Aggregation: Suppress Map
- Advertises the summary address, all individual prefixes and suppresses all prefixes assigned in the route-map
- Command:
- (config-router)#aggregate-address <network-summary> <subnet-mask> suppress-map <route-map>
Example: Suppress Map
- (config)#ip prefix-list SUPPRESS_LIST permit 10.0.2.0/24
- (config)#route-map SUPPRESS permit 10
- (config-route-map)#match ip address prefix-list SUPPRESS_LIST
- (config-router)#network 10.0.0.0 mask 255.255.255.0
- (config-router)#network 10.0.1.0 mask 255.255.255.0
- (config-router)#network 10.0.2.0 mask 255.255.255.0
- (config-router)#network 10.0.3.0 mask 255.255.255.0
- (config-router)#aggregate-address 10.0.0.0 255.255.252.0 suppress-map SUPPRESS
- The following prefixes will be advertised to neighbors:
- 10.0.0.0/24
- 10.0.1.0/24
- 10.0.3.0/24
- 10.0.0.0/22
Prefix Aggregation: Unsuppress Map
- Generally used with summary-only keyword
- Overrides the aggregate summary suppression and unsuppresses prefixes defined in the route-map
- Applied to individual neighbors
- Command:
- (config-router)#neighbor <peer IP> unsuppress-map <route-map-name>
Example: Unsuppress Map
- (config)#ip prefix-list UNSUPPRESS_LIST permit 10.0.2.0/24
- (config)#route-map UNSUPPRESS permit 10
- (config-route-map)#match ip address prefix-list UNSUPPRESS_LIST
- (config-router)#network 10.0.0.0 mask 255.255.255.0
- (config-router)#network 10.0.1.0 mask 255.255.255.0
- (config-router)#network 10.0.2.0 mask 255.255.255.0
- (config-router)#network 10.0.3.0 mask 255.255.255.0
- (config-router)#aggregate-address 10.0.0.0 255.255.252.0 summary-only
- (config-router)#neighbor 1.1.1.1 unsuppress-map UNSUPPRESS
- The following prefixes will be advertised to neighbor 1.1.1.1:
- 10.0.0.0/22
- 10.0.2.0/24
- The following will be advertised to all other neighbors:
- 10.0.0.0/22
Prefix Aggregation: AS-SET
- Loss of NLRI information from the summary prefix, including AS_PATH, NEXT_HOP, LOCAL_PREF etc.
- Can cause sub-optimal routing
- Can cause routing loops, as the AS_PATH is reset and this prevents the BGP loop detection mechanisms working correctly
- Can be altered by inserting a new attribute into the summarization prefix called AS_SET
- Contains the AS numbers found in all AS_PATHs of the specific prefixes, along with other attributes such as Communities
- AS numbers are not in any order
- Only used for loop prevention
- If the local AS number is found in the AS_SET or AS_SEQUENCE, the prefix is dropped
- Command:
- (config-router)#aggregate-address <network summary> <subnet mask> as-set
Prefix Aggregation: AS-SET - Attribute Map
- Control attributes assigned to the summary prefix such as COMMUNITY passed through from individual prefixes with the AS-SET command
- In the route-map you are not required to match anything, as it is only applied to the summary prefix; only the set function is required
- Command:
- (config-router)#aggregate-address <network summary> <subnet mask> as-set attribute-map <route-map>
Example: AS-SET - Attribute Map
- (config)#route-map SET_COMMUNITY permit 10
- (config-route-map)#set community none
- (config-router)#aggregate-address 10.0.0.0 255.255.252.0 as-set attribute-map SET_COMMUNITY
- This example removes all communities from the summary prefix picked up by individual prefixes from the AS-SET command
Prefix Aggregation: AS-SET - Advertise Map
- Control which attributes to assign to the summary prefix from the AS-SET command
- Can specify which original prefixes to copy the attributes from into the new summary prefix, specifically the AS_PATH or AS_SET
- Command:
- (config-router)#aggregate-address <network summary> <subnet mask> as-set advertise-map <route-map>
Example: AS-SET - Advertise Map
- (config)#ip prefix-list ADVERTISE permit 10.0.2.0/24
- (config)#route-map ADVERTISE permit 10
- (config-route-map)#match ip address prefix-list ADVERTISE
- (config-router)#aggregate-address 10.0.0.0 255.255.252.0 as-set advertise-map ADVERTISE
- This example copies the attributes from the 10.0.2.0/24 prefix and assigns them to the new summary prefix attributes. All other prefix(s) attributes are ignored.
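Added model (my own code, not from these notes or from IOS) that serves the Route Aggregation, Summary-Only, Suppress Map, Unsuppress Map and AS-SET sections above. It computes what a neighbor receives for the page's four /24s under each option and shows why as-set matters for loop prevention: with a plain aggregate the path information is lost and ATOMIC_AGGREGATE is set, so an AS whose prefix is inside the summary would accept it back; with as-set every ASN from the component paths is carried in the unordered AS_SET and that AS drops the aggregate. The component routes are constructed (two of the /24s are assumed learned from AS 65001 and AS 65002, one is local, and 192.0.2.0/24 sits outside the summary), the local ASN 65010 is taken from the command list further down the page, and the AS_PATH is modelled as an AS_SEQUENCE list plus an AS_SET.

```python
import ipaddress

# Added model of aggregate-address behaviour (summary-only, suppress-map,
# unsuppress-map, as-set) as seen by a neighbour; constructed, not IOS code.


def make_route(prefix, as_seq=(), as_set=(), atomic=False, aggregator=None):
    return {"prefix": prefix, "as_seq": list(as_seq), "as_set": set(as_set),
            "atomic_aggregate": atomic, "aggregator": aggregator}


def aggregate(local_as, routes, summary, summary_only=False, suppress=(),
              as_set=False, unsuppress=()):
    """Return the routes advertised to one neighbour after aggregation.
    `suppress` models a suppress-map, `unsuppress` a per-neighbour unsuppress-map."""
    summary_net = ipaddress.ip_network(summary)
    covered = [r for r in routes
               if ipaddress.ip_network(r["prefix"]).subnet_of(summary_net)]
    if not covered:
        return list(routes)        # no component routes: no aggregate is generated
    advertised = []
    for r in routes:
        hidden = r in covered and (summary_only or r["prefix"] in suppress)
        if hidden and r["prefix"] not in unsuppress:
            continue
        advertised.append(r)
    if as_set:
        # Keep every ASN seen in the components' AS_PATHs, unordered, so those
        # ASes still recognise the aggregate as containing their own ASN.
        members = {asn for r in covered for asn in r["as_seq"] + sorted(r["as_set"])}
        advertised.append(make_route(summary, as_set=members, aggregator=local_as))
    else:
        # Path information is lost; ATOMIC_AGGREGATE tells neighbours so.
        advertised.append(make_route(summary, atomic=True, aggregator=local_as))
    return advertised


def send_to_ebgp(local_as, routes):
    """eBGP advertisement prepends the local ASN to every AS_SEQUENCE."""
    return [dict(r, as_seq=[local_as] + r["as_seq"]) for r in routes]


def receiver_drops(route, receiver_as):
    """Loop rule: a path carrying the receiver's ASN in AS_SEQUENCE or AS_SET is dropped."""
    return receiver_as in route["as_seq"] or receiver_as in route["as_set"]


# Constructed table: the notes' four /24s, two learned from other ASes.
LOCAL_AS = 65010
TABLE = [
    make_route("10.0.0.0/24", as_seq=[65001]),
    make_route("10.0.1.0/24", as_seq=[65001]),
    make_route("10.0.2.0/24", as_seq=[65002]),
    make_route("10.0.3.0/24"),                      # originated locally
    make_route("192.0.2.0/24", as_seq=[65003]),     # outside the summary
]


def prefixes(routes):
    return sorted(r["prefix"] for r in routes)
```

Running the summary-only and as-set form through send_to_ebgp gives the aggregate an AS_SEQUENCE of [65010] and an AS_SET of {65001, 65002}; AS 65001 drops it, AS 65004 keeps it. Without as-set the same aggregate reaches AS 65001 with nothing in its path to stop it.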
Load Balancing
- Load balancing conditions:
- Must have the same path attributes:
- WEIGHT
- LOCAL PREFERENCE
- ORIGIN
- MED
- Learned via either iBGP or eBGP
- Same IGP cost to reach their NEXT_HOP IP address
- The IGP cost check can be disabled manually
- Command:
- (config-router)#bgp bestpath igp-metric ignore
BGP NLRI Equal Cost Load Balancing
- Configured by globally enabling the maximum paths feature in BGP
- Enabled by default only for eBGP paths
- Command:
- (config-router)#maximum-paths <1-32>
- Command for iBGP peers:
- (config-router)#maximum-paths ibgp <1-32>
BGP NLRI Unequal Cost Load Balancing
- Used with a group of commands in BGP:
- DMZ link bandwidth needs to be enabled globally in BGP and to each neighbor to load-balance
- (config-router)#bgp dmzlink-bw
- Bandwidth needs to be set on the interface or use the default administrative bandwidth
- (config-if)#bandwidth <# in kbps>
- Set the maximum number of paths globally in BGP
- (config-router)#maximum-paths <1-32>
- Set which peers to use for load balancing prefixes
- (config-router)#neighbor <ip address> dmzlink-bw
BGP NLRI Global AS Load Balancing
- To enable Global AS BGP load balancing:
- When enabling dmzlink-bw on all border BGP routers
- The bandwidth value is copied to a new extended community attribute associated with the prefixes received from those eBGP peers
- All BGP peers in the AS should be configured to exchange extended communities across the iBGP links
- (config-router)#neighbor <iBGP Peer IP> send-community extended
- Need to enable maximum paths for iBGP peers as well.
- (config-router)#maximum-paths eibgp <1-32>
- If the next AS is not the same in prefix it will not perform load balancing
- For loop prevention
- Can manually disable
- (config-router)#bgp bestpath as-path multipath relax
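Added model (my own code, not from these notes or from IOS) of the multipath eligibility test described in the Load Balancing sections above: a candidate joins the best path only if WEIGHT, LOCAL_PREF, ORIGIN and MED are identical, it was learned the same way (iBGP or eBGP), the IGP cost to its NEXT_HOP matches (unless bgp bestpath igp-metric ignore), and its AS_PATH passes the loop-prevention check (relaxed by bgp bestpath as-path multipath relax), up to maximum-paths entries. One assumption of mine: without relax the whole AS_PATH must equal the best path's, which subsumes the next-AS condition stated above; with relax only the AS_PATH length must match. The candidate paths are constructed.

```python
from dataclasses import dataclass

# Added model of BGP multipath eligibility; constructed, not IOS code.
# Assumption: without 'as-path multipath relax' the entire AS_PATH must match
# the best path; with relax only the length must match.


@dataclass(frozen=True)
class Path:
    neighbor: str
    weight: int
    local_pref: int
    origin: str        # 'i', 'e' or '?'
    med: int
    as_path: tuple
    igp_cost: int      # IGP metric to reach the NEXT_HOP
    source: str        # 'ebgp' or 'ibgp'


def multipath_set(best, paths, maximum_paths=1, igp_metric_ignore=False,
                  as_path_relax=False):
    """Return the best path plus up to maximum_paths - 1 equal paths, in order."""
    chosen = [best]
    for p in paths:
        if p == best or len(chosen) >= maximum_paths:
            continue
        if (p.weight, p.local_pref, p.origin, p.med) != \
                (best.weight, best.local_pref, best.origin, best.med):
            continue                              # attributes must be identical
        if p.source != best.source:
            continue                              # iBGP and eBGP paths do not mix
        if len(p.as_path) != len(best.as_path):
            continue                              # length must match even with relax
        if not as_path_relax and p.as_path != best.as_path:
            continue                              # loop-prevention check (next AS)
        if not igp_metric_ignore and p.igp_cost != best.igp_cost:
            continue                              # same IGP cost to NEXT_HOP
        chosen.append(p)
    return chosen


# Constructed candidates for one prefix, all with WEIGHT 0 / LOCAL_PREF 100 /
# ORIGIN i / MED 0 except where the name says otherwise.
BEST = Path("A", 0, 100, "i", 0, (65001, 65002), 10, "ebgp")
SAME = Path("B", 0, 100, "i", 0, (65001, 65002), 10, "ebgp")
OTHER_NEXT_AS = Path("C", 0, 100, "i", 0, (65003, 65002), 10, "ebgp")
FARTHER_NEXT_HOP = Path("D", 0, 100, "i", 0, (65001, 65002), 20, "ebgp")
LOWER_LOCAL_PREF = Path("E", 0, 90, "i", 0, (65001, 65002), 10, "ebgp")
VIA_IBGP = Path("F", 0, 100, "i", 0, (65001, 65002), 10, "ibgp")
CANDIDATES = [BEST, SAME, OTHER_NEXT_AS, FARTHER_NEXT_HOP, LOWER_LOCAL_PREF, VIA_IBGP]
```

With the default maximum-paths 1 only the best path is installed; raising it to 4 adds SAME, relax also admits OTHER_NEXT_AS, igp-metric ignore also admits FARTHER_NEXT_HOP, and the lower LOCAL_PREF and iBGP candidates are never eligible.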
BGP Outbound Route Filtering (ORF)
- There are 2 types of ORF defined in IETF's draft:
- Prefix based
- Community based
- Cisco IOS only supports Prefix based
- Used to reduce the amount of prefixes being sent to the Local AS across a link
- Pushes a prefix-filter to the remote peer
- Tells the neighbor what prefixes to filter before sending to local device
- Neighbor applies prefix-filter to the outbound updates sent to the local device
- ORF is negotiated during BGP session establishment
- Capability must be enabled on each peer before configuring ORFs.
- Command:
- (config-router)#neighbor <IP address> capability orf prefix-list [send | receive | both]
- You must reset the BGP session to negotiate the capability
- To push an ORF you must define a prefix-list and apply it to the peer's session:
- Command:
- (config-router)#neighbor <IP address> prefix-list <NAME> in
- The list must be inbound because this is the natural direction for ORF
Local-AS
- Used to hide the local AS number
- Useful when migrating from one AS number to another
- Used between eBGP peers
- Commands:
- (config)#router bgp <new AS>
- (config-router)#neighbor <eBGP peer> local-as <old AS> [no-prepend]
- Sends the <old AS> number in the BGP OPEN Message
- All prefixes from this ASN would have the AS_PATH <old AS> <new AS>
- This lets external systems continue using the old AS number, while the AS_PATH looks as though the prefix first transited the new AS.
- If NO-PREPEND is specified any routes received from the eBGP peer will not have the <old AS> prepended upon reception
- Can also use the replace-as function so external peers are not aware of the new ASN being used
- Command:
- (config)#router bgp <new AS>
- (config-router)#neighbor <eBGP peer> local-as <old AS> no-prepend replace-as
- Can peer with eBGP peers using the new ASN for a dual-AS option
- Command:
- (config)#router bgp <new AS>
- (config-router)#neighbor <eBGP peer> local-as <old AS> no-prepend replace-as dual-as
Remove Private-AS
- Private AS numbers range from 64512 to 65535
- Private AS numbers are similar to RFC1918 IP addresses
- Shouldn't appear on the public Internet
- Private ASNs can be removed from the AS_PATH on a per-neighbor basis in the outbound direction
- Command:
- (config-router)#neighbor <peer ip> remove-private-as [all] [replace-as]
- Without keywords, private ASNs are removed only when the AS_PATH contains no public ASNs
- The 'all' keyword also removes private ASNs from paths that have public ASNs in the middle of the path
- The 'replace-as' keyword replaces each private ASN removed with the local ASN, keeping the AS_PATH length
Allow-AS In
- Allows prefixes with local AS in AS_PATH
- Goes against loop prevention mechanism
- Will need to implement a different loop prevention mechanism
- Required for 2 common scenarios:
- The company's network is partitioned and every partition connects to a carrier
- Every partition has its own set of prefixes but uses the same AS number
- In this case, for the partitions to exchange prefixes they must accept NLRIs carrying their own AS number
- The company connects to a carrier and wants to use it as a transit path in case the company's network becomes segmented
- In this case the prefixes advertised to the ISP must be accepted back by the border routers
- Configured on a per-neighbor basis using the command:
- (config-router)# neighbor <IP address> allowas-in [<1-10>]
- <count> refers to the number of times the local AS number occurs in the AS_PATH attribute
- Default is 3
AS-Override
- Used primarily with MP-BGP where a customer has multiple sites through a Service Provider MPLS core and only has a single AS number assigned
- This can be used instead of the Allow-AS In function
- Allow-AS In is configured on the CE device
- AS Override is configured on the PE device
- The PE device strips the customer's ASN from the AS_PATH before sending to the CE device and replaces it with its own ASN
- Command:
- (config-router)#neighbor <peer-ip> as-override
MP-BGP for IPv6
- Similar process as IPv4 MP-BGP
- Transport can be IPv4 or IPv6
- NLRI and Transport are independent of each other
- NLRI information advertised as AFI 2 (IPv6), SAFI 1 (Unicast)
- Command:
- (config-router)#address-family ipv6 unicast
- By default Peers are shutdown and need to be manually activated
- Command:
- (config-router-af)#neighbor <peer address> activate
- Troubleshooting commands:
- #show ipv6 bgp
- #show ipv6 bgp summary
IPv6 Peering
- To peer BGP neighbors using IPv6 Link-Local addressing you need to specify the outgoing interface with the IPv6 address, separated by a % sign
- Update source needs to be changed
- Command:
- (config-router-af)#neighbor FE80::XXXX%<IF> remote-as <ASN>
- (config-router-af)#neighbor FE80::XXXX%<IF> update-source <IF>
- (config-router-af)#neighbor FE80::XXXX%<IF> activate
- Example:
- (config-router-af)#neighbor FE80::1%GigabitEthernet0/0 remote-as 100
- (config-router-af)#neighbor FE80::1%GigabitEthernet0/0 update-source loopback0
- (config-router-af)#neighbor FE80::1%GigabitEthernet0/0 activate
- Link Local addressing prevents TCP attacks due to link-local not being routed or accessible outside of the local segment
Multiprotocol BGP Attributes
- Uses 2 new BGP attributes that are OPTIONAL NONTRANSITIVE
- MP_REACH_NLRI
- Announces new reachable multiprotocol prefixes
- MP_UNREACH_NLRI
- Withdraws prefixes announced by MP_REACH_NLRI
- For peers to exchange multiprotocol data, they must be agreed upon during the capabilities exchange
IPv6 NLRI over IPv4 Transport
- BGP speakers peer with each other using IPv4
- IPv6 next-hop issue: the next-hop address is an IPv4-mapped IPv6 address
- ::FFFF:<IPv4 address>
- Unable to recurse to next-hop address, so prefix doesn't get installed in RIB
- Can be resolved with either
- Route-map changing the IPv6 next-hop address manually
- Disabling the IPv6 default next-hop
- Changes the next-hop to the address configured on the interface
- Command:
- (config-router-af)#no bgp default ipv6-nexthop
BGP Convergence
Convergence improvements
BGP Timers
BGP Scanner
- Performs the following functions:
- Checks prefixes in BGP table and reachability of the BGP NEXT_HOP attribute
- Performs conditional advertisement and route injection
- Imports new prefixes into the BGP table from RIB
- via network and redistribute commands
- Performs route dampening
- BGP Scanner runs every 60 seconds by default
- Can be adjusted manually
- Command:
- (config-router)#bgp scan-time <5-60>
- Shorter the interval, better the routing convergence, but more load on CPU
- Can be checked by using the command:
BGP I/O
- Handles the reading, writing and execution of BGP UPDATE and KEEPALIVE messages
- Processes incoming messages as received
- BGP batches all prefixes and delays sending an update to the peer until the next advertisement interval timer expires
- eBGP default minimum is 30 seconds
- iBGP default minimum is 0 seconds
- Configured on a per-peer basis using command:
- (config-router)#neighbor <ip address> advertisement-interval <0-600 seconds>
- Minimum value is 0
- Instantly send updates
- Generates more BGP traffic
- Increases CPU load
BGP Session Keepalive Interval
- Validates BGP session health
- BGP peers advertise the hold time interval when establishing the peering session
- Peers may advertise different hold-time intervals
- Important that the peer receive a keepalive message before hold-time expires
- Default values are
- Keepalive: 60 seconds
- Holdtime: 180 seconds (3x keepalive)
- Can be manually changed on a per-process level
- Command:
- (config-router)#timers bgp <keepalive> <holdtime>
- Can be checked using command:
BGP Next-Hop Trigger
- Used to tune convergence to IGP
- BGP Next hop tracking is event driven
- From IOS 12.3(14)T
- Previous to that it used to rely on the BGP Scanner periodic changes
- BGP process registers the NEXT_HOP attribute with the RIB table watch process
- As soon as any change that affects the existing NEXT_HOP occurs, the watch process notifies the BGP router process
- If the change results in prefix withdrawn, BGP process immediately removes the prefix
- All other notifications are delayed and batched until the time interval expires specified by:
- Command:
- (config-router)#bgp nexthop trigger delay <seconds>
- After this a full BGP table walk occurs performing best path computations for all prefixes
- The delay value should be tuned according to the IGP convergence speed to avoid unnecessary full table walks
- Behaviour enabled by default using the following command:
- (config-router)#bgp nexthop trigger enable
Fast Fallover
- Enabled by default for eBGP peers
- As soon as the interface connecting to an eBGP peer signals protocols down, BGP process deactivates the peering session without waiting for the hold-down timer to expire.
- Only efficient when peering session is across a non-shared link.
- Using on NBMA and Ethernet might be inefficient
- Command:
- (config-router)#bgp fast-external-fallover
- Can be configured on a per neighbor basis
- Command:
- (config-router)#neighbor <IP address> fall-over
- Applies to both iBGP and eBGP neighbors
- Per-neighbor can use conditional checking if peer is reachable by a route
- Command:
- (config-router)#neighbor <IP address> fall-over route-map <route-map>
- These convergence improvements come at the cost of a less stable topology
Soft Reconfiguration
- Feature deprecated by the Route Refresh capability
- Signals a remote BGP peer to re-advertise the prefixes to the local peer
- Command:
- #clear ip bgp * soft in | out
- When local BGP speaker is configured to apply soft-reconfiguration to a peer, the speaker will accept ALL prefixes from the remote peer
- Stores them in a separate buffer
- Requires a session reset for this operation to initialise
- Prefixes then processed and imported in to Adj-RIB-In and finally to the BGP table.
- Every time local policy changes, no need to re-establish the peering session but apply the filters to the stored information
- Command:
- (config-router)#neighbor <IP address> soft-reconfiguration inbound
- #show ip bgp neighbors <IP address> received-routes
- To display all received routes in BGP table
- #show ip bgp
- prefix displays as (received-only)
BGP Commands
- List of all the BGP commands
- (config)# router bgp 65010 – Globally enable BGP
Neighbor Configuration
- (config-router)#neighbor <ip address> remote-as 65010
- (config-router)#neighbor <ip address> remote-as 65030
- (config-router)#neighbor <ip address> next-hop-self
- Overrides default next-hop for iBGP neighbors
- (config-router)#neighbor <ip address> ebgp-multihop <1-255>
- If eBGP neighbors are not directly connected
- (config-router)#neighbor <ip address> ttl-security hops <1-255>
- Control-plane security alternative to the command above (GTSM). Uses reverse logic: packets are sent with TTL 255, and a received packet is accepted only if its TTL is still at least 255 minus the configured hop count, i.e. it has not crossed more routers than allowed.
- (config-router)#neighbor <ip address> disable-connected-check
- Removes the directly-connected check for eBGP neighbors. Used when the peers are directly connected but peer between loopback addresses.
- (config-router)#neighbor <ip address> update-source <interface>
- Set where the updates are sourced from e.g. if using a loopback address.
- (config-router)#neighbor <ip address> route-reflector-client
- Enables peer router as a route reflector client. Enables router as a RR.
- (config-router)#neighbor <ip address> remove-private-AS
- May be needed to strip private AS manually if router doesn't support automatically stripping private AS from confederation configuration
- (config-router)#neighbor <name> peer-group
- Create a peer group configuration
- (config-router)#neighbor <name> [extra configuration]
- Create neighbor configuration on peer group
- (config-router)#neighbor <ip address> peer-group <name>
- Applies peer group configuration to neighbor
- (config-router)#neighbor <ip address> route-map <name> [in|out]
- Applied route-map to routes learned from neighbor either inbound or outbound
- (config-router)#neighbor <ip address> unsuppress-map [route-map name]
- unsuppresses certain routes to a particular neighbor from an atomic aggregate
- (config-router)#neighbor <ip address> maximum-prefix <number> <threshold> restart <minutes>
- tears down peering if <number> of prefixes is exceeded and attempts to restore peering after <minutes>
- (config-router)#bgp fast-external-fallover
- Links eBGP peers to Interface Link status and tears down peering (before hold timer expires) if interface goes down. Enabled by default.
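Added model (my own code, not from these notes or from IOS) of how the ebgp-multihop, ttl-security hops and disable-connected-check neighbor statements in the list above decide whether a packet from an eBGP peer is acceptable. Assumptions of mine: a default eBGP session sends TTL 1 and requires the peer address to be on a directly connected subnet; ebgp-multihop <n> sends TTL n and drops the connected check; ttl-security hops <n> sends TTL 255 and accepts only packets whose TTL is still at least 255 minus n. The addresses and hop counts are constructed.

```python
import ipaddress

# Added model of the eBGP peer reachability checks (connected check,
# ebgp-multihop, ttl-security); constructed, not IOS code.


def neighbor_config(ebgp_multihop=None, ttl_security_hops=None,
                    disable_connected_check=False):
    """The subset of 'neighbor <ip> ...' options this model understands."""
    return {"ebgp_multihop": ebgp_multihop,
            "ttl_security_hops": ttl_security_hops,
            "disable_connected_check": disable_connected_check}


def sent_ttl(cfg):
    """TTL the local router places on packets sent to this peer."""
    if cfg["ttl_security_hops"] is not None:
        return 255                      # GTSM: start at the maximum
    return cfg["ebgp_multihop"] or 1    # default eBGP: one hop only


def ttl_after(routers_crossed, initial):
    """TTL of a pack the peer sent, after crossing this many routers."""
    return max(initial - routers_crossed, 0)


def accept_from_peer(cfg, peer_ip, received_ttl, connected_subnets):
    """Decide whether a packet from peer_ip with this TTL passes the peer checks."""
    if received_ttl < 1:
        return False                    # expired in transit
    if cfg["ttl_security_hops"] is not None:
        # Reverse logic: every router crossed costs one TTL, so a packet that
        # travelled farther than the allowed hop count cannot still be >= 255 - n,
        # whatever its sender claims.
        return received_ttl >= 255 - cfg["ttl_security_hops"]
    if cfg["ebgp_multihop"] is not None or cfg["disable_connected_check"]:
        return True                     # any packet that survived is accepted
    peer = ipaddress.ip_address(peer_ip)
    return any(peer in ipaddress.ip_network(s) for s in connected_subnets)
```

The contrast the list above draws is visible in the test: ebgp-multihop accepts a packet that has crossed seven routers, while ttl-security hops 2 rejects it and accepts only packets that crossed two or fewer.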
Advertisement Configuration
- (config-router)#network <ip subnet> mask <subnet-mask>
- Advertise network into BGP
- (config-router)#network <ip subnet> mask <subnet-mask> backdoor
- Backdoor function prefers IGP learned routes over eBGP routes
- (config-router)#default-metric <#>
- (config-router)#no synchronization
- Disables the rule of synchronization between BGP peers (Route doesn't need to be learned by an IGP)
- (config-router)#no auto-summary
- Disables auto-summarization of routes
- (config-router)#bgp suppress-inactive
- Stops RIB-failure routes being advertised to other neighbors
- (config-router)# bgp maxas-limit <1-254>
- Sets the maximum number of ASNs allowed in the path
- Default value 75.
- (config-router)# maximum-paths <1-32>
- Enables BGP multi-pathing
Community Configuration
- (config-router)#neighbor <ip address> send-community [standard | extended | both]
- Enables the distribution of Communities between peers
- (config-route-map)#set community [<community number> [additive] | <well-known community> | none]
- Sets the community of prefixes specified in route map
- (config-route-map)#set comm-list <community-list number> delete
- removes community number(s) from prefix(es)
Confederation Configuration
- (config-router)#bgp confederation identifier <root AS number>
- Tells router what the Public BGP AS is when peering with eBGP peers
- (config-router)#bgp confederation peers <other private AS number>
- Tells router about other private confederation AS numbers
Aggregation Configuration
- (config-router)#aggregate-address <network summary> <subnet mask> [summary-only]
- Advertises only the summary address and removes individual routes from routing table
- (config-router)#aggregate-address <network summary> <subnet mask> suppress-map <route-map-name>
- Advertises the summary address and suppresses routes defined in route-map
- (config-router)#neighbor <ip address> unsuppress-map <route-map-name>
- Overrides aggregate summary suppression and unsuppresses routes defined in route-map for specific neighbor
Redistribution Configuration
- (config-router)#redistribute bgp <ASN> metric <metric details>
- Redistributes eBGP learned routes only into IGP
- (config-router)#bgp redistribute-internal
- Allows iBGP routes to be redistributed in to an IGP
Show configuration
- #show ip bgp
- Shows the BGP table routes
- #show ip bgp summary
- Shows the summary status of neighbors
- #show ip bgp rib-failure
- Shows BGP routes that have failed to be installed in the Routing Table
- #show ip bgp update-group
- Shows the bgp peer-group information
- #show ip bgp replication
- Shows the bgp peer-group replication statistics (only for the peer-group leader)
- #show tcp brief all
- Show TCP sessions to/from the router
- #show control-plane host open-ports
- To display TCP connections
- #clear ip bgp *
- Tears down and clears all BGP sessions
- #clear ip bgp * soft in | out
- Soft reset (route refresh) inbound or outbound without tearing the sessions down