1.5.BGBBCP_AfREN.pdf
-
Upload
shareefgs5560 -
Category
Documents
-
view
215 -
download
0
Transcript of 1.5.BGBBCP_AfREN.pdf
-
BGP Best Current Practices
Mark Tinka
Routing in the Campus Network(An ISPs Perspective)
-
What is BGP for?
What is an IGP not for?
-
BGP versus OSPF/ISIS Internal Routing Protocols (IGPs)
examples are IS-IS and OSPF used for carrying infrastructure
addresses NOT used for carrying Internet
prefixes or customer prefixes design goal is to minimise number of
prefixes in IGP to aid scalability and rapid convergence
-
BGP versus OSPF/ISIS BGP used internally (iBGP) and
externally (eBGP) iBGP used to carry
some/all Internet prefixes across backbone
customer prefixes eBGP used to
exchange prefixes with other ASes implement routing policy
-
BGP versus OSPF/ISIS DO NOT:
distribute BGP prefixes into an IGP distribute IGP routes into BGP use an IGP to carry customer prefixes
YOUR NETWORK WILL NOT SCALE
-
The Campus NetworkBorderRouter
CoreRouterCoreRouter FiberLinkstoremotebuildings
LocalInternetexchangeswitch
CoreSwitch
-
Aggregation
Quality, not Quantity!
-
Aggregation
ISPs receive address block from Regional Registry or upstream provider
Aggregation means announcing the address block only, not subprefixes
Aggregate should be generated internally
-
Configuring Aggregation: Cisco IOS
ISP has 101.10.0.0/19 address block To put into BGP as an aggregate:
routerbgp100network101.10.0.0mask255.255.224.0iproute101.10.0.0255.255.224.0null0
The static route is a pull up route more specific prefixes within this address block
ensure connectivity to ISPs customers longest match lookup
-
Aggregation Address block should be
announced to the Internet as an aggregate
Subprefixes of address block should NOT be announced to Internet unless fine-tuning multihoming And even then care and frugality is
required dont announce more subprefixes than absolutely necessary
-
Announcing Aggregate:Cisco IOS
Configuration Examplerouterbgp100network101.10.0.0mask255.255.224.0neighbor102.102.10.1remoteas101neighbor102.102.10.1prefixlistoutfilterout!iproute101.10.0.0255.255.224.0null0!ipprefixlistoutfilterpermit101.10.0.0/19ipprefixlistoutfilterdeny0.0.0.0/0le32
-
Announcing an Aggregate ISPs who dont and wont
aggregate are held in poor regard by community
Registries minimum allocation size is now at least a /21 no real reason to see anything much
longer than a /22 prefix in the Internet
BUT there are currently >115000 /24s!
-
Receiving Prefixes
-
Receiving Prefixes from downstream peers
ISPs should only accept prefixes which have been assigned or allocated to their downstream peer
For example downstream has 100.50.0.0/20 block should only announce this to peers peers should only accept this from them
-
Receiving Prefixes:Cisco IOS
Configuration Example on upstreamrouterbgp100neighbor102.102.10.1remoteas101neighbor102.102.10.1prefixlistcustomerin!ipprefixlistcustomerpermit100.50.0.0/20
ipprefixlistcustomerdeny0.0.0.0/0le32
-
Receiving Prefixes from upstream peers Not desirable unless really
necessary special circumstances
Ask upstream to either: originate a default-route announce one prefix you can use as
default
-
Receiving Prefixes from upstream peers
Downstream Router Configurationrouterbgp100network101.10.0.0mask255.255.224.0neighbor101.5.7.1remoteas101neighbor101.5.7.1prefixlistinfiltinneighbor101.5.7.1prefixlistoutfiltout!ipprefixlistinfiltpermit0.0.0.0/0ipprefixlistinfiltdeny0.0.0.0/0le32!ipprefixlistoutfiltpermit101.10.0.0/19ipprefixlistoutfiltdeny0.0.0.0/0le32
-
Receiving Prefixes from upstream peers Upstream Router Configuration
routerbgp101neighbor101.5.7.2remoteas100neighbor101.5.7.2defaultoriginateneighbor101.5.7.2prefixlistcustininneighbor101.5.7.2prefixlistcustoutout!ipprefixlistcustinpermit101.10.0.0/19ipprefixlistcustindeny0.0.0.0/0le32!ipprefixlistcustoutpermit0.0.0.0/0ipprefixlistcustoutdeny0.0.0.0/0le32
-
Receiving Prefixes from upstream peers
If necessary to receive prefixes from upstream provider, care is required dont accept RFC 1918 etc prefixes dont accept DSUAs/RFC 3330 prefixes dont accept your own prefix dont accept default (unless you need it) dont accept prefixes longer than /24
-
Receiving Prefixesrouterbgp100network101.10.0.0mask255.255.224.0neighbor101.5.7.1remoteas101neighbor101.5.7.1prefixlistinfilterin!ipprefixlistinfilterdeny0.0.0.0/0 !Blockdefaultipprefixlistinfilterdeny0.0.0.0/8le32ipprefixlistinfilterdeny10.0.0.0/8le32ipprefixlistinfilterdeny101.10.0.0/19le32!Blocklocalprefixipprefixlistinfilterdeny127.0.0.0/8le32ipprefixlistinfilterdeny169.254.0.0/16le32ipprefixlistinfilterdeny172.16.0.0/12le32ipprefixlistinfilterdeny192.0.2.0/24le32ipprefixlistinfilterdeny192.168.0.0/16le32ipprefixlistinfilterdeny224.0.0.0/3le32!Blockmulticastipprefixlistinfilterdeny0.0.0.0/0ge25!Blockprefixes>/24ipprefixlistinfilterpermit0.0.0.0/0le32
-
Generic University BGP prefix filter
This prefix-list MUST be applied to all external BGP peerings, in and out!
RFC3330 lists many special use addresses Check Rob Thomas list of bogons
http://www.cymru.com/Documents/bogon-list.html
ipprefixlistrfc1918suadeny0.0.0.0/8le32ipprefixlistrfc1918suadeny10.0.0.0/8le32ipprefixlistrfc1918suadeny127.0.0.0/8le32ipprefixlistrfc1918suadeny169.254.0.0/16le32ipprefixlistrfc1918suadeny172.16.0.0/12le32ipprefixlistrfc1918suadeny192.0.2.0/24le32ipprefixlistrfc1918suadeny192.168.0.0/16le32ipprefixlistrfc1918suadeny224.0.0.0/3le32ipprefixlistrfc1918suadeny0.0.0.0/0ge25ipprefixlistrfc1918suapermit0.0.0.0/0le32
http://www.cymru.com/Documents/bogon-list.html
-
The Campus Network: Scaled
BorderRouter
CoreRouterCoreRouter FiberLinkstoremotebuildings
LocalInternetexchangeswitch
CoreSwitch
-
Prefixes into iBGP
-
Injecting prefixes into iBGP
Use OSPF to create network infrastructure
Use iBGP to carry customer prefixes dont use IGP
Point static route to customer interface Use BGP network statement As long as static route exists (interface
active), prefix will be in BGP
-
Creating Infrastructure Use OSPF to create the infrastructure
interfaceloopback0ipaddress1.1.1.1255.255.255.255!interfacefastethernet0/0ipaddress2.2.2.2255.255.255.224!routerospf1passiveinterfacedefaultnopassiveinterfacefastethernet0/0network2.2.2.20.0.0.31area0network1.1.1.10.0.0.0area0
-
Router configuration:network statement
Example:interfaceloopback0ipaddress215.17.3.1255.255.255.255!interfaceSerial5/0ipunnumberedloopback0ipverifyunicastreversepath!iproute215.34.10.0255.255.252.0Serial5/0!routerbgp100network215.34.10.0mask255.255.252.0
-
Injecting prefixes into iBGP interface flap will result in prefix
withdraw and reannounce use ip routepermanent
many ISPs use redistribute static rather than network statement only use this if you understand why
-
Router Configuration:redistribute static Example:
iproute215.34.10.0255.255.252.0Serial5/0!routerbgp100redistributestaticroutemapstatictobgp
!routemapstatictobgppermit10matchipaddressprefixlistISPblocksetoriginigp
!ipprefixlistISPblockpermit215.34.10.0/22le30!
-
Injecting prefixes into iBGP Route-map ISP-block can be used for
many things: setting communities and other attributes setting origin code to IGP, etc
Be careful with prefix-lists and route-maps absence of either/both means all statically
routed prefixes go into iBGP
-
Configuration Tips
-
Templates Good practice to configure
templates for everything Vendor defaults tend not to be
optimal or even very useful for ISPs ISPs create their own defaults by
using configuration templates Sample iBGP and eBGP templates
follow for Cisco IOS
-
BGP Template iBGP peers
iBGPPeerGroupAS100
routerbgp100neighborinternalpeergroupneighborinternaldescriptionibgppeersneighborinternalremoteas100neighborinternalupdatesourceLoopback0neighborinternalnexthopselfneighborinternalsendcommunityneighborinternalversion4neighborinternalpassword703085A09neighbor1.0.0.1peergroupinternalneighbor1.0.0.2peergroupinternal
-
BGP Template iBGP peers Use peer-groups iBGP between loopbacks! Next-hop-self
Keep DMZ and point-to-point out of IGP Always send communities in iBGP
Otherwise accidents will happen Hardwire BGP to version 4
Yes, this is being paranoid! Use passwords on iBGP session
Not being paranoid, VERY necessary
-
BGP Template eBGP peers
RouterB:routerbgp100network10.60.0.0mask255.255.0.0neighborexternalpeergroupneighborexternalremoteas200neighborexternaldescriptionISPconnectionneighborexternalremoveprivateASneighborexternalversion4neighborexternalprefixlistispoutout!realfilterneighborexternalfilterlist1out!accidentfilterneighborexternalroutemapispoutoutneighborexternalprefixlistispininneighborexternalfilterlist2inneighborexternalroutemapispininneighborexternalpassword7020A0559neighborexternalmaximumprefix220000[warningonly]neighbor10.200.0.1peergroupexternal!iproute10.60.0.0255.255.0.0null0254
AS200
AS100
10.0.0.0
A
B
10.60.0.0/16
10.200.0.0
.1
.2
AS100isacustomerofAS200
-
BGP Template eBGP peers Remove private ASes from announcements
Common omission today Use extensive filters, with backup
Use as-path filters to backup prefix-lists Use route-maps for policy
Use password agreed between you and peer on eBGP session
Use maximum-prefix tracking Router will warn you if there are sudden increases
in BGP table size, bringing down eBGP if desired
-
Configuration Tips Summary Use configuration templates Standardise the configuration Anything to make your life easier,
network less prone to errors, network more likely to scale
Its all about scaling if your network wont scale, then it wont be successful
-
Summary BGP BCP BGP versus IGP Aggregation Sending & Receiving Prefixes Injecting Prefixes into iBGP Configuration Tips
-
END