BGP on IOS-XR


Description: Configure BGP on IOS-XR

Transcript of BGP on IOS-XR

Page 1: BGP on IOS-XR

BGP on IOS-XR #Ref500

• Similar to other routing protocol configurations in IOS-XR, BGP configuration is also hierarchical #Ref4
• Therefore, most of the configurations for IOS are valid for IOS-XR too (those that are not have been specifically shown)

IOS-XR vs IOS

Requirements on IOS-XR

• #bgp router-id is mandatory in IOS-XR
• address-family is mandatory in IOS-XR
  1. under neighbor configuration mode - BGP/MBGP#neighbor address-family
  2. under router configuration mode - BGP/MBGP#router address-family
• BGP uses (Router/Config/route-policy) on IOS-XR, instead of route-maps in IOS
• Route Policy is mandatory for eBGP (because the default is deny all), not for iBGP (because the default is permit all)

Basic IOS-XR Configuration Example

# On IOS-XR
router bgp 2
 # Router ID is mandatory here
 bgp router-id 2.2.2.2
 # Address family router config mode is mandatory here
 address-family ipv4 unicast
  # Only in this address family mode, you cannot apply route-policies
  # Only in this mode, you can apply the network command
  network 2.0.0.0/8
 !
 neighbor 10.0.0.1
  remote-as 1
  # Address family neighbor config mode is mandatory here
  address-family ipv4 unicast
   # Route Policy is mandatory for eBGP
   route-policy pass-all in
   route-policy pass-all out
  !
 !
route-policy pass-all
  pass
end-policy
!
end

# On IOS
router bgp $LOCAL_AS
 neighbor $NEIGHBOR remote-as $REMOTE_AS

BGP/Config

BGP on IOS-XR 1


 network 1.1.1.0/24

RPL

• Router/Config/route-policy

as-path-set

• Router/Config/route-policy#as-path-set

community-set

• Router/Config/route-policy#community-set

delete community

• Router/Config/route-policy#delete community

Configuration Grouping

Like IOS uses #peer-group, IOS-XR uses:
  1. af-group
  2. session-group
  3. neighbor-group

• A neighbor applies a group using the use command
• Understand BGP/MBGP/Config#Address Family Independent vs Family Specific

af-group

• groups any address-family dependent configuration

neighbor-group

• groups address-family independent and dependent commands for each address family

router bgp 2
 neighbor 1.0.0.1
  remote-as 1
  use neighbor-group ngtest
  ebgp-multihop 2
  update-source Loopback0
  address-family ipv4 unicast
   use af-group aftest
   route-policy passall in
   route-policy passall out
  !
 !
 ! Address-Family Dependent commands
 af-group aftest address-family ipv4 unicast
  soft-reconfiguration inbound


 !
 neighbor-group ngtest
  ! Address-Family independent commands
  timers 10 30
  ! Address-Family Dependent commands
  use neighbor-group $SOME_GROUP
  address-family ipv4 unicast
   use af-group aftest
  !
 !
!
end

show bgp neighbor $NEIGHBOR configuration

session-group

• Groups only address-family independent commands

router bgp 1
 timers bgp 31 100
 bgp router-id 1.0.0.1
 address-family ipv4 unicast
 !
 af-group aftest address-family ipv4 unicast
  route-policy passall in
  route-policy passall out
 !
 session-group test
  timers 10 30
 !
 neighbor-group ngtest
  address-family ipv4 unicast
   use af-group aftest
  !
 !
 neighbor 2.0.0.1
  remote-as 2
  use session-group test
  use neighbor-group ngtest
  ebgp-multihop 2
  update-source Loopback0
  address-family ipv4 unicast
  !
 !
!

log neighbor changes

Same as IOS's #log-neighbor-changes


ibgp policy out enforce-modifications

• Configuring this on an IOS-XR BGP peer allows it to modify any BGP attributes of the iBGP routes it is advertising out
• This is part of the configuration required for #Workaround for next-hop-self on route reflector
• In general, it makes the RR change BGP attributes for routes reflected to clients/non-clients

! On IOS-XR
! RR-Server
router bgp $ASN
 ibgp policy out enforce-modifications
 neighbor $RR_CLIENT
  address-family ipv4 unicast
   route-reflector-client
   route-policy $SET_ATTRS out

route-policy $SET_ATTRS
  set ipv4 next-hop $NEW_HOP
end-policy

show bgp neighbor configuration

• This feature is not present in IOS
• In short, this command shows the entire configuration related to a neighbor, expanding any session-group or af-group

! Output
RP/0/RP0/CPU0:R1#show bgp neighbor 10.0.0.2 configuration
neighbor 10.0.0.2
 remote-as 2                              [s:RR-CLIENT]
 advertisement-interval 1                 [s:RR-CLIENT]
 description R2                           []
 password 123                             [s:RR-CLIENT]
 update-source Loopback0                  [s:RR-CLIENT]
 graceful-restart                         []
 address-family IPv4 Unicast              []
  policy AR-TO-UR-OUT out                 [a:RR-CLIENT-IPV4U]
  route-reflector-client                  [a:RR-CLIENT-IPV4U]
  soft-reconfiguration inbound always     [a:RR-CLIENT-IPV4U]

! Actual configuration
RP/0/RP0/CPU0:R1#show run router bgp | b neighbor 10.0.0.2
neighbor 10.0.0.2
 use session-group RR-CLIENT
 description R2
 address-family ipv4 unicast
  use af-group RR-CLIENT-IPV4U
session-group RR-CLIENT
 remote-as 2
 advertisement-interval 1
 password 123
 description Group used for RR clients
 update-source Loopback0
af-group RR-CLIENT-IPV4U address-family ipv4 unicast
 route-reflector-client


 route-policy AR-TO-UR-OUT out
 soft-reconfiguration inbound always
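The group expansion that show bgp neighbor configuration performs can be modelled to see why description R2 carries an empty tag while remote-as 2 is tagged [s:RR-CLIENT]. This is an added Python example, not code from the page or from IOS-XR; the data layout and the assumption that a command configured directly on the neighbor overrides the same command inherited from a group are mine.

```python
"""Model of how IOS-XR resolves a neighbor's effective BGP configuration.

Constructed example, not code from the page: it expands the neighbor's own
commands plus whatever "use session-group" / "use af-group" pull in, and
tags each resulting line with its origin the way
"show bgp neighbor <ip> configuration" does: [] for a command configured
directly on the neighbor, [s:NAME] for a session-group, [a:NAME] for an
af-group. Assumption: a command configured directly on the neighbor takes
precedence over the same command inherited from a group.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A command set is keyed by its keyword (e.g. "description") so that a local
# "description R2" replaces a session-group's "description ...".
Commands = Dict[str, str]


@dataclass
class Neighbor:
    address: str
    local: Commands = field(default_factory=dict)   # AF-independent, local
    session_group: Optional[str] = None            # "use session-group X"
    # address family -> (af-group name or None, local AF-specific commands)
    afs: Dict[str, Tuple[Optional[str], Commands]] = field(default_factory=dict)


def _merge(inherited: Commands, origin: str, local: Commands) -> List[Tuple[str, str]]:
    """Overlay local commands on inherited ones; return (command, origin) pairs."""
    merged = {key: (cmd, origin) for key, cmd in inherited.items()}
    merged.update({key: (cmd, "[]") for key, cmd in local.items()})
    return list(merged.values())


def resolve(nbr: Neighbor, session_groups: Dict[str, Commands],
            af_groups: Dict[str, Tuple[str, Commands]]) -> List[Tuple[str, str]]:
    """Return the effective neighbor configuration as (line, origin) pairs."""
    lines: List[Tuple[str, str]] = [(f"neighbor {nbr.address}", "")]
    sg = nbr.session_group
    inherited = session_groups[sg] if sg else {}
    for cmd, origin in _merge(inherited, f"[s:{sg}]", nbr.local):
        lines.append((f" {cmd}", origin))
    for af, (ag, local_af) in nbr.afs.items():
        lines.append((f" address-family {af}", "[]"))
        inherited_af: Commands = {}
        if ag:
            group_af, inherited_af = af_groups[ag]
            if group_af != af:   # an af-group is bound to one address family
                raise ValueError(f"af-group {ag} is for {group_af}, not {af}")
        for cmd, origin in _merge(inherited_af, f"[a:{ag}]", local_af):
            lines.append((f"  {cmd}", origin))
    return lines


def render(lines: List[Tuple[str, str]]) -> str:
    """Format like the show command: command on the left, origin tag on the right."""
    return "\n".join(f"{cmd:<40}{origin}" for cmd, origin in lines)


# Constructed sample mirroring the R1 configuration shown above.
SESSION_GROUPS: Dict[str, Commands] = {
    "RR-CLIENT": {
        "remote-as": "remote-as 2",
        "advertisement-interval": "advertisement-interval 1",
        "password": "password 123",
        "description": "description Group used for RR clients",
        "update-source": "update-source Loopback0",
    }
}
AF_GROUPS: Dict[str, Tuple[str, Commands]] = {
    "RR-CLIENT-IPV4U": ("ipv4 unicast", {
        "route-reflector-client": "route-reflector-client",
        "route-policy out": "route-policy AR-TO-UR-OUT out",
        "soft-reconfiguration": "soft-reconfiguration inbound always",
    })
}
R2 = Neighbor("10.0.0.2",
              local={"description": "description R2"},
              session_group="RR-CLIENT",
              afs={"ipv4 unicast": ("RR-CLIENT-IPV4U", {})})


def origin_of(nbr: Neighbor, command: str) -> Optional[str]:
    """Which tag a command carries in the effective config (None if absent)."""
    for line, origin in resolve(nbr, SESSION_GROUPS, AF_GROUPS):
        if line.strip() == command:
            return origin
    return None


if __name__ == "__main__":
    print(render(resolve(R2, SESSION_GROUPS, AF_GROUPS)))
```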

/32 Static Route must be configured for eBGP Sessions with labeled-unicast

• When you are configuring an eBGP session on IOS-XR over a directly connected link which is not /32, then you must configure a static route to the remote peer with a /32 mask to make the local router resolve CEF (even though you have direct IP connectivity, you must configure this for labeled-unicast to work)

• NOTE: This same situation is not seen when LDP is used b/w eBGP peers, because LDP cannot be used for allocating a label to a BGP learnt route (LDP#Is it possible to allocate a local binding to a BGP learned route)

• Example
  ♦ BGP/Labs/Lab17
  ♦ MPLS/L3VPN/Config#eBGP Peering

BGP on IOS

• All the sections below this are meant for IOS, IOS-XE
• However, because there is so much overlap in IOS-XR and IOS configuration, most of the configurations shown below are applicable to IOS-XR too (you still require the verification from #BGP on IOS-XR)

Neighbor

• $MY_AS
  ♦ is the ASN of the AS the current router is in
• $REMOTE_IP
  ♦ can be any interface (loopback, fa, etc.) IP address on the neighbor that it HAS connectivity with!
  ♦ This IP is used for TCP connection setup
  ♦ Note: When $REMOTE_IP is not the IP address of the directly connected interface on the neighbor that connects to the local router (e.g. when $REMOTE_IP is a remote loopback), then you must use update-source on the neighbor
• $REMOTE_ASN
  ♦ $REMOTE_ASN is the ASN of the neighbor's AS (must have a command of "router bgp REMOTE_ASN" on the neighbor's side)
  ♦ If $REMOTE_ASN==$MY_AS, then the BGP neighbor relationship being set up is iBGP
• no synchronization is the default setup
  ♦ BGP#iBGP Synchronization
• no auto-summary is the default setup

! On Cisco IOS, IOS-XE
! Configuration
! Similar configuration must be applied on the neighbor too
router bgp $MY_AS
 no synchronization
 ! This allows incoming connection from $REMOTE_IP with destination port: 179
 neighbor $REMOTE_IP remote-as $REMOTE_ASN
 no auto-summary

! Verification - On IOS
!! Should be Established


show ip bgp summary
show ip bgp neighbor $REMOTE_IP | include BGP state
show ip bgp neighbor $REMOTE_IP configuration
show tcp brief ! shows current TCP connections

! Verification - On IOS-XR
show bgp ...

update-source

• "By default, IOS chooses its BGP source IP address for a given neighbor as the interface IP address of the outgoing interface of the route used to forward packets to that neighbor" #Ref2
• If configured, you need to make sure that the neighbor is referring to the IP present in {$LOCAL_INT|$LOCAL_IP}
• The TCP connection will be set up between $REMOTE_IP and $LOCAL_IP
• In case of redundant connections between R1 and R2, it's better to use loopbacks and update-source.

! On Cisco IOS, IOS-XE
! Configuration
router bgp $MY_AS
 neighbor $REMOTE_IP update-source {$LOCAL_INT|$LOCAL_IP}

! Verification
!! Should be established
show ip bgp summary
show ip bgp neighbor $REMOTE_IP | include BGP state
show ip bgp neighbor $REMOTE_IP configuration

• Template

! On Cisco IOS, IOS-XE
! Lo1-R1-R2-Lo2
R1#
router bgp $MY_AS
 neighbor $Lo2_IP remote-as $MY_AS
 neighbor $Lo2_IP update-source $Lo1_IP

R2#
router bgp $MY_AS
 neighbor $Lo1_IP remote-as $MY_AS
 neighbor $Lo1_IP update-source $Lo2_IP

bgp router-id

• To configure the BGP RID
• On Cisco IOS, by default (without this command) the highest IP address is picked as RID
• On Cisco IOS-XR, this command is mandatory
• $RID must be different from its neighbor's
• The $RID address need not exist anywhere (i.e. on an interface/lo)
• Note: $RID is different from the peering IP address (shown as $REMOTE_IP in previous configurations)
  ♦ That is because $REMOTE_IP requires TCP connectivity, $RID doesn't


! On Cisco IOS, IOS-XE
! Configuration
router bgp $MY_AS
 bgp router-id $RID

! Verification
show bgp | include local router ID

neighbor next-hop-self

• Configuration useful primarily to change the next-hop of any learned eBGP routes to itself
• BGP#Rule of next-hop in BGP
• This command is only configured against iBGP neighbors, not eBGP (because it is not required due to the rule)
• Please note that this command will change the next-hop for only eBGP routes. If you wish to change the next-hop for iBGP routes (which can only happen if a Route Reflector is running), you will need to use #Workaround for next-hop-self on route reflector
  ♦ BGP/Labs/Lab5#Goal4

Configuration and verification:

! On Cisco IOS, IOS-XE
! Configuration
! Network: Nw1-R1-(R2-R3), with R2 and R3 in one AS and R1 in another
R2#
router bgp $AS23
 neighbor $R3 remote-as $AS23
 neighbor $R3 next-hop-self

! Verification
!! Once configured, R2 will start sending eBGP routes
!! to R3 with next-hop as R2's peer IP address
!! See that the next-hop must be R2's IP address, not R1's
R3# show ip bgp Nw1

Workaround for next-hop-self on route reflector

IOS

• #Ref1
• Consider BGP -> Lab5 -> Goal4

! On Cisco IOS, IOS-XE
! Network: Nw1-R1-RR-R2, with all in one AS
RR#show run | s route-map
router bgp $AS12
 ! For any eBGP learned routes
 neighbor $R2 next-hop-self
 ! For any iBGP RR learned routes
 neighbor $R2 route-map force-next-hop-self out
route-map force-next-hop-self permit 10
 match ip address ibgp-route


 set ip next-hop $RR_LOCAL_PEER_ADDRESS
route-map force-next-hop-self permit 20
 ! permit rest
R3#show run | s access-list
ip access-list extended ibgp-route
 permit ip $Nw1 any log
R3#

IOS-XR

Similar to IOS, but here you need an additional command of #ibgp policy out enforce-modifications

ASBR as RR Case

• NOTE: ASBR and PE terms are used in MPLS/L3VPN/Config
• It is important to remember that whenever an ASBR (a router which has iBGP connections in its local AS and a directly connected eBGP connection to remote peers) is configured as RR (Route Reflector) in its local AS, the ASBR must use next-hop-self against its iBGP peers in order to change the NH (next-hop) for eBGP routes from the directly connected link to its loopback0 (generally PEs in an AS will not have IP connectivity to the directly connected link of the ASBR but will have IP connectivity with the ASBR's lo0)

! (PE1-ASBR1)-(ASBR2-PE2)
! PE1-ASBR1 are in AS 11 and ASBR2-PE2 are in AS 12
! PE1-ASBR1 have iBGP connection over lo0
! PE2-ASBR2 have iBGP connection over lo0
! ASBR1-ASBR2 have eBGP directly connected session

! In the above case, ASBR must use neighbor $PE1_lo0 next-hop-self

! ASBR1
conf t
router bgp 11
 neighbor $PE1_lo0 remote-as 11
 neighbor $PE1_lo0 update-source lo0
 neighbor $PE1_lo0 route-reflector-client
 neighbor $PE1_lo0 next-hop-self ! THIS IS REQUIRED FOR CHANGING NH of EBGP ROUTES LEARNT FROM ASBR2
 neighbor $ASBR1_ASBR2_LAN remote-as 12
end

neighbor next-hop-unchanged

• Used on eBGP multihop neighbors to advertise routes without changing the next-hop
• By default, i.e. without this command, eBGP neighbors will always change the next-hop to itself
• MPLS/L3VPN/Config#Usecase Multihop EBGP VPNv4 where RR is not in the datapath
• Similarly on IOS-XR

router bgp $ASN
 neighbor $EBGP_MULTIHOP_PEER next-hop-unchanged


address-family

• BGP/MBGP/Config

ebgp-multihop

• This command sends outgoing BGP messages (to an eBGP neighbor) with the specified $TTL_VAL
• The configuration must be on both sides. However, the TTL value can vary, but must be at least the real hop distance value
• Also, the command neighbor $NEIGHBOR ebgp-multihop 1 is the same as no neighbor $NEIGHBOR ebgp-multihop 1, because if ebgp-multihop is not configured, then it is considered as a maximum hop count of 1.
• The multi-hop allows eBGP neighbors to have a TTL value greater than 1, i.e. use loopbacks (therefore using update-source) instead of directly connected interfaces
• With the default neighbor configuration (without any multihop), the eBGP neighborship will fail if the IP TTL (time to live) exceeds 1 between the TCP connection IP addresses.
• $TTL_VAL is how many hops away, at most, your neighbor (having REMOTE_IP) is
• NOTE: When the IP addresses of loopback interfaces are used instead of the outgoing interface for the eBGP neighbor setup, then multi-hop is necessary

! On Cisco IOS, IOS-XE
! Similar Configuration on $REMOTE_PEER too
router bgp $MY_AS
 neighbor $REMOTE_PEER remote-as $REMOTE_AS
 neighbor $REMOTE_PEER ebgp-multihop $TTL_VAL

! On the router you configured ebgp-multihop $TTL_VAL
R# show ip bgp neighbors $REMOTE_PEER | i TTL
Connection is ECN Disabled, Mininum incoming TTL 0, Outgoing TTL $TTL_VAL
!
R#show ip bgp neighbors | i hop
 External BGP neighbor may be up to $TTL_VAL hops away.
R#

ebgp-multihop Cases

! On Cisco IOS, IOS-XE
router bgp $ASN
! neighbor $REMOTE_IP ebgp-multihop 1 == no neighbor $REMOTE_IP ebgp-multihop
! neighbor $REMOTE_IP ebgp-multihop == neighbor $REMOTE_IP ebgp-multihop 255

ebgp-multihop vs ttl-security

With ebgp-multihop configuration

• Note that the incoming TTL 0 always remains 0 irrespective of the other side's configuration.
• This means that BGP session-forming packets need to have a minimum TTL of 0
• This allows a DoS attack; the fix is to use ttl-security (#ttl-security vs ebgp-multihop)


ttl-security

• This command makes sure that incoming BGP messages (from an eBGP neighbor) have a minimum $TTL_VAL
• TTL Security is a BGP configuration that is used primarily by eBGP peers (not iBGP) to avoid an incoming DoS attack
• On Cisco IOS, ttl-security hops $HOPS
  ♦ Minimum $TTL_VAL = 255 - $HOPS
• On Cisco IOS-XR, ttl-security {disable}
• ttl-security and ebgp-multihop are mutually exclusive, i.e. both cannot be configured for the same peer
• Must be configured on both sides
  ♦ This configuration changes the outgoing TTL_VAL to 255 and the minimum required incoming TTL to 255-$HOPS

! On Cisco IOS, IOS-XE
! Similar Configuration on $REMOTE_PEER too
router bgp $MY_AS
 neighbor $REMOTE_PEER remote-as $REMOTE_AS
 neighbor $REMOTE_PEER ttl-security hops $HOPS

! On the router you configured ttl-security hops $HOPS
R# show ip bgp neighbors $REMOTE_PEER | i TTL
! $MIN_TTL = 255 - $HOPS
Connection is ECN Disabled, Mininum incoming TTL $MIN_TTL, Outgoing TTL 255

Working of ttl-security and ebgp-multihop

• In terms of TTL by default (i.e. without ttl-security or ebgp-multihop), a BGP peer sends BGP packets (for setting up the eBGP peering session) to the external peer "with a TTL of 1 and accepts packets from external neighbors with a TTL of 0 or higher (as measured after the local router has decremented the TTL of the incoming packet)" #Ref10
  ♦ This restricts eBGP sessions to directly connected peers by default
  ♦ This also makes the router vulnerable to an incoming eBGP peering session DoS attack that increases the CPU load of the router and forces it to crash
• With ebgp-multihop $TTL_VAL configured, a BGP peer sends BGP packets to the external peer with a TTL of $TTL_VAL and always accepts packets from external neighbors with a minimum TTL of 0 (as shown by "show ip bgp neighbor | include TTL")
  ♦ So, this means that an attacker can easily launch a DoS attack on the BGP peering, because all packets are accepted (irrespective of TTL, and any packet has a TTL of at least 0)
• With ttl-security $HOPS configured, a BGP peer sends BGP packets to the external peer with a TTL of 255 and accepts packets from external neighbors with a TTL of 255-$HOPS or higher "(as measured after the local router has decremented the TTL of the incoming packet)" #Ref10
  ♦ If the above condition is not met (i.e. the TTL is less), then the packet is dropped and ignored (i.e. no ICMP message is sent)


  ♦ Because of the higher limit put on the TTL, not just any packet will be allowed for peering with BGP; only those that meet the above requirement.

ttl-security vs ebgp-multihop

• The end result of eBGP multi-hop and TTL security is the same, i.e. allow not-directly-connected peers to have an eBGP session
• eBGP multi-hop has a security hole, as it does not block DoS attacks. That's why ttl-security was introduced, in order to block DoS attacks
• ttl-security and ebgp-multihop are mutually exclusive, i.e. both cannot be configured for the same peer

What happens when multi-hop and ttl-security are configured on the other ends

• It works only if the TTL conditions are met on both sides. Look into BGP -> Lab7
• Optionally, if the TTL conditions are not met, you can always use disable-connected-check

Network:

R1-R2-R3, eBGP b/w R1 and R3

eBGP session is Established if:

• R1 is configured with ebgp-multihop 255 and R3 is configured with ttl-security 2, because R3 will then accept BGP messages with a min TTL of 255-2=253, which perfectly matches what R1 is sending (i.e. by the time R1's messages reach R3, TTL=253).

eBGP session is Not Established if:

• R1 is configured with ebgp-multihop 255 and R3 is configured with ttl-security 1, because R3 will then accept BGP messages with a min TTL of 255-1=254, which does not match what R1 is sending (i.e. by the time R1's messages reach R3, TTL=253)
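The two cases above, and the far-away-packet case that is the reason ttl-security exists, can be checked without a lab by writing the TTL rules quoted from #Ref10 as a small model. Added Python example, not from the page; it assumes every router on the path, the receiving peer included, decrements the TTL exactly once and nothing else rewrites it.

```python
"""Model of the eBGP TTL checks described above (default, ebgp-multihop,
ttl-security). Constructed example, not code from the page.

Rules taken from the text: by default a peer sends with TTL 1 and accepts
TTL >= 0; with ebgp-multihop N it sends TTL N (255 when N is omitted) and
still accepts TTL >= 0; with ttl-security hops H it sends TTL 255 and
accepts only TTL >= 255 - H. TTL is "as measured after the local router
has decremented" it, so a packet crossing `hops` routers (receiver
included) arrives with sent_ttl - hops. Assumption: nothing else on the
path rewrites the TTL.
"""
from typing import Optional, Tuple

# A peer's TTL-related BGP configuration as (mode, value):
#   ("default", None), ("ebgp-multihop", N or None), ("ttl-security", H)
PeerCfg = Tuple[str, Optional[int]]


def sent_ttl(cfg: PeerCfg) -> int:
    """TTL the peer puts on the BGP packets it sends."""
    mode, value = cfg
    if mode == "default":
        return 1
    if mode == "ebgp-multihop":
        return 255 if value is None else value   # bare ebgp-multihop == 255
    if mode == "ttl-security":
        return 255
    raise ValueError(f"unknown mode {mode!r}")


def min_accepted_ttl(cfg: PeerCfg) -> int:
    """Minimum TTL (after the local decrement) the receiver insists on."""
    mode, value = cfg
    if mode == "ttl-security":
        if value is None or not 1 <= value <= 254:
            raise ValueError("ttl-security hops must be 1..254")
        return 255 - value
    return 0          # default and ebgp-multihop accept any TTL, even 0


def accepts(receiver: PeerCfg, arriving_ttl: int) -> bool:
    """Would the receiver accept a BGP packet whose TTL, after its own
    decrement, is arriving_ttl? A negative value means the packet expired
    in transit and never arrived."""
    return arriving_ttl >= 0 and arriving_ttl >= min_accepted_ttl(receiver)


def session_established(a: PeerCfg, b: PeerCfg, hops: int) -> bool:
    """True when the TTL check passes in both directions. `hops` is the
    number of routers that decrement the TTL between the peers, the
    receiving peer included (directly connected peers: hops=1)."""
    return accepts(b, sent_ttl(a) - hops) and accepts(a, sent_ttl(b) - hops)


if __name__ == "__main__":
    # The R1-R2-R3 cases from the text: R1 and R3 are two decrements apart.
    r1 = ("ebgp-multihop", 255)
    for hops_cfg in (2, 1):
        print(f"R3 ttl-security {hops_cfg}:",
              session_established(r1, ("ttl-security", hops_cfg), hops=2))
    # Why ttl-security matters: a packet from 5 routers away sent with TTL 255.
    far_away = 255 - 5
    print("ebgp-multihop accepts it:", accepts(("ebgp-multihop", 255), far_away))
    print("ttl-security 2 accepts it:", accepts(("ttl-security", 2), far_away))
```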

Configuring Route Filtering

• This command applies a route-map (or RPL) to a BGP peer in order to modify or permit/deny specific BGP updates incoming from/outgoing to the peer
• If you notice, the major difference compared to EIGRP is that BGP route filtering works only with neighbor-specific traffic, not entire outbound or inbound traffic.
• Use "clear ip bgp" for the configuration to take effect
• Used in #Path Attributes
• Order (higher 1st) of preference of policy applied on BGP inbound:
  ♦ route-policy, filter-list, prefix-list, distribute-list


IOS

neighbor route-map

• This command is used for modifying, along with permitting/denying, specific BGP updates from a neighbor

router bgp $MY_AS
 neighbor $REMOTE_IP route-map $ROUTE_MAP {in|out}

neighbor distribute-list

• This command is only used for permitting/denying specific BGP updates from a neighbor
• Match prefix with length

router bgp $MY_AS
 neighbor $REMOTE_IP distribute-list {$ACCESS_LIST|$PREFIX|$ROUTE_MAP} {in|out}

neighbor prefix-list

• This command is only used for permitting/denying specific BGP updates from a neighbor
• Match prefix with length

router bgp $MY_AS
 neighbor $REMOTE_IP prefix-list $PREFIX_LIST {in|out}

neighbor filter-list

• This command is only used for permitting/denying specific BGP updates from a neighbor
• Match AS_PATH or prefix

router bgp $MY_AS
 neighbor $REMOTE_IP filter-list $LIST {in|out}

IOS-XR

neighbor route-policy

• Similar to #neighbor route-map in IOS

router bgp $MY_AS
 neighbor $REMOTE_IP
  address-family {ipv4|ipv6} {unicast|multicast}
   route-policy $RPL {in|out}

clear ip bgp

• After configuring any BGP filtering, IOS will not take the new configuration into effect until neighbor relationships are cleared or new update messages are sent. These can be manually triggered by the clear command.
• Hard reset clears the TCP connection, breaks down the neighbor relationship and then reconnects the TCP and neighbor relationship. This is equal to "neighbor shutdown, no neighbor shutdown"

• Soft reset does not break down the neighbor relationship. It only resends the Update messages, which are then filtered by any new filters.
• In means incoming update messages
• Out means outgoing update messages

Command                            Hard or Soft   One or All Neighbors   Direction
clear ip bgp *                     Hard           all                    both
clear ip bgp neighbor-id           Hard           one                    both
clear ip bgp neighbor-id out       Soft           one                    out
clear ip bgp neighbor-id soft out  Soft           one                    out
clear ip bgp neighbor-id in        Soft           one                    in
clear ip bgp neighbor-id soft in   Soft           one                    in
clear ip bgp * soft                Soft           all                    both
clear ip bgp neighbor-id soft      Soft           one                    both
#Ref2

Advertising BGP Routes

• The goal is to inject public IP-addressed prefixes into the BGP table so that the BGP router can advertise these routes to its neighbors. This happens in two ways:
  ♦ Network Command (#network)
  ♦ Redistribute Command (#redistribute)

network

• $PREFIX
  ♦ is the network number
  ♦ This network command is different from the OSPF and EIGRP commands in that here in BGP, the $PREFIX must already be present in the IGP IP routing table, and only then will BGP advertise the route to its neighbor
• mask $MASK
  ♦ is the network mask, which is optional.
  ♦ By default (i.e. if mask $MASK is not configured), then, irrespective of auto-summary, the router will use classful subnetting
• Make sure that $PREFIX $MASK exactly matches a local route in the IP routing table for the local router to advertise the route
• In other words, "Look for a route in the router's current IP routing table that exactly matches the parameters of the network command; if a route for that exact prefix/length exists, put the equivalent prefix/length into the local BGP table" #Ref2

network command in IGP vs BGP

If you look up the network command in OSPF and EIGRP, it is primarily used for enabling interfaces in that network (along with advertising the same network). However, BGP solely uses the network command to advertise the network to its BGP neighbors.

IOS

! Configuring
! On Cisco IOS, IOS-XE
router bgp $MY_AS
 network $PREFIX {mask $MASK|backdoor|nlri|route-map} ! or under address-family

! Verification
show ip bgp neighbor $REMOTE_IP advertised-routes
! Best way is to check the routing table of remote neighbors

IOS-XR

Use network under BGP/MBGP/Config#router address-family on IOS-XR

! Configuring
! On Cisco IOS-XR
router bgp $MY_AS
 address-family $FAMILY
  network $PREFIX/$MASK {backdoor|route-policy}

! Verification
show bgp neighbors $REMOTE_IP advertised-routes
! Best way is to check the routing table of remote neighbors

Cases

network without mask

! Irrespective of auto-summary
! Network 1.0.0.0 is advertised
R1#
int lo0
 ip add 1.0.0.0 255.0.0.0
!
router bgp 1
 network 1.0.0.0

! Network 1.0.0.1 is NOT advertised,
! because not classful
R1#
int lo0
 ip add 1.0.0.1 255.255.255.255
!
router bgp 1
 network 1.0.0.1

! Network 172.20.0.0 is advertised
R1#
int lo0
 ip add 172.20.0.0 255.255.0.0
!
router bgp 1
 network 172.20.0.0

! Network 172.20.0.0 is NOT advertised,
! because /16 not found in routing table
R1#
int lo0
 ip add 172.20.0.0 255.0.0.0
!
router bgp 1
 network 172.20.0.0

network route-map

Since you are using a route-map, make sure to do "clear ip route" and make sure that a route-map exists for the network to be advertised accordingly

• BGP -> Lab 14 -> Goal1

network nlri

TODO

network backdoor

TODO

redistribute

• Look into redistribution for basic redistribution. BGP is nothing special.
• Redistributed routes do change the ORIGIN Path Attribute to INCOMPLETE
• Look into Redistribution -> Lab5

IOS

! On Cisco IOS, IOS-XE
router bgp $MY_AS
 redistribute $BASIC_REDISTRIBUTION ! or under address-family

IOS-XR

Use redistribute under BGP/MBGP/Config#router address-family on IOS-XR

! Configuring
! On Cisco IOS-XR
router bgp $MY_AS
 address-family $FAMILY
  redistribute $BASIC_REDISTRIBUTION

Redistributing OSPF into BGP

• The default command redistribute OSPF $PID will only be redistributing OSPF internal routes, meaning with the default match="internal"
• With match="external", it defaults to all type 1 and type 2.

! On Cisco IOS, IOS-XE
router bgp $MY_AS
 address-family ipv4 unicast
  redistribute OSPF $PID {match external|internal}

Summarizing BGP Routes

IGP Summarization with BGP network command

! On Cisco IOS, IOS-XE
router eigrp 1
 network $SUMMARIZED_PREFIX $SUMMARIZED_MASK
 auto-summary
!
router bgp $MY_AS
 address-family ipv4 unicast
  network $SUMMARIZED_PREFIX mask $SUMMARIZED_MASK

Static Null0

• BGP#Static Null0

aggregate-address

TODO LAB:

• http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094826.shtml#aggregatingwiththeassetargument
• Test each scenario
• Test if IGP routes or only BGP routes are used as summarizing routes
• Test what happens in case of:
  ♦ advertise-map with/without summary-only

• Use it under BGP/MBGP/Config#router address-family on IOS-XR
• Requirements:
  ♦ Depending on the options used, $PREFIX/$MASK must be present exactly, or its specific routes must be present, in the local IP routing table
  ♦ Must be configured on the aggregating router only


• NOTE: If specific routes have been leaked from some other routers, those specific routes will be preferred over the aggregated routes
• Arguments:
  ♦ Default (i.e. without any options)
    ◊ will advertise the aggregate (along with specific) route with #ATOMIC_AGGREGATE and #AGGREGATOR
    ◊ Requires specific routes that fall under $PREFIX/$MASK to be present in the local IP routing table
  ♦ summary-only
    ◊ will advertise the aggregate (without specific) route with #ATOMIC_AGGREGATE and #AGGREGATOR
    ◊ Requires $PREFIX/$MASK to be exactly present in the local IP routing table
  ♦ as-set
    ◊ will advertise the route with #AS_SET
  ♦ suppress-map
    ◊ will suppress and not advertise matched specific routes
    ◊ therefore, will advertise the aggregate along with non-suppressed specific routes
    ◊ "When you use the suppress-map configuration command along with the summary-only configuration command, the summary-only configuration command does not have any effect."
  ♦ advertise-map
    ◊ will advertise an aggregate that is built using matched specific routes
    ◊ NOTE: Those specific routes that are not matched are advertised normally as BGP routes (i.e. without any #ATOMIC_AGGREGATE/#AGGREGATOR attributes)
    ◊ "In general, when you use advertise-map, only the advertise-map influences the aggregate. In the absence of advertise-map, the aggregate inherits the attributes of the more-specific routes, both suppressed and unsuppressed. In both the cases, you can use the attribute-map configuration command to override the chosen attributes"
  ♦ attribute-map
    ◊ used for changing the attributes of the aggregated route (e.g. community attribute)
    ◊ Without this option, all the attributes of the specific routes are inherited by the aggregate route
    ◊ "This option overrides attributes that are chosen with advertise-map"
• NOTE: When using #bgp confederation identifier, aggregate-address as-set within the confederation generates #AS_CONFED_SET

! On Cisco IOS, IOS-XE
router bgp $MY_AS
 aggregate-address $PREFIX $MASK {as-set | summary-only | suppress-map $SUP_MAP | advertise-map $ADV_MAP | attribute-map $ATTR_MAP}

! Verification
show ip bgp $ROUTE


aggregate-address cases

! Nw1-R1-R2-R3-Nw3, eBGP setup, Summarize at R2
R2#
! Nw2 = Nw1 + Nw3

! Advertises Nw2, with Nw1 and Nw3 (without AS_SET)
router bgp 2
 aggregate-address Nw2

! Advertises Nw2 (without AS_SET)
ip route Nw2 ! Summarizing route
router bgp 2
 aggregate-address Nw2 summary-only

! Advertises Nw2 (with AS_SET)
ip route Nw2 ! Summarizing route
router bgp 2
 aggregate-address Nw2 as-set summary-only

! Advertises Nw2 and suppresses Nw1 and Nw3 (with AS_SET)
router bgp 2
 aggregate-address Nw2 as-set suppress-map SUPP_MAP
access-list 1 permit Nw1
access-list 1 permit Nw3
route-map SUPP_MAP permit 5
 match ip address 1

! Aggregate Nw1 only with advertise-map, i.e. Nw2=Nw1 (without AS_SET)
router bgp 2
 aggregate-address Nw2 advertise-map ADV_MAP
access-list 1 permit Nw1
ip as-path access-list 1 deny ^2_
ip as-path access-list 1 permit .*
route-map ADV_MAP permit 5
 match as-path 1

auto-summary

• Only on IOS, IOS-XE. Not available on IOS-XR
• This enables auto-summary. Similar to IGP auto-summary, "When auto-summary is enabled, it summarizes the locally originated BGP networks to their classful boundaries" #Ref15
• We know that by default (with or without auto-summary), the prefix in the network command has to exactly match a route in the IP routing table for the BGP router to advertise the prefix. However, with auto-summary enabled, the prefix in the network command can match subset routes of the classful network of the prefix found in the IP routing table.
• Therefore, the following conditions must be met for the router to advertise the summarized route:
  ♦ network $PREFIX mask $MASK, where $MASK must be classful, matching the prefix's class (i.e. 172.20.0.0 mask 255.255.0.0 and not 172.20.0.0 mask 255.255.255.0)
  ♦ auto-summary
  ♦ At least one local IGP route must be a subset of $PREFIX/$MASK
• Depending on the IOS version, the latest ones have it disabled


! On Cisco IOS, IOS-XE
router bgp $MY_AS
 auto-summary
 network $SUMMARIZED_PREFIX mask $CLASSFUL_MASK
!
! Subset IGP route
int lo0
 ip add $SPECIFIC_PREFIX $SPECIFIC_MASK

auto-summary cases

int lo0
 ip add 9.0.0.1 255.255.255.0
!

! With no auto-summary
! 9.0.0.0/24 is NOT advertised
! because 9.0.0.0/24 exactly needs to be in IGP
router bgp 1
 network 9.0.0.0
 no auto-summary

! With auto-summary
! 9.0.0.0/8 is advertised
! because 9.0.0.0/24 belongs in existing /8 route
router bgp 1
 network 9.0.0.0
 auto-summary
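The network-without-mask cases and the auto-summary cases above follow one matching rule, which this added Python example (not code from the page) implements and checks against the page's cases. The routing-table contents are constructed from the "int lo0 / ip add" lines shown, and the classful lengths are the standard class A/B/C ones.

```python
"""Model of the IOS "network" command matching rules described above.

Constructed example, not code from the page. Rules implemented:
  * without "mask", the prefix is taken at its classful length
    (class A /8, B /16, C /24);
  * the resulting prefix/length must exist exactly in the IP routing table;
  * with auto-summary, a classful "network" also matches when the routing
    table only holds more-specific routes inside that classful network,
    and the classful summary is what gets advertised.
Assumption: the routing table (RIB) is a list of "a.b.c.d/len" strings.
"""
import ipaddress
from typing import Iterable, Optional


def classful_prefixlen(address: str) -> Optional[int]:
    """Classful mask length for an IPv4 address (None for class D/E)."""
    first_octet = int(ipaddress.IPv4Address(address)) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    return None


def network_cmd_advertises(prefix: str, mask: Optional[str], rib: Iterable[str],
                           auto_summary: bool = False) -> Optional[str]:
    """Return the prefix BGP installs for "network PREFIX [mask MASK]",
    or None when no route in the RIB satisfies the command."""
    routes = [ipaddress.ip_network(r) for r in rib]
    classful_len = classful_prefixlen(prefix)
    if classful_len is None:
        return None
    if mask is None:
        plen = classful_len
    else:
        plen = ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen
    # "network 1.0.0.1" without a mask is looked up as 1.0.0.0/8, hence strict=False
    wanted = ipaddress.ip_network(f"{prefix}/{plen}", strict=False)
    if wanted in routes:                       # exact prefix/length match
        return str(wanted)
    classful = ipaddress.ip_network(f"{prefix}/{classful_len}", strict=False)
    if auto_summary and wanted == classful and any(r.subnet_of(wanted) for r in routes):
        return str(wanted)                     # summarised to the classful boundary
    return None


# RIB contents constructed from the "int lo0 / ip add" lines in the cases above.
CASES = [
    # (network, mask, rib, auto_summary, expected)
    ("1.0.0.0", None, ["1.0.0.0/8"], False, "1.0.0.0/8"),
    ("1.0.0.1", None, ["1.0.0.1/32"], False, None),         # not classful
    ("172.20.0.0", None, ["172.20.0.0/16"], False, "172.20.0.0/16"),
    ("172.20.0.0", None, ["172.0.0.0/8"], False, None),     # /16 not in RIB
    ("9.0.0.0", None, ["9.0.0.0/24"], False, None),         # no auto-summary
    ("9.0.0.0", None, ["9.0.0.0/24"], True, "9.0.0.0/8"),   # auto-summary
    ("9.0.0.0", "255.255.255.0", ["9.0.0.0/24"], False, "9.0.0.0/24"),
]


def check_cases() -> bool:
    """True when every case from the text behaves as the page states."""
    return all(network_cmd_advertises(p, m, rib, a) == want
               for p, m, rib, a, want in CASES)


if __name__ == "__main__":
    for p, m, rib, a, want in CASES:
        got = network_cmd_advertises(p, m, rib, a)
        print(f"network {p}{' mask ' + m if m else ''} auto-summary={a}: {got} (expected {want})")
```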

bgp redistribute-internal

• Redistribute iBGP routes into IGP
• This command is used with redistribute bgp under IGP routing
• By default (i.e. without this bgp redistribute-internal and with only redistribute bgp under IGP routing), only eBGP routes will be redistributed into the IGP. This is because iBGP routes can cause a routing loop
• Look into Redistribution -> Lab5
• Care must be taken here to not flood the IGP routers, as it might cause a routing loop. Use a route-map to filter

! On Cisco IOS, IOS-XE
router bgp $MY_AS
 bgp redistribute-internal

router $IGP
 redistribute bgp $MY_AS

disable-connected-check

• In order to skip the #ebgp-multihop configuration in the situation of an eBGP setup over loopbacks, use this command
• Only on IOS, IOS-XE. Not available on IOS-XR
• Only works with an ebgp-multihop connection between two routers that are directly connected but using loopback interfaces
• Does not work with ttl-security
• Does not work if routers are not directly connected.
• #Ref14
• BGP -> Lab7 -> Goal5

! On Cisco IOS, IOS-XE
! Configure on both sides, exactly the same way
! Note the command ebgp-multihop 1 is not shown because that's the default
router bgp $ASN
 neighbor $REMOTE_IP remote-as $REMOTE_AS
 neighbor $REMOTE_IP disable-connected-check
 neighbor $REMOTE_IP update-source $INT

maximum-prefix

To limit the maximum number of prefixes the local router accepts (receives) from $REMOTE_PEER

• For IOS-XR, use maximum-prefix under BGP/MBGP/Config#neighbor address-family
• By default, i.e. without this command, BGP does not limit the number of prefixes
• Requirements:
  ♦ Only needs to be configured on the local router
• In case the BGP session is dropped due to max prefix and needs to be brought back, you will need to do "clear ip bgp" to bring the BGP session up if restart isn't configured. If "restart" is configured, then the BGP session restarts after the given interval

IOS

Arguments:
  ♦ $MAX
    ◊ Max. no. of prefixes allowed from the neighbor. Once reached, the BGP session is dropped (or a warning message is seen)
  ♦ $THRESHOLD
    ◊ If not configured, defaults to 75
    ◊ At $THRESHOLD percent of $MAX, warning messages are generated
  ♦ warning-only
    ◊ If not configured, at $MAX (or at $THRESHOLD if configured) the BGP session is dropped
    ◊ If configured, at $MAX a warning message is seen (different from the one seen when $THRESHOLD is met)
  ♦ restart $RESTART_SEC
    ◊ If not configured, the BGP session stays dropped
    ◊ If configured, the BGP session is restarted $RESTART_SEC seconds after the time when the BGP session was dropped (due to $MAX being hit)

! On Cisco IOS, IOS-XE
router bgp $ASN
 neighbor $REMOTE_PEER remote-as $REMOTE_AS
 neighbor $REMOTE_PEER maximum-prefix $MAX {$THRESHOLD} {restart $RESTART_SEC} {warning-only}


! Verify
show ip bgp neighbor $REMOTE_PEER | i accepted prefixes
show ip bgp neighbor $REMOTE_PEER | i warning message
show ip bgp summary | i PfxRcd       ! Prefixes received
debug ip bgp updates in

! If the BGP session was dropped, then you see this
show ip bgp summary | i Idle (PfxCt)

! Examples:
router bgp $ASN
 ! local router will log a syslog message when
 ! 90% of 1000 prefixes are received from $REMOTE_PEER
 ! and drop the $REMOTE_PEER peering once 1000 is exceeded
 neighbor $REMOTE_PEER maximum-prefix 1000 90

 ! local router will only log syslog messages (at 90% and at 1000)
 ! and never drop the $REMOTE_PEER peering
 neighbor $REMOTE_PEER maximum-prefix 1000 90 warning-only

 ! local router will log a syslog message at 90% of 1000 prefixes,
 ! drop the $REMOTE_PEER peering once 1000 is exceeded,
 ! and re-establish the session after 10 seconds
 neighbor $REMOTE_PEER maximum-prefix 1000 90 restart 10

IOS-XR

• Similar to IOS

! On IOS-XR
router bgp $ASN
 neighbor $REMOTE_PEER
  address-family $FAMILY
   maximum-prefix $MAX {$THRESHOLD} {warning-only} {restart $RESTART_SEC}
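To make the interaction of $MAX, $THRESHOLD, warning-only and restart concrete, here is an added Python model of the maximum-prefix decision (example code, not from the notes and not Cisco's implementation). It treats the threshold as a percentage of $MAX that only logs, and the session as dropped once the accepted-prefix count exceeds $MAX; the exact boundary (reached vs. exceeded) and the 75 % default are taken from the page, so verify them on your platform. The `MaxPrefixPolicy` and `simulate_session` names and the sample counts are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class MaxPrefixPolicy:
    """Mirrors 'neighbor X maximum-prefix $MAX [$THRESHOLD] [restart $SEC] [warning-only]'."""
    maximum: int
    threshold: int = 75            # percent of maximum; default taken from the page
    warning_only: bool = False
    restart: Optional[int] = None  # seconds; None = session stays down until 'clear ip bgp'


def evaluate_prefix_count(policy, received):
    """Classify one sample of the accepted-prefix count for a neighbor.

    Returns one of 'ok', 'warn-threshold', 'warn-exceeded', 'drop', 'drop-restart'."""
    if received > policy.maximum:
        if policy.warning_only:
            return "warn-exceeded"          # log only, peering kept
        return "drop-restart" if policy.restart else "drop"
    if received * 100 >= policy.maximum * policy.threshold:
        return "warn-threshold"             # threshold reached: log only
    return "ok"


def simulate_session(policy, samples):
    """Run successive accepted-prefix counts through the policy and record what the
    local router would do. Once dropped without 'restart', the session stays down
    until the operator clears it; with 'restart' it comes back after the interval,
    so the next sample is evaluated again."""
    events = []
    down = False
    for count in samples:
        if down:
            events.append("down-until-cleared")
            continue
        action = evaluate_prefix_count(policy, count)
        events.append(action)
        if action == "drop":
            down = True
    return events


if __name__ == "__main__":
    # Constructed sample: the neighbor ramps from 500 prefixes to 1001 and then
    # back to 10 after a clear-and-resync.
    counts = [500, 900, 1001, 10]
    print("plain:       ", simulate_session(MaxPrefixPolicy(1000, 90), counts))
    print("warning-only:", simulate_session(MaxPrefixPolicy(1000, 90, warning_only=True), counts))
    print("restart 10:  ", simulate_session(MaxPrefixPolicy(1000, 90, restart=10), counts))
```

The three runs correspond to the three IOS examples above: the plain form drops and stays down, warning-only never drops, and restart drops but is evaluated afresh once the peering is back.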

peer-group

• Only on IOS, IOS-XE. Use (#Configuration Grouping) on IOS-XR

Configuring

! On Cisco IOS, IOS-XE
router bgp $BGP
 ! Creating the peer group
 neighbor $GP_NAME peer-group

 ! Grouping peers into the group
 neighbor $PEER1_IP peer-group $GP_NAME
 neighbor $PEER2_IP peer-group $GP_NAME

 ! Apply common commands that apply to the entire group
 neighbor $GP_NAME $OPTIONS


 ! $OPTIONS can be route-reflector-client, route-map, etc.

Verifying

• A BGP peer group is a very neat way of applying the same set of BGP commands to several neighbors
• Use cases
  ♦ In the case of multiple BGP communities on a single route, the router can still set policies based on one or all BGP communities
  ♦ In the case of a BGP community with aggregated routes, "aggregate inherits all the COMMUNITY attributes of all the routes." #Ref3
  ♦ In the case of a route-map, all the routers in the group will use the same route-map
  ♦ In the case of a route-reflector

# On Cisco IOS, network R1-RR-R2
# , where RR is the Route Reflector server and R1, R2 are clients

# On RR
router bgp 100

 # Create a peer group called rr-client
 neighbor rr-client peer-group

 # Use the peer group to create a set of common commands
 # that you will later apply to peers R1 and R2
 neighbor rr-client remote-as 100
 neighbor rr-client route-reflector-client
 neighbor rr-client update-source lo0

 # Apply the peer group to the specific neighbors R1 and R2
 neighbor $R1_IP peer-group rr-client
 neighbor $R2_IP peer-group rr-client

# On R1 and R2,
# you don't need a peer group because there is nothing to group
router bgp 100
 neighbor $RR_IP remote-as 100
 neighbor $RR_IP update-source lo0

Limitations of Peer Group

• Only in IOS versions before 12.2
• Not required for CCIE

neighbor shutdown

• Useful in case you wish to reroute traffic over another neighbor

! Configuration
! On Cisco IOS, IOS-XE
router bgp $MY_AS
 neighbor $REMOTE_IP shutdown
! Shuts down the neighbor and takes it directly to the IDLE state


! Verification
show ip bgp neighbor $REMOTE_IP

neighbor soft-reconfiguration

• Use soft-reconfiguration under BGP/MBGP/Config#neighbor address-family on IOS-XR
• This command forces the router to store incoming BGP updates
• This command uses a lot of RAM to store the above info. Therefore it is not recommended in practical scenarios

NOTE: whichever router is given this command, the same router can do "show ip bgp neighbors $REMOTE_IP received-routes"

NOTE: This command shows all the BGP updates before applying any route-maps/filters on the local router. However, please note that these updates have already been filtered/route-mapped by the $REMOTE_IP neighbor

! Configuration
! On Cisco IOS, IOS-XE
R1#
router bgp $MY_AS
 neighbor $REMOTE_IP soft-reconfiguration inbound

R1# show ip bgp neighbors $REMOTE_IP received-routes

log-neighbor-changes

• Only on IOS, IOS-XE. Use #log neighbor changes on IOS-XR
• Logs messages on the console in case of a neighbor state change

! On Cisco IOS, IOS-XE
! Configuration
router bgp $MY_AS
 bgp log-neighbor-changes

! Verification
!! You will simply see log messages in case of a neighbor state change
show log | include BGP

Configuring Route Reflectors

• Only on IOS, IOS-XE
• For IOS-XR, use route-reflector-client under BGP/MBGP/Config#neighbor address-family
• Do not use Route Reflectors with #peer-group, because of #Limitations of Peer Group in the case where clients do not have a direct iBGP session between one another
• Requirements:
  ♦ RR and clients must have Basic BGP Peering Setup (only on iBGP peers)
  ♦ Needs only to be configured on the RR (BGP#Route Reflectors) pointing to neighbors
  ♦ Neighbors need not support route reflection


• For changing the BGP attributes of routes being reflected from the RR server to clients/non-clients, use #Workaround for next-hop-self on route reflector

route-reflector-client

! On Cisco IOS, IOS-XE
! Configuration
# Configuration on the Route Reflector Server
RR#
router bgp $MY_AS
 neighbor $CLIENT_NEIGHBOR_IP remote-as $MY_AS
 neighbor $CLIENT_NEIGHBOR_IP update-source $SERVER_NEIGHBOR_IP
 neighbor $CLIENT_NEIGHBOR_IP route-reflector-client
 ! The router RR will be the route reflector server, having the neighbor with
 ! $CLIENT_NEIGHBOR_IP as its client

# Standard configuration on the Route Reflector Client
RR_Client#
router bgp $MY_AS
 neighbor $SERVER_NEIGHBOR_IP remote-as $MY_AS
 neighbor $SERVER_NEIGHBOR_IP update-source $CLIENT_NEIGHBOR_IP

! Note: RR_Client does not need to support route reflector
! functionality, only RR does

! Verification
!! There is no verification on RR_Client
RR# show ip bgp neighbor $CLIENT_NEIGHBOR_IP | i Reflect

bgp client-to-client reflection

• BGP#Route Reflector In Fully Meshed Networks
• This configuration gets automatically enabled on the RR to reflect routes from clients to other clients
• Therefore, disable this command in case the clients are fully meshed
  ♦ It is generally used as "no bgp client-to-client reflection" on the RR
• Requirements:
  ♦ Must be configured on the RR (i.e. the router having #route-reflector-client)
    ◊ route-reflector-client automatically enables "bgp client-to-client reflection"

! On Cisco IOS, IOS-XE
! Configuration
# Configuration on the Route Reflector Server
RR#
router bgp $MY_AS
 neighbor $CLIENT_NEIGHBOR_IP remote-as $MY_AS
 neighbor $CLIENT_NEIGHBOR_IP update-source $SERVER_NEIGHBOR_IP
 neighbor $CLIENT_NEIGHBOR_IP route-reflector-client
 ! Automatically configured with bgp client-to-client reflection

A real use case in a fully meshed network is shown here:

C1-RR-C2 in a fully meshed network (i.e. C1-C2 have iBGP too)


! This disables route reflection of client routes to clients
! However, routes external to the cluster are still reflected,
! and routes from clients are still reflected to non-clients
RR#
router bgp $MY_AS
 neighbor $C1 remote-as $MY_AS
 neighbor $C2 remote-as $MY_AS
 neighbor $C1 update-source $SERVER_NEIGHBOR_IP
 neighbor $C2 update-source $SERVER_NEIGHBOR_IP
 neighbor $C1 route-reflector-client
 neighbor $C2 route-reflector-client
 no bgp client-to-client reflection

Configuring Cluster

bgp cluster-id

Used to change the Cluster ID for a BGP#Clusters

• Configured only on Route Reflectors (RR)
• If not configured, then the Cluster ID defaults to the RR's RID
• Must be configured to put multiple RRs in one cluster
  ♦ Must be configured on all RRs
• Example

! Configure
! On Cisco IOS, IOS-XE
RR#
router bgp
 bgp cluster-id $CLUSTER_LIST

! Verify
RR-Client#
show ip bgp $CLIENT_ROUTE | i Cluster list

Confederation

• BGP#Confederation
• Requirements:
  ♦ #bgp confederation identifier
  ♦ #bgp confederation peers
• Note: $SUB_ASN is usually a private ASN

(R1-R2)-(R3-R4)
! All are in AS 1
! R1-R2 are in BGP Confed ASN: 65012
! R3-R4 are in BGP Confed ASN: 65034

R1#  ! Similarly on R4: router bgp 65034
router bgp 65012
 bgp confederation peers 65034
 bgp confederation identifier 1
 neighbor $R2 remote-as 65012
 neighbor $R2 update-source lo0

R2#  ! Similarly on R3: router bgp 65034
router bgp 65012
 bgp confederation peers 65034
 bgp confederation identifier 1
 neighbor $R1 remote-as 65012
 neighbor $R1 update-source lo0
 neighbor $R3 remote-as 65034
 neighbor $R3 update-source lo0
 neighbor $R3 ebgp-multihop 255

bgp confederation identifier

Configures Confederation on the router

• $SUB_ASN is the ASN of the Sub-AS to which the local router belongs
• $CONFED_ID is the BGP Confederation ID, which is the real AS number seen by eBGP peers outside the confederation
• Must be configured on all the routers that are present in the confederation

! On IOS, IOS-XE
! Configure
router bgp $SUB_ASN
 bgp confederation identifier $CONFED_ID

! Verify

bgp confederation peers

This command tells the local router that $PEERS are the Sub-ASes directly connected to the local Sub-AS

"This command tells the BGP process that the EBGP connection is confederation EBGP rather than normal EBGP." #Ref1

• $SUB_ASN is the ASN of the Sub-AS to which the local router belongs
• $PEERS is a list of Sub-AS numbers to which the router is connected
• Must be configured ONLY on those routers that are running confederation eBGP
• NOTE: You don't have to include your own ASN in peers

! On IOS, IOS-XE
! Configure
router bgp $SUB_ASN
 bgp confederation peers $PEERS

! Example
 bgp confederation peers 65533 65535

! Verify


BGP Version Negotiation

• Only on IOS, IOS-XE. Not available on IOS-XR
• By default, during setup of a BGP neighbor session, the BGP version is exchanged and, if it doesn't match, the negotiation can lead to using the lower version
• In order to turn off the negotiation and use a fixed version number, do:

# On Cisco IOS
conf t
router bgp
 neighbor $NEIGHBOR version $VALUE

BGP Neighbor Communication via Default Route

As we already know, for a BGP peer session to establish there must be IP connectivity between the peer IP addresses. That IP connectivity can be achieved using static routes or a dynamic routing protocol.

• However, a default route cannot be used for setting up a BGP session
• But a default route can be used to maintain a session that was started via a static route or a dynamic routing protocol (and later removed)

Case: BGP with Default Route for Neighbor Setup

In short, a BGP peer passively accepts sessions when a default route is used for communication.

The following situation will force the peers to stay in the active state:

• A default route is configured on both peers and no static/dynamic routes. Therefore, both peers will wait passively for the other peer to start the session
• Both peers are at the IDLE state at the beginning
• In case one peer reaches the ESTABLISHED state (by temporarily adding a static route and then removing it) and the other peer is still ACTIVE, then both will reach the ESTABLISHED state. They will continue to be in the ESTABLISHED state even if the static route is removed, but the default route must remain

Case:

! Lo1-R1-R2-Lo2
R1#
router bgp $MY_AS
 neighbor $Lo2_IP remote-as $MY_AS
 neighbor $Lo2_IP update-source $Lo1_IP
! No other IGP
ip route 0.0.0.0 0.0.0.0 $INT_TO_R2

R2#
router bgp $MY_AS
 neighbor $Lo1_IP remote-as $MY_AS
 neighbor $Lo1_IP update-source $Lo2_IP
! No other IGP
ip route 0.0.0.0 0.0.0.0 $INT_TO_R1


! End result: the session was never established
! Fix: use an IGP or static route

maximum-paths

Configure the maximum number of load-balanced paths to a prefix that can go into the routing table #Ref5

• Default values:
  ♦ Depends on SW #Ref200
• Multi "paths are installed in the table together with the best path for load sharing. BGP Multipath does not affect bestpath selection. For example, a router still designates one of the paths as the best path, according to the algorithm, and advertises this best path to its neighbors"
• If $N = 1, then maximum-paths is disabled
• Arguments:
  ♦ import
    ◊ "The import keyword indicates how many routes can be imported from one VRF into another." #Ref1
• Where to configure this command?
  ♦ It is important to understand that this command affects only the local router, not the peer, so it must be configured on the router that has two BGP paths to a destination but initially prefers only one of them (before configuring this)
• Multicast/Labs/Lab9/Goals#Goal2

Multipath Candidates

"In order to be candidates for multipath, paths to the same destination need to have these characteristics equal to the best-path characteristics" #Ref203

  ♦ Weight
  ♦ LOCAL_PREF
  ♦ AS_PATH's length
  ♦ Origin
  ♦ MED

• For eBGP multipaths
  ♦ "The path should be learned from an external or confederation-external neighbor (eBGP)"
  ♦ "The IGP metric to the BGP next hop should be equal to the best-path IGP metric"
• For iBGP multipaths
  ♦ "The path should be learned from an internal neighbor"
  ♦ "The IGP metric to the BGP next hop should be equal to the best-path IGP metric, unless the router is configured for unequal-cost iBGP multipath"
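The candidate rules above are easy to get subtly wrong when reasoning about a "why is only one path installed?" case, so here is an added Python model of them (example code, not from the notes and not Cisco's selection code). `BgpPath`, the attribute names and the sample paths are constructed for the example; the rule set (equal weight, LOCAL_PREF, AS_PATH length, ORIGIN, MED; same neighbor kind; equal IGP metric unless unequal-cost iBGP) is the page's.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BgpPath:
    next_hop: str
    weight: int
    local_pref: int
    as_path_len: int
    origin: str          # 'igp', 'egp' or 'incomplete'
    med: int
    learned_from: str    # 'ebgp' (incl. confederation-external) or 'ibgp'
    igp_metric: int      # IGP metric to the BGP next hop


def multipath_candidates(best, paths, unequal_cost_ibgp=False):
    """Paths to the same destination that may be installed alongside 'best'
    for load sharing, per the page's candidate rules."""
    best_attrs = (best.weight, best.local_pref, best.as_path_len, best.origin, best.med)
    candidates = []
    for p in paths:
        if p is best:
            continue
        same_attrs = (p.weight, p.local_pref, p.as_path_len, p.origin, p.med) == best_attrs
        same_kind = p.learned_from == best.learned_from
        metric_ok = (p.igp_metric == best.igp_metric
                     or (best.learned_from == "ibgp" and unequal_cost_ibgp))
        if same_attrs and same_kind and metric_ok:
            candidates.append(p)
    return candidates


def installed_paths(best, paths, maximum_paths, unequal_cost_ibgp=False):
    """Best path plus up to (maximum-paths - 1) candidates; maximum-paths 1
    disables multipath, exactly as the page states."""
    if maximum_paths <= 1:
        return [best]
    extra = multipath_candidates(best, paths, unequal_cost_ibgp)
    return [best] + extra[:maximum_paths - 1]


# Constructed sample: four eBGP-looking paths plus one iBGP path to one prefix.
SAMPLE_BEST = BgpPath("10.0.0.1", 0, 100, 2, "igp", 0, "ebgp", 10)
SAMPLE_PATHS = [
    SAMPLE_BEST,
    BgpPath("10.0.0.2", 0, 100, 2, "igp", 0, "ebgp", 10),   # identical attrs -> candidate
    BgpPath("10.0.0.3", 0, 100, 3, "igp", 0, "ebgp", 10),   # longer AS_PATH -> not a candidate
    BgpPath("10.0.0.4", 0, 100, 2, "igp", 0, "ebgp", 20),   # worse IGP metric -> not a candidate
    BgpPath("10.0.0.5", 0, 100, 2, "igp", 0, "ibgp", 10),   # iBGP while best is eBGP -> no
]

# Constructed iBGP sample for the unequal-cost rule.
IBGP_BEST = BgpPath("10.1.0.1", 0, 100, 2, "igp", 0, "ibgp", 10)
IBGP_PATHS = [IBGP_BEST, BgpPath("10.1.0.2", 0, 100, 2, "igp", 0, "ibgp", 30)]


if __name__ == "__main__":
    print([p.next_hop for p in installed_paths(SAMPLE_BEST, SAMPLE_PATHS, 4)])
    print([p.next_hop for p in installed_paths(IBGP_BEST, IBGP_PATHS, 2, unequal_cost_ibgp=True)])
```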


IOS

• maximum-paths - for eBGP routes only
• maximum-paths ibgp - for iBGP routes only
• maximum-paths eibgp - for iBGP and eBGP routes
• maximum-paths eibgp = maximum-paths ibgp + maximum-paths. Therefore, cannot configure all together

! On IOS
Router#
router bgp $ASN
 address-family $FAMILY
  maximum-paths {ibgp $MAX | $MAX}

IOS-XR

• Compared to IOS, this command is more organized #Ref201

! On IOS-XR
Router#
router bgp $ASN
 address-family $FAMILY
  maximum-paths {ebgp | ibgp | eibgp} $MAX {unequal-cost}

neighbor allowas-in

Configuring this on a router basically makes it ignore the loop-prevention mechanism that uses BGP#AS_PATH for any incoming BGP updates

• Similarly on IOS-XR, under neighbor address-family
• This is primarily used as an alternative to #neighbor as-override in MPLS/L3VPN/Config#BGP as PE-CE

! On IOS
router bgp $ASN
 neighbor $REMOTE_IP allowas-in
!
! Verify
clear ip bgp *
debug ip bgp updates
!
! "DENIED" will be seen if allowas-in is not configured
! for any BGP update whose AS_PATH would create a loop

neighbor as-override

BGP/MBGP/Config#neighbor as-override

neighbor local-as

Configure the local router to use a different AS, $LOCAL_AS, to set up the BGP session with the neighbor instead of using the original AS (router bgp $MYASN)


• Similarly on IOS-XR
• By default, i.e. without this configuration, the local router will use $MYASN to set up the BGP session with the neighbor
• NOTE: This will impact the AS_PATH
• Argument:
  ♦ no-prepend
    ◊ If not configured (i.e. only local-as $LOCAL_AS is configured) and the remote neighbor is using $LOCAL_AS to set up the BGP session with the local router, the local router will advertise prefixes by prepending $LOCAL_AS to the original $MYASN
    ◊ If configured, $LOCAL_AS will NOT be prepended to the AS_PATH
  ♦ no-prepend replace-as
    ◊ If configured, $MYASN will be replaced by $LOCAL_AS in the AS_PATH
  ♦ dual-as
    ◊ If configured, the remote neighbor can use "remote-as $MYASN" or "remote-as $LOCAL_AS"
• Multicast/Labs/Lab9/Goals#Goal2

R1-R2
! On IOS
R1#
router bgp $MYASN
 neighbor $REMOTE_NEIGHBOR_R2 local-as $LOCAL_AS {no-prepend replace-as dual-as}

R2#
router bgp $R2ASN
 neighbor $REMOTE_NEIGHBOR_R1 remote-as $LOCAL_AS

! Verify
R2# show ip bgp neighbor $REMOTE_NEIGHBOR_R1 | i remote AS
BGP neighbor is $REMOTE_NEIGHBOR_R1, remote AS $LOCAL_AS, external link

! Example that shows the BGP AS_PATH change:
!! If R1 has: neighbor $REMOTE_NEIGHBOR_R2 local-as $LOCAL_AS
R2# show ip bgp
$Prefix_advertised_by_R1    $LOCAL_AS $MYASN i

!! If R1 has: neighbor $REMOTE_NEIGHBOR_R2 local-as $LOCAL_AS no-prepend
R2# show ip bgp
$Prefix_advertised_by_R1    $MYASN i

!! If R1 has: neighbor $REMOTE_NEIGHBOR_R2 local-as $LOCAL_AS no-prepend replace-as
R2# show ip bgp
$Prefix_advertised_by_R1    $LOCAL_AS i

BGP/Config Timers

• BGP#BGP Timers

timers

• Configure BGP#keepalive-interval as $KA_T and BGP#hold-time as $HD_T
• "BGP will negotiate the hold time with the neighbor. The smaller of the two hold times will be chosen" #Ref13


  ♦ However, the keepalive timer on the neighbor is automatically calculated (holddown timer / 3)
• Specific configuration always overrides the generic command
  ♦ i.e. neighbor timers overrides timers bgp
• Configuring on IOS, IOS-XR, IOS-XE is the same
• NOTE: If configured after the BGP session is established, then this doesn't take effect (need to clear ip bgp * or restart the BGP session for it to take effect)
• Use $MIN_HD_T_FROM_NEIGHBOR to force the neighbor to have a minimum holddown timer. If this condition is not met, then the BGP session goes to ACTIVE
  ♦ By default $MIN_HD_T_FROM_NEIGHBOR is 0 (i.e. a minimum of 0 seconds of holddown timer)
• Defaults: Keepalive=$KA_T=60sec, Holddown=$HD_T=180sec #Ref12
• BGP -> Lab8

neighbor timers

! Configure
! On Cisco IOS, IOS-XR
router bgp $BGP
 timers bgp $KA_T $HD_T $MIN_HD_T_FROM_NEIGHBOR
 ! AND/OR
 neighbor $NEIGHBOR_IP timers $KA_T $HD_T

! Verify
show ip bgp neighbors | include time
!! Displays the configured value and the value in use separately

timers bgp

! Configure
! On Cisco IOS, IOS-XR
router bgp $BGP
 timers bgp $KA_T $HD_T $MIN_HD_T_FROM_NEIGHBOR
 ! AND/OR
 neighbor $NEIGHBOR_IP timers $KA_T $HD_T

! Verify
show ip bgp neighbors | include time
!! Displays the configured value and the value in use separately

advertisement-interval

• BGP#advertisement-interval
• Similarly on IOS-XR under neighbor configuration mode
• By default, for eBGP peers it's 30 sec and for iBGP peers it's 5 sec/0 sec depending on the IOS version or IOS-XR

! On IOS, IOS-XR
router bgp $ASN
 neighbor $REMOTE_PEER advertisement-interval $ADV_INTERVAL

! Verify
show bgp neighbor $REMOTE_PEER | include advertisement


update-delay

• BGP#update-delay
• Arguments (only on IOS-XR)
  ♦ always
    ◊ wait for the entire $UPDATE_DELAY timer to expire even when neighbors have finished sending their initial BGP updates
• Default is 120 sec

! On IOS, IOS-XR
router bgp $ASN
 bgp update-delay $UPDATE_DELAY

! Verify
TODO

graceful-restart

• Distributed Router Architecture#GR in BGP
• Only for Cisco distributed systems (not 3600, 7200, etc.)
• This actually enables Distributed Router Architecture#NSF awareness on the neighbor and the local router
• Requirements:
  ♦ graceful-restart command without any options
  ♦ Requires restarting the BGP session (clear bgp)
  ♦ Needs to be enabled on the local peer and all of its neighbors
• Arguments:
  ♦ restart-time $RT
    ◊ Default 120 sec
    ◊ After the neighbor restarts, the local router will wait $RT seconds for an Open message from the peer (that is down) before deleting the stale routes
  ♦ stalepath-time $ST
    ◊ Default 360 sec
    ◊ After the neighbor restarts, the local router will wait $ST seconds for the EOR message from the peer (that is down) before deleting the stale routes
  ♦ purge-time $PT (on IOS-XR only)
    ◊ Default 600 sec
    ◊ "maximum time before stale routes are purged from the routing information base (RIB) when the local BGP process restarts"
  ♦ graceful-reset (on IOS-XR only)
    ◊ When configured, resets the peer after configuring graceful restart (i.e. to avoid clear bgp)

! On Cisco IOS, IOS-XE
! Needs to be enabled on all of R1's peers
R1#
router bgp $MY_AS
 bgp graceful-restart
 ! Separately configured
 ! Optional
 bgp graceful-restart {restart-time $RT} {stalepath-time $ST}


! Verification
!! Prefixes with the S flag are stale
show ip bgp | include S
show ip bgp neighbors
!! Displays EOR
debug ip bgp

! On IOS-XR
show bgp process

nsr

• Distributed Router Architecture#NSR

! Only on Cisco IOS-XR
! Needs to be enabled on all of R1's peers
R1#
router bgp $MY_AS
 nsr

! Verification
show bgp neighbors nsr
show bgp nsr

bgp default

bgp default route-target filter

MPLS/L3VPN/Config#bgp default route-target filter

bgp dampening

• Configures BGP#Route Dampening
• Requirements:
  ♦ Just needs to be configured on this router only (no need to configure on peers)
  ♦ The flapping route needs to be reachable by this router
• On IOS, in case of using a route-map, make sure that you DO NOT configure a route-map with set dampening and a separate bgp dampening configuration both together
• Arguments:
  ♦ Look into BGP#Route Dampening

IOS

router bgp
 address-family $FAMILY
  bgp dampening {$HALF_LIFE {$REUSE_PENALTY $SUPPRESS_LIMIT $MAX_SUPPRESS_TIME}} {route-map $RP}


! Verification
show ip bgp $ROUTE | include penalty

show ip bgp dampening
clear ip bgp dampening
debug ip bgp damp

In case of using route-map

router bgp
 address-family $FAMILY
  bgp dampening route-map DAMPEN

ip prefix-list $NW seq 5 permit 1.0.0.0/24 le 32

route-map DAMPEN permit 5
 match ip address prefix-list $NW
 set dampening $HALF_LIFE $REUSE_PENALTY $SUPPRESS_LIMIT $MAX_SUPPRESS_TIME

IOS-XR

router bgp
 address-family $FAMILY
  bgp dampening {$HALF_LIFE {$REUSE_PENALTY $SUPPRESS_LIMIT $MAX_SUPPRESS_TIME}} {route-policy $RP}

! Verification
show bgp $ROUTE | include penalty

show bgp flap-statistics
show bgp dampened-paths
show bgp neighbors flap-statistics
show bgp neighbors dampened-paths
clear bgp dampening
debug bgp damp

How to see penalty

show ip bgp $FLAPPED_ROUTE
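To see how the four dampening arguments ($HALF_LIFE, $REUSE_PENALTY, $SUPPRESS_LIMIT, $MAX_SUPPRESS_TIME) interact with the penalty shown by the verification commands above, here is an added Python model of the per-route penalty (example code, not from the notes and not Cisco's implementation). The 1000-point penalty per flap and the default values in the constructor are assumptions for this example (they match the commonly cited Cisco defaults, but the page does not state them); `DampeningState` and the time values are constructed.

```python
def decayed_penalty(penalty, elapsed_sec, half_life_sec):
    """Exponential decay: the penalty halves every half-life."""
    return penalty * 2 ** (-elapsed_sec / half_life_sec)


class DampeningState:
    """Flap-dampening bookkeeping for one route.

    Times are in seconds, penalties in points. FLAP_PENALTY = 1000 per flap and the
    constructor defaults (half-life 15 min, reuse 750, suppress 2000, max-suppress
    60 min) are assumed for this example, not stated on the page."""
    FLAP_PENALTY = 1000

    def __init__(self, half_life=900, reuse=750, suppress=2000, max_suppress=3600):
        self.half_life = half_life
        self.reuse = reuse
        self.suppress = suppress
        # Ceiling on the penalty so a route is never suppressed longer than
        # max-suppress-time: starting at the ceiling, decay reaches 'reuse'
        # exactly max_suppress seconds later.
        self.max_penalty = reuse * 2 ** (max_suppress / half_life)
        self.penalty = 0.0
        self.last_update = 0.0
        self.suppressed = False

    def _decay_to(self, now):
        self.penalty = decayed_penalty(self.penalty, now - self.last_update, self.half_life)
        self.last_update = now

    def flap(self, now):
        """The route went down/up at time 'now'."""
        self._decay_to(now)
        self.penalty = min(self.penalty + self.FLAP_PENALTY, self.max_penalty)
        self._update_state()

    def tick(self, now):
        """Re-evaluate without a flap (the periodic decay timer)."""
        self._decay_to(now)
        self._update_state()

    def _update_state(self):
        if self.penalty > self.suppress:
            self.suppressed = True          # route withdrawn from advertisement
        elif self.penalty < self.reuse:
            self.suppressed = False         # route reused
        # between reuse and suppress-limit the current state is kept


if __name__ == "__main__":
    s = DampeningState()
    for _ in range(3):
        s.flap(0)                           # three flaps in quick succession
    print(f"t=0     penalty={s.penalty:.0f} suppressed={s.suppressed}")
    s.tick(900)                             # one half-life later
    print(f"t=900   penalty={s.penalty:.0f} suppressed={s.suppressed}")
    s.tick(1801)                            # just past two half-lives
    print(f"t=1801  penalty={s.penalty:.0f} suppressed={s.suppressed}")
```

Three flaps push the penalty to 3000 (above the suppress limit); after one half-life it is 1500 (still between reuse and suppress, so still suppressed) and just after two half-lives it falls below the reuse value and the route is advertised again. The ceiling of reuse * 2^(max_suppress / half_life) is what guarantees the "maximum suppress time" bound.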

Path Attributes

LOCAL_PREF

Some routes will have no local pref. That's because those routes are received from eBGP peers and, since eBGP peers do not include local preference, it's empty here


set local-preference

• On IOS, IOS-XE (using route-map), IOS-XR (using route-policy)
• "Typically, a router uses set local-preference command with the inbound direction for routes received from eBGP peers. Then, with no additional configuration required, the router then advertises the Local_Pref to any iBGP peers." #Ref2

route-map $ROUTE_MAP
 match $CONDITION
 set local-preference $LOCAL_PREF

router bgp $MY_AS
 neighbor $REMOTE_IP route-map $ROUTE_MAP {in|out}
! 'in' is always used if $REMOTE_IP is eBGP

! Verify
show ip bgp $Nw

bgp default local-preference

• On IOS, IOS-XE (using route-map), IOS-XR (using route-policy)

router bgp $MY_AS
 bgp default local-preference $LOCAL_PREF
! Changes the default local pref from 100 to $LOCAL_PREF

Weight

set weight

• On IOS, IOS-XE (using route-map), IOS-XR (using route-policy)
• set weight is used in a route-map that is always applied to incoming routing updates (route-map in)
• $WEIGHT2 (set weight) overrides $WEIGHT1 (neighbor weight)

! On IOS, IOS-XE
! Configuration
router bgp
 neighbor $NEIGHBOR weight $WEIGHT1
 neighbor $NEIGHBOR route-map $SET_WEIGHT in

access-list 1 permit any
route-map $SET_WEIGHT permit 10
 match ip address 1
 set weight $WEIGHT2
route-map $SET_WEIGHT permit 20

! Verification
! On the local router
clear ip bgp $REMOTE_IP soft
show ip bgp $Nw longer-prefixes


AS_PATH

• On IOS, #set as-path
• On IOS-XR, #prepend as-path

IOS

set as-path

• The same th
• set as-path tag will prepend the AS_PATH with the tag that is found in redistributed routes
  ♦ Applied only to redistribute
• set as-path prepend $AS_NO1 {$AS_NO2 .. $AS_NOn} will prepend the AS_PATH with what you provide
  ♦ The same is achieved on IOS-XR via #prepend as-path
• Usually applied to route-map out, but can also be applied to in

route-map set-as-path-from-tag
 set as-path {tag | prepend $AS_NO1 {$AS_NO2 .. $AS_NOn}}
!

! Examples
route-map set-as-path-from-tag
 set as-path tag
!
router bgp 100
 redistribute ospf 109 route-map set-as-path-from-tag

route-map set-as-path
 match as-path 1
 set as-path prepend 100 100 100
!
router bgp 100
 neighbor 10.108.1.1 route-map set-as-path out

IOS-XR

prepend as-path

• Purpose: same as #set as-path prepend in IOS
• $AS_NO, the most-recent AS number, or the value of $PARAMETER will be prepended $TIMES times
• $TIMES is optional. Defaults to 1

route-policy $RPL_NAME
 prepend as-path {$AS_NO | most-recent | $PARAMETER} {$TIMES}


ORIGIN

• policy: route-map on IOS, IOS-XE and route-policy on IOS-XR
• BGP#ORIGIN
• There are the following ways to modify the origin attribute:
  ♦ #network command without any route-map having #set origin: advertises as IGP
  ♦ #redistribute: advertises as INCOMPLETE
  ♦ #network command with a route-map having #set origin egp $AS_APPEND: the AS number $AS_APPEND does get appended
  ♦ #neighbor route-map out with #set origin only changes the Origin code, not the AS_PATH prepend
  ♦ #set origin can also be applied to #neighbor route-map in

set origin

! On Cisco IOS, IOS-XE

access-list $ACL permit $Nw
route-map $MAP
 match ip address $ACL
 set origin {egp $AS_APPEND | incomplete | igp}
! Use egp $AS_APPEND with the network command only

router bgp
 neighbor $NEIGHBOR route-map $MAP1 out
 ! OR
 neighbor $NEIGHBOR route-map $MAP2 in
 ! OR
 network $Nw route-map $MAP3

! clear ip bgp must be done to activate the route-map
clear ip bgp * soft

! Verify on the remote neighbor for route-map out or network route-map
! Verify on the local router for route-map in
show ip bgp $Nw

MED

set metric

• Only on IOS, IOS-XE
• For IOS-XR, use "set med", which does exactly what this command does
• policy: route-map on IOS, IOS-XE and route-policy on IOS-XR
• Used on policy out with "set metric"
• The neighbor to which the policy is applied must be an eBGP neighbor
• If set metric is not used at all, then the default MED is the IGP metric of the local router

! On Cisco IOS, IOS-XE
route-map $MAP
 match ip address $ACL
 set metric $METRIC
! If $METRIC is not given, then the above command will not be used at all.


router bgp
 neighbor $NEIGHBOR route-map $MAP out

! clear ip bgp must be done to activate the route-map
clear ip bgp * soft

! Verify
show ip bgp $ROUTE

always-compare-med

To allow comparing MEDs for multiple routes (to the same prefix) traversing different ASes (i.e. the AS_PATH is different)

By default this configuration is disabled, as MED, by definition, is supposed to compare MEDs only for routes from the same AS

• Only on IOS, IOS-XE. No such configuration in IOS-XR
• Must be configured on the router that is comparing the MEDs (i.e. the peer/upstream routers must have configured set metric)

! Nw1-R1-R2-R3-Nw1, eBGP sessions
! On Cisco IOS, IOS-XE

R1# (same on R3)
route-map $MAP
 match ip address $ACL
 set metric $METRIC
!
router bgp
 neighbor $R2 route-map $MAP out

R2# ! R2 has two routes to Nw1, via R1 and via R3
router bgp
 bgp always-compare-med

ATOMIC_AGGREGATE

• BGP#ATOMIC_AGGREGATE
• #aggregate-address without the as-set option

AGGREGATOR

• BGP#AGGREGATOR
• #aggregate-address without the as-set option
  ♦ NOTE: Cisco implemented that ATOMIC_AGGREGATE always be sent with AGGREGATOR (containing the RID and AS number of the aggregating router)


AS_SET

• #aggregate-address with the as-set option
• BGP#AS_SET

AS_CONFED_SET

• BGP#AS_CONFED_SET
• #bgp confederation identifier and #aggregate-address with the as-set option

COMMUNITY

• BGP#COMMUNITY
• "While communities themselves do not alter the BGP decision making process, communities can be used as flags in order to mark a set of routes. Upstream service provider routers can then use these flags to apply specific routing polices (for example, local preference) within their network." #Ref300
• "The attribute consists of a set of four octet values that specify a community. The community attribute values are encoded with an Autonomous System (AS) number in the first two octets, with the remaining two octets defined by the AS" #Ref300
  ♦ In short, community format: XX:YY (where XX is an AS number and YY is defined by that AS)
• Requirements to set a community; configure these on the router that is setting the community:
  ♦ #set community
  ♦ Give the command #neighbor send-community on all routers that need to send the community
  ♦ On IOS, #ip bgp-community new-format to use the XX:YY format (default for IOS-XR)
• Requirements to match a community; configure these on the router that is matching the community:
  ♦ #ip community-list
  ♦ #match community
  ♦ On IOS, #ip bgp-community new-format to use the XX:YY format (default for IOS-XR)

! On IOS, IOS-XE
! Configuration
router bgp $MY_AS
 neighbor $REMOTE_PEER route-map $MAP out
 neighbor $REMOTE_PEER send-community
!
route-map $MAP
 match ip address 1
 set community 200 additive
 ! OR
 set community no-advertise
!
clear ip bgp * out

! Verification
show ip bgp $ROUTE | include Community
show ip bgp community


neighbor send-community

In order to send the BGP COMMUNITY to a neighbor in the Update message, this command must be given

IOS

By default, "In IOS, communities (standard and extended) are never sent unless send-community is configured." #Ref301

• Arguments:
  ♦ Type of community to send - {standard|extended|both}
  ♦ Defaults to standard (if not configured)
  ♦ standard is used for all IPv4 address-families
  ♦ extended is used in MPLS-VPN (BGP#Extended Community) or #BGP Cost Community
• Must be configured on the routers that need to send the BGP community to $REMOTE_PEER (i.e. on all iBGP and eBGP peers)

! On IOS, IOS-XE
! Configure on all routers that need to send COMMUNITY
router bgp $MY_AS
 neighbor $REMOTE_PEER send-community {standard|extended|both}

IOS-XR

By default, "in IOS-XR, communities (standard and extended) are sent by default on iBGP sessions but not on eBGP sessions." #Ref301

• Arguments:
  ♦ Defaults to standard only for iBGP peers (if not configured)
  ♦ send-community-ebgp on XR == send-community on IOS (standard community)
  ♦ send-extended-community-ebgp on XR == send-community extended on IOS (extended community)

! On IOS-XR
router bgp $MY_AS
 neighbor $REMOTE_PEER
  {send-community-ebgp | send-extended-community-ebgp}

! Example
!! The following XR config is equal to the IOS config below
router bgp $MY_AS
 neighbor $REMOTE_PEER
  send-community-ebgp
  send-extended-community-ebgp

!! The following IOS config is equal to the XR config above
router bgp $MY_AS
 neighbor $REMOTE_PEER send-community both

ip bgp-community new-format

• Only on IOS, to use the BGP community's new format of XX:YY instead of a single 4-octet number
• On IOS-XR, the new format is always used
• Must be configured on all those routers that are doing #match community or #set community with the new format


! Only on IOS, IOS-XE
ip bgp-community new-format

! Old style (before configuration)
Router# show ip bgp 6.0.0.0 | include Community
      Community: 6553620
! New style (after configuration): 6553620 == 100 * 65536 + 20
Router# show ip bgp 6.0.0.0 | include Community
      Community: 100:20

ip community-list

- Router/Config/route-map#ip community-list

match community

- Router/Config/route-map#match community
- On IOS-XR: "if community matches-any ..." in a route-policy, with a Router/Config/route-map#community-set

set community

- Router/Config/route-map#set community
- Router/Config/route-policy#set community

set comm-list

- Router/Config/route-map#set comm-list

Known Communities

- internet: advertise to all peers (in practice used to match any community in an ip community-list)

NO_EXPORT

A simple case shows the usage.

Topology: Nw1 - R1 - R2 - R3, each router in its own AS

! Case where R1 sets no-export and R2 honours it
R1#
router bgp 1
 neighbor $R2 remote-as 2
 neighbor $R2 send-community
 neighbor $R2 route-map SEND_COMM out
!
access-list 1 permit $Nw1
!
route-map SEND_COMM permit 10
 match ip address 1
 set community no-export
route-map SEND_COMM permit 20


!
R2#
router bgp 2
 neighbor $R1 remote-as 1
 neighbor $R3 remote-as 3
!
R3#show ip bgp $Nw1
! No route should be present: R2 received NO_EXPORT and does not advertise the prefix to its eBGP peer R3

! Case where R1 sets no-export and R2 overrides it
! The community has to be removed inbound on R2: the NO_EXPORT check runs before the
! outbound policy towards R3, so stripping it on the way out would be too late
R2#
router bgp 2
 neighbor $R1 remote-as 1
 neighbor $R1 send-community
 neighbor $R1 route-map OVERRIDE_COMM in
 neighbor $R3 remote-as 3
!
access-list 1 permit $Nw1
!
route-map OVERRIDE_COMM permit 10
 match ip address 1
 set community none
route-map OVERRIDE_COMM permit 20
!
R3#show ip bgp $Nw1
! Route should be present

BGP Cost Community

- BGP/MBGP#BGP Cost Community

neighbor soo

- Only on IOS
- Not frequently used; use Router/Config/route-map#set extcommunity soo instead

neighbor send-label

- Allows the BGP speaker to send an MPLS label along with the prefix to the neighbor (RFC 3107 labeled unicast)
- Primarily used where a BGP speaker is also an LDP speaker and has routes bound to MPLS labels that are not present in the IGP, only in the BGP table
- Use cases: MPLS/L3VPN/Config#6PE, MPLS/L3VPN/Config#Multihop VPNv4 BGP Exchange
- Serves exactly the same purpose as MPLS/Config#mpls ip (label distribution), only via BGP instead of LDP
- Requirements:
  - The neighbor must also be configured with send-label (i.e. bidirectional configuration)
  - next-hop-self must be configured for a new label to be allocated (https://supportforums.cisco.com/thread/2114830)

NOTE: For network $Prefix - R1 - R2 - R3, say $Prefix originates at R1. It is advertised to R2, R3, ... with the same label X until some BGP peer along the way changes the $Prefix's next hop.

If next-hop-self is not configured, you can end up with the same label being imposed at each hop while the next hop has no forwarding entry for that label.


(MPLS/VPN/CSC/Config#Without next-hop-self on CSC_PE)

NOTE: LDP#Is it possible to allocate a local binding to a BGP learned route

NOTE: send-label in relation to LDP. Forwarding with send-label (i.e. the data plane, not the control plane) works:
- for directly connected eBGP/iBGP sessions without LDP (BGP/Labs/Lab18)
- for eBGP/iBGP multihop sessions with LDP
- However, "mpls bgp forwarding" needs to be configured manually on the interface for directly connected iBGP peers, whereas it is added automatically for directly connected eBGP peers

! On IOS
router bgp $ASN
 neighbor $REMOTE_PEER send-label
 neighbor $REMOTE_PEER next-hop-self

! Verify
show ip bgp labels
show ip bgp neighbors $REMOTE_PEER | include advertised and received

! Example
! Network $Prefix - R1 - R2 - R3 with iBGP sessions R1-R2 and R2-R3
R1#
router bgp 123
 neighbor $R2 remote-as 123
 neighbor $R2 send-label
 network $Prefix

R2#
router bgp 123
 neighbor $R1 remote-as 123
 neighbor $R1 send-label
 neighbor $R3 remote-as 123
 neighbor $R3 send-label
 ! If next-hop-self is not configured,
 ! "R3#show mpls forwarding-table $Prefix" == "R2#show mpls forwarding-table $Prefix"
 neighbor $R3 next-hop-self

R3#
router bgp 123
 neighbor $R2 remote-as 123
 neighbor $R2 send-label

! Label advertised by R1 to R2 is $Label_R1
R1#show ip bgp labels
   Network      Next Hop      In label/Out label
   $Prefix      0.0.0.0       $Label_R1/nolabel

! Because the next hop for $Prefix changed at R2,
! a new label $Label_R2 is advertised by R2 to R3
R2#show ip bgp labels
   Network      Next Hop      In label/Out label
   $Prefix      $R1           $Label_R2/$Label_R1

R3#show ip bgp labels
   Network      Next Hop      In label/Out label
   $Prefix      $R2           nolabel/$Label_R2


IOS-XR

The equivalent of the above under IOS-XR uses:
- BGP/MBGP/Config#address-family ipv4 labeled-unicast
- BGP/MBGP/Config#allocate-label, which is similar to Router/Config/route-map#set mpls-label

mpls ip vs send-label

The general rule to remember for MPLS label preference is:
- If the prefix in the routing table is an IGP entry (and the IGP has LDP enabled), the LDP label is preferred
- If the prefix in the routing table is a BGP entry (and the BGP session has send-label configured), the BGP label is preferred

Therefore, the label from mpls ip is independent of send-label:
- i.e. send-label can be configured without mpls ip, and vice versa

mpls bgp forwarding

- Automatically configured when send-label is enabled on a directly connected eBGP session (manual configuration is needed for directly connected iBGP peers, see above)
- Also automatically configured when two different ASNs exchange VPNv4 routes without MPLS LDP (MPLS/L3VPN/Config#VPNv4 BGP Exchange)
- Only on IOS. On IOS-XR the equivalent is mpls activate (BGP/MBGP/Config#address-family ipv4 labeled-unicast)

! On IOS
! PE2_ISP1 - PE1_ISP2
PE2_ISP1#
interface $TO_PE1_ISP2
 mpls bgp forwarding

RTBH

- BGP#RTBH
- Example
- Destination-RTBH

! Network: Attacker - Internet - EdgeRouters - * - TriggerRouter - * - Victim

TriggerRouter#
!! $VICTIM_ROUTE is present in the routing table
router bgp $ASN
 network $VICTIM_ROUTE route-map SET_COMMUNITY
 neighbor $ALL_NEIGHBORS send-community
!
route-map SET_COMMUNITY permit 10
 set community $RTBH_COMMUNITY
!


EdgeRouters#
router bgp $ASN
 neighbor $Neighbor_Connected_To_TRIGGER_Router route-map DEST-RTBH in
 neighbor $Neighbor_Connected_To_TRIGGER_Router send-community
!
ip community-list 1 permit $RTBH_COMMUNITY
!
route-map DEST-RTBH permit 10
 match community 1
 set ip next-hop $DUMMY_NW
route-map DEST-RTBH permit 20
!
! $DUMMY_NW - private, otherwise unreachable address
ip route $DUMMY_NW 255.255.255.255 Null0
!
interface Null0
 no ip unreachables
!

Source-RTBH

- Uses ip verify unicast source reachable-via any (loose uRPF) so that every packet arriving on the interface is checked for a valid route back to its source. A route pointing to Null0 counts as a uRPF failure, so DoS traffic from the blackholed source is dropped at the edge and never enters the customer network

! Network: Attacker - Internet - EdgeRouters - * - TriggerRouter

EdgeRouters#
! Same BGP configuration as Destination-RTBH
interface $INT_Facing_Internet
 ! Before forwarding DoS traffic towards the victim, do the RPF check on $Source first;
 ! the source resolves to Null0, so the check fails and the traffic is dropped
 ip verify unicast source reachable-via any

TriggerRouter#
!! $ATTACKER_ROUTE is present in the routing table
router bgp $ASN
 redistribute static route-map SOURCE-Trigger
!
route-map SOURCE-Trigger permit 10
 match tag $TAG
 set community $RTBH_COMMUNITY no-export
!
ip route $ATTACKER_ROUTE 255.255.255.255 Null0 tag $TAG
!
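A small forwarding model of the RTBH setup above, added here as an example (not code from the original notes), so that destination and source RTBH can be checked side by side: an edge router's inbound policy on the session from the trigger router rewrites the next hop of any route carrying the RTBH community to $DUMMY_NW, the static route sends $DUMMY_NW to Null0, and for source RTBH loose uRPF drops packets whose source resolves to Null0. The community value, the addresses, the interface names and the session labels are all constructed for this example. It also shows why the DEST-RTBH route-map is attached only to the trigger session: the same community received from any other peer must not be allowed to blackhole a prefix.

```python
"""Forwarding model for destination and source RTBH.  Constructed example;
the values below are assumptions, not the notes' own configuration."""
import ipaddress

RTBH_COMMUNITY = "65000:666"      # assumed value of $RTBH_COMMUNITY
DUMMY_NW = "192.0.2.1"            # assumed $DUMMY_NW (RFC 5737 documentation range)
TRIGGER_SESSION = "trigger"       # the BGP session that route-map DEST-RTBH is applied to
MAX_RECURSION = 8                 # guard against next-hop resolution loops


class EdgeRouter:
    def __init__(self):
        # RIB: network -> next hop.  A next hop is an IP address (recursive),
        # an interface name (directly attached) or 'Null0'.
        self.rib = {ipaddress.ip_network(DUMMY_NW + "/32"): "Null0"}   # ip route $DUMMY_NW Null0
        self.urpf_loose_on_internet = False   # ip verify unicast source reachable-via any

    def add_route(self, prefix, next_hop):
        self.rib[ipaddress.ip_network(prefix, strict=False)] = next_hop

    def receive_bgp(self, session, prefix, next_hop, communities):
        """Inbound policy.  Only the trigger session gets route-map DEST-RTBH;
        the RTBH community received on any other session is ignored, so an
        external peer cannot blackhole our prefixes."""
        if session == TRIGGER_SESSION and RTBH_COMMUNITY in communities:
            next_hop = DUMMY_NW           # set ip next-hop $DUMMY_NW
        self.add_route(prefix, next_hop)

    def resolve(self, address):
        """Longest-prefix match with recursive next-hop resolution; returns
        an interface name, 'Null0', or None when there is no route."""
        ip = ipaddress.ip_address(address)
        for _ in range(MAX_RECURSION):
            best = None
            for network, next_hop in self.rib.items():
                if ip in network and (best is None or network.prefixlen > best[0].prefixlen):
                    best = (network, next_hop)
            if best is None:
                return None
            next_hop = best[1]
            if next_hop == "Null0" or not next_hop[0].isdigit():
                return next_hop           # interface reached
            ip = ipaddress.ip_address(next_hop)   # recurse on the next-hop address
        return None

    def forward(self, src, dst):
        """Verdict for a packet arriving on the Internet-facing interface."""
        if self.urpf_loose_on_internet and self.resolve(src) in (None, "Null0"):
            return ("drop", "urpf-fail")   # source RTBH: the attacker's route points to Null0
        out = self.resolve(dst)
        if out is None:
            return ("drop", "no-route")
        if out == "Null0":
            return ("drop", "blackhole")   # destination RTBH: the victim's route resolves to Null0
        return ("forward", out)


def build_edge():
    """An edge router with an upstream, a core link and one customer prefix."""
    edge = EdgeRouter()
    edge.add_route("203.0.113.0/24", "Gi0/0")        # Internet-facing link
    edge.add_route("198.51.100.0/24", "Gi0/1")       # core link towards trigger router and customers
    edge.add_route("0.0.0.0/0", "203.0.113.1")       # upstream
    edge.add_route("10.1.0.0/16", "198.51.100.2")    # customer (victim) network via the core
    return edge


if __name__ == "__main__":
    edge = build_edge()
    edge.receive_bgp(TRIGGER_SESSION, "10.1.2.3/32", "198.51.100.9", {RTBH_COMMUNITY})
    print("to victim:", edge.forward("203.0.113.50", "10.1.2.3"))
    print("to neighbour of victim:", edge.forward("203.0.113.50", "10.1.2.4"))
    edge.urpf_loose_on_internet = True
    edge.receive_bgp(TRIGGER_SESSION, "203.0.113.77/32", "198.51.100.9", {RTBH_COMMUNITY})
    print("from attacker:", edge.forward("203.0.113.77", "10.1.2.4"))
```

Note the last check in the test: a Null0 route for the attacker's source on its own changes nothing for traffic arriving from that source; it only breaks return traffic. The uRPF check on the Internet-facing interface is what turns the source route into an ingress drop.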

password

- Configuring this enables TCP MD5 authentication (RFC 2385) of the TCP session between the BGP neighbors
- The same password must be configured on both neighbors
- The command takes effect right away. If the neighbor does not have the password configured, the segments it sends (keepalives included) are rejected by the local router, and once the hold time expires the BGP session goes down
- The only verification is to look for the IP-TCP-BADAUTH syslog message
- BGP/Tshoot#BGP Neighbor Password Mismatch


! On IOS, IOS-XR
router bgp $ASN
 ! Similarly on $REMOTE_PEER (on IOS-XR the syntax is "password clear $PWD" under the neighbor)
 neighbor $REMOTE_PEER password $PWD

! Verify
show log | include BADAUTH
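What "neighbor ... password" actually puts on the wire, as an added example rather than anything from the original notes: the session is protected with the TCP MD5 signature option of RFC 2385, so every segment carries option kind 19 holding MD5 over the pseudo-header, the 20-byte TCP header with the checksum zeroed (options excluded), the payload and the password. The receiver recomputes the digest with its own password, and a mismatch is the condition behind the BADAUTH syslog message above. Addresses, ports, sequence numbers and the key are constructed; the BGP KEEPALIVE payload is the real 19-byte message format (16-byte marker, length, type 4).

```python
"""RFC 2385 TCP MD5 signature option, as used by 'neighbor ... password'.
Constructed example; endpoints and key are assumptions."""
import hashlib
import hmac
import socket
import struct

MD5_OPTION_KIND = 19
MD5_OPTION_LEN = 18               # kind, length, 16-byte digest
TCP_PROTOCOL = 6
BGP_KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"   # marker, length 19, type KEEPALIVE


def tcp_md5_digest(src_ip, dst_ip, base_header, options, payload, key):
    """RFC 2385 section 2: digest over the pseudo-header (source, destination,
    zero + protocol, full segment length), the 20-byte header with checksum
    zeroed and options excluded, the data, and the key."""
    if len(base_header) != 20:
        raise ValueError("base TCP header must be 20 bytes")
    segment_len = len(base_header) + len(options) + len(payload)
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, TCP_PROTOCOL, segment_len)
    zero_checksum = base_header[:16] + b"\x00\x00" + base_header[18:]
    return hashlib.md5(pseudo + zero_checksum + payload + key).digest()


def build_signed_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, key):
    """TCP segment with a populated MD5 signature option.  The 18-byte option is
    padded with two NOPs to a 4-byte boundary, giving a 40-byte header (data
    offset 10).  The checksum is left at zero: a real stack fills it in after
    signing, which is exactly why the digest is computed with it zeroed."""
    data_offset = (20 + 20) // 4
    base_header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset << 4, flags, 65535, 0, 0)
    placeholder = bytes([MD5_OPTION_KIND, MD5_OPTION_LEN]) + bytes(16) + b"\x01\x01"
    digest = tcp_md5_digest(src_ip, dst_ip, base_header, placeholder, payload, key)
    options = bytes([MD5_OPTION_KIND, MD5_OPTION_LEN]) + digest + b"\x01\x01"
    return base_header + options + payload


def build_unsigned_segment(sport, dport, seq, ack, flags, payload):
    """Plain 20-byte-header segment, as sent by a peer with no password configured."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload


def find_md5_option(options):
    """Walk the TCP option list and return the 16-byte digest, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                     # end of option list
            return None
        if kind == 1:                     # NOP
            i += 1
            continue
        if i + 1 >= len(options):
            return None                   # truncated option
        length = options[i + 1]
        if length < 2:
            return None                   # malformed option, stop parsing
        if kind == MD5_OPTION_KIND and length == MD5_OPTION_LEN:
            return options[i + 2:i + 18]
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver side: 'OK', 'BADAUTH' (wrong key, tampered segment or wrong
    endpoints) or 'NOSIG' (unsigned segment, i.e. peer has no password)."""
    base_header = segment[:20]
    header_len = (base_header[12] >> 4) * 4
    options, payload = segment[20:header_len], segment[header_len:]
    received = find_md5_option(options)
    if received is None:
        return "NOSIG"
    expected = tcp_md5_digest(src_ip, dst_ip, base_header, options, payload, key)
    return "OK" if hmac.compare_digest(received, expected) else "BADAUTH"


if __name__ == "__main__":
    seg = build_signed_segment("10.0.0.1", "10.0.0.2", 179, 49152, 1000, 2000, 0x18, BGP_KEEPALIVE, b"s3cret")
    print(verify_segment("10.0.0.1", "10.0.0.2", seg, b"s3cret"), verify_segment("10.0.0.1", "10.0.0.2", seg, b"wrong"))
```

Two details matter operationally: the addresses are part of the pseudo-header, so the signature also fails when NAT rewrites the session, and a peer with no password at all produces NOSIG rather than BADAUTH, which is the "one side configured, the other not" case described above.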

password-disable

- Only on IOS-XR, to override the password inherited from a #session-group and disable it for one neighbor

! On IOS-XR
!! This neighbor will effectively not use a password
router bgp $ASN
 session-group test
  password clear $PWD
 !
 neighbor $REMOTE_PEER
  use session-group test
  password-disable

bgp scan-time

bgp scan-time is the interval at which the router scans the BGP table to verify that the next hops of the prefixes installed in the routing table are still valid.

Therefore, the longer the interval, the higher the probability of a black hole forming while a next hop is already gone.

- TODO: How to verify bgp scan-time

BGP Support for Next-Hop Address Tracking

- TODO: http://www.cisco.com/en/US/docs/ios/iproute_bgp/configuration/guide/irg_adv_features.html#wp1056214

Configuring Table Policy

This command allows the local router to apply a route-map (or RPL) to the routes BGP installs into the routing table, regardless of which BGP peer they were learned from.

- Used in QPPB, or in general
- On IOS, "Using the BGP table-map command, prefixes added to the routing table are classified by BGP attribute, autonomous system number, or autonomous system path" #Ref700
- Similarly on IOS-XR

In other words, table-map/table-policy modifies the final state of the local prefixes (e.g. the route tag or the marking QPPB uses), since the $ROUTE_MAP/$RPL applies to every prefix installed from BGP, whichever peer sent it.


table-map

This command lets the local router apply a route-map to BGP routes as they are installed into the routing table, whichever BGP peer they were received from; with QPPB, the resulting marking is then applied to traffic forwarded to or from those destinations.

- Only on IOS
- Compared to #neighbor route-map, table-map's route-map applies to routes from all BGP peers

! On IOS
router bgp $ASN
 table-map $ROUTE_MAP
!

! Example
! Network: 3.0.0.1 - (AS3) - (AS1) - (AS2) - 2.0.0.1
! All routers are eBGP peers
! Apply table-map on AS1 to tag routes originating from AS2 with tag 2
AS1#
router bgp 1
 table-map TAG_AS2_NETWORKS_WITH_2
!
ip as-path access-list 1 permit _2$
!
route-map TAG_AS2_NETWORKS_WITH_2 permit 10
 match as-path 1
 set tag 2
!
! Verify
AS1#show ip route 2.0.0.1 | include Tag
  Tag 2

table-policy

This command lets the local router apply a route-policy to BGP routes as they are installed into the routing table, whichever BGP peer they were received from.

- Only on IOS-XR
- Compared to #neighbor route-policy, table-policy's route-policy applies to routes from all BGP peers

! On IOS-XR
router bgp $ASN
 address-family {ipv4|ipv6} {unicast|multicast}
  table-policy $RPL
!

! Example
! Network: 3.0.0.1 - (AS3) - (AS1) - (AS2) - 2.0.0.1
! All routers are eBGP peers
! Apply table-policy on AS1 to tag routes originating from AS2 with tag 2
AS1#
!
as-path-set AS2
  ios-regex '_2$'
end-set
!
route-policy TAG_AS2_NETWORKS_WITH_2
  if as-path in AS2 then
    set tag 2
  else
    pass
  endif
end-policy
!
router bgp 1
 address-family ipv4 unicast
  table-policy TAG_AS2_NETWORKS_WITH_2
 !
!
! Verify
AS1#show route 2.0.0.1 | include Tag
  Tag 2
show bgp policy
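The AS-path match that drives both examples above is easy to get subtly wrong, so here is the matching logic as an added example (not code from the original notes): Cisco's "_2$" is not a plain regex, because "_" stands for the beginning or end of the path, a space, or any of ",{}()". The block translates that dialect into a Python regex, and a small table-map function then tags routes on installation the way the AS1 configuration does. The route table and tag values are constructed for the example.

```python
"""Cisco as-path regex semantics and a table-map style tagging pass.
Constructed example; routes and tags are assumptions."""
import re

# What '_' expands to in Cisco's as-path regex dialect.
IOS_UNDERSCORE = r"(?:^|$|[ ,{}()])"


def ios_regex_to_python(pattern):
    """Translate a Cisco as-path regex into a Python regex."""
    return pattern.replace("_", IOS_UNDERSCORE)


def as_path_matches(pattern, as_path):
    """'ip as-path access-list ... permit <pattern>' / ios-regex test against
    an AS_PATH written as space-separated AS numbers ('' = locally originated)."""
    return re.search(ios_regex_to_python(pattern), as_path) is not None


def table_map(routes, rules):
    """Apply route-map style rules when routes are installed into the RIB.
    routes: {prefix: as_path}; rules: ordered list of (as_path_regex, tag).
    First matching rule wins.  Unmatched routes are installed with tag 0,
    mirroring table-map without the 'filter' keyword, which installs them
    unchanged instead of dropping them."""
    installed = {}
    for prefix, as_path in routes.items():
        tag = 0
        for pattern, rule_tag in rules:
            if as_path_matches(pattern, as_path):
                tag = rule_tag
                break
        installed[prefix] = {"as_path": as_path, "tag": tag}
    return installed


if __name__ == "__main__":
    # Routes as seen at AS1 in the topology above: AS2 and AS3 are direct peers.
    demo_routes = {"2.0.0.0/8": "2", "3.0.0.0/8": "3", "4.0.0.0/8": "3 2", "20.0.0.0/8": "20"}
    for prefix, entry in table_map(demo_routes, [("_2$", 2)]).items():
        print(prefix, entry)
```

The 20.0.0.0/8 case is the reason for the "_": with a plain "2$" the path "20" would not match either, but "_2$" also refuses "12", while "^2_" correctly accepts "2 3" and rejects "20 3".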

Configuring Policy

This is used to configure:
- QPPB: forces packets coming into $INT that are matched by source or destination IP address in the IP routing table to be marked according to the QPPB#Route Marking done via #table-map
- BGP Policy Accounting

IOS

bgp-policy

- {source|destination ip-prec-map|ip-qos-map} - QPPB#Configuring QPPB
- {accounting input} - BGP Policy Accounting#BGP/Config Policy Accounting
- #Ref801

! On IOS
interface $INT
 bgp-policy {source|destination} {ip-prec-map|ip-qos-map}
 bgp-policy accounting input

IOS-XR

bgp policy

- {propagation} - QPPB#Configuring QPPB
- {accounting} - BGP Policy Accounting#BGP/Config Policy Accounting
- #Ref802

! On IOS-XR
interface $INT
 ! QPPB
 {ipv4|ipv6} bgp policy propagation input {ip-precedence | qos-group} {destination | source}
 ! BGP Policy Accounting
 {ipv4|ipv6} bgp policy accounting {input | output} {destination-accounting [source-accounting] | source-accounting [destination-accounting]}

BGP PMTUD

- BGP#BGP PMTUD
- Enabled by default on recent IOS
- Can be disabled per neighbor, see below
- Not on IOS-XR

! On IOS
router bgp $ASN
 neighbor $PEER transport path-mtu-discovery disable
! Verify
show ip bgp neighbors $PEER | include Data|MTU|transport|MSS

NHT

- BGP#NHT
- Enabled by default
- To disable, see below
- Not on IOS-XR

! On IOS
router bgp $ASN
 address-family $FAMILY
  ! To disable NHT
  no bgp nexthop trigger enable

  ! To increase the delay BGP waits before doing a full IGP table walk
  bgp nexthop trigger delay $DELAY

  ! Apply NHT only to next hops matched by the route-map
  bgp nexthop route-map $MAP
!
route-map $MAP permit 10
 match ip address prefix-list $PL

PIC

- BGP#PIC
- Configuring: additional-paths install backup
  - Must be configured on all routers that have multiple paths to a prefix
  - It is recommended not to configure maximum-paths along with this configuration (TODO???)
- Similarly on IOS-XR

router bgp $ASN
 address-family $FAMILY
  additional-paths install backup

Link Bandwidth

BGP Link Bandwidth is an extended community that enables unequal-cost load balancing over DMZ links (eBGP links).

- The extended community carries the bandwidth of the eBGP link
- BGP/Labs/Lab16
- Good Example
- Config requirements:
  1. Configure #maximum-paths on the router that has two paths to a destination ($DNw)
  2. Configure the DMZ links: "neighbor $EBGP_PEER dmzlink-bw" on IOS (on IOS-XR, use "neighbor ... dmz-link-bandwidth")
  3. Exchange the link bandwidth community between iBGP peers: "bgp dmzlink-bw" along with "send-community extended" on IOS (on IOS-XR there is no "bgp dmzlink-bw"; use "bgp bestpath as-path multipath-relax" to allow multipath over paths with different AS paths)
     NOTE: You might have to enable "ip load-sharing per-packet" on all outgoing interfaces at R1_ISP1
- More information on unequal-cost load balancing: Ref

                  R2_ISP2
                /         \
$SNw - R1_ISP1              - $DNw
                \         /
                  R3_ISP2
!

! IOS
R1_ISP1#
router bgp 1
 neighbor $R2_ISP2 remote-as 2
 neighbor $R3_ISP2 remote-as 2
 neighbor $R0_ISP1 remote-as 1
 !
 address-family ipv4 unicast
  ! DMZ links
  ! Allow eBGP multipath
  maximum-paths 32
  ! Allow iBGP multipath
  maximum-paths ibgp 32
  neighbor $R2_ISP2 activate
  neighbor $R2_ISP2 dmzlink-bw
  neighbor $R3_ISP2 activate
  neighbor $R3_ISP2 dmzlink-bw
  !
  ! Exchange the link bandwidth community with the iBGP peer
  bgp dmzlink-bw
  neighbor $R0_ISP1 activate
  neighbor $R0_ISP1 send-community extended


BGP show commands

show ip bgp

- show ip bgp {Prefix}
- Lists the BGP table
- If PREFIX is not provided, lists the whole table, else only the entry for that prefix
- If prefix == 0.0.0.0 0.0.0.0, lists the default route

show ip bgp neighbors received-routes

- show ip bgp neighbors <REMOTE_ID/RID> received-routes
- Lists the routes received from a neighbor before the inbound filter is applied
- Requires neighbor <> soft-reconfiguration inbound
- This costs a lot of memory, since an unfiltered copy of everything the neighbor sent is kept

show ip bgp neighbors routes

- show ip bgp neighbors <REMOTE_ID/RID> routes
- Lists the routes received from a neighbor after the inbound filter is applied
- These are the routes that go into the BGP table (show ip bgp)

show ip bgp neighbors advertised-routes

- show ip bgp neighbors <REMOTE_ID/RID> advertised-routes
- Lists the routes advertised to a neighbor after the outbound filter is applied

show ip bgp rib-failure

- Lists all the routes that did not make it from BGP into the IP routing table, with the reason

FAQs

Can you configure multiple BGP sessions between two routers?

- Yes, using different IP addresses (interface or loopback)
- BGP -> Lab5

Why is configuring multiple BGP sessions between two routers not a good idea?

- Each session carries its own copy of the updates, so the same prefixes show up once per session and the BGP table (show ip bgp) grows accordingly


- BGP -> Lab5

Can multihop and ttl-security be applied on the same neighbor?

No. They are mutually exclusive.

What happens if an eBGP multihop session is established and later the ebgp-multihop command is removed?

The BGP session goes down after the hold timer expires.

How do you configure an iBGP session?

#Neighbor with $REMOTE_AS = $MY_AS

What happens to the next hop of iBGP-learned routes when next-hop-self is configured?

Nothing: next-hop-self only rewrites the next hop of routes learned from eBGP peers, so for routes reflected by a route reflector you need the #Workaround for next-hop-self on route reflector

A customer would like to connect to a service provider. Which of the following requirements should be considered before deciding on a type of connectivity?

- Application availability
- Redundancy

Should customer networks that can be summarized in a service provider network be tagged with the no-export BGP community when redistributed into BGP?

Yes

Which process can run in multiple instances in BGP?

The BGP speaker process can be distributed into multiple instances

When RIP is redistributed into BGP, RIP's metric becomes which BGP attribute?

MED


Is a route-policy required between iBGP neighbors in IOS-XR, like it is required for eBGP?

No

Labs

- Enterprise Network -> Basic Peering - My Lab -> My GNS -> BGP -> Lab1
- ISP Network -> BGP Basics - My Lab -> My GNS -> BGP -> Lab2
- ISP Network -> BGP Policy - My Lab -> My GNS -> BGP -> Lab3

References

Ref1

BGP Next Hop Propagation: http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fs_bgpnh.html#wp1027129

Ref2

Odom, W. (2010). CCNP Route 642-902 Official Certification Guide.

Ref3

Cisco Press, CCIE TCP-IP Vol II

Ref4

http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.0/routing/configuration/guide/rc3bgp.html

Ref5

https://learningnetwork.cisco.com/docs/DOC-11233

Ref10

http://www.networkworld.com/community/node/18760
http://packetlife.net/blog/2009/nov/23/understanding-bgp-ttl-security/


Ref11

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gt_btsh.html

Ref12

http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfbgp.html#wp1002274

Ref13

http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.2/routing/configuration/guide/rc32bgp.html#wp1216268

Ref14

http://www.cisco.com/en/US/docs/ios/12_3t/ip_route/command/reference/ip2_n1gt.html#wp1109875

Ref15

http://www.cisco.com/en/US/tech/tk365/technologies_q_and_a_item09186a00800949e8.shtml#five

Ref200

http://www.cisco.com/en/US/docs/ios/12_3t/ip_route/command/reference/ip2_k1gt.html#wp1075487

Ref201

http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.7/routing/command/reference/rr37bgp.html#wp1361967

Ref203

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094431.shtml#bgpmpath

Ref300

http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a00801475b2.shtml

Ref301

https://supportforums.cisco.com/thread/2213491

Ref500

Converting IOS to IOS-XR: http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.5/xr12000_conversion/reference/guide/cn35main.html


Ref600

route-policy vs route-map: http://indiciumlabs.com/wp-content/uploads/2011/10/Route_Policy_RPL_XR_v1.pdf

Ref700

- http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bgp/configuration/xe-3s/irg-pol-acct-out.html
- http://www.sgtccie.com/blog/2013/05/bgp-table-maps/
- https://learningnetwork.cisco.com/thread/6328
- http://yuri.easytospell.net/?p=1000

Ref800

Ref801

http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bgp/command/bgp-a1.html#wp2052159701

Ref802

http://www.cisco.com/en/US/docs/routers/crs/software/crs_r4.2/addr_serv/command/reference/b_ipaddr_cr42crs_chapter_011.html#wp2411102936
