Hour 65: BGP Review Part 1

Consult the symbols legend at the end of the post for information on symbols.

Metric:

  • AD 20 EBGP
  • AD 200 IBGP
  • BGP Best Path Selection is used to determine the path used. Decision process mnemonic:

We Love Oranges As Oranges Mean Pure Perfect Refreshment

1. Weight – largest preferred

  • [(RTR)neighbor <ip> weight <weight>] Sets the weight for a metric ( 0 by another BGP peer and localy originated 32768 by default)
  • [(RTR)neighbor filter-list <acl> weight <#>] references an AS_PATH ACL. Any routes from the peer whose weights are not set by the [(RTR)neighbor filter-list <acl> weight <#>] command have their weights set by [(RTR)neighbor <ip> weight <weight>]
  • [(route-map)set weight <weight>] only the AS_PATH can be matched
  • Any routes locally originated (network, aggregate, redistribute) is assigned weight 32768

2. Local-preference – largest preferred

  • Default Local-preference is 100
  • [(RTR)bgp default local-preference <pref>] Globally set
  • [(Route-map)set local-preference <pref>]

3. Originated Locally (in decreasing preference)

  • [(RTR)neighbor <ip> default-originate] does not require default route to be in routing table
  • [(RTR)network 0.0.0.0] default-route must be in routing table
  • [(RTR)default-information originate] use explicitly with redistribution & has to be in routing table
  • [(RTR)aggregate-address <net> <mask>] route must be in routing table

4. AS_PATH – Shortest preferred

  • Private AS range: 64512-65535( last 1024)
  • [(RTR)bgp bestpath as-path ignore] HIDDEN COMMAND
  • Up to 4 different components: AS_SEQ, AS_SET, AS_CONFED_SEQ, AS_CONFED_SET
  • [(RTR)neighbor <ip> remove-private-as] Private AS is removed toward that neighbor. Only tail AS is removed.
  • [(RTR)neighbor <ip> local-as <as> %no-prepend% %replace-as%%dual-as%%] Local AS is also seen on the router where it is configured. Local AS is prepended to all paths received from that peer, so internal routers with that native as will see a loop. no prepend: works for prefixes send toward own AS. Local AS is removed. replace-as: works for outbound prefixes, replaces real AS in path with local AS.
  • [(Route-map)set as-path prepend <as> %<as>%]
  • [(RTR)bgp maxas-limit <#>] Drop paths with number of AS’s exceeding this number. Default is 75.
  • [(RTR)neighbor <ip> allowas-in] Allow own AS in the path (split AS)

5. ORIGIN Code – Lowest preferred

  • i(IGP): [(RTR)neighbor <ip> default-originate] or [(RTR)network <net>]
  • i(IGP): [(RTR)aggregate-address <network> <mask> as-set] If all component summarized subnets use origin i
  • ?(Incom.): [(RTR)redistribute X] or [(RTR)default-information originate]
  • ?(Incom): [(RTR)aggregate-address <network> <mask> as-set] If atleast one summarized subnet use origin ?

6. MED – Lowest preferred

  • Set to 0 when passed to another AS. Manipulates traffic going from remote network to our prefix
  • [(RTR)default-metric <med>] Set globally
  • [(Route-map)set metric <med>]
  • [(RTR) bgp always-compare-med] Compares MED from different AS’s
  • [(RTR)bgp bestpath med missing-med-worst] if MED is not set it is treated as 0, may not be optimal
  • [(RTR)bgp bestpath med confed] compared MED from sub-AS’s in confederations
  • [(RTR)bgp deterministic-med] paths from the same AS are grouped, best is selected using MED first (not the IGP cost) and compared to other paths from different AS’s (if always-compare-med command is enabled). If this feature is not enabled the route selection can be affected by the order in which the routes are received. If it is enabled, then the result of the selection algorithm will always be the same.
  • [(Route-map) set metric-type internal] Sets MED of BGP route to the same metric as IGP route to the same destination

7. Prefer eBGP over iBGP (Confed paths are treated as iBGP paths)
8. Prefer older paths if multiple exist
9. RID – lowest preferred
10. Cluster-list length (RR) Environment
11. Neighbor address – Lowest

Neighbors:

  • Uses TCP/179
  • [(RTR)neighbor <ip> remote-as <as>] Establish an IBGP or EBGP session, must be two way
  • If [(RTR)neighbor <ip> ebgp-multihop %<ttl>%] is used, there must be a specific route to the remote peer. Default route will not work, even if you can ping it.
  • [(RTR)neighbor <ip> disable-connected-check] can be used for directly connected multihop EBGP peers (loopback)
  • [(RTR)neighbor <ip> update-source <IF>] For not directly connected sessions outgoing interface must be set (with IP defined as a neighbor on remote peer)
  • [(RTR)neighbor <ip> maximum-prefix <max> %<threshold%>% %warning-only% %restart <sec>%]
  • Automatic Neighborship can be done: [(RTR)bgp listen range <prefix> peer-group <name> Prefix defines from which addresses session is accepted, [(RTR)neighbor <group-name> alternate-as <list of AS’s>] Accept neighboring defined AS’s only (list separated with spaces), [(RTR)bgp listen limit <#>] Limits number of automatic neighbors

Timers:

  • Keepalives every 60 sec (19 bytes header); Holdtime 180 sec
  • [(RTR)bgp scan-time <scanner-interval in sec>] Default is 60sec
  • [(RTR)neighbor <ip> advertisement-interval <sec>] Updates are rate limited 5 sec for IBGP and 30 sec for EBGP
  • [(RTR)timers bgp <keepalive><hold>%<min-hold>%] Globally
  • [(RTR)neighbor <ip> timers <keepalive> <hold> %<min-hold>%] By default lowest negotiated holdtime is used. To prevent low holdtimes set by neighbor, minimum accepted can be defined.

Summary (aggregation):

 BGP_Aggregation

Default route(decreasing preference):

  • [(RTR)neighbor <ip> default-originate] does not require default route to be in routing table
  • [(RTR)network 0.0.0.0] Must have default route in routing table.
  • [(RTR)default-information originate] Requires redistribution and by default not redistributed from other protocols with any outbound filters (prefix-list, route-map, filter-list)

Security:

  • [(RTR)neighbor <ip> password <string>] MD5 Authentication is used
  • [(RTR)neighbor <ip> ttl-security hops <#>] Outgoing BGP packets set TTL to 255 – <hop#>, both sides must be configured with this feature and does not prevent attacks from the same segment of distance.

Filtering:

 BGP_Filtering

Symbols Legend:

[ ] = command

<> = input

% % = optional

{  } = available options separated by |

(RTR) = in router bgp <AS>

(IF) = interface <interface name> x/x , for example: interface fastethernet0/0

Thank you to Krzysztof Zaleski for his notes.

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s