Monday, September 21, 2015

Facts to remember about BGP - Part 4

BGP Backdoor (it is a hidden command)
  • Changes the administrative distance of an eBGP-learned prefix from 20 to 200 so that the route advertised by the IGP is preferred
  • The syntax of the command is: network <subnet> mask <netmask> backdoor
  • It uses the network command, but it does not advertise the prefix
In this example RTA learns 160.10.0.0 from both RTB (EIGRP) and RTC (eBGP), but it chooses the route from RTC because of the lower AD (20 vs 90). With backdoor we change the eBGP AD (20) to the iBGP AD (200) for this prefix only, so RTA chooses RTB instead.

RTA# 
router eigrp 10 
network 150.10.0.0 

router bgp 100 
neighbor 2.2.2.1 remote-as 300 
network 160.10.0.0 backdoor 

BGP Aggregation / BGP Aggregation - Summary Only
  • There must be a subnet in the BGP table that is encompassed by the summarized prefix.
  • For every aggregate, an automatic static route to Null0 is installed to prevent routing loops. The aggregated addresses must be in the BGP table (Loc-RIB), but they do not need to be in the router's routing table (RIB).
  • The original (specific) prefixes are still advertised, unlike in an IGP, where summarization automatically suppresses the more specific prefixes.
  • The syntax for the command is aggregate-address <prefix> <mask>
  • To generate just the summary prefix, use the option summary-only after the aggregate-address command.


BGP Aggregation - Suppress Map
There is a big difference between suppressing prefixes from the summarized advertisement with a route-map PERMIT clause and with a DENY clause. Compare the two examples.

Make the summary prefix 150.1.0.0/16 for the networks 150.1.1.0/24, 150.1.2.0/24 and 150.1.3.0/24, but suppress only the network 150.1.1.0/24
ip prefix-list SUPPRESS_PREFIX 150.1.1.0/24
!
route-map SUPPRESS_MAP permit 10
 match ip address prefix-list SUPPRESS_PREFIX
!
router bgp 200
 aggregate-address 150.1.0.0 mask 255.255.0.0 suppress-map SUPPRESS_MAP

Make the summary prefix 150.1.0.0/16 for the networks 150.1.1.0/24, 150.1.2.0/24 and 150.1.3.0/24. Suppress all the networks except 150.1.1.0/24
ip prefix-list SUPPRESS_PREFIX 150.1.1.0/24
!
route-map SUPPRESS_MAP deny 10
 match ip address prefix-list SUPPRESS_PREFIX
!
router bgp 200
 aggregate-address 150.1.0.0 mask 255.255.0.0 suppress-map SUPPRESS_MAP



BGP Aggregation - Unsuppress Map
  • Can only be configured on the router that performs prefix aggregation using the command aggregate-address with summary-only
  • Applied only on a per-neighbor basis as follows: neighbor <IP-ADDRESS> unsuppress-map <ROUTE-MAP>
  • Both the summary address and the unsuppressed prefixes are advertised to that neighbor
  • It can be used for traffic engineering, unsuppressing subnets for specific neighbors, because classless routing always prefers the most specific prefix to reach a destination

R3:
ip prefix-list NET_1 permit 10.0.1.0/24 
!
route-map UNSUPPRESS_MAP permit 10
 match ip address prefix-list NET_1
!
router bgp 200
 aggregate-address 10.0.0.0 255.255.252.0 summary-only
 neighbor 155.1.37.7 unsuppress-map UNSUPPRESS_MAP

This output shows R3 advertising the summary address but also the unsuppressed network 10.0.1.0/24
R3#show ip bgp neighbors 155.1.37.7 advertised-routes | include 10.0
 *>  10.0.0.0/22      0.0.0.0                            32768 i
 s>i 10.0.1.0/24      155.1.23.2               0    100      0 i




BGP Aggregation - AS-Set
  • Aggregation hides information previously found in the specific prefixes, such as NEXT_HOP, AS_PATH, and so on
  • This can cause loops, because the AS_PATH of the summary prefix is now empty
  • When as-set is used with the aggregate-address command, the new summary prefix inherits the community and other additive attributes of the subnets, such as AS_SET, which contains the AS numbers found in all AS_PATHs of the specific prefixes. This list of AS numbers is unordered and is used only for routing loop prevention; when BGP receives a prefix
  • By default, the aggregated address in BGP does not include the AS_SET information. To force the use of this information, specify the as-set option as follows: aggregate-address <subnet> <mask> as-set summary-only
This example shows the unordered AS list of all the members of the summary address between { }
R5#show ip bgp 
BGP table version is 46, local router ID is 150.1.5.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 s>i 112.0.0.0        155.1.108.10             0    100      0 54 50 60 i
 s i                  155.1.108.10             0    100      0 54 50 60 i
 *>  112.0.0.0/5      0.0.0.0                       100  32768 {54,50,60} i 



BGP Aggregation - Attribute-Map
It is used together with aggregate-address and as-set to change or reset the community and other additive attributes that the summary address would otherwise inherit from all the subnets when as-set is used.

In this example R5 receives a prefix from R8 with the community value "no-export". Because of that, the summary address 112.0.0.0 will not be advertised to the neighbors. The solution is to reset the community value to "none".

R5:
route-map ATTR_MAP
 set community none
!
router bgp 200
 aggregate-address 112.0.0.0 248.0.0.0 summary-only as-set attribute-map ATTR_MAP
 neighbor 155.1.58.8 send-community
 neighbor 155.1.0.2 send-community
 neighbor 155.1.0.3 send-community

BGP Aggregation - Advertise Map
R5 wants to advertise the summary 150.1.0.0/21 to R3 using aggregate-address with as-set. R3 will reject the summary because its own AS number appears in the AS_PATH. The solution is to remove that AS number from the AS_SET by denying the prefix 150.1.3.3 in the advertise-map.


R1, loopback 150.1.1.1 AS1
R2, loopback 150.1.2.2 AS2
R3, loopback 150.1.3.3 AS3
R5, loopback 150.1.5.5 AS5
R5(config)#route-map DENY3 deny 10
R5(config-route-map)#match ip address prefix-list R3
R5(config)#route-map DENY3 permit 20

R5(config)#router bgp 5
R5(config-router)#aggregate-address 150.1.0.0 255.255.248.0 as-set summary-only advertise-map DENY3
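As an added illustration (not code from the post), this Python model shows how the AS_SET of an as-set aggregate is built from the covered prefixes, how the receiving AS applies its loop check, and why denying 150.1.3.3 in the advertise-map makes R3 accept the summary. The /32 masks and the AS_PATHs of the contributing routes are constructed sample data.

```python
import ipaddress
from typing import Dict, Iterable, List, Set

# Constructed sample of R5's BGP table: contributing prefix -> AS_PATH (list of ASNs).
# Loopbacks and AS numbers follow the post; the /32 masks are an assumption.
CONTRIBUTORS: Dict[str, List[int]] = {
    "150.1.1.1/32": [1],
    "150.1.2.2/32": [2],
    "150.1.3.3/32": [3],
    "150.1.5.5/32": [],   # originated locally by R5 (AS 5), so no AS in the path yet
}

def aggregate_as_set(routes: Dict[str, List[int]], aggregate: str,
                     advertise_deny: Iterable[str] = ()) -> Set[int]:
    """AS_SET of an 'aggregate-address ... as-set' summary: the unordered union of
    every AS found in the AS_PATHs of the covered prefixes. Prefixes denied by the
    advertise-map do not contribute their attributes."""
    agg = ipaddress.ip_network(aggregate)
    denied = set(advertise_deny)
    as_set: Set[int] = set()
    for prefix, path in routes.items():
        if prefix in denied or not ipaddress.ip_network(prefix).subnet_of(agg):
            continue
        as_set.update(path)
    return as_set

def format_path(sequence: List[int], as_set: Set[int]) -> str:
    """Render like 'show ip bgp': ordered AS_SEQUENCE, then the AS_SET in braces
    (sorted here for determinism; IOS prints it unordered)."""
    seq = " ".join(str(a) for a in sequence)
    brace = "{" + ",".join(str(a) for a in sorted(as_set)) + "}" if as_set else ""
    return " ".join(part for part in (seq, brace) if part)

def accepts(local_as: int, sequence: List[int], as_set: Set[int]) -> bool:
    """Receiver-side loop check: the update is dropped if the receiver's own AS
    appears anywhere in the AS_PATH, AS_SET included."""
    return local_as not in sequence and local_as not in as_set

def r3_accepts_summary(advertise_deny: Iterable[str] = ()) -> bool:
    """R5 (AS 5) prepends itself and sends 150.1.0.0/21 to eBGP peer R3 (AS 3)."""
    as_set = aggregate_as_set(CONTRIBUTORS, "150.1.0.0/21", advertise_deny)
    return accepts(3, [5], as_set)
```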



BGP Communities
  • They are optional transitive attributes used mainly to attach an administrative tag to a route
  • All prefixes with the same community belong to the same group and share some properties
  • There are two formats for reading a community value: raw, as a 32-bit number, and structured, as a pair AS number:16-bit value
  • There are three well-known BGP community values from reserved range: NO_EXPORT (0xFFFF:0xFF01), NO_ADVERTISE (0xFFFF:0xFF02), and NO_EXPORT_SUBCONFED (0xFFFF:0xFF03)

  • R3 will announce 6.6.6.0/24 with a community attribute 100:300 to R1
  • R3 will announce 6.6.6.0/24 with a community attribute 100:250 to R2
  • R1 will set "local-preference" 130 for community 100:300
  • R1 will set "local-preference" 125 for community 100:250
R3:
router bgp 30
 network 6.6.6.0 mask 255.255.255.0
 network 7.7.7.0 mask 255.255.255.0
 neighbor 10.10.13.1 remote-as 100
 neighbor 10.10.13.1 send-community
 neighbor 10.10.13.1 route-map Peer-R1 out
 neighbor 10.10.23.2 remote-as 100
 neighbor 10.10.23.2 send-community
 neighbor 10.10.23.2 route-map Peer-R2 out
!
!--- Display the community attribute in AA:NN format.
ip bgp-community new-format
!
access-list 101 permit ip host 6.6.6.0 host 255.255.255.0
!
route-map Peer-R1 permit 10
 match ip address 101
 set community 100:300
!
route-map Peer-R2 permit 10
 match ip address 101
 set community 100:250
end

R1:
router bgp 100
 neighbor 10.10.12.2 remote-as 100
 neighbor 10.10.12.2 next-hop-self
 neighbor 10.10.13.3 remote-as 30
 neighbor 10.10.13.3 route-map Peer-R3 in
!
ip bgp-community new-format
!
ip community-list 1 permit 100:300
ip community-list 2 permit 100:250
!
route-map Peer-R3 permit 10
 match community 1
 set local-preference 130
!
route-map Peer-R3 permit 20
 match community 2
 set local-preference 125
!
route-map Peer-R3 permit 30
end

BGP Communities - No-Advertise  /  BGP Communities - No-Export
  • No-export means: do not export to any eBGP neighbor, only to iBGP neighbors.
  • No-advertise means: do not advertise to any BGP neighbor at all.
Configure R2 so that it does not advertise prefixes received from AS 254 to any peer.
R2:
route-map SET_COMMUNITY
 set community no-advertise
!
router bgp 200
 neighbor 192.10.1.254 route-map SET_COMMUNITY in


BGP Communities - Local-AS or NO_EXPORT_SUBCONFED
The NO_EXPORT_SUBCONFED (local-AS) community attribute tells the recipient, or the device originating the community attribute for a destination, not to advertise the prefix to eBGP neighbors, including eBGP peers in other sub-ASs of the confederation.



BGP Communities - Deleting
In this example R7 adds the community value 300:200 to the list of communities and also deletes the communities starting with "200", such as "200:254" and "200:123". An expanded community-list is used so that community ranges can be removed, for example by matching "200:[0-9]+_".
R7:
ip community-list expanded AS200 permit 200:[0-9]+_
!
route-map RESET_COMMUNITY permit 10
 set community 300:200 additive
 set comm-list AS200 delete
!
router bgp 300
 neighbor 155.1.67.6 send-community
 neighbor 155.1.37.3 route-map RESET_COMMUNITY in
!
ip bgp-community new-format
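The following Python model is an added example, not part of the post. It covers the two community formats from the BGP Communities section (raw 32-bit value versus AS:NN, including the three well-known values) and the RESET_COMMUNITY route-map above: each community is tested against the expanded-list regex with IOS "_" boundary semantics, matches are deleted, then 300:200 is added. The sample community lists are constructed.

```python
import re
from typing import List

# Well-known communities from the reserved range, raw 32-bit value -> IOS name.
WELL_KNOWN = {
    0xFFFFFF01: "no-export",
    0xFFFFFF02: "no-advertise",
    0xFFFFFF03: "local-AS",      # NO_EXPORT_SUBCONFED
}
NAME_TO_RAW = {name: raw for raw, name in WELL_KNOWN.items()}

def community_to_raw(text: str) -> int:
    """Structured 'AS:NN' (new-format) or a well-known name -> raw 32-bit value."""
    if text in NAME_TO_RAW:
        return NAME_TO_RAW[text]
    asn, val = (int(part) for part in text.split(":"))
    if not (0 <= asn <= 0xFFFF and 0 <= val <= 0xFFFF):
        raise ValueError(f"field out of 16-bit range: {text}")
    return (asn << 16) | val

def raw_to_community(raw: int) -> str:
    """Raw 32-bit value -> 'AS:NN', or the well-known name when it has one."""
    return WELL_KNOWN.get(raw, f"{raw >> 16}:{raw & 0xFFFF}")

def ios_regex(pattern: str) -> "re.Pattern[str]":
    """Expanded community-list regex: '_' matches a boundary (start, end or space).
    Without a leading '_' the post's pattern also matches e.g. 1200:5."""
    return re.compile(pattern.replace("_", r"(?:^|$|\s)"))

def reset_community(communities: List[str], delete_regex: str = r"200:[0-9]+_",
                    additive: str = "300:200") -> List[str]:
    """Model of route-map RESET_COMMUNITY on R7: 'set comm-list AS200 delete' then
    'set community 300:200 additive'. The model deletes before it adds, and tests
    each community against the expanded list individually."""
    matcher = ios_regex(delete_regex)
    kept = [c for c in communities if not matcher.search(c)]
    if additive not in kept:
        kept.append(additive)
    return kept
```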


BGP Conditional Advertisement
The syntax for conditional advertisement is as follows: neighbor <IP> advertise-map MAP1 {non-exist-map | exist-map} MAP2. The configuration involves defining two route-maps. One route-map (MAP1) selects the prefixes to be advertised to the peer; these prefixes must already exist in the local BGP table. The other route-map (MAP2) selects the prefixes to be tracked in the local BGP table. If this is a "non-exist" map, the condition is triggered when no prefix in the BGP table matches the route-map. If this is an "exist" map, the condition is triggered when there is a prefix in the BGP table matching the route-map. The BGP process performs the condition check every time the BGP scanner runs (60 seconds by default), so it may take some time after a configuration change before the conditional advertisement takes effect.
In our scenario, we advertise the link connecting R1 and R3 into BGP. We then create a route-map matching this prefix. This route-map is used as a “non-exist” condition for the advertisement of AS 254 prefixes. The prefixes are selected using an AS_PATH access-list matching the regular expression “254$”.
R3:
ip as-path access-list 1 permit 254$
!
route-map ADVERTISE_MAP permit 10
 match as-path 1
!
ip prefix-list LINK_R1_R3 permit 155.1.13.0/24
!
route-map NON_EXIST_MAP permit 10
 match ip address prefix-list LINK_R1_R3
!
router bgp 200
 network 155.1.13.0 mask 255.255.255.0
 neighbor 155.1.37.7 advertise-map ADVERTISE_MAP non-exist-map NON_EXIST_MAP
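The scenario above, modelled in Python as an added example (not code from the post): the AS_PATH regex "254$" selects the advertised prefixes and the non-exist-map tracks the R1-R3 link prefix; the AS 254 prefixes and the other table entries are constructed sample data.

```python
import re
from typing import Dict, List

# Constructed BGP table on R3: prefix -> AS_PATH string as 'show ip bgp' prints it.
# 155.1.13.0/24 is the R1-R3 link from the post; the remaining entries are made up.
TABLE_LINK_UP: Dict[str, str] = {
    "155.1.13.0/24": "",          # locally originated with 'network'
    "200.0.0.0/24": "100 254",    # AS 254 prefixes, learned through AS 100
    "200.0.1.0/24": "100 254",
    "150.1.5.0/24": "100 5",
}
TABLE_LINK_DOWN = {p: a for p, a in TABLE_LINK_UP.items() if p != "155.1.13.0/24"}

def as_path_match(regex: str, as_path: str) -> bool:
    """'ip as-path access-list' regex; '_' stands for a boundary as in IOS."""
    return re.search(regex.replace("_", r"(?:^|$|\s)"), as_path) is not None

def conditional_advertisement(table: Dict[str, str], tracked_prefix: str,
                              mode: str, advertise_regex: str) -> List[str]:
    """Prefixes R3 announces to R7 under 'neighbor ... advertise-map ADVERTISE_MAP
    {non-exist-map|exist-map} NON_EXIST_MAP'. The tracked route-map watches
    tracked_prefix; ADVERTISE_MAP selects by AS_PATH regex. In the real router this
    is re-evaluated on every BGP scanner run, not on each table change."""
    if mode not in ("non-exist", "exist"):
        raise ValueError(mode)
    tracked_present = tracked_prefix in table
    condition_met = (not tracked_present) if mode == "non-exist" else tracked_present
    if not condition_met:
        return []   # the advertise-map prefixes are withheld (or withdrawn)
    return sorted(p for p, path in table.items() if as_path_match(advertise_regex, path))
```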


BGP Conditional Route Injection (CRI)

  • CRI is similar to the BGP unsuppress-map feature, but it will work on any router, not just the one originating the aggregate prefix
  • Because of the lack of information about the prefixes that were summarized, you must explicitly set the prefixes to be injected into the BGP table.
  • It needs two route-maps: "bgp inject-map <MAP1> exist-map <MAP2>"
  • The first route-map specifies the prefixes to be injected into the BGP table by means of set ip address prefix-list <NAME>. Other attributes such as weight, local preference, etc. can also be set
  • The second route-map must have two match statements. The first is match ip address prefix-list <MAP2>, which matches the prefix-list defining the aggregated prefix. The second is match ip route-source prefix-list <NAME>; this prefix-list should match the IP address of the BGP peer that advertised the aggregate to the local router. Remember that this is NOT the NEXT_HOP attribute of the aggregate prefix; it is the IP address used to establish the BGP session with the peer that sent the update to the local system

R8:
ip prefix-list INJECT_PREFIX permit 10.0.2.0/24
ip prefix-list AGGREGATE permit 10.0.0.0/22
ip prefix-list ROUTE_SOURCE permit 155.1.23.3/32
!
route-map INJECT_MAP permit 10
 set ip address prefix-list INJECT_PREFIX
 set origin igp
!
route-map EXIST_MAP permit 10
 match ip address prefix-list AGGREGATE
 match ip route-source prefix-list ROUTE_SOURCE
!
route-map DENY_INJECT_PREFIX deny 10
 match ip address prefix-list INJECT_PREFIX
!
route-map DENY_INJECT_PREFIX permit 100
!
router bgp 200
 bgp inject-map INJECT_MAP exist-map EXIST_MAP
 neighbor 155.1.58.5 route-map DENY_INJECT_PREFIX out
 neighbor 155.1.23.3 route-map DENY_INJECT_PREFIX out 
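As an added example (not code from the post), this Python model evaluates the EXIST_MAP on R8: the injected prefix appears only while a route matching both the AGGREGATE prefix-list and the ROUTE_SOURCE prefix-list is present, and the route-source check uses the peer address, not NEXT_HOP. The aggregate's NEXT_HOP value and the prefix-list contents below are constructed; the prefix-list model supports exact-length entries only.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List

@dataclass(frozen=True)
class BgpRoute:
    prefix: str
    next_hop: str      # NEXT_HOP attribute carried in the update
    peer: str          # address of the BGP session the update arrived on (route-source)

# Constructed: R8 holds the 10.0.0.0/22 aggregate learned from peer 155.1.23.3; the
# NEXT_HOP attribute is assumed to differ from the peer address, as it can with iBGP.
TABLE = [BgpRoute("10.0.0.0/22", next_hop="155.1.23.2", peer="155.1.23.3")]

def prefix_list_permits(entries: List[str], value: str) -> bool:
    """Minimal 'ip prefix-list': exact-length permit entries only (no le/ge)."""
    target = ip_network(value, strict=False)
    return any(ip_network(e, strict=False) == target for e in entries)

def exist_map_matches(table: List[BgpRoute], aggregate_pl: List[str],
                      route_source_pl: List[str], use_next_hop: bool = False) -> bool:
    """EXIST_MAP: one route must satisfy both 'match ip address prefix-list AGGREGATE'
    and 'match ip route-source prefix-list ROUTE_SOURCE'. use_next_hop=True reproduces
    the mistake the post warns about (checking NEXT_HOP instead of the peer address)."""
    for r in table:
        source = r.next_hop if use_next_hop else r.peer
        if (prefix_list_permits(aggregate_pl, r.prefix)
                and prefix_list_permits(route_source_pl, f"{source}/32")):
            return True
    return False

def injected_routes(table: List[BgpRoute], inject_pl: List[str], aggregate_pl: List[str],
                    route_source_pl: List[str], use_next_hop: bool = False) -> List[str]:
    """'bgp inject-map INJECT_MAP exist-map EXIST_MAP': INJECT_PREFIX enters the BGP
    table only while the exist-map condition holds."""
    if exist_map_matches(table, aggregate_pl, route_source_pl, use_next_hop):
        return list(inject_pl)
    return []
```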

