Thursday, September 24, 2015

Facts to remember about BGP - Part 5

BGP Filtering with Maximum Prefix
Configure R8 so that the peering session to R10 is torn down if R8 learns more than 20 BGP prefixes from that neighbor.
  • When 16 prefixes are received from R10, R8 should begin generating warning messages.
  • When down, the peering should attempt to restart after three minutes.
Configure R7 so that if it receives 20 prefixes from R3, a warning message is generated, but the peering session is NOT terminated.
R8:
router bgp 200
 neighbor 155.1.108.10 maximum-prefix 20 80 restart 3

R7:
router bgp 300
 neighbor 155.1.37.3 maximum-prefix 20 100 warning-only


BGP Default Routing
  • Configure R2 to originate a default route to R3 and R5 via BGP.
  • This default route should be withdrawn if R2's link to R10 goes down.
  • With the route-map form of default-originate, IOS evaluates the route-map against the routing table, not the BGP table: the default is advertised only while a route matching the prefix-list (here the 192.10.1.0/24 link subnet) is present in the RIB. When the link to R10 goes down, the connected route disappears, the route-map no longer matches, and the default is withdrawn from both neighbors.
R2:
ip prefix-list LINK_TO_R10 permit 192.10.1.0/24
!
route-map DEFAULT permit 10
 match ip address prefix-list LINK_TO_R10
!
router bgp 200
 neighbor 155.1.23.3 default-originate route-map DEFAULT
 neighbor 155.1.0.5 default-originate route-map DEFAULT


BGP Local AS / Local AS No prepend
  • Used when you plan to change your AS number but not all of your eBGP peerings are ready for the change.
  • "Local AS" lets you keep presenting the old AS number to a given eBGP peer while the router actually runs the new one (by default the peer ends up seeing both).
  • Without further options the external peer sees both the local-AS and the real AS number prepended to the AS_PATH, in the order <LocalAS> <RealAS> ...
  • With the no-prepend keyword, routes received from that eBGP peer do not get <OldAS> (the local-AS) prepended on reception.
  • no-prepend therefore affects inbound updates only, not outbound ones.
  • In the next examples R2 changes its AS number to 2, but R1 still does not know about it because R1 has not changed its configuration (it still peers with remote-as 200).

This is an example with local-as:

R1:
router bgp 1
 network 10.10.10.0 mask 255.255.255.0
 neighbor 192.168.2.2 remote-as 200

R2:
router bgp 2
 neighbor 192.168.2.1 remote-as 1
 neighbor 192.168.2.1 local-as 200

R2#show ip bgp
   Network          Next Hop            Metric LocPrf Weight Path
*> 10.10.10.0/24    192.168.2.1              0             0 200 1 i



In this example with local-as/no-prepend, AS 200 disappears from the AS_PATH of updates coming from R1:

R1:
router bgp 1
 network 10.10.10.0 mask 255.255.255.0
 neighbor 192.168.2.2 remote-as 200

R2:
router bgp 2
 neighbor 192.168.2.1 remote-as 1
 neighbor 192.168.2.1 local-as 200 no-prepend

R2#show ip bgp
   Network          Next Hop            Metric LocPrf Weight Path
*> 10.10.10.0/24    192.168.2.1              0             0 1 i



BGP Local AS Replace-AS/Dual-AS
Sometimes it is desirable to completely hide the “real” AS number (the one configured via the router bgp <RealAS> command).

In this example R1 receives updates from R2 that carry only the local-as number (200) in the AS_PATH; the real AS 2 is hidden from R1:

R1:
router bgp 1
 network 10.10.10.0 mask 255.255.255.0
 neighbor 192.168.2.2 remote-as 200

R2:
router bgp 2
 neighbor 192.168.2.1 remote-as 1
 neighbor 192.168.2.1 local-as 200 no-prepend replace-as

R1#show ip bgp
   Network          Next Hop            Metric LocPrf Weight Path
*> 10.10.10.0/24    0.0.0.0                  0         32768 i
*> 22.22.22.0/24    192.168.2.2              0             0 200 i


The optional dual-as keyword lets the eBGP neighbor establish the session using either the real autonomous system number (the one of the local BGP routing process) or the number configured with local-as. The peer can therefore switch its remote-as to the new number at its own pace, without a matching change on this side. The keywords are nested in the syntax: replace-as requires no-prepend, and dual-as requires replace-as.

 Router(config-router)# neighbor 10.3.3.33 local-as 300 no-prepend replace-as dual-as
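The AS_PATH transformations of the local-as variants above, replayed in plain Python as an added example (this is not code from the original post or from Cisco). The class `LocalAsSession` and its methods are names chosen for this example; the AS numbers are those of the R1/R2 scenario (real AS 2, local-as 200, peer R1 in AS 1), and the nesting rule for the keywords is enforced the way the IOS syntax does.

```python
"""Model of how `neighbor <IP> local-as <LocalAS> [no-prepend [replace-as [dual-as]]]`
rewrites AS_PATH on a Cisco eBGP session.

Added example, not code from the original post: it replays the R1/R2
scenario (R2 real AS 2, local-as 200, peer R1 in AS 1) so the variants can
be compared side by side. `LocalAsSession` is this example's own name.
"""
from dataclasses import dataclass
from typing import Tuple

AsPath = Tuple[int, ...]  # leftmost element is the AS most recently prepended


@dataclass(frozen=True)
class LocalAsSession:
    real_as: int            # router bgp <RealAS>
    local_as: int           # neighbor ... local-as <LocalAS>
    no_prepend: bool = False
    replace_as: bool = False
    dual_as: bool = False

    def __post_init__(self) -> None:
        # IOS nests the keywords: replace-as needs no-prepend, dual-as needs replace-as.
        if self.replace_as and not self.no_prepend:
            raise ValueError("replace-as is only accepted together with no-prepend")
        if self.dual_as and not self.replace_as:
            raise ValueError("dual-as is only accepted together with replace-as")

    def inbound(self, path: AsPath) -> AsPath:
        """AS_PATH stored in the local table for a route received from the peer.

        Without no-prepend, IOS prepends <LocalAS> to every received path, so
        the route looks as if it had transited AS <LocalAS> (R2 sees '200 1').
        """
        if self.no_prepend:
            return path
        return (self.local_as,) + path

    def outbound(self, path: AsPath) -> AsPath:
        """AS_PATH the eBGP peer receives for a route this router advertises.

        Default: <LocalAS> <RealAS> ... (both numbers are visible to the peer).
        replace-as: only <LocalAS>, which hides the real AS (R1 sees '200').
        """
        if self.replace_as:
            return (self.local_as,) + path
        return (self.local_as, self.real_as) + path

    def accepted_peer_views(self) -> frozenset:
        """AS numbers the peer may configure as remote-as for this session.

        dual-as lets the peer open the session with either number, which is
        what allows the peer to migrate its remote-as without an outage.
        """
        if self.dual_as:
            return frozenset({self.local_as, self.real_as})
        return frozenset({self.local_as})


def show_path(path: AsPath, origin: str = "i") -> str:
    """Render a path the way the Path column of `show ip bgp` shows it."""
    return " ".join(str(item) for item in path + (origin,))


if __name__ == "__main__":
    r1_route: AsPath = (1,)      # 10.10.10.0/24 as originated by R1
    r2_route: AsPath = ()        # a route originated by R2 itself
    for label, session in [
        ("local-as", LocalAsSession(real_as=2, local_as=200)),
        ("no-prepend", LocalAsSession(2, 200, no_prepend=True)),
        ("replace-as", LocalAsSession(2, 200, no_prepend=True, replace_as=True)),
    ]:
        print(f"{label:11} R2 sees: {show_path(session.inbound(r1_route)):10} "
              f"R1 sees: {show_path(session.outbound(r2_route))}")
```

Running the block prints the three Path columns seen on R2 and R1 for each variant, which is a quick way to check a migration plan before touching the routers.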




BGP Remove Private AS
  • Private AS numbers in the range 64512–65535 (and 4200000000–4294967294 for 4-byte ASNs, per RFC 6996) are often assigned to small enterprises that use BGP to peer with their ISPs, and must not leak into the global routing table.
  • remove-private-as strips private AS numbers from the beginning of the AS_PATH in updates sent to that neighbor.
  • When the private AS sequence is not at the beginning of the AS_PATH (a public AS number precedes it), the stripping does not take place and the AS_PATH is sent unmodified.
R2:
router bgp 200
 neighbor 192.10.1.254 remove-private-as
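The stripping rule described above, modelled in Python as an added example (not code from the original post or from Cisco). It implements the behaviour the bullets describe: only a contiguous run of private ASNs at the start of the AS_PATH is removed, and a path whose first ASN is public is left alone. Exact handling of such mixed paths has changed across IOS releases, so verify on the receiving peer with show ip bgp; the function and constant names are this example's own, and the 32-bit private range is included in addition to the 16-bit one the post mentions.

```python
"""Model of `neighbor <IP> remove-private-as` as described above: the leading
run of private AS numbers is stripped from AS_PATH before the update is sent,
and a path that does not start with a private ASN is left unmodified.

Added example, not code from the original post. The names are its own.
"""
from typing import Tuple

AsPath = Tuple[int, ...]

PRIVATE_RANGES = (
    range(64512, 65535 + 1),              # 16-bit private ASNs (RFC 6996)
    range(4200000000, 4294967294 + 1),    # 32-bit private ASNs (RFC 6996)
)


def is_private_as(asn: int) -> bool:
    """True if the ASN falls in one of the reserved private ranges."""
    return any(asn in block for block in PRIVATE_RANGES)


def remove_private_as(path: AsPath) -> AsPath:
    """Strip private ASNs from the start of the path.

    Only the contiguous leading run is removed. If the first ASN is public
    the path is returned unchanged, which is the "stripping will not work"
    case above: a private ASN sitting behind a public one leaks upstream.
    """
    first_public = 0
    while first_public < len(path) and is_private_as(path[first_public]):
        first_public += 1
    return path[first_public:]


def leaked_private_asns(path: AsPath) -> AsPath:
    """Private ASNs that would still be visible after remove-private-as.

    Intended as a pre-check before advertising: a non-empty result means the
    neighbor will receive a path that still contains private AS numbers, and
    a different fix is needed (re-ordering the topology, or filtering).
    """
    return tuple(asn for asn in remove_private_as(path) if is_private_as(asn))


if __name__ == "__main__":
    # Constructed sample paths, leftmost ASN is the most recently added one.
    for sample in [(65001, 65002, 300), (65001,), (300, 65001), (4200000001, 100)]:
        print(f"{sample!s:28} -> sent as {remove_private_as(sample)!s:12} "
              f"leaks {leaked_private_asns(sample)}")
```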


BGP Outbound Route Filtering
  • Allows a BGP peer to "push" its inbound filter to the remote neighbor, which then applies it outbound.
  • Filtering outbound on the remote peer instead of inbound on the local peer significantly decreases the amount of routing information sent across the link. The local inbound prefix-list is still applied as well, so nothing gets through that the local filter would have dropped.
  • Two ORF types were defined in the IETF drafts: prefix-list based and community based. The prefix-list type is the one standardised (RFC 5291/5292) and the one Cisco supports.
  • Willingness to use ORF must be enabled on both peers with the command neighbor <IP> capability orf prefix-list [send|receive|both]: the peer that pushes the filter needs at least send, the peer that applies it needs at least receive. The capability is negotiated when the session is established, so it only takes effect after the session is reset; check it with show ip bgp neighbors <IP> (the "Outbound Route Filter (ORF) type (128) Prefix-list" lines show what was advertised and received).
  • To configure and push an ORF, define a prefix-list and apply it to the peer's session with neighbor <IP> prefix-list <NAME> in. The list must be inbound, because that is the natural direction for ORF: what you would filter inbound is exactly what you ask the peer not to send. After changing the list, push the new version with clear ip bgp <IP> in prefix-filter.
R7:
router bgp 300
 neighbor 155.1.67.6 capability orf prefix-list both

R6:
ip prefix-list ORF deny 112.0.0.0/8
ip prefix-list ORF deny 114.0.0.0/8
ip prefix-list ORF permit 0.0.0.0/0 le 32
!
router bgp 100
 neighbor 155.1.67.7 capability orf prefix-list both
 neighbor 155.1.67.7 prefix-list ORF in
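To see what R7 would actually suppress once R6's list is pushed, here is an added Python example (not code from the original post or from Cisco) that evaluates a Cisco-style prefix-list with the standard matching rules: first match wins, implicit deny at the end, and the ge/le length qualifiers. It uses the ipaddress module; the function names are this example's own, and the candidate prefixes at the bottom are constructed for the demonstration, not taken from the lab.

```python
"""Evaluate a Cisco-style prefix-list the way the receiving side of an ORF
applies it outbound, so the effect of a list can be checked before pushing it.

Added example, not code from the original post. Names are its own; the
candidate routes are constructed sample input.
"""
import ipaddress
from typing import Dict, List, NamedTuple, Optional


class PrefixListEntry(NamedTuple):
    action: str                       # "permit" or "deny"
    prefix: ipaddress.IPv4Network
    ge: Optional[int]                 # minimum prefix length, if given
    le: Optional[int]                 # maximum prefix length, if given


def parse_prefix_list(config: str, name: str) -> List[PrefixListEntry]:
    """Parse `ip prefix-list <name> [seq N] {permit|deny} A.B.C.D/M [ge N] [le N]`.

    Lines belonging to other lists, blank lines and description lines are skipped.
    """
    entries: List[PrefixListEntry] = []
    for raw in config.splitlines():
        tokens = raw.split()
        if tokens[:2] != ["ip", "prefix-list"] or len(tokens) < 3 or tokens[2] != name:
            continue
        body = tokens[3:]
        if body[:1] == ["seq"]:
            body = body[2:]                       # drop the optional sequence number
        if len(body) < 2 or body[0] not in ("permit", "deny"):
            continue
        action, network = body[0], ipaddress.IPv4Network(body[1], strict=False)
        ge = le = None
        qualifiers = body[2:]
        while qualifiers:
            key, value, qualifiers = qualifiers[0], int(qualifiers[1]), qualifiers[2:]
            if key == "ge":
                ge = value
            elif key == "le":
                le = value
            else:
                raise ValueError(f"unexpected qualifier {key!r} in: {raw}")
        entries.append(PrefixListEntry(action, network, ge, le))
    return entries


def entry_matches(entry: PrefixListEntry, route: ipaddress.IPv4Network) -> bool:
    """Cisco semantics: the route must lie inside the entry's prefix, and its
    length must be exactly M with no qualifier, M..le with le only,
    ge..32 with ge only, or ge..le with both."""
    if not route.subnet_of(entry.prefix):
        return False
    low = entry.ge if entry.ge is not None else entry.prefix.prefixlen
    if entry.le is not None:
        high = entry.le
    else:
        high = 32 if entry.ge is not None else entry.prefix.prefixlen
    return low <= route.prefixlen <= high


def permitted(entries: List[PrefixListEntry], route: ipaddress.IPv4Network) -> bool:
    """First matching entry decides; an unmatched route hits the implicit deny."""
    for entry in entries:
        if entry_matches(entry, route):
            return entry.action == "permit"
    return False


def apply_orf(entries: List[PrefixListEntry], routes: List[str]) -> Dict[str, bool]:
    """Decision the ORF receiver takes for each candidate route it would send:
    True = advertised to the peer, False = suppressed outbound."""
    return {r: permitted(entries, ipaddress.IPv4Network(r)) for r in routes}


# R6's list from the configuration above.
R6_CONFIG = """\
ip prefix-list ORF deny 112.0.0.0/8
ip prefix-list ORF deny 114.0.0.0/8
ip prefix-list ORF permit 0.0.0.0/0 le 32
"""

# Constructed candidate routes in R7's table (sample input, not lab data).
CANDIDATES = ["112.0.0.0/8", "112.1.0.0/16", "114.0.0.0/8", "113.0.0.0/8", "155.1.67.0/24"]

if __name__ == "__main__":
    for route, ok in apply_orf(parse_prefix_list(R6_CONFIG, "ORF"), CANDIDATES).items():
        print(f"{route:16} {'advertise' if ok else 'suppress'}")
```

Note what the output shows for 112.1.0.0/16: the entry deny 112.0.0.0/8 has no le qualifier, so it matches only the exact /8, and any more specific route inside 112/8 still passes to the permit 0.0.0.0/0 le 32 line. To suppress the whole block the entry must read deny 112.0.0.0/8 le 32. The same evaluation rules apply whether the list is used inbound locally or pushed through ORF.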


BGP Next-Hop Trigger
  • Historically BGP accounted for IGP changes only during the periodic BGP scanner run, whose interval is set by bgp scan-time <seconds> (default 60 seconds).
  • Now the BGP process registers the NEXT_HOP attribute values with the RIB "table watch" process. As soon as a change affecting an existing NEXT_HOP occurs, the watch process notifies the BGP router process. If the change is a withdrawal of the route covering the next hop (the next hop becomes unreachable), the BGP process removes the affected prefixes immediately.
  • All other notifications are delayed and batched until the interval specified by bgp nexthop trigger delay <seconds> (default 5 seconds) expires. After that a full BGP table walk occurs, performing best-path computation for all prefixes.
In this example R3 will react to next-hop changes of BGP prefixes within 30 seconds of the IGP change:
R3:
router bgp 200
 bgp nexthop trigger delay 30



BGP TTL Security
  • This command applies to eBGP peering sessions only (directly connected or multihop) and specifies the number of hops the remote peer may be away from the local speaker. It is the IOS implementation of GTSM (RFC 5082).
  • The router sends its own BGP packets with IP TTL 255 and silently discards all incoming TCP packets destined to the BGP port whose IP TTL is below 255 - <hop-count>. A remote attacker cannot forge packets that arrive with a TTL that high, because every router on the path decrements it, so spoofed SYNs or RSTs aimed at the session from outside the hop radius are dropped before TCP even sees them. Configure it on both ends of the session; it cannot be combined with neighbor ebgp-multihop on the same neighbor (ttl-security hops <n> takes over that role), and it does not protect iBGP sessions, so the internal network is assumed to be "trusted".
R3:
router bgp 200
 neighbor 155.1.13.1 ttl-security hops 1
 neighbor 155.1.37.7 ttl-security hops 1



BGP AllowAS in

  • Cisco IOS allows accepting prefixes that carry the local AS number in their AS_PATH from a specific peer with the command "neighbor <IP> allowas-in [<count>]". <count> is the maximum number of occurrences of the local AS number allowed in the AS_PATH and defaults to three. This parameter plays a role similar to the hop-count limit of a distance-vector protocol: for this peer it replaces BGP's normal AS_PATH loop detection with a count-to-infinity style limit, so keep <count> as low as the design allows and filter what the peer may send.
  • The typical use is an AS partitioned into several islands that reach each other through an upstream AS. In that design only one "partition" or border peer can perform summarization, or summarization should not be used at all; otherwise the upstream ASs will have trouble selecting the proper entry point into the partitions.

R3:
router bgp 200
 neighbor 155.1.13.1 allowas-in


