BGP on IOS-XR


BGP/Config

BGP on IOS-XR #Ref500
• Similar to other routing protocol configurations in IOS-XR, BGP is also made hierarchical #Ref4
• Therefore, most of the configurations for IOS are valid for IOS-XR too (those that are not have been specifically shown)

IOS-XR vs IOS
Requirements on IOS-XR
• #bgp router-id is mandatory in IOS-XR
• address-family is mandatory in IOS-XR
  1. under neighbor configuration mode - BGP/MBGP#neighbor address-family
  2. under router configuration mode - BGP/MBGP#router address-family
• BGP uses (Router/Config/route-policy) on IOS-XR, instead of route-maps in IOS
• Route Policy is mandatory for eBGP (because the default is deny all), not for iBGP (because the default is permit all)

Basic IOS-XR Configuration Example
# On IOS-XR
router bgp 2
 # Router ID is mandatory here
 bgp router-id 2.2.2.2
 # Address family router config mode is mandatory here
 address-family ipv4 unicast
  # In this (router) address-family mode you cannot apply route-policies;
  # only in this mode can you use the network command
  network 2.0.0.0/8
 !
 neighbor 10.0.0.1
  remote-as 1
  # Address family neighbor config mode is mandatory here
  address-family ipv4 unicast
   # Route Policy is mandatory for eBGP
   route-policy pass-all in
   route-policy pass-all out
  !
 !
!
route-policy pass-all
 pass
end-policy
!
end

# On IOS
router bgp $LOCAL_AS
 neighbor $NEIGHBOR remote-as $REMOTE_AS
 network 1.1.1.0 mask 255.255.255.0

RPL • Router/Config/route-policy

as-path-set • Router/Config/route-policy#as-path-set

community-set • Router/Config/route-policy#community-set

delete community • Router/Config/route-policy#delete community

Configuration Grouping
• Like IOS uses #peer-group, IOS-XR uses:
  1. af-group
  2. session-group
  3. neighbor-group
• A neighbor applies a group with the use command
• Understand BGP/MBGP/Config#Address Family Independent vs Family Specific

af-group • groups any address-family dependent configurations

neighbor-group
• groups address-family independent and dependent commands for each address family
router bgp 2
 neighbor 1.0.0.1
  remote-as 1
  use neighbor-group ngtest
  ebgp-multihop 2
  update-source Loopback0
  address-family ipv4 unicast
   use af-group aftest
   route-policy passall in
   route-policy passall out
  !
 !
 ! Address-Family Dependent commands
 af-group aftest address-family ipv4 unicast
  soft-reconfiguration inbound
 !
 neighbor-group ngtest
  ! Address-Family independent commands
  timers 10 30
  ! Address-Family Dependent commands
  use neighbor-group $SOME_GROUP
  address-family ipv4 unicast
   use af-group aftest
  !
 !
!
end
show bgp neighbor $NEIGHBOR configuration

session-group
• Groups only address-family independent commands
router bgp 1
 timers bgp 31 100
 bgp router-id 1.0.0.1
 address-family ipv4 unicast
 !
 af-group aftest address-family ipv4 unicast
  route-policy passall in
  route-policy passall out
 !
 session-group test
  timers 10 30
 !
 neighbor-group ngtest
  address-family ipv4 unicast
   use af-group aftest
  !
 !
 neighbor 2.0.0.1
  remote-as 2
  use session-group test
  use neighbor-group ngtest
  ebgp-multihop 2
  update-source Loopback0
  address-family ipv4 unicast
  !
 !
!

log neighbor changes • Same as IOS's #log-neighbor-changes


ibgp policy out enforce-modifications
• Configuring this on an IOS-XR BGP peer will allow it to modify any BGP attributes of the iBGP routes that it is advertising out
• This is part of the configuration required for #Workaround for next-hop-self on route reflector
• In general, it makes the RR change BGP attributes of the routes reflected to clients/non-clients
! On IOS-XR
! RR-Server
router bgp $ASN
 ibgp policy out enforce-modifications
 neighbor $RR_CLIENT
  address-family ipv4 unicast
   route-reflector-client
   route-policy $SET_ATTRS out
  !
 !
!
route-policy $SET_ATTRS
 set ipv4 next-hop $NEW_HOP
end-policy

show bgp neighbor configuration
• This feature is not present in IOS
• In short, this command shows the entire configuration related to a neighbor, expanding any session-group or af-group
! Output
RP/0/RP0/CPU0:R1#show bgp neighbor 10.0.0.2 configuration
neighbor 10.0.0.2
 remote-as 2                             [s:RR-CLIENT]
 advertisement-interval 1                [s:RR-CLIENT]
 description R2                          []
 password 123                            [s:RR-CLIENT]
 update-source Loopback0                 [s:RR-CLIENT]
 graceful-restart                        []
 address-family IPv4 Unicast             []
  policy AR-TO-UR-OUT out                [a:RR-CLIENT-IPV4U]
  route-reflector-client                 [a:RR-CLIENT-IPV4U]
  soft-reconfiguration inbound always    [a:RR-CLIENT-IPV4U]

! Actual configuration
RP/0/RP0/CPU0:R1#show run router bgp | b neighbor 10.0.0.2
 neighbor 10.0.0.2
  use session-group RR-CLIENT
  description R2
  address-family ipv4 unicast
   use af-group RR-CLIENT-IPV4U
 session-group RR-CLIENT
  remote-as 2
  advertisement-interval 1
  password 123
  description Group used for RR clients
  update-source Loopback0
 af-group RR-CLIENT-IPV4U address-family ipv4 unicast
  route-reflector-client
  route-policy AR-TO-UR-OUT out
  soft-reconfiguration inbound always

/32 Static Route must be configured for eBGP Sessions with labeled-unicast
• When you are configuring an eBGP session on IOS-XR over a directly connected link which is not /32, then you must configure a static route to the remote peer with a /32 mask to make the local router resolve CEF (even though you have direct IP connectivity, you must configure this for labeled-unicast to work)
• NOTE: This same situation is not seen when LDP is used between eBGP peers, because LDP cannot be used for allocating a label to a BGP-learnt route (LDP#Is it possible to allocate a local binding to a BGP learned route)
• Example
  ♦ BGP/Labs/Lab17
  ♦ MPLS/L3VPN/Config#eBGP Peering

BGP on IOS
• All the sections below this are meant for IOS, IOS-XE
• However, because there is so much overlap between IOS-XR and IOS configuration, most of the configurations shown below are applicable to IOS-XR too (you still require the verification from #BGP on IOS-XR)

Neighbor
• $MY_AS
  ♦ is the ASN of the AS the current router is in
• $REMOTE_IP
  ♦ can be any interface (loopback, fa, etc.) IP address on the neighbor that it HAS connectivity with!
  ♦ This IP is used for TCP connection setup
  ♦ Note: When $REMOTE_IP is not the IP address of the directly connected interface on the neighbor that connects to the local router (e.g. when $REMOTE_IP is the remote loopback), then you must use update-source on the neighbor
• $REMOTE_ASN
  ♦ $REMOTE_ASN is the ASN of the neighbor's AS (the neighbor's side must have a "router bgp REMOTE_ASN" command)
  ♦ If $REMOTE_ASN==$MY_AS, then the BGP neighbor relationship being set up is iBGP
• no synchronization is the default setup
  ♦ BGP#iBGP Synchronization
• no auto-summary is the default setup
! On Cisco IOS, IOS-XE
! Configuration
! Similar configuration must be applied on the neighbor too
router bgp $MY_AS
 no synchronization
 ! This allows an incoming connection from $REMOTE_IP with destination port 179
 neighbor $REMOTE_IP remote-as $REMOTE_ASN
 no auto-summary
! Verification - On IOS
!! Should be Established
show ip bgp summary
show ip bgp neighbor $REMOTE_IP | include BGP state
show ip bgp neighbor $REMOTE_IP configuration
show tcp brief   ! shows current TCP connections
! Verification - On IOS-XR
show bgp ...

update-source
• "By default, IOS chooses its BGP source IP address for a given neighbor as the interface IP address of the outgoing interface of the route used to forward packets to that neighbor" #Ref2
• If configured, you need to make sure that the neighbor is referring to the IP present in {$LOCAL_INT|$LOCAL_IP}
• The TCP connection will be set up between $REMOTE_IP and $LOCAL_IP
• In case of redundant connections between R1 and R2, it's better to use loopbacks and update-source.
! On Cisco IOS, IOS-XE
! Configuration
router bgp $MY_AS
 neighbor $REMOTE_IP update-source {$LOCAL_INT|$LOCAL_IP}
! Verification
!! Should be established
show ip bgp summary
show ip bgp neighbor $REMOTE_IP | include BGP state
show ip bgp neighbor $REMOTE_IP configuration

• Template
! On Cisco IOS, IOS-XE
! Lo1-R1-R2-Lo2
R1#
router bgp $MY_AS
 neighbor $Lo2_IP remote-as $MY_AS
 neighbor $Lo2_IP update-source $Lo1_IP
R2#
router bgp $MY_AS
 neighbor $Lo1_IP remote-as $MY_AS
 neighbor $Lo1_IP update-source $Lo2_IP

bgp router-id
• To configure the BGP RID
• On Cisco IOS, by default (without this command) the highest IP address is picked as RID
• On Cisco IOS-XR, this command is mandatory
• $RID must be different from its neighbor's
• The $RID address need not exist anywhere (i.e. on an interface/loopback)
• Note: $RID is different from the peering IP address (shown as $REMOTE_IP in previous configurations)
  ♦ It's because $REMOTE_IP requires TCP connectivity, $RID doesn't
! On Cisco IOS, IOS-XE
! Configuration
router bgp $MY_AS
 bgp router-id $RID
! Verification
show bgp | include local router ID

neighbor next-hop-self
• Configuration useful primarily to change the next-hop of any eBGP-learned routes to itself
• BGP#Rule of next-hop in BGP
• This command is only configured against iBGP neighbors, not eBGP (because it's not required there due to the rule)
  ♦ Please note that this command will change the next-hop for eBGP routes only. If you wish to change the next-hop for iBGP routes (which can only happen if a Route Reflector is running), you will need to use #Workaround for next-hop-self on route reflector
  ♦ BGP/Labs/Lab5#Goal4 Configuration and verification
! On Cisco IOS, IOS-XE
! Configuration
! Network: Nw1-R1-(R2-R3), with R2 and R3 in one AS and R1 in another
R2#
router bgp $AS23
 neighbor $R3 remote-as $AS23
 neighbor $R3 next-hop-self
! Verification
!! Once configured, R2 will start sending eBGP routes
!! to R3 with next-hop as R2's peer IP address
!! See that the next-hop must be R2's IP address, not R1's
R3# show ip bgp Nw1

Workaround for next-hop-self on route reflector
IOS
• #Ref1
• Consider BGP -> Lab5 -> Goal4
! On Cisco IOS, IOS-XE
! Network: Nw1-R1-RR-R2, with all in one AS
RR#show run | s route-map
router bgp $AS12
 ! For any eBGP learned routes
 neighbor $R2 next-hop-self
 ! For any iBGP RR learned routes
 neighbor $R2 route-map force-next-hop-self out
route-map force-next-hop-self permit 10
 match ip address ibgp-route
 set ip next-hop $RR_LOCAL_PEER_ADDRESS
route-map force-next-hop-self permit 20
 ! permit rest
RR#show run | s access-list
ip access-list extended ibgp-route
 permit ip $Nw1 any log
RR#

IOS-XR
• Similar to IOS, but here you need the additional command #ibgp policy out enforce-modifications

ASBR as RR Case
• NOTE: the ASBR and PE terms are used in MPLS/L3VPN/Config
It's important to remember that whenever an ASBR (a router which has iBGP connections in its local AS and a directly connected eBGP connection to remote peers) is configured as RR (Route Reflector) in its local AS, the ASBR must use next-hop-self against its iBGP peers in order to change the NH (next-hop) of eBGP routes from the directly connected link to its loopback0 (generally PEs in an AS will not have IP connectivity to the directly connected link of the ASBR but will have IP connectivity with the ASBR's lo0)
! (PE1-ASBR1)-(ASBR2-PE2)
! PE1-ASBR1 are in AS 11 and ASBR2-PE2 are in AS 12
! PE1-ASBR1 have an iBGP connection over lo0
! PE2-ASBR2 have an iBGP connection over lo0
! ASBR1-ASBR2 have a directly connected eBGP session
! In the above case, ASBR1 must use neighbor $PE1_lo0 next-hop-self
! ASBR1
conf t
router bgp 11
 neighbor $PE1_lo0 remote-as 11
 neighbor $PE1_lo0 update-source lo0
 neighbor $PE1_lo0 route-reflector-client
 neighbor $PE1_lo0 next-hop-self   ! THIS IS REQUIRED FOR CHANGING THE NH OF EBGP ROUTES LEARNED
 neighbor $ASBR1_ASBR2_LAN remote-as 12
end

neighbor next-hop-unchanged
• Used on eBGP multihop neighbors to advertise routes without changing the next-hop
• By default, i.e. without this command, eBGP neighbors will always change the next-hop to themselves
• MPLS/L3VPN/Config#Usecase Multihop EBGP VPNv4 where RR is not in the datapath
• Similarly on IOS-XR
router bgp $ASN
 neighbor $EBGP_MULTIHOP_PEER
  next-hop-unchanged

address-family • BGP/MBGP/Config

ebgp-multihop
This command sends outgoing BGP messages (to an eBGP neighbor) with the specified $TTL_VAL
• The configuration must be on both sides. However, the TTL value can vary, but must be at least the real hop distance
• Also, the command neighbor $NEIGHBOR ebgp-multihop 1 is the same as no neighbor $NEIGHBOR ebgp-multihop 1, because if ebgp-multihop is not configured, a maximum hop count of 1 is assumed.
• Multihop allows eBGP neighbors to have a TTL value greater than 1, i.e. to use loopbacks (therefore using update-source) instead of directly connected interfaces
• With the default neighbor configuration (without any multihop), the eBGP neighborship will fail if the IP TTL (time to live) exceeds 1 between the TCP connection IP addresses.
• $TTL_VAL is the maximum number of hops away your neighbor (having $REMOTE_IP) is
• NOTE: When IP addresses of loopback interfaces are used instead of the outgoing interface for the eBGP neighbor setup, then multihop is necessary
! On Cisco IOS, IOS-XE
! Similar configuration on $REMOTE_PEER too
router bgp $MY_AS
 neighbor $REMOTE_PEER remote-as $REMOTE_AS
 neighbor $REMOTE_PEER ebgp-multihop $TTL_VAL
! On the router you configured ebgp-multihop $TTL_VAL
R# show ip bgp neighbors $REMOTE_PEER | i TTL
Connection is ECN Disabled, Mininum incoming TTL 0, Outgoing TTL $TTL_VAL
!
R#show ip bgp neighbors | i hop
External BGP neighbor may be up to $TTL_VAL hops away.
R#

ebgp-multihop Cases
! On Cisco IOS, IOS-XE
router bgp $ASN
 ! neighbor $REMOTE_IP ebgp-multihop 1 == no neighbor $REMOTE_IP ebgp-multihop
 ! neighbor $REMOTE_IP ebgp-multihop == neighbor $REMOTE_IP ebgp-multihop 255

ebgp-multihop vs ttl-security
With ebgp-multihop configuration
• Note that the incoming TTL 0 always remains 0, irrespective of the other side's configuration.
• This means that BGP session-forming packets need to have a minimum TTL of 0
• This allows a DoS attack, and the fix is using ttl-security (#ttl-security vs ebgp-multihop)

ttl-security
This command makes sure that incoming BGP messages (from an eBGP neighbor) have a minimum $TTL_VAL
• TTL security is a BGP configuration that is used primarily by eBGP peers (not iBGP) to avoid incoming DoS attacks
• On Cisco IOS, ttl-security hops $HOPS
  ♦ Minimum $TTL_VAL = 255 - $HOPS
• On Cisco IOS-XR, ttl-security {disable}
• ttl-security and ebgp-multihop are mutually exclusive, i.e. both cannot be configured for the same peer
• Must be configured on both sides
  ♦ This configuration changes the outgoing TTL_VAL to 255 and the minimum required incoming TTL to 255-$HOPS
! On Cisco IOS, IOS-XE
! Similar configuration on $REMOTE_PEER too
router bgp $MY_AS
 neighbor $REMOTE_PEER remote-as $REMOTE_AS
 neighbor $REMOTE_PEER ttl-security hops $HOPS
! On the router you configured ttl-security hops $HOPS
R# show ip bgp neighbors $REMOTE_PEER | i TTL
! $MIN_TTL = 255 - $HOPS
Connection is ECN Disabled, Mininum incoming TTL $MIN_TTL, Outgoing TTL 255

Working of ttl-security and ebgp-multihop
• In terms of TTL, by default (i.e. without ttl-security or ebgp-multihop),
  ♦ A BGP peer sends BGP packets (for setting up the eBGP peering session) to the external peer "with a TTL of 1 and accepts packets from external neighbors with a TTL of 0 or higher (as measured after the local router has decremented the TTL of the incoming packet)" #Ref10
  ♦ This enforces that eBGP sessions are allowed only with directly connected peers by default
  ♦ This also makes the router vulnerable to an incoming eBGP peering-session DoS attack, which increases the CPU load of the router and forces it to crash
• With ebgp-multihop $TTL_VAL configured,
  ♦ A BGP peer sends BGP packets to the external peer with a TTL of $TTL_VAL and always accepts packets from external neighbors with a minimum TTL of 0 (as shown by "show ip bgp neighbor | include TTL")
  ♦ So, this means that an attacker can easily DoS the BGP peering, because all packets are accepted irrespective of their TTL (any packet has a TTL of at least 0)
• With ttl-security $HOPS configured,
  ♦ A BGP peer sends BGP packets to the external peer with a TTL of 255 and accepts packets from external neighbors with a TTL of 255-$HOPS or higher "(as measured after the local router has decremented the TTL of the incoming packet)" #Ref10
  ♦ If the above condition is not met (i.e. the TTL is less), then the packet is dropped and ignored (i.e. no ICMP message is sent)
  ♦ Because of the higher limit put on the TTL, not just any packet will be allowed for peering with BGP; only those that meet the above requirement.

ttl-security vs ebgp-multihop
• The end result of eBGP multihop and TTL security is the same, i.e. allowing not-directly-connected peers to have an eBGP session
• eBGP multihop has a security hole, as it does not block DoS attacks. That's why ttl-security was introduced, in order to block DoS attacks
• ttl-security and ebgp-multihop are mutually exclusive, i.e. both cannot be configured for the same peer

What happens when multihop and ttl-security are configured on the two ends
• It works only if the TTL conditions are met on both sides. Look into BGP -> Lab7
• Optionally, if the TTL conditions are not met, you can always use disable-connected-check
Network: R1-R2-R3, eBGP between R1 and R3
The eBGP session is Established if:
• R1 is configured with ebgp-multihop 255 and R3 is configured with ttl-security 2
• because R3 will then accept BGP messages with a minimum TTL of 255-2=253, which perfectly matches what R1 is sending (i.e. by the time R1's messages reach R3, TTL=253).
The eBGP session is Not Established if:
• R1 is configured with ebgp-multihop 255 and R3 is configured with ttl-security 1
• because R3 will then accept BGP messages with a minimum TTL of 255-1=254, which does not match what R1 is sending (i.e. by the time R1's messages reach R3, TTL=253)
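The TTL arithmetic behind the R1-R2-R3 cases above, as an added Python model (not code from the original page): it encodes the outgoing TTL and the minimum accepted incoming TTL for the default, ebgp-multihop and ttl-security settings described in the previous sections, and checks both directions of a session. The class and function names are the example's own; hops counts the routers a packet enters, destination included.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PeerTtlConfig:
    """TTL-related settings of one eBGP neighbor statement (IOS/IOS-XE semantics
    as described on this page). Both fields None means the default: TTL 1 out,
    any TTL (0 or higher after the local decrement) accepted in."""
    ebgp_multihop: Optional[int] = None      # neighbor X ebgp-multihop $TTL_VAL
    ttl_security_hops: Optional[int] = None  # neighbor X ttl-security hops $HOPS

    def __post_init__(self) -> None:
        # the two features are mutually exclusive on the same peer
        if self.ebgp_multihop is not None and self.ttl_security_hops is not None:
            raise ValueError("ebgp-multihop and ttl-security cannot both be set for one peer")

    def outgoing_ttl(self) -> int:
        """TTL the router puts on the BGP packets it sends to this peer."""
        if self.ttl_security_hops is not None:
            return 255
        if self.ebgp_multihop is not None:
            return self.ebgp_multihop
        return 1

    def minimum_incoming_ttl(self) -> int:
        """Smallest TTL (after the local decrement) still accepted from this peer."""
        if self.ttl_security_hops is not None:
            return 255 - self.ttl_security_hops
        return 0  # default and ebgp-multihop: "Mininum incoming TTL 0"


def ttl_on_arrival(sent_ttl: int, hops: int) -> Optional[int]:
    """TTL as measured by the destination after its own decrement.

    hops = number of routers the packet enters, destination included
    (R1-R2-R3 with a session R1<->R3 is 2 hops). None means an intermediate
    router decremented the TTL to 0 and discarded the packet in transit."""
    for crossed in range(1, hops):
        if sent_ttl - crossed <= 0:
            return None
    return sent_ttl - hops


def packet_accepted(receiver: PeerTtlConfig, sent_ttl: int, hops: int) -> bool:
    """Would the receiver accept a session packet sent with sent_ttl from hops away?"""
    arrived = ttl_on_arrival(sent_ttl, hops)
    return arrived is not None and arrived >= receiver.minimum_incoming_ttl()


def session_establishes(a: PeerTtlConfig, b: PeerTtlConfig, hops: int) -> bool:
    """Both directions must pass the TTL check for the eBGP session to come up."""
    return (packet_accepted(b, a.outgoing_ttl(), hops)
            and packet_accepted(a, b.outgoing_ttl(), hops))


if __name__ == "__main__":
    r1 = PeerTtlConfig(ebgp_multihop=255)
    # the page's two R1-R2-R3 cases (2 hops between R1 and R3)
    print(session_establishes(r1, PeerTtlConfig(ttl_security_hops=2), hops=2))  # True
    print(session_establishes(r1, PeerTtlConfig(ttl_security_hops=1), hops=2))  # False
    # why ttl-security closes the multihop hole: a packet with TTL 255 from 10 hops away
    print(packet_accepted(PeerTtlConfig(ebgp_multihop=255), 255, 10))        # True
    print(packet_accepted(PeerTtlConfig(ttl_security_hops=2), 255, 10))      # False
```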

Configuring Route Filtering
This command applies a route-map (or RPL) to a BGP peer in order to modify or permit/deny specific BGP updates incoming from / outgoing to the peer
• If you notice, the major difference compared to EIGRP is that BGP route filtering works only with neighbor-specific traffic, not entire outbound or inbound traffic.
• Use "clear ip bgp" for the configuration to take effect
• Used in #Path Attributes
• Order (highest first) of preference of the policies applied on BGP inbound:
  ♦ route-policy, filter-list, prefix-list, distribute-list

IOS
neighbor route-map
• This command is used for modifying, along with permitting/denying, specific BGP updates from a neighbor
router bgp $MY_AS
 neighbor $REMOTE_IP route-map $ROUTE_MAP {in|out}

neighbor distribute-list
• This command is only used for permitting/denying specific BGP updates from a neighbor
• Match prefix with length
router bgp $MY_AS
 neighbor $REMOTE_IP distribute-list {$ACCESS_LIST|$PREFIX|$ROUTE_MAP} {in|out}

neighbor prefix-list
• This command is only used for permitting/denying specific BGP updates from a neighbor
• Match prefix with length
router bgp $MY_AS
 neighbor $REMOTE_IP prefix-list $PREFIX_LIST {in|out}

neighbor filter-list
• This command is only used for permitting/denying specific BGP updates from a neighbor
• Match AS_PATH or prefix
router bgp $MY_AS
 neighbor $REMOTE_IP filter-list $LIST {in|out}

IOS-XR
• Similar to #neighbor route-map in IOS
neighbor route-policy
router bgp $MY_AS
 neighbor $REMOTE_IP
  address-family {ipv4|ipv6} {unicast|multicast}
   route-policy $RPL {in|out}

clear ip bgp
• After configuring any BGP filtering, IOS will not take the new configuration into effect until neighbor relationships are cleared or new update messages are sent.
• These can be manually triggered by the clear command.
• A hard reset clears the TCP connection, breaks down the neighbor relationship and then reconnects the TCP connection and neighbor relationship. This is equal to "neighbor shutdown, no neighbor shutdown"
• A soft reset does not break down the neighbor relationship. It only resends the Update messages, which are then filtered by any new filters.
• In means incoming update messages
• Out means outgoing update messages

Command                               Hard or Soft   One or All Neighbors   Direction
clear ip bgp *                        Hard           all                    both
clear ip bgp neighbor-id              Hard           one                    both
clear ip bgp neighbor-id out          Soft           one                    out
clear ip bgp neighbor-id soft out     Soft           one                    out
clear ip bgp neighbor-id in           Soft           one                    in
clear ip bgp neighbor-id soft in      Soft           one                    in
clear ip bgp * soft                   Soft           all                    both
clear ip bgp neighbor-id soft         Soft           one                    both
#Ref2

Advertising BGP Routes
The goal is to inject public IP addressed prefixes into the BGP table so that the BGP router can advertise these routes to its neighbors. This happens in two ways:
• Network Command (#network)
• Redistribute Command (#redistribute)

network
• $PREFIX
  ♦ is the network number
  ♦ This network command is different from the OSPF and EIGRP commands in that here in BGP, $PREFIX must already be present in the IGP IP routing table, and only then will BGP advertise the route to its neighbor
• mask $MASK
  ♦ is the network mask, which is optional.
  ♦ By default (i.e. if mask $MASK is not configured), then, irrespective of auto-summary, the router will use classful subnetting
  ♦ Make sure that $PREFIX $MASK exactly matches a local route in the IP routing table for the local router to advertise the route
  ♦ In other words, "Look for a route in the router's current IP routing table that exactly matches the parameters of the network command; if a route for that exact prefix/length exists, put the equivalent prefix/length into the local BGP table" #Ref2

network command in IGP vs BGP
If you look up the network command in OSPF and EIGRP, it is primarily used for enabling interfaces in that network (along with advertising the same network). However, BGP uses the network command solely to advertise the network to its BGP neighbors.

IOS
! Configuring
! On Cisco IOS, IOS-XE
router bgp $MY_AS
 network $PREFIX {mask $MASK|backdoor|nlri|route-map}
 ! or under address-family
! Verification
show ip bgp neighbor $REMOTE_IP advertised-routes
! Best way is to check the routing table of the remote neighbors

IOS-XR
Use network under BGP/MBGP/Config#router address-family on IOS-XR
! Configuring
! On Cisco IOS-XR
router bgp $MY_AS
 address-family $FAMILY
  network $PREFIX/$MASK {backdoor|route-policy}
! Verification
show bgp neighbors $REMOTE_IP advertised-routes
! Best way is to check the routing table of the remote neighbors

Cases
network without mask
! Irrespective of auto-summary
! Network 1.0.0.0 is advertised
R1#
int lo0
 ip add 1.0.0.0 255.0.0.0
!
router bgp 1
 network 1.0.0.0
! Network 1.0.0.1 is NOT advertised,
! because it is not classful
R1#
int lo0
 ip add 1.0.0.1 255.255.255.255
!
router bgp 1
 network 1.0.0.1
! Network 172.20.0.0 is advertised
R1#
int lo0
 ip add 172.20.0.0 255.255.0.0
!
router bgp 1
 network 172.20.0.0
! Network 172.20.0.0 is NOT advertised,
! because the /16 is not found in the routing table
R1#
int lo0
 ip add 172.20.0.0 255.0.0.0
!
router bgp 1
 network 172.20.0.0

network route-map
• Since you are using a route-map, make sure to do "clear ip route" and make sure that a route-map exists for the network to be advertised accordingly
• BGP -> Lab 14 -> Goal1
network nlri
TODO
network backdoor
TODO

redistribute
• Look into redistribution for basic redistribution. BGP is nothing special.
• Redistributed routes do change the ORIGIN path attribute to INCOMPLETE
• Look into Redistribution -> Lab5

IOS
! On Cisco IOS, IOS-XE
router bgp $MY_AS
 redistribute $BASIC_REDISTRIBUTION
 ! or under address-family
IOS-XR
Use redistribute under BGP/MBGP/Config#router address-family on IOS-XR
! Configuring
! On Cisco IOS-XR
router bgp $MY_AS
 address-family $FAMILY
  redistribute $BASIC_REDISTRIBUTION

Redistributing OSPF into BGP
• The default command redistribute ospf $PID will only redistribute OSPF internal routes, meaning with the default match="internal"
• With match="external", it defaults to all type 1 and type 2.
! On Cisco IOS, IOS-XE
router bgp $MY_AS
 address-family ipv4 unicast
  redistribute ospf $PID {match external|internal}

Summarizing BGP Routes
IGP Summarization with BGP network command
! On Cisco IOS, IOS-XE
router eigrp 1
 network $SUMMARIZED_PREFIX $SUMMARIZED_MASK
 auto-summary
!
router bgp $MY_AS
 address-family ipv4 unicast
  network $SUMMARIZED_PREFIX mask $SUMMARIZED_MASK

Static Null0 • BGP#Static Null0

aggregate-address
TODO LAB:
• http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094826.shtml#aggregatingwiththeas
• Test each scenario
• Test if IGP routes or only BGP routes are used as summarizing routes
• Test what happens in case of:
  ♦ advertise-map with/without summary-only
• Use it under BGP/MBGP/Config#router address-family on IOS-XR
• Requirements:
  ♦ Depending on the options used, $PREFIX/$MASK exactly must be present or its specific routes must be present in the local IP routing table
  ♦ Must be configured on the aggregating router only


  ♦ NOTE: If specific routes have been leaked from some other routers, those specific routes will be preferred over the aggregated routes
• Arguments:
  ♦ Default (i.e. without any options)
    ◊ will advertise the aggregate (along with the specific) routes with #ATOMIC_AGGREGATE and #AGGREGATOR
    ◊ Requires specific routes that fall under $PREFIX/$MASK to be present in the local IP routing table
  ♦ summary-only
    ◊ will advertise the aggregate (without the specific) route with #ATOMIC_AGGREGATE and #AGGREGATOR
    ◊ Requires $PREFIX/$MASK to be exactly present in the local IP routing table
  ♦ as-set
    ◊ will advertise the route with #AS_SET
  ♦ suppress-map
    ◊ will suppress and not advertise the matched specific routes
    ◊ therefore, will advertise the aggregate along with the non-suppressed specific routes
    ◊ "When you use the suppress-map configuration command along with the summary-only configuration command, the summary-only configuration command does not have any effect."
  ♦ advertise-map
    ◊ will advertise an aggregate that is built using the matched specific routes
    ◊ NOTE: Those specific routes that are not matched are advertised normally as BGP routes (i.e. without any #ATOMIC_AGGREGATE/#AGGREGATOR attributes)
    ◊ "In general, when you use advertise-map, only the advertise-map influences the aggregate. In the absence of advertise-map, the aggregate inherits the attributes of the more-specific routes, both suppressed and unsuppressed. In both the cases, you can use the attribute-map configuration command to override the chosen attributes"
  ♦ attribute-map
    ◊ used for changing the attributes of the aggregated route (e.g. the community attribute)
    ◊ Without this option, all the attributes of the specific routes are inherited by the aggregate route
    ◊ "This option overrides attributes that are chosen with advertise-map"
• NOTE: When using #bgp confederation identifier, aggregate-address as-set within the confederation generates #AS_CONFED_SET
! On Cisco IOS, IOS-XE
router bgp $MY_AS
 aggregate-address $PREFIX $MASK {as-set | summary-only | suppress-map $SUP_MAP | advertise-map $ADV_MAP | attribute-map $ATTR_MAP}
! Verification
show ip bgp $ROUTE


aggregate-address cases
! Nw1-R1-R2-R3-Nw3, eBGP setup, summarize at R2
R2#
! Nw2 = Nw1 + Nw3
! Advertises Nw2, with Nw1 and Nw3 (without AS_SET)
router bgp 2
 aggregate-address Nw2
! Advertises Nw2 (without AS_SET)
ip route Nw2   ! Summarizing route
router bgp 2
 aggregate-address Nw2 summary-only
! Advertises Nw2 (with AS_SET)
ip route Nw2   ! Summarizing route
router bgp 2
 aggregate-address Nw2 as-set summary-only
! Advertises Nw2, suppressing Nw1 and Nw3 (with AS_SET)
router bgp 2
 aggregate-address Nw2 as-set suppress-map SUPP_MAP
access-list 1 permit Nw1
access-list 1 permit Nw3
route-map SUPP_MAP permit 5
 match ip address 1
! Aggregate Nw1 only with advertise-map, i.e. Nw2=Nw1 (without AS_SET)
router bgp 2
 aggregate-address Nw2 advertise-map ADV_MAP
access-list 1 permit Nw1
ip as-path access-list 1 deny ^2_
ip as-path access-list 1 permit .*
route-map ADV_MAP permit 5
 match as-path 1

auto-summary
• Only on IOS, IOS-XE. Not available on IOS-XR
• This enables auto-summary. Similar to IGP auto-summary, "When auto-summary is enabled, it summarizes the locally originated BGP networks to their classfull boundaries" #Ref15
• We know that by default (with or without auto-summary), the prefix in the network command has to exactly match a route in the IP routing table for the BGP router to advertise the prefix. However, with auto-summary enabled, the prefix in the network command can match subset routes of the classful network of the prefix found in the IP routing table.
• Therefore, the following conditions must be met for the router to advertise the summarized route:
  ♦ network $PREFIX mask $MASK, where $MASK must be classful, matching the prefix's class (i.e. 172.20.0.0 mask 255.255.0.0 and not 172.20.0.0 mask 255.255.255.0)
  ♦ auto-summary
  ♦ At least one local IGP route must be a subset of $PREFIX/$MASK
• Depending on the IOS version, the latest ones have it disabled by default

! On Cisco IOS, IOS-XE
router bgp $MY_AS
 auto-summary
 network $SUMMARIZED_PREFIX mask $CLASSFUL_MASK
!
! Subset IGP route
int lo0
 ip add $SPECIFIC_PREFIX $SPECIFIC_MASK

auto-summary cases
int lo0
 ip add 9.0.0.1 255.255.255.0
!
! With no auto-summary
! 9.0.0.0 is NOT advertised,
! because the classful 9.0.0.0/8 must be present exactly in the routing table (only 9.0.0.0/24 is)
router bgp 1
 network 9.0.0.0
 no auto-summary
! With auto-summary
! 9.0.0.0/8 is advertised,
! because 9.0.0.0/24 is a subset of the classful 9.0.0.0/8
router bgp 1
 network 9.0.0.0
 auto-summary
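The matching rule behind the "network without mask" and "auto-summary" cases above (exact prefix/length match, classful default when mask is omitted, and subset matching only with auto-summary), as an added Python model that is not code from the original page. The routing table is passed in as constructed "a.b.c.d/len" strings; function names are the example's own.

```python
import ipaddress
from typing import Iterable, Optional

IPv4Net = ipaddress.IPv4Network


def classful_network(address: str) -> IPv4Net:
    """Classful network of an IPv4 address: the prefix IOS assumes when 'network'
    is given without 'mask' (class A /8, class B /16, class C /24)."""
    first_octet = int(address.split(".")[0])
    if first_octet < 128:
        length = 8
    elif first_octet < 192:
        length = 16
    else:
        length = 24
    return ipaddress.ip_network(f"{address}/{length}", strict=False)


def network_advertises(rib: Iterable[str], prefix: str, mask: Optional[str] = None,
                       auto_summary: bool = False) -> Optional[IPv4Net]:
    """Prefix that 'network $PREFIX [mask $MASK]' installs into the BGP table, or None.

    rib: routes present in the IP routing table, as 'a.b.c.d/len' strings."""
    routes = [ipaddress.ip_network(r) for r in rib]
    if mask is None:
        target = classful_network(prefix)
    else:
        # ipaddress accepts a dotted netmask after the slash
        target = ipaddress.ip_network(f"{prefix}/{mask}", strict=False)
    # default rule: the exact prefix/length must exist in the routing table
    if target in routes:
        return target
    # auto-summary: a classful target is also satisfied by any more-specific
    # route of that classful network ("at least one local IGP route must be a subset")
    if (auto_summary and target == classful_network(prefix)
            and any(r.subnet_of(target) for r in routes)):
        return target
    return None


if __name__ == "__main__":
    # (routing table, prefix, mask, auto-summary) -> expected result from the page's cases
    cases = [
        (["1.0.0.0/8"], "1.0.0.0", None, False),              # 1.0.0.0/8
        (["1.0.0.1/32"], "1.0.0.1", None, False),             # None: classful /8 not in RIB
        (["172.20.0.0/16"], "172.20.0.0", None, False),       # 172.20.0.0/16
        (["172.0.0.0/8"], "172.20.0.0", None, False),         # None: /16 not in RIB
        (["9.0.0.0/24"], "9.0.0.0", None, False),             # None: no auto-summary
        (["9.0.0.0/24"], "9.0.0.0", None, True),              # 9.0.0.0/8 via auto-summary
        (["9.0.0.0/24"], "9.0.0.0", "255.255.255.0", False),  # 9.0.0.0/24 exact match
    ]
    for rib, prefix, mask, auto in cases:
        print(f"network {prefix} mask={mask} auto-summary={auto} ->",
              network_advertises(rib, prefix, mask, auto))
```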

bgp redistribute-internal
Redistribute iBGP Routes into IGP
• This command is used together with redistribute bgp under the IGP routing process
• By default (i.e. without bgp redistribute-internal and with only redistribute bgp under the IGP routing process), only eBGP routes will be redistributed into the IGP. This is because iBGP routes can cause routing loops
• Look into Redistribution -> Lab5
• Care must be taken here to not flood the IGP routers, as it might cause routing loops. Use a route-map to filter
! On Cisco IOS, IOS-XE
router bgp $MY_AS
 bgp redistribute-internal
router $IGP
 redistribute bgp $MY_AS

disable-connected-check
In order to skip the #ebgp-multihop configuration in the situation of an eBGP setup over loopbacks, use this command
• Only on IOS, IOS-XE. Not available on IOS-XR
• Only works for a connection between two directly connected routers that peer using loopback interfaces
• Does not work with ttl-security
• Does not work if the routers are not directly connected.
• #Ref14
• BGP -> Lab7 -> Goal5
! On Cisco IOS, IOS-XE
! Configure on both sides, exactly the same way
! Note the command ebgp-multihop 1 is not shown because that's the default
router bgp $ASN
 neighbor $REMOTE_IP remote-as $REMOTE_AS
 neighbor $REMOTE_IP disable-connected-check
 neighbor $REMOTE_IP update-source $INT

maximum-prefix
To limit the maximum number of prefixes the local router can accept (receive) from $REMOTE_PEER
• For IOS-XR, use maximum-prefix under BGP/MBGP/Config#neighbor address-family
• By default, i.e. without this command, BGP doesn't have any limit on the number of prefixes
• Requirements:
  ♦ Only needs to be configured on the local router
• In case the BGP session is dropped due to max prefix and needs to be brought back again, you will need to do "clear ip bgp" to bring the BGP session up if restart isn't configured. If "restart" is configured, then the BGP session will restart after the given interval

IOS
• Arguments:
  ♦ $MAX
    ◊ Max. number of prefixes allowed from the neighbor. Once reached, the BGP session is dropped / a warning message is seen
  ♦ $THRESHOLD
    ◊ If not configured, defaults to 75
    ◊ At $THRESHOLD percent of $MAX, warning messages will be generated
  ♦ warning-only
    ◊ If not configured, at $MAX (or at $THRESHOLD if configured) the BGP session is dropped
    ◊ If configured, at $MAX a warning message is seen (different from when $THRESHOLD is met)
  ♦ restart $RESTART_SEC
    ◊ If not configured, the BGP session is dropped forever
    ◊ If configured, the BGP session is restarted $RESTART_SEC after the time when the BGP session was dropped (due to $MAX being hit)
! On Cisco IOS, IOS-XE
router bgp $ASN
 neighbor $REMOTE_PEER remote-as $REMOTE_AS
 neighbor $REMOTE_PEER maximum-prefix $MAX [$THRESHOLD] [restart $RESTART_SEC] [warning-only]
! Verify
show ip bgp neighbor $REMOTE_PEER | i accepted prefixes
show ip bgp neighbor $REMOTE_PEER | i warning message
show ip bgp summary | i PfxRcd   ! Prefix Received
debug ip bgp updates in
! If the BGP session dropped, then you see this
show ip bgp summary | i Idle (PfxCt)
! Examples:
router bgp $ASN
 ! local router will log a syslog message and
 ! drop the BGP $REMOTE_PEER peering when
 ! 90% of 1000 prefixes are received from $REMOTE_PEER
 neighbor $REMOTE_PEER maximum-prefix 1000 90
 ! local router will only log a syslog message and
 ! not drop the BGP $REMOTE_PEER peering when
 ! 90% of 1000 prefixes are received from $REMOTE_PEER
 neighbor $REMOTE_PEER maximum-prefix 1000 90 warning-only
 ! local router will log a syslog message and
 ! drop the BGP $REMOTE_PEER peering when
 ! 90% of 1000 prefixes are received from $REMOTE_PEER,
 ! but the session will be re-established in 10 seconds
 neighbor $REMOTE_PEER maximum-prefix 1000 90 restart 10

IOS-XR
• Similar to IOS
  ! On IOS-XR
  router bgp $ASN
   neighbor $REMOTE_PEER
    address-family $FAMILY
     maximum-prefix $MAX {$THRESHOLD {restart $RESTART_SEC} warning-only}
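The maximum-prefix behaviour described above (threshold warning, drop versus warning-only, optional restart) modelled as an added Python example; this is not code from the page or from Cisco, and the MaxPrefixPolicy class, the constructed "show ip bgp summary" sample and the parser that flags neighbors in "Idle (PfxCt)" are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Example model of the maximum-prefix behaviour described above (not Cisco's
# implementation): a warning once $THRESHOLD percent of $MAX is reached, then
# either a second warning (warning-only) or a session teardown once $MAX is
# exceeded, optionally followed by an automatic restart.


@dataclass
class MaxPrefixPolicy:
    maximum: int                   # $MAX
    threshold_pct: int = 75        # $THRESHOLD, IOS default is 75
    warning_only: bool = False     # warning-only keyword
    restart: Optional[int] = None  # restart interval; None = session stays down

    def threshold_count(self) -> int:
        """Smallest prefix count at or above $THRESHOLD percent of $MAX."""
        return -(-self.maximum * self.threshold_pct // 100)  # ceiling division

    def evaluate(self, received: int) -> dict:
        """Events raised and resulting session state for a given prefix count."""
        events: List[str] = []
        state = "Established"
        if received >= self.threshold_count():
            events.append("MAXPFX threshold warning")
        if received > self.maximum:  # teardown/warning is on exceeding $MAX
            if self.warning_only:
                events.append("MAXPFXEXCEED warning, session kept")
            else:
                events.append("MAXPFXEXCEED, session dropped")
                state = "Idle (PfxCt)"
                if self.restart is None:
                    events.append("manual 'clear ip bgp' needed")
                else:
                    events.append(f"automatic restart after {self.restart}")
        return {"state": state, "events": events}


# Constructed 'show ip bgp summary' output: one healthy neighbor, one torn
# down by maximum-prefix, one that never came up.
SAMPLE_SUMMARY = """\
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.0.0.1        4            1     120     118       15    0    0 01:55:02       12
10.0.0.5        4        65001      40      38        0    0    0 00:03:11 Idle (PfxCt)
10.0.0.9        4            3       5       5        0    0    0 never    Active
"""

# Neighbor, version 4, AS, five counters, Up/Down, then State/PfxRcd (may contain spaces).
SUMMARY_RE = re.compile(
    r"^(?P<neighbor>\S+)\s+4\s+(?P<asn>\d+)(?:\s+\d+){5}\s+"
    r"(?P<updown>\S+)\s+(?P<state>.+?)\s*$"
)


def parse_bgp_summary(output: str) -> List[dict]:
    """Rows of a 'show ip bgp summary' neighbor table as dicts."""
    rows = []
    for line in output.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def neighbors_down_by_max_prefix(output: str) -> List[str]:
    """Neighbors IOS shows as 'Idle (PfxCt)', i.e. dropped by maximum-prefix."""
    return [r["neighbor"] for r in parse_bgp_summary(output)
            if r["state"] == "Idle (PfxCt)"]


if __name__ == "__main__":
    policy = MaxPrefixPolicy(1000, 90, restart=10)
    for count in (899, 900, 1001):
        print(count, policy.evaluate(count))
    print(neighbors_down_by_max_prefix(SAMPLE_SUMMARY))
```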

peer-group
• Only on IOS, IOS-XE. Use (#Configuration Grouping) on IOS-XR

Configuring
  ! On Cisco IOS, IOS-XE
  router bgp $BGP
   ! Creating the peer group
   neighbor $GP_NAME peer-group
   ! Grouping peers into the group
   neighbor $PEER1_IP peer-group $GP_NAME
   neighbor $PEER2_IP peer-group $GP_NAME
   ! Apply common commands that apply to the entire group
   neighbor $GP_NAME $OPTIONS
   ! $OPTIONS can be route-reflector-client, route-map, etc.

Verifying
• A BGP peer group is a neat way of applying the same set of BGP commands to several neighbors
• Use cases
  ♦ In the case of multiple BGP communities on a single route, the router can still set policies based on one or all BGP communities
  ♦ In the case of a BGP community with aggregated routes, "aggregate inherits all the COMMUNITY attributes of all the routes." #Ref3
  ♦ In the case of a route-map, all the routers in the group will use the same route-map
  ♦ In the case of a route reflector:

  # On Cisco IOS, network R1-RR-R2
  # , where RR is the route reflector server and R1, R2 are clients
  # On RR
  router bgp 100
   # Create a peer group called rr-client
   neighbor rr-client peer-group
   # Use the peer group to create a set of common commands
   # that you will later apply to peers R1 and R2
   neighbor rr-client remote-as 100
   neighbor rr-client route-reflector-client
   neighbor rr-client update-source lo0
   # Apply the peer group to the specific neighbors R1 and R2
   neighbor $R1_IP peer-group rr-client
   neighbor $R2_IP peer-group rr-client

  # On R1 and R2,
  # you don't need a peer group because there is nothing to group
  router bgp 100
   neighbor $RR_IP remote-as 100
   neighbor $RR_IP update-source lo0

Limitations of Peer Group
• Only in IOS versions before 12.2
• Not required for CCIE

neighbor shutdown
• Useful in case you wish to reroute traffic over another neighbor

  ! Configuration
  ! On Cisco IOS, IOS-XE
  router bgp $MY_AS
   neighbor $REMOTE_IP shutdown
   ! Shuts down the neighbor, and directly takes it to the IDLE state
  ! Verification
  show ip bgp neighbor $REMOTE_IP

neighbor soft-reconfiguration
• Use soft-reconfiguration under BGP/MBGP/Config#neighbor address-family on IOS-XR
• This command forces the router to store incoming BGP updates.
• This command takes a lot of memory to store the above info. Therefore it is not recommended in practical scenarios
• NOTE: whichever router has this command configured is the router that can do "show ip bgp neighbors $REMOTE_IP received-routes"
• NOTE: This command shows all the BGP updates before any route-maps/filters are applied on the local router. However, note that these updates have already been filtered/route-mapped by the $REMOTE_IP neighbor

  ! Configuration
  ! On Cisco IOS, IOS-XE
  R1#
  router bgp $MY_AS
   neighbor $REMOTE_IP soft-reconfiguration inbound
  R1# show ip bgp neighbors $REMOTE_IP received-routes

log-neighbor-changes
• Only on IOS, IOS-XE. Use #log neighbor changes on IOS-XR
• Logs messages on the console in case of a neighbor state change

  ! On Cisco IOS, IOS-XE
  ! Configuration
  router bgp $MY_AS
   bgp log-neighbor-changes
  ! Verification
  !! You will simply see log messages in case of a neighbor state change
  show log | include BGP

Configuring Route Reflectors
• Only on IOS, IOS-XE.
• For IOS-XR, use route-reflector-client under BGP/MBGP/Config#neighbor address-family
• Do not use route reflectors with #peer-group because of #Limitations of Peer Group in the case where clients do not have a direct iBGP session between one another
• Requirements:
  ♦ RR and clients must have a basic BGP peering setup (only on iBGP peers)
  ♦ Needs only to be configured on the RR (BGP#Route Reflectors) pointing to the neighbors
  ♦ Neighbors need not support route reflection
  ♦ For changing the BGP attributes of routes being reflected from the RR server to clients/non-clients, use #Workaround for next-hop-self on route reflector

route-reflector-client
  ! On Cisco IOS, IOS-XE
  ! Configuration
  # Configuration on the route reflector server
  RR#
  router bgp $MY_AS
   neighbor $CLIENT_NEIGHBOR_IP remote-as $MY_AS
   neighbor $CLIENT_NEIGHBOR_IP update-source $SERVER_NEIGHBOR_IP
   neighbor $CLIENT_NEIGHBOR_IP route-reflector-client
  ! The router RR will be the route reflector server having the neighbor with
  ! $CLIENT_NEIGHBOR_IP as its client
  # Standard configuration on the route reflector client
  RR_Client#
  router bgp $MY_AS
   neighbor $SERVER_NEIGHBOR_IP remote-as $MY_AS
   neighbor $SERVER_NEIGHBOR_IP update-source $CLIENT_NEIGHBOR_IP
  ! Note: RR_Client does not need to support route reflector
  ! functionality, only RR does
  ! Verification
  !! There is no verification on RR_Client
  RR# show ip bgp neighbor $CLIENT_NEIGHBOR_IP | i Reflect

bgp client-to-client reflection
• BGP#Route Reflector In Fully Meshed Networks
• This configuration gets automatically enabled on the RR to reflect routes from clients to other clients
• Therefore, disable this command in case the clients are fully meshed
  ♦ It's generally used as "no bgp client-to-client reflection" on the RR
• Requirements:
  ♦ Must be configured on the RR (i.e. the router having #route-reflector-client)
    ◊ That command automatically enables "bgp client-to-client reflection"

  ! On Cisco IOS, IOS-XE
  ! Configuration
  # Configuration on the route reflector server
  RR#
  router bgp $MY_AS
   neighbor $CLIENT_NEIGHBOR_IP remote-as $MY_AS
   neighbor $CLIENT_NEIGHBOR_IP update-source $SERVER_NEIGHBOR_IP
   neighbor $CLIENT_NEIGHBOR_IP route-reflector-client
   ! Automatically configured with bgp client-to-client reflection

A real use case in a fully meshed network is shown here: C1-RR-C2 in a fully meshed network (i.e. C1-C2 have iBGP too)
  ! This disables route reflection of client routes to clients
  ! However, routes external to the cluster are still reflected
  ! and routes from clients are still reflected to non-clients
  RR#
  router bgp $MY_AS
   neighbor $C1 remote-as $MY_AS
   neighbor $C2 remote-as $MY_AS
   neighbor $C1 update-source $SERVER_NEIGHBOR_IP
   neighbor $C2 update-source $SERVER_NEIGHBOR_IP
   neighbor $C1 route-reflector-client
   neighbor $C2 route-reflector-client
   no bgp client-to-client reflection
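The reflection rules above (which peers a route from a client or a non-client is reflected to, the effect of "no bgp client-to-client reflection", and the CLUSTER_LIST loop check that bgp cluster-id feeds) as an added Python model; this is example code, not Cisco's implementation, and the RouteReflector class and peer names C1, C2, N1 are constructed for it.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Example model (not Cisco's) of the reflection decision a route reflector
# makes for an iBGP route, following the rules above:
#  - from a client: to non-clients, and to the other clients only while
#    client-to-client reflection is on
#  - from a non-client: to clients only (non-client to non-client is plain
#    iBGP, never reflected)
#  - a route whose CLUSTER_LIST already carries this RR's cluster ID is a
#    loop and is dropped; otherwise the cluster ID is prepended on the way out


@dataclass
class RouteReflector:
    router_id: str
    clients: Set[str]
    non_clients: Set[str]
    cluster_id: Optional[str] = None   # bgp cluster-id; defaults to the RID
    client_to_client: bool = True      # "no bgp client-to-client reflection" -> False

    def effective_cluster_id(self) -> str:
        return self.cluster_id or self.router_id

    def reflect(self, source: str, cluster_list: List[str]) -> Dict[str, object]:
        """Targets and outgoing CLUSTER_LIST for a route received from `source`."""
        if self.effective_cluster_id() in cluster_list:
            return {"targets": [], "cluster_list": list(cluster_list),
                    "reason": "cluster loop, dropped"}
        if source in self.clients:
            targets = set(self.non_clients)
            if self.client_to_client:
                targets |= self.clients - {source}
        elif source in self.non_clients:
            targets = set(self.clients)
        else:
            raise ValueError(f"{source} is not an iBGP peer of this RR")
        return {"targets": sorted(targets),
                "cluster_list": [self.effective_cluster_id()] + list(cluster_list),
                "reason": "reflected" if targets else "no eligible peers"}


if __name__ == "__main__":
    rr = RouteReflector("3.3.3.3", clients={"C1", "C2"}, non_clients={"N1"})
    print("client-to-client on :", rr.reflect("C1", []))
    rr.client_to_client = False        # the fully meshed C1-C2 case above
    print("client-to-client off:", rr.reflect("C1", []))
```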

Configuring Cluster
bgp cluster-id
Used to change the Cluster ID for a BGP#Clusters
• Configured only on route reflectors (RR)
• If not configured, the Cluster ID defaults to the RR's RID
• Must be configured to put multiple RRs in one cluster
  ♦ Must be configured on all the RRs
• Example
  ! Configure
  ! On Cisco IOS, IOS-XE
  RR#
  router bgp $MY_AS
   bgp cluster-id $CLUSTER_ID
  ! Verify
  RR-Client# show ip bgp $CLIENT_ROUTE | i Cluster list

Confederation
BGP#Confederation
• Requirements:
  ♦ #bgp confederation identifier
  ♦ #bgp confederation peers
• Note: $SUB_ASN is usually a Private ASN

  (R1-R2)-(R3-R4)
  ! All are in AS 1
  ! R1-R2 are in BGP Confed ASN: 65012
  ! R3-R4 are in BGP Confed ASN: 65034
  R1#                        ! Similarly on R4: router bgp 65034
  router bgp 65012
   bgp confederation peers 65034
   bgp confederation identifier 1
   neighbor $R2 remote-as 65012
   neighbor $R2 update-source lo0
  R2#                        ! Similarly on R3: router bgp 65034
  router bgp 65012
   bgp confederation peers 65034
   bgp confederation identifier 1
   neighbor $R1 remote-as 65012
   neighbor $R1 update-source lo0
   neighbor $R3 remote-as 65034
   neighbor $R3 update-source lo0
   neighbor $R3 ebgp-multihop 255

bgp confederation identifier
Configures the confederation on the router
• $SUB_ASN is the ASN of the sub-AS to which the local router belongs
• $CONFED_ID is the BGP confederation ID, which is the real AS number seen by real eBGP peers outside the confederation
• Must be configured on all the routers that are present in the confederation
  ! On IOS, IOS-XE
  ! Configure
  router bgp $SUB_ASN
   bgp confederation identifier $CONFED_ID
  ! Verify

bgp confederation peers
• This command tells the local router that $PEERS are the sub-ASes directly connected to the local sub-AS
• "This command tells the BGP process that the EBGP connection is confederation EBGP rather than normal EBGP." #Ref1
• $SUB_ASN is the ASN of the sub-AS to which the local router belongs
• $PEERS is a list of sub-AS numbers to which the router is connected
• Must be configured ONLY on those routers that are running confederation eBGP
• NOTE: You don't have to include your own ASN in the peers
  ! On IOS, IOS-XE
  ! Configure
  router bgp $SUB_ASN
   bgp confederation peers $PEERS
  ! Example
   bgp confederation peers 65533 65535
  ! Verify

BGP Version Negotiation
• Only on IOS, IOS-XE. Not available on IOS-XR
• By default, during the setup of a BGP neighbor session, the BGP version is exchanged and if it doesn't match, the negotiation can fall back to the lower version.
• In order to turn off the negotiation and use a fixed version number, do:
  # On Cisco IOS
  conf t
  router bgp $MY_AS
   neighbor $NEIGHBOR version $VALUE

BGP Neighbor Communication via Default Route
As we already know, for a BGP peer session to establish there must be IP connectivity between the peer IP addresses. That IP connectivity can be achieved using static routes or a dynamic routing protocol
• However, a default route cannot be used for setting up a BGP session.
• But a default route can be used to maintain a session which was started via a static route or dynamic routing protocol (that was later removed)

Case: BGP with Default Route for Neighbor Setup
In short, a BGP peer passively accepts sessions when a default route is used for communication. The following situation will leave the peers stuck in the Active state:
• A default route is configured on both peers and there are no static/dynamic routes. Therefore, both peers wait passively for the other peer to start the session.
• Both peers are in the IDLE state at the beginning.
• In case one peer reaches the ESTABLISHED state (by temporarily adding a static route and then removing it) while the other peer is still ACTIVE, both will reach the ESTABLISHED state. They continue to be ESTABLISHED even if the static route is removed, but the default route must remain.

Case:
  ! Lo1-R1-R2-Lo2
  R1#
  router bgp $MY_AS
   neighbor $Lo2_IP remote-as $MY_AS
   neighbor $Lo2_IP update-source $Lo1_IP
  ! No other IGP
  ip route 0.0.0.0 0.0.0.0 $INT_TO_R2
  R2#
  router bgp $MY_AS
   neighbor $Lo1_IP remote-as $MY_AS
   neighbor $Lo1_IP update-source $Lo2_IP
  ! No other IGP
  ip route 0.0.0.0 0.0.0.0 $INT_TO_R1
  ! End result: the session was never established
  ! Fix: use an IGP or a static route

maximum-paths
Configure the maximum number of load-balanced paths to a prefix that can go into the routing table #Ref5
• Default values:
  ♦ Depends on SW #Ref200
• Multi"paths are installed in the table together with the best path for load sharing. BGP Multipath does not affect bestpath selection. For example, a router still designates one of the paths as the best path, according to the algorithm, and advertises this best path to its neighbors"
• If $N = 1, then maximum-paths is disabled
• Arguments:
  ♦ import
    ◊ "The import keyword indicates how many routes can be imported from one VRF into another." #Ref1
• Where to configure this command?
  ♦ It's important to understand that this command affects only the local router, not the peer, so it must be configured on the router that has two BGP paths to a destination but is initially preferring only one of them (before configuring this)
• Multicast/Labs/Lab9/Goals#Goal2

Multipath Candidates
• "In order to be candidates for multipath, paths to the same destination need to have these characteristics equal to the best-path characteristics" #Ref203
  ♦ Weight
  ♦ LOCAL_PREF
  ♦ AS_PATH length
  ♦ Origin
  ♦ MED
• For eBGP multipaths
  ♦ "The path should be learned from an external or confederation-external neighbor (eBGP)"
  ♦ "The IGP metric to the BGP next hop should be equal to the best-path IGP metric"
• For iBGP multipaths
  ♦ "The path should be learned from an internal neighbor"
  ♦ "The IGP metric to the BGP next hop should be equal to the best-path IGP metric, unless the router is configured for unequal-cost iBGP multipath"

IOS
• maximum-paths - for eBGP routes only
• maximum-paths ibgp - for iBGP routes only
• maximum-paths eibgp - for iBGP and eBGP routes together
• maximum-paths eibgp = maximum-paths ibgp + maximum-paths. Therefore, they cannot all be configured together

  ! On IOS
  Router#
  router bgp $ASN
   address-family $FAMILY
    maximum-paths {$MAX | ibgp $MAX | eibgp $MAX}

IOS-XR
• Compared to IOS, this command is more organized #Ref201

  ! On IOS-XR
  Router#
  router bgp $ASN
   address-family $FAMILY
    maximum-paths {ebgp | ibgp | eibgp} $MAX {unequal-cost}
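The multipath candidate rules quoted above, plus the maximum-paths $N cut-off, as an added Python example; this is not Cisco's bestpath code, and the BgpPath record, its fields and the sample paths are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Example model (not Cisco's bestpath implementation) of the multipath
# candidate rules above: a path qualifies only if Weight, LOCAL_PREF,
# AS_PATH length, Origin and MED equal the best path's, it is the same
# kind of path as the best path (eBGP vs iBGP), and its IGP metric to the
# next hop equals the best path's unless unequal-cost iBGP multipath is on.


@dataclass(frozen=True)
class BgpPath:
    next_hop: str
    weight: int
    local_pref: int
    as_path: Tuple[int, ...]   # AS numbers, only the length matters here
    origin: str                # "i", "e" or "?"
    med: int
    ebgp: bool                 # learned from an external/confed-external peer
    igp_metric: int            # IGP cost to next_hop


def _tie_break_key(p: BgpPath) -> tuple:
    return (p.weight, p.local_pref, len(p.as_path), p.origin, p.med)


def multipath_candidates(best: BgpPath, paths: List[BgpPath],
                         unequal_cost_ibgp: bool = False) -> List[BgpPath]:
    """Paths (other than `best`) eligible to be installed alongside it."""
    out = []
    for p in paths:
        if p == best:
            continue
        if _tie_break_key(p) != _tie_break_key(best):
            continue
        if p.ebgp != best.ebgp:          # eBGP and iBGP multipath are separate
            continue
        metric_ok = (p.igp_metric == best.igp_metric
                     or (not best.ebgp and unequal_cost_ibgp))
        if not metric_ok:
            continue
        out.append(p)
    return out


def installed_paths(best: BgpPath, paths: List[BgpPath], maximum_paths: int,
                    unequal_cost_ibgp: bool = False) -> List[BgpPath]:
    """Best path plus up to maximum-paths - 1 candidates; $N = 1 disables multipath."""
    if maximum_paths <= 1:
        return [best]
    extra = multipath_candidates(best, paths, unequal_cost_ibgp)
    return [best] + extra[:maximum_paths - 1]


if __name__ == "__main__":
    # Constructed paths: the second one qualifies, the third has a higher MED.
    best = BgpPath("10.0.0.1", 0, 100, (65001, 65002), "i", 0, True, 10)
    same = BgpPath("10.0.0.2", 0, 100, (65001, 65003), "i", 0, True, 10)
    worse = BgpPath("10.0.0.3", 0, 100, (65001, 65003), "i", 50, True, 10)
    for p in installed_paths(best, [best, same, worse], maximum_paths=4):
        print(p.next_hop)
```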

neighbor allowas-in
• Configuring this on a router basically makes it ignore the loop prevention mechanism that uses BGP#AS_PATH for any incoming BGP updates
• Similarly on IOS-XR, under neighbor address-family
• This is primarily used as an alternative to #neighbor as-override in MPLS/L3VPN/Config#BGP as PE-CE
  ! On IOS
  router bgp $ASN
   neighbor $REMOTE_IP allowas-in
  !
  ! Verify
  clear ip bgp *
  debug ip bgp updates
  !! "DENIED" is seen if allowas-in is not configured
  !! for any BGP update whose AS_PATH creates a loop

neighbor as-override
• BGP/MBGP/Config#neighbor as-override

neighbor local-as
• Configure the local router to use a different AS $LOCAL_AS to set up the BGP session with the neighbor, instead of using the original AS (router bgp $MYASN)
• Similarly on IOS-XR
• By default, i.e. without this configuration, the local router uses the $MYASN AS to set up the BGP session with the neighbor
• NOTE: This will impact the AS_PATH
• Arguments:
  ♦ no-prepend
    ◊ If not configured (i.e. only local-as $LOCAL_AS is configured), and the remote neighbor is using $LOCAL_AS to set up the BGP session with the local router, the local router advertises prefixes by prepending $LOCAL_AS to the original $MYASN.
    ◊ If configured, $LOCAL_AS will NOT be prepended to the AS_PATH
  ♦ no-prepend replace-as
    ◊ If configured, $MYASN is replaced by $LOCAL_AS in the AS_PATH
  ♦ dual-as
    ◊ If configured, the remote neighbor can use "remote-as $MYASN" or "remote-as $LOCAL_AS"
• Multicast/Labs/Lab9/Goals#Goal2

  R1-R2
  ! On IOS
  R1#
  router bgp $MYASN
   neighbor $REMOTE_NEIGHBOR_R2 local-as $LOCAL_AS {no-prepend replace-as dual-as}
  R2#
  router bgp $R2ASN
   neighbor $REMOTE_NEIGHBOR_R1 remote-as $LOCAL_AS
  ! Verify
  R2#show ip bgp neighbor $REMOTE_NEIGHBOR_R1 | i remote AS
  BGP neighbor is $REMOTE_NEIGHBOR_R1, remote AS $LOCAL_AS, external link
  ! Example that shows the BGP AS_PATH change:
  !! If R1 has: neighbor $REMOTE_NEIGHBOR_R2 local-as $LOCAL_AS
  R2#show ip bgp $Prefix_advertised_by_R1
    $LOCAL_AS $MYASN i
  !! If R1 has: neighbor $REMOTE_NEIGHBOR_R2 local-as $LOCAL_AS no-prepend
  R2#show ip bgp $Prefix_advertised_by_R1
    $MYASN i
  !! If R1 has: neighbor $REMOTE_NEIGHBOR_R2 local-as $LOCAL_AS no-prepend replace-as
  R2#show ip bgp $Prefix_advertised_by_R1
    $LOCAL_AS i
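An added Python example (not from the page or from Cisco) covering two AS_PATH behaviours described on this page: the AS_PATH an eBGP neighbor sees under neighbor local-as with each option (the three show outputs above), and the AS_PATH loop check that neighbor allowas-in relaxes; the function names and the sample AS numbers are constructed.

```python
from typing import List, Optional, Tuple

# Example model (not Cisco's) of two AS_PATH behaviours described above.


def advertised_as_path(as_path: List[int], my_asn: int,
                       local_as: Optional[int] = None,
                       no_prepend: bool = False,
                       replace_as: bool = False) -> List[int]:
    """AS_PATH as received by an eBGP neighbor of a router in my_asn.

    as_path is the path the router already holds ([] for a locally
    originated prefix, which the page's examples show as '... i').
    """
    # A normal eBGP advertisement prepends the router's own AS ($MYASN).
    path = [my_asn] + list(as_path)
    if local_as is None:
        return path
    if replace_as:
        # no-prepend replace-as: $LOCAL_AS takes the place of $MYASN.
        return [local_as] + list(as_path)
    if no_prepend:
        # no-prepend: the session uses $LOCAL_AS but the AS_PATH is unchanged.
        return path
    # Plain local-as: $LOCAL_AS is prepended in front of $MYASN.
    return [local_as] + path


def as_path_loop_check(as_path: List[int], my_asn: int,
                       allowas_in: int = 0) -> Tuple[bool, str]:
    """Accept/deny decision for a received update, as (accepted, reason).

    allowas_in=0 models the default: any occurrence of my_asn in the
    AS_PATH is a loop and the update is DENIED (what 'debug ip bgp updates'
    shows). allowas-in N accepts up to N occurrences; IOS uses N=3 when
    the number is omitted.
    """
    occurrences = as_path.count(my_asn)
    if occurrences == 0:
        return True, "no loop"
    if occurrences <= allowas_in:
        return True, (f"own AS seen {occurrences}x, "
                      f"permitted by allowas-in {allowas_in}")
    return False, f"DENIED: own AS {my_asn} in AS_PATH {as_path}"


if __name__ == "__main__":
    # Constructed values: $MYASN = 100, $LOCAL_AS = 200, prefix originated at R1.
    print("local-as            :", advertised_as_path([], 100, 200))
    print("no-prepend          :", advertised_as_path([], 100, 200, no_prepend=True))
    print("no-prepend replace-as:",
          advertised_as_path([], 100, 200, no_prepend=True, replace_as=True))
    print(as_path_loop_check([200, 100, 300], 100))
    print(as_path_loop_check([200, 100, 300], 100, allowas_in=1))
```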

BGP/Config Timers
• BGP#BGP Timers

timers
• Configure BGP#keepalive-interval as $KA_T and BGP#hold-time as $HD_T
• "BGP will negotiate the hold time with the neighbor. The smaller of the two hold times will be chosen" #Ref13
  ♦ However, the keepalive timer on the neighbor is automatically calculated (hold-down timer/3)
• Specific configuration always overrides the generic command
  ♦ i.e. neighbor timers overrides timers bgp
• Configuring on IOS, IOS-XR, IOS-XE is the same
• NOTE: If configured after the BGP session is established, it doesn't take effect (need to clear ip bgp * or restart the BGP session for it to take effect)
• Use $MIN_HD_T_FROM_NEIGHBOR to force the neighbor to have a minimum hold-down timer. If this condition is not met, the BGP session goes to Active
  ♦ By default $MIN_HD_T_FROM_NEIGHBOR is 0 (i.e. a minimum of 0 seconds of hold-down timer)
• Defaults: Keepalive=$KA_T=60sec, Holddown=$HD_T=180sec #Ref12
• BGP -> Lab8

neighbor timers
timers bgp
  ! Configure
  ! On Cisco IOS, IOS-XR
  router bgp $BGP
   timers bgp $KA_T $HD_T $MIN_HD_T_FROM_NEIGHBOR
   ! AND/OR
   neighbor $NEIGHBOR_IP timers $KA_T $HD_T {$MIN_HD_T_FROM_NEIGHBOR}
  ! Verify
  show ip bgp neighbors | include time
  !! Displays the configured value and the value in use separately

advertisement-interval
• BGP#advertisement-interval
• Similarly on IOS-XR under neighbor configuration mode
• By default, for eBGP peers it's 30sec and for iBGP peers it's 5sec/0sec depending on the IOS version or IOS-XR
  ! On IOS, IOS-XR
  router bgp $ASN
   neighbor $REMOTE_PEER advertisement-interval $ADV_INTERVAL
  ! Verify
  show bgp neighbor $REMOTE_PEER | include advertisement


update-delay
• BGP#update-delay
• Arguments (only on IOS-XR)
  ♦ always
    ◊ wait for the entire $UPDATE_DELAY timer to expire even when neighbors have finished sending their initial BGP updates
• Default is 120sec
  ! On IOS, IOS-XR
  router bgp $ASN
   bgp update-delay $UPDATE_DELAY
  ! Verify
  TODO

graceful-restart
• Distributed Router Architecture#GR in BGP
• Only for Cisco distributed systems (not 3600, 7200, etc.)
• This actually enables Distributed Router Architecture#NSF awareness on the neighbor and the local router
• Requirements:
  ♦ graceful-restart command without any options
  ♦ Requires restarting the BGP session (clear bgp)
  ♦ Needs to be enabled on the local peer and all of its neighbors
• Arguments:
  ♦ restart-time $RT
    ◊ Default 120sec
    ◊ After the neighbor restarts, the local router waits $RT seconds for an Open message from the peer (that is down) before deleting the stale routes
  ♦ stalepath-time $ST
    ◊ Default 360sec
    ◊ After the neighbor restarts, the local router waits $ST seconds for the EOR message from the peer (that is down) before deleting the stale routes
  ♦ purge-time $PT (on IOS-XR only)
    ◊ Default 600sec
    ◊ "maximum time before stale routes are purged from the routing information base (RIB) when the local BGP process restarts"
  ♦ graceful-reset (on IOS-XR only)
    ◊ When configured, resets the peer after configuring graceful restart (i.e. to avoid clear bgp)

  ! On Cisco IOS, IOS-XE
  ! Needs to be enabled on all of R1's peers
  R1#
  router bgp $MY_AS
   bgp graceful-restart
   ! Separately configured
   ! Optional
   bgp graceful-restart {restart-time $RT stalepath-time $ST}
  ! Verification
  !! Prefixes with the S flag are stale
  show ip bgp | include S
  show ip bgp neighbors
  !! Displays EOR
  debug ip bgp
  ! On IOS-XR
  show bgp process

nsr
• Distributed Router Architecture#NSR
  ! Only on Cisco IOS-XR
  ! Needs to be enabled on all of R1's peers
  R1#
  router bgp $MY_AS
   nsr
  ! Verification
  show bgp neighbors nsr
  show bgp nsr

bgp default
bgp default route-target filter
• MPLS/L3VPN/Config#bgp default route-target filter

bgp dampening
• Configures BGP#Route Dampening
• Requirements:
  ♦ Just needs to be configured on this router only (no need to configure on the peers)
  ♦ The flapping route needs to be accessible by this router
• On IOS, in case of using a route-map, make sure that you DO NOT configure a route-map with set dampening and a separate bgp dampening configuration together
• Arguments:
  ♦ Look into BGP#Route Dampening

IOS
  router bgp $ASN
   address-family $FAMILY
    bgp dampening {$HALF_LIFE {$REUSE_PENALTY $SUPPRESS_LIMIT $MAX_SUPPRESS_TIME} route-map $RP}
  ! Verification
  show ip bgp $ROUTE | include penalty
  show ip bgp dampening
  clear ip bgp dampening
  debug ip bgp damp

In case of using a route-map
  router bgp $ASN
   address-family $FAMILY
    bgp dampening route-map DAMPEN
  ip prefix-list $NW seq 5 permit 1.0.0.0/24 le 32
  route-map DAMPEN permit 5
   match ip address prefix-list $NW
   set dampening $HALF_LIFE $REUSE_PENALTY $SUPPRESS_LIMIT $MAX_SUPPRESS_TIME

IOS-XR
  router bgp $ASN
   address-family $FAMILY
    bgp dampening {$HALF_LIFE {$REUSE_PENALTY $SUPPRESS_LIMIT $MAX_SUPPRESS_TIME} route-policy $RP}
  ! Verification
  show bgp $ROUTE | include penalty
  show bgp flap-statistics
  show bgp dampened-paths
  show bgp neighbors flap-statistics
  show bgp neighbors dampened-paths
  clear bgp dampening
  debug bgp damp

How to see the penalty
  show ip bgp $FLAPPED_ROUTE

Path Attributes
LOCAL_PREF
• Some of the routes will have no local pref. It's because those routes are received from eBGP peers, and since eBGP peers do not include local preference, it's empty here


set local-preference
• On IOS, IOS-XE (using route-map), IOS-XR (using route-policy)
• "Typically, a router uses set local-preference command with the inbound direction for routes received from eBGP peers. Then, with no additional configuration required, the router then advertises the Local_Pref to any iBGP peers." #Ref2
  route-map $ROUTE_MAP
   match $CONDITION
   set local-preference $LOCAL_PREF
  router bgp $MY_AS
   neighbor $REMOTE_IP route-map $ROUTE_MAP {in|out}
   ! 'in' is always used if $REMOTE_IP is an eBGP peer
  ! Verify
  show ip bgp $Nw

bgp default local-preference
• On IOS, IOS-XE (using route-map), IOS-XR (using route-policy)
  router bgp $MY_AS
   bgp default local-preference $LOCAL_PREF
   ! Changes the default local pref from 100 to $LOCAL_PREF

Weight
set weight
• On IOS, IOS-XE (using route-map), IOS-XR (using route-policy)
• set weight is used in a route-map that is always applied to incoming routing updates (route-map in)
• $WEIGHT2 (set weight) overrides $WEIGHT1 (neighbor weight)
  ! On IOS, IOS-XE
  ! Configuration
  router bgp $MY_AS
   neighbor $NEIGHBOR weight $WEIGHT1
   neighbor $NEIGHBOR route-map $SET_WEIGHT in
  access-list 1 permit any
  route-map $SET_WEIGHT permit 10
   match ip address 1
   set weight $WEIGHT2
  route-map $SET_WEIGHT permit 20
  ! Verification
  ! On the local router
  clear ip bgp $REMOTE_IP soft
  show ip bgp $Nw longer-prefixes


AS_PATH
• On IOS, #set as-path
• On IOS-XR, #prepend as-path

IOS
set as-path
• set as-path tag prepends the AS_PATH with the tag found in redistributed routes
  ♦ Applies only to redistribute
• set as-path prepend $AS_NO1 {$AS_NO2 .. $AS_NOn}
  ♦ prepends the AS_PATH with what you provide
  ♦ The same is achieved on IOS-XR via #prepend as-path
• Usually applied to a route-map out, but can also be applied to an in route-map

  set as-path {tag | prepend $AS_NO1 {$AS_NO2 .. $AS_NOn}}
  !
  ! Examples
  route-map set-as-path-from-tag
   set as-path tag
  !
  router bgp 100
   redistribute ospf 109 route-map set-as-path-from-tag
  !
  route-map set-as-path
   match as-path 1
   set as-path prepend 100 100 100
  !
  router bgp 100
   neighbor 10.108.1.1 route-map set-as-path out

IOS-XR
prepend as-path
• Purpose: same as #set as-path prepend in IOS
• $AS_NO, the most-recent AS number, or the value of $PARAMETER is prepended $TIMES times
• $TIMES is optional. Defaults to 1
  route-policy $RPL_NAME
   prepend as-path {$AS_NO | most-recent | $PARAMETER} {$TIMES}


ORIGIN
• policy: route-map on IOS, IOS-XE and route-policy on IOS-XR
• BGP#ORIGIN
• There are the following ways to modify the origin attribute:
  ♦ #network command without any route-map having #set origin: advertises as IGP
  ♦ #redistribute: advertises as INCOMPLETE
  ♦ #network command with a route-map having #set origin egp $AS_APPEND: the AS number $AS_APPEND gets appended
  ♦ #neighbor route-map out with #set origin only changes the origin code, but does not prepend to the AS_PATH
  ♦ #set origin can also be applied to #neighbor route-map in

set origin
  ! On Cisco IOS, IOS-XE
  access-list $ACL permit $Nw
  route-map $MAP
   match ip address $ACL
   set origin {egp $AS_APPEND | incomplete | igp}
   ! Use egp $AS_APPEND with the network command only
  router bgp $MY_AS
   neighbor $NEIGHBOR route-map $MAP1 out
   ! OR
   neighbor $NEIGHBOR route-map $MAP2 in
   ! OR
   network $Nw route-map $MAP3
  ! clear ip bgp must be done to activate the route-map
  clear ip bgp * soft
  ! Verify on the remote neighbor for route-map out or network route-map
  ! Verify on the local router for route-map in
  show ip bgp $Nw

MED
set metric
• Only on IOS, IOS-XE.
• For IOS-XR, use "set med", which does exactly what this command does
• policy: route-map on IOS, IOS-XE and route-policy on IOS-XR
• Used on a policy out with "set metric"
• The neighbor for which the policy is applied must be an eBGP neighbor
• If set metric is not used at all, the default MED is the IGP metric of the local router

  ! On Cisco IOS, IOS-XE
  route-map $MAP
   match ip address $ACL
   set metric $METRIC
   ! If $METRIC is not given, the above command is not used at all.
  router bgp $MY_AS
   neighbor $NEIGHBOR route-map $MAP out
  ! clear ip bgp must be done to activate the route-map
  clear ip bgp * soft
  ! Verify
  show ip bgp $ROUTE

always-compare-med
To allow comparing MEDs for multiple routes (to the same prefix) traversing different ASes (i.e. the AS_PATH is different)
• By default, this is disabled, as MED by definition is only supposed to compare routes from the same AS
• Only on IOS, IOS-XE. No such configuration in IOS-XR
• Must be configured on the router that is comparing the MEDs (i.e. the peer/upstream routers must have configured set metric)

  ! Nw1-R1-R2-R3-Nw1, eBGP sessions
  ! On Cisco IOS, IOS-XE
  R1# (same on R3)
  route-map $MAP
   match ip address $ACL
   set metric $METRIC
  !
  router bgp $ASN
   neighbor $R2 route-map $MAP out
  R2#
  ! R2 has two routes to Nw1, via R1 and via R3
  router bgp $ASN
   bgp always-compare-med

ATOMIC_AGGREGATE
• BGP#ATOMIC_AGGREGATE
• #aggregate-address without the as-set option

AGGREGATOR
• BGP#AGGREGATOR
• #aggregate-address without the as-set option
  ♦ NOTE: Cisco implemented that ATOMIC_AGGREGATE is always sent with AGGREGATOR (containing the RID and AS# of the aggregating router)


AS_SET
• #aggregate-address with the as-set option
• BGP#AS_SET

AS_CONFED_SET
• BGP#AS_CONFED_SET
• #bgp confederation identifier and #aggregate-address with the as-set option

COMMUNITY
• BGP#COMMUNITY
• "While communities themselves do not alter the BGP decision making process, communities can be used as flags in order to mark a set of routes. Upstream service provider routers can then use these flags to apply specific routing polices (for example, local preference) within their network." #Ref300
• "The attribute consists of a set of four octet values that specify a community. The community attribute values are encoded with an Autonomous System (AS) number in the first two octets, with the remaining two octets def
ined by the AS" #Ref300
  ♦ In short, community format: XX:YY (where XX is an AS# and YY is defined by the AS)
• Requirements to set a community; configure these on the router that is setting the community:
  ♦ #set community
  ♦ Give the command #neighbor send-community on all routers that need to send the community
  ♦ On IOS, #ip bgp-community new-format to use the XX:YY format (default on IOS-XR)
• Requirements to match a community; configure these on the router that is matching the community:
  ♦ #ip community-list
  ♦ #match community
  ♦ On IOS, #ip bgp-community new-format to use the XX:YY format (default on IOS-XR)

  ! On IOS, IOS-XE
  ! Configuration
  router bgp $MY_AS
   neighbor $REMOTE_PEER route-map $MAP out
   neighbor $REMOTE_PEER send-community
  !
  route-map $MAP
   match ip address 1
   set community 200 additive
   ! OR
   set community no-advertise
  !
  clear ip bgp * out
  ! Verification
  show ip bgp $ROUTE | include Community
  show ip bgp community


neighbor send-community
In order to send the BGP COMMUNITY to a neighbor in the Update message, this command must be given

IOS
• By default, "In IOS, communities (standard and extended) are never sent unless send-community is configured." #Ref301
• Arguments:
  ♦ Type of community to send - {standard|extended|both}
  ♦ Defaults to standard (if not configured)
  ♦ standard is used for all IPv4 address-families
  ♦ extended is used in MPLS-VPN (BGP#Extended Community) or #BGP Cost Community
• Must be configured on routers that need to send the BGP community to $REMOTE_PEER (i.e. on all iBGP and eBGP peers)

  ! On IOS, IOS-XE
  ! Configure on all routers that need to send COMMUNITY
  router bgp $MY_AS
   neighbor $REMOTE_PEER send-community {standard|extended|both}

IOS-XR
• By default, "in IOS-XR, communities (standard and extended) are sent by default on iBGP sessions but not on eBGP sessions." #Ref301
• Arguments:
  ♦ Defaults to standard only for iBGP peers (if not configured)
  ♦ send-community-ebgp on XR == send-community on IOS (standard community)
  ♦ send-extended-community-ebgp on XR == send-community extended on IOS (extended community)

  ! On IOS-XR
  router bgp $MY_AS
   neighbor $REMOTE_PEER
    {send-community-ebgp | send-extended-community-ebgp}
  ! Example
  !! The following XR config is equal to the IOS config below
  router bgp $MY_AS
   neighbor $REMOTE_PEER
    send-community-ebgp
    send-extended-community-ebgp
  !! The following IOS config is equal to the XR config above
  router bgp $MY_AS
   neighbor $REMOTE_PEER send-community both

ip bgp-community new-format
• Only on IOS, to use the BGP community's new format of XX:YY instead of a single 4-octet number
• On IOS-XR, the new format is always used
• Must be configured on all routers that are doing #match community or #set community with the new format

  ! Only on IOS, IOS-XE
  ip bgp-community new-format
  ! Old style (before configuration)
  Router# show ip bgp 6.0.0.0 | include Community
    Community: 6553620
  ! New style (after configuration)
  Router# show ip bgp 6.0.0.0 | include Community
    Community: 100:20
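Added Python helpers (not Cisco's code) for the two community encodings shown above, the well-known values used in the set community examples, and the difference between additive and replacing set community; the sample "Community:" line and the community values are constructed.

```python
import re
from typing import List

# Example helpers (not Cisco's) for the COMMUNITY encodings above: the
# single 32-bit decimal IOS prints without "ip bgp-community new-format"
# and the XX:YY form, where XX is the AS number in the high 16 bits and
# YY the AS-defined value in the low 16 bits.

# Well-known communities as IOS names them in show output.
WELL_KNOWN = {
    0xFFFFFF01: "no-export",
    0xFFFFFF02: "no-advertise",
    0xFFFFFF03: "local-AS",
}


def community_to_new_format(value: int) -> str:
    """6553620 -> '100:20'; well-known values get their names."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("a community is a 32-bit value")
    if value in WELL_KNOWN:
        return WELL_KNOWN[value]
    return f"{value >> 16}:{value & 0xFFFF}"


def community_from_new_format(text: str) -> int:
    """'100:20' -> 6553620; well-known names and plain decimals are accepted too."""
    for val, name in WELL_KNOWN.items():
        if text.lower() == name.lower():
            return val
    if ":" in text:
        asn_s, local_s = text.split(":", 1)
        asn, local = int(asn_s), int(local_s)
        if not (0 <= asn <= 0xFFFF and 0 <= local <= 0xFFFF):
            raise ValueError("each half of XX:YY is a 16-bit value")
        return (asn << 16) | local
    return int(text)


def normalize_show_community(line: str) -> str:
    """Rewrite a 'Community: ...' line from 'show ip bgp' into the XX:YY format."""
    m = re.match(r"^(\s*Community:\s*)(.*)$", line)
    if not m:
        return line
    values = [community_to_new_format(community_from_new_format(v))
              for v in m.group(2).split()]
    return m.group(1) + " ".join(values)


def apply_set_community(existing: List[str], new: List[str],
                        additive: bool = False) -> List[str]:
    """'set community ... additive' appends to the existing list; without
    additive it replaces the list; 'set community none' clears it."""
    if new == ["none"]:
        return []
    result = list(existing) if additive else []
    for c in new:
        if c not in result:
            result.append(c)
    return result


if __name__ == "__main__":
    # Constructed old-format show output line.
    print(normalize_show_community("  Community: 6553620 4294967041"))
    print(apply_set_community(["100:20"], ["200:1"], additive=True))
    print(apply_set_community(["100:20"], ["200:1"]))
```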

ip community-list
• Router/Config/route-map#ip community-list

match community
• Router/Config/route-map#match community
• "if community" Router/Config/route-map#community-set

set community
• Router/Config/route-map#set community
• Router/Config/route-policy#set community

set comm-list
• Router/Config/route-map#set comm-list

Known Communities
• internet: advertise to all peers (generally used to match any community in an ip community-list)

NO_EXPORT
A simple case shows the usage: Nw1-R1-R2-R3, each in its own AS

  ! Case where R1 sets no-export, and R2 honours it
  R1#
  router bgp 1
   neighbor $R2 remote-as 2
   neighbor $R2 send-community
   neighbor $R2 route-map SEND_COMM out
  !
  access-list 1 permit $Nw1
  !
  route-map SEND_COMM permit 10
   match ip address 1
   set community no-export
  route-map SEND_COMM permit 20
  !
  R2#
  router bgp 2
   neighbor $R1 remote-as 1
   neighbor $R3 remote-as 3
  !
  R3# show ip bgp $Nw1
  ! No route should be present

  ! Case where R1 sets no-export, and R2 overrides it
  R2#
  router bgp 2
   neighbor $R1 remote-as 1
   neighbor $R3 remote-as 3
   neighbor $R3 route-map OVERRIDE_COMM out
  !
  access-list 1 permit $Nw1
  !
  route-map OVERRIDE_COMM permit 10
   match ip address 1
   set community none
  route-map OVERRIDE_COMM permit 20
  !
  R3# show ip bgp $Nw1
  ! Route should be present

BGP Cost Community
• BGP/MBGP#BGP Cost Community

neighbor soo
• Only on IOS
• Not frequently used; use Router/Config/route-map#set extcommunity soo instead

neighbor send-label
• This allows the BGP speaker to send the MPLS label along with the prefix to the neighbor
• This is primarily used where a BGP speaker is also an LDP speaker and has routes mapped to MPLS labels that are not present in the IGP network, but only in the BGP table
• Use cases: MPLS/L3VPN/Config#6PE, MPLS/L3VPN/Config#Multihop VPNv4 BGP Exchange
• This serves exactly the same purpose as MPLS/Config#mpls ip
• Requirements:
  ♦ The neighbor must also be configured with this (i.e. bidirectional configuration)
  ♦ next-hop-self must be configured to change the label (https://supportforums.cisco.com/thread/2114830)
    ◊ NOTE: For network $Prefix-R1-R2-R3, say $Prefix originated at R1; it will be advertised to R2, R3, ... with the same label X until some BGP peer along the way changes the $Prefix's next-hop.
      ⋅ If no next-hop-self is configured, you might get into a situation where the same label gets added, and the next-hop doesn't have any entry for that label (MPLS/VPN/CSC/Config#Without next-hop-self on CSC_PE)
• NOTE: LDP#Is it possible to allocate a local binding to a BGP learned route
• NOTE: send-label in relation to LDP
  ♦ send-label only works (i.e. the data plane, not the control plane) for EBGP/IBGP directly connected sessions without LDP (BGP/Labs/Lab18)
  ♦ also with EBGP/IBGP multi-hop with LDP
  ♦ However, "mpls bgp forwarding" needs to be configured manually for IBGP directly connected peers, whereas it is automatically configured when using EBGP directly connected peers
  ! On IOS
  router bgp $ASN
   neighbor $REMOTE_PEER send-label
   neighbor $REMOTE_PEER next-hop-self
  ! Verify
  show ip bgp | include label
  show ip bgp | include advertised and received
  ! Example
  ! Network $Prefix-R1-R2-R3 with IBGP R1-R2 and R2-R3
  R1#
  router bgp 123
   neighbor $R2 remote-as 123
   neighbor $R2 send-label
   network $Prefix
  R2#
  router bgp 123
   neighbor $R1 remote-as 123
   neighbor $R1 send-label
   neighbor $R3 remote-as 123
   neighbor $R3 send-label
   ! If next-hop-self is not configured
   ! "R3#show mpls forwarding $Prefix" == "R2#show mpls forwarding $Prefix"
   neighbor $R3 next-hop-self
  R3#
  router bgp 123
   neighbor $R2 remote-as 123
   neighbor $R2 send-label
  ! Label advertised by R1 to R2 is $Label_R1
  R1#show ip bgp labels
     Network    Next Hop   In label/Out label
     $Prefix    0.0.0.0    $Label_R1/nolabel
  ! Because the next-hop for $Prefix changed at R2,
  ! a new label is advertised by R2 to R3, called $Label_R2
  R2#show ip bgp labels
     Network    Next Hop   In label/Out label
     $Prefix    $R1        $Label_R2/$Label_R1
  R3#show ip bgp labels
     Network    Next Hop   In label/Out label
     $Prefix    $R2        nolabel/$Label_R2


IOS-XR
The equivalent of the above under IOS-XR uses:
  ♦ BGP/MBGP/Config#address-family ipv4 labeled-unicast
  ♦ BGP/MBGP/Config#allocate-label, which is similar to Router/Config/route-map#set mpls-label

mpls ip vs send-label
The general rule to remember for MPLS label preference is:
• If the prefix in the routing table is an IGP entry (where the IGP has LDP enabled), the LDP label is preferred
• If the prefix in the routing table is a BGP entry (where BGP has send-label configured), the BGP label is preferred
Therefore, the label from mpls ip is independent of send-label
• i.e. send-label can be configured without mpls ip and vice versa

mpls bgp forwarding
• Automatically configured when send-label is enabled
• Also automatically configured when two different ASNs run VPNv4 and no MPLS LDP (MPLS/L3VPN/Config#VPNv4 BGP Exchange)
• Only on IOS
  ♦ On IOS-XR, similar to mpls activate (BGP/MBGP/Config#address-family ipv4 labeled-unicast)
  ! On IOS
  ! PE2_ISP1-PE1_ISP2
  PE2_ISP1#
  interface $TO_PE1_ISP2
   mpls bgp forwarding

RTBH
• BGP#RTBH
• Example
  • Destination-RTBH
    ! Network: Attacker-Internet-EdgeRouters-*-TriggerRouter-*-Victim
    TriggerRouter#
    !! $VICTIM_ROUTE present in Routing Table
    router bgp
     neighbor $ALL_NEIGHBORS send-community
     network $VICTIM_ROUTE route-map SET_COMMUNITY
    !
    route-map SET_COMMUNITY permit 10
     set community $RTBH_COMMUNITY
    !
    EdgeRouters#
    router bgp
     neighbor $Neighbor_Connected_To_TRIGGER_Router route-map DEST-RTBH in
     neighbor $Neighbor_Connected_To_TRIGGER_Router send-community
    !
    ip community-list 1 permit $RTBH_COMMUNITY
    route-map DEST-RTBH permit 10
     match community 1
     set ip next-hop $DUMMY_NW
    route-map DEST-RTBH permit 20
    !
    ! $DUMMY_NW - Private unreachable IP
    ip route $DUMMY_NW Null0
    !
    int null0
     no ip unreachables
    !
  • Source-RTBH
    ♦ Use ip verify unicast source reachable-via any to make sure that any traffic on the interface is checked for uRPF of the source. Since Null0 is considered an RPF fail, the DoS traffic doesn't go into the customer network
    ! Network: Attacker-Internet-EdgeRouters-*-TriggerRouter
    EdgeRouters#
    ! Same as Destination-RTBH
    int $INT_Facing_Internet
     ! Before sending DoS traffic to the victim, do an RPF check on $Source first
     ! The check fails, therefore the traffic is not allowed
     ip verify unicast source reachable-via any
    TriggerRouter#
    !! $ATTACKER_ROUTE present in Routing Table
    router bgp
     redistribute static route-map SOURCE-Trigger
    !
    route-map SOURCE-Trigger permit 10
     match tag $TAG
     set community $RTBH_COMMUNITY no-export
    !
    ip route $ATTACKER_ROUTE Null0 tag $TAG
    !
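The edge-router behaviour above (the DEST-RTBH inbound route-map, the Null0 static route for $DUMMY_NW, and loose-mode uRPF for Source-RTBH), as an added Python model that is not part of the original notes nor Cisco code; the community value, addresses and topology are assumed, constructed values:

```python
"""Model of the Destination- and Source-RTBH behaviour described above.
Added example, not Cisco code: a toy edge router whose inbound route-map matches
$RTBH_COMMUNITY and sets the next-hop to $DUMMY_NW, which a static route sends
to Null0. Community value, addresses and topology are constructed."""
from ipaddress import IPv4Address, IPv4Network

RTBH_COMMUNITY = "65000:666"           # assumed value for $RTBH_COMMUNITY
DUMMY_NH = IPv4Address("192.0.2.1")    # assumed $DUMMY_NW (TEST-NET-1, never routed)


class EdgeRouter:
    """Edge router with 'route-map DEST-RTBH in' on the session toward the trigger router."""

    def __init__(self):
        # ip route $DUMMY_NW Null0, a default route to the uplink, and the
        # connected customer link (constructed topology)
        self.rib = {
            IPv4Network("192.0.2.1/32"): "Null0",
            IPv4Network("0.0.0.0/0"): "uplink",
            IPv4Network("10.0.0.0/30"): "customer-link",
        }

    def bgp_update(self, prefix, next_hop, communities=()):
        """Inbound policy: match community 1 -> set ip next-hop $DUMMY_NW;
        anything else keeps its advertised next-hop (sequence 20: permit)."""
        nh = DUMMY_NH if RTBH_COMMUNITY in communities else IPv4Address(next_hop)
        self.rib[IPv4Network(prefix)] = nh

    def resolve(self, addr):
        """Longest-prefix match, recursing through IP next-hops until an
        interface name is reached (Null0 for black-holed prefixes)."""
        addr = IPv4Address(addr)
        best = max((n for n in self.rib if addr in n), key=lambda n: n.prefixlen)
        nh = self.rib[best]
        return nh if isinstance(nh, str) else self.resolve(nh)

    def forward(self, src, dst, urpf_loose=False):
        """Disposition of one packet: 'drop:<reason>' or 'forward:<interface>'.
        urpf_loose models 'ip verify unicast source reachable-via any': the
        source must resolve to a real interface, and Null0 is an RPF failure."""
        if urpf_loose and self.resolve(src) == "Null0":
            return "drop:urpf-fail"        # Source-RTBH drops the attacker's packets
        out = self.resolve(dst)
        return "drop:null0" if out == "Null0" else f"forward:{out}"


if __name__ == "__main__":
    r = EdgeRouter()
    r.bgp_update("203.0.113.0/24", "10.0.0.2")                      # customer prefix
    r.bgp_update("203.0.113.10/32", "10.255.0.1", [RTBH_COMMUNITY])  # victim host route
    print(r.forward("198.51.100.7", "203.0.113.10"))                # drop:null0
    r.bgp_update("198.51.100.7/32", "10.255.0.1", [RTBH_COMMUNITY])  # attacker source
    print(r.forward("198.51.100.7", "203.0.113.20", urpf_loose=True))  # drop:urpf-fail
```

Without urpf_loose the Source-RTBH route only black-holes traffic sent back toward the attacker, which is why the notes pair it with the uRPF check on the internet-facing interface.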

password
• Configuring this enables authentication of the TCP session between the BGP neighbors
• The same password must be configured on both neighbors
• Configuring this command takes effect right away. If the neighbor doesn't have the password configured, the keepalive messages received by the local router are rejected, and once the hold-time expires the BGP session goes down
• The only verification is to look for the IP-TCP-BADAUTH syslog message
• BGP/Tshoot#BGP Neighbor Password Mismatch
  ! On IOS, IOS-XR
  router bgp $ASN
   ! Similarly on $REMOTE_PEER
   neighbor $REMOTE_PEER password $PWD
  ! Verify
  show log | i BADAUTH
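What the password does on the wire is the RFC 2385 TCP MD5 signature option. As an added example (not Cisco code and not part of the original notes), this signs and verifies a constructed BGP KEEPALIVE segment; the addresses, ports and key are assumed values.

```python
"""RFC 2385 TCP MD5 signature, the mechanism behind 'neighbor $PEER password'.
Added example (not Cisco code): signs and verifies a constructed BGP KEEPALIVE
segment, showing why a mismatched password surfaces only as dropped segments."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

MD5_OPT = 19   # TCP option kind for the MD5 signature (RFC 2385)


def tcp_md5_digest(src_ip, dst_ip, tcp_hdr, options, payload, key):
    """Digest over the pseudo-header, the fixed TCP header with checksum treated
    as zero (options excluded), the segment data, and finally the password."""
    seg_len = len(tcp_hdr) + len(options) + len(payload)   # TCP length incl. options
    pseudo = (IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, seg_len))         # zero, proto TCP, length
    hdr = bytearray(tcp_hdr[:20])
    hdr[16:18] = b"\x00\x00"
    return hashlib.md5(pseudo + bytes(hdr) + payload + key).digest()


def build_keepalive(src_ip, dst_ip, key, sport=49152):
    """Constructed signed segment: 20-byte TCP header, 20 bytes of options (kind 19,
    length 18, digest, two NOP pads) and a BGP KEEPALIVE (marker, length 19, type 4)."""
    payload = b"\xff" * 16 + struct.pack("!HB", 19, 4)
    opt_len = 20
    data_off = (20 + opt_len) // 4
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, 179, 1, 1, data_off << 4, 0x18, 65535, 0, 0)
    digest = tcp_md5_digest(src_ip, dst_ip, tcp_hdr, b"\x00" * opt_len, payload, key)
    return tcp_hdr + bytes([MD5_OPT, 18]) + digest + b"\x01\x01" + payload


def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver side: recompute the digest with the local password and compare.
    False for a missing or mismatched signature; a real stack silently drops such
    segments, so the peer sees no error, only keepalives that never arrive."""
    tcp_hdr = segment[:20]
    data_off = (tcp_hdr[12] >> 4) * 4
    options, payload = segment[20:data_off], segment[data_off:]
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP padding
            i += 1
            continue
        if kind == MD5_OPT:
            received = options[i + 2:i + 18]
            expected = tcp_md5_digest(src_ip, dst_ip, tcp_hdr, options, payload, key)
            return hmac.compare_digest(received, expected)
        i += options[i + 1]
    return False
```

Because the digest covers the pseudo-header, the same password on a session with swapped or different addresses also fails, which matches the symptom list above: nothing but BADAUTH on the receiver and a hold-time expiry on the sender.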

password-disable
• Only on IOS-XR; used to override the password configured under #session-group and disable it
  ! On IOS-XR
  !! This router will effectively not use a password
  router bgp $ASN
   session-group test
    password $PWD
   neighbor $REMOTE_PEER
    use session-group test
    password-disable

bgp scan-time
bgp scan-time is the interval at which the router scans the RIB to verify that the prefixes installed in the routing table have valid next-hops. Therefore, the longer the interval, the higher the probability of a black hole forming
• TODO: How to verify bgp scan-time

BGP Support for Next-Hop Address Tracking TODO: http://www.cisco.com/en/US/docs/ios/iproute_bgp/configuration/guide/irg_adv_features.html#wp1056214

Configuring Table Policy
This command allows the local router to apply a route-map (or RPL) to modify incoming BGP routing updates coming from all BGP peers
• Used in QPPB, or in general
  ♦ On IOS, "Using the BGP table-map command, prefixes added to the routing table are classified by BGP attribute, autonomous system number, or autonomous system path" #Ref700
    ◊ Similarly on IOS-XR
  ♦ In other words, table-map/table-policy is used to modify the final status of local prefixes, as the $ROUTE_MAP/$RPL applies to all incoming BGP updates


table-map
This command allows the local router to apply a route-map to modify incoming BGP routing updates coming from matched BGP peers, which is then used to QoS-mark the outgoing traffic from the local AS to those matched BGP peers
• Only on IOS
• Compared to #neighbor route-map, table-map's route-map applies to all BGP peers
  ! On IOS
  router bgp $ASN
   table-map $ROUTE_MAP
  !
  ! Example
  ! Network: 3.0.0.1 - (AS3) - (AS1) - (AS2) - 2.0.0.1
  ! All routers are eBGP peers
  ! Apply table-map on AS1 to tag routes originating from AS2 with 2
  AS1#
  router bgp 1
   table-map $TAG_AS2_NETWORKS_WITH_2
  !
  ip as-path access-list 1 permit _2$
  route-map $TAG_AS2_NETWORKS_WITH_2
   match as-path 1
   set tag 2
  ! Verify
  AS1#show ip bgp route 2.0.0.1 | include Route
  Route tag 2

table-policy
This command allows the local router to apply a route-policy to modify incoming BGP routing updates coming from all BGP peers
• Only on IOS-XR
• Compared to #neighbor route-policy, table-policy's route-policy applies to all BGP peers
  ! On IOS-XR
  router bgp $ASN
   address-family {ipv4|ipv6} {unicast|multicast}
    table-policy $RPL
  !
  ! Example
  ! Network: 3.0.0.1 - (AS3) - (AS1) - (AS2) - 2.0.0.1
  ! All routers are eBGP peers
  ! Apply table-policy on AS1 to tag routes originating from AS2 with 2
  AS1#
  !
  as-path-set AS2
    ios-regex '_2$'
  end-set
  !
  route-policy TAG_AS2_NETWORKS_WITH_2
    if as-path in AS2 then
      set tag 2
    else
      pass
    endif
  end-policy
  !
  router bgp 1
   address-family ipv4 unicast
    table-policy TAG_AS2_NETWORKS_WITH_2
   !
  !
  ! Verify
  AS1#show bgp route 2.0.0.1 | include Route
  Route tag 2
  show bgp policy

Configuring Policy
This is used to configure:
• QPPB
  ♦ This command forces the packets coming into $INT that get matched by source|destination IP address in the IP routing table to be marked depending on the QPPB#Route Marking done via #table-map
• BGP Policy Accounting

IOS bgp-policy
• {source|destination ip-prec-map|ip-qos-map} - QPPB#Configuring QPPB
• {accounting input} - BGP Policy Accounting#BGP/Config Policy Accounting
• #Ref801
  ! On IOS
  interface $INT
   bgp-policy {source ip-prec-map|ip-qos-map | destination ip-prec-map|ip-qos-map | accounting input}

IOS-XR bgp policy
• {propagation} - QPPB#Configuring QPPB
• {accounting} - BGP Policy Accounting#BGP/Config Policy Accounting
• #Ref802
  ! On IOS-XR
  interface $INT
   ! QPPB
   {ipv4|ipv6} bgp policy propagation {input} {ip-precedence | qos-group} {destination | source}
   ! BGP Policy Accounting
   ipv6 bgp policy accounting { input | output { destination-accounting [source-accounting] | source-accounting [destination-accounting] } }

BGP PMTUD
• BGP#BGP PMTUD
• By default, it's enabled on the latest IOS
• Not on IOS-XR
• Can be disabled by:
  ! On IOS
  router bgp
   neighbor $PEER transport path-mtu-discovery disable
  ! Verify
  show ip bgp neighbor | i Data|MTU|transport|MSS

NHT
• BGP#NHT
• Enabled by default
• Not on IOS-XR
• To disable:
  ! On IOS
  router bgp
   address-family $FAMILY
    ! To disable NHT
    no bgp nexthop trigger enable
    ! To increase the delay for BGP to wait before
    ! doing a full IGP table walk
    bgp nexthop trigger delay $DELAY
    ! Apply NHT for certain prefixes only
    bgp nexthop route-map $MAP
  route-map $MAP
   match ip address prefix-list $PL

PIC
• BGP#PIC
• Configuring: additional-paths install backup
  ♦ Must be configured on all routers that have multiple paths to a prefix
  ♦ It's recommended not to configure maximum-path along with this configuration (TODO???)
• Similarly on IOS-XR
  router bgp
   address-family $FAMILY
    additional-paths install backup

Link Bandwidth
• BGP Link Bandwidth is an extended community that enables unequal load balancing over DMZ links (eBGP links)
• The BGP community used here carries the eBGP link's bandwidth
• BGP/Labs/Lab16
• Good Example
• Config Requirements:
  1. Configure #maximum-paths on the router that has two paths to a destination ($DNw)
  2. Configure DMZ Links: "neighbor $EBGP_PEER dmzlink-bw" on IOS (On IOS-XR, use "neighbor dmz-link-bandwidth")
  3. Exchange the Link Bandwidth community between iBGP peers: "bgp dmzlink-bw" along with "send-community extended" on IOS (On IOS-XR, it's not there, but use "bgp bestpath as-path multipath-relax" to allow multipath over different ASNs)
    ◊ NOTE: You might have to enable "ip load-sharing per-packet" on all outgoing interfaces at R1_ISP1
• More information on unequal cost load balancing: Ref
                     - R2_ISP2 -
    $SNw - R1_ISP1 -|           |--- $DNw
                     - R3_ISP2 -
  !
  ! IOS
  R1_ISP1#
  router bgp 1
   address-family ipv4 unicast
    ! DMZ Links
    maximum-paths 32         ! Allow eBGP multipath
    maximum-paths ibgp 32    ! Allow iBGP multipath
    neighbor $R2_ISP2 remote-as 2
    neighbor $R2_ISP2 dmzlink-bw
    neighbor $R3_ISP2 remote-as 2
    neighbor $R3_ISP2 dmzlink-bw
    !
    ! Exchange Link Community
    bgp dmzlink-bw
    neighbor $R0_ISP1 remote-as 1
    neighbor $R0_ISP1 send-community extended


BGP show commands

show ip bgp
• show ip bgp {Prefix}
• Lists the BGP IP table
• If PREFIX is not provided, lists the whole table, else only the entry for that prefix
• If prefix == 0.0.0.0 0.0.0.0, lists default routes

show ip bgp neighbors received-routes
• show ip bgp neighbors received-routes
• Lists the pre-inbound-filter routes received from a neighbor
• Requires neighbor soft-reconfiguration inbound
• This consumes a lot of memory

show ip bgp neighbors routes
• show ip bgp neighbors routes
• Lists the post-inbound-filter best routes received from a neighbor
• These go into the BGP table (show ip bgp)

show ip bgp neighbors advertised-routes
• show ip bgp neighbors advertised-routes
• Lists the post-outbound-filter routes advertised to a neighbor

show ip bgp rib-failure
• Lists all the routes that didn't make it into the IP routing table from the RTM (indicating the reason)

FAQs
Can you configure multiple BGP sessions between two routers
• Yes, using different IP addresses (interface or loopback)
• BGP -> Lab5

Why configuring multiple BGP sessions between two routers is not a good idea
• This will cause multiple BGP updates, thereby increasing the size of the BGP table (show ip bgp)
• BGP -> Lab5

Can multi-hop and ttl-security be applied on the same router
• No. They are mutually exclusive

What happens if an eBGP-multihop session is established and later the command ebgp-multihop is removed
• The BGP connection dies after the holddown timer times out

How do you configure an iBGP session
• #Neighbor with $REMOTE_AS=$MY_AS

What happens to the next-hop of iBGP routes in case next-hop-self is configured
• Nothing, as you need the #Workaround for next-hop-self on route reflector

A customer would like to connect to a service provider. Which of the following requirements should be considered before deciding on a type of connectivity?
• Application Availability
• Redundancy

Customer networks that can be summarized in a service provider network should be tagged with the no-export BGP community when redistributed into BGP?
• Yes

What process can run in multiple instances in BGP
• The BGP speaker process can be distributed into multiple instances

When RIP is redistributed into BGP, RIP's metric becomes which BGP attribute
• MED


Is a route-policy required between iBGP neighbors in IOS-XR, like it is required for eBGP
• No

Labs
• Enterprise Network -> Basic Peering - My Lab -> My GNS -> BGP -> Lab1
• ISP Network -> BGP Basics - My Lab -> My GNS -> BGP -> Lab2
• ISP Network -> BGP Policy - My Lab -> My GNS -> BGP -> Lab3

References
Ref1 BGP Next Hop Propagation: http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fs_bgpnh.html#wp1027129

Ref2 Odom, W. (2010). CCNP Route 642-902 Official Certification Guide.

Ref3 Cisco Press, CCIE TCP-IP Vol II

Ref4 http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.0/routing/configuration/guide/rc3bgp.html

Ref5 https://learningnetwork.cisco.com/docs/DOC-11233

Ref10 http://www.networkworld.com/community/node/18760 http://packetlife.net/blog/2009/nov/23/understanding-bgp-ttl-security/


Ref11 http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gt_btsh.html

Ref12 http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfbgp.html#wp1002274

Ref13 http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.2/routing/configuration/guide/rc32bgp.html#wp1216268

Ref14 http://www.cisco.com/en/US/docs/ios/12_3t/ip_route/command/reference/ip2_n1gt.html#wp1109875

Ref15 http://www.cisco.com/en/US/tech/tk365/technologies_q_and_a_item09186a00800949e8.shtml#five

Ref200 http://www.cisco.com/en/US/docs/ios/12_3t/ip_route/command/reference/ip2_k1gt.html#wp1075487

Ref201 http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.7/routing/command/reference/rr37bgp.html#wp1361967

Ref203 http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094431.shtml#bgpmpath

Ref300 http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a00801475b2.shtml

Ref301 https://supportforums.cisco.com/thread/2213491

Ref500 Converting IOS to IOS-XR: http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.5/xr12000_conversion/reference/guide/cn35main.html


Ref600 route-policy vs route-map: http://indiciumlabs.com/wp-content/uploads/2011/10/Route_Policy_RPL_XR_v1.pdf

Ref700 • http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bgp/configuration/xe-3s/irg-pol-acct-out.html • http://www.sgtccie.com/blog/2013/05/bgp-table-maps/ • https://learningnetwork.cisco.com/thread/6328 • http://yuri.easytospell.net/?p=1000

Ref800

Ref801 http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bgp/command/bgp-a1.html#wp2052159701

Ref802

http://www.cisco.com/en/US/docs/routers/crs/software/crs_r4.2/addr_serv/command/reference/b_ipaddr_cr42crs_chapte
