Upload
anil-alibeyoglu
View
2.715
Download
2
Embed Size (px)
DESCRIPTION
Citation preview
Anıl ALİBEYOĞLU
Network Consultant
CCIE #24974
1
Border Gateway
Protocol
Agenda
• General Information,
• Theory,
Explains every component in a very detailed fashion.
To understand theory, basic data communication + clear
routing knowledge is a pre-req.
• Implementation,
Cisco Systems IOS 12.4(25d) Advanced Enterprise code
is used during the whole implementation.
GNS3 is used for the lab. and Wireshark is used as a
packet sniffer.
2
General Information (1)
• Used for routing between "Autonomous Systems".
• Classified as a "Path Vector" routing protocol.
• Uses "Attributes" to manipulate inside/outside traffic
flow.
• Reliable since it uses TCP as a transport protocol.
• Scalable, hierarchical and loop-free.
• Secure.
• Open standard (RFC 4271).
• Internet relies on BGP.
• ISPs and enterprise customers can run BGP.
3
General Information (2)
• Is not appropriate when:
Single connection to ISP,
Policies aren’t used,
Enough memory & CPU aren’t available,
Technical staff aren’t qualified enough to operate &
troubleshoot it,
• Is appropriate when:
Multiple connections to ISPs,
Policies are used,
Enough memory & CPU are available,
Technical staff are qualified enough to operate &
troubleshoot it.
4
Theory – General Concepts (1)
• BGP can be assumed just a regular TCP application
that uses TCP port 179. So, to open a TCP connection;
proper route for the destination IP address (BGP peer in
other words) must exist in the routing table. Then
prefixes can be exchanged via established TCP
connection.
• BGP neighbors can’t be discovered, they must be
defined manually.
• Only one TCP session is maintained even if both ends
attempt for succesful TCP connection.
• All BGP messages are sent as unicast.
5
Theory – General Concepts (2)
• BGP has 2 types of neighborship:
iBGP (internal-BGP; BGP neighbors are in the same AS)
eBGP (external-BGP; BGP neighbors are in different AS’s)
• iBGP administrative distance is 200, eBGP administrative
distance is 20.
• BGP supports summarization and CIDR.
• Uses incremented/triggered updates.
• Only installs "best path" into the routing table and only
announces "best path" to other BGP peers (prefix will be
advertised must exist exactly in the routing table).
• Can use MD5 authentication between peerings.
6
Theory – General Concepts (3)
• BGP maintains 2 table:
Neighbor table (contains BGP timers and related information, prefix related information,
BGP messages sent/received to/from neighbors, address-family and denied prefixes
information…etc. In other words, contains all neighbor related information)
BGP table (contains all learned BGP prefixes, their attributes, best/all paths)
• Only best paths are put in to the routing table (if multi-path load sharing is
enabled, more than one path can be put into the routing table –up to 16 multiple
path).
• A BGP router with synchronization enabled does not install iBGP learned routes
into its routing table if it is not able to validate those routes in its IGP. (disable
sync. for best practice, mostly it’s not used)
• If sync. is enabled and IGP is OSPF, neighbors’ OSPF & BGP router IDs must be
same.
• Either disable sync. & run BGP in all routers inside the AS or keep it & redistribute
prefixes from BGP to IGP. (or Tunnel BGP over GRE, IPIP…etc.)
7
Theory – General Concepts (4)
• BGP has a Split Horizon rule which means; a prefix learned from an iBGP
neighbor can not be advertised to an other iBGP peer.
• When a router receives an UPDATE message that contains its own AS number in
AS_PATH attribute, it ignores it (this is known as AS-Path loop prevention
mechanism). Because when an UPDATE message leaves an AS, the AS number
is prepended and then UPDATE message is sent with this new AS_PATH
information.
8
Theory – General Concepts (5)
• Inside the AS, all routers must be full-meshed iBGP peer (because of
BGP Split Horizon Rule). As you guess, iBGP peers don’t modify the
NEXT_HOP attribute in UPDATE messages between each other.
• This means when you have N routers in your AS, you can clearly see that
you should have (N x [N-1]) / 2 iBGP sessions in your BGP domain.
• Of course it’s not scalable for large-scale deployments. Also number of
TCP sessions become extra overhead for the routers and multiple
duplicate routing traffic traverses all around the network. For this, there
are 2 options to solve this problem:
Route reflectors can be used (one or more routers are assigned as a
"reflector", these routers advertise routing information to clients –to non-clients
in some cases)
Confederations can be used (main AS is divided into sub-ASs, all rules
remain same; each sub-AS establishes eBGP session between each
other…etc.).
9
Theory – General Concepts (6)
• A router can belong to only one AS.
• BGP AS numbers can be between 0 to 65535.
• 0, 59392–64511 and 65535 are reserved by IANA.
• 64512-65534 can be used as a private AS (e.g. in
confederation deployments, as a sub-AS).
• Remaining part can be used as a public AS.
• In eBGP peerings, TTL value is 1. NEXT_HOP attribute
is modified between eBGP peers.
• In iBGP peerings, TTL value is 255. NEXT_HOP
attribute isn’t modified between iBGP peers.
10
Theory – Messages
• BGP has 4 message types:
OPEN
KEEPALIVE
UPDATE
NOTIFICATION
• Additionally ROUTE REFRESH message
(type 5) can be used if it’s aggreed up on the
peering.
11
Theory – OPEN Message
• After a neighbor has been configured and TCP session
has been established, firstly an OPEN message (type 1)
is sent to neighbor to form a BGP peering.
• This message contains several information such as
version of BGP (currently it’s 4), AS number, hold time
(timers are negotitated between peers) value, BGP
router-ID. Also it contains some optional parameters like
capabilities. Capabilities contain which address-family-
identifier (AFI) and sub-AFI (SAFI) can be used, also
some features such as Route Refresh.
• Next slide you can see the capture file of an OPEN
message.
12
Theory – OPEN Message Structure
13
Theory – KEEPALIVE Message
• After BGP peering has been established, periodical
KEEPALIVE messages (type 4) are sent every 60 seconds
by default.
• It’s just a simple message that doesn’t contain too much
information, it just ensures that BGP peering is UP and
working without any problem.
• If KEEPALIVE messages are not received by a neighbor in
a time frame defined in hold time value in OPEN message,
then this neighbor assumes that other side is no more a
BGP peer and it finishes the BGP session by sending a
NOTIFICATION message (we’ll see later) and also it finishes
the TCP session by sending TCP FIN packet.
14
Theory – KEEPALIVE Message Structure
15
Theory – UPDATE Message (1)
• As we mentioned in previous slides, firstly TCP connection has been
established, secondly BGP peering has been established with OPEN
messages, now it’s time to exchange prefix information between
these peers. As you guess, UPDATE messages (type 2) are used to
exchange prefix information.
• UPDATE messages contain so much information about related
prefix/prefixes and their attributes. NLRI term is used instead of prefix
in BGP world, it stands for Network Layer Reachability Information.
When the NLRI becomes unreachable somehow, UPDATE message
carries this information as "withdrawn routes".
• One UPDATE message can contain multiple NLRI information with
their attributes. And also with one TCP segment, multiple BGP
messages can be transported (see next slide).
16
Theory – UPDATE Message (2)
17
• As you see above, there’s a succesful TCP connection
and after that there’s a successful BGP peering
connection. Next, UPDATE messages are exchanged
between two BGP peers.
Theory – UPDATE Message Structure
18
• UPDATE message format with withdrawn routes:
• UPDATE message format with new routes:
Theory – NOTIFICATION Message
• NOTIFICATION message (type 3) is sent when there is a
problem. This message closes the BGP connection.
• There may be many reasons to send the NOTIFICATION
message (wrong neighbor AS number configuration, hold
timer expiration…etc.).
• Reason is put in the NOTIFICATION message, so you
can troubleshoot it easily.
19
Theory – NOTIFICATION Message
Structure • Below you can see that hold timer expired here:
• Also in the below example, wrong neighbor AS number
has been configured, which means other side doesn’t
expect that AS number in the OPEN message:
20
Theory – ROUTE REFRESH Message
• ROUTE REFRESH message (type 5) is a special message that
informs BGP peer to exchange prefix information again which are
exchanged before. It doesn’t contain too much information
(contains AFI/SAFI), it’s just for information for the BGP peer.
• In early deployments of BGP, whenever you change the routing
policy, related BGP connection was reset. To avoid this, this open
standard feature is used (Route Refresh Capability –RFC 2918).
• When you change the routing policy, router sends this message
for impacted AFI/SAFI to it’s peer, then if the peer router
understands that message, it re-advertises the prefixes.
• This capability is sent during the BGP peering (as you learn from
previous slides, there’re "capabilities" in "Optional Parameter"
field, in the OPEN message).
21
Theory – ROUTE REFRESH Message
Structure • Below you can see that routing policy is changed for
unicast IPv4 traffic:
• As soon as it’s sent, UPDATE messages are exchanged
between peers:
22
Theory – States
• BGP neighbor states are:
IDLE
ACTIVE
CONNECT
OPEN SENT
OPEN CONFIRM
ESTABLISHED
23
Theory – IDLE & CONNECT State
• In IDLE state, router does not allocate any BGP
resources and during this time, router does not
accept any incoming BGP session.
• In CONNECT state, BGP waits for a successful
TCP connection. If TCP connection is successful,
BGP FSM goes to OPENSENT since it immediately
sends an OPEN message to the peer after a
successful TCP connection. If TCP connection is
not completed, BGP FSM goes to ACTIVE,
CONNECT or IDLE state depending on the failure
reason.
24
Theory – ACTIVE & OPENSENT State
• In ACTIVE state, a TCP connection is initiated. If it’s
successful, BGP router sends an OPEN message
immediately and BGP FSM goes to OPENSENT state.
In the case of failure, BGP FSM goes to ACTIVE or
IDLE state .
• In OPENSENT state, BGP router has already sent an
OPEN message and is waiting OPEN message from its
peer. If OPEN message is received succesfully from its
peer, BGP FSM goes to OPENCONFIRM state and a
KEEPALIVE message has been sent to its peer. In the
case of failure, BGP FSM goes to ACTIVE or IDLE
state.
25
Theory – OPENCONFIRM &
ESTABLISHED State • In OPENCONFIRM state, BGP router has already received
OPEN message from its peer and is waiting a KEEPALIVE
message from its peer. If it receives a KEEPALIVE, BGP
FSM goes to ESTABLISHED state, otherwise BGP FSM
goes to IDLE state (as you guess, BGP FSM is one step
away from its final state).
• In ESTABLISHED state, BGP router receives a
KEEPALIVE message from its peer. From this time, BGP
peers can exchange information between each other with
UPDATE messages (also KEEPALIVE messages are sent
periodically between each other, NOTIFICATION messages
can be sent in the case of failure).
26
Theory – BGP Finite State Machine
27
Theory – Attributes
• BGP has several attributes:
Well-Known Mandatory: Must be supported and recognised by all BGP
routers. These attributes must be included in UPDATE messages. They must
be passed on to other BGP routers.
Well-Known Discretionary: Must be supported and recognised by all BGP
routers. They must be passed on to other BGP routers. But these attributes
may/may not be included in UPDATE messages, it’s not mandatory.
Optional Transitive: May be recognised/not recognised by BGP routers. But
they must be passed on to other BGP routers. If these type of attributes aren’t
recognised, they’re marked as "partial".
Optional Non-transitive: May be recognised/not recognised by BGP routers
and isn’t passed on to other BGP routers.
Also some vendors may use additional attribute to manipulate best path
selection algoritm such as Cisco Systems, they use weight attribute which is
locally significant, higher is better.
28
Theory – Well-Known Mandatory
Attributes (1) • NEXT_HOP: Holds IP address of the BGP router that
advertises the UPDATE message. Doesn’t change when
UPDATE message is sent to an iBGP peer by default,
changes when UPDATE message is sent to an eBGP
peer.
• AS_PATH: Holds an ordered list of AS numbers through
that UPDATE message has traversed. With this attribute,
incoming traffic to an AS will be manipulated (you can
prepend it).
• ORIGIN: Holds the information that explains how this
NLRI has been learned (will be discussed in more detail in
"Implementation" section).
29
Theory – Well-Known Mandatory
Attributes (2)
30
• First packet shows that; this UPDATE message is originated from this router,
this NLRI has been learned from IGP (you’ll see later what it means) and to
reach this destination, next hop must be 10.0.12.1).
• Second packet shows that; this UPDATE message is originated from AS
4570 and passed through the AS 60, this NLRI has been learned from IGP
(you’ll see later what it means) and to reach this destination, next hop must
be 10.0.16.6).
Theory – Well-Known Discretionary
Attributes (1) • LOCAL_PREF: Holds the value that tells iBGP peers
which path they should select to reach a specific NLRI
which are outside the AS. In other words it’s a metric for
iBGP peers inside the AS to reach destinations that are
outside the AS (higher is better). With this attribute, traffic
leaving the AS can be manipulated. This attribute is
propagated through the local AS (will be discussed in
more detail in "Implementation" section).
• ATOMIC_AGGREGATE: Informs the i/eBGP neighbor
that the originating router aggregated the routes.
31
Theory – Well-Known Discretionary
Attributes (2) • This packet shows that; the LOCAL_PREF attribute value
is 100 for this/these NLRI(s) and NLRIs are aggregated
by a BGP router which originates more specific NLRIs.
32
Theory – Optional Transitive Attributes (1)
• AGGREGATOR: Holds the IP address and the AS
number of the BGP router that performed the
summarization/aggregation.
• COMMUNITIES: Route tags that are used for
filtering/building specific policies/manupilating routing
process.
33
Theory – Optional Transitive Attributes (2)
• This packet shows that; BGP router with router-id 1.1.1.1
in AS 1230 has aggregated this NLRI and this packet has
a community attribute set to NO_ADVERTISE (will be
discussed in more detail in "Implementation" section).
34
Theory – Optional Non-Transitive
Attributes (1) • MED (MULTI_EXIT_DISC): This attribute is a metric for eBGP
peers, according this attribute, neighbor AS will select the entrance
to our AS (lower is better).
• CLUSTER_LIST: Holds the IP addresses of the Route Reflectors
that UPDATE message has been passed through. With this
information, loops are avoided (e.g. A route reflector ignores the
UPDATE messages that contain its BGP router-ID in
CLUSTER_LIST attribute, that means UPDATE message already
traversed its cluster). This attribute isn’t used between RR & its
client.
• ORIGINATOR_ID: Holds the IP address of the first announcer
(originator) of the NLRI in topologies that contain Route Reflectors
(you’ll see what it means in next slide). This attribute isn’t used
between RR & its client.
35
Theory – Optional Non-Transitive
Attributes (2) • First packet shows that; this UPDATE message is originated from 4.4.4.4,
then it passes through route-reflector (3.3.3.3) somehow, then this UPDATE
message enters an other RR cluster (RR is 1.1.1.1). MED is 0.
• Second packet shows that; this UPDATE message is originated from 3.3.3.3
(which may or may not be a Route Reflector, we don’t know), and an RR
cluster 1.1.1.1 has received that UPDATE message somehow. MED is again
0.
36
Theory – Best Path Selection Algorithm
• Firstly exclude routes which have inaccessible NEXT_HOP.
• If NEXT_HOP is accessible, then prefer the path which has higher WEIGHT (for Cisco Systems
devices), this is locally significant. In standard implementation, it’s not a selection criteria.
• If WEIGHT is not set or same, then prefer the path which has higher LOCAL_PREF.
• If LOCAL_PREF attributes are same, then prefer the path that you advertised by yourself as a BGP
router.
• If LOCAL_PREF attributes are same and you don’t advertise those routes, then prefer the path
which has the shortest AS_PATH length.
• If AS_PATH lengths are same, then prefer the path which has the lowest ORIGIN type; i (IGP;
native) < EGP < ? (incomplete; redistributed).
• If ORIGIN types are same, then prefer the path which has the lowest MED (if candidate routes are
announced from the same AS).
• If MED is not a tie-breaker, then prefer the eBGP routes over iBGP routes (if any confederation
exists, then selection order becomes; eBGP over eBGP confederation over iBGP).
• If routes are iBGP-learned in previous step, then prefer the path which has the lowest IGP metric
for its NEXT_HOP. If routes are eBGP-learned in previous step, then prefer the path which is the
oldest one (means more stable). Also if multipath is enabled in BGP and the same IGP metric exists,
then traffic is loadbalanced.
• As a last tie-breaker, prefer the path which has the lowest BGP router-ID.
37
Implementation – Topology
• Will cover basic configurations as well as advanced scenarios.
• Topology seen below will be used for all scenarios, we’ll modify if
we need. Also pysical IP addresses are seen below:
38
Implementation – Addresses/Subnets
• Other than pysical IP addresses, we will use loopback subnets as customer or
production subnets. We will announce, filter, summarize, redistribute…etc. these
subnets. We will play them
• Loopback0 will be used as a Router-ID and format is X.X.X.X/32 where X is a
router number (like R1, R3).
• Loopback1-9 format is like that 192.168.[X][Y].1/24 where X is a router number
and Y is a Loopback number. E.g. 192.168.53.0/24 subnet belongs to R5-
Loopback3.
39
Implementation – Initial Steps
• First initiate the BGP process with an AS number: R1(config)#router bgp 1230 !BGP process for AS 1230.
• Enable BGP peering logging: R1(config-router)#bgp log-neighbor-changes !In most cases
it’s on by default, but if it’s not, it’s good to turn it
on. With this, BGP neighbor UP/DOWN and reset reasons are
logged as a SYSLOG messages.
• Disable the synchronization process: R1(config-router)#no synchronization !It turns off the
sync.rule (it’s explained in previous slides).
• Disable the auto-summarization: R1(config-router)#no auto-summary !It’s advisable to
disable the auto-summarization.
40
Implementation – Peering (1)
• Manually define the neighbors and their AS numbers: R1(config-router)#neighbor 10.0.12.2 remote-as 1230
!Neighbor 10.0.12.2 is in AS 1230, we’ll accept a TCP
connection from this IP and will initiate TCP connection to
this IP.
• You can modify NEXT_HOP attribute manually because this
attribute isn’t modified for iBGP peerings as i mentioned before,
since inter-router segment is not a customer/neighbor AS subnet,
you don’t need to advertise it: R1(config-router)#neighbor 10.0.12.2 next-hop-self !
NEXT_HOP attribute of UPDATE messages sent to 10.0.12.2 are
modified with the outgoing interfaces’ IP address of R1
(outgoing interface to reach 10.0.12.2).
41
Implementation – Peering (2)
• If authentication is done between peers, same passwords must be
defined in both ends: R1(config-router)#neighbor 10.0.12.2 password 0 neteksper_lab !If
you use type 7 instead of 0, encrypted form must be entered,
otherwise in type 0 you must enter the plain text.
• If eBGP peering is established through the Loopback addresses, TTL of
the IP packet must be changed: R1(config-router)#neighbor 6.6.6.6 ebgp-multihop 20 !As i mentioned
before, default TTL value is 1 for eBGP peerings, with this command
you change the TTL value to 20, if you dont’t enter any number, it
will choose the max.value 255.
• If eBGP peering is established through the Loopback addresses, source
IP must be specified: R1(config-router)#neighbor 6.6.6.6 update-source Loopback0 !OPEN
messages will be sent with this source IP address, since other side
expects to see this address for the peering.
42
Implementation – Peering (3)
• Basic peering configurations between R1-R2 and R1-R6 are seen
below as examples:
43
Implementation – Peering (4)
• With show ip bgp neighbors command, you can see all information related
with BGP peering. It shows very detailed information.
• With show ip bgp summary command, you can see what’s the neighbor IP
address, BGP version (4 for current standard), what’s neighbors’ AS number, how
many messages are sent and received to/from this neighbor, table version, input
& output queue values, for how long neighborship is UP and state (if it’s not
ESTABLISHED) & how many prefixes are received from that neighbor (if the state
is ESTABLISHED it shows the prefix number):
• Since 0 prefix has been received, show ip bgp command shows nothing (this
command show the BGP table):
44
Implementation – Peering (5)
• Also show ip protocols command shows all routing protocols’ information
running on the router. BGP global parameters, route reflector clients, used filters
and neighbors can be seen with this command:
45
Implementation – Announcing Prefixes (1)
• Prefixes can be announced in 3 ways:
With network command,
With aggregation (with aggregate command)
With redistribution (with redistribute command)
• In each method, AS_PATH attribute remains
empty (with default parameters), since prefixes
are originated from router itself. Other parameters
can be affected differently (such as ORIGIN).
46
Implementation – Announcing Prefixes (2)
• With network command, we tell BGP router which routes (with their subnets) are
announced to other BGP peers. This command has several options such as route-
map (to set attribute values…etc.).
R1(config-router)#network 192.168.13.0 mask 255.255.255.0 !192.168.13.0/24
subnet is a connected subnet in Loopback 3, with this command, R1 will
announce this subnet to all BGP neighbors.
• With aggregate command, we tell BGP router to summarize more specific routes
which already exist in its BGP table. This command has several options such as route-map, as-set, summary-only…etc.
R1(config-router)#aggregate-address 192.168.12.0 255.255.252.0 !192.168.12-
15.0/24 subnets exist in the BGP table (at least one of them), with this
command, R1 announces summary 192.168.12.0/22 subnet to all BGP neighbors
addition the specific ones.
• With redistribute command, prefixes come from any routing information source
(IGP routes, connected or static routes) exist in the routing table can be announced to
other BGP neighbors, this command also has many different options. R1(config-router)#redistribute connected !All connected subnets exist in the
routing table are redistributed in to the BGP table and announced to all BGP
neighbors.
47
Implementation – Announcing Prefixes with network • With network command, ORIGIN attribute is set to IGP (‘i’), as mentioned earlier, it’s a preferred value
compared to ‘?’ (‘e’ is for EGP which is not used anymore). (also other parameters can be changed with
route-maps). In the originating router, NEXT_HOP is 0.0.0.0 since it’s locally originated. Inside the AS,
AS_PATH is also empty.
• Subnet and mask must be exactly same as it’s seen in routing table (e.g. If entry in routing table is
10.100.2.0/23, subnet and mask must be 10.100.2.0 & 255.255.254.0), otherwise it doesn’t work.
• Below example shows that R1 announces Loopback 9, then R2 receives this prefix with ORIGIN value ‘i’:
48
Implementation – Announcing Prefixes with redistribute • With redistribute command, ORIGIN attribute is set to incomplete (‘?’), as mentioned
earlier, it’s not a preferred value compared to ‘i’. (route-maps can be used too)
• Below example shows that R1 redistributes only Loopback 9 connected interface, then R2
receives this prefix with ORIGIN value ‘?’:
49
Implementation – Announcing Prefixes with aggregate-address (1) • With aggregate-address <address> <mask> command, ORIGIN
attribute is set to IGP (‘i’) just like network command.
• It has a requirement that needs at least one subnet in the aggregation must be in the BGP table (by network command, by redistribution or by
receiving prefix(es) from an other BGP peer) otherwise aggregated subnet is
not announced.
• If aggregate-address <address> <mask> summary-only command
is used, more specific subnets are suppressed in the aggregation range.
• If aggregate-address <address> <mask> as-set command is used,
it regenerates AS_PATH information for the aggregated subnet (because
during the aggregation, AS_PATH information is destroyed, it’s set to empty
just like an internal announcement).
• There’re other specific parameters/options for aggregate-address
command, i’ll try to explain most of them which are used in real world
scenarios.
50
Implementation – Announcing Prefixes with aggregate-address (2) • In below example, 192.168.72-75.0/24 subnets (4 subnets) are aggregated to
one 192.168.72.0/22 subnet by R1, but also more specific subnets in the
aggregation are received by R2 additon to aggregated subnet, also AS_PATH information is restored by R1 (since as-set keyword is added):
•
51
Implementation – Announcing Prefixes with aggregate-address (3) • In below example, 192.168.72-75.0/24 subnets (4 subnets) are aggregated
as one 192.168.72.0/22 subnet by R1, more specific subnets are suppressed by R1(with summary-only keyword) and AS_PATH information isn’t restored
by R1. So R2 only receives 192.168.72.0/22 with no AS_PATH information. In
R1s’ BGP table, suppressed routes are tagged with ‘s’:
•
52
Implementation – Announcing Prefixes with suppress-map & unsuppress-map • Also with suppress-map, some specific routes can be selectively suppressed rather than all
specific routes. The syntax is:
R1(config-router)#aggregate-address <address> <mask> suppress-map
<route-map>
• For that, firstly we define subnets, then we match these subnets with the route-map and
finally we assign this route-map as a suppress-map in the aggregation.
• Matched routes ARE NOT announced to the neighbors, they’re tagged with ‘s’ in the BGP
table of the router itself (who performs the aggregation).
• Suppress-map can’t be defined as a neighbor basis, it affects globally all BGP neighbors.
• Also with unsuppress-map, some specific routes can be selectively announced.
• As you guess, this can be defined as a neighbor basis, you can selectively send specific
subnets to any neighbor.
• The configuration of unsuppress-map is same (defining subnets, matching them, applying
unsuppress-map). The difference is here that matched subnets ARE announced to the
neighbor. The syntax is:
R1(config-router)#neighbor <address> unsuppress-map <route-map>
• Next 2 pages you can see both suppress-map and unsuppress-map cases between R1 &
R2.
53
Implementation – Announcing Prefixes with suppress-map • In below example, 192.168.72-75.0/24 subnets (4 subnets) are aggregated as one
192.168.72.0/22 subnet by R1, and only 192.168.72.0/24 and 192.168.75.0/24 subnets are
suppressed (in other words 192.168.73.0/24 and 192.168.74.0/24 subnets are announced
addition the aggregated /22 subnet).
54
Implementation – Announcing Prefixes with unsuppress-map • In below example, 192.168.72-75.0/24 subnets (4 subnets) are aggregated as one
192.168.72.0/22 subnet by R1, more specific subnets are suppressed by R1(with summary-
only keyword), only R2 receives 192.168.73.0/24 and 192.168.74.0/24 subnets in addition
to the aggregated /22 subnet:
55
Implementation – Conditionally Announcing Prefixes • For conditionally announcing prefixes, we use advertise-map, exist-map and
non-exist-map.
• Advertise-map defines which routes will be announced in the case of
meeting the condition.
• Exist-map and non-exist-map are used to define the condition.:
If exist-map command is used with advertise-map command, this means
that "announce prefixes defined in advertise-map ONLY IF prefixes defined in exist-
map exists in the BGP table"
If non-exist-map command is used with advertise-map command, this
means that "announce prefixes defined in advertise-map ONLY IF prefixes defined
in non-exist-map DOES NOT exist in the BGP table"
• Conditional announcing is used as a neighbor basis. Syntax is: R1(config-router)#neighbor <IP> advertise-map <route-map> exist-map
<route-map>
R1(config-router)#neighbor <IP> advertise-map <route-map> non-exist-map
<route-map>
• Next pages will show both cases.
56
Implementation – Conditionally Announcing Prefixes with advertise-map & exist-map (1)
• Below example shows that, if 192.168.72.0/21 subnet exists in BGP table of R1, 192.168.72-74.0/24
subnets (3 subnets) are allowed to advertise to neighbor 10.0.12.2 (addition to other subnets). But if
192.168.71.0/21 disappears from R1s’ BGP table, these 3 subnets are not advertised to this
neighbor (other subnets are still advertised). Next page shows that condition is not met.
57
Implementation – Conditionally Announcing Prefixes with advertise-map & exist-map (2)
• Here condition is not met (192.168.72.0/21 subnet does NOT exist in R1s’ BGP table). As you see, 3
subnets are NOT sent to the neighbor 10.0.12.2.
58
Implementation – Conditionally Announcing Prefixes with advertise-map & non-exist-map (1)
• Below example shows that, if 192.168.72.0/21 subnet does NOT exist in BGP table of R1,
192.168.72-74.0/24 subnets (3 subnets) are allowed to advertise to neighbor 10.0.12.2 (addition to
other subnets). But if 192.168.71.0/21 exists in R1s’ BGP table, these 3 subnets are not advertised
to this neighbor (other subnets are still advertised). Next page shows that condition is not met.
59
Implementation – Conditionally Announcing Prefixes with advertise-map & non-exist-map (2)
• Here condition is not met (192.168.72.0/21 subnet exists in R1s’ BGP table). As you see, 3 subnets
are NOT sent to the neighbor 10.0.12.2.
60
Implementation – Conditionally Route Injection (1) • Conditionally route injection means that, BGP router originates specific subnets from
the aggregate/summary.
• For this purpose inject-map and exist-map are used.
• Inject-map defines prefix that will be originated from the aggregate.
• Exist-map matches aggregate and source of the aggregate.
• Command syntax is: R1(config-router)#bgp inject-map <route-map> exist-map <route-map>
• Also if copy-attributes keyword is added to the above command, original
attributes are copied to the injected more specific subnet (normally they’re not copied).
• In inject-map, prefix-list is set. In exist-map, source and aggregate are matched: R1(config)#route-map INJECT_MAP permit 5
R1(config-route-map)#set ip address prefix-list <specific_subnet>
R1(config-route-map)#route-map EXIST_MAP permit 5
R1(config-route-map)#match ip address prefix-list <aggregate_subnet>
R1(config-route-map)#match ip route-source prefix-list <src_of_aggregate>
61
Implementation – Conditionally Route
Injection (2) • Here condition is met (R1 learns 192.168.72.0/21 aggregate from R3 which is 10.0.13.3), so R1
injects 192.168.73.0/24 from the /21 aggregate. R2 receives both aggregate and specific subnet, but since we didn’t add copy attributes keyword, as you see attributes are not set for
192.168.73.0/24 subnet.
62
Implementation – Route Reflectors (1)
• Route Reflector theory and traffic flow between RR–Client
Router–Non-Client Router is explained before in theory
section.
• Configuration syntax is very basic, assume that R1 is
route reflector for R2 & R3, command syntax is: R1(config-router)#neighbor 10.0.12.2
route-reflector-client
R1(config-router)#neighbor 10.0.13.3
route-reflector-client
• There’s no specific configuration in client router, standard
neighbor configuration is applied
63
Implementation – Route Reflectors (2)
• Below example shows that R1 is configured as an RR, R2
& R3 are configured as an RR clients.
64
Implementation – Confederations (1)
• Confederation theory is explained before in theory section.
• Configuration syntax is very basic, BGP process is started
for sub-AS, main AS is defined under BGP process and for
each peered sub-AS, they are defined under BGP process
too. R1(config)#router bgp 64520 !initiates BGP process for
sub-AS 64520
R1(config-router)#bgp confederation identifier 1230
!defines main AS
R1(config-router)#bgp confederation peers 64530 !means R1
has a peering with a router in sub-AS 64530, this has to
be defined as a confederation peer.
• Everything else is same, eBGP peerings, iBGP peerings…etc.
65
Implementation – Confederations (2)
• Below example shows that, R1 & R2 are in sub-AS 64520 and R3 is in sub-
AS 64530. All those routers are in AS 1230. In confederations, NEXT_HOP
attribute is not modified even if peering is eBGP, for that, it has to be modified manually (with next-hop-self keyword). Also sub-AS is seen in BGP table
in paranthesis:
66
Implementation – Traffic Manipulation (1)
• Traffic manipulation can be divided into 2 sections; outbound
traffic manipulation and inbound traffic manipulation.
• Outbound traffic manipulation deals how data traffic
leaves your AS.
• Inbound traffic manipulation deals how data traffic arrives
at your AS.
• To manipulate traffic, you have 2 choices; you can change
BGP attributes, you can announce/filter subnets by utilizing
route decision mechanism of the router based on longer
prefix criteria.
67
Implementation – Traffic Manipulation (2)
• BGP attributes used for path selection are seen in order below:
• WEIGHT (if your equipment is Cisco) (higher is preferrable)
• LOCAL_PREF (higher is preferrable)
• AS-PATH (shorter is preferrable)
• MED (Metric) (lower is preferrable)
• First two of them are used for outbound traffic manipulation, applied as an
inbound policy on the router.
• Last two of them are used for inbound traffic manipulation, applied as an
outbound policy on the router.
• As you see, you have control over outbound traffic (if peer AS sets
LOCAL_PREF during the reception of the prefixes from us, it doesn’t matter how
we set AS-PATH and MED values during the advertisement of these prefixes to
peer AS, because peer AS router checks LOCAL_PREF before AS-PATH or
MED).
• After the attribute(s) are set, you may trigger it by soft or hard resetting the BGP
peerings, it depends on the attribute, software, vendor…etc.
68
Implementation – Outbound Traffic
Manipulation (1) • To manipulate outbound traffic, you can change LOCAL_PREF or WEIGHT (if
your equipment is Cisco) attributes and apply them as an inbound policy.
• This applied inbound policy affects outbound traffic.
• You decide for which prefix(es) you will change attribute(s) to manipulate traffic
flow (e.g. by defining a prefix-list), then you create a route-map to match prefix(es)
& set attribute(s), finally you apply this policy under BGP process for a specific
neighbor.
• You can find the syntax below: R1(config)#route-map <X> permit 10
R1(config-route-map)#match ip address prefix-list <Y> !matches the subnets.
R1(config-route-map)#set local-preference <value> !sets the LOCAL_PREF
attribute.
R1(config)#route-map <X> permit 20 !accepts the other remaining subnets,
but does not modify anything on them.
R1(config-router)#neighbor <a.a.a.a> route-map <X> in !under BGP process,
inbound policy is applied for the neighbor.
69
Implementation – Outbound Traffic
Manipulation (2) • Below example shows that, R1 sets LOCAL_PREF attribute to 300 for 192.168.41.0/24, 192.168.42.0/24, 192.168.43.0/24, and
this policy is applied for neighbor R6 as an inbound policy. So, R1 receives those subnets from R6, and R1 modifies that
attribute for 3 subnets and announces to iBGP peers. Now all iBGP peers know that for any traffic going to these 3 subnets,
they will route them to R1. (as you see below, even if R3 is connected directly to R4, it chooses R1 R6 R5 R4 path) R1
changes the outbound traffic by doing this, all outbound traffic for these 3 subnets will go through R6.
70
Implementation – Outbound Traffic
Manipulation (3) • Below example shows that, R1 sets WEIGHT attribute to 300 for 192.168.41.0/24, 192.168.42.0/24, 192.168.43.0/24, and this
policy is applied for neighbor R6 as an inbound policy. So, R1 receives those subnets from R6, and R1 modifies that attribute
for 3 subnets. But in this case, this only affects R1, because as you remember WEIGHT is only locally significant and is not
announced. R1 sends traffic to R6 for these 3 subnets but other iBGP peers don’t, they’ll use R3 to reach them. R1 changes
the outbound traffic by doing this, all outbound traffic for these 3 subnets will go through R6.
71
Implementation – Inbound Traffic
Manipulation (1) • To manipulate inbound traffic, you can change AS_PATH or MED (Metric)
attributes and apply them as an outbound policy.
• This applied outbound policy affects inbound traffic.
• You decide for which prefix(es) you will change attribute(s) to manipulate traffic
flow (e.g. by defining a prefix-list), then you create a route-map to match prefix(es)
& set attribute(s), finally you apply this policy under BGP process for a specific
neighbor.
• You can find the syntax below: R1(config)#route-map <X> permit 10
R1(config-route-map)#match ip address prefix-list <Y> !matches the subnets.
R1(config-route-map)#set metric <value> !sets the MED attribute.
R1(config)#route-map <X> permit 20 !advertises the other remaining subnets,
but does not modify anything on them.
R1(config-router)#neighbor <a.a.a.a> route-map <X> out !under BGP process,
outbound policy is applied for the neighbor.
72
Implementation – Inbound Traffic
Manipulation (2) • Below example shows that, R1 sets AS_PATH attribute by prepending 3 more AS numbers addition to original AS (1230 1230
1230 + 1230) for 192.168.11.0/24, 192.168.12.0/24, 192.168.13.0/24, and this policy is applied for neighbor R6 as an outbound
policy. So, R1 advertises those subnets to R6 with a modified AS_PATH attribute, and R6 sees that those subnets are 4 AS / 4
hop away to reach. R6 also sees 4570 1230 for same subnets from R5, so R6 prefers R5 to reach them. R1 changes the
inbound traffic by doing this, all inbound traffic for these 3 subnets will enter AS 1230 through R3.
73
Implementation – Inbound Traffic
Manipulation (3) • Below example shows that, R1 sets MED (Metric) attribute to 1000 for 192.168.11.0/24, 192.168.12.0/24, 192.168.13.0/24, and
this policy is applied for neighbor R6 as an outbound policy (since AS_PATH has a higher preference than MED, to make both
paths same, we’ve prepended one more AS to our advertisements for 3 subnets). So, R1 advertises those subnets to R6 with a
modified MED (Metric) attribute, and R6 sees that those subnets have a MED (Metric) value 1000. R6 also sees 0 MED
(Metric) for same subnets from R5, so R6 prefers R5 to reach them. R1 changes the inbound traffic by doing this, all inbound
traffic for these 3 subnets will enter AS 1230 through R3.
74