cis185-ROUTE-lecture6-BGP-Part1

advertisement
CIS 185 CCNP ROUTE
Ch. 6 Border Gateway Protocol Solution
for ISP Connectivity – Part 1
Rick Graziani
Cabrillo College
graziani@cabrillo.edu
Last Updated: Fall 2010
Materials
 Book:
 Implementing Cisco IP Routing
(ROUTE) Foundation Learning
Guide: Foundation learning for the
ROUTE 642-902 Exam
 By Diane Teare
 Book
 ISBN-10: 1-58705-882-0
 ISBN-13: 978-1-58705-882-0
 eBook
 ISBN-10: 0-13-255033-4
 ISBN-13: 978-0-13-255033-8
2
Terms
 What is an IGP (Interior Gateway Protocol)?
 Routing protocol used to exchange routing information within an
autonomous system.
 RIP, IGRP, EIGRP, OSPF, IS-IS
 What is an EGP (Exterior Gateway Protocol)?
 Routing protocol used to exchange routing information between
autonomous systems.
 BGP (Border Gateway Protocol) is an Interdomain Routing Protocol
(IDRP), which is also known as an EGP.
 BGP - is a path vector routing protocol.
 What is an Autonomous System ?
 (From RFC 1771) “A set of routers under the single technical
administration, using an IGP and common metrics to route packets
within the AS, and using an EGP to route packets to other AS’s.”
3
 BGP version 4 (BGP-4) (latest version of BGP)
 It is defined in Requests for Comments (RFC) 4271, A Border Gateway
Protocol (BGP-4).
 As noted in this RFC, the classic definition of an AS is “A set of routers
under a single technical administration, using an Interior Gateway Protocol
(IGP) and common metrics to determine how to route packets within the AS,
and using an inter-AS routing protocol to determine how to route packets to
other [autonomous systems].”
 Extensions to BGP-4 (known as BGP4+) includes IPv6.
4
BGP Use Between Autonomous Systems
 Main goal is to provide an interdomain routing systems that guarantees the
loop-free exchange of routing information between AS’s.
 BGP is a successor to Exterior Gateway Protocol (EGP). (Note the dual use
of the EGP acronym.)
 BGP-4 is a classless routing protocols so it supports:
 VLSM
 CIDR
 There are more than 300,000 CIDR blocks
 Without CIDR full Internet routing tables would contain more than
2,000,000 entries.
5
Comparison with Other Scalable Routing
Protocols
 BGP does not look at speed for the best path.
 BGP is a policy-based routing protocol that allows an AS to control traffic
flow using multiple BGP attributes.
 Routers exchange network reachability information, called path vectors or
attributes
 These include a list of the full path of BGP AS numbers that a router
should take to reach a destination network.
6
When to use BGP and when not to use BGP
Use BGP when the effects of BGP are well understood and one of the following
conditions exist:
 The AS allows packets to transit through it to reach another AS (transit AS).
 The AS has multiple connections to other AS’s.
 The flow of traffic entering or exiting the AS must be manipulated.
 This is policy based routing and based on attributes.
7
When to use BGP and when not to use BGP
Do not use BGP if you have one or more of the following conditions:
 A single connection to the Internet or another AS
 No concern for routing policy or routing selection
 A lack of memory or processing power on your routers to handle constant
BGP updates
 A limited understanding of route filtering and BGP path selection process
 Low bandwidth between AS’s
8
Who needs BGP?
 Not as many internetworks as you may think.
 “You should implement BGP only when a sound engineering reason
compels you to do so, such as when the IGPs do not provide the
tools necessary to implement the required routing policies or when
the size of the routing table cannot be controlled with
summarization.”
 “The majority of the cases calling for BGP involve Internet
connectivity – either between a subscriber and an ISP or (more
likely) between ISPs.”
 “Yet even when interconnecting autonomous systems, BGP might
be unnecessary.”
Jeff Dolye, Routing TCP/IP Vol. II
9
Overview of autonomous systems
 AS - A group of routers that share similar routing policies and operate
within a single administrative domain.
 An AS can be a:
 Collection of routers running a single IGP (Single company)
 Collection of routers running different protocols all belonging to one
organization (ISP)
 In either case, the outside world views the entire Autonomous System as a
single entity.
10
Overview of autonomous systems
AS Numbers
 Assigned by an Internet registry or a service provider.
 Between 1 and 65,535.
 0 - Reserved
 1 through 64,495 – Assignable for public use
 64,512 through 65,535 - Private use
 This is similar to RFC 1918 IP addresses.
 65,535 - Reserved
 Because of the finite number of available AS numbers, an organization must
present justification of its need before it will be assigned an AS number.
11
 Today, the Internet Assigned Numbers Authority (IANA) is enforcing a policy
whereby organizations that connect to a single provider and share the
provider's routing policies use an AS number from the private pool, 64,512
to 65,535.
12
 RFC 4893 BGP Support for Four-Octet AS Number Space describes 32 bit
AS numbers the anticipated depletion of current BGP 16-bit AS numbers
 http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6554/ps6599
/white_paper_C11_516823.html
 http://www.potaroo.net/tools/asn16/
 http://www.iana.org/assignments/as-numbers/as-numbers.xml
13
Using BGP
 BGP dynamically exchanges routing information
 BGP reacts to topology changes including those changes beyond a
customer-to-ISP link failure.
14
 Connection Redundancy
 The ISP connection can also be made redundant.
 A customer can be connected to a single ISP or to multiple ISPs.
15
Single-homed autonomous systems
 Single-homed system AS
 One Link per ISP, One ISP
 Only one exit point to outside networks.
 Often referred to as stub networks or stubs.
 Usually use a default route to handle all traffic destined for non-local
networks.
 BGP is not normally needed in this situation
16
Single-homed autonomous systems
IGP Option
 IGP: Both the provider and the customer use an IGP to share information
regarding the customer's networks.
 Customer:
 Sends public network address
 Receives default route
17
Single-homed autonomous systems
BGP Option
 In a single-homed autonomous system the customer's routing policies
are an extension of the policies of the provider.
 Internet number registries are unlikely to assign public AS number.
 AS number from the private pool of AS numbers, 64,512 to 65,535.
 The provider will strip off these numbers when advertising the
customer's routes towards the core of the Internet. (later)
18
Dual Homed
Option 3
Dual-homed AS
 Two or more links per ISP, One ISP
 Same options as single-homed
 Additional advantages:
 Primary and backup link functionality
 Load Balancing
19
Single Multi-homed
Multi-homed or Single Multi-homed
 One link per ISP, two or more ISPs
 Typically recommended to run BGP
 Options: (more later on these)
 ISP1 and ISP2: Full Internet routes
 ISP1: Full Internet routes; ISP2: Partial updates (selected)
 ISP1: Default route; ISP2: Partial updates (selected)
20
http://bgp.potaroo.net/ 10/31/2010
 Caution in receiving full Internet routes:
 Over 300,000 summarized routes (over 2,000,000 un-summarized)
 100,000 routes require about 70 MB of RAM for the BGP table
21
Dual Multi-homed
Dual Multi-homed
 Two or more links per ISP, Two or more ISPs
 Similar options as Single Multi-homed
 Same benefits as single multi-homed but with enhanced resiliency.
22
Using BGP in an Enterprise Network
 External BGP (EBGP) - When BGP is running between routers in different
autonomous systems.
 Internal BGP (IBGP) - When BGP is running between routers in the same
AS.
 Understanding how BGP works is important to avoid creating problems for
your AS as a result of running BGP.
23
Transit
AS
 Multihomed system
 More than one exit point to outside networks.
 May be a:
 Transit
 Non-transit AS
 Transit traffic - Traffic that has a source and destination outside the AS.
 Transit AS - allows transit traffic
 Non-transit AS - does not allow transit traffic.
 Advertises only its own routes to both the providers
 Does not advertise routes it learned from one provider to another.
 Therefore, ISP1 will not use AS 24 to reach destinations that belong to ISP2
24
and visa versa.
 AS 65500 is learning routes from both ISP-A and ISP-B via EBGP
 Also running IBGP on all of its routers. (later)
 Learns about routes and chooses the best way to each one based on
the configuration of the routers in the AS and the BGP routes passed
from the ISPs.
 If one of the connections to the ISPs goes down, traffic will be sent
through the other ISP.
25
Transit AS
 AS 65500 wants to have a redundant Internet connection, but does not want
to act as a transit AS between ISP-A and ISP-B.
 AS 65500 learns from ISP-A is the route to 172.18.0.0/16.
 If that route is:
 Propagated through AS 65500 using IBGP
 And mistakenly announced to ISP-B
 Then ISP-B might decide that the best way to get to 172.18.0.0/16 is
through AS 65500, instead of through the Internet.
 AS 65500 would then be considered a transit AS (an ISP)
 Not a very undesirable situation
 Careful BGP configuration is required to avoid this situation.
26
Default Route
Default Route
 If an organization has determined that it will
perform multihoming with BGP, three
common ways to do this are as follows:
 Each ISP passes only a default route to
the AS
 The default route is passed to the
internal routers.
 Each ISP passes only a default route and
provider-owned specific routes to the AS
 These routes can be passed to internal
routers, or all internal routers in the
transit path can run BGP and pass
these routes between them.
 Each ISP passes all routes to the AS
 All internal routers in the transit path run
BGP and pass these routes between
them.
Default Route
+ ISP1 Routes
Default Route
+ ISP2 Routes
All Internet
Routes
All Internet
Routes
27
Multihoming with Default
Routes from All Providers
Send
0.0.0.0/0
 First multihoming option is to receive
only a default route from each ISP.
AS 65500
Networks
Send
0.0.0.0/0
?
 Both edge routers learn a default route from their attached ISP
 Propagate it into the routing domain via an IGP
 Requires the least resources
 AS 65500 propagates its “owned” routes to both ISPs
 If a router within the AS learns about multiple default routes, the local IGP
installs the best default route into the routing table.
 This does allow AS 65500 the capability of adding new customers (new
networks) without relying on upstream provider.
 Otherwise ISP would have to create the network and add a static
route pointing to AS 65500
28
Multihoming with Default
Routes and Partial Table
from All Providers
Sends ISPA
Prefixes and
0.0.0.0/0
AS 65500
Networks
Sends ISPB
Prefixes and
0.0.0.0/0
 Both ISPs pass default routes
plus select specific routes to
the AS.
 The internal routers of the customer can receive these routes via:
 Redistribution into IGP
 IBGP transit path (later)
 The internal routers route packets:
 ISP A networks via ISP A
 ISP B networks via ISP B
 Default routes via nearest edge router (possible suboptimal routing)
29
Multihoming with Full
Routes from All Providers
 All ISPs pass all routes to the
AS
 IBGP is run on at least all the
routers in the transit path in this
AS.
 Requires a lot of resources
within the AS because it must
process all the external routes.
Sends all
Internet
Routes
AS 65500
Networks
Sends all
Internet
Routes
 The internal routers of the customer can receive these routes via:
 Redistribution into IGP (ex: OSPF): Not recommended!
 IBGP transit path (later): We’ll say this is the case.
 The ISP that a specific router within AS 64500 uses to reach the external
networks is determined by the IBGP protocol.
 The routers in AS 64500 can be configured to influence the path to certain
networks.
 For example, Router A and Router B can influence the outbound traffic from AS
64500. (Later - Attributes)
30
BGP Path Vector Characteristics
Path Advertised:
64520 64600 64700
Networks in AS 64700:
192.168.24.0
192.168.25.0
172.20.0.0
 IGP routing protocols use metrics to determine best path.
 Cost (Bandwidth), BW+DLY-REL-Load, Hop Count
 BGP routers exchange network reachability information, called path vectors,
made up of path attributes
 The path vector information includes a list of the full path of BGP AS
numbers (hop-by-hop) necessary to reach a destination network.
 Other attributes include:
 IP address of the next-hop AS (the next-hop attribute)
 How the network was introduced into BGP (the origin code attribute)
 And more… later!
31
 AS Path information is used to construct a graph of loop-free AS’s and to
identify routing policies (later)
 AS 64512: AS Path to 192.168.24.0 = 64520 > 64600 > 64700
 BGP AS Path is guaranteed to be loop free.
 BGP router does not accept a routing update that already includes its
own AS number in the AS Path list.
32
Loop Free Path
172.16.0.0/16
(4, 2, 1)
172.16.0.0/16
(6, 5, 3, 1)
AS7
AS4
AS6
AS2
AS5
AS3
AS1
172.16.0.0/16
 AS_PATH
 List of AS numbers associated with a BGP route
 One of several path attributes associated with each route.
 Path attributes will be discussed in much more detail later.
 We will discuss how BGP chooses best path later.
 The shortest inter-AS path is very simply determined by the least number of
AS numbers.
 In this example, AS7 will choose the shortest path (4, 2, 1).
 We will see later what happens with equal cost paths.
33
172.16.0.0/16
(7,4,2,1)
Loop Free Path
AS8
172.16.0.0/16
(8,7,4,2,1)
AS9
X
172.16.0.0/16
(9,8,7,4,2,1)
172.16.0.0/16
(4, 2, 1)
AS7
AS4
AS6
AS2
AS5
AS3
AS1
172.16.0.0/16
Routing Loop Avoidance
 Route loops can be easily detected when a router receives an update
containing its local AS number in the AS_PATH.
 When this occurs, the router will not accept the update, thereby avoiding a
potential routing loop.
34
 Possible paths for AS 64512 to reach networks in AS 64700, through AS
64520:
 64520 64600 64700
 64520 64600 64540 64550 64700
 64520 64540 64600 64700
 64520 64540 64550 64700
 AS 64512 does NOT see all these possibilities.
 AS 64520 advertises to AS 64512 only its best path:
 64520 64600 64700 (assuming no other policies supersede AS Path)
 AS 64512 could also get a best path from AS 64530
 AS 64512 would then decide which path is best (via 64530 or via 64520)
based on its own AS policies.
35
Multihomed nontransit autonomous systems
Here are the
networks you
can reach
through me.
Here are the
networks you can
reach through me.
I will try and make it
so that you prefer
me.
We have a choice
on which way to
send our traffic.
 Incoming route advertisements influence your outgoing traffic, and
outgoing advertisements influence your incoming traffic.
36
Multihomed nontransit autonomous systems
These are the
networks you
can reach
through me, but
I will not include
ISP2 networks.
These are the networks you
can reach through me.
I will include ISP1 networks
but include my AS number
multiple times so you may
prefer another route.
 Incoming route advertisements influence your outgoing traffic, and
outgoing advertisements influence your incoming traffic.
37
BGP Hazards – Inadvertent Transit Domain




We inadvertently advertise routes learned from ISP2 to ISP1.
ISP1 customers will see our network as the best path to ISP2 customers.
We have become a transit domain for packets from ISP1 to ISP2.
More later…
38
BGP Hazards – Doyle, Routing TCP/IP
BGP Peering
 Creating a BGP “peering” relationship involves an interesting
combination of trust and mistrust.
 You must trust the network administrator on that end to know what
they are doing.
 At the same time, if you are smart, you will take every practical
measure to protect yourself in the event that a mistake is made on
the other end.
 “Paranoia is your friend.”
39
BGP Hazards – Doyle, Routing TCP/IP
 Your ISP will show little patience with you if you make mistakes in your BGP
configuration.
 Suppose, for example, that through some misconfiguration you advertise
207.46.0.0/16 to your ISP.
 On the receiving side, the ISP does not filter out this incorrect route, allowing
it to be advertised to the rest of the Internet.
 This particular CIDR block belongs to Microsoft, and you have just claimed
to have a route to that destination.
 A significant portion of the Internet community could decide that the best
path to Microsoft is through your domain.
 You will receive a flood of unwanted packets across your Internet connection
and, more importantly, you will have black-holed traffic that should have
gone to Microsoft.
 They will be neither amused nor understanding.
40
YouTube Hijacking: A RIPE NCC
RIS case study
YouTube Hijacking: A RIPE NCC RIS case study
 This presentation is taken from RIPE NCC web site.
 For more detailed information, please consult this web site:
 http://www.ripe.net/news/study-youtube-hijacking.html
 Movie: BBC Report
 Movie: RIPE NCC
 The following presentation is an accurate representation of what
took place, but using a simplified topology.
 On Sunday, 24 February 2008, Pakistan Telecom (AS17557)
started an unauthorised announcement of the prefix
208.65.153.0/24.
 One of Pakistan Telecom's upstream providers, PCCW Global
(AS3491) forwarded this announcement to the rest of the Internet,
which resulted in the hijacking of YouTube traffic on a global
scale.
42
Before, during and after Sunday, 24 February 2008
Internet
BGP
•
DNS servers resolve www.youtube.com to:
• 208.65.153.251
• 208.65.153.253
• 208.65.153.238
43
Before, during and after Sunday, 24 February 2008
Internet
BGP
208.65.152.0/22
YouTube summarizes (CIDR) its /24 networks as a single /22:
208.65.152.0/24 11010000. 01000001.10011000.00000000
208.65.153.0/24 11010000. 01000001.10011001.00000000
208.65.154.0/24 11010000. 01000001.10011010.00000000
-------------------------------------208.65.152.0/22 11010000. 01000001.10011000.00000000
44
Before, during and after Sunday, 24 February 2008
Internet
BGP
208.65.152.0/22
Before, during and after Sunday, 24 February 2008:
 AS36561 (YouTube) announces 208.65.152.0/22.
 Note that AS36561 also announces other prefixes, but they are not involved
in the event.
45
Before, during and after Sunday, 24 February 2008
Internet
2 hops
1 hop
BGP
4 hops
3 hops
208.65.152.0/22
3 hops
1 hop
2 hops
BGP
 Unless other policies are used, routers will choose the shortest AS path.
 This is a simplification of BGP, assuming shortest AS-Path is being used.
46
Before, during and after Sunday, 24 February 2008
www.youtube.com
206.65.153.0/24
ip route 206.63.153.0 255.255.255.0 null0
Internet
2 hops
1 hop
BGP
4 hops
3 hops
208.65.152.0/22
3 hops
1 hop
2 hops
Pakistan Telecom
 Wants to block traffic within it’s own AS from going to www.youtube.com.
 Note: Details of how they did this is not known at them time this presentation
was created.
 Most likely they created a route within their own AS that sent any traffic to
208.65.153.0/24 (DNS address for www.youtube.com) to a non-existent
network, in effect denying their own customers access to www.youtube.com.
 Their mistake was that they propagated this route to PCCW Global.
47
Sunday, 24 February 2008, 18:47 (UTC)
Internet
2 hops
2 hops
1 hop
3 hops
BGP
4 hops
208.65.153.0/24
3 hops
1 hop
208.65.152.0/22
3 hops
2 hops
2 hops
3 hops
1 hop
4 hops
Sunday, 24 February 2008, 18:47 (UTC):
 AS17557 (Pakistan Telecom) starts announcing the more specific route of
208.65.153.0/24.
 AS3491 (PCCW Global) propagates the announcement.
 Routers around the world receive the announcement, and YouTube traffic is
redirected to Pakistan.
48
Internet
Routed traffic to
youtube.com
BGP
?
208.65.152.0/22
208.65.153.0/24
Dest IP = 208.65.153.251


Why do the ISP routers forward traffic to Pakistan Telecom?
When a router receives packets for 208.65.153.251 which path will it
choose?
 Routers will learn about both 208.65.153.0/24 and 208.65.152.0/22
networks and install the both routes in their routing tables.
 When a router receives packets for 208.65.153.251 it will choose the
longest prefix match (more specific match): 208.65.153.0/24
 24 bits is a longer (better) match than 22 bits
49
Sunday, 24 February 2008, 20:07 (UTC):
Internet
Routed traffic to
youtube.com
BGP
208.65.153.0/24
208.65.152.0/22
208.65.153.0/24
Sunday, 24 February 2008, 20:07 (UTC):
 AS36561 (YouTube) starts announcing the same, more specific prefix of
208.65.153.0/24.
 With two identical prefixes in the routing system, BGP policy rules, such as
preferring the shortest AS path, determine which route is chosen.
 This means that AS17557 (Pakistan Telecom) continues to attract some of
YouTube's traffic.
50
Sunday, 24 February 2008, 20:07 (UTC):
Internet
Routed traffic to
youtube.com
BGP
208.65.153.0/24
208.65.152.0/22
208.65.153.0/24
208.65.153.0/25
208.65.153.128/25
Sunday, 24 February 2008, 20:18 (UTC):
 AS36561 (YouTube) starts announcing an even more specific prefixes of
208.65.153.128/25 and 208.65.153.0/25.
 Because of the longest prefix match rule, every router that receives these
announcements will send the traffic to YouTube.
51
Sunday, 24 February 2008, 20:07 (UTC):
For CCNP students
Internet
Routed traffic to
youtube.com
BGP
208.65.153.0/24
For CCNP students
208.65.152.0/22
208.65.153.0/24
208.65.153.0/25
208.65.153.128/25
Sunday, 24 February 2008, 20:51 (UTC):
 All prefix announcements, including the hijacked /24 which was originated
by AS17557 (Pakistan Telecom) via AS3491 (PCCW Global), are seen
prepended by another 17557.
 This makes the route via AS17557 look like more hops.
 The longer AS path means that more routers prefer the announcement
originated by YouTube.
52
Sunday, 24 February 2008, 20:07 (UTC):
Internet
Routed traffic to
youtube.com
X
208.65.153.0/24
BGP
208.65.152.0/22
208.65.153.0/24
208.65.153.0/25
208.65.153.128/25
Sunday, 24 February 2008, 21:01 (UTC):
 AS3491 (PCCW Global) withdraws all prefixes originated by AS17557
(Pakistan Telecom), thus stopping the hijack of 208.65.153.0/24.
 Note that AS17557 was not completely disconnected by AS3491.
 Prefixes originated by other Pakistani ASs were still announced by
AS17557 through AS3491.
53
Back to BGP…
BGP
Characteristics
 BGP updates are carried using TCP on port 179.
 In contrast:
 RIP updates use UDP port 520
 EIGRP uses EIGRP’s RTP
 OSPF does not use a Layer 4 protocol but uses OSPF
mechanisms for reliability (OSPF ACKs)
 Because BGP requires TCP:
 IP connectivity must exist between BGP peers.
 TCP connections must also be negotiated between them before
updates can be exchanged.
 BGP inherits those reliable, connection-oriented properties from TCP.
 Flow control properties as well (sliding windows)
 BGP assumes that its communication is reliable and therefore, BGP does
not have to implement any retransmission or error-recovery mechanisms,
like EIGRP or OSPF does.
55
BGP Neighbor Relationships
 Neighbors or peers - Two routers that establish a TCP-enabled BGP
connection between each other.
 BGP speaker - Each router running BGP.
 A BGP speaker has a limited number of BGP neighbors with which it
peers and forms a TCP-based relationship.
 BGP peers can be either:
 Internal to the AS
 External to the AS
56
External BGP Neighbors
 EBGP: BGP is running between routers in different autonomous systems.
 Routers running EBGP are “usually” directly connected to each other
 EBGP multi-hop allows EBGP neighbors not to be directly connected
(later)
57
There are several requirements for EBGP neighborship:
 Different AS number:
 EBGP neighbors must reside in different autonomous systems to be
able to form an EBGP relationship.
 Define neighbors:
 A TCP session must be established prior to starting BGP routing update
exchanges.
 Reachability:
 The IP addresses used in the neighbor command must be reachable
 EBGP neighbors are “usually” directly connected.
58
EBGP
RTA(config)#router bgp 100
RTA(config-router)#
RTB(config)#router bgp 200
RTB(config-router)#
Configuring EBGP neighbors (more later)
 To begin configuring a BGP process, issue the following familiar command:
Router(config)#router bgp AS-number
 BGP configuration commands appear similar to familiar IGP but it is different!
 Note: Cisco IOS permits only one BGP process to run at a time, thus, a router
cannot belong to more than one AS.
 Because the two AS numbers are different, BGP will start an EBGP connection with
RTA.
59
EBGP
RTA(config)#router bgp 100
RTA(config-router)#neighbor 10.1.1.1 remote-as 200
RTB(config)#router bgp 200
RTB(config-router)#neighbor 10.1.1.2 remote-as 100
Configuring EBGP neighbors (more later)
 Neighbor command - Used to establish a neighbor relationship with another
BGP router.
Router(config-router)#neighbor ip-address remote-as AS-number
 Identifies a peer router with which the local router will establish a session.
 The AS-number argument determines whether the neighbor router is an EBGP or an
IBGP neighbor
 Different AS numbers mean EBGP peers
 Same AS numbers mean IBG peers
60
Internal BGP Neighbors
 IBGP: When BGP is running between routers within the same AS
 IBGP is run within an AS to exchange BGP information so that:
 All internal BGP routers have the same BGP routing information about
outside autonomous systems
 This information can be passed to other autonomous systems.
 Typically full-mesh on all routers in the transit path between AS’s
61
There are several requirements for IBGP neighborship:
 Same AS number:
 IBGP neighbors must reside in the same AS to be able to form an IBGP
relationship.
 Define neighbors:
 A TCP session must be established between neighbors prior to start
exchanging BGP routing updates.
 Reachability:
 IBGP neighbors must be reachable; an IGP typically runs inside the AS.
 Do not have to be directly connected.
62
RTB(config)#router bgp 200
RTB(config-router)#neighbor 172.16.1.2 remote-as 200
RTC(config)#router bgp 200
RTC(config-router)#neighbor 172.16.1.1 remote-as 200
 The remote-as value (200) is the same routers will attempt to establish an
IBGP session.
 Note: AS 200 is not a remote AS , for simplicity, the keyword remote-as is
used.
63
Transit Path
Transit Path
 Described more in the next section…
 You must set up IBGP sessions between all routers in the transit path in AS
65500 so that each router in the transit path within the AS learns about
paths to the external networks via IBGP.
 Note: Can also redistribute into the IGP but this is not usually
recommended.
64
IBGP in a Transit AS
Transit Path
Transit Path
 BGP was originally intended to run along the borders of an AS, with the
routers in the middle of the AS ignorant of the details of BGP
 A transit AS is an AS that routes traffic from one external AS to another
external AS.
 Transit autonomous systems are typically ISPs.
 All routers in a transit path must have complete knowledge of external
routes.
 Run IBGP on all routers within the AS transit path
 Redistribute BGP routes into an IGP at the edge routers (however, this
approach has problems)
65
IBGP in a Nontransit AS
X
X
I learned about networks from
ISP2 but I can’t tell ISP1 or ISP1
might forward packets to me to get
to those networks making me a
transit AS.
 A Nontransit AS:
 AS multihoming with two ISPs
 But does not pass routes between the ISPs
66
BGP Peers
IBGP
EBGP
IBGP
 The designers of BGP could not guarantee that an AS would run BGP on all routers
 So a method had to be developed to ensure that IBGP speakers could pass updates to one
another while ensuring that no routing loops would exist.
 All IBGP routers (in the transit path) need to peer with each other (full mesh)
 Note: Although this presentation refers to “all IBGP routers in the transit path must be
fully-meshed”, it is recommended that all IBGP routers in the AS are fully-meshed
IBGP. This will be discussed in Part 2.
 BGP specifies that routes learned through IBGP are never propagated to other IBGP
peers.
 By default, each BGP speaker is assumed to have a neighbor statement for all other IBGP
speakers in the AS—this is known as full mesh IBGP.
 When a change is received from an external AS:
 The BGP router is responsible for informing all other IBGP neighbors of the change.
67
 IBGP neighbors that receive this update do not send it to other IBGP neighbors
BGP Partial-Mesh and Full-Mesh Examples
68
IBGP update behavior in a partially meshed neighbor environment
BGP Update
 Router B receives a BGP update from Router A.
 Router B has two IBGP neighbors, Routers C and D
 Router B does not have an IBGP neighbor relationship with Router E.
 Routers C and D learn about any networks that were added or withdrawn
behind Router B.
 Routers C and D have IBGP neighbor sessions with Router E but do not
replicate the update and send it to Router E.
 Sending the IBGP update to Router E is Router B’s responsibility
 Router E does not learn of any networks through Router B and does not
use Router B to reach any networks in AS 65101 or other autonomous
systems behind AS 65101.
69
IBGP update behavior in a fully meshed neighbor environment
BGP Update
 When Router B receives an update from Router A
 Router B updates all three of its IBGP peers, Router C, Router D, and
Router E.
 OSPF, the IGP, is used to route the TCP segment containing the BGP
update from Router B to Router E, because these two routers are not
directly connected.
 The update is sent once to each neighbor and not duplicated by any other
IBGP neighbor
 Reduces unnecessary traffic.
 In fully meshed IBGP, each router assumes that every other internal router
has a neighbor statement that points to each IBGP neighbor.
70
Routing Issues if BGP Not on in All Routers in a Transit Path
BGP Update
 In this example, Routers A, B, E, and F are the only ones running BGP.
 Router B has an:
 EBGP neighbor statement for Router A
 IBGP neighbor statement for Router E
 Router E has an:
 EBGP neighbor statement for Router F
 IBGP neighbor statement for Router B.
 Routers C and D are not running BGP.
 Routers B, C, D and E are running OSPF as their IGP.
71
BGP Update
Network
10.0.0.0
 Network 10.0.0.0 is owned by AS 65101 and is advertised by Router A to
Router B via an EBGP session.
 Router B advertises it to Router E via an IBGP session.
 Routers C and D never learn about this network because:
 BGP is not redistributed into the local routing protocol (OSPF)
 Routers C and D are not running BGP
 Router E advertises this network to Router F in AS 65103
72
BGP Update
Packet to
Network
10.0.0.0
Network
10.0.0.0
No route to 10.0.0.0
Drop packet
 So far…
 Routers A, B, E and E all know about the 10.0.0.0 network
 Routers C and D do not have a route for the 10.0.0.0 network
 If Router F has a packet for 10.0.0.0
 Router F would forward the packet to Router E
 Router E would send the packets to its BGP peer, Router B
 To get to Router B packets must go through Router C or D
 Neither of these routers have an entry in their routing tables for
network 10.0.0.0.
 When this packet to 10.0.0.0 is forwarded to either Routers C or D,
those packets would be discarded.
73
BGP Update
Network
10.0.0.0
Transit Path
Transit Path
Packet to
Network
10.0.0.0
Default Route
 Even if Routers C and D have a default route going to the exit points of the
AS (Routers B and E)
 Those packet for 10.0.0.0 might go back to Router E causing a routing
loop.
 To solve this problem:
 BGP must be implemented on all routers in the transit path
 Routers C and/or D
 This leads us to the question… Can BGP help ensure that all routers AS
65102 know about these external networks in other AS’s?
74
BGP Synchronization
I learned about 172.16.0.0 via IBGP from
Router B. I will not advertise 172.16.0.0 to
Router E via EBGP unless I see this network
in my routing table leaned via an IGP (OSPF).
Note: There is not a physical
link b/t A and B
?
OSPF
IBGP
AS 65000 networks
Into OSPF
 BGP synchronization rule states: A BGP router should not use or
advertise to an external BGP neighbor a route learned by IBGP, unless that
route is directly connected or learned from the IGP.
 In the past this use to be the default.
 If there were small enough number of BGP routes they could be
redistributed into the IGP (by Router A and Router B).
 Routers C and D would then know about 172.16.0.0 and all AS 65000
networks via redistribution by Router B.
 Then IBGP would not have to run on all routers in the transit path.
75
BGP Synchronization
I learned about 172.16.0.0 via IBGP from
Router B. I will not advertise 172.16.0.0 to
Router E via EBGP unless I see this network
in my routing table leaned via an IGP (OSPF).
?
OSPF
IBGP
AS 65000 networks
Into OSPF
 It is important that Router C and Router D learn about the networks from AS
650000 (172.16.0.0).
 Otherwise, when Router A forwards a packet to Router C destined for
172.16.0.0, Router C would drop the packet because that network is not in
its routing table.
 This is why synchronization was the default on BGP routers.
 However, in the modern Internet it not practical to redistribute so my
networks into the IGP – this is no longer the best practice!
76
No BGP
Synchronization
I learned about 172.16.0.0 via IBGP from
Router B. I can
will not
advertise
advertise
172.16.0.0
172.16.0.0
to Router
to
Router
E
via EBGP
E via even
EBGP
if this
unless
network
I see in
this
NOT
network
in my
in my routing
routing
table leaned
table leaned
via anvia
IGPan(OSPF).
IGP (OSPF).
?
OSPF
IBGP
AS 65000 networks
Into OSPF




Best practice is to no longer redistribute BGP networks into the IGP.
Instead, all routers in the transit path should be fully meshed IBGP.
Synchronization is disabled by default in Cisco IOS 12.2(8)T and later.
This means that a BGP router can advertise to an external BGP neighbor a
route learned by IBGP regardless whether or not that network is in the
routing table via IGP.
 All routers in the in the transit path must be running IBPG and be fully
meshed.
 Each transit router in the AS must have a neighbor relationship with all
other transit routers.
77
No BGP
Synchronization
I learned about 172.16.0.0 via IBGP from
Router B. I can advertise 172.16.0.0 to Router
E via EBGP even if this network in NOT in my
routing table leaned via an IGP (OSPF).
OSPF
 The BGP synchronization rule does ensure consistency of information
throughout the AS and avoids black holes
 For example, advertising a destination to an external neighbor when not
all the routers within the AS can reach the destination) within the
autonomous system.
 So, when synchronization is disabled you must make sure that all routers
in the transit path are fully meshed via IBGP.
 Otherwise, when Router A forwards a packet to Router C destined for
172.16.0.0, Router C would drop the packet because that network is not in its
routing table.
 This allows the routers to carry fewer routes in IGP and allows BGP to
78
converge more quickly because it can advertise the routes as they are learned.
How does BGP choose the best path?
Is this the best path?
Does it meet the path
selection criteria? If so,
add to routing table.
BGP Update
BGP
Table
Network
Routing
Table
Network
 BGP selects only one path as the best path.
 When the path is selected, BGP puts the selected path in its routing
table and propagates the path to its neighbors.
 How does BGP choose the best path?
79
WLam
Summary of the BGPWeight
Path Selection Process
 BGP uses the following
criteria,
in the order presented, to select a path for a
Local
Preference
destination:
as path
 NOTE: Not all of these
are commonly used and will be examined in more
detail later in this presentation and in the next presentation.
med
1. If the path specifies a next hop that is inaccessible, drop the update.
2. Prefer the path with the largest weight.
3. If the weights are the same, prefer the path with the largest local preference.
4. If the local preferences are the same, prefer the path that was originated by
BGP running on this router.
5. If no route was originated, prefer the route that has the shortest AS_path.
6. If all paths have the same AS_path length, prefer the path with the lowest
origin type (where IGP is lower than EGP, and EGP is lower than
Incomplete).
7. If the origin codes are the same, prefer the path with the lowest MED
attribute.
8. If the paths have the same MED, prefer the external path over the internal
path.
9. If the paths are still the same, prefer the path through the closest IGP
neighbor.
10. Prefer the path with the lowest IP address, as specified by the BGP router ID
80
BGP Message Types
 Before establishing a BGP peer connection the two neighbors must perform
the standard TCP three-way handshake and open a TCP connection to port
179.
 After the TCP session is established, BGP peers exchanges several
messages to open and confirm connection parameters and to send BGP
routing information.
 All BGP messages are unicast to the one neighbor over the TCP
connection.
 There are four BGP message types:




Type 1: OPEN
Type 2: KEEPALIVE
Type 3: UPDATE
Type 4: NOTIFICATION
81
Type 1:
BGP Open Message
 After the TCP session is established, both neighbors send Open messages.
 This message is used to establish connections with peers.
 Each neighbor uses this message to identify itself and to specify its BGP
operational parameters including:
 BGP version number (defaults to version 4)
 AS number: AS number of the originating router, determines if BGP
session is EBGP or IBGP.
 BGP identifier: IP address that identifies the neighbor using the same
method as OSPF router ID.
 Optional parameter: authentication, multiprotocol support and route
refresh.
82
Type 2: BGP Keepalive Message
 This message type is sent periodically between peers to maintain
connections and verify paths held by the router sending the keepalive.
 If a router accepts the parameters specified in its neighbor’s Open
message, it responds with a Keepalive.
 Subsequent Keepalives are sent every 60 seconds
 Holdtime: The maximum number of seconds that can elapse between
successive keepalives or update messages.
 Cisco default holdtime is 180 seconds
 Will use the smaller of the two neighbor holdtimes.
 Router ID is includeds (determined same as OSPF or EIGRP Router ID)
83
Type 3: BGP Update Message
 The UPDATE messages contain all the information BGP uses to construct a
loop-free picture of the internetwork.
 Update messages advertises feasible routes, withdrawn routes, or both.
 The three basic components of an UPDATE message are:
 Network-Layer Reachability Information (NLRI)
 Path Attributes
 Withdrawn Routes
84
Type 3: BGP Update Message
Path
Attributes
…
Networks
…
Path
Attributes
…
Networks
…
Path
Attributes
…
Networks
…
Update message includes Paths and associated Attributes and Networks
Path Attributes
 This is described later, providing the information that allows BGP to choose
a shortest path, detect routing loops, and determine routing policy.
Withdrawn Routes
 These are (Length, Prefix) tuples describing destination that have become
unreachable and are being withdrawn from service.
Network-Layer Reachability Information (NLRI)
 This is one or more networks (IP address prefix and prefix lengths) that can
be reached by this path.
85
Type 4: BGP Notification Message
 A NOTIFICATION message is sent whenever an error is detected and
always causes the BGP connection to close.
 The NOTIFICATION message is composed of the Error Code (8 bits), Error
Subcode (8 bits), and a Data fields (variable length).
86
BGP FSM
 The BGP neighbor negotiation process proceeds through
various states, or stages, which can be described in terms of
a finite-state machine (FSM).
87
BGP FSM
BGP FSM includes six states:
1. Idle
2. Connect
3. Active
4. OpenSent
5. Open Confirm
6. Established
Note: Curved arrows should show
pointing back to the same state.
88
 This process can be viewed with:
 debug ip bgp ipv4 unicast
 debug ip bgp events (older IOS’s)
 After you enter the neighbor command
 BGP starts in the idle state, and the BGP process checks that it has a route to the IP
address listed.
 BGP should be in the idle state for only a few seconds.
 If BGP does not find a route to the neighboring IP address, it stays in the idle
state.
 If it finds a route, it goes to the connect state when the TCP handshaking
synchronize acknowledge (SYN ACK) packet returns (when the TCP three-way
handshake is complete).
 After the TCP connection is set up, the BGP process creates a BGP open
message and sends it to the neighbor.
 After BGP dispatches this open message, the BGP peering session changes to the
open sent state.
 If there is no response for 5 seconds, the state changes to the active state.
 If a response does come back in a timely manner, BGP goes to the open confirm
state and starts scanning (evaluating) the routing table for the paths to send to the
neighbor.
 When these paths have been found, BGP then goes to the established state and
begins routing between the neighbors.
89
Idle State
 BGP always begins in the Idle state, in which it refuses all incoming connections.
 It is normally initiated by an administrator or a network event.
 If BGP does not find a route to the neighboring IP address, it stays in the idle
state.
 When Start event occurs, the BGP process:
 Initializes all BGP resources
 Starts the ConnectRetry timer
 Initializes a TCP connection the the neighbor
 Listens for a TCP initialization from the neighbor
 Changes its state to Connect
90
Connect State
 In this state, the BGP process is waiting for the TCP connection to be
completed.
 If it finds a route, it goes to the connect state when the TCP handshaking
synchronize acknowledge (SYN ACK) packet returns (when the TCP threeway handshake is complete).
 If the connection is successful, the BGP process:
 Clears the ConnectRetry timer
 Completes initialization
 Sends an Open message to the neighbor
 Transitions to the OpenSent state
91
Connect State
 If the connection is unsuccessful, the BGP process:
 Continues to listen for a connection to be initiated by the
neighbor
 Resets the ConnectRetry timer
 Transitions to the Active state
92
Active State
 In this state, the BGP process is trying to initiate a TCP connection with the
neighbor.
 If the TCP connection is successful:
 Clears the ConnectRetry timer
 Completes initialization
 Sends an Open message to the neighbor
 Transitions to the OpenSent state
93
Problem
Active State
 If the ConnectRetry timer expires while BGP is in the Active State, the BGP
process:
 Transitions back to the Connect state
 Resets the ConnectRetry timer
 In general, a neighbor state that is switching between "Connect" and
"Active" is an indication that something is wrong and that there are
problems with the TCP connection.
 It could be because of many TCP retransmissions, or the incapability of a
neighbor to reach the IP address of its peer.
94
OpenSent State
errors
No errors
 In this state an Open message has been sent and BGP is waiting to hear an
Open message from its neighbor.
 After the TCP connection is set up, the BGP process creates a BGP open
message and sends it to the neighbor.
 After BGP dispatches this open message, the BGP peering session changes
to the open sent state.
 When an Open message is received, all its fields are checked.
 If errors exist, a Notification message is sent and the state transitions to
Idle.
 If no errors exist, a Keepalive message is sent and the Keepalive timer is
set, the peer is determined to be internal or external, and state is changed
95
OpenConfirm
State
error
No errors
 In this state, the BGP process waits for a Keepalive or Notification
message.
 If a Keepalive message is received, the state transitions to
Established.
 If a Notification message is received, or a TCP disconnect is
received, the state transitions to Idle.
96
Established
State
 In this state, the BGP connection is fully established and the peers can
exchange Update, Keepalive and Notification messages.
 If an Update or Keepalive message is received, the Hold timer is
restarted.
 If a Notification message is received, the state transitions to Idle.
97
CIS 185 CCNP ROUTE
Ch. 6 Border Gateway Protocol Solution
for ISP Connectivity – Part 1
Rick Graziani
Cabrillo College
graziani@cabrillo.edu
Last Updated: Fall 2010
Download