
start [APNIC TRAINING WIKI] - IXP & Routing Webinar-BGP...routing table into BGP routing table. 33...

Date post: 04-Feb-2021
Transcript
  • 1

  • 22 v1.0

    IXP & Routing Tutorial – BGP Basics

    WEBINAR COURSE

  • 3 v1.03

    Acknowledgements

    • Philip Smith

    • Cisco Systems

  • 4 v1.04

    Overview

    • What is BGP?

    • BGP Features

    • Path Vector Routing Protocol

    • BGP General Operation

    • BGP Terminology

    • Inserting Prefixes into BGP

  • 5 v1.05

    What is BGP?

    • Border Gateway Protocol

    • A Routing Protocol used to exchange routing information between different networks
    o Exterior gateway protocol

    • Described in RFC4271
    o RFC4276 gives an implementation report on BGP
    o RFC4277 describes operational experiences using BGP

    Interior Gateway Protocol: OSPF, IS-IS …

    Exterior Gateway Protocol: BGP

  • 6 v1.06

    BGP Features

    • Path Vector Protocol

    • Incremental Updates

    • Many options for policy enforcement

    • Widely used for Internet backbone

    • Autonomous systems

    • Classless Inter Domain Routing (CIDR)

  • 7 v1.07

    What is an Autonomous System?

    • Group of Internet Protocol-based networks with the same routing policy
    o Usually under single ownership, trust or administrative control

    • The AS is used both in the exchange of exterior routing information (between neighboring ASes) and as an identifier of the AS itself

    • The Autonomous System is the cornerstone of BGP
    o It is used to uniquely identify networks with a common routing policy

  • 8 v1.08

    Autonomous System Number (ASN)

    • Globally unique identifiers for IP networks

    • ASN uniquely identifies each network on the Internet, allocated to each Autonomous System (AS) for use in BGP routing

    • 2-byte only AS number range: 0 – 65535

    • 4-byte only AS number range: 65,536 – 4,294,967,295

  • 9 v1.09

    Autonomous System Number (ASN)

    Number                     Bits   Description                                          Reference
    0                          16     Reserved                                             RFC7607
    1 - 23455                  16     Public ASNs
    23456                      16     Reserved for AS_TRANS                                RFC6793
    23457 - 64495              16     Public ASNs
    64496 - 64511              16     Reserved for use in documentation and sample code    RFC5398
    64512 - 65534              16     Reserved for private use                             RFC6996
    65535                      16     Reserved                                             RFC7300
    65536 - 65551              32     Reserved for use in documentation and sample code    RFC5398
    65552 - 131071             32     Reserved
    131072 - 4199999999        32     Public 32-bit ASNs
    4200000000 - 4294967294    32     Reserved for private use                             RFC6996
    4294967295                 32     Reserved                                             RFC7300

    https://www.iana.org/assignments/as-numbers/as-numbers.xhtml

  • 10 v1.010

    What is Path Vector Routing Protocol

    • A path vector routing protocol is used to span different autonomous systems

    • It defines a route as the collection of ASes that it passes through from source AS to destination AS, for example:

    {65001 65002 65003 65007}

    • This list of AS numbers is called the AS path and is used to avoid routing loops

    • The AS path is also used to select the path to a destination

  • 11 v1.011

    Path Vector Routing Protocol

    [Figure: AS64500, AS64501, AS64502 and AS64503; prefix 172.16.0.0/16 shown with AS paths "64503" and "64501 64503"]

  • 12 v1.012

    Definitions

    • Transit

    § carrying traffic across a network, usually for a fee

    • Peering

    § exchanging routing information and traffic

  • 13 v1.013

    Peering and Transit example

    A and B can peer, but need transit arrangements with D to get packets to/from C

    [Figure: provider A, provider B, provider C, Backbone Provider D, IXP-West, IXP-East]

  • 14 v1.014

    BGP General Operation

    • Learns multiple paths via internal and external BGP speakers

    • Picks the best path and installs it in the routing table (RIB)

    • Best path is sent to external BGP neighbours

    • Policies are applied by influencing the best path selection

  • 15 v1.015

    BGP Attributes

    • Well-known attributes – must be supported by every BGP implementation
    o Mandatory attributes – must be included with every route entry. If one attribute is missing, it will result in an error message
    o Ex: ORIGIN, AS_PATH, NEXT_HOP
    o Discretionary attributes – every BGP router must recognize, but they don’t have to be present with every route entry
    o Ex: ATOMIC_AGGREGATE, LOCAL_PREF

    • Optional attributes – not necessarily supported by all BGP implementations. It can be either transitive or non-transitive.
    o COMMUNITY, AGGREGATOR, MULTI_EXIT_DISC

  • 16 v1.016

    Internal & External BGP

    • eBGP is used to:
    o Exchange networks/routes between ASes
    - Aggregates and sub-aggregates
    o Implement routing policies
    - To manipulate inbound and outbound traffic

    • iBGP is used to:
    o Carry customer networks/prefixes
    o Internet routes (some or all) across the AS backbone

  • 17 v1.017

    BGP Message Types

    • There are 5 types of BGP messages for communication:
    o Open
    o Keepalive
    o Update
    o Notification
    o Route-Refresh

  • 18 v1.018

    BGP Message Types

    • Open:
    o After a TCP connection has been established between two BGP routers, an Open message is sent
    - Once the open message is confirmed (keepalive), the BGP session is established – become BGP peers/neighbors!
    o Contains:
    - Sender’s ASN
    - BGP version
    - BGP router ID
    - Hold-time (3 x keepalive interval)

  • 19 v1.019

    BGP Message Types

    • Keepalive:
    o Exchanged initially to acknowledge Open messages
    o Exchanged periodically (60 secs) to maintain BGP session
    - Dataless packet

    • Update:
    o BGP peers exchange network information through Update messages
    - One update for each path!
    o Contains:
    - Withdrawn routes – no more reachable
    - Path attributes – attributes for this path to reach the destinations specified by the NLRI
    - NLRI – list of networks reachable through this path

  • 20 v1.020

    BGP Message Types

    • Notification:
    o Sent when an error condition is detected
    o The BGP session is torn down immediately!
    o Contains:
    - Error code
    - Error sub-code
    - Data related to error

  • 21 v1.021

    BGP Neighbor States

    • There are six BGP neighbour states:

    o Idle

    o Connect

    o Active

    o OpenSent

    o OpenConfirm

    o Established

  • 22 v1.022

    BGP Neighbor States

    • A BGP router goes through six different states

    • Idle
    - The router is looking for a route to its neighbor

    • Connect
    - BGP router moves from Idle to Connect state if it has found a route to its neighbor, and has started the TCP handshake
    - If the TCP session is successful, sends an Open message (and transitions to OpenSent)
    - Else, moves to Active state

  • 23 v1.023

    BGP Neighbor States

    • Active
    - A router transitions to Active state if the initial TCP connection was not successful (in Connect state)
    - Restarts the TCP connection
    - If successful, sends an Open message
    - Else, falls back to Idle state

    • OpenSent
    - An Open message has been sent to the neighbour
    - Waiting for Open message from neighbour
    - If it receives an Open message and there are no mismatches (version, source addr same as TCP addr, ASN, router-ID, TTL, md5), sends KeepAlive, moves to OpenConfirm
    - Else (if mismatches/errors), sends Notification and falls back to Idle

  • 24 v1.024

    BGP Neighbor States

    • OpenConfirm
    - Waiting for the initial KeepAlive
    - If received, transitions to Established
    - If holdtimer expires or Notification received, moves to Idle

    • Established
    - The BGP neighbor relationship (session) is established!
    - Routing information can now be exchanged
    - If holdtimer expires/error, moves back to Idle
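The Open message contents and the OpenSent mismatch checks described in these slides can be seen in a small parser. This is an added example, not part of the original slides: it follows the RFC 4271 wire layout, the function names are hypothetical, and the sample message is constructed. It checks only what the message itself carries (version, ASN, router ID, hold time); source address, TTL and MD5 are verified at the TCP/IP layer and are out of scope here.

```python
import ipaddress
import struct

MARKER = b"\xff" * 16   # RFC 4271 header marker: 16 bytes of all ones
HEADER_LEN = 19         # marker (16) + length (2) + type (1)
OPEN_FIXED_LEN = 10     # version, my AS, hold time, BGP identifier, opt-param length
TYPE_OPEN = 1           # 2=Update, 3=Notification, 4=Keepalive, 5=Route-Refresh


def build_open(asn, hold_time, router_id, version=4):
    """Build an Open with no optional parameters (used for the constructed sample)."""
    body = struct.pack("!BHH4sB", version, asn, hold_time,
                       ipaddress.IPv4Address(router_id).packed, 0)
    return MARKER + struct.pack("!HB", HEADER_LEN + len(body), TYPE_OPEN) + body


def parse_open(data):
    """Parse a BGP Open message into a dict, rejecting malformed input."""
    if len(data) < HEADER_LEN + OPEN_FIXED_LEN:
        raise ValueError("truncated Open message")
    marker, length, msg_type = struct.unpack("!16sHB", data[:HEADER_LEN])
    if marker != MARKER:
        raise ValueError("bad header marker")
    if length != len(data):
        raise ValueError("length field does not match message size")
    if msg_type != TYPE_OPEN:
        raise ValueError("not an Open message (type %d)" % msg_type)
    version, asn, hold, rid, opt_len = struct.unpack(
        "!BHH4sB", data[HEADER_LEN:HEADER_LEN + OPEN_FIXED_LEN])
    if HEADER_LEN + OPEN_FIXED_LEN + opt_len != length:
        raise ValueError("optional parameter length is inconsistent")
    return {
        "version": version,
        # 2-byte field: a 4-byte-ASN speaker sends AS_TRANS (23456) here and
        # carries its real ASN in a capability, which this example does not parse.
        "asn": asn,
        "hold_time": hold,
        "router_id": str(ipaddress.IPv4Address(rid)),
    }


def check_open(msg, expected_asn):
    """Return the mismatches that would make OpenSent send a Notification."""
    problems = []
    if msg["version"] != 4:
        problems.append("unsupported BGP version %d" % msg["version"])
    if msg["asn"] != expected_asn:
        problems.append("ASN %d does not match configured remote-as %d"
                        % (msg["asn"], expected_asn))
    if msg["router_id"] == "0.0.0.0":
        problems.append("router ID must be non-zero")
    if msg["hold_time"] in (1, 2):
        # RFC 4271: hold time is either 0 or at least 3 seconds
        problems.append("hold time of %d s is not acceptable" % msg["hold_time"])
    return problems


# Constructed sample: the neighbour 172.16.12.2 in AS 65000 from the eBGP slide,
# with hold time 180 s (3 x the 60 s keepalive interval).
SAMPLE_OPEN = build_open(65000, 180, "172.16.12.2")

if __name__ == "__main__":
    parsed = parse_open(SAMPLE_OPEN)
    print(parsed)
    print(check_open(parsed, expected_asn=65000) or "no mismatches: send Keepalive")
    print(check_open(parsed, expected_asn=65001))
```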

  • 25 v1.025

    BGP State Machine

    Idle

    Active

    Connect

    OpenSent

    OpenConfirm

    Established

  • 26 v1.026

    BGP/IGP model used in ISP networks

    • BGP is used internally (iBGP) and externally (eBGP)

    • iBGP – used to carry some/all Internet prefixes across ISP backbone and ISP’s customer prefixes

    • eBGP – used to exchange prefixes with other ASes and implement routing policy

    [Figure: AS65001, AS65002, AS65003 and AS65004; IGP and iBGP inside each AS, eBGP between ASes]

  • 27 v1.027

    eBGP Neighbor Relationship

    • eBGP neighbors/peers
    o BGP session established between routers in different ASes
    o Generally directly connected!
    - Session established using directly connected interface IP
    - Peering address must match the TCP session!
    o Else, we need a static route to reach the neighbor and change the eBGP TTL value (default 1)

    [Figure: AS 65001 and AS 65000 connected over 172.16.12.0/30, one end labelled .1]

    router bgp 65001
     neighbor 172.16.12.2 remote-as 65000
     !
     address-family ipv4
      neighbor 172.16.12.2 activate
     !

  • 28 v1.028

    iBGP Neighbor Relationship

    • iBGP neighbors/peers
    o BGP session established between routers within the same AS
    o Does not need to be directly connected
    - IGP ensure reachability (TCP connection)
    o Generally using loopback addresses

    [Figure: AS 65001]

    router bgp 65001
     neighbor 10.10.10.2 remote-as 65001
    !

  • 29 v1.029

    iBGP Operation

    • iBGP routers must:

    o Originate directly connected routes

    • Carry routes learned from outside the AS to all routers within the AS
    o Fully-meshed instead of redistributing!
    o Advertise routes learned from eBGP peers to all iBGP peers!

    • To prevent routing loops (in a fully-meshed network)
    o iBGP routers are not allowed to advertise iBGP learned routes to other iBGP peers!

  • 30 v1.030

    iBGP full-mesh

    Example configuration on R1 and R2

    [Figure: AS65400 with routers R1, R2, R3 and R4]

    R1:
    router bgp 65400
     neighbor 10.10.10.2 remote-as 65400
     neighbor 10.10.10.3 remote-as 65400
     neighbor 10.10.10.4 remote-as 65400
    !

    R2:
    router bgp 65400
     neighbor 10.10.10.1 remote-as 65400
     neighbor 10.10.10.3 remote-as 65400
     neighbor 10.10.10.4 remote-as 65400
    !

  • 31 v1.031

    Sourcing iBGP from Loopback

    • By default, routers use the exit-interface address as the source address for locally originated packets (updates)
    o If the BGP TCP session was established using any other interface (loopbacks) addresses, the source address for BGP updates must match!

    • In Cisco IOS, the update-source loopback command achieves this

    router bgp 65400
     neighbor 10.10.10.1 remote-as 65400
     neighbor 10.10.10.1 update-source loopback 0
    !

  • 32 v1.032

    Insert Prefixes into BGP

    Examples in IOS                           Function
    network 192.168.1.0 mask 255.255.255.0    Add the specific route 192.168.1.0/24 into BGP routing table.
    redistribute OSPF                         Redistribute all the routes in OSPF routing table into BGP routing table.

  • 33 v1.033

    Inserting prefixes into BGP – network command

    • Configuration Example

    • A matching route must exist in the routing table before the network is announced

    • Forces origin to be “IGP”

    router bgp 65400
     network 10.10.32.0 mask 255.255.254.0

    ip route 10.10.32.0 255.255.254.0

  • 34 v1.034

    Configuring Aggregation – Network Command

    • Configuration Example

    • A matching route must exist in the routing table before the network is announced

    • Easiest and best way of generating an aggregate

    10.10.1.0 255.255.255.0

    10.10.2.0 255.255.255.0

    10.10.3.0 255.255.255.0

    router bgp 64500
     network 10.10.0.0 mask 255.255.0.0

    ip route 10.10.0.0 255.255.0.0 null0

  • 3535 v1.0

    IXP & Routing Tutorial – BGP Attributes

    WEBINAR COURSE

  • 36 v1.036

    BGP Path Attributes

    • Attributes describe the path to a network(s)/NLRI
    o Used to enforce routing policies for path control!

    Category                    Attributes                      Note
    Well-known Mandatory        AS_PATH, NEXT_HOP, ORIGIN       Always included in BGP updates
    Well-known Discretionary    LOCAL_PREF, ATOMIC_AGGREGATE    Can be included (for path control)!
    Optional Transitive         COMMUNITY, AGGREGATOR           Can be included (for path control)!
    Optional Non-transitive     MED                             Can be included (for path control)!

  • 37 v1.037

    AS_PATH

    • Indicates the list of ASes a route has passed through to reach the local AS
    o the list of ASes to reach a destination
    o can influence path selection!

    [Figure: AS64501 (10.10.0.0/16), AS64502 (10.20.0.0/16), AS64503 and AS64509, with the two route listings below]

    10.10.0.0/16 64503 64502 64501
    10.20.0.0/16 64503 64502

    10.10.0.0/16 64502 64501
    10.20.0.0/16 64502

  • 38 v1.038

    AS_PATH

    • Used to ensure a loop-free exchange of routing info between ASes
    o If own AS is seen in an update from an eBGP peer, loop is detected (Update is dropped)!

    [Figure: AS64501 (10.10.0.0/16), AS64502 (10.20.0.0/16) and AS64503 (10.30.0.0/16), with the route listing below and one update marked X]

    10.10.0.0/16 64503 64502 64501
    10.20.0.0/16 64503 64502
    10.30.0.0/16 64503

  • 39 v1.039

    NEXT_HOP

    • Indicates the next hop address to reach the destination
    o Source of the update packet!

    • For eBGP
    o eBGP neighbor address (to reach the next AS)

    • For iBGP
    o Generally the loopback address

  • 40 v1.040

    NEXT_HOP

    • eBGP learned routes are advertised to iBGP peers without changing the next hop
    o Routers within the AS need to be able to reach the next hop (IGP or static)
    o Else, external routes not installed in the routing table!

    [Figure: AS 64502 (10.20.0.0/16), AS 64503 (10.30.0.0/16) and AS 64501 with routers R1, R2 and R3; link 10.20.0.0/30 (.1, .2); eBGP and iBGP sessions]

    R3:
    10.30.0.0/16 130.10.0.1
    10.20.0.0/16 130.10.0.1

  • 41 v1.041

    NEXT-HOP-SELF

    • Override the eBGP next hop default behavior with next-hop-self command
    o Advertises itself as the next hop for external routes
    ▸ Reachable through IGP

    [Figure: AS 64502 (10.20.0.0/16), AS 64503 (10.30.0.0/16) and AS 64501 with routers R1, R2 and R3; link 10.20.0.0/30 (.1, .2); eBGP and iBGP sessions; addresses 10.10.0.12 and 10.10.0.13]

    R2:
    router bgp 64501
     neighbor 10.10.0.13 remote-as 64501
     neighbor 10.10.0.13 next-hop-self
    !

    R3:
    10.20.0.0/16 10.10.0.12
    10.30.0.0/16 10.10.0.12

  • 42 v1.042

    ORIGIN

    • Indicates the origin of the route

    Origin            Methods                                                                            Examples
    IGP (i)           Interior to the originating AS. Generated by BGP “network” statement               network 172.16.16.0 mask 255.255.254.0
    EGP (e)           By EGP (not used now)
    Incomplete (?)    Route’s origin is unknown. Usually redistributed from another routing protocol     redistribute ospf

  • 43 v1.043

    ORIGIN

  • 44 v1.044

    LOCAL_PREF

    • Local preference tells routers within the AS (local) the preferred path to exit the AS
    o Path with highest local_pref wins
    ▸ Outbound traffic!

    • Local to the AS
    o Advertised only to iBGP peers!

    [Figure: AS 64502 (130.10.0.0/16), AS 64503, AS 64501 and AS 64505; routers R1, R2 and R3; paths marked LP-200 and LP-500]

  • 45 v1.045

    MED

    • Multi-exit discriminator is inter-AS non-transitive
    o Indicates to the neighbor AS the preferred entry points into the local AS (incoming traffic)

    • The path with lowest MED wins!

    [Figure: AS 200 (160.10.0.0/16) and AS 300; routers R1, R2, R3, R4 and R5; links marked MED-10 and MED-200]

  • 46 v1.046

    COMMUNITY

    • Used to group prefixes (incoming/outgoing) and apply policies to the communities
    o A prefix can belong to more than one community

    • Is (was?) a 32-bit integer
    o Represented as two 16-bit integers [ASN:number], for example: 64501:200
    ▸ Works well for 2-byte ASN

    • With 4-byte ASNs
    o Common to see [private-ASN:number]
    o RFC 8092 (BGP Large Communities): 96-bit integer
    ▸ [32-bit ASN:32-bit:32-bit], for example: 64496:4294967295:2

  • 47 v1.047

    BGP Best Path Selection

    Highest Local Preference

    Locally originated routes

    Shortest AS Path

    Lowest Origin Code (i

  • 48 v1.048

    BGP Operation

    • BGP learns routes from iBGP and eBGP peers

    o Selects best path based on the attributes

    o Installs best path in the routing table

    o Advertises the best paths to its other BGP peers
    ▸ eBGP learned routes to iBGP peers
    ▸ iBGP learned routes to eBGP peers

  • 49 v1.049

    BGP Operation

    [Figure labels: Local Router, Peer, Inbound updates, Filters (Policy), BGP Table, Best Paths, Routing Table, Outbound updates (best paths)]

  • 50 v1.050

    BGP Tables

    • Neighbor Table
    o List of all BGP neighbors

    • BGP Table
    o List of routes learned from all BGP neighbors
    o (And locally originated routes!)

    • Routing (Forwarding) Table
    o All best paths
    ▸ selected based on attributes and whose next-hops are reachable!

  • 5151 v1.0

    IXP & Routing Tutorial – BGP Scaling

    WEBINAR COURSE

  • 52 v1.052

    Agenda

    • BGP Peer Group

    • BGP Route Reflection

  • 53 v1.053

    BGP Peer Group

    • Problem: number of BGP updates in an iBGP mesh
    o BGP updates generated for each neighbor individually
    ▸ CPU wasted on repeat calculations
    o iBGP neighbors receive the same update
    ▸ Contain same info

    • Solution: Peer Groups
    o Group neighbors with the same outbound update policy
    o Updates are generated once per group

  • 54 v1.054

    BGP Peer Group

    • Still need to establish TCP sessions individually

    • Useful when many neighbors have the same outbound policies
    o Runs through the outbound filters only once for the group (applied to all members)

    • Members can have a different inbound policy!

    • Simplifies configuration
    o Define the peer group
    o Add neighbors to the peer group
    ▸ Still need to configure peering individually
    o Apply filters (outbound) to the group

  • 55 v1.055

    Peer Group – Best Practices

    • Always configure peer-groups for iBGP
    o Even if there are only a few iBGP peers
    o Easier to scale network in the future

    • Consider using peer-groups for eBGP
    o Especially useful for multiple BGP customers using same AS (RFC 2270)
    o Also at IXPs where ISP policy is generally the same for each IX peer

  • 56 v1.056

    BGP Loop Prevention

    • eBGP
    o AS-PATH attribute
    o If the local ASN is seen in a route received from an eBGP peer, a routing loop has occurred
    ▸ Drop the route!

    • iBGP
    o BGP router is not allowed to advertise iBGP learned routes to other iBGP peers within the AS
    o How do all iBGP routers learn about each other’s networks?
    ▸ iBGP full-mesh!

  • 57 v1.057

    Scaling iBGP mesh

    • Number of iBGP sessions: n(n-1)/2
    ▸ 10 routers = 45 sessions
    ▸ 100 routers = 4950 sessions

    • Number of BGP updates
    o Every update needs to be sent to all iBGP peers

    [Figure: 10 routers = 45 iBGP sessions]

  • 58 v1.058

    Solution

    • Route Reflection (RFC4456)
    o RR client peers only with the RR
    o RR and its clients form a CLUSTER
    o Non-clients
    o An AS can have multiple clusters

    RRs do not affect the actual traffic path; only affects the path BGP messages take!

  • 59 v1.059

    RR Operation

    • When a RR receives an Update:
    o If from a client peer, the route is reflected (advertised) to other clients, and non-client peers.
    o If from a non-client, only reflected to client peers
    o If from an eBGP peer, reflected to both client and non-client peers.

    [Figure: AS 65001 and AS 17821; routers A, B, C and D; Route Reflector and Clients]

    Routing loops can happen with RRs!

  • 60 v1.060

    Avoiding loops in RR

    • Originator_ID attribute
    o The BGP router ID of the originator, created by the RR
    ▸ If you see your router ID in the Originator_ID attribute, a loop has occurred.

    • Cluster_List attribute
    o In a cluster with a single RR, the Cluster ID is the router ID of the RR
    o If more than one RR in a cluster, a 4-byte Cluster ID is configured
    o Cluster_List reflects the sequence of clusters a route has passed through
    o When a RR reflects routes (from clients) to non-clients, it appends the local Cluster ID to the Cluster_List
    ▸ When a RR receives an update, if the local Cluster ID is seen in the list, a loop has occurred! (drops the update)
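The reflection rules and the two loop checks (Originator_ID and Cluster_List) can be traced with a small simulation. This is an added example, not part of the original slides: the class, the router IDs and the 192.0.2.0/24 prefix are constructed, peers are identified by their router ID, and the local Cluster ID is placed at the front of the list as RFC 4456 specifies (the position does not change the loop check).

```python
from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    originator_id: Optional[str] = None   # Originator_ID attribute
    cluster_list: Tuple[str, ...] = ()    # Cluster_List attribute


class RouteReflector:
    """Hypothetical model of one RR; peers are named by their router ID."""

    def __init__(self, router_id, cluster_id, clients, non_clients):
        self.router_id = router_id
        self.cluster_id = cluster_id
        self.clients = set(clients)
        self.non_clients = set(non_clients)

    def receive(self, route, from_peer, ebgp=False):
        """Return {iBGP peer: route as advertised}; an empty dict means dropped."""
        ibgp_peers = self.clients | self.non_clients
        if ebgp:
            # eBGP-learned route: goes to clients and non-clients, and no
            # reflection attributes are added because nothing is reflected.
            return {peer: route for peer in sorted(ibgp_peers)}
        if from_peer not in ibgp_peers:
            raise ValueError("unknown iBGP peer %s" % from_peer)

        # Loop checks from the slide above.
        if route.originator_id == self.router_id:
            return {}
        if self.cluster_id in route.cluster_list:
            return {}

        if from_peer in self.clients:
            targets = ibgp_peers - {from_peer}   # other clients + non-clients
        else:
            targets = set(self.clients)          # non-client: clients only

        reflected = replace(
            route,
            originator_id=route.originator_id or from_peer,
            cluster_list=(self.cluster_id,) + route.cluster_list,
        )
        return {peer: reflected for peer in sorted(targets)}


# Constructed topology: two clusters whose RRs peer with each other as non-clients.
RR1 = RouteReflector("10.0.0.1", "1.1.1.1",
                     clients={"10.0.0.11", "10.0.0.12"}, non_clients={"10.0.0.2"})
RR2 = RouteReflector("10.0.0.2", "2.2.2.2",
                     clients={"10.0.0.21"}, non_clients={"10.0.0.1"})


def trace():
    """Client 10.0.0.11 announces a prefix; follow it RR1 -> RR2 -> back to RR1."""
    hop1 = RR1.receive(Route("192.0.2.0/24"), from_peer="10.0.0.11")
    hop2 = RR2.receive(hop1["10.0.0.2"], from_peer="10.0.0.1")
    # If a client of RR2 were wrongly also peered with RR1, the route would
    # come back carrying RR1's own Cluster ID and must be dropped.
    back = RR1.receive(hop2["10.0.0.21"], from_peer="10.0.0.2")
    return hop1, hop2, back


if __name__ == "__main__":
    for step in trace():
        print(step)
```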

  • 61 v1.061

    RR Design

    • Divide the AS into multiple clusters
    o At least one RR and few clients in a cluster
    o Could have more than one RR in a cluster for redundancy
    ▸ NOT recommended!

    • Peering between clients in a cluster not necessary (but could be)
    o The RR reflects routes between them

    • RRs in different clusters must be fully meshed with each other and with any iBGP router that’s not a part of any cluster

  • 62 v1.062

    RR example

    • RR configuration

    router bgp 17821
     neighbor 2406:6400:2 remote-as 17821
     neighbor 2406:6400:2 route-reflector-client
     neighbor 2406:6400:3 remote-as 17821
     neighbor 2406:6400:3 route-reflector-client
     neighbor 2406:6400:4 remote-as 17821
     neighbor 2406:6400:4 route-reflector-client

    • RR Client config

    router bgp 17821
     neighbor 2406:6400:1 remote-as 17821

    Only peers with the RR

  • 63 v1.063

    RR Selection

    • Best practice is to follow the physical topology

    o Ensures traffic forwarding paths won't be affected

    o Prevents routing loops

    [Figure: route reflectors RR - C and RR - D, routers A and B, and E – client to both RRs; addresses 2406:6400:A8::1, 2406:6400:B8::1 and 2400:6400:C8::/64; marked LOOP!]

  • 64 v1.064

    RR Redundancy

    • Most ISP networks would overlay two clusters
    o Each client peers with RRs in different clusters (same POP) for redundancy (NEVER two RRs in the same cluster!)
    o All RRs fully-meshed!
    o Can have full-mesh between clients in the same cluster

    router bgp 17821
     bgp cluster-id 1.1.1.1

    [Figure: AS 17821 with Cluster 1 and Cluster 2, route reflectors (RR1, RR2), router A and AS 65000; labels X and CLUSTER_LIST]

  • 6565 v1.0

    IXP & Routing Tutorial – Policy Control

    WEBINAR COURSE

  • 66 v1.066

    Influence Path Selection – Policy Control

    [Figure labels: Local Router, Peer, Inbound updates, Route-map, Filter-list, Prefix-list, BGP Table, Best Paths, Routing Table, Outbound updates (best paths)]

  • 67 v1.067

    Policy Tools

    • Prefix-list
    o To filter routes/prefixes
    ▸ More granularity than as-path filters

    • Filter-list
    o To filter based on AS-path
    o To apply AS-path ACLs

    • Route-map
    o modify attributes based on condition matches

  • 68 v1.068

    Path control - Attributes

    • Inbound Traffic:
    o AS-Path, MED, Community

    • Outbound Traffic:
    o Local Preference

  • 69 v1.069

    Prefix List

    ip prefix-list name/num [seq#] permit | deny prefix/length [ge value] [le value]

    • Ex 1:

    ip prefix-list TEST permit 0.0.0.0/0 ge 8 le 24

    – Allows any prefix with prefix length between 8 and 24
    – Implicit DENY at the end!

    • Ex 2:

    ipv6 prefix-list TEST-v6 permit 2406:6400::/32 le 48

    – Permit the prefix 2406:6400::/32 up to /48
    – Implicit DENY at the end!

  • 70 v1.070

    Prefix List

    • Ex 3:

    – Deny default route

    ip prefix-list TEST deny 0.0.0.0/0

    • Ex 4:

    – Deny IPv6 default routes

    ipv6 prefix-list TEST-v6 deny ::/0

  • 71 v1.071

    Prefix List

    router bgp 17821
     network 100.100.0.0 mask 255.255.224.0
     neighbor 20.20.20.1 remote-as 20
     neighbor 20.20.20.1 prefix-list MY-PREFIX out
     neighbor 20.20.20.1 prefix-list PEER-PREFIX in
    !
    ip prefix-list MY-PREFIX permit 100.100.0.0/19
    ip prefix-list MY-PREFIX deny 0.0.0.0/0 le 32
    !
    ip prefix-list PEER-PREFIX permit 200.200.0.0/16
    ip prefix-list PEER-PREFIX deny 0.0.0.0/0 le 32
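The ge/le matching and the implicit deny in the prefix-list slides can be checked offline before a filter is applied to a neighbor. This is an added example, not part of the original slides: the function names are hypothetical, the lists are the ones shown in the slides, and the test routes are constructed. It models IOS matching semantics: without ge/le the length must match exactly, ge alone extends to the maximum length, le alone starts at the entry's own length.

```python
import ipaddress


def parse_entry(text):
    """Parse 'permit|deny prefix/len [ge N] [le N]' into (action, net, lo, hi)."""
    tokens = text.split()
    action, net = tokens[0], ipaddress.ip_network(tokens[1])
    if action not in ("permit", "deny"):
        raise ValueError("unknown action in %r" % text)
    opts = dict(zip(tokens[2::2], tokens[3::2]))
    if set(opts) - {"ge", "le"}:
        raise ValueError("unknown keyword in %r" % text)
    ge = int(opts["ge"]) if "ge" in opts else None
    le = int(opts["le"]) if "le" in opts else None
    if ge is None and le is None:
        lo = hi = net.prefixlen              # exact length only
    else:
        lo = ge if ge is not None else net.prefixlen
        hi = le if le is not None else net.max_prefixlen
    return action, net, lo, hi


def evaluate(prefix_list, route):
    """First matching entry wins; return (action, matching entry text)."""
    route = ipaddress.ip_network(route)
    for text in prefix_list:
        action, net, lo, hi = parse_entry(text)
        if (route.version == net.version
                and lo <= route.prefixlen <= hi
                and route.prefixlen >= net.prefixlen
                and route.subnet_of(net)):
            return action, text
    return "deny", "implicit deny"


# Prefix-lists exactly as shown in the slides.
TEST = ["permit 0.0.0.0/0 ge 8 le 24"]
TEST_V6 = ["permit 2406:6400::/32 le 48"]
MY_PREFIX = ["permit 100.100.0.0/19", "deny 0.0.0.0/0 le 32"]
PEER_PREFIX = ["permit 200.200.0.0/16", "deny 0.0.0.0/0 le 32"]

if __name__ == "__main__":
    # Constructed routes, including more-specifics that the filters must reject.
    for name, plist, route in [
        ("TEST", TEST, "10.0.0.0/8"),
        ("TEST", TEST, "192.168.1.128/25"),
        ("TEST-v6", TEST_V6, "2406:6400:100::/48"),
        ("TEST-v6", TEST_V6, "2406:6400::/64"),
        ("MY-PREFIX", MY_PREFIX, "100.100.8.0/21"),
        ("PEER-PREFIX", PEER_PREFIX, "200.200.1.0/24"),
    ]:
        print(name, route, evaluate(plist, route))
```

The PEER-PREFIX result for 200.200.1.0/24 shows that an entry without ge/le does not accept more-specifics of the permitted /16.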

  • 72 v1.072

    AS-path ACL

    • AS-path access lists use regular expressions

    .    Matches any one character
    *    Matches any sequence of pattern before *
    +    match at least one preceding expression
    ^    beginning with
    $    ending with
    _    matches start, end, space, comma, braces

    ip as-path access-list num [permit|deny] regex

  • 73 v1.073

    AS-path ACL

    • Example regular expressions:

    ^$           locally originated routes
    _100$        originated by AS 100
    _100_200_    passing through 100 and 200
    ^(_100)+$    originated by 100, multiple occurrence

    • Example 1:

    ip as-path access-list 10 permit ^100$

    – Allow any prefix originated and received from AS100
    – Implicit DENY at the end

    • Use filter-list to apply AS-PATH access-lists

  • 74 v1.074

    AS-path ACL

    router bgp 17821
     network 100.100.0.0 mask 255.255.224.0
     neighbor 30.30.30.1 remote-as 30
     neighbor 30.30.30.1 filter-list 30 out
     neighbor 30.30.30.1 filter-list 40 in
    !
    ip as-path access-list 30 permit ^$
    ip as-path access-list 40 permit ^30$
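The AS-path regular expressions in these slides can be tested against sample paths before they go into a filter-list. This is an added example, not part of the original slides: it translates the `_` metacharacter into a Python regex using the definition given in the slides (start, end, space, comma, braces), the function names are hypothetical, and the AS paths are constructed. It assumes `_` does not appear inside a bracket expression.

```python
import re

# "_" as defined in the slides: start, end, space, comma or braces.
UNDERSCORE = r"(?:^|$|[ ,{}])"


def to_python_regex(cisco_regex):
    """Translate an IOS-style AS-path regex into a compiled Python regex."""
    return re.compile(cisco_regex.replace("_", UNDERSCORE))


def as_path_acl(entries, as_path):
    """entries: list of (action, regex). First match wins, implicit deny at the end."""
    for action, pattern in entries:
        if to_python_regex(pattern).search(as_path):
            return action
    return "deny"


# Access lists from the slides.
ACL_10 = [("permit", "^100$")]   # originated by and received from AS100
ACL_30 = [("permit", "^$")]      # outbound: only locally originated routes
ACL_40 = [("permit", "^30$")]    # inbound: only routes originated by the peer AS30


def examples():
    """Evaluate the slide patterns against constructed AS paths."""
    return {
        "local route out": as_path_acl(ACL_30, ""),
        "transit route out": as_path_acl(ACL_30, "30 64500"),
        "AS30 own route in": as_path_acl(ACL_40, "30"),
        "AS30 customer route in": as_path_acl(ACL_40, "30 64500"),
        "_100$ on '300 200 100'": as_path_acl([("permit", "_100$")], "300 200 100"),
        # The "_" boundary is what stops AS 2100 being mistaken for AS 100.
        "_100$ on '300 2100'": as_path_acl([("permit", "_100$")], "300 2100"),
        "100$ on '300 2100'": as_path_acl([("permit", "100$")], "300 2100"),
        "_100_200_ on '50 100 200 30'": as_path_acl([("permit", "_100_200_")], "50 100 200 30"),
        "^(_100)+$ on '100 100 100'": as_path_acl([("permit", "^(_100)+$")], "100 100 100"),
        "^(_100)+$ on '100 200'": as_path_acl([("permit", "^(_100)+$")], "100 200"),
    }


if __name__ == "__main__":
    for label, result in examples().items():
        print("%-32s %s" % (label, result))
```

The pair of results for `_100$` and `100$` on the path `300 2100` shows why the leading `_` matters: without it the filter also accepts routes originated by AS 2100.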

  • 75 v1.075

    Route Map

    • Default is permit
    o Implicit DENY at the end!

    route-map name [permit | deny] [sequence]

    If {(A or B or C) and D} match
      Then {set X and Y}
    ElseIf E matches
      Then set Z
    Else (for everything else)
      Do/set nothing

    route-map TEST permit 10
     match A B C
     match D
     set X
     set Y
    !
    route-map TEST permit 20
     match E
     set Z
    !
    route-map TEST permit 30

  • 76 v1.076

    Match (conditions) & Set (actions)

    Command             Description
    match community     BGP community tag
    match as-path       AS-path access list
    match ip address    Access list or prefix-list

    Command                 Description
    set as-path             Modify AS-path
    set community           Apply BGP community tag
    set metric              Modify MED
    set local-preference    Modify local preference

  • 77 v1.077

    Route Map

    router bgp 17821
     neighbor 30.30.30.1 remote-as 30
     neighbor 30.30.30.1 route-map AS-OUT out
     neighbor 30.30.30.1 route-map LP-IN in
    !
    route-map AS-OUT permit 10
     set as-path prepend 17821 17821 17821
    !
    route-map LP-IN permit 10
     match as-path 1
     set local-preference 150
    !
    route-map LP-IN permit 20
    !
    ip as-path access-list 1 permit _30$

  • 78 v1.078

    Route Map

    • Setting and Matching communities:

    router bgp 17821
     network 100.100.0.0 mask 255.255.224.0 route-map SET-AGG
     neighbor 20.20.20.1 remote-as 20
     neighbor 20.20.20.1 send-community
     neighbor 20.20.20.1 route-map TR-IN in
    !
    route-map SET-AGG permit 10
     set community 100:1000
    !
    route-map TR-IN permit 10
     match community 5
     set local-preference 150
    !
    route-map TR-IN permit 20
    !
    ip community-list 5 permit 20:3000
    ip community-list 5 permit 20:4000

  • 79 v1.079

    Applying Policy Filters

    • Incoming/Outgoing updates are filtered through policies
    o BGP table does not contain routes rejected by policies

    • Whenever there is a BGP policy change, we need to
    o Trigger an update to force in/outbound routes through the new filters (else only the ones already in BGP table)
    o either through a Hard Reset or a Soft Reset (Route Refresh)

    • If the filter is applied to:
    o Outbound routes: need to resend its BGP table through the filter
    o Inbound routes: need its neighbors to resend their BGP tables

  • 80 v1.080

    Hard Reset

    • Hard reset of a BGP session
    o Tears down the TCP connection
    o Re-establish the TCP session
    o Resend the BGP table to neighbors affected by the reset
    o Relearn all routes from neighbors
    o Disrupts network connectivity
    ▸ Same as a router reboot!

    clear ip bgp *
    clear ip bgp
    clear bgp ipv6 unicast *
    clear bgp ipv6 unicast

  • 81 v1.081

    Route Refresh

    • Route refresh (soft reset) does not tear down BGP session
    o Not disruptive!

    • No manual configuration required
    o Negotiated automatically
    o Peering routers need to support route refresh

    sh ip bgp neighbor
    sh ip bgp all neighbors
    sh bgp ipv6 unicast neighbors

    Neighbor capabilities:
      Route refresh: advertised and received

  • 82 v1.082

    Route Refresh

    clear ip bgp [soft] in
    clear bgp ipv6 unicast [soft] in

    o Tells neighbor to resend its BGP table

    clear ip bgp [soft] out
    clear bgp ipv6 unicast [soft] out

    o Resends full BGP table to its neighbor

  • 83 v1.083

    Soft Reconfiguration

    • All current routers should support route refresh
    o If the router (local or peer) does not have route refresh capability, use soft-reconfiguration

    • With soft-reconfiguration, the router stores a copy of the received routes in addition to the BGP table (allowed by policy filters)
    o Thus, requires additional memory!

  • 8484 v1.0

    IXP & Routing Tutorial – Introduction of Route Servers

    WEBINAR COURSE

  • 85 v1.085

    What is a Route Server?

    • A route server lets Internet exchange (IX) operators provide an alternative to full eBGP mesh peering among the service providers who have a presence at the IXP.

    • Also:
    o Announces routes to participating IXP members according to their routing policy definitions

  • 86 v1.086

    Features of a Route Server

    • Helps scale routing for large IXPs

    • Simplifies Routing Processes on ISP Routers

    • Optional participation
    o Provided as service, is NOT mandatory

    • Optionally uses Policy registered in IRR

  • 87 v1.087

    Diagram of N-squared Peering Mesh

    • For large IXPs (dozens of participants) maintaining a larger peering mesh becomes cumbersome and often too hard

  • 88 v1.088

    Peering Mesh with Route Servers

    • ISP routers peer with the Route Servers
    – Only need to have two eBGP sessions rather than N

    [Figure: ISP routers peering with two route servers (RS)]

  • 89 v1.089

    RS based Exchange Point Routing Flow

    [Figure: exchange point with a route server (RS), showing TRAFFIC FLOW and ROUTING INFORMATION FLOW]

  • 90 v1.090

    Advantages of Using a Route Server

    • Helps scale Routing for very large IXPs

    • Separation of Routing and Forwarding

    • Simplify Routing Configuration Management on ISPs routers


  • 91 v1.091

    Disadvantages of using a Route Server

    • ISPs can lose direct policy control
    o If RS is only peer, ISPs have no control over who their prefixes are distributed to
    ▸ Some IXPs provide community based filtering option

    • Completely dependent on 3rd party
    o Configuration, troubleshooting, etc…

  • 92 v1.092

    Typical usage of a Route Server

    • Route Servers may be provided as an OPTIONAL service
    o Most common at large IXPs (>50 participants)
    o Examples: LINX, HKIX, AMS-IX, etc

    • ISPs peer:
    o Directly with significant peers
    o With Route Server for the rest

  • 93 v1.093

    Things to think about...

    • Would using a route server benefit you?
    o Avoids having to maintain a large number of eBGP peers
    o But can you afford to lose policy control? (An ISP not in control of their routing policy is what?)

  • 9494 v1.0

    IXP & Routing Tutorial – Multihoming Techniques

    WEBINAR COURSE

  • 95 v1.095

    ISP Hierarchy

    [Figure: ISP hierarchy with Tier-1 ISPs, Regional ISPs, Access ISPs and IXPs]

    Source: Philip Smith “Introduction to Internet”

  • 96 v1.096

    Exchanging Routes

    • Pay someone to advertise your networks
    o TRANSIT
    o Make sure they have good onward peering/transit!

    • Interconnect with other ASes to exchange locally originated routes and traffic
    o PEERING
    o Private Peering
    ▸ Between two ASes
    o Public Peering
    ▸ at an IXP (domestic/global)

  • 97 v1.097

    Achieving Redundancy

    • More than one path to the same ISP
    – Dual-homed

    [Figure: YOU connected to ISP, shown Single-homed and Dual-homed]

  • 98 v1.098

    Achieving Redundancy – Multihoming

    • More than one upstream ISP
    – Multi-homed

    [Figure: YOU connected to ISP1 and ISP2]

  • 99 v1.099

    Multihoming

    • One upstream and local peering

    [Figure: You, ISP-A (Transit) to the Internet, and a Local Peer (Peering)]

  • 100 v1.0100

    Multihoming

    • More than one upstream ISP and local peering

    [Figure: You, ISP-A and ISP-B (Transit) to the Internet, and a Local Peer (Peering)]

  • 101 v1.0101

    Multihoming

    • More than one upstream ISP with local and public peering

    [Figure: You, ISP-A and ISP-B (Transit) to the Internet, a Local Peer (Peering) and an IXP (Peering)]

  • 102 v1.0102

    Recap: Path control Attributes

    • Inbound Traffic:
    o AS-PATH, MED, Community (sub-aggregates/more specifics)

    • Outbound Traffic:
    o Local Preference

  • 103 v1.0103

    Two Upstream – One backup

    • We want:
      o Both incoming and outgoing traffic via AS20 (R1)
      o AS30 (R2) path to be used only if the link to AS20 fails

    • AS-PATH to control incoming traffic
      o Prepend outbound on R2

    • LOCAL-PREF for outgoing traffic
      o Higher LP for inbound routes on R1

    [Figure: AS 17821 with R1 (Primary) to AS 20 and R2 (Backup) to AS 30, both reaching the Internet]

  • 104 v1.0104

    Two Upstream – One backup

    • Always announce the aggregate on both links!

    • R1 (main link) config:

    router bgp 17821
     ! Advertise aggregate
     network 61.45.248.0 mask 255.255.248.0
     neighbor 20.20.20.1 remote-as 20
     ! Prefix-list applied to outbound routes
     neighbor 20.20.20.1 prefix-list AGGR out
     ! Prefix-list applied to inbound routes
     neighbor 20.20.20.1 prefix-list DEF in
    !
    ! Define the prefix-lists
    ip prefix-list AGGR permit 61.45.248.0/21
    ip prefix-list DEF permit 0.0.0.0/0
    !
    ! Aggregate should exist in the routing table (pull-up route)
    ip route 61.45.248.0 255.255.248.0 null0

  • 105 v1.0105

    Two Upstream – One backup

    • R2 (backup) config:

    router bgp 17821
     ! Advertise aggregate in BGP
     network 61.45.248.0 mask 255.255.248.0
     neighbor 30.30.30.1 remote-as 30
     neighbor 30.30.30.1 prefix-list AGGR out
     ! Route-map applied to outbound routes
     neighbor 30.30.30.1 route-map BACKUP-OUT out
     neighbor 30.30.30.1 prefix-list DEF in
     ! Route-map applied to inbound routes
     neighbor 30.30.30.1 route-map BACKUP-IN in
    !
    ! Define the prefix-lists
    ip prefix-list AGGR permit 61.45.248.0/21
    ip prefix-list DEF permit 0.0.0.0/0
    !
    ip route 61.45.248.0 255.255.248.0 null0
    !
    ! BACKUP-OUT prepends the AS-PATH for all outbound BGP updates
    route-map BACKUP-OUT permit 10
     set as-path prepend 17821 17821 17821
    !
    ! BACKUP-IN sets lower local pref for all inbound BGP updates
    route-map BACKUP-IN permit 10
     set local-preference 80

  • 106 v1.0106

    Two Upstream – Load Sharing (Inbound Traffic)

    • Load share incoming and outgoing traffic on the two links

    • Announce one sub-aggregate (one half of the block) on the first link, and the other half on the second link
      o Always announce the aggregate on both!

    • Requires good address planning
      o Customers need to be assigned from both address blocks

    [Figure: AS 17821 load sharing via R1 to AS 20 and R2 to AS 30, both reaching the Internet]

  • 107 v1.0107

    Two Upstream – Load Sharing (Inbound Traffic)

    • R1 config:

    router bgp 17821
     ! Advertise both aggregate and first sub-prefix in BGP
     network 61.45.248.0 mask 255.255.248.0
     network 61.45.248.0 mask 255.255.252.0
     neighbor 20.20.20.1 remote-as 20
     ! Advertise sub-aggregate along with the aggregate
     neighbor 20.20.20.1 prefix-list SUB-A out
     neighbor 20.20.20.1 prefix-list DEF in
    !
    ip prefix-list SUB-A permit 61.45.248.0/21
    ip prefix-list SUB-A permit 61.45.248.0/22
    ip prefix-list DEF permit 0.0.0.0/0
    !
    ip route 61.45.248.0 255.255.248.0 null0
    ! Sub-aggregate should exist in the routing table (pull-up route)
    ip route 61.45.248.0 255.255.252.0 null0

  • 108 v1.0108

    Two Upstream – Load Sharing (Inbound Traffic)

    • R2 config:

    router bgp 17821
     ! Advertise both aggregate and second sub-prefix in BGP
     network 61.45.248.0 mask 255.255.248.0
     network 61.45.252.0 mask 255.255.252.0
     neighbor 30.30.30.1 remote-as 30
     ! Advertise sub-aggregate along with the aggregate
     neighbor 30.30.30.1 prefix-list SUB-B out
     neighbor 30.30.30.1 prefix-list DEF in
    !
    ip prefix-list SUB-B permit 61.45.248.0/21
    ip prefix-list SUB-B permit 61.45.252.0/22
    ip prefix-list DEF permit 0.0.0.0/0
    !
    ip route 61.45.248.0 255.255.248.0 null0
    ! Sub-aggregate should exist in the routing table (pull-up route)
    ip route 61.45.252.0 255.255.252.0 null0
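A consistency check for the two load-sharing configs above, as an added example that is not part of the original slides: it confirms that each router announces only prefixes inside the aggregate, that every announced prefix has a network statement and a null0 pull-up route, that the aggregate goes out on both links, and that the sub-aggregates are non-overlapping halves. The function names `parse` and `check` are assumptions of this sketch.

```python
import ipaddress
import itertools
import re

# Constructed input: the relevant lines of the R1 and R2 configs above.
R1 = """network 61.45.248.0 mask 255.255.248.0
network 61.45.248.0 mask 255.255.252.0
neighbor 20.20.20.1 prefix-list SUB-A out
ip prefix-list SUB-A permit 61.45.248.0/21
ip prefix-list SUB-A permit 61.45.248.0/22
ip route 61.45.248.0 255.255.248.0 null0
ip route 61.45.248.0 255.255.252.0 null0"""
R2 = """network 61.45.248.0 mask 255.255.248.0
network 61.45.252.0 mask 255.255.252.0
neighbor 30.30.30.1 prefix-list SUB-B out
ip prefix-list SUB-B permit 61.45.248.0/21
ip prefix-list SUB-B permit 61.45.252.0/22
ip route 61.45.248.0 255.255.248.0 null0
ip route 61.45.252.0 255.255.252.0 null0"""

def parse(cfg):
    """Return (network statements, outbound prefix-list permits, null0 routes)."""
    net = lambda pair: ipaddress.ip_network("/".join(pair))
    out_lists = set(re.findall(r"prefix-list (\S+) out", cfg))
    networks = set(map(net, re.findall(r"network (\S+) mask (\S+)", cfg)))
    pulls = set(map(net, re.findall(r"ip route (\S+) (\S+) null0", cfg)))
    permits = {ipaddress.ip_network(p) for name, p in
               re.findall(r"ip prefix-list (\S+) permit (\S+)", cfg) if name in out_lists}
    return networks, permits, pulls

def check(aggregate, *configs):
    """Return a list of problems; an empty list means the plan is consistent."""
    agg, problems, subs = ipaddress.ip_network(aggregate), [], []
    for i, cfg in enumerate(configs, 1):
        networks, permits, pulls = parse(cfg)
        if agg not in permits:
            problems.append(f"R{i}: aggregate {agg} not announced")
        for p in sorted(permits):
            if not p.subnet_of(agg):
                problems.append(f"R{i}: {p} is outside {agg}")
            for have, what in ((networks, "network statement"), (pulls, "null0 route")):
                if p not in have:
                    problems.append(f"R{i}: {p} has no {what}")
        subs += [p for p in permits if p != agg]
    if any(a.overlaps(b) for a, b in itertools.combinations(subs, 2)):
        problems.append("sub-aggregates overlap between links")
    if list(ipaddress.collapse_addresses(subs)) != [agg]:
        problems.append("sub-aggregates do not cover the aggregate")
    return problems
```

`check("61.45.248.0/21", R1, R2)` returns an empty list for the slide configs; a prefix-list entry outside the /21 or a missing pull-up route shows up as a named problem.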

  • 109 v1.0109

    Load Sharing – Outbound (Full)

    • What about outbound traffic load balancing?

    • Case I: Full Internet routes (more memory/CPU)
      o Accept full routes from both (AS20 and AS30)
      o For routes from AS30 (R2)
        ▸ Higher local pref for prefixes originated by AS30 and its immediate neighbors (one AS hop away) – traffic goes via AS30
        ▸ Lower local pref for all other routes (lower than 100) – traffic to these goes via AS20
      o For routes learned from AS20 (R1)
        ▸ Default local pref

  • 110 v1.0110

    Load Sharing – Outbound (Full)

    [Figure: topology with AS 17821 (R1, R2), AS 20, AS 30, AS X, Internet and Rest of the Internet]

  • 111 v1.0111

    Load Sharing – Outbound (Full)

    • R1 configuration: nothing doing

    router bgp 17821
     neighbor 20.20.20.1 remote-as 20
     ! Accept full internet feed (default local-pref)
     neighbor 20.20.20.1 prefix-list ALL in
    !
    ip prefix-list ALL permit 0.0.0.0/0 le 32
    !

  • 112 v1.0112

    Load Sharing – Outbound (Full)

    • R2 config:

    router bgp 17821
     neighbor 30.30.30.1 remote-as 30
     ! Accept full internet feed
     neighbor 30.30.30.1 prefix-list ALL in
     neighbor 30.30.30.1 route-map TWO-HOPS in
    !
    ip prefix-list ALL permit 0.0.0.0/0 le 32
    !
    ! Accept routes local to and received from AS30 (AS-path prepend included)
    ip as-path access-list 30 permit ^(30_)+$
    ! Received from AS30 but AS-PATH length of two (its neighbor ASes)
    ip as-path access-list 30 permit ^(30_)+_[0-9]+$
    !
    ! High-pref AS30 and its neighbor AS originated routes
    route-map TWO-HOPS permit 10
     match as-path 30
     set local-preference 150
    ! Low-pref everything else
    route-map TWO-HOPS permit 20
     set local-preference 50
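How the R1 and R2 configs above split outbound traffic, as an added example that is not code from the slides: it applies the stated intent of as-path access-list 30 to AS paths received on R2, assigns the local preference TWO-HOPS would set, and picks the exit by highest local preference and then shortest AS path (only the first steps of BGP best-path selection). The function names, the sample prefixes and every AS number other than 20 and 30 are constructed.

```python
DEFAULT_LOCAL_PREF = 100   # R1 leaves routes from AS20 at the default

def matches_acl_30(as_path):
    """Intent of as-path access-list 30: one or more 30s (prepends included),
    optionally followed by exactly one more AS (a direct neighbor of AS30)."""
    i = 0
    while i < len(as_path) and as_path[i] == 30:
        i += 1
    return i >= 1 and len(as_path) - i <= 1

def two_hops_local_pref(as_path):
    """Local preference that route-map TWO-HOPS sets on R2."""
    return 150 if matches_acl_30(as_path) else 50

def best_exit(path_via_r1, path_via_r2):
    """Pick the exit router; a path of None means the route is not learned there."""
    candidates = []
    if path_via_r1 is not None:
        candidates.append((DEFAULT_LOCAL_PREF, -len(path_via_r1), "R1"))
    if path_via_r2 is not None:
        candidates.append((two_hops_local_pref(path_via_r2), -len(path_via_r2), "R2"))
    return max(candidates)[2] if candidates else None

# Constructed sample routes: prefix -> (AS path seen on R1, AS path seen on R2)
SAMPLE = {
    "198.51.100.0/24": ([20, 30], [30, 30]),              # originated by AS30, prepended
    "203.0.113.0/24": ([20, 64496, 64500], [30, 64500]),  # originated by a neighbor of AS30
    "192.0.2.0/24": ([20, 64497], [30, 64500, 64497]),    # two hops beyond AS30
}

def exits(routes=SAMPLE):
    """Map each prefix to the router its outbound traffic leaves through."""
    return {prefix: best_exit(r1, r2) for prefix, (r1, r2) in routes.items()}
```

Passing `None` for the R1 path models the AS20 link failing: the low-preference route via R2 is then the only candidate and is still used.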

  • 113 v1.0113

    Load Sharing – Outbound (Partial)

    • Partial Routes – less HW resources!

    • Case II: Partial Internet routes
      o Accept default from AS20
      o Default and full from AS30 (better connected than AS20)
      o Filter to only accept prefixes originated by AS30 and its neighbor ASes (AS-Path ACLs)
        ▸ Higher pref those routes
        ▸ Low pref the default route
        ▸ so that traffic to these goes via AS20
      o Traffic to rest of Internet via AS 20

  • 114 v1.0114

    Load Sharing – Outbound (Partial)

    [Figure: topology with AS 17821 (R1, R2), AS 20, AS 30, AS X, Internet and Rest of the Internet]

  • 115 v1.0115

    Load Sharing – Outbound (Partial)

    • R1 configuration:

    router bgp 17821
     neighbor 20.20.20.1 remote-as 20
     neighbor 20.20.20.1 prefix-list DEF in
    !
    ip prefix-list DEF permit 0.0.0.0/0
    !

  • 116 v1.0116

    Load Sharing – Outbound (Partial)

    • R2 config:

    router bgp 17821
     neighbor 30.30.30.1 remote-as 30
     ! Filter inbound routes with AS-PATH ACL using filter-list
     neighbor 30.30.30.1 filter-list 30 in
     ! Accept full internet feed
     neighbor 30.30.30.1 prefix-list ALL in
     neighbor 30.30.30.1 route-map DEF-LOW in
    !
    ! Purely for redundancy (if path via AS 20 fails)
    ip prefix-list DEF permit 0.0.0.0/0
    !
    ip prefix-list ALL permit 0.0.0.0/0 le 32
    !
    ! Accept routes local to and received from AS30 (AS-path prepend included)
    ip as-path access-list 30 permit ^(30_)+$
    ! Received from AS30 but AS-PATH length of two (its neighbor ASes)
    ip as-path access-list 30 permit ^(30_)+_[0-9]+$
    !
    ! Low-pref default route
    route-map DEF-LOW permit 10
     match ip address prefix-list DEF
     set local-preference 90
    route-map DEF-LOW permit 20

  • 117 v1.0117

    Using Communities

    • Community attribute provides greater flexibility for traffic shaping than prefix-list
      o Simplifies BGP configuration
      o Greater policy control

    • Not sent by default to BGP peers
      o Explicitly send (neighbor x.x.x.x send-community)

    • Can carry policy information
      o Example:
        ▸ ASN:80 (set local-pref 80)
        ▸ ASN:1 (set as-path prepend ASN)
        ▸ ASN:888 (set ip next-hop 192.0.2.1 – Cymru bogons)

  • 118 v1.0118

    Route Server Policy

    0:(IXP-AS)          Do not announce prefixes to all peers
    0:(PEER-AS)         Do not announce prefixes to a certain peer
    (IX-AS):(PEER-AS)   Advertise to a certain peer
    (IX-AS):(IX-AS)     Advertise prefixes to all peers

  • 119 v1.0119

    Setting Communities

    router bgp 17821
     neighbor 20.20.20.1 remote-as 20
     neighbor 20.20.20.1 send-community
     !
     address-family ipv4 unicast
      network 61.45.248.0 mask 255.255.248.0 route-map SET-COMM-AGG
      network 61.45.248.0 mask 255.255.254.0 route-map SET-COMM-4G
      network 61.45.250.0 mask 255.255.254.0 route-map SET-COMM-BB
      network 61.45.252.0 mask 255.255.254.0 route-map SET-COMM-ENT
      network 61.45.254.0 mask 255.255.254.0 route-map SET-COMM-CORP
    !
    ip route 61.45.248.0 255.255.248.0 null0
    ip route 61.45.248.0 255.255.254.0 null0 254
    ip route 61.45.250.0 255.255.254.0 null0 254
    ip route 61.45.252.0 255.255.254.0 null0 254
    ip route 61.45.254.0 255.255.254.0 null0 254
    !

  • 120 v1.0120

    Setting Communities

    !
    route-map SET-COMM-AGG permit 10
     set community 17821:1000
    !
    route-map SET-COMM-4G permit 10
     set community 17821:1101
    !
    route-map SET-COMM-BB permit 10
     set community 17821:1102
    !
    route-map SET-COMM-ENT permit 10
     set community 17821:1103
    !
    route-map SET-COMM-CORP permit 10
     set community 17821:1104
    !

  • 121 v1.0121

    Grouping Communities

    • We can group communities together using community-list:

    !
    ip community-list 20 permit 17821:1000
    ip community-list 21 permit 17821:1101
    ip community-list 22 permit 17821:1102
    ip community-list 23 permit 17821:1103
    ip community-list 24 permit 17821:1104
    !

  • 122 v1.0122

    Two Upstream and IXP – using Communities

    [Figure: AS 17821 with R1 and R2 (Transit via AS 20 and AS 30 to the Internet) and R3 (Peering at the IXP with AS111 and AS222)]

  • 123 v1.0123

    Two Upstream and IXP – IX Router

    • R3 (IXP) configuration:
      o For both incoming and outgoing traffic, IXP should be the preferred path!

    router bgp 17821
     ! Define peer-groups for all IX peers
     neighbor IX-PEERS peer-group
     ! Add neighbors to the peer group
     neighbor 12.12.12.111 remote-as 111
     neighbor 12.12.12.111 peer-group IX-PEERS
     neighbor 12.12.12.222 remote-as 222
     neighbor 12.12.12.222 peer-group IX-PEERS
     !
     address-family ipv4
      ! Define common policies applied to all neighbors on the peer-group:
      ! send communities, remove private ASNs
      neighbor IX-PEERS send-community
      neighbor IX-PEERS remove-private-as
      ! Apply inbound and outbound routing policies
      neighbor IX-PEERS route-map IX-IN in
      neighbor IX-PEERS route-map IX-OUT out

  • 124 v1.0124

    Two Upstream and IXP – IX Router

    • R3 (IXP) configuration (contd..):

    !
    ! Define the communities
    ip community-list 20 permit 17821:1000
    ip community-list 21 permit 17821:1101
    ip community-list 22 permit 17821:1102
    ip community-list 23 permit 17821:1103
    ip community-list 24 permit 17821:1104
    !
    ! High-pref routes received from IX peers (outbound traffic via IX)
    ! Define a community for all routes learned via IXP
    route-map IX-IN permit 10
     set local-preference 250
     set community 17821: add
    !
    ! Send all our prefixes (aggregates and sub-aggregates)
    ! Set lower MED for all routes sent to IX peers (inbound traffic via IX)
    route-map IX-OUT permit 10
     match community 20 21 22 23 24
     set metric 10
    !

  • 125 v1.0125

    Two Upstream and IXP – Transit Router

    • For Transit/Upstream:
      o Tier-1 ISPs (or ISPs who are run properly) use communities to group their regional prefixes
      o Filter based on those to shape outbound traffic to Internet!
        ▸ Ex: receive US routes from one ISP, and Europe routes from the other
      o Example:
        ▸ NTT US – 2914:3000
        ▸ NTT Europe – 2914:3200
        ▸ NTT Asia – 2914:3400
        ▸ NTT South America – 2914:3600

  • 126 v1.0126

    Two Upstream and IXP – Transit Router

    • For Inbound traffic:
      o We can use our sub-prefixes to balance incoming traffic
      o Ex: Advertise half of our routes to one, and the other half to the other
        ▸ keep playing until we reach symmetry!
      o But remember to announce the aggregates to both (REDUNDANCY!)

  • 127 v1.0127

    Two Upstream and IXP – TR1

    • R1 configuration:
      o Let us assume NTT (AS2914) as transit here

    router bgp 17821
     neighbor 29.29.29.1 remote-as 2914
     neighbor 29.29.29.1 description eBGP with NTT
     !
     address-family ipv4
      ! Send communities; apply inbound and outbound routing policies
      neighbor 29.29.29.1 send-community
      neighbor 29.29.29.1 route-map NTT-IN in
      neighbor 29.29.29.1 route-map NTT-OUT out
    !
    ! Define communities for NTT global routes
    ! In this example, we will source US and Asia routes from NTT
    ! We want Asia, US and SA routes
    ! US
    ip community-list 1 permit 2914:3000
    ! AS
    ip community-list 1 permit 2914:3400
    ! SA
    ip community-list 1 permit 2914:3600
    ! EU
    ip community-list 2 permit 2914:3200

  • 128 v1.0128

    Two Upstream and IXP – TR1

    • R1 configuration (contd..):

    !
    ! Route-map to influence outbound traffic
    ! Set higher local-pref for US, Asia, and SA routes (outbound traffic); still lower than IX!
    route-map NTT-IN permit 10
     match community 1
     set local-preference 210
    ! Lower local-pref for EU routes (will prefer the second ISP, but available if that link fails)
    route-map NTT-IN permit 20
     match community 2
     set local-preference 50
    route-map NTT-IN permit 40
    !
    ! Route-map to influence inbound traffic
    ! Send our aggregate (in case ISP2 fails) and half of our sub-prefixes
    route-map NTT-OUT permit 10
     match community 20
     match community 21
     match community 22
    !

  • 129 v1.0129

    Two Upstream and IXP – TR2

    • R2 configuration:
      o Let us assume Zayo (AS6461) as transit here

    router bgp 17821
     neighbor 64.64.64.1 remote-as 6461
     neighbor 64.64.64.1 description eBGP with Zayo
     !
     address-family ipv4
      ! Send communities; apply inbound and outbound routing policies
      neighbor 64.64.64.1 send-community
      neighbor 64.64.64.1 route-map ZAYO-IN in
      neighbor 64.64.64.1 route-map ZAYO-OUT out
    !
    ! Define communities for Zayo global routes
    ! In this example, we will source EU routes from Zayo
    ! Zayo Europe routes
    ip community-list 3 permit 6461:5996
    ip community-list 3 permit 6461:5998
    ip community-list 3 permit 6461:5999
    ! Zayo Global routes
    ip community-list 4 permit 6461:5997

  • 130 v1.0130

    Two Upstream and IXP – TR2

    • R2 configuration (contd..):

    !
    ! Route-map to influence outbound traffic
    ! Set higher local-pref for EU routes (outbound traffic); still lower than IX!
    route-map ZAYO-IN permit 10
     match community 3
     set local-preference 210
    ! Lower local-pref for global routes (NTT is preferred, but will work if that link fails)
    route-map ZAYO-IN permit 20
     match community 4
     set local-preference 50
    route-map ZAYO-IN permit 40
    !
    ! Route-map to influence inbound traffic
    ! Send our aggregate (in case ISP1 fails), and the other second-half of our sub-prefixes
    route-map ZAYO-OUT permit 10
     match community 20
     match community 23
     match community 24
    !
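The effect of the community-tagged announcements on inbound traffic, as an added example that is not part of the original slides: it derives what NTT-OUT and ZAYO-OUT announce from the community values above and shows which transit attracts traffic for a destination by longest-prefix match, including the fallback to the aggregate when one link is down. It assumes the three `match community` lines in each outbound route-map act as alternatives, as the slide callouts describe; the function names and test addresses are constructed.

```python
import ipaddress

# Values from the slides: network statement -> community set at origination.
TAGGED = {
    "61.45.248.0/21": "17821:1000",   # aggregate
    "61.45.248.0/23": "17821:1101",   # 4G
    "61.45.250.0/23": "17821:1102",   # BB
    "61.45.252.0/23": "17821:1103",   # ENT
    "61.45.254.0/23": "17821:1104",   # CORP
}
COMMUNITY_LIST = {20: "17821:1000", 21: "17821:1101", 22: "17821:1102",
                  23: "17821:1103", 24: "17821:1104"}
# Community-lists matched by NTT-OUT and ZAYO-OUT (assumed to be alternatives).
ROUTE_MAP_OUT = {"NTT": [20, 21, 22], "ZAYO": [20, 23, 24]}

def announced(upstream):
    """Prefixes the outbound route-map permits; anything unmatched is denied."""
    wanted = {COMMUNITY_LIST[n] for n in ROUTE_MAP_OUT[upstream]}
    return [ipaddress.ip_network(p) for p, c in TAGGED.items() if c in wanted]

def inbound_transit(dest, links_up=("NTT", "ZAYO")):
    """Transit that attracts traffic for dest: the longest matching prefix wins.
    A tie on the aggregate is outside this sketch and resolves to the first
    link listed; None means no announcement covers dest."""
    addr, best = ipaddress.ip_address(dest), None
    for upstream in links_up:
        for prefix in announced(upstream):
            if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, upstream)
    return best[1] if best else None
```

With both links up, a BB address such as 61.45.250.9 arrives via NTT and an ENT address such as 61.45.253.1 via Zayo; with only one link up, the /21 aggregate keeps both reachable through the surviving transit.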

  • 131 v1.0131

    Acknowledgements

    • Philip Smith

    • Cisco Systems

  • 132132 v1.0

    Thank You!

    END OF SESSION
