Who's Online
We have 17 guests and no members online
Products and Services
Home
BGP Tutorials
- Details
- Parent Category: Tutorials
- Hits: 4792
|
|
There are quite often situations when you want to discard inbound BGP updates from your upstreams if there is any private AS (64512 - 65535) in the update.
What is the best way to achieve this? Here is first example:
ip as-path access-list 1 permit _6451[2-9]_
ip as-path access-list 1 permit _645[2-9][0-9]_
ip as-path access-list 1 permit _64[6-9][0-9][0-9]_
ip as-path access-list 1 permit _65[0-4][0-9][0-9]_
ip as-path access-list 1 permit _655[0-2][0-9]_
ip as-path access-list 1 permit _6553[0-5]_
router bgp 1
neighbor 1.1.1.1 remote-as 1
neighbor 1.1.1.1 route-map filter-private-as in
route-map filter-private-as deny 10
match as-path 1
Or an other example:
ip as-path access-list 1 deny _(6451[2-9]|645[2-9][0-9]|64[6-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5])_
ip as-path access-list 1 permit .*
router bgp 1
neighbor 1.1.1.1 remote-as 1
neighbor 1.1.1.1 route-map filter-private-as in
route-map filter-private-as permit 10
match as-path 1
|
|
Note:
We use Hosting and VPS Hosting, from:
www.star-host.org
We like and trust them.
Good prices, high security.
|
- Details
- Parent Category: Tutorials
- Hits: 12023
In this tutorial I'll show you how BGP works. This is made for beginners and people who don't have too much time to consume for reading.
|
|
Transport: TCP port 179
Keepalive: 60 seconds (19 byte packet)
Table version number: increments each time the table changes. Rapid increase could indicate network instability, though this depends on the network size and carrying a full-routing table.
Authentication
Indicated by a 16 byte field (Marker)
OPEN msg does not have auth
Finite State Machine (FSM)
Can move up or remain in it’s current state (for example: from 3 to 3) by default & down or further up only to indicated state #. !# means that state # can’t remain in state 4, it’s limited by a timeout (Ack or Hello timeout).
Idle
Connect - 4
Active - 1
OpenSent - 1, !4
OpenConfirm - 1
Established - 1, !5
Message type
Used to establish a TCP session, FSM state 1 doesn’t generate any messages
OPEN: (2|3)-4
UPDATE: 6-6
NOTIFICATION: (4|5|6)-1
KEEPALIVE: (5|6)-6
FSM events
1-2: Start
2-3: TCP transport connection unsuccesful
(2|3)-4: TCP transport connection succesful
4-5: OPEN msg received from peer and is checked for correctness, start sending KEEPALIVE
5-6: KEEPALIVE received
2-1: Error
3-1: Stop (by operator cmd)
3-2: ConnectRetry timer expired
4-1: Stop | Error (in OPEN msg, hold timer exp, Stop event)
4-3: TCP transport disconnect
5-1: NOTIFICATION received | Stop
6-1: NOTIFICATION received | Stop
Oscillating between Connect (2) and Active (3) means that something is wrong with the TCP transport connection, either retransmits or reachability.
(i|e)BGP neighborship is determined in the OpenSent state (4)
When errors are found in an UPDATE packet, a NOTIFICATION msg is sent to the peer and status goes back to Idle (1)
Attribute & type (learn these by heart!)
ORIGIN: well known, mandatory
AS_PATH: well known, mandatory
NEXT_HOP: well known, mandatory
MULTI_EXIT_DISC: optional, nontransitive (MED)
LOCAL_PREF: well known, discretionary
ATOMIC_AGGREGATE: well known, discretionary
AGGREGATOR: optional, transitive
COMMUNITY: optional, transitive
ORIGINATOR_ID: optional, nontransitive
Cluster List: optional, nontransitive
DPA: Destination Point Attribute for BGP (expired inet draft)
Advertiser: BGP/IDRP Route Server (rfc1863)
RCID_PATH/CLUSTER_ID: BGP/IDRP Route Server (rfc1863)
MP_REACH_NLRI: optional, nontransitive (rfc2283)
MP_UNREACH_NLRI: optional, nontransitive (rfc2283)
Extended Communities: see rfc4360
MP_REACH_NLRI: Multiprotocol Reachable NLRI
MP_UNREACH_NLRI: Multiprotocol Unreachable NLRI
ORIGIN (in order of preference)
i: IGP (iBGP)
e: EGP (eBGP)
?: incomplete (learned from redistribution)
WEIGHT
0 - 65.535
directly-connected = 32.768
locally significant (not exchanged)
Communities (some well known ones, this does mean there are more…)
internet: advertise this route to the internet community (everyone)
no-export: do not advertise to eBGP peers
no-advertise: do not advertise to any peer
local-as: do advertise within the confederation (to other sub-AS’s) but not to other AS’s
Synchronisation
Theory: a BGP router should not advertise via eBGP, destinations learned via iBGP, unless the destinations are also known via an IGP
Practically: if the AS is passing traffic from another AS to a third AS, BGP shouldn’t advertise a route before all routers in the AS have learned about the route via an IGP
Black hole prevention (makes BGP convergence equal or slower than the IGP)
Multi-hop
Only useful for EBGP peers
Network backdoor: Make the IGP the preferred route by setting the (adm) distance of the specific route to 200.
Cisco about backdoor: You can indicate which networks are reachable by using a backdoor route that the border router should use. A backdoor network is treated as a local network, except that it is not advertised.
Administrative distance
external: 20
internal: 200
(local: 200)
Deterministic-med vs. always-compare-med
Deterministic: compare med when choosing routes from iBGP peers
Always-compare-med: compare med when choosing routes from eBGP peers (reorder routing entries by neighbor AS)
NLRI: lenght,prefix
CIDR: prefix/length
|
Regular expressions (Path filters)
. Any single character
^ Matches beginning of any input string
$ Matches the end of any input string
_ Matches a comma(,), braces ({|}), parenthesis ((|)), the beginning or end of the input string, or a space
* Matches 0 or any sequence in a pattern
.* All (any AS path)
^$ empty string (no path info), indicates a local route
Best path selection precess
If next hop is inaccessible then drop
If the path is internal and synchronisation enabled. Is the path in the IGP? No: drop
Prefer largest weight (Cisco specific, weight is not an attribute!)
Prefer largest LOCAL_PREF
Prefer local routes (network, redistribution then aggregate-address) (Cisco specific)
(if eBGP) Prefer shortest AS_PATH
Prefer lowest ORIGIN type (IGP, EGP then incomplete)
Prefer lowest MED (tiebreaker)
Prefer eBGP over iBGP (by means of administrative distance) (Cisco specific)
Prefer closest IGP neighbor (tiebreaker)
Prefer lowest RID neighbor
#6 intricacies
Ignored if “bgp bestpath as-path ignore” is configured
An as_set counts as 1
as_confed_sequence is not included in the AS_PATH length
Peer group
Cisco advice: based on identical outbound announcement policies
Confederation
Uses iBGP inside the confed / sub-AS
Uses eBGP outside the confed / sub-AS
The only exception to the rule of eBGP only to another AS
|
|
Note:
We use Hosting and VPS Hosting, from:
www.star-host.org
We like and trust them.
Good prices, high security.
|