Routing Workshop for Internet Service Providers

Transcription

1 Routing Workshop for Internet Service Providers Cisco Proprietary 1 Introduction feel free to ask questions some material may not be covered (can t do everything) Workshop is CASUAL :-) Cisco Proprietary 2 Introduction Routing Protocols Addressing and CIDR Routing Domains and Autonomous Systems Cisco Proprietary 3 1

2 What Is Routing? Step 1 Build Routing Table A B C Q Z X Routing Information Step 2 Switch packets based on routing table information A B C Q Z X ? User Traffic Cisco Proprietary 4 Protocol Classes Internal Gateway Protocol (IGP) External Gateway Protocol (EGP) Differences IGP - For routing internal to an AS Carries internal routes and BGP next-hop information Example: OSPF, IS-IS, EIGRP, RIP EGP - For routing between ASes Propagates Prefix Information Propagates Policy Information Example: BGP4 Cisco Proprietary 5 Why Do We Need an EGP? Scaling to large network Hierarchy Limit scope of failure Limiting the scope of instability Policy Control reach-ability to prefixes Merge separate organizations Connect multiple IGPs 6 2

3 Interior vs. Exterior Routing Protocols Interior Automatic discovery Generally trust your IGP routers Routes go to all IGP routers Exterior Specifically configured peers Connecting with outside networks Set administrative boundaries 7 What do you need in a Routing Protocol? Select optimal paths and basis for selection should be configurable. Prevent Loops. Converge quickly. Provide mechanisms to support heirarchical implementation. Standards-based Security Efficient use of router resources (CPU, Memory) Scalability (able to map to physical architecture and handle large amount of information) Configuration Extensibility (e.g. Opaque LSA in OSPF, Attributes in BGP) Cisco Proprietary 8 Routing Protocol Characteristics Algorithm Example Traditional Bellman-Ford RIP, IGRP Distance Vector Link State Dijkstra SPF OSPF, IS-IS Advanced Distance Vector Path Vector DUAL Path Selection EIGRP BGP Cisco Proprietary 9 3

4 Link State Z s Link States Flood LSAs, Build Topology Database, Build Routing Table from Topology Database Routing Table Q s Link States Y A B C Q Z X Topology Database X s Link States Cisco Proprietary 10 Traditional Distance Vector A B C Q s Table Q:1 Z s Table A B C A B C Z:1 Y X: X s Table A B C Y s Table Q Z X Routing Information Is Exchanged by Propagating Summarized Information from Each Node Cisco Proprietary 11 Advanced Distance Vector A B C Q s Table Q:1 Z s Table A B C A B C Z:1 Y X: X s Table A B C Y s Table Q Z X A 27 Z 1 Q 5 X B 12 Z Topology Database On Startup, Routing Tables are Exchanged. Routing Table Built Based on Best Paths fromtopology Table. Cisco Proprietary 12 4

5 Route Calculation and Dissemination Route Dissemination Using Routing Protocols OSPF/IS-IS Flooding of LSAs Adjacency establishment Distance Vector (Traditional) Broadcast (RIP 30 secs - entire table) BGP4 TCP Connection to neighbors Delta Advertisements Cisco Proprietary 13 Which Protocol(s) Do I Choose? Selection criteria and considerations: Ease of planning, design, configuration, installation, migration, integration, troubleshooting, debugging Resources and overhead Performance: convergence time Security, policy Required structure/hierarchy, scalability Interoperability Cisco Proprietary 14 Routing Protocol Comparison Feature/Type LS TDV ADV Scalability Good Good Excellent Convergence Fast Slow Fast Memory High Low Moderate CPU High Low Low Configuration Moderate Easy Easy Bandwidth Low High Low Standard Extensibility Hierarchy OSPF/ISIS Yes OSPF Good IS-IS Very Good Good (OSPF) Cisco Proprietary RIP V1& V2 Yes IGRP - Semi- Proprietary RIP V1 & V2, IGRP Restrictive Fair (not structured) EIGRP Proprietary EIGRP - Restrictive Fair (not structured) * Path Vector (PV) not presented since there is no comparative data. 15 5

6 Addressing and Packet Structure Dest. Source Dotted Decimal Notation: Byte1.Byte2.Byte3.Byte4 <--- Most Significant Each Byte has values from 0 to "This Network" Broadcast Examples: Cisco Proprietary 16 Network Masks Notation options: a) > 24-bit Mask b) /24 <- Represents the number of bits to be masked from the beginning of the address. Values of: 255 represent a byte with each bit set to a value of "1" 192 represent a byte with the first two bits set to a value of "1" and the remainder of the bits each set to a value of "0" Contiguous vs. Non-Contiguous Masks Use contiguous masking. Cisco Proprietary 17 IP Network Address(es) IP Address and Mask combination define a range of host addresses. One or more discontiguous net-blocks may exist within a single routing protocol domain. Aggregation permits the definition of multiple levels of abstraction through the use of varying mask lengths. An aggregate can be comprised of multiple contiguous or discontiguous networks. Cisco Proprietary 18 6

7 Uniqueness of Addressing in the Internet Each address/mask pair (also referred to as a Prefix/Mask pair) in the Internet Routing tables MUST BE UNIQUE. Cisco Proprietary 19 Private Addressing and NAT Private Addressing is for Inside the AS ONLY! RFC1918 defines address ranges which are NOT to be announced > > > Network Address Translation (NAT) Cisco Proprietary 20 Reasons for using NAT Customer move from one ISP to another and address space is non-transferable. Private ISP customer wishes to implement private addressing. Cisco Proprietary 21 7

8 Address Allocation Three Regional Addressing Authorities APNIC - Asia-Pacific ARIN - USA, Latin America, Sub-Saharan Africa RIPE - Europe National Authority - typically the national academic network IANA/ICANN Cisco Proprietary 22 What is CIDR? No distinction between different classes of networks. Class A, B, C, etc are no longer relevant. Variable- Length Subnet Masks (VLSMs) are permitted. BGP Version4 for designed for CIDR. OSPF first IGP to allow VLSMs. Group many class C or class B networks in one update (aggregation) Aggreagates can be used and more specific routes can be suppressed, reducing information. See RFC Cisco Proprietary 23 Why CIDR was Introduced? Routing Table Size IP Address Depletion Cisco Proprietary 24 8

9 Classful vs. Classless Addressing Classful Class A - [0] B2. B3. B /8 -> /8 Mask or /8 Class B - [10] B2. B3. B /16 -> /16 Mask or /16 Class C - [110] B2. B3. B /24 -> /24 Mask or /24 Classless No longer any Class Boundaries Variable-Length Subnetting /8 Reserved for Default route /8 Reserved for loopback function. Multi-cast Broadcast Directed/Subnetwork All networks This Network ip subnet-zero Cisco Proprietary 25 Number of Routes in the Internet Today Approximately ~60,000 Routes Source: Tony Bate s CIDR Report http// Cisco Proprietary 26 Internet Routing Table Growth Table Created by Geoff Huston, Telstra, Australia Cisco Proprietary 27 9

10 Routing Protocol Domain Protocol Domain - this term is generally used to describe a set of physically contiguous routers which are running the same routing protocol process (as denoted by their protocol process ID sometimes also called ASN). Cisco Proprietary 28 Autonomous System An Autonomous System is a set of physically contiguous routers managed by the same administrative organization and sharing the same policy (ownership, trust, control). It likely implements multiple routing protocol processes (such as OSPF and BGP for e.g.), to include multiple IGP processes. ASN values are 2 bytes and range from 1 to The range to is reserved for private ASN use. Size and geography can sometimes justify multiple Ases for the same administrative domain. Multiple copies of the same policy must be managed (or different policies). Do you need to create an AS? See RFC Cisco Proprietary 29 Architecture Internet Architecture Points of Presence (POP) Internet Exchange Points and NAPs Backbone Architectures Cisco Proprietary 30 10

11 Old NSFnet Architecture The old NSFnet architecture was based on a single, explicit backbone. 31 Internet Topology and Architecture rapidly increasing complexity more providers and locations increased meshing global providers capital, regulatory, and technical reasons limit the scope of coverage of a single provider many new interconnect points (IXPs) 32 Internet Hierarchy Multi-Homed ISP BGP4 is used to glue the different Autonomous Systems together that form the Internet. 2 Cisco Proprietary 1 CORE Network of Networks (ASes), no explicit backbone

12 Icons Router (layer 3, IP datagram forwarding) ATM or Frame relay switch (layer 2, frame or cell forwarding) 34 Definitions POP - Point of Presence Routing - building a forwarding table Forwarding - switching packets between interfaces Transit - carrying traffic across a network, usually for a fee Peering - exchanging routing information and traffic Default - a next hop indication when no explicit match is in the forwarding table 35 POP Topologies Core routers - high speed trunk connections Distribution/Access routers and Access (specialized such as dial-up, VoIP) routers high port density Connections to customers (ISPs and/or Private) Services (Servers, Web Servers, AAA) Border/Gateway routers - connections to other providers Some functions may be collapsed into a single box Some functions can be handled by switches 36 12

13 Routed POP Architecture Internet Core Routers CORE POP Gateway/Border Router Core Interconnect Distribution Routers REMOTE POP ISP Customer Private Customer Network Access Routers 37 Ring POP Architecture Internet Core Routers CORE POP Gateway/Border Router Core Interconnect Distribution Routers REMOTE POP ISP Customer Private Customer Network Access Routers 38 Switched POP Architecture Internet Core Routers CORE POP Gateway/Border Router Core Interconnect Distribution Routers REMOTE POP ISP Customer Private Customer Network Access Routers 39 13

14 Internet Exchange Points (IXP s) local IXP s - peering point for a group of local/regional providers transit IXP s - connects local providers to backbone (transit) providers hybrid (IXP s) - combines the function of local and transit 40 Internet Exchange Points DS-3 DS-3/OC-3 FDDI Ring DS-3 DS-3 41 Public Interconnect (e.g NAP) Network 1 Network 4 Network 2 Network 5 Network 3 Network 6 each of these represents a border router in a different autonomous system 42 14

15 Public Interconnect Point Centralized (in one facility) Distributed (connected via WAN links) Shared, switched or routed interconnect Router, FDDI, Ethernet, ATM, Frame relay, etc. Much easier if it is homogeneous DMZ Network - typically a network which interconnects various ASes (i.e. IXP members). 43 Default Free Zone The default free zone is made up of Internet routers which have explicit routing information about the rest of the Internet, and therefore do not need to use a default route. 44 Direct (private) Interconnect AS 334 network B border border network A AS

16 Route Server Network 1 Network 4 Network 2 Network 5 Network 3 Network 6 Route Server 46 Route Server Benefits: reduces resource burden on border routers (CPU, memory, configuration complexity) reduces administrative burden on providers Disadvantage: providers must rely on a third party (for configuration, routing software updates, etc ) 47 Network Backbone Topologies Routed backbone HDLC or PPP links between routers Easier routing configuration and debugging 48 16

17 Network Backbone Topologies Switched backbone frame relay or ATM switches in the core, surrounded by routers more complex routing and debugging traffic management 49 Concepts Forwarding Routing Policy Cisco Proprietary 50 Forwarding policies Is the process of receiving the packet on the ingress interface and sending it out the egress interface (filtering etc. included) Packet filtering or queue manipulation Based on individual packet content IP, TCP, UDP headers considerable granularity possible Usually impacts switching performance Typically done at the edge of the network Not the same as routing policy! 51 17

18 Routing - building the table Several alternative paths can exist (in the protocol databases and/or in the routing table as equal-cost paths) Decisions are updated periodically or as topology changes (event driven) Decisions are based on: prefix length* distance* topology metrics (hop count, delay, bandwidth, etc.) policies 52 Routing flow and traffic flow Traffic flow is always in the opposite direction of the flow of routing information filtering outgoing routing information affects traffic flowing in filtering incoming routing information affects traffic flowing out 53 Explicit and Default Routing Explicit Routing All possible routes are in the routing table. Default Routing Packets are forwarded based on a default route because an explicit route for the destination does not exist in the routing table

19 Explicit vs. Default routing (benefits and disadvantages) Default: simple, cheap (cycles, memory, bandwidth) low granularity (metric games) Explicit (default free zone) [full routes from all peers] high overhead, complex, high cost high granularity Hybrid [partial routes and default routes] minimize overhead provide useful granularity requires some filtering knowledge 55 Default Free Zone The default free zone is made up of Internet routers which have explicit routing information about the rest of the Internet, and therefore do not need to use a default route. 56 Ingress Traffic Packets entering your network How packets get to your network and your customers networks (downstream) Ingress traffic depends on: what information you send and to whom based on your addressing and ASs based on others policy (what they accept from you and what they do with it) 57 19

20 Egress Traffic Packets exiting your network this traffic is based on route availability (what others send you) route acceptance (what you accept from others) policy and tuning (what you do with routes from others) Peering and transit agreements (e.g. whom you peer with) 58 Definition of terms Neighbors: AS s which directly exchange routing information Announce: send routing information to a neighbor Accept: receive and use routing information sent by a neighbor Originate: insert routing information into external announcements (usually as a result of the IGP). Peer: a router in a neighbor AS (ebgp) or within your own AS (ibgp) with which routing and policy information is being exchanged. Sometimes synonymous with exchange of routing information without use of defaulting. 59 Routing and packet flow AS 1 accept announce routing flow packet flow routing flow packet flow announce accept AS2 For networks in AS1 and AS2 to communicate:» AS1 must announce to AS2» AS2 must accept from AS1» AS2 must announce to AS1» AS1 must accept from AS

21 Routing policy limitations autonomous systems grouped by g r g color r r g r g r g Internet red traffic flow green packet flow AS99 AS99 uses red link for traffic in red AS s (r) and green link for traffic in green AS s (g) To implement this policy for AS99: accept routes originating in red AS s on red link accept all other routes on green link (no problems) 61 Routing policy limitations (cont d) g r g r r g r g r g AS22 traffic flow Intermediate autonomous systems For packets flowing toward AS 99: Unless AS 22 and all other intermediate AS s cooperate in pushing green traffic (g) to the green link and red traffic (r) to the red link then some reasonable policies cannot be implemented. red green AS99 62 Peering provider A Peering and Transit IXP - East Backbone Provider Transit Across Backbone Provider IXP-West provider B A and B can peer, but need transit arrangements to get packets to/from C provider C 63 21

22 Routing policy with multiple AS s N1 AS 1 AS 34 AS 8 N16 AS16 For net N1 in AS1 to send traffic to net N16 in AS16: AS16 must originate and announce N16 to AS8. AS8 must accept N16 from AS16. AS8 must announce N16 to AS1 and/or AS34. AS1 must accept N16 from AS8 and/or AS34. (For two-way packet flow, comparable policies must exist for N1 in the opposite direction.) 64 Routing policy with multiple AS s N1 AS 1 AS 34 AS 8 N16 AS16 As multiple paths between sites are implemented it is easy to see how policies can become quite complex. 65 Routing policy problem AS4 AS3 AS1 AS2 AS5 AS1 does not accept any path traversing AS4 If AS2 prefers to reach AS3 via AS4 result is no connectivity from AS1 to AS3 If AS2 prefers to reach AS3 via AS5 result is connectivity from AS1 to AS3 Connectivity indirectly depends on AS2 s policy 66 22

23 Autonomous System Number Information Africa Telecom SPRINTlink ICM Atlantic UUNET France Telecom MCI Teleglobe (European AS UK, Fr., Ger.) EBONE Internal (EBONE Consortium) MikNet GmbH IntraNet GmbH (DE-CIX AS) Routing policy problem AS4 AS3 AS1 AS2 AS5 Since AS2 prefers to reach AS3 via AS4, there is normally no connectivity from AS1 to AS3 If the AS2 - AS4 link fails, then there is connectivity from AS1 to AS3. Connectivity only in the presence of network problems is quite difficult to diagnose! 67 Routing Asymmetry (Egress) Africa Telecom 98 Internet Connectivity (Outgoing Path) gw6.ipf.net MAE-F Frankfurt MAE-E++ LINX MAE-F Frankfurt bone-gw.frankfurt.core.ipf.net 1800 MAE-W SPRINT NAP PAIX Autonomous System Number Information Africa Telecom SPRINTlink ICM Atlantic UUNET France Telecom MCI Teleglobe (European AS UK, Fr., Ger.) EBONE Internal (EBONE Consortium) MikNet GmbH IntraNet GmbH (DE-CIX AS) Cisco Proprietary 68 Routing Asymmetry (Ingress) Africa Telecom 98 Internet Connectivity (AS Return Path) gw6.ipf.net MAE-F Frankfurt MAE-E++ LINX MAE-F Frankfurt bone-gw.frankfurt.core.ipf.net 1800 MAE-W SPRINT NAP PAIX Cisco Proprietary 69 23

24 Multihomed Provider AS 333 AS123 IXP-2 AS 111 AS 222 IXP-1 AS Multihomed provider AS 222 and AS 333 are large backbone providers. IXP-1 is a local interconnect. IXP-2 is a major transit interconnect. What are some routing policy strategies that could be used by AS 111, AS 123, and AS 555? 71 Granularity of policy description What to announce What to accept Preferences between multiple accepts single route routes originated by single AS routes originated by a group of ASs routes traversing specific path routes traversing specific AS routes belonging to other groupings (including combinations) 72 24

25 Granularity of policy description (cont d) ~60,000 prefixes (not realistic to set policy on all of them individually) hundreds of AS s (still too many) routes tied to a specific AS or path may be unstable regardless of connectivity groups of AS s are a natural abstraction for filtering purposes 73 Routing Policy Issues Destination based limitations Global topology not known (and constantly changing) details of connectivity are not known paths restricted due to policy are not known Route groupings are not known AS membership or AS groups Set of all routes in the Internet is not known 74 Addressing Issues Geographical addressing ARIN/APNIC/RIPE assigned Nationally Assigned Provider-based addressing Addresses assigned by upstream provider To a large degree is geographic 75 25

26 Geographical Addressing Advantages: probably reduces global routing table in the long run (as connectivity continues to increase) not tied to non-local backbone provider (may not need to renumber when changing providers) good local routing when interconnects are implemented Disadvantages: routing may be non-optimal in the near term may increase global routing table in the near term renumbering is still fairly likely global providers can cause a problem with this scheme if addressing is allocated to providers without regard to geography. Cisco Proprietary 76 Provider-Based Addressing Advantages: easy way to get started no increase in global routing table initially Disadvantages: must renumber to change providers, or use address translation causes inefficiencies with geographic address allocation Cisco Proprietary 77 Provider based addressing / /24 Subscribers A B Backbone # /16 IXP /24 C /24 D Backbone # /16 A and C are in one city, B and D are in a different city 78 26

27 Provider based addressing with local interconnect points /24 A /24 B Subscribers /24 C /24 D IXP Backbone # /16 IXP Backbone # / / /24 B Subscribers / /24 Provider based addressing limitations C A D If B s primary link goes down, and D is providing backup, a hole is created. IXP Backbone #2 may now have to advertise /24 Other providers may not receive or see /24 because they may be filtering on a /19 boundary. Backbone # /16 IXP Backbone # /16 80 Provider based addressing limitations / /24 Subscribers A B If B wants to change to BB #2, a hole is punched in #1 s address space. Backbone # /16 IXP /24 C /24 D This may require that B re-address to Provider #2 s address space. Backbone # /

28 Geographical/Independent Addressing /24 A /24 B Subscribers /24 C The subscribers have their own addresses, and they are not part of the provider s address space. Backbone # /16 IXP Backbone # /24 D /16 A and C are in one city, B and D are in a different city 82 Geographical Addressing /24 A /24 B Subscribers /24 C IXP Local Exchange Point Backbone # /16 IXP Backbone # /24 D /16 B, D, and others in that metro area can interconnect easily 83 Challenges in geographical addressing Cooperation between providers is necessary for it to be effective. Suboptimal routing or lack of connectivity can occur. Address coordination issues remain. Global providers addressing can bypass neat geographical aggregation

29 Renumbering Renumbering may be necessary in many cases in order to come into line with geographic or provider - based addressing and to support summarization/aggregation. Renumbering can allow a range of addresses (a prefix) to be aggregated or summarized as part of a larger block of addresses which are topologically close in the network. Address summarization allows the routing hierarchy to be efficient. See RFC 2071 and 2072 for more information. 85 Network Address Translation An alternative to renumbering. Packet headers are translated in real time on the edge of the network. See RFC 1631, which describes NAT functions NAT can be used with RFC 1918 addresses to allow an organization more flexibility in address space use. Concern has been expressed regarding data integrity and security of network address translators. 86 Border Gateway Protocol, Version 4 (BGP4) BGP Basics Aggregation and Announcements Routing Table Derivation and Path Selection Policy Control Administrative and ibgp Scaling Other BGP4 Issues BGP4 Management Cisco Proprietary 87 29

30 BGP Basics 88 BGP4 General Operation Learns multiple paths via internal (ibgp) and external (ebgp) speakers/peers. Picks the best path for installation into the IP routing table. Policies applied by influencing the best path selection as well as controlling what is announced and what is accepted 89 External BGP Peering Peering A C ebgp AS 100 AS 101 Runs over TCP Use directly-connected next-hop Incremental updates Between speakers in different ASes B ebgp D ebgp E AS

31 Demilitarized Zone (DMZ) DMZ Network A C ebgp AS 100 AS 101 DMZ Network B D ebgp ebgp E AS 102 Shared network between ASs 91 ebgp Configuration Configuration: AS /16 Router B router bgp 110 network mask neighbor remote-as 109 ip route null0 Router A router bgp 109 network mask neighbor remote-as 110 ip route null0.1 A / AS 110 B 92 Internal BGP Peering ibgp AS 100 A B D ibgp ibgp peers are within the same AS Not required to be directly physically connected (uses TCP) - May be several hops away ibgp neighbors should be fully meshed (announcements are NOT forwarded) Peer between loopback interfaces for stability Advertise loopback as next-hop ibgp hold timer larger than 2x IGP timer E ibgp 93 31

32 ibgp Configuration Loopback /32 A AS 109 B Configuration Router B router bgp 109 neighbor remote-as 109 Router A router bgp 109 neighbor remote-as 109 ibgp /16 Loopback /32 94 Stable IBGP Peering Peer with loop-back address ibgp session is not dependent on a single interface Loop-back interface does not go down Set BGP hold timer to 2x IGP timer. 95 Route Propagation with ibgp ibgp speakers do not forward route information with they receive from the first peer to a third peer. Full meshing is required between all ibgp speakers within the same AS in order for each ibgp speaker to learn information from all other ibgp speakers. Route Reflectors simplify complex meshing. Cisco Proprietary 96 32

33 Stub Network Static default A B AS /24 Stub Network /24 AS 100 ISP ebgp ebgp Announce: /24 (or aggregate) Announce: /24 (or aggregate) 97 Stub Network No need for BGP (use static routes) Point default towards the ISP ISP advertises the stub network Policy confined within ISP policy 98 Multi-Homed AS /24 AS 100 A ebgp Transit Path B C ibgp /24 AS 300 D ebgp AS /

34 Multi-Homed AS Many different situations can be considered multihomed Multiple sessions to same ISP Multiple sessions to multiple ISPs Many reason for muti-homing Backup paths Load-sharing Proximity to particular destinations Asymmetry of BGP paths and load balancing Policy can become quite complex vs. single-homing 100 Multiple Sessions to same neighbor AS (same peer router) Use ebgp multi-hop to load share across multiple, equalcost links (paths) ebgp to loopback address ebgp prefixes learned with loopback address as nexthop Parallel paths to loopback address allows load sharing AS ebgp Multi-hop Configuration Configuration: Router B router bgp 200 neighbor remote-as 300 neighbor update-source loopback 0 neighbor ebgp-multihop /16 AS 300 Loopback /32 A ebgp Router A router bgp 300 neighbor remote-as 200 B neighbor update-source loopback 0 Loopback 0 neighbor ebgp-multihop / /16 AS 200 Cisco Proprietary

35 Multiple Sessions to same neighbor AS (different peer routers) Simplest scheme is to use defaults Learn/advertise prefixes from/to both peers for better control ISP D F A B AS Multiple Sessions to same neighbor AS (different peer routers) Use EBGP multipath to install multiple paths in IP table of router A. Loadshare over the alternate paths Configuration: Router A: router bgp 201 neighbor remote-as 301 neighbor remote-as 301 max-paths 2 (use directly-connected next-hop) Same prefix/mask pair from each router with same attribute values will be weighted the same and two paths will be implemented. AS 301 D A AS /16 F Multiple sessions to multiple neighbor ASes /24 AS 100 A ebgp Transit Path B C ibgp /24 AS 300 D ebgp AS /16 Cisco Proprietary

36 Multiple sessions to multiple neighbor ASes Difficult to achieve load-sharing (due to path asymmetry nature) Some options include: Point default towards one AS (higher-distance secondary default pointed to other AS) take partial routes from other AS Learn selected prefixes from second AS Announce selected prefixes to each neighbor AS Modify the number of prefixes learned or control which paths to use to achieve acceptable load-sharing 106 BGP in Large (NSP) ISP Backbones All routers take part in BGP BGP carries full Internet routing table (possible multiple views in gateway routers) IGPs are used to carry next hop and internal route information Routes are never redistributed from BGP into IGP Recursive route lookup 107 BGP in smaller transit ISPs Implement ibgp along transit path routers only Default up to gateway routers Careful of non-optimal routing Don t usually require full routes (I.e. partial routes from neighbors) IGPs carry next hop and internal network information No IGP <-> BGP redistribution Recursive route lookup

37 Synchronization RTA knows about /24 from RTC via ibgp RTA RTB AS 100 RTB knows nothing about /24 (because it is not participating in BGP) but may know about next-hop on RTY (if injected into IGP) ibgp RTC RTX AS 200 ebgp ebgp Forwarding via RTA-RTB- RTC-RTY will break in this case since RTB knows nothing about / /24 RTY AS Synchronization If transit is provided, Transit AS should not advertise route until all routers within AS have learned about the route via the/an IGP. The only way that this can happen is if external routes are injected into the IGP (which may not be a good idea). So, turning synch off and implementing BGP in the routers along the transit path is the usual procedure. Route will not be announced until it is seen via the IGP (with synch turned on). Disable synchronization if: Transit is not provided (e.g. stub BGP connected network) All transit routers in AS run BGP (so route is known to each router in transit path via BGP) Synchronization is employed to ensure that a path exists through the Transit AS. 110 Configuring Aggregation and Announcements

38 Configuring Aggregation Three ways to configure route aggregation redistribute static network mask command aggregate-address command dynamic redistribution NOTE: no auto-summary command 112 Configuring Aggregation redistribute static Configuration: router bgp 109 redistribute static... ip route null 0 Forces Origin attribute to Incomplete 113 Configuring Aggregation Network and mask command Configuration: router bgp 109 network mask ip route null < A matching prefix/mask or more-specific (i.e. longerprefix) must exist in the routing table here implemented using a static route. > Can be a good idea to use 210 to weight route (any other route to /16 will have a smaller weight). If <no auto-summary> is implemented, more-specifics will be advertised

39 Configuring Aggregation Aggregate-address command router bgp 109 network mask aggregate-address as-set summary-only... ip route null0 {summary-only} keyword Ensures that only the summary is announced, but only if a morespecific prefix exists in the bgp table. 115 Aggregation Policies Suppress map Unsuppress map 116 Aggregation Policies Suppress Map Used to suppress the announcement of selected morespecific prefixes (e.g. defined through a route-map) in the absence of the {summary-only} keyword. Unsuppress Map Used to permit announcement of selected morespecific prefixes in the presence of {summaryonly} keyword

40 Aggregation Policies Suppress map (on neighbor ) router bgp 900 network network network network network aggregate-address suppress-map foo1 neighbor remote-as 1000 (static null0 routes omitted because of space constraints) access-list 3 deny access-list 3 permit any route-map foo1 permit 10 match ip address 3 Routes which are not denied by the access-list foo1 will be suppressed. 118 Aggregation Policies Suppress map (sh ip bgp on neighbor ) rtd#sh ip bgp BGP table version is 9, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i - internal Origin codes: i - IGP, e - EGP,? - incomplete Network Next Hop Metric LocPrf Weight Path *> / i *> i *> i *> i *> i 119 Aggregation Policies Unsuppress map (on neighbor ) router bgp 900 network network network network network aggregate-address summary-only neighbor remote-as 1000 neighbor unsuppress-map foo1 (static null0 routes omitted because of space constraints) access-list 3 deny access-list 3 permit any route-map foo1 permit 10 match ip address 3 Routes which are not denied by the access-list foo1 will be un-suppressed

41 Aggregation Policies Unsuppress map (on neighbor ) rtd#sh ip bgp BGP table version is 23, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i - internal Origin codes: i - IGP, e - EGP,? - incomplete Network Next Hop Metric LocPrf Weight Path *> / i *> i *> i *> i 121 Routing Table Derivation and Path Selection 122 Routing Table Derivation BGP in process receives NLRI (prefix/mask pairs with respective attributes) as announcements from BGP (iether ibgp or ebgp peers) and filters them by (1) omitting received prefix announcements based on prefixmask pair and/or attribute values, on ingress. Manipulation of NLRI attributes can also be implemented to influence path selection process. BGP path selection takes place and the results are placed in BGP table. Best path(s) is flagged in table (see slide describing Path Selection algorithm). BGP out announces BEST path information to peers. Route announcements can be filtered and omitted or have attributes manipulated at egress. This works for ebgp and in most cases for ibgp. Best paths are copied to IP routing table process and are installed if: Prefix and mask (also called prefix length) are unique, if not (if they are not unique then it is assumed that the same prefix/mask has been derived by other routing protocols) then: Protocol distances for all identical prefix/mask pairs are compared and lowest distance wins. Winner is installed in routing table

42 Default Administrative Distances Route Source Default Distance Connected Interface 0 Static Route 1 Enhanced IGRP Summary Route 5 External BGP 20 Internal Enhanced IGRP 90 IGRP 100 OSPF 110 IS-IS 115 RIP 120 EGP 140 External Enhanced IGRP 170 Internal BGP 200 Unknown BGP Path Selection Algorithm (summarized) BEST-MATCH SEARCH, IF EQUAL PREFER LOWEST PROTOCOL DISTANCE 1. AS_SEQUENCE or AS_SET CONTAIN LOCAL ASN IGNORE/DISCARD 2. NEXT_HOP INACCESSIBLE IGNORE PREFIX/PATH 3. SYNCH ENABLED, PATH INTERNAL, ROUTE NOT IN IGP IGNORE 4. LARGEST WEIGHT 5. LARGEST LOCAL_PREF 6. LOCALLY ORIGINATED 7. SHORTEST AS_PATH 8. LOWEST ORIGIN TYPE 9. LOWEST MED 10. ebgp DERIVED PATH PREFERRED OVER ibgp PATH 11. SELECT ROUTE WITH LOWEST METRIC TO NEXT_HOP 12. EXISTING BEST ROUTE AND THIS ROUTE =, AND MAXPATHS > 1 ADD ROUTE IF MAXPATHS = 1 (DEFAULT) PREFER LOWEST ROUTER ID Cisco Proprietary 125 BGP Path Selection Algorithm The whole basis for BGP decision making about which route to implement is found in the Path Selection algorithm shown on the previous slide. The decision process is based on a comparison of the relative values of the attributes for each route or path to the same prefix/mask pair. Under normal circumstances, a comparison of the values of the attributes, as outlined on the previous slide, is used to make the decision as to which of two or more identical prefix/mask pairs denotes the best route or path. Manipulation of BGP attributes is the mechanism used to control selection of one route (or path ) over another (when two or more paths to the same destination are present). Attributes can be manipulated on outgoing announcements to affect ingress traffic. Attributes which have been manipulted on ingress announcsments will affect egress traffic. Cisco Proprietary

43 BGP4 Attributes AS-Path Next Hop Local Preference Multi-Exit Discriminator Origin Atomic Aggregator Aggregator Communities Weight (not an attribute) 127 What Is an Attribute?... Next Hop AS Path MED Describe the characteristics of prefix Transitive or non-transitive Mandatory, non-mandatory 128 AS-Path Path traversed one or more members of a set {1880, 1881, 1882} (as-set) A list of AS s that a route has traversed (sequence) / / / / / / / /22 {1880,1881,1882}

44 Next Hop AS /16 A B AS / / AS /16 Next hop to reach a network Usually a local network is the next hop in EBGP session 130 Third-Party Next Hop Routers C and B have no peering agreement and are not peering using BGP Traffic destined for /24 will be forwarded from C to B because next-hop was carried from B->A->C. Use next-hop-self to remedy this problem. AS C ebgp A B ebgp AS / / traffic flow AS ibgp Next Hop AS / ibgp C A B AS 300 AS /16 ebgp sessions / / Next hop not changed

45 Next Hop IGP should carry route to next hops Recursive route lookup is necessary because next-hop carried internally through ibgp as prefix attribute. De-couples BGP from the actual physical topology (BGP routes not redistributed into the IGP). Allows IGP to make intelligent fowarding decision by forwarding based on route(s) to next-hop. 133 Recursive Look-Ups 7505A#sh ip bgp BGP table version is 35, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i - internal Origin codes: i - IGP, e - EGP,? - incomplete Network Next Hop Metric LocPrf Weight Path *>i i *>i i * i i *>i / i *>i i *>i i The BGP next-hop for the destination, is found to be by looking in the BGP table. Cisco Proprietary 134 Recursive Look-Ups (cont d) 7505A#sh ip route Gateway of last resort is not set /8 is variably subnetted, 2 subnets, 2 masks C /24 is directly connected, Ethernet1/0/ /8 is variably subnetted, 2 subnets, 2 masks B /32 [200/0] via , 2w3d B /8 [200/0] via , 18:02: /16 is variably subnetted, 2 subnets, 2 masks O /30 [110/74] via , 2w2d, Serial2/1/0 O /32 [110/65] via , 2w2d, Serial2/1/0 When forwarding, a first lookup is conducted to determine the next-hop. The BGP next-hop is actually (from the previous slide). The next-hop s subnet is shown here as /30. A second, recursive lookup is required in order to determine the actual, directlyconnected next-hop which turns out to be Cisco Proprietary

46 Local Preference Local Preference is sent to all routers in the local AS Influences best path selection Paths with the highest Local_Pref value are most desireable. Local_pref default = 100 (even when not visible in sh ip bgp command displays) Higher Local_Pref value is preferred. 136 Local Preference Configuration of router A: router bgp 109 neighbor remote-as 1880 neighbor route-map foo in route-map foo 10 match as-path 2 set local-preference 120 route-map foo 20 match as-path 3 ip as-path access-list 2 permit _690$ ip as-path access-list 3 permit.* 137 Local Preference Local_Pref = 120 A Needs to go to Local_Pref = 100 In this case path via 1880_1755_690 has Local_Pref of 120. Default Local_Pref is 100 and the path via 666_690 is therefore less preferred

47 Multi-Exit Discriminator (MED) Affects all routes from same AS path Advertised to external neighbors Lower MED value is more preferable Default = Multi-Exit Discriminator (MED) Non-transitive (reset prior to being sent out as part of announcement to third AS). When using compare mechanism, must be set to desired value on annoucements sent by third AS. Used to convey the relative preference of entry points to a neighbor, thus affecting ingress traffic to the announcing AS Influences best path selection Comparable if paths are from same AS (Comparison of MED on same prefix from two different ASes possible) IGP metric can be conveyed as MED (redistribution) 140 Multi-Exit Discriminator (MED) Configuration for router B: router bgp 1755 neighbor remote-as 1880 neighbor route-map foo out route-map foo 10 match as-path 2 set metric 25 route-map foo 20 match as-path 3 ip as-path access-list 2 permit _690$ ip as-path access-list 3 permit.*

48 Multi-Exit Discriminator (MED) Local_Pref=100 Default 690 Router B Set: MED= Set: Local_Pref=150 MED=50 Default 142 Multi-Exit Discriminator (MED) Comparison of MED on same prefix from two different ASes Permits an AS to compare MED values for path information propagated directly from the originating neighboring AS as well as through an intermediate AS. Requires that the intermediate AS set the MED value for the path information since MED is non-transitive. 143 Multi-Exit Discriminator (MED) MED Comparison between multiple ASes router bgp 100 neighbor remote-as 300 neighbor remote-as 300 bgp always-compare-med

49 Origin IGP Network statement under router BGP EGP Redistributed from EGP Incomplete Redistribute IGP under router BGP Example: redistribute static IGP<EGP<Incomplete Lowest origin type is preferred 145 Atomic Aggregate Used to inform BGP speaker that less specific routes are aggregated into the prefix BGP speaker receiving this attribute shall NOT remove the attribute when propagating it 146 Aggregator Last AS number that formed the aggregate route IP address (RID - largest IP address or loopback interface address - loopback preferred) of the BGP speaker that formed the aggregate route

50 Communities Used to tag prefixes for a variety of purposes. These tags are sent along with the prefixes as they are announced (this must be manually configured) Examples include: grouping destinations (to associate prefixes into sets ), to send signals to neighbor ASes which could be used to derive path preference (e.g. RFC1998). Useful for applying policies. Four byte value. Can consist of a string of four-byte values. Each destination could be member of multiple communities (communities can be additive) Community attribute carried across ASes (transitive but discretionary) New-format: byte 1 & 2 = ASN, byte 3 & 4 free-form. 148 Communities (influencing ingress traffic flow) AS 100 LP=90 LP=100 C=150 LP=150 Requires that AS 200 forward the community value of 150 originated by AS300. AS 200 C=90 C=100 C=150 AS / Communities (influencing ingress traffic flow) Set Community=1000 for all prefixes received on router A AS /16 RTA RTB /16 C RTD RTC D / /

51 Weight Not an attribute, local to router but can be used to influence path selection (within a single router) Highest weight wins Default value: 0 Can be applied to all routes from a neighbor neighbor weight 100 Can be assigned to specific routes based on filter list or route-map mechanism: neighbor filter-list 3 weight BGP Path Selection Algorithm If multiple routes (paths) to the same prefix exist: (1) If the next-hop is inaccessible, the route is ignored. (2) If synchronization is enabled, the path is internal, and the route is not in the IGP, it is ignored. (3) Prefer the path with the largest weight. (4) If weights are the same, prefer the route with the largest local preference. 152 BGP Path Selection Algorithm (cont d) (5) If the routes have the same local preference, prefer the route that was locally originated (originated in this router). (6) If the routes have the same local preference, prefer the route with the shortest AS_Path. (7) If the AS_Path length is the same, prefer the route with the lowest origin type (IGP<EGP<Incomplete). (8) If the origin type is the same, prefer the route with the lowest MED. The comparison is only done if the neighboring AS is the same, unless the bgp always-compare-med command is enabled

52 BGP Path Selection Algorithm (cont d) (9) If the routes have the same MED, prefer the route in the following manner: External (ebgp-derived) is better than internal (ibgp-derived). Confederation paths are considered internal paths. (10) If all the preceding scenarios are identical, prefer the route that can be reached via the closest IGP neighbor - that is, take the shortest internal path inside the AS to reach the destination (follow the shortest path the BGP next-hop). (11) If the best route and this route are both external and from the neighboring AS, and maximum-paths is enabled, insert the route for this path into the IP routing table. 154 BGP Path Selection Algorithm (cont d) (12) If the internal path is the same, and multipath is not enabled, prefer the route coming from the BGP router with the lowest router ID (RID). The router ID is usually the highest IP address on the router or the loopback interface address. THE END 155 Policy Control

53 Applying Policy with BGP Policy-based on AS path, community or the prefix Rejecting/accepting selected announcements Filtering outgoing announcements Setting attributes to influence path selection 157 Policy Control Tools: Distribute list Filter list Route-maps Communities Prefix Lists 158 Policy Control Distribute List Per neighbor access list Inbound or outbound Based upon network numbers (e.g. through use of access-lists)

54 Policy Control Distribute List Configuration: router bgp 109 network neighbor distribute-list 5 in... access-list 5 deny access-list 5 permit any 160 Policy Control Filter List Per neighbor Based on AS_Path access-list In-bound or outbound Cisco Proprietary 161 Policy Control Filter List Filter routes based on AS path Inbound or outbound Configuration: router bgp 109 network neighbor filter list 5 out ip as-path access-list 5 permit ^200$

55 Policy Control Route Maps Configuration: router bgp 109 neighbor remote-as 200 neighbor route-map FILTER-ON-COMMUNITY in route-map FILTER-ON-COMMUNITY 10 permit match community 1 set metric 500 route-map FILTER-ON-COMMUNITY 20 permit match community 2 exact-match set local-preference 200 route-map FILTER-ON-COMMUNITY 30 permit match community 3 ip community-list 1 permit ip community-list 2 permit Policy Control Route Maps - MATCH Articles as-path community-list interface ip address ip next-hop ip route-source length metric route-type tag 164 Policy Control Route Maps - SET Articles as-path automatic-tag community default interface interface ip default next-hop ip next-hop Level Local Preference metric metric-type next-hop origin tag weight

56 Configuration: router bgp 109 Policy Control Route Maps (cont d) neighbor remote-as 200 neighbor route-map FILTER-ON-AS_PATH in route-map FILTER-ON-AS_PATH 10 permit match as-path 1 set local_preference 100 route-map FILTER-ON-AS_PATH 20 permit match as-path 2 set local-preference 200 route-map FILTER-ON-AS_PATH 30 permit match as-path 3 ip as-path access-list 1 permit _2120$ ip as-path access-list 2 permit _3561_ ip as-path access-list 3 permit.* 166 Policy Control Route Maps (cont d) - AS_Path Prepend Configuration: router bgp 300 network neighbor remote-as 100 neighbor route-map SETPATH out route-map SETPATH permit 10 set as-path prepend This example will do a prepend on ALL outgoing announcements to the neighbor Standard practice is to implement two instances of the ASN when prepending. 167 Policy Control Route Maps (cont d) - Route Redistribution Example Configuration: router ospf 1001 network area 0 redistribute bgp 109 route-map set-metric... router bgp 109 network mask neighbor remote-as route-map set-metric 10 permit match ip address 1 set metric 100 route-map set-metric 20 permit... access-list 1 permit

57 Like UNIX Regular Expressions. Policy Control Regular Expressions Match one character * Match any number of preceding expression ^ Beginning of line $ End of line _ Beginning, end, whitespace, brace 169 Policy Control Regular Expressions.* Match anything ^$ Match routes local to this AS _1800$ Originated by 1800 ^1800_ Received from 1800 _1800_ Via 1800 _790_1800_ Passing through 1800 then 790 ^1829$ From this neighbor 170 Policy Control Communities Grouping destinations into a community for applying a common policy Each destination can belong to multiple communities (communities can be additive)

58 Policy Control Communities Aggregation results in loss of information Next hop information is lost Normally more specific routes are leaked to neighbor AS More specifics manually filtered in neighboring AS 172 Policy Control Communities Local AS:Do not send it outside local AS No-export: Do not advertise this route to external peer No-advertise: Do not advertise this route to any peer Additive: Add to existing community 173 Policy Control Communities Special communities internet - Advertise this route to the Internet community. All routers belong to it. no-export - Do not advertise this route to EBGP peers. no-advertise - Do not advertise this route to any peer (internal or external). local-as - Send this route to peers in other sub-autonomous systems within the local confederation. Do not advertise this route to an external system. No-export routes are automatically filtered