BGP Part-1.


BGP Part-1 www.ine.com

Comparison between IGPs & BGP
» Similarities and differences between BGP and IGPs (OSPF and EIGRP):
  BGP needs to form neighborships, like IGPs.
  BGP needs to advertise prefixes, just like IGPs.
  BGP also advertises next hops for those prefixes.
  Neighbor IP addresses need not be on a common subnet for BGP.
  BGP runs over TCP (port 179) and unicast; IGPs do not.

Comparison between IGPs & BGP
» Neighbors versus peers
  IGP routers are called neighbors, which typically denotes a direct connection.
  BGP routers are called peers because there is no need for a direct connection.
» Routes versus NLRI
  IGP protocols exchange unicast routes.
  BGP also exchanges unicast routes, but it can also exchange other types of information. For this reason we say BGP exchanges NLRI (Network Layer Reachability Information).

Overview of ibgp and ebgp

Overview of ibgp and ebgp
» There are two types of neighbors in BGP: internal BGP (ibgp) and external BGP (ebgp).
» A BGP router behaves differently in several ways depending on whether the peer (neighbor) is an ibgp or ebgp peer. The only thing that decides which one it is, is whether the remote AS matches the local AS:
  ebgp peering (remote AS differs from the local AS):
    router bgp 1
     neighbor 2.2.2.2 remote-as 2
  ibgp peering (remote AS equals the local AS):
    router bgp 1
     neighbor 2.2.2.2 remote-as 1

ibgp and ebgp Differences (Overview)
» Peer establishment: ebgp imposes certain rules/restrictions not imposed by ibgp.
» Prefix exchange: BGP updates received from external peers can be forwarded on to any other type of peer. BGP updates received from internal peers can ONLY be forwarded on to external peers.
» Update modification: certain BGP path attributes may only be forwarded to external or to internal peers.

BGP Neighborship Requirements

BGP Peering Overview
Router-1 (1.1.1.1, AS 1) and Router-2 (1.1.1.2, AS 2):
  router bgp 1
   neighbor 1.1.1.2 remote-as 2
  router bgp 2
   neighbor 1.1.1.1 remote-as 1
1 Ensure the BGP peers have IP reachability to each other.
2 Configure basic ebgp on each router.
3 The TCP 3-way handshake must complete (SYN, SYN+ACK, ACK to port 179).
4 BGP peering establishment must complete.
5 BGP Update exchange: "These are the best paths I've seen so far!" / "I've got better paths for these same prefixes!"
6 BGP bestpath selection process.

ebgp Neighborship Overview
» To configure BGP peers, use the following commands:
  router bgp asn (global command)
  neighbor ip-address remote-as remote-asn (BGP subcommand)
» The asn in the router bgp command is the local AS number of the router.

BGP Peering Sanity Checks
Router-1 (1.1.1.1, AS 1): router bgp 1 / neighbor 1.1.1.2 remote-as 2
Router-2 (1.1.1.2, AS 2): router bgp 2 / neighbor 1.1.1.1 remote-as 1
After the TCP handshake (SYN, SYN+ACK, ACK on port 179) each side checks:
1 The source IP address of the incoming TCP connection must be that of an expected/configured BGP peer.
2 The AS number the peer advertises in its Open message must be what we expect (the configured remote-as).
3 If BGP authentication is used, the same password must be configured on both sides.
4 Peers must have unique BGP Router-IDs.
5 Peers must use the same BGP version.

BGP Router-ID
» Just like any IGP, BGP elects a Router-ID.
» The BGP Router-ID is chosen as follows:
  1. Use the setting of the bgp router-id <x.x.x.x> router subcommand.
  2. Otherwise, choose the highest numeric IP address of any up/up loopback interface, at the time the BGP process initializes.
  3. Otherwise, choose the highest numeric IP address of any up/up non-loopback interface, at the time the BGP process initializes.
» "Highest" is a numeric comparison of the 32-bit address, not a string comparison. Set the Router-ID explicitly: changing it later resets every BGP session on the router.

BGP Authentication
» To configure authentication for BGP, use the following command:
  neighbor neighbor-ip password key (BGP subcommand)
» This command must be configured on both routers with the same key. It enables the TCP MD5 signature option on the session, so every TCP segment of the peering is authenticated, not only the Open message.
» If the keys do not match, or the command is configured on only one router, the peering will not be established.

BGP Update-Source & Multihop Requirement

BGP Update-Source
» A TCP connection must first form between the BGP peers; BGP messages flow over this TCP connection only after it is established.
» The source IP address used in the TCP connection usually must match what your neighbor expects from you in his neighbor command.
» The local router tries to form a TCP connection to the IP address defined in its neighbor remote-as command, and by default sources that connection from the outgoing interface toward that address.

BGP Update-Source
» When peers are directly connected, the source IP address of incoming BGP messages matches the configured peer and is trusted.
Router-1 (AS 1, Fast0/0 1.1.1.1): router bgp 1 / neighbor 1.1.1.2 remote-as 2
Router-2 (AS 2, Fast0/0 1.1.1.2): router bgp 2 / neighbor 1.1.1.1 remote-as 1
1 Router-1: "How do I reach 1.1.1.2? Via FastEthernet0/0! I'll use its address as my source IP."
2 TCP SYN (src=1.1.1.1, dest port=179)
3 Router-2: "Am I configured to expect/trust BGP from 1.1.1.1? Yes!! How do I reply to 1.1.1.1? Via FastEthernet0/0! I'll use its address as my source IP."
4 TCP SYN+ACK (src=1.1.1.2, src port=179)
5 TCP ACK (179)

BGP Update-Source (2)
» What if the peers are NOT directly connected?
Router-1 (AS 1): Fast0/0 1.2.1.1, Serial0/0 1.1.1.1
  IP routing table: D 3.3.3.0/24 via 1.2.1.2 (Fast0/0)
  router bgp 1
   neighbor 3.3.3.3 remote-as 1
Router-2 (AS 1): Fast0/0 1.2.1.2, 3.3.3.3 (Serial0/0)
  router bgp 1
   neighbor 1.1.1.1 remote-as 1
1 Router-1: "How do I reach 3.3.3.3? Via FastEthernet0/0! I'll use 1.2.1.1 as my source IP."
2 TCP SYN (src=1.2.1.1, dest port=179)
3 Router-2: "1.2.1.1?? Who are you??? I don't know you!!"
4 TCP Reset (src=3.3.3.3, src port=179)

BGP Update-Source (3)
» Redundant links between connected peers
Router-1 (AS 1): Fast0/0 1.2.1.1, Fast0/1 1.1.1.1
  IP routing table: C 1.2.1.0/24 via Fast0/0, C 1.1.1.0/24 via Fast0/1
  router bgp 1
   neighbor 1.1.1.2 remote-as 1
Router-2 (AS 1): Fast0/0 1.2.1.2, Fast0/1 1.1.1.2
  router bgp 1
   neighbor 1.1.1.1 remote-as 1
1 Router-1: "How do I reach 1.1.1.2? Via FastEthernet0/1! I'll use 1.1.1.1 as my source IP."
2 TCP SYN, SYN+ACK, ACK (179) over the Fast0/1 link. Router-2: "1.1.1.1? Great, I was expecting you!"
3 If the Fast0/1 link fails and 1.1.1.0/24 is instead learned via 1.2.1.2 (D 1.1.1.0/24 via 1.2.1.2, Fast0/0), Router-1 reaches 1.1.1.2 through Fast0/0 and sources from 1.2.1.1.
4 TCP SYN (src=1.2.1.1, dest port=179)
5 Router-2: "1.2.1.1?? Who are you??? I don't know you!!"
6 TCP Reset

BGP Update-Source
» The failure of one link can cause the BGP neighborship to fail.
» There are two solutions to this issue:
  Configure two neighbor commands on each router (one per link).
  Use loopback interfaces as the TCP connection endpoints.
» Two BGP peerings between the same pair of routers double the updates exchanged and the paths held in the BGP table, so the loopback approach is normally preferred.

BGP Update-Source (Fix #1)
Router-1 (AS 1): Fast0/0 1.2.1.1, Serial0/0 1.1.1.1
  IP routing table: D 3.3.3.0/24 via 1.2.1.2 (Fast0/0)
  router bgp 1
   neighbor 3.3.3.3 remote-as 1
   neighbor 3.3.3.3 update-source Serial0/0
Router-2 (AS 1): Fast0/0 1.2.1.2, 3.3.3.3 (Serial0/0)
  router bgp 1
   neighbor 1.1.1.1 remote-as 1
   neighbor 1.1.1.1 update-source FastEthernet0/0
1 Router-1: "How do I reach 3.3.3.3? Via FastEthernet0/0! But update-source says to use Serial0/0, so 1.1.1.1 is my source IP."
2 TCP SYN (src=1.1.1.1, dest port=179)
3 Router-2: "I was waiting for you, 1.1.1.1!"

BGP Parallel Links (Solution #1)
Router-1 (AS 1): Fast0/0 1.2.1.1, Fast0/1 1.1.1.1
  router bgp 1
   neighbor 1.2.1.2 remote-as 1
   neighbor 1.1.1.2 remote-as 1
Router-2 (AS 1): Fast0/0 1.2.1.2, Fast0/1 1.1.1.2
  router bgp 1
   neighbor 1.2.1.1 remote-as 1
   neighbor 1.1.1.1 remote-as 1
Two TCP sessions (SYN, SYN+ACK, ACK on port 179) form, one over each link, so the loss of either link leaves the other peering up.

BGP Parallel Links (Solution #2)
Router-1 (AS 1): Loop0 11.11.11.11/32, Fast0/0 1.2.1.1, Fast0/1 1.1.1.1
  IP routing table: C 1.2.1.0/24 via Fast0/0, C 1.1.1.0/24 via Fast0/1, S 12.12.12.12/32 via 1.1.1.2 and via 1.2.1.2
  router bgp 1
   neighbor 12.12.12.12 remote-as 1
   neighbor 12.12.12.12 update-source Loop0
  !
  ip route 12.12.12.12 255.255.255.255 1.1.1.2
  ip route 12.12.12.12 255.255.255.255 1.2.1.2
Router-2 (AS 1): Loop0 12.12.12.12/32, Fast0/0 1.2.1.2, Fast0/1 1.1.1.2
  IP routing table: C 1.2.1.0/24 via Fast0/0, C 1.1.1.0/24 via Fast0/1, S 11.11.11.11/32 via 1.1.1.1 and via 1.2.1.1
  router bgp 1
   neighbor 11.11.11.11 remote-as 1
   neighbor 11.11.11.11 update-source Loop0
  !
  ip route 11.11.11.11 255.255.255.255 1.1.1.1
  ip route 11.11.11.11 255.255.255.255 1.2.1.1
A single TCP session (SYN, SYN+ACK, ACK on port 179) forms between the two loopbacks; the two static routes per loopback keep it reachable while either link is up.

Case where Update-Source is not needed
Router-1 (1.1.1.1): router bgp <whatever> / neighbor 2.2.2.2 remote-as <whatever>
Router-2 (1.1.1.2, Loopback0 2.2.2.2): router bgp <whatever> / neighbor 1.1.1.1 remote-as <whatever>
1 TCP SYN (dest port=179), src=1.1.1.1, dest=2.2.2.2
2 TCP SYN+ACK (source port=179), src=2.2.2.2, dest=1.1.1.1
Notice that in this instance Router-2 responds using its Loopback0 IP address as the source IP even without update-source configured. update-source only controls connections the local router initiates; a reply to an incoming connection is sourced from the address the connection was sent to.

ebgp Problem
Router-1 (AS 1): Loop0 11.11.11.11/32, Fast0/0 1.2.1.1, Fast0/1 1.1.1.1
  IP routing table: C 1.2.1.0/24 via Fast0/0, C 1.1.1.0/24 via Fast0/1, S 12.12.12.12/32 via 1.1.1.2 and via 1.2.1.2
  router bgp 1
   neighbor 12.12.12.12 remote-as 2
   neighbor 12.12.12.12 update-source Loop0
  !
  ip route 12.12.12.12 255.255.255.255 1.1.1.2
  ip route 12.12.12.12 255.255.255.255 1.2.1.2
Router-2 (AS 2): Loop0 12.12.12.12/32, Fast0/0 1.2.1.2, Fast0/1 1.1.1.2
  IP routing table: C 1.2.1.0/24 via Fast0/0, C 1.1.1.0/24 via Fast0/1, S 11.11.11.11/32 via 1.1.1.1 and via 1.2.1.1
  router bgp 2
   neighbor 11.11.11.11 remote-as 1
   neighbor 11.11.11.11 update-source Loop0
  !
  ip route 11.11.11.11 255.255.255.255 1.1.1.1
  ip route 11.11.11.11 255.255.255.255 1.2.1.1
Router-1: "I can't even start the TCP process because my peer is NOT directly connected!!"
By default an ebgp peer address must lie on a directly connected subnet (the connected check); an address reachable only through a route is rejected and no TCP SYN is ever sent.

ebgp Solution #1 - Multihop
Router-1 (AS 1): Loop0 11.11.11.11/32, Fast0/0 1.2.1.1, Fast0/1 1.1.1.1
  IP routing table: C 1.2.1.0/24 via Fast0/0, C 1.1.1.0/24 via Fast0/1, S 12.12.12.12/32 via 1.1.1.2 and via 1.2.1.2
  router bgp 1
   neighbor 12.12.12.12 remote-as 2
   neighbor 12.12.12.12 update-source Loop0
   neighbor 12.12.12.12 ebgp-multihop
  !
  ip route 12.12.12.12 255.255.255.255 1.1.1.2
  ip route 12.12.12.12 255.255.255.255 1.2.1.2
Router-2 (AS 2): Loop0 12.12.12.12/32, Fast0/0 1.2.1.2, Fast0/1 1.1.1.2
  IP routing table: C 1.2.1.0/24 via Fast0/0, C 1.1.1.0/24 via Fast0/1, S 11.11.11.11/32 via 1.1.1.1 and via 1.2.1.1
  router bgp 2
   neighbor 11.11.11.11 remote-as 1
   neighbor 11.11.11.11 update-source Loop0
   neighbor 11.11.11.11 ebgp-multihop
  !
  ip route 11.11.11.11 255.255.255.255 1.1.1.1
  ip route 11.11.11.11 255.255.255.255 1.2.1.1
TCP SYN (179) is now sent with IP TTL = 255: ebgp-multihop disables the connected check and raises the outbound TTL (to 255 when no hop count is given).

ebgp Solution #2 - Disable Connected Check
Router-1 (AS 1): Loop0 11.11.11.11/32, Fast0/0 1.2.1.1, Fast0/1 1.1.1.1
  IP routing table: C 1.2.1.0/24 via Fast0/0, C 1.1.1.0/24 via Fast0/1, S 12.12.12.12/32 via 1.1.1.2 and via 1.2.1.2
  router bgp 1
   neighbor 12.12.12.12 remote-as 2
   neighbor 12.12.12.12 update-source Loop0
   neighbor 12.12.12.12 disable-connected-check
  !
  ip route 12.12.12.12 255.255.255.255 1.1.1.2
  ip route 12.12.12.12 255.255.255.255 1.2.1.2
Router-2 (AS 2): Loop0 12.12.12.12/32, Fast0/0 1.2.1.2, Fast0/1 1.1.1.2
  IP routing table: C 1.2.1.0/24 via Fast0/0, C 1.1.1.0/24 via Fast0/1, S 11.11.11.11/32 via 1.1.1.1 and via 1.2.1.1
  router bgp 2
   neighbor 11.11.11.11 remote-as 1
   neighbor 11.11.11.11 update-source Loop0
   neighbor 11.11.11.11 disable-connected-check
  !
  ip route 11.11.11.11 255.255.255.255 1.1.1.1
  ip route 11.11.11.11 255.255.255.255 1.2.1.1
TCP SYN (179) is sent with IP TTL = 1: disable-connected-check only skips the connected check, so it works here because the peer's loopback is reached over a directly connected link with no router in between.

BGP Message Types, BGP Table, & BGP Routes

BGP Message Header and Types
» All BGP messages are carried inside IP/TCP headers:
  IP Header | TCP Header | Marker (all 1s, 16 bytes) | Length (2 bytes) | Type (1 byte) | BGP Data
» Length covers the whole message including the 19-byte header and must be between 19 and 4096; a marker, length or type that fails these checks is a Message Header Error.
» BGP uses four types of messages for its operation: Open, Update, Keepalive, Notification.

BGP Message Types - Open
» BGP Open message: used in neighbor establishment. BGP values and capabilities are exchanged.
  Marker (all 1s, 16 bytes) | Length (2 bytes) | Type = 1 | Version = 4 | My AS# | Hold Time | Router-ID | Optional Parameters Length | Optional Parameters (BGP capabilities)

BGP Open Message (Sniffer Trace)

BGP Message Types - Update
» BGP Update message: informs neighbors about withdrawn routes, changed routes, and new routes. Used to exchange path attributes (PAs) and the associated prefix/length (NLRI) that use those attributes.
  Marker (all 1s, 16 bytes) | Length (2 bytes) | Type = 2 | Unfeasible (Withdrawn) Routes Length | Withdrawn Routes (if any) | Total Path Attributes Length | Path Attributes (TLV) | NLRI: Prefix Length, Prefix
» One Update can carry many NLRI, but all of them share the single set of path attributes in that message.

BGP Update Message (Sniffer Trace)

BGP Message Types - Notification
» BGP Notification message: used to signal a BGP error. The sender closes the TCP connection right after sending it, so it resets the neighbor relationship.
  Marker (all 1s, 16 bytes) | Length (2 bytes) | Type = 3 | Error Code | Error Subcode | Data

BGP Notification Message (Sniffer Trace)

BGP Message Types - Keepalive
» BGP Keepalive message: sent periodically (by default every one third of the hold time) to maintain the neighbor relationship. If no Keepalive (or Update) is received within the negotiated hold time, BGP brings down the neighbor connection.
  IP Header | TCP Header | Marker (all 1s, 16 bytes) | Length (2 bytes) | Type = 4
» A Keepalive is the 19-byte header alone; it carries no data.

BGP Keepalive Message (Sniffer Trace)
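The following decoder is an added example for this page (not INE's code) that walks the header and the four message bodies described above. The Open, Update, Notification and Keepalive bytes at the bottom are constructed by hand from the page's own values (AS 1, Router-ID 11.11.11.11, next hop 1.1.1.2), not captured from a router, and the code covers only the IPv4 unicast encoding of RFC 4271 with 2-byte AS numbers.

```python
"""Parse BGP message headers and the four message bodies (RFC 4271)."""
import struct
from ipaddress import IPv4Address

MARKER = b"\xff" * 16                       # 16 bytes of all ones
TYPE_NAMES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}


def parse_header(msg):
    """Validate marker, length and type; return (length, type).
    These are the checks whose failure is a Message Header Error (code 1)."""
    if len(msg) < 19:
        raise ValueError("truncated header")
    marker, length, mtype = struct.unpack("!16sHB", msg[:19])
    if marker != MARKER:
        raise ValueError("connection not synchronised (bad marker)")   # subcode 1
    if not 19 <= length <= 4096 or length != len(msg):
        raise ValueError("bad message length %d" % length)             # subcode 2
    if mtype not in TYPE_NAMES:
        raise ValueError("bad message type %d" % mtype)                # subcode 3
    return length, mtype


def is_well_formed(msg):
    try:
        parse_header(msg)
        return True
    except ValueError:
        return False


def parse_open(body):
    version, my_as, hold, rid, optlen = struct.unpack("!BHHIB", body[:10])
    return {"version": version, "my_as": my_as, "hold_time": hold,
            "router_id": str(IPv4Address(rid)),
            "opt_params": body[10:10 + optlen]}     # capabilities live here


def parse_prefixes(data):
    """Decode the <length, prefix> list used for withdrawn routes and NLRI."""
    out, i = [], 0
    while i < len(data):
        plen = data[i]
        nbytes = (plen + 7) // 8                    # only significant octets are sent
        octets = data[i + 1:i + 1 + nbytes].ljust(4, b"\x00")
        out.append("%s/%d" % (IPv4Address(octets), plen))
        i += 1 + nbytes
    return out


def parse_path_attributes(data):
    """Return {type_code: raw_value}; flag bit 0x10 selects a 2-byte length."""
    attrs, i = {}, 0
    while i < len(data):
        flags, code = data[i], data[i + 1]
        if flags & 0x10:
            alen, i = struct.unpack("!H", data[i + 2:i + 4])[0], i + 4
        else:
            alen, i = data[i + 2], i + 3
        attrs[code] = data[i:i + alen]
        i += alen
    return attrs


def decode_as_path(raw):
    """AS_PATH (type 2) with 2-byte ASNs -> [(segment_type, [asn, ...])].
    The leftmost ASN is the one added last, exactly as 'show ip bgp' prints it."""
    segs, i = [], 0
    while i < len(raw):
        seg_type, seg_len = raw[i], raw[i + 1]
        asns = list(struct.unpack("!%dH" % seg_len, raw[i + 2:i + 2 + 2 * seg_len]))
        segs.append((seg_type, asns))
        i += 2 + 2 * seg_len
    return segs


def parse_update(body):
    wlen = struct.unpack("!H", body[:2])[0]
    withdrawn = parse_prefixes(body[2:2 + wlen])
    p = 2 + wlen
    palen = struct.unpack("!H", body[p:p + 2])[0]
    attrs = parse_path_attributes(body[p + 2:p + 2 + palen])
    nlri = parse_prefixes(body[p + 2 + palen:])     # all NLRI share these attributes
    return {"withdrawn": withdrawn, "attrs": attrs, "nlri": nlri}


def parse_message(msg):
    length, mtype = parse_header(msg)
    body = msg[19:length]
    if mtype == 1:
        return "OPEN", parse_open(body)
    if mtype == 2:
        return "UPDATE", parse_update(body)
    if mtype == 3:
        return "NOTIFICATION", {"code": body[0], "subcode": body[1], "data": body[2:]}
    return "KEEPALIVE", {}


def build(mtype, body=b""):
    """Prepend the 19-byte header; used here only to construct the samples."""
    return MARKER + struct.pack("!HB", 19 + len(body), mtype) + body


# Constructed samples (not a capture): Router-1 (AS 1, RID 11.11.11.11) opens to
# an AS 2 peer, then announces 3.3.3.0/24 with next hop 1.1.1.2 and AS_PATH "2".
OPEN_MSG = build(1, struct.pack("!BHHIB", 4, 1, 180, int(IPv4Address("11.11.11.11")), 0))
ATTRS = (bytes([0x40, 1, 1, 0])                                   # ORIGIN = IGP
         + bytes([0x40, 2, 4, 2, 1]) + struct.pack("!H", 2)        # AS_PATH: AS_SEQUENCE [2]
         + bytes([0x40, 3, 4]) + IPv4Address("1.1.1.2").packed)    # NEXT_HOP
UPDATE_MSG = build(2, struct.pack("!HH", 0, len(ATTRS)) + ATTRS + bytes([24, 3, 3, 3]))
NOTIFY_MSG = build(3, bytes([6, 0]))                              # Cease
KEEPALIVE_MSG = build(4)

if __name__ == "__main__":
    for m in (OPEN_MSG, UPDATE_MSG, NOTIFY_MSG, KEEPALIVE_MSG):
        print(parse_message(m))
```

A real reader would first split the TCP byte stream on the Length field and then hand each message to parse_message; the header checks are deliberately done before any body is touched, because a bad length is the usual way a malformed Update crashes a naive parser.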

Examining the BGP Table
» To verify the BGP table, use the command show ip bgp.
» The output lists all the BGP-learned routes, locally injected plus learned from neighbors.
» Each prefix carries multiple attributes that can be examined and are used for best-path selection.
» Each prefix can have multiple paths with different next hops.

Examining the BGP Table

Examining the BGP Table
» Prefixes marked with * are valid and are considered by the best-path algorithm.
» The best path is marked with >.
» The Path column shows the AS_PATH attribute.
» The BGP show commands list the AS_PATH with the first-added ASN (the originating AS) on the right and the last-added ASN (the AS you received it from) on the left.

Verification Commands for ebgp Learned Routes
» show ip bgp prefix [subnet-mask]
» show ip bgp neighbors ip-address received-routes
» show ip bgp neighbors ip-address routes
» show ip bgp neighbors ip-address advertised-routes
» show ip bgp summary

BGP Neighbor States

BGP Neighbor States
» BGP goes through the following neighborship states:
» Idle: The BGP process is either administratively down or awaiting the next retry attempt (ConnectRetry timer).
» Connect: The BGP process has started the TCP connection (or detected an incoming TCP connection request) and is waiting for the TCP handshake to complete. This state is normally left so quickly that it is rarely seen.

BGP Neighbor States
» Active: BGP has initiated an outbound TCP connection request and is waiting for the 3-way handshake to complete. BGP can enter this state either because:
  This router was the first router to initiate a connection (Idle to Active).
  This router received an initial inbound connection request that failed to complete the TCP handshake (Idle, Connect, Active).
  A neighbor that keeps cycling between Active and Idle in show ip bgp summary has a TCP-level problem: no route to the peer, no matching neighbor statement on the peer (it answers with a RST), or port 179 filtered along the path.
» OpenSent: The TCP connection exists, and a BGP Open message has been sent to the peer, but the matching Open message has not yet been received from the other router.

BGP Neighbor States
» OpenConfirm: An Open message has been both sent to and received from the other router.
» Established: All neighbor parameters match, the neighbor relationship works, and the peers can now exchange Update messages.

State Transitions: TCP Handshake Failure (Possibility #1)
Idle --(start event)--> Connect: initiate TCP (SYN transmitted) and start the ConnectRetry timer.
No SYN+ACK comes back (TCP timeout) and the ConnectRetry timer EXPIRES before the handshake completes: the session moves to Active, where TCP is initiated again.

State Transitions: TCP Resets (Possibility #2)
Idle --(start event)--> BGP invokes/starts TCP --> Active: initiate TCP (SYN sent).
A TCP Reset is received (the peer does not recognise us): the ConnectRetry timer is stopped and the session waits in Active for the next retry.

Moving to OpenSent (Possibility #3)
Idle --(start event)--> Active: initiate TCP (SYN sent).
SYN+ACK received, ACK sent, ConnectRetry timer stopped: the TCP connection is up.
Send BGP Open --> OpenSent.

Moving from OpenSent (1)
OpenSent: Open received, but with a bad BGP header or bad Open parameters --> send BGP Notification --> Idle --> Active: initiate TCP again.

Moving from OpenSent (2)
OpenSent: Open received and everything looks good! --> BGP Keepalive sent --> OpenConfirm.
OpenConfirm: BGP Keepalive received --> Established: "I'm ready to send my BGP Update(s) now!!"

BGP Peering Collisions

Peering and Router-IDs
» When two routers are initially configured to peer with each other, they don't know each other's BGP Router-IDs.
» Router-IDs decide which of two simultaneous connections survives: the connection initiated by the router with the higher Router-ID is kept. So, normally, the router with the highest Router-ID initiates the TCP handshake with the router that has the lowest Router-ID.
» That can't be arranged while the Router-IDs are unknown; they are only learned from the peer's Open message.

BGP Collisions?
» If BGP Router-IDs are unknown, a peering collision may occur: both routers initiate a TCP connection to each other at the same time.
Router-1 (AS 1): Loop0 11.11.11.11/32, Fast0/0 1.2.1.1, Fast0/1 1.1.1.1
  router bgp 1
   neighbor 12.12.12.12 remote-as 2
   neighbor 12.12.12.12 update-source Loop0
   neighbor 12.12.12.12 ebgp-multihop
   bgp router-id 11.11.11.11
  !
  ip route 12.12.12.12 255.255.255.255 1.1.1.2
  ip route 12.12.12.12 255.255.255.255 1.2.1.2
Router-2 (AS 2): Loop0 12.12.12.12/32, Fast0/0 1.2.1.2, Fast0/1 1.1.1.2
  router bgp 2
   neighbor 11.11.11.11 remote-as 1
   neighbor 11.11.11.11 update-source Loop0
   neighbor 11.11.11.11 ebgp-multihop
   bgp router-id 12.12.12.12
  !
  ip route 11.11.11.11 255.255.255.255 1.1.1.1
  ip route 11.11.11.11 255.255.255.255 1.2.1.1
Both routers complete a TCP handshake (SYN, SYN+ACK, ACK on port 179) toward the other and send a BGP Open (RID=11.11.11.11 from Router-1, RID=12.12.12.12 from Router-2). Each then sees a second Open: "Hey, I've already got a session with you!" One of the two connections is torn down with a BGP Notification (Cease!!).

How do we prevent collisions?
» A router can be configured to only accept inbound connections and never ACTIVELY initiate outbound connections:
  router bgp 1
   neighbor 12.12.12.12 remote-as 2
   neighbor 12.12.12.12 update-source Loop0
   neighbor 12.12.12.12 ebgp-multihop
   neighbor 12.12.12.12 transport connection-mode passive
   bgp router-id 11.11.11.11
  !
  ip route 12.12.12.12 255.255.255.255 1.1.1.2
  ip route 12.12.12.12 255.255.255.255 1.2.1.2
Router-2 (AS 2) keeps its previous configuration (neighbor 11.11.11.11 remote-as 1, update-source Loop0, ebgp-multihop, bgp router-id 12.12.12.12, static routes to 11.11.11.11 via 1.1.1.1 and 1.2.1.1). Now only Router-2 sends the TCP SYN (179); after SYN+ACK and ACK it sends its BGP Open (RID=12.12.12.12), and a single session forms.

Who initiated the connection?
In the output of show ip bgp neighbors, look at the "Local host/Local port" and "Foreign host/Foreign port" lines. If the local port is NOT 179, your local router INITIATED the TCP connection (it connected from an ephemeral port to the peer's port 179); if the local port is 179, the peer initiated it.

Defeating BGP DoS Attacks with TTL Security

BGP DoS Example
ebgp's reliance on TTL=1 leaves it open to attack.
Router-1 (AS 1, Fast0/0 1.2.1.1): router bgp 1 / neighbor 1.2.1.2 remote-as 2 / bgp router-id 11.11.11.11
Router-2 (AS 2, Fast0/0 1.2.1.2): router bgp 2 / neighbor 1.2.1.1 remote-as 1 / bgp router-id 12.12.12.12
The legitimate peering exchanges packets with IP TTL=1, source=1.2.1.2, dest=1.2.1.1.
The "Evil Person", several routers away, sends a spoofed BGP Notification (CEASE!!, RID=12.12.12.12) with source=1.2.1.2, dest=1.2.1.1 and IP TTL=4. Each router on the way says "Destination 1.2.1.1? I can forward that!" and decrements the TTL, so the packet arrives at Router-1 with TTL=1, the same as a genuine packet from the directly connected peer. Router-1: "Guess I need to kill my BGP peering with 12.12.12.12!"
A spoofed segment also has to land inside the TCP session's sequence window (or be a well-placed RST), which is why MD5 authentication is still required; TTL security adds a check that an attacker more than the configured number of hops away cannot satisfy at all.

TTL and ebgp Sessions
» ebgp sessions assume the neighbor is directly connected.
» The TTL in ebgp packets is set to 1 if a connected route to the peer is found.
» If the neighbor is NOT directly connected, additional configuration is needed before BGP will start the peering process, and it affects the outbound TTL:
  ebgp-multihop (sets the TTL in outbound BGP packets to 255, or to the hop count given with the command)
  disable-connected-check (leaves the TTL in outbound BGP packets at 1)
  ttl-security (to be discussed next)

TTL-Security
» By default, any TTL value (> 0) in received BGP packets is accepted from ebgp peers.
» TTL-Security is a mechanism to enforce TTL values to prevent DoS:
  (config-router)#neighbor x.x.x.x ttl-security hops <1-254>
» How is hops used? 255 - <hops> = X. All incoming BGP packets from that peer must arrive with TTL >= X; anything lower is silently discarded. Outbound packets to the peer are sent with TTL 255.
» ttl-security and ebgp-multihop cannot both be configured on the same neighbor; the hops value itself permits the multihop peering.

TTL-Security with Direct-Connection Peering
Router-1 (AS 1, customer, Fast0/0 1.2.1.1): neighbor 1.2.1.2 ttl-security hops 1
Router-2 (AS 2, ISP, Fast0/0 1.2.1.2): neighbor 1.2.1.1 ttl-security hops 1
1 R1 and R2 send their BGP packets with TTL=255.
2 BGP packets received with TTL >= 254 are processed.
3 BGP packets received with TTL < 254 are silently discarded. The attacker's packets lose one TTL per router on the way (255, 254, 253, 252, ...), so from more than one router away they can never reach 254.

TTL-Security with Multihop Peering
Router-1 (AS 1, customer, 1.2.1.1) and Router-2 (AS 2, ISP, 2.2.2.2) with routers a and b in between:
  neighbor 2.2.2.2 ttl-security hops 2
  neighbor 1.2.1.1 ttl-security hops 2
1 R1 and R2 send their BGP packets with TTL=255.
2 BGP packets received with TTL >= 253 are processed.
3 BGP packets received with TTL < 253 are silently discarded. The attacker's packets arrive with TTL 250 after crossing the intermediate routers (255, 254, 253, 250), so they are dropped.

TTL-Security with Loopback Peering (Method #1)
Router-1 (AS 1, customer): Loop0 11.11.11.11/32, link address 1.2.1.1
  neighbor 22.22.22.22 update-source loop0
  neighbor 22.22.22.22 ttl-security hops 2
Router-2 (AS 2, ISP): Loop0 22.22.22.22/32, link address 1.2.1.2
  neighbor 11.11.11.11 update-source loop0
  neighbor 11.11.11.11 ttl-security hops 2
1 R1 and R2 send their BGP packets with TTL=255.
2 BGP packets received with TTL >= 253 are processed.
3 BGP packets received with TTL < 253 are silently discarded.

TTL-Security with Loopback Peering (Method #2)
Router-1 (AS 1, customer): Loop0 11.11.11.11/32, link address 1.2.1.1
  neighbor 22.22.22.22 update-source loop0
  neighbor 22.22.22.22 ttl-security hops 1
  neighbor 22.22.22.22 disable-connected-check
Router-2 (AS 2, ISP): Loop0 22.22.22.22/32, link address 1.2.1.2
  neighbor 11.11.11.11 update-source loop0
  neighbor 11.11.11.11 ttl-security hops 1
  neighbor 11.11.11.11 disable-connected-check
1 R1 and R2 send their BGP packets with TTL=255.
2 BGP packets received with TTL >= 254 are processed.
3 BGP packets received with TTL < 254 are silently discarded.
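The following is an added example for this page (not INE's code) that models, in one place, the decisions discussed above: the Router-ID election, the peering sanity checks (expected source, expected AS, matching password), the TTL floor that neighbor ttl-security hops N enforces, and the collision rule that keeps the connection initiated by the higher Router-ID. The neighbor tables, packet TTLs and attacker positions are constructed here to mirror the page's diagrams; no real router state is read.

```python
"""Inbound BGP packet acceptance: peer checks, TTL security, collision rule."""
from dataclasses import dataclass
from ipaddress import IPv4Address


def elect_router_id(configured=None, loopbacks=(), others=()):
    """bgp router-id wins; else the highest up/up loopback address; else the
    highest other up/up interface address. Numeric comparison, not string."""
    if configured:
        return configured
    for pool in (loopbacks, others):
        if pool:
            return str(max(IPv4Address(a) for a in pool))
    raise ValueError("no usable IPv4 address for the Router-ID")


@dataclass
class Neighbor:
    address: str                 # neighbor <address> remote-as ...
    remote_as: int
    password: str = ""           # neighbor <address> password <key>
    ttl_security_hops: int = 0   # neighbor <address> ttl-security hops <N>; 0 = off


def min_accepted_ttl(hops):
    """ttl-security hops N: packets must arrive with TTL >= 255 - N."""
    if not 1 <= hops <= 254:
        raise ValueError("hops must be 1-254")
    return 255 - hops


def arriving_ttl(sent_ttl, routers_in_path):
    """TTL the receiver sees: every forwarding router decrements by one; the
    receiver does not decrement a packet addressed to itself."""
    return sent_ttl - routers_in_path


def accept_packet(neighbors, src_ip, ttl, remote_as=None, password=""):
    """Return (accepted, reason) for one inbound BGP packet.
    remote_as is given only when the packet is an OPEN."""
    nb = neighbors.get(src_ip)
    if nb is None:
        return False, "source %s is not a configured peer: TCP RST" % src_ip
    if ttl < 1:
        return False, "TTL expired in transit"
    if nb.ttl_security_hops:
        floor = min_accepted_ttl(nb.ttl_security_hops)
        if ttl < floor:
            return False, "TTL %d below floor %d: silently discarded" % (ttl, floor)
    # Without ttl-security any TTL above zero is accepted, forged or not.
    if password != nb.password:
        return False, "MD5 password mismatch"
    if remote_as is not None and remote_as != nb.remote_as:
        return False, "OPEN says AS %d, expected %d: NOTIFICATION (bad peer AS)" % (
            remote_as, nb.remote_as)
    return True, "accepted"


def collision_winner(local_id, remote_id):
    """Two connections to the same peer: keep the one initiated by the higher
    Router-ID and send Cease on the other (RFC 4271 section 6.8)."""
    return "local" if IPv4Address(local_id) > IPv4Address(remote_id) else "remote"


# Constructed scenario from the DoS slide: Router-1 (AS 1) peers with 1.2.1.2
# (AS 2) over a direct link. The attacker sits three routers away and spoofs
# 1.2.1.2 with TTL=4, which reaches Router-1 with TTL=1.
DIRECT_NO_TTLSEC = {"1.2.1.2": Neighbor("1.2.1.2", 2)}
DIRECT_TTLSEC = {"1.2.1.2": Neighbor("1.2.1.2", 2, ttl_security_hops=1)}
MULTIHOP_TTLSEC = {"2.2.2.2": Neighbor("2.2.2.2", 2, ttl_security_hops=2)}
ATTACKER_TTL_AT_ROUTER1 = arriving_ttl(4, 3)


def demo():
    """(legit accepted?, forged accepted without ttl-security?, forged accepted with it?)"""
    legit = accept_packet(DIRECT_TTLSEC, "1.2.1.2", arriving_ttl(255, 0))
    forged_open = accept_packet(DIRECT_NO_TTLSEC, "1.2.1.2", ATTACKER_TTL_AT_ROUTER1)
    forged_closed = accept_packet(DIRECT_TTLSEC, "1.2.1.2", ATTACKER_TTL_AT_ROUTER1)
    return legit[0], forged_open[0], forged_closed[0]


if __name__ == "__main__":
    print(elect_router_id(loopbacks=["9.9.9.9", "11.11.11.11"]))
    print(demo())
```

The two scenarios worth comparing are demo()'s second and third results: the same forged Cease with TTL 1 is accepted by the default configuration and dropped by ttl-security hops 1, before any TCP or MD5 processing happens. The Router-ID helper uses IPv4Address so that 11.11.11.11 beats 9.9.9.9; a string comparison would pick the wrong one.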

BGP Neighbor Failure Detection

Neighbor Failures - Direct Connections
» BGP neighbors may be directly or indirectly connected.
» A failure of the directly connected interface tears the BGP peer down immediately: the connected route to the peer's address disappears with the interface.
Router-1 (AS 1, Fast0/0 1.1.1.1): router bgp 1 / neighbor 1.1.1.2 remote-as 2
Router-2 (AS 2, Fast0/0 1.1.1.2): router bgp 2 / neighbor 1.1.1.1 remote-as 1

Neighbor Failures - Indirect Connections
» Indirect neighbor failures rely on the BGP hold timer expiring (default 180 seconds, with keepalives every 60 seconds).

Adjusting BGP Timers
» BGP keepalives can be reduced to a minimum of 1 second with a minimum hold time of 3 seconds (timers bgp keepalive holdtime, under router bgp). The price is process-level keepalive traffic and CPU on every peer.

Other ways of failure detection
» Several other options exist for neighbor failure detection which don't add the CPU load of aggressive keepalives:
  Neighbor Fall-Over
  Neighbor Fall-Over Route-Map
  Neighbor Fall-Over BFD
» All of the above are called BGP Fast Peering Session Deactivation.

Neighbor Fall-Over
» The neighbor x.x.x.x fall-over command has several options. In its basic form it:
  Tracks the IGP route to the BGP peer (ibgp or ebgp).
  When the route is lost, the peer is immediately taken down.
  Does NOT work if the router ALSO has a default route (or any less specific route covering the peer's address), because the peer still appears reachable.

Neighbor Fall-Over
Router-1 (AS 1): Loopback0 11.11.11.11, Fast0/0 1.1.1.1; Router-2 (AS 1): Loopback0 22.22.22.2, Fast0/0 1.1.1.2; loopbacks exchanged via EIGRP.
  router bgp 1
   neighbor 22.22.22.2 remote-as 1
   neighbor 22.22.22.2 fall-over
  router bgp 1
   neighbor 11.11.11.11 remote-as 1
   neighbor 11.11.11.11 fall-over
Without neighbor fall-over, the hold timer must expire before the session is torn down.

Neighbor Fall-Over - The Problem
Router-1 (ISP-A, Loop0 199.10.1.1/32), Router-2 (ISP-B, BGP AS 1, 1.1.1.2 / 7.7.7.2) and Router-3 (ISP-C, Loop0 199.11.1.3/32) have ibgp peerings between all three. Router-1 and Router-3 also run EIGRP AS 100 with corporate intranet routers X and Y: Router-1 learns 199.11.0.0/16 via Rtr-X, Router-3 learns 199.10.0.0/16 via Rtr-Y.
Router-1:
  router bgp 1
   neighbor 1.1.1.2 remote-as 1
   neighbor 199.11.1.3 remote-as 1
   neighbor 199.11.1.3 fall-over
Router-3:
  router bgp 1
   neighbor 7.7.7.2 remote-as 1
   neighbor 199.10.1.1 remote-as 1
   neighbor 199.10.1.1 fall-over
If the /32 route to the peer's loopback disappears, fall-over does not fire: the peer address is still covered by the less specific 199.11.0.0/16 (or 199.10.0.0/16) from the intranet, so the session stays up until the hold timer expires.

BGP Fast Peering Session Deactivation with Next-Hop Address Tracking
» A route-map can be attached to the neighbor x.x.x.x fall-over command. It then:
  Tracks only the IGP route(s) to the BGP peer (ibgp or ebgp) that the route-map permits, typically the peer's exact /32.
  When that route is lost, the peer is immediately taken down.
  Doesn't care whether a default route (or aggregate) covering the peer exists or not.

Neighbor Fall-Over - The Solution!
Same topology: Router-1 (ISP-A, Loop0 199.10.1.1/32), Router-2 (ISP-B, 1.1.1.2 / 7.7.7.2), Router-3 (ISP-C, Loop0 199.11.1.3/32), ibgp peerings between all three, EIGRP AS 100 toward corporate intranet routers X and Y (199.11.0.0/16 via Rtr-X, 199.10.0.0/16 via Rtr-Y).
Router-1:
  router bgp 1
   neighbor 1.1.1.2 remote-as 1
   neighbor 199.11.1.3 remote-as 1
   neighbor 199.11.1.3 fall-over route-map FALLOVER
  !
  access-list 1 permit 199.11.1.3 0.0.0.0
  !
  route-map FALLOVER permit 10
   match ip address 1
Router-3:
  router bgp 1
   neighbor 7.7.7.2 remote-as 1
   neighbor 199.10.1.1 remote-as 1
   neighbor 199.10.1.1 fall-over route-map FALLOVER
  !
  access-list 1 permit 199.10.1.1 0.0.0.0
  !
  route-map FALLOVER permit 10
   match ip address 1
Only the host route to the peer's loopback matches the route-map; the covering /16 does not, so losing the /32 tears the session down at once.

Indirect Link Failure
Router-1 (AS 1, Fast0/1 1.1.1.1, also peering with Router-A in AS 3) and Router-2 (AS 2, Fast0/1 1.1.1.2, also peering with Router-B in AS 4) are connected through a switch (ports 0/2 and 0/4). Router-1 advertises 7.7.7.0/24.
  router bgp 1
   neighbor 1.1.1.2 remote-as 2
   neighbor a.a.a.a remote-as 3
   network 7.7.7.0 mask 255.255.255.0
  router bgp 2
   neighbor 1.1.1.1 remote-as 1
   neighbor b.b.b.b remote-as 4
The previous two solutions will not work here. If the link between Router-1 and switch port 0/2 fails, Router-2's own interface stays up and its connected route to 1.1.1.0/24 remains, so Router-2 continues to use the path via Router-1 until the hold timer expires.

BFD: yes, it is a Big, Fantastic Deal!!
» BFD = Bidirectional Forwarding Detection
» Runs over UDP and is handled in the forwarding path (CEF)
» A BFD session is set up between BFD peers.
» Sub-second failover using BFD control/echo packets over UDP
» Originally designed for directly connected peers.
» Not just for BGP: IGPs and static routes can register as BFD clients too.

BFD Echo and Control Packets
» BFD can utilize two types of packets: echo and control.
» Control packets are mandatory and are processed by the CPU.
» Echo packets are optional (on by default). Echo packets are not processed by the CPU of the peer; they simply test the forwarding path of the peer. Echo packets carry the sender's own address as both source and destination, so the peer just forwards them back.

BFD Basic Configuration
» Initial BFD timers are configured on the physical interface.
» Echo mode is on by default.
  Router(config-if)#bfd interval 100 min_rx 200 multiplier 3
  "I would like to transmit BFD echo packets every 100 msecs!"
  "The fastest I can process incoming BFD echo packets is every 200 msecs, so please don't send them any faster!"
  "If YOUR min_rx is GREATER than my interval, I'll respect your value and slow my transmissions down to that rate; the slower of the two always wins."
  "And I'll declare you dead after 3x the rate you actually send at!"
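The following is an added example for this page (not INE's code) that works out which timers two routers actually agree on from their bfd interval / min_rx / multiplier settings, and how long each side takes to declare the other dead, using the RFC 5880 rules: a router transmits at the slower of its own interval and the peer's min_rx, and the detection time is the peer's multiplier times the interval at which the peer really transmits. The symmetric case uses the page's 100/100/3 values; the asymmetric pair is constructed here.

```python
"""Negotiate BFD timers and detection times (RFC 5880 section 6.8)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BfdTimers:
    interval: int     # desired minimum transmit interval, ms
    min_rx: int       # required minimum receive interval, ms
    multiplier: int   # detect multiplier


def tx_interval(sender, receiver):
    """A router never sends faster than its own interval, nor faster than
    the peer is willing to receive, so the slower of the two wins."""
    return max(sender.interval, receiver.min_rx)


def detection_time(local, remote):
    """How long `local` waits before declaring `remote` down: the remote's
    multiplier times the interval at which the remote really transmits."""
    return remote.multiplier * tx_interval(remote, local)


def negotiate(r1, r2):
    """Both directions of one BFD session, in milliseconds."""
    return {
        "r1_tx_ms": tx_interval(r1, r2),
        "r2_tx_ms": tx_interval(r2, r1),
        "r1_declares_r2_down_after_ms": detection_time(r1, r2),
        "r2_declares_r1_down_after_ms": detection_time(r2, r1),
    }


# The page's configuration on both routers: bfd interval 100 min_rx 100 multiplier 3
PAGE_CONFIG = BfdTimers(interval=100, min_rx=100, multiplier=3)
# Constructed: a peer that cannot process packets faster than every 200 ms
SLOW_RECEIVER = BfdTimers(interval=100, min_rx=200, multiplier=3)

if __name__ == "__main__":
    print(negotiate(PAGE_CONFIG, PAGE_CONFIG))
    print(negotiate(PAGE_CONFIG, SLOW_RECEIVER))
```

With the page's symmetric settings both routers send every 100 ms and declare the other dead after 300 ms. Against the slow receiver, R1 is forced down to 200 ms, so R2 needs 600 ms to detect an R1 failure while R1 still detects an R2 failure in 300 ms; the asymmetry is a common surprise when one side is a software router with a conservative min_rx.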

Indirect Link Failure with BFD
Same topology: Router-1 (AS 1, Fast0/1 1.1.1.1, peering with Router-A in AS 3) and Router-2 (AS 2, Fast0/1 1.1.1.2, peering with Router-B in AS 4) connected through a switch (ports 0/2 and 0/4); Router-1 advertises 7.7.7.0/24.
Router-1:
  interface FastEthernet0/1
   ip address 1.1.1.1 255.255.255.252
   bfd interval 100 min_rx 100 multiplier 3
  !
  router bgp 1
   neighbor 1.1.1.2 remote-as 2
   neighbor 1.1.1.2 fall-over bfd
   neighbor a.a.a.a remote-as 3
   network 7.7.7.0 mask 255.255.255.0
Router-2:
  interface FastEthernet0/1
   ip address 1.1.1.2 255.255.255.252
   bfd interval 100 min_rx 100 multiplier 3
  !
  router bgp 2
   neighbor 1.1.1.1 remote-as 1
   neighbor 1.1.1.1 fall-over bfd
   neighbor b.b.b.b remote-as 4

Indirect Link Failure with BFD (1)
Router-1 (AS 1): Loop0 11.11.11.11/32, Fast0/1 1.1.1.1, link 1.3.1.1 to Router-A (1.3.1.3, AS 3); advertises 7.7.7.0/24.
Router-2 (AS 2): Loop0 22.22.22.22/32, Fast0/1 1.1.1.2, link 2.4.2.2 to Router-B (2.4.2.4, AS 4).
Router-1:
  router bgp 1
   neighbor 22.22.22.22 remote-as 2
   neighbor 22.22.22.22 ebgp-multihop
   neighbor 22.22.22.22 update-source loopback0
   neighbor 1.3.1.3 remote-as 3
   network 7.7.7.0 mask 255.255.255.0
  !
  ip route 22.22.22.22 255.255.255.255 1.1.1.2
Router-2:
  router bgp 2
   neighbor 11.11.11.11 remote-as 1
   neighbor 11.11.11.11 ebgp-multihop
   neighbor 11.11.11.11 update-source loopback0
   neighbor 2.4.2.4 remote-as 4
  !
  ip route 11.11.11.11 255.255.255.255 1.1.1.1
Multihop peers can be reachable via several physical links. On which link should BFD be configured?

Indirect Link Failure with BFD (2)
Same topology as (1). Multihop BFD is not tied to an interface: a BFD template supplies the timers and a bfd map binds the peer's loopback to it.
Router-1:
  bfd-template multi-hop BGP
   interval min-tx 200 min-rx 200 multiplier 3
  !
  bfd map ipv4 22.22.22.22/32 0.0.0.0/0 BGP
  !
  router bgp 1
   neighbor 22.22.22.22 remote-as 2
   neighbor 22.22.22.22 ebgp-multihop
   neighbor 22.22.22.22 update-source loopback0
   neighbor 22.22.22.22 fall-over bfd multihop
   neighbor 1.3.1.3 remote-as 3
   network 7.7.7.0 mask 255.255.255.0
  !
  ip route 22.22.22.22 255.255.255.255 1.1.1.2
Router-2:
  bfd-template multi-hop BGP
   interval min-tx 200 min-rx 200 multiplier 3
  !
  bfd map ipv4 11.11.11.11/32 0.0.0.0/0 BGP
  !
  router bgp 2
   neighbor 11.11.11.11 remote-as 1
   neighbor 11.11.11.11 ebgp-multihop
   neighbor 11.11.11.11 update-source loopback0
   neighbor 11.11.11.11 fall-over bfd multihop
   neighbor 2.4.2.4 remote-as 4
  !
  ip route 11.11.11.11 255.255.255.255 1.1.1.1

Quiz!!!
Given the configurations shown above, answer these questions:
1. How often will Router-1 receive BFD echo packets from Router-2?
2. How long will it take for Router-2 to tear down the BGP peering session with Router-1 when port 0/2 on the switch goes down?

Answer
1. How often will Router-1 receive BFD echo packets from Router-2? Every 300 msecs.
2. How long will it take for Router-2 to tear down the BGP peering session with Router-1 when port 0/2 on the switch goes down? After roughly 900 msecs.

Quiz!!!
Router-1 (ISP-A, Loop0 11.11.11.11/32, Fast0/0), Router-2 (Fast0/0) and Router-3 (ISP-C, Loop0 33.33.33.33/32) have ibgp peerings between all three. Router-1 runs EIGRP AS 100 with corporate intranet routers X and Y and learns a default route, 0.0.0.0/0 via Rtr-X (EIGRP).
Which of the features we've learned about in this series would quickly tear down the ibgp peering between Router-1 and Router-3 if FastEthernet0/0 on Router-1 went down, WITHOUT consuming any additional bandwidth on any of the links shown here?

Answer
BGP Fast Peering Session Deactivation with Next-Hop Address Tracking (neighbor fall-over with a route-map matching the peer's /32). Plain fall-over would not fire because the default route from Rtr-X keeps the peer's loopback "reachable", and BFD or shorter timers would add traffic on the links.

Q&A