BGP

Description

Notes on BGP, created by inga pinga on 26-03-2016.

Resource Summary

Page 1

BGP intro
- BGP uses TCP port 179
- 3-way handshake between neighbors
- Public AS: 1 - 64495
- Private AS: 65512 - 65534

eBGP requirements:
1) the ASN must be correct
2) the peer must be reachable by the IGP; a default route won't work
3) the BGP router IDs can't be the same
4) MD5 authentication must pass; the password is carried in the TCP option field
5) TCP connection
6) TTL = 1

eBGP update-source and ebgp-multihop:
- when we configure our neighbor as 1.1.1.2, the router checks the routing table for that destination and takes the source IP from the outgoing interface

iBGP:
1) TTL = 255
- if iBGP is not a full mesh, a router in the path that is not running iBGP can blackhole the traffic, because it doesn't know how to reach the destination

BGP state machine
All BGP messages are carried inside IP/TCP headers.
Stage 1: establish the BGP neighborship
1) Idle: admin down, or no route in the routing table for the BGP peer
2) Connect: the BGP process has detected a TCP connection request and is waiting for TCP to complete
3) Active: the BGP process has initiated an outbound TCP connection request and is waiting for the 3-way handshake to complete. Typical issues: the peer doesn't have BGP configured, or a firewall is blocking 179
4) OpenSent: TCP is done. OPEN sent to the neighbor, waiting for the neighbor's OPEN. Carries details like the BGP remote AS and the BGP capabilities
- BGP capabilities:
  1) route refresh
  2) VPNv4 support
  3) IPv4 and IPv6 support
  4) Outbound Route Filtering capability
  Full list: http://www.iana.org/assignments/capability-codes/capability-codes.xhtml
5) OpenConfirm: OPEN sent and received, keepalives exchanged
6) Established: the BGP session is up
7) now start exchanging UPDATEs
8) now check for the best routes

BGP message types (all messages are sent over TCP/IP):
1. open: type 1
2. update: type 2
3. keepalive: type 4
4. notification: type 3 - tears down the neighborship, stating the reason

BGP AS path
1) AS sequence
2) AS set: 4 5 {1 2 3} - created during summarization

Injecting routes into BGP
1) network command:
- checks the routing table for a non-BGP route
- copies the route into the BGP table
- advertises it to neighbors
    network <subnet> mask <subnet-mask>
  if no mask is given, the classful network mask is used
2) redistribute command:
- no need to give a seed metric
3) iBGP route update rules:
1) only advertise the best route in any BGP update
2) do not advertise iBGP-learned routes to iBGP peers - so we need a full-mesh BGP neighborship. This prevents iBGP loops
3) rule of synchronization: do not consider an iBGP-learned route as "best" unless the exact prefix was learned via an IGP and is currently in the routing table
- synchronization is off by default
- synchronization was designed for the case where a router (or routers) between 2 iBGP peers is not running iBGP
4) iBGP passes on the next hop of the eBGP neighbor unless the next-hop-self command is used
5) the next hop must be reachable, otherwise the route will not be added to the routing table. The IGP routing table must contain the next hop and it must be reachable

RIB failure
- RIB failure: unable to put the route in the routing table
Reasons:
1) the route has been learned from another routing source with a lower AD
2) memory failure, e.g. when a full routing table is learned
3) a configured size limit on the routing table
4) running a VRF with a configured routing table limit

    R1#show ip bgp 100.100.100.0
    BGP routing table entry for 100.100.100.0/28, version 56
    Paths: (1 available, no best path)
    Flag: 0x820
      Not advertised to any peer
      300
        1.1.1.33 (inaccessible) from 1.1.1.2 (1.1.1.2)
          Origin incomplete, metric 0, localpref 100, valid, internal

BGP peer groups
- all neighbors in a peer group need to share the same outbound policy
- neighbors in a peer group can have different inbound policies
- updates are generated once per peer group

    router bgp 300
     neighbor <GROUP> peer-group
     neighbor <GROUP> remote-as 300
     neighbor <GROUP> route-map <> out
     neighbor 2.2.2.2 peer-group <GROUP>
     neighbor 2.2.2.2 filter-list <> in

BGP filtering
- can be done at any router
- after a filter is applied, the BGP neighborship must be reset or cleared for the filter to take effect
- BGP filtering is done per neighbor
1) filter-list

    router bgp 123
     neighbor x.x.x.x filter-list 2 in|out
    !
    ip as-path access-list 2 <permit|deny> <regex>

- a filter-list uses an as-path access-list
- used to filter on AS path
2) route-map
3) prefix-list
4) distribute-list

BGP redistribution (study again)
Add "bgp redistribute-internal" to your BGP process. By default, iBGP-learned routes are not redistributed into an IGP.
The reason for this is simply that the number of routes a BGP router can receive could overload an IGP very easily, so you would definitely want to filter routes when doing this.

BGP best path algorithm
"We Love Oranges AS Oranges Mean Pure Refreshment"
W  Weight (highest)
L  LOCAL_PREF (highest)
O  Originate (locally originated, next hop 0.0.0.0)
AS AS_PATH (shortest)
O  ORIGIN code (IGP > EGP > Incomplete)
M  MED (lowest)
P  Paths (External > Internal, eBGP > iBGP)
R  RID (lowest)

Mandatory path attributes: next-hop, AS-path, origin code
Optional path attributes:
1) transitive optional path attribute: AS-path prepend
2) non-transitive optional path attribute: local preference

Steps:
1) Next hop: it must be reachable
2) Weight: bigger is better
- Cisco proprietary
- locally significant to a router
- influences outbound traffic and is applied inbound
- default is 0 for learned routes and 32768 for locally injected routes
- BGP only sends the best path to its neighbors
a) Per-prefix influence:

    R4#show ip bgp
    BGP table version is 10, local router ID is 1.1.1.4
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop      Metric LocPrf Weight Path
    *>i100.100.100.0/28 1.3.4.3       0      100    0      300 ?
    *                   1.3.4.1       0      100           300 ?

    R4(config)#ip prefix-list INE permit 100.100.100.0/28
    R4(config)#route-map INE permit 10
    R4(config-route-map)#match ip address prefix-list INE
    R4(config-route-map)#set weight 100
    R4(config-router)#neighbor 1.3.4.1 route-map INE in

    R4#show ip bgp
    BGP table version is 4, local router ID is 1.1.1.4
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop      Metric LocPrf Weight Path
    *> 100.100.100.0/28 1.3.4.1              100    100    300 ?
    * i                 1.3.4.3       0      100    0      300 ?

b) Per-neighbor influence
3) Local preference: bigger is better
- default is 100
- advertised to all iBGP peers
- not advertised to eBGP peers
- influences routing within a BGP AS
- applied inbound from an external neighbor
4) Locally originated routes: next hop 0.0.0.0
5) AS-path length
6) Origin: i > e > ?
- i: learned by an IGP routing protocol, or injected with the network command
- e: learned by an EGP routing protocol
- ?: injected with the redistribute command
7) MED: smaller is better
- like AS-path prepending, it influences inbound traffic
- non-transitive
- travels only 1 AS: it propagates to one neighboring AS
- default 0
- set in a route-map with "set metric"
- MED is only compared when the prefix is received from the same AS through multiple sources. If the prefix is received from multiple ASes, MED is not compared. This can be changed with the command "bgp always-compare-med"
8) Neighbor type: eBGP > iBGP
9) IGP metric to next hop: smaller is preferred
- Weight, local preference and AS path can be used to change outbound traffic
- AS path and MED can be used for inbound traffic
10) Router ID

BGP maximum-paths

BGP community:
- a standard community is a 4-byte number
- AA:NN (usually AA is the BGP AS number and NN is a locally significant value, e.g. 11179:143)
- well-known BGP communities:
  - no-export: don't advertise to BGP peers
  - no-advertise: do not advertise to any peer
  - local-AS: do not advertise to confederation eBGP peers

mBGP
- address families supporting IPv4 and IPv6
- BGP will hold both IPv4 and IPv6 details

Route reflectors
- iBGP-learned routes are not sent to iBGP peers - this is to avoid loops
- an RR can reflect received iBGP updates to other iBGP peers - one more hop
Terminology:
- RR: a router that can reflect iBGP routes to other iBGP peers
- client: RR client. The RR sends iBGP updates to its clients.
We need to configure which neighbors are RR clients in the RR's BGP config.
- cluster: one or more RRs and their clients form a single cluster
- non-client: any neighbor of the RR which is not configured as a client

Loop avoidance in RR:
- we can have a loop RR1 --> RR2 --> RR3 --> RR1
- RRs add the attributes below to routes while reflecting them to clients:
1) Originator-ID: created by the RR. Carries the RID of the originator of the route in the local AS. A route can be originated in 2 ways:
a) learned from an eBGP peer
b) the redistribute command
2) Cluster-ID list:
- the RR adds its cluster-ID. The cluster-ID is the same as the router-ID by default
- only RRs add a cluster-ID
- if an RR sees its own cluster-ID in the cluster list, it is a loop and the route is dropped
- change the BGP cluster-ID with: bgp cluster-id x.x.x.x
- a prefix learned from a non-client won't be advertised to non-client peers
- an RR can't change attributes like local preference, next hop, weight etc. It's just a reflector.
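The reflection rules and the cluster-list loop check above, worked through in Python as an added example (not code from the original notes). It assumes peers are identified by router ID, models only iBGP-learned routes, and uses hypothetical names such as `RouteReflector.reflect` and `trace_loop`.

```python
from dataclasses import dataclass, field

@dataclass
class Route:
    prefix: str
    from_peer: str                  # router ID of the peer we received it from
    originator_id: str = ""         # RID of the router that brought it into the AS
    cluster_list: list = field(default_factory=list)

@dataclass
class RouteReflector:
    router_id: str
    clients: set                    # neighbors configured as route-reflector clients
    non_clients: set                # ordinary iBGP neighbors
    cluster_id: str = ""            # "bgp cluster-id x.x.x.x"; defaults to the router ID

    def __post_init__(self):
        self.cluster_id = self.cluster_id or self.router_id

    def reflect(self, route):
        """Return {peer: Route to send} for an iBGP-learned route, or {} if it is
        dropped as a loop or the reflection rules give it nowhere to go."""
        if self.cluster_id in route.cluster_list:
            return {}                        # own cluster-id in the list: loop, drop
        if route.originator_id == self.router_id:
            return {}                        # our own route has come back to us
        if route.from_peer in self.clients:  # client route: all other clients + non-clients
            targets = (self.clients | self.non_clients) - {route.from_peer}
        else:                                # non-client route: to clients only
            targets = set(self.clients)
        reflected = Route(route.prefix, self.router_id,
                          route.originator_id or route.from_peer,   # set once, by the first RR
                          [self.cluster_id] + route.cluster_list)   # prepend our cluster-id
        return {peer: reflected for peer in targets}

# Constructed topology: client C peers with RR1; RR1 -> RR2 -> RR3 -> RR1 are chained so
# that a reflected route circles back, the loop case described in the notes.
C, RR1, RR2, RR3 = "192.0.2.1", "10.0.0.1", "10.0.0.2", "10.0.0.3"
rr1 = RouteReflector(RR1, clients={C, RR3}, non_clients={RR2})
rr2 = RouteReflector(RR2, clients={RR3}, non_clients={RR1})
rr3 = RouteReflector(RR3, clients={RR1}, non_clients={RR2})

def trace_loop(prefix="100.100.100.0/28"):
    """Follow the prefix around the ring; return the cluster list as it arrives back
    at RR1 and whether RR1 drops it."""
    hop1 = rr1.reflect(Route(prefix, C))[RR2]    # RR1 reflects the client route to RR2
    hop2 = rr2.reflect(hop1)[RR3]                # RR2 reflects it to its client RR3
    hop3 = rr3.reflect(hop2)[RR1]                # RR3 reflects it to its client RR1
    return hop3.cluster_list, rr1.reflect(hop3) == {}
```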

Page 2

BGP ADVANCED TOPICS

BGP collisions:
- if the router IDs are known to each other, the router with the highest router ID sends the SYN packet
- if the router IDs are unknown, a BGP collision can happen:
a) 2 BGP peers are connected over 2 parallel links
b) both BGP peers send a SYN packet at the same time
c) both complete SYN, SYN-ACK, ACK
d) now there are 2 TCP sessions
e) now OPEN messages are sent and the routers learn that they have 2 TCP sessions
f) the router with the highest router ID keeps its TCP session, and the other router terminates its BGP session with a CEASE BGP notification
How to prevent it:
    neighbor x.x.x.x transport connection-mode passive
passive means I won't send SYN packets

TTL-security:
    neighbor x.x.x.x ttl-security hops <1-254>
255 - hops = X; all incoming BGP packets must have TTL >= X

BGP fall-over: Bidirectional Forwarding Detection (BFD)
- keepalive mechanism
- uses UDP and CEF
- 2 types of packets:
1) control:
- the session with the peer is created by control packets
- control packets use the CPU
2) echo:
- echo packets are not received by the CPU of the peer; they simply test the forwarding path of the peer
- echo packets carry the source and destination of the sender (both MAC and IP)
- loss of echo packets means the session goes down
- since the destination is the sender's, the peer's CEF sees that destination and simply sends the echo packet back to me. CEF doesn't use the CPU

mBGP
- BGP supports various address families, like:
  ipv4 unicast
  ipv6 unicast
  ipv4 multicast
  vpnv4 unicast
- these capabilities are exchanged during BGP peer setup in the OPEN messages
IPv4 and IPv6 support:
option 1) create 2 TCP sessions, one each for IPv4 and IPv6
option 2) a single BGP session over IPv4 carrying multiple address families

BGP backdoor:
- we can't redistribute a default route into BGP, even if the default route is in the routing table
- redistributed routes are less preferred than routes from the network command (IGP > incomplete)

BGP rules of advertising routes:
1) only advertise the best route in any BGP update
2) do not advertise iBGP-learned routes to iBGP peers

Next-hop reachability issues
- the next hop is a path attribute
- eBGP: the next hop is changed by the advertising router
- iBGP: the next-hop IP address is not changed by the advertising router
next-hop-self: the next-hop IP will be the source address used for the BGP peering

iBGP loop prevention
- do not allow redistribution of iBGP routes into an IGP
- do not advertise iBGP-learned routes to other iBGP peers

BGP default routes:
- redistribution of an IGP default route (or a static default) won't work
2 methods:
- network 0.0.0.0: make sure we have a default route in the routing table. Controlled with a distribute-list to select which neighbors we advertise it to
- neighbor x.x.x.x default-originate: no need for a default route in the routing table. Can't be controlled by a distribute-list etc.

BGP conditional advertisement:
advertise-map: advertise what is in the advertise-map (the advertise-map uses a route-map) if
exist-map: the prefix in the exist-map is present in the BGP table (BGP table, not routing table). The exist-map uses a route-map
or
non-exist-map: the prefix in the non-exist-map is not present in the BGP table (BGP table, not routing table). The non-exist-map uses a route-map

Outbound route filtering (ORF)
- the customer can tell the ISP which filter the ISP needs to apply, dynamically
- a method of pushing prefix-lists created on one router up to another router
Requirements:
- exchange of ORF capabilities between eBGP peers
- works with eBGP peers
- only works with prefix-lists
- only works in address-family mode

Page 3

Path attributes:
1) next-hop
6) origin-code
- network statement: origin is IGP (i)
- redistribute statement: origin is incomplete (?)
- i > ?
- we can change the origin code using a route-map: set origin <>
7) MED:
- if MED is received for an update from 2 neighbors in the same AS, the lower MED is selected
- if MED is received in an update from a 1st neighbor in AS 1, a 2nd update from AS 2 and a 3rd update from AS 1, MED will not be compared between update 1 and update 3. Update 1 will be the best path.
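The best path algorithm from page 1 ("We Love Oranges AS Oranges Mean Pure Refreshment"), including the origin-code and same-AS MED rules restated here, worked through in Python as an added example that is not code from the original notes. The `Path` fields, the function names and the sample paths modelled on the R4 output are assumptions of this example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}   # IGP > EGP > incomplete

@dataclass
class Path:
    prefix: str
    next_hop: str             # "0.0.0.0" marks a locally originated route
    as_path: list             # e.g. [300]; the first AS is the advertising neighbor's AS
    origin: str               # "i", "e" or "?"
    weight: int = 0           # 32768 for locally injected routes, 0 for learned ones
    local_pref: int = 100
    med: int = 0
    ebgp: bool = True
    igp_metric: int = 0
    router_id: str = "0.0.0.0"

def neighbor_as(p):
    return p.as_path[0] if p.as_path else None

def prefer(a, b, always_compare_med=False):
    """True if a beats b, stepping through We Love Oranges AS Oranges Mean Pure Refreshment."""
    if a.weight != b.weight:              return a.weight > b.weight            # W: highest
    if a.local_pref != b.local_pref:      return a.local_pref > b.local_pref    # L: highest
    if (a.next_hop == "0.0.0.0") != (b.next_hop == "0.0.0.0"):
        return a.next_hop == "0.0.0.0"                                          # O: originated here
    if len(a.as_path) != len(b.as_path):  return len(a.as_path) < len(b.as_path)   # AS: shortest
    if a.origin != b.origin:              return ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin]  # O
    # M: MED is compared only between paths from the same neighbor AS, unless
    # "bgp always-compare-med" is configured
    if (always_compare_med or neighbor_as(a) == neighbor_as(b)) and a.med != b.med:
        return a.med < b.med
    if a.ebgp != b.ebgp:                  return a.ebgp                         # P: eBGP over iBGP
    if a.igp_metric != b.igp_metric:      return a.igp_metric < b.igp_metric    # IGP metric to next hop
    return IPv4Address(a.router_id) < IPv4Address(b.router_id)                  # R: lowest RID

def best_path(paths, always_compare_med=False):
    """Walk the candidates in arrival order, keeping the current best."""
    best = None
    for p in paths:
        if best is None or prefer(p, best, always_compare_med):
            best = p
    return best

# Constructed sample modelled on the R4 table in the notes: 100.100.100.0/28 learned
# from iBGP peer 1.3.4.3 and from eBGP peer 1.3.4.1, both behind AS 300.
IBGP_PATH = Path("100.100.100.0/28", "1.3.4.3", [300], "?", ebgp=False, router_id="1.1.1.3")
EBGP_PATH = Path("100.100.100.0/28", "1.3.4.1", [300], "?", ebgp=True, router_id="1.1.1.1")
```

Setting weight 100 inbound on either path, as the route-map INE does on page 1, decides the comparison at the first step regardless of the later tie-breakers.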

Page 4

BGP Filtering Tools

AS-path
- uses regex
- filtering based on AS-path
    config# ip as-path access-list <number> [permit|deny] <regex>

Regex
_ (underscore): does not match a character itself; it is used to match a space (a delimiter)
| : or, e.g. 55|26
Delimiters:
^ - beginning of the path
$ - end of the path
Ranges and wildcards:
[] - match any single digit in the range, e.g. [5-8,0] matches any of 5, 6, 7, 8, 0
. - matches any single character, space or delimiting character, e.g. 67.9 matches 6789 and 67 9
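An added example (not code from the original notes): translating an IOS as-path regex into Python's `re` so the rules above can be checked against AS_PATH strings, plus a first-match access-list evaluation. The treatment of `_` as any delimiter, the function names and the constructed paths and access-list are this example's assumptions.

```python
import re

# Cisco's "_" stands for any delimiter: start or end of the path, a space, a comma,
# or the braces/parentheses around AS_SET and confederation segments (assumption of
# this example, extending the note that "_" is used to match a space).
UNDERSCORE = r"(?:^|$|[ ,{}()])"

def cisco_to_python(cisco_regex):
    """Translate an 'ip as-path access-list' regex into a Python regex.
    Only '_' needs rewriting; ^ $ . | and [] ranges behave the same way."""
    out, i = [], 0
    while i < len(cisco_regex):
        ch = cisco_regex[i]
        if ch == "\\" and i + 1 < len(cisco_regex):   # keep escaped characters as they are
            out.append(cisco_regex[i:i + 2]); i += 2
            continue
        out.append(UNDERSCORE if ch == "_" else ch)
        i += 1
    return "".join(out)

def as_path_matches(cisco_regex, as_path):
    """as_path is the AS_PATH as 'show ip bgp' prints it, e.g. '4 5 {1 2 3}'."""
    return re.search(cisco_to_python(cisco_regex), as_path) is not None

def apply_as_path_acl(acl, as_paths):
    """acl is the access-list as ordered (action, regex) entries; like IOS it is
    first-match with an implicit deny at the end. Returns the permitted paths."""
    permitted = []
    for path in as_paths:
        for action, regex in acl:
            if as_path_matches(regex, path):
                if action == "permit":
                    permitted.append(path)
                break
    return permitted

# Constructed sample AS paths and an access-list that drops anything transiting
# private AS 65512 (from the range in the notes) and otherwise permits everything.
SAMPLE_PATHS = ["300", "100 65512 200", "100 655120 200", "4 5 {1 65512 3}", ""]
SAMPLE_ACL = [("deny", "_65512_"), ("permit", ".*")]
```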
