Using Communities
Deploying BGP in an ISP network
What is BGP?
Border Gateway Protocol
A Routing Protocol used to exchange routing
information between different networks
Exterior gateway protocol
Described in RFC4271 RFC4276 gives an implementation report on BGP
RFC4277 describes operational experiences using BGP
The Autonomous System is the cornerstone of BGP
It is used to uniquely identify networks with a common routing policy
Autonomous System (AS)
AS 100
Collection of networks with same routing policy
Single routing protocol
Usually under single ownership, trust and administrative control
Identified by a unique 32-bit integer (ASN)
Autonomous System Number (ASN)
Two ranges
0-65535 (original 16-bit range)
65536-4294967295 (32-bit range - RFC4893)
Usage:
0 and 65535 (reserved)
1-64495 (public Internet)
64496-64511 (documentation - RFC5398)
64512-65534 (private use only)
23456 (represent 32-bit range in 16-bit world)
65536-65551 (documentation - RFC5398)
65552-4294967295 (public Internet)
32-bit range representation specified in RFC5396 Defines “asplain” (traditional format) as standard notation
Autonomous System Number (ASN)
ASNs are distributed by the Regional Internet Registries
They are also available from upstream ISPs who are members of one of the RIRs
Current 16-bit ASN allocations up to 58367 have been
made to the RIRs
Around 3600 are visible on the Internet
Each RIR has also received a block of 32-bit ASNs Out of 1063 assignments, around 600 are visible on the Internet
See wwwianaorg/assignments/as-numbers
BGP Basics
Peering
A
C
AS 100 AS 101
B
D
Runs over TCP port 179 E
Path vector protocol Incremental updates AS 102
“Internal” & “External” BGP
Demarcation Zone (DMZ)
A
C
DMZ AS 100 AS 101
Network
B
D
E
AS 102
Shared network between ASes
BGP General Operation
Learns multiple paths via internal and external BGP speakers
Picks the best path and installs in the forwarding table
Best path is sent to external BGP neighbours
Policies are applied by influencing the best path selection
eBGP & iBGP
BGP used internally (iBGP) and externally (eBGP)
iBGP used to carry Some/all Internet prefixes across ISP backbone ISP’s customer prefixes
eBGP used to Exchange prefixes with other ASes Implement routing policy
BGP/IGP model used in ISP networks
Model representation
eBGP eBGP eBGP
iBGP
iBGP
iBGP
iBGP
IGP
IGP
IGP
IGP
AS1 AS2 AS3 AS4
External BGP Peering (eBGP)
A
AS 100
AS 101
C
B
Between BGP speakers in different AS
Should be directly connected
Never run an IGP between eBGP peers
Internal BGP (iBGP)
BGP peer within the same AS
Not required to be directly connected IGP takes care of inter-BGP speaker connectivity
iBGP speakers must to be fully meshed: They originate connected networks They pass on prefixes learned from outside the ASN They do not pass on prefixes learned from other iBGP
speakers
Internal BGP Peering (iBGP)
AS 100
B
A
C
D
Topology independent
Each iBGP speaker must peer with every other iBGP speaker in the AS
Peering to Loopback Interfaces
AS 100
Peer with loop-back interface Loop-back interface does not go down ever!
Do not want iBGP session to depend on state of a single interfaceor the physical topology
Information about BGP
AS-Path
Sequence of ASes a
route has traversed
AS 200
AS 100 1701000/16 1801000/16
Used for: Loop detection
1801000/16 300 200 100 1701000/16 300 200
Applying policy
AS 300
AS 400 1501000/16
1801000/16 300 200 100
AS 500
1701000/16 300 200 1501000/16 300 400
AS-Path (with 16 and 32-bit ASNs)
Internet with 16-bit and 32-bit ASNs
AS 80000
AS 70000 1701000/16 1801000/16
32-bit ASNs are65536
and above
1801000/16 300 23456 23456
AS-PATH length
1701000/16 300 23456
AS 300
maintained
AS 400 1501000/16
1801000/16 300 80000 70000
AS 90000
1701000/16 300 80000 1501000/16 300 400
AS-Path loop detection
AS 200
AS 100 1701000/16 1801000/16
1401000/16 500 300 1701000/16 500 300 200 AS 300
1401000/16
1801000/16 is not
AS 500
accepted by AS100 as the prefix has AS100 in its ASPATH this is loop
1801000/16 300 200 100
detection in action
1701000/16 300 200
1401000/16 300
Next Hop
1501011 1501012
iBGP
C
AS 200
A
1501000/16 eBGP B
AS 300
1501000/16 1501011 1601000/16 1501011
AS 100
1601000/16 eBGP address of external neighbour
iBGP NEXT_HOP from eBGP
Mandatory non-transitive attribute
iBGP Next Hop
120120/23 120110/24
Loopback
iBGP
C
12012543/32
B
Loopback 12012542/32
AS 300
D
A
120110/24 12012542 120120/23 12012543
Next hop is ibgp router loopback address
Recursive route look-up
Third Party Next Hop
AS 200
1206810/24 150113
150111 C
eBGP between Router A
and Router C
eBGP between RouterA and
150112 150113 RouterB
A
1206810/24 AS 201 B
120681/24 prefix has nexthop address of 150113 this is passed on to RouterC instead of 150112 More efficient
No extra config needed
Next Hop Best Practice
BGP default is for external next-hop to be propagated unchanged to iBGP peers This means that IGP has to carry external next-hops
Forgetting means external network is invisible With many eBGP peers, it is unnecessary extra load on IGP
ISP Best Practice is to change external next-hop to be that of the local router
Next Hop (Summary)
IGP should carry route to next hops
Recursive route look-up
Unlinks BGP from actual physical topology
Change external next hops to that of local router
Allows IGP to make intelligent forwarding decision
Origin
Conveys the origin of the prefix
Historical attribute Used in transition from EGP to BGP
Transitive and Mandatory Attribute
Influences best path selection
Three values: IGP, EGP, incomplete IGP generated by BGP network statement EGP generated by EGP incomplete redistributed from another routing protocol
Aggregator
Conveys the IP address of the router or BGP speaker generating the aggregate route
Optional & transitive attribute
Useful for debugging purposes
Does not influence best path selection
Local Preference
AS 100
1601000/16
AS 200 AS 300
D
500 800 E
A
B
1601000/16 500 AS 400
> 1601000/16 800
C
Local Preference
Non-transitive and optional attribute
Local to an AS non-transitive Default local preference is 100 (Cisco IOS)
Used to influence BGP path selection determines best path for outbound traffic
Path with highest local preference wins
Multi-Exit Discriminator (MED)
1206810/24 2000 AS 200
> 1206810/24 1000
C
D
1206810/24 2000 1206810/24 1000
A
B
1206810/24 AS 201
Multi-Exit Discriminator
Inter-AS non-transitive & optional attribute
Used to convey the relative preference of entry points determines best path for inbound traffic
Comparable if paths are from same AS
Implementations have a knob to allow comparisons of MEDs from different ASes
Path with lowest MED wins
Absence of MED attribute implies MED value of zero (RFC4271)
Multi-Exit Discriminator “metric confusion”
MED is non-transitive and optional attribute
Some implementations send learned MEDs to iBGP peers by default, others do not
Some implementations send MEDs to eBGP peers by default, others do not
Default metric varies according to vendorimplementation Original BGP spec (RFC1771) made no recommendation Some implementations handled absence of metric as meaning a metric of 0 Other implementations handled the absence of metric as
meaning a metric of 232-1 (highest possible) or 232-2
Potential for “metric confusion”
Community
Communities are described in RFC1997 Transitive and Optional Attribute
32 bit integer Represented as two 16 bit integers (RFC1998) Common format is <local-ASN>:xx
0:0 to 0:65535 and 65535:0 to 65535:65535 are reserved
Used to group destinations Each destination could be member of multiple communities
Very useful in applying policies within and between ASes
CommunityExample(before)
permit1601000/16in
permit1701000/16in
ISP 2 permit1601000/16out
X
1001000/16 permit1701000/16out F
AS 400
permit1001000/16in D
ISP 1 E
AS 300
C
B
A
AS 100
AS 200
1601000/16 1701000/16
CommunityExample
(after)
ISP 2
1601000/16 300:1
1701000/16 300:1
X
AS 400
1001000/16
F
E
1001000/16 300:9
D
ISP 1 AS 300
1601000/16 300:1 C
1701000/16 300:1
B
A
AS 100
AS 200 1601000/16
1701000/16
Well-Known Communities
Several well known communities
wwwianaorg/assignments/bgp-well-known-communities
no-export 65535:65281 do not advertise to any eBGP peers
no-advertise 65535:65282 do not advertise to any BGP peer
no-export-subconfed 65535:65283
do not advertise outside local AS (only used withconfederations)
no-peer 65535:65284 do not advertise to bi-lateral peers (RFC3765)
No-Export Community
AS100 announces aggregate and subprefixes Intention is to improve loadsharing by leaking subprefixes
Subprefixes marked with no-export community
Router G in AS200 does not announce prefixes with no-export community set
No-PeerCommunity
105700/16 1057XX No-Peer upstream D
C&D&E are
peersegTier-1s
105700/16
C
A
upstream E
B
upstream
Sub-prefixes marked with no-peer community are not sent to bi-lateral
peers They areonly senttoupstream providers
What about 4-byte ASNs?
Communities are widely used for encoding ISP routing
policy
32 bit attribute
RFC1998 format is now “standard” practice
ASN:number
Fine for 2-byte ASNs, but 4-byte ASNs cannot be encoded
Solutions: Use “private ASN” for the first 16 bits Wait for wwwietforg/internet-drafts/draft-ietf-idr-as4octetextcomm-generic-subtype-02txt to be implemented
Community
Implementation details
Community is an optional attribute
Some implementations send communities to iBGP peers by default, some do not
Some implementations send communities to eBGP peers by default, some do not
Being careless can lead to community “confusion” ISPs need consistent community policy within their own networks And they need to inform peers, upstreams and customers about their community expectations
Why Is This the Best Path?
BGP Path Selection Algorithm for IOSPart One
Do not consider path if no route to next hop
Do not consider iBGP path if not synchronised (Cisco IOS only)
Highest weight (local to router)
Highest local preference (global within AS)
Prefer locally originated route
Shortest AS path
BGP Path Selection Algorithm for IOSPart Two
Lowest origin code IGP < EGP < incomplete
Lowest Multi-Exit Discriminator (MED) If bgp deterministic-med, order the paths before comparing (BGP spec does not specify in which order the paths should be comparedThis means best path depends on order in which the paths are compared)
If bgp always-compare-med, then compare for all paths
otherwise MED only considered if paths are from the same AS (default)
BGP Path Selection Algorithm for IOSPart Three
Prefer eBGP path over iBGP path
Path with lowest IGP metric to next-hop
Lowest router-id (originator-id for reflected routes)
Shortest Cluster-List Client must be aware of Route Reflector attributes!
Lowest neighbour IP address
BGP Path Selection Algorithm
In multi-vendor environments:
Make sure the path selection processes are understood for each brand of equipment Each vendor has slightly different implementations, extra steps,
extra features, etc
Watch out for possible MED confusion
Controlling Traffic Flow & Traffic Engineering
Applying Policy in BGP:Why?
Network operators rarely “plug in routers and go”
External relationships: Control who they peer with Control who they give transit to Control who they get transit from
Traffic flow control:
Efficiently use the scarce infrastructure resources (external link load balancing) Congestion avoidance Terminology: Traffic Engineering
Applying Policy in BGP:How?
Policies are applied by:
Setting BGP attributes (local-pref, MED, AS-PATH, community), thereby influencing the path selection process
Advertising or Filtering prefixes
Advertising or Filtering prefixes according to ASN and AS-PATHs
Advertising or Filtering prefixes according to Community membership
Applying Policy with BGP:Tools
Most implementations have tools to apply policies to
BGP:
Prefix manipulation/filtering
AS-PATH manipulation/filtering
Community Attribute setting and matching
Implementations also have policy language which can do various match/set constructs on the attributes of chosen BGP routes
Extending BGP
BGP Capabilities
Documented in RFC2842
Capabilities parameters passed in BGP open message
Unknown or unsupported capabilities will result in NOTIFICATION message
Codes: 0 to 63 are assigned by IANA by IETF consensus 64 to 127 are assigned by IANA “first come first served” 128 to 255 are vendor specific
BGP Capabilities
Current capabilities are:
0 Reserved [RFC3392]
1 Multiprotocol Extensions for BGP-4 [RFC4760]
2 Route Refresh Capability for BGP-4 [RFC2918]
3 Outbound Route Filtering Capability [RFC5291]
4 Multiple routes to a destination capability [RFC3107]
5 Extended Next Hop Encoding [RFC5549]
64 Graceful Restart Capability [RFC4724]
65 Support for 4 octet ASNs [RFC4893]
66 Deprecated
67 Support for Dynamic Capability [ID]
68 Multisession BGP [ID]
69 Add Path Capability [ID]
See wwwianaorg/assignments/capability-codes
APRICOT 2011 ⓒ 2011 Cisco Systems, IncAll rights reserved 53
BGP Capabilities
Multiprotocol extensions
This is a whole different world, allowing BGP to support more than IPv4 unicast routes Examples include: v4 multicast, IPv6, v6 multicast, VPNs Another tutorial (or many!)
Route refresh is a well known scaling technique covered shortly
32-bit ASNs have recently arrived
The other capabilities are still in development or not widely implemented or deployed yet
BGP for Internet Service Providers
BGP Basics
Scaling BGP
Using Communities
Deploying BGP in an ISP network
BGP Scaling Techniques
Original BGP specification and implementation was fine
for the Internet of the early 1990s
But didn’t scale
Issues as the Internet grew included: Scaling the iBGP mesh beyond a few peers? Implement new policy without causing flaps and route churning? Keep the network stable, scalable, as well as simple?
BGP Scaling Techniques
Current Best Practice Scaling Techniques Route Refresh Peer-groups Route Reflectors (and Confederations)
Deploying 4-byte ASNs
Deprecated Scaling Techniques Route Flap Damping
Route Refresh
Route Refresh
BGP peer reset required after every policy change
Because the router does not store prefixes which are rejectedby policy
Hard BGP peer reset: Terminates BGP peering & Consumes CPU Severely disrupts connectivity for all networks
Soft BGP peer reset (or Route Refresh): BGP peering remains active Impacts only those prefixes affected by policy change
Route Refresh Capability
Facilitates non-disruptive policy changes
For most implementations, no configuration is needed Automatically negotiated at peer establishment
No additional memory is used
Requires peering routers to support “route refresh capability” RFC2918
Dynamic Reconfiguration
Use Route Refresh capability if supported find out from the BGP neighbour status display Non-disruptive, “Good For the Internet”
If not supported, see if implementation has a workaround
Only hard-reset a BGP peering as a last resort
Scaling the iBGP mesh
Scaling iBGP mesh
Avoid ½n(n-1) iBGP mesh
n=1000 ⇒ nearly
half a million
ibgp sessions!
Two solutions Route reflector simpler to deploy and run Confederation more complex, has corner case advantages
Route Reflector: Principle
Route Reflector
A
AS 100
B
C
Route Reflector
Reflector receives path from clients and non-clients
Selects best path
If best path is from client, reflect to other clients and non-clients
If best path is from non-client, reflect to clients only
Non-meshed clients
Described in RFC4456
Clients
Reflectors
A
B
C
AS 100
Route Reflector: Topology
Divide the backbone into multiple clusters
At least one route reflector and few clients per cluster
Route reflectors are fully meshed
Clients in a cluster could be fully meshed
Single IGP to carry next hop and local routes
Route Reflector: Loop Avoidance
Originator_ID attribute
Carries the RID of the originator of the route in the local AS (created by the RR)
Cluster_list attribute The local cluster-id is added when the update is sent by the RR Best to set cluster-id is from router-id (address of loopback) (Some ISPs use their own cluster-id assignment strategy but
needs to be well documented!)
Route Reflector: Redundancy
Multiple RRs can be configured in the same cluster not advised!
All RRs in the cluster must have the same cluster-id (otherwise it is a different cluster)
A router may be a client of RRs in different clusters
Common today in ISP networks to overlay two clusters redundancy achieved that way
→ Each client has two RRs = redundancy
Route Reflectors: Redundancy
Cluster Two
Route Reflector: Benefits
Solves iBGP mesh problem
Packet forwarding is not affected
Normal BGP speakers co-exist
Multiple reflectors for redundancy
Easy migration
Multiple levels of route reflectors
Route Reflector: Deployment
Where to place the route reflectors?
Always follow the physical topology!
This will guarantee that the packet forwarding won’t be affected
Typical ISP network: PoP has two core routers Core routers are RR for the PoP Two overlaid clusters
Route Reflector: Migration
Typical ISP network: Core routers have fully meshed iBGP Create further hierarchy if core mesh too big
Split backbone into regions
Configure one cluster pair at a time Eliminate redundant iBGP sessions Place maximum one RR per cluster Easy migration, multiple levels
Route Reflector: Migration
AS 300
A
B
C
AS 100
D
AS 200 E
F
G
Migrate small parts of the network, one part at a time
Confederations
Divide the AS into sub-AS eBGP between sub-AS, but some iBGP information is kept
Preserve NEXT_HOP across the
sub-AS (IGP carries this information)
Preserve LOCAL_PREF and MED
Usually a single IGP
Described in RFC5065
Confederations (Cont)
Visible to outside world as single AS “Confederation Identifier”
Each sub-AS uses a number from the private AS range (6451265534)
iBGP speakers in each sub-AS are fully meshed
The total number of neighbours is reduced by limiting the full mesh requirement to only the peers in the sub-AS
Can also use Route-Reflector within sub-AS
Confederations
Sub-AS 65530 AS 200
A
Sub-AS Sub-AS 65532 65531
C B
Configuration (Router C):
router bgp 65532 bgp confederation identifier 200 bgp confederation peers 65530 65531neighbor 141153121 remote-as 65530neighbor 141153172 remote-as 65531
Confederations: AS-Sequence
Route Propagation Decisions
Same as with “normal” BGP: From peer in same sub-AS → only to external peers From external peers → to all neighbors
“External peers” refers to Peers outside the confederation Peers in a different sub-AS
Preserve LOCAL_PREF, MED and NEXT_HOP
RRs or Confederations
Internet Connectivity Multi-Level Hierarchy Policy Control Scalability MigrationComplexity
Confederations Route Reflectors Anywherein the Network Anywherein the Network Yes Yes Yes Yes Medium Very High Very Low Medium to High
Most new service provider networks now deploy Route Reflectors from Day One
More points about Confederations
Can ease “absorbing” other ISPs into you ISP eg, if one ISP buys another
Or can use AS masquerading feature available in some implementations to do a similar thing
Can use route-reflectors with confederation sub-AS to reduce the sub-AS iBGP mesh
How to support customers using the extended ASN range
32-bit ASNs
Standards documents Description of 32-bit ASNs
wwwrfc-editororg/rfc/rfc4893txt
Textual representation
wwwrfc-editororg/rfc/rfc5396txt
New extended community
wwwrfc-editororg/rfc/rfc5668txt
AS 23456 is reserved as interface between 16-bit and 32-bit ASN world
32-bit ASNs terminology
16-bit ASNs Refers to the range 0 to 65535
32-bit ASNs Refers to the range 65536 to 4294967295 (or the extended range)
32-bit ASN pool Refers to the range 0 to 4294967295
Getting a 32-bit ASN
Sample RIR policy
wwwapnicnet/docs/policy/asn-policyhtml
From 1st January 2007 32-bit ASNs were available on request
From 1st January 2009 32-bit ASNs were assigned by default 16-bit ASNs were only available on request
From 1st January 2010 No distinction ASNs assigned from the 32-bit pool
Representation
Representation of 0-4294967295 ASN range Most operators favour traditional format (asplain) A few prefer dot notation (XY):
asdot for 65536-4294967295, eg 24
asdot+ for 0-4294967295, eg 064513
But regular expressions will have to be completely rewritten for asdot and asdot+ !!!
For example: ^[0-9]+$ matches any ASN (16-bit and asplain) This and equivalents extensively used in BGP multihoming
configurations for traffic engineering
Equivalent regexp for asdot is: ^([0-9]+)|([0-9]+\\[0-9]+)$
Equivalent regexp for asdot+ is: ^[0-9]+\\[0-9]+$
Changes
32-bit ASNs are backward compatible with 16-bit ASNs
There is no flag day
You do NOT need to: Throw out your old routers Replace your 16-bit ASN with a 32-bit ASN
You do need to be aware that: Your customers will come with 32-bit ASNs ASN 23456 is not a bogon! You will need a router supporting 32-bit ASNs to use a 32-bit
ASN locally
If you have a proper BGP implementation, 32-bit ASNswill be transported silently across your network
How does it work?
If local router and remote router supports configuration
of 32-bit ASNs BGP peering is configured as normal using the 32-bit ASN
If local router and remote router does not support
configuration of 32-bit ASNs
BGP peering can only use a 16-bit ASN
If local router only supports 16-bit ASN and remote
router/network has a 32-bit ASN
Compatibility mode is initiated…
Compatibility Mode:
Local router only supports 16-bit ASN and remote router uses 32bit ASN
BGP peering initiated: Remote asks local if 32-bit supported (BGP capability negotiation) When local says “no”, remote then presents AS23456 Local needs to be configured to peer with remote using AS23456
BGP peering initiated (cont): BGP session established using AS23456 32-bit ASN included in a new BGP attribute called AS4_PATH
(as opposed to AS_PATH for 16-bit ASNs)
Result:
16-bit ASN world sees 16-bit ASNs and 23456 standing in for 32-bitASNs 32-bit ASN world sees 16 and 32-bit ASNs
Example:
Internet with 32-bit and 16-bit ASNs
AS 70000 AS 80000
AS-PATH length 1701000/16 1801000/16 maintained
1801000/16 123 23456 23456 1701000/16 123 23456
AS 123
AS 321 1501000/16
1801000/16 123 70000 80000
AS 90000
1701000/16 123 70000 1501000/16 123 321
What has changed?
Two new BGP attributes: AS4_PATH Carries 32-bit ASN path info AS4_AGGREGATOR Carries 32-bit ASN aggregator info
Well-behaved BGP implementations will simply pass these along if they don’t understand them
AS23456 (AS_TRANS)
What do they look like?
IPv4 prefix originated by AS196613
as4-7200#sh ip bgp 14512500/20BGP routing table entry for 14512500/20, version 58734Paths: (1 available, best #1, table default)
asplain
131072 12654 196613
format
2046920025 from 2046920025 (2046920025)Origin IGP, localpref 100, valid, internal, best
IPv4 prefix originated by AS35
as4-7200#sh ip bgp 14512500/20BGP routing table entry for 14512500/20, version 58734Paths: (1 available, best #1, table default)
asdot 20 12654 35format 2046920025 from 2046920025 (2046920025)Origin IGP, localpref 100, valid, internal, best
What do they look like?
IPv4 prefix originated by AS196613 But 16-bit AS world view:
BGP-view1>sh ip bgp 14512500/20BGP routing table entry for 14512500/20, version 113382Paths: (1 available, best #1, table Default-IP-Routing-
Table)
23456 12654 23456
2046920025 from 2046920025 (2046920025)Origin IGP, localpref 100, valid, external, best
Transition
AS
If 32-bit ASN not supported:
Inability to distinguish between peer ASes using 32-bit ASNs They will all be represented by AS23456 Could be problematic for transit provider’s policy
Inability to distinguish prefix’s origin AS How to tell whether origin is real or fake? The real and fake both represented by AS23456
(There should be a better solution here!)
Incorrect NetFlow summaries: Prefixes from 32-bit ASNs will all be summarised under AS23456 Traffic statistics need to be measured per prefix and aggregated Makes it hard to determine peerability of a neighbouring network
Implementations (Feb 2011)
Cisco IOS-XR 34 onwards
Cisco IOS-XE 23 onwards
Cisco IOS 120(32)S12, 124(24)T, 122SRE, 122(33)SXI1 onwards
Cisco NX-OS 40(1) onwards
Quagga 09910 (patches for 0996)
OpenBGPd 42 (patches for 39 & 40)
Juniper JunOSe 410 & JunOS 91 onwards
Redback SEOS
Force10 FTOS771 onwards
http://as4clueponnet/indexphp/Software_Support for a complete list
Network Stability for the 1990s
Network Instability for the 21st Century!
Route Flap Damping
For many years, Route Flap Damping was a strongly recommended practice
Now it is strongly discouraged as it appears to cause far greater network instability than it cures
But first, the theory…
Route Flap Damping
Route flap Going up and down of path or change in attribute BGP WITHDRAW followed by UPDATE = 1 flap eBGP neighbour going down/up is NOT a flap
Ripples through the entire Internet
Wastes CPU
Damping aims to reduce scope of route flap propagation
Route Flap Damping (continued)
Requirements Fast convergence for normal route changes History predicts future behaviour Suppress oscillating routes Advertise stable routes
Implementation described in RFC 2439
Operation
Add penalty (1000) for each flap
Change in attribute gets penalty of 500
Exponentially decay penalty half life determines decay rate
Penalty above suppress-limit do not advertise route to BGP peers
Penalty decayed below reuse-limit re-advertise route to BGP peers penalty reset to zero when it is half of reuse-limit
Operation
4000
3000
Penalty
2000
1000
0
01234 5
Network Network Network Announced Not Announced Re-announced
Operation
Only applied to inbound announcements from eBGP peers
Alternate paths still usable
Controllable by at least: Half-life reuse-limit suppress-limit maximum suppress time
Configuration
Implementations allow various policy control with flap
damping
Fixed damping, same rate applied to all prefixes
Variable damping, different rates applied to different ranges of prefixes and prefix lengths
Route Flap Damping History
First implementations on the Internet by 1995
Vendor defaults too severe
RIPE Routing Working Group recommendations in ripe-178, ripe-210, and ripe-229
http://wwwripenet/ripe/docs
But many ISPs simply switched on the vendors’ default values without thinking
Serious Problems:
\"Route Flap Damping Exacerbates Internet Routing Convergence“
Zhuoqing Morley Mao, Ramesh Govindan, George Varghese & Randy HKatz, August 2002
“What is the sound of one route flapping?” Tim Griffin, June 2002
Various work on routing convergence by Craig Labovitz and Abha Ahuja a few years ago
“Happy Packets” Closely related work by Randy Bush et al
Problem 1:
One path flaps:
BGP speakers pick next best path, announce to all peers, flap counter incremented Those peers see change in best path, flap counter incremented After a few hops, peers see multiple changes simply caused by
a single flap → prefix is suppressed
Problem 2:
Different BGP implementations have different transit
time for prefixes
Some hold onto prefix for some time before advertising
Others advertise immediately
Race to the finish line causes appearance of flapping, caused by a simple announcement or path change → prefix is suppressed
Solution:
Do NOT use Route Flap Damping whatever you do!
RFD will unnecessarily impair access to your network and to the Internet
More information contained in RIPE Routing Working Group recommendations:
wwwripenet/ripe/docs/ripe-378[pdf,html,txt]
BGP for Internet Service Providers
BGP Basics
Scaling BGP
Using Communities
Deploying BGP in an ISP network
Some examples of how ISPs make life easier forthemselves
BGP Communities
Another ISP “scaling technique”
Prefixes are grouped into different “classes” or communities within the ISP network
Each community means a different thing, has a different result in the ISP network
BGP Communities
Communities are generally set at the edge of the ISP network
Customer edge: customer prefixes belong to different communities depending on the services they have purchased
Internet edge: transit provider prefixes belong to difference communities, depending on the loadsharing or traffic engineering requirements of the local ISP, or what the demands from its BGP customers might be
Two simple examples follow to explain the concept
Community Example: Customer Edge
This demonstrates how communities might be used at the customer edge of an ISP network
ISP has three connections to the Internet: IXP connection, for local peers Private peering with a competing ISP in the region Transit provider, who provides visibility to the entire Internet
Customers have the option of purchasing combinations of the above connections
Community Example: Customer Edge
Community assignments: IXP connection: community 100:2100 Private peer: community 100:2200
Customer who buys local connectivity (via IXP) is put in community100:2100
Customer who buys peer connectivity is put in community100:2200
Customer who wants both IXP and peer connectivity is put in100:2100 and 100:2200
Customer who wants “the Internet” has no community set We are going to announce his prefix everywhere
Community Example: Customer Edge
Customers Customers Customers
Communities set at the aggregation router where the prefix isinjected into the ISP’s iBGP
Community Example: Customer Edge
No need to alter filters at the network border when adding a new customer
New customer simply is added to the appropriate
community Border filters already in place take care of announcements
⇒ Ease of operation!
Community Example: Internet Edge
This demonstrates how communities might be used at the peering edge of an ISP network
ISP has four types of BGP peers: Customer IXP peer Private peer Transit provider
The prefixes received from each can be classified usingcommunities
Customers can opt to receive any or all of the above
Community Example: Internet Edge
Community assignments: Customer prefix: community 100:3000 IXP prefix: community 100:3100 Private peer prefix: community 100:3200
BGP customer who buys local connectivity gets 100:3000
BGP customer who buys local and IXP connectivity receivescommunity 100:3000 and 100:3100
BGP customer who buys full peer connectivity receives community100:3000, 100:3100, and 100:3200
Customer who wants “the Internet” gets everything Gets default route originated by aggregation router Or pays money to get all 220k prefixes
Community Example: Internet Edge
No need to create customised filters when adding customers Border router already sets communities
Installation engineers pick the appropriate community set when establishing the customer BGP session
⇒ Ease of operation!
Community Example Summary
Two examples of customer edge and internet edge can be combined to form a simple community solution for ISP prefix policy control
More experienced operators tend to have more sophisticated options available
Advice is to start with the easy examples given, and then proceed onwards as experience is gained
ISP BGP Communities
There are no recommended ISP BGP communities apart from RFC1998 The five standard communities
wwwianaorg/assignments/bgp-well-known-communities
Efforts have been made to document from time to time
toteminfouclacbe/publications/papers-elec-versions/draft-quoitinbgp-comm-survey-00pdf
But so far… nothing more… Collection of ISP communities at wwwonescnet/communities NANOG Tutorial:
wwwnanogorg/meetings/nanog40/presentations/BGPcommunitiespdf
ISP policy is usually published On the ISP’s website Referenced in the AS Object in the IRR
Some ISP Examples:
NTT
More info at
wwwusnttnet/about/policy/routingcfm
ISP Examples:
Verizon Business Europe
aut-num: AS702 descr: Verizon Business EMEA -Commercial IP service provider in Eur remarks: VzBi uses the following communities with its customers:
702:80 Set Local Pref 80 within AS702
702:120 Set Local Pref 120 within AS702
702:20 702:30 702:1 702:2 702:3 Announce only to VzBi AS\'es and VzBi customersKeep within Europe, don\'t announce to other VzBi ASPrepend AS702 once at edges of VzBi to PeersPrepend AS702 twice at edges of VzBi to PeersPrepend AS702 thrice at edges of VzBi to Peers
Advanced communities for customers
702:7020 Do not announce to AS702 peers with a scope ofNational but advertise to Global Peers, EuropeanPeers and VzBi customers
702:7001 Prepend AS702 once at edges of VzBi to AS702 peers with a scope of National702:7002 Prepend AS702 twice at edges of VzBi to AS702 peers with a scope of National (more)
ISP Examples:
Verizon Business Europe
(more) 702:7003 Prepend AS702 thrice at edges of VzBi to AS702 peers with a scope of National 702:8020 Do not announce to AS702 peers with a scope ofEuropean but advertise to Global Peers, NationalPeers and VzBi customers 702:8001 Prepend AS702 once at edges of VzBi to AS702 peers with a scope of European702:8002 Prepend AS702 twice at edges of VzBi to AS702 peers with a scope of European702:8003 Prepend AS702 thrice at edges of VzBi to AS702 peers with a scope of European-------------------------------------------------------------Additional details of the VzBi communities are located at: http://wwwverizonbusinesscom/uk/customer/bgp/
mnt-by: WCOM-EMEA-RICE-MNT source: RIPE
Some ISP ExamplesBT Ignite
Some ISP ExamplesLevel 3
BGP for Internet Service Providers
BGP Basics
Scaling BGP
Using Communities
Deploying BGP in an ISP network
Okay, so we’ve learned all about BGP now; how do we use it on our network??
Deploying BGP
The role of IGPs and iBGP
Aggregation
Receiving Prefixes
Configuration Tips
Ships in the night?
Or
Good foundations?
BGP versus OSPF/ISIS
Internal Routing Protocols (IGPs) examples are ISIS and OSPF used for carrying infrastructure addresses NOT used for carrying Internet prefixes or customer prefixes design goal is to minimise number of prefixes in IGP to aid
scalability and rapid convergence
BGP versus OSPF/ISIS
BGP used internally (iBGP) and externally (eBGP)
iBGP used to carry some/all Internet prefixes across backbone customer prefixes
eBGP used to exchange prefixes with other ASes implement routing policy
BGP/IGP model used in ISP networks
Model representation
eBGP eBGP eBGP
iBGP
iBGP
iBGP
iBGP
IGP
IGP
IGP
IGP
AS1 AS2 AS3 AS4
BGP versus OSPF/ISIS
DO NOT: distribute BGP prefixes into an IGP distribute IGP routes into BGP use an IGP to carry customer prefixes
YOUR NETWORK WILL NOT SCALE
Injecting prefixes into iBGP
Use iBGP to carry customer prefixes Don’t ever use IGP
Point static route to customer interface
Enter network into BGP process
Ensure that implementation options are used so that the prefixalways remains in iBGP, regardless of state of interface
ieavoid iBGP flaps caused by interface flaps
Quality or Quantity?
Aggregation
Aggregation means announcing the address block received from the RIR to the other ASes connected to your network
Subprefixes of this aggregate may be: Used internally in the ISP network
Announced to other ASes to aid with multihoming
Unfortunately too many people are still thinking about class Cs, resulting in a proliferation of /24s in the Internet routing table
Aggregation
Address block should be announced to the Internet as an aggregate
Subprefixes of address block should NOT be announced to Internet unless for traffic engineering purposes
(see BGP Multihoming Tutorial)
Aggregate should be generated internally Not on the network borders!
Announcing an Aggregate
ISPs who don’t and won’t aggregate are held in poor regard by community
Registries publish their minimum allocation size Anything from a /20 to a /22 depending on RIR
Different sizes for different address blocks
No real reason to see anything longer than a /22 prefix
in the Internet
BUT there are currently >180000 /24s!
But: APNIC changed (Oct 2010) its minimum allocation
size on all blocks to /24
IPv4 run-out is starting to have an impact
Aggregation Example
10010100/231001000/241001040/22 …
customer
AS100
Internet
10010100/23
Customer has /23 network assigned from AS100’s /19 address block
AS100 announces customers’ individual networks to the Internet
Aggregation Bad Example
Customer link goes down
Their /23 network becomes unreachable
/23 is withdrawn from AS100’s iBGP
Their ISP doesn’t aggregate its /19 network block
/23 network withdrawal announced to peers
starts rippling through the Internet
added load on all Internet backbone routers as network is removed from routing table Their /23 network is now visible to their ISP
Their /23 network is re-advertised to peers
Starts rippling through Internet
Load on Internet backbone routers as network is reinserted into routing table
Some ISP’s suppress the flaps
Internet may take 10-20 min or longer to be visible
Where is the Quality of Service???
Aggregation Example
1001000/19
1001000/19 aggregate customer Internet
AS100
10010100/23
Customer has /23 network assigned from AS100’s /19 address block
AS100 announced /19 aggregate to the Internet
Aggregation Good Example
Customer link goes down
their /23 network becomes unreachable
/23 is withdrawn from AS100’s iBGP
/19 aggregate is still being announced no BGP hold down problems
no BGP propagation delays no damping by other ISPs
Customer link returns
Their /23 network is visible
again The /23 is re-injected into AS100’s iBGP
The whole Internet becomes visible immediately
Customer has Quality of Service perception
Aggregation Summary
Good example is what everyone should do! Adds to Internet stability Reduces size of routing table Reduces routing churn Improves Internet QoS for everyone
Bad example is what too many still do! Why? Lack of knowledge? Laziness?
Separation of iBGP and eBGP
Many ISPs do not understand the importance ofseparating iBGP and eBGP iBGP is where all customer prefixes are carried
eBGP is used for announcing aggregate to Internet and forTraffic Engineering
Do NOT do traffic engineering with customer originatediBGP prefixes Leads to instability similar to that mentioned in the earlier badexample
Even though aggregate is announced, a flapping subprefix will lead to instability for the customer concerned
Generate traffic engineering prefixes on the Border Router
The Internet Today (February 2011)
Current Internet Routing Table Statistics
BGP Routing Table Entries 345357
Prefixes after maximum aggregation 155769
Unique prefixes in Internet 170883
Prefixes smaller than registry alloc 142680
/24s announced 180715
ASes in use 35825
“The New Swamp”
Swamp space is name used for areas of poor aggregation The original swamp was 192000/8 from the former class C block Name given just after the deployment of CIDR
The new swamp is creeping across all parts of the Internet Not just RIR space, but “legacy” space too
“The New Swamp”
RIR Space February 1999
Block Networks Block Networks Block Networks Block Networks
41/8 024/8 165 80/8 0 79/8 0 119/8 0 118/8 0 202/8 2276 201/8 0
58/8 0 81/8 0 120/8 0 203/8 3622
59/8 0 82/8 0 121/8 0 204/8 3792
60/8 0 83/8 0 122/8 0 205/8 2584
61/8 3 84/8 0 123/8 0 206/8 3127
62/8 87 85/8 0 124/8 0 207/8 2723
63/8 20 86/8 0 125/8 0 208/8 2817
64/8 0 87/8 0 126/8 0 209/8 2574
65/8 0 88/8 0 173/8 0 210/8 617
66/8 0 89/8 0 174/8 0 211/8 0
67/8 0 90/8 0 186/8 0 212/8 717
68/8 0 91/8 0 187/8 0 213/8 1
69/8 0 96/8 0 189/8 0 216/8 943
70/8 0 97/8 0 190/8 0 217/8 0
71/8 0 98/8 0 192/8 6275 218/8 0
72/8 0 99/8 0 193/8 2390 219/8 0
73/8 0 112/8 0 194/8 2932 220/8 0
74/8 0 113/8 0 195/8 1338 221/8 0
75/8 0 114/8 0 196/8 513 222/8 0
76/8 0 115/8 0 198/8 4034
77/8 0 116/8 0 199/8 3495
78/8 0 117/8 0 200/8 1348
“The New Swamp”
RIR Space February 2010
RIR blocks contribute about 87% of the Internet Routing Table
Block Networks Block Networks Block Networks Block Networks
24/8 3328 79/8 1119 118/8 1349 201/8 4136
41/8 3448 80/8 2335 119/8 1694 202/8 11354
58/8 1675 81/8 1709 120/8 531 203/8 11677
59/8 1575 82/8 1358 121/8 1756 204/8 5744
60/8 888 83/8 1357 122/8 2687 205/8 3037
61/8 2890 84/8 1341 123/8 2400 206/8 3951
62/8 2418 85/8 2492 124/8 2259 207/8 4635
63/8 3114 86/8 780 125/8 2514 208/8 6498
64/8 6601 87/8 1466 126/8 106 209/8 5536
65/8 3966 88/8 1068 173/8 1994 210/8 4977
66/8 7782 89/8 3168 174/8 1089 211/8 3130
67/8 3771 90/8 377 186/8 1223 212/8 3550
68/8 3221 91/8 4555 187/8 1501 213/8 3442
69/8 5280 96/8 778 189/8 3063 216/8 7645
70/8 2008 97/8 725 190/8 6945 217/8 3136
71/8 1327 98/8 1312 192/8 6952 218/8 1512
72/8 4050 99/8 288 193/8 6820 219/8 1303
73/8 4 112/8 883 194/8 5177 220/8 2108
74/8 5074 113/8 890 195/8 5325 221/8 980
75/8 1164 114/8 996 196/8 1857 222/8 1058
76/8 1034 115/8 1616 198/8 4504
77/8 1964 116/8 1755 199/8 4372
78/8 1397 117/8 1611 200/8 8884
“The New Swamp” Summary
RIR space shows creeping deaggregation
It seems that an RIR /8 block averages around 5000 prefixes (and upwards) once fully allocated
Food for thought: The 120 RIR /8s combined will cause: 635000 prefixes with 5000 prefixes per /8 density 762000 prefixes with 6000 prefixes per /8 density Plus 12% due to “non RIR space deaggregation”
→ Routing Table size of 853440 prefixes
“The New Swamp” Summary
Rest of address space is showing similar deaggregation too
What are the reasons? Main justification is traffic engineering
Real reasons are: Lack of knowledge Laziness Deliberate & knowing actions
Efforts to improve aggregation
The CIDR Report Initiated and operated for many years by Tony Bates Now combined with Geoff Huston’s routing analysis wwwcidr-reportorg Results e-mailed on a weekly basis to most operations lists around the world Lists the top 30 service providers who could do better at aggregating
RIPE Routing WG aggregation recommendation
RIPE-399 http://wwwripenet/ripe/docs/ripe-399html
Efforts to Improve AggregationThe CIDR Report
Also computes the size of the routing table assuming ISPs performed optimal aggregation
Website allows searches and computations of
aggregation to be made on a per AS basis
Flexible and powerful tool to aid ISPs
Intended to show how greater efficiency in terms of BGP table size can be obtained without loss of routing and policy information
Shows what forms of origin AS aggregation could be performed and the potential benefit of such actions to the total table size
Very effectively challenges the traffic engineering excuse
Importance of Aggregation
Size of routing table
Router Memory is not so much of a problem as it was in the 1990s Routers can be specified to carry 1 million+ prefixes
Convergence of the Routing System This is a problem Bigger table takes longer for CPU to process BGP updates take longer to deal with BGP Instability Report tracks routing system update activity
http://bgpupdatespotaroonet/instability/bgpupdhtml
Aggregation Potential
(source: bgppotaroonet/as20/)
AggregationSummary
Aggregation on the Internet could be MUCH better 35% saving on Internet routing table size is quite feasible Tools are available
Commands on the routers are not hard
CIDR-Report webpage
Receiving Prefixes
There are three scenarios for receiving prefixes from other ASNs Customer talking BGP
Peer talking BGP
Upstream/Transit talking BGP
Each has different filtering requirements and need to be considered separately
Receiving Prefixes:From Customers
ISPs should only accept prefixes which have been assigned or allocated to their downstream customer
If ISP has assigned address space to its customer, then
the customer IS entitled to announce it back to his ISP
If the ISP has NOT assigned address space to its customer, then:
Check the five RIR databases to see if this address space really has been assigned to the customer
The tool: whois
Receiving Prefixes:From Customers
Example use of whois to check if customer is entitled to announceaddress space:
$ whois -h whoisapnicnet 20212290 inetnum: 20212280 -2021229255 netname: APNIC-AP descr: Asia Pacific Network Information Center descr: Level 1 -33 Park Roaddescr: Milton QLD 4064 descr: Australia country: AU admin-c: AIC1-AP tech-c: NO4-AP mnt-by: APNIC-HM changed: technical@apnicnet 19980918 status: ASSIGNED PORTABLE source: APNIC
Receiving Prefixes:From Customers
Example use of whois to check if customer is entitled to announce address space:
$ whois -h whoisripenet 19312800
inetnum: 19312800 -193133255255
netname: UK-PIPEX-193-128-133
descr: Verizon UK Limited
country: GB ALLOCATED means that this is org: ORG-UA24-RIPE Provider Aggregatable address spaceadmin-c: WERT1-RIPE and can only be announced by the ISPtech-c: UPHM1-RIPE
holding the allocation (in this casestatus: ALLOCATED UNSPECIFIED Verizon UK) remarks: Please send abuse notification to abuse@ukuunet mnt-by: RIPE-NCC-HM-MNT mnt-lower: AS1849-MNT mnt-routes: AS1849-MNT mnt-routes: WCOM-EMEA-RICE-MNT mnt-irt: IRT-MCI-GB source: RIPE # Filtered
Receiving Prefixes:From Peers
A peer is an ISP with whom you agree to exchange
prefixes you originate into the Internet routing table
Prefixes you accept from a peer are only those they have indicated they will announce
Prefixes you announce to your peer are only those you have indicated you will announce
Receiving Prefixes:From Peers
Agreeing what each will announce to the other:
Exchange of e-mail documentation as part of the peering agreement, and then ongoing updates
OR
Use of the Internet Routing Registry and configuration tools such as the IRRToolSet
wwwiscorg/sw/IRRToolSet/
Receiving Prefixes:
From Upstream/Transit Provider
Upstream/Transit Provider is an ISP who you pay to give you transit to the WHOLE Internet
Receiving prefixes from them is not desirable unless
really necessary
Traffic Engineering see BGP Multihoming Tutorial
Ask upstream/transit provider to either: originate a default-route OR announce one prefix you can use as default
Receiving Prefixes:
From Upstream/Transit Provider
If necessary to receive prefixes from any provider, careis required
Don’t accept default (unless you need it)
Don’t accept your own prefixes
For IPv4:
Don’t accept private (RFC1918) and certain special use prefixes:
http://wwwrfc-editororg/rfc/rfc5735txt
Don’t accept prefixes longer than /24 (?)
For IPv6: Don’t accept certain special use prefixes: http://wwwrfc-editororg/rfc/rfc5156txt Don’t accept prefixes longer than /48 (?)
Receiving Prefixes:
From Upstream/Transit Provider
Check Team Cymru’s list of “bogons”
wwwteam-cymruorg/Services/Bogons/httphtml
For IPv4 also consult:
wwwietforg/internet-drafts/draft-vegoda-no-more-unallocatedslash8s-00txt
For IPv6 also consult:
wwwspacenet/~gert/RIPE/ipv6-filtershtml
Bogon Route Server:
wwwteam-cymruorg/Services/Bogons/routeserverhtml
Supplies a BGP feed (IPv4 and/or IPv6) of address blocks which should not appear in the BGP table
Receiving Prefixes
Paying attention to prefixes received from customers, peers and transit providers assists with:
The integrity of the local network
The integrity of the Internet
Responsibility of all ISPs to be good Internet citizens
Of passwords, tricks and templates
iBGP and IGPs Reminder!
Make sure loopback is configured on router iBGP between loopbacks, NOT real interfaces
Make sure IGP carries loopback /32 address
Consider the DMZ nets: Use unnumbered interfaces? Use next-hop-self on iBGP neighbours Or carry the DMZ /30s in the iBGP Basically keep the DMZ nets out of the IGP!
iBGP: Next-hop-self
BGP speaker announces external network to iBGP peers using router’s local address (loopback) as next-hop
Used by many ISPs on edge routers Preferable to carrying DMZ /30 addresses in the IGP Reduces size of IGP to just core infrastructure Alternative to using unnumbered interfaces Helps scale network Many ISPs consider this “best practice”
Limiting AS Path Length
Some BGP implementations have problems with long
AS_PATHS
Memory corruption
Memory fragmentation
Even using AS_PATH prepends, it is not normal to see more than 20 ASes in a typical AS_PATH in the Internet today
The Internet is around 5 ASes deep on average
Largest AS_PATH is usually 16-20 ASNs
Limiting AS Path Length
Some announcements have ridiculous lengths of AS-paths: *> 3FFE:1600::/24 22 11537 145 12199 10318 10566 13193 1930 2200 3425 293 5609 5430 13285 6939 14277 1849 33 15589 25336 6830 8002 2042 7610 i
This example is an error in one IPv6 implementation
*> 96272460/24 2497 1239 12026 12026 12026 12026 12026 12026 12026 12026 12026 12026 12026 12026 12026 12026 12026 12026 12026 12026 12026 12026 12026 12026 i
This example shows 21 prepends (for no obvious reason)
If your implementation supports it, consider limiting the maximum AS-path length you will accept
BGP TTL “hack”
Implement RFC5082 on BGP peerings (Generalised TTL Security Mechanism) Neighbour sets TTL to 255 Local router expects TTL of incoming BGP packets to be 254 No one apart from directly attached devices can send BGP
packets which arrive with TTL of 254, so any possible attack by a remote miscreant is dropped due to TTL mismatch
BGP TTL “hack”
TTL Hack: Both neighbours must agree to use the feature TTL check is much easier to perform than MD5 (Called BTSH BGP TTL Security Hack)
Provides “security” for BGP sessions In addition to packet filters of course MD5 should still be used for messages which slip through the
TTL hack See wwwnanogorg/mtg-0302/hackhtml for more details
Templates
Good practice to configure templates for everything
Vendor defaults tend not to be optimal or even very useful for ISPs ISPs create their own defaults by using configuration templates
eBGP and iBGP examples follow Also see Team Cymru’s BGP templates
http://wwwteam-cymruorg/ReadingRoom/Documents/
iBGP TemplateExample
iBGP between loopbacks!
Next-hop-self Keep DMZ and external point-to-point out of IGP
Always send communities in iBGP Otherwise accidents will happen
Hardwire BGP to version 4 Yes, this is being paranoid!
iBGP TemplateExample continued
Use passwords on iBGP session Not being paranoid, VERY necessary It’s a secret shared between you and your peer If arriving packets don’t have the correct MD5 hash, they are
ignored Helps defeat miscreants who wish to attack BGP sessions
Powerful preventative tool, especially when combined with filters and the TTL “hack”
eBGP TemplateExample
BGP damping Do NOT use it unless you understand the impact Do NOT use the vendor defaults without thinking
Remove private ASes from announcements Common omission today
Use extensive filters, with “backup” Use as-path filters to backup prefix filters Keep policy language for implementing policy, rather than basic
filtering
Use password agreed between you and peer on eBGPsession
eBGP TemplateExample continued
Use maximum-prefix tracking
Router will warn you if there are sudden increases in BGP table size, bringing down eBGP if desired
Limit maximum as-path length inbound
Log changes of neighbour state …and monitor those logs!
Make BGP admin distance higher than that of any IGP
Otherwise prefixes heard from outside your network could override your IGP!!
Summary
Use configuration templates
Standardise the configuration
Be aware of standard “tricks” to avoid compromise of the BGP session
Anything to make your life easier, network less prone to errors, network more likely to scale
It’s all about scaling if your network won’t scale, then it won’t be successful
Philip Smith <pfs@ciscocom> APRICOT 2011 Hong Kong, SAR, China 15 -25 February 2011
