# Fundamentals of BGP Operations


BGP Neighbor Summary

- TCP port: 179
- Timers: bgp timers _keepalive_ _holdtime_ sets them for the whole BGP process; neighbor _ip-address_ timers _keepalive_ _holdtime_ overrides them for one neighbor. Defaults are 60 and 180 seconds.
- Internal BGP neighbor: Neighbor is in the same AS.
- External BGP neighbor: Neighbor is in another AS.
- How is the BGP router ID (RID) determined? The bgp router-id command; otherwise the highest IP address of an up/up loopback interface when the BGP process starts; otherwise the highest IP address of any other up/up interface when the BGP process starts.
- How is the source IP selected to reach a neighbor? neighbor update-source, otherwise, uses the outgoing interface IP address.
- How is the destination IP selected to reach a neighbor? neighbor command.
- Auto-summary: Disabled by default.
- Neighbor authentication: MD5 only (the TCP MD5 signature option), configured with the neighbor _ip-address_ password _string_ command; the string must match on both sides.

Internal BGP Neighbors

router bgp 123
 no synchronization
 bgp log-neighbor-changes
 no auto-summary
 bgp router-id 111.111.111.111
 neighbor 2.2.2.2 remote-as 123
 neighbor 2.2.2.2 update-source Loopback1
 neighbor 3.3.3.3 remote-as 123
 neighbor 3.3.3.3 password secret-pw
 neighbor 3.3.3.3 update-source Loopback1

router bgp 123
 no synchronization
 bgp log-neighbor-changes
 no auto-summary
 neighbor my-as peer-group
 neighbor my-as remote-as 123
 neighbor my-as update-source Loopback1
 neighbor 1.1.1.1 peer-group my-as
 neighbor 1.1.1.1 password secret-pw
 neighbor 2.2.2.2 peer-group my-as
The neighbor peer-group command simplifies the configuration and reduces some BGP processing and memory overhead.

External BGP Neighbors

router bgp 123
 neighbor 172.16.16.6 remote-as 678

router bgp 123
 neighbor 4.4.4.4 remote-as 45
 neighbor 4.4.4.4 update-source loopback1
 neighbor 4.4.4.4 ebgp-multihop 2

Checks Before Becoming BGP Neighbors

1. The router must receive a TCP connection whose source address is configured in a neighbor command.
2. The router's ASN must match the configured remote ASN (not true for confederation configurations).
3. The BGP RIDs must not be the same.
4. If configured, MD5 authentication must pass.

BGP Open messages carry the hold time (the keepalive interval is not exchanged). If the two hold times differ, both routers use the lower value, and IOS then sends keepalives at one third of the negotiated hold time (or at the configured keepalive interval, if that is smaller). A hold time of 0 disables keepalives.

BGP Messages and Neighbor States

- Idle.
- Connect: Listen for TCP.
- Active: Listen for TCP, Initiate TCP.
- Open sent: Listen for TCP, Initiate TCP, TCP up, Open sent.
- Open confirm: Listen for TCP, Initiate TCP, TCP up, Open sent, Open received.
- Established: Listen for TCP, Initiate TCP, TCP up, Open sent, Open received, Neighbor up.

BGP Message Types

- Open: to establish a neighbor relationship and exchange basic parameters.
- Keepalive: to maintain the neighbor relationship.
- Update: to exchange routing information.
- Notification: to reset a neighbor relationship (used when BGP errors occur).
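As an added example (not part of the original notes), the following Python builds and parses the OPEN and KEEPALIVE messages described above, applies the two neighbor checks that happen at the BGP layer (ASN match, distinct RIDs) and negotiates the hold time the way the previous section describes. The wire format follows RFC 4271; the function names, the restriction to 2-byte ASNs, and the sample values (AS 123, RID 111.111.111.111) are this example's own assumptions.

```python
import struct
import ipaddress

BGP_MARKER = b"\xff" * 16                      # RFC 4271: 16 bytes of all ones
MSG_OPEN, MSG_UPDATE, MSG_NOTIFICATION, MSG_KEEPALIVE = 1, 2, 3, 4


def bgp_header(msg_type, body):
    """Common header: marker, 2-byte total length (header included), 1-byte type."""
    return BGP_MARKER + struct.pack("!HB", 19 + len(body), msg_type) + body


def build_open(asn, hold_time, router_id):
    """OPEN body: version 4, My AS, Hold Time, BGP Identifier, no optional parameters.
    Only 2-byte ASNs are handled here (4-byte ASNs need the AS4 capability, left out)."""
    if not 0 < asn <= 65535:
        raise ValueError("ASN must fit in 2 bytes for this example")
    rid = ipaddress.IPv4Address(router_id).packed
    return bgp_header(MSG_OPEN, struct.pack("!BHH4sB", 4, asn, hold_time, rid, 0))


def build_keepalive():
    """A KEEPALIVE is just the 19-byte header."""
    return bgp_header(MSG_KEEPALIVE, b"")


def parse_open(msg):
    """Parse an OPEN and apply the sanity checks a peer makes before moving to OpenConfirm."""
    if len(msg) < 29 or msg[:16] != BGP_MARKER:
        raise ValueError("bad marker or truncated message")
    length, msg_type = struct.unpack("!HB", msg[16:19])
    if msg_type != MSG_OPEN or length != len(msg):
        raise ValueError("not a well-formed OPEN")
    version, asn, hold, rid, opt_len = struct.unpack("!BHH4sB", msg[19:29])
    if version != 4:
        raise ValueError("unsupported BGP version")
    if hold != 0 and hold < 3:                   # hold time must be 0 or at least 3 seconds
        raise ValueError("unacceptable hold time")
    if rid == b"\x00\x00\x00\x00":               # BGP identifier must be nonzero
        raise ValueError("invalid BGP identifier")
    return {"asn": asn, "hold_time": hold, "router_id": str(ipaddress.IPv4Address(rid))}


def check_peer(expected_remote_asn, local_rid, peer_open):
    """Checks 2 and 3 from the list above. Check 1 (source address matches a neighbor
    command) and check 4 (TCP MD5) are enforced on the TCP connection before any OPEN is read."""
    if peer_open["asn"] != expected_remote_asn:
        return False, "Bad Peer AS"
    if peer_open["router_id"] == local_rid:
        return False, "Bad BGP Identifier (duplicate router ID)"
    return True, "ok"


def negotiate_timers(local_hold, peer_hold):
    """Both sides use the smaller hold time; IOS then runs keepalives at one third of it.
    A hold time of 0 disables keepalives, so the session never times out."""
    hold = min(local_hold, peer_hold)
    return hold, (hold // 3 if hold else 0)
```

The duplicate-RID and ASN checks are the ones a router answers with a NOTIFICATION (Bad Peer AS, Bad BGP Identifier); the TCP-level checks fail silently earlier, which is why a missing MD5 password shows up as a neighbor stuck in Active rather than as a BGP error.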

Purposefully Resetting BGP Peer Connections

The neighbor _ip-address_ shutdown and clear ip bgp _ip-address_ commands close the TCP connection to that neighbor and remove all entries learned from that neighbor from the BGP table. clear ip bgp _ip-address_ soft in | out re-processes or re-sends updates for that neighbor without tearing down the TCP session.

BGP network Command

The BGP network router subcommand instructs that router to look for a route in the router's IP routing table and, if it exists, put the equivalent NLRI (Network Layer Reachability Information) into the local BGP table.
With this logic, connected routes, static routes, or IGP routes could be taken from the IP routing table and placed into the BGP table for later advertisement. When the router removes that route from its IP routing table, BGP then removes the NLRI from the BGP table and notifies its neighbors.
Key features:

- No mask is configured: Assumes the default classful mask.
- No auto-summary configured: An IP route must match both the prefix and the prefix length.
- Auto-summary configured: A classful network matches if any subnets exist.
- NEXT_HOP path attribute: Uses next hop of IP route.
- Maximum number injected by the network command into one BGP process: Limited by NVRAM and RAM.
- Purpose of the route-map option on the network command: To filter routes and manipulate path attributes.

A NEXT_HOP path attribute equal to 0.0.0.0 in the BGP table implies a connected route or null0 route in the IP routing table.

Redistributing from an IGP, Static, or Connected Route

router bgp 678
 redistribute static metric 9
 redistribute eigrp 6 route-map just-30-something

Impact of Auto-Summary on Redistributed Routes and the network Command

The logic is summarized as follows:

- redistribute: if any subnets of a classful network would be redistributed, do not redistribute them, but instead redistribute a route for the classful network.
- network: if a network command lists a classful network number, with the classful default mask or no mask, and any subnets of the classful network exist, inject a route for the classful network.

Manual Summaries and the AS_PATH Path Attribute

BGP manual summarization with the aggregate-address command differs from using the auto-summary command.
It can summarize based on any routes in the BGP table, creating a summary of any prefix length. It does not always suppress the advertisement of the component subnets, although it can be configured to do so.
The AS_PATH PA consists of up to four different components, called segments:

- AS_SEQ
- AS_SET
- AS_CONFED_SEQ
- AS_CONFED_SET

When the component subnets of the summary route have differing AS_SEQ values, the aggregate-address command creates a summary route whose AS_SEQ is empty (null).
The AS_SET segment solves the loop-detection problem caused by a null AS_SEQ: it holds an unordered list of all the ASNs found in the component subnets' paths, so any of those ASes still sees its own ASN and drops the route.
The router suppresses the advertisement of all component subnets if the summary-only keyword is used, advertises all of them if the summary-only keyword is omitted, or advertises a subset if the suppress-map option is configured.

Router(config-router)# aggregate-address 23.0.0.0 255.0.0.0 summary-only as-set

Adding Default Routes to BGP

- Using the network 0.0.0.0 bgp subcommand. A route to 0.0.0.0/0 must exist in the local routing table via any means.
- Using the redistribute command and the default-information originate bgp subcommand.
- Using the neighbor _neighbor-id_ default-originate route-map _route-map-name_ bgp subcommand. Does not add a default route to the local BGP table; it causes the advertisement of a default route to the specified neighbor. With the route-map option, the referenced route map is checked against the IP routing table, and the default is advertised only while some route matches it.

ORIGIN Path Attribute

There are three BGP ORIGIN PA codes: IGP (i), EGP (e), Incomplete (?).
Routes redistributed into BGP use ORIGIN code ?.
Routes originated by EGP (Exterior Gateway Protocol), deprecated predecessor to BGP, use ORIGIN code e.
Routes created with the aggregate-address and:

- The as-set option is not used, use ORIGIN code i.
- The as-set option is used, and all component subnets use ORIGIN code i, use ORIGIN code i.
- The as-set option is used, and at least one subnet uses ORIGIN code ?, use ORIGIN code ?.
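The following Python is an added example, not part of the original notes, that computes the AS_PATH segments and ORIGIN code of a summary route the way the two sections above describe it. It goes slightly beyond the text: per RFC 4271 the leading ASNs common to every component stay in AS_SEQ and only the rest go into the AS_SET (when nothing is common, the AS_SEQ is empty, which is the case the notes describe), and an ORIGIN of e is carried through when a component has it. The dict layout, function names, and the sample components are assumptions of this example.

```python
AS_SEQ, AS_SET = "AS_SEQ", "AS_SET"
ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}          # ? is the "worst" origin, then e, then i


def common_leading(seqs):
    """Longest leading run of ASNs shared by every component AS_SEQ."""
    prefix = []
    for asns in zip(*seqs):                      # zip stops at the shortest sequence
        if len(set(asns)) != 1:
            break
        prefix.append(asns[0])
    return prefix


def aggregate_attrs(components, as_set=False):
    """components: list of {'as_seq': tuple of ASNs, 'origin': 'i'|'e'|'?'} from the BGP table.
    Returns the summary's AS_PATH segments, ORIGIN code and ATOMIC_AGGREGATE flag."""
    if not components:
        raise ValueError("a summary needs at least one component subnet in the BGP table")
    if not as_set:
        # Path information is discarded: empty AS_PATH, ORIGIN i, and ATOMIC_AGGREGATE
        # tells downstream routers that the summary hides more specific paths.
        return {"as_path": [], "origin": "i", "atomic_aggregate": True}
    seqs = [list(c["as_seq"]) for c in components]
    seq = common_leading(seqs)
    leftover = sorted({asn for s in seqs for asn in s[len(seq):]})
    segments = []
    if seq:
        segments.append((AS_SEQ, seq))
    if leftover:                                 # unordered list of every remaining ASN
        segments.append((AS_SET, leftover))
    origin = max((c["origin"] for c in components), key=ORIGIN_RANK.__getitem__)
    return {"as_path": segments, "origin": origin, "atomic_aggregate": False}


def show_as_path(segments):
    """Render roughly as show ip bgp does: AS_SEQ ASNs space-separated, AS_SET in braces."""
    parts = []
    for stype, asns in segments:
        if stype == AS_SET:
            parts.append("{" + ",".join(str(a) for a in asns) + "}")
        else:
            parts.append(" ".join(str(a) for a in asns))
    return " ".join(parts)


# Constructed sample: two /16s learned via AS 678 from two different upstream ASes.
SAMPLE_COMPONENTS = [
    {"as_seq": (678, 45), "origin": "i"},
    {"as_seq": (678, 90), "origin": "?"},
]
```

Running aggregate_attrs(SAMPLE_COMPONENTS, as_set=True) gives an AS_PATH of 678 {45,90} with ORIGIN ?, which is what the as-set rules above predict: AS 45 and AS 90 both still find themselves in the path and drop it, and the worst component origin wins.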

BGP Update Message

Each Update message has three main parts:

- The withdrawn routes field to inform its neighbors about failed routes.
- The PA field lists the PA for each route.
- The prefix and prefix length fields define each individual NLRI.

All the prefixes listed in a single update message share the same set of PA values.
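As an added example (not code from the original notes), this Python encodes and parses an UPDATE with the three parts listed above: withdrawn routes, the path attributes shared by every prefix in the message, and the NLRI. The prefix encoding (1 byte of prefix length followed by only as many octets as the length needs) and the attribute TLV layout follow RFC 4271; every length field is checked against the bytes actually present, since a length that overruns the message is the classic way a malformed UPDATE tears a session down. Only ORIGIN, AS_PATH and NEXT_HOP are decoded, the AS_PATH is limited to 2-byte ASNs, and the sample prefixes and next hop are assumptions of this example.

```python
import struct
import ipaddress

BGP_MARKER = b"\xff" * 16
MSG_UPDATE = 2
ATTR_ORIGIN, ATTR_AS_PATH, ATTR_NEXT_HOP = 1, 2, 3
FLAG_TRANSITIVE, FLAG_EXT_LEN = 0x40, 0x10
ORIGIN_CODES = {0: "i", 1: "e", 2: "?"}


def encode_prefixes(prefixes):
    """Withdrawn-route / NLRI encoding: 1 byte of prefix length, then only the octets it covers."""
    out = b""
    for p in prefixes:
        net = ipaddress.IPv4Network(p)
        nbytes = (net.prefixlen + 7) // 8
        out += bytes([net.prefixlen]) + net.network_address.packed[:nbytes]
    return out


def decode_prefixes(data):
    """Inverse of encode_prefixes; rejects impossible lengths and entries cut off by the field end."""
    prefixes, i = [], 0
    while i < len(data):
        plen = data[i]
        if plen > 32:
            raise ValueError("prefix length > 32")
        nbytes = (plen + 7) // 8
        chunk = data[i + 1:i + 1 + nbytes]
        if len(chunk) != nbytes:
            raise ValueError("prefix runs past the end of the field")
        addr = ipaddress.IPv4Address(chunk.ljust(4, b"\x00"))
        prefixes.append(f"{addr}/{plen}")
        i += 1 + nbytes
    return prefixes


def encode_attr(code, value):
    """Attribute TLV: flags, type code, 1-byte length (2 bytes when the extended-length flag is set)."""
    flags = FLAG_TRANSITIVE | (FLAG_EXT_LEN if len(value) > 255 else 0)
    fmt = "!BBH" if flags & FLAG_EXT_LEN else "!BBB"
    return struct.pack(fmt, flags, code, len(value)) + value


def encode_as_path(asns):
    """A single AS_SEQUENCE segment (type 2) with 2-byte ASNs."""
    return bytes([2, len(asns)]) + b"".join(struct.pack("!H", a) for a in asns)


def decode_as_path(data):
    segments, i = [], 0
    while i + 2 <= len(data):
        stype, count = data[i], data[i + 1]
        raw = data[i + 2:i + 2 + 2 * count]
        if len(raw) != 2 * count:
            raise ValueError("AS_PATH segment truncated")
        segments.append(("AS_SET" if stype == 1 else "AS_SEQ", list(struct.unpack("!%dH" % count, raw))))
        i += 2 + 2 * count
    return segments


def build_update(withdrawn, nlri, origin=0, as_path=(), next_hop=None):
    """UPDATE body = withdrawn length, withdrawn routes, attribute length, attributes, NLRI."""
    w = encode_prefixes(withdrawn)
    attrs = b""
    if nlri:                                     # NLRI requires the three well-known mandatory PAs
        attrs = (encode_attr(ATTR_ORIGIN, bytes([origin]))
                 + encode_attr(ATTR_AS_PATH, encode_as_path(as_path))
                 + encode_attr(ATTR_NEXT_HOP, ipaddress.IPv4Address(next_hop).packed))
    body = struct.pack("!H", len(w)) + w + struct.pack("!H", len(attrs)) + attrs + encode_prefixes(nlri)
    return BGP_MARKER + struct.pack("!HB", 19 + len(body), MSG_UPDATE) + body


def parse_update(msg):
    """Parse an UPDATE, checking every length field against the bytes actually present."""
    if len(msg) < 23 or msg[:16] != BGP_MARKER:
        raise ValueError("bad marker or truncated message")
    length, msg_type = struct.unpack("!HB", msg[16:19])
    if msg_type != MSG_UPDATE or length != len(msg):
        raise ValueError("not a well-formed UPDATE")
    body = msg[19:]
    wlen = struct.unpack("!H", body[:2])[0]
    if len(body) < 4 + wlen:
        raise ValueError("Malformed Attribute List")
    alen = struct.unpack("!H", body[2 + wlen:4 + wlen])[0]
    withdrawn = body[2:2 + wlen]
    attrs_raw = body[4 + wlen:4 + wlen + alen]
    nlri = body[4 + wlen + alen:]
    if len(attrs_raw) != alen:
        raise ValueError("Malformed Attribute List")
    attrs, i = {}, 0
    while i < len(attrs_raw):
        if len(attrs_raw) - i < 3:
            raise ValueError("attribute header truncated")
        flags, code = attrs_raw[i], attrs_raw[i + 1]
        if flags & FLAG_EXT_LEN:
            if len(attrs_raw) - i < 4:
                raise ValueError("attribute header truncated")
            vlen, i = struct.unpack("!H", attrs_raw[i + 2:i + 4])[0], i + 4
        else:
            vlen, i = attrs_raw[i + 2], i + 3
        value = attrs_raw[i:i + vlen]
        if len(value) != vlen:
            raise ValueError("attribute value runs past the attribute list")
        i += vlen
        if code == ATTR_ORIGIN:
            attrs["origin"] = ORIGIN_CODES[value[0]]
        elif code == ATTR_AS_PATH:
            attrs["as_path"] = decode_as_path(value)
        elif code == ATTR_NEXT_HOP:
            attrs["next_hop"] = str(ipaddress.IPv4Address(value))
    if nlri and {"origin", "as_path", "next_hop"} - set(attrs):
        raise ValueError("Missing Well-known Attribute")
    return {"withdrawn": decode_prefixes(withdrawn), "attrs": attrs, "nlri": decode_prefixes(nlri)}


def is_well_formed(msg):
    """True if parse_update accepts the message, False for any length or format violation."""
    try:
        parse_update(msg)
        return True
    except (ValueError, struct.error):
        return False
```

Note that both prefixes in a single build_update call share one ORIGIN, AS_PATH and NEXT_HOP: a router that needs different attributes for different prefixes sends separate UPDATE messages, which is exactly the "all prefixes share the same set of PA values" rule above.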

Determining the Contents of Updates

BGP advertises a route to reach a particular subnet (NLRI) only if that route is considered the best route and if it is not matched by a deny clause in an outbound BGP filter. The simplified selection order:

- Choose the route with the shortest AS_PATH.
- Prefer an eBGP-learned route over an iBGP-learned route.
- Prefer the route with the lowest IGP metric to the NEXT_HOP. The NEXT_HOP has to be:
  - 0.0.0.0 (route injected on the local router), or
  - reachable according to the IP routing table.
- Choose the iBGP-learned route with the lowest BGP RID of the advertising router.

When sending to an eBGP peer, the NEXT_HOP is changed to the same IP address used as the source IP address of the BGP Update message.
Can be changed via the command neighbor ... next-hop-unchanged
When sending to an iBGP peer, the default action is to leave the NEXT_HOP PA unchanged.
Can be changed via the command neighbor ... next-hop-self

Another important rule: a router does not advertise paths learned from iBGP neighbors to other iBGP neighbors.
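The following Python is an added example (not part of the original notes) of the three rules above working together: the simplified best-route selection with its NEXT_HOP reachability check, the NEXT_HOP rewrite when sending to an eBGP peer versus an iBGP peer (with next-hop-self and next-hop-unchanged as overrides), and the rule that iBGP-learned paths are not passed to other iBGP peers. The candidate dict layout, the sample paths and routing table, and the choice to rank a locally injected route together with eBGP-learned ones are assumptions of this example.

```python
from ipaddress import ip_address, ip_network

SOURCE_RANK = {"local": 0, "ebgp": 0, "ibgp": 1}   # eBGP-learned (and locally injected) beat iBGP


def next_hop_reachable(next_hop, routing_table):
    """NEXT_HOP 0.0.0.0 marks a locally injected route; any other NEXT_HOP must match an IP route."""
    if next_hop == "0.0.0.0":
        return True
    return any(ip_address(next_hop) in ip_network(dest) for dest in routing_table)


def choose_best(candidates, routing_table, igp_metric):
    """candidates: paths for one prefix, each {'as_path': tuple, 'source': 'ebgp'|'ibgp'|'local',
    'next_hop': str, 'rid': advertising router's RID}. igp_metric: next_hop -> IGP metric."""
    usable = [r for r in candidates if next_hop_reachable(r["next_hop"], routing_table)]
    if not usable:
        return None

    def key(r):
        metric = 0 if r["next_hop"] == "0.0.0.0" else igp_metric[r["next_hop"]]
        return (len(r["as_path"]), SOURCE_RANK[r["source"]], metric, int(ip_address(r["rid"])))

    return min(usable, key=key)


def outbound(best, local_asn, peer_type, update_source, next_hop_self=False, next_hop_unchanged=False):
    """What this router advertises for its best path to one peer, or None if it must stay silent."""
    if best["source"] == "ibgp" and peer_type == "ibgp":
        return None                               # iBGP-learned paths are not passed to iBGP peers
    next_hop, as_path = best["next_hop"], tuple(best["as_path"])
    if next_hop == "0.0.0.0":
        next_hop = update_source                  # locally injected: advertise our own address
    if peer_type == "ebgp":
        as_path = (local_asn,) + as_path          # local ASN is prepended only towards eBGP peers
        if not next_hop_unchanged:
            next_hop = update_source              # default eBGP behaviour: NEXT_HOP = update source
    elif next_hop_self:
        next_hop = update_source                  # iBGP: unchanged unless next-hop-self
    return {"next_hop": next_hop, "as_path": as_path}


# Constructed sample: two paths for 10.0.0.0/8 in AS 123's BGP table.
SAMPLE_PATHS = [
    {"as_path": (678,), "source": "ebgp", "next_hop": "172.16.16.6", "rid": "6.6.6.6"},
    {"as_path": (45,), "source": "ibgp", "next_hop": "4.4.4.4", "rid": "2.2.2.2"},
]
SAMPLE_RIB = ["172.16.16.4/30", "4.4.4.4/32"]    # constructed IP routing table
SAMPLE_IGP = {"172.16.16.6": 0, "4.4.4.4": 20}   # constructed IGP metrics to each next hop
```

With SAMPLE_RIB as given, the eBGP path wins on the second rule even though both AS_PATHs have length 1; remove 172.16.16.4/30 from the routing table and the eBGP path is no longer usable, so the iBGP path becomes best. This is the same reachability failure that makes a route show up in show ip bgp but never in the routing table when the next hop is not advertised into the IGP.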

Adding eBGP Routes to the IP Routing Table

The two requirements are:

- The eBGP route in the BGP table is the best route.
- The AD for eBGP routes must be lower than the ADs for other routing sources (IGP or static routes) that offer the same prefix.

The AD for eBGP routes is 20, for iBGP routes is 200 and for local (locally injected) routes is 200.
These values can be overridden by using:

- distance bgp _external-distance_ _internal-distance_ _local-distance_ BGP subcommand, or
- distance _distance_ _ip-address_ _wildcard_ _access-list_ BGP subcommand (change AD for routes received by neighbor)

Backdoor Routes

Using network _network_ backdoor BGP subcommand, routers use the local AD (200) for that network and do not advertise it with BGP.

Adding iBGP Routes to the IP Routing Table

The same two eBGP requirements plus the concept of BGP synchronization.
With no synchronization, BGP uses the same logic for iBGP routes as it does for eBGP routes.
With synchronization, BGP does not consider an iBGP route as best unless the exact prefix was learned via IGP and is currently in the routing table.

Using Sync and Redistributing Routes

Redistribution solves the routing black-hole problem and sync solves the problem of advertising a black-hole route to another AS.
Sync does not work with OSPF unless the OSPF RID and the BGP RID match: the RID of the OSPF router that advertised the prefix into OSPF must equal the BGP RID of the iBGP neighbor that advertised the same prefix, or the sync check fails.

Disabling Sync and Using BGP on All Routers in an AS

A second method is simply to use BGP to advertise all BGP-learned prefixes to all routers in the AS.
The downside is the addition of iBGP neighbor connections between each pair of routers (performance and convergence time).
BGP needs the full mesh of iBGP peers because it does not advertise iBGP-learned routes to another iBGP peer.
BGP offers two alternatives: confederations and route reflectors.

Confederations

- Inside a sub-AS, full mesh is required.
- The confederation eBGP connections act like normal eBGP connections in that iBGP routes are advertised.
- The confederation eBGP connections act like normal eBGP connections regarding TTL (1 by default).
- The confederation eBGP connections act like iBGP connections in every other regard (NEXT_HOP is not changed by default).
- Confederation ASNs are not considered part of the length of the AS_PATH when a router chooses the best routes.
- Confederation routers remove the confederation ASNs from the AS_PATH in updates sent outside the AS.
- Confederation routers use the AS_CONFED_SEQ and AS_CONFED_SET segments of the AS_PATH PA.
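As an added example (not from the original notes), this Python shows how the AS_PATH of one route evolves as it crosses the confederation above: learned from AS 678 by a border router in sub-AS 65023, passed to sub-AS 65001 over a confederation eBGP session, and finally sent to AS 45 outside the confederation. It implements the three bullets about AS_PATH handling: confederation segments do not count toward path length, they are stripped on the way out, and they use the AS_CONFED_SEQ segment type. The segment representation, the peer-kind names, and the loop-check helper are assumptions of this example; the rule that an AS_SET counts as one hop comes from RFC 4271 rather than from the notes.

```python
AS_SEQ, AS_SET, AS_CONFED_SEQ, AS_CONFED_SET = "AS_SEQ", "AS_SET", "AS_CONFED_SEQ", "AS_CONFED_SET"
CONFED_SEGMENTS = {AS_CONFED_SEQ, AS_CONFED_SET}


def as_path_length(segments):
    """AS_PATH length as best-path uses it: every ASN in an AS_SEQ counts, an AS_SET counts as
    one hop (RFC 4271 9.1.2.2), and confederation segments do not count at all."""
    return sum(len(asns) if stype == AS_SEQ else 1 if stype == AS_SET else 0
               for stype, asns in segments)


def detects_loop(segments, local_sub_asn, confed_id):
    """A path that already carries our sub-AS (inside the confederation) or our
    confederation ID (in a public segment) has looped and must be dropped."""
    for stype, asns in segments:
        if stype in CONFED_SEGMENTS and local_sub_asn in asns:
            return True
        if stype not in CONFED_SEGMENTS and confed_id in asns:
            return True
    return False


def _prepend(segments, stype, asn):
    """Prepend asn to the leading segment if it has the right type, else open a new segment."""
    if segments and segments[0][0] == stype:
        return [(stype, [asn] + segments[0][1])] + segments[1:]
    return [(stype, [asn])] + segments


def path_to_send(segments, local_sub_asn, confed_id, peer_kind):
    """peer_kind: 'ibgp' (same sub-AS: path untouched), 'confed_ebgp' (other sub-AS: prepend our
    sub-ASN as AS_CONFED_SEQ), 'ebgp' (outside: strip confed segments, prepend the confederation ID)."""
    segs = [(stype, list(asns)) for stype, asns in segments]
    if peer_kind == "ibgp":
        return segs
    if peer_kind == "confed_ebgp":
        return _prepend(segs, AS_CONFED_SEQ, local_sub_asn)
    if peer_kind == "ebgp":
        public = [(stype, asns) for stype, asns in segs if stype not in CONFED_SEGMENTS]
        return _prepend(public, AS_SEQ, confed_id)
    raise ValueError("unknown peer kind: " + peer_kind)


def show_as_path(segments):
    """Roughly how show ip bgp prints it: confederation segments in parentheses, sets in braces."""
    out = []
    for stype, asns in segments:
        text = " ".join(str(a) for a in asns)
        if stype == AS_SET:
            text = "{" + ",".join(str(a) for a in asns) + "}"
        elif stype == AS_CONFED_SEQ:
            text = "(" + text + ")"
        elif stype == AS_CONFED_SET:
            text = "({" + ",".join(str(a) for a in asns) + "})"
        out.append(text)
    return " ".join(out)
```

Inside the confederation the route shows as (65023) 678 with an effective AS_PATH length of 1, so a second path learned directly from another sub-AS would still compete on equal terms; AS 45 only ever sees 123 678.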

Configuring Confederations

router bgp 65001
 no synchronization
 bgp router-id 111.111.111.111
 bgp confederation identifier 123
 bgp confederation peers 65023
 neighbor 2.2.2.2 remote-as 65023
 neighbor 2.2.2.2 ebgp-multihop 2
 neighbor 2.2.2.2 update-source loopback1
 neighbor 2.2.2.2 next-hop-self
 neighbor 172.16.16.6 remote-as 678

router bgp 65023
 no synchronization
 bgp confederation identifier 123
 bgp confederation peers 65001
 neighbor 1.1.1.1 remote-as 65001
 neighbor 1.1.1.1 ebgp-multihop 2
 neighbor 1.1.1.1 update-source loopback1
 neighbor 3.3.3.3 remote-as 65023
 neighbor 3.3.3.3 ebgp-multihop 2
 neighbor 3.3.3.3 update-source loopback1

router bgp 65023
 no synchronization
 bgp log-neighbor-changes
 bgp confederation identifier 123
 neighbor 2.2.2.2 remote-as 65023
 neighbor 2.2.2.2 ebgp-multihop 2
 neighbor 2.2.2.2 update-source loopback1
 neighbor 2.2.2.2 next-hop-self
 neighbor 4.4.4.4 remote-as 45
 neighbor 4.4.4.4 ebgp-multihop 2
 neighbor 4.4.4.4 update-source loopback1

Route Reflectors

Some routers are configured as RR servers, some as clients, and the others as non-clients (normal iBGP or eBGP neighbors).
A RR cluster contains one or more RR servers and one or more clients.
Clients only peer with the RR servers in a cluster.
RR servers peer with clients and non-clients.

To prevent loops, the RR feature uses:

- CLUSTER_LIST: RR servers add their cluster ID to the CLUSTER_LIST PA before sending an update. When receiving an update, RR servers discard received prefixes in whose CLUSTER_LIST their own cluster ID already appears.
- ORIGINATOR_ID: This PA lists the RID of the first iBGP peer to advertise the route into the AS. If a router sees its own RID in the ORIGINATOR_ID, it does not use or propagate the route.
- Only advertise the best routes: RR servers reflect routes only if the routes are the best ones in its own BGP table.
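The following Python is an added example, not part of the original notes, of the three loop-prevention rules above applied by a route reflector: the inbound CLUSTER_LIST and ORIGINATOR_ID checks, the stamping of those attributes when a route is reflected, and reflecting only the best path. It also encodes which iBGP peers receive a route depending on where it was learned (from a client: all other clients and non-clients; from a non-client: clients only; from eBGP: every iBGP peer, with no RR attributes added). The route dict layout and the sample topology (an RR with cluster ID 0.0.0.2, client 1.1.1.1 and non-client 2.2.2.2, matching the configs below) are assumptions of this example.

```python
def accept_reflected(route, local_rid, cluster_id):
    """Inbound loop checks applied before a reflected route is used or propagated."""
    if cluster_id in route.get("cluster_list", []):
        return False, "own cluster ID already in CLUSTER_LIST"
    if route.get("originator_id") == local_rid:
        return False, "own RID in ORIGINATOR_ID"
    return True, "ok"


def reflect(route, cluster_id, learned_from, sender_rid, ibgp_peers, is_best=True):
    """Return {peer_rid: attributes} for the iBGP peers this RR forwards the route to.
    learned_from: 'client' | 'nonclient' | 'ebgp'. ibgp_peers: rid -> 'client' | 'nonclient'.
    Only the RR's own best path for the prefix is ever reflected."""
    if not is_best:
        return {}
    if learned_from == "nonclient":
        targets = [rid for rid, kind in ibgp_peers.items() if kind == "client" and rid != sender_rid]
    else:                                         # from a client or an eBGP peer: everyone but the sender
        targets = [rid for rid in ibgp_peers if rid != sender_rid]
    out = dict(route)
    if learned_from != "ebgp":                    # RR attributes are added only to reflected iBGP routes
        out["originator_id"] = route.get("originator_id") or sender_rid
        out["cluster_list"] = [cluster_id] + list(route.get("cluster_list", []))
    return {rid: out for rid in targets}


# Constructed sample: RR 9.9.9.9 (cluster 0.0.0.2) with one client and one non-client peer.
RR_CLUSTER = "0.0.0.2"
RR_PEERS = {"1.1.1.1": "client", "2.2.2.2": "nonclient"}
SAMPLE_ROUTE = {"prefix": "10.0.0.0/8", "next_hop": "4.4.4.4", "as_path": (45,)}
```

A route from the client is sent on to the non-client with ORIGINATOR_ID 1.1.1.1 and CLUSTER_LIST [0.0.0.2]; if that copy ever came back through cluster 0.0.0.2 it is dropped on the CLUSTER_LIST check, and if it reached 1.1.1.1 through some other path it is dropped on the ORIGINATOR_ID check. Because these attributes are optional and nontransitive, a router that does not implement RR simply drops them, which is why the loop checks must be done by the reflectors themselves.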

router bgp 123
 no synchronization
 neighbor 2.2.2.2 remote-as 123
 neighbor 2.2.2.2 update-source loopback1
 neighbor 2.2.2.2 next-hop-self
 neighbor 4.4.4.4 remote-as 45
 neighbor 4.4.4.4 ebgp-multihop 255
 neighbor 4.4.4.4 update-source loopback1

router bgp 123
 no synchronization
 bgp cluster-id 1 ! 0.0.0.1
 neighbor 3.3.3.3 remote-as 123
 neighbor 3.3.3.3 update-source loopback1
 neighbor 3.3.3.3 route-reflector-client
 neighbor 9.9.9.9 remote-as 123
 neighbor 9.9.9.9 update-source loopback1

router bgp 123
 no synchronization
 bgp router-id 9.9.9.9
 bgp cluster-id 2 ! 0.0.0.2
 neighbor 1.1.1.1 remote-as 123
 neighbor 1.1.1.1 update-source loopback1
 neighbor 1.1.1.1 route-reflector-client
 neighbor 2.2.2.2 remote-as 123
 neighbor 2.2.2.2 update-source loopback1

Summary: BGP PAs

- AS_PATH: List ASNs through which the route has been advertised. Well known and mandatory.
- NEXT_HOP: Lists the next-hop IP to reach an NLRI. Well known and mandatory.
- AGGREGATOR: Lists the RID and ASN of the router that created a summary NLRI. Optional and transitive.
- ATOMIC_AGGREGATE: Tags a summary NLRI as being a summary. Well known and discretionary.
- ORIGIN: Value from where the route was injected into BGP: i, e or ?. Well known and mandatory.
- ORIGINATOR_ID: Used by RR servers to know the RID of the iBGP neighbor that injected the NLRI into the AS. Optional and nontransitive.
- CLUSTER_LIST: Used by RR servers to list the cluster IDs in order to prevent loops. Optional and nontransitive.

- Well known: the PA must be supported by any BGP implementation.
- Mandatory: the PA must appear in every BGP update that carries NLRI.
- Discretionary: the PA may or may not appear in a BGP update.
- Optional: the PA may or may not be supported by every BGP implementation.
- Transitive: If the PA is received but not recognized, it should be passed on to the next AS.
- Nontransitive: If the PA is received but not recognized, it is not required to pass it on.

Summary: Methods to introduce entries into the BGP table

- network command: Advertises a route into BGP. Depends on the existence of the network in the routing table.
- Redistribution: Takes IGP, static or connected routes.
- Manual summarization: Requires at least one component subnet in the BGP table.
- default-information originate: Requires a default route in the routing table plus the redistribute command.
- neighbor default-originate: An optional route map filters the default route advertisement.
