© 2006 Cisco Systems, Inc. All rights reserved. BSCI v3.06-1 Implementing BGP Configuring Basic BGP Operations.


BGP Commands

Router(config)# router bgp autonomous-system

This command enters router configuration mode only; subcommands must be entered to activate BGP.
Only one instance of BGP can be configured on the router at a single time.
The autonomous system number identifies the autonomous system to which the router belongs.
The autonomous system number in this command is compared to the autonomous system numbers listed in neighbor statements to determine if the neighbor is an internal or external neighbor.

BGP neighbor remote-as Command

Router(config-router)# neighbor {ip-address | peer-group-name} remote-as autonomous-system

The neighbor command activates a BGP session with this neighbor.
The IP address that is specified is the destination address of BGP packets going to this neighbor.
This router must have an IP path to reach this neighbor before it can set up a BGP relationship.
The remote-as option shows what AS this neighbor is in. This AS number is used to determine if the neighbor is internal or external.
This command is used for both external and internal neighbors.

Example: BGP neighbor Command

BGP neighbor shutdown Command

Router(config-router)# neighbor {ip-address | peer-group-name} shutdown
Administratively brings down a BGP neighbor.
Used for maintenance and policy changes to prevent route flapping.

Router(config-router)# no neighbor {ip-address | peer-group-name} shutdown
Re-enables a BGP neighbor that has been administratively shut down.

BGP Issues with Source IP Address

When creating a BGP packet, the neighbor statement defines the destination IP address and the outbound interface defines the source IP address.
When a BGP packet is received for a new BGP session, the source address of the packet is compared to the list of neighbor statements:
  – If a match is found, a relationship is established.
  – If no match is found, the packet is ignored.
Make sure that the source IP address matches the address that the other router has in its neighbor statement.

Example: IBGP Peering Issue

BGP neighbor update-source Command

Router(config-router)# neighbor {ip-address | peer-group-name} update-source interface-type interface-number

This command allows the BGP process to use the IP address of a specified interface as the source IP address of all BGP updates to that neighbor.
A loopback interface is usually used, because it will be available as long as the router is operational.
The IP address used in the neighbor command on the other router will be the destination IP address of all BGP updates and should be the loopback interface of this router.
The neighbor update-source command is normally used only with IBGP neighbors.
The address of an EBGP neighbor must be directly connected by default; the loopback of an EBGP neighbor is not directly connected.

Example: BGP Using Loopback Addresses

BGP neighbor ebgp-multihop Command

Router(config-router)# neighbor {ip-address | peer-group-name} ebgp-multihop [ttl]

This command increases the default of one hop for EBGP peers.
It allows routes to the EBGP loopback address (which will have a hop count greater than 1).

Example: ebgp-multihop Command

Next-Hop Behavior

BGP is an AS-by-AS routing protocol, not a router-by-router routing protocol.
In BGP, the next hop does not mean the next router; it means the IP address to reach the next AS.
For EBGP, the default next hop is the IP address of the neighbor router that sent the update.
For IBGP, the BGP protocol states that the next hop advertised by EBGP should be carried into IBGP.

Example: Next-Hop Behavior

Router A advertises network to router B in EBGP, with a next hop of
Router B advertises in IBGP to router C, keeping as the next-hop address.

BGP neighbor next-hop-self Command

Router(config-router)# neighbor {ip-address | peer-group-name} next-hop-self

Forces all updates for this neighbor to be advertised with this router as the next hop.
The IP address used for the next-hop-self option will be the same as the source IP address of the BGP packet.

Example: next-hop-self Configuration

Example: Next Hop on a Multiaccess Network

The following takes place in a multiaccess network:
Router B advertises network to router A in EBGP with a next hop of , not This avoids an unnecessary hop.
BGP is being efficient by informing AS of the best entry point into AS for network
Router B in AS also advertises to AS that the best entry point for each network in AS is the next hop of router C because that is the best path to move through AS to AS

Using a Peer Group

Router(config-router)# neighbor peer-group-name peer-group
This command creates a peer group.

Router(config-router)# neighbor ip-address peer-group peer-group-name
This command defines a template with parameters set for a group of neighbors instead of individually.

This command is useful when many neighbors have the same outbound policies.
Members can have a different inbound policy.
Updates are generated once per peer group.
Configuration is simplified.

Example: Using a Peer Group

Router C Without a Peer Group

router bgp
 neighbor remote-as
 neighbor update-source Loopback 0
 neighbor next-hop-self
 neighbor distribute-list 20 out
 neighbor remote-as
 neighbor update-source Loopback 0
 neighbor next-hop-self
 neighbor distribute-list 20 out
 neighbor remote-as
 neighbor update-source Loopback 0
 neighbor next-hop-self
 neighbor distribute-list 20 out

Router C Using a Peer Group

router bgp
 neighbor internal peer-group
 neighbor internal remote-as
 neighbor internal update-source Loopback 0
 neighbor internal next-hop-self
 neighbor internal distribute-list 20 out
 neighbor peer-group internal
 neighbor peer-group internal
 neighbor peer-group internal

BGP network Command

Router(config-router)# network network-number [mask network-mask] [route-map map-tag]

This command tells BGP what network to advertise.
The command does not activate the protocol on an interface.
Without a mask option, the command advertises classful networks. If a subnet of the classful network exists in a routing table, the classful address is announced.
With the mask option, BGP looks for an exact match in the local routing table before announcing the route.

Example: BGP network Command

Router(config-router)# network mask
The router looks for exactly /24 in the routing table, but cannot find it, so it will not announce anything.

Router(config-router)# network mask
The router looks for exactly /16 in the routing table. If the exact route is not in the table, you can add a static route to null0 so that the route can be announced.

BGP Synchronization

Synchronization rule: Do not use or advertise to an external neighbor a route learned by IBGP until a matching route has been learned from an IGP.
Ensures consistency of information throughout the AS.
Safe to have it off only if all routers in the transit path in the AS are running full-mesh IBGP; off by default in Cisco IOS software release 12.2(8)T and later.

Router(config-router)# no synchronization
Disables BGP synchronization so that a router will advertise routes in BGP without learning them in an IGP.

Router(config-router)# synchronization
Enables BGP synchronization so that a router will not advertise routes in BGP until it learns them in an IGP.

Example: BGP Synchronization

If synchronization is on, then:
  – Routers A, C, and D would not use or advertise the route to until they receive the matching route via an IGP.
  – Router E would not hear about
If synchronization is off (the default), then:
  – Routers A, C, and D would use and advertise the route that they receive via IBGP; router E would hear about
  – If router E sends traffic for , routers A, C, and D would route the packets correctly to router B.

Example: BGP Configuration

BGP Example Configuration

RouterB(config)# router bgp
RouterB(config-router)# neighbor remote-as
RouterB(config-router)# neighbor remote-as
RouterB(config-router)# neighbor update-source Loopback 0
RouterB(config-router)# neighbor next-hop-self
RouterB(config-router)# network mask
RouterB(config-router)# network
RouterB(config-router)# network
RouterB(config-router)# no synchronization

BGP States

When establishing a BGP session, BGP goes through the following states:
1. Idle: Router is searching routing table to see whether a route exists to reach the neighbor.
2. Connect: Router found a route to the neighbor and has completed the three-way TCP handshake.
3. Open sent: Open message sent, with the parameters for the BGP session.
4. Open confirm: Router received agreement on the parameters for establishing session.
   – Alternatively, router goes into active state if no response to open message.
5. Established: Peering is established; routing begins.

BGP Established and Idle States

Idle: The router in this state cannot find the address of the neighbor in the routing table. Check for an IGP problem. Is the neighbor announcing the route?
Established: The established state is the proper state for BGP operations. In the output of the show ip bgp summary command, if the state column has a number, then the route is in the established state. The number is how many routes have been learned from this neighbor.

Example: show ip bgp neighbors Command

RouterA#sh ip bgp neighbors
BGP neighbor is , remote AS 64998, external link
  BGP version 4, remote router ID
  BGP state = Established, up for 00:19:10
  Last read 00:00:10, last write 00:00:10, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received(old & new)
    Address family IPv4 Unicast: advertised and received
  Message statistics:
    InQ depth is 0
    OutQ depth is 0
                    Sent  Rcvd
    Opens:             7     7
    Notifications:     0     0
    Updates:

BGP Active State Troubleshooting

Active: The router has sent an open packet and is waiting for a response.
The state may cycle between active and idle. The neighbor may not know how to get back to this router because of the following reasons:
  – Neighbor does not have a route to the source IP address of the BGP open packet generated by this router.
  – Neighbor is peering with the wrong address.
  – Neighbor does not have a neighbor statement for this router.
  – AS number is misconfigured.

Example: BGP Active State Troubleshooting

AS number misconfiguration:
  – At the router with the wrong remote AS number:
    %BGP-3-NOTIFICATION: sent to neighbor /2 (peer in wrong AS) 2 bytes FDE6 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 002D 0104 FDE6 00B4 AC1F
  – At the remote router:
    %BGP-3-NOTIFICATION: received from neighbor /2 (peer in wrong AS) 2 bytes FDE6
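Reading the hex dump in the log line above, as an added Python example (not part of the Cisco slides): it decodes the fixed part of a BGP OPEN message per RFC 4271 and builds the "peer in wrong AS" NOTIFICATION (error code 2, subcode 2) that a router sends when the My AS field differs from its configured remote-as. The OPEN reuses the values visible on the slides (version 4, AS 64998, hold time 180); the BGP identifier 192.0.2.1, the mismatched AS 64999 and all function names are assumptions.

```python
import ipaddress
import struct

MARKER = b"\xff" * 16            # 16 bytes of 0xFF open every BGP message
OPEN, NOTIFICATION = 1, 3        # message types (RFC 4271)
OPEN_ERROR, BAD_PEER_AS = 2, 2   # NOTIFICATION code 2, subcode 2


def build_open(my_as, hold_time, bgp_id):
    """Build an OPEN with no optional parameters (constructed test input)."""
    body = struct.pack("!BHH4sB", 4, my_as, hold_time,
                       ipaddress.IPv4Address(bgp_id).packed, 0)
    return MARKER + struct.pack("!HB", 19 + len(body), OPEN) + body


def parse_open(msg):
    """Decode the fixed 29 bytes of a BGP OPEN message."""
    if len(msg) < 29 or msg[:16] != MARKER:
        raise ValueError("not a BGP message")
    length, msg_type = struct.unpack("!HB", msg[16:19])
    if msg_type != OPEN or length != len(msg):
        raise ValueError("not a complete OPEN message")
    version, my_as, hold, bgp_id, opt_len = struct.unpack("!BHH4sB", msg[19:29])
    return {"version": version, "my_as": my_as, "hold_time": hold,
            "bgp_id": str(ipaddress.IPv4Address(bgp_id)), "opt_len": opt_len}


def check_peer_as(open_msg, configured_remote_as):
    """Return None if My AS matches remote-as, else the NOTIFICATION to send."""
    peer = parse_open(open_msg)
    if peer["my_as"] == configured_remote_as:
        return None
    # Carry the AS number received in the OPEN as data, matching the
    # "2 bytes FDE6" shown in the log line (0xFDE6 == 64998).
    data = struct.pack("!H", peer["my_as"])
    return (MARKER + struct.pack("!HBBB", 21 + len(data), NOTIFICATION,
                                 OPEN_ERROR, BAD_PEER_AS) + data)


def describe_notification(msg):
    """Return (error code, subcode, data as hex) from a NOTIFICATION."""
    length, msg_type, code, subcode = struct.unpack("!HBBB", msg[16:21])
    if msg[:16] != MARKER or msg_type != NOTIFICATION or length != len(msg):
        raise ValueError("not a NOTIFICATION message")
    return code, subcode, msg[21:].hex().upper()


# Constructed sample: values 4 / 64998 / 180 appear on the slides; the BGP
# identifier and the mismatched remote-as 64999 are made up for the example.
PEER_OPEN = build_open(64998, 180, "192.0.2.1")
```

In the slide's dump the same layout is visible after the sixteen FF bytes: 002D is the message length, 01 the OPEN type, 04 the version, FDE6 the peer's AS and 00B4 the hold time.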

Example: BGP Peering

RouterA# show ip bgp summary
BGP router identifier , local AS number
BGP table version is 124, main routing table version
network entries using 1053 bytes of memory
22 path entries using 1144 bytes of memory
12/5 BGP path/bestpath attribute entries using 1488 bytes of memory
6 BGP AS-PATH entries using 144 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 3829 total bytes of memory
BGP activity 58/49 prefixes, 72/50 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
:02: :01: :01:11 6

BGP Neighbor Authentication

Router(config-router)# neighbor {ip-address | peer-group-name} password string

BGP authentication uses MD5.
Configure a key (password); router generates a message digest, or hash, of the key and the message.
Message digest is sent; key is not sent.
Router generates and checks the MD5 digest of every segment sent on the TCP connection.
Router authenticates the source of each routing update packet that it receives.

Example: BGP Neighbor Authentication
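How the per-segment digest described above is computed and checked, as an added Python example (not from the Cisco slides): it follows the TCP MD5 Signature Option of RFC 2385, the mechanism the neighbor password command enables, and shows why a segment with the wrong key, a changed payload, a different source address or no signature is rejected. The addresses, ports, key and function names are constructed for the example.

```python
import hashlib
import hmac
import socket
import struct

MD5_OPT = 19  # TCP option kind for the MD5 signature (RFC 2385); length is 18


def rfc2385_digest(src_ip, dst_ip, fixed_hdr, seg_len, payload, key):
    """MD5 over pseudo-header, 20-byte TCP header (checksum zeroed), data, key."""
    hdr = bytearray(fixed_hdr[:20])
    hdr[16:18] = b"\x00\x00"  # the checksum field is hashed as zero
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, seg_len))  # zero, protocol 6, TCP length
    return hashlib.md5(pseudo + bytes(hdr) + payload + key).digest()


def sign_segment(src_ip, dst_ip, src_port, dst_port, seq, ack, payload, key):
    """Build a PSH+ACK segment carrying the MD5 option (TCP checksum left 0)."""
    # Data offset 10 words: 20 fixed bytes + 18-byte option + 2 NOP pad bytes.
    fixed = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                        10 << 4, 0x18, 16384, 0, 0)
    digest = rfc2385_digest(src_ip, dst_ip, fixed, 40 + len(payload), payload, key)
    return fixed + bytes([MD5_OPT, 18]) + digest + b"\x01\x01" + payload


def verify_segment(src_ip, dst_ip, segment, key):
    """Return True only if the segment carries a valid MD5 option for key."""
    if len(segment) < 20:
        return False
    hdr_len = (segment[12] >> 4) * 4
    if hdr_len < 20 or hdr_len > len(segment):
        return False
    options, payload = segment[20:hdr_len], segment[hdr_len:]
    i, received = 0, None
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            return False                   # malformed option
        if kind == MD5_OPT and options[i + 1] == 18:
            received = options[i + 2:i + 18]
        i += options[i + 1]
    if received is None or len(received) != 16:
        return False                       # unsigned segment is dropped
    expected = rfc2385_digest(src_ip, dst_ip, segment[:20], len(segment),
                              payload, key)
    return hmac.compare_digest(received, expected)


# Constructed sample: a BGP KEEPALIVE (16-byte marker, length 19, type 4)
# sent to TCP port 179 between two documentation addresses.
KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)
KEY = b"example-key"  # stands in for the string in `neighbor ... password`
A, B = "192.0.2.1", "192.0.2.2"
SEGMENT = sign_segment(A, B, 50000, 179, 1000, 2000, KEEPALIVE, KEY)
```

The key only ever enters the hash input, which is the slide's "message digest is sent; key is not sent".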

Example: show ip bgp Command

RouterA# show ip bgp
BGP table version is 14, local router ID is
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> / i * i i *> / i *>i / i *> / i * i * i i *> / i * i * i i r> / i r i r i i *> / i

Displays networks from lowest to highest

Example: show ip bgp rib-failure Command

RouterA# show ip bgp rib-failure
Network Next Hop RIB-failure RIB-NH Matches
/ Higher admin distance n/a
/ Higher admin distance n/a

Displays networks that are not installed in the RIB and the reason that they were not installed

Clearing the BGP Session

When policies such as access lists or attributes are changed, the change takes effect immediately, and the next time that a prefix or path is advertised or received, the new policy is used. It can take a long time for the policy to be applied to all networks.
You must trigger an update to ensure that the policy is immediately applied to all affected prefixes and paths.
Ways to trigger an update:
  – Hard reset
  – Soft reset
  – Route refresh

Hard Reset of BGP Sessions

router# clear ip bgp *
Resets all BGP connections with this router.
Entire BGP forwarding table is discarded.
BGP session makes the transition from established to idle; everything must be relearned.

router# clear ip bgp [neighbor-address]
Resets only a single neighbor.
BGP session makes the transition from established to idle; everything from this neighbor must be relearned.
Less severe than clear ip bgp *.

Soft Reset Outbound

Router# clear ip bgp {*|neighbor-address} [soft out]

Routes learned from this neighbor are not lost.
This router resends all BGP information to the neighbor without resetting the connection.
The connection remains established.
This option is highly recommended when you are changing outbound policy.
The soft out option does not help if you are changing inbound policy.

Inbound Soft Reset

Router(config-router)# neighbor [ip-address] soft-reconfiguration inbound
This router stores all updates from this neighbor in case the inbound policy is changed.
The command is memory-intensive.

Router# clear ip bgp {*|neighbor-address} soft in
Uses the stored information to generate new inbound updates.

Route Refresh: Dynamic Inbound Soft Reset

Router# clear ip bgp {*|neighbor-address} [soft in | in]

Routes advertised to this neighbor are not withdrawn.
Does not store update information locally.
The connection remains established.
Introduced in Cisco IOS software release 12.0(2)S and 12.0(6)T.

debug ip bgp updates Command

RouterA#debug ip bgp updates
Mobile router debugging is on for address family: IPv4 Unicast
RouterA#clear ip bgp
*Feb 24 11:06:41.309: %BGP-5-ADJCHANGE: neighbor Up
*Feb 24 11:06:41.309: BGP(0): send UPDATE (format) /24, next , metric 0, path Local
*Feb 24 11:06:41.309: BGP(0): send UPDATE (prepend, chgflags: 0x0) /24, next , metric 0, path Local
*Feb 24 11:06:41.309: BGP(0): NEXT_HOP part 1 net /24, next
*Feb 24 11:06:41.309: BGP(0): send UPDATE (format) /24, next , metric 0, path
*Feb 24 11:06:41.309: BGP(0): NEXT_HOP part 1 net /24, next
*Feb 24 11:06:41.309: BGP(0): send UPDATE (format) /24, next , metric 0, path
*Feb 24 11:06:41.349: BGP(0): rcvd UPDATE w/ attr: nexthop , origin i, localpref 100, metric 0
*Feb 24 11:06:41.349: BGP(0): rcvd /24
*Feb 24 11:06:41.349: BGP(0): rcvd /24

Summary

BGP is configured with the following basic BGP commands:
  – router bgp autonomous-system
  – neighbor ip-address remote-as autonomous-system
  – network network-number [mask network-mask]
The neighbor command activates a BGP session with a neighboring router.
The neighbor shutdown command administratively shuts down a BGP neighbor.
When creating a BGP packet, the neighbor statement defines the destination IP address and the outbound interface defines the source IP address.
When establishing a BGP session, BGP goes through the following states: idle, connect, open sent, open confirm, and established.
You can configure MD5 authentication between two BGP peers, meaning that each segment sent on the TCP connection between the peers is verified.
The show and debug commands are used to troubleshoot the BGP session.
