Implementing Internet and MPLS BGP

For enterprise network engineers, implementing BGP can be an intimidating task. This presentation was given to address common architectures for internet and MPLS BGP usage, along with best practices.

Speaker notes
  • http://tools.ietf.org/html/rfc1930
    http://www.iana.org/assignments/as-numbers
  • http://tools.ietf.org/html/rfc1930
    http://tools.ietf.org/html/rfc4893
    http://www.iana.org/assignments/as-numbers
  • BGP Scanner: http://www.cisco.com/warp/public/459/highcpu-bgp.html
  • BGP Path Selection: BGP could possibly receive multiple advertisements for the same route from multiple sources. BGP selects only one path as the best path. When the path is selected, BGP puts the selected path in the IP routing table and propagates the path to its neighbors. BGP uses the following criteria, in the order presented, to select a path for a destination:
    • If the path specifies a next hop that is inaccessible, drop the update.
    • Prefer the path with the largest weight.
    • If the weights are the same, prefer the path with the largest local preference.
    • If the local preferences are the same, prefer the path that was originated by BGP running on this router.
    • If no route was originated, prefer the route that has the shortest AS_path.
    • If all paths have the same AS_path length, prefer the path with the lowest origin type (where IGP is lower than EGP, and EGP is lower than incomplete).
    • If the origin codes are the same, prefer the path with the lowest MED attribute.
    • If the paths have the same MED, prefer the external path over the internal path.
    • If the paths are still the same, prefer the path through the closest IGP neighbor.
    • Prefer the path with the lowest IP address, as specified by the BGP router ID.
  • http://www.cisco.com/en/US/docs/internetworking/technology/handbook/bgp.html#wp1020565
  • http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00801c4f48.shtml
    BGP-Router# sh proc cpu | i CPU|PID|BGP
    CPU utilization for five seconds: 10%/4%; one minute: 6%; five minutes: 5%
     PID Runtime(ms)   Invoked   uSecs   5Sec   1Min   5Min TTY Process
     215     3212220  28919634     111  0.00%  0.05%  0.07%   0 BGP Router
     234      937744  13995769      67  0.00%  0.01%  0.00%   0 BGP I/O
     235    38969228    512967   75969  6.14%  0.77%  0.63%   0 BGP Scanner
  • http://www.iana.org/assignments/ipv4-address-space
    http://en.wikipedia.org/wiki/Regional_Internet_Registry
    The Internet Assigned Numbers Authority (IANA) delegates Internet resources to the RIRs, and in turn, the RIRs follow their regional policies for further sub-delegation of resources to their customers, which include Internet service providers and end-user organizations.
  • http://www.arin.net/announcements/20070521.html
    http://www.networkworld.com/news/2007/060707-arin-registry-backs-ipv6.html
    http://en.wikipedia.org/wiki/IPv4_address_exhaustion
    http://www.oecd.org/dataoecd/7/1/40605942.pdf
  • Memory Requirements
    http://bgp.potaroo.net/
    http://bgp.potaroo.net/bgprpts/rva-index.html
    http://www.cidr-report.org/as2.0/#General_Status
    http://www.caida.org/research/topology/as_core_network/
    http://thyme.apnic.net/
    http://thyme.apnic.net/current/data-summary
    neighbor maximum-prefix: When the number of received prefixes exceeds the maximum number configured, the router terminates the peering (by default). However, if the warning-only keyword is configured, the router instead only sends a log message but continues peering with the sender. If the peer is terminated, the peer stays down until the clear ip bgp command is issued.
  • http://www.iana.org/assignments/ipv4-address-space
    http://www.iana.org/numbers
    http://www.afrinic.net/statistics/resource_search.htm
    http://www.arin.net/reference/ip_blocks.html
  • http://www.nanog.org/mtg-0710/smith.html
  • Full, No Default: most organizations don't need full routes.
    Partial, with Default: good balance between load sharing and memory control. ISP or CE controlled.
    Default Only: lowest memory requirements, but the least amount of available BGP policy options.
  • http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094a92.shtml
    http://www.911networks.com/index.php/Cisco/BGPRegex
    Originated in AS 31915 + allow prepending:
    ip as-path access-list 1 permit ^(31915_)+$
    Use "show ip bgp regexp" to test.
  • http://thyme.apnic.net/current/data-summary
  • http://www.team-cymru.org/Services/Bogons/routeserver.html
    http://www.team-cymru.org/Services/ip-to-asn.html#whois
    http://www.ietf.org/rfc/rfc2827.txt
    The bogon prefixes are announced unaggregated; as of 28 SEP 2005 this includes 71 prefixes. The ASN used by all of the bogon route-servers is 65333. A private ASN is used to ensure that leakage is easily detected and prevented. Each prefix is tagged with a community, 65333:888, to more readily enable filtering. Peering sessions include the use of a password. The bogon route-servers accept no prefixes from their peers.
  • BGP community policies can be found in the whois database for the ISP ASN.
    http://www.onesc.net/communities/
    Sprint - https://www.sprint.net/index.php?p=policy_bgp
  • http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a00801475b2.shtml
  • http://www.cisco.com/en/US/docs/ios/12_0t/12_0t5/feature/guide/VPN.html
    Each VPN is associated with one or more VPN routing/forwarding instances (VRFs). A VRF defines the VPN membership of a customer site attached to a PE router. A VRF consists of an IP routing table, a derived Cisco Express Forwarding (CEF) table, a set of interfaces that use the forwarding table, and a set of rules and routing protocol parameters that control the information that is included into the routing table.
    Based on routing information stored in the VRF IP routing table and VRF CEF table, packets are forwarded to their destination using MPLS. A PE router binds a label to each customer prefix learned from a CE router and includes the label in the network reachability information for the prefix that it advertises to other PE routers. When a PE router forwards a packet received from a CE router across the provider network, it labels the packet with the label learned from the destination PE router. When the destination PE router receives the labeled packet, it pops the label and uses it to direct the packet to the correct CE router. Label forwarding across the provider backbone is based on either dynamic label switching or traffic engineered paths. A customer data packet carries two levels of labels when traversing the backbone:
    1. The top label directs the packet to the correct PE router.
    2. The second label indicates how that PE router should forward the packet to the CE router.
  • Verizon; AT&T AS7018; Sprint AS1803
  • neighbor 1.1.1.1 default-originate
    This command does not require the presence of 0.0.0.0 in the local router. When used with a route map, the default route 0.0.0.0 is injected if the route map contains a match ip address clause and there is a route that matches the IP access list exactly. The route map can contain other match clauses also. You can use standard or extended access lists with the neighbor default-originate command.
  • http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094431.shtml
    BGP Multipath: BGP Multipath allows installation into the IP routing table of multiple BGP paths to the same destination. These paths are installed in the table together with the best path for load sharing. BGP Multipath does not affect bestpath selection. For example, a router still designates one of the paths as the best path, according to the algorithm, and advertises this best path to its neighbors.
  • bgp fast-external-fallover
    To immediately reset the BGP sessions of any directly adjacent external peers if the link used to reach them goes down, use the bgp fast-external-fallover command. The behavior of this command is enabled by default.
  • http://www.cisco.com/en/US/tech/tk365/tk80/tsd_technology_support_sub-protocol_home.html
    http://www.nanog.org/mtg-0802/smith1.html
    http://www.nanog.org/mtg-0802/presentations/PSmith_BGP.pdf
  • http://www.cisconet.com/route-server/world_map.html
    Telnet to route-views.oregon-ix.net
  • http://www.cisconet.com/route-server/world_map.html
    http://stat.qwest.net/looking_glass.html
    Telnet to route-views.oregon-ix.net
  • http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00801c4f48.shtml
    Reduce the amount of received BGP prefixes
  • http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00801c4f48.shtml
    While BGP scanner runs, low priority processes need to wait a longer time to access the CPU. One low priority process controls Internet Control Message Protocol (ICMP) packets such as pings. Packets destined to or originated from the router may experience higher than expected latency since the ICMP process must wait behind BGP scanner. The cycle is that BGP scanner runs for some time and suspends itself, and then ICMP runs. In contrast, pings sent through a router should be switched via Cisco Express Forwarding (CEF) and should not experience any additional latency. When troubleshooting periodic spikes in latency, compare forwarding times for packets forwarded through a router against packets processed directly by the CPU on the router.

    1. Implementing & Troubleshooting BGP
       Tanner
       5/23/2008
       5/30/2008
    2. Agenda
       PART 1
       BGP Fundamentals
       BGP and the Internet
       PART 2
       BGP and the WAN
       Troubleshooting
    3. PART 1
       BGP Fundamentals
       BGP and the Internet
    4. BGP Fundamentals
       Operations
    5. Where is BGP used?
       Internet
       Same, Unique, or Mixed ASN
       MPLS WAN
       Public or Private ASN
    6. AS: Autonomous Systems
       Textbook answer:
       An AS is a connected group of one or more IP prefixes run by one or more network operators which has a SINGLE and CLEARLY DEFINED routing policy.
    7. ASN's: Autonomous System Numbers
       16-bit ASN's (RFC1930)
       Range: 0-65535
       Public: 1-64511
       Private: 64512-65534
       32-bit ASN's (RFC4893)
       4-octets
       0.0 to 65535.65535
       Only 46 32-bit ASN's currently allocated
    8. EIGRP and BGP Comparison
    9. Path Selection
       Attributes
       Highest Weight
       Highest Local Preference
       Internally Originated
       Shortest AS-Path
       Manipulating these attributes changes BGP path selection
    10. Terminology
       attribute [noun]
       Pronunciation: a-trə-byüt
       3: a word ascribing a quality; especially
       attribute [transitive verb]
       Pronunciation: ə-tri-byüt, -byət
       1: to explain by indicating a cause <attributed his success to his coach>
    11. BGP Attributes: RFC1771 attributes its success to its attributes
    12. BGP Attributes: Most Used
       Influence INBOUND traffic
       The transit path to you is determined by how you announce your routes
       AS Path Prepend (shorter is more preferred)
       route-map RM-ISP-OUT
        set as-path prepend 123 123 123
       Influence OUTBOUND traffic
       Local Preference (higher is more preferred)
       route-map RM-ISP-IN
        set local-preference 50
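Worked example, added here and not part of the deck: the path-selection order from the speaker notes (reachable next hop, weight, local preference, local origination, AS-path length, origin, MED, eBGP over iBGP, IGP metric, lowest router ID) written as a Python sort key, then applied to a constructed two-upstream scenario to show what the prepend and local-preference route-maps on the slide actually change. Prefixes, next hops and ASNs are constructed; the later tie-breakers on the Best Path Selection slide (oldest path, originator ID, neighbor address) and the AS_SET/confederation length rules are not modelled.

```python
"""BGP best-path decision process as a sort key (added example, not from the
slides). Order follows the Cisco decision list in the speaker notes. Later
tie-breakers (oldest path, originator ID, neighbor address) and AS_SET or
confederation length rules are deliberately left out."""
from dataclasses import dataclass
from typing import List, Optional

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}   # IGP beats EGP beats incomplete


@dataclass
class Path:
    prefix: str
    next_hop: str
    as_path: List[int]           # [] means originated on this router
    router_id: str               # BGP router ID of the advertising peer
    weight: int = 0              # Cisco-local, never propagated
    local_pref: int = 100
    origin: str = "i"
    med: int = 0
    ebgp: bool = True
    igp_metric: int = 0          # IGP cost to reach next_hop
    next_hop_reachable: bool = True


def selection_key(p: Path):
    """Smaller tuple = more preferred; 'prefer larger' attributes are negated."""
    return (
        -p.weight,
        -p.local_pref,
        0 if not p.as_path else 1,                       # locally originated wins
        len(p.as_path),                                  # prepending lengthens this
        ORIGIN_RANK[p.origin],
        p.med,
        0 if p.ebgp else 1,                              # eBGP over iBGP
        p.igp_metric,                                    # closest IGP neighbor
        tuple(int(o) for o in p.router_id.split(".")),  # lowest router ID
    )


def best_path(paths: List[Path]) -> Optional[Path]:
    """Drop paths whose next hop is unreachable, then take the minimum key."""
    usable = [p for p in paths if p.next_hop_reachable]
    return min(usable, key=selection_key) if usable else None


def deciding_step(a: Path, b: Path) -> str:
    """Name the first attribute on which two candidate paths differ."""
    names = ["weight", "local_pref", "locally originated", "as_path length",
             "origin", "med", "ebgp vs ibgp", "igp metric", "router id"]
    for name, x, y in zip(names, selection_key(a), selection_key(b)):
        if x != y:
            return name
    return "tie"


# Constructed scenario: one prefix learned from two upstreams. ISP-B has
# prepended its own AS three times, as the RM-ISP-OUT example on the slide does.
def sample_paths() -> List[Path]:
    return [
        Path("10.0.0.0/24", "192.0.2.1", [209, 3356], "192.0.2.1"),
        Path("10.0.0.0/24", "198.51.100.1", [7018, 7018, 7018, 3356], "198.51.100.1"),
    ]


def choose(local_pref_a: int = 100, weight_a: int = 0, a_reachable: bool = True) -> str:
    """Next hop selected after applying the given inbound policy to ISP-A's path."""
    a, b = sample_paths()
    a.local_pref, a.weight, a.next_hop_reachable = local_pref_a, weight_a, a_reachable
    return best_path([a, b]).next_hop


if __name__ == "__main__":
    a, b = sample_paths()
    print("default:", choose(), "decided by", deciding_step(a, b))
    print("ISP-A local-preference 50:", choose(local_pref_a=50))
    print("ISP-A local-preference 50 but weight 200:", choose(local_pref_a=50, weight_a=200))
    print("ISP-A next hop unreachable:", choose(a_reachable=False))
```

The point to take from running it: the three-times-prepended path loses on AS-path length, but a single `set local-preference 50` on the other peer overrides that, and weight overrides both, which is why a stray weight or local-preference in an inbound route-map is the first thing to check when traffic leaves by the "wrong" upstream.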
    13. BGP Process Operations
    14. Section Review: Fundamentals
       What is an autonomous system?
       What are BGP attributes that affect inbound traffic?
       What are BGP attributes that affect outbound traffic?
       Name 4 common BGP path selection criteria
       What maintenance task happens every 60 seconds in BGP?
    15. BGP & the Internet
       23rd Ave / I-40 Junction
    16. Global IP Assignments
       IANA
       Regional Registrars
       ISP's
       End Users
    17. Address Space Depletion: BGP Movie (6 min)
    18. Global Routing Table: How large is it?
       Limit prefixes on Cisco routers:
       router bgp 12345
        neighbor 1.1.1.1 maximum-prefix 300000 90
    19. RIR whois
       ARIN IP Lookup
       AfriNIC Country Lookup
    20. Typical ISP Routing Options
       Single-homed, Single ISP: Private AS or Static (No BGP)
       Multi-homed, Single ISP: Private AS
       Multi-homed, Dual ISP: Public AS
    21. Prefix Origination: Inbound Traffic
       Common Elements
       ISP's won't accept anything longer than /24
       Provider Aggregate address block (PA)
       /24 or shorter from ISP
       Justification paperwork, but usually easy
       Announcing another ISP's prefix
       Provider Independent address block (PI)
       Applied for from RIR (e.g., ARIN)
       More paperwork (and solid justification)!
    22. What Kind of Routes? Outbound Traffic
       Footnotes to the table on the slide:
       1. Based on 2 upstream eBGP peers
       2. Varies depending on quantity of ISP customers announcing prefixes
       3. Varies depending on size of upstream carrier
       4. Inbound bogon filtering is still possible; however, outbound will not function due to the default route
    23. Memory Requirements: Full BGP Routes
       Based on 255K routes + soft reconfig
       BGP Summary shows 57MB used
       BGP-Router# sh ip bgp sum
       ...
       BGP using 57060899 total bytes of memory
       Adding up processes shows 153MB used
       BGP-Router# sh proc mem | i PID|BGP
        PID TTY  Allocated      Freed    Holding  Getbufs  Retbufs Process
        215   0  152845892    1430904  145443600       16       16 BGP Router
        234   0     239016          0       6984  5164371  5164371 BGP I/O
        235   0          0      82472       9972        0        0 BGP Scanner
    24. BGP Policy Components
       Prefix-lists to filter prefixes
       ip prefix-list PL-ANNOUNCE seq 10 permit 1.0.0.0/8
       Filter-lists to filter ASNs
       ip as-path access-list 1 permit ^1234
       Route-maps to apply policy
       route-map RM-ISP-OUT permit 10
        set as-path prepend 1234
       Distribute-lists to sit and watch (don't use)
       Source: NANOG 23, Phillip Smith
    25. Configuration Example: ISP eBGP Peer with Partial Routes
       router bgp 1234
        no auto-summary
        no synchronization
        no bgp fast-external-fallover
        bgp log-neighbor-changes
        neighbor 192.0.2.233 remote-as 209
        neighbor 192.0.2.233 description eBGP with Qwest AS209. Password: 1234abcd
        neighbor 192.0.2.233 password 1234abcd
        neighbor 192.0.2.233 version 4
        neighbor 192.0.2.233 soft-reconfiguration inbound
        neighbor 192.0.2.233 maximum-prefix 300000 90 warning-only
        neighbor 192.0.2.233 prefix-list PL-BOGONS in
        neighbor 192.0.2.233 prefix-list PL-ANNOUNCE out
        neighbor 192.0.2.233 route-map RM-QWEST-OUT out
        neighbor 192.0.2.233 route-map RM-QWEST-IN in
        neighbor 192.0.2.233 filter-list 1 out
        neighbor 192.0.2.233 filter-list 10 in
        network 205.93.251.0 mask 255.255.254.0
        network 205.93.251.0
       ip route 205.93.251.0 255.255.254.0 Null0 name BGP-STABILITY
       ip route 205.93.251.0 255.255.255.0 205.93.251.4
       ip route 205.93.251.125 255.255.255.255 205.93.251.121 name IBGP-PEER
       ip route 205.93.251.125 255.255.255.255 205.93.251.2 250 name IBGP-PEER-BACKUP
       ip as-path access-list 1 permit ^$
       ip as-path access-list 10 permit _(209|7018)$
       ip prefix-list PL-ANNOUNCE seq 10 permit 205.93.251.0/23 le 24
       ip prefix-list PL-ANNOUNCE seq 99 deny 0.0.0.0/0 le 32
       route-map RM-QWEST-OUT permit 10
        set as-path prepend 1234 1234
       route-map RM-QWEST-IN permit 10
        set local-preference 50
    26. Regular Expressions: BGP AS Filtering
       Defining our AS
       ip as-path access-list 1 permit ^$
       Originating in AS 3549
       ip as-path access-list 1 permit ^3549$
       Originating in AS 3549 or Upstream AS
       ip as-path access-list 1 permit ^3549$
       ip as-path access-list 1 permit ^3549 1239$
       ip as-path access-list 1 permit ^3549_(1239)?$
       Deny all nets originating from AS 1239 and permit all other routes
       ip as-path access-list 1 deny _1239$
       ip as-path access-list 1 permit .*
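Worked example, added here and not part of the deck: the AS-path regular expressions from this slide and from the speaker notes (`^$`, `^3549_(1239)?$`, `_1239$`, `^(31915_)+$`) evaluated offline in Python, with the IOS `_` boundary token translated so that `_1239$` matches "7018 1239" but not "7018 11239". The filter-list evaluator applies entries in order with the implicit deny, and the last function imitates `show ip bgp regexp` over a constructed table so a pattern can be checked before it goes into a filter-list. The table contents and the prefixes in it are constructed.

```python
"""IOS AS-path regular expressions evaluated offline (added example, not from
the slides). The one dialect difference that matters is '_', which in IOS
matches an AS boundary: start or end of the path, a space, comma, brace or
parenthesis. A '_' inside a character class is not translated."""
import re
from typing import List, Tuple

FilterList = List[Tuple[str, str]]   # (action, pattern) entries, in order


def to_python_regex(ios_pattern: str) -> str:
    """Translate the IOS '_' boundary token; other metacharacters are unchanged."""
    return ios_pattern.replace("_", r"(?:^|$|[\s,{}()])")


def as_path_matches(ios_pattern: str, as_path: str) -> bool:
    """as_path is the path as printed by 'show ip bgp', e.g. '3549 1239'.
    An empty string is a locally originated prefix (what '^$' is for)."""
    return re.search(to_python_regex(ios_pattern), as_path) is not None


def filter_list_decision(entries: FilterList, as_path: str) -> str:
    """First matching entry wins; an as-path access-list ends in an implicit deny."""
    for action, pattern in entries:
        if as_path_matches(pattern, as_path):
            return action
    return "deny"


def show_ip_bgp_regexp(ios_pattern: str, table: List[Tuple[str, str]]) -> List[str]:
    """Imitate 'show ip bgp regexp <pattern>': prefixes whose AS path matches."""
    return [prefix for prefix, path in table if as_path_matches(ios_pattern, path)]


# Constructed BGP table: (prefix, AS path as shown by 'show ip bgp').
SAMPLE_TABLE = [
    ("203.0.113.0/24", "31915 31915 31915"),   # origin 31915, prepended
    ("198.51.100.0/24", "31915 1239"),         # origin 1239 via 31915
    ("192.0.2.0/24", "3549 1239"),
    ("192.0.2.128/25", "3549 12390"),          # 12390 is not 1239
    ("10.0.0.0/8", ""),                        # locally originated
]

# The slide's "deny all nets originating from AS 1239, permit everything else".
DENY_1239_PERMIT_REST: FilterList = [("deny", "_1239$"), ("permit", ".*")]

if __name__ == "__main__":
    for pattern in ("^$", "^(31915_)+$", "^3549_(1239)?$", "_1239$"):
        print(pattern, "->", show_ip_bgp_regexp(pattern, SAMPLE_TABLE))
    for _, path in SAMPLE_TABLE:
        print(repr(path), "->", filter_list_decision(DENY_1239_PERMIT_REST, path))
```

The `_` translation is the part worth keeping: a pattern written as `1239$` without the boundary token would also match an AS path ending in 11239, which is the classic way a "deny one origin AS" filter-list lets the wrong prefixes through.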
    27. BGP Routing Table Analysis
       Daily BGP Stats Available
       BGP routing table entries examined: 255572
        Prefixes after maximum aggregation: 127106
        Deaggregation factor: 2.01
        Unique aggregates announced to Internet: 123962
       Total ASes present in the Internet Routing Table: 28151
        Prefixes per ASN: 9.08
       Average AS path length visible in the Internet Routing Table: 3.6
        Max AS path length visible: 25
        Max AS path prepend of ASN (39375) 13
       Prefixes from unregistered ASNs in the Routing Table: 25414
        Unregistered ASNs in the Routing Table: 1885
       Prefixes being announced from unallocated address space: 786
       Number of addresses announced to Internet: 1,851,293,088
       Wojciech Misiaszek
       Telekomunikacja Podlasie Sp.
       ul. Dobra 14A
       15-034 Bialystok
       Poland
    28. Bogon Filtering: Manual Method
       Outbound traffic (via inbound route filter)
       ip prefix-list BOGONS desc Bogon networks we won't accept
       ip prefix-list BOGONS seq 2 deny 0.0.0.0/0
       ip prefix-list BOGONS seq 5 deny 0.0.0.0/8 le 32
       ip prefix-list BOGONS seq 20 deny 5.0.0.0/8 le 32
       ip prefix-list BOGONS seq 390 deny 127.0.0.0/8 le 32
       ip prefix-list BOGONS seq 400 deny 172.16.0.0/12 le 32
       ip prefix-list BOGONS seq 520 deny 224.0.0.0/3 le 32
       ip prefix-list BOGONS seq 700 permit 0.0.0.0/0 le 27
       Inbound traffic
       ip access-list extended ACL-OUTSIDE-IN
        remark --- Basic Spoof Filtering
        deny ip 0.0.0.0 0.255.255.255 any
        deny ip 10.0.0.0 0.255.255.255 any
        deny ip <public-ip-block> <subnet-mask> any
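Worked example, added here and not part of the deck: a Python evaluator for IOS prefix-list semantics, run against the BOGONS list on this slide and the `0.0.0.0/0 ge 29` list used later for WAN serials. It implements the rules that trip people up in review: entries are tried in sequence order, the first match wins, a prefix must fall inside the entry's network, the prefix length must be inside the ge/le window (exact length when neither is given, up to /32 when only ge is given), and anything unmatched hits the implicit deny. The sample config is copied from the slides; note the 5.0.0.0/8 entry dates from 2008 and that block has since been allocated, which is exactly why a static bogon list needs a review date.

```python
"""IOS prefix-list semantics evaluated offline (added example, not from the
slides). Entries are tried in seq order, first match wins, implicit deny at
the end. Match rule: the candidate lies inside the entry network and its
length is within [ge, le]; with neither keyword the length must be exact,
with only 'ge' the upper bound is 32."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ENTRY_RE = re.compile(
    r"^ip prefix-list (?P<name>\S+) seq (?P<seq>\d+) (?P<action>permit|deny) "
    r"(?P<net>\S+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$"
)


@dataclass
class Entry:
    seq: int
    action: str
    network: ipaddress.IPv4Network
    ge: int
    le: int


def parse_prefix_lists(config: str) -> Dict[str, List[Entry]]:
    """Collect 'ip prefix-list NAME seq N ...' lines by list name, sorted by seq.
    'desc' lines and unrelated config are ignored; entries without an explicit
    seq (IOS auto-numbers those) are not handled."""
    lists: Dict[str, List[Entry]] = {}
    for raw in config.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        net = ipaddress.ip_network(m["net"], strict=False)
        plen = net.prefixlen
        ge = int(m["ge"]) if m["ge"] else plen
        le = int(m["le"]) if m["le"] else (net.max_prefixlen if m["ge"] else plen)
        lists.setdefault(m["name"], []).append(Entry(int(m["seq"]), m["action"], net, ge, le))
    for entries in lists.values():
        entries.sort(key=lambda e: e.seq)
    return lists


def evaluate(entries: List[Entry], prefix: str) -> Tuple[str, Optional[int]]:
    """Return (action, seq of the matching entry); seq is None for the implicit deny."""
    p = ipaddress.ip_network(prefix, strict=False)
    for e in entries:
        if p.subnet_of(e.network) and e.ge <= p.prefixlen <= e.le:
            return e.action, e.seq
    return "deny", None


# Config copied from the slides: the 2008 BOGONS list (stale, see lead-in) plus
# the "/29 and longer" list used for WAN serials in the MPLS section.
SAMPLE_CONFIG = """
ip prefix-list BOGONS desc Bogon networks we won't accept
ip prefix-list BOGONS seq 2 deny 0.0.0.0/0
ip prefix-list BOGONS seq 5 deny 0.0.0.0/8 le 32
ip prefix-list BOGONS seq 20 deny 5.0.0.0/8 le 32
ip prefix-list BOGONS seq 390 deny 127.0.0.0/8 le 32
ip prefix-list BOGONS seq 400 deny 172.16.0.0/12 le 32
ip prefix-list BOGONS seq 520 deny 224.0.0.0/3 le 32
ip prefix-list BOGONS seq 700 permit 0.0.0.0/0 le 27
ip prefix-list PL-WAN-SERIALS seq 10 permit 0.0.0.0/0 ge 29
"""

LISTS = parse_prefix_lists(SAMPLE_CONFIG)


def check(list_name: str, prefix: str) -> Tuple[str, Optional[int]]:
    """Evaluate one prefix against one of the parsed lists."""
    return evaluate(LISTS[list_name], prefix)


if __name__ == "__main__":
    for name, prefix in [("BOGONS", "0.0.0.0/0"), ("BOGONS", "127.0.0.1/32"),
                         ("BOGONS", "203.0.113.0/24"), ("BOGONS", "203.0.113.0/28"),
                         ("PL-WAN-SERIALS", "10.112.2.8/30"), ("PL-WAN-SERIALS", "10.112.0.0/16")]:
        print(name, prefix, "->", check(name, prefix))
```

Two results worth checking by hand: `0.0.0.0/0` is denied by seq 2 (exact-length match) rather than permitted by seq 700, and a /28 received from the ISP is dropped by the implicit deny because seq 700 stops at `le 27`.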
    29. Bogon Filtering: Automatic Method
       Do not try this at home!
       Make sure you are aware of potential complications
       router bgp <your asn>
        neighbor x.x.x.x remote-as 65333
        neighbor x.x.x.x ebgp-multihop 255
        neighbor x.x.x.x description Cymru Bogon Route Server Project
        neighbor x.x.x.x prefix-list PL-CYMRU-OUT out
        neighbor x.x.x.x route-map RM-CYMRUBOGONS-IN in
        neighbor x.x.x.x password 31337PW
        neighbor x.x.x.x maximum-prefix 100 threshold 90
       Configure a community list to accept the bogon prefixes into the route-map.
       ip bgp-community new-format
       ip community-list 10 permit 65333:888
       Configure the route-map. Remember to apply it to the proper peering sessions.
       route-map RM-CYMRUBOGONS-IN permit 10
        description Filter bogons learned from cymru.com bogon route-servers
        match community 10
        set ip next-hop 192.0.2.1
       Set a bogon next-hop on all routers that receive the bogons.
       ip route 192.0.2.1 255.255.255.255 null0
       ip prefix-list PL-CYMRU-OUT seq 5 deny 0.0.0.0/0 le 32
    30. BGP Communities
       WELL KNOWN
       no-advertise
       no-export
       TE Custom Communities
       ISP must support it
       TE via AS path prepends, local prefs, trig. blackhole
    31. BGP Communities: Configuration Example
       ip bgp-community new-format
       ip prefix-list PL-ANNOUNCE seq 10 permit 205.93.251.0/24
       ip prefix-list PL-ANNOUNCE seq 20 deny 0.0.0.0/0 le 32
       route-map RM-ISP-OUT permit 10
        match ip address prefix-list PL-ANNOUNCE
        set community 65011:209
       route-map RM-ISP-OUT permit 20
       router bgp 64512
        neighbor 1.1.1.1 send-community
        neighbor 1.1.1.1 route-map RM-ISP-OUT out
    32. Section Review: BGP & the Internet
       What kind of route options are typically received from an ISP?
       Who is the global controller of IP space on the internet?
       Describe bogon filtering
       What do the ^ and $ symbols mean in regular expressions?
    33. PART 2
       BGP and the MPLS WAN
       Troubleshooting BGP
    34. BGP & MPLS
       Theory
       Design
       Configuration
       Best Practices
    35. MPLS Basics
       Topology: Full Mesh; Single peer to WAN cloud
       L1 Transport: T1; DS3
       L2 Transport: PPP / MLP; ATM / IMA; Frame Relay; Ethernet
       Routing Protocols: BGP; EIGRP; RIP
       Public/Private AS's
    36. MPLS Terminology
       CE Router: Customer Edge
       PE Router: Provider Edge
       P/LSR Router: Provider Backbone/Label Switching Router
       VRF: Virtual Routing and Forwarding
       Everything else is standard BGP!
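Worked example, added here and not part of the deck: the two-level label stack described in the VPN speaker note (top label steers to the egress PE, second label selects the VRF/CE) walked hop by hop in Python. It encodes and decodes RFC 3032 label entries (20-bit label, 3-bit traffic class, bottom-of-stack bit, 8-bit TTL), imposes both labels at the ingress PE, swaps only the top label at a P router, and pops at the egress PE to select the CE. The label values, LFIB, VRF table and payload are constructed; the functions are illustrative and are not a Cisco API.

```python
"""Two-level MPLS label stack for a BGP/MPLS VPN, walked hop by hop (added
example, not from the slides). Entry format is RFC 3032: label(20) | TC(3) |
S(1) | TTL(8). Label values, LFIB and VRF table are constructed."""
import struct
from typing import Dict, List, Tuple

LabelEntry = Tuple[int, int, int]   # (label, traffic_class, ttl)


def encode_label_stack(entries: List[LabelEntry]) -> bytes:
    """Serialise top-of-stack first; the S bit is set only on the last entry."""
    out = bytearray()
    for i, (label, tc, ttl) in enumerate(entries):
        if not (0 <= label < 1 << 20 and 0 <= tc < 8 and 0 <= ttl < 256):
            raise ValueError("label stack field out of range")
        bottom = 1 if i == len(entries) - 1 else 0
        out += struct.pack("!I", (label << 12) | (tc << 9) | (bottom << 8) | ttl)
    return bytes(out)


def decode_label_stack(packet: bytes) -> Tuple[List[LabelEntry], bytes]:
    """Read entries until the S bit is seen; return (entries, remaining payload)."""
    entries: List[LabelEntry] = []
    offset = 0
    while True:
        if len(packet) < offset + 4:
            raise ValueError("truncated label stack: no bottom-of-stack entry")
        (word,) = struct.unpack_from("!I", packet, offset)
        offset += 4
        entries.append((word >> 12, (word >> 9) & 0x7, word & 0xFF))
        if (word >> 8) & 0x1:
            return entries, packet[offset:]


def ingress_pe_impose(payload: bytes, transport_label: int, vpn_label: int, ttl: int = 255) -> bytes:
    """Ingress PE: top label reaches the egress PE, second label picks the VRF/CE there."""
    return encode_label_stack([(transport_label, 0, ttl), (vpn_label, 0, ttl)]) + payload


def p_router_swap(packet: bytes, lfib: Dict[int, int]) -> bytes:
    """P/LSR: swap the top label and decrement its TTL; the VPN label is opaque here."""
    entries, payload = decode_label_stack(packet)
    (label, tc, ttl), rest = entries[0], entries[1:]
    if ttl <= 1:
        raise ValueError("TTL expired in the MPLS core")
    if label not in lfib:
        raise KeyError("no LFIB entry for label: packet dropped")
    return encode_label_stack([(lfib[label], tc, ttl - 1)] + rest) + payload


def egress_pe_forward(packet: bytes, vrf_by_label: Dict[int, str]) -> Tuple[str, bytes]:
    """Egress PE: discard the transport label and select the CE by the VPN label.
    Uses the bottom entry, so it also works when PHP already removed the top label."""
    entries, payload = decode_label_stack(packet)
    vpn_label = entries[-1][0]
    if vpn_label not in vrf_by_label:
        raise KeyError("unknown VPN label: packet dropped")
    return vrf_by_label[vpn_label], payload


def walk_core() -> Tuple[str, bytes]:
    """Constructed path CE-A -> PE1 -> P -> PE2 -> CE-B with one label swap."""
    payload = b"\x45\x00" + b"constructed IPv4 payload"
    pkt = ingress_pe_impose(payload, transport_label=16001, vpn_label=24)
    pkt = p_router_swap(pkt, {16001: 16002})
    return egress_pe_forward(pkt, {24: "VRF-CUSTOMER-A/CE-B"})


if __name__ == "__main__":
    vrf, payload = walk_core()
    print("delivered to", vrf, "payload", payload)
```

The design point the walk makes explicit is the one the note states in prose: the P router never reads the VPN label or the customer payload, and the egress PE never needs the transport label, so the only place a wrong VRF can be selected is the VPN label binding advertised in BGP.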
    37. Typical MPLS Topology Options
       Single-homed, Single ISP: Easiest routing policies
       Multi-homed, Single ISP: Most common
       Multi-homed, Dual Provider: Lots of TE
    38. BGP Table: How do you read this thing???
       > is the path installed in the routing table
       r means there is already a route with a better AD
       32768 means prefix originated on this router
       ? means prefix was originated via redistribution
       i (origin code) means prefix was originated via network statement
       i (status code) means prefix learned from iBGP peer
       * means route is OK to inject in routing table
       Next Hop is the neighbor IP of eBGP peer(s)
       AS path is the list of AS's the prefix has passed through
       CIDR Mask: try to summarize where possible
       WAN-Router# sh ip bgp
       BGP table version is 7345, local router ID is 172.16.254.3
       Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                     r RIB-failure, S Stale
       Origin codes: i - IGP, e - EGP, ? - incomplete
          Network          Next Hop            Metric LocPrf Weight Path
       * i12.86.42.44/30   172.16.254.4             0    100      0 7018 ?
       *>                  12.122.14.185                          0 7018 ?
       r>i172.16.254.4/32  172.16.254.4             0    100      0 ?
       *> 172.16.254.16/29 0.0.0.0                  0         32768 ?
       *> 172.16.254.24/29 0.0.0.0                  0         32768 ?
       * i172.30.32.0/20   172.16.254.4             0    100      0 7018 7018 i
       *>                  12.122.14.185                          0 7018 7018 i
       *> 172.30.64.0/20   12.122.14.185                          0 7018 7018 ?
    39. Default Route Origination
       *Policies include: Conditional advertisement, AS prepending, and communities
    40. Best Path Selection
       Review
       BGP Table (BRIB)
       Routing Table (RIB)
       BGP Multipath
       Multi-VRF w/Sub-interfaces
       Selection order: Weight, Local Pref, Local Originate, AS Path, Origin Type, Lowest MED, eBGP over iBGP, IGP Metric to NH, Received First, Lowest RID, Originator ID, Neighbor IP
       WAN-router# sh ip bgp nei 172.16.16.249 advertised-routes
       Originating default network 0.0.0.0
          Network          Next Hop      Metric LocPrf Weight Path
       *> 10.0.0.0/24      10.20.40.5         0         32768 ?
       *> 10.20.20.0/24    0.0.0.0            0         32768 ?
       ...
       Only send the very best!
       WAN-router> sh ip bgp
          Network          Next Hop       Metric LocPrf Weight Path
       *> 0.0.0.0          172.14.16.250                     0 65000 i
       *  0.0.0.0          10.217.13.102                     0 65001 i
       WAN-router> sh ip bgp
          Network       Next Hop        Metric LocPrf Weight Path
       *> 0.0.0.0       172.11.132.193                     0 1803 65000 i
    41. Route Redistribution
       "Seek first to summarize..."
       Do you need to redistribute?
       Yes = Redistribution
       No = Summarization
       Maybe = Both?
       BGP to EIGRP
       router eigrp 111
        redistribute bgp 222 metric 1500 1000 255 1 1500
       EIGRP to BGP
       router bgp 222
        redistribute eigrp 111
    42. Miscellaneous Features
       Peer Groups
       Object-groups for BGP! (Kind of...)
       router bgp 64512
       ! Setup peer-group policies
        neighbor PARTIAL-ROUTES peer-group
        neighbor PARTIAL-ROUTES version 4
        neighbor PARTIAL-ROUTES filter-list 5 out
        neighbor FULL-ROUTES peer-group
        neighbor FULL-ROUTES version 4
       ! Apply it to a neighbor
        neighbor 192.0.2.228 peer-group FULL-ROUTES
       ip as-path access-list 5 permit ^(209|36270|6298_)[0-9]*_[0-9]*$
       Route Reflectors
    43. Best Practices
       Avoid redistributing everything under the sun
       connected, static, every routing protocol, etc.
       Look for ways to reduce routing tables
       Summarize
       Advertise only what is necessary
       Use a network statement for default origination
       network 0.0.0.0 mask 0.0.0.0
    44. Case Study: Requirements
       WAN to Internet
       Use DC as primary
       Use Campus as secondary
       Use Internet VPN as tertiary
       WAN to Hubs
       Use each hub MPLS DS3
       Use other hub DS3 as secondary
       Use Internet VPN as tertiary
       Hub to Hub
       Use LAN link as primary
       Don't use MPLS DS3's as secondary
       Smokey the Router says...
       "Routing works both ways!"
    45. Case Study: Possible Solution
       WAN to Internet
       Use DC as primary
       Use Campus as secondary
       Use Internet VPN as tertiary
       WAN to Hubs
       Use each hub MPLS DS3
       Use other hub DS3 as secondary
       Use Internet VPN as tertiary
       Hub to Hub
       Use LAN link as primary
       Don't use MPLS DS3's as secondary
       Diagram callouts (one block per router):
       Default Networks:
       1 via eBGP to MPLS
       1 via iBGP to VPN
       Advertised Networks:
       Shortest AS path (DC)
       Advertised Networks:
       network 0.0.0.0
       network 10.112.0.0
       Received Networks:
       0.0.0.0/0 ge 29 le 32
       Advertised Networks:
       network 0.0.0.0
       Received Networks:
       0.0.0.0/0 ge 29 le 32
       Summarized Networks:
       summary-addr 10.x.0.0/20
       summary-addr <WAN nets>
       Advertised Networks:
       network 0.0.0.0
       Received Networks:
       0.0.0.0/0 ge 29 le 32
       Summarized Networks:
       summary-addr 10.112.0.0/16
       Default Route
       Static route redistributed into EIGRP
       Campus to WAN:
       EIGRP metric better via Router 1 -> WAN
       DC to Campus:
       Only 1 route via Interlink
    46. Configuration Example (Hub): MPLS eBGP Peer with Default Advertisement
       router bgp 100
        network 0.0.0.0
        network 10.112.0.0 mask 255.255.0.0
        neighbor 192.0.2.105 remote-as 65000
        neighbor 192.0.2.105 description eBGP with MPLS SP. Password: 1234abcd
        neighbor 192.0.2.105 password 1234abcd
        neighbor 192.0.2.105 version 4
        neighbor 192.0.2.105 send-community
        neighbor 192.0.2.105 soft-reconfiguration inbound
        neighbor 192.0.2.105 route-map RM-MPLS-IN in
        neighbor 192.0.2.105 route-map RM-MPLS-OUT out
        no auto-summary
       ip prefix-list PL-DEFAULT seq 10 permit 0.0.0.0/0
       route-map RM-MPLS-IN deny 10
        description Block learning default route from DC Router. Use IGP instead.
        match ip address prefix-list PL-DEFAULT
       route-map RM-MPLS-IN permit 20
       ! The default-route clause must come first: a permit clause with no match
       ! statement matches every prefix, so a later prepend clause is never reached.
       route-map RM-MPLS-OUT permit 10
        description Prepend Default Route for Backup Link
        match ip address prefix-list PL-DEFAULT
        set community 112
        set as-path prepend 100 100
       route-map RM-MPLS-OUT permit 20
        description Set BGP policies for outbound route advertisements to MPLS Provider
        set community 112
    47. Configuration Example (Hub): MPLS EIGRP Redistribution
       router eigrp 1
        redistribute bgp 100 metric 1500 1000 255 1 1500 route-map RM-WAN-SERIALS
        network 10.112.2.0 0.0.0.255
        no auto-summary
       ip prefix-list PL-WAN-SERIALS seq 10 permit 0.0.0.0/0 ge 29
       route-map RM-WAN-SERIALS permit 10
        description Only redistribute WAN serials (/29 to /32 prefixes) into EIGRP process
        match ip address prefix-list PL-WAN-SERIALS
       Advertise learned BGP networks with prefixes /29 or longer
    48. Section Review: BGP & MPLS
       What are the 3 default route origination methods?
       What does the > symbol mean in the BGP table?
       What are 3 clues that tell you a route "originated here" in the BGP table?
    49. BGP Troubleshooting
       Interpreting and Troubleshooting BGP Operations
    50. Peer Establishment
       Peer Reachability
       MD5 Password Mismatch
       Wrong neighbor IP
       Wrong update-source
       Wrong peer AS
       TTL / ebgp-multihop
       Stuck in OpenSent/OpenConfirm
       Asymmetric routing & TTL problem
       ACL's between peers
       Blocking TCP/179
    51. Flapping Peer
       *May 20 04:02:39.240 MST: %BGP-5-ADJCHANGE: neighbor 192.0.2.133 Down Peer closed the session
       *May 20 04:02:54.468 MST: %BGP-5-ADJCHANGE: neighbor 192.0.2.133 Up
       *May 20 04:20:44.999 MST: %BGP-5-ADJCHANGE: neighbor 192.0.2.133 Down BGP Notification sent
       *May 20 04:20:44.999 MST: %BGP-3-NOTIFICATION: sent to neighbor 192.0.2.133 4/0 (hold time expired) 0 bytes
       *May 20 04:21:04.243 MST: %BGP-5-ADJCHANGE: neighbor 192.0.2.133 Up
       *May 20 04:52:18.132 MST: %BGP-5-ADJCHANGE: neighbor 192.0.2.133 Down BGP Notification sent
       *May 20 04:52:18.132 MST: %BGP-3-NOTIFICATION: sent to neighbor 192.0.2.133 4/0 (hold time expired) 0 bytes
       *May 20 04:55:16.469 MST: %BGP-5-ADJCHANGE: neighbor 192.0.2.133 Up
       *May 20 04:56:17.169 MST: %BGP-5-ADJCHANGE: neighbor 192.0.2.133 Down Peer closed the session
       *May 20 04:56:36.533 MST: %BGP-5-ADJCHANGE: neighbor 192.0.2.133 Up
       *May 20 05:09:28.555 MST: %BGP-5-ADJCHANGE: neighbor 192.0.2.133 Down Peer closed the session
       *May 20 05:09:35.087 MST: %BGP-5-ADJCHANGE: neighbor 192.0.2.133 Up
       *May 20 05:47:57.350 MST: %BGP-5-ADJCHANGE: neighbor 192.0.2.133 Down BGP Notification sent
       Remote router rebooting (BGP crash?)
       MTU Incorrect
       L2 Problem
       Interface output drops (QoS, CoPP, etc.)
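Worked example, added here and not part of the deck: detection logic in Python that turns the syslog lines on this slide into the numbers a responder wants (how many Downs per neighbor, how many inside any one-hour window, and why). It attaches the detail from a `%BGP-3-NOTIFICATION` line (for example `hold time expired`) to the `Down` event that precedes it, and flags a neighbor as flapping when more than a threshold of Downs fall inside a sliding window. The log lines are copied from the slide; the window and threshold values are constructed defaults, and IOS timestamps carry no year, so all lines are assumed to come from one year.

```python
"""Flap detection over IOS BGP syslog lines (added example, not from the
slides). Counts ADJCHANGE 'Down' events per neighbor, refines the reason from
the NOTIFICATION line that follows a Down, and flags a neighbor as flapping
when more than `threshold` Downs fall inside any sliding `window`."""
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List

# Log lines copied from the slide.
SAMPLE_LOG = """
*May 20 04:02:39.240 MST: %BGP-5-ADJCHANGE: neighbor 192.0.2.133 Down Peer closed the session
*May 20 04:02:54.468 MST: %BGP-5-ADJCHANGE: neighbor 192.0.2.133 Up
*May 20 04:20:44.999 MST: %BGP-5-ADJCHANGE: neighbor 192.0.2.133 Down BGP Notification sent
*May 20 04:20:44.999 MST: %BGP-3-NOTIFICATION: sent to neighbor 192.0.2.133 4/0 (hold time expired) 0 bytes
*May 20 04:21:04.243 MST: %BGP-5-ADJCHANGE: neighbor 192.0.2.133 Up
*May 20 04:52:18.132 MST: %BGP-5-ADJCHANGE: neighbor 192.0.2.133 Down BGP Notification sent
*May 20 04:52:18.132 MST: %BGP-3-NOTIFICATION: sent to neighbor 192.0.2.133 4/0 (hold time expired) 0 bytes
*May 20 04:55:16.469 MST: %BGP-5-ADJCHANGE: neighbor 192.0.2.133 Up
*May 20 04:56:17.169 MST: %BGP-5-ADJCHANGE: neighbor 192.0.2.133 Down Peer closed the session
*May 20 04:56:36.533 MST: %BGP-5-ADJCHANGE: neighbor 192.0.2.133 Up
*May 20 05:09:28.555 MST: %BGP-5-ADJCHANGE: neighbor 192.0.2.133 Down Peer closed the session
*May 20 05:09:35.087 MST: %BGP-5-ADJCHANGE: neighbor 192.0.2.133 Up
*May 20 05:47:57.350 MST: %BGP-5-ADJCHANGE: neighbor 192.0.2.133 Down BGP Notification sent
"""

LINE_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d+) \S+: "
    r"%BGP-\d-(?P<mnemonic>[A-Z]+): (?P<msg>.*)$"
)
ADJ_RE = re.compile(r"^neighbor (?P<nbr>\S+) (?P<state>Up|Down)(?: (?P<reason>.*))?$")
NOTIF_RE = re.compile(r"neighbor (?P<nbr>\S+) \d+/\d+ \((?P<detail>[^)]*)\)")


def parse_events(text: str) -> List[dict]:
    """ADJCHANGE events as {'ts','nbr','state','reason'}; a NOTIFICATION within
    two seconds of a Down for the same neighbor replaces that Down's reason."""
    events: List[dict] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f")   # year-less IOS timestamp
        if m["mnemonic"] == "ADJCHANGE":
            a = ADJ_RE.match(m["msg"])
            if a:
                events.append({"ts": ts, "nbr": a["nbr"], "state": a["state"],
                               "reason": (a["reason"] or "").strip()})
        elif m["mnemonic"] == "NOTIFICATION":
            n = NOTIF_RE.search(m["msg"])
            if n:
                for ev in reversed(events):
                    if ev["nbr"] == n["nbr"]:
                        if ev["state"] == "Down" and ts - ev["ts"] <= timedelta(seconds=2):
                            ev["reason"] = n["detail"]
                        break
    return events


def max_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of (sorted) events inside any window; two-pointer sweep."""
    best, j = 0, 0
    for i in range(len(times)):
        while j < len(times) and times[j] - times[i] <= window:
            j += 1
        best = max(best, j - i)
    return best


def analyze(text: str, window: timedelta = timedelta(hours=1), threshold: int = 3) -> Dict[str, dict]:
    """Per-neighbor Down count, peak Downs per window, flapping verdict and reason tally."""
    downs: Dict[str, List[dict]] = {}
    for ev in parse_events(text):
        if ev["state"] == "Down":
            downs.setdefault(ev["nbr"], []).append(ev)
    report: Dict[str, dict] = {}
    for nbr, evs in downs.items():
        peak = max_in_window(sorted(e["ts"] for e in evs), window)
        report[nbr] = {
            "downs": len(evs),
            "max_downs_in_window": peak,
            "flapping": peak > threshold,
            "reasons": Counter(e["reason"] for e in evs),
        }
    return report


if __name__ == "__main__":
    for nbr, r in analyze(SAMPLE_LOG).items():
        print(nbr, r)
```

On the slide's log this reports six Downs, four of them inside one hour, with reasons split between `Peer closed the session` and `hold time expired`; that split is what separates the causes listed under the log (a rebooting remote router closes the session, whereas drops on the link show up as hold-timer expiry).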
    52. Received Routes: Pre/Post Filter
       Show received routes before policy is applied
       sh ip bgp nei 1.1.1.1 received-routes
       Requires soft-reconfiguration inbound (more mem)
       Show received routes after policy is applied
       sh ip bgp nei 1.1.1.1 routes
       Show AS paths via all neighbors
       BGP-router> sh ip bgp paths
       Address    Hash Refcount Metric Path
       0xC4125EDC    1        8      0 7018 209 701 23520 3816 ?
       0x68397C58    1       18      0 4323 6389 6198 27266 25747 i
       0x74151970    1        2      0 4323 1299 13249 44600 i
       0x70FF72D4    1        2      0 4323 3257 1241 20506 i
    53. Missing Routes
       Next hop IP address must be accessible
       iBGP next-hop-self
       Route with better AD already exists in RIB
       Filters
       Prefix
       AS-Path
       Route-maps
    54. Announcements: Verify advertised routes
       Show advertised routes to peer
       sh ip bgp nei 192.0.2.233 advertised-routes
       BGP-Router> sh ip bgp nei 192.0.2.233 advertised-routes
       BGP table version is 20753141, local router ID is 205.93.251.126
       Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                     r RIB-failure, S Stale
       Origin codes: i - IGP, e - EGP, ? - incomplete
          Network          Next Hop            Metric LocPrf Weight Path
       *> 205.93.251.0     205.93.251.4             0         32768 i
       *> 205.93.251.0/23  0.0.0.0                  0         32768 i
       Total number of prefixes 2
       What if nothing shows up?
       Route must exist in the RIB
    55. BGP Table: Analyzing and Interpreting
       Router# sh ip bgp
       BGP table version is 24849, local router ID is 205.215.216.193
       Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                     r RIB-failure, S Stale
       Origin codes: i - IGP, e - EGP, ? - incomplete
          Network          Next Hop            Metric LocPrf Weight Path
       *>i0.0.0.0          205.93.251.125           0    100      0 7018 i
       *> 3.0.0.0          192.0.2.233                            0 4323 1239 701 703 80 i
       *> 4.0.0.0/9        192.0.2.233                            0 4323 3549 3356 i
       * i                 205.93.251.125           0    100      0 7018 209 3356 i
       *> 4.0.0.0          192.0.2.233                            0 4323 3549 3356 i
       * i                 205.93.251.125           0    100      0 7018 209 3356 i
       *> 4.23.112.0/24    192.0.2.233                            0 4323 174 21889 i
       *>i12.2.60.0/22     205.93.251.125           0    100      0 7018 209 7018 32719 i
       *                   192.0.2.233                            0 4323 6539 19092 26794 26794 26794 26794 26794 26794 26794 26794 26794 26794 26794 32719 i
       Note to self: 10 prepends is excessive
       Average AS path length is 3.6
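Worked example, added here and not part of the deck: a Python parser for Cisco `show ip bgp` output that applies the legend from the "How do you read this thing" slide (status codes in the first three characters, a blank Network column on continuation lines for the same prefix, origin code at the end of the path) and then does the two analyses this slide does by eye: pick the best path per prefix and flag excessive prepending. The sample output reproduces the entries on this slide in IOS column layout; it is constructed for the example, and the parser relies on the Path column starting where the header says it does, which is how IOS prints it. AS_SET braces and confederation segments are skipped rather than parsed.

```python
"""Parser for Cisco 'show ip bgp' output (added example, not from the slides).
Extracts the best path per prefix, AS-path lengths and the longest run of a
repeated ASN, which is what 'Note to self: 10 prepends is excessive' is about.
Column layout assumed: status codes in the first three characters, blank
Network column on continuation lines, Path column at the header's position."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed output reproducing the slide's entries in IOS column layout.
SAMPLE_SHOW_IP_BGP = """\
BGP table version is 24849, local router ID is 205.215.216.193
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*>i0.0.0.0          205.93.251.125           0    100      0 7018 i
*> 3.0.0.0          192.0.2.233                            0 4323 1239 701 703 80 i
*> 4.0.0.0/9        192.0.2.233                            0 4323 3549 3356 i
* i                 205.93.251.125           0    100      0 7018 209 3356 i
*> 4.23.112.0/24    192.0.2.233                            0 4323 174 21889 i
*>i12.2.60.0/22     205.93.251.125           0    100      0 7018 209 7018 32719 i
*                   192.0.2.233                            0 4323 6539 19092 26794 26794 26794 26794 26794 26794 26794 26794 26794 26794 26794 32719 i
"""

STATUS_CHARS = set(" *>sdhrSi")


@dataclass
class Route:
    network: str
    next_hop: str
    best: bool          # '>' present
    internal: bool      # 'i' in the third status column: learned from iBGP
    valid: bool         # '*' present
    rib_failure: bool   # 'r': a route with a better AD is already in the RIB
    weight: int
    as_path: List[int]
    origin: str         # 'i' network statement, '?' redistribution, 'e' EGP


def parse_show_ip_bgp(text: str) -> List[Route]:
    routes: List[Route] = []
    nh_col = path_col = None
    current_net = ""
    for line in text.splitlines():
        if line.startswith("   Network") and "Path" in line:
            nh_col, path_col = line.index("Next Hop"), line.index("Path")
            continue
        if path_col is None or len(line) <= path_col:
            continue
        status = line[:3]
        if any(c not in STATUS_CHARS for c in status):
            continue
        net_field = line[3:nh_col].strip()
        if net_field:                       # blank on continuation lines
            current_net = net_field
        fields = line[nh_col:path_col].split()     # next hop, then metric/locprf/weight
        path_tokens = line[path_col:].split()
        routes.append(Route(
            network=current_net,
            next_hop=fields[0],
            best=">" in status,
            internal=status[2] == "i",
            valid="*" in status,
            rib_failure="r" in status,
            weight=int(fields[-1]),         # weight is always printed, the others may be blank
            as_path=[int(t) for t in path_tokens[:-1] if t.isdigit()],  # AS_SET/confed tokens skipped
            origin=path_tokens[-1],
        ))
    return routes


def best_routes(routes: List[Route]) -> Dict[str, Route]:
    return {r.network: r for r in routes if r.best}


def longest_run(as_path: List[int]) -> Tuple[int, int]:
    """(asn, longest run of that ASN repeated consecutively)."""
    best_asn, best_run, run = 0, 0, 0
    for i, asn in enumerate(as_path):
        run = run + 1 if i and as_path[i - 1] == asn else 1
        if run > best_run:
            best_asn, best_run = asn, run
    return best_asn, best_run


def excessive_prepends(routes: List[Route], limit: int = 4) -> List[Tuple[str, int, int]]:
    """(network, asn, prepend count) for every path prepended more than `limit` times."""
    flagged = []
    for r in routes:
        asn, run = longest_run(r.as_path)
        if run - 1 > limit:
            flagged.append((r.network, asn, run - 1))
    return flagged


def average_best_path_length(routes: List[Route]) -> float:
    best = [r for r in routes if r.best]
    return sum(len(r.as_path) for r in best) / len(best) if best else 0.0


if __name__ == "__main__":
    routes = parse_show_ip_bgp(SAMPLE_SHOW_IP_BGP)
    for net, r in best_routes(routes).items():
        print(f"{net:16} via {r.next_hop:15} path {r.as_path}")
    print("excessive prepends:", excessive_prepends(routes))
    print("average best-path length:", average_best_path_length(routes))
```

The prepend check is the one to automate: a sudden jump in the longest run for a prefix you originate usually means an upstream is applying a policy you did not ask for, and on a received prefix it is a cheap sign of a route worth looking at before it is preferred over a shorter one.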
    56. Looking Glass: Public BGP Route Servers - CLI
       Verify how the global internet routing table views your prefix announcement
       route-views.oregon-ix.net> sh ip bgp 205.93.251.0 | i 64512
        3333 3356 1239 4323 64512
        2905 701 209 7018 64512
        4513 13789 22212 4323 64512
        7018 4323 64512
        ...
    57. Looking Glass: Public BGP Route Servers - Web/CLI
    58. High CPU
       BGP-Router# sh proc cpu | i CPU|PID|BGP
       CPU utilization for five seconds: 93%/2%; one minute: 32%; five minutes: 22%
        PID Runtime(ms)   Invoked   uSecs   5Sec   1Min   5Min TTY Process
        319     2319628  11589466     200  0.15%  0.05%  0.04%   0 BGP Router
        320      568684   2305861     246  0.00%  0.01%  0.00%   0 BGP I/O
        321   246815548   1497615  164807 76.47%  9.23%  6.50%   0 BGP Scanner
    59. High Memory
       L3-Switch# sh proc mem | i PID|BGP
        PID TTY  Allocated      Freed    Holding Getbufs Retbufs Process
        319   0  541682808  353471992  177441136       0       0 BGP Router
        320   0    1377432    2361312       7048       0       0 BGP I/O
        321   0        136     323920      10216       0       0 BGP Scanner
       L3-Switch# sh ip bgp sum
       Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
       32.124.75.251   4   209 1741759   68344  9564122    0    0 6w5d       251577
       52.111.238.129  4  5555 2798645   68231  9564122    0    0 1w2d       254104
       192.0.1.148     4 22222   68448 2134480  9564122    0    0 3w3d           35
       192.0.2.228     4 33333   67386 2381477  9564122    0    0 5d01h         118
       192.0.3.254     4 11111 2140027 2272911  9564130    0    0 6w5d       254360
       750K routes (if no soft-reconfig)
       1.5M routes (if soft-reconfig)
       542MB of memory for BGP
    60. Latency: Perception v. Reality
       What could cause this horrible latency???
       Reply from 209.85.171.100: bytes=32 time=5ms TTL=247
       Reply from 209.85.171.100: bytes=32 time=5ms TTL=247
       Reply from 209.85.171.100: bytes=32 time=6ms TTL=247
       Reply from 209.85.171.100: bytes=32 time=99ms TTL=247
       Reply from 209.85.171.100: bytes=32 time=225ms TTL=247
       Reply from 209.85.171.100: bytes=32 time=248ms TTL=247
       Reply from 209.85.171.100: bytes=32 time=66ms TTL=247
       Reply from 209.85.171.100: bytes=32 time=8ms TTL=247
       Reply from 209.85.171.100: bytes=32 time=5ms TTL=247
       Reply from 209.85.171.100: bytes=32 time=5ms TTL=247
       BGP scanner process takes higher priority than ICMP processing. Move on, nothing to see here.
    61. Section Review: Troubleshooting
       What are 3 reasons that could cause peer establishment problems?
       What are the advantages and disadvantages of soft reconfiguration?
       What is required in order to announce a prefix?
       What kind of information can you get from the looking glass route servers?
    62. BGP Resources
       North American Network Operators Group (NANOG)
       http://www.nanog.org
       www.traceroute.org
