BGP Protocol Makes the Internet Work


BGP Essentials: The Protocol that Makes the Internet Work

Service providers working with IP networks are very clear that the Border Gateway Protocol (BGP) is the most complex and difficult-to-configure Internet protocol. Its emphasis on security and scalability makes it essential, however. This guide offers you a detailed look at how and why BGP-enabled routers in core networks exchange information about several hundred thousand IP prefixes with competitors they do not trust, as well as simple and advanced approaches for troubleshooting connectivity problems.

Introduction to Border Gateway Protocol (BGP)

If you have to explain to someone new to the service provider environment what Border Gateway Protocol (BGP) is, the best definition would be that it's the routing protocol that makes the Internet work. As address allocation in the Internet is nowhere nearly as hierarchical as the telephone dialing plan, most of the routers in service provider core networks have to exchange information about several hundred thousand IP prefixes. BGP is still able to accomplish that task, which is good proof that it's a highly scalable routing protocol.

BGP routing information is usually exchanged between competing business entities -- Internet Service Providers (ISPs) -- in an open, hostile environment (the public Internet). BGP is thus very security-focused: for example, all adjacent routers have to be configured manually, so a router never discovers or accepts a peer it was not explicitly told about, and decent BGP implementations provide a rich set of route filters to allow the ISPs to defend their networks and control what they advertise to their competitors. Note that manual neighbor configuration only decides whom you talk to; what a configured neighbor sends you is still taken on trust unless your inbound filters check it, which is why those filters matter as much as the session itself.

In BGP terminology, an independent routing domain (which almost always means an ISP) is called an autonomous system.

BGP is always used as the routing protocol of choice between ISPs (external BGP), but also as the core routing protocol within large ISP networks (internal BGP).

All other routing protocols are concerned solely with finding the optimal path toward all known destinations.
BGP cannot take this simplistic approach because the peering agreements between ISPs almost always result in complex routing policies. To help network operators implement these policies, BGP carries a large number of attributes with each IP prefix, for example:

- AS path -- the complete path documenting which autonomous systems a packet would have to travel through to reach the destination. It also provides BGP's loop detection: a router discards an update whose AS path already contains its own AS number.
- Local preference -- the "internal cost" of a destination (higher values are preferred), used to ensure AS-wide consistency.
- Multi-exit discriminator -- this attribute gives adjacent ISPs the ability to prefer one peering point over another.
- Communities -- a set of generic tags that can be used to signal various administrative policies between BGP routers.
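The attributes above only mean something once you see how a router ranks competing paths. The following is an added example, not code from the e-guide: a constructed router in AS 65000 (an assumed number) holds several paths for one documentation prefix and picks one using the standard BGP decision process of RFC 4271 section 9.1.2 (highest LOCAL_PREF, shortest AS_PATH, lowest MED between paths from the same neighbor AS, eBGP before iBGP, lowest IGP metric, lowest router ID). It also applies the AS-path loop check before ranking, which is the first thing a real router does with an external update. The candidate paths, neighbor addresses and AS numbers are all constructed sample data.

```python
"""BGP path attributes and the best-path decision (constructed example)."""
from dataclasses import dataclass, field

LOCAL_AS = 65000  # assumed local autonomous system number


@dataclass
class Path:
    prefix: str
    next_hop: str
    as_path: tuple                 # leftmost AS is the neighbour that sent it
    local_pref: int = 100          # higher is preferred; meaningful inside one AS only
    med: int = 0                   # lower is preferred; set by the neighbour AS
    ebgp: bool = True              # learned from an external peer?
    igp_metric: int = 0            # IGP cost to reach next_hop
    router_id: str = "0.0.0.0"     # BGP identifier of the peer that sent the path
    communities: frozenset = field(default_factory=frozenset)


def accept(path: Path, local_as: int = LOCAL_AS) -> bool:
    """Loop detection: reject an update whose AS_PATH already contains our AS."""
    return local_as not in path.as_path


def _ip_key(ip: str) -> tuple:
    return tuple(int(o) for o in ip.split("."))


def compare(a: Path, b: Path) -> Path:
    """Return the better of two paths for the same prefix (RFC 4271 9.1.2 order)."""
    if a.local_pref != b.local_pref:
        return a if a.local_pref > b.local_pref else b
    if len(a.as_path) != len(b.as_path):
        return a if len(a.as_path) < len(b.as_path) else b
    # MED is only comparable between paths received from the same neighbour AS
    if a.as_path and b.as_path and a.as_path[0] == b.as_path[0] and a.med != b.med:
        return a if a.med < b.med else b
    if a.ebgp != b.ebgp:
        return a if a.ebgp else b
    if a.igp_metric != b.igp_metric:
        return a if a.igp_metric < b.igp_metric else b
    return a if _ip_key(a.router_id) <= _ip_key(b.router_id) else b


def best_path(paths):
    """Drop looped updates, then fold the decision process over the rest."""
    candidates = [p for p in paths if accept(p)]
    if not candidates:
        return None
    best = candidates[0]
    for p in candidates[1:]:
        best = compare(best, p)
    return best


# Constructed candidate paths for the documentation prefix 203.0.113.0/24
SAMPLE_PATHS = [
    Path("203.0.113.0/24", "192.0.2.1", (64501, 64510), local_pref=100, med=50, router_id="192.0.2.1"),
    Path("203.0.113.0/24", "192.0.2.5", (64502, 64520, 64510), local_pref=200, router_id="192.0.2.5"),
    Path("203.0.113.0/24", "192.0.2.9", (64501, 64510), local_pref=100, med=10, router_id="192.0.2.9"),
    # looped update: our own AS already appears in the AS path
    Path("203.0.113.0/24", "192.0.2.13", (64503, 65000, 64510), local_pref=300, router_id="192.0.2.13"),
]


def demo():
    return best_path(SAMPLE_PATHS)


if __name__ == "__main__":
    b = demo()
    print(f"best path via {b.next_hop}, AS path {b.as_path}, local_pref {b.local_pref}")
```

Two things worth noticing when you run it: the path with the highest local preference wins even though its AS path is the longest, which is exactly how an operator's policy overrides the "shortest path" instinct of other routing protocols; and the fourth path, which would otherwise have won on local preference, never enters the comparison because its AS path carries our own AS number. MED only breaks the tie between the two paths from AS 64501, so removing the local-preference-200 path makes the MED-10 path via 192.0.2.9 the winner.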
As the focus of BGP design and implementation was always on security and scalability, it's harder to configure than other routing protocols, more complex (more so when you start configuring various routing policies), and one of the slowest-converging routing protocols.

The slow BGP convergence dictates a two-protocol design of an ISP network:

- An internal routing protocol (most often OSPF or IS-IS) is used to achieve fast convergence for internal routes (including the IP addresses of the BGP routers).
- BGP is used to exchange Internet routes.

A failure within the core network would thus be quickly bypassed thanks to the fast convergence of OSPF or IS-IS, whereas BGP on top of an internal routing protocol would meet the scalability, security and policy requirements. Even more, if you migrate all your customer routes into BGP, customer problems (for example, link flaps between your router and the customer's router) will not affect the stability of your core network.

Because of inherent BGP complexity, customers and small ISPs would deploy BGP only where needed, for example on peering points and a minimal subset of core routers (the ones between the peering points), as shown in the following diagram. The BGP-speaking routers would also have to generate a default route into the internal routing protocol to attract the traffic for Internet destinations not known to other routers in your network.

As your ISP business grows, however, your customers will start requiring BGP connectivity (any customer who wants to achieve truly redundant Internet access has to have its own AS and exchange BGP information with its ISPs), and you'll be forced to deploy BGP on more and more core and edge routers (see the following picture). It's therefore best that you include BGP on all core and major edge routers as part of your initial network design. Even though you might not deploy it everywhere with the initial network deployment, having a good blueprint will definitely help you when you have to scale the BGP-speaking part of your network.

BGP requires a full mesh of internal BGP sessions (sessions between routers in the same autonomous system). You could use BGP route reflectors or BGP confederations to make your network scalable.

There is also another excellent reason why you'd want to deploy BGP throughout your network: novel network services, for example MPLS-based virtual private networks (VPNs), large-scale quality-of-service deployments, or large-scale differentiated Web caching implementations, rely on BGP to transport the information they need.

BGP Troubleshooting: Simple Approach

Border Gateway Protocol (BGP) is without doubt the most complex IP routing protocol currently deployed in the Internet. Its complexity is primarily due to its focus on security and routing policies: BGP is used to exchange cooperative information (Internet routes) between otherwise competing entities (service providers) and has to be able to implement whatever has been agreed upon in the inter-provider peering agreements. (These agreements often have little to do with technically optimum solutions.)

However, a structured approach to BGP troubleshooting, as illustrated in this and the next section, can quickly lead you from initial problem diagnosis to the solution. Here we focus on a simple scenario with a single BGP-speaking router in your network (see the following diagram). Similar designs are commonly used by multi-homed customers and small Internet service providers (ISPs) that do not offer BGP connectivity to their customers.

Is it a BGP problem?

Before jumping into BGP troubleshooting, you have to identify the source of the connectivity problem you're debugging (usually you suspect that BGP might be involved if one of your customers reports limited or no Internet connectivity beyond your network). Perform a traceroute from a workstation on the problematic LAN; if the trace reaches the first BGP-speaking router (or, even better, gets beyond the edge of your network), you're probably dealing with a BGP issue. Otherwise, check whether the BGP-speaking router advertises a default route into your network (without a default route, other routers in your network cannot reach Internet destinations).

If you don't have access to a LAN-attached workstation, you can perform the traceroute from the customer premises router, but you have to ensure that the source IP address used in the traceroute packets is the router's LAN address.

Troubleshooting BGP adjacencies

BGP has to establish a TCP session between adjacent BGP routers before they can exchange routes. The first check is thus the status of the BGP sessions between the routers.

BGP neighbors are configured manually, and the two most probable configuration errors are:

- Neighbor IP address mismatch: the destination IP address configured on one BGP neighbor has to match the source IP address (or the IP address of the directly connected interface) configured on the other.
- AS number mismatch: the neighbor AS number configured on one side of the BGP session has to match the actual BGP AS number used by the neighbor.

You could also have a problem with packet filters deployed on the BGP-speaking router. These filters have to allow packets to and from TCP port 179; since either router may initiate the TCP connection, the filter has to permit it in both directions.

Troubleshooting Route Propagation

If your users want to receive traffic from the Internet, the IP prefix assigned to your network must be visible throughout the Internet. To get there, three steps are needed:

- Your BGP router must insert your IP prefix into its BGP table.
- The IP prefix must be advertised to its BGP neighbors.
- The IP prefix must be propagated throughout the Internet.

Is the Route Inserted into BGP?

Most routing protocols automatically insert directly connected IP subnets into their routing tables (or databases). Owing to security requirements, BGP is an exception; it will originate an IP prefix only if it's manually configured to do so (for example, Cisco routers use the network statement to configure advertised IP prefixes). Another option is route redistribution, which is highly discouraged in the Internet environment.

Furthermore, to avoid attracting unroutable traffic, BGP will announce a configured IP prefix only if there's a matching route (same prefix and mask) in the IP routing table. You could generate the matching IP route through route summarization, but it's usually best to configure a static route pointing to a null interface (or its equivalent).

To check whether your IP prefix is in your BGP routing table, use a BGP show command (for example, show ip bgp prefix mask on a Cisco router).

Is the Route Advertised to Your Neighbors?

By default, all IP prefixes residing in the BGP table are announced to all BGP neighbors. Owing to security and routing policy requirements, the default behavior is usually modified with a set of output and input filters. If you have applied output filters toward your BGP neighbors, you have to check whether these filters allow your IP prefix to be propagated to the external BGP neighbors. The command to display routes advertised to a BGP neighbor on a Cisco router is show ip bgp neighbors ip-address advertised-routes.

Is the route visible throughout the Internet?

Even if you've successfully announced your IP prefix to your BGP neighbors, it might still not be propagated throughout the Internet. It's hard to figure out exactly what's propagated beyond the boundaries of your network; the tools that can help you are called BGP looking glasses. Using these tools, you can inspect BGP tables at various points throughout the Internet and check whether your IP prefix has made it to those destinations.

There are a few factors that could cause your IP prefix to be blocked somewhere in the Internet. The most common one is BGP route flap dampening: if an IP prefix flaps (disappears and reappears) too often in a short period of time -- for example, you clear your BGP sessions or change your BGP configuration -- the prefix gets blocked for an extended period of time (by default, up to an hour). If your IP prefix is dampened, there's nothing you can do except wait it out, so never clear an external BGP session as a troubleshooting reflex; a soft reset, which re-sends the routes without tearing down the session, does not cause a flap. You could also have an invalid (or missing) entry in the IP routing registries, or there may be inbound filters at one of the upstream ISPs. In all these cases, it's best if your upstream ISP can help you resolve the problem (which is, at this point, beyond the scope of technical BGP troubleshooting).

BGP Troubleshooting: Advanced Approach

In the previous section of this e-guide we addressed some basic BGP troubleshooting skills:

- how to identify whether a routing problem is a BGP problem,
- how to troubleshoot BGP sessions,
- how to troubleshoot IP route origination and propagation.

Now let's focus on a more advanced scenario: transit Internet service provider (ISP) networks (see the next diagram).

NOTE: Before reading this section, make sure you've read sections one and two to become familiar with basic Border Gateway Protocol technology as well as simple BGP troubleshooting.

To establish end-to-end connectivity across a service provider network, the ISP has to receive the customers' IP prefixes via BGP and announce them to other ISPs. The same process has to happen in the reverse direction (or at least the default route has to be announced to the customer). Network-wide BGP troubleshooting is thus composed of three steps:

- Have we received the prefix?
- Is the prefix propagated across our network?
- Is the prefix sent to external BGP neighbors at the other edge of the network?

Have We Received the Prefix?

Troubleshooting inbound BGP problems is the toughest part of BGP troubleshooting you'll encounter. There are two potential reasons that an IP prefix is not in your BGP table as you would expect it to be:

- The neighbor is not sending the prefix.
- Your inbound filters are blocking the prefix.
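The three places the Simple Approach section tells you to look (is the prefix originated, does the outbound filter let it out, does the inbound filter let the neighbor's prefix in) can be modelled as one small policy engine. The following is an added example, not code from the e-guide or from any router vendor: it reproduces the exact-match rule for the network statement, first-match prefix-list evaluation with an implicit deny, and the split between what a neighbor sent and what survived the inbound filter. The configuration lines, routing table and received updates are constructed sample data using documentation prefixes; the ge/le range semantics mirror Cisco IOS prefix lists but the code is a generic model, not the IOS implementation.

```python
"""Route origination and prefix filtering (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One prefix-list entry: prefix, optional length range, permit/deny."""
    permit: bool
    prefix: str
    ge: Optional[int] = None   # minimum prefix length (like 'ge' on Cisco IOS)
    le: Optional[int] = None   # maximum prefix length (like 'le')

    def matches(self, net: ipaddress.IPv4Network) -> bool:
        rule_net = ipaddress.ip_network(self.prefix)
        if self.ge is None and self.le is None:
            return net == rule_net                  # exact match unless a range is given
        if not net.subnet_of(rule_net):
            return False
        lo = self.ge if self.ge is not None else rule_net.prefixlen
        hi = self.le if self.le is not None else 32
        return lo <= net.prefixlen <= hi


def evaluate(rules, prefix: str) -> bool:
    """First matching rule wins; no match is an implicit deny."""
    net = ipaddress.ip_network(prefix)
    for rule in rules:
        if rule.matches(net):
            return rule.permit
    return False


def originated(network_statements, routing_table):
    """Prefixes a 'network' statement can actually inject into BGP: only those
    with an exactly matching route (prefix and mask) in the routing table."""
    rib = {ipaddress.ip_network(r) for r in routing_table}
    return [p for p in network_statements if ipaddress.ip_network(p) in rib]


def advertised(bgp_table, outbound_rules):
    """What passes the outbound filter toward a neighbour."""
    return [p for p in bgp_table if evaluate(outbound_rules, p)]


def received(updates, inbound_rules):
    """Split a neighbour's updates into accepted and filtered, the distinction a
    per-neighbour received-routes table lets you make on the router."""
    accepted = [p for p in updates if evaluate(inbound_rules, p)]
    dropped = [p for p in updates if p not in accepted]
    return accepted, dropped


# --- constructed sample data --------------------------------------------------
NETWORK_STATEMENTS = ["198.51.100.0/23", "198.51.100.0/24", "203.0.113.0/24"]
ROUTING_TABLE = [
    "198.51.100.0/24",   # connected LAN
    "198.51.101.0/24",   # connected LAN
    "203.0.113.0/24",    # static route to Null0 anchoring the announcement
    "0.0.0.0/0",         # default toward the upstream
]
NULL_ROUTE_FOR_AGGREGATE = "198.51.100.0/23"   # the static route the /23 needs
OUTBOUND = [Rule(True, "198.51.100.0/23"), Rule(True, "203.0.113.0/24")]  # rest denied
INBOUND = [
    Rule(False, "0.0.0.0/0", le=7),          # nothing shorter than a /8
    Rule(False, "0.0.0.0/0", ge=25),         # nothing more specific than a /24
    Rule(False, "198.51.100.0/23", le=32),   # our own space must not come back in
    Rule(False, "10.0.0.0/8", le=32),        # bogon (RFC 1918) space
    Rule(True, "0.0.0.0/0", le=32),          # accept the rest
]
UPDATES = ["192.0.2.0/24", "192.0.2.128/25", "198.51.100.0/24", "10.0.0.0/8"]


if __name__ == "__main__":
    table = originated(NETWORK_STATEMENTS, ROUTING_TABLE)
    print("originated:", table, "advertised:", advertised(table, OUTBOUND))
    table = originated(NETWORK_STATEMENTS, ROUTING_TABLE + [NULL_ROUTE_FOR_AGGREGATE])
    print("with null route:", table, "advertised:", advertised(table, OUTBOUND))
    print("received:", received(UPDATES, INBOUND))
```

The first run shows the classic trap: the outbound filter permits the /23 you intended to announce, but the /23 is never originated because the routing table only holds the two connected /24s, and the /24 that is originated is then dropped by the exact-match outbound rule. Adding the static null route for the /23 fixes origination and the aggregate goes out. On the inbound side, the neighbor sent four prefixes but only one enters the BGP table; without a per-neighbor received-routes view you would only see the one and might wrongly conclude the neighbor never sent the others.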
The only tool that can help you identify the problem is the debugging facility on your edge router (as you normally don't have access to the other BGP neighbor). When doing BGP debugging, be aware that a BGP neighbor can send you several hundred thousand routes, so you have to ensure that the debugging output produced by the troubleshooting session does not overwhelm the router. Furthermore, BGP prefixes are sent only when they change, not on a periodic basis (like RIP updates or OSPF LSA floods). Your debugging tool will thus not show you an IP prefix until it has actually changed (or you've cleared the BGP session with your neighbor).

Some BGP routers have the ability to store a separate copy of all routes sent by a neighbor in a parallel BGP table. (To enable this functionality on Cisco IOS, you have to configure soft-reconfiguration inbound for the BGP neighbor; the stored copy is then displayed with show ip bgp neighbors ip-address received-routes.) With the parallel per-neighbor table, you can pinpoint exactly what the neighbor has sent you (the content of the parallel table) and what routes have passed your input filters (the contents of the main BGP table), but of course the parallel per-neighbor table consumes a large amount of memory.

Is the Prefix Propagated Across Our Network?

Even when an edge router receives an IP prefix via BGP, it may not be propagated to the other end of your network. To start with, internal BGP (BGP within a single autonomous system) requires a full mesh of BGP sessions among all BGP routers. As every router between every pair of edge routers has to run BGP (otherwise the traffic could be dropped inside your network), the number of BGP sessions could become excessively large. (The next diagram illustrates the BGP sessions needed in a small four-router network.)

There are two tools (BGP route reflectors and BGP confederations) that can help you keep the number of BGP sessions to a sensible level, with BGP route reflectors being the most commonly used.

The BGP route reflector rules are quite simple:

- Whatever is received from a route-reflector client or an external BGP peer will be sent to every other BGP peer.
- Whatever is received from a router that is not a route-reflector client will be sent only to clients and external BGP peers.

With these rules in hand, you have to step through the graph of BGP sessions in your network, checking every BGP router on the way and ensuring that the route reflector rules are not violated (and that, using the rules, the BGP prefixes get from every edge router to all other routers).

There is another common reason an IP prefix is not propagated across your network: the external subnets on the edge of your network are not advertised to your core routers.

The IP address of the next-hop router is not changed when an IP prefix is sent to an internal BGP neighbor. The IP next hop of an external route is thus always the IP address of a router one hop beyond the edge of your autonomous system. The IP subnets connecting your edge routers to their external neighbors thus have to be inserted into your internal routing protocol (for example, OSPF or IS-IS); otherwise some internal BGP router will decide that the BGP next hop is not reachable and ignore the IP prefix. (It will appear in the BGP table but will not be used or propagated to other BGP peers.) The alternative is to have the edge router rewrite the next hop to its own address when it passes the prefix to internal peers (next-hop-self on Cisco IOS), so that only the edge router's own address has to be reachable through the IGP.

Is the Prefix Sent to External Neighbors?

As the last step in troubleshooting BGP route propagation, you have to check whether the IP prefixes transported across your network are announced to your external BGP peers. The techniques for troubleshooting outbound BGP route propagation are explained in the Simple Approach section above.

Is the Traffic Traversing the Network?

Even if your BGP route propagation works flawlessly, the IP packets may not be able to traverse your network. (Remember, we're talking about pure IP networks here; things change a bit if you add MPLS to the mix.) The most common cause of a "black hole" in your network is a router in the transit path that does not run BGP and consequently has no idea how to route the received IP packet toward the destination network.

IP routing works hop by hop. Even though the ingress edge router knows exactly which egress edge router to use and how to get there, it cannot pass that information to the intermediate routers. All of them must therefore run BGP as well.

To identify a black hole in your network, perform a traceroute from your customer's network to a destination in the Internet. The last router responding to the traceroute is one hop before the black hole.
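The two failure modes just described (a next hop the core cannot resolve, and a transit router that does not speak BGP) are easy to confuse because both end in dropped traffic, so it helps to see them produced one at a time. The following is an added example, not code from the e-guide: a constructed AS 65000 with edge routers E1 and E2, a route reflector RR, and a core router P that sits on the forwarding path. E1 learns 203.0.113.0/24 from an external peer at the assumed address 192.0.2.1 on E1's external link 192.0.2.0/30. The simulation floods the prefix through the iBGP session graph applying the two route-reflector rules and the next-hop reachability rule, then walks the physical path hop by hop the way a traceroute would. Router names, addresses and the topology are all constructed.

```python
"""iBGP propagation with route reflectors and black-hole detection (constructed example)."""
import ipaddress
from collections import deque

PREFIX = "203.0.113.0/24"          # prefix learned from the external peer
NEXT_HOP = "192.0.2.1"             # external peer's address, unchanged by iBGP
EXTERNAL_LINK = "192.0.2.0/30"     # E1's link to that peer
CORE_IGP = {"10.0.0.0/8"}          # loopbacks and core links carried by OSPF/IS-IS
TOPOLOGY = {"E1": ["P"], "P": ["E1", "RR", "E2"], "RR": ["P"], "E2": ["P"]}  # physical links


def reachable(ip, igp_prefixes):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in igp_prefixes)


def propagate(routers, sessions, origin, next_hop):
    """Flood one prefix through the iBGP session graph.

    routers:  name -> {"clients": set of RR clients, "igp": set of IGP prefixes};
              a router that runs no BGP is simply absent.
    sessions: set of frozenset({a, b}) iBGP sessions.
    Returns name -> "used" | "unusable next hop" for every router that got the prefix.
    """
    peers = {r: {o for s in sessions if r in s for o in s if o != r} for r in routers}
    state, seen = {}, set()
    queue = deque([(origin, None)])            # (router, peer it came from; None = eBGP)
    while queue:
        r, frm = queue.popleft()
        if (r, frm) in seen:
            continue
        seen.add((r, frm))
        usable = reachable(next_hop, routers[r]["igp"])
        state[r] = "used" if usable else "unusable next hop"
        if not usable:
            continue                           # in the BGP table, but never best, so never re-advertised
        clients = routers[r]["clients"]
        # RR rule 1: from a client or eBGP peer -> every other peer
        # RR rule 2: from a non-client -> clients (and eBGP peers) only
        targets = peers[r] if (frm is None or frm in clients) else clients & peers[r]
        for p in targets - {frm}:
            queue.append((p, r))
    return state


def igp_path(topology, src, dst):
    """Shortest physical path by hop count, standing in for the IGP."""
    prev, q = {src: None}, deque([src])
    while q:
        n = q.popleft()
        if n == dst:
            break
        for nb in topology[n]:
            if nb not in prev:
                prev[nb] = n
                q.append(nb)
    path, n = [], dst
    while n is not None:
        path.append(n)
        n = prev[n]
    return path[::-1]


def trace(topology, bgp_state, ingress, egress):
    """Hop-by-hop forwarding check: every router on the path needs a usable BGP
    route for the prefix.  Returns (hops that would answer a traceroute, black hole)."""
    hops = []
    for r in igp_path(topology, ingress, egress):
        if bgp_state.get(r) != "used":
            return hops, r
        hops.append(r)
    return hops, None


def scenario(external_in_igp, p_runs_bgp):
    """Build the constructed AS with or without the two fixes and run both checks."""
    igp = CORE_IGP | ({EXTERNAL_LINK} if external_in_igp else set())
    routers = {
        "E1": {"clients": set(), "igp": igp | {EXTERNAL_LINK}},   # E1 owns the external link
        "RR": {"clients": {"E1", "E2"} | ({"P"} if p_runs_bgp else set()), "igp": igp},
        "E2": {"clients": set(), "igp": igp},
    }
    sessions = {frozenset({"E1", "RR"}), frozenset({"E2", "RR"})}
    if p_runs_bgp:
        routers["P"] = {"clients": set(), "igp": igp}
        sessions.add(frozenset({"P", "RR"}))
    state = propagate(routers, sessions, "E1", NEXT_HOP)
    hops, hole = trace(TOPOLOGY, state, "E2", "E1")
    return state, hops, hole


if __name__ == "__main__":
    for flags in [(False, False), (True, False), (True, True)]:
        state, hops, hole = scenario(*flags)
        print(f"external link in IGP={flags[0]}, P runs BGP={flags[1]}: {state}; trace {hops}, black hole at {hole}")
```

Run it and the three stages of the section fall out in order. With the external link missing from the IGP, RR holds the prefix but marks the next hop unreachable and never reflects it, so E2 has no route at all. Once the link is in the IGP (next-hop-self on E1 would have the same effect), RR reflects the prefix to E2, but the traceroute from E2's side stops at E2 because P, the next physical hop, runs no BGP and is the black hole. Only when P joins as a third client does the trace reach E1. Note that RR is not on the forwarding path at all, which is fine: iBGP sessions follow the session graph, forwarding follows the IGP.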
Even though all core routers in your network have to run BGP, the internal BGP sessions don't have to follow the physical structure of the network. For example, you could have a few central routers acting as BGP route reflectors for all BGP routers in your network.

What is BGP? (Border Gateway Protocol)

BGP is a protocol for exchanging routing information between gateway hosts (each with its own router) in a network of autonomous systems. BGP is often the protocol used between gateway hosts on the Internet. The routing table contains a list of known routers, the addresses they can reach, and a cost metric associated with the path to each router so that the best available route is chosen.

Hosts using BGP communicate using the Transmission Control Protocol (TCP) and send updated routing table information only when one host has detected a change. Only the affected part of the routing table is sent. BGP-4, the latest version, lets administrators configure cost metrics based on policy statements. (BGP-4 is sometimes called BGP4, without the hyphen.)

Within an autonomous system, BGP runs as Internal BGP (IBGP) alongside the interior gateway protocol rather than replacing it. The routers inside the autonomous system thus maintain two sets of routes: those learned from the interior gateway protocol and those learned via IBGP.

BGP-4 makes it easy to use Classless Inter-Domain Routing (CIDR), which allows prefixes of any length to be advertised and aggregated instead of being tied to the classful IP address assignment scheme.

BGP is a more recent protocol than the Exterior Gateway Protocol (EGP). See also the Interior Gateway Protocol (IGP) and the Open Shortest Path First (OSPF) interior gateway protocol.