Download Powerpoint

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
page
41
page
42
page
43
page
44
page
45
page
46
page
47
page
48
page
49
page
50
page
51
page
52
page
53
page
54
page
55
page
56
page
57
page
58
page
59
page
60
page
61
page
62
page
63
page
64
page
65
page
66
page
67
page
68
page
69
page
70
page
71
page
72
page
73
page
74
page
75
page
76
page
77
page
78
page
79
page
80
page
81
page
82
page
83
page
84
page
85
page
86
page
87
page
88
page
89
page
90
page
91
page
92
page
93
page
94
page
95
page
96
page
97
page
98
page
99
page
100
page
101
page
102
page
103
page
104
page
105
page
106
page
107
page
108
page
109
page
110
page
111
page
112
page
113
page
114
page
115
page
116
page
117
page
118
page
119
page
120
page
121
page
122
page
123
page
124
page
125
page
126
page
127
page
128
page
129
page
130
page
131
page
132
page
133
page
134
page
135
page
136
page
137
page
138
page
139
Document related concepts

Deep packet inspection wikipedia , lookup

Net bias wikipedia , lookup

Piggybacking (Internet access) wikipedia , lookup

Distributed firewall wikipedia , lookup

Network tap wikipedia , lookup

Zero-configuration networking wikipedia , lookup

IEEE 802.1aq wikipedia , lookup

Computer network wikipedia , lookup

Wake-on-LAN wikipedia , lookup

Recursive InterNetwork Architecture (RINA) wikipedia , lookup

Multiprotocol Label Switching wikipedia , lookup

List of wireless community networks by region wikipedia , lookup

Airborne Networking wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Peering wikipedia , lookup

Routing in delay-tolerant networking wikipedia , lookup

Routing wikipedia , lookup

Transcript 
Border Gateway Protocol (BGP4)
AFNOG 2001
Border Gateway Protocol (BGP)
•
•
•
•
•
•
•
•
Review: Routing/Forwarding basics
Building blocks
Exercises
BGP protocol basics
Exercises
BGP path attributes
Best path computation
Exercises
Border Gateway Protocol (BGP)...
•
•
•
•
•
Typical BGP topologies
Routing Policy
Exercises
Redundancy/Load sharing
Best current practices
Routing/Forwarding
Basics
IP routing
• Each router or host makes its own routing
decisions
• Sending machine does not have to determine
the entire path to the destination
• Sending machine just determines the next-hop
along the path.
– This process is repeated until the destination is
reached
• Forwarding table consulted to determine the
next-hop
IP routing
• Classless routing
– route entries include
• destination
• next-hop
• mask (prefix-length) indicating size of address space
described by the entry
• Longest match
– for a given destination, find longest prefix match
in the routing table
– example: destination is 35.35.66.42
• routing table entries are 35.0.0.0/8, 35.35.64.0/19 and
0.0.0.0/0
IP routing
• Default route
– where to send packets if don’t have an entry for
the destination in the routing table
– most machines have a single default route
– often referred to as a default gateway
IP route lookup:Longest match
routing
R3
Packet: Destination
IP address: 10.1.1.1
R1
R2
10/8 -> R3
10.1/16 -> R4
20/8 -> R5
30/8 -> R6
…..
R2’s IP routing table
All 10/8 except
10.1/16
R4
10.1/16
IP route lookup: Longest match
routing
R3
Packet: Destination
IP address: 10.1.1.1
R1
R4
R2
10/8 -> R3
10.1/16 -> R4
20/8 -> R5
All 10/8 except
10.1/16
10.1/16
10.1.1.1 & FF.0.0.0
is equal to
10.0.0.0 & FF.0.0.0
…..
R2’s IP routing table
Match!
IP route lookup: Longest match
routing
R3
Packet: Destination
IP address: 10.1.1.1
R1
R4
R2
10/8 -> R3
10.1/16 -> R4
20/8 -> R5
All 10/8 except
10.1/16
10.1/16
10.1.1.1 & FF.FF.0.0
is equal to
10.1.0.0 & FF.FF.0.0
…..
R2’s IP routing table
Match as well!
IP route lookup: Longest match
routing
R3
Packet: Destination
IP address: 10.1.1.1
R1
R4
R2
10/8 -> R3
10.1/16 -> R4
20/8 -> R5
…..
All 10/8 except
10.1/16
10.1/16
10.1.1.1 & FF.0.0.0
is equal to
Does not match!
20.0.0.0 & FF.0.0.0
R2’s IP routing table
IP route lookup: Longest match
routing
R3
Packet: Destination
IP address: 10.1.1.1
R1
R2
All 10/8 except
10.1/16
R4
10.1/16
10/8 -> R3
10.1/16 -> R4
20/8 -> R5
…..
R2’s IP routing table
Longest match, 16 bit netmask
IP route lookup: Longest match
routing
• More specific/longest match always wins!!
• Default route is 0.0.0.0/0
– Can handle it using the normal longest match
algorithm
– Matches everything. Always the shortest
match.
Dynamic Routing
• routers compute routing tables dynamically
based on information provided by other
routers in the network
• routers communicate topology to each other
via different protocols
• routers then compute one or more next hops
for each destination - trying to calculate the
most optimal path
Forwarding Table/FIB
• Forwarding table determines how packets are
sent through the router
• Made from routing table built by routing
protocols
– Best routes from routing tables are installed
• Performs the lookup to find next-hop and
outgoing interface
• Switches the packet with new encapsulation as
per the outgoing interface
Building Blocks
Building Blocks
•
•
•
•
•
•
•
Autonomous System (AS)
Types of Routes
IGP/EGP
DMZ
Policy
Egress
Ingress
Autonomous System (AS)
AS 100
•
•
•
•
Collection of networks with same policy
Single routing protocol
Usually under single administrative control
IGP to provide internal connectivity
Autonomous System(AS)...
• Identified by ‘AS number’
• Public & Private AS numbers
• Examples:
– Service provider
– Multi-homed customers
– Anyone needing policy discrimination
Routing flow and packet flow
packet flow
egress
AS 1
accept
announce
announce
Routing flow
accept
AS2
ingress
packet
flow
For networks in AS1 and AS2 to communicate:
AS1 must announce routes to AS2
AS2 must accept routes from AS1
AS2 must announce routes to AS1
AS1 must accept routes from AS2
Egress Traffic
• Packets exiting the network
• Based on
– Route availability (what others send you)
– Route acceptance (what you accept from others)
– Policy and tuning (what you do with routes from
others)
– Peering and transit agreements
Ingress Traffic
• Packets entering your network
• Ingress traffic depends on:
– What information you send and to who
– Based on your addressing and ASes
– Based on others’ policy (what they accept from
you and what they do with it)
Types of Routes
• Static Routes
– configured manually
• Connected Routes
– created automatically when an interface is ‘up’
• Interior Routes
– Routes within an AS
– learned via IGP
• Exterior Routes
– Routes exterior to AS
– learned via EGP
What is Policy?
• Use your policy to control how you accept
and send routing updates to neighbors
– prefer cheaper connections, load-sharing, etc.
• Accepting routes from some ISPs and not
others
• Sending some routes to some ISPs and not
others
• Preferring routes from some ISPs over others
Why Do We Need an EGP?
• Scaling to large network
– Hierarchy
– Limit scope of failure
• Define administrative boundary
• Policy
– Control reachability to prefixes
Interior vs. Exterior
Routing Protocols
• Interior (IGP)
– Automatic discovery
– Generally trust your
IGP routers
– Routes go to all IGP
routers
• Exterior (EGP)
– Specifically configured
peers
– Connecting with
outside networks
– Set administrative
boundaries
Hierarchy of Routing Protocols
Other ISP’s
BGP4
BGP4 / OSPF
BGP4
Local NAP
FDDI
BGP4/Static
Customers
Demilitarized Zone (DMZ)
A
C
DMZ
Network
AS 100
B
AS 101
D
E
AS 102
• Shared network between ASes
Addressing - ISP
• Need to reserve address space for its
network.
• Need to allocate address blocks to its
customers.
• Need to take “growth” into consideration
• Upstream link address is allocated by
upstream provider
BGP Basics
•
•
•
•
•
•
Protocol Basics
Terminology
Messages
General Operation
Peering relationships (EBGP/IBGP)
Originating routes
Protocol Basics
Peering
A
C
AS 100
AS 101
B
• Routing protocol used
between ASes
– if you aren’t connected to
multiple ASes, you don’t need BGP
:)
• Runs over TCP
D
E
AS 102
Protocol Basics
• Incremental updates
• Path Vector protocol
– keeps track of the AS path of routing information
• Many options for policy enforcement
Terminology
• Neighbor
– Configured BGP peer
• NLRI/Prefix
– NLRI - network layer reachability information
– Reachability information for a IP address &
mask
• Router-ID
– Highest IP address configured on the router
• Route/Path
– NLRI advertised by a neighbor
Terminology
• Transit - carrying network traffic across a
network, usually for a fee
• Peering - exchanging routing information
and traffic
– your customers and your peers customers
network information only
• Default - where to send traffic when there is
no explicit route in the routing table
BGP Basics ...
•
•
•
•
Each AS originates a set of NLRI
NLRI is exchanged between BGP peers
Can have multiple paths for a given prefix
Picks the best path and installs in the IP
forwarding table
• Policies applied (through attributes)
influences BGP path selection
BGP Peers
A
C
AS 101
AS 100
220.220.16.0/24
220.220.8.0/24
B
BGP speakers
are called peers
Peers in different AS’s
are called External Peers
D
E
AS 102
220.220.32.0/24
eBGP TCP/IP
Peer Connection
Note: eBGP Peers normally should be directly connected.
BGP Peers
A
C
AS 101
AS 100
220.220.16.0/24
220.220.8.0/24
B
BGP speakers are
called peers
Peers in the same AS
are called Internal Peers
iBGP TCP/IP
Peer Connection
D
E
AS 102
220.220.32.0/24
Note: iBGP Peers don’t have to be directly connected.
BGP Peers
A
C
AS 101
AS 100
220.220.16.0/24
220.220.8.0/24
B
BGP Peers exchange
Update messages
containing Network
Layer Reachability
Information (NLRI)
BGP Update
Messages
D
E
AS 102
220.220.32.0/24
Configuring BGP Peers
AS 100
AS 101
eBGP TCP Connection
222.222.10.0/30
A
.2
220.220.8.0/24
.1
B
.2
.1
C
.2
220.220.16.0/24
.1
D
interface Serial 0
ip address 222.222.10.2 255.255.255.252
interface Serial 0
ip address 222.222.10.1 255.255.255.252
router bgp 100
network 220.220.8.0 mask 255.255.255.0
neighbor 222.222.10.1 remote-as 101
router bgp 101
network 220.220.16.0 mask 255.255.255.0
neighbor 222.222.10.2 remote-as 100
• BGP Peering sessions are established using the BGP
“neighbor” configuration command
– External (eBGP) is configured when AS numbers are different
Configuring BGP Peers
AS 101
AS 100
iBGP TCP Connection
222.222.10.0/30
A
.2
220.220.8.0/24
.1
B
.2
.1
C
.2
220.220.16.0/24
.1
D
interface Serial 1
ip address 220.220.16.2 255.255.255.252
interface Serial 1
ip address 222.220.16.1 255.255.255.252
router bgp 101
network 220.220.16.0 mask 255.255.255.0
neighbor 220.220.16.1 remote-as 101
router bgp 101
network 220.220.16.0 mask 255.255.255.0
neighbor 220.220.16.2 remote-as 101
• BGP Peering sessions are established using the BGP
“neighbor” configuration command
– External (eBGP) is configured when AS numbers are different
– Internal (iBGP) is configured when AS numbers are same
Configuring BGP Peers
AS 100
B
A
iBGP TCP/IP
Peer Connection
C
• Each iBGP speaker must peer with every other
iBGP speaker in the AS
Configuring BGP Peers
215.10.7.1
AS 100
B
A
215.10.7.3
iBGP TCP/IP
Peer Connection
215.10.7.2
C
• Loopback interface are normally used as
peer connection end-points
Configuring BGP Peers
215.10.7.1
AS 100
B
A
215.10.7.3
iBGP TCP/IP
interface
loopback 0
ip
address
215.10.7.1 255.255.255.255
Peer
Connection
router bgp 100
network 220.220.1.0
neighbor 215.10.7.2
neighbor 215.10.7.2
neighbor 215.10.7.3
neighbor 215.10.7.3
remote-as 100
update-source loopback0
remote-as 100
update-source loopback0
215.10.7.2
C
Configuring BGP Peers
215.10.7.1
AS 100
215.10.7.2
B
A
215.10.7.3
iBGP TCP/IP
Peer Connection
interface loopback 0
ip address 215.10.7.2 255.255.255.255
C
router bgp 100
network 220.220.5.0
neighbor 215.10.7.1
neighbor 215.10.7.1
neighbor 215.10.7.3
neighbor 215.10.7.3
remote-as 100
update-source loopback0
remote-as 100
update-source loopback0
Configuring BGP Peers
215.10.7.1
AS 100
B
A
215.10.7.3
iBGP TCP/IP
Peer Connection
C
interface loopback 0
ip address 215.10.7.3 255.255.255.255
router bgp 100
network 220.220.1.0
neighbor 215.10.7.1
neighbor 215.10.7.1
neighbor 215.10.7.2
neighbor 215.10.7.2
remote-as 100
update-source loopback0
remote-as 100
update-source loopback0
215.10.7.2
BGP Update Messages
The BGP UPDATE Message
Unfeasible Routes Length (2 Octets)
Length (I Octet)
Prefix (Variable)
Withdrawn Routes (Variable)
Attribute Type
Total path Attribute Length (2 Octets)
Path Attributes (Variable)
Attribute Length
Attribute Value
Network Layer Reachability Information (Variable)
Length (I Octet)
Prefix (Variable)
•
•
A BGP update is used to advertise a single feasible route to a peer,
or to withdraw multiple unfeasible routes
Each update message contains attributes, like origin, AS-Path,
Next-Hop, …….
BGP Updates — NLRI
• Network Layer Reachability Information
• Used to advertise feasible routes
• Composed of:
– Network Prefix
– Mask Length
BGP Updates — Attributes
• Used to convey information associated with
NLRI
–
–
–
–
–
–
–
AS path
Next hop
Local preference
Multi-Exit Discriminator (MED)
Community
Origin
Aggregator
AS-Path Attribute
• Sequence of ASes a route
has traversed
• Loop detection
• Apply policy
AS 300
AS 200
AS 100
170.10.0.0/16
180.10.0.0/16
Network
Path
180.10.0.0/16 300 200 100
170.10.0.0/16 300 200
AS 400
150.10.0.0/16
AS 500
Network
180.10.0.0/16
170.10.0.0/16
150.10.0.0/16
Path
300 200 100
300 200
300 400
Next Hop Attribute
AS 300
AS 200
150.10.0.0/16
140.10.0.0/16
192.10.1.0/30
C
.1
.2
D
E
B
.2
.1
A
AS 100
160.10.0.0/16
BGP Update
Messages
Network
Next-Hop
160.10.0.0/16 192.20.2.1
Path
100
• Next hop to reach a network
• Usually a local network is the next
hop in eBGP session
Next Hop Attribute
AS 300
AS 200
150.10.0.0/16
140.10.0.0/16
192.10.1.0/30
C
.1
.2
D
E
B
.2
.1
A
AS 100
160.10.0.0/16
BGP Update
Messages
Network
Next-Hop
150.10.0.0/16 192.10.1.1
160.10.0.0/16 192.10.1.1
Path
200
200 100
• Next hop to reach a network
• Usually a local network is the next
hop in eBGP session
• Next Hop updated between
eBGP Peers
Next Hop Attribute
AS 300
AS 200
150.10.0.0/16
140.10.0.0/16
192.10.1.0/30
C
.1
.2
D
E
B
.2
Network
Next-Hop
150.10.0.0/16 192.10.1.1
160.10.0.0/16 192.10.1.1
Path
200
200 100
.1
A
AS 100
160.10.0.0/16
BGP Update
Messages
• Next hop not changed
between iBGP peers
Next Hop Attribute (more)
•
•
•
•
IGP should carry route to next hops
Recursive route look-up
Unlinks BGP from actual physical topology
Allows IGP to make intelligent forwarding
decision
BGP Updates — Withdrawn Routes
• Used to “withdraw” network reachability
• Each Withdrawn Route is composed of:
– Network Prefix
– Mask Length
BGP Updates —
Withdrawn Routes
AS 321
AS 123
.1
192.168.10.0/24
.2
BGP Update
Message
Withdraw Routes
192.192.25.0/24
x
Connectivity lost
Network
Next-Hop
Path
150.10.0.0/16
192.168.10.2 321 200
192.192.25.0/24 192.168.10.2 321
192.192.25.0/24
BGP Routing Information Base
BGP RIB
Network
*>i160.10.1.0/24
*>i160.10.3.0/24
Next-Hop
192.20.2.2
192.20.2.2
Path
i
i
router bgp 100
network 160.10.0.0 255.255.0.0
no auto-summary
D
D
D
R
S
10.1.2.0/24
160.10.1.0/24
160.10.3.0/24
153.22.0.0/16
192.1.1.0/24
Route Table
BGP ‘network’ commands are normally
used to populate the BGP RIB with
routes from the Route Table
BGP Routing Information Base
BGP RIB
Network
*> 160.10.0.0/16
* i
s> 160.10.1.0/24
s> 160.10.3.0/24
Next-Hop
0.0.0.0
192.20.2.2
192.20.2.2
192.20.2.2
Path
i
i
i
i
router bgp 100
network 160.10.0.0 255.255.0.0
aggregate-address 160.10.0.0 255.255.0.0 summary-only
no auto-summary
D
D
D
R
S
10.1.2.0/24
160.10.1.0/24
160.10.3.0/24
153.22.0.0/16
192.1.1.0/24
Route Table
BGP ‘aggregate-address’ commands
may be used to install summary routes
in the BGP RIB
BGP Routing Information Base
BGP RIB
Network
*> 160.10.0.0/16
* i
s> 160.10.1.0/24
s> 160.10.3.0/24
*> 192.1.1.0/24
Next-Hop
0.0.0.0
192.20.2.2
192.20.2.2
192.20.2.2
192.20.2.2
Path
i
i
i
i
?
router bgp 100
network 160.10.0.0 255.255.0.0
redistribute static route-map foo
no auto-summary
D
D
D
R
S
10.1.2.0/24
160.10.1.0/24
160.10.3.0/24
153.22.0.0/16
192.1.1.0/24
Route Table
access-list 1 permit 192.1.0.0 0.0.255.255
route-map foo permit 10
match ip address 1
BGP ‘redistribute’ commands can also
be used to populate the BGP RIB with
routes from the Route Table
BGP Routing Information Base
IN Process
Update
Update
Network
Next-Hop
173.21.0.0/16 192.20.2.1
OUT Process
BGP RIB
Network
*>i160.10.1.0/24
*>i160.10.3.0/24
* > 173.21.0.0/16
Next-Hop
192.20.2.2
192.20.2.2
192.20.2.1
Path
i
i
100
Path
100
• BGP “in” process
• receives path information from peers
• results of BGP path selection placed in the BGP table
• “best path” flagged (denoted by “>”)
BGP Routing Information Base
IN Process
OUT Process
BGP RIB
Network
*>i160.10.1.0/24
*>i160.10.3.0/24
*> 173.21.0.0/16
Next-Hop
192.20.2.2
192.20.2.2
192.20.2.1
Path
i
i
100
Update
Network
160.10.1.0/24
160.10.3.0/24
173.21.0.0/16
Next-Hop
192.20.2.2
192.20.2.2
192.20.2.1
192.20.2.2
Update
Path
200
200
200 100
• BGP “out” process
• builds update using info from RIB
• may modify update based on config
• Sends update to peers
Next-Hop changed
BGP Routing Information Base
BGP RIB
Network
*>i160.10.1.0/24
*>i160.10.3.0/24
*> 173.21.0.0/16
D
D
D
R
S
B
10.1.2.0/24
160.10.1.0/24
160.10.3.0/24
153.22.0.0/16
192.1.1.0/24
173.21.0.0/16
Route Table
Next-Hop
192.20.2.2
192.20.2.2
192.20.2.1
Path
i
i
100
• Best paths installed in routing table if:
• prefix and prefix length are unique
• lowest “protocol distance”
An Example…
35.0.0.0/8
AS3561
A
AS200
F
B
AS21
C
D
AS101
E
AS675
Learns about 35.0.0.0/8 from F & D
Configuring BGP
Basic BGP commands
Configuration commands
router bgp <AS-number>
neighbor <ip address> remote-as <as-number>
no auto-summary
Show commands
show ip bgp summary
show ip bgp neighbors
Inserting prefixes into BGP
• Two main ways to insert prefixes into BGP
– redistribute static
– network command
Originating routes...
• Using network command or redistribution
network <ipaddress> <netmask>
redistribute <protocol name>
Requires the route to be present in the routing
table
Inserting prefixes into BGP redistribute static
• Configuration Example:
router bgp 109
redistribute static
ip route 198.10.4.0 255.255.254.0 serial0
• Static route must exist before redistribute
command will work
• Forces origin to be “incomplete”
• Care required!
Inserting prefixes into BGP redistribute static
• Care required with redistribution
– redistribute <routing-protocol> means
everything in the <routing-protocol> will be
transferred into the current routing protocol
– will not scale if uncontrolled
– best avoided if at all possible
– redistribute normally used with “route-maps”
and under tight administrative control
Inserting prefixes into BGP network command
• Configuration Example
network 198.10.4.0 mask 255.255.254.0
ip route 198.10.0.0 255.255.254.0 serial 0
• matching route must exist in the routing
table before network is announced!
• Origin: IGP
Inserting routes into BGP - aggregates and
Null0
• Remember! Matching route must exist in
routing table to be announced via BGP
router bgp 1
network 198.10.0.0 mask 255.255.0.0
ip route 198.10.0.0 255.255.0.0 null0 250
• Static route to “null0” often used for aggregation
– packets sent here if there is no more specific match
in routing table
– distance of 250 ensures last resort
• Often used to nail up routes for stability
– can’t flap!! :)
Stable iBGP peering
• Unlinks IBGP peering from physical
topology.
• Carry loopback address in IGP
router ospf <ID>
network <loopback-address> 0.0.0.0
• Unlink peering from physical topology
router bgp <AS1>
neighbor <x.x.x.x> remote-as <AS1>
neighbor <x.x.x.x> update-source loopback0
Policy Control - Prefix Lists
• Per neighbor prefix filter
– incremental configuration
• High performance access list
• Inbound or Outbound
• Based upon network numbers (using IPv4
address/mask format)
• Implicit Deny All as last entry in list
Prefix Lists - Examples
• Deny default route
– ip prefix-list Example deny 0.0.0.0/0
• Permit the prefix 35.0.0.0/8
– ip prefix-list Example permit 35.0.0.0/8
• Deny the prefix 172.16.0.0/12
– ip prefix-list Example deny 172.16.0.0/12
• In 192/8 allow up to /24
– ip prefix-list Example permit 192.0.0.0/8 le 24
– This will allow all prefix sizes in 192.0.0.0/8
address block, except /25, /26, /27, /28, /29, /30, /31
and /32
Prefix Lists - More Examples
• In 192/8 deny /25 and above
– ip prefix-list Example deny 192.0.0.0/8 ge 25
– This denies all prefix sizes /25, /26, /27, /28, /29, /30, /31
and /32 in the address block 192.0.0.0/8
– It has almost the same effect as the previous example
• In 192/8 permit prefixes between /12 and /20
– ip prefix-list Example permit 192.0.0.0/8 ge 12 le 20
– This denies all prefix sizes /8, /9, /10, /11, /21, /22 and
higher in the address block 193.0.0.0/8
• Permit all prefixes
– ip prefix-list Example 0.0.0.0/0 le 32
Policy Control - Using Prefix Lists
• Example Configuration
router bgp 200
network 215.7.0.0
neighbor 220.200.1.1 remote-as 210
neighbor 220.200.1.1 prefix-list PEER-IN in
neighbor 220.200.1.1 prefix-list PEER-OUT out
!
ip prefix-list PEER-IN deny 218.10.0.0/16
ip prefix-list PEER-IN permit 0.0.0.0/0 le 32
ip prefix-list PEER-OUT permit 215.7.0.0/16
ip prefix-list PEER-OUT deny 0.0.0.0/0 le 32
Accept everything except our network from our peer
Send only our network to our peer
Exercise 1 - Configuring BGP
PEERING SESSIONS and AS information
AS 1 A
B AS 2
AS 3 C
D AS 4
AS 5 E
F AS 6
AS 7 G
H AS 8
AS 9 I
EBGP peering session
J
AS 10
Exercise 2 - Configuring eBGP
and iBGP
Your AS
HUB
PC
HUB
Router
OSPF and IBGP
Ethernet
Serial
Router
Ethernet
Serial
EBGP
EBGP
to other AS
to other AS
PC
PEERING SESSIONS and AS information
AS 1 A
B
AS 3 C
D
AS 5 E
F
AS 7 G
H
AS 9 I
J
EBGP peering
OSPF and IBGP
A
213.172.133.96/28
C
213.172.133.128/28
E
213.172.133.160/28
G
213.172.133.192/28
I
213.172.133.224/28
B
213.172.133.112/28
D
213.172.133.144/28
F
213.172.133.176/28
H
213.172.133.208/28
J
213.172.133.240/28
BGP4 continued...
BGP Path Attributes: Why ?
•
•
•
•
•
Encoded as Type, Length & Value (TLV)
Transitive/Non-Transitive attributes
Some are mandatory
Used in path selection
To apply policy for steering traffic
BGP Path Attributes...
•
•
•
•
•
•
•
Origin
AS-path
Next-hop
Multi-Exit Discriminator (MED)
Local preference
BGP Community
Others...
AS-PATH
• Updated by the sending router with its AS
number
• Contains the list of AS numbers the update
traverses.
• Used to detect routing loops
– Each time the router receives an update, if it
finds its own AS number, it discards the update
AS-Path
AS 200
AS 100
170.10.0.0/16
180.10.0.0/16
• Sequence of ASes a route has
traversed
AS 300
• Loop detection
180.10.0.0/16
dropped
AS 400
150.10.0.0/16
AS 500
180.10.0.0/16
170.10.0.0/16
150.10.0.0/16
300 200 100
300 200
300 400
Next-Hop
150.10.1.1
150.10.1.2
AS 200
150.10.0.0/16
A
B
AS 300
150.10.0.0/16 150.10.1.1
160.10.0.0/16 150.10.1.1
AS 100
160.10.0.0/16
• Next hop router to reach a network
• Advertising router/Third party in EBGP
• Unmodified in IBGP
Third Party Next Hop
AS 200
192.68.1.0/24
C
150.1.1.1
peering
150.1.1.3
150.1.1.2
A
B
192.68.1.0/24
AS 201
• More efficient, but
bad idea!
150.1.1.3
Next Hop...
•
•
•
•
IGP should carry route to next hops
Recursive route look-up
Unlinks BGP from actual physical topology
Allows IGP to make intelligent forwarding
decision
Local Preference
• Not for EBGP, mandatory for IBGP
• Default value is 100 on Ciscos
• Local to an AS
• Used to prefer one exit over another
• Path with highest local preference wins
Local Preference
AS 100
160.10.0.0/16
AS 200
AS 300
D
500
800
A
160.10.0.0/16
> 160.10.0.0/16
500
800
B
AS 400
C
E
Multi-Exit Discriminator
• Non-transitive
• Represented as a numeric value (0-0xffffffff)
• Used to convey the relative preference of entry points
• Comparable if paths are from the same AS
• Path with lower MED wins
• IGP metric can be conveyed as MED
Multi-Exit Discriminator (MED)
AS 200
C
preferred
192.68.1.0/24
2000
192.68.1.0/24
A
B
192.68.1.0/24
AS 201
1000
Origin
• Conveys the origin of the prefix
• Three values:
– IGP - Generated using “network” statement
• ex: network 35.0.0.0
– EGP - Redistributed from EGP
– Incomplete - Redistribute IGP
• ex: redistribute ospf
• IGP < EGP < INCOMPLETE
Communities
•
•
•
•
Transitive, Non-mandatory
Represented as a numeric value (0-0xffffffff)
Used to group destinations
Each destination could be member of multiple
communities
• Flexibility to scope a set of prefixes within or
across AS for applying policy
Communities
Service Provider AS 200
C
Community
201:110
201:120
D
Community:201:110
Community:201:120
A
B
192.68.1.0/24
Customer AS 201
Local Preference
110
120
Weight
• Special Cisco attribute used when there is more
than one route to same destination.
• Local to the router on which it is assigned, and
not propagated in routing updates.
• Default is 32768 for paths that the router
originates and zero for other paths.
• Routes with a higher weight are preferred when
there are multiple routes to the same
destination.
Administrative Distance
• Routes can be learned via more than one protocol.
– used to discriminate between them
• Route with lowest is installed in IP routing table
• BGP defaults:
– local (routes originated on router): 200
– eBGP: 20
– iBGP: 200
• Does not influence the BGP path selection
algorithm, but influences whether BGP-learned
routes are installed in the IP routing table.
Synchronization
1880
C
A
D
OSPF
690
35/8
209
B
• C not running BGP (non-pervasive BGP)
• A won’t advertise 35/8 to D until the IGP is in sync
• Turn synchronization off!
– Run pervasive BGP
router bgp 1880
no sync
Synchronization
• In Cisco IOS, BGP does not advertise a route
before all routers in the AS have learned it via an
IGP
• Disable synchronization if:
– AS doesn’t pass traffic from one AS to another, or
– All transit routers in AS run BGP, or
– iBGP is used across backbone
BGP Route Selection (bestpath)
Only one path as the bestpath !
• Route has to be synchronized
Prefix in forwarding table
• Next-hop has to be accessible
Next-hop in forwarding table
• Largest weight
Local to the router
• Largest local preference
Spread within AS
• Locally sourced
Via redistribute or network statement
BGP Route Selection ...
• Shortest AS-path length
number of ASes in the AS-path attribute
• Lowest origin
IGP < EGP < INCOMPLETE
• Lowest MED
between paths from same AS
• External over internal
closest exit from a router
• Closest next-hop
Lower IGP metric, closer exit from as AS
• Lowest router-id
• Lowest IP address of neighbor
BGP Route Selection...
AS 100
AS 200
AS 300
D
Increase AS path attribute
length by at least 1
A
B
AS 400
AS 400’s Policy to reach AS100
AS 200 preferred path
AS 300 backup
Routing Policy - Prefix Lists,
Route Maps and Distribute Lists
Routing Policy
• Why?
– To steer traffic through preferred paths
– Inbound/Outbound prefix filtering
– To enforce Customer-ISP agreements
• How ?
– AS based route filtering - filter list
– Prefix based route filtering - distribute list
– BGP attribute modification - route maps
Policy Control - Prefix Lists
• Per neighbor prefix filter
– incremental configuration
• High performance access list
• Inbound or Outbound
• Based upon network numbers (using IPv4
address/mask format)
Prefix Lists - Examples
• Deny default route
– ip prefix-list Example deny 0.0.0.0/0
• Permit the prefix 35.0.0.0/8
– ip prefix-list Example permit 35.0.0.0/8
• Deny the prefix 172.16.0.0/12
– ip prefix-list Example deny 172.16.0.0/12
• In 192/8 allow up to /24
– ip prefix-list Example permit 192.0.0.0/8 le 24
– This will allow all prefix sizes in 192.0.0.0/8
address block, except /25, /26, /27, /28, /29, /30, /31
and /32
Prefix Lists - More Examples
• In 192/8 deny /25 and above
– ip prefix-list Example deny 192.0.0.0/8 ge 25
– This denies all prefix sizes /25, /26, /27, /28, /29, /30, /31
and /32 in the address block 192.0.0.0/8
– It has almost the same effect as the previous example
• In 192/8 permit prefixes between /12 and /20
– ip prefix-list Example permit 192.0.0.0/8 ge 12 le 20
– This denies all prefix sizes /8, /9, /10, /11, /21, /22 and
higher in the address block 193.0.0.0/8
• Permit all prefixes
– ip prefix-list Example 0.0.0.0/0 le 32
Policy Control - Using Prefix Lists
• Example Configuration
router bgp 200
network 215.7.0.0
neighbor 220.200.1.1 remote-as 210
neighbor 220.200.1.1 prefix-list PEER-IN in
neighbor 220.200.1.1 prefix-list PEER-OUT out
!
ip prefix-list PEER-IN deny 218.10.0.0/16
ip prefix-list PEER-IN permit 0.0.0.0/0 le 32
ip prefix-list PEER-OUT permit 215.7.0.0/16
ip prefix-list PEER-OUT deny 0.0.0.0/0 le 32
Accept everything except our network from our peer
Send only our network to our peer
Distribute list - using IP access lists
access-list 1 deny 10.0.0.0
access-list 1 permit any
access-list 2 permit 20.0.0.0
… more access-list lines as prefixes are added ...
router bgp
neighbor
neighbor
neighbor
100
171.69.233.33 remote-as 33
171.69.233.33 distribute-list 1 in
171.69.233.33 distribute-list 2 out
Filter list rules
Regular Expressions
• Regular Expression is a pattern to match
against an input string
• Used to match against AS-path attribute
• ex: ^3561.*100.*1$
• Flexible enough to generate complex filter list
rules
Filter list - using as-path access list
ip as-path access-list 1 permit 3561
ip as-path access-list 2 deny 35
ip as-path access-list 2 permit .*
router bgp 100
neighbor 171.69.233.33 remote-as 33
neighbor 171.69.233.33 filter-list 1 in
neighbor 171.69.233.33 filter-list 2 out
Listen to routes from AS 3561. Implicit deny everything
else inbound.
Don’t announce routes from AS 35, but announce
everything else (outbound).
Route Maps
router bgp 300
neighbor 2.2.2.2 remote-as 100
neighbor 2.2.2.2 route-map SETCOMMUNITY out
!
route-map SETCOMMUNITY permit 10
match ip address 1
match community 1
set community 300:100
!
access-list 1 permit 35.0.0.0
ip community-list 1 permit 100:200
Route-map match & set clauses
Match Clauses
• AS-path
• Community
• IP address
Set Clauses
•
•
•
•
•
•
•
AS-path prepend
Community
Local-Preference
MED
Origin
Weight
Others...
Route-map Configuration Example
ISP2
C21
H
ethH
C22
H
eth H
ISP3
Inbound route-map
to set community
H
C31
eth
H
C32
H
eth
H
neighbor <y.y.y.y> route-map AS200_IN in
!
route-map AS200_IN permit 10
match community 1
set local-preference 200
!
ip community-list 1 permit 100:200
neighbor <x.x.x.x> route-map AS100_IN in
!
route-map AS100_IN permit 10
set community 100:200
BGP and Network Design
Stub AS
• Typically no need for BGP
• Point default towards the ISP
• ISP advertises the stub network to
Internet
• Policy confined within ISP policy
Stub AS
B
A
AS 100
Customer
AS 101
Provider
Multi-homed AS
• Only border routers speak BGP
• IBGP only between border routers
• Exterior routes must be redistributed in
a controlled fashion into IGP or use
defaults
Multi-homed AS
AS 100
provider
AS 300
D
A
C
B
AS 200
customer
• More details on multihoming coming up...
provider
Service Provider Network
• IBGP used to carry exterior routes
• IGP keeps track of topology
• Full IBGP mesh is required
Common Service Provider
Network
AS 100
A
H
B
C
AS 300
D
provider
E
G
AS 400
F
AS 200
Load-sharing - single path
Router A:
interface loopback 0
ip address 20.200.0.1 255.255.255.255
!
router bgp 100
neighbor 10.200.0.2 remote-as 200
neighbor 10.200.0.2 update-source loopback0
neighbor 10.200.0.2 ebgp-multi-hop 2
!
ip route 10.200.0.2 255.255.255.255 <DMZ-link1, link2>
A
AS100
Loopback 0
10.200.0.2
AS200
Loopback 0
20.200.0.1
Load Sharing - Multiple paths
from the same AS
Router A:
router bgp 100
neighbor 10.200.0.1 remote-as 200
neighbor 10.300.0.1 remote-as 200
maximum-paths 2
A
100
Note:A still only advertises one “best” path to ibgp peers
200
Redundancy - Multi-homing
• Reliable connection to Internet
• 3 common cases of multi-homing
– default from all providers
– customer + default from all providers
– full routes from all providers
• Address Space
– comes from upstream providers, or
– allocated directly from registries
Default from all providers
• Low memory/CPU solution
• Provider sends BGP default
– provider is selected based on IGP metric
• Inbound traffic decided by providers’ policy
– Can influence using outbound policy, example:
AS-path prepend
Default from all providers
Provider
Provider
AS 200
AS 300
D
E
Receive default from upstreams
Receive default from upstreams
A
B
AS 400
C
Customer + default from all
providers
• Medium memory and CPU solution
• Granular routing for customer routes and
default for the rest
– route directly to customers because have these
specific routes
• Inbound traffic decided by providers’ policy
– Can influence using outbound policy
Customer routes from all
providers
Customer
AS 100
160.10.0.0/16
Provider
Provider
AS 200
AS 300
D
C chooses shortest AS
path
E
A
B
AS 400
C
Full routes from all providers
• More memory/CPU
• Fine grained routing control
• Usually transit ASes take full routes
• Usually pervasive BGP
Full routes from all providers
AS 100
AS 500
AS 200
AS 300
D
C chooses shortest AS
path
E
A
B
AS 400
C
Best Practices
IGP in Backbone
• IGP connects your backbone together, not
your client’s routes
• IGP must converge quickly
• IGP should carry netmask information OSPF, IS-IS, EIGRP
Best Practices...
Connecting to a customer
• Static routes
– You control directly
– No route flaps
• Shared routing protocol or leaking
– You must filter your customers info
– Route flaps
• BGP for multi-homed customers
Best Practices...
Connecting to other ISPs
•
•
•
•
•
Advertise only what you serve
Take back as little as you can
Take the shortest exit
Aggregate your routes!!
FILTER! FILTER! FILTER!
Best Practices...
The Internet Exchange
• Long distance connectivity is expensive
• Connect to several providers at a single point
Exercise 3 - Connecting to an ISP
BIG GIANT TIER 1 ISP
192.168/16
ISP 4
AS 702
192.168.2.0/24
192.168.1.0/24
peer
ISP 2
AS 3351
ISP 3 AS1247
MEDIUM
TIER 2
ISP
MEDIUM
TIER 2 ISP
SMALL
TIER 3 ISP
ISP 1
AS 1849
192.168.1.128/25
Exercise 4 - Changing BGP Policy
Q &A
Related documents
Internet Traffic Engineering
Internet Traffic Engineering
Solutions
Solutions
Document
Document
25routing
25routing
Slides - Duke Computer Science
Slides - Duke Computer Science
HW2
HW2
A Survey of BGP Security: Issues and Solutions
A Survey of BGP Security: Issues and Solutions
Poster_ppt_version - Simon Fraser University
Poster_ppt_version - Simon Fraser University
BGP messages - ece.virginia.edu
BGP messages - ece.virginia.edu
Powerpoint - Workshops
Powerpoint - Workshops
pptx
pptx
Evolving Toward a Self-Managing Network Jennifer Rexford Princeton University
Evolving Toward a Self-Managing Network Jennifer Rexford Princeton University
Document 4461177
Document 4461177
Measuring BGP
Measuring BGP
Factors for exploring TR Key
Factors for exploring TR Key