Title: CCNP
1- CCNP Advanced Routing
- Ch. 9 Scaling BGP
-
2Scaling BGP
- BGPs main strength is its ability to impose
routing policy, primarily through route maps that
manipulate BGP path attributes. - These attributes allow for very precise and
complex policy implementation. - However, as ISPs scale their BGP routing to
include dozensand even hundredsof routers,
BGPs precision can become an administrative
nightmare.
3Scaling BGP
- The Cisco IOS offers several methods to make
scaling BGP easier on administrators and on the
BGP routers themselves - Route Reflectors
- Route Filtering
- COMMUNITIES Attribute
- Peer Groups
4Scaling BGP
- Autonomous systems consisting of hundreds of BGP
routers can pose a serious management problem. - If that many Internal BGP (IBGP) speakers are
configured as a logical full mesh, BGP operation
becomes extremely complex. - Imagine a network where over 100 neighbor
statements are required just to define the
remote-as of each peer!
5Route Reflector (RR)
- Recent addition to BGP (IOS 11.1)
- Offers an alternative to the logical full-mesh
requirement of IBGP. - Acts as a focal point for IBGP sessions.
- Multiple BGP routers can peer with a central
point (the RR), rather than peer with every other
router in a full mesh. - similar to OSPFs DR/BDR feature
- Provides large ISPs with added BGP scalability.
- The use of route reflectors is recommended only
for autonomous systems that support a large
internal BGP mesh, on the order of more than 100
sessions per router. - Introduces processing overhead on the routers
that act as route reflectors - If configured incorrectly, can cause routing
loops and instability.
6Route Reflector (RR)
IBGP routers are typically fully meshed.
7Route Reflector (RR)
A route reflector can be configured so that IBGP
routers dont have to be in a full mesh to
completely exchange routing information.
Route Reflector Server
8Route Reflector (RR)
RTA receives an update from an external peer and
passes it on to RTB, which is configured as a
route reflector server with two clients, RTA and
RTC. RTB will reflect the update from client
RTA to client RTC.
Route Reflector Server
9Route Reflector (RR)
- The IBGP peers of a route reflector fall under
two categories - Clients
- Nonclients
- A route reflector and its clients form a cluster.
- All IBGP peers of the route reflector that are
not part of the cluster are nonclients and must
be fully meshed to all other nonclients and RR
servers. - Never configure route reflector clients to peer
with IBGP speakers outside their cluster. - Clients and nonclients dont even know that route
reflection is occurring. - To identify clients and clusters, use the
neighbor command, which has the following syntax,
on the route reflector server - Router(config-router)neighbor IP-address
route-reflector-client
10Route Reflector (RR)
11- Configuring a RR server
- RTB(config)router bgp 100
- RTB(config-router)neighbor 1.1.1.1 remote-as 100
- RTB(config-router)neighbor 1.1.1.1
route-reflector-client - RTB(config-router)neighbor 2.2.2.2 remote-as 100
- RTB(config-router)neighbor 2.2.2.2
route-reflector-client - RTB(config-router)neighbor 4.4.4.4 remote-as 100
- RTB(config-router)neighbor 7.7.7.7 remote-as 100
- RTB(config-router)neighbor 8.8.8.8 remote-as 200
12- Configuring a RR client
- Doesnt even know!
- RTA(config)router bgp 100
- RTA(config-router)neighbor 3.3.3.3 remote-as 100
13- Without a route reflector, the network shown
would require a full IBGP mesh. - (That is, Router A would have to be a peer of
Router B.) - If Router C is configured as a route reflector,
IBGP peering between Routers A and B is not
required because Router C will reflect updates
from Router A to Router B and from Router B to
Router A.
- Router C
- router bgp 100
- neighbor 1.1.1.1 remote-as 100
- neighbor 1.1.1.1 route-reflector-client
- neighbor 2.2.2.2 remote-as 100
- neighbor 2.2.2.2 route-reflector-client
14- The router whose configuration includes neighbor
route-reflector-client router configuration
commands is the route reflector. - The routers identified by the neighbor
route-reflector-client commands are clients of
the route reflector. - When considered as a whole, the route reflector
and its clients are called a cluster. - Other IBGP peers of the route reflector that are
not clients are called nonclients.
- Router C
- router bgp 100
- neighbor 1.1.1.1 remote-as 100
- neighbor 1.1.1.1 route-reflector-client
- neighbor 2.2.2.2 remote-as 100
- neighbor 2.2.2.2 route-reflector-client
15- An AS can have more than one route reflector.
- When an AS has more than one route reflector,
each route reflector treats other route
reflectors as normal IBGP speakers. - There can be more than one route reflector in a
cluster, and there can be more than one cluster
in an AS. - The AS is divided into multiple clusters, with
each cluster having one route reflector. - Each route reflector is configured as a nonclient
peer of each other route reflector in a fully
meshed topology. - Note Route reflector clients should not
establish peer relationships with IBGP speakers
outside of their cluster.
16- Routers A, B, and C form a cluster, and Router C
is the route reflector. - Routers D, E, and F form a second cluster, of
which Router D is the route reflector. - Router G forms a third cluster.
- Note that Routers C, D, and G are fully meshed
and that the routers within a cluster are not
fully meshed.
17Route Reflector (RR)
18- When the route reflector receives an advertised
route, depending on the neighbor, it does the
following (IBGP is not RIP) - A route from an external BGP (from Router A)
speaker is advertised to all clients and
nonclient peers. - A route from a nonclient peer (from Router G, F,
or E) is advertised to all clients (must be fully
meshed with other nonclients). - A route from a client (from Router B, C, or D) is
advertised to all clients and nonclient peers. - Hence, the clients need not be fully meshed.
19BGP Route Filtering
- Route filtering empowers a BGP speaker to choose
what routes to exchange with any of its BGP
peers. - Route filtering is the cornerstone of policy
routing. - An AS can identify inbound traffic it is willing
to accept by filtering its outbound
advertisements - An AS can control what routes its outbound
traffic uses by specifying the routes to accept
from EBGP neighbors - Even more precise policies can be defined via
route filters. - For example, BGP routes passing through a filter
can have their attributes manipulated to affect
the best-path decision process. - You can apply route filters to or from a
particular neighbor by using the distribute-list
command.
20BGP Route Filtering
RTA filters update to RTC so it does not include
the 192.69.10.0/24 network.
The distribute-list command can be used to filter
updates so that AS3 does not receive transit
traffic to network 192.69.10.0 /24.
21RTA filters update to RTC so it does not include
the 192.69.10.0/24 network.
- RTA(config)router bgp 3
- RTA(config-router)neighbor 172.16.1.2 remote-as
3 - RTA(config-router)neighbor 172.16.20.1 remote-as
1 - RTA(config-router)neighbor 172.16.20.1
distribute-list 1 out - RTA(config-router)exit
- RTA(config)access-list 1 deny 192.69.10.0
0.0.0.255 - RTA(config)access-list 1 permit any
22- The distribute-list keyword, used as part of a
BGP neighbor statement, prevents RTA from
advertising prefix 192.69.10.0/24 to RTC. - The access list is used to identify the prefixes
to be filtered, and the distribute-list and out
keywords apply the filter to outgoing updates. - Whereas configuring BGP neighbor statements to
include the distribute-list keyword is effective
for filtering specific routes, controlling
supernets can be a bit trickier.
RTA filters update to RTC so it does not include
the 192.69.10.0/24 network.
- RTA(config)router bgp 3
- RTA(config-router)neighbor 172.16.1.2 remote-as
3 - RTA(config-router)neighbor 172.16.20.1 remote-as
1 - RTA(config-router)neighbor 172.16.20.1
distribute-list 1 out - RTA(config-router)exit
- RTA(config)access-list 1 deny 192.69.10.0
0.0.0.255 - RTA(config)access-list 1 permit any
23BGP Route Filtering
- Configuring a distribute list relies on creating
an access list. - If we use a standard access list, we are afforded
only limited functionality. - What if you want to advertise an aggregate
address of 172.16.0.0 /16, but not the individual
subnets themselves? - A standard access list would not work because it
permits more than is desired, since it filters
based on the network address only. - For example, this access list would permit not
only the 172.16.0.0/16 summary, but also all the
components of that summary as well - access-list 1 permit 172.16.0.0 0.0.255.255
24- To restrict the update to the 172.16.0.0/16
summary, you can use an extended access list. - In the case of a BGP route filter, an extended
list matches, first, the network address, and
second, the subnet mask of the prefix. - Both network and mask are paired with their own
wildcard bitmask, using the following syntax - Router(config)access-list number permitdeny
network network-wildcard mask mask-wildcard - Using this configuration, RTA would not send a
subnet route (such as 172.16.0.0 /17 or
172.16.10.0 /24) in an update to AS1. - RTA(config)router bgp 3
- RTA(config-router)neighbor 172.16.1.2 remote-as
3 - RTA(config-router)neighbor 172.16.20.1 remote-as
1 - RTA(config-router)neighbor 172.16.20.1
distribute-list 101 out - RTA(config-router)exit
- RTA(config)access-list 101 permit ip 172.16.0.0
0.0.255.255 255.255.0.0 0.0.0.0
25BGP Route Filtering Prefix lists
- If using an extended access list to accomplish
this type of filtering seems confusing to you,
you are not alone. - Improved user-friendliness was one of the factors
that motivated Cisco to include the ip
prefix-list command in IOS 12.0. - You can use prefix lists as an alternative to
access lists with many BGP route-filtering
commands. - You must define a prefix list before you can
apply it as a route filter. - The Cisco IOS allows a very flexible
configuration procedure, where each statement can
be assigned its own sequence numbers. - There is an implicit deny at the end of each
prefix list. - To define a prefix list, use the ip prefix-list
command, which has the following syntax - Router(config)ip prefix-list list-name seq
seq-value denypermit network/len ge ge-value
le le-value
26BGP Route Filtering
27Example
- RTA(config)ip prefix-list ELMO permit
172.16.0.0/16 - RTA(config)router bgp 100
- RTA(config-router)neighbor 192.168.1.1 remote-as
200 - RTA(config-router)neighbor 192.168.1.1
prefix-list ELMO out
28- The real power of the ip prefix-list command is
in its optional parameters. - The keywords ge and le can be used to specify the
range of the prefix length to be matched for
prefixes that are more specific than the
network/len value. - The prefix-length range is assumed to be from
ge-value to 32 if only the ge attribute is
specified, and from len to le-value if only the
le attribute is specified. - For example, to accept a mask length of up to 24
bits in routes with the prefix 192.0.0.0/8,
(ie.192.1.0.0/16, 192.2.10.0/24) and deny more
specific routes (192.168.10.128/25), use the
commands as shown in. - RTA(config)ip prefix-list GROVER permit
192.0.0.0/8 le 24 - RTA(config)ip prefix-list GROVER deny
192.0.0.0/8 ge 25 -
29- The le and ge keywords can be used together, in
the same statement - RTA(config)ip prefix-list OSCAR permit
10.0.0.0/8 ge 16 le 24 - This list permits all prefixes in the 10.0.0.0/8
address space that have a mask of between 16 and
24 bits.
30- Examples - The following examples show how a
prefix list can be used. - To deny the default route 0.0.0.0/0
- ip prefix-list abc deny 0.0.0.0/0
- To permit the prefix 35.0.0.0/8
- ip prefix-list abc permit 35.0.0.0/8
- The following examples show how to specify a
group of prefixes. - To accept a mask length of up to 24 bits in
routes with the prefix 192/8 - ip prefix-list abc permit 192.0.0.0/8 le 24
- To deny mask lengths greater than 25 bits in
routes with a prefix of 192/8 - ip prefix-list abc deny 192.0.0.0/8 ge 25
- To permit mask lengths from 8 to 24 bits in all
address space - ip prefix-list abc permit 0.0.0.0/0 ge 8 le 24
- To deny mask lengths greater than 25 bits in all
address space - ip prefix-list abc deny 0.0.0.0/0 ge 25
31- Each prefix list entry is assigned a sequence
number, either by default or manually by an
administrator. - By numbering the prefix list statements, new
entries can be inserted at any point in the list,
which is important because routers test for
prefix list matches from lowest sequence number
to highest. - By default, the entries of a prefix-list will
have sequence values of 5,10, 15, etc. - To disable this RTR(config) no ip prefix-list
sequence-number - Sequence numbers can be created using the
command - Router(config)ip prefix-list list-name seq
seq-value denypermit network/len ge ge-value
le le-value - RTAshow ip prefix-list
- ip prefix-list ELMO 3 entries
- seq 5 deny 0.0.0.0/0
- seq 10 permit 172.16.0.0/16
- seq 15 permit 192.168.0.0/16 le 24
32Communities and Peer Groups
33The COMMUNITIES attribute
- A BGP community is a group of destinations that
share some common property. - A community is not restricted to one network or
one AS. - Communities are used to simplify routing policies
by identifying routes based on a logical property
rather than an IP prefix or an AS number. - A BGP speaker can use this attribute in
conjunction with other attributes to control
which routes to accept, prefer, and pass on to
other BGP neighbors. - A route map is configured to manipulate community
values.
34The COMMUNITIES attribute
- NO_EXPORT
- A route carrying this community value should not
be advertised to peers outside a confederation
(or the AS if it is the only AS in the
confederation). - NO_ADVERTISE
- A route carrying this community value, when
received, should not be advertised to any BGP
peer - Internet
- A route carrying this community value, when
received, should be advertised to all other
routers. - Local-as
- A route carrying this community value, when
received, should be advertised to peers within
the AS, but not advertised to peers in an
external system.
35The COMMUNITIES attribute
36The COMMUNITIES attribute
X
To prevent AS2 from learning the 172.16.65.0/24
route from AS1, we can configure RTA (AS3) as
follows
37To prevent AS2 from learning the 172.16.65.0/24
route from AS1, we can configure RTA (AS3) as
follows
X
- RTA(config)router bgp 3
- RTA(config-router)no auto-summary
- RTA(config-router)network 172.16.1.0 mask
255.255.255.0 - RTA(config-router)network 172.16.10.0 mask
255.255.255.0 - RTA(config-router)network 172.16.65.0 mask
255.255.255.192 - RTA(config-router)network 172.16.220.0 mask
255.255.255.0 - RTA(config-router)neighbor 172.16.1.2 remote-as
3 - RTA(config-router)neighbor 172.16.1.2
update-source lo0 - RTA(config-router)neighbor 172.16.20.1 remote-as
1 - RTA(config-router)neighbor 172.16.20.1
send-community - RTA(config-router)neighbor 172.16.20.1 route-map
SETCOMMUNITY out - RTA(config-router)exit
- RTA(config)route-map SETCOMMUNITY permit 10
- RTA(config-route-map)match ip address 1
- RTA(config-route-map)set community no-export
- RTA(config)route-map SETCOMMUNITY permit 20
- RTA(config-route-map)exit
- RTA(config)access-list 1 permit 172.16.65.0
0.0.0.255
38RTA(config)router bgp 3 RTA(config-router)neighb
or 172.16.20.1 send-community RTA(config-router)n
eighbor 172.16.20.1 route-map SETCOMMUNITY
out RTA(config-router)exit RTA(config)route-map
SETCOMMUNITY permit 10 RTA(config-route-map)match
ip address 1 RTA(config-route-map)set community
no-export RTA(config)route-map SETCOMMUNITY
permit 20 RTA(config-route-map)exit RTA(config)a
ccess-list 1 permit 172.16.65.0 0.0.0.255
X
- RTA has defined a route map SETCOMMUNITY, and
will send that value toward neighbor 172.16.20.1
(RTC). - Clause 10 of the route map will match on prefix
172.16.65.0/24 and will set its COMMUNITIES
attribute to NO_EXPORT. - Clause 20 of the route map will enable all other
networks to be passed with no change. - Notice that RTA is configured with the
send-community option in the neighbor statement. - This option is necessary to instruct RTA to send
the assigned community value out to that neighbor.
39Peer Groups
- A BGP peer group is a group of BGP neighbors that
share the same update policies. - Instead of defining the same policies for each
individual neighbor, you can define a peer group
and then assign policies to the peer group
itself. - Not only do peer groups save you from having to
repetitively configure each BGP peer, they also
save the BGP router itself from the effort of
parsing the policies sequentially for each
neighbor. - With peer groups, the router formulates the
UPDATE once, based on the policies of the peer
group, and then floods the same UPDATE to all the
neighbors that fall within the group.
40- A BGP peer group is a group of BGP neighbors that
share the same update policies. - Update policies are usually set by route maps,
distribution lists, and filter lists. - Instead of defining the same policies for each
individual neighbor, you define a peer group name
and assign policies to the peer group. - Members of a peer group inherit all of the
configuration options of the peer group. - Peer group members can also be configured to
override configuration options if the options do
not affect outgoing updates. - That is, you can only override options that are
set for incoming updates.
- Router C
- router bgp 300
- neighbor INTERNALMAP peer-group
- neighbor INTERNALMAP remote-as 300
- neighbor INTERNALMAP route-map INTERNAL out
- neighbor INTERNALMAP filter-list 1 out
- neighbor INTERNALMAP filter-list 2 in
- neighbor 5.5.5.2 peer-group INTERNALMAP
- neighbor 6.6.6.2 peer-group INTERNALMAP
- neighbor 3.3.3.2 peer-group INTERNALMAP
-
41- The preceding configuration defines the following
policies for the INTERNALMAP peer group - A route map named INTERNAL
- A filter list for outgoing updates (filter list
1) - A filter list for incoming updates (filter list
2) - The configuration applies the peer group to all
internal neighbors Routers E, F, G. - The end result on this router is that the
neighbors 5.5.5.2, 6.6.6.2, and 3.3.3.2 all get
configurations which are applied to INTERNALMAP,
including the remote-as, route-map and the
filter-list statements.
- Router C
- router bgp 300
- neighbor INTERNALMAP peer-group
- neighbor INTERNALMAP remote-as 300
- neighbor INTERNALMAP route-map INTERNAL out
- neighbor INTERNALMAP filter-list 1 out
- neighbor INTERNALMAP filter-list 2 in
- neighbor 5.5.5.2 peer-group INTERNALMAP
- neighbor 6.6.6.2 peer-group INTERNALMAP
- neighbor 3.3.3.2 peer-group INTERNALMAP
-