CCNP - PowerPoint PPT Presentation

Provided by: facultyVal3
Slides: 42

Transcript and Presenter's Notes

1
  • CCNP Advanced Routing
  • Ch. 9 Scaling BGP

2
Scaling BGP
  • BGP's main strength is its ability to impose
    routing policy, primarily through route maps that
    manipulate BGP path attributes.
  • These attributes allow for very precise and
    complex policy implementation.
  • However, as ISPs scale their BGP routing to
    include dozens, and even hundreds, of routers,
    BGP's precision can become an administrative
    nightmare.

3
Scaling BGP
  • The Cisco IOS offers several methods to make
    scaling BGP easier on administrators and on the
    BGP routers themselves:
  • Route Reflectors
  • Route Filtering
  • COMMUNITIES Attribute
  • Peer Groups

4
Scaling BGP
  • Autonomous systems consisting of hundreds of BGP
    routers can pose a serious management problem.
  • If that many Internal BGP (IBGP) speakers are
    configured as a logical full mesh, BGP operation
    becomes extremely complex.
  • Imagine a network where over 100 neighbor
    statements are required just to define the
    remote-as of each peer!

5
Route Reflector (RR)
  • Recent addition to BGP (IOS 11.1)
  • Offers an alternative to the logical full-mesh
    requirement of IBGP.
  • Acts as a focal point for IBGP sessions.
  • Multiple BGP routers can peer with a central
    point (the RR), rather than peer with every other
    router in a full mesh.
  • Similar to OSPF's DR/BDR feature.
  • Provides large ISPs with added BGP scalability.
  • The use of route reflectors is recommended only
    for autonomous systems that support a large
    internal BGP mesh, on the order of more than 100
    sessions per router.
  • Introduces processing overhead on the routers
    that act as route reflectors
  • If configured incorrectly, can cause routing
    loops and instability.

6
Route Reflector (RR)
IBGP routers are typically fully meshed.
7
Route Reflector (RR)
A route reflector can be configured so that IBGP
routers don't have to be in a full mesh to
completely exchange routing information.
Route Reflector Server
8
Route Reflector (RR)
RTA receives an update from an external peer and
passes it on to RTB, which is configured as a
route reflector server with two clients, RTA and
RTC. RTB will reflect the update from client
RTA to client RTC.
Route Reflector Server
9
Route Reflector (RR)
  • The IBGP peers of a route reflector fall under
    two categories:
  • Clients
  • Nonclients
  • A route reflector and its clients form a cluster.
  • All IBGP peers of the route reflector that are
    not part of the cluster are nonclients and must
    be fully meshed to all other nonclients and RR
    servers.
  • Never configure route reflector clients to peer
    with IBGP speakers outside their cluster.
  • Clients and nonclients don't even know that route
    reflection is occurring.
  • To identify clients and clusters, use the
    neighbor command, which has the following syntax,
    on the route reflector server:
  • Router(config-router)# neighbor ip-address
    route-reflector-client

10
Route Reflector (RR)
11
  • Configuring an RR server
  • RTB(config)# router bgp 100
  • RTB(config-router)# neighbor 1.1.1.1 remote-as 100
  • RTB(config-router)# neighbor 1.1.1.1
    route-reflector-client
  • RTB(config-router)# neighbor 2.2.2.2 remote-as 100
  • RTB(config-router)# neighbor 2.2.2.2
    route-reflector-client
  • RTB(config-router)# neighbor 4.4.4.4 remote-as 100
  • RTB(config-router)# neighbor 7.7.7.7 remote-as 100
  • RTB(config-router)# neighbor 8.8.8.8 remote-as 200

12
  • Configuring an RR client
  • Doesn't even know!
  • RTA(config)# router bgp 100
  • RTA(config-router)# neighbor 3.3.3.3 remote-as 100

13
  • Without a route reflector, the network shown
    would require a full IBGP mesh.
  • (That is, Router A would have to be a peer of
    Router B.)
  • If Router C is configured as a route reflector,
    IBGP peering between Routers A and B is not
    required because Router C will reflect updates
    from Router A to Router B and from Router B to
    Router A.
  • Router C
  • router bgp 100
  • neighbor 1.1.1.1 remote-as 100
  • neighbor 1.1.1.1 route-reflector-client
  • neighbor 2.2.2.2 remote-as 100
  • neighbor 2.2.2.2 route-reflector-client

14
  • The router whose configuration includes neighbor
    route-reflector-client router configuration
    commands is the route reflector.
  • The routers identified by the neighbor
    route-reflector-client commands are clients of
    the route reflector.
  • When considered as a whole, the route reflector
    and its clients are called a cluster.
  • Other IBGP peers of the route reflector that are
    not clients are called nonclients.

15
  • An AS can have more than one route reflector.
  • When an AS has more than one route reflector,
    each route reflector treats other route
    reflectors as normal IBGP speakers.
  • There can be more than one route reflector in a
    cluster, and there can be more than one cluster
    in an AS.
  • The AS is divided into multiple clusters, with
    each cluster having one route reflector.
  • Each route reflector is configured as a nonclient
    peer of each other route reflector in a fully
    meshed topology.
  • Note: Route reflector clients should not
    establish peer relationships with IBGP speakers
    outside of their cluster.

16
  • Routers A, B, and C form a cluster, and Router C
    is the route reflector.
  • Routers D, E, and F form a second cluster, of
    which Router D is the route reflector.
  • Router G forms a third cluster.
  • Note that Routers C, D, and G are fully meshed
    and that the routers within a cluster are not
    fully meshed.

17
Route Reflector (RR)
18
  • When the route reflector receives an advertised
    route, depending on the neighbor, it does the
    following (IBGP is not RIP):
  • A route from an external BGP (from Router A)
    speaker is advertised to all clients and
    nonclient peers.
  • A route from a nonclient peer (from Router G, F,
    or E) is advertised to all clients (must be fully
    meshed with other nonclients).
  • A route from a client (from Router B, C, or D) is
    advertised to all clients and nonclient peers.
  • Hence, the clients need not be fully meshed.
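The three reflection rules above can be checked against the seven-router topology from the earlier slides (cluster A-B-C with C as reflector, cluster D-E-F with D as reflector, and G on its own, with C, D and G fully meshed). The Python simulation below is an added example written for this transcript, not code from the course or from Cisco; the session map, the router names and the assumption that a reflector does not echo a route back to the client it came from are mine. It propagates a route injected by EBGP at Router A, compares the number of IBGP sessions with a full mesh, and shows what happens when the route-reflector-client keyword is left off the reflector: the route stalls at C, because an ordinary IBGP speaker never re-advertises an IBGP-learned route.

```python
"""Added example: which routers learn a route under the route-reflector
advertisement rules, using the cluster topology from the slides
(constructed data, not Cisco code)."""
from collections import deque

# IBGP sessions of AS 100 from each router's own point of view.
# "client": this router is the reflector for that peer
#           (neighbor <peer> route-reflector-client was configured here).
# "ibgp":   an ordinary IBGP peer, i.e. a nonclient, or the reflector as
#           seen by a client, which does not know reflection is happening.
CLUSTERED = {
    "A": {"C": "ibgp"},
    "B": {"C": "ibgp"},
    "C": {"A": "client", "B": "client", "D": "ibgp", "G": "ibgp"},
    "D": {"E": "client", "F": "client", "C": "ibgp", "G": "ibgp"},
    "E": {"D": "ibgp"},
    "F": {"D": "ibgp"},
    "G": {"C": "ibgp", "D": "ibgp"},
}


def next_hops(sessions, router, learned_from, via_ebgp):
    """IBGP peers that `router` advertises a route to (the slide's rules)."""
    peers = sessions[router]
    if via_ebgp:
        # From an EBGP speaker: to all clients and nonclients.
        return set(peers)
    if peers.get(learned_from) == "client":
        # From a client: to all clients and nonclients, except the one it
        # came from (assumption: the reflector does not echo it back).
        return {p for p in peers if p != learned_from}
    # From a nonclient: only to clients. A router with no clients is an
    # ordinary IBGP speaker and re-advertises nothing learned over IBGP.
    return {p for p in peers if peers[p] == "client"}


def propagate(sessions, origin):
    """Return the set of routers that learn a prefix injected by EBGP at `origin`."""
    learned = {origin}
    queue = deque([(origin, None, True)])
    while queue:
        router, learned_from, via_ebgp = queue.popleft()
        for peer in next_hops(sessions, router, learned_from, via_ebgp):
            if peer not in learned:
                learned.add(peer)
                queue.append((peer, router, False))
    return learned


def session_count(sessions):
    """Number of distinct IBGP sessions in the topology."""
    return len({frozenset((r, p)) for r, peers in sessions.items() for p in peers})


def full_mesh_sessions(n):
    """Sessions a full IBGP mesh of n routers would need: n(n-1)/2."""
    return n * (n - 1) // 2


def without_rr_keyword(sessions, reflector):
    """Same topology, but `reflector` was configured without route-reflector-client."""
    copy = {r: dict(peers) for r, peers in sessions.items()}
    copy[reflector] = {p: "ibgp" for p in copy[reflector]}
    return copy


if __name__ == "__main__":
    print("learned with reflectors:", sorted(propagate(CLUSTERED, "A")))
    print("sessions:", session_count(CLUSTERED),
          "vs full mesh:", full_mesh_sessions(len(CLUSTERED)))
    broken = without_rr_keyword(CLUSTERED, "C")
    print("learned when C lacks route-reflector-client:",
          sorted(propagate(broken, "A")))
```

Running the simulation from any of A, E or G reaches all seven routers over 7 sessions instead of the 21 a full mesh would need; the "broken" run is the check to keep in mind when a client's routes are missing elsewhere in the AS.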

19
BGP Route Filtering
  • Route filtering empowers a BGP speaker to choose
    what routes to exchange with any of its BGP
    peers.
  • Route filtering is the cornerstone of policy
    routing.
  • An AS can identify inbound traffic it is willing
    to accept by filtering its outbound
    advertisements.
  • An AS can control what routes its outbound
    traffic uses by specifying the routes to accept
    from EBGP neighbors.
  • Even more precise policies can be defined via
    route filters.
  • For example, BGP routes passing through a filter
    can have their attributes manipulated to affect
    the best-path decision process.
  • You can apply route filters to or from a
    particular neighbor by using the distribute-list
    command.

20
BGP Route Filtering
RTA filters update to RTC so it does not include
the 192.69.10.0/24 network.
The distribute-list command can be used to filter
updates so that AS3 does not receive transit
traffic to network 192.69.10.0/24.
21
RTA filters update to RTC so it does not include
the 192.69.10.0/24 network.
  • RTA(config)# router bgp 3
  • RTA(config-router)# neighbor 172.16.1.2 remote-as 3
  • RTA(config-router)# neighbor 172.16.20.1 remote-as 1
  • RTA(config-router)# neighbor 172.16.20.1
    distribute-list 1 out
  • RTA(config-router)# exit
  • RTA(config)# access-list 1 deny 192.69.10.0
    0.0.0.255
  • RTA(config)# access-list 1 permit any

22
  • The distribute-list keyword, used as part of a
    BGP neighbor statement, prevents RTA from
    advertising prefix 192.69.10.0/24 to RTC.
  • The access list is used to identify the prefixes
    to be filtered, and the distribute-list and out
    keywords apply the filter to outgoing updates.
  • Whereas configuring BGP neighbor statements to
    include the distribute-list keyword is effective
    for filtering specific routes, controlling
    supernets can be a bit trickier.


23
BGP Route Filtering
  • Configuring a distribute list relies on creating
    an access list.
  • If we use a standard access list, we are afforded
    only limited functionality.
  • What if you want to advertise an aggregate
    address of 172.16.0.0 /16, but not the individual
    subnets themselves?
  • A standard access list would not work because it
    permits more than is desired, since it filters
    based on the network address only.
  • For example, this access list would permit not
    only the 172.16.0.0/16 summary, but also all the
    components of that summary as well:
  • access-list 1 permit 172.16.0.0 0.0.255.255

24
  • To restrict the update to the 172.16.0.0/16
    summary, you can use an extended access list.
  • In the case of a BGP route filter, an extended
    list matches, first, the network address, and
    second, the subnet mask of the prefix.
  • Both network and mask are paired with their own
    wildcard bitmask, using the following syntax:
  • Router(config)# access-list number {permit | deny}
    ip network network-wildcard mask mask-wildcard
  • Using this configuration, RTA would not send a
    subnet route (such as 172.16.0.0/17 or
    172.16.10.0/24) in an update to AS1.
  • RTA(config)# router bgp 3
  • RTA(config-router)# neighbor 172.16.1.2 remote-as 3
  • RTA(config-router)# neighbor 172.16.20.1 remote-as 1
  • RTA(config-router)# neighbor 172.16.20.1
    distribute-list 101 out
  • RTA(config-router)# exit
  • RTA(config)# access-list 101 permit ip 172.16.0.0
    0.0.255.255 255.255.0.0 0.0.0.0
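To see why the standard list on the previous slide permits too much while the extended list does not, here is an added Python model of how IOS evaluates both kinds of access list when they are applied as BGP route filters. It is example code written for this page, not Cisco's, and the candidate routes are constructed. It implements wildcard matching, the implicit deny at the end of every list, and, for the extended list, the network/mask pairing described above; the same model also reproduces the slide 21 filter that keeps 192.69.10.0/24 out of the update to AS1.

```python
"""Added example: evaluate standard and extended IOS access lists the way
'neighbor ... distribute-list ... out' applies them (constructed data,
not Cisco code)."""
import ipaddress


def wildcard_match(address, pattern, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, p, w = (int(ipaddress.IPv4Address(x)) for x in (address, pattern, wildcard))
    return ((a ^ p) & ~w) & 0xFFFFFFFF == 0


def standard_acl_permits(acl, prefix):
    """acl entries: (action, network, wildcard). Only the network address of
    the prefix is compared; the mask length is ignored. Implicit deny at end."""
    net = ipaddress.ip_network(prefix)
    for action, network, wildcard in acl:
        if wildcard_match(str(net.network_address), network, wildcard):
            return action == "permit"
    return False


def extended_acl_permits(acl, prefix):
    """acl entries: (action, network, net_wildcard, mask, mask_wildcard).
    As a BGP route filter the 'source' pair is matched against the network
    address and the 'destination' pair against the prefix's subnet mask."""
    net = ipaddress.ip_network(prefix)
    for action, network, nwild, mask, mwild in acl:
        if (wildcard_match(str(net.network_address), network, nwild)
                and wildcard_match(str(net.netmask), mask, mwild)):
            return action == "permit"
    return False


def filter_update(permits, acl, routes):
    """Apply the list as an outbound distribute list to a constructed update."""
    return [r for r in routes if permits(acl, r)]


ANY = ("0.0.0.0", "255.255.255.255")  # what the 'any' keyword expands to

# access-list 1 deny 192.69.10.0 0.0.0.255 / access-list 1 permit any  (slide 21)
ACL_1_SLIDE21 = [("deny", "192.69.10.0", "0.0.0.255"), ("permit", *ANY)]
# access-list 1 permit 172.16.0.0 0.0.255.255                          (slide 23)
ACL_1_SLIDE23 = [("permit", "172.16.0.0", "0.0.255.255")]
# access-list 101 permit ip 172.16.0.0 0.0.255.255 255.255.0.0 0.0.0.0 (slide 24)
ACL_101 = [("permit", "172.16.0.0", "0.0.255.255", "255.255.0.0", "0.0.0.0")]

# Constructed routes RTA might hold: the /16 aggregate, two of its
# components, and the prefix slide 21 wants kept away from AS1.
ROUTES = ["172.16.0.0/16", "172.16.0.0/17", "172.16.10.0/24", "192.69.10.0/24"]

if __name__ == "__main__":
    print("slide 21 list sends:", filter_update(standard_acl_permits, ACL_1_SLIDE21, ROUTES))
    print("standard list 1 sends:", filter_update(standard_acl_permits, ACL_1_SLIDE23, ROUTES))
    print("extended list 101 sends:", filter_update(extended_acl_permits, ACL_101, ROUTES))
```

The standard list lets the /17 and /24 components through because it never looks at the mask; the extended list's second pair (255.255.0.0 with wildcard 0.0.0.0) demands an exact /16 mask, so only the aggregate survives.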

25
BGP Route Filtering Prefix lists
  • If using an extended access list to accomplish
    this type of filtering seems confusing to you,
    you are not alone.
  • Improved user-friendliness was one of the factors
    that motivated Cisco to include the ip
    prefix-list command in IOS 12.0.
  • You can use prefix lists as an alternative to
    access lists with many BGP route-filtering
    commands.
  • You must define a prefix list before you can
    apply it as a route filter.
  • The Cisco IOS allows a very flexible
    configuration procedure, where each statement can
    be assigned its own sequence numbers.
  • There is an implicit deny at the end of each
    prefix list.
  • To define a prefix list, use the ip prefix-list
    command, which has the following syntax:
  • Router(config)# ip prefix-list list-name [seq
    seq-value] {deny | permit} network/len [ge ge-value]
    [le le-value]

26
BGP Route Filtering
27
Example
  • RTA(config)# ip prefix-list ELMO permit
    172.16.0.0/16
  • RTA(config)# router bgp 100
  • RTA(config-router)# neighbor 192.168.1.1 remote-as
    200
  • RTA(config-router)# neighbor 192.168.1.1
    prefix-list ELMO out

28
  • The real power of the ip prefix-list command is
    in its optional parameters.
  • The keywords ge and le can be used to specify the
    range of the prefix length to be matched for
    prefixes that are more specific than the
    network/len value.
  • The prefix-length range is assumed to be from
    ge-value to 32 if only the ge attribute is
    specified, and from len to le-value if only the
    le attribute is specified.
  • For example, to accept a mask length of up to 24
    bits in routes with the prefix 192.0.0.0/8
    (i.e. 192.1.0.0/16, 192.2.10.0/24) and deny more
    specific routes (192.168.10.128/25), use the
    following commands:
  • RTA(config)# ip prefix-list GROVER permit
    192.0.0.0/8 le 24
  • RTA(config)# ip prefix-list GROVER deny
    192.0.0.0/8 ge 25

29
  • The le and ge keywords can be used together, in
    the same statement:
  • RTA(config)# ip prefix-list OSCAR permit
    10.0.0.0/8 ge 16 le 24
  • This list permits all prefixes in the 10.0.0.0/8
    address space that have a mask of between 16 and
    24 bits.

30
  • Examples: the following examples show how a
    prefix list can be used.
  • To deny the default route 0.0.0.0/0:
  • ip prefix-list abc deny 0.0.0.0/0
  • To permit the prefix 35.0.0.0/8:
  • ip prefix-list abc permit 35.0.0.0/8
  • The following examples show how to specify a
    group of prefixes.
  • To accept a mask length of up to 24 bits in
    routes with the prefix 192/8:
  • ip prefix-list abc permit 192.0.0.0/8 le 24
  • To deny mask lengths greater than 25 bits in
    routes with a prefix of 192/8:
  • ip prefix-list abc deny 192.0.0.0/8 ge 25
  • To permit mask lengths from 8 to 24 bits in all
    address space:
  • ip prefix-list abc permit 0.0.0.0/0 ge 8 le 24
  • To deny mask lengths greater than 25 bits in all
    address space:
  • ip prefix-list abc deny 0.0.0.0/0 ge 25

31
  • Each prefix list entry is assigned a sequence
    number, either by default or manually by an
    administrator.
  • By numbering the prefix list statements, new
    entries can be inserted at any point in the list,
    which is important because routers test for
    prefix list matches from lowest sequence number
    to highest.
  • By default, the entries of a prefix list will
    have sequence values of 5, 10, 15, etc.
  • To disable this: RTR(config)# no ip prefix-list
    sequence-number
  • Sequence numbers can be created using the
    command:
  • Router(config)# ip prefix-list list-name seq
    seq-value {deny | permit} network/len [ge ge-value]
    [le le-value]
  • RTA# show ip prefix-list
  • ip prefix-list ELMO: 3 entries
  • seq 5 deny 0.0.0.0/0
  • seq 10 permit 172.16.0.0/16
  • seq 15 permit 192.168.0.0/16 le 24
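The matching rules for ge and le, the lowest-sequence-number-first evaluation and the implicit deny at the end are easy to get wrong when reading a list by eye. The Python evaluator below is an added example written for this transcript, not Cisco code; it parses entries in the form shown by show ip prefix-list, assigns 5, 10, 15 ... to entries given without a seq (modelled simply as highest + 5, an approximation of IOS numbering), and reports which entry a route hits. It goes beyond the slides in one respect: it lets you insert an entry with seq 12 into ELMO and confirm it is evaluated between 10 and 15.

```python
"""Added example: evaluate an IOS-style ip prefix-list (constructed, not Cisco code)."""
import ipaddress


def parse_entries(lines):
    """Parse 'seq N {permit|deny} net/len [ge G] [le L]' lines.
    'seq N' may be omitted; the entry then gets highest + 5, giving
    5, 10, 15 ... as on the slide (an approximation of IOS numbering)."""
    entries = []
    for line in lines:
        tok = line.split()
        seq = None
        if tok[0] == "seq":
            seq, tok = int(tok[1]), tok[2:]
        if seq is None:
            seq = max((e[0] for e in entries), default=0) + 5
        action, prefix = tok[0], ipaddress.ip_network(tok[1])
        opts = dict(zip(tok[2::2], map(int, tok[3::2])))
        entries.append((seq, action, prefix, opts.get("ge"), opts.get("le")))
    return entries


def entry_matches(entry, route):
    """network/len must cover the route, and the route's length must fall in
    [len, len] (no options), [ge, 32] (ge only), [len, le] (le only) or [ge, le]."""
    _, _, prefix, ge, le = entry
    if route.network_address not in prefix or route.prefixlen < prefix.prefixlen:
        return False
    lo = prefix.prefixlen if ge is None else ge
    hi = (32 if ge is not None else prefix.prefixlen) if le is None else le
    return lo <= route.prefixlen <= hi


def evaluate(entries, route_str):
    """Return (permitted, matching_seq): entries are tested from the lowest
    sequence number upward, and an unmatched route hits the implicit deny."""
    route = ipaddress.ip_network(route_str)
    for entry in sorted(entries, key=lambda e: e[0]):
        if entry_matches(entry, route):
            return entry[1] == "permit", entry[0]
    return False, None


def show_ip_prefix_list(name, entries):
    """Render the list roughly the way 'show ip prefix-list' does."""
    out = [f"ip prefix-list {name}: {len(entries)} entries"]
    for seq, action, prefix, ge, le in sorted(entries, key=lambda e: e[0]):
        line = f"   seq {seq} {action} {prefix}"
        line += f" ge {ge}" if ge is not None else ""
        line += f" le {le}" if le is not None else ""
        out.append(line)
    return "\n".join(out)


# The ELMO list from the slide, entered without explicit sequence numbers.
ELMO = parse_entries([
    "deny 0.0.0.0/0",
    "permit 172.16.0.0/16",
    "permit 192.168.0.0/16 le 24",
])
# The GROVER list: up to /24 under 192/8 permitted, /25 and longer denied.
GROVER = parse_entries([
    "permit 192.0.0.0/8 le 24",
    "deny 192.0.0.0/8 ge 25",
])

if __name__ == "__main__":
    print(show_ip_prefix_list("ELMO", ELMO))
    for route in ("172.16.0.0/16", "172.16.10.0/24", "192.168.10.0/24", "192.168.10.128/25"):
        print(route, "->", evaluate(ELMO, route))
```

Note that seq 10 of ELMO matches only the exact /16: a more specific 172.16.10.0/24 falls through to the implicit deny unless an entry with ge/le (or a new seq 12 entry) covers it, which is exactly the behaviour the ge/le discussion above describes.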

32
Communities and Peer Groups
33
The COMMUNITIES attribute
  • A BGP community is a group of destinations that
    share some common property.
  • A community is not restricted to one network or
    one AS.
  • Communities are used to simplify routing policies
    by identifying routes based on a logical property
    rather than an IP prefix or an AS number.
  • A BGP speaker can use this attribute in
    conjunction with other attributes to control
    which routes to accept, prefer, and pass on to
    other BGP neighbors.
  • A route map is configured to manipulate community
    values.

34
The COMMUNITIES attribute
  • NO_EXPORT
  • A route carrying this community value should not
    be advertised to peers outside a confederation
    (or the AS if it is the only AS in the
    confederation).
  • NO_ADVERTISE
  • A route carrying this community value, when
    received, should not be advertised to any BGP
    peer.
  • Internet
  • A route carrying this community value, when
    received, should be advertised to all other
    routers.
  • Local-as
  • A route carrying this community value, when
    received, should be advertised to peers within
    the AS, but not advertised to peers in an
    external system.

35
The COMMUNITIES attribute
36
The COMMUNITIES attribute
To prevent AS2 from learning the 172.16.65.0/24
route from AS1, we can configure RTA (AS3) as
follows:
37
To prevent AS2 from learning the 172.16.65.0/24
route from AS1, we can configure RTA (AS3) as
follows:
  • RTA(config)# router bgp 3
  • RTA(config-router)# no auto-summary
  • RTA(config-router)# network 172.16.1.0 mask
    255.255.255.0
  • RTA(config-router)# network 172.16.10.0 mask
    255.255.255.0
  • RTA(config-router)# network 172.16.65.0 mask
    255.255.255.192
  • RTA(config-router)# network 172.16.220.0 mask
    255.255.255.0
  • RTA(config-router)# neighbor 172.16.1.2 remote-as 3
  • RTA(config-router)# neighbor 172.16.1.2
    update-source lo0
  • RTA(config-router)# neighbor 172.16.20.1 remote-as 1
  • RTA(config-router)# neighbor 172.16.20.1
    send-community
  • RTA(config-router)# neighbor 172.16.20.1 route-map
    SETCOMMUNITY out
  • RTA(config-router)# exit
  • RTA(config)# route-map SETCOMMUNITY permit 10
  • RTA(config-route-map)# match ip address 1
  • RTA(config-route-map)# set community no-export
  • RTA(config)# route-map SETCOMMUNITY permit 20
  • RTA(config-route-map)# exit
  • RTA(config)# access-list 1 permit 172.16.65.0
    0.0.0.255

38
  • RTA(config)# router bgp 3
  • RTA(config-router)# neighbor 172.16.20.1
    send-community
  • RTA(config-router)# neighbor 172.16.20.1 route-map
    SETCOMMUNITY out
  • RTA(config-router)# exit
  • RTA(config)# route-map SETCOMMUNITY permit 10
  • RTA(config-route-map)# match ip address 1
  • RTA(config-route-map)# set community no-export
  • RTA(config)# route-map SETCOMMUNITY permit 20
  • RTA(config-route-map)# exit
  • RTA(config)# access-list 1 permit 172.16.65.0
    0.0.0.255
  • RTA has defined a route map SETCOMMUNITY, and
    will send that value toward neighbor 172.16.20.1
    (RTC).
  • Clause 10 of the route map will match on prefix
    172.16.65.0/24 and will set its COMMUNITIES
    attribute to NO_EXPORT.
  • Clause 20 of the route map will enable all other
    networks to be passed with no change.
  • Notice that RTA is configured with the
    send-community option in the neighbor statement.
  • This option is necessary to instruct RTA to send
    the assigned community value out to that neighbor.
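The following Python model walks RTA's routes through the SETCOMMUNITY route map and then shows what RTC (AS1) may re-advertise once it holds a NO_EXPORT route. It is an added example written for this transcript, not Cisco code; the route-map and ACL representation, the four constructed routes (taken from the network statements, where 172.16.65.0 with mask 255.255.255.192 is a /26, which the standard ACL still matches because it compares only the network address) and the two-peer receiver are assumptions. The send_community flag reproduces the point in the last bullet: without it the community never leaves RTA, and the receiving AS has nothing to honour.

```python
"""Added example: RTA's SETCOMMUNITY route map and what a router that
receives a NO_EXPORT route may re-advertise (constructed, not Cisco code)."""
import ipaddress

NO_EXPORT = "no-export"


def wildcard_match(address, pattern, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, p, w = (int(ipaddress.IPv4Address(x)) for x in (address, pattern, wildcard))
    return ((a ^ p) & ~w) & 0xFFFFFFFF == 0


def acl_permits(acl, prefix):
    """Standard ACL used by 'match ip address': compares the network address only."""
    addr = str(ipaddress.ip_network(prefix).network_address)
    for action, network, wildcard in acl:
        if wildcard_match(addr, network, wildcard):
            return action == "permit"
    return False


# access-list 1 permit 172.16.65.0 0.0.0.255
ACL_1 = [("permit", "172.16.65.0", "0.0.0.255")]

# route-map SETCOMMUNITY as (seq, action, match criteria, set actions):
# clause 10 matches ACL 1 and sets no-export; clause 20 has no match
# statement, so it matches everything else and changes nothing.
SETCOMMUNITY = [
    (10, "permit", {"acl": ACL_1}, {"communities": {NO_EXPORT}}),
    (20, "permit", {}, {}),
]

# RTA's network statements from the slide, as prefixes (constructed).
RTA_ROUTES = ["172.16.1.0/24", "172.16.10.0/24", "172.16.65.0/26", "172.16.220.0/24"]


def apply_route_map(route_map, prefix):
    """First matching clause wins; a route matching no clause is dropped."""
    for _seq, action, match, sets in sorted(route_map, key=lambda c: c[0]):
        acl = match.get("acl")
        if acl is None or acl_permits(acl, prefix):
            if action != "permit":
                return False, set()
            return True, set(sets.get("communities", ()))
    return False, set()


def build_update(routes, route_map, send_community):
    """The UPDATE RTA sends to 172.16.20.1 as (prefix, communities) pairs.
    Without 'neighbor ... send-community' the attribute is not sent at all."""
    update = []
    for prefix in routes:
        permitted, communities = apply_route_map(route_map, prefix)
        if permitted:
            update.append((prefix, communities if send_community else set()))
    return update


def readvertisable(update, peer_kind):
    """Prefixes the receiving router (RTC, AS1) may pass to an 'ibgp' or
    'ebgp' peer: NO_EXPORT routes stay inside the receiving AS."""
    return [prefix for prefix, communities in update
            if not (peer_kind == "ebgp" and NO_EXPORT in communities)]


if __name__ == "__main__":
    update = build_update(RTA_ROUTES, SETCOMMUNITY, send_community=True)
    print("RTA -> RTC:", update)
    print("RTC -> AS2 (EBGP):", readvertisable(update, "ebgp"))
    print("RTC -> IBGP peer:", readvertisable(update, "ibgp"))
    leaky = build_update(RTA_ROUTES, SETCOMMUNITY, send_community=False)
    print("RTC -> AS2 without send-community:", readvertisable(leaky, "ebgp"))
```

The last line of output is the one to check after such a change: if the prefix still shows up at AS2, look for a missing send-community on RTA before suspecting the route map.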

39
Peer Groups
  • A BGP peer group is a group of BGP neighbors that
    share the same update policies.
  • Instead of defining the same policies for each
    individual neighbor, you can define a peer group
    and then assign policies to the peer group
    itself.
  • Not only do peer groups save you from having to
    repetitively configure each BGP peer, they also
    save the BGP router itself from the effort of
    parsing the policies sequentially for each
    neighbor.
  • With peer groups, the router formulates the
    UPDATE once, based on the policies of the peer
    group, and then floods the same UPDATE to all the
    neighbors that fall within the group.

40
  • A BGP peer group is a group of BGP neighbors that
    share the same update policies.
  • Update policies are usually set by route maps,
    distribution lists, and filter lists.
  • Instead of defining the same policies for each
    individual neighbor, you define a peer group name
    and assign policies to the peer group.
  • Members of a peer group inherit all of the
    configuration options of the peer group.
  • Peer group members can also be configured to
    override configuration options if the options do
    not affect outgoing updates.
  • That is, you can only override options that are
    set for incoming updates.
  • Router C
  • router bgp 300
  • neighbor INTERNALMAP peer-group
  • neighbor INTERNALMAP remote-as 300
  • neighbor INTERNALMAP route-map INTERNAL out
  • neighbor INTERNALMAP filter-list 1 out
  • neighbor INTERNALMAP filter-list 2 in
  • neighbor 5.5.5.2 peer-group INTERNALMAP
  • neighbor 6.6.6.2 peer-group INTERNALMAP
  • neighbor 3.3.3.2 peer-group INTERNALMAP

41
  • The preceding configuration defines the following
    policies for the INTERNALMAP peer group:
  • A route map named INTERNAL
  • A filter list for outgoing updates (filter list
    1)
  • A filter list for incoming updates (filter list
    2)
  • The configuration applies the peer group to all
    internal neighbors (Routers E, F, and G).
  • The end result on this router is that the
    neighbors 5.5.5.2, 6.6.6.2, and 3.3.3.2 all get
    configurations which are applied to INTERNALMAP,
    including the remote-as, route-map and the
    filter-list statements.