
Category: BGP

Jun 13

eBGP Peering
============

We can peer with a device in another Autonomous System using eBGP.
The AD (administrative distance) for eBGP is 20.
By default the time-to-live (TTL) is set to 1 for eBGP sessions.
If an eBGP session is configured between two peers that are not directly connected, the TTL
must be increased or otherwise manipulated.
This also applies when loopback interfaces are used to connect two eBGP neighbors.
The common way to increase the eBGP TTL is the command “neighbor [ip address] ebgp-multihop [TTL value]”.

There are three ways to manipulate the TTL field in eBGP sessions.

The syntax for eBGP peering between loopback interfaces is as follows.
Suppose, as in the figure, R1 is in AS 100 and R2 is in AS 200, and we want to establish
the session using their respective loopbacks.

R1(config)#router bgp 100
R1(config-router)#neighbor 2.2.2.2 remote-as 200
R1(config-router)#neighbor 2.2.2.2 update-source loopback0
R1(config-router)#neighbor 2.2.2.2 ebgp-multihop 2
R1(config-router)#end

For R2:

R2(config)#router bgp 200
R2(config-router)#neighbor 1.1.1.1 remote-as 100
R2(config-router)#neighbor 1.1.1.1 update-source loopback0
R2(config-router)#neighbor 1.1.1.1 ebgp-multihop 2
R2(config-router)#end

In the above scenario the “update-source loopback0” command is used because
we are peering between loopback interfaces. By default BGP uses the connected
outgoing interface as the update source, so without this command the BGP packets
would have been sourced from the FastEthernet interface.
We have also used “ebgp-multihop 2” because the router counts the loopback interface
as a hop: the first hop is from R1's FastEthernet to R2's FastEthernet, and the second
hop is R2's loopback0 interface. That is why “ebgp-multihop 2” is used.
If we do not specify the hop count (2) in the “ebgp-multihop” command, BGP takes
the maximum hop count of 255.

There are two more ways to manipulate the TTL field in eBGP; the first, “ebgp-multihop”,
was mentioned above.
The second is the “disable-connected-check” feature. It is mostly used where the eBGP
session between two devices is routed over another transit router. The syntax is:
R2(config-router)#neighbor 1.1.1.1 disable-connected-check

The third option is “ttl-security hops [hop count]”. The syntax is:
R2(config-router)#neighbor 1.1.1.1 ttl-security hops 2
When the “ttl-security” feature is enabled, BGP will establish and maintain
the session only if the TTL value in the IP packet header is equal to or greater
than the TTL value configured for the peering session. If the value is less than
the configured value, the packet is silently discarded and no Internet Control
Message Protocol (ICMP) message is generated. This feature is both effective and
easy to deploy.
In the above example we are telling the router that the TTL must be equal to
or greater than 2 to establish eBGP peering; if the TTL is less than 2 the
neighborship will not form.
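As an added illustration (not part of the original post), the following Python model contrasts the three options above on the TTL alone. It follows RFC 5082 (GTSM), which “ttl-security” implements: the sender puts 255 in the TTL and the receiver accepts a packet only if its TTL is at least 255 minus the configured hop count. The policy names, hop counts and distances used are constructed; the IOS connected-check on the neighbor address is not modelled.

```python
# Added example (not from the original post): a TTL-only model of the three
# eBGP TTL handling options. "hops" is the configured ebgp-multihop /
# ttl-security value and "decrements" is how many TTL decrements the packet
# suffers on its way; both are constructed for the illustration.
MAX_TTL = 255


def arriving_ttl(initial_ttl: int, decrements: int) -> int:
    """TTL the receiver sees; 0 means the packet expired before arriving."""
    return max(initial_ttl - decrements, 0)


def peer_initial_ttl(policy: str, hops: int) -> int:
    """TTL a legitimate peer puts in its packets under each configuration:
    plain eBGP sends 1, ebgp-multihop sends the configured hop count and
    ttl-security (RFC 5082 / GTSM) always sends the maximum, 255."""
    return {"default": 1, "ebgp-multihop": hops, "ttl-security": MAX_TTL}[policy]


def receiver_accepts(policy: str, hops: int, ttl: int) -> bool:
    """Receive-side check. 'default' and 'ebgp-multihop' only need the packet
    to have arrived; 'ttl-security' additionally requires TTL >= 255 - hops,
    which a sender more than `hops` decrements away cannot satisfy."""
    if ttl < 1:
        return False
    if policy == "ttl-security":
        return ttl >= MAX_TTL - hops
    return True


def session_forms(policy: str, hops: int, decrements: int) -> bool:
    """Does the session come up with a legitimate peer `decrements` away?"""
    ttl = arriving_ttl(peer_initial_ttl(policy, hops), decrements)
    return receiver_accepts(policy, hops, ttl)


def remote_packet_accepted(policy: str, hops: int, decrements: int) -> bool:
    """Would a packet from a host `decrements` away that sets the largest
    possible initial TTL pass the receive check? Shows which policy actually
    bounds how far away the sender may be."""
    return receiver_accepts(policy, hops, arriving_ttl(MAX_TTL, decrements))


if __name__ == "__main__":
    for policy in ("default", "ebgp-multihop", "ttl-security"):
        print(policy, "peer 1 away:", session_forms(policy, 2, 1),
              "host 10 away:", remote_packet_accepted(policy, 2, 10))
```

The last line of output is the point: “ebgp-multihop 2” accepts the far-away packet, “ttl-security hops 2” drops it.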

BGP Reachability
================

R1
|
|
|
R2—FR CLOUD—R6
|
|
|
R5

In the above scenario R1 and R2 are both connected to R6 via a Frame Relay cloud, OSPF area 0 is running between all of them, and R6 is advertising a default route into the OSPF domain. R2 is in BGP AS 100, R6 is in BGP AS 200 and R5 is in AS 54. BGP is not running on R1.

This task describes a case where reachability to certain BGP networks is lost when R2's primary Frame Relay connection is down. When the Frame Relay connection is down, all of R2's traffic destined to R6 must transit R1. The problem, however, is that R1 does not participate in BGP routing. Therefore, although the BGP NLRI (Network Layer Reachability Information) is successfully transmitted throughout the network, traffic may be black-holed when it reaches R1.

To resolve this issue, BGP has been redistributed into OSPF (the IGP). R2 has been configured to redistribute all BGP information learned from AS 54 into OSPF. For traffic in the opposite direction it doesn't matter, since R6 is originating a default route. The commands on R2 are:

router ospf 1
 redistribute bgp 100 subnets route-map BGP2OSPF
!
ip as-path access-list 1 permit ^54_
!
route-map BGP2OSPF permit 10
 match as-path 1

>>Here ^ anchors the match at the beginning of the AS-PATH and _ matches the delimiter after 54, so the list matches every path that starts with AS 54.


BGP Filtering
=============

One of the most important things in BGP is to prevent our own public AS from being used as a transit AS by other BGP ASes. There are several ways to accomplish this (BGP communities can be used as well); here is one simple way that I found while doing a lab today.

>> Suppose our AS is 300 and we don't want AS 200 to use our AS as a transit AS. We can accomplish this with an “ip as-path access-list” matching the AS-PATH, applied to the specified neighbor with a BGP “filter-list”. Here is the example.

>>The syntax of the AS-PATH access-list:

RTC(config)#ip as-path access-list 13 permit ^$

Here ^ matches the beginning of the string and $ matches the end of the string.

>>The syntax of the BGP filter-list:

router bgp 300
 neighbor [ip address] filter-list 13 out

Therefore, by advertising only prefixes that were originated inside AS 300, AS 200 cannot use AS 300 to reach any other AS, such as AS 100 in this scenario. In the above solution this is accomplished by filtering on AS-PATH information. Since the AS-PATH of a prefix is not added until the prefix leaves the AS, prefixes that were originated within the AS have an empty AS-PATH. This is easily matched with a regular expression specifying that the end of the line comes immediately after the start of the line, denoted ^$. We can verify this configuration with the command:

R1#show ip bgp neighbors [ip address of EBGP Neighbor] advertised-routes
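The two AS-path regexes used on this page, ^54_ in the reachability post's route-map and ^$ in the filter-list above, can be checked offline. This is an added example, not the post's own configuration or any vendor code; it translates IOS-style AS-path regex syntax into Python's and runs both patterns over a constructed BGP table.

```python
# Added example (not from the original post): evaluate IOS-style AS-path
# regular expressions such as "^54_" and "^$" against AS_PATH strings as
# printed by 'show ip bgp'. Prefixes and paths below are constructed.
import re

# On IOS, "_" matches a comma, a brace, a space, or the start or end of the
# path; everything else is ordinary regex syntax. (A literal "_" inside a
# character class is not handled; these patterns do not need it.)
AS_DELIMITER = r"(?:^|$|[ ,{}])"


def ios_aspath_regex(pattern: str) -> re.Pattern:
    """Translate an 'ip as-path access-list' pattern into a Python regex."""
    return re.compile(pattern.replace("_", AS_DELIMITER))


def aspath_matches(pattern: str, as_path: str) -> bool:
    """True when the AS-path access-list entry would match this path.
    An empty string is the AS_PATH of a prefix originated in the local AS."""
    return ios_aspath_regex(pattern).search(as_path) is not None


def permitted_prefixes(pattern: str, bgp_table: dict) -> list:
    """Prefixes a one-line 'permit <pattern>' AS-path list lets through, i.e.
    what 'neighbor ... filter-list' would advertise or a route-map would pass."""
    return [prefix for prefix, path in bgp_table.items()
            if aspath_matches(pattern, path)]


# Constructed BGP table of our AS 300: {prefix: AS_PATH as received}.
BGP_TABLE = {
    "192.0.2.0/24": "",          # originated locally: empty AS_PATH
    "10.54.0.0/16": "54",        # received directly from AS 54
    "10.154.0.0/16": "54 100",   # from AS 54, which learned it from AS 100
    "10.100.0.0/16": "100",      # received directly from AS 100
    "10.200.0.0/16": "200 54",   # from AS 200, which learned it from AS 54
    "10.254.0.0/16": "540",      # AS 540: must NOT match ^54_
}

if __name__ == "__main__":
    # Reachability post: routes learned from AS 54 (route-map BGP2OSPF).
    print("^54_ ->", permitted_prefixes("^54_", BGP_TABLE))
    # Filtering post: only our own prefixes leave AS 300 (filter-list 13 out).
    print("^$   ->", permitted_prefixes("^$", BGP_TABLE))
```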

BGP Default Route Origination
=============================

We can originate a default route to a specific BGP neighbor with:

router bgp [AS No.]
 neighbor [ip address] default-originate

Note: by doing this the default route is originated to the BGP peer along with the other routes in the BGP table. If you want to advertise only the default route, back the configuration up with a prefix-list, access-list or route-map.

>>router bgp [AS No.]
 neighbor [ip address of neighbor] prefix-list ONLY_DEFAULT_ORIGINATE out

Your prefix-list could look like this:
>>ip prefix-list ONLY_DEFAULT_ORIGINATE seq 5 permit 0.0.0.0/0

In the above prefix-list we permit only the default route with “0.0.0.0/0”; had we written “0.0.0.0/0 le 32”, all routes, including the default route, would be advertised to the neighbor. Do watch for these granular details when configuring BGP.
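The difference between “0.0.0.0/0” and “0.0.0.0/0 le 32” can be shown by evaluating the prefix-list the way IOS does. This is an added example, not the post's own configuration or vendor code; it implements the ge/le matching rules and runs both variants over a constructed BGP table.

```python
# Added example (not from the original post): evaluate IOS prefix-list entries
# so the difference between 'permit 0.0.0.0/0' and 'permit 0.0.0.0/0 le 32'
# can be seen on a constructed BGP table.
import ipaddress


def parse_entry(entry: str):
    """Parse 'A.B.C.D/L [ge G] [le E]' into (network, ge, le). Without ge/le
    the route length must equal L exactly; 'ge' alone implies 'le 32'."""
    tokens = entry.split()
    net = ipaddress.ip_network(tokens[0], strict=False)
    opts = dict(zip(tokens[1::2], tokens[2::2]))
    ge = int(opts.get("ge", net.prefixlen))
    le = int(opts.get("le", net.max_prefixlen if "ge" in opts else net.prefixlen))
    return net, ge, le


def entry_matches(entry: str, prefix: str) -> bool:
    """A route matches when it lies inside the entry's network and its
    prefix length is within [ge, le]."""
    net, ge, le = parse_entry(entry)
    route = ipaddress.ip_network(prefix, strict=False)
    return route.network_address in net and ge <= route.prefixlen <= le


def prefix_list_permits(rules: list, prefix: str) -> bool:
    """First matching rule wins; an implicit deny sits at the end, as on IOS.
    Rules look like 'seq 5 permit 0.0.0.0/0' or 'deny 10.0.0.0/8 le 32'."""
    for rule in rules:
        tokens = rule.split()
        if tokens[0] == "seq":          # sequence numbers do not affect matching
            tokens = tokens[2:]
        if entry_matches(" ".join(tokens[1:]), prefix):
            return tokens[0] == "permit"
    return False


def advertised(rules: list, bgp_table: list) -> list:
    """What 'neighbor X prefix-list <rules> out' would let through."""
    return [p for p in bgp_table if prefix_list_permits(rules, p)]


# Constructed BGP table: the default route plus three ordinary prefixes.
BGP_TABLE = ["0.0.0.0/0", "10.0.0.0/8", "192.0.2.0/24", "198.51.100.128/25"]
ONLY_DEFAULT_ORIGINATE = ["seq 5 permit 0.0.0.0/0"]
LEAKS_EVERYTHING = ["seq 5 permit 0.0.0.0/0 le 32"]

if __name__ == "__main__":
    print(advertised(ONLY_DEFAULT_ORIGINATE, BGP_TABLE))  # only 0.0.0.0/0
    print(advertised(LEAKS_EVERYTHING, BGP_TABLE))        # every prefix
```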

Important: remember to check the routing table of the iBGP neighbor to which we are advertising the default route, to see whether the route we have injected toward that iBGP neighbor is actually installed in its routing table. Check with the command:
>>sh ip route | inc 0.0.0.0
If the neighbor's routing table is already learning the default route from another IGP, deny that route with an access-list. Suppose we had earlier originated a default route via OSPF in the routing domain; it will look like this:

R1#sh ip route | include  0.0.0.0
Gateway of last resort is X.X.X.X to network 0.0.0.0
O*E2 0.0.0.0/0 [110/1] via X.X.X.X, 00:33:11, FastEthernet1/12

Here we are already learning the default route from OSPF; because OSPF has a lower administrative distance (110) than iBGP (200), the default route via OSPF is installed in the routing table.
We can deny it in OSPF by:
>>router ospf 1
 distribute-list PREFER_DEFAULT_VIA_BGP in

>>ip access-list standard PREFER_DEFAULT_VIA_BGP
 deny 0.0.0.0
 permit any