Common BGP Misconfigurations and Ways to Fix Them
BGP (Border Gateway Protocol) is the routing protocol that runs the Internet. It allows multiple autonomous systems to exchange routing information and establish paths to forward traffic. However, BGP can be quite complex to configure, and it’s easy to introduce misconfigurations that can cause routing issues and instability.
In this article, we’ll go over 5 common BGP misconfigurations, exploring their impacts and addressing how to fix them.
Before we dive in, make sure you have read through my previous BGP posts.
- What is BGP in Networking
- BGP Message Types
- BGP States
- How to advertise routes in BGP – 5 Simple Techniques
- eBGP vs iBGP
- What is BGP Regular Expression
- BGP Security Best Practices
Let’s get started.
TL;DR
- BGP Misconfiguration 1 – Incorrect ASN
- BGP Misconfiguration 2 – Incorrect neighbor IP address
- BGP Misconfiguration 3 – Missing or incorrect authentication configuration
- BGP Misconfiguration 4 – Route policy conflicts
- BGP Misconfiguration 5 – Incorrect neighbor address family
- BGP Misconfiguration 5.1 – Missing neighbor activation for a particular address family
BGP Misconfiguration 1 – Incorrect ASN
The ASN or Autonomous System Number is the most fundamental configuration element of BGP, and if it’s misconfigured, BGP will not function properly. There are a few common issues here:
- Using a private ASN (64512-65535) on the public Internet. Private ASNs are meant for internal BGP use and will not establish connections with other public Internet routers.
- Wrong AS number– If you enter the wrong AS number, your BGP router will not be able to establish any neighbor relationships or properly exchange routes.
- Using a duplicate ASN as another network on the Internet. Each ASN must be unique.
Impact on Network: If two BGP neighbors have different AS numbers configured, they will not establish a BGP session and will not exchange routes. This means routes to networks learned via that neighbor will be lost, potentially causing a loss of connectivity to those networks.
Steps to Resolve: Double-check that the correct ASN is configured for your BGP instance and that it is unique if you are directly peering with public ASNs. You can check BGP-looking glasses or other resources to verify no other network is using your ASN.
Sample Misconfiguration:
Router1
router bgp 65000
bgp log-neighbor-changes
neighbor 10.1.1.2 remote-as 65001
Router2
router bgp 65001
bgp log-neighbor-changes
neighbor 10.1.1.1 remote-as 65002
In this sample misconfiguration, Router1 actual ASN is 65000, and Router2 ASN is 65001, but Router2 is configured to peer with AS 65002 instead of 65000 with Router1, causing the BGP session to not establish.
This will result in routes not being exchanged between the two routers, potentially causing a loss of connectivity to networks reachable through those routers.
To resolve this issue, configure the correct ASNs on each router.
BGP Misconfiguration 2 – Incorrect neighbor IP address
BGP establishes connections to neighbors using TCP and requires you to specify the IP address of the neighbor BGP router. If you enter the wrong IP address, no connection will be made, and routes will not be exchanged.
A few common issues include:
- Using the wrong IP address for the neighbor, e.g. an internal address instead of an external address.
- Forgetting to configure a neighbor at all, which results in no BGP peering establishment.
- Forgetting to source the IP address from the correct interface.
Impact on Network: If a BGP neighbor has the wrong IP address configured, the TCP session will not come up, and routes will not be exchanged. This can cause blackholing of traffic destined for the networks learned from that neighbor.
Steps to Resolve: Check that you are using the correct IP address of the external or internal BGP neighbor, and make sure you source it from the correct interface.
Sample Misconfiguration: You can consider the previous ASN example and can think of a scenario where Router2 is configured to peer with 10.1.1.4 instead of 10.1.1.1, causing the BGP session to not establish.
This will prevent the BGP session from establishing, leading to a lack of route exchange and potential connectivity loss.
Ensure that the correct IP address is used for the BGP neighbor on both routers.
BGP Misconfiguration 3 – Missing or incorrect authentication configuration
For security, BGP peering relationships can be authenticated using a password or MD5 hash. If you configure a neighbor to require authentication but don’t configure the correct authentication password or authentication type on both sides, the BGP peering will fail to establish.
Impact on Network: If MD5 authentication is misconfigured between neighbors, they will not establish a BGP session and exchange routes. This can lead to route loss similar to the incorrect neighbor configuration.
Steps to Resolve: Verify that you have authentication configured properly on both the local and neighbor BGP router with matching passwords or MD5 hashes.
Sample Misconfiguration:
Router1
router bgp 64500
bgp log-neighbor-changes
neighbor 203.0.113.2 remote-as 64501
neighbor 203.0.113.2 password cisco123
Router2
router bgp 64501
bgp log-neighbor-changes
neighbor 203.0.113.1 remote-as 64500
In this sample misconfiguration, MD5 authentication is configured only on Router 1, causing the BGP session to not establish.
To resolve this issue, configure matching authentication passwords on both routers.
BGP Misconfiguration 4 – Route policy conflicts
If you implement inbound or outbound route policies (prefix lists, route-maps, etc.) on one side of a BGP peering but not the other, it can cause routing conflicts and prevent routes from being exchanged properly. For example, if a filter is implemented to only accept routes with AS path lengths less than 3, longer paths to legitimate destinations would be rejected. To resolve, review BGP filtering configurations and ensure they are not too restrictive and are implemented as desired. Filters should be tested to ensure that desired connectivity is maintained.
Impact on Network: Incorrect or overly restrictive route filtering and prefix lists can inadvertently filter desired routes, leading to loss of connectivity to those destinations. Route filtering should be carefully tested to ensure it is implemented as intended. Also, Bogons (fake routes) can be advertised if route origination or AS path checks are not properly configured, potentially sending traffic to the wrong destinations. This highlights the need for strong route filtering and verification practices.
Steps to Resolve: Review both sides of the BGP peering and ensure any route policies, like prefix lists, route maps, etc., are implemented consistently. Route policies should include the same criteria for accepting and denying routes on both sides.
Sample Misconfiguration:
Router1
router bgp 64500
bgp log-neighbor-changes
neighbor 203.0.113.2 remote-as 64501
neighbor 203.0.113.2 prefix-list my-prefix-list in
!
ip prefix-list my-prefix-list seq 10 permit 192.0.2.0/24
Router2
router bgp 64501
bgp log-neighbor-changes
neighbor 203.0.113.1 remote-as 64500
In this sample misconfiguration, Router 1 has an inbound prefix list that filters routes from Router 2, allowing only the 192.0.2.0/24 network. This may inadvertently block other desired routes.
Review BGP filtering configurations on both routers and ensure they are consistent and not overly restrictive.
BGP Misconfiguration 5 – Incorrect neighbor address family
BGP can carry multiple address families, such as IPv4, IPv6, VPNv4, and more. It is important that neighboring BGP routers are configured to support the same address families. If one router expects to receive IPv4 and IPv6 routes, but the neighbor only has IPv4 configured, the IPv6 routes will be rejected.
Impact on Network: If address families are mismatched between neighbors, the neighbor that expects certain address families may reject routes of those types from the other neighbor. For example, if one neighbor only has IPv4 configured, but the other advertises both IPv4 and IPv6 routes, the IPv6 routes will be rejected, causing potential connectivity loss.
Steps to Resolve: To resolve, verify neighbor configurations have the appropriate address family configured to match on both sides.
Sample Misconfiguration:
Router1
router bgp 64500
bgp log-neighbor-changes
neighbor 203.0.113.2 remote-as 64501
!
address-family ipv4
neighbor 203.0.113.2 activate
!
address-family ipv6
neighbor 203.0.113.2 activate
Router2
router bgp 64501
bgp log-neighbor-changes
neighbor 203.0.113.1 remote-as 64500
!
address-family ipv4
neighbor 203.0.113.1 activate
In this sample misconfiguration, Router 1 is configured to exchange both IPv4 and IPv6 routes with Router 2, but Router 2 is only configured for the IPv4 address family. This will result in Router 2 rejecting IPv6 routes from Router 1, causing potential connectivity loss for IPv6 networks.
To resolve this issue, configure the IPv6 address family on Router 2 and activate the neighbor relationship for IPv6.
BGP Misconfiguration 5.1 – Missing neighbor activation for a particular address family
If BGP neighbor activation is not configured (with the “neighbor activate” command) for a particular address family, no routing updates will be exchanged for that address family.
Impact: This leads to routes not being advertised or learned properly for that particular address family.
Resolution: Configure “neighbor <neighbor IP> activate” on the BGP router to activate the BGP neighbor relationship.
Sample Misconfiguration:
Router1
router bgp 64500
bgp log-neighbor-changes
neighbor 203.0.113.2 remote-as 64501
!
address-family ipv4
neighbor 203.0.113.2 activate
!
address-family ipv6
Router2
router bgp 64501
bgp log-neighbor-changes
neighbor 203.0.113.1 remote-as 64500
!
address-family ipv4
neighbor 203.0.113.1 activate
!
address-family ipv6
neighbor 203.0.113.1 remote-as 64500
In this sample misconfiguration, Router 1 is missing the “neighbor activate” command for the IPv6 address family, causing the BGP session to not exchange IPv6 routes. This will result in a lack of IPv6 route exchange between the two routers, potentially causing connectivity loss for IPv6 networks. To resolve this issue, activate the IPv6 address family for the BGP neighbor on Router 1 by adding the “neighbor 203.0.113.2 activate” command under the “address-family ipv6” section.
Conclusion
In conclusion, BGP is a crucial routing protocol that powers the Internet by enabling autonomous systems to exchange routing information and establish paths for traffic forwarding. However, due to its complexity, misconfigurations can easily occur, leading to routing issues and network instability. This article presented six common BGP misconfigurations involving incorrect ASN, wrong neighbor IP address, missing or incorrect authentication, route policy conflicts, mismatched address families, and missing neighbor activation. Each misconfiguration’s impact on the network was discussed, along with the steps to resolve them.
To ensure stable and efficient BGP operation, it is essential to carefully plan, configure, and verify BGP settings on routers. Network administrators should be familiar with the potential pitfalls and misconfigurations to quickly identify and rectify any issues that may arise. Regular audits, monitoring, and proper documentation of BGP configurations can also help minimize the risks associated with misconfigurations, ultimately leading to a more resilient and robust network infrastructure.
- NETGEAR Nighthawk (RAX54S) WiFi 6 Router Review - August 24, 2024
- TP-Link AX1800 Archer AX21 WiFi 6 Router Review - August 24, 2024
- How to Connect Nanit to Hotel WiFi? - August 12, 2024