BGP


What Is BGP?
The Border Gateway Protocol (BGP) is a routing protocol between autonomous systems (ASs). It is sometimes called a path-vector routing protocol because it carries an AS path, used as a vector, to prevent interdomain routing loops. In BGP, path vector means that the routing information includes the series of AS numbers through which a route has passed on its way through the network. Although BGP is primarily used for inter-AS routing, it is also used in large networks for MPLS-based VPNs and to join separate large OSPF domains. BGP is much more scalable than an IGP and offers far greater control through policy.

BGP exchanges routing information among ASs. An AS is a set of routers that operate under the same administration. BGP routing information includes the complete AS path to each destination. BGP uses this information to maintain a base of Network Layer reachability information (NLRI), which it exchanges with other BGP systems.

BGP is a classless routing protocol: it carries each prefix together with its length, regardless of the class definitions of IPv4 addresses. BGP routers exchange routing information between peers. For inter-AS (EBGP) routing the peers are normally directly connected; multihop peering is possible but requires additional configuration. Peering depends on an established TCP connection, which is addressed later in this material.

BGP version 4 (BGP4) is essentially the only exterior gateway protocol (EGP) currently used in the Internet. It is defined in RFC 4271, which obsoleted the former standard of more than 10 years, RFC 1771.

2 www.juniper.net

When Should I Use BGP?


Networks with a single upstream connection gain little from running a dynamic routing protocol with their Internet service provider (ISP). These customers typically use a static default route to send all external traffic toward the Internet, and the provider typically uses a static route to direct traffic for the customer's addresses back to the customer. A single-homed network normally uses addresses assigned by the provider from the provider's aggregate. Because these addresses belong to the provider and can be used only while the customer remains a customer of that provider, they are known as nonportable addresses. Using them allows the provider to announce a single aggregate route covering many customer networks, which limits growth of the global routing table. The Internet routing table currently contains hundreds of thousands of routes, which highlights the need for a protocol as scalable and robust as BGP.

BGP is normally used when a network has multiple upstream connections, either to a single ISP or to several ISPs. BGP's policy controls make it possible to optimize inbound and outbound traffic flows according to the network's technical and business constraints. Although BGP can detect and route around failures in redundant environments, BGP sessions within an AS typically do not react as quickly as an IGP, and they often depend on the AS's IGP remaining operational when failures occur.

Networks multihomed to a single ISP usually use nonportable addresses assigned by that provider. Networks multihomed to multiple ISPs usually use portable addresses assigned directly by the regional address registry.


EBGP and IBGP Peers


BGP supports two types of routing-information exchange. Exchanges between ASs are external BGP (EBGP) sessions and handle inter-AS routing. Exchanges within an AS are internal BGP (IBGP) sessions and handle intra-AS routing.

An EBGP peering connects a device in one AS with a device in a different AS. The connection between the two ASs consists of a physical connection and a BGP connection. The physical connection is a shared Data Link Layer subnetwork between the two ASs, on which each AS has at least one border gateway. The BGP connection exists between BGP speakers in each AS and communicates the destinations reachable through the advertising AS. An EBGP session is typically established between directly connected devices in the two ASs, because the time-to-live (TTL) of EBGP packets is 1 by default, so the packets cannot cross an intermediate router.

An IBGP session is typically established between the loopback interfaces of routers that are not directly connected (depending, of course, on the AS's topology). BGP uses loopback interfaces for stability: a loopback stays up as long as the router itself is up, so the session survives the failure of any single physical link. Because IBGP peers are typically remote from one another, an IGP is required within the AS; the BGP TCP session is set up using the ordinary routing table, which must therefore contain a route to the peer's loopback address.


BGP Peering Sessions


Unlike other dynamic routing protocols, BGP requires that you manually define the neighbors with which the local device peers. Because peers are defined manually, there is no automatic neighbor discovery as in other protocols.

BGP uses TCP as its transport protocol (port 179). TCP provides BGP with a full-duplex, connection-oriented, reliable byte-stream service. BGP considers the connection between two peers idle until a TCP connection is established between them; once it is, the endpoints are assured of reliable delivery. The following list describes the BGP neighbor states:
• Idle: The Idle state is the initial state, in which all incoming BGP connections are refused. A start event is required for the local system to initialize BGP resources and prepare for a transport connection with the peer.
• Connect: In the Connect state, BGP is waiting for the transport protocol connection to complete. If the connection succeeds, the local system sends an Open message and transitions to OpenSent. If the connection fails, the local system restarts the ConnectRetryTimer, listens for a connection initiated by the remote peer, and changes its state to Active.
• Active: In the Active state, BGP is trying to acquire a peer by initiating a transport protocol connection. If the connection succeeds, the local system sends an Open message to its peer and transitions to OpenSent. If the local system stays in Active, check physical connectivity, any filters that could block TCP port 179, and the configuration on both peers.
• OpenSent: In the OpenSent state, BGP waits for an Open message from its peer. When an Open message arrives, it is checked for errors. If an error is detected, the local system sends a Notification message and transitions back to Idle. If no error is detected, BGP sends a Keepalive message and moves to OpenConfirm.
• OpenConfirm: In the OpenConfirm state, BGP waits for a Keepalive or Notification message. If no Keepalive arrives before the negotiated hold timer expires, the local system sends a Notification message stating that the hold timer has expired and changes its state to Idle. Likewise, if the local system receives a Notification message, it changes its state to Idle. If it receives a Keepalive message, it changes its state to Established.
• Established: In the Established state, BGP can exchange Update, Notification, and Keepalive messages with its peer. When the local system receives an Update or Keepalive message and the negotiated hold time is nonzero, it restarts its hold timer. Each time its own keepalive timer expires it sends a Keepalive message, so that the peer's hold timer does not expire; if its hold timer does expire without any message from the peer, the local system sends a Notification message (hold timer expired) and returns to Idle.
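The state machine above, written out as an added Python example (not Junos code and not part of the course material). The event names, the expected peer AS number (65503) and the hold-time values are assumed; the example drives the happy path to Established and shows the two failure paths the list describes, a bad Open and an expired hold timer.

```python
"""BGP neighbor state machine, reduced to the events and transitions listed
above. Added example, not Junos code: the event names, the expected peer AS
and the hold-time values are assumed."""

IDLE, CONNECT, ACTIVE, OPENSENT, OPENCONFIRM, ESTABLISHED = (
    "Idle", "Connect", "Active", "OpenSent", "OpenConfirm", "Established")


class BgpSession:
    def __init__(self, expected_peer_as, local_hold=90):
        self.expected_peer_as = expected_peer_as
        self.local_hold = local_hold
        self.hold_time = None      # negotiated: the lower of the two offered values
        self.state = IDLE
        self.sent = []             # messages this side emitted, for inspection
        self.transitions = []      # (old, new) pairs, for inspection

    def _go(self, new):
        self.transitions.append((self.state, new))
        self.state = new

    def event(self, ev, **kw):
        """Feed one event (plus any message fields) and return the new state."""
        s = self.state
        if s == IDLE and ev == "start":            # allocate resources, attempt the TCP connection
            self._go(CONNECT)
        elif s in (CONNECT, ACTIVE) and ev == "tcp_established":
            self.sent.append("OPEN")
            self._go(OPENSENT)
        elif s == CONNECT and ev == "tcp_failed":   # restart ConnectRetryTimer, wait for the peer's SYN
            self._go(ACTIVE)
        elif s == ACTIVE and ev == "connect_retry_expired":
            self._go(CONNECT)
        elif s == OPENSENT and ev == "open_received":
            if kw.get("version", 4) != 4 or kw.get("peer_as") != self.expected_peer_as:
                self.sent.append("NOTIFICATION(OPEN error)")   # unacceptable OPEN: tear down
                self._go(IDLE)
            else:
                self.hold_time = min(self.local_hold, kw["hold_time"])
                self.sent.append("KEEPALIVE")
                self._go(OPENCONFIRM)
        elif s in (OPENSENT, OPENCONFIRM, ESTABLISHED) and ev == "tcp_failed":
            self._go(ACTIVE if s == OPENSENT else IDLE)
        elif s == OPENCONFIRM and ev == "keepalive_received":
            self._go(ESTABLISHED)
        elif s in (OPENCONFIRM, ESTABLISHED) and ev == "hold_timer_expired":
            self.sent.append("NOTIFICATION(hold timer expired)")
            self._go(IDLE)
        elif s in (OPENCONFIRM, ESTABLISHED) and ev == "notification_received":
            self._go(IDLE)
        elif s == ESTABLISHED and ev == "keepalive_timer_expired":
            self.sent.append("KEEPALIVE")        # keeps the peer's hold timer from expiring
        elif s == ESTABLISHED and ev in ("keepalive_received", "update_received"):
            pass                                 # a nonzero hold timer is restarted here
        elif ev == "stop" and s != IDLE:
            self.sent.append("NOTIFICATION(cease)")
            self._go(IDLE)
        return self.state


def bring_up(peer_as=65503, peer_hold=180):
    """Drive the happy path Idle -> Connect -> OpenSent -> OpenConfirm -> Established."""
    s = BgpSession(expected_peer_as=peer_as, local_hold=90)
    s.event("start")
    s.event("tcp_established")
    s.event("open_received", peer_as=peer_as, hold_time=peer_hold)
    s.event("keepalive_received")
    return s
```

Note that the negotiated hold time is the lower of the two offers (90 here, not 180), and that a session stuck cycling Connect/Active has never exchanged an Open at all, which is why the list above points you at connectivity and configuration rather than at BGP attributes.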


BGP Message Types


BGP processes a message only after the entire message has been received. The maximum message size is 4096 octets; the smallest BGP message is a header with no data, 19 octets. Every message begins with the same fixed 19-byte header: a 16-octet marker, a 2-octet length, and a 1-octet type. The message types are:
• Open: The Open message is sent once the TCP three-way handshake completes. It initiates the BGP session and carries the BGP version, the sender's AS number and router identifier, its proposed hold time, and optional parameters describing supported options; the peers settle on the lower of the two proposed hold times.
• Update: BGP uses Update messages to transport routing information between peers. Depending on the receiving device's routing policy, this information is either added to the routing table or ignored.
• Keepalive: BGP does not rely on Transport Layer keepalives. Instead, peers exchange BGP Keepalive messages often enough (by convention every third of the negotiated hold time) that the hold timer does not expire. A Keepalive is the 19-byte header alone, with no data portion.
• Notification: BGP uses Notification messages to signal that something is wrong with the session, for example when an Open message carries an unsupported option or when a peer fails to send an Update or Keepalive before the hold timer expires. After a Notification is sent or received, the BGP session is closed.
• Refresh: Normally a BGP speaker cannot be made to readvertise routes that have already been sent and acknowledged (by TCP). The route refresh message supports soft clearing of BGP sessions by asking a peer to readvertise routes it has already sent. Soft clearing has some very specific uses with MPLS-based VPNs, such as adding new customer sites to an existing VPN.
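The header, Open and Keepalive formats described above, as an added Python example that is not part of the course material and not Junos code. It frames and parses messages from a TCP byte stream, rejecting a bad marker, a length outside 19 to 4096 octets, an unknown type, or a Keepalive that carries data, and it builds and decodes an Open body (the AS number, router ID and hold time below are made up; optional parameters are treated as an opaque blob).

```python
"""Minimal BGP-4 message codec (RFC 4271): fixed 19-byte header, OPEN,
KEEPALIVE and NOTIFICATION. Added example; not from the course material."""
import struct

MARKER = b"\xff" * 16           # all-ones marker (no authentication in the marker)
HDR_LEN = 19                    # smallest legal message: header only (KEEPALIVE)
MAX_LEN = 4096
OPEN, UPDATE, NOTIFICATION, KEEPALIVE, ROUTE_REFRESH = 1, 2, 3, 4, 5
TYPE_NAMES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE", 5: "ROUTE-REFRESH"}


class BgpError(ValueError):
    """Malformed message; a real speaker would answer with a NOTIFICATION
    (error code 1, Message Header Error) and close the session."""


def encode(msg_type, body=b""):
    """Wrap a body in the 19-byte header; refuse to build an oversized message."""
    length = HDR_LEN + len(body)
    if length > MAX_LEN:
        raise BgpError("message exceeds 4096 octets")
    return MARKER + struct.pack("!HB", length, msg_type) + body


def decode(data):
    """Parse one message from the front of a byte stream. Returns
    (type, body, remaining) or (None, None, data) when more bytes are needed,
    because BGP acts on a message only once the whole message has arrived."""
    if len(data) < HDR_LEN:
        return None, None, data
    marker, length, msg_type = struct.unpack("!16sHB", data[:HDR_LEN])
    if marker != MARKER:
        raise BgpError("connection not synchronized (bad marker)")
    if length < HDR_LEN or length > MAX_LEN:
        raise BgpError("bad message length %d" % length)
    if msg_type not in TYPE_NAMES:
        raise BgpError("bad message type %d" % msg_type)
    if len(data) < length:
        return None, None, data
    body = data[HDR_LEN:length]
    if msg_type == KEEPALIVE and body:
        raise BgpError("KEEPALIVE must be header only")
    return msg_type, body, data[length:]


def parse_stream(data):
    """Split a received byte stream into (name, body) pairs; leftover bytes
    of a partial message are returned so the caller can keep buffering."""
    out = []
    while True:
        msg_type, body, data = decode(data)
        if msg_type is None:
            return out, data
        out.append((TYPE_NAMES[msg_type], body))


def encode_open(my_as, hold_time, router_id, opt_params=b""):
    """OPEN body: version 4, 2-octet AS, hold time, 4-octet BGP identifier,
    optional-parameter length and the parameters themselves."""
    rid = struct.unpack("!I", bytes(int(o) for o in router_id.split(".")))[0]
    return struct.pack("!BHHIB", 4, my_as, hold_time, rid, len(opt_params)) + opt_params


def decode_open(body):
    version, my_as, hold, rid, opt_len = struct.unpack("!BHHIB", body[:10])
    if version != 4:
        raise BgpError("unsupported version %d" % version)
    if hold in (1, 2):            # RFC 4271: hold time must be 0 or at least 3 seconds
        raise BgpError("unacceptable hold time %d" % hold)
    if len(body) != 10 + opt_len:
        raise BgpError("OPEN optional-parameter length mismatch")
    return {"as": my_as, "hold_time": hold,
            "router_id": ".".join(str(b) for b in struct.pack("!I", rid)),
            "opt_params": body[10:]}


def negotiate_hold_time(local, remote):
    """Both sides use the smaller of the two offered hold times."""
    return min(local, remote)


def encode_notification(code, subcode, data=b""):
    return encode(NOTIFICATION, struct.pack("!BB", code, subcode) + data)
```

The parser never trusts the length field beyond the 19 to 4096 bounds and never reads past the buffer, which is the check that matters when port 179 is reachable from a peer you do not fully control.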


BGP Update Messages


A BGP Update message describes a single path and then lists the prefixes (NLRI) reachable through that path. Peers assume this information is unchanged until a later Update advertises a new path for a prefix or lists the prefix as unreachable. An Update can also withdraw prefixes that are no longer reachable, regardless of the path previously associated with them. Peers use Update messages to keep their neighbors current about BGP routes.

BGP relies on TCP for reliable delivery, so a neighbor never misses an Update. The keepalive mechanism lets each peer confirm that its neighbor is still functioning. If a neighbor goes down, the BGP speaker deletes all routes learned from that peer and updates its other peers accordingly.

BGP uses the information in Update messages, in particular the path attributes, to detect routing loops and to determine the best path to each destination prefix.
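An Update body parser, as an added Python example that is not part of the course and not Junos code. It decodes the withdrawn-routes list, the path attributes (ORIGIN, AS_PATH, NEXT_HOP, MED, LOCAL_PREF; anything else is kept raw) and the NLRI, and applies the AS-path loop check the text refers to. The sample message is constructed here (ISP B as AS 65200, ISP A as AS 65100, a next hop of 172.24.1.1 are assumptions); 2-octet AS numbers are assumed, i.e. no four-octet AS capability.

```python
"""Parse a BGP UPDATE body (RFC 4271 section 4.3). Added example; the sample
message and AS numbers are constructed, 2-octet ASNs assumed."""
import struct

ORIGIN, AS_PATH, NEXT_HOP, MED, LOCAL_PREF = 1, 2, 3, 4, 5
AS_SET, AS_SEQUENCE = 1, 2
ORIGIN_NAMES = {0: "IGP", 1: "EGP", 2: "Incomplete"}


def decode_prefixes(buf):
    """NLRI / withdrawn encoding: 1-octet prefix length, then only as many
    octets as that many bits need; missing trailing octets are zero."""
    out, i = [], 0
    while i < len(buf):
        plen = buf[i]
        nbytes = (plen + 7) // 8
        octets = buf[i + 1:i + 1 + nbytes]
        if plen > 32 or len(octets) != nbytes:
            raise ValueError("truncated or invalid prefix")
        out.append("%s/%d" % (".".join(str(b) for b in octets.ljust(4, b"\x00")), plen))
        i += 1 + nbytes
    return out


def decode_as_path(val):
    """AS_PATH is a list of segments: <type, count, ASNs>; returns [(type, [asn, ...])]."""
    segs, i = [], 0
    while i < len(val):
        seg_type, count = val[i], val[i + 1]
        i += 2
        asns = list(struct.unpack("!%dH" % count, val[i:i + 2 * count]))
        i += 2 * count
        segs.append((seg_type, asns))
    return segs


def decode_attributes(buf):
    attrs, i = {}, 0
    while i < len(buf):
        flags, code = buf[i], buf[i + 1]
        if flags & 0x10:                                   # extended-length bit set
            alen = struct.unpack("!H", buf[i + 2:i + 4])[0]
            i += 4
        else:
            alen = buf[i + 2]
            i += 3
        val = buf[i:i + alen]
        i += alen
        if code == ORIGIN:
            attrs["origin"] = ORIGIN_NAMES[val[0]]
        elif code == AS_PATH:
            attrs["as_path"] = decode_as_path(val)
        elif code == NEXT_HOP:
            attrs["next_hop"] = ".".join(str(b) for b in val)
        elif code in (MED, LOCAL_PREF):
            attrs["med" if code == MED else "local_pref"] = struct.unpack("!I", val)[0]
        else:
            attrs.setdefault("unknown", []).append((code, flags, val))
    return attrs


def decode_update(body):
    """Withdrawn length + withdrawn routes, attribute length + attributes, then NLRI."""
    wlen = struct.unpack("!H", body[:2])[0]
    withdrawn = decode_prefixes(body[2:2 + wlen])
    alen = struct.unpack("!H", body[2 + wlen:4 + wlen])[0]
    attrs = decode_attributes(body[4 + wlen:4 + wlen + alen])
    nlri = decode_prefixes(body[4 + wlen + alen:])
    if nlri and not all(k in attrs for k in ("origin", "as_path", "next_hop")):
        raise ValueError("NLRI present but a well-known mandatory attribute is missing")
    return {"withdrawn": withdrawn, "attrs": attrs, "nlri": nlri}


def loops_through(update, local_as):
    """AS-path loop check: a speaker drops a route whose AS_PATH already holds its own AS."""
    return any(local_as in asns for _, asns in update["attrs"].get("as_path", []))


def build_sample_update():
    """Constructed UPDATE as ISP B (AS 65200) might send ISP A: withdraw
    10.0.0.0/8, announce 172.20.0.0/16 with AS path 65200 65100, MED 50."""
    attr = (bytes([0x40, ORIGIN, 1, 0]) +
            bytes([0x40, AS_PATH, 6, AS_SEQUENCE, 2]) + struct.pack("!HH", 65200, 65100) +
            bytes([0x40, NEXT_HOP, 4]) + bytes([172, 24, 1, 1]) +
            bytes([0x80, MED, 4]) + struct.pack("!I", 50))
    withdrawn = bytes([8, 10])                  # 10.0.0.0/8 in one octet
    nlri = bytes([16, 172, 20])                 # 172.20.0.0/16 in two octets
    return (struct.pack("!H", len(withdrawn)) + withdrawn +
            struct.pack("!H", len(attr)) + attr + nlri)
```

Withdrawals carry no attributes at all, which is why the parser decodes them before it knows anything about the path, exactly as the text says: a prefix can be withdrawn regardless of the path it was previously announced with.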


BGP Attributes
The primary purpose of BGP is not to find the shortest path to a destination but to find the best path. Each AS determines the best path to a prefix from its own outbound routing preferences, the inbound routing preferences of the route's originator (as modified by the ASs along the path between the source and destination ASs), and information collected about the path itself. All of this is carried in path attributes that describe the path to a prefix; the attributes are the information BGP uses to implement the routing policies of source, destination, and transit ASs.

The slide lists some common BGP attributes, which are covered in greater detail on subsequent pages.


High-Level BGP Example


The example on the slide explains BGP operation at a very high level. Consider how traffic is routed to Customer A. Customer A has a single connection to ISP A, which has assigned it the prefix 172.20.21.0/24 from ISP A's aggregate address range 172.20.0.0/16.

Because Customer A is single-homed, it uses a static default route toward ISP A to reach every destination on the Internet. Likewise, ISP A has a static route for Customer A's prefix.

ISP A’s Network


The slide highlights a portion of ISP A's network. Internally, ISP A maintains reachability information for each prefix within its aggregate address range, so every router in ISP A knows about the /24 assigned to Customer A. This information can be carried by either an IGP or IBGP.

Although ISP A has reachability information for each prefix internally, externally it advertises only the aggregate. Because other networks use the same path to reach every prefix inside ISP A's network, they do not need the more specific information. To limit the size of the global routing table, ISPs typically do not announce the prefixes of their statically routed customers to their peers; they announce only the aggregates from which those addresses were assigned.


ISP A Advertises Its Aggregate


ISP A advertises its aggregate 172.20.0.0/16 through BGP together with information about the path to that route. One of these path attributes is the AS path, the list of autonomous systems through which the path to the aggregate passes. By examining the AS path, ISP B knows that 172.20.0.0/16 originated within ISP A.

ISP B then advertises 172.20.0.0/16 to ISP C, updating the path attributes, including the AS path, as it transmits the route. ISP C in turn advertises the prefix to Customer B, again updating the path attributes.

Customer B’s Aggregate


Customer B is currently single-homed but plans to add a second connection to another ISP in the near future. Customer B advertises its portable /20 prefix to ISP C with an AS path indicating that the prefix originated locally. ISP C sends the advertisement to ISP B, which sends it to ISP A, each ISP updating the path attributes as it forwards the route.

ISP A has no BGP session to Customer A, so Customer A receives no routing information for Customer B's prefix. It does not need any: Customer A's static default route sends all Internet-bound traffic to ISP A, and once the traffic reaches ISP A, ISP A forwards it along the BGP-learned route to Customer B.

Customer B Becomes Multi-Homed


Customer B adds a connection to ISP B and now advertises its prefix to both providers. ISP B therefore receives routing information for Customer B's prefix both from ISP C and directly from Customer B. ISP B chooses one path as the best path and installs a corresponding route in its routing table, then advertises the prefix with the associated path attributes to ISP A. Because ISP B chose the direct path to Customer B as best, the attributes it sends ISP A are those of the direct advertisement: the AS path shows that ISP B reaches Customer B directly and contains nothing about ISP C. Because the path through ISP C was not selected, ISP B sends ISP A none of the attributes received from ISP C.

If ISP B stops hearing the announcement of Customer B's prefix directly from Customer B (for example, because the circuit fails), it falls back to the path received from ISP C and sends updated announcements to its peers reflecting the new path.

Although not shown, Customer B now also receives two advertisements for ISP A's aggregate. It chooses one as the best path and installs a corresponding route in its routing table.

The path selection process and many of the BGP attributes are covered in greater detail later in this material.
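The ISP A / ISP B / ISP C / Customer B story from the last few pages, run as an added Python simulation that is not part of the course material. Each AS prepends its own number when it advertises to an EBGP peer, drops any path that already contains its own AS number (the loop check), keeps the shortest AS path as best, and re-advertises or withdraws on every change. The AS numbers (65100 to 65400), Customer B's 10.10.0.0/20 and the tiebreak on lowest peer AS are assumptions.

```python
"""Inter-AS propagation of Customer B's prefix and ISP A's aggregate with
AS-path prepending, loop detection, best-path choice and fail-over. Added
example, not from the course: AS numbers, the /20 and the tiebreak are assumed."""


class AS:
    def __init__(self, asn):
        self.asn = asn
        self.peers = {}        # asn -> AS object (EBGP sessions)
        self.adj_in = {}       # (prefix, advertising asn) -> AS path received
        self.best = {}         # prefix -> (AS path, advertising asn) or None

    def connect(self, other):
        """Bring up an EBGP session and exchange the current best routes."""
        self.peers[other.asn], other.peers[self.asn] = other, self
        for a, b in ((self, other), (other, self)):
            for prefix, best in list(a.best.items()):
                if best is not None:
                    b.receive(prefix, (a.asn,) + best[0], a.asn)

    def originate(self, prefix):
        self.adj_in[(prefix, self.asn)] = ()       # locally originated: empty AS path
        self._reselect(prefix)

    def receive(self, prefix, as_path, from_asn):
        if self.asn in as_path:                    # our own AS already in the path: loop, drop
            return
        self.adj_in[(prefix, from_asn)] = as_path
        self._reselect(prefix)

    def withdraw(self, prefix, from_asn):
        self.adj_in.pop((prefix, from_asn), None)
        self._reselect(prefix)

    def _reselect(self, prefix):
        """Shortest AS path wins (lowest advertising AS as an assumed tiebreak); on
        any change the new best is sent with our AS prepended, or withdrawn."""
        cands = [(path, src) for (p, src), path in self.adj_in.items() if p == prefix]
        new = min(cands, key=lambda c: (len(c[0]), c[1])) if cands else None
        if new == self.best.get(prefix):
            return
        self.best[prefix] = new
        for peer in self.peers.values():
            if new is None:
                peer.withdraw(prefix, self.asn)
            else:
                peer.receive(prefix, (self.asn,) + new[0], self.asn)


def scenario():
    """Return what ISP A sees for Customer B's prefix before and after Customer B
    multihomes, and after the direct Customer B / ISP B circuit fails."""
    ispa, ispb, ispc, custb = AS(65100), AS(65200), AS(65300), AS(65400)
    ispa.connect(ispb)
    ispb.connect(ispc)
    ispc.connect(custb)
    ispa.originate("172.20.0.0/16")                # ISP A's aggregate
    custb.originate("10.10.0.0/20")                # Customer B's portable /20
    out = {"single_homed": ispa.best["10.10.0.0/20"][0]}
    custb.connect(ispb)                            # Customer B becomes multi-homed
    out["multi_homed"] = ispa.best["10.10.0.0/20"][0]
    out["custb_paths_to_a"] = sorted(path for (p, _), path in custb.adj_in.items()
                                     if p == "172.20.0.0/16")
    ispb.withdraw("10.10.0.0/20", custb.asn)       # the direct circuit fails
    out["after_failure"] = ispa.best["10.10.0.0/20"][0]
    return out
```

The run shows the three facts the slides state: ISP A first sees 65200 65300 65400, sees only 65200 65400 once ISP B prefers the direct path (nothing about ISP C survives), and falls back to the longer path when the direct advertisement disappears; Customer B meanwhile holds two paths to ISP A's aggregate.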


Loopback Peering
You maintain only one IBGP session between each pair of internal peers. The IGP maintains reachability between the loopback addresses regardless of the physical topology, so the IBGP sessions stay up even when the physical topology changes.

The physical topology matters in one respect: each router along the path between BGP speakers must have enough information to make consistent forwarding decisions. In many cases this means that every router along every possible physical path between BGP speakers must run BGP; in some networks, however, this is not necessary.

Interface Peering
Recall that EBGP sessions are simply BGP sessions between two routers in different ASs. When two EBGP peers have a single path between them, the session is usually established over the shared subnet, using the IP addresses assigned to the interfaces on that subnet as the session endpoints. Peering on the interface addresses has several advantages: neither AS needs to maintain any routing information about the other beyond what it receives through BGP, and all traffic is guaranteed to flow over that particular shared subnet.


Configuring BGP
The slide illustrates the sample configuration.

In this example, parameters are defined under the [edit routing-options] and [edit protocols bgp] hierarchies. Under [edit routing-options], we define the system's router identifier (RID) and the local AS number. Optionally, you can configure the local AS number at the global BGP hierarchy, for a specific BGP group, or for a specific BGP neighbor with the local-as option. When the AS number is configured at multiple hierarchy levels, the value at the most specific level is used. Being able to specify different AS numbers at different levels can be quite useful, especially when merging networks that have different AS numbers.

Because loopback-based peering is used for the internal BGP group, the BGP configuration must reference loopback addresses. Here, the neighbor address is the remote peer's loopback address and local-address is the local device's loopback address. If local-address is not specified, the system uses the address of the egress interface toward the peer. Because the peer expects to form an IBGP session with 192.168.100.1, you must specify that address as the local-address.

As mentioned on the slide, the session type determines whether the peering session is IBGP or EBGP: you specify type external for EBGP and type internal for IBGP. If you omit the session type, you must specify the peer-as number, which can be a remote AS number or the local AS number. If the specified AS number does not match the AS number defined on the router, BGP assumes the session is external; if it matches, BGP assumes the session is internal. The software notifies you if the required details are missing, as in the following sample output:

[edit protocols bgp]
user@router# show
group x100 {
    neighbor 10.1.1.1;
}

[edit protocols bgp]
user@router# commit
[edit protocols]
  'bgp'
    Error in neighbor 10.1.1.1 of group x100:
    peer AS number must be configured for an external peer
error: configuration check-out failed


BGP Authentication
All BGP protocol exchanges can be authenticated to ensure that only trusted routing devices participate in the AS's routing. By default, authentication is disabled. You can configure MD5 authentication, which uses the TCP MD5 signature option (RFC 2385): the sender computes an MD5 digest over each TCP segment and a shared secret and carries the digest in a TCP option, and the receiver recomputes the digest with its copy of the key (password) and discards any segment whose digest does not match. This protects the session against spoofed segments, such as forged TCP resets, from a party that does not hold the key; it does not encrypt the routing exchange, and the secret has to be distributed to both peers out of band.

Hitless Key Rollover

Hitless authentication key rollover lets you choose the algorithm through which authentication is established and change keys without tearing down the session. You associate a keychain and an authentication algorithm with a BGP neighbor session. The keychain contains multiple keys, each with an identifier, a secret, and a unique start time; a key is used from its start time until the next key's start time arrives, so both peers roll to the new key on the same schedule.

[edit protocols bgp]
authentication-key-chain "bgp key chain";
group int-65503 {
    type internal;
    local-address 192.168.100.1;
    neighbor 192.168.100.2;
}

[edit security]
authentication-key-chains {
    key-chain "bgp key chain" {
        key 1 {
            secret juniper1;
            start-time 2011-03-01.02:00:00;
        }
        key 2 {
            secret juniper2;
            start-time 2011-04-01.02:00:00;
        }
    }
}
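The MD5 signature computation and the keychain behaviour just described, as an added Python example that is not Junos code and not part of the course. It computes the RFC 2385 digest (pseudo-header, fixed TCP header with the checksum zeroed, segment data, key), picks the sending key from the keychain above by start time, and verifies on the receiving side. The addresses, the TCP segment and the keepalive payload are constructed; the receiving rule that the previous key stays acceptable for one hour after a rollover is a simplifying assumption, not a description of how Junos implements tolerance.

```python
"""TCP MD5 signature option (RFC 2385) as BGP uses it, plus key selection
from a start-time keychain like the one configured above. Added example,
not Junos code: segment, addresses and keychain are constructed, and the
rollover acceptance window is an assumption."""
import hashlib
import hmac
import struct
from datetime import datetime, timedelta

KEYCHAIN = [  # (key id, secret, start-time), mirroring the configuration above
    (1, b"juniper1", datetime(2011, 3, 1, 2, 0, 0)),
    (2, b"juniper2", datetime(2011, 4, 1, 2, 0, 0)),
]


def junos_time(s):
    """Parse a Junos start-time string such as 2011-03-01.02:00:00."""
    return datetime.strptime(s, "%Y-%m-%d.%H:%M:%S")


def _ip(a):
    return bytes(int(o) for o in a.split("."))


def tcp_fixed_header(sport, dport, seq, ack, opt_len, flags=0x18, window=65535):
    """20-octet TCP header with checksum zero; data offset accounts for options."""
    offset_words = 5 + (opt_len + 3) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, offset_words << 4, flags, window, 0, 0)


def tcp_md5_digest(src, dst, fixed_hdr, options, payload, key):
    """RFC 2385 section 2: MD5 over the IPv4 pseudo-header (src, dst, zero,
    protocol 6, segment length incl. options), the fixed TCP header with the
    checksum zeroed (options excluded), the segment data, then the key."""
    if len(fixed_hdr) != 20:
        raise ValueError("fixed TCP header must be 20 octets")
    seg_len = len(fixed_hdr) + len(options) + len(payload)
    pseudo = _ip(src) + _ip(dst) + struct.pack("!BBH", 0, 6, seg_len)
    hdr = fixed_hdr[:16] + b"\x00\x00" + fixed_hdr[18:]
    return hashlib.md5(pseudo + hdr + payload + key).digest()


def md5_option(digest):
    """Option kind 19, length 18, padded to a 4-octet boundary with two NOPs."""
    return b"\x01\x01" + bytes([19, 18]) + digest


def active_key(keychain, now):
    """Sender: the key whose start time is the latest one already reached."""
    started = [k for k in keychain if k[2] <= now]
    if not started:
        raise LookupError("no key is active yet")
    return max(started, key=lambda k: k[2])


def acceptable_keys(keychain, now, tolerance):
    """Receiver (assumption): the active key, plus the previous key for
    `tolerance` after the switch, so the peers need not roll at the same instant."""
    started = sorted((k for k in keychain if k[2] <= now), key=lambda k: k[2])
    keys = started[-1:]
    if len(started) > 1 and now - started[-1][2] <= tolerance:
        keys.append(started[-2])
    return keys


def sign_segment(src, dst, payload, now, keychain=KEYCHAIN):
    """Build a signed BGP segment to port 179: (fixed header, options, payload, key id)."""
    key = active_key(keychain, now)
    hdr = tcp_fixed_header(40000, 179, seq=1000, ack=2000, opt_len=20)
    digest = tcp_md5_digest(src, dst, hdr, md5_option(b"\x00" * 16), payload, key[1])
    return hdr, md5_option(digest), payload, key[0]


def verify_segment(src, dst, hdr, options, payload, now,
                   keychain=KEYCHAIN, tolerance=timedelta(hours=1)):
    """Return the id of the key that validates the segment, or None. The
    comparison is constant-time so timing does not leak how many bytes matched."""
    digest = options[4:20]
    for k in acceptable_keys(keychain, now, tolerance):
        if hmac.compare_digest(tcp_md5_digest(src, dst, hdr, options, payload, k[1]), digest):
            return k[0]
    return None
```

Two things worth noticing: the option bytes themselves are not covered by the digest (only their length is, through the segment length in the pseudo-header), and a tampered payload or a key the receiver no longer honours both fail in the same way, by the segment being silently dropped rather than answered.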


BGP Route Tables


BGP uses three kinds of storage tables, known as routing information bases (RIBs), to maintain routing knowledge. A separate Adjacency-RIB-In exists for each established BGP peer and stores all routes received from that peer. The RIB-LOCAL holds the routes BGP uses for traffic forwarding. A separate Adjacency-RIB-Out is created for each established BGP peer to hold the routes to be advertised to that peer.

BGP Active Routes

BGP moves only active BGP routes from the routing table into the Adjacency-RIB-Out tables for advertisement to peers, and it places only the single best BGP path to each destination in the RIB-LOCAL and Adjacency-RIB-Out tables.

Sometimes the best BGP path is not advertised to a peer because of the local router's routing-table rules. For example, if the router learns a route through both IS-IS and BGP, the IS-IS route is active in the local routing table because of the default Junos OS protocol preference values (IS-IS is preferred over BGP). The BGP version of the route is therefore not sent to any peer, because BGP advertises only active routes. To override this behaviour, use the advertise-inactive statement, which forces advertisement of the single best BGP path to a destination regardless of whether that path is active in the local routing table.


Default BGP Advertisement Rules


By default, only active BGP routes are advertised. The slide illustrates the default BGP advertisement rules:
1. Routes received from EBGP peers are advertised to IBGP peers.
2. Routes learned from IBGP or EBGP peers are advertised to EBGP peers.
3. Routes received from IBGP peers are not advertised to other IBGP peers.
The purpose of these rules is to prevent routing loops within a BGP network.

IBGP Route Propagation


IBGP speakers send their IBGP peers the routes they received from EBGP peers and the routes they originated themselves. They never send IBGP peers routes learned from other IBGP peers. For all IBGP speakers in an AS to have consistent routing information, a full mesh of IBGP sessions must therefore exist between all BGP speakers; without it, some speakers might not receive all the routing information they need.

In the example on the slide, no full mesh exists. R1 receives the announcement through an EBGP session. Because this is its best route for the prefix, it propagates the route to its IBGP peer R2. R2 also selects the route as its best path for the prefix, but it does not send the route to its IBGP peer R3: having received the route through IBGP, it cannot readvertise it to any IBGP peer. R3 therefore neither receives nor installs a route for the prefix advertised from AS 65502. Adding an IBGP session between R1 and R3 resolves this (whether the two routers are directly connected is irrelevant).

If IBGP routers readvertised IBGP-learned routes to other IBGP peers, a loop could form. Because the AS path is not updated by each router, but only when the prefix is advertised to an EBGP peer, the AS path cannot be used to detect loops for routes advertised within an AS. For this reason, BGP's advertisement rules require full-mesh IBGP peering to ensure consistent routing information on all IBGP routers in the AS.

Route reflectors or confederations can also address this situation; both reduce or remove the full-mesh requirement.
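The R1/R2/R3 example and the three advertisement rules, run as an added Python simulation that is not part of the course material and not Junos code. The router names follow the slide; the prefix 10.1.0.0/16 and the local AS number 65501 are constructed, and the toy installs the first path it hears for a prefix rather than running best-path selection.

```python
"""Default advertisement rules inside an AS: a route learned from an IBGP
peer is never re-sent to another IBGP peer, so without a full mesh some
speakers never see it. Added example, not Junos code: the prefix and the
local AS number are assumed, and first path wins instead of best-path selection."""


class Router:
    def __init__(self, name, asn):
        self.name, self.asn = name, asn
        self.sessions = {}      # peer name -> (Router, "ebgp" | "ibgp")
        self.routes = {}        # prefix -> {"learned_from", "via", "as_path"}

    def peer(self, other):
        kind = "ibgp" if other.asn == self.asn else "ebgp"
        self.sessions[other.name] = (other, kind)
        other.sessions[self.name] = (self, kind)

    def originate(self, prefix):
        self.receive(prefix, (), None, None)

    def receive(self, prefix, as_path, from_router, via):
        """Install the route and re-advertise it according to the three default rules."""
        if self.asn in as_path or prefix in self.routes:
            return                                   # AS-path loop, or already known
        self.routes[prefix] = {"learned_from": from_router, "via": via, "as_path": as_path}
        for name, (peer, kind) in self.sessions.items():
            if name == from_router:
                continue
            if via == "ibgp" and kind == "ibgp":
                continue                             # rule 3: IBGP-learned, not to other IBGP peers
            # rules 1 and 2: EBGP-learned or locally originated routes go to every peer,
            # IBGP-learned routes go to EBGP peers; the AS path grows only at the EBGP edge
            path = as_path if kind == "ibgp" else (self.asn,) + as_path
            peer.receive(prefix, path, self.name, kind)


def scenario(full_mesh):
    """AS 65501 holds R1, R2, R3 with IBGP sessions R1-R2 and R2-R3 (plus R1-R3
    when full_mesh); a router in AS 65502 peers with R1 and originates a prefix."""
    r1, r2, r3 = (Router(n, 65501) for n in ("R1", "R2", "R3"))
    ext = Router("EXT", 65502)
    ext.peer(r1)
    r1.peer(r2)
    r2.peer(r3)
    if full_mesh:
        r1.peer(r3)      # the missing IBGP session; physical adjacency is irrelevant
    ext.originate("10.1.0.0/16")
    return {r.name: r.routes.get("10.1.0.0/16") for r in (r1, r2, r3)}
```

With the R1-R3 session absent, R3 never learns the prefix; with it present, R3 learns the route from R1 with the AS path still reading 65502, because nothing inside the AS prepends to it, which is exactly why the path cannot be used for loop detection inside the AS.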


Hidden Routes
You might expect every route received from a BGP peer to be installed in the RIB-LOCAL and to be visible with the show route protocol bgp command, but BGP routes are hidden for several reasons:
• The route is a martian route (an address range that should never appear in a routing table);
• An import policy prevents the route from being installed; or
• The route's protocol next hop is unresolvable.

Unresolvable Next Hop
The most common reason for hidden BGP routes is an unresolvable next hop. The BGP Update message carries a protocol next-hop IP address; if the router cannot resolve this address using its routing table, the route cannot be used and is not installed in the routing table.
The number of hidden routes always appears in the output of the show route command. To see why routes are hidden, issue the show route hidden extensive command.


IBGP Next-Hop Propagation


By default, the next-hop attribute attached to a route is left unchanged as the route passes through an AS. Because routers can use a BGP route only if they already have a route to its next hop, you must either advertise the external interfaces through the IGP or use policy to change the next-hop attribute of BGP routes.

When an EBGP speaker sends routes to a peer, it sets the next-hop attribute to its address on the interface it shares with that peer. In this example, R1 receives a route from its EBGP peer with the next hop set to 172.24.1.1. R1 sends the route to R2 without changing the next hop. For R2 to use the route, it must either learn how to reach 172.24.1.1 through the IGP or a static route, or R1 must send the route with a different next hop.

You can inject the appropriate external routes into the IGP if you wish, but the next-hop self policy action has an advantage: it causes the router to advertise BGP routes to its peers with the next hop set to the same IP address the router uses to establish that BGP session. For the session to remain established, the peer must already have a route to that address, so next-hop self guarantees that a router's peers can reach the next hop of the routes it sends for as long as the session stays up.


BGP Next-Hop Solutions


There are numerous ways to solve the BGP next-hop reachability problem; five are listed on the slide. Some of them technically solve the reachability issue but are not best practice in a production network.

The most commonly used (and recommended) solution is next-hop self. When a BGP router advertises an EBGP-learned route to an IBGP peer, it rewrites the BGP next-hop attribute: the remote EBGP peer's IP address is replaced with the address of the BGP router itself. Because the IBGP session was most likely established using the router's loopback address, the new next hop is reachable and the advertised route is usable. Next-hop self is implemented as a policy that matches the routes in question and changes the next-hop attribute; the Junos OS applies this policy as an export policy toward the IBGP peers.

The next two options (export direct routes and IGP passive) are almost identical in their results and differ only in how they provide reachability. With export direct, a routing policy applied to the IGP advertises the address of the point-to-point link between the two EBGP peers to all IBGP peers. The policy retrieves the subnet information from the local routing table, where, in inet.0, these networks are known as protocol direct; it matches the direct routes and accepts them, and the Junos OS applies it as an export policy to the local IGP.

With IGP passive, the IGP is configured on the inter-AS link and advertises the interface address but forms no adjacency over it (the interface is passive). This approach needs no policy, but it requires explicit configuration for every interface and subnet you want advertised. Both methods end up with the interface addresses in the local routing table for the IGP to advertise.

The last two options on the slide (static routes and forming an IGP adjacency with the remote EBGP router) both work but have severe disadvantages.

Static routes have an inherent scalability problem: every IBGP router must be configured with a static route for every remote EBGP peer. The more EBGP peers, the more static routes; the more IBGP routers, the more places where additions and changes must be made. This is not a realistic option.

As for forming an IGP adjacency across the AS boundary, reachability can indeed be provided this way, but we do not recommend it because of the very trusting nature of IGPs. Once the adjacency forms, the IGP accepts whatever routing information the remote EBGP peer provides, so the remote AS could inject bad routes into your network. The method also undermines the whole idea of autonomous systems, each with an IGP independent of its neighbours', in the first place.
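The Hidden Routes, IBGP Next-Hop Propagation and next-hop solution pages, combined into one added Python example that is not part of the course and not Junos code. It models R1 forwarding an EBGP-learned route to R2 with the next hop unchanged or rewritten by next-hop self, resolves the protocol next hop against R2's routing table by longest match, and reports the route as active or hidden with the reason (martian prefix, or unresolvable next hop). The addresses follow the R1/R2 slide; the routing tables are constructed, and the martian list is a subset of the usual Junos defaults recalled here rather than quoted from the course.

```python
"""Protocol next-hop resolution for IBGP-learned routes and the resulting
hidden/active verdict. Added example, not Junos code: routing tables are
constructed and the martian list is recalled, not quoted from the course."""
import ipaddress

# Subset of the usual Junos default martians (assumption, recalled from memory).
MARTIANS = [ipaddress.ip_network(p) for p in
            ("0.0.0.0/8", "127.0.0.0/8", "128.0.0.0/16", "191.255.0.0/16",
             "192.0.0.0/24", "223.255.255.0/24", "240.0.0.0/4")]


def longest_match(rib, addr):
    """Longest-prefix lookup. rib maps 'prefix' -> (protocol, outgoing interface).
    Returns (network, entry) or None when nothing covers the address."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, entry in rib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry)
    return best


def ibgp_export(route, local_loopback, next_hop_self):
    """What R1 sends its IBGP peer: the next hop unchanged by default, or
    rewritten to the address R1 peers from when a next-hop self policy applies."""
    out = dict(route)
    if next_hop_self:
        out["next_hop"] = local_loopback
    return out


def classify(route, rib):
    """Receiver's view of a BGP route: 'active via ...' or 'hidden: <reason>'."""
    net = ipaddress.ip_network(route["prefix"])
    if any(net.subnet_of(m) for m in MARTIANS):
        return "hidden: martian"
    hit = longest_match(rib, route["next_hop"])
    if hit is None:
        return "hidden: next hop %s unresolvable" % route["next_hop"]
    return "active via %s (%s)" % (hit[0], hit[1][0])


def scenario(next_hop_self, link_in_igp):
    """R1 (loopback 192.168.100.1) learns 10.10.0.0/20 from its EBGP peer at
    172.24.1.1 and forwards it to R2. link_in_igp models 'export direct' or an
    IGP passive interface having put 172.24.1.0/24 into R2's routing table."""
    ebgp_route = {"prefix": "10.10.0.0/20", "next_hop": "172.24.1.1", "as_path": (65502,)}
    r2_rib = {"192.168.100.1/32": ("ospf", "ge-0/0/0.0"),   # R1's loopback, learned via the IGP
              "192.168.100.2/32": ("direct", "lo0.0")}      # R2's own loopback
    if link_in_igp:
        r2_rib["172.24.1.0/24"] = ("ospf", "ge-0/0/0.0")
    sent = ibgp_export(ebgp_route, "192.168.100.1", next_hop_self)
    return sent["next_hop"], classify(sent, r2_rib)
```

The three runs correspond to the three outcomes in the text: nothing done (hidden, unresolvable next hop), next-hop self (active via R1's loopback, which the IGP must already carry for the session to be up at all), and the link subnet injected into the IGP (active via 172.24.1.0/24 with the next hop untouched).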

Summary of BGP Active Route Selection


Before the router installs a BGP route, it ensures that the BGP next-hop attribute is reachable and that no routing loop exists. If the next hop cannot be resolved or a loop is detected, the route is neither evaluated by the BGP route selection process nor installed in the routing table.

Before the Junos OS installs a BGP route in the routing table, it evaluates the route preference. Remember that the route preference can be changed through policy, so the preference can differ for the same prefix learned through different BGP paths; in that case the path with the lower route preference is selected. This evaluation occurs before the BGP selection process outlined on the slide.
IN

When a BGP route is installed in the routing table, it must go through a path selection process if
multiple routes exist to the same destination prefix and the route preference is the same. The BGP
path selection process proceeds in the following order:
1. The router compares routes for the highest local preference (the only choice based on a
higher, rather than lower, value).
2. The router evaluates the AS-path attribute next, where a shorter path is preferred. This
attribute is often a common tiebreaker for routes.
3. The router evaluates the origin code. The lowest origin code is preferred: ( I [IGP] < E
[EGP] < ? [Incomplete]).
4. If any of the remaining routes are advertised from the same neighboring AS, the router
checks the MED attributes for the lowest value. The absence of a MED value is
interpreted as a MED of 0.
5. If multiple routes remain, the router prefers any routes learned through an EBGP peer
over routes learned through an IBGP peer. If all remaining routes were learned through
EBGP, the router skips to Step 9.
6. If the remaining routes were learned through IBGP, use the path with the lowest IGP
cost to the IBGP peer. For each IBGP peer, install a physical next hop based on the
following three rules:
a. BGP examines both the inet.0 and the inet.3 routing tables for the BGP
next-hop value. The physical next hops of the instance with the lowest Junos OS
preference are used. Often, this means that BGP uses the inet.3 version of the
next hop, through an MPLS LSP.
b. Should the preference values in the inet.0 and the inet.3 routing tables tie,
the physical next hops of the instance in inet.3 are used.
c. When a preference tie exists and the instances are in the same routing table, the
number of equal-cost paths of each instance is examined. The physical next
hops of the instance with more paths are installed. This tie might occur when the
traffic-engineering bgp-igp option is used for MPLS.
7. BGP then uses the route advertised from the peer with the lowest router ID (usually the
loopback IP address). When comparing external routes from two distinct neighboring
ASs, if the routes are equal up to the router ID comparison step, the currently active
route is preferred. This preference helps prevent issues with MED-related route
oscillation. The external-router-id command overrides this behavior and prefers
the external route with the lowest router ID, regardless of which route is currently active.
8. The router then examines the cluster-list attribute for the shortest length. The cluster list
is similar in function to an AS path.
9. The router prefers routes from the router with the lowest peer IP address.

Router ID and Peer ID Ignored

When you configure multipath on a BGP router, the selection algorithm ignores both the router ID
and the peer ID selection criteria. Should multiple copies of a route reach those portions of the route
selection process, BGP installs all copies into the local routing table. Each version is listed in the
table with only one of them marked as active. This active route is the version of the route that would
have been selected by the algorithm had the multipath option not been configured. However, the
next-hop values for the nonactive routes are also listed as valid next hops for the active route. This
listing allows the Junos OS default load-balancing options to be used.
The Junos OS also utilizes the link bandwidth extended community to unequally load-balance traffic
in conjunction with the multipath command. If used, data packet forwarding is performed in a
proportional manner to the bandwidth advertised in the extended community.
The multipath command allows multiple copies of a route from the same remote router. It also
allows multiple copies of a route from two different routers in the same AS (either a local or remote
AS). The entire concept centers around resiliency and redundancy.
The slide shows the R1 router peering with two routers in AS 2—R2 and R3. Both of the AS 2 routers
are advertising the same four routes. Currently, the versions of the routes from R2 (10.222.28.2) are
selected and placed into the routing table. We have some clues into this behavior by examining the
output of the show bgp summary command. The route information from R2 shows 4/4/0, which
means that the four received routes are active in the local routing table. R3, on the other hand, has
route information of 0/4/0. Its four advertised routes are not active in the routing table.
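As an added illustration of the selection order summarized on the previous pages and of the multipath behavior described here (example code written for this material, not Junos code), the following Python model runs a set of received copies of one prefix through the steps in the order listed and, with multipath set, skips the router-ID and peer-IP comparisons. The class, field and function names are this example's own, and the sample paths are constructed after the R1/R2/R3 scenario on the slide.

```python
from dataclasses import dataclass
from typing import Optional

ORIGIN_RANK = {"I": 0, "E": 1, "?": 2}   # origin codes: I (IGP) < E (EGP) < ? (Incomplete)

@dataclass
class BgpPath:
    """One received copy of a prefix. Class and field names are this example's own."""
    name: str                    # label for the peer the copy was learned from
    preference: int = 170        # Junos route preference; policy may change it
    local_pref: int = 100
    as_path: tuple = ()          # neighboring AS first
    origin: str = "I"
    med: Optional[int] = None    # an absent MED is interpreted as 0
    ebgp: bool = True            # False for an IBGP-learned copy
    igp_cost: int = 0            # IGP cost to the IBGP peer (IBGP copies only)
    router_id: str = "0.0.0.0"
    cluster_list: tuple = ()
    peer_ip: str = "0.0.0.0"

def ip_key(addr):
    """Numeric comparison key for a dotted-quad address."""
    return tuple(int(octet) for octet in addr.split("."))

def keep_min(paths, key):
    """Keep every path tying for the lowest key, preserving input order."""
    best = min(key(p) for p in paths)
    return [p for p in paths if key(p) == best]

def neighbor_as(path):
    return path.as_path[0] if path.as_path else None

def _narrow(paths, skip_id_steps):
    """Run the selection order from the slides. With skip_id_steps the
    router-ID (step 7) and peer-IP (step 9) comparisons are left out."""
    # Route preference is evaluated before the BGP selection steps proper.
    c = keep_min(paths, lambda p: p.preference)
    # Step 1: highest local preference (the one comparison where higher wins).
    c = keep_min(c, lambda p: -p.local_pref)
    # Step 2: shortest AS path.
    c = keep_min(c, lambda p: len(p.as_path))
    # Step 3: lowest origin code.
    c = keep_min(c, lambda p: ORIGIN_RANK[p.origin])
    # Step 4: lowest MED, compared only among copies from the same neighboring AS.
    survivors = []
    for nas in dict.fromkeys(neighbor_as(p) for p in c):
        group = [p for p in c if neighbor_as(p) == nas]
        survivors += keep_min(group, lambda p: 0 if p.med is None else p.med)
    c = survivors
    # Step 5: EBGP-learned copies beat IBGP-learned copies; when only EBGP
    # copies remain the router skips to step 9.
    if any(p.ebgp for p in c):
        c = [p for p in c if p.ebgp]
    else:
        c = keep_min(c, lambda p: p.igp_cost)                # step 6
        if not skip_id_steps:
            c = keep_min(c, lambda p: ip_key(p.router_id))   # step 7
        c = keep_min(c, lambda p: len(p.cluster_list))       # step 8
    if not skip_id_steps:
        c = keep_min(c, lambda p: ip_key(p.peer_ip))         # step 9
    return c

def select(paths, multipath=False):
    """Return the surviving copies, active route first. Without multipath exactly
    one copy survives; with multipath every copy that still ties once the
    router-ID and peer-IP steps are ignored is returned after the active one."""
    active = _narrow(paths, skip_id_steps=False)[0]
    if not multipath:
        return [active]
    return [active] + [p for p in _narrow(paths, True) if p is not active]

# Constructed sample after the slide scenario: R1 in AS 1 learns one prefix from
# R2 and R3 in AS 2, plus an IBGP-learned copy that carries a longer AS path.
SAMPLE = [
    BgpPath("R2", as_path=(2,), router_id="10.222.28.2", peer_ip="10.222.28.2"),
    BgpPath("R3", as_path=(2,), router_id="10.222.29.2", peer_ip="10.222.29.2"),
    BgpPath("IBGP", as_path=(3, 2), ebgp=False, igp_cost=10,
            router_id="10.0.0.5", peer_ip="10.0.0.5"),
]
```

Without multipath only the R2 copy is returned (lower peer IP); with multipath the R3 copy is returned as well, mirroring the 4/4/0 output for both peers described on the slides.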

Single Next Hop for All Routes

The local routing table of the R1 router is shown on the slide. We see the four routes advertised from
AS 2: 172.16.20.4/30, 172.16.20.8/30, 172.16.20.12/30, and 172.16.20.16/30. Each listing of
the prefix contains two versions of the route. One route is from the R2 router (10.222.28.2), and this
route is marked active. The other version of the route is from the R3 router (10.222.29.2), and it is
marked inactive.

Configure multipath on R1

The configuration of the R1 router now contains the multipath command within the peer group for
AS 2. After committing the configuration, we examine the contents of the local routing table. We still
see the four routes advertised from AS 2, and each listing of the prefix still contains two versions of
the route. As before, the routes from the R2 router are marked active while the routes from the R3
router are marked inactive.

The effect of the multipath command on the routes from AS 2 is that the next hop for the routes
from R3 (10.222.29.2) is now added to the version of the route from R2. The next-hop information
for the inactive route version does not change in this environment.

As each active route now has two next hops in the routing table, the default Junos OS load-balancing
process can be used. Each route has a single next hop selected, and this single next hop is placed
into the forwarding table. All traffic for each route uses just that single next hop. The overall benefit
of this system is the total amount of traffic sent from AS 1 to AS 2 can now be load-balanced over the
two inter-AS links. In our small example, just the 172.16.20.16/30 route is using the 10.222.29.2
next hop, while the other three routes maintained the 10.222.28.2 next hop. As more routes are
announced between the AS networks, the selection of the next hops becomes more evenly
distributed.
Although not shown on the slide, you can also see the effects of using multipath in the output of the
show bgp summary command. The route information from both R2 and R3 now appears as
4/4/0. The routes from R2 are active while the next-hop values from R3 are also used to forward
user traffic.

BGP Multihop Peering

The default for an EBGP connection is to peer over a single physical hop using the physical interface
address of the peer. In some cases, it is advantageous to alter this default, one-hop, physical peering
EBGP behavior. One such case is when multiple physical links connect two routers that are to be
EBGP peers. In this case, if one of the point-to-point links fails, reachability on the alternate link still
exists. You must take three extra configuration steps to accomplish a single BGP peering session
across these multiple physical links.
First, each router must establish the peering session with the loopback address of the remote router.
You can configure this session using the local-address command, which alters the peer address
header information in the BGP packets. Second, use the multihop command to alter the default
use of the neighbor’s physical interface address. In addition, you can also specify a time-to-live (TTL)
value in the BGP packets to control how far they propagate. On the slide, we use a TTL value of 1 to
ensure that the session cannot be established across any other backdoor links in the network. Third,
each router must have IP routing capability to the remote router’s loopback address. As the slide
shows, we often accomplish this capability by using a static route to map the loopback address to
the interface physical addresses.
Note that when multihop is configured, the Junos OS sets the TTL value to 64, by default. You can
specify a TTL value explicitly to limit the scope of the EBGP session. Note that a TTL value of 1 is
sufficient to enable an EBGP session to the loopback address of a directly connected neighbor
because the IP TTL is decremented for egress traffic only, and this traffic will be considered destined
for the local RE.

Routes with Multiple Next Hops

Within the context of a BGP network, both the multihop and multipath tools can result in a route
being installed in the local routing table with multiple next hops. As we previously discussed, this
route allows the Junos OS to perform per-prefix load balancing as the total amount of traffic sent
towards the destinations is spread across the multiple next hops. However, each route selects a
single next hop for forwarding traffic, which is installed into the forwarding table on the Packet
Forwarding Engine (PFE).
The slide shows the BGP route of 172.16.20.4/30, which is active in the routing table. This route has
two possible next hops it can use to forward traffic: 10.10.1.1 and 10.10.2.1. It has currently
selected the 10.10.1.1 next hop, which we verify in the forwarding table with the show route
forwarding-table command. The router output shows this single next hop in the table with a
type set to ucst, for unicast transmission.

Load Balancing

You can alter the default behavior of the Junos OS to install a single next hop per route in the
forwarding table with a routing policy. The policy should contain the action of then
load-balance per-packet and be applied as an export policy to the forwarding table within
the [edit routing-options] configuration hierarchy.
After committing the configuration, we see the same 172.16.20.4/30 route in the routing table of
the local router. The same protocol information is displayed and again, a single next hop has been
selected. This selection mechanism is not affected by our load-balancing policy, so we cannot verify if
it is working by examining the routing table. Instead, a look at the forwarding table shows the
outcome of our policy. Both the 10.10.1.1 and the 10.10.2.1 next hops are listed as valid outbound
interfaces for the 172.16.20.4/30 route. Traffic destined for this route is now forwarded across both
available next hops using a microflow hashing algorithm. The default inputs to the microflow hash
are the incoming router interface, the source IP address, and the destination IP address. You can
modify the inputs to the hashing algorithm at the [edit forwarding-options hash-key
family inet] configuration hierarchy. Specifying the layer-4 command at this configuration
hierarchy incorporates Layer 4 source and destination port information into the hash key.

passive Option

By default, a local router initiates a BGP open message to the remote router to establish the session.
The passive command stops this default action, and no open message is sent. The IP address and
AS of the remote peer are still configured, but the remote router must initiate the BGP session.

allow Option
The related option of allow also stops the sending of a BGP open message to the remote router. In
addition, the allow command also relaxes the requirement of explicitly configuring the remote
router’s IP address by allowing you to define a subnet range for connections. BGP processes any
open message received from an IP address within the configured range and initiates a session with
that remote router.

Limiting the Number of Prefixes Accepted

By default, each BGP router accepts any number of routes sent from each of its peers. You might
want to alter this default setting for either security or memory reasons. You can use the
prefix-limit command to set a limit on the maximum number of routes received from any
individual peer. Use the maximum option to set the total number of routes that can be received. When
a BGP peer sends more routes than allowed, the peering session is terminated and restarted
immediately with the teardown option. The value that immediately follows the teardown option is
a percentage of routes upon which the router starts to generate system log messages. You can halt
the BGP peering session between the two routers for up to 40 hours by specifying a value (in
minutes) with the idle-timeout option. In addition, you can specify a value of forever. This
value requires you to intervene manually to restart the peering session.

Altering the Session Hold Time

When two BGP peers establish their peering session, they negotiate the hold time for that
relationship. By default, the Junos OS uses a value of 90 seconds to negotiate for the hold time of
the session. The hold-time command allows you to alter this value from as short as 20 seconds to
as long as 65,535 seconds (18 hours, 12 minutes, and 15 seconds).

Disabling Suppression of Route Advertisements

By default, the Junos OS does not advertise the routes learned from an EBGP peer back to the same
EBGP peer. In addition, the software does not advertise those routes back to any EBGP peer that is in
the same AS as the originating peer. You can modify the default behavior with the
advertise-peer-as command. Before Junos OS Release 7.0, advertise-peer-as was the
Junos OS default behavior.

Graceful Restart

Graceful restart (GR) addresses the situation described on the previous slide. GR allows a router
undergoing a restart event, including a restart of the routing protocol process (rpd), to inform its
adjacent neighbors and peers of its condition. The restarting router requests a grace period from the
neighbor or peer, which can then cooperate with the restarting router. When a restart event occurs
and GR is enabled, the restarting router can still forward traffic during the restart period, and
convergence in the network is not disrupted. The neighbors or peers of the restarting router, also
known as helper routers, hide the restart event from other devices not directly connected to the
restarting router. In other words, the restart is not visible to the rest of the network, and the
restarting router is not removed from the network topology.
The graceful restart request occurs only if the following conditions are met:
• The network topology is stable;
• The neighbor or peer cooperates;
• The restarting router is not already cooperating with another restart in progress; and
• The grace period does not expire.

GR Support

As shown on the slide, GR is supported by several standards-based protocols. A number of RFCs and
drafts exist that document the operational details for GR and each of the protocols for which GR is
supported. While these different protocols implement GR slightly differently, the basic concepts and
operations are the same from a high availability point of view.

GR Requirements
Routers must have GR enabled to support both GR router modes: the restarting router mode and
helper router mode. By default, Junos devices can operate as helper routers but not as restarting
routers; restarting router mode functionality must be enabled through configuration. We cover GR
configuration on subsequent slides.
In addition to having the GR functionality enabled, the router must support nonstop forwarding
operations, which simply means the router must be able to continue forwarding traffic during times
of control plane instability. Nonstop forwarding is an inherent attribute of Junos devices because of
the architectural design, which cleanly separates the control and forwarding planes.

Configuring GR: Part 1

GR helper mode is enabled by default on all Junos devices. You can disable GR helper mode globally
for all supported protocols at the [edit routing-options] hierarchy or on a per-protocol,
per-group, or per-neighbor basis, depending on the specific protocol. The slide illustrates the syntax
required to disable GR helper mode globally, enable GR helper mode for the BGP protocol, and
disable GR for a BGP peer. As with many similar configuration scenarios, the most specific definition
is used.

Configuring GR: Part 2

GR’s restarting router mode is not enabled by default. You can enable GR restarting router mode
through configuration at the [edit routing-options] hierarchy. The slide provides a sample
configuration used to enable GR’s restarting router mode globally and for all protocols along with a
sample configuration that disables GR for a specific BGP peer.
The following are the available GR configuration options for BGP:

[edit protocols]
user@R1# set bgp graceful-restart ?
Possible completions:
  <[Enter]>            Execute this command
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  disable              Disable graceful restart
  restart-time         Restart time used when negotiating with a peer (1..600)
  stale-routes-time    Maximum time for which stale routes are kept (1..600)
  |                    Pipe through a command

Modifying the Local Preference

The Junos OS provides a configuration option within BGP that alters the local preference attribute
value for all advertised routes. You can use the local-preference command at the global,
group, or peer level in the BGP configuration. All advertised routes will inherit this value for the local
preference attribute.
The exception to this rule is any route whose attributes are modified by an applied routing policy.
These routes abide by the action defined in the policy, which takes precedence over the configured
value. In other words, the configuration option is applied before the routing policy is applied for all
outbound BGP routes.

Eliminating Private AS Numbers

In spite of the wording in the BGP RFC, many vendors include configuration options in their BGP
implementations that remove information from the AS path, which is technically not allowed. This
removal, however, only operates on specific information in the AS path attribute, and it does not
apply to making arbitrary changes to the actual AS path. Typically, the information removed was
placed there by the AS itself or by other routers within the administrative control of the AS. Thus, it is
not a question of one AS trampling on the path information another AS has put into the AS path
attribute.
One example of this type of configuration option is the remove-private configuration statement.
This keyword allows an ISP to remove private AS numbers from paths received from BGP customers
when those customers are using private AS numbers. Because the customers are effectively within
the administrative scope of the ISP, the provider is allowed to remove the private AS numbers from
the path.
In the slide, AS 1000 has three different customers connected using BGP. The customers are using
AS 65001, AS 65002, and AS 65003 for the BGP peer communications. Within AS 1000, each of the
BGP routers sees the private AS numbers within the path.
The remove-private option is enabled on the edge router in AS 1000 that faces the Internet or
other EBGP peers. As BGP advertises the customer routes out of AS 1000, the private AS numbers
are removed from the AS path attribute. In this case, BGP views all customer networks as having
originated within AS 1000.
You should not use this option in a BGP confederation network.

Modifying the AS Path Attribute: Part 1

Another option for removing AS path attribute information is the local-as configuration statement.
The purpose of the local-as keyword is to aid an ISP in migrating BGP customers to a new AS
number. The following slides display an example of how you can use the local-as option.
Consider the normal BGP AS path operation first. AS 1 has two customers for which it provides
service: AS 222 and AS 333. As AS 1 announces these routes from AS 222 and AS 333 on to the
Internet, AS 1 injects its own AS number (1) into the AS path attribute, as the BGP RFC expects.
So far, there is nothing unusual about the AS path operation.

Modifying the AS Path Attribute: Part 2

Next, consider what happens if AS 1 merges with AS 777. This situation is shown on the slide.
Suppose the resulting merged organization decides to use AS 777 as the official AS to represent
both networks on the Internet. To ease in the migration of the customer BGP configurations from
AS 1 to AS 777, the edge routers can use the local-as 1 configuration option.
The effect of this option is that the customer routes within AS 777 see both AS 1 and the customer
AS numbers (AS 222 and AS 333). As AS 777 advertises those routes to the Internet, it prepends its
own value of AS 777 onto each of the routes.
Therefore, even though AS 1 has been merged into AS 777, AS 1 still shows up on the paths sent to
the Internet.

Modifying the AS Path Attribute: Part 3

You can use an optional parameter with the local-as configuration statement that actually does
remove AS path information from the BGP AS path attribute. This optional parameter restricts
knowledge of AS 1 to the edge router connected to the customer (AS 222 and AS 333) only. This
situation is shown on the slide.
On the slide, the edge router in the formerly intact AS 1 is configured with the option of local-as
1 private. As the edge router advertises the customer routes into AS 777, AS 1 information is
removed from the AS path attribute, as shown on the slide. At this point, the AS 777 routers, as well
as the Internet, have no knowledge of AS 1.
The local-as 1 private statement now has indeed removed AS path information. Again, this
example applies to a type of special case and should not be used arbitrarily to attempt to change AS
path information received from another AS.
Other options are:
• local-as autonomous-system alias: A BGP peer considers any local AS to
which it is assigned as equivalent to the primary AS number configured for the
routing device. When you use the alias option, only the AS (global or local) used
to establish the BGP session is prepended in the AS path sent to the BGP
neighbor.
• local-as loops number: Specify the maximum number of times that the local
AS number can appear in an AS path received from a BGP peer. For number,
include a value from 1 through 10.

Overriding the Default Prepend Action

In certain situations, the default mechanics of the AS path prepend mechanism might cause routes
to not be received by a peer. One such situation is displayed in the slide.
AS 65432 is providing transit service to AS 65022, which peers at two different locations. For
reasons that we do not discuss here, the two portions of AS 65022 do not have any other peering
links between them. In fact, these two sections of the network rely on AS 65432 for reachability
information to the other half of the AS.
By default, the router on the right-hand side of AS 65432 only prepends its own AS a single time
before advertising the 172.16.10.0/24 route to AS 65022. Unfortunately, this route is never received
by the peering router because of an AS path loop. After all, AS 65022 is already in the AS path. The
EBGP peer in AS 65432 alters its configuration with its peer in AS 65022 to include the
as-override command. This command allows the router in AS 65432 to examine the AS path
before advertising the route and look for any instances of AS 65022 already in the path. Should it
find any, they are replaced with the advertising router’s own AS, 65432 in this case. The EBGP peer
then performs the default prepend action before advertising the route. The router in AS 65022 now
receives the route without an AS path loop and installs it in its local routing table.

Allowing AS Path Loops

The Junos OS allows you to configure your router to accept an AS path loop in certain situations. The
slide once again shows AS 65432 providing transit service to AS 65022. As before, the
172.16.10.0/24 route is not accepted by the router in AS 65022 because of an AS path loop.
The configuration option used in this example is performed on the router in AS 65022 itself. The
optional keyword loops is appended to the autonomous-system command within the [edit
routing-options] configuration hierarchy. This keyword allows the local AS number to appear
multiple times in the path. The route can then be received by the router in AS 65022.
This scenario also requires the EBGP peer in AS 65432 to be configured with the
advertise-peer-as command. Otherwise, routes learned from one instance of AS 65022 will
not be advertised to the second instance of AS 65022.
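To tie together remove-private, local-as (with and without private), as-override, the loops option and the advertise-peer-as suppression rule from the preceding pages, here is a constructed Python model (an example written for this material, not Junos code) of how each option rewrites or checks the AS path. The function names, the simplified remove-private rule and the scenario helpers are this example's own; the AS numbers and prefix come from the slides.

```python
# Constructed model of the AS-path options on these slides. A path is a tuple with
# the most recently added AS first, as in the AS_PATH attribute. Function names,
# and the simplified remove-private rule, are this example's own.
PRIVATE_AS = range(64512, 65535)   # 16-bit private ASN range (RFC 6996); slide uses 65001-65003

def prepend(local_as, path):
    """Default action toward an EBGP peer: put our own AS at the front."""
    return (local_as,) + tuple(path)

def remove_private(path):
    """remove-private on the Internet-facing edge router: drop the private ASNs
    that customers under the ISP's administrative scope placed in the path.
    Simplified here to stripping every private ASN wherever it appears."""
    return tuple(asn for asn in path if asn not in PRIVATE_AS)

def receive_with_local_as(old_as, path, private=False):
    """local-as on the customer-facing session of a merged AS: the session runs
    as old_as, so old_as is inserted into the path the new AS sees, unless
    'private' keeps knowledge of old_as on that edge router only."""
    return tuple(path) if private else (old_as,) + tuple(path)

def as_override(local_as, peer_as, path):
    """as-override toward a peer: replace every occurrence of the peer's AS with
    our own AS, then perform the default prepend."""
    rewritten = tuple(local_as if asn == peer_as else asn for asn in path)
    return prepend(local_as, rewritten)

def may_advertise(route_from_as, target_as, advertise_peer_as=False):
    """Default suppression: a route learned from an EBGP peer is not sent back to
    any EBGP peer in that peer's AS unless advertise-peer-as is configured."""
    return advertise_peer_as or route_from_as != target_as

def accept(local_as, path, loops=0):
    """Receiver-side loop check. loops=0 models the default (any occurrence of
    the local AS rejects the route); autonomous-system ... loops N allows up to
    N occurrences (1 through 10 per the slide)."""
    return path.count(local_as) <= loops

def transit_to_other_half(use_as_override=False, loops=0, advertise_peer_as=True):
    """Slide scenario: AS 65432 relays 172.16.10.0/24, learned from one half of
    AS 65022, to the other half. Returns (path_sent, accepted_by_as_65022).
    advertise_peer_as defaults to True because the scenario requires it."""
    received = (65022,)
    if not may_advertise(65022, 65022, advertise_peer_as):
        return None, False
    sent = (as_override(65432, 65022, received) if use_as_override
            else prepend(65432, received))
    return sent, accept(65022, sent, loops)

def isp_path_to_internet():
    """Slide scenario: AS 1000 learns a route from customer AS 65001 and its
    Internet-facing edge router applies remove-private before prepending."""
    return prepend(1000, remove_private((65001,)))

def merged_path_to_internet(private=False):
    """Slide scenario: AS 1 has merged into AS 777; the edge router keeps the
    customer session (AS 222) with local-as 1 [private]; AS 777 then prepends."""
    inside_as_777 = receive_with_local_as(1, (222,), private)
    return prepend(777, inside_as_777)
```

Running the transit scenario with neither option shows the path (65432, 65022) being rejected by AS 65022, while as-override on the AS 65432 router or loops on the AS 65022 router each lets the route through.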
