Tuesday, August 2, 2011

notes: BGP Next Hop Processing

- When a route is advertised between iBGP peers, NO next-hop processing is done (the next-hop attribute is passed on unchanged), unless confederations are used.
- When a route is advertised between eBGP peers, the next-hop field is modified to the IP address of the sending eBGP router.
- If the receiving BGP router is in the same subnet as the current next-hop address, the next-hop field remains unchanged to optimize packet forwarding. Typically seen on multiaccess networks.
- Careful with next-hop processing on NBMA networks. The next-hop must be reachable. Rather use a sub-interface on a different subnet, or alternatively disable next-hop processing.

- Next-hop processing can be changed in one of two ways:
> With the 'neighbor next-hop-self' command.
> Or with a route-map that sets the 'ip next-hop'.
-----------
COMMANDS
-----------

1. Using a route-map - changes the next-hop to the IP specified
- Apply the route-map to the iBGP peer to change next-hop processing

route-map {name} permit 10
set ip next-hop {ip}
!
router bgp {asn}
neighbor {ip|peer-group} route-map {name} {in|out}


2. Next-hop-self - changes next-hop processing at the edge router to the local peering address
- Instructs iBGP peers to use this router as the next-hop for the routes it advertises


neighbor {ip|peer-group} next-hop-self

notes: BGP eBGP Sessions

- Cisco AD (Administrative Distance) for eBGP peers is 20.
- By default the time-to-live (TTL) is set to 1 for eBGP sessions.
- If an eBGP session is configured between two non-directly connected peers, the TTL must be increased with the "ebgp-multihop" command for the session to come up (this also applies when a loopback interface is used, as a loopback counts as 1 hop).

- eBGP loop prevention is done via the AS-path attribute.
A router will not accept a prefix if the locally configured ASN is listed in the received AS-path.
This default behaviour can be changed with the 'neighbor allowas-in' command.
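The next-hop rules above and the AS-path loop check can be simulated in a few lines. This is an added example, not Cisco code or anything from the original notes: the Route and Session classes, the advertise() and accept() helpers, and every address and ASN in it are constructed for illustration.

```python
"""Simulation of the next-hop processing and AS-path loop-prevention rules from
these notes. Added example, not Cisco code; all addresses and ASNs are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Route:
    prefix: str
    next_hop: str
    as_path: List[int] = field(default_factory=list)


@dataclass
class Session:
    """A BGP session as seen from the router that is sending the UPDATE."""
    local_asn: int
    peer_asn: int
    local_addr: str                           # our address on the peering link
    link_subnet: str                          # the peering link's subnet
    next_hop_self: bool = False               # 'neighbor ... next-hop-self'
    route_map_next_hop: Optional[str] = None  # outbound route-map 'set ip next-hop'

    @property
    def is_ebgp(self) -> bool:
        return self.local_asn != self.peer_asn


def advertise(route: Route, sess: Session) -> Route:
    """Return the route as the peer will receive it after next-hop processing."""
    next_hop = route.next_hop                  # iBGP default: passed on unchanged
    if sess.route_map_next_hop is not None:
        next_hop = sess.route_map_next_hop     # a route-map overrides the defaults
    elif sess.is_ebgp:
        # eBGP: rewrite to our peering address, except when the current next hop is
        # already on the shared subnet (third-party next hop on a multiaccess link).
        if ip_address(route.next_hop) not in ip_network(sess.link_subnet):
            next_hop = sess.local_addr
    elif sess.next_hop_self:
        next_hop = sess.local_addr             # iBGP with next-hop-self
    as_path = list(route.as_path)
    if sess.is_ebgp:
        as_path.insert(0, sess.local_asn)      # eBGP prepends the local ASN
    return Route(route.prefix, next_hop, as_path)


def accept(route: Route, local_asn: int, allowas_in: int = 0) -> bool:
    """Loop prevention on receipt: reject if the local ASN appears in the AS-path more
    often than 'neighbor ... allowas-in <number>' permits (default: not at all)."""
    return route.as_path.count(local_asn) <= allowas_in


if __name__ == "__main__":
    # Constructed scenario: AS 65001 learned 198.51.100.0/24 from an eBGP peer on 192.0.2.0/24.
    learned = Route("198.51.100.0/24", "192.0.2.1", [64500])
    ibgp = Session(65001, 65001, "10.0.0.1", "10.0.0.0/24")
    print("iBGP, default:        ", advertise(learned, ibgp).next_hop)
    print("iBGP, next-hop-self:  ", advertise(learned, Session(65001, 65001, "10.0.0.1", "10.0.0.0/24", next_hop_self=True)).next_hop)
    print("eBGP, other link:     ", advertise(learned, Session(65001, 65002, "203.0.113.1", "203.0.113.0/24")))
    print("eBGP, same subnet:    ", advertise(learned, Session(65001, 64501, "192.0.2.2", "192.0.2.0/24")).next_hop)
    looped = Route("10.9.0.0/16", "192.0.2.1", [64500, 65001, 64499])
    print("loop, allowas-in 0/1: ", accept(looped, 65001), accept(looped, 65001, allowas_in=1))
```

The "same subnet" case is the third-party next hop from the notes: the eBGP rewrite is skipped because 192.0.2.1 already sits on the peering link, and accept() shows why an allowas-in value is a deliberate loosening of the default loop check rather than a tuning knob.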

BGP Backdoor
- When a router learns a prefix via two paths, one via eBGP and the other via an IGP, the eBGP route will be chosen as best because of its lower AD (20).
- This might not always be the required best route.
- The AD of that one route could be changed, or the BGP backdoor feature could be used, which makes the IGP route the preferred route.

BGP Maximum-Paths
- Controls the max number of parallel internal/external BGP routes that can be installed in the routing table.
 2 required conditions:
a. All attributes must be the same, i.e. weight, local-pref, as-path, origin, MED and IGP distance.
b. The next-hop router for each multipath must be different.
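The backdoor and maximum-paths rules above decide together which candidate paths for one prefix end up in the routing table. The following is an added example, not Cisco code or anything from the original notes; the Path class, the installed() helper, the OSPF AD of 110 standing in for "the IGP", and all prefixes and next hops are constructed for illustration.

```python
"""Added example (not Cisco code): which of several candidate paths for one prefix get
installed, following the AD values, the 'network ... backdoor' rule and the two
maximum-paths conditions listed in these notes. All paths and addresses are constructed."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Cisco defaults named in the notes (eBGP 20, iBGP/local 200); OSPF's 110 is assumed
# here only to stand in for "the IGP".
AD = {"ebgp": 20, "ospf": 110, "ibgp": 200}


@dataclass(frozen=True)
class Path:
    prefix: str
    source: str            # "ebgp", "ibgp" or "ospf"
    next_hop: str
    weight: int = 0
    local_pref: int = 100
    as_path: Tuple[int, ...] = ()
    origin: str = "i"
    med: int = 0
    igp_metric: int = 0    # IGP distance to the next hop


def admin_distance(path: Path, backdoor: Iterable[str] = ()) -> int:
    """'network X backdoor' makes the eBGP route look locally sourced (AD 200),
    so the IGP route (AD 110 here) wins for that prefix."""
    if path.source == "ebgp" and path.prefix in set(backdoor):
        return AD["ibgp"]
    return AD[path.source]


def multipath_attrs(p: Path) -> tuple:
    """Everything that must be identical for BGP multipath (condition a)."""
    return (p.weight, p.local_pref, p.as_path, p.origin, p.med, p.igp_metric)


def installed(paths: List[Path], backdoor: Iterable[str] = (), maximum_paths: int = 1) -> List[Path]:
    """Lowest AD wins. Among BGP paths sharing that AD, the first one listed is taken
    as the best path (tie-breaking beyond the notes is not modelled) and further paths
    join it only while attributes match and next hops differ (conditions a and b)."""
    backdoor = set(backdoor)
    best_ad = min(admin_distance(p, backdoor) for p in paths)
    candidates = [p for p in paths if admin_distance(p, backdoor) == best_ad]
    chosen = [candidates[0]]
    if candidates[0].source == "ospf":
        return chosen                          # IGP path: BGP multipath rules do not apply
    for p in candidates[1:]:
        if len(chosen) >= maximum_paths:
            break
        same_attrs = multipath_attrs(p) == multipath_attrs(chosen[0])
        new_next_hop = all(p.next_hop != c.next_hop for c in chosen)
        if same_attrs and new_next_hop:
            chosen.append(p)
    return chosen


if __name__ == "__main__":
    e1 = Path("172.16.0.0/16", "ebgp", "192.0.2.1", as_path=(64500,))
    e2 = Path("172.16.0.0/16", "ebgp", "192.0.2.5", as_path=(64500,))
    e3 = Path("172.16.0.0/16", "ebgp", "192.0.2.9", as_path=(64500,), med=50)
    igp = Path("172.16.0.0/16", "ospf", "10.0.0.2")
    print([p.next_hop for p in installed([e1, igp])])                               # eBGP wins on AD
    print([p.next_hop for p in installed([e1, igp], backdoor=["172.16.0.0/16"])])   # backdoor: IGP wins
    print([p.next_hop for p in installed([e1, e2, e3], maximum_paths=2)])           # e3 fails condition a
```

Running it shows the three outcomes the notes describe: the eBGP path beats the IGP on AD alone, the backdoor flips that for one prefix without touching the global distance, and a path whose MED differs never joins a multipath set even when maximum-paths leaves room for it.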

BGP Dmzlink Bandwidth
- Used to enable multipath load balancing over external links with unequal bandwidth capacity.
- Advertises the bandwidth of the link that is used to exit an AS.

-----------
COMMANDS
-----------

- By default, eBGP neighbors must be directly connected (TTL=1).
- This declares a peer to be several hops away (specified with the TTL).
- Typically used to run eBGP between loopback interfaces for load-sharing purposes.
- If no TTL is entered, the command default of 255 is assumed.

neighbor {ip|peer-group} ebgp-multihop [ttl]

- Disables the default eBGP loop prevention for the specified number of entries,
- thereby allowing the local ASN to be listed in a received AS-path.
- {no}: the number of times the local ASN is allowed to be listed (only on the LEFT).

neighbor {ip|peer-group} allowas-in {no}

- Lightweight security mechanism to protect eBGP sessions from CPU-based attacks.
- {hop-count}: the max number of hops that can separate the eBGP peer from the local router (value from 1-254).

neighbor {ip} ttl-security hops {hop-count}
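The receive-side check that ttl-security adds, next to the send-side TTL that ebgp-multihop changes, can be modelled directly. This is an added example, not Cisco code or anything from the original notes: the BgpPacket class, the helper functions and the packet values are constructed for illustration, and the "a loopback counts as 1 hop" rule is taken from the notes above.

```python
"""Added example (not Cisco code): the receive-side TTL check behind
'neighbor ... ttl-security hops {hop-count}' (GTSM, RFC 5082), contrasted with
'ebgp-multihop', which only changes the TTL the local router sends. Packets are constructed."""
from dataclasses import dataclass
from typing import Optional

MAX_TTL = 255            # a ttl-security peer always sends its BGP packets with TTL 255


@dataclass(frozen=True)
class BgpPacket:
    src: str
    ttl: int             # IP TTL as it arrives at the local router


def arrival_ttl(sent_ttl: int, router_hops: int) -> int:
    """Every router on the way decrements the TTL by one; it can never go up in transit."""
    return sent_ttl - router_hops


def ttl_security_accepts(pkt: BgpPacket, hop_count: int) -> bool:
    """Accept only if the packet cannot have crossed more than hop_count routers.
    Because TTL only decreases in transit, a sender further away than hop_count
    routers cannot deliver a high enough value, whatever it puts in the header;
    the session's CPU is therefore never spent on such packets."""
    if not 1 <= hop_count <= 254:
        raise ValueError("hop-count is 1-254")
    return pkt.ttl >= MAX_TTL - hop_count


def ebgp_multihop_send_ttl(configured: bool, ttl: Optional[int] = None) -> int:
    """'ebgp-multihop [ttl]': the TTL the local router puts on packets to that peer.
    Without the command eBGP uses 1; with it but no value, the default of 255."""
    if not configured:
        return 1
    return MAX_TTL if ttl is None else ttl


def reaches_peer(sent_ttl: int, intermediate_routers: int, loopback_peer: bool = False) -> bool:
    """Does a packet sent with sent_ttl still have TTL >= 1 when the peer processes it?
    Per the notes, peering to a loopback costs one extra hop."""
    hops = intermediate_routers + (1 if loopback_peer else 0)
    return arrival_ttl(sent_ttl, hops) >= 1


if __name__ == "__main__":
    direct = BgpPacket("192.0.2.1", arrival_ttl(MAX_TTL, 1))            # directly connected peer
    distant = BgpPacket("198.51.100.7", arrival_ttl(MAX_TTL, 5))        # five routers away
    print("hops 1, direct peer:   ", ttl_security_accepts(direct, 1))   # True
    print("hops 1, distant sender:", ttl_security_accepts(distant, 1))  # False
    print("default eBGP TTL:      ", ebgp_multihop_send_ttl(False))     # 1
    print("loopback peering, TTL 1 / 2:", reaches_peer(1, 0, loopback_peer=True), reaches_peer(2, 0, loopback_peer=True))
```

The two mechanisms answer different questions: ebgp-multihop decides whether our packets can reach a peer at all, while ttl-security decides which arriving packets are worth handing to the BGP process, which is why the notes call it a lightweight protection rather than an authentication method.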

- Sets the AD for eBGP, iBGP, and local routes. Defaults: eBGP 20, local/iBGP 200.
- This change applies only to routes received after the command has been entered.
- {local}: locally originated routes such as aggregates, the network command, and redistribution.

distance bgp {external ad} {internal ad} {local}

- Makes the IGP route more preferred than the eBGP route for the destination.

network {ip/range} backdoor

- Controls the max number of parallel routes that are allowed to be installed (default=1).

maximum-paths eibgp {max-number}

- Used to advertise the bandwidth of the equal-cost links that are used to exit an AS.

neighbor {IP} dmzlink-bw

notes: BGP authentication

- BGP only supports MD5 authentication on a per neighbor basis.

-----------
COMMANDS
-----------
neighbor {ip|peer-group} password {pwd}

- Enables MD5 authentication on a specific BGP session.
- {pwd}: must match on both sides.
- CaSe-SenSiTive; the first character cannot be a number.