You are on page 1of 26

BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people.cisco.com/%7Emarkt/avi.

html

NOTES:

Diagrams will be up in a couple of days.
The HTMLizing of this document is NOT finished.
I haven't gone through to re-check it for accuracy.

This is intended for the first-time multi-homing small ISP. Feel free to give this to
any of your customers, and send me comments and updates to bgp@netaxs.com if
you think something can be illustrated or explained more clearly.

Have fun,

Avi Freedman Net Access

BGP ROUTING PART I: BGP AND MULTI-HOMING
Everyone wants to know about BGP. What is it? How do you use it? What is it used for? We'll try to
explain at least the basics of BGP in this document.

This document is Copyright Avi Freedman, 1997. Distribution of the original or modified versions
for profit is prohibited, but please feel free to give it away.

Index
BGP
A WARNING
PREREQUISITES
BGP ROUTING: INTERNAL (INTERIOR) AND EXTERNAL
SO WHY IS BGP INTERESTING?
BEING "CONNECTED" TO THE INTERNET
HARDWARE AND SOFTWARE FOR SPEAKING BGP
PEERING SESSIONS AND ASNs: PART I
WHAT DO YOU DO WITH BGP?
PEERING SESSIONS
eBGP vs. iBGP
BGP AND THE SINGLE-HOMED
AS-PATHS
AS-PATH LENGTH AND BGP ROUTE SELECTION
AS-PATH ACCESS LISTS (FILTERS)
ENTERING, MODIFYING, AND DELETING as-path access-lists
BGP METRICS (ATTRIBUTES) AND ROUTE SELECTION: INTRODUCTION
BGP PATH SELECTION PROCESS ACCORDING TO CISCO
BGP ATTRIBUTE TYPES
EGP vs. IGP
WHAT IS ROUTE FLAP AND WHY IS IT BAD?
WHAT TO KEEP IN MIND WHEN CONFIGURING BGP
BGP AND PEERING

1 of 26 04/02/00 15:05

BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people.cisco.com/%7Emarkt/avi.html

INTERNET CONNECTIVITY WITHOUT BGP
BGP AND THE SINGLE-HOMED
BGP AND THE MULTI-HOMED
MULTI-HOMING AND LOAD-BALANCING
HOW TO ANNOUNCE YOUR NETWORKS
BEING ADVERTISED BY MULTIPLE PROVIDERS WITHOUT PI-SPACE
CONTROLLING OUTGOING DATA FLOW: "FULL ROUTING"
CONTROLLING OUTGOING DATA FLOW: "PARTIAL ROUTING": "CUSTOMER ROUTES
ONLY"
SO WHAT'S TO BE DONE?
AS-PATH PADDING
QUESTIONS AND COMMENTS
THANKS TO
TO BE DONE

Sidebars
Sidebar on Cisco BGP commands
Sidebar on next-hop-self
Sidebar on Outgoing Data Flow Control Without BGP

A WARNING
This is dangerous stuff. It's always best if you can test BGP configurations in a "lab" made up of a
few Cisco 2501s before implementing them in a live network connected to the Internet.
Unfortunately, there's no good reference on "using BGP" to refer people to. Reading the RFCs (the
Request For Comment documents that define the protocol at a low-to-mid-level), or even Cisco
documentation (Cisco did not invent BGP, but Cisco's BGP implementation is almost definitely the
most widely-used) does not really tell you enough. Many of the "routing gurus" out there got started
by looking at and working on running networks, where the architecture and implementation were
already done. Most of the rest, however, started with the basics and expanded their knowledge and
experience as their networks grew.

PREREQUISITES
You need to know a bit about IP routing to digest this material. It also doesn't hurt to have a few of
the aforementioned test routers (at least two, one configured as you and one configured as your
provider). Don't be afraid to ask for help. Read your vendor's BGP documentation - all of it, even the
parts you don't understand. Try to get a number of "live configs" for whatever router you're using -
preferably from someone with a similar topology and similar goals.

BGP
BGP stands for Border Gateway Protocol. The popular "BGP" protocol that people speak of ("Can a
Cisco 2501 speak BGP?") in use is actually BGP4 (which differs from BGP3 the same way that
RIPv2 differs from the old RIP protocol - in that BGP4 and RIPv2 (the result of what some call
"unsuccessful brain surgery" on the original RIP protocol) allow the announcement of "classless
routes" - routes that aren't strictly on "Class A", "Class B", or "Class C" boundaries - but instead can

2 of 26 04/02/00 15:05

Think everything that you do through in terms of how it could screw up. you promise that if someone sends you data destined for any address in 192. Needless to say. you've got to have a running and happy network to take the data. MCI's.or to "multi-home" to multiple providers and have a little bit more control over where your data goes on the Internet.com/%7Emarkt/avi. This is called "black-holing" someone . If you default route into one or more providers. all of the data on the Internet destined for the black-holed IP space will flow to your border router. a friend's.cisco. or anyone's. RIPv2. you know how to carry that data to its ultimate destination. The cardinal sin of BGP routing is advertising routes that you don't know how to get to.4.255). see April's Boardwatch column. one way of thinking of those route "advertisements" is as "promises" to carry data to the IP space represented in the route being advertised. or Autonomous System. But if you do want to "peer" with someone . one terminology note: Classless routes are sometimes called "prefixes". When you "advertise" routes to other entities (ASs).4. When someone talks 3 of 26 04/02/00 15:05 . But it is much more useful to tell people outside your network (upstream providers or "peers") about what routes (or portions of the IP address space) you "know how to get to" inside your network.4. typically called a NOC. this makes that address space "disconnected from the 'net" for the provider that owns the space. with static routes. It's obviously critical that any box inside your network know how to get (directly or indirectly) to any other box inside your network. or in a more complicated but robust way.0/24. is a way of referring to "someone's network". The second most heinous sin of BGP routing is not having strict enough filters on the routes you advertise (more on this later). you will be taking at least some external routes into your network (and will do so with BGP). external routing isn't something you have in your network.0 and ending at 192. Anyway. OSPF. and IS-IS. with active internal routing protocols such as RIP. ROUTING: INTERNAL (INTERIOR) AND EXTERNAL Internal routing is the art of getting each router in your network to know how to get to every location (destination) in your network. as well as a simple or complicated internal routing scheme so that every router in that AS knows how to get to every other router and destination within that AS. Also.4.0/24 (the "Class C" starting at 192. Normally an AS will have someone or ones responsible for it (a point of contact. and makes many people unhappy. as mentioned above. That network could be yours. or Network Operations Center) and one or multiple "border routers" (where routers in that AS peer and exchange routes with other ASs). and that advertisement is more specific than the one made by the owner of that IP space. You can do this simply. SO WHY IS BGP INTERESTING? Well. For example.204. if you advertise 192.204.because if you advertise. The primary purpose of BGP4 (as we're studying it here) is to advertise routes to other networks ("Autonomous Systems"). An AS.204.BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people. it's nice to have routing data for parts of the Internet in your routers. or promise to carry data to. Sprintlink's.204. Before you invite people to send data to your network. the bottom line: Test your configs and watch out for typos. some part of the IP space that is owned by someone else. For more information on "classless" or "CIDR" routes.html also be "subnets" or "supernets").

96.which.and there's a huge community of routing engineers that's familiar with the Cisco implementation and algorithms (there's much that isn't specified in the RFCs and is left up to the vendor to decide). for each host that is "on the Internet". but note the "Home Dialup User".but you've then got hardware that's not really as tested or reliable as a Cisco or Bay router. Take a look at Figure 1.0/16).and a program called gated to manage BGP. (Apologies to Riscom and ET.0/8.0/24 and 207. BSD. Most networks will "filter" the RFC 1918 reserved space (10. just as critically.1 (for example) is that the ISP (AS 64512) advertised that route to the two upstream providers (AS 4969 and AS 701). and.0/12. the leading vendors of T1 cards-for. get examples for. In this example.the cost savings is usually not worth doing it this way. or some other Unix variant . so people use them in examples because they don't get you into too much trouble if you accidentally try to use them (sort of like the film industry's yyy-555-xxxx phone number convention). no one on the Internet will be able to reach it. HARDWARE AND SOFTWARE FOR SPEAKING BGP The most commonly used implementations of BGP are Cisco routers.10.0/24 as an example.168. or you will not have connectivity to the host in question.0.20.or third-largest community of BGP-speaking computers. We'll explain more of the details below.cisco. Trust me on this . This means that whoever provides "Internet connectivity" to that host has to have a path to you . In particular. 4 of 26 04/02/00 15:05 . means that they have to "hear a route" which covers the section of the IP space you're using. ultimately.10. In order to be connected to the Internet.PCs). and debug . We're using 10. the Cisco implementation of BGP is relatively easy to use.16. Cisco's online documentation (UniverCD) isn't the best (it lacks a large number of case studies) but is a very good learning tool.96.10. somewhere.8. you need to be able to: Send a packet out a path that will ultimately wind up at that host. which is served by ANS (AOL actually owns ANS).BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people.0/20 are not the same prefix (route).8.x. He's connected to AOL.0. which provides IP service for AOL). and PC clones running Linux. Every IP address that you can get to on the Internet is reachable because someone. The 10. We'll mostly use "route" in this document.com/%7Emarkt/avi. who in turn advertised that route to AS 690 (ANS.0. That host has to have a path back to you. PC-compatibles using gated are either the second. You can build cheap PC routers that route Ethernet and t1 and have more than enough CPU and memory to handle all the routes you'd need for quite some time .0.x IP addresses are often used in examples because they're "reserved" space. 172. So 207.html about a prefix they're talking about a route with a particular starting point and a particular specificity (length). The corollary to this is that if there is not a generally-advertised route to cover an IP address. the reason that an AOL dialup user can send a packet to 10.20. BEING "CONNECTED" TO THE INTERNET Throughout this discussion it's critical to think about what it means to be "connected" to the Internet. Bay routers. I recommend using Cisco routers (for many reasons). and 192. has advertised a route that covers it.

39.106.106. most networks out there use (or at least show to the world) only one ASN. and I promise to retract in print my slam of Bay when their command line interface looks featureful. is just that . In order to bring up a "peering session".speaking Ciscos out there.127. A typical "neighbor clause" is: router bgp 64512 (omitted lines) neighbor 207.a number used to represent that Autonomous System to the world.127.10. PEERING SESSIONS AND ASNs: PART I There's a bunch of terminology associated with BGP.122 route-map prepend-once out neighbor 207. this is what it means to "peer with someone".122 remote-as 701 (omitted lines) neighbor 137.122 filter-list 2 in (omitted lines) WHAT DO YOU DO WITH BGP? 5 of 26 04/02/00 15:05 .but we're talking about a very small percentage of the number of BGP.122 send-communities neighbor 207. See Fig 1 for a diagram of the network layout used in this example.122 remote-as 4969 neighbor 207. A snippet of a Cisco "BGP clause" is: router bgp 64512 neighbor 207.106. that is.127. This means "What follows is a list of commands that describe how to speak BGP on behalf of ASN 64512". or Autonomous System Number.html Bay routers are the second-largest community of BGP-speaking boxes . What I've seen of BCC looks quite promising. you almost always use more than that one line to tell BGP how to exchange routes with that "neighbor" via that "peering session". Except for Sprintlink. pretty responsive to customers (though Cisco is as well). 207. At a technical level. all you need to do is have that one line.106.127.46 remote-as 4969 (omitted lines) The "clause" starts out by saying "router bgp 64512". 64512 is also a "reserved" number .10. Remote. Bay claims they're working on a command-line interface. On the other hand.com/%7Emarkt/avi.122 next-hop-self neighbor 207. fast.127. We're going to talk about Cisco routers in these documents (and in this document in particular).127.46 is the remote IP address of a UUNET router (UUNET is ASN 701).BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people.127.106. (BCC. In practice.106. (It's much easier to debug BGP or other routing problems from a telnet session or over the phone than it is to have to guide someone through a GUI to examine or reconfigure a router). the Bays do have a better architecture and are finally showing themselves to be more or less as stable as Ciscos. An ASN. Bay is cheaper than Cisco.39. with respect to the customer's router. but in the mean time most are throwing money at Cisco. BGP-speaking routers exchange routes with other BGP-speaking routers via peering sessions.cisco. and almost all configuration is done through a GUI (windowing) interface that drives most routing engineers nuts.122 is the remote IP address of a Net Access router (Net Access is ASN 4969).106. 137. That number "identifies" your network to the world. In this example. or "Blatant Cisco Clone"). and solid. however. We already talked about Autonomous Systems (ASs).it's a number in the "reserved" section of ASNs (ASNs go from 1-65535).

159.16 4 64512 6128 6782 1159870 0 0 4d03h 207.245.127. For the purposes of this document. Every time a neighbor session comes up.BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people.1 4 64514 1145670 237369 1159873 0 0 4d03h 207. PEERING SESSIONS The purpose of the "neighbor" clauses is to bring up "peering sessions" with neighbors. something is very wrong! BGP version 3 doesn't understand about Classless ("CIDR") routing and is thus dangerous. InQ is the number of routes left to be sent to us.44. Most of it is pretty self-explanatory.106.4 4 3564 6086 274182 1159853 0 0 4d03h 207.106. which we'll talk about in a future document) - those ASNs are not shown to the world.33.90.91. The AS column is the remote ASN.92.com#sho ip bgp summ BGP table version is 1159873.com/%7Emarkt/avi. for them to in turn to announce to others (transit) or just use internally (in the case of peers). Announce your routes to those providers. main routing table version 1159873 44796 network entries (98292/144814 paths) using 9596344 bytes of memory 16308 BGP path attribute entries using 2075736 bytes of memory 12967 BGP route-map cache entries using 207472 bytes of memory 16200 BGP filter-list cache entries using 259200 bytes of memory Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State 205.33.106.92.17 4 64512 5962 6894 1159870 0 0 10:08:46 206. Any routes that "pass" the filter are sent to the remote end.1 4 6313 0 0 0 0 0 never Active 207. While the session is up.3 4 64513 164708 724571 1159866 0 0 3d23h 207.cisco.106.106. "BGP Updates" will be sent from one router to the other each time one of the routers knows about a new BGP route or needs to "withdraw" a previous announcement ("promise"). FDDI). and. The "sho ip bgp summ" command will show you a list of all peering sessions: brain.106.7. as opposed to simply setting a default route from your border router(s) into your provider(s)).but "eBGP multihop" is a more advanced topic and has many potential pitfalls.25 4 3564 6109 310292 1159867 0 0 22:40:50 207.17 4 4231 161072 276660 1159870 0 0 2d05h 207.5 4 64515 6078 5960 1159869 0 0 4d03h 207. The 6451X ASes are BGP sessions to other Net Access routers (using confederations. It is possible to have BGP peering sessions that go over multiple "hops" . OutQ is the number of routes left to be sent to the other side. 6 of 26 04/02/00 15:05 .5.html Speaking BGP to your provider(s) and/or peers lets you do two things: Make (semi-)intelligent routing decisions (decide what is the "best" path for a particular route to take outbound from your network. Fast Ethernet.6 4 6078 5793 310011 1159869 0 0 2d03h This is a session summary from one of Net Access's core routers. briefly: The "V" column is the BGP version number. all neighbors must be either on the other end of a leased-line from you - or on a LAN interface (Ethernet.netaxs. each router will evaluate every BGP route it has by running it through any filters you specificity in the "neighbor" clause.106. more importantly. If it is not 4.160.

eBGP vs.BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people.0/16 route covers that space as well.96.96.106.106. The solution to this is "BGP confederations". For example. Anything in the State column indicates that the session is not up. each router has to peer with every other router.html The Up/Down column is the time that the session has been up (if nothing is in the State column) or down (if something is).106.com/%7Emarkt/avi.106. Note: A State of Active means that the session is inactive. iBGP doesn't do as good a job at "convergence" (closing the gap and re-routing around failed network segments) as OSPF and IS-IS. while iBGP is used to exchange routes between the same Autonomous System. it is rarely desirable to speak BGP to them. Also. If you have 20 routers. since all of those routes point to the same place (your one upstream provider).106. In this case your provider is not going to advertise your more "specific" routes because: It's pointless to waste slots in thousands of routers around the world . So filling your router with 45. The main one is the necessity to "peer up" every set of routers in your network (or in one POP if you're using confederations). RIPv2. if you are using 207.if you are in your provider's address space.106. The only way to reach you is going to be through your provider . This is called a "routing mesh" and. So the world would prefer to not see that 207. iBGP has major drawbacks as an IGP. since the 207. Also. eBGP and iBGP share the same low-level protocol for exchanging routes.0/20 out of your provider's 207. We'll talk more about iBGP in a future document when we cover all of the major interior routing protocols: OSPF. BGP AND THE SINGLE-HOMED When you have one upstream provider.0. also a topic for a future document.0 be "out there" is redundant.000 BGP routes isn't going to do you any good. iBGP is one of the "interior routing protocols" that you can use to do "active routing" inside your network. The major difference between eBGP and iBGP is that eBGP tries like crazy to advertise every BGP route it knows to everyone . but eBGP is used to exchange routes between different Autonomous Systems. iBGP is actually pretty difficult to get working because it tries like crazy not to redistribute routes .96. all iBGP-speakers inside your network have to peer with all other iBGP "speakers" in order to make it work. and also share some of the algorithms. since it takes up an 7 of 26 04/02/00 15:05 .in fact. RIP. This can be a pain (you don't want to accidentally merge your IGP with a customer's or peer's) but turning off broadcasting on certain ports is easier than turning on peering sessions between a new router and every other router on your network.the packet still goes to the same place.0/16 or 207.0. In fact.0.96. to be precise) of their larger IP blocks ("aggregates"). you only have one path out of your network.you have to put "filters" in place to stop it from doing so. IS-IS.0/16 netblock. And if you have one upstream provider. Just one of the nomenclature flaws of BGP. as you can imagine. Protocols like OSPF and IS-IS just "find" each other over serial and Ethernet interfaces (they're "broadcast" protocols). having the 207.whether the outside world sends a packet to that provider based on a 207. is quite a mess. iBGP. iBGP We're talking about eBGP in this document.0/20 route makes no difference . it's almost guaranteed that you are using sub-allocations (CIDR delegations. More on all of this below.0.cisco.106. Why? Well. other networks will get to you just as well by following the announcements of the aggregate blocks as if they also saw your more specific routes being advertised.

) If there's always one and only one path to your network.BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people. And if your network is fairly simple (as 90% of the networks out there are). you won't need anything fancier for quite some time. Why would you want to do this? Perhaps you only want to take UUNET. While it's true that most filtering is now done with communities (a community is another number which you can stamp on a route heard or to be announced via BGP .106. as-path length is going to be the deciding factor in choosing which of multiple routes gets used by the router (i.) It is one of a number of metrics that determine how routes "heard" via BGP are inserted into the actual IP routing table. AS-PATHS Every time a route is advertised via BGP. There are many reasons (which will become clear as you read on) why you'd want to filter based on the AS-PATH. MCI. you can find the route that encompasses a particular IP address and see which ASNs have advertised it.0/16. you won't be black-holed unless your provider flaps their /16 announcement (which should in theory be less likely .cisco.the blocks that show the routes as they move from hop to hop show you the AS-PATH accumulating as the route moves from network to network. The AS-PATH is useful for a number of reasons: It provides a "diagnostic trace" of routing on the 'net. it builds up an "AS-PATH".basically. choose another provider). And only the a route of the same specificity can be considered another "view" of a route. Also. your provider should always advertise your routes (specific or in the aggregate) to minimize CPU consumption on routers world-wide due to "route flap". or have "query access" to a router that does (such as telnet://route-server.e. If you go up and down enough times to flap.html extra slot in the global routing tables. AS-PATH filtering the best "first step" that you can work with to get comfortable with filtering routes.96. AS-PATH LENGTH AND BGP ROUTE SELECTION For routes of the same specificity.if it isn't. 8 of 26 04/02/00 15:06 .net).cerf.. they have to withdraw that routing assertion.we'll go into communities shortly). put into the IP routing table) when you're just starting out. you use the AS-PATH to filter routes. If you have "full routes" in one of your routers. you can even see how a provider is actually connected (as opposed to what they might claim. you'll be "black-holed" from large sections of the Internet. represented by the regular expression "^$". But if you're behind 207. If you do some poking around. it is "stamped" with the ASN of the router doing the advertising. Why? If your T1 goes down and your provider is advertising you as 207. so watch out) .com/%7Emarkt/avi. As a route moves from Autonomous System to Autonomous System (network to network).0. Each route starts out with a "null AS-PATH". (Hearing another "view" of a route takes up almost 10 times less memory than hearing another route. and ANS route from one provider (because of limited memory in your router). Or perhaps you want to make sure you only send routes originating in your network. enough routers out there severely penalize you if your route(s) "flap" that you want your provider to always advertise you (and thus not make internal instability reflect itself on a global level). It is something that allows you to do "policy routing" of sorts (though policy routing has many different definitions.0/20. See Fig 1 ..106.

though. 0-9. and regexp is very similar to Unix "regular expressions". Each line of a Cisco AS-PATH filter looks like: ip as-path access-list NNN permit regexp or: ip as-path access-list NNN deny regexp Where NNN is the number (same as the name in the case of as-path access-lists). Fig 3 Regexp characters: NNN match the characters NNN (where each digit of NNN is from 0-9) ^ match the beginning of a string $ match the end of a string _ match any of {space. Each charN expression can be an actual number or other symbol. the regexp "_1_" will match the string "3561 1 64000" but not "3561". Notice. Thus.com/%7Emarkt/avi. 1.and further explanation. If you want to match any of the special symbols. (regexp) enclosing another regexp in parens means that the appearance of that regexp is optional * the * operator means that the previous regexp can be matched 0.cisco. or a range (i. The ">" indicates the route that the router currently thinks is "best" when there are multiple choices. only use * in conjunction with parens. etc. you can escape them by putting a \ in front of them. (regexp)* matches the regexp inside the parens 0 or any number of times. and the O'Reilly and Associates Regexp book for more information about regular expressions).. the >'s to the left of the some of the routes.html See Fig 2 for a sample list of routes from an actual BGP routing table . char3. AS-PATH ACCESS LISTS (FILTERS) We'll use Cisco commands to illustrate AS-PATH filtering and "regexp matching". 2. To be safe.. a-z). char2. beginning of a string. which pop up in 9 of 26 04/02/00 15:06 . Thus. or end of a string} _NNN_ match the "word" or "distinct number" NNN. [char1char2char3] matches any one of char1.e. or any number of times.BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people. (See Fig 3 for a summary of regexp characters. (The problem is that if you don't anchor NNN with "_"s on either side. Fig 2. you might match something you don't really want to). A SNIPPET OF A BGP ROUTING TABLE COMING SOON TO A TUTORIAL NEAR YOU. The only special symbols you'll want to escape when matching against AS-PATHs are the parens.

it permits every route to flow through the filter. We'll explore regular expressions and as-path access-lists by example. as you'll see below. A quick note: For those playing with BGP confederations on your own (a topic we'll talk about in a 10 of 26 04/02/00 15:06 . regexps are matched against the AS-PATH as if the whole thing is a string. Each rule is listed in the order it will be applied. each route is passed through the access-list. the decision on whether to pass the route through the filter or to drop it (and thus not let it pass) is made immediately. The "deny . Example 3: ip as-path access-list 3 permit ^$ ip as-path access-list 3 deny .*" rule is useless here. by default. Thus.* This is also a handy one to have around. there's an implicit "deny . If you have these three as-path access-lists installed and remember their numbers you'll save yourself a lot of time you'd otherwise spend searching online or through config files to find where you put your "send everything".* at the end of every access list. Even so. the "deny . Remember the first rule of Cisco access-lists: There's an implicit deny . not a sequence of numbers.BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people. a portion of UUNET could start sending all of its Sprintlink traffic through your t1 and you'd hurt a reasonable chunk of the Internet. but you should always be paranoid when dealing with BGP. How do access-lists work? When used as a filter.the opposite of the "permit everything" list above. cause a router to redistribute every BGP route that the router knows about. This could lead to VERY BAD THINGS happening. since the router would insert that rule anyway (remember. except as a safety precaution.html AS-PATHs when you use BGP confederations.cisco. Important note: On Ciscos. (If you redistributed all of Sprintlink's routes into UUNET.*" at the end of every Cisco filter list). Once a route has been matched by any rule.) Again. or "send only my routes" filter. it never hurts to add one just to be safe (we'll do that below).*" is completely extraneous to the filter . Example 2: ip as-path access-list 2 deny . Both Sprintlink and UUNET do things to prevent you from doing this. you need to enclose ASNs within underscores to be sure of matching only the ASN you're looking for.* ip as-path access-list 1 deny . Example 1: ip as-path access-list 1 permit .* This access-list is the other of the triad of ever-handy ones: It permits only routes that originate within your AS (because of network statements or "redistribute" statements in "router bgp" clauses somewhere within your network).com/%7Emarkt/avi. "send nothing".* This is a good one to have around. Remember: BGP between different ASNs (eBGP) will.every route has already passed through the first line and the second line is never actually used. you might well want to always remember the number of this "deny everything" access-list . and no further rules are processed.

edu/ipma/routing_table or telnet to route-server.in the AS-PATH).this as-path access list permits. should be retired by now) 4969 Net Access (which will appear in the examples) There are hundreds of ASNs in use in the Internet.000 routes. 3830.cerf.. If you want to take a look at live ASN info. Example 5: ip as-path access-list 20 deny _3561_ ip as-path access-list 20 deny _1239_ ip as-path access-list 20 permit . and permits all other routes. To find out who "owns" an ASN (funny concept .. For Examples 4 and 5. If you had a Cisco 2501. but 1239 will always appear somewhere in the AS-PATH when looking at Sprintlink routes from some other provider) 701 UUNET 174 PSI 1673 ANS (the old ANS ASN. and denies all other routes. a Cisco that cerf.merit. and "3561 1" . where NNN is the ASN. especially if you're doing the whois query from a command line. Note: You may actually need to put quotes around the "ASN NNN".. (ASN 1 is used by BBN. should be retired by now) 1 BBN 4200 AGIS (the old Net99 ASN. "3561 1 6000". As of 4/97.* The _NNN_ notation means "match NNN as a distinct word". ANS. this should yield about 45.but not "701".com/%7Emarkt/avi. PSI.net. 690.html future document) note that your "permit internal routes only" filter might have to look something different ("permit ^$" will no longer be enough) .or both .* This filter denies any MCI or Sprintlink route. and AGIS routes.BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people. you might want to do this to accept some routes from one of your providers in an attempt to load-balance traffic a certain way (perhaps you've noticed that provider B gets better BBN connectivity than provider A. 11 of 26 04/02/00 15:06 . UUNET. issue a WHOIS query on "ASN NNN".. ----------------------------------------------------------------------------- Fig 4 Common ASNs 3561 MCI 1239 Sprintlink (Sprintlink also uses other ASNs.something like: "ip as-path access-list 30 permit ^(\([0-9 ]*\))*$". in order. and thousands of ASNs in use in internal networks all over the world. "_1_" would match "1". which has a bit of history in the Internet. Or you'll be using BGP communities instead of AS-PATH filtering to control which routes you redistribute Everyone else please ignore this paragraph. This means that NNN must have whitespace on either side of it (or must be the first or last word . ----------------------------------------------------------------------------- Example 4: ip as-path access-list 20 permit _1_ ip as-path access-list 20 permit _701_ ip as-path access-list 20 permit _174_ ip as-path access-list 20 permit _1673_ ip as-path access-list 20 permit _4200_ ip as-path access-list 20 deny . BBN. unless you want to try to parse the regexp above as an exercise. check out http://www.net loads with multiple full BGP routing tables.cisco.) So . please consult Fig 4 for a list of common ASNs you'll see when examining routes.owning a 16-bit integer).

"as-path access-list 3" above).b. replace the old as-path access-list and change the "neighbor a.cisco. So.d filter-list . Then.b. since every route would either be permitted or denied by the time the router had finished evaluating the second rule (the "deny . This is the safe way to do things. modify the "router bgp" clause's "neighbor a. Please use the first method.c.c. If you have anything but "permit" clauses in your access-lists. appending an explicit "deny .*" mode until the new list is in place. all filter-lists in Ciscos) is that if you already have an as-path access-list of a certain number (say. But if you had: ip as-path access-list 3 permit ^$ ip as-path access-list 3 deny . or both will fit in a 2501 and still let it function at at least a single t1's worth of throughput. AND DELETING as-path access-lists The major reason we usually append an explicit "deny ." clause back to its original state.BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people.*") and the third rule would never be looked at. you can do damage (redistribute routes you shouldn't) by not using the first method. or: If you know what you're doing. ENTERING. as opposed to simply typing the new list in.d filter-list NNN in" clause by just typing "neighbor a. and you try to re-enter it. Let's say you had: ip as-path access-list 3 permit ^$ And then you configured (perhaps as a typo. MODIFYING. then enter the new list (preferably via cut-and-paste or tftp. either: Enter a new list with a different number. 12 of 26 04/02/00 15:06 . you can just enter "no ip as-path access-list NNN" to delete the list.*" at the end of as-path access-lists (actually. Now. to modify an existing access list. since any filter that refers to that list will be in a "deny . as a security blanket. perhaps as a brain-o): ip as-path access-list 3 permit _1239_ You would alter the functionality of an existing filter list and potentially start redistributing Sprintlink routes to your peers and/or upstream providers.com/%7Emarkt/avi.*" to a list ensures that you will at least not be able to modify an existing list's functionality.and that the 2501 could still function..* Then adding a third rule of: ip as-path access-list 3 permit _1239_ Would have no effect.. So. It used to be that all routes on the 'net fit in a 2501 with 16mb . Sprintlink.html This will fill up a 2501 with absolutely all of the routes it can take and still function well.c. the Cisco has no way of knowing that you want to delete the old list. the routes would fit in but the 2501 didn't have enough CPU.d filter-list new-number in" (use the same method for outbound as-path filter-lists).b. Then. all of the routes on the 'net except for MCI.

and local_pref metrics are just integers associated with each route. drop the update. 8. There are. the most likely way the router's going to pick the best route (if you aren't playing games with weights) is by looking at the AS-PATH lengths. 9. MED. prefer the route that has the shortest AS_path. Prefer the path with the lowest IP address." 13 of 26 04/02/00 15:06 . it's unlikely that you'll have to worry about them. remember the primary rule of IP routing: The most specific route always wins. prefer the external path over the internal path. prefer the path that was originated by BGP running on this router. If the path specifies a next hop that is inaccessible.BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people. as specified by the BGP router ID. Externally originated AS-PATH length BGP metric (MED) BGP weight. rules for how a Cisco will select the "best BGP" route when there are multiple BGP route possibilities of the same specificity. 10. Prefer the path with the largest weight.html BGP METRICS (ATTRIBUTES) AND ROUTE SELECTION: INTRODUCTION First. prefer the path with the lowest MED attribute. 7. If the paths are still the same. prefer the path with the largest local preference. 2. If all paths have the same AS_path length. 6. to select a path for a destination: 1. They can be unset (zero) or can be set. It goes (basically): Route specificity and reachability and reachability BGP weight metric BGP local_pref metric Internally originated vs. however. If the paths have the same MED. If the origin codes are the same. 3. 4. If the local preferences are the same. For "competing" BGP routes. prefer the path with the lowest origin type (where IGP is lower than EGP. and EGP is lower than Incomplete).cisco. in the order presented. Unless you set them yourself.com/%7Emarkt/avi. 5. When the path is selected. prefer the path through the closest IGP neighbor. If no route was originated. BGP PATH SELECTION PROCESS ACCORDING TO CISCO It is: "BGP selects only one path as the best path. BGP puts the selected path in its routing table and propagates the path to its neighbors. BGP uses the following criteria. If the weights are the same.

2 (Incomplete) This attribute specifies the origin of a route. Present if this route was not the most specific one known by the advertiser. a higher weight is better.BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people. 6 ATOMIC_AGGREGATE TRUE/FALSE: If present. 3 NEXT_HOP IP Address The most critical attribute. and 0 for routes coming from other routers. Straightforward except that "Incomplete" means that the route got into BGP by redistribution from an IGP.Ip address} pair. Again. The rules above are fairly straightforward. The BGP weight is not actually an attribute (in that it's not redistributed from one router to another as part of a BGP route update). how long it is (the "specificity").cisco. designed to go outside and inside of an ASN. BGP weights are 32768 for routes originated by. and what the next hop is. 7 AGGREGATOR {ASN. false. where to send data destined for this route. 9 ORIGINATOR_ID Used for BGP Route Reflection To be covered in a future document. not designed to go outside of an ASN. most of which are either used for route selection or for additional debugging information for humans. 10 CLUSTER_LIST Used for BGP Route Reflection To be covered in a future document. go to: http://www.txt BGP ATTRIBUTE TYPES Value Code Possible Values ---. Data to indicate who formed the route if the route is an aggregate of smaller routes. Fig 8: BGP attributes For more info. see: RFC 2042: Registering New BGP Attribute Types RFC 1997: BGP Communities Attribute RFC 1773: Experience with the BGP-4 protocol RFC 1771: A Border Gateway Protocol 4 (BGP-4) To get an RFC.---------------. but use some of the route attributes that we'll be getting into in more detail in the future. and is set to 100 by default.net/rfc/rfcXXXX. true. (Rule 3) The local_pref is a BGP attribute.----------------------------------------------- 1 ORIGIN 0 (IGP). 14 of 26 04/02/00 15:06 . 8 COMMUNITY 0-N 4-byte values ("communities") To be covered in a future document. 1 (EGP). 2 AS_PATH 0-N 2-byte values A list of the ASNs of all ASs the route has traversed. 4 MULTI_EXIT_DISC 0-2^32 A weight.internic.com/%7Emarkt/avi. A higher weight is "better" (means the route will be preferred over a route with a lower weight). there is other data embedded in BGP routes. Dangerous stuff.html In addition to the "core" data about a route (where in the IP space it starts. otherwise. 5 LOCAL_PREF 0-2^32 A weight. Briefly: (Rule 2) If you don't set them explicitly.

If you want to experiment in the mean-time. local_prefs.or configured statically (in the router's configuration store). metric}.BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people. We'll explain this more.but it could make your customers very unhappy. Cisco chose to make this the final factor. Another very big caution: BGP weights and local_prefs are very powerful. you're not going to advertise them to your transit providers any more. and since BGP router ID should be unique. (Rules 7-8) A MED (or "BGP metric") is Yet Another Weight you get to play with. BGP routes migrate into the IP routing table only if: 15 of 26 04/02/00 15:06 . EGP vs.. that document shows you how to set these metrics.AS-PATH-length. In that table are one or more routes of a particular {starting point. routes - one from each border . equal.to send the packet towards the closest router of the two routers advertising the route.. filtering based on AS-PATH data should be more than sufficient.cisco. as it involves an understanding of how IGPs such as OSPF and IS-IS function. though it can get confusing. IGP EGP usually means "External Gateway Protocol". Again. Since I am a Cisco proponent.html (Rules 2-3.and that no weights. length. (Rule 9) If you run "active routing" internally (an IGP other than static routes). see for more details.if you prefer an external route for that customer. This IP routing table gets filled with routes heard from various sources . IGP means a route was injected into BGP with a "network" statement. (Rule 6) Origin isn't something you get to play around with. For further reading. There has to be some tie-breaker. there's some notion kept with each route of the "distance" for each route as it's passed around your network. with diagrams. with a Cisco dialect. or MEDs have been set. because different people and vendors use different terminology for the same thing.5) Setting weights and local_prefs gives you some control over "routing policy". IGP usually means "Interior Gateway Protocol". Realize that if you advertise routes for a customer that you hear via BGP.. EGP means it was heard via BGP from a remote AS. you typically won't be setting this until you have worked more with BGP. We'll be talking about using these metrics in the near future. Please experiment first on test or lab networks! If you've got proper filters in place. you could wind up preferring an external route for that customer if you set the BGP weight or local_pref too high (or at all) for external routes. but for beginners. We use MEDs internally at Net Access to tune things (because we prefer to let the router first pick the route with the shortest AS-PATH. and BGP weights and local_prefs are looked at before AS-PATH length). and incomplete means it was injected into BGP by "redistributing" from an IGP. in a future document. Routers which route IP packets have to have an "IP routing table". Let's say you have two border routers and you're selecting between two equal-specificity. experimenting with these things won't affect the outside world . This rule ensures that the router will do what is most natural .com/%7Emarkt/avi. (Rule 10) Now we're down to guessing. The customer won't like this . these documents use terminology used by the routing community.. which will probably not please that customer.

).cisco. the natural (and previously-though-to-be-correct-thing-to-do) is to "withdraw" that assertion if you in fact no longer know how to get to 192. You'll hear people say "damp" and "dampen". or considering how to do BGP in general. WHAT IS ROUTE FLAP AND WHY IS IT BAD? When you "assert" a route . but again . the things to keep in mind for each peer are: What routes do you want them to hear? Do you want to "tune" your announcements somehow (more on this later).204.204. you will be dampened by many providers for at least an hour or so. So even if you're only "single-homed". you will be dampened if your provider withdraws your routes every time your t1 flips up and down a few times because some Bell guy tripped over a wire.0/24" based on some internal knowledge that you actually do know how to get to 192.if you don't play with weights. What this means in practice today is that if your routes flap more than one or two complete up-down-up cycles. RIPv2. IS-IS.saying "I know how to get to 192. So do not ask your upstream provider to announce you unless it makes a difference (the benefit of being multiply-announced outweighs the possible negative effects of being dampened due to instability in either your or your provider's network). it was consuming so much CPU time a few years ago that Sean Doran of Sprintlink said "this must stop" and a few people came up with an idea (which Cisco implemented in record time) to "damp"(en) the "route flap"s. There's no real consensus about which is the correct term. OSPF. then Routes learned via BGP and other EGPs. In fact.. The exact order can be found in the Cisco documentation. and insert it as the current best path in their IP routing table.4/0. Here's a brief outline of the "order of preference" for filling the IP routing table. Connected routes (IP addresses and routes of router interfaces) first. Your provider(s) must then also withdraw that assertion.204.html They are more specific that any other route of "lower preference".4.4. this shouldn't be a worry. thousands of routers around the world now have to look at that route and decide if they have a next-best path in their BGP (or other routing) table. And then their provider(s) and peer(s) must do the same.com/%7Emarkt/avi. But look at what happens when you withdraw that assertion. there are ways to get other IGP-learned routes (say. via OSPF) to be preferred over static routes. though: Since static routes are really considered an "IGP" routing mechanism. The most important thing is to ensure that you do not redistribute routes that you are 16 of 26 04/02/00 15:06 . All in all. ..0. WHAT TO KEEP IN MIND WHEN CONFIGURING BGP When you're bringing up a new BGP session. This consumes many CPU-seconds on routers that are sometimes very busy. then Static routes (routes configured in router configurations with 'ip route' statements). One note.BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people. then Routes learned via an IGP (RIP. or They are the only route of a particular specificity.

which is just mutual sharing of customer routes.cisco. but in general. etc. as most networks are. and listens to your route announcements and then redistributes some or all of those to their peers and customers. With BGP. You create a default route towards your upstream provider.com/%7Emarkt/avi. This is the hard part (for them .. we'll devote a whole document to this in a month or two.. you could say "practice".just worry about understanding and configuring your end for now). you won't be advertised to the outside world specifically .getting global transit from upstream providers as opposed to peering.) your provider will just statically announce those routes to the world and statically route them inside their network to your leased-line/ router interface(s). BGP AND THE SINGLE-HOMED If you've only got one upstream provider. and all non. if you have any address space "inside" of your provider's larger "netblock" or "aggregate". and then probably redistributes their IGP into BGP . What we're talking about in this document is BGP and transit . Since every packet destined for the Internet (as opposed to your internal network ) is going to go out the 17 of 26 04/02/00 15:06 .local packets go out the interface specified by the route.unless all of their BGP is done statically (more on this in a future document). and redistributes those static routes into their IGP. And you don't really need "full routes" so that you can "run defaultless" if you're single-homed. customers with address space. to prevent the accidental "leaking" of more specific routes) or that the routes that they normally advertise for you under just their ASN will now have your ASN attached as well. and Your provider probably put static routes towards you on their side. Basically. your provider gives you all of the routes they have (the easy part). and What do you want to do with the routes that you hear via the session? Do you want to "tune them"? Only take some? Take them all? Do you have the memory and CPU in your router to really do what you want? BGP AND PEERING Actually.your provider will just advertise their larger block. why speak BGP to them? Well. If you have any other networks (an old Class C. no upstream provider's going to waste their time configuring BGP with you (since it generally involves a fair amount of behind-the-scenes work on their part) unless you have a good reason.BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people. INTERNET CONNECTIVITY WITHOUT BGP Let's review what happens when you are connected to the Internet without speaking BGP to your provider.html not providing "Internet connectivity" to. The net difference is "just" that they may start advertising a more specific route (no mean task in a complicated network designed.

The solution is to do good filtering on your end . you would black-hole Yahoo for a period of time. so you're multi-homed.com/%7Emarkt/avi. and either filter all incoming routes . they would not be very happy with you.or accept them if you feel you really want to. If you were to announce a route that was more specific than. But don't count on it.connected to the 'net. you might really want to wait and read the "Configuring a Cisco Router" document (also coming out in the next few months). If your provider is smart. To repeat: Screwups with BGP route advertisements can be felt all over the Internet. they will also implement "filters" to prevent you from screwing them and the Internet up. You'd also like "fail-over" routing. If you think you have a good case. Doing this basic level of route advertisement is not hard. Ideally. you'll have to argue around the flap argument even if you have your own provider-independent address space (if you're singly. So the most important thing about being multi-homed is the ability to have your routes advertised to your providers . If you do want to configure BGP and are single-homed. BGP AND THE MULTI-HOMED OK. Needless to say. (More on this later in this document). If you screw up BGP routing you may get slapped down pretty hard.e. or perhaps send a question off to the inet-access list and see if anyone can help.and may even be useful . why pollute the routing tables with an extra few routes by announcing your routes more specifically? You're on your own for the answers to these questions. Of course.and by them to their providers and peers (i. And for a summary of BGP-related Cisco commands. either talk to your current or potential provider. why bother all of the routers in the world by telling them whether you're reachable or not currently) and the routing-table space argument (if you're in your provider's IP space or "aggregate announcement"). What is the most important thing about BGP to you? The ability to have it announce routes. MULTI-HOMING AND LOAD-BALANCING Generally.BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people. The only really valid reason is that you want to be able to have more control in advertising your routes. Before you start playing with BGP. Getting "full" or "partial" routes from your providers is "cool" . see the BGP Cisco Commands sidebar. Screwups with BGP route advertisements can be felt all over the Internet. you'd like roughly half the traffic to go in and out of each connection. get a friend or another provider to review your proposed configs for you before implementing them. You just have to do it in a paranoid way. follow the instructions on how to announce your networks (routes). to "the rest of the Internet").000 or more routes heard via BGP. the goal of multi-homing is to use both connections in a sane manner and "load-balance" them somehow. it doesn't matter whether it's via one default route or via searching a list of 45. say. the otherwise-best route for Yahoo's web servers.cisco.but you can do almost as well by just load-balancing all outgoing traffic in either a "round-robin" or "route-caching" manner. If you do go ahead and are implementing BGP for the first time. where if one connection goes down the other one keeps you connected to 18 of 26 04/02/00 15:06 .and for your provider to also do excellent filtering wherever possible.html same router interface.

0) You'd first configure your router with: int Loopback0 descr Loopback interface for routes to be nailed to.100.0.255.100.0 Loopback0 10 ip route 192.0 255. You'll always set "next-hop-self" on all peering sessions. Incoming traffic is controlled by how you announce your routes to the world (packets will flow into your network because someone out there heard and is using a route announcement).no internal routes are ever passed from one of our routers to another one of our routers with BGP.BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people.255.and is thus much easier to control and tune. We'll talk a bit about how you load-balance incoming and outgoing traffic to and from your network. we set our routers up the way described below. Outgoing traffic is controlled by the routes that you allow to flow into your border router(s) .255. Configure a router BGP clause like the one below.44.8.255.0/17 (a /17 has a netmask of 255.0.128.128.204. For example.0 255.128.0 255. To do this: Add a static route for it to the Interface Loopback0 with a weight higher than any other static route for that network (higher numbers for static route weights mean that the routes are less preferred).0 Loopback0 10 ip route 206.0/16 (a /16 has a netmask of 255. While we do run BGP inside our network.0. into BGP.* ip as-path access-list 3 permit ^$ 19 of 26 04/02/00 15:06 .0) 192.126. with static network statements to announce your routes. some of which we'll talk about in future document. The way we at Net Access do it is by redistributing from our IGP (IS-IS).0.0) 207. You can think of the process described below as turning networks into route announcements. HOW TO ANNOUNCE YOUR NETWORKS We'll now describe the safest way to announce your routes via BGP.0. But when we first started speaking BGP.0 255.0/18 (a /18 has a netmask of 255.126. ip route 170.0/24 (a /24 has a netmask of 255. and "sanity filters" in place to make sure you only announce your routes and only take the routes you want.8.128.192.0 Loopback0 10 Then: ip as-path access-list 2 deny .204.0 Loopback0 10 ip route 207. See the sidebar on next-hop-self for an explanation.255.cisco.0.255.44.0) 206.255.html the Internet. you'd be able to have any one of your connections to the 'net go down and still maintain connectivity and speed. through a filter list.192. The safest way to announce your routes with BGP is to configure everything statically. In an ideal network.255. let's say you're routing the following networks (also called "netblocks" sometimes): 170. it's strictly to pass external route announcements through the various parts of our network .255. There are many other ways.255.com/%7Emarkt/avi.

0 mask 255.10.0 mask 255.127.cisco. To add more peers. Ciscos give you 30 seconds to finish typing the neighbor statement before they start trying to establish the session.255.0. (Loopback0 routes always stay installed since there's no physical interface to go down and cause the route to be withdrawn .0 mask 255.121 filter-list 2 in BEING ADVERTISED BY MULTIPLE PROVIDERS WITHOUT PI-SPACE Remember April 1997's document on getting provider-independent (PI) space? The reason it's so important to have "your own" ip space is that without it multi-homing is quite tricky and requires a lot of cooperation from your original provider.121 filter-list 3 out neighbor 137.0.0 mask 255.com/%7Emarkt/avi.121 next-hop-self neighbor 137. Why? 20 of 26 04/02/00 15:06 .0 network 207.127.10.127.126.html ip as-path access-list 3 deny .126.45 remote-as 4969 neighbor 207.192. so it will only announce routes .0.but it's better by far to be explicit about these things.10.BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people.10.255.106.128.and the effect would be the same .121 remote-as 701 neighbor 137.10.10.) This example uses a "deny everything" incoming filter.204.204.255. Actually.0 network 206.0 network 192. It is critical that you get those "neighbor somebody filter-list xxx . In order to nail them down. and (2) Those underlying static routes must not go away.45 next-hop-self neighbor 207.0.255.45 filter-list 3 out neighbor 207.255.192.106. the Loopback0 route (with a weight of 10.128. there must be: (1) Underlying static routes with the same netmask as each route being advertised with a network statement. based on the example above (note that the 64512 is a fictitious IP address).128. replace the "filter-list 2 in" with "filter-list 1 in".106.127. you could just not specify an "inbound as-path filter" . just create another similar neighbor statement.it won't accept any.0 neighbor remote-as neighbor next-hop-self neighbor filter-list 3 out neighbor filter-list 2 in Explanation: This method "statically nails down" the route announcements being advertised with the "network" statements. so the routes pointed to them will always be installed.0.0 mask 255.8.44.100.0 mask 255. router bgp 64512 network 170.0.10.0 network 206.255.10.100.0 neighbor 207.0 network 192.44.255.0 mask 255. which means it's only a "backup" route to any route without a weight at the end) will kick in and keep the BGP route advertisement stable. The purpose of the Loopback0 routes is to ensure that even if an existing primary route which matches the netmask of the route being announced (and this is often not the case) goes away.255.* router bgp 64512 network 170.128.255. If you want to accept all incoming routes. Here's an example of a completely filled-in bgp clause.the interface Loopback0 will always be up.106." statements in there by then.0 mask 255.0 network 207.8.. The best way by far to do it is to either cut and paste or tftp in a complete neighbor statement to the router.45 filter-list 2 in neighbor 137.255.

CONTROLLING OUTGOING DATA FLOW: "FULL ROUTING" Believe it or not. everywhere that oldprovider peers with anyone else (and this is usually at least 5-10 places). it's going to take modifications in oldprovider's 'border' routers to make incoming load-balancing work properly for you .0/20. This is why it's important to choose a primary provider based on how cooperative they'll be when you want to multi-home.96. but it's true that if you are multi-homed and have a sufficiently studly router (a Cisco 4500. CONTROLLING OUTGOING DATA FLOW: "PARTIAL ROUTING": "CUSTOMER ROUTES ONLY" If you can't take full routes from your providers. certain parts of oldprovider's network may actually prefer newprovider's t1 to get to you! The problem is that most large-ish providers use something called "aggregate-address statements" - and they certainly have some sort of filter to keep the more specific routes floating around inside of their networks from being advertised to the world.106.106.0/16. or 75xx will do. So filling your router with routes from all of your upstream providers means that.96.106.0/16 to the world.96. though AS-PATH length is a pretty poor selection tool. AS-PATH length will decide which one actually gets used. There is no advertisement for 207. You set up BGP with both oldprovider and newprovider. Now you want to multi-home. for routes of the same specificity. 4700.0.106.0.0. of your incoming traffic! In fact. they have to modify their aggregation statements or other filters to "allow" your more specific route announcement to pass through. There are many arguments for and against.0. So oldprovider announces only 207.html Let's say you are using 207. you're going to have to either not use BGP to balance 21 of 26 04/02/00 15:06 . advertised by newprovider.0 are not multi-homed.106.0/16 if the little. the world only wants to hear about 207. each provider obviously knows best the way to get to its customers. So you buy a T1 from newprovider. Suddenly.0/20 in this case . but Cisco 4000s and 2501s will not).cisco. Remember. so newprovider will wind up carry almost all. So what does oldprovider have to do? Blow holes in their "filter". See Fig 7 for examples and explanation. Basically.106. Remember. more specific routes inside of 207.com/%7Emarkt/avi. First.106.0.0. it's what we've got right now . advertised by oldprovider.and oldprovider may not want to do this. if not all. One way or another.any packet destined to 207. the most specific route always wins. Second.0/20. and 207. Your provider (let's call him oldprovider) has 207.0/20 will be picked up by the less specific (more general) route 207.106.106. There are a couple of reasons. accepting full BGP routing from your multiple providers is a Good Thing. you always want to send data to Sprintlink customers out your Sprintlink T1 and data to UUNET customers out your UUNET T1.BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people.106. 70x0. you don't need BGP to balance the flow of traffic from your network (outbound traffic).0/16.96. 720x.and it does bear some relation to an indicator of how "close" a given provider is to some other provider. if you're multi-homed to Sprintlink and UUNET. the world sees two routes for you: 207. See the sidebar for an explanation of how to balance outbound traffic without BGP.0./16. Meaning.

The minimum set of "less than full" routes you'll want to take is customer routes from each provider (from each provider. You can tell your providers to only send you customer routes . You should. Use something like the following: (Ciscos use ! at the beginning of a line to denote a comment line. Let's say you're triply-homed to Sprintlink. This is a problem if your providers include Sprintlink and MCI. For each provider. for example) then they may blast more than enough routes at you to "melt your router". since Sprintlink and MCI customer routes together are such a large percentage of "full routes" that you can't really put Sprintlink and MCI routes in Cisco 2501s or 4000s either. do not handle running out of memory gracefully at all. Unfortunately. get only the routes for them and their customers). however. The problem is getting just customer routes (also called "peering routes"). and will gleefully consume so much memory with routing data that basic command functionality gets trashed and someone needs to physically power cycle the router. they don't just shut down BGP routing .but put sanity filters in place to protect yourself.BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people.cisco. in particular. and Net Access.com/%7Emarkt/avi.* router bgp 64512 neighbor remote-as 1239 neighbor next-hop-self neighbor filter-list 3 out neighbor filter-list 40 in neighbor remote-as 701 22 of 26 04/02/00 15:06 . however.but if any one of your providers screws up (changes a filter list slowly.* ! Filter everything but UUNET (ASN 701) from UUNET ip as-path access-list 41 deny _3561_ ip as-path access-list 41 deny _1239_ ip as-path access-list 41 deny _1673_ ip as-path access-list 41 deny _174_ ip as-path access-list 41 deny _1_ ip as-path access-list 41 deny _4200_ ip as-path access-list 41 permit .* ! Filter the major providers from Net Access ip as-path access-list 42 deny _3561_ ip as-path access-list 42 deny _1239_ ip as-path access-list 42 deny _701_ ip as-path access-list 42 deny _1673_ ip as-path access-list 42 deny _174_ ip as-path access-list 42 deny _1_ ip as-path access-list 42 deny _4200_ ip as-path access-list 42 permit .) ! Filter everything but Sprintlink (ASN 1239) from Sprintlink ip as-path access-list 40 deny _3561_ ip as-path access-list 40 deny _701_ ip as-path access-list 40 deny _1673_ ip as-path access-list 40 deny _174_ ip as-path access-list 40 deny _1_ ip as-path access-list 40 deny _4200_ ip as-path access-list 40 permit . build an as-path access-list to use as a filter of what you will not accept from them.or crash and restart. Ciscos. UUNET.or take less than full routes. be able to put Sprintlink and any other few sets of customer routes or MCI and any other few sets in even a 2501 or 4000. when many brands of routers (Ciscos included) run out of memory.and most providers that do a significant amount of BGP can do this pretty easily .html outbound traffic . SO WHAT'S TO BE DONE? Get customer routes from your providers .

And thanks to Alec Peterson (ahp@hilander.and who 23 of 26 04/02/00 15:06 . and AGIS) make up the vast majority of routes . which I and many of my routing-geek friends patrol regularly.com/%7Emarkt/avi.com) for reviewing this document .or at least some ASN other than 1239. Sprintlink uses ASNs for each major POP (as do many other providers) . or Net Access screw up and blow you all of the routes they know about.com.but unlike other providers. Thanks to Dave Siegel (dsiegel@rtd. So if you want to make one path preferred or another one not preferred. The bottom line is that instead of below you'll have whatever ASN Sprintlink actually has you peer with. you'll still take their customer routes but won't take the vast majority of other routes from them. THANKS TO In no particular order: Thanks to Alexis Rosen at Panix (alexis@panix. will still have the ASN 1239 (which is Sprintlink's "peering" ASN) in the AS-PATH. you'll probably be peering with AS 179x . Any non-Sprintlink customer route.html neighbor next-hop-self neighbor filter-list 3 out neighbor filter-list 41 in neighbor remote-as 4969 neighbor filter-list 3 out neighbor filter-list 42 out That will ensure that even if Sprintlink.well over 80-85% of the routes out there. though. and we'll go into it in more detail next month. Thanks. or bgp@netaxs. BBN. UUNET. AS-PATH PADDING Some people just aren't content to leave things the way nature intended them.cisco. Note: If you're a Sprintlink customer. which we'll talk more about next month.or start optimizing ("tuning") routing. these ASNs are visible to the outside world. ANS. QUESTIONS AND COMMENTS I expect that this document will generate a lot of questions. This is done with route-maps. who told me about something new called BGP in 1993 at a Science Fiction convention in the DC area. AS-PATH padding is probably the most widely-used BGP tuning method. you can "pad" the AS-PATH with extra ASNs to make one path look longer than another. If you don't give them work to do they'll either sit and read news or Cisco documentation . if you make sure not to set weights or local_prefs. though (any route from the outside world). Please use either the inet-access list. AS-PATH length is going to decide which of multiple BGP routes of the same specificity will be preferred.net) who's shared his BGP experience with others since 1995. who sent me some last-minute suggestions for clarification and pointed out an ugly factual error. Bored routing engineers are very dangerous. (Sprintlink. Basically.BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people. Thanks to John Hawkinson (jhawk@panix.com). UUNET. PSI.com.com) of BBN. MCI. Please do not send them to freedman@netaxs.

192. but it's not going to be as strenuously objected to as not using next-hop-self. AS 4969 sets next-hop-self. Ciscos keep the originating address of a route intact in the next-hop field when they pass it from eBGP peer to eBGP peer. We'll use an exchange point environment to illustrate next-hop-self.87.69. etc.41. AS 64500 advertises it to AS 64600 (see the top diagram) without next-hop-self. When AS 64600 processes the route and installs it into the IP routing table.177.right to AS 4969's router. In this case. Refer to the figure (XXX) below. It turns out that this behavior is sometimes useful in large networks where there's an IGP running to tell every router which way to send a packet that says it came from 192. the next-hop used will be 192.41. the route as heard by 64600 has 192. Some people don't even like this (since it's a form of providing service to downstream customers over the "shared medium" of the exchange-point switches).NNN (AS 64500's mae-east IP address) in the next-hop field - though the AS-PATH and certain other fields still show that AS 4969 is the origin of the route. Setting next-hop-self causes a Cisco to override the originating address of a route and stamp instead its own address as the "next-hop" part of the route. When AS 4969 advertises 250..0/16 to AS 64500. the joy of route-maps) using my network when I didn't have the time. Sidebar on next-hop-self If you've followed the "peering and transit" discussions. Now.BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people. Remember that the critical parts of a route are: What the base IP address is.41.157. so the next-hop is 192. Sidebar on Outgoing Data Flow Control Without BGP 24 of 26 04/02/00 15:06 . you may have heard of the "next-hop-self issue"..41.x (some other provider's Pennsauken router). So when AS 64600 wants to send data to AS 4969 based on this route it'll "bounce the traffic off of" AS 64500's router. If AS 4969 really wants to. it can find out who the culprit is by passing a bogus route or two to each peer in turn.177. But this is really subtle and can screw you up big-time.177. but we're talking about eBGP here). But AS 64600 doesn't peer with AS 4969 . In the worst case you'll cause routing loops for yourself (examples of this will be given when we talk more about IGPs).87 (AS 4969's mae-east IP address). how big the route is (the specificity or netmask). AS 4969 might discover this "behavior" by running a few careful probes of other routers at mae-east.cisco. In the best case you'll piss someone off (if you forget to set "next-hop-self" in an exchange-point peering environment.html explored some of the more advanced BGP features (oh. People generally do not like this.com/%7Emarkt/avi.177. and what destination (next-hop) to use to send data to the IP space represented by the route. The solution is for 64500 to use next-hop-self as well (see the bottom diagram). AS 4969 would then look to see how it hears AS 64600 (who is announcing AS 64600 to AS 4969) and see if they're the culprits. In this case. and see when AS 64600's router starts using the bogus route.0. Here's the problem.x (some other provider's MAE-East router).yet it's going to send data to a route advertised by AS 4969 .20. (And ditto for iBGP.

the Cisco will keep a cache of all destinations you're sending packets to. If you do it this way.0 Serial1 You will almost certainly not be happy with the result! Unless "ip route-cache" is set on the interfaces in question. If you do this. with a weight of 10". If Serial0 goes down for some reason (actually. if the "line protocol" on Serial0 goes down).0. Data sent to site X out Serial1 may arrive in 30-100ms. and site X is on Provider A's network (and let's say that Provider A is at the other end of Serial0). 5. however: int Serial0 ip route-cache int Serial1 ip route-cache Note. Why is this bad? Well.0/0. the route will be invalidated and will go away.0 Serial0 ip route 0.0) goes out Serial0 with a preference of 0 (if you don't put a 4th field in an "ip route" statement on a Cisco. it doesn't hurt to be explicit. and be sent out the router interface towards the provider(s).0 0. the route with a lower weight will be around when Serial0 is up.0.BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people. the Cisco will simply "round-robin" outgoing packets. the "ip route-cache" command might be "ip route-cache cbus" or "ip route-cache optimum" or some other command.html Without BGP. This means that packets 1 and 3 could arrive before packets two in a pathologically worst-case scenario.0 Serial0 ip route 0. or 0.0.0. and will "lock 25 of 26 04/02/00 15:06 .com/%7Emarkt/avi. which will be the route through Serial1. Or even packets 1. it'll assume a weight of 0).0.0. Even though it has a lower weight. data sent to site X out Serial0 may arrive in 10ms.but even so." "Another default route is out Serial1. and 7 could arrive before packet2 does. Outgoing Data Flow: Option 1 Option 1 is to default to one provider and install a "backup default" to your other provider.0.0 0.0. it's the only valid route left to consider.0 Serial1 10 This says: "The default route (0.0.0.0. This kind of out-of-order (or even worse. that if you are using any Cisco bigger than a 2500 series. And actually.0.0.cisco.0 0. However. 3.0. so the Cisco will look for the next-best route. packet-lossy) performance spells doom for IP traffic.0.0.0.0.0 0. sending packet N out Serial0 and packet N+1 out Serial1. if you are sending data to site X. There are a few ways you can do this. Any packet not destined to the inside of the ISP's network will then hit the "wildcard". your only way to send data out (and the way 90% or more of the ISPs out there run their networks) is to default route into their provider(s). so it'll "win". this is done with: ip route 0. though.0. On a Cisco. or "default" route. Outgoing Data Flow: Option 2 Option 2 is to default equally to both providers.0. The fix is easy. many Ciscos come pre-configured with "ip route-cache" set on all of the interfaces .0. If you just do: ip route 0.0. there's a catch. netmask 0.0.

In general.html in" each destination to one specific interface. this kind of load-balancing works pretty well and is what people use when they can't accept "full BGP routes" from multiple providers. but poor use of your additional bandwidth (which can.cisco. this method leads to decent load-balancing (in the 40/60 to 50/50 split range). Anyway. TO BE DONE aggregate-address transit bgp and peering bgp: the provider's side: filtering as-path padding sync 26 of 26 04/02/00 15:06 . The worst case in this scenario is not IP degradation.com/%7Emarkt/avi. of course. lead to IP degradation if you need your second outgoing pipe because your first has a tendency to get full).BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people.