You are on page 1of 26




Diagrams will be up in a couple of days.
The HTMLizing of this document is NOT finished.
I haven't gone through to re-check it for accuracy.

This is intended for the first-time multi-homing small ISP. Feel free to give this to
any of your customers, and send me comments and updates to if
you think something can be illustrated or explained more clearly.

Have fun,

Avi Freedman Net Access

Everyone wants to know about BGP. What is it? How do you use it? What is it used for? We'll try to
explain at least the basics of BGP in this document.

This document is Copyright Avi Freedman, 1997. Distribution of the original or modified versions
for profit is prohibited, but please feel free to give it away.

eBGP vs. iBGP

1 of 26 04/02/00 15:05



Sidebar on Cisco BGP commands
Sidebar on next-hop-self
Sidebar on Outgoing Data Flow Control Without BGP

This is dangerous stuff. It's always best if you can test BGP configurations in a "lab" made up of a
few Cisco 2501s before implementing them in a live network connected to the Internet.
Unfortunately, there's no good reference on "using BGP" to refer people to. Reading the RFCs (the
Request For Comment documents that define the protocol at a low-to-mid-level), or even Cisco
documentation (Cisco did not invent BGP, but Cisco's BGP implementation is almost definitely the
most widely-used) does not really tell you enough. Many of the "routing gurus" out there got started
by looking at and working on running networks, where the architecture and implementation were
already done. Most of the rest, however, started with the basics and expanded their knowledge and
experience as their networks grew.

You need to know a bit about IP routing to digest this material. It also doesn't hurt to have a few of
the aforementioned test routers (at least two, one configured as you and one configured as your
provider). Don't be afraid to ask for help. Read your vendor's BGP documentation - all of it, even the
parts you don't understand. Try to get a number of "live configs" for whatever router you're using -
preferably from someone with a similar topology and similar goals.

BGP stands for Border Gateway Protocol. The popular "BGP" protocol that people speak of ("Can a
Cisco 2501 speak BGP?") in use is actually BGP4 (which differs from BGP3 the same way that
RIPv2 differs from the old RIP protocol - in that BGP4 and RIPv2 (the result of what some call
"unsuccessful brain surgery" on the original RIP protocol) allow the announcement of "classless
routes" - routes that aren't strictly on "Class A", "Class B", or "Class C" boundaries - but instead can

2 of 26 04/02/00 15:05

204. you know how to carry that data to its ultimate destination. some part of the IP space that is owned by someone else.html also be "subnets" or "supernets"). with static routes. The second most heinous sin of BGP routing is not having strict enough filters on the routes you advertise (more on this later). it's nice to have routing data for parts of the Internet in your routers. or Network Operations Center) and one or multiple "border routers" (where routers in that AS peer and exchange routes with other ASs).4.0/24 (the "Class C" starting at 192. MCI's. one way of thinking of those route "advertisements" is as "promises" to carry data to the IP space represented in the route being advertised. and makes many people unhappy. RIPv2. Before you invite people to send data to your network. Normally an AS will have someone or ones responsible for it (a point of contact.because if you advertise. You can do this simply.0 and ending at 192. For more information on "classless" or "CIDR" routes. But if you do want to "peer" with someone . you will be taking at least some external routes into your network (and will do so with BGP). Think everything that you do through in terms of how it could screw up. Anyway. typically called a NOC. or in a more complicated but robust way. external routing isn't something you have in your network. If you default route into one or more providers. all of the data on the Internet destined for the black-holed IP space will flow to your border router. if you advertise 192. SO WHY IS BGP INTERESTING? Well.204. That network could be yours.or to "multi-home" to multiple providers and have a little bit more control over where your data goes on the Internet. one terminology note: Classless routes are sometimes called "prefixes". But it is much more useful to tell people outside your network (upstream providers or "peers") about what routes (or portions of the IP address space) you "know how to get to" inside your network. or anyone's. Sprintlink's. with active internal routing protocols such as RIP.204. or promise to carry data to.BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people. or Autonomous System. ROUTING: INTERNAL (INTERIOR) AND EXTERNAL Internal routing is the art of getting each router in your network to know how to get to every location (destination) in your network. The primary purpose of BGP4 (as we're studying it here) is to advertise routes to other networks ("Autonomous Systems").0/24.255).204. The cardinal sin of BGP routing is advertising routes that you don't know how to get to. is a way of referring to "someone's network". this makes that address space "disconnected from the 'net" for the provider that owns the space. and that advertisement is more specific than the one made by the owner of that IP space. you've got to have a running and happy network to take the data.4. you promise that if someone sends you data destined for any address in 192. as well as a simple or complicated internal routing scheme so that every router in that AS knows how to get to every other router and destination within that AS. as mentioned above. When you "advertise" routes to other entities (ASs). It's obviously critical that any box inside your network know how to get (directly or indirectly) to any other box inside your network. Also. a friend's. Needless to say. see April's Boardwatch column. This is called "black-holing" someone . An AS. For example.4. and IS-IS. When someone talks 3 of 26 04/02/00 15:05 . the bottom line: Test your configs and watch out for

0/20 are not the same prefix (route). Trust me on this .10. ultimately. just as critically. no one on the Internet will be able to reach it. Bay routers. 4 of 26 04/02/00 15:05 .20. That host has to have a path back to you. This means that whoever provides "Internet connectivity" to that host has to have a path to you . which provides IP service for AOL). the reason that an AOL dialup user can send a packet to 10. and PC clones running Linux.x. He's connected to AOL. HARDWARE AND SOFTWARE FOR SPEAKING BGP The most commonly used implementations of BGP are Cisco routers. BSD.which.10.8. We're using 10.8. (Apologies to Riscom and ET. who in turn advertised that route to AS 690 (ANS.96. and 192. you need to be able to: Send a packet out a path that will ultimately wind up at that host.0. We'll explain more of the details below.BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people.10. Take a look at Figure 1.0/16). So 207. for each host that is "on the Internet". the Cisco implementation of BGP is relatively easy to use. PC-compatibles using gated are either the second. has advertised a route that covers it. but note the "Home Dialup User".but you've then got hardware that's not really as tested or reliable as a Cisco or Bay router.0/12. 172. Most networks will "filter" the RFC 1918 reserved space (10.168. so people use them in examples because they don't get you into too much trouble if you accidentally try to use them (sort of like the film industry's yyy-555-xxxx phone number convention).0/24 and 207. BEING "CONNECTED" TO THE INTERNET Throughout this discussion it's critical to think about what it means to be "connected" to the Internet. You can build cheap PC routers that route Ethernet and t1 and have more than enough CPU and memory to handle all the routes you'd need for quite some time . the leading vendors of T1 cards-for. which is served by ANS (AOL actually owns ANS). The corollary to this is that if there is not a generally-advertised route to cover an IP address.0/24 as an example. The 10. means that they have to "hear a route" which covers the section of the IP space you're using. In particular. We'll mostly use "route" in this document.1 (for example) is that the ISP (AS 64512) advertised that route to the two upstream providers (AS 4969 and AS 701).16.or third-largest community of BGP-speaking computers.PCs). or you will not have connectivity to the host in question.and a program called gated to manage BGP.x IP addresses are often used in examples because they're "reserved" space.the cost savings is usually not worth doing it this way. Every IP address that you can get to on the Internet is reachable because someone. I recommend using Cisco routers (for many reasons).cisco.0.and there's a huge community of routing engineers that's familiar with the Cisco implementation and algorithms (there's much that isn't specified in the RFCs and is left up to the vendor to decide).96.0/8.html about a prefix they're talking about a route with a particular starting point and a particular specificity (length). and debug . Cisco's online documentation (UniverCD) isn't the best (it lacks a large number of case studies) but is a very good learning tool. or some other Unix variant . somewhere.20. In order to be connected to the Internet.0.0. In this example. get examples for.

html Bay routers are the second-largest community of BGP-speaking boxes . A snippet of a Cisco "BGP clause" is: router bgp 64512 neighbor 207. however.106. In this example. the Bays do have a better architecture and are finally showing themselves to be more or less as stable as Ciscos. is just that .106.10. or Autonomous System Number. all you need to do is have that one line.46 is the remote IP address of a UUNET router (UUNET is ASN 701).a number used to represent that Autonomous System to the world. A typical "neighbor clause" is: router bgp 64512 (omitted lines) neighbor 207. you almost always use more than that one line to tell BGP how to exchange routes with that "neighbor" via that "peering session". and almost all configuration is done through a GUI (windowing) interface that drives most routing engineers nuts. Bay claims they're working on a command-line interface.122 is the remote IP address of a Net Access router (Net Access is ASN 4969).127. Remote.46 remote-as 4969 (omitted lines) The "clause" starts out by saying "router bgp 64512". 207. with respect to the customer's router. What I've seen of BCC looks quite promising. Bay is cheaper than Cisco.but we're talking about a very small percentage of the number of BGP. and solid. An ASN.127.'s a number in the "reserved" section of ASNs (ASNs go from 1-65535). PEERING SESSIONS AND ASNs: PART I There's a bunch of terminology associated with BGP.122 remote-as 701 (omitted lines) neighbor 137. BGP-speaking routers exchange routes with other BGP-speaking routers via peering sessions.127. most networks out there use (or at least show to the world) only one ASN.122 route-map prepend-once out neighbor 207.106. fast. 64512 is also a "reserved" number .cisco. and I promise to retract in print my slam of Bay when their command line interface looks featureful. pretty responsive to customers (though Cisco is as well).122 next-hop-self neighbor 207. On the other That number "identifies" your network to the world. See Fig 1 for a diagram of the network layout used in this example. but in the mean time most are throwing money at Cisco.10.127.106.BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people. Except for Sprintlink. We're going to talk about Cisco routers in these documents (and in this document in particular). or "Blatant Cisco Clone").106.127.122 send-communities neighbor 207. In practice.speaking Ciscos out there.127.106. This means "What follows is a list of commands that describe how to speak BGP on behalf of ASN 64512".127.122 filter-list 2 in (omitted lines) WHAT DO YOU DO WITH BGP? 5 of 26 04/02/00 15:05 .39. this is what it means to "peer with someone". In order to bring up a "peering session". that is. We already talked about Autonomous Systems (ASs). (BCC.39.122 remote-as 4969 neighbor 207. (It's much easier to debug BGP or other routing problems from a telnet session or over the phone than it is to have to guide someone through a GUI to examine or reconfigure a router). At a technical level.106.

160. "BGP Updates" will be sent from one router to the other each time one of the routers knows about a new BGP route or needs to "withdraw" a previous announcement ("promise"). Fast Ethernet.17 4 64512 5962 6894 1159870 0 0 10:08:46 206. For the purposes of this The 6451X ASes are BGP sessions to other Net Access routers (using confederations.44. all neighbors must be either on the other end of a leased-line from you - or on a LAN interface (Ethernet. PEERING SESSIONS The purpose of the "neighbor" clauses is to bring up "peering sessions" with neighbors. The "sho ip bgp summ" command will show you a list of all peering sessions: brain.245.5 4 64515 6078 5960 1159869 0 0 4d03h 207. each router will evaluate every BGP route it has by running it through any filters you specificity in the "neighbor" clause.106.1 4 6313 0 0 0 0 0 never Active 207.1 4 64514 1145670 237369 1159873 0 0 4d03h 207. The AS column is the remote ASN. which we'll talk about in a future document) - those ASNs are not shown to the world. main routing table version 1159873 44796 network entries (98292/144814 paths) using 9596344 bytes of memory 16308 BGP path attribute entries using 2075736 bytes of memory 12967 BGP route-map cache entries using 207472 bytes of memory 16200 BGP filter-list cache entries using 259200 bytes of memory Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State 205.106. Announce your routes to those providers.92. something is very wrong! BGP version 3 doesn't understand about Classless ("CIDR") routing and is thus dangerous.106.BGP ROUTING PART I: BGP AND MULTI-HOMING 4 3564 6109 310292 1159867 0 0 22:40:50 207.17 4 4231 161072 276660 1159870 0 0 2d05h 207. Every time a neighbor session comes up.91. and. InQ is the number of routes left to be sent to us. 6 of 26 04/02/00 15:05 .106.127. FDDI).but "eBGP multihop" is a more advanced topic and has many potential pitfalls.16 4 64512 6128 6782 1159870 0 0 4d03h 207.4 4 3564 6086 274182 1159853 0 0 4d03h 207. briefly: The "V" column is the BGP version number.33.92. While the session is up.106.3 4 64513 164708 724571 1159866 0 0 3d23h 207.159. If it is not 4.7.5. for them to in turn to announce to others (transit) or just use internally (in the case of peers). Any routes that "pass" the filter are sent to the remote end. It is possible to have BGP peering sessions that go over multiple "hops" .6 4 6078 5793 310011 1159869 0 0 2d03h This is a session summary from one of Net Access's core routers. OutQ is the number of routes left to be sent to the other side.90.html Speaking BGP to your provider(s) and/or peers lets you do two things: Make (semi-)intelligent routing decisions (decide what is the "best" path for a particular route to take outbound from your network. more ip bgp summ BGP table version is 1159873. as opposed to simply setting a default route from your border router(s) into your provider(s)). Most of it is pretty self-explanatory.106.

com/%7Emarkt/ have to put "filters" in place to stop it from doing so. while iBGP is used to exchange routes between the same Autonomous System. Why? Well. since the 207.0/16 route covers that space as well. BGP AND THE SINGLE-HOMED When you have one upstream provider. it's almost guaranteed that you are using sub-allocations (CIDR delegations.106. if you are using 207. This is called a "routing mesh" and. Just one of the nomenclature flaws of BGP. This can be a pain (you don't want to accidentally merge your IGP with a customer's or peer's) but turning off broadcasting on certain ports is easier than turning on peering sessions between a new router and every other router on your network. iBGP We're talking about eBGP in this document. RIPv2.0/16 netblock. RIP.0. Anything in the State column indicates that the session is not up.if you are in your provider's address space. it is rarely desirable to speak BGP to them.000 BGP routes isn't going to do you any good. IS-IS. as you can imagine. More on all of this below. each router has to peer with every other router. all iBGP-speakers inside your network have to peer with all other iBGP "speakers" in order to make it work.106. also a topic for a future document.96. The only way to reach you is going to be through your provider .0/20 route makes no difference .0.106. and also share some of the algorithms. having the 207. eBGP vs. iBGP is actually pretty difficult to get working because it tries like crazy not to redistribute routes . iBGP. but eBGP is used to exchange routes between different Autonomous Systems. If you have 20 routers.BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people. The major difference between eBGP and iBGP is that eBGP tries like crazy to advertise every BGP route it knows to everyone . For example.96. since all of those routes point to the same place (your one upstream provider). iBGP has major drawbacks as an IGP. We'll talk more about iBGP in a future document when we cover all of the major interior routing protocols: OSPF. you only have one path out of your network.106. In this case your provider is not going to advertise your more "specific" routes because: It's pointless to waste slots in thousands of routers around the world .the packet still goes to the same place.0 be "out there" is redundant. The solution to this is "BGP confederations". In fact.106. other networks will get to you just as well by following the announcements of the aggregate blocks as if they also saw your more specific routes being advertised. is quite a mess. So filling your router with 45.html The Up/Down column is the time that the session has been up (if nothing is in the State column) or down (if something is).cisco. Note: A State of Active means that the session is inactive.whether the outside world sends a packet to that provider based on a 207. iBGP is one of the "interior routing protocols" that you can use to do "active routing" inside your network. iBGP doesn't do as good a job at "convergence" (closing the gap and re-routing around failed network segments) as OSPF and IS-IS. So the world would prefer to not see that 207. The main one is the necessity to "peer up" every set of routers in your network (or in one POP if you're using confederations).96. to be precise) of their larger IP blocks ("aggregates"). And if you have one upstream provider.0/20 out of your provider's 207. Also.0.0. since it takes up an 7 of 26 04/02/00 15:05 .in fact. Also. Protocols like OSPF and IS-IS just "find" each other over serial and Ethernet interfaces (they're "broadcast" protocols). eBGP and iBGP share the same low-level protocol for exchanging routes.96.0/16 or 207.106.106.

If you have "full routes" in one of your routers. enough routers out there severely penalize you if your route(s) "flap" that you want your provider to always advertise you (and thus not make internal instability reflect itself on a global level). If you do some poking around. As a route moves from Autonomous System to Autonomous System (network to network). you won't be black-holed unless your provider flaps their /16 announcement (which should in theory be less likely .if it isn't. And only the a route of the same specificity can be considered another "view" of a route.0/16.html extra slot in the global routing tables. it is "stamped" with the ASN of the router doing the advertising. But if you're behind 207.106.0/ blocks that show the routes as they move from hop to hop show you the AS-PATH accumulating as the route moves from network to network. Or perhaps you want to make sure you only send routes originating in your network. While it's true that most filtering is now done with communities (a community is another number which you can stamp on a route heard or to be announced via BGP . Each route starts out with a "null AS-PATH". put into the IP routing table) when you're just starting out. There are many reasons (which will become clear as you read on) why you'd want to filter based on the AS-PATH. you'll be "black-holed" from large sections of the Internet. they have to withdraw that routing assertion. AS-PATHS Every time a route is advertised via BGP. you can find the route that encompasses a particular IP address and see which ASNs have advertised it.. you use the AS-PATH to filter The AS-PATH is useful for a number of reasons: It provides a "diagnostic trace" of routing on the 'net.0. Why? If your T1 goes down and your provider is advertising you as 207. you won't need anything fancier for quite some time. (Hearing another "view" of a route takes up almost 10 times less memory than hearing another route. AS-PATH LENGTH AND BGP ROUTE SELECTION For routes of the same specificity. See Fig 1 . your provider should always advertise your routes (specific or in the aggregate) to minimize CPU consumption on routers world-wide due to "route flap". MCI.) It is one of a number of metrics that determine how routes "heard" via BGP are inserted into the actual IP routing table. choose another provider).cerf.basically.96. represented by the regular expression "^$". you can even see how a provider is actually connected (as opposed to what they might claim.we'll go into communities shortly). 8 of 26 04/02/00 15:06 .BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people. so watch out) . Also. AS-PATH filtering the best "first step" that you can work with to get comfortable with filtering routes.) If there's always one and only one path to your network. and ANS route from one provider (because of limited memory in your router). as-path length is going to be the deciding factor in choosing which of multiple routes gets used by the router (i. or have "query access" to a router that does (such as telnet:// Why would you want to do this? Perhaps you only want to take UUNET.106.e. And if your network is fairly simple (as 90% of the networks out there are). It is something that allows you to do "policy routing" of sorts (though policy routing has many different definitions.. If you go up and down enough times to flap. it builds up an "AS-PATH".

and regexp is very similar to Unix "regular expressions".html See Fig 2 for a sample list of routes from an actual BGP routing table . the regexp "_1_" will match the string "3561 1 64000" but not "3561". etc. Each charN expression can be an actual number or other symbol. (The problem is that if you don't anchor NNN with "_"s on either side. AS-PATH ACCESS LISTS (FILTERS) We'll use Cisco commands to illustrate AS-PATH filtering and "regexp matching".BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people. The only special symbols you'll want to escape when matching against AS-PATHs are the parens. (See Fig 3 for a summary of regexp characters. only use * in conjunction with parens.. and the O'Reilly and Associates Regexp book for more information about regular expressions). [char1char2char3] matches any one of char1. which pop up in 9 of 26 04/02/00 15:06 . Fig 3 Regexp characters: NNN match the characters NNN (where each digit of NNN is from 0-9) ^ match the beginning of a string $ match the end of a string _ match any of {space. a-z).. To be safe. Notice. (regexp) enclosing another regexp in parens means that the appearance of that regexp is optional * the * operator means that the previous regexp can be matched 0. beginning of a string.e. Fig further explanation. or end of a string} _NNN_ match the "word" or "distinct number" NNN. or a range (i. char3. Thus. Each line of a Cisco AS-PATH filter looks like: ip as-path access-list NNN permit regexp or: ip as-path access-list NNN deny regexp Where NNN is the number (same as the name in the case of as-path access-lists). A SNIPPET OF A BGP ROUTING TABLE COMING SOON TO A TUTORIAL NEAR YOU. 1. you can escape them by putting a \ in front of them. the >'s to the left of the some of the routes. Thus. If you want to match any of the special symbols. char2. or any number of times. The ">" indicates the route that the router currently thinks is "best" when there are multiple choices. (regexp)* matches the regexp inside the parens 0 or any number of times. you might match something you don't really want to). 0-9. 2.

it never hurts to add one just to be safe (we'll do that below). Important note: On Ciscos. Each rule is listed in the order it will be applied.BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people.* This is also a handy one to have around. Remember the first rule of Cisco access-lists: There's an implicit deny .* ip as-path access-list 1 deny . or "send only my routes" filter. Example 1: ip as-path access-list 1 permit . by default. you need to enclose ASNs within underscores to be sure of matching only the ASN you're looking for.html AS-PATHs when you use BGP confederations. a portion of UUNET could start sending all of its Sprintlink traffic through your t1 and you'd hurt a reasonable chunk of the Internet. and no further rules are processed.*" at the end of every Cisco filter list). but you should always be paranoid when dealing with BGP. Once a route has been matched by any rule.*" rule is useless here. the decision on whether to pass the route through the filter or to drop it (and thus not let it pass) is made immediately. Thus. regexps are matched against the AS-PATH as if the whole thing is a string. each route is passed through the access-list. This could lead to VERY BAD THINGS happening. Both Sprintlink and UUNET do things to prevent you from doing this. not a sequence of numbers. as you'll see below.* at the end of every access list. A quick note: For those playing with BGP confederations on your own (a topic we'll talk about in a 10 of 26 04/02/00 15:06 .*" is completely extraneous to the filter . since the router would insert that rule anyway (remember.every route has already passed through the first line and the second line is never actually used. Example 2: ip as-path access-list 2 deny . except as a safety precaution. you might well want to always remember the number of this "deny everything" access-list .cisco.* This access-list is the other of the triad of ever-handy ones: It permits only routes that originate within your AS (because of network statements or "redistribute" statements in "router bgp" clauses somewhere within your network). it permits every route to flow through the filter. cause a router to redistribute every BGP route that the router knows about. (If you redistributed all of Sprintlink's routes into UUNET.* This is a good one to have around.the opposite of the "permit everything" list Example 3: ip as-path access-list 3 permit ^$ ip as-path access-list 3 deny . If you have these three as-path access-lists installed and remember their numbers you'll save yourself a lot of time you'd otherwise spend searching online or through config files to find where you put your "send everything". there's an implicit "deny . "send nothing". Remember: BGP between different ASNs (eBGP) will. We'll explore regular expressions and as-path access-lists by example. How do access-lists work? When used as a filter. Even so. the "deny . The "deny .) Again.

) So . UUNET. Or you'll be using BGP communities instead of AS-PATH filtering to control which routes you redistribute Everyone else please ignore this paragraph. Note: You may actually need to put quotes around the "ASN NNN". unless you want to try to parse the regexp above as an loads with multiple full BGP routing tables. this should yield about 45. 11 of 26 04/02/00 15:06 . where NNN is the ASN. and AGIS routes.or both . ----------------------------------------------------------------------------- Example 4: ip as-path access-list 20 permit _1_ ip as-path access-list 20 permit _701_ ip as-path access-list 20 permit _174_ ip as-path access-list 20 permit _1673_ ip as-path access-list 20 permit _4200_ ip as-path access-list 20 deny . PSI.. should be retired by now) 4969 Net Access (which will appear in the examples) There are hundreds of ASNs in use in the Internet. and permits all other routes. To find out who "owns" an ASN (funny concept . 690. "3561 1 6000". If you want to take a look at live ASN info.but not "701". please consult Fig 4 for a list of common ASNs you'll see when examining routes.. Example 5: ip as-path access-list 20 deny _3561_ ip as-path access-list 20 deny _1239_ ip as-path access-list 20 permit . a Cisco that cerf. As of 4/97. should be retired by now) 1 BBN 4200 AGIS (the old Net99 ASN. "_1_" would match "1". which has a bit of history in the Internet. issue a WHOIS query on "ASN NNN".this as-path access list permits. especially if you're doing the whois query from a command line.* The _NNN_ notation means "match NNN as a distinct word". you might want to do this to accept some routes from one of your providers in an attempt to load-balance traffic a certain way (perhaps you've noticed that provider B gets better BBN connectivity than provider A. check out http://www. and thousands of ASNs in use in internal networks all over the world.. BBN.owning a 16-bit integer). 3830.something like: "ip as-path access-list 30 permit ^(\([0-9 ]*\))*$". (ASN 1 is used by BBN.html future document) note that your "permit internal routes only" filter might have to look something different ("permit ^$" will no longer be enough) . but 1239 will always appear somewhere in the AS-PATH when looking at Sprintlink routes from some other provider) 701 UUNET 174 PSI 1673 ANS (the old ANS ASN. This means that NNN must have whitespace on either side of it (or must be the first or last word .cerf. ----------------------------------------------------------------------------- Fig 4 Common ASNs 3561 MCI 1239 Sprintlink (Sprintlink also uses other the AS-PATH).com/%7Emarkt/avi.merit. If you had a Cisco 2501. and "3561 1" . and denies all other routes. For Examples 4 and 5.BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people.* This filter denies any MCI or Sprintlink route.000 or telnet to route-server.. in order.

b.BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people. ENTERING.d filter-list new-number in" (use the same method for outbound as-path filter-lists). 12 of 26 04/02/00 15:06 . So. the routes would fit in but the 2501 didn't have enough CPU. appending an explicit "deny . the Cisco has no way of knowing that you want to delete the old list.*" at the end of as-path access-lists (actually. It used to be that all routes on the 'net fit in a 2501 with 16mb . So. This is the safe way to do replace the old as-path access-list and change the "neighbor as opposed to simply typing the new list in.b. Then. "as-path access-list 3" above).*") and the third rule would never be looked at. as a security blanket." clause back to its original state. If you have anything but "permit" clauses in your access-lists. Sprintlink. or: If you know what you're doing. since every route would either be permitted or denied by the time the router had finished evaluating the second rule (the "deny . to modify an existing access list.d filter-list . MODIFYING.b. perhaps as a brain-o): ip as-path access-list 3 permit _1239_ You would alter the functionality of an existing filter list and potentially start redistributing Sprintlink routes to your peers and/or upstream providers.c. you can just enter "no ip as-path access-list NNN" to delete the list. all of the routes on the 'net except for MCI. modify the "router bgp" clause's "neighbor a.* Then adding a third rule of: ip as-path access-list 3 permit _1239_ Would have no effect. either: Enter a new list with a different number. Please use the first method. Now. AND DELETING as-path access-lists The major reason we usually append an explicit "deny . But if you had: ip as-path access-list 3 permit ^$ ip as-path access-list 3 deny . or both will fit in a 2501 and still let it function at at least a single t1's worth of throughput.d filter-list NNN in" clause by just typing "neighbor a.*" to a list ensures that you will at least not be able to modify an existing list's functionality.*" mode until the new list is in place..c. all filter-lists in Ciscos) is that if you already have an as-path access-list of a certain number (say. Then.. Let's say you had: ip as-path access-list 3 permit ^$ And then you configured (perhaps as a typo.c. you can do damage (redistribute routes you shouldn't) by not using the first method. and you try to re-enter it. then enter the new list (preferably via cut-and-paste or tftp.and that the 2501 could still function.html This will fill up a 2501 with absolutely all of the routes it can take and still function well. since any filter that refers to that list will be in a "deny .

html BGP METRICS (ATTRIBUTES) AND ROUTE SELECTION: INTRODUCTION First. prefer the path with the lowest origin type (where IGP is lower than EGP. remember the primary rule of IP routing: The most specific route always wins. BGP uses the following criteria. and EGP is lower than Incomplete). rules for how a Cisco will select the "best BGP" route when there are multiple BGP route possibilities of the same specificity. If all paths have the same AS_path If the origin codes are the same.BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people. 5. BGP PATH SELECTION PROCESS ACCORDING TO CISCO It is: "BGP selects only one path as the best path. If the weights are the same. the most likely way the router's going to pick the best route (if you aren't playing games with weights) is by looking at the AS-PATH lengths. 9. to select a path for a destination: 1. 10. If the local preferences are the same. For "competing" BGP routes. 7. prefer the path that was originated by BGP running on this router. prefer the external path over the internal path. Prefer the path with the largest weight. Unless you set them yourself. Externally originated AS-PATH length BGP metric (MED) BGP weight. When the path is selected. prefer the path with the lowest MED attribute. It goes (basically): Route specificity and reachability and reachability BGP weight metric BGP local_pref metric Internally originated vs. They can be unset (zero) or can be set. 8. 4. prefer the path with the largest local preference. BGP puts the selected path in its routing table and propagates the path to its neighbors. If the paths have the same MED. If the path specifies a next hop that is inaccessible. and local_pref metrics are just integers associated with each route. MED. 6. If no route was originated. 2. prefer the route that has the shortest AS_path. 3. prefer the path through the closest IGP neighbor. If the paths are still the same. drop the update. however." 13 of 26 04/02/00 15:06 . as specified by the BGP router ID. There are. in the order presented. it's unlikely that you'll have to worry about them. Prefer the path with the lowest IP

Dangerous stuff. 4 MULTI_EXIT_DISC 0-2^32 A weight. designed to go outside and inside of an ASN. 14 of 26 04/02/00 15:06 . BGP weights are 32768 for routes originated by. a higher weight is better. false. 8 COMMUNITY 0-N 4-byte values ("communities") To be covered in a future document. go to: http://www. 9 ORIGINATOR_ID Used for BGP Route Reflection To be covered in a future document. Straightforward except that "Incomplete" means that the route got into BGP by redistribution from an IGP. 2 (Incomplete) This attribute specifies the origin of a route. 10 CLUSTER_LIST Used for BGP Route Reflection To be covered in a future document. and 0 for routes coming from other 1 ORIGIN 0 (IGP). otherwise. 1 (EGP). true. 5 LOCAL_PREF 0-2^32 A weight.html In addition to the "core" data about a route (where in the IP space it starts. Data to indicate who formed the route if the route is an aggregate of smaller routes. Briefly: (Rule 2) If you don't set them explicitly. see: RFC 2042: Registering New BGP Attribute Types RFC 1997: BGP Communities Attribute RFC 1773: Experience with the BGP-4 protocol RFC 1771: A Border Gateway Protocol 4 (BGP-4) To get an RFC. Present if this route was not the most specific one known by the advertiser. where to send data destined for this route.BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people. 3 NEXT_HOP IP Address The most critical not designed to go outside of an ASN. and what the next hop is. Fig 8: BGP attributes For more info. 2 AS_PATH 0-N 2-byte values A list of the ASNs of all ASs the route has traversed.Ip address} pair. there is other data embedded in BGP routes.txt BGP ATTRIBUTE TYPES Value Code Possible Values and is set to 100 by default. The rules above are fairly straightforward. A higher weight is "better" (means the route will be preferred over a route with a lower weight). how long it is (the "specificity"). 7 AGGREGATOR {ASN. 6 ATOMIC_AGGREGATE TRUE/FALSE: If present. but use some of the route attributes that we'll be getting into in more detail in the future. The BGP weight is not actually an attribute (in that it's not redistributed from one router to another as part of a BGP route update).---------------. Again. most of which are either used for route selection or for additional debugging information for humans. (Rule 3) The local_pref is a BGP attribute.

if you prefer an external route for that customer.or configured statically (in the router's configuration store).AS-PATH-length. Since I am a Cisco proponent.. with a Cisco dialect. EGP means it was heard via BGP from a remote AS.but it could make your customers very experimenting with these things won't affect the outside world . In that table are one or more routes of a particular {starting point. you could wind up preferring an external route for that customer if you set the BGP weight or local_pref too high (or at all) for external routes. EGP vs. local_prefs. and incomplete means it was injected into BGP by "redistributing" from an IGP. IGP means a route was injected into BGP with a "network" statement. Again. metric}. We'll be talking about using these metrics in the near future. This IP routing table gets filled with routes heard from various sources . Realize that if you advertise routes for a customer that you hear via BGP. or MEDs have been set. Routers which route IP packets have to have an "IP routing table".5) Setting weights and local_prefs gives you some control over "routing policy". (Rules 7-8) A MED (or "BGP metric") is Yet Another Weight you get to play with. Please experiment first on test or lab networks! If you've got proper filters in place. there's some notion kept with each route of the "distance" for each route as it's passed around your network. There has to be some tie-breaker. routes - one from each border . length. though it can get confusing. these documents use terminology used by the routing community. with diagrams. Another very big caution: BGP weights and local_prefs are very powerful. The customer won't like this . as it involves an understanding of how IGPs such as OSPF and IS-IS function. (Rule 10) Now we're down to guessing.. We use MEDs internally at Net Access to tune things (because we prefer to let the router first pick the route with the shortest AS-PATH. BGP routes migrate into the IP routing table only if: 15 of 26 04/02/00 15:06 . filtering based on AS-PATH data should be more than sufficient. equal. We'll explain this more. you're not going to advertise them to your transit providers any more. see for more details. IGP EGP usually means "External Gateway Protocol". which will probably not please that customer. in a future document. Cisco chose to make this the final factor.. because different people and vendors use different terminology for the same thing. that document shows you how to set these metrics.BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people.and that no weights. (Rule 6) Origin isn't something you get to play around with. but for beginners. IGP usually means "Interior Gateway Protocol". and BGP weights and local_prefs are looked at before AS-PATH length). (Rule 9) If you run "active routing" internally (an IGP other than static routes). If you want to experiment in the mean-time. you typically won't be setting this until you have worked more with BGP. This rule ensures that the router will do what is most natural . Let's say you have two border routers and you're selecting between two send the packet towards the closest router of the two routers advertising the route.html (Rules 2-3. For further reading. and since BGP router ID should be

WHAT TO KEEP IN MIND WHEN CONFIGURING BGP When you're bringing up a new BGP session. you will be dampened if your provider withdraws your routes every time your t1 flips up and down a few times because some Bell guy tripped over a wire. OSPF. In fact. Connected routes (IP addresses and routes of router interfaces) first.. the natural (and previously-though-to-be-correct-thing-to-do) is to "withdraw" that assertion if you in fact no longer know how to get to 192. this shouldn't be a there are ways to get other IGP-learned routes (say. and insert it as the current best path in their IP routing table.204. The exact order can be found in the Cisco documentation. it was consuming so much CPU time a few years ago that Sean Doran of Sprintlink said "this must stop" and a few people came up with an idea (which Cisco implemented in record time) to "damp"(en) the "route flap" then Static routes (routes configured in router configurations with 'ip route' statements).. or They are the only route of a particular specificity. IS-IS. you will be dampened by many providers for at least an hour or so. There's no real consensus about which is the correct term. then Routes learned via an IGP (RIP. RIPv2.if you don't play with weights. but again . So do not ask your upstream provider to announce you unless it makes a difference (the benefit of being multiply-announced outweighs the possible negative effects of being dampened due to instability in either your or your provider's network).4/0. .204. The most important thing is to ensure that you do not redistribute routes that you are 16 of 26 04/02/00 15:06 . One note.0/24" based on some internal knowledge that you actually do know how to get to 192.html They are more specific that any other route of "lower preference". But look at what happens when you withdraw that assertion. Here's a brief outline of the "order of preference" for filling the IP routing table.0. What this means in practice today is that if your routes flap more than one or two complete up-down-up cycles. or considering how to do BGP in general. This consumes many CPU-seconds on routers that are sometimes very busy.204. All in all. And then their provider(s) and peer(s) must do the same. via OSPF) to be preferred over static routes. the things to keep in mind for each peer are: What routes do you want them to hear? Do you want to "tune" your announcements somehow (more on this later).).4.saying "I know how to get to 192. WHAT IS ROUTE FLAP AND WHY IS IT BAD? When you "assert" a route . though: Since static routes are really considered an "IGP" routing mechanism.BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people.4. So even if you're only "single-homed". then Routes learned via BGP and other EGPs. thousands of routers around the world now have to look at that route and decide if they have a next-best path in their BGP (or other routing) table. Your provider(s) must then also withdraw that assertion. You'll hear people say "damp" and "dampen".

html not providing "Internet connectivity" to. to prevent the accidental "leaking" of more specific routes) or that the routes that they normally advertise for you under just their ASN will now have your ASN attached as well.getting global transit from upstream providers as opposed to peering.local packets go out the interface specified by the route. if you have any address space "inside" of your provider's larger "netblock" or "aggregate". you could say "practice".BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people. and Your provider probably put static routes towards you on their side. customers with address space. Since every packet destined for the Internet (as opposed to your internal network ) is going to go out the 17 of 26 04/02/00 15:06 .unless all of their BGP is done statically (more on this in a future document). INTERNET CONNECTIVITY WITHOUT BGP Let's review what happens when you are connected to the Internet without speaking BGP to your provider. and all non. you won't be advertised to the outside world specifically . but in and then probably redistributes their IGP into BGP . BGP AND THE SINGLE-HOMED If you've only got one upstream provider.just worry about understanding and configuring your end for now).cisco. we'll devote a whole document to this in a month or two.. Basically. And you don't really need "full routes" so that you can "run defaultless" if you're single-homed. You create a default route towards your upstream provider. as most networks are. why speak BGP to them? Well. and What do you want to do with the routes that you hear via the session? Do you want to "tune them"? Only take some? Take them all? Do you have the memory and CPU in your router to really do what you want? BGP AND PEERING Actually. your provider gives you all of the routes they have (the easy part).) your provider will just statically announce those routes to the world and statically route them inside their network to your leased-line/ router interface(s). If you have any other networks (an old Class C. and listens to your route announcements and then redistributes some or all of those to their peers and customers. no upstream provider's going to waste their time configuring BGP with you (since it generally involves a fair amount of behind-the-scenes work on their part) unless you have a good reason. which is just mutual sharing of customer routes.. With BGP. and redistributes those static routes into their IGP. The net difference is "just" that they may start advertising a more specific route (no mean task in a complicated network designed. etc. What we're talking about in this document is BGP and transit . This is the hard part (for them .your provider will just advertise their larger block.

You'd also like "fail-over" routing. So the most important thing about being multi-homed is the ability to have your routes advertised to your providers . Screwups with BGP route advertisements can be felt all over the Internet. If your provider is smart. see the BGP Cisco Commands sidebar. you might really want to wait and read the "Configuring a Cisco Router" document (also coming out in the next few months).cisco. and either filter all incoming routes .e. If you were to announce a route that was more specific than.html same router interface. What is the most important thing about BGP to you? The ability to have it announce routes. Of course.or accept them if you feel you really want to.BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people. Doing this basic level of route advertisement is not hard. Getting "full" or "partial" routes from your providers is "cool" . To repeat: Screwups with BGP route advertisements can be felt all over the Internet. so you're multi-homed.000 or more routes heard via BGP. the otherwise-best route for Yahoo's web servers. You just have to do it in a paranoid way. you would black-hole Yahoo for a period of time.and for your provider to also do excellent filtering wherever possible. you'd like roughly half the traffic to go in and out of each connection. why pollute the routing tables with an extra few routes by announcing your routes more specifically? You're on your own for the answers to these Before you start playing with BGP. either talk to your current or potential provider. BGP AND THE MULTI-HOMED OK. why bother all of the routers in the world by telling them whether you're reachable or not currently) and the routing-table space argument (if you're in your provider's IP space or "aggregate announcement"). MULTI-HOMING AND LOAD-BALANCING Generally.but you can do almost as well by just load-balancing all outgoing traffic in either a "round-robin" or "route-caching" manner. the goal of multi-homing is to use both connections in a sane manner and "load-balance" them somehow. If you think you have a good case. If you screw up BGP routing you may get slapped down pretty hard. If you do go ahead and are implementing BGP for the first time. The solution is to do good filtering on your end . The only really valid reason is that you want to be able to have more control in advertising your routes. Ideally. Needless to say. to "the rest of the Internet"). If you do want to configure BGP and are single-homed. you'll have to argue around the flap argument even if you have your own provider-independent address space (if you're singly. it doesn't matter whether it's via one default route or via searching a list of 45.and by them to their providers and peers (i. say. (More on this later in this document). get a friend or another provider to review your proposed configs for you before implementing them. or perhaps send a question off to the inet-access list and see if anyone can help. follow the instructions on how to announce your networks (routes). they would not be very happy with you.connected to the 'net. they will also implement "filters" to prevent you from screwing them and the Internet up. But don't count on it. And for a summary of BGP-related Cisco commands. where if one connection goes down the other one keeps you connected to 18 of 26 04/02/00 15:06 .and may even be useful .

0.44.0/16 (a /16 has a netmask of 255.0. We'll talk a bit about how you load-balance incoming and outgoing traffic to and from your network.255.BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people. You'll always set "next-hop-self" on all peering sessions. For example.8.0 Loopback0 10 ip route 192. See the sidebar on next-hop-self for an explanation.44.0.192.and is thus much easier to control and tune.0 Loopback0 10 ip route (a /17 has a netmask of 255.0/18 (a /18 has a netmask of 255. and "sanity filters" in place to make sure you only announce your routes and only take the routes you want.128.100.255. Configure a router BGP clause like the one below.0 Loopback0 10 Then: ip as-path access-list 2 deny .0 Loopback0 10 ip route 206. To do this: Add a static route for it to the Interface Loopback0 with a weight higher than any other static route for that network (higher numbers for static route weights mean that the routes are less preferred).0) internal routes are ever passed from one of our routers to another one of our routers with BGP.255.255.255. While we do run BGP inside our network. HOW TO ANNOUNCE YOUR NETWORKS We'll now describe the safest way to announce your routes via BGP. The way we at Net Access do it is by redistributing from our IGP (IS-IS). There are many other ways.0/24 (a /24 has a netmask of 255.192.126. some of which we'll talk about in future document. through a filter list.255.255. into BGP. ip route 170.html the Internet. In an ideal network. let's say you're routing the following networks (also called "netblocks" sometimes): 170.204. Incoming traffic is controlled by how you announce your routes to the world (packets will flow into your network because someone out there heard and is using a route announcement).204. The safest way to announce your routes with BGP is to configure everything statically. Outgoing traffic is controlled by the routes that you allow to flow into your border router(s) .126.0 255. we set our routers up the way described 255.0 255. you'd be able to have any one of your connections to the 'net go down and still maintain connectivity and speed.128.255. You can think of the process described below as turning networks into route announcements.0) 207. it's strictly to pass external route announcements through the various parts of our network .0. with static network statements to announce your routes. But when we first started speaking BGP.0) You'd first configure your router with: int Loopback0 descr Loopback interface for routes to be nailed* ip as-path access-list 3 permit ^$ 19 of 26 04/02/00 15:06 .0) 206. mask 255.0 network there must be: (1) Underlying static routes with the same netmask as each route being advertised with a network statement.and the effect would be the same .cisco.255.0 neighbor remote-as neighbor next-hop-self neighbor filter-list 3 out neighbor filter-list 2 in Explanation: This method "statically nails down" the route announcements being advertised with the "network" statements.0 mask 255.0.0 network 192.45 filter-list 3 out neighbor 207.10.0 mask 255.121 next-hop-self neighbor 137.255.127." statements in there by then. It is critical that you get those "neighbor somebody filter-list xxx .0 network 206.0 mask 255.0. router bgp 64512 network 170.0.html ip as-path access-list 3 deny .0 network 192.204.10.the interface Loopback0 will always be up.0. so it will only announce routes .10.0 mask 255. If you want to accept all incoming routes.0 mask 255.10. so the routes pointed to them will always be installed.8.255. The purpose of the Loopback0 routes is to ensure that even if an existing primary route which matches the netmask of the route being announced (and this is often not the case) goes won't accept any.0 mask 255.45 filter-list 2 in neighbor filter-list 3 out neighbor just create another similar neighbor statement.204.44. The best way by far to do it is to either cut and paste or tftp in a complete neighbor statement to the router.45 next-hop-self neighbor mask 255.106. based on the example above (note that the 64512 is a fictitious IP address). Actually.but it's better by far to be explicit about these things.10. Why? 20 of 26 04/02/00 15:06 .126.0 network 207.100.0 network 206. In order to nail them down.10. and (2) Those underlying static routes must not go away.192.* router bgp 64512 network 170. you could just not specify an "inbound as-path filter" . remote-as 4969 neighbor Ciscos give you 30 seconds to finish typing the neighbor statement before they start trying to establish the session..) This example uses a "deny everything" incoming filter. replace the "filter-list 2 in" with "filter-list 1 in". filter-list 2 in BEING ADVERTISED BY MULTIPLE PROVIDERS WITHOUT PI-SPACE Remember April 1997's document on getting provider-independent (PI) space? The reason it's so important to have "your own" ip space is that without it multi-homing is quite tricky and requires a lot of cooperation from your original provider.BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people. To add more peers. (Loopback0 routes always stay installed since there's no physical interface to go down and cause the route to be withdrawn . Here's an example of a completely filled-in bgp clause.121 remote-as 701 neighbor 137. which means it's only a "backup" route to any route without a weight at the end) will kick in and keep the BGP route advertisement stable.127.0 neighbor 207. the Loopback0 route (with a weight of 10.

There are a couple of reasons. Your provider (let's call him oldprovider) has 207. you're going to have to either not use BGP to balance 21 of 26 04/02/00 15:06 .106.0/20 will be picked up by the less specific (more general) route Basically. of your incoming traffic! In fact.0. First.0. See the sidebar for an explanation of how to balance outbound traffic without BGP.BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people. Suddenly. So you buy a T1 from newprovider. advertised by oldprovider. certain parts of oldprovider's network may actually prefer newprovider's t1 to get to you! The problem is that most large-ish providers use something called "aggregate-address statements" - and they certainly have some sort of filter to keep the more specific routes floating around inside of their networks from being advertised to the world.106.html Let's say you are using the most specific route always wins. though AS-PATH length is a pretty poor selection tool. You set up BGP with both oldprovider and newprovider. There is no advertisement for 207. CONTROLLING OUTGOING DATA FLOW: "PARTIAL ROUTING": "CUSTOMER ROUTES ONLY" If you can't take full routes from your providers. There are many arguments for and against. but it's true that if you are multi-homed and have a sufficiently studly router (a Cisco 4500.0/16. Meaning. AS-PATH length will decide which one actually gets used. or 75xx will do. you always want to send data to Sprintlink customers out your Sprintlink T1 and data to UUNET customers out your UUNET T1. Remember. the world sees two routes for you: 207.106. So filling your router with routes from all of your upstream providers means that. for routes of the same specificity. each provider obviously knows best the way to get to its customers. Remember. This is why it's important to choose a primary provider based on how cooperative they'll be when you want to multi-home.0 are not multi-homed. accepting full BGP routing from your multiple providers is a Good Thing.0/16 to the world. 70x0.0.106. it's what we've got right now .0/20.0/20.106. and 207. but Cisco 4000s and 2501s will not). Second. so newprovider will wind up carry almost all./16.106. it's going to take modifications in oldprovider's 'border' routers to make incoming load-balancing work properly for you .and it does bear some relation to an indicator of how "close" a given provider is to some other provider. they have to modify their aggregation statements or other filters to "allow" your more specific route announcement to pass through. Now you want to multi-home. if you're multi-homed to Sprintlink and UUNET.0/20 in this case . So oldprovider announces only 207. more specific routes inside of 207. everywhere that oldprovider peers with anyone else (and this is usually at least 5-10 places).106.0. 720x.106.106.0/16.0/16 if the little.0. you don't need BGP to balance the flow of traffic from your network (outbound traffic).and oldprovider may not want to do this. the world only wants to hear about 207. advertised by newprovider. One way or another. CONTROLLING OUTGOING DATA FLOW: "FULL ROUTING" Believe it or not. See Fig 7 for examples and explanation.96.any packet destined to 207. So what does oldprovider have to do? Blow holes in their "filter".com/%7Emarkt/avi. 4700. if not all.106.96.

SO WHAT'S TO BE DONE? Get customer routes from your providers . do not handle running out of memory gracefully at all. be able to put Sprintlink and any other few sets of customer routes or MCI and any other few sets in even a 2501 or 4000. and will gleefully consume so much memory with routing data that basic command functionality gets trashed and someone needs to physically power cycle the router. For each provider.html outbound traffic . This is a problem if your providers include Sprintlink and put sanity filters in place to protect UUNET. for example) then they may blast more than enough routes at you to "melt your router".and most providers that do a significant amount of BGP can do this pretty easily .* ! Filter the major providers from Net Access ip as-path access-list 42 deny _3561_ ip as-path access-list 42 deny _1239_ ip as-path access-list 42 deny _701_ ip as-path access-list 42 deny _1673_ ip as-path access-list 42 deny _174_ ip as-path access-list 42 deny _1_ ip as-path access-list 42 deny _4200_ ip as-path access-list 42 permit .but if any one of your providers screws up (changes a filter list slowly. Use something like the following: (Ciscos use ! at the beginning of a line to denote a comment line. and Net Access. The minimum set of "less than full" routes you'll want to take is customer routes from each provider (from each provider. since Sprintlink and MCI customer routes together are such a large percentage of "full routes" that you can't really put Sprintlink and MCI routes in Cisco 2501s or 4000s either. Ciscos. when many brands of routers (Ciscos included) run out of memory. You can tell your providers to only send you customer routes . get only the routes for them and their customers).or crash and restart.or take less than full routes.* router bgp 64512 neighbor remote-as 1239 neighbor next-hop-self neighbor filter-list 3 out neighbor filter-list 40 in neighbor remote-as 701 22 of 26 04/02/00 15:06 . build an as-path access-list to use as a filter of what you will not accept from them. in particular. Unfortunately. they don't just shut down BGP routing . You should. The problem is getting just customer routes (also called "peering routes"). however.BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people. however.* ! Filter everything but UUNET (ASN 701) from UUNET ip as-path access-list 41 deny _3561_ ip as-path access-list 41 deny _1239_ ip as-path access-list 41 deny _1673_ ip as-path access-list 41 deny _174_ ip as-path access-list 41 deny _1_ ip as-path access-list 41 deny _4200_ ip as-path access-list 41 permit . Let's say you're triply-homed to Sprintlink.) ! Filter everything but Sprintlink (ASN 1239) from Sprintlink ip as-path access-list 40 deny _3561_ ip as-path access-list 40 deny _701_ ip as-path access-list 40 deny _1673_ ip as-path access-list 40 deny _174_ ip as-path access-list 40 deny _1_ ip as-path access-list 40 deny _4200_ ip as-path access-list 40 permit .

PSI. will still have the ASN 1239 (which is Sprintlink's "peering" ASN) in the AS-PATH. BBN. AS-PATH PADDING Some people just aren't content to leave things the way nature intended them. Thanks. If you don't give them work to do they'll either sit and read news or Cisco documentation .net) who's shared his BGP experience with others since though. And thanks to Alec Peterson ( for reviewing this document . you'll still take their customer routes but won't take the vast majority of other routes from This is done with route-maps. So if you want to make one path preferred or another one not preferred. if you make sure not to set weights or local_prefs. Basically. which we'll talk more about next month. or bgp@netaxs. Bored routing engineers are very dangerous. you'll probably be peering with AS 179x . AS-PATH length is going to decide which of multiple BGP routes of the same specificity will be preferred. ANS. Please do not send them to freedman@netaxs. (Sprintlink. Sprintlink uses ASNs for each major POP (as do many other providers) .com). and AGIS) make up the vast majority of routes . who told me about something new called BGP in 1993 at a Science Fiction convention in the DC start optimizing ("tuning") routing. UUNET. Please use either the inet-access list. and we'll go into it in more detail next month.and who 23 of 26 04/02/00 15:06 .html neighbor next-hop-self neighbor filter-list 3 out neighbor filter-list 41 in neighbor remote-as 4969 neighbor filter-list 3 out neighbor filter-list 42 out That will ensure that even if Sprintlink. QUESTIONS AND COMMENTS I expect that this document will generate a lot of questions. you can "pad" the AS-PATH with extra ASNs to make one path look longer than another. who sent me some last-minute suggestions for clarification and pointed out an ugly factual error.but unlike other providers. these ASNs are visible to the outside world. Thanks to John Hawkinson (jhawk@panix. Note: If you're a Sprintlink customer.BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people. The bottom line is that instead of below you'll have whatever ASN Sprintlink actually has you peer with. THANKS TO In no particular order: Thanks to Alexis Rosen at Panix (alexis@panix. MCI. though (any route from the outside world). or Net Access screw up and blow you all of the routes they know about.well over 80-85% of the routes out there. UUNET. which I and many of my routing-geek friends patrol regularly. AS-PATH padding is probably the most widely-used BGP tuning method.or at least some ASN other than Thanks to Dave Siegel (dsiegel@rtd. Any non-Sprintlink customer of BBN.

We'll use an exchange point environment to illustrate next-hop-self.x (some other provider's MAE-East router). AS 4969 sets next-hop-self. so the next-hop is 192. you may have heard of the "next-hop-self issue". It turns out that this behavior is sometimes useful in large networks where there's an IGP running to tell every router which way to send a packet that says it came from 192.41.x (some other provider's Pennsauken router).html explored some of the more advanced BGP features (oh. AS 4969 might discover this "behavior" by running a few careful probes of other routers at mae-east.87.right to AS 4969's router. Sidebar on next-hop-self If you've followed the "peering and transit" discussions. When AS 64600 processes the route and installs it into the IP routing table. how big the route is (the specificity or netmask). Some people don't even like this (since it's a form of providing service to downstream customers over the "shared medium" of the exchange-point switches).41. Sidebar on Outgoing Data Flow Control Without BGP 24 of 26 04/02/00 15:06 . But this is really subtle and can screw you up big-time. but we're talking about eBGP here). Remember that the critical parts of a route are: What the base IP address is.. The solution is for 64500 to use next-hop-self as well (see the bottom diagram). Now.87 (AS 4969's mae-east IP address).0/16 to AS 64500. In the best case you'll piss someone off (if you forget to set "next-hop-self" in an exchange-point peering So when AS 64600 wants to send data to AS 4969 based on this route it'll "bounce the traffic off of" AS 64500's router.20.69. the joy of route-maps) using my network when I didn't have the time. But AS 64600 doesn't peer with AS 4969 . and see when AS 64600's router starts using the bogus route. Here's the problem. People generally do not like this.157. Refer to the figure (XXX) below. (And ditto for iBGP.yet it's going to send data to a route advertised by AS 4969 . Setting next-hop-self causes a Cisco to override the originating address of a route and stamp instead its own address as the "next-hop" part of the route. etc.177.177. it can find out who the culprit is by passing a bogus route or two to each peer in turn. When AS 4969 advertises 250.BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people.177.41. the next-hop used will be 192.NNN (AS 64500's mae-east IP address) in the next-hop field - though the AS-PATH and certain other fields still show that AS 4969 is the origin of the route. AS 4969 would then look to see how it hears AS 64600 (who is announcing AS 64600 to AS 4969) and see if they're the culprits. Ciscos keep the originating address of a route intact in the next-hop field when they pass it from eBGP peer to eBGP peer. In the worst case you'll cause routing loops for yourself (examples of this will be given when we talk more about IGPs).. In this case. In this case.177. the route as heard by 64600 has 192.0. AS 64500 advertises it to AS 64600 (see the top diagram) without next-hop-self. If AS 4969 really wants to. but it's not going to be as strenuously objected to as not using next-hop-self. and what destination (next-hop) to use to send data to the IP space represented by the route.

html Without BGP.0 0. Any packet not destined to the inside of the ISP's network will then hit the "wildcard".0. and be sent out the router interface towards the provider(s). packet-lossy) performance spells doom for IP traffic. if the "line protocol" on Serial0 goes down).BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people. netmask 0.0. If you do this. This means that packets 1 and 3 could arrive before packets two in a pathologically worst-case scenario. Even though it has a lower weight.0. If you just do: ip route 0.0. it'll assume a weight of 0).0.0. the route will be invalidated and will go away." "Another default route is out Serial1. many Ciscos come pre-configured with "ip route-cache" set on all of the interfaces .0 0.0 Serial0 ip route 0. Data sent to site X out Serial1 may arrive in 30-100ms. there's a catch. There are a few ways you can do this. the Cisco will simply "round-robin" outgoing packets. However.0. If Serial0 goes down for some reason ( or "default" route.0. 3. Or even packets 1.0. sending packet N out Serial0 and packet N+1 out Serial1. If you do it this way.0.0 0. that if you are using any Cisco bigger than a 2500 series. or 0.0. the route with a lower weight will be around when Serial0 is up.0.0) goes out Serial0 with a preference of 0 (if you don't put a 4th field in an "ip route" statement on a Cisco.0 Serial1 10 This says: "The default route (0. The fix is easy. On a Cisco. this is done with: ip route 0.0. and will "lock 25 of 26 04/02/00 15:06 . though.0 Serial1 You will almost certainly not be happy with the result! Unless "ip route-cache" is set on the interfaces in question. and 7 could arrive before packet2 does. Outgoing Data Flow: Option 1 Option 1 is to default to one provider and install a "backup default" to your other provider. if you are sending data to site X. so the Cisco will look for the next-best route. so it'll "win". with a weight of 10". your only way to send data out (and the way 90% or more of the ISPs out there run their networks) is to default route into their provider(s).0.0.0 0.0. which will be the route through Serial1. however: int Serial0 ip route-cache int Serial1 ip route-cache Note. 5.0. and site X is on Provider A's network (and let's say that Provider A is at the other end of Serial0).0/0.0. And actually. Outgoing Data Flow: Option 2 Option 2 is to default equally to both providers. it's the only valid route left to consider.0 Serial0 ip route data sent to site X out Serial0 may arrive in 10ms.0.but even so. the "ip route-cache" command might be "ip route-cache cbus" or "ip route-cache optimum" or some other command. the Cisco will keep a cache of all destinations you're sending packets to. it doesn't hurt to be explicit. This kind of out-of-order (or even worse.0.0. Why is this bad? Well.

cisco. this kind of load-balancing works pretty well and is what people use when they can't accept "full BGP routes" from multiple providers. of course. lead to IP degradation if you need your second outgoing pipe because your first has a tendency to get full). The worst case in this scenario is not IP TO BE DONE aggregate-address transit bgp and peering bgp: the provider's side: filtering as-path padding sync 26 of 26 04/02/00 15:06 . but poor use of your additional bandwidth (which can.BGP ROUTING PART I: BGP AND MULTI-HOMING http://wwwin-people. Anyway. In general.html in" each destination to one specific interface. this method leads to decent load-balancing (in the 40/60 to 50/50 split range).