During your BGP studies, you’ll come across BGP confederations a couple of times. There are a few things that are easy to miss, and I’d like to clear it up here.
This will be both theory and practical, and I’ll be using this topology to explain things (click image for full size topology):
The routers are the same that are in my topology that I normally use. The only thing that will change will be the IP addressing so it’ll be easier to see what’s going on. The topology can be found here: http://mellowd.co.uk/ccie/?p=243
Our company, AS 65535 has a multitude of routers running BGP in our core. N.B: R2 and R4 will NOT be running BGP at all. We are connected to 2 ISP’s – AS100 and AS200. We are also running OSPF internally inside the organisation.
BGP confederations allow your BGP deployment to scale quite nicely internally. Remember the rule of BGP split horizon – i.e. a BGP router learning a route from an iBGP peer will not advertise that to another iBGP peer. Confederations can help with this, as each intra-confederation connection is actually a special eBGP peering and not a regular iBGP peer.
BGP confederations can also help with splitting up your IGP domains. IGP’s like EIGRP or OSPF cannot scale to gigantic routing table sizes. IGP’s also put more emphasis on convergence speed as opposed to stability like BGP. I know the topology I have is no-where near big enough, but it does allow me to show you how it splits these IGP domains. I am going to run OSPF in both Sub-AS 10 and 30, as well as EIGRP in 10, 20 and 30 so I can seperate the OSPF portion out completely. I am going to be running OSPF in area 0 in Sub-AS 10 as well as in 30, but these will be completely independent of each other.
Each router has a loopback which will be advertised. R1 is 1.1.1.1, R4 is 4.4.4.4 and so on. All iBGP and intra-confederation peers will be peered using the loopback IP addresses.
Configuring:
The ISP itself will have a normal BGP config, nothing special needs to be done. You do need to ensure you are configuring a peer with AS 65535. ISP1 and ISP2 do not know anything about the fact that we are running a confederation.
R1 config:
R1# router bgp 100 no synchronization bgp log-neighbor-changes network 1.1.1.1 mask 255.255.255.255 neighbor 192.168.1.8 remote-as 65535 no auto-summary
R8′s config is like so. The BGP process must be configured under the Sub-AS number. In this case AS 10. The peer connectino between ISP1 and our company will NOT come up until I tell R8 that it should identify itself to ISP1 as being in AS 65535. As soon as the confederation identifier is in place, the peer connection will come up. BGP confederation peers just tells the router itself which AS’s are intra-confederation peers. If you do not add this then the router will assume any AS different to the one it’s using itself will be a full eBGP peer.
R1# router bgp 10 no synchronization bgp log-neighbor-changes bgp confederation identifier 65535 bgp confederation peers 20 30 network 8.8.8.8 mask 255.255.255.255 neighbor 9.9.9.9 remote-as 10 neighbor 9.9.9.9 update-source Loopback0 neighbor 192.168.1.1 remote-as 100 no auto-summary ! router ospf 1 log-adjacency-changes network 8.8.8.8 0.0.0.0 area 0 network 10.1.1.16 0.0.0.3 area 0 network 192.168.1.0 0.0.0.255 area 0
I’ve also added the next hop addresses into OSPF so I don’t need to use next-hop-self.
To do a quick check on the peer connection, have a look here:
R1#sh ip bgp sum Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd 192.168.1.8 4 65535 17 17 4 0 0 00:10:06 1
The peer is up, and as far as R1 is concerned, R8 is in AS 65535
R2 is simply running OSPF and nothing else:
R2# router ospf 1 log-adjacency-changes network 2.2.2.2 0.0.0.0 area 0 network 10.1.1.16 0.0.0.3 area 0 network 10.1.1.20 0.0.0.3 area 0
Router 9 is running BGP, OSPF and EIGRP – I wouldn’t do this in the real world. It’s simply to prove a point later. It’s also peered with AS20, a Sub-AS. There is an important thing to note here. Basically iBGP sessions do not need the ‘ebgp-multihop’ command. iBGP peers do NOT have to be directly connected. When Sub-AS’s connect to each other they DO need it though otherwise the peer will simply not come up. You can see that the peer config to R8 does not have it while the peer config to R10 does have it. This is the config:
R9# router bgp 10 no synchronization bgp log-neighbor-changes bgp confederation identifier 65535 bgp confederation peers 20 30 network 9.9.9.9 mask 255.255.255.255 neighbor 8.8.8.8 remote-as 10 neighbor 8.8.8.8 update-source Loopback0 neighbor 10.10.10.10 remote-as 20 neighbor 10.10.10.10 ebgp-multihop 2 neighbor 10.10.10.10 update-source Loopback0 no auto-summary ! router ospf 1 log-adjacency-changes network 9.9.9.9 0.0.0.0 area 0 network 10.1.1.20 0.0.0.3 area 0 network 10.1.1.96 0.0.0.3 area 0 ! router eigrp 1 network 9.9.9.9 0.0.0.0 network 10.1.1.96 0.0.0.3 no auto-summary
Router10 is peered with 2 other Sub-AS’s. It’s also running EIGRP:
#R10 router bgp 20 no synchronization bgp log-neighbor-changes bgp confederation identifier 65535 bgp confederation peers 10 30 network 10.10.10.10 mask 255.255.255.255 neighbor 3.3.3.3 remote-as 30 neighbor 3.3.3.3 ebgp-multihop 2 neighbor 3.3.3.3 update-source Loopback0 neighbor 9.9.9.9 remote-as 10 neighbor 9.9.9.9 ebgp-multihop 2 neighbor 9.9.9.9 update-source Loopback0 no auto-summary ! router eigrp 1 network 10.1.1.36 0.0.0.3 network 10.1.1.96 0.0.0.3 network 10.10.10.10 0.0.0.0 no auto-summary
R3, R4, R11 and R12 are more of the same of what’s just been done. I’ll post just the configs here.
#R3 R3#sh run | begin eigrp router eigrp 1 network 3.3.3.3 0.0.0.0 network 10.1.1.36 0.0.0.3 auto-summary ! router ospf 1 log-adjacency-changes network 3.3.3.3 0.0.0.0 area 0 network 10.1.1.36 0.0.0.3 area 0 network 10.1.1.44 0.0.0.3 area 0 ! router bgp 30 no synchronization bgp log-neighbor-changes bgp confederation identifier 65535 bgp confederation peers 10 20 neighbor 10.10.10.10 remote-as 20 neighbor 10.10.10.10 ebgp-multihop 2 neighbor 10.10.10.10 update-source Loopback0 neighbor 11.11.11.11 remote-as 30 neighbor 11.11.11.11 update-source Loopback0 no auto-summary
R4# router ospf 1 log-adjacency-changes network 4.4.4.4 0.0.0.0 area 0 network 10.1.1.44 0.0.0.3 area 0 network 10.1.1.52 0.0.0.3 area 0
#R11 router ospf 1 log-adjacency-changes network 10.1.1.52 0.0.0.3 area 0 network 11.11.11.11 0.0.0.0 area 0 network 172.20.1.0 0.0.0.255 area 0 ! router bgp 30 no synchronization bgp log-neighbor-changes bgp confederation identifier 65535 bgp confederation peers 10 20 network 11.11.11.11 mask 255.255.255.255 neighbor 3.3.3.3 remote-as 30 neighbor 3.3.3.3 update-source Loopback0 neighbor 172.20.1.12 remote-as 200 no auto-summary
#R12 router bgp 200 no synchronization bgp log-neighbor-changes network 12.12.12.12 mask 255.255.255.255 neighbor 172.20.1.11 remote-as 65535 no auto-summary
Now there are a couple things we need to note about these special BGP peerings. Usually, the next-hop address will change when an update is given to an eBGP peer. If we check R10′s BGP table though, we can see that the next-hop addresses have NOT changed: (192.168.1.1 is R1′s IP address; 172.20.1.12 is R12′s)
R10#sh ip bgp
BGP table version is 8, local router ID is 10.10.10.10
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* 1.1.1.1/32 192.168.1.1 0 100 0 (10) 100 i
* 8.8.8.8/32 8.8.8.8 0 100 0 (10) i
r> 9.9.9.9/32 9.9.9.9 0 100 0 (10) i
*> 10.10.10.10/32 0.0.0.0 0 32768 i
* 11.11.11.11/32 11.11.11.11 0 100 0 (30) i
* 12.12.12.12/32 172.20.1.12 0 100 0 (30) 200 i
That means updates to confederation peers will have the next-hop stay the same. You need to ensure that those next hop addresses are known by all confederation peers otherwise you’ll get what I have above, most have no valid route.
If we check the BGP table on R3, we see the following:
R3#sh ip bgp
BGP table version is 20, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
r> 9.9.9.9/32 9.9.9.9 0 100 0 (20 10) i
r> 10.10.10.10/32 10.10.10.10 0 100 0 (20) i
r>i11.11.11.11/32 11.11.11.11 0 100 0 i
*>i12.12.12.12/32 172.20.1.12 0 100 0 200 i
R3 can see that the IP 9.9.9.9 came through AS 20 and 10, even though all routers are in the same major AS.
The last thing I’d like to point out is the split of the IGP (OSPF in this case) Both Sub-AS 10 and 30 are running OSPF area 0. We can see how many times the SPF algorithm has run in each:
R9#sh ip ospf Routing Process "ospf 1" with ID 9.9.9.9SPF algorithm executed 3 times
R3#sh ip ospf Routing Process "ospf 1" with ID 3.3.3.3SPF algorithm executed 7 times
Let’s force the algorithm to run again by adding another loopback on Router9 and advertising it into OSPF:
R9#conf t Enter configuration commands, one per line. End with CNTL/Z. R9(config)#int lo2 R9(config-if)#ip address 99.99.99.99 255.255.255.255 R9(config-if)#router ospf 1 R9(config-router)#network 99.99.99.99 0.0.0.0 area 0
If we now check the SPF algorithm again in Both Sub-AS’s:
R9#sh ip ospf Routing Process "ospf 1" with ID 9.9.9.9SPF algorithm last executed 00:00:56.144 ago SPF algorithm executed 4 times
R3#sh ip ospf Routing Process "ospf 1" with ID 3.3.3.3SPF algorithm last executed 00:27:18.572 ago SPF algorithm executed 7 times
We can see in Sub-AS 10 the SPF algorithm ran 56 seconds ago. In Sub-AS 30 however, it has not forced the algorithm to run again, proving that these IGP domains are completely separate from each other.
So that’s the basics of Confederations. They can be very useful for a number of reasons. Just be sure to remember how exactly they operate. Any questions, feel free to ask
Topology used is over here: http://mellowd.co.uk/ccie/?p=243
BGP Lab 12:
- AS7, AS9 and AS11 are all customers of ISP1
- AS7 has it’s own address space – 77.48.16.0/24 advertised via a loopback
- ISP1 owns the address space 180.16.0.0/16
- AS9 has been assigned 180.16.9.0/24 from ISP1 – insert via loopback
- AS11 has been assigned 180.16.11.0/24 from ISP1 – insert via loopback
- Ensure that AS7′s address space is advertised to AS9 and AS11
- ISP1 needs to advertise the entire 180.16.0.0/16 range and not the more specific routes. Ensure AS7 sees only 180.16.0.0/16 HOWEVER it must still know that some routes have come from AS9 and AS11
- On AS9, configure an attribute so that ISP1 does not advertise the more specific 180.16.9.0/24 address to anyone.
- You should notice that ISP1 is now not advertising the aggregate because it has inherited the no-export community from above
- Now on ISP1, ensure that the community is changed so that the aggregate can be advertised again
Click on the thumbnail for the full size topology:
Sometimes when configuring BGP you’ll come accross routes that show rib-failure. What exactly does this mean?
Have a look at this output:
R3#sh ip bgp
Network Next Hop Metric LocPrf Weight Path
r> 172.16.220.0/24 172.16.220.1 0 0 3 i
*> 192.68.0.0/16 172.16.220.1 0 0 3 {2,1} i
*> 192.68.10.0 172.16.220.1 0 3 2 i
172.16.220.0/24 is showing up as r> – but what exactly is going on? There is a command you can use to see what’s happened: show ip bgp rib-failure
R3#sh ip bgp rib-failure Network Next Hop RIB-failure RIB-NH Matches 172.16.220.0/24 172.16.220.1 Higher admin distance n/a
Here it’s telling me that the BGP could not be injected into the routing table as there is already a route with a higher administrative distance there. This is proved with the ip routing table:
R3#sh ip route 172.16.220.0
Routing entry for 172.16.220.0/24
Known via "connected", distance 0, metric 0 (connected, via interface)
Routing Descriptor Blocks:
* directly connected, via FastEthernet0/1
Route metric is 0, traffic share count is 1
Essentially a RIB-failure is a note letting you know that the route is in BGP, but it has not been injected into the IP routing table even though it is a valid and best route
Topology used is over here: http://mellowd.co.uk/ccie/?p=243
BGP Lab 11:
- All routers are peered via BGP
- Router9 has the network 24.83.176.1/24 attached via a loopback
- Router2 has the network 24.83.177.1/24 attached via a loopback
- All networks MUST be inserted into the BGP process
- Now ensure that Router8 and Router1 see the full aggregate of 24.83.176/23 advertised. More specific routes MUST be supressed. i.e. Router1 and Router8 should have the aggregate ONLY – Do this WITHOUT removing any of the networks from the BGP process
- Now change the configuration so that Router1 and Router8 get the aggregate as well as the more specific routes, however using a community tag (on Router2), ensure that Router1 does NOT advertise the more specific routes to Router6.
- Router6 should still get the aggregate route
- Check to make sure Router1 has all the routes and Router6 ONLY has the aggregate route
Click on the thumbnail for the full topology:
Topology used is over here: http://mellowd.co.uk/ccie/?p=243
BGP Lab 10:
- CompanyA is a customer of ISP1
- CompanyA is peered with CompanyB which is NOT a customer of ISP1
- ISP1 advertises the loopbacks of both Router8 and Router9, however wants to ensure that only it’s own customers know about 8.8.8.8
- ISP1 does not care that all routers know about 9.9.9.9
- ISP1 does not trust CustomerA to put the right measure in place, so you need to do it from the ISP1 side.
- In other words, make sure that CompanyA knows about 8.8.8.8 but force it not to advertise that route any further
Click on the thumbnail for the full topology:
Topology used is over here: http://mellowd.co.uk/ccie/?p=243
BGP Lab 9:
- ISP1 is running OSPF internally so that all loopbacks are accessible
- Router1 has the network 172.20.1.0/24 attached to it (via a loopback)
- Router8 has the network 172.20.8.0/24 attached to it (via a loopback)
- Ensure both these networks are advertised by both Router1 and Router8
- ISP1 contains the entire 172.20.0.0/16 network. Ensure this aggregate is always advertised out, no matter the condition of the more granular networks
- Using MED, ensure traffic from Router10 to 172.20.1.0/24 goes via Router2 and traffic to 172.20.8.0/24 goes via Router9
- Ensure the MED comes from the OSPF metric itself
Click on the thumbnail for the full topology:
Topology used is over here: http://mellowd.co.uk/ccie/?p=243
BGP Lab 8:
- Address as normal in the topology – Add the loopback of 99.99.99.99 and 22.22.22.22 to Router’s 9 and 2 respectively
- All routers are peered via BGP with OSPF running as well
- Use a filter on AS500 to ensure it is non-transit
- Company1 now wants to prepend it’s AS number 3 times for any route sent off to Customer2
- Allow Customer3 to transit through ISP1
- Ensure Customer3′s Private-AS number is stripped off before advertising it out
- Allow Company1 and Company2 to get to Customer3
Click on the thumbnail for the full topology:
New lab for today. This one is a little more complex than the rest I’ve posted thus far. It should give you good practice. Topology used is over here: http://mellowd.co.uk/ccie/?p=243
BGP Lab 7:
- Customer1 and Customer2 are both customers of ISP1
- ISP1 is running OSPF internally
- ISP1 has decided to give each of them a private AS number as these companies are rapidly expanding
- Customer1 and Customer2 then buy a high speed link between the 2 of them and run OSPF. You need to ensure that they use the high speed link when going to each others subnets and NOT transit through ISP1 – Though they need to transit when the frame-relay link is down
- Ensure that Customer1 and Customer2 will never use each other for transit when going out to ISP2
- Static routes are NOT allowed
- Ensure that ISP1 sends all routes to ISP2, but the private AS numbers need to be stripped
- Ensure that ISP2 uses the link to Router2 when getting to Customer2 and uses the link to Router3 when going to Customer1
Click on the thumbnail for the full topology:
New lab for today. I’ve just completed it myself and it’s a good one for practice. This will cover BGP, EIGRP, OSPF and RIPv2. It will cover redistribution of routes as well. Topology used is over here:http://mellowd.co.uk/ccie/?p=243
BGP Lab 6:
- Customer 1 is running RIPv2 internally and Customer 2 is running EIGRP internally
- Both customers have default routes pointing to ISP1
- Ensure this default route is redistributed into each customer via IGP redistribution
- ISP1 is running OSPF and BGP internally, however Router10 is NOT running BGP
- ISP1 and ISP2 are eBGP peers
- Using redistribution, ensure Customer 2 is able to get to all subnets in Customer1 and vice versa
- ISP2 should be able to get to all loopbacks
- Add another loopback on Router14 with the IP 140.140.140.140. Redistribute it into RIP and then ensure all other routers can ping it without modifying any config on any other router
Click the image for a larger picture of the lab
Third and last BGP lab for today. This one mainly concerns peer-groups, though there is a bit of as_path access lists thrown in as well. Topology used is over here: http://mellowd.co.uk/ccie/?p=243
BGP Lab 5:
- Create a peer group in AS950 so you don’t have to do the same configuration for R2, R9 and R8 all the time
- Ensure R8, R9 and R2 all use R1 as the next hop when leaving the AS
- Use loopbacks in AS950 for iBGP peerings
- Create an AS_PATH access list so that AS60 and AS70 don’t use AS950 as transit, however all routers in AS950 should be able to ping all routers
Click on the thumbnail for the full size image
Comments