Darren's Blog

EBGP:

• BGP neighbour addresses have to be in the local routing table. Following a default route will NOT work
• Next-hop for eBGP routes will NOT follow a default route. i.e. if you have a BGP speaker advertising eBGP routes to it’s iBGP peers, those iBGP will not install that route into their rib if they don’t have a route to the next-hop. A default route doesn’t count!
• When advertising a network in BGP via the network command, there has to be a match in the local RIB, otherwise it won’t be advertised – An Inject-map can be used to change this slightly

• By default eBGP neighbours are expected to be directly connected. If not, or peering via loopbacks, there are 3 ways to change this behaviour

1. ebgp multihop (ttl)
2. disable-connected-check
3. ttl-security hops

• ebgp multihop will increase the ttl to whatever value you want it to be
• disable-connected-check does not increase the ttl, but will allow routers to peer if the peer address is directly connected (like a loopback)
• ttl-security hops will send BGP requests out with a ttl of 255, but the incoming value needs to be 255 minus the value you set

Communities:

• ip bgp-community new-format is a global config command that will show the communitys in the new x:x format
• Communities are NOT sent to neighbours by default. You need to configure the send-community option on the nieghbour statement
• no-export – route not sent outside AS, but will be sent to confederation peers
• local-as - as above, but NOT advertised to confederation peers
• no-advertise – don’t advertise to anyone
• If you set a community via a route-map, it WILL overwrite all previous communities, unless you set the additive keyword

2 easy ways of stopping your AS becoming a transit AS:

• Create an incoming route-map from eBGP peers that adds the no-export community
• Create an as-path access-list matching ^$ and filter on that outbound to eBGP peers

Regular expressions:

• show ip bgp regexp (expression) is handy to work out what your expressions will match in your current BGP table
• ^    beginning of string
• _    Contains (anything before or after)
• $    End of string
• []    Range of numbers
• -     Used to specify range [0-9]
• ()     Logical grouping
• \     Special character to follow (confederations)
• .     Single character wildcard
• *     0 or more of the preceeding character
• +    1 or more of the preceeding character
• ?     0 or 1 of the preceeding character
  

Peer groups:

• Peer groups are used to simplify your BGP configuration by confguring options under a group, and then assigning neighbours to a group
• Neighbours in a single group must have the same outbound policies
• neighbor (group name) peer-group
• neighbor (group name) remote-as xxx
• neighbor (group name) (options)
• neighbor x.x.x.x peer-group (group name)

Route-reflectors:

• If you have more than 1 route-reflector in a single AS for fault-tolerence, ensure both have matching cluster-id’s BEFORE you set up the clients.
• If set up before, reboot the route-reflector
• If you only have a single route-reflector, it’s unnecessary to set the cluster-id

Confederations:

• inter-sub-as neighbours will need ebgp multihop configured if not directly connected!
• bgp confederation peers x x x only really needs to be configured on the confederation BGP speakers that connect to different confederation AS numbers in the same confederation. It doesn’t hurt to configure it all on all of them though
• bgp confederation identifier (external AS) needs to be configured on all confederation BGP speakers

Dampening:

• bgp dampening is a global command that enabled dampening
• bgp dampening (half-life) (reuse) (supress) (max-suppress) [route-map](map)

1. Half-life – Time before penalty cut in half (15min default)
2. Reuse – Low threshold where route reused (750 default)
3. Supress – High threshold where route supressed (2000 default)
4. Max-supression – Max time to be supressed (60 min default)

• The default penalty for a flap is 1000
• These are sliding scales. i.e. if a route flaps it’ll get 1000 points, but will start losing points 1 by 1 straight away
• If you want to ensure certain routes are NOT dampened, create a route-map that denys the routes you don’t want dampened, and allow everything else
• When dampening though a route-map, you need to set the dampening values in the route-map itself, even if they are the defaults!

Redistribution:

• When reditributing from BGP into an IGP, by default no iBGP routes will be reditributed, ONLY eBGP. To ensure iBGP routes are distributed, you need to configure bgp redistribute internal under the BGP process. This can VERY easily cause loops so be careful!

Misc:

• Supress-maps are configured under the aggregate command, while unsuprsess maps are configured under the neighbour statements (check this though, supress might also be for neighbour as well)
• When configuring an aggregate, the AS numbers of the source addresses part of that aggregate are lost. You can keep sending them as an as-set by adding the as-set command at the end of the aggregate
• An aggregate will inherit the community values of it’s parent routes when using as-set configured above. This includes communities like no-export. You can override this with an attribute-map at the end of an aggregate command. The attribute-map calls a route-map in which you can remove the communities, or set new ones
• Exist and non-exist maps will match routes in the BGP table, not the RIB
• When using an inject map, the exist map MUST have both a match route term AND a match route-source term
• You can see the effects of a filter before applying it by doing a show ip bgp filter-list (filter); show ip bgp community-list (filter) etc etc
• An extended ACL actually acts like a prefix list in BGP. The source bits tell what IP address/range to match, while the destination bits tell what subnet mask to match. The protocol is ignored. – permit ip 172.16.1.0 0.0.0.255 255.255.255.0 0.0.0.0 – matches 172.16.1.x/24 only – permit ip 172.16.1.50 0.0.0.0 255.255.255.0 0.0.0.255 matches 172.16.1.50/24-32 only – etc…
• When configuring maximum prefix values to receive from a neighbour, the first variable is the amount of prefixes while the second number is the percentage to warn on, not the number received!
• BGP timers can be configured under the bgp process, or neighbour-specific timers