Sample BGP regular expressions that can be used on a Cisco router.
_100_              Going through AS 100
^100$              Directly connected to AS 100
_100$              Originated in AS 100
^100_              Networks behind AS 100
^[0-9]+$           AS paths one AS long
^([0-9]+)(_\1)*$   Networks originating in a neighboring AS
^$                 Networks originated in the local AS
.*                 Matches everything
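To see what the `_` atom buys you, here is an added example (not Cisco code) that translates the patterns above into Python regexes using Cisco's documented meaning of `_` (a space, comma, brace, or the start or end of the path string) and classifies a few constructed AS paths with them.

```python
import re

# Cisco's AS-path regex atom '_' matches a space, a comma, a brace ('{' or '}'),
# or the start or end of the path string. Python has no such atom, so this
# helper (an added example, not Cisco code) rewrites '_' into an equivalent group.
# It assumes '_' appears only as that atom, never inside a character class.
UNDERSCORE = r"(?:^|$|[ ,{}])"

def cisco_to_python(pattern: str) -> str:
    """Translate a Cisco AS-path regex into a Python regex."""
    return pattern.replace("_", UNDERSCORE)

def as_path_matches(pattern: str, as_path: str) -> bool:
    """True if the Cisco pattern matches an AS path written as 'show ip bgp' prints it."""
    return re.search(cisco_to_python(pattern), as_path) is not None

# The table above, pattern -> meaning.
TABLE = {
    "_100_": "going through AS 100",
    "^100$": "directly connected to AS 100",
    "_100$": "originated in AS 100",
    "^100_": "networks behind AS 100",
    "^[0-9]+$": "AS path one AS long",
    r"^([0-9]+)(_\1)*$": "originating in a neighboring AS",
    "^$": "originated in the local AS",
}

def classify(as_path: str) -> list:
    """Return the meaning of every table entry whose pattern matches this AS path."""
    return [meaning for pat, meaning in TABLE.items() if as_path_matches(pat, as_path)]

# Constructed sample AS paths; "1100" shows why '_' is needed instead of a bare
# "100", and the last one carries an AS_SET in braces.
SAMPLES = ["", "100", "20 100", "20 100 300", "100 1100", "1100", "100 100 100", "20 {100,200}"]

if __name__ == "__main__":
    for path in SAMPLES:
        print(f"{path!r:18} -> {classify(path)}")
```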
Sample application.
AS 10 has two upstreams, AS 20 and AS 30. You want traffic to AS 40 to go through AS 20.
First step, create an as-path access list that matches this criterion (routes originated in AS 40):
! matches AS paths ending in AS 40, i.e. routes originated in AS 40
ip as-path access-list 1 permit _40$
Second, create a route-map that sets an attribute so those routes are preferred. Let's say we use weight. The final permit clause without a match statement passes all other routes unchanged:
route-map AS-10-OUT permit 10
 match as-path 1
 set weight 1000
route-map AS-10-OUT permit 15
Third, apply the route-map on the BGP session to AS 20. Weight is a local attribute, so it is set on the routes received from that neighbor, which is why the route-map is applied inbound:
router bgp 10
 neighbor 192.168.1.2 remote-as 20
 neighbor 192.168.1.2 route-map AS-10-OUT in
BGP route selection criteria (on a Cisco router):
1. Exclude routes with an inaccessible next hop
2. Prefer the highest weight (local to the router)
3. Prefer the highest local preference (global within the AS)
4. Prefer routes that the router originated
5. Prefer the shortest AS path (only the length is compared)
6. Prefer the lowest origin code (IGP < EGP < incomplete)
7. Prefer the lowest MED
8. Prefer an external (EBGP) path over an internal (IBGP) path
9. For IBGP paths, prefer the path through the closest IGP neighbor
10. For EBGP paths, prefer the oldest (most stable) path
11. Prefer the path from the router with the lowest BGP router-id
For example, if one prefix is learned from three upstreams, A with an AS path of length 2, B with length 3 and C with length 5, and weight and local preference are the same for all three, the router chooses A as the next hop. Weight and local preference usually stay equal until we change them to manipulate routing. When you want to change the preference of some prefixes, use weight if you have only one gateway router; when there are many gateway routers in your AS, use local preference, because local preference takes effect across the whole local AS while weight affects only the local router.
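The selection order above as an added Python model (not router code): a sort key that applies steps 2 to 9 and 11 to constructed candidate paths, including the A, B, C scenario from the paragraph, and shows how a weight set by a route-map overrides the shorter AS path. Cisco's default weight 0 and local preference 100 are assumed for learned paths; step 10 is left out because the toy table has no path age.

```python
from dataclasses import dataclass
from typing import Optional

# Origin codes in order of preference for step 6: IGP < EGP < incomplete.
ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}

@dataclass
class Path:
    name: str
    next_hop_reachable: bool = True
    weight: int = 0              # default weight of a learned path
    local_pref: int = 100        # default local preference
    locally_originated: bool = False
    as_path: tuple = ()
    origin: str = "i"
    med: int = 0
    ebgp: bool = True
    igp_metric: int = 0          # IGP metric to the next hop (matters for IBGP paths)
    router_id: str = "0.0.0.0"

def selection_key(p: Path) -> tuple:
    """Sort key for steps 2-9 and 11 of the list above; the smallest key wins.
    Step 10 (oldest EBGP path) needs path age, which this toy table does not track."""
    return (
        -p.weight,                                 # 2. highest weight
        -p.local_pref,                             # 3. highest local preference
        not p.locally_originated,                  # 4. locally originated first
        len(p.as_path),                            # 5. shortest AS path (length only)
        ORIGIN_RANK[p.origin],                     # 6. lowest origin code
        p.med,                                     # 7. lowest MED
        not p.ebgp,                                # 8. EBGP before IBGP
        p.igp_metric,                              # 9. closest IGP next hop
        tuple(map(int, p.router_id.split("."))),   # 11. lowest router-id
    )

def best_path(paths: list) -> Optional[Path]:
    """Step 1 drops paths whose next hop is unreachable; the rest are ranked by selection_key."""
    usable = [p for p in paths if p.next_hop_reachable]
    return min(usable, key=selection_key) if usable else None

# Constructed scenario from the text: upstreams A, B and C with AS path lengths 2, 3
# and 5, equal weight and local preference. A wins on step 5 (shortest AS path).
A = Path("A", as_path=(20, 40))
B = Path("B", as_path=(30, 50, 40))
C = Path("C", as_path=(60, 70, 80, 90, 40))
C_PREFERRED = Path("C", weight=1000, as_path=(60, 70, 80, 90, 40))  # weight set by a route-map

if __name__ == "__main__":
    print(best_path([A, B, C]).name)              # A
    print(best_path([A, B, C_PREFERRED]).name)    # C: weight beats AS path length
```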
Configuring BGP on a Cisco router is simple enough. Before you start configuring BGP, keep two things in mind:
1. BGP only advertises a network if a matching entry exists in the IGP routing table.
2. The BGP network statement is classful by default, so you must include the netmask in the network statement if the network is not classful.
Steps for configuring BGP
1. Check whether the network you want to advertise is in the IGP routing table. Simply check the routing table on the router. For example, to advertise network 192.168.1.0/24, type this command:
router#show ip route 192.168.1.0
If the network exists in the routing table, go on to the next step. If it does not exist, or only a more specific route exists, add a static route for the network to Null0 with a high enough administrative distance. Example:
router(config)#ip route 192.168.1.0 255.255.255.0 null0 255
2. Configure BGP. Say your AS is 65000, your neighbor's AS is 65001 and the peer IP is 10.10.10.2:
router(config)#router bgp 65000
router(config-router)#neighbor 10.10.10.2 remote-as 65001
router(config-router)#network 192.168.1.0 mask 255.255.255.0
That's it. If everything is OK, you can see that the BGP session is up:
router#sho ip bgp sum
The result will be something like this:
Neighbor     V    AS MsgRcvd MsgSent  TblVer  InQ OutQ Up/Down  State/PfxRcd
10.10.10.2   4 65001  382168  300922  537070    0    0 13w0d        5007
When the state is Active or Idle, the session is not up. Check connectivity with ping, or try telnet to port 179 (BGP uses TCP port 179); if the port is not open, something is blocking port 179 and BGP cannot come up.
To check the routes that you received from and advertised to the peer (received-routes only works when soft-reconfiguration inbound is configured for that neighbor):
sh ip bgp neigh 10.10.10.2 received-routes
sh ip bgp neigh 10.10.10.2 advertised-routes
Using Next-Hop Self
BGP only advertises routes that have a valid next hop. The next hop is usually resolved through the IGP routing table. For a border router that connects to both internal and external routers, it is good to use next-hop-self for the following reasons:
1. Sometimes you don't redistribute the connected interfaces into the IGP routing protocol
2. For stability reasons
Configuring next-hop-self on a Cisco router is simple:
router(config)#router bgp 65000
router(config-router)#neighbor 172.16.1.1 remote-as 65000 ----> internal (IBGP) peer
router(config-router)#neighbor 172.16.1.1 next-hop-self
Before configuring BGP, you need to gather information about your network and your peer. Configuring BGP on a Juniper router is basically the same as on Cisco or any other router. The basic configuration is just to configure the BGP session and advertise our networks.
Steps for configuring BGP on Juniper to an external AS.
Configure the autonomous system number and router ID:
[edit routing-options]
admin@BorderA# set autonomous-system 65500
admin@BorderA# set router-id 192.168.16.1
To configure an EBGP session to the border router in the other AS:
[edit protocols bgp]
admin@BorderA# set group session-to-AS65505 type external
admin@BorderA# set group session-to-AS65505 peer-as 65505
admin@BorderA# set group session-to-AS65505 neighbor 10.0.31.1
[edit protocols]
admin@BorderA# show
bgp {
    group session-to-AS65505 {
        type external;
        peer-as 65505;
        neighbor 10.0.31.1;
    }
}
If there is only one peer in AS 65505, you can also leave peer-as out of the group and set it on the neighbor instead, so the configuration will be
[edit protocols bgp]
admin@BorderA# set group EXTERNAL-PEER type external
admin@BorderA# set group EXTERNAL-PEER neighbor 10.0.31.1 peer-as 65505
[edit protocols]
admin@BorderA# show
bgp {
    group EXTERNAL-PEER {
        type external;
        neighbor 10.0.31.1 {
            peer-as 65505;
        }
    }
}
To configure IBGP on the border router and on all the routers within your AS, configure an IBGP group on each router:
[edit protocols bgp]
admin@BorderA# set group TO-INTERNAL type internal
admin@BorderA# set group TO-INTERNAL local-address 192.168.16.1
admin@BorderA# set group TO-INTERNAL neighbor 192.168.15.1
admin@BorderA# set group TO-INTERNAL neighbor 192.168.17.1
To advertise a prefix, that prefix must exist in the routing table.
If the network you want to advertise does not exist as such in the IGP routing table, add it as an aggregate route (the aggregate becomes active as soon as at least one more specific contributing route is in the routing table):
[edit routing-options]
admin@BorderA# set aggregate route 192.168.1.0/24 as-path atomic-aggregate
Then configure a policy so that your prefix is advertised:
[edit]
admin@BorderA# set policy-options policy-statement TO-EXTERNAL from route-filter 192.168.1.0/24 exact accept
Apply this policy as an export policy in the BGP configuration:
[edit protocols bgp]
admin@BorderA# set group EXTERNAL-PEER export TO-EXTERNAL
Using Next-Hop Self
BGP only advertises routes that have a valid next hop. The next hop is usually resolved through the IGP routing table.
For a border router that connects to both internal and external routers, it is good to use next-hop-self for the following reasons:
1. Sometimes you don't redistribute the connected interfaces into the IGP routing protocol
2. For stability reasons
With next-hop-self configured, the next-hop address of external BGP routes advertised to internal peers is rewritten to the border router's own address inside the local AS.
Configure next-hop-self on a Juniper router with policy-options:
[edit policy-options]
admin@BorderA# set policy-statement next-hop-self term 1 from protocol bgp
admin@BorderA# set policy-statement next-hop-self term 1 then next-hop self
Then apply the policy as an export policy in the IBGP group on the border router:
[edit protocols bgp]
admin@BorderA# set group TO-INTERNAL export next-hop-self
Using Peer Group
Peer groups reduce router resource consumption and configuration effort. A peer group is a group of neighbors that share the same policy. See my other post about configuring peer groups.
Filtering Routes
If your network is not a transit AS, it must filter the BGP routes advertised to its private peers, so that your private peers do not use your AS as transit to the internet. You need to filter the advertised routes so that only your local routes are advertised to your private peers. If you are a transit AS, you can advertise all internet routes to your customers.
Filtering BGP routes can be done by filtering on prefixes and on AS path. Here is a sample BGP filter using prefixes and AS path.
BGP Configuration
neighbor 192.168.1.1 {
    description PEER1;
    export TO-PEER1; # export policy refers to policy-options policy-statement TO-PEER1
    peer-as 65000;
}
Policy Configuration
policy-statement TO-PEER1 {
    term OUR-PREFIX {
        from {
            as-path LOCAL-AS; # only routes originated in the local AS are advertised
            route-filter 192.168.0.0/20 upto /24; # only your own prefixes are advertised
        }
        then accept;
    }
    term INTERNET {
        then reject; # reject all other (internet) routes so they are not advertised
    }
}
AS Path Configuration
as-path LOCAL-AS "()"; # "()" matches the empty AS path, i.e. routes originated in the local AS