BGP Internet Edge


Border Gateway Protocol (BGP) is a widely used routing protocol. This blog will discuss the configuration of two BGP internet edge routers that advertise a /23 subnet and act as primary and secondary for each other for the two /24 subnets inside it.

 

Figure: Internet edge BGP topology

 

Requirements:

  • Internet traffic should use the ISP public /29 subnets:
      • 200.1.2.0/29 from ISP2
      • 100.1.2.0/29 from ISP1
  • BGP neighborship:
      • 200.1.1.0/31 to form the BGP neighborship with ISP2
      • 100.1.1.0/31 to form the BGP neighborship with ISP1
  • Our BGP subnet is 20.20.20.0/23, and the /24 subnet priority should be:
      • 20.20.20.0/24 to prefer ISP1, with ISP2 as backup
      • 20.20.21.0/24 to prefer ISP2, with ISP1 as backup
  • ASNs:
      • Our ASN is 6000
      • ISP1 is AS 100
      • ISP2 is AS 200
  • The firewall will do all the NATing.
  • The ISPs have already configured the routers on their end.

 

 

 

We will start by forming the BGP neighborship.

Under the BGP process we specify that our ASN is 6000 and then configure the neighbor: on Router1 the neighbor's IP is 100.1.1.1 and its AS is 100, and on Router2 the neighbor's IP is 200.1.1.1 and its AS is 200.

IntRouter1

router bgp 6000
    neighbor 100.1.1.1 remote-as 100

IntRouter2

router bgp 6000
    neighbor 200.1.1.1 remote-as 200

 

To check the BGP neighborship status:

show ip bgp summary

 

Troubleshooting BGP neighborship

  • Check the number of routes you are receiving under PfxRcd.
  • BGP state: peer stuck in Idle
      • Configuration
          • Check the AS number, network, neighbor IP, multihop, TTL security
          • BGP authentication, ACLs
      • Reachability
          • Check the ICMP ping source
          • Verify port 179 is open: telnet with /source-interface
          • No connected route to the peer
  • BGP state: peer stuck in Active: the TCP connection is initiated but not completed.
      • Configuration
          • The subnet is not in the routing table (e.g. the interface is down or the subnet can't be reached)
          • The source interface is wrong
          • The AS number is incorrect on either router
          • Peer IP misconfigured
          • BGP configuration error
      • Reachability
          • Connection error
          • Interface flapping
  • BGP state: peer flapping Active/Idle
      • TCP was established, but BGP negotiation failed (missing configured AS, ...)
  • BGP state: peer flapping Idle/Established
      • Bad update, or a TCP problem (MSS size in multihop, MTU)
      • Verify the MTU by pinging with the DF bit set

 

To check for a specific route, you can run the below command and check if the prefix exists  

show ip bgp neighbor [neighbor-ip-address] received-routes

 

You might need to configure soft-reconfiguration so that your router stores a copy of all received routes in memory, even if they are not installed in the routing table.

 

 

 

Advertise our BGP subnet:

Next we advertise our BGP subnet to the ISP routers. We also need to prioritize 20.20.20.0/24 via router1 and 20.20.21.0/24 via router2, with each router acting as the backup for the other.

So we advertise 20.20.20.0/23 and 20.20.20.0/24 from router1, and 20.20.20.0/23 and 20.20.21.0/24 from router2. When a router decides where to send a packet it picks the most specific (longest) matching route first and only then looks at other criteria such as metrics, so each /24 wins while its preferred ISP is up, and the /23 from the other ISP takes over when the /24 is withdrawn.
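As an added example (not code from the original post), a small Python model of the Internet-side routing table that these advertisements create. It applies longest-prefix match to a destination in each /24 and then withdraws each ISP's routes in turn, showing the primary/backup behaviour the design relies on.

```python
import ipaddress

# Constructed view of the Internet-side routing table produced by the
# advertisements above: (prefix, ISP that advertises it).
RIB = [
    ("20.20.20.0/23", "ISP1"),  # aggregate from router1
    ("20.20.20.0/23", "ISP2"),  # aggregate from router2
    ("20.20.20.0/24", "ISP1"),  # more specific, only from router1
    ("20.20.21.0/24", "ISP2"),  # more specific, only from router2
]


def best_path(rib, destination):
    """Longest-prefix match: return the ISP of the most specific prefix
    covering `destination`, or None if nothing covers it. When two entries
    tie on length (the /23 from both ISPs) the first one wins, standing in
    for BGP's later tie-breakers."""
    dst = ipaddress.ip_address(destination)
    best_net, best_isp = None, None
    for prefix, isp in rib:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_isp = net, isp
    return best_isp


def withdraw(rib, failed_isp):
    """Simulate losing the peering with `failed_isp`: every prefix it
    advertised is withdrawn, so only the other ISP's routes remain."""
    return [(p, isp) for p, isp in rib if isp != failed_isp]


def path_report(destination):
    """Path used in steady state, and after each ISP fails in turn."""
    return {
        "normal": best_path(RIB, destination),
        "isp1_down": best_path(withdraw(RIB, "ISP1"), destination),
        "isp2_down": best_path(withdraw(RIB, "ISP2"), destination),
    }


if __name__ == "__main__":
    for host in ("20.20.20.10", "20.20.21.10"):
        print(host, path_report(host))
```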

 

 

IntRouter1

! we need to add our /23 and /24 BGP subnet to the router  
! routing table and point the route to the firewall
ip route 20.20.20.0/23 100.1.2.2
ip route 20.20.20.0/24 100.1.2.2
!
!  
router bgp 6000
! adding the network command to advertise to the neighbors  
    network 20.20.20.0/23
    network 20.20.20.0/24
! Check with ISP if you must advertise their subnet
    network 100.1.2.0/29

 
IntRouter2

! we need to add our /23 and /24 BGP subnet to the router  
! routing table and point the route to the firewall
ip route 20.20.20.0/23 200.1.2.2
ip route 20.20.21.0/24 200.1.2.2
!
!  
router bgp 6000
! adding the network command to advertise to the neighbors
    network 20.20.20.0/23
    network 20.20.21.0/24
! Check with ISP if you must advertise their subnet
    network 200.1.2.0/29

 

Check if we are advertising the route to the ISP  

 

show ip bgp neighbor [neighbor-ip-address] advertised-routes  

BGP table version is 27, local router ID is 172.16.232.181
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop     Metric LocPrf Weight Path
*> 20.20.20.0/23    100.1.1.0      -      -       -    6000 ?
*> 100.1.2.0/29     100.1.1.0      -      -       -    6000 i


  • BGP table version: internal version number of the table. The number increases when the table is updated.
  • local router ID: IP address of the local BGP router.
  • Status codes:
      • s - Suppressed.
      • d - Damped, meaning it will not be advertised to BGP neighbors.
      • h - History: does not contain the best path, based on historical information.
      • * - Valid.
      • > - Best route.
      • i - Learned via an internal BGP (iBGP) session.
  • Origin codes: origin of the entry. The origin code is placed at the end of each line in the table. It can be one of the following values:
      • i - Entry originated from an Interior Gateway Protocol (IGP) and was advertised with a network router configuration command.
      • e - Entry originated from Exterior Gateway Protocol (EGP).
      • ? - Origin of the path is not clear. Usually this is a route that is redistributed into BGP from an IGP.
  • Network: the subnet.
  • Next Hop: IP address of the next system used to forward a packet to the destination network. An entry of 0.0.0.0 indicates that there are non-BGP routes in the path to the destination network.
  • Metric: if shown, this is the value of the inter-autonomous-system metric. This field is not used frequently.
  • LocPrf: local preference value as set with the set local-preference route-map configuration command. The default value is 100.
  • Weight: weight of the route as set via autonomous system filters.
  • Path: autonomous system paths to the destination network. There can be one entry in this field for each autonomous system in the path.

 

 

 

Configure IBGP between our 2 routers: 

 

IntRouter1

router bgp 6000
    neighbor 172.16.16.1 remote-as 6000
! next-hop-self: we don't advertise the subnet between R1 and ISP1, so without
! this R2 would have no route to the original next hop of the routes R1 learns
    neighbor 172.16.16.1 next-hop-self

IntRouter2

router bgp 6000
    neighbor 172.16.16.0 remote-as 6000
! next-hop-self: we don't advertise the subnet between R2 and ISP2, so without
! this R1 would have no route to the original next hop of the routes R2 learns
    neighbor 172.16.16.0 next-hop-self

 
Check that the neighborship is up:
show ip bgp summary
Check the number of routes you are receiving under PfxRcd.

To check that we are advertising the route to the ISP:
show ip bgp neighbor [neighbor-ip-address] advertised-routes

To check which subnets you are receiving:
show ip bgp neighbor [neighbor-ip-address] received-routes
You might need to configure soft-reconfiguration so that your router stores a copy of all received routes in memory, even if they are not installed in the routing table.
Verify that the next hop is reachable.

 

Also, some engineers prefer to configure iBGP between the router loopbacks instead of the physical interface addresses, as it is clearer and easier to troubleshoot, but this also requires an IGP between the 2 routers so that the loopbacks are reachable.

 

 

Configure route filtering

Now we configure route filtering, because we don't want to advertise everything to our ISPs: we don't want to route traffic between the 2 ISPs (becoming a transit AS for them), and we don't want to advertise the ISP /29 subnets to the other router. Surely the ISPs will also perform some filtering on their end, but we should be filtering these routes ourselves in the first place.

 

 
IntRouter1

ip prefix-list isp-subnet-bgp seq 10 permit 100.1.2.0/29
ip prefix-list our-subnet-bgp seq 10 permit 20.20.20.0/24
ip prefix-list our-subnet-bgp seq 20 permit 20.20.20.0/23
!
! towards ISP1: only the ISP1 /29 and our own prefixes, nothing learned from elsewhere
route-map isp-bgp permit 10
    match ip address prefix-list isp-subnet-bgp
route-map isp-bgp permit 20
    match ip address prefix-list our-subnet-bgp
! towards R2: deny the ISP1 /29 so it is not advertised over iBGP
route-map isp-ibgp deny 10
    match ip address prefix-list isp-subnet-bgp
! and this will allow everything else
route-map isp-ibgp permit 20
router bgp 6000
    neighbor 100.1.1.1 route-map isp-bgp out
    neighbor 172.16.16.1 route-map isp-ibgp out

! To check that the filters are working properly
show ip bgp neighbor 100.1.1.1 advertised-routes
show ip bgp neighbor 172.16.16.1 advertised-routes

 

IntRouter2

ip prefix-list isp-subnet-bgp seq 10 permit 200.1.2.0/29
ip prefix-list our-subnet-bgp seq 10 permit 20.20.21.0/24
ip prefix-list our-subnet-bgp seq 20 permit 20.20.20.0/23
!
! towards ISP2: only the ISP2 /29 and our own prefixes, nothing learned from elsewhere
route-map isp-bgp permit 10
    match ip address prefix-list isp-subnet-bgp
route-map isp-bgp permit 20
    match ip address prefix-list our-subnet-bgp
! towards R1: deny the ISP2 /29 so it is not advertised over iBGP
route-map isp-ibgp deny 10
    match ip address prefix-list isp-subnet-bgp
! and this will allow everything else
route-map isp-ibgp permit 20
router bgp 6000
    neighbor 200.1.1.1 route-map isp-bgp out
    neighbor 172.16.16.0 route-map isp-ibgp out

! To check that the filters are working properly
show ip bgp neighbor 200.1.1.1 advertised-routes
show ip bgp neighbor 172.16.16.0 advertised-routes
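As an added example (not code from the original post), a Python model of IntRouter1's outbound policy above: it walks the route-maps and prefix-lists with their sequence numbers and implicit denies, and shows what leaves towards ISP1 and towards R2 from a constructed BGP table that also holds an Internet route learned from ISP1.

```python
import ipaddress

# Constructed model of IntRouter1's outbound policy, mirroring the
# prefix-lists and route-maps above. Prefix-list entries are
# (seq, action, prefix); route-map clauses are (seq, action, prefix_list),
# where prefix_list None means "no match statement, matches everything".
PREFIX_LISTS = {
    "isp-subnet-bgp": [(10, "permit", "100.1.2.0/29")],
    "our-subnet-bgp": [(10, "permit", "20.20.20.0/24"),
                       (20, "permit", "20.20.20.0/23")],
}
ROUTE_MAPS = {
    "isp-bgp": [(10, "permit", "isp-subnet-bgp"),
                (20, "permit", "our-subnet-bgp")],
    "isp-ibgp": [(10, "deny", "isp-subnet-bgp"),
                 (20, "permit", None)],
}

def prefix_list_permits(prefix_lists, name, prefix):
    """Exact prefix match (no ge/le), lowest matching seq wins;
    a prefix matching no entry is implicitly denied."""
    net = ipaddress.ip_network(prefix)
    for _seq, action, entry in sorted(prefix_lists[name]):
        if ipaddress.ip_network(entry) == net:
            return action == "permit"
    return False

def route_map_permits(route_maps, prefix_lists, name, prefix):
    """Walk clauses in seq order. A clause applies only if its match hits
    (a prefix the list does not permit is a non-match, so the walk goes on);
    falling off the end is the implicit deny."""
    for _seq, action, plist in sorted(route_maps[name]):
        if plist is None or prefix_list_permits(prefix_lists, plist, prefix):
            return action == "permit"
    return False

def advertised(route_map, bgp_table, route_maps=ROUTE_MAPS, prefix_lists=PREFIX_LISTS):
    """Prefixes from `bgp_table` that the outbound route-map lets through."""
    return [p for p in bgp_table
            if route_map_permits(route_maps, prefix_lists, route_map, p)]

# Constructed BGP table on IntRouter1: our prefixes, the ISP1 /29, and one
# Internet route learned from ISP1 (198.51.100.0/24 is a constructed example).
BGP_TABLE = ["20.20.20.0/23", "20.20.20.0/24", "100.1.2.0/29", "198.51.100.0/24"]

if __name__ == "__main__":
    print("to ISP1:", advertised("isp-bgp", BGP_TABLE))   # no Internet route sent back
    print("to R2  :", advertised("isp-ibgp", BGP_TABLE))  # /29 withheld, rest passed on
```

The Internet route does reach R2 over iBGP (R2 needs it for its own forwarding); it is R2's own isp-bgp route-map towards ISP2 that stops it from being re-advertised, which is what keeps us from becoming transit between the two ISPs.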

 

 

 

Configuring PBR:

We must configure policy-based routing (PBR) to force traffic sourced from each ISP's /29 subnet out through that ISP, because if it leaves through the other router the other ISP will drop it.

IntRouter1

! We start by creating an ACL that matches traffic sourced from the ISP1 /29
ip access-list isp-subnet
    10 permit ip 100.1.2.0/29 any
! and a route-map that sends that traffic to the ISP1 peer
route-map isp-pbr permit 10
    match ip address access-list isp-subnet
    set next-hop 100.1.1.1
! the route-map still has to be applied as a policy on the interface facing
! the firewall, where this traffic enters the router; that line is not shown here

IntRouter2

! We start by creating an ACL that matches traffic sourced from the ISP2 /29
ip access-list isp-subnet
    10 permit ip 200.1.2.0/29 any
! and a route-map that sends that traffic to the ISP2 peer
route-map isp-pbr permit 10
    match ip address access-list isp-subnet
    set next-hop 200.1.1.1
! the route-map still has to be applied as a policy on the interface facing
! the firewall, where this traffic enters the router; that line is not shown here

 

 

Security:

Finally, after finishing the routing, we must secure our router. In this example we only cover how to secure the BGP process on the router; some of these precautions achieve the same outcome by different means.
Below we go over router2 only, but these configurations should be applied on both routers.

 

  • We start with an ACL on the incoming interface: there is no need for unauthorised BGP traffic to reach the CPU in the first place.
    ip access-list outside
    ! only the ISP2 peer may talk BGP with us, in both directions of the session
    10 permit tcp host 200.1.1.1 host 200.1.1.0 eq bgp
    20 permit tcp host 200.1.1.1 eq bgp host 200.1.1.0
    ! everyone else is refused on TCP 179, in either direction
    30 deny tcp any any eq bgp
    40 deny tcp any eq bgp any
    50 permit ip any any

    ! applying the ACL to the outside interface
    interface eth1
    ip access-group outside in

  • We also have to enable authentication between us and the ISP (the password must match on both sides):
    router bgp 6000
    neighbor 200.1.1.1 password 7 [ password ]

  • Configuring TTL security is a good idea to be sure that the peer really is one hop away:
    router bgp 6000
    neighbor 200.1.1.1 ttl maximum-hops 1

  • Enable logging of neighbor state changes:
    router bgp 6000
    bgp log-neighbor-changes

  • We also like to specify the maximum number of routes we accept from the peer, so a route leak or misconfiguration on the ISP side cannot exhaust the router's resources:
    router bgp 6000
    neighbor 200.1.1.1 maximum-routes 1000

  • We can also filter on AS path, accepting only routes whose path starts with the ISP's AS:
    ip as-path access-list 1 permit ^200 any
    route-map incoming-bgp-filter permit 10
    match as-path 1
    router bgp 6000
    neighbor 200.1.1.1 route-map incoming-bgp-filter in
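As an added example (not code from the original post), a Python evaluator for the "outside" ACL above: it walks the entries in sequence order with the implicit deny at the end and checks which packets can reach TCP 179 on the router. It also makes the limit visible: a packet that spoofs the peer's source address still matches entry 10, which is why the TTL check and the session password are layered on top of the ACL.

```python
import ipaddress

BGP_PORT = 179

# Constructed model of the "outside" ACL above. Entries are
# (seq, action, proto, src_host, src_port, dst_host, dst_port); None = any.
OUTSIDE_ACL = [
    (10, "permit", "tcp", "200.1.1.1", None, "200.1.1.0", BGP_PORT),
    (20, "permit", "tcp", "200.1.1.1", BGP_PORT, "200.1.1.0", None),
    (30, "deny", "tcp", None, None, None, BGP_PORT),
    (40, "deny", "tcp", None, BGP_PORT, None, None),
    (50, "permit", "ip", None, None, None, None),
]


def _host_match(rule_host, pkt_host):
    return rule_host is None or ipaddress.ip_address(rule_host) == ipaddress.ip_address(pkt_host)


def _port_match(rule_port, pkt_port):
    return rule_port is None or rule_port == pkt_port


def acl_action(acl, proto, src, sport, dst, dport):
    """Evaluate one packet against the ACL: lowest matching seq wins,
    'ip' entries match any protocol, and no match is the implicit deny."""
    for _seq, action, r_proto, r_src, r_sport, r_dst, r_dport in sorted(acl):
        if r_proto != "ip" and r_proto != proto:
            continue
        if (_host_match(r_src, src) and _port_match(r_sport, sport)
                and _host_match(r_dst, dst) and _port_match(r_dport, dport)):
            return action
    return "deny"


def bgp_reachable_from(acl, src, local="200.1.1.0"):
    """Can a TCP SYN from `src` reach our BGP port at all?
    Note the ACL only sees the source address, so a packet spoofing
    200.1.1.1 is indistinguishable from the real peer here."""
    return acl_action(acl, "tcp", src, 40000, local, BGP_PORT) == "permit"


if __name__ == "__main__":
    for src in ("200.1.1.1", "203.0.113.9"):  # peer, then a constructed stranger
        print(src, "->", bgp_reachable_from(OUTSIDE_ACL, src))
```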

 






Thank you for reading. I hope this has been helpful. If you need any help, don't hesitate to reach out. We are more than happy to help you in any way we can.
