
Page 1

Scaling and other new BGP Features
Mark Turner, Cisco Systems
markt@cisco.com

Queries: [email protected]

Unless otherwise noted, these features are in 11.1(19)CC1
http://www.cisco.com/univercd/cc/td/doc/product/software/ios111/cc111

Page 2

AGENDA
- Behavioral Changes
- Knobs for the “Common Good”
- Knobs for fun and profit (reading exercise)

Page 3

Behavioral Changes
- Peer Groups
- Route Reflectors
- CPU/Memory utilization improvements

Page 4

What: Remove restrictions on BGP peer groups

Why:
- Allow transit between EBGP peer-group members
- Allow EBGP peer groups to span multiple LIS
- Allow peer-group of Route Reflector Clients

How: No knob

Page 5

Figure labels: CORE; Route Reflector; Client Peer Group; Aggregation Router (RR Client); Full Routes Peer Group; “Default” Peer Group; Customer Routes Peer Group.

- Use “neighbor default-originate” for per neighbor default

Page 6

What: Remove RR client cross-cluster peering restrictions

Why: Increase scalability/reliability of RR hierarchies

How: No knob - extra decision criteria

Notes: To avoid loops, ensure RR-RRC topology follows the physical topology

Page 7

Figure: destination X reachable via A (RR) and via D (RR); B (RRC) and C (RRC) sit between them.

- A and D choose EBGP path for X
- C is RRC of A - route to X is via B to A
- B is RRC of D - route to X is via C to D => Loop B<->C

Page 8

Figure: Backbone of RRs connecting Cluster A, Cluster B, Cluster C and Cluster D, each cluster with its own RR and RRCs.

Reflector relationships between Cluster C/Cluster D and Cluster B now ok.

Page 9

What: Remove 200 “network” command restriction

Why: Customer demand. Limit now set by box resources (memory/nvram)

How: No knob

Page 10

Knobs for the “Common Good”
- Prefix Counts/Overload
- Prefix Lists
- Overriding 3rd party NH
- AS transition support
- Conditional advertisements
- CEF RPF
- MAC Accounting

Page 11

What: Prefix count and “overload protection”

Why:
- Some protection against peer “major mistakes”.
- Consider applying to customer peer groups.

How:
neighbor <address/tag> maximum-prefix <n> [warning-only]

Notes:
- prefix count always shows up in “sh ip bgp sum” output
- Small counting discrepancy - fix in 11.1(20)CC

Page 12

Log output:
%BGP-4-MAXPFX: No of prefix received from y.y.y.y reaches 0.75N, Max N
%BGP-4-MAXPFXEXCEED: No of prefix received from y.y.y.y: N+x exceed limit N

sh ip bgp sum output:
1.0.0.129       4 65000   37888   36523   113054    0    0 04:19:40    49938
1.0.0.129       4 65000   37992   36630        0    0    0 00:01:24 Idle (PfxCt)

Page 13

sh ip bgp n 1.0.0.129
BGP neighbor is 1.0.0.129, remote AS 65000, external link
 Index 8, Offset 1, Mask 0x1
 BGP version 4, remote router ID 0.0.0.0
 BGP state = Idle, table version = 0
 Last read 00:02:15, hold time is 180, keepalive interval is 60 seconds
 Neighbor NLRI negotiation:
  Configured for unicast routes only
 Minimum time between advertisement runs is 30 seconds
 Received 37992 messages, 0 notifications, 0 in queue
 Sent 36630 messages, 0 notifications, 0 in queue
 Connections established 2; dropped 2
 Last reset 00:02:15, due to Peer exceeding maximum prefix limit
 Peer had exceeded the max. no. of prefixes configured.
 Reduce the no. of prefix and clear ip bgp 1.0.0.129 to restore peering
 No active TCP connection
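Slides 12 and 13 show what a max-prefix event looks like in syslog and in “sh ip bgp sum”. The following is an added example (not from the talk) that parses both formats to find peers that tripped the limit and are now held in Idle (PfxCt) until an operator clears them; the log lines and summary rows are constructed samples in the slide's layout, and the addresses and counts are placeholders.

```python
import re

# Constructed sample input in the two formats the slides show; addresses are
# documentation-range placeholders and the counts are made up.
SAMPLE_LOG = """\
%BGP-4-MAXPFX: No of prefix received from 192.0.2.1 reaches 750, Max 1000
%BGP-5-ADJCHANGE: neighbor 198.51.100.9 Up
%BGP-4-MAXPFXEXCEED: No of prefix received from 198.51.100.9: 1003 exceed limit 1000
"""
SAMPLE_SUMMARY = """\
192.0.2.1       4 65000   37888   36523   113054    0    0 04:19:40    49938
198.51.100.9    4 65001   37992   36630        0    0    0 00:01:24 Idle (PfxCt)
"""

WARN_RE = re.compile(
    r"%BGP-4-MAXPFX: No of prefix received from ([\d.]+) reaches (\d+), Max (\d+)")
EXCEED_RE = re.compile(
    r"%BGP-4-MAXPFXEXCEED: No of prefix received from ([\d.]+): (\d+) exceed limit (\d+)")

def scan_syslog(text):
    """One event per max-prefix message: the 75% warning or the teardown."""
    events = []
    for line in text.splitlines():
        for regex, state in ((WARN_RE, "warning"), (EXCEED_RE, "exceeded")):
            m = regex.search(line)
            if m:
                events.append({"peer": m[1], "state": state,
                               "count": int(m[2]), "limit": int(m[3])})
                break
    return events

def peers_idle_pfxct(summary):
    """Peers that 'sh ip bgp sum' lists as Idle (PfxCt): session torn down."""
    peers = []
    for line in summary.splitlines():
        fields = line.split()
        if len(fields) >= 10 and " ".join(fields[9:]) == "Idle (PfxCt)":
            peers.append(fields[0])
    return peers

def peers_needing_clear(log, summary):
    """Peers seen exceeding their limit in syslog and now Idle (PfxCt): these
    stay down until an operator runs 'clear ip bgp <addr>' (slide 13)."""
    exceeded = {e["peer"] for e in scan_syslog(log) if e["state"] == "exceeded"}
    return sorted(exceeded & set(peers_idle_pfxct(summary)))
```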

Page 14

What: Prefix lists

Why:
- Efficient handling of large route filters, eg at peering points.
- Incremental configuration updates
- Filtering on prefix-length

How:
Prefix list definition:
[no] ip prefix-list <list-name> [seq <seq-value>] deny | permit <network>/<len> [ge <ge-value>] [le <le-value>]

Apply to Neighbor:
neighbor <address/tag> prefix-list <list-name> in|out
- can also be used with route-maps

Page 15

Exact match
ip prefix-list aaa permit 35.0.0.0/8

Prefix Length match
In 192/8, accept up to /24
ip prefix-list aaa permit 192.0.0.0/8 le 24

In 192/8, deny /25+
ip prefix-list aaa deny 192.0.0.0/8 ge 25

In all address space, deny /0 - /7
ip prefix-list aaa deny 0.0.0.0/0 le 7
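The ge/le semantics on slides 14 and 15 are the part of prefix lists that gets mis-configured most often. As an added example (not from the talk), this parses the slide's four entries from IOS-style text and evaluates candidate prefixes against them with the same rules: exact match when neither ge nor le is given, a range of lengths otherwise, first match wins, implicit deny at the end.

```python
import ipaddress
import re
# One IOS-style entry: ip prefix-list <name> [seq <n>] permit|deny <net>/<len> [ge <v>] [le <v>]
ENTRY_RE = re.compile(
    r"ip prefix-list (?P<name>\S+)(?: seq (?P<seq>\d+))? (?P<action>permit|deny) "
    r"(?P<net>\S+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$")

def parse_prefix_list(config, name):
    """Collect the entries of prefix-list `name` from config text, in order."""
    entries = []
    for line in config.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m and m["name"] == name:
            entries.append({"action": m["action"],
                            "net": ipaddress.ip_network(m["net"], strict=False),
                            "ge": int(m["ge"]) if m["ge"] else None,
                            "le": int(m["le"]) if m["le"] else None})
    return entries

def prefix_list_match(entries, candidate):
    """Evaluate a candidate prefix such as '192.168.1.0/25' against the list.
    An entry matches when the candidate lies inside the entry's network and its
    length L fits the slide's cases: no ge/le -> L == entry length (exact);
    le only -> entry length <= L <= le; ge only -> ge <= L <= 32;
    ge and le -> ge <= L <= le. First match decides; implicit deny at the end."""
    cand = ipaddress.ip_network(candidate, strict=False)
    for e in entries:
        net = e["net"]
        if cand.version != net.version or not cand.subnet_of(net):
            continue
        low = e["ge"] if e["ge"] is not None else net.prefixlen
        if e["le"] is not None:
            high = e["le"]
        elif e["ge"] is not None:
            high = cand.max_prefixlen
        else:
            high = net.prefixlen
        if low <= cand.prefixlen <= high:
            return e["action"]
    return "deny"

# The slide's examples combined into one list (constructed config text).
SLIDE_CONFIG = """\
ip prefix-list aaa permit 35.0.0.0/8
ip prefix-list aaa permit 192.0.0.0/8 le 24
ip prefix-list aaa deny 192.0.0.0/8 ge 25
ip prefix-list aaa deny 0.0.0.0/0 le 7
"""
AAA = parse_prefix_list(SLIDE_CONFIG, "aaa")
```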

Page 16

Notes:
- prefix-list and distribute-list cannot be applied to a single neighbor at the same time
- Improvements to the CLI parser led to a ~4 times speed increase - which is just as well!!!!

Page 17

What: Override inbound/outbound third-party NH

Why:
- Force neighbor to transit traffic at NAP
- Set next-hop per prefix, based on route-map => more granularity than “neighbor x.x.x.x next-hop-self”

How:
route-map nukeNH permit 10
 set ip next-hop <address> | peer-address

Page 18

What: “OR” capability for peer AS number

Why: Smooth transition between AS numbers (providers) for customers.

How: remote-as xxx or yyy or zzz

Caveats: Coming in 12.0 :-)

Page 19

What: Conditional Advertisements

Why: For dual homed sites - limit sub-provider CIDR block prefix announcements to failure condition only. (Yakov’s ‘96 Nanog talk)

How: neighbor <address/tag> advertise-map <route-map> non-exist-map <route-map>

Page 20

Figure labels: ISP1, ISP2; R1, R2, R3, R4; 24.10.6/24, 140.15.7/24; 24.10.6.14, 140.15.7.4; 24.10/16, 140.15.7/24 (auto-injected); 140.15/16.

neighbor <R1> advertise-map amap non-exist-map backbone
route-map amap permit 10
 match ip address 1
route-map backbone permit 10
 match ip address 2
access-list 1 permit 140.15.7.0   ! Advertise this when...
access-list 2 permit 140.15.0.0   ! ... this is not present.

Page 21

What: RPF for CEF

Why: Efficient protection against your customers sourcing ip spoof attacks

How:
global:
 ip cef [distributed]

Per interface:
 interface xyz
  ip verify unicast reverse-path

Page 22

Figure (RPF for CEF): Router A sits between customer interfaces S0 and S1 and the Internet. Router A's routing table: 10/8 -> S0, 20/8 -> S1. Incoming customer packets: Src IP 10.1.1.1, Src IP 20.1.1.1.
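The check behind “ip verify unicast reverse-path” on slides 21 and 22, as an added example that is not from the talk: a packet is accepted only if the route back to its source address leaves via the interface the packet arrived on. Router A's table, the interface names S0/S1 and the packet list are constructed from the slide; a source with no route back at all (not drawn on the slide) is treated as failing the check too.

```python
import ipaddress

# Router A's routing table from the slide (constructed): prefix -> interface
# the route points out of. S0 and S1 are the two customer links.
ROUTER_A_TABLE = {
    ipaddress.ip_network("10.0.0.0/8"): "S0",
    ipaddress.ip_network("20.0.0.0/8"): "S1",
}

def lookup(table, address):
    """Longest-prefix match for `address`; None when there is no route."""
    addr = ipaddress.ip_address(address)
    best = None
    for net, iface in table.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def rpf_accept(table, ingress, src):
    """The test 'ip verify unicast reverse-path' applies on the slide: accept
    only if the route back to the source leaves through the ingress
    interface. No route back also fails the check."""
    return lookup(table, src) == ingress

def filter_packets(table, packets):
    """Split (ingress, src, dst) tuples into (accepted, dropped) lists."""
    accepted, dropped = [], []
    for pkt in packets:
        (accepted if rpf_accept(table, pkt[0], pkt[1]) else dropped).append(pkt)
    return accepted, dropped

# Constructed packets: the two legitimate sources from the slide, a 20/8
# source arriving on the 10/8 customer's link, and a source with no route back.
SAMPLE_PACKETS = [
    ("S0", "10.1.1.1", "198.51.100.10"),
    ("S1", "20.1.1.1", "198.51.100.10"),
    ("S0", "20.1.1.1", "198.51.100.10"),
    ("S1", "203.0.113.7", "198.51.100.10"),
]
```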

Page 23

What: MAC accounting: 512 addresses/direction.

Why: eg NAP peer-flows without netflow analysis - USEFUL FOR DEBUGGING

How:
int fddi x
 ip accounting mac-address input
 ip accounting mac-address output

Notes: 512 MAC entries; ip only; CEF/dCEF (11.1(20)CC only)/flow/optimum; ethernet, fastethernet, fddi only

SNMP Access: http://www.cisco.com/public/mibs/supportlists/c7505/supportlist.html (look for CISCO-IP-STAT-MIB)

Page 24

Example show output:

sh int Ethernet0/1/3 mac
  Input  (511 free)
    0000.0c04.7ad5(167): 9 packets, 1026 bytes, last: 20512ms ago
      Total: 9 packets, 1026 bytes
  Output (510 free)
    ffff.ffff.ffff(0 ): 16 packets, 960 bytes, last: 58108ms ago
    0000.0c04.7ad5(167): 9 packets, 1026 bytes, last: 21060ms ago
      Total: 25 packets, 1986 bytes

Page 25

Knobs for Fun and Profit
- MBGP (BGP+)
- Per neighbor bgp timers
- Clear all peers in single AS
- Always strip private AS
- bgp logging
- per neighbor timers, description, shutdown
- community regexp match
- bgp policy propagation
- IP precedence accounting

Page 26

What: Multicast NLRI support in BGP

Why: Support incongruent multicast and unicast policy routing in the Internet

How:
ftp://ftpeng.cisco.com/ipmulticast/mbgp_deployment_overview.txt
ftp://ftpeng.cisco.com/ipmulticast/mbgp_configuration_examples.txt
ftp://ftpeng.cisco.com/ipmulticast/html/ipmulticast.html

Notes: 11.1(20)CC only

Page 27

What: Per neighbor bgp timers

Why: Allow fast fall-over of specific peering sessions (eg for backup purposes)

How: neighbor x.x.x.x timers <keepalive> <holdtime>

Page 28

What: A way to clear all sessions to a single AS

Why: Operations

How: clear ip bgp <AS number>

Caveats: none known

Page 29

What: A way to always strip private AS

Why: Allows pre-append of private AS (before only adjacent private AS was stripped)

How: neighbor <address/tag> remove-private-as always

Caveats: none known

Page 30

What: Neighbor/peer group description

Why: Operational

How: neighbor <address/tag> description <text>

Page 31

What: Neighbor/peergroup shutdown command

sho ip bgp sum:
1.0.0.1         4  1001    2810     353        0    0    0 00:00:02 Idle (Admin)

Why: Remove need to cut-and-paste config in order to deactivate neighbor

How: neighbor <addr>/<tag> shutdown

Page 32

What: Regular expression match for communities

Why: Community pattern matching in route-maps

How: ip community-list <100-199> permit|deny regexp

Notes: cisco regexp - not full perl/unix regexp!

Page 33

What: Log neighbor up/down
%BGP-5-RESET: neighbor 1.0.0.79 reset (Peer closing down the session)
%BGP-5-ADJCHANGE: neighbor 1.0.0.131 Down
%BGP-5-ADJCHANGE: neighbor 1.0.0.131 Up

Why: Operational

How: bgp log-neighbor-changes

Caveats: none known

Page 34

What: BGP policy propagation

Why: Communicate QoS policy based on BGP attributes within and between ASs.

How: allows IP precedence or (11.1(20)CC onwards) internal QoS Flag to be set based on AS list, community list, or IP address. Can then use CAR/WRED etc to enforce QoS policy.

See: http://www.cisco.com/univercd/cc/td/doc/product/software/ios111/cc111/bgpprop.htm

Notes: must enable CEF on interface

Page 35

AS Path Example: Set ip precedence to 3 for traffic originating in AS200

Figure: R1 in AS200 peers with R2 in AS210.

!
router bgp 210
 table-map as-path-precedence-map
 neighbor “R1” remote-as 200
!
ip as-path access-list 101 permit $200^
!
route-map as-path-precedence-map
 match ip as-path 101
 set precedence 3
!
interface hssi/0/0/0
 bgp-policy ip-prec-map
!

Page 36

Unusual CAR Example: block traffic from community 100:0 to AS400

Figure: AS100 and AS300 attach to AS200, which connects onward to AS400.

router bgp 200
 table-map qos-class
 neighbor ...
!
ip community-list 100 permit ^100:0$
!
route-map qos-class
 match community 100
 set ip qos-group 2   ! “2” is the internal QoS classifier,
                      ! of which there are 100
!
interface serial 0/0/0   ! outgoing interface to AS400
 rate output qos 2 8000 8000 8000 conform drop exceed drop
interface serial 0/0/1   ! incoming interface from AS100
 bgp-policy input ip-qos-class

Page 37

What: IP Precedence accounting (8 levels)

sh int fddi 5/0/0 precedence
Fddi5/0/0
  Input
    Precedence 0: 439 packets, 39846 bytes
    Precedence 6: 10 packets, 745 bytes
  Output
    Precedence 6: 80 packets, 17302 bytes

http://www.cisco.com/public/mibs/supportlists/c7505/supportlist.html (CISCO-IP-STAT-MIB)

Why: non-netflow billing on precedence

How:
int fddi x
 ip precedence accounting input
 ip precedence accounting output

Caveats: CEF/DCEF/Flow/Optimum only