Sunday, September 16, 2012

BGP Authentication

BGP authentication configuration example

BGP authentication is provided through TCP Option 19, the MD5 hash.

We will use Cisco IOS routers in this example. Here is the basic BGP authentication configuration:

on R1:

router bgp 100
neighbor 10.10.10.2 remote-as 200
neighbor 10.10.10.2 password PASSWORD1

on R2:

router bgp 200
neighbor 10.10.10.1 remote-as 100
neighbor 10.10.10.1 password PASSWORD1

R2#show ip bgp neighbors 10.10.10.1 | include BGP state|Flags
BGP state = Established, up for 00:01:38
Flags: active open, nagle, md5

We will change the BGP password at one of the routers for testing:

R2(config)#router bgp 200
R2(config-router)#neighbor 10.10.10.1 password PASSWORD2
R2(config-router)#end
R2#clear ip bgp *
%BGP-5-ADJCHANGE: neighbor 10.10.10.1 Down User reset
%TCP-6-BADAUTH: Invalid MD5 digest from 10.10.10.1(179) to 192.10.1.2(19999)

This confirms that the passwords must match on both peers: a mismatch produces the %TCP-6-BADAUTH message and the session never reaches Established.
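As an added illustration (not from the original post), here is a Python model of what TCP option 19 carries, following RFC 2385: the MD5 digest covers the pseudo-header, the fixed TCP header with the checksum zeroed, the segment data and the shared password, so a receiver configured with a different password recomputes a different digest and rejects the segment. The addresses, ports and the BGP OPEN payload are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

TCP_MD5_KIND = 19   # TCP option kind for the RFC 2385 MD5 signature
TCP_MD5_LEN = 18    # kind(1) + length(1) + 16-byte digest


def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key):
    """RFC 2385 digest: pseudo-header + fixed TCP header (checksum zeroed,
    options excluded) + segment data + the shared key, in that order."""
    doff = (tcp_header[12] >> 4) * 4           # header length incl. options
    seg_len = doff + len(payload)              # pseudo-header carries total length
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                         socket.inet_aton(dst_ip), 0, socket.IPPROTO_TCP, seg_len)
    fixed = bytearray(tcp_header[:20])
    fixed[16:18] = b"\x00\x00"                 # checksum is zero while hashing
    return hashlib.md5(pseudo + bytes(fixed) + payload + key.encode()).digest()


def build_signed_segment(src_ip, dst_ip, sport, dport, payload, key):
    """Sender side: 20-byte TCP header plus 20 bytes of options carrying option 19."""
    doff_words = 10                            # 20 fixed + 18 option + 2 NOP pad = 40
    header = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                         doff_words << 4, 0x02, 65535, 0, 0)  # SYN, checksum 0
    digest = tcp_md5_digest(src_ip, dst_ip, header, payload, key)
    option = bytes([TCP_MD5_KIND, TCP_MD5_LEN]) + digest + b"\x01\x01"  # NOP pad
    return header + option


def verify_signed_segment(src_ip, dst_ip, segment, payload, key):
    """Receiver side: find option 19 and recompute the digest with the local key.
    A mismatch here is what IOS logs as %TCP-6-BADAUTH."""
    opts = segment[20:(segment[12] >> 4) * 4]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                          # end of option list
            break
        if kind == 1:                          # NOP
            i += 1
            continue
        length = opts[i + 1]
        if kind == TCP_MD5_KIND and length == TCP_MD5_LEN:
            expected = tcp_md5_digest(src_ip, dst_ip, segment, payload, key)
            return hmac.compare_digest(opts[i + 2:i + 18], expected)
        i += length
    return False                               # unsigned segment: reject when a key is configured


# Constructed sample: R1 (10.10.10.1, AS 100) sends a BGP OPEN to R2 (10.10.10.2) port 179.
OPEN_MSG = b"\xff" * 16 + struct.pack("!HB", 29, 1) + b"\x04\x00\x64\x00\xb4\x0a\x0a\x0a\x01\x00"
SEGMENT = build_signed_segment("10.10.10.1", "10.10.10.2", 19999, 179, OPEN_MSG, "PASSWORD1")
```

With PASSWORD1 on both sides verification succeeds; with PASSWORD2 configured on the receiver, as in the test above, the same segment fails the check.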

Thursday, September 6, 2012

BGP Conditional default-route advertisement


Conditional default-route advertisement is done by associating a route-map with the “neighbor default-originate” statement. The default route is advertised only if the route-map matches a prefix that is present in the routing table. If that prefix is not in the routing table, the default route will not be advertised to the neighbor.

We can match ip prefixes with the route-map using either access-lists or prefix-lists.

Here is the example:

We will send the default route when the 10.1.10.0/24 network is in the routing table:

ip prefix-list test seq 5 permit 10.1.10.0/24

route-map test permit 10
 match ip address prefix-list test


router bgp 1
 no synchronization
 bgp log-neighbor-changes
 bgp redistribute-internal
 timers bgp 10 30
 neighbor 10.10.10.6 remote-as 1
 neighbor 10.10.10.6 default-originate route-map test
 no auto-summary

R1#sh run int f0/0.10
Building configuration...

Current configuration : 112 bytes
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.1.10.1 255.255.255.0
 end

R1#debug ip bgp update (to see updates)
BGP updates debugging is on for address family: IPv4 Unicast

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#int f0/0.10
R1(config-subif)#shut
R1(config-subif)#
*Mar  1 00:28:52.063: BGP(0): 10.10.10.6 send unreachable 0.0.0.0/0
*Mar  1 00:28:52.063: BGP(0): 10.10.10.6 enqueued default-originate update
R1(config-subif)#no shut
R1(config-subif)#
*Mar  1 00:29:00.031: BGP(0): 10.10.10.6 enqueued default-originate update

BGP Timers

BGP peers send keepalive messages (default interval is 60 seconds) to inform each other of their availability.

They advertise their hold-time interval (default value is 180 seconds) when establishing a BGP session.

Peers may advertise different hold-time intervals; the lower value is used.

We can change the keepalive and hold-time intervals in BGP configuration mode using the command timers bgp <keepalive> <holdtime>

or per neighbor:

neighbor <ip> timers <keepalive> <holdtime>


Here is the example:

First router:

router bgp 1
 no synchronization
 bgp log-neighbor-changes
 timers bgp 10 30
 neighbor 10.10.10.1 remote-as 1
 neighbor 10.10.10.1 timers 15 45

R6#show ip bgp nei 10.10.10.1
BGP neighbor is 10.10.10.1,  remote AS 1, internal link
  BGP version 4, remote router ID 192.168.1.1
  BGP state = Established, up for 00:03:41
  Last read 00:00:00, last write 00:00:00, hold time is 30, keepalive interval is 10 seconds
  Configured hold time is 45,keepalive interval is 15 seconds  Minimum holdtime

Second router:

router bgp 1
 no synchronization
 bgp log-neighbor-changes
 timers bgp 10 30
 neighbor 10.10.10.6 remote-as 1
 no auto-summary

R1#show ip bgp neighbor
BGP neighbor is 10.10.10.6,  remote AS 1, internal link
  BGP version 4, remote router ID 192.168.2.6
  BGP state = Established, up for 00:04:36
  Last read 00:00:05, last write 00:00:05, hold time is 30, keepalive interval is 10 seconds
  Configured hold time is 30,keepalive interval is 10 seconds, Minimum holdtime