BGP Weight Attribute

The BGP Weight attribute is a Cisco proprietary attribute that influences how a router reaches a certain prefix. The difference between Local Preference and Weight is that the former is propagated within an AS while the latter is significant only to the local router. Weight can be used when one router is connected to two or more ASes, or to just one AS through two or more eBGP peers. Now, let's configure weight, and later use a route-map for a more specific use of weight.


Weight is a Cisco Proprietary attribute for BGP that is "locally significant."

Local Preference is a well-known discretionary attribute; Weight doesn't belong to any category.
The default Weight for locally originated routes is 32768. Zero is the default for other routes.
Weight is not propagated to other routers within the AS.



All routers have BGP established within their own AS. R4 is announcing 4 prefixes, and the condition is that R1 must take AS2 to reach 4.4.4.4/32, 44.44.44.44/32 and 144.144.144.144/32. Later, configure a route-map so that R1 takes AS3 to reach 144.144.144.144/32.

Let's see how R1 reaches the prefixes announced by R4.


R1#sh ip bgp
BGP table version is 12, local router ID is 13.13.13.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
* 4.4.4.4/32 12.12.12.2 0 2 4 i
*> 13.13.13.3 0 3 4 i
* 44.44.44.44/32 12.12.12.2 0 2 4 i
*> 13.13.13.3 0 3 4 i
* 144.144.144.144/32
12.12.12.2 0 2 4 i
*> 13.13.13.3 0 3 4 i

OK, it takes AS3 to reach the prefixes. Now, let's configure Weight to make AS2 the preferred path to the prefixes.


R1(config)#router bgp 1
R1(config-router)#neighbor 12.12.12.2 weight 100
R1(config-router)#do clear ip bgp * soft

Now let's see if that changes after clearing the BGP session "softly".


R1#sh ip bgp
BGP table version is 15, local router ID is 13.13.13.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*> 4.4.4.4/32 12.12.12.2 100 2 4 i
* 13.13.13.3 0 3 4 i
*> 44.44.44.44/32 12.12.12.2 100 2 4 i
* 13.13.13.3 0 3 4 i
*> 144.144.144.144/32
12.12.12.2 100 2 4 i
* 13.13.13.3 0 3 4 i

It's now taking AS2. Let's configure a route-map so R1 takes AS3 to reach 144.144.144.144/32. The weight should be 200. We will apply the route-map to neighbor 13.13.13.3.


R1(config)#access-list 1 permit host 144.144.144.144
R1(config)#route-map TAKE_AS3 permit 10
R1(config-route-map)#match address 1
R1(config-route-map)#set weight 200
R1(config-router)#neighbor 13.13.13.3 route-map TAKE_AS3 in
R1(config-router)# do clear ip bgp * soft

The ACL selects which routes are given a weight of 200. The route-map is applied in the inbound direction because we are receiving the routes from that neighbor. Let's see what happens to the BGP table.


R1#sh ip bgp
BGP table version is 16, local router ID is 13.13.13.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*> 4.4.4.4/32 12.12.12.2 100 2 4 i
*> 44.44.44.44/32 12.12.12.2 100 2 4 i
* 144.144.144.144/32
12.12.12.2 100 2 4 i
*> 13.13.13.3 200 3 4 i

Now R1 takes AS3 to reach 144.144.144.144/32. Notice that its weight is now 200, so that path is preferred.
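The three stages of this lab modelled in Python, as an added example that is not part of the original post. It models only the first three steps of the Cisco best-path decision (weight, local preference, AS-path length), and also the route-map's implicit deny, which is why the last output above lists only the AS2 path for 4.4.4.4/32 and 44.44.44.44/32: those AS3 paths were filtered, not merely left unpreferred.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Path:
    prefix: str
    next_hop: str
    as_path: tuple          # (2, 4) for a Path column of "2 4 i"
    weight: int = 0         # Cisco default for received routes (32768 if locally originated)
    local_pref: int = 100   # Cisco default


@dataclass(frozen=True)
class Neighbor:
    address: str
    weight: int = 0           # "neighbor <addr> weight <n>"
    route_map_in: tuple = ()  # permit clauses, each (matched prefixes, weight to set)


def apply_inbound_policy(path: Path, nbr: Neighbor) -> Optional[Path]:
    """Return the path as R1 installs it, or None if the inbound route-map drops it.

    A route-map whose permit clauses match nothing ends in an implicit deny, so a
    route-map with a single "match address 1" clause filters every other prefix
    learned from that neighbor.
    """
    if not nbr.route_map_in:
        return replace(path, weight=nbr.weight)
    for matched, set_weight in nbr.route_map_in:
        if path.prefix in matched:                   # "match address <acl>" hit
            return replace(path, weight=set_weight)  # "set weight <n>"
    return None


def best_path(paths) -> Optional[Path]:
    """First three steps of the Cisco decision process: highest weight, highest
    local preference, shortest AS path. Returns None when those steps tie; the
    later tie-breakers (origin, MED, eBGP, IGP metric, age, router ID) are not modelled."""
    def key(p):
        return (p.weight, p.local_pref, -len(p.as_path))
    ranked = sorted(paths, key=key, reverse=True)
    if len(ranked) > 1 and key(ranked[0]) == key(ranked[1]):
        return None
    return ranked[0]


# Constructed sample input: R4's prefixes as R1 receives them from R2 and R3.
PREFIXES = ("4.4.4.4/32", "44.44.44.44/32", "144.144.144.144/32")
RECEIVED = tuple(Path(p, nh, asp) for p in PREFIXES
                 for nh, asp in (("12.12.12.2", (2, 4)), ("13.13.13.3", (3, 4))))


def bgp_table(neighbors):
    """Map each prefix to (best next hop, or None on a tie; sorted next hops that survived policy)."""
    by_addr = {n.address: n for n in neighbors}
    installed = {}
    for received in RECEIVED:
        path = apply_inbound_policy(received, by_addr[received.next_hop])
        if path is not None:
            installed.setdefault(path.prefix, []).append(path)
    table = {}
    for prefix, paths in installed.items():
        best = best_path(paths)
        table[prefix] = (best.next_hop if best else None, sorted(p.next_hop for p in paths))
    return table


# The three stages of the lab above.
STAGE_DEFAULT = (Neighbor("12.12.12.2"), Neighbor("13.13.13.3"))
STAGE_WEIGHT = (Neighbor("12.12.12.2", weight=100), Neighbor("13.13.13.3"))
STAGE_ROUTE_MAP = (Neighbor("12.12.12.2", weight=100),
                   Neighbor("13.13.13.3", route_map_in=((("144.144.144.144/32",), 200),)))

if __name__ == "__main__":
    for name, nbrs in (("default", STAGE_DEFAULT), ("weight 100", STAGE_WEIGHT),
                       ("route-map", STAGE_ROUTE_MAP)):
        print(name, bgp_table(nbrs))
```

If the AS2 link fails after the route-map is applied, R1 has no remaining path for the two filtered prefixes; a final "permit 20" clause with no match statement would keep them.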

Comparing Config Differences

When I started as a network engineer, whenever I configured something and forgot what it was, I would do "show start" and "show run" and compare the difference manually before doing a "write mem". Believe me, comparing the startup and running config line by line was an eyesore. There is an easy way to compare the configs, though: the command "show archive config differences" has the router compare the startup and running config. Check the output below.


Router#show archive config differences
Contextual Config Diffs:
+no aaa new-model
interface FastEthernet0/0
+description to LAN
+ip ospf cost 100
+duplex half
+mpls ip
-aaa new-model
-aaa session-id common
interface FastEthernet0/0
-description to Building 2
-ip ospf cost 800
-duplex full

The commands prefixed with "+" are in the startup config; the ones with "-" are in the running config. Of course, if you do a "write mem" and then issue the command again, you won't see any differences. :) Good day!

EBGP Multihop

Configuring iBGP doesn't require the neighbor address to be directly connected. The best practice for iBGP is to use the loopback address as the ip address in the BGP neighbor statement. Loopback interfaces never go down, so provided there is an alternate route to the loopback ip address through an IGP, the BGP session will not be torn down.

Using loopback addresses for eBGP is also a good practice if there are multiple links between two routers in different autonomous systems, as shown in the example diagram below. This also achieves load balancing.


The initial configuration for this lab is shown below.


R1#
!
interface Serial1/0
ip address 10.10.10.1 255.255.255.0
serial restart-delay 0
end
!
interface Serial1/1
ip address 10.10.20.1 255.255.255.0
serial restart-delay 0
end
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
router bgp 1
no synchronization
bgp log-neighbor-changes
neighbor 2.2.2.2 remote-as 2
no auto-summary
!
ip route 2.2.2.2 255.255.255.255 10.10.10.2
ip route 2.2.2.2 255.255.255.255 10.10.20.2

R2#
!
interface Serial1/0
ip address 10.10.10.2 255.255.255.0
serial restart-delay 0
end
!
interface Serial1/1
ip address 10.10.20.2 255.255.255.0
serial restart-delay 0
end
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
router bgp 2
no synchronization
bgp log-neighbor-changes
neighbor 1.1.1.1 remote-as 1
no auto-summary
!
ip route 1.1.1.1 255.255.255.255 10.10.10.1
ip route 1.1.1.1 255.255.255.255 10.10.20.1

Notice that on both routers we put 2 static routes to achieve load balancing. Currently the BGP session is not established even though both loopbacks are reachable. Now, let's configure "ebgp-multihop" on both routers and see if this makes the BGP session establish.


The purpose of "ebgp-multihop" is to connect to eBGP neighbors that are not directly connected. As we know, BGP expects eBGP peers to be directly connected, but this command makes the neighborship possible even though they are not.

Now let's configure the routers.



R1(config)#router bgp 1
R1(config-router)#neighbor 2.2.2.2 ebgp-multihop 2

R2(config)#router bgp 2
R2(config-router)#neighbor 1.1.1.1 ebgp-multihop 2

R1#sh ip bgp sum
BGP router identifier 1.1.1.1, local AS number 1
BGP table version is 1, main routing table version 1

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
2.2.2.2 4 2 0 0 0 0 0 never Active

The BGP session is not established even though we configured the "ebgp-multihop" command. Before we find out why, let's first discuss the "ebgp-multihop" command. If we don't specify a value, the default is 255. We put a value of 2 because it takes 2 hops to reach 2.2.2.2 from 1.1.1.1, as they are not directly connected. Provided all the other requirements are met, if the hop count value is lower than what it should be, the eBGP neighborship will not be established.

Going back to why it's not established: by default, BGP sources the TCP session from the ip address of the outgoing interface. The other router rejects the incoming TCP SYN packets because it doesn't recognize the source ip address as a configured neighbor. In our case, it sources the TCP session from the two physical interface ip addresses.


For eBGP multihop to work, the BGP session must be sourced from the ip address the neighbor has configured. In our example the command "neighbor ip_address update-source Loopback0" is needed.

Now let's configure the update-source command, sourcing all BGP negotiations and updates from Loopback0, whose ip addresses are the ones configured in our neighbor statements.


R1(config)#router bgp 1
R1(config-router)#neighbor 2.2.2.2 update-source Loopback0

R2(config)#router bgp 2
R2(config-router)#neighbor 1.1.1.1 update-source Loopback0

R1#sh ip bgp su
*Aug 13 14:41:43.175: %SYS-5-CONFIG_I: Configured from console by consolem
BGP router identifier 1.1.1.1, local AS number 1
BGP table version is 1, main routing table version 1

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
2.2.2.2 4 2 11 11 1 0 0 00:00:47 0

R2#sh ip bgp sum
*Aug 13 14:41:38.099: %SYS-5-CONFIG_I: Configured from console by console
BGP router identifier 2.2.2.2, local AS number 2
BGP table version is 1, main routing table version 1

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
1.1.1.1 4 1 11 11 1 0 0 00:00:42 0

The BGP session is now established. We can see in CEF that it is load balanced.


R1#sh ip cef 2.2.2.2
2.2.2.2/32, version 27, epoch 0, per-destination sharing
0 packets, 0 bytes
via 10.10.20.2, 0 dependencies, recursive
traffic share 1
next hop 10.10.20.2, Serial1/1 via 10.10.20.0/24
valid adjacency
via 10.10.10.2, 0 dependencies, recursive
traffic share 1
next hop 10.10.10.2, Serial1/0 via 10.10.10.0/24
valid adjacency
0 packets, 0 bytes switched through the prefix
tmstats: external 0 packets, 0 bytes
internal 0 packets, 0 bytes

Now that the BGP session is established, let's try shutting down one link and see if the session stays established.


R2(config)#int se1/0
R2(config-if)#shut
R2(config-if)#^Z
R2#sh ihp b
*Aug 13 14:42:38.871: %SYS-5-CONFIG_I: Configured from console by console
*Aug 13 14:42:39.095: %LINK-5-CHANGED: Interface Serial1/0, changed state to administrativ
*Aug 13 14:42:39.095: %ENTITY_ALARM-6-INFO: ASSERT INFO Se1/0 Physical Port Administrative State Down
*Aug 13 14:42:40.095: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to down
R2#sh ip bgp sum
BGP router identifier 2.2.2.2, local AS number 2
BGP table version is 1, main routing table version 1

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
1.1.1.1 4 1 12 12 1 0 0 00:01:45 0

The BGP session is still established. That's all about the eBGP multihop feature. :)

Show Command Multiple Filtering

Normally, when we use a show command, we use "|" to filter, followed by keywords like include, exclude, begin and section. As we all know, "include" shows only the lines that match the string, as in the example below.


R1#sh run | inc CISCO
neighbor CISCO peer-group

We can do some multiple filtering like the example below using the "include" keyword. Let's say we want to see the interface name, the description, the OSPF cost and whether it's configured with the "mpls ip" command.


R1#sh run | inc interface |^ description |^ ip ospf cost |^ mpls ip
interface FastEthernet0/0
description towards LAN
ip ospf cost 100
mpls ip

The trick is to use multiple "|" and the regular expression "^" (start of line). Then put a space before the string, because in a "show run" the configuration lines under an interface have a leading space. This also applies to the "exclude" keyword, but who the heck uses "exclude" that much? There goes another stupid blog entry. :)

My Next Target: CCDA

Currently I am working as a Change Management Engineer, and my job involves planning and preparing configuration for new site setups, partner VPNs and just about anything on the WAN/LAN side of the network. There are times when I am required to do proposals on how the network should be designed, and I really need to research how this should be done properly. As a network engineer, I believe we are not only into configuring routers and doing that for a lifetime. :) I think it's best if we also know how the network should be designed, and it pays a lot if you work in a pre-sales job, which requires design knowledge and experience.

I first started reading Diane Teare's book on CCDA a few months ago. I found it boring at first, but when I went into the succeeding chapters, I found it more interesting. The book is so nice you have to read it twice or thrice! :)

My journey towards the CCIE doesn't mean I am not open to other certifications. I believe certifications like the CCDA and CCDP can greatly help not only with the exam but also with your value as an individual in the networking industry. Certifications like ITIL, which I currently have, are also good for the business and process side of the networking job. Being multi-vendor certified is also good because there are other good networking products out there. Juniper and Checkpoint are my next targets after I have achieved my CCDP certification. I only need two more exams, and I hope to accomplish the certifications I mentioned this year. I will learn as much as I can but will not lose sight of my target and my focus.

BGP Confederation

This feature is used to split an autonomous system into smaller autonomous systems, or the reverse, to combine several autonomous systems into one. Reasons for splitting might be that an IGP like OSPF cannot handle the routes of a really big enterprise, so splitting the AS into smaller ones helps OSPF scale better, or perhaps the enterprise wants separate administrative control per region and wants to control the routing policies of each region. This could also be used in company mergers, when they want to appear as one AS to other eBGP peers. One thing that intrigues me, though, is that one of the materials I was using mentioned that this could also be a workaround for the BGP split-horizon rule. I really doubt that confederations can be a workaround for that. I'll find out for sure in this lab.

The diagram below shows 5 routers, each with its own AS number. The goal here is to group these routers into one confederation and make them appear as AS1234 to R5 in AS5.


Below are the configurations I have placed on the routers.


R1#sh run | section router bgp
router bgp 1
no synchronization
bgp log-neighbor-changes
network 1.1.1.1 mask 255.255.255.255
neighbor 2.2.2.2 remote-as 2
neighbor 2.2.2.2 ebgp-multihop 2
neighbor 2.2.2.2 update-source Loopback0
neighbor 3.3.3.3 remote-as 3
neighbor 3.3.3.3 ebgp-multihop 2
neighbor 3.3.3.3 update-source Loopback0
no auto-summary

R2#sh run | section router bgp
router bgp 2
no synchronization
bgp log-neighbor-changes
neighbor 1.1.1.1 remote-as 1
neighbor 1.1.1.1 ebgp-multihop 2
neighbor 1.1.1.1 update-source Loopback0
neighbor 4.4.4.4 remote-as 4
neighbor 4.4.4.4 ebgp-multihop 2
neighbor 4.4.4.4 update-source Loopback0
no auto-summary

R3#sh run | section router bgp
router bgp 3
no synchronization
bgp log-neighbor-changes
neighbor 1.1.1.1 remote-as 1
neighbor 1.1.1.1 ebgp-multihop 2
neighbor 1.1.1.1 update-source Loopback0
neighbor 4.4.4.4 remote-as 4
neighbor 4.4.4.4 ebgp-multihop 2
neighbor 4.4.4.4 update-source Loopback0
no auto-summary

R4#sh run | section router bgp
router bgp 4
no synchronization
bgp log-neighbor-changes
neighbor 2.2.2.2 remote-as 2
neighbor 2.2.2.2 ebgp-multihop 2
neighbor 2.2.2.2 update-source Loopback0
neighbor 3.3.3.3 remote-as 3
neighbor 3.3.3.3 ebgp-multihop 2
neighbor 3.3.3.3 update-source Loopback0
neighbor 5.5.5.5 remote-as 5
neighbor 5.5.5.5 ebgp-multihop 2
neighbor 5.5.5.5 update-source Loopback0
no auto-summary

R5#sh run | section router bgp
router bgp 5
no synchronization
bgp log-neighbor-changes
neighbor 4.4.4.4 remote-as 4
neighbor 4.4.4.4 ebgp-multihop 2
neighbor 4.4.4.4 update-source Loopback0
no auto-summary

I have configured static routes for reachability. Notice as well that I am using the eBGP multihop feature for eBGP neighbors. I have configured Loopback10 11.11.11.11/32 on R1; let's see how R2, R3, R4 and R5 see this prefix.


R2# sh ip bgp | beg Network
Network Next Hop Metric LocPrf Weight Path
*> 11.11.11.11/32 1.1.1.1 0 0 1 i

R3#sh ip bgp | beg Network
Network Next Hop Metric LocPrf Weight Path
* 11.11.11.11/32 4.4.4.4 0 4 2 1 i
*> 1.1.1.1 0 0 1 i

R4#sh ip bgp | beg Network
Network Next Hop Metric LocPrf Weight Path
* 11.11.11.11/32 3.3.3.3 0 3 1 i
*> 2.2.2.2 0 2 1 i

R5#sh ip bgp | beg Network
Network Next Hop Metric LocPrf Weight Path
*> 11.11.11.11/32 4.4.4.4 0 4 2 1 i

All of them see this prefix as coming from an eBGP peer. Now let's configure R1, R2, R3 and R4 as one confederation and see how the BGP table looks after that. To configure a BGP confederation, what is needed is the confederation identifier and the member ASes belonging to that confederation.


R1(config)#router bgp 1
R1(config-router)#bgp confederation identifier 1234
R1(config-router)#bgp confederation peers 2 3 4

R2(config)#router bgp 2
R2(config-router)#bgp confederation identifier 1234
R2(config-router)#bgp confederation peers 1 3 4

R3(config)#router bgp 3
R3(config-router)#bgp confederation identifier 1234
R3(config-router)#bgp confederation peers 1 2 4

R4(config)#router bgp 4
R4(config-router)#bgp confederation identifier 1234
R4(config-router)#bgp confederation peers 1 2 3
R4(config-router)#bgp confederation peers 4
4 Local member-AS not allowed in confed peer list
4 Local member-AS not allowed in confed peer list

As you noticed, you are not allowed to configure your own AS in the "bgp confederation peers" command. Now let's check how R2, R3, R4 and R5 see this prefix.


R2#sh ip bgp | beg Network
Network Next Hop Metric LocPrf Weight Path
*> 11.11.11.11/32 1.1.1.1 0 100 0 (1) i

R3#sh ip bgp | beg Network
Network Next Hop Metric LocPrf Weight Path
*> 11.11.11.11/32 1.1.1.1 0 100 0 (1) i

R4#sh ip bgp | beg Network
Network Next Hop Metric LocPrf Weight Path
* 11.11.11.11/32 1.1.1.1 0 100 0 (3 1) i
* 1.1.1.1 0 100 0 (2 1) i

R5#sh ip bgp

It's clear that they now behave as if they were in one AS. In R4, you can see that the AS path is enclosed in parentheses, which means the path crossed member ASes of a BGP confederation. I have not configured any route reflector here, but R4 is still learning the prefix as advertised by R2 and R3, so in some way it circumvents the BGP split-horizon rule. In a confederation it may appear as one AS, but each peering behaves according to how it is configured, whether iBGP or eBGP. Going back, R5 is not seeing anything. You know why? It's because R4 doesn't know how to get to 1.1.1.1 in order to reach 11.11.11.11/32. It won't advertise anything to R5 until it knows how to reach that next hop. Let's configure a static route.


R4(config)#ip route 1.1.1.1 255.255.255.255 24.24.24.2
R4(config)#ip route 1.1.1.1 255.255.255.255 34.34.34.3

Then let's see if R4 now has a best path to 11.11.11.11 in its BGP table.


R4#sh ip bgp | beg Network
Network Next Hop Metric LocPrf Weight Path
*> 11.11.11.11/32 1.1.1.1 0 100 0 (2 1) i

The eBGP peering between R4 and R5 is still up, but R5 is still using 4 as the remote-as of R4. It may learn the prefix even though the remote-as for 4.4.4.4 hasn't been changed; however, if the link goes down or the BGP session is cleared, BGP will generate a "neighbor in wrong AS" error. Let's change that config to 1234 and check if R5 now sees 11.11.11.11/32.


R5(config)#router bgp 5
R5(config-router)#neighbor 4.4.4.4 remote 1234
R5(config-router)#neighbor 4.4.4.4 update-source Lo0
*Aug 6 16:09:00.259: %BGP-5-ADJCHANGE: neighbor 4.4.4.4 Down Remote AS changed.4.4.4
*Aug 6 16:09:02.567: %BGP-5-ADJCHANGE: neighbor 4.4.4.4 Up update lo0
R5(config-router)#neighbor 4.4.4.4 ebgp 2

R5#sh ip bgp | beg Network
Network Next Hop Metric LocPrf Weight Path
*> 11.11.11.11/32 4.4.4.4 0 1234 i

The AS path to 11.11.11.11/32 is now just 1234, and R5 sees the group of ASes as one AS. Well, that's all about confederations.
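How the AS path is rewritten at each hop, with and without the confederation, as an added example that is not part of the original post; it reproduces the Path column of the outputs above ("2 1" and "4 2 1" before, "(1)", "(2 1)" and "1234" after) and the loop check a member AS applies.

```python
CONFED_ID = 1234

# An AS_PATH is a list of segments; names follow RFC 4271 / RFC 5065.
# Segment tuples: ("AS_SEQUENCE", [asns]) or ("AS_CONFED_SEQUENCE", [asns]).


def _prepend(path, seg_type, asn):
    """Prepend asn to the first segment if it has the right type, else open a new segment."""
    if path and path[0][0] == seg_type:
        return [(seg_type, [asn] + path[0][1])] + path[1:]
    return [(seg_type, [asn])] + path


def advertise(path, sender_as, receiver_as, members=frozenset()):
    """Return the AS_PATH the sender puts in its UPDATE to the receiver.

    members is the set of member ASes of the confederation (empty = no confederation).
    Within the same AS (iBGP) the path is unchanged. Between two member ASes the sender
    prepends itself to an AS_CONFED_SEQUENCE. Leaving the confederation, all confed
    segments are dropped and the confederation ID is prepended to a plain AS_SEQUENCE."""
    if sender_as == receiver_as:
        return list(path)
    if sender_as in members and receiver_as in members:
        return _prepend(path, "AS_CONFED_SEQUENCE", sender_as)
    external = [seg for seg in path if not seg[0].startswith("AS_CONFED")]
    announced_as = CONFED_ID if sender_as in members else sender_as
    return _prepend(external, "AS_SEQUENCE", announced_as)


def accepts(path, receiver_as, members=frozenset()):
    """Loop detection: a router rejects a path that already carries its own AS. For a
    member AS that means its member-AS number in a confed segment; for an external
    peer, its AS in a regular segment."""
    for seg_type, asns in path:
        is_confed = seg_type.startswith("AS_CONFED")
        if receiver_as in asns and is_confed == (receiver_as in members):
            return False
    return True


def show(path):
    """Render the Path column the way "show ip bgp" does: confed segments in parentheses."""
    parts = []
    for seg_type, asns in path:
        text = " ".join(str(a) for a in asns)
        parts.append(f"({text})" if seg_type.startswith("AS_CONFED") else text)
    return " ".join(parts)


def trace(hops, members=frozenset()):
    """Walk a prefix originated in hops[0] through each router in hops; returns the Path
    column each receiver displays for it."""
    path, seen = [], []
    for sender, receiver in zip(hops, hops[1:]):
        path = advertise(path, sender, receiver, members)
        seen.append(show(path))
    return seen


if __name__ == "__main__":
    print(trace([1, 2, 4, 5]))                  # before: ['1', '2 1', '4 2 1']
    print(trace([1, 2, 4, 5], {1, 2, 3, 4}))    # after:  ['(1)', '(2 1)', '1234']
```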

Fun with TCL: Generating 100 Loopbacks in 1 Minute

When I did the BGP maximum-prefix post, I used Excel to generate 100 ip addresses, just by typing 1.1.1.1 and dragging all the way down to 100. In the cell to the left I put "network", and to the right "mask 255.255.255.255". I pasted it under BGP and noticed some errors because of the line breaks. I hate pasting over and over again. I'd rather be effective than persistent. :)

So after an hour of research and experimentation, I found a way to generate 100 ip route commands without any problem. I tried it on loopback interface configuration and it worked fine! Check the script below.


foreach number {
1
2
3
4
5
6
} { puts [ ios_config "interface Loopback$number" ] }

It's almost the same as the common TCL ping script I use, but the keyword "ios_config" makes the difference: it lets you execute any global configuration command from TCL. For the example's sake I used only 6 numbers. I will post the 100 loopbacks I created later.

Now, what the heck is a loopback without an ip address? Useless, isn't it? I also found a way to map an ip address to a loopback in TCL: use multiple loop variables.


foreach {number address} {
1 3.3.4.1
2 3.3.4.2
3 3.3.4.3
4 3.3.4.4
5 3.3.4.5
6 3.3.4.6

} { puts [ ios_config "interface Loopback$number" "ip address $address 255.255.255.255" ] }

Now, if you notice, after "interface Loopback$number" there is a subcommand for interface configuration mode. You can add as many commands as you want, like descriptions. Just enclose each one in double quotes, as in the script above.

Just be creative with your script. I also used it to announce 500 prefixes in BGP just for fun. As promised, here is my "show ip interface brief" showing the loopbacks.


Router#sh ip int br
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES unset administratively down down
Loopback1 3.3.4.1 YES unset up up
Loopback2 3.3.4.2 YES unset up up
Loopback3 3.3.4.3 YES unset up up
Loopback4 3.3.4.4 YES unset up up
Loopback5 3.3.4.5 YES unset up up
Loopback6 3.3.4.6 YES unset up up
Loopback7 3.3.4.7 YES unset up up
Loopback8 3.3.4.8 YES unset up up
Loopback9 3.3.4.9 YES unset up up
Loopback10 3.3.4.10 YES unset up up
Loopback11 3.3.4.11 YES unset up up
Loopback12 3.3.4.12 YES unset up up
Loopback13 3.3.4.13 YES unset up up
Loopback14 3.3.4.14 YES unset up up
Loopback15 3.3.4.15 YES unset up up
Loopback16 3.3.4.16 YES unset up up
Loopback17 3.3.4.17 YES unset up up
Loopback18 3.3.4.18 YES unset up up
Loopback19 3.3.4.19 YES unset up up
Loopback20 3.3.4.20 YES unset up up
Loopback21 3.3.4.21 YES unset up up
Loopback22 3.3.4.22 YES unset up up
Loopback23 3.3.4.23 YES unset up up
Loopback24 3.3.4.24 YES unset up up
Loopback25 3.3.4.25 YES unset up up
Loopback26 3.3.4.26 YES unset up up
Loopback27 3.3.4.27 YES unset up up
Loopback28 3.3.4.28 YES unset up up
Loopback29 3.3.4.29 YES unset up up
Loopback30 3.3.4.30 YES unset up up
Loopback31 3.3.4.31 YES unset up up
Loopback32 3.3.4.32 YES unset up up
Loopback33 3.3.4.33 YES unset up up
Loopback34 3.3.4.34 YES unset up up
Loopback35 3.3.4.35 YES unset up up
Loopback36 3.3.4.36 YES unset up up
Loopback37 3.3.4.37 YES unset up up
Loopback38 3.3.4.38 YES unset up up
Loopback39 3.3.4.39 YES unset up up
Loopback40 3.3.4.40 YES unset up up
Loopback41 3.3.4.41 YES unset up up
Loopback42 3.3.4.42 YES unset up up
Loopback43 3.3.4.43 YES unset up up
Loopback44 3.3.4.44 YES unset up up
Loopback45 3.3.4.45 YES unset up up
Loopback46 3.3.4.46 YES unset up up
Loopback47 3.3.4.47 YES unset up up
Loopback48 3.3.4.48 YES unset up up
Loopback49 3.3.4.49 YES unset up up
Loopback50 3.3.4.50 YES unset up up
Loopback51 3.3.4.51 YES unset up up
Loopback52 3.3.4.52 YES unset up up
Loopback53 3.3.4.53 YES unset up up
Loopback54 3.3.4.54 YES unset up up
Loopback55 3.3.4.55 YES unset up up
Loopback56 3.3.4.56 YES unset up up
Loopback57 3.3.4.57 YES unset up up
Loopback58 3.3.4.58 YES unset up up
Loopback59 3.3.4.59 YES unset up up
Loopback60 3.3.4.60 YES unset up up
Loopback61 3.3.4.61 YES unset up up
Loopback62 3.3.4.62 YES unset up up
Loopback63 3.3.4.63 YES unset up up
Loopback64 3.3.4.64 YES unset up up
Loopback65 3.3.4.65 YES unset up up
Loopback66 3.3.4.66 YES unset up up
Loopback67 3.3.4.67 YES unset up up
Loopback68 3.3.4.68 YES unset up up
Loopback69 3.3.4.69 YES unset up up
Loopback70 3.3.4.70 YES unset up up
Loopback71 3.3.4.71 YES unset up up
Loopback72 3.3.4.72 YES unset up up
Loopback73 3.3.4.73 YES unset up up
Loopback74 3.3.4.74 YES unset up up
Loopback75 3.3.4.75 YES unset up up
Loopback76 3.3.4.76 YES unset up up
Loopback77 3.3.4.77 YES unset up up
Loopback78 3.3.4.78 YES unset up up
Loopback79 3.3.4.79 YES unset up up
Loopback80 3.3.4.80 YES unset up up
Loopback81 3.3.4.81 YES unset up up
Loopback82 3.3.4.82 YES unset up up
Loopback83 3.3.4.83 YES unset up up
Loopback84 3.3.4.84 YES unset up up
Loopback85 3.3.4.85 YES unset up up
Loopback86 3.3.4.86 YES unset up up
Loopback87 3.3.4.87 YES unset up up
Loopback88 3.3.4.88 YES unset up up
Loopback89 3.3.4.89 YES unset up up
Loopback90 3.3.4.90 YES unset up up
Loopback91 3.3.4.91 YES unset up up
Loopback92 3.3.4.92 YES unset up up
Loopback93 3.3.4.93 YES unset up up
Loopback94 3.3.4.94 YES unset up up
Loopback95 3.3.4.95 YES unset up up
Loopback96 3.3.4.96 YES unset up up
Loopback97 3.3.4.97 YES unset up up
Loopback98 3.3.4.98 YES unset up up
Loopback99 3.3.4.99 YES unset up up
Loopback100 3.3.4.100 YES unset up up

I wonder how many loopbacks I can create on a Cisco router. Maybe I'll try that some other time. Good day mates! :)

BGP Maximum-Prefix

BGP handles over 100,000 routes on the internet and does a very good job of it. I tried the "show ip bgp" command on our internet router with a public AS, and it takes quite a long time to show all the prefixes. I had to hit the space bar a lot of times. You can imagine how much CPU this number of routes takes on the router.

I read an article that, a few months ago, one ISP advertised the whole internet routing table and originated all the routes. A mistake like this will most likely affect routers across the internet, or could take the internet down if no countermeasures are in place. One more thing I can imagine happening is private ip addresses from a customer being advertised out to the internet if the ISP fails to filter them. (I dunno if this has happened before.)

Limiting the number of prefixes received from a BGP neighbor is one of the best ways to make sure such mistakes never affect the whole internet. The best practice is to check the number of prefixes received from a neighbor and then allow a little headroom above that in the limit. R1 in the diagram below is announcing prefixes to R2; let's see what happens when these prefixes reach the limit and what happens when they exceed it.


Let's see how many prefixes R2 learns from R1.


R2#sh ip bgp summary
BGP router identifier 10.10.10.2, local AS number 234
BGP table version is 101, main routing table version 101
100 network entries using 11700 bytes of memory
100 path entries using 5200 bytes of memory
2/1 BGP path/bestpath attribute entries using 248 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 17172 total bytes of memory
BGP activity 100/0 prefixes, 100/0 paths, scan interval 60 secs

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.10.10.1 4 123 13 12 101 0 0 00:06:03 100

It's learning 100 prefixes from R1. Now let's configure BGP so that R2 will only allow 101 routes from R1. The command we will use is "neighbor <neighbor-address> maximum-prefix <number>".


R2(config)#router bgp 234
R2(config-router)#neighbor 10.10.10.1 remote-as 123
R2(config-router)#neighbor 10.10.10.1 maximum-prefix 101

Let's advertise one route into BGP on R1. I will also configure a static route pointing to Null0 to make sure the new route is advertised. I didn't configure any loopback addresses on R1.


R1(config)#router bgp 123
R1(config-router)#network 1.1.1.101 mask 255.255.255.255
R1(config-router)#ip route 1.1.1.101 255.255.255.255 Null0

Let's see how R2 reacted to this configuration.


R2#
*Aug 5 13:08:58.959: %BGP-4-MAXPFX: No. of prefix received from 10.10.10.1 (afi 0) reaches 101, max 101

Oh, it reacted by generating a log message saying that the number of prefixes learned from R1 has reached the maximum. Let's add one more route on R1 and see what happens.


R1(config)#router bgp 123
R1(config-router)#network 1.1.1.102 mask 255.255.255.255
R1(config-router)#ip route 1.1.1.102 255.255.255.255 Null0

Let's check R1 and R2 syslog messages.


R1#
*Aug 5 13:11:16.415: %BGP-3-NOTIFICATION: received from neighbor 10.10.10.2 3/1 (update malformed) 0 bytes
*Aug 5 13:11:16.415: %BGP-5-ADJCHANGE: neighbor 10.10.10.2 Down BGP Notification received

R2#
*Aug 5 13:11:20.199: %BGP-3-MAXPFXEXCEED: No. of prefix received from 10.10.10.1 (afi 0): 102 exceed limit 101
*Aug 5 13:11:20.199: %BGP-5-ADJCHANGE: neighbor 10.10.10.1 Down BGP Notification sent
*Aug 5 13:11:20.199: %BGP-3-NOTIFICATION: sent to neighbor 10.10.10.1 3/1 (update malformed) 0 bytes FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 0035 0200 0000 1940 0101 0040 0204 0201 007B 4003 040A 0A0A 0180 0404 0000 0000 2001 0101 66

This time R2 also generated a notification, including a hexadecimal dump. (I have yet to review what this means. :)) Right then and there, when the limit was exceeded, R2 dropped the peering to R1. Let's see what the BGP summary looks like after the violation.


R2#sh ip bgp sum
BGP router identifier 10.10.10.2, local AS number 234
BGP table version is 203, main routing table version 203

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.10.10.1 4 123 21 19 0 0 0 00:04:26 Idle (PfxCt)

The state is Idle with the description (PfxCt), which means the neighbor exceeded the configured prefix limit. The peering will only come back once the prefix count is below the threshold and "clear ip bgp *" is issued to renegotiate the connection. Again, this command is very useful to protect your own AS from a flood of prefixes, and to protect other ASes as well.
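A decoder for the hex bytes IOS printed after the notification on R2, as an added example that is not part of the original post; the bytes are copied from the log line above. Error code 3, subcode 1 is RFC 4271's UPDATE Message Error / Malformed Attribute List, and the data turns out to be the 53-byte UPDATE for 1.1.1.102/32 from AS 123 that pushed the count to 102.

```python
import ipaddress
import struct

# Bytes copied from the R2 %BGP-3-NOTIFICATION log line above (page data, not constructed).
NOTIFICATION_DATA_HEX = ("FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 0035 0200 0000 1940 0101 0040 "
                         "0204 0201 007B 4003 040A 0A0A 0180 0404 0000 0000 2001 0101 66")

MSG_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}
ATTR_NAMES = {1: "ORIGIN", 2: "AS_PATH", 3: "NEXT_HOP", 4: "MULTI_EXIT_DISC", 5: "LOCAL_PREF"}
ORIGINS = {0: "IGP", 1: "EGP", 2: "INCOMPLETE"}
AS_SEGMENTS = {1: "AS_SET", 2: "AS_SEQUENCE", 3: "AS_CONFED_SEQUENCE", 4: "AS_CONFED_SET"}


def parse_nlri(data):
    """RFC 4271 NLRI: a 1-byte prefix length followed by only as many octets as it needs."""
    prefixes, pos = [], 0
    while pos < len(data):
        plen = data[pos]
        nbytes = (plen + 7) // 8
        octets = data[pos + 1:pos + 1 + nbytes].ljust(4, b"\x00")
        prefixes.append(f"{ipaddress.IPv4Address(octets)}/{plen}")
        pos += 1 + nbytes
    return prefixes


def parse_as_path(value):
    """AS_PATH segments with 2-byte ASNs (the 4-byte attribute holding one AS shows this
    session did not negotiate 4-octet AS numbers)."""
    segments, pos = [], 0
    while pos < len(value):
        seg_type, count = value[pos], value[pos + 1]
        asns = struct.unpack(f"!{count}H", value[pos + 2:pos + 2 + 2 * count])
        segments.append((AS_SEGMENTS.get(seg_type, seg_type), list(asns)))
        pos += 2 + 2 * count
    return segments


def parse_attributes(data):
    """Walk the path attribute TLVs: flags, type code, 1- or 2-byte length, value."""
    attrs, pos = {}, 0
    while pos < len(data):
        flags, code = data[pos], data[pos + 1]
        if flags & 0x10:                      # extended-length flag: 2-byte length
            length = struct.unpack("!H", data[pos + 2:pos + 4])[0]
            pos += 4
        else:
            length = data[pos + 2]
            pos += 3
        value = data[pos:pos + length]
        pos += length
        name = ATTR_NAMES.get(code, f"TYPE_{code}")
        if code == 1:
            attrs[name] = ORIGINS[value[0]]
        elif code == 2:
            attrs[name] = parse_as_path(value)
        elif code == 3:
            attrs[name] = str(ipaddress.IPv4Address(value))
        elif code in (4, 5):
            attrs[name] = struct.unpack("!I", value)[0]
        else:
            attrs[name] = value.hex()
    return attrs


def parse_bgp_message(raw):
    """Parse the 19-byte header and, for an UPDATE, withdrawn routes, path attributes and NLRI."""
    if raw[:16] != b"\xff" * 16:
        raise ValueError("BGP marker is not all ones")
    length, msg_type = struct.unpack("!HB", raw[16:19])
    if length != len(raw):
        raise ValueError(f"length field says {length} bytes, {len(raw)} captured")
    msg = {"type": MSG_TYPES.get(msg_type, msg_type), "length": length}
    if msg_type != 2:
        return msg
    body = raw[19:]
    withdrawn_len = struct.unpack("!H", body[:2])[0]
    attr_start = 2 + withdrawn_len
    attr_len = struct.unpack("!H", body[attr_start:attr_start + 2])[0]
    msg["withdrawn"] = parse_nlri(body[2:attr_start])
    msg["attributes"] = parse_attributes(body[attr_start + 2:attr_start + 2 + attr_len])
    msg["nlri"] = parse_nlri(body[attr_start + 2 + attr_len:])
    return msg


def decode_log_hex(hex_text):
    """Decode the space-separated hex IOS appends to a %BGP-3-NOTIFICATION line."""
    return parse_bgp_message(bytes.fromhex(hex_text.replace(" ", "")))


if __name__ == "__main__":
    print(decode_log_hex(NOTIFICATION_DATA_HEX))
```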

VRF Route Target

An MPLS VPN implementation requires a VRF and also exporting and importing routes for that VRF. I mentioned in my previous posts about VRF that the VRF name is locally significant, and so is the RD number. What counts is what you import and export. Route-target import and export use the same syntax as the RD, ASN:NN, as shown in the example below.


!
ip vrf ALL-VRF
rd 123:4
route-target export 123:4
route-target import 123:1
route-target import 123:2
route-target import 123:3

By definition, the routes you "export" are only the routes you advertise in the VRF address family in BGP. The routes you import are the cumulative routes carrying the same route target that were exported from the other routers participating in the MPLS VPN. Remember that you don't export what you have learned through import. Check the diagram below and the scenario we need to accomplish in this lab.


Scenario Conditions:

1. EMEA should have full ip reachability to APAC and AMERICAS but APAC and AMERICAS should not see each other.
2. RR should see all the routes but will not be seen by the other routers.

I have set everything up and configured MPLS as well. I have configured the clients on the RR in both the ipv4 and vpnv4 address families. The command "show ip bgp vpnv4 all sum" on the RR should show that it is learning prefixes from the clients.

RR#sh ip bgp vpnv4 all sum
BGP router identifier 123.123.123.4, local AS number 123
BGP table version is 13, main routing table version 13
12 network entries using 1644 bytes of memory
12 path entries using 816 bytes of memory
4/3 BGP path/bestpath attribute entries using 496 bytes of memory
3 BGP extended community entries using 72 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 3028 total bytes of memory
BGP activity 12/0 prefixes, 12/0 paths, scan interval 15 secs

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
123.123.123.1 4 123 52 57 13 0 0 00:40:41 2
123.123.123.2 4 123 53 61 13 0 0 00:41:26 2
123.123.123.3 4 123 43 44 13 0 0 00:36:44 2

We can clearly see that it is learning prefixes in the vpnv4 table, but it will not put those routes into a routing table until they have been imported into one of the VRFs. In our case, I have configured vrf ALL-VRF on RR and imported all the route-targets 123:1, 123:2 and 123:3. In a VRF you can export and import as many route-targets as needed. Let's see if RR can see the routes now.

RR

!
ip vrf ALL-VRF
rd 123:4
route-target export 123:4
route-target import 123:1
route-target import 123:2
route-target import 123:3

RR#sh ip route vrf ALL-VRF

Routing Table: ALL-VRF
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

1.0.0.0/32 is subnetted, 1 subnets
B 1.1.1.1 [200/0] via 123.123.123.1, 00:46:26
2.0.0.0/32 is subnetted, 1 subnets
B 2.2.2.2 [200/0] via 123.123.123.2, 00:46:26
33.0.0.0/32 is subnetted, 1 subnets
B 33.33.33.33 [200/0] via 123.123.123.3, 00:46:26
3.0.0.0/32 is subnetted, 1 subnets
B 3.3.3.3 [200/0] via 123.123.123.3, 00:46:26
22.0.0.0/32 is subnetted, 1 subnets
B 22.22.22.22 [200/0] via 123.123.123.2, 00:46:26
11.0.0.0/32 is subnetted, 1 subnets
B 11.11.11.11 [200/0] via 123.123.123.1, 00:46:28
123.0.0.0/32 is subnetted, 1 subnets
C 123.123.123.14 is directly connected, Loopback40

Ok, we have met the first condition. RR is now able to see the routes exported by the RR clients. They won't see the route advertised by RR because the clients are not importing that route-target. Full reachability in MPLS VPN requires that one router's exported route-target be imported by the other and vice versa; otherwise you can only see the route but you won't be able to reach it. The networks should be in the corresponding VRF routing table on both routers.

To illustrate this point, let's configure the second scenario. Below are the VRF configurations on the 3 clients.

APAC#

!
ip vrf APAC
rd 123:1
route-target export 123:1
route-target import 123:3

AMERICAS#

!
ip vrf AMERICAS
rd 123:2
route-target export 123:2
route-target import 123:2

EMEA#

!
ip vrf EMEA
rd 123:3
route-target export 123:3
route-target export 123:2
route-target import 123:1
route-target import 123:2

APAC is exporting route-target 123:1 and importing 123:3, which is exported by EMEA. EMEA, on the other hand, is importing 123:1 and exporting 123:3. There should be full IP reachability between the two. By the way, the route-target value doesn't have to match the RD. Normally, for networks that should see each other in an MPLS VPN, both the export and import route-target values are the same; it gets rid of any unnecessary confusion created by using different RT values. Now take AMERICAS and EMEA into consideration. As you can see in the config above, AMERICAS is importing and exporting 123:2. One command generates both the export and the import, and that is "route-target both 123:2". EMEA is also importing and exporting 123:2, which means they will reach each other. Let's test if we have accomplished the condition: we will show the routing tables in APAC and AMERICAS and ping the networks in EMEA. The ping should be sourced from the loopback interfaces where we configured the VRFs.

APAC#sh ip route vrf APAC

Routing Table: APAC
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

1.0.0.0/32 is subnetted, 1 subnets
C 1.1.1.1 is directly connected, Loopback0
33.0.0.0/32 is subnetted, 1 subnets
B 33.33.33.33 [200/0] via 123.123.123.3, 01:04:51
3.0.0.0/32 is subnetted, 1 subnets
B 3.3.3.3 [200/0] via 123.123.123.3, 01:04:51
11.0.0.0/32 is subnetted, 1 subnets
C 11.11.11.11 is directly connected, Loopback10

APAC#ping vrf APAC 3.3.3.3 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 248/346/436 ms


AMERICAS#sh ip route vrf AMERICAS

Routing Table: AMERICAS
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

2.0.0.0/32 is subnetted, 1 subnets
C 2.2.2.2 is directly connected, Loopback0
33.0.0.0/32 is subnetted, 1 subnets
B 33.33.33.33 [200/0] via 123.123.123.3, 00:56:20
3.0.0.0/32 is subnetted, 1 subnets
B 3.3.3.3 [200/0] via 123.123.123.3, 00:56:20
22.0.0.0/32 is subnetted, 1 subnets
C 22.22.22.22 is directly connected, Loopback10

AMERICAS#ping vrf AMERICAS 3.3.3.3 source lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 184/593/1020 ms


EMEA#sh ip route vrf EMEA

Routing Table: EMEA
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

1.0.0.0/32 is subnetted, 1 subnets
B 1.1.1.1 [200/0] via 123.123.123.1, 00:00:00
2.0.0.0/32 is subnetted, 1 subnets
B 2.2.2.2 [200/0] via 123.123.123.2, 01:07:06
33.0.0.0/32 is subnetted, 1 subnets
C 33.33.33.33 is directly connected, Loopback10
3.0.0.0/32 is subnetted, 1 subnets
C 3.3.3.3 is directly connected, Loopback0
22.0.0.0/32 is subnetted, 1 subnets
B 22.22.22.22 [200/0] via 123.123.123.2, 01:07:06
11.0.0.0/32 is subnetted, 1 subnets
B 11.11.11.11 [200/0] via 123.123.123.1, 00:00:03

It will take a while to get used to VRF route-targets if you are just learning them, but this should be pretty easy. Remember, you can't reach a network that you have imported unless that network's router also imported your network. In an MPLS VRF, entries in your VRF routing table don't assure reachability; the router in the destination network should also have your network in its VRF routing table. Ok, we are done! :)
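To make the import/export rule from the paragraphs above concrete, here is a small added model (example code, not part of the original post) that replays the lab's route-target configuration: it computes what each VRF table contains and whether a ping between two VRFs can succeed. Router names, loopbacks and RT values are taken from the post; the RR's connected loopback 123.123.123.14/32 is treated as a prefix exported with RT 123:4, which is an assumption.

```python
# Added example: model of VRF route-target export/import (not from the post).
# A VRF table entry alone does not give reachability; the far end must also
# have imported our prefix, because the echo-reply needs a route back.
from typing import Dict, Set, Tuple

# Per-VRF config as (export RTs, import RTs), copied from the post's configs.
VRFS: Dict[str, Tuple[Set[str], Set[str]]] = {
    "APAC":     ({"123:1"},          {"123:3"}),
    "AMERICAS": ({"123:2"},          {"123:2"}),
    "EMEA":     ({"123:3", "123:2"}, {"123:1", "123:2"}),
    "RR":       ({"123:4"},          {"123:1", "123:2", "123:3"}),
}

# Locally connected prefixes in each VRF (the loopbacks from the post).
LOCAL: Dict[str, Set[str]] = {
    "APAC":     {"1.1.1.1/32", "11.11.11.11/32"},
    "AMERICAS": {"2.2.2.2/32", "22.22.22.22/32"},
    "EMEA":     {"3.3.3.3/32", "33.33.33.33/32"},
    "RR":       {"123.123.123.14/32"},   # assumed to be exported with 123:4
}


def vpnv4_table() -> Dict[str, Tuple[str, Set[str]]]:
    """VPNv4 view: each exported prefix tagged with its exporter's RTs.
    Only locally connected routes are exported, never imported ones."""
    table: Dict[str, Tuple[str, Set[str]]] = {}
    for name, (exports, _imports) in VRFS.items():
        for prefix in LOCAL[name]:
            table[prefix] = (name, set(exports))
    return table


def vrf_routes(name: str) -> Dict[str, str]:
    """Routes installed in VRF `name`: its own prefixes plus every VPNv4
    prefix carrying at least one RT that this VRF imports."""
    _exports, imports = VRFS[name]
    routes = {p: "connected" for p in LOCAL[name]}
    for prefix, (origin, rts) in vpnv4_table().items():
        if origin != name and rts & imports:   # any matching RT imports it
            routes[prefix] = f"via {origin}"
    return routes


def reachable(src: str, dst: str) -> bool:
    """A ping from src to dst's loopback works only if both sides hold the
    other's prefix: one-way import shows the route but cannot reach it."""
    forward = any(p in vrf_routes(src) for p in LOCAL[dst])
    back = any(p in vrf_routes(dst) for p in LOCAL[src])
    return forward and back
```

Running it reproduces the lab: RR holds every client prefix yet cannot reach any client, APAC and AMERICAS both reach EMEA, and APAC and AMERICAS never see each other.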

Improving the Pages

I spent this whole Sunday on improving the pages. For a long time, I have been looking to put the routers' show command output in a textbox so the alignment will be correct, but sadly textarea sucks in Blogger. I happened to run across a CSS code somewhere and I applied it to my page. To my surprise, it worked fine and I am now able to put the show commands and configurations in these boxes without any problem or any weird text coming out. Now, I am looking for Visio stencils/symbols I can use for my drawings because I find my drawings really sucky! :) If someone happens to have a pretty neat collection of Visio symbols, kindly let me know where to get it. Some modern and funky styles will do! Ok, now I'll resume putting the show commands in textboxes on my previous posts. Good day!

The Dreamer

A fun loving person who enjoys learning new things. Currently working as a Network Engineer supporting the global network of a Fortune 500 company. This blog serves as my notes for the labs I created for my CCIE journey. I can guarantee there are errors in my posts. If you spot them, please let me know.