I read an article that a few months ago one ISP advertised the whole Internet routing table and originated all of the routes itself. A mistake like that will most likely affect routers across the Internet, or could take the Internet down if no countermeasures are in place. Another thing I can imagine happening is a customer's private IP addresses being advertised out to the Internet if the ISP fails to filter private address space (I don't know if this has happened before).
Limiting the number of prefixes accepted from a BGP neighbor is one of the best ways to make sure mistakes like these never affect the whole Internet. The best practice is to check the number of prefixes currently received from a neighbor and then set the limit with a little allowance above that number. R1 on the diagram below is announcing prefixes to R2; let's see what happens when these prefixes reach the limit and what happens when they exceed it.
Let's see how many prefixes R2 learns from R1.
R2#sh ip bgp summary
BGP router identifier 10.10.10.2, local AS number 234
BGP table version is 101, main routing table version 101
100 network entries using 11700 bytes of memory
100 path entries using 5200 bytes of memory
2/1 BGP path/bestpath attribute entries using 248 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 17172 total bytes of memory
BGP activity 100/0 prefixes, 100/0 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.10.10.1 4 123 13 12 101 0 0 00:06:03 100
It's learning 100 prefixes from R1. Now let's configure BGP so that R2 will only allow 101 routes from R1. The command we will use is "neighbor 10.10.10.1 maximum-prefix 101", entered under the BGP process:
R2(config)#router bgp 234
R2(config-router)#neighbor 10.10.10.1 remote-as 123
R2(config-router)#neighbor 10.10.10.1 maximum-prefix 101
Let's advertise one more route from R1 into BGP. I will also configure a static route pointing to Null0, because a network statement only advertises a prefix that is actually present in the routing table; this makes sure the new route gets advertised. I didn't configure any loopback addresses on R1.
R1(config)#router bgp 123
R1(config-router)#network 1.1.1.101 mask 255.255.255.255
R1(config-router)#ip route 1.1.1.101 255.255.255.255 Null0
Let's see how R2 reacted to this configuration.
R2#
*Aug 5 13:08:58.959: %BGP-4-MAXPFX: No. of prefix received from 10.10.10.1 (afi 0) reaches 101, max 101
Oh, it reacted by generating a log message saying that the number of prefixes learned from R1 has reached the configured maximum (101). Note that the session is still up at this point; reaching the limit only warns. Let's add one more route on R1 and see what happens.
R1(config)#router bgp 123
R1(config-router)#network 1.1.1.102 mask 255.255.255.255
R1(config-router)#ip route 1.1.1.102 255.255.255.255 Null0
Let's check the syslog messages on R1 and R2.
R1#
*Aug 5 13:11:16.415: %BGP-3-NOTIFICATION: received from neighbor 10.10.10.2 3/1 (update malformed) 0 bytes
*Aug 5 13:11:16.415: %BGP-5-ADJCHANGE: neighbor 10.10.10.2 Down BGP Notification received
R2#
*Aug 5 13:11:20.199: %BGP-3-MAXPFXEXCEED: No. of prefix received from 10.10.10.1 (afi 0): 102 exceed limit 101
*Aug 5 13:11:20.199: %BGP-5-ADJCHANGE: neighbor 10.10.10.1 Down BGP Notification sent
*Aug 5 13:11:20.199: %BGP-3-NOTIFICATION: sent to neighbor 10.10.10.1 3/1 (update malformed) 0 bytes FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 0035 0200 0000 1940 0101 0040 0204 0201 007B 4003 040A 0A0A 0180 0404 0000 0000 2001 0101 66
This time R2 not only logged the exceed condition but also sent a NOTIFICATION to R1 and logged a hex dump alongside it (I have yet to review what this means :)). Right then and there, when the limit was exceeded, R2 dropped the peering to R1. Let's see what the BGP table summary looks like after the violation.
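The hex after the NOTIFICATION line is the last message R2 received on the session: a raw BGP UPDATE in RFC 4271 framing, with the octets simply grouped two at a time. The decoder below is an added example, not code from the original post; it parses that exact dump and shows that the message carried a single NLRI, 1.1.1.102/32, originated by AS 123 with next hop 10.10.10.1, i.e. the 102nd prefix that tipped the count over the limit. It assumes 2-byte AS numbers in AS_PATH (no 4-byte-AS capability on the session), which is what this dump contains.

```python
import struct

# Hex dump copied from R2's %BGP-3-NOTIFICATION log line in this post.
R2_LOGGED_DUMP = (
    "FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 0035 0200 0000 1940 0101 "
    "0040 0204 0201 007B 4003 040A 0A0A 0180 0404 0000 0000 2001 0101 66"
)

BGP_MARKER = b"\xff" * 16
MSG_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}
ATTR_NAMES = {1: "ORIGIN", 2: "AS_PATH", 3: "NEXT_HOP", 4: "MULTI_EXIT_DISC", 5: "LOCAL_PREF"}
ORIGIN_NAMES = {0: "IGP", 1: "EGP", 2: "INCOMPLETE"}


def decode_prefixes(data):
    """RFC 4271 prefix encoding: one length-in-bits octet, then just enough prefix octets."""
    prefixes, i = [], 0
    while i < len(data):
        bits = data[i]
        nbytes = (bits + 7) // 8
        octets = data[i + 1:i + 1 + nbytes] + b"\x00" * (4 - nbytes)
        prefixes.append("%d.%d.%d.%d/%d" % (octets[0], octets[1], octets[2], octets[3], bits))
        i += 1 + nbytes
    return prefixes


def decode_as_path(value):
    """AS_PATH segments <type><count><ASN...>; 2-byte ASNs assumed (no 4-byte-AS capability)."""
    segments, j = [], 0
    while j < len(value):
        seg_type, count = value[j], value[j + 1]
        asns = struct.unpack("!%dH" % count, value[j + 2:j + 2 + 2 * count])
        segments.append(("AS_SEQUENCE" if seg_type == 2 else "AS_SET", list(asns)))
        j += 2 + 2 * count
    return segments


def decode_attributes(data):
    """Path attributes: <flags><type code><length (1 or 2 octets)><value>."""
    attrs, i = {}, 0
    while i < len(data):
        flags, code = data[i], data[i + 1]
        if flags & 0x10:  # Extended Length flag: 2-octet length field
            length = struct.unpack("!H", data[i + 2:i + 4])[0]
            i += 4
        else:
            length = data[i + 2]
            i += 3
        value = data[i:i + length]
        i += length
        name = ATTR_NAMES.get(code, "ATTR_%d" % code)
        if code == 1:
            attrs[name] = ORIGIN_NAMES.get(value[0], value[0])
        elif code == 2:
            attrs[name] = decode_as_path(value)
        elif code == 3:
            attrs[name] = "%d.%d.%d.%d" % tuple(value)
        elif code in (4, 5):
            attrs[name] = struct.unpack("!I", value)[0]
        else:
            attrs[name] = value.hex()
    return attrs


def decode_bgp_update(hexdump):
    """Parse a hex-dumped BGP UPDATE into header fields, withdrawn routes, attributes and NLRI."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    if raw[:16] != BGP_MARKER:
        raise ValueError("missing 16-octet all-ones marker")
    length, msg_type = struct.unpack("!HB", raw[16:19])
    if length != len(raw):
        raise ValueError("header says %d octets, dump has %d" % (length, len(raw)))
    if msg_type != 2:
        raise ValueError("not an UPDATE but %s" % MSG_TYPES.get(msg_type, msg_type))
    body = raw[19:]
    wlen = struct.unpack("!H", body[0:2])[0]
    withdrawn = decode_prefixes(body[2:2 + wlen])
    alen = struct.unpack("!H", body[2 + wlen:4 + wlen])[0]
    attrs = decode_attributes(body[4 + wlen:4 + wlen + alen])
    nlri = decode_prefixes(body[4 + wlen + alen:])
    return {"type": MSG_TYPES[msg_type], "length": length,
            "withdrawn": withdrawn, "attributes": attrs, "nlri": nlri}


if __name__ == "__main__":
    for key, val in decode_bgp_update(R2_LOGGED_DUMP).items():
        print("%-11s %s" % (key, val))
```

Running it prints length 53, no withdrawn routes, ORIGIN IGP, AS_PATH [("AS_SEQUENCE", [123])], NEXT_HOP 10.10.10.1, MED 0 and NLRI ["1.1.1.102/32"]. The NOTIFICATION code 3/1 in the log is "UPDATE Message Error / Malformed Attribute List"; the UPDATE itself is well-formed, so the code says nothing about the message, only that R2 refused it because of the prefix count.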
R2#sh ip bgp sum
BGP router identifier 10.10.10.2, local AS number 234
BGP table version is 203, main routing table version 203
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.10.10.1 4 123 21 19 0 0 0 00:04:26 Idle (PfxCt)
The state is Idle with the description (PfxCt), which means the neighbor exceeded the configured prefix limit. The session does not come back on its own (unless the "restart" option of maximum-prefix is configured): the neighbor has to advertise fewer prefixes than the limit, or the limit has to be raised, and then the session must be reset with "clear ip bgp 10.10.10.1" (or "clear ip bgp *", which resets every session) to renegotiate; otherwise it will simply be torn down again as soon as the count exceeds the limit. Again, this command is very useful to protect your own AS from being flooded with prefixes, and it protects other ASes as well. Keep in mind that it only bounds the number of prefixes: a leaked private or otherwise bogus prefix that stays under the count still needs a prefix-list filter on the session.
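As an added example (not code from the original post), here is a small Python monitor that turns the two artifacts shown above, the %BGP-4-MAXPFX / %BGP-3-MAXPFXEXCEED syslog lines and the neighbor rows of "show ip bgp summary", into alerts with a percent-of-limit figure, flags peers sitting in Idle (PfxCt), and derives a limit with a fixed headroom above the observed PfxRcd count (the "little allowance" recommended above). The regexes and the 20% default headroom are my own choices, not anything Cisco ships; the sample inputs are constructed from the outputs reproduced in this post.

```python
import math
import re

# Regexes written for this example against the IOS syslog wording shown in the post.
MAXPFX_RE = re.compile(
    r"%BGP-4-MAXPFX: No\. of prefix received from (?P<nbr>\S+) \(afi \d+\) "
    r"reaches (?P<count>\d+), max (?P<limit>\d+)")
EXCEED_RE = re.compile(
    r"%BGP-3-MAXPFXEXCEED: No\. of prefix received from (?P<nbr>\S+) \(afi \d+\): "
    r"(?P<count>\d+) exceed limit (?P<limit>\d+)")
# One neighbor row of "show ip bgp summary":
#   Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
SUMMARY_ROW_RE = re.compile(
    r"^(?P<nbr>\d+\.\d+\.\d+\.\d+)\s+4\s+(?P<asn>\d+)(?:\s+\d+){5}\s+\S+\s+(?P<tail>.+?)\s*$")

# Constructed sample input, copied from the outputs shown in the post.
SUMMARY_BEFORE = """\
BGP router identifier 10.10.10.2, local AS number 234
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.10.10.1 4 123 13 12 101 0 0 00:06:03 100
"""
SUMMARY_AFTER = """\
BGP router identifier 10.10.10.2, local AS number 234
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.10.10.1 4 123 21 19 0 0 0 00:04:26 Idle (PfxCt)
"""
SYSLOG = [
    "*Aug 5 13:08:58.959: %BGP-4-MAXPFX: No. of prefix received from 10.10.10.1 (afi 0) reaches 101, max 101",
    "*Aug 5 13:11:20.199: %BGP-3-MAXPFXEXCEED: No. of prefix received from 10.10.10.1 (afi 0): 102 exceed limit 101",
    "*Aug 5 13:11:20.199: %BGP-5-ADJCHANGE: neighbor 10.10.10.1 Down BGP Notification sent",
]


def recommend_limit(observed, headroom_pct=20):
    """maximum-prefix value with a safety margin over today's PfxRcd count (rounded up)."""
    return math.ceil(observed * (100 + headroom_pct) / 100)


def parse_summary(text):
    """Map neighbor -> {'asn', 'prefixes', 'state'}; prefixes is None unless Established."""
    peers = {}
    for line in text.splitlines():
        m = SUMMARY_ROW_RE.match(line.strip())
        if not m:
            continue
        tail = m.group("tail")
        established = tail.isdigit()  # Established sessions show the prefix count here
        peers[m.group("nbr")] = {
            "asn": int(m.group("asn")),
            "prefixes": int(tail) if established else None,
            "state": "Established" if established else tail,
        }
    return peers


def peers_shut_by_prefix_limit(peers):
    """Neighbors whose session was torn down by maximum-prefix: state 'Idle (PfxCt)'."""
    return sorted(n for n, p in peers.items() if "(PfxCt)" in p["state"])


def prefix_limit_alerts(lines):
    """Turn MAXPFX (warning) and MAXPFXEXCEED (critical) syslog lines into alert dicts."""
    alerts = []
    for line in lines:
        for regex, severity in ((MAXPFX_RE, "warning"), (EXCEED_RE, "critical")):
            m = regex.search(line)
            if m:
                count, limit = int(m.group("count")), int(m.group("limit"))
                alerts.append({
                    "neighbor": m.group("nbr"), "severity": severity,
                    "count": count, "limit": limit,
                    "pct_of_limit": round(100.0 * count / limit, 1),
                })
                break
    return alerts


if __name__ == "__main__":
    before = parse_summary(SUMMARY_BEFORE)["10.10.10.1"]["prefixes"]
    print("R1 sends %d prefixes; suggested limit with 20%% headroom: %d" % (before, recommend_limit(before)))
    for alert in prefix_limit_alerts(SYSLOG):
        print(alert)
    print("peers shut by maximum-prefix:", peers_shut_by_prefix_limit(parse_summary(SUMMARY_AFTER)))
```

The MAXPFX line is the one to page on: it is the last warning before the session is torn down, and with a sensible headroom a neighbor hitting the threshold usually means a leak on their side rather than organic growth.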
It is not necessary for the MAX prefix notification to appear only when it reaches the MAX of its configured value!!
For example:
June 12 16:14:34: %BGP-4-MAXPFX: No. of prefix received from 195.229.0.52 (afi 0) reaches 100324, max 200000
is a message shown on my IBR router, just when the peer keeps advertising prefixes continually!!!
Where:
neighbor X.Y.Z.W maximum-prefix 200000 warning-only
By default it will generate a syslog message when it's at 75% of the limit set. You can also set a threshold if you want to be alerted of an impending issue. I intended it to be 75%, so I didn't need to put any value in there.
This text saved me today! (PfxCt) helped me find you!
Thank you for the info. It sounds pretty user friendly. I guess I'll pick one up for fun. Thank you.
Cisco Dubai