|
|
Changes introduced in the 2.0 version
BGP is the routing protocal that drives the Internet. Proper configuration of BGP is critical, as mistakes in BGP can result in disaster for both local and remote networks. Further, without a few additional steps to increase the security and defense of BGP, it is possible for miscreants to cause havoc with the BGP and, by extension, routing tables.
This document includes a template configuration for BGP. As with all such templates, this one must be modified to fit the specific requirements of the local network(s). It is not wise to simply cut and paste without a thorough understanding of each command. Comments are included with each command. A more thorough understanding of BGP can be obtained from:
o Internet Routing Architectures, by Bassam Halabi, published
by Cisco Press.
o BGP4, by John W. Stewart III, published by Addison-Wesley.
As an aside, debugging BGP issues can be difficult without an external view. To see how the rest of the Internet views my prefix announcements, I use the route servers. Simply telnet to these route servers and issue commands such as sh ip bgp NETBLOCK or sh ip route NETBLOCK. Here is a partial list:
My thanks to the following folks for providing input and suggestions!
Feedback is both welcome and encouraged! This document is a work-in-progress as changes to the Cisco IOS, BGP, or corrections to this document appear. Please send any questions along to robt@cymru.com.
The actual commands are in BOLD text so that they stand out from the comment blocks.
! Our ASN is 111
router bgp 111
!
! Don't wait for the IGP to catch up.
no synchronization
!
! Be a little more forgiving of an occasional missed keepalive.
no bgp fast-external-fallover
!
! Track and punt, via syslog, all interesting observations about our
! neighbors.
bgp log-neighbor-changes
!
! Enable our dampening parameters. See the route map and prefix-lists
! below.
bgp dampening route-map graded-flap-dampening
!
! Announce our netblock(s) in a manner that does not increase CPU
! utilization. Redistributing from an IGP is dangerous as it increases
! the likelihood of flapping and instability. Redistributing static is
! more stable, but requires the CPU to peruse the routing table at a set
! interval to capture any changes. The network statement, combined with
! a null route, is the least expensive (in terms of CPU utilization) and
! most reliable (in terms of stability) option.
network 1.88.0.0 mask 255.255.224.0
!
! Our first neighbor, 10.10.5.1, is an eBGP peer with the ASN of 333.
neighbor 10.10.5.1 remote-as 333
!
! Set for soft reconfiguration, thus preventing a complete withdrawal
! of all announced prefixes when clear ip bgp x.x.x.x is typed.
neighbor 10.10.5.1 soft-reconfiguration inbound
!
! Type in a description for future reference. Not everyone memorizes
! ASNs. :-)
neighbor 10.10.5.1 description eBGP with ISP333
!
! Set up a password for authentication.
neighbor 10.10.5.1 password bgpwith333
!
! Hard-set for version 4. Disabled BGP version negotiation, thus
! bringing the peering session on-line more quickly.
neighbor 10.10.5.1 version 4
!
! Block any inbound announcments that include bogon networks. A prefix
! list is used because it is:
! 1) Easier on the CPU than ACLs, and
! 2) Easier to modify.
! See the actual bogons prefix-list below.
neighbor 10.10.5.1 prefix-list bogons in
!
! Announce only those networks we specifically list. This also prevents
! the network from becoming a transit provider. An added bit of protection
! and good netizenship. See the announce prefix-list below.
neighbor 10.10.5.1 prefix-list announce out
!
! Prevent a mistake or mishap by our peer (or someone with whom our peer
! has a peering agreement) from causing router meltdown by filling the
! routing and BGP tables. This is a hard limit. At 75% of this limit,
! the IOS will issue log messages warning that the neighbor is approaching
! the limit. All log messages should be sent to a remote syslog host.
! The warning water mark can be modified by placing a value after the
! maximum prefix value, e.g. maximum-prefix 125000 50. This will set the
! IOS to issue warning messages when the neighbor reaches 50% of the limit.
neighbor 10.10.5.1 maximum-prefix 125000
!
! Our next neighbor is 10.10.10.1, an eBGP peer with the ASN of 222.
neighbor 10.10.10.1 remote-as 222
neighbor 10.10.10.1 soft-reconfiguration inbound
neighbor 10.10.10.1 description eBGP with ISP222
neighbor 10.10.10.1 password bgpwith222
neighbor 10.10.10.1 version 4
neighbor 10.10.10.1 prefix-list bogons in
neighbor 10.10.10.1 prefix-list announce out
neighbor 10.10.10.1 maximum-prefix 125000
!
! This is our iBGP peer, 172.17.70.2.
neighbor 172.17.70.2 remote-as 111
!
neighbor 172.17.70.2 soft-reconfiguration inbound
!
! Again, a handy description.
neighbor 172.17.70.2 description iBGP with our other router
!
neighbor 172.17.70.2 password bgpwith111
! Use the loopback interface for iBGP announcements. This increases the
! stability of iBGP.
neighbor 172.17.70.2 update-source Loopback0
neighbor 172.17.70.2 version 4
neighbor 172.17.70.2 next-hop-self
neighbor 172.17.70.2 prefix-list bogons in
neighbor 172.17.70.2 maximum-prefix 125000
!
! Do not automatically summarize our announcements.
no auto-summary
! If we have multiple links on the same router to the same AS, we like to
! put them to good use. Load balance, per destination, with maximum-paths.
! The limit is six. For our example, we will assume two equal size pipes
! to the same AS.
maximum-paths 2
!
! Now add our null route and the loopback/iBGP route. Remember to add
! more specific non-null routes so that the packets travel to their
! intended destination!
ip route 1.88.0.0 255.255.224.0 Null0
ip route 1.88.50.0 255.255.255.0 192.168.50.5
ip route 1.88.55.0 255.255.255.0 192.168.50.8
ip route 1.88.75.128 255.255.255.128 192.168.50.10
ip route 172.17.70.2 255.255.255.255 192.168.50.2
!
! We protect TCP port 179 (BGP port) from miscreants by limiting
! access. Allow our peers to connect and log all other attempts.
! Remember to apply this ACL to the interfaces of the router or
! add it to existing ACLs.
access-list 185 permit tcp host 10.10.5.1 host 172.17.70.1 eq 179
access-list 185 permit tcp host 10.10.10.1 host 172.17.70.1 eq 179
access-list 185 permit tcp host 172.17.70.2 host 172.17.70.1 eq 179
access-list 185 deny tcp any any eq 179 log-input
!
! The announce prefix list prevents us from announcing anything beyond
! our aggregated netblock(s).
ip prefix-list announce description Our allowed routing announcements
ip prefix-list announce seq 5 permit 1.88.0.0/19
ip prefix-list announce seq 10 deny 0.0.0.0/0 le 32
!
! The bogons prefix list prevents the acceptance of obviously bogus
! routing updates. This can be modified to fit local requirements.
ip prefix-list bogons description Bogon networks we won't accept.
ip prefix-list bogons seq 5 deny 0.0.0.0/8 le 32
ip prefix-list bogons seq 10 deny 1.0.0.0/8 le 32
ip prefix-list bogons seq 15 deny 2.0.0.0/8 le 32
ip prefix-list bogons seq 20 deny 10.0.0.0/8 le 32
ip prefix-list bogons seq 25 deny 23.0.0.0/8 le 32
ip prefix-list bogons seq 30 deny 31.0.0.0/8 le 32
ip prefix-list bogons seq 35 deny 67.0.0.0/8 le 32
ip prefix-list bogons seq 40 deny 68.0.0.0/6 le 32
ip prefix-list bogons seq 45 deny 72.0.0.0/6 le 32
ip prefix-list bogons seq 50 deny 76.0.0.0/6 le 32
ip prefix-list bogons seq 55 deny 80.0.0.0/6 le 32
ip prefix-list bogons seq 60 deny 84.0.0.0/6 le 32
ip prefix-list bogons seq 65 deny 88.0.0.0/6 le 32
ip prefix-list bogons seq 70 deny 92.0.0.0/6 le 32
ip prefix-list bogons seq 75 deny 96.0.0.0/6 le 32
ip prefix-list bogons seq 80 deny 100.0.0.0/6 le 32
ip prefix-list bogons seq 85 deny 104.0.0.0/6 le 32
ip prefix-list bogons seq 90 deny 108.0.0.0/6 le 32
ip prefix-list bogons seq 95 deny 112.0.0.0/6 le 32
ip prefix-list bogons seq 100 deny 116.0.0.0/6 le 32
ip prefix-list bogons seq 105 deny 120.0.0.0/6 le 32
ip prefix-list bogons seq 110 deny 124.0.0.0/7 le 32
ip prefix-list bogons seq 115 deny 126.0.0.0/8 le 32
ip prefix-list bogons seq 120 deny 127.0.0.0/8 le 32
ip prefix-list bogons seq 125 deny 169.254.0.0/16 le 32
ip prefix-list bogons seq 130 deny 172.16.0.0/12 le 32
ip prefix-list bogons seq 135 deny 192.0.2.0/24 le 32
ip prefix-list bogons seq 140 deny 192.168.0.0/16 le 32
ip prefix-list bogons seq 145 deny 198.18.0.0/16 le 32
ip prefix-list bogons seq 150 deny 201.0.0.0/8 le 32
ip prefix-list bogons seq 155 deny 223.255.255.0/24 le 32
ip prefix-list bogons seq 160 deny 224.0.0.0/3 le 32
! Allow all prefixes up to /27. Your mileage may vary,
! so adjust this to fit your specific requirements.
ip prefix-list bogons seq 170 permit 0.0.0.0/0 le 27
!
! Now we configure our prefix lists for our dampening requirements.
! These are configured along the lines of the recommendations made
! by RIPE. The goal is to minimalize the effect of dampening on
! the shorter and historically more stable prefixes as well as the
! netblocks that contain DNS root servers. The longer prefixes
! are dampened for longer periods of time, as these have been the
! the source of a greater percentage of the instability in the
! global routing table.
! Note that a longer prefix equates to a less-aggregated and smaller
! netblock.
!
! The damplongprefixes list is for prefixes of /24 and longer.
ip prefix-list damplongprefixes description Prefixes of /24 and longer.
ip prefix-list damplongprefixes seq 5 permit 0.0.0.0/0 ge 24
!
! The dampmediumprefixes list is for prefixes of /22 and /23.
ip prefix-list dampmediumprefixes description Prefixes of /22 and /23.
ip prefix-list dampmediumprefixes seq 5 permit 0.0.0.0/0 ge 22 le 23
!
! The dampshortprefixes list is for prefixes of /21 and shorter.
ip prefix-list dampshortprefixes description Prefixes of /21 and shorter.
ip prefix-list dampshortprefixes seq 5 permit 0.0.0.0/0 le 21
!
! The rootservers prefix list is to prevent dampening of
! the root DNS server netblocks.
ip prefix-list rootservers description DNS root server netblocks.
ip prefix-list rootservers seq 5 permit 198.41.0.0/24
ip prefix-list rootservers seq 10 permit 128.9.0.0/16
ip prefix-list rootservers seq 15 permit 192.33.4.0/24
ip prefix-list rootservers seq 20 permit 128.8.0.0/16
ip prefix-list rootservers seq 25 permit 192.203.230.0/24
ip prefix-list rootservers seq 30 permit 192.5.4.0/23
ip prefix-list rootservers seq 35 permit 192.112.36.0/24
ip prefix-list rootservers seq 40 permit 128.63.0.0/16
ip prefix-list rootservers seq 45 permit 192.36.148.0/24
ip prefix-list rootservers seq 50 permit 193.0.14.0/24
ip prefix-list rootservers seq 55 permit 198.32.64.0/24
ip prefix-list rootservers seq 60 permit 202.12.27.0/24
!
! We apply our dampening prefix-lists with our route-map entries.
! Don't dampen the rootservers prefix-list.
route-map graded-flap-dampening deny 10
match ip address prefix-list rootservers
! Dampen the /24 and greater prefixes for a maximum of 60 minutes.
route-map graded-flap-dampening permit 20
match ip address prefix-list damplongprefixes
set dampening 30 750 3000 60
! Dampen the /22 to /23 prefixes for a maximum of 45 minutes.
route-map graded-flap-dampening permit 30
match ip address prefix-list dampmediumprefixes
set dampening 15 750 3000 45
! Dampen the /21 and shorter prefixes for a maximum of 30 minutes.
route-map graded-flap-dampening permit 40
match ip address prefix-list dampshortprefixes
set dampening 10 1500 3000 30
!
! END