BGP Cheat Sheet
===============

Cheat Sheet for the OSPF+iBGP+eBGP exercise.


iBGP example
------------

Note the use of peer-groups to simplify the iBGP configuration, as per the
presentation prior to the OSPF+iBGP+eBGP lab exercise.

!
no logging console                             ! switch off annoying console messages
logging buffered 4096 debugging                ! log messages go to memory buffer
!
interface loopback 0
 description All routers need a Loopback interface
 ip address 196.200.220.1 255.255.255.255
!
interface serial 0/0
 description Link to Router 2
 ip address 196.200.220.193 255.255.255.252
 ip ospf message-digest-key 1 md5 OSPF-KEY     ! needed for area 0 message-digest authentication (OSPF-KEY is a placeholder)
!
interface serial 0/1
 description Link to Router 3
 ip address 196.200.220.197 255.255.255.252
 ip ospf message-digest-key 1 md5 OSPF-KEY     ! same key on every link in area 0
!
interface ethernet 0/0
 description PC LAN for Router 1
 ip address 196.200.220.17 255.255.255.240
!
router ospf 1
 area 0 authentication message-digest
 log-adjacency-changes
 passive-interface loopback 0
 passive-interface ethernet 0/0
 no passive-interface serial 0/0
 no passive-interface serial 0/1
 network 196.200.220.1 0.0.0.0 area 0          ! loopback 0
 network 196.200.220.16 0.0.0.15 area 0        ! PC LAN on ethernet 0/0 (passive)
 network 196.200.220.192 0.0.0.3 area 0        ! serial 0/0, link to Router 2
 network 196.200.220.196 0.0.0.3 area 0        ! serial 0/1, link to Router 3
!
ip bgp-community new-format                    ! use RFC 1998 (AS:nn) community format
!
router bgp 42                                  ! 42 is our AS number
 log-neighbor-changes                          ! log neighbour changes
 no synchronization                            ! switch off IGP synchronisation
 no auto-summary                               ! switch off auto-summarisation
 bgp dampening                                 ! enable BGP flap damping
 network 196.200.220.0 mask 255.255.255.0      ! our /24 address block in BGP
 network 196.200.220.16 mask 255.255.255.240   ! PC LAN address block in BGP
 ! set up iBGP peer-groups
 neighbor ibgp-peers peer-group                ! give it a name
 neighbor ibgp-peers remote-as 42              ! this is our AS => so iBGP
 neighbor ibgp-peers version 4                 ! hardwire to version 4 - safe
 neighbor ibgp-peers password IBGP-PASSWORD    ! password on iBGP session (IBGP-PASSWORD is a placeholder)
 neighbor ibgp-peers update-source loopback 0  ! iBGP runs between loopbacks
 neighbor ibgp-peers send-community            ! always send communities for iBGP
 neighbor ibgp-peers next-hop-self             ! change external nexthops to local
 neighbor ibgp-peers description iBGP peer group   ! documentation
 ! and now configure each peer...
 neighbor 196.200.220.2 peer-group ibgp-peers  ! first iBGP peer
 neighbor 196.200.220.3 peer-group ibgp-peers  ! second iBGP peer
 neighbor 196.200.220.4 peer-group ibgp-peers  ! third iBGP peer
 ! ...and the other iBGP peers go here
!
ip route 196.200.220.0 255.255.255.0 null0 250      ! for BGP network statement
ip route 196.200.220.16 255.255.255.240 null0 250   ! static route to null0 just in case eth0/0 goes down
!


eBGP with peer (Example 1)
--------------------------

Example 1: Private peering, using prefix-lists

This example builds on the previous example by adding an eBGP peer. It uses
prefix-lists to filter what you send to your peer, and what your peer sends to
you. This is very safe, as every network has to be explicitly configured into
the prefix-list; when your peer announces a new network, or you announce a new
network, the prefix-lists have to be updated.

router bgp 42
 log-neighbor-changes
 no synchronization
 no auto-summary
 network 196.200.220.0 mask 255.255.255.0
 network 196.200.220.16 mask 255.255.255.240
 ! set up iBGP peer-groups
 neighbor ibgp-peers peer-group                ! give it a name
 neighbor ibgp-peers remote-as 42              ! this is our AS => so iBGP
 neighbor ibgp-peers version 4                 ! hardwire to version 4 - safe
 neighbor ibgp-peers password IBGP-PASSWORD    ! password on iBGP session (IBGP-PASSWORD is a placeholder)
 neighbor ibgp-peers update-source loopback 0  ! iBGP runs between loopbacks
 neighbor ibgp-peers send-community            ! always send communities for iBGP
 neighbor ibgp-peers next-hop-self             ! change external nexthops to local
 neighbor ibgp-peers description iBGP peer group   ! documentation
 ! and now configure each peer...
 neighbor 196.200.220.2 peer-group ibgp-peers  ! first iBGP peer
 neighbor 196.200.220.3 peer-group ibgp-peers  ! second iBGP peer
 neighbor 196.200.220.4 peer-group ibgp-peers  ! third iBGP peer
 ! ...and the other iBGP peers go here
 ! eBGP neighbour
 neighbor 196.200.220.254 remote-as 200                  ! Peer ISP's AS Number
 neighbor 196.200.220.254 version 4                      ! Hardwire for safety
 neighbor 196.200.220.254 password EBGP-PASSWORD         ! password on eBGP session (EBGP-PASSWORD is a placeholder)
 neighbor 196.200.220.254 description eBGP with Peer     ! Description line
 neighbor 196.200.220.254 prefix-list to-AS200 out       ! Filter outbound prefixes
 neighbor 196.200.220.254 prefix-list from-AS200 in      ! Filter inbound prefixes
!
ip route 196.200.220.0 255.255.255.0 null0 250
ip route 196.200.220.16 255.255.255.240 null0 250
!
! allow my networks out only - stops me from providing unintentional transit
! NOTE - only send aggregates, not subprefixes
!
ip prefix-list to-AS200 permit 196.200.220.0/24
ip prefix-list to-AS200 deny 0.0.0.0/0 le 32
!
! allow their networks in only - stops them from sending prefixes I don't want
!
ip prefix-list from-AS200 permit 196.200.208.0/20
ip prefix-list from-AS200 deny 0.0.0.0/0 le 32
!


eBGP with peer (Example 2)
--------------------------

Example 2: Private peering, using AS PATH filters

This example uses AS PATH filters to filter what you send to your peer, and
what you receive from your peer. This method is less safe than using
prefix-lists, as it assumes that you trust your peer not to originate prefixes
they are not entitled to originate. Note that it also leaks your PC LAN
subprefixes to your neighbouring AS; this is bad practice.

router bgp 42
 log-neighbor-changes
 no synchronization
 no auto-summary
 bgp dampening
 network 196.200.220.0 mask 255.255.255.0
 network 196.200.220.16 mask 255.255.255.240
 ! set up iBGP peer-groups
 neighbor ibgp-peers peer-group                ! give it a name
 neighbor ibgp-peers remote-as 42              ! this is our AS => so iBGP
 neighbor ibgp-peers version 4                 ! hardwire to version 4 - safe
 neighbor ibgp-peers password IBGP-PASSWORD    ! password on iBGP session (IBGP-PASSWORD is a placeholder)
 neighbor ibgp-peers update-source loopback 0  ! iBGP runs between loopbacks
 neighbor ibgp-peers send-community            ! always send communities for iBGP
 neighbor ibgp-peers next-hop-self             ! change external nexthops to local
 neighbor ibgp-peers description iBGP peer group   ! documentation
 ! and now configure each peer...
 neighbor 196.200.220.2 peer-group ibgp-peers  ! first iBGP peer
 neighbor 196.200.220.3 peer-group ibgp-peers  ! second iBGP peer
 neighbor 196.200.220.4 peer-group ibgp-peers  ! third iBGP peer
 ! ...and the other iBGP peers go here
 ! eBGP neighbour
 neighbor 196.200.220.254 remote-as 200                  ! Peer ISP's AS Number
 neighbor 196.200.220.254 version 4                      ! Hardwire for safety
 neighbor 196.200.220.254 password EBGP-PASSWORD         ! password on eBGP session (EBGP-PASSWORD is a placeholder)
 neighbor 196.200.220.254 description eBGP with Peer     ! Description line
 neighbor 196.200.220.254 filter-list 1 out              ! Filter outbound AS paths
 neighbor 196.200.220.254 filter-list 2 in               ! Filter inbound AS paths
!
ip route 196.200.220.0 255.255.255.0 null0 250
ip route 196.200.220.16 255.255.255.240 null0 250
!
! allow my AS out only - stops me from providing unintentional transit
!
ip as-path access-list 1 permit ^$
ip as-path access-list 1 deny .*
!
! allow their AS in only - stops them from sending ASes I don't want
!
ip as-path access-list 2 permit ^200$
ip as-path access-list 2 deny .*
!


eBGP with upstream (full routing table)
---------------------------------------

This example assumes the upstream is sending the full routing table.

router bgp 42
 log-neighbor-changes
 no synchronization
 no auto-summary
 bgp dampening
 network 196.200.220.0 mask 255.255.255.0
 network 196.200.220.16 mask 255.255.255.240
 ! set up iBGP peer-groups
 neighbor ibgp-peers peer-group                ! give it a name
 neighbor ibgp-peers remote-as 42              ! this is our AS => so iBGP
 neighbor ibgp-peers version 4                 ! hardwire to version 4 - safe
 neighbor ibgp-peers password IBGP-PASSWORD    ! password on iBGP session (IBGP-PASSWORD is a placeholder)
 neighbor ibgp-peers update-source loopback 0  ! iBGP runs between loopbacks
 neighbor ibgp-peers send-community            ! always send communities for iBGP
 neighbor ibgp-peers next-hop-self             ! change external nexthops to local
 neighbor ibgp-peers description iBGP peer group   ! documentation
 ! and now configure each peer...
 neighbor 196.200.220.2 peer-group ibgp-peers  ! first iBGP peer
 neighbor 196.200.220.3 peer-group ibgp-peers  ! second iBGP peer
 neighbor 196.200.220.4 peer-group ibgp-peers  ! third iBGP peer
 ! ...and the other iBGP peers go here
 ! eBGP neighbour
 neighbor 196.200.220.254 remote-as 200                  ! Upstream ISP's AS Number
 neighbor 196.200.220.254 version 4                      ! Hardwire for safety
 neighbor 196.200.220.254 password EBGP-PASSWORD         ! password on eBGP session (EBGP-PASSWORD is a placeholder)
 neighbor 196.200.220.254 description eBGP with Upstream ! Description line
 neighbor 196.200.220.254 prefix-list to-AS200 out       ! Filter outbound prefixes
 neighbor 196.200.220.254 prefix-list from-AS200 in      ! Filter inbound prefixes
!
ip route 196.200.220.0 255.255.255.0 null0 250
ip route 196.200.220.16 255.255.255.240 null0 250
!
! allow my networks out only
!
ip prefix-list to-AS200 permit 196.200.220.0/24
ip prefix-list to-AS200 deny 0.0.0.0/0 le 32
!
! take all the prefixes they send apart from special use addresses and
! my own address space
!
ip prefix-list from-AS200 deny 0.0.0.0/8 le 32           ! block all special use addresses
ip prefix-list from-AS200 deny 10.0.0.0/8 le 32
ip prefix-list from-AS200 deny 127.0.0.0/8 le 32
ip prefix-list from-AS200 deny 169.254.0.0/16 le 32
ip prefix-list from-AS200 deny 172.16.0.0/12 le 32
ip prefix-list from-AS200 deny 192.0.2.0/24 le 32
ip prefix-list from-AS200 deny 192.168.0.0/16 le 32
ip prefix-list from-AS200 deny 224.0.0.0/3 le 32
ip prefix-list from-AS200 deny 0.0.0.0/0 ge 25           ! deny all prefixes longer than /24
ip prefix-list from-AS200 deny 196.200.220.0/24 le 32    ! block my own address space from upstream
ip prefix-list from-AS200 permit 0.0.0.0/0 le 32         ! let in everything else
!


eBGP with upstream (default route only)
---------------------------------------

This example assumes the upstream is sending just the default route.

router bgp 42
 log-neighbor-changes
 no synchronization
 no auto-summary
 bgp dampening
 network 196.200.220.0 mask 255.255.255.0
 network 196.200.220.16 mask 255.255.255.240
 ! set up iBGP peer-groups
 neighbor ibgp-peers peer-group                ! give it a name
 neighbor ibgp-peers remote-as 42              ! this is our AS => so iBGP
 neighbor ibgp-peers version 4                 ! hardwire to version 4 - safe
 neighbor ibgp-peers password IBGP-PASSWORD    ! password on iBGP session (IBGP-PASSWORD is a placeholder)
 neighbor ibgp-peers update-source loopback 0  ! iBGP runs between loopbacks
 neighbor ibgp-peers send-community            ! always send communities for iBGP
 neighbor ibgp-peers next-hop-self             ! change external nexthops to local
 neighbor ibgp-peers description iBGP peer group   ! documentation
 ! and now configure each peer...
 neighbor 196.200.220.2 peer-group ibgp-peers  ! first iBGP peer
 neighbor 196.200.220.3 peer-group ibgp-peers  ! second iBGP peer
 neighbor 196.200.220.4 peer-group ibgp-peers  ! third iBGP peer
 ! ...and the other iBGP peers go here
 ! eBGP neighbour
 neighbor 196.200.220.254 remote-as 200                  ! Upstream ISP's AS Number
 neighbor 196.200.220.254 version 4                      ! Hardwire for safety
 neighbor 196.200.220.254 password EBGP-PASSWORD         ! password on eBGP session (EBGP-PASSWORD is a placeholder)
 neighbor 196.200.220.254 description eBGP with Upstream ! Description line
 neighbor 196.200.220.254 prefix-list to-AS200 out       ! Filter outbound prefixes
 neighbor 196.200.220.254 prefix-list from-AS200 in      ! Filter inbound prefixes
!
ip route 196.200.220.0 255.255.255.0 null0 250
ip route 196.200.220.16 255.255.255.240 null0 250
!
! allow my networks out only
!
ip prefix-list to-AS200 permit 196.200.220.0/24
ip prefix-list to-AS200 deny 0.0.0.0/0 le 32
!
! take just the default route from my upstream
!
ip prefix-list from-AS200 permit 0.0.0.0/0
ip prefix-list from-AS200 deny 0.0.0.0/0 le 32
!
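Added example, not part of the original cheat sheet: a small Python evaluator for the prefix-lists of Example 1 and both upstream examples, and for the AS-path access-lists of Example 2. It parses the `ip prefix-list` and `ip as-path access-list` lines as written above (the three inbound lists are all called from-AS200 on the page and are renamed from-AS200-peer, from-AS200-full and from-AS200-default here so they can coexist), applies IOS first-match and implicit-deny semantics including the `ge`/`le` length ranges, and runs constructed sample announcements through each list. The sample routes (the AS300 transit route 198.51.100.0/24, the /25 from 203.0.113.0/24, the RFC 1918 leak) and their AS paths are constructed for illustration, not taken from the page.

```python
# Added example, not from the cheat sheet: evaluate its prefix-lists and
# AS-path access-lists against constructed sample announcements.
import ipaddress
import re

# Filter lists copied from the cheat sheet; the three inbound lists are all
# called from-AS200 on the page and are renamed here so they can coexist.
CONFIG = """
ip prefix-list to-AS200 permit 196.200.220.0/24
ip prefix-list to-AS200 deny 0.0.0.0/0 le 32
ip prefix-list from-AS200-peer permit 196.200.208.0/20
ip prefix-list from-AS200-peer deny 0.0.0.0/0 le 32
ip prefix-list from-AS200-full deny 0.0.0.0/8 le 32        ! block all special use addresses
ip prefix-list from-AS200-full deny 10.0.0.0/8 le 32
ip prefix-list from-AS200-full deny 127.0.0.0/8 le 32
ip prefix-list from-AS200-full deny 169.254.0.0/16 le 32
ip prefix-list from-AS200-full deny 172.16.0.0/12 le 32
ip prefix-list from-AS200-full deny 192.0.2.0/24 le 32
ip prefix-list from-AS200-full deny 192.168.0.0/16 le 32
ip prefix-list from-AS200-full deny 224.0.0.0/3 le 32
ip prefix-list from-AS200-full deny 0.0.0.0/0 ge 25        ! deny all prefixes longer than /24
ip prefix-list from-AS200-full deny 196.200.220.0/24 le 32 ! block my own address from upstream
ip prefix-list from-AS200-full permit 0.0.0.0/0 le 32      ! let in everything else
ip prefix-list from-AS200-default permit 0.0.0.0/0
ip prefix-list from-AS200-default deny 0.0.0.0/0 le 32
ip as-path access-list 1 permit ^$
ip as-path access-list 1 deny .*
ip as-path access-list 2 permit ^200$
ip as-path access-list 2 deny .*
"""
PREFIX_RE = re.compile(r"^\s*ip prefix-list (\S+) (permit|deny) (\S+)"
                       r"(?: ge (\d+))?(?: le (\d+))?\s*(?:!.*)?$")
AS_PATH_RE = re.compile(r"^\s*ip as-path access-list (\d+) (permit|deny) (\S+)")

def parse_filters(text):
    """Return (prefix-lists, as-path lists): dicts of entries in config order."""
    prefix_lists, as_path_lists = {}, {}
    for line in text.splitlines():
        if m := PREFIX_RE.match(line):
            name, action, pfx, ge, le = m.groups()
            entry = (action, ipaddress.ip_network(pfx),
                     int(ge) if ge else None, int(le) if le else None)
            prefix_lists.setdefault(name, []).append(entry)
        elif m := AS_PATH_RE.match(line):
            num, action, regex = m.groups()
            as_path_lists.setdefault(num, []).append((action, regex))
    return prefix_lists, as_path_lists

def entry_matches(entry, net):
    """IOS semantics: net lies inside the entry's network and has exactly its length, or a length in [ge, le]."""
    _, base, ge, le = entry
    if net.version != base.version or not net.subnet_of(base):
        return False
    if ge is None and le is None:
        return net.prefixlen == base.prefixlen
    lo = ge if ge is not None else base.prefixlen   # ge defaults to the entry length
    hi = le if le is not None else net.max_prefixlen  # le defaults to 32 for IPv4
    return lo <= net.prefixlen <= hi

def evaluate_prefix_list(entries, prefix):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    net = ipaddress.ip_network(prefix)
    for entry in entries:
        if entry_matches(entry, net):
            return entry[0]
    return "deny"

def evaluate_as_path_list(entries, as_path):
    """as_path is a space-separated AS_PATH string ('' = locally originated); IOS '_' becomes a Python regex."""
    for action, cisco_regex in entries:
        if re.search(cisco_regex.replace("_", r"(?:^|\s|$)"), as_path):
            return action
    return "deny"

def apply_filter(routes, prefix_entries=None, as_path_entries=None):
    """Return the prefixes of the (prefix, as_path) routes that every given list permits."""
    return [prefix for prefix, as_path in routes
            if (prefix_entries is None or evaluate_prefix_list(prefix_entries, prefix) == "permit")
            and (as_path_entries is None or evaluate_as_path_list(as_path_entries, as_path) == "permit")]

# Constructed sample announcements (not from the page).
FROM_AS200 = [
    ("196.200.208.0/20", "200"),          # the peer's own aggregate
    ("198.51.100.0/24", "200 300"),       # a route AS200 transits from AS300
    ("10.1.0.0/16", "200"),               # RFC 1918 leak originated by the peer
    ("203.0.113.128/25", "200 300"),      # more specific than /24
    ("196.200.220.16/28", "200 300 42"),  # our own PC LAN coming back to us
    ("0.0.0.0/0", "200"),                 # default route
]
OUR_TABLE = [
    ("196.200.220.0/24", ""),             # our aggregate, locally originated
    ("196.200.220.16/28", ""),            # PC LAN subprefix, locally originated
    ("196.200.208.0/20", "200"),          # learned from AS200, must not be re-exported
]

if __name__ == "__main__":
    plists, aslists = parse_filters(CONFIG)
    for name in ("from-AS200-peer", "from-AS200-full", "from-AS200-default"):
        print(name, "accepts", apply_filter(FROM_AS200, plists[name]))
    print("as-path list 2 accepts", apply_filter(FROM_AS200, as_path_entries=aslists["2"]))
    print("to-AS200 sends", apply_filter(OUR_TABLE, plists["to-AS200"]))
    print("as-path list 1 sends", apply_filter(OUR_TABLE, as_path_entries=aslists["1"]))
```

Running it shows the difference between the filtering styles on the same input: the Example 1 peering prefix-list accepts only the peer's /20; the full-table list drops the RFC 1918 leak, the /25 and our own /28 (the `ge 25` entry catches the /28 before the own-space entry does) but admits the transit route and the default; the default-only list admits just 0.0.0.0/0; and AS-path list 2 lets the RFC 1918 leak through because it only checks who originated the route, which is the weakness Example 2 describes. Outbound, the to-AS200 prefix-list sends only the /24 aggregate, while AS-path list 1 also sends the /28 PC LAN subprefix, the leak the Example 2 text warns about.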