
r1, r2 and r3 have fully meshed BGP peering. No IGP is used.
BGP synchronization
Before a BGP route is advertised and added to the routing table, this route must be known via an IGP.
In AS65000 no IGP is used, only pure iBGP peering, so BGP synchronization would stop a BGP speaker from adding routes learned from its iBGP peers to its routing table. Synchronization must be turned off.
iBGP speakers peering with one another
This is necessary because of the split horizon rule, i.e. a router will never advertise a route learned from one iBGP peer to another iBGP peer. For the iBGP routers to know all the routes, they need to peer with one another. Take r2 for example: it needs to peer with r1 as well as r3.
All networks and subnets connecting to the iBGP routers must be known
r1 peers with r2 and r3, and r1 advertises the eBGP route and the iBGP routes. The prefixes 192.168.0.0/30 and 192.168.0.4/30 are directly connected to r1.
r1 peers with two IP addresses of r2 (192.168.0.2 and 192.168.0.9) and of r3 (192.168.0.6 and 192.168.0.10). This ensures that if a link between r1 and r2 fails, r1 is still able to reach r2. Likewise, if a link between r1 and r3 fails, r1 is still able to reach r3.
r1#sh run | s router
router bgp 65000
 no synchronization
 bgp router-id 11.11.11.11
 bgp log-neighbor-changes
 network 192.168.0.0 mask 255.255.255.252
 network 192.168.0.4 mask 255.255.255.252
 network 192.168.0.12 mask 255.255.255.252
 neighbor 192.168.0.2 remote-as 65000
 neighbor 192.168.0.6 remote-as 65000
 neighbor 192.168.0.9 remote-as 65000
 neighbor 192.168.0.10 remote-as 65000
 neighbor 192.168.0.14 remote-as 65100
 no auto-summary
r1#
r2 peers with r1 and r3. If it does not peer with r3, it will never know the route to r3, because r1 never advertises a route learned from r3 to r2. Apart from the iBGP routes, it also has other prefixes that are directly connected.
r2 actually peers with two addresses of r1 (192.168.0.1 and 192.168.0.5) and of r3 (192.168.0.6 and 192.168.0.10). This ensures that if the interface between r2 and r3 fails, r2 can still reach r3.
r2#sh run | s router bgp
router bgp 65000
 no synchronization
 bgp router-id 22.22.22.22
 bgp log-neighbor-changes
 network 10.20.0.0 mask 255.255.255.0
 network 10.20.1.0 mask 255.255.255.0
 network 10.20.2.0 mask 255.255.255.0
 network 192.168.0.0 mask 255.255.255.252
 network 192.168.0.8 mask 255.255.255.252
 neighbor 192.168.0.1 remote-as 65000
 neighbor 192.168.0.5 remote-as 65000
 neighbor 192.168.0.6 remote-as 65000
 neighbor 192.168.0.10 remote-as 65000
 no auto-summary
r2#
r3 peers with r1 and r2, and it advertises its known iBGP routes as well. r3 peers with two addresses of r1 (192.168.0.1 and 192.168.0.5) and of r2 (192.168.0.2 and 192.168.0.9).
r3#sh run | s router bgp
router bgp 65000
 no synchronization
 bgp router-id 33.33.33.33
 bgp log-neighbor-changes
 network 192.168.0.4 mask 255.255.255.252
 network 192.168.0.8 mask 255.255.255.252
 neighbor 192.168.0.1 remote-as 65000
 neighbor 192.168.0.2 remote-as 65000
 neighbor 192.168.0.5 remote-as 65000
 neighbor 192.168.0.9 remote-as 65000
 no auto-summary
r3#
Next hop does not change when a route is advertised from eBGP to iBGP
r4 is an eBGP router; it advertises its own interface IP address as the next hop to r1. This next hop does not change inside AS65000. However, r1 also advertises the 192.168.0.12/30 eBGP link network, so its iBGP neighbours know how to reach 192.168.0.12/30 and hence can also reach the destinations advertised by r4.
I have turned off next-hop-self on r1 for its neighbor r3; because r3 knows how to get to the 192.168.0.12/30 network, it is not necessary to change the next hop at r1.
r3#sh ip route | begin Gateway
Gateway of last resort is not set
     3.0.0.0/32 is subnetted, 1 subnets
C       3.3.3.3 is directly connected, Loopback0
     10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
B       10.0.0.8/30 [200/0] via 192.168.0.14, 00:03:24
B       10.0.0.0/30 [200/0] via 192.168.0.14, 00:03:24
B       10.0.0.4/30 [200/0] via 192.168.0.14, 00:03:24
B       10.20.2.0/24 [200/0] via 192.168.0.9, 00:07:44
B       10.20.0.0/24 [200/0] via 192.168.0.9, 00:07:44
B       10.20.1.0/24 [200/0] via 192.168.0.9, 00:07:44
     192.168.0.0/30 is subnetted, 4 subnets
C       192.168.0.8 is directly connected, Serial0/0
B       192.168.0.12 [200/0] via 192.168.0.5, 00:17:13
B       192.168.0.0 [200/0] via 192.168.0.5, 00:07:51
C       192.168.0.4 is directly connected, Serial0/2
r3#ping 192.168.0.14
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.14, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
r3#ping 10.0.0.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
r3#ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
r3#ping 10.0.0.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
r3#
The next-hop-self command should be activated if IGP routers are involved within AS65000. Because the IGP routing table does not contain a route to 192.168.0.14, r1 has to change the next-hop address to its own interface address, and that interface address must be in the IGP routing table.
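The two rules above (iBGP split horizon and the unchanged eBGP next hop) as an added Python model; it is not part of the original post. It treats each router pair as one session (the lab peers on two addresses per pair) and assumes every network statement is a connected subnet; the function and variable names are illustrative.

```python
import ipaddress

# Constructed model of AS65000 from the configs above. Assumption: each
# router's network statements are exactly its connected subnets.
ORIGINATED = {
    "r1": ["192.168.0.0/30", "192.168.0.4/30", "192.168.0.12/30"],
    "r2": ["10.20.0.0/24", "10.20.1.0/24", "10.20.2.0/24",
           "192.168.0.0/30", "192.168.0.8/30"],
    "r3": ["192.168.0.4/30", "192.168.0.8/30"],
}
# Prefixes r1 learns from r4 over eBGP; the next hop stays r4's address.
EBGP = {"r1": {"10.0.0.0/30": "192.168.0.14", "10.0.0.4/30": "192.168.0.14",
               "10.0.0.8/30": "192.168.0.14"}}
FULL_MESH = [("r1", "r2"), ("r1", "r3"), ("r2", "r3")]

def ibgp_learned(router, sessions, originated=ORIGINATED):
    """Return {prefix: next_hop} learned by router from its iBGP peers.

    A next_hop of None means the advertising peer itself (directly connected).
    """
    learned = {}
    for a, b in sessions:
        if router not in (a, b):
            continue
        peer = b if router == a else a
        # Split horizon: a peer sends what it originated or learned over
        # eBGP, never what it learned from another iBGP peer.
        for prefix in originated[peer]:
            if prefix not in originated[router]:
                learned.setdefault(prefix, None)
        for prefix, next_hop in EBGP.get(peer, {}).items():
            learned.setdefault(prefix, next_hop)  # next hop is not rewritten
    return learned

def usable_routes(router, sessions, originated=ORIGINATED):
    """Learned prefixes whose next hop resolves in the router's table."""
    learned = ibgp_learned(router, sessions, originated)
    table = [ipaddress.ip_network(p) for p in list(learned) + originated[router]]
    return sorted(
        prefix for prefix, next_hop in learned.items()
        if next_hop is None
        or any(ipaddress.ip_address(next_hop) in net for net in table)
    )
```

With FULL_MESH, usable_routes("r3", ...) returns the same eight BGP prefixes as r3's routing table above. Dropping the ("r2", "r3") session removes the 10.20.x.0/24 routes, and dropping 192.168.0.12/30 from r1's originated list leaves the 10.0.0.x/30 routes without a resolvable next hop.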

r5 has the following prefixes to advertise:
172.17.1.0/28, 172.17.1.16/28 and 172.17.1.32/28. r5 peers with r3.
r5#sh run | section router bgp
router bgp 65200
 no synchronization
 bgp router-id 5.5.5.5
 bgp log-neighbor-changes
 network 172.17.1.0 mask 255.255.255.240
 network 172.17.1.16 mask 255.255.255.240
 network 172.17.1.32 mask 255.255.255.240
 neighbor 192.168.0.17 remote-as 65000
 no auto-summary
r5#
The following configuration is added to r3 to peer with r5 and advertise the eBGP route to its iBGP neighbours.
r3#sh run | s router bgp
router bgp 65000
 no synchronization
 bgp router-id 33.33.33.33
 bgp log-neighbor-changes
 network 192.168.0.4 mask 255.255.255.252
 network 192.168.0.8 mask 255.255.255.252
 network 192.168.0.16 mask 255.255.255.252
 neighbor 192.168.0.1 remote-as 65000
 neighbor 192.168.0.2 remote-as 65000
 neighbor 192.168.0.5 remote-as 65000
 neighbor 192.168.0.9 remote-as 65000
 neighbor 192.168.0.18 remote-as 65200
 no auto-summary
r3#
Reachability test from r4 to r5 and vice versa
r4#sh ip route bgp | begin Gateway
Gateway of last resort is not set
     10.0.0.0/8 is variably subnetted, 9 subnets, 3 masks
B       10.20.0.0/24 [20/0] via 192.168.0.13, 01:52:09
B       10.20.1.0/24 [20/0] via 192.168.0.13, 01:52:09
B       10.20.2.0/24 [20/0] via 192.168.0.13, 01:52:09
     172.17.0.0/28 is subnetted, 3 subnets
B       172.17.1.0 [20/0] via 192.168.0.13, 00:29:53
B       172.17.1.16 [20/0] via 192.168.0.13, 00:29:53
B       172.17.1.32 [20/0] via 192.168.0.13, 00:29:53
     192.168.0.0/24 is variably subnetted, 5 subnets, 2 masks
B       192.168.0.0/30 [20/0] via 192.168.0.13, 01:59:34
B       192.168.0.4/30 [20/0] via 192.168.0.13, 01:59:34
B       192.168.0.16/30 [20/0] via 192.168.0.13, 00:30:23
r4#tclsh
r4(tcl)#foreach ip_address {
+>(tcl)#172.17.1.1
+>(tcl)#172.17.1.17
+>(tcl)#172.17.1.33} {ping $ip_address}
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.1.17, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.1.33, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
r4(tcl)#exit
r4#
As the echo results above show, all prefixes advertised by r5 can be reached.
r5#sh ip route bgp | begin Gateway
Gateway of last resort is not set
     10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
B       10.0.0.0/30 [20/0] via 192.168.0.17, 00:35:41
B       10.0.0.4/30 [20/0] via 192.168.0.17, 00:35:41
B       10.0.0.8/30 [20/0] via 192.168.0.17, 00:35:41
B       10.20.0.0/24 [20/0] via 192.168.0.17, 00:35:41
B       10.20.1.0/24 [20/0] via 192.168.0.17, 00:35:41
B       10.20.2.0/24 [20/0] via 192.168.0.17, 00:35:41
     192.168.0.0/24 is variably subnetted, 5 subnets, 2 masks
B       192.168.0.0/30 [20/0] via 192.168.0.17, 00:35:41
B       192.168.0.4/30 [20/0] via 192.168.0.17, 00:35:41
B       192.168.0.12/30 [20/0] via 192.168.0.17, 00:35:41
r5#tclsh
r5(tcl)#foreach ip {
+>(tcl)#10.0.0.1
+>(tcl)#10.0.0.5
+>(tcl)#10.0.0.9} {ping $ip}
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
r5(tcl)#
Apart from reaching r4’s prefixes, r5 can also reach transit AS r2’s prefixes:
r5(tcl)#foreach ip20 {
+>(tcl)#10.20.0.1
+>(tcl)#10.20.1.1
+>(tcl)#10.20.2.1
+>(tcl)#} {ping $ip20}
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
r5(tcl)#
If this is not desirable, a route filter should be applied.
Filter prefixes to be advertised from r3 to r5
10.20.0.0/30, 10.20.1.0/30 and 10.20.2.0/30 should only be shared among the ibgp routers and these prefixes should not be made known to r5.
Step 1: Classify the prefixes that need to be filtered.
r3#sh run | s ip access-list
ip access-list standard r2-prefix
 deny   10.20.0.0 0.0.0.255
 deny   10.20.1.0 0.0.0.255
 deny   10.20.2.0 0.0.0.255
 permit any
r3#
Step 2: Apply the filter on the ebgp peer.
r3#sh run | s router bgp
router bgp 65000
 no synchronization
 bgp router-id 33.33.33.33
 bgp log-neighbor-changes
 network 192.168.0.4 mask 255.255.255.252
 network 192.168.0.8 mask 255.255.255.252
 network 192.168.0.16 mask 255.255.255.252
 neighbor 192.168.0.1 remote-as 65000
 neighbor 192.168.0.2 remote-as 65000
 neighbor 192.168.0.5 remote-as 65000
 neighbor 192.168.0.9 remote-as 65000
 neighbor 192.168.0.18 remote-as 65200
 neighbor 192.168.0.18 distribute-list r2-prefix out
 no auto-summary
r3#
The configuration means r3 filters the specified prefixes out of what it advertises to r5, hence the direction is out.
After the filter is applied, it takes 30 seconds for the configuration to take effect. BGP uses triggered updates; for an external peer the interval is 30 seconds.
r5#sh ip route bgp | begin Gateway
Gateway of last resort is not set
     10.0.0.0/30 is subnetted, 3 subnets
B       10.0.0.0 [20/0] via 192.168.0.17, 01:03:16
B       10.0.0.4 [20/0] via 192.168.0.17, 01:03:16
B       10.0.0.8 [20/0] via 192.168.0.17, 01:03:16
     192.168.0.0/24 is variably subnetted, 5 subnets, 2 masks
B       192.168.0.0/30 [20/0] via 192.168.0.17, 01:03:16
B       192.168.0.4/30 [20/0] via 192.168.0.17, 01:03:16
B       192.168.0.12/30 [20/0] via 192.168.0.17, 01:03:16
r5#
A look at r5's routing table shows that the 10.20.0.0 prefixes have disappeared.
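How the r2-prefix filter from Steps 1 and 2 selects routes, as an added Python model that is not part of the original post. It evaluates the standard ACL first-match against each route's network address only, which is how a standard ACL behaves in a distribute-list; the route list is constructed from r5's table before filtering, and the function names are illustrative.

```python
import ipaddress

# The r2-prefix ACL from Step 1 as (action, address, wildcard) entries.
# "permit any" is address 0.0.0.0 with wildcard 255.255.255.255.
R2_PREFIX = [
    ("deny", "10.20.0.0", "0.0.0.255"),
    ("deny", "10.20.1.0", "0.0.0.255"),
    ("deny", "10.20.2.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]

# Constructed input: the BGP routes r5 held before the filter was applied.
BEFORE_FILTER = [
    "10.0.0.0/30", "10.0.0.4/30", "10.0.0.8/30",
    "10.20.0.0/24", "10.20.1.0/24", "10.20.2.0/24",
    "192.168.0.0/30", "192.168.0.4/30", "192.168.0.12/30",
]

def acl_action(acl, network_address):
    """First-match evaluation of a standard ACL against a network address."""
    addr = int(ipaddress.ip_address(network_address))
    for action, base, wildcard in acl:
        # Wildcard bits set to 1 are ignored; the remaining bits must match.
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if (addr & care) == (int(ipaddress.ip_address(base)) & care):
            return action
    return "deny"  # implicit deny at the end of every ACL

def advertise(acl, routes):
    """Apply the ACL as an outbound distribute-list; return permitted routes.

    Only the network address is tested, so the prefix length is ignored:
    a route such as 10.20.0.0/16 would be denied by the first entry too.
    """
    return [
        route for route in routes
        if acl_action(acl, str(ipaddress.ip_network(route).network_address))
        == "permit"
    ]
```

advertise(R2_PREFIX, BEFORE_FILTER) returns the six prefixes that remain in r5's table above. Without the final permit any entry, the implicit deny would drop every route advertised to r5.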