PLNOG15: BGP New Advanced Features - Piotr Wojciechowski
3 likes225 views
This document provides an overview of new advanced BGP features including BGP Graceful Shutdown, BGP Additional Paths, support for multiple sourced paths per redistributed route, BGP Accumulated IGP Metric, and BGP FlowSpec. It describes each feature, how it works, and its configuration. The presenter is a senior network engineer and CCIE with experience designing networks and leading a large Cisco community.
![BGP ADDITIONAL PATHS
¢ Availability:
— Cisco IOS XE Release 3.7S
— Cisco IOS XE Release 3.6E
— IOS 15.3M
— NX-OS 6.2(8) [Nexus 7700]
— IOS XR 4.0 [CSR]
— Juniper JunOS 11.4 [SRX, M, MX, J, T Series]](https://image.slidesharecdn.com/plnog15-151015100502-lva1-app6891/85/PLNOG15-BGP-New-Advanced-Features-Piotr-Wojciechowski-23-320.jpg)
![BGP ACCUMULATED IGP METRIC
¢ Availability:
— Cisco IOS XE Release 3.12S
— 15.4(2)S
— IOS XR 4.2
— Juniper JunOS 12.3 [M, MX, T Series]](https://image.slidesharecdn.com/plnog15-151015100502-lva1-app6891/85/PLNOG15-BGP-New-Advanced-Features-Piotr-Wojciechowski-38-320.jpg)
PLNOG15: BGP New Advanced Features - Piotr Wojciechowski
- 1. BGP NEW ADVANCED FEATURES Piotr Wojciechowski (CCIE #25543)
- 2. ABOUT ME ¢ Senior Network Engineer MSO at VeriFone Inc. ¢ Previously Network Solutions Architect at one of top polish IT integrators ¢ CCIE #25543 (Routing & Switching) ¢ Administrator of CCIE.PL board — The biggest Cisco community in Europe — About 7800 users — 3 admin, 3 moderators — Over 60 polish CCIEs as members, 20 of them actively posting — About 100 new topics per month — About 800 posts per month — English section available
- 3. AGENDA ¢ BGP Graceful Shutdown ¢ BGP Additional Paths ¢ BGP Support for Multiple Sourced Paths Per Redistributed Route ¢ BGP Accumulated IGP Metric ¢ BGP Monitoring Protocol ¢ BGP FlowSpec
- 5. BGP GRACEFUL SHUTDOWN ¢ BGP convergence can take from few seconds to few minutes ¢ Maintenance periods may cause significant disruption in network ¢ For new applications customers are requesting tighter SLA requirements (ie. for VoIP traffic, corporate mission critical applications) ¢ BGP devices are temporarily unreachable during BGP convergence ¢ Historically RR’s have worsened the issue as they tend to hide the alternate path as they only forward the best path
- 6. BGP GRACEFUL SHUTDOWN ¢ This feature is used primarily for maintenance in MPLS networks on a link between: — PE-PE, — PE- Route Reflector (RR), — PE-Customer Edge (CE) and CE ¢ It may be used between Internet BGP routers
- 7. BGP GRACEFUL SHUTDOWN ¢ The goal of gracefully shutting down one or more BGP sessions is to minimize traffic loss during the planned shutdown and subsequent reestablishment of the sessions. ¢ Goal achieved - routers always have a valid route available during the convergence process
- 8. BGP GRACEFUL SHUTDOWN ¢ BGP Graceful Shutdown allows vendors to provide mechanism that does not require any router reconfiguration at maintenance time RFC 6198 Requirements for the Graceful Shutdown of BGP Sessions draft-ietf-grow-bgp-gshut-06 Graceful BGP session shutdown
- 9. BGP GRACEFUL SHUTDOWN Source Destination R2 R1 1. Router is down 2. Packet drops 3. Alternate path announces 4. Packets flow resume Router is unable to forward to a destination if a withdrawal arrives before the advertisement of alternate route
- 10. BGP GRACEFUL SHUTDOWN 1. Announce Lower Preference 2. Packets continue to flow 3. Alternate path announces 4. Packets reroute 5. Router restart Source Destination R2 R1
- 11. BGP GRACEFUL SHUTDOWN ¢ GSHUT well-known community ¢ The GSHUT community is always sent by the GSHUT initiator ¢ The GSHUT community is specified in a community list, which is referenced by a route map and then used to make policy routing decisions
- 12. BGP GRACEFUL SHUTDOWN Berlin(config-‐router)#neighbor 10.0.128.2 shutdown graceful 30 community 12345 *Sep 1 20:33:59.225: Graceful Shutdown after 30 seconds for neighbor: 10.0.128.2 *Sep 1 20:34:29.529: %BGP-‐3-‐NOTIFICATION: sent to neighbor 10.0.128.2 6/2 (Administrative Shutdown) 0 bytes *Sep 1 20:34:29.530: %BGP-‐5-‐NBR_RESET: Neighbor 10.0.128.2 reset (Admin. shutdown) *Sep 1 20:34:29.535: %BGP-‐5-‐ADJCHANGE: neighbor 10.0.128.2 Down Admin. shutdown *Sep 1 20:34:29.536: %BGP_SESSION-‐5-‐ADJCHANGE: neighbor 10.0.128.2 IPv4 Unicast topology base removed from session Admin. shutdown
- 13. BGP GRACEFUL SHUTDOWN ¢ Availability: — Cisco IOS XE Release 3.6S — IOS 15.2(4)M — IOS XR 3.5.2
- 15. BGP ADDITIONAL PATHS ¢ BGP routers and route reflectors (RRs) propagate only their best path over their sessions ¢ Path hiding can prevent efficient use of BGP multipath — It may prevent hitless planned maintenance — Sub-optimal routing — During failure it negatively affect fast and local recovery because the network has to wait for BGP control plane convergence to restore traffic
- 16. BGP ADDITIONAL PATHS ¢ Example of path hiding - prefix p with paths p1 and p2 advertised from BR1 and BR4 to RR1. RR1 selects the best path of the two and then advertises to PE only p1
- 17. BGP ADDITIONAL PATHS ¢ BGP routers and route reflectors (RR) propagate only their best path over their sessions ¢ The advertisement of a prefix replaces the previous announcement of that prefix (this in known as an implicit withdraw) ¢ The BGP Additional Paths feature is a BGP extension that allows the advertisement of multiple paths for the same prefix without the new paths implicitly replacing any previous paths
- 18. BGP ADDITIONAL PATHS ¢ BGP Additional Paths feature is implemented by adding a path identifier to each path in the NLRI — Path IDs are unique to a peering session and are generated for each network — 4 octets length ¢ Additional Paths feature allows the advertisement of more paths, in addition to the bestpath ¢ Additional Paths feature allows the advertisement of multiple paths for the same prefix, without the new paths implicitly replacing any previous paths
- 19. BGP ADDITIONAL PATHS router bgp 1 address-‐family ipv4 unicast bgp additional-‐paths select all neighbor 192.168.1.2 additional-‐paths send receive neighbor 192.168.1.2 advertise additional-‐paths all Three path selection (path marking) policies, and they are not mutually exclusive • best 2 or best 3 (best 2 means the bestpath and 2nd best path) • group-best (calculates the group-best for prefixes during bestpath calculation) • all (all paths with unique next hops are eligible for selection)
- 20. BGP ADDITIONAL PATHS router bgp 1 address-‐family ipv4 unicast bgp additional-‐paths select all neighbor 192.168.1.2 additional-‐paths send receive neighbor 192.168.1.2 advertise additional-‐paths all Enables the neighbor to send or receive additional paths after negotiation is completed.
- 21. BGP ADDITIONAL PATHS router bgp 1 address-‐family ipv4 unicast bgp additional-‐paths select all neighbor 192.168.1.2 additional-‐paths send receive neighbor 192.168.1.2 advertise additional-‐paths all Specifies the selection methods that control which additional paths are advertised for the neighbor.
- 22. BGP ADDITIONAL PATHS ¢ Configuration methods — per Address Family — per Neighbor — via Peer Policy Template ¢ Additional filtering or attributes may be applied via route-maps
- 23. BGP ADDITIONAL PATHS ¢ Availability: — Cisco IOS XE Release 3.7S — Cisco IOS XE Release 3.6E — IOS 15.3M — NX-OS 6.2(8) [Nexus 7700] — IOS XR 4.0 [CSR] — Juniper JunOS 11.4 [SRX, M, MX, J, T Series]
- 24. BGP SUPPORT FOR MULTIPLE SOURCED PATHS PER REDISTRIBUTED ROUTE
- 25. BGP SUPPORT FOR MULTIPLE SOURCED PATHS PER REDISTRIBUTED ROUTE ¢ Prior to this feature: — BGP accepted only one path from the Routing Information Base (RIB) to create a single BGP-sourced path for a redistributed network ¢ Redistribution ¢ Network command — If the RIB had more than one path for the same network only best one was used — Import of more than the default path into a VRF instance is already supported in BGP, however, these multiple paths had to be from different neighbors or sources and not from the same source
- 26. BGP SUPPORT FOR MULTIPLE SOURCED PATHS PER REDISTRIBUTED ROUTE
- 27. BGP SUPPORT FOR MULTIPLE SOURCED PATHS PER REDISTRIBUTED ROUTE ¢ With BGP Support for Multiple Sourced Paths Per Redistributed Route: — Multiple paths from the same source can be imported and exported across virtual routing and forwarding (VRF) instances — Customers can export Equal Cost Multipath (ECMP) sourced paths or next- hops from one VRF into hundreds of VRFs on the same device using BGP — Each of these paths are installed as multipaths into the RIB, and provides ECMP paths in other VRFs also
- 28. BGP SUPPORT FOR MULTIPLE SOURCED PATHS PER REDISTRIBUTED ROUTE Device(config-‐router)# address-‐family ipv4 vrf blue Device(config-‐router-‐af)# bgp sourced-‐paths per-‐net static all Device(config-‐router-‐af)# bgp sourced-‐paths per-‐net ospf all Device(config-‐router-‐af)# redistribute static Device(config-‐router-‐af)# redistribute ospf 2 Device(config-‐router-‐af)# exit-‐address-‐family Allows per network sourcing of all static paths in the RIB
- 29. BGP SUPPORT FOR MULTIPLE SOURCED PATHS PER REDISTRIBUTED ROUTE ¢ Availability: — Cisco IOS XE Release 3.15S — IOS 15.5M
- 30. BGP ACCUMULATED IGP METRIC
- 31. BGP ACCUMULATED IGP METRIC ¢ BGP Accumulated IGP feature is an optional nontransitive Border Gateway Protocol (BGP) path attribute ¢ It is required to simulate the current Open Shortest Path First (OSPF) behavior of computing the distance associated with a path
- 32. BGP ACCUMULATED IGP METRIC ¢ Problem example — ACME network is sub-divided into two BGP ASN’s, ASN 1 and ASN 2. They are peering at ASBR’s and the link IGP costs are representing bandwidth. The goal here is to have an end-to-end optimal path between PE1 and PE21 Example and diagrams from http://packetpushers.net/bgp-aigp
- 33. BGP ACCUMULATED IGP METRIC ¢ Solution #1 – MED attribute — Set MED 40 for prefix 21.21.21.21 /32 on ASBR21 and MED 20 on ASBR 22 representing there IGP cost for the prefix — Another problem – best path is via ASBR12 not ASBR11 Example and diagrams from http://packetpushers.net/bgp-aigp
- 34. BGP ACCUMULATED IGP METRIC ¢ Solution #2 – AIGP attribute — ASBR21 and ASBR22 advertise the Prefix 21.21.21.21 /32 to their respective ASBR’s in ASN1 with aigp-metric which contains the IGP-Cost to PE21 — PE1 adds the IGP cost to the ASBR11 and ASBR12 and chooses the BGP next hop which is on end to end optimal path from an IGP cost perspective — This create new problem – it can cause BGP route change if there is a change in the IGP cost Example and diagrams from http://packetpushers.net/bgp-aigp
- 35. BGP ACCUMULATED IGP METRIC ¢ AIGP modifies best-path selection algorithm 1. Highest Local-Preference 2. Shortest AS-Path 3. Lowest Origin Code 4. Lowest MED 5. … 1. Highest Local-Preference 2. Lowest AIGP Cost 3. Shortest AS-Path 4. Lowest Origin Code 5. Lowest MED 6. …
- 36. BGP ACCUMULATED IGP METRIC ¢ Configuration — Configuring AIGP metric value Device# configure terminal Device(config)# router bgp 40000 Device(config-‐router)# address-‐family ipv4 unicast Device(config-‐router-‐af)# redistribute bgp 100 route-‐map rtmap Device(config-‐router-‐af)# network 10.1.1.1 route-‐map rtmap Device(config-‐router-‐af)# exit Device(config)# route-‐map rtmap Device(config-‐route-‐map)# set aigp-‐metric igp-‐metric Device(config-‐route-‐map)# end
- 37. BGP ACCUMULATED IGP METRIC ¢ Configuration — EnablingAIGP Device# configure terminal Device(config)# router bgp 40000 Device(config-‐router)# address-‐family ipv4 unicast Device(config-‐router-‐af)# neighbor 192.168.1.1 aigp Device(config-‐router-‐af)# exit
- 38. BGP ACCUMULATED IGP METRIC ¢ Availability: — Cisco IOS XE Release 3.12S — 15.4(2)S — IOS XR 4.2 — Juniper JunOS 12.3 [M, MX, T Series]
- 40. BGP MONITORING PROTOCOL ¢ Several network tasks and services requires access to full routing table — Paths analysis — Prefix history during troubleshooting — Traffic engineering planning — Looking glass — Network simulations — Etc…
- 41. BGP MONITORING PROTOCOL ¢ BMP components: — BMP Server – device that will collect information, talk to BMP Clients ¢ ExaBMP ¢ Ryu BMP Server ¢ OpenBMP ¢ bmpreceiver — BMP Client – BGP neighbors configured to send data to specific BMP servers for monitoring purposes
- 43. BGP MONITORING PROTOCOL ¢ BMP Server configuration on Cisco Device(config)# router bgp 65000 Device(config-‐router)# bmp server 1 Device(config-‐router-‐bmpsrvr)# activate Device(config-‐router-‐bmpsrvr)# address 10.1.1.1 port-‐number 8000 Device(config-‐router-‐bmpsrvr)# description LINE SERVER1 Device(config-‐router-‐bmpsrvr)# failure-‐retry-‐delay 40 Device(config-‐router-‐bmpsrvr)# flapping-‐delay 120 Device(config-‐router-‐bmpsrvr)# initial-‐delay 20 Device(config-‐router-‐bmpsrvr)# set ip dscp 5 Device(config-‐router-‐bmpsrvr)# stats-‐reporting-‐period 30 Device(config-‐router-‐bmpsrvr)# update-‐source ethernet 0/0 Device(config-‐router-‐bmpsrvr)# exit-‐bmp-‐server-‐mode
- 44. BGP MONITORING PROTOCOL ¢ Configuration activation per neighbor Device(config)# router bgp 65000 Device(config-‐router)# neighbor 30.1.1.1 bmp-‐activate server 1 server 2 Device(config-‐router)# end
- 45. BGP MONITORING PROTOCOL ¢ Availability: — Cisco IOS XE Release 3.11S — 15.4(1)S — IOS XR 5.2.2 — Juniper JunOS 13.2
- 46. BGP FLOWSPEC
- 47. BGP FLOWSPEC The benefit of BGP Flow Spec is that it allows BGP speakers to use a new BGP NLRI defining flow filter information which can then be advertised to upstream neighbors via BGP The primary and immediate motivation of this protocol is to provide intra and inter provider distribution of traffic filtering rules to filter DoS and DDoS attacks, however it can be used for a wide variety of applications in which filtering information must be dynamically distributed throughout a network
- 48. BGP FLOWSPEC ¢ BGP FlowSpec is defined within the RFC 5575: “Dissemination of Flow Specification Rules” ¢ New NLRI that allows to convey flow specifications and traffic Action/Rules associated — FLOW specifications are encoded within the MP_REACH_NLRI and MP_UNREACH_NLRI attributes. — RULES (Actions associated) are encoded in Extended Community attribute. ¢ For IPv4 purposes, RFC defines the following AFI/SAFI value: AFI=1 SAFI=133
- 49. BGP FLOWSPEC Internet Web Server IP:212.111.1.50 eBGP: 212.111.1.0/24
- 50. BGP FLOWSPEC Internet Web Server IP:212.111.1.50 eBGP: 212.111.1.0/24 ¢ DDoS Attack DDoS Attack
- 51. BGP FLOWSPEC Internet Web Server IP:212.111.1.50 eBGP: 212.111.1.0/24 ¢ DDoS Attack Mittigation – BGP Blackholing DDoS Attack eBGP: 212.111.1.1/32 Community 12345:666 212.111.1.1/32 Discarded 212.111.1.1/32 Discarded
- 52. BGP FLOWSPEC ¢ DDoS Attack Mittigation – BGP Blackholing — DDoS attack successfully blocked! — … as well as all other traffic to web server
- 53. BGP FLOWSPEC Internet Web Server IP:212.111.1.50 eBGP: 212.111.1.0/24 ¢ DDoS Attack Mittigation – BGP FlowSpec DDoS Attack 212.111.1.50/32 IP Protocol 17 (UDP) Packet size <= 30KB Rate-limit 5M Legitimate Traffic
- 54. BGP FLOWSPEC ¢ In reality Service Provider does not trust Customer ¢ New AFI/SAFI combination need to be deployed between Customer and Service Provider ¢ In real scenarios SP utilize central FlowSpec speaker — Machine is tread as trusted — BGP meshed with other routers — Managed by service provider
- 55. BGP FLOWSPEC Internet Web Server IP:212.111.1.50 eBGP: 212.111.1.0/24 ¢ DDoS Attack Mittigation – BGP FlowSpec DDoS Attack 212.111.1.1/32 IP Protocol 17 (UDP) Packet size <= 30KB Rate-limit 5M Legitimate Traffic FlowSpec Speaker
- 56. BGP FLOWSPEC
- 57. BGP FLOWSPEC ¢ Availability: — Cisco IOS XE Release 3.15S — IOS 15.5(1)S — Cisco IOS-XR 5.2.0 — Juniper JunOS 7.3
- 58. QUESTIONS?
- 59. THANK YOU