External BGP Configuration

Module Introduction

Before you start the hands-on part of this module, you should load the appropriate configuration and verify that the testbed is up and running by executing the corresponding robot file:

student@tour:~/trainings_resources/robot$ robot bgp_ebgp/bgp_ebgp_setup.robot

Configuring Local BGP Setting

The RBFS implementation of BGP uses two daemons for handling BGP-related processing:

  • The bgp.iod is the input/output daemon which establishes and maintains the BGP peering and is responsible for sending and receiving BGP packet.

  • The bgp.appd is an application daemon that is responible for best path selection.

Before configuring a BGP peer, we will configure a few general parameters that define the local BGP speaker:

  • BGP Hostname

  • BGP Domain name

  • BGP AS number

  • Router ID

  • Address Families (e.g., IPv4 unicast, IPv6 unicast, etc.)

  • BGP Timers (holdtime, keepalive time)

  • Protocol Preference

All of these options are configured using the set instance <instance> protocol bgp hierarchy.

Exercise 1: BGP Node Configuration

Configure BGP in instance default with ASN 64501 and appropriate values for hostname and router ID. BGP should support IPv4 Unicast only. Also configure keepalive time of 10sec and holdtime of 30s.

Click to reveal the answer 
cfg> set instance default protocol bgp hostname R1
cfg> set instance default protocol bgp local-as 64501
cfg> set instance default protocol bgp router-id 192.168.0.1
cfg> set instance default protocol bgp timer hold-time 30
cfg> set instance default protocol bgp timer keepalive 10
cfg> set instance default protocol bgp address-family ipv4 unicast
cfg> commit

The correct setting can be verified using the command

cfg> show bgp summary
Instance: default
  General information
    Hostname: R1, Domain name:
    Local AS: 64501, Version: 4
    Local preference: 100, eBGP Protocol preference: 20, iBGP Protocol preference: 200    (1)
    Router ID: 192.168.0.1, Cluster ID: 192.168.0.1
  Capabilities
    Route refresh: True, AS4: True, Graceful restart: False
  Best route selection
    Always compare MED: False, Ignore as path: False
    Ignore local preference: False, Ignore origin: False
    Ignore MED: False, Ignore route source: False
    Ignore router ID: False, Ignore uptime: True
    Ignore cluster length: False, Ignore peer IP: False
    Route select parameter: 0
  Timers
    Connect retry: 30s, Keepalive: 10s, Holdtime: 30s
  Statistics
    Peers configured: 0, Peers auto discovery: 0
      Peers in idle          : 0
      Peers in connect       : 0
      Peers in active        : 0
      Peers in opensent      : 0
      Peers in openconfirm   : 0
      Peers in established   : 0
1 The default value for protocol preference is 20 (eBGP) and 200 (iBGP).
The protcol preference defines the priority that the ribd uses to select routes from different route sources. The smaller numerical value wins. In general, the iBGP protocol preference should be worse than the IGP protocol preference. Both parameters can be modified using the set instance default protocol bgp protocol-preference external|internal <value> command.

Configuring BGP Peering

Now that we have configured some local parameters, we want to setup external BGP peerings to neighboring routers. We use the following setup:

ebgp lab
Figure 1. External BGP Lab Setup

The BGP peers must manually be defined as there is no auto-detection of neighbors.

As different autonomous systems usually belong to different organizations, there is no IGP running between them. This implies that the eBGP peering configuration most often uses the IP addresses of the directly connected interface between the two BGP peers.

BGP has many different attributes that can be associated with a BGP peer, e.g.

  • BGP peer IP address

  • AS number of remote peer

  • Authentication

  • Supported Address Families

  • Nexthop settings

  • TTL value (eBGP only)

  • Policies to filter and modify BGP routes

  • Prefix limits

  • BFD Session Parameteres

By default, external BGP messages are sent with TTL of 1, i.e., the BGP peers must be directly connected. If you want to setup a BGP peering between nodes that are not directly connected or between two loopback interfaces, you need to modify the TTL setting with the multihop option.

Depending on your peering rules, a lot of these settings are shared by multiple BGP peers. Thus, BGP defines the concept of BGP Peer Groups, which is a template of BGP settings that is defined once and then applied to one or more BGP peers. The BGP peer groups are defined in the set instance <instance> protocol bgp peer-group <pgname>.

Exercise 2: eBGP Peer Configuration

Configure TCP Authentication under set instance default tcp authentication with key-id 1, password rtbrick and type HMAC-SHA-256-128.

Afterwards configure two peer groups and two peers according to the following table:

Peer Peer Group Peer Address Peer AS Address Family

R2

ISP2

172.16.0.2

64502

IPv4 Unicast

R3

ISP3

172.16.0.6

64503

IPv4 Unicast
Click to reveal the answer 
cfg> set instance default tcp authentication BGP type HMAC-SHA-256-128
cfg> set instance default tcp authentication BGP key1-id 1
cfg> set instance default tcp authentication BGP key1-plain-text rtbrick
cfg> set instance default protocol bgp peer ipv4 172.16.0.2 172.16.0.1 authentication-id BGP
cfg> set instance default protocol bgp peer ipv4 172.16.0.2 172.16.0.1 peer-group ISP2
cfg> set instance default protocol bgp peer ipv4 172.16.0.6 172.16.0.5 authentication-id BGP
cfg> set instance default protocol bgp peer ipv4 172.16.0.6 172.16.0.5 peer-group ISP3
cfg> set instance default protocol bgp peer-group ISP2 remote-as 64502
cfg> set instance default protocol bgp peer-group ISP2 address-family ipv4 unicast
cfg> set instance default protocol bgp peer-group ISP3 remote-as 64503
cfg> set instance default protocol bgp peer-group ISP3 address-family ipv4 unicast
cfg> commit

If everything is configured correctly, you should see two BGP peers:

cfg> show bgp peer
Instance: default
  Peer            Remote AS    State         Up/Down Time           PfxRcvd     PfxSent
  R2              64502        Established   0d:20h:00m:09s         6           6
  R3              64503        Established   0d:20h:00m:25s         6           6
Exercise 3: BGP Peer Details

You have successfully setup two BGP sessions. Use the show bgp peer command to get some more details on the BGP session to R3.

  • What is the peers keepalive and holddown timer set to? Which value is used on the session?

  • What BGP address families does R3 support?

Click to reveal the answer 
cfg> show bgp peer R3
Peer: R3, Peer IP: 172.16.0.6, Remote AS: 64503, Local: 172.16.0.5, Local AS: 64501, Any AS: False
  Type: ebgp, State: Established, Up/Down Time:
  Discovered on interface: -
  Last transition: Wed Mar 29 11:16:13 GMT +0000 2023, Flap count: 0
  Peer ID        : 192.168.0.3, Local ID  : 192.168.0.1
  Instance       : default, Peer group: ISP3
  6PE enabled    : False
  Timer values:
    Peer keepalive : 30s, Local keepalive: 10s             (1)
    Peer holddown  : 90s, Local holddown : 30s             (2)
    Connect retry  : 30s
  Timers:
    Connect retry timer : 0s
    keepalive timer     : expires in 734739us
    Holddown timer      : expires in 27s 283608us
  NLRIs:
    Sent           : ['ipv4-unicast']
    Received       : ['ipv4-unicast', 'ipv6-unicast']      (3)
    Negotiated     : ['ipv4-unicast']
  <...>
1 The local keepalive timer is configured to be 10sec, while the peer keepalive timer is 30sec.
2 The local holddown timer is configured to be 30sec, while R3 has the holddown timer set to 90sec.
3 The peer router supports both, IPv4 and IPv6 unicast.

In case of a mismatch the lower value is used on the session. You can verify this in the Timers section: the value after expires in will never be more than 30sec.

From the NLRI section, you can see that R3 supports IPv4 Unicast and IPv6 Unicast. While R1 is only configured for IPv4 Unicast, both peers agree on the address-families they both support.

Let’s have another look at the information that RBFS provides on the BGP peer. For sake of clarity, we will split the output in several chunks:

cfg> show bgp peer R3
Peer: R3, Peer IP: 172.16.0.6, Remote AS: 64503, Local: 172.16.0.5, Local AS: 64501, Any AS: False
  Type: ebgp, State: Established, Up/Down Time: , Reason: Cease, Sub-Code: Admin shutdown
  Discovered on interface: -
  Last transition: Wed Jul 31 07:31:43 GMT +0000 2024, Flap count: 1
  Peer ID        : 192.168.0.3, Local ID  : 192.168.0.1
  Instance       : default, Peer group: ISP3
  6PE enabled    : False
<...>

In the above output, the second line shows the current status of the BGP Finite State Machine (Established). Additionally, information about the latest transition is provided. In our example, a BGP NOTIFICATION message was sent or received. NOTIFICATION messages contain an error code and a sub-error code to provide additional information. In this particular example, a NOTIFICATION with error code CEASE was generated, which is sent when a BGP peer closes its BGP connection without a fatal error. The error subcodes usually contain more details. In this example, the peer has been administratively shut down, e.g., through a restart, configuration change, etc.

<...>
  Timer values:
    Peer keepalive : 30s, Local keepalive: 10s
    Peer holddown  : 90s, Local holddown : 30s
    Connect retry  : 30s
  Timers:
    Connect retry timer : 0s
    keepalive timer     : expires in 3s 878162us
    Holddown timer      : expires in 25s 774783us
  NLRIs:
    Sent           : ['ipv4-unicast']
    Received       : ['ipv4-unicast', 'ipv6-unicast']
    Negotiated     : ['ipv4-unicast']
<...>

In the solution to the last exercise, we already pointed out that two BGP peers must agree on common keepalive and holddown timer values. If both peers have different timers configured, then the smaller values are used.

The same is true for address families. In order to exchange routing information, both BGP peers need to agree on the intersection of supported address families.

<...>
  Capabilities:
    Addpath sent                  : None
    Addpath received              : None
    Addpath negotiated            : None
    Extended nexthop sent         : None
    Extended nexthop received     : None
    Extended nexthop negotiated   : None
    Capabilities:
      Feature                      Sent            Received        Negotiated
      Route refresh                True            True            True
      4 byte AS                    True            True            True
      Graceful restart             False           False           False
      Link local only              False           False           False
<...>

BGP is a protocol that has continually expanded its functionality since its original specification. On the one hand, it is of course useful to be able to easily add new features without having to adapt essential protocol mechanisms. On the other hand, there is the problem that two different BGP implementations may not support the same extensions. Therefore, BGP has introduced the capability negotiation. During session establishment, a BGP peer lists all the capabilities it supports in the OPEN message. If the remote side finds any capability that it does not support, it sends back a NOTIFICATION with corresponding information. This process is repeated until a both BGP peers agree on a common subset.

In this example we can see there is no mismatch of features, i.e., both BGP peers agreed to support BGP route refresh messages as well as 4-byte AS numbers on top of the original BGP specification.

It is possible to administratively disable a BGP peer without deleting the whole configuration, e.g., that way a new BGP peer can be pre-configured before it is actually connected.

cfg> show bgp peer
Instance: default
  Peer                                     Remote AS    State         Up/Down Time               PfxRcvd              PfxSent
  R2                                       64502        Established   0d:00h:00m:36s             6                    14
  R3                                       64503        Established   0d:15h:21m:04s             7                    14
cfg> set instance default protocol bgp peer ipv4 172.16.0.2 172.16.0.1 deactivate true
cfg> commit
cfg> show bgp peer
Instance: default
  Peer                                     Remote AS    State         Up/Down Time               PfxRcvd              PfxSent
  172.16.0.2                               64502        Idle          0d:00h:00m:02s             0                    0
  R3                                       64503        Established   0d:15h:21m:20s             7                    14

BGP Route Tables

Now that we have established some BGP peerings, we need to understand how BGP peers exchange route update messages and how they are processed.

bgp route processing
Figure 2. BGP Route Processing in RBFS

BGP UPDATE messages received from a BGP neighbor are stored in a table called the RIB-IN. In BDS, the RIB-IN table name has the format <instance_name>.bgp.rib-in.afi.safi.<peer_ip>.<local_ip>, e.g., the IPv4 route updates received from R2 are stored in default.bgp.rib-in.ipv4.unicast.172.16.0.2.172.16.0.1. These tables are populated by the bgp.iod. The command show bgp rib-in can be used to view the content of the table:

cfg> show bgp rib-in ipv4 unicast peer R2
Instance: default, AFI: ipv4, SAFI: unicast
 Hostname: R2, Peer IP: 172.16.0.2
 Source IP: 172.16.0.1, Received routes: 6
    Prefix                         Next Hop                  MED        Lpref      AS Path    Status
    172.16.102.0/24                172.16.0.2                0          -          64502      Valid
    172.16.103.0/24                172.16.0.2                0          -          64502, 64503 Valid
    172.16.104.0/24                172.16.0.2                0          -          64502, 64504 Valid
    192.168.0.102/32               172.16.0.2                0          -          64502      Valid
    192.168.0.103/32               172.16.0.2                0          -          64502, 64503 Valid
    192.168.0.104/32               172.16.0.2                0          -          64502, 64504 Valid

The routes will then be passed from bgp.iod to the bgp.appd which does a BGP best path selection based on standard BGP rules. The results are stored in the BGP FIB. The corresponding BDS table is named <instance_name>.bgp.1.fib-local.afi.safi, e.g., the IPv4 BGP FIB is stored in default.bgp.1.fib-local.ipv4.unicast. In this table, all BGP route information from all peers is consolidated. The content of the BGP FIB can be retrieved by show bgp fib command:

cfg> show bgp fib ipv4 unicast
Instance: default, AFI: ipv4, SAFI: unicast
  Prefix                      Preference      Out Label            Next Hop
  172.16.102.0/24             20              -                    172.16.0.2
  172.16.103.0/24             20              -                    172.16.0.6
  172.16.104.0/24             20              -                    172.16.0.2
  192.168.0.102/32            20              -                    172.16.0.2
  192.168.0.103/32            20              -                    172.16.0.6
  192.168.0.104/32            20              -                    172.16.0.2

As BGP is not the only routing protocol running on the system, the routing information base daemon (ribd) is responsible for evaluating all the route sources (e.g., BGP, static routes, direct routes, …​) and choosing the best path which will then be installed into the RIB and used to forward traffic. The show route command is used to retrieve the information stored in the RIB.

On the other hand, bgp.appd provides the BGP FIB for route update advertisements to BGP peers. These route updates are stored in the BGP RIB-OUT. Apart from the nexthop information, all BGP peers which belong to the same peer-group will get identical BGP updates. Therefore, the BGP RIB-OUT is stored in BDS on a per peer-group basis namely <instance_name>.bgp.1.peer-group.<pgname>.afi.safi, e.g., default.bgp.1.peer-group.ISP2.ipv4.unicast. The `show bgp rib-out`is used to view the RIB-OUT table:

cfg> show bgp rib-out ipv4 unicast peer R2
Instance: default, AFI: ipv4, SAFI: unicast
  Peer: R2, Sent routes: 6
    Prefix                    MED     Lpref      Origin          Next Hop           AS Path
    172.16.102.0/24           0       -          Incomplete      -                  64501, 64502
    172.16.103.0/24           0       -          Incomplete      -                  64501, 64503
    172.16.104.0/24           0       -          Incomplete      -                  64501, 64502, 64504
    192.168.0.102/32          0       -          Incomplete      -                  64501, 64502
    192.168.0.103/32          0       -          Incomplete      -                  64501, 64503
    192.168.0.104/32          0       -          Incomplete      -                  64501, 64502, 64504
As you can see, the AS_PATH attribute is already updated in the RIB-Out with the local AS number.
Exercise 4: BGP RIB-IN

You have received the route 192.168.0.104/32 from both of your peers? Please check in which way the route received from R2 differs from the route received from R3. Which of those routes is selected as best path?

Click to reveal the answer 
cfg> show bgp rib-in ipv4 unicast peer R2 192.168.0.104/32
Instance: default, AFI: ipv4, SAFI: unicast
  Peer: R2, Received routes: 1
    192.168.0.104/32, Received path ID: 0, Next hop: 172.16.0.2
      Status: Valid
      Protocol source: bgp, Send path ID: 130982003
      AS path: 64502, 64504                      (1)
      MED: 0, Local preference: -
      Community: ['64502:1']                     (2)
      Extended community: -
      Large community: -
      Originator ID: -
      Cluster list: -
      Label: -, Last update: 0d:00h:02m:24s
  Peer: R3, Received routes: 1
    192.168.0.104/32, Received path ID: 0, Next hop: 172.16.0.6
      Status: Valid
      Protocol source: bgp, Send path ID: 198092479
      AS path: 64503, 64504                      (1)
      MED: 0, Local preference: -
      Community: ['64503:123']                   (2)
      Extended community: -
      Large community: -
      Originator ID: -
      Cluster list: -
      Label: -, Last update: 0d:00h:00m:04s

Comparing the various attributes shown in the above output, the main difference is the

1 the as-path ("64502, 64504" vs "64503, 64504") and
2 the community.

From this output we have learned that this route is originated in AS64504 which is connected to both AS64502 and AS64503.

The output of show bgp fib shows that the route from R2 is preferred.

cfg> show bgp fib ipv4 unicast 192.168.0.104/32
Instance: default, AFI: ipv4, SAFI: unicast
  Prefix: 192.168.0.104/32
    Next hop key: 0edbd854883b4fd3f4dfdf3965f11d7a3a1510885453c7b7
    Peer: None, Peer domain: None
    Route source: bgp, Send path ID: 130982003, Received path ID: None, Path hash: None
    As path: 64502, 64504, Originator ID: None, Origin: Incomplete
    Community: ['64502:1']
    Extended community: None
    Large community: None
    Cluster list: None
    IGP metric: 4294967295, Local preference: None, Multi exit discriminator: 0
    Preference: 20, External route: None, Readvertised route: None
    Route up: None
    Next hop:
      172.16.0.2, Label -
By default, BGP only selects a single best path and installs it into the BGP FIB.

If you want to use load sharing, you must enable the multipath option. The BGP multipath option is configured under the set instance <instance> protocol bgp <afi> <safi> hierarchy, i.e., it can be set on a per address-family basis.

Exercise 5: BGP Multipath

Please set the BGP multipath to 4 for IPv4 Unicast. What has changed for 192.168.0.104/32 in the BGP FIB.

Click to reveal the answer 
cfg> set instance default protocol bgp address-family ipv4 unicast multipath 4
cfg> commit
cfg> show bgp fib ipv4 unicast 192.168.0.104/32
Instance: default, AFI: ipv4, SAFI: unicast
  Prefix: 192.168.0.104/32
    Next hop key: e6c5e998e3b00a943e66690709e0d89a1676c256b4e181c8
    Peer: None, Peer domain: None
    Route source: bgp, Send path ID: 130982003, Received path ID: None, Path hash: None
    As path: 64502, 64504, Originator ID: None, Origin: Incomplete
    Community: ['64502:1']
    Extended community: None
    Large community: None
    Cluster list: None
    IGP metric: 4294967295, Local preference: None, Multi exit discriminator: 0
    Preference: 20, External route: None, Readvertised route: None
    Route up: None
    Next hop:
      172.16.0.2, Label -
    Next hop:
      172.16.0.6, Label -

Now you have two next hops because both routes are equally good.

BGP Redistribution

Unlike IGP protocols, BGP is not enabled on any interfaces. If we look at the output of the show bgp rib-out command, we notice that R1 is only advertising routes to its peers which were learned from these peers before. As a consequence, no destination within AS64501 is reachable from the outside so far.

The process of injecting non-BGP routes into the BGP tables is called redistribution just like in IGPs. In order to make routes reachable from outside our AS, we need to redistribute direct routes, static routes or routes from other dynamic protocols into BGP using the set instance <instance_name> protocol bgp address-family <afi> <safi> redistribute …​ syntax.

Exercise 6: Redistribution

Configure R1 to redistribute direct and static routes into BGP. For demonstration purposes, configure a static route for 172.16.101.0/24. Verify that both, the loopback address and the static route, are advertised to the neighboring peers.

Click to reveal the answer 
cfg> set instance default protocol bgp address-family ipv4 unicast redistribute static
cfg> set instance default protocol bgp address-family ipv4 unicast redistribute direct
cfg> set instance default static nexthop-profile NULL exit-interface null0
cfg> set instance default static route ipv4 172.16.101.0/24 unicast NULL
cfg> commit
cfg> show bgp rib-out ipv4 unicast peer R2 192.168.0.1/32
Instance: default, AFI: ipv4, SAFI: unicast
  Peer: R2, Sent routes: 1
    Prefix: 192.168.0.1/32, RD: None, Send path ID: 0, Next hop: None
      Peer: -, Peer domain: -, Route source: -, Received path ID: None, Path hash: f7cb8a23dfebdc1ba5c6e33afab4bbcb7a4a46c663c47094
      AS path: 64501, Originator ID: None, Origin: Incomplete
      Community: None, Extended community: None, Large community: None
      Cluster list: None
      IGP metric: None, Local preference: None, Multi exit discriminator: 0
      Preference: None, External route: None, Readvertised route: None
      Label: -, Last update: 0d:00h:01m:09s
As a rule, you want to hide the details of your autonomous system from the outside world. Best practice is to generate a couple of summary routes by configuring static routes with nexthop pointing to null and only redistribute these summaries into BGP.

Modifiying Path Attributes

In the last section we saw that a BGP route can have many path attributes. Some of these path attributes (e.g., local preference, AS_PATH, or MED) have a direct impact on selecting the best path, while other path attributes (e.g., community values) have no direct impact in the route selection process.

In the BGP Introduction module we created an ordered list of criteria that are evaluated when selecting the best path. To make a particular route better or worse, individual path attributes can be changed. The most flexible way to do this is with the Policy Framework, which we will introduce in detail in X.

MED and Local Preference

Some parameters such as MED or local preference can also be changed without a policy by changing the value in the BGP settings using the set instance <instance> protocol bgp local-preference|med <value> syntax. However, these settings then apply to all updates that are sent (MED for eBGP and local preference of iBGP).

Exercise 7: Modifying MED and Local_Pref

Configure R1 to set the MED value to 50 for all incoming BGP updates and the local preference to 200 for all outgoing BGP updates. Verify the correct execution.

Click to reveal the answer 
cfg> set instance default protocol bgp local-preference 200
cfg> set instance default protocol bgp med 50
cfg> commit
cfg> show bgp rib-out ipv4 unicast peer R2
Instance: default, AFI: ipv4, SAFI: unicast
  Peer: R2, Sent routes: 10
    Prefix                                  MED     Lpref      Origin          Next Hop                AS Path
    172.16.0.0/30                           50      -          Incomplete      -                       64501
    172.16.102.0/24                         50      -          Incomplete      -                       64501, 64502
    172.16.103.0/24                         50      -          Incomplete      -                       64501, 64503
<...>
cfg> show bgp rib-in ipv4 unicast peer R2
Instance: default, AFI: ipv4, SAFI: unicast
 Hostname: R2, Peer IP: 172.16.0.2
 Source IP: 172.16.0.1, Received routes: 6
    Prefix                                   Next Hop                                 MED        Lpref      AS Path    Status
    172.16.102.0/24                          172.16.0.2                               0          -          64502      Valid
    172.16.103.0/24                          172.16.0.2                               0          -          64502, 64503 Valid
<...>

We can see that all outgoing are now sent with MED of 50. However, there is no local preference attached to received updates. This is because R2 is an eBGP peer. However, we can see from the BGP process summary, that the configuration is enforced:

cfg> show bgp summary
Instance: default
  General information
    Hostname: R1, Domain name:
    Local AS: 64501, Version: 4
    Local preference: 200, eBGP Protocol preference: 20, iBGP Protocol preference: 200
<...>

AS_PATH Manipulation

We have seen that the AS number of a BGP speaker is configured via set instance <instance> protocol bgp local-as and is the same for all BGP peerings. However, in some migration scenarios it would be useful if the router could peer with its neighbors under a second ASN, e.g., because you not able to re-configure the peer router. RBFS supports to use another ASN on a per peer-group basis.

Exercise 8: Peering with another ASN

Configure a BGP peering to legacy router R5 with peer IP address 172.16.0.22. R5 uses ASN 65005 and assumes that R1 is in AS 65001. There is no authentication method uses between R1 and R5.

Click to reveal the answer 
cfg> set instance default protocol bgp peer ipv4 172.16.0.22 172.16.0.21 peer-group Old_Peer
cfg> set instance default protocol bgp peer-group Old_Peer local-as 65001
cfg> set instance default protocol bgp peer-group Old_Peer remote-as 65005
cfg> set instance default protocol bgp peer-group Old_Peer address-family ipv4 unicast
cfg> commit
cfg> show bgp peer
Instance: default
  Peer                                     Remote AS    State         Up/Down Time               PfxRcvd              PfxSent
  R2                                       64502        Established   0d:03h:16m:13s             6                    12
  R3                                       64503        Established   0d:03h:04m:13s             6                    12
  R5                                       65005        Established   0d:00h:04m:16s             2                    12
cfg> show bgp peer R5
Peer: R5, Peer IP: 172.16.0.22, Remote AS: 65005, Local: 172.16.0.21, Local AS: 65001, Any AS: False
  Type: ebgp, State: Established, Up/Down Time: , Reason: Cease, Sub-Code: Admin shutdown
  Discovered on interface: -
  Last transition: Wed Jul 31 10:31:40 GMT +0000 2024, Flap count: 1
  Peer ID        : 192.168.0.5, Local ID  : 192.168.0.1
  Instance       : default, Peer group: Old_Peer
  6PE enabled    : False
  Timer values:
    Peer keepalive : 30s, Local keepalive: 10s
    Peer holddown  : 90s, Local holddown : 30s
    Connect retry  : 30s
<...>

Now, if we look at the BGP updates which R1 sends to R5, we see that the AS_PATH attribute is updated with both AS numbers - the "global" ASN and the peer specific ASN:

cfg> show bgp rib-out ipv4 unicast peer R5
Instance: default, AFI: ipv4, SAFI: unicast
  Peer: R5, Sent routes: 12
    Prefix                                  MED     Lpref      Origin          Next Hop                AS Path
    172.16.0.0/30                           50      -          Incomplete      -                       65001, 64501
    172.16.102.0/24                         50      -          Incomplete      -                       65001, 64501, 64502
    172.16.103.0/24                         50      -          Incomplete      -                       65001, 64501, 64503
<...>

As both, ASN 65001 and AS 64501 represent the autonomous system of R1, we can suppress the propagation of ASN 64501 towards R5 by using the replace-as know in the peer-group configuration.

Exercise 9: Suppressing Global AS Number

Configure R1 to suppress ASN 64501 as part of the AS_PATH sent to R5.

Click to reveal the answer 
cfg> set instance default protocol bgp peer-group Old_Peer replace-as true
cfg> commit
cfg> show bgp rib-out ipv4 unicast peer R5
Instance: default, AFI: ipv4, SAFI: unicast
  Peer: R5, Sent routes: 12
    Prefix                                  MED     Lpref      Origin          Next Hop                AS Path
    172.16.0.0/30                           50      -          Incomplete      -                       65001
    172.16.102.0/24                         50      -          Incomplete      -                       65001, 64502
    172.16.103.0/24                         50      -          Incomplete      -                       65001, 64503
<...>

You might have noticed that the peering between R1 and R5 uses private 2-byte AS numbers. Private AS numbers are often used for peers which do not have an officially registered AS number. However, when sending updates to other BGP peers, these private AS numbers should not appear in the AS_PATH. We received an update for prefix 192.168.0.105/32 from R5. So, let’s seen how the update towards R2 looks like:

cfg> show bgp rib-out ipv4 unicast peer R2 192.168.0.105/32
Instance: default, AFI: ipv4, SAFI: unicast
  Peer: R2, Sent routes: 1
    Prefix: 192.168.0.105/32, RD: None, Send path ID: 0, Next hop: None
      Peer: -, Peer domain: -, Route source: -, Received path ID: None, Path hash: 3e61d5dfe39c0bf7a878545c4933c1f21138abe1ea9cacf9
      AS path: 64501, 65001, 65005, Originator ID: None, Origin: Incomplete
      Community: None, Extended community: None, Large community: None
      Cluster list: None
      IGP metric: None, Local preference: None, Multi exit discriminator: 50
      Preference: None, External route: None, Readvertised route: None
      Label: -, Last update: 0d:00h:19m:26s

As expected, the AS_PATH contains the private AS numbers 65005 (R5) and 65001 (R1 secondary AS number). We can remove any private AS number from the AS_PATH attribute using the remove-private-as knob in the address-family configuration of the peer group.

Exercise 10: Removing Private AS Numbers

Configure the peer groups for R2 and R3 to remove private AS numbers from the updates.

Click to reveal the answer 
cfg> set instance default protocol bgp peer-group ISP2 address-family ipv4 unicast remove-private-as true
cfg> set instance default protocol bgp peer-group ISP3 address-family ipv4 unicast remove-private-as true
cfg> commit
cfg> show bgp rib-out ipv4 unicast peer R2 192.168.0.105/32
Instance: default, AFI: ipv4, SAFI: unicast
  Peer: R2, Sent routes: 1
    Prefix: 192.168.0.105/32, RD: None, Send path ID: 0, Next hop: None
      Peer: -, Peer domain: -, Route source: -, Received path ID: None, Path hash: 793558c8dbb4924e2887105aec5502155284d544fe1f3288
      AS path: 64501, Originator ID: None, Origin: Incomplete
      Community: None, Extended community: None, Large community: None
      Cluster list: None
      IGP metric: None, Local preference: None, Multi exit discriminator: 50
      Preference: None, External route: None, Readvertised route: None
      Label: -, Last update: 0d:00h:00m:25s

We have already learned that BGP updates containing the lcoal AS number in the AS_PATH attribute are silently dropped due to loop prevention. However, sometimes an autonomous systems is split into several parts, that have no direct connection. This occurs with customers that are spread across multiple locations and are interconnected through one or more internet service providers in between. In this particular case there is a need to accept updates that include the local AS number in the AS_PATH. On a per peer basis, you can configure to accept such update using the set instance <instance> protocol bgp peer ipv4 <peer-ip> <local-ip> allow-as-in <n> command, where n defines the frequency with which the local AS number is allowed in the path.

ebgp allowasin
Figure 3. Allow-as-in Feature
Exercise 11: Accepting Local ASN in Updates

Configure the peering to router R3 in such a way that the local AS number is allowed to appear in the AS_PATH once.

Click to reveal the answer 
cfg> set instance default protocol bgp peer ipv4 172.16.0.6 172.16.0.5 allow-as-in
cfg> commit

Now let’s check the result:

cfg> show bgp rib-in ipv4 unicast peer R3
Instance: default, AFI: ipv4, SAFI: unicast
 Hostname: R3, Peer IP: 172.16.0.6
 Source IP: 172.16.0.5, Received routes: 7
    Prefix                             Next Hop              MED       Lpref        AS Path              Status
    172.16.102.0/24                    172.16.0.6            0         -            64503, 64502         Valid
    172.16.103.0/24                    172.16.0.6            0         -            64503                Valid
    172.16.104.0/24                    172.16.0.6            0         -            64503, 64504         Valid
    172.16.110.0/24                    172.16.0.6            0         -            64503, 64504, 64501  Valid  (1)
    192.168.0.102/32                   172.16.0.6            0         -            64503, 64502         Valid
    192.168.0.103/32                   172.16.0.6            0         -            64503                Valid
    192.168.0.104/32                   172.16.0.6            0         -            64503, 64504         Valid
1 Update containing AS 64501 is accepted. Compare this output with the updates received from R2 where this prefix is absent.

Summary

If you have completed the exercise, you can check the results by executing

student@tour:~/trainings_resources/robot$ robot bgp_ebgp/bgp_ebgp_verify.robot