Categories
CCNP Enterprise Core (350-401) Cisco Revision Topics Routing

BGP Path Attributes: Accumulated Interior Gateway Protocol

AIGP, Accumulated Interior Gateway Protocol, is an optional non-transitive path attribute that is included with advertisements throughout an AS. It is the fourth step in the BGP best-path selection, evaluated after ‘Locally Originated via Network or Aggregate Advertisement’.

Interior Gateway Protocols such as OSPF and EIGRP use the lowest path metric to identify the shortest path to a destination, but they cannot scale to the same magnitude as BGP.

AIGP gives BGP the ability to maintain and compute a path metric in an environment that spans multiple ASs, each with its own IGP routing domain.

There are some guidelines to AIGP metrics:

  • A path with an AIGP metric is preferred to a path without one
  • If the next-hop address requires a recursive look-up, the AIGP metric must include the distance to the next-hop address. The effective metric is the original AIGP metric plus the AIGP metric to the next hop
  • A path with a lower AIGP metric is preferred
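The three guidelines above, worked through in code. This is an added example written for these notes, not Cisco code or output; the Path class, its field names and the sample paths are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Path:
    """One candidate path for a prefix. Field names are this example's own."""
    name: str
    aigp: Optional[int] = None        # AIGP metric in the received advertisement; None if absent
    recursive_next_hop: bool = False  # True when the next hop must itself be resolved
    next_hop_aigp: int = 0            # AIGP metric to reach that next hop (used only when recursive)

def effective_aigp(path: Path) -> Optional[int]:
    """Guideline 2: a recursive next hop adds the distance to the next hop to the metric."""
    if path.aigp is None:
        return None
    if path.recursive_next_hop:
        return path.aigp + path.next_hop_aigp
    return path.aigp

def aigp_best(paths: list[Path]) -> Optional[Path]:
    """Return the path the AIGP step selects, or None when AIGP cannot decide.

    Guideline 1: any path carrying AIGP is preferred over every path without it.
    Guideline 3: among paths with AIGP, the lowest effective metric wins.
    A tie between AIGP paths (or no AIGP path at all) returns None, meaning the
    next best-path step has to decide.
    """
    with_aigp = [p for p in paths if p.aigp is not None]
    if not with_aigp:
        return None
    ranked = sorted(with_aigp, key=effective_aigp)
    best = ranked[0]
    if len(ranked) > 1 and effective_aigp(ranked[1]) == effective_aigp(best):
        return None
    return best

if __name__ == "__main__":
    # Constructed sample paths, not data from any real router.
    candidates = [
        Path("via-R1"),                                                       # no AIGP at all
        Path("via-R2", aigp=30),                                              # directly connected next hop
        Path("via-R3", aigp=20, recursive_next_hop=True, next_hop_aigp=15),  # 20 + 15 = 35
    ]
    chosen = aigp_best(candidates)
    print(chosen.name, effective_aigp(chosen))  # via-R2 30
```

Note that via-R3 carries the lowest advertised AIGP (20) but loses once the recursive next-hop distance is added, which is exactly the case the second guideline exists for.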


BGP Communities

BGP communities provide additional capability by tagging routes, allowing BGP policy to be modified on other routers upstream or downstream.

BGP communities are an optional transitive BGP attribute that can travel from AS to AS on a route.

The BGP community itself is a 32-bit integer that is included with a route. Routers display it either as a single 32-bit number or as two 16-bit numbers in the format x:y. The x:y format is known as the new format.

Private BGP communities typically follow a convention where the first 16 bits of the new format are the originating AS number, and the second 16 bits represent a pattern defined by the originating AS. The community pattern can vary between organisations, but they do not need to be registered or published.

RFC 4360 expanded BGP communities by adding the extended format. Extended BGP communities provide a structured format for carrying different kinds of information and are commonly used for VPN services.

RFC 8092 additionally provides support for communities larger than 32 bits.

Enabling BGP Community Support

On Cisco IOS and IOS XE routers, community advertisement is not enabled by default. It is enabled per neighbour with the following command:

neighbor 1.2.3.4 send-community

An optional keyword on this command selects which community types are sent: standard, extended, or both. If no keyword is specified, standard is used by default.

Conditional Matching with BGP Communities

Matching on BGP communities in a conditional statement lets a router control which routes are advertised to neighbours and which routes are accepted inbound from neighbours.

To conditionally match a route based on its community, a community list is created and then referenced from a route-map. An example of the commands is:

ip community-list 10 standard permit 123:456

route-map CHECK-COMMUNITY deny 10
 match community 10

router bgp 65164
 address-family ipv4 unicast
  neighbor 192.168.5.2 route-map CHECK-COMMUNITY in

Well Known Communities

RFC 1997 defines a set of well known communities that use the range 4,294,901,760 to 4,294,967,295.

All routers that implement BGP must also implement well-known communities. Examples of three well known communities are:

Internet

This well-known community identifies routes that should be advertised out to the internet. In larger enterprise BGP networks, routes that are meant to reach the internet should have this community set. It acts as a safeguard on the edge BGP routers, which can be configured to advertise only routes carrying the ‘Internet’ tag to the internet. Additional configuration is required for this to work on the edge BGP routers – it is not automatic.

No_Advertise

Routes with the No_Advertise community set should not be advertised to any BGP peer, iBGP or eBGP.

No_Export

Routes with the No_Export community set should not be advertised to any eBGP peer. The route is still advertised to iBGP peers.

Private Communities

A private community can be set through a route-map using the set community keywords. Any communities previously set on the route are overwritten, unless the additive keyword is used to keep them.
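The community format conversion, the community-list and route-map matching shown in the configuration above, and the set community / additive behaviour, modelled in one place. This is an added example for these notes, not Cisco code: the function names, the list and route-map data structures and the sample community values are all constructed. It assumes the Cisco standard community-list rule that an entry matches when every community it lists is present on the route, and the implicit deny at the end of a route-map.

```python
import re

# RFC 1997 well-known range, 4,294,901,760 to 4,294,967,295 (0xFFFF0000 to 0xFFFFFFFF).
WELL_KNOWN_RANGE = (0xFFFF0000, 0xFFFFFFFF)
# Two RFC 1997 well-known values, named after the headings above.
WELL_KNOWN_NAMES = {0xFFFFFF01: "No_Export", 0xFFFFFF02: "No_Advertise"}

def parse_community(text: str) -> int:
    """Accept a community either as a plain 32-bit integer or in new format x:y."""
    m = re.fullmatch(r"(\d{1,5}):(\d{1,5})", text)
    if m:
        high, low = int(m.group(1)), int(m.group(2))
        if high > 0xFFFF or low > 0xFFFF:
            raise ValueError(f"each half of {text!r} must fit in 16 bits")
        return (high << 16) | low
    value = int(text)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"{text!r} is not a 32-bit community value")
    return value

def format_new(value: int) -> str:
    """Render a 32-bit community in new format x:y (x is the originating AS by convention)."""
    return f"{value >> 16}:{value & 0xFFFF}"

def is_well_known(value: int) -> bool:
    return WELL_KNOWN_RANGE[0] <= value <= WELL_KNOWN_RANGE[1]

def community_list_matches(entries, route_communities) -> bool:
    """Standard community list: entries are (action, [communities]) checked top-down.
    An entry matches when every community it lists is present on the route; the first
    matching entry decides (permit -> True, deny -> False). No match -> False."""
    present = set(route_communities)
    for action, required in entries:
        if set(required) <= present:
            return action == "permit"
    return False

def route_map_permits(sequences, community_lists, route_communities) -> bool:
    """Route-map sequences are (action, community_list_id or None). A sequence with no
    match clause matches every route. The first matching sequence decides; a route that
    matches no sequence is dropped by the implicit deny at the end of the route-map."""
    for action, clist in sequences:
        if clist is None or community_list_matches(community_lists[clist], route_communities):
            return action == "permit"
    return False

def set_community(existing, new, additive: bool = False) -> set:
    """'set community' replaces the route's communities unless 'additive' is used."""
    return set(existing) | set(new) if additive else set(new)

if __name__ == "__main__":
    # Constructed example mirroring the configuration above: deny routes tagged 123:456.
    lists = {10: [("permit", [parse_community("123:456")])]}
    check_community = [("deny", 10), ("permit", None)]  # the permit keeps every other route
    tagged = {parse_community("123:456"), 0xFFFFFF01}
    print(route_map_permits(check_community, lists, tagged))                              # False
    print(route_map_permits(check_community, lists, {parse_community("65000:100")}))      # True
    print(format_new(0xFFFFFF01), is_well_known(0xFFFFFF01))                              # 65535:65281 True
    print(sorted(set_community({parse_community("65000:100")}, {0xFFFFFF01}, additive=True)))
```

The route-map in the configuration above contains only the deny sequence. Because a route-map ends with an implicit deny, a route-map written that way drops every route, which is why the sample adds a second sequence with no match clause to permit the rest.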


BGP Access Control Lists

Access Control Lists, ACLs, are traditionally used for basic filtering of network packets passing through a router's interface. They can also provide classification for a number of other router features, such as identifying particular networks in a routing protocol like BGP.

An ACL consists of Access Control Entries, ACEs. Each entry identifies the network, the ports, and the action to be taken against that network. Evaluation begins at the top of the access control list and works down until a matching entry is found. At the bottom of every access control list is a hidden ‘deny all’ access control entry.

Access control lists are separated into two categories: standard access control lists and extended access control lists.

Standard Access Control Lists

Standard access control lists match rules based only on the source network.

Standard access control lists are defined with a number from 1 to 99 or from 1300 to 1999, or as a named ACL.

A standard access control list can be defined using the command ip access-list standard followed by the relevant ACL number or name.

Extended Access Control Lists

Extended access control lists match rules based on the source network, destination network, packet protocol, network port, or a combination of these attributes.

Extended access control lists use a number from 100 to 199 or from 2000 to 2699, or a named ACL.

An extended access control list can be defined using the command ip access-list extended followed by the relevant ACL number or a chosen name.

ACL Use With Interior Routing Protocols

Access control lists can be used with routing protocols and their network selection. The source fields of the access control list are used to identify the network, and the destination fields identify the smallest prefix length in the network range.

Examples

permit ip any any – Permits all networks

permit ip host 192.168.0.0 host 255.255.0.0 – Permits all networks in the 192.168.0.0/16 range

permit ip host 192.168.0.0 host 255.255.255.0 – Permits all networks in the 192.168.0.0/24 range

permit ip host 192.168.0.1 any – Permits only the host address 192.168.0.1

ACL Use With Border Gateway Protocol

Access control list behaviour differs for BGP compared with the IGP routing protocols: the source field matches the network portion of the route, and the destination field matches the network mask.

Examples

permit ip 192.168.0.0 0.0.0.0 255.255.0.0 0.0.0.0 – Matches only the 192.168.0.0/16 network

permit ip 192.168.0.0 0.0.255.0 255.255.255.0 0.0.0.0 – Matches any 192.168.X.0 network with a prefix length of /24 (or subnet mask of 255.255.255.0)

permit ip 192.168.0.0 0.0.255.255 255.255.255.0 0.0.0.255 – Matches any 192.168.X.X network with a /24 to /32 prefix length

permit ip 192.168.0.0 0.0.255.255 255.255.255.128 0.0.0.127 – Matches any 192.168.X.X network with a /25 to /32 prefix length
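To make the wildcard-mask semantics of the BGP examples above concrete, here is an evaluator that parses extended ACEs and applies them to a BGP prefix with the BGP rule: source field against the network address, destination field against the subnet mask. This is an added example for these notes, not Cisco code; the function names and the sample prefixes are constructed, and it covers only the permit/deny ip form with any, host, or address-plus-wildcard fields. The IGP behaviour described in the earlier section is not modelled.

```python
import ipaddress

def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def _wildcard_match(value: int, pattern: int, wildcard: int) -> bool:
    """Cisco wildcard mask: a 1 bit means 'do not care', a 0 bit must match exactly."""
    care = ~wildcard & 0xFFFFFFFF
    return (value & care) == (pattern & care)

def parse_ace(ace: str):
    """Parse 'permit|deny ip <source> <destination>' where each side is 'any',
    'host A.B.C.D', or 'A.B.C.D W.W.W.W' (address followed by wildcard).
    Returns (action, src, src_wildcard, dst, dst_wildcard) as integers."""
    tokens = ace.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
        raise ValueError(f"unsupported ACE: {ace!r}")
    rest = tokens[2:]

    def take_field():
        nonlocal rest
        if rest[0] == "any":
            rest = rest[1:]
            return 0, 0xFFFFFFFF          # every bit is 'do not care'
        if rest[0] == "host":
            addr, rest = _addr(rest[1]), rest[2:]
            return addr, 0                # every bit must match
        addr, wildcard, rest = _addr(rest[0]), _addr(rest[1]), rest[2:]
        return addr, wildcard

    src, src_wc = take_field()
    dst, dst_wc = take_field()
    if rest:
        raise ValueError(f"trailing tokens in ACE: {ace!r}")
    return tokens[0], src, src_wc, dst, dst_wc

def bgp_acl_permits(acl: list[str], prefix: str) -> bool:
    """Evaluate a BGP route such as '192.168.5.0/24' against an ACL using the BGP
    semantics: the source field is compared with the network portion and the
    destination field with the subnet mask. Entries are checked top-down and the
    first match decides; a route matching no entry hits the implicit deny."""
    net = ipaddress.IPv4Network(prefix, strict=True)
    network, mask = int(net.network_address), int(net.netmask)
    for ace in acl:
        action, src, src_wc, dst, dst_wc = parse_ace(ace)
        if _wildcard_match(network, src, src_wc) and _wildcard_match(mask, dst, dst_wc):
            return action == "permit"
    return False

if __name__ == "__main__":
    # The four entries from the examples above, each tried alone against constructed prefixes.
    examples = {
        "permit ip 192.168.0.0 0.0.0.0 255.255.0.0 0.0.0.0": ["192.168.0.0/16", "192.168.5.0/24"],
        "permit ip 192.168.0.0 0.0.255.0 255.255.255.0 0.0.0.0": ["192.168.5.0/24", "192.168.5.128/25"],
        "permit ip 192.168.0.0 0.0.255.255 255.255.255.0 0.0.0.255": ["192.168.5.128/25", "192.168.4.0/23"],
        "permit ip 192.168.0.0 0.0.255.255 255.255.255.128 0.0.0.127": ["192.168.5.0/24", "192.168.5.77/32"],
    }
    for ace, prefixes in examples.items():
        for p in prefixes:
            print(f"{ace:<62} {p:<18} {bgp_acl_permits([ace], p)}")
```

Running it shows each ACE permitting the first prefix listed and denying the second, which is a quick way to check an ACL before attaching it to a BGP neighbour.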


BGP Route Summarisation

Summarisation reduces the number of routes presented, which reduces the router resources required to run the BGP process and shrinks the overall size of the BGP table.

By summarising routes, route flaps from downstream routers can be hidden from BGP advertisements, providing stability.

There are two main techniques for summarising routes:

Static

Create a static route with a destination next-hop of Null0, and then advertise that prefix out of BGP with the network statement.

The summary route is always advertised, even when none of the summarised networks are available.

Dynamic

An aggregate network prefix is configured, and once routes matching that aggregate prefix are present in the BGP table, the summarised/aggregated prefix is entered into the BGP table. The next hop of this route is set to Null0 to prevent routing loops.

Aggregate Routes

Dynamic aggregate route summarisation is accomplished with the command aggregate-address 192.168.0.0 255.255.0.0, with the optional keywords summary-only and as-set.

Without the summary-only suffix, both the non-summarised routes and the summarised route are advertised from the BGP table. To advertise only the aggregated/summarised route, use the suffix summary-only.

Atomic Aggregate

Aggregated routes act like brand new BGP routes with a shorter prefix length. When being advertised as a summarised route, BGP does not advertise the AS_Path information from prior to the summarisation. The same is true for the MED and BGP communities.

The ‘Atomic Aggregate’ attribute is a flag that indicates to other routers that a loss of path information has occurred.

To keep this AS_Path history, use the suffix as-set on the aggregate-address command.
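A small model of the dynamic aggregate-address behaviour described in this section, covering the Null0 next hop, the summary-only suppression, and the difference between losing the AS_Path (Atomic Aggregate set) and keeping it with as-set. This is an added example for these notes, not Cisco code; the BgpRoute class, its field names and the sample routes are constructed. It models the local table only and does not model the MED or community handling.

```python
from dataclasses import dataclass, field
import ipaddress

@dataclass
class BgpRoute:
    """A BGP table entry. Field names are this example's own."""
    prefix: str
    as_path: list = field(default_factory=list)  # ordered AS_SEQUENCE as received
    next_hop: str = ""
    as_set_members: frozenset = frozenset()      # unordered AS_SET carried by an aggregate
    atomic_aggregate: bool = False
    suppressed: bool = False                     # in the table but not advertised (summary-only)

def aggregate_address(table: list, aggregate: str, summary_only: bool = False, as_set: bool = False):
    """Model the dynamic behaviour of aggregate-address.

    The aggregate is installed (next hop Null0) only while at least one more-specific
    route inside it exists in the table. Without as-set the aggregate is a new locally
    originated route whose AS_Path history is lost, so Atomic Aggregate is flagged;
    with as-set the contributing AS numbers are kept in an AS_SET and the flag is not set.
    summary-only suppresses the contributing routes from being advertised.
    Returns the aggregate route, or None when nothing contributed to it.
    """
    agg_net = ipaddress.IPv4Network(aggregate)
    contributors = [
        r for r in table
        if ipaddress.IPv4Network(r.prefix) != agg_net
        and ipaddress.IPv4Network(r.prefix).subnet_of(agg_net)
    ]
    if not contributors:
        return None
    if summary_only:
        for r in contributors:
            r.suppressed = True
    if as_set:
        members = frozenset(asn for r in contributors for asn in r.as_path)
        agg = BgpRoute(aggregate, next_hop="Null0", as_set_members=members)
    else:
        agg = BgpRoute(aggregate, next_hop="Null0", atomic_aggregate=True)
    table.append(agg)
    return agg

def advertised_prefixes(table: list) -> list:
    """Prefixes this router would advertise: everything not suppressed, sorted."""
    return sorted(r.prefix for r in table if not r.suppressed)

def sample_table() -> list:
    """Constructed routes, not taken from any real network."""
    return [
        BgpRoute("192.168.1.0/24", as_path=[65001], next_hop="10.0.0.1"),
        BgpRoute("192.168.2.0/24", as_path=[65002, 65003], next_hop="10.0.0.2"),
        BgpRoute("172.16.0.0/24", as_path=[65004], next_hop="10.0.0.3"),
    ]

if __name__ == "__main__":
    table = sample_table()
    agg = aggregate_address(table, "192.168.0.0/16", summary_only=True, as_set=True)
    print(agg.next_hop, sorted(agg.as_set_members), agg.atomic_aggregate)  # Null0 [65001, 65002, 65003] False
    print(advertised_prefixes(table))                                     # ['172.16.0.0/24', '192.168.0.0/16']
```

Re-running aggregate_address without as-set returns an aggregate with an empty AS_SET and atomic_aggregate set to True, and without summary-only the two /24 contributors stay in the advertised list alongside the /16.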