Establishing iBGP Peerings

Lesson 1/21 | Study Time: 15 Min

Course: Ultimate BGP Labs for CCIE Enterprise Exam

Tasks

Note: You must download the file initial.bgp.zip (Check Lab0: Initial Configurations) and load "initial BGP" configurations on all routers before starting this lab.

● Configure BGP R1 - R8 routers using AS 100.

● Create a full mesh of iBGP peerings between these devices without using their Loopback0 interfaces.

● Advertise the Loopback0 prefixes of these devices into BGP.

● Ensure full IPv4 reachability for Loopback0 prefixes of R1 - R8 routers.

Configurations

R1:

enable
configure terminal
!
router bgp 100
network 170.1.1.1 mask 255.255.255.255
neighbor 177.1.0.2 remote-as 100
neighbor 177.1.0.3 remote-as 100
neighbor 177.1.0.4 remote-as 100
neighbor 177.1.0.5 remote-as 100
neighbor 177.1.58.8 remote-as 100
neighbor 177.1.67.7 remote-as 100
neighbor 177.1.146.6 remote-as 100
!
end
!
write
!

R2:

!
enable
configure terminal
!
router bgp 100
network 170.1.2.2 mask 255.255.255.255
neighbor 177.1.0.1 remote-as 100
neighbor 177.1.0.3 remote-as 100
neighbor 177.1.0.4 remote-as 100
neighbor 177.1.0.5 remote-as 100
neighbor 177.1.37.7 remote-as 100
neighbor 177.1.58.8 remote-as 100
neighbor 177.1.146.6 remote-as 100
!
end
!
write
!

R3:

!
enable
configure terminal
!
router bgp 100
network 170.1.3.3 mask 255.255.255.255
neighbor 177.1.0.1 remote-as 100
neighbor 177.1.0.2 remote-as 100
neighbor 177.1.0.4 remote-as 100
neighbor 177.1.0.5 remote-as 100
neighbor 177.1.37.7 remote-as 100
neighbor 177.1.58.8 remote-as 100
neighbor 177.1.146.6 remote-as 100
!
end
!
write
!

R4:

!
enable
configure terminal
!
router bgp 100
network 170.1.4.4 mask 255.255.255.255
neighbor 177.1.0.1 remote-as 100
neighbor 177.1.0.2 remote-as 100
neighbor 177.1.0.3 remote-as 100
neighbor 177.1.0.5 remote-as 100
neighbor 177.1.58.8 remote-as 100
neighbor 177.1.67.7 remote-as 100
neighbor 177.1.146.6 remote-as 100
!
end
!
write
!

R5:

!
enable
configure terminal
!
router bgp 100
network 170.1.5.5 mask 255.255.255.255
neighbor 177.1.0.1 remote-as 100
neighbor 177.1.0.2 remote-as 100
neighbor 177.1.0.3 remote-as 100
neighbor 177.1.0.4 remote-as 100
neighbor 177.1.37.7 remote-as 100
neighbor 177.1.58.8 remote-as 100
neighbor 177.1.146.6 remote-as 100
!
end
!
write
!

R6:

!
enable
configure terminal
!
router bgp 100
network 170.1.6.6 mask 255.255.255.255
neighbor 177.1.0.2 remote-as 100
neighbor 177.1.0.3 remote-as 100
neighbor 177.1.0.5 remote-as 100
neighbor 177.1.58.8 remote-as 100
neighbor 177.1.67.7 remote-as 100
neighbor 177.1.146.1 remote-as 100
neighbor 177.1.146.4 remote-as 100
!
end
!
write
!

R7:

!
enable
configure terminal
!
router bgp 100
network 170.1.7.7 mask 255.255.255.255
neighbor 177.1.0.5 remote-as 100
neighbor 177.1.23.2 remote-as 100
neighbor 177.1.37.3 remote-as 100
neighbor 177.1.58.8 remote-as 100
neighbor 177.1.67.6 remote-as 100
neighbor 177.1.146.1 remote-as 100
neighbor 177.1.146.4 remote-as 100
!
end
!
write
!

R8:

!
enable
configure terminal
!
router bgp 100
network 170.1.8.8 mask 255.255.255.255
neighbor 177.1.0.1 remote-as 100
neighbor 177.1.0.2 remote-as 100
neighbor 177.1.0.3 remote-as 100
neighbor 177.1.0.4 remote-as 100
neighbor 177.1.37.7 remote-as 100
neighbor 177.1.58.5 remote-as 100
neighbor 177.1.146.6 remote-as 100
!
end
!
write
!

Verifications

The first step in any BGP configuration is always to establish peering relationships between the BGP speaking devices. Recall that because BGP does not have its own transport protocol, underlying IGP reachability must already be established to allow the TCP port 179 sessions to be successful between neighbors.

BGP is a normal TCP application, which means that a TCP client initiates the session to the TCP server with a SYN packet going to the well-known port of 179. If the BGP server is configured to accept the session, a reply with SYN/ACK comes from port 179 back to the client, going to the high port number generated by the client. If both BGP peers attempt to establish the connection at the same time, RFC 4271 (A Border Gateway Protocol 4) defines a “BGP Connection Collision Detection” mechanism, in which essentially the session originated from the device with the higher BGP router-id is maintained, and the secondary session is dropped.

The below debug output shows the step-by-step formation of the iBGP peering between R1 and R2. Note that access-list 100 is used to filter the debug output and only show the output pertinent to the BGP session between R1 and R2:

configure terminal
access-list 100 permit tcp any host 177.1.0.2
access-list 100 permit tcp host 177.1.0.2 any
do debug ip packet detail 100
router bgp 100
neighbor 177.1.0.2 remote-as 100

R1 is configured with the neighbor statement pointing toward R2, and R2 is already configured with the neighbor statement pointing toward R1. A SYN is sent from R1 to initiate the session. Notice the source port of 11712 and the destination port of 179:

IP: s=177.1.0.2 (Tunnel0), d=177.1.0.1, len 59, input feature

TCP src=179, dst=22714, seq=691696439, ack=585846238, win=16191 ACK PSH, MCI Check(109), rtype 0,

Because R2 has a neighbor statement pointing back toward the address 177.1.0.1, a reply of ACK/SYN is received, with the source port of 179 and the destination port randomly generated by R1, 11712. These two steps indicate that R1 is the client and R2 is the server:

IP: s=177.1.0.1 (local), d=177.1.0.2 (Tunnel0), len 40, sending

TCP src=179, dst=54162, seq=0, ack=1369107974, win=0 ACK RST

R1 replies with ACK, completing the 3-way TCP handshake and opening the session for BGP attribute negotiation. Only after necessary parameters are correctly negotiated, such as remote-as numbers, authentication, and address-family support, will the BGP session actually be declared up:

IP: s=177.1.0.1 (local), d=177.1.0.2 (Tunnel0), len 40, sending

TCP src=179, dst=54162, seq=0, ack=1369107974, win=0 ACK

The details of the peering negotiation between R1 and R2, such as the router-id and timers, can be seen below. The neighbor capability of “Address family IPv4 Unicast: advertised and received” means that by default, they can exchange IPv4 prefixes, but not other such as IPv6 Unicast or VPNv4/VPNv6. The details for IPv4 unicast address family show that one prefix has been received from the neighbor and one prefix has been advertised to the neighbor:

R1:

show ip bgp neighbor 177.1.0.2

BGP neighbor is 177.1.0.2, remote AS 100, internal link

BGP version 4, remote router ID 170.1.2.2

BGP state = Established, up for 00:00:38

Last read 00:00:38, last write 00:00:38, hold time is 180, keepalive interval is 60 seconds

Neighbor sessions:

1 active, is not multisession capable (disabled)

Neighbor capabilities:

Route refresh: advertised and received(new)

Four-octets ASN Capability: advertised and received

Address family IPv4 Unicast: advertised and received

Enhanced Refresh Capability: advertised and received

Multisession Capability:

Stateful switchover support enabled: NO for session 1

Message statistics:

InQ depth is 0

OutQ depth is 0

Sent Rcvd

Opens: 1 1

Notifications: 0 0

Updates: 2 2

Keepalives: 2 2

Route Refresh: 0 0

Total: 7 7

Do log neighbor state changes (via global configuration)

Default minimum time between advertisement runs is 0 seconds

For address family: IPv4 Unicast

Session: 177.1.0.2

BGP table version 11, neighbor version 11/0

Output queue size : 0

Index 1, Advertise bit 0

1 update-group member

Slow-peer detection is disabled

Slow-peer split-update-group dynamic is disabled

Sent Rcvd

Prefix activity: ---- ----

Prefixes Current: 1 1 (Consumes 84 bytes)

Prefixes Total: 5 1

Implicit Withdraw: 4 0

Explicit Withdraw: 0 0

Used as bestpath: n/a 1

Used as multipath: n/a 0

Used as secondary: n/a 0

Outbound Inbound

IP: s=177.1.0.1 (local), d=177.1.0.2 (Tunnel0), len 40, sending full packet

TCP src=179, dst=52296, seq=1025041064, ack=2957836815, win=16126 ACK

Last detected as dynamic slow peer: never

Dynamic slow peer recovered: never

Refresh Epoch: 2

Last Sent Refresh Start-of-rib: 00:00:38

Last Sent Refresh End-of-rib: 00:00:38

Refresh-Out took 0 seconds

Last Received Refresh Start-of-rib: 00:00:38

Last Received Refresh End-of-rib: 00:00:38

Refresh-In took 0 seconds

Sent Rcvd

Refresh activity: ---- ----

Refresh Start-of-RIB 1 1

Refresh End-of-RIB 1 1

Address tracking is enabled, the RIB does have a route to 177.1.0.2

Route to peer address reachability Up: 1; Down: 0

Last notification 00:00:39

Connections established 1; dropped 0

Last reset never

Interface associated: (none) (peering address in same link)

Transport(tcp) path-mtu-discovery is enabled

Graceful-Restart is disabled

SSO is disabled

The TTL of the outbound session is set to 255, because this is an iBGP session. This means that the iBGP neighbors need not be directly connected, as long as IGP reachability exists between them. EBGP sessions have a TTL of 1 by default, which means that neighbors must be directly connected, unless further configuration is applied. Also note the “Local port: 11712” and “Foreign port: 179.” These essentially mean the source and destination ports from R1’s perspective, which again enforces the notion that R1 is the client for this session and R2 is the server:

Connection state is ESTAB, I/O status: 1, unread input bytes: 0

Connection is ECN Disabled, Mininum incoming TTL 0, Outgoing TTL 255

Local host: 177.1.0.1, Local port: 179

Foreign host: 177.1.0.2, Foreign port: 52296

Connection tableid (VRF): 0

Maximum output segment queue size: 50

The following show ip bgp summary output shows a concise aggregation of all configured neighbors, with the important fields being the local AS, router-id, table size in both prefixes and memory, peer addresses, remote ASs, neighbor uptime, and number of prefixes learned:

R1:

show ip bgp summary

BGP router identifier 170.1.1.1, local AS number 100

BGP table version is 11, main routing table version 11

8 network entries using 1152 bytes of memory

8 path entries using 672 bytes of memory

2/2 BGP path/bestpath attribute entries using 320 bytes of memory

0 BGP route-map cache entries using 0 bytes of memory

0 BGP filter-list cache entries using 0 bytes of memory

BGP using 2144 total bytes of memory

BGP activity 9/1 prefixes, 9/1 paths, scan interval 60 secs

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd

177.1.0.2 4 100 16 16 11 0 0 00:08:16 1

177.1.0.3 4 100 31 33 11 0 0 00:24:57 1

177.1.0.4 4 100 30 31 11 0 0 00:24:42 1

177.1.0.5 4 100 30 30 11 0 0 00:24:24 1

177.1.58.8 4 100 30 32 11 0 0 00:23:33 1

177.1.67.7 4 100 30 32 11 0 0 00:23:41 1

177.1.146.6 4 100 29 31 11 0 0 00:24:05 1

Note that for devices running multiple address-families, such as IPv4 unicast VPNv4/VPNv6, show commands are expressed as show bgp [AFI] [SAFI] [args] , such as the show bgp ipv4 unicast summary seen below. Although the output is the same as the above show ip bgp summary , it can quickly become hard to tell what output you are viewing in larger-scale BGP deployments without this logical separation:

show bgp ipv4 unicast summary

BGP router identifier 170.1.1.1, local AS number 100

BGP table version is 11, main routing table version 11

8 network entries using 1152 bytes of memory

8 path entries using 672 bytes of memory

2/2 BGP path/bestpath attribute entries using 320 bytes of memory

0 BGP route-map cache entries using 0 bytes of memory

0 BGP filter-list cache entries using 0 bytes of memory

BGP using 2144 total bytes of memory

BGP activity 9/1 prefixes, 9/1 paths, scan interval 60 secs

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd

177.1.0.2 4 100 17 17 11 0 0 00:09:06 1

177.1.0.3 4 100 32 34 11 0 0 00:25:48 1

177.1.0.4 4 100 31 32 11 0 0 00:25:32 1

177.1.0.5 4 100 31 31 11 0 0 00:25:15 1

177.1.58.8 4 100 31 33 11 0 0 00:24:23 1

177.1.67.7 4 100 31 33 11 0 0 00:24:31 1

177.1.146.6 4 100 30 32 11 0 0 00:24:55 1

After the peering relationships are established, the actual BGP prefixes learned can be viewed in the BGP table with show ip bgp or show bgp ipv4 unicast . This output is crucial to completely understand, especially when multiple paths to the same destination exist:

R1:

show ip bgp

BGP table version is 11, local router ID is 170.1.1.1

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,

r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,

x best-external, a additional-path, c RIB-compressed,

t secondary path,

Origin codes: i - IGP, e - EGP, ? - incomplete

RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path

*> 170.1.1.1/32 0.0.0.0 0 32768 i

*>i 170.1.2.2/32 177.1.0.2 0 100 0 i

*>i 170.1.3.3/32 177.1.0.3 0 100 0 i

*>i 170.1.4.4/32 177.1.0.4 0 100 0 i

*>i 170.1.5.5/32 177.1.0.5 0 100 0 i

*>i 170.1.6.6/32 177.1.146.6 0 100 0 i

*>i 170.1.7.7/32 177.1.67.7 0 100 0 i

*>i 170.1.8.8/32 177.1.58.8 0 100 0 i

show ip route bgp

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP

a - application route

+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

170.1.0.0/32 is subnetted, 8 subnets

B 170.1.2.2 [200/0] via 177.1.0.2, 00:10:24

B 170.1.3.3 [200/0] via 177.1.0.3, 00:25:55

B 170.1.4.4 [200/0] via 177.1.0.4, 00:25:40

B 170.1.5.5 [200/0] via 177.1.0.5, 00:25:22

B 170.1.6.6 [200/0] via 177.1.146.6, 00:25:06

B 170.1.7.7 [200/0] via 177.1.67.7, 00:24:51

B 170.1.8.8 [200/0] via 177.1.58.8, 00:24:50

One of the most important fields in the above outputs is the next-hop value. Note that this field is set to the peering address for the neighbor from which the route is learned. For example, the prefix 170.1.7.7/32 is via the next-hop 177.1.67.7. To reach this prefix, a recursive lookup must now be performed on the next-hop until an outgoing interface is found:

show ip route 170.1.7.7

Routing entry for 170.1.7.7/32

Known via "bgp 100", distance 200, metric 0, type internal

Last update from 177.1.67.7 00:25:28 ago

Routing Descriptor Blocks:

* 177.1.67.7, from 177.1.67.7, 00:25:28 ago

Route metric is 0, traffic share count is 1

AS Hops 0

MPLS label: none

show ip route 177.1.67.7

Routing entry for 177.1.67.0/24

Known via "eigrp 100", distance 90, metric 3072, type internal

Redistributing via eigrp 100

Last update from 177.1.146.6 on GigabitEthernet0/2, 01:24:13 ago

Routing Descriptor Blocks:

* 177.1.146.6, from 177.1.146.6, 01:24:13 ago, via GigabitEthernet0/2

Route metric is 3072, traffic share count is 1

Total delay is 20 microseconds, minimum bandwidth is 1000000 Kbit

Reliability 255/255, minimum MTU 1500 bytes

Loading 1/255, Hops 1

R1#show ip route 177.1.146.6

Routing entry for 177.1.146.0/24

Known via "connected", distance 0, metric 0 (connected, via interface)

Redistributing via eigrp 100

Routing Descriptor Blocks:

* directly connected, via GigabitEthernet0/2

Route metric is 0, traffic share count is 1

In the above case, recursion toward 170.1.7.7/32 continues until the outgoing interface GigabitEthernet0/2 is found. Note that unless route-recursion toward the next-hop of a BGP prefix is successful, the route cannot be considered for best path selection, which also implies that it cannot be installed in the IP routing table or advertised to any other BGP peer. This issue will be explored in detail in the coming tasks.

Also note that in this task, a full-mesh of iBGP peerings is established. This is because of the design requirement that an iBGP learned route cannot be advertised to another iBGP neighbor to prevent routing loops, unless exceptions such as route-reflection or confederation are implemented. The result is that the only routes advertised to the other BGP peers are the local Loopback0 prefixes, but not any of the routes learned from the other neighbors. This also implies that in this design, if any individual peering breaks, connectivity between prefixes advertised by those peers also breaks:

show ip bgp neighbors 177.1.0.2 advertised-routes

BGP table version is 11, local router ID is 170.1.1.1

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,

r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,

x best-external, a additional-path, c RIB-compressed,

t secondary path,

Origin codes: i - IGP, e - EGP, ? - incomplete

RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path

*> 170.1.1.1/32 0.0.0.0 0 32768 i

Total number of prefixes 1

Previous Lesson Next Lesson