advances bgp

Upload: arnisadoryeskrimador

Post on 01-Jun-2018


  • 8/9/2019 Advances BGP

    1/89


Advances in BGP (BRKRST-3371)

    Gunter Van de Velde

    Sr. Technical Leader


    © 2013 Cisco and/or its affiliates. All rights reserved.BRKRST-3371 Cisco Public

    What is BGP?

    Without BGP the Internet woucurrent stable and simple form

    It is the plumbing technology o

    What a Google search “bgp abbreviation” finds?

     –  Source: http://www.all-acronyms.com/BGP

    Border Gateway Protocol Bacterial Growth Potential Battlegroup Becker, Green and Pearson 

    Bermuda grass pollen Berri Gas Plant beta-glycerophosphate biliary glycoprotein 

    blood group bone gamma-carboxyglutamic acid protei… bone gamma-carboxyglutamic acid-contai… bone gla protein bone Gla-containing protein Borders Group, Inc. brain-type glycogen phosphorylase Bridge Gateway Protocol Broader Gateway Protocol Bureau de Gestion de Projet Brain Gain Program 



     Agenda

    Motivation to Enhance BGP

    Scale and Performance Enhancements What happened in BGP Landscape?

    Some new Cool features that may interest you



    BGP started in 1989…

Motivation and Development of BGP:

When the Internet grew and moved to an autonomous system (AS) mesh architecture, a stable, non-chatty and low-CPU-consuming protocol was needed to connect all of these ASes together.

In June 1989, the first version of this new routing protocol was formalized with the publishing of RFC 1105, A Border Gateway Protocol (BGP).


    Service Provider Routing and Services prog

    Multimedia, Mobile Internet and Cloud Services will generate massive bandwidth explosion

    Prefix growth is almost a linear curve

    Evolution of offered BGP services go from basic technologies to very advanced infrastructur


Control-plane Evolution: most services are progressing towards BGP

Service/transport        Before 2008      2013 and future
IDR (Peering)            BGP              BGP (IPv6)
SP L3VPN                 BGP              BGP + FRR + Scalability
SP Multicast VPN         PIM              BGP Multicast VPN
DDoS mitigation          CLI              BGP flowspec
Network Monitoring       SNMP             BGP monitoring protocol
Security                 Filters          BGP Sec (RPKI), DDoS Mitigation
Proximity                                 BGP connected app API
SP-L3VPN-DC              BGP Inter-AS     VPN4DC
Business & CE L2VPN      LDP              BGP PW Sign (VPLS)
DC Interconnect          L2VPN            BGP MAC Sign (EVPN)
MPLS transport           LDP              BGP+Label (Unified MPLS)
Data Center              OSPF/ISIS        BGP + Multipath
Massive Scale DMVPN      NHRP / EIGRP     BGP + Path Diversity
Campus/Ent L3VPN         BGP (IOS)        BGP (NX-OS)


Why is BGP so successful?

Robustness: runs over TCP
Low overhead protocol: sends an update once and then remains silent
Scalability: path vector protocol, allows full mesh
High Availability: NSR, PIC, …
Well known: tons of engineers know BGP
Simplicity: BGP is simple (even if knobs make BGP BIG and sometimes less
Multi-protocol: IPv4, IPv6, L2VPN, L3VPN, Multicast
Incremental: easy to extend: NLRI, Path Attribute, Community
Flexible: Policy


Scale & Performance Enhancements: BGP Scaling

Update Generation Enhancements
 – Update generation is the most important, time-critical task
 – It is now a separate process, to provide more CPU quantum

Parallel Route Refresh
 – Significant delay (up to 15-30 minutes) seen in advertising incremental updates while the RR is servicing rout[…] converging newly established peers
 – Refresh and incremental updates now run in parallel

Keepalive Enhancements
 – Lost or delayed keepalive messages result in session flaps
 – Hence keepalive processing is now placed into a separate process using a priority queuing mechanism

Adaptive Update Cache Size
 – Instead of using a fixed cache size, the new code dynamically adapts to the address family used, the avai[lable …] and the number of peers in an update group



Scale & Performance Enhancements

PE Scaling
 – PE-CE Optimization: in old code slow convergence was experienced with large numbers of CEs; improved by intelligently evaluating VPN prefixes based upon the prefixes in the CE's VRF
 – VRF-Based Advertise Bits: memory consumption increased when the number of VRFs on a PE was scaled up; now the advertise bit space is reused smartly per VRF

Route Reflector Scaling
 – Selective RIB Download: a Route-Reflector needs to receive the full RIB, however not all prefixes MUST be in the Forwarding Information Base. So, we now allow, by using user policy, to only download selected prefixes into the FIB

More about BGP Performance tuning in BRKRST-3321


BGP Resiliency/HA Enhancement: Slow Peer Management

Issue: slow peers in update groups block convergence of other update group members by filling message queues/transmit[…]

Persistent network issue affecting all BGP routers

Two components to the solution: Detection and Protection

Detection
 – BGP update timestamps
 – Peer's TCP connection characteristics


BGP Resiliency/HA Enhancement: Slow Peer Management

Protection
 – Move slower peers out of the update group
 – A separate slow update group with matching policies is created; any slow members are moved to the slow update group
 – Detection can be automatic or manual with CLI commands
 – Automatic recovery: slow peers are periodically checked for recovery; recovered peers rejoin the main update group
 – Isolation of slow peers unblocks faster peers and lets them converge as fast as possible
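The detection and protection steps above, as an added simulation written for this transcript (not Cisco's implementation): a peer whose oldest undrained update is older than a threshold is moved to a slow update group with the same policy, the main group's cached backlog drops as soon as that happens, and the slow group is re-checked every recovery interval so the peer rejoins once it has caught up. The threshold, the interval and the three peers are constructed values; the TCP-level signals the slide lists are not modelled.

```python
"""Slow-peer detection and isolation for a BGP update group (added simulation,
not Cisco's implementation). Detection uses update timestamps only: the age of
the oldest update a peer has not yet drained from its queue is compared with a
threshold. Threshold/interval values are constructed for the example."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple


@dataclass
class Peer:
    name: str
    unacked: Deque[float] = field(default_factory=deque)  # send timestamps not yet drained

    def oldest_age(self, now: float) -> float:
        return now - self.unacked[0] if self.unacked else 0.0


class SlowPeerManager:
    def __init__(self, peers: List[Peer], threshold: float, recovery_interval: float) -> None:
        self.main: Dict[str, Peer] = {p.name: p for p in peers}   # main update group
        self.slow: Dict[str, Peer] = {}                           # slow group, same outbound policy
        self.threshold = threshold
        self.recovery_interval = recovery_interval
        self.last_recovery_check = 0.0
        self.moves: List[Tuple[float, str, str]] = []           # audit trail of group changes

    def send_update(self, now: float) -> None:
        """Both groups format and queue the same update (identical policy)."""
        for p in list(self.main.values()) + list(self.slow.values()):
            p.unacked.append(now)

    def drain(self, name: str, count: int) -> None:
        """The peer's TCP session consumed `count` queued messages."""
        p = self.main[name] if name in self.main else self.slow[name]
        for _ in range(min(count, len(p.unacked))):
            p.unacked.popleft()

    def detect(self, now: float) -> List[str]:
        """Timestamp-based detection: oldest undrained update older than the threshold."""
        return [n for n, p in self.main.items() if p.oldest_age(now) > self.threshold]

    def run(self, now: float) -> None:
        """Protection: isolate detected peers; periodically let recovered peers rejoin."""
        for n in self.detect(now):
            self.slow[n] = self.main.pop(n)
            self.moves.append((now, n, "isolated"))
        if now - self.last_recovery_check >= self.recovery_interval:
            self.last_recovery_check = now
            recovered = [n for n, p in self.slow.items() if p.oldest_age(now) <= self.threshold]
            for n in recovered:
                self.main[n] = self.slow.pop(n)
                self.moves.append((now, n, "recovered"))

    def main_backlog(self) -> int:
        """Messages the main group must keep cached: its deepest per-peer queue."""
        return max((len(p.unacked) for p in self.main.values()), default=0)


def simulate() -> Tuple[List[Tuple[float, str, str]], List[int]]:
    """Constructed run: PE1/PE2 keep up, PE3 stalls for 12 ticks, then drains 3 per tick."""
    mgr = SlowPeerManager([Peer("PE1"), Peer("PE2"), Peer("PE3")],
                          threshold=5.0, recovery_interval=5.0)
    backlog: List[int] = []
    for t in range(20):
        now = float(t)
        mgr.send_update(now)
        mgr.drain("PE1", 1)
        mgr.drain("PE2", 1)
        if t >= 12:
            mgr.drain("PE3", 3)
        mgr.run(now)
        backlog.append(mgr.main_backlog())
    return mgr.moves, backlog


if __name__ == "__main__":
    moves, backlog = simulate()
    print(moves)      # PE3 isolated at t=6, back in the main group at t=15
    print(backlog)    # main-group backlog collapses to 0 the moment PE3 is isolated
```

The backlog list is the point of the slide: while PE3 sits in the main group its queue forces the group to keep every formatted update around, and the faster peers are held hostage; once it is moved out, the main group's backlog goes to zero and only PE3 pays for its own slowness.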


ASR1000 RP2, RP1, ASR1001 and 7200 BGP Route and Scalability Comparison - RR

• Tested with BGP selective download feature for ipv4/ipv6 for dedicated RR application. This feature prevents ipv4/ipv6 BGP routes from being installed in RIB and FIB. It reduces memory usage per ipv4/ipv6 pre[fix …] and CPU utilization
• ASR 1000 with RP1 allocates ~1.7GB to IOSd, ASR 1001 with 4GB allocates ~1.4GB to IOSd, whereas on NPE-G2 the entire 2G is used by IOS

                 7200 NPE-G2   ASR1000 RP1   ASR1001   ASR1001   ASR1001   ASR1000 RP2
                 (2GB)         (4GB)         (4GB)     (8GB)     (16GB)    (8GB)
ipv4 routes      4M            7M*           2M*       9M*       17M*      12M*
vpnv4 routes     7M            6M            2M        8M        16M       10M
ipv6 routes      2M            5M*           2M*       8M*       15M*      9M*
vpnv6 routes     6M            5M            1.5M      7.5M      14.5M     9M
BGP sessions


ASR 1000 RP1 and RP2 Convergence Performance Comparison

Tested with peer groups (1K RR clients per peer group). 7200 NPE-G2 cannot converge in the test cases below. ASR1000 RP2 converges about twice as fast as 7200 NPE-G2 based on RR customer profile testing; CPU utilization below 5% after convergence.

Link to Isocore report: http://www.cisco.com/en/US/prod/collateral/routers/ps9343/ITD13029-ASR1000-RP2Validationv1_1.pdf

Test (1M total unique routes)    Total routes reflected by RR   ASR1000 RP1 (4GB)   ASR1001 (16GB)
                                 to all clients (routes x       convergence (s)     convergence (s)
                                 number of clients)
ipv4 (1K RR clients)             1 Billion                      220                 133
vpnv4 (1K RR clients, 8K RT)     1 Billion                      680                 489
ipv6 (1K RR clients)             1 Billion                      720                 393
vpnv6 (1K RR clients, 8K RT)     1 Billion                      877                 811
ipv4 (2K RR clients)             2 Billion                      375                 270
vpnv4 (2K RR clients, 8K RT)     2 Billion                      1285                797
ipv6 (2K RR clients)             2 Billion                      1126                897
vpnv6 (2K RR clients, 8K RT)     2 Billion                      1766                1691



What Happened in XR Landscape?

Releases: 4.0, 4.1, 4.1.1, 4.2, 4.2.1, 4.2.3, 4.2.4, 4.[…]

 • Add Path Support
 • Accumulated Interior Gateway Protocol (AIGP) Metric Attribute
 • Unipath PIC for non-VPN address-families (6PE/IPv6/IPv4 Unicast)
 • RT-Constraint
 • BGP Accept Own
 • Multi-Instance/Multi-AS
 • BGP 3107 PIC Update for Global Prefixes
 • Prefix Origin Validation based on RPKI
 • PIC for RIB and FIB
 • Attribute Filtering and Error handling
 • DMZ Link Bandwidth
 • Unequal Cost Load Balancing
 • Selective V[…]
 • 6PE/6vPE o[…]
 • Next-Generation Multicast VPN


What Happened in IOS Landscape?

Releases: 15.2(1)S, 15.2(2)S, 15.2(4)S, 15.3(1)S, 15.3(2)S

 • Origin AS Validation
 • Graceful Shutdown
 • iBGP NSR
 • mVPN BGP SAFI 129
 • NSR without Route-Refresh
 • Additional Path
 • Attribute Filtering and Error Handling
 • Diverse Path
 • Graceful Shutdown
 • IPv6 client for single-hop BFD
 • IPv6 PIC Core and Edge
 • RT Constraint
 • IP Prefix export from a VRF into the global table
 • mVPNv6 Extranet Support
 • Local-AS allow-policy
 • RT/VPN-ID Attribute Rewrite
 • VRF Aware Conditional Anno[…]


What Happened in XE Landscape?

Releases: 3.8, 3.9

 • Multicast VPN BGP Dampening
 • Multiple Cluster IDs
 • VPN Distinguisher Attribute
 • IPv6 NSR
 • Local-AS Allow-policy
 • RT or VPN-ID Rewrite Wildcard
 • VRF Aware Conditional Advertisement


What Happened in NXOS Landscape?

Releases: 5.2, 6.0, 6.1, 6.2

 • Default information originate su[…]
 • Flexible distance manipulation
 • Inject map
 • Unsuppress map
 • as-format command for AS-plain
 • Enhancements for removal of enable route target import-exp[…]
 • InterAS option B-lite
 • BGP Authentication for Prefix-[…]
 • BGP AddPath
 • BGP send community both
 • BGP Neighbor AF weight command
 • BGP med confed and AS multipath-relax
 • BGP next hop self for route reflector
 • Prefix Independent Convergence (Core)
 • local-as AS Override (allowas-in)
 • Disable 4-byte AS advertisement
 • MP BGP – MPLS VPNs, 6PE, MDT



PIC Edge Feature Overview

Internet Service Providers provide strict SLAs to their Financial and Business VPN customers, where they need to offer sub-second convergence in the case of Core/Edge link or node failures in their network

Prefix Independent Convergence (PIC) has been supported in IOS for a while for CORE link failures as well as edge node failures

The BGP Best-External project provides support for advertisement of the External path to the iBGP/RR peers when the locally selected bestpath is via an internal peer

BGP PIC Unipath provides a capability to install a backup path in the forwarding table, to provide prefix independent convergence in case of a CE link failure


PIC Edge: PE-CE Link Protection

[Figure: VPN1 Site #1 (10.1.1.0/24), CE1, PE1/PE2, MPLS cloud with RR, PE3 (primary) / PE4 (backup), CE2, VPN1 Site #2; traffic flows from Site #1 to Site #2]

PE3 configured as primary, PE4 as backup
 – PE3 preferred over PE4 by local preference
 – CE2 has different RDs in VRFs on PE3 and PE4
 – PE4: advertise-best-external, to advertise route via PE4-CE2 link
 – PE3: additional-paths install, to install primary and backup path


PIC Edge: Link Protection

[Figure: same topology as above]

PE3 has primary and backup path
 – Primary via directly connected PE3-CE2 link
 – Backup via PE4 best external route

What happens when the PE3-CE2 link fails?


PIC Edge: Link Protection

[Figure: same topology as above]

CEF (via BFD or link layer mechanism) detects the PE3-CE2 link failure
 – CEF immediately swaps to the repair path label; traffic is shunted to PE4 and across the PE4-CE2 link


PIC Edge: Link Protection

[Figure: same topology as above; PE3 withdraws the route via PE3]

PE3 withdraws route via PE3-CE2 link
 – Update propagated to remote PE routers


PIC Edge: Link Protection

[Figure: same topology as above, VPN1 Site #2 is 10.2.2.0; withdraw route via PE3]

BGP on remote PEs selects new bestpath
 – New bestpath is via PE4
 – Traffic flows directly to PE4 instead of via PE3


PIC Edge: Edge Node Protection

[Figure: same topology as above]

PE3 configured as primary, PE4 as backup
 – PE3 preferred over PE4 by local preference
 – CE2 has different RDs in VRFs on PE3 and PE4
 – PE4: advertise-best-external, to advertise route via PE4-CE2 link
 – PE1: additional-paths install, to install primary and backup path


PIC Edge: Edge Node Protection

[Figure: same topology as above]

PE1 has primary and backup path
 – Primary via PE3
 – Backup via PE4 best external route

What happens when node PE3 fails?


PIC Edge: Edge Node Protection

[Figure: same topology as above; PE3's /32 host route removed from IGP]


PIC Edge: Edge Node Protection

[Figure: same topology as above; PE3's /32 host route removed from IGP]

PE1 detects loss of PE3's /32 host route in IGP
 – CEF immediately swaps the forwarding destination label from PE3 to PE4 using the backup path

BGP on PE1 computes a new bestpath later, choosing PE4


Enabling BGP PIC – Enabling IP Routing Fast Convergence

BGP PIC leverages IGP convergence: make sure the IGP converges fast

IOS-XR: IGP timers pretty much tuned by default

IOS: sample OSPF config:

 process-max-time 50
 ip routing protocol purge interface
 interface …
  carrier-delay msec 0
  negotiation auto
  ip ospf network point-to-point
  bfd interval 100 min_rx 100 mul 3
 router ospf 1
  ispf
  timers throttle spf 50 100 5000
  timers throttle lsa all 0 20 1000
  timers lsa arrival 20
  timers pacing flood 15
  passive-interface Loopback 0
  bfd all-interfaces


Enabling BGP PIC Edge: IOS-XR

Two BGP PIC Edge flavors: BGP PIC Edge Multipath and Unipath

Multipath: the re-routing router load-balances across multiple next-hops; backup paths are actively taking traffic, are active in the routing/forwarding plane, commonly found in active/active redundancy scenarios.
 – No configuration, apart from enabling BGP multipath (maximum-paths ...)

Unipath: backup path(s) are NOT taking traffic, as found in active/standby scenarios

 route-policy backup
  ! Currently, only a single backup path is supported
  set path-selection backup 1 install [multipath-protect] [advertise]
 end-policy

 router bgp ...
  address-family ipv4 unicast
   additional-paths selection route-policy backup
  !
  address-family vpnv4 unicast
   additional-paths selection route-policy backup
  !


Enabling BGP PIC Edge: IOS

As in IOS-XR, PIC Edge with multipath requires no additional config

PIC Edge unipath needs to be enabled explicitly ...

 router bgp ...
  address-family ipv4 [vrf ...]
    or
  address-family vpnv4
   bgp additional-paths install

... or implicitly when enabling best external

 router bgp ...
  address-family ipv4 [vrf ...]
    or
  address-family vpnv4
   bgp advertise-best-external

http://www.cisco.com/en/US/docs/ios/iproute_bgp/configuration/guide/irg_bgp_mp_pic.htm
http://www.cisco.com/en/US/docs/ios/ios_xe/iproute_bgp/configuration/guide/irg_best_exte


Question: How will my PEs learn about the alternate paths?

By default my RR only reflects the best route

[Figure: PE2 and PE3 both reach prefix Z via their E0 interface and advertise it to the RR as NH:PE2, P:Z and NH:PE3, P:Z; the RR reflects only NH:PE2, P:Z to PE1, so PE1 knows prefix Z via PE2 only]

Diverse BGP Path Distribution


Diverse BGP Path Distribution: Shadow Session

Easy deployment – no upgrade of any existing router is required, just an extra iBGP session per each extra path (CLI knob in RR1)

The diverse iBGP session announces the 2nd best path

[Figure: RR1 runs a normal session and a diverse (shadow) session to PE1; PE1 receives NH:PE2, P:Z on the normal session and NH:PE3, P:Z on the diverse session, so it has prefix Z via PE2 and via PE3]


BGP Add-Path

Add-Path will signal diverse paths, from 2 to X paths

Requires all Add-Path receiving BGP routers to support the Add-Path capability

[Figure: RR1 sends PE1 both NH:PE2, P:Z (AP 1) and NH:PE3, P:Z (AP 2) on one session; PE1 has prefix Z via PE2 and via PE3]


BGP Add-path flavors

IETF defines 5 flavors of Add-x-Path. 2 are implemented by Cisco:

 – Add-n-path: with add-n-path the route reflector will do best path computation and send the n best paths to BR/PE. Use case: Primary + n-1 Backup scenario (n is at most 2 for IOS-XR and 3 for IOS).
 – Add-all-path: with add-all-path, the route reflector will do the primary best path (only on the first path) and then send all paths to BR/PE. Use case: Large DC ECMP load balancing, hot potato routing scenario


Add-path: selecting second best

Simple rule:
1. Select best
2. Remove all paths whose next-hop == best's (including best)
3. Run bestpath selection again on the remaining paths to select the backup
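The three-step rule above, as an added Python example written for this transcript (not Cisco code): a reduced bestpath comparison (local preference, AS-path length, origin, MED, IGP cost, router-id; an assumption that leaves out weight and the per-neighbour-AS MED rule) plus the add-n-path loop, which removes every path sharing the best's next-hop before re-running selection. select_all_paths shows the add-all-path flavor from the previous slide for contrast. The four sample paths for prefix Z are constructed.

```python
"""Add-path backup selection ('select second best'), added example, not Cisco
code. The bestpath comparison is a reduced version of the real decision
process (assumption: weight and the MED-only-between-same-neighbour-AS rule
are left out)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass(frozen=True)
class Path:
    prefix: str
    next_hop: str
    router_id: str          # BGP identifier of the router that sent this path
    local_pref: int = 100
    as_path: Tuple[int, ...] = ()
    origin: str = "igp"
    med: int = 0
    igp_cost: int = 0       # IGP metric to next_hop


def preference_key(p: Path):
    """Lower tuple = more preferred; negating local_pref turns 'prefer higher' into min()."""
    rid = tuple(int(octet) for octet in p.router_id.split("."))
    return (-p.local_pref, len(p.as_path), ORIGIN_RANK[p.origin], p.med, p.igp_cost, rid)


def bestpath(paths: List[Path]) -> Optional[Path]:
    return min(paths, key=preference_key) if paths else None


def select_n_best(paths: List[Path], n: int) -> List[Path]:
    """add-n-path: 1) select best, 2) drop every path whose next-hop equals the
    best's (the best included), 3) rerun selection on what is left; repeat until
    n paths are chosen or no path with a new next-hop remains."""
    chosen: List[Path] = []
    remaining = list(paths)
    while remaining and len(chosen) < n:
        best = bestpath(remaining)
        chosen.append(best)
        remaining = [p for p in remaining if p.next_hop != best.next_hop]
    return chosen


def select_all_paths(paths: List[Path]) -> List[Path]:
    """add-all-path: bestpath computed once (it goes first), then every other path."""
    best = bestpath(paths)
    return [] if best is None else [best] + [p for p in paths if p is not best]


def sample_paths() -> List[Path]:
    """Constructed sample: prefix Z learned from PE2 (twice, via two RRs), PE3 and PE4."""
    return [
        Path("Z", "10.0.0.2", "2.2.2.2", igp_cost=10),
        Path("Z", "10.0.0.2", "22.2.2.2", igp_cost=10),   # same next-hop, other reflector
        Path("Z", "10.0.0.3", "3.3.3.3", igp_cost=20),
        Path("Z", "10.0.0.4", "4.4.4.4", local_pref=90),
    ]


if __name__ == "__main__":
    for p in select_n_best(sample_paths(), 2):
        print(p.next_hop, p.router_id)   # 10.0.0.2 then 10.0.0.3, never the duplicate PE2 path
```

Step 2 is what makes the backup useful as a PIC Edge repair path: without the next-hop filter the second-best path would often be the same exit router heard through another reflector, which protects nothing when that router or its access link fails.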


Add-Path Configuration – IOS-XR (send)

Enable in global address-family mode
 – Enables for all iBGP neighbors

Enable/Disable in neighbor mode

 router bgp 100
  address-family ipv4 unicast
   additional-paths send
  !
  address-family vpnv4 unicast
   additional-paths send
  !
  neighbor 1.1.1.1
   remote-as 100
   address-family ipv4 unicast
   !
   address-family vpnv4 unicast
   !
  !
  neighbor 2.2.2.2
   remote-as 100
   capability additional-paths se[…]
   address-family ipv4 unicast
   !


Add-Path Configuration – IOS-XR (receive)

Enable in global address-family mode
 – Enables for all iBGP neighbors

Enable/Disable in neighbor mode

 router bgp 100
  address-family ipv4 unicast
   additional-paths receive
  !
  address-family vpnv4 unicast
   additional-paths receive
  !
  neighbor 1.1.1.1
   remote-as 100
   address-family ipv4 unicast
   !
   address-family vpnv4 unicast
   !
  !
  neighbor 2.2.2.2
   remote-as 100
   capability additional-paths receive disable
   address-family ipv4 unicast
   !
  !
 !


PIC Edge: Test Results

Test Setup              Node Failure   Link Failure
No PIC Edge, No BFD     12-14 sec      8-17 sec
BFD Only                10-12 sec      6-12 sec
PIC Edge Only           8 sec          4 sec
PIC Edge, BFD           0 sec          0 sec


BGP Feature: Automated Route Target Filtering

Increased VPN service deployment increases load on VPN routers
 – 10% YOY VPN table growth
 – Highly desirable to filter unwanted VPN routes

Multiple filtering approaches
 – New RT filter address family
 – Extended community ORF


BGP Feature: Automated Route Target Filtering

 – Derive RT filtering information from VPN RT import lists automatically
 – Exchange filtering info via RT filter AF or extended community ORF
 – Translate filter info received from neighbors into outbound filtering
 – Generate incremental updates for received RT update queries
 – Incremental deployment possible/desirable


Automated Route Target Filtering

[Figure: PE-1 (VRF-Blue, VRF-Red), PE-2 (VRF-Red, VRF-Green), PE-3 (VRF-Green, VRF-Purple) and PE-4 (VRF-Purple, VRF-Blue) peer with RR-1 and RR-2; RT-Constraint NLRIs shown: {VRF-Blue, VRF-Red}, {VRF-Green, VRF-Purple}, {VRF-Purple, VRF-Blue}, {VRF-Red, VRF-Green}, {VRF-Blue, VRF-Red, VRF-Green}, {VRF-Green, VRF-Purple, VRF-Blue}]

Improves PE and RR scaling and performance by sending only relevant routes
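The filtering described on the last three slides, as an added Python example written for this transcript (not Cisco code): the PE side derives its RT filter from its VRF import lists, and the route reflector keeps one filter per client, reflects a VPN route only to clients that import one of its RTs, treats a client that never sent a filter as not supporting the feature (it receives everything, which is what makes incremental deployment possible), and computes the incremental advertise/withdraw set when a client changes its import list. Route-target values, RDs and prefixes are constructed.

```python
"""Automated route-target filtering (RT-Constraint, RFC 4684 style) on a route
reflector; added example, not Cisco code. RT values, RDs and prefixes below
are constructed for the example."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class VpnRoute:
    rd: str
    prefix: str
    rts: FrozenSet[str]   # route-target extended communities carried by the route


def pe_rt_filter(vrfs: Dict[str, Dict[str, Set[str]]]) -> FrozenSet[str]:
    """PE side: the RT-Constraint NLRI set is the union of all VRF import lists,
    derived from configuration rather than maintained by hand."""
    return frozenset(rt for cfg in vrfs.values() for rt in cfg.get("import", ()))


class RouteReflector:
    def __init__(self) -> None:
        # None means the client never sent RT-Constraint information (legacy client)
        self.rt_filter: Dict[str, Optional[FrozenSet[str]]] = {}
        self.vpn_routes: Set[VpnRoute] = set()

    def add_client(self, name: str, import_rts: Optional[Iterable[str]] = None) -> None:
        self.rt_filter[name] = None if import_rts is None else frozenset(import_rts)

    def wants(self, client: str, route: VpnRoute) -> bool:
        """Outbound filter: reflect if the client imports any RT of the route,
        or if the client gave us no filter at all (incremental deployment)."""
        rts = self.rt_filter[client]
        return rts is None or bool(route.rts & rts)

    def receive_vpn_route(self, route: VpnRoute) -> Set[str]:
        """Store the route and return the clients it is reflected to."""
        self.vpn_routes.add(route)
        return {c for c in self.rt_filter if self.wants(c, route)}

    def update_rt_constraint(self, client: str,
                             import_rts: Iterable[str]) -> Tuple[Set[VpnRoute], Set[VpnRoute]]:
        """A client changed its import list: return the incremental update
        (routes to newly advertise, routes to withdraw) instead of a full refresh."""
        before = {r for r in self.vpn_routes if self.wants(client, r)}
        self.rt_filter[client] = frozenset(import_rts)
        after = {r for r in self.vpn_routes if self.wants(client, r)}
        return after - before, before - after


if __name__ == "__main__":
    # Constructed: 65000:10 = Blue, 65000:20 = Red, 65000:30 = Green, 65000:40 = Purple
    rr = RouteReflector()
    rr.add_client("PE-1", pe_rt_filter({"Blue": {"import": {"65000:10"}},
                                        "Red": {"import": {"65000:20"}}}))
    rr.add_client("PE-2", {"65000:30", "65000:40"})
    rr.add_client("PE-old")   # no RT-Constraint support: gets every VPN route
    blue = VpnRoute("65000:1", "10.1.1.0/24", frozenset({"65000:10"}))
    print(rr.receive_vpn_route(blue))   # {'PE-1', 'PE-old'}
```

The legacy-client branch in wants() is the safety property to keep in mind when deploying this: a reflector must never drop routes for a client whose filter it does not know, so a missing filter means "send all", and only an explicitly received (possibly empty) RT set narrows what a client receives.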


IOS XR - Accept Own

This feature allows movement from a PE-based service provisioning model to a centralized route reflector (RR)-based service provisioning model. With this feature, you can define the route-to-service-VRF mapping within a centralized route reflector and then propagate this information down to all the PE clients of that RR. Without this feature, you would define the route-to-service-VRF mapping in all PE devices, thereby incurring a high configuration overhead, which could result in more errors.

This feature enables a route reflector to modify the Route Target (RT) list of a VPN route that is distributed by the route reflector, enabling the route reflector to control how a route originated within one VRF is imported into other VRFs.

 router#configure
 router(config)#router bgp 100
 router(config-bgp)#neighbor 10.2.[…]
 router(config-bgp-nbr)#address-fa[…]
 router(config-bgp-nbr-af)#accept-o[…]


Overview – AIGP (Accumulated IGP Metric Attribute for BGP)

http://tools.ietf.org/html/draft-ietf-idr-aigp-09

Optional, non-transitive BGP path attribute

A BGP attribute that gives BGP a way to make its routing dec[ision …] the IGP metric, to choose the "shortest" path between two n[odes …] different ASes.

The main driving force for this feature is to solve the IGP sc[aling …] in some ISP core networks. Mainly to be deployed to carry nexthop prefixes/labels acro[ss …] within the same administrative domain.

The remote ingress PE selects its best path using the modifi[ed …] selection process using the AIGP metric.


Overview – AIGP

Passing the AIGP attribute to non-AIGP-capable neighbors
 • Translate AIGP into cost-community
 • 2 POI, pre-best-path and igp-cost, are supported
 • A transitive keyword to make the cost-community transitive to eBGP neighbors
 • Redistribute BGP (with AIGP) into IGP
 • Translate AIGP value into BGP MED

Other software components
 • Route installation – for BGP to tag the AIGP metric during route installation
 • NH notification – when the AIGP metric changed
 – Update generation throttling is not supported in 4.0
 – It is highly recommended to deploy BGP best-external and Additional-path in conjunction with the AIGP attribute, to effectively achieve the desired routing policy.


     AIGP: Originating AIGP

    router bgp 1
     address-family ipv4 unicast
      redistribute ospf 1 route-policy set_aigp_1
     !
    !
    route-policy set_aigp_1
      if destination in (61.1.1.0/24 le 32) then
        set aigp-metric 111
      elseif destination in (2100::1:0/112, 2100::2:0/112) then
        set aigp-metric igp-cost
      endif
    end-policy

    • AIGP is enabled between iBGP neighbors by default
    • AIGP between eBGP neighbors needs to be enabled
    • AIGP can be originated by using redistribute ospf, redistribute isis, redistrib… static or the BGP network command. AIGP can also be originated using neighbor address-family inbound or outbound policy to set AIGP to be the IGP cost or to a fixed value.



    What is Multi-Instance BGP?

    • A new IOS-XR BGP architecture to support multiple instances alon… of OSPF instances
    • Each BGP instance is a separate process running on the same or a… RP/DRP node
    • The BGP instances do not share any prefix table between them
    • No need for a common adj-rib-in (bRIB) as is the case with distribu…
    • The BGP instances do not communicate with each other and do no… peering with each other
    • Each individual instance can set up peering with another router ind…



    What is Multi-AS BGP?

    • It will be possible to configure each instance of a multi-instance BGP… different AS number
    • Global address families can’t be configured under more than one AS e… vpnv4 and vpnv6
    • VPN address-families may be configured under multiple AS instances… not share any VRFs



    Configuration Example


    Attribute Filtering and error handling

    Attribute filtering
     – Unwanted optional transitive attributes such as ATTR_SET, CONFED segments, AS4_PATH causing outages in some equipment.
     – Prevent unwanted/unknown BGP attributes from hitting legacy equipment
       • Block specific attributes
       • Block a range of non-mandatory attributes

    Error-handling – draft-ietf-idr-optional-transitive-04.txt
     – Punishment should not exceed the crime
     – Gracefully fix or ignore non-severe errors
     – Avoid session resets for most cases
     – Never discard the Update on error, as that can lead to inconsistencies

     Architecture


    [Architecture diagram, labels only: Attribute Filtering – Unknown Attributes, Unwanted Attributes, Transitive Attributes; Error-handling – Malformed BGP Updates, Wrong Attribute Length, Invalid Attribute Contents; then NLRI processing…]

    Attribute filtering

    First level of inbound filtering

    Filtering is configured as a range of attribute codes and a corresponding action to take (Note: never discard the Update, as that can lead towards inconsistencies)

    Actions
     – Discard the attribute
     – Treat-as-withdraw

    Applied when parsing each attribute in the received Update message
     – When an attribute matches the filter, further processing of the attribute is stopped and the corresponding action is taken

    Error-handling

    Comes into play after attribute-filtering is applied

    When we detect one or more malformed attributes or NLRIs or oth… the Update message

    Steps
     – Classification of errors
     – Actions to be taken
     – Logging

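The filtering and error-handling steps above, as an added Python example that is not from the deck: a walk over the path-attribute section of a received UPDATE that applies a code-range filter with the two slide actions (discard the attribute, treat-as-withdraw) and downgrades a wrong attribute length or invalid attribute contents to treat-as-withdraw instead of a session reset. The attribute bytes, the filter ranges and the AS numbers are constructed for the example.

```python
import struct

# Path-attribute flag bits (RFC 4271, section 4.3)
OPTIONAL, TRANSITIVE, EXT_LEN = 0x80, 0x40, 0x10
# Attribute type codes named on the slides
ORIGIN, AS_PATH, NEXT_HOP, AS4_PATH, ATTR_SET = 1, 2, 3, 17, 128
DISCARD_ATTR, TREAT_AS_WITHDRAW = "discard-attribute", "treat-as-withdraw"

def encode_attr(flags, code, value):
    """Build one path attribute TLV (1-octet length form)."""
    return bytes([flags, code, len(value)]) + value

def process_attributes(section, filters):
    """Walk the path-attribute section of a received UPDATE.

    filters: [((low_code, high_code), action)], checked while parsing each
    attribute (first level of inbound filtering); action is "discard-attribute"
    or "treat-as-withdraw". Discarding the whole Update is deliberately not an
    option: the peer would still believe we hold the prefixes it announced.
    Returns (kept_attributes, verdict, log); verdict is "ok" or
    "treat-as-withdraw". No path tears the session down.
    """
    kept, log, verdict, pos = [], [], "ok", 0
    while pos < len(section):
        if pos + 3 > len(section):
            return kept, TREAT_AS_WITHDRAW, log + ["truncated attribute header"]
        flags, code = section[pos], section[pos + 1]
        hdr = 4 if flags & EXT_LEN else 3
        if pos + hdr > len(section):
            return kept, TREAT_AS_WITHDRAW, log + [f"code {code}: truncated length"]
        length = struct.unpack_from(">H", section, pos + 2)[0] if hdr == 4 else section[pos + 2]
        start, end = pos + hdr, pos + hdr + length
        if end > len(section):
            # Wrong attribute length: nothing after this point can be parsed
            log.append(f"code {code}: length {length} overruns the section by "
                       f"{end - len(section)} octets")
            return kept, TREAT_AS_WITHDRAW, log
        value, pos = section[start:end], end
        # Filtering: on a match, stop processing the attribute and take the action
        action = next((a for (lo, hi), a in filters if lo <= code <= hi), None)
        if action == DISCARD_ATTR:
            log.append(f"code {code}: matched filter, attribute discarded")
            continue
        if action == TREAT_AS_WITHDRAW:
            log.append(f"code {code}: matched filter, Update treated as withdraw")
            verdict = TREAT_AS_WITHDRAW
            continue
        # Error handling of contents: downgrade to withdraw instead of a reset
        if ((code == NEXT_HOP and len(value) != 4)
                or (code == ORIGIN and (len(value) != 1 or value[0] > 2))):
            log.append(f"code {code}: invalid contents, Update treated as withdraw")
            verdict = TREAT_AS_WITHDRAW
            continue
        kept.append((code, value))
    return kept, verdict, log

# Constructed sample: well-formed section carrying AS4_PATH and ATTR_SET (origin AS 64511)
SAMPLE = (encode_attr(TRANSITIVE, ORIGIN, b"\x00")
          + encode_attr(TRANSITIVE, AS_PATH, struct.pack(">BBHH", 2, 2, 64496, 64497))
          + encode_attr(TRANSITIVE, NEXT_HOP, bytes([192, 0, 2, 1]))
          + encode_attr(OPTIONAL | TRANSITIVE, AS4_PATH, struct.pack(">BBI", 2, 1, 64496))
          + encode_attr(OPTIONAL | TRANSITIVE, ATTR_SET, b"\x00\x00\xfb\xff"))
# Constructed sample: the ATTR_SET header claims 40 octets but only 4 follow
BAD_LENGTH = SAMPLE[:-7] + bytes([OPTIONAL | TRANSITIVE, ATTR_SET, 40]) + b"\x00\x00\xfb\xff"
# Block one specific attribute (AS4_PATH) and a range of optional codes (128-255)
FILTERS = [((AS4_PATH, AS4_PATH), DISCARD_ATTR), ((128, 255), DISCARD_ATTR)]

if __name__ == "__main__":
    for name, data in (("clean", SAMPLE), ("bad-length", BAD_LENGTH)):
        kept, verdict, log = process_attributes(data, FILTERS)
        print(name, verdict, [code for code, _ in kept], log)
```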

    Prefix hijacking

    • Announce someone else’s prefix
    • Announce a more specific of someone else’s prefix

    Either way, you are trying to “steal” someone else’s traffic by gettin… you
     – Capture, sniff, redirect, manipulate traffic as you wish

    Source: nanog 46 preso

    What does the solution look like?


    Multicast VPN Solution Space


    (complete solution is now available)

    [Solution-space matrix, labels only. Encapsulation/Forwarding and core tree signaling options: IP/GRE, PIM (pt-mpt), LSM with P2MP T… (pt-mpt) or MLDP (pt-mpt | mpt-mpt); C-Multicast signaling: PIM, BGP, PORT; Services: Native IPv4, Native IPv6, mVPN IPv4, mVPN IPv6]

    Multicast VPN – BGP Signaling


    BGP customer-multicast signaling and BGP auto-discovery are now added to the multicast VPN solution.

    BGP as overlay allows Service Providers to capitalize on a single protocol

    • Auto-Discovery of PEs and core tree/tunnel information
    • Advertisement of Customer Multicast routes

    [Diagram: PE1–PE4 with CE1–CE4, a Route Reflector (RR), a Source, Receivers and an RP; BGP Auto-Discovery and BGP C-mroutes exchanged between the PEs and the RR; PIM C-Join (*,G) or (S,G) between the CEs and the PEs]

    BGP Graceful Shutdown


    RFC 6198 – April 2011

    Old Behaviour
     – If session drops then BGP will withdraw all prefixes learned over that session
     – BGP has no mechanism to signal a prefix will soon be unreachable (for maintenance for example)
     – Historically RRs have worsened the issue as they tend to hide the alternate path as they only forward the best path

    BGP Graceful Shutdown allows to do maintenance without service disruption.

    This new knob allows a router to notify neig… traffic to other paths and after some time … sessions.

    The notification could be done using Local… or user community attribute

    [Diagram: “#Graceful Shutdown – Please wait…”; BGP / Prefix 10.45 / localpref : 10]

    Graceful Shutdown


    GSHUT well-known community

    The GSHUT community attribute is applied to a neighbor specified by the neighbor shutdown graceful command, thereby gracefully shutting down the link in an expected number of seconds.

    The GSHUT community is specified in a community list, which is read by a route map and then used to make policy routing decisions.

    http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bgp/configuration/15-s/irg-15-s-book.pdf

    neighbor {ipv4-address | ipv6-address | peer-group-name} shutdown graceful seconds {community value [local-preference value] | local-preference value}

    DDoS Mitigation – a stepping-stone approach



    Phase I
     – ACL
     – RTBH
     – PBR
     – uRPF

    Phase II
     – Malicious traffic mitigation
     – Cleaning of malicious traffic
     – Dirty and clean traffic handling
     – Usage of Multi-instance BGP

    Phase III
     – Dynamic application aware redirection and traffic handling

    Release labels on the diagram: IOS-XR 4.3.1 / IOS-XE partial; IOS-XR 5.2.0 / IOS-XE 3.1.2


    DDOS impact on Customer Business


    DDoS mitigation architecture – 1. Detection (no DDoS)


    [Diagram: DDoS scrubber, Security server and DDoS analyser attached to the network; sampled Netflow is sent to the analyser, which scans the Netflow data to detect DDoS attacks]

    DDoS mitigation architecture – 2. Detection (DDoS)


    [Diagram: DDoS scrubber, Security server and DDoS analyser; the analyser scans the sampled Netflow data and finds a DDoS signature]


    DDoS Mitigation: Architecture Considerations


    • Normal traffic flow when there is no attack
    • Redirect traffic from any edge PE to any specific DDoS scrubber
     – Including the PE that is connected to the host network
    • Granular (prefix level/network) diversion
     – Customers buy DDoS mitigation service for some prefixes
     – Pre-provisioned DDoS service for those prefixes (using policy such as a standard community flag)
    • Centralized controller that injects the diversion route
    • VPN based labeled return path for the clean traffic
     – To prevent routing loops
    • Solution supports redirection of BGP less/more specific prefixes or locally originated pref… route, redistributed route)
    • Support for multi-homed customers
     – During attack, send clean traffic from the DDoS scrubber to multiple PEs

    The concept


    Traffic under normal conditions

    • Traffic takes shortest p…
    • Upstream and downstr… traditional routing

    Pre-provisioned D… instrumentation
    • Traffic Scrubber – separate clean an…
    • Security Analyser – analyses Netflow/traffic flows
    • Security server – actions upon traffi… communication to…

    [Diagram: Internet users → ISP (PE1, PE2, PE3) → Server; Scrubber, Security analyser and Security server attached to the ISP]

    BGP based DDoS


    Traffic under DDoS condition

    • Traffic is redirected…
    • Scrubber separate… the malicious traffi…
    • Clean traffic is retu… destination server

    Goal
    • Do not drop all traffic
    • Collect traffic intelligence
    • Operational simplicity
    • Easy to remove re… normalizes

    [Diagram: Internet users → ISP (PE1, PE2, PE3) → Scrubber → Server; Security analyser and Security server attached to the ISP]

    How does it work?


    Normal traffic condition

    • All PEs peer with th…
    • All PEs exchange b… Internet and VPN p…
    • All PE interfaces ar…
    • Security analyser is… doing analyses

    [Diagram: Internet users → ISP (PE1, PE2, PE3) → Server 1.1.1.1/32; Scrubber, Security analyser and Security server attached to the ISP; Internet and VPN Route-Reflector; loopbacks shown: 2.2.2.2, 3.3.3.3, 4.4.4.4, 5.5.5.5]

    Routing table
      Destination   Next-hop
      1.1.1.1/32    2.2.2.2

    How does it work?


    Server is under DDoS

    • Flow is detected a… Security analyser
    • Result: Server is u…
    • Traffic needs to be… scrubber to mitigate

    [Diagram: Internet users → ISP (PE1, PE2, PE3) → Server 1.1.1.1/32 under DDoS; Scrubber, Security analyser and Security server attached to the ISP; Internet and VPN Route-Reflector; loopbacks shown: 2.2.2.2, 3.3.3.3, 4.4.4.4, 5.5.5.5]

    Routing table
      Destination   Next-hop
      1.1.1.1/32    2.2.2.2

    How does it work?


    Server is under DDoS

    • DDoS Route-Ref… visioned
    • Mitigation route to… injected on the DD… Security server
    • Mitigation route to… pointing to 3.3.3.3 … mitigation RR

    [Diagram: Internet users → ISP (PE1, PE2, PE3) → Server 1.1.1.1/32; Scrubber and Security server attached to the ISP; Internet and VPN Route-Reflector; DDoS Route-Reflector 5.5.5.5; loopbacks shown: 2.2.2.2, 3.3.3.3, 4.4.4.4]

    DDoS Route-Reflector
      Destination   Next-hop
      1.1.1.1/32    3.3.3.3

    How does it work?


    Server is under DDoS

    • Mitigation route to… pointing to 3.3.3.3 … PEs
    • All PEs receive th… from the DDoS Mi…
    • Each PE will now… reach 1.1.1.1/32
    • Which route will…

    [Diagram: Internet users → ISP (PE1, PE2, PE3) → Server 1.1.1.1/32; Scrubber and Security server attached to the ISP; Internet and VPN Route-Reflector; DDoS Route-Reflector 5.5.5.5 advertising 1.1.1.1/32 via 3.3.3.3; loopbacks shown: 2.2.2.2, 3.3.3.3, 4.4.4.4]

    BGP Table
      Destination   Next-hop
      1.1.1.1/32    2.2.2.2
      1.1.1.1/32    3.3.3.3

    Routing Table
      Destination   Next-hop
      1.1.1.1/32    ????????????

    How does it work?


    Server is under DDoS

    Trick #…
    • The DDoS mitigati… ALWAYS be prefer…
    • Both prefix len… same
    • DDoS prefix is…
    • Original prefix… administrative…

    [Diagram: Internet users → ISP (PE1, PE2, PE3) → Server 1.1.1.1/32; Scrubber and Security server attached to the ISP; Internet and VPN Route-Reflector; DDoS Route-Reflector 5.5.5.5; loopbacks shown: 2.2.2.2, 3.3.3.3, 4.4.4.4]

    BGP Table
      Destination   Next-hop
      1.1.1.1/32    2.2.2.2
      1.1.1.1/32    3.3.3.3

    Routing Table
      Destination   Next-hop
      1.1.1.1/32    3.3.3.3

    How does it work?


    Server is under DDoS

    • The mitigated traffic… PE3 (3.3.3.3)
    • PE3 is sending the… towards the scrubber
    • The scrubber will
      • Handle and re… traffic within th…
      • Send the clea… towards the or… (1.1.1.1 at PE2)

    [Diagram: Internet users → ISP (PE1, PE2, PE3) → Server 1.1.1.1/32; clean traffic returned from the Scrubber at PE3; Internet and VPN Route-Reflector; DDoS Route-Reflector 5.5.5.5; loopbacks shown: 2.2.2.2, 3.3.3.3, 4.4.4.4]

    BGP Table
      Destination   Next-hop
      1.1.1.1/32    2.2.2.2
      1.1.1.1/32    3.3.3.3

    Routing Table
      Destination   Next-hop
      1.1.1.1/32    3.3.3.3

    How does it work?


    Server is under DDoS

    Problem
    • Scrubber sends tra…
    • PE3 does routing… and finds that it is…
    • ROUTING LOOP!
    • How do we fix this…
      • We use a new… table for the c…
      • This routing t… provisioned i…

    [Diagram: Internet users → ISP (PE1, PE2, PE3) → Server 1.1.1.1/32; clean traffic from the Scrubber re-enters PE3; Internet and VPN Route-Reflector; DDoS Route-Reflector 5.5.5.5; loopbacks shown: 2.2.2.2, 3.3.3.3, 4.4.4.4]

    BGP Table
      Destination   Next-hop
      1.1.1.1/32    2.2.2.2
      1.1.1.1/32    3.3.3.3

    Routing Table
      Destination   Next-hop
      1.1.1.1/32    3.3.3.3

    How does it work?


    Server is under DDoS

    • The clean traffic will b… on an interface memb…
    • PE3 will now do a rou… lookup for 1.1.1.1 in V…
    • The matching routing… pointing towards PE2
    • The clean flow, which… Clean is sent towards 2.2.2.2

    [Diagram: Internet users → ISP (PE1, PE2, PE3) → Server 1.1.1.1/32; the Scrubber returns clean traffic into VPN Clean on PE3; loopbacks shown: 2.2.2.2, 3.3.3.3, 4.4.4.4]

    BGP Table
      Destination   Next-hop
      1.1.1.1/32    2.2.2.2
      1.1.1.1/32    3.3.3.3

    Routing Table
      Destination   Next-hop
      1.1.1.1/32    3.3.3.3
      1.1.1.1/32    2.2.2.2   (VPN Clean)

    How does it work?


    Server is under DDoS

    Routing Table (PE2)
      Destination   Next-hop   VPN
      1.1.1.1/32    3.3.3.3    Global
      1.1.1.1/32    CE1        Clean

    • PE2 receive… within VPN…
    • PE2 does a… routing look…
    • A matching… clean
    • Flow is forw… onwards to…

    HOLD on a m… PE2 does not have any interface…
    All interfaces on PE2 are glo… so how did that clean route for 1.… clean?

    [Diagram: Internet users → ISP (PE1, PE2, PE3) → CE1 → Server 1.1.1.1/32; Scrubber at PE3; loopbacks shown: 2.2.2.2, 3.3.3.3, 4.4.4.4]

    How does it work?


    BGP Table (PE2)
      Destination   Next-hop   VPN
      1.1.1.1/32    CE1        Global
      1.1.1.1/32    3.3.3.3    Global
      1.1.1.1       CE1        clean

    Trick
    • Copy the locally… B… directly into VPN…
    • Neighbour details… the global table (i…
      • Outgoing int…
      • Next-hop
    • Interface pointin… NOT VPN aware
    • This VPN clean d… VPN
    • New CLI command: import from default-vr… advertise-as-vpn

    Routing Table (PE2)
      Destination   Next-hop   VPN
      1.1.1.1/32    3.3.3.3    Global
      1.1.1.1/32    CE1        Clean

    [Diagram: Internet users → ISP (PE1, PE2, PE3) → CE1 → Server 1.1.1.1/32; Scrubber at PE3; loopbacks shown: 2.2.2.2, 3.3.3.3, 4.4.4.4]
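To make the loop on the earlier slide and its VPN Clean fix concrete, here is an added Python simulation (not from the deck) of the forwarding path in this topology: PE2 (2.2.2.2) fronts the server 1.1.1.1 behind CE1, PE3 (3.3.3.3) fronts the scrubber, and PE1 is the Internet-facing ingress. It assumes the DDoS RR injects the mitigation route with a higher LOCAL_PREF so it always wins (the slide's exact preference trick is cut off), and that the scrubber's return interface is in VPN Clean when that VRF is provisioned.

```python
SERVER = "1.1.1.1/32"
# Loopbacks named on the slides; PE1 is the Internet-facing ingress
PE_BY_NEXTHOP = {"2.2.2.2": "PE2", "3.3.3.3": "PE3"}

def best_path(paths):
    """Pick a next-hop from (next_hop, local_pref) candidates.
    Assumption of this example: the mitigation route carries a higher LOCAL_PREF,
    so with equal prefix lengths it always wins over the original route."""
    return max(paths, key=lambda p: p[1])[0]

def build_network(under_attack, clean_vrf):
    """Return per-PE, per-VRF forwarding tables: {pe: {vrf: {prefix: next_hop}}}."""
    original = ("2.2.2.2", 100)   # PE2 advertises the server to the Internet/VPN RR
    mit = [("3.3.3.3", 200)] if under_attack else []  # injected via the DDoS RR (5.5.5.5)
    net = {
        "PE1": {"global": {SERVER: best_path([original] + mit)}},
        # PE2 also learns the mitigation route, so even the server's own PE diverts
        "PE2": {"global": {SERVER: best_path([("CE1", 100)] + mit)}},
        # PE3 originates the mitigation route: locally it points at the scrubber
        "PE3": {"global": {SERVER: "scrubber" if under_attack else original[0]}},
    }
    if clean_vrf:
        # VPN Clean: PE3 holds the original route towards PE2 (labelled return path);
        # PE2 copies its local CE1 route from the default VRF into VPN Clean
        net["PE3"]["Clean"] = {SERVER: "2.2.2.2"}
        net["PE2"]["Clean"] = {SERVER: "CE1"}
    return net

def forward(net, ingress, dst=SERVER, max_hops=10):
    """Trace a packet hop by hop. The path ends with "CE1" (delivered) or "LOOP"."""
    pe, vrf, path, seen = ingress, "global", [ingress], set()
    while len(path) < max_hops:
        if (pe, vrf) in seen:          # same PE, same table: a routing loop
            return path + ["LOOP"]
        seen.add((pe, vrf))
        nh = net[pe][vrf][dst]
        if nh == "CE1":
            return path + ["CE1"]
        if nh == "scrubber":
            # The scrubber hands the clean flow back on its return interface,
            # which is in VPN Clean when provisioned and in the global table otherwise
            vrf = "Clean" if "Clean" in net[pe] else "global"
            path += ["scrubber", f"{pe}({vrf})"]
            continue
        # Towards another PE. A route looked up in VPN Clean travels with a VPN
        # label, so the packet arrives at the next PE inside that same VRF.
        pe = PE_BY_NEXTHOP[nh]
        path.append(pe if vrf == "global" else f"{pe}({vrf})")
    return path + ["LOOP"]

def trace(under_attack, clean_vrf, ingress="PE1"):
    return forward(build_network(under_attack, clean_vrf), ingress)

if __name__ == "__main__":
    print("normal            :", " -> ".join(trace(False, False)))
    print("attack, no VPN    :", " -> ".join(trace(True, False)))
    print("attack, VPN Clean :", " -> ".join(trace(True, True)))
```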

    Going back to traditional traffic flow



    • Remove the rout… Mitigation DDoS…
    • No more route is… the DDoS Mitiga…
    • Traffic flows normally

    [Diagram: Internet users → ISP (PE1, PE2, PE3) → Server 1.1.1.1/32; Scrubber and Security server attached to the ISP; Internet and VPN Route-Reflector; DDoS Route-Reflector 5.5.5.5; loopbacks shown: 2.2.2.2, 3.3.3.3, 4.4.4.4]

    DDoS Route-Reflector
      Destination   Next-hop
      1.1.1.1/32    3.3.3.3

    Server is under DDoS


    Complete Your Online Session Evaluation


    Maximize your Cisco Live expfree Cisco Live 365 account. DPDFs, view sessions on-demalive activities throughout the yCisco Live 365 button in your log in.

    Give us your feedback andyou could win fabulous prizes.Winners announced daily.

    Receive 20 Cisco Daily Challengepoints for each session evaluationyou complete.

    Complete your session evaluationonline now through either the mobileapp or internet kiosk stations.
