3 - Advanced Junos Service Provider1
3 - Advanced Junos Service Provider1
NETWORKS
Student Guide
juniper
-
/ NETWORKS
5
i
Worldwide Education Services
This document or any part thereof may not be reproduced or transmitted in any form under penalty of law, without the prior written permission of Juniper Networks
Education Services.
Juniper Networks, Junos. Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other
countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered
trademarks, or registered service marks are the property of their respective owners.
Advanced Junos Semce Provider Routing Student Guide, Revision lO.a
Copyright © 2011 Juniper Networks, inc. All rights reserved,
Printed in USA.
Revision History:
Revision lO.a - March 2011
The information in this document has been carefully verified and is believed to be accurate for software Release 10.3R1.9. Juniper Networks assumes no
responsibilities for any inaccuracies that may appear in this document, in no event will Juniper Networks be liable for direct, indirect, special, exemplary,
incidental, or consequential damages resulting from any defect or omission in this document, even if advised of the possibility of such damages.
Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice,
YEAR 2000 NOTICE
Juniper Networks hardware and software products do not suffer from Year 2000 problems and hence are Year 2000 compliant. The Junos operating system has
no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
SOFTWARE LICENSE
The terms and conditions for using Juniper Networks software are described in the software license provided with the software, or to the extent applicable, in an
agreement executed between you and Juniper Networks, or Juniper Networks agent. By using Juniper Networks software, you indicate that you understand and
agree to be bound by its iicense terms and conditions. Generally speaking, the software license restricts the manner in which you are permitted to use the Juniper
Networks software, may contain prohibitions against certain uses, and may state conditions under which the license is automatically terminated. You should
consult the software license for further details.
Contents
iv . Contents www.juniper.net
Course Overview
This four-day course is designed to provide students with detailed coverage of OSPF, IS-IS, BGP, and
routing policy. Through demonstrations and hands-on labs, students will gain experience in
configuring and monitoring the Junes operating system and in monitoring device and protocol
operations. This course is based on the Junos OS Release 10.3R1.9.
Objectives
After successfully completing this course, you should be able to:
Identify some scenarios in a service provider network that can be solved using routing
policy or specific configuration options.
.
Use routing policy and specific configuration options to implement solutions for
various scenarios.
.
Explain the route selection process for BGP.
Configure confederations.
Intended Audience
This course benefits Individuals responsible for Implementing, monitoring, and troubleshooting
Layer 3 components of a service provider's network.
Course Level
Prerequisites
Students should have intermediate-level networking knowledge and an understanding of the Open
Systems Interconnection (OSI) model and the TCP/IP protocol suite. Students should also attend
the introduction to the Junos Operating System (IJOS), Junos Routing Essentials (JRE), and Junos
Intermediate Routing (JIR) courses prior to attending this class.
Day 1
Chapter 1; Course Introduction
Chapter 2: OSPF
Day 2
Chapters: IS-IS
Day 3
Chapter 8: BGP
Lab 7: BGP
Day 4
Chapter 10: BGP Attributes and Policy-Part 2
Lab 9: BGP Attributes: Local Preference and Communities
Frequently throughout this course, we refer to text that appears in a command-line interface (CLI)
or a graphical user interface (GUi). To make the language of these documents easier to read, we
distinguish GUI and CLI text from chapter text according to the following table.
Franklin Gothic Normal text, Most of what you read in the Lab Guide
and Student Guide.
CLI Undefined Text where the variable's value is Type set policy policy-name.
the user's discretion or text where
ping IQ.O.x.y
the variable's value as shown in
GOT Undefined the lab guide might differ from the Select File > Save, and type
value the user must input filename in the Filename field.
according to the lab topology.
The AJSPR Student Guide was developed and tested using software Release 10.3R1.9. Previous
and later versions of software might behave differently so you should always consult the
documentation and release notes for the version of code you are running before reporting errors.
This document is written and maintained by the Juniper Networks Education Services development
team. Please send questions and suggestions for improvement to [email protected].
Technical Publications
You can print technical manuals and release notes directly from the internet in a variety of formats:
Go to http://www.Juniper.net/techpubs/.
Locate the specific software or hardware release and title you need, and choose the
format in which you want to view or print the document.
Documentation sets and CDs are available through your local Juniper Networks sales office or
account representative.
{ |j| 01
: 'A urldwicie lilucalion Ser.ices
Introductions
Introductions
The slide asks several questions for you to answer during class introductions.
Contents:
.
Chapter 1: Course Introduction
.
Chapter 2: OSPF
.
Chapters: OSPF Areas
.
Chapter 4: OSPF Case Studies and Solutions
.
Chapters: IS-IS
.
Chapter 6: Advanced IS-IS Operations and Configuration Options
.
Chapter?: Multilevel IS-IS Networks
.
Chapters: BGP
.
Chapter 9: BGP Attributes and Policy-Part One
.
Chapter 10: BGP Attributes and Policy-Part Two
.
Chapter 11: BGP Route Damping
.
Chapter 12: Route Reflection and Confederations
JUniPSf WorklwitleEtlucationSetvioes
Course Contents
Prerequisites
Prerequisites
The slide lists the prerequisites for this course.
The basics:
.
Sign-in sheet
. Schedule
. Class times
. Breaks
. Lunch
lillillllfl
,
itial Resources
Additional Resources
The slide provides links to additional resources available to assist you in the installation,
configuration, and operation of Juniper Networks products.
Satisfaction
Ell
Class
Feedback
m
m imii
PS
13
Mr
Satisfaction Feedback
Juniper Networks uses an electronic survey system to collect and analyze your comments and
feedback. Depending on the class you are taking, please complete the survey at the end of the class,
or be sure to look for an e-mail about two weeks from class completion that directs you to complete
an online survey form. (Be sure to provide us with your current e-mail address.)
Submitting your feedback entitles you to a certificate of class completion. We thank you in advance
for taking the time to help us improve our educational offerings.
Curriculum
Formats:
. Classroom-based instructor-led technical courses
. Online instructor-led technical courses
.
Hardware installation eLearning courses as well as technical
eLearning courses
Complete list of courses:
.
http://www.juniper.nel/training/technical education/ _
Course List
You can access the latest Education Services offerings covering a wide range of platforms at
http://www.Juniper.net/training/technical education/.
_
11 juniper
LL 1 I .J
junipec
jumper
juniper
Ce
,
J is Oniln ie
j-net | http://www.juniper.net/jnet
m http://www.juniper.net/facebook
IDii t
mj http://www.juniper.net/youtube
Q http://www.juniper.net/twitter
Find Us Online
The slide lists some online resources to learn and share information about Juniper Networks.
Any Questions?
If you have any questions or concerns about the class you are attending, we suggest that you voice
them now so that your instructor can best address your needs during class.
Chapter 2: OSPF
Advanced Junos Service Provider Routing
>0SPFv2 Review
Link-State Advertisements
Protocol Operations
OSPF Authentication
OSPFv2 Review
The slide lists the topics we cover in this chapter. We discuss the highlighted topic first.
OSFFv2 Mmlew (1 of 3)
Link-State Protocol
OSPF is an Interior gateway protocol (IGP) based on the concept of a link-state database (LSDB). As
such, each OSPF-speaking router in the network attempts to form an adjacency with each
neighboring OSPF router. When these adjacencies are in place, each router generates and floods
LSAs into the network in a reliable manner. The LSAs are placed into the LSDB on each router where
the SPF algorithm is calculated to find the best path to each end node in the network.
OSPF uses IP protocol number 89 and the AIISPFRouters multicast address of 224.0.0.5 to flood
link-state advertisements. OSPF routers forward all LSAs through all OSPF configured interfaces
except the one on which an LSA was received.
LSAs are Installed in the OSPF database which forms the topology map of the network.
The SPF algorithm is run to determine the shortest path to each destination subnet.
Hierarchical Design
OSPF gains scalability as a protocol through the use of a hierarchical design. Portions of the network
are designated as separate areas. These remote areas are then connected through a common area
known as the backbone.
Most Ethernet segments are point-to-point, full-duplex these days. This eliminates the need for a DR
election. Use the interface-type p2p command to change the default interface type.
:w (2 of 3)
R2
Rl
R4
In addition to discovering neighbors and fiooding LSAs, a third major task of the OSPF protocol is to
create and maintain the LSDB. The link-state, ortopological, database stores the LSAs as a series of
records. The contents stored within the LSDB include details such as the advertising router's ID, its
attached networks and neighboring routers, and the cost associated with those networks or
neighbors. According to the OSPF RFC, each router in an OSPF area must have an identical LSDB to
ensure accurate routing knowledge. We discuss OSPF areas later in this course.
The information recorded in the database is used as input data to calculate the shortest paths (that
is, least-cost paths) for all destination prefixes within the network. OSPF uses the SPF algorithm or
Dijkstra algorithm to calculate, all at once, the shortest paths to all destinations. It performs this
calculation by creating a tree of shortest paths incrementally and picking the best candidate from
that tree. The results of this calculation are then handed to the router's routing table for the actual
forwarding of data packets.
V m is of
Packet Types
Every OSPF router uses a specific set of packets to perform its functions. The packet types include
the following:
Hello: Sent by each router to form and maintain adjacencies with its neighbors.
Database description: Used by the router during the adjacency formation process. It
contains the header information for the contents of the LSDB on the router.
Link-state request: Used by the router to request an updated copy of a neighbor's LSA.
Link-state update: Used by the router to advertise LSAs into the network.
Link-state acknowledgment: Used by the router to ensure the reliable flooding of LSAs
throughout the network.
Backbone
(Area 0 or 0.0.0.0)
/
/
\
/
\
A \/
/
\
Area 1 Area 2 \ Area 3
Hierarchical Design
The slide graphically displays the hierarchical nature of OSPF. A backbone area (0.0.0.0) is the
connecting point for all other areas. By specification, each area must attach to the backbone in at
least one location.
Area 1, Area 2, and Area 3 each contain routers internal to that area as well as a single area border
router (ABR). The ABR generates summary LSAs that represent the routes within its area and floods
those to the backbone. The ABR is also responsible for generating summary LSAsthat represent the
backbone routes and injecting those into its attached area.
:
. r:::--."A::-.::.vr.,.:.:A::.
. ;-. .-
AS 65415
vurldwiiiu Education Se
OSPF Routers
OSPF routers can take on a number of different roles within an OSPF domain. The following list
shows the common types of OSPF routers along with a brief description:
.
Area border router (ABR): An OSPF router with links in two areas, the ABR is responsible
for connecting OSPF areas to the backbone. It transmits network information between
the backbone and other areas.
Autonomous system boundary router (ASBR): An OSPF router that injects routing
information from outside the OSPF AS, an ASBR is typically located in the backbone.
However, the OSPF specification allows an ASBR to be in other areas as well.
Backbone router. Defined as any OSPF router with a link to Area 0 (the backbone), this
router can also be an internal or ABR depending on whether it has links to other,
nonbackbone areas.
.
Internal router. An internal router is an OSPF router with ail its links within an area. If
that router is located within the backbone area (Area 0.0.0.0), it is also known as a
backbone router.
i
.
I i I r urat
[edit protocols]
usergrouterf show
ospf {
area <area-id> {
<area opt±om>;
interface <interface~name> {
<interface option3>;
/
}
}
'
iunrfernet 1 2-10
OSPF Interfaces
All logical interfaces associated with the area should be listed under the area. Remember the
loopback interface, if it should be advertised.
protocols {
ospf {
area area-id {
interface interface-name;
interface interface-name;
interface interface-name;
}
area area-id {
interface interface-name;
}
area area-id {
interface interface-name;
}
}
}
. interface-name can be IP address
Worldwide EciUGcrt id it Services
OSPF Interfaces
All logical interfaces associated with the particular area should be listed under that area. Remember
the loopback interface, if it should be advertised.
OSPFvS and OSPFv2 have much in common but there are many differences that take advantage of
the new features of IPv6. Some but not all of the differences are listed on this slide.
Agenias ©SPF
0SPFv2 Review
-
>Link-State Advertisements
Protocol Operations
OSPF Authentication
& .
.
. H', i-jf. i.' i Je -.or:--., lr. *,|. rv: t- t -j 1 JUn PG( vV'irlHv/iilt: tUllCaliun
Link-State Advertisements
in bytes
Version Packet Check- Authent-
Type RouterlD Area ID Authentication Data
ication
number length sum
type
4-- -
20 20 Va ria ble
Va ria ble
LSA Types
LSA Types
The following list provides the details of the LSA types:
Router LSA: Sent by each router to describe its individual links and their status.
Summary LSA: Sent by an area border router (ABR) to describe routes or other
information from one area into another.
.
AS external LSA: Sent by an autonomous system boundary router (ASBR) to describe
routes external to the OSPF domain.
NSSA LSA: Sent by an ASBR in a not-so-stubby area (NSSA) to describe routes external
to the OSPF domain.
.
External attributes LSA: Used to tunnel attributes used by other routing protocols
through OSPF.
.
Opaque LSAs: Used to transmit information not currently supported by other LSA types.
Examples include graceful restart and traffic engineering information.
Continued on the next page.
LSA Functions
Each of the LSA types iisted previously has a specific function within the OSPF domain. They each
describe a portion of the topology used by the Dijkstra (SPF) aigorithm to supply routing information
to a routing table. We discuss each LSA in more detail on future slides.
Each LSA has a maximum age of 3600 seconds (1 hour) associated with it. This maximum provides
a mechanism for removing stale information from the database. To ensure that its LSAs are
up-to-date, each OSPF router periodically refreshes them prior to reaching the maximum age limit.
The Junos operating system performs this refresh every 50 minutes (3000 seconds).
LSA
m
_
LSA Header
The following list details the information contained in the LSA header:
LS age (2 bytes): Measured in seconds, the LS age is the time since the LSA was first
originated. Each router increments this field prior to refloodingthe LSA.
Options (1 byte): Indicates support for OSPF options. Within the context of an individual
LSA, the E bit (position 7) is set in all External LSAs and the P bit (position 5) is set in all
NSSA external LSAs.
Link-state ID (4 bytes): Describes various portions of the OSPF domain. Each LSA type
uses this field in a different manner.
.
Advertising router (4 bytes): The router ID of the router that first originated the LSA.
LS sequence number (4 bytes): Verifies that each router has the most recent version of
an LSA. This field is incremented each time a new version is generated. Values range
from 0x80000000 to OxVFFFFFFF.
LS c/iecteum (2 bytes): The checksum of the entire LSA contents, minus the LS age
field. This field is used to ensure data integrity in the LSDB.
Length (2 bytes): The entire length of the individual LSA, including the header.
Router LSA
Each OSPF-speaking router generates a Type 1 LSA to describe the status and cost (metric) of all
interfaces on the router. This LSA is flooded to each router in the OSPF area. It is defined as having
an area scope; therefore, It is not flooded across an area boundary. In addition to the standard LSA
header, the router LSA also contains the following fields:
V E, and B bits (1 byte): Following five bits set to a value of 0, the V, E, and B bits
,
represent the characteristics of the originating router. The V bit is set when a virtual link
is established. An ASBR sets the E bit. An ABR sets the B bit.
Number of links (2 bytes): This value gives the total number of links represented by the
following set of fields.
Link ID (4 bytes): This field represents what the far side of the link is connected to. It Is
used in conjunction with the link type field.
.
Link data (4 bytes): This field represents what the nearside of the link is connected to.
It is used in conjunction with the link type field.
Number of ToS metrics (1 byte): This field lists the number of type of service metrics
encoded. Only a value of 0 is supported.
.
Metric (2 bytes): This field provides the cost to transmit data out of the interface.
The information in the router LSA's link iD and link data fields is associated with the type of link OSPF
is operating. The following link types are supported:
Point-to-point (Type 1): On a poinMo-point interface, an OSPF router always forms an
adjacency with its peer over an unnumbered connection. As such, the link ID field
contains the neighbor s router ID. The link data field contains the IP address of the
'
Transit (Type 2): A connection to a broadcast segment is always noted as a transit link.
The link ID field contains the interface IP address of the segment's designated router.
The link data field contains the interface IP address of the local router.
Stub (Type 3): A router advertises a stub network when a subnet does not connect to
any OSPF neighbors. Advertising a stub network occurs for the loopback interface and
any passive interfaces. In addition, the IP subnet for any point-to-point interface is
advertised as a stub because the adjacency was formed over an unnumbered interface.
The link ID field for a stub network contains the IP network number and the link data
field contains the subnet mask.
Virtual link (Type 4): A virtual link operates between an ABR connected to Area 0 and an
ABR that is not connected to Area 0. Once established, the virtual link appears in the
Area 0 router LSA of each endpoint. The link ID field contains the neighbor's router ID,
and the link data field contains the interface IP address of the local router.
IMA Examp
u3er@Rl> show ospf database router extensive
This router is both an ABR as well as an ASBR. We see this by the setting of bits 0x3.
Recall that position 7 (0x2) is for the E bit, which is set when the originating router is an
ASBR. Bit position 8 (Oxl) is for the B bit, which is set when the originating router is an
ABR. Combining these two fields results in a value of 0x3, which we see in the database
capture.
This router has three links connected to Area 0, which we can determine because of two
factors. First, the link count field is set to a value of 3. Second, the LSA is shown in the
database within the Area 0.0.0.0 section. Recall that a router LSA has area scope, so a
separate LSA is generated for each area representing the links only within that area.
A single point-to-point link exists, and two links are connected to stub networks. This
fact is clearly visible from the information in the type fields.
This router LSA was originated by the same router from which the capture was taken.
Notice the asterisk (*) next to the link-state ID value oi 192.168 .20.1. Also note that
the last line of the capture states that this LSA is Ours.
The router LSA was installed 2 minutes and 41 seconds ago. If not refreshed, the LSA
will expire in 57 minutes and 19 seconds when its 3600 second maximum age is
exceeded, and the LSA was last flooded 2 minutes and 41 seconds ago. These details
are shown in the Installed, expires and sent fields, and they are present for
every LSA in the show ospf database extensive output.
Type 1 ;4
Area 0
192.168.100.1
192.168,20,1 192,168,21.1
172,22,121,0/24 R2 172,22,122,0/24
ri
.
Two point-to-point subnets connect the three routers-172.22.121.0/24 and
172.22.122.0/24;
LSA 2}
Network LSA
Each OSPF router elected to be the designated router (DR) on a broadcast link generates a Type 2
LSA. This LSA lists each router connected to the broadcast link, including the DR itself. In addition to
the standard LSA header, the network LSA also contains the following fields:
Network mask (4 bytes): This field denotes the IP subnet mask for the interface
connected to the broadcast network.
Attached router (4 bytes): This field is repeated for each router connected to the
broadcast network. The value of each instance is the router ID of the attached routers.
You can deduce the total number of routers listed by the length of the LSA.
f©rlc;.:
Type ID """
Adv Rtr Seq Age Opt Cksum Len
Network 110 0 12 l ] 192.168 .20. 2 0x80000001 2765 0x22 0x8 cla 32
mask 255.255.255.0
attached router 192.168.20.2
attached router 192.168.20.1
Topology default (id 0)
Type: Transit, Mode ID: 192.168.20.1
Metric: 0, Bidirectional
Type: Transit, Mode ID: 192.168.20.2
Metric: 0, Bidirectional
The designated router for this network Is 10.0.12.1, which you can determine by
'
Because only two Instances of the attached router field are present, you can safely
deduce that only two routers are connected to the link. The router IDs of those two
routers are 192.168.20.2 and 192.168.20.1.
Area 0
192,168.100.1
192.168,20,1 192.168,21.1
172,22,121.0/24 172.22.122,0/24
Rl P3
R4
192,168,20.2 192,168,20,4
10.0.12.0/24
Area 10
The designated router for the segment is 192.168.20.2 and its interface address is
10.0.12.1.
mmm
Originated by ABRs
.
Has area scope
. Describes networks external to the area
.
Consists of the standard LSA header plus:
.
(4-byte) Network mask
.
(1-byte) Reserved (set to 0)
.
(3-byte) Metric
.
(1-byte)ToS (not used)
.
(3-byte)ToS metric (not used)
Summary LSA
Each ABR that transmits information from one OSPF area into another generates a Type 3 LSA to
describe that information. This LSA is flooded to each router in the OSPF area. This LSA has an area
scope; therefore, it is not refiooded across the area boundary by another ABR. Instead the receiving
,
ABR generates a new Type 3 LSA describing the link and floods it into the adjacent area.
In addition to the standard LSA header, the summary LSA also contains the following fields:
Network mask (4 bytes): This field represents the subnet mask associated with the
network advertised. It is used in conjunction with the link-state ID field which
,
Metric (3 bytes): This field provides the cost of the route to the network destination.
When the summary LSA is representing an aggregated route (using the area-range
command), this field is set to the largest current metric of the contributing routes.
ToS (1 byte): This field describes any optional type of service information encoded
within the network described. The Junos OS does not use this field.
This router Is an ABR because it contains a database for area 0.0.0.0. Within that area,
three summary LSAs are listed. Two of the LSAs (the first and second ones listed) are
from the router where the capture was taken. As with the router LSA earlier, notice that
there is an asterisk (*) next to the link-state ID values of 10. 0.10.0 and
10.0.12.0. Also note that the last line of the LSA states that the LSA is Ours.
A second router in the backbone (192.168.21.1) generates the other summary LSA.
The network advertised by that ABR is 10.0.14.0/24. The network has a metric of 1
encoded within the LSA. The local router adds the cost to reach 192.168.21.1 to the
metric of 1 prior to calculation of the SPF algorithm.
AreaO
l V 'fH 100.1
.
2 c-'* -» .2
192.16S.20.1 192.168.21.1
1
172.22.121,0/24 172.22.122.0/24
Rl
1D.0.10.
10.0.14.0/24 \
nr. ( 192.168.20.4 i
192.168.20.2
1 .
i .
2
10.0.12.0/24
192.168.21.2
Area 10
Area ?
We do not know the 32-bit value for the area, but we know that an internal area router
exists within it-192.168.21.2;
.
Using the metric values in the summary LSAs, we can determine that the area router
and the ABR are connected over the 10.0.14.0/24 subnet; and
Within area 0.0.0.10, we now know that the 192.168.20.2 router is directly connected
to our local router of 192.168.20.1. We use the summary LSA metric value to make that
determination.
Originated s
by ABRs
.
Has area scope
. Describes ASBRs external to the area
.
Consists of the standard LSA header plus:
.
(4-byte) Network mask
.
(1-byte) Reserved (set to 0)
-
(3-byte)Metric
.
(1-byte) ToS
.
(3-byte)ToS metric
Network mask (4 bytes): This field has no meaning in a Type 4 LSA and is set to 0.0.0.0.
The address of the ASBR is encoded in the link-state ID field.
Metric C3 bytes): This field provides the cost of the route to the ASBR.
ToS (1 byte): This field describes any optional type of service information used to reach
the ASBR described. This field is not used.
The second router in the backbone (192.168.21.1) generates the other ASBR summary
LSA.
The two ASBRs being advertised are 192.168.21.2 and 192.168.20.4. You can see this
information coded in the link-state ID fields. Because the router ID of the ASBR is a full
32-bit value, the network mask is not needed and is set to a value of 0.0.0.0.
The metrics to each of the ASBRs are encoded in the appropriate field in the LSA. As
with the summary LSA (Type 3), the local router must add the cost to reach a remote
ABR to the encoded metric prior to calculation of the SPF algorithm.
Area 0
192.1 r)'. km I
.
2 *a m. ;:
192.168.21.1 y
R2 172 22.122.0/24
.
10.0.14.0/24
192.168.20.2
1 .2
R6
Area 1
Area ?
Routers 192.168.20.4 and 192.168.21.2 both have export policies configured within
OSPF, which means that they have set the E bit in their router LSAs.
Based on the E bit setting In the router LSAs, the ABRs of 192.168.20.1 and
192.168.21.1 generate ASBR summary LSAs across the area boundaries. In our case,
we see the type 4 LSAs within area 0.0.0.0.
xtema
Originated by ASBRs
.
Has domain scope
. Describes networks external to the OSPF domain
.
Consists of the standard LSA header plus:
.
(4-byte) Network mask
.
(1-byte) E-bit followed by seven 0 bits-default Is E2
.
(3-byte) Metric
.
(4-byte) Forwarding address
.
(4-byte) External route tag
.
(4-byte) Optional ToS fields
AS External LSA
Each ASBR generates a Type 5 LSA to advertise any networks external to the OSPF domain. This LSA
is flooded to each nonstub router in the entire OSPF domain. In addition to the standard LSA header,
the AS external LSA also contains the following fields:
Network mask (4 bytes): This field represents the subnet mask associated with the
network advertised. It is used in conjunction with the link-state ID field which
,
E bit (1 byte): The E bit determines the type of external metric represented by the metric
field. It is followed by 7 bits, all set to 0 to make up the entire byte. A value of 0 the
,
default value, indicates that this is a Type 2 external metric. Thus, any local router
should use the encoded metric as the total cost for the route when performing an SPF
calculation. A value of 1 indicates that this is a Type 1 external metric. Therefore, the
encoded metric of the route should be added to the cost to reach the advertising ASBR.
This additive value then represents the total cost for the route.
Metric (3 bytes): This field represents the cost of the network as set by the ASBR.
Forwarding address (4 bytes): This field provides the address toward which packets
should be sent to reach the network. A value of 0.0.0.0 represents the ASBR itself.
.
External route tag (4 bytes): This 32-bit value field can be assigned to the external
route. OSPF does not use this value, but it might be interpreted by other protocols.
Optional ToS fields (4 bytes): These fields are unused.
Kmim
The external LSDB lists all the LSAs, This listing denotes their domain scope status as
not belonging to a particular OSPF area.
This router is generating the first LSA listed. As with the router LSA earlier, an asterisk
(*) exists next to the link-state ID value and the last line of the LSA states that the LSA
,
is Ours,
.
Different routers generate each of the other three LSAs because the advertising router
field is different for each LSA,
.
Examination of the link-state ID and the network mask fields shows that the four
different networks advertised are 20,20,1.0/24, 20,20,3,0/24, 20.20,5.0/24, and
20.20.6.0/24. Each of these networks has a metric value of 0 encoded. In addition,
each of these LSAs is a Type 2 metric (as seen by the type field). Type 2 is the default
type for route redistribution. It reflects only the cost of the path from the ASBR to the
destination. A Type 1 tells the local router to add the cost to reach the remote ASBR to
the encoded metric prior to calculation of the SPF algorithm. The metric to the ASBR is
used because the forwarding address field for each LSA Is listed as 0,0,0,0,
] mmm
Area 0
192.168,100.1
192.168,20.1 i92.iea.2ii
L 20,20,3.0/24
R2
20,20,1.0/24 172,22,121,0/24 172,22,122,0/24
Rl
R-1 RE 10,0,14.0/24
192,168,20,2 192,168,20,4
20,20.5,0/24
\ 10,0,12,0/24 192,168,21.2
20,20,6,0/24
\
Area 1
ij!
.
When multiple ABRs exist, the ABR with the highest RID
performs the translation
The format of the NSSA external LSA is exactly the same as the AS external LSA (Type 5) described on
an earlier slide. The only difference between the two LSAs is in the use of the forwarding address
field. With the Type 7 LSA, the forwarding address depends on whether the network connecting the
NSSA to the adjacent system is known as an internal route to the NSSA. If the network is known, the
next-hop address of the remote router is placed into the forwarding address field. If the network is
not known, the forwarding address field contains the router ID of the ASBR.
By definition, only NSSA-capable routers can interpret a Type 7 LSA. Having only NSSA-capable
routers able to interpret this LSA type causes a probiem with flooding the routing knowledge
throughout the OSPF domain because not all routers are configured to support NSSA. Furthermore,
the NSSA external LSA represents the same type of information as the AS external LSA, and each
OSPF router expects to receive an LSA for all external routes. This apparent contradiction is resolved
by allowing the ABR to generate an AS external LSA (Type 5) on behalf of the NSSA ASBR. For each
Type 7 LSA received, the ABR translates the information into a Type 5 LSA and sends that
information into the backbone. This translation is performed by the ABR with the highest router ID.
The other backbone routers do not know that the original information came from an NSSA and
perform their duties as previously discussed.
When an ASBR is also an ABR with an NSSA area attached to it, a Type 7 LSA is exported into the
NSSA area by default, if the ABR is attached to multiple NSSAs, a separate Type 7 LSA is exported
into each NSSA by default. Use the no-nssa-abr command to disable the export.
Notice that the LSA is listed within the area 0.0.0.20 database. This listing denotes its
area scope status as belonging to a single NSSA area.
An examination of the link-state ID and the network mask fields shows that the network
advertised is 20.20.6.0/24. This network has a metric value of O encoded. It also is
listed as a Type 2 metric (as seen by the type field).
The NSSA does know the network connecting the ASBR to the remote domain. You can
see this fact by examining the forwarding address field where it lists the router ID of the
ASBR, 192.168.21.2.
Area 0
102168.100.1
192.168.20.1 192.168,21.1
P2 20.20.3.0/24
172 22,121,0/24 172.22,122.0/24
20,20,1,0/24
10,010,0/24
\
R4 Kb 10,0,14,0/24 \
I RR
10,222,1,0/24
20,20,6,0/24
Area 20 /
Area 10
NSSA
The area attached to the 192.168.21.1 router is area 0.0.0.20. It is also currently
configured as an NSSA.
The 20.20.6.0/24 route is being injected into area 0.0.0.20 as a Type 7 LSA. It is
translated into a Type 5 LSA by the 192.168.21.1 router.
Future Extensibility
RFC 2370 defines the OSPF opaque LSA. It was designed to extend the protocol to support future
enhancements without generating new LSA types. As of this writing, production networks use both
the Type 9 and Type 10 opaque LSAs. The Type 9 LSA supports graceful restart. The Type 10 LSA
supports MPLS traffic engineering. The Type 11 opaque LSA is not used at this time.
Flooding Scope
The main difference between the opaque LSAs is in the flooding scope of each type: the Type 9 LSA
has a link-local scope, the Type 10 LSA has an area scope, and the Type 11 LSA has domain scope.
segmented into a 1-byte opaque type field and a 3-byte opaque ID field. The Internet Assigned
Numbers Authority (IANA) has the responsibility of assigning new opaque type codes in the
0-127 range Values between 128 and 255 are set aside for private and experimental use only.
.
Opaque-capable routers communicate their ability to each other by using a new bit in the options
field. Bit position 2 is defined as the 0 bit. A value of 1 in this bit position allows a remote router to
flood opaque LSAs to the local router. A value of 0 tells the remote router not to flood those LSA
types.
0SPFv2 Review
Link-State Advertisements
-
JfTPG'' W.irlriv.'iilMLiluraliunSRrviues
Protocol Operations
The slide highlights the topic we discuss next.
A Floodmg
External
Routes
AreaO Bach hone
Area 0 Area 0
n d n ni Injected
LSA 2 LSAS
LSA1 Area3
LSAS
Area 1 Area 2 Area 3 Area 3
LSAS LSAS i LSAS LSA 4
x
Area 1 Area 2 Area 3 Area 3
/ Area 1
LSA1 LSA 2 LSA1 3A 2 LSA1 LSA 2
. -
Area 3 AreaS
LSAS LSAS
Area 0 Area 3
LSA 5 LSA 5 V Injected
Area 1
VArea 2
In the diagram, two ASBRs inject routes into the OSPF domain. The AS external LSAs (Type 5) that
represent those routes have domain flooding scope (with the exception of stub areas). As such, they
exist within each OSPF area. To reach those external routes, the OSPF routers use either router LSAs
or ASBR summary LSAs (Type 4) to have knowledge of the ASBRs. Much like the Type 3 LSAs, the
ASBR summary LSAs have area scope, so the area border binds them. Each ABR regenerates the
Type 4 summary LSAs Into their respective areas to provide the knowledge of how to route towards
the ASBR that is advertising a given external prefix. This capability leads to Type 4 LSAs for Area 0
being injected into Area 1, Area 2, and Area 3, while a Type 4 for Area 3 is injected into Area 0, Area
1 and Area 2.
,
a Database
Summary 10.222.1.0
*
192.168.16.1 0x80000002 412 0x2 Oxfafa 28
Summary *
10.222 .29.0 192.168.16.1 0x80000002 631 0x2 Oxbblf 28
Summary
*
192.168 .20.1 192.168.16.1 0x80000001 412 0x2 0x87c6 28
ASBRSum 192.168.32.1 192.168.36.1 0x80000001 240 0x2 0x3b07 28
Multiple routers act as ASBRs and inject routes into the OSPF domain. Those routers
are 192.168.16.1,192.168.20.1,192.168.32.1, and 192.168.36.1. The routes
advertised by those ASBRs can be used once the local router has knowledge of how to
reach the ASBR.
One of the ASBRs is the local router, 192.168.16.1. One of the external LSAs lists this
router ID, and that ISA is marked with an asterisk (*). A second ASBR is a router within
Area 0.0.0.1 (192.168.20.1). This router ID Is found within a router LSA in the Area
000
. . . 1 database. A third ASBR is a router within the backbone (192.168.36.1). This
router ID is found within a router LSA in the Area 0.0.0.0 database. The fourth ASBR is a
router in an area beyond the backbone (192.168.32.1). This router ID is found within an
ASBR summary LSA In both the Area 0.0.0.0 and the Area 0.0.0.1 databases.
"
, . Ion
This feature limits the number of LSAs that were not generated by the local router. This protects the
LSDB from being flooded with excessive LSAs. This is a very useful feature if a VPN routing and
forwarding (VRF) instance is configured to use OSPF between the PE and CE routers.
I Of IT orlrlwiclc f (luuimionSori.iccs
Dijkstra Algorithm
After a router receives a new LSA and places it into the LSDB, the router runs an algorithm known as
the Dijkstra algorithm (also called the shortest-path-first algorithm). This computation uses the
database as a data source and results in a loop-free network topology using the best metric from the
local router to all nodes in the network.
During the course of this calculation, the algorithm uses three databases-the LSDB the candidate
,
database, and the tree database. As we have explored, the LSDB is the total compilation of routing
knowledge in the network. Conceptually, it consists of multiple tuples in the form of (router ID,
neighbor ID, cost), which describe each link in the network.
1 . Evaluate each tuple in the candidate database and delete any tuples whose neighbor ID
is currently in the tree database and whose cost to the root is greater than the entry
currently in the tree database. Return to Step 1.
router ID equal to the new tree entry s neighbor ID into the candidate database.
The router calculates the Dijkstra algorithm for each LSDB present on the iocal router. Recall from an
earlier slide that each OSPF area maintains a separate copy of the database. These copies allow
each area to have a separate forwarding topology independent of another area.
The action of calculating the best OSPF route prior to the route being placed into the routing table
has a consequence In regards to the filtering of routing knowledge. An individual filter (or policy)
operates on IP routes that enter the router as IP routes and are placed into the routing table. This
form of data flow is not present in OSPF because the routing information enters the router as an LSA
and is only placed into the routing table after the Dijkstra algorithm is performed. Hence, the best
method of filtering OSPF routing knowledge is to keep that information from being placed into the
database (on a per-area basis) in the first place.
OSPF does offer a limited import-policy functionality. You can use the import statement at [edit
protocols ospf ] configuration hierarchy to block external routes-those learned from Type 5
and Type 7 LSAs-from being installed in the routing table. This import policy does not, however,
prevent LSAs from being flooded. We strongly discourage the use of OSPF import policy because of
the potential for unknowingly discarding traffic.
11 w
Link-State
RTR-A
(A, A. 0)
A i
(A, B. 1)
(A, C. 2)
(B.A. 3)
(B. D, 3)
RTR-B TR-C (C,A. 4)
(C. D. 4)
(D.B, 1)
RTR-D (D,C. 2)
11
SPF Calculation Example: Part 1
In the following slides, a sample SPF calculation is displayed. This graphic shows the beginning state
of the network including the routers involved, the configured link metrics, and the LSDB. The network
and the LSDB have recently converged and the local router, RTR-A, is running a SPF calculation to
determine the shortest path to each node in the network.
lm (2
The lowest, and only, tupie in the candidate database is moved to the tree database and RTR-A
places itself on the network map.
RTR-B
All known nodes in the tree database are removed from the candidate, of which there are none. (For
example, if B were already in the tree database, the tuple (A,B,1) would be eliminated.)
The cost to each neighbor ID from the root is then calculated. It costs RTR-AOto reach itself and Ito
reach RTR-B, so the total cost to RTR-B is 1. The same calculation is done for RTR-C, and the total
cost of 2 is placed into the candidate database.
The lowest cost tuple in the candidate database, (A,B,1), is now moved to the tree database, and
RTR-B is placed on the network map.
ixamp
(A. D. 1) (A. A. 0) -
e
-
(A. B, 1) - 1
(A, C. 2) (A. D. 1) (A. C. 2) 2
(D.A. 3) (A. C. 2)
(B.D. 3) (D.A. 3)
RTR-A
(C.A, 4) (B.D, 3)
IIIIVJL~1
(C D.4) mjrM
(D, B, 1)
(D.C. 2)
RTR-B RTR-C
All known nodes in the tree database are then removed from the candidate. Thus, the (B,A,3) tuple is
removed because RTR-A already has the shortest path to RTR-A.
The cost to each neighbor ID from the root is then calculated. It costs RTR-B 3 to reach RTR-D, and it
costs 1 to reach RTR-B from the root. Therefore, the total cost to reach RTR-D from the root through
RTR-B is 4.
The lowest cost tuple in the candidate database, (A,C,2), Is now moved over to the tree database,
and RTR-C is placed on the network map.
"
. . {S of 0)
Link-State Candidate Tree
1 2
(D.C. 2)
RTR-B\3 RTR-C
®
RTR-D
HMBMMMWMI
Worldwide Education Services
All known nodes In the tree database are then removed from the candidate. Thus, the (C,A,4) tuple Is
removed because RTR-A already has the shortest path to RTR-A
The cost to each neighbor ID from the root is then calculated. It costs RTR-C 4 to reach RTR-D, and it
costs 2 to reach RTR-C from the root. So the total cost to reach RTR-A through RTR-C is 6.
The lowest cost tuple in the candidate database, (B,D,3), is moved to the tree database, and RTR-D
Is placed on the network map.
(B.A. 3) tA - *-)
(B. D. 3) RTR-A
(C. A. 4)
(C. D. 1) 1 (0. n, 4)
(D. D. 1)
(U, R
D, H 5
(D.C, 2) ! ±j
| (U. il)
1 RTR-E a RTR-C
RTR-D
Worldwide EducationServiEes
All known nodes in the tree database are then removed from the candidate. Thus, the (C,D,4),
(D,B,1), and (D,C,2) tuples are removed because RTR~A already has paths to RTR-B, RTR-C, and
RTR-D. The candidate database is now empty of all tuples, so the algorithm stops at this point.
RTR-A now has a complete network map built with the total cost to each node calculated. This
information is then passed to the Junes routing table for its use.
To enhance the convergence time of an OSPF network during a time of topology changes, the
Junos OS by default allows for the SPF calculation to be run three times in a back-to-back fashion
before encountering a mandatory hold-down period. The 5-second hold-down timer used to be
hardcoded into the software but is now configurable. The timer ensures that the network can
continue to forward packets, with potentially incorrect routing knowledge, during the convergence
period. The timer also allows the routing process (rpd) to not hog the CPU at the expense of other
router functions.
Regardless of the configuration of this timer, the mandatory 5-second hold-down timer still starts
after the third consecutive rapid SPF calculation.
A current best practice in today's networking environment is setting the spf-delay value to be
slightly larger than the worst possible propagation delay found in your network. For example, if the
delay across the network is 200 ms, you might set the spf-delay to 250 ms. This setting allows
time for all of the duplicate LSAs to arrive at all routers before the SPF calculation is performed.
}
interface at-1/0/1.100 {
metric 73;
Cost of an Interface
Prior to advertising a network into the OSPF domain, each router must determine the cost associated
with that network. Often referred to as the metric, the cost is simply what the router views as the
overhead associated with transmitting a packet on that interface. Because each OSPF-speaking
router advertises these cost vaiues in its router LSAs, each router can determine the totai cost (or
metric) to reach any destination in the network.
Each router uses an algorithm to determine the cost of each interface-the calculation is
100,000,000 divided by the bandwidth of the interface. If the result of this calculation is less than 1,
it is rounded up to a value of 1. Because 100,000,000 is the same as the bandwidth of a Fast
Ethernet interface (100 Mbps), ail interfaces operating at a faster bandwidth have their calculated
cost less than 1, which becomes rounded up to 1.
If you want to alter the automatic cost calculated by the formula above, you can manually set the
cost for each interface. Within the interface portion of the [edit protocols ospf]
configuration hierarchy, the metric command assigns a permanent cost to that interface. Each
individual interface on the router can have a separate cost assigned to it.
}
interface at-1/0/1.100;
}
The solution is to alter the values used In the bandwidth calculation. This alteration not only allows
for an automatic cost assignment but also maintains a consistent ratio across all the router
Interfaces.
Reference Bandwidth
To alterthe calculation values, use the reference-bandwidth command within the [edit
protocols ospf] configuration hierarchy. The value entered has a value in bits per second. You
can use the standard Junos shortcut notations of k (kilobits per second), m (megabits), and g
(gigabits). The entered value becomes the new numerator value in the bandwidth calculation. As
noted on the slide, you still can assign a metric statically to an individual interface.
io Mim is 20 Mim 25 30
Rl R2 R3 R4
After the OSPF process on a router decides what metric to assign to each interface, that information
is flooded into the OSPF domain within either a Type 1 LSA or a Type 2 LSA. Because these LSAs
have an area flooding scope, each router in the OSPF area receives a copy of the metric values.
SPF Caiculations
After receiving a new LSA from another router in the area, the local router performs an SPF
calculation using all the values contained in the router and network LSAs. As mentioned on a
previous slide, the cost is calculated from the root node to every other node in the network using the
metric cost of the outgoing interfaces.
While the configuration of different metrics for a single link does not affect the operation of OSPF,
asymmetric routing might occur within the network. Asymmetric routing might cause response delays
for some end users and make It challenging for network administrators to troubleshootthe network.
OSPF borrows the overtoad concept from the IS-IS protocol. Its function is to advertise information
into the OSPF area, but it is not to be used for transit traffic, if possible. This function can be useful in
two situations-when a router must be taken out of the network for maintenance, and when the
router has many BGP peers. In the first case, traffic should avoid the router because it can
compromise its ability to forward traffic. In the second case, a network administrator might want the
router to establish its BGP peering sessions fully before handling transit traffic.
Because the overload concept is not native to OSPF, the software is modified to allow for this
functionality. When you configure an OSPF-speaking router for overload, the metrics for all transit
Interfaces are set to the maximum value of 65,535. The overload router floods these LSAs into the
network, where an SPF calculation is performed in each router. The large metric values generally
ensure that transit traffic through the overload router uses alternative paths through the network.
Unlike IS-IS, traffic transits the overload router if no alternative path exists to a given destination.
Overload Settings
You can turn on the overload setting, turn it off as a permanent value, or have a timer associated
with it. If the timer is omitted, the metric values are changed when you commit the configuration. The
values will remain until you remove the overload setting from the configuration and commit it again.
However, if you assign a timer value, the metrics are not changed automatically. The timer
associated with the overload setting only initializes when the routing protocol daemon (RPD)
initializes. This timer can run from 60-1800 seconds. When the timer expires, the metrics return to
normal in the router LSAs, but the configuration still contains the overload option.
Overioaci
R2
Rl \gT / R4
Rl R4
R3
Case Study
Service provider networks are typically built with multiple paths from ingress and egress points for
redundancy. During maintenance operations on a router, it can be beneficial to prevent the router
from receiving and forwarding transit traffic. The overload feature provides this function.
In the graphic R2 is scheduled for maintenance. An alternate path exists through R3, Once R2 is put
in overload mode the other routers will be notified and transit traffic will traverse R3. Any traffic
destined for networks that terminate on R2 will be forwarded to R2.
osw mmwx hi
OSPF Router ID
Each OSPF-speaking router in a network must select a 32-bit value to use as the router ID (RID) of
the router. This RID uniquely identifies the router within the OSPF domain. It is transmitted within the
LSAs used to populate the LSDB and is used to calculate the shortest-path tree using the method
described on a previous slide.
It is very important In a link-state network that no two routers share the same RID value. If two
routers share the same RID value, the LSDB might not be consistent on all routers. This
inconsistency happens because the RID is one method to verify if an LSA is already present in the
database. Therefore, new critical information from one of the routers is never present in all the
routers. In addition, because the Dijkstra calculation uses the RID, it is possible that an individual
router might not generate a loop-free shortest path topology. This scenario could have a disastrous
affect on IP routing.
To avoid possible problems with the OSPF RID changing, you can set the router ID manually within
the Junos configuration. Within the [edit routing-options] configuration hierarchy, the
router-id command assigns a 32-bit value to the RID. By setting this value, the process of using
the router's primary interface value is not used.
Loo
-UK mrtti.-'i Up i\ , fi'k ' r'- - ., JUfllPE r WoHdWldR EducatiOfi Services. . . ... . wwwjuniperri&t f 2-60
As of version 8.5, the Junos OS no longer automatically advertises your loopback IP address, which
may also be your RID, into the network. However, there are several important points to keep in mind
when configuring your router.
If you do not configure interface loO . 0 within an OSPF area, the loopback IP address will be
not be advertised. Thus, the loopback address will not be reachable.
When you configure interface loO . 0 within a specific OSPF area, the loopback IP address will
then only be advertised in the router LSA for that specific area. The ABR attached to Area 2 has its
loopback configured within Area 0. It then advertises the loopback in its Area 0 router LSA only. The
address is still visible to Area 2, but it is encoded in a summary LSA as all the other backbone routes
are.
Agenda: OSPF
0SPFv2 Review
Link-State Advertisements
Protocol Operations
-
>OSPF Authentication
- - ..
.
. . - -
.
.. |
OSPF Authentication
Authentication
The three different forms of authentication that the Junos OS supports are none, simple, and MD5.
As of Junos version 8.3, IPsec was added. IPsec is configured atthe [edit protocols ospf
area area-id interface interface-name] hierarchy using the set ipsec-sa name;
command. See the Junos OS Routing Protocols Configuration Guide for more Information.
Authentication Default
The default operation of the OSPF process is the none mode. Thus, no authentication key Is
configured on any Interface.
Plain-Text Passwords
With simple authentication type configured, each OSPF packet includes a plain-text password. This
password can be captured easily through a packet analysis system. Therefore, although this
password protects against an Inadvertent configuration. It does not provide any security.
Encrypted Checksum
To provide better security in an OSPF network, we recommend that you use an authentication type of
MDS. MDS includes an encrypted checksum in all OSPF packets instead of a simple-text password.
Each OSPF-speaking router uses the same MDS algorithm to calculate the checksum value, so
interoperability and a correct result can be virtually guaranteed.
Authentication Keys
The actual password to verify and authenticate packets is contained within the authentication
command. You can configure each individual interface with an authentication value.
Key ID Values
You configure each individual interface with a key value. All interfaces in the area might share the
same key value, or each interface might contain a separate value.
example in the slide displays the format of the start-time command. When the local router s
time reaches the specified value, the router begins to transmit all OSPF packets using the new key ID
value and password. To begin using a new MD5 key ID immediately, you can use the keyword of now
in place of a specific time and date. The router automatically places the current system time in the
configuration for you.
Ver a
Auth type MD5, Active key id 4, Start time 20 03 Apr 14 11:05:00 UTC
"*
The show ospf interface detail command displays the type of authentication used on the
interface with the Auth type output. Displaying this output occurs regardless of whether you use
per-area or per-interface authentication in your network.
The possible values displayed in the output are None, Password, and MD5. When MD5
authentication is in use, the router also displays the current key ID value and the time which that ID
was first used. If start-time is not specified in the configuration, the value of the Start time
field in the show ospf interface detail command output is the UNIX epoch (1970 Jan 1
00:00:00 UTC).
Dec 1 04:04:58.291934 OSPF sent Hello 172.20.77.2 -> 224.0.0.5 (ge-0/0/l.D IFL S5 area 0.0.0.0)
Dec 1 04:04:58.291985 Version 2, length 44, ID 192.168.2.1, area 0.0.0.0
Dec 1 04:04:58.292047 mask 255.255.255.252, hello ivl 10, opts 0x2, prio 128
_
Dec 1 04:04:59.756848 OSPF packet ignored: [authentication type mismatch |(21 from 172.20.77.1
Dec 1 04:05:08.197177 OSPF periodic xmit from 172.20.77.2 to 224.0.0.5 (IFL 65 area 0.0.0.0)
Dec 1 04:05:09.047239 OSPF packet ignored: fauthiTjtication tvoe mismatch] (2) from 172.20.77.1
Ib ( ducatiun Seruoes
Authentication Mismatch
OSPF routers must agree on the authentication method to be neighbors. Use the traceoptions
commands if you suspect there may be an authentication mismatch.
The log shows that the iocai router Is "Ignoring" an OSPF packet from 172.20.77.1 due to an
authentication mismatch. No authentication method Is configured on the local router, so the type is
none. The remote router has MD5 authentication configured.
3 .
What are the different forms of OSPF
authentication?
irlifv.lil.' I dm .ii
. Sciviixs
Review Questions
i.
iectives
able to;
.
Describe OSPF area types and operations
.
Configure various OSPF area types
. Summarize and restrict routes
Sf WDrldwitteEdMcalionServices
The slide lists the topics we cover in this chapter. We discuss the highlighted topic first.
mam mmmm
c AreaO
***
**
i
®
AreaO
'
orltlwicle Eciucation Services
OSPF Scalability
With a iink-state protocol, flooding link-state update packets and runningthe shortest-path-first (SPF)
algorithm consume router resources. As the size of the network grows and more routers are added to
the autonomous system (AS), this use of resources becomes a bigger and bigger issue. This issue
stems from the RFC requirement that all OSPF routers share an identical link-state database (LSDB).
Eventually, the routers spend so much time flooding and runningthe SPF algorithm that they cannot
route data packets. Clearly, this scenario is not optimal.
In addition to adding new OSPF areas that restrict LSA flooding, you can also perform route
summarization on the borders between OSPF areas. Route summarization has two key benefits:
It reduces the size of the LSDB; and
It can hide some instabilities in one OSPF area from all other OSPF areas.
For route summarization to be effective, you must carefully plan the addressing within your OSPF
network so that subnets can be more easily summarized. Complete coverage of route summarization
is beyond the scope of this course.
Areas
.
An AS can be divided into smaller groups called areas
.
LSAflooding can be constrained to an area, which
effectively reduces the size of the LSDB
.
All routers maintain an identical copy of the LSDB on a
per-area basis
OSPF Areas
Using OSPF, you can segment an AS into smaller groups known as areas. Using areas achieves the
OSPF hierarchy that can facilitate growth and scalability. You can constrain LSA flooding by using
multiple areas, which can effectively reduce the size of the LSDB on an individual OSPF router. Each
OSPF router maintains a separate and identical LSDB for each area to which it is connected.
To ensure correct routing knowledge and connectivity, OSPF maintains a special area known as the
backbone area. The backbone area is designated as Area 0.0.0.0 (or simply Area 0). All other OSPF
areas must connect themselves to the backbone area. By default, all data traffic between OSPF
areas transits the backbone. You can aiter this default behavior and eliminate the requirement of all
interarea traffic transiting Area 0.0.0.0 by configuring a multiarea adjacency on the same logical
interface. The multiarea adjacency feature is documented in RFC 5185 and is discussed in the next
chapter.
RIP :
'
orldwiiJe Education Serviues
OSPF Routers
OSPF routers can perform several different roles within an OSPF domain. The following list shows the
common types of OSPF routers along with a brief description:
Area border router (ABR): An OSPF router with links in two areas, the ABR is responsible
for connecting OSPF areas to the backbone. It transmits network information between
the backbone and other areas.
.
Autonomous system boundary router (ASBR): An OSPF router that injects routing
information from outside the OSPF AS, an ASBR is typically located in the backbone.
However, the OSPF specification allows an ASBR to be in other areas as well.
Backbone router. Defined as any OSPF router with a link to Area 0 (the backbone), this
router can also be an internal or area border router depending on whether it has links to
other, nonbackbone areas.
Internal router: An internal router is an OSPF router with all its links within an area. If
that router is located within the backbone area (Area 0.0.0.0), it is also known as a
backbone router.
Backbone
(0.0.0.0)
Default Route
External Routes
Intra-area or internal routes: Routes that are generated from within an area, where the
destination belongs to the area;
Interarea or summary routes: Routes that originate from other areas; and
External routes: Routes that originate from other routing protocols, or different OSPF
processes, and that are injected into OSPF through redistribution.
When you configure an ABR for stub area operation, a default route Is normally advertised in the
place of the external routes that are blocked from stub areas. The default route provides routers in
the stub area with reachability to external destinations. In the Junos operating system, ABRs require
explicit configuration for default route generation.
Note that you cannot create a virtual link through a stub area, and a stub area cannot contain an AS
boundary router.
A stub area with no-summarles Is a stub area that receives only the default route from the backbone.
ABRs do not flood LSA Type 3, Type 4, or Type 5 Into totally stubby areas.
An OSPF stub area has no external routes In It, so you cannot redistribute routes from another
protocol into a stub area. A not-so-stubby-area (NSSA) allows external routes to be flooded within the
area. These routes are then leaked into other areas. However, external routes from other areas still
do not enter the NSSA. (ABR does not flood LSA Type 4 and Type 5 Into an attached NSSA.)
f
\J\
ASBR ASBR \
-
ABR
\
Originated by ABRs, Describe networks in
the AS butoutsideof area (interarea). Originated byan ASBR. Describe externa Used by not-so-stubby a reas to import
Also describe the location of the ASBR. destination prefixesora defaultroute. external routes intoa stubarea,
Router (Type 1): Router LSAs describe the interfaces and neighbors of each OSPF router
to all other OSPF routers within the same area (intra-area).
.
Network (Type 2): Network LSAs describe an Ethernet segment. These LSAs are sent by
the designated router to other OSPF routers within the same area (intra-area).
.
Summary (Type 3): Summary LSAs describe IP prefixes learned from router and network
LSAs. These LSAs are sent by the ABR attached to the area from where the prefix
Information was learned and sent to other OSPF areas (interarea). Note that as
summary LSAs are re-injected into different areas, the LSA type never changes, but the
cost and advertising router details do change.
ASBR Summary (Type 4): ASBR Summary LSAs describe the router-id of ASBR routers
located in remote areas. These LSAs are sent by the ABR attached to the area in which
the ASBR is located to other OSPF areas (interarea). Note that as ASBR summary LSAs
are re-injected into different areas, the LSA type never changes, but the cost and
advertising router details do change.
NSSA External (Type 7): NSSA External LSAs are similar to External LSAs (Type 5)
because they describe IP prefixes redistributed from other routing protocols, such as
RIP, BGP, or even static routes. These LSAs are sent by ASBRs In NSSA areas. These
LSAs are translated to Type 5 LSAs by the ABR attached to NSSA area in which the Type
7 LSAs originate.
In addition to the LSA types already discussed, the OSPF specification also Includes the following LSA
types:
Type 6: Multicast OSPF LSA;
Type 10: Opaque LSA (area scope-used for traffic engineering); and
External
Routes
Area 0
Backbone Injected
(0,0.0.0) Area 0
LSA1 LSA2
LSA5
Area r
LSAS
/
i Area 0
.
dA i LSA 2 LSA1
Area 0
LSA 2
f Area 0 Area 0
Area 0
LSA 3 LSA 3 LSA 4 LSA 3
LSA 41 ; LSA 4
Area 3 Area 3
LSAS LSAS
/
Area 0
LSAS
Area 3
LSA h
X Area 0
LSAn
Areas /External
LSAS
Houtes
1
\
AreaO
LSA c
__
Area 3
LSA 5
I
\ IArea 1 Area 2
Injected Vl 3 /
Note that LSA Types 1 and 2 are generated within each area. Because these LSAs have an area
flooding scope, they remain within their own particular area and are not seen in other areas. The
ABR places the routing information contained within these LSAs into a Type 3 LSA and forwards it
across the area boundary. In addition, existing Type 3 LSAs within the backbone are forwarded into
the non-backbone areas to provide routing information to those routers. This process results in Type
3 LSAs within every area that represent all OSPF internal routes. Within Area 1, for example, Type 3
LSAs exist that represent Area 0, Area 2, and Area 3.
In the diagram, two ASBRs inject routes into the OSPF domain. The AS external LSAs (Type 5)
representing those routes have a domain flooding scope (with the exception of stub areas). As such,
they exist within each OSPF area. The OSPF routers use either the router LSA or the ASBR summary
LSAs (Type 4) to gain knowledge of how to best route to the advertising ASBRs. Much like the Type 3
LSAs, the ASBR summary LSAs have area scope, so they are bound by the area border. However, the
ABR has the capability to regenerate and forward Type 4 LSAs across area boundaries to provide the
required knowledge of the best routes to each ASBR. This capability leads to Type 4 LSAs for Area 0
and Area 3 being within all the OSPF areas in the network.
The operation of an OSPF stub area reduces the size of the link-state database within that area by
'
eliminating AS external routing information. When all of an area s routers agree to operate in stub
mode, the ABR stops forwarding Type 5 external LSAs Into the area. In addition, the ABR also stops
generating Type 4 summary LSAs, because they are no longer needed due to the suppression of
Type 5 external LSAs.
Because the definition of a stub area does not allow the use of external LSA information within the
area, no functional AS boundary routers can exist within a stub area. If any ASBR configuration
exists, the router will generate one or more Type 5 LSAs and place them into its local database.
However, these external LSAs cannot be sent out any Interfaces supporting stub operation.
Continued on the next page.
For similar reasons, a stub area cannot support a virtual link because the area attached to the
backbone through the stub area might require external LSA information. Because the transit routers
cannot forward the Type 5 LSAs, the far-end area would not receive the correct information.
ea External
Routes
Backbone
Area 0 Area 0 Injected
(0,0.0.0) AreaO
LSA1 LSA 2
Area
/An 1
LSA1
Area 0
LSA 3 LSA 4 LSA 3
LSA 3 LSA 3 LSA 4
Area 3
LSAS
No
Type 5
\ Area 0
LSA 5
Area -
LSA 5 External
Area 3
LSA 5
/
Stub LSAs Alca A
Routes Area S
here! Injected
The operation of an OSPFstub area with no summaries further reduces the size of the LSDB within
that area by aiso omitting Type 3 summary LSAs. This behavior has the effect of the routers within
the area oniy having Type 1 router and Type 2 network LSAs in their databases. This type of area is
known as a Totally Stubby Area because a default route is now needed to reach AS external and
interarea prefixes.
As before, no functional AS boundary routers can exist within a stub area, regardless of whether
summaries are permitted.
Like a stub area, a stub area with no summaries cannot support virtual links.
External
Routes
Backbone
Area 0 AreaO
Injected
LSA2
(0.0.0.0)
LSAl
LSAS
Area 3
i f -
1I
Area 1
LSAS
Area 3
LSAS
R7
Area 0 Areas
/Type 5 LSAS Stub With
/ LSAs / External- Mo Summaries
As discussed previously, the ABR of Area 3 has stopped forwarding the Type 5 LSAs from Area 0 and
has also stopped generating the Type 4 LSAs from Area 0. In addition, Area 3's ABR also no longer
generates Type 3 LSAs for the other OSPF areas. This fact has left the LSDB for Area 3 quite small.
Another interesting phenomenon has occurred as well. Recall that one of the Area 3 routers
previously acted as an ASBR. While the ASBR portion of that router's configuration did not change,
its operation changed into a stub network. This change causes the router to generate Type 5 LSAs
and place them into its own database. However, because all interfaces are now operating in stub
mode, the router has no ability to forward them. As such, notice that the entire network has lost
knowledge of the Type 5 LSAs from Area 3.
Area ©nfiguration
interface so-0/1/1.0;
}
The need to manually assign the metric before the default route is generated provides additional
control. The administrator can control how, or if, traffic will leave the stub area by controlling which (if
any) ABRs advertise a default route as well as the metric for that route.
mmm:;m Area
PF Areas
>NSSA Operation
NSSA Configuration
Route Summarization
NSSA Operation
The slide highlights the topic we discuss next.
Not itiiiibfAirdaa
_ ; \
In a similar fashion to a stub area, an NSSA cannot support a virtual link. Again, the area attached to
the backbone through the NSSA area might require external LSA information. Because the transit
routers cannot forward the Type 5 LSAs, the far-end area does not receive the correct information.
Area 3
LSA 5
Area 0
Area 0 Area 3 LSA 3 Area 0 Area 1
LSAS LSAS LSA 4 LSAS
Area 1
Area 2
Area 2 LSAS Area 3
LSAS
LSAS LSA 4
Area 3
LSA 3
R7
Area 3
Area 3 Area 0
LSA 7
'
External
Area 1 Area 3
oType 5 or Routes .
Area 2 ISSA
Type 7 LSAs! Injected
Recall that an ASBR Is configured within Area 3. To allow that routing information to be propagated to
the rest of the OSPF domain, the ASBR generates a Type 7 LSA for these routes. Each of the routers
in Area 3 now can forward these LSAs because they each are configured as an NSSA router. When
the information reaches the Area 3 ABR, it performs a Type 7 LSA to Type 5 LSA conversion and
injects the Type 5 LSA into the backbone. All other OSPF routers In the domain use the Type 5 LSA as
normal and have no knowledge that the routes originated within an NSSA.
no-summaries
The operation of an OSPF NSSA with no summaries assists the routers within that area by further
reducing the size of the LSDB. In addition to the ABR not forwarding Type 5 external LSAs, and not
generating Type 4 summary LSAs, the ABR also stops flooding Type 3 LSAs into the NSSA. This
process has the effect of the routers within the area having only Type 1 router. Type 2 network, and
Type 7 (NSSA) LSAs in their databases.
Like a regular NSSA, an NSSA with no summaries cannot support a virtual link.
External
Routes
Backbone
Area 0 Area 0 Injected
(0.0.0,0) Area 0
LSA2
Area 3
LSA5
Area 0 Area 0
Area 0 Area 2 LSA 4
LSA 3
Area 1 Area 3
Area 3 Area 3
LSA 3 LSA 4
LSA 3 LSA 7
Area3
Area 3
Area 3 Area 0 NSbA
External
LSA 5 LSA 5
Area 1 Routes Summaries
Stub Area 2
LSAs!
Injected
>NSSA Configuration
Route Summarization
.-. -
NSSA Configuration
The slide highlights the topic we discuss next.
NS - 1 m
interface so-0/0/0.0;
j
Configuration on All Routers
To operate an OSPF NSSA successfully, you must configure each routerto participate. This
configuration alters the N/P bit setting in the Options field of the OSPF hello packet to notify all
neighbors that the local router does not support Type 5 external LSAs, but does support Type 7
external LSAs. An OSPF router only forms an adjacency with another router when the N/P bit values
match-hence, the requirement that all routers perform the configuration.
no-summaries;
Agenda;; \ .
*
Review of OSPF Areas
Route Summarization
The default operation of an ABR is to generate a Type 3 summary LSA into the backbone area for each
Type land Type 2 LSA in the LSDB. The configuration of a stub or stub area with no summaries does not
affect this operation because a stub configuration only alters information that enters the nonbackbone
area.
Route Summarization
To reduce the size of the LSDB in Area 0.0.0.0 (and other remote OSPF areas), you can configure the
ABR not to perform its default one-for-one mapping function. This is accomplished using an address
range statement on the ABR with the area-range command. All Type 1 and Type 2 LSAs that fall
within that address range will no longer be advertised individually into the backbone. Instead, a
single Type 3 summary LSA is advertised. The metric associated with this summary route will be
equal to the highest metric associated with the individual contributing routes.
Because only the ABR performs this mapping function, you configure the area-range command
on ABR routers only.
Route Summarization
To reduce the size of the LSDB in Area 0.0.0.0 (and other remote OSPF areas), you can configure the
ABR not to perform its default one-for-one mapping function. You can configure an address range on
the ABR by using the area-range command within the NSSA configuration hierarchy. All Type 7
LSAs that fall within that address range are not advertised individually into the backbone. Instead, a
single Type 5 external LSA is advertised.
Because only the ABR performs this mapping function, only the ABR is configured with the
area-range command.
Note that the area-range command referenced here is specific to the NSSA configuration
hierarchy and only affects Type 7 LSA routes. The area-range command discussed in the previous
slide was within the area hierarchy itself and affected Type 1 and Type 2 LSA routes. The
configuration can have these two commands in place at the same time, and they will summarize
different aspects of the local area routing domain.
Suppressing Routes
The default action of the area-range command causes the generation of a single Type 3 summary
LSA into the backbone for all prefixes that fall within the defined range. You can configure the ABR
with the restrict keyword to block one or more prefixes from advertisement into the OSPF
backbone. Such a configuration will prevent routing information from each Type 1 and Type 2 LSA
that fails within the address range from being advertised to the backbone, which in turn can block
connectivity to those prefixes for routers in other areas.
Use the restrict function when you want to prevent interarea routing, or when you want a default
route to be used Instead of the more preferred summary information that would otherwise be
generated.
Because only the ABR is responsible for this mapping function, you configure only ABR routers with
the area-range restrict command.
orgies r
Because only the ABR is responsible for this mapping function, you must configure only the ABR with the
area-range restrict command.
Summary
Review Questions
3 .
How do routers in a stub area or NSSA reach
addresses outside of the OSPF domain?
4 .
Which OSPF areas see the effect of the
area-range command?
Review Questions
i .
lm Objectives
>Virtual Links
Virtual Links
The slide lists the topics we cover in this chapter. We discuss the highlighted topic first.
fschnical OSPF (1 of 5)
R4
ri -10.200.1.1
: :
-
R2 - 10.200.1.2
R3 - 10.200.1.3 Area 1 fc t-J Area 2
R4 - 10.200.1.4 R5
R5 - 10.200.1.5
1 de Education Servioes
L _
Technically speaking, an area border router (ABR) is a router that connects two OSPF areas together.
In normal cases, ABRs will be connecting Area 0 to other areas. However, networks can actually
function without an Area 0 and with only two areas. So, is this router an ABR? How does OSPF
indicate its ABR status to other routers?
fee : mm 3
ri -10.200.1.1 Ri
R2 - 10.200.1.2
R3 - 10.200.1.3 Area 1 Area 2
R4 - 10.200.1.4 R2
R5 - 10.200.1.5
[edit]
use3:@R3# show ospf database
OSPF link state database. Area 0.0.0.1
Type ID Adv Rtr Seq Age Opt Cksum Len
Router *10.200.1.3 10.200.1.3 0x80000004 326 0x22 0xl2f8 60
jbits 0x1, j link count 3
id 10.200.11.1, data 10.200.11.2, Type Transit (2)
TOS count 0, TOS 0 metric 1
id 10.200.12.1, data 10.200.12.2, Type Transit (2)
TOS count 0, TOS 0 metric 1
id 10.200.1.3, data 255.255.255.255, Type Stub (3)
TOS count 0, TOS 0 metric 0
An OSPF router is an ABR when the b bit is set in the router link-state advertisement (LSA), also
referred to as a Type 1 LSA. The slide indicates this setting by the bits field of 0x1. The other bits in
the field are used to indicate virtual links or autonomous system boundary router (ASBR) routers.
cal
R2 - 10.200.1.2
R3 - 10.200.1.3 Area 1 Area 2
R4 - 10.200.1.4
R5
R5 - 10.200.1.5
Summary LSA
One of the primary jobs of the ABR router is to generate summary LSAs into its attached areas. This
function provides interarea connectivity for the non-ABR routers.
Technical OSFF (4 of S)
Rl - 10.200.1.1
R2 - 10.200.1.2
R3 - 10.200.1.3
R4 - 10.200.1.4
R5 - 10.200.1.5
Technical OSFF (S of S)
Summary 10.200 1 1
. 10.200.1.3 0x80000002 1083 0x22 0xd6b8 28
Sunmiacy 10.200 1 2
. 10.200.1.3 0x80000002 876 0x22 Oxcccl 28
Summary 10.200 1 3
. 10.200.1.3 0x80000002 148 3 0x22 0xi)8d5 28
*
Summary 10.200 1 6
. 10.200.1.5 0x80000001 272 0x22 OxSaee 28
B Educations
Even though the LSA's are present in the OSPF database, a show ospf route command does
not show the routes to Rland R2. The SPF calculation Is removing those entries in its decision tree.
The loop detection mechanism in OSPF causes this action. Essentiaiiy, R5 will only accept summary
LSAs from routers from the backbone. Because an ABR would have a full view of each connected
area, and it does not see Rl and R2, it ignores the summary LSA.
Wmmmvmm )
Technical OSPF
« An ABR not connected to Area 0
Technical OSPF
Any router running OSPF attached to multiple areas is known as Area Border Router
(ABR). An ABR will have topological information of ail attached areas and will run SPF for
"
each area. (Section 3.3)
Technically, you can create multiarea OSPF network with no Area 0. However we do not recommend
,
this configuration because SPF will process all LSAs in all areas and the ABR loses Its OSPF loop
detection mechanism.
Functional OSPF
in practice, an ABR should always be connected to Area 0. Because the ABR calculation Is similar to
a distance vector protocol when processing the Type 3 LSA, a loop avoidance mechanism must be in
place. This requirement is met with an Area 0 and a rule that SPF will only process LSAs within that
area database.
Unpredictable results
-
Loops
-
Missing routes
.
Can require temporary solutions
-
Virtual tunnels
. Permanentsolutions
-
Physical connectivity
company must connect their respective Area O s together to form a single contiguous backbone. The
easiest solution will be new physical connections between the routers in each company. However,
this Is often easier said then done, and time can be a deciding factor. For these cases, a temporary
solution such as virtual tunnels or virtual links can be deployed.
Wtym
Corporate
Headquarters Service
0315
Center
Distribution
Center
I
: OSPF OSPF
Area 0 Area 20
V Training ISPB
iit;i
Corpora
Net-vo Sales Off 7
o
OSPF
Area 0
Center
Dlstributiid
Distrib ution
.
Center
Center
"
OSPF
rea 100
Case Study
in this case study, Petroleum Inc. (ISP A) acquires Bob's Oil and Gas (ISP B). Both networks are
running muitiarea OSPF, and they must get the two networks communicating quickly.
Corporate
Io0i72 lh :n :-;
Headquarter
Data 100172.16.10.1 csn
Center
Distribution
Center
OSPF OSPF
Area 0 Area 20
ISPB
Corporate
Office
Sales
Network "
an n Office
-
Operation Center
Io0172?i6
Distributioh-
Cepter
Area 100 12
.
Frame Relay
Office DSP
Sales/Sen/ice OSPF Area 400
Center Area 200/ qSPF Sa les/Beivice
Cente
Connectivity Issues
As soon as the physical connection is created, limited connectivity is achieved. For example, the
'
sales office at Bob s (ISP B) can reach the neighbor router, but the corporate routers cannot. The
cause of this limited connectivity is the lack of a contiguous Area 0 backbone.
Virtual funnel (1 of 2)
Virtual link
.
Provides a logical connection
.
Used for areas not physically connected to Area 0
.
Usedto connecta discontiguous Area 0
.
Tunnels OSPF packets through a transit area
. Creates a virtual ABRto remote routers
.
Configuration on both ends of the tunnel
.
Control plane only
.
SPFwill calculate the shortest path to all routes
Virtual Tunnels
One soiution to the connectivity problem is to create a virtual tunnel between the two backbone
areas of the companies. This feature, known as a virtual link, provides a logical connection between
areas. Essentially, OSPF packets are tunneled through a transit area to establish an OSPF adjacency
and logically connect the two areas together. This establishes full connectivity between the two
companies.
Remember that a virtual tunnel is a control plane feature only. SPFwill still calculate the shortest
physical path between two points, which might not be the same path as the virtual tunnel. This could
create some confusion when troubleshooting, which is one of the primary reasons virtual tunnels are
not considered long term solutions.
of
Corporate
100172.16.10.3
Headquarters Sewice
Cc.rci [00172.18.10.1 nter
Center
Distribution
v
Uonter
OSPF OSPF
Area 0 Area 20
ISPB
Corporate
Offi
TrainingCenter Sales oO 192.168.1
Networ PR
Off!
Operation Center 100172.16.10.2 Area 0 ;
!00172.16.10.4 \
Distribution Center
Z Distribution
oO 172.16.20 Center
OSPF les/Setvice
A -ea 10 Center S 100192.168.1.2
Office
100172.16.20.2 OSPF
Area 400
Area 200 OSPF
Area 300
ioO 192.168.10.1
In this case, a virtual link is established between ABRs in each company. These ABRs must be
attached to Area 0.
fe-0/0/0.1Dl BDR 0 0 0 0
. . . 192.168.1.2 192 168.1 1 1
BDR 0 0 0 0
. . . 192.168.1.3 192 168.1 1 1
|vl-172.16.10.2| PtToPt 0 0 0 0
. . .
0 0 0 0
. . .
0 0 .
0 0
.
1
tl-0/O/Z.O PtToPt 0 0 0 10
. . .
0 0 0 0
. . . 0 0 .
0 0
.
1
Once the two ends of the link can communicate, the virtual link becomes an operational OSPF
interface. It appears in show commands and within the OSPF link-state database (LSDB). It is always
noted in a format of vl-neighbor-id, where vl denotes it as a virtual link, and the
neighbor-id is the RID of the far-end router.
Mmk urat
Contiguous Area 0
.
Type 1 LSAs are exchanged over the tunnel
bob8Corporate> show ospf clatatoase
.
Routes are installed in the routing table
bob@CorpDi:ate> show route protocol ospf
; Education Services
Contiguous Area 0
Once the neighbor is established over the virtual link, connectivity Is restored, all LSAs are
processed, and routes to each company are installed into the routing table.
Virtual Links
-
ivotlilwide [ din
.
ii .iii Services
Multiarea Adjacencies
RFC 5185 defines muitiarea OSPF adjacencies as the following:
"
mwm :ency (1 m
c Ri
SPF Area 0
PS
Traffic to
loO.O 192.163.10.2
loO.O 192.168.10.1
Rl
Rl -- R2:
R2: 10.:
10.200,1/24
Rl
Rl -- R3:
R3: 10.:
10.200.2/24
Rl
Rl -- R4: 10.:
R4: 10.200.3/24 R
R2 - R3: 10.:
10.200.4/24
R2
R2 -- R4:
R4: 10.:
10,200.5/24
loO.O 10.200.0.1 loO.O 10.200.0.2
Case Study
The slide displays the case study topology.
OSPFArea
Traffic to
loO.O 192,168,10,2
10.200,0.1
loO.O 192,16810,1
Rl - R2: 10,200.1/24
Rl - R3; 10.200,2/24
Rl - R4: 10,200,3/24
R2 - R3: 10,200,4/24
R2 - R4: 10.200.5/24
ioO.O 10.200.0.1 loO.O 10,200,0,2
Link Failure
In normal operation, if a link failure occurred between Rl and R3, traffic from Rl to R3 would flow
from R4to R2 and then to R3.This creates three hops to reach a router that was previously one hop
away.
Multiarea adjacency
=
Rl .2
OSPFArea 0
Traffic to 1 1
ioO 0 192.168.10.2
wmor
loO.O 192.168.10.1
OSPFArea 100
Rl - R2:
R2; 10.;
10.200.1/24
Rl - R3: 10.:
10.200.2/24
10.; R3 R
Rl - R4; 10.200.3/24
R2 - R3;
R3: 10.:
10.200.4/24
R2 - R4; 10.200.5/24
10.;
"
Adjacency Verification
Verify adjacencies with the show ospf neighbor command.
Normal Trace
lultiarea Adjacency (2 of 4)
.
The trace takes the R4 - R2 - R3 path
ge-l/0/4.1102 DR 0 0 0 100
. . . 192.168.10.1 10.200.0.2 1
Point-to-Point Interface
Interface ge-1/0/4.1100 now has two OSPF links, however, the secondary link show up as a point to
point interface.
Adjacency Is Formed
Two adjacencies are now formed over ge-i/0/4.1100 for Area 0 and Area 100.
With the multiarea adjacency feature configured, the trace now requires only 2 hops, compared with
the default case of 3 hops.
Virtual Links
>External Reachability
Qf Wnrltlwide EctuoatiotiServices
_
External Reachability
The slide highlights the topic we discuss next.
m React
Route Redistribution
In order for route distribution to occur, an export policy must be written and applied. Because
external routes in OSPF have an interarea flooding scope, the policies are applied globally. This
feature allows external routes to be sent into all areas that allow it. When an external route is brought
into OSPF, it appears as an external Type 5 LSA of Type 2. If an external LSA Type 1 must be
configured, you can modify it with a policy.
Mutual redistribution
.
Redistribution from multiple routers
.
Redistribution from multiple protocols
. Redistribution rule
.
Source route has a lower preference
-
No problem
.
Source route has a higher preference
-
Sub-optimal routing
-
Routing loops
Mutual Redistribution
Special care must be taken when redistribution is configured in a networks When multiple
redistribution points are present sub-optimal routing and loops could occur. Generally, if the source
route has a lower preference than the protocol into which it is being redistributed, no issues occur.
However, when the source route has a higher preference, issues can occur. Several methods exist to
resolve these issue, but the easiest method usually involves modifying route preference values.
v eternal Routes (1 of
OSPFArea 100
SPFArea 0
Not-So-Stubbv-Area
R4 3
10.200.0 loO 10.200.0.4
orlrtv/iileEduciitiunSemccs
-
Sti- m
V tudy xter t
Type 2, TOS 0x0, metric 2, |fwd addr 10. 200. 0. 1,[ tag 0.0.0.0
The Rl ASBR address is advertised in the forwarding
address of the Type 5 LSA
A Type 4 LSA is created in the Area 0 database
user@Rl> show ospf database asbrsiumnary
Wnrldwicle kflucalionSmices
ABR Translation
Because the route was originated from the NSSA, the ABR must convert the Type 7 LSA to a Type 5
for interarea advertisement.
Forwarding Address
When the ABR translates the Type 7 Into a Type 5, it places the ASBR's address Into the forwarding
address. This action supports optimal routing because only one ABR will translate the Type 7s to
Type 5s in the presence of multiple ABRs. This router might not be in the optimal path for routers in
other areas.
ASBR Summary
The ABR also create a Type 4 LSA to represent the ASBR to other areas.
0 0 0
. . . 0/0 * [RIB/100] 00:03:18, metric 2, tag 0
> to 10.200.5.2 via fe-0/0/1.210
[OSBE/150] 00:24:48, metric 11, tag 0
> to 10.200.62.9 via fe-0/0/0.221
The next step is to redistribute the default route into OSPF using an export policy under RIP. By
default, RIP has a lower preference than OSPF external routes.
Because RIP has a better preference, the default route for RIP is preferred. In the sample network,
this preference creates a loop, because the OSPF routers point to the RIP router as their gateway,
and the RIP router points to the OSPF ASBRs.
To fix the loop, modify the OSPF route preference to a lower value than the RIP route.
Mutual redistribution
. The default route has been fixed
.
The RIP route is now a higher preference (100) than the
external OSPF preference (90)
usereR2> show route 0/0
The Result
The result of the preference change is now a default that points properly to the ABRs in the NSSA.
SPF Review
After a router receives a new LSA and places it into the LSDB, the router runs an algorithm known as
the Dijkstra algorithm (also called the shortest-path-first [SPF] algorithm). This computation uses the
database as a data source and results in a loop-free network topology using the best metric from the
local router to all nodes in the network.
During the course of this calculation, the algorithm uses three databases-the LSDB, the candidate
database, and the tree database. As we have explored, the LSDB is the total compilation of routing
knowledge in the network. Conceptually, it consists of multiple tuples in the form of (router ID,
neighbor ID, cost), which describe each link In the network.
'
Sf WoridwtUeEUucationServices wwwiuniperiitt i 4-33
Import Policy
An import policy can be applied between the tree database and the routing table. This allows filtering
of routes from the LSDB to the routing table but it only applies to external routes, as in the case for
OSPF export policy. Note that the database stays consistent and the import policy does not block any
normal LSA flooding.
'
orldwirie Education Services
Modify Policy
To see prefix iimits in action, a policy is modified to send ali RIP routes into OSPF.
RIP Redistribution
Prefix Limit
To stop the large amount of LSAs that could enter the router, a prefix limit of zero is configured.
The Result
The result is that no RIP routes are distributed. This prefix limit setting ensures that a configuration
error does not affect your network.
Summary
Review Questions
Review Questions
i .
tut* NeM,i-i..
.
. n< -i. r.-v . r .. JUH PSf WiuliKviile tiluudlion Ser.iues vww mnipernef i 4-44
Chapter 5: IS-IS
Advanced Junos Service Provider Routing
actives
f.
>» orldv/iile Edutation Smices
Agenda: IS-IS
-
>Overview of IS-IS
IS-IS PDUs
Overview of IS-IS
The slide lists the topics we cover in this chapter. We discuss the highlighted topic first.
Overview of IS-IS
RFC2763
The IS-IS protocol is an IGPthat uses link-state information to make routing decisions. It also uses an
shortest-path-first (SPF) algorithm, similar to OSPF.
The ISO
The protocol was developed by Digital Equipment Corporation for its DECnet Phase V. The
International Organization for Standardization (ISO) standardized IS-IS to be the routing protocol for
the ISO's Connectionless Network Protocol (CLNP) and Is described in ISO 10589. The ISO was
working on IS-IS at the same time as the Internet Advisory Board (IAB) was working on OSPF. ISO
proposed that IS-IS be adopted as the routing protocol for TCP/IP in place of OSPF. This proposal was
driven by the opinion that TCP/IP was an interim protocol suite that would eventually be replaced by
the OSI suite.
Integrated IS-IS
CNLS
Connectionless Network Service (CLNS) is the service that Connectionless Network Protocol (CLNP)
provides to route messages to their destinations. This service is independent of any other messages
and can transmit data before a circuit is established.
Dual IS-IS
The Integrated IS-IS protocol was proposed to support the transition from TCP/IP to OSI. Integrated
IS-IS, also known as dual IS-IS, provides a single routing protocol capable of routing both CLNS and
IP. Integrated IS-IS was developed to operate in a CLNS, IP, or CLNS/1P setting.
Single Algorithm
Like all integrated routing protocols. Integrated IS-IS requires that all routers run a single routing
algorithm. Link-state protocol data units (PDUs) sent by routers running Integrated IS-IS include all
destinations running either IP or CLNP Network Layer protocols. Routers running Integrated IS-IS still
must support protocols such as Address Resolution Protocol (ARP), Internet Control Message
Protocol (ICMP) for IP, and the End System-to-lntermediate System (ES-IS) protocol for CLNP.
Link-State PDUs
Standard IS-IS packets must be modified to support multiple Network Layer protocols. IS-IS packet
formats were designed to support the addition of new fields without a loss of compatibility with
nonintegrated versions of IS-IS.
IS-IS adds type/length/value (TLV) objects (discussed further on the following pages) to support
integrated routing. These TLVs tell intermediate systems (ISs) which Network Layer protocols are
supported by other ISs and whether end stations running other protocols can be reached. They also
include any other required Network Layer, protocol-specific information.
Junos Support
M Series and MX Series Multiservice Edge Routers and T Series Core Routers only support IP routing
with IS-IS. They do not support CLNP or CLNS routing. SRX Series Services Gateways and J Series
Services Routers do support full IS-IS CLNP routing, including ES-IS routing.
Li '
.
PDUs: Protocol data units: term for IS-IS packets
A single AS can be divided into smaller groups called
areas, which are organized hierarchically
.
Level 1 intermediate systems route within an area or toward
a Level 2 system
. Attached bit
.
Level 2 intermediate systems route between areas and
toward other ASs
Operation of IS-IS
An IS-IS network is a single AS, also called a routing domain, that consists of end systems (ESs) and
intermed/ate systems (ISs). End systems are network entities that send and receive packets.
Intermediate systems-which Is the OSI term for a router-send and receive packets and relay, or
forward, packets. IS-IS packets are called protocol data units (PDUs).
IS-IS Areas
In IS-IS, a single AS can be divided Into smaller groups called areas. Routing between areas is
organized hierarchically, allowing a domain to be divided administratively into smaller areas. IS-IS
accomplishes this organization by configuring Level 1 and Level 2 intermediate systems. Level 1
systems route within an area, and Level 2 intermediate systems route between areas and toward
other ASs. A Levell/Level 2 system routes within an area on one interface and between areas on
another.
A Level 1/Level 2 system sets the attached bit in the Level 1 PDUs that it generates into a Level 1
area to indicate that it is a Level 2-attached backbone router and that It can be used to reach
prefixes outside the Level 1 area. Level 1 routers create a default route for Interarea prefixes, which
points to the closest (in terms of metrics) Levell/Level2-attached router.
ntity fltte
NET = 49.0001.1921.6801.6001.00
\ NET = 49.0002,1921.6802.4001.00
/ \
/\ 1
/ \/ :
NET = 49.0002.1921.6803.6001.00
IS-I$ and m
0 1
In IS-IS, links
separate areas
/
LI
Ll L1/L2
Ll
0
L1/L2
L2
Ll
L1/L2 L2
Ll
IS-IS Areas
IS IS and OSPF are link-state routing protocols with many similarities. Differences exist between
them as well. In IS-IS areas, a Level 1/Level 2 router fulfills the same purpose as an area border
router (ABR) in OSPF. Likewise, the collection of Level 2 routers in IS-IS is the backbone, while Area 0
is the backbone in OSPF. However, In IS-IS, all routers are completely within an area, and the area
borders are on the links, not on the routers. The routers that connect areas are Level 2 routers, and
routers that have no direct connectivity to another area are Level 1 routers. An intermediate system
can be a Level 1 router, a Level 2 router, or both (an L1/L2 router).
? ms
In OSPF, routers
separate areas
ABR
\
N .
/ ABRJ
ABR
OSPF Areas
The slide shows the same network as the previous slide, only configured with OSPF instead of IS-IS.
Compare the two slides to identify the similarities and differences. OSPF area borders are marked by
routers. Some interfaces are in one area, and other interfaces are in another area. When an OSPF
router has interfaces in more than one area, it is an ABR.
Overview of IS-IS
-
>IS-IS PDUs
IS-IS PDUs
LSP Format
In bytes [ PDU
Maximum
1 Protocol Header
Version
ID PDU
Headers
Version Reserved Area
1 Identifier Length Length Type
Addresses andTLVs
a 4 2 1 Va ia ble
r
PDU Remaining LSP ID
! Sequence Checksum
ATT OL, a nd
,
TLVs
Length Lifetime | Number IS Type Bits
Some fields of interest in the LSP header include the ID length and the maximum area address,
which are set to a constant value of 0x00. This value does not mean that the Junos operating system
does not support their functionality. Instead, these fields are used for backward compatibility with
older protocol implementations. The system ID is always 6 bytes in length, and the maximum area
addresses supported is always 3 bytes. By setting these two fields to a value of 0, the Junos OS is
reporting that it supports the default values for these two settings.
You might also notice that the LSP header contains two version fields. The first of these fields,
according to the original IS-IS specification, was designed as an extension of the protocol ID field.
Most modern implementations, including the Junos OS, do not support this function and instead
place a constant value of 0x01 in the field to represent the version of the protocol. The second
version field is the actual specified location for the protocol version, which is also set to a value of
0x01-the current version of the protocol.
Flooded Periodically
The IS-IS link-state PDUs are flooded when either a network change occurs or often enough to keep
the database from having stale information. Each link-state PDU has a 2-byte field named the
remaining lifetime. Each IS-IS router initializes this field to a certain value when the link-state PDU is
created. By default, this timer value is set to 1200 seconds, or 20 minutes. Each router takes this
value and begins a countdown towards 0. Before the timer expires (at approximately 317 seconds),
the originating system regenerates the link-state PDU and floods it to all of its neighbors.
LSP Notes
PDU Type
The 1-byte PDU type field denotes whether this is a Levei 1 or a Level 2 PDU. A value of 18
represents a Level 1 PDU and a value of 20 is a Level 2 PDU. With this exception as well as different
multicast destination addresses, the PDU contents and formats are identical to each other.
The ID of the link-state PDU uniquely identifies it within the IS-IS domain. The 8-octet field is
'
comprised of the router s system ID (6 bytes), the circuit ID (1 byte), and the LSP number (1 byte).
The system ID is located within the NET address of the router and is used exactly as is. The LSP
number field represents a fragmented link-state PDU. The initial link-state PDU receives a value of
0x00, and it is incremented by Ifor each following fragment.
The circuit ID field helps distinguish link-state PDUs advertised from a single router. By default, all
link-state PDUs representing the router as a node use a value of 0x00 for the circuit ID field. When a
router is operating as a DIS, it places the value of the circuit ID into this field and generates a
separate link-state PDU for the broadcast segment. The Junos OS uses a constant value circuit ID
value of 0x01 for the loopback interface as well as all point-to-point interfaces. Each broadcast
segment receives a unique circuit ID value beginning at 0x02 and incrementing to a maximum value
of Oxff.
Attached Bit
Any IS-IS router with a Level 2 adjacency to a system in another area sets the Attached bit in its Level
1 link-state PDU. Level 1 routers can then forward data packets to that attached router for transport
out of the local area.
Overload Bit
An IS-IS router can set the overload bit to inform the other routers in the network that it is incapable
of reliably transmitting transit packets to other portions of the network. While the original intent of
the bit was to ease memory problems on individual routers, modern-era routers do not have such
'
constraints. In today s network environment, the bit is often used to take a router out of service for
maintenance or to allow it to fully converge within the network before forwarding traffic.
IS Type Bits
The IS type bits inform other routers in the network about the capabilities of the local router. Two
possible settings are available for these bits. When the bits are set to a value of 01 (0x01), the local
router can only support Level 1 routing. A value of 11 (0x03), however, means that the local router
can support both Level land Level 2 routing. These settings are the only two settings possible for
these bits.
Hel ! mm
.
Point-to-point networks
IS-IS transmits hello PDUs at regular intervals
Hello PDUs:
.
Identify the device
.
Describe its capabilities
.
Describe the parameters of the interface
Hello Transmission
Routers send hello packets at a fixed interval on all interfaces to establish and maintain neighbor
relationships. The hello interval field advertises this interval in the hello packet. By default, a
designated intermediate system (DIS) router sends hello packets every 3 seconds, and a non-DIS
router sends hello packets every 9 seconds.
PDU Fields
Source ID: Identifies the system ID of the router that originated the hello PDU.
.
Holding time: Specifies the period a neighbor should wait to receive the next hello PDU
before declaring the originating router dead.
LAN ID: Identifies the system ID or the DIS plus one more octet (the pseudo-node ID) to
differentiate this LAN ID from another LAN ID that might have the same DIS.
Link-state PDUs
. Used to build the link-state database
. Similar to LSAs in OSPF
.
Separate LSPs for:
.
Level 1 systems
.
Level 2 systems
.
Sent as a result of a network change, during adjacency
formation, and in response to a sequence number PDU
(described on the next slide)
. Link-state PDUs:
.
Identifyan IS's adjacencies
*
Describe the state of Its adjacencies
.
Describe its reachable address prefixes (routes)
IS-IS sends link-state PDUs at regular intervals and when an IS discovers that:
Once link-state PDUs are distributed appropriately, IS-IS runs the Dijkstra algorithm to compute
optimal paths to each ES. This algorithm iterates on the length of a path, examining the link-state
PDUs of all ISs working outward from the host IS. At the end of the computation, IS-IS forms a
connectivity tree yielding the shortest paths, including all intermediate hops, to each IS.
ice K :m PDUs
TLV 1 (Area address): Provides the area address encoded within the IS-IS NET on the
loopback 0 (loO) interface.
TLV2 (IS reachability): Advertises the IS neighbors adjacent to the local router as well as
the metric used to reach those neighbors.
TLV 10 (Authentication): Contains the authentication type and the configured password.
TLV 22 (Extended IS reachability): Advertises the IS neighbors adjacent to the local
router and the routers that support traffic engineering capabilities. This TLV also
contains multiple sub-TLVs that describe the user constraints placed on the router by
the network administrator. This TLV also populates the traffic engineering database
(TED).
TLV 128 (IP internal reachability): Advertises the IP address and subnet mask for each
'
of the router sinterfaces capable of supporting IPv4 traffic.
.
TLV 129 (Protocols supported): Informs other routers in the network which Layer 3
protocols the local router supports. By default, the Junes OS supports both IPv4 and
IPv6. On the J Series Services Router and the SRX Series Services Gateways, you can
also use the Junos OS to support CLNS.
TLV Examp m
I :
TLVVariables: Part2
TLV 130 (IP external reachability): Advertises the network and subnet mask for all
routes advertised into IS-IS by using a policy.
TLV 132 (IP interface address): Advertises the host IP address for all router interfaces.
TLV 134 (Traffic engineering IP router ID): Advertises the 32-bit router ID of the local
router.
.
TLV 135 (Extended IP reachability): Advertises the IP address and subnet mask for
router interfaces that can support traffic engineering. This TLV also populates the TED.
.
TLV 137 (Dynamic hostname resolution): Advertises the ASCII hostname configured on
the local router. Other IS systems use this TLV to resolve the hostname of the router for
use In show command output and within certain TLVs.
TLV 222 (Multiple topology IS reachability): Advertises the IS neighbors adjacent to the
local router and the routers that support multiple topologies of IS-IS.
TLV 229 (Multiple topologies supported): Advertises which multiple topologies of IS-IS
the local router supports. Each topology is identified by a 12-bit ID field.
TLV235 (Multiple topology IP reachability): Advertises the IP information for interfaces
that support multiple topologies. This TLV contains multiple sub-TLVs, which define the
actual information. Each set of sub-TLVs is accompanied by the 12-bit topology ID field.
IPv6 TLVs
The following list provides the details of the TLVs that support IPv6:
TLV 232 (IPv6 interface address): Advertises the IPv6 interface address for those
interfaces that support iPv6 traffic.
TLV 236 C/Pv6 reachability): Advertises information about the network link on which the
IPv6 protocol is operating. This TLV contains multiple sub-TLVs that contain the actual
metric information, among other things.
Each IS-IS router sends this TLV in both its Level 1 and its Level 2 link-state PDUs. Up to three area
addresses are configurable per system, so the area ID field Is repeated for each unique area
address. The area address TLV contains the following fields:
TLV type (1 byte): The type of the TLV is encoded in this field with a constant value of 1.
TLV length (1 byte): This field contains the length of the remaining fields In the TLV.
Together, the TLV length and area length fields allow an IS-IS router to determine the
number of area addresses encoded within the TLV.
Area length (1 byte): The length of the following advertised area Is encoded in this field.
Area ID (variable): This field can range from 1 to 13 bytes. It contains the actual area
address configured within the NET ID of the router.
TLV 1 3 J
IS Reachability TLV
Each IS-IS router advertises its adjacencies with neighboring systems through this TLV. The various
metric fields as well as the neighbor ID field are repeated for each adjacent neighbor. The metric
values are encoded in a 6-bit field resulting in possible metrics between 0 and 63. These values are
sometimes referred to as old-style or small metrics. The IS reachability TLV contains the following
fields:
TLV type IbyteJ: The type of the TLV is encoded in this field with a constant value of 2.
TLV length (1 byte): The length of the remaining fields in the TLV is placed in this field.
This length allows the router to determine the number of neighbors encoded within the
TLV. Each set of neighbors and metrics occupies 11 octets of space. Therefore, the field
length minus 1 (for the virtual flag) should be divisible by 11, resulting in the number of
adjacent neighbors.
Virtual flag (1 byte): An IS-IS router sets this flag when the advertised Information
should be used to repair a nonadjacent Level 2 area. The Junos OS does not support
partition repair and this field is set to a constant value of 0x00.
indicating the metric type; internal and external metrics are not comparable. Because
this TLV is never leaked, the l/E bit is always coded to a zero to Indicate an internal type.
The remaining 6 bits are used to encode the metric cost to reach the adjacent neighbor.
Delay metric (1 byte): The Junos OS does not support the use of type of service (ToS)
metrics within IS-IS. TheS bit is set to a constant value of 1 (not supported), while the 1/
E and metric bits are all set to a constant value of 0.
Expense metric (1 byte): The Junos OS does not support the use of ToS metrics within
IS-IS. TheS bit is set to a constant value of 1 (not supported), while the l/E and metric
bits are all set to a constant value of 0.
Error metric (1 byte): The Junos OS does not support the use of ToS metrics within IS-IS.
The S bit is set to a constant value of 1 (not supported), while the l/E and metric bits are
all set to a constant value of 0.
Authentication TLV
if configured to support authentication, an iS-IS router includes this TLV in all advertised link-state
PDUs. The authentication TLV contains the following fields:
.
TLV type (1 byte): The type of the TLV is encoded in this field with a constant value of 10.
TLV length (1 byte): The length of the remaining fields in the TLV is placed in this field.
Authentication type (1 byte): The specific form of authentication is encoded in this field.
Plain-text authentication uses a value of 1, while MD5 authentication uses a value of
54.
Password (Variable): The actual authentication data is stored In this field. When MD5 is
used, the size of this field is always 16 bytes.
71V type (1 byte): The type of the TLV is encoded in this field with a constant value of 22.
TLV length (1 byte): The length of the remaining fields in the TLV is placed in this field.
System ID (7 bytes): The ID of the adjacent neighbor is encoded in this field. It is
comprised of the 6-byte system ID and the l-byte circuit ID of the neighbor.
Wide metric (3 bytes): The metric cost to reach the adjacent neighbor is encoded in this
field.
Sub-TLV length (1 byte): The length of any optional sub-TLVs is encoded in this field. If no
sub-TLVs are present, the field is set to a value of 0.
8-1 Roac' 1
TLV type fl bytej: The type of the TLV is encoded in this field, which holds a constant
value of 128.
TLV length (1 byte): The length of the remaining fields in the TLV is placed in this field.
This length allows the router to determine the number of prefixes advertised within the
TLV. Each set of metrics and addresses occupies 12 octets of space.
.
Default metric (1 byte): The first bit in this field is known as the Up/Down (U/D) bit. It is
used to provide information to IS-IS routers in a multilevel network to allow for prefix
advertisements across a level boundary and to prevent routing loops. The second bit in
this field can be used to indicate whether a given pair of metrics are comparable by
indicating a metric type of either internal or external. Although some Junos OS versions
made use of the l/E bit for TLV 128, the current release ignores this bit upon reception
and treats all prefixes as internal. The final 6 bits representthe metric cost to reach the
advertised prefix.
Expense metric (1 byte): The Junos OS does not support the use of ToS metrics within
IS-IS. The S bit, the R bit, and the metric bits are all set to a constant value of 0.
Error metric (1 byte): The Junos OS does not support the use of ToS metrics within IS-IS.
The S bit, the R bit, and the metric bits are all set to a constant value of 0.
TLV .
iportei
/ :
-
Network Layer protocol ID (1 byte): The 8-blt NLPID is placed within this field. By default,
the Junes OS supports both IPv4 (OxCC) and IPv6 (OxSE) and encodes those values in
this TLV. On J Series routers and SRX Series devices, you can also configure the Junes
OS to support the GLIMS protocol by configuring clns-routing at the [edit
protocols isis] configuration hierarchy.
TLV length (1 byte): The length of the remaining fields in the TLV is placed in this field.
This length allows the router to determine the number of prefixes advertised within the
TLV. Each set of metrics and addresses occupies 12 octets of space.
Default metric (1 byte): The first bit in this field is the U/D bit. It is used by IS-IS routers
in a multilevel network to allow for prefix advertisements across a level boundary and to
prevent routing loops. The second bit in this field can be used to indicate whether a
given pair of metrics are comparable by indicating a metric type of either internal or
external. Although some Junes OS versions made use of the l/E bit for TLV 130, the
current release ignores this bit upon reception and treats all prefixes as external by
virtue of their being carried within TLV 130. The final 6 bits represent the metric cost to
reach the advertised prefix.
.
Expense metric (1 byte): The Junos OS does not support the use of ToS metrics within
IS-IS. The S bit, the R bit, and the metric bits are all set to a constant value of 0.
Error metric (1 byte): The Junos OS does not support the use of ToS metrics within IS-IS.
The S bit, the R bit, and the metric bits are all set to a constant value of 0.
.
IP address (4 bytes): The IPv4 prefix being advertised in the TLV is encoded in this field.
Subnet mask (4 bytes): The subnet mask associated with the advertised prefix is stored
in this field.
iS-IS routers send this TLV in all link-state PDUs, which list IP addresses configured on the originating
router. At least one interface address must be advertised while each router interface can be
advertised. By default, the JunosOS encodes the router ID of the local system in this TLV. This router
ID is often the same as the primary address of the router's loO. 0 interface. The IP interface
address TLV contains the following fields:
TLV type (1 byte): The type of the TLV is encoded in this field with a constant value of
132.
.
TLV length (1 byte): The length of the remaining fields in the TLV is placed in this field.
This length allows a router to determine the number of addresses encoded within the
TLV.
/Pv4 address (4 bytes): The local router's interface address is placed in this field.
TLV OH
TE IP Router ID TLV
Aii routers configured to support traffic engineering, which is the Junos OS default setting, generate
this TLV. The router ID of the local router is placed in this field for use in the TED. The TE IP router ID
TLV contains the following fields:
71V type {1 byte): The type of the TLV is encoded in this field with a constant value of
134.
TLV length (1 byte): The length of the remaining fields in the TLV is placed in this field
with a constant value of 4.
/Pv4 address (4 bytes): The router ID of the local router is placed in this field.
The metric field uses 32 bits {wide metrics) for each advertised prefix, which results in possible
metrics between 0 and 4,294,967,295. The extended IP reachability TLV contains the following
fields:
TLV type (1 byte): The type of the TLV is encoded in this field with a constant value of
135.
TLV length (1 byte): The length of the remaining fields in the TLV is placed in this field.
This length allows the router to determine the number of prefixes advertised within the
TLV.
Metric (4 bytes): The metric of the advertised prefix is encoded in this field.
Prefix length (1 byte): The first bit in this field is the U/D bit, which is used to allow
prefixes to be advertised across a level boundary and to prevent routing loops. The
second bit in this field Is the sub bit, which denotes if any optional sub-TLVs are
associated with the advertised prefix. The final 6 bits represent the length of the
advertised prefix.
.
Prefix (variable): The advertised prefix is placed in this field.
Optional sub-TLV type (1 byte): The type of the sub-TLV is encoded in this field. The
Junes OS currently supports only one sub-TLV type, which is a 32-bit route tag with a
type code of 1.
Optional sub-TLV length (1 byte): The length of the remaining fields in the sub-TLV is
placed in this field.
Optional sub-TLV (variable): For the supported route tag sub-TLV, the 32-bit tag value is
placed in this field. IS-IS route tagging offers the same administrative filtering
capabilities as the OSPF protocol. IS-IS traffic engineering extensions, which enable TLV
135, must be enabled to support route tagging. TE extensions are enabled for IS-IS by
default.
TLV type (1 byte): The type of the TLV is encoded in this field with a constant value of
137.
TLV length (1 byte): The length of the hostname field is placed in this field. Possible
values range from 1 to 255 octets.
Hostname (Variable): The locally configured ASCII hostname of the router is placed in
this field.
TLV 132
IP router id: 192.168.48.1
IP address; 192.168.48.1
TLV 137 TLV2sma//
Hostname: SaoPaulo
metrics
IS neighbor: Sydney.00, Internal, Metric: default 1
IS extended neighbor: Sydney.00, Metric: rtffmlt: M
IP address: 10.222.60.2 4 subTLV 6
TLV 22 wide metrics
Neighbor's IP address: 10.222.60.1 subTLV 8
icf.r. it 0, Op
'
Authentication data; ~~
;
-
. -
The local router is configured within Area 49.0001, and the area length is 3 bytes. This
information is available in the Area Address field and TLV 1.
The local router's RID is 192.168.48.1. This information is available in the IP router
id field and TLV 134.
The link-state PDU was originated by the Sao Paulo router, because the Hostname field
of TLV 137 lists SaoPaulo in its payload.
The local router has an IS adjacency with the Sydney routers at a metric of 10. This
information Is available in the is Neighbor field and TLV 2.
The IP address of the router's interface towards Sydney is 10.222.60.2, as seen in TLV
22, sub-TLV 6.
The local router is advertising two internal local IS-iS routes, 10.222.60.0/24 and
192.168.48.1/32. This information is available from the IP Prefix field and TLV
128.
All three prefixes advertised by the local router are carried in TLV 135 and are visible in
the IP extended prefix field.
Agenda; IS-IS
Overview of IS-IS
IS-IS PDUs
-
jacencl-
an adjacency with a
Level 2 router L2
.
For Level 2 adjacencies, Level 1 Hello
area IDs can be different
uoallon Services
'
router)
The IS-IS network is considered a router-called a
pseudo-node
.
Each router advertises a single link to the pseudo-node,
including the DIS
.
Each router forms an adjacency with each of its neighbors on a
broadcast, multi-access network
DIS characteristics:
.
DIS acts as representative of the pseudo-node and advertises
the pseudo-node to all attached routers
.
Mo backup DIS in IS-IS immimiw
Pseudo-Node
IS-IS elects a DIS on broadcast and multi-access networks for the same reason as OSPF. Rather than
having each router connected to the LAN advertise an adjacency with every other router connected
to the LAN, the network itself is considered a router-a pseudo-node. Each router, including the DIS,
advertises a single link to the pseudo-node. The DIS also advertises, as the representative of the
pseudo-node, a link to ail of the attached routers.
DIS Characteristics
Unlike OSPF, however, an IS-IS router attached to a broadcast, multi-access network establishes
adjacencies with all of its neighbors on the network, not just the DIS. Each router multicasts its
link-state PDUs to all of its neighbors, and the DIS uses a system of PDUs-called sequence number
PDUs-to ensure that the flooding of link-state PDUs is reliable. Also unlike OSPF, no election of a
backup designated router occurs in IS-IS. If the IS-IS DIS falls, a new DIS Is elected. Another
characteristic is that if a new router with a higher priority than the existing DIS becomes active, or if
the new router has an equal priority and a higher subnetwork point of attachment (MAC address), the
new router becomes the DIS. When the DIS changes, a new set of link-state PDUs must be flooded.
VVnrWv/Ule WnrationSmices
IP Configuration Necessary
When establishing adjacencies in OSPF, all routers on a link must agree upon the IP subnet to which
they belong, except on point-to-point links, which can be unnumbered or use /32 addressing. The
Junos OS needs the IP portion of the network to function so that the IS-IS adjacency will work.
Troubleshooting No Adjacency
The slide provides a checklist to use when troubleshooting IS-IS adjacency problems.
Overview of IS-IS
IS-IS PDUs
'
router s interfaces (preferably the loopback Interface, loO), and configure the ISO family on all
The Junos OS supports the assignment of multiple ISO NETs to the router's loopback interface. Such
a configuration might prove helpful when migrating two previously independent IS-IS domains into a
single routing domain.
iirin S s m 2)
[edit protocols]
user8router# set isis interface ge-0/0/0.0 level 1 disable
[edit protocols]
user@router# set isis interface at-0/1/1.100 level 2 disable
[edit protocols]
user@router# show
isis {
interface ge-0/0/0.0 {
level 1 disable;
interface at-0/1/1.100 {
level 2 disable;
interface loO.O {
level 2 disable;
1p#
IS-IS Metric
[edit protocols]
userSrouter# show
isis {
interface so-0/0/0.0 {
level 2 metric 10;
level 1 metric 20;
}
interface ge-0/1/0.0 {
level 2 metric 5;
}
}
Each IS-IS router must determine the metric (or cost) associated with that network. Often referred to
as simply the metric, the cost is simply what the router views as the overhead associated with
transmitting a packet on that interface. Each IS-IS-speaking router advertises these costvaiues in its
LSPs, each router can determine the total cost {or metric) to reach any destination In the network.
Each router in as IS-IS network uses a default metric cost of 10 for all interfaces on the router. The
notable exception to this default setting Is the loopback Interface of the router, which has a default
metric cost of 0.
When you configure an IS-IS interface to operate in passive mode, the default metric cost is still set
to a value of 10. This default Is different from the operation of other router vendors, so be careful in
a multlvendor environment to ensure a consistent metric calculation.
If you want to alter the metrics In the network, you can set the cost for each interface. Within the
Interface portion of the [edit protocols isis] configuration hierarchy, the metric
command assigns a permanent cost to that interface for a particular level. Each interface on the
router can have a separate cost assigned to It.
The solution is to enable a bandwidth calculation similar to that used in OSPF. This calculation takes
a supplied value-the reference bandwidth-and divides it by the bandwidth of the physical interface.
This solution not only allows for an automatic cost assignment, but it also maintains a consistent
ratio across all the router interfaces.
Reference Bandwidth
To enable the calculation, use the reference-bandwidth command within the [edit
protocols isis] configuration hierarchy. The value entered has a value in bits per second. Use
the standard Junos shortcut notations of k (kilobits per second), m (megabits), and g (gigabits). The
entered value becomes the numerator value in the bandwidth calculation.
P#ration
.
Various show commands exist to provide detailed
information on the operation of IS-IS
. show isis interface
.
show isis route
:
.
orldvmlp I .Jin .iiiun Ser ir.es
Worldwide EducationSorvioes
Index (detail output only): Displays the interface index assigned by the Junes kernel.
circuit type (detail output only): Displays the circuit type, which can be 1-Level 1
only, 2-Level 2 only, or 3-Level 1 and Level 2.
lsp interval (detail output only): Displays the interface's link-state PDU interval.
Interface (brief output only): Displays the interface through which the adjacency is
made.
.
Adjacencies (detail output only): Displays the number of adjacencies established on
this interface.
Priority (detail output only): Displays the priority value for this interface.
Metric (detail output only): Displays the metric value for this interface.
Hello (s) (detail output only): Displays the interface's hello interval.
Hold (s) (detail output only): Displays the interface's hold time.
t
Expires in
System {brief output only): Displays the system identifier (sysid), printed as a name if
possible.
.
L; Displays the level, which can be 1-Level 1 only; 2-Level 2 only;
or 3-Level 1 and Level 2. An exclamation point (!) preceding the level number
indicates that the adjacency is missing an IP address.
State: Displays the state of the adjacency. It can be Up, Down, New, One-way,
Initializing, or Rejected.
Hold (sees) (brief/standard output only): Displays the remaining hold time of the
adjacency. Note that the show isis adjacency command returns brief output by
default.
snpa (brief output only): Displays the subnetwork point of attachment (MAC address of
the next hop).
'
Denver
Priority (detail output only): Displays the priority to become the designated
intermediate system.
.
Up/Down transitions (detail output only): Displays the count of adjacency status
changes from up to down or from down to up.
Last transition (detail output only): Displays the time of the last up/down
transition.
Circuit type (detail output only): Displays the bit mask of levels on this interface,
which can be 1-Level 1 router, 2-Level 2 router, or 1/2-both Level 1 and Level 2
routers.
Speaks (detail output only): Displays the protocols supported by this neighbor.
deEtiucationServic
SNPA: Displays the subnetwork point of attachment (MAC address of the next hop).
Start time (log output only): Displays the time that the SPF computation started.
Elapsed time (log output only): Displays the length of time required to complete the
SPF computation in seconds.
count (log output only): Displays the number of times the SPF was triggered.
Reason (log output only): Displays the reason that the SPF computation was
completed.
Received: Displays the number of PDUs received since IS-IS started or since the
statistics were zeroed.
Processed: Displays the number of PDUs received less the number dropped.
Sent: Displays the number of PDUs transmitted since IS-IS started or since the
statistics were zeroed.
Rexmit: Displays the number of PDUs retransmitted since IS-IS started or since the
statistics were zeroed.
Total packets received/sent: Displays the total number of PDUs received and
transmitted since IS-IS started or since the statistics were zeroed.
SNP queue length: Displays the number of CSNPs and PSNPs sitting on the SNP
queue waiting for processing. This value is almost always 0.
spf runs: Displays the number of SPF calculations performed. If this number is
incrementing rapidly, it indicates that the network is unstable.
Fragments rebuilt: Displays the number of link-state PDU fragments that the local
system has computed.
LSP regenerations: Displays the number of link-state PDUs that have been
regenerated. An link-state PDU is regenerated when it is nearingthe end of its lifetime
and it has not changed.
.
Purges initiated: Displays the number of purges that the system initiated. A
purge is initiated if the software decides that an link-state PDU must be removed from
the network.
Displaying IS-IS T
user@router> show isis route
IPv4/IPv6 Routes
Current version: Displays the number of the current version of the IS-IS routing
table.
l: Displays the level, which can be 1-Level 1 only; 2-Level 2 only; and 3-Level 1 and
Level 2.
Version: Displays the version (or run) of SPF that generated the route.
Metric: Displays the metric value associated with the route.
Type: Displays the metric type. It can be int (internal) or ext (external).
via: Displays the system identifier of the next hop, displayed as a name if possible.
Packet: LSP ID: Tokyo.00-00, Length: 140 bytes. Lifetime : 1200 sees
Checksum: OxlcSO, Sequence: 0x1, Attributes: 0x3 <L1 L2>
NLPID: 0x83, Fixed length: 27 bytes. Version: 1, Sysid length: 0 bytes
Packet type: 18, Packet version: 1, Max area: 0
TLVs:
Area address: 49.0001 (3)
Speaks: IP
Speaks: IPv6
IP router id: 192 . 38.20 .1
IP address: 192.1( .
20.1
Hostname: Tokyo
IP external prefix: 192.168.2 0.0/24, Internal, Metric: default 0, Up
deEducationServiGes
Lifetime (in seconds): Displays the remaining lifetime of the link-state PDU, in
seconds.
IP prefix (detail and extensive output only): Displays the prefix advertised by this
link-state PDU.
SUK','
Review Questions
Review Questions
i .
2 .
3 .
IS-lt tmmmmmm mm
0%
IS-IS Operations
IS-IS Configuration Options
IS-IS Routing Policy
IS-IS Operations
The slide lists the topics we cover in this chapter. We discuss the highlighted topic first.
External
Routes
Injected
L1L2 Lll 2
/ \
L1L2
/ L1L2
i
Area 49.1111 Area 49.2222 Area 49.3333
LI PDU LI PDU LI PDU
Note that the Level 1 link-state PDUs (LSPs) are generated within each area. Because these LSPs have a
Level 1 flooding scope, they remain within their own particular area and are not seen in other areas. The
L1/L2 router at the edge of the area places the routing information contained within the LSP into a
Level 2 LSP and forwards it across the area boundary.
All Level 2 LSPs are flooded across every contiguous Level 2 area. This flooding results in Level 2 LSPs
within every area that represent all IS-IS routes. Within Area 49.1111, for example. Level 2 LSPs exist
that represent Area 49.2222 and Area 49.3333.
small portions of the database through the use of the eKtensive keyword. Now, let s take a step back
and examine the database as a whole. You can gather details by examining the database closely:
This router has both Level 1 and Level 2 adjacencies. You can determine this fact by the
existence of two databases on the router.
Within the Level 1 area, Rl is the router that can communicate with other Level 2
systems. You can determine this fact by the Attached keyword in its Level 1 LSP.
The R2 and R3 routers are configured to operate at Level 1 only because their
attributes are set to 0x01 (not shown in the output). Notice the Ll designation and the
absence of a L2 notation within the Attributes field.
The R3 router is the designated intermediate system (DIS) for one of its links in the
network. You can determine this fact by the extra LSP advertised as R3.02-00. The
circuit ID of the interface upon which it is the DIS is 0x02.
1 mi
'
.
Tree database
Dijkstra Algorithm
After a router receives a new link-state PDU and places it into the LSDB, the router runs an algorithm
known as the Dijkstra algorithm (or shortest-path-first [SPF] algorithm). This computation uses the
database as a data source and results in a loop-free network topology using the best metric from the
local router to all nodes in the network.
During the course of this calculation, the algorithm uses three databases-the LSDB, the candidate
database, and the tree database. Remember that the link-state database is the total compilation of
routing knowledge in the network. Conceptually, it consists of multiple tuples In the form of (router
ID, neighbor ID, cost), which describe each link In the network.
When the algorithm operates, the local router moves Its own local tuple into the tree database and
all tuples for its links Into the candidate database. It then performs the following steps until the
candidate database Is empty:
1 . For each new entry In the candidate database, the router determines the cost from root
to each neighbor ID. Move the tuple with the lowest cost from the candidate database
Into the tree database. If multiple tuples exist with an equal cost, choose one randomly.
2 . If a new neighbor ID appears in the tree database, move all tuples In the LSDB with a
'
router ID equal to the new tree entry s neighbor ID Into the candidate database.
The Dijkstra algorithm is calculated for each LSDB present on the local router. Recall that each IS-IS
level maintains a separate copy of the database. These separate copies allow each level to have a
separate forwarding topology independent of another level.
The action of calculating the best IS-IS route prior to the route being placed into the routing table has
a consequence in regards to the filtering of routing knowledge. An Individual filter (or policy) operates
on IP routes that enter the router as IP routes and are placed into the routing table. This form of data
flow is not present in IS-IS because the routing information enters the router as an link-state PDU
and is only placed into the routing table after the router performs the Dijkstra algorithm. Hence, the
only method of filtering IS-IS routing knowledge is to keep that information from being placed into the
database (on a per-level basis) in the first place.
I
:
'
Link-State
RTR-A
(A. A. 0)
A (A. B. 1)
(A. C. 2)
(B.A. 3)
(B.D. 3)
rtr-b\
RTR-B RTR-C (C,A. 4)
(C D, 4)
(D.B. 1)
(D.C. 2)
RTR-D
(A. C. 2)
(B, A, 3)
(B. D, 3) RTR-A
(C,A, 4)
(C. D, 4)
{D.B. 1)
(D.C, 2)
WoiMwitls EducationSerwces
The lowest, and only, tuple in the candidate database is moved to the tree database and RTR-A
places itself on the network map.
7 Calculation Example (3 of 6)
(CA, 4)
(C. D. 4
(D,B, 1)
'D C, 2)
,
RTR-B
All known nodes in the tree database are removed from the candidate, of which there are none. (For
example, if B were already In the tree database, the tuple (A,B,1) would be eliminated.)
The cost to each neighbor ID from the root is then calculated. It costs RTR-AOto reach itself and Ito
reach RTR-B, so the total cost to RTR-B is 1. The same calculation Is done for RTR-C, and the totai
cost of 2 is placed into the candidate database.
The lowest cost tuple In the candidate database, (A,B,1), is now moved to the tree database, and
RTR-B is placed on the network map.
P .
A. 3
D D 3 (B. A. 3)
. .
RTR-A
(C, A, 4) (B. D, 3
(CD. 4)
(D, B, 1)
(D.C. 2)
RTR-B RTR-C
All known nodes in the tree database are then removed from the candidate. Thus, the (B,A,3) tuple is
removed because RTR-A already has the shortest path to RTR-A.
The cost to each neighbor ID from the root is then calculated. It costs RTR-B 3 to reach RTR-D, and it
costs 1 to reach RTR-B from the root. So the total cost to reach RTR-D from the root through RTR-B is
4 .
The lowest cost tuple in the candidate database, (A,C,2), is now moved over to the tree database,
and RTR-C is placed on the network map.
,
of S)
1
(A. A, 0) LS Entry Cost to Root (A.A,0)-0
(A. D. 1) i (A. A, 0) 0 (A. B. 1) -1
(A. C 2) (A. D. 1) L
_
(A. C. 2) - 2
(B.D. 3)-4 I
(B.A, 3) (A. C. 2)
(B.D. 3) (D.A. 3)
RTR-A
(C. A. 4) (D. D. 3)
(C. D. 1) (G, A. 4)
(D,B. 1) (C. D. 4)
(D,C. 2)
rtr-bV RTR-C
RTR-D
A orlriwiile bducatiunSnr.iiss
All known nodes in the tree database are then removed from the candidate. Thus, the (C,A,4) tuple is
removed because RTR-A already has the shortest path to RTR-A.
The cost to each neighbor ID from the root is then calculated. It costs RTR-C 4 to reach RTR-D, and it
costs 2 to reach RTR-C from the root. So the total cost to reach RTR-A through RTR-C is 6.
The lowest cost tuple in the candidate database, (B,D,3) is moved to the tree database, and RTR-D
,
RTR-BVa
RTR-D
All known nodes In the tree database are then removed from the candidate. Thus, the (C,D,4),
(D,B,1), and (D,C,2) tuples are removed because RTR-A already has paths to RTR-B, RTR-C, and
RTR-D. The candidate database is now empty of all tuples, so the algorithm stops.
RTR-A now has a complete network map built with the total cost to each node calculated. This
information is then passed to the Junos OS routing table for its use.
Cm !
To enhance the convergence time of IS-IS during topology changes, the Junos OS enables the SPF
calculation to be run three times in a back-to-back fashion before encountering a mandatory
hold-down period. The 5-second hold-down timer is hardcoded into the software and is not
configurable. The timer ensures that the network can continue to forward packets with potentially
incorrect routing knowledge during the convergence period. The timer also allows the routing
process to not control the CPU at the expense of other routing functions.
The mandatory 5-second hold-down timer is still brought to bear after the third consecutive rapid
SPF calculation, regardless of the spf-delay setting.
As a best practice, we recommend you set the spf-delay value slightly larger than the worst
possible propagation delay found in your network. For example, if the delay across the network is
200 ms, then you might set the spf-delay to 250 ms. This setting allows time for all of the
duplicate LSPs to arrive at ail routers before the SPF calculation begins.
on
Automatically Enabled
The functionality of the PRC is automatically enabled when you configure IS-IS within the Junos OS-
you do not have to do anything to benefit from the enhancement. Conversely, no configuration option
Is available to disable this feature.
ced is
urat mm
IS-IS Operations
-
Education Services
The iS-IS protocol uses 6 bits in type/length/values (TLVs)-2, 128, and 130-to advertise the metric
of an individual interface or external route respectively. Therefore, the largest possible metric that an
interface can be assigned is 63. Any larger value configured on the interface, or calculated using the
reference-bandwidth, is advertised as a 63 in those TLVs in all LSPs. This value does not affect the
total metric to reach a network as determined by the SPF algorithm. The algorithm adds multiple 63
values together to reach a total cost. The largest value possible for this total metric cost is 1023 to
any destination in the network.
With the creation of the traffic engineering TLVs (22 and 135), the concept of limiting an interface
cost to six bits was changed to allow for greater granularity and scalability. The new TLVs use 24 bits
to advertise the metric, for a maximum link cost of 16,777,215 and the field for the total cost is
expanded to 32 bits.
V; j rr . Ties Operr ,
.
: >f 3)
10 f'
i
mio 10, 10
If fe-O/Q/O.O
Rl iO-22.60/24 R2
We see that the current cost to the R2 router's loopback address of 192.168.48.1/32 is 10. This
accounts for the cost to reach R2 over the fe-0/0/0.0 interface (10.222.60.0/24) on Rl in addition
to the metric advertised by R2 for its loopback address (0 by default). A look at the LSDB information
advertised by Rl shows that both TLV 128 (IP prefix) and TLV 135 (IP extended prefix) are being sent
to announce the IP prefixes available on Rl.
10.000 10 Jl Hi 10
fe-0 /0/0 0
,
.
9
Rl 10.22.50/24 R2
Tkio.ooo io
4]ljic
V|||r fe-Q/Q/O.O lilF
_
Rl 10.22.60/24 R2
(Wide Metrics Only)
user@Rl> show route 192.168.48.1 terse
Fecte
10 15 20
® 25 30
Rl R2 R3 R4
After the IS-IS process on a router decides which metric to assign to each interface, that Information
is flooded Into the domain within either a Level 1 LSP or a Level 2 LSP.
SPF Calculations
After receiving a new link-state PDU from another router, the local router performs an SPF calculation
using all the values contained in the LSPs In the database. As mentioned on a previous slide, the
cost Is calculated from the root node to every other node In the network using the metric cost of the
outgoing Interfaces.
Although the configuration of different metrics for a single link does not affect the operation of IS-IS,
asynchronous routing can occur within the network. This might cause response delays for some end
users and make It challenging for network administrators to troubleshoot the network.
IS-IS Authentication
. Interface
Authentication at the interface level secures only hello PDUs. Again, this configuration occurs for
either Level 1 or Level 2.
Authentication Types
The Junos OS supports three different forms of authentication for the IS-IS protocol. These types are
none, simple, and Message Digest 5 (MD5). The type of authentication used must match on all
routers within a level.
For better security in an IS-IS network, we recommend you use authentication type MD5. MD5
includes an encrypted checksum in all IS-IS packets-not a simple text password. Each IS-IS router
uses the same MD5 algorithm to calculate the checksum value, so it virtually guarantees
interoperability and a correct result.
Level Authentication
Configuration of any authentication at either Level 1 or Level 2 secures hello, link-state, and
sequence number PDUs.
In the example on the slide, MD5 authentication is enabled for Level 1, and simple authentication is
configured for Level 2.
Note
As is a common practice within the Junos OS configuration hierarchy, IS-IS authentication options
configured at an interface level supercede any options configured at a higher level.
Interface fe-O/O/0.0 on the slide has MD5 authentication configured for helio PDUs sent at Level 2
using the hello-authentication commands. This hello authentication will be used only on
that specific interface.
Authentication Control
.
Complete sequence number PDUs
.
no-csnp-authentication
.
Partial sequence number PDUs
.
no-psnp-authentication
To aid you duringa migration period orfortroubleshootingan authentication problem, you can ignore
the verification on received packets with the no-authentication-check command.
Transmitted packets are still secured, but all received packets are used, regardless of any
authentication information contained in them.
Mesi Groups
Rl R4
R3
Full-Mesh Topologies
There are times when the default flooding mechanism might be a disadvantage. Such is the case
with a full-mesh physical or logical topology. In this type of an environment, each IS-IS router receives
extra copies of the same LSP. These extra copies are not needed and can be discarded safely.
In the example on the slide, the R4 router receives a LSP generated from the Rl router three times.
If a mesh group were configured in the example on the slide, the R4 router would receive only a
single copy of the LSP from the Rl router.
tCOv -1
[edit protocols]
user@router# show
isis {
interface ge-0/0/0.0 {
mesh-group 2;
}
interface ge-0/1/0.0 {
mesh-group 1;
}
interface ge-0/2/0.100 {
mesh-group blocked;
}
}
Group Numbers
To configure a mesh group within the Junos OS, assign each interface within IS-IS a group number by
using the mesh-group command. This number can be any 32-bit value. Within each local router,
any LSPs received on an interface assigned to a mesh group are not flooded out any interfaces
within that same mesh group.
Ovarfoad. ;
The concept of the overload bit was first available within the IS-IS protocol. Put simply, its function is
to advertise information into the IS-IS network, but to prevent transit traffic on the router. This
functionality can be useful in two situations-first, when a router must be taken out of the network for
maintenance, and second, when the router has many BGP peers. In the first case, traffic should
avoid the router because its ability to forward traffic can be compromised. In the second case, a
network administrator might want the router to fully establish its BGP peering sessions before
handling transit traffic.
When an IS-IS router is configured for overload, a bit is set to 1 within the attributes field in the LSP
header. This configuration is then visible to all other routers in the level within the LSDB.
In the example on the slide, the Router-2.00-00 LSP is advertised with the overload bit set.
Overload Settings
You can turn the overload setting on or off as a permanent value, or you can associate a timer
with it. If the timer is omitted, then the overioad bit is set once you commit the configuration. The bit
remains until you remove the overload setting from the configuration, and the configuration is
committed once again. However, if you assign a timer value, the bit is not set automatically. The timer
associated with the overload bit initializes only when the routing protocol daemon (rpd) also
initializes. This timer can run from between 60 and 1800 seconds. Once the timer expires, the bit is
removed from the LSPs, but the configuration still contains the overload command.
[edit]
user@router# set protocols isis interface ge-0/2/0 csnp-interval 40
[edit]
user@router# run show isis interface detail
IS-IS interface database;
ge-0/2/0.0
Index: 3, State: 0x6, circuit id: 0x2, Circuit type: 2
LSP interval: 100 ms, CSNP interval: 40 s
Level Adjacencies Priority Metric Hello (s) Hold (s) Designated Router
2 1 64 10 3 9 R1.02 (us)
By default, each DIS router on a LAN interface advertises a complete sequence number PDU (CSNP)
every 10 seconds. This advertisement allows other routers on the link to ensure that their databases
are complete. Perhaps more importantly, it allows the other IS-IS routers to know when the DIS is no
longer available. This fast CSNP timer allows IS-IS to not require the election of a backup DIS.
If you do not need the qulcktimer of the CSNP, you can change It. One possible situation where this
change might be useful is on a broadcast link with only two routers. If the DIS is not available any
longer, the other router becomes aware of this from a lost adjacency or downed network link.
To lengthen or shorten the timer value, you can use the csnp-interval command.
On a per-interface basis, you can set the timer value as short as 1 second eras long as 65,535
seconds.
.
alias Adva&iceci IS
Hons
IS-IS Operations
IS-IS Configuration Option?
-
WoHriwide BEtucationServiGes
'
111
[edit policy-options]
userSrouterf show
policy-statement redistribute-routes-into-isis {
term find-other-igp-routes {
from protocol [rip ospf];
then accept;
}
}
You can add routes to an advertised LSP through an export poiicy. A new TLV is added to the update
for each route accepted by the poiicy. These types of policies often match and accept all routes from
a particular protocol. For example, the redistribute-routes-into-isis policy on the slide
advertises all RIP and OSPF routes Into the network.
IS-IS [ iiutes on Ex .
[edit policy-options]
policy-statement example-isis-policy-l {
term set-static-metric {
from protocol static;
then {
metric 40;
tag 68;
accept;
}
Rl R3
r%loO 10.200.0.3
lU. UU.U.d
RIP
V
\ l-:;
:
FM Rt:
loO 10.200.0.2 oO 10.200.0.4 0010.200,0,6
. .
[edit]
Redistribute the RIP userSRl* show polloy-statement redlstrlbnte-rip
term 1 {
route into IS-IS from {
protocol rip;
route-filter 20.20.1.0/24 enact;
>
then accept;
}
[edit]
user@Rl# show protocols
isis {
export redistribute-rip;
)
[edit]
Redistribute the IS-IS user9R2# show policy-statement redlstribute-default
term 1 {
route into RIP from {
protocol isis;
route-filter 0.0.0.0/0 exact;
}
then accept;
)
[edit]
user@R2# show protocols
rip {
export redistribute-default;
>
The next step is to redistribute the default IS-IS route into RIP using an export policy under RIP. We
will use two match conditions again. This policy will be applied under [edit protocols rip].
0 0 0
. . 0/0
. *[RIP/10 0] 00:03:18, metric 2
> to 10.200.5.2 via fe-0/0/1. 210
[1SIS/160] 00:24:48, metric 11
> to 10.200. 62. 9 via fe-0/0/0.221
*
The RIP route is the active route
.
Modify the IS-IS external preference to 90
[edit]
user@R2# show policy-statement rip-prefejreuce
term 1 {
from {
protocol rip;
route-filter 0.0.0.0/0 exact;
}
then {
preference 90;
accept;
By default, RIP has a lower preference than IS-IS external routes. Because RIP has a better
preference, the default route for RIP is preferred. In this sample network, this preference creates a
loop, because the IS-IS routers point to the RIP router as its gateway while the RIP router points to the
IS-IS routers.
To fix the loop, modify the IS-IS route preference to a lower value than the RIP route.
Mutual redistribution
. The default route has been fixed
.
The RIP route is now a higher preference 100 then the
external IS-IS preference 90
user@R2> show route 0/0
0 0 0 0/0
. . . [ISlS/90] 00:03:09,
*
metric Z
> via ge-O/O/ 0. 0
[RIP/100] 00: 19:40,metric 2
> to 10.200.5.3 via ge-0/0/1.210
The Result
The result of the preference change is now a default that points properly to the IS-IS router.
j e Ix eKport'-lxmit J jj
level 2{
ucation Services
To help network administrators when a configuration mistake occurs, the Junos OS allows a limit to
be placed on the number of external routes exported into IS-IS. The prefix-export-limit
command informs the router how many routes to accept using a routing policy configuration. You
configure this option at a specific level using a 32-bit value, which provides a range of routes from 1
to 4,294,967,295. Once the route limit is reached, the router transitions into an overload state
where the bit is set in all link-state PDUs. The external routing information is no longer transmitted in
the link-state PDUs as well. The local router remains in this state until the number of external routes
returns to a level below the configured limit. This requires the administrator to manually change the
existing configuration; either the number of advertised routes must be reduced or the routing policy
must be changed.
Summary
Heview Questiogis
1 .
What is the maximum default IS-IS link metric? Can
this be changed? How?
2 .
What are the different forms of IS-IS authentication?
Review Questions
i.
2 .
3.
L2
-
2
/
® Area 49,1111
L2PDU
L2
L2
Area 49.2222
L2PDU
L2 L2
12 Area 49.3333 Area 49,1111
L2 PDU Area 49.1111
L2PDU
L2PDU
Area 49,2222
L2 Area 49,2222
2 L2PDU :
L2PDU
/
-
Area 49,3333
\ L2 PDU
Ai'os 49 333:-;
L2PDU
\
Area 49,1111
\ Area 49.2222 Area 49,3333
\
L2 = Interface configuration
Also recall that an IS-IS Level 1 LSP can be flooded only within a specific area because a Level 1
adjacency cannot form across an area boundary. Level 2 LSPs include the routing information
carried in Level 1 LSPs, which results in the L2 backbone knowing routes for all areas and levels.
In the example on the slide, routing information from all routers is present in ail databases in the
network. The presence of a single L2 database shared by all routers occurs because all of the
adjacencies in the network are at Level 2, and Level 2 LSPs are flooded both within, and across, IS-IS
area boundaries.
Area 49,4444
LI PDU
Area 49.4444
LI = interface configuration
Worldwide Educati
i :
iiJ
/
L2
LI
L2 LI
/
2
LI
LI
L2 L2
Area 49.5555
LI PDU
Area 49.5555
L2PDU Area 49.7777
LI PDU
Area 49.8666
LI i L2PDU L2 Li
L2
I Area
Area 49.7777
L2 PDU
LI or 12 = Interface configuration
Level 1 routers are isolated from routing changes in other areas, and summarization of Level 1
information prevents Level 2 routers from having to perform a full SPF calculation for topology
changes within a Level 1 area. This isolation and summarization of routing information improves the
scalability of a multilevel IS-IS network.
Operat
An L1/L2 IS-IS network operates in a similar fashion
to an OSPF NSSA with no summaries
. Local LI routes are advertised into Level 2
. External routes can be advertised into an LI area
To provide interarea reachability for Level 1 routers, an L1/L2 router with a Level 2 adjacency to a
router in another area sets its attached bit in its Level 1 LSPs. Level 1 routers install a 0.0.0.0/0
default route to the metrically closest attached router when they detect Level 1 LSPs with the
attached bit set. Note that while each possible metric type (default, delay, expense, and error) is
associated with its own attached bit, the Junos OS supports only the default metric type.
You can disable the generation of a default route by including the ignore-attaohed-bit
statement at the [edit protocols isis] configuration hierarchy.
A tac
L2
e \
Ll
2
ignore-attached-bit
12
Ll
1
.
?
.
L2
In this example, the network operator wants to leverage the built-in LSP flooding scope of a multilevel
IS-IS network to provide some level of isolation in the event that a malformed LSP is generated. For
example, if a malformed Level 1 LSP is generated in area 49.7777, this LSP will not be flooded into
the Level 2 backbone (the contents of Level 1 LSPs are repackaged into a Level 2 LSP for
submission to the Level 2 backbone by an attached router, but the Level 1 LSP itself is not flooded
into Level 2).
Another application for the ignore-attached-bit option relates to the fact that using the
metrically closest attached router might not always yield optimal interarea routing. In these cases it
might be desirable to use a locally defined static or generated route, in which case the IS-IS derived
default route might no longer be needed.
mm
Multilevel Configuration
The siide highlights the topic we discuss next.
protocols {
isis {
interface so-O/O/O.0 {
level 1 disable;
}
interface ge-0/1/0.0 {
level 2 disable;
}
interface loO.O;
}
}
We recommend that you explicitly configure the loO . 0 interface within the IS-IS protocol, even when
the router's NET is assigned to another interface. Although its omission does not harm the
operational aspects of IS-IS (adjacencies still form), the IP address configured on the loO interface
will not be advertised in TLV128 orTLV 135, making the loopback address unreachable. Note that in
most oases you must run the IS-IS protocol on the loO interface for proper operation because the
'
router s NET is normally assigned to loopback Interface for resiliency reasons.
and Level 2 LSPs generated by the router. You can restrict the advertisement of the router s
loopback address in a particular level by disabling that level in the loO. 0 statement in the isis
stanza.
R3 R5
Lv
/
11
Area 49.0001
You configure this policy within the [edit policy-options] configuration hierarchy, and then
apply the policy to the IS-IS instance at the global IS-IS level, that is, [edit protocols isis].
In the example on the slide, the match criterion within the route-leak policy is all IS-IS routes
within the subnet 192.168.16.0/20 that are currently Level 2 routes and are eligible to be sent to
Level 1. Once these routes are found, the configured action is to accept these routes. The use of the
from and to keywords allow granular control about the desired direction of route leaking.
Once the routing policy is applied to the IS-IS protocol using the export route-leak command,
the Level 2 routes are inserted into the Level 1LSP of the L1/L2 border router and are advertised
into the Level 1 area.
Recall from a previous slide that the L1/L2 border router also blocks external Level 1 routes from
being advertised into Level 2. A similar policy is used to advertise Level 1 external routes into the
Level 2 backbone. This new policy simply reverses the Level 2 and Level 1 notations and makes use
of an appropriate route filter statement. Once you apply this policy using an export command, the
external routes are included in the Level 2 LSPs.
For example, consider the case where both router Rl and router R2 are L1/L2 routers in IS-IS area
49.1111. If Rl has a policy to advertise Level 2 routes into Level 1, then Rl will include the Level 2
routes in its Level 1 LSP. As this LSP is flooded throughout area 49.1111 it eventually arrives at R2.
The default action for R2 is to take ali information from its Level 1 database and advertise it into the
backbone using its Level 2 LSP. If R2 advertises the Level 2 routes back into Level 2, a routing loop
can form.
The potential for route leaking-induced routing loops is averted by a bit in the LSP known as the
up/down (U/D) bit. The purpose of this bit is to inform the L1/L2 routers whether a configured policy
can advertise a route. Only routes marked with the up direction are eligible for advertisement from
Level 1 to Level 2. All internal Level 1 routes will have the up/down bit set in this manner. If the
up/down bit is set to down, the route has already been leaked from Level 2 into a Level 1 area and,
as such, the route cannot be sent back into the Level 2 backbone.
then accept;
}
- r:r
-
To advertise the aggregate route, you create a policy similar to the example shown on the slide. This
policy is applied as an export to the IS-IS instance at the global [edit protocols isis] level.
In this example, the goal is to advertise a 172.16.20.0/22 aggregate into the Level 2 backbone to
represent Level 1 external routing information in the Level 1 area.
When summarizing routes from one level into another, you might need to alter the default IS-IS
export policy to ensure that specific prefixes are not advertised along with the corresponding
aggregate. You can accomplish the altering of the export policy with a reject action associated
with a route filter that will match on the specific routes in question.
tudy
i oute mmmmmmmmm.
R3 RL
10.0.4.0/22
L2
LI
Rl
LI
Internal Level 1 routes are automatically advertised in a Level 2 LSP into the Level 2 backbone. The
Junes OS provides a method for altering this default action with a routing policy. The example on the
slide shows that the Level 1 Area 49.0001 contains multiple internal routes within the 10.0.4.0/22
address space. These routes are currently advertised individually to R5, as shown in the following
output:
Administratively, we want to suppress these specific internal Level 1 routes while advertising a single
10.0.4.0/22 summary in their place. We accomplish this configuration by using a combination of a
routing policy and a local aggregate route defined on R3.
Worldwitio EtluoationServiues
After applying the internal-Ll-summary-route policy asan export policy in R3's IS-IS
instance, we can confirm its success on R5:
}
interface at-0/2/1.0 {
level 2 disable;
}
interface loO.O;
When wanted, you can apply multiple export policies to the same IS-IS instance. The same effect is
normally possible through the use of a single policy containing multiple terms, but In some cases it
might be easier to reuse existing policies in such a manner. Note that normal policy processing will
proceed from left to right, and that policy processing will terminate once a given route meets with
either an accept or rej ect action.
mMmmmry
.
Configuration and monitoring a multilevel IS-IS network.
Review Questions
3 .
Where is IS-IS route leaking performed? What steps
are needed to accomplish this leaking?
4 . Where is IS-IS route summarization performed?
How is this route summarization accomplished?
What types of routes can be summarized?
i
,
/:
- . .
Review Questions
i .
2 .
3 .
Chapter 8: BGP
Advanced Junos Service Provider Routing
Chapfer Objectives
.
The route selection process;
-
>Review of BGP
BGP Operations
BGP Path Selection and Options
Configuration Options
Review of BGP
The slide lists the topics we cover in this chapter. We discuss the highlighted topic first.
mmmM
1
!
BdP AS 65504
S
!
&
1 AS 65503
Note: BGP Is an IETF standard defined in RFC 4271 (supersedes RFC 1771).
What Is BGP?
The Border Gateway Protocol (BGP) is a routing protocol between autonomous systems (ASs) and is
sometimes referred to as a path-vector routing protocol because it uses an AS path, used as a
vector, to prevent interdomain routing loops. The term path vector, in relation to BGP, means that
BGP routing information includes a series of AS numbers, indicating the path that a route takes
through the network. Although BGP is primarily used for inter-AS routing, BGP is also used in large
networks for MPLS-based VPNs and is used to separate large OSPF domains. BGP is much more
scalable and offers a greater amount of control through policy than an IGP.
BGP exchanges routing information among ASs. An AS is a set of routers that operate under the
same administration. BGP routing information includes the complete route to each destination. BGP
uses the routing information to maintain an information base of Network Layer reachability
information (NLRI), which it exchanges with other BGP systems.
BGP is a classless routing protocol, that supports prefix routing, regardless of the class definitions of
IPv4 addresses. BGP routers exchange routing information between peers. The peers must be
connected directly for inter-AS BGP routing (unless certain configuration changes are done). The
peers depend on established TCP connections, which we address later in this chapter.
BGP version 4 (BGP4) is essentially the only exterior gateway protocol (EGP) currently used in the
Internet. It is defined in RFC 4271, which made the former standard of more than 10 years,
RFC 1771, obsolete.
mm: m©
AS 65502
CustomerA
Single-homed customers
typically use a default route
BGP to the Internet.
AS 6550]
Customer B
s
/
Static Routing
AS 65503
Networks with a single upstream connection receive little benefit from running a dynamic routing
protocol with their Internet service provider (ISP). These customers typically use a static default route
to send all external traffic toward the Internet. Their provider also typically uses a static route to
direct traffic destined for the customer's addresses to the customer. Normally, a single-homed
'
network uses addresses assigned by the provider from the provider s aggregate. Because these
addresses are assigned to the provider and can only be used by the customer while they are a
customer of the provider, they are known as nonportable addresses. Using these addresses allows
the provider to announce a single aggregate route for many customer networks, reducing global
routing table growth. Currently, the Internet routing table contains hundreds of thousands of routes,
which highlights the need for a scalable and robust protocol such as BGP.
BGP is normally used when a network has multiple upstream connections, either to a single ISP or to
'
multiple ISPs. BGP s policy controls provide the ability to optimize inbound and outbound traffic flows
based on a network's technical and business constraints. Although BGP can detect and route around
failures In redundant environments, BGP sessions within the same AS do not typically react as
quickly as an IGP, and they often rely on the IGP used in the AS to remain operational when failures
occur.
Networks that are multihomed to a single ISP likely use nonportable addresses assigned by the
provider. Networks that are multihomed to multiple ISPs are likely to use portable addresses
assigned directly by the regional address registry.
V .
I
i
IGP ® EBGP IGP
1
AS 65501 AS 65504
IGP
IBGP
AS 65503
'
: : ,; ; .
BGP supports two different types of exchanges of routing information. Exchanges between ASs are
known as external BGP or EBGP sessions and handle inter-AS routing. Exchanges within an AS are
known as internal BGP or IBGP sessions, and handle intra-AS routing.
An EBGP peer connection is between a device in one AS and another device in a different AS. The
connection between the two ASs consists of a physical connection and a BGP connection. The
physical connection is a shared Data Link Layer subnetwork between the two ASs. On this shared
subnetwork, each AS has at least one border gateway belonging to that AS. The BGP connection
exists between BGP speakers in each of the ASs. This session can communicate destinations that
can be reached through the advertising AS. The EBGP connection typically is established between
immediately connected devices located in two different ASs because the time-to-live (TTL) value of
the EBGP packets is equal to 1, by default.
An IBGP connection is typically established between loopback interfaces of the routers not
immediately connected (of course, everything depends on the AS's topology). BGP uses the loopback
interfaces for stability reasons-these interfaces are always alive, unless the router itself dies.
Because the IBGP connection typically exists between remotely connected routers, an IGP is required
'
within the AS. BGP s TCP session is established using regular routing tables.
BGPNeighborStates
TCP Connectivity
Idle OpenSent
Connect OpenConfinn
Active Established
Rl R2
m -
TCP Connectivity
BGP Connectivity V
'
EsS biiihedNei
'
PGf lAorlriviiiletiliic-iiioriScriioei
BGP uses TCP as its transport protocol (port 179). TCP provides a full-duplex connection-oriented,
,
reliable, byte-stream service to BGP. BGP considers a connection between two peers to be idle until a
TCP connection is established between them. With the TCP connection established, the endpoints
are assured of a reliable connection. The following list describes the various BGP neighbor states:
Idle: The Idle state is the initial state when ail incoming BGP connections are refused. A
start event is required for the local system to initialize BGP resources and prepare for a
transport connection with the other BGP peer.
Connect: In the Connect state BGP Is waiting for the transport protocol connection to
,
be completed. If the transport protocol connection succeeds, the local system sends an
Open message and transitions to the OpenSent state. If the transport protocol
connection fails, the local system restarts the ConnectRetryTimer, searches for a
connection initiated by the remote BGP peer, and changes its state to Active.
Continued on the next page.
system s BGP state remains in the Active state, you should check physical connectivity
as well as the configuration on both peers.
OpenSent: In the OpenSent state, BGP waits for an Open message from its peer. When
an Open message is received. It is checked and verified to ensure that no errors exist. If
an error is detected, the system transitions back to the Idle state. If no errors are
detected, BGP sends a Keepalive message.
.
OpenConfirm: In the OpenConflrm state, BGP waits for a Keepalive or Notification
message. If no Keepalive message is received before the negotiated hold timer expires,
the local system sends a Notification message stating that the hold timer has expired
and changes its state to Idle. Likewise, if the local system receives a Notification
message. It changes its state to Idle. If the local system receives a Keepalive message,
It changes Its state to Established.
Established: In the Established state, BGP can exchange Update, Notification, and
Keepalive messages with its peer. When the local system receives an Update or
Keepalive message and when the negotiated hold timer value Is nonzero, it restarts its
hold timer. If the negotiated hold timer reaches zero, the local system sends out a
Keepalive message and restarts the hold timer.
mm:-
Open Keepalive
Update Notification
Refresh
Rl R2
© -
TCP Connectivity
BGP Connectivity V
V
Open: The open message is sent once the TCP three-way handshake is complete. The
open message initiates the BGP session and contains details about the BGP neighbor
and information about supported and negotiated options.
Update: BGP uses update messages to transport routing information between BGP
'
peers. Depending on the receiving device s routing policy, this routing information is
either added to the routing table or ignored.
Keepalive: BGP does not use keepalives at the Transport Layer-TCP fills this need.
Instead, peers exchange keepalives as often as needed to ensure that the hold timer
does not expire.
Refresh: Normally a BGP speaker cannot be made to readvertise routes that have
already been sent and acknowiedged (using TCP). The route refresh message supports
soft clearing of BGP sessions by ailowinga peer to readvertise routes that have already
been sent. This soft clearing has some very specific uses when working with
MPLS-based VPNs and adding new customer sites to existing customer VPN structures.
Each BGP message uses the same fixed size header, which is 19 bytes. BGP keepalive messages do
not include any data portion following the header.
e
Rl RouteX R2 RouteX fo
BGP uses TCP to provide reliable communication, which ensures that BGP neighbors never miss an
update. A system of keepalives also allows each BGP peer to ensure that its neighbor is still
functioning properly. If a neighbor goes down, the BGP speaker deletes all routes learned from that
peer and updates its other peers accordingly.
BGP uses the information within the update messages, in particular the BGP attributes, to detect
routing loops and determine the best path for a given destination prefix.
Route X
e RouteX
Rl R3
R2
BGP Attributes
The primary purpose of BGP is not to find the shortest path to a given destination; rather, its purpose
is to find the best path. Each AS determines the best path to a prefix by determining its own
'
outbound routing preferences, the inbound routing preferences of the route s originator (as updated
by ASs along the path between the source and destination ASs), and some information that is
collected about the path itself. All this information is contained in path attributes that describe the
path to a prefix. The path attributes contain the information that BGP uses to implement the routing
policies of source, destination, and transit ASs.
The slide lists some common BGP attributes. We cover the listed attributes in greater detail on
subsequent pages.
ligh- '
"
ISP A ISPC
(AS 65001) (AS 65003)
V
Static default
route to ISP A
Static route to Customer A
v
..
....
Because Customer A is a single-homed network, it has a static default route to reach all destinations
on the Internet through its connection to ISP A. Likewise, ISP A has a static route to reach Customer
'
A s prefix.
A9 s ¥mmmm
0 I can reach
16
172.20.0.0/16
'
r
:
R3
Hi :
ISP A R4
(AS 65001)
V I
X
/
Rl
The slide highlights a portion of ISP A's network. Internally, ISP A maintains reachability information
for each prefix within its aggregate address range. Therefore, every router in ISP A has knowledge
about the /24 prefix assigned to Customer A. This reachability information can be maintained by
either an IGP or by IBGP.
Even though ISP A has reachability information about each prefix internally, it advertises the
aggregate prefixes externally only. Because other networks use the same path to reach all prefixes
'
available on ISP A s network, other networks do not need the more specific information. To reduce
the size of the global routing table, ISPs typically do not transmit the prefixes of their statically routed
customers to their peers; rather, they just transmit the aggregate prefixes from which their
addresses are assigned.
172,20.0.0/16 is reachable
172.20,0.0/16 is reachable through AS 65003, AS 65002
ISPB and AS 65001
through AS 65001
(AS 65002)
AN
ISP A ISPC
.
A
BGPto ISP B
rx
CustomerB
Custom erA
(AS 65501)
172.31.128.0/20 is reachable
ISPB through AS 65003 and AS
(AS 65002) 65501
ISP A ISPC
(AS 65001) (AS 65003)
172.31.128.0/20 is
\\ reachable through AS
.
A
Defaultstatic route 65501
A
.
Wprldwicle EducatlonServio
ISP A does not have a BGP session to Customer A, so Customer A does not receive any routing
information for Customer B's prefix. However, receiving the route information is not necessary
because Customer A has a static default route that directs all Internet-bound traffic to ISP A. Once
the traffic reaches ISP A, ISP A follows the BGP-received route to Customer B.
Cus
ISP B chooses the best path and
advertises only that path
A
.
ISPC
Ts 172.31.128.0/20 is
w \\ reachable through
AS 65501
Default static route
\ %
Customer B advertises its f CustomerB
Customer A
172.31.128.0/20 network (AS 65501)
through BGP to ISP B and ISP C
6f i\orlilwicle tlo
Customer B decides to add a connection to ISP B. Therefore, Customer B now advertises its prefix to
both its providers. In this example, ISP B receives routing information for Customer B's prefix both
from ISPC and directly from Customer B. ISP B chooses one of the paths as the best path and places
a corresponding route for the prefix in the routing table. It then advertises the prefix with the
associated path attributes to ISP A. Because ISP B chose the path directly to Customer B as the best
path, it advertises the path attributes associated with that advertisement to ISP A. Note that it
advertises an AS path that reflects that it can directly reach Customer B and does not include any
information about ISP C. Because the path through ISP C was not chosen as the best path, ISP B
does not send ISP A any of the path attributes associated with the advertisement from ISP C.
If ISP B ceases to hear the announcement about Customer B's prefix directly from Customer B (for
example, because the circuit fails), it will begin using the path it received from ISP C and will send
updated announcements to its peers to reflect the new path.
Although not shown. Customer B now also receives two advertisements for ISP A's aggregate. It
chooses one of those advertisements as the best path and installs a corresponding route in the
routing table.
We cover the path selection process and many of the BGP attributes in greater detail later in this
chapter.
v AS 65503
I
\ ibgpV1
If failure occurs, loopback-
| based IBGP sessions stay up
over workinglinks
Loopback Peering
You maintain only one iBGP session between each internal peer. The IGP is used to maintain
reachability between the loopback addresses regardless of the physical topology, allowing the IBGP
sessions to stay up even when the physical topology changes.
The physical topology is relevant in one respect: each router along the path between BGP speakers
must have enough information to make consistent routing decisions about packet forwarding. In
many cases, this requirement means that all routers along all possible physical paths between BGP
speakers must run BGP; however, in some networks this requirement is not necessary.
Interface Peering
Recall that EBGP sessions are simply BGP sessions between two routers in different ASs. When two
EBGP peers have a single path between them, EBGP sessions are usually established over the
shared subnet between two peers, using the IP addresses assigned to the interfaces on that subnet
as the session endpoints. By establishing the EBGP session using the IP address assigned to the
interfaces on the shared subnet, you gain many advantages. One of these advantages is that you
prevent either AS from needing to maintain any routing information about the other AS (besides what
it received through BGP). You also ensure that all traffic flows over this particular shared subnet.
! ' - .'IP
[edit]
user@router# show routing-options
router-id 192 168 .100 .1;
autonomous-system |65503?| *--- Device s assigned AS number
[edit]
user@router# show protocols bgp
group jint-essoTI { BGPgroup names are user-defined
type [internai; |
local-address 192.168.100.1;
neighbor 192.168.100.2;
BGP session type determines if the
group ext-65501 { peeringsession is IBGP or EBGP
type laxternalTI
peer-as |65501; | EBGP peer s assigned AS number
neighbor 172.30.1.2;
Configuring BGP
The slide illustrates the sample configuration.
In this configuration example, we see some parameters defined under the [edit
routing-options] and [edit protocols bgp] hierarchies. Under the [edit
'
routing-options] hierarchy, we defined the system s router identifier (RID) and the local AS
number. Optionally, you can configure the system's local AS number under the global BGP hierarchy
for a specific BGP group, or, for a specific BGP neighbor, use the local-as configuration option.
When the AS number is configured at multiple hierarchy levels, the AS number specified at the most
specific hierarchy level is used. The ability to specify different AS numbers at different hierarchy
levels can be quite useful, especially when merging networks with different AS numbers.
Because we are using loopback-based peering for the internal BGP group, we must reference
loopback addresses in the related BGP configuration. In this case, the neighbor address is the
'
remote peer s loopback address. The local-address is the local device's loopback address. If
the local address is not specified, the system uses the interface address of the egress interface
used to reach the referenced peer address. Because the peer is expecting to form an IBGP peering
session using the 192.168.100.1 address, you must specify that address as the local-address
in the configuration.
z mm
type internal;
local-address 192.168.100.1;
neighbor 192.168.100.2;
(
group ext-655 01 (
type external;
peer-as 65501;
neighbor 172 .30 .1.2 (
jauthentication-key juniper; Neighbor Level
)
>
BGP Authentication
All BGP protocol exchanges can be authenticated to guarantee that only trusted routing devices
'
participate in the AS s routing. By default, authentication is disabled. You can configure IV1D5
authentication. The IVID5 algorithm creates an encoded checksum that is included in the transmitted
packet. The receiving routing device uses an authentication key (password) to verify the packet's
MD5 checksum.
ISP
Review of BGP
-
>BGP Operations
BGP Path Selection and Options
Configuration Options
BGP Operations
The slide highlights the topic we discuss next.
BGP uses three different storage tables known as routing information bases (RIB) as databases to
maintain routing knowledge. A separate Adjacency-RIB-IN table exists for each established BGP peer
to store all routes received from that peer. The RIB-LOCAL table is where BGP stores routes used for
traffic forwarding. A separate AdJacency-RIB-OUT table is also created for each established BGP peer
to house the routes that are to be advertised to that peer.
BGP can move only active BGP routes in the routing table into the Adjacency-RIB-OUT tables and
advertise them to BGP peers. In addition, BGP places only the single, best BGP path to each
separate IP route destination in the RIB-LOCAL and Adjacency-RIB-OUT tables.
At times, the best BGP path might not be advertised to a peer because the local router's routing
table rules. For example, if the router knows about a particular route through both 1S-IS and BGP, the
IS-IS route will be active in the local routing table because of the default Junos OS protoco
preference values. Therefore, the BGP version of that route is not sent to any peers because BGP
advertises only active routes (routes used by BGP). To override this default action, you can use the
advertise-inactive command. This command always forces the advertisement of the single,
best BGP path to any destination, regardless of whether the route is currently active in the local
routing table.
BGP
BGP
, y igp v.
-
BGP
AS 65502 AS 65503
By default, only active BGP routes are advertised. The slide illustrates the default BGP advertisement
rules. The rules are as follows:
1 . IBGP peers advertise routes received from EBGP peers to other IBGP peers.
2 . EBGP peers advertise routes learned from IBGP or EBGP peers to other EBGP peers.
3 . IBGP peers do not advertise routes received from IBGP peers to other IBGP peers.
The purpose of the advertisement rules is to prevent routing loops on a BGP network.
GP Route Propagation
AS 65502 l A
In the example on the slide, a full mesh of IBGP sessions does not exist. Rl receives the
announcement through an EBGP session. Because it is the best route it has for that prefix, it
propagates the route to its IBGP peer R2. R2 also determines that route to be its best path for the
prefix; however, it does not send the route to its IBGP peer R3. Because it received the route through
IBGP, it cannot send the route to any IBGP peers. Therefore, R3 does not receive or install a route for
the prefix advertised from AS 65502. This situation can be alleviated by adding an IBGP session
between Rl and R3. (It is irrelevant whether the two routers are directly connected.)
If IBGP routers readvertise IBGP routes to other IBGP peers, a loop would form. Because the AS path
is not updated by each router, but rather only when the associated prefix is advertised to an EBGP
peer, the AS path cannot be used to detect loops for BGP routes advertised within an AS. For this
reason, BGP enforces advertisement rules that require the full-mesh peering of IBGP routers to
ensure consistent routing information on all IBGP routers within the AS.
Using route reflectors or confederations can also alleviate this situation, both of which can reduce or
alleviate the full-mesh requirement. Route reflectors and confederations will be covered in a later
chapter of this class.
mmmm
AS path: 2 I
BGP next hop: 10. 10. 1. 2
Localpref: 10 0
Router ID: 192.168.10.1
Hidden Routes
You might expect ail routes received from a BGP peer would be installed in the RIB-LOCAL table and
be visible using the show route protocol bgp command. But hidden BGP routes occur for
several reasons:
Unresolvable Next-Hop
The most common reason for hidden BGP routes is an unresolvable next-hop. The BGP Update
message contains a protocol next-hop IP address. If the router cannot resolve this address using its
routing table, the route cannot be used and is not installed in the routing table.
The number of hidden routes is always shown in the output of the show route command. To view
why routes are hidden, issue the show route hidden extensive command.
®/{I} 172.24.1.0/30
You can send the appropriate external routes Into the IGP, if wanted; however, using the next-hop
self action in a policy has some advantages. Using the next-hop self action in a policy causes
the router to send BGP routes to Its peers using the same IP address it uses to establish that BGP
session. For the BGP session to remain established, the peer must have a route to that IP address.
Therefore, using next-hop self guarantees that a router's peers can reach the next hop of the
routes that router sends, as long as the BGP session remains established.
lap mmMmnem
The most commonly used (and recommended) solution is next-hop self. With this solution,
when a BGP router advertises an EBGP-learned route to an IBGP peer, it alters the BGP next-hop
'
attribute. The next-hop attribute s IP address of the remote EBGP peer is replaced with the IP
address of the BGP router itself. Because the IBGP session was most likely established using the
'
peer s loopback address, this new BGP next-hop value is reachable, and the advertised BGP route
can be used. We create next-hop self by using a policy to match specific routes with an action
of changing the next-hop attribute vaiue. The Junos OS then applies this policy as an export policy to
any IBGP peers.
The next two options listed (export direct routes and IGP passive) are almost identical in their results.
The difference between the two is in the approach that each takes to provide reachability. With
export direct, the IGP operating in the AS with a routing policy advertises the address assigned to the
point-to-point link between the two EBGP peers to all IBGP peers.
With IGP passive, the IGP is configured on the inter-AS link and advertises the interface addresses,
but forms no adjacency (it is passive). Both methods inject the interface addresses into the local
routing table for the IGPto use.
An IGP passive interface allows the local IGPto advertise the subnet on a particular interface without
forming an adjacency at the IGP level to the remote EBGP peer. This has the advantage of not using
a policy, but it requires explicit configuration for each interface and subnet address that you want to
advertise.
The last two options listed on the slide {static routes and forming an IGP adjacency relationship with
the remote EBGP router) have some severe disadvantages, but they both work.
Static routes have an inherent scalability problem. You must configure each IBGP router in the
network for a single static route for each remote EBGP peer. The more EBGP peers in the network,
the more static routes required. The more IBGP peers in the AS, the more places that additions and
changes must be made. Clearly, this is notareal world option.
With regard to the full IGP adjacency between AS networks, although reachability information can be
provided by forming an IGP relationship with the remote EBGP peer, we do not recommend this
practice because of the very trusting nature of the IGP protocols. Once this adjacency is formed, the
protocol accepts any routing information the remote EBGP peer provides. This behavior is very
dangerous because the remote AS might inject bad information into your network. In addition, this
method potentially violates the entire idea of having autonomous (independent of the IGP) systems
in the first place.
Agetida
Review of BGP
BGP Operations
-
UniPe" VmlrlwideEclui
uDation Services
Before the Junos OS installs a BGP route in the routing table, the route preference Is evaluated.
Remember that the route preference can be changed through policy so the route preference can
differ for the same prefix learned through different BGP paths. If the route preference for a BGP
prefix learned through different BGP paths differs, the BGP route with the lower route preference is
selected. Note that this evaluation occurs prior to the BGP selection process outlined on the slide.
When a BGP route is installed In the routing table, it must go through a path selection process if
multiple routes exist to the same destination prefix and the route preference is the same. The BGP
path selection process proceeds in the following order:
1 . The router compares routes for the/i/ghest local preference (the only choice based on a
higher, rather than lower, value).
2 . The router evaluates the AS-path attribute next, where a shorter path is preferred. This
attribute is often a common tiebreaker for routes.
3 . The router evaluates the origin code. The lowest origin code is preferred: ( I [IGP] < E
[EGP] < ? [Incomplete]).
10.222.29.2/24 (AS 2)
The Junos OS also utilizes the link bandwidth extended community to unequally load-balance traffic
in conjunction with the multipath command. If used, data packet forwarding is performed in a
proportional manner to the bandwidth advertised in the extended community.
The multipath command allows multiple copies of a route from the same remote router. It also
allows multiple copies of a route from two different routers in the same AS (either a local or remote
AS). The entire concept centers around resiliency and redundancy.
+ = Active Route, -
= Last Active, * = Both
* 100
172.16.20.8/30 B 170 >10.222 28 2 2 I
* 100 2
172.16.20.12/30 B 170 >10.222 28 . 2 I
* 170 100
172.16. 20.16/ 30 B >10.222 28 .2 2 I
1:- iiraytipatli
Configure multipath on Rl
The configuration of the Rl router now contains the multipath command within the peer group for
AS 2. After committing the configuration, we examine the contents of the locai routing table. We still
see the four routes advertised from AS 2 and each listing of the prefix still contains two versions of
,
the route. As before, the routes from the R2 router are marked active while the routes from the R3
router are marked inactive.
The effect of the multipath command on the routes from AS 2 is that the next hop for the routes
from R3 (10.222.29.2) are now added to the version of the route from R2. The next-hop information
for the inactive route version does not change in this environment.
As each active route now has two next hops in the routing table, the default Junos OS load-balancing
process can be used. Each route has a single next hop selected, and this single next hop is placed
into the forwarding table. All traffic for each route uses just that single next hop. The overall benefit
of this system is the total amount of traffic sent from AS Ito AS 2 can now be load-balanced over the
two inter-AS links. In our small example, just the 172.16.20.16/30 route is using the 10.222.29.2
next hop, while the other three routes maintained the 10.222.28.2 next hop. As more routes are
announced between the AS networks, the selection of the next hops becomes more evenly
distributed.
Although not shown on the slide, you can also see the effects of using multipath in the output of the
show bgp summary command. The route information from both R2 and R3 now appears as
4/4/0. The routes from R2 are active while the next-hop values from R3 are also used to forward
user traffic.
1 I
Rl jtff*. 10,10,1,2/24 10,10,1,1/24 Jgflh R2
(AS1) (AS 2)
10,10 2,2/24 10,10,2,1/24
First, each router must establish the peeringsession with the loopback address of the remote router.
You can configure this session using the local-address command, which alters the peer address
header Information In the BGP packets. Second, use the multihop command to alter the default
use of the neighbor's physical Interface address. In addition, you can also specify a time-to-live (TTL)
value In the BGP packets to control how far they propagate. On the slide, we use a TTL value of 1 to
ensure that the session cannot be established across any other backdoor links in the network. Third,
'
each router must have IP routing capability to the remote router s loopback address. As the slide
shows, we often accomplish this capability by using a static route to map the loopback address to
the interface physical addresses.
Note that when multihop is configured, the Junes OS sets the TTL value to 64, by default. You can
specify a TTL value explicitly to limit the scope of the EBGP session. Note that a TTL value of 1 Is
sufficient to enable an EBGP session to the loopback address of a directly connected neighbor
because the IP TTL is decremented for egress traffic only, and this traffic will be considered destined
for the local RE.
mmm 1
The slide shows the BGP route of 172.16.20.4/30, which is active in the routing table. This route has
two possible next hops it can use to forward traffic-10.10.1.1 and 10.10.2.1. It has currently
selected the 10.10.1.1 next hop, which we verify in the forwarding table with the show route
f orwarding-table command. The router output shows this single next hop in the table with a
type set to ucst, for unicast transmission.
indr 106 2
10. 10. 1. 1 ucst 47 4 fe-0/0/0. 0
indr 107 2
Load Balancing
You can alter the default behavior of the Junos OS to install a single next hop per route in the
forwarding table with a routing policy. The policy should contain the action of then
load-balance per-packet and be applied as an export policy to the forwarding table within
the [edit routing-options] configuration hierarchy.
After committing the configuration, we see the same 172.16.20.4/30 route in the routing table of
the local router. The same protocol information is displayed and again, a single next hop has been
selected. This selection mechanism is not affected by our load-balancing policy, so we cannot verify if
it is working by examining the routing table. Instead, a look at the forwarding table shows the
outcome of our policy. Both the 10.10.1.1 and the 10.10.2.1 next hops are listed as valid outbound
interfaces for the 172.16.20.4/30 route. Traffic destined for this route is now forwarded across both
available next hops using a microflow hashing algorithm. The default inputs to the microflow hash
are the incoming router interface, the source IP address, and the destination IP address. You can
modify the inputs to the hashing algorithm at the [edit f orwarding-options hash-key
family inet] configuration hierarchy. Specifying the layer-4 command at this configuration
hierarchy incorporates Layer 4 source and destination port Information into the hash key.
: W
Review of BGP
BGP Operations
BGP Path Selection and Options
Configuration Options
Configuration Options
The slide highlights the topic we discuss next.
'
¥m : " .j 7 j<r c -
ptions(1 of S)
passive Option
By default, a local router initiates a BGP open message to the remote router to establish the session.
The passive command stops this default action, and no open message is sent. The IP address and
AS of the remote peer are still configured, but the remote router must initiate the BGP session.
allow Option
The related option of allow also stops the sending of a BGP open message to the remote router. In
addition, the allow command also relaxes the requirement of explicitly configuring the remote
'
router s IP address by allowing you to define a subnet range for connections. BGP processes any
open message received from an IP address within the configured range and initiates a session with
that remote router.
urat fi ]
negotiation process
[edit protocols bgp]
group ext~peers {
type external;
hold-time 45;
peer-as 2;
neighbor 10.10.10.1;
}
firacsffai l#©tart
m
R3and R6are notawarea
restart event occurred.
Graceful Restart
Graceful restart (GR) addresses the situation described on the previous siide. GR allows a router
undergoing a restart event, including a restart of the routing protocol process (rpd), to inform its
adjacent neighbors and peers of its condition. The restarting router requests a grace period from the
neighbor or peer, which can then cooperate with the restarting router. When a restart event occurs
and GR is enabled, the restarting router can still forward traffic during the restart period, and
convergence in the network is not disrupted. The neighbors or peers of the restarting router, also
known as helper routers, hide the restart event from other devices not directly connected to the
restarting router. In other words, the restart is not visible to the rest of the network, and the
restarting router is not removed from the network topology.
The graceful restart request occurs only if the following conditions are met:
The network topology is stable;
The restarting router is not already cooperating with another restart already in progress;
and
.
Local router defers path selection algorithm until the
marker is received
ForwaidingPlane
-
Packets In PacketsOut
Packet Forwarding Engine
GR Support
As shown on the slide, GR is supported by several standards-based protocols. A number of RFCs and
drafts exist that document the operational details for GR and each of the protocols for which GR is
supported. While these different protocols implement GR slightly differently, the basic concepts and
operations are the same from a high availability point of view.
GR Requirements
Routers must have GR enabled to support both GR router modes-the restarting router mode and
helper router mode. By default, Junos devices can operate as helper routers but not as restarting
routers; restarting router mode functionality must be enabled through configuration. We cover GR
configuration on subsequent slides.
In addition to having the GR functionality enabled, the router must support nonstop forwarding
operations, which simply means the router must be able to continue forwarding traffic during times
of control plane instability. Nonstop forwarding is an inherent attribute of Junos devices because of
the architectural design, which cleanly separates the control and forwarding planes.
Conf m i1 A I
GR helper mode is enabled by default
.
You can disable GR helper mode globally at
the [edit routing-options] hierarchy or on a
per-protocol, per-group, or per-neighbor basis
(depending on the protocol)
[edit]
user@Rl# show routing-options
graceful-restart (
disable; « Disables helper mode globally for
) all protocols that support GR
[edit]
user@Rl# show protocols bgp
graceful-restart; « Enables helper mode for BGP
group my-group {
type internal;
local-address 192.168.1.1;
Note: The most specific application is preferred,
neighbor 192.168.1.2;
neighbor 192.168.2.2 (
graceful-restart {
disable; < Disables GR for BGP peer
}
)
)
[edit]
Liser@Rl# show protocols bgp
Enables restarting router mode for all g race ful-re sta rt;
protocols that support GR group my-group {
type internal;
local-address 192.168.1.1;
neighbor 192. 168. 1.2;
neighbor 192. 168. 2.2 (
graceful-restart {
>- disable;
Disables GR for BGP peer
}
configuration used to enable GR s restarting router mode globally and for all protocols along with a
sample configuration that disables GR for a specific BGP peer.
AS 65002
AS 65003
192.168.19.0/24
Rl
100=192.168.40.1
Local preference
[edit]
user@R2# set protocols bgp group int-peers local-preference 300
The exception to this rule are any routes whose attributes are modified by an applied routing policy.
These routes abide by the action defined in the policy and take precedence over the configured
value. In other words, the configuration option is applied before the routing policy Is applied for all
outbound BGP routes.
; remove-private
192.168.17.0/24: 1000
192.16818.0/24: 1000
192.168.19.0/24: 1000
Internet
® remove-private
AS 1000
IPef Work
One example of this type of configuration option is the remo-ve-private configuration statement.
This keyword allows an ISP to remove private AS numbers from paths received from BGP customers
when those customers are using private AS numbers. Because the customers are effectively within
the administrative scope of the ISP, the provider is allowed to remove the private AS numbers from
the path.
In the slide, AS 1000 has three different customers connected using BGP. The customers are using
AS 65001, AS 65002, and AS 65003 for the BGP peer communications. Within AS 1000, each of the
BGP routers sees the private AS numbers within the path.
You should not use this option in a BGP confederation network. We describe why the remove private
option should not be used with BGP confederation in a subsequent chapter.
. - Path: 1 , ,
Internet
172.16.10.0/24: 1222
172.16.12.0/24: 1333
AS1
172.16.10.0/24: 222
172.16.12.0/24: 333
AS 222 6333
Consider the normal BGP AS path operation first. AS 1 has two customers for which it provides
service: AS 222 and AS 333. As AS 1 announces these routes from AS 222 and AS 333 on to the
Internet, AS 1 injects its own AS number (1) into the AS path attribute, as the BGP RFC expects.
AS 777
172.16.10.0/24: 1222
172.16.12.0/24; 1333
172.16.10.0/24: 777 1 222
local-as 1
Mr
Internet
172.16.10.0/24; 222
172.16.12.0/24; 333
AS 222 AS 333
172.16.10.0/24 172.16.12.0/24
Suppose the resulting merged organization decides to use AS 777 as the official AS to represent
both networks on the Internet. To ease in the migration of the customer BGP configurations from
AS 1 to AS 777 the edge routers can use the local-as 1 configuration option.
,
The effect of this option is that the customer routes within AS 777 see both AS 1 and the customer
AS numbers (AS 222 and AS 333). As AS 777 advertises those routes to the Internet, it prepends its
own value of AS 777 onto each of the routes.
Therefore, even though AS 1 has been merged into AS 777, AS 1 still shows up on the paths sent to
the Internet.
.
-
as (3 of 3)
AS 777
172.16.10-0/24
172.16.12.0/24: 333
172.16.10.0/24; 777 222
local-as 1 private
r
Internet
172.16.10.0/24; 222 :
172.16.12.0/24: 333
AS 22 A3 333
172.16.10.0/24 172.16.12.0/24
JfMS:
On the slide, the edge router in the formerly intact AS 1 is configured with the option of local-as
1 private. As the edge router advertises the customer routes into AS 777, AS 1 information is
removed from the AS path attribute, as shown on the slide. At this point, the AS 777 routers, as well
as the Internet, have no knowledge of AS 1.
The local-as 1 private statement now has indeed removed AS path information. Again, this
example applies to a type of special case and should not be used arbitrarily to attempt to change AS
path information received from another AS.
as-override
10,222,4,2
AS 65022
10,222,4,1
172.16,10.0/24
AS 65432 AS 65022
/ ,.
.
-
as-override
[edit]
user@AS65432# set protocols bgp group AS-65022 as-override
AS 65432 is providing transit service to AS65022, which peers at two different locations. For
reasons that we do not discuss here, the two portions of AS 65022 do not have any other peering
links between them. In fact, these two sections of the network rely on AS 65432 for reachability
information to the other half of the AS.
By default, the router on the right-hand side of AS 65432 only prepends its own AS a single time
before advertising the 172.16.10.0/24 route to AS 65022. Unfortunately, this route is never received
by the peering router because of an AS path loop. After all, AS 65022 is already in the AS path. The
EBGP peer in AS 65432 alters its configuration with its peer in AS 65002 to include the
as-override command. This command allows the router in AS 65432 to examine the AS path
before advertising the route and look for any instances of AS 65022 already in the path. Should it
find any, they are replaced with the peer's own AS, 65432 in this case. The EBGP peer then performs
the default prepend action before advertising the route. The router in AS 65022 now receives the
route without an AS path loop and installs it in its local routing table.
: S Path: loops
AS 65022
AS 65432
172.16.10.0/24
AS 65022
[edit]
user(?AS65 022# s&t routing-options autonomous-system 65022 loops 2
The configuration option used in this example is performed on the router in AS 65022 itself. The
optional keyword loops is appended to the autonomous-system command within the [edit
routing-options] configuration hierarchy. This keyword allows the local AS number to appear
multiple times in the path. The route can then be received by the router in AS 65022.
This scenario also requires the EBGP peer in AS65432 to be configured with the
advertise-peer-as command. Otherwise, routes learned from one instance of AS 65022 will
not be advertised to the second instance of AS 65022.
mmmmfsf
.
Explained the route selection process for BGP
.
Described how to alter the route selection process
.
Configured some advanced options for BGP peers
.
The route selection process for BGP;
.
The alteration of the route selection process; and
Review Questions
1 .
What are the advantages of loopback peering for
IBGP sessions?
Review Questions
i.
2 .
3.
4 .
5 .
Lab 7: BGP
lion Service
>BGP Policy
Next Hop
Origin and MED
AS Path
BGP Policy
The slide lists the topics we cover in this chapter. We discuss the highlighted topic first.
You can use each of the BGP attributes as a match criterion for a policy and you can modify each
,
attribute using a poiicy action. You can further decide to act on a BGP attribute based on whether it
is an EBGP or IBGP route. To understand better where BGP import and export policies are applied to
BGP routes, we detail the process of how a router uses BGP routes.
BGP uses three different storage tables, known as routing information bases (RiBs) as databases to
,
maintain routing knowledge. A separate RIB-iN exists for each established BGP peer to store all
routes received from that peer. A RIB-LOCAL is where BGP stores routes used for traffic forwarding. A
separate RIB-OUT exists for each established BGP peer to store routes to be advertised to that peer.
Oniy active BGP routes in the routing table can be moved into the RIB-OUT tables and are advertised
to BGP peers. In addition, only the single best BGP path to each separate IP route destination is
placed in the RIB-LOCAL and RIB-OUT tables.
At times, it is possible that the best BGP path is not advertised to a peer because of the local router's
routing table rules. For example, if the router knows about a particular route through both IS-IS and
BGP, the IS-IS route will be active in the local routing table because of the default Junos OS route
preference values. Therefore, the BGP version of that route will not be sent to any peers because
BGP advertises only active routes (routes used by BGP). To override this default action, you can use
the advertise-inactive command. This command always forces the advertisement of the
single best BGP path to any destination, regardless of whether the route is currently active in the
local routing table.
art
Peers
Flltermgand
Choice of
attribute
best route
manipulation
IP routing
table
As BGP moves the routes that it received from peers to the RIB-LOCAL table, the Junos routing policy
framework can apply import policies. These policies can reject (filter) routes or can change attributes
and affect what the BGP route selection process uses to pick the best route.
After the BGP import policy or policies (if any are configured and applied) has filtered and
manipulated the BGP attributes, the BGP decision process chooses the best route to use and installs
that route into the IP routing table. Note that even if no routing policies are configured, the default
(and unseen) BGP import policy is always applied.
'
, : Policy ,
Import policies:
1) Reject 0.0.0.0/0 from AS 1
000
. 0/0
. .
2) Prefer 192.168.14.0/24 from AS 1
192.168.14.0/24 3) Accept all routes from AS 3
AS i
Filteringand
attribute
manipulation Choice of best route
Forwarding
000
. 0/0 :AS3
. .
table
192.16814.0/24 :AS1 000
. 0/0 :AS3
. .
AS 3
192.168.14.0/24 ASS 172.31.10.0/24 :Local
000
. 0/0. .
Some policies are configured that reject the default route (0/0) if received from AS 1, prefer the AS 1
version of 192.168.14.0/24, and accept all other routes from AS 3. These three policies, which
might be three separate policies or a single policy with three terms, are configured as import policies
for BGP.
Import policy is evaluated as the BGP process attempts to move routes from the RIB-IN table to the
BGP decision process, where the active route is selected.
The result of this policy example Is that the forwarding table correctly reflects the user's desire to
forward through AS 1 for traffic matching the 192.168.14.0/24 prefix and AS 3 for traffic matching
the 0/0 default route. Note that the routing table (not shown) will contain two entries for the
192.168.14.0/24 prefix, because the 192.168.14.0/24 prefix coming from AS 3 is not filtered in this
example. The AS 1 version of this prefix is preferred and is installed in the forwarding table as a
result. The following list summarizes the overall effects of this policy example:
The 0.0.0.0/0:ASl route Is rejected.
X 3 ml
Peers
Filterinaand
Choice of
attribute
best route
manipulation
'
Routes Export
RIB-OUT Routes sent to
used policy BGP peers
IP routing
table
Peers
As BGP moves the routes from the RIB-LOCAL table to the RIB-OUT table, the Junes routing policy
framework can apply export policies. These policies can reject (filter) routes and affect which BGP
routes are advertised to BGP peers or can change the BGP attributes of advertised routes.
In addition, the Junes OS can inject new routing Information Into the BGP routing process at this
point.
Export policies:
172.31.10.0/20
1) Do not send 0.0.0.0/0
192.16814.0/24
2) Send 192.168.14.0/24 to AS 2 with a metric of 10
3) Do not send 192.168.27.0/24 to AS 4
AS 4
4) Send aggregate for local routes
Fliteringand Choiceof
attribute best route
manipulation
Routes I Export
RIB-OUT Routes sent to
used
1 policy BGP peers
IP routing
table
0 0 0 0/0
. . . ASS
172.31.10.0/20
172.31.10.0/20 :Local Aggregate
192.168.14.0/24
192.168.14.0/24 :AS1
(metric = 10)
192.168.27.0/24 ASS
192.168.27.0/24
'orldwitle EtJucation Services
Some policies are configured that reject the default (0/0) route, do not send some routes to AS 4,
alter a BGP attribute on routes sent to AS 2, and inject new route information into the BGP process.
These four policies, which might be four separate policies or one policy with four terms, are then
configured as export policies within BGP.
As the BGP routing process attempts to move those routes from the RIB-LOCAL table to the RIB-OUT
tables, the Junos OS applies the export policies. The net result of this policy application is shown on
the slide and summarized as follows:
BGP Policy
-
>Next Hop
Origin and MED
AS Path
ducalion Services i
TWjunrpcr net \ 9-10
.
Next Hop
The slide highlights the topic we discuss next.
When new routing information is injected (or redistributed) into the BGP process, the coding of the
next-hop attribute depends on the specifics of the route being injected. When a redistributed route is
associated with a forwarding next hop, the BGP next-hop attribute is coded with that forwarding next
hop. This behavior accommodates optimal forwarding because it allows a BGP speaker to forward
directly to the source of a particular route, even though that source might not speak BGP. This
behavior is known as a third-party next hop. When a redistributed route is not associated with a
forwarding next hop, such as in the case of a locally defined static route with a reject next hop, the
next-hop attribute is set to the local router's peer ID. For IBGP sessions, the peer ID is typically the
local router's loopback address. For EBGP sessions, the peer ID is usually a peering address
associated with a physical link.
172.19.20.0/24
R2
192.168.10,2/32
R4 AS 2
Rl
192.168.10.3/32 30.3/24 lO-nv/v.1
10.10,1/24
10.40.4/24
R3
192.168.10.1/32
You can verify this activity with the show route terse output, where 172.19.20.0/24 is listed as
an active route from protocol BGP and a next hop of 10.10.1.2.
R2 172.19,20,0/24
.
168.10.2
Rl
192,168,10,3/32 10,20,2/24
10,30,3/24
10,10,1/24
10,40,4/24
R3
192,168,10.1/32
The output of the show bgp summary command shows that the Rl router is receiving one route
from the R3 router (peer 192.168.10.1), but it is not used to forward traffic (last column is 0/1/0).
In fact, a look at the show route output does not show 172.19.20.0/24 (the active BGP route on
the R3 router) listed at all. if the 172.19.20.0/24 route is received by the Rl router from the R3
router, then the route should appear as the active route (there is no chance of an AS 1IGP also
supplying this AS 2 route). What is the problem?
Hop
R2 172,19.20.0/24
AS 1 192.168.10.2/32 \
R4
AS 2
Rl
192.168.10.3/32 10.20.2/24
10.30.3/24
1 10,10.1/24
10 40,4/24
R3
i
192,168,10,1/32
user@Rl> show route hidden extensive
inet.O: 24 destinations, 24 routes (23 active, 0 holddown, 1 hidden)
172.19.20.0/24 (1 entry, 0 announced)
BGP Preference: 170/-1D1
Next hop type: Unusable
State: <Hidden Int Ext>
Local AS: 1 Peer AS: 1
AS path: 2 I
BGP next hop: 10. ID. 1.2
Localpref: 100
Router ID: 192.168.10.1
The output from this command shows the 172.19.20.0/24 route, but the route is hidden. By
examining the output a little more closely, you can determine that the next hop is unusable (Next
hop type: Unusable).
Why is this route unusable? Obviously, connectivity exists from Rlto R3. Notice, however, that the
current BGP next-hop attribute for the 172.19.20.0/24 route is set to 10.10.1.2 (the physical
interface IP address of the R4 router). The R3 router does not change the BGP next-hop attribute
before the route is advertised to the Rl router, which is the default EBGP-to-IBGP behavior-notto
change the advertised next-hop attribute value.
The show route terse output on the previous slide did not show a route to 10.10.1.2. Because
the Rl router does not have reachability to the IP address listed as the BGP next-hop attribute, it
cannot use the received BGP route. On a Juniper Networks router, this type of unusable route is
marked as a hidden route.
attribute. The next-hop attribute s IP address of the remote EBGP peer is replaced with the IP
address of the BGP router itself. Because the IBGP session was most likely established using the
'
peer s loopback address, this new BGP next-hop value is reachable, and the advertised BGP route
can be used. You create next-hop self by using a policy to match specific routes with an action of
changing the next-hop attribute value. The Junos OS then applies this policy as an export policy to
any IBGP peers.
The next two options listed (export d/'rect routes and IGP passive) are almost identical in their results.
The difference between the two is in the approach that each takes to provide reachability. With
export direct, the IGP operating in the AS with a routing policy advertises the address assigned to the
point-to-point link between the two EBGP peers to all IBGP peers.
With IGP passive, the IGP is configured on the inter-AS link and advertises the interface addresses,
but forms no adjacency (it is passive). Both methods inject the interface addresses into the local
routing table for the IGP to use.
An IGP passive interface allows the local IGP to advertise the subnet on a particular interface without
forming an adjacency at the IGP level to the remote EBGP peer. This option has the advantage of not
using a policy, but it requires explicit configuration for each interface and subnet address that you
want to advertise.
The last two options listed on the slide (static routes and forming an IGP adjacency relationship with
the remote EBGP router) have some severe disadvantages, but they both work.
Static routes have an inherent scalability problem. You must configure each IBGP router in the
network for a single static route for each remote EBGP peer. The more EBGP peers in the network,
the more static routes required. The more IBGP peers in the AS, the more places that additions and
changes must be made. Clearly, this is not a real world option.
With regard to the full IGP adjacency between AS networks, although reachability information can be
provided by forming an IGP relationship with the remote EBGP peer, we do not recommend this
practice because of the very trusting nature of the IGP protocols. Once this adjacency is formed, the
protocol accepts any routing information told to it by the remote EBGP peer. This behavior is very
dangerous because the remote AS might inject bad information into your network. In addition, this
method potentially violates the entire idea of having autonomous (independent of the IGP) systems
in the first place.
mmm H
R2 172.19.20.0/24
192.168.10.2/32
AS 1
R4
AS 2
Rl
10.20.2/24
192.168.10.3/32 10.30.3/24
10.10.1/24
10.40,4/24
1 R3
usergR3# show policy-options
policy-statement neirt-hop-self { 192.168.10.1/32
then i
next-hop self;
I
[edit]
user@R3# show protocols bgp
group int {
type internal;
local-address 192.168.10.1;
export neKt-hop-self;
neighbor 192.16B.10.2;
neighbor 192.168.10.3;
The R3 router is now configured with the next-hop-self policy shown on the slide as the output
of the show policy-options configuration command. The policy matches all routes (no from)
and replaces the BGP next-hop attribute (because only BGP has a next-hop attribute) with the value
'
self (a keyword for the local router s physical interface address on which the route is advertised).
This next-hop-self policy is applied as an export policy to the BGP group int, which includes
the Rl router.
R2 20.0/24
192.168,10.2/32
Rl
192,168.10.3/32 10,20,2/24
30,3/24
1 /10,10,1/24
10,40,4/24
R3
192,168.10.1/32
The output of the show bgp summary command now shows that the Rl router is receiving one
route from the R3 router (192.168.10.1) and that this route is actively used to forward traffic (last
column is 1/1/0).
A look at the show route terse output now shows the 172.19.20.0/24 listed as a BGP route
with a next hop of 10.40.4.1. This next-hop address is the self next-hop address advertised for the
route to the Rl router by the R3 router because the route was advertised on the 10.40.4.1 interface.
Hop to Self (3 of 3)
R2 /172.19.20.0/24
192.168.10.2/32
AS 1
Rl
192.168.10.3/32 10.20.2/24
10.30,3/24
10.10,1/24
10,40.4/24
R3
user@Rl> show route extensive 192.168.10,1/32
inet.O: 24 destinations, 24 routes (24 active, 0 holddown, 0 hidden)
172.19.2D.0/24 (1 entry, 1 announced)
*
BGP Preference: 170/-101
Source: 192.168.10.1
Nexthop: 10.40.4.1 via so-0/0/2.0, selected
State: <Active Int EKt>
Local AS: 1 Peer AS: 1
Age: 4:16 Metric2: 10
Task: BGBJL. 192. 163. 10. 1+179
Announcement bits (2): 0-KRT 4-BGS Sync Any
_ _
AS path: 2 I
BGP next hop: 192.168.10.1
Localpref: 10 0
Router ID: 192.168.10.1
.
'
f orltlwiUc I ducotion Sumces jijiiiper.nei, i ,3-20
The output lists the BGP next hop for the 172.19.20.0/24 prefix (which is in AS 2) as 192.168.10.1,
the loopback address of the R3 router. Because the Rl router has IGP reachability to the R3 router,
the Rl router also has reachability to the BGP next-hop value and can use the BGP route.
An EGBP peer can alter this default action through the use of a policy or a BGP configuration
statement. The advertised address could be an additional EBGP router on a broadcast network. The
address could be an IBGP router in the sending autonomous system (AS). Problems could arise in
this situation because the advertised next hop might not be reachable by the local router. This
situation would result in the routes being hidden and unusable.
AS 1 AS 2
Rl Ml 10.10.1/24
-1 R2
192.168.10.1/32
And 172.16.20.1/32
10.100.100.0/24
172.16.30 .1 2
.
I
10.101.101.0/24
172.16.30.1 2 I
10.102.102.0/24
172.16.30.1 2 I
The slide details the situation on the Rl router. The Rl router has a multihop EBGP connection to the
R2 router using 172.16.20.1.
The R2 router advertises routes to the Rl router with a BGP next hop of 172.16.30.1. Because the
Rl router does not currently have IP reachability to the advertised next-hop address, the received
routes are unusable. The routes then appear as hidden routes within the inet. 0 routing table.
'
AS1 AS 2
Rl 10.10.1/24 R2
192.168.10.1/32 172.16.20.1/32
[edit]
ussr0Rl# show policy-options
policy-statement neKt-hop-to-peer~address
tem all-bgp-routes {
then (
neKt-hop peer-address;
i
i
[edit]
ussr(?Rl# show protocols
bgp (
group ent {
type external;
multihop {
ttl 2;
>
local-address 192.16B.10.1;
import next-hop-to-peer-address;
peer-as 2;
neighbor 172.16.2D.1;
Peer : i>Iicy (3 of 3)
user@Rl> show route protoctol bgp extensive
Indi rectnexthopsj 1
Wotlriwiilt EtiucatiDii Sc - .
. Junipff.nei f 3-24
On the slide, note that the current Protocol Nexthop is listed as 172.16.20.1, which is the
peeringaddressof the R2 router. This address is then recursively associated with 10.10.1.2, which is
the physical next hop used to reach the R2 router's loopback address.
BGP Policy
Next Hop
-
The intent of the origin code is to provide a measure of believability as to the origin of a particular
route. In other words, the intent is to provide a kind of where did you get this from? clue for other
routers seeing the route.
Each of the origin tags is assigned a value for use in transmitting the attribute to other BGP
speakers. The values are 0 for internal origin (I), 1 for external origin (E), and 2 for unknown
(incomplete) origin (?). A lower value is better, so routes learned from an IGP are preferred over
routes learned from an EGP. EGP routes are better than incomplete routes.
Because all routing information eligible to be injected into BGP on a Juniper Networks router resides
in inet.O, the Junos OS sees all possible routes as internal routes. These internal routes all receive a
BGP origin code of internal when placed into BGP.
Export Direct:
192.168.14.0/24
Export Statics:
10,0.0.0/8
172.16.0.0/16
192.168.27.0/24 Export IGP: To other AS:
10.20.0.0/16
10.0.0.0/8; Origin IGP
10.20.0.0/16 [Origin IGP
172.16.0.0/16 : Origin IGP
172.31.0.0/24: Origin ?
From other AS 192.168.14.0/24: Origin IGP
192.168.27.0/24: Origin IGP
172.31.0.0/24: Origin ?
WorldwUle bilucHliuiiSorvinfib
To the Juniper Networks router, it does not matter that these routes are advertised to another AS
through EBGP; the BGP origin code is not altered as the routes are advertised to an EBGP peer. On
the basis of the origin attribute alone, the 172.31.0/24 prefix appears less attractive to the remote
AS.
©f
AS 3
AS 30
)
AS1
AS 20 AS 2
How will AS 40 send traffic to AS 1? Through AS 30, or AS 20, or AS 10? Assume that the
local-preference BGP attribute is the default, and that the AS-path BGP attribute accurately reflects
the actual path for the route.
Routers in AS 40 see the AS 1 routes advertised from both AS 20 and AS 10. Because the
local-preference values and AS-path lengths are the same for both sets of routes, the origin code is
examined.
For both sets of routes, the origin code is the same as well. Some other method must be used to
determine which path the AS 40 routers use. Although that determination is outside the scope of this
slide, the important point here is that AS 1 has no way to control how the AS 40 routers reach the
AS 1 networks, based on the default value of the origin code alone.
Other AS Networks
Note that routers in AS 30 use AS 20 to reach the networks in AS 1, due to a shorter AS-path length
through AS 20. Also, routers in AS 20 use AS 2 to reach the networks in AS 1, due to a shorter
AS-path length. Finally, routers in AS 10 use AS 3 to reach the networks in AS 1, due to a shorter
AS-path length. Why should AS 40 be the only AS confused about the best way to reach AS 1?
Clrlgil iMlliiiilltgi |2 mf 1|
AS 1 sends origin ? to AS 2
. How does AS 40 reach AS 1 now?
AS 30 AS 3
5
:
AC 1
ASl
AS 20 AS 2
However, perhaps AS 1 now decides that traffic sent to it from AS 40 should use AS 10 rather than
AS 20 (for reasons of economics, politics, or something else). By using a routing policy AS 1 alters
,
the BGP origin code to incomplete (?) on all routes advertised to AS 2. Consider the effect of this
policy on AS 40.
Routers in AS 40 still see the AS 1 routes advertised from both AS 20 and AS 10. Because the
local-preference and AS-path lengths are the same for both sets of routes, the origin code is
examined. The routes received by AS 40 from AS 10 have an origin of internal (0) while the routes
received from AS 20 have an origin code of incomplete (2). Internal is better (lower) than incomplete,
so the routes from AS 10 are used to reach the networks in AS 1. By altering the origin code, AS 1
can now influence the routing decisions in AS 40.
Other AS Networks
Note that routers in AS 30 stiil use AS 20 to reach the networks in AS 1, due to a shorter AS-path
length. Routers in AS 20 still use AS 2 to reach the networks in AS 1, due to a shorter AS-path length.
Routers in AS 10 still use AS 3 to reach the networks in AS 1, due to a shorter AS-path length.
Notice also that all the other AS networks on the slide (besides AS 40) still use the AS-path length for
route selection. The origin code is truly only effective when the AS-path lengths are equal.
In Cc
[edit protocols]
bgp {
export change-all-igps;
}
The match criteria for the policy are all active BGP routes that currently have an origin code of
internal. The action for the policy is to change the origin code to incomplete. Once applied as a BGP
export policy and committed, this policy starts altering the origin code for all BGP routes advertised
to all BGP peers.
The Junos OS has specific keywords to represent the different BGP origin codes. They are:
MEDs are an attempt by the local AS to influence the routing decisions in the remote AS for traffic
/nboundto the local AS, just like the origin attribute. And just like the origin attribute, MEDs are a
negative-bias mechanism to make some paths look worse than others.
Despite the best efforts on the part of a local AS to manipulate MED values to influence inbound
traffic flows to the local AS, other ASs can always preempt, or even ignore, the MED. This reaction is
not only because the MED is an optional BGP attribute, but also because several other BGP
attributes are more important than MED in the BGP route selection process. For example, an altered
local-preference attribute always overrides the MED.
1 .
AS1
Rl R2
R3 Acme
\
Traffic for 10.10.0.0/16
AS 1 assigned its IP address spaces so that it can summarize Its network into two major segments.
Furthermore, AS 1 is relatively cleanly divided into networks near the left most router (10.10.0.0/16
networks are nearby) and networks near the right most router (10.20.0.0/16 networks are nearby).
Perhaps the split is between Eastern and Western operations, but there are many other alternatives.
AS 1 has two EBGP sessions to the customer Acme and advertises both the 10.10.0.0/16 and the
10.20.0.0/16 networks to Acme on each EBGP session, as shown on the slide.
Naturally, AS 1 would like Acme to return traffic to the closest point in the network so that t/'me/y
packet delivery and low latency can be achieved. Ordinarily, AS 1 would have no real way to convey
this desire to Acme, and Acme would simply send traffic to AS 1 over whichever router Acme decides
to use based on its own routing policies.
However, the MED attribute offers a method for AS 1 to influence the routing policy on Acme for
traffic sent to AS 1. To accomplish this closest point goal, AS 1 alters the MED values on the routes
that it advertises to Acme with a BGP export routing policy.
'
ASl AS 2 "
v
@ ,,)MED'50 @
R2
R4
30.30.30.1
20.20.20.1
.
MED=200
192.168.13.0/24 advertised
MED=120
from all three routers
R3
LO.10.10.1
10.10.10.2
Consider the AS networks on the slide. Both AS 2 and AS 3 advertise the 192.168.13.0/24 route to
AS 1 and want to Influence the way AS 1 sends traffic to 192.168.13,0/24. All three of the
advertisements have Identical local-preference values, AS-path lengths, and BGP origin codes. The
other IP addresses on the slide represent the router IDs of the three routers in Rl, R3, and R4.
The MED value from the AS 2 router Is the lowest among the three advertisements. Yet, when the
router in AS 1 chooses the BGP path to use in its local routing table, the AS 1 router most likely
chooses Rl in AS 3. Why should this be?
The problem In this scenario is that the default evaluation of the MED attribute only happens when
route advertisements come from the same neighboring AS. In this scenario, only two of the three
advertisements come from the same AS: those from R3 and Rl. Between those two advertisements,
the route from Rl is the best, because of its lower MED value.
However, the routers in AS 1 can compare the MED values for all three of these routes with the use of
the always-compare-med configuration statement. With this configuration, the path to
192.168.13.0/24 through R4 should be chosen, based on the lowest MED value.
Selection and I: :
When configured, all routes that have the shortest AS-path length are compared to each other to
determine the route with the smallest MED value, not just routes from the same AS. The route with
the lowest MED value is then selected as the active BGP path, regardless of the AS the route came
from. The lowest MED value Is selected as long as other path selection values for the route, such as
local preference, are the same.
You must be cautious when comparing MED values from different ASs. Some inherent danger exists
when using the always-compare-med configuration option to compare MED values from more
than one AS because every AS in the Internet can set its own good and bad values for MEDs.
One AS might consider a MED of 50 as the best, while another AS might consider a MED of 5 to be
good. To complicate matters further, some AS networks might not set the MED value at all (MEDs are
optional), which essentially sets the MED value to 0.
term add-to-med {
from route-filter 192.168.32.0/20 orlonger;
then metric add 50;
}
term subtract-from-med {
from route-filter 10.124.0.0/16 upto /24;
then metric subtract 50;
}
s 1 I -
The example on the slide shows the MED attribute modified for certain routes. As mentioned, the
metric statement represents the MED value. Within a policy, you can set the metric to a value, you
can add to its current value, or you can subtract from its current value.
Increases the current MED value by 50 for all routes within the 192.168.32.0/20
network; and
Decreases the current MED value by 50 for all routes within the 10.124.0.0/16 network
with a mask shorter than /24. Should the current value be less than 50, the result of
this policy action will be a MED value of 0.
i mm4
Ics wi
MED values do not have to be arbitrary. In many cases, the MED values are coordinated with the
metric values used by an IGP. Thus, BGP can set the MED value on routes advertised based on the
IGP metric leading to the BGP peer from which the route was received.
The MED value changes every time the IGP metric to the peer changes. If this is undesirable, you can
associate the MED to the lowest possible IGP metric ever known for the specific IBGP peer. The MED
might decrease if the IGP metric lowers, but a network failure that increases the IGP cost does not
increase the MED value-the metric minimum-igp command alters this value. You can see this
setting within the term possible-minimum-igp-setting in the policy on the slide.
Lastly, you can use the addition and subtraction functions used with the add or subtract policy
functions of the metric command in conjunction with both the igp and minimum-igp options. To
alter the MED this way, use the metric igp offset or metric minimum-igp offset
command. You can both add to and subtract from the metric.
s a iv ates
172.17.63/24 MED=100
When a new aggregate route is created, any MED values currently assigned to any contributing route
remain only with those routes. The aggregate route has no MED value assigned to it which is a MED
,
value of 0. While at first this might seem to be a contradiction because 0 is a MED, the aggregate
,
route has no method for determining which one MED value to choose so a MED value of 0 is used.
,
No alternative really exists. Because a BGP route can have only one MED value, the aggregate must
choose what that value should be. Should the aggregate take the worst MED value from the
contributors and be conservative? Should the aggregate take the best MED value to not penalize
that contributing route? Should the aggregate average the contributors MED values together? None
of these would adequately represent all the contributing information, so the aggregate route takes
the ultimate conservative approach: MED equals 0, or no MED at all.
m m nm ates
192.168.16.0/20 MED=0
192.168.17.0/24 MED=10
192.168.17.0/24 MED=5
The router has a locally defined aggregate route, which a policy injects into BGP (the policy is not
shown on the slide).
By examining the show route advertising-protocol bgp output, you can see that both
the aggregate route and the more specific, received BGP route are advertised. The 192.168.17.0/24
route maintains its MED of 10, and the aggregate route of 192.168.16.0/20 has no MED value
(MED=0) assigned. Of course, you can always change the MED value on the aggregate with a routing
policy, but this lack of an aggregate MED value is the default behavior.
Thus, it is ironic that MEDs, which are most useful between AS pairs, are useless by default on
aggregates, which are exactly the types of routes you want to send between AS pairs!
BGP Policy
Next Hop
Origin and MED
-
>AS Path
AS Path
m Pmm Smiles
The AS-path attribute describes the path of autonomous systems that the route has been through
since it was sourced into BGP. When a BGP router receives routes in an update message, the first
action Is to examine the current AS path to see if the local AS number (ASN) is in the path. If It Is In
the path, It indicates that the route has been through the AS already; accepting the route would
cause a loop. Therefore, BGP drops the route. The Junes OS performs a verification to ensure that
the receiving router's AS number is not listed In the AS path. If the receiving router's AS number is
listed in the AS path, the router does not advertise the route.
By default, the AS-path value is changed as a route transitions between autonomous systems. The
AS-path value Is null until the associated route Is advertised out of the originating AS. As the route
leaves an AS, the BGP router adds the local AS numberto the front of the path before sending it to a
peer. Using routing policy, you can prepend your ASN information to the AS-path attribute. By
prepending your ASN information to the AS-path multiple times, you can affect the routing decision
made by routers in other autonomous systems and discourage those routes from using that path
because of the longer AS-path.
The AS-path attribute Is mandatory; thus. It must always be present for all BGP routes.
numbers, l.y numbers and 65535.65535 are reserved, and the remainder of the space is available
for allocation.
i mm Path P d
AS 40
AS 10
AS 30 AS 3
AS1
AS 20 AS 2
miaat
AS-Path Prepending
The only standard approach to alter the AS-path attribute is to add information to it by prepending.
You can use a routing policy to extend (by prepending) AS-path information artificially onto an existing
AS path. This type of a policy is often an attempt to influence traffic coming into an AS from another
AS.
Note that this behavior on the part of AS 2 (using AS 20 instead of sending directly to AS 1) Is
unexpected and would not occur without the routing policy. This behavior is extended to AS 20 as
well because AS 2 cannot shorten the AS path advertised by AS 1, even if AS 2 would like to shorten
it.
Path rrepeni 1
[edit routing-options]
autonomous-system 1;
[edit protocols]
bgp {
group peer-AS2 {
type external;
export longer-as-path;
peer-as 2;
neighbor 10.10.10.2;
}
}
[edit policy-options]
policy-statement longer-as-path {
then as-path-prepend "111 1";
}
A policy named longer-as-path was created on the AS 1 router. Because no from statement
exists, ail candidate routes match the policy. The action taken on all of the matched routes is to add
AS 1 to each route four times. This action is performed with the as-path-prepend statement.
This routing policy then Is applied for routes exported by BGP to the external BGP peer in AS 2.
AS 2000
AS 1000 AS 3000
s
:
-
P
192.168.18.0/24: 5000 192.168.18.0/24: 5000 5000 5000
AS 5000
192.168.18.0/24
SIS
ailows the customer to influence traffic flows into its AS from neighboring peers.
On the slide, the customer in AS 5000 has connections to AS 1000 and AS 3000. AS 5000 would
prefer to receive traffic from AS 2000 through the connection to AS 1000. This example uses
AS-path prependingto achieve this goal.
[edit routing-options]
autonomous-system 5000;
[edit protocols]
bgp {
group out-to-Internet-peer {
type external;
export lengthen-as-path;
peer-as 3000;
neighbor 172.16.32.2;
[edit policy-options]
policy-statement lengthen-as-path {
then as-path-prepend u5000 5000";
}
You created a policy named lengthen-as-path on the AS 5000 router. Because no from
statement exists, all candidate routes match the policy. The action taken on all the matched routes is
to prepend the most recent AS twice. You do this with an as-path-prepend "5000 5000"
directive in the lengthen-as-path policy.
Finally, you apply the lengthen-as-path routing policy to the peer in AS 3000 so that it can take
effect.
Brackets ([]): Enclose the local AS number associated with the AS path if more than one
AS number is configured on the router or if the AS number is being prepended.
Braces ({}): Enclose AS sets-groups of AS numbers in which the order does not matter.
A set commonly results from route aggregation. The numbers in each AS set are
displayed in ascending order.
.
Parentheses (()): Enclose a confederation.
Brackets inside parentheses (([])): Enclose a confederation set.
In the output on the slide, you can see four routes with different AS paths. The second route
represents a bracket output the third route represents an AS set, and the fourth route represents a
,
confederation.
; ir Expressio , s
Regular Expressions
Often, administrative BGP routing policies require that route announcements or prefixes be found
and acted on based on the information contained within the AS-path attribute. This requirement
might be to enforce some administrative policy regarding other AS networks. Sometimes, it is just
easier to find routes based on their AS path than by looking for many specific prefixes and routes
individually.
Other Uses
The slide lists some examples of the types of information that must be found in the AS path.
When used in a routing policy, regular expressions work not only on fixed strings, like wildcard
operators such as an asterisk (*), but also on variable patterns of text, through the combination of
basic text patterns and special operators.
Context-Sensitive Matching
Regular expressions allow information in a string to be found within a specific context, not just in
isolated instances. You can use regular expressions In conjunction with the BGP AS-path attribute to
match routes within a policy.
The regular expression term is the core matching component to be found by the pattern-matching
engine. The term is a mandatory object, and each regular expression must have at least one term.
Terms identify the AS number. This AS could be a single number (1024), a complete AS path
(1024 2685 3957), or a wildcard character (.) representing any single AS number (1024 . 3957).
Each AS Is an Entity
Within the Junos AS-path regular expression syntax, the term is a complete AS value. You can use the
wildcard character of the dot (.) to represent a single AS number as well. Thus, the Junos OS detects
an AS number of 1024 (for example) not as the four character text string of 1, 0, 2, 4, but as the
single entity of 1024. To the Junos OS, AS numbers are not sequences of characters.
Two special regular expression operators can appear between regular expression terms. These
special characters are the pipe ( | ) and the dash (-). You use the pipe ( | ) operator between terms
to indicate OR (1024 OR 2685 is 1024 | 2685). You use the dash {-) operator between terms to
indicate range (1024 through 2685 is 1024-2685).
The parentheses operator also has another special use. When used with no spaces in between,
parentheses represent a nullAS-path value. We cover the concept of the null AS path on future
slides.
Ixpression i
'
null AS path
Ito 4 instances of AS 1234 1234{1.4} 1234.1234 1934.1234 1
19341234.
1234 1234 1234 1234
The first column shows the AS-path string that the routing policy is trying to match. The second
column shows the regular expression used to match that pattern. The last column shows examples
of values of the BGP AS-path attribute that the regular expression will match. In some cases, the list
is not exhaustive, so more AS paths will match the pattern.
As before, the first column shows the AS-path string that the routing policy tries to match. The
second column shows the regular expression used to match that pattern. The last column shows
examples of values of the BGP AS-path attribute that the regular expression will match. In some
cases, the list is not exhaustive, so more AS paths will match the pattern.
Format
Both the definition and application of the AS-path regular expressions occurs within the
policy-options configuration hierarchy. The regular expression in proper term operator
format is given a name with the as-path statement.
AS-Path Name
policy-statement from-digits-route {
term digits {
from as-path digits-route;
then accept;
term reject-others {
then reject;
}
}
[edit protocols]
bgp {
import from-digits-route;
t
1
We defined an AS path named digits-route within the double quotation marks. The AS path
containsonly terms (no operators) and defines an exact AS-path match of "1234 56 78 9".
We then used the digits-route path definition within the f rom-digits-route policy to match
routes and accept them. A second term in the policy rejects all other routes.
When you apply this policy as an import BGP policy, only routes matching the AS path defined in
digits-route are accepted. Ail other routes seen by BGP are rejected.
policy-statement from-not-a-good-route {
term not-good {
from as-path not-a-good-route;
then reject;
}
}
[edit protocols]
bgp {
import from-not-a-good-route;
}
Vo rldwicleEdiicjtion Services
The goal this time is to reject routes that either originate in ASs 123-125, transited through ASs
123-125, or were advertised directly from ASs 123-125.
To do this, we defined an AS path named not-a-good-route. The AS path contains both terms
and operators. Thus, not-a-good-route defines an AS-path match as follows:
.
The AS path starts off with any AS value zero or more times, followed by...
When you apply this policy as an import BGP policy, only routes matching an AS path defined in
not-a-good-route are rejected.
path testing- 1 -
2 3
-
102 4"
"
8 set as -
path testing- 1 -
2 3
-
1024 .*"
. set as -
path testing- 1 -
2 3
-
1024 .*"
. set as -
path testing- 1 -
2 -
3 44{1,2} .*"
"
. set as -
path testing- 1 -
2 3
-
2685 44{1,3}
1024"
-
. set as -
path testing- 1 -
2 3
-
1024 44{1,3}
2685"
Wsrldwide Education Services
Given a Policy
Consider the routing policy shown on the slide.
Does this policy, when properly applied, accept a route with the path 1024 44 44 2685, given the
as-path statements listed on the slide?
Using the different as-path definitions within the testing-as-paths policy gives the following
results:
.
" * 1024": Starts with any AS zero or more times, followed by 1024. The route will not
.
match the term as-paths. This definition does not allow for AS numbers after 1024.
Therefore, it is rejected by the final action.
. "1024 *": Starts with 1024, followed by zero or more AS numbers. The route does
.
mmmmmts
Achieving the same result without the as-path-group feature requires that you define three
separate AS-path regular expressions that are evaluated as a logical OR:
[edit policy-options]
user@router# show
policy-statement not-ideal {
from as-path [ path l path 2 path 3
_ _ _
] ,-
}
as-path path l _
".* 1 .*";
as-path path 2 _
11 . * 2 .*";
as-path path 3 _
".* 3 . *";
..
. tiunSfirvircs
.
The concept of the nuli AS path is quite important for the Internet. Routes originating within a
particular AS have yet to prepend the BGP AS-path attribute. Therefore, no information Is contained
in the AS-path attribute for routes originating within the AS, and the AS path is assumed to be null
(empty).
So, how are routes originatingwithin the AS that were advertised with BGP to be found with a routing
policy using an AS-path policy? They are found by creating a match condition based on the null
AS path.
In the example on the slide, the router receives four routes from IBGP. By examining the routing table,
you can see that the AS path column Is empty (I is for the origin code). Therefore, these routes were
'
sourced within the router s own AS. The null AS path finds these routes.
Ml ft ft Path
.
Stop fti
10.200.0,0/16
172.31.0.0/16; 1
172.31,0.0/16; 1 AS 2
192,168,14/24; 1 192,168,14/24: 1
AS1
AS 4
172,31,0.0/16: 1
10.100,0,0/16: 3
192,168,14/24: 1
10,100.0,0/16 172,31,0,0/16: 3 1
AS 3 172.31.0.0/16: 1 192,168,14/24: 3 1
192.168.14/24: 1
In the example on the slide, the null AS path is used to halt BGP transit traffic from AS 1 through
AS 2. AS 2 does not want to readvertise the routes from AS 1 to AS 4, which could lead to AS 4
routing traffic for AS 1 through AS 2. However, AS 2 still must advertise its own routes to AS 4 so that
these prefixes are reachable. AS 2 defines an as-path applied as a BGP export policy towards AS 4
that rejects all routes except those with a null AS path.
AS Path In Action (1 of 2)
AS 1
192.168.48.0/24
192.168.17.0/24 IBGP
192.168.49.0/24
192.168.50,0/24
EBGP
192.168.51.0/24 pA
\ EBGP
policy-options {
policy-statement not-a-transit {
term accept-my-as {
from { 10,222. 11,1 \
protocol bgp;
as-path my-own-as;
)
then accept;
}
term reject-all-else {
then reject;
>
"
as-path my-own-as () ";
enport not~a~transit;
We applied the not-a-transit policy on the slide as an export policy on R2 towards the EBGP
peer on the right side of the diagram. The policy has a term called accept-my-as that matches
BGP routes with an as-path regular expression of () .The reject-all-else term rejects all
other routes.
: Path in Action (2 of 2)
ASl
192.168.48.0/24
192.168.17.0/24 192.168.49.0/24 iBGP
192.168,50.0/24
EBGP
Rl 192.168.51.0/24
EBGP
user@R2> show route protoc;ol bgp terse
inet.O: 43 destinationsf 43 routes (43 active, 0 holddown, 0 hidden) 10.222.11.1
The slide shows the results of the previously configured and applied policy.
The show route protocol bgp output shows that the router R2 receives five BGP routes from
its IBGP peer Rl. One of these routes is from AS 1, and the other four are souroed from within the AS.
The show route advertising-protocol bgp output shows that only the four routes
sourced from within the AS are sent to the EBGP peer. The null AS-path regular expression in the
routing policy rejects transit routes.
Sue
.
juniper n&f j 9-T2
Review Questions
4 .
What is the intent of prepending a local AS number
multiple times to all BGP routes?
Review Questions
i .
Chapter Objectives
Local Preference
The slide lists the topics we cover in this chapter. We discuss the highlighted topic first.
Local Preference
AS Path
Origin
I MED
Local-Preference Power
The BGP attribute of local preference is the highest tiebreaker in the BGP path selection process. If a
BGP next hop is reachable, and BGP knows multiple routes, BGP always chooses the route with the
highest local preference. Thus, local preference is the first BGP attribute that favors one path over
another.
nor the MED value matters. The route with the highest local-preference value is always chosen as the
exit point of the AS-the end.
Do not confuse the BGP attribute of local preference with the Junos OS concept of route preference.
The Junos OS route preference is local to an individual router and assists the routing table in
choosing the active route among many possible paths.
The BGP locahpreference attribute is used only within BGP itself. The BGP routers transmit the local
preference within an AS. If you do not explicitly configure a value for local preference, the default
value used on BGP routes is 100. You can change this value on a per-peer basis using the
local-preference command within the [edit protocols bgp] configuration hierarchy
directory. In addition, you can alter the value using a policy on a per-route basis. The policy action
also uses the local-preference command to alter the attribute value.
The default local preference applied to a BGP route is 100. However, the default route preference
applied to BGP itself is 170. The Junos preference applies to the entire routing protocol. Preference
is also set in the [edit protocols bgp] configuration hierarchy directory, but as
preference, not local-preference (which applies only to BGP).
Pay Attention
When it comes to routing policy configurations, make sure to change local preference on the BGP
routes, not the preference of the BGP protocol as a whole!
172.17.2.0/24
You typically use the local preference to set the preferred exit point for a particular route from an AS.
This use can be important when several links exist between two ASs.
Once the local preference for a route is set, IBGP propagates that information throughout the entire
AS.
/ \
Banana net '. Coco net
192.168.27.0/24 192.168.27.0/24
10 GE
1GE
Rl
IBGP
Applenet
The network administrators in Applenet decided that the routers in Applenet should use R2 to reach
the 192.168.27.0/24 network in Zebranet. This decision is because of the greater bandwidth
capacity available on that link: an OC-120 runs at 622 Mbps, while an 0C-3c runs at 155 Mbps.
To do this, the Applenet network administrators set the local preference on the route to
192.168.27.0/24 advertised to Rl by Banananetto 200, and set the local preference on the route to
192.168.27.0/24 advertised to R2 by Coconet to 300.
In contrast to almost every other metric associated with routing protocols, the highest local
preference is better. Thus, for this route, the exit point of the AS is through R2. IBGP makes these
values known to all other routers in Applenet.
The link onRl can still be used for inbound traffic flows from Zebranet and for outbound failover
traffic if the OC-12c is not useable because of a router or link failure.
Banananet Coconet
192.168.27.0/24
192.168
27-0/24\ lGE 10 GE
0
WW.W....Ji!!-'F «.!!lWafi
Applenet
Tl/El Tl/El
192.168.27.0/24 192.16S.27.0/24
Pearnet
urldv/iilc tducaiionSvniees
Local AS Only
The slide points out the local nature of local preference. Consider another AS called Pearnet linked
by two lower-speed, but equal, links to Applenet. Which link should Pearnet use to reach
192.168.27.0/24 in Zebranet?
Because EBGP does not propagate the local-preference values used inside Applenet, the Pearnet AS
has no knowledge of the local-preference routing decisions made within Applenet with regard to the
192.168.27.0/24 route. Applenet, of course, still wants traffic from Pearnet to flow towards R2 to
avoid shuttling all this traffic across its backbone.
However, Applenet cannot accomplish this goal with local preference. Applenet must use other BGP
'
attributes instead of local preference, such as AS path or MED, to influence Pearnet s flow of traffic
to Applenet. This is because of the strictly local nature of the local-preference attribute.
Summary:
.
Determines outbound AS traffic flow towards the highest
local-preference exit point
.
Most powerful BGP attribute
.
Very common usage within an AS
.
Should be applied consistently at AS borders
It is the most powerful BGP path selector and is commonly used to override other BGP
attributes in the path selection process. Local preference selects a BGP route
regardless of the values of AS path, origin, or MED.
It is very commonly used within an AS, but it is local to the AS only. The local preference
is never sent to another AS with EBGP.
It should be applied consistently at the edge of the AS for maximum efficiency. That is,
the local preference should be set on a route advertised from another AS at the border
router and not changed haphazardly within the AS.
[edit policy-options]
as-path look-for-path "124 44 13"
policy-statement check-the-patli {
term got-path {
from as-path look-for-path;
then {
local-preference 200;
accept;
}
}
}
The example on the slide alters the local-preference value for all received routes that match the
AS path of look-for-path. Within the term got-path, we specified an action of
local-preference 200. This action changes the local-preference attribute value for those
routes to 200.
This routing policy does not affect any other received BGP routes.
172.17/16
; 172.17/16
172.17/16
! LP=1000
LP - 1000
172.17/16
LP - 100C
172.17/16
Worldwide E
Considering that the local-preference attribute overrides all other BGP attributes in the path
selection process, it might be possible to create a routing loop in BGP. Routing loops are especially
bad because the destination is technically reachable, but some or even all routers within an AS
cannot find the proper path to the destination.
In the example on the slide, both Rl and R2 have an export policy in place that sets the local
preference to 1000 on EBGP routes before these routes are readvertised to IBGP peers. Note that
Rl and R2 have an IBGP peering relationship with each other, which means that both routers also
advertise the route to each other.
Theoretically, both Rl and R2 could see the preferred value of 1000 in the copy of the route they
receive from each other. This information makes each router determine that the IBGP version is
better than the local (EBGP) copy of the route! This determination occurs because the local
preference on the EBGP version of the route that is stored within the router is still set to 100. As a
result, Rl and R2 see each other as the best route to 172.17.0.0/16, and a routing loop occurs as
the two routers shuttle traffic back and forth.
Note that this situation is easily avoided by setting a route's local preference at ingress using an
import policy. In this case, the local copy of the route as received from an EBGP peer will correctly
reflect the local preference modification.
172.17/16 Rl
17217/16
LP = 1000
172.17/16
LP - 1000
Hi
17217/16
R2
LP = 1000
172.17/16
First, R2 receives the EBGP route of 172.17.0.0/16 from Its peer in the other AS. Because R2 detects
this route as the current best, Router 2 installs the route In its routing table.
Next, R2 alters the local preference to 1000 and advertises this route to its IBGP peers with this
locaLpreference value. At this point, both Rl and R3 receive the 172.17.0.0/16 route through IBGP.
Rl then also receives the EBGP route for 172.17.0.0/16 from the other AS. At this point, Rl
determines that it already has a route to 172.17.0.0/16 from R2, with a local preference of 1000.
The presence of this route to R2 overrides the EBGP-recelved route.
Because the current version of the route on Rl is from R2, and because IBGP Implements split
horizon, the routing loop never forms. Rl Just sends traffic for 172.17.0.0/16 to R2. And because
only active BGP routes are advertised, no confusion develops on R3 with regard to the best path to
reach 172.17.0.0/16-R2 Is the choice.
Local Preference
Communities
Communities
recognize and use communities. However, if BGP communities are associated with a BGP route, the
BGP community attribute must be passed along to all other BGP peers, both within an AS and
between AS networks (transitive).
You can use the community attribute within routing policies to accept or reject routes based on the
values of the BGP community tags. In addition, you can use the community attribute values with
other BGP attributes to implement routing policies that accept, prefer, or advertise BGP routes.
Notes on Communities (1 of 2)
BGP communities establish various logical categories for routes (prefixes). Think of BGP
communities as communff/es of interest or even clubs for routes. And just as people can belong to
more than one club, routes can fit into more than one BGP community.
The community attribute can assist you in the configuration and maintenance of policies. This cuts
down on the time needed for manual reconfiguration and the complexity of the overall maintenance
task.
Overlapping Communities
You should also avoid having too many overlapping communities. Customer routes belonging to
multiple communities can also be an issue.
Weil-Known Communities
Certain well-known communities have a global meaning and special purposes. They are defined in
RFC 1997. All BGP implementations that understand communities (communities are optional, but
transitive) must know these communities and respect their functions.
BGP communities that are not well-known are for local use. You must define local-use communities
locally, but because the BGP community attribute follows the BGP route wherever it goes, even
local-use communities are circulated outside the AS. So, you must take care in using BGP community
attribute values arriving from other AS networks. BGP communities are best thought of as a category
for a group of routes (such as, all customers).
Community Format
The BGP community attribute itself is just a list of the individual community attribute values
associated with the route (tags). Because no real limit exists on the number of tags in the list, a route
can belong to many communities. No predefined, upper limit exists on the number of communities
allowed on a route.
RFC 4360 provides support for an "extended community attribute". An extended community
attribute consists of eight octets. The BGP extended communities attribute format has three fields:
type.-ac(m/n;strator;ass;gned-number.
Three community attribute values are designated as weli-known communities. These well-known
communities share the AS value of 65535 (OxFFFFxxxx). The three communities are no-export,
no-advertise, and no-export-subconfed.
No-export (OxFFFFFFOl): This value tells routers to distribute routes with this
community tag within the confederation or AS, but no farther.
No-advertise (OxFFFFFFOl): This value tells routers not to advertise these routes to
other BGP peers at ali. (Despite appearances, this BGP community is quite useful.)
No-export-subconfed (OxFFFFFFOS): This value tells routers not to distribute routes with
this community tag to external BGP peers (thus, they are confined to the sub-AS).
No-Export
The no-export community typically makes sure that route aggregation is optimal by suppressing more
specific routes. The no-export-subconfed just extends this aggregate concept to the sub-AS.
No-Advertise
The no-advertise community has a very narrow scope. Routes go to a BGP peer and no farther,
usually because peers know the routes through other means. This community is often used in a
LAN-connected router environment or when two BGP peers have multiple links between them.
AS1
:
AS 65000
AS2
-
The well-known community attribute value of no-advertise is designed such that a route can be sent
to a single BGP peer and be advertised no farther. Routes are restricted to the next-hop router.
AS 65000
AS2
The well-known community attribute value of no-export-subconfed is designed such that a route can
be sent into a BGP confederation network and have the information remain with a particular sub-AS.
The routing information is advertised no farther than the sub-AS, as shown on the slide.
Export
ASl
\
/
AS 65000 -
AS2
172.17.0/17
Internet
172.17/16 \
172.17.128/17
172,17/16
172.17,128/17 (No-export)
A'otltlwiele EciuoatlonSetvioes
I
No-Export Example
The slide shows a typical use of the BGP no-export community.
AS 1 has multiple BGP sessions to its neighbor, AS 2. AS 1 also uses AS 2 as a transit AS for
connectivity to the internet. AS 1 wants to advertise 172.17.0.0/16 to the Internet because AS 1
owns that entire address space. In addition, AS 1 also wants to advertise more specific route
information (shown as 172.17.0/17 and 172.17.128/17) only to Its peer, AS 2.
Advertising the specifics as well as the aggregate to AS 2 would assist AS 2 to route user traffic into
AS 1 more efficiently because load sharing could be used on the more specific routes, as shown on
the slide. However, why should the whole Internet know or care about these specifics?
To assist AS 2 in finding and rejecting the more specific routes, AS 1 assigns the no-export
community to the 172.17.0.0/17 and the 172.17.128.0/17 routes. The BGP edge routers in AS 2 that
connect to the Internet automatically suppress and do not readvertlse the /17 routes. Only the /16
route Is readvertised to the Internet.
nternet
172.17/16
172.31/16
172,17/16 172,31/16
172,17/16 172,31/16
172,17,144/20
172.17/16 172,31/16
172.17.144/20
AS1 AS 2 -
Customer
172,17.144/20
AS 20
172.17.144/20 No-Export
172.17.144/20
One way to do this (among other ways) is with the BGP no-export community. In this example, the
customer has AS 1 as its main ISP.
Customer AS 65000 has address space 172.17.144.0/20, taken from AS 1's address space of
172.16.0.0/16. The 172.17.144.0/20 route is advertised with BGP to both AS 1 and AS 2. Because
AS 2 is not the primary ISP, and only traffic originating in AS 2 should reach AS 65000 directly, the
route advertised to AS 2 is given the BGP no-export community. This route goes no farther than AS 2.
AS 2 advertises 172.31.0.0/16 to AS 1 and the Internet, but does not advertise 172.17.144.0/20.
AS 1 covers the 172.17.144/20 address space with aggregate 172.17.0.0/16, as shown on the slide.
This is advertised to AS 2 and the Internet. Thus, AS 65000 is reachable through AS 1 from the
Internet, but AS 65000 is only reachable by local AS 2 users.
A drawback of this scenario is that if the link from AS 65000 to AS 1 fails, the 172.17.144.0/20 route
is not reachable from the Internet through AS 2. However, because AS 2 is not the primary ISP for AS
65000, this might be acceptable.
172.17/16 172.20/16
172.17/16 172.20/16
Cudomer
AS1
AS 2
In the example on the slide, the customer AS at the bottom agreed to provide backup transit service
to both AS 1 and AS 2 In case their links to each other are lost. The slide shows the address spaces
used. The customer AS uses 172.17.64.0/18 and 172.20.128.0/18.
The customer wants to make the 172.20.0.0/16 route sent to AS 1 to have a lower local preference
than the default of 100, and to make the 172.17.0.0/16 route sent to AS 2 to have a lower local
preference than the default of 100 there as well.
community 2:70. This says to AS 2, AS 2, within your AS, this route should have a local preference of
70." In this example, AS 1 and AS 2 only advertise aggregate routes to each other and the Internet.
if AS 1 and AS 2 set the local preferences on these routes as requested, the exit points through the
'
customer s AS are only active when there is no normal peering route available (local preference =
100).
Enforcing Communities
Of course, setting local preferences in other AS networks with communities requires all the AS
administrators to cooperate. Nothing mates an AS respect the community attribute value.
National SP#1
National #1 routes; NO
Small ISP's local routes: YES
National #1 routes
National #1 routes
R2 Small ISP
Small ISP's local routes
Sma///SP needs to advertise its own routes, but never be transit AS!
The BGP community attribute plays a key role in defining whether an AS is a transit or nontransit
network. A transit AS carries traffic that neither originates in that AS nor is destined for hosts within
the AS. A nontransit AS only carries traffic that has its own addresses appearing as either the source
or the destination. Nontransit AS networks must be careful when advertising BGP routes outside the
AS. A nontransit AS can advertise only local routes.
You can use routing policies in combination with BGP communities to make an AS appear to be a
transit AS or a nontransit AS. Communities make it much easier to hold back routes that might be
advertised and attract transit traffic.
Generally, a small ISP must advertise Its own local routes but never be a transit AS for larger ISPs.
Such a situation could easily swamp the operation of a small ISP.
The slide shows a small ISP linked to two larger, national ISPs: National ISP #1 and National ISP #2.
As an example of what could happen, consider that National ISP #1 advertises BGP routes to Rl of
the small ISP as shown on the left. Rl advertises not only its own local routes to R2 In the small ISP,
but also National ISP #l's routes, so that all users can reach these routes.
to National ISP #2, and the link (or links) between the two national ISPs ever fail. National ISP #2 will
think that a good way to reach National ISP #1 is through the small ISP! Hence, the small ISP is now
a transit network.
iring IP Community
Community ID format:
.
Community ID can also be:
.
no-export
. no-advertise
.
no-export-subconfed
Configuring Communities
You configure BGP communities in the Junos OS at the [edit policy-options] CLI hierarchy
level. You simply give the community a name and a number of members in the form of the
community ID. When you define multiple community members, a logical AND is between them. Thus,
a given name represents Communi tyl, AND Communi ty2, AND Communi ty3, and so on.
Community ID Format
The community ID has an as-number: communi ty-value format, with a colon (:) separating the
high-order and low-order octets. You can use the keywords no-export, no-advertise, and
no-export-subconf ed to specify the well-known community values.
[edit policy-options]
policy-statement community-actions {
term add-a-community
then community add test-comm;
}
}
community test-comm members 65001:1234;
"
aotlilrtiilutclucallfinSii
Route 192.168.0.0/24 currently has four community tags on the route: 64512:567,100:20, 50:70,
and 1234:66.
Because the policy cowmuni ty-actions has no from statement, all routes are matched. It is not
necessary to check for just the BGP routes because only BGP has a community attribute to change.
(Including a from protocol bgp statement does not change the action of the routing policy.)
All BGP routes have the community tag test-comm value of 65001:1234 acfefeef to the existing
community tags on the route. The action of then communitY add test-comm performs this
test.
After you correctly apply this routing policy, the 192.168.0.0/24 route has five community tags on
the route: 64512:567, 100:20, 50:70, 1234:66, and the added 65001:1234.
[adit policy-options]
policy-statement community-actions {
term add-a-community
then community delete test-comm;
}
}
community test-comm members 64512:567;
'
. . :::;--/!-:
-
-
:
:
-
.
; '
'
. rldviik' EUuCiiliun Six.ices
Route 192.168.0.0/24 currently has the same four community tags on the route: 64512:567,
100:20, 50:70, and 1234:66.
Because the policy community-actions has no from statement, all routes are matched.
All BGP routes have the community tag test-comm value of 64512:567 deleted from the existing
community tags on the route. The action of then community delete test-comm performs this
task.
After you correctly apply this routing policy, the 192.168.0.0/24 route has only three community tags
on the route: 100:20, 50:70, and 1234:66.
Commun lid
[edit policy-options]
policy-statement community-actions {
term add-a-community
then community set test-comm;
}
}
community test-comm members 65001:1234;
Route 192.168.0.0/24 currently has the same four community tags on the route: 64512:567,
100:20, 50:70, and 1234:66.
Because the policy communi ty-actions has no from statement, all routes are matched.
All BGP routes have the community tag tes t-comm value of 65001:1234 set as the existing
communitytagontheroute. The action of then community set test-comm performs this task.
After you correctly apply this routing policy, the 192.168.0.0/24 route has only one community tag
on the route: 65001:1234.
.
Set BGP local preference to 200 (instead of 100)
[edit policy-options]
community customers members [56:2379 23:46944];
policy-statement from-customers {
from community customers;
then {
metric 20;
local-preference 200;
next policy;
}
}
When we use this community in a routing policy to find (that is, match) routes, the community
matches routes that have both 56:2379 AND 23:46944 as a community tag value.
Once found, these routes are assigned a MED value (the BGP metric) of 20 and a local-preference
value of 200 (instead of the default 100).
The drop-specifics routing policy accepts the desired routes using a series of route filters that
are based upon address classes (A, B, and C) and the allowed prefix length. The community add
statement attaches the 567:1 community to any existing communities on routes that match the
route filters.
The final reject action serves to reject all routes that are not matched by the previous route filters.
It bears stressing that this rej act statement is part of a unnamed term with no match criteria.
Operators often forget that the final term in a policy can be unnamed, and it is easy to mistake the
reject action in this example as belonging to the drop-specifics term if you do not take
careful analysis.
In this approach, a series of class-based route filters are added to match on Class A, B, and C
addresses that have prefix lengths longer than 19,16, and 24 respectively. Note that the final series
of route filters do not have any actions specified in the route filter statement. As a result, traffic that
matches these statements is subjected to the unnamed term's re j ect action. Some might argue
that this approach is better because the policy's single term means that the J-tree is only evaluated
once. In reality, the performance benefit, if any, is negligible, making both policies equally workable.
policy-statement delete-all-communities {
term all-gone {
then community delete wild-match;
}
}
Default Is to Send
If you do not delete community attribute values, by default, all BGP communities are sent to all peers
Inside an AS and outside the AS. Why clutter up the routing updates with useless and potentially
harmful information?
The slide shows a routing policy that deletes all communities from a BGP route. This example uses
the wildcard asterisk character {*) to match all communities. The action of community delete
wild-match performs this task.
Note that you must apply the wildcard to both halves of the community-the AS number as well as
the community value. The syntax is therefore " * : *" to match all communities.
paths, also with BGP communities to produce a powerful pattern-matching system for finding
communities that match a given regex. Regular expressions used with communities Implement the
full capabilities of a complete regex implementation unlike the AS-path regex syntax, which used a
,
subset.
Consider two forms of regular expressions used with routing policies concerned with BGP
communities. These two forms are simple and ccmplex regular expressions. These are informal
terms, defined in this course as follows. Simple community regular expressions contain only the
asterisk (*) or dot (.) wildcard characters separately. Complex community regular expressions can
use the asterisk and dot in conjunction with each other. Further, the complex regex statements can
use additional operator syntax characters.
The asterisk matches any single AS number or community value. The dot matches any single digit
within the AS number or community value. Note that the combination of these characters (. *) is a
complex community regex, which we discuss on a later slide,
Continued on the next page.
,
' (1 of 2)
To find all routes having a community value of 20, regardless of AS number, use the command show
route community *:20 terse. This command shows the routes but not the complete
community attribute values associated with the routes. To see the communities and more detailed
information, use show route community *:20 detail.
'
ty tch 2
policy-options {
community community-l members 1:20;
}
The example on the slide shows a community called community-l defined within [edit
pel icy-opt ions]. This community represents the value of 1:20. You can use this community
name in the show route conununity-name comraunity-l detail command to view all
routes having this community assigned.
More -'G,j£>ic-;"
The format for the community regular expression is still term operator as in AS-path regular
expressions, but the application of the term and operator is different.
When formulated for use with communities, the regular expression anchors of start (") and end ($)
are not required, but these anchors can be helpful to organize and clearly represent the regular
expression.
You can use complex regular expressions in both the show route CLI commands and within a
policy as a match condition.
"
Match character at start of community
$ Match character at end of community
[] Match range or array of letters or digits
( ) () Used to group terms, or indicate null with no space
WotldwitlBEtlucation Services
The square brackets ([ ]) match a range ([2-8]) or array ([256]) of numbers. Thus the first
,
regular expression in the previous sentence matches 2 through 8 and the second one matches
,
2 or
5 or 6.
Of special note is the use of the parentheses. Typically, you use the parentheses ( ) operator to group
multiple terms in conjunction with an operator. The parentheses operator also has another special
use. When used with no spaces in between, parentheses represent a null value.
,
. \ jgen Examples
; Community pattern
u 4
' Regex: Matches:
to match: .
,
: .
:
- } .
[ J .. .
AS is 56 or 78 -
((56)|(78)):(.*)$" 56:1000.
78:65000
56:222
"
56:22,
2 and ends with any value 56:21197,
between 2 and 8 78:2678
1
'
The first column shows the BGP community string that the routing policy is trying to match. The
second column shows the community regular expression used to match that pattern. The last
column shows examples of values of the BGP community attribute that the regular expression
matches. In some cases, the list is not exhaustive, so more possible communities match the pattern.
Note the presence of the colon (:) to separate the AS number of community value sections of the
community.
,,
A ( (105) | (207) j (309) ) : ( (1. {3, 4} ) j ( [256] .*)
*
( . [3479] ) )$"
liiiii
Complicated Community Reguiar Expression Example
The answer to the question on the slide is yes, the community regular expression on the slide meets
the criteria outlined. This complex regular expression uses multiple temvoperator pairs in its
definition. To understand better how the expression operates, let's reconstruct it from the ground up.
First, we have a basic expression of " {) : () $. This part of the expression sets the foundation for the
complete expression. Loosely speaking, we search for an exact match of an AS number followed by a
colon (:), followed by an exact match of a community value.
Next, we assign the AS value. This AS value is actually a regular expression in itself that states the AS
is either 105, 207, or 309. The pipe ( | ) operator separates the three AS numbers into logical OR
groupings. The extra parentheses are used to set aside each AS number explicitly from the pipe
operator. The regular expression now appears as " ((105) / (207) / (309) ).
- ()$.
Now we can define the community values. As with the AS numbers, the values can be one of three
separate entities. Again, we use the pipe operator to separate the values and the parenthesis to
define the possible values explicitly. The regular expression is now
'
((105) j (207) j (309)) : (() j () j ())$. Each of the possible community values in this
'
that. Because the total value should be 4 or 5 digits, the wildcard can be operated upon with a
{3,4}, which means at least three instances of any number can appear, but no more than four
instances. Combined with the character of 1 to start the value, the wildcard-operator pair makes the
value a 4- or 5-digit number. The regular expression now appears as:
(105) | (207) | (309) ) : ( (1. {3,4}) | () | () )$.
The second possible value can be any length, but it must start with either a 2, 5, or 6. Again, the
community expressions are character based, so this value should also start with a character. These
are actually three possible characters in this single position, so the brackets are used ([256]) to
signify a range of possible values. Following that, there can be more characters in the value, or there
could be no characters in the value. To represent this possibility, we once again use the wildcard dot
( ) In this case, the wildcard is operated on by the asterisk (*), which results in a . * notation. This
. .
represents any possible value present zero or more times. Combined with the [256], this
wildcard-operator pair gives any possible value of any length as long as it starts with a 2, 5, or a 6.
The regular expression now appears as:
-
Review Questions
3 .
What are the well-known communities?
4 .
What is the difference between the add and set
community actions?
i I ,1 .
.
.
. i ,. ; i - .
Review Questions
i .
Lab 9: k mtmst
Local Preference and Coin in unities
Ohaptei" stives
oute mmm
Routing Is Dynamic
In any real network, routes can appear and disappear rapidly if a link fails and restores itself
repeatedly in a short period of time. This is because any routes (and there could be thousands) that
use the failed interface as a next hop must respond to the failure, and the change in next hop must
propagate to all other routers on the network. This rapid changing of routing next hops is called route
flapping or just lapping as the link flaps up and down.
f
Update/Withdrawn Pairs
Flapping results in a rapid sequence of BGP update or withdrawn messages. Recall that BGP routers
must maintain separate memory tables for inbound and outbound traffic on a per-peer basis. In
addition, the BGP routing protocol propagates information on an as-needed basis. These two factors
make BGP unstable in the face of a flapping link.
Every BGP router that receives one of these update or withdrawn messages must send this
information on to all its BGP router peers. Much like the link-state IGPs of OSPF and IS-IS, BGP must
also recalculate its routing tables and databases every time a new update is received. If the new
information alters the path selection process, a new route is chosen for the RIB-LOCAL, and the new
route must be sent downstream to all BGP peers.
If this type of update or withdrawal occurs on a very frequent basis, valuable resources in the router,
such as processing power normally used to forward packets, and bandwidth now needed for routing
updates, are consumed. Damping tells a router to ignore routes that are changing state (flapping) too
often to prevent protocol churn on a global basis.
Link congestion
.
Overloaded links drop BGP sessions
In the past some routers have had problems
,
.
Software problems (bugs, especially after upgrades)
.
Insufficient power (for example, busy CPU drops BGP
sessions)
.
Insufficient memory (tables are kept in memory)
.
Network upgrades and maintenance (adding equipment)
Bad Links
Routes in a network can flap for any number of reasons. Quite possibly, the most frequent reason for
a link flap is because of faulty circuit that is on the brink of outright failure. Any link that rapidly
changes from seemingly operational to failing is a potential source of route flapping.
Unstable IGPs
Route flapping is not totally a BGP phenomenon. IGPs that are unstable because of faulty links can
affect BGP when IGP routes are injected into BGP for advertising. BGP stability is always desirable
and can be enhanced with careful use of static definitions and aggregates instead of injecting raw
IGP routes Into BGP.
Congested Links
Link congestion can cause route flaps if the overloaded links drop the BGP sessions that keep the
BGP routes fresh.
Route Damping
Because route flapping can be so harmful to BGP, the protocol was extended to support route
damping. RFC 2439, BGP Route Flap Damping (November 1998), defines route damping.
Sometimes the term dampening is seen and used.
EBGP Only
Route damping is only applied to routes received from an EBGP peer. EBGP sessions can carry
information about thousands of routes. Each EBGP session must update or withdraw these routes as
required. Route damping seeks to reward route stabilities while penalizing route flapping. Once
damping is enabled, the router begins to maintain a database of instability. If an EBGP-received
route experiences enough flaps, the local BGP process ignores information about that route. This
reaction results in not including this information in the route selection process and not advertising
route changes to downstream BGP peers. Note that some ISPs no longer use damping.
ami mm n
172.31.0/20-up
AS1 172.31.128/20-up
172.31.0/20-up
172.31,128/20-up S
*R1
..
. ..
172.31.0/20-up
172.31.64/20-up/down/up/down
Customer 172.31.128/20-up
AS 1 provides transit service for this customer to the Internet, so the three routes are readvertised
within AS 1 and further to the Internet.
However, look what happens when the 172.31.64.0/20 route starts to experience stability problems ,
causing multiple update and withdraw messages to be sent to AS 1 (up/down/up/down, and so on).
Without route damping enabled, this flap action causes the router in AS 1 to send new update
messages to other routers in AS 1. These IBGP peers then also send new update messages to their
Internet peers.
Enabling route damping can halt this wave of instability at the edge of AS 1. Once enabled, the edge
router in AS 1 starts maintaining statistics for the routes received from the customer. Once the
172.31.64.0/20 route is deemed unstable, the AS 1 router stops generating new update messages
to its IBGP peers. The IBGP peers, in turn, also have no need to send update messages to the
Internet. This makes the Internet, as a whole, more stable.
. ini oatiorirServiKes
.
Figure of Merit
DefaultValue = 0
When a previously unknown (that is, new) route arrives at a BGP router that has damping enabled,
the new route is assigned a figure of merit value of 0.
Should the route experience any instability, the figure of merit is incremented according to the
following:
As the EBGP peer withdraws the route, the figure of merit is increased by a value of
1000;
As the EBGP peer readvertises the route, the figure of merit is increased by a value of
1000; and
.
As attributes for the route change through new update messages from the EBGP peer,
the figure of merit is increased by a value of 500.
Point Reduction
The points given to a route decay (that is, reduce in value) at a certain rate, known as the
half-life. As long as points decay faster than they accumulate, the route is not suppressed.
Should the figure of merit value increase beyond a configured cutoff (suppress) threshold, the
route is considered unusable, and new information about the route from the EBGP peer is ignored.
The suppress value is configurable, but it must be less than or equal to the merit ce/7/ng value
explained further on this page.
The route can once again be considered usable after the figure of merit decreases below a
configured threshold. The figure of merit is decreased on a time schedule you set. Should the figure
of merit not decrease below the bottom threshold in a configured amount of time, the route can
automatically be usable again (reuse).
ec<gre(ta)(ln2)
where er is the figure of merit reuse threshold, t is the maximum suppression (hold-down) time in
minutes, and k is the half-life in minutes.
Cutoff Threshold
The f igure-of-merit value interacts with the damping parameters. The slide lists these parameters.
The suppress variable is the configured threshold where a BGP route is considered unstable and is
not used. This variable represents the value of the penalty that establishes the point at which
damping is initiated. When this value is reached, the route is cutoff (suppressed). The default value
of suppress is 3000. Possible values range from 1-20000. If changed, this value must be less
than or equal to the merit ceiling ec, or damping never occurs.
Reuse Threshold
The reuse variable is the configured threshold where a BGP route is considered usable once again.
This variable is the value to which the penalty must decay before the router considers the route in its
path selection. The default value of the reuse is 750. Possible values range from 1-20000.
Decay Half-Life
The half-life variable is the rate at which the figure of merit is decreased to half its value once
the value is larger than 0. The default value of the half-life is 15 minutes. Possible values range
from 1-45 minutes.
The max-suppress variable is the configured maximum amount of time that a BGP route can be
deemed unusable. This variable is the longest time that the route can be suppressed until the route
is given another chance to behave. The default value of the max-suppress is 60 minutes. Possible
values range from 1-720 minutes. At the end of themax-suppress interval,all is forgiven and the
route becomes active again.
Down
After receiving a new BGP route, the figure of merit is 0 for some period of time. As soon as the route
is withdrawn (or the link is down), the figure of merit increments to 1000. As long as the route stays
down, the figure of merit decays somewhat. As the route is readvertised, the figure of merit is
incremented by another 1000. Again, the figure of merit starts to decay. Now the route is withdrawn
a second time, and again, the figure of merit is increased. Now, when the route is readvertised, the
figure of merit is increased by another 1000. This time, because not enough time has elapsed
between these events in this example, the route is over the suppress limit of 3000 and is
considered unusable. In short order, the route is withdrawn and readvertised, yet again. Each time,
the figure of merit increases 1000 for each action. Notice that the route is still damped and
considered unusable, but the figure of merit still increases and decreases, even while the route is
suppressed.
Internet
AS 100
AS1
Per-prefix
Aggressive
Default Dampin Damping
No Dampin
Customer
On the slide, AS 1 wants to enable damping for all its EBGP peers, based on the following
administrative decisions:
.
AS 1 wants to operate the default damping values for routes from AS 100;
AS 1 does not want to damp any routes from its customer; and
AS 1 wants to damp all routes aggressively from the Internet except for certain prefixes.
The next few slides in this sequence examine how you can implement these damping policies.
The next slide outlines the routing policies you can use to accomplish these goals. We detail the
application of these routing policies on a later slide.
[edit policy-options]
policy-statement customer-inbound
then damping do-not-damp;
}
policy-statement internet-inbound
term let-some-through {
from {
route-filter 192.168.10.0/24 orlonger damping do-not-damp;
route-filter 172.16.240.0/24 orlonger damping do-not-damp;
route-filter 172.27.3 2.64/26 orlonger damping do-not-damp;
route-filter 192.168.100.0/24 orlonger damping do-not-damp;
}
then accept;
}
term damp-all-others {
then damping aggressive-damp;
}
}
damping do-not-damp {
disable; Is my policy correct?
}
damping aggressive-damp
half-life 30;
reuse 200;
suppress 1500;
max-suppress 120;
}
suppress is 1500;
.
reuse is 200;
.
max-suppress is 120.
A policy named customer-inbound is defined with no from statement, so all possible routes
match the policy. The policy has an action of damping do-not-damp. This action sets the profile of
do-not-damp to all routes.
A policy named internet-inbound Is defined with two terms. The let-some-through term
has several route-filter statements with actions defined of damping do-not-damp. This term
further lists an action of then accept. A second term of damp-all-others has no from
statement defined, so all routes are subjected to the damping aggressive-damp action.
Warning: This version of the internet-inbound policy contains a logic flaw and does not work.
Please do not use this policy in your network. A corrected version is presented on a later slide. Can
you spot the flaw?
R2:
[edit protocols]
Internet
bgp {
damping;
AS 100
R3:
[edit protocols
bgp {
damping; Rl:
import customer-inbound; [edit protocols]
bgp {
damping;
import internet-inbound;
Customer }
Worldwide EducaticmServices
Router R2 simply defines damping within its BGP configuration. This configuration both enables
damping and operates with the default parameters on routes from AS 100. No policy is needed on
this router.
Router R3 defines damping within BGP and an import policy of customer-inbound. This
configuration enables damping on the router and applies profile parameters as per the policy.
Amm :6
[edit policy-options]
policy-statement internet-inbound {
term let-some-through {
from {
route-filter 192.168.10.0/24 orlonger;
route-filter 172.16.2 40.0/2 4 orlonger;
route-filter 172.27.32.64/2S orlonger;
route-filter 192.168.100.0/24 orlonger;
}
then {
damping do-not-damp;
accept;
}
}
term damp-all-others {
then damping aggressive-damp;
}
}
The issue is the do-not-damp action defined for the route-filter statements. When a
candidate route that matches one of the filters appears, the action of damping do-not-damp is
taken. Because we defined this action within the route-filter statement itself (it is an
immediate action), any further actions on the route specified within a then statement are skipped, in
this case, the then accept is skipped within the let-some-througrh term. But the
route-filter statements do not also define a terminating action (accept or reject). Thus ,
the damping profile is applied, but the route is passed to the next term in the policy for further
evaluation. When the route enters the damp-all -others term, the route matches the term
because we defined no from statement. The route is then applied the damping profile of
aggressive-damp. This causes the specified exempt routes to be damped at the aggressive rate!
This violates the administrative policies of the AS.
To correct the policy, we must remove the damping do-not-damp actions from the individual
route-filter statements and instead place them within the then portion of the term. After
making this change, the exempt routes match the let-some-through term, have the correct
damping profile applied, and are accepted.
AS path: 1 I
Localpref: 100
Router ID: 192 . 168.1. 1
Damping History
The slide shows the outputfrom the show route damping history command.
Any routes displayed by this command were withdrawn from the router. However, the router retains a
record of these routes should they be readvertised to the local router. Some notable details in the
display include the following:
The route is currently hidden. We see this in both the State: <Hidden Ext> field as
well as the Preference: /-101 field. Notice that no Junos OS protocol preference
value is defined.
.
There is a field (Merit) for the current figure-of-merit value. The two values that follow
list the value after the last BGP update (or withdrawal), and the current value after
experiencing some decay. For this route, the values are Meri t: 2777 / 2454. Thus,
the value at the last update/withdrawal was 2777 (note that this value need not
necessarily exceed the default suppress threshold of 3000), and the current value is
2454.
The default parameters are used (Default damping parameters used). If this
route were evaluated by a policy with a damping action, the new damping profile name
would appear in the output.
Decav 1 oute
Any routes displayed by this command were advertised to the router and are currently usable routes,
but these routes have a figure of merit greater than 0. Some things to note in the display are:
.
The route is currently active. We see this both by the asterisk {*) in the output as well as
the State: <Active Ext> field.
There is afield (Merit) for the current figure-of-merit value. The two values list the
value after the last update (or withdrawal) and the current value after experiencing
some decay. For this route, the values are Merit: 2 000/1954.
.
The default parameters are used (Default damping parameters used). If a
policy with a damping action evaluated this route, the new damping profile name would
appear in the output.
Damped Routes
The slide shows the output from the show route damping suppressed command.
Any routes displayed by this command were advertised to the router, but these routes have a figure
of merit that is currently above the suppress threshold, and the route is unusable.
Manual Clearing
The route remains in this state until the figure of merit crosses below the reuse threshold. A route
can have the figure of merit reduced to 0 administratively by using the clear bgp damping
command.
On the slide, the route 200.200.200.0/24 is currently suppressed and hidden. After we issue the
clear bgp damping command, the route is no longer hidden.
Ri $view Questions
Review Questions
i.
2.
3.
4 .
mimic
and
Unlike link-state routing protocols, internal BGP (IBGP) does not flood routing updates. Instead, IBGP
uses an explicit peering model that normally results in the exchange of routing information to peers
that are connected in a full mesh. The need for a full-mesh IBGP topology stems from the fact that
BGP uses the AS path attribute to provide loop detection, but IBGP speakers do not add the local AS
number in the updates they send to other IBGP speakers. Lacking AS number based loop detection,
IBGP speakers are normally precluded from readvertising routes to other IBGP speakers when the
route in question was learned from an IBGP speaker. This default IBGP behavior leads to the need for
a full mesh of IBGP peerings.
Requiring that all IBGP peers within an autonomous system (AS) be fully meshed has inherent
scalability problems. For example, every time a new router is added to the AS, each existing IBGP
router must have its configuration updated to include a peering statement for the router that has
been added. This process can become quite an issue when there are 100, 200, or even 1000
routers in an AS. In fact, with only 100 routers in a full IBGP mesh, each router is required to maintain
99 IBGP peering sessions, with the network having to support a total of 4,950 IBGP sessions! Surely
there has to be a better way.
.
Originator ID
BGP route reflection relaxes the restriction that an IBGP peer should not readvertlse IBGP-learned
routes to other IBGP speakers. The routers allowed to override this default behavior are known as
route reflectors (RR).
RRs only readvertlse the active routes to their clients. You configure an RR by using the cluster
statement within an IBGP peer-group configuration. BGP considers each of the peers configured
within that peer group to be clients of the RR. The RR clients require no configuration changes; they
do not have any knowledge of the presence of the RR-they simply see the RR as an IBGP peer.
Two new BGP attributes are defined to support route reflection; these attributes are the cluster list
and the originator ID. An RR creates or modifies these attributes when it readvertises the routes to
both clients and non-clients. The route reflector's cluster ID is added to ali routes that the RR
touches, meaning that both clients and non-clients receive the cluster list attribute. This attribute
contains a sequence of all cluster IDs that represent all RRs that have handled the route update.
tes Loops
Steps:
1 .
Client sends routes to RR
2 ,
RR sends routes to all clients in the cluster and all RRs
3 . Those RRs send the routes to all their peers forming a
loop
10.10.10,0/24
RR1 ri'R2
RRd
Clients \ 10.10.1C
10.10.10.0/24
Clients
'
ft Clients
2 .
RRI sends routes to all clients and to RR2 and RRS;
3 . Because route reflection allows IBGP peers to send routes to other IBGP peers, RR2
sends the routes to RRS; and
4 .
Because RRS has no way of knowing the routes received from RR2 came from RRI,
RRS sends them to RRI, forming a loop.
"
,
- ;fi@ tl©h - ~
Cluster list:
.
Operates like an AS path, used by RR for loop prevention
.
Also used in the route selection algorithm
.
Contains a sequence of cluster IDs
.
Cluster ID represents each RR cluster in the network
.
RR drops routes that have already transited the cluster
. Added to the cluster list when a RR touches a route
Originator ID:
.
Identifies the first router to inject a route in an RR network
Cluster List
The cluster list attribute is analogous to the AS path attribute and is used to prevent loops. If an RR
receives a route with its own cluster ID in the cluster list, it drops the route. In addition, each router in
the network can use this attribute in the BGP path selection algorithm prior to using the router ID
attribute. BGP chooses the route with the shortest cluster list length. This process follows the same
theory as the AS path attribute.
The cluster ID is very similar to an AS number and should be unique within an individual AS. The
cluster ID Is added to the cluster list attribute when a route is sent to clients and non-clients.
Originator ID
The originator ID attribute provides the router ID of the first router to advertise the route in the AS. It
also is used for loop prevention in the rare case where the cluster list does not prevent a loop.
oute Clew f mm
clients of a particular cluster. No configuration changes are needed in the client s configuration.
Once the clients are placed into their respective peer groups, use the cluster command to
activate the route reflection process of the route reflector. The cluster command is used to assign
each cluster its cluster ID. This cluster ID is a 32-bit value that uniquely describes the cluster within
the BGP AS. If only a single route reflector exists in the cluster, the router ID of the route reflector is
often used as the cluster ID.
The clients in the cluster must peer to the route reflector itself. The clients have no knowledge of the
cluster and see the reflector as a regular IBGP peer.
.
.
.
Client Client ..'* Client
RR
© .
.
.
t
Client X :
Client
® Between Route
Reflectors
Client
Client i RR
I
RR
Client Client
Client Client
'
Client
BGP-speaking routers along the edge of the network all have a single peer configured in the form of
the route reflector for the local cluster.
The route reflectors are, in turn, fully meshed using standard IBGP peering procedures. The result is
that all routes received by any BGP router will eventually be seen by all other BGP routers in the AS.
It is a common best practice to have the logical route reflection topology follow the physical topology
of the network.
on
Steps:
1 . Client sends routes to all peers (route reflector)
2 Route reflector sends routes to all clients in the cluster and
.
all peers
3 . Route reflector sends routes from peers to all clients in the
cluster
10.10.10.0/24
10.10.10.0/24
RR
Clients
Clients
C lents
Route Propagation
The next series of slides shows the flow of routing information in a route reflection network using a
basic topology.
We begin with a client in the left-most cluster advertising the 10.10.10.0/24 route to the cluster's
route reflector.
The slide details how the 10.10.10.0/24 route is readvertlsed to ail other clients in the cluster as well
as to ail non-client IBGP peers of the reflector. This process applies to all other routes the route
reflector receives from a client in its cluster.
This slide shows how the other route reflectors In the network readvertise all routes received from
IBGP peers (the other reflectors in this example) to all of their cluster clients.
neighbor 172.16.2.2;
neighbor 172.16.3.3;
)
'
.
-
.
4 k
[edit protocols bgp]
user9RR2# show
group int-peers { *
>
*
type internal;
local-address 172.16.1.2;
cluster 172. 16. 1.2; .
c
neighbor 172.16.2.2;
neighbor 172.IS.3.3;
>
The slide shows a cluster containing two route reflectors. This type of cluster design is popular
because it avoids a single point of network failure. When a cluster has only a single route reflector,
the clients might become segmented from the network in the event of a failure of that RR. A design
that includes two RRs in each cluster ensures that the failure of a single router does not segment the
network.
Each of the client routers simply configure two IBGP peers and forward EBGP-leamed routes to both
route reflectors. The route reflectors themselves can peer either within the cluster as clients of each
other or outside of the cluster as normal IBGP peers. Either way, routes from within the cluster are
dropped when advertised between the RRs because of cluster list routing loops.
Each of the route reflectors also establish IBGP peering sessions with the other RRs in the entire AS.
As previously mentioned, a debate exists as to whether each route reflector should be assigned the
same or unique cluster ID. In most cases, using unique cluster IDs is preferred. The drawback is that
using unique cluster IDs requires more BGP route state at the route reflectors. This generally does
not outweigh the advantage of maintaining connectivity.
The slide shows an AS network using a more complex, hierarchical, route reflection topology.
Hierarchical route reflection occurs when the route reflectors for some clusters are themselves
clients in another route reflection cluster. Very often AS networks evolve to this type of setup when
the reflector full mesh shown on a previous slide becomes too large to manage. In this case, the
internal route reflector full mesh might evolve into a route reflection cluster.
4 ent me
4 :
Clients within a cluster can peer with other clients in a full-mesh environment. This ability does not
change the operation or need for the route reflector. The reflector still sends routes from the clients
to the remainder of the IBGP network and forwards routes from the IBGP network into the cluster.
What the client full mesh does provide is the ability of clients to use other clients' routes natively
when logical BGP connectivity exists between the clients.
In this situation, each of the clients receives two versions of the route. One version is from the other
client, and one version is from the route reflector. Because the extra copy of the route from the
reflector is not needed, you can disable the Internal cluster readvertisements using the
no-client-reflect command. Once configured, the route reflectoronlyforwards to the clients
routes which arrive from outside of the cluster.
RR
172.16.1.1
192.168.0.0/16 192.168.0.0/16
BNH = 172.16.2.2 NH = 172.16.1.1
i n the example on the slide, the 172.16.2.2 ci uster client advertises the 192.168.0.0/16 route to the
'
cluster s RR with the BGP next hop set to its router ID. Because of sloppy next-hop-seif policy on the
RR, the BGP next hop Is overwritten with the router ID of the RR-172.16.1.1. When client 172.16.3.3
receives and installs this route, suboptimal forwarding occurs as packets are sent through the RR
instead of directly to 172.16.2.2. This situation might occur when the route reflector also has EBGP
peering sessions established. Most network designs avoid this problem by placing their route
reflectors within the core of their networks.
"
Route Reflection Operation
Configuration and Routing Knowledge
-
>BGP Confederations
BGP Confederations
Within a Sub-AS
The confederation sub-AS networks act just like a real AS; they require a full mesh of IBGP
connectivity within themselves. Should the full mesh of the sub-AS grow too large, route reflection
might be used within a sub-AS to scale the network.
Each sub-AS must have a unique AS number defined, and most administrators use a private AS
number from the 64512 to 65535 range.
Continued on the next page.
CBGP peers modify the AS path attribute to include the sub-AS numbers. This modification is
performed to provide loop prevention within only the confederation network. All other BGP attributes,
such as local preference and the BGP next hop, remain unchanged when sent across a CBGP link.
Because the router views connections between the sub-AS networks as being EBGP, some special
configuration might be warranted. The router expects to use the physical address of the CBGP for the
BGP session, but many administrators prefer to peer the CBGP routers using loopback addresses.
This is accomplished through the use of themultihop command.
Path me
AS confederation sequence:
.
Each sub-AS is added to the AS path attribute
.
(65000 65001 65002) 100 200 shows a sequence
.
Used for loop prevention only
.
Sequence values are not counted as AS hops
AS Confederation Sequence
As a route is advertised over a CBGP link, BGP modifies the AS path attribute to Include the sub-AS
number. BGP places this sub-AS number into an AS confederation sequence, as denoted by
parentheses, within the AS path attribute. The sequence is a new AS path segment attribute with a
type code of 3.
The sub-AS values are sequenced in the order in which the route has traversed the network, with the
primary purpose being loop prevention within the confederation network. The confederation
sequence is not used in the calculation of AS path length for the BGP active route selection
algorithm. For routers within a confederation network, the confederation sequence appears as a
single, internal BGP AS network.
AS Confederation Set
Should some routing aggregation occur within the confederation network, the granularity of the
confederation sequence might be lost. This process is very similar to conventional BGP route
aggregation.
In this situation, the AS confederation sequence becomes an AS confederation set and is denoted by
curly braces within the AS path output. The set is also a new AS path segment attribute with a type
code of 4.
The routers within the confederation view the AS confederation set in the same manner as a
sequence. That is, the set Is still used for loop prevention even though the ordering of the sub-AS
numbers Is no longer significant.
[edit routing-options]
u3er@router# show
autonomous-system 650 0 0;
confederation 201 members [ 65000 65001 65002 65003 65004 ];
To operate a confederation network effectively, all BGP routers in the AS must know the globally
unique AS number as well as all the configured sub-AS numbers. This information is defined using
the confederation command within the routing-options stanza, as shown on the slide.
At the edge of the confederation network, the routers remove ail confederation-related AS numbers,
both sequences and sets, from the AS path attribute of all routes prior to EBGP advertisement. This
removal allows the details of the confederation network to be hidden to all other networks in the
Internet.
Note that the remove-private command is not required to remove sub-AS numbers when you
operate a confederation network. This behavior is the default for a BGP confederation and is
controlled by the confederation command.
Cor
< -
Rl
.
CBGP
RR \
/ RR
= AS 65003
,
!AS 65000 . AS 201 .
i
CBGP
AS 65002 \ \ s
/
CBGP I v.
.
CBGP
'AS 65001 .»
AS 65004 .
v
CBGP
:© 3
UBGP
Ifi
Confederation Peering
The slide shows an example of a BGP confederation network. The global AS of 201 is split up into five
sub-AS networks-65000, 65001, 65002, 65003, and 65004. The sub-AS networks are connected
with EBGP-like connections (sometimes called CBGP). Because the CBGP links behave like EBGP,
there is no need for a full-mesh topology between each sub-AS. Therefore, you can provision CBGP
connections wherever it is logically, or physically, convenient.
Some of the sub-AS networks on the slide are using route reflection within the sub-AS to eliminate
the need for a full IBGP mesh. The combination of BGP confederations and route reflection
simultaneously allows for great flexibility in scaling your AS to hundreds or thousands of routers.
[edit]
[edit]
user@AS65001-R3# show protocols bgp
user@AS65003-Rl# show protocols bgp
group sub-AS-65001 {
group sub-AS-65000 {
type internal;
local-address 192.168.1.3;
type external;
multihop;
neighbor 192.168.1.1;
local-address 192.168.3,1;
neighbor 192.168.1.2;
neighbor 192.168.1.4; peer-as 65000;
} neighbor 19 2.168.0.1;
group sub-AS-65000 { }
type external; group sub-AS-65003 {
multihop; type internal;
local-address 192.168.1.3; local-address 192.168.3.1;
The configuration example on the right side of the slide represents Router 1 in sub-AS 65003. This
sub-AS uses route reflection to replace the IBGPfull mesh, and Router 1 is the route reflector for the
cluster. This configuration is seen in peer group sub-AS-65003 where the cluster command is
configured. The other peer group on the router represents the CBGP peering connection to
sub-AS 65000.
summary
Review Questions
Review Questions
4 .
5 .
6.
JUniPSr WorldwideEducatioiiServiees
link-state advertisement
L 305
-
link-state database
LSP link-state PDU
M0SPF
Multicast Open Shortest Path First
Nl-PID network layer protocol identifier
Nl-Rl network layer reachability information
NSSA
not-so-stubby area
PDU
protocol data unit
PSNP
partial sequence number PDU
RID router ID
routing protocol daemon
RR route reflector
SPF
shortest path first
T,-v
type/length/value
ToS
type of service
time-to-live
Chapter 2: OSPF
i.
The metric or cost of a router's links can be automatically altered with the reference-bandwidth
command.
3.
The different forms of OSPF authentication include none, simple, and MD5.
The ABR does not forward Type 4 and Type 5 LSAs into a stub area or NSSA. Type 3 LSAs are also not
forwarded in an OSPF NSSA with no summaries.
2 .
You must configure all routers that are in the stub area or NSSA.
3 .
The ABR of the stub area can optionally inject a 0.0.0.0/0 default route into the stub area or NSSA.
4 .
Although technically you do not need a backbone area, functionally you need one because of the loop
prevention mechanisms in OSPF.
2 .
Virtual links would be deployed if two companies were merging their networks together and physical link
connectivity was not an option. This could be due to cost or time constraints.
3 .
If the source route has a lower preference there usually are no issues. If a source route has a higher
preference, suboptimal routing or loops can occur.
Chapter 5: IS-IS
l .
A PDU is a protocol data unit. It is used to send information about the IS-IS configuration between network
devices.
The segments are called type/length/value (TLVs). They describe the originating router.
3 .
Because IS-IS is deterministic, the added IS will assume the role of the DIS immediately and flood out new
PDUs to all other ISs on that segment.
4 .
Set family iso and net on the physical and loopback interfaces. On the loopback interface, add an IP
address and an ISO address. Ensure that the Area Address portion of the NET is the same. Under
[protocols isis] disable Level 2.
The maximum default link metric is 63. By default, the Junos OS supports the sending and receiving of
wide metrics. To configure IS-IS to generate only the new pair of TLVs and thus to allow the wider range of
metric values, include the wide-metrics-only statement.
2 .
None, simple, and MD5 are the three forms of IS-IS authentication.
3 .
Import polices are not allowed for IS-IS, as this could lead to inconsistencies in the LSDB. The default
export policy for IS-IS is to reject everything. IS-IS floods link-state PDUs to announce local routes and any
routes learned by the protocol. Exporting can be used only to announce information from other protocols.
An IS-IS L1/L2 network is similar to an OSPF not-so-stubby-area (NSSA) with the no-summaries and
default-metric options configured.
3 .
Route leaking is performed on the L1/L2 ABR. A routing policy is written matching the Level 2 routes to be
leaked. This policy is then applied at the [edit protocols isis] hierarchy.
Summarization is performed on the L1/L2 ABR. An aggregate route encompassing the desired more
specific routes must be defined. Then a routing policy is created matching the aggregate with the to
level 2 and then accept actions. The policy should include a term to reject more specific routes. The
policy is applied at the [edit protocols isis] hierarchy.
Chapter 8: BGP
l .
Using loopback addresses for peering sessions between IBGP neighbors maintains reachability even when
the physical topology changes as long as a viable path exists.
2 .
EBGP-learned routes are advertised to both EBGP and IBGP peers. IBGP-learned routes are advertised to
EBGP peers. However, IBGP-learned routes are not advertised to other IBGP peers to prevent routing
loops.
With Junos OS, all new BGP routes have an origin code of Hnternal.
When you configure multipath on a BGP router, the route selection algorithm ignores both the router ID
and the peer ID selection criteria.
Five approaches can solve the BGP next hop issue: Next-hop self; IGP passive interfaces; Export direct
routes into IGP; Static routes; and IGP adjacency formed on inter-AS links to EBGP peers.
An import policy operates between the RIB-IN and the RIB-LOCAL. An export policy operates between the
RIB-LOCAL and the RIB-OUT.
2 .
The Junos OS sees all possible routes to be injected into BGP as internal routes and sets the origin code
as Hnternal.
3 .
Different ASs can set the MED values differently. A good MED value from one AS may be a bad value from
another AS.
The purpose of prepending the AS PATH is to make the route advertisement look undesirable.
Local preference is a BGP attribute that influences traffic flow. Route preference is local to an individual
router and assists the routing table in choosing the active route.
2 .
IBGP sessions usually peer to loopbacks, so IGP routes must be able to come and go so that IBGP sessions
always have a way to reach the loopback.
2 .
The half-life is the rate at which the figure of merit is decreased to half its value once the value is larger
than 0. The default value of the half-life is 15 minutes.
3 .
The max-suppress parameter establishes the maximum time that a route can be suppressed. The default
value is 60 minutes.
If the suppress threshold is set higher than the merit ceiling no damping will occur.
The command shows any routes that were advertised to the router and are currently usable routes, but
have a figure of merit greater than 0.
Routers in a sub-AS run IBGP. Routers across a confederation boundary run CBGP. Routers external to the
confederations run EBGP.