Routing Policies

BGP shows its real power once filtering comes into play. Consider a BGP edge device and the ingress and egress traffic traversing it, both signaling (BGP updates) and forwarded traffic. AS policies are naturally enforced at the network edge or perimeter, that is, at the points of contact with other autonomous systems. As a rule of thumb, transit autonomous systems have more elaborate policies than stub autonomous systems; the same holds for multihomed autonomous systems.

Policies, and the configurations that implement them, act on BGP path attributes. Remember that BGP is purely a signaling protocol: it relies on an underlying IGP to resolve the BGP next hop and to install forwarding state. Nevertheless, what is not signaled is not forwarded, so a prefix that a filter rejects never becomes a forwarding entry.

An important aspect of BGP mastery is a thorough understanding of regular expressions, which are used extensively in BGP filter configuration statements (AS path access lists and the match clauses of route maps). Regular expressions are essentially a generalization of the wildcard matching familiar from shells and file systems. In AS path filters, the underscore (_) is an additional metacharacter that matches a boundary (the start or end of the path, a space, or a confederation or AS-set delimiter). A pattern without anchors or underscores, such as 65000, is a substring match and also matches 165000 and 650001, which is a common source of overly permissive filters.

NOTE

For an in-depth discussion of regular expressions, consult the book Mastering Regular Expressions (O'Reilly and Associates, 2002) mentioned in the "Recommended Reading" section of this chapter. Cisco.com also contains several documents about regular expressions, especially with regard to BGP.
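
The following Python script is an added illustration, not part of Zebra or of the original chapter: it implements the one non-standard metacharacter of AS path regular expressions, the underscore, on top of Python's re module and evaluates patterns against AS paths written as they appear in show ip bgp output. The patterns _65000_ and _65003$ are the ones used in the as-path access list of Example 10-31 later in this section; the remaining patterns and paths are constructed to show the difference between anchored and unanchored matches.

```python
"""AS path regular expressions as used by Zebra and IOS, in Python.

Added illustration, not from the chapter: an AS path access list entry is
an ordinary regular expression over the textual AS path with one extra
metacharacter, '_', which matches a boundary (start or end of the path,
a space, or a confederation/set delimiter). Zebra performs the same
translation before calling the system regex library.
"""
import re

# What '_' stands for: start, end, blank, comma, braces, parentheses.
_BOUNDARY = r"(?:^|$|[ ,{}()])"


def aspath_to_regex(pattern):
    """Translate an IOS/Zebra AS path pattern into a Python regex."""
    return pattern.replace("_", _BOUNDARY)


def aspath_match(pattern, path):
    """True if the AS path (ASNs separated by blanks) matches the pattern."""
    return re.search(aspath_to_regex(pattern), path) is not None


def evaluate_filter_list(entries, path):
    """First-match evaluation of an 'ip as-path access-list'.

    entries: (action, pattern) tuples in configuration order. A path that
    matches no entry is denied, exactly as on the router.
    """
    for action, pattern in entries:
        if aspath_match(pattern, path):
            return action == "permit"
    return False


# The list from Example 10-31: drop anything that passed through AS 65000,
# accept what originates in AS 65003.
ASPATH_LIST = [("deny", "_65000_"), ("permit", "_65003$")]

# Constructed sample paths, written as 'show ip bgp' prints them.
SAMPLE_PATHS = ["65003", "65003 65000", "65000 65003", "65001 65001 65001",
                "165000", "65003 (65010 65011)"]

if __name__ == "__main__":
    for pattern in ("65000", "_65000_", "_65003$", "^65003$", "_65011_"):
        hits = [p for p in SAMPLE_PATHS if aspath_match(pattern, p)]
        print("%-9s matches %s" % (pattern, hits))
    for p in SAMPLE_PATHS:
        verdict = "permit" if evaluate_filter_list(ASPATH_LIST, p) else "deny"
        print("%-22s %s" % (p, verdict))
```

The practical lesson is visible in the first loop: the bare pattern 65000 also hits the constructed path 165000, whereas _65000_ only matches AS 65000 as a whole path element, and _65003$ accepts any path that originates in AS 65003 while ^65003$ accepts only the directly connected origin.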


Defining an AS Policy

What actually constitutes a policy for an AS? It is the set of rules that govern ingress and egress behavior at the network perimeter toward neighboring BGP speakers and foreign autonomous systems. It covers both the traffic the AS attracts and the traffic that leaves it at one or several attachment points to the outside world. Participation at public peering points or commercial exchanges, and transit arrangements, extend this set of rules.

How can we learn about other people's policies? By consulting the RADB or the other databases of the Internet Routing Registry (IRR), such as the databases of RIPE, APNIC, ARIN, AfriNIC, and LACNIC, either with a simple whois query or by mirroring the distributed IRR database. Registered policies are written in the Routing Policy Specification Language (RPSL, RFC 2622): aut-num objects carry import and export statements, and route objects bind prefixes to their origin AS. These objects often form the foundation of automatically generated router and route server configurations that are regenerated at regular provisioning intervals. On the router itself, the vehicle of choice to express a policy is the route map, as discussed in the following section.
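
As an added illustration (not code from the chapter or from any IRR toolkit), the following Python script parses RPSL route objects in the format returned by a whois query against an IRR database and turns all prefixes registered with a given origin AS into a Zebra ip prefix-list that permits exactly those prefixes and denies everything else. The RPSL objects, the list name as65003-in, and the AS numbers are constructed sample data.

```python
"""Generating a Zebra prefix-list from IRR route objects.

Added illustration, not from the chapter and not a real IRR tool: parses
RPSL route objects (constructed sample below, in the whois output format
the IRR databases return) and emits the 'ip prefix-list' lines a
provisioning system would push to a router for one origin AS.
"""
from ipaddress import ip_network

# Constructed RPSL output; real data would come from a query such as
#   whois -h whois.radb.net -- '-i origin AS65003'
SAMPLE_IRR = """\
route:          10.0.0.0/24
descr:          AS65003 lab prefix
origin:         AS65003
mnt-by:         MAINT-AS65003
source:         RADB

route:          10.0.1.0/24
origin:         AS65003
source:         RADB

route:          211.11.117.0/24
origin:         AS65000
source:         RADB

route:          10.0.2.0/24
origin:         as65003
remarks:        lower-case origin, still the same AS
source:         RADB
"""


def parse_rpsl(text):
    """Split whois output into objects: a list of dicts, one per object.

    Objects are separated by blank lines; attribute values are kept as
    strings and the last occurrence of a repeated attribute wins.
    """
    objects, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        if line.startswith("%") or line.startswith("#"):
            continue                       # server comments
        key, _, value = line.partition(":")
        current[key.strip().lower()] = value.strip()
    if current:
        objects.append(current)
    return objects


def routes_for_origin(objects, asn):
    """Sorted, validated prefixes whose route object names this origin AS."""
    prefixes = set()
    for obj in objects:
        if "route" not in obj or obj.get("origin", "").upper() != "AS%d" % asn:
            continue
        # strict=True rejects a 'route:' with host bits set instead of
        # silently widening it to a network.
        prefixes.add(ip_network(obj["route"], strict=True))
    return sorted(prefixes, key=lambda n: (n.network_address, n.prefixlen))


def prefix_list_config(name, prefixes, step=5):
    """Zebra 'ip prefix-list' lines: exact-length permits, then deny any."""
    lines, seq = [], step
    for net in prefixes:
        lines.append("ip prefix-list %s seq %d permit %s" % (name, seq, net))
        seq += step
    lines.append("ip prefix-list %s seq %d deny any" % (name, seq))
    return lines


def build(name, asn, text=SAMPLE_IRR):
    """Prefix-list for one origin AS from RPSL text."""
    return prefix_list_config(name, routes_for_origin(parse_rpsl(text), asn))


if __name__ == "__main__":
    print("\n".join(build("as65003-in", 65003)))
```

The generated list permits only the exact registered prefix lengths and ends with an explicit deny any, which is the conservative default for a list applied inbound from a customer or peer; an origin with no registered route objects yields a list containing only the deny.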

BGP Route Maps and Filters

Zebra/Quagga bgpd provides extensive capabilities to filter incoming and outgoing announcements and to set attributes or tags via route maps (see Figure 10-22).

Figure 10-22. BGP Filtering Context


You can choose from a rich set of filter mechanisms:

  • Filter lists (apply an AS path access list to a neighbor)

  • Prefix lists (filter prefixes, optionally with ge/le length ranges)

  • AS path access lists (regular expressions over the AS_PATH attribute)

  • Distribute lists (apply a standard access list to a neighbor)

  • Community lists

  • Extcommunity lists

  • Route maps (set, match, and on-match goto/next clauses)

The topic of BGP route maps and filters alone would fill hundreds of pages. The syntax follows Cisco IOS, and the capabilities are too vast to discuss in detail here; the following introduction to route maps is therefore only a qualitative overview. As an illustration, several (not necessarily meaningful) filters are deployed on the route server europa, whose configuration was rewritten earlier to demonstrate views. In the output, note the result of path prepending on the 172.16.0.0/25 and 172.16.0.128/25 routes learned from 192.168.14.2, and the 65003:100 community tag on the routes learned from 192.168.14.254 (see Examples 10-31 and 10-32). Because each route map consists of a single permit clause and every route map ends in an implicit deny, routes that match no clause are dropped; this is why route-map restrict passes only 65003:100-tagged routes to laurel. Also note the protective settings surrounding the filters: maximum-prefix 50 warning-only merely logs when a neighbor exceeds 50 prefixes (without warning-only the session would be torn down), access-class 1 restricts vty access to 127.0.0.1 and 192.168.1.0/24, and service password-encryption stores the vty and enable passwords as crypt(3) hashes (the leading 8 marks an encrypted password), which keeps them out of plain text but does not make them strong.

Example 10-31. Demonstration of Various BGP Filters on Europa

europa-bgpd# show running-config



Current configuration:

!

hostname europa-bgpd

password 8 m6eyKycFMHniQ

enable password 8 bjYlnA9YLBWyM

log file /var/log/bgpd.log

service advanced-vty

service password-encryption

!

bgp multiple-instance

!

router bgp 65002 view ROUTESERVER

 bgp router-id 192.168.14.3

 bgp dampening

 neighbor 192.168.14.1 remote-as 65000

 neighbor 192.168.14.1 soft-reconfiguration inbound

 neighbor 192.168.14.1 maximum-prefix 50 warning-only

 neighbor 192.168.14.1 route-server-client

 neighbor 192.168.14.1 prefix-list callisto-out in

 neighbor 192.168.14.1 attribute-unchanged as-path next-hop

 neighbor 192.168.14.2 remote-as 65001

 neighbor 192.168.14.2 soft-reconfiguration inbound

 neighbor 192.168.14.2 maximum-prefix 50 warning-only

 neighbor 192.168.14.2 route-server-client

 neighbor 192.168.14.2 route-map prepend in

 neighbor 192.168.14.2 route-map restrict out

 neighbor 192.168.14.2 attribute-unchanged as-path next-hop

 neighbor 192.168.14.254 remote-as 65003

 neighbor 192.168.14.254 soft-reconfiguration inbound

 neighbor 192.168.14.254 maximum-prefix 50 warning-only

 neighbor 192.168.14.254 route-server-client

 neighbor 192.168.14.254 route-map comm in

 neighbor 192.168.14.254 filter-list aspath in

 neighbor 192.168.14.254 attribute-unchanged as-path next-hop

!

access-list 1 remark vty-protection

access-list 1 permit 127.0.0.1

access-list 1 permit 192.168.1.0 0.0.0.255

access-list prepend remark path-prepend-filter

access-list prepend permit 172.16.0.0/16

access-list prepend deny any

!

ip prefix-list callisto-out seq 5 deny 211.11.117.0/24

ip prefix-list callisto-out seq 10 permit any

!

ip as-path access-list aspath deny _65000_

ip as-path access-list aspath permit _65003$

!

ip community-list 1 permit 65003:100

!

route-map prepend permit 10

 match ip address prepend

 set as-path prepend 65001 65001

!

route-map comm permit 10

 match as-path aspath

 set community 65003:100

!

route-map restrict permit 10

 match community 1

 set weight 400

!

line vty

 access-class 1

 exec-timeout 0 0

!

end



europa-bgpd# show ip access-list

Standard IP access list 1

    permit 127.0.0.1

    permit 192.168.1.0, wildcard bits 0.0.0.255

Zebra IP access list prepend

    permit 172.16.0.0/16

    deny   any



europa-bgpd# show ip prefix-list detail

Prefix-list with the last deletion/insertion: callisto-out

ip prefix-list callisto-out:

   count: 2, range entries: 0, sequences: 5 - 10

   seq 5 deny 211.11.117.0/24 (hit count: 5, refcount: 52)

   seq 10 permit any (hit count: 47, refcount: 47)



europa-bgpd# show ip community-list

Community standard list 1

    permit 65003:100



europa-bgpd# show ip bgp 172.16.0.0/25

BGP routing table entry for 172.16.0.0/25

Paths: (1 available, best #1, table Default-IP-Routing-Table)

  Advertised to non peer-group peers:

  192.168.14.1 192.168.14.254

  65001 65001 65001, (Received from an RS-client)

    192.168.14.2 from 192.168.14.2 (172.16.0.254)

      Origin IGP, metric 0, localpref 100, valid, external, best

      Last update: Fri May 16 10:46:59 2003



europa-bgpd# show ip bgp 10.0.0.0/24

BGP routing table entry for 10.0.0.0/24

Paths: (2 available, best #2, table Default-IP-Routing-Table)

  Advertised to non peer-group peers:

  192.168.14.1 192.168.14.2

  65000 65003, (Received from a RS-client) (history entry)

    192.168.14.1 from 192.168.14.1 (192.168.1.1)

      Origin IGP, localpref 100, external

      Dampinfo: penalty 601, flapped 1 times in 00:10:51

      Last update: Fri May 16 10:47:02 2003



  65003, (Received from a RS-client)

    192.168.14.254 from 192.168.14.254 (10.0.0.1)

      Origin IGP, metric 0, localpref 100, valid, external, best

      Community: 65003:100

      Last update: Fri May 16 10:47:01 2003



europa-bgpd# show ip bgp filter-list aspath

BGP table version is 0, local router ID is 192.168.14.3

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal

Origin codes: i - IGP, e - EGP, ? - incomplete



   Network          Next Hop            Metric LocPrf Weight Path

*> 10.0.0.0/24      192.168.14.254           0             0 65003 i

*> 10.0.1.0/24      192.168.14.254           0             0 65003 i



Total number of prefixes 2



europa-bgpd# show ip bgp route-map comm

BGP table version is 0, local router ID is 192.168.14.3

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal

Origin codes: i - IGP, e - EGP, ? - incomplete



   Network          Next Hop            Metric LocPrf Weight Path

*> 10.0.0.0/24      192.168.14.254           0             0 65003 i

*> 10.0.1.0/24      192.168.14.254           0             0 65003 i



Total number of prefixes 2



europa-bgpd# show ip bgp community 65003:100

BGP table version is 0, local router ID is 192.168.14.3

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal

Origin codes: i - IGP, e - EGP, ? - incomplete



   Network          Next Hop            Metric LocPrf Weight Path

*> 10.0.0.0/24      192.168.14.254           0             0 65003 i

*> 10.0.1.0/24      192.168.14.254           0             0 65003 i



Total number of prefixes 2



europa-bgpd# show ip bgp neighbors 192.168.14.1 advertised-routes

BGP table version is 0, local router ID is 192.168.14.3

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal

Origin codes: i - IGP, e - EGP, ? - incomplete



   Network          Next Hop            Metric LocPrf Weight Path

*> 10.0.0.0/24      192.168.14.254           0             0 65003 i

*> 10.0.1.0/24      192.168.14.254           0             0 65003 i

*> 172.16.0.0/25    192.168.14.2             0             0 65001 65001 65001 i

*> 172.16.0.128/25  192.168.14.2             0             0 65001 65001 65001 i



Total number of prefixes 4



europa-bgpd# show ip bgp neighbors 192.168.14.254 received-routes

BGP table version is 0, local router ID is 192.168.14.3

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal

Origin codes: i - IGP, e - EGP, ? - incomplete



   Network          Next Hop            Metric LocPrf Weight Path

*> 10.0.0.0/24      192.168.14.254           0             0 65003 i

*> 10.0.1.0/24      192.168.14.254           0             0 65003 i

*> 192.168.2.0      192.168.14.254                         0 65003 65000 ?

*> 192.168.80.0     192.168.14.254                         0 65003 65000 ?

*> 192.168.99.1/32  192.168.14.254                         0 65003 65000 ?

*> 211.11.117.0     192.168.14.254                         0 65003 65000 ?



Total number of prefixes 6



europa-bgpd# show ip bgp

BGP table version is 0, local router ID is 192.168.14.3

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal

Origin codes: i - IGP, e - EGP, ? - incomplete



   Network          Next Hop            Metric LocPrf Weight Path

 h 10.0.0.0/24      192.168.14.1                           0 65000 65003 i

*>                  192.168.14.254           0             0 65003 i

 h 10.0.1.0/24      192.168.14.1                           0 65000 65003 i

*>                  192.168.14.254           0             0 65003 i

*> 172.16.0.0/25    192.168.14.2             0             0 65001 65001 65001 i

*> 172.16.0.128/25  192.168.14.2             0             0 65001 65001 65001 i

*> 192.168.1.0      192.168.14.1                           0 65000 ?

*> 192.168.2.0      192.168.14.1            20             0 65000 ?

*> 192.168.44.0     192.168.14.1            20             0 65000 ?

*> 192.168.45.0     192.168.14.1                           0 65000 ?

*> 192.168.80.0     192.168.14.1            20             0 65000 ?

*> 192.168.99.1/32  192.168.14.1            10             0 65000 ?

*> 192.168.99.2/32  192.168.14.1                           0 65000 ?



Total number of prefixes 11


Example 10-32. Effects on Laurel (AS 65001)

laurel(config)# ip bgp-community new-format



laurel# show ip bgp 10.0.0.0/24

BGP routing table entry for 10.0.0.0/24, version 82

Paths: (1 available, best #1, table Default-IP-Routing-Table)

  Not advertised to any peer

  65003, (received & used)

    192.168.14.254 from 192.168.14.3 (192.168.14.3)

      Origin IGP, metric 0, localpref 100, valid, external, best

      Community: 65003:100
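
To make the combined effect of these filters checkable without a router, the following Python script, an added illustration and not Zebra code, transcribes europa's lists and route maps from Example 10-31 into data and applies them to sample routes constructed from the tables above (the 211.11.117.0/24 and 10.0.0.0/24 announcements from callisto, the 172.16.0.0/25 announcement from laurel, and the 10.0.0.0/24 and 192.168.2.0/24 announcements from AS 65003). It assumes Zebra's inbound processing order (prefix list and filter list before the route map) and the implicit deny at the end of every list and route map; dampening, best-path selection and the route server's handling of a route's own originator are left out.

```python
"""Model of the filters on the route server europa (Examples 10-31 and 10-32).

Added illustration, not Zebra code: applies the prefix-list, access-list,
AS path list, community-list and route-maps transcribed from europa's
configuration to constructed sample routes. Dampening and best-path
selection are omitted; the inbound order (prefix-list and filter-list
first, route-map last) and the implicit deny that ends every list and
route map follow Zebra/IOS behaviour.
"""
import re
from dataclasses import dataclass, field, replace
from ipaddress import ip_network

_BOUNDARY = r"(?:^|$|[ ,{}()])"  # meaning of '_' in an AS path regex


@dataclass
class Route:
    prefix: str
    as_path: list                   # leftmost ASN first, as 'show ip bgp' prints it
    communities: set = field(default_factory=set)
    weight: int = 0                 # local to this router, never sent to a peer


def first_match(entries, route, test):
    """IOS-style list: the first matching entry decides; no match denies."""
    for action, arg in entries:
        if test(arg, route):
            return action == "permit"
    return False


def exact(arg, route):              # prefix-list entry without ge/le: exact prefix
    return arg == "any" or ip_network(route.prefix) == ip_network(arg)


def within(arg, route):             # access-list entry: route lies inside the entry
    return arg == "any" or ip_network(route.prefix).subnet_of(ip_network(arg))


def aspath(arg, route):             # AS path regex with '_' expanded
    return re.search(arg.replace("_", _BOUNDARY), " ".join(route.as_path)) is not None


# Lists transcribed from Example 10-31.
PREFIX_LISTS = {"callisto-out": [("deny", "211.11.117.0/24"), ("permit", "any")]}
ACCESS_LISTS = {"prepend": [("permit", "172.16.0.0/16"), ("deny", "any")]}
ASPATH_LISTS = {"aspath": [("deny", "_65000_"), ("permit", "_65003$")]}
COMMUNITY_LISTS = {"1": [("permit", "65003:100")]}
MATCH = {"ip address": (ACCESS_LISTS, within), "as-path": (ASPATH_LISTS, aspath),
         "community": (COMMUNITY_LISTS, lambda arg, r: arg in r.communities)}

# route-map NAME -> clauses of (action, [(match kind, list name)], [(set, value)])
ROUTE_MAPS = {
    "prepend": [("permit", [("ip address", "prepend")],
                 [("as-path prepend", ["65001", "65001"])])],
    "comm": [("permit", [("as-path", "aspath")], [("community", "65003:100")])],
    "restrict": [("permit", [("community", "1")], [("weight", 400)])],
}

# Per-neighbor policy, from the 'neighbor ...' lines of Example 10-31.
NEIGHBORS = {
    "192.168.14.1": {"prefix-list in": "callisto-out"},
    "192.168.14.2": {"route-map in": "prepend", "route-map out": "restrict"},
    "192.168.14.254": {"filter-list in": "aspath", "route-map in": "comm"},
}


def run_route_map(name, route):
    """Return a modified copy of the route, or None if the map denies it."""
    route = replace(route, as_path=list(route.as_path), communities=set(route.communities))
    for action, matches, sets in ROUTE_MAPS[name]:
        if not all(first_match(MATCH[k][0][arg], route, MATCH[k][1]) for k, arg in matches):
            continue
        if action != "permit":
            return None
        for what, value in sets:
            if what == "as-path prepend":
                route.as_path = list(value) + route.as_path
            elif what == "community":   # without 'additive', the new tag replaces
                route.communities = {value}
            elif what == "weight":
                route.weight = value
        return route
    return None                         # no clause matched: implicit deny


def inbound(neighbor, route):
    """Europa's inbound policy for one neighbor: the accepted route or None."""
    pol = NEIGHBORS[neighbor]
    if "prefix-list in" in pol and not first_match(PREFIX_LISTS[pol["prefix-list in"]], route, exact):
        return None
    if "filter-list in" in pol and not first_match(ASPATH_LISTS[pol["filter-list in"]], route, aspath):
        return None
    return run_route_map(pol["route-map in"], route) if "route-map in" in pol else route


def outbound(neighbor, route):
    """Europa's outbound policy toward one neighbor."""
    pol = NEIGHBORS[neighbor]
    return run_route_map(pol["route-map out"], route) if "route-map out" in pol else route


if __name__ == "__main__":
    print(inbound("192.168.14.2", Route("172.16.0.0/25", ["65001"])))
```

Running inbound() over the sample routes reproduces the tables above: 211.11.117.0/24 from callisto is dropped by the prefix list, the 172.16.0.0/25 route from laurel leaves with the path 65001 65001 65001, the 65003 route for 10.0.0.0/24 carries 65003:100, and the 65003 65000 paths never get past the filter list. Note also that set weight 400 in route-map restrict changes nothing the peer can see, since weight is a local attribute; the map's real effect toward laurel is the implicit deny of every route without community 65003:100.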


BGP Communities and Extended Communities

You can set the community attribute (RFC 1997) via route maps. Communities are a flexible and popular vehicle to tag destinations, implement routing policy, and drive decisions such as preference, acceptance, and redistribution of destination prefixes. The BGP community attribute is most commonly used to control transit scenarios and multihomed subscribers.

Extended communities play an important role in BGP-based MPLS VPN architectures. In a way, communities categorize routes on a large scale, similar to traditional class of service (CoS) marking and the MPLS forwarding equivalence class (FEC). All three approaches share the concept of treating similar traffic alike: with regard to classes of service or, in the case of communities, by subjecting routes to the same policy.

A few well-known communities are predefined and associated with standard behavior. Zebra accepts keyword names in place of the numeric values, as demonstrated in Example 10-33: no-export, no-advertise, and local-AS correspond to NO_EXPORT, NO_ADVERTISE, and NO_EXPORT_SUBCONFED, respectively, and internet matches every route. For extended communities, the keywords rt (route target) and soo (site of origin) select the type. The well-known communities of global significance are as follows (quoted from RFC 1997):

NO_EXPORT (0xFFFFFF01)

All routes received carrying a communities attribute containing this value must not be advertised outside a BGP confederation boundary (a stand-alone autonomous system that is not part of a confederation should be considered a confederation itself).

NO_ADVERTISE (0xFFFFFF02)

All routes received carrying a communities attribute containing this value must not be advertised to other BGP peers.

NO_EXPORT_SUBCONFED (0xFFFFFF03)

All routes received carrying a communities attribute containing this value must not be advertised to external BGP peers (this includes peers in other members autonomous systems inside a BGP confederation).

On Cisco IOS, sending of communities (standard and extended) to a neighbor has to be enabled explicitly with neighbor ... send-community; Zebra sends them by default, which is why laurel sees the 65003:100 tag in Example 10-32 although europa's configuration contains no send-community statement. A community is 4 octets long. A set community clause in a route map replaces the existing community attribute by default; with the additive keyword the new values are appended instead. By convention (RFC 1997), the first 2 octets carry the number of the AS that defines the meaning of the value and the remaining 2 octets carry an AS-specific value, so values chosen by different administrations cannot collide. All state-of-the-art implementations accept and display community values in the 65000:450 notation, with the colon separating the ASN from the low-order 2 octets (on IOS this display format is selected with ip bgp-community new-format, as laurel does in Example 10-32). By default, a prefix carries no community attribute at all and is considered part of the general Internet community, which the internet keyword in a community list matches.

Example 10-33. Two Special Zebra Community List Examples

callisto-bgpd(config)# ip community-list 1 deny ?

  AA:NN  Community number in aa:nn format or internet | local-AS | no-advertise | no-export

  <cr>



callisto-bgpd# show running-config

...

!

ip community-list 1 deny no-export

ip community-list 1 permit 65003:333

ip community-list 1 deny 65003:444

ip extcommunity-list 1 deny rt 65001:1234333

ip extcommunity-list 1 deny soo 1.1.1.1:222222222

...


Extended communities are 8 octets long: a type octet and a subtype octet (for example, type 0x00 for two-octet-AS-specific, with subtype 0x02 for route target and 0x03 for site of origin), followed by a 6-octet value. In the two-octet-AS-specific form the value consists of a 2-octet ASN and a 4-octet local administrator field; in the IPv4-address-specific form (type 0x01) it is a 4-octet IPv4 address followed by a 2-octet local administrator field. Extended communities were introduced with the advent of MPLS VPN technology. Zebra provides community lists and extcommunity lists to match and manipulate BGP (extended) communities in prefix updates. The specification was draft-ietf-idr-bgp-ext-communities-05.txt when this chapter was written; it has since been published as RFC 4360.
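
The encodings described in this section and in the preceding paragraphs on standard communities, as an added Python illustration that is neither Zebra code nor part of the chapter: it packs and unpacks the 4-octet standard community including the well-known values and the keyword names Zebra accepts for them, models the replace-versus-additive behavior of set community, and builds the 8-octet two-octet-AS-specific and IPv4-address-specific extended communities of the rt and soo types as laid out in RFC 4360. The values 65003:100 and 65001:1234333 are taken from the examples above; 10.0.0.1:222 is constructed. The encoder refuses a local administrator above 65535 for the IPv4-address-specific form because that field is only 2 octets wide on the wire.

```python
"""Encoding of BGP communities and extended communities.

Added illustration, not from the chapter: encodes and decodes the 4-octet
standard community (RFC 1997) including the well-known values and the
keyword names Zebra/IOS use for them, models the replace-versus-additive
behaviour of 'set community', and builds the 8-octet extended community
(RFC 4360) for the rt and soo types. Wire byte order is big-endian.
"""
import struct
from ipaddress import IPv4Address

WELL_KNOWN = {                 # RFC 1997 values and their Zebra/IOS keywords
    "internet": 0x00000000,
    "no-export": 0xFFFFFF01,
    "no-advertise": 0xFFFFFF02,
    "local-AS": 0xFFFFFF03,    # NO_EXPORT_SUBCONFED
}
_NAMES = {v: k for k, v in WELL_KNOWN.items()}


def encode_community(text):
    """'AS:NN' or a well-known keyword -> 32-bit integer."""
    if text in WELL_KNOWN:
        return WELL_KNOWN[text]
    asn, value = (int(x) for x in text.split(":"))
    if not (0 <= asn <= 0xFFFF and 0 <= value <= 0xFFFF):
        raise ValueError("community fields must fit in 16 bits: %r" % text)
    return (asn << 16) | value


def decode_community(raw):
    """32-bit integer -> keyword if well known, else 'AS:NN' (new-format)."""
    return _NAMES.get(raw, "%d:%d" % (raw >> 16, raw & 0xFFFF))


def communities_attribute(texts):
    """Wire form of the COMMUNITIES attribute value: 4 octets per entry."""
    return b"".join(struct.pack("!I", encode_community(t)) for t in texts)


def set_community(current, new, additive=False):
    """'set community NEW [additive]': replace by default, append if additive."""
    new = set(new)
    return set(current) | new if additive else new


EXT_TYPE = {"as2": 0x00, "ip": 0x01}         # two-octet-AS / IPv4-address specific
EXT_SUBTYPE = {"rt": 0x02, "soo": 0x03}      # route target / site of origin


def encode_extcommunity(kind, text):
    """'rt'/'soo' plus 'ASN:NNNN' or 'A.B.C.D:NN' -> 8 octets (RFC 4360)."""
    admin, local = text.rsplit(":", 1)
    local = int(local)
    if "." in admin:                          # IPv4-address-specific
        if local > 0xFFFF:
            raise ValueError("IPv4-specific local administrator is 2 octets")
        return struct.pack("!BB4sH", EXT_TYPE["ip"], EXT_SUBTYPE[kind],
                           IPv4Address(admin).packed, local)
    asn = int(admin)                          # two-octet-AS-specific
    if asn > 0xFFFF or local > 0xFFFFFFFF:
        raise ValueError("AS-specific fields out of range: %r" % text)
    return struct.pack("!BBHI", EXT_TYPE["as2"], EXT_SUBTYPE[kind], asn, local)


def decode_extcommunity(raw):
    """8 octets -> ('rt'|'soo', 'ASN:NNNN' or 'A.B.C.D:NN')."""
    etype, subtype = raw[0], raw[1]
    kind = {v: k for k, v in EXT_SUBTYPE.items()}[subtype]
    if etype == EXT_TYPE["ip"]:
        ip, local = struct.unpack("!4sH", raw[2:])
        return kind, "%s:%d" % (IPv4Address(ip), local)
    asn, local = struct.unpack("!HI", raw[2:])
    return kind, "%d:%d" % (asn, local)


if __name__ == "__main__":
    print(hex(encode_community("65003:100")), decode_community(0xFFFFFF01))
    print(encode_extcommunity("rt", "65001:1234333").hex())
```

The two-octet-AS-specific route target 65001:1234333 from Example 10-33 encodes as 00 02 fd e9 00 12 d5 9d: type 0x00, subtype 0x02, the ASN, and the 4-octet local administrator. For the IPv4-address-specific form the layout is reversed in width (4 octets of address, 2 of local administrator), which is why a value like 222222222 after an address cannot be represented on the wire.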