BGP Cheat Sheet (for Thursday afternoon OSPF+iBGP+eBGP exercise)

Placeholders in angle brackets (<key>, <password>) stand for secrets you fill in
yourself; they are not part of the IOS syntax.

iBGP example
------------

!
no logging console                  ! switch off annoying console messages
logging buffer 4096 debug           ! log messages go to memory buffer
!
interface loopback 0
 description All routers need a Loopback interface
 ip address 196.200.220.1 255.255.255.255
!
interface serial 0/0
 description Link to Router 2
 ip address 196.200.220.193 255.255.255.252
 ip ospf message-digest-key 1 md5 <key>     ! <key> = shared OSPF MD5 key
!
interface serial 0/1
 description Link to Router 3
 ip address 196.200.220.197 255.255.255.252
 ip ospf message-digest-key 1 md5 <key>
!
interface ethernet 0/0
 description PC LAN for Router 1
 ip address 196.200.220.17 255.255.255.240
!
router ospf 42
 log-adjacency-changes                      ! log changes in adjacencies
 passive-interface default                  ! don't talk OSPF anywhere
 no passive-interface serial 0/0            ! enable OSPF to Router 2
 no passive-interface serial 0/1            ! enable OSPF to Router 3
 network 196.200.220.192 0.0.0.3 area 0     ! put Router 2 p2p in OSPF
 network 196.200.220.196 0.0.0.3 area 0     ! put Router 3 p2p in OSPF
 network 196.200.220.1 0.0.0.0 area 0       ! put Loopback addr in OSPF
 area 0 authentication message-digest
!
ip bgp-community new-format                 ! use RFC1998 community format
!
router bgp 42                               ! 42 is our AS number
 bgp log-neighbor-changes                   ! log neighbor changes
 no synchronization                         ! switch off IGP synchronization
 no auto-summary                            ! switch off auto-summarisation
 bgp dampening                              ! enable BGP flap damping
 network 196.200.220.0 mask 255.255.255.0         ! our address block in BGP
 network 196.200.220.16 mask 255.255.255.240      ! PC LAN address block in BGP
 ! first iBGP peer
 neighbor 196.200.220.2 remote-as 42              ! same as own AS => this is iBGP
 neighbor 196.200.220.2 version 4                 ! hardwire to version 4 - safe
 neighbor 196.200.220.2 password <password>       ! password on iBGP session
 neighbor 196.200.220.2 description iBGP with X   ! for documentation
 neighbor 196.200.220.2 update-source loopback 0  ! iBGP runs between loopbacks
 neighbor 196.200.220.2 send-community            ! send communities for iBGP
 ! second iBGP peer
 neighbor 196.200.220.3 remote-as 42
 neighbor 196.200.220.3 version 4
 neighbor 196.200.220.3 password <password>
 neighbor 196.200.220.3 description iBGP with Y
 neighbor 196.200.220.3 update-source loopback 0
 neighbor 196.200.220.3 send-community
 ! ...and the other iBGP peers go here
!
ip route 196.200.220.0 255.255.255.0 null0 250      ! for BGP network statement
ip route 196.200.220.16 255.255.255.240 null0 250   ! static route to null0 just in case eth0/0 goes down
!

eBGP with peer
--------------

This example uses prefix-lists to filter what you send to your peer, and what
your peer sends to you. This is very safe, as you have to explicitly configure
each network into the prefix-list.

router bgp 42
 bgp log-neighbor-changes
 no synchronization
 no auto-summary
 bgp dampening
 network 196.200.220.0 mask 255.255.255.0
 network 196.200.220.16 mask 255.255.255.240
 ! first iBGP peer
 neighbor 196.200.220.2 remote-as 42
 neighbor 196.200.220.2 version 4
 neighbor 196.200.220.2 password <password>
 neighbor 196.200.220.2 description iBGP with X
 neighbor 196.200.220.2 update-source loopback 0
 neighbor 196.200.220.2 send-community
 ! second iBGP peer
 neighbor 196.200.220.3 remote-as 42
 neighbor 196.200.220.3 version 4
 neighbor 196.200.220.3 password <password>
 neighbor 196.200.220.3 description iBGP with Y
 neighbor 196.200.220.3 update-source loopback 0
 neighbor 196.200.220.3 send-community
 ! ...and the other iBGP peers go here
 ! eBGP neighbour
 neighbor 196.200.220.254 remote-as 200                   ! Peer ISP's AS Number
 neighbor 196.200.220.254 version 4                       ! Hardwire for safety
 neighbor 196.200.220.254 password <password>             ! password on eBGP
 neighbor 196.200.220.254 description eBGP with Peer      ! Description line
 neighbor 196.200.220.254 prefix-list to-AS200 out        ! Filter outbound prefixes
 neighbor 196.200.220.254 prefix-list from-AS200 in       ! Filter inbound prefixes
!
ip route 196.200.220.0 255.255.255.0 null0 250
ip route 196.200.220.16 255.255.255.240 null0 250
!
! allow my networks out only - stops me from providing unintentional transit
! NOTE - only send aggregates, not subprefixes
!
ip prefix-list to-AS200 permit 196.200.220.0/24
ip prefix-list to-AS200 deny 0.0.0.0/0 le 32
!
! allow their networks in only - stops them from sending prefixes I don't want
!
ip prefix-list from-AS200 permit 196.200.208.0/20
ip prefix-list from-AS200 deny 0.0.0.0/0 le 32
!

eBGP with peer
--------------

This example uses AS PATH filters to filter what you send to your peer, and
what you receive from your peer. This method is less safe than using prefix
lists, as it assumes that you trust your peer not to originate prefixes they
are not entitled to originate. Note that it also leaks your PC LAN subprefixes
to your neighbouring AS - this is bad practice.

router bgp 42
 bgp log-neighbor-changes
 no synchronization
 no auto-summary
 bgp dampening
 network 196.200.220.0 mask 255.255.255.0
 network 196.200.220.16 mask 255.255.255.240
 ! first iBGP peer
 neighbor 196.200.220.2 remote-as 42
 neighbor 196.200.220.2 version 4
 neighbor 196.200.220.2 password <password>
 neighbor 196.200.220.2 description iBGP with X
 neighbor 196.200.220.2 update-source loopback 0
 neighbor 196.200.220.2 send-community
 ! second iBGP peer
 neighbor 196.200.220.3 remote-as 42
 neighbor 196.200.220.3 version 4
 neighbor 196.200.220.3 password <password>
 neighbor 196.200.220.3 description iBGP with Y
 neighbor 196.200.220.3 update-source loopback 0
 neighbor 196.200.220.3 send-community
 ! ...and the other iBGP peers go here
 ! eBGP neighbour
 neighbor 196.200.220.254 remote-as 200                   ! Peer ISP's AS Number
 neighbor 196.200.220.254 version 4                       ! Hardwire for safety
 neighbor 196.200.220.254 password <password>             ! password on eBGP
 neighbor 196.200.220.254 description eBGP with Peer      ! Description line
 neighbor 196.200.220.254 filter-list 1 out               ! Filter outbound ASes
 neighbor 196.200.220.254 filter-list 2 in                ! Filter inbound ASes
!
ip route 196.200.220.0 255.255.255.0 null0 250
ip route 196.200.220.16 255.255.255.240 null0 250
!
! allow my AS out only - stops me from providing unintentional transit
!
ip as-path access-list 1 permit ^$
ip as-path access-list 1 deny .*
!
! allow their AS in only - stops them from sending ASes I don't want
!
ip as-path access-list 2 permit ^200$
ip as-path access-list 2 deny .*
!

eBGP with upstream
------------------

This example assumes the upstream is sending the full routing table.

router bgp 42
 bgp log-neighbor-changes
 no synchronization
 no auto-summary
 bgp dampening
 network 196.200.220.0 mask 255.255.255.0
 network 196.200.220.16 mask 255.255.255.240
 ! first iBGP peer
 neighbor 196.200.220.2 remote-as 42
 neighbor 196.200.220.2 version 4
 neighbor 196.200.220.2 password <password>
 neighbor 196.200.220.2 description iBGP with X
 neighbor 196.200.220.2 update-source loopback 0
 neighbor 196.200.220.2 send-community
 ! second iBGP peer
 neighbor 196.200.220.3 remote-as 42
 neighbor 196.200.220.3 version 4
 neighbor 196.200.220.3 password <password>
 neighbor 196.200.220.3 description iBGP with Y
 neighbor 196.200.220.3 update-source loopback 0
 neighbor 196.200.220.3 send-community
 ! ...and the other iBGP peers go here
 ! eBGP neighbour
 neighbor 196.200.220.254 remote-as 200                   ! Peer ISP's AS Number
 neighbor 196.200.220.254 version 4                       ! Hardwire for safety
 neighbor 196.200.220.254 password <password>             ! password on eBGP
 neighbor 196.200.220.254 description eBGP with Peer      ! Description line
 neighbor 196.200.220.254 prefix-list to-AS200 out        ! Filter outbound prefixes
 neighbor 196.200.220.254 prefix-list from-AS200 in       ! Filter inbound prefixes
!
ip route 196.200.220.0 255.255.255.0 null0 250
ip route 196.200.220.16 255.255.255.240 null0 250
!
! allow my networks out only
!
ip prefix-list to-AS200 permit 196.200.220.0/24
ip prefix-list to-AS200 deny 0.0.0.0/0 le 32
!
! take all the prefixes they send apart from special use addresses and
! my own address space
!
ip prefix-list from-AS200 deny 0.0.0.0/8 le 32           ! block all special use addresses
ip prefix-list from-AS200 deny 10.0.0.0/8 le 32
ip prefix-list from-AS200 deny 127.0.0.0/8 le 32
ip prefix-list from-AS200 deny 169.254.0.0/16 le 32
ip prefix-list from-AS200 deny 172.16.0.0/12 le 32
ip prefix-list from-AS200 deny 192.0.2.0/24 le 32
ip prefix-list from-AS200 deny 192.168.0.0/16 le 32
ip prefix-list from-AS200 deny 224.0.0.0/3 le 32
ip prefix-list from-AS200 deny 0.0.0.0/0 ge 25           ! deny all prefixes longer than /24
ip prefix-list from-AS200 deny 196.200.220.0/24 le 32    ! block my own address space from upstream
ip prefix-list from-AS200 permit 0.0.0.0/0 le 32         ! let in everything else
!

eBGP with upstream
------------------

This example assumes the upstream is sending just the default route.

router bgp 42
 bgp log-neighbor-changes
 no synchronization
 no auto-summary
 bgp dampening
 network 196.200.220.0 mask 255.255.255.0
 network 196.200.220.16 mask 255.255.255.240
 ! first iBGP peer
 neighbor 196.200.220.2 remote-as 42
 neighbor 196.200.220.2 version 4
 neighbor 196.200.220.2 password <password>
 neighbor 196.200.220.2 description iBGP with X
 neighbor 196.200.220.2 update-source loopback 0
 neighbor 196.200.220.2 send-community
 ! second iBGP peer
 neighbor 196.200.220.3 remote-as 42
 neighbor 196.200.220.3 version 4
 neighbor 196.200.220.3 password <password>
 neighbor 196.200.220.3 description iBGP with Y
 neighbor 196.200.220.3 update-source loopback 0
 neighbor 196.200.220.3 send-community
 ! ...and the other iBGP peers go here
 ! eBGP neighbour
 neighbor 196.200.220.254 remote-as 200                   ! Peer ISP's AS Number
 neighbor 196.200.220.254 version 4                       ! Hardwire for safety
 neighbor 196.200.220.254 password <password>             ! password on eBGP
 neighbor 196.200.220.254 description eBGP with Peer      ! Description line
 neighbor 196.200.220.254 prefix-list to-AS200 out        ! Filter outbound prefixes
 neighbor 196.200.220.254 prefix-list from-AS200 in       ! Filter inbound prefixes
!
ip route 196.200.220.0 255.255.255.0 null0 250
ip route 196.200.220.16 255.255.255.240 null0 250
!
! allow my networks out only
!
ip prefix-list to-AS200 permit 196.200.220.0/24
ip prefix-list to-AS200 deny 0.0.0.0/0 le 32
!
! take just the default route from my upstream
!
ip prefix-list from-AS200 permit 0.0.0.0/0
ip prefix-list from-AS200 deny 0.0.0.0/0 le 32
!
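The prefix-lists above rely on IOS first-match evaluation and on the exact meaning of the ge/le length qualifiers, which is easy to get wrong (a missing "le 32" silently turns a deny of a whole block into a deny of one exact prefix). The following Python model is an added example, not part of the cheat sheet: it parses the to-AS200 and from-AS200 lists from the "full routing table" section (embedded as constructed input) and checks what each would do to a given prefix, so a list can be sanity-checked offline before it is applied to a live session.

```python
import ipaddress
import re
# Offline model of IOS prefix-list matching (added example, not from the cheat
# sheet): first match wins, unmatched prefixes are denied, and ge/le bound the
# length as IOS does (none = exact length, ge alone = ge..32, le alone = own..le).
RULE_RE = re.compile(
    r"^ip prefix-list (\S+) (permit|deny) (\S+)(?: ge (\d+))?(?: le (\d+))?$")
# Constructed input: the two lists from the "full routing table" example above.
CONFIG = """
ip prefix-list to-AS200 permit 196.200.220.0/24
ip prefix-list to-AS200 deny 0.0.0.0/0 le 32
ip prefix-list from-AS200 deny 0.0.0.0/8 le 32
ip prefix-list from-AS200 deny 10.0.0.0/8 le 32
ip prefix-list from-AS200 deny 127.0.0.0/8 le 32
ip prefix-list from-AS200 deny 169.254.0.0/16 le 32
ip prefix-list from-AS200 deny 172.16.0.0/12 le 32
ip prefix-list from-AS200 deny 192.0.2.0/24 le 32
ip prefix-list from-AS200 deny 192.168.0.0/16 le 32
ip prefix-list from-AS200 deny 224.0.0.0/3 le 32
ip prefix-list from-AS200 deny 0.0.0.0/0 ge 25
ip prefix-list from-AS200 deny 196.200.220.0/24 le 32
ip prefix-list from-AS200 permit 0.0.0.0/0 le 32
"""

def parse_prefix_lists(config):
    """Return {name: [(action, network, min_len, max_len), ...]} in config order."""
    lists = {}
    for line in config.splitlines():
        m = RULE_RE.match(line.split("!")[0].strip())  # drop IOS '!' comments
        if not m:
            continue
        name, action, prefix, ge, le = m.groups()
        net = ipaddress.ip_network(prefix, strict=False)
        lo = int(ge) if ge else net.prefixlen
        hi = int(le) if le else (net.max_prefixlen if ge else net.prefixlen)
        lists.setdefault(name, []).append((action, net, lo, hi))
    return lists

def evaluate(rules, prefix):
    """Apply one list to one announced prefix, with IOS's implicit deny."""
    net = ipaddress.ip_network(prefix, strict=False)
    for action, rule_net, lo, hi in rules:
        if lo <= net.prefixlen <= hi and net.subnet_of(rule_net):
            return action
    return "deny"

if __name__ == "__main__":
    lists = parse_prefix_lists(CONFIG)
    print(evaluate(lists["to-AS200"], "196.200.220.16/28"),   # deny: subprefix stays home
          evaluate(lists["from-AS200"], "203.0.113.0/25"))    # deny: longer than /24
```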