The iBGP peers expects other iBGP peers to known the next-hop address, or have reachability to the next-hop. These bgp iBGP peers do NOT modify the BGP next-hop information. So let's do some changes to my original design, and hopefully you will learn 2 unique behavior with BGP.
Here's the new topology;
R1 = AS1
R2 = AS2
R3 = AS2
Okay R1 config stays the same for this demo & training session ;
R1:
But on R2, we made some changes, 1> we remove the neighbor 2.2.2.2 remote-as 3 and 2> converted her to AS#2;
And R3 is also now in AS#2
Okay good so far ?
Well let's see, 1st let's look at the R2 bgp table to ensure we still see 10.10.10.0/24 from R1 ( AS#1 ).
Well let's see, 1st let's look at the R2 bgp table to ensure we still see 10.10.10.0/24 from R1 ( AS#1 ).
Okay nothing changed. It looks good. Well let's see what R3 who's now in AS#2 and what does he see.
Okay you should see 2 things & I highlighted one of them.
1st the bigger issue; <1.1.1.1> is inaccessible due to the next_hop path_attribute was not changed by 2.2.2.1 ( R2 with in AS#2 )
2nd, we find the mertric value offered via R1 ( 1.1.1.1 ) is now included for 10.10.10.0/24 on R3. Yes the metric stayed within the AS#2. So any iBGP peers would learn the same metric as the direct attached R2 router.
Okay so how do we get past this inaccessible issue?
Easy I will show you the rookie method, if they would even noticed it. They typically would install a static route point to R2 on R3 route table.
Easy I will show you the rookie method, if they would even noticed it. They typically would install a static route point to R2 on R3 route table.
Okay that fixed the problem or at least removed the inaccessible warning. But that's not the right recommended way or means or is it? We could also redistribute the 1.1.1.0/32 network from r2 perspective into AS2. And most service-provider does that in some cases.
But, you have one more option; the execution of next-hop-self on the iBGP peer that learns the eBGP paths.
Okay we are going to do the following & demonstrate this behavior;
1: first we remove the static route that a rookie would install on R3
2: and on R2 we will set the iBGP neighbor with the next-hop-self
3: we will clear the iBGP relationship and re-monitor the bgp table on R3
on R2
and on R3
Notice the next-hop information is now populated with 2.2.2.1 address ( R2 ) vrs the original 1.1.1.1 address ( R1 ). Cool, we have reachability via iBGP to this route advertised via R1. And R3 has no knowledge in this case of the R1 bgp speaker. It's only BGP relationship is known and established with R2 via it's iBGP session.
Key take aways;
- metrics stay within the AS that learns it, but is not delivered outside of that AS
- be cautious of how BGP next-hop reachability works & with your iBGP peers
- iBGP peer that learns a eBGP path do NOT by default , re-adjust the path_attribute NEXT_HOP
Ken Felix
Freelance Network / Security Engineer
kfelix ----a----t----socpuppets ---d---o---t---com
^ ^
=( * * )=
@
/ \
No comments:
Post a Comment