Monday, November 3, 2014

Enforcing minimum bgp holdtime IOS/IOS-XR

The BGP neighbor-ship timers between 2 bgp-speakers does not need to match. What this means;
 " the bgp keepalives and holddown timers between 2 speakers could be totally different "

So the service-provider arena, you can protect your router from aggressive bgp  keepalive & hold down timers. I will demonstrate both IOS and IOS-XR configurations.

Bgp timers are defined per peer-group or by each neighbor. The timers are defined by setting the keepalive interval, hold-down and optional hold-down-minimum interval

e.g  by a specific bgp neighbor

router bgp 65001
    neighbor timer 15 45 45

or by a  peer-group

router bgp 65001
 bgp log-neighbor-changes
 neighbor socpuppets peer-group
 neighbor socpuppets remote-as 65009
 neighbor socpuppets timers 30 90 90
 #neighbor peer-group socpuppets



Bgp timers are defined per neighbor-group, session-group or by each neighbor. The timers are defined via the keepalibe interval, hold-down and optional hold-down-minimum.

e.g using a session-group

router bgp 65002
session-group peer-iBGP2
  remote-as 65001

  timers 30 180 180

or  by a  specific neighbor or neighbor-group

router bgp 65001
  timers 15 64 64

router bgp 65001
 neighbor-group cust1-peers
  timers 45 90 90

When you have peer that  doesn't meet the set  minum BGP hold-down  interval, you will see an error message similar to these below

( debug bgp IOS & log  )

( show log IOS-XR )

So if you encounter a BGP peer that just flat out refuses to establish during the initial open, check for any minimum BGP hold-down restrictions.

IMHO:  All SPs should set a minimum bgp hold down timer for  bgp sessions external to peers that they don't manage. Most do not but it's a good preventive practice.

Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
   ^      ^
=(  $  $ )=
      /  \

No comments:

Post a Comment