06_bgp_bcp

8/10/2019 06_BGP_BCP

1/67

BGP Best CurrentPractices

ISP Workshops

1Last updated 28 October 2013

8/10/2019 06_BGP_BCP

2/67

Configuring BGP

Where do we start?

2

8/10/2019 06_BGP_BCP

3/67

IOS Good Practices

! ISPs should start off with the following BGPcommands as a basic template:

router bgp 64511

bgp deterministic-med

distance bgp 200 200 200no synchronization

no auto-summary

!

If supporting more than just IPv4 unicastneighbours

no bgp default ipv4-unicast" Turns off IOS assumption that all neighbours will

exchange IPv4 prefixes

3

Make ebgp and ibgpdistance the same

Replace with public ASN

8/10/2019 06_BGP_BCP

4/67

Cisco IOS Good Practices! BGP in Cisco IOS is permissive by default

! Configuring BGP peering without using filters means:

" All best paths on the local router are passed to the neighbour

" All routes announced by the neighbour are received by thelocal router

" Can have disastrous consequences

! Good practice is to ensure that each eBGP neighbour hasinbound and outbound filter applied:

router bgp 64511

neighbor 1.2.3.4 remote-as 64510

neighbor 1.2.3.4 prefix-list as64510-in in

neighbor 1.2.3.4 prefix-list as64510-out out

4

8/10/2019 06_BGP_BCP

5/67

What is BGP for??

What is an IGP not for?

5

8/10/2019 06_BGP_BCP

6/67

BGP versus OSPF/ISIS

! Internal Routing Protocols (IGPs)

"

examples are ISIS and OSPF

" used for carrying infrastructureaddresses

" NOTused for carrying Internet prefixes or

customer prefixes

" design goal is to minimisenumber of prefixesin IGP to aid scalability and rapid convergence

6

8/10/2019 06_BGP_BCP

7/67


! BGP used internally (iBGP) and externally(eBGP)

! iBGP used to carry

"

some/all Internet prefixes across backbone"

customer prefixes

! eBGP used to

" exchange prefixes with other ASes

" implement routing policy

7

8/10/2019 06_BGP_BCP

8/67


! DO NOT:

"

distribute BGP prefixes into an IGP

" distribute IGP routes into BGP

" use an IGP to carry customer prefixes

! YOUR NETWORK WILL NOT SCALE

8

8/10/2019 06_BGP_BCP

9/67

Aggregation

9

8/10/2019 06_BGP_BCP

10/67

Aggregation

! Aggregation means announcing the address blockreceived from the RIR to the other ASesconnected to your network

!

Subprefixes of this aggregate may be:

" Used internally in the ISP network" Announced to other ASes to aid with multihoming

! Unfortunately too many people are still thinking

about class Cs, resulting in a proliferation of /24sin the Internet routing table

" Note: Same is happening for /48s with IPv6" October 2013: 5900 /48s in IPv6 table of 14700 prefixes

10

8/10/2019 06_BGP_BCP

11/67

Configuring Aggregation CiscoIOS

! ISP has 101.10.0.0/19 address block

! To put into BGP as an aggregate:

router bgp 64511

network 101.10.0.0 mask 255.255.224.0

ip route 101.10.0.0 255.255.224.0 null0! The static route is a pull uproute

" more specific prefixes within this address block ensureconnectivity to ISPs customers

" longest match lookup

11

8/10/2019 06_BGP_BCP

12/67

Aggregation

! Address block should be announced to theInternet as an aggregate

! Subprefixes of address block should NOT

be announced to Internet unless for trafficengineering

" See BGP Multihoming presentations

! Aggregate should be generated internally

"

Not on the network borders!

12

8/10/2019 06_BGP_BCP

13/67

Announcing Aggregate Cisco IOS

! Configuration Examplerouter bgp 64511

network 101.10.0.0 mask 255.255.224.0


neighbor 102.102.10.1 prefix-list out-filterout

!

ip route 101.10.0.0 255.255.224.0 null0

!

ip prefix-list out-filterpermit 101.10.0.0/19

ip prefix-list out-filterdeny 0.0.0.0/0 le 32

13

8/10/2019 06_BGP_BCP

14/67

Announcing an Aggregate

! ISPs who dont and wont aggregate are held inpoor regard by community

! Registries publish their minimum allocation size

" For IPv4:!

Now ranging from a /20 to a /24 depending on RIR! Different sizes for different address blocks

! (APNIC changed its minimum allocation to /24 in October 2010)

" For IPv6:! /48 for assignment, /32 for allocation

! Until recently there was no real reason to see

anything longer than a /22 IPv4 prefix in theInternet

" BUT there are currently (October 2013) >249000 /24s!

" IPv4 run-out is starting to have an impact14

8/10/2019 06_BGP_BCP

15/67

Aggregation Example

15

! Customer has /23 network assigned fromAS100s /19 address block

! AS100 announces customersindividualnetworks to the Internet

AS100

customer

100.10.10.0/23Internet

100.10.10.0/23100.10.0.0/24100.10.4.0/22

8/10/2019 06_BGP_BCP

16/67

Aggregation Bad Example

! Customer link goes down" Their /23 network

becomes unreachable

" /23 is withdrawn fromAS100s iBGP

! Their ISP doesn

taggregate its /19 network

block" /23 network withdrawal

announced to peers

" starts rippling throughthe Internet

" added load on allInternet backbonerouters as network isremoved from routingtable

! Customer link returns" Their /23 network is now

visible to their ISP

" Their /23 network is re-advertised to peers

" Starts rippling throughInternet

" Load on Internetbackbone routers asnetwork is reinserted intorouting table

" Some ISPs suppress the

flaps" Internet may take 10-20

min or longer to bevisible

" Where is the Quality ofService???

16

8/10/2019 06_BGP_BCP

17/67

Aggregation Example

17

! Customer has /23 network assigned from

AS100s /19 address block! AS100 announced /19 aggregate to the

Internet

AS100

customer

100.10.10.0/23

100.10.0.0/19aggregate

Internet

100.10.0.0/19

8/10/2019 06_BGP_BCP

18/67

Aggregation Good Example

!

Customer link goesdown" their /23 network

becomes unreachable

" /23 is withdrawn fromAS100s iBGP

!/19 aggregate is stillbeing announced" no BGP hold down

problems

" no BGP propagationdelays

" no damping by otherISPs

! Customer link returns

! Their /23 network is

visible again

" The /23 is re-injected

into AS100s iBGP

! The whole Internetbecomes visibleimmediately

!

Customer has Qualityof Service perception

18

8/10/2019 06_BGP_BCP

19/67

Aggregation Summary

! Good example is what everyone shoulddo!

" Adds to Internet stability

" Reduces size of routing table

" Reduces routing churn

" Improves Internet QoS for everyone

! Bad example is what too many still do!

" Why? Lack of knowledge?

"

Laziness?

19

8/10/2019 06_BGP_BCP

20/67

Separation of iBGP and eBGP! Many ISPs do not understand the importance of

separating iBGP and eBGP" iBGP is where all customer prefixes are carried

" eBGP is used for announcing aggregate to Internet andfor Traffic Engineering

! Do NOTdo traffic engineering with customeroriginated iBGP prefixes" Leads to instability similar to that mentioned in the

earlier bad example

" Even though aggregate is announced, a flappingsubprefix will lead to instability for the customer

concerned! Generate traffic engineering prefixes on the

Border Router20

8/10/2019 06_BGP_BCP

21/67

The Internet Today (October 2013)

! Current Internet Routing Table Statistics" BGP Routing Table Entries 469725

" Prefixes after maximum aggregation 188940

" Unique prefixes in Internet 232915

"

Prefixes smaller than registry alloc 164052"/24s announced 249009

" ASes in use 45306

21

8/10/2019 06_BGP_BCP

22/67

Efforts to improve aggregation

! The CIDR Report" Initiated and operated for many years by Tony Bates

" Now combined with Geoff Hustons routing analysis

! www.cidr-report.org

! (covers both IPv4 and IPv6 BGP tables)

" Results e-mailed on a weekly basis to most operationslists around the world

" Lists the top 30 service providers who could do better ataggregating

! RIPE Routing WG aggregation recommendations

" IPv4: RIPE-399 www.ripe.net/ripe/docs/ripe-399.html

" IPv6: RIPE-532 www.ripe.net/ripe/docs/ripe-532.html

22

8/10/2019 06_BGP_BCP

23/67

Efforts to Improve AggregationThe CIDR Report

! Also computes the size of the routing tableassuming ISPs performed optimal aggregation

! Website allows searches and computations of

aggregation to be made on a per AS basis

" Flexible and powerful tool to aid ISPs" Intended to show how greater efficiency in terms of BGP

table size can be obtained without loss of routing andpolicy information

" Shows what forms of origin AS aggregation could beperformed and the potential benefit of such actions to

the total table size" Very effectively challenges the traffic engineering excuse

23

8/10/2019 06_BGP_BCP

24/67

24

8/10/2019 06_BGP_BCP

25/67

25

8/10/2019 06_BGP_BCP

26/67

26

8/10/2019 06_BGP_BCP

27/67

Importance of Aggregation

! Size of routing table" Router Memory is not so much of a problem as it was in

the 1990s

" Routers routinely carry over 1 million prefixes

!

Convergence of the Routing System" This is a problem

" Bigger table takes longer for CPU to process

" BGP updates take longer to deal with

" BGP Instability Report tracks routing system updateactivity

" bgpupdates.potaroo.net/instability/bgpupd.html

27

8/10/2019 06_BGP_BCP

28/67

28

8/10/2019 06_BGP_BCP

29/67

29

8/10/2019 06_BGP_BCP

30/67

Receiving Prefixes

30

8/10/2019 06_BGP_BCP

31/67

Receiving Prefixes

! There are three scenarios for receivingprefixes from other ASNs

" Customer talking BGP

" Peer talking BGP

" Upstream/Transit talking BGP

! Each has different filtering requirements

and need to be considered separately

31

8/10/2019 06_BGP_BCP

32/67

Receiving Prefixes:From Customers

! ISPs should only accept prefixes which have beenassigned or allocated to their downstreamcustomer

!

If ISP has assigned address space to its

customer, then the customer IS entitled toannounce it back to his ISP

! If the ISP has NOT assigned address space to its

customer, then:" Check in the five RIR databases to see if this address

space really has been assigned to the customer" The tool: whois h jwhois.apnic.net x.x.x.0/24

! (jwhois queries all RIR databases)

32

8/10/2019 06_BGP_BCP

33/67

Receiving Prefixes:From Customers! Example use of whois to check if customer is

entitled to announce address space:$ whois -h whois.apnic.net 202.12.29.0

inetnum: 202.12.28.0 - 202.12.29.255

netname: APNIC-AP

descr: Asia Pacific Network Information Centre

descr: Regional Internet Registry for the Asia-Pacificdescr: 6 Cordelia Street

descr: South Brisbane, QLD 4101

descr: Australia

country: AU

admin-c: AIC1-AP

tech-c: NO4-AP

mnt-by: APNIC-HM

mnt-irt: IRT-APNIC-AP

changed: [email protected]

status: ASSIGNED PORTABLE

changed: [email protected] 20110309

source: APNIC33

Portable means its anassignment to the customer, thecustomer can announce it to you

8/10/2019 06_BGP_BCP

34/67

Receiving Prefixes:From Customers! Example use of whois to check if customer is entitled

to announce address space:$ whois -h whois.ripe.net 193.128.0.0

inetnum: 193.128.0.0 - 193.133.255.255

netname: UK-PIPEX-193-128-133

descr: Verizon UK Limited

country: GB

org: ORG-UA24-RIPE

admin-c: WERT1-RIPE

tech-c: UPHM1-RIPE

status: ALLOCATED UNSPECIFIED

remarks: Please send abuse notification to [email protected]

mnt-by: RIPE-NCC-HM-MNT

mnt-lower: AS1849-MNT

mnt-routes: AS1849-MNT

mnt-routes: WCOM-EMEA-RICE-MNT

mnt-irt: IRT-MCI-GB

source: RIPE # Filtered34

ALLOCATED means that this isProvider Aggregatable addressspace and can only be announcedby the ISP holding the allocation(in this case Verizon UK)

8/10/2019 06_BGP_BCP

35/67

Receiving Prefixes from customer:Cisco IOS

! For Example:" downstream has 100.50.0.0/20 block

" should only announce this to upstreams

" upstreams should only accept this from them

! Configuration on upstream

router bgp 100


neighbor 102.102.10.1 prefix-list customer in

!ip prefix-list customer permit 100.50.0.0/20

35

8/10/2019 06_BGP_BCP

36/67

Receiving Prefixes:From Peers

! A peer is an ISP with whom you agree toexchange prefixes you originate into theInternet routing table

"

Prefixes you accept from a peer are only those

they have indicated they will announce

" Prefixes you announce to your peer are onlythose you have indicated you will announce

36

8/10/2019 06_BGP_BCP

37/67

Receiving Prefixes:From Peers

! Agreeing what each will announce to theother:

" Exchange of e-mail documentation as part ofthe peering agreement, and then ongoing

updatesOR

"

Use of the Internet Routing Registry andconfiguration tools such as the IRRToolSet

www.isc.org/sw/IRRToolSet/

37

8/10/2019 06_BGP_BCP

38/67

Receiving Prefixes from peer:Cisco IOS

! For Example:" Peer has 220.50.0.0/16, 61.237.64.0/18 and

81.250.128.0/17 address blocks

! Configuration on local router

router bgp 100


neighbor 102.102.10.1 prefix-list my-peer in

!

ip prefix-list my-peer permit 220.50.0.0/16



ip prefix-list my-peer deny 0.0.0.0/0 le 3238

8/10/2019 06_BGP_BCP

39/67

Receiving Prefixes:From Upstream/Transit Provider

! Upstream/Transit Provider is an ISP who you payto give you transit to the WHOLEInternet

! Receiving prefixes from them is not desirable

unless really necessary"

Traffic Engineering see BGP Multihoming presentations! Ask upstream/transit provider to either:

" originate a default-route

OR

" announce one prefix you can use as default

39

8/10/2019 06_BGP_BCP

40/67


! Downstream Router Configurationrouter bgp 100

network 101.10.0.0 mask 255.255.224.0


neighbor 101.5.7.1 prefix-list infilterin

neighbor 101.5.7.1 prefix-list outfilterout

!

ip prefix-list infilterpermit 0.0.0.0/0

!

ip prefix-list outfilterpermit 101.10.0.0/19

40

8/10/2019 06_BGP_BCP

41/67


! Upstream Router Configurationrouter bgp 101


neighbor 101.5.7.2 default-originate

neighbor 101.5.7.2 prefix-list cust-inin

neighbor 101.5.7.2 prefix-list cust-outout

!

ip prefix-list cust-inpermit 101.10.0.0/19

!

ip prefix-list cust-outpermit 0.0.0.0/0

41

8/10/2019 06_BGP_BCP

42/67

Receiving Prefixes:From Upstream/Transit Provider! If necessary to receive prefixes from any

provider, care is required." Dont accept default (unless you need it)

" Dont accept your own prefixes

! For IPv4:"

Dont accept private (RFC1918) and certain special useprefixes:

http://www.rfc-editor.org/rfc/rfc5735.txt

" Dont accept prefixes longer than /24 (?)

! For IPv6:" Dont accept certain special use prefixes:

http://www.rfc-editor.org/rfc/rfc5156.txt

" Dont accept prefixes longer than /48 (?)

42

8/10/2019 06_BGP_BCP

43/67


! Check Team Cymrus list of bogonswww.team-cymru.org/Services/Bogons/http.html

! For IPv4 also consult:www.rfc-editor.org/rfc/rfc6441.txt

! For IPv6 also consult:

www.space.net/~gert/RIPE/ipv6-filters.html

! Bogon Route Server:

www.team-cymru.org/Services/Bogons/routeserver.html

" Supplies a BGP feed (IPv4 and/or IPv6) of address blocks

which should not appear in the BGP table

43

8/10/2019 06_BGP_BCP

44/67

Receiving IPv4 Prefixes

44

router bgp 100

network 101.10.0.0 mask 255.255.224.0


neighbor 101.5.7.1 prefix-list in-filter in

!

ip prefix-list in-filter deny 0.0.0.0/0 ! Default

ip prefix-list in-filter deny 0.0.0.0/8 le 32 ! Network Zero

ip prefix-list in-filter deny 10.0.0.0/8 le 32 ! RFC1918

ip prefix-list in-filter deny 100.64.0.0/10 le 32 ! RFC6598 shared addr

ip prefix-list in-filter deny 101.10.0.0/19 le 32 ! Local prefix

ip prefix-list in-filter deny 127.0.0.0/8 le 32 ! Loopback

ip prefix-list in-filter deny 169.254.0.0/16 le 32 ! Auto-config


ip prefix-list in-filter deny 192.0.2.0/24 le 32 ! TEST1


ip prefix-list in-filter deny 198.18.0.0/15 le 32 ! Benchmarking



ip prefix-list in-filter deny 224.0.0.0/3 le 32 ! Multicast

ip prefix-list in-filter deny 0.0.0.0/0 ge 25 ! Prefixes >/24

ip prefix-list in-filter permit 0.0.0.0/0 le 32

8/10/2019 06_BGP_BCP

45/67

Receiving IPv6 Prefixes

45

router bgp 100

network 2020:3030::/32

neighbor 2020:3030::1 remote-as 101

neighbor 2020:3030::1 prefix-list v6in-filter in

!

ipv6 prefix-list v6in-filter permit 2001::/32 ! Teredo

ipv6 prefix-list v6in-filter deny 2001::/32 le 128 ! Teredo subnets

ipv6 prefix-list v6in-filter deny 2001:db8::/32 le 128 ! Documentation

ipv6 prefix-list v6in-filter permit 2002::/16 ! 6to4

ipv6 prefix-list v6in-filter deny 2002::/16 le 128 ! 6to4 subnets

ipv6 prefix-list v6in-filter deny 2020:3030::/32 le 128 ! Local Prefix

ipv6 prefix-list v6in-filter deny 3ffe::/16 le 128 ! Old 6bone

ipv6 prefix-list v6in-filter permit 2000::/3 le 48 ! Global Unicast

ipv6 prefix-list v6in-filter deny ::/0 le 128

8/10/2019 06_BGP_BCP

46/67

Receiving Prefixes

! Paying attention to prefixes received fromcustomers, peers and transit providersassists with:

"

The integrity of the local network

" The integrity of the Internet

! Responsibility of all ISPs to be good

Internet citizens

46

8/10/2019 06_BGP_BCP

47/67

Prefixes into iBGP

47

8/10/2019 06_BGP_BCP

48/67

Injecting prefixes into iBGP

! Use iBGP to carry customer prefixes

"

dont use IGP

! Point static route to customer interface

!

Use BGP network statement! As long as static route exists (interface

active), prefix will be in BGP

48

8/10/2019 06_BGP_BCP

49/67

Router Configuration:network statement

! Example:interface loopback 0

ip address 215.17.3.1 255.255.255.255

!

interface Serial 5/0

ip unnumbered loopback 0

ip verify unicast reverse-path

!

ip route 215.34.10.0 255.255.252.0 Serial 5/0

!

router bgp 100network 215.34.10.0 mask 255.255.252.0

49

8/10/2019 06_BGP_BCP

50/67


! Interface flap will result in prefix withdrawand reannounce

" use ip route . . . permanent

! Many ISPs redistribute static routes into

BGP rather than using the networkstatement

" Only do this if you understand why

50

8/10/2019 06_BGP_BCP

51/67

Router Configuration:redistribute static! Example:

ip route 215.34.10.0 255.255.252.0 Serial 5/0

!

router bgp 100

redistribute static route-map static-to-bgp

!

route-map static-to-bgp permit 10

match ip address prefix-list ISP-block

set origin igp

!

ip prefix-list ISP-block permit 215.34.10.0/22 le 30

51

8/10/2019 06_BGP_BCP

52/67


! Route-map ISP-block can be used formany things:

" setting communities and other attributes

" setting origin code to IGP, etc

! Be careful with prefix-lists and route-maps

"

absence of either/both means all staticallyrouted prefixes go into iBGP

52

8/10/2019 06_BGP_BCP

53/67

Summary

! Best Practices Covered:

"

When to use BGP

" When to use ISIS/OSPF

" Aggregation

"

Receiving Prefixes

" Prefixes into BGP

53

8/10/2019 06_BGP_BCP

54/67

Configuration Tips

Of passwords, tricks andtemplates

8/10/2019 06_BGP_BCP

55/67

iBGP and IGPsReminder!

! Make sure loopback is configured onrouter

" iBGP between loopbacks, NOT real interfaces

! Make sure IGP carries loopback /32

address

! Consider the DMZ nets:

" Use unnumbered interfaces?

" Use next-hop-self on iBGP neighbours

" Or carry the DMZ /30s in the iBGP

"

Basically keep the DMZ nets out of the IGP!

8/10/2019 06_BGP_BCP

56/67

iBGP: Next-hop-self

! BGP speaker announces external networkto iBGP peers using routers local address(loopback) as next-hop

! Used by many ISPs on edge routers

" Preferable to carrying DMZ /30 addresses inthe IGP

"

Reduces size of IGP to just core infrastructure

" Alternative to using unnumbered interfaces

" Helps scale network"

Many ISPs consider this best practice

8/10/2019 06_BGP_BCP

57/67

Limiting AS Path Length

! Some BGP implementations haveproblems with long AS_PATHS

" Memory corruption

" Memory fragmentation

! Even using AS_PATH prepends, it is notnormal to see more than 20 ASes in atypical AS_PATH in the Internet today

" The Internet is around 5 ASes deep on average

" Largest AS_PATH is usually 16-20 ASNs

8/10/2019 06_BGP_BCP

58/67

Limiting AS Path Length! Some announcements have ridiculous lengths of AS-paths:

*> 3FFE:1600::/24 22 11537 145 12199 1031810566 13193 1930 2200 3425 293 5609 5430 13285 6939

14277 1849 33 15589 25336 6830 8002 2042 7610 i

This example is an error in one IPv6 implementation

*> 96.27.246.0/24 2497 1239 12026 12026 12026

12026 12026 12026 12026 12026 12026 12026 12026 12026

12026 12026 12026 12026 12026 12026 12026 12026 12026

12026 i

This example shows 21 prepends (for no obvious reason)

! If your implementation supports it, consider limiting the

maximum AS-path length you will accept

8/10/2019 06_BGP_BCP

59/67

BGP TTL hack

! Implement RFC5082 on BGP peerings" (Generalised TTL Security Mechanism)

" Neighbour sets TTL to 255

" Local router expects TTL of incoming BGP packets to be254

" No one apart from directly attached devices can sendBGP packets which arrive with TTL of 254, so anypossible attack by a remote miscreant is dropped due toTTL mismatch

ISP AS 100Attacker

TTL 254

TTL 253 TTL 254

R1 R2

8/10/2019 06_BGP_BCP

60/67

BGP TTL hack

! TTL Hack:

"

Both neighbours must agree to use the feature

" TTL check is much easier to perform than MD5

" (Called BTSH BGP TTL Security Hack)

! Provides securityfor BGP sessions

" In addition to packet filters of course

" MD5 should still be used for messages whichslip through the TTL hack

" See www.nanog.org/mtg-0302/hack.html formore details

8/10/2019 06_BGP_BCP

61/67

Templates

! Good practice to configure templates foreverything

" Vendor defaults tend not to be optimal or evenvery useful for ISPs

" ISPs create their own defaults by usingconfiguration templates

! eBGP and iBGP examples follow

" Also see Team Cymrus BGP templates

! http://www.team-cymru.org/ReadingRoom/Documents/

8/10/2019 06_BGP_BCP

62/67

iBGP TemplateExample

! iBGP between loopbacks!

! Next-hop-self

" Keep DMZ and external point-to-point out of

IGP

! Always send communities in iBGP

" Otherwise accidents will happen

! Hardwire BGP to version 4

"

Yes, this is being paranoid!

8/10/2019 06_BGP_BCP

63/67

iBGP TemplateExample continued

! Use passwords on iBGP session

"

Not being paranoid, VERY necessary

" Its a secret shared between you and your peer

" If arriving packets dont have the correct MD5

hash, they are ignored" Helps defeat miscreants who wish to attack

BGP sessions

! Powerful preventative tool, especially

when combined with filters and the TTLhack

G T l

8/10/2019 06_BGP_BCP

64/67

eBGP TemplateExample

! BGP damping" Do NOT use it unless you understand the impact

" Do NOT use the vendor defaults without thinking

!

Remove private ASes from announcements" Common omission today

! Use extensive filters, with backup

" Use as-path filters to backup prefix filters

" Keep policy language for implementing policy, ratherthan basic filtering

!

Use password agreed between you and peer oneBGP session

BGP T l

8/10/2019 06_BGP_BCP

65/67

eBGP TemplateExample continued

! Use maximum-prefix tracking

"

Router will warn you if there are suddenincreases in BGP table size, bringing downeBGP if desired

! Limit maximum as-path length inbound

! Log changes of neighbour state

" and monitor those logs!

! Make BGP admin distance higher than that

of any IGP" Otherwise prefixes heard from outside your

network could override your IGP!!

8/10/2019 06_BGP_BCP

66/67

Summary

! Use configuration templates

! Standardise the configuration

! Be aware of standard tricksto avoid

compromise of the BGP session

! Anything to make your life easier, network

less prone to errors, network more likelyto scale

! Its all about scaling if your networkwont scale, then it wont be successful

8/10/2019 06_BGP_BCP

67/67

BGP Best CurrentPractices

ISP Workshops

67