Advances in BGP
BRKRST-3371
Gunter Van de Velde
Sr. Technical Leader
[email protected]

What is BGP?
What does a Google search for the abbreviation "BGP" find?
Source: http://www.all-acronyms.com/BGP
Without BGP the Internet would not exist in its current stable and simple form.
It is the plumbing technology of the Internet.
Border Gateway Protocol
Bacterial Growth Potential
Battlegroup
Becker, Green and Pearson
<censored entry>
Bermuda grass pollen
Berri Gas Plant
beta-glycerophosphate
biliary glycoprotein
blood group
bone gamma-carboxyglutamic acid protein
bone gamma-carboxyglutamic acid-containing protein
bone gla protein
bone Gla-containing protein
Borders Group, Inc.
brain-type glycogen phosphorylase
Bridge Gateway Protocol
Broader Gateway Protocol
Bureau de Gestion de Projet
Brain Gain Program
BRKRST-3371
2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
What is BGP? What is it, truly?
The Bloody Good Protocol
Agenda
Motivation to Enhance BGP
Scale and Performance Enhancements
What happened in BGP Landscape?
Some new Cool features that may interest you
BGP started in 1989
Motivation and development of BGP: when the Internet grew and moved to an autonomous system (AS) mesh architecture, a stable, non-chatty, low-CPU protocol was needed to connect all of these ASes together.
In June 1989, the first version of this new routing protocol was formalized with the publication of RFC 1105, A Border Gateway Protocol (BGP).
Service Provider Routing and Services progress
Multimedia, Mobile Internet and Cloud Services will generate a massive bandwidth explosion
Prefix growth is almost a linear curve
The evolution of offered BGP services goes from basic technologies to very advanced infrastructures
Control-plane Evolution
Most services are progressing towards BGP

Service/transport        | 2008 and before | 2013 and future
IDR (Peering)            | BGP             | BGP (IPv6)
SP L3VPN                 | BGP             | BGP + FRR + Scalability
SP Multicast VPN         | PIM             | BGP Multicast VPN
DDoS mitigation          | CLI             | BGP flowspec
Network Monitoring       | SNMP            | BGP monitoring protocol
Security                 | Filters         | BGP Sec (RPKI), DDoS Mitigation
Proximity                | -               | BGP connected app API
SP-L3VPN-DC              | -               | BGP Inter-AS, VPN4DC
Business & CE L2VPN      | LDP             | BGP PW Sign (VPLS)
DC Interconnect L2VPN    | -               | BGP MAC Sign (EVPN)
MPLS transport           | LDP             | BGP+Label (Unified MPLS)
Data Center              | OSPF/ISIS       | BGP + Multipath
Massive Scale DMVPN      | NHRP / EIGRP    | BGP + Path Diversity
Campus/Ent L3VPN         | BGP (IOS)       | BGP (NX-OS)
Why is BGP so successful?
Robustness: runs over TCP
Low overhead protocol: sends an update once and then remains silent
Scalability: path vector protocol, allows full mesh
High Availability: NSR, PIC
Well known: tons of engineers know BGP
Simplicity: BGP is simple (even if knobs make BGP big and sometimes less trivial to read)
Multi-protocol: IPv4, IPv6, L2VPN, L3VPN, Multicast
Incremental: easy to extend: NLRI, Path Attribute, Community
Flexible: policy
Scale & Performance Enhancements
BGP Scaling
Update Generation Enhancements
  Update generation is the most important, time-critical task
  It is now a separate process, to provide more CPU quantum
Parallel Route Refresh
  Significant delay (up to 15-30 minutes) was seen in advertising incremental updates while the RR is servicing route refresh requests or converging newly established peers
  Refresh and incremental updates now run in parallel
Keepalive Enhancements
  Lost or delayed keepalive messages result in session flaps
  Hence keepalive processing is now placed into a separate process using a priority queuing mechanism
Adaptive Update Cache Size
  Instead of using a fixed cache size, the new code dynamically adapts to the address family used, the available router memory and the number of peers in an update group
Scale & Performance Enhancements
PE Scaling
PE-CE Optimization
  In old code slow convergence was experienced with large numbers of CEs
  Improved by intelligently evaluating VPN prefixes based upon the prefixes in the CE's VRF
VRF-Based Advertise Bits
  Memory consumption increased as the number of VRFs on a PE was scaled up
  Smart reuse of advertise-bit space per VRF
Route Reflector Scaling
Selective RIB Download
  A route reflector needs to receive the full RIB; however, not all prefixes MUST be in the Forwarding Information Base (FIB)
  So, we now allow user policy to download only selected prefixes into the FIB
More about BGP performance tuning in BRKRST-3321
Slow Peer Management
BGP Resiliency/HA Enhancement
Issue: slow peers in update groups block convergence of other update group members by filling message queues/transmitting slowly
Persistent network issue affecting all BGP routers
Two components to the solution:
  Detection
  Protection
Detection
  BGP update timestamps
  Peer's TCP connection characteristics
Slow Peer Management
BGP Resiliency/HA Enhancement
Protection
  Move slower peers out of the update group
  A separate slow update group with matching policies is created
  Any slow members are moved to the slow update group
  Detection can be automatic or manual with a CLI command
Automatic recovery
  Slow peers are periodically checked for recovery
  Recovered peers rejoin the main update group
Isolation of slow peers unblocks faster peers and lets them converge as fast as possible
Slow Peer Management
BGP Resiliency/HA Enhancement
Static protection
  [no] neighbor slow-peer split-update-group static
Dynamic detection
  [no] bgp slow-peer detection [threshold <seconds>]
  [no] neighbor slow-peer detection [threshold <seconds>]
Dynamic protection
  [no] bgp slow-peer split-update-group dynamic [permanent]
  [no] neighbor slow-peer split-update-group dynamic [permanent]
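The detection, protection and recovery cycle described above, as an added example written for this page (not Cisco's code): an update group shares one set of formatted updates, so a member whose oldest queued update is older than the detection threshold is split out into a slow update group and rejoins once its queue drains. The peer names, the queue model and the 300-second threshold are constructed assumptions.

```python
"""Model of BGP slow-peer detection and split update groups.

An update group shares one set of formatted updates; a member that drains
its TCP queue slowly holds back the whole group.  Detection looks at the
timestamp of the oldest update still queued per peer (the slide's 'BGP
update timestamps'); protection moves offenders to a separate slow group
and periodically checks whether they have recovered.  Constructed model,
not Cisco's implementation."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Peer:
    name: str
    # (update version, time it was queued); a slow peer drains this slowly
    queue: deque = field(default_factory=deque)
    slow: bool = False

    def oldest_pending_age(self, now):
        return now - self.queue[0][1] if self.queue else 0


@dataclass
class UpdateGroup:
    members: list
    slow_members: list = field(default_factory=list)

    def enqueue(self, version, now):
        """Format an update once and queue it for every member."""
        for p in self.members:
            p.queue.append((version, now))

    def detect_slow(self, now, threshold):
        """Peers whose oldest unacknowledged update is older than threshold."""
        return [p for p in self.members if p.oldest_pending_age(now) > threshold]

    def split(self, now, threshold):
        """Protection: move slow peers into the slow update group."""
        for p in self.detect_slow(now, threshold):
            p.slow = True
            self.members.remove(p)
            self.slow_members.append(p)
        return sorted(p.name for p in self.slow_members)

    def recover(self, now, threshold):
        """Slow peers whose queue has drained rejoin the main group."""
        back = [p for p in self.slow_members if p.oldest_pending_age(now) <= threshold]
        for p in back:
            p.slow = False
            self.slow_members.remove(p)
            self.members.append(p)
        return sorted(p.name for p in back)

    def lag(self, now):
        """The group converges at the pace of its slowest remaining member."""
        return max((p.oldest_pending_age(now) for p in self.members), default=0)


def simulate(threshold=300):
    """Three RR clients; pe3 does not read its socket for 15 minutes."""
    pe1, pe2, pe3 = Peer("pe1"), Peer("pe2"), Peer("pe3")
    ug = UpdateGroup([pe1, pe2, pe3])
    ug.enqueue(version=100, now=0)
    pe1.queue.clear()
    pe2.queue.clear()                                  # fast peers acked at once
    lag_before = ug.lag(now=900)                       # 900: held back by pe3
    moved = ug.split(now=900, threshold=threshold)     # ['pe3']
    lag_after = ug.lag(now=900)                        # 0: pe1/pe2 unblocked
    pe3.queue.clear()                                  # pe3 finally drains
    back = ug.recover(now=1200, threshold=threshold)   # ['pe3'] rejoins
    return lag_before, moved, lag_after, back, len(ug.members)


if __name__ == "__main__":
    print(simulate())
```

With the threshold raised above the observed lag nothing is split and the whole group stays blocked by pe3, which is the situation the static split-update-group knob exists for when automatic detection is not wanted.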
ASR1000 RP2, RP1, ASR1001 and 7200 BGP Route and Session Scalability Comparison - RR

Platform (memory)    | ipv4 routes | vpnv4 routes | ipv6 routes | vpnv6 routes | BGP sessions
7200 NPE-G2 (2GB)    | 4M          | 7M           | 2M          | 6M           | <1000
ASR1000 RP1 (4GB)    | 7M*         | 6M           | 5M*         | 5M           | 4000
ASR1001 (4GB)        | 2M*         | 2M           | 2M*         | 1.5M         | 4000
ASR1001 (8GB)        | 9M*         | 8M           | 8M*         | 7.5M         | 4000
ASR1001 (16GB)       | 17M*        | 16M          | 15M*        | 14.5M        | 4000
ASR1000 RP2 (8GB)    | 12M*        | 10M          | 9M*         | 9M           | 8000
ASR1000 RP2 (16GB)   | 29M*        | 24M          | 24M*        | 21M          | 8000

* Tested with the BGP selective download feature for ipv4/ipv6 for a dedicated RR application. This feature prevents ipv4/ipv6 BGP routes from being installed in the RIB and FIB. It reduces memory usage per ipv4/ipv6 prefix and CPU utilization.
ASR 1000 with RP1 allocates ~1.7GB to IOSd, ASR 1001 with 4GB allocates ~1.4GB to IOSd, whereas on NPE-G2 the entire 2GB is used by IOS.
ASR 1000 RP1 and RP2 Convergence Performance Comparison - RR
Tested with 1M total unique routes

Test                          | Total routes reflected by RR to all clients (routes x clients) | ASR1000 RP1 (4GB) convergence (s) | ASR1001 (16GB) convergence (s) | ASR1000 RP2 (16GB) convergence (s)
ipv4 (1K RR clients)          | 1 Billion | 220  | 133  | 75
vpnv4 (1K RR clients, 8K RT)  | 1 Billion | 680  | 489  | 221
ipv6 (1K RR clients)          | 1 Billion | 720  | 393  | 194
vpnv6 (1K RR clients, 8K RT)  | 1 Billion | 877  | 811  | 293
ipv4 (2K RR clients)          | 2 Billion | 375  | 270  | 138
vpnv4 (2K RR clients, 8K RT)  | 2 Billion | 1285 | 797  | 394
ipv6 (2K RR clients)          | 2 Billion | 1126 | 897  | 284
vpnv6 (2K RR clients, 8K RT)  | 2 Billion | 1766 | 1691 | 551

Tested with peer groups (1K RR clients per peer group)
7200 NPE-G2 cannot converge in the above test cases.
ASR1000 RP2 converges about twice as fast as 7200 NPE-G2 based on RR customer profile testing
CPU utilization below 5% after convergence
Link to Isocore report: http://www.cisco.com/en/US/prod/collateral/routers/ps9343/ITD13029-ASR1000-RP2Validationv1_1.pdf
What Happened in the IOS-XR Landscape?
Releases: 4.0, 4.1, 4.1.1, 4.2, 4.2.1, 4.2.3, 4.2.4, 4.3.0, 4.3.1
Features added across these releases:
RT-Constraint
Add Path Support
Accumulated Interior Gateway Protocol (AIGP) Metric Attribute
Unipath PIC for non-VPN address families (6PE/IPv6/IPv4 Unicast)
Multi-Instance/Multi-AS
Attribute Filtering and Error Handling
BGP Based DDoS Mitigation
BGP Accept Own
BGP 3107 PIC Update for Global Prefixes
Prefix Origin Validation based on RPKI
PIC for RIB and FIB
DMZ Link Bandwidth for Unequal Cost Recursive Load Balancing
Selective VRF Download
6PE/6vPE over L2TPv3
Next-Generation Multicast VPN
What Happened in the IOS Landscape?
Releases: 15.2(1)S, 15.2(2)S, 15.2(4)S, 15.3(1)S, 15.3(2)S
Features added across these releases:
Graceful Shutdown
iBGP NSR
mVPN BGP SAFI 129
NSR without Route-Refresh
Origin AS Validation
mVPNv6 Extranet Support
Local-AS allow-policy
RT/VPN-ID Attribute Rewrite Wildcard
VRF Aware Conditional Announcement
Additional Path
Attribute Filtering and Error Handling
Diverse Path
IPv6 client for Single hop BFD
IPv6 PIC Core and Edge
RT Constraint
IP Prefix export from a VRF into global Table
What Happened in the IOS-XE Landscape?
Releases: 3.8, 3.9
Features added across these releases:
Multicast VPN BGP Dampening
Multiple Cluster IDs
VPN Distinguisher Attribute
IPv6 NSR
Local-AS Allow-policy
RT or VPN-ID Rewrite Wildcard
VRF Aware Conditional Advertisement
What Happened in the NX-OS Landscape?
5.2 / 6.0:
  Prefix Independent Convergence (Core)
  local-as
  AS Override, allowas-in
  Disable 4-byte AS advertisement
  MP-BGP MPLS VPNs, 6PE, MDT
6.1:
  BGP AddPath
  BGP send-community both
  BGP neighbor address-family weight command
  BGP med confed and AS multipath-relax
  BGP next-hop-self for route reflector
6.2:
  default-information originate support
  Flexible distance manipulation with
  Inject map
  Unsuppress map
  as-format command for AS-plain and AS-dot
  Enhancements for removal of private AS
  Enable route-target import/export in default VRF
  Inter-AS option B-lite
  BGP authentication for prefix-based neighbors
PIC Edge Feature Overview
Internet Service Providers offer strict SLAs to their financial and business VPN customers, where they need to deliver sub-second convergence in the case of core/edge link or node failures in their network.
Prefix Independent Convergence (PIC) has been supported in IOS-XR/IOS for a while for core link failures as well as edge node failures.
The BGP Best-External project adds support for advertising the best-external path to iBGP/RR peers when the locally selected bestpath is from an internal peer.
BGP PIC Unipath provides the capability to install a backup path into the forwarding table, giving prefix-independent convergence in case of a PE-CE link failure.
PIC Edge: PE-CE Link Protection
BGP Resiliency/HA Enhancement
[Topology: CE1 (VPN1 Site #1, 10.1.1.0/24) attached to PE1/PE2; MPLS cloud with RR; CE2 (VPN1 Site #2, 10.2.2.0/24) dual-attached to PE3 (primary) and PE4 (backup). Traffic flows from Site #1 towards Site #2 via PE3.]
PE3 configured as primary, PE4 as backup
PE3 preferred over PE4 by local preference
CE2 has different RDs in its VRFs on PE3 and PE4
PE4: advertise-best-external, to advertise the route via the PE4-CE2 link
PE3: additional-paths install, to install primary and backup path
PIC Edge: Link Protection
BGP Resiliency/HA Enhancement
[Topology as above; traffic flows via PE3 (primary), PE4 is backup.]
PE3 has primary and backup path
  Primary via the directly connected PE3-CE2 link
  Backup via PE4's best-external route
What happens when the PE3-CE2 link fails?
PIC Edge: Link Protection
BGP Resiliency/HA Enhancement
[Topology as above; the PE3-CE2 link has failed, traffic is shunted PE3 -> PE4 -> CE2.]
CEF (via BFD or a link-layer mechanism) detects the PE3-CE2 link failure
CEF immediately swaps to the repair-path label
Traffic is shunted to PE4 and across the PE4-CE2 link
PIC Edge: Link Protection
BGP Resiliency/HA Enhancement
[Topology as above; PE3 sends "withdraw route via PE3" towards the RR.]
PE3 withdraws the route via the PE3-CE2 link
The update is propagated to the remote PE routers
PIC Edge: Link Protection
BGP Resiliency/HA Enhancement
[Topology as above; after the withdraw, traffic flows from Site #1 directly to PE4 and on to CE2.]
BGP on the remote PEs selects a new bestpath
The new bestpath is via PE4
Traffic flows directly to PE4 instead of via PE3
PIC Edge: Edge Node Protection
BGP Resiliency/HA Enhancement
[Topology as above; traffic flows from Site #1 via PE1 to PE3 (primary), PE4 is backup.]
PE3 configured as primary, PE4 as backup
PE3 preferred over PE4 by local preference
CE2 has different RDs in its VRFs on PE3 and PE4
PE4: advertise-best-external, to advertise the route via the PE4-CE2 link
PE1: additional-paths install, to install primary and backup path
PIC Edge: Edge Node Protection
BGP Resiliency/HA Enhancement
[Topology as above.]
PE1 has primary and backup path
  Primary via PE3
  Backup via PE4's best-external route
What happens when node PE3 fails?
PIC Edge: Edge Node Protection
BGP Resiliency/HA Enhancement
[Topology as above; PE3 has failed and PE3's /32 host route is removed from the IGP.]
PIC Edge: Edge Node Protection
BGP Resiliency/HA Enhancement
[Topology as above; PE3's /32 host route is removed from the IGP and traffic from PE1 now flows to PE4.]
PE1 detects the loss of PE3's /32 host route in the IGP
CEF immediately swaps the forwarding destination label from PE3 to PE4 using the backup path
BGP on PE1 computes a new bestpath later, choosing PE4
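What makes the swap on PE1 (node protection) and on PE3 (link protection) prefix-independent, shown as an added example written for this page rather than Cisco's CEF code: every prefix that shares the same primary/backup egress PE points at one shared path-list object, so the repair triggered by BFD or by the loss of the /32 is a single object rewrite no matter how many VPN prefixes depend on it. The PE names, prefixes and the in-memory FIB are constructed assumptions.

```python
"""Prefix-independent convergence in the forwarding plane (constructed model).

Every VPN prefix learned from the same pair of egress PEs points at one
shared path-list object instead of carrying its own next hop.  When BFD or
the IGP reports the primary gone, that single object is flipped to the
pre-installed backup, so repair time does not grow with the number of
prefixes.  A prefix with no backup path cannot be repaired this way."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class PathList:
    primary: str             # egress PE of the bestpath
    backup: Optional[str]    # egress PE of the best-external/backup path, if any
    active: str = field(init=False)

    def __post_init__(self):
        self.active = self.primary

    def repair(self, failed_nexthop):
        """O(1) swap to the backup; True if this path-list was affected."""
        if self.active == failed_nexthop and self.backup:
            self.active = self.backup
            return True
        return False


class Fib:
    def __init__(self):
        self._pathlists: Dict[Tuple[str, Optional[str]], PathList] = {}
        self._routes: Dict[str, PathList] = {}

    def install(self, prefix, primary, backup=None):
        """Share one path-list among all prefixes with the same primary/backup."""
        key = (primary, backup)
        pl = self._pathlists.get(key)
        if pl is None:
            pl = self._pathlists[key] = PathList(primary, backup)
        self._routes[prefix] = pl

    def lookup(self, prefix):
        return self._routes[prefix].active

    def nexthop_down(self, nexthop):
        """Triggered by BFD or by loss of the egress PE's /32 in the IGP.
        Returns the number of forwarding objects rewritten."""
        return sum(pl.repair(nexthop) for pl in self._pathlists.values())


def demo(num_prefixes=10000):
    fib = Fib()
    for i in range(num_prefixes):                      # constructed VPN prefixes
        fib.install(f"10.{(i >> 8) & 255}.{i & 255}.0/24", primary="PE3", backup="PE4")
    fib.install("192.0.2.0/24", primary="PE3")        # no backup path installed
    writes = fib.nexthop_down("PE3")                   # 1 rewrite covers all 10000
    return writes, fib.lookup("10.0.1.0/24"), fib.lookup("192.0.2.0/24")


if __name__ == "__main__":
    print(demo())
```

The third value is the failure mode to watch for in a real deployment: a prefix without a pre-installed backup (no best-external from PE4, or additional-paths install missing) keeps pointing at the dead PE until BGP reconverges, which is the 8-17 second case in the test results later in this deck.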
Enabling BGP PIC: Enabling IP Routing Fast Convergence
BGP PIC leverages IGP convergence: make sure the IGP converges quickly.
IOS-XR: IGP timers are pretty much tuned by default.
IOS: sample OSPF config:
  process-max-time 50
  ip routing protocol purge interface
  interface
    carrier-delay msec 0
    negotiation auto
    ip ospf network point-to-point
    bfd interval 100 min_rx 100 mul 3
  router ospf 1
    ispf
    timers throttle spf 50 100 5000
    timers throttle lsa all 0 20 1000
    timers lsa arrival 20
    timers pacing flood 15
    passive-interface Loopback 0
    bfd all-interfaces
Enabling BGP PIC Edge: IOS-XR
Two BGP PIC Edge flavors: BGP PIC Edge Multipath and Unipath
Multipath: the re-routing router load-balances across multiple next-hops; the backup next-hops are actively taking traffic and are active in the routing/forwarding plane, as commonly found in active/active redundancy scenarios.
  No configuration, apart from enabling BGP multipath (maximum-paths ...)
Unipath: backup path(s) are NOT taking traffic, as found in active/standby scenarios
  route-policy backup
    ! Currently, only a single backup path is supported
    set path-selection backup 1 install [multipath-protect] [advertise]
  end-policy
  router bgp ...
    address-family ipv4 unicast
      additional-paths selection route-policy backup
    !
    address-family vpnv4 unicast
      additional-paths selection route-policy backup
    !
Enabling BGP PIC Edge: IOS
As in IOS-XR, PIC Edge with multipath requires no additional configuration.
PIC Edge unipath needs to be enabled explicitly ...
  router bgp ...
    address-family ipv4 [vrf ...]   (or: address-family vpnv4)
      bgp additional-paths install
... or implicitly when enabling best external:
  router bgp ...
    address-family ipv4 [vrf ...]   (or: address-family vpnv4)
      bgp advertise-best-external
http://www.cisco.com/en/US/docs/ios/iproute_bgp/configuration/guide/irg_bgp_mp_pic.html
http://www.cisco.com/en/US/docs/ios/ios_xe/iproute_bgp/configuration/guide/irg_best_external_xe.html
Question: How will my PEs learn about the alternate paths?
By default my RR only reflects the best route.
[Diagram: PE2 and PE3 both reach prefix Z via their E0 links and advertise "NH:PE2, P:Z" and "NH:PE3, P:Z" to the RR; the RR reflects only its best path, "NH:PE2, P:Z", to PE1, so PE1 knows prefix Z via PE2 only.]
Diverse BGP Path Distribution
Shadow Session
Easy deployment: no upgrade of any existing router is required, just a new iBGP session per extra path (CLI knob on RR1)
The diverse iBGP session announces the 2nd best path
[Diagram: RR1 holds prefix Z via PE2 and via PE3; over the normal session it sends "NH:PE2, P:Z" to PE1 and over the diverse (shadow) session it sends "NH:PE3, P:Z".]
BGP Add-Path
Add-Path signals diverse paths, from 2 up to X paths
Requires every Add-Path receiving BGP router to support the Add-Path capability
[Diagram: RR1 holds prefix Z via PE2 and via PE3 and sends both to PE1 over one session, each tagged with a path identifier: "NH:PE2, P:Z AP 1" and "NH:PE3, P:Z AP 2".]
BGP Add-Path flavors
The IETF defines 5 flavors of Add-x-Path; 2 are implemented by Cisco:
Add-n-path: the route reflector runs the best path computation over all paths and sends the n best to the BR/PE.
  Use case: primary + (n-1) backup scenario (n is at most 2 on IOS-XR and 3 on IOS).
Add-all-path: the route reflector runs the primary best path computation (only for the first path) and then sends all paths to the BR/PE.
  Use case: large DC ECMP load balancing, hot-potato routing scenario.
Cisco innovation: Add-all-multipath and Add-all-multipath+backup in XR 4.3.1
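How the RR actually gets several paths for one prefix onto the wire, and how the two flavors differ in what they select, as an added example written for this page (not Cisco's or the IETF's code): the Add-Path NLRI of RFC 7911 carries a 4-byte path identifier in front of the usual length/prefix, and the decoder below refuses truncated input rather than reading past the buffer. The three paths for prefix Z, the simplified bestpath ordering (local-pref, AS-path length, IGP metric) and the path-id assignment are constructed assumptions.

```python
"""Add-Path NLRI (RFC 7911) and the add-n-path / add-all-path selection.

Each IPv4 unicast NLRI becomes <path-id:4><len:1><prefix:ceil(len/8)>.
The RR ranks the paths once; add-n-path sends the n best, add-all-path
sends them all.  Example code for this page; paths are constructed."""
import ipaddress
import struct


def encode_nlri(path_id, prefix):
    net = ipaddress.IPv4Network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    return struct.pack("!IB", path_id, net.prefixlen) + net.network_address.packed[:nbytes]


def decode_nlri(buf):
    """Parse a run of Add-Path NLRI; raise on truncation instead of
    trusting the length field (the classic UPDATE parsing bug)."""
    out, i = [], 0
    while i < len(buf):
        if len(buf) - i < 5:
            raise ValueError("truncated NLRI header")
        path_id, plen = struct.unpack_from("!IB", buf, i)
        i += 5
        if plen > 32:
            raise ValueError("prefix length > 32")
        nbytes = (plen + 7) // 8
        if len(buf) - i < nbytes:
            raise ValueError("truncated prefix")
        addr = buf[i:i + nbytes].ljust(4, b"\x00")
        i += nbytes
        out.append((path_id, f"{ipaddress.IPv4Address(addr)}/{plen}"))
    return out


def bestpath_key(p):
    # higher local-pref, then shorter AS path, then lower IGP metric to the NH
    return (-p["local_pref"], len(p["as_path"]), p["igp_metric"])


def select_paths(paths, flavour, n=2):
    ranked = sorted(paths, key=bestpath_key)
    if flavour == "add-n-path":
        return ranked[:n]            # primary + (n-1) backups
    if flavour == "add-all-path":
        return ranked                # bestpath only fixes the order
    raise ValueError(flavour)


def build_update_nlri(paths, flavour, n=2):
    """Wire NLRI the RR would send; path-ids are assigned 1..k here."""
    chosen = select_paths(paths, flavour, n)
    return b"".join(encode_nlri(i + 1, p["prefix"]) for i, p in enumerate(chosen))


PATHS = [  # constructed: three paths for prefix Z as held by RR1
    {"prefix": "203.0.113.0/24", "nexthop": "PE2", "local_pref": 100, "as_path": [65001], "igp_metric": 10},
    {"prefix": "203.0.113.0/24", "nexthop": "PE3", "local_pref": 100, "as_path": [65001], "igp_metric": 20},
    {"prefix": "203.0.113.0/24", "nexthop": "PE4", "local_pref": 90, "as_path": [65001], "igp_metric": 5},
]


if __name__ == "__main__":
    wire = build_update_nlri(PATHS, "add-n-path", n=2)
    print(wire.hex(), decode_nlri(wire))
```

Note that the path identifier only has meaning between the two speakers on one session; a receiver that has not negotiated the Add-Path capability would parse the first four bytes as a prefix length and garbage, which is why the slide insists every receiver must support the capability.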
Add-Path Applications
Fast convergence / connectivity restoration: as the ingress routers have visibility of more paths, they can switch to the backup paths faster once the primary path goes away. Requires backup paths to be sent.
Load balancing: as the ingress routers have visibility of more paths, they can do ECMP over multiple paths. Requires either backup paths or all paths to be sent.
Churn reduction: since alternate paths are available, withdraws can be suppressed (implicit update).
Route oscillation: see RFC 3345 for scenarios. Requires group best paths (in some cases all paths) to be sent.
Add-Path Configuration: IOS-XR (send)
Enable in global address-family mode; this enables it for all iBGP neighbors
Enable/disable per neighbor in neighbor mode
  router bgp 100
    address-family ipv4 unicast
      additional-paths send
    !
    address-family vpnv4 unicast
      additional-paths send
    !
    neighbor 1.1.1.1
      remote-as 100
      address-family ipv4 unicast
      !
      address-family vpnv4 unicast
      !
    !
    neighbor 2.2.2.2
      remote-as 100
      capability additional-paths send disable
      address-family ipv4 unicast
      !
Add-Path Configuration: IOS-XR (receive)
Enable in global address-family mode; this enables it for all iBGP neighbors
Enable/disable per neighbor in neighbor mode
  router bgp 100
    address-family ipv4 unicast
      additional-paths receive
    !
    address-family vpnv4 unicast
      additional-paths receive
    !
    neighbor 1.1.1.1
      remote-as 100
      address-family ipv4 unicast
      !
      address-family vpnv4 unicast
      !
    !
    neighbor 2.2.2.2
      remote-as 100
      capability additional-paths receive disable
      address-family ipv4 unicast
      !
    !
  !
Add-Path Configuration: IOS-XR (path selection)
Path selection is configured in a route-policy
Configuration in VPNv4 mode applies to all VRF IPv4-unicast AF modes unless overridden at individual VRFs
  route-policy ap1
    if community matches-any (1:1) then
      set path-selection backup 1 install
    elseif destination in (150.0.0.0/16, 151.0.0.0/16) then
      set path-selection backup 1 advertise install
    endif
  end-policy
  !
  route-policy ap2
    set path-selection all advertise
  end-policy
  !
  route-policy ap3
    set path-selection backup 1 install
  end-policy
  !
Add-Path Configuration: IOS-XR
Add-Path Path Selection
  router bgp 100
    address-family ipv4 unicast
      additional-paths selection route-policy ap1
    !
    address-family vpnv4 unicast
      additional-paths selection route-policy ap2
    !
    vrf foo
      rd 1:1
      address-family ipv4 unicast
        additional-paths selection route-policy ap3
      !
    !
    vrf bar
      rd 2:2
      address-family ipv4 unicast
      !
PIC Edge: Test Results
BGP Resiliency/HA Enhancement

Test Setup            | Node Failure | Link Failure
No PIC Edge, No BFD   | 12-14 sec    | 8-17 sec
BFD Only              | 10-12 sec    | 6-12 sec
PIC Edge Only         | 8 sec        | 4 sec
PIC Edge, BFD         | 0 sec        | 0 sec
Automated Route Target Filtering
BGP Feature
Increased VPN service deployment increases load on VPN routers
10% YOY VPN table growth
Highly desirable to filter unwanted VPN routes
Multiple filtering approaches
New RT filter address family
Extended community ORF
Automated Route Target Filtering
BGP Feature
Derive RT filtering information from VPN RT import lists automatically
Exchange filtering info via RT filter AF or extended community ORF
Translate filter info received from neighbors into outbound filtering policies
Generate incremental updates for received RT update queries
Incremental deployment possible/desirable
Automated Route Target Filtering
[Diagram: four PEs (PE-1 to PE-4) and two RRs (RR-1, RR-2). Each PE holds two VRFs and advertises an RT-Constraint NLRI listing the RTs it imports: {VRF-Blue, VRF-Red}, {VRF-Green, VRF-Purple}, {VRF-Red, VRF-Green} and {VRF-Purple, VRF-Blue}. The RRs aggregate their clients' RT-Constraint NLRIs, e.g. {VRF-Blue, VRF-Red, VRF-Green} on RR-1 and {VRF-Green, VRF-Purple, VRF-Blue} on RR-2.]
Improves PE and RR scaling and performance by sending only relevant VPN routes
  router bgp as-number
    address-family rtfilter unicast
      neighbor {ip-address | peer-group-name} activate
      neighbor {ip-address | peer-group-name} send-community extended
    end
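The mechanism behind the three slides above, as an added example written for this page (not Cisco's code): the PE derives one RT-membership NLRI (RFC 4684: 4-byte origin AS followed by the 8-byte Route Target extended community, up to 96 bits) per RT its VRFs import, and the RR turns the NLRIs received from a neighbor into an outbound filter that only passes VPN routes carrying a matching RT. A zero-length NLRI means "send everything". The AS number, RT values, VRFs and VPN routes are constructed.

```python
"""RT-Constraint (RFC 4684) derived from VRF import lists and applied as
an RR outbound filter.  Example code for this page; data is constructed,
and only two-octet-AS-specific Route Targets (type 0x00/0x02) are modelled."""
import struct


def rt_extcomm(asn, value):
    """Two-octet-AS-specific Route Target extended community (8 bytes)."""
    return struct.pack("!BBHI", 0x00, 0x02, asn, value)


def rt_constraint_nlri(origin_as, vrfs):
    """PE side: one 96-bit NLRI (bitlen, bytes) per distinct import RT."""
    rts = sorted({rt for vrf in vrfs.values() for rt in vrf["import"]})
    return [(96, struct.pack("!I", origin_as) + rt) for rt in rts]


def _covers(nlri, rt, origin_as):
    """Does this RT-Constraint NLRI cover <origin_as, rt>?  Prefix match
    on whole octets; a 0-bit NLRI matches everything."""
    bits, prefix = nlri
    if bits % 8 or bits > 96 or len(prefix) < bits // 8:
        raise ValueError("malformed RT-Constraint NLRI")
    full = struct.pack("!I", origin_as) + rt
    return full[: bits // 8] == prefix[: bits // 8]


def rr_outbound_filter(vpn_routes, neighbor_nlris, origin_as):
    """RR side: pass a VPN route only if one of its RTs is wanted."""
    return [
        route["rd_prefix"]
        for route in vpn_routes
        if any(_covers(n, rt, origin_as) for n in neighbor_nlris for rt in route["rts"])
    ]


# constructed data: PE-1 imports Blue and Red; the RR holds routes for four RTs
ASN = 65000
RT = {name: rt_extcomm(ASN, i + 1) for i, name in enumerate(["blue", "red", "green", "purple"])}
PE1_VRFS = {"Blue": {"import": [RT["blue"]]}, "Red": {"import": [RT["red"]]}}
VPN_ROUTES = [
    {"rd_prefix": "65000:1:10.1.0.0/24", "rts": [RT["blue"]]},
    {"rd_prefix": "65000:2:10.2.0.0/24", "rts": [RT["red"]]},
    {"rd_prefix": "65000:3:10.3.0.0/24", "rts": [RT["green"]]},
    {"rd_prefix": "65000:4:10.4.0.0/24", "rts": [RT["purple"], RT["blue"]]},  # extranet route
]


def demo():
    nlris = rt_constraint_nlri(ASN, PE1_VRFS)                      # what PE-1 sends
    filtered = rr_outbound_filter(VPN_ROUTES, nlris, ASN)          # what the RR sends back
    everything = rr_outbound_filter(VPN_ROUTES, [(0, b"")], ASN)   # default NLRI: no filter
    return len(nlris), filtered, len(everything)


if __name__ == "__main__":
    print(demo())
```

The extranet route (two RTs) is the case to check when validating a deployment: it must reach PE-1 because one of its RTs is imported there, even though its other RT is not.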
Accept Own
This feature allows a move from a PE-based service provisioning model to a centralized route reflector (RR)-based service provisioning model. With this feature, you can define the route-to-service-VRF mapping within a centralized route reflector and then propagate this information down to all the PE clients of that RR. Without this feature, you would define the route-to-service-VRF mapping on all PE devices, incurring a high configuration overhead that could result in more errors.
This feature enables a route reflector to modify the Route Target (RT) list of a VPN route that it distributes, letting the route reflector control how a route originated within one VRF is imported into other VRFs.
  router#configure
  router(config)#router bgp 100
  router(config-bgp)#neighbor 10.2.3.4
  router(config-bgp-nbr)#address-family vpnv4 unicast
  router(config-bgp-nbr-af)#accept-own
Overview AIGP
AIGP (Accumulated IGP Metric Attribute for BGP)
http://tools.ietf.org/html/draft-ietf-idr-aigp-09
Optional, non-transitive BGP path attribute
A BGP attribute that gives BGP a way to make its routing decision based on the IGP metric, to choose the shortest path between two nodes across different ASes.
The main driving force for this feature is to solve the IGP scale issue seen in some ISP core networks.
Mainly deployed to carry next-hop prefixes/labels across different ASes within the same administrative domain.
The remote ingress PE selects its best path using the modified best path selection process with the AIGP metric.
Overview AIGP
Sending/receiving the AIGP attribute
  Per-session configuration
  Enabled for iBGP sessions by default
  Disabled for eBGP sessions by default; a knob enables the AIGP capability
  An AIGP attribute received on an AIGP-disabled session is treated as an unrecognized non-transitive attribute (ignored and not propagated)
Origination of the AIGP metric
  By configuration
  Redistribution of IGP or static routes
  BGP network statement
  Inbound/outbound policy
Overview AIGP
Modification of the AIGP attribute
By the originator
  A new BGP update should be issued
  Configurable threshold to minimize IGP instability (not in XR 4.0)
By a non-originator
  When the NH is not changed: no change to the AIGP attribute value
  When the NH is changed to a non-recursive IGP or static route: increase the AIGP attribute value by the distance to the NH
  When the NH is changed to a recursive BGP-learned or static route: increase the AIGP attribute value by recursively resolving and adding the AIGP attribute values of the NHs, until either the NH is non-recursive or the NH is a BGP route without an AIGP attribute
An AIGP value change triggers a new AIGP computation for the route
AIGP carried across different ASes with different IGP domains may not give a meaningful result.
Overview AIGP
Modified best path calculation
Modifications in the tie-breaking procedure
Changes made after the local_preference comparison
When a route has an AIGP attribute:
  Remove routes without an AIGP attribute from consideration (this can be overruled by configuring a knob)
  Compare routes on their cumulative AIGP value
When the NH has an AIGP attribute:
  Compute the interior cost as the cumulative AIGP value for the NH
  Compare routes using the modified IGP cost
Update generation
  Different update groups for neighbors that are AIGP-capable, non-AIGP-capable, or enabled to send the AIGP value in the cost community
  A BGP update is generated upon an AIGP value change
Overview AIGP
Passing the AIGP attribute to non-AIGP-capable neighbors
  Translate AIGP into the cost community
    2 points of insertion (POI) are supported: pre-best-path and igp-cost
    A transitive keyword makes the cost community transitive to eBGP neighbors
  Redistribute BGP (with AIGP) into the IGP
  Translate the AIGP value into the BGP MED
Other software components
  Route installation: BGP tags the AIGP metric during route installation
  NH notification when the AIGP metric changes
  Update generation throttling is not supported in XR 4.0
It is highly recommended to deploy BGP best-external and Additional-path in conjunction with the AIGP attribute, to effectively achieve the desired routing policy.
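The two rules the AIGP slides above describe, the accumulation a non-originator applies when it changes the next hop and the extra tie-break after local preference, as an added example written for this page (not Cisco's bestpath code). The next-hop resolution table, the three candidate paths and the ignore_aigp flag standing in for the slide's "knob" are constructed assumptions.

```python
"""AIGP accumulation and the modified bestpath tie-break (constructed model).

accumulated_aigp() follows the three non-originator rules: no NH change
means no change; a non-recursive IGP/static NH adds its distance; a
recursive BGP NH adds that NH's own accumulated AIGP, stopping at the
first BGP NH that carries no AIGP.  bestpath() applies the AIGP step
right after local-pref: routes without AIGP are dropped from the pool
(unless the knob ignores AIGP), and the lowest AIGP + IGP-cost wins."""

# constructed resolution table: next hop -> ("igp", metric)
#                                         | ("bgp", via_nexthop, aigp_or_None)
RESOLVE = {
    "10.0.0.3": ("igp", 2),
    "10.0.0.7": ("bgp", "10.0.0.3", 50),    # labeled-unicast NH carrying AIGP 50
    "10.0.0.9": ("bgp", "10.0.0.3", None),  # BGP NH without an AIGP attribute
}


def accumulated_aigp(received_aigp, nexthop, resolve=RESOLVE, _depth=0):
    """AIGP value to advertise after setting the next hop to `nexthop`."""
    if received_aigp is None:
        return None                      # route has no AIGP: nothing to accumulate
    if _depth > 8:
        raise RuntimeError("next-hop resolution loop")
    entry = resolve[nexthop]
    if entry[0] == "igp":                # non-recursive: add the NH distance
        return received_aigp + entry[1]
    _, via, nh_aigp = entry              # recursive BGP route
    if nh_aigp is None:                  # stop at a BGP NH without AIGP
        return received_aigp
    return received_aigp + accumulated_aigp(nh_aigp, via, resolve, _depth + 1)


def bestpath(paths, ignore_aigp=False):
    """Winner after the local_preference step, with the AIGP tie-break."""
    top_lp = max(p["local_pref"] for p in paths)
    pool = [p for p in paths if p["local_pref"] == top_lp]
    use_aigp = not ignore_aigp and any(p["aigp"] is not None for p in pool)
    if use_aigp:
        pool = [p for p in pool if p["aigp"] is not None]

    def key(p):
        # cumulative value = AIGP attribute + interior cost to the next hop
        total = p["aigp"] + p["igp_metric"] if use_aigp else 0
        return (total, len(p["as_path"]), p["igp_metric"])

    return min(pool, key=key)


PATHS = [  # constructed: three paths for one prefix at the ingress PE
    {"nexthop": "PE-A", "local_pref": 100, "aigp": 111, "igp_metric": 2, "as_path": [1, 2]},
    {"nexthop": "PE-B", "local_pref": 100, "aigp": 211, "igp_metric": 2, "as_path": [1]},
    {"nexthop": "PE-C", "local_pref": 100, "aigp": None, "igp_metric": 1, "as_path": []},
]


if __name__ == "__main__":
    print(accumulated_aigp(111, "10.0.0.7"), bestpath(PATHS)["nexthop"],
          bestpath(PATHS, ignore_aigp=True)["nexthop"])
```

PE-C is the path to notice: it has the shortest AS path and the lowest IGP cost, yet it loses as long as AIGP is honoured, because a route without the attribute is never compared against routes that carry it. That is exactly why the slide warns that AIGP values from a different IGP domain are not meaningful.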
AIGP: Originating AIGP
AIGP is enabled between iBGP neighbors by default
AIGP between eBGP neighbors needs to be enabled
AIGP can be originated using redistribute ospf, redistribute isis, redistribute static or the BGP network command.
AIGP can also be originated using a neighbor address-family inbound or outbound policy that sets AIGP to the IGP cost or to a fixed value.
  route-policy set_aigp_1
    if destination in (61.1.1.0/24 le 32) then
      set aigp-metric 111
    elseif destination in (2100::1:0/112, 2100::2:0/112) then
      set aigp-metric igp-cost
    endif
  end-policy
  router bgp 1
    address-family ipv4 unicast
      redistribute ospf 1 route-policy set_aigp_1
AIGP capability verification #1:
RP/0/0/CPU0:router-RR#show bgp neighbor 110.33.33.3
BGP neighbor is 110.33.33.3
Remote AS 1, local AS 1, internal link
Remote router ID 110.30.30.3
Cluster ID 110.50.50.5
BGP state = Established, up for 3w4d
NSR State: NSR Ready
Last read 00:00:24, Last read before reset 00:00:00
Hold time is 180, keepalive interval is 60 seconds
Configured hold time: 180, keepalive: 60, min acceptable hold time: 3
Last write 00:00:55, attempted 19, written 19
Second last write 00:01:55, attempted 19, written 19
Last write before reset 00:00:00, attempted 0, written 0
Second last write before reset 00:00:00, attempted 0, written 0
Last write pulse rcvd Aug 6 11:48:49.296 last full Jul 12 12:05:24.042 pulse count
72908
Last write pulse rcvd before reset 00:00:00
Socket not armed for io, armed for read, armed for write
Last write thread event before reset 00:00:00, second last 00:00:00
Last KA expiry before reset 00:00:00, second last 00:00:00
Last KA error before reset 00:00:00, KA not sent 00:00:00
Last KA start before reset 00:00:00, second last 00:00:00
Precedence: internet
Non-stop routing is enabled
Graceful restart is enabled
Restart time is 120 seconds
Stale path timeout time is 360 seconds
Neighbor capabilities:
Route refresh: advertised and received
Graceful Restart (GR Awareness): received
4-byte AS: advertised and received
Address family IPv4 Unicast: advertised and received
Address family IPv4 Labeled-unicast: advertised and received
Address family VPNv4 Unicast: advertised and received
Address family IPv6 Labeled-unicast: advertised and received
Address family VPNv6 Unicast: advertised and received
Received 36025 messages, 0 notifications, 0 in queue
Sent 42771 messages, 0 notifications, 0 in queue
Minimum time between advertisement runs is 0 secs
For Address Family: IPv4 Unicast
BGP neighbor version 34101
Update group: 0.3
Route-Reflector Client
AF-dependent capabilities:
Graceful Restart capability advertised and received
Neighbor preserved the forwarding state during latest restart
Local restart time is 120, RIB purge time is 600 seconds
Maximum stalepath time is 360 seconds
Remote Restart time is 120 seconds
Additional-paths Send: advertised
Additional-paths Receive: advertised and received
Route refresh request: received 0, sent 0
0 accepted prefixes, 0 are bestpaths
Cumulative no. of prefixes denied: 0.
Prefix advertised 31470, suppressed 0, withdrawn 3525
Maximum prefixes allowed 524288
Threshold for warning message 75%, restart interval 0 min
AIGP is enabled
An EoR was received during read-only mode
Last ack version 34101, Last synced ack version 34101
Outstanding version objects: current 0, max 4
Additional-paths operation: Send
AIGP metric verification #2 (for your reference): the route is received with an AIGP metric from the RR, and the best-path calculation considered the AIGP metric
RP/0/1/CPU0:olympic-12c-lr1#sh bgp 61.1.1.0/24 bestpath-compare
BGP routing table entry for 61.1.1.0/24
Versions:
  Process           bRIB/RIB  SendTblVer
  Speaker              31709       31709
Last Modified: Aug 6 06:05:44.392 for 00:26:12
Paths: (2 available, best #1)
Not advertised to any peer
Path #1: Received by speaker 0
Not advertised to any peer
Local
110.11.11.1 (metric 2) from 110.55.55.5 (110.10.10.1)
Origin incomplete, metric 3, localpref 100, aigp metric 111, valid, internal, best, groupbest
Received Path ID 1, Local Path ID 1, version 31709
Originator: 110.10.10.1, Cluster list: 110.50.50.5
best of local AS, Overall best
Path #2: Received by speaker 0
Not advertised to any peer
Local
110.22.22.2 (metric 2) from 110.55.55.5 (110.20.20.2)
Origin incomplete, metric 3, localpref 100, aigp metric 211, valid, internal, backup,
add-path
Received Path ID 3, Local Path ID 3, version 31709
Originator: 110.20.20.2, Cluster list: 110.50.50.5
Higher AIGP metric than best path (path #1)
RP/0/1/CPU0:olympic-12c-lr1#sh route 61.1.1.0/24
Routing entry for 61.1.1.0/24
Known via "bgp 1", distance 200, metric 113 (AIGP metric)
Number of pic paths 1 , type internal
Installed Aug 6 06:05:44.152 for 00:33:50
Routing Descriptor Blocks
110.11.11.1, from 110.55.55.5
Route metric is 113
110.22.22.2, from 110.55.55.5, BGP backup path
Route metric is 113
No advertising protos.
What is Multi-Instance BGP?
A new IOS-XR BGP architecture to support multiple instances along the lines
of OSPF instances
Each BGP instance is a separate process running on the same or a different
RP/DRP node
The BGP instances do not share any prefix table between them
No need for a common adj-rib-in (bRIB) as is the case with distributed BGP
The BGP instances do not communicate with each other and do not set up
peering with each other
Each individual instance can set up peering with another router independently
What is Multi-AS BGP?
It will be possible to configure each instance of a multi-instance BGP with a different AS number
Global address families cannot be configured under more than one AS, except vpnv4 and vpnv6
VPN address families may be configured under multiple AS instances that do not share any VRFs
Why Multi-Instance/Multi-AS?
It provides a mechanism to consolidate the services provided by
multiple routers using a common routing infrastructure into a single
IOS-XR router
It provides a mechanism to achieve AF isolation by configuring the
different AFs in different BGP instances
It provides a means to achieve higher session scale by distributing
the overall peering sessions between multiple instances
It provides a mechanism to achieve higher prefix scale (especially
on a RR) by having different instances carrying different BGP tables
IOS-XR CRS Multi-chassis systems can be used optimally by
placing the different BGP instances on different RP/DRPs
It is the base of Cisco's SP DDoS mitigation mechanism (see the BGP-based DDoS section below)
Configuration Example (for your reference)
Show Command Example (for your reference)
RP/0/0/CPU0:ios#sh bgp instances
Number of BGP instances: 4
ID  Placed-Grp  Name  AS  VRFs  Address Families
-------------------------------------------------------------------------------
0   v4_routing  ipv4  1   0     IPv4 Unicast
1   bgp2_1      ipv6  1   0     IPv6 Unicast
2   bgp3_1      vpn1  3   1     VPNv4 Unicast
3   bgp4_1      vpn2  3   1     VPNv4 Unicast
RP/0/0/CPU0:ios#sh bgp instance ?
  WORD  Specify the bgp instance name
  all   Choose all BGP instances
RP/0/0/CPU0:ios#sh bgp instance all ?
  A.B.C.D         IPv4 network
  A.B.C.D/length  IPv4 network and masklength
  advertised      Show advertised routes
  af-group        Show config information on address family groups
  all             Both ipv4 and ipv6 address families
  attribute-key   Display networks with their associated attribute key index
  cidr-only       Display only routes with non-natural netmasks
  community       Display routes matching the communities
  convergence     Test an address family for convergence
Show Command Example (for your reference)
RP/0/0/CPU0:ios#sh bgp instance all sessions
Wed Sep 28 20:45:56.917 PDT

BGP instance 0: 'ipv4'
======================
Neighbor        VRF      Spk  AS   InQ  OutQ  NBRState     NSRState
10.0.101.1      default  0    1    0    0     Established  -

BGP instance 1: 'ipv6'
======================
Neighbor        VRF      Spk  AS   InQ  OutQ  NBRState     NSRState
10.0.101.2      default  1    1    0    0     Established  -

BGP instance 2: 'vpn1'
======================
Neighbor        VRF      Spk  AS   InQ  OutQ  NBRState     NSRState
20.0.101.1      default  2    200  0    0     Established  -

BGP instance 3: 'vpn2'
======================
Neighbor        VRF      Spk  AS   InQ  OutQ  NBRState     NSRState
20.0.101.2      default  3    200  0    0     Established  -
Attribute Filtering and error-handling
Attribute filtering
Unwanted optional transitive attributes, such as ATTR_SET or a CONFED segment in AS4_PATH, have caused outages on some equipment
Prevent unwanted/unknown BGP attributes from hitting legacy equipment
Block specific attributes
Block a range of non-mandatory attributes
Error-handling
draft-ietf-idr-optional-transitive-04.txt
Punishment should not exceed the crime
Gracefully fix or ignore non-severe errors
Avoid session resets for most cases
Never silently discard a whole Update on error, as that leaves the two peers with inconsistent tables
Architecture
(figure) Malformed BGP Updates (invalid attribute contents, wrong attribute length, unknown or unwanted transitive attributes) pass through three stages in order: Attribute Filtering, then Error-handling, then NLRI processing
Attribute filtering (for your reference)
First level of inbound filtering
Filtering is configured as a range of attribute codes and a corresponding action to take (Note: never discard the whole Update, as that leads to inconsistencies)
Actions
Discard the attribute
Treat-as-withdraw
Applied when parsing each attribute in the received Update message
When an attribute matches the filter, further processing of that attribute is stopped and the corresponding action is taken
Error-handling (for your reference)
Comes into play after attribute-filtering is applied
When we detect one or more malformed attributes or NLRIs or other fields in
the Update message
Steps
Classification of errors
Actions to be taken
Logging
Error-handling details (for your reference)
Classification of errors
Minor: invalid flags, zero length, duplicates, errors in optional-transitive attributes
Medium: errors in non-optional-transitive attributes, inconsistent attribute length
Major: invalid or zero-length NEXT_HOP
Critical: NLRI parsing errors, inconsistent message / total attributes length
Actions taken (mildest first)
Local repair
Discard attribute
Treat-as-withdraw
Reset session
Discard Update message
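Worked example, added here and not part of the Cisco deck: a small Python parser for the Path Attributes field of a BGP UPDATE that applies the two stages above in order, attribute filtering by type-code range first, then the error classification from this slide. The severity names and the action each maps to follow the slide; the concrete checks (flag repair, fixed-length checks, a 0.0.0.0 NEXT_HOP, duplicates, a length that overruns the attribute list) and the sample Updates are this example's own constructions. No class ever results in the Update being silently dropped, in line with "never discard the Update".

```python
"""Parse the Path Attributes of a BGP UPDATE (RFC 4271 section 4.3), run
attribute filtering first, then classify malformed attributes and map each
class to the mildest action that keeps both peers consistent:
minor -> local repair (fix flags / keep first duplicate / drop only the
offending optional attribute), medium and major -> treat-as-withdraw,
critical -> reset session.  Added example, not Cisco code."""
import struct
from dataclasses import dataclass, field

OPTIONAL, TRANSITIVE, PARTIAL, EXT_LEN = 0x80, 0x40, 0x20, 0x10
ORIGIN, AS_PATH, NEXT_HOP, MED, LOCAL_PREF, ATOMIC_AGG = 1, 2, 3, 4, 5, 6
ATTR_SET = 128
WELL_KNOWN = {ORIGIN, AS_PATH, NEXT_HOP, LOCAL_PREF, ATOMIC_AGG}
FIXED_LEN = {ORIGIN: 1, NEXT_HOP: 4, MED: 4, LOCAL_PREF: 4, ATOMIC_AGG: 0}
ACTION = {"minor": "local-repair", "medium": "treat-as-withdraw",
          "major": "treat-as-withdraw", "critical": "reset-session"}
RANK = {"minor": 1, "medium": 2, "major": 3, "critical": 4}

@dataclass
class Result:
    action: str = "accept"
    kept: dict = field(default_factory=dict)   # type code -> (flags, value)
    log: list = field(default_factory=list)

def process_update(path_attrs: bytes, filters=()) -> Result:
    """filters: (low_code, high_code, action) ranges, action being
    'discard-attribute' or 'treat-as-withdraw', e.g. (128, 255, ...) to keep
    unknown/unwanted optional transitive attributes away from the parser."""
    res, seen, worst = Result(), set(), None

    def flag(sev, msg):
        nonlocal worst
        res.log.append(f"{sev}: {msg}")
        if worst is None or RANK[sev] > RANK[worst]:
            worst = sev

    i = 0
    while i < len(path_attrs):
        hdr = 4 if path_attrs[i] & EXT_LEN else 3
        if i + hdr > len(path_attrs):
            flag("critical", "truncated attribute header")
            break
        flags, code = path_attrs[i], path_attrs[i + 1]
        length = (struct.unpack_from("!H", path_attrs, i + 2)[0]
                  if hdr == 4 else path_attrs[i + 2])
        value = path_attrs[i + hdr:i + hdr + length]
        i += hdr + length
        if len(value) != length:   # inconsistent with the total attribute length
            flag("critical", f"attr {code}: length {length} overruns the attribute list")
            break

        # Stage 1: attribute filtering, before any content is parsed.
        act = next((a for lo, hi, a in filters if lo <= code <= hi), None)
        if act == "discard-attribute":
            res.log.append(f"filter: attribute {code} dropped")
            continue
        if act == "treat-as-withdraw":
            flag("medium", f"filter: attribute {code} present")
            continue

        # Stage 2: error handling on whatever survived the filter.
        if code in seen:
            flag("minor", f"duplicate attribute {code}, first copy kept")
            continue
        seen.add(code)
        if code in WELL_KNOWN and flags & OPTIONAL:
            flag("minor", f"attr {code}: Optional flag on a well-known attribute, repaired")
            flags &= ~OPTIONAL                           # local repair
        if code in FIXED_LEN and length != FIXED_LEN[code]:
            if code == NEXT_HOP:
                flag("major", f"NEXT_HOP length {length}")
            elif code in WELL_KNOWN:
                flag("medium", f"attr {code}: length {length}, expected {FIXED_LEN[code]}")
            else:
                flag("minor", f"optional attr {code}: bad length, attribute discarded")
            continue
        if code == NEXT_HOP and value == bytes(4):
            flag("major", "NEXT_HOP is 0.0.0.0")
            continue
        res.kept[code] = (flags, value)

    if worst is not None:
        res.action = ACTION[worst]
    return res

def attr(flags, code, value):
    """Encode one attribute (non-extended length)."""
    return bytes([flags, code, len(value)]) + value

# Constructed sample attributes, not captured traffic.
ORIGIN_IGP = attr(TRANSITIVE, ORIGIN, b"\x00")
AS_PATH_1 = attr(TRANSITIVE, AS_PATH, b"\x02\x01\x00\x00\x00\x01")  # AS_SEQUENCE [1], 4-byte ASN
NH = attr(TRANSITIVE, NEXT_HOP, bytes([10, 0, 0, 1]))
ATTR_SET_OPT = attr(OPTIONAL | TRANSITIVE, ATTR_SET, b"\x00\x00\x00\x01")

def demo():
    clean = process_update(ORIGIN_IGP + AS_PATH_1 + NH)
    filtered = process_update(ORIGIN_IGP + AS_PATH_1 + NH + ATTR_SET_OPT,
                              filters=[(128, 255, "discard-attribute")])
    bad_med = process_update(ORIGIN_IGP + AS_PATH_1 + NH + attr(OPTIONAL, MED, b"\x00"))
    bad_nh = process_update(ORIGIN_IGP + AS_PATH_1 + attr(TRANSITIVE, NEXT_HOP, b""))
    overrun = process_update(ORIGIN_IGP + bytes([TRANSITIVE, AS_PATH, 0x20]) + b"\x02")
    return clean, filtered, bad_med, bad_nh, overrun

if __name__ == "__main__":
    for r in demo():
        print(r.action, sorted(r.kept), r.log)
```

The five constructed Updates exercise each rung of the ladder: a clean Update is accepted, an ATTR_SET is dropped by the filter before it can confuse anything downstream, a MED with the wrong length costs only that attribute, an empty NEXT_HOP turns the Update into a withdraw, and a length that overruns the attribute list is the one case where the session has to be reset because nothing after it can be parsed.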
BGP Origin Validation
Support for the client side of the RPKI-to-Router (RTR) protocol
Separate database to store the record entries received from the cache
Support to announce the path validation state to iBGP neighbours using a well-known path validation state extended community
Modified route policies to incorporate the path validation states
Prefix hijacking
Announce someone else's prefix
Announce a more specific of someone else's prefix
Either way, you are trying to steal someone else's traffic by getting it routed to you
Capture, sniff, redirect, manipulate traffic as you wish
Source: NANOG 46 presentation
What does the solution look like?
Configuration sample (for your reference)
router bgp 64726
bgp always-compare-med
bgp log-neighbor-changes
bgp deterministic-med
no bgp default ipv4-unicast
bgp rpki server tcp 217.193.137.117 port 30000 refresh 60
bgp rpki server tcp 2001:918:FFF9:0:250:56FF:FE15:159 port 8282 refresh 60
bgp rpki server tcp 2001:918:FFF9:0:250:56FF:FE15:159 port 30000 refresh 60
bgp rpki server tcp 217.193.137.117 port 8282 refresh 600
neighbor 2001:428:7000:A:0:1:0:1 remote-as 64209
neighbor 2001:428:7000:A:0:1:0:1 description "To Qwest MPLS"
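Worked example, added here and not Cisco code: RFC 6811 origin validation in Python, producing the same Valid / Invalid / Not Found states that the router reports against the records it pulls from the RPKI cache. It covers the two hijack forms from the "Prefix hijacking" slide (announcing someone else's prefix, and a more specific of it) and the caveats a practitioner runs into: a more specific beyond the ROA's maxLength is Invalid even when announced by the legitimate holder, an AS 0 ROA makes every announcement of that space Invalid, and an AS_PATH ending in an AS_SET has no determinable origin. The VRP table, prefixes and AS numbers are constructed, and the policy values (local preference 200 for valid, 100 for not found, drop invalid) are this example's choice rather than the deck's.

```python
"""RFC 6811 route origin validation against Validated ROA Payloads (VRPs),
the records a router receives from an RPKI cache over RTR.  Added example,
not Cisco code; all VRPs, prefixes and AS numbers below are constructed."""
import ipaddress

class VRP:
    """One Validated ROA Payload: prefix, origin AS, maxLength."""
    def __init__(self, prefix, asn, maxlen=None):
        self.prefix = ipaddress.ip_network(prefix)
        self.asn = asn
        # A ROA without maxLength authorises only the exact prefix length.
        self.maxlen = self.prefix.prefixlen if maxlen is None else maxlen

    def covers(self, net):
        """Covered: same address family and net lies within the VRP prefix."""
        return net.version == self.prefix.version and net.subnet_of(self.prefix)

    def matches(self, net, origin):
        """Matched: covered, length within maxLength, origin AS equal.  An AS 0
        VRP can cover but never match, which is how AS0 ROAs forbid announcement."""
        return (self.covers(net) and net.prefixlen <= self.maxlen
                and self.asn == origin and origin != 0)

def origin_as(as_path, local_as):
    """Origin AS is the rightmost AS of the final AS_PATH segment; an empty
    AS_PATH means a locally originated route.  as_path is a list of
    ('SEQUENCE' | 'SET', [asns]).  If the final segment is an AS_SET the origin
    is undetermined; this example returns None, which validate() treats as
    Invalid when a covering VRP exists (a conservative choice)."""
    if not as_path:
        return local_as
    kind, asns = as_path[-1]
    return asns[-1] if kind == "SEQUENCE" else None

def validate(prefix, origin, vrps):
    """Return 'valid', 'invalid' or 'not-found' (the V / I / N codes)."""
    net = ipaddress.ip_network(prefix)
    covering = [v for v in vrps if v.covers(net)]
    if not covering:
        return "not-found"
    if origin is not None and any(v.matches(net, origin) for v in covering):
        return "valid"
    return "invalid"

# Policy hook for "route policies that incorporate path validation state":
# these local-preference values and the drop are this example's choice.
POLICY = {"valid": ("accept", 200), "not-found": ("accept", 100),
          "invalid": ("drop", None)}

def evaluate(prefix, as_path, vrps, local_as=64726):
    state = validate(prefix, origin_as(as_path, local_as), vrps)
    return (state,) + POLICY[state]

# Constructed VRP table using documentation prefixes and private ASNs.
VRPS = [
    VRP("192.0.2.0/24", 64496),           # holder may announce only the /24
    VRP("198.51.100.0/22", 64497, 24),    # holder may deaggregate down to /24
    VRP("203.0.113.0/24", 0),             # AS0 ROA: nobody may announce this
]

def seq(*asns):
    return [("SEQUENCE", list(asns))]

def demo():
    return {
        "legit":                evaluate("192.0.2.0/24", seq(64500, 64496), VRPS),
        "hijack":               evaluate("192.0.2.0/24", seq(64500, 64511), VRPS),
        "more_specific_hijack": evaluate("192.0.2.128/25", seq(64500, 64511), VRPS),
        "holder_beyond_maxlen": evaluate("192.0.2.128/25", seq(64496), VRPS),
        "deaggregate_ok":       evaluate("198.51.100.0/24", seq(64497), VRPS),
        "as0_roa":              evaluate("203.0.113.0/24", seq(64496), VRPS),
        "as_set_origin":        evaluate("198.51.100.0/24",
                                         [("SEQUENCE", [64500]), ("SET", [64497, 64511])], VRPS),
        "no_roa":               evaluate("10.0.0.0/8", seq(64496), VRPS),
        "local_origin":         evaluate("192.0.2.0/24", [], VRPS, local_as=64496),
    }

if __name__ == "__main__":
    for name, (state, action, lp) in demo().items():
        print(f"{name:22s} {state:10s} {action:6s} localpref={lp}")
```

The "holder_beyond_maxlen" case is the one that surprises operators most: a ROA with no maxLength (or a too-tight one) turns the holder's own traffic-engineering more-specifics Invalid, so customers deaggregating for DDoS mitigation or anycast need ROAs whose maxLength covers the lengths they actually announce.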
Valid vs Unknown vs Invalid routes? (for your reference)
JSV-ASR#sho bgp sum
BGP router identifier 66.77.8.142, local AS number 64726
BGP table version is 11688639, main routing table version 11688639
Path RPKI states: 38286 valid, 1574331 not found, 4558 invalid
404300 network entries using 59836400 bytes of memory
1617175 path entries using 103499200 bytes of memory
66778/66761 BGP path/bestpath attribute entries using 9081808 bytes of memory
62642 BGP AS-PATH entries using 2273670 bytes of memory
1347 BGP community entries using 70456 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 174761534 total bytes of memory
808583 received paths for inbound soft reconfiguration
BGP activity 744131/330548 prefixes, 7084275/5448612 paths, scan interval 60 secs
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
63.231.216.9    4 64726   17784   17789 11688639    0    0 1d01h           3
65.119.97.101   4 64209       0       0        1    0    0 16:57:38 Idle (Admin)
66.77.8.129     4   209  216390    4021 11688634    0    0 2d12h      404293
66.77.8.130     4   209  212278    4020 11688634    0    0 2d12h      404290
66.77.8.150     4 64726   70180  227968 11688639    0    0 1d16h           3
JSV-ASR#
What do you see in the BGP table? (for your reference)
JSV-ASR#sho bgp
BGP table version is 11698585, local router ID is 66.77.8.142
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
     Network          Next Hop            Metric LocPrf Weight Path
V*>  0.0.0.0/1        0.0.0.0                  0         32768 i
V* i 0.0.0.0          66.77.8.150              0    100    100 i
N*   1.0.0.0/24       66.77.8.130              0          1000 209 i
N*>                   66.77.8.129              0          1000 209 i
N*   1.0.4.0/22       66.77.8.130        7800038          1000 209 15169 i
N*>                   66.77.8.129        7800038          1000 209 15169 i
N*   1.0.16.0/23      66.77.8.130        8000039          1000 209 4323 7545 7545 7545 7545 56203 i
N*>                   66.77.8.129        8000039          1000 209 4323 7545 7545 7545 7545 56203 i
N*   1.0.18.0/23      66.77.8.130        8000039          1000 209 2914 2519 i
N*>                   66.77.8.129        8000039          1000 209 2914 2519 i
N*   1.0.20.0/23      66.77.8.130        8000039          1000 209 2914 2519 i
N*>                   66.77.8.129        8000039          1000 209 2914 2519 i
N*                    66.77.8.130        8000039          1000 209 2914 2519 i
Multicast VPN Solution Space (complete solution is now available)
(table) Service: IPv4 native, IPv6 native, IPv4 m VPN, IPv6 mVPN
C-Multicast signaling: PIM, BGP
Core tree signaling: PIM (pt-mpt), MLDP (pt-mpt | mpt-mpt), P2MP TE (pt-mpt)
Encapsulation/Forwarding: IP/GRE, LSM
Multicast VPN BGP Signaling
(figure: BGP auto-discovery through the RR between PE1, PE2, PE3 and PE4; CE1 is the source, CE2 the RP, CE3 and CE4 the receivers; the PIM C-Joins (*,G) or (S,G) from the receiver CEs are carried across the core as BGP C-mroutes)
BGP customer-multicast signaling and BGP auto-discovery are now added to the multicast VPN solution
Auto-discovery of PEs and core tree/tunnel information
Advertisement of customer multicast routes
BGP as overlay allows Service Providers to capitalise on a single protocol
BGP Graceful Shutdown
BGP Graceful Shutdown allows maintenance on a router without service disruption.
RFC 6198 (April 2011): Requirements for the Graceful Shutdown of BGP Sessions
Old behaviour
If the session drops, BGP withdraws all prefixes learned over that session
BGP has no mechanism to signal that a prefix will soon be unreachable (for maintenance, for example)
Historically RRs have worsened the issue: they tend to hide the alternate path, as they only forward the best path
New behaviour
(figure: the router entering graceful shutdown re-advertises prefix 10.45 with localpref 10; the neighbour's traffic is redirected to the other path before the session is closed)
This new knob allows a router to notify its neighbours to redirect traffic to other paths; after some time it drops the BGP sessions.
The notification can be done using the Local Preference attribute or a user community attribute
Graceful Shutdown
GSHUT well-known community
The GSHUT community attribute is applied to the paths sent to a neighbour specified by the neighbor shutdown graceful command, thereby gracefully shutting down the session after the configured number of seconds
On the receiving side the GSHUT community is specified in a community list, which is referenced by a route map and then used to make policy decisions (typically lowering the preference of those paths)
neighbor {ipv4-address | ipv6-address | peer-group-name} shutdown graceful seconds {community value [local-preference value] | local-preference value}
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bgp/configuration/15-s/irg-15-s-book.pdf
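Worked example, added here and not Cisco code, that serves both the AIGP bestpath-compare output earlier in this section (61.1.1.0/24 with AIGP metric 111 preferred over 211) and the graceful-shutdown knob on this slide: a Python best-path selector whose decision order places AIGP right after local preference, and a receiver-side policy that drops local preference to 0 on paths tagged with the GSHUT community, so the alternate path becomes best before the session is torn down. The decision order follows the usual Cisco/RFC 4271 sequence with the AIGP step of RFC 7311; the community value 65535:0 is the GRACEFUL_SHUTDOWN value from the IETF graceful-shutdown work, and every path value (IGP metrics, AS paths, upstream addresses) is constructed for the demonstration.

```python
"""BGP best-path selection with the AIGP step and inbound handling of the
GSHUT community.  Added example, not Cisco code.  Decision order: weight,
local preference, AIGP (RFC 7311), AS-path length, origin, MED, eBGP over
iBGP, IGP metric to next hop, router ID.  All path values are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}
GSHUT = (65535, 0)        # GRACEFUL_SHUTDOWN well-known community, 65535:0

@dataclass
class Path:
    next_hop: str
    router_id: str                     # originator (iBGP) or peer router ID
    as_path: Tuple[int, ...] = ()
    local_pref: int = 100
    weight: int = 0
    aigp: Optional[int] = None
    origin: str = "igp"
    med: int = 0
    ebgp: bool = False
    igp_metric: int = 0                # IGP cost to next_hop
    communities: List[Tuple[int, int]] = field(default_factory=list)

def ip_key(ip: str):
    return tuple(int(o) for o in ip.split("."))

def sort_key(p: Path):
    """Lower tuple wins; 'higher is better' steps are negated.  A path that
    carries AIGP is preferred over one without it (RFC 7311 section 4.1),
    so a missing AIGP sorts after any value."""
    return (-p.weight,
            -p.local_pref,
            (1, 0) if p.aigp is None else (0, p.aigp),
            len(p.as_path),
            ORIGIN_RANK[p.origin],
            p.med,
            0 if p.ebgp else 1,
            p.igp_metric,
            ip_key(p.router_id))

def bestpath(paths: List[Path]) -> Path:
    return min(paths, key=sort_key)

def gshut_inbound(p: Path) -> Path:
    """Receiver-side policy: a path tagged GSHUT stays in the table but gets
    local preference 0, so any alternative wins before the session drops."""
    if GSHUT in p.communities:
        p.local_pref = 0
    return p

def demo_aigp():
    """Two iBGP paths for 61.1.1.0/24 learned via the RR, modelled on the
    bestpath-compare output (AIGP 111 vs 211).  The IGP metrics are chosen so
    that the closer next hop is the one with the worse AIGP: AIGP wins."""
    p1 = Path("110.11.11.1", "110.10.10.1", aigp=111, origin="incomplete", med=3, igp_metric=2)
    p2 = Path("110.22.22.2", "110.20.20.2", aigp=211, origin="incomplete", med=3, igp_metric=1)
    with_aigp = bestpath([p1, p2]).next_hop
    p1.aigp = p2.aigp = None                     # same paths without the attribute
    without_aigp = bestpath([p1, p2]).next_hop   # IGP metric now decides
    return with_aigp, without_aigp

def demo_gshut():
    """eBGP prefix 10.45.0.0/16 from two upstreams.  The one going into
    maintenance tags its paths with GSHUT; after the inbound policy the other
    path is best, so the later session drop withdraws an unused path."""
    via_maint = Path("192.0.2.1", "192.0.2.1", as_path=(64500,), ebgp=True)
    via_other = Path("198.51.100.1", "198.51.100.1", as_path=(64501, 64502), ebgp=True)
    before = bestpath([via_maint, via_other]).next_hop
    via_maint.communities.append(GSHUT)          # upstream starts graceful shutdown
    after = bestpath([gshut_inbound(via_maint), via_other]).next_hop
    return before, after

if __name__ == "__main__":
    print("AIGP  (with, without):", demo_aigp())
    print("GSHUT (before, after):", demo_gshut())
```

The GSHUT half only works if the receiving side actually has a policy matching the community; a router that accepts the tagged path unchanged keeps forwarding on it until the session finally drops, which is exactly the outage the knob is meant to avoid.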
DDoS Mitigation: a stepping-stone approach
Phase I: ACL, RTBH, PBR, uRPF
Phase II: malicious traffic mitigation; cleaning of malicious traffic; dirty and clean traffic handling; usage of Multi-instance BGP (IOS-XR 4.3.1, IOS-XE partial)
Phase III: dynamic application-aware redirection and traffic handling
DDoS Overview
Distributed denial-of-service (DDoS) attacks target network infrastructure or computer services by sending an overwhelming number of service requests to the server from many sources.
Server resources are used up serving the fake requests, resulting in denial or degradation of service for legitimate requests
Addressing DDoS attacks
Detection: detect the incoming fake requests
Mitigation
Diversion: send the traffic to a specialised device that removes the fake packets from the traffic stream while retaining the legitimate packets
Return: send the clean traffic back to the server
DDoS impact on customer business (for your reference)
Enterprise customers can't defend themselves: when the DDoS hits the firewall it is already too late.
The SP could protect the enterprise by cleaning the DDoS traffic at the ingress peering point.
New revenue for the SP.
A mandated service to propose to financial and highly visible customers.
DDoS trends (NANOG source, for your reference)
Any Internet operator can be a target for DDoS
Ideologically motivated hacktivism and on-line vandalism are the most commonly identified DDoS attack motivations
Size and scope of attacks continue to grow at an alarming pace
High-bandwidth DDoS attacks are the new normal: over 40% of respondents report attacks greater than 1 Gbps and 13% report attacks greater than 10 Gbps
Increased sophistication and complexity of layer-7 DDoS attacks; multi-vector DDoS attacks are becoming more common
First-ever reports of IPv6 DDoS attacks 'in the wild' on production networks
DDoS mitigation architecture
1. Detection (no DDoS)
(figure: the PEs export sampled NetFlow to the DDoS analyser on the security server; the DDoS scrubber is idle)
The analyser scans the NetFlow data to detect DDoS attacks
DDoS mitigation architecture
2. Detection (DDoS)
(figure: sampled NetFlow from the PEs reaches the DDoS analyser; the DDoS scrubber is still idle)
The analyser scans the NetFlow data and finds a DDoS signature
DDoS mitigation architecture
3. Redirect traffic to the DDoS scrubber
(figure: the security server signals the routers using BGP DDoS mitigation)
The analyser scans the NetFlow data and finds a DDoS signature
BGP DDoS Mitigation action: redirect the traffic to the DDoS scrubber
DDoS Mitigation: Architecture Considerations
Normal traffic flow when there is no attack
Redirect traffic from any edge PE to any specific DDoS scrubber
Including the PE that is connected to the host network
Granular (prefix level/network) diversion
Customers buy the DDoS mitigation service for some prefixes
Pre-provisioned DDoS service for those prefixes (using policy such as a standard community flag)
Centralised controller that injects the diversion route
VPN-based labelled return path for the clean traffic
To prevent routing loops
The solution supports redirection of BGP less/more specific prefixes or locally originated prefixes (static route, redistributed route)
Support for multi-homed customers
During an attack, send the clean traffic from the DDoS scrubber to multiple PEs
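Worked example, added here and not Cisco code, of the detection and controller side described on the last few slides: Python code that aggregates constructed sampled NetFlow records per destination, flags a host as under attack when its estimated packet rate spikes against its baseline and the traffic is either widely distributed or almost entirely bare SYNs, and for protected prefixes emits the /32 diversion announcement (next hop = the scrubber) that the security server would inject into the DDoS route-reflector, followed by the withdrawal once the destination has been quiet for a few windows. The deck does not specify a detection algorithm; the 1:1000 sampling rate, thresholds, hold time, addresses and flow records are all assumptions of this example.

```python
"""Detection and controller side of the BGP-based DDoS architecture:
aggregate sampled NetFlow per destination, decide whether a protected host
is under attack, emit the /32 diversion route (next hop = scrubber) for the
DDoS route-reflector, and withdraw it once traffic has been quiet.
Added example, not Cisco code; sampling rate, thresholds, addresses and
flow records are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

SAMPLE_RATE = 1000        # 1:1000 packet sampling on the PEs (assumed)
WINDOW_S = 60             # one analysis window in seconds (assumed)
SYN, ACK = 0x02, 0x10     # TCP flag bits as exported in NetFlow

@dataclass
class Flow:
    """One sampled flow record (constructed, not a real export)."""
    src: str
    dst: str
    proto: int
    dport: int
    packets: int
    tcp_flags: int = 0

@dataclass
class Decision:
    dst: str
    pps: float
    sources: int
    syn_ratio: float
    under_attack: bool

def analyse(flows, baseline_pps, pps_factor=10, min_sources=50,
            syn_ratio=0.8, default_baseline=100.0):
    """Per-destination aggregation.  A host is flagged when its estimated
    packet rate exceeds pps_factor x baseline AND the traffic is either
    distributed (many sources) or almost entirely bare SYNs."""
    pkts, srcs, syns = defaultdict(int), defaultdict(set), defaultdict(int)
    for f in flows:
        pkts[f.dst] += f.packets
        srcs[f.dst].add(f.src)
        if f.proto == 6 and f.tcp_flags & SYN and not f.tcp_flags & ACK:
            syns[f.dst] += f.packets
    out = {}
    for dst, n in pkts.items():
        pps = n * SAMPLE_RATE / WINDOW_S
        ratio = syns[dst] / n
        spike = pps > pps_factor * baseline_pps.get(dst, default_baseline)
        suspicious = len(srcs[dst]) >= min_sources or ratio >= syn_ratio
        out[dst] = Decision(dst, pps, len(srcs[dst]), ratio, spike and suspicious)
    return out

class DiversionController:
    """Security-server logic: only prefixes the customer bought mitigation
    for may be diverted (the pre-provisioned, prefix-level service); a
    diversion is withdrawn after hold_windows quiet windows."""
    def __init__(self, protected, scrubber_nh, hold_windows=3):
        self.protected = [ipaddress.ip_network(p) for p in protected]
        self.scrubber_nh = scrubber_nh
        self.hold_windows = hold_windows
        self.diverted = {}            # host -> quiet windows since last alert

    def is_protected(self, host):
        a = ipaddress.ip_address(host)
        return any(a in n for n in self.protected)

    def update(self, decisions):
        """Return this window's BGP actions as (verb, prefix, next_hop)."""
        actions = []
        for dst, d in decisions.items():
            if d.under_attack and self.is_protected(dst):
                if dst not in self.diverted:
                    actions.append(("announce", f"{dst}/32", self.scrubber_nh))
                self.diverted[dst] = 0
        for dst in list(self.diverted):
            if not (dst in decisions and decisions[dst].under_attack):
                self.diverted[dst] += 1
                if self.diverted[dst] >= self.hold_windows:
                    del self.diverted[dst]
                    actions.append(("withdraw", f"{dst}/32", self.scrubber_nh))
        return actions

# Constructed windows: 1.1.1.1 is the protected server from the figures,
# 1.1.1.2 is a neighbouring host that did not buy the service.
BASELINE = {"1.1.1.1": 500.0, "1.1.1.2": 500.0}
NORMAL_WINDOW = [Flow(f"10.0.{i}.7", "1.1.1.1", 6, 443, 5, SYN | ACK) for i in range(3)]
ATTACK_WINDOW = [Flow(f"203.0.113.{i}", dst, 6, 443, 5, SYN)
                 for i in range(120) for dst in ("1.1.1.1", "1.1.1.2")]

def demo():
    ctl = DiversionController(protected=["1.1.1.1/32"], scrubber_nh="3.3.3.3")
    windows = [NORMAL_WINDOW, ATTACK_WINDOW, ATTACK_WINDOW,
               NORMAL_WINDOW, NORMAL_WINDOW, NORMAL_WINDOW]
    return [ctl.update(analyse(w, BASELINE)) for w in windows]

if __name__ == "__main__":
    for n, acts in enumerate(demo(), 1):
        print(f"window {n}: {acts}")
```

Two details matter operationally: the controller diverts only hosts inside the pre-provisioned list, so 1.1.1.2 is detected but never diverted, and the withdrawal is held back for several quiet windows so that a brief lull in the attack does not flap the diversion route across every PE.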
The concept: traffic under normal conditions
(figure: Internet users -> PE1 -> ISP -> PE2 -> Server; the Scrubber hangs off PE3; the Security analyser and Security server are the pre-provisioned DDoS instrumentation)
Traffic takes the shortest path
Upstream and downstream traffic follow traditional routing
Pre-provisioned DDoS instrumentation
Traffic Scrubber: separates clean and malicious traffic
Security Analyser: analyses NetFlow/IPFIX statistics from the traffic flows
Security Server: acts upon the traffic analysis by communicating with the infrastructure routers
BGP based DDoS: traffic under DDoS condition
(figure: same topology; traffic from PE1 now goes to PE3 and the Scrubber, and the clean traffic continues to PE2 and the Server)
Traffic is redirected to a scrubber
The scrubber separates the clean from the malicious traffic
Clean traffic is returned to the original destination server
Goal
Do not drop all traffic
Collect traffic intelligence
Operational simplicity
Easy to remove the redirect when traffic normalises
How does it work? Normal traffic condition
(figure: Internet users -> PE1 (4.4.4.4) -> ISP -> PE2 (2.2.2.2) -> Server 1.1.1.1/32; Scrubber behind PE3 (3.3.3.3); Internet and VPN Route-Reflector 5.5.5.5; Security analyser and Security server)
All PEs peer with the RR
All PEs exchange both global Internet and VPN prefixes
All PE interfaces are non-VPN
The Security analyser is performing its analysis
PE1 routing table:
Destination   Next-hop
1.1.1.1/32    2.2.2.2
How does it work? Server is under DDoS
(figure: same topology as above)
The flow is detected as dirty by the Security analyser
Result: the Server is under attack
Traffic needs to be redirected to the scrubber to mitigate the attack
PE1 routing table:
Destination   Next-hop
1.1.1.1/32    2.2.2.2
How does it work? Server is under DDoS
(figure: a DDoS Route-Reflector 6.6.6.6 is added next to the Internet and VPN Route-Reflector 5.5.5.5)
The DDoS Route-Reflector was pre-provisioned
The mitigation route to 1.1.1.1/32 is injected on the DDoS RR by the Security server
The mitigation route to 1.1.1.1/32 points to 3.3.3.3 on the DDoS mitigation RR
DDoS RR table:
Destination   Next-hop
1.1.1.1/32    3.3.3.3
How does it work? Server is under DDoS
The mitigation route to 1.1.1.1/32 pointing to 3.3.3.3 is signalled to all PEs
All PEs receive the mitigation route from the DDoS mitigation RR
Each PE now has 2 routes to reach 1.1.1.1/32
Which route will the PE use?
PE1 BGP table:
Destination   Next-hop
1.1.1.1/32    2.2.2.2
1.1.1.1/32    3.3.3.3
PE1 routing table:
Destination   Next-hop
1.1.1.1/32    ????????????
How does it work? Server is under DDoS: Trick #1
The DDoS mitigation route will ALWAYS be preferred, even if
both prefix lengths are the same
the DDoS prefix is shorter
the original prefix has a better administrative distance
PE1 BGP table:
Destination   Next-hop
1.1.1.1/32    2.2.2.2
1.1.1.1/32    3.3.3.3
PE1 routing table:
Destination   Next-hop
1.1.1.1/32    3.3.3.3
How does it work? Server is under DDoS
(figure: the dirty flow goes from PE1 to PE3 and the Scrubber; clean traffic leaves the Scrubber)
The mitigated traffic flows towards PE3 (3.3.3.3)
PE3 sends the dirty flow towards the scrubber
The scrubber will
handle and remove the dirty traffic within the original flow
send the cleaned traffic towards the original destination (1.1.1.1 at PE2 (2.2.2.2))
PE1 BGP table:
Destination   Next-hop
1.1.1.1/32    2.2.2.2
1.1.1.1/32    3.3.3.3
PE1 routing table:
Destination   Next-hop
1.1.1.1/32    3.3.3.3
How does it work? Server is under DDoS: Problem
The scrubber sends the clean traffic back to PE3
PE3 does a routing lookup for 1.1.1.1 in its global table and finds the diversion route, which points straight back to the scrubber
ROUTING LOOP!!!
How do we fix this?
We use a new, isolated routing table for the clean traffic
This routing table is pre-provisioned inside a VPN
PE3 BGP table:
Destination   Next-hop
1.1.1.1/32    2.2.2.2
1.1.1.1/32    3.3.3.3
PE3 routing table:
Destination   Next-hop
1.1.1.1/32    3.3.3.3
How does it work? Server is under DDoS
The clean traffic is injected at PE3 on an interface that is a member of VPN Clean
PE3 now does a destination lookup for 1.1.1.1 in VPN Clean
The matching routing table entry points towards PE2 at 2.2.2.2
The clean flow, now part of VPN Clean, is sent towards PE2, reachable at 2.2.2.2
PE3 BGP table:
Destination   Next-hop
1.1.1.1/32    2.2.2.2
1.1.1.1/32    3.3.3.3
PE3 routing table:
Table       Destination   Next-hop
VPN Clean   1.1.1.1/32    2.2.2.2
Global      1.1.1.1/32    3.3.3.3
How does it work? Server is under DDoS
PE2 receives the clean flow within VPN Clean
PE2 does a destination address routing lookup in VPN Clean
A matching route is found in VPN Clean
The flow is forwarded towards CE1 and onwards to the Server
PE2 routing table:
Table       Destination   Next-hop
VPN Clean   1.1.1.1/32    CE1
Global      1.1.1.1/32    3.3.3.3
HOLD on a minute!
PE2 does not have any interface that is part of VPN Clean
All interfaces on PE2 are global interfaces
So how did that clean route for 1.1.1.1 get into VPN Clean?
How does it work? Trick #2
Copy the locally inserted BGP route directly into the VPN Clean BGP table
Neighbour details are inherited from the global table, i.e. the outgoing interface and the next-hop
The interface pointing towards CE1 is NOT VPN aware
This VPN Clean route is distributed as a normal VPN route
New CLI command to do that:
import from default-vrf route-policy ddos advertise-as-vpn
PE2 BGP table:
Table       Destination   Next-hop
Global      1.1.1.1/32    3.3.3.3
Global      1.1.1.1/32    CE1
VPN Clean   1.1.1.1/32    CE1
PE2 routing table:
Table       Destination   Next-hop
VPN Clean   1.1.1.1/32    CE1
Global      1.1.1.1/32    3.3.3.3
Going back to traditional traffic flow
(figure: the Internet and VPN Route-Reflector 5.5.5.5 and the DDoS Route-Reflector; before removal the DDoS RR still holds 1.1.1.1/32 with next-hop 3.3.3.3)
Remove the routing entry on the DDoS mitigation RR
No route remains on the DDoS mitigation RR
Traffic flows normally again
Configuration (1) (for your reference)
router bgp 99 instance ddos
 bgp router-id 3.3.3.3
 bgp read-only
 bgp install diversion
 address-family ipv4 unicast
!
router bgp 99
 bgp router-id 2.2.2.2
 address-family ipv4 unicast
!
Notes on the DDoS instance:
"router bgp 99 instance ddos" creates the DDoS BGP instance (allows configuring a 2nd IPv4 or IPv6 instance)
"bgp read-only" suppresses BGP Update generation
"bgp install diversion" triggers the ddos instance to install the diversion path into the RIB, so that the paths are pushed down to the FIB
Configuration (2)
Importing the global routes into the clean VRF
vrf clean
 address-family ipv4 unicast
  import from default-vrf route-policy ddos advertise-as-vpn
  export route-target
   111:1
  !
 !
 address-family ipv6 unicast
  import from default-vrf route-policy ddos advertise-as-vpn
  export route-target
   111:1
  !
 !
!
show commands (for your reference)
RP/0/0/CPU0:hydra-prp-A#show route
Codes: C - connected, S - static, R - RIP, B - BGP, (>) - Diversion path
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - ISIS, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, su - IS-IS summary null, * - candidate default
       U - per-user static route, o - ODR, L - local, G - DAGR
       A - access/subscriber, a - Application route, (!) - FRR Backup path

Gateway of last resort is not set

O    1.0.11.0/24 [110/2] via 13.0.3.1, 00:36:19, GigabitEthernet0/2/1/5
O    1.1.1.1/32 [110/2] via 13.0.3.1, 00:36:19, GigabitEthernet0/2/1/5
L    2.2.2.2/32 is directly connected, 00:37:24, Loopback0
O    3.3.3.3/32 [110/2] via 87.0.1.2, 00:36:19, GigabitEthernet0/2/1/9
O    4.4.4.4/32 [110/3] via 13.0.3.1, 00:36:19, GigabitEthernet0/2/1/5
                [110/3] via 87.0.1.2, 00:36:19, GigabitEthernet0/2/1/9
B    5.5.5.5/32 [200/0] via 1.1.1.1, 00:34:22
B >             [200/0] via 123.0.0.2, 00:34:22
[...]
show commands (2) (for your reference)
RP/0/0/CPU0:hydra-prp-A#show route 5.5.5.5/32
Routing entry for 5.5.5.5/32
Known via "bgp 2394-ro", distance 200, metric 0, type internal
Installed Feb 19 22:56:45.896 for 00:34:33
Routing Descriptor Blocks
1.1.1.1, from 1.1.1.1
Route metric is 0
123.0.0.2, from 101.0.0.4, Diversion Path (bgp)
Route metric is 0
No advertising protos.
RP/0/0/CPU0:hydra-prp-A#show cef 5.5.5.5/32 det
5.5.5.5/32, version 60652, internal 0x14000001 (ptr 0xaf6e3840) [1], 0x0 (0x0), 0x0 (0x0)
Updated Feb 19 22:56:46.723
local adjacency 87.0.1.2
Prefix Len 32, traffic index 0, precedence n/a, priority 4
gateway array (0xae07a310) reference count 2, flags 0x8020, source rib (5), 0 backups
[1 type 3 flags 0xd0141 (0xae10f8c0) ext 0x420 (0xaec261e0)]
LW-LDI[type=0, refc=0, ptr=0x0, sh-ldi=0x0]
via 123.0.0.2, 2 dependencies, recursive [flags 0x6000]
path-idx 0 [0xaf6e3c00 0x0]
next hop 123.0.0.2 via 123.0.0.0/24
Load distribution: 0 (refcount 1)
Hash  OK  Interface               Address
0     Y   GigabitEthernet0/2/1/9  87.0.1.2
show commands (3) (for your reference)
RP/0/0/CPU0:hydra-prp-A# show route 123.0.0.2
Routing entry for 123.0.0.0/24
Known via "ospf 100", distance 110, metric 2, type intra area
Installed Feb 19 22:54:48.363 for 00:39:01
Routing Descriptor Blocks
87.0.1.2, from 3.3.3.3, via GigabitEthernet0/2/1/9
Route metric is 2
No advertising protos.
RP/0/0/CPU0:hydra-prp-A#
RP/0/0/CPU0:hydra-prp-A#show route 1.1.1.1
Routing entry for 1.1.1.1/32
Known via "ospf 100", distance 110, metric 2, type intra area
Installed Feb 19 22:54:49.259 for 00:49:20
Routing Descriptor Blocks
13.0.3.1, from 1.1.1.1, via GigabitEthernet0/2/1/5
Route metric is 2
No advertising protos.
Summary
Motivation to Enhance BGP
Scale and Performance Enhancements
What happened in BGP Landscape?
Some new Cool features that may interest you
Bloody Good Protocol