BRKRST-3371
What is BGP?
What does a Google search for the abbreviation BGP find?
Source: http://www.all-acronyms.com/BGP
Cisco Public
The Bloody Good Protocol
Agenda
Offered BGP services have evolved from basic technologies to very advanced infrastructures
Control-plane Evolution
Most services are progressing towards BGP
Figure (control-plane evolution per service/transport; the service-to-technology pairings were not recovered). Services shown: IDR (Peering), SP L3VPN, SP Multicast VPN, DDoS mitigation, Network Monitoring, Security, Proximity, SP-L3VPN-DC, DC Interconnect L2VPN, MPLS transport, Data Center, Campus/Ent L3VPN. Technologies shown: BGP, BGP (IPv6), PIM, CLI, BGP flowspec, SNMP, Filters, LDP, OSPF/ISIS, BGP + Multipath, NHRP / EIGRP, BGP (IOS), BGP (NX-OS).
Keepalive Enhancements
Lost or delayed keepalive messages result in session flaps
Hence keepalive processing is now placed into a separate process that uses a priority queuing mechanism
Slow peer detection and protection
Detection: BGP update timestamps
Protection
Move slower peers out of the update group
A separate slow update group with matching policies is created
Any slow members are moved to the slow update group
Automatic recovery
Slow peers are periodically checked for recovery
Static protection
[no] neighbor slow-peer split-update-group static
Dynamic detection
[no] bgp slow-peer detection [threshold <seconds>]
[no] neighbor slow-peer detection [threshold <seconds>]
Dynamic protection
[no] bgp slow-peer split-update-group dynamic [permanent]
[no] neighbor slow-peer split-update-group dynamic [permanent]
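How the detection and split-update-group protection above fit together, as an added model written for this page (not Cisco's implementation; `SlowPeerManager`, `Peer` and the constructed peer names A, B, C are assumptions): a peer whose oldest queued update is older than the threshold is moved to a slow group with the same policy, and moved back when it catches up unless the split is permanent.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Peer:
    name: str
    # Timestamp (seconds) of the oldest update still queued for this peer;
    # None means the peer has drained its queue.
    oldest_pending: Optional[float] = None

@dataclass
class UpdateGroup:
    policy: str                                  # outbound policy shared by members
    members: Dict[str, Peer] = field(default_factory=dict)

class SlowPeerManager:
    """Dynamic detection (update timestamps vs. threshold) plus dynamic
    protection (split-update-group), with periodic recovery."""

    def __init__(self, threshold: float = 300.0, permanent: bool = False):
        self.threshold = threshold               # slow-peer detection threshold <seconds>
        self.permanent = permanent               # split-update-group dynamic permanent
        self.groups: Dict[str, UpdateGroup] = {}       # policy -> normal update group
        self.slow_groups: Dict[str, UpdateGroup] = {}  #policy -> slow update group

    def add_peer(self, peer: Peer, policy: str) -> None:
        self.groups.setdefault(policy, UpdateGroup(policy)).members[peer.name] = peer

    def is_slow(self, peer: Peer, now: float) -> bool:
        return peer.oldest_pending is not None and now - peer.oldest_pending > self.threshold

    def detect(self, now: float) -> List[str]:
        """Move slow peers into a slow group with matching policy so the other
        members' update generation is no longer held back. Returns names moved."""
        moved: List[str] = []
        for policy, group in self.groups.items():
            for name in [n for n, p in group.members.items() if self.is_slow(p, now)]:
                slow = self.slow_groups.setdefault(policy, UpdateGroup(policy))
                slow.members[name] = group.members.pop(name)
                moved.append(name)
        return moved

    def recover(self, now: float) -> List[str]:
        """Periodic check: peers that caught up return to the normal group,
        unless the split was configured as permanent. Returns names moved back."""
        if self.permanent:
            return []
        recovered: List[str] = []
        for policy, slow in self.slow_groups.items():
            for name in [n for n, p in slow.members.items() if not self.is_slow(p, now)]:
                self.groups.setdefault(policy, UpdateGroup(policy)).members[name] = slow.members.pop(name)
                recovered.append(name)
        return recovered

    def membership(self) -> Dict[str, List[str]]:
        """Snapshot of group membership, e.g. {'rr-clients': ['A', 'C'], 'rr-clients (slow)': ['B']}."""
        snap = {policy: sorted(g.members) for policy, g in self.groups.items()}
        snap.update({policy + " (slow)": sorted(g.members) for policy, g in self.slow_groups.items()})
        return snap

def demo() -> Dict[str, List[str]]:
    """Constructed scenario: RR clients A, B, C share one policy; B falls 400 s behind."""
    mgr = SlowPeerManager(threshold=300.0)
    for name in ("A", "B", "C"):
        mgr.add_peer(Peer(name), "rr-clients")
    now = 10_000.0
    mgr.groups["rr-clients"].members["B"].oldest_pending = now - 400   # beyond threshold
    mgr.groups["rr-clients"].members["C"].oldest_pending = now - 30    # normal backlog
    mgr.detect(now)                                                    # B -> slow group
    return mgr.membership()
```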
ASR1000 RP2, RP1, ASR1001 and 7200 BGP Route and Session Scalability Comparison - RR
                7200      ASR1000    ASR1001  ASR1001  ASR1001  ASR1000    ASR1000
                (NPE-G2)  RP1 (4GB)  (4GB)    (8GB)    (16GB)   RP2 (8GB)  RP2 (16GB)
ipv4 routes     4M        7M*        2M*      9M*      17M*     12M*       29M*
vpnv4 routes    7M        6M         2M       8M       16M      10M        24M
ipv6 routes     2M        5M*        2M*      8M*      15M*     9M*        24M*
vpnv6 routes    6M        5M         1.5M     7.5M     14.5M    9M         21M
BGP sessions    <1000     4000       4000     4000     4000     8000       8000
Tested with the BGP selective download feature for ipv4/ipv6 for a dedicated RR application. This feature prevents ipv4/ipv6 BGP routes from being installed in the RIB and FIB; it reduces memory usage per ipv4/ipv6 prefix and CPU utilization.
ASR 1000 with RP1 allocates ~1.7GB to IOSd, ASR 1001 with 4GB allocates ~1.4GB to IOSd, whereas on NPE-G2 the entire 2GB is used by IOS.
ASR1001 (16GB) Convergence (in seconds)
Rows (row label, then three convergence values in seconds; column headings not recovered):
1 Billion: 220, 133, 75
1 Billion: 680, 489, 221
1 Billion: 720, 393, 194
1 Billion: 877, 811, 293
2 Billion: 375, 270, 138
2 Billion: 1285, 797, 394
2 Billion: 1126, 897, 284
2 Billion: 1766, 1691, 551
IOS-XR release timeline: 4.1, 4.1.1 (RT-Constraint), 4.2, 4.2.1 (Multi-Instance/Multi-AS), 4.2.3, 4.2.4, 4.3.0, 4.3.1.
IOS release timeline
15.2(2)S: Graceful Shutdown, iBGP NSR, mVPN BGP SAFI 129, NSR without Route-Refresh, Origin AS Validation
15.2(4)S, 15.3(1)S, 15.3(2)S (feature-to-release mapping not recovered): Local-AS allow-policy, RT/VPN-ID Attribute Rewrite Wildcard, VRF Aware Conditional Announcement, Additional Path, Attribute Filtering and Error Handling, Diverse Path, Graceful Shutdown, IPv6 client for Single hop BFD, IPv6 PIC Core and Edge, RT Constraint, IP Prefix export from a VRF into global Table
Releases 3.8, 3.9: IPv6 NSR, Local-AS Allow-policy, RT or VPN-ID Rewrite Wildcard, VRF Aware Conditional Advertisement
Releases 6.0, 6.1, 6.2: BGP AddPath, BGP send community both, BGP Neighbor AF weight command
The BGP Best-External project provides support for advertising the best external path to iBGP/RR peers when the locally selected bestpath is from an internal peer
BGP PIC Unipath provides the capability to install a backup path in the forwarding table, giving prefix-independent convergence in case of a PE-CE link failure
Figure (BGP PIC Edge, steady state): VPN1 Site #1 (10.1.1.0/24, CE1) attaches to PE2; across the MPLS Cloud (with an RR), VPN1 Site #2 (10.2.2.0/24, CE2) is dual-homed to PE3 (primary) and PE4 (backup). Traffic flows CE1 - PE2 - PE3 - CE2.
CEF (via BFD or a link-layer mechanism) detects the PE3-CE2 link failure
CEF immediately swaps to the repair-path label
Traffic is shunted to PE4 and across the PE4-CE2 link
Figure: PE3 (primary) withdraws the route for 10.2.2.0/24 via PE3 towards the RR; PE4 remains the backup.
Figure: after the withdraw, traffic flows CE1 - PE2 - PE4 - CE2.
Figure (second scenario, same topology): VPN1 Site #1 (10.1.1.0/24, CE1) at PE2, VPN1 Site #2 (10.2.2.0/24, CE2) behind PE3 and PE4 (backup), RR in the MPLS Cloud; traffic flows via PE3.
Figure: PE3's /32 host route is removed from the IGP; traffic is redirected to PE4 (backup) and on to CE2.
BGP PIC leverages IGP convergence, so make sure the IGP converges quickly
IOS-XR: IGP timers are pretty much tuned by default
IOS: sample OSPF config:
process-max-time 50
ip routing protocol purge interface
interface
carrier-delay msec 0
negotiation auto
ip ospf network point-to-point
bfd interval 100 min_rx 100 mul 3
router ospf 1
ispf
timers throttle spf 50 100 5000
timers throttle lsa all 0 20 1000
timers lsa arrival 20
timers pacing flood 15
passive-interface Loopback 0
bfd all-interfaces
Two BGP PIC Edge flavors: BGP PIC Edge Multipath and Unipath
Multipath: the re-routing router load-balances across multiple next-hops; the backup next-hops actively take traffic and are active in the routing/forwarding plane, as commonly found in active/active redundancy scenarios.
No configuration apart from enabling BGP multipath (maximum-paths ...)
Unipath: backup path(s) are NOT taking traffic, as found in active/standby scenarios
route-policy backup
! Currently, only a single backup path is supported
http://www.cisco.com/en/US/docs/ios/iproute_bgp/configuration/guide/irg_bgp_mp_pic.html
http://www.cisco.com/en/US/docs/ios/ios_xe/iproute_bgp/configuration/guide/irg_best_external_xe.html
Figure (route reflection without Add-Path): PE2 and PE3 both learn prefix Z via E0 and advertise NH:PE2, P:Z and NH:PE3, P:Z to the RR; the RR selects prefix Z via PE2 and advertises only NH:PE2, P:Z to PE1.
Figure: RR1 holds prefix Z via PE2 and via PE3 (NH:PE2, P:Z from PE2, NH:PE3, P:Z from PE3); PE1 receives NH:PE3, P:Z.
BGP Add-Path
Add-Path signals diverse paths, from 2 to X paths
Requires all Add-Path-receiving BGP routers to support the Add-Path capability
Figure (Add-Path): RR1 holds prefix Z via PE2 and via PE3 and advertises both to PE1, NH:PE2, P:Z as AP 1 and NH:PE3, P:Z as AP 2.
Use case: primary + n-1 backup scenario (n is at most 2 for IOS-XR and 3 for IOS).
Add-all-path: with add-all-path, the route reflector does the primary best-path computation (only on the first path) and then sends all paths to the BR/PE.
Add-Path Applications
Fast convergence / connectivity restoration: as the ingress routers have visibility of more paths, they can switch to the backup paths faster once the primary path goes away. Requires backup paths to be sent.
Load balancing: as the ingress routers have visibility of more paths, they can do ECMP across multiple paths. Requires either backup paths or all paths to be sent.
Churn reduction: since alternate paths are available, withdraws can be suppressed (implicit update).
Route oscillation: see RFC 3345 for scenarios. Requires group best paths (in some cases all paths) to be sent.
Convergence comparison (figure; columns: Node Failure, Link Failure; row labels other than "BFD Only" not recovered):
12-14 sec, 8-17 sec
BFD Only: 10-12 sec, 6-12 sec
8 sec, 4 sec
0 sec, 0 sec
Figure (RT-Constraint): PE-1, PE-2, PE-3 and PE-4 each host a subset of VRF-Blue, VRF-Green, VRF-Red and VRF-Purple and send RT-Constraint NLRI to RR-1 and RR-2 listing the VRFs (route targets) they need, e.g. NLRI={VRF-Green, VRF-Purple, VRF-Blue} and NLRI={VRF-Purple, VRF-Blue}, so the RRs only reflect VPN routes carrying those route targets.
Accept own
This feature allows movement from a PE-based service provisioning model to a centralized route reflector (RR)-based service provisioning model. With this feature, you can define the route-to-service-VRF mapping within a centralized route reflector and then propagate this information down to all the PE clients of that RR. Without this feature, you would define the route-to-service-VRF mapping in all PE devices, incurring a high configuration overhead, which could result in more errors.
This feature enables a route reflector to modify the Route Target (RT) list of a VPN route that is distributed by the route reflector, enabling the route reflector to control how a route originated within one VRF is imported into other VRFs.
router#configure
router(config)#router bgp 100
router(config-bgp)#neighbor 10.2.3.4
router(config-bgp-nbr)#address-family vpnv4 unicast
router(config-bgp-nbr-af)#accept-own
Overview AIGP
By originator
An AIGP value change triggers a new AIGP computation for the route
AIGP carried across different ASes with different IGP domains may not offer a meaningful result.
2013 Cisco and/or its affiliates. All rights reserved.
Compute the interior cost as the cumulative AIGP value for the next hop (NH)
Update generation
Route installation for BGP to tag AIGP metric during route installation
router bgp 1
address-family ipv4 unicast
redistribute ospf 1 route-policy set_aigp_1
The BGP instances do not communicate with each other and do not set up peering with each other
Each individual instance can set up peering with another router independently
Why Multi-Instance/Multi-AS?
It provides a mechanism to consolidate the services provided by multiple routers using a common routing infrastructure into a single IOS-XR router
It provides a mechanism to achieve AF isolation by configuring the different AFs in different BGP instances
It provides a means to achieve higher session scale by distributing the overall peering sessions between multiple instances
It provides a mechanism to achieve higher prefix scale (especially on an RR) by having different instances carry different BGP tables
IOS-XR CRS multi-chassis systems can be used optimally by placing the different BGP instances on different RP/DRPs
It is the base of Cisco's SP DDoS mechanism
Configuration Example
ID  Placed-Grp  Name  AS  VRFs  Address Families
-------------------------------------------------------------------------------
0   v4_routing  ipv4  1   0     IPv4 Unicast
1   bgp2_1      ipv6  1   0     IPv6 Unicast
2   bgp3_1      vpn1  3   1     VPNv4 Unicast
3   bgp4_1      vpn2  3   1     VPNv4 Unicast
RP/0/0/CPU0:ios#sh bgp instance ?
  WORD  Specify the bgp instance name
  all   Choose all BGP instances
RP/0/0/CPU0:ios#sh bgp instance all ?
  A.B.C.D         IPv4 network
  A.B.C.D/length  IPv4 network and masklength
  advertised      Show advertised routes
  af-group        Show config information on address family groups
  all             Both ipv4 and ipv6 address families
  attribute-key   Display networks with their associated attribute key index
  cidr-only       Display only routes with non-natural netmasks
  community       Display routes matching the communities
  convergence     Test an address family for convergence
Show output (speaker summary, flattened in extraction): four speakers in VRF default, Spk 0 and Spk 1 in AS 1, Spk 2 and Spk 3 in AS 200, each with InQ 0, OutQ 0, NBRState Established and NSRState -; the one neighbor address recovered is 20.0.101.2.
Error-handling
draft-ietf-idr-optional-transitive-04.txt
The punishment should not exceed the crime
Gracefully fix or ignore non-severe errors
Avoid session resets in most cases
Never simply discard an erroneous update, as that can lead to inconsistencies
Architecture (figure): malformed BGP updates, whether from invalid attribute contents, transitive attributes, a wrong attribute length, unknown attributes or unwanted attributes, pass through attribute filtering, error-handling and NLRI processing.
Attribute filtering
Error-handling details
Classification of errors
Actions taken: local repair, discard attribute, treat-as-withdraw, reset session, discard Update message
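How those actions are chosen per attribute, as an added example written for this page and modelled on draft-ietf-idr-optional-transitive / RFC 7606 (not Cisco's implementation): `classify`, `handle_attributes` and the constructed sample block are assumptions, and only ORIGIN, AS_PATH, NEXT_HOP, MED and ATOMIC_AGGREGATE are checked; the most severe verdict decides what happens to the whole UPDATE.

```python
import struct
from typing import List, Tuple

OPTIONAL, TRANSITIVE, PARTIAL, EXT_LEN = 0x80, 0x40, 0x20, 0x10   # attribute flag bits
ORIGIN, AS_PATH, NEXT_HOP, MED, ATOMIC_AGGREGATE = 1, 2, 3, 4, 6   # type codes handled here
KNOWN = {ORIGIN, AS_PATH, NEXT_HOP, MED, ATOMIC_AGGREGATE}
SEVERITY = {"accept": 0, "attribute-discard": 1, "treat-as-withdraw": 2, "session-reset": 3}

def encode_attr(flags: int, type_code: int, value: bytes) -> bytes:
    """Frame one path attribute (used only to build the constructed sample)."""
    if len(value) > 255 or flags & EXT_LEN:
        return struct.pack("!BBH", flags | EXT_LEN, type_code, len(value)) + value
    return struct.pack("!BBB", flags, type_code, len(value)) + value

def classify(flags: int, type_code: int, value: bytes) -> str:
    """Verdict for one well-framed attribute, per RFC 7606 section 7 / RFC 4271."""
    if type_code == ORIGIN:                 # length must be 1, value 0..2
        return "accept" if len(value) == 1 and value[0] <= 2 else "treat-as-withdraw"
    if type_code in (NEXT_HOP, MED):        # fixed 4-octet length
        return "accept" if len(value) == 4 else "treat-as-withdraw"
    if type_code == ATOMIC_AGGREGATE:       # length must be 0; otherwise drop just the attribute
        return "accept" if len(value) == 0 else "attribute-discard"
    if type_code == AS_PATH:
        return "accept"                     # segment-syntax checks omitted here
    if not flags & OPTIONAL:
        return "session-reset"              # unrecognised well-known attribute (RFC 4271)
    if flags & TRANSITIVE:
        return "accept"                     # unknown optional transitive: keep, mark Partial
    return "attribute-discard"              # unknown optional non-transitive: ignore

def handle_attributes(buf: bytes) -> Tuple[str, List[Tuple[int, int, bytes]]]:
    """Walk a Path Attributes block. Returns (action, kept attributes) where action is
    accept, treat-as-withdraw or session-reset; discarded attributes are simply absent."""
    worst, kept, pos = "accept", [], 0
    while pos < len(buf):
        hdr = 4 if buf[pos] & EXT_LEN else 3
        if pos + hdr > len(buf):
            return "treat-as-withdraw", []  # truncated attribute header
        flags, type_code = buf[pos], buf[pos + 1]
        length = struct.unpack_from("!H", buf, pos + 2)[0] if hdr == 4 else buf[pos + 2]
        value = buf[pos + hdr:pos + hdr + length]
        if len(value) != length:
            return "treat-as-withdraw", []  # attribute length overruns the block
        verdict = classify(flags, type_code, value)
        if SEVERITY[verdict] > SEVERITY[worst]:
            worst = verdict
        if verdict == "accept":
            if type_code not in KNOWN:
                flags |= PARTIAL            # RFC 4271 section 5: unknown transitive -> Partial bit
            kept.append((flags, type_code, value))
        pos += hdr + length
    if worst in ("session-reset", "treat-as-withdraw"):
        return worst, []
    return "accept", kept                   # attribute-discard only drops that attribute

def sample_update() -> bytes:
    """Constructed block: valid ORIGIN/AS_PATH/NEXT_HOP, an oversized ATOMIC_AGGREGATE
    (discarded) and an unknown optional transitive attribute (kept, marked Partial)."""
    return (encode_attr(TRANSITIVE, ORIGIN, b"\x00")
            + encode_attr(TRANSITIVE, AS_PATH, b"\x02\x01\xfc\xda")   # AS_SEQUENCE, AS 64730
            + encode_attr(TRANSITIVE, NEXT_HOP, bytes([10, 0, 0, 1]))
            + encode_attr(TRANSITIVE, ATOMIC_AGGREGATE, b"\x01")
            + encode_attr(OPTIONAL | TRANSITIVE, 200, b"\xde\xad"))
```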
Prefix hijacking
Announce someone else's prefix
Announce a more specific of someone else's prefix
Either way, you are trying to steal someone else's traffic by getting it routed to you
Capture, sniff, redirect, manipulate traffic as you wish
Configuration sample
Neighbor summary output (neighbor address column not recovered in extraction):
V  AS     MsgRcvd  MsgSent  TblVer
4  64726  17784    17789    11688639
4  64209  0        0        1
4  209    216390   4021     11688634
4  209    212278   4020     11688634
4  64726  70180    227968   11688639
JSV-ASR#sho bgp
BGP table version is 11698585, local router ID is 66.77.8.142
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Table entries (flattened in extraction): RPKI code V for 0.0.0.0/1 (next hop 0.0.0.0, best) and 0.0.0.0 (next hop 66.77.8.150, internal); RPKI code N for 1.0.0.0/24, 1.0.4.0/22, 1.0.16.0/23, 1.0.18.0/23 and 1.0.20.0/23, each with paths via 66.77.8.130 and 66.77.8.129 (best), metric 8000039, local preference 1000, AS path 209 2914 2519 i.
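The V / I / N codes in the output above come from RPKI origin validation (RFC 6811). As an added example written for this page (not Cisco code), here is the check plus a defender's inbound policy in Python; `ROA`, `validate`, `apply_policy` and the ROA and route lists are constructed assumptions (the AS numbers are borrowed from the slide), so their results do not mirror the N entries shown.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

@dataclass(frozen=True)
class ROA:
    prefix: str        # authorised prefix, e.g. "1.0.0.0/16"
    max_length: int    # longest prefix length the holder authorises
    asn: int           # authorised origin AS; 0 means nobody may originate

def validate(prefix: str, origin_as: int, roas: Iterable[ROA]) -> str:
    """RFC 6811 origin validation: 'V' valid, 'I' invalid, 'N' not found."""
    route = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa in roas:
        auth = ipaddress.ip_network(roa.prefix, strict=False)
        if route.version != auth.version or not route.subnet_of(auth):
            continue                                   # this ROA does not cover the route
        covered = True                                 # at least one covering ROA exists
        if route.prefixlen <= roa.max_length and roa.asn == origin_as and roa.asn != 0:
            return "V"                                 # covering ROA matches origin and length
    return "I" if covered else "N"                     # covered but nothing matched -> invalid

def apply_policy(routes, roas) -> List[Tuple[str, int, str, str]]:
    """Defender's inbound policy (constructed values): drop invalid announcements,
    keep valid ones at local-pref 100 and accept unknown ones at local-pref 50."""
    actions = {"V": "accept local-pref 100", "N": "accept local-pref 50", "I": "drop"}
    result = []
    for prefix, origin in routes:
        state = validate(prefix, origin, roas)
        result.append((prefix, origin, state, actions[state]))
    return result

# Constructed ROAs; AS numbers reuse the ones in the slide's show output.
ROAS = [ROA("1.0.0.0/16", 24, 2519), ROA("192.0.2.0/24", 24, 64726), ROA("198.51.100.0/24", 24, 0)]
ROUTES = [
    ("1.0.0.0/24", 2519),        # V: covered, right origin, within max length
    ("1.0.4.0/22", 2519),        # V
    ("1.0.4.0/25", 2519),        # I: more specific than the ROA's max length
    ("1.0.4.0/24", 64209),       # I: covered but originated by the wrong AS
    ("192.0.2.0/24", 64726),     # V
    ("198.51.100.0/24", 209),    # I: AS0 ROA says nobody may originate this
    ("203.0.113.0/24", 209),     # N: no ROA covers it
]
```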
Table (multicast building blocks for IPv4/IPv6 native and IPv4/IPv6 mVPN; PORT also listed): C-multicast signaling via PIM or BGP; core tree signaling via PIM (pt-mpt), MLDP (pt-mpt | mpt-mpt) or P2MP TE (pt-mpt); encapsulation/forwarding via IP/GRE or LSM.
Figure (advertisement of customer multicast routes): the source behind CE1 at PE1, the RP behind CE2 at PE2, receivers CE3 at PE3 and CE4 at PE4; the receivers send PIM C-Joins ((*,G) or (S,G)) to their PEs, which carry the C-mroutes across the core in BGP.
Figure (Graceful Shutdown, "please wait"): prefix 10.45 is re-advertised with localpref 10 and traffic is redirected.
Graceful Shutdown
GSHUT well-known community
The GSHUT community attribute is applied to a neighbor specified by the neighbor shutdown graceful command, thereby gracefully shutting down the link in an expected number of seconds.
The GSHUT community is specified in a community list, which is referenced by a route map and then used to make policy routing decisions.
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bgp/configuration/15-s/irg-15-s-book.pdf
DDoS mitigation roadmap (figure). Phase I: ACL, RTBH, PBR, uRPF. Phase II: IOS-XR 4.3.1, IOS-XE partial.
DDoS Overview
Distributed denial-of-service (DDoS) attacks target network infrastructures or computer services by sending an overwhelming number of service requests to the server from many sources.
Server resources are used up serving the fake requests, resulting in denial or degradation of service for legitimate requests.
Addressing DDoS attacks
Detection: detect incoming fake requests
Mitigation
Diversion: send traffic to a specialized device that removes the fake packets from the traffic stream while retaining the legitimate packets
Return: send the clean traffic back to the server
Figure (DDoS instrumentation, shown in three stages): a security server, a DDoS analyser fed with sampled NetFlow, and a DDoS scrubber.
The solution supports redirection of BGP less/more specific prefixes or locally originated prefixes (static routes, redistributed routes)
Support for multi-homed customers
During an attack, send clean traffic from the DDoS scrubber to multiple PEs
The concept
Figure: an ISP with PE1 (Internet users), PE2 (server) and PE3 (scrubber), plus pre-provisioned DDoS instrumentation (security analyser, security server); traffic under normal conditions and traffic under normalized conditions.
Traffic scrubber: separates clean and malicious traffic
Security analyser: analyses NetFlow/IPFIX statistics from the traffic flows
Security server: acts upon the traffic analysis by communicating with the infrastructure routers
Goal (figure): ISP topology with Internet users behind PE1 (4.4.4.4), the server 1.1.1.1/32 behind PE2 (2.2.2.2), the scrubber behind PE3 (3.3.3.3), a security analyser and a security server (5.5.5.5 also appears in the figure). Under normal conditions PE1's table reads Destination 1.1.1.1/32, Next-hop 2.2.2.2.
Figure: the DDoS Route-Reflector (5.5.5.5, 6.6.6.6) injects Destination 1.1.1.1/32, Next-hop 3.3.3.3 (the scrubber). PE1's BGP table now holds 1.1.1.1/32 via 2.2.2.2 and 1.1.1.1/32 via 3.3.3.3; which one goes into the routing table is the open question (????????????).
Trick # 1 (figure): the diversion path wins, so the routing table points 1.1.1.1/32 at 3.3.3.3 while the BGP table keeps both 2.2.2.2 and 3.3.3.3; attack traffic is pulled to the scrubber and clean traffic leaves it towards the server.
Problem (figure): the clean traffic returned by the scrubber is also destined to 1.1.1.1/32, whose routing-table next hop is now 3.3.3.3 on every PE, so it heads back to the scrubber.
VPN Clean (figure): a clean VRF is introduced. Tables shown: BGP table 1.1.1.1/32 via 2.2.2.2 and via 3.3.3.3; routing table VPN 1.1.1.1/32 via 3.3.3.3, Global 1.1.1.1/32 via 2.2.2.2.
Figure: CE1 now appears between PE2 (2.2.2.2) and the server; the tables show VPN 1.1.1.1/32 via 3.3.3.3 and Global 1.1.1.1/32 via CE1. HOLD on a minute!
Trick # 2 (figure): the tables are turned round so that the clean VRF carries 1.1.1.1/32 via CE1 and the global table carries 1.1.1.1/32 via 3.3.3.3; clean traffic (1.1.1.1 via CE1) reaches the server while the global table keeps diverting to the scrubber.
Figure: the DDoS Route-Reflector (5.5.5.5) advertises Destination 1.1.1.1/32, Next-hop 3.3.3.3 to the ISP's PEs; server, scrubber (2.2.2.2, 3.3.3.3), security server, PE1 (4.4.4.4) and Internet users as before.
Configuration (1)
router bgp 99 instance ddos
bgp router-id 3.3.3.3
bgp read-only
bgp install diversion
address-family ipv4 unicast
!
router bgp 99
bgp router-id 2.2.2.2
address-family ipv4 unicast
!
Configuration (2)
Importing the global routes in the clean VRF
vrf clean
address-family ipv4 unicast
import from default-vrf route-policy ddos advertise-as-vpn
export route-target
111:1
!
!
address-family ipv6 unicast
import from default-vrf route-policy ddos advertise-as-vpn
export route-target
111:1
!
!
!
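The two tricks behind this configuration as an added RIB model written for this page (not Cisco code and not a model of IOS-XR internals): the read-only ddos instance supplies a diversion path that wins in the global table (trick #1), and VRF clean imports only the non-diversion route from the default VRF (trick #2), so the scrubber's clean traffic reaches the server instead of looping back. `PE`, `Path`, `trace`, the scrubber placement at PE3 and CE1 as PE2's local next hop are assumptions; the addresses are the slides' own.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Path:
    prefix: str
    next_hop: str
    instance: str          # "default" = normal BGP, "ddos" = read-only diversion instance

LOOPBACKS = {"4.4.4.4": "PE1", "2.2.2.2": "PE2", "3.3.3.3": "PE3"}   # addresses from the slides
SCRUBBER_AT = {"PE3": "scrubber"}                                   # the scrubber hangs off PE3

class PE:
    def __init__(self, name: str):
        self.name = name
        self.paths: List[Path] = []                 # BGP table: paths from both instances
        self.rib: Dict[str, Dict[str, str]] = {}    # table -> prefix -> next hop
        self.recompute()

    def learn(self, path: Path) -> None:
        self.paths.append(path)
        self.recompute()

    def withdraw_instance(self, instance: str) -> None:
        self.paths = [p for p in self.paths if p.instance != instance]
        self.recompute()

    def recompute(self) -> None:
        """Trick #1: the diversion path (bgp install diversion) overrides the normal
        path in the global table. Trick #2: VRF clean imports the default-VRF routes
        through a policy that keeps only the normal path, never the diversion."""
        self.rib = {"global": {}, "clean": {}}
        for p in self.paths:
            if p.instance == "ddos":
                self.rib["global"][p.prefix] = p.next_hop        # shown as (>) in show route
            else:
                self.rib["global"].setdefault(p.prefix, p.next_hop)
                self.rib["clean"][p.prefix] = p.next_hop

def build_network(diverted: bool) -> Dict[str, PE]:
    """Constructed topology: server 1.1.1.1/32 behind CE1 at PE2, users at PE1, scrubber at PE3."""
    pes = {n: PE(n) for n in ("PE1", "PE2", "PE3")}
    pes["PE1"].learn(Path("1.1.1.1/32", "2.2.2.2", "default"))
    pes["PE3"].learn(Path("1.1.1.1/32", "2.2.2.2", "default"))
    pes["PE2"].learn(Path("1.1.1.1/32", "CE1", "default"))         # PE2's own route via CE1
    if diverted:                                                    # DDoS RR injects the diversion
        for pe in pes.values():
            pe.learn(Path("1.1.1.1/32", "3.3.3.3", "ddos"))
    return pes

def trace(pes: Dict[str, PE], start: str, vrf: str, reinject_vrf: str, dst: str = "1.1.1.1/32") -> List[str]:
    """Hop list for a packet to dst entering at start in table vrf. A lookup that points at
    the PE's own loopback hands the packet to its attached scrubber, which returns the clean
    traffic on an interface in reinject_vrf. VPN traffic keeps its VRF context across the
    core (MPLS VPN), so the lookup at the far PE uses the same table."""
    hops, here, seen = [start], start, set()
    while (here, vrf) not in seen:
        seen.add((here, vrf))
        nh = pes[here].rib[vrf].get(dst)
        if nh is None:
            return hops + ["DROP"]
        target = LOOPBACKS.get(nh, nh)
        if target == here:                                          # route points at this PE
            if here not in SCRUBBER_AT:
                return hops + ["LOOP"]
            hops.append(SCRUBBER_AT[here])
            vrf = reinject_vrf
            continue
        hops.append(target)
        if target not in pes:
            return hops                                             # delivered to CE1 / server
        here = target
    return hops + ["LOOP"]
```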
show commands
RP/0/0/CPU0:hydra-prp-A#show route
Codes: C - connected, S - static, R - RIP, B - BGP, (>) - Diversion path
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - ISIS, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, su - IS-IS summary null, * - candidate default
U - per-user static route, o - ODR, L - local, G - DAGR
A - access/subscriber, a - Application route, (!) - FRR Backup path
Gateway of last resort is not set
(route entries flattened in extraction: codes O, O, L, O, O, B; destinations not recovered)
[...]
Further show output (flattened in extraction): OK Y, Interface GigabitEthernet0/2/1/9, Address 87.0.1.2
Summary
Motivation to Enhance BGP
Scale and Performance Enhancements
What happened in BGP Landscape?
Some new cool features that may interest you