BGP (cont) 1. BGP Peering 2. BGP Attributes 3. BGP Path Selection Criteria 4. BGP Authentication

1. BGP Peering BGP assumes that external neighbors are directly connected and that they are peering with the IP address of the directly connected interface of their neighbor. If not, you must tell BGP to look more than one hop away for its neighbor, with the neighbor ip-address ebgp-multihop number-of-hops command. You might use this command if you are peering with loopback interface IP addresses, for instance. BGP assumes that internal neighbors might not be directly connected, so this command is not needed with IBGP.

1. BGP Peering BGP Peering States The command show ip bgp neighbors shows a list of peers, and the status of their peering session. This status can include the following states: ■ Idle  No peering; router is looking for neighbor. Idle (admin) means that the neighbor relationship has been administratively shut down. ■ Connect  TCP handshake completed. ■ OpenSent, or Active  An open message was sent to try to establish the peering. ■ OpenConfirm  Router has received a reply to the open message. ■ Established  Routers have a BGP peering session. This is the desired state.

2. BGP Attributes BGP chooses a route to network based on the attributes of its path. Four categories of attributes exist: ■ Well-known mandatory  Must be recognized by all BGP routers, present in all BGP updates, and passed on to other BGP routers. For example, AS path, origin, and next hop. ■ Well-known discretionary  Must be recognized by all BGP routers and passed on to other BGP routers, but need not be present in an update. For example, local preference. ■ Optional transitive  Might or might not be recognized by a BGP router, but is passed on to other BGP routers. If not recognized, it is marked as partial. For example, aggregator, community. ■ Optional nontransitive  Might or might not be recognized by a BGP router and is not passed on to other routers. For example, Multi-Exit Discriminator (MED), originator ID.

2. BGP Attributes

3. BGP Path Selection Criteria + IGPs, such as EIGRP or OSPF, choose routes based on lowest metric. They attempt to find the shortest, fastest way to get traffic to its destination. + BGP,however, has a very different way of route selection. It assigns various attributes to each path; these attributes can be administratively manipulated in order to control the path that is selected. It then examines the value of these attributes in an ordered fashion until it is able to narrow all the possible routes down to one path.

3. BGP Path Selection Criteria BGP tries to narrow its path selection down to one best path; it does not load balance by default. To do so, it examines the path attributes of any loop-free synchronized (if synchronization is enabled) routes with a reachable next-hop following the order

3. BGP Path Selection Criteria 1. Choose the route with the highest weight. 2. If weight is not set, choose the route with the highest local preference. 3. Choose routes that you advertise. 4. Choose the path with the shortest autonomous system path. 5. Choose the path with the lowest origin code (i is lowest, e is next, ? Is last). 6. Choose the route with the lowest MED, if the same autonomous system advertises the possible routes. 7. Choose an eBGP route over an iBGP route. 8. Choose the route through the nearest IGP neighbor. 9. Choose the oldest route. 10. Choose a path through the neighbor with the lowest router ID. 11. Choose a path through the neighbor with the lowest IP address.

3. BGP Path Selection Criteria BGP load balancing To enable BGP to load balance over more than one path, you must enter the command maximum-paths number-of-paths. BGP can load balance over a maximum of six paths.

4. BGP Authentication + BGP supports MD5 authentication between neighbors, using a shared password. It is configured under BGP router configuration mode with the command neighbor {ip-address | peer-group-name} password password. + When authentication is configured, BGP authenticates every TCP segment from its peer and checks the source of each routing update. Most ISPs require authentication for their EBGP peers. + Peering will succeed only if both routers are configured for authentication and have the same password. If your router has authentication configured and the neighbor does not, your router will display the error message: “%TCP-6-BADAUTH: No MD5 digest from peer’s-IP-address:11003 to local-router’s-IP-address:179.”

4. BGP Authentication + If the neighbor router is configured with a nonmatching password, your router will display the error message: “%TCP-6-BADAUTH: Invalid MD5 digest from peer’s-IP-address:11004 to local-router’s-IP-address:179.” + If a router has a password configured for a neighbor, but the neighbor router does not, a message such as the following will display on the console while the routers attempt to establish a BGP session between them: “%TCP-6-BADAUTH: No MD5 digest from [peer’s IP address]:11003 to [local router’s IP address]:179” + Similarly, if the two routers have different passwords configured, a message such as the following will display on the screen: “%TCP-6-BADAUTH: Invalid MD5 digest from [peer’s IP address]:11004 to [local router’s IP address]:179”