BGP Essentials: Configuring Internal BGP Sessions

Internal BGP (IBGP) sessions (BGP sessions within your autonomous system) are identified by the neighbor’s AS number being identical to your AS number. While the external BGP (EBGP) sessions are usually established between directly-connected routers, IBGP sessions are expected to be configured across the network.

The current best practice is to configure IBGP sessions between the loopback interfaces of the BGP neighbors, ensuring that the TCP session between them (and the BGP adjacency using the TCP session) will not be disrupted after a physical link failure as long as there is an alternate path toward the adjacent router.

To configure an IBGP session on a Cisco router, specify the neighbor’s loopback address in all neighbor commands and use the neighbor update-source command to specify the source IP address of the TCP session. Without the neighbor update-source configuration command, the TCP session will use the IP address of the outgoing physical interface and the neighbor will reject the incoming TCP SYN packet as it’s not coming from a recognized BGP neighbor.

The following table shows the configuration commands necessary to configure an IBGP session between loopback interfaces of two routers:

R1:

    interface Loopback 0
     ip address 10.0.0.1
    !
    router bgp 65001
     neighbor 10.0.0.2 remote-as 65001
     neighbor 10.0.0.2 update-source loopback 0

R2:

    interface Loopback 0
     ip address 10.0.0.2
    !
    router bgp 65001
     neighbor 10.0.0.1 remote-as 65001
     neighbor 10.0.0.1 update-source loopback 0
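
The source-address check described above can be modelled in a few lines. This is an added example, not configuration or code from the original article: it uses the table's loopbacks and neighbor statements, assumes constructed link addresses (192.0.2.1 and 192.0.2.2) and working IP reachability, and goes beyond the table by also covering update-source configured on only one router.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Router:
    name: str
    loopback: str        # Loopback 0 address (from the article's table)
    physical: str        # outgoing interface address (constructed for this example)
    neighbor: str        # address used in "neighbor ... remote-as"
    update_source: bool  # True if "neighbor ... update-source loopback 0" is present

    def syn_source(self) -> str:
        # Without update-source, the TCP session is sourced from the
        # outgoing physical interface.
        return self.loopback if self.update_source else self.physical

    def accepts(self, src: str, dst: str) -> bool:
        # Passive side: the SYN must target a local address and its source
        # must match a configured neighbor statement.
        return dst in (self.loopback, self.physical) and src == self.neighbor


def possible_clients(a: Router, b: Router) -> list[str]:
    """Names of the routers whose active open (SYN to TCP port 179) is accepted."""
    clients = []
    for active, passive in ((a, b), (b, a)):
        if passive.accepts(active.syn_source(), active.neighbor):
            clients.append(active.name)
    return clients


def pair(r1_us: bool, r2_us: bool) -> tuple[Router, Router]:
    # Loopbacks and neighbor statements follow the table; link addresses are constructed.
    r1 = Router("R1", "10.0.0.1", "192.0.2.1", "10.0.0.2", r1_us)
    r2 = Router("R2", "10.0.0.2", "192.0.2.2", "10.0.0.1", r2_us)
    return r1, r2


if __name__ == "__main__":
    for r1_us, r2_us in ((True, True), (True, False), (False, False)):
        result = possible_clients(*pair(r1_us, r2_us)) or "no session"
        print(f"update-source on R1={r1_us}, R2={r2_us}: {result}")
```

An empty result means neither router's SYN matches the other's neighbor statement, so the session never leaves the connection-setup phase.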


4 comments:

  1. Hi, thank you for the article. Could you go over some reasons why you would require IBGP in general as well as in a non-Internet or non-MPLS environment? For example, in a typical extranet-type enterprise environment, often IBGP is used between redundant edge routers and redundant inside routers, and EBGP between the edge and inside through a firewall. Is this a recommended design, and if so, what is the real advantage of running IBGP between the inside routers? Thx

  2. The nice thing about running BGP across a firewall is that it's just another TCP session from the firewall's perspective, so you don't need any extra security rules. When I get a few hours of spare time, I'll write a post about a typical design scenario.

    See also this thread in NIL forums for other reasons to use BGP in enterprise network.

  3. Hi Ivan,

    I recently took the ROUTE exam and, while studying BGP and playing with it in GNS3, I noticed that you need update-source loopback0 configured only on one side. I was a bit puzzled by this, so I googled around but I only found this link [1] mentioning it.

    After thinking a bit about this, it actually makes sense. BGP uses a client-server model when setting up the neighbor relationship. The "client" sends the first SYN from a port above 1024 and connects to the "server" on port 179. When configuring update-source loopback on both neighbors, the router that is configured first will probably initiate the connection and become the client.

    However, when update-source loopback is configured on only one of the peers (let's say 10.0.0.1), that peer will _always_ be the client because it is only itself that can correctly initiate the connection (by using the right source IP). The "server" (10.0.0.2) notices that the source address (10.0.0.1) of the incoming SYN matches its neighbor statement and replies with a packet that has as source address its own loopback (because that was the destination address of the first SYN - 10.0.0.2). The client matches that with its own neighbor statement, so the connection is established.

    Anyway, this is probably common knowledge and is as important as the master - slave election when 2 OSPF routers become neighbors, but it was fun investigating and discovering it on my own. :)

    Merry Christmas and a happy New Year to you and your loved ones!


    P.S.: Maybe it's just me, but when I read your post and saw AS11 and AS12, I was wondering "why would he choose routers in different ASes when configuring iBGP?". Then I looked at the actual config and realized that the hostnames were misleading. :)

    [1] http://www.mail-archive.com/cisco@groupstudy.com/msg16373.html

  4. Great job! You're obviously one of those seeking the in-depth understanding, not the quick recipes.

    Also: fixed the hostnames in the table, thanks for the hint.



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.