Configuring Internal BGP Sessions

Internal BGP (IBGP) sessions (BGP sessions within your autonomous system) are identified by the neighbor’s AS number being identical to your AS number. While external BGP (EBGP) sessions are usually established between directly connected routers, IBGP sessions are expected to be configured across the network.

The current best practice is to configure IBGP sessions between the loopback interfaces of the BGP neighbors, ensuring that the TCP session between them (and the BGP adjacency using the TCP session) will not be disrupted after a physical link failure as long as there is an alternate path toward the adjacent router.

To configure an IBGP session following that best practice on Cisco IOS, specify the neighbor’s loopback address in all neighbor commands and use the neighbor update-source command to specify the source IP address of the TCP session.

Without the neighbor update-source configuration command, the TCP session will use the IP address of the outgoing physical interface and the neighbor will reject the incoming TCP SYN packet as it’s not coming from a recognized BGP neighbor.

Sample Configuration

To configure an IBGP session between R1 and R2, use the following configuration commands:

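BGP configuration on R1

hostname R1
!
! Loopback address used as the BGP session endpoint (/32 mask assumed)
interface Loopback 0
 ip address 10.0.0.1 255.255.255.255
!
router bgp 65001
 neighbor 10.0.0.2 remote-as 65001
 neighbor 10.0.0.2 description R2
 ! Source the TCP session from the loopback address
 neighbor 10.0.0.2 update-source loopback 0

BGP configuration on R2

hostname R2
!
! Loopback address used as the BGP session endpoint (/32 mask assumed)
interface Loopback 0
 ip address 10.0.0.2 255.255.255.255
!
router bgp 65001
 neighbor 10.0.0.1 remote-as 65001
 neighbor 10.0.0.1 description R1
 ! Source the TCP session from the loopback address
 neighbor 10.0.0.1 update-source loopback 0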
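
The acceptance rule described above (a TCP SYN is accepted only if its source address matches a configured neighbor) can be checked offline against router configurations. The following Python sketch is an added example, not part of the original article; the sample configs are constructed, R2's Serial0/0 link address is hypothetical, and picking the first non-loopback interface as the egress interface is a simplifying assumption.

```python
import re

# Constructed sample; R2 lacks update-source, its Serial0/0 link address is assumed.
CONFIGS = {
    "R1": """interface Loopback0
 ip address 10.0.0.1 255.255.255.255
router bgp 65001
 neighbor 10.0.0.2 remote-as 65001
 neighbor 10.0.0.2 update-source Loopback0""",
    "R2": """interface Loopback0
 ip address 10.0.0.2 255.255.255.255
interface Serial0/0
 ip address 10.1.12.2 255.255.255.252
router bgp 65001
 neighbor 10.0.0.1 remote-as 65001""",
}

def parse(cfg):
    """Extract interface addresses, local AS and per-neighbor BGP settings."""
    r, cur = {"ifs": {}, "asn": None, "nbrs": {}}, None
    for s in map(str.strip, cfg.splitlines()):
        if m := re.match(r"interface (.+)", s):
            cur = m.group(1).replace(" ", "").lower()  # "Loopback 0" == "loopback0"
        elif m := re.match(r"ip address (\S+)", s):
            r["ifs"][cur] = m.group(1)
        elif m := re.match(r"router bgp (\d+)", s):
            r["asn"] = m.group(1)
        elif m := re.match(r"neighbor (\S+) (remote-as|update-source) (.+)", s):
            r["nbrs"].setdefault(m.group(1), {})[m.group(2)] = m.group(3).replace(" ", "").lower()
    return r

def syn_source(r, nbr):
    """Source IP of the TCP SYN this router sends toward nbr."""
    src_if = r["nbrs"][nbr].get("update-source")
    if src_if:
        return r["ifs"][src_if]
    # Assumption: the first non-loopback interface stands in for the egress interface.
    return next(ip for n, ip in r["ifs"].items() if not n.startswith("loopback"))

def audit(configs):
    """Map (initiator, responder) -> (SYN source IP, accepted by responder?)."""
    routers = {n: parse(c) for n, c in configs.items()}
    owner = {ip: n for n, r in routers.items() for ip in r["ifs"].values()}
    result = {}
    for name, r in routers.items():
        for nbr, opts in r["nbrs"].items():
            if opts.get("remote-as") == r["asn"] and nbr in owner:  # IBGP, peer config known
                src = syn_source(r, nbr)
                result[(name, owner[nbr])] = (src, src in routers[owner[nbr]]["nbrs"])
    return result
```

With the constructed input, `audit(CONFIGS)` reports the SYN initiated by R1 as accepted and the one initiated by R2 as rejected, because R2 sources it from 10.1.12.2 rather than its loopback.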

4 comments:

  1. Hi, thank you for the article. Could you go over some reasons why you would require IBGP in general, as well as in a non-Internet or non-MPLS environment? E.g., in a typical extranet-type enterprise environment, IBGP is often used between redundant edge routers and redundant inside routers, and EBGP between the edge and inside through a firewall. Is this a recommended design, and if so, what is the real advantage of running IBGP between the inside routers? Thx
  2. The nice thing about running BGP across a firewall is that it's just another TCP session from the firewall's perspective, so you don't need any extra security rules. When I get a few hours of spare time, I'll write a post about a typical design scenario.

    See also this thread in NIL forums for other reasons to use BGP in an enterprise network.
  3. Hi Ivan,

    I recently took the ROUTE exam and, while studying BGP and playing with it in GNS3, I noticed that you need update-source loopback0 configured only on one side. I was a bit puzzled by this, so I googled around but I only found this link [1] mentioning it.

    After thinking a bit about this, it actually makes sense. BGP uses a client-server model when setting up the neighbor relationship. The "client" sends the first SYN from a port above 1024 and connects to the "server" on port 179. When configuring update-source loopback on both neighbors, the router that is configured first will probably initiate the connection and become the client.

    However, when update-source loopback is configured on only one of the peers (let's say 10.0.0.1), that peer will _always_ be the client because it is only itself that can correctly initiate the connection (by using the right source IP). The "server" (10.0.0.2) notices that the source address (10.0.0.1) of the incoming SYN matches its neighbor statement and replies with a packet that has as source address its own loopback (because that was the destination address of the first SYN - 10.0.0.2). The client matches that with its own neighbor statement, so the connection is established.

    Anyway, this is probably common knowledge and is as important as the master - slave election when 2 OSPF routers become neighbors, but it was fun investigating and discovering it on my own. :)

    Merry Christmas and a happy New Year to you and your loved ones!


    P.S.: Maybe it's just me, but when I read your post and saw AS11 and AS12, I was wondering "why would he choose routers in different ASes when configuring iBGP?". Then I looked at the actual config and realized that the hostnames were misleading. :)

    [1] http://www.mail-archive.com/[email protected]/msg16373.html
  4. Great job! You're obviously one of those seeking the in-depth understanding, not the quick recipes.

    Also: fixed the hostnames in the table, thanks for the hint.