Category: BGP

Rich sent me a question about temporary traffic blackholing in networks where every router is running IGP (OSPF or IS-IS) and iBGP.

He started with a very simple network diagram:

It’s amazing how long it can take to get some sanity into networking technologies. RFC 8212 specifies that a BGP router should not announce prefixes over EBGP until its routing policy has been explicitly configured. It took us only 22 years to get there…

For more technical details, read this email by Job Snijders.

Running BGP instead of an IGP in your leaf-and-spine fabric sounds interesting (mainly if your fabric is large enough). Configuring a zillion BGP knobs on every box doesn’t.

However, BGP doesn’t have to be complex. In the Simplify BGP Configurations video (part of leaf-and-spine fabric designs webinar) Dinesh Dutt explains how you can make BGP configurations simple and easy-to-understand.

Here’s a trick question:

• Imagine you have a network running IPv4 and VPNv4 services;
• You want to use neighbor next-hop-self on IPv4 sessions, but not on VPNv4 sessions;

To implement this request you use the following configuration commands (plenty of other commands removed because they don’t impact the results):

router bgp 64500
 address-family ipv4
  maximum-paths ibgp 32
  maximum-paths 32
  neighbor 192.168.0.4 next-hop-self
  neighbor 192.168.0.1 next-hop-self
 address-family vpnv4
  maximum-paths ibgp 32
  maximum-paths 32
  no neighbor 192.168.0.4 next-hop-self
  no neighbor 192.168.0.1 next-hop-self

Try to figure out what the end-result will be without connecting to a router or reading the rest of this blog post.

Ok, here’s what totally threw me off (and wasted an hour of my life): next-hop-self is removed from neighbors in the IPv4 address family. Here’s why:

• There is no maximum-paths ibgp command in VPNv4 address family;
• The moment you enter maximum-paths ibgp command the configuration parser exits the address-family vpnv4 context and enters router bgp context;
• Because the ipv4 address family is the default context within router bgp (for legacy reasons) all the subsequent commands are executed within the address-family ipv4 context removing next-hop self from neighbors in IPv4 address family.

No wonder David Barroso named his library NAPALM (you’ll find the full story in this or this podcast).

Over a month ago I decided to create a lab network to figure out how to solve an interesting Inter-AS MPLS/VPN routing challenge. Instead of configuring half a dozen routers I decided to develop a fully-automated deployment because it will make my life easier.

I finally got to a point where OSPF, LDP, BGP (IPv4 and VPNv4) and MPLS/VPN configurations are created, deployed and verified automatically.

I encountered an ancient problem during one of my ExpertExpress engagements:

• Customer network is split into two autonomous systems (core and access);
• Links within access network are way slower than links within core network;
• Customer would like to have optimal core-to-access traffic flow.

Challenge: what’s the simplest possible configuration to get it done?

While we were preparing for the Cumulus Networks’ Routing on Hosts webinar Dinesh Dutt sent me a message along these lines:

You categorically reject the use of OSPF, but we have a couple of customers using it quite happily. I’m sure you have good reasons, and the reasons you list [in the presentation] are ones I agree with. OTOH, why not use totally stubby areas with hosts in such an area?

How about:

One of my readers left this question on the blog post resurfacing the idea of running BGP between servers and ToR switches:

When using BGP on a VM for mobility, what is the best way to establish a peer relationship with a new TOR switch after a live migration? The VM won't inherently know the peer address or the ASN.

As always, the correct answer is it depends.

In the Leaf-and-Spine Fabric Designs webinar series we started with the simplest possible design: non-redundant server connectivity with bridging within a ToR switch and routing across the fabric.

After I explained the basics (including routing protocol selection, route summarization, link aggregation and addressing guidelines), Dinesh Dutt described how network architects use BGP when building leaf-and-spine fabrics.

Anyone following the popular networking blogs and podcasts is probably familiar with the claim that BGP is way too complex to be used in whatever environment. On the other hand, more and more smart people use it when building their data center or WAN infrastructure. There’s something wrong with this picture.

The BGP-based SDN Solutions webinar triggered another interesting question from one the attendees:

It seems like the BGP route reflector functionality can be implemented as a Virtual Machine. Will a VM have enough resources to meet the requirements of a RR?

Short answer: Yes.

One of my ExpertExpress engagements focused on BGP route maps and setting BGP attributes based on BGP communities, so I wanted to brush up my RouteMapFoo before the online session.

Here are a few (not-so-unexpected) results gathered from IOSv release 15.5(3)M.

One of my readers sent me this observation while reviewing my BGP-Based SDN Solutions webinar:

I am a bit surprised the SDN controller can actually be so lightweight.

Well, that's the benefit of augmenting an existing well-developed ecosystem instead of reinventing the wheel and reimplementing every single bit of functionality we had to develop to make networks work throughout the last 5 decades.

Continuing our routing-on-hosts discussions, Enno Rey (of the Troopers and IPv6 security fame) made another interesting remark “years ago we were so happy when we finally got rid of gated on Solaris” and I countered with “there are still people who fondly remember the days of running gated on Solaris” because it’s a nice solution to host-to-network multihoming problem.

I had a great chat with Enno Rey the morning before Troopers 2016 started in which he he made an interesting remark:

I disagree with your idea of running BGP on servers because I think sysadmins shouldn’t be involved with routing.

As (almost) always, it turned out that we were still in violent agreement ;)