Border Gateway Protocol Guide

The document provides an in-depth overview of Border Gateway Protocol (BGP), emphasizing its importance in cloud networking and its role in routing traffic across the internet. It explains how BGP operates as a dynamic routing protocol, facilitating the exchange of routing information between routers and enabling organizations to connect with Internet Service Providers and cloud service providers. Key concepts such as autonomous systems, BGP messages, and the finite state machine (FSM) are discussed to highlight the technical aspects of BGP and its application in cloud computing environments.

Uploaded by

Online Email

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

20 views22 pages

Border Gateway Protocol Guide

Uploaded by

Online Email

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 22

3

Are you ready to learn about cloud can help the network “self-heal” if a
networking and Border Gateway Pro router or link becomes unusable.
tocol (BGP)? Should any failure occur, BGP will
I began my tech career as a calculate a new path for traffic to
network engineer and have more reach its destination as a GPS would
than 25 years of networking recalculate a path around a blocked
experience. I love BGP and use it road or freeway.
everywhere. I’m so passionate about
it that I’ve spent more than 10,000 When connecting to external organiza
hours work tions, BGP is used as an exterior
ing with BGP. For cloud architects, gateway protocol. For the last few
cloud solution architects, network decades, organ izations have used
architects, and cloud network BGP to connect to Inter net Service
engineers, BGP is the most Providers. BGP is also used to
important routing protocol to connect Internet Service Providers to
understand. BGP knowledge is each other. BGP also connects
extremely critical for building an elite organizations to cloud service
cloud computing career. In this providers (CSPs). Why? Be cause
article, we explain why we use BGP, CSPs are external organizations, the
how BGP works, and how to optimize same as Internet Service Providers
BGP routing for traffic engineering. (ISPs).
This article takes you closer to
building a successful cloud architect BGP is widely used because it’s
or cloud networking career! incredi bly scalable. Routers on the
global internet traffic move both IPv4
Inroduction to BGP and IPv6 traffic. The Internet IPv4
BGP is the primary routing routing table has more than 800,000
protocol of the Internet. Did you routes. It is common for Internet
know that every time you visit a service providers to connect to 10
website or surf the Internet, you are other In ternet service providers, all
using BGP? BGP is a dynamic rout providing 800k routes per ISP,
ing protocol, meaning it helps to totaling 8 million routes!
determine the best path for traffic to
reach its destina tion. BGP helps
routers exchange routing (network
layer reachability information)
between routers running the BGP
routing protocol. Being dynamic,
BGP determines the best path for
traffic to reach its destina tion and
destination is blocked thus preventing
anyone from accessing their intended
website, portal, or other destination.
Also of note is that static routing
would require the manual
configuration of all 800k routes on
every router - that’s a lot of
configuring!

Dynamic routing is about calculating

4 the best path to the destination. A
BGP is also widely used as it is Global Po sitioning System (GPS)
incredibly tunable, thus enabling works very much like dynamic
security and traffic engineering routing. For example, if you
between organizations. wanted to visit a friend for dinner, and
a road was blocked, your GPS would
Routing: A Quick Review Before reroute you to your destination. This
the Technical Materials is effectively what dynamic routing
Routers are network devices protocols do. Dy
that di rect traffic through the network. namic routing protocols exchange
Consider a router as a computer with routing information and are
a bunch of net work cards in it. Each constantly aware of the status of all
router builds a map of the network paths in the network. As the network
that tells the router “to go to this changes, dynamic routing pro
destination, use this interface”. It’s tocols redirect traffic to the best path,
like the large directional signs above so the network traffic gets to its
a freeway when going on a road trip! destination as fast as possible.
That’s what the router does: it directs
your traffic through the network. It Autonomous Systems
makes traffic go from point A to point An autonomous system is a
B, making routers critical for com network under the control of a single
munication and accessibility. organization or company. Being
independent organiza tions, individual
Directing Traffic: Static vs. autonomous systems have different
Dynamic Routing sets of routing rules and policies.
Remember, routers need to BGP is used to connect these
know how to get your traffic from disparate or ganizations.
Point A to Point B. In static routing, Organizations will identify
routers are manually configured with themselves and differentiate
only one path to and from the organizations by autonomous system
destination. However, there’s going numbers.
to be a problem if the only path to the
ments:
Autonomous system numbers were •Proof of a publicly allocated
created with 2 bytes (16-bit) that net work range
created 65,535 unique autonomous •Proof that Internet connectivity
system numbers, how ever, as is provided through multiple
Internet usage increased more connec tions
numbers were required. The Internet •A need for a unique route
Engi neering Task Force RFC 4893 policy from your providers
doubled the number of bytes from 2 How BGP Works
bytes (16-bit) to 4 bytes (32-bit) BGP is a path vector routing protocol.
which multiplied the num ber of Unlike other routing protocols that
autonomous system numbers from commu nicate over multicast, BGP is
65,535 to 4,294,967,295. unicast, mean ing messages are sent
to pre-defined BGP routers. BGP
There are two types of autonomous operates using the transmis sion
sys tem numbers, public Autonomous control protocol (TCP) port 179. A
System Numbers, and private TCP connection is established,
Autonomous Sys tem Numbers. before being able to share any
Public Autonomous System routing information. Un derstanding
that BGP uses TCP port 179 is
5
critical, if anything like a firewall were
Numbers are required when
to block TCP port 179, the BGP will
connecting over the Internet to
not work. So, if there are any access
communicate with other
control lists or firewalls in the path,
organizations. Private Autonomous
make sure TCP port 179 is allowed.
System Numbers are used when it is
Also, if you are taking any
not necessary to connect to external
networking certifications such as
organizations.
Cisco, Ju niper, or AWS Advanced
Networking ex pect a question on
Organizations requiring an
BGP using TCP port 179.
autonomous system number can
apply for one from The Internet
When using BGP in a cloud
Assigned Numbers Authority (IANA),
computing space there will be
as they oversee the distribution of
significant limitations. While it’s
public autonomous system numbers
normal to take 800k plus routes
and verify that all Autonomous
when connecting to an internet
system numbers are globally unique.
service pro
vider, cloud providers have strict
limitations on the number of routes
To be eligible, the organization they will accept. Usually, between
must first meet these 3 require 100 and 1,000 in gen
terms of the peering relationship. After
the TCP session is created between
BGP routers, then the peering session
must be established. BGP peering
starts with a BGP OPEN message. In
the BGP OPEN message, routers must
agree on the BGP version, Hold Time,
BGP autonomous systems numbers
as well as some optional parameters.

Let’s discuss Hold Time as it is a

critical component of BGP. For
accurate routing, routers must know of
6 available routes and
eral. A cloud provider will have if the information they receive is
hundreds of thousands of customers, current. Hold Time is how long a
each with many routes. So, when router will wait for a keepalive
using BGP in a cloud com puting message before declaring a BGP
space, route summarization is criti cal. neighbor relationship is dead. BGP
uses Hold Time to increase reliability.
With BGP, we need to get very Hold Time is essentially a health
technical about how it operates. There check to deter
is no other way than to get into some mine the status of a BGP peering
serious network engineering concepts session. If a KEEPALIVE message is
for BGP. So, strap in as we dive deep not received in a specified period the
into BGP! neighbor relationship is torn down and
the routing path is recal
BGP Messages culated.
I’m putting on my tech hat. Let’s
re view the messages that are KEEPALIVE Message
exchanged between BGP peers. BGP Let’s quickly shift away from BGP
peers exchange messages. That is to what most cloud architects are
how they know to update the map - familiar with, load balancers. A load
just like a GPS. We’ll discuss four balancer takes traf fic in and splits the
messages: open message, keepalive load among multiple servers and says
mes sage, update message, and the to the servers, “Are you there?” The
notification message. server responds by saying, “I’m here.”
As long as the servers respond with,
OPEN Message “I’m here” they stay and are used. How
To start a BGP peering session ever, if the load balancer reaches out
the routers participating in BGP need to a server, “Are you there?” and it
to agree to be peers, as well as the
doesn’t respond, the load balancer received within a specific hold time,
determines it’s not there, gets marked the BGP session is ended. On Cisco
as unhealthy, and gets removed from routers, the hold time is 180 seconds
the rotation. BGP does the same thing (3 minutes) and KEEPALIVE
and has done so for the past 30 years. messages are sent every 60 seconds.
This is tunable on the routers. Shorter
Routers send KEEPALIVE messages hold times will increase the speed
to verify that the neighbor is still there. when a network failure is detect-
If KEEPALIVE messages are not
7
ed but will impact scalability. In most
cases, it makes sense to architect
BGP uses TCP port
the system with default hold times. 179.
Next, let’s discuss how BGP tells sage.
routers about new or lost routes. NOTIFICATION Message
If something goes wrong, BGP sends
UPDATE Message a NOTIFICATION message. A
Regarding the UPDATE NOTIFICA TION message occurs
message, let’s say there’s a BGP when an error is de tected such as if
neighbor estab lished, and you the hold timer expires. A
learned about a new route and NOTIFICATION message causes the
shared it with your neighbor. That is BGP
what the UPDATE message is used
for. It’s saying, “I’ve learned a new
BGP Message Summary
route,” or “I’ve learned a route that
•An OPEN message initiates
went away,” that is the UPDATE
the connection
message.
•A KEEPALIVE message
keeps the session open and
An UPDATE message gives you the
operates like a health check
prefix or the subnet that you are
•An UPDATE message
attempting to reach. The UPDATE
provides information on
message provides path attributes,
newly learned or withdrawn
like your next hop, origin code, AS
routes
path, and other BGP attributes. The
next topic is about the •A NOTIFICATION message is
NOTIFICATION mes sent when there is a problem
and closes the connection
Always remember:
8
BGP Finite State Machine (FSM) The
next part of our technical expla nation
of BGP is how BGP forms a neighbor Source: Cisco Press
relationship. This is particularly
When the BGP forms a neighbor
important in cloud network training
relation ship, we have several states:
and let’s face it, if you want to work
in networking or cloud computing,
you need to know BGP. So, let’s States
continue and have fun with it! •Idle
•Connect
•Active
•OpenSent
•OpenConfirm
•Established

I’ll break these concepts down as

OpenSent much as possible. Knowledge of the
BGP FSM is crit ical as things don’t
always work as planned.
OpenConfirm Understanding the BGP FSM gives
you the ability to troubleshoot the
problem when needed. the timer runs out before completion,
it resets again, attempts another
FSM: Idle connection and moves on to Active.
Idle is the first step of the Finite State
Machine. When a BGP router comes FSM: Active
on line it attempts a TCP connection During Active State, BGP starts
to the BGP peer or neighbor while up a new 3-way TCP handshake.
listening for a new connection. If When con nected, an OPEN
anything goes wrong, it re verts back message is sent with a timer set to 4
to Idle state for 60 seconds be fore minutes and transitions to the
trying again. If the next attempt OpenSent state. However, if an error
doesn’t work, it won’t try for 120 oc curs, it falls back to ConnectState
seconds and dou bles in length for and re sets the timer.
each attempt thereafter.
FSM: OpenSent
FSM: Connect Next, now that the OPEN message is
For the next step, if the 3-way sent and the router receives the
TCP connection completes, the timer OPEN mes sage, both OPEN
resets and sends an OPEN messages are checked for errors
message to the neighbor and using the following checklist:
transitions to the OpenSent state. If
9
to the Idle state.
Checklist:
•BGP versions must match
FSM: OpenConfirm
•Source IP address of OPEN
When the KEEPALIVE or
mes sage must match the IP
NOTIFICA TION message is
address of the neighbor
received, the state gets moved to
•AS number must match
Established. If anything goes wrong,
neighbor •BGP Identifiers (RID)
it bounces back to Idle state.
must be unique
FSM: Established State
When established, Update
If everything goes well, a KEEPALIVE messages are exchanged and the
is sent. Then, the connection is HoldTimer is reset. Again, if any error
moved to OpenCon firm state. happens then the state is moved
However, if it doesn’t work, it gets back to Idle.
moved back to Idle. Also, if a Path Attributes
disconnection occurs, BGP closes BGP is a path vector routing
the connection, resets the timer, and protocol. BGP looks at elements in
sets back to Active state. Any the path to deter mine the best route
other input gets moved back to the destination. These path
attributes will be used later for traffic external BGP (eBGP) vs internal
engineering. First, let’s describe the BGP (iBGP). Ex ternal BGP is used
attrib utes at a high level, and then between autonomous systems to
describe them in more depth. The exchange routing information.
path attributes change as Internal BGP is used to carry routes
organizations (autonomous systems) learned from external autonomous
ex change routing information. systems across the organization’s
network. When it comes to BGP path
There are four kinds of path attributes, they are added when
attributes: •Well-known connecting to external organizations
mandatory — eBGP.
•Well-known discretionary
•Optional transitive According to the BGP specification,
•Optional nontransitive RFC 4271, well-known attributes
must be rec
Before we begin, let’s define

10
ognized by all BGP routers. Well-known tive and stay with the route
mandatory attributes must be included advertisement
with from AS to AS. Unrecognized optional at
every prefix advertisement. This is tributes should be accepted and passed
different to other BGP peers. If it is accepted and
from well-known discretionary attributes, passed from one BGP peer to another
which may or may not be included in then
prefix going forward it must continue to be
advertisements. passed.
Other Path Attributes (PAs) are
Now, optional attributes are not required nontransitive
to and cannot be shared from AS to AS.
be recognized by all BGP routers.
Optional In eBGP, the Network Layer Reachability
attributes can be set so that they are Information (NLRI) consists of the
transi
network
prefix, prefix length, and any BGP attrib
utes. BGP attributes are mandatory
when
eBGP and iBGP exchange NLRI in the
up
date message.

BGP Attributes
BGP attributes are characteristics
of the route. BGP attributes are related
to
the origin of the route, AS Path, Next
Hop
IP, Multi-Exit Discriminator, Local Prefer
ence, Atomic Aggregate, and Weight.
These attributes will be discussed in the
following section.

11
Origin
The Origin is a mandatory attrib
ute that defines the origin of the path discretionary attribute. Local preference
and associated routing information and is
is gen erated by the BGP speaker. The used to help determine the best path. All
Origin can be learned from the IGP (i.e things being equal, routers prefer the
OSPF) from BGP (EGP) or incomplete. path
BGP prefers IGP learned routes over with the highest local preference.
EGP learned routes over incomplete
routes. Atomic Aggregate
Atomic Aggregate is also a well
AS (Autonomous Systems) Path An AS known discretionary attribute. This
Path is an attribute that iden tifies the attribute
different autonomous systems a route is carried out when BGP routes are
has passed through. Anytime a BGP aggre
speaker creates a route or learns about gated (summarized) and routes inside
a route from another BGP speaker, the the
AS Path is updated – depending on the summary address are suppressed.
loca tion of the BGP speaker.
Weight
Next Hop Weight was a Cisco proprietary
Next hop is another well-known means to influence outbound traffic.
mandatory BGP attribute. The next hop Now,
at tribute defines the IP address that the it’s supported by AWS and some other
router should send traffic to for the organizations as well. Weight is another
specified route. This attribute is so attribute used for traffic engineering. For
critical because if the next hop is not
routers that support the weight attribute,
available the route will not be placed in
the
the routing table.
higher the weight the more preferred the
route.
Multi-Exit Discriminator (MED) The
Multi-Exit-Discriminator or MED is an
BGP Path Selection
optional, non-transitive attribute used to
How does BGP select a path? The
determine the best path. It is part of the
BGP decision process. When all factors BGP prefers the path with the highest
are equal, BGP prefers the path with the weight.
low If the weights are equal, then it prefers
est MED (Multi-Exit Discriminator). You the
can route with the highest local preference. If
consider it a metric for the route. the
local preferences are the same, prefer
Local Preference the
Local Preference is a well-known route that originated locally on the router.
If the local preferences are the same
prefer If the AS Path is the same, then prefer
the route with the shortest AS path. the paths with the best origin code. This
is where we talk about an IGP being
better than an EGP versus better than
incomplete. Now, if the origin codes are
the same, then prefer the route with the
lowest MED, or multi-ex
it discriminator. If the MEDs are the
same, then prefer an eBGP route
versus an iBGP route. At this point,
we’re getting far into the process and
BGP must find some way to choose a
preferred path.

If the routes are still equal, prefer the

route with the shortest path to the BGP
next hop. This is determined by the
lowest IGP metric, meaning how far it is
to get to the next hop IP address. And if
the routes are still equal, prefer the
router that told you first. This kind of
improves stability and that keeps things
from flopping up and down. Here’s the
funny part. If all the routes are still equal,
prefer the route advertised or that you
learn from the router with the lowest IP
address. Please refer to the end of this
document for additional information.

Get ready for the fun part!

We have covered a lot so far - good job!
Next, we will cover BGP for traffic en
gineering. Regardless if it’s AWS BGP,
Az ure BGP, or Google Cloud Platform
BGP, these are critical cloud architect
skills. We view network skills training to
be some of the most critical concepts to
know. Why? Because the cloud is a
virtualized network in a data center.
Without networking knowl edge, it would
be impossible to design (ar chitect) any
12 cloud solution.
Symmetric vs. Asymmetric Routing vider fails. So, when you have very high
BGP works in both directions, mean availability and high-performance needs,
ing traffic enters and leaves your you must use two direct connections,
system. and
When designing for high availability VPN backup. Additionally, you will be run
(HA), ning BGP on both direct connections
multiple links across service providers and
are the VPN. You could block one path and
required. When traffic enters and leaves only
the same link that’s symmetric routing. use one, which they typically teach on
Con ba
versely, asymmetric routing occurs when sic networking like the AWS advanced
traffic does not come back the same way net
it left. If we don’t achieve symmetric
routing
we could get out-of-order packets.

BGP Traffic Engineering

Now we will discuss high availabili
ty and traffic engineering. We will use
the
BGP attributes discussed above to
ensure
that we achieve load sharing across con
nections, achieve symmetric routing, and
provide high availability. These attributes
will be used in an election-like manner
for
optimal path selection.

Designing for High Availability

Designing for high availability will re
quire multiple connections. In many
cases
this will mean multiple private lines
(direct
connections) and a VPN backup. It’s
essen
tial that these private lines are on
different
service providers in case one service pro
working curriculum. However, that would
be very expensive and wasteful to not
utilize all the links. To become an
excellent cloud architect, you should
know how to design, load-share across
multiple links, and maxi
mize performance without having any
type of out-of-order packets. You’ll learn
it here at Go Cloud Careers. Remember
that BGP routing is bi-directional;
meaning that traffic engineering needs
to be configured in both directions. For
simplicity’s sake, we will il
lustrate one direction. In real life a
similar policy will need to be configured
on both sides of the connection.

Leaking Specific Routes

The easiest way to load-share across
multiple links is to do it with basic rout
ing. Routers always prefer the path with
the most specific route. Meaning, if you
can look at the diagram below, note the
two links. You will see that the organiza
tion’s data center is using the CIDR
range of [Link]/15. Realistically
speaking, these are multiple subnets.
For example, we have two routers in our
data center, and on the top router, we
desire to tell the cloud to reach the
[Link]/16 subnet, take the top link.
What if we tell the cloud provider on the
bottom link to take [Link]/16? We
create a specific link on the top and a
specific route on the bottom. And guess
what, the top link will be used to reach
[Link]/16, and the bottom link is cho
sen to use [Link]/16 because it’s
the most specific route.
13 Everything will work perfectly until we
6 lose a router, or until we lose a link.
Whichev er subnet we have not
advertised into BGP will not be 172 .17.0.0/16s can be summarized
reachable. So, what do you do when into [Link]/15. By sending the
you create an environment like this? summa ry address, things will work in
You do the following: Per this diagram, case of a link-specific failure. If the top
I’d send the specific link on both sides, link goes away, the bottom link will
and send a summary link or the CIDR have a more spe cific route including
range on both links. The traffic will use the summary route; so that everything
the more spe is reachable. This is typically the
cific routes. simplest and most elegant way of
using BGP to load-share across
redundant links.
VPC
So, look carefully, [Link]/16 and
[Link]/16
[Link]/15

Availability Zone
[Link]/16
[Link]/15

VGW
Availability Zone