Dynamic BGP Peers
This chapter provides information about dynamic BGP peers.
Applicability
This chapter was initially written for SR OS Release 14.0.R7, but the MD-CLI in the current edition corresponds to SR OS Release 20.7.R1.
Overview
SR OS supports static and dynamic BGP sessions, where the static sessions are initiated toward explicitly configured non-passive neighbors, which are identified through an IPv4 or IPv6 address.
Neighbors must be part of a BGP peer group, and all neighbors in the same group share the same characteristics unless more specific characteristics are defined at the neighbor level.
SR OS will initiate TCP sessions toward explicitly configured non-passive neighbors, and listen for incoming TCP connections on port 179 for these configured neighbors. Sessions established with explicitly configured neighbors are considered static BGP sessions.
Dynamic BGP sessions can be established without explicitly configured neighbors; see Establishing dynamic BGP sessions. The source address of a dynamic peer should match one of the configured IPv4 or IPv6 prefixes for the allowed peer Autonomous Systems (ASs). SR OS will only listen for incoming TCP connections on port 179 for these prefixes (which defines passive mode). SR OS will never initiate connections toward dynamic peers. This is consistent with RFC 4271, which allows a BGP speaker to accept connections from unconfigured BGP peers.
Dynamic BGP peering is also supported for ESM-routed subscriber hosts to improve deployment flexibility, but this is out of the scope of this chapter.
Characteristics
In SR OS, BGP groups and dynamic BGP peers have the following characteristics:
- A BGP group can support static and dynamic peers simultaneously.
- To support dynamic, unconfigured peers, multiple prefixes (IPv4/IPv6) in multiple allowed peer ASs can be associated with a group.
- A dynamic peer will be associated with a group, based on the source IP address of an incoming TCP connection. If multiple overlapping prefixes match, the prefix with the longest prefix length is used.
- A maximum number of dynamic peers can be configured per group and for the entire BGP instance. Whenever an incoming connection for a new dynamic session would cause either a group limit or the overall BGP limit to be exceeded, the connection attempt is rejected with a BGP Notification message.
- Dynamic peers are supported in the base router as well as in VPRN BGP instances.
Behavior
When a dynamic session is established, the following behavior will be observed when changes are made:
- If a new prefix entry is added to a group and this entry becomes the longest prefix match for the IP address, then the session remains up, without interruption, if the new entry belongs to the same group as the one previously used to set up the dynamic session.
- If a new prefix entry is added to a group and this entry becomes the longest prefix match for the IP address, then the session is torn down immediately if the new entry belongs to a different group from the one previously used to set up the dynamic session. When the remote end attempts to reestablish the session, the parameters used locally are inherited from the new group.
- If a neighbor command is added to any group and its IP address matches the source IP address of an established dynamic session, then the dynamic session is torn down and the new session that is established inherits its local parameters from the neighbor configuration.
Dynamic BGP peers can considerably reduce the configuration file size of an SR OS router, and are mainly used on route reflectors.
Configuration
In this section, the following two examples are shown:
- Dynamic BGP peers on a route reflector in an AS
- Dynamic BGP peers in multiple ASs
Dynamic BGP peers on a route reflector in an AS
The figure "Dynamic BGP peers" shows the example topology, which has the following characteristics:
- All nodes are part of AS 64496.
- BGP sessions are established between the routers of AS 64496, using RR-5 as route reflector with PE-1, PE-2, PE-3, and PE-4 being the route reflector clients.
The initial configuration on the nodes includes:
- cards, MDAs, and ports
- router interfaces
- IS-IS between the routers
BGP is configured between the route reflector clients and the route reflector for the IPv4 address family. The configuration on PE-1 is as follows:
# on PE-1:
configure {
    router "Base" {
        autonomous-system 64496
        bgp {
            loop-detect discard-route
            split-horizon true
            group "iBGP" {
                peer-as 64496
            }
            neighbor "192.0.2.5" {
                group "iBGP"
            }
The BGP configuration on PE-2 is as follows. The BGP configuration on PE-3 and PE-4 is similar, but the prefix-lists are different.
# on PE-2:
configure {
    policy-options {
        prefix-list "local-lb" {
            prefix 172.31.2.0/24 type exact {
            }
        }
        policy-statement "exp-local-lb" {
            entry 10 {
                from {
                    prefix-list ["local-lb"]
                }
                action {
                    action-type accept
                }
            }
        }
    }
    router "Base" {
        autonomous-system 64496
        bgp {
            loop-detect discard-route
            split-horizon true
            group "iBGP" {
                peer-as 64496
                export {
                    policy ["exp-local-lb"]
                }
            }
            neighbor "192.0.2.5" {
                group "iBGP"
            }
The initial route reflector RR-5 BGP configuration is as follows:
# on RR-5:
configure {
    router "Base" {
        autonomous-system 64496
        bgp {
            loop-detect discard-route
            split-horizon true
            dynamic-neighbor-limit 20
            group "iBGP" {
                peer-as 64496
                dynamic-neighbor-limit 10
                cluster {
                    cluster-id 5.5.5.5
                }
                dynamic-neighbor {
                    match {
                        prefix 192.0.2.0/24 {
                            allowed-peer-as ["64496"]
                        }
                    }
                }
            }
Dynamic neighbors are shown with the "D" flag, as follows:
[]
A:admin@RR-5# show router bgp summary all
===============================================================================
BGP Summary
===============================================================================
Legend : D - Dynamic Neighbor
===============================================================================
Neighbor
Description
ServiceId AS PktRcvd InQ Up/Down State|Rcv/Act/Sent (Addr Family)
PktSent OutQ
-------------------------------------------------------------------------------
192.0.2.1(D)
Def. Instance 64496 64 0 00h30m53s 0/0/3 (IPv4)
67 0
192.0.2.2(D)
Def. Instance 64496 66 0 00h31m11s 1/1/2 (IPv4)
67 0
192.0.2.3(D)
Def. Instance 64496 67 0 00h31m49s 1/1/2 (IPv4)
68 0
192.0.2.4(D)
Def. Instance 64496 65 0 00h30m47s 1/1/2 (IPv4)
66 0
-------------------------------------------------------------------------------
The details for neighbor PE-2 show that the session is dynamic, as follows:
[]
A:admin@RR-5# show router bgp neighbor 192.0.2.2
===============================================================================
BGP Neighbor
===============================================================================
-------------------------------------------------------------------------------
Peer : 192.0.2.2
Description : (Not Specified)
Group : iBGP
-------------------------------------------------------------------------------
Peer AS : 64496 Peer Port : 49704
Peer Address : 192.0.2.2
Local AS : 64496 Local Port : 179
Local Address : 192.0.2.5
Peer Type : Internal Dynamic Peer : Yes
State : Established Last State : Established
Last Event : recvOpen
Last Error : Cease (Connection Collision Resolution)
Local Family : IPv4
Remote Family : IPv4
Hold Time : 90 Keep Alive : 30
Min Hold Time : 0
Active Hold Time : 90 Active Keep Alive : 30
Cluster Id : 5.5.5.5
---snip---
-------------------------------------------------------------------------------
Neighbors shown : 1
===============================================================================
* indicates that the corresponding row element may have been truncated.
The BGP configuration on route reflector RR-5 is modified with static BGP neighbor PE-1, as follows:
# on RR-5:
configure {
    router "Base" {
        autonomous-system 64496
        bgp {
            loop-detect discard-route
            split-horizon true
            dynamic-neighbor-limit 20
            group "iBGP" {
                peer-as 64496
                dynamic-neighbor-limit 10
                cluster {
                    cluster-id 5.5.5.5
                }
                dynamic-neighbor {
                    match {
                        prefix 192.0.2.0/24 {
                            allowed-peer-as ["64496"]
                        }
                    }
                }
            }
            neighbor "192.0.2.1" {    # defines PE-1 as a static neighbor
                group "iBGP"
                keepalive 20
                hold-time {
                    seconds 60
                }
            }
Therefore, the properties of BGP group iBGP are as follows:
[]
A:admin@RR-5# show router bgp group "iBGP"
===============================================================================
BGP Group : iBGP
===============================================================================
Group : iBGP
Description : (Not Specified)
Group Type : No Type State : Up
Peer AS : 64496 Local AS : 64496
Local Address : n/a Loop Detect : Discard
Import Policy : None Specified - Default Reject
Export Policy : None Specified - Default Reject
Hold Time : 90 Keep Alive : 30
Min Hold Time : 0
Cluster Id : 5.5.5.5 Client Reflect : Enabled
NLRI : Unicast Preference : 170
TTL Security : Disabled Min TTL Value : n/a
Graceful Restart : Disabled Stale Routes Time: n/a
Restart Time : n/a
Auth key chain : n/a
Bfd Enabled : Disabled Disable Cap Nego : Disabled
Creation Origin : manual
Flowspec Validate: Disabled
Default Route Tgt: Disabled
Aigp Metric : Disabled
Split Horizon : Enabled
Damp Peer Oscill*: Disabled
GR Notification : Disabled Fault Tolerance : Disabled
Next-Hop Unchang*: None
Routes Resolve T*: Disabled
List of Static Peers
- 192.0.2.1 :
List of Dynamic Peers
- 192.0.2.2
- 192.0.2.3
- 192.0.2.4
Total Peers : 4 Established : 4
-------------------------------------------------------------------------------
Peer Groups : 1
===============================================================================
* indicates that the corresponding row element may have been truncated.
The BGP session toward PE-1 is static. The short session time is an indication that the BGP session toward PE-1 has been reestablished, as follows:
[]
A:admin@RR-5# show router bgp summary all
===============================================================================
BGP Summary
===============================================================================
Legend : D - Dynamic Neighbor
===============================================================================
Neighbor
Description
ServiceId AS PktRcvd InQ Up/Down State|Rcv/Act/Sent (Addr Family)
PktSent OutQ
-------------------------------------------------------------------------------
192.0.2.1
Def. Instance 64496 95 0 00h01m33s 0/0/3 (IPv4)
16 0
192.0.2.2(D)
Def. Instance 64496 7 0 00h47m44s 1/1/2 (IPv4)
8 0
192.0.2.3(D)
Def. Instance 64496 94 0 00h45m04s 1/1/2 (IPv4)
99 0
192.0.2.4(D)
Def. Instance 64496 92 0 00h44m02s 1/1/2 (IPv4)
97 0
-------------------------------------------------------------------------------
Reestablishment of the BGP session is also indicated in log 99, as follows:
76 2020/08/19 16:41:37.265 CEST MINOR: BGP #2038 Base Peer 1: 192.0.2.1
"(ASN 64496) VR 1: Group iBGP: Peer 192.0.2.1: moved into established state"
75 2020/08/19 16:41:37.255 CEST WARNING: BGP #2011 Base Peer 1: 192.0.2.1
"(ASN 64496) VR 1: Group iBGP: Peer 192.0.2.1: remote end closed connection"
74 2020/08/19 16:41:37.255 CEST WARNING: BGP #2005 Base Peer 1: 192.0.2.1
"(ASN 64496) VR 1: Group iBGP: Peer 192.0.2.1: sending notification: code CEASE
subcode CONN_COLL_RES"
73 2020/08/19 16:41:37.234 CEST WARNING: BGP #2039 Base Peer 1: 192.0.2.1
"(ASN 64496) VR 1: Group iBGP: Peer 192.0.2.1: sending notification: code CEASE subcode CONFIG_CHG"
72 2020/08/19 16:41:37.225 CEST WARNING: BGP #2011 Base Peer 1: 192.0.2.1
"(ASN 64496) VR 1: Group iBGP: Peer 192.0.2.1: moved from higher state ESTABLISHED to lower state IDLE due to event CONFIG_CHG"
New and more specific settings apply to static neighbor PE-1, as follows:
[]
A:admin@RR-5# show router bgp neighbor 192.0.2.1
===============================================================================
BGP Neighbor
===============================================================================
-------------------------------------------------------------------------------
Peer : 192.0.2.1
Description : (Not Specified)
Group : iBGP
-------------------------------------------------------------------------------
Peer AS : 64496 Peer Port : 49436
Peer Address : 192.0.2.1
Local AS : 64496 Local Port : 179
Local Address : 192.0.2.5
Peer Type : Internal Dynamic Peer : No
State : Established Last State : Established
Last Event : recvOpen
Last Error : Cease (Connection Collision Resolution)
Local Family : IPv4
Remote Family : IPv4
Hold Time : 60 Keep Alive : 20
Min Hold Time : 0
Active Hold Time : 60 Active Keep Alive : 20
Cluster Id : 5.5.5.5
---snip---
The properties of all dynamic peers can be displayed using a single command, as follows:
[]
A:admin@RR-5# show router bgp neighbor dynamic
===============================================================================
BGP Neighbor
===============================================================================
-------------------------------------------------------------------------------
Peer : 192.0.2.2
Description : (Not Specified)
Group : iBGP
-------------------------------------------------------------------------------
Peer AS : 64496 Peer Port : 49704
Peer Address : 192.0.2.2
Local AS : 64496 Local Port : 179
Local Address : 192.0.2.5
Peer Type : Internal Dynamic Peer : Yes
State : Established Last State : Established
---snip---
-------------------------------------------------------------------------------
Peer : 192.0.2.3
Description : (Not Specified)
Group : iBGP
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Peer AS : 64496 Peer Port : 49636
Peer Address : 192.0.2.3
Local AS : 64496 Local Port : 179
Local Address : 192.0.2.5
Peer Type : Internal Dynamic Peer : Yes
State : Established Last State : Established
---snip---
-------------------------------------------------------------------------------
Peer : 192.0.2.4
Description : (Not Specified)
Group : iBGP
-------------------------------------------------------------------------------
Peer AS : 64496 Peer Port : 49840
Peer Address : 192.0.2.4
Local AS : 64496 Local Port : 179
Local Address : 192.0.2.5
Peer Type : Internal Dynamic Peer : Yes
State : Established Last State : Established
---snip---
-------------------------------------------------------------------------------
Neighbors shown : 3
===============================================================================
* indicates that the corresponding row element may have been truncated.
Lowering the dynamic peer limit will not tear down any existing BGP sessions, as follows:
# on RR-5:
configure {
    router "Base" {
        bgp {
            group "iBGP" {
                dynamic-neighbor-limit 2
            }
A hard reset of a running BGP session will result in that BGP session being torn down, as follows:
[]
A:admin@RR-5# clear router bgp neighbor 192.0.2.4 hard
The BGP peer fails to reconnect to the route reflector, because the peer limit has been reached, as follows:
80 2020/08/19 17:12:39.585 CEST MINOR: BGP #2037 Base VR 1: Group iBGP
"192.0.2.4: Closing connection: reached dynamic peer limit (2) for BGP group iBGP"
79 2020/08/19 17:12:39.574 CEST WARNING: BGP #2005 Base Peer 1: 192.0.2.4
"(ASN 64496) VR 1: Group iBGP: Peer 192.0.2.4: sending notification: code CEASE
subcode HARD_RESET"
78 2020/08/19 17:12:39.574 CEST WARNING: BGP #2039 Base Peer 1: 192.0.2.4
"(ASN 64496) VR 1: Group iBGP: Peer 192.0.2.4: moved from higher state ESTABLISHED
to lower state IDLE due to event ADMIN_RESET_HARD"
77 2020/08/19 17:12:39.562 CEST INDETERMINATE: LOGGER #2010 Base Clear BGP
"Clear function clearRtrBgpNbr has been run with parameters: rtr-name="Base"
neighbor="192.0.2.4" type="hard". The completion result is: success.
Additional error text, if any, is: "
Dynamic BGP peers in multiple ASs
In SR OS Release 19.5.R1 and later, dynamic BGP sessions associated with a single BGP peer group can belong to different peer Autonomous Systems (ASs), both in the base router and in VPRNs. The figure "Example topology with VPRN 1 in different ASs" shows the example topology with VPRN 1 configured in different ASs. Each interface in VPRN 1 has an IPv4 and an IPv6 address.
EBGP sessions are established between VPRN 1 on PE-1 and VPRN 1 on the other nodes. In VPRN 1 on PE-2, PE-3, and PE-4, static BGP neighbors are configured. The VPRN configuration on PE-2 is as follows:
# on PE-2:
configure {
    service {
        vprn "VPRN 1" {
            admin-state enable
            service-id 1
            customer "1"
            autonomous-system 64502
            router-id 172.31.0.2
            route-distinguisher "1:1"
            vrf-target {
                community "target:1:1"
            }
            bgp {
                router-id 172.31.0.2
                split-horizon true
                group "eBGPv4" {
                    next-hop-self true
                    peer-as 64501
                    family {
                        ipv4 true
                    }
                }
                group "eBGPv6" {
                    next-hop-self true
                    peer-as 64501
                    family {
                        ipv6 true
                    }
                }
                neighbor "172.16.12.1" {
                    group "eBGPv4"
                    export {
                        policy ["exp-vprn-1-v4"]
                    }
                }
                neighbor "2001:db8::12:1" {
                    group "eBGPv6"
                    export {
                        policy ["exp-vprn-1-v6"]
                    }
                }
            }
            interface "int-VPRN1-PE-2-PE-1" {
                ipv4 {
                    primary {
                        address 172.16.12.2
                        prefix-length 30
                    }
                }
                sap 1/1/1:1 {
                }
                ipv6 {
                    address 2001:db8::12:2 {
                        prefix-length 126
                    }
                }
            }
            interface "system" {
                loopback true
                ipv4 {
                    primary {
                        address 172.31.0.2
                        prefix-length 32
                    }
                }
                ipv6 {
                    address 2001:db8::31:0:2 {
                        prefix-length 128
                    }
                }
            }
        }
In VPRN 1 on PE-1, dynamic BGP peering is configured for IPv4 prefixes matching 172.16.0.0/16 in AS 64502 (PE-2) or AS 64504 (PE-4), and for IPv6 prefixes matching 2001:db8::/107 in the AS range from 64502 (PE-2) to 64503 (PE-3). The BGP configuration in VPRN 1 on PE-1 is as follows:
# on PE-1:
configure {
    service {
        vprn "VPRN 1" {
            bgp {
                router-id 172.31.0.1
                split-horizon true
                group "eBGPv4" {
                    next-hop-self true
                    dynamic-neighbor-limit 10
                    family {
                        ipv4 true
                    }
                    import {
                        policy ["1:1"]
                    }
                    export {
                        policy ["exp-vprn-1-v4" "1:1"]
                    }
                    dynamic-neighbor {
                        match {
                            prefix 172.16.0.0/16 {
                                allowed-peer-as ["64502" "64504"]
                            }
                        }
                    }
                }
                group "eBGPv6" {
                    next-hop-self true
                    dynamic-neighbor-limit 10
                    family {
                        ipv6 true
                    }
                    export {
                        policy ["exp-vprn-1-v6" "1:1"]
                    }
                    import {
                        policy ["1:1"]
                    }
                    dynamic-neighbor {
                        match {
                            prefix 2001:db8::/107 {
                                allowed-peer-as ["64502..64503"]
                            }
                        }
                    }
                }
            }
A dynamic BGP session can be rejected if the BGP OPEN message received from the neighbor does not report an AS number in the allowed list: in the "eBGPv4" group, AS 64503 is not allowed, and in the "eBGPv6" group, AS 64504 is not allowed. PE-1 sends a notification message with code OPEN and subcode INCORRECT_AS to PE-3 in AS 64503, and the following notification is logged in log 99:
14 2020/08/19 16:55:19.697 CEST WARNING: BGP #2005 vprn1 Peer 2: 172.16.13.2
"(ASN 0) VR 2: Group eBGPv4: Peer 172.16.13.2: sending notification: code OPEN subcode INCORRECT_AS"
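Both rejection events shown in this chapter (the group peer limit being reached and an OPEN from a disallowed AS) are worth watching for, because they are the only trace left by a source that matched a dynamic-neighbor prefix but was refused. The following is an added example, not part of the original chapter or of SR OS: a small parser for the two-line log 99 format, run over lines copied from the excerpts on this page. The function names and regular expressions are this example's own, and it assumes group names contain no spaces.

```python
import re
from collections import Counter

# Lines copied from the log 99 excerpts on this page (newest first).
SAMPLE_LOG = '''\
80 2020/08/19 17:12:39.585 CEST MINOR: BGP #2037 Base VR 1: Group iBGP
"192.0.2.4: Closing connection: reached dynamic peer limit (2) for BGP group iBGP"
79 2020/08/19 17:12:39.574 CEST WARNING: BGP #2005 Base Peer 1: 192.0.2.4
"(ASN 64496) VR 1: Group iBGP: Peer 192.0.2.4: sending notification: code CEASE
subcode HARD_RESET"
14 2020/08/19 16:55:19.697 CEST WARNING: BGP #2005 vprn1 Peer 2: 172.16.13.2
"(ASN 0) VR 2: Group eBGPv4: Peer 172.16.13.2: sending notification: code OPEN subcode INCORRECT_AS"
'''

# Header line: sequence, timestamp, zone, severity, application, event id, subject.
HEADER = re.compile(
    r'^(?P<seq>\d+) (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+) (?P<tz>\S+) '
    r'(?P<sev>[A-Z]+): (?P<app>\S+) #(?P<event>\d+) (?P<subject>.*)$')
LIMIT = re.compile(r'(?P<peer>\S+): Closing connection: reached dynamic peer limit '
                   r'\((?P<limit>\d+)\) for BGP group (?P<group>\S+)')
BAD_AS = re.compile(r'Group (?P<group>\S+): Peer (?P<peer>\S+): sending notification: '
                    r'code OPEN subcode INCORRECT_AS')

def parse_events(text):
    """Group header lines with their (possibly wrapped) quoted message."""
    events, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            cur = dict(m.groupdict(), message="")
            events.append(cur)
        elif cur is not None and line:
            cur["message"] = (cur["message"] + " " + line).strip()
    for ev in events:
        ev["message"] = ev["message"].strip('"').strip()
    return events

def rejected_dynamic_peers(events):
    """Return one finding per refused dynamic peer connection."""
    findings = []
    for ev in events:
        for reason, rx in (("peer-limit", LIMIT), ("bad-peer-as", BAD_AS)):
            m = rx.search(ev["message"])
            if m:
                findings.append({"reason": reason, "peer": m["peer"],
                                 "group": m["group"], "ts": ev["ts"]})
    return findings

def count_by_peer(findings):
    """Repeated refusals from one source stand out in this tally."""
    return Counter((f["peer"], f["reason"]) for f in findings)

if __name__ == "__main__":
    for f in rejected_dynamic_peers(parse_events(SAMPLE_LOG)):
        print(f)
```
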
When debugging is enabled for BGP OPEN messages and BGP notifications, the following messages are logged on PE-1: a BGP OPEN message received from PE-3 in AS 64503 and a BGP notification with code OPEN and subcode Bad Peer AS.
7 2020/08/19 16:55:19.697 CEST MINOR: DEBUG #2001 vprn1 Peer 2: 172.16.13.2
"Peer 2: 172.16.13.2: NOTIFICATION
Peer 2: 172.16.13.2 - Send BGP NOTIFICATION: Code = 2 (OPEN) Subcode = 2 (Bad Peer AS)
"
6 2020/08/19 16:55:19.697 CEST MINOR: DEBUG #2001 vprn1 BGP
"BGP: OPEN
Peer 2: 172.16.13.2 - Received BGP OPEN: Version 4
AS Num 64503: Holdtime 90: BGP_ID 172.31.0.3: Opt Length 20 (ExtOpt F)
Opt Para: Type CAPABILITY: Length = 18: Data:
Cap_Code GRACEFUL-RESTART: Length 2
Bytes: 0x0 0x78
Cap_Code MP-BGP: Length 4
Bytes: 0x0 0x1 0x0 0x1
Cap_Code ROUTE-REFRESH: Length 0
Cap_Code 4-OCTET-ASN: Length 4
Bytes: 0x0 0x0 0xfb 0xf7 # AS 64503
"
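The admission rules described in this chapter (longest-prefix match on the source address, the allowed-peer-as list including ranges, and the group and instance limits) can be modelled to check which sources a given configuration would accept before it is deployed. The following is an added example, not SR OS code: all class and function names are its own, the order of the checks is an assumption, and the prefix 172.16.99.0/24, group "eBGPv4-lab", AS 64510 and the VPRN instance limit of 20 are constructed to exercise overlapping prefixes.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Match:
    group: str        # BGP group the prefix is configured under
    prefix: str       # dynamic-neighbor match prefix
    allowed_as: list  # allowed-peer-as entries: "64502" or "64502..64503"

@dataclass
class Bgp:
    matches: list
    group_limit: dict     # group -> dynamic-neighbor-limit
    instance_limit: int   # BGP-level dynamic-neighbor-limit
    sessions: dict = field(default_factory=dict)  # source IP -> group

def as_allowed(entries, asn):
    """True if asn equals a single entry or lies inside a 'lo..hi' range."""
    for entry in entries:
        lo, _, hi = entry.partition("..")
        if int(lo) <= asn <= int(hi or lo):
            return True
    return False

def longest_match(bgp, src):
    """Return the Match with the longest prefix containing src, or None."""
    ip = ipaddress.ip_address(src)
    hits = [m for m in bgp.matches if ip in ipaddress.ip_network(m.prefix)]
    return max(hits, key=lambda m: ipaddress.ip_network(m.prefix).prefixlen,
               default=None)

def admit(bgp, src, open_as):
    """Decide on a connection from src whose OPEN carries open_as.
    The check order (prefix, limits, AS) is an assumption of this model."""
    m = longest_match(bgp, src)
    if m is None:
        return ("reject", "no matching prefix")
    if len(bgp.sessions) >= bgp.instance_limit:
        return ("reject", "instance limit")
    if list(bgp.sessions.values()).count(m.group) >= bgp.group_limit[m.group]:
        return ("reject", "group limit")
    if not as_allowed(m.allowed_as, open_as):
        return ("reject", "bad peer AS")
    bgp.sessions[src] = m.group
    return ("accept", m.group)

def pe1_vprn1():
    """VPRN 1 on PE-1 as configured on this page, plus one constructed
    overlapping prefix in a hypothetical group."""
    return Bgp(
        matches=[
            Match("eBGPv4", "172.16.0.0/16", ["64502", "64504"]),
            Match("eBGPv6", "2001:db8::/107", ["64502..64503"]),
            Match("eBGPv4-lab", "172.16.99.0/24", ["64510"]),  # constructed
        ],
        group_limit={"eBGPv4": 10, "eBGPv6": 10, "eBGPv4-lab": 10},
        instance_limit=20,  # constructed: the page sets no limit at VPRN level
    )

if __name__ == "__main__":
    bgp = pe1_vprn1()
    for src, asn in [("172.16.12.2", 64502), ("172.16.13.2", 64503),
                     ("2001:db8::13:2", 64503), ("172.16.99.1", 64502)]:
        print(src, asn, admit(bgp, src, asn))
```

In this model, a source inside 172.16.99.0/24 is judged against the AS list of that more specific prefix only, so AS 64502 is refused there even though the covering /16 allows it.
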
The following BGP summary on PE-1 shows four dynamic BGP neighbors: 172.16.12.2 (in AS 64502), 172.16.14.2 (in AS 64504), 2001:db8::12:2 (in AS 64502), and 2001:db8::13:2 (in AS 64503):
[]
A:admin@PE-1# show router bgp summary all
===============================================================================
BGP Summary
===============================================================================
Legend : D - Dynamic Neighbor
===============================================================================
Neighbor
Description
ServiceId AS PktRcvd InQ Up/Down State|Rcv/Act/Sent (Addr Family)
PktSent OutQ
-------------------------------------------------------------------------------
192.0.2.5
Def. Instance 64496 19 0 00h04m34s 2/2/0 (IPv4)
17 0
172.16.12.2(D)
Svc: 1 64502 8 0 00h01m36s 1/1/2 (IPv4)
9 0
172.16.14.2(D)
Svc: 1 64504 8 0 00h01m56s 1/1/2 (IPv4)
9 0
2001:db8::12:2(D)
Svc: 1 64502 8 0 00h01m54s 1/1/2 (IPv6)
9 0
2001:db8::13:2(D)
Svc: 1 64503 8 0 00h01m57s 1/1/2 (IPv6)
9 0
-------------------------------------------------------------------------------
The following command shows that BGP group "eBGPv4" has two dynamic peers (172.16.12.2 and 172.16.14.2) and group "eBGPv6" has two dynamic peers (2001:db8::12:2 and 2001:db8::13:2):
[]
A:admin@PE-1# show router 1 bgp group
===============================================================================
BGP Group
===============================================================================
Group : eBGPv4
Description : (Not Specified)
Group Type : No Type State : Up
Peer AS : n/a Local AS : 64501
Local Address : n/a Loop Detect : Ignore
Import Policy : 1:1
: Default Reject
Export Policy : exp-vprn-1-v4
: 1:1
: Default Reject
---snip---
List of Static Peers
List of Dynamic Peers
- 172.16.12.2
- 172.16.14.2
Total Peers : 2 Established : 2
Group : eBGPv6
Description : (Not Specified)
Group Type : No Type State : Up
Peer AS : n/a Local AS : 64501
Local Address : n/a Loop Detect : Ignore
Import Policy : 1:1
: Default Reject
Export Policy : exp-vprn-1-v6
: 1:1
: Default Reject
---snip---
List of Static Peers
List of Dynamic Peers
- 2001:db8::12:2
- 2001:db8::13:2
Total Peers : 2 Established : 2
-------------------------------------------------------------------------------
Peer Groups : 2
===============================================================================
* indicates that the corresponding row element may have been truncated.
Conclusion
The use of dynamic BGP peers provides ISPs the means to reduce the configuration file size for routers. This reduces the number of configuration changes to be made to the network over time, which lowers the operational cost of running the network.