I used to think that everyone who configures BGP or an MTA knows, at least in general outline, how to do it. Now I see that route leaks are not just isolated random errors but a frighteningly widespread phenomenon. So I think a description of things that are banal and obvious to many would not be amiss.
1. BGP sessions are with upstreams, with customers, and with peers (I won't go into more complicated cases). If the AS is small, there is no peering. If it is very small, there are no BGP customers either, only upstreams. BGP must be configured so that only your customers' announcements go out to upstreams (and peers), never announcements received from other upstreams. A network filter (access-list or prefix-list) does not solve this problem! Your customer may have another upstream besides you, and your customer's prefix, received not directly from the customer but via that upstream, will be passed on to your other upstream. Everything may be fine today, but tomorrow your customer changes something. Nor does an as-path filter solve this problem in general: the fifth time you change upstreams, you will most likely forget to carefully redo all the filters. The correct solution uses BGP communities: on announcements received from an upstream, set a special community attribute, and do not send announcements carrying this attribute to upstreams. Or the other way round: set a special attribute on announcements from customers, and give upstreams only those and nothing else. Then your customer's announcements leave for the upstream if you received them directly from the customer, and do not leave if they arrived another way (from an upstream).
2. Communities are external and internal. External ones are those you hand out to customers and accept from them. Internal ones are used only inside your own AS. For routing to work correctly, neither a customer nor an upstream should be able to set a community that changes how you view the origin of an announcement. For example, it is wrong to allow a situation where an upstream sends you an announcement carrying your "customer" community and that announcement then goes out to another upstream. To avoid this, internal communities must be cleaned off announcements received from both customers and upstreams. For example, internal communities can be two- or three-digit and external ones four- or five-digit, and on receipt you delete all of your own two- and three-digit communities. "Your own" means those of the form xxxx:yyyy where the xxxx part is your AS number.
3. A rule of good taste: delete all your unnecessary communities when exporting announcements. That is, all of them on export to upstreams, and all except the specifically informational ones on export to customers. Unnecessary communities clutter the memory of routers (worldwide!) and increase BGP convergence time.
4. Do you think your routing is all right? Enter your AS number here and click "show route-leaks". Most likely you will learn many interesting things. If you suddenly find nothing, do not relax: look over a longer period of time, it has happened before.
5. Do not use weight unless you know exactly why and what you are doing. For prioritising prefixes there is local-preference. The difference is that localpref is propagated between your routers, so it is enough to set it at the edge of your BGP domain.
6. When configuring BGP on Cisco and many other platforms, you must first specify the AS number at the other end (remote-as). Immediately after that, BGP tries to come up, before any filters are configured. As a result, the upstream collects a full view from you, or you receive a full view from your customer. To prevent this, BGP must not come up until it is completely configured. In more or less recent IOS versions, specifically for this, you can add "shutdown" to the end of the "neighbor ... remote-as ..." command. If that is not possible, first shut down the subinterface, then configure BGP with all its filters, and only then say "no shutdown". Fortunately, Juniper does not have this problem: there you can configure everything first and then commit.
7. Who does not keep all router configs in cvs or svn? And does not track changes with diffs? And how do you live without it? ;-)
I'll write about the more complex cases of route leaks next time.
UPD: I forgot to mention a much-needed setting for customer and peer BGP sessions: a limit on the number of prefixes. It helps a lot against route leaks and other troubles. For example, on Cisco IOS: "neighbor ... maximum-prefix 100 restart 10"; on JunOS: "set protocols bgp group CLIENTS family inet unicast prefix-limit maximum 100 teardown idle-timeout 10". That is, if a customer sends more than a hundred announcements, the BGP session with it goes down automatically for 10 minutes and then comes back up automatically; if the customer has fixed the error by then, it stays up, and if not, it goes down again for 10 minutes, and so on. Of course, this limit can be set individually for different customers.
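Putting rules 1, 2, 3, 5, 6 and the UPD together, here is an added Cisco IOS configuration example (not from the original post) for a constructed AS 64500 with one upstream (AS 64501) and one customer (AS 64502); all AS numbers, addresses and community values are documentation-range placeholders chosen for the example.

```cisco
! Constructed example: AS 64500 with one upstream (AS 64501) and one customer (AS 64502).
! All ASNs and addresses are documentation ranges, not real networks.
ip bgp-community new-format
!
! Internal communities (short yyyy part): 64500:100 = learned from upstream,
! 64500:200 = learned from a customer. Never accepted from or exported to anyone.
ip community-list standard INTERNAL permit 64500:100
ip community-list standard INTERNAL permit 64500:200
ip community-list standard CUST-TAG permit 64500:200
!
ip prefix-list OWN-PREFIXES seq 5 permit 192.0.2.0/24
!
! Inbound from upstream: strip any internal community the peer may have set, then tag.
route-map FROM-UPSTREAM permit 10
 set comm-list INTERNAL delete
 set community 64500:100 additive
 set local-preference 100
!
! Inbound from customer: same cleanup, then tag as customer-learned and prefer it.
route-map FROM-CUSTOMER permit 10
 set comm-list INTERNAL delete
 set community 64500:200 additive
 set local-preference 200
!
! Outbound to upstream: only our own prefixes and customer-tagged routes leave;
! upstream-learned routes (64500:100) fall through to the implicit deny.
! Internal tags are removed on export so they do not clutter tables elsewhere.
route-map TO-UPSTREAM permit 10
 match ip address prefix-list OWN-PREFIXES
 set comm-list INTERNAL delete
route-map TO-UPSTREAM permit 20
 match community CUST-TAG
 set comm-list INTERNAL delete
!
router bgp 64500
 neighbor 198.51.100.1 remote-as 64501
 neighbor 198.51.100.1 shutdown
 neighbor 198.51.100.1 send-community
 neighbor 198.51.100.1 route-map FROM-UPSTREAM in
 neighbor 198.51.100.1 route-map TO-UPSTREAM out
 neighbor 203.0.113.2 remote-as 64502
 neighbor 203.0.113.2 shutdown
 neighbor 203.0.113.2 send-community
 neighbor 203.0.113.2 route-map FROM-CUSTOMER in
 neighbor 203.0.113.2 maximum-prefix 100 restart 10
! Only after the filters above are in place: "no neighbor ... shutdown" for each session.
```

A customer prefix that arrives via the upstream carries 64500:100 rather than 64500:200 and so is never re-announced to the upstream, which is exactly the leak the as-path and prefix-list approaches miss.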