BGP on Cisco

In this guide we explain how to configure BGP for both IPv4 and IPv6 on Cisco routers. Our example uses an ASR1001-X, which has 8GB of RAM and can therefore hold the full path table, or Default-Free Zone (DFZ). The steps are very similar for other models, although devices with little memory may not be able to hold the DFZ; for those it is better to accept only the default route delivered by BGP.

We recommend that you check the maximum number of routes your equipment can handle, to decide whether or not you can use the DFZ (complete route table).

  • Introduction
  • Define the IP addresses of your interfaces for IP transit, Perú IX (PIT Peru sac) (pitperu.net) and your internal network, enable IP version 6 and configure interfaces
  • Define the ASN of your company (the ASN granted by LACNIC)
  • Create the IP Prefix Lists for the OUT filters and IN filters
  • Create the BGP Peer with your IP transit Provider
  • Create the BGP Peers with the Route Servers of the Perú IX (PIT Peru sac) (pitperu.net)
  • Define the prefixes that you are going to announce
  • Check operation

1. Introduction

In Peru IX we promote the use of IPv6, and our first advice is to lose your fear of it. At first it may seem somewhat difficult, since the addresses are long and contain not only numbers but also some letters and colons, but once you understand it, it is very simple, since it has great similarities with IPv4. If you have not yet had any contact with IPv6, I recommend you review this explanatory video about the basic concepts of IPv6: https://www.youtube.com/watch?v=43VBLzwWwxU

In this example we are going to configure both IPv4 and IPv6 addresses, as well as BGP sessions for IPv4 and IPv6.

In order to exemplify the configurations, we will make use of some assumptions, which should be replaced with the IP addresses assigned by the IP transit provider, Perú IX (PIT Peru sac) and LACNIC.

Disclaimer: I am not an expert in Cisco equipment but I thank Manuel from WOW for the help with the commands for Cisco equipment.

2. Define the IPv4 and IPv6 addresses of your interfaces for IP transit, Perú IX (PIT Peru sac) (pitperu.net) and your internal network, enable IP version 6 and configure interfaces

Assumptions for the example:

  • The ASN granted by LACNIC to our organization is AS 123456
  • IPv4 block assigned by LACNIC is 100.100.100.0/22
  • IPv6 block assigned by LACNIC is 2803:cd10::/32
  • IPv4 address for the point to point of the IP transit provider 198.51.100.2/30 (where the equipment on the side of the IP transit provider against which we will do the BGP is 198.51.100.1)
  • IPv6 address for the point-to-point of the IP transit provider 2803:dd99:1111::2/126 (where the equipment on the IP transit Provider side against which we will do the BGP is 2803:dd99:1111::1)
  • IPv4 address assigned by Perú IX (PIT Peru sac) (pitperu.net) is 45.183.47.254/24
  • IPv6 address assigned by Perú IX (PIT Peru sac) (pitperu.net) is 2803:cd60:6411:5::ff/64

Enable IPv6 on your router

The first thing we will do is enable IPv6 on our Router

Router> enable
Router# configure terminal
Router(config)# ipv6 unicast-routing

Configure IPv4 and IPv6 addresses on the interfaces

In order to simplify the explanation, we will assign both the IPv4 and IPv6 prefixes granted by LACNIC on the TenGigabitEthernet0/0/0 interface. However, they can also be assigned to a loopback interface, and smaller segments such as /24 for IPv4 or /48 for IPv6 can then be sub-allocated to other interfaces or to other routers using static or dynamic routes, with either OSPF or iBGP.

#Configure LAN interface of your ISP / WISP #
# It can be configured on a loopback interface as well, and then we do static or dynamic routes to other subnets #
Router(config)# interface TenGigabitEthernet0/0/0
Router(config-if)# ip address 100.100.100.1 255.255.252.0
Router(config-if)# description LAN
Router(config-if)# ipv6 enable
Router(config-if)# ipv6 address 2803:cd10::1/32
Router(config-if)# no shutdown

Then we are going to define the IPv4 and IPv6 addresses of the IP transit provider, in case they are not already defined on the device. In our example this connection is on the interface TenGigabitEthernet0/0/1.

#Configure the interface of your IP transit provider#
Router(config)# interface TenGigabitEthernet0/0/1
Router(config-if)# ip address 198.51.100.2 255.255.255.252
Router(config-if)# description IP_transit_AS1200
Router(config-if)# ipv6 enable
Router(config-if)# ipv6 address 2803:dd99:1111::2/126
Router(config-if)# no shutdown

Finally, we are going to configure the IP addresses granted by Perú IX (PIT Peru sac). In this example this connection is on interface TenGigabitEthernet0/0/2.

#Configure interface to Perú IX (PIT Peru sac) (pitperu.net) #
Router(config)# interface TenGigabitEthernet0/0/2
Router(config-if)# ip address 45.183.47.254 255.255.255.0
Router(config-if)# description PIT_Peru_sac
Router(config-if)# ipv6 enable
Router(config-if)# ipv6 address 2803:cd60:6411:5::ff/64
Router(config-if)# no shutdown

3. Define the ASN of your company (the ASN granted by LACNIC)

In our example we are going to assume that LACNIC granted us the ASN 123456. As router-id we are going to use the IPv4 address granted by Perú IX (PIT Peru sac) (pitperu.net).

#Define your public ASN on the router #
router bgp 123456
bgp router-id 45.183.47.254
bgp graceful-restart
bgp graceful-restart restart-time 120
bgp graceful-restart stalepath-time 360

Note: a good practice, although not mandatory, is to configure a loopback interface with a private IP range and then use it as router-id in the BGP configuration, in order to avoid the route flapping that occurs when the IP address of an interface is changed.

4. Create IP Prefix Lists for OUT filters and IN filters

Before starting the BGP sessions, it is VERY IMPORTANT to create the security filters, both inbound and outbound.

Important: in the filters, the order of the entries matters: the lines that must be evaluated first need the lowest index (this applies when the same list already has earlier prefix-list lines).

IPv4 outbound filters

#In this case, the list for the outbound filter to the IP transit provider is IP_TRANSIT_AS1200_OUT, and what it allows is to send our IPv4 prefix as /22 and not send anything else #
Router(config)# ip prefix-list IP_TRANSIT_AS1200_OUT permit 100.100.100.0/22
Router(config)# ip prefix-list IP_TRANSIT_AS1200_OUT deny 0.0.0.0/0 le 32
 
# In this case the list for the outbound filter to the PIT Peru sac route servers is PIT_PERU_RS_OUT, and what it allows is to send our IPv4 prefix as /22 and as /24 and not send anything else #
Router(config)# ip prefix-list PIT_PERU_RS_OUT permit 100.100.100.0/22 le 24
Router(config)# ip prefix-list PIT_PERU_RS_OUT deny 0.0.0.0/0 le 32

IPv6 outbound filters

#In this case we will use the list IP_TRANSIT_AS1200_IPv6_OUT for our IP transit provider for IPv6 prefixes #
Router(config)# ipv6 prefix-list IP_TRANSIT_AS1200_IPv6_OUT permit 2803:cd10::/32 le 64
Router(config)# ipv6 prefix-list IP_TRANSIT_AS1200_IPv6_OUT deny ::/0 le 128
 
#In this case we will use the list PIT_PERU_RS_IPv6_OUT for our filters to the PIT Peru sac (pitperu.net) for IPv6 prefixes #
Router(config)# ipv6 prefix-list PIT_PERU_RS_IPv6_OUT permit 2803:cd10::/32 le 64
Router(config)# ipv6 prefix-list PIT_PERU_RS_IPv6_OUT deny ::/0 le 128

Inbound IPv4 filters

Because of the limited number of IPv4 routes that mid-range Cisco routers can handle, we will allow the IP transit provider to announce only the default route to us. If we have a high-end router model that supports more than 1,000,000 IPv4 routes, we can accept the complete table of routes.

#filters that only allow receiving default route from IP transit provider #
Router(config)# ip prefix-list IP_TRANSIT_AS1200_IN permit 0.0.0.0/0
Router(config)# ip prefix-list IP_TRANSIT_AS1200_IN deny 0.0.0.0/0 le 32
 
#filters that reject the default route, bogons and martians and allow all the rest#
Router(config)# ip prefix-list PIT_PERU_RS_IN deny 0.0.0.0/0             // that is, we do not accept the default route
Router(config)# ip prefix-list PIT_PERU_RS_IN deny 45.183.47.0/24 le 32  // that is, we do not accept the LAN route of the PIT Peru sac, since it must only be reachable through the assigned interface and not through another path
Router(config)# ip prefix-list PIT_PERU_RS_IN deny 0.0.0.0/8 le 32       // rfc1122
Router(config)# ip prefix-list PIT_PERU_RS_IN deny 10.0.0.0/8 le 32      // rfc1918
Router(config)# ip prefix-list PIT_PERU_RS_IN deny 100.64.0.0/10 le 32   // rfc6598
Router(config)# ip prefix-list PIT_PERU_RS_IN deny 127.0.0.0/8 le 32     // rfc1122
Router(config)# ip prefix-list PIT_PERU_RS_IN deny 169.254.0.0/16 le 32  // rfc3927
Router(config)# ip prefix-list PIT_PERU_RS_IN deny 172.16.0.0/12 le 32   // rfc1918
Router(config)# ip prefix-list PIT_PERU_RS_IN deny 192.0.2.0/24 le 32    // rfc5737
Router(config)# ip prefix-list PIT_PERU_RS_IN deny 192.88.99.0/24 le 32  // rfc7526
Router(config)# ip prefix-list PIT_PERU_RS_IN deny 192.168.0.0/16 le 32  // rfc1918
Router(config)# ip prefix-list PIT_PERU_RS_IN deny 198.18.0.0/15 le 32   // rfc2544
Router(config)# ip prefix-list PIT_PERU_RS_IN deny 198.51.100.0/24 le 32 // rfc5737
Router(config)# ip prefix-list PIT_PERU_RS_IN deny 203.0.113.0/24 le 32  // rfc5737
Router(config)# ip prefix-list PIT_PERU_RS_IN deny 224.0.0.0/4 le 32     // multicast
Router(config)# ip prefix-list PIT_PERU_RS_IN deny 240.0.0.0/4 le 32     // reserved
Router(config)# ip prefix-list PIT_PERU_RS_IN deny 0.0.0.0/0 ge 25       // filter prefixes more specific than a /24
Router(config)# ip prefix-list PIT_PERU_RS_IN permit 0.0.0.0/0 le 32     // allow all the rest

Inbound IPv6 filters

Here we must accept all the prefixes that Perú IX (PIT Peru sac) sends us, except those that good filtering practice recommends rejecting.

#filters that only allow receiving the IPv6 default route from the IP transit provider #
Router(config)# ipv6 prefix-list IP_TRANSIT_AS1200_IPv6_IN permit ::/0
Router(config)# ipv6 prefix-list IP_TRANSIT_AS1200_IPv6_IN deny ::/0 le 128
 
 
Router(config)# ipv6 prefix-list PIT_PERU_RS_IPv6_IN deny 0100::/64 le 128        // RFC6666
Router(config)# ipv6 prefix-list PIT_PERU_RS_IPv6_IN deny 2001:2::/48 le 128      // RFC5180
Router(config)# ipv6 prefix-list PIT_PERU_RS_IPv6_IN deny 2001:10::/28 le 128     // RFC4843
Router(config)# ipv6 prefix-list PIT_PERU_RS_IPv6_IN deny 2001:db8::/32 le 128    // RFC3849
Router(config)# ipv6 prefix-list PIT_PERU_RS_IPv6_IN deny 2002::/16 le 128        // RFC7526
Router(config)# ipv6 prefix-list PIT_PERU_RS_IPv6_IN deny 3ffe::/16 le 128        // RFC3701
Router(config)# ipv6 prefix-list PIT_PERU_RS_IPv6_IN deny fc00::/7 le 128         // RFC4193
Router(config)# ipv6 prefix-list PIT_PERU_RS_IPv6_IN deny fe80::/10 le 128        // RFC4291
Router(config)# ipv6 prefix-list PIT_PERU_RS_IPv6_IN deny fec0::/10 le 128        // RFC3879
Router(config)# ipv6 prefix-list PIT_PERU_RS_IPv6_IN deny ff00::/8 le 128         // RFC4291
Router(config)# ipv6 prefix-list PIT_PERU_RS_IPv6_IN deny ::/0 ge 65              // Reject prefixes more specific than /64
Router(config)# ipv6 prefix-list PIT_PERU_RS_IPv6_IN permit ::/0 le 128           // Allow all the rest
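
An added example, not part of the original guide: a small Python evaluator that applies IOS prefix-list matching rules (first match wins, ge/le length ranges, implicit deny at the end) to subsets of the lists above, so the filters can be checked offline before they are attached to a BGP session. The test routes and the reordered list RS_IN_BAD are constructed for illustration.

```python
import ipaddress

def parse(lines):
    """Parse IOS 'ip|ipv6 prefix-list NAME permit|deny PFX [ge N] [le N]' lines, in order."""
    entries = []
    for line in lines.strip().splitlines():
        tok = line.split()
        action, net = tok[3], ipaddress.ip_network(tok[4])
        opts = dict(zip(tok[5::2], map(int, tok[6::2])))
        if opts:   # ge defaults to the entry's own length, le to the address width
            lo = opts.get("ge", net.prefixlen)
            hi = opts.get("le", net.max_prefixlen)
        else:      # no ge/le: only the exact prefix length matches
            lo = hi = net.prefixlen
        entries.append((action, net, lo, hi))
    return entries

def evaluate(entries, route):
    """First matching entry wins; a route matching nothing hits the implicit deny."""
    route = ipaddress.ip_network(route)
    for action, net, lo, hi in entries:
        if (route.version == net.version and lo <= route.prefixlen <= hi
                and route.subnet_of(net)):
            return action
    return "deny"

# Subset of the page's PIT_PERU_RS_IN list, in the page's order.
RS_IN = parse("""
ip prefix-list PIT_PERU_RS_IN deny 0.0.0.0/0
ip prefix-list PIT_PERU_RS_IN deny 45.183.47.0/24 le 32
ip prefix-list PIT_PERU_RS_IN deny 10.0.0.0/8 le 32
ip prefix-list PIT_PERU_RS_IN deny 0.0.0.0/0 ge 25
ip prefix-list PIT_PERU_RS_IN permit 0.0.0.0/0 le 32
""")
# Constructed: the same entries with the catch-all permit moved to the top.
RS_IN_BAD = RS_IN[-1:] + RS_IN[:-1]
# Subset of the page's PIT_PERU_RS_IPv6_IN list; it has no exact-match deny for ::/0.
RS6_IN = parse("""
ipv6 prefix-list PIT_PERU_RS_IPv6_IN deny fc00::/7 le 128
ipv6 prefix-list PIT_PERU_RS_IPv6_IN deny ::/0 ge 65
ipv6 prefix-list PIT_PERU_RS_IPv6_IN permit ::/0 le 128
""")

if __name__ == "__main__":
    # Constructed test routes (not from the page).
    for r in ["0.0.0.0/0", "45.183.47.0/24", "10.1.0.0/16", "200.1.2.0/24", "200.1.2.128/25"]:
        print(f"{r:18} {evaluate(RS_IN, r)}")
    print("10.1.0.0/16 with permit first:", evaluate(RS_IN_BAD, "10.1.0.0/16"))
    print("::/0 against the IPv6 list:  ", evaluate(RS6_IN, "::/0"))
```

With the catch-all permit first, every deny below it is unreachable and 10.1.0.0/16 is accepted. The last line shows that the IPv6 inbound list, unlike the IPv4 one, lets ::/0 through to the final permit.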

5. Create the BGP Peer with your IP transit Provider

In our example the IP transit provider has the ASN 1200 and uses the IP 198.51.100.1. Replace 1200 with the ASN of your IP transit provider, and 198.51.100.1 with the gateway IP that your IP transit provider gives you for the BGP session.

#Define the IPv4 BGP session to the IP transit provider #
Router(config)# router bgp 123456
Router(config-router)# bgp soft-reconfig-backup (not all devices support it)
Router(config-router)# neighbor 198.51.100.1 remote-as 1200
Router(config-router)# neighbor 198.51.100.1 description BGP_IP_TRANSIT_IPv4_AS1200
Router(config-router)# neighbor 198.51.100.1 update-source Te0/0/1
Router(config-router)# neighbor 198.51.100.1 soft-reconfiguration inbound (not all devices support it)
Router(config-router)# neighbor 198.51.100.1 prefix-list IP_TRANSIT_AS1200_OUT out
Router(config-router)# neighbor 198.51.100.1 prefix-list IP_TRANSIT_AS1200_IN in
 
#Define the IPv6 BGP session to the IP transit provider; the IPv6 neighbor is activated and filtered under address-family ipv6#
Router(config-router)# neighbor 2803:dd99:1111::1 remote-as 1200
Router(config-router)# neighbor 2803:dd99:1111::1 description BGP_IP_TRANSIT_IPv6_AS1200
Router(config-router)# neighbor 2803:dd99:1111::1 update-source Te0/0/1
Router(config-router)# address-family ipv6
Router(config-router-af)# neighbor 2803:dd99:1111::1 activate
Router(config-router-af)# neighbor 2803:dd99:1111::1 prefix-list IP_TRANSIT_AS1200_IPv6_OUT out
Router(config-router-af)# neighbor 2803:dd99:1111::1 prefix-list IP_TRANSIT_AS1200_IPv6_IN in
Router(config-router-af)# exit

If the BGP sessions have a password, also use these commands. In our example the password is “my_IP_transit_password”.

Router(config-router)# neighbor 198.51.100.1 password my_IP_transit_password
Router(config-router)# neighbor 2803:dd99:1111::1 password my_IP_transit_password

6. Create the BGP Peers with the Route Servers of the Perú IX (PIT Peru sac) (pitperu.net)

In this example we are going to configure both IPv4 Route Servers of Perú IX (PIT Peru sac), that is, RS1 and RS2. In our example we were assigned the BGP password “peeringinperu”.

#Define the BGP session to the two Route Servers of PIT Peru sac#
Router(config)# router bgp 123456
Router(config-router)# neighbor 45.183.47.1 remote-as 64115
Router(config-router)# neighbor 45.183.47.1 description PIT_PERU_RS1_IPv4
Router(config-router)# neighbor 45.183.47.1 password peeringinperu
Router(config-router)# neighbor 45.183.47.1 update-source Te0/0/2
Router(config-router)# neighbor 45.183.47.1 prefix-list PIT_PERU_RS_OUT out
Router(config-router)# neighbor 45.183.47.1 prefix-list PIT_PERU_RS_IN in
 
Router(config-router)# neighbor 45.183.47.2 remote-as 64115
Router(config-router)# neighbor 45.183.47.2 description PIT_PERU_RS2_IPv4
Router(config-router)# neighbor 45.183.47.2 password peeringinperu
Router(config-router)# neighbor 45.183.47.2 update-source Te0/0/2
Router(config-router)# neighbor 45.183.47.2 prefix-list PIT_PERU_RS_OUT out
Router(config-router)# neighbor 45.183.47.2 prefix-list PIT_PERU_RS_IN in

In a similar way we are going to configure the BGP sessions to RS1 and RS2 for IPv6:

Router(config-router)# neighbor 2803:cd60:6411:5::1 remote-as 64115
Router(config-router)# neighbor 2803:cd60:6411:5::1 description PIT_PERU_RS1_IPv6
Router(config-router)# neighbor 2803:cd60:6411:5::1 password peeringinperu
Router(config-router)# neighbor 2803:cd60:6411:5::1 update-source Te0/0/2
 
Router(config-router)# neighbor 2803:cd60:6411:5::2 remote-as 64115
Router(config-router)# neighbor 2803:cd60:6411:5::2 description PIT_PERU_RS2_IPv6
Router(config-router)# neighbor 2803:cd60:6411:5::2 password peeringinperu
Router(config-router)# neighbor 2803:cd60:6411:5::2 update-source Te0/0/2
 
#The IPv6 neighbors are activated and filtered under address-family ipv6#
Router(config-router)# address-family ipv6
Router(config-router-af)# neighbor 2803:cd60:6411:5::1 activate
Router(config-router-af)# neighbor 2803:cd60:6411:5::1 prefix-list PIT_PERU_RS_IPv6_OUT out
Router(config-router-af)# neighbor 2803:cd60:6411:5::1 prefix-list PIT_PERU_RS_IPv6_IN in
Router(config-router-af)# neighbor 2803:cd60:6411:5::2 activate
Router(config-router-af)# neighbor 2803:cd60:6411:5::2 prefix-list PIT_PERU_RS_IPv6_OUT out
Router(config-router-af)# neighbor 2803:cd60:6411:5::2 prefix-list PIT_PERU_RS_IPv6_IN in
Router(config-router-af)# exit

7. Define the prefixes that you are going to advertise

Router(config)# router bgp 123456
Router(config-router)# address-family ipv4
Router(config-router-af)# network 100.100.100.0 mask 255.255.252.0
Router(config-router-af)# network 100.100.100.0 mask 255.255.255.0
Router(config-router-af)# network 100.100.101.0 mask 255.255.255.0
Router(config-router-af)# network 100.100.102.0 mask 255.255.255.0
Router(config-router-af)# network 100.100.103.0 mask 255.255.255.0
Router(config-router-af)# exit
 
Router(config-router)# address-family ipv6
Router(config-router-af)# network 2803:cd10::/32
Router(config-router-af)# exit

8. Check operation

Check the status of the BGP Peers. If they are operational, the status should say Established; if it says Connect or Idle, something is not well configured on your side or on the provider's side.

sh ip bgp neighbors

show ip bgp neighbors <IPv4-IPv6> / XX

Show the prefixes we are currently advertising to our upstream provider

show bgp address-family

show ip bgp? (select the option that suits you)

Show route table received via BGP

show ip route bgp
show ip route | inc B