Describe, configure, and verify BGP peer relationships and authentication

Exam: Cisco 300-101 - CCNP Implementing Cisco IP Routing (ROUTE v2.0)


Peer Groups

BGP neighbors that share the same outbound policies can be grouped into a BGP peer group. Instead of configuring each neighbor with the same policy individually, a peer group lets you define the policy once and apply it to every member, which also makes update calculation more efficient. The benefit of a BGP peer group is that it reduces the system resources that would otherwise be spent repeating the same update calculations for every neighbor.

A BGP peer group reduces the load on system resources by allowing the routing table to be walked only once and replicating the resulting updates to all peer group members, instead of running the update process separately for each peer. Peer groups also simplify configuration by collecting repetitive neighbor statements into one or more groups. Each neighbor is assigned to a peer group, and the router derives that peer's configuration from the group.

The steps for configuring a BGP peer group are:

Enter privileged EXEC mode

RouterR1> enable

Enter global configuration mode

RouterR1# config t

Start the BGP process with the router bgp command; 100 is used as the local autonomous system (AS) number.

RouterR1(config)# router bgp 100

Create a peer group named cisco with the neighbor command.

RouterR1(config-router)# neighbor cisco peer-group

Assign the peer group the remote autonomous system number in which the neighboring routers reside; 200 is used as the remote AS number.

RouterR1(config-router)# neighbor cisco remote-as 200

Add the neighboring router with IP address 10.10.10.1 to the peer group with the neighbor command; the neighbor inherits the group's configuration.

RouterR1(config-router)# neighbor 10.10.10.1 peer-group cisco

Return to privileged EXEC mode

RouterR1(config-router)# end

BGP authentication

BGP authentication protects a BGP session against spoofed TCP segments that could interfere with the routing table. Border Gateway Protocol routing peers can be configured to authenticate each other with the Message Digest 5 (MD5) algorithm. This mechanism, the TCP MD5 signature option, was introduced in RFC 2385 and is a standard part of BGP implementations.

When MD5 authentication is enabled on BGP peers, every segment sent on the TCP connection between the peers carries an MD5 digest that the receiver verifies before accepting the segment. The peers must be configured with the same password; otherwise the TCP connection, and with it the BGP session, cannot be established.

The following configuration commands enable Message Digest 5 (MD5) authentication for BGP peers:

Enter privileged EXEC mode

RouterR1> enable

Enter global configuration mode

RouterR1# config t

Start the BGP process with the router bgp command; 3100 is used as the local autonomous system (AS) number.

RouterR1(config)# router bgp 3100

Define the neighboring router with IP address 10.10.10.3 and the remote autonomous system number in which that peer resides; 3101 is used as the remote AS number.

RouterR1(config-router)# neighbor 10.10.10.3 remote-as 3101

Enable MD5 authentication for the neighbor with a password string; cisco123 is used as the password. The same password must be configured on the neighbor.

RouterR1(config-router)# neighbor 10.10.10.3 password cisco123

Return to privileged EXEC mode

RouterR1(config-router)# end
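As an added example (not from this page and not Cisco IOS code), the Python below computes and verifies the RFC 2385 TCP MD5 signature that the neighbor password command turns on. The peer addresses and the password cisco123 come from the steps above; the TCP header, option layout and the BGP KEEPALIVE payload are constructed here for illustration.

```python
# Added example (not Cisco IOS code): the RFC 2385 TCP MD5 signature that
# "neighbor ... password" enables. The TCP segment below is constructed.
import hashlib
import hmac
import socket
import struct

MD5_OPT_KIND = 19   # TCP option kind for the MD5 signature (RFC 2385)
MD5_OPT_LEN = 18    # kind (1) + length (1) + 16-byte digest
OPTIONS_LEN = 20    # MD5 option plus two NOPs, padded to a 4-byte boundary

def md5_signature(src_ip, dst_ip, tcp_hdr, seg_len, data, password):
    """Digest over pseudo-header, TCP header with checksum 0, data, password."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, seg_len))      # protocol 6 = TCP
    hdr_no_csum = tcp_hdr[:16] + b"\x00\x00" + tcp_hdr[18:20]
    return hashlib.md5(pseudo + hdr_no_csum + data + password).digest()

def build_tcp_header(sport, dport, seq, ack, flags):
    """20-byte TCP header; data offset counts the header plus OPTIONS_LEN."""
    offset_words = (20 + OPTIONS_LEN) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       offset_words << 4, flags, 65535, 0, 0)

def sign_segment(src_ip, dst_ip, tcp_hdr, data, password):
    """Sender side: option bytes (kind, length, digest, two NOPs) to attach."""
    seg_len = len(tcp_hdr) + OPTIONS_LEN + len(data)
    digest = md5_signature(src_ip, dst_ip, tcp_hdr, seg_len, data, password)
    return bytes([MD5_OPT_KIND, MD5_OPT_LEN]) + digest + b"\x01\x01"

def verify_segment(src_ip, dst_ip, tcp_hdr, options, data, password):
    """Receiver side: recompute the digest; a missing option is a failure."""
    seg_len = len(tcp_hdr) + len(options) + len(data)
    i = 0
    while i < len(options):
        kind = options[i]
        if kind in (0, 1):           # end-of-options or NOP: single byte
            i += 1
            continue
        length = options[i + 1]
        if kind == MD5_OPT_KIND and length == MD5_OPT_LEN:
            expected = md5_signature(src_ip, dst_ip, tcp_hdr, seg_len, data, password)
            return hmac.compare_digest(options[i + 2:i + 18], expected)
        i += length
    return False

SRC, DST = "10.10.10.1", "10.10.10.3"        # constructed sample: R1 to its peer
KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"   # BGP KEEPALIVE: marker, length 19, type 4
HDR = build_tcp_header(49152, 179, 1000, 2000, 0x18)   # PSH|ACK to BGP port 179
OPTS = sign_segment(SRC, DST, HDR, KEEPALIVE, b"cisco123")
```

Because the digest covers the pseudo-header, the fixed TCP header and the payload, a segment with a different password, altered data, or no MD5 option at all fails verification and is dropped, which is why a password mismatch keeps the TCP connection from coming up.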

Active and Passive BGP

When the adjacency between the active BGP router and its neighboring router is established, the standby BGP process creates a passive BGP session with the same neighboring router, without the neighbor being aware of it. When the active BGP router fails, the standby takes over the active role and all of its passive BGP sessions become active. To configure the router as an active or passive BGP peer, use the following commands:

Enter privileged EXEC mode

RouterR1> enable

Enter global configuration mode

RouterR1# config t

Start the BGP process with the router bgp command; 200 is used as the local autonomous system (AS) number.

RouterR1(config)# router bgp 200

Configure the router as the active peer with the connection-mode command, so that it initiates the TCP connection; 10.10.10.8 is the IP address of the neighboring router.

RouterR1(config-router)# neighbor 10.10.10.8 connection-mode active

Configure the router as the passive peer with the connection-mode command, so that it only accepts a TCP connection opened by the neighbor; 10.10.10.9 is the IP address of the neighboring router. If both peers are configured as passive, neither side opens the connection and the session never comes up.

RouterR1(config-router)# neighbor 10.10.10.9 connection-mode passive

Return to privileged EXEC mode

RouterR1(config-router)# end

BGP States

In order to form a peer session, BGP passes through several states. This process is known as the BGP finite state machine (FSM). The BGP states are:

  • Idle - The first state of BGP, also called the initial BGP state.
  • Connect - BGP waits for the TCP connection with the remote peer to complete. If it succeeds, an OPEN message is sent; if it fails, the session is placed in the Active state.
  • Active - BGP again tries to initiate a TCP connection with the remote peer. If it succeeds, an OPEN message is sent; if it fails, BGP waits for the ConnectRetry timer to expire and places the session back in the Connect state.
  • OpenSent - The TCP connection is established. The router has sent an OPEN message and waits for the peer's OPEN in reply. Once that OPEN is received and accepted, the router sends a KEEPALIVE message.
  • OpenConfirm - BGP waits for a KEEPALIVE in reply to its own.
  • Established - The BGP peer session is fully established, and UPDATE messages carrying routing information are exchanged.

BGP Timers

BGP uses timers to control periodic activities such as sending KEEPALIVE messages, and to set how long a peer may go without receiving a KEEPALIVE before Cisco IOS software declares it dead. The default keepalive and hold-time timers are 60 seconds and 180 seconds, and both are adjustable. When a connection is started, BGP negotiates the hold time with the neighbor and chooses the smaller of the two hold times. The keepalive timer is then set on the basis of the negotiated hold time and the configured keepalive time.

The steps for configuring the BGP timers are:

Enter privileged EXEC mode

RouterR1> enable

Enter global configuration mode

RouterR1# config t

Start the BGP process with the router bgp command; 100 is used as the local autonomous system (AS) number.

RouterR1(config)# router bgp 100

Configure the keepalive and hold-time timers for the neighbor with IP address 10.10.10.6; 30 and 90 are the keepalive and hold-time values in seconds.

RouterR1(config-router)# neighbor 10.10.10.6 timers 30 90

Return to privileged EXEC mode

RouterR1(config-router)# end

Verification of eBGP

Once BGP is enabled on Cisco routers, the BGP process starts. You may face several problems, such as BGP peers being configured but the neighbors not responding, or the TCP connection not being established. To troubleshoot these, verify the configuration and the state of the sessions.

The commands for verifying BGP are:

Displays the entries in the BGP routing table

show ip bgp

Displays summarized information about BGP neighbor states

show ip bgp summary

Displays BGP global information

show bgp processes

Displays information about a peer session

show bgp peer-session

Displays the session information for all peers

show bgp sessions

Displays detailed information about BGP neighbors

show ip bgp neighbors

Displays all TCP sessions

show tcp brief
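As an added example (not from this page and not Cisco IOS code), the Python below parses the neighbor table that show ip bgp summary prints and flags every peer that is not Established, attaching the usual meaning of the stuck state; the sample output is constructed from the addresses and AS numbers used in this guide.

```python
# Added example (not Cisco IOS code): parse the neighbor table printed by
# "show ip bgp summary" and flag peers that are not Established. Sample is constructed.
import re

SAMPLE_SUMMARY = """\
BGP router identifier 10.10.10.1, local AS number 100
BGP table version is 5, main routing table version 5

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.10.10.3      4         3101      45      47        5    0    0 00:41:12        3
10.10.10.8      4          200       0       0        1    0    0 never    Active
10.10.10.9      4          200       0       0        1    0    0 00:02:11 Idle (Admin)
"""

# Neighbor, version, AS, five counters, Up/Down, then State/PfxRcd (may contain spaces)
NEIGHBOR_RE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\d)\s+(\d+)(?:\s+\S+){5}\s+(\S+)\s+(.+?)\s*$")

# What a non-Established state usually means during troubleshooting
STATE_HINTS = {
    "Idle": "no route to the neighbor, neighbor administratively shut, or waiting to retry",
    "Active": "TCP connection not completing: check reachability, remote-as and MD5 password match",
    "OpenSent": "OPEN sent, waiting for the neighbor's OPEN",
    "OpenConfirm": "waiting for the neighbor's KEEPALIVE",
}

def parse_bgp_summary(text):
    """One dict per neighbor; a numeric State/PfxRcd column means Established."""
    peers = []
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line)
        if not m:
            continue
        ip, version, remote_as, up_down, last = m.groups()
        established = last.isdigit()
        peers.append({"neighbor": ip, "version": int(version),
                      "remote_as": int(remote_as), "up_down": up_down,
                      "state": "Established" if established else last,
                      "prefixes": int(last) if established else None})
    return peers

def non_established(peers):
    """Peers needing attention, each with a hint keyed on the base state."""
    findings = []
    for p in peers:
        if p["state"] != "Established":
            base = p["state"].split()[0]          # "Idle (Admin)" -> "Idle"
            findings.append((p["neighbor"], p["state"], STATE_HINTS.get(base, "unknown state")))
    return findings
```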

Exam Question:

Which statement is true about an eBGP neighbor relationship?

  1. Static routes or an interior gateway protocol is required between EBGP neighbours.
  2. Loopback address should be used between EBGP neighbors.
  3. EBGP neighbors use TCP port 179 to exchange BGP routing tables.
  4. When an EBGP neighbor receives an update from another EBGP neighbor, it should not forward the update to other EBGP neighbours.

Answer: 3

Explanation: An underlying TCP connection between two BGP speakers is established before any routing information is exchanged. This connection takes place on TCP port 179, and the same port is used to carry the routing updates.
