CP-1007 – Optimizing BGP
Jeff Doyle Principal Architect
FishNet Security
Agenda
• Introduction
• Improving Failure Detection and Convergence
• Improving BGP Performance
• Improving BGP Management
• Conclusion
© 2014 Cisco and/or its affiliates. All rights reserved.
Introduction
What’s So Special About BGP?
• Optimized for complex policy support
  – Menu of path attributes
  – Control incoming, internal, and outgoing routes separately
  – Menu of tools for setting policy
    • Route maps
    • Prefix filters
    • AS_PATH filters
    • Policy maps
• Segmentation
  – Routes between (EBGP) or through (IBGP) Autonomous Systems
  – Path Vector protocol
• Multiple address family support
  – Enables one protocol to support a multiservice core

BGP Overview – Path Vector
(Figure, built up over six slides: Autonomous Systems AS1 through AS6; AS1 originates 218.54.0.0/16. Each AS lists the AS_PATHs it holds for the prefix, with “>” marking its best path.)
1. AS1 originates 218.54.0.0/16 and advertises it to AS5 and AS6 with AS_PATH [1].
2. AS5 and AS6 each hold > 218.54.0.0/16 [1].
3. AS5 advertises to AS2, which holds > 218.54.0.0/16 [5, 1]; AS6 advertises to AS3, which holds > 218.54.0.0/16 [6, 1].
4. AS2 advertises to AS4, which holds > 218.54.0.0/16 [2, 5, 1].
5. AS4 advertises to AS3, which now also holds 218.54.0.0/16 [4, 2, 5, 1] but keeps > 218.54.0.0/16 [6, 1] as best: each AS prepends its own number on the way out, and the shorter AS_PATH wins.

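The propagation above, as an added simulation that is not part of the presentation: the six-AS adjacency is reconstructed from the slides, every AS prepends its own number when it advertises, rejects any path already containing its own number, and selects the shortest AS_PATH. The simulation also shows AS4 learning AS3's path [3, 6, 1], which the slides omit.

```python
# Added example (not from the presentation): path-vector propagation of one
# prefix through the six-AS topology on the slides.
from collections import deque

PREFIX = "218.54.0.0/16"
# Constructed adjacency, undirected: AS1-AS5, AS1-AS6, AS5-AS2, AS6-AS3, AS2-AS4, AS4-AS3.
LINKS = {(1, 5), (1, 6), (5, 2), (6, 3), (2, 4), (4, 3)}


def neighbours(asn):
    """All ASes directly peered with asn (sorted so propagation is deterministic)."""
    return sorted({b for a, b in LINKS if a == asn} | {a for a, b in LINKS if b == asn})


def propagate(origin_as):
    """Flood PREFIX from origin_as; return (adj_rib_in, best) per AS.

    adj_rib_in[asn] holds every AS_PATH that asn accepted (the slide's plain
    entries); best[asn] is the one it selected (the slide's '>' entry).
    The origin stores an empty path and advertises [origin_as].
    """
    all_as = sorted({asn for link in LINKS for asn in link})
    adj_rib_in = {asn: [] for asn in all_as}
    best = {asn: None for asn in all_as}
    best[origin_as] = []
    changed = deque([origin_as])               # ASes whose best path must be re-advertised
    while changed:
        sender = changed.popleft()
        advertised = [sender] + best[sender]   # prepend own ASN on the way out
        for nbr in neighbours(sender):
            if nbr in advertised:              # loop detection: own ASN already in AS_PATH
                continue
            if advertised in adj_rib_in[nbr]:  # already held, nothing new
                continue
            adj_rib_in[nbr].append(advertised)
            if best[nbr] is None or len(advertised) < len(best[nbr]):
                best[nbr] = advertised         # shorter AS_PATH wins; ties keep the first
                changed.append(nbr)
    return adj_rib_in, best


def show(adj_rib_in, best):
    """Render each AS like the slide: '>' marks the selected path."""
    lines = []
    for asn in sorted(adj_rib_in):
        for path in adj_rib_in[asn]:
            mark = ">" if path == best[asn] else " "
            lines.append(f"AS{asn} {mark} {PREFIX} {path}")
    return lines


if __name__ == "__main__":
    print("\n".join(show(*propagate(1))))
```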
BGP Overview – BGP Messages
• Open
  – Type 1
  – Requests BGP session open to a neighbor
  – Sent after TCP session is established
• Update
  – Type 2
  – Network Layer Reachability Information (NLRI)
  – Path attributes
  – Withdrawn routes
• Notification
  – Type 3
  – Notifies neighbor of detected error
  – BGP session always closed after sending Notification
• Keepalive
  – Type 4
  – Periodically sent after BGP session is open
  – Default 60 seconds
• Route Refresh
  – Type 5
  – RFC 2918
  – Asks neighbor to re-send Adj-RIB-Out
  – Allows non-disruptive application of new inbound policies

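A decoder for the message header and the Update body listed above, added here as an example and not taken from the presentation. It performs the marker, length and type checks a speaker makes before acting on a message (a failure is what leads to a Notification); the sample Update bytes are constructed, and path attributes are returned raw.

```python
# Added example (not from the presentation): BGP header and UPDATE decoding.
import struct

MARKER = b"\xff" * 16        # all-ones marker on every message
TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE", 5: "ROUTE-REFRESH"}


class BGPError(ValueError):
    """Header or UPDATE error; a speaker answers with a NOTIFICATION and closes."""


def parse_header(msg):
    """Validate the fixed 19-byte header; return (type name, body bytes)."""
    if len(msg) < 19:
        raise BGPError("shorter than the fixed header")
    marker, length, mtype = struct.unpack("!16sHB", msg[:19])
    if marker != MARKER:
        raise BGPError("connection not synchronised (bad marker)")
    if length < 19 or length > 4096 or length != len(msg):
        raise BGPError(f"bad message length {length}")
    if mtype not in TYPES:
        raise BGPError(f"bad message type {mtype}")
    return TYPES[mtype], msg[19:]


def parse_prefixes(data):
    """Decode the <bit length, truncated prefix> list used for withdrawn routes and NLRI."""
    prefixes, i = [], 0
    while i < len(data):
        bits, i = data[i], i + 1
        nbytes = (bits + 7) // 8               # only the significant octets are sent
        if bits > 32 or i + nbytes > len(data):
            raise BGPError("malformed prefix")
        octets = data[i:i + nbytes] + b"\x00" * (4 - nbytes)
        prefixes.append(".".join(str(b) for b in octets) + f"/{bits}")
        i += nbytes
    return prefixes


def parse_update(body):
    """Split an UPDATE into withdrawn routes, raw path attributes and NLRI."""
    if len(body) < 4:
        raise BGPError("UPDATE too short")
    wlen = struct.unpack("!H", body[:2])[0]
    if 4 + wlen > len(body):
        raise BGPError("withdrawn routes length exceeds message")
    alen = struct.unpack("!H", body[2 + wlen:4 + wlen])[0]
    if 4 + wlen + alen > len(body):
        raise BGPError("path attribute length exceeds message")
    return {"withdrawn": parse_prefixes(body[2:2 + wlen]),
            "attributes": body[4 + wlen:4 + wlen + alen],
            "nlri": parse_prefixes(body[4 + wlen + alen:])}


def decode(msg):
    """Return (type name, parsed UPDATE dict or None for other types)."""
    kind, body = parse_header(msg)
    return kind, (parse_update(body) if kind == "UPDATE" else None)


# Constructed samples. UPDATE (length 33 = 0x21): withdraws 10.1.0.0/16, carries one
# ORIGIN attribute (flags 0x40, type 1, value IGP) and announces 218.54.0.0/16.
UPDATE_MSG = MARKER + b"\x00\x21\x02" + b"\x00\x03\x10\x0a\x01\x00\x04\x40\x01\x01\x00\x10\xda\x36"
KEEPALIVE_MSG = MARKER + b"\x00\x13\x04"   # bare 19-byte header, type 4
```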
BGP Overview – BGP Routing Information Base (RIB)
(Figure: Incoming Updates pass through Incoming Route Policies into the Adj-RIBs-In; the BGP Decision Process selects from the Adj-RIBs-In and from Locally Injected Routes into the Loc-RIB; Loc-RIB best paths are installed in the Routing Table and pass through Outgoing Route Policies into the Adj-RIBs-Out, from which Outgoing Updates are generated.)

BGP Overview – The IOS BGP Process
Eldora#show processes cpu | include BGP
 225 636 335 1898 0.08% 0.11% 0.12% 0 BGP Router
 226 120 75 1600 0.00% 0.04% 0.02% 0 BGP I/O
 227 92 10 9200 0.00% 0.07% 0.02% 0 BGP Scanner
 228 0 1 0 0.00% 0.00% 0.00% 0 BGP Event
Eldora#
(Figure: Incoming BGP Updates arrive on the TCP Socket and are read by BGP I/O into the InQ; BGP Router processes them into the BGP Table and installs best paths in the Routing Table (RIB); BGP Scanner periodically walks the BGP Table; Outgoing BGP Updates generated by BGP Router go to the OutQ and through BGP I/O to the TCP Socket.)

BGP Overview – Stuff We Don’t Have Time to Cover
• Neighbor states
• Differences in EBGP and IBGP rules
• BGP decision process
• Policy configuration
• Scaling tools
  – Route Reflectors
  – Confederations

BGP Challenges – Failure Detection
• Default keepalive interval: 60 seconds
• Default hold time: 180 seconds
• Neighbor “declared dead” only after hold time expires
• Aggressive keepalives and hold times can cause false flapping

BGP Challenges – Slow Convergence
(Figure, built up over seven slides: a failed link marked X; the steps below accumulate across the slide sequence.)
1. Failure detected
2. Invalid routes deleted (BGP table, FIB, RIB)
3. Alternate routes (if any) installed
4. Update(s) generated and sent, withdrawing affected routes
5. Update(s) processed, withdrawn routes removed
6. Alternate routes (if any) evaluated, new best paths installed
7. Update(s) generated and sent, withdrawing affected routes and advertising new best paths
8. Repeat…

BGP Challenges – Route Storage and Processing
Source: www.potaroo.net

route-views>show ip bgp summary
[Information removed]
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
4.69.184.193 4 3356 1594049 16329 8730261 0 0 1w3d 497768
12.0.1.63 4 7018 2444534 11750 8730261 0 0 1w3d 499387
66.59.190.221 4 6539 658504 18212 8730261 0 0 1w3d 503979
66.110.0.86 4 6453 932399 11758 8730261 0 0 1w3d 499327
66.110.0.124 4 6453 0 0 1 0 0 never Idle
66.185.128.48 4 1668 2019709 34221 8730261 0 0 1w3d 496950
69.31.111.244 4 4436 1528658 27161 8730261 0 0 1w1d 500482
89.149.178.10 4 3257 808553 2996 8730261 0 0 1w2d 499700
114.31.199.1 4 4826 1055694 18230 8730261 0 0 1w3d 508501
128.223.253.10 4 3582 1040285 34215 8730261 0 0 1w3d 501209
129.250.0.11 4 2914 1755917 32286 8730261 0 0 1w3d 499711
134.222.87.1 4 286 3930199 14884 8730261 0 0 1w2d 500985
144.228.241.130 4 1239 319848 5412 8730261 0 0 5d15h 498997
154.11.11.113 4 852 0 0 1 0 0 never Active
154.11.98.225 4 852 1368774 16301 8730261 0 0 1w3d 503369
157.130.10.233 4 701 814025 32262 8730261 0 0 1w3d 498385
162.250.137.254 4 4901 579351 32271 8730261 0 0 1w3d 500811
164.128.32.11 4 3303 603220 9836 8730261 0 0 1w3d 443763
192.203.116.253 4 22388 105312 9844 8730261 0 0 1w3d 14454
193.0.0.56 4 3333 2726844 32254 8730261 0 0 1w3d 506291
194.85.40.15 4 3267 1295694 16286 8730261 0 0 1w3d 508215
194.85.102.33 4 3277 1309804 9841 8730261 0 0 1w3d 511982
195.66.232.239 4 5459 865295 9838 8730261 0 0 1w3d 420027
196.7.106.245 4 2905 10531 3968 8730261 0 0 2d11h 3761
202.232.0.2 4 2497 1065618 9839 8730261 0 0 1w3d 501413
202.249.2.86 4 7500 410442 7578 8730261 0 0 4d18h 508870
203.62.252.186 4 1221 591747 9829 8730261 0 0 1w3d 501338
203.181.248.168 4 7660 1051042 2993 8730261 0 0 1w2d 506877
206.24.210.80 4 3561 944009 5409 8730261 0 0 5d15h 499857
207.46.32.34 4 8075 0 0 1 0 0 never Active
207.172.6.1 4 6079 1039070 16270 8730261 0 0 1w3d 499438
207.172.6.20 4 6079 1042677 16282 8730261 0 0 1w3d 499446
208.51.134.254 4 3549 1035057 14823 8730261 0 0 1w2d 500149
208.74.64.40 4 19214 1038983 16289 8730261 0 0 1w3d 500582
209.124.176.223 4 101 3626021 32214 8730261 0 0 1w3d 506792
216.218.252.164 4 6939 2588621 16274 8730261 0 0 1w3d 504974
217.75.96.60 4 16150 1080296 9828 8730261 0 0 1w3d 499310
route-views>
Source: University of Oregon Route Views Project

BGP Challenges – Configuration Management
• BGP and policy configurations can be huge
• Session and policy configurations are often repetitive
  – Or at least share common characteristics
• Processing policy configurations can be CPU intensive

What Do We Mean By BGP Optimization?
• Faster failure detection
• Faster convergence
• Better local performance
• More efficient configuration management

Improving Failure Detection and Convergence
Changing BGP Hold Time
• Default keepalive interval: 60 seconds
• Default hold time: 180 seconds
• If hold time is reduced, reduce keepalive interval accordingly
• Overly aggressive timers can cause mistaken flaps
  – BGP busy with other things
• Keepalives, hold times processed in software
timers bgp keepalive holdtime [min-holdtime]

Fast External Failover
• Tears down EBGP session as soon as link to neighbor fails
• Enabled by default
• Fast failover on flapping links can cause BGP instabilities
Global configuration: bgp fast-external-failover
Interface configuration (for more granularity): ip bgp fast-external-failover [permit | deny]

Bidirectional Forwarding Detection (BFD)
• Very fast failure detection
• Processed in hardware
• Independent of media types and encapsulations
• BFD can be shared by multiple protocols
Interface configuration: bfd interval milliseconds min_rx milliseconds multiplier interval-multiplier
BGP configuration: neighbor ip-address fall-over bfd

Next-Hop Tracking (NHT)
• Event-driven removal of BGP prefixes from RIB
• Improves IBGP convergence time
• IGP changes in next-hop addresses scanned quickly
  – Default trigger time: 5 seconds
  – Does not wait for BGP Scanner
  – Does not wait for hold timer
• BGP routes with no next-hop are removed
• Enabled by default
bgp nexthop {trigger delay seconds | route-map map-name}

Prefix-Independent Convergence (PIC)
• Can reduce reconvergence to sub-second for individual prefixes
  – Assuming there is another path available
• Similar concept to EIGRP feasible routes
  – Alternate path pre-installed in FIB
bgp additional-paths select best-external

TCP Transport
• TCP port 179
• Default TCP Maximum Segment Size (MSS) = 536 octets
• Path MTU Discovery can negotiate larger MSS sizes
  – More efficient packing of Update messages
• PMTU enabled by default in modern IOS
bgp transport path-mtu-discovery

Improving BGP Performance
BGP Scan Timer
Eldora#debug ip bgp events
BGP events debugging is on
Eldora#
*Mar 9 07:33:20.943: BGP: Performing BGP general scanning
*Mar 9 07:33:20.947: BGP(0): scanning IPv4 Unicast routing tables
*Mar 9 07:33:20.947: BGP(IPv4 Unicast): Performing BGP Nexthop scanning for general scan
*Mar 9 07:33:20.951: BGP(0): Future scanner version: 74, current scanner version: 73
*Mar 9 07:33:20.951: BGP(1): scanning IPv6 Unicast routing tables
*Mar 9 07:33:20.955: BGP(IPv6 Unicast): Performing BGP Nexthop scanning for general scan
*Mar 9 07:33:20.955: BGP(1): Future scanner version: 75, current scanner version: 74
. . .
*Mar 9 07:33:20.959: BGP(NSAP Unicast): Performing BGP Nexthop scanning for general scan
*Mar 9 07:33:20.959: BGP(6): Future scanner version: 75, current scanner version: 74
*Mar 9 07:33:35.959: BGP: Import timer expired. Walking from 1 to 1
*Mar 9 07:33:50.967: BGP: Import timer expired. Walking from 1 to 1
*Mar 9 07:34:05.979: BGP: Import timer expired. Walking from 1 to 1
*Mar 9 07:34:20.983: BGP: Performing BGP general scanning
*Mar 9 07:34:20.983: BGP(0): scanning IPv4 Unicast routing tables
*Mar 9 07:34:20.987: BGP(IPv4 Unicast): Performing BGP Nexthop scanning for general scan
*Mar 9 07:34:20.987: BGP(0): Future scanner version: 75, current scanner version: 74
*Mar 9 07:34:20.991: BGP(1): scanning IPv6 Unicast routing tables
*Mar 9 07:34:20.991: BGP(IPv6 Unicast): Performing BGP Nexthop scanning for general scan
*Mar 9 07:34:20.991: BGP(1): Future scanner version: 76, current scanner version: 75
. . .
*Mar 9 07:35:21.047: BGP: Performing BGP general scanning
*Mar 9 07:35:21.051: BGP(0): scanning IPv4 Unicast routing tables
*Mar 9 07:35:21.051: BGP(IPv4 Unicast): Performing BGP Nexthop scanning for general scan
*Mar 9 07:35:21.055: BGP(0): Future scanner version: 76, current scanner version: 75

BGP Scan Timer
• Scan time is time between scans
• Scan of large tables can take tens of seconds
• Reducing scan time:
  – Can increase BGP performance
  – But will increase CPU utilization
  – Scan is low priority process, should not interfere with other processes
bgp scan-time scanner-interval

BGP Advertisement Interval
• Minimum route advertisement interval (MRAI) between Update messages
  – Allows time for multiple route changes to be collected into single Update
• Defaults:
  – EBGP = 30 seconds
  – IBGP = 0 seconds (Update sent immediately upon change)
• Reducing MRAI:
  – Decreases convergence time
  – Decreases BGP performance (efficiency)
neighbor ip-address advertisement-interval seconds

Controlling Table Size
• Accept partial tables instead of full tables
  – Default route for prefixes not accepted
  – Advertised or locally configured
  – Use distant next-hops for default routes to ensure reachability
• AS_PATH filters
  – Remember to account for AS_PATH prepending
• Community filters
  – Good guide for major ISPs’ Community policies: http://onesc.net/communities/
• Example:
  – Accept upstream peer’s customer routes
  – Accept upstream peer’s partner routes
  – Accept upstream peer’s locally generated routes
  – Default route to everything else
• Loss of route information increases chances of sub-optimal routing

Outbound Route Filters
• BGP Updates carrying thousands of prefixes can take time, bandwidth
• Often, many or most prefixes are dropped on reception
• Outbound Route Filtering (ORF):
  – Allows a router to tell a neighbor what incoming prefixes it will filter
  – Neighbor can then suppress transmission of prefixes that will be dropped on reception
• Caution: Configuring ORF causes a session reset
neighbor ip-address capability orf prefix-list [receive | send | both]

BGP Route Dampening
(Figure: penalty POINTS, 0 to 2250, plotted against MINUTES, 0 to 60. Each Flap adds to the penalty; successive flaps push it over the Suppress Threshold (2000), where the chart marks Route Suppressed. The penalty then decays until it falls below the Reuse Threshold (750), where the chart marks Suppression Removed.)

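The penalty arithmetic behind that chart, added here as an example rather than taken from the presentation. The two thresholds are the chart's; the 15-minute half-life, 60-minute maximum suppress time and 1000-point penalty per flap are assumed values (the usual Cisco defaults), and the decay is the exponential decay of RFC 2439. The three-flap scenario is constructed.

```python
# Added example (not from the presentation): route dampening penalty over time.
HALF_LIFE = 15.0        # minutes for the penalty to halve (assumed)
REUSE = 750             # suppression removed once the penalty decays below this (chart)
SUPPRESS = 2000         # route suppressed once the penalty exceeds this (chart)
MAX_SUPPRESS = 60.0     # minutes, longest a route may stay suppressed (assumed)
FLAP_PENALTY = 1000     # points added per flap (assumed)
# Ceiling that guarantees the penalty can decay to REUSE within MAX_SUPPRESS.
MAX_PENALTY = REUSE * 2 ** (MAX_SUPPRESS / HALF_LIFE)


def decay(penalty, minutes):
    """Penalty left after the given minutes of stability."""
    return penalty * 2 ** (-minutes / HALF_LIFE)


def trace(flap_minutes, horizon):
    """Per-minute (minute, penalty, suppressed) samples for a route that flaps
    at the given minutes. Suppression has hysteresis: it starts once the penalty
    exceeds SUPPRESS and only ends once the penalty has decayed below REUSE."""
    pending = sorted(flap_minutes)
    penalty, suppressed, samples = 0.0, False, []
    for minute in range(horizon + 1):
        if minute:
            penalty = decay(penalty, 1)
        while pending and pending[0] <= minute:      # apply this minute's flaps
            pending.pop(0)
            penalty = min(penalty + FLAP_PENALTY, MAX_PENALTY)
        if suppressed and penalty < REUSE:
            suppressed = False                        # "Suppression Removed"
        elif not suppressed and penalty > SUPPRESS:
            suppressed = True                         # "Route Suppressed"
        samples.append((minute, round(penalty), suppressed))
    return samples


def suppression_window(samples):
    """(first suppressed minute, first minute released again) or (None, None)."""
    start = next((m for m, _, s in samples if s), None)
    if start is None:
        return None, None
    end = next((m for m, _, s in samples if m > start and not s), None)
    return start, end


if __name__ == "__main__":
    # Constructed scenario: three flaps five minutes apart, as on the chart.
    samples = trace([5, 10, 15], 60)
    print("suppressed from minute %s, released at minute %s" % suppression_window(samples))
    for minute, penalty, suppressed in samples[::5]:
        print(f"{minute:3d} min  penalty {penalty:5d}  {'SUPPRESSED' if suppressed else ''}")
```

With these parameters a single flap never reaches the suppress threshold; the third flap does, and the route stays suppressed for about 26 minutes while the penalty decays back below 750.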
Route Dampening Precautions
• Current best practice recommends not using route damping
  – Effects of dampening can cascade through network
  – Un-intuitively, dampening can cause more instabilities than it solves
• Default dampening parameters vary widely among vendors
  – Change defaults to match in multi-vendor networks
• Dampening defaults are generally too aggressive
  – Change defaults to be more tolerant

Peer Groups – A Little History
• Configuration scaling
  – Group peers sharing the same policies and session parameters
  – Changes can be performed just once for entire group
• BGP performance (legacy)
  – Original motivation for peer groups
  – Without peer groups:
    • Router scans routing table separately for each peer
    • 150,000 routes + 30 peers = 4,500,000 NLRI updates generated
  – With peer groups:
    • Each peer group represents an Update Group
    • Router scans routing table once for each peer group
    • 150,000 routes + 30 peers = 150,000 NLRI updates generated
  – Dynamic peer groups eliminate this driver

Dynamic Update Groups – Why Peer Groups Are Obsolete
• Introduced in IOS 12.0(24)S
  – Automatically groups neighbors sharing the same outbound policies
  – Eliminates need for peer groups to improve performance
  – Eliminates need for many small peer groups when outbound policies vary slightly
• No configuration, built into IOS
• Session and policy templates are a better way to scale configuration

Improving BGP Management
Session and Policy Templates
• Improvement over Peer Groups
  – Dynamic Update Groups: performance
  – Policy and Session Templates: reduced configuration size
• Peer Groups and Session / Policy Templates are mutually exclusive
• Session templates for shared session parameters
• Policy templates for shared policies
• One session template and one policy template per neighbor
• “Inheritance” enables nested templates

Route Refresh
• Eliminates:
  – Need to reset BGP session
  – Need to store incoming prefixes
• BGP Route Refresh message
  – Sent to neighbor, to request re-send of prefixes
• Route Refresh capability negotiated during session establishment
  – Neighbors must understand and support Route Refresh messages
• If neighbor supports Route Refresh capability:
clear ip bgp {* | as-number | ip-address | peer-group-name} in

Conclusion
Conclusions
• BGP is effective but notoriously slow
  – This is not always a bad thing
• Don’t expect BGP to behave similarly to an IGP
  – They’re built for different purposes
• “Tweaking” timers can sometimes backfire
• A good BGP implementation will have built-in optimizations
• Controlling the information can be as effective as controlling the process
• Know your routers’ limits
  – CPU
  – Memory