Solved: When exactly BGP Sync. should be enabled?

turbo_engine26 · ‎09-28-2011

Hello,

I am facing difficulty in fully understanding how BGP sync. work. I already understand that Sync. must be disabled in case if i have a full meshed IBGP in order for IBGP routes to be entered in the IGP routing table. However, i don't understand the part when sync. is turned on. I tried to test it with EIGRP but i see no effect.

My question is: If i turn on Sync. on EBGP router and that router is connected to an inside EIGRP router, shall i see bgp routes in EIGRP route table automatically without redistribution from BGP to EIGRP? ... Sorry i am confused and maybe i can't explain more but you know what i mean anyways.

Appreciate if someone can clarify this point by providing some scenarios.

Thx

Regards,

A.M.

Peter Paluch · ‎09-28-2011

Hi,

BGP synchronization assumed an older approach of BGP deployment for a transit autonomous system. In this approach, BGP would be configured only on ASBRs, not on internal routers. The ASBRs would have eBGP peerings with outside autonomous systems, and they would also have iBGP peerings to each other. Internal routers, however, would not be running BGP.

Naturally, this constellation would result in blackholing traffic because while the ASBRs know all routes thanks to their eBGP and iBGP peerings, any internal router would have no idea about external networks. So as an additional step, the BGP routes were redistributed into the internal routing protocol. The full reachability would be therefore gained by combining the BGP on and between the ASBRs, and the redistribution of BGP routes into IGP within an AS. The internal routers are therefore spared the need to run full BGP.

Now, an ASBR can know about an external network from another iBGP peer via iBGP and theoretically, it can immediately install it into its routing table and advertise it to further eBGP neighbors. However, if the internal protocol, say, EIGRP, does not yet have that route fully advertised to all internal routers, advertising the route to eBGP neighbors would be futile: the traffic would be still misrouted or blackholed inside our AS until the EIGRP has truly advertised the network.

This is where BGP Synchronization comes in. An ASBR can know about a route via iBGP peering with another ASBR. However, it will not consider that route as valid until the same route comes through an IGP, say, EIGRP, and gets installed in the routing table. Seeing the route learned via iBGP installed as an IGP route means that the neighboring ASBR has redistributed the route correctly into EIGRP and that it is already known to all internal routers between that ASBR and your ASBR, and that means that the path is truly valid - each router on the path between you and the neighboring ASBR knows how to route packets to that destination.

So the state of seeing an iBGP-learned route as IGP-learned in your routing table means that the route itself is synchronized. Only now, you can consider the route as valid, subject it to BGP bestpath algorithm and advertise it to eBGP peers - not sooner.

I already understand that Sync. must be disabled in case if i have a  full meshed IBGP in order for IBGP routes to be entered in the IGP  routing table.

iBGP peers must always be fully meshed (let us ignore route reflectors and confederations for now). However, the BGP synchronization should be deactivated if all your routers within an AS are BGP speakers and are supposed to learn the external routes via BGP. In such case, you would never redistribute BGP-learned routes into an IGP (there would be no sense in doing that as all routers speak BGP already) but the activated synchronization would prevent these routers from treating these iBGP-learned routes as valid.

In other words, the BGP Synchronization must be deactivated in all iBGP scenarios where BGP routes are not redistributed into IGP protocol. Otherwise, an iBGP speaker will wait for an iBGP-learned route to be also learned via IGP - which will never happen.

Please feel welcome to ask further!

Best regards,

Peter

View solution in original post

Peter Paluch · ‎09-29-2011

Hello,

Alright, let's make it practical and plain - after correcting some of your assumptions.

In  my humble understanding, i thought Sync. is a way that will   automatically inject learned external routes to internal IGP without   redist. or whatever.

Not, not at all. This is probably the point where we are misunderstanding each other.

BGP Sync does not refer to some process of redistributing BGP routes into IGP. In fact, turning Sync on or off has absolutely no effect on the BGP-to-IGP redistribution at all. BGP Sync is about making an iBGP-learned route conditionally valid or conditionally invalid for BGP, depending on whether that route has also been learned and installed into the routing table via an IGP. I have tried to explain the reason for such validity check in my previous reply. Once more, the Sync operation has nothing to do with redistribution itself.

An iBGP-learned route is synchronized if it has been learned both via iBGP and via IGP, and is installed into the routing table via IGP. It is not synchronized in all other cases. There is no concept of synchronization for eBGP-learned routes. So much and nothing more - it's as simple as that. Are you OK with this concept of synchronization?

However, you've missed the practical side again.

Ooops, do I miss it often?

You didn't mention where should i turn on Sync., on which router ? on  ASBR ? ..

The BGP Sync is only usable and should only be used in those networks where you actually perform BGP-to-IGP redistribution. In those networks, usually only ASBRs are running BGP and speaking iBGP to each other, all other routers are running IGP only. So in these networks, indeed, you would be running Sync on ASBRs only as there are no other BGP speakers at all. In networks with partial BGP deployment, you would be running Sync on all routers that are running both BGP and your internal IGP. So, simply put, you would run Sync on all BGP speakes within your AS that run both IGP and BGP. Note, however, that the Sync is only going to make sanity checks of iBGP-learned routes and declare them either usable or unusable. It is not going to perform the redistribution for you automatically.

Also, i don't see any benefit from Synchronization. if i use  redistribution because redistribution is of course will inject routes to  IGP and this is normal

The benefit was explained in my previous reply. I'll repeat it and make it short: You should not advertise an iBGP-learned network to an eBGP peer if it is not guaranteed that your AS is capable of routing the traffic towards that network. That means that all routers in your AS, i.e. ASBRs and internal routers, must know about this route. The knowledge of ASBRs about that route is easily verified - if they did not know about the route, they would not have advertised it to you via iBGP in the first place. The internal routers must know about that route either via iBGP as well, or via IGP, but here we assume that there are no internal routers speaking BGP. So the only way to be sure is to wait for the BGP-to-IGP redistribution take place on the neighboring ASBR that advertised the route via iBGP to you, wait for the redistributed route to propagate in IGP and get installed into your own routing table via IGP - and only then start actually using that route in your BGP RIB as usable and advertise it further.

Once again, Sync only makes sure that routes you advertise via eBGP are valid. It does not cause these routes to be carried from BGP into IGP.

I uploaded a topology so you can convert this theory into practical.

The only AS in your example that is eligible for using the BGP Sync is AS 100 as it is a transit AS. No other AS in your exhibit is a transit AS, and therefore it does not need to make sanity (read - successful reachability via own AS) checks on routes advertised in BGP.

You can configure AS 100 in two ways:

Run an IGP, say, EIGRP, in the AS 100, on all three routers. Furthermore, peer Vail and Telluride in BGP. Do not run BGP on Aspen. Here, you need to redistribute BGP on Vail and Telluride into EIGRP because otherwise, Aspen would not know about networks in different AS. Now, consider a route from AS300: 192.168.250.0/24. Telluride may learn about that network via iBGP from Vail. However, it should not advertise it further to AS400 until it is certain that it is possible to route packets towards 192.168.250.0/24 through the AS300 successfully. What if the route is not known to Aspen yet? This is the purpose of BGP Sync. You may activate the BGP Sync on Telluride to force it to wait until the 192.168.250.0/24 is also learned via EIGRP. Then you can be sure that Aspen knows about this route, and you may further advertise that route further to AS400. For similar checks about routes learned from AS 400 being advertised to AS300 and 200, you can configure the BGP Sync on Vail as well. So here, the BGP Sync makes sure that you do not advertise routes via eBGP that are not yet reachable through your own AS.
Run an IGP, say, EIGRP in the AS 100, and also run BGP on all three routers, configured properly (either a full mesh iBGP peering or using route reflectors). You do not perform any redistribution from BGP to EIGRP and instead use BGP to carry all external routes. Here, you do not need and do not want the BGP Sync to be configured anywhere. You have no way of verifying if the route has been advertised via iBGP to all internal BGP speakers, and you can not wait for the route to be learned via EIGRP because this redistribution is not used. In this case, the BGP Sync is useless and actually harmful, and should not be activated.

Does this make more sense now? Please do ask further - you are welcome.

Best regards,

Peter

View solution in original post

Peter Paluch · ‎09-29-2011

Hello,

Using the next-hop-self is not strictly necessary but certainly helpful, and I would personally suggest using it.

As an example, if you did not configure your iBGP peers in AS 100 using the next-hop-self, the Telluride would see, say, the network 192.168.250.0/24 learned via iBGP with the next hop set to 192.168.1.210 - the Tahoe's IP address. That would require you to advertise the inter-AS links into the IGP in the AS 100 to make the next hop known - otherwise the BGP on Telluride would again consider the route unusable because of an unreachable next hop.

If, however, the Vail referred to the Telluride in BGP configuration using the next-hop-self, it would change the next hop address when advertising the 192.168.250.0/24 to Telluride its own address. That would make the route reachable without actually needing to advertise the 192.168.1.208/30 into AS100 IGP. Also, it makes the routing table more readable - you are more accustomed seeing your own ASBRs as next hops, rather than ASBRs of neighboring AS-es as next hops.

Best regards,

Peter

View solution in original post

cadet alain · ‎09-29-2011

Hi,

Just permitting myself to add a little more about nex-hop-self command and alternatives.

eBGP peers when advertising an update change the next-hop attribute to their update-source address.

iBGP peers by defult do not change the next-hop when advertising an update.

The first condition for a route to be considered best by BGP is the next-hop must be reachable.

only best prefixes are advertised by BGP and are installed in the routing table.

Now let's suppose R1 is ASBR and has an eBGP peering with R3 and an iBGP peering with R2:

when R3 send BGPupdate to R1 about a prefix it will change the next-hop to its update-source ip address which by default is IP address of directly connected interface towards R1.this address is not known by IGP in your AS but known by R1.R1 then does an iBGP update to R2 and doesn't change the next-hop so when R2 receives this update the next-hop is not reachable and so it is not a best path so won't be propagated to any other BGP peer and won't get installed in the routing table, so this prefix will be unreachable.

Now to remedy to this problem there are different solutions:

- redistribute the next-hop subnet into the IGP in yout AS

- advertise this subnet in your IGP with a network command

- configure a static route to this subnet on R2 pointing to R1

-use the next-hop-self command on R1-R2 iBGP peering

- set the next-hop with a route-map and apply this route-map to your iBGP neighbour R2 outbound

Now you also talked about RR as a solution against synchronisation but the RR addresses a totlly different issue:

it addresses the iBGP split horizon rule which states that an iBGP learned route can never be advertised to other iBGP peers.To remedy to this problem we can:

-use an iBGP full mesh

- use an MPLS BGP-free core network between our iBGP ASBRs peers

-use Route-refelctor which is a router which doesn't follow the split horizon rule

-use confederations

Regards.

Alain.

Don't forget to rate helpful posts.

View solution in original post

Peter Paluch · ‎09-28-2011

Hi,

BGP synchronization assumed an older approach of BGP deployment for a transit autonomous system. In this approach, BGP would be configured only on ASBRs, not on internal routers. The ASBRs would have eBGP peerings with outside autonomous systems, and they would also have iBGP peerings to each other. Internal routers, however, would not be running BGP.

Naturally, this constellation would result in blackholing traffic because while the ASBRs know all routes thanks to their eBGP and iBGP peerings, any internal router would have no idea about external networks. So as an additional step, the BGP routes were redistributed into the internal routing protocol. The full reachability would be therefore gained by combining the BGP on and between the ASBRs, and the redistribution of BGP routes into IGP within an AS. The internal routers are therefore spared the need to run full BGP.

Now, an ASBR can know about an external network from another iBGP peer via iBGP and theoretically, it can immediately install it into its routing table and advertise it to further eBGP neighbors. However, if the internal protocol, say, EIGRP, does not yet have that route fully advertised to all internal routers, advertising the route to eBGP neighbors would be futile: the traffic would be still misrouted or blackholed inside our AS until the EIGRP has truly advertised the network.

This is where BGP Synchronization comes in. An ASBR can know about a route via iBGP peering with another ASBR. However, it will not consider that route as valid until the same route comes through an IGP, say, EIGRP, and gets installed in the routing table. Seeing the route learned via iBGP installed as an IGP route means that the neighboring ASBR has redistributed the route correctly into EIGRP and that it is already known to all internal routers between that ASBR and your ASBR, and that means that the path is truly valid - each router on the path between you and the neighboring ASBR knows how to route packets to that destination.

So the state of seeing an iBGP-learned route as IGP-learned in your routing table means that the route itself is synchronized. Only now, you can consider the route as valid, subject it to BGP bestpath algorithm and advertise it to eBGP peers - not sooner.

I already understand that Sync. must be disabled in case if i have a  full meshed IBGP in order for IBGP routes to be entered in the IGP  routing table.

iBGP peers must always be fully meshed (let us ignore route reflectors and confederations for now). However, the BGP synchronization should be deactivated if all your routers within an AS are BGP speakers and are supposed to learn the external routes via BGP. In such case, you would never redistribute BGP-learned routes into an IGP (there would be no sense in doing that as all routers speak BGP already) but the activated synchronization would prevent these routers from treating these iBGP-learned routes as valid.

In other words, the BGP Synchronization must be deactivated in all iBGP scenarios where BGP routes are not redistributed into IGP protocol. Otherwise, an iBGP speaker will wait for an iBGP-learned route to be also learned via IGP - which will never happen.

Please feel welcome to ask further!

Best regards,

Peter

cadet alain · ‎09-29-2011

Hi Peter,

How I wish I could explain things the way you do.You definitely rock man.

Regards.

Alain.

Don't forget to rate helpful posts.

Peter Paluch · ‎09-29-2011

Hi Alain,

Thank you... I am very, very honored by your words. Honestly.

Best regards,

Peter

turbo_engine26 · ‎09-29-2011

Hi Peter,

Thx for the outstanding theoritical explanation and it's good to see you again. However, you've missed the practical side again. You didn't mention where should i turn on Sync., on which router ? on ASBR ? .. Also, i don't see any benefit from Synchronization if i use redistribution because redistribution is of course will inject routes to IGP and this is normal. So where is exactly the role of Sync.? ... In my humble understanding, i thought Sync. is a way that will automatically inject learned external routes to internal IGP without redist. or whatever.

Sorry man, i need you to give me a practical explanation beside this theoritical explanation.

I uploaded a topology so you can convert this theory into practical.

Regards,

A.M.

Peter Paluch · ‎09-29-2011

Hello,

Alright, let's make it practical and plain - after correcting some of your assumptions.

In  my humble understanding, i thought Sync. is a way that will   automatically inject learned external routes to internal IGP without   redist. or whatever.

Not, not at all. This is probably the point where we are misunderstanding each other.

BGP Sync does not refer to some process of redistributing BGP routes into IGP. In fact, turning Sync on or off has absolutely no effect on the BGP-to-IGP redistribution at all. BGP Sync is about making an iBGP-learned route conditionally valid or conditionally invalid for BGP, depending on whether that route has also been learned and installed into the routing table via an IGP. I have tried to explain the reason for such validity check in my previous reply. Once more, the Sync operation has nothing to do with redistribution itself.

An iBGP-learned route is synchronized if it has been learned both via iBGP and via IGP, and is installed into the routing table via IGP. It is not synchronized in all other cases. There is no concept of synchronization for eBGP-learned routes. So much and nothing more - it's as simple as that. Are you OK with this concept of synchronization?

However, you've missed the practical side again.

Ooops, do I miss it often?

You didn't mention where should i turn on Sync., on which router ? on  ASBR ? ..

The BGP Sync is only usable and should only be used in those networks where you actually perform BGP-to-IGP redistribution. In those networks, usually only ASBRs are running BGP and speaking iBGP to each other, all other routers are running IGP only. So in these networks, indeed, you would be running Sync on ASBRs only as there are no other BGP speakers at all. In networks with partial BGP deployment, you would be running Sync on all routers that are running both BGP and your internal IGP. So, simply put, you would run Sync on all BGP speakes within your AS that run both IGP and BGP. Note, however, that the Sync is only going to make sanity checks of iBGP-learned routes and declare them either usable or unusable. It is not going to perform the redistribution for you automatically.

Also, i don't see any benefit from Synchronization. if i use  redistribution because redistribution is of course will inject routes to  IGP and this is normal

The benefit was explained in my previous reply. I'll repeat it and make it short: You should not advertise an iBGP-learned network to an eBGP peer if it is not guaranteed that your AS is capable of routing the traffic towards that network. That means that all routers in your AS, i.e. ASBRs and internal routers, must know about this route. The knowledge of ASBRs about that route is easily verified - if they did not know about the route, they would not have advertised it to you via iBGP in the first place. The internal routers must know about that route either via iBGP as well, or via IGP, but here we assume that there are no internal routers speaking BGP. So the only way to be sure is to wait for the BGP-to-IGP redistribution take place on the neighboring ASBR that advertised the route via iBGP to you, wait for the redistributed route to propagate in IGP and get installed into your own routing table via IGP - and only then start actually using that route in your BGP RIB as usable and advertise it further.

Once again, Sync only makes sure that routes you advertise via eBGP are valid. It does not cause these routes to be carried from BGP into IGP.

I uploaded a topology so you can convert this theory into practical.

The only AS in your example that is eligible for using the BGP Sync is AS 100 as it is a transit AS. No other AS in your exhibit is a transit AS, and therefore it does not need to make sanity (read - successful reachability via own AS) checks on routes advertised in BGP.

You can configure AS 100 in two ways:

Run an IGP, say, EIGRP, in the AS 100, on all three routers. Furthermore, peer Vail and Telluride in BGP. Do not run BGP on Aspen. Here, you need to redistribute BGP on Vail and Telluride into EIGRP because otherwise, Aspen would not know about networks in different AS. Now, consider a route from AS300: 192.168.250.0/24. Telluride may learn about that network via iBGP from Vail. However, it should not advertise it further to AS400 until it is certain that it is possible to route packets towards 192.168.250.0/24 through the AS300 successfully. What if the route is not known to Aspen yet? This is the purpose of BGP Sync. You may activate the BGP Sync on Telluride to force it to wait until the 192.168.250.0/24 is also learned via EIGRP. Then you can be sure that Aspen knows about this route, and you may further advertise that route further to AS400. For similar checks about routes learned from AS 400 being advertised to AS300 and 200, you can configure the BGP Sync on Vail as well. So here, the BGP Sync makes sure that you do not advertise routes via eBGP that are not yet reachable through your own AS.
Run an IGP, say, EIGRP in the AS 100, and also run BGP on all three routers, configured properly (either a full mesh iBGP peering or using route reflectors). You do not perform any redistribution from BGP to EIGRP and instead use BGP to carry all external routes. Here, you do not need and do not want the BGP Sync to be configured anywhere. You have no way of verifying if the route has been advertised via iBGP to all internal BGP speakers, and you can not wait for the route to be learned via EIGRP because this redistribution is not used. In this case, the BGP Sync is useless and actually harmful, and should not be activated.

Does this make more sense now? Please do ask further - you are welcome.

Best regards,

Peter

turbo_engine26 · ‎09-29-2011

Hi Peter,

I really thank you from my deep heart for your kind patience and God bless you for sure. I got the point from Sync. It is nothing more than a sanity checking to make sure that your own AS is responsible enough to route a traffic toward a destination. Oh my god! it is even simple more than i can imagine .. And of course, redistribution still need to be performed in order for Sync to do the checking properly. hmmm.. it does make sense now about why IBGP learned routes are not shown in the routing table when Sync is turned on in meshed IBGP routers, because simply no IGP running to put these routes there. Why don't we save all these pains and just run IBGP only in RR/client structure better?

"Ooops, do I miss it often? "

Haha, not in this topic but in another post about classful and classless differences.

Peter, i really thank you again and may God will reward you for helping people without getting bored and with patience.

Please tell me how can i rate this post? ... Does accepting your answer enough or is there another way for rating?

Regards,

A.M.

Peter Paluch · ‎09-29-2011

Hello,

God bless both of us. You are welcome

It is nothing more than a sanity checking to make sure that your own AS  is responsible enough to route a traffic toward a destination.

Exactly - 100% correct.

"Ooops, do I miss it often? "

Haha, not in this topic but in another post about classful and classless differences.

Oh... I am genuinely sorry about that. Don't hesitate about telling me whenever you need a plain working example instead of having it described theoretically without a practical reference. Some people are fine with principial explanations, others like to see how it applies to real things - there is nothing wrong with that. It is my responsibility to convey the information in a way most comprehensible to you. I am saying this absolutely honestly: please help me to be of most help to you.

Please tell me how can i rate this post? ... Does accepting your answer enough or is there another way for rating?

If you believe that a particular post of mine solved your issue, there should be a button saying "Correct answer". That would be the proper way to mark thread as solved. It is automatically rated as well. Thank you very much for your generosity.

As I said earlier - please feel welcome to ask about anything, and feel welcome to tell me or anyone else if you need to put things from a particular perspective.

Best regards,

Peter

turbo_engine26 · ‎09-29-2011

Thanks Peter

Just final question please.

In all IBGP peers that advertises routes, should i issue the "next-hop-self" command on each of them manually,right?

Regards,

A.M.

Peter Paluch · ‎09-29-2011

Hello,

Using the next-hop-self is not strictly necessary but certainly helpful, and I would personally suggest using it.

As an example, if you did not configure your iBGP peers in AS 100 using the next-hop-self, the Telluride would see, say, the network 192.168.250.0/24 learned via iBGP with the next hop set to 192.168.1.210 - the Tahoe's IP address. That would require you to advertise the inter-AS links into the IGP in the AS 100 to make the next hop known - otherwise the BGP on Telluride would again consider the route unusable because of an unreachable next hop.

If, however, the Vail referred to the Telluride in BGP configuration using the next-hop-self, it would change the next hop address when advertising the 192.168.250.0/24 to Telluride its own address. That would make the route reachable without actually needing to advertise the 192.168.1.208/30 into AS100 IGP. Also, it makes the routing table more readable - you are more accustomed seeing your own ASBRs as next hops, rather than ASBRs of neighboring AS-es as next hops.

Best regards,

Peter

turbo_engine26 · ‎09-29-2011

Right, this explains why we remove the "network" statements if we configure the "next-hop-self" instead.

Thanks again Peter, i am out of questions at the moment, maybe my next question will be about MPLS

Take care and have a nice day

Regards,

A.M.

cadet alain · ‎09-29-2011