Cisco IOS offers several features to help in the management of BGP peer connections. The first is the neighbor description statement. Like the description statement that can be entered under an interface configuration, this statement has no functional impact on the router. Rather, it adds an informational text string to the configuration. You already have encountered many configuration options that apply to a BGP neighbor, and you will encounter several more in the remaining sections of this chapter. When the BGP configuration becomes elaborate, the neighbor description helps provide a reminder of who and where each neighbor is. Example 3-71 demonstrates the use of the neighbor description statement.
Example 3-71 The neighbor description Command Helps Alleviate Confusion with Elaborate BGP Configurations
router bgp 200 aggregate-address 192.168.192.0 255.255.248.0 as-set summary-only neighbor 192.168.1.1 remote-as 500 neighbor 192.168.1.1 description ******T1 to Sun, Ckt. ID 54.HCGS.123456 neighbor 192.168.1.237 remote-as 200 neighbor 192.168.1.237 description ****Ethernet to Diamond, Interface E0 neighbor 192.168.1.250 remote-as 300 neighbor 192.168.1.250 description ****T1 to Burke, Ckt. ID 54.HCGS.654321 neighbor 192.168.1.254 remote-as 100 neighbor 192.168.1.254 description ****56K to Stowe, Ckt. ID 54.DWDA.987654
The description can contain any useful information you want to add, up to 80 characters . This example includes the link type, the name of the neighboring router, and, where appropriate, the circuit ID.
Two BGP neighbors also can authenticate each other with a password using the neighbor password statement. In the configuration in Example 3-72, the password noT4U2n0 has been entered for the neighbor 192.168.1.253.
Example 3-72 BGP Neighbor Authentication
service password-encryption ! router bgp 100 redistribute eigrp 100 neighbor 192.168.1.253 remote-as 200 neighbor 192.168.1.253 description ****56K to Sugarbush, Ckt. ID 54.DWDA.987654 neighbor 192.168.1.253 password 7 14191D3F5831782574
Notice also that the service password-encryption option has been entered into the router's global configuration, causing the password to be encrypted when the configuration is displayed, for added privacy.
The passwords between different neighbor connections can differ , or they can all be the same. You also can apply a common password to a peer group rather than to individual neighbors by specifying the peer group name in place of an IP address. For each BGP connection, however, the two neighbors must have the same password.
The IOS uses MD5 authentication when a BGP neighbor password is configured. MD5 is a one-way message digest or secure hash function produced by RSA Data Security, Inc. It also is occasionally referred to as a cryptographic checksum, because it works in somewhat the same way as an arithmetic checksum. MD5 computes a 128-bit hash value from a plain-text message of arbitrary length (in this case, a BGP message) and a password. This " fingerprint " is transmitted along with the message. The receiver, knowing the same password, calculates its own hash value. If nothing in the message has changed, the receiver's hash value should match the sender's value transmitted with the message. The hash value is impossible to decipher (without a huge amount of computing power) without knowing the password so that an unauthorized router cannot, either maliciously or by accident , peer with a router running neighbor authentication.
Other options available for the neighbor connection are the neighbor advertisement-interval and neighbor version commands. The first command changes the default BGP update interval to a specified interval between 0 and 600 seconds. If a large number of routes must be exchanged across a link, using this command to increase the period between advertisements can reduce the impact on the link's available bandwidth. You should not change the advertisement interval, however, unless you fully understand the consequences, such as possible reduced reconvergence times.
The neighbor version command is useful if a neighbor cannot support the default BGP-4. Rather than have the version 4 router negotiate down to the neighbor's supported version, you can configure the router to speak a specific version to a specific neighbor. As a result, the time necessary to establish a BGP connection is reduced. If both neighbors speak version 4, you gain nothing with this command, and its use is unnecessary.
The BGP decision process implemented in the Cisco IOS takes into consideration the length of the AS_PATH attribute when choosing between multiple routes to the same destination. However, RFC 1771 does not include this step. As a result, a Cisco BGP speaker occasionally is peered with another vendor's router that does not consider the AS_PATH length. If this situation creates the potential for inconsistent routing decisions, you can instruct the Cisco router to ignore the AS_PATH length in its decision process with the command bgp bestpath as- path ignore.
In some policy situations, you might want to limit the number of prefixes a router is allowed to accept from a neighbor. For example, you might know that only a certain number of prefixes should be advertised from a particular AS. Any number above this probably indicates a configuration mistake by that autonomous system's administrator. Or perhaps there is a service agreement in place in which you agree to accept only a finite number of prefixes; to advertise a larger number, the administrator of the neighboring AS must first get your approval. To enforce such a policy, you can use the neighbor maximum-prefix command. Consider the configuration in Example 3-73.
Example 3-73 Limiting the Number of Prefixes That a Router Is Allowed to Accept from a Neighbor
router bgp 100 redistribute eigrp 100 neighbor 192.168.1.253 remote-as 200 neighbor 192.168.1.253 maximum-prefix 300
The router in Example 3-73 is configured to accept a maximum of 300 prefixes from neighbor 192.168.1.253. If the limit is exceeded, the router closes the BGP session with the neighbor, and the session cannot be reestablished until you issue the clear ip bgp 192.168.1.253 command.
Perhaps breaking the peering session might be too severe a consequence for exceeding the maximum prefixes, but you still want to be notified when it happens. The configuration in Example 3-74 does not close the session, but instead causes the router to generate a log message.
Example 3-74 Configuring the Router to Generate a Log Message When a Neighbor Exceeds the Number of Prefixes That Can Be Sent
router bgp 100 redistribute eigrp 100 neighbor 192.168.1.253 remote-as 200 neighbor 192.168.1.253 maximum-prefix 300 warning-only
A log message is generated when the neighbor's advertised prefix exceeds 75 percent of the maximum ”in this case, at 225 prefixes. You can change that default percentage. The configuration in Example 3-75 generates a log message when the neighbor's advertised prefixes exceed 90 percent of the maximum.
Example 3-75 Configuring the Router to Generate a Log Message When a Neighbor Exceeds 90 Percent of the Number of Prefixes That Can Be Sent
router bgp 100 redistribute eigrp 100 neighbor 192.168.1.253 remote-as 200 neighbor 192.168.1.253 maximum-prefix 300 90 warning-only
On occasion, you might need to temporarily disconnect a peer but not want to delete its neighbor configuration. The configuration in Example 3-76 uses the neighbor shutdown command to disconnect the neighbor 192.168.1.237.
Example 3-76 Temporarily Disconnecting a Neighbor Connection
aggregate-address 192.168.192.0 255.255.248.0 as-set summary-only neighbor 192.168.1.1 remote-as 500 neighbor 192.168.1.1 description ******T1 to Sun, Ckt. ID 54.HCGS.123456 neighbor 192.168.1.237 remote-as 200 neighbor 192.168.1.237 description ****Ethernet to Diamond, Interface E0 neighbor 192.168.1.237 shutdown neighbor 192.168.1.250 remote-as 300 neighbor 192.168.1.250 description ****T1 to Burke, Ckt. ID 54.HCGS.654321 neighbor 192.168.1.254 remote-as 100 neighbor 192.168.1.254 description ****56K to Stowe, Ckt. ID 54.DWDA.987654
The neighbor shutdown command in Example 3-76 closes the TCP port 179 connection to a specified neighbor, similar to the way the shutdown command disables a single interface. When the show ip bgp neighbor command is issued, the neighbor is indicated as administratively shut down.
Finally, you can use the timers bgp command to change the default BGP keepalive and hold time intervals of 60 seconds and 180 seconds. The argument can be made that reducing these intervals speeds the detection of an unreliable neighbor, but the real solution to such a problem is to eliminate the causes of the neighbor's unreliability. A change of the default intervals with this command applies to every neighbor, not just a single neighbor. Even if a neighbor has different default keepalive and hold time intervals, the intervals that are used are dynamically negotiated as part of the peering process. Therefore, under normal circumstances, there should be very few reasons to use this command.