Restricting the Number of Routes Advertised to a BGP Peer

Problem

You want to control the number of routes that your peers send you.

Solution

Set the maximum number of routes that you will accept from each of your peers:

	[edit protocols bgp group session-to-AS65505  neighbor 10.0.31.1 ]
	aviva@RouterF# set family inet unicast prefix-limit maximum 7500 
	aviva@RouterF# set family inet unicast prefix-limit teardown 

Discussion

As an ISP, you keep track of how many routes each of your peers and customers normally sends you. This number generally increases slowly over time. To place a limit on the number of routes a peer or customer can send you, set a maximum number of routes to accept. This type of administrative policy guards against an inadvertent policy misconfiguration, which, in the worst case, could result in a peer or customer redistributing the full Internet routing table to you. You decide on the maximum number of prefixes you accept based on the normal number of routes exchanged with the peer, and, when the limit is reached, BGP tears down the session with the peer. Typically, you take the current number of routes exchanged and add about 50 percent.

In this recipe, we know that neighbor 10.0.31.1 typically sends 5,000 prefixes, so we set the limit to 7,500 prefixes. For example, if the peer tries to send the entire Internet routing table (on the order of 170,000 prefixes), BGP on the local router will shut down the peering session with the neighbor. This shutdown tells both you and the peer that something has gone wrong at the peer's end.

To verify the configuration, look at the BGP neighbors information:

	aviva@RouterF> show bgp neighbor 10.0.31.1
	Peer: 10.0.31.1+4051 AS 65505 Local: 10.0.31.2+179 AS 65500
	 Description: EBGP to Customer A
	 Type: External State: Established Flags: 
	 Last State: OpenConfirm Last Event: RecvKeepAlive
	 Last Error: None
	 Export: [ send-statics ]
	 Options: PrefixLimit Refresh>
	 Address families configured: inet-unicast
	 Holdtime: 90 Preference: 170
	 Number of flaps: 2
	 Peer ID: 192.168.14.1 Local ID: 192.168.16.1 Active Holdtime: 90
	 Keepalive Interval: 30 Peer index: 0
	 Local Interface: t1-0/0/3.0
	 NLRI advertised by peer: inet-unicast
	 NLRI for this session: inet-unicast
	 Peer supports Refresh capability (2)
	 Table inet.0 Bit: 10000
	 RIB State: BGP restart is complete
	 Send state: in sync
	 Active prefixes: 5
	 Received prefixes: 8
	 Suppressed due to damping: 0
	 Advertised prefixes: 8
	 Last traffic (seconds): Received 3 Sent 28 Checked 28
	 Input messages: Total 253 Updates 4 Refreshes 0 Octets 4967
	 Output messages: Total 261 Updates 12 Refreshes 0 Octets 5411
	 Output Queue[0]: 0

On the Options line, the option PrefixLimit indicates that the number of prefixes this neighbor can send has been limited.

When the prefix limit is reached and the EBGP session is torn down, a message is logged to the system logging files:

	Aug 6 22:19:21 M20-R7 rpd[2254]: 10.1.6.2 (External AS 65501): Configured maximum prefix-limit(10) exceeded for inet-unicast nlri: 13
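The sizing rule from the Discussion (normal count plus about 50 percent), the PrefixLimit check in the show bgp neighbor output, and the rpd teardown message can all be handled by a small monitoring script. The following is an added example and is not code from the JUNOS Cookbook or from Juniper; the show output and syslog lines embedded in it are constructed in the format shown above, and the function names (recommended_limit, check_neighbor, find_limit_events) and the 85 percent warning threshold are this example's own choices.

```python
"""Added example: apply the recipe's prefix-limit sizing rule, confirm from
'show bgp neighbor' text that PrefixLimit is in effect and how close the
peer is to the limit, and pick the rpd 'prefix-limit exceeded' message out
of a syslog stream. All sample text below is constructed for this example."""
import math
import re

# Constructed sample: a trimmed 'show bgp neighbor' output in the style the recipe shows.
SHOW_BGP_NEIGHBOR = """\
Peer: 10.0.31.1+4051 AS 65505 Local: 10.0.31.2+179 AS 65500
  Description: EBGP to Customer A
  Type: External State: Established Flags:
  Options: PrefixLimit Refresh>
  Address families configured: inet-unicast
  Active prefixes: 5
  Received prefixes: 8
  Suppressed due to damping: 0
  Advertised prefixes: 8
"""

# Constructed sample syslog lines; the first follows the rpd message format from the recipe.
SYSLOG_LINES = [
    "Aug 6 22:19:21 M20-R7 rpd[2254]: 10.1.6.2 (External AS 65501): "
    "Configured maximum prefix-limit(10) exceeded for inet-unicast nlri: 13",
    "Aug 6 22:19:25 M20-R7 rpd[2254]: 10.1.6.2 (External AS 65501): state changed (unrelated line)",
]


def recommended_limit(normal_prefixes, headroom=0.5):
    """Recipe rule: take the normal prefix count and add about 50 percent."""
    return math.ceil(normal_prefixes * (1 + headroom))


def parse_neighbor(output):
    """Pull the peer address, peer AS, Options line and received-prefix count
    out of 'show bgp neighbor' text. The '+port' suffix on the peer address is
    present only while a TCP session is up, so it is optional."""
    peer = re.search(r"^\s*Peer: (\S+?)(?:\+\d+)? AS (\d+)", output, re.M)
    options = re.search(r"^\s*Options: (.*)$", output, re.M)
    received = re.search(r"^\s*Received prefixes: (\d+)", output, re.M)
    if peer is None:
        raise ValueError("no Peer line found in output")
    return {
        "peer": peer.group(1),
        "peer_as": int(peer.group(2)),
        "prefix_limit_configured": "PrefixLimit" in (options.group(1) if options else ""),
        "received": int(received.group(1)) if received else None,
    }


def check_neighbor(output, maximum, warn_pct=85):
    """Combine the parsed neighbor data with the configured maximum and flag
    the peer once its received prefixes reach warn_pct of that maximum
    (85 is the same figure the recipe uses for 'prefix-limit teardown 85')."""
    info = parse_neighbor(output)
    received = info["received"] or 0
    info["percent_of_limit"] = 100.0 * received / maximum
    info["warning"] = info["percent_of_limit"] >= warn_pct
    return info


# Matches the rpd teardown message: peer, AS, configured limit, family, count received.
LIMIT_EXCEEDED = re.compile(
    r"rpd\[\d+\]: (?P<peer>\S+) \(External AS (?P<asn>\d+)\): "
    r"Configured maximum prefix-limit\((?P<limit>\d+)\) exceeded for "
    r"(?P<family>\S+) nlri: (?P<count>\d+)"
)


def find_limit_events(lines):
    """Return one record per 'prefix-limit exceeded' message found in the lines."""
    events = []
    for line in lines:
        m = LIMIT_EXCEEDED.search(line)
        if m:
            d = m.groupdict()
            events.append({
                "peer": d["peer"],
                "asn": int(d["asn"]),
                "family": d["family"],
                "limit": int(d["limit"]),
                "received": int(d["count"]),
            })
    return events


if __name__ == "__main__":
    limit = recommended_limit(5000)          # the recipe's 5,000 -> 7,500 sizing
    print("recommended maximum:", limit)
    print("neighbor status:", check_neighbor(SHOW_BGP_NEIGHBOR, limit))
    for event in find_limit_events(SYSLOG_LINES):
        print("prefix limit exceeded:", event)
```

In practice the show output would come from the router (for example via a script that runs the command and captures the text) and the syslog lines from the log host that receives the router's messages; the warning threshold lets you page on approach rather than only on the teardown itself.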

If you want some advance warning that the peer is nearing the maximum number of prefixes you will accept from it, you can have BGP log a message when the number of prefixes received from the peer reaches some percentage of the maximum allowed. The following example uses a percentage that is about halfway between the normal number of prefixes and the maximum:

	[edit protocols bgp group session-to-AS65505  neighbor 10.0.31.1 ]
	aviva@RouterF# set family inet unicast prefix-limit teardown 85 

After the session is torn down, it will be re-established a short time later. In most cases, this behavior is fine. You might want to force the session to stay down for a fixed amount of time to give you time to investigate what might be causing the prefix overflow or to contact the administrator of the remote AS. This command keeps the session down for 5 minutes (300 seconds):

	[edit protocols bgp group session-to-AS65505  neighbor 10.0.31.1 ]
	aviva@RouterF# set family inet unicast prefix-limit idle-timeout 300 

Under extreme conditions, you might want the session to stay down until you manually restart it:

	[edit protocols bgp group session-to-AS65505  neighbor 10.0.31.1 ]
	aviva@RouterF# set family inet unicast prefix-limit idle-timeout forever 

Use the clear bgp neighbor command to restart the session:

	aviva@RouterF> clear bgp neighbor 10.0.31.1
	Cleared 1 connections

After the session is reestablished, the Error line in the show bgp neighbor output reports Cease to indicate that the session was cleared:

	aviva@RouterF> show bgp neighbor 10.0.31.1
	Peer: 10.0.31.1 AS 65505 Local: 10.0.31.2 AS 0
	 Description: EBGP to Customer A
	 Type: External State: Active Flags: <>
	 Last State: Idle Last Event: Start
	 Last Error: Cease
	 Export: [ send-statics ]
	 Options: 
	 Address families configured: inet-unicast
	 Holdtime: 90 Preference: 170
	 Number of flaps: 3
	 Error: Cease Sent: 1 Recv: 0
	…

See Also

Recipe 13.15


JUNOS Cookbook
ISBN: 0596100140
Year: 2007
Pages: 290
Authors: Aviva Garrett