Border Gateway Protocol (BGP) is the routing protocol of the Internet. Proper BGP configuration is critical for network stability, security, and optimal routing.
BGP Fundamentals Review
What is BGP?
- Path vector protocol: Maintains complete path information
- Policy-based routing: Flexible route selection using attributes
- Autonomous System (AS) focused: Routes between different networks
- TCP-based: Uses port 179 for reliable communication
- Slow convergence: Designed for stability over speed
When to Use BGP
- Multi-homed connections (multiple ISPs)
- Transit AS (passing traffic between networks)
- Internet Exchange Point (IXP) participation
- Complex routing policies required
- AS path manipulation needed
Neighbor Establishment
1. Authentication
Modern BGP authentication options (in order of preference):
Option 1: TCP-AO (TCP Authentication Option) - RFC 5925
TCP-AO uses modern cryptographic algorithms and is the recommended replacement for MD5.
Cisco IOS-XR
```
key chain BGP-KEYCHAIN
 key 1
  accept-lifetime 00:00:00 january 01 2025 infinite
  ! "key-string password" expects an already-encrypted string; use "clear" for plaintext
  key-string clear BGP-Secret-Key-2025
  send-lifetime 00:00:00 january 01 2025 infinite
  cryptographic-algorithm HMAC-SHA-256
  ! TCP-AO needs a KeyID for each direction (RFC 5925 SendID/RecvID)
  send-id 1
  receive-id 1
router bgp 65001
 neighbor 10.0.0.2
  remote-as 65002
  ao BGP-KEYCHAIN include-tcp-options disable
```
Juniper
```
security {
    authentication-key-chains {
        key-chain BGP-KEYCHAIN {
            key 1 {
                secret "$9$encrypted_key";
                start-time "2025-1-1.00:00:00 +0000";
                algorithm ao;
                ao-attribute {
                    send-id 1;
                    recv-id 1;
                    tcp-ao-option enabled;
                    /* RFC 5926 traffic-key algorithms: hmac-sha-1-96 or aes-128-cmac-96 */
                    cryptographic-algorithm hmac-sha-1-96;
                }
            }
        }
    }
}
protocols {
    bgp {
        group external {
            neighbor 10.0.0.2 {
                authentication-algorithm ao;
                authentication-key-chain BGP-KEYCHAIN;
            }
        }
    }
}
```
Option 2: MD5 Authentication (Legacy - Deprecated)
⚠️ Warning: MD5 is cryptographically broken. Only use if TCP-AO is not supported.
Cisco IOS
```
router bgp 65001
 neighbor 10.0.0.2 password 7 encrypted_password
```
Juniper
```
protocols {
    bgp {
        group external {
            authentication-key "$9$encrypted_key";
        }
    }
}
```
Option 3: IPsec Tunnel
For maximum security, run BGP over IPsec encrypted tunnels.
Best Practices
- Prefer TCP-AO over MD5 (HMAC-SHA-256 or stronger)
- Use strong, unique passwords per neighbor (minimum 20 characters)
- Rotate passwords periodically (every 90 days recommended)
- Store passwords in encrypted vaults (HashiCorp Vault, AWS Secrets Manager)
- Use different keys for send and receive directions if supported
- Document password rotation procedures
- Plan migration from MD5 to TCP-AO where possible
2. TTL Security (GTSM)
Enable TTL security to prevent spoofed BGP packets from distant sources.
Cisco
```
router bgp 65001
 neighbor 10.0.0.2 ttl-security hops 1
```
Juniper
```
protocols {
    bgp {
        group external {
            /* Sends BGP packets with TTL 255 so the peer's GTSM check passes. Junos has no
               single GTSM knob: the inbound check is a lo0 firewall filter that accepts
               TCP/179 only with "ttl 255" from the configured peers. */
            multihop {
                ttl 255;
            }
        }
    }
}
```
When to Use
- Direct connections: hops 1
- Multi-hop eBGP: calculate actual hops + 1
- iBGP sessions: usually not needed (loopback peering)
3. Source Address Specification
Use loopback interfaces for iBGP stability.
Cisco
```
router bgp 65001
 neighbor 10.255.0.2 remote-as 65001
 neighbor 10.255.0.2 update-source Loopback0
```
Juniper
```
protocols {
    bgp {
        group ibgp {
            local-address 10.255.0.1;
        }
    }
}
```
Benefits
- Session survives physical interface failures
- Multiple paths to neighbor increase redundancy
- Consistent source for all BGP sessions
Prefix Filtering
1. Inbound Filtering
Filter what you accept from neighbors to prevent route leaks and attacks.
Prefix Lists (Cisco)
```
! Allow only customer prefixes
ip prefix-list CUSTOMER-IN seq 10 permit 192.0.2.0/24
ip prefix-list CUSTOMER-IN seq 20 permit 198.51.100.0/24
ip prefix-list CUSTOMER-IN seq 30 deny 0.0.0.0/0 le 32
router bgp 65001
 neighbor 10.0.0.2 prefix-list CUSTOMER-IN in
```
Route Filters (Juniper)
```
policy-options {
    policy-statement CUSTOMER-IN {
        term accept-customer {
            from {
                route-filter 192.0.2.0/24 exact;
                route-filter 198.51.100.0/24 exact;
            }
            then accept;
        }
        term reject-all {
            then reject;
        }
    }
}
```
2. Outbound Filtering
Control what you advertise to neighbors.
Cisco
```
! Allow only own prefixes
ip prefix-list OWN-PREFIXES seq 10 permit 203.0.113.0/24
ip prefix-list OWN-PREFIXES seq 20 deny 0.0.0.0/0 le 32
router bgp 65001
 neighbor 10.0.0.1 prefix-list OWN-PREFIXES out
```
AS Path Filtering
```
! Prevent AS path loops: never re-export a path that already carries our AS
ip as-path access-list 10 deny _65001_
ip as-path access-list 10 permit .*
router bgp 65001
 neighbor 10.0.0.1 filter-list 10 out
```
3. Maximum Prefix Limits
Protect against route leaks by limiting accepted prefixes.
Cisco
```
router bgp 65001
 neighbor 10.0.0.2 maximum-prefix 100 80 warning-only
 ! Warn at 80%, don't tear down session
```
Juniper
```
protocols {
    bgp {
        group customer {
            family inet {
                unicast {
                    prefix-limit {
                        maximum 100;
                        teardown 80 idle-timeout 30;
                    }
                }
            }
        }
    }
}
```
Recommended Limits
- Customer: Expected prefixes + 20% buffer
- Peer: Current count × 1.5
- Transit provider: 900,000+ (full table ~950k in 2025)
- Internal: Number of sites × average prefixes per site
Bogon and Martian Filtering
Filter Invalid Prefixes
Block RFC 1918, loopback, multicast, and other invalid ranges.
Cisco Prefix List
```
ip prefix-list BOGONS seq 10 deny 0.0.0.0/8 le 32
ip prefix-list BOGONS seq 20 deny 10.0.0.0/8 le 32
ip prefix-list BOGONS seq 30 deny 127.0.0.0/8 le 32
ip prefix-list BOGONS seq 40 deny 169.254.0.0/16 le 32
ip prefix-list BOGONS seq 50 deny 172.16.0.0/12 le 32
ip prefix-list BOGONS seq 60 deny 192.0.2.0/24 le 32
ip prefix-list BOGONS seq 70 deny 192.168.0.0/16 le 32
ip prefix-list BOGONS seq 80 deny 198.18.0.0/15 le 32
ip prefix-list BOGONS seq 90 deny 198.51.100.0/24 le 32
ip prefix-list BOGONS seq 100 deny 203.0.113.0/24 le 32
ip prefix-list BOGONS seq 110 deny 224.0.0.0/3 le 32
ip prefix-list BOGONS seq 120 permit 0.0.0.0/0 le 32
```
Apply to All External Neighbors
```
router bgp 65001
 neighbor 10.0.0.1 prefix-list BOGONS in
```
Regularly Update Bogon List
- Subscribe to Team Cymru bogon feed
- Automate updates via scripts
- Review IANA special-purpose registries
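The "automate updates" bullet is easy to state and easy to get wrong: a hand-maintained list drifts from the registry, and overlapping entries creep in. The script below is an added example, not part of the original page: it takes a registry-shaped list of special-purpose ranges (SAMPLE_REGISTRY is a constructed stand-in for the IANA CSV or the Team Cymru feed), collapses overlapping and adjacent ranges with the standard library, renders a Cisco prefix list in the same form as the BOGONS list above, and diffs the result against that list (CURRENT_BOGONS) so that any missing entry is visible before anything is pushed to a router.

```python
import ipaddress

# Constructed sample shaped like the IANA IPv4 Special-Purpose Address Registry
# (prefix, name). A production job would read the IANA CSV or the Team Cymru
# feed; this inline list only exists so the script runs offline.
SAMPLE_REGISTRY = [
    ("0.0.0.0/8", "This host on this network"),
    ("10.0.0.0/8", "Private-Use"),
    ("100.64.0.0/10", "Shared Address Space (RFC 6598)"),
    ("127.0.0.0/8", "Loopback"),
    ("169.254.0.0/16", "Link Local"),
    ("172.16.0.0/12", "Private-Use"),
    ("192.0.0.0/24", "IETF Protocol Assignments"),
    ("192.0.2.0/24", "Documentation (TEST-NET-1)"),
    ("192.168.0.0/16", "Private-Use"),
    ("198.18.0.0/15", "Benchmarking"),
    ("198.51.100.0/24", "Documentation (TEST-NET-2)"),
    ("203.0.113.0/24", "Documentation (TEST-NET-3)"),
    ("224.0.0.0/4", "Multicast"),
    ("240.0.0.0/4", "Reserved"),
    ("255.255.255.255/32", "Limited Broadcast"),
]

# The deny entries of the BOGONS prefix list shown above, for comparison.
CURRENT_BOGONS = [
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/3",
]


def consolidate(prefixes):
    """Merge overlapping and adjacent ranges (224/4 + 240/4 become 224/3)."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))


def render_cisco_prefix_list(name, nets, step=10):
    """Emit deny entries with a trailing permit-all, numbered in steps of 10."""
    lines = []
    for i, net in enumerate(nets, start=1):
        # IOS rejects "le 32" on a /32 entry, so only widen the match when needed
        rng = " le 32" if net.prefixlen < 32 else ""
        lines.append(f"ip prefix-list {name} seq {i * step} deny {net}{rng}")
    lines.append(f"ip prefix-list {name} seq {(len(nets) + 1) * step} permit 0.0.0.0/0 le 32")
    return lines


def diff_bogons(current, generated):
    """Return (missing_from_current, no_longer_in_registry) as sorted network lists."""
    cur = {ipaddress.ip_network(p) for p in current}
    gen = set(generated)
    return sorted(gen - cur), sorted(cur - gen)


if __name__ == "__main__":
    nets = consolidate(p for p, _ in SAMPLE_REGISTRY)
    print("\n".join(render_cisco_prefix_list("BOGONS", nets)))
    missing, stale = diff_bogons(CURRENT_BOGONS, nets)
    print("missing from current list:", [str(n) for n in missing])
    print("no longer in registry:", [str(n) for n in stale])
```

Run against the sample, the diff reports 100.64.0.0/10 and 192.0.0.0/24 as absent from the page's list; the review step is the point, since a generated list should never be applied unseen.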
Route Map Policies
1. Local Preference (iBGP)
Influence outbound traffic by setting local preference.
Prefer Primary ISP
```
route-map PRIMARY-ISP permit 10
 set local-preference 200
route-map BACKUP-ISP permit 10
 set local-preference 100
router bgp 65001
 neighbor 10.0.1.1 route-map PRIMARY-ISP in
 neighbor 10.0.2.1 route-map BACKUP-ISP in
```
Typical Values
- Primary path: 200
- Default: 100
- Backup path: 50
- Last resort: 10
2. AS Path Prepending (eBGP)
Influence inbound traffic by making paths less attractive.
Make Backup Link Less Preferred
```
route-map PREPEND-PATH permit 10
 set as-path prepend 65001 65001 65001
router bgp 65001
 neighbor 10.0.2.1 route-map PREPEND-PATH out
```
Best Practices
- Prepend your own AS only
- Use 2-4 prepends maximum (more is ignored)
- Test effectiveness with looking glass servers
- Document why prepending is applied
3. MED (Multi-Exit Discriminator)
Suggest entry point to neighboring AS.
Prefer Entry via Router A
```
route-map SET-MED-LOW permit 10
 set metric 50
route-map SET-MED-HIGH permit 10
 set metric 100
router bgp 65001
 neighbor 10.0.1.1 route-map SET-MED-LOW out
 neighbor 10.0.2.1 route-map SET-MED-HIGH out
```
Important Notes
- MED is a suggestion, not a guarantee
- Only compared between routes from same AS
- Lower MED is preferred
- Default is 0 (most preferred)
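Local preference, AS path length and MED only make sense as steps of one ordered decision, and the MED caveats above (compared only between paths from the same AS, lower wins) are where operators are most often surprised. The simulator below is an added example, not code from the original page: it implements the commonly cited order of the BGP best-path steps for the attributes discussed in this section (weight, local preference, AS path length, origin, MED grouped by neighbouring AS, eBGP over iBGP, router ID) and omits the remaining tie-breakers. The three scenario functions and all sample paths are constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Path:
    prefix: str
    next_hop: str
    neighbor_as: int          # AS the path was learned from (used for MED grouping)
    as_path: List[int]
    local_pref: int = 100     # default LOCAL_PREF
    med: int = 0              # default MED, most preferred
    origin: int = 0           # 0 IGP, 1 EGP, 2 INCOMPLETE; lower wins
    ebgp: bool = True
    weight: int = 0           # Cisco-only, local to the router
    router_id: str = "0.0.0.0"


def _keep_min(cands, key):
    """Keep only the candidates that share the lowest key value."""
    best = min(key(p) for p in cands)
    return [p for p in cands if key(p) == best]


def best_path(paths) -> Tuple[Path, str]:
    """Return (winning path, name of the step that decided it)."""
    cands = list(paths)
    ordered = [
        ("weight", lambda p: -p.weight),
        ("local-preference", lambda p: -p.local_pref),
        ("as-path length", lambda p: len(p.as_path)),
        ("origin", lambda p: p.origin),
    ]
    for name, key in ordered:
        cands = _keep_min(cands, key)
        if len(cands) == 1:
            return cands[0], name
    # MED is only compared among paths from the same neighbouring AS
    # (the default behaviour without "bgp always-compare-med").
    groups = {}
    for p in cands:
        groups.setdefault(p.neighbor_as, []).append(p)
    cands = [p for grp in groups.values() for p in _keep_min(grp, lambda q: q.med)]
    if len(cands) == 1:
        return cands[0], "med"
    later = [
        ("ebgp over ibgp", lambda p: 0 if p.ebgp else 1),
        ("router-id", lambda p: tuple(int(o) for o in p.router_id.split("."))),
    ]
    for name, key in later:
        cands = _keep_min(cands, key)
        if len(cands) == 1:
            return cands[0], name
    return cands[0], "tie"


def scenario_local_pref():
    """Primary ISP tagged 200, backup 100: local preference decides."""
    return best_path([
        Path("0.0.0.0/0", "10.0.1.1", 65010, [65010], local_pref=200),
        Path("0.0.0.0/0", "10.0.2.1", 65020, [65020], local_pref=100),
    ])


def scenario_prepend():
    """What a remote AS sees after we prepend 65001 three times on the backup link."""
    return best_path([
        Path("203.0.113.0/24", "10.1.1.1", 65010, [65010, 65001]),
        Path("203.0.113.0/24", "10.1.2.1", 65020, [65020, 65001, 65001, 65001]),
    ])


def scenario_med():
    """MED 50 beats MED 100 from AS 65002, but the MED 10 path from AS 65003 is
    never compared against them, so the router ID tie-breaker decides."""
    return best_path([
        Path("198.51.100.0/24", "10.2.1.1", 65002, [65002], med=50, router_id="10.2.1.1"),
        Path("198.51.100.0/24", "10.2.2.1", 65002, [65002], med=100, router_id="10.2.2.1"),
        Path("198.51.100.0/24", "10.2.3.1", 65003, [65003], med=10, router_id="10.2.3.1"),
    ])


if __name__ == "__main__":
    for fn in (scenario_local_pref, scenario_prepend, scenario_med):
        winner, step = fn()
        print(f"{fn.__name__}: {winner.next_hop} via AS {winner.neighbor_as} (decided by {step})")
```

The MED scenario is the one worth keeping in mind: a lower MED from a different AS does not win, which is exactly why the section above calls MED a suggestion rather than a guarantee.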
Community Tagging
Standard Communities
Tag routes for policy application.
Cisco
```
ip community-list standard CUSTOMER permit 65001:100
ip community-list standard PEER permit 65001:200
ip community-list standard TRANSIT permit 65001:300
route-map TAG-CUSTOMER permit 10
 set community 65001:100
router bgp 65001
 neighbor 10.0.0.2 route-map TAG-CUSTOMER in
```
Common Community Schemes

| Community | Meaning |
| --- | --- |
| 65001:100 | Customer routes |
| 65001:200 | Peer routes |
| 65001:300 | Transit provider routes |
| 65001:400 | Internal routes |
| 65001:1000 | Primary path |
| 65001:2000 | Secondary path |
| 65001:9999 | Blackhole |
Well-Known Communities
Standard BGP communities with special meaning.
- NO_EXPORT (65535:65281) - Don't advertise to eBGP peers
- NO_ADVERTISE (65535:65282) - Don't advertise to any peer
- LOCAL_AS (65535:65283) - Keep within local confederation
```
route-map NO-EXPORT permit 10
 set community no-export
router bgp 65001
 ! communities are stripped on eBGP sessions unless send-community is enabled
 neighbor 10.0.0.1 send-community
 ! attach the route-map to the session whose routes must stay local, e.g.
 ! neighbor 10.0.0.1 route-map NO-EXPORT in
```
Blackhole Community
Remotely triggered blackhole (RTBH) for DDoS mitigation.
Provider Configuration
```
! Discard address: anything resolving to this next hop is dropped in hardware
ip route 192.0.2.1 255.255.255.255 Null0
! Only host routes inside the customer's own allocation may be blackholed
ip prefix-list BLACKHOLE-HOSTS seq 10 permit 203.0.113.0/24 ge 32
ip community-list standard BLACKHOLE permit 65001:666
route-map BLACKHOLE permit 10
 match community BLACKHOLE
 match ip address prefix-list BLACKHOLE-HOSTS
 set ip next-hop 192.0.2.1
 set local-preference 200
 set community no-export
route-map BLACKHOLE permit 20
 ! routes without the trigger fall through to normal customer policy
router bgp 65001
 neighbor 10.0.0.2 route-map BLACKHOLE in
```
Customer Triggers Blackhole
```
ip route 203.0.113.5 255.255.255.255 Null0
route-map SET-BLACKHOLE permit 10
 set community 65001:666
router bgp 65002
 network 203.0.113.5 mask 255.255.255.255 route-map SET-BLACKHOLE
 ! the trigger community only reaches the provider if communities are sent
 neighbor 10.0.0.1 send-community
```
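Community handling is where a provider's policy engine meets untrusted customer input, so the parsing and the acceptance checks deserve to be explicit. The code below is an added example and not part of the original page: it parses standard communities (numeric and well-known names), maps them against the well-known values and the AS 65001 scheme from the table above, and performs the provider-side gate for a customer-triggered blackhole: the trigger community must be present, the prefix must be a host route, and it must fall inside the customer's own allocation. The trigger value 65001:666 is the page's; 65535:666 is the standard BLACKHOLE community from RFC 7999 and 65535:0 the GRACEFUL_SHUTDOWN community from RFC 8326. All sample inputs are constructed.

```python
import ipaddress

WELL_KNOWN = {
    (65535, 0): "GRACEFUL_SHUTDOWN",        # RFC 8326
    (65535, 666): "BLACKHOLE",              # RFC 7999
    (65535, 65281): "NO_EXPORT",
    (65535, 65282): "NO_ADVERTISE",
    (65535, 65283): "NO_EXPORT_SUBCONFED",  # shown as LOCAL_AS on Cisco
}

# The AS 65001 scheme from the table above (meaning is local to that AS).
LOCAL_SCHEME = {
    (65001, 100): "customer", (65001, 200): "peer", (65001, 300): "transit",
    (65001, 400): "internal", (65001, 1000): "primary", (65001, 2000): "secondary",
    (65001, 666): "blackhole-trigger", (65001, 9999): "blackhole",
}

_NAMES = {v: k for k, v in WELL_KNOWN.items()}
_NAMES["LOCAL_AS"] = (65535, 65283)


def parse_community(text):
    """'65001:100' -> (65001, 100); also accepts names such as no-export."""
    name = text.strip().upper().replace("-", "_")
    if name in _NAMES:
        return _NAMES[name]
    hi, lo = (int(part) for part in text.split(":"))
    if not (0 <= hi <= 65535 and 0 <= lo <= 65535):
        raise ValueError(f"community out of range: {text}")
    return hi, lo


def describe(communities):
    """Human-readable labels for a route's community list."""
    out = []
    for c in communities:
        t = parse_community(c)
        out.append(WELL_KNOWN.get(t) or LOCAL_SCHEME.get(t) or f"unknown {t[0]}:{t[1]}")
    return out


def validate_blackhole(prefix, communities, customer_allocations, trigger=(65001, 666)):
    """Provider-side gate before honouring a customer RTBH announcement.
    Returns (accepted, reason). Accepts the provider trigger or RFC 7999 BLACKHOLE."""
    tags = {parse_community(c) for c in communities}
    if trigger not in tags and (65535, 666) not in tags:
        return False, "no blackhole community"
    net = ipaddress.ip_network(prefix)
    if net.prefixlen != net.max_prefixlen:
        return False, "blackhole must be a host route (/32 or /128)"
    allocs = [ipaddress.ip_network(a) for a in customer_allocations]
    if not any(a.version == net.version and net.subnet_of(a) for a in allocs):
        return False, "prefix is outside the customer's allocations"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed customer announcement: AS 65002 owns 203.0.113.0/24
    allocations = ["203.0.113.0/24"]
    print(describe(["65001:100", "no-export", "65535:666"]))
    for pfx, comms in [("203.0.113.5/32", ["65001:666"]),
                       ("203.0.113.0/24", ["65001:666"]),
                       ("198.51.100.7/32", ["65001:666"]),
                       ("203.0.113.5/32", ["65001:100"])]:
        print(pfx, comms, validate_blackhole(pfx, comms, allocations))
```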
Convergence Optimization
1. Timers
Adjust BGP timers for faster failure detection.
Cisco
```
router bgp 65001
 neighbor 10.0.0.2 timers 10 30
 ! Keepalive 10s, Holdtime 30s (default 60/180)
```
Recommendations
- iBGP: 10/30 (faster convergence)
- eBGP direct: 10/30 or 3/9 (very fast)
- eBGP multi-hop: 60/180 (default, more stable)
- Internet peers: 30/90 (balance)
2. BFD (Bidirectional Forwarding Detection)
Sub-second failure detection for BGP sessions.
Cisco
```
interface GigabitEthernet0/0
 bfd interval 50 min_rx 50 multiplier 3
router bgp 65001
 neighbor 10.0.0.2 fall-over bfd
```
Juniper
```
protocols {
    bgp {
        group external {
            bfd-liveness-detection {
                minimum-interval 50;
                multiplier 3;
            }
        }
    }
}
```
Benefits
- Detects failures in milliseconds vs. seconds
- Offloads detection to hardware
- Works with any routing protocol
- Reduces convergence time dramatically
3. Fast External Failover
Tear down eBGP sessions immediately when interface goes down.
Cisco
```
router bgp 65001
 bgp fast-external-fallover
 ! Enabled by default
```
When to Disable
- Using BFD instead
- Interface flapping issues
- Multi-hop eBGP sessions
Scalability
1. Route Reflection
Scale iBGP without full mesh.
Route Reflector Configuration (Cisco)
```
router bgp 65001
 neighbor 10.255.0.10 remote-as 65001
 neighbor 10.255.0.10 route-reflector-client
```
Best Practices
- Use at least 2 route reflectors for redundancy
- Place RRs centrally for optimal topology
- Use cluster IDs to prevent loops
- Monitor RR CPU and memory usage
Cluster ID
```
router bgp 65001
 bgp cluster-id 10.255.255.1
```
2. Confederation
Alternative to route reflection for very large networks.
Cisco
```
router bgp 65001
 bgp confederation identifier 65000
 bgp confederation peers 65002 65003
```
When to Use
- Very large AS (1000+ routers)
- Administrative boundaries within AS
- Migration from separate ASes
3. Peer Groups
Simplify configuration for neighbors with common policies.
Cisco
```
router bgp 65001
 neighbor CUSTOMERS peer-group
 neighbor CUSTOMERS remote-as 65002
 neighbor CUSTOMERS prefix-list CUSTOMER-IN in
 neighbor CUSTOMERS prefix-list OWN-PREFIXES out
 neighbor 10.0.0.2 peer-group CUSTOMERS
 neighbor 10.0.0.3 peer-group CUSTOMERS
```
Juniper
```
protocols {
    bgp {
        group customers {
            type external;
            import CUSTOMER-IN;
            export OWN-PREFIXES;
            neighbor 10.0.0.2 {
                peer-as 65002;
            }
            neighbor 10.0.0.3 {
                peer-as 65003;
            }
        }
    }
}
```
Security Hardening
1. TTL Security Check
Already covered above - prevents spoofed packets.
2. Maximum Prefixes
Already covered - prevents route leaks.
3. Prefix Length Filtering
Prevent too-specific routes from being accepted.
Cisco
```
ip prefix-list MAX-LENGTH deny 0.0.0.0/0 ge 25
ip prefix-list MAX-LENGTH permit 0.0.0.0/0 le 24
router bgp 65001
 neighbor 10.0.0.1 prefix-list MAX-LENGTH in
```
Recommended Maximums
- From customers: /24 (IPv4), /48 (IPv6)
- From peers: /24 (IPv4), /48 (IPv6)
- From transit: /24 (IPv4), /48 (IPv6)
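Prefix-list semantics (exact match by default, ge/le widening the accepted length range, first match wins, implicit deny at the end) are easy to misread, and a mistake in CUSTOMER-IN, BOGONS or MAX-LENGTH is only discovered when a route is silently dropped or accepted. The evaluator below is an added example, not the page's own code: it parses Cisco-style ip prefix-list lines (PAGE_CONFIG reproduces a subset of the lists shown in the inbound-filtering, bogon and prefix-length sections above), applies the match rules, and reports which entry decided each prefix so a filter can be unit-tested offline. It also combines BOGONS and MAX-LENGTH to show the effect a merged list would have; IOS itself accepts only one inbound prefix list per neighbor.

```python
import ipaddress
import re

# Copied from the lists shown on this page (BOGONS abbreviated to three entries).
PAGE_CONFIG = """
ip prefix-list CUSTOMER-IN seq 10 permit 192.0.2.0/24
ip prefix-list CUSTOMER-IN seq 20 permit 198.51.100.0/24
ip prefix-list CUSTOMER-IN seq 30 deny 0.0.0.0/0 le 32
ip prefix-list BOGONS seq 10 deny 0.0.0.0/8 le 32
ip prefix-list BOGONS seq 20 deny 10.0.0.0/8 le 32
ip prefix-list BOGONS seq 70 deny 192.168.0.0/16 le 32
ip prefix-list BOGONS seq 120 permit 0.0.0.0/0 le 32
ip prefix-list MAX-LENGTH deny 0.0.0.0/0 ge 25
ip prefix-list MAX-LENGTH permit 0.0.0.0/0 le 24
"""

ENTRY_RE = re.compile(
    r"^ip prefix-list (?P<name>\S+)(?: seq (?P<seq>\d+))? (?P<action>permit|deny) "
    r"(?P<prefix>\S+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$"
)


def parse_prefix_lists(config_text):
    """Return {name: [(seq, action, network, ge, le), ...]} sorted by seq.
    Entries without a seq get the next multiple of 5, as IOS does."""
    lists, last_seq = {}, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"not a prefix-list entry: {line}")
        name = m["name"]
        seq = int(m["seq"]) if m["seq"] else last_seq.get(name, 0) + 5
        last_seq[name] = max(seq, last_seq.get(name, 0))
        ge = int(m["ge"]) if m["ge"] else None
        le = int(m["le"]) if m["le"] else None
        entry = (seq, m["action"], ipaddress.ip_network(m["prefix"]), ge, le)
        lists.setdefault(name, []).append(entry)
    for entries in lists.values():
        entries.sort(key=lambda e: e[0])
    return lists


def entry_matches(route, entry):
    """Cisco semantics: the route's leading bits must equal the entry's network and
    its length must be exact (no ge/le), in [ge, 32] (ge only), in [prefixlen, le]
    (le only) or in [ge, le] (both)."""
    _, _, net, ge, le = entry
    if route.version != net.version or route.prefixlen < net.prefixlen:
        return False
    if int(route.network_address) & int(net.netmask) != int(net.network_address):
        return False
    low = ge if ge is not None else net.prefixlen
    high = le if le is not None else (route.max_prefixlen if ge is not None else net.prefixlen)
    return low <= route.prefixlen <= high


def evaluate(entries, prefix):
    """Return ('permit'|'deny', seq of the deciding entry, or None for the implicit deny)."""
    route = ipaddress.ip_network(prefix)
    for entry in entries:
        if entry_matches(route, entry):
            return entry[1], entry[0]
    return "deny", None


def inbound_decision(lists, prefix):
    """Combined effect of BOGONS and MAX-LENGTH: a route must pass both."""
    verdicts = {name: evaluate(lists[name], prefix) for name in ("BOGONS", "MAX-LENGTH")}
    accepted = all(v[0] == "permit" for v in verdicts.values())
    return accepted, verdicts


if __name__ == "__main__":
    lists = parse_prefix_lists(PAGE_CONFIG)
    for pfx in ("203.0.113.0/24", "203.0.113.0/25", "10.1.0.0/16", "192.168.1.0/24"):
        print(pfx, inbound_decision(lists, pfx))
```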
4. Private AS Removal
Strip private ASNs before advertising to Internet.
Cisco
```
router bgp 65001
 neighbor 10.0.0.1 remove-private-as all
```
Juniper
```
protocols {
    bgp {
        group transit {
            remove-private;
        }
    }
}
```
5. BGP Session Encryption
Modern authentication and encryption for high-security environments.
TCP-AO (Recommended)
See the "Authentication" section above for the full TCP-AO configuration. TCP-AO provides:
- HMAC-SHA-256 or stronger algorithms
- Key rollover support
- Protection against replay attacks
- Better scalability
IPsec for Maximum Security
```
! Run BGP over an IPsec tunnel (IKEv1 policy shown)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Pre-shared key for the peer; <PRE-SHARED-KEY> is a placeholder
crypto isakmp key <PRE-SHARED-KEY> address 10.0.0.2
crypto ipsec transform-set STRONG-ENCRYPT esp-aes 256 esp-sha256-hmac
! Select only the BGP session itself (TCP/179 in both directions)
ip access-list extended BGP-TRAFFIC
 permit tcp host 10.0.0.1 host 10.0.0.2 eq 179
 permit tcp host 10.0.0.1 eq 179 host 10.0.0.2
crypto map BGP-CRYPTO 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set STRONG-ENCRYPT
 match address BGP-TRAFFIC
interface GigabitEthernet0/0
 crypto map BGP-CRYPTO
```
Migration Path: MD5 → TCP-AO → IPsec (for highest security requirements)
Monitoring and Troubleshooting
1. Essential Show Commands
Cisco
```
show ip bgp summary
show ip bgp neighbors 10.0.0.2
show ip bgp 192.0.2.0/24
show ip bgp regexp _65002$
show ip route bgp
```
Juniper
```
show bgp summary
show bgp neighbor 10.0.0.2
show route protocol bgp
show route advertising-protocol bgp 10.0.0.2
show route receive-protocol bgp 10.0.0.2
```
2. Logging
Enable BGP logging for troubleshooting.
Cisco
```
router bgp 65001
 bgp log-neighbor-changes
```
Syslog Messages to Monitor
- Neighbor up/down events
- Maximum prefix threshold exceeded
- AS path loops detected
- Update errors
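Turning the "messages to monitor" list into something that pages an operator means parsing the syslog stream and correlating events per neighbor, so that one session that bounces twice in a few minutes or hits its prefix limit is flagged instead of buried. The script below is an added example and not part of the original page; the SAMPLE_LOG lines are constructed in the shape of IOS BGP syslog messages (ADJCHANGE, MAXPFX, MAXPFXEXCEED, NOTIFICATION) and the flap threshold is this example's own parameter.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines modelled on IOS BGP syslog formats.
SAMPLE_LOG = """\
Jan 15 10:00:01 rtr1 %BGP-5-ADJCHANGE: neighbor 10.0.0.2 Up
Jan 15 10:05:12 rtr1 %BGP-4-MAXPFX: Number of prefixes received from 10.0.0.2 (afi 0) reaches 80, max 100
Jan 15 10:05:40 rtr1 %BGP-3-MAXPFXEXCEED: Number of prefixes received from 10.0.0.2 (afi 0): 101 exceeds limit 100
Jan 15 10:05:41 rtr1 %BGP-5-ADJCHANGE: neighbor 10.0.0.2 Down Peer over prefix limit
Jan 15 10:06:30 rtr1 %BGP-5-ADJCHANGE: neighbor 10.0.0.2 Up
Jan 15 10:07:02 rtr1 %BGP-5-ADJCHANGE: neighbor 10.0.0.2 Down Peer over prefix limit
Jan 15 10:08:15 rtr1 %BGP-5-ADJCHANGE: neighbor 10.0.1.1 Down Hold Timer expired
Jan 15 10:09:00 rtr1 %BGP-3-NOTIFICATION: sent to neighbor 10.0.1.1 4/0 (hold time expired) 0 bytes
"""

ADJ_RE = re.compile(r"%BGP-5-ADJCHANGE: neighbor (\S+) (Up|Down)(?: (.*))?$")
MAXPFX_RE = re.compile(r"%BGP-(?:4-MAXPFX|3-MAXPFXEXCEED): Number of prefixes received from (\S+)")
NOTIF_RE = re.compile(r"%BGP-3-NOTIFICATION: (?:sent to|received from) neighbor (\S+)")


def analyse(log_text, flap_threshold=2):
    """Correlate BGP syslog lines per neighbor and return counts plus alert strings."""
    downs = Counter()
    reasons = defaultdict(set)
    maxpfx = set()
    notifications = Counter()
    for line in log_text.splitlines():
        if m := ADJ_RE.search(line):
            nbr, state, reason = m.groups()
            if state == "Down":
                downs[nbr] += 1
                reasons[nbr].add(reason or "unknown")
        elif m := MAXPFX_RE.search(line):
            maxpfx.add(m.group(1))
        elif m := NOTIF_RE.search(line):
            notifications[m.group(1)] += 1

    alerts = []
    for nbr, count in sorted(downs.items()):
        if count >= flap_threshold:
            alerts.append(f"{nbr}: session went down {count} times ({', '.join(sorted(reasons[nbr]))})")
    for nbr in sorted(maxpfx):
        # A limit being hit is a leak indicator first; raising the limit is the last resort
        alerts.append(f"{nbr}: prefix limit threshold or limit reached; check for a route leak")
    return {
        "downs": dict(downs),
        "maxpfx": sorted(maxpfx),
        "notifications": dict(notifications),
        "alerts": alerts,
    }


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG)["alerts"]:
        print(alert)
```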
3. Route Dampening
Suppress flapping routes to improve stability.
Cisco
```
router bgp 65001
 bgp dampening 15 750 2000 60
 ! half-life, reuse, suppress, max-suppress-time
```
Best Practices
- Use conservative values
- Don’t apply to customer routes
- Monitor suppressed routes
- Consider disabling (many operators do)
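The four dampening numbers interact in a way that is hard to picture from the command line: each flap adds a fixed penalty, the penalty halves every half-life, a route is suppressed once the penalty exceeds the suppress limit and released once it decays below the reuse limit, and max-suppress-time caps the penalty at reuse × 2^(max-suppress / half-life). The simulation below is an added example, not code from the page: it uses the page's values (15, 750, 2000, 60), a 1000-point penalty per flap as on Cisco, and constructed flap timings, and reports the minutes at which a route is suppressed and reused.

```python
from collections import Counter

FLAP_PENALTY = 1000  # Cisco adds 1000 per flap


class Dampening:
    def __init__(self, half_life=15, reuse=750, suppress=2000, max_suppress=60):
        self.half_life = half_life        # minutes
        self.reuse = reuse
        self.suppress = suppress
        self.max_suppress = max_suppress  # minutes
        # Largest penalty that still decays below reuse within max-suppress-time
        self.max_penalty = reuse * 2 ** (max_suppress / half_life)

    def simulate(self, flap_minutes, horizon):
        """Step minute by minute; return [(minute, 'suppressed'|'reused', penalty), ...]."""
        factor = 2 ** (-1 / self.half_life)   # per-minute exponential decay
        flaps = Counter(flap_minutes)
        penalty, suppressed, events = 0.0, False, []
        for t in range(horizon + 1):
            if t:
                penalty *= factor
            if flaps[t]:
                penalty = min(penalty + FLAP_PENALTY * flaps[t], self.max_penalty)
            if not suppressed and penalty > self.suppress:
                suppressed = True
                events.append((t, "suppressed", round(penalty)))
            elif suppressed and penalty < self.reuse:
                suppressed = False
                events.append((t, "reused", round(penalty)))
        return events


def three_quick_flaps():
    """Three flaps in three minutes with the page's parameters."""
    return Dampening().simulate([0, 1, 2], horizon=90)


def flap_storm():
    """Twenty flaps at once: the penalty is capped, so reuse is bounded by max-suppress-time."""
    return Dampening().simulate([0] * 20, horizon=120)


if __name__ == "__main__":
    d = Dampening()
    print("penalty ceiling:", d.max_penalty)
    print("three quick flaps:", three_quick_flaps())
    print("flap storm:", flap_storm())
```

With the page's values, three flaps in three minutes cross the suppress limit on the third flap and the route stays suppressed for roughly half an hour; a storm of flaps is capped at 12000 points and released after about an hour, which is the max-suppress-time at work.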
4. Soft Reconfiguration
Store unmodified routes for policy changes.
Cisco
```
router bgp 65001
 neighbor 10.0.0.2 soft-reconfiguration inbound
```
Alternative: Route refresh (less memory)
```
clear ip bgp 10.0.0.2 soft in
```
IPv6 BGP
Configuration Differences
Cisco - Separate Address Family
```
router bgp 65001
 neighbor 2001:db8::2 remote-as 65002
 address-family ipv6
  neighbor 2001:db8::2 activate
  network 2001:db8::/32
 exit-address-family
```
Juniper - Family inet6
```
protocols {
    bgp {
        group ipv6-peers {
            family inet6 {
                unicast;
            }
            neighbor 2001:db8::2;
        }
    }
}
```
IPv6-Specific Considerations
- Filter bogons: Similar to IPv4 but different ranges
- Prefix lengths: /48 typical minimum, /32 for allocations
- Next-hop: Link-local or global (link-local preferred)
- MTU: Watch for fragmentation issues
Common Mistakes to Avoid
1. No Prefix Filtering
- Problem: Accept all routes, vulnerable to leaks
- Solution: Always filter inbound and outbound
2. Trusting Default Routes from Customers
- Problem: Customers shouldn't send you default
- Solution: Explicit prefix lists, deny 0.0.0.0/0
3. No Maximum Prefix Limits
- Problem: Route table explosion from leaks
- Solution: Set conservative limits with warnings
4. Weak or No Authentication
- Problem: BGP session hijacking, man-in-the-middle attacks
- Solution: Use TCP-AO with HMAC-SHA-256 minimum; avoid MD5 (cryptographically broken)
5. Not Using Loopbacks for iBGP
- Problem: Sessions flap when links fail
- Solution: Always peer iBGP via loopbacks
6. Over-prepending
- Problem: Prepending 10+ times looks suspicious
- Solution: Use 2-4 prepends maximum
7. Advertising Too-Specific Prefixes
- Problem: Pollutes global routing table
- Solution: Aggregate when possible, /24 minimum
8. Ignoring Communities
- Problem: Missing powerful policy tool
- Solution: Implement community tagging scheme
9. No Monitoring
- Problem: Issues go unnoticed
- Solution: Monitor neighbors, prefixes, paths
10. Forgetting to Document
- Problem: Nobody knows why configs exist
- Solution: Document every policy decision
RPKI (Resource Public Key Infrastructure)
ROA (Route Origin Authorization)
Validate route origins using RPKI.
Cisco IOS-XR
```
router bgp 65001
 rpki server 192.0.2.1
  transport tcp port 323
 !
 address-family ipv4 unicast
  bgp origin-as validation enable
```
Route Validation States
- Valid: Origin AS matches ROA
- Invalid: Origin AS doesn't match ROA
- Not Found: No ROA exists
Policy Based on Validation
```
route-policy RPKI
  if validation-state is invalid then
    set local-preference 10
  elseif validation-state is valid then
    set local-preference 200
  else
    set local-preference 100
  endif
end-policy
```
Benefits
- Prevents route hijacking
- Validates route origins
- Improves Internet security
- Free and automated
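The three validation states follow a precise rule (RFC 6811): a ROA covers a route when the route's prefix lies within the ROA prefix; the route is Valid if at least one covering ROA has the same origin AS and a maxLength no shorter than the route, Invalid if covering ROAs exist but none matches, and Not Found if nothing covers it. The code below is an added example, not the page's or the router's implementation: it applies that rule to a constructed ROA set (SAMPLE_ROAS) and maps the result to the local-preference values used in the route-policy above. An AS 0 ROA, which marks a prefix that no AS may originate (RFC 6483), is handled as Invalid.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str
    max_length: int
    asn: int            # 0 means "no AS may originate this prefix" (RFC 6483)


def validate_origin(prefix, origin_as, roas):
    """RFC 6811 Route Origin Validation: returns 'valid', 'invalid' or 'notfound'."""
    route = ipaddress.ip_network(prefix)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == route.version and route.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "notfound"
    for roa in covering:
        # AS 0 never matches, so an AS 0 ROA makes every covered route Invalid
        if roa.asn != 0 and roa.asn == origin_as and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def local_pref_for(state):
    """Same mapping as the route-policy RPKI shown above."""
    return {"valid": 200, "invalid": 10}.get(state, 100)


def evaluate_updates(updates, roas):
    """Return [(prefix, origin_as, state, local_pref), ...] for a list of received routes."""
    out = []
    for prefix, origin_as in updates:
        state = validate_origin(prefix, origin_as, roas)
        out.append((prefix, origin_as, state, local_pref_for(state)))
    return out


# Constructed ROAs: 65001 may announce 203.0.113.0/24 only as a /24, 65002 may
# announce 198.51.100.0/24 down to /25s, and 192.0.2.0/24 must not be announced at all.
SAMPLE_ROAS = [
    ROA("203.0.113.0/24", 24, 65001),
    ROA("198.51.100.0/24", 25, 65002),
    ROA("192.0.2.0/24", 24, 0),
]

# Constructed received routes: (prefix, origin AS)
SAMPLE_UPDATES = [
    ("203.0.113.0/24", 65001),   # legitimate
    ("203.0.113.0/25", 65001),   # right AS, too specific: invalid
    ("203.0.113.0/24", 65666),   # wrong origin: invalid
    ("198.51.100.128/25", 65002),
    ("10.10.0.0/16", 65001),     # no ROA: notfound
    ("192.0.2.0/24", 65001),     # AS 0 ROA: invalid
]

if __name__ == "__main__":
    for row in evaluate_updates(SAMPLE_UPDATES, SAMPLE_ROAS):
        print(row)
```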
Graceful Shutdown
Properly Decommission BGP Sessions
Cisco
```
router bgp 65001
 neighbor 10.0.0.2 shutdown graceful 300
 ! Drains traffic for 5 minutes before shutdown
```
Set Community to Signal Planned Shutdown
```
route-map GRACEFUL-SHUTDOWN permit 10
 ! GRACEFUL_SHUTDOWN well-known community 65535:0 (RFC 8326); keep existing communities
 set community 65535:0 additive
router bgp 65001
 neighbor 10.0.0.1 send-community
 neighbor 10.0.0.1 route-map GRACEFUL-SHUTDOWN out
```
Benefits
- Traffic shifts before session down
- Reduces packet loss
- Allows gradual migration
Conclusion
BGP is complex and unforgiving. Follow these best practices to ensure:
- Security: Filter, authenticate, limit
- Stability: Conservative timers, dampening, monitoring
- Scalability: Route reflection, peer groups, aggregation
- Performance: BFD, optimized policies, proper attributes
Key Principles
- Filter everything (bogons, prefixes, AS paths)
- Authenticate all sessions
- Set maximum prefix limits
- Document all policies
- Monitor continuously
- Test changes in lab first
- Have rollback plans
- Keep configs consistent
Remember: BGP mistakes can affect not just your network, but the entire Internet. Take time to understand what you’re configuring and why.