Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

BGP Session Startup (Tuning this)

From the output below, you can see that on my two router network, either router can start the BGP session. The thing is, I only want one router (ATM-BB) to be able to start the session, ie open a TCP session to port 179. I dont ever want the other router (TEST2) to start a TCP session with a destination port of 179.

So, the only way I figure I can do this is by putting an inbound ACL on the ATM-BB router and it works fine (Config below)

Question is, is this what you have to do to make this work or is there an equiv of an DLSW Passive command for BGP? and, what is the criteria, for who starts the session first, say, no ACL is applied and you do a clear ip bgp (must be sommat to do with the active timer or sommat)

Many thx indeed,

Ken

Config on ATM-BB Router

-----------------------

!

interface FastEthernet1

ip address 200.201.1.1 255.255.255.0

ip access-group 111 in

!

router bgp 253

neighbor 200.201.1.2 remote-as 5

!

access-list 111 deny tcp any any eq bgp

access-list 111 permit ip any any

Config on TEST2 Router

----------------------

!

interface FastEthernet1

ip address 200.201.1.2 255.255.255.0

!

router bgp 5

neighbor 200.201.1.1 remote-as 253

Results with ACL, Test2 gets "access denied" when tring to start the BGP session and then by the syn-ack received

back on ATM-BB, you know that ATM-BB has sent the SYN and started the session.

ATM-BB#

ATM-BB#

ATM-BB#

ATM-BB#

00:53:26: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 44, access denie d

00:53:26: TCP src=11017, dst=179, seq=2342290847, ack=0, win=16384 SYN

ATM-BB#

ATM-BB#

ATM-BB#

ATM-BB#

ATM-BB#

ATM-BB#

ATM-BB#

ATM-BB#

00:53:40: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1 (FastEthernet1), len 44, rcvd 3

00:53:40: TCP src=179, dst=11018, seq=1245489616, ack=2525366980,

win=16384

ACK SYN

00:53:40: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 85, rcvd 0

00:53:40: TCP src=179, dst=11018, seq=1245489617, ack=2525367025,

win=16339

ACK PSH

00:53:40: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 59, rcvd 0

00:53:40: TCP src=179, dst=11018, seq=1245489662, ack=2525367044,

win=16320

ACK PSH

00:53:40: %BGP-5-ADJCHANGE: neighbor 200.201.1.2 Up

00:53:40: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 59, rcvd 0

00:53:40: TCP src=179, dst=11018, seq=1245489681, ack=2525367108,

win=16256

ACK PSH

00:53:40: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 40, rcvd 0

00:53:40: TCP src=179, dst=11018, seq=1245489700, ack=2525367146,

win=16218

ACK

ATM-BB#

ATM-BB#

ATM-BB#

********Router TEST2 starts the BGP session********************** ATM-BB# ATM-BB#

00:11:26: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 44, rcvd 0

00:11:26: TCP src=11005, dst=179, seq=3186708026, ack=0, win=16384 SYN

00:11:26: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 40, rcvd 0

00:11:26: TCP src=11005, dst=179, seq=3186708027, ack=243242607,

win=16384 A

CK

00:11:26: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 85, rcvd 0

00:11:26: TCP src=11005, dst=179, seq=3186708027, ack=243242607,

win=16384 A

CK PSH

00:11:26: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 59, rcvd 0

00:11:26: TCP src=11005, dst=179, seq=3186708072, ack=243242652,

win=16339 A

CK PSH

00:11:26: %BGP-5-ADJCHANGE: neighbor 200.201.1.2 Up

00:11:26: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 40, rcvd 0

00:11:26: TCP src=11005, dst=179, seq=3186708091, ack=243242671,

win=16320 A

CK

00:11:26: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 59, rcvd 0

00:11:26: TCP src=11005, dst=179, seq=3186708091, ack=243242773,

win=16218 A

CK PSH

ATM-BB#

ATM-BB#

ATM-BB#

ATM-BB#

00:12:27: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 59, rcvd 0

00:12:27: TCP src=11005, dst=179, seq=3186708110, ack=243242792,

win=16199 A

CK PSH

ATM-BB#

ATM-BB#

ATM-BB#

ATM-BB#

00:13:27: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 59, rcvd 0

00:13:27: TCP src=11005, dst=179, seq=3186708129, ack=243242811,

win=16180 A

CK PSH

00:13:27: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 111, rcvd 0

00:13:27: TCP src=11005, dst=179, seq=3186708148, ack=243242811,

win=16180 A

CK PSH

TEST2#

TEST2#

TEST2#

00:11:23: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2 (FastEthernet1), len 44, rcvd 3

00:11:23: TCP src=179, dst=11005, seq=243242606, ack=3186708027,

win=16384 A

CK SYN

00:11:23: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 85, rcvd 0

00:11:23: TCP src=179, dst=11005, seq=243242607, ack=3186708072,

win=16339 A

CK PSH

00:11:23: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 59, rcvd 0

00:11:23: TCP src=179, dst=11005, seq=243242652, ack=3186708091,

win=16320 A

CK PSH

00:11:23: %BGP-5-ADJCHANGE: neighbor 200.201.1.1 Up

00:11:23: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 142, rcvd 0

00:11:23: TCP src=179, dst=11005, seq=243242671, ack=3186708091,

win=16320 A

CK PSH

00:11:23: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 40, rcvd 0

00:11:23: TCP src=179, dst=11005, seq=243242773, ack=3186708110,

win=16301 A

CK

TEST2#

TEST2#

TEST2#

00:12:24: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 59, rcvd 0

00:12:24: TCP src=179, dst=11005, seq=243242773, ack=3186708110,

win=16301 A

CK PSH

00:12:24: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 40, rcvd 0

00:12:24: TCP src=179, dst=11005, seq=243242792, ack=3186708129,

win=16282 A

CK

TEST2#

TEST2#

TEST2#

TEST2#

TEST2#

TEST2#

TEST2#

TEST2#

00:13:24: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 59, rcvd 0

00:13:24: TCP src=179, dst=11005, seq=243242792, ack=3186708129,

win=16282 A

CK PSH

00:13:24: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 40, rcvd 0

00:13:24: TCP src=179, dst=11005, seq=243242811, ack=3186708148,

win=16263 A

CK

00:13:24: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 40, rcvd 0

00:13:24: TCP src=179, dst=11005, seq=243242811, ack=3186708219,

win=16192 A

CK

----------------------------------------------------------------------------

---------

********Router ATM-BB starts the BGP session********************** TEST2# TEST2# TEST2#

00:15:46: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 44, rcvd 0

00:15:46: TCP src=11004, dst=179, seq=1036704196, ack=0, win=16384 SYN

00:15:46: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 40, rcvd 0

00:15:46: TCP src=11004, dst=179, seq=1036704197, ack=3716649371,

win=16384

ACK

00:15:46: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 85, rcvd 0

00:15:46: TCP src=11004, dst=179, seq=1036704197, ack=3716649371,

win=16384

ACK PSH

00:15:46: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 59, rcvd 0

00:15:46: TCP src=11004, dst=179, seq=1036704242, ack=3716649416,

win=16339

ACK PSH

00:15:46: %BGP-5-ADJCHANGE: neighbor 200.201.1.1 Up

00:15:47: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 40, rcvd 0

00:15:47: TCP src=11004, dst=179, seq=1036704261, ack=3716649435,

win=16320

ACK

00:15:47: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 59, rcvd 0

00:15:47: TCP src=11004, dst=179, seq=1036704261, ack=3716649525,

win=16230

ACK PSH

00:16:47: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 59, rcvd 0

00:16:47: TCP src=11004, dst=179, seq=1036704280, ack=3716649525,

win=16230

ACK PSH

00:16:47: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 40, rcvd 0

00:16:47: TCP src=11004, dst=179, seq=1036704299, ack=3716649544,

win=16211

ACK

TEST2#

ATM-BB#

ATM-BB#

ATM-BB#

ATM-BB#

ATM-BB#

00:15:49: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1 (FastEthernet1), len

44, rcvd 3

00:15:49: TCP src=179, dst=11004, seq=3716649370, ack=1036704197,

win=16384

ACK SYN

00:15:49: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 85, rcvd 0

00:15:49: TCP src=179, dst=11004, seq=3716649371, ack=1036704242,

win=16339

ACK PSH

00:15:49: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 59, rcvd 0

00:15:49: TCP src=179, dst=11004, seq=3716649416, ack=1036704261,

win=16320

ACK PSH

00:15:49: %BGP-5-ADJCHANGE: neighbor 200.201.1.2 Up

00:15:50: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 130, rcvd 0

00:15:50: TCP src=179, dst=11004, seq=3716649435, ack=1036704261,

win=16320

ACK PSH

00:15:50: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 40, rcvd 0

00:15:50: TCP src=179, dst=11004, seq=3716649525, ack=1036704280,

win=16301

ACK

00:16:50: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 59, rcvd 0

00:16:50: TCP src=179, dst=11004, seq=3716649525, ack=1036704299,

win=16282

ACK PSH

ATM-BB#

  • Other Network Infrastructure Subjects
1 REPLY
Gold

Re: BGP Session Startup (Tuning this)

This is one way to do it, but there is another way.... If two BGP speakers start their sessions at the same time, and they both see it, they will both see the collision, and use the router ID to determine which session should drop, and which should be used. Looking at draft 22 of the BGP spec:

If a pair of BGP speakers try simultaneously to establish a BGP con-

nection to each other, then two parallel connections between this

pair of speakers might well be formed. If the source IP address used

by one of these connections is the same as the destination IP address

used by the other, and the destination IP address used by the first

connection is the same as the source IP address used by the other, we

refer to this situation as connection collision. Clearly in the

presence of connection collision, one of these connections MUST be

closed.

Based on the value of the BGP Identifier a convention is established

for detecting which BGP connection is to be preserved when a colli-

sion does occur. The convention is to compare the BGP Identifiers of

the peers involved in the collision and to retain only the connection

initiated by the BGP speaker with the higher-valued BGP Identifier.

This is in section 6.8, here:

http://www.ietf.org/internet-drafts/draft-ietf-idr-bgp4-22.txt

So, if you set the router which you always want to be the "active open" with a higher router ID, it should always wind up as the "active open" speaker. That doesn't mean that both won't initiate, but one of the first things in the FSM is to look for the collision, so both opens shouldn't survive very long.

Other than this, the use of an access list, as you've done above, is the only choice, as far as I know.

:-)

Russ.W

240
Views
0
Helpful
1
Replies
This widget could not be displayed.