Restricting the Number of Routes Advertised to a BGP Peer
Problem
You want to control the number of routes that your peers send you.
Solution
Set the maximum number of routes that you will accept from each of your peers:
[edit protocols bgp group session-to-AS65505 neighbor 10.0.31.1 ]
aviva@RouterF# set family inet unicast prefix-limit maximum 7500
aviva@RouterF# set family inet unicast prefix-limit teardown
Discussion
As an ISP, you keep track of how many routes each of your peers and customers normally sends you. This number generally increases slowly over time. To place a limit on the number of routes a peer or customer can send you, set a maximum number of routes to accept. This administrative policy guards against an inadvertent policy misconfiguration at the remote end, which, in the worst case, results in a peer or customer redistributing the full Internet routing table to you, and it protects your router's memory and routing table from that flood. You decide on the maximum number of prefixes you accept based on the normal number of routes exchanged with the peer. Typically, you take the current number of routes exchanged and add about 50 percent. The maximum statement by itself only logs a warning when the limit is crossed; the teardown statement is what makes BGP tear down the session with the peer when the limit is reached.
In this recipe, we know that neighbor 10.0.31.1 typically sends 5,000 prefixes, so we set the limit to 7,500 prefixes. If the peer then tries to send the entire Internet routing table (on the order of 170,000 prefixes at the time of writing), BGP on the local router shuts down the peering session with the neighbor. This shutdown tells both you and the peer that something has gone wrong at their end.
To verify the configuration, look at the BGP neighbors information:
aviva@RouterF> show bgp neighbor 10.0.31.1
Peer: 10.0.31.1+4051 AS 65505 Local: 10.0.31.2+179 AS 65500
Description: EBGP to Customer A
Type: External State: Established Flags:
Address families configured: inet-unicast
Holdtime: 90 Preference: 170
Number of flaps: 2
Peer ID: 192.168.14.1 Local ID: 192.168.16.1 Active Holdtime: 90
Keepalive Interval: 30 Peer index: 0
Local Interface: t1-0/0/3.0
NLRI
advertised by peer: inet-unicast
NLRI for this session: inet-unicast
Peer supports Refresh capability (2)
Table inet.0 Bit: 10000
RIB State: BGP restart is complete
Send state: in sync
Active prefixes: 5
Received prefixes: 8
Suppressed due to damping: 0
Advertised prefixes: 8
Last traffic (seconds): Received 3 Sent 28 Checked 28
Input messages: Total 253 Updates 4 Refreshes 0 Octets 4967
Output messages: Total 261 Updates 12 Refreshes 0 Octets 5411
Output Queue[0]: 0
When a prefix limit is configured, the Options line of the show bgp neighbor output includes PrefixLimit (that line does not appear in the excerpt above). When the prefix limit is reached and the EBGP session is torn down, a message is logged to the system logging files:
Aug 6 22:19:21 M20-R7 rpd[2254]: 10.1.6.2 (External AS 65501): Configured maximum prefix-limit(10) exceeded for inet-unicast nlri: 13
If you want some advance warning that the peer is nearing the maximum number of prefixes you will accept from it, you can have BGP log a message when the peer has sent some percentage of the maximum allowed prefixes. The percentage is given as an argument to the teardown statement; the session itself is still torn down only when the full maximum is reached. The following example uses a percentage that is about halfway between the normal number of prefixes and the maximum (85 percent of 7,500 is 6,375 prefixes):
[edit protocols bgp group session-to-AS65505 neighbor 10.0.31.1 ]
aviva@RouterF# set family inet unicast prefix-limit teardown 85
After the session is torn down, it is re-established a short time later. In most cases, this behavior is fine. You might want to force the session to stay down for a fixed amount of time to give you time to investigate what might be causing the prefix overflow or to contact the administrator of the remote AS. The idle-timeout option is a suboption of teardown and is specified in minutes, not seconds. This command keeps the session down for 5 minutes:
[edit protocols bgp group session-to-AS65505 neighbor 10.0.31.1 ]
aviva@RouterF# set family inet unicast prefix-limit teardown idle-timeout 5
Under extreme conditions, you might want the session to stay down until you manually restart it:
[edit protocols bgp group session-to-AS65505 neighbor 10.0.31.1 ]
aviva@RouterF# set family inet unicast prefix-limit teardown idle-timeout forever
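To show the sizing rule from the Discussion, the warning percentage, and the rpd teardown log message in working form, here is an added Python example; it is not code from the JUNOS Cookbook. It derives the maximum and the warning percentage from a peer's normal prefix count, renders the corresponding set commands (with idle-timeout under teardown, in minutes), and pulls prefix-limit teardown events out of syslog lines. The function names, the RouterF log lines (the first sample line is the one quoted above, the other two are constructed) and the process IDs are assumptions made for the example.

```python
import math
import re
from dataclasses import dataclass

# Matches the rpd syslog message Junos logs when a neighbor exceeds its
# configured prefix-limit (format taken from the message quoted in the recipe).
PREFIX_LIMIT_RE = re.compile(
    r"rpd\[\d+\]: (?P<peer>[0-9a-fA-F.:]+) "
    r"\((?P<kind>External|Internal) AS (?P<asn>\d+)\): "
    r"Configured maximum prefix-limit\((?P<limit>\d+)\) exceeded for "
    r"(?P<nlri>[\w-]+) nlri: (?P<count>\d+)"
)


@dataclass(frozen=True)
class PrefixLimitEvent:
    peer: str
    asn: int
    nlri: str
    limit: int
    received: int

    @property
    def overshoot(self) -> float:
        """How far past the limit the peer went, as a ratio (13/10 -> 1.3)."""
        return self.received / self.limit


def parse_prefix_limit_events(log_lines):
    """Return a PrefixLimitEvent for every line that is a prefix-limit teardown."""
    events = []
    for line in log_lines:
        m = PREFIX_LIMIT_RE.search(line)
        if m:
            events.append(PrefixLimitEvent(
                peer=m["peer"], asn=int(m["asn"]), nlri=m["nlri"],
                limit=int(m["limit"]), received=int(m["count"])))
    return events


def size_prefix_limit(normal_prefixes, headroom=0.5):
    """Apply the recipe's rule of thumb (hypothetical helper).

    maximum     = normal count plus 50 percent headroom
    warning_pct = percentage of maximum that lies halfway between the
                  normal count and the maximum, where logging should start
    """
    maximum = math.ceil(normal_prefixes * (1 + headroom))
    halfway = (normal_prefixes + maximum) / 2
    warning_pct = round(100 * halfway / maximum)
    return maximum, warning_pct


def junos_prefix_limit_commands(group, neighbor, normal_prefixes, idle_minutes=5):
    """Render the Junos set commands for the computed limit.

    idle-timeout is a suboption of teardown and is given in minutes.
    """
    maximum, warning_pct = size_prefix_limit(normal_prefixes)
    prefix = (f"set protocols bgp group {group} neighbor {neighbor} "
              "family inet unicast prefix-limit")
    return [
        f"{prefix} maximum {maximum}",
        f"{prefix} teardown {warning_pct} idle-timeout {idle_minutes}",
    ]


# Constructed sample syslog excerpt: line 1 is the message quoted in the
# recipe; lines 2 and 3 are made up to show a second match and a non-match.
SAMPLE_LOG = [
    "Aug  6 22:19:21 M20-R7 rpd[2254]: 10.1.6.2 (External AS 65501): "
    "Configured maximum prefix-limit(10) exceeded for inet-unicast nlri: 13",
    "Aug  6 22:25:02 RouterF rpd[3110]: 10.0.31.1 (External AS 65505): "
    "Configured maximum prefix-limit(7500) exceeded for inet-unicast nlri: 7501",
    "Aug  6 22:25:03 RouterF mgd[4021]: UI_COMMIT: User 'aviva' requested "
    "'commit' operation",
]

if __name__ == "__main__":
    for ev in parse_prefix_limit_events(SAMPLE_LOG):
        print(f"{ev.peer} AS{ev.asn}: {ev.received}/{ev.limit} {ev.nlri} "
              f"prefixes ({ev.overshoot:.2f}x limit)")
    print("\n".join(
        junos_prefix_limit_commands("session-to-AS65505", "10.0.31.1", 5000)))
```

For the recipe's 5,000-prefix customer the helper yields a maximum of 7,500 and a warning threshold of 83 percent (6,250 prefixes), which is the exact halfway point the text approximates with 85. The regular expression is the part worth reusing in a syslog pipeline: a match on it is a clean trigger for a ticket to the remote AS, and the overshoot ratio tells you at a glance whether the peer leaked a few extra routes or a full table.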
Use the clear bgp neighbor command to restart the session:
aviva@RouterF> clear bgp neighbor 10.0.31.1
Cleared 1 connections
After the session is reestablished, the Error line in the show bgp neighbor output reports Cease to indicate that the session was cleared:
aviva@RouterF> show bgp neighbor 10.0.31.1
Peer: 10.0.31.1 AS 65505 Local: 10.0.31.2 AS 0
Description: EBGP to Customer A
Type: External State: Active Flags: <>
Last State: Idle Last Event: Start
Last Error: Cease
Export: [ send-statics ]
Options:
Address families configured: inet-unicast
Holdtime: 90 Preference: 170
Number of flaps: 3
Error: Cease Sent: 1 Recv: 0
…
See Also
Recipe 13.15