Configuring and Verifying eBGP Between Directly Connected Neighbors (Best Path Selection Algorithm and Neighbor Relationships)
Introduction & Context
Ever found yourself in that late-night troubleshooting session, fiber patch panel humming away, and realize the only thing holding your WAN together is a couple of BGP sessions? That’s when you understand BGP isn’t just for massive ISPs—it’s foundational for any network with external connectivity: enterprises, cloud edges, SaaS providers, universities, you name it. eBGP (external Border Gateway Protocol) is the protocol that glues these networks together. It links your enterprise AS with your provider’s AS, enabling route exchange, redundancy, and policy enforcement. Whether dual-homing for uptime, leveraging cloud direct connects, or mitigating DDoS attacks, a reliable eBGP edge is essential.
For the CCNP 350-401 ENCOR exam—and in real-world ops—mastery of eBGP neighbor relationships, direct peering, and best path selection is non-negotiable. Direct eBGP peering (two routers in different ASes, directly connected) is the gold standard: it’s simple, secure, and straightforward to troubleshoot. And don’t assume eBGP is only for the “big guys”—every network that connects to anything external relies on it. Let’s dive into the technical essentials and practical scenarios you’ll need to ace both the exam and your next production change window.
BGP Fundamentals Recap
BGP is a path vector protocol managing routing between Autonomous Systems (ASes), each identified by an AS number (ASN). Originally 16-bit, ASNs are now 32-bit per RFC 4893, accommodating the explosion of edge and cloud networks.
BGP uses TCP port 179 for reliable session establishment. Always ensure firewalls and ACLs permit this port—blocked TCP/179 is a classic cause of session failures.
BGP Message Types:
- OPEN: Initiates a session, exchanging ASNs, router IDs, and optional authentication.
- UPDATE: Advertises/withdraws prefix information. Multiple prefixes can be included per UPDATE.
- NOTIFICATION: Signals errors, closes the session. Check error codes in debug output for rapid troubleshooting.
- KEEPALIVE: Maintains the session—sent periodically per the configured timer.
BGP Neighbor State Machine:
- Idle: No attempt to connect. Often due to config errors or admin shutdown.
- Connect: Trying to establish TCP. If unsuccessful, transitions to Active.
- Active: TCP connection attempts. If successful, moves to OpenSent.
- OpenSent: Sent OPEN, awaiting peer's OPEN.
- OpenConfirm: Both sides exchanged OPENs, waiting for KEEPALIVE.
- Established: Session up, routes exchanged.
Exam Tip: Stuck in Active or Connect? Check IP reachability, TCP/179, ASNs, and authentication. Established is the only “good” state.
Loop Prevention:
- AS_PATH: Each AS prepends its ASN to the path as the route is advertised. If a router sees its own ASN anywhere in the AS_PATH of an incoming update, it discards that update: this is BGP's built-in defense against routing loops between ASes.
- iBGP Split-Horizon Rule: Routes learned via iBGP are not advertised to other iBGP peers. That is why, in a larger network, every iBGP speaker must peer with every other one (a full mesh), or you bring route reflectors (or confederations) into the design to relay routes.
eBGP vs iBGP: Key Differences
Feature | eBGP | iBGP |
---|---|---|
Peers | Different ASes | Same AS |
Default TTL | 1 (directly connected) | 255 |
Loop Prevention | AS_PATH | Split-Horizon Rule |
Next-Hop Handling | Preserved | May require next-hop-self |
Full Mesh Required? | No | Yes, unless route reflectors/confederations used |
eBGP Neighbor Relationships
Direct eBGP peering means two routers—each in a distinct AS—are physically connected (usually via a /30 or /31 subnet). This minimizes complexity: no next-hop issues, straightforward policy enforcement, and clear fault domains.
- Router A initiates TCP handshake (port 179) to Router B.
- Routers exchange OPEN messages (ASNs, capabilities, authentication).
- State machine progresses to Established; UPDATEs flow.
Authentication: Cisco IOS supports MD5 authentication for BGP sessions. Both sides must configure the same password:

router bgp 65001
 neighbor 10.1.12.2 password MySecurePass

The password must match exactly on both routers or the session will not come up. Accidental spaces or unusual characters in the password string are a classic cause of authentication failures. MD5 is no longer considered strong: TCP-AO (RFC 5925) is the better option where supported, but device support is still limited.
TTL Security: By default, eBGP uses TTL=1, allowing only directly connected peers. To secure sessions further, implement GTSM (Generalized TTL Security Mechanism) with:

router bgp 65001
 neighbor 10.1.12.2 ttl-security hops 1

This restricts the session to neighbors one hop away. If a transparent firewall or L2 device is in the path, you may need to adjust ebgp-multihop or the ttl-security hop count.
Operational Gotchas:
- AS number or IP address mismatches (often due to subnet mask typos).
- Password mismatches (MD5 failures—check for NOTIFICATION messages).
- Physical redundancy is ideal; design for single-link failure even if budget constraints exist.
Exam Tip: Direct eBGP peering is the default. If you need to peer across an intermediate device, use neighbor x.x.x.x ebgp-multihop N and adjust TTL security accordingly.
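To make the TTL behaviour concrete, here is an added Python model (not from the page and not Cisco code) of what a receiving router does with a TCP/179 segment under classic eBGP versus ttl-security hops 1. The addresses and segments are constructed for the demo; the acceptance threshold 255 - hops + 1 is the RFC 5082 form and is an assumption about the exact platform threshold, so confirm it against your vendor's documentation.

```python
# Added example (not from the page): how TTL interacts with plain eBGP and
# with ttl-security (GTSM). Segments and addresses are constructed.
from dataclasses import dataclass
from typing import Optional

MAX_TTL = 255


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    ttl: int  # TTL as seen when the segment reaches the receiving router


def ttl_on_arrival(initial_ttl: int, routers_crossed: int) -> Optional[int]:
    """Every router on the path decrements TTL; None means dropped in transit."""
    remaining = initial_ttl - routers_crossed
    return remaining if remaining > 0 else None


def accept_segment(seg: Segment, gtsm_hops: Optional[int]) -> bool:
    """gtsm_hops=None models a neighbor without ttl-security: the receiver
    checks no TTL at all (the default TTL=1 only limits what *it* sends).
    With ttl-security hops N the receiver requires TTL >= 255 - N + 1, so a
    directly connected peer (N=1) must arrive with TTL 255 (RFC 5082 form).
    Assumption: the exact threshold is platform-specific."""
    if gtsm_hops is None:
        return True
    return seg.ttl >= MAX_TTL - gtsm_hops + 1


def session_outcome(initial_ttl: int, routers_crossed: int,
                    gtsm_hops: Optional[int]) -> str:
    """Outcome for one TCP/179 segment sent with initial_ttl across
    routers_crossed intermediate routers, toward a receiver configured with
    gtsm_hops (None = no ttl-security)."""
    ttl = ttl_on_arrival(initial_ttl, routers_crossed)
    if ttl is None:
        return "dropped-in-transit"
    seg = Segment(src="10.1.12.2", dst="10.1.12.1", ttl=ttl)  # constructed
    return "accepted" if accept_segment(seg, gtsm_hops) else "rejected-ttl-check"


if __name__ == "__main__":
    # Directly connected peer, classic eBGP: sends TTL 1, crosses no router.
    print(session_outcome(1, 0, None))    # accepted
    # Host three routers away, classic eBGP: the receiver checks nothing.
    print(session_outcome(64, 3, None))   # accepted
    # Same host against ttl-security hops 1: arrives with 252, rejected.
    print(session_outcome(255, 3, 1))     # rejected-ttl-check
    # Directly connected peer with GTSM: sends 255, arrives with 255.
    print(session_outcome(255, 0, 1))     # accepted
```

The second and third cases are the point of GTSM: the default TTL=1 only governs what the local router sends, so it does nothing to stop segments that arrive from several hops away, whereas ttl-security makes the receiver reject anything that has been forwarded by a router.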
eBGP Configuration on Cisco IOS
Basic Configuration
Consider this topology: R1 (AS 65001) connects directly to R2 (AS 65002), and R2 connects to R3 (AS 65003) on its other interface.
- R1 (AS 65001): GigabitEthernet0/0 at 10.1.12.1/30.
- R2 (AS 65002): GigabitEthernet0/0 at 10.1.12.2/30 toward R1, and GigabitEthernet0/1 at 10.1.23.2/30 toward R3.
- R3 (AS 65003): 10.1.23.3/30 on the interface facing R2.
R1 Configuration:

interface GigabitEthernet0/0
 ip address 10.1.12.1 255.255.255.252
!
router bgp 65001
 bgp log-neighbor-changes
 neighbor 10.1.12.2 remote-as 65002
 neighbor 10.1.12.2 password MySecurePass
 neighbor 10.1.12.2 ttl-security hops 1
 address-family ipv4 unicast
  neighbor 10.1.12.2 activate
  network 192.168.1.0 mask 255.255.255.0
  neighbor 10.1.12.2 prefix-list PL-OUTBOUND out
 exit-address-family
!
ip prefix-list PL-OUTBOUND permit 192.168.1.0/24

A /30 mask (255.255.255.252) is the natural fit for a point-to-point link. The remote-as statement tells BGP this neighbor is in a different AS; the password and ttl-security lines must match what R2 configures. The neighbor must be activated under address-family ipv4 unicast or no routes are exchanged, the network statement announces 192.168.1.0/24, and the outbound prefix-list limits what R1 sends: only 192.168.1.0/24 is allowed out, nothing else.
R2 Configuration:

interface GigabitEthernet0/0
 ip address 10.1.12.2 255.255.255.252
!
interface GigabitEthernet0/1
 ip address 10.1.23.2 255.255.255.252
!
router bgp 65002
 bgp log-neighbor-changes
 neighbor 10.1.12.1 remote-as 65001
 neighbor 10.1.12.1 password MySecurePass
 neighbor 10.1.12.1 ttl-security hops 1
 address-family ipv4 unicast
  neighbor 10.1.12.1 activate
  network 10.2.2.0 mask 255.255.255.0
 exit-address-family
!

GigabitEthernet0/0 pairs R2 with R1; GigabitEthernet0/1 is the link toward R3. The password and ttl-security settings mirror R1's, the neighbor is activated under the IPv4 address-family (skip this and the neighbor sits there learning nothing), and the network statement advertises 10.2.2.0/24.
Notes:
- bgp log-neighbor-changes: Enables useful logging for session state changes.
- neighbor ... activate: Required under the address-family in modern IOS.
- network: The prefix must be present in the RIB (routing table) as an exact match to be advertised.
- Prefix-lists decide which prefixes get in or out. Get them wrong and you either leak far more routes than you meant to or block routes you need. Always verify sequence order and logic.
Timer Tuning
You can tune BGP timers for faster failover, but overly aggressive values produce false alarms and flap your peers more than you would like.

router bgp 65001
 timers bgp 30 90

(Default: timers bgp 60 180, i.e. 60s keepalive, 180s hold time.)
eBGP Neighbor Verification & Diagnostics
Verification Commands
- show ip bgp summary: Neighbor status, prefix count, session uptime. "Idle" or "Active" in the State column means the session isn't up.
- show ip bgp neighbors: Deep dive: capabilities, authentication, last reset reason, received/advertised routes.
- show ip route bgp: BGP-learned routes in the local routing table.
- show ip bgp: The BGP RIB, best path selection, path attributes.
- debug ip bgp: Real-time session events and update debugging. Warning: resource intensive; use in the lab or during a maintenance window only.
Sample Output & Troubleshooting
show ip bgp summary on R1:

R1# show ip bgp summary
BGP router identifier 192.168.1.1, local AS number 65001
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.1.12.2       4 65002     102     100        5    0    0 00:10:05        1

The BGP router ID and local AS number appear at the top. Each neighbor row ends with the State/PfxRcd column, which shows the number of prefixes received when the session is Established and the FSM state otherwise.
Exam Tip: If State is not "Established," check physical connectivity, firewall, ASNs, and authentication. If PfxRcd = 0, routes are not being exchanged: check network statements and filters.

%BGP-3-NOTIFICATION: sent to neighbor 10.1.12.2 3/5 (authentication failure) 0 bytes

This log message indicates an MD5 password mismatch. Double-check for whitespace or copy-paste errors.
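Reading the summary table by eye is fine for one router; for monitoring you want the same triage automated. The following is an added Python example (not from the page, not a Cisco tool) that parses show ip bgp summary output and applies the exam-tip rules above to every neighbor. The SAMPLE text is constructed: the first row is the one shown above, the other two rows are invented to exercise the "session down" and "Established but PfxRcd = 0" cases.

```python
# Added example (not from the page): parse 'show ip bgp summary' and triage
# each neighbor the way the exam tip above describes. SAMPLE is constructed.
import re
from typing import Dict, List

SAMPLE = """\
BGP router identifier 192.168.1.1, local AS number 65001
BGP table version is 5, main routing table version 5

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.1.12.2       4 65002     102     100        5    0    0 00:10:05        1
10.1.13.2       4 65020       0       0        1    0    0 never    Active
10.1.14.2       4 65030      40      42        5    0    0 00:03:11        0
"""

HEADER = re.compile(r"BGP router identifier (\S+), local AS number (\d+)")
# neighbor, V, AS, MsgRcvd, MsgSent, TblVer, InQ, OutQ, Up/Down, State/PfxRcd
ROW = re.compile(
    r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.+?)\s*$"
)


def parse_summary(text: str) -> dict:
    """Return {'router_id', 'local_as', 'neighbors': [...]}; each neighbor
    dict carries the address, remote AS, uptime and raw State/PfxRcd value."""
    result = {"router_id": None, "local_as": None, "neighbors": []}
    for line in text.splitlines():
        h = HEADER.search(line)
        if h:
            result["router_id"], result["local_as"] = h.group(1), int(h.group(2))
            continue
        m = ROW.match(line)
        if m:
            result["neighbors"].append({
                "neighbor": m.group(1), "remote_as": int(m.group(3)),
                "up_down": m.group(9), "state": m.group(10),
            })
    return result


def triage(neighbors: List[dict]) -> Dict[str, str]:
    """Map each neighbor to a short diagnosis. A numeric State/PfxRcd means
    Established with that many prefixes received; anything else is the
    FSM state the session is stuck in."""
    out: Dict[str, str] = {}
    for n in neighbors:
        state = n["state"]
        if state.isdigit():
            out[n["neighbor"]] = (
                "ok" if int(state) > 0
                else "established-no-prefixes: check network statements and filters"
            )
        else:
            out[n["neighbor"]] = (f"session-down ({state}): check reachability, "
                                  "TCP/179, remote-as, authentication")
    return out


if __name__ == "__main__":
    parsed = parse_summary(SAMPLE)
    print(parsed["router_id"], parsed["local_as"])
    for peer, verdict in triage(parsed["neighbors"]).items():
        print(f"{peer}: {verdict}")
```

The regex deliberately treats the last column as free text, because IOS prints states such as "Idle (Admin)" with a space in them; everything before it is fixed-width numeric and easy to anchor on.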
BGP Best Path Selection Algorithm
BGP doesn't select the "shortest path" but the "best path," based on a series of attributes evaluated in this order (as soon as a step breaks the tie, evaluation stops):
- Weight (Cisco proprietary; higher is better; local to the router)
- Local Preference (higher is better; propagated within the AS)
- Locally Originated (via network, aggregate, or redistribution)
- AS_PATH Length (shorter is better)
- Origin Type (IGP preferred over EGP, EGP over Incomplete)
- MED (Multi-Exit Discriminator) (lower is better; compared only for routes from the same neighboring AS)
- eBGP over iBGP
- IGP Metric to Next Hop (lower is better)
- Router ID (lowest wins; tie-breaker)
- Neighbor IP Address (lowest wins; final tie-breaker)
Step | Attribute | Manipulation Example | Notes |
---|---|---|---|
1 | Weight | route-map set weight | Local only; never propagated |
2 | Local Preference | route-map set local-preference | Propagated within AS |
3 | Locally Originated | network/aggregate/redistribute | Prefer local origination |
4 | AS_PATH | AS_PATH prepending | Shorter path preferred |
5 | Origin | network vs redistribute | IGP wins |
6 | MED | route-map set metric | Lower is better; compared only for same AS |
7 | eBGP/iBGP | — | eBGP path preferred over iBGP |
8 | IGP Metric | Lower to next-hop | Lower is better |
9 | Router ID | — | Lowest wins (tie-breaker) |
10 | Neighbor IP | — | Lowest wins (final tie-breaker) |
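To see the ten steps operate as an ordered comparison rather than a list to memorize, here is an added Python comparator (not from the page, not Cisco's implementation) that applies them in the order above to candidate paths for one prefix and reports which step decided the outcome. The Path class and the candidate paths used with it are constructed; real IOS has a few extra tie-breakers (for example, oldest path) that the page's list omits and this code omits too.

```python
# Added example (not from the page): apply the best-path steps above, in
# order, to constructed candidate paths and report the deciding step.
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass
class Path:
    neighbor: str                 # peer address the UPDATE arrived from
    router_id: str                # advertising peer's BGP router ID
    as_path: Tuple[int, ...]
    origin: str = "igp"
    weight: int = 0               # Cisco default for received paths
    local_pref: int = 100
    med: int = 0
    locally_originated: bool = False
    ebgp: bool = True
    igp_metric: int = 0           # IGP cost to reach the next hop


def neighboring_as(p: Path) -> Optional[int]:
    """First ASN in AS_PATH: the AS the path entered from."""
    return p.as_path[0] if p.as_path else None


def compare(a: Path, b: Path) -> Tuple[Path, str]:
    """Return the preferred path and the step that decided it. Every key is
    'lower is better', so 'higher is better' attributes are negated."""
    same_as = neighboring_as(a) == neighboring_as(b)
    steps = [
        ("weight", lambda p: -p.weight),
        ("local_preference", lambda p: -p.local_pref),
        ("locally_originated", lambda p: 0 if p.locally_originated else 1),
        ("as_path_length", lambda p: len(p.as_path)),
        ("origin", lambda p: ORIGIN_RANK[p.origin]),
        # MED is only comparable between paths from the same neighboring AS;
        # otherwise it is treated as a tie and evaluation moves on.
        ("med", lambda p: p.med if same_as else 0),
        ("ebgp_over_ibgp", lambda p: 0 if p.ebgp else 1),
        ("igp_metric", lambda p: p.igp_metric),
        ("router_id", lambda p: int(ip_address(p.router_id))),
        ("neighbor_ip", lambda p: int(ip_address(p.neighbor))),
    ]
    for name, key in steps:
        ka, kb = key(a), key(b)
        if ka != kb:
            return (a if ka < kb else b), name
    return a, "identical"


def best_path(paths: List[Path]) -> Tuple[Path, str]:
    """Reduce the candidates pairwise; the reason is from the final comparison."""
    best, reason = paths[0], "only_path"
    for cand in paths[1:]:
        best, reason = compare(best, cand)
    return best, reason


if __name__ == "__main__":
    # Constructed: the dual-homed customer from the scenarios below.
    via_isp1 = Path("10.1.12.2", "10.1.12.2", (65010, 64496), local_pref=200)
    via_isp2 = Path("10.1.13.2", "10.1.13.2", (65020, 64496), local_pref=100)
    chosen, why = best_path([via_isp2, via_isp1])
    print(chosen.neighbor, why)   # 10.1.12.2 local_preference
```

Two behaviours worth noticing when you run it: a prepended AS_PATH loses at step 4 even when everything else is equal, and MED only breaks a tie when both paths entered from the same neighboring AS; for paths from two different ISPs the comparison falls straight through to the router-ID tie-breaker.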
Example: Prefer ISP1 for Outbound
route-map PREFER_ISP1 permit 10
 match ip address prefix-list ISP1-ROUTES
 set local-preference 200
!
ip prefix-list ISP1-ROUTES permit 0.0.0.0/0 le 32
!
router bgp 65001
 neighbor 10.1.12.2 route-map PREFER_ISP1 in

ISP1-ROUTES is a catch-all prefix-list: 0.0.0.0/0 le 32 matches every IPv4 prefix of any length. Because ISP1-ROUTES is a prefix-list, the route-map must reference it as match ip address prefix-list; a bare match ip address NAME refers to an access-list. Applied inbound, the route-map raises local preference to 200 for everything learned from ISP1.
AS-PATH prepending on outbound announcements influences how upstream providers see your routes:

route-map PREPEND_ISP2 permit 10
 set as-path prepend 65001 65001 65001
!
router bgp 65001
 neighbor 10.1.13.2 route-map PREPEND_ISP2 out

The set clause adds your ASN three extra times to the path. Upstream routers usually pick a different path because this one now looks longer and less attractive.
Exam Tip: Local Preference is set inbound, as it’s internal to your AS. AS-PATH and MED are used to influence how others select paths to you.
BGP Communities and Policy Control
BGP communities are tags attached to routes for policy signaling. They enable flexible, scalable policy: blackholing, selective advertisement, traffic engineering, and more.
Types of Communities
- Standard: Format ASN:NNNN (e.g., 65001:100). Used for general tagging.
- Well-known: Predefined values such as no-export and no-advertise.
- Extended: 4-byte, allows more granular policy in MPLS/VPN and similar environments.
Tagging and Filtering Example
route-map TAG-BLACKHOLE permit 10
 match ip address prefix-list BLACKHOLE-PREFIX
 set community 65535:666 no-export
!
ip prefix-list BLACKHOLE-PREFIX permit 192.0.2.0/24
!
router bgp 65001
 neighbor 10.1.12.2 send-community
 neighbor 10.1.12.2 route-map TAG-BLACKHOLE out

BLACKHOLE-PREFIX targets just the 192.0.2.0/24 subnet. The outbound route-map tags it with 65535:666 (the well-known BLACKHOLE community) plus no-export, so the upstream knows what to do with it. Two details are easy to miss: the route-map must reference the prefix-list with match ip address prefix-list, and IOS does not send communities to a neighbor at all unless neighbor ... send-community is configured.
Use Cases:
- Blackhole Routing: Tag unwanted traffic for upstream discard.
- Selective Advertisement: Control which peers receive specific prefixes.
- Traffic Engineering: Influence provider routing based on agreed community values.
Implementation Scenarios
a) Basic eBGP Peering with Route Exchange
Goal: R1 (AS 65001) and R2 (AS 65002) are directly peered and share the 192.168.1.0/24 network. R2 and R3 (AS 65003) extend the chain.

R1:
router bgp 65001
 neighbor 10.1.12.2 remote-as 65002
 address-family ipv4 unicast
  neighbor 10.1.12.2 activate
  network 192.168.1.0 mask 255.255.255.0
 exit-address-family

Verification:

R2# show ip bgp
   Network          Next Hop            Metric LocPrf Weight Path
*> 192.168.1.0      10.1.12.1                0    100      0 65001 i

If the route does not show up where you expect, check that the prefix is actually in the local routing table and that a prefix-list or route-map has not filtered it out. (It happens to the best of us.)
b) Multi-Homing with Two ISPs, Attribute Manipulation
Customer (AS 65001) dual-homed to ISP1 and ISP2. Prefer ISP1 for outbound, ISP2 is backup.
route-map PREFER_ISP1 permit 10
 set local-preference 200
!
router bgp 65001
 neighbor 10.1.12.2 remote-as 65010
 neighbor 10.1.13.2 remote-as 65020
 neighbor 10.1.12.2 route-map PREFER_ISP1 in

Here 10.1.12.2 is ISP1 (AS 65010) and 10.1.13.2 is ISP2 (AS 65020). The inbound route-map raises local preference to 200 on everything learned from ISP1, so ISP1 wins the best-path comparison and ISP2 is used only when ISP1's paths disappear.
c) Prefix Filtering
Goal: advertise only 192.168.1.0/24 to the peer, and never accept a default route from it.

ip prefix-list OUT_ONLY permit 192.168.1.0/24
!
ip prefix-list BLOCK_DEFAULT seq 5 deny 0.0.0.0/0
ip prefix-list BLOCK_DEFAULT seq 10 permit 0.0.0.0/1 le 32
ip prefix-list BLOCK_DEFAULT seq 20 permit 128.0.0.0/1 le 32
!
router bgp 65001
 neighbor 10.1.12.2 prefix-list OUT_ONLY out
 neighbor 10.1.12.2 prefix-list BLOCK_DEFAULT in

OUT_ONLY lets only that one subnet out to the neighbor. BLOCK_DEFAULT denies 0.0.0.0/0 at sequence 5, then permits everything inside 0.0.0.0/1 and 128.0.0.0/1 at any length from /1 to /32; together those two halves cover every possible prefix except the default itself.
Note: This filter denies only the default route and permits all other prefixes.
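Prefix-list mistakes usually come from sequence order or from forgetting that an entry without ge/le matches only the exact length. The following added Python evaluator (not from the page, not Cisco code) implements those IOS semantics and runs OUT_ONLY and BLOCK_DEFAULT from the scenario above, plus the Notes about verifying order and logic earlier on the page, against constructed test prefixes. SAMPLE_CONFIG reproduces the lists above; the parser assumes the standard IOS keyword order and auto-assigns sequence numbers in steps of 5 when a line omits seq.

```python
# Added example (not from the page): an evaluator with IOS prefix-list
# semantics (sequence order, first match wins, implicit deny, exact-length
# match unless ge/le is given). SAMPLE_CONFIG mirrors the lists above.
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import Dict, List, Optional, Tuple

SAMPLE_CONFIG = """
ip prefix-list OUT_ONLY permit 192.168.1.0/24
ip prefix-list BLOCK_DEFAULT seq 5 deny 0.0.0.0/0
ip prefix-list BLOCK_DEFAULT seq 10 permit 0.0.0.0/1 le 32
ip prefix-list BLOCK_DEFAULT seq 20 permit 128.0.0.0/1 le 32
"""


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str                 # "permit" or "deny"
    network: IPv4Network
    ge: Optional[int] = None
    le: Optional[int] = None


def parse_entry(line: str):
    """Split 'ip prefix-list NAME [seq N] permit|deny A.B.C.D/L [ge X] [le Y]'
    into (name, seq, action, network, ge, le); seq is None when omitted."""
    toks = line.split()
    if toks[:2] != ["ip", "prefix-list"]:
        raise ValueError(f"not a prefix-list line: {line}")
    name, i, seq = toks[2], 3, None
    if toks[i] == "seq":
        seq, i = int(toks[i + 1]), i + 2
    action, network, i = toks[i], IPv4Network(toks[i + 1]), i + 2
    ge = le = None
    while i + 1 < len(toks):
        if toks[i] == "ge":
            ge = int(toks[i + 1])
        elif toks[i] == "le":
            le = int(toks[i + 1])
        i += 2
    return name, seq, action, network, ge, le


def build_lists(config: str) -> Dict[str, List[Entry]]:
    """Group entries by list name, assign IOS-style sequence numbers (next
    multiple of 5) to lines that omit 'seq', and keep each list sorted."""
    lists: Dict[str, List[Entry]] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith("ip prefix-list"):
            continue
        name, seq, action, network, ge, le = parse_entry(line)
        entries = lists.setdefault(name, [])
        if seq is None:
            seq = (max((e.seq for e in entries), default=0) // 5 + 1) * 5
        entries.append(Entry(seq, action, network, ge, le))
        entries.sort(key=lambda e: e.seq)
    return lists


def entry_matches(e: Entry, prefix: IPv4Network) -> bool:
    """The prefix must lie inside e.network and its length must fall in the
    ge/le window; with neither keyword only the exact length matches."""
    lo = e.ge if e.ge is not None else e.network.prefixlen
    if e.le is not None:
        hi = e.le
    else:
        hi = 32 if e.ge is not None else e.network.prefixlen
    return prefix.subnet_of(e.network) and lo <= prefix.prefixlen <= hi


def evaluate(entries: List[Entry], prefix: str) -> Tuple[str, Optional[int]]:
    """Return (action, seq) of the first matching entry, or ('deny', None)
    for the implicit deny at the end of every prefix-list."""
    net = IPv4Network(prefix)
    for e in entries:
        if entry_matches(e, net):
            return e.action, e.seq
    return "deny", None


if __name__ == "__main__":
    lists = build_lists(SAMPLE_CONFIG)
    for name, prefix in [("OUT_ONLY", "192.168.1.0/24"), ("OUT_ONLY", "192.168.1.0/25"),
                         ("BLOCK_DEFAULT", "0.0.0.0/0"), ("BLOCK_DEFAULT", "203.0.113.0/24")]:
        print(name, prefix, evaluate(lists[name], prefix))
```

The 192.168.1.0/25 case is the one that bites people: it is inside 192.168.1.0/24, but OUT_ONLY has no le, so only a /24 exactly is permitted and the /25 falls through to the implicit deny. Note also that BLOCK_DEFAULT's seq 5 deny is belt-and-braces: 0.0.0.0/0 already fails seq 10, because a /0 is not inside 0.0.0.0/1.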
BGP Session Reset Types
Every now and then—usually after making a change or if something’s stuck—you’ll need to reset your BGP sessions to clear things up.
- Hard Reset: clear ip bgp * tears down and re-establishes the session; disruptive.
- Soft Reset (Inbound): clear ip bgp * soft in reprocesses inbound updates without a session flap.
- Soft Reset (Outbound): clear ip bgp * soft out resends outbound updates.
Best practice: Use soft resets where possible to minimize disruption.
BGP Security Best Practices
- Prefix Filtering: Always filter inbound and outbound prefixes using prefix-lists or route-maps. Drop bogons and unexpected prefixes.
- MD5 Authentication: Configure neighbor x.x.x.x password ... on both sides. For improved security, where supported, consider TCP-AO (RFC 5925).
- TTL Security (GTSM): neighbor x.x.x.x ttl-security hops 1 to prevent spoofed session attempts.
- Max-Prefix Limit: Prevent route table overload with neighbor x.x.x.x maximum-prefix 5000 80 (adjust to the expected route count).
- Infrastructure ACLs: Only allow BGP traffic from trusted addresses on port 179.
- RPKI/ROV: Use Resource Public Key Infrastructure and Route Origin Validation where available to prevent prefix hijacking.
- Logging & Monitoring: bgp log-neighbor-changes, SNMP traps, and syslog for session status.
- MANRS Compliance: Follow Mutually Agreed Norms for Routing Security for global best practices.
Route Dampening
Route dampening is BGP's way of keeping flapping routes from wreaking havoc on your network. It suppresses unstable routes to protect convergence and CPU/memory, and matters most in large networks or with peers that constantly advertise and withdraw the same prefixes.

router bgp 65001
 bgp dampening 15 750 2000 60

- 15: Half-life (minutes)
- 750: Reuse limit
- 2000: Suppress limit
- 60: Max suppression (minutes)
Verify: show ip bgp dampened-paths
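The four numbers interact through one exponential-decay formula, and seeing it worked through makes the parameters much less arbitrary. Below is an added Python example (not from the page, not Cisco code) that implements the arithmetic for bgp dampening 15 750 2000 60: a penalty of 1000 per flap (the IOS default), halving every 15 minutes, suppression above 2000, reuse below 750, and the ceiling reuse x 2^(max-suppress / half-life) that keeps suppression from outlasting 60 minutes. The flap timestamps fed to simulate() are constructed.

```python
# Added example (not from the page): the decay arithmetic behind
# 'bgp dampening 15 750 2000 60'. Flap timestamps are constructed; the
# 1000-point penalty per flap is the IOS default.
from math import log2
from typing import List, Tuple

HALF_LIFE_MIN = 15      # penalty halves every 15 minutes
REUSE_LIMIT = 750       # route is unsuppressed once penalty decays below this
SUPPRESS_LIMIT = 2000   # route is suppressed once penalty exceeds this
MAX_SUPPRESS_MIN = 60   # never suppress longer than this
FLAP_PENALTY = 1000


def decay(penalty: float, minutes: float, half_life: float = HALF_LIFE_MIN) -> float:
    """penalty * 2^(-t / half_life): what is left after 'minutes' of calm."""
    return penalty * 2 ** (-minutes / half_life)


def max_penalty(reuse: float = REUSE_LIMIT, half_life: float = HALF_LIFE_MIN,
                max_suppress: float = MAX_SUPPRESS_MIN) -> float:
    """Ceiling on the accumulated penalty so suppression can never last longer
    than max_suppress: reuse * 2^(max_suppress / half_life)."""
    return reuse * 2 ** (max_suppress / half_life)


def minutes_until_reuse(penalty: float, reuse: float = REUSE_LIMIT,
                        half_life: float = HALF_LIFE_MIN) -> float:
    """Solve penalty * 2^(-t / half_life) = reuse for t (0 if already below)."""
    if penalty <= reuse:
        return 0.0
    return half_life * log2(penalty / reuse)


def simulate(flap_minutes: List[float]) -> List[Tuple[float, float, bool]]:
    """Apply each flap in turn; return (time, penalty, suppressed) after each."""
    penalty, last_t, suppressed = 0.0, 0.0, False
    cap = max_penalty()
    history: List[Tuple[float, float, bool]] = []
    for t in flap_minutes:
        penalty = min(decay(penalty, t - last_t) + FLAP_PENALTY, cap)
        last_t = t
        if penalty > SUPPRESS_LIMIT:
            suppressed = True
        elif penalty < REUSE_LIMIT:
            suppressed = False
        history.append((t, round(penalty, 1), suppressed))
    return history


if __name__ == "__main__":
    # Constructed: three flaps one minute apart.
    for t, pen, sup in simulate([0, 1, 2]):
        print(f"t={t:>3} min  penalty={pen:>7}  suppressed={sup}")
    print("max penalty:", max_penalty())                  # 12000.0
    print("minutes to reuse from 3000:", minutes_until_reuse(3000))  # 30.0
```

Two flaps a minute apart leave the route just under the 2000 suppress limit; the third pushes it over. From a penalty of 3000 the route needs two half-lives (30 minutes) to decay below 750, and the 12000 ceiling is exactly what guarantees that no route stays suppressed past the configured 60 minutes.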
BGP Performance Tuning and Scalability
- Process Tuning: Adjust the BGP scan interval (bgp scan-time N) to control how often BGP rescans the table (default: 60s).
- Multipath (ECMP): Enable load balancing over multiple equal-cost eBGP paths:

router bgp 65001
 maximum-paths 4

(maximum-paths eibgp is only available under a VRF address-family, where it balances across eBGP and iBGP paths together; for plain eBGP multipath use maximum-paths N.)
- Route Reflectors/Confederations: For iBGP scalability, deploy route reflectors or confederations to avoid full mesh.
- Memory/CPU: Monitor resource impact when handling large numbers of prefixes (full Internet table scenarios).
BGP Troubleshooting Workflow
Symptom | Possible Cause | Key Commands | Solution |
---|---|---|---|
Neighbor stuck in Idle/Active | Physical down, wrong IP/AS, TCP/179 blocked, auth fail | show ip bgp summary; show interfaces; show tcp brief | Check cabling, IP, ASNs, firewall, password |
Session flapping | Timer mismatch, duplicate router-ID, unstable link, password mismatch | show log; show ip bgp neighbors | Synchronize timers, fix router-IDs, check link quality, re-enter passwords |
No routes exchanged | Missing network statement, RIB mismatch, prefix-list/route-map filtering | show ip bgp; show ip route; show run \| sec bgp | Ensure prefix in RIB, correct filtering |
Wrong path selected | Attribute manipulation, tie-breakers, upstream policy | show ip bgp; show ip bgp neighbors | Review best path attributes, adjust as needed |
Exam Tip: For each troubleshooting scenario, identify the relevant commands and know the typical symptoms for common misconfigurations.
BGP and IGP Redistribution Deep Dive
Integrating BGP and IGPs (OSPF, EIGRP) is common in enterprise networks. Redistribution enables reachability between internal and external routes—but risks loops and route leaks without careful filtering.
router ospf 10
 redistribute bgp 65001 subnets route-map FILTER-BGP
!
router bgp 65001
 redistribute ospf 10 route-map FILTER-OSPF

Always use route-maps or prefix-lists to tightly control which routes are redistributed. Never "redistribute all" without filters.
Route-map example (the filter on the OSPF side above; FILTER-OSPF is built the same way for the BGP side):

route-map FILTER-BGP permit 10
 match ip address BGP-TO-OSPF
!
ip access-list standard BGP-TO-OSPF
 permit 192.168.1.0 0.0.0.255

For MPLS/VRF environments, use address-family vpnv4 or vpnv6 and configure route distinguishers and route targets. Cloud edge scenarios, such as direct connections to cloud providers, use the same eBGP principles with VRFs and provider-specific filtering.
IPv6 eBGP Basics
BGP configuration for IPv6 is almost identical to IPv4, but uses address-family ipv6 unicast:

router bgp 65001
 neighbor 2001:db8:1::2 remote-as 65002
 address-family ipv6 unicast
  neighbor 2001:db8:1::2 activate
  network 2001:db8:100::/64
 exit-address-family

The remote-as statement belongs in global router bgp mode; only activate and network go under the address-family. Exam Tip: Remember to enable IPv6 routing (ipv6 unicast-routing) and assign IPv6 addresses to the interfaces.
Common Mistakes & Exam Scenarios
Mistake | Symptom | Solution |
---|---|---|
AS number mismatch | Session stuck in Idle | Check neighbor remote-as config |
MD5 password mismatch | Session flaps, authentication failure notification | Ensure passwords match exactly, check for whitespace |
Missing network statement or no matching route in RIB | Routes not advertised | Add static/connected route or correct network statement |
Prefix-list/route-map denies all | No routes exchanged | Review filter logic and order |
TTL security misconfigured | Session won’t establish | Match ebgp-multihop and ttl-security settings to topology |
Sample Exam Scenario: You see %BGP-3-NOTIFICATION: sent to neighbor 10.1.12.2 3/5 (authentication failure) 0 bytes after a config change. What's the next step? Answer: Validate and re-enter passwords on both routers, checking for hidden whitespace.
Integration Scenarios: Deeper Dive
In most enterprises, BGP peers at the WAN edge and exchanges routes with your internal IGP (OSPF/EIGRP). Proper redistribution is critical to prevent routing loops and unwanted leaks.
- Scenario: Receive a default route from the ISP and inject it into OSPF, but only advertise selected internal prefixes via BGP to the ISP.

router ospf 10
 redistribute bgp 65001 subnets route-map TO-OSPF
 default-information originate
!
router bgp 65001
 redistribute ospf 10 route-map TO-BGP
!
route-map TO-OSPF permit 10
 match ip address prefix-list DEFAULT
!
route-map TO-BGP permit 10
 match ip address prefix-list INTERNALS
!
ip prefix-list DEFAULT permit 0.0.0.0/0
ip prefix-list INTERNALS permit 192.168.1.0/24

Both route-maps match prefix-lists, so they need the match ip address prefix-list form. Note also that IOS OSPF does not redistribute 0.0.0.0/0 through the redistribute command; default-information originate is what actually injects the default into OSPF once the BGP-learned default is in the RIB.
- MPLS/VRF: For MPLS/VRF-lite, use a per-VRF BGP process or address-family vpnv4 with route distinguishers and route targets.
- Cloud Edge Example: Cloud direct connect services require eBGP peering in a VRF context. Provider documentation provides details on supported communities and filtering.
Exam Tip: Redistribution without filtering is a common cause of route leaks—always apply route-maps.
Summary & Key Takeaways
Configuring and verifying eBGP between directly connected neighbors is the bedrock of WAN and Internet connectivity. Key skills:
- Master the BGP state machine and session establishment; memorize the troubleshooting flow.
- Lab Cisco IOS configuration for eBGP peering, route advertisement, and attribute manipulation.
- Understand and apply BGP route filtering, security (MD5, TTL-security), and max-prefix protection.
- Manipulate best path attributes (Weight, Local Preference, AS_PATH, MED, Communities) for policy control.
- Integrate BGP and IGPs safely, always using route-maps or prefix-lists for redistribution.
- Prepare for the exam by practicing configuration, verification, troubleshooting, and scenario-based tasks.
Exam Strategy: For CCNP 350-401 ENCOR, focus on configuration syntax, best path logic, filtering, and troubleshooting steps. Practice reading show and debug outputs, identifying common symptoms, and resolving misconfigurations efficiently.
Real-world tip: Always verify your configuration with show commands, lock down your BGP sessions, and design with redundancy in mind. Lab everything, and when in doubt, break it in the lab, not in production.
References & Further Reading
- The Cisco IOS XE BGP Configuration Guide provides comprehensive details on BGP configuration and operational commands.
- RFC 4271 – Border Gateway Protocol 4 defines the BGP protocol standard.
- RFC 8212 – Default eBGP Route Propagation Security Requirements outlines security best practices for eBGP.
- RFC 7454 – BGP Operations and Security covers operational and security recommendations for BGP deployments.
- CCNP 350-401 ENCOR Exam Official Cert Guide offers exam-focused coverage of BGP and related topics.
- Cisco BGP Best Practices Whitepapers discuss real-world deployment and security strategies.
- Lab workbooks and CCIE/CCNP-level BGP lab guides provide hands-on configuration and troubleshooting scenarios.
- The MANRS initiative describes routing security best practices for global Internet stability.
Final Note: BGP is all about policy, precision, and practice. Stay curious, ask why, and keep building those labs—every real-world network depends on the skills you’re mastering now.