The Border Gateway Protocol (BGP) is the routing protocol that makes the Internet possible. As the glue that holds together thousands of autonomous networks, BGP enables the global exchange of routing information and determines the path data takes across the Internet. Understanding BGP is essential for network engineers, system administrators, and anyone interested in Internet infrastructure.
What is BGP?
BGP is a path-vector routing protocol that exchanges routing information between autonomous systems (AS). An autonomous system is a collection of IP networks under the control of a single organization with a clearly defined routing policy.
Key Characteristics
- Protocol Type: Path-vector routing protocol
- Transport: TCP port 179
- Version: BGP-4 (defined in RFC 4271)
- Scope: Inter-domain routing (between different organizations)
- Routing Decisions: Based on policies, not just shortest path
BGP Fundamentals
Autonomous Systems (AS)
Each organization operating BGP is assigned a unique AS number (ASN):
AS Number Ranges:
- 16-bit ASN: 0-65535 (original)
- Public: 1-64495 (assigned by the RIRs)
- Documentation: 64496-64511 (RFC 5398)
- Private: 64512-65534 (RFC 6996)
- Reserved: 0, 23456 (AS_TRANS, the placeholder used by RFC 6793 for 4-byte ASNs) and 65535
- 32-bit ASN: 0-4294967295 (RFC 6793)
- Documentation: 65536-65551 (RFC 5398)
- Private: 4200000000-4294967294 (RFC 6996)
- Reserved: 4294967295
Example AS numbers:
- AS15169: Google
- AS32934: Facebook/Meta
- AS16509: Amazon
- AS2906: Netflix
BGP Session Types
eBGP (External BGP)
BGP sessions between different autonomous systems:
[AS 65001] ------ eBGP ------ [AS 65002]
Router A Router B
- Used between ISPs and customers
- Directly connected neighbors
- TTL typically set to 1 (can be modified for multihop)
iBGP (Internal BGP)
BGP sessions within the same autonomous system:
[AS 65001]
|
+-- Router A ---- iBGP ---- Router B
|
+-- Router C ---- iBGP ---- Router D
- Distributes externally learned routes within the AS
- Full mesh or route reflectors required, because a route learned from one iBGP peer is never re-advertised to another iBGP peer
- That split-horizon rule is what prevents routing loops inside the AS (AS_PATH cannot catch them, since the local AS number is not prepended on iBGP sessions)
BGP Operation
BGP State Machine
BGP sessions progress through multiple states:
1. Idle
↓
2. Connect
↓
3. Active
↓
4. OpenSent
↓
5. OpenConfirm
↓
6. Established
State Descriptions:
- Idle: Initial state; a TCP connection is initiated when the session is started, and any error returns the FSM here
- Connect: Waiting for the TCP three-way handshake to complete
- Active: The TCP attempt failed; listening for an inbound connection and retrying after the ConnectRetry timer expires (a session that flaps between Connect and Active has a TCP-level problem, not a BGP one)
- OpenSent: TCP established, OPEN sent, waiting for the peer's OPEN
- OpenConfirm: Peer's OPEN received and accepted, KEEPALIVE sent, waiting for the peer's KEEPALIVE
- Established: Session up; UPDATE, KEEPALIVE and NOTIFICATION messages are exchanged
BGP Message Types
BGP uses four message types:
1. OPEN Message
Establishes BGP session and negotiates parameters:
OPEN Message Contents:
- BGP Version (4)
- My AS Number
- Hold Time
- BGP Identifier (Router ID)
- Optional Parameters (capabilities)
Example configuration:
router bgp 65001
bgp router-id 192.0.2.1
neighbor 203.0.113.1 remote-as 65002
neighbor 203.0.113.1 description eBGP to AS65002
2. UPDATE Message
Advertises or withdraws routes:
UPDATE Message Contents:
- Withdrawn Routes Length
- Withdrawn Routes
- Path Attributes Length
- Path Attributes
- Network Layer Reachability Information (NLRI)
Example UPDATE (as stored after being received from AS 65002 and relayed over iBGP inside AS 65001; LOCAL_PREF is only carried between iBGP peers, never to an eBGP neighbor):
Prefix: 10.1.0.0/16
AS_PATH: 65002 65003
NEXT_HOP: 203.0.113.1
LOCAL_PREF: 100
MED: 50
3. KEEPALIVE Message
Maintains BGP session:
- Sent periodically (default: 60 seconds, one third of the hold time)
- Hold time: 180 seconds by default; each side uses the smaller of the two values offered in OPEN, and the session is torn down if no message arrives before it expires
- No payload data
4. NOTIFICATION Message
Reports errors and closes session:
Error Codes:
- Message Header Error (1)
- OPEN Message Error (2)
- UPDATE Message Error (3)
- Hold Timer Expired (4)
- Finite State Machine Error (5)
- Cease (6)
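The message handling described above, as an added Python example (not code from the article or from any router vendor; Python is used because the page's IOS fragments are configuration, not runnable code). It encodes an OPEN for each side of a session, validates the received OPEN the way a speaker in OpenSent must, and reports the NOTIFICATION code/subcode for the malformed cases. The two routers' ASNs, router IDs, hold times and all function names are this example's own choices:

```python
"""BGP OPEN exchange: encode one side's OPEN, validate it on the other side, and map each
failure to the NOTIFICATION error code/subcode the receiver would send (RFC 4271 4.2, 6.1, 6.2;
4-octet ASN capability per RFC 6793). Added example; helper names are this example's own."""
import struct

MARKER = b"\xff" * 16            # 16 bytes of all-ones precede every BGP message
MSG_OPEN = 1                     # UPDATE = 2, NOTIFICATION = 3, KEEPALIVE = 4
AS_TRANS = 23456                 # 2-byte placeholder when the real ASN needs 4 bytes
CAP_FOUR_OCTET_AS = 65           # capability code announcing 4-octet ASN support


class BGPError(Exception):
    """Carries the NOTIFICATION (code, subcode) a receiver would send before closing."""
    def __init__(self, code, subcode, text):
        super().__init__(text)
        self.code, self.subcode = code, subcode


def cap_four_octet_as(asn):
    """Capability 65 TLV carrying the full 32-bit ASN."""
    return struct.pack("!BBI", CAP_FOUR_OCTET_AS, 4, asn)


def build_open(asn, hold_time, router_id, capabilities=b""):
    """Encode an OPEN: version 4, My AS, Hold Time, BGP Identifier, optional parameters."""
    rid = bytes(int(octet) for octet in router_id.split("."))
    opt = bytes([2, len(capabilities)]) + capabilities if capabilities else b""  # param type 2
    my_as = asn if asn < 65536 else AS_TRANS                 # real ASN rides in capability 65
    body = struct.pack("!BHH4sB", 4, my_as, hold_time, rid, len(opt)) + opt
    return MARKER + struct.pack("!HB", 19 + len(body), MSG_OPEN) + body


def parse_header(data):
    """Header checks from RFC 4271 6.1; returns (type, body) of the first message in data."""
    if len(data) < 19:
        raise BGPError(1, 2, "short message")
    if data[:16] != MARKER:
        raise BGPError(1, 1, "connection not synchronized (bad marker)")
    length, mtype = struct.unpack("!HB", data[16:19])
    if length < 19 or length > 4096 or len(data) < length:   # never trust the length field alone
        raise BGPError(1, 2, "bad message length %d" % length)
    if mtype not in (1, 2, 3, 4):
        raise BGPError(1, 3, "bad message type %d" % mtype)
    return mtype, data[19:length]


def parse_open(data, expected_asn):
    """Validate a peer's OPEN as a receiver in OpenSent would, then return its parameters."""
    mtype, body = parse_header(data)
    if mtype != MSG_OPEN:
        raise BGPError(5, 0, "expected OPEN while in OpenSent")
    if len(body) < 10:
        raise BGPError(1, 2, "truncated OPEN")
    version, my_as, hold, rid, optlen = struct.unpack("!BHH4sB", body[:10])
    if version != 4:
        raise BGPError(2, 1, "unsupported version %d" % version)
    if rid == b"\x00\x00\x00\x00":
        raise BGPError(2, 3, "bad BGP identifier")
    if hold in (1, 2):                                       # 0 (no keepalives) or >= 3 only
        raise BGPError(2, 6, "unacceptable hold time %d" % hold)
    if len(body) != 10 + optlen:
        raise BGPError(2, 0, "optional parameter length mismatch")
    caps, params, i = {}, body[10:], 0
    while i + 2 <= len(params):
        ptype, plen = params[i], params[i + 1]
        value = params[i + 2:i + 2 + plen]
        if len(value) != plen:
            raise BGPError(2, 0, "truncated optional parameter")
        if ptype != 2:
            raise BGPError(2, 4, "unsupported optional parameter %d" % ptype)
        j = 0
        while j + 2 <= len(value):                           # capability TLVs: code, len, value
            code, clen = value[j], value[j + 1]
            caps[code] = value[j + 2:j + 2 + clen]
            j += 2 + clen
        i += 2 + plen
    asn = my_as
    if len(caps.get(CAP_FOUR_OCTET_AS, b"")) == 4:
        asn = struct.unpack("!I", caps[CAP_FOUR_OCTET_AS])[0]
    if asn != expected_asn:                                  # must match the configured remote-as
        raise BGPError(2, 2, "bad peer AS %d" % asn)
    return {"asn": asn, "hold_time": hold, "capabilities": sorted(caps),
            "router_id": ".".join(str(b) for b in rid)}


def negotiated_hold_time(local, peer):
    """Both sides use the smaller offered value; 0 on either side disables keepalives."""
    return 0 if 0 in (local, peer) else min(local, peer)


def notification_for(data, expected_asn):
    """(code, subcode) the receiver would send for this OPEN, or None if it is acceptable."""
    try:
        parse_open(data, expected_asn)
    except BGPError as err:
        return err.code, err.subcode
    return None


if __name__ == "__main__":
    # Router A (AS 65001) and Router B (AS 4200000001) exchange OPENs, both with capability 65.
    open_a = build_open(65001, 180, "192.0.2.1", cap_four_octet_as(65001))
    open_b = build_open(4200000001, 90, "192.0.2.2", cap_four_octet_as(4200000001))
    print(parse_open(open_a, 65001), parse_open(open_b, 4200000001), negotiated_hold_time(180, 90))
    print("tampered marker ->", notification_for(b"\x00" + open_a[1:], 65001))
```

Running it prints both parsed OPENs, the negotiated hold time of 90 seconds (the smaller offer) and the (1, 1) Connection Not Synchronized error for a message whose marker was tampered with. The length comparison in parse_header is the security-relevant line: a parser that trusts the length field without checking it against the bytes actually received is the classic source of out-of-bounds reads in BGP implementations.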
BGP Attributes
BGP uses path attributes to make routing decisions. Attributes are categorized by type and transitivity.
Well-Known Mandatory Attributes
AS_PATH
List of AS numbers the route has traversed:
Route Advertisement Chain:
AS 65003 → AS 65002 → AS 65001
AS_PATH at AS 65001: 65002 65003
Purpose:
- Loop prevention (a router rejects any route whose AS_PATH already contains its own AS)
- Path length as a tie-breaker in the decision process
- Identifying the origin AS (the rightmost ASN); plain BGP does not authenticate this, so a forged AS_PATH is accepted unless RPKI origin validation or BGPsec is in use
Example:
# View the AS_PATH (Path column; the trailing i/e/? is the ORIGIN attribute)
show ip bgp
   Network          Next Hop            Metric LocPrf Weight Path
*> 10.1.0.0/16      203.0.113.1                            0 65002 65003 i
NEXT_HOP
IP address of the router to forward traffic toward for this prefix:
eBGP: Set to the advertising peer's address on the peering link
iBGP: Left unchanged when an eBGP-learned route is passed on, so internal routers must be able to reach the external peer's address (via the IGP, or the next hop must be rewritten)
Configuration example:
## Rewrite the next hop to this router's own address before passing eBGP-learned routes to iBGP peers,
## so internal routers do not need a route to the external peering link
router bgp 65001
neighbor 203.0.113.1 remote-as 65002
neighbor 192.168.1.2 remote-as 65001
neighbor 192.168.1.2 next-hop-self
ORIGIN
Indicates how route was learned:
i = IGP (network statement)
e = EGP (historical, rarely used)
? = Incomplete (redistributed)
Example:
router bgp 65001
network 10.1.0.0 mask 255.255.0.0 ! Origin: i
redistribute ospf 1 ! Origin: ?
Well-Known Discretionary Attributes
LOCAL_PREF
Preference for outbound traffic (higher is better):
Default: 100
Range: 0-4294967295
Scope: Within AS only (not sent to eBGP peers)
Use case example:
## Prefer primary link over backup
route-map PREFER-PRIMARY permit 10
set local-preference 200
route-map PREFER-BACKUP permit 10
set local-preference 150
router bgp 65001
neighbor 203.0.113.1 route-map PREFER-PRIMARY in
neighbor 203.0.113.2 route-map PREFER-BACKUP in
ATOMIC_AGGREGATE
Indicates that the route is an aggregate in which path information was lost:
Set when an aggregate is advertised without an AS_SET, so the AS_PATHs of the contributing routes are not carried
Tells receivers that the path information is incomplete and that the route must not be de-aggregated into more specific routes
Optional Transitive Attributes
AGGREGATOR
AS and router that performed aggregation:
AGGREGATOR: AS 65001, Router ID 192.0.2.1
COMMUNITY
Tags for grouping routes:
Well-known communities:
- NO_EXPORT (65535:65281)
- NO_ADVERTISE (65535:65282)
- NO_EXPORT_SUBCONFED (65535:65283)
Example:
## Tag routes received from a customer on ingress; the tag is matched later when exporting to an upstream.
## IOS strips communities on eBGP unless send-community is configured on that neighbor.
route-map TAG-CUSTOMER permit 10
set community 65001:100
ip community-list 10 permit 65001:100
route-map TO-UPSTREAM permit 10
match community 10
router bgp 65001
neighbor 10.1.1.1 route-map TAG-CUSTOMER in
neighbor 203.0.113.1 send-community
neighbor 203.0.113.1 route-map TO-UPSTREAM out
Optional Non-Transitive Attributes
MED (Multi-Exit Discriminator)
Suggests to a neighboring AS which of several entry points into your AS it should prefer (lower is better):
Default: 0
Range: 0-4294967295
Scope: Sent to the adjacent AS and not propagated further; by default it is compared only between paths received from the same neighboring AS
Example:
## Prefer primary link for incoming traffic
route-map SET-MED-PRIMARY permit 10
set metric 50
route-map SET-MED-BACKUP permit 10
set metric 100
router bgp 65001
neighbor 203.0.113.1 route-map SET-MED-PRIMARY out
neighbor 203.0.113.2 route-map SET-MED-BACKUP out
BGP Decision Process
BGP selects the best path using this algorithm (in order):
1. Highest Weight (Cisco proprietary, local to router)
2. Highest Local Preference
3. Locally originated (network/redistribute)
4. Shortest AS_PATH
5. Lowest Origin (i < e < ?)
6. Lowest MED (by default compared only between paths from the same neighboring AS)
7. eBGP over iBGP
8. Lowest IGP metric to NEXT_HOP
9. Oldest route (for eBGP)
10. Lowest Router ID
11. Lowest neighbor IP address
Example decision:
Route 1: LOCAL_PREF 200, AS_PATH length 3
Route 2: LOCAL_PREF 100, AS_PATH length 2
Selected: Route 1 (LOCAL_PREF checked before AS_PATH)
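The ordered comparison above as code, added here as an example (not from the article; the Path fields and the candidate routes are constructed for illustration). It applies the AS_PATH loop check before any tie-breaker and keeps the default behaviour of comparing MED only between paths from the same neighboring AS:

```python
"""Best-path selection for one prefix: AS_PATH loop check first, then the ordered
tie-breakers (Cisco order: weight, LOCAL_PREF, locally originated, AS_PATH length, ORIGIN,
MED, eBGP over iBGP, IGP metric, age, router ID, neighbor address). Added example."""
from dataclasses import dataclass
import ipaddress

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}      # lower is preferred


@dataclass
class Path:
    prefix: str
    next_hop: str
    as_path: tuple = ()                     # AS_SEQUENCE only; leftmost = neighbor, rightmost = origin
    origin: str = "i"
    local_pref: int = 100
    med: int = 0
    weight: int = 0                         # Cisco-local, never propagated
    locally_originated: bool = False
    ebgp: bool = True
    igp_metric: int = 0                     # IGP cost to reach next_hop
    age: int = 0                            # seconds since learned; larger is older
    router_id: str = "0.0.0.0"              # advertising router's BGP identifier
    neighbor: str = "0.0.0.0"               # peer address the path was learned from

    def neighbor_as(self):
        return self.as_path[0] if self.as_path else None


def _ip(addr):
    return int(ipaddress.ip_address(addr))


def compare(a, b):
    """Negative if a beats b, positive if b beats a; each step decides only on a difference."""
    if a.weight != b.weight:
        return b.weight - a.weight                               # 1. highest weight
    if a.local_pref != b.local_pref:
        return b.local_pref - a.local_pref                       # 2. highest LOCAL_PREF
    if a.locally_originated != b.locally_originated:
        return -1 if a.locally_originated else 1                 # 3. locally originated
    if len(a.as_path) != len(b.as_path):
        return len(a.as_path) - len(b.as_path)                   # 4. shortest AS_PATH
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:
        return ORIGIN_RANK[a.origin] - ORIGIN_RANK[b.origin]     # 5. lowest ORIGIN
    if a.neighbor_as() == b.neighbor_as() and a.med != b.med:
        return a.med - b.med                                     # 6. lowest MED, same neighbor AS only
    if a.ebgp != b.ebgp:
        return -1 if a.ebgp else 1                               # 7. eBGP over iBGP
    if a.igp_metric != b.igp_metric:
        return a.igp_metric - b.igp_metric                       # 8. nearest next hop
    if a.ebgp and b.ebgp and a.age != b.age:
        return b.age - a.age                                     # 9. oldest eBGP path (stability)
    if _ip(a.router_id) != _ip(b.router_id):
        return _ip(a.router_id) - _ip(b.router_id)               # 10. lowest router ID
    return _ip(a.neighbor) - _ip(b.neighbor)                     # 11. lowest neighbor address


def best_path(local_asn, candidates):
    """Drop looped paths, then keep the winner of successive pairwise comparisons.
    Pairwise evaluation in arrival order is the Cisco default; with MED involved the
    outcome can depend on order, which is what 'bgp deterministic-med' exists to fix."""
    usable = [p for p in candidates if local_asn not in p.as_path]   # AS_PATH loop prevention
    best = None
    for p in usable:
        if best is None or compare(p, best) < 0:
            best = p
    return best


if __name__ == "__main__":
    # The text's example: Route 1 wins on LOCAL_PREF although its AS_PATH is longer.
    route1 = Path("10.1.0.0/16", "203.0.113.1", (65002, 65003, 65004), local_pref=200,
                  router_id="203.0.113.1", neighbor="203.0.113.1")
    route2 = Path("10.1.0.0/16", "203.0.113.2", (65005, 65004), local_pref=100,
                  router_id="203.0.113.2", neighbor="203.0.113.2")
    print("selected next hop:", best_path(65001, [route2, route1]).next_hop)
```

The loop filter is deliberately the first thing that runs: a path carrying the local ASN is discarded before any attribute is looked at, no matter how attractive its LOCAL_PREF, which is the behaviour an attacker cannot override by tuning attributes.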
Route Aggregation
Combining multiple routes into a single advertisement:
## Advertise the aggregate and still advertise the more specific routes
router bgp 65001
aggregate-address 10.0.0.0 255.0.0.0
## Advertise only the aggregate and suppress the more specifics
aggregate-address 10.0.0.0 255.0.0.0 summary-only
## Carry an AS_SET of the contributing routes' AS numbers so loop detection still works across them
aggregate-address 10.0.0.0 255.0.0.0 as-set
## The aggregate is only generated while at least one contributing route is present in the BGP table
Example:
Before aggregation:
10.1.0.0/16
10.2.0.0/16
10.3.0.0/16
10.4.0.0/16
After aggregation:
10.0.0.0/8 (with summary-only)
BGP Route Filtering
Prefix Lists
## Allow specific prefixes
ip prefix-list CUSTOMER-IN permit 192.0.2.0/24
ip prefix-list CUSTOMER-IN permit 198.51.100.0/24
ip prefix-list CUSTOMER-IN deny 0.0.0.0/0 le 32
router bgp 65001
neighbor 203.0.113.1 prefix-list CUSTOMER-IN in
AS Path Filtering
## Block routes from specific AS
ip as-path access-list 1 deny _65003_
ip as-path access-list 1 permit .*
route-map FILTER-AS permit 10
match as-path 1
router bgp 65001
neighbor 203.0.113.1 route-map FILTER-AS in
Route Maps
## Complex filtering with multiple criteria
route-map CUSTOMER-POLICY permit 10
match ip address prefix-list CUSTOMER-PREFIXES
match as-path 10
set local-preference 150
set community 65001:100
router bgp 65001
neighbor 203.0.113.1 route-map CUSTOMER-POLICY in
BGP Security
Authentication
## TCP MD5 signature option (RFC 2385): segments without a valid digest, including spoofed RSTs, are dropped.
## MD5 is a weak hash and the password is a shared secret; prefer TCP-AO (RFC 5925) where both platforms support it
router bgp 65001
neighbor 203.0.113.1 password MyS3cureP@ssw0rd
RPKI (Resource Public Key Infrastructure)
Validates route origin:
## Point the router at an RPKI validator cache over the RTR protocol (RFC 8210). Port 323 is plain TCP with
## no transport protection, so keep the cache on a trusted management network (or use the SSH transport)
router bgp 65001
bgp rpki server tcp 192.0.2.100 port 323 refresh 60
## Use the validation state in policy: accept valid, de-prefer not-found, drop invalid.
## IOS already excludes invalid routes from best-path selection once an RPKI server is configured;
## 'bgp bestpath prefix-validate allow-invalid' hands that decision to the route-map instead
route-map RPKI-FILTER permit 10
match rpki valid
route-map RPKI-FILTER permit 20
match rpki not-found
set local-preference 50
route-map RPKI-FILTER deny 30
match rpki invalid
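Route origin validation as the route-map above applies it, written out as an added Python example (not the article's code and not a validator implementation). The VRP list stands in for what an RTR cache would deliver and is constructed for the example, as are the prefixes and ASNs:

```python
"""Route Origin Validation (RFC 6811) against validated ROA payloads, plus the policy the
RPKI-FILTER route-map expresses: accept valid, de-prefer not-found, drop invalid.
Added example, not the article's code; the VRPs, prefixes and ASNs are constructed."""
import ipaddress

# Validated ROA payloads as an RTR cache (RFC 8210) would deliver them: (prefix, maxLength, ASN).
# ASN 0 is the RFC 7607 "nobody may originate this prefix" ROA.
VRPS = [
    ("192.0.2.0/24", 24, 65002),
    ("198.51.100.0/24", 26, 65003),
    ("203.0.113.0/24", 24, 0),
]


def origin_as(as_path):
    """Rightmost ASN of an AS_SEQUENCE-only path (a path ending in an AS_SET has no single origin)."""
    return as_path[-1] if as_path else None


def validate(prefix, origin, vrps=VRPS):
    """Return 'valid', 'invalid' or 'not-found' for a (prefix, origin AS) pair."""
    route = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa_prefix, maxlen, asn in vrps:
        roa = ipaddress.ip_network(roa_prefix)
        if roa.version != route.version or not route.subnet_of(roa):
            continue                                   # not a covering ROA
        covered = True
        if asn == origin and route.prefixlen <= maxlen:
            return "valid"                             # one matching ROA suffices
    return "invalid" if covered else "not-found"       # covered without a match = invalid


def apply_rov_policy(route, vrps=VRPS):
    """Mirror route-map RPKI-FILTER: adjusted copy of the route, or None when it is dropped."""
    state = validate(route["prefix"], origin_as(route["as_path"]), vrps)
    if state == "invalid":
        return None                                    # deny 30: never reaches best-path
    result = dict(route, rpki=state)
    if state == "not-found":
        result["local_pref"] = 50                      # permit 20: usable but de-preferred
    return result                                      # permit 10: unchanged


if __name__ == "__main__":
    announcements = [
        {"prefix": "192.0.2.0/24", "as_path": (65002,), "local_pref": 100},        # legitimate
        {"prefix": "192.0.2.0/25", "as_path": (65002,), "local_pref": 100},        # exceeds maxLength
        {"prefix": "192.0.2.0/24", "as_path": (65666,), "local_pref": 100},        # origin hijack
        {"prefix": "10.1.0.0/16", "as_path": (65002, 65003), "local_pref": 100},  # no ROA at all
    ]
    for a in announcements:
        print(a["prefix"], "from AS", origin_as(a["as_path"]), "->", apply_rov_policy(a))
```

The 192.0.2.0/25 case is the one to watch: a more specific announcement from the legitimate origin AS is invalid once it exceeds the ROA's maxLength, which is exactly why a loose maxLength weakens ROV against sub-prefix hijacks. ROV also only checks the origin; a hijacker who prepends the legitimate origin AS to a forged path still passes, and that gap is what BGPsec targets.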
BGPsec
Cryptographically secures AS_PATH:
Current Status: Standardized but limited deployment
RFC 8205: BGPsec Protocol Specification
Prefix Filtering Best Practices
## IOS applies one inbound prefix-list per neighbor, so the bogon and default-route checks live in the same list.
## Order matters (first match wins) and a route that matches no permit entry is denied, so the closing
## permit is what lets legitimate prefixes through; a list made only of deny entries rejects everything.
ip prefix-list BOGONS deny 0.0.0.0/0
ip prefix-list BOGONS deny 0.0.0.0/8 le 32
ip prefix-list BOGONS deny 10.0.0.0/8 le 32
ip prefix-list BOGONS deny 100.64.0.0/10 le 32
ip prefix-list BOGONS deny 127.0.0.0/8 le 32
ip prefix-list BOGONS deny 169.254.0.0/16 le 32
ip prefix-list BOGONS deny 172.16.0.0/12 le 32
ip prefix-list BOGONS deny 192.168.0.0/16 le 32
ip prefix-list BOGONS deny 224.0.0.0/3 le 32
## Accept everything else between /8 and /24; the default route stays denied unless this peer is expected to send one
ip prefix-list BOGONS permit 0.0.0.0/0 ge 8 le 24
router bgp 65001
neighbor 203.0.113.1 prefix-list BOGONS in
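Prefix-list evaluation as an added Python example that covers both the CUSTOMER-IN style lists in the Route Filtering section and the bogon list above (not the article's code; the two configurations inside the block are constructed for it). It implements the IOS rules: entries are tried in order, the first match decides, ge/le bound the route's prefix length, and a route that matches nothing is denied:

```python
"""IOS-style prefix-list evaluation: entries are tried in order, the first match decides,
ge/le bound the route's prefix length, and a route that matches nothing is denied.
Added example, not the article's code; both configurations below are constructed for it."""
import ipaddress

# A bogon list written with deny entries only: the implicit deny at the end rejects everything.
DENY_ONLY = """
ip prefix-list BOGONS deny 10.0.0.0/8 le 32
ip prefix-list BOGONS deny 172.16.0.0/12 le 32
ip prefix-list BOGONS deny 192.168.0.0/16 le 32
"""

# Same intent done right: drop the default route and bogons, then permit the rest up to /24.
CORRECTED = """
ip prefix-list BOGONS seq 5 deny 0.0.0.0/0
ip prefix-list BOGONS seq 10 deny 10.0.0.0/8 le 32
ip prefix-list BOGONS seq 15 deny 172.16.0.0/12 le 32
ip prefix-list BOGONS seq 20 deny 192.168.0.0/16 le 32
ip prefix-list BOGONS seq 25 deny 169.254.0.0/16 le 32
ip prefix-list BOGONS seq 30 deny 127.0.0.0/8 le 32
ip prefix-list BOGONS seq 100 permit 0.0.0.0/0 ge 8 le 24
"""


def parse_prefix_lists(config):
    """Return {name: [(action, network, ge, le), ...]} in configuration order."""
    lists = {}
    for line in config.strip().splitlines():
        tok = line.split()
        if tok[:2] != ["ip", "prefix-list"]:
            continue                                   # comments and other config lines
        name, i = tok[2], 3
        if tok[i] == "seq":
            i += 2                                     # sequence numbers only fix the order
        action, net = tok[i], ipaddress.ip_network(tok[i + 1], strict=False)
        ge = le = None
        for key, val in zip(tok[i + 2::2], tok[i + 3::2]):
            if key == "ge":
                ge = int(val)
            elif key == "le":
                le = int(val)
        lists.setdefault(name, []).append((action, net, ge, le))
    return lists


def entry_matches(entry, route):
    """IOS matching: route lies inside the entry prefix and its length is within [ge, le]."""
    _, net, ge, le = entry
    if route.version != net.version or not route.subnet_of(net):
        return False
    if ge is None and le is None:
        lo = hi = net.prefixlen                        # no ge/le: exact length only
    else:
        lo = ge if ge is not None else net.prefixlen
        hi = le if le is not None else net.max_prefixlen
    return lo <= route.prefixlen <= hi


def evaluate(entries, prefix):
    """Action of the first matching entry; no match is an implicit deny."""
    route = ipaddress.ip_network(prefix, strict=False)
    for entry in entries:
        if entry_matches(entry, route):
            return entry[0]
    return "deny"


def filter_routes(entries, prefixes):
    """Prefixes that survive the list, in their original order."""
    return [p for p in prefixes if evaluate(entries, p) == "permit"]


if __name__ == "__main__":
    received = ["192.0.2.0/24", "10.1.0.0/16", "198.51.100.0/24", "0.0.0.0/0", "192.0.2.0/25"]
    for name, cfg in (("deny-only", DENY_ONLY), ("corrected", CORRECTED)):
        print(name, "accepts:", filter_routes(parse_prefix_lists(cfg)["BOGONS"], received))
```

Feeding the deny-only list shows the implicit deny swallowing every legitimate prefix along with the bogons, which is the failure mode to test for offline before a new filter is applied to a production neighbor; the corrected list passes 192.0.2.0/24 and 198.51.100.0/24 and drops the default route, the private /16 and the /25 that is longer than the le 24 ceiling.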
BGP Troubleshooting
Common Commands
## Verify BGP session status
show ip bgp summary
## View BGP table
show ip bgp
## Check specific prefix
show ip bgp 10.1.0.0/16
## View detailed neighbor info
show ip bgp neighbors 203.0.113.1
## Check advertised routes (what is sent after outbound policy)
show ip bgp neighbors 203.0.113.1 advertised-routes
## Check received routes before inbound policy (requires 'neighbor 203.0.113.1 soft-reconfiguration inbound')
show ip bgp neighbors 203.0.113.1 received-routes
## View route map processing
show route-map CUSTOMER-POLICY
## Debug BGP (use carefully in production)
debug ip bgp updates
debug ip bgp keepalives
Common Issues
Session not establishing
Troubleshooting steps:
1. Verify TCP connectivity (telnet <neighbor> 179 from the router, sourced from the address the peer expects)
2. Check that the configured remote-as matches the AS the peer announces in its OPEN (NOTIFICATION 2/2, Bad Peer AS)
3. Verify authentication passwords match (a mismatch drops the TCP segments, so the session sits in Active)
4. Check firewall rules and ACLs for TCP 179 in both directions
5. Review router-id configuration (the session will not come up if both peers use the same router ID)
6. Check TTL: ebgp-multihop or ttl-security must be set on both sides when the peers are not directly connected
Routes not advertised
Checklist:
1. Route exists in routing table
2. network statement configured
3. Outbound route-map/prefix-list allows prefix
4. BGP synchronization disabled (older IOS)
5. next-hop reachable
Routes not installed
Reasons:
1. Better path exists (check decision process)
2. next-hop unreachable
3. Route filtered by inbound policy
4. AS_PATH contains own AS (loop)
BGP Scaling Considerations
Route Reflectors
Eliminate the iBGP full-mesh requirement: a reflector re-advertises routes learned from one client to the others, adding ORIGINATOR_ID and CLUSTER_LIST attributes so reflected routes can still be loop-checked:
Traditional iBGP: n(n-1)/2 sessions for n routers (45 sessions for 10 routers)
Route Reflector: n-1 sessions to a single reflector (deploy two for redundancy)
Configuration:
router bgp 65001
neighbor 192.168.1.2 remote-as 65001
neighbor 192.168.1.2 route-reflector-client
Confederations
Divide the AS into member sub-ASes that run eBGP-style sessions between them while appearing as one AS to the outside world:
Confederation identifier (the public AS): 65001
Member sub-AS numbers (private, stripped before leaving the confederation): 65101, 65102, 65103
router bgp 65101
bgp confederation identifier 65001
bgp confederation peers 65102 65103
Peer Groups
Apply one policy to many neighbors (on IOS members share the outbound policy; remote-as can be set per neighbor):
router bgp 65001
neighbor CUSTOMERS peer-group
neighbor CUSTOMERS route-map CUSTOMER-IN in
neighbor CUSTOMERS route-map CUSTOMER-OUT out
neighbor 203.0.113.1 remote-as 65002
neighbor 203.0.113.1 peer-group CUSTOMERS
neighbor 203.0.113.2 remote-as 65003
neighbor 203.0.113.2 peer-group CUSTOMERS
neighbor 203.0.113.3 remote-as 65004
neighbor 203.0.113.3 peer-group CUSTOMERS
Real-World BGP Scenarios
Multihoming
Connecting to multiple ISPs:
Objectives:
1. Redundancy
2. [Load balancing](https://terabyte.systems/posts/load-balancing-algorithms-and-strategies/)
3. Optimal path selection
Strategies:
- Accept default route only
- Accept partial routes
- Accept full routes (requires significant resources)
Traffic Engineering
Controlling inbound and outbound traffic:
## Outbound: raise LOCAL_PREF on routes learned from ISP1 so this AS exits through ISP1
route-map PREFER-ISP1 permit 10
set local-preference 200
## Inbound: prepend your own ASN toward ISP2 so paths through ISP2 look longer to the rest of the Internet.
## Prepend only your own ASN: another AS seeing its own number in the path will discard the route as a loop
route-map PREPEND-AS permit 10
set as-path prepend 65001 65001 65001
router bgp 65001
neighbor 203.0.113.1 route-map PREFER-ISP1 in
neighbor 203.0.113.2 route-map PREPEND-AS out
Internet Exchange Points (IXP)
Peering at IXPs:
Benefits:
- Reduced latency
- Lower costs
- Increased resilience
- Direct interconnection
Setup:
router bgp 65001
neighbor 198.51.100.10 remote-as 65002
neighbor 198.51.100.10 description IXP-PEER-AS65002
neighbor 198.51.100.10 route-map IXP-IN in
neighbor 198.51.100.10 route-map IXP-OUT out
BGP Best Practices
Always filter routes
- Inbound: Accept only expected prefixes
- Outbound: Advertise only owned prefixes
Use authentication
- MD5 passwords minimum
- Consider TCP AO (RFC 5925)
Monitor BGP health
- Session states
- Route counts
- Update rates
Document policies
- Maintain clear routing policies
- Document communities and their meanings
- Keep AS-path filters up to date
Plan for growth
- Route reflectors for scaling
- Adequate memory/CPU resources
- Consider full table requirements
Implement security measures
- RPKI route origin validation on received routes, and ROAs published for your own prefixes
- Maximum prefix limits on every neighbor, so a leaked full table tears down the session instead of exhausting the router
- Session protection: TCP-AO or MD5 plus ttl-security (GTSM, RFC 5082) on eBGP sessions
Test changes carefully
- Use route simulation
- Test in lab environment
- Implement during maintenance windows
Conclusion
BGP is the critical protocol that enables the Internet’s interconnected network of networks. Its flexibility through policy-based routing makes it powerful but also complex. Understanding BGP fundamentals—autonomous systems, attributes, decision process, and security considerations—is essential for managing Internet-scale networks.
Key takeaways:
- BGP uses path attributes, not metrics, for routing decisions
- Policy control is achieved through route filtering and attribute manipulation
- Security measures like RPKI are increasingly important
- Proper filtering protects both your network and the global Internet
- Scalability requires careful design with route reflectors or confederations
As networks continue to grow and evolve, BGP remains the cornerstone of Internet routing, adapting through extensions and best practices to meet new challenges while maintaining backward compatibility with decades of existing infrastructure.