Describe, configure, and verify BGP peer relationships and authentication

The Border Gateway Protocol (BGP) is the standardized exterior gateway protocol used to exchange routing and reachability information between autonomous systems on the internet. BGP neighbors are called peers. A peering is established by manual configuration on both routers, which creates a TCP session on port 179. BGP speakers send a 19 byte keepalive message every 30 seconds to maintain the connection. Among routing protocols, BGP is unique in using TCP as its transport protocol. In this chapter, you will learn how to configure and verify BGP peer relationships and authentication.

3.30.a Peer group

A peer group is a set of BGP neighbors that share the same outbound policy, while their inbound policies may differ. iBGP peers receive the same updates all the time, which makes them an ideal candidate for a peer group. The advantage behind this simplified configuration is that updates are generated once per peer group rather than once per neighbor. BGP peer groups are mainly used to improve performance and to simplify configuration. A further advantage is the reduction in router resources consumed when updates are sent to BGP neighbors. Peer groups also reduce the amount of configuration required on a router and centralize BGP administration.

Peer groups have the following requirements:

  • You can customize the inbound update policy for any member of the peer group.
  • A peer group must be either external or internal. Members of an external peer group can have different autonomous system numbers.
  • All members of the peer group must share identical inbound announcement policies, except for default-originate, which is handled on a per-peer basis even for peer group members.

How to use peer groups:

BGP peers on a router are normally grouped into peer groups based on their outbound update policies. The peer groups most commonly used by ISPs are listed below:
  • iBGP client peer group for the reflection peers on a route reflector
  • Normal iBGP peer group for the normal iBGP peers
  • eBGP full routes for peers that receive full internet routes
  • eBGP default routes for peers that receive a default route and possibly some other routes
  • eBGP customer routes for peers that receive only the routes from the ISP's direct customers

Follow the steps below to create and use a peer group:

Enter the neighbor group-name peer-group command to create the peer group, where group-name is the name assigned to the peer group in the example below.

Enter the command neighbor ip-address peer-group group-name, which makes the neighbor a member of the peer group.

You can reset the connections to the members of the group with the command clear ip bgp peer-group group-name.

The above shows how to configure a BGP peer group on the border router in AS 64520. The loopback IP address is used as the source of the BGP packets. Assume that the border router has connections to all the devices in AS 64520. If a BGP peer group is not used, the configuration on the border router will be as below:

With that configuration, a BGP update is generated for each neighbor; when a peer group is used, the update is generated once per peer group. With a peer group, the border router configuration will be as follows:

The BGP peer group name used in the configuration is local. To verify the configuration, use the command "show ip bgp peer-group peer-group-name".
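The following is an added example, not configuration from the original text: a small audit of a neighbor table against the peer group rules above (a group must be all-internal or all-external; updates are generated once per group instead of once per neighbor). It also flags eBGP neighbors without a password, since the authentication section below notes that most ISPs require it. The local AS 64520 is from the text; the neighbor addresses and group names are constructed.

```python
LOCAL_AS = 64520  # the border router's AS, as in the text

# Constructed neighbor table standing in for the border router's BGP configuration
# (hypothetical addresses, peer group names and passwords; not from the original page).
NEIGHBORS = [
    {"ip": "10.0.0.2", "remote_as": 64520, "peer_group": "local", "password": None},
    {"ip": "10.0.0.3", "remote_as": 64520, "peer_group": "local", "password": None},
    {"ip": "10.0.0.4", "remote_as": 64520, "peer_group": "local", "password": None},
    {"ip": "192.0.2.9", "remote_as": 64500, "peer_group": "upstream", "password": "s3cret"},
    {"ip": "192.0.2.13", "remote_as": 64500, "peer_group": "upstream", "password": None},
    {"ip": "198.51.100.5", "remote_as": 64520, "peer_group": "upstream", "password": "x"},
]

def audit(local_as, neighbors):
    """Return findings for peer groups that mix iBGP and eBGP members and for
    eBGP neighbors that have no MD5 password configured."""
    findings = []
    groups = {}
    for n in neighbors:
        if n["peer_group"]:  # ungrouped neighbors are checked individually only
            groups.setdefault(n["peer_group"], []).append(n)
    for name, members in groups.items():
        # A peer group must be either internal or external, never a mix.
        kinds = {"iBGP" if m["remote_as"] == local_as else "eBGP" for m in members}
        if len(kinds) > 1:
            findings.append(f"peer-group {name}: mixes iBGP and eBGP members")
    for n in neighbors:
        if n["remote_as"] != local_as and not n["password"]:
            findings.append(f"neighbor {n['ip']}: eBGP peer without MD5 password")
    return findings

def update_generations(neighbors):
    """(updates generated without peer groups, updates generated with them):
    one per neighbor versus one per peer group plus one per ungrouped neighbor."""
    grouped = {n["peer_group"] for n in neighbors if n["peer_group"]}
    ungrouped = sum(1 for n in neighbors if not n["peer_group"])
    return len(neighbors), len(grouped) + ungrouped

if __name__ == "__main__":
    for finding in audit(LOCAL_AS, NEIGHBORS):
        print(finding)
    print("update generations (per neighbor, per group):", update_generations(NEIGHBORS))
```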

BGP supports MD5 authentication between neighbors using a shared password. It is configured under BGP router configuration mode with the neighbor {ip-address | peer-group-name} password password command. When authentication is configured, BGP authenticates each TCP segment from the peer and checks the source of each routing update. Most ISPs require authentication for eBGP peers. The peering succeeds only when both routers are configured for authentication and have the same password. If the router has a password configured for the neighbor but the neighbor router does not, you will see the following console message when the routers attempt to establish the BGP session:

%TCP-6-BADAUTH: No MD5 digest from [peer's IP address]:11003 to [local router's IP address]:179

Similarly, if the two routers have different passwords configured, the message is as below:

%TCP-6-BADAUTH: Invalid MD5 digest from [peer's IP address]:11004 to [local router's IP address]:179
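As an added example (not from the original text), the detection logic below parses the two %TCP-6-BADAUTH message forms shown above and attributes them to a cause per peer: "No MD5 digest" means the peer sent no signature (no password configured on its side), "Invalid MD5 digest" means it signed with a different password. The sample log lines and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the format the text shows (not from real devices).
SAMPLE_LOG = """\
%TCP-6-BADAUTH: No MD5 digest from 192.0.2.2:11003 to 192.0.2.1:179
%TCP-6-BADAUTH: Invalid MD5 digest from 198.51.100.7:11004 to 192.0.2.1:179
%TCP-6-BADAUTH: Invalid MD5 digest from 198.51.100.7:11005 to 192.0.2.1:179
%BGP-5-ADJCHANGE: neighbor 203.0.113.9 Up
"""

BADAUTH_RE = re.compile(
    r"%TCP-6-BADAUTH: (?P<kind>No|Invalid) MD5 digest from "
    r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) to "
    r"(?P<local>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)

def parse_badauth(line):
    """Return a dict describing a %TCP-6-BADAUTH line, or None for any other message."""
    m = BADAUTH_RE.search(line)
    if not m:
        return None
    # "No MD5 digest": peer sent no TCP MD5 option, i.e. it has no password configured.
    # "Invalid MD5 digest": peer signed the segment, but with a different password.
    cause = "peer_missing_password" if m.group("kind") == "No" else "password_mismatch"
    return {
        "peer": m.group("peer"),
        "peer_port": int(m.group("sport")),
        "local": m.group("local"),
        "local_port": int(m.group("dport")),
        "cause": cause,
    }

def summarize(log_text):
    """Count BADAUTH events per (peer, cause) so a mismatch is traced to one neighbor."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_badauth(line)
        # Either side may hold port 179 depending on which peer is client or server.
        if ev and 179 in (ev["local_port"], ev["peer_port"]):
            counts[(ev["peer"], ev["cause"])] += 1
    return dict(counts)

if __name__ == "__main__":
    for (peer, cause), n in summarize(SAMPLE_LOG).items():
        print(f"{peer}: {cause} x{n}")
```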

3.30.b Active, Passive

A routing protocol is used to exchange routing information across the internet, and BGP is the inter-autonomous-system routing protocol. In the Active state, the router was unable to establish a successful TCP connection with the peer. In this state the BGP peer ignores a start event and resets the ConnectRetry timer.

The BGP routing process tries to establish a TCP session with the peer. If the session is established successfully, an OPEN message is sent to the peer, the hold timer is set to a large value and the local router transitions to the OpenSent state. If the TCP session fails to establish, the local router initiates another session and sets the ConnectRetry timer.

The neighbor with the lower IP address can establish the connection to the remote peer on TCP port 179 from a random source port. In that case, the remote peer becomes the server and the local peer becomes the client. This peering relationship can change when the BGP process is cleared on either peer or the underlying BGP connection is torn down for some reason. IOS supports setting one peer as the client and the other as the server if you want to.

Here R2 and R1 have an eBGP peering, where R1 is in AS 100 and R2 is in AS 200.

The connected routes are redistributed to ensure that BGP is exchanging prefixes. The BGP connection information is given below.

R1 is the client and R2 is the server with local port 179. In the session below, the peering arrangement changes from R1 being the client to R1 being the server.

It is also possible under IOS to hard-code one peer as the client and the other as the server, for example when there is some kind of firewalling on the peer side or you want to fix which neighbor becomes the server and which becomes the client. This is done under the neighbor statement; here R1 is configured as the server and R2 as the client.

Active: being the client

Passive: being the server

Here, the server/client relationship is not changed.

3.30.c States and timers

To make decisions about its operations with a peer, BGP uses a simple finite state machine that consists of 6 states. For each peer-to-peer session, the BGP implementation maintains a state variable. The BGP timers are the hold-down and keepalive timer intervals. By default, the keepalive timer is 60 seconds and the hold-down timer is 180 seconds, or 3 times the keepalive. BGP defines the messages that each peer must exchange in order to move a session from one state to another.

Idle state:

In this state, BGP refuses all incoming BGP connections. In response to a start event, the local system initializes all BGP resources, initiates a transport connection to the other BGP peer, starts the ConnectRetry timer while listening for a connection that may be initiated by the remote BGP peer, and changes the state to Connect. Before the start event, no resources are allocated to the peer. The exact value of the ConnectRetry timer is a local matter, but it must be large enough to allow TCP initialization.

If the BGP speaker detects any error, it shuts down the connection and changes the state to Idle. If the start event that gets the speaker out of the Idle state is generated automatically, persistent BGP errors can result in the speaker flapping persistently. To avoid this condition, it is highly recommended that the start event not be generated immediately for a peer that previously transitioned to Idle due to an error. For such peers, the time between consecutive automatically generated start events shall increase exponentially. The initial timer value shall be sixty seconds, and the time doubles for each consecutive retry. Any other events received in the Idle state are ignored.

Connect state:

In this state, BGP waits for a successful TCP negotiation with the peer. BGP does not spend much time in this state if the TCP session is established successfully: it sends an OPEN message to the peer and changes the state to OpenSent. If the transport protocol fails to connect, the local system restarts the ConnectRetry timer, continues to listen for a connection initiated by the remote BGP peer, and changes the state to Active. Start events are ignored in the Active state. In response to any other event, the local system releases all BGP resources associated with the connection and changes the state to Idle. If an error occurs, BGP moves to the Active state. Reasons for the error include TCP port 179 not being open, the random TCP port above 1023 not being open, the AS number being configured incorrectly on either router, and the peer address being configured incorrectly on either router.

Active state:

If a router was unable to establish a successful TCP session, it ends up in the Active state. The BGP finite state machine tries to start another TCP session with the peer and, if successful, sends an OPEN message to the peer. If it is unsuccessful again, the FSM is reset to the Idle state. Repeated failures result in the router cycling between the Active and Idle states. Reasons include a flapping network interface, network congestion, TCP port 179 not being open and the random TCP port above 1023 not being open.

Opensent state:

In this state, the BGP finite state machine waits for an OPEN message from the peer. Once the message is received, the router checks the validity of the OPEN message. If there is an error, it is because one of the fields in the OPEN message does not match between the peers; examples include an MD5 password mismatch, a BGP version mismatch, and the peering router expecting a different My AS value. The router sends a NOTIFICATION message to the peer indicating the reason for the error. If no error occurs, a KEEPALIVE message is sent, the various timers are set and the state changes to OpenConfirm.

Openconfirm state:

In this state, the router is listening for a KEEPALIVE message from the peer. If the KEEPALIVE is received and no timer expires before it arrives, BGP transitions to the Established state.

Established state:

The peers send UPDATE messages to exchange information about each route being advertised to the BGP peer.
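The six-state machine and timer behaviour described above, as an added simulation that is not part of the original text (a simplified model, not a full BGP implementation). It uses the defaults the text gives, keepalive 60 s and hold 180 s (3 x keepalive), and the 60 s initial retry delay that doubles after each error-induced return to Idle; the event names are this example's own.

```python
KEEPALIVE = 60                # default seconds between KEEPALIVE messages
HOLD_TIME = 3 * KEEPALIVE     # 180 s: session dropped if nothing is heard for this long
INITIAL_RETRY = 60            # first delay before an automatic start after an error
# (state, event) -> next state, following the six-state machine in the text
TRANSITIONS = {
    ("Idle", "start"): "Connect",
    ("Connect", "tcp_ok"): "OpenSent",         # TCP session up: OPEN is sent
    ("Connect", "tcp_fail"): "Active",         # restart ConnectRetry, keep listening
    ("Active", "tcp_ok"): "OpenSent",
    ("Active", "tcp_fail"): "Idle",            # failed again: release resources
    ("OpenSent", "open_valid"): "OpenConfirm", # KEEPALIVE sent, timers set
    ("OpenSent", "open_invalid"): "Idle",      # NOTIFICATION sent (AS/version/MD5 mismatch)
    ("OpenConfirm", "keepalive"): "Established",
    ("OpenConfirm", "hold_expired"): "Idle",
    ("Established", "hold_expired"): "Idle",
}

class BgpPeer:
    """One peer's FSM state plus the exponential retry backoff the text describes."""
    def __init__(self):
        self.state = "Idle"
        self.retry_delay = INITIAL_RETRY  # wait before the next automatic start event
        self.next_start_at = 0            # simulated clock time of that start event
        self.hold_timer = None            # armed once the peer's OPEN has been accepted
    def handle(self, event, now=0):
        """Apply one event at simulated time `now`; events not valid here are ignored."""
        nxt = TRANSITIONS.get((self.state, event))
        if nxt is None:
            return self.state
        if nxt == "Idle":
            # Error-induced return to Idle: drop timers and back off exponentially
            # so a persistently failing peer does not flap the session.
            self.hold_timer = None
            self.next_start_at = now + self.retry_delay
            self.retry_delay *= 2
        elif nxt == "OpenConfirm":
            self.hold_timer = HOLD_TIME
        elif nxt == "Established":
            self.retry_delay = INITIAL_RETRY  # healthy session resets the backoff
        self.state = nxt
        return nxt

def retry_schedule(failures):
    """Clock times of the automatic start events after `failures` consecutive TCP failures."""
    peer, now, times = BgpPeer(), 0, []
    for _ in range(failures):
        for ev in ("start", "tcp_fail", "tcp_fail"):  # Idle -> Connect -> Active -> Idle
            peer.handle(ev, now)
        now = peer.next_start_at
        times.append(now)
    return times
```

Running retry_schedule(3) shows the start events spacing out to 60 s, 120 s and then 240 s apart, which is the flap damping the Idle state description calls for.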

Most internet service providers use BGP to route between one another, and BGP is one of the most important protocols on the internet. When BGP runs between two peers in the same autonomous system it is referred to as internal BGP, and when it runs between different autonomous systems it is referred to as external BGP. BGP is the glue that holds the internet together. It indicates liveness in both directions. This chapter has given you an idea of active and passive BGP peering and of the BGP states and timers.
