BGP Cookbook for Connecting to AIXP Exchanges
Prerequisites
- Public Autonomous System Number (ASN) as issued by ARIN. See the application form at https://www.arin.net/resources/request/asn.html
- Edge router capable of running BGP4+. The memory requirements for peering with our exchanges are moderate, since there are fewer than 200,000 routes. However, peering with an ISP may require handling almost 1,000,000 IPv4 routes, which can be a memory hog if you do not use default routing. If you need more info, please ask.
Router Config
This router configuration is for Cisco. It can be adapted for JunOS, Quagga, BIRD, and others. Fields that are in red italics are ones that must be customized for each client and each exchange. Fields that are in blue italics are typical for peering at HFXIX, but must be updated for peering at our other exchanges.
Configure your router port. The actual IP addresses will be assigned to you by AIXP. The lines that start “ipv6 nd” are there to make sure the router port does not advertise itself to IXP peers with IPv6 autoconfig router advertisements. Different router models may use slightly different syntax (e.g. “ipv6 nd prefix default no-advertise” and “ipv6 nd ra suppress”).
interface Gigx/x
description HFXIX peering
ip address 206.130.15.x 255.255.255.0
ipv6 address 2001:504:37:10::xxx/64
ipv6 nd prefix default no-autoconfig no-rtr-address
ipv6 nd suppress-ra
Define a filter list called “My_IPv4_routes_out” (or whatever you want to call it) for locally sourced IPv4 routes, and do the same for IPv6. This is a useful filter to apply to all your BGP peers, since it prevents you from accidentally advertising one peer's routes to another and becoming a transit network between them.
ip prefix-list My_IPv4_routes_out description Outbound IPv4 routes filter list
ip prefix-list My_IPv4_routes_out permit 192.168.0.0/16
ipv6 prefix-list My_IPv6_routes_out description Outbound IPv6 routes filter list
ipv6 prefix-list My_IPv6_routes_out permit 2001:DB8:10::/48
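The effect of these outbound filters can be checked offline before they go on the router. The following is an added example, not part of the AIXP cookbook: a small Python model of prefix-list matching (first match wins, implicit deny at the end), run over a constructed routing table. It goes beyond the page by also modelling the optional ge/le length bounds, which the sample lists do not use; the function names and the sample table are assumptions made for illustration.

```python
import ipaddress

# Entries are (action, prefix, ge, le); None for ge/le means exact length only.
# The two lists mirror the page's sample filters.
MY_IPV4_ROUTES_OUT = [("permit", "192.168.0.0/16", None, None)]
MY_IPV6_ROUTES_OUT = [("permit", "2001:DB8:10::/48", None, None)]

# Constructed BGP table: our aggregates, our more-specifics, and learned routes.
SAMPLE_TABLE = [
    "192.168.0.0/16",      # our aggregate
    "192.168.10.0/24",     # our more-specific
    "198.51.100.0/24",     # learned from a peer (documentation range)
    "203.0.113.0/24",      # learned from an ISP (documentation range)
    "2001:db8:10::/48",    # our IPv6 aggregate
    "2001:db8:10:1::/64",  # our IPv6 more-specific
    "2001:db8:ffff::/48",  # learned from a peer
]

def entry_matches(prefix, ge, le, route):
    """True if route falls under prefix and its length is within the bounds."""
    net = ipaddress.ip_network(prefix)
    rt = ipaddress.ip_network(route)
    if rt.version != net.version or not rt.subnet_of(net):
        return False
    if ge is None and le is None:
        return rt.prefixlen == net.prefixlen  # no ge/le: exact match only
    low = ge if ge is not None else net.prefixlen
    high = le if le is not None else rt.max_prefixlen
    return low <= rt.prefixlen <= high

def prefix_list_action(entries, route):
    """Action of the first matching entry; anything unmatched is denied."""
    for action, prefix, ge, le in entries:
        if entry_matches(prefix, ge, le, route):
            return action
    return "deny"

def announced(entries, table):
    """Routes from the table that the outbound prefix-list lets through."""
    return [r for r in table if prefix_list_action(entries, r) == "permit"]

if __name__ == "__main__":
    print("IPv4 out:", announced(MY_IPV4_ROUTES_OUT, SAMPLE_TABLE))
    print("IPv6 out:", announced(MY_IPV6_ROUTES_OUT, SAMPLE_TABLE))
```

Only the two aggregates pass: routes learned from other peers hit the implicit deny, and so do your own more-specifics unless an entry with a length bound is added for them.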
Start the BGP configuration by identifying your own ASN. Both 16 bit and 32 bit ASNs are usable. An IXP such as HFXIX will not add its own ASN to BGP announcements, so the second line (“no bgp enforce-first-as”) is required for the IXP announcements to be accepted.
router bgp 123456
no bgp enforce-first-as
Define the neighbors and set a password. The IP addresses and password in this example have to be coordinated with AIXP technical staff.
neighbor 206.130.15.2 remote-as 13770
neighbor 206.130.15.2 description >>HFXIX RS1<<
neighbor 206.130.15.2 password password
neighbor 206.130.15.3 remote-as 13770
neighbor 206.130.15.3 description >>HFXIX RS2<<
neighbor 206.130.15.3 password password
Same thing for IPv6.
neighbor 2001:504:37:10::20 remote-as 13770
neighbor 2001:504:37:10::20 description >>HFXIX RS1<<
neighbor 2001:504:37:10::20 password password
neighbor 2001:504:37:10::30 remote-as 13770
neighbor 2001:504:37:10::30 description >>HFXIX RS2<<
neighbor 2001:504:37:10::30 password password
Still working under the “router bgp” clause, activate the IPv4 protocol and apply the prefix filter. The sample route map “HFXIX_community_out” and the filter-list “55” are also used to control route distribution (see “Filter ISP Routes” below).
Some peers may have their own policy about exchanging traffic with you via our exchange. You can control whether you exchange BGP routes with them, in accordance with their policies, with the statements in green italics in this and the following sections.
address-family ipv4
neighbor 206.130.15.2 activate
neighbor 206.130.15.2 send-community
neighbor 206.130.15.2 soft-reconfiguration inbound
neighbor 206.130.15.2 route-map HFXIX_community_out out
neighbor 206.130.15.2 filter-list 55 in
neighbor 206.130.15.2 prefix-list My_IPv4_routes_out out
neighbor 206.130.15.3 activate
neighbor 206.130.15.3 soft-reconfiguration inbound
neighbor 206.130.15.3 send-community
neighbor 206.130.15.3 route-map HFXIX_community_out out
neighbor 206.130.15.3 filter-list 55 in
neighbor 206.130.15.3 prefix-list My_IPv4_routes_out out
exit-address-family
…and activate the IPv6 sessions.
address-family ipv6
neighbor 2001:504:37:10::20 activate
neighbor 2001:504:37:10::20 send-community
neighbor 2001:504:37:10::20 soft-reconfiguration inbound
neighbor 2001:504:37:10::20 route-map HFXIX_community_out out
neighbor 2001:504:37:10::20 filter-list 55 in
neighbor 2001:504:37:10::20 prefix-list My_IPv6_routes_out out
neighbor 2001:504:37:10::30 activate
neighbor 2001:504:37:10::30 send-community
neighbor 2001:504:37:10::30 soft-reconfiguration inbound
neighbor 2001:504:37:10::30 route-map HFXIX_community_out out
neighbor 2001:504:37:10::30 filter-list 55 in
neighbor 2001:504:37:10::30 prefix-list My_IPv6_routes_out out
exit-address-family
Filter ISP Routes
Configurations from here down are optional depending on your arrangements with other peers.
You may not want to peer with everyone via this connection, and they may not want you to either. AIXP can provide other mechanisms to easily set up custom peering. Statements in green italics in this and the previous sections will do the filtering.
Add a community string to your advertisements to prevent them from being sent to your ISP. For the sake of this example we have assumed you wish to have custom peering with two others at the exchange with AS numbers 999 and 12345. This community string says “do not advertise me to ASN 999 or ASN 12345, but do advertise me to everyone else”. See https://aixp.ca/tech-notes/
ip bgp-community new-format
route-map HFXIX_community_out permit 10
set community 0:999
set community 0:12345
set community 13770:13770
You may also want to filter out incoming routes from those networks. In that case you should filter all incoming routes that have their ASN as the first entry. We do that by defining an as-path access list that matches the other network’s ASN as the first entry using a regular expression (regexp). The regexp in the example below says “filter out any AS path that starts with ASN 999 (note: not 9990 or 99923 etc.) or ASN 12345 and may include zero or more ASNs after that, but allow all others”.
For information on regular expressions, especially as they apply to BGP strings, see https://www.cisco.com/c/en/us/td/docs/ios/termserv/configuration/guide/15-mt/tsv-15-MT-book/tsv_reg_express.html
ip as-path access-list 55 deny ^999_
ip as-path access-list 55 deny ^12345_
ip as-path access-list 55 permit .*
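To see which AS paths access list 55 rejects, the regexps can be tried against sample paths before deployment. The following is an added example, not part of the AIXP cookbook: it translates the Cisco “_” metacharacter into a Python regexp and evaluates the three entries in order over constructed AS paths. The function names are assumptions, and ASNs 64496 to 64499 are documentation ASNs used as sample data.

```python
import re

# Characters Cisco's "_" stands for, besides the start and end of the string.
_DELIMS = r"[ ,{}()]"

def cisco_to_python(pattern):
    """Translate the "_" metacharacter of a Cisco AS-path regexp."""
    return pattern.replace("_", rf"(?:^|$|{_DELIMS})")

# Access list 55 as on the page: (action, regexp), evaluated top to bottom.
ACL_55 = [
    ("deny", "^999_"),
    ("deny", "^12345_"),
    ("permit", ".*"),
]

def evaluate(acl, as_path):
    """Action of the first matching entry; implicit deny if nothing matches."""
    for action, pattern in acl:
        if re.search(cisco_to_python(pattern), as_path):
            return action
    return "deny"

# Constructed AS paths as they would arrive from the route server, which
# does not prepend its own ASN, so the first ASN is the announcing peer.
SAMPLE_PATHS = [
    "999",               # originated by AS 999
    "999 64496 64497",   # AS 999 passing on its customers' routes
    "9990 64496",        # different ASN that merely starts with 999
    "99923",             # likewise
    "12345 64498",       # announced by AS 12345
    "123456",            # different ASN that starts with 12345
    "64499 999",         # AS 999 is the origin but not the announcing peer
]

def audit(acl, paths):
    """Map each AS path to the action the access list would take."""
    return {path: evaluate(acl, path) for path in paths}

if __name__ == "__main__":
    for path, action in audit(ACL_55, SAMPLE_PATHS).items():
        print(f"{action:6} {path}")
```

The last sample shows the limit of anchoring on the first ASN: a route that AS 999 originates but another peer announces is still accepted.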