Index
What is Active and Passive BGP peer
Behavior of OS10
Configuring Dell OS10 as Passive Peer
Sample configuration
Initially BGP Peer-1 is in the Idle state. It sends a TCP SYN to the configured Peer-2 with a random source port and destination port 179. Peer-2 responds with a TCP SYN-ACK whose source port is 179 and whose destination port is the random port used by Peer-1. Peer-1 completes the three-way handshake with a TCP ACK.
Once the TCP session is established, BGP moves to the OpenSent state.
In the above scenario,
Peer-1 is the Active or connecting side, as it sends the TCP SYN.
Peer-2 is the Passive or listening side, as it listens on TCP port 179 and answers with the SYN-ACK.
When a BGP speaker is configured as active, it may end up on either the active or passive side of the connection that is eventually established. Once the TCP connection is completed, it does not matter which end was active and which was passive; the only difference is which side of the TCP connection holds port number 179.
- Initially, if OS10 receives a TCP SYN with destination port 179 from a neighbor attempting to form a BGP neighborship, it answers the handshake (SYN-ACK) and lets the neighbor connect.
- If it does not receive any TCP SYN, OS10 actively tries to form the BGP neighborship by sending a TCP SYN with destination port 179.
Note:
- If the peer cannot accept TCP packets with destination port 179, i.e. it can only act as the Active or connecting side, passive peering must be enabled in OS10.
- If you enable passive peering for the peer template, the system does not send an OPEN message but responds to an OPEN message.
- BGP passive peering (IPv4/IPv6) does not support a password until 10.5.4.4. Check the release notes/user guide of newer firmware to see whether support has been added later.
- You can restrict the number of passive sessions the neighbor accepts using the limit command. Because a listen range without a password accepts a session from any address inside that range, keep the range as narrow as the deployment allows and use the limit.
When passive peering is enabled, the switch does not initiate the TCP connection; it only listens for connections on TCP port 179.
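The following Python script is an added example for the two passages above (which side of the handshake is active versus passive, and the rule that a passive OS10 switch only answers on port 179 and never sends the SYN itself). It is not Dell OS10 code. The packet records are constructed by hand to mirror the Peer-1 / Peer-2 exchange described earlier; the addresses 10.0.0.2 (connecting side) and 10.0.0.1 (listening switch) and the ephemeral port are assumptions.

```python
"""Identify the active (connecting) and passive (listening) side of a BGP
TCP session from its three-way handshake, and list any SYNs a given device
originated towards port 179.

Added example, not Dell OS10 code. Packets below are constructed: 10.0.0.2
connects to a listening switch 10.0.0.1 (both addresses are assumptions).
"""
from dataclasses import dataclass
from typing import List, Tuple

BGP_PORT = 179


@dataclass(frozen=True)
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN-ACK, "A" = ACK


# Constructed handshake: Peer-1 (10.0.0.2) opens, Peer-2 (10.0.0.1) listens.
HANDSHAKE: List[TcpPacket] = [
    TcpPacket("10.0.0.2", 45123, "10.0.0.1", BGP_PORT, "S"),
    TcpPacket("10.0.0.1", BGP_PORT, "10.0.0.2", 45123, "SA"),
    TcpPacket("10.0.0.2", 45123, "10.0.0.1", BGP_PORT, "A"),
]


def classify_bgp_session(packets: List[TcpPacket]) -> Tuple[str, str]:
    """Return (active_ip, passive_ip) for a completed BGP handshake.

    The active side sends the first SYN to port 179; the passive side answers
    from port 179 with SYN-ACK; the active side finishes with ACK.  Any
    deviation raises ValueError so a truncated capture is not misread.
    """
    syn = next((p for p in packets if p.flags == "S"), None)
    if syn is None or syn.dport != BGP_PORT:
        raise ValueError("no initial SYN to the BGP port")

    synack = next(
        (p for p in packets
         if p.flags == "SA" and p.src == syn.dst and p.sport == BGP_PORT
         and p.dst == syn.src and p.dport == syn.sport),
        None,
    )
    if synack is None:
        raise ValueError("listening side did not answer with SYN-ACK")

    ack = next(
        (p for p in packets
         if p.flags == "A" and p.src == syn.src and p.sport == syn.sport
         and p.dst == syn.dst and p.dport == BGP_PORT),
        None,
    )
    if ack is None:
        raise ValueError("handshake never completed")

    return syn.src, syn.dst


def syns_originated_by(packets: List[TcpPacket], ip: str) -> List[TcpPacket]:
    """SYNs that `ip` sent towards port 179.

    For a switch with passive peering enabled this list should be empty: it
    only ever answers SYNs on port 179 and never sends them.
    """
    return [p for p in packets
            if p.flags == "S" and p.src == ip and p.dport == BGP_PORT]


if __name__ == "__main__":
    active, passive = classify_bgp_session(HANDSHAKE)
    print(f"active (connecting) side: {active}, passive (listening) side: {passive}")
    print("switch-originated SYNs to 179:", syns_originated_by(HANDSHAKE, "10.0.0.1"))
```

Run against a real capture by filling `TcpPacket` records from the first three packets of each BGP flow; a non-empty result from `syns_originated_by` for the switch's address means the switch is still acting as the connecting side for that session.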
Configuration Syntax
Configuration | Explanation
--- | ---
OS10# configure | Enter configuration mode
OS10(config)# router bgp <AS Number> | Configure BGP
OS10(conf-router-bgp-AS)# template <template-name> | Configure the peer template to which passive peering is applied
OS10(conf-router-template)# listen <IP address/subnet> | Enable peer listening for the given IP address/subnet (Dynamic Peers*)
OS10(conf-router-template)# listen <IP address/subnet> limit <limit> | Optional: set the maximum number of passive peers (Dynamic Peers*) that can be learned dynamically by peer listening. After the specified limit is reached, the next neighbor in the subnet is treated as a normal BGP peer.
OS10(conf-router-template)# exit | Exit the template
OS10(config-router-bgp-AS)# neighbor <IP address> | Enter ROUTER-NEIGHBOR mode for the neighbor
OS10(config-router-neighbor)# inherit template <Name> | Assign the peer template from which the neighbor inherits its settings, in ROUTER-NEIGHBOR mode
*Dynamic Peers = a group of BGP neighbors defined by a range of IP addresses. Here the range is defined as IP/subnet mask.
Consider a DELLOS10 switch that forms BGP peerings with a Router and a Server. The Router has no restriction.
The Server has an inbound firewall rule that blocks TCP destination port 179, so it can only act as the connecting side.
DELLOS10#
DELLOS10# configure terminal
DELLOS10(config)# router bgp 100
DELLOS10(config-router-bgp-100)# template TEST-BGP-PASSIVE
DELLOS10(config-router-template)# listen 10.0.0.2/32
DELLOS10(config-router-template)# exit
DELLOS10(config-router-bgp-100)# neighbor 10.0.0.2
DELLOS10(config-router-neighbor)# inherit template TEST-BGP-PASSIVE
Alternatively, we can specify an IP range to listen on rather than a specific host, and limit the number of connections. In the sample configuration below, the 10.0.0.0/24
subnet is configured to listen for up to 5 neighbors. After this limit is reached, the next neighbor in the subnet is treated as a normal BGP peer.
DELLOS10#
DELLOS10# configure terminal
DELLOS10(config)# router bgp 100
DELLOS10(config-router-bgp-100)# template TEST-BGP-PASSIVE
DELLOS10(config-router-template)# listen 10.0.0.0/24 limit 5
DELLOS10(config-router-template)# exit
DELLOS10(config-router-bgp-100)# neighbor 10.0.0.2
DELLOS10(config-router-neighbor)# inherit template TEST-BGP-PASSIVE
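The following Python script is an added example, not Dell OS10 code, that models the listen/limit rule from the syntax table and the second sample configuration: peers inside the listen prefix are admitted as dynamic passive peers until the limit is reached, after which the next neighbor in the subnet is treated as a normal BGP peer. The peer addresses, the order in which they connect, and the strict prefix check are assumptions made for the example; the rendered CLI lines follow the samples above.

```python
"""Evaluate which peers a 'listen <prefix> limit <n>' template admits, and
render the matching OS10 CLI lines.

Added example, not Dell OS10 code. Applies the article's rule: peers inside the
listen prefix are dynamic passive peers until the limit is reached; the next
neighbor in the subnet is then treated as a normal BGP peer.  Peer addresses
and connection order are constructed for the example.
"""
import ipaddress
from typing import Dict, List, Optional, Sequence

DYNAMIC = "dynamic passive peer"
OVERFLOW = "limit reached, treated as normal BGP peer"
OUTSIDE = "outside listen range, not matched by this template"


def evaluate_listen(listen_prefix: str, limit: Optional[int],
                    peers_in_order: List[str]) -> Dict[str, str]:
    """Classify each connecting peer against one listen statement.

    `listen_prefix` must be a proper network (10.0.0.0/24 or 10.0.0.2/32).
    Strict parsing rejects host bits set in a non-/32 prefix; that guard is
    this example's own choice against a typo, not a documented OS10 rule.
    """
    network = ipaddress.ip_network(listen_prefix, strict=True)
    if limit is not None and limit < 1:
        raise ValueError("limit must be a positive count")

    verdicts: Dict[str, str] = {}
    admitted = 0
    for peer in peers_in_order:  # order matters: the limit is first come, first served
        if ipaddress.ip_address(peer) not in network:
            verdicts[peer] = OUTSIDE
        elif limit is not None and admitted >= limit:
            verdicts[peer] = OVERFLOW
        else:
            admitted += 1
            verdicts[peer] = DYNAMIC
    return verdicts


def render_template(as_number: int, template: str, listen_prefix: str,
                    limit: Optional[int] = None,
                    neighbors: Sequence[str] = ()) -> str:
    """Render the CLI lines shown in the article's samples for the given values."""
    listen_line = f"  listen {listen_prefix}"
    if limit is not None:
        listen_line += f" limit {limit}"
    lines = [f"router bgp {as_number}", f" template {template}", listen_line, "  exit"]
    for n in neighbors:
        lines += [f" neighbor {n}", f"  inherit template {template}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed: seven hosts in 10.0.0.0/24 connect in order, then one outside it.
    peers = [f"10.0.0.{i}" for i in range(2, 9)] + ["10.0.1.5"]
    for peer, verdict in evaluate_listen("10.0.0.0/24", 5, peers).items():
        print(f"{peer:>10}  {verdict}")
    print(render_template(100, "TEST-BGP-PASSIVE", "10.0.0.0/24", 5, ["10.0.0.2"]))
```

Feeding the script the list of hosts expected to peer with the switch shows, before the change is pushed, which of them would fall past the limit; a /32 listen entry with no limit, as in the first sample, admits exactly the one host.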