101
0/228
Loading content...
BGP operates in two fundamentally different modes depending on whether peers are in the same Autonomous System or different ones. External BGP (eBGP) connects different ASes across organizational boundaries. Internal BGP (iBGP) distributes external routing information within an AS.
Although both use the same protocol messages and attributes, their behaviors differ significantly. Understanding these differences is crucial for designing scalable BGP deployments, troubleshooting routing issues, and avoiding common pitfalls that trap inexperienced network engineers.
By the end of this page, you will understand the key behavioral differences between eBGP and iBGP, why iBGP requires full mesh or scaling solutions, how route reflectors and confederations solve iBGP scaling, best practices for deploying each session type, and troubleshooting techniques for common eBGP/iBGP issues.
The distinction between eBGP and iBGP is based on a simple criterion: do the peers share the same AS number?
| Session Type | Condition | Purpose |
|---|---|---|
| eBGP | Peers have different AS numbers | Exchange routes between organizations |
| iBGP | Peers have the same AS number | Distribute external routes within organization |
This simple difference triggers cascading behavioral changes designed to prevent routing loops and enable scalable operation.
| Behavior | eBGP | iBGP |
|---|---|---|
| AS_PATH modification | Prepends local ASN | No modification |
| NEXT_HOP modification | Sets to self | Preserves original NEXT_HOP |
| LOCAL_PREF | Stripped when sending | Propagated |
| Loop prevention | AS_PATH check | Split-horizon rule |
| TTL default | 1 (directly connected) | 255 (any distance) |
| Administrative distance | 20 (preferred) | 200 (less preferred) |
| Session topology | Typically point-to-point | Requires full mesh (or RR/confed) |
| Route propagation | To all peers (with policy) | Split-horizon restrictions |
eBGP's AS_PATH prepending provides automatic loop prevention across ASes. iBGP can't use AS_PATH (the ASN is the same!), so it uses split-horizon rules instead: a route learned from an iBGP peer is not re-advertised to other iBGP peers. This prevents loops but creates the full-mesh requirement.
eBGP sessions connect different Autonomous Systems. They are the glue that holds the Internet together, enabling routing information to flow between organizations.
eBGP Session Characteristics:
1. Direct Connectivity Requirement
By default, eBGP peers must be directly connected (TTL=1 in IP packets). This is a security feature—it ensures peers are actually adjacent and not spoofed from elsewhere.
However, multihop eBGP allows peering over multiple network hops:
neighbor 192.0.2.1 remote-as 65002
neighbor 192.0.2.1 ebgp-multihop 3
Multihop is used when peering via loopbacks or across intermediate devices.
2. AS_PATH Prepending
When advertising a route via eBGP, the local AS number is prepended to the AS_PATH. This:
# Basic eBGP Configuration router bgp 65001 ! Basic eBGP neighbor with directly connected peer neighbor 192.0.2.1 remote-as 65002 neighbor 192.0.2.1 description "Primary Transit Provider" ! eBGP neighbor via loopbacks (requires multihop) neighbor 10.0.0.1 remote-as 65003 neighbor 10.0.0.1 ebgp-multihop 2 neighbor 10.0.0.1 update-source Loopback0 ! eBGP with authentication (recommended!) neighbor 192.0.2.1 password s3cr3t_k3y ! Apply route policies neighbor 192.0.2.1 route-map TRANSIT-IN in neighbor 192.0.2.1 route-map MY-ROUTES-OUT out ! Limit prefix acceptance (protection against leaks) neighbor 192.0.2.1 maximum-prefix 100000 80 restart 5 ! Accept max 100k prefixes, warn at 80%, restart after 5 min if exceeded3. NEXT_HOP Setting
When advertising to an eBGP peer, NEXT_HOP is set to the local router's interface address (or update-source if configured). This ensures the receiving AS can reach the advertising router.
4. eBGP Load Balancing
With multiple eBGP sessions to the same destination AS, load balancing is possible:
router bgp 65001
maximum-paths 4 ! Up to 4 equal-cost eBGP paths
maximum-paths ibgp 4 ! Up to 4 equal-cost iBGP paths
For paths to be considered equal, they must have identical:
eBGP sessions cross trust boundaries. Always use: (1) TCP MD5 authentication to protect session integrity, (2) Prefix filters to limit accepted routes, (3) Maximum-prefix limits to protect against route leaks, (4) RPKI validation when supported.
iBGP sessions connect routers within the same Autonomous System. Their purpose is to distribute routing information learned from eBGP peers to all routers that need it.
Why Do We Need iBGP?
Consider an AS with two edge routers (R1 and R2) receiving routes from external peers:
iBGP Session Characteristics:
| Characteristic | Behavior | Rationale |
|---|---|---|
| AS_PATH | Not modified | Same AS; no new hop to record |
| NEXT_HOP | Preserved by default | Original eBGP next-hop retained |
| LOCAL_PREF | Propagated | Internal policy coordination |
| Session distance | Any (via IGP routing) | Peers don't need to be adjacent |
| TTL | 255 | Can traverse internal hops |
| Split-horizon | Don't re-advertise to iBGP peers | Loop prevention mechanism |
The iBGP Split-Horizon Rule:
The critical iBGP behavior is the split-horizon rule:
A route learned from an iBGP peer is not re-advertised to other iBGP peers.
This prevents routing loops within the AS. Without AS_PATH prepending (since ASN is unchanged), loops could form if routes were freely re-advertised.
The Problem This Creates:
The split-horizon rule means that every iBGP router must peer directly with every other iBGP router—a full mesh.
The number of iBGP sessions in a full mesh grows as O(n²). For 100 routers, you need 4,950 sessions. For 1,000 routers, 499,500 sessions. This is operationally unmanageable. Solutions: Route Reflectors or Confederations.
Route Reflectors (RRs) are the most common solution to iBGP scaling. They relax the split-horizon rule, allowing designated routers to "reflect" routes between iBGP peers.
Route Reflector Concept:
Instead of full mesh, routers peer with Route Reflectors:
Reflection Rules:
| Route Learned From | Reflection Target | Action |
|---|---|---|
| eBGP peer | RR clients and non-clients | Reflect to all |
| RR client | Other clients and non-clients | Reflect to all |
| Non-client (iBGP) | RR clients only | Reflect to clients |
Loop Prevention in RR:
Route reflectors introduce two attributes for loop prevention:
1. ORIGINATOR_ID
2. CLUSTER_LIST
# Route Reflector Configuration router bgp 65001 bgp cluster-id 1.1.1.1 ! Explicit cluster ID (optional) ! Clients - will reflect routes to/from these peers neighbor 10.0.0.1 remote-as 65001 neighbor 10.0.0.1 route-reflector-client neighbor 10.0.0.1 update-source Loopback0 neighbor 10.0.0.2 remote-as 65001 neighbor 10.0.0.2 route-reflector-client neighbor 10.0.0.2 update-source Loopback0 neighbor 10.0.0.3 remote-as 65001 neighbor 10.0.0.3 route-reflector-client neighbor 10.0.0.3 update-source Loopback0 # Client Configuration (no special config needed)router bgp 65001 neighbor 10.0.0.100 remote-as 65001 ! Peer with RR neighbor 10.0.0.100 update-source Loopback0 ! That's it - client doesn't know it's a clientRR Design Best Practices:
Route reflectors don't alter the BGP decision process. They reflect the best path they select. This can cause suboptimal routing when the RR's best path differs from what a client would choose with full information. Advanced designs use ADD-PATH to advertise multiple paths.
Confederations are an alternative iBGP scaling solution that divides an AS into smaller sub-ASes. To the outside world, the confederation appears as a single AS.
Confederation Concept:
How It Works:
Confederation AS_PATH Handling:
Confederation sessions modify AS_PATH, but use special segment types:
| Segment Type | Usage |
|---|---|
| AS_CONFED_SEQUENCE | Ordered list of confederation member ASes |
| AS_CONFED_SET | Unordered set of confederation member ASes |
Key Behaviors:
Example AS_PATH transformation:
| Internal View | External View |
|---|---|
| (65502 65501) 65001 | 65001 |
| Parentheses denote confed path | Confed segments stripped |
# Confederation Configuration # Router in Sub-AS 65501router bgp 65501 bgp confederation identifier 65001 ! Public AS number bgp confederation peers 65502 ! Other sub-ASes ! iBGP peer within same sub-AS neighbor 10.0.0.2 remote-as 65501 ! Confederation eBGP peer in different sub-AS neighbor 10.0.1.1 remote-as 65502 ! True eBGP peer (external) neighbor 192.0.2.1 remote-as 65002 # Key points:# - bgp confederation identifier: the AS number external peers see# - bgp confederation peers: list of other sub-ASes in confederation# - Intra-confederation sessions use sub-AS numbers# - External sessions advertise confederation identifierConfederations were designed before route reflectors and are more complex to configure. Today, most networks use route reflectors due to their simpler operation. Confederations are still used in very large service provider networks or specific organizational structures. Both can be combined.
| Aspect | Route Reflector | Confederation |
|---|---|---|
| Configuration complexity | Simpler (one command per client) | More complex (sub-AS design) |
| Path diversity | Limited (RR selects best) | Better (eBGP between sub-ASes) |
| Hop count preservation | Full preservation | Confed hops added then stripped |
| Typical use case | Enterprise, most SPs | Very large SPs, mergers |
| Combination with RR | N/A | Often used together (RR within sub-AS) |
Understanding operational differences between eBGP and iBGP is critical for troubleshooting. Here are the most common issues and their diagnosis:
Common eBGP Issues:
| Symptom | Likely Cause | Diagnosis |
|---|---|---|
| Session stuck in Active | TCP connectivity failure | Check IP reachability, ACLs, firewall rules for TCP 179 |
| Session stuck in Connect | TTL too low (multihop needed) | Verify ebgp-multihop if peers not adjacent |
| Session flapping | Physical link issues | Check interface errors, link stability |
| No routes received | Prefix filtering by peer | Request peer's outbound policy; check BGP logs |
| Routes received but not in RIB | Route marked invalid | Check NEXT_HOP reachability, AS_PATH for own AS |
| Authentication failure | Mismatched MD5 password | Verify password on both sides (common typo issue) |
Common iBGP Issues:
| Symptom | Likely Cause | Diagnosis |
|---|---|---|
| Session stuck in Active | IGP not carrying loopback | Verify IGP reachability to neighbor's update-source |
| Routes not propagating | iBGP split-horizon (missing full mesh/RR) | Verify full mesh, RR configuration, or confederation |
| Routes received but not used | NEXT_HOP unreachable | Check IGP route to external NEXT_HOP; use next-hop-self |
| Suboptimal routing | RR hiding path diversity | Consider ADD-PATH or redesign cluster topology |
| Route loop detected | Misconfigured RR cluster | Check CLUSTER_LIST, ORIGINATOR_ID in route attributes |
| Different best paths on routers | Non-deterministic MED comparison | Enable bgp deterministic-med, verify LOCAL_PREF consistency |
# Essential BGP Troubleshooting Commands # View neighbor statusshow ip bgp summaryshow ip bgp neighbors 192.0.2.1 # Check why route is/isn't being usedshow ip bgp 10.0.0.0/8show ip bgp 10.0.0.0/8 bestpath # View received routes (before policy)show ip bgp neighbors 192.0.2.1 received-routes # View advertised routes (after policy)show ip bgp neighbors 192.0.2.1 advertised-routes # Check NEXT_HOP reachabilityshow ip route 192.0.2.1 # Verify RR behaviorshow ip bgp 10.0.0.0/8 | include ORIGINATOR|CLUSTER # Debug BGP updates (use carefully in production!)debug ip bgp updatesdebug ip bgp updates neighbor 192.0.2.1The #1 iBGP issue is unreachable NEXT_HOP. Before anything else, verify the NEXT_HOP address from 'show ip bgp' is in the routing table. If not: (1) Use next-hop-self on edge routers, or (2) Ensure IGP carries the external network, or (3) Redistribute connected on edge routers.
Building a robust BGP deployment requires careful attention to both eBGP and iBGP design. Here are consolidated best practices:
Scalability Guidelines:
| Network Size | iBGP Recommendation |
|---|---|
| < 10 routers | Full mesh acceptable |
| 10-50 routers | Route reflectors recommended |
| 50-200 routers | Hierarchical route reflectors |
| 200+ routers | Confederations or advanced RR design |
Session Monitoring:
Always monitor:
Modern data centers often use BGP for internal routing instead of traditional IGPs—called 'BGP in the data center' or 'eBGP everywhere'. This approach uses private ASNs for each rack/pod with eBGP between them, avoiding iBGP complexity entirely. Facebook, Microsoft, and Google have published extensively on these designs.
The distinction between eBGP and iBGP is fundamental to understanding BGP operation. Let's consolidate the key lessons:
Module Complete:
With this page, you have completed the comprehensive study of BGP. You now understand:
This knowledge forms the foundation for working with routing in enterprise networks, service provider environments, cloud architectures, and beyond.
Congratulations! You have mastered the fundamentals of BGP—the protocol that makes the Internet work. From path vector theory to practical eBGP/iBGP deployment, you now have the knowledge to configure, troubleshoot, and design BGP networks. The next module explores BGP Operation in greater depth, including advanced topics like BGP sessions, route advertisement mechanics, and route selection in complex scenarios.