BGP Keychains
BGP keychains enable keychain authentication between two BGP peers. Both BGP endpoints must comply
with draft-bonica-tcp-auth-05.txt; a keychain on one endpoint and a plain password on the other endpoint
does not interoperate.
See the Cisco ASR 9000 Series Aggregation Services Router System Security Configuration Guide for
information on keychain management.
BGP can use the keychain to implement hitless key rollover for authentication. Key rollover is
time based, so clock skew between the peers affects the rollover process. The configurable tolerance
extends the accept window of each key (before and after its configured accept lifetime) by that margin.
This widened accept window is what makes the key rollover hitless for applications (for example, routing and
management protocols).
The key rollover does not impact the BGP session, unless there is a keychain configuration mismatch at the
endpoints resulting in no common keys for the session traffic (send or accept).
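The following configuration is added here as an illustration; it is not taken from the Cisco guide. It shows a keychain with two keys whose accept lifetimes overlap around the rollover time, an accept tolerance to absorb clock skew, and a BGP neighbor bound to that keychain. The keychain name, key strings, dates, autonomous system numbers and neighbor address are made-up values.

```cisco
key chain BGP-PEER-KC
 ! Assumed value: widen every key's accept window by 300 seconds on
 ! either side, so a peer whose clock is off by up to 5 minutes is
 ! still authenticated during rollover.
 accept-tolerance 300
 key 1
  key-string clear Key1-Secret
  cryptographic-algorithm HMAC-MD5
  ! Sending with key 1 stops at the rollover time ...
  send-lifetime 00:00:00 january 01 2015 23:59:59 june 30 2015
  ! ... but key 1 is still accepted for an hour afterwards, so a peer
  ! that rolls over late is not rejected.
  accept-lifetime 00:00:00 january 01 2015 01:00:00 july 01 2015
 key 2
  key-string clear Key2-Secret
  cryptographic-algorithm HMAC-MD5
  send-lifetime 00:00:00 july 01 2015 infinite
  ! Key 2 is accepted an hour before this router starts sending with it,
  ! so a peer that rolls over early is not rejected either.
  accept-lifetime 23:00:00 june 30 2015 infinite
!
router bgp 65001
 neighbor 192.0.2.2
  remote-as 65002
  ! The peer must also reference a keychain (with the same key IDs,
  ! strings and algorithm); a password on one side does not work.
  keychain BGP-PEER-KC
  address-family ipv4 unicast
  !
 !
!
```

The point of the overlapping accept lifetimes plus the accept tolerance is that, at any instant around the rollover, each router's current send key falls inside at least one accept window on the other router, which is the "common key" condition described above. Before a rollover, check both peers with show key chain BGP-PEER-KC and compare the active send key and the accepted keys on each side; if a mismatch leaves no common key, the session will drop.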
BGP Nonstop Routing
The Border Gateway Protocol (BGP) Nonstop Routing (NSR) with Stateful Switchover (SSO) feature enables
all BGP peerings to maintain their BGP state and ensures continuous packet forwarding during events that could
interrupt service. Under NSR, events that might potentially interrupt service are not visible to peer routers:
protocol sessions are not interrupted and routing state is maintained across process restarts and switchovers.
BGP NSR provides nonstop routing during the following events:
• Route processor switchover
• Process crash or process failure of BGP or TCP
During route processor switchover and In-Service System Upgrade (ISSU), NSR is achieved by stateful
switchover (SSO) of both TCP and BGP.
Cisco ASR 9000 Series Aggregation Services Router Routing Configuration Guide, Release 5.3.x
BGP NSR is enabled by default. Use the nsr disable command to turn off BGP NSR.
Note
The no nsr disable command can also be used to turn BGP NSR back on if it has been
disabled.
In case of a process crash or process failure, NSR is maintained only if the nsr
process-failures switchover command is configured. In the event of process failures
of active instances, nsr process-failures switchover configures failover as the recovery
action and switches over to a standby route processor (RP) or a standby distributed route
processor (DRP), thereby maintaining NSR. An example of the configuration command is:
RP/0/RSP0/CPU0:router(config)# nsr process-failures switchover
The nsr process-failures switchover command maintains both NSR and the BGP
sessions in the event of a BGP or TCP process crash. Without this configuration, BGP
neighbor sessions flap if the BGP or TCP process crashes. This configuration does
not help if the BGP or TCP process is restarted; in that case the BGP neighbors are
expected to flap.
Implementing BGP