BGP Basics

Definitive CCNP-level BGP guide — autonomous systems, eBGP vs iBGP, path-vector routing, neighbor states, full best-path selection process, attributes deep dive (AS_PATH, LOCAL_PREF, MED, communities), route reflectors, RPKI, 8 worked scenarios, and the BGP debug workflow.

TL;DR
  • BGP is the routing protocol between Autonomous Systems — every ISP, large enterprise, and cloud provider is an AS with a unique number. BGP is what makes 'the internet' exist as one logical network.
  • eBGP runs between different ASes (TCP 179, default TTL 1). iBGP runs within one AS to distribute externally-learned routes.
  • BGP is path-vector — each route carries the AS_PATH (list of ASes it traversed). Loop prevention: if your own AS is in the path, ignore the route.
  • Best-path selection is a 13-step process. The four steps that matter in real life: Weight (Cisco), Local Preference, AS_PATH length, MED.

Mental model

Inside one organization’s network, internal protocols (OSPF, EIGRP) handle routing. They share full topology and react fast. They’re trust-everyone protocols — every router in OSPF area 0 knows every link.

Between organizations, that breaks down. Verizon shouldn’t see Comcast’s internal topology. Cloudflare shouldn’t trust everything its peering partners advertise. You need a routing protocol that:

  • Treats networks as autonomous units — don’t peek inside the other network’s topology.
  • Lets each unit set policy — prefer this neighbor over that, refuse to accept certain prefixes.
  • Doesn’t share full topology — just “I can reach prefix X via this AS path.”
  • Scales to a million prefixes — the global BGP table is around 950,000 IPv4 prefixes in 2026.

BGP — Border Gateway Protocol — is that protocol. It’s what makes the internet one network rather than thousands of disconnected ones. It’s a routing mesh of Autonomous Systems each making policy decisions about which prefixes to accept, prefer, and advertise.

Three things to internalize:

  1. BGP is policy, not optimality. Unlike OSPF, BGP doesn’t pick the shortest path automatically — it picks the path your policy prefers. “Shortest” is just one option.
  2. BGP runs on TCP (port 179). Not UDP, not raw IP — actual TCP for reliability + session management.
  3. BGP is the only routing protocol that runs the internet. There is no alternative at the inter-AS layer. Everything else (OSPF, EIGRP, IS-IS) is intra-AS.

Autonomous System (AS)

An AS is a network under one administrative control with a unique AS number.

| AS number range | Type | Used for |
| --- | --- | --- |
| 1–64,511 | Public (16-bit) | Internet-facing — assigned by RIRs (ARIN, RIPE, APNIC) |
| 64,512–65,534 | Private | Inside large enterprises, MPLS providers, sub-AS designs |
| 65,535 | Reserved | |
| 4,200,000,000–4,294,967,294 | Private (32-bit) | Modern private range |
| All other 32-bit | Public | New global ASNs since 2007 |

Known examples:

  • Cloudflare: AS 13335
  • Google: AS 15169
  • Hurricane Electric: AS 6939 (top transit by reach)
  • AT&T: AS 7018
  • Comcast: AS 7922
  • Microsoft: AS 8075

Two ASes that exchange BGP routes are BGP peers or neighbors.

eBGP vs iBGP

| Aspect | eBGP | iBGP |
| --- | --- | --- |
| Between | Different ASes | Routers in the same AS |
| Purpose | Exchange routes across organization boundaries | Distribute externally-learned routes internally |
| TTL on packets | 1 by default (direct neighbors only) | 255 (multi-hop within AS) |
| Loop prevention | AS_PATH check | Split-horizon — iBGP routes aren’t re-advertised to other iBGP peers |
| Most common topology | Direct neighbor between border routers | Full mesh (or route reflectors) within the AS |
| AD | 20 | 200 |

The classic enterprise pattern:

  • eBGP between your edge routers and your ISPs.
  • iBGP between your internal routers so internally-routed traffic uses BGP-learned next-hops correctly.

The iBGP split-horizon rule

When an iBGP router learns a route from one iBGP peer, it does NOT re-advertise that route to another iBGP peer. Why? Loop prevention — there’s no AS_PATH increment within an AS (the same AS appears throughout), so you can’t detect loops with AS_PATH.

Consequence: every iBGP router needs a direct iBGP session with every other iBGP router. That’s a full mesh: N × (N-1) / 2 sessions. 10 routers = 45 iBGP sessions. 100 routers = 4,950 sessions. Doesn’t scale.

Solution: Route Reflectors (RR). One designated router (the RR) is allowed to re-advertise iBGP routes to its clients. Each client peers only with the RR(s), not with every other iBGP router. Full mesh of 100 routers → 100 sessions to the RR. Standard pattern in any large AS.

BGP is path-vector — what that means

Each route in BGP carries an AS_PATH — the list of ASes the route traversed:

10.0.0.0/24 → AS_PATH: 65002 65010 64500

Read: “This prefix originated in AS 64500, was sent through AS 65010, then through AS 65002, and is now here.” The first AS in the path is the most recent hop; the last is the originator.

Loop prevention via AS_PATH

If a route arrives with your own AS number already in the AS_PATH, you drop it. You can’t import your own routes back. Simple, effective loop prevention without computing topology.

AS_PATH prepending — a key traffic-engineering trick

You can artificially make a path longer by prepending your own AS multiple times:

R1(config)# route-map LONG-PATH permit 10
R1(config-route-map)# set as-path prepend 65001 65001 65001
R1(config-route-map)# router bgp 65001
R1(config-router)# neighbor <ISP-IP> route-map LONG-PATH out

If you have two ISPs and want traffic to prefer the other one (without disabling this one), prepend your AS several times on the outbound side. Neighbors see this prefix as having a longer AS_PATH and prefer the shorter alternative.

BGP attributes — the full menu

BGP carries many attributes alongside each route. Some matter for path selection; others are informational.

| Attribute | Type | Used for |
| --- | --- | --- |
| AS_PATH | Well-known mandatory | Loop prevention + path-length comparison |
| NEXT_HOP | Well-known mandatory | Where to send packets for this prefix |
| ORIGIN | Well-known mandatory | How was the prefix originated: IGP, EGP, Incomplete |
| LOCAL_PREF | Well-known discretionary | Prefer this path within the AS (iBGP attribute) |
| MED (Metric) | Optional non-transitive | Suggest preferred entry to a neighbor |
| COMMUNITY | Optional transitive | Tag routes for policy purposes |
| WEIGHT | Cisco-only, local | Override BGP path selection on a single router |
| Atomic Aggregate | Discretionary | Indicates summarization happened |
| Aggregator | Optional transitive | Identifies which router did the aggregation |

The four you’ll actually tune in real life: WEIGHT, LOCAL_PREF, AS_PATH (via prepending), MED.

Best-path selection — the full 13-step process

When BGP has multiple paths for the same prefix, it picks one as best. The selection runs in this order; first tie-breaker wins:

  1. Weight — highest wins (Cisco-only, local to the router)
  2. LOCAL_PREF — highest wins (within the AS)
  3. Locally originated — prefer routes this router originated (via network or aggregation)
  4. AS_PATH length — shortest wins (after AS_SET / AS_CONFED removed)
  5. ORIGIN — IGP > EGP > Incomplete (lower is better)
  6. MED — lowest wins (only compared across same neighbor AS by default)
  7. eBGP over iBGP — prefer eBGP-learned
  8. IGP metric to next-hop — lowest cost back to the BGP next-hop wins
  9. Oldest route (eBGP only) — for stability, the longer-established eBGP route wins
  10. Lowest Router ID of the advertising peer
  11. Lowest Cluster List length (route reflectors)
  12. Lowest neighbor IP address of the BGP session

For CCNP / CCNA-level interview prep: memorize at least steps 1, 2, 4, 5, 6, 7. Those handle most real-world tuning.

Why so many tie-breakers

BGP must produce one and only one best path for each prefix, deterministically. With millions of paths in flux globally, you need a strict ordering to converge.
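
The ordering above as runnable logic, an added example that is not part of the original page. It drops looped paths first, then models steps 1 to 8 and 10 of the list (oldest route, cluster list and neighbor IP are left out). The `Path` fields and function names are illustrative, and MED is handled by grouping on the neighbor AS, a simplification of a router's pairwise comparison.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}  # lower is better

@dataclass
class Path:
    name: str
    as_path: List[int]              # first entry = neighbor AS, last = originator
    weight: int = 0
    local_pref: int = 100           # default LOCAL_PREF used on the page
    locally_originated: bool = False
    origin: str = "igp"
    med: int = 0
    ebgp: bool = True
    igp_metric: int = 0
    router_id: str = "0.0.0.0"      # router ID of the advertising peer

def _lowest(key: Callable[[Path], object]):
    """Build a step that keeps only the paths with the lowest key value."""
    def step(paths: List[Path]) -> List[Path]:
        best = min(key(p) for p in paths)
        return [p for p in paths if key(p) == best]
    return step

def _med_step(paths: List[Path]) -> List[Path]:
    """MED is compared only between paths learned from the same neighbor AS."""
    def nbr(p: Path):
        return p.as_path[0] if p.as_path else None
    lowest = {}
    for p in paths:
        lowest[nbr(p)] = min(p.med, lowest.get(nbr(p), p.med))
    return [p for p in paths if p.med == lowest[nbr(p)]]

# "Highest wins" steps negate the value so that every step keeps the minimum.
STEPS = [
    ("Weight", _lowest(lambda p: -p.weight)),
    ("LOCAL_PREF", _lowest(lambda p: -p.local_pref)),
    ("Locally originated", _lowest(lambda p: not p.locally_originated)),
    ("AS_PATH length", _lowest(lambda p: len(p.as_path))),
    ("ORIGIN", _lowest(lambda p: ORIGIN_RANK[p.origin])),
    ("MED", _med_step),
    ("eBGP over iBGP", _lowest(lambda p: not p.ebgp)),
    ("IGP metric to next-hop", _lowest(lambda p: p.igp_metric)),
    ("Router ID", _lowest(lambda p: int(ipaddress.IPv4Address(p.router_id)))),
]

def best_path(paths: List[Path], local_as: int) -> Tuple[Optional[Path], str]:
    """Return (winner, deciding step); paths containing local_as are dropped."""
    candidates = [p for p in paths if local_as not in p.as_path]
    if not candidates:
        return None, "no loop-free path"
    if len(candidates) == 1:
        return candidates[0], "only loop-free path"
    for name, step in STEPS:
        candidates = step(candidates)
        if len(candidates) == 1:
            return candidates[0], name
    return candidates[0], "tie (later steps not modelled)"

# Constructed input: Scenario 2 from this page, evaluated from AS 65001.
SCENARIO_2 = [
    Path("A", [65002, 65010], local_pref=100),
    Path("B", [65003], local_pref=200),
]
```

Calling `best_path(SCENARIO_2, local_as=65001)` returns path B together with the step that decided it, which is the quickest way to see why a shorter AS_PATH never gets a vote once LOCAL_PREF differs.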

BGP neighbor states — the lifecycle

Idle  →  Connect  →  Active  →  OpenSent  →  OpenConfirm  →  Established

| State | What’s happening |
| --- | --- |
| Idle | Initial. Waiting to try a TCP connection. |
| Connect | TCP SYN sent, waiting for SYN-ACK |
| Active | TCP failed; retrying. Don’t confuse “Active” with “actively working” — it’s actually trying repeatedly to connect |
| OpenSent | TCP up. BGP OPEN message sent. |
| OpenConfirm | OPEN exchanged. Waiting for KEEPALIVE to confirm. |
| Established | Session up. Routes flow. ✓ |

The state to watch for: Established. Anything else = not yet exchanging routes.

The trap state: Active. Sounds good; means “still trying.” Usually indicates one of:

  • TCP 179 blocked by firewall
  • Neighbor IP unreachable
  • AS number mismatch (OPEN messages rejected)
  • Source-interface IP wrong

Configuration — minimal eBGP setup

! Edge router R1 in AS 65001, peering with ISP at 198.51.100.1 (AS 65002)
R1(config)# router bgp 65001
R1(config-router)# bgp router-id 1.1.1.1
R1(config-router)# neighbor 198.51.100.1 remote-as 65002
R1(config-router)# neighbor 198.51.100.1 description ISP-A
R1(config-router)# neighbor 198.51.100.1 password $tr0ngK3y
R1(config-router)# network 203.0.113.0 mask 255.255.255.0

Required minimum: neighbor IP remote-as ASN + network PREFIX mask MASK to advertise. Everything else is best practice (router ID, description, password).

The network statement gotcha: unlike OSPF where network enables the protocol on an interface, BGP’s network command only takes effect if the prefix exists exactly in the routing table (same mask). If you write:

R1(config-router)# network 203.0.113.0 mask 255.255.255.0

But your routing table has 203.0.113.0/26 from a connected interface, BGP won’t advertise. You need either a /24 static or /24 actually in the table.

iBGP configuration with route reflector

! Route Reflector R1 in AS 65001
R1(config)# router bgp 65001
R1(config-router)# bgp router-id 1.1.1.1
R1(config-router)# neighbor 10.0.0.2 remote-as 65001
R1(config-router)# neighbor 10.0.0.2 route-reflector-client
R1(config-router)# neighbor 10.0.0.3 remote-as 65001
R1(config-router)# neighbor 10.0.0.3 route-reflector-client

! RR Client R2
R2(config)# router bgp 65001
R2(config-router)# neighbor 10.0.0.1 remote-as 65001
R2(config-router)# neighbor 10.0.0.1 update-source Loopback0

The client only peers with the RR; the RR peers with all clients. The RR re-advertises routes between clients, breaking the strict iBGP split-horizon rule safely.

Multi-hop eBGP

Default eBGP uses TTL=1 — packets only reach directly-connected neighbors. If you want to peer between loopback IPs (more resilient — survives one of multiple physical links failing), you need to extend the TTL:

R1(config-router)# neighbor 10.255.255.2 remote-as 65002
R1(config-router)# neighbor 10.255.255.2 update-source Loopback0
R1(config-router)# neighbor 10.255.255.2 ebgp-multihop 2

ebgp-multihop 2 sets TTL = 2 (allows one intermediate router between peers).

Communities — the policy-tagging system

BGP communities are arbitrary 32-bit tags you attach to routes. They mean nothing on their own — but you and your peers can agree to treat them as policy signals.

! Tag a route with communities
R1(config)# route-map TAG-CUSTOMER permit 10
R1(config-route-map)# set community 65001:100 65001:200

R1(config)# router bgp 65001
R1(config-router)# neighbor 10.0.0.2 send-community
R1(config-router)# neighbor 10.0.0.2 route-map TAG-CUSTOMER out

Common community conventions (industry de-facto):

| Community | Meaning |
| --- | --- |
| 0:no-export | Don’t advertise to eBGP peers |
| 0:no-advertise | Don’t advertise to any peer |
| 0:local-AS | Don’t advertise outside the local AS |
| <ASN>:100 | “Customer route” (provider-specific) |
| <ASN>:200 | “Peer route” |
| <ASN>:666 | “Black-hole this — used in DDoS mitigation” |

Pre-arrange with your ISP what their communities mean. The upstream then tags routes to communicate “this is a customer,” “this is a peer,” etc.

Why BGP misconfigurations make news

BGP trusts what peers tell you. There’s no central truth. Without route filters or RPKI validation, anyone can claim to own any prefix and propagate that claim globally in seconds.

Examples that made global news:

  • 2008 — Pakistan vs YouTube: Pakistan’s PCCW tried to block YouTube domestically by advertising a more-specific YouTube prefix. PCCW’s upstream propagated it globally. The entire internet’s YouTube traffic routed to Pakistan for hours.
  • 2017 — Google routes via Russia: Russian ISPs accidentally announced Google prefixes, redirecting global Google traffic for a few hours.
  • 2019 — Cloudflare via Verizon: A small ISP’s BGP optimizer leaked routes; Verizon propagated them; Cloudflare and Amazon traffic disrupted globally.
  • 2021 — Facebook outage: A BGP configuration error withdrew Facebook’s prefixes globally — including the ones used by Facebook engineers to access the network. Five-hour outage.
  • 2023 / 2024 — multiple ISP leaks: BGP leaks remain the #1 cause of internet outages affecting non-customer-related traffic.

In 2026, the defense layers are:

  • Route filters / prefix lists — only accept what neighbors are entitled to advertise
  • AS-path filters — match on origin AS to prevent obvious hijacks
  • RPKI (Resource Public Key Infrastructure) — cryptographic signing of who owns what prefix
  • MANRS (Mutually Agreed Norms for Routing Security) — industry framework
  • BGP communities + community-based filters — agreed conventions for what can/can’t be re-advertised

For CCNP/CCNA: know that BGP misconfiguration is high-consequence and that RPKI + filters are the modern defense.

RPKI in 60 seconds

Resource Public Key Infrastructure lets prefix owners cryptographically sign “AS X is authorized to originate prefix Y.” Routers receive these ROAs (Route Origin Authorizations) from RPKI validators and can mark or reject BGP routes that don’t have valid origin authorization.

R1(config)# router bgp 65001
R1(config-router)# bgp rpki server tcp 10.99.99.10 port 3323

ROA states: Valid · Invalid · NotFound. Most networks tag invalids but don’t yet drop — adoption is growing. Cloudflare, Google, NTT, AT&T all drop invalids.
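
How a route ends up Valid, Invalid or NotFound, as an added example (not code from the page or from any router vendor). It follows the origin-validation rules of RFC 6811; the ROA contents, prefixes and AS numbers are constructed, and `max_length` is the ROA's maxLength field, which caps how specific an announcement may be.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class ROA:
    prefix: str        # e.g. "203.0.113.0/24"
    max_length: int    # longest prefix length the owner authorizes
    origin_as: int     # AS allowed to originate it

def rov_state(prefix: str, as_path: List[int], roas: List[ROA]) -> str:
    """Classify one announcement as Valid, Invalid or NotFound."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]                      # last AS in AS_PATH = originator
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue                          # this ROA does not cover the route
        covered = True
        if roa.origin_as == origin and net.prefixlen <= roa.max_length:
            return "Valid"
    # Covered by at least one ROA but matching none is Invalid, not NotFound.
    return "Invalid" if covered else "NotFound"

def apply_policy(updates, roas: List[ROA], drop_invalid: bool
                 ) -> Tuple[list, list]:
    """Split updates into (accepted, dropped); each item is (prefix, state).

    drop_invalid=False models "tag only"; True models networks that drop.
    """
    accepted, dropped = [], []
    for prefix, as_path in updates:
        state = rov_state(prefix, as_path, roas)
        target = dropped if (state == "Invalid" and drop_invalid) else accepted
        target.append((prefix, state))
    return accepted, dropped

# Constructed sample data (documentation prefixes, private ASNs).
ROAS = [ROA("203.0.113.0/24", 24, 65001)]
UPDATES = [
    ("203.0.113.0/24", [65002, 65001]),    # legitimate origin
    ("203.0.113.0/25", [65002, 65001]),    # right origin, longer than maxLength
    ("203.0.113.0/24", [65002, 65010]),    # wrong origin AS
    ("203.0.113.128/25", [65003, 65010]),  # more-specific from another AS
    ("198.51.100.0/24", [65002]),          # no ROA covers it
]

if __name__ == "__main__":
    for prefix, path in UPDATES:
        state = rov_state(prefix, path, ROAS)
        print(f"{prefix:18} origin AS{path[-1]:<6} {state}")
```

The fourth update is the pattern behind the more-specific incidents listed earlier: longest-prefix match would prefer the /25, and only the origin check marks it Invalid.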

Verification commands

R1# show ip bgp summary
R1# show ip bgp neighbors
R1# show ip bgp neighbors 10.0.0.2 advertised-routes
R1# show ip bgp neighbors 10.0.0.2 received-routes
R1# show ip bgp
R1# show ip bgp 8.8.8.0/24
R1# show ip route bgp
R1# show ip bgp regexp _15169_         ! search by AS number in path

show ip bgp summary is the daily driver. The key column: State/PfxRcd:

  • A number = peer is Established and you’re receiving that many prefixes.
  • “Idle” / “Active” / “Connect” = peering not working.
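
A small monitoring check built on that column, added here as an example and not taken from the original page. The sample output is constructed in the usual IOS column layout, and the function names and finding texts are illustrative.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample of `show ip bgp summary` output.
SAMPLE = """\
BGP router identifier 1.1.1.1, local AS number 65001
BGP table version is 42, main routing table version 42

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
198.51.100.1    4        65002    1523    1498       42    0    0 1d02h           3
10.0.0.2        4        65001     211     214       42    0    0 03:10:44        0
10.0.0.3        4        65001       0       0        1    0    0 never    Active
10.255.255.2    4        65002       0       0        1    0    0 00:02:10 Idle (Admin)
"""

def parse_summary(text: str) -> List[Dict[str, Optional[object]]]:
    """Parse the neighbor table; rows before the header line are ignored."""
    peers = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("Neighbor"):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        # Split into at most 10 fields so "Idle (Admin)" stays in one piece.
        cols = line.split(None, 9)
        if len(cols) < 10:
            continue
        last = cols[9].strip()
        established = last.isdigit()   # a number means Established + prefix count
        peers.append({
            "neighbor": cols[0],
            "asn": cols[2],
            "up_down": cols[8],
            "state": "Established" if established else last,
            "prefixes": int(last) if established else None,
        })
    return peers

def findings(peers: List[Dict[str, Optional[object]]]) -> List[Tuple[str, str]]:
    """Flag peers that are down, or up but sending no routes."""
    out = []
    for p in peers:
        if p["prefixes"] is None:
            out.append((p["neighbor"], f"not Established ({p['state']})"))
        elif p["prefixes"] == 0:
            out.append((p["neighbor"], "Established but 0 prefixes received"))
    return out

if __name__ == "__main__":
    for neighbor, problem in findings(parse_summary(SAMPLE)):
        print(f"{neighbor}: {problem}")
```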

show ip bgp 8.8.8.0/24 shows all paths known for a specific prefix with attributes — the debug command for “why isn’t this route preferred.”

The 6-step BGP debug

When a peering “isn’t working”:

  1. TCP reachability? ping <neighbor IP> from the router (with appropriate source). If ping fails, BGP can’t form.
  2. Port 179 reachable? telnet <neighbor IP> 179. If telnet doesn’t connect, a firewall is blocking BGP.
  3. AS numbers match? Your remote-as and the neighbor’s remote-as for you must match. AS mismatch = OPEN rejected = neighbor stuck in OpenSent.
  4. Source interface configured? If using loopbacks, both sides need neighbor X update-source Loopback0 AND the loopback IP must be reachable from the other side.
  5. eBGP TTL right? Direct neighbors don’t need ebgp-multihop. Loopback peering does.
  6. Password / authentication match? If MD5 password set on one side but not the other (or different keys), session fails silently. Check show ip bgp neighbors | include password.

Worked scenarios


Scenario 1. R1 (AS 65001) configures neighbor 198.51.100.1 remote-as 65002. The neighbor configures neighbor 198.51.100.5 remote-as 65003. Will the session form?

Answer: No. AS mismatch — R1 expects AS 65002 from the neighbor, but the neighbor identifies itself as AS 65003. OPEN message validation fails. Both routers will show the neighbor in “Active” state, repeatedly retrying.


Scenario 2. Two paths to 10.5.0.0/24. Path A: AS_PATH 65002 65010, LOCAL_PREF 100. Path B: AS_PATH 65003, LOCAL_PREF 200. Which wins?

Answer: Path B. LOCAL_PREF is checked before AS_PATH length. 200 > 100 → Path B preferred, even though it goes through a different path.


Scenario 3. You have two ISPs and want primary egress via ISP-A. How do you express “prefer ISP-A for outbound” using BGP?

Answer: Set LOCAL_PREF higher on routes received from ISP-A:

route-map ISP-A-IN permit 10
 set local-preference 200

router bgp 65001
 neighbor <ISP-A-IP> route-map ISP-A-IN in

ISP-B’s routes default to LOCAL_PREF 100 → ISP-A’s 200 wins for outbound.


Scenario 4. You’re multi-homed with ISP-A and ISP-B. You want ISP-B to be only for backup — only used if ISP-A is down. The inbound direction is the issue (you can’t directly control which ISP sends you traffic). Best approach?

Answer: AS_PATH prepending on the ISP-B side. Announce your prefix to ISP-B with multiple prepends of your own AS:

route-map PREPEND-B out
 set as-path prepend 65001 65001 65001 65001

router bgp 65001
 neighbor <ISP-B-IP> route-map PREPEND-B out

External ASes see a longer AS_PATH via ISP-B and prefer ISP-A naturally. Backup behavior emerges from preference.


Scenario 5. Why does iBGP need a full mesh?

Answer: iBGP’s loop-prevention rule is split-horizon: routes learned from one iBGP peer are NOT re-advertised to other iBGP peers. So every internal router must hear external routes directly from a router that has them. With N routers, that’s N×(N-1)/2 sessions. Route Reflectors break the rule safely and let you use hub-and-spoke instead.


Scenario 6. A BGP session is stuck in “Active” state. What are the top three causes?

Answer:

  1. TCP 179 blocked by a firewall on the path
  2. Neighbor IP unreachable (no route, interface down)
  3. Source-interface mismatch (you’re sourcing from one IP, neighbor expects another)

Scenario 7. Your network 203.0.113.0 mask 255.255.255.0 statement isn’t advertising. Routing table has only the connected /26. What’s wrong?

Answer: BGP’s network command requires the prefix to exist exactly in the routing table. A /26 doesn’t match a /24 advertisement. Fix: add a static ip route 203.0.113.0 255.255.255.0 Null0 (a “summary” static that ensures the /24 exists in the routing table for BGP to find).


Scenario 8. You receive a BGP route with AS_PATH 65003 65004 65001 65005. You’re in AS 65001. What happens?

Answer: Ignored. AS 65001 (yours) appears in the AS_PATH → loop detected → route rejected. This is BGP’s primary loop-prevention mechanism for eBGP.

Common mistakes

  1. Forgetting network statement. Configured peering but no prefixes advertised → neighbor doesn’t get any routes from you.

  2. Mismatched AS numbers. Your remote-as and the neighbor’s identity don’t match → OPEN rejected → session stuck in Active.

  3. TCP 179 blocked. Especially common when routing through a firewall. Test with telnet <neighbor> 179.

  4. iBGP without full mesh (or RR). Internal routers don’t learn external routes → they default-route blindly or black-hole. Use RR.

  5. eBGP TTL = 1 with non-directly-connected neighbors. For loopback-to-loopback peering use ebgp-multihop 2.

  6. Trusting upstream blindly. Always filter what you accept from peers. RPKI + prefix lists + max-prefix limits are the minimum.

  7. No update-source with loopback peering. TCP connection uses the wrong source IP, neighbor doesn’t recognize.

  8. No MD5/TCP-AO authentication on production peerings. Cheap protection against spoofing.

  9. Default route in BGP without filter. Accepting 0.0.0.0/0 from an unintended source can hijack all your egress traffic.

  10. network command without exact prefix match in routing table. BGP won’t advertise unless the prefix exists exactly. Use a static-to-Null0 if needed.

  11. No bgp router-id set. Auto-pick may pick a different IP each restart, causing session flaps.

  12. Forgetting address-family blocks on modern IOS-XE — IPv4 unicast advertisements live inside an explicit address-family ipv4 block.

Lab to try tonight

  1. Basic eBGP — Two routers (R1 in AS 65001, R2 in AS 65002). One link between them. Configure eBGP. Each advertises a loopback. Verify Established state and 1 PfxRcd.

  2. AS_PATH inspection: show ip bgp on each router. See the prefix learned from the neighbor with the neighbor’s AS in the AS_PATH.

  3. Add iBGP — Add R3 in the same AS as R1 (AS 65001). Configure iBGP between R1↔R3. Verify R3 learns external prefixes (R2’s loopback) via iBGP.

  4. Route reflector — Add R4 and R5 in AS 65001. Make R1 the RR; R3, R4, R5 are clients. Verify R3↔R4↔R5 learn each other’s routes via the RR without direct iBGP.

  5. Multi-hop loopback peering — Convert R1↔R2 eBGP to peer between loopbacks. Add update-source Loopback0 and ebgp-multihop 2. Verify session survives a physical link replacement.

  6. LOCAL_PREF tuning — Bring up a second eBGP peering to a new AS. Set LOCAL_PREF higher on one side. Verify outbound traffic prefers that path.

  7. AS_PATH prepending — Prepend your AS on outbound advertisements to one neighbor. Verify the other neighbor sees a longer AS_PATH and shifts inbound traffic.

  8. MED tuning — Set MED on outbound routes to influence which peer the neighbor AS prefers as entry.

  9. Communities — Tag routes with set community 65001:100. Verify with show ip bgp 10.0.0.0/24 — community column populated.

  10. Bonus: simulate a peering failure: clear ip bgp <neighbor>. Watch session transition Idle → Active → Established. Time the route reconvergence.

Cheat strip

| Concept | Plain English |
| --- | --- |
| BGP | Routing between Autonomous Systems. Runs the internet. |
| AS | One administrative network. Unique AS number. |
| eBGP | Between different ASes. Default TTL 1. AD 20. |
| iBGP | Within one AS. Distributes external routes internally. AD 200. |
| TCP 179 | BGP’s transport port |
| AS_PATH | List of ASes a route traversed — loop prevention + path-length metric |
| AS_PATH prepending | Trick: prepend your own AS to artificially lengthen a path |
| LOCAL_PREF | Within the AS, prefer this path. Highest wins. |
| MED | Hint to neighbor AS — lowest wins |
| WEIGHT | Cisco-only, local — highest wins. Overrides everything below it |
| Communities | Tags for policy. no-export, no-advertise, custom |
| Established | Session up, routes flowing |
| Active | Trying to connect; usually means it’s NOT connecting |
| network cmd | Tell BGP to advertise this prefix (must exist exactly in routing table) |
| Private AS | 64,512–65,534 (16-bit) · 4,200,000,000+ (32-bit) |
| RPKI | Cryptographic origin authorization. Modern BGP security |
| Route Reflector | Workaround for iBGP full-mesh — RR re-advertises iBGP routes to clients |
| Multi-hop eBGP | ebgp-multihop to peer loopback-to-loopback with TTL > 1 |
| Best-path selection | 13 steps. Memorize: Weight → LP → AS_PATH → MED → eBGP > iBGP |
| BGP misconfigurations | Globally consequential. Defense = filters + RPKI + MANRS |
| Global table size | ~950k IPv4 prefixes (2026) — full table requires substantial RAM/FIB |
| CCNA depth | Recognize. CCNP/CCIE: deploy and tune. This page is CCNP-level. |