Introduction
Border Gateway Protocol (BGP) is the routing protocol that holds the Internet together. Whether you are peering with upstream ISPs, connecting multiple data-centre sites over a private WAN, or building an MPLS backbone, BGP is the control plane you rely on. This run book provides complete, copy-paste-ready configurations for both external BGP (eBGP) and internal BGP (iBGP) on Cisco IOS-XE platforms — specifically the ASR 1000 series and ISR 4000 series — but the syntax applies to any IOS-XE device running 16.x or 17.x code.
We will walk through every building block: basic neighbour establishment, prefix-lists, route-maps, communities, local-preference, MED, AS-path prepending, route reflectors, soft reconfiguration, and operational verification. Every example uses the InfraRunBook lab topology so you can replicate it on real hardware or CML.
Lab Topology
The topology used throughout this guide consists of four routers:
- rtr-infrarunbook-01 — AS 65001, Loopback0: 10.255.0.1/32, border router peering eBGP with ISP
- rtr-infrarunbook-02 — AS 65001, Loopback0: 10.255.0.2/32, iBGP peer and route reflector client
- rtr-infrarunbook-03 — AS 65001, Loopback0: 10.255.0.3/32, iBGP peer and route reflector client
- rtr-infrarunbook-isp — AS 65002, simulated ISP peer at 203.0.113.1/30
Point-to-point links use 10.0.12.0/30, 10.0.13.0/30, and 10.0.23.0/30 subnets. OSPF area 0 provides the IGP underlay for iBGP next-hop reachability. The eBGP peering between rtr-infrarunbook-01 and rtr-infrarunbook-isp uses the 203.0.113.0/30 transit link.
1 — Prerequisites and IGP Underlay
Before BGP neighbours can form, iBGP peers need an IGP (OSPF, IS-IS, or static routes) to resolve each other's loopback addresses. We assume OSPF is already running per our OSPF Run Book. Verify reachability first:
! On rtr-infrarunbook-01
ping 10.255.0.2 source 10.255.0.1
ping 10.255.0.3 source 10.255.0.1
Both pings must succeed before proceeding. If they fail, check OSPF adjacencies with
show ip ospf neighbor.
2 — Basic eBGP Configuration
2.1 — Establishing the eBGP Peer
! rtr-infrarunbook-01
router bgp 65001
bgp router-id 10.255.0.1
bgp log-neighbor-changes
no bgp default ipv4-unicast
!
neighbor 203.0.113.1 remote-as 65002
neighbor 203.0.113.1 description eBGP_to_infrarunbook-isp
neighbor 203.0.113.1 password 7 InfraRunBook$ecure!
neighbor 203.0.113.1 timers 10 30
!
address-family ipv4 unicast
neighbor 203.0.113.1 activate
neighbor 203.0.113.1 soft-reconfiguration inbound
network 172.16.0.0 mask 255.255.0.0
network 10.255.0.1 mask 255.255.255.255
exit-address-family
2.2 — ISP Side (for lab simulation)
! rtr-infrarunbook-isp
router bgp 65002
bgp router-id 203.0.113.1
bgp log-neighbor-changes
no bgp default ipv4-unicast
!
neighbor 203.0.113.2 remote-as 65001
neighbor 203.0.113.2 description eBGP_to_infrarunbook-01
neighbor 203.0.113.2 password 7 InfraRunBook$ecure!
!
address-family ipv4 unicast
neighbor 203.0.113.2 activate
neighbor 203.0.113.2 soft-reconfiguration inbound
network 0.0.0.0
network 203.0.113.0 mask 255.255.255.252
exit-address-family
Key points:
no bgp default ipv4-unicast
prevents all neighbours from being auto-activated in IPv4 — best practice on IOS-XE.- MD5 authentication protects the TCP session from spoofed RST attacks.
- Timers 10/30 are aggressive; production ISP peerings typically use 60/180 or BFD.
3 — Basic iBGP Configuration
3.1 — Full-Mesh iBGP (before Route Reflectors)
! rtr-infrarunbook-01
router bgp 65001
neighbor 10.255.0.2 remote-as 65001
neighbor 10.255.0.2 description iBGP_to_infrarunbook-02
neighbor 10.255.0.2 update-source Loopback0
neighbor 10.255.0.2 next-hop-self
!
neighbor 10.255.0.3 remote-as 65001
neighbor 10.255.0.3 description iBGP_to_infrarunbook-03
neighbor 10.255.0.3 update-source Loopback0
neighbor 10.255.0.3 next-hop-self
!
address-family ipv4 unicast
neighbor 10.255.0.2 activate
neighbor 10.255.0.2 soft-reconfiguration inbound
neighbor 10.255.0.3 activate
neighbor 10.255.0.3 soft-reconfiguration inbound
exit-address-family
! rtr-infrarunbook-02
router bgp 65001
bgp router-id 10.255.0.2
bgp log-neighbor-changes
no bgp default ipv4-unicast
!
neighbor 10.255.0.1 remote-as 65001
neighbor 10.255.0.1 description iBGP_to_infrarunbook-01
neighbor 10.255.0.1 update-source Loopback0
!
neighbor 10.255.0.3 remote-as 65001
neighbor 10.255.0.3 description iBGP_to_infrarunbook-03
neighbor 10.255.0.3 update-source Loopback0
!
address-family ipv4 unicast
neighbor 10.255.0.1 activate
neighbor 10.255.0.1 soft-reconfiguration inbound
neighbor 10.255.0.3 activate
neighbor 10.255.0.3 soft-reconfiguration inbound
network 172.16.10.0 mask 255.255.255.0
exit-address-family
Repeat a similar config on rtr-infrarunbook-03 with appropriate neighbour statements to both 10.255.0.1 and 10.255.0.2.
Why next-hop-self
? When rtr-infrarunbook-01 advertises routes learned from the ISP (next-hop 203.0.113.1) to iBGP peers, those peers have no route to 203.0.113.1.
next-hop-selfrewrites the next-hop to the advertising router's loopback, which is reachable via OSPF.
4 — Route Reflectors
Full-mesh iBGP does not scale. With N routers you need N×(N−1)/2 sessions. Route reflectors (RR) solve this. We designate rtr-infrarunbook-01 as the route reflector and the other two as clients.
! rtr-infrarunbook-01 — Route Reflector
router bgp 65001
address-family ipv4 unicast
neighbor 10.255.0.2 route-reflector-client
neighbor 10.255.0.3 route-reflector-client
exit-address-family
On the clients (rtr-infrarunbook-02 and rtr-infrarunbook-03), remove the iBGP neighbour statements to each other — they only peer with the route reflector now:
! rtr-infrarunbook-02 — RR Client
router bgp 65001
no neighbor 10.255.0.3 remote-as 65001
! rtr-infrarunbook-03 — RR Client
router bgp 65001
no neighbor 10.255.0.2 remote-as 65001
Best practice: Deploy two route reflectors for redundancy. Add a second RR (e.g., rtr-infrarunbook-04) and have each client peer with both.
5 — Prefix-Lists
Prefix-lists are the most efficient way to filter BGP routes. They match on prefix and prefix length.
5.1 — Permit Only Your Aggregates Outbound
ip prefix-list INFRARUNBOOK-OUT seq 10 permit 172.16.0.0/16
ip prefix-list INFRARUNBOOK-OUT seq 20 permit 10.255.0.0/24 le 32
ip prefix-list INFRARUNBOOK-OUT seq 100 deny 0.0.0.0/0 le 32
5.2 — Accept Default + Specific Prefixes Inbound
ip prefix-list INFRARUNBOOK-IN seq 10 permit 0.0.0.0/0
ip prefix-list INFRARUNBOOK-IN seq 20 permit 203.0.113.0/24 le 30
ip prefix-list INFRARUNBOOK-IN seq 30 deny 0.0.0.0/0 le 32
5.3 — Bogon Filter (Deny RFC 1918 from ISP)
ip prefix-list BOGON-FILTER seq 10 deny 10.0.0.0/8 le 32
ip prefix-list BOGON-FILTER seq 20 deny 172.16.0.0/12 le 32
ip prefix-list BOGON-FILTER seq 30 deny 192.168.0.0/16 le 32
ip prefix-list BOGON-FILTER seq 40 deny 100.64.0.0/10 le 32
ip prefix-list BOGON-FILTER seq 50 deny 169.254.0.0/16 le 32
ip prefix-list BOGON-FILTER seq 60 deny 224.0.0.0/4 le 32
ip prefix-list BOGON-FILTER seq 100 permit 0.0.0.0/0 le 32
6 — Route-Maps
Route-maps combine matching (prefix-lists, AS-path ACLs, community lists) with actions (set local-preference, MED, community, prepend).
6.1 — Inbound from ISP: Set Local-Preference and Filter Bogons
route-map RM-INFRARUNBOOK-ISP-IN permit 10
match ip address prefix-list BOGON-FILTER
set local-preference 200
!
route-map RM-INFRARUNBOOK-ISP-IN deny 999
6.2 — Outbound to ISP: Advertise Only Your Prefixes
route-map RM-INFRARUNBOOK-ISP-OUT permit 10
match ip address prefix-list INFRARUNBOOK-OUT
!
route-map RM-INFRARUNBOOK-ISP-OUT deny 999
6.3 — Apply Route-Maps to Neighbour
router bgp 65001
address-family ipv4 unicast
neighbor 203.0.113.1 route-map RM-INFRARUNBOOK-ISP-IN in
neighbor 203.0.113.1 route-map RM-INFRARUNBOOK-ISP-OUT out
exit-address-family
7 — AS-Path Prepending
AS-path prepending makes a path look longer so remote ASes prefer an alternative. Use it on the outbound direction of the less-preferred link.
route-map RM-INFRARUNBOOK-ISP-BACKUP-OUT permit 10
match ip address prefix-list INFRARUNBOOK-OUT
set as-path prepend 65001 65001 65001
!
router bgp 65001
address-family ipv4 unicast
neighbor 203.0.113.5 route-map RM-INFRARUNBOOK-ISP-BACKUP-OUT out
exit-address-family
Warning: Never prepend more than 3-4 times. Excessive prepending has diminishing returns and exposes you to AS-path-based hijack attacks.
8 — BGP Communities
Communities are 32-bit tags attached to routes. They let you signal policy intent to upstream providers or between your own routers.
8.1 — Define Community Lists
ip community-list standard INFRARUNBOOK-INTERNAL permit 65001:100
ip community-list standard INFRARUNBOOK-CUSTOMER permit 65001:200
ip community-list standard INFRARUNBOOK-BLACKHOLE permit 65001:666
8.2 — Set Communities in a Route-Map
route-map RM-SET-COMMUNITY permit 10
match ip address prefix-list INFRARUNBOOK-OUT
set community 65001:100 additive
8.3 — Match and Act on Communities
route-map RM-COMMUNITY-LP permit 10
match community INFRARUNBOOK-CUSTOMER
set local-preference 300
!
route-map RM-COMMUNITY-LP permit 20
8.4 — Enable Community Sending to Neighbours
router bgp 65001
address-family ipv4 unicast
neighbor 203.0.113.1 send-community both
neighbor 10.255.0.2 send-community both
neighbor 10.255.0.3 send-community both
exit-address-family
9 — MED (Multi-Exit Discriminator)
MED tells an eBGP neighbour which of your entry points to prefer when you are multi-homed to the same AS.
! Primary link — lower MED preferred
route-map RM-INFRARUNBOOK-ISP-PRIMARY-OUT permit 10
match ip address prefix-list INFRARUNBOOK-OUT
set metric 100
!
! Backup link
route-map RM-INFRARUNBOOK-ISP-BACKUP-OUT permit 10
match ip address prefix-list INFRARUNBOOK-OUT
set metric 200
Note: MED is only compared between paths received from the same AS, unless you enable
bgp always-compare-med.
10 — BGP Best-Path Selection
Understanding the decision process is critical for troubleshooting. IOS-XE evaluates in this order:
- Highest Weight (Cisco-proprietary, local to router)
- Highest Local Preference (propagated within AS)
- Locally originated (
network
,redistribute
,aggregate
) - Shortest AS-Path
- Lowest Origin (IGP < EGP < incomplete)
- Lowest MED (compared from same neighbouring AS)
- eBGP over iBGP
- Lowest IGP metric to next-hop
- Oldest eBGP route
- Lowest Router ID
- Lowest Neighbour IP
Use
show ip bgp 172.16.0.0/16 bestpathto see why a path was selected.
11 — Aggregation and Summarisation
router bgp 65001
address-family ipv4 unicast
aggregate-address 172.16.0.0 255.255.0.0 summary-only
exit-address-family
summary-onlysuppresses the more-specific routes. Without it, both the aggregate and the specifics are advertised. You can selectively unsuppress with a route-map:
route-map RM-UNSUPPRESS permit 10
match ip address prefix-list INFRARUNBOOK-CRITICAL-SUBNETS
!
router bgp 65001
address-family ipv4 unicast
neighbor 203.0.113.1 unsuppress-map RM-UNSUPPRESS
exit-address-family
12 — BFD for Fast Failure Detection
BGP default timers (60/180 seconds) are too slow. Bidirectional Forwarding Detection (BFD) detects link failures in milliseconds:
interface GigabitEthernet0/0/0
description Link_to_infrarunbook-isp
bfd interval 300 min_rx 300 multiplier 3
!
router bgp 65001
neighbor 203.0.113.1 fall-over bfd
This gives a detection time of ~900 ms (300ms × 3). Adjust intervals based on your platform's control-plane capacity.
13 — Maximum Prefix Protection
Protect your router from a neighbour accidentally advertising the full Internet table when you only expect a default route:
router bgp 65001
address-family ipv4 unicast
neighbor 203.0.113.1 maximum-prefix 100 80 restart 5
exit-address-family
This means: warn at 80% of 100 prefixes, tear down the session if 100 is exceeded, and auto-restart after 5 minutes.
14 — Graceful Shutdown
Before performing maintenance, signal your peers to de-prefer your routes using the GRACEFUL_SHUTDOWN community (RFC 8326):
! On the router being taken down
router bgp 65001
address-family ipv4 unicast
neighbor 203.0.113.1 send-community both
!
route-map RM-GRACEFUL-SHUTDOWN permit 10
set community graceful-shutdown additive
set local-preference 0
!
router bgp 65001
address-family ipv4 unicast
neighbor 203.0.113.1 route-map RM-GRACEFUL-SHUTDOWN out
!
! Wait for convergence (~60-90 seconds), then shut down
15 — Verification and Troubleshooting Commands
! Neighbour summary
show ip bgp summary
! Detailed neighbour info
show ip bgp neighbors 203.0.113.1
! BGP table for a specific prefix
show ip bgp 172.16.0.0/16
! Best path reason
show ip bgp 172.16.0.0/16 bestpath
! Routes received from a peer (before inbound policy)
show ip bgp neighbors 203.0.113.1 received-routes
! Routes advertised to a peer
show ip bgp neighbors 203.0.113.1 advertised-routes
! Routes accepted from a peer (after inbound policy)
show ip bgp neighbors 203.0.113.1 routes
! Check for dampened routes
show ip bgp dampening dampened-paths
! Clear soft inbound (apply new inbound policy without reset)
clear ip bgp 203.0.113.1 soft in
! BGP event debugging (use with caution in production)
debug ip bgp updates
debug ip bgp events
16 — Security Hardening Checklist
- MD5 authentication — always set on eBGP peers to prevent TCP RST attacks.
- TTL security (GTSM) — ensures packets arrive with expected TTL, defeating remote spoofing.
- Prefix limits —
maximum-prefix
on every eBGP peer. - Bogon filtering — deny RFC 1918, RFC 6598, link-local, multicast inbound from ISP.
- Outbound filtering — only advertise your own prefixes. Never leak transit.
- RPKI/ROV — enable Route Origin Validation on IOS-XE 17.3+ for production.
TTL Security Example
router bgp 65001
neighbor 203.0.113.1 ttl-security hops 1
This sets the expected TTL to 254 (1 hop). Packets with a lower TTL are silently dropped.
17 — Complete Running Configuration: rtr-infrarunbook-01
hostname rtr-infrarunbook-01
!
ip prefix-list INFRARUNBOOK-OUT seq 10 permit 172.16.0.0/16
ip prefix-list INFRARUNBOOK-OUT seq 100 deny 0.0.0.0/0 le 32
!
ip prefix-list BOGON-FILTER seq 10 deny 10.0.0.0/8 le 32
ip prefix-list BOGON-FILTER seq 20 deny 172.16.0.0/12 le 32
ip prefix-list BOGON-FILTER seq 30 deny 192.168.0.0/16 le 32
ip prefix-list BOGON-FILTER seq 40 deny 100.64.0.0/10 le 32
ip prefix-list BOGON-FILTER seq 100 permit 0.0.0.0/0 le 32
!
ip community-list standard INFRARUNBOOK-INTERNAL permit 65001:100
!
route-map RM-INFRARUNBOOK-ISP-IN permit 10
match ip address prefix-list BOGON-FILTER
set local-preference 200
!
route-map RM-INFRARUNBOOK-ISP-IN deny 999
!
route-map RM-INFRARUNBOOK-ISP-OUT permit 10
match ip address prefix-list INFRARUNBOOK-OUT
set community 65001:100 additive
!
route-map RM-INFRARUNBOOK-ISP-OUT deny 999
!
interface Loopback0
ip address 10.255.0.1 255.255.255.255
!
interface GigabitEthernet0/0/0
description Link_to_infrarunbook-isp
ip address 203.0.113.2 255.255.255.252
bfd interval 300 min_rx 300 multiplier 3
no shutdown
!
interface GigabitEthernet0/0/1
description Link_to_infrarunbook-02
ip address 10.0.12.1 255.255.255.252
no shutdown
!
interface GigabitEthernet0/0/2
description Link_to_infrarunbook-03
ip address 10.0.13.1 255.255.255.252
no shutdown
!
router ospf 1
router-id 10.255.0.1
passive-interface Loopback0
network 10.255.0.1 0.0.0.0 area 0
network 10.0.12.0 0.0.0.3 area 0
network 10.0.13.0 0.0.0.3 area 0
!
router bgp 65001
bgp router-id 10.255.0.1
bgp log-neighbor-changes
no bgp default ipv4-unicast
!
neighbor 203.0.113.1 remote-as 65002
neighbor 203.0.113.1 description eBGP_to_infrarunbook-isp
neighbor 203.0.113.1 password InfraRunBook$ecure!
neighbor 203.0.113.1 ttl-security hops 1
neighbor 203.0.113.1 fall-over bfd
!
neighbor 10.255.0.2 remote-as 65001
neighbor 10.255.0.2 description iBGP_to_infrarunbook-02
neighbor 10.255.0.2 update-source Loopback0
neighbor 10.255.0.2 next-hop-self
!
neighbor 10.255.0.3 remote-as 65001
neighbor 10.255.0.3 description iBGP_to_infrarunbook-03
neighbor 10.255.0.3 update-source Loopback0
neighbor 10.255.0.3 next-hop-self
!
address-family ipv4 unicast
neighbor 203.0.113.1 activate
neighbor 203.0.113.1 soft-reconfiguration inbound
neighbor 203.0.113.1 route-map RM-INFRARUNBOOK-ISP-IN in
neighbor 203.0.113.1 route-map RM-INFRARUNBOOK-ISP-OUT out
neighbor 203.0.113.1 maximum-prefix 100 80 restart 5
neighbor 203.0.113.1 send-community both
!
neighbor 10.255.0.2 activate
neighbor 10.255.0.2 soft-reconfiguration inbound
neighbor 10.255.0.2 route-reflector-client
neighbor 10.255.0.2 send-community both
!
neighbor 10.255.0.3 activate
neighbor 10.255.0.3 soft-reconfiguration inbound
neighbor 10.255.0.3 route-reflector-client
neighbor 10.255.0.3 send-community both
!
network 172.16.0.0 mask 255.255.0.0
aggregate-address 172.16.0.0 255.255.0.0 summary-only
exit-address-family
!
end
18 — Monitoring with SNMP and Syslog
! SNMP for BGP MIB polling
snmp-server community infrarunbook-ro RO
snmp-server enable traps bgp
!
! Syslog
logging host 10.1.1.50
logging trap informational
Monitor these OIDs for neighbour state changes:
cbgpPeer2State(CISCO-BGP4-MIB) and
bgpPeerState(BGP4-MIB).
Frequently Asked Questions
Q1: What is the difference between eBGP and iBGP?
eBGP peers reside in different Autonomous Systems, while iBGP peers share the same AS number. eBGP increments the AS-path; iBGP does not. iBGP requires either a full mesh, route reflectors, or confederations to ensure all routers learn all routes.
Q2: Why do I need next-hop-self
on iBGP sessions?
When a border router advertises an eBGP-learned route to iBGP peers, the next-hop is the external peer's IP. Internal routers have no route to that IP.
next-hop-selfrewrites the next-hop to the border router's loopback, which is reachable via the IGP.
Q3: How many route reflectors should I deploy?
At minimum two for redundancy. In large networks, deploy route reflectors in a hierarchy or cluster. Each cluster should have two RRs sharing the same
bgp cluster-id.
Q4: How do I prevent my AS from becoming a transit AS?
Apply a strict outbound prefix-list or route-map that only permits prefixes you originate. Never redistribute eBGP-learned routes to another eBGP peer without explicit policy. The
INFRARUNBOOK-OUTprefix-list in this guide achieves exactly this.
Q5: What is the purpose of soft-reconfiguration inbound
?
It stores a copy of all routes received from a peer before your inbound policy is applied. This allows you to modify inbound route-maps and apply them with
clear ip bgp <peer> soft inwithout tearing down the session. The trade-off is extra memory usage.
Q6: When should I use weight
vs local-preference
?
Weight is Cisco-proprietary and local to a single router — it is never propagated. Local-preference is a standard BGP attribute propagated to all iBGP peers within the AS. Use weight for per-router decisions and local-preference for AS-wide policy.
Q7: How does BFD improve BGP convergence?
BFD runs in the data plane and detects link failures in sub-second intervals (as low as 50ms × 3 = 150ms). Without BFD, BGP relies on its hold timer (default 180 seconds) to detect a dead peer, causing prolonged traffic black-holing.
Q8: Can I use BGP communities with eBGP peers?
Yes, but you must explicitly enable it with
neighbor <ip> send-community both. By default, IOS-XE strips communities from eBGP updates. Many ISPs define action communities (e.g., no-export, blackhole) in their peering guides.
Q9: What is the maximum-prefix restart
timer?
When a peer exceeds the maximum-prefix limit, the session is torn down. The
restart <minutes>keyword automatically re-establishes the session after the specified interval. Without it, the session stays down until you manually clear it.
Q10: How do I verify which path BGP has selected and why?
Use
show ip bgp <prefix>to see all paths, then
show ip bgp <prefix> bestpathfor the decision reason. You can also use
show ip bgp <prefix> longer-prefixesto check for more-specific route leaks. For detailed comparison,
debug ip bgp updatesshows real-time update processing (use with caution in production).
Q11: Should I filter inbound routes from my ISP?
Absolutely. At a minimum, deny bogon prefixes (RFC 1918, RFC 6598, link-local, multicast, and your own prefixes). If you only need a default route, accept only 0.0.0.0/0 and deny everything else. Never trust an ISP not to leak routes accidentally.
Q12: What is RPKI/ROV and should I enable it?
Resource Public Key Infrastructure (RPKI) with Route Origin Validation (ROV) uses cryptographic certificates to verify that an AS is authorized to originate a prefix. IOS-XE 17.3+ supports it via
rpki serverconfiguration. It is strongly recommended for any network peering on the public Internet to mitigate BGP hijacking.