§ 5 BGP Attributes, Best Path, Reflection, Security, and DC Fabrics
Path-vector routing from wire session to production policy: attributes, deterministic best-path selection, iBGP scaling, communities, RPKI, convergence, multipath, DC BGP, BMP, and telemetry.
1. Overview
BGP is not just an exterior routing protocol; it is the policy engine used between enterprises, providers, cloud fabrics, and many modern data centers. It chooses one best path per prefix by comparing attributes, then advertises only what policy allows.
2. § 5.1 — BGP Fundamentals
eBGP crosses AS boundaries and usually expects directly connected peers because TTL is 1 by default. iBGP runs inside one AS; because iBGP-learned routes are not advertised to other iBGP peers by default, a full mesh or a scaling mechanism is required.
A full mesh needs n(n-1)/2 iBGP sessions for n routers, so it grows quadratically. Route reflectors (RFC 4456) relax the rule for the common case: clients peer only with the reflectors, which re-advertise iBGP routes on their behalf, while the AS still presents a single AS number to the outside.
3. § 5.2 — Path Attributes
A BGP UPDATE carries attributes that describe both reachability and policy. Mandatory attributes make the route usable; optional attributes let operators steer traffic, tag intent, and prevent reflection loops.
LOCAL_PREF controls outbound exit selection inside your AS, while MED is a hint to a neighboring AS about how it should enter yours; the neighbor is free to ignore or overwrite it.
| Attribute | Scope | Class | Rule of thumb |
|---|---|---|---|
| AS_PATH | Inter-AS | Well-known mandatory | Shorter is preferred; reject routes that already contain your own AS (loop detection). |
| NEXT_HOP | Reachability | Well-known mandatory | Must be resolvable via the IGP or a connected route, or the path is unusable. |
| LOCAL_PREF | Inside one AS | Well-known discretionary, iBGP only | Higher wins; the main knob for outbound traffic engineering. |
| MED | Neighbor AS hint | Optional non-transitive | Lower wins; compared only between paths from the same neighboring AS by default. |
| COMMUNITY | Policy tag | Optional transitive | Carries intent such as blackhole, no-export, prepend-on-receipt, or customer class; only meaningful where policy honors it. |
4. § 5.3 — Best-Path Selection
BGP compares candidate paths in a fixed order and stops at the first attribute that produces a winner. A typical order is: highest weight (Cisco-specific and local to one router), highest LOCAL_PREF (the first AS-wide policy lever), locally originated, shortest AS_PATH, lowest ORIGIN (IGP < EGP < INCOMPLETE), lowest MED (by default only between paths from the same neighboring AS), eBGP over iBGP, lowest IGP metric to the NEXT_HOP (hot-potato routing when everything above ties), oldest eBGP path, lowest router ID, shortest CLUSTER_LIST, lowest neighbor address.
Minimal C Demo — BGP Best-Path Selector
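The listing this heading announces is not on the page, so the following is an added example written for this section, not the page's original demo or any vendor's code. It implements the selection order described above up to the router-ID tie-breaker (oldest path and neighbor address are omitted), with the same-neighbor-AS rule for MED and an `always_compare_med` switch. The candidate attributes in `main` are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example: a minimal best-path selector. Steps 1 and 2 are Cisco-style
 * weight then LOCAL_PREF; the rest follow the RFC 4271 decision process.
 * Candidate data below is constructed for the demo. */

enum bgp_origin { ORIGIN_IGP = 0, ORIGIN_EGP = 1, ORIGIN_INCOMPLETE = 2 };

struct path {
    const char *name;        /* label for printing */
    uint32_t weight;         /* router-local, higher wins (Cisco-specific) */
    uint32_t local_pref;     /* AS-wide, higher wins */
    int locally_originated;  /* network/redistribute/aggregate beats learned */
    int as_path_len;         /* shorter wins */
    enum bgp_origin origin;  /* lower wins: IGP < EGP < INCOMPLETE */
    uint32_t neighbor_as;    /* MED is compared only against the same neighbor AS */
    uint32_t med;            /* lower wins */
    int is_ebgp;             /* eBGP-learned beats iBGP-learned */
    uint32_t igp_metric;     /* lower metric to NEXT_HOP wins (hot potato) */
    uint32_t router_id;      /* final tie-breaker here: lower wins */
};

/* Returns <0 if a is better, >0 if b is better, 0 if indistinguishable.
 * *step receives the 1-based step that decided (0 if none did). */
int compare_paths(const struct path *a, const struct path *b,
                  int always_compare_med, int *step)
{
    *step = 1;
    if (a->weight != b->weight) return a->weight > b->weight ? -1 : 1;
    *step = 2;
    if (a->local_pref != b->local_pref) return a->local_pref > b->local_pref ? -1 : 1;
    *step = 3;
    if (a->locally_originated != b->locally_originated) return a->locally_originated ? -1 : 1;
    *step = 4;
    if (a->as_path_len != b->as_path_len) return a->as_path_len < b->as_path_len ? -1 : 1;
    *step = 5;
    if (a->origin != b->origin) return a->origin < b->origin ? -1 : 1;
    *step = 6;
    /* MED is a hint from one neighbor AS, so by default it is not compared across
     * different neighbor ASes; always-compare-med removes that restriction. */
    if ((always_compare_med || a->neighbor_as == b->neighbor_as) && a->med != b->med)
        return a->med < b->med ? -1 : 1;
    *step = 7;
    if (a->is_ebgp != b->is_ebgp) return a->is_ebgp ? -1 : 1;
    *step = 8;
    if (a->igp_metric != b->igp_metric) return a->igp_metric < b->igp_metric ? -1 : 1;
    *step = 9;
    if (a->router_id != b->router_id) return a->router_id < b->router_id ? -1 : 1;
    *step = 0;
    return 0;
}

/* Index of the best candidate; a later path replaces the leader only when strictly better. */
int select_best(const struct path *paths, int n, int always_compare_med)
{
    int best = 0, step;
    for (int i = 1; i < n; i++)
        if (compare_paths(&paths[i], &paths[best], always_compare_med, &step) < 0)
            best = i;
    return best;
}

int main(void)
{
    /* Constructed: three candidates for one prefix, two from AS 100 and one from AS 200. */
    struct path p[3] = {
        { "AS100-a", 0, 100, 0, 2, ORIGIN_IGP, 100, 50, 1, 10, 0x01010101 },
        { "AS100-b", 0, 100, 0, 2, ORIGIN_IGP, 100, 10, 1, 20, 0x02020202 },
        { "AS200",   0, 100, 0, 3, ORIGIN_IGP, 200,  5, 1,  5, 0x03030303 },
    };
    int step;
    int best = select_best(p, 3, 0);
    compare_paths(&p[best], &p[0], 0, &step);
    printf("best=%s (beats %s at step %d)\n", p[best].name, p[0].name, step);
    return 0;
}
```

One caveat the pairwise loop makes visible: because MED is only compared within the same neighboring AS, the comparison is not transitive, and a naive pairwise scan can pick a different winner depending on the order candidates arrived. Real implementations group candidates by neighbor AS first (Cisco's `bgp deterministic-med`) to keep the result stable.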
5. § 5.4 — Route Reflectors and Confederation
A route reflector has clients and non-clients. It reflects routes learned from a client to all other clients and to non-clients, reflects routes learned from a non-client only to clients, and when it reflects it sets ORIGINATOR_ID (if not already present) and prepends its CLUSTER_ID to CLUSTER_LIST, so that a route arriving back at its originator, or at a cluster it has already traversed, is dropped.
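The reflection rules and both loop checks, as an added example on constructed router and cluster IDs (not vendor code): `rr_should_send` is the per-peer forwarding decision, `rr_stamp` is what the reflector adds when it reflects, and `rr_accept` is the receive-side check every speaker applies.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example: RFC 4456 route reflection on constructed data. Not vendor code.
 * Router IDs and cluster IDs below are made up for the demo. */

#define MAX_CLUSTERS 8

enum peer_kind { PEER_EBGP, PEER_RR_CLIENT, PEER_RR_NONCLIENT };

struct reflected_route {
    uint32_t originator_id;                 /* 0 = attribute absent */
    uint32_t cluster_list[MAX_CLUSTERS];    /* most recent reflector first */
    int cluster_len;
};

struct speaker { uint32_t router_id; uint32_t cluster_id; };  /* cluster_id = router_id unless configured */

/* Receive-side loop checks: drop if ORIGINATOR_ID is our own router ID, or if our
 * CLUSTER_ID already appears in CLUSTER_LIST (the route has been through this cluster). */
int rr_accept(const struct speaker *me, const struct reflected_route *r)
{
    if (r->originator_id != 0 && r->originator_id == me->router_id) return 0;
    for (int i = 0; i < r->cluster_len; i++)
        if (r->cluster_list[i] == me->cluster_id) return 0;
    return 1;
}

/* Send-side rule: where does a route learned from `from` go?
 * client -> all other clients and all non-clients; non-client -> clients only;
 * eBGP-learned -> everyone, as ordinary BGP advertisement. */
int rr_should_send(enum peer_kind from, enum peer_kind to)
{
    if (to == PEER_EBGP) return 1;             /* subject to export policy, not RR rules */
    switch (from) {
    case PEER_RR_CLIENT:    return 1;
    case PEER_RR_NONCLIENT: return to == PEER_RR_CLIENT;
    default:                return 1;
    }
}

/* Attribute stamping when a route is reflected: set ORIGINATOR_ID to the router ID of
 * the route's originator in the local AS if absent (for eBGP-learned routes the reflector
 * passes its own ID), then prepend our CLUSTER_ID. Returns 0 if the list is full. */
int rr_stamp(const struct speaker *me, uint32_t originator_router_id, struct reflected_route *r)
{
    if (r->originator_id == 0) r->originator_id = originator_router_id;
    if (r->cluster_len >= MAX_CLUSTERS) return 0;
    for (int i = r->cluster_len; i > 0; i--) r->cluster_list[i] = r->cluster_list[i - 1];
    r->cluster_list[0] = me->cluster_id;
    r->cluster_len++;
    return 1;
}

int main(void)
{
    struct speaker rr1 = { 0x0a000001, 0x0a000001 }, rr2 = { 0x0a000002, 0x0a000002 };
    struct speaker client = { 0x0a000010, 0x0a000010 };
    struct reflected_route r = { 0, { 0 }, 0 };

    rr_stamp(&rr1, client.router_id, &r);   /* client -> RR1 */
    rr_stamp(&rr2, rr1.router_id, &r);      /* RR1 -> RR2 (non-clients of each other) */
    printf("back at RR1: %s\n", rr_accept(&rr1, &r) ? "accepted" : "dropped (cluster loop)");
    printf("back at originating client: %s\n",
           rr_accept(&client, &r) ? "accepted" : "dropped (ORIGINATOR_ID)");
    return 0;
}
```

Note that `rr_stamp` leaves an existing ORIGINATOR_ID alone: the second reflector must not overwrite it, or the originating client would lose the check that protects it.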
Confederation splits a large AS into private sub-ASes. Inside, sessions between sub-ASes behave like eBGP (the sub-AS path is recorded as AS_CONFED_SEQUENCE) while LOCAL_PREF, MED and NEXT_HOP are preserved as in iBGP; outside, the network still appears as the single public confederation identifier.
6. § 5.5 — Communities
Communities are policy tags carried with routes. Standard communities are 32 bits in the AS:value model (16-bit ASN, 16-bit value), extended communities are 64 bits and carry VPN route targets among other things, and large communities (RFC 8092) are 96 bits written ASN:value1:value2, so a 4-byte ASN fits in the first field.
- NO_EXPORT keeps a route inside the AS boundary (inside the whole confederation, if one is used).
- NO_ADVERTISE prevents advertisement to any BGP peer.
- NO_EXPORT_SUBCONFED, shown as LOCAL_AS or local-AS on some CLIs, keeps a route inside the local confederation sub-AS.
- Remote-triggered blackhole communities (RFC 7999 reserves BLACKHOLE, 65535:666) let a customer ask the provider to discard attack traffic near ingress.
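Encoding, parsing and the export decision for the well-known values, as an added example on constructed communities (not vendor code): standard communities pack ASN:value into 32 bits, large communities carry three 32-bit fields, and `community_allows_export` applies the RFC 1997 meaning of the three well-known values to a peer of a given scope.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: RFC 1997 standard and RFC 8092 large communities, plus the export
 * decision for the well-known values. Constructed values; not vendor code. */

#define NO_EXPORT            0xFFFFFF01u   /* 65535:65281 */
#define NO_ADVERTISE         0xFFFFFF02u   /* 65535:65282 */
#define NO_EXPORT_SUBCONFED  0xFFFFFF03u   /* 65535:65283, "local-AS" on some CLIs */
#define BLACKHOLE            0xFFFF029Au   /* RFC 7999: 65535:666 */

struct large_community { uint32_t global_admin, local1, local2; };   /* 12 octets on the wire */

/* Standard community: 16-bit ASN in the high half, 16-bit operator value in the low half. */
uint32_t community_encode(uint16_t asn, uint16_t value)
{
    return ((uint32_t)asn << 16) | value;
}

/* Parse "ASN:VALUE"; returns 0 if either field is missing or does not fit in 16 bits. */
int community_parse(const char *text, uint32_t *out)
{
    unsigned asn, value;
    if (sscanf(text, "%u:%u", &asn, &value) != 2 || asn > 0xFFFF || value > 0xFFFF) return 0;
    *out = community_encode((uint16_t)asn, (uint16_t)value);
    return 1;
}

/* Render a community the way a CLI would: well-known names, otherwise ASN:VALUE. */
void community_format(uint32_t c, char *buf, size_t n)
{
    switch (c) {
    case NO_EXPORT:           snprintf(buf, n, "no-export"); break;
    case NO_ADVERTISE:        snprintf(buf, n, "no-advertise"); break;
    case NO_EXPORT_SUBCONFED: snprintf(buf, n, "local-AS"); break;
    case BLACKHOLE:           snprintf(buf, n, "blackhole"); break;
    default: snprintf(buf, n, "%u:%u", (unsigned)(c >> 16), (unsigned)(c & 0xFFFF)); break;
    }
}

/* Large community "GA:L1:L2": three 32-bit fields, so a 4-byte ASN fits in GA. */
int large_community_parse(const char *text, struct large_community *lc)
{
    unsigned long long ga, l1, l2;
    if (sscanf(text, "%llu:%llu:%llu", &ga, &l1, &l2) != 3) return 0;
    if (ga > 0xFFFFFFFFull || l1 > 0xFFFFFFFFull || l2 > 0xFFFFFFFFull) return 0;
    lc->global_admin = (uint32_t)ga; lc->local1 = (uint32_t)l1; lc->local2 = (uint32_t)l2;
    return 1;
}

enum peer_scope { PEER_IBGP, PEER_CONFED_EBGP, PEER_EXTERNAL_EBGP };

/* Export check for the well-known communities (RFC 1997 semantics):
 * NO_ADVERTISE -> no peer at all; NO_EXPORT -> not beyond the AS/confederation;
 * NO_EXPORT_SUBCONFED -> not beyond the local sub-AS, i.e. iBGP peers only. */
int community_allows_export(const uint32_t *comms, int n, enum peer_scope peer)
{
    for (int i = 0; i < n; i++) {
        switch (comms[i]) {
        case NO_ADVERTISE:        return 0;
        case NO_EXPORT:           if (peer == PEER_EXTERNAL_EBGP) return 0; break;
        case NO_EXPORT_SUBCONFED: if (peer != PEER_IBGP) return 0; break;
        default: break;
        }
    }
    return 1;
}

int main(void)
{
    uint32_t comms[2]; char buf[32];
    community_parse("64512:100", &comms[0]);       /* constructed customer-class tag */
    community_parse("65535:65281", &comms[1]);     /* NO_EXPORT written as ASN:value */
    for (int i = 0; i < 2; i++) { community_format(comms[i], buf, sizeof buf); printf("%s\n", buf); }
    printf("export to iBGP: %d, to external eBGP: %d\n",
           community_allows_export(comms, 2, PEER_IBGP),
           community_allows_export(comms, 2, PEER_EXTERNAL_EBGP));
    return 0;
}
```

The parser rejects an ASN above 65535 on purpose: a 4-byte ASN cannot be expressed in a standard community, which is exactly the gap large communities close.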
7. § 5.6 — BGP Security
RPKI origin validation checks a route's origin AS and prefix length against published ROAs and returns VALID, INVALID or NOT_FOUND. It does not prove the AS_PATH, so an attacker who forges the legitimate origin AS at the end of a path still passes, but it blocks the most common origin-hijack class when INVALID routes are rejected.
- maximum-prefix caps how many prefixes a peer may send and warns or resets the session above the threshold, limiting the blast radius of a route leak.
- GTSM (RFC 5082) has peers send with TTL 255 and accept only packets whose TTL is still at or above the value expected for the configured hop distance (255 for a directly connected peer); an off-path attacker cannot deliver a packet with that TTL, which reduces spoofing and reset risk.
- BGPsec signs AS_PATH propagation but is operationally heavy and far less deployed than RPKI origin validation.
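The three origin-validation outcomes, as an added example against a constructed ROA (not a real validator or RTR client; IPv4 only, using documentation prefixes and private ASNs): a covering ROA must match both the origin AS and the maxLength for VALID, a covering ROA that matches neither gives INVALID, and no covering ROA gives NOT_FOUND. `rov_accept` is the usual deployment policy of rejecting only INVALID.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: RFC 6811 origin validation against a constructed ROA set.
 * IPv4 only, host-order arithmetic; not a real validator or RTR client. */

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

enum rov_state { ROV_VALID, ROV_INVALID, ROV_NOT_FOUND };

struct roa   { uint32_t prefix; uint8_t len; uint8_t maxlen; uint32_t asn; };
struct route { uint32_t prefix; uint8_t len; uint32_t origin_as; };

static uint32_t netmask(uint8_t len) { return len == 0 ? 0 : 0xFFFFFFFFu << (32 - len); }

/* A ROA covers a route when the route prefix is the ROA prefix or a more specific of it. */
static int roa_covers(const struct roa *r, const struct route *rt)
{
    return rt->len >= r->len && ((rt->prefix ^ r->prefix) & netmask(r->len)) == 0;
}

/* VALID if any covering ROA matches both origin AS and maxLength; INVALID if ROAs cover
 * the prefix but none matches; NOT_FOUND if no ROA covers it at all. */
enum rov_state validate_origin(const struct roa *roas, int n, const struct route *rt)
{
    int covered = 0;
    for (int i = 0; i < n; i++) {
        if (!roa_covers(&roas[i], rt)) continue;
        covered = 1;
        if (roas[i].asn == rt->origin_as && rt->len <= roas[i].maxlen) return ROV_VALID;
    }
    return covered ? ROV_INVALID : ROV_NOT_FOUND;
}

/* The common deployment policy: reject INVALID, accept VALID and NOT_FOUND. */
int rov_accept(enum rov_state s) { return s != ROV_INVALID; }

/* Build a route from "a.b.c.d/len" text for readability; returns 0 on malformed input. */
int route_from_text(const char *cidr, uint32_t origin_as, struct route *rt)
{
    unsigned a, b, c, d, len;
    if (sscanf(cidr, "%u.%u.%u.%u/%u", &a, &b, &c, &d, &len) != 5) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255 || len > 32) return 0;
    rt->prefix = IP4(a, b, c, d) & netmask((uint8_t)len);
    rt->len = (uint8_t)len;
    rt->origin_as = origin_as;
    return 1;
}

int main(void)
{
    /* Constructed ROA: 203.0.113.0/24, maxLength 24, AS 64496 (documentation ranges). */
    struct roa roas[] = { { IP4(203, 0, 113, 0), 24, 24, 64496 } };
    const char *names[] = { "VALID", "INVALID", "NOT_FOUND" };
    struct { const char *cidr; uint32_t asn; } cases[] = {
        { "203.0.113.0/24", 64496 },    /* legitimate announcement */
        { "203.0.113.128/25", 64496 },  /* right AS, too specific: maxLength exceeded */
        { "203.0.113.0/24", 64511 },    /* origin hijack: wrong AS */
        { "198.51.100.0/24", 64496 },   /* no ROA at all */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct route rt;
        route_from_text(cases[i].cidr, cases[i].asn, &rt);
        printf("%-18s AS%-6u %s\n", cases[i].cidr, cases[i].asn,
               names[validate_origin(roas, 1, &rt)]);
    }
    return 0;
}
```

The maxLength case is the one operators get wrong most often: a ROA for /24 with maxLength 24 makes every more-specific INVALID, which is the intended protection against a more-specific hijack, but it also breaks any legitimate /25 the prefix holder forgot to cover.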
8. § 5.7 — BGP Convergence
BGP favors stability: keepalive and hold timers are slow, the MinRouteAdvertisementInterval (MRAI) spaces out repeated advertisements, and policy churn can be expensive. Fast designs add BFD for detection and BGP-PIC so backup paths are already installed in hardware.
- BFD tears down the session quickly; BGP then withdraws or switches paths.
- Graceful Restart lets peers keep forwarding on the restarting router's routes, marked stale, while its control plane restarts; End-of-RIB after resync signals that re-advertisement is complete and stale routes can be purged.
- ADD-PATH lets a route reflector advertise more than one path, improving backup visibility for clients.
9. § 5.8 and § 5.9 — Multipath and Data Center BGP
BGP multipath installs several equal candidates into the FIB. Data center fabrics lean on this heavily: eBGP unnumbered over IPv6 link-local addresses removes per-link address management, a private ASN per leaf keeps eBGP loop detection meaningful without iBGP, and ECMP spreads traffic across a Clos underlay.
- `maximum-paths 4` enables up to four eBGP paths in the FIB when their attributes match through the MED step (by default with an identical AS_PATH).
- `maximum-paths ibgp 4` enables iBGP multipath, which additionally expects equal IGP metrics to the next hops.
- `bgp bestpath as-path multipath-relax` relaxes the identical-AS_PATH rule to equal length; it is common in DC fabrics where each leaf has a different ASN.
- FRRouting, BIRD, and GoBGP make host or container BGP practical on Linux.
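Which candidates join the ECMP set, as an added example on a constructed leaf-spine scenario (not FRRouting, BIRD or GoBGP code): three leaves with private ASNs advertise the same server prefix to a spine, and the same candidates yield one path under the default identical-AS_PATH rule but two under multipath-relax. The `mp_config` struct stands in for the `maximum-paths` and `multipath-relax` knobs.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: deciding which candidates join the ECMP set once a best path is
 * known. LOCAL_PREF, AS_PATH length, ORIGIN, MED, peer type (eBGP vs iBGP) and IGP
 * metric must equal the best path's; eBGP multipath additionally requires an identical
 * AS_PATH unless multipath-relax is set, which requires only equal length.
 * Constructed data; not FRR, BIRD or GoBGP code. */

#define MAX_AS_PATH 8

struct cand {
    const char *next_hop;
    uint32_t local_pref;
    uint32_t as_path[MAX_AS_PATH];
    int as_path_len;
    uint32_t origin, med;
    int is_ebgp;
    uint32_t igp_metric;
};

struct mp_config { int max_paths; int relax_as_path; };

static int same_as_path(const struct cand *a, const struct cand *b)
{
    return a->as_path_len == b->as_path_len &&
           memcmp(a->as_path, b->as_path, a->as_path_len * sizeof a->as_path[0]) == 0;
}

/* Is candidate c equal enough to the best path to share the FIB entry? */
int mp_eligible(const struct cand *best, const struct cand *c, const struct mp_config *cfg)
{
    if (c->local_pref != best->local_pref) return 0;
    if (c->as_path_len != best->as_path_len) return 0;
    if (c->origin != best->origin || c->med != best->med) return 0;
    if (c->is_ebgp != best->is_ebgp) return 0;
    if (c->igp_metric != best->igp_metric) return 0;
    /* Different leaf ASNs in a Clos fabric produce different AS_PATHs of equal length;
     * without multipath-relax the second leaf's path is dropped from the ECMP set. */
    if (c->is_ebgp && !cfg->relax_as_path && !same_as_path(best, c)) return 0;
    return 1;
}

/* Writes member indices (best first) into out[]; returns the count, capped at max_paths. */
int mp_select(const struct cand *cands, int n, int best, const struct mp_config *cfg, int *out)
{
    int count = 0;
    out[count++] = best;
    for (int i = 0; i < n && count < cfg->max_paths; i++)
        if (i != best && mp_eligible(&cands[best], &cands[i], cfg)) out[count++] = i;
    return count;
}

int main(void)
{
    /* Constructed: a spine learning one server prefix from three leaves with private ASNs. */
    struct cand leaves[3] = {
        { "leaf1", 100, { 65001 },        1, 0, 0, 1, 0 },
        { "leaf2", 100, { 65002 },        1, 0, 0, 1, 0 },
        { "leaf3", 100, { 65003, 65010 }, 2, 0, 0, 1, 0 },   /* longer path: never eligible */
    };
    struct mp_config strict = { 4, 0 }, relax = { 4, 1 };
    int out[3];
    int n = mp_select(leaves, 3, 0, &strict, out);
    printf("default: %d path(s)\n", n);
    n = mp_select(leaves, 3, 0, &relax, out);
    printf("multipath-relax: %d path(s):", n);
    for (int i = 0; i < n; i++) printf(" %s", leaves[out[i]].next_hop);
    printf("\n");
    return 0;
}
```

The index passed as `best` is assumed to come from the best-path selection of § 5.3; multipath never overrides that choice, it only adds equal-cost siblings beside it.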
10. § 5.10 — BGP Monitoring
BMP (RFC 7854) exports BGP messages, peer up/down events, statistics and pre- and post-policy Adj-RIB-In views to collectors without scraping CLI output. gNMI streams structured BGP state from YANG models, giving lower-latency operational data than SNMP polling.
11. Interview Prep
- Why does iBGP need full mesh or route reflectors? iBGP-learned routes are not advertised to other iBGP peers by default.
- LOCAL_PREF or MED for outbound traffic? LOCAL_PREF; it is AS-wide and higher wins.
- What prevents RR loops? ORIGINATOR_ID blocks a route returning to its originator, and CLUSTER_LIST blocks reflection loops across clusters.
- What does RPKI INVALID mean? At least one ROA covers the prefix, but none matches both the announcing origin AS and the maxLength.
- Why use BGP-PIC? Backup next hops are pre-installed in FIB, so failure does not require scanning and rewriting every affected prefix.