[Contents] [Prev] [Next] [Index] [Report an Error]

Configuring Promiscuous Peers and Dynamic Peering

You can use the neighbor allow command to enable a peer group to accept incoming BGP connections from any remote address that matches an access list. Such a peer group is known as a promiscuous peer group; the member peers are sometimes referred to as promiscuous peers.

Promiscuous peers are useful when the remote address of the peer is not known ahead of time. An example is in B-RAS applications, in which interfaces for subscribers are created dynamically and the remote address of the subscriber is assigned dynamically from a local pool or by using RADIUS or some other method.

BGP automatically creates a dynamic peer when a peer group member accepts the incoming BGP connection. Dynamic peers are passive, meaning that when they are not in the established state, they will accept inbound connections but they will not initiate outbound connections. You cannot configure any attributes for the dynamic peers. You cannot remove a dynamic peer with the no neighbor ip-address command.

When a dynamic peer goes from the established state to the idle state for any reason, BGP removes the dynamic peer only if it does not go back to the established state within 1 minute. This delay enables you to see the dynamic peer in show command output; for example, you might want to see the reason for the last reset or how many times the session flapped.

While a dynamic peer is not in the established state, the show ip bgp neighbor command displays the number of seconds remaining until the dynamic peer will be removed.

If you have configured the neighbor allow command for multiple peer groups, when an incoming BGP connection matches the access list of more than one of these peer groups, the dynamic peer is created only in the first peer group. (BGP orders peer groups alphabetically by name.)

When the BGP speaker receives an open message from a dynamic peer, the remote AS number must match one of the following criteria; the connection is closed if it does not:

If the peer group has a configured remote AS number, then the received AS number must be the same as the configured remote AS number.
If the peer group does not have a configured AS number, then the received AS number must be consistent with the peer type of the peer group. Use the neighbor peer-type command to configure the type of the peer-group.

If a peer group has been configured with a peer type but not a remote AS, then the remote AS for dynamic peers is not known until an open message has been received from the peer. Until then, show commands display the remote AS as “ ?” or “ unknown.”

Static peers that you configure with the neighbor remote-as or neighbor peer-group commands take precedence over the dynamic peers created as a result of the neighbor allow command. If the remote address of an incoming BGP connection matches both a static peer and the access list, the static peer is used and no dynamic peer is created. If you configure a new static peer while a dynamic peer for the same remote address already exists, BGP automatically removes the dynamic peer.

You can optionally specify the maximum number of dynamic peers that BGP can create for the peer group. There is no default maximum. In the absence of a specified maximum, the number of dynamic peers allowed is determined by the available memory and CPU. Dynamic peers consume about the same resources as static peers.

When the maximum number of dynamic peers has been created for a peer group, BGP rejects all subsequent connection attempts for that group. This behavior means that you can specify a maximum to help protect against denial-of-service attacks that attempt to create many dynamic peers to overwhelm your router resources.

BGP generates a log message whenever a dynamic peer is created, rejected because the maximum has been reached, or removed. BGP maintains counters for each peer group for the current number of dynamic peers, the highest number of concurrent dynamic peers ever reached, and the number of times a dynamic peer was rejected because the maximum was reached.

Because dynamic peers always fully inherit their configuration from a peer group, any features that are available for peers but not for peer group members are not supported for the dynamic peers. Currently, only ORFs are not supported for peer group members and therefore are not supported for dynamic peers.

clear bgp ipv6 dynamic-peers

clear ip bgp dynamic-peers

Use to remove all dynamic peers in the specified scope.
You can specify the IP address of a BGP neighbor or the name of a BGP peer group as the scope. For IPv4 only, you can also include a VRF in the scope.
Use the asterisk (*) to remove all BGP dynamic peers.
This command takes effect immediately.
Examplehost1#clear ip bgp 192.168.1.158 vrf boston5 dynamic-peers
There is no no version.
See clear bgp ipv6 dynamic-peers.
See clear ip bgp dynamic-peers.

neighbor allow

Use to configure a peer group to accept incoming BGP connections from any remote address that matches the specified access list.
When the BGP connection is accepted, a dynamic peer is automatically created.
This command is supported only for peer groups; it is not available for individual peers. These dynamic peers are not displayed by the show configuration command and are not stored in NVS. However, the dynamic peers are displayed by show commands that display information about BGP peers, such as show ip bgp neighbors, show ip bgp summary, and so on.
Incoming connections that match the specified access list are rejected if no peer type has been configured for the peer group.
This command takes effect immediately. Any existing dynamic BGP sessions that are no longer allowed by the new configuration are removed automatically and immediately. Preexisting dynamic peers that are still allowed by the new configuration are not affected.
All the members of the peer group inherit the characteristic configured with this command. It cannot be overridden for a specific peer, because the command applies only to peer groups.
Examplehost1(config-router)#neighbor promispeers allow remotelist1 max-peers 1023
Use the no version to remove the configuration from the peer group.
See neighbor allow.

[Contents] [Prev] [Next] [Index] [Report an Error]