Disable flapping BGP neighbors

By Ivan Pepelnjak

Symptom

BGP protocol specifications require a BGP router to use BGP notification messages to reject invalid routing updates, updates with incorrect attribute combinations or other protocol errors (including AS number mismatch and duplicate router ID).

A notification message terminates the BGP session. Since the offending data (or configuration error) is usually not removed from the sending router, the impacted BGP session flaps continuously until someone intervenes manually, causing widespread propagation of unnecessary BGP routing updates.

Solution

An Embedded Event Manager applet or TCL policy can detect a flapping BGP session and shut down the offending BGP neighbor.

The applets described in this article react to at least three BGP-3-NOTIFICATION syslog messages per minute.

EEM 3.0 applet

The following EEM applet requires the programming logic and regular expression support available in Embedded Event Manager 3.0 (first released with Cisco IOS release 12.4(22)T).

EEM 3.0 applet source code

event manager applet BGPNotification
 event syslog occurs 3 pattern "BGP-3-NOTIFICATION" period 60
 action 100 regexp "neighbor\s+([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" "$_syslog_msg" match id
 action 200 if $_regexp_result eq 1
 action 300  info type snmp oid bgp.2.0 get-type exact
 action 400  cli command "enable"
 action 410  cli command "configure terminal"
 action 420  cli command "router bgp $_info_snmp_value"
 action 430  cli command "neighbor $id shutdown"
 action 500  syslog msg "Shut down BGP neighbor $id"
 action 510  info type routername
 action 520  mail server $_mail_smtp to $_mail_rcpt from "$_info_routername@$_mail_domain" subject "ALERT: BGP neighbor $id shutdown due to excessive notifications" body "\n$_syslog_msg"
 action 999 end

Additional configuration

The EEM applet expects several EEM environment variables described in the Send e-mail from EEM applets article. A sample configuration is included in the following printout:

event manager environment _mail_smtp
event manager environment _mail_domain example.com
event manager environment _mail_rcpt operator@example.com

BGP neighbor event logging has to be enabled with the bgp log-neighbor-changes router configuration command.
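
To check the three-notifications-per-minute threshold against archived syslog before deploying the applet, the following Python sketch (an added example, not part of the original article) replays log lines and compares two ways of counting. The router-wide mode models the applet's `BGP-3-NOTIFICATION` pattern, which matches notifications for any neighbor, and assumes `$_syslog_msg` holds the message that completed the count; the per-neighbor mode is a refinement added here. The log line layout, the function names and the restart of the count after a trip are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: syslog-server timestamp, hostname, IOS message text.
SAMPLE_LOG = """\
2024-05-01T10:00:05 rtr1 %BGP-3-NOTIFICATION: sent to neighbor 10.0.0.2 2/2 (peer in wrong AS) 2 bytes FDE8
2024-05-01T10:00:20 rtr1 %BGP-5-ADJCHANGE: neighbor 10.0.0.3 Up
2024-05-01T10:00:25 rtr1 %BGP-3-NOTIFICATION: sent to neighbor 10.0.0.2 2/2 (peer in wrong AS) 2 bytes FDE8
2024-05-01T10:00:40 rtr1 %BGP-3-NOTIFICATION: received from neighbor 10.0.0.9 4/0 (hold time expired) 0 bytes
2024-05-01T10:00:50 rtr1 %BGP-3-NOTIFICATION: sent to neighbor 10.0.0.2 2/2 (peer in wrong AS) 2 bytes FDE8
""".splitlines()

# Same neighbor-address capture as the applet's "action 100 regexp".
NOTIF = re.compile(
    r"^(\S+)\s.*?%BGP-3-NOTIFICATION:.*?neighbor\s+(\d+\.\d+\.\d+\.\d+)")


def notifications(lines):
    """Yield (timestamp, neighbor) for each BGP-3-NOTIFICATION line."""
    for line in lines:
        m = NOTIF.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2)


def trips(lines, threshold=3, period=60, per_neighbor=True):
    """Return {neighbor: time the threshold was first reached}.

    per_neighbor=False keeps one router-wide window and names the neighbor
    found in the message that completed the count.
    """
    windows = defaultdict(deque)
    result = {}
    for ts, peer in notifications(lines):
        q = windows[peer if per_neighbor else "*"]
        q.append(ts)
        # Drop notifications that fell out of the sliding window.
        while (ts - q[0]).total_seconds() >= period:
            q.popleft()
        if len(q) >= threshold:
            result.setdefault(peer, ts)
            q.clear()  # assumption: the count restarts after a trip
    return result


if __name__ == "__main__":
    print("router-wide :", trips(SAMPLE_LOG, per_neighbor=False))
    print("per-neighbor:", trips(SAMPLE_LOG))
```

On the constructed sample the router-wide count reaches three on the message about 10.0.0.9, which sent only one notification, while the per-neighbor count singles out 10.0.0.2.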

