Look, I’ve been doing BGP for over a decade. And I still manage to screw up the basics sometimes.
Last month I was setting up an EBGP peering between AS64500 and AS65000. Should have been a 30-minute job. Took me four hours. Why? Because I forgot to check the ACL on the transit link. Classic.
This guide is the one I wish I had when I started. No fluff. Just CLI commands, topology, and the gotchas that’ll bite you.
The Lab Topology
```
[AS 64500]                               [AS 65000]
R1 (10.0.12.1) ------------- (10.0.12.2) R2
Loopback0: 1.1.1.1                       Loopback0: 2.2.2.2
Network: 172.16.1.0/24                   Network: 192.168.1.0/24
```
Simple enough. But I’ve seen people fumble this exact setup.
Step 1: The Bare Minimum BGP Config
```
! R1 Configuration
router bgp 64500
 bgp router-id 1.1.1.1
 neighbor 10.0.12.2 remote-as 65000
 ! Critical: EBGP TTL defaults to 1. If you're not directly connected, you need this.
 ! In this lab 10.0.12.0/24 is directly connected, so it is not required here, and it
 ! must be removed before enabling ttl-security in Step 4 (the two are mutually exclusive).
 neighbor 10.0.12.2 ebgp-multihop 2
 neighbor 10.0.12.2 timers 10 30
 !
 address-family ipv4 unicast
  network 172.16.1.0 mask 255.255.255.0
  neighbor 10.0.12.2 activate
 exit-address-family
```

```
! R2 Configuration
router bgp 65000
 bgp router-id 2.2.2.2
 neighbor 10.0.12.1 remote-as 64500
 ! Same caveat as on R1: directly connected, so optional, and incompatible with ttl-security.
 neighbor 10.0.12.1 ebgp-multihop 2
 neighbor 10.0.12.1 timers 10 30
 !
 address-family ipv4 unicast
  network 192.168.1.0 mask 255.255.255.0
  neighbor 10.0.12.1 activate
 exit-address-family
```
Gotcha #1: ebgp-multihop. If you’re peering over a directly connected subnet, you don’t need it. But the moment you use loopback interfaces or there’s a router in between? You’ll be staring at an Idle state forever.
Gotcha #2: Default timers (60s keepalive, 180s hold) are trash for modern networks. I drop them to 10/30. Any lower and you’ll burn CPU on keepalive processing. Any higher and failure detection is glacial.
Step 2: Verification (The Command That Saves Your Ass)
```
show ip bgp summary
show ip bgp neighbors 10.0.12.2
```
Here’s what those states actually mean:
| BGP State | What’s Happening | Why You’re Stuck Here |
|---|---|---|
| Idle | Initial state or error | Neighbor unreachable, wrong AS number |
| Connect | TCP handshake in progress | Routing issue, ACL blocking port 179 |
| Active | Retrying the TCP connection after Connect failed | Peer not configured, or peer’s ACL drops your SYN |
| OpenSent | OPEN message sent | Usually fine, waiting for peer |
| OpenConfirm | OPEN received and acknowledged | Almost there |
| Established | Peering is up | Pop the champagne |
Real talk: If you’re stuck in Active for more than 30 seconds, don’t guess. Run debug ip bgp events and read the output. I once spent two hours debugging an Active state only to find the upstream firewall was dropping TCP/179. The debug told me in 10 seconds.
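The state table above is what you read off the last column of show ip bgp summary. As an added example (not part of the original post), here is a small parser that turns a constructed copy of that output into per-neighbor triage hints; the sample text is made up, and the "(PfxCt)" / "(Admin)" markers are the IOS annotations for a maximum-prefix teardown and an administrative shutdown.

```python
# Likely causes per FSM state, from the table above.
STATE_HINTS = {
    "Idle": "neighbor unreachable or wrong remote-as",
    "Connect": "TCP handshake in progress; check routing and ACLs on TCP/179",
    "Active": "TCP connect failed; peer not configured or its ACL drops your SYN",
    "OpenSent": "OPEN sent, waiting for peer",
    "OpenConfirm": "OPEN received and acknowledged; almost there",
}

# Constructed sample of 'show ip bgp summary' output (not captured from a real router).
SAMPLE_SUMMARY = """\
BGP router identifier 1.1.1.1, local AS number 64500
BGP table version is 3, main routing table version 3

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.0.12.2       4        65000      12      14        3    0    0 00:05:12        1
10.0.13.3       4        65001       0       0        1    0    0 never    Active
10.0.14.4       4        65002     100     120        3    0    0 00:01:03 Idle (PfxCt)
"""


def parse_bgp_summary(text):
    """One dict per neighbor row: ip, remote_as, state, prefixes, hint."""
    rows, in_table = [], False
    for line in text.splitlines():
        if line.startswith("Neighbor"):          # column header marks the table start
            in_table = True
            continue
        fields = line.split()
        if not in_table or len(fields) < 10:     # 9 fixed columns + State/PfxRcd
            continue
        ip, remote_as = fields[0], int(fields[2])
        tail = " ".join(fields[9:])              # State/PfxRcd may contain a space
        if tail.isdigit():                       # a number here means Established
            rows.append({"ip": ip, "remote_as": remote_as, "state": "Established",
                         "prefixes": int(tail), "hint": "peering is up"})
            continue
        hint = STATE_HINTS.get(tail.split()[0], "unknown state")
        if "(PfxCt)" in tail:                    # maximum-prefix tripped (see Step 3)
            hint = "maximum-prefix exceeded; session down until the restart timer fires"
        elif "(Admin)" in tail:
            hint = "neighbor is administratively shut down"
        rows.append({"ip": ip, "remote_as": remote_as, "state": tail,
                     "prefixes": 0, "hint": hint})
    return rows

def unhealthy_neighbors(rows):
    """IPs of sessions that are not Established, the ones to look at first."""
    return [r["ip"] for r in rows if r["state"] != "Established"]
```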
Step 3: Route Policy (Non-Negotiable in 2026)
Running BGP without filters is like leaving your front door open. Every EBGP peer needs three things:
- Inbound prefix filter — prevents route table pollution
- Outbound AS_PATH filter — stops private AS leakage
- Maximum prefix limit — DDoS protection
```
! R1 prefix lists and route-maps
ip prefix-list ALLOW_FROM_R2 seq 5 permit 192.168.1.0/24
ip prefix-list ADVERTISE_TO_R2 seq 5 permit 172.16.1.0/24
!
route-map RM_IN_FROM_R2 permit 10
 match ip address prefix-list ALLOW_FROM_R2
 set local-preference 150
!
! Outbound: advertise only our own 172.16.1.0/24. Matching ALLOW_FROM_R2 here
! would only ever try to hand R2 its own prefix back, so nothing useful gets sent.
route-map RM_OUT_TO_R2 permit 10
 match ip address prefix-list ADVERTISE_TO_R2
 set as-path prepend 64500 64500 64500
!
router bgp 64500
 address-family ipv4 unicast
  neighbor 10.0.12.2 route-map RM_IN_FROM_R2 in
  neighbor 10.0.12.2 route-map RM_OUT_TO_R2 out
  neighbor 10.0.12.2 maximum-prefix 100 80 restart 5
```
Pro tip: maximum-prefix 100 80 restart 5 is my go-to. It warns at 80% capacity, tears down the session at 100%, and auto-recovers after 5 minutes. This single command has saved my network from route leaks twice.
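To see what the inbound filter and the maximum-prefix line actually decide, here is an added example (not code from the post or from any vendor) that models IOS prefix-list matching, including ge/le ranges the post does not use, and the warn-at-80%/tear-down-past-the-limit logic of maximum-prefix 100 80. The CUSTOMER_BLOCK list is constructed for illustration; ALLOW_FROM_R2 is the one from the config above.

```python
import ipaddress

def parse_prefix_lists(config_lines):
    """Parse IOS 'ip prefix-list NAME seq N permit|deny A/len [ge X] [le Y]' lines."""
    lists = {}
    for line in config_lines:
        f = line.split()
        if len(f) < 7 or f[:2] != ["ip", "prefix-list"] or f[3] != "seq":
            continue
        name, seq, action, net = f[2], int(f[4]), f[5], ipaddress.ip_network(f[6])
        bounds = dict(zip(f[7::2], map(int, f[8::2])))   # {'ge': X, 'le': Y}
        lists.setdefault(name, []).append((seq, action, net, bounds.get("ge"), bounds.get("le")))
    for entries in lists.values():
        entries.sort()                                    # evaluated in seq order
    return lists

def prefix_list_permits(entries, prefix):
    """First-match semantics with the implicit deny at the end, like IOS."""
    p = ipaddress.ip_network(prefix)
    for _seq, action, net, ge, le in entries:
        if not p.subnet_of(net):
            continue
        low = ge if ge is not None else net.prefixlen
        # no ge/le means exact length; ge alone opens the range up to the host length
        high = le if le is not None else (net.prefixlen if ge is None else p.max_prefixlen)
        if low <= p.prefixlen <= high:
            return action == "permit"
    return False

def max_prefix_action(count, maximum=100, threshold_pct=80):
    """Mirror 'maximum-prefix 100 80': warn at the threshold, tear down once exceeded."""
    if count > maximum:
        return "teardown"
    if count * 100 >= maximum * threshold_pct:
        return "warning"
    return "ok"

def apply_inbound_policy(lists, list_name, received, maximum=100, threshold_pct=80):
    """Return the prefixes R1 would accept from R2 and the max-prefix state afterwards."""
    accepted = [p for p in received if prefix_list_permits(lists[list_name], p)]
    return accepted, max_prefix_action(len(accepted), maximum, threshold_pct)

# The post's list plus a constructed looser one to show ge/le handling.
R1_PREFIX_LISTS = parse_prefix_lists([
    "ip prefix-list ALLOW_FROM_R2 seq 5 permit 192.168.1.0/24",
    "ip prefix-list CUSTOMER_BLOCK seq 5 permit 192.168.0.0/16 le 24",
])
```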
Step 4: Security (2026 Edition)
BGP hijacking is real. In 2024, a major CDN got hijacked for 6 hours. Don’t be that guy.
```
! TCP MD5 authentication (old but gold)
router bgp 64500
 neighbor 10.0.12.2 password MySuperSecretKey2026
 ! GTSM (Generalized TTL Security Mechanism)
 ! With hops 1, only accepts BGP packets with TTL >= 255
 neighbor 10.0.12.2 ttl-security hops 1
```
Warning: ttl-security hops 1 and ebgp-multihop are mutually exclusive. Use TTL security for directly connected peers (it’s more secure). Use MD5 for multi-hop sessions.
FAQ
Q1: Why is my BGP neighbor stuck in Idle?
A: 99% of the time, the neighbor IP is unreachable. Start with ping. Then check if you typed the remote-as correctly. I’ve seen someone put their own AS number instead of the peer’s. That’ll keep it in Idle forever.
Q2: What’s the difference between EBGP and IBGP configuration?
A: EBGP uses directly connected IPs (usually), different AS numbers, TTL=1, and no next-hop-self needed. IBGP uses loopback interfaces, same AS number, needs next-hop-self, and requires full mesh or Route-Reflectors. EBGP is between organizations; IBGP is within.
Q3: Local Preference vs MED — when to use what?
A: Local Preference influences outbound traffic. MED influences inbound traffic. Want traffic to leave through a specific router? Give it a higher Local Pref. Want your peer to prefer a specific entry point? Give it a lower MED. But remember: MED is only comparable between the same AS. Different AS? MED is meaningless.
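The Local Pref vs MED answer is easiest to see in the selection order itself. As an added example (not from the post), this is a cut-down model of the Cisco best-path steps up to the eBGP-over-iBGP tie-breaker; it shows local-pref 150 (what RM_IN_FROM_R2 sets) overriding a shorter AS path, and MED being ignored when the two paths come from different neighbor ASes. The Path class and its fields are assumptions for the model, not a vendor API.

```python
from dataclasses import dataclass

IGP, EGP, INCOMPLETE = 0, 1, 2   # origin codes, lower is better


@dataclass
class Path:
    next_hop: str
    as_path: tuple            # first element is the neighbor AS
    local_pref: int = 100     # higher wins; outbound lever, set by us (RM_IN_FROM_R2)
    med: int = 0              # lower wins; inbound lever, set by the peer
    origin: int = IGP
    weight: int = 0           # Cisco-local, higher wins
    ebgp: bool = True         # eBGP-learned beats iBGP-learned


def neighbor_as(p):
    return p.as_path[0] if p.as_path else None


def is_better(a, b):
    """True if a beats b, following the Cisco selection order far enough for this FAQ."""
    if a.weight != b.weight:
        return a.weight > b.weight
    if a.local_pref != b.local_pref:
        return a.local_pref > b.local_pref
    if len(a.as_path) != len(b.as_path):
        return len(a.as_path) < len(b.as_path)
    if a.origin != b.origin:
        return a.origin < b.origin
    # MED is only compared when both paths come from the same neighbor AS.
    if neighbor_as(a) == neighbor_as(b) and a.med != b.med:
        return a.med < b.med
    if a.ebgp != b.ebgp:
        return a.ebgp
    return False   # later tie-breakers (IGP metric, oldest path, router-id) not modelled


def best_path(paths):
    best = paths[0]
    for p in paths[1:]:
        if is_better(p, best):
            best = p
    return best
```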
Lessons I Learned the Hard Way
- Always write memory after BGP changes — I learned this after a power cycle wiped my config.
- Deploy maximum-prefix before going live — In 2024, a route leak from a misconfigured peer blew up our BGP table. CPU hit 100%. Network went down.
- Default BGP convergence is too slow — Change timers. Add BFD. In 2026, BFD isn’t optional. It’s mandatory.
- Don’t trust default behavior — Cisco sends all connected routes by default. Juniper doesn’t. Know your vendor.
BGP isn’t hard. What’s hard is the stuff your peer will send you. Filter aggressively, secure everything, and you’ll sleep better at night.