Wednesday, November 27, 2013
Tuesday, November 26, 2013
BGP Case Study
Objectives
• Plan, design, and implement the International Travel Agency core network.• Plan, design, and implement the Travel Data Providers network.
• Allow the networks to communicate via BGP.
• Verify that all implementations are operational and functional according to the guidelines.
Requirements
1. Use the addressing scheme shown in the diagram.
2. Configure the ITA network to be in EIGRP AS 65001.
3. Configure the TDP network to be in EIGRP AS 65002.
4. Disable automatic summarization in both EIGRP domains.
5. Configure the ITA network to be in BGP AS 65001, and the TDP network to be in BGP AS 65002.
6. Advertise the 192.168.14.0/30 and 192.168.34.0/30 networks in both EIGRP autonomous systems.
7. Configure the interfaces on the border routers between the two EIGRP autonomous systems, so they do not send EIGRP packets.
8. All routers will be participating in BGP. Configure all routers for a full mesh of IBGP peers in each system.
9. Peer R1 and R2 using loopback addresses, not their directly connected interfaces.
10. Advertise all loopback interfaces into the BGP process, except on R2, where the only loopback advertised should be loopback 2.
11. On R2, create a static summary route for the rest of its loopback interfaces and advertise this static route in BGP.
12. R4 should send a summary route to ITA representing all the R4 loopback interfaces.
13. R4 should prefer the path to ITA networks via the Ethernet link between R1 and R4. Accomplish this by modifying the MED advertised to TDP.
14. Routers in the ITA AS should prefer the path to TDP networks via the Ethernet link between R1 and R4. Accomplish this by modifying the local preference of routes being advertised in from TDP.
Wednesday, November 13, 2013
Using the AS_PATH Attribute
• Use BGP commands to prevent private AS numbers from being advertised to the outside world.
• Use the AS_PATH attribute to filter BGP routes based on their source AS numbers.
Background
The International Travel Agency’s ISP has been assigned an AS number of 300. This provider uses BGP to exchange routing information with several customer networks. Each customer network is assigned an AS number from the private range, such as AS 65000. Configure the ISP router to remove the private AS numbers from the AS Path information of CustRtr. In addition, the ISP would like to prevent its customer networks from receiving route information from International Travel Agency’s AS 100. Use the AS_PATH attribute to implement this policy.
Step 1: Prepare the routers for the lab.
Step 2: Configure the hostname and interface addresses.
Step 3: Configure BGP.
Step 4: Remove the private AS.
a. Display the SanJose routing table using the show ip route command. SanJose should have a route to both 10.2.2.0 and 10.3.3.0. Troubleshoot if necessary.
Ping the 10.3.3.1 address from SanJose.
Q : Why does this fail?
Ans : This fails because SanJose sources the ping with its closest connected interface s0/0/0 with IP address 192.168.1.5. CustRtr does not have a route back to that interface, so the ping replies cannot return to SanJose.
Configure ISP to strip the private AS numbers from BGP routes exchanged with SanJose using the following commands.
Step 5: Use the AS_PATH attribute to filter routes.
As a final configuration, use the AS_PATH attribute to filter routes based on their origin. In a complex environment, you can use this attribute to enforce routing policy. In this case, the provider router, ISP, must be configured so that it does not propagate routes that originate from AS 100 to the customer router CustRtr.
AS-path access lists are read like regular access lists. The statements are read sequentially, and there is an implicit deny at the end. Rather than matching an address in each statement like a conventional access list, AS path access lists match on something called a regular expression. Regular expressions are a way of matching text patterns and have many uses. In this case, you will be using them in the AS path access list to match text patterns in AS paths.
For more details on configuring regular expressions on Cisco routers, see:
http://www.cisco.com/en/US/docs/ios/12_2/termserv/configuration/guide/tcfaapre_ps1835_TSD_Products_Configuration_Guide_Chapter.html
Final Device Config :
=========================================================================
SanJose#sh running-config
Building configuration...
Current configuration : 1167 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SanJose
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip subnet-zero
no ip icmp rate-limit unreachable
ip cef
ip tcp synwait-time 5
!
no ip domain lookup
!
interface Loopback0
ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0
ip address 192.168.1.5 255.255.255.252
clock rate 128000
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
clock rate 2000000
!
router bgp 100
no synchronization
bgp log-neighbor-changes
network 10.1.1.0 mask 255.255.255.0
neighbor 192.168.1.6 remote-as 300
no auto-summary
!
ip classless
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
=========================================================================
CustRtr#sh running-config
Building configuration...
Current configuration : 1170 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CustRtr
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip subnet-zero
no ip icmp rate-limit unreachable
ip cef
ip tcp synwait-time 5
!
no ip domain lookup
!!
interface Loopback0
ip address 10.3.3.1 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0
ip address 172.24.1.18 255.255.255.252
clock rate 2000000
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
clock rate 2000000
!
router bgp 65000
no synchronization
bgp log-neighbor-changes
network 10.3.3.0 mask 255.255.255.0
neighbor 172.24.1.17 remote-as 300
no auto-summary
!
ip classless
!
no ip http server
no ip http secure-server
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
=========================================================================
ISP#sh running-config
Building configuration...
Current configuration : 1461 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ISP
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip subnet-zero
no ip icmp rate-limit unreachable
ip cef
ip tcp synwait-time 5
!
no ip domain lookup
!
interface Loopback0
ip address 10.2.2.1 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0
ip address 192.168.1.6 255.255.255.252
clock rate 2000000
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/1
ip address 172.24.1.17 255.255.255.252
clock rate 128000
!
interface Serial0/2
no ip address
shutdown
clock rate 2000000
!
interface Serial0/3
no ip address
shutdown
clock rate 2000000
!
router bgp 300
no synchronization
bgp log-neighbor-changes
network 10.2.2.0 mask 255.255.255.0
neighbor 172.24.1.18 remote-as 65000
neighbor 192.168.1.5 remote-as 100
neighbor 192.168.1.5 remove-private-as
no auto-summary
!
ip classless
!
ip as-path access-list 1 deny ^100$
ip as-path access-list 1 permit .*
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
=========================================================================
Tuesday, November 12, 2013
Configuring BGP with Default Routing
Objectives
• Configure BGP to exchange routing information with two ISPs.
Step 1: Prepare the routers for the lab.
Step 2: Configure the hostname and interface addresses.
Step 3: Configure BGP on the ISP routers
Step 4: Configure BGP on the ITA boundary router.
Step 5: Verify BGP on the routers.
Q : What is the local router ID?
Ans : The local router ID is 192.168.1.1.
Q : Which table version is displayed?
Ans : The table version displayed is 5.
An asterisk (*) next to a route indicates that it is valid. An angle bracket (>) indicates that the route has been selected as the best route.
Q : From ISP1, what is the path to network 172.16.1.0/24?
Ans : The path is through AS 100 (ITA) and AS 300 (ISP2).
Q: Which table version is displayed? Why?
Ans : The table version displayed is an increment of the last one, which is 6 in the example. The shutdown command causes a routing table update, so the version should be one higher than the last.
Q : What happened to the route for network 10.1.1.0/24?
Ans : It is no longer in the BGP table because interface Lo0 on ISP1 is down.
Q : Based on the output of this command, what is the BGP state between this router and ISP2?
Ans : The BGP state is established.
Q : How long has this connection been up?
Ans : The connection has been up for 00:16:00.
Step 6: Configure route filters.
If ITA advertises a route belonging to ISP1, ISP2 installs that route in its table. ISP2 might then attempt to route transit traffic through the ITA. Configure the ITA router so that it advertises only ITA networks 192.168.0.0 and 192.168.1.0 to both providers.
Note: The clear ip bgp * command is disruptive because it completely resets all BGP adjacencies. This is acceptable in a lab environment but could be problematic in a production network. Instead, if only a change of inbound/outbound routing policies is to be performed, it is sufficient to issue the clear ip bgp * in or clear ip bgp * out commands. These commands perform only a new BGP database synchronization without the disruptive effects of a complete BGP adjacency reset. All current Cisco IOS versions support the route refresh capability that replaces the inbound soft reconfiguration feature that previously had to be configured on a per-neighbor basis.
Step 7: Configure primary and backup routes using floating static routes.
With bidirectional communication established with each ISP via BGP, configure the primary and backup routes. This can be done with floating static routes or BGP.
Step 8: Configure primary and backup routes using a default network and a static route.
Another method for configuring primary and backup routes is to use the ip default-network command instead of a 0.0.0.0/0 route.
Q : Should ISP1 and ISP2 be able to ping all networks in the topology?'
Ans : No. Router ITA has been configured with route filters and does not advertise the ISP1 networks to ISP2 and vice versa. The ITA router advertises only ITA networks 192.168.0.0 and 192.168.1.0 to both providers. Pings from ISP1 to any of the ISP2 172.16.x.x networks will fail. Pings from ISP2 to any of the ISP1 10.x.x.x networks will fail.
Note: Another option for setting up default routing is to inject a default route via BGP. The following example configures the ISP1 router to inject a default route to itself that can be used by the ITA router:
Run the following Tcl script on router ITA to verify connectivity.
ITA# tclsh
foreach address {
10.0.0.1
10.0.0.2
10.1.1.1
172.16.0.1
172.16.0.2
172.16.1.1
192.168.0.1
192.168.1.1
192.168.100.1
} {
ping $address }
Final Device Config :
ISP1#sh running-config
Building configuration...
Current configuration : 1272 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ISP1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip subnet-zero
ip cef
!
no ip domain lookup
ip domain name lab.local
!
!
interface Loopback0
description ISP1 Internet Network
ip address 10.1.1.1 255.255.255.0
!
interface Loopback1
ip address 192.168.100.1 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0
description ISP1 -> ITA
ip address 10.0.0.1 255.255.255.252
clock rate 128000
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
clock rate 2000000
!
router bgp 200
no synchronization
bgp log-neighbor-changes
network 10.1.1.0 mask 255.255.255.0
network 192.168.100.0
neighbor 10.0.0.2 remote-as 100
no auto-summary
!
ip classless
!
no ip http server
no ip http secure-server
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
=======================================================
ISP2#sh running-config
Building configuration...
Current configuration : 1196 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ISP2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip subnet-zero
ip cef
!
no ip domain lookup
ip domain name lab.local
!
interface Loopback0
description ISP2 Internet Network
ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0
description ISP2 -> ITA
ip address 172.16.0.1 255.255.255.252
clock rate 2000000
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
clock rate 2000000
!
router bgp 300
no synchronization
bgp log-neighbor-changes
network 172.16.1.0 mask 255.255.255.0
neighbor 172.16.0.2 remote-as 100
no auto-summary
!
ip classless
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
========================================================
ITA#sh running-config
Building configuration...
Current configuration : 1573 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ITA
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip subnet-zero
ip cef
!
no ip domain lookup
ip domain name lab.local
!
interface Loopback0
description Core router network link 1
ip address 192.168.0.1 255.255.255.0
!
interface Loopback1
description Core router network link 2
ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0
description ITA -> ISP1
ip address 10.0.0.2 255.255.255.252
clock rate 2000000
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/1
description ITA -> ISP2
ip address 172.16.0.2 255.255.255.252
clock rate 128000
!
router bgp 100
no synchronization
bgp log-neighbor-changes
network 192.168.0.0
network 192.168.1.0
neighbor 10.0.0.1 remote-as 200
neighbor 10.0.0.1 distribute-list 1 out
neighbor 172.16.0.1 remote-as 300
neighbor 172.16.0.1 distribute-list 1 out
no auto-summary
!
ip classless
ip default-network 192.168.100.0
ip route 0.0.0.0 0.0.0.0 172.16.0.1 220
!
no ip http server
no ip http secure-server
!
access-list 1 permit 192.168.0.0 0.0.1.255
control-plane
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
end
=========================================================
Subscribe to:
Posts (Atom)