Wednesday, November 13, 2013

Using the AS_PATH Attribute

Objectives


• Use BGP commands to prevent private AS numbers from being advertised to the outside world.
• Use the AS_PATH attribute to filter BGP routes based on their source AS numbers.


Background

The International Travel Agency’s ISP has been assigned an AS number of 300. This provider uses BGP to exchange routing information with several customer networks. Each customer network is assigned an AS number from the private range, such as AS 65000. Configure the ISP router to remove the private AS numbers from the AS Path information of CustRtr. In addition, the ISP would like to prevent its customer networks from receiving route information from International Travel Agency’s AS 100. Use the AS_PATH attribute to implement this policy.

Step 1: Prepare the routers for the lab.

Step 2: Configure the hostname and interface addresses.

Step 3: Configure BGP.

Step 4: Remove the private AS.

a. Display the SanJose routing table using the show ip route command. SanJose should have a route to both 10.2.2.0 and 10.3.3.0. Troubleshoot if necessary.

Ping the 10.3.3.1 address from SanJose.
Q: Why does this fail?

Ans: This fails because SanJose sources the ping with its closest connected interface s0/0/0 with IP address 192.168.1.5. CustRtr does not have a route back to that interface, so the ping replies cannot return to SanJose.

Configure ISP to strip the private AS numbers from BGP routes exchanged with SanJose. The command used for this is the neighbor 192.168.1.5 remove-private-as line under router bgp 300 in the final ISP configuration below.

Step 5: Use the AS_PATH attribute to filter routes.
As a final configuration, use the AS_PATH attribute to filter routes based on their origin. In a complex environment, you can use this attribute to enforce routing policy. In this case, the provider router, ISP, must be configured so that it does not propagate routes that originate from AS 100 to the customer router CustRtr.
AS-path access lists are read like regular access lists. The statements are read sequentially, and there is an implicit deny at the end. Rather than matching an address in each statement like a conventional access list, AS path access lists match on something called a regular expression. Regular expressions are a way of matching text patterns and have many uses. In this case, you will be using them in the AS path access list to match text patterns in AS paths.

For more details on configuring regular expressions on Cisco routers, see:

http://www.cisco.com/en/US/docs/ios/12_2/termserv/configuration/guide/tcfaapre_ps1835_TSD_Products_Configuration_Guide_Chapter.html
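To make the two mechanisms of this lab concrete, here is an added Python model (not Cisco code and not part of the original lab) of how IOS evaluates an AS-path access-list (sequential, first match wins, implicit deny) and how remove-private-as changes the path a neighbour receives. It uses the lab's AS numbers and the ISP's own list 1; the path "100 400" and the `_100_` variant are constructed to show that `^100$` only blocks routes whose entire path is AS 100.

```python
import re

# Model of the two IOS BGP mechanisms used in this lab: "neighbor ... remove-private-as"
# and "ip as-path access-list". Added example; simplified, not Cisco's implementation.

PRIVATE_AS = range(64512, 65535)          # 16-bit private ASNs, e.g. the lab's AS 65000

def remove_private_as(as_path):
    """Classic IOS behaviour: strip private ASNs only when the whole path is private.
    A mixed public/private path is left untouched (the newer 'all' keyword is not modelled)."""
    if as_path and all(asn in PRIVATE_AS for asn in as_path):
        return []
    return list(as_path)

def ios_regex(pattern):
    """Translate the IOS '_' metacharacter (start, end, space, comma, brace) to Python re."""
    return pattern.replace("_", r"(?:^|$|[ ,{}])")

def as_path_acl(entries, as_path):
    """Evaluate an AS-path access-list like IOS does: entries in order, first match wins,
    implicit deny when nothing matches. entries = [("deny"|"permit", regex), ...]."""
    text = " ".join(str(asn) for asn in as_path)   # AS_PATH as shown by 'show ip bgp'
    for action, pattern in entries:
        if re.search(ios_regex(pattern), text):
            return action == "permit"
    return False

def advertise(local_as, as_path, filter_entries=None, strip_private=False):
    """AS_PATH an eBGP neighbour would receive after outbound policy on this router.
    Returns None when the route is blocked by the filter list."""
    if filter_entries is not None and not as_path_acl(filter_entries, as_path):
        return None
    path = remove_private_as(as_path) if strip_private else list(as_path)
    return [local_as] + path          # the local AS is prepended last, as in eBGP

# The list from the ISP configuration on this page.
ISP_ACL = [("deny", "^100$"), ("permit", ".*")]
# Broader variant: deny anything that passed through AS 100, not only paths equal to "100".
TRANSIT_100_ACL = [("deny", "_100_"), ("permit", ".*")]

if __name__ == "__main__":
    # 10.3.3.0/24 learned from CustRtr (path "65000") as seen by SanJose
    print(advertise(300, [65000], strip_private=True))                   # [300]
    # 10.1.1.0/24 from SanJose (path "100") is not propagated to CustRtr
    print(advertise(300, [100], filter_entries=ISP_ACL))                 # None
    # A route SanJose merely transits (constructed path "100 400") slips through ^100$ ...
    print(advertise(300, [100, 400], filter_entries=ISP_ACL))            # [300, 100, 400]
    # ... but not through _100_
    print(advertise(300, [100, 400], filter_entries=TRANSIT_100_ACL))    # None
```

On a real IOS router the access-list only takes effect once it is bound to the customer neighbour with neighbor <ip> filter-list 1 out; the ISP running-config below defines list 1 but shows no such binding, so check with show ip bgp neighbors that the policy is actually applied.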

Final Device Config:

=========================================================================
SanJose#sh running-config
Building configuration...

Current configuration : 1167 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SanJose
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip subnet-zero
no ip icmp rate-limit unreachable
ip cef
ip tcp synwait-time 5
!        
no ip domain lookup
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 192.168.1.5 255.255.255.252
 clock rate 128000
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
!
router bgp 100
 no synchronization
 bgp log-neighbor-changes
 network 10.1.1.0 mask 255.255.255.0
 neighbor 192.168.1.6 remote-as 300
 no auto-summary
!
ip classless
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end

=========================================================================
CustRtr#sh running-config
Building configuration...

Current configuration : 1170 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CustRtr
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip subnet-zero
no ip icmp rate-limit unreachable
ip cef
ip tcp synwait-time 5
!        
no ip domain lookup
!!
interface Loopback0
 ip address 10.3.3.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 172.24.1.18 255.255.255.252
 clock rate 2000000
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
!        
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 network 10.3.3.0 mask 255.255.255.0
 neighbor 172.24.1.17 remote-as 300
 no auto-summary
!
ip classless
!
no ip http server
no ip http secure-server
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end
=========================================================================

ISP#sh running-config
Building configuration...

Current configuration : 1461 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ISP
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip subnet-zero
no ip icmp rate-limit unreachable
ip cef
ip tcp synwait-time 5
!       
no ip domain lookup
!
interface Loopback0
 ip address 10.2.2.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 192.168.1.6 255.255.255.252
 clock rate 2000000
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 ip address 172.24.1.17 255.255.255.252
 clock rate 128000
!
interface Serial0/2
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/3
 no ip address
 shutdown
 clock rate 2000000
!
router bgp 300
 no synchronization
 bgp log-neighbor-changes
 network 10.2.2.0 mask 255.255.255.0
 neighbor 172.24.1.18 remote-as 65000
 neighbor 192.168.1.5 remote-as 100
 neighbor 192.168.1.5 remove-private-as
 no auto-summary
!
ip classless
!
ip as-path access-list 1 deny ^100$
ip as-path access-list 1 permit .*
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end
=========================================================================
