Thursday, December 6, 2012

Cisco BGP Dynamic Neighbor


After an IPv4 subnet range is configured for an iBGP peer group and a TCP session is initiated by another router whose address lies in that range, a new BGP neighbor is dynamically created as a member of that group. Because the group is configured with transport connection-mode passive, the hub never opens the session itself; the spokes must connect to it, and the listen limit caps how many dynamic neighbors can exist at once.

Here is the example:

router bgp 1
 bgp listen range 10.1.1.0/24 peer-group SPOKES
 bgp listen limit 1000
 neighbor SPOKES peer-group
 neighbor SPOKES remote-as 1
 neighbor SPOKES transport connection-mode passive
 neighbor SPOKES route-reflector-client



HUB#show ip bgp sum

Neighbor    V      AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
*10.1.1.3    4        1   70069   70100      160    0    0 5w0d            3
*10.1.1.4    4        1   80416   80459      160    0    0 5w1d            3
* Dynamically created based on a listen range command
Dynamically created neighbors: 2 Subnet ranges: 1
BGP peergroup DMVPN listen range group members:
  10.1.1.0/24
Total dynamically created neighbors: 2/(1000 max), Subnet ranges: 1

Sunday, September 16, 2012

BGP Authentication

BGP authentication configuration example

BGP authentication is provided by the TCP MD5 Signature Option (TCP option kind 19, RFC 2385): every segment of the BGP session carries an MD5 digest computed over the segment and a shared password, and a segment whose digest does not verify is discarded.

We will use Cisco IOS routers in this example. Here is the basic BGP authentication configuration:

on R1:

router bgp 100
neighbor 10.10.10.2 remote-as 200
neighbor 10.10.10.2 password PASSWORD1

on R2:

router bgp 200
neighbor 10.10.10.1 remote-as 100
neighbor 10.10.10.1 password PASSWORD1

R2#show ip bgp neighbors 10.10.10.1 | include BGP state|Flags
BGP state = Established, up for 00:01:38
Flags: active open, nagle, md5

We will change the BGP password at one of the routers for testing:

R2(config)#router bgp 200
R2(config-router)#neighbor 10.10.10.1 password PASSWORD2
R2(config-router)#end
R2#clear ip bgp *
%BGP-5-ADJCHANGE: neighbor 10.10.10.1 Down User reset
%TCP-6-BADAUTH: Invalid MD5 digest from 10.10.10.1(179) to 192.10.1.2(19999)

This confirms that the passwords must match on both ends: with a mismatch, every segment from the peer fails the MD5 check and the session cannot be re-established.
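To make the BADAUTH message above concrete, here is an added example (not from the post) that computes the RFC 2385 digest the way the receiving TCP stack does and checks it against the option carried in the segment. The addresses and ports follow the post; sequence numbers, window and the KEEPALIVE payload are constructed.

```python
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
MD5_OPTION_KIND = 19          # TCP MD5 Signature Option (RFC 2385)
MD5_OPTION_LEN = 18           # kind + length + 16-byte digest


def tcp_md5_digest(src_ip, dst_ip, src_port, dst_port, seq, ack, data_offset_words,
                   flags, window, urgent, payload, password):
    """RFC 2385 digest over: the IPv4 pseudo-header, the 20-byte TCP header with
    the checksum forced to zero (options excluded, data offset kept), the
    segment payload, and finally the shared password."""
    segment_len = data_offset_words * 4 + len(payload)   # header incl. options + data
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, segment_len))
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                          data_offset_words << 4, flags, window, 0, urgent)
    return hashlib.md5(pseudo + tcp_hdr + payload + password.encode()).digest()


def build_md5_option(digest):
    """Encode the digest as it travels in the TCP options field."""
    return bytes([MD5_OPTION_KIND, MD5_OPTION_LEN]) + digest


def verify_md5_option(option, expected_digest):
    """Receiver-side check; a mismatch is what IOS logs as %TCP-6-BADAUTH."""
    if len(option) != MD5_OPTION_LEN or option[0] != MD5_OPTION_KIND:
        return False
    return hmac.compare_digest(option[2:], expected_digest)


# Constructed sample: a BGP KEEPALIVE (16-byte marker, length 19, type 4) sent
# from R1 (10.10.10.1:179) to R2 (10.10.10.2:19999). Sequence numbers are made up;
# data offset 10 words = 20-byte header + 18-byte option + 2 bytes of padding.
SEGMENT = dict(src_ip="10.10.10.1", dst_ip="10.10.10.2", src_port=179, dst_port=19999,
               seq=0x1000, ack=0x2000, data_offset_words=10, flags=0x18,
               window=16384, urgent=0, payload=b"\xff" * 16 + b"\x00\x13\x04")


def session_authenticates(sender_password, receiver_password, segment=SEGMENT):
    """True only when both ends share the password (the PASSWORD1/PASSWORD2 test above)."""
    option = build_md5_option(tcp_md5_digest(password=sender_password, **segment))
    return verify_md5_option(option, tcp_md5_digest(password=receiver_password, **segment))
```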

Thursday, September 6, 2012

BGP Conditional default-route advertisement


Conditional default-route advertisement is done by associating a route-map with the "neighbor default-originate" statement. The default route is advertised only while the route-map matches a prefix that is present in the routing table. If that prefix leaves the routing table, the default route is withdrawn from the neighbor.

The route-map can match the IP prefix using either an access-list or a prefix-list.

Here is the example:

We will send the default route only while the 10.1.10.0/24 network is in the routing table:

ip prefix-list test seq 5 permit 10.1.10.0/24

route-map test permit 10
 match ip address prefix-list test


router bgp 1
 no synchronization
 bgp log-neighbor-changes
 bgp redistribute-internal
 timers bgp 10 30
 neighbor 10.10.10.6 remote-as 1
 neighbor 10.10.10.6 default-originate route-map test
 no auto-summary

R1#sh run int f0/0.10
Building configuration...

Current configuration : 112 bytes
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.1.10.1 255.255.255.0
 end

R1#debug ip bgp update (to see updates)
BGP updates debugging is on for address family: IPv4 Unicast

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#int f0/0.10
R1(config-subif)#shut
R1(config-subif)#
*Mar  1 00:28:52.063: BGP(0): 10.10.10.6 send unreachable 0.0.0.0/0
*Mar  1 00:28:52.063: BGP(0): 10.10.10.6 enqueued default-originate update
R1(config-subif)#no shut
R1(config-subif)#
*Mar  1 00:29:00.031: BGP(0): 10.10.10.6 enqueued default-originate update

BGP Timers


BGP peers send keepalive messages (default interval 60 seconds) to inform each other that they are still available.

Each peer advertises its hold-time interval (default 180 seconds) in the OPEN message when the BGP session is established.

Peers may advertise different hold-time intervals; the lower of the two values is used.

We can change the keepalive and hold-time intervals in BGP configuration mode using the command timers bgp <keepalive> <holdtime>

or per neighbor:

neighbor <ip> timers <keepalive> <holdtime>


Here is the example:

First router (R6):

router bgp 1
 no synchronization
 bgp log-neighbor-changes
 timers bgp 10 30
 neighbor 10.10.10.1 remote-as 1
 neighbor 10.10.10.1 timers 15 45

R6#show ip bgp nei 10.10.10.1
BGP neighbor is 10.10.10.1,  remote AS 1, internal link
  BGP version 4, remote router ID 192.168.1.1
  BGP state = Established, up for 00:03:41
  Last read 00:00:00, last write 00:00:00, hold time is 30, keepalive interval is 10 seconds
  Configured hold time is 45,keepalive interval is 15 seconds  Minimum holdtime

Second router (R1):

router bgp 1
 no synchronization
 bgp log-neighbor-changes
 timers bgp 10 30
 neighbor 10.10.10.6 remote-as 1
 no auto-summary

R1#show ip bgp neighbor
BGP neighbor is 10.10.10.6,  remote AS 1, internal link
  BGP version 4, remote router ID 192.168.2.6
  BGP state = Established, up for 00:04:36
  Last read 00:00:05, last write 00:00:05, hold time is 30, keepalive interval is 10 seconds
  Configured hold time is 30,keepalive interval is 10 seconds, Minimum holdtime
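The two "show ip bgp neighbor" outputs above can be reproduced from the negotiation rules. This is an added example, not part of the post; the keepalive rule (smaller of the configured keepalive and one third of the negotiated hold time) and the min-holdtime handling are the Cisco IOS behaviour assumed here, the hold-time rules come from RFC 4271.

```python
def negotiate_bgp_timers(local_keepalive, local_hold, remote_hold, min_hold=0):
    """Return the (hold_time, keepalive) a router runs after the OPEN exchange.

    RFC 4271: an advertised hold time must be 0 or at least 3 seconds, the
    session uses the smaller of the two advertised values, and 0 means no
    keepalives and no hold timer at all. Assumed IOS behaviour: keepalives run
    at the smaller of the configured keepalive and one third of the negotiated
    hold time, and a neighbor offering less than `min_hold` (the optional third
    argument of `timers bgp`) is rejected instead of negotiated down.
    """
    for side, value in (("local", local_hold), ("remote", remote_hold)):
        if value != 0 and value < 3:
            raise ValueError(f"{side} hold time {value}s is invalid (must be 0 or >= 3)")
    if remote_hold != 0 and remote_hold < min_hold:
        raise ValueError(f"remote hold time {remote_hold}s is below the minimum {min_hold}s")
    hold = min(local_hold, remote_hold)
    if hold == 0:
        return 0, 0                      # keepalives disabled on this session
    return hold, min(local_keepalive, hold // 3)


def timers_from_post():
    """Both routers of the example above: R6 applies its per-neighbor 15/45,
    R1 its global 10/30; each sees the hold time the other advertised."""
    return {"R6": negotiate_bgp_timers(15, 45, remote_hold=30),
            "R1": negotiate_bgp_timers(10, 30, remote_hold=45)}
```

Both sides end up with hold time 30 and keepalive 10, exactly as the outputs show, even though R6 configured 15/45.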

Thursday, July 12, 2012

BGP Advertise-map

In this example we have two routers: R1 and R2.

R1 advertises a default route with AS-path prepending and a metric of 10 only if it does not have the 3.3.3.3/32 prefix in its BGP table. Here is the configuration:

interface Loopback0
 ip address 10.1.2.1 255.255.255.0 secondary
 ip address 10.1.3.1 255.255.255.0 secondary
 ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 !
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 network 0.0.0.0
 network 3.3.3.3 mask 255.255.255.255
 network 10.0.0.0
 network 10.1.1.0 mask 255.255.255.0
 network 10.1.2.0 mask 255.255.255.0
 network 10.1.3.0 mask 255.255.255.0
 neighbor 1.1.1.2 remote-as 2
 neighbor 1.1.1.2 advertise-map AD non-exist-map NONEXIST
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Null0
ip route 3.3.3.3 255.255.255.255 Null0
!       
ip prefix-list default seq 5 permit 0.0.0.0/0
!
ip prefix-list exist seq 5 permit 3.3.3.3/32
!
route-map AD permit 10
 match ip address prefix-list default
 set metric 10
 set as-path prepend 1 1 1
!
route-map NONEXIST permit 10
 match ip address prefix-list exist



Verifying:

With this configuration R2 does not have the default route; it has only these routes:

R2#sh ip bgp
BGP table version is 21, local router ID is 1.1.1.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 3.3.3.3/32       1.1.1.1                  0             0 1 i
*> 10.1.1.0/24      1.1.1.1                  0             0 1 i
*> 10.1.2.0/24      1.1.1.1                  0             0 1 i
*> 10.1.3.0/24      1.1.1.1                  0             0 1 i

Let's remove the 3.3.3.3/32 route and turn on "debug ip bgp" on R1:

R1#debug ip bgp  
BGP debugging is on for address family: IPv4 Unicast
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#no ip route 3.3.3.3 255.255.255.255 null0
R1(config)#
*Mar  1 02:08:38.747: BGP(0): route 3.3.3.3/32 down
*Mar  1 02:08:38.751: BGP(0): no valid path for 3.3.3.3/32
*Mar  1 02:08:38.751: BGP(0): nettable_walker 3.3.3.3/32 no best path
*Mar  1 02:08:38.755: BGP(0): 1.1.1.2 send unreachable 3.3.3.3/32
*Mar  1 02:08:38.755: BGP(0): 1.1.1.2 send UPDATE 3.3.3.3/32 -- unreachable
R1(config)#
*Mar  1 02:08:48.399: BPG(0): Condition exist changes to Advertise
*Mar  1 02:08:48.399: BPG(0): Condition exist changes to Advertise
*Mar  1 02:08:48.403: BGP(0): net 0.0.0.0/0 matches ADV MAP AD bump version to 26
*Mar  1 02:08:48.859: BGP(0): nettable_walker 0.0.0.0/0 route sourced locally
R1(config)#
*Mar  1 02:09:09.227: BGP(0): 1.1.1.2 0.0.0.0/0 matches advertise map AD, state: Advertise
*Mar  1 02:09:09.227: BGP(0): 1.1.1.2 send UPDATE (format) 0.0.0.0/0, next 1.1.1.1, metric 10, path Local

R2's BGP table now contains the default route:

R2#show ip bgp
BGP table version is 23, local router ID is 1.1.1.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 0.0.0.0          1.1.1.1                 10             0 1 1 1 1 i
*> 10.1.1.0/24      1.1.1.1                  0             0 1 i
*> 10.1.2.0/24      1.1.1.1                  0             0 1 i
*> 10.1.3.0/24      1.1.1.1                  0             0 1 i



Friday, April 20, 2012

BGP filtering with Prefix-Lists

In this example we will filter BGP routes using a prefix-list.
Here is the initial configuration of the router:

interface Loopback4
 ip address 4.4.4.4 255.255.255.255
!
interface FastEthernet1/0
 ip address 192.168.45.4 255.255.255.0
 !
router bgp 4
 no synchronization
 bgp log-neighbor-changes
 network 4.4.4.4 mask 255.255.255.255
 neighbor 192.168.45.5 remote-as 5
 no auto-summary

Here is the BGP table:

R4#show ip bgp
BGP table version is 4, local router ID is 192.168.0.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 4.4.4.4/32       0.0.0.0                  0         32768 i
*> 5.5.5.5/32       192.168.45.5             0             0 5 i
*> 55.55.55.0/24    192.168.45.5             0             0 5 i

Let's filter 55.55.55.0/24.
First we create a prefix-list named R5-in:

ip prefix-list R5-in seq 5 deny 55.55.55.0/24
ip prefix-list R5-in seq 10 permit 0.0.0.0/0 le 32

Then, we apply the prefix-list to the BGP configuration:

R4(config)#router bgp 4                                     
R4(config-router)#neighbor 192.168.45.5 prefix-list R5-in in

Now we see that the 55.55.55.0/24 prefix no longer exists in the BGP table:

R4#show ip bgp
BGP table version is 5, local router ID is 192.168.0.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 4.4.4.4/32       0.0.0.0                  0         32768 i
*> 5.5.5.5/32       192.168.45.5             0             0 5 i

BGP filtering with Extended Access-list

In this example we will filter BGP routes using an extended access-list.
Here is the initial configuration of the router:

interface Loopback4
 ip address 4.4.4.4 255.255.255.255
!
interface FastEthernet1/0
 ip address 192.168.45.4 255.255.255.0
 !
router bgp 4
 no synchronization
 bgp log-neighbor-changes
 network 4.4.4.4 mask 255.255.255.255
 neighbor 192.168.45.5 remote-as 5
 no auto-summary

Here is the BGP table:

R4#show ip bgp
BGP table version is 4, local router ID is 192.168.0.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 4.4.4.4/32       0.0.0.0                  0         32768 i
*> 5.5.5.5/32       192.168.45.5             0             0 5 i
*> 55.55.55.0/24    192.168.45.5             0             0 5 i

Let's filter 55.55.55.0/24.
First we create an extended access-list named R5-in.
In this extended access-list we match both the IP prefix (source field) and the subnet mask (destination field); a standard access-list matches only the prefix, not the subnet mask:

ip access-list extended R5-in
 deny   ip host 55.55.55.0 host 255.255.255.0
 permit ip any any

Then we apply the named extended access-list to the BGP configuration using the distribute-list command:

R4(config)#router bgp 4                                    
R4(config-router)#neighbor 192.168.45.5 distribute-list R5-in in

Now we see that the 55.55.55.0/24 network no longer exists in the BGP table:

R4#show ip bgp
BGP table version is 5, local router ID is 192.168.0.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 4.4.4.4/32       0.0.0.0                  0         32768 i
*> 5.5.5.5/32       192.168.45.5             0             0 5 i

R4# show access-lists
Extended IP access list R5-in
    10 deny ip host 55.55.55.0 host 255.255.255.0 (2 matches)
    20 permit ip any any (2 matches)
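Added example for both filtering posts above (the prefix-list one and the extended access-list one), not code from the posts: it evaluates the R5-in prefix-list and the R5-in extended ACL against the prefixes R4 learns from R5, and adds a hypothetical 55.55.55.0/25 to show why matching prefix plus mask matters. Prefix-list ge/le handling goes beyond the post's two entries.

```python
import ipaddress

# Constructed sample: what R4 learns from R5 in the posts above, plus a
# hypothetical 55.55.55.0/25 that a prefix-only filter would wrongly drop.
LEARNED = ["5.5.5.5/32", "55.55.55.0/24", "55.55.55.0/25"]


def prefix_list_permits(entries, prefix):
    """IOS prefix-list: entries (action, network, ge, le) in seq order, first match
    wins, implicit deny. A prefix matches when its first N bits equal the entry's
    and its length lies in [ge, le]; with neither keyword the length must be
    exactly N, and `ge` alone extends the range up to /32."""
    net = ipaddress.ip_network(prefix)
    for action, match, ge, le in entries:
        m = ipaddress.ip_network(match)
        low = ge if ge is not None else m.prefixlen
        high = le if le is not None else (32 if ge is not None else m.prefixlen)
        if (net.prefixlen >= m.prefixlen and low <= net.prefixlen <= high
                and net.supernet(new_prefix=m.prefixlen) == m):
            return action == "permit"
    return False


def _wildcard_match(addr, pattern, wildcard):
    a, p, w = (int(ipaddress.IPv4Address(x)) for x in (addr, pattern, wildcard))
    return (a | w) == (p | w)


def acl_distribute_list_permits(entries, prefix):
    """distribute-list with an ACL: the source field is tested against the prefix,
    the destination field against its subnet mask. Entries are (action, src,
    src_wildcard, dst, dst_wildcard); 'host X' is wildcard 0.0.0.0. A standard
    ACL is an extended one whose destination is 'any', so it never sees the mask."""
    net = ipaddress.ip_network(prefix)
    for action, src, swild, dst, dwild in entries:
        if (_wildcard_match(str(net.network_address), src, swild)
                and _wildcard_match(str(net.netmask), dst, dwild)):
            return action == "permit"
    return False


def surviving(permits, entries, prefixes=LEARNED):
    """Prefixes left in the BGP table after the inbound filter."""
    return [p for p in prefixes if permits(entries, p)]


ANY = ("0.0.0.0", "255.255.255.255")
# ip prefix-list R5-in: seq 5 deny 55.55.55.0/24, seq 10 permit 0.0.0.0/0 le 32
PREFIX_LIST_R5_IN = [("deny", "55.55.55.0/24", None, None), ("permit", "0.0.0.0/0", None, 32)]
# ip access-list extended R5-in: deny ip host 55.55.55.0 host 255.255.255.0 / permit ip any any
EXT_ACL_R5_IN = [("deny", "55.55.55.0", "0.0.0.0", "255.255.255.0", "0.0.0.0"), ("permit", *ANY, *ANY)]
# A standard "deny 55.55.55.0 0.0.0.255" ignores the mask and so drops the /25 as well
STD_ACL_R5_IN = [("deny", "55.55.55.0", "0.0.0.255", *ANY), ("permit", *ANY, *ANY)]
```

Both R5-in filters keep 5.5.5.5/32 and the hypothetical /25 while dropping 55.55.55.0/24; the standard ACL drops the /25 too.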