--- CCIE R&S Advanced Lab ---

--- Session 5 BGP, Multicast ---

Copyright© Network Learning Inc. 2008 2

BGP Topics Covered

BGP Confederation

Order/Preference

Aggregation

Security

Peer Groups

Dampening


BGP

• Know where BGP is located on the DOC CD

• How can BGP be manipulated


BGP Confederations


Remove private AS

• Private AS numbers (64512 to 65534) are used for internal peering, e.g. inside a confederation or towards customers

• The private AS information must be removed before routes are advertised to the Internet: neighbor ip-address remove-private-as on the eBGP neighbor. Classic IOS strips the private ASNs only when the AS_PATH consists of private ASNs exclusively; a path that mixes public and private ASNs is left unchanged, so check the result with show ip bgp neighbors ip-address advertised-routes


BGP Path Selection

1. If the path's next hop is inaccessible (no route to it in the routing table), the path is not considered at all.

2. Prefer the path with the largest weight (Cisco-specific, local to the router, not propagated).

3. If the weights are the same, prefer the path with the largest local preference.

4. If the local preferences are the same, prefer the path that this router originated (network, aggregate-address or redistribute).

5. If no path was locally originated, prefer the path with the shortest AS_PATH.

6. If all paths have the same AS_PATH length, prefer the path with the lowest origin type (IGP is lower than EGP, and EGP is lower than incomplete).

7. If the origin codes are the same, prefer the path with the lowest MED. By default MED is compared only between paths received from the same neighboring AS; bgp always-compare-med compares it across all of them.

8. If the MEDs are the same, prefer the eBGP path over the iBGP path.

9. If the paths are still equal, prefer the path with the lowest IGP metric to the BGP next hop.

10. Prefer the path received from the neighbor with the lowest BGP router ID.
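The ten-step decision process above as an added, runnable example (this is not code from the original slides). It models each candidate path with the attributes the decision uses and sorts them in step order; BgpPath, best_path and deciding_step are names chosen here, the candidate paths are constructed, and MED is compared across all paths, which simplifies step 7 (IOS compares MED only within one neighboring AS unless bgp always-compare-med is set).

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}   # lower is preferred (step 6)


@dataclass
class BgpPath:
    """One candidate path for a prefix, carrying the attributes the decision uses."""
    next_hop: str
    next_hop_reachable: bool = True
    weight: int = 0                  # Cisco-local, never propagated
    local_pref: int = 100
    locally_originated: bool = False
    as_path: Tuple[int, ...] = ()
    origin: str = "igp"
    med: int = 0
    external: bool = True            # True = learned via eBGP, False = iBGP
    igp_metric_to_next_hop: int = 0
    router_id: str = "0.0.0.0"       # BGP router ID of the advertising neighbor


STEPS = ("weight", "local preference", "locally originated", "AS_PATH length",
         "origin", "MED", "eBGP over iBGP", "IGP metric to next hop", "router ID")


def selection_key(p: BgpPath) -> tuple:
    """Sort key in step order: the smallest key is the best path.
    Simplification: MED is compared across all paths regardless of neighboring AS."""
    return (
        -p.weight,                                   # step 2: largest weight
        -p.local_pref,                               # step 3: largest local preference
        0 if p.locally_originated else 1,            # step 4: locally originated first
        len(p.as_path),                              # step 5: shortest AS_PATH
        ORIGIN_RANK[p.origin],                       # step 6: IGP < EGP < incomplete
        p.med,                                       # step 7: lowest MED
        0 if p.external else 1,                      # step 8: eBGP over iBGP
        p.igp_metric_to_next_hop,                    # step 9: closest next hop
        tuple(int(o) for o in p.router_id.split(".")),   # step 10: lowest router ID
    )


def best_path(paths: Iterable[BgpPath]) -> Optional[BgpPath]:
    """Step 1 drops paths with an unreachable next hop; the rest are ranked."""
    usable = [p for p in paths if p.next_hop_reachable]
    return min(usable, key=selection_key) if usable else None


def deciding_step(winner: BgpPath, loser: BgpPath) -> str:
    """Name the first step at which winner beats loser ('tie' if none does)."""
    for name, a, b in zip(STEPS, selection_key(winner), selection_key(loser)):
        if a != b:
            return name
    return "tie"


if __name__ == "__main__":
    # constructed candidates for one prefix
    via_a = BgpPath(next_hop="10.0.0.1", as_path=(65001, 65002), router_id="1.1.1.1")
    via_b = BgpPath(next_hop="10.0.0.2", as_path=(65003,), router_id="2.2.2.2")
    best = best_path([via_a, via_b])
    print(best.next_hop, "wins on", deciding_step(best, via_a))
```

When a path you expect to win loses, deciding_step tells you which attribute decided, which is the same question show ip bgp prefix answers with its "best" marker and the attribute lines.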


Aggregating BGP Networks

• Summarization is called aggregation in BGP

• Aggregation creates summary routes (called aggregates) from networks already in the BGP table

• The individual networks can still be announced or suppressed


Configuring Aggregation

router bgp as-number

aggregate-address address-prefix mask [summary-only] [as-set]

• Specify the aggregation range in the BGP routing process

• The aggregate is announced only if there is at least one network in the specified range in the BGP table

• The individual networks are still announced in outgoing BGP updates unless summary-only is given (or selected ones are hidden with a suppress-map)

• Without as-set the aggregate carries only the local AS in its AS_PATH, so the component ASes lose loop protection for the summary; as-set adds them as an AS_SET


Configuring BGP Communities

BGP communities are configured in the following steps:

• Configure BGP community propagation

• Define BGP community-lists to match BGP communities

• Configure route-maps that match on community-lists and filter routes or set other BGP attributes

• Apply route-maps to incoming or outgoing updates


Community Setting Through Route-Map

route-map name

match condition

set community value [ value … ] [additive]

• Any number of communities can be specified

• The communities given with set community overwrite the existing communities unless the additive option is specified


Attaching Communities to a Route

neighbor ip-address route-map map in | out

router(config-router)#

• Applies a route-map to inbound or outbound BGP updates

• The route-map can set BGP communities or other BGP attributes

redistribute protocol route-map map

router(config-router)#

• Applies a route-map to redistributed routes


Configure Community Propagation

neighbor ip-address send-community

router(config-router)#

• By default, communities are stripped in outgoing BGP updates

• Community propagation to BGP neighbors has to be manually configured


Related Commands

• set community none – removes all communities from the route

• set comm-list delete – removes the communities matched by a community-list (each entry of that list must name a single community)

ip community-list 1 permit 200:100

route-map REM_COM permit 10

 set comm-list 1 delete

• set community ... additive – appends to the existing communities

set community 450 additive

• ip community-list 1 permit 200:10 – matches any route that carries 200:10

• ip community-list 3 permit 200:10 100:10 – matches only routes that carry both communities (the communities on one entry are ANDed); to match either one, use two separate permit entries, because entries are evaluated in order and ORed, with an implicit deny at the end
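The community-list and set command semantics from this slide as an added Python example (not code from the original slides). It shows the AND-within-an-entry / OR-across-entries rule, set community with and without additive, and set comm-list delete; LIST_1, LIST_3, EITHER and route_map_rem_com are constructed here to mirror the slide's commands.

```python
from typing import Iterable, List, Set, Tuple

# ordered (permit|deny, {communities}) entries of one standard community-list
CommunityList = List[Tuple[str, Set[str]]]


def community_list_matches(clist: CommunityList, route_communities: Iterable[str]) -> bool:
    """An entry matches only when the route carries every community named on it
    (AND); entries are tried in order (OR), first match wins, implicit deny."""
    carried = set(route_communities)
    for action, required in clist:
        if required <= carried:
            return action == "permit"
    return False


def set_community(route_communities: Iterable[str], values: Iterable[str],
                  additive: bool = False) -> Set[str]:
    """'set community v1 v2 ... [additive]': replace unless additive."""
    if additive:
        return set(route_communities) | set(values)
    return set(values)


def set_community_none(route_communities: Iterable[str]) -> Set[str]:
    """'set community none'"""
    return set()


def set_comm_list_delete(route_communities: Iterable[str], clist: CommunityList) -> Set[str]:
    """'set comm-list N delete': drop each community that the list permits on its
    own. An entry naming several communities can never be satisfied by a single
    community, which is why IOS wants one community per entry for this use."""
    return {c for c in route_communities if not community_list_matches(clist, {c})}


# constructed lists mirroring the slide's commands
LIST_1 = [("permit", {"200:100"})]                          # ip community-list 1 permit 200:100
LIST_3 = [("permit", {"200:10", "100:10"})]                 # ip community-list 3 permit 200:10 100:10
EITHER = [("permit", {"200:10"}), ("permit", {"100:10"})]   # two entries: either community matches


def route_map_rem_com(route_communities: Iterable[str]) -> Set[str]:
    """route-map REM_COM permit 10 / set comm-list 1 delete, followed by the
    'set community 450 additive' shown on the same slide."""
    stripped = set_comm_list_delete(route_communities, LIST_1)
    return set_community(stripped, {"450"}, additive=True)


if __name__ == "__main__":
    print(community_list_matches(LIST_3, {"200:10"}))          # False: needs both
    print(route_map_rem_com({"200:100", "300:1"}))            # {'300:1', '450'}
```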


AS Path Filtering

Several scenarios require BGP route filtering based on the AS-path:

• Announce only local routes to the ISP - the AS-path must be empty

• Select routes based on a specific AS number in the AS-path

• Accept routes for a specific AS only from some BGP neighbors

AS-path filters use regular expressions


Regular Expressions - Matching Delimiters

^ matches beginning of string

$ matches end of string

_ matches any delimiter (beginning, end, white space, tab, comma)


Regular Expressions - Operators

* matches zero or more instances

? matches zero or one instance (at the IOS prompt type Ctrl-V before ?, otherwise it invokes context help)

+ matches one or more instances

. matches any single character

[ ] matches one of the listed characters or a range of characters


Sample Regular Expressions

_100_        going through AS 100
^100$        directly connected to AS 100 (AS 100 is the only AS in the path)
_100$        originated in AS 100
^100_.*      networks behind AS 100 (learned from directly connected AS 100)
^[0-9]+$     AS paths one AS long
^$           networks originated in the local AS (empty AS path)
.*           matches everything


Configuring BGP AS-path Filters

ip as-path access-list number permit | deny regexp

R1(config)#

• Configures AS-path access list

neighbor ip-address filter-list as-path-filter in | out

R1(config-router)#

• Configures inbound or outbound AS-path filter for specified BGP neighbor
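The sample expressions and the as-path access-list from the two slides above, as an added Python example (not code from the original slides). It translates the IOS "_" delimiter into a Python character class so the expressions can be tested against AS-path strings offline before they go into an ip as-path access-list; SAMPLE_PATHS, ios_regex, as_path_matches, as_path_filter and classify are constructed names.

```python
import re

# IOS treats "_" in an AS-path regex as any delimiter: space, comma, brace,
# parenthesis, or the beginning or end of the AS-path string.
IOS_UNDERSCORE = r"(?:^|$|[ ,{}()])"


def ios_regex(expr: str) -> "re.Pattern[str]":
    """Translate an IOS AS-path regular expression into a Python one."""
    return re.compile(expr.replace("_", IOS_UNDERSCORE))


def as_path_matches(expr: str, as_path: str) -> bool:
    """as_path is the text form shown by 'show ip bgp', e.g. '100 200 300'
    (empty string for a locally originated route)."""
    return ios_regex(expr).search(as_path) is not None


def as_path_filter(entries, as_path: str) -> bool:
    """Evaluate an ip as-path access-list: ordered (action, regex) entries,
    first match wins, implicit deny at the end."""
    for action, expr in entries:
        if as_path_matches(expr, as_path):
            return action == "permit"
    return False


# constructed AS paths as they would appear in the BGP table
SAMPLE_PATHS = ["", "100", "100 300 400", "200 100", "200 100 300", "2100 1001", "65000"]


def classify(expr: str):
    """Which of the sample paths does an expression select?"""
    return [p for p in SAMPLE_PATHS if as_path_matches(expr, p)]


if __name__ == "__main__":
    for expr in ("_100_", "^100$", "_100$", "^100_.*", "^[0-9]+$", "^$", ".*"):
        print(f"{expr:10} -> {classify(expr)}")
    # "announce only local routes": ip as-path access-list 1 permit ^$ applied out
    print(as_path_filter([("permit", "^$")], ""), as_path_filter([("permit", "^$")], "100"))
```

Note that "2100 1001" is not selected by _100_: without the delimiters, a plain 100 would match inside both 2100 and 1001, which is the usual mistake in hand-written AS-path filters.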


Conditional Route Injection

• Used to inject more specific routes into BGP based on the existence of certain routes: the exist-map must match both the aggregate prefix and the route source that advertised it, and the inject-map lists the more specific prefixes to originate (copy-attributes copies the aggregate's attributes onto them)

R1(config)# router bgp 50000
R1(config-router)# bgp inject-map ORIGIN exist-map LEARNED copy-attributes

R1(config)# ip prefix-list ROUTE permit 10.1.1.0/24
R1(config)# ip prefix-list ROUTE_SOURCE permit 10.2.1.1/32
R1(config)# ip prefix-list ORIGINATED_ROUTES permit 10.1.1.0/25

R1(config)# route-map LEARNED permit 10
R1(config-route-map)# match ip address prefix-list ROUTE
R1(config-route-map)# match ip route-source prefix-list ROUTE_SOURCE

R1(config)# route-map ORIGIN permit 10
R1(config-route-map)# set ip address prefix-list ORIGINATED_ROUTES


BGP Authentication

• Authentication is TCP MD5 (RFC 2385): every segment of the BGP session carries an MD5 digest computed over the segment and the shared secret

• Configured on a per-neighbor basis; the password must match on both sides or the session will not come up (IOS logs %TCP-6-BADAUTH for segments with a bad digest)

• It defends against blind TCP RST and session-hijack attacks on port 179, but MD5 is weak by today's standards, so use long keys, rotate them, and still protect the control plane with ACLs and rate limiting; CISCO below is only an example password

R1(config)# router bgp 10
R1(config-router)# neighbor 10.1.1.2 remote-as 10
R1(config-router)# neighbor 10.1.1.2 password CISCO

R2(config)# router bgp 10
R2(config-router)# neighbor 10.1.1.1 remote-as 10
R2(config-router)# neighbor 10.1.1.1 password CISCO


Route Flap Dampening

• Every time an eBGP route flaps it gets 1000 penalty points (only for eBGP)

• The penalty placed on a route is decayed using the exponential decay algorithm

• When the penalty exceeds “suppress limit”, the route is dampened (no longer used or propagated to other neighbors)

• A dampened route is propagated when the penalty points drops below “reuse limit”


Configuring BGP Route Flap Dampening

bgp dampening [half-time reuse-limit suppress-limit max-suppress] [route-map route-map]

R1(config-router)#

Parameter meaning:

Half-time Exponential decay half-time (time in which the penalty is halved)

Suppress-limit Penalty value where the route is starting to be dampened

Reuse-limit Penalty value where the dampened route is reused

Max-suppress Maximum suppression time

Route-map controls where BGP route dampening is enabled


Default BGP Dampening Parameter Values

The following default dampening parameter values are used if you don’t specify them:

• half-time 15 minutes

• per-flap penalty 1,000 (non-configurable)

• suppress limit 2,000

• reuse limit 750

• max-suppress-time 60 minutes
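The dampening mechanics of the last three slides as an added Python simulation (not code from the original slides): the 1000-point penalty per flap, exponential decay with the half-life, suppression at the suppress limit, reuse below the reuse limit, and the penalty ceiling that max-suppress-time implies. The Dampener class and its method names are constructed here; times are in minutes, as on the CLI.

```python
import math

PENALTY_PER_FLAP = 1000   # fixed in IOS, not configurable


class Dampener:
    """Dampening state of one eBGP prefix."""

    def __init__(self, half_life=15, reuse_limit=750, suppress_limit=2000, max_suppress=60):
        self.half_life = half_life
        self.reuse_limit = reuse_limit
        self.suppress_limit = suppress_limit
        # The penalty is capped at the value that takes exactly max_suppress
        # minutes to decay to reuse_limit, so a route is never suppressed longer.
        self.ceiling = reuse_limit * 2 ** (max_suppress / half_life)
        self.penalty = 0.0
        self.last_update = 0.0
        self.suppressed = False

    def _decay_to(self, now):
        """Exponential decay: the penalty halves every half_life minutes."""
        self.penalty *= 0.5 ** ((now - self.last_update) / self.half_life)
        self.last_update = now
        if self.suppressed and self.penalty < self.reuse_limit:
            self.suppressed = False        # route is reused and advertised again

    def flap(self, now):
        """Record one flap (withdrawal or attribute change) at time now."""
        self._decay_to(now)
        self.penalty = min(self.penalty + PENALTY_PER_FLAP, self.ceiling)
        if self.penalty >= self.suppress_limit:
            self.suppressed = True
        return self.penalty

    def usable(self, now):
        """Is the route used and propagated at time now?"""
        self._decay_to(now)
        return not self.suppressed

    def minutes_until_reuse(self, now):
        """How long until the penalty decays below reuse_limit (0 if not suppressed)."""
        self._decay_to(now)
        if not self.suppressed:
            return 0.0
        return self.half_life * math.log2(self.penalty / self.reuse_limit)


if __name__ == "__main__":
    d = Dampener()                       # the IOS defaults from the slide above
    for t in (0, 1, 2):                  # three flaps a minute apart
        print(f"t={t:2} penalty={d.flap(t):7.1f} suppressed={d.suppressed}")
    print("reuse in", round(d.minutes_until_reuse(2), 1), "minutes; ceiling", d.ceiling)
```

With the defaults, two flaps do not suppress (the second lands at about 1955 points), the third does, and the ceiling of 750 * 2^(60/15) = 12000 is why a route that flaps continuously still comes back within 60 minutes of its last flap.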


Limiting the Number of Routes Received from a Neighbor

Problem definition:

• A misconfigured BGP neighbor can send a huge number of prefixes that exhaust router’s memory or overload the CPU

• All other filtering mechanisms only specify what we’re willing to accept but not how much

• Need to control the number of prefixes received from a neighbor


Maximum-Prefix Command

neighbor ip-address maximum-prefix maximum [threshold] [restart minutes] [warning-only]

R1(config-router)#

• Controls how many prefixes can be accepted from a neighbor

• The optional threshold parameter is the percentage of the maximum at which a warning message is logged (default is 75%)

• The optional warning-only keyword only logs when the maximum is exceeded; the default action is to tear the session down, and the neighbor then stays Idle (PfxCt) until it is cleared manually with clear ip bgp, unless restart minutes is configured to bring it back automatically

--- CCIE R&S Advanced Lab ---

--- Session 5 continued, Multicast ---


Multicast

Address

RPF

Dense / Sparse mode

Source / shared tree

Static RP

Auto-RP

BSR

B-M-B

MSDP / Anycast


Multicast Address Range


Reverse Path Forwarding


RPF Calculation


RPF with two paths


Multicast Distribution Trees

Dense mode uses source (shortest-path) trees and push technology: traffic is flooded everywhere and pruned back where nobody wants it


Shared Distribution Tree

Sparse mode uses shared trees rooted at the RP and pull technology: traffic is forwarded only where receivers have explicitly joined


Characteristics of Distribution Trees


Multicast Tree Creation


PIM Sparse Mode


How does the network know about the RP?


Static RPs


Auto RP

• Cisco proprietary, intended for PIMv1 (also works with PIMv2)

• Candidate RPs (C-RP) announce themselves on 224.0.1.39 (ip pim send-rp-announce)

• The Mapping Agent collects the announcements, picks one RP per group range (highest IP address wins) and sends RP-discovery messages on 224.0.1.40 (ip pim send-rp-discovery)

• Recommended to locate the C-RP and the Mapping Agent on the same router

• The two Auto-RP groups have to be flooded dense mode before any RP is known, so use ip pim sparse-dense-mode on the interfaces, or ip pim sparse-mode together with ip pim autorp listener


Auto-RP configured


BSR Overview

• PIMv2 standard mechanism: candidate RPs unicast their advertisements to the elected bootstrap router, which floods the resulting RP-set hop by hop in bootstrap messages

• ip pim bsr-border on the interfaces at the edge of the PIM domain stops bootstrap messages that might inadvertently cross the border (PIM joins and multicast data are not affected by it)


Configuring BSR

Parameters shown: hash mask length, priority


Anycast – RP Overview


MSDP



Anycast RP


Anycast RP - cont.


Broadcast-Multicast-Broadcast

First-hop router (turns the UDP broadcast from host 126.1.22.1 to 126.1.22.255 into multicast group 239.1.1.1):

interface ethernet 0
 ip pim sparse-mode
 ip multicast helper-map broadcast 239.1.1.1 105
!
access-list 105 permit udp host 126.1.22.1 host 126.1.22.255 eq 4000
ip forward-protocol udp 4000

Last-hop router (turns 239.1.1.1 back into a directed broadcast to 131.1.1.255):

interface serial 0
 ip pim sparse-mode
 ip multicast helper-map 239.1.1.1 131.1.1.255 105
!
interface ethernet 1
 ip directed-broadcast
!
access-list 105 permit udp host 126.1.22.1 any eq 4000
ip forward-protocol udp 4000

ip forward-protocol udp 4000 is required on both routers so that the broadcasts to that port are process-switched and seen by the helper-map. ip directed-broadcast is off by default (it is the classic smurf amplification vector): enable it only on the egress LAN interface and restrict it with an access list (ip directed-broadcast acl-number) so that only the helper-mapped UDP port is translated.
--- CCIE R&S Advanced Lab ---

--- Session 6 QOS, Security ---


QOS

Modular QoS CLI (MQC)

LLQ

CAR – Committed Access Rate

WRED, CBWRED

Marking

Shaping, FRTS

Fragmenting

NBAR – Network Based Application Recognition


MQC Class-maps

class-map [match-all | match-any] Lab (match-all is the default: every match statement must be true; match-any: one is enough)
 match xxx
 match yyy

match ? lists the classification criteria:

• input-interface f0/0

• destination MAC address, source MAC address

• fr-de, fr-dlci

• cos, dscp, ip precedence

• any

• access-group

• protocol (NBAR; further protocols via downloadable PDLMs)

  – requires CEF

  – ip nbar protocol-discovery on an interface shows which protocols NBAR sees there

• packet length min or max


Policy-Map and DSCP

policy-map Test
 class Lab
  set cos | ip dscp | ip precedence ...
  bandwidth xxx

DSCP is a 6-bit field, so there are 64 different code points ("colors") to mark traffic with

mls qos map dscp-mutation map-name 31 to 41 (Catalyst switches: rewrite DSCP 31 to 41 at the ingress boundary)


CBWFQ

• int f0/0
   max-reserved-bandwidth 80 (75% of the interface bandwidth is the default reservable amount)

• Within one policy-map the classes must all use either bandwidth in Kbps or bandwidth percent, not both

• policy-map Voice
   class CONTROL
    bandwidth 10
   class Media
    priority 1000

• Can have 255 classes total

• When a strict priority queue is applied to a class (priority), the configuration is referred to as LLQ; the priority value also acts as a policer under congestion, so priority traffic above it is dropped rather than delaying the other classes


CAR - Committed Access Rate

• Used on edge routers to classify and/or rate-limit traffic

• Can be applied to all traffic or to a subset of the traffic selected by an access list

• Configured on an interface:

rate-limit {input|output} bps normal-burst max-burst conform-action action exceed-action action

rate-limit {input|output} access-group index bps normal-burst max-burst conform-action action exceed-action action

• Recommended normal burst (bytes) = configured rate (bps) * (1 byte / 8 bits) * 1.5 seconds

• Recommended extended burst = 2 * normal burst


CBWFQ Architecture policy


Applying RED


Configuring WRED on an interface

random-detect [precedence precedence min-threshold max-threshold mark-prob-denominator]

minimum threshold (number of packets): below this average queue size nothing is dropped

maximum threshold (number of packets): above this average queue size every packet is dropped (tail drop)

mark probability denominator: the drop probability at the maximum threshold is 1/denominator. For example, with a denominator of 100, one out of every 100 packets is dropped when the average queue size is at the maximum threshold (the IOS default denominator is 10).

When the average queue size is above the minimum threshold, RED starts dropping packets. The drop rate increases linearly as the average queue size increases, until the average queue size reaches the maximum threshold. The average is an exponentially weighted moving average of the instantaneous depth (random-detect exponential-weighting-constant, default 9), so short bursts do not trigger drops.
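The WRED drop curve and queue average described above as an added Python example (not code from the original slides): the piecewise drop probability from the thresholds and the mark probability denominator, the exponentially weighted average that feeds it, and a run over a constructed series of instantaneous queue depths that adds up the expected drops. Function names and the sample series are constructed here.

```python
from typing import Iterable, Tuple


def average_queue(prev_avg: float, current_depth: float, exp_weight: int = 9) -> float:
    """Exponentially weighted moving average as IOS computes it:
    avg = old * (1 - 2^-n) + current * 2^-n, n = exponential weighting constant."""
    w = 2.0 ** -exp_weight
    return prev_avg * (1 - w) + current_depth * w


def wred_drop_probability(avg: float, min_th: float, max_th: float,
                          mark_prob_denominator: int) -> float:
    """Drop probability for one arriving packet given the average queue size."""
    if avg < min_th:
        return 0.0                               # no random drops below the minimum threshold
    if avg > max_th:
        return 1.0                               # tail drop above the maximum threshold
    # linear ramp from 0 at min_th to 1/denominator at max_th
    return (avg - min_th) / (max_th - min_th) / mark_prob_denominator


def expected_drops(depths: Iterable[float], min_th: float, max_th: float,
                   denominator: int, exp_weight: int = 9, avg0: float = 0.0) -> Tuple[float, float]:
    """Feed a series of instantaneous queue depths through the average and sum the
    per-packet drop probabilities; returns (final average, expected drop count)."""
    avg, total = avg0, 0.0
    for d in depths:
        avg = average_queue(avg, d, exp_weight)
        total += wred_drop_probability(avg, min_th, max_th, denominator)
    return avg, total


if __name__ == "__main__":
    # constructed burst: the queue sits at 50 packets for 200 arrivals
    burst = [50] * 200
    # with the default weighting constant (9) the average barely moves in 200 packets
    print(expected_drops(burst, min_th=20, max_th=40, denominator=10))
    # with a weighting constant of 3 the average tracks the burst and tail drop sets in
    print(expected_drops(burst, min_th=20, max_th=40, denominator=10, exp_weight=3))
```

The two runs show why the weighting constant matters: with the default of 9 a 200-packet burst never pushes the average over the minimum threshold and nothing is dropped, while with 3 the average crosses the maximum threshold after about a dozen packets and WRED degenerates into tail drop.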


Traffic Shaping


Shape Peak

Peak rate = CIR * (1 + Be/Bc)

Router(config-pmap-c)# shape {average | peak} cir [bc] [be]

Shape adaptive – reacts to frames received with the BECN bit set to 1:

• in every Tc in which a BECN is received the sending rate is lowered by 25%, down to the configured minimum rate

• after 16 consecutive Tc intervals without a BECN the rate is raised again, by 1/16 per Tc, until the CIR is reached

• FECN-adapt: when a frame arrives with FECN set, the router sends a test frame with the BECN bit set back towards the sender, so the far end can slow down even if the reverse direction carries no user traffic


Frame Relay Traffic Shaping

Tc (time interval) = Bc / CIR; 125 ms is the default and the maximum value, and Bc bits are sent per Tc


Network Based Application Recognition (NBAR)


NBAR Application Support


Packet Description Language Module


NBAR Protocol Discovery

--- CCIE R&S Advanced Lab ---

--- Session 6 continued security ---


Security

Unicast Reverse Path Forwarding (uRPF)

Context Based Access Control (CBAC)


Unicast Reverse Path Forwarding (uRPF)

Unicast Reverse Path Forwarding (uRPF) is a feature originally created to implement Network Ingress Filtering as described in RFC 2827 / BCP 38, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing".


Configuring uRPF

uRPF checks the source address of every received packet against the FIB. In strict mode the packet is dropped unless the best route to its source points back out the interface it arrived on, so packets with spoofed sources are dropped at the first device that applies the check, provided routing is symmetric; it cannot detect spoofing within the address range that is legitimately reachable through that interface. Loose mode only requires that some route to the source exists, which makes it safe where routing is asymmetric but only catches unrouted (bogon) sources. Both modes require CEF.

To enable strict uRPF, use the following commands.

R1(config)# ip cef

R1(config)# interface f0/0

R1(config-if)# ip verify unicast reverse-path

The equivalent current syntax is ip verify unicast source reachable-via rx (strict) or reachable-via any (loose); add allow-default if a default route should count as a route to the source (otherwise it is ignored), and an access list to exempt sources that must not be checked. show ip interface f0/0 shows whether verification is enabled and show ip traffic counts the unicast RPF drops.
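The strict and loose checks described above as an added Python example (not code from the original slides). It does a longest-prefix lookup in a constructed FIB, implements the strict and loose rules and the allow-default behaviour, and returns the packets uRPF would drop; the Router class, its routes and the sample packets are constructed here.

```python
import ipaddress
from typing import List, Optional, Tuple


class Router:
    """Constructed FIB: (prefix, outgoing interface) entries, longest match first."""

    def __init__(self, routes: List[Tuple[str, str]]):
        self.fib = sorted(((ipaddress.ip_network(p), iface) for p, iface in routes),
                          key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, addr: str, allow_default: bool = False) -> Optional[str]:
        """Interface of the best route to addr, or None if there is no usable route."""
        a = ipaddress.ip_address(addr)
        for net, iface in self.fib:
            if net.prefixlen == 0 and not allow_default:
                continue                    # uRPF ignores the default route unless allow-default
            if a in net:
                return iface
        return None

    def urpf_permits(self, src: str, ingress: str, mode: str = "strict",
                     allow_default: bool = False) -> bool:
        """strict: the best route to the source must point back out the ingress interface.
        loose:  any route to the source is enough (catches only unrouted sources)."""
        iface = self.lookup(src, allow_default)
        if iface is None:
            return False
        return True if mode == "loose" else iface == ingress


def urpf_drops(router: Router, packets: List[Tuple[str, str]], mode: str = "strict"):
    """packets are (source address, ingress interface); returns those uRPF drops."""
    return [p for p in packets if not router.urpf_permits(p[0], p[1], mode)]


if __name__ == "__main__":
    r = Router([("10.1.0.0/16", "f0/0"), ("192.0.2.0/24", "f0/1"), ("0.0.0.0/0", "s0/0")])
    # constructed traffic: the second packet claims an inside source but arrives from the WAN
    traffic = [("10.1.5.5", "f0/0"), ("10.1.5.5", "s0/0"), ("192.0.2.7", "f0/1"), ("203.0.113.9", "s0/0")]
    print("strict drops:", urpf_drops(r, traffic))
    print("loose drops: ", urpf_drops(r, traffic, mode="loose"))
```

The WAN-facing s0/0 only has the default route, so strict mode without allow-default drops every packet arriving there; that is the usual reason strict mode belongs on customer- and LAN-facing interfaces and loose mode (or strict with allow-default) on upstream links.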


CBAC - Context-Based Access Control

CBAC inspects TCP and UDP packets at the application layer (the stateful inspection feature of the IOS Firewall feature set).

CBAC monitors outgoing requests and creates temporary openings for the return traffic at the firewall interface. Return traffic is allowed in only if it belongs to a session started by the original outgoing traffic.

CBAC inspects the outgoing packets and maintains state information for every session.

CBAC then decides whether to permit or deny incoming traffic based on that state information; anything that matches no session still has to pass the static inbound access list.


How CBAC Works

ip inspect name FWRULE tcp

1 Control traffic (here a Telnet session from 10.0.0.3 port 2447 to 172.30.1.50 port 23) is inspected by the CBAC rule.

2 CBAC creates a dynamic ACL entry allowing the return traffic back through the firewall:

access-list 102 permit tcp host 172.30.1.50 eq 23 host 10.0.0.3 eq 2447

3 CBAC continues to inspect control traffic and dynamically creates and removes ACL entries as required by the application.

4 CBAC detects when an application terminates or times out and removes all dynamic ACL entries for that session.
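The four steps above as an added Python model of a stateful inspector (not code from the original slides and not IOS's implementation): outbound packets open a session keyed on the 5-tuple, inbound packets are permitted only if they are the reverse of a live session, sessions expire after the idle time or shortly after a FIN, and the live sessions are rendered as the temporary ACL entries they correspond to. Pkt, Cbac, the timeouts and the sample packets are constructed here; times are seconds.

```python
from dataclasses import dataclass


@dataclass
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    fin: bool = False          # set on the segment that closes the connection


class Cbac:
    """Stateful inspection for one firewall interface. 'outbound' packets leave
    the protected network and open a session; 'inbound' packets are allowed only
    if they are the reverse of a live session."""

    def __init__(self, tcp_idle: int = 3600, udp_idle: int = 30, finwait: int = 5):
        self.timeouts = {"tcp": tcp_idle, "udp": udp_idle}
        self.finwait = finwait
        # key: (proto, inside_ip, inside_port, outside_ip, outside_port)
        self.sessions = {}

    def _refresh(self, key, p: Pkt, now: float) -> None:
        s = self.sessions[key]
        if p.fin:
            s["closing"] = True
        # a closing session lives only finwait more seconds; otherwise the idle timer restarts
        s["expiry"] = now + (self.finwait if s["closing"] else self.timeouts[p.proto])

    def outbound(self, p: Pkt, now: float) -> bool:
        """Step 1: inspect outgoing control traffic and open (or refresh) the session."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        self.sessions.setdefault(key, {"closing": False, "expiry": now})
        self._refresh(key, p, now)
        return True

    def inbound(self, p: Pkt, now: float) -> bool:
        """Steps 2 to 4: permit only the reverse of a live session, tear down expired ones."""
        key = (p.proto, p.dst, p.dport, p.src, p.sport)    # reverse 5-tuple
        s = self.sessions.get(key)
        if s is None or now > s["expiry"]:
            self.sessions.pop(key, None)
            return False
        self._refresh(key, p, now)
        return True

    def dynamic_acl(self, now: float):
        """The temporary inbound entries the live sessions correspond to (step 2)."""
        return [
            f"access-list 102 permit {proto} host {o_ip} eq {o_port} host {i_ip} eq {i_port}"
            for (proto, i_ip, i_port, o_ip, o_port), s in self.sessions.items()
            if now <= s["expiry"]
        ]


if __name__ == "__main__":
    fw = Cbac()
    fw.outbound(Pkt("10.0.0.3", 2447, "172.30.1.50", 23), now=0)     # telnet from inside
    print(fw.inbound(Pkt("172.30.1.50", 23, "10.0.0.3", 2447), now=1))   # True: reply
    print(fw.inbound(Pkt("172.30.1.50", 23, "10.0.0.3", 2448), now=1))   # False: unsolicited
    print(fw.dynamic_acl(1))
```

The unsolicited packet is refused even though it comes from the same server and port, which is the difference between this and a static "permit tcp any eq 23 any" entry: the opening exists only for the exact session the inside host started.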


CBAC Configuration


Enable Audit Trails and Alerts


Enable TCP SYN and FIN wait times (values shown: 30 s, 5 s)

ip inspect tcp synwait-time seconds (how long a half-open session is kept while waiting for the handshake to complete; default 30)

ip inspect tcp finwait-time seconds (how long a session is kept after the FIN exchange; default 5)


TCP, UDP and DNS Idle Times (values shown: 3 s, 1 h, 30 s)

ip inspect tcp idle-time seconds (default 3600)

ip inspect udp idle-time seconds (default 30)

ip inspect dns-timeout seconds


Port to Application Mapping


Port Mapping Configuration


Configuring Inspection Rules


Apply Inspection Rule to an Interface


Recommended