--- CCIE R&S Advanced Lab ---

--- Session 5 BGP, Multicast ---

Copyright© Network Learning Inc. 2008

BGP Topics Covered

BGP Confederation

Order/Preference

Aggregation

Security

Peer Groups

Dampening


BGP

• Know where BGP is located on the DOC CD

• How BGP path selection can be manipulated (weight, local preference, AS-path, MED, communities, all covered below)


BGP Confederations


Remove private AS

• Private AS numbers (64512 to 65534) are used for internal peerings and customers

• The private AS information must be removed before routes are announced to the outside world; on the eBGP neighbor use neighbor ip-address remove-private-as


BGP Path Selection

1. If the path specifies a next hop that is inaccessible, drop the update.

2. Prefer the path with the largest weight.

3. If the weights are the same, prefer the path with the largest local preference.

4. If the local preferences are the same, prefer the path that was originated by BGP running on this router.

5. If no route was originated, prefer the route that has the shortest AS_path.

6. If all paths have the same AS_path length, prefer the path with the lowest origin type (where IGP is lower than EGP, and EGP is lower than incomplete).

7. If the origin codes are the same, prefer the path with the lowest MED attribute (by default MED is only compared between paths received from the same neighboring AS).

8. If the paths have the same MED, prefer the external (eBGP) path over the internal (iBGP) path.

9. If the paths are still the same, prefer the path through the closest IGP neighbor (lowest IGP metric to the BGP next hop).

10. Prefer the path advertised by the router with the lowest BGP router ID.
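The ten steps above as a runnable model, added here as an example and not part of the original slides. The candidate paths are constructed for the example; step 7 compares MED across all candidates, which corresponds to bgp always-compare-med rather than the IOS default (see the comment in the code).

```python
# Added example (not from the slides): a model of the ten-step best-path
# comparison above, run over constructed candidate paths to a single prefix.
from dataclasses import dataclass
from typing import List, Optional, Tuple

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass
class BgpPath:
    name: str                 # label used only for the example output
    next_hop_reachable: bool  # is there a route to NEXT_HOP?
    weight: int               # Cisco-local; 32768 for locally originated
    local_pref: int
    locally_originated: bool  # network/aggregate-address on this router
    as_path: List[int]
    origin: str               # "igp", "egp" or "incomplete"
    med: int
    external: bool            # learned via eBGP (True) or iBGP (False)
    igp_metric: int           # IGP cost to the BGP next hop
    router_id: str            # router ID of the advertising peer


# One entry per slide step (2..10); every key is "smaller is better".
# Step 7 compares MED across every candidate, which is what
# 'bgp always-compare-med' does; by default IOS compares MED only between
# paths received from the same neighboring AS.
STEPS = [
    ("weight", lambda p: -p.weight),
    ("local_pref", lambda p: -p.local_pref),
    ("locally_originated", lambda p: 0 if p.locally_originated else 1),
    ("as_path_length", lambda p: len(p.as_path)),
    ("origin", lambda p: ORIGIN_RANK[p.origin]),
    ("med", lambda p: p.med),
    ("ebgp_over_ibgp", lambda p: 0 if p.external else 1),
    ("igp_metric", lambda p: p.igp_metric),
    ("router_id", lambda p: tuple(int(o) for o in p.router_id.split("."))),
]


def best_path(paths: List[BgpPath]) -> Tuple[Optional[BgpPath], str]:
    """Return (winner, name of the step that decided it). Step 1 drops
    paths whose next hop is unreachable; steps 2..10 then narrow the
    candidates until exactly one remains."""
    candidates = [p for p in paths if p.next_hop_reachable]
    if not candidates:
        return None, "no usable path"
    for step, key in STEPS:
        best = min(key(p) for p in candidates)
        candidates = [p for p in candidates if key(p) == best]
        if len(candidates) == 1:
            return candidates[0], step
    return candidates[0], "tie"


# Constructed candidates for one prefix (not real routing data).
PATHS = [
    BgpPath("A", True, 0, 100, False, [65001, 65002], "igp", 0, True, 10, "10.0.0.1"),
    BgpPath("B", True, 0, 200, False, [65003, 65004, 65005], "igp", 0, False, 20, "10.0.0.2"),
    # C has the best weight and local preference, but its next hop is
    # unreachable, so step 1 removes it before anything else is compared.
    BgpPath("C", False, 32768, 300, True, [65006], "igp", 0, True, 1, "10.0.0.3"),
]

if __name__ == "__main__":
    winner, step = best_path(PATHS)
    print(f"best path {winner.name}, decided at step '{step}'")
```

Note that B wins on local preference despite its longer AS path and iBGP origin: the comparison stops at the first step that separates the candidates, which is why a higher-local-preference path cannot be overridden by AS-path prepending.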


Aggregating BGP Networks

• Summarization is called aggregation in BGP

• Aggregation creates summary routes (called aggregates) from networks already in the BGP table

• The individual networks can still be announced alongside the aggregate, or suppressed in favor of it


Configuring Aggregation

router bgp as-number
 aggregate-address address-prefix mask [summary-only] [as-set]

• Specify the aggregation range in the BGP routing process

• The aggregate is announced only if at least one network in the specified range is present in the BGP table

• Without summary-only the individual networks are still announced in outgoing BGP updates; with summary-only they are suppressed and only the aggregate is sent

• Without as-set the aggregate carries only the local AS in its AS_PATH (and the ATOMIC_AGGREGATE attribute); with as-set the component AS numbers are kept as an AS_SET so that AS-path loop prevention still applies to them


Configuring BGP Communities

BGP communities are configured in the following steps:

• Configure BGP community propagation

• Define BGP community-lists to match BGP communities

• Configure route-maps that match on community-lists and filter routes or set other BGP attributes

• Apply route-maps to incoming or outgoing updates


Community Setting Through Route-Map

route-map name

match condition

set community value [ value … ] [additive]

• Any number of communities can be specified

• Communities specified in the set command overwrite the existing communities unless you specify the additive option


Attaching Communities to a Route

neighbor ip-address route-map map in | out

router(config-router)#

• Applies a route-map to inbound or outbound BGP updates

• The route-map can set BGP communities or other BGP attributes

redistribute protocol route-map map

router(config-router)#

• Applies a route-map to redistributed routes


Configure Community Propagation

neighbor ip-address send-community

router(config-router)#

• By default, communities are stripped in outgoing BGP updates

• Community propagation to BGP neighbors has to be manually configured


Related Commands

• set community none – Removes all community attributes from the route

• set comm-list delete – Removes the communities that match a community list (each community on the route is tested on its own against the list)

ip community-list 1 permit 200:100
route-map REM_COM permit 10
 set comm-list 1 delete

• set community additive – Appends to the existing communities instead of replacing them

set community 450 additive

• ip community-list 1 permit 200:10 – Matches any route that carries 200:10 (whatever else it carries)

• ip community-list 3 permit 200:10 100:10 – Matches only routes that carry both 200:10 and 100:10: communities listed on one entry are ANDed, while separate entries of the same list are ORed, and an unmatched route hits the implicit deny at the end of the list
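The matching rule and the three set operations above, modelled in Python as an added example (not code from the slides). The community lists and routes are constructed for the example; communities are written as "AS:value" strings.

```python
# Added example (not from the slides): the community-list matching rule and
# the set-community operations above, modelled on constructed routes.
from typing import Iterable, List, Set, Tuple

Entry = Tuple[str, Set[str]]   # ("permit" | "deny", communities on that line)


def community_list_matches(entries: List[Entry], route_comms: Iterable[str]) -> bool:
    """Evaluate a standard community-list top-down, as IOS does.

    A line matches when ALL of its communities are present on the route
    (communities on one line are ANDed). The first matching line decides,
    so separate lines are ORed, and a route that matches nothing hits the
    implicit deny at the end."""
    comms = set(route_comms)
    for action, required in entries:
        if required <= comms:
            return action == "permit"
    return False


def set_community(route_comms: Iterable[str], values: Iterable[str],
                  additive: bool = False) -> Set[str]:
    """'set community <values>' replaces the attribute; 'additive' appends."""
    return (set(route_comms) | set(values)) if additive else set(values)


def set_community_none(route_comms: Iterable[str]) -> Set[str]:
    """'set community none' strips the attribute entirely."""
    return set()


def comm_list_delete(route_comms: Iterable[str], entries: List[Entry]) -> Set[str]:
    """'set comm-list <n> delete': every community on the route is tested
    on its own against the list and removed if the list permits it. A line
    carrying more than one community can never match a single value, which
    is why single-community lines are used for delete lists."""
    return {c for c in route_comms if not community_list_matches(entries, [c])}


# Constructed lists mirroring the two examples on the slide.
LIST_1 = [("permit", {"200:10"})]
LIST_3 = [("permit", {"200:10", "100:10"})]

if __name__ == "__main__":
    print(community_list_matches(LIST_3, {"200:10"}))   # False: both are required
```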


AS Path Filtering

Several scenarios require BGP route filtering based on the AS-path:

• Announce only local routes to the ISP - the AS-path needs to be empty

• Select routes based on a specific AS-number in the AS-path

• Accept routes for specific AS only from some BGP neighbors

AS-path filters use regular expressions


Regular Expressions - Matching Delimiters

^ matches beginning of string

$ matches end of string

_ matches any delimiter (beginning, end, white space, tab, comma, brace, parenthesis)


Regular Expressions - Operators

* matches zero or more instances

? matches zero or one instances

+ matches one or more instances

. Matches any single character

[ ] Matches characters or a range of characters


Sample Regular Expressions

_100_      Going through AS 100 (AS 100 appears anywhere in the path)

^100$      Directly connected to AS 100 (AS 100 is the only AS in the path)

_100$      Originated in AS 100

^100_.*    Networks behind AS 100 (learned from neighbor AS 100)

^[0-9]+$   AS paths exactly one AS long

^$         Networks originated in the local AS (empty AS path)

.*         Matches everything


Configuring BGP AS-path Filters

ip as-path access-list number permit | deny regexp

R1(config)#

• Configures AS-path access list

neighbor ip-address filter-list as-path-filter in | out

R1(config-router)#

• Configures an inbound or outbound AS-path filter for the specified BGP neighbor; the access list ends with an implicit deny, so a filter that only contains deny lines must finish with permit .*


Conditional Route Injection

• Used to inject more specific routes into BGP based on existence of certain routes

R1(config)# router bgp 50000
R1(config-router)# bgp inject-map ORIGIN exist-map LEARNED copy-attributes

R1(config)# ip prefix-list ROUTE permit 10.1.1.0/24
R1(config)# ip prefix-list ROUTE_SOURCE permit 10.2.1.1/32
R1(config)# ip prefix-list ORIGINATED_ROUTES permit 10.1.1.0/25

R1(config)# route-map LEARNED permit 10
R1(config-route-map)# match ip address prefix-list ROUTE
R1(config-route-map)# match ip route-source prefix-list ROUTE_SOURCE

R1(config)# route-map ORIGIN permit 10
R1(config-route-map)# set ip address prefix-list ORIGINATED_ROUTES

• The exist-map must match both the aggregate (ROUTE) and the neighbor it is learned from (ROUTE_SOURCE); the inject-map names the more specific prefixes to originate, so 10.1.1.0/25 is injected only while 10.1.1.0/24 is present from 10.2.1.1


BGP Authentication

• Authentication uses the TCP MD5 signature option (RFC 2385): every segment of the BGP session is signed, so an unauthenticated segment (for example a spoofed RST) is discarded

• Configured on a per-neighbor basis; both sides must use the identical password or the session never reaches Established

• The password is stored in the running configuration; service password-encryption only obscures it with the reversible type 7 scheme, so protect configuration backups accordingly

R1(config)# router bgp 10
R1(config-router)# neighbor 10.1.1.2 remote-as 10
R1(config-router)# neighbor 10.1.1.2 password CISCO

R2(config)# router bgp 10
R2(config-router)# neighbor 10.1.1.1 remote-as 10
R2(config-router)# neighbor 10.1.1.1 password CISCO


Route Flap Dampening

• Each flap of an eBGP-learned route adds 1000 penalty points to that route (dampening applies only to eBGP routes)

• The penalty decays exponentially over time

• When the penalty exceeds the suppress limit, the route is dampened (no longer used or propagated to other neighbors)

• A dampened route is released and propagated again once the penalty has decayed below the reuse limit


Configuring BGP Route Flap Dampening

bgp dampening [half-life reuse-limit suppress-limit max-suppress-time] [route-map route-map]

R1(config-router)#

Parameter meaning:

half-life          Exponential decay half-life (time in which the penalty is halved)

suppress-limit     Penalty value above which the route starts to be dampened

reuse-limit        Penalty value below which a dampened route is reused

max-suppress-time  Maximum time a route can stay suppressed; it also caps the penalty at reuse-limit × 2^(max-suppress-time / half-life)

route-map          Selects which routes dampening applies to and can set per-route parameters


Default BGP Dampening Parameter Values

The following default dampening parameter values are used if you don’t specify them:

• half-life 15 minutes

• per-flap penalty 1,000 (non-configurable)

• suppress limit 2,000

• reuse limit 750

• max-suppress-time 60 minutes
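The penalty arithmetic behind these defaults, as a small simulator added here as an example (not code from the slides). Times are in minutes and the flap history is constructed; the penalty ceiling formula is the one IOS derives from reuse-limit, half-life and max-suppress-time. The practitioner's caveat the numbers make visible: three flaps inside one minute keep a prefix out of the table for half an hour, so instability inflicted on a prefix (by an upstream fault or deliberately) punishes the prefix owner long after the flapping has stopped.

```python
# Added example (not from the slides): BGP route-flap dampening penalty
# decay, suppression and reuse, with the IOS default parameters.
import math


class Dampening:
    def __init__(self, half_life=15.0, reuse=750, suppress=2000,
                 max_suppress=60.0, flap_penalty=1000):
        self.half_life = half_life
        self.reuse = reuse
        self.suppress = suppress
        self.flap_penalty = flap_penalty
        # IOS caps the penalty so a route is never suppressed longer than
        # max-suppress-time: reuse * 2^(max-suppress / half-life),
        # i.e. 750 * 16 = 12000 with the defaults.
        self.ceiling = reuse * 2 ** (max_suppress / half_life)
        self.penalty = 0.0
        self.last_update = 0.0
        self.suppressed = False

    def _decay_to(self, now):
        elapsed = now - self.last_update
        self.penalty *= 0.5 ** (elapsed / self.half_life)
        self.last_update = now

    def flap(self, now):
        """The route flapped at time `now` (minutes)."""
        self._decay_to(now)
        self.penalty = min(self.penalty + self.flap_penalty, self.ceiling)
        if self.penalty > self.suppress:
            self.suppressed = True
        return self.suppressed

    def is_suppressed(self, now):
        self._decay_to(now)
        if self.suppressed and self.penalty < self.reuse:
            self.suppressed = False
        return self.suppressed

    def minutes_until_reuse(self, now):
        self._decay_to(now)
        if self.penalty <= self.reuse:
            return 0.0
        # Solve penalty * 0.5^(t / half_life) = reuse for t.
        return self.half_life * math.log2(self.penalty / self.reuse)


def burst_of_flaps(count, start=0.0, spacing=0.0):
    """Constructed scenario: `count` flaps `spacing` minutes apart."""
    state = Dampening()
    for i in range(count):
        state.flap(start + i * spacing)
    return state


if __name__ == "__main__":
    s = burst_of_flaps(3)   # three flaps within the same minute
    print(s.penalty, s.suppressed, s.minutes_until_reuse(0))   # 3000.0 True 30.0
```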


Limiting the Number of Routes Received from a Neighbor

Problem definition:

• A misconfigured (or hostile) BGP neighbor can send a huge number of prefixes that exhaust the router's memory or overload the CPU

• All other filtering mechanisms only specify what we’re willing to accept but not how much

• Need to control the number of prefixes received from a neighbor


Maximum-Prefix Command

neighbor ip-address maximum-prefix maximum [threshold] [restart minutes] [warning-only]

R1(config-router)#

• Controls how many prefixes are accepted from a neighbor

• Optional threshold parameter specifies the percentage of the maximum at which a warning message is logged (default is 75%)

• On exceeding the maximum the default action is to tear down the BGP session, which then stays down until it is cleared manually unless restart minutes is configured; warning-only only logs a message and keeps accepting prefixes

--- Session 5 continued, Multicast ---


Multicast

Address

RPF

Dense / Sparse mode

Source / shared tree

Static RP

Auto-RP

BSR

B-M-B (Broadcast-Multicast-Broadcast)

MSDP / Anycast


Multicast Address Range


Reverse Path Forwarding


RPF Calculation


RPF with two paths


Multicast Distribution Trees

Dense mode uses a source tree (push model: traffic is flooded, then pruned)


Shared Distribution Tree

Sparse mode uses a shared tree rooted at the RP (pull model: traffic is forwarded only where receivers have joined)


Characteristics of Distribution Trees


Multicast Tree Creation


PIM Sparse Mode


How does the network know about the RP?


Static RPs


Auto RP

• Cisco-proprietary, intended for PIMv1 (also works with PIMv2)

• Candidate RPs (C-RPs) announce themselves on 224.0.1.39 (cisco-rp-announce)

• The mapping agent collects the announcements, selects the RP for each group range and sends RP discovery messages on 224.0.1.40 (cisco-rp-discover)

• Recommended to locate the C-RP and the mapping agent on the same router

• The two Auto-RP groups must be flooded in dense mode (sparse-dense mode, or ip pim autorp listener on sparse-mode interfaces), because routers have to learn the RP before they can use sparse mode


Auto-RP configured


BSR Overview

ip pim bsr-border, configured on the interface at the domain boundary, stops bootstrap messages from being sent or received across the border, so a neighboring domain's BSR cannot take over the RP mapping; PIM joins and multicast data are not affected by it.


Configuring BSR

The candidate BSR is configured with a hash mask length and a priority (ip pim bsr-candidate interface hash-mask-length [priority]); candidate RPs are configured with ip pim rp-candidate interface [group-list acl] [priority]. The highest priority (then highest address) wins the BSR election, and the hash mask controls how group ranges are spread across RPs.


Anycast – RP Overview


MSDP


Anycast RP


Anycast RP - cont.


Broadcast-Multicast-Broadcast

First-hop router (turns the UDP 4000 broadcast from 126.1.22.1 to 126.1.22.255 into multicast group 239.1.1.1):

interface ethernet 0
 ip pim sparse-mode
 ip multicast helper-map broadcast 239.1.1.1 105
!
access-list 105 permit udp host 126.1.22.1 host 126.1.22.255 eq 4000
ip forward-protocol udp 4000

Last-hop router (turns group 239.1.1.1 back into a directed broadcast to 131.1.1.255):

interface serial 0
 ip pim sparse-mode
 ip multicast helper-map 239.1.1.1 131.1.1.255 105
!
interface ethernet 1
 ip directed-broadcast
!
access-list 105 permit udp host 126.1.22.1 any eq 4000
ip forward-protocol udp 4000

Caveat: ip directed-broadcast has been off by default since IOS 12.0 because directed broadcasts are the amplifier in smurf-style attacks. Rather than enabling it unconditionally, restrict it to the helper traffic with ip directed-broadcast 105 so only the translated UDP 4000 packets are broadcast on the segment.

--- Session 6 QOS, Security ---


QOS

Modular QoS CLI (MQC)

LLQ

CAR – Committed Access Rate

WRED, CBWRED

Marking

Shaping, FRTS

Fragmenting

NBAR – Network Based Application Recognition


MQC Class-maps

class-map [match-all | match-any] Lab     (match-all is the default)
 match xxx
 match yyy

match ? lists the classification options:

• input-interface f0/0

• destination MAC address, source MAC address

• fr-de, fr-dlci

• cos, dscp, ip precedence

• any

• access-group

• protocol (NBAR; additional protocols are loaded as PDLMs)
  – NBAR requires CEF
  – ip nbar protocol-discovery on an interface reports which protocols are actually seen

• packet length min or max


Policy-Map and DSCP

policy-map Test
 class Lab
  set cos | ip dscp | ip precedence …
  bandwidth xxx

DSCP has 64 codepoints (6 bits) available to mark traffic

mls qos map dscp-mutation Map 31 to 41     (switch-side mutation map named Map that rewrites DSCP 31 to 41 at the boundary)


CBWFQ

• interface f0/0
   max-reserved-bandwidth 80      (75% is the default)

• Within one policy-map the classes can be given bandwidth in kbps or in percent, but not both

• policy-map Voice
   class CONTROL
    bandwidth 10
   class Media
    priority 1000

• A policy-map can have up to 255 classes

• When a strict-priority queue is applied to a class (priority), the policy is referred to as LLQ; during congestion the priority class is policed to its configured rate so it cannot starve the other classes


CAR - Committed Access Rate

• Used on edge routers to classify and/or rate-limit traffic

• Can be applied to all traffic or to a subset of the traffic selected by an access list

• Configured on an interface:

rate-limit {input | output} bps normal-burst max-burst conform-action action exceed-action action

rate-limit {input | output} access-group index bps normal-burst max-burst conform-action action exceed-action action

• Recommended normal burst (bytes) = configured rate (bits/s) × 1 byte / 8 bits × 1.5 seconds

• Recommended extended burst = 2 × normal burst


CBWFQ Architecture policy


Applying RED


Configuring WRED on an interface

Parameters: minimum threshold (packets), maximum threshold (packets), mark probability denominator

When the average queue size is above the minimum threshold, RED starts dropping packets.

The drop probability increases linearly as the average queue size grows, until the average queue size reaches the maximum threshold.

The mark probability denominator sets the fraction of packets dropped when the average queue size is at the maximum threshold: with a denominator of 100, one out of every 100 packets is dropped at that point (the IOS default denominator is 10). Once the average queue size exceeds the maximum threshold, all arriving packets are dropped.


Traffic Shaping


Shape Peak

Peak rate = CIR × (1 + Be/Bc)

Router(config-pmap-c)# shape {average | peak} cir [bc] [be]

shape adaptive: when frames arrive with the BECN bit set to 1, the shaper slows down

• the rate is reduced by 25% for each Tc in which a BECN is received, down to the configured minimum rate

• after 16 consecutive Tc intervals with no BECN, the rate is increased in steps of 1/16 every Tc until it is back at the configured rate

shape fecn-adapt: reflects a received FECN back to the far end as a frame with the BECN bit set, so the sender can adapt even when traffic is one-way


Frame Relay Traffic Shaping

Committed time interval Tc = Bc / CIR; IOS uses 125 ms by default and never more than 125 ms


Network Based Application Recognition (NBAR)


NBAR Application Support


Packet Description Language Module


NBAR Protocol Discovery

--- Session 6 continued, Security ---


Security

Unicast Reverse Path Forwarding (uRPF)

Context Based Access Control (CBAC)


Unicast Reverse Path Forwarding (uRPF)

Unicast Reverse Path Forwarding (uRPF) is a feature originally created to implement network ingress filtering as described in RFC 2827 (BCP 38), "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing".


Configuring uRPF

With uRPF enabled on an interface, a packet is accepted only if the router has a route back to its source address. In strict mode that route must point out the interface the packet arrived on, so packets with spoofed sources are dropped at the first uRPF-enabled device. Strict mode therefore breaks asymmetric routing; loose mode (reachable-via any) only checks that some route to the source exists, and in both modes a default route is ignored unless the allow-default keyword is given.

To enable strict uRPF, use the following commands (CEF is required because the check is done against the FIB).

R1(config)# ip cef

R1(config)# interface f0/0

R1(config-if)# ip verify unicast reverse-path

ip verify unicast source reachable-via rx is the newer form of the same strict check; ip verify unicast source reachable-via any enables loose mode.
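The uRPF decision modelled over a constructed FIB, added here as an example (not code from the slides), so that strict mode, loose mode, the allow-default behaviour and the asymmetric-routing false positive can be compared on the same inputs. The prefixes, interface names and the ECMP entry are invented.

```python
# Added example (not from the slides): the uRPF check over a constructed FIB.
import ipaddress
from typing import List, Tuple

Route = Tuple[str, str]   # (prefix, egress interface)


class Fib:
    def __init__(self, routes: List[Route]):
        self.routes = [(ipaddress.ip_network(p), ifname) for p, ifname in routes]

    def lookup(self, addr: str):
        """Longest-prefix match; returns every equal-cost entry for it."""
        ip = ipaddress.ip_address(addr)
        hits = [(n, i) for n, i in self.routes if ip in n]
        if not hits:
            return []
        longest = max(n.prefixlen for n, _ in hits)
        return [(n, i) for n, i in hits if n.prefixlen == longest]


def urpf_accepts(fib: Fib, src: str, ingress: str, mode: str = "strict",
                 allow_default: bool = False) -> bool:
    """strict: the best route to src must leave via the ingress interface
    (any member of an ECMP set counts). loose: any route to src will do.
    The default route is ignored unless allow-default is configured."""
    routes = fib.lookup(src)
    if not allow_default:
        routes = [(n, i) for n, i in routes if n.prefixlen > 0]
    if not routes:
        return False
    if mode == "loose":
        return True
    return any(i == ingress for _, i in routes)


# Constructed FIB of an edge router: two customer links and an upstream.
FIB = Fib([
    ("10.1.0.0/16", "Gi0/1"),        # customer A
    ("192.0.2.0/24", "Gi0/2"),       # customer B
    ("198.51.100.0/24", "Gi0/1"),    # dual-homed customer, ECMP over both links
    ("198.51.100.0/24", "Gi0/2"),
    ("0.0.0.0/0", "Gi0/0"),          # default route toward the upstream
])

if __name__ == "__main__":
    # Customer B forging a customer A source address is dropped on Gi0/2.
    print(urpf_accepts(FIB, "10.1.2.3", "Gi0/2"))                 # False
    # The same packet arriving on a link that legitimately carries customer B
    # traffic asymmetrically is also dropped by strict mode, accepted by loose.
    print(urpf_accepts(FIB, "192.0.2.5", "Gi0/1", mode="loose"))  # True
```

The last two calls are the operational trade-off in one place: strict mode on a customer-facing interface catches the spoof, but the identical check on a link with asymmetric return paths discards legitimate traffic, which is why loose mode (or strict mode with the ECMP routes in place) is what gets deployed toward peers and upstreams.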


CBAC - Context-Based Access Control

CBAC (the IOS classic stateful firewall) inspects TCP and UDP sessions up to the application layer.

CBAC inspects outgoing packets, maintains state information for every session and creates temporary openings at the firewall interface for the return traffic; inbound traffic is permitted only if it belongs to a session that was initiated from the inside.

When a session terminates or idles out, its state and the temporary openings are removed.


How CBAC Works

ip inspect name FWRULE tcp

Example session: inside host 10.0.0.3 (source port 2447) opens a Telnet session to 172.30.1.50 (port 23) through the firewall.

1. The outbound control traffic is inspected by the CBAC rule.

2. CBAC creates a dynamic ACL entry allowing the return traffic back through the firewall:

access-list 102 permit tcp host 172.30.1.50 eq 23 host 10.0.0.3 eq 2447

3. CBAC continues to inspect the control traffic and dynamically creates and removes ACL entries as the application requires (for example the data connections of FTP).

4. CBAC detects when the application terminates or times out and removes all dynamic ACL entries for that session.
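The four steps above as a small stateful-inspection model, added here as an example (not code from the slides). The session it tracks is the slide's Telnet example (10.0.0.3:2447 to 172.30.1.50:23); the idle timers use the CBAC defaults, and the model simplifies connection teardown by removing the entry on the first FIN or RST instead of holding it for the finwait time.

```python
# Added example (not from the slides): CBAC-style stateful inspection, where
# outbound traffic opens a temporary entry for its return flow and inbound
# packets are accepted only if they match an open session.
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


class Cbac:
    def __init__(self, tcp_idle: int = 3600, udp_idle: int = 30):
        self.idle = {"tcp": tcp_idle, "udp": udp_idle}   # CBAC default idle times
        self.sessions: Dict[Flow, float] = {}            # permitted return flow -> expiry

    def outbound(self, flow: Flow, now: float) -> None:
        """Steps 1-2: inspect the outgoing packet and open its return path."""
        self.sessions[flow.reverse()] = now + self.idle[flow.proto]

    def inbound(self, flow: Flow, now: float, flags: Iterable[str] = ()) -> bool:
        """True if the inbound packet matches an open session. Anything else
        falls through to the interface's static inbound ACL, which in this
        model denies everything."""
        expiry = self.sessions.get(flow)
        if expiry is None:
            return False
        if now > expiry:                  # step 4: idle timeout
            del self.sessions[flow]
            return False
        if {"FIN", "RST"} & set(flags):   # step 4: application terminated
            del self.sessions[flow]       # (simplified: IOS waits finwait-time)
        else:                             # step 3: session still active
            self.sessions[flow] = now + self.idle[flow.proto]
        return True

    def dynamic_acl(self) -> List[str]:
        """The temporary entries, rendered the way IOS shows them."""
        return [f"access-list 102 permit {f.proto} host {f.src} eq {f.sport} "
                f"host {f.dst} eq {f.dport}" for f in self.sessions]


if __name__ == "__main__":
    fw = Cbac()
    fw.outbound(Flow("tcp", "10.0.0.3", 2447, "172.30.1.50", 23), now=0)
    print(fw.dynamic_acl()[0])
```

The two negative checks in the test are the point of the design: a packet from the right server but to a different inside port, or from a different server port, has no session and is dropped even though a static "permit established" ACL would have let it through.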


CBAC Configuration


Enable Audit Trails and Alerts


Enable TCP SYN and FIN wait times

ip inspect tcp synwait-time seconds     (default 30 s: how long a half-open session may wait to complete before it is dropped)

ip inspect tcp finwait-time seconds     (default 5 s: how long a session is kept after the FIN exchange)


TCP, UDP and DNS idle times

ip inspect tcp idle-time seconds     (default 3600 s, 1 h)

ip inspect udp idle-time seconds     (default 30 s)

ip inspect dns-timeout seconds       (default 5 s)


Port to Application Mapping


Port Mapping Configuration


Configuring Inspection Rules


Apply Inspection Rule to an Interface
