--- CCIE R&S Advanced Lab ---
--- Session 5 BGP, Multicast ---
Copyright© Network Learning Inc. 2008 2
BGP Topics Covered
BGP Confederation
Order/Preference
Aggregation
Security
Peer Groups
Dampening
BGP
• Know where BGP is located on the DOC CD
• How BGP can be manipulated
BGP Confederations
Remove private AS
• Uses private AS numbers internally
• Need to remove the private AS information
BGP Path Selection
1. If the path specifies a next hop that is inaccessible, drop the update.
2. Prefer the path with the largest weight.
3. If the weights are the same, prefer the path with the largest local preference.
4. If the local preferences are the same, prefer the path that was originated by BGP running on this router.
5. If no route was originated, prefer the route that has the shortest AS_path.
6. If all paths have the same AS_path length, prefer the path with the lowest origin type (where IGP is lower than EGP, and EGP is lower than incomplete).
7. If the origin codes are the same, prefer the path with the lowest MED attribute.
8. If the paths have the same MED, prefer the external path over the internal path.
9. If the paths are still the same, prefer the path through the closest IGP neighbor.
10. Prefer the path with the lowest IP address, as specified by the BGP router ID.
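Added example, not from the slides: the ten steps above as a best-path function run over constructed candidate paths. The attribute names, the sample paths and the peer router IDs are assumptions; step 7 follows the slide's simplified rule and compares MED across all remaining paths.

```python
from dataclasses import dataclass
from typing import List, Optional

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}   # step 6: lower is better

@dataclass
class Path:
    peer_rid: str               # BGP router ID of the advertising peer (step 10)
    next_hop_reachable: bool    # step 1
    weight: int                 # step 2
    local_pref: int             # step 3
    locally_originated: bool    # step 4
    as_path: List[int]          # step 5
    origin: str                 # step 6: "igp", "egp" or "incomplete"
    med: int                    # step 7
    external: bool              # step 8: True = eBGP path, False = iBGP path
    igp_metric: int             # step 9: IGP cost to the next hop

def _rid_key(rid: str):
    return tuple(int(octet) for octet in rid.split("."))

def best_path(paths: List[Path]) -> Optional[Path]:
    # Step 1: a path whose next hop is inaccessible is not a candidate at all.
    candidates = [p for p in paths if p.next_hop_reachable]
    if not candidates:
        return None
    # Steps 2-10 as one lexicographic key: each element is arranged so that the
    # preferred value sorts lowest, and a tie falls through to the next step.
    def rank(p: Path):
        return (
            -p.weight,                          # 2: largest weight
            -p.local_pref,                      # 3: largest local preference
            0 if p.locally_originated else 1,   # 4: originated on this router
            len(p.as_path),                     # 5: shortest AS_path
            ORIGIN_RANK[p.origin],              # 6: IGP < EGP < incomplete
            p.med,                              # 7: lowest MED (slide's simplified rule)
            0 if p.external else 1,             # 8: eBGP over iBGP
            p.igp_metric,                       # 9: closest IGP neighbor
            _rid_key(p.peer_rid),               # 10: lowest router ID
        )
    return min(candidates, key=rank)

# Constructed candidates for one prefix: three paths, one with a dead next hop.
SAMPLE_PATHS = [
    Path("1.1.1.1", True, 0, 100, False, [65001, 65002], "igp", 0, True, 10),
    Path("2.2.2.2", True, 0, 200, False, [65003, 65004, 65005], "igp", 0, True, 50),
    Path("3.3.3.3", False, 32768, 300, False, [65003], "igp", 0, True, 5),  # dropped at step 1
]
```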
Aggregating BGP Networks
• Summarization is called aggregation in BGP
• Aggregation creates summary routes (called aggregates) from networks already in the BGP table
• Individual networks can be announced or suppressed
Configuring Aggregation
router bgp as-number
aggregate-address address-prefix mask
• Specify aggregation range in BGP routing process
• The aggregate will be announced if there is at least one network in the specified range in the BGP table
• Individual networks will still be announced in outgoing BGP updates
Configuring BGP Communities
BGP communities are configured in the following steps:
• Configure BGP community propagation
• Define BGP community-lists to match BGP communities
• Configure route-maps that match on community-lists and filter routes or set other BGP attributes
• Apply route-maps to incoming or outgoing updates
Community Setting Through Route-Map
route-map name
match condition
set community value [ value … ] [additive]
• Any number of communities can be specified
• Communities specified in the set keyword overwrite the existing communities unless you specify the additive option
Attaching Communities to a Route
router(config-router)# neighbor ip-address route-map map in | out
• Applies a route-map to inbound or outbound BGP updates
• The route-map can set BGP communities or other BGP attributes
router(config-router)# redistribute protocol route-map map
• Applies a route-map to redistributed routes
Configure Community Propagation
router(config-router)# neighbor ip-address send-community
• By default, communities are stripped in outgoing BGP updates
• Community propagation to BGP neighbors has to be manually configured
Related Commands
• set community none – removes all community attributes
• set comm-list delete – removes specific communities:
ip community-list 1 permit 200:100
route-map REM_COM permit 10
 set comm-list 1 delete
• set community additive – appends to the existing communities:
set community 450 additive
• ip community-list 1 permit 200:10 – matches any route that has 200:10
• ip community-list 3 permit 200:10 100:10 – matches any route that has either or both communities
AS Path Filtering
Several scenarios require BGP route filtering based on AS-path:
• Announce only local routes to the ISP – the AS-path needs to be empty
• Select routes based on a specific AS-number in the AS-path
• Accept routes for specific AS only from some BGP neighbors
AS-path filters use regular expressions
Regular Expressions - Matching Delimiters
^ matches beginning of string
$ matches end of string
_ matches any delimiter (beginning, end, white space, tab, comma)
Regular Expressions - Operators
* matches zero or more instances
? matches zero or one instance
+ matches one or more instances
. matches any single character
[ ] matches a character or a range of characters
Sample Regular Expressions
_100_      going through AS 100
^100$      directly connected to AS 100
_100$      originated in AS 100
^100_.*    networks behind AS 100
^[0-9]+$   AS paths one AS long
^$         networks originated in the local AS
.*         matches everything
Configuring BGP AS-path Filters
R1(config)# ip as-path access-list number permit | deny regexp
• Configures an AS-path access list
R1(config-router)# neighbor ip-address filter-list as-path-filter in | out
• Configures an inbound or outbound AS-path filter for the specified BGP neighbor
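Added example, not from the slides, covering both the sample expressions and the AS-path filter above: IOS regular expressions evaluated against AS_PATH strings, with the IOS underscore delimiter translated for Python's re module, plus an emulated as-path access-list with first-match semantics and an implicit deny. The sample AS paths and the two filters are constructed.

```python
import re

# IOS "_" stands for any delimiter: start or end of string, space, tab,
# comma, braces or parentheses (the characters IOS prints around AS sets).
_DELIMITER = r"(?:^|$|[\s,{}()])"

def ios_regex_to_python(regexp: str) -> str:
    """Translate an IOS AS-path regular expression into a Python one."""
    return regexp.replace("_", _DELIMITER)

def as_path_matches(regexp: str, as_path: str) -> bool:
    """as_path is the AS_PATH as 'show ip bgp' prints it, e.g. '200 100'; '' is a local route."""
    return re.search(ios_regex_to_python(regexp), as_path) is not None

def as_path_acl(entries, as_path: str) -> bool:
    """Emulate 'ip as-path access-list': the first matching entry decides; implicit deny at the end."""
    for action, regexp in entries:
        if as_path_matches(regexp, as_path):
            return action == "permit"
    return False

# The slide's sample expressions and their meaning.
SAMPLES = {
    "_100_":    "going through AS 100",
    "^100$":    "directly connected to AS 100",
    "_100$":    "originated in AS 100",
    "^100_.*":  "networks behind AS 100",
    "^[0-9]+$": "AS paths one AS long",
    "^$":       "networks originated in local AS",
    ".*":       "matches everything",
}

# Constructed outbound filter: announce only local routes to the ISP (empty AS_PATH).
LOCAL_ONLY = [("permit", "^$")]
# Constructed inbound filter: drop anything that passed through AS 300, accept the rest.
NO_TRANSIT_300 = [("deny", "_300_"), ("permit", ".*")]

def describe(as_path: str):
    """Return the slide meanings that apply to a given AS_PATH."""
    return [meaning for rx, meaning in SAMPLES.items() if as_path_matches(rx, as_path)]
```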
Conditional Route Injection
• Used to inject more specific routes into BGP based on existence of certain routes
R1(config)# router bgp 50000
R1(config-router)# bgp inject-map ORIGIN exist-map LEARNED copy-attributes
R1(config)# ip prefix-list ROUTE permit 10.1.1.0/24
R1(config)# ip prefix-list ROUTE_SOURCE permit 10.2.1.1/32
R1(config)# ip prefix-list ORIGINATED_ROUTES permit 10.1.1.0/25
R1(config)# route-map LEARNED permit 10
R1(config-route-map)# match ip address prefix-list ROUTE
R1(config-route-map)# match ip route-source prefix-list ROUTE_SOURCE
R1(config)# route-map ORIGIN permit 10
R1(config-route-map)# set ip address prefix-list ORIGINATED_ROUTES
BGP Authentication
• Authentication is MD5
• Configured on a per-neighbor basis
R1(config)# router bgp 10
R1(config-router)# neighbor 10.1.1.2 remote-as 10
R1(config-router)# neighbor 10.1.1.2 password CISCO
R2(config)# router bgp 10
R2(config-router)# neighbor 10.1.1.1 remote-as 10
R2(config-router)# neighbor 10.1.1.1 password CISCO
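Added example, not from the slides: how the MD5 authentication configured above protects a BGP session on the wire, following the RFC 2385 TCP MD5 signature option (digest over the IP pseudo-header, the fixed TCP header with the checksum zeroed, the segment data and the shared password). The addresses, ports and sequence numbers are constructed; CISCO is the password from the slide.

```python
import hashlib
import hmac
import socket
import struct

MD5_OPTION_KIND = 19      # RFC 2385 TCP MD5 signature option
MD5_OPTION_LEN = 18       # kind + length + 16-byte digest

def tcp_fixed_header(sport, dport, seq, ack, flags, window, data_offset_words):
    """The fixed 20-byte TCP header, with checksum and urgent pointer zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset_words << 4, flags, window, 0, 0)

def md5_signature(src_ip, dst_ip, fixed_header, options_len, data, password):
    """RFC 2385 digest: IP pseudo-header (src, dst, 0, protocol 6, segment length),
    fixed TCP header with checksum zeroed (options excluded), data, then the password."""
    seg_len = len(fixed_header) + options_len + len(data)
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, seg_len)
    hdr = bytearray(fixed_header)
    hdr[16:18] = b"\x00\x00"
    m = hashlib.md5()
    for part in (pseudo, bytes(hdr), data, password.encode()):
        m.update(part)
    return m.digest()

def sign_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window, data, password):
    """Sender side: build the TCP header (fixed part + options) carrying the signature."""
    options_len = 20                           # 2 NOPs + the 18-byte MD5 option
    fixed = tcp_fixed_header(sport, dport, seq, ack, flags, window, 5 + options_len // 4)
    digest = md5_signature(src_ip, dst_ip, fixed, options_len, data, password)
    return fixed + b"\x01\x01" + bytes([MD5_OPTION_KIND, MD5_OPTION_LEN]) + digest

def verify_segment(src_ip, dst_ip, tcp_header, data, password):
    """Receiver side: recompute the digest and compare in constant time; no option = reject."""
    fixed, options = tcp_header[:20], tcp_header[20:]
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                          # end of option list
            break
        if kind == 1:                          # NOP
            i += 1
            continue
        if i + 1 >= len(options):              # truncated option: reject
            break
        length = options[i + 1]
        if kind == MD5_OPTION_KIND and length == MD5_OPTION_LEN:
            expected = md5_signature(src_ip, dst_ip, fixed, len(options), data, password)
            return hmac.compare_digest(options[i + 2:i + length], expected)
        i += length
    return False
```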
Route Flap Dampening
• Every time an eBGP route flaps it gets 1000 penalty points (only for eBGP)
• The penalty placed on a route is decayed using the exponential decay algorithm
• When the penalty exceeds “suppress limit”, the route is dampened (no longer used or propagated to other neighbors)
• A dampened route is propagated again when the penalty drops below the “reuse limit”
Configuring BGP Route Flap Dampening
R1(config-router)# bgp dampening [half-time reuse-limit suppress-limit max-suppress] [route-map route-map]
Parameter meaning:
• half-time – exponential decay half-time (time in which the penalty is halved)
• suppress-limit – penalty value at which the route starts to be dampened
• reuse-limit – penalty value at which the dampened route is reused
• max-suppress – maximum suppression time
• route-map – controls where BGP route dampening is enabled
Default BGP Dampening Parameter Values
The following default dampening parameter values are used if you don’t specify them:
• half-time 15 minutes
• per-flap penalty 1,000 (non-configurable)
• suppress limit 2,000
• reuse limit 750
• max-suppress-time 60 minutes
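Added example, not from the slides: a simulation of the dampening algorithm described above using the default values listed (half-time 15 minutes, penalty 1000 per flap, suppress limit 2000, reuse limit 750, max-suppress 60 minutes). The penalty ceiling derived from max-suppress models IOS behaviour that the slide does not mention, and the flap timings are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DampeningParams:
    half_life_min: float = 15.0
    reuse_limit: float = 750.0
    suppress_limit: float = 2000.0
    max_suppress_min: float = 60.0
    flap_penalty: float = 1000.0          # per flap, not configurable

    def penalty_ceiling(self) -> float:
        # Penalty that decays to the reuse limit in exactly max-suppress minutes (750 * 2^4 = 12000).
        return self.reuse_limit * 2 ** (self.max_suppress_min / self.half_life_min)

@dataclass
class RouteState:
    penalty: float = 0.0
    suppressed: bool = False
    last_update_min: float = 0.0

def decay(state: RouteState, p: DampeningParams, now_min: float) -> None:
    """Exponential decay: the penalty halves every half-time."""
    dt = now_min - state.last_update_min
    state.penalty *= 2 ** (-dt / p.half_life_min)
    state.last_update_min = now_min
    if state.suppressed and state.penalty < p.reuse_limit:
        state.suppressed = False              # below reuse-limit: route is used again

def flap(state: RouteState, p: DampeningParams, now_min: float) -> None:
    """An eBGP route flap adds 1000 points after decaying what was there."""
    decay(state, p, now_min)
    state.penalty = min(state.penalty + p.flap_penalty, p.penalty_ceiling())
    if state.penalty > p.suppress_limit:
        state.suppressed = True               # above suppress-limit: route is dampened

def simulate(flap_times_min, check_times_min, p=DampeningParams()):
    """Replay constructed flap times; report (time, penalty, suppressed) at each check time."""
    state = RouteState()
    events = sorted([(t, "flap") for t in flap_times_min] + [(t, "check") for t in check_times_min])
    report = []
    for t, kind in events:
        if kind == "flap":
            flap(state, p, t)
        else:
            decay(state, p, t)
            report.append((t, round(state.penalty), state.suppressed))
    return report

# Constructed scenario: three flaps one minute apart, then observe the recovery.
REPORT = simulate(flap_times_min=[0, 1, 2], check_times_min=[2.5, 30, 35])
```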
Limiting the Number of Routes Received from a Neighbor
Problem definition:
• A misconfigured BGP neighbor can send a huge number of prefixes that exhaust the router’s memory or overload the CPU
• All other filtering mechanisms only specify what we’re willing to accept but not how much
• Need to control the number of prefixes received from a neighbor
Maximum-Prefix Command
R1(config-router)# neighbor ip-address maximum-prefix maximum [threshold] [warning-only]
• Controls how many prefixes can be received from a neighbor
• The optional threshold parameter specifies the percentage at which a warning message is logged (default is 75%)
• The optional warning-only keyword specifies the action on exceeding the maximum number (default is to drop the neighborship)
--- CCIE R&S Advanced Lab ---
--- Session 5 continued, Multicast ---
Multicast
Address
RPF
Dense / Sparse mode
Source / shared tree
Static RP
Auto-RP
BSR
B-M-B
MSDP / Anycast
Multicast Address Range
Reverse Path Forwarding
RPF Calculation
RPF with two paths
Multicast Distribution Trees
Dense mode uses Source Push technology
Shared Distribution Tree
Sparse mode uses Shared Pull Technology
Characteristics of Distribution Trees
Multicast Tree Creation
PIM Sparse Mode
How does the network know about the RP?
Static RPs
Auto RP
• Intended for PIMv1
• C-RP candidates
• Mapping Agent (collects announcements and sends RP discovery messages on 224.0.1.40)
• The RPs announce on 224.0.1.39
• Recommended to locate the C-RP and Mapping Agent on the same router
• Uses dense mode to find the RP
Auto-RP configured
BSR Overview
PIM join messages that might inadvertently cross the border
ip pim bsr-border
Configuring BSR
Hash mask, priority
Anycast – RP Overview
MSDP
Anycast RP
Anycast RP - cont.
Broadcast-Multicast-Broadcast
First-hop router (the broadcast from 126.1.22.1 to 126.1.22.255 is converted to multicast 239.1.1.1):
interface ethernet 0
 ip pim sparse-mode
 ip multicast helper-map broadcast 239.1.1.1 105
!
access-list 105 permit udp host 126.1.22.1 host 126.1.22.255 eq 4000
ip forward-protocol udp 4000

Last-hop router (multicast 239.1.1.1 is converted back to the directed broadcast 131.1.1.255):
interface serial 0
 ip pim sparse-mode
 ip multicast helper-map 239.1.1.1 131.1.1.255 105
!
interface ethernet 1
 ip directed-broadcast
!
access-list 105 permit udp host 126.1.22.1 any eq 4000
ip forward-protocol udp 4000
--- CCIE R&S Advanced Lab ---
--- Session 6 QOS, Security ---
QOS
Modular QoS CLI (MQC)
LLQ
CAR – Committed Access Rate
WRED, CBWRED
Marking
Shaping, FRTS
Fragmenting
NBAR – Network Based Application Recognition
MQC Class-maps
class-map [match-all | match-any] Lab   (match-all is the default)
 match xxx
 match yyy
match ? – classification options:
• input interface f0/0
• destination MAC address
• source MAC address
• fr-de, fr-dlci
• cos, dscp, IP precedence
• any
• access-group
• protocol (NBAR; download PDLMs)
  – requires CEF
  – can run NBAR protocol discovery on the interface
• packet length min or max
Policy-Map and DSCP
policy-map Test
 class Lab
  set cos, ip dscp, ip precedence, …
  bandwidth xxx
  …
DSCP provides 64 different code points (colors) to mark traffic
mls qos map dscp-mutation – e.g. map DSCP 31 to 41
CBWFQ
• int f0/0
   max-reserved-bandwidth 80   (75% is the default)
• A policy-map can use kbps or percent, but not both
• policy-map Voice
   class CONTROL
    bandwidth 10
   class Media
    priority 1000
• Can have 255 classes in total
• When a strict priority queue is applied to a class, it is referred to as LLQ
CAR - Committed Access Rate
• Used on edge routers to classify and/or rate-limit traffic
• Can be applied to all traffic or to a subset of the traffic selected by an access list
• Configured on an interface:
rate-limit {input | output} bps normal-burst max-burst conform-action action exceed-action action
rate-limit {input | output} access-group index bps normal-burst max-burst conform-action action exceed-action action
• normal burst = configured rate × (1 byte / 8 bits) × 1.5 seconds
• extended burst = 2 × normal burst
CBWFQ Architecture policy
Applying RED
Configuring WRED on an interface
Parameters: minimum threshold (number of packets), maximum threshold (number of packets), mark probability denominator.
When the average queue size is above the minimum threshold, RED starts dropping packets.
The rate of packet drop increases linearly as the average queue size increases, until the average queue size reaches the maximum threshold.
The mark probability denominator is the fraction of packets dropped when the average queue size is at the maximum threshold. For example, with a denominator of 100, one out of every 100 packets is dropped when the average queue size is at the maximum threshold.
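Added example, not from the slides: the WRED drop behaviour described above as a function of the average queue size, extended to per-precedence profiles because that weighting is what makes RED "weighted". The threshold and denominator values in the profiles are constructed.

```python
# Constructed WRED profiles per IP precedence: (min threshold, max threshold,
# mark probability denominator), all in packets. Lower precedence is dropped earlier.
PROFILES = {
    0: (20, 40, 10),
    3: (28, 40, 10),
    5: (36, 40, 10),
}

def wred_drop_probability(avg_queue: float, min_th: int, max_th: int, mark_prob_denom: int) -> float:
    """Drop probability for one packet given the average queue depth.
    Below min: no drops. Between min and max: rises linearly from 0 to 1/denominator.
    Above max: every packet is dropped (tail drop)."""
    if avg_queue < min_th:
        return 0.0
    if avg_queue > max_th:
        return 1.0
    return (avg_queue - min_th) / (max_th - min_th) / mark_prob_denom

def drop_probability_for(precedence: int, avg_queue: float) -> float:
    """Look up the profile for a precedence and return its drop probability."""
    min_th, max_th, mpd = PROFILES[precedence]
    return wred_drop_probability(avg_queue, min_th, max_th, mpd)

def expected_drops(precedence: int, avg_queue_trace) -> float:
    """Expected drops for one packet per sample of a constructed average-queue trace."""
    return sum(drop_probability_for(precedence, q) for q in avg_queue_trace)
```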
Traffic Shaping
Shape Peak
Peak rate = CIR × (1 + Be/Bc)
Router(config-pmap-c)# shape {average | peak} cir [bc] [be]
Shape adaptive – reacts to the BECN field set to 1
• 25% slow-down when a BECN is received
• If 16 Tcs pass with no BECN, the rate increases by 1/16 every Tc
Can also use FECN-adapt to send information ahead to the other end with the BECN field.
Frame Relay Traffic Shaping
Time Committed (Tc) = 125 ms
Network Based Application Recognition (NBAR)
NBAR Application Support
Packet Description Language Module
NBAR Protocol Discovery
--- CCIE R&S Advanced Lab ---
--- Session 6 continued, Security ---
Security
Unicast Reverse Path Forwarding (uRPF)
Context Based Access Control (CBAC)
Unicast Reverse Path Forwarding (uRPF)
Unicast Reverse Path Forwarding (uRPF) is a feature originally created to implement Network Ingress Filtering, as described in RFC 2827 (BCP 38), "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing".
Configuring uRPF
By enabling Unicast Reverse Path Forwarding (uRPF), all spoofed packets will be dropped at the first device.
To enable uRPF, use the following commands.
R1(config)# ip cef
R1(config)# interface f0/0
R1(config-if)# ip verify unicast reverse-path
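Added example, not from the slides: a strict-mode uRPF check as configured above, run against a constructed FIB and constructed (source address, ingress interface) pairs. The allow-default behaviour models the IOS option of that name and is not on the slide.

```python
import ipaddress

# Constructed FIB: prefix -> egress interface. The default route points to the upstream link.
FIB = {
    "10.0.0.0/24":    "f0/0",     # inside LAN
    "192.168.1.0/24": "f0/1",     # second inside segment
    "0.0.0.0/0":      "s0/0",     # upstream (ISP)
}

def fib_lookup(fib, ip: str):
    """Longest-prefix match; returns (network, interface) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, intf in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, intf)
    return best

def urpf_strict_permits(fib, src_ip: str, ingress_intf: str, allow_default: bool = False) -> bool:
    """'ip verify unicast reverse-path' (strict mode): the packet passes only if the
    route back to its source leaves through the interface it arrived on. As in IOS,
    a match on the default route does not count unless allow-default is configured."""
    hit = fib_lookup(fib, src_ip)
    if hit is None:
        return False
    net, intf = hit
    if net.prefixlen == 0 and not allow_default:
        return False
    return intf == ingress_intf

def filter_packets(fib, packets):
    """Apply the check to (src_ip, ingress_intf) pairs; return the ones that would be dropped."""
    return [(src, intf) for src, intf in packets if not urpf_strict_permits(fib, src, intf)]

# Constructed traffic: legitimate inside traffic, an inside address arriving from the
# ISP link, an outside address arriving from the LAN, and normal upstream traffic.
PACKETS = [
    ("10.0.0.5", "f0/0"),        # legitimate
    ("10.0.0.5", "s0/0"),        # spoofed: inside address from the outside
    ("203.0.113.7", "f0/0"),     # spoofed: outside address from the inside
    ("203.0.113.7", "s0/0"),     # from upstream, reachable only via the default route
]
```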
CBAC - Context-Based Access Control
CBAC inspects TCP and UDP packets at the application layer.
CBAC monitors all outgoing requests by creating temporary openings for outbound traffic at the firewall interface. The return traffic is allowed in only if it is part of the original outgoing traffic.
CBAC inspects all outgoing packets and maintains state information for every session.
CBAC then decides whether to deny or permit the incoming traffic based on its state information.
How CBAC Works
ip inspect name FWRULE tcp
Example session from the figure: host 10.0.0.3 (port 2447) to 172.30.1.50 (port 23).
1. Control traffic is inspected by the CBAC rule.
2. CBAC creates a dynamic ACL allowing return traffic back through the firewall:
   access-list 102 permit tcp host 172.30.1.50 eq 23 host 10.0.0.3 eq 2447
3. CBAC continues to inspect control traffic and dynamically creates and removes ACLs as required by the application.
4. CBAC detects when an application terminates or times out and removes all dynamic ACLs for that session.
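Added example, not from the slides: a model of the four CBAC steps above, using the slide's Telnet session (10.0.0.3 port 2447 to 172.30.1.50 port 23) and its dynamic ACL entry. The class and method names are assumptions; the 3600 s idle timeout is the IOS default for TCP and is not on this slide.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)

class CbacInspector:
    """Models 'ip inspect name FWRULE tcp' applied outbound, with an inbound ACL that
    denies everything: only return traffic matching a dynamic entry gets in."""
    def __init__(self, inspected=("tcp",), idle_timeout_s: int = 3600):
        self.inspected = set(inspected)
        self.idle_timeout_s = idle_timeout_s          # 3600 s is the IOS TCP idle default
        self.dynamic_acl: Dict[Flow, float] = {}      # return flow -> last activity time

    def outbound(self, flow: Flow, now: float) -> None:
        """Steps 1-2: inspect the outgoing session and open the reverse 5-tuple."""
        if flow.proto in self.inspected:
            self.dynamic_acl[flow.reverse()] = now

    def inbound_permitted(self, flow: Flow, now: float) -> bool:
        """Step 3: admit only traffic that matches a live dynamic entry; refresh its timer."""
        self.expire(now)
        if flow in self.dynamic_acl:
            self.dynamic_acl[flow] = now
            return True
        return False

    def session_closed(self, flow: Flow) -> None:
        """Step 4: the application terminated (FIN/RST seen); drop its dynamic entry."""
        self.dynamic_acl.pop(flow.reverse(), None)

    def expire(self, now: float) -> None:
        """Step 4, timeout case: remove entries idle longer than the idle timeout."""
        for f in [f for f, t in self.dynamic_acl.items() if now - t > self.idle_timeout_s]:
            del self.dynamic_acl[f]

    def acl_lines(self) -> List[str]:
        """Render the dynamic entries in the slide's access-list notation."""
        return [f"permit {f.proto} host {f.src} eq {f.sport} host {f.dst} eq {f.dport}"
                for f in self.dynamic_acl]
# The slide's session: host 10.0.0.3 (port 2447) telnets to 172.30.1.50 (port 23).
TELNET = Flow("tcp", "10.0.0.3", 2447, "172.30.1.50", 23)
```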
CBAC Configuration
Enable Audit Trails and Alerts
Enable TCP SYN and FIN Times (30 s, 5 s)
TCP, UDP and DNS Idle Times (3 s, 1 h, 30 s)
Port to Application Mapping
Port Mapping Configuration
Configuring Inspection Rules
Apply Inspection Rule to an Interface