Tuesday, October 21, 2008

BGP Lab


Hi all,
I started studying for the CCIP certification; 642-661 BGP will be the next exam, so yesterday I created a lab for "Configure basic BGP" practice:

Finally a protocol that is supported by all my lab equipment! ;-)
Here are some configuration principles I used:
- loopbacks for iBGP neighbors, and an IGP with redistribution of connected interfaces and passive-interface default
- for the different BGP ASes I used private addressing (RFC 1918 ;-) with several overlapping networks, because IGP routes aren't propagated between ASes.

- AS64512, called "The Internet", is the main injection point; here I used random prefixes. Initially I injected about 20000 prefixes copied from a real route server, but my old 3550 had trouble saving such a big configuration: NVRAM doesn't have enough space ;-(

Now the lab is ready for transit/non-transit configuration, prefix lists, aggregation and so on. I will try each feature and post a small portion of the configuration using this topology.

Some tasks to solve for this lab:

1) Configure CustomerA (AS65400) to use the link CON15 <-> CON4 only as backup for both directions (in/out) using weight and AS-path prepend

Here is the relevant part of the CON15 configuration:
CON15# sh run | beg router bgp
router bgp 65400
no synchronization
bgp log-neighbor-changes
neighbor 10.0.3.1 remote-as 65002
neighbor 10.0.3.1 description CON3 (AS65002)
neighbor 10.0.3.1 update-source FastEthernet0/1
! for inbound routes I set weight = 1000, so this neighbor will be preferred for outbound traffic
neighbor 10.0.3.1 route-map BACKUP-LINK-in in
neighbor 10.0.3.5 remote-as 65002
neighbor 10.0.3.5 description CON4 (AS65002)
neighbor 10.0.3.5 update-source FastEthernet0/0.3
! for outbound routes I prepend 65400 three times to the as-path, so the provider will use the main link for incoming traffic
neighbor 10.0.3.5 route-map BACKUP-LINK-out out
neighbor 172.31.0.16 remote-as 65400
neighbor 172.31.0.16 description CON16
neighbor 172.31.0.16 update-source Loopback8
no auto-summary
!
route-map BACKUP-LINK-in permit 100
set weight 1000
!
route-map BACKUP-LINK-out permit 100
set as-path prepend 65400 65400 65400

The result, after a clear ip bgp for both neighbors, is:

CON4#sh ip bgp
BGP table version is 66, local router ID is 192.168.0.6
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*  16.17.19.0/24    10.0.3.6                                0 65400 65400 65400 65400 i
*>i                 10.0.3.2                 0    100      0 65400 i
*  130.25.16.0/20   10.0.3.6                                0 65400 65400 65400 65400 i
*>i                 10.0.3.2                 0    100      0 65400 i

and:
CON15# sh ip bgp
BGP table version is 97, local router ID is 10.0.4.6
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*  16.17.18.0/24    10.0.3.5                                0 65002 65300 i
*>                  10.0.3.1                             1000 65002 65300 i
*>i16.17.19.0/24    172.31.0.16              0    100      0 i
*  130.20.0.0       10.0.3.5                                0 65002 65200 64512 i
*>                  10.0.3.1                             1000 65002 65200 64512 i
r>i130.25.16.0/20   172.31.0.16              0    100      0 i
*  130.25.32.0/20   10.0.3.5                                0 65002 65300 i
*>                  10.0.3.1                             1000 65002 65300 i
*  140.24.0.0/13    10.0.3.5                                0 65002 65200 64512 i
*>                  10.0.3.1                             1000 65002 65200 64512 i
*  140.30.0.0       10.0.3.5                 0             0 65002 i
*>                  10.0.3.1                 0          1000 65002 i
*  150.15.5.0/24    10.0.3.5                                0 65002 65200 64512 i
*>                  10.0.3.1                             1000 65002 65200 64512 i
*> 150.15.10.0/24   10.0.3.5                                0 65002 ?
*> 150.15.15.0/24   10.0.3.5                                0 65002 ?
CON15#
OK, now AS 65400 and AS 65002 both use the CON15-CON3 link as the preferred path.
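To see why the two tables above come out the way they do, here is an added example (not from the original post) that models the IOS best-path steps relevant to task 1 and runs them over constructed copies of the CON4 and CON15 paths; the "locally originated" step and the router-ID/neighbor-address tie-breakers are left out.

```python
# Added example (not from the original post): a small model of the IOS BGP
# best-path steps that decide the outcome of task 1, run over constructed
# copies of the paths CON4 and CON15 show in "sh ip bgp". Simplified: the
# "locally originated" step and the router-ID/neighbor tie-breakers are omitted.
from dataclasses import dataclass
from typing import List

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}   # IGP < EGP < incomplete

@dataclass
class Path:
    next_hop: str
    as_path: List[int]        # as received, prepends included
    weight: int = 0           # Cisco-local, never advertised
    local_pref: int = 100
    med: int = 0              # only compared between paths from the same neighbor AS
    origin: str = "i"
    ebgp: bool = True

def decide(a: Path, b: Path):
    """Compare two paths in IOS order; return (winner, name of deciding step)."""
    if a.weight != b.weight:
        return (a if a.weight > b.weight else b), "weight"
    if a.local_pref != b.local_pref:
        return (a if a.local_pref > b.local_pref else b), "local-pref"
    if len(a.as_path) != len(b.as_path):
        return (a if len(a.as_path) < len(b.as_path) else b), "as-path length"
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:
        return (a if ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin] else b), "origin"
    same_neighbor_as = a.as_path[:1] == b.as_path[:1]   # default IOS: no MED across ASes
    if same_neighbor_as and a.med != b.med:
        return (a if a.med < b.med else b), "MED"
    if a.ebgp != b.ebgp:
        return (a if a.ebgp else b), "eBGP over iBGP"
    return a, "tie"

def best_path(paths: List[Path]):
    """Fold decide() over all paths; the step reported is from the final comparison."""
    best, why = paths[0], "only path"
    for p in paths[1:]:
        best, why = decide(best, p)
    return best, why

# CON4, 16.17.19.0/24: prepended eBGP path from CON15 vs the iBGP path via CON3
CON4_PATHS = [Path("10.0.3.6", [65400, 65400, 65400, 65400]),
              Path("10.0.3.2", [65400], ebgp=False)]
# CON15, 16.17.18.0/24: both paths via AS65002, CON3's carries weight 1000
CON15_PATHS = [Path("10.0.3.5", [65002, 65300]),
               Path("10.0.3.1", [65002, 65300], weight=1000)]
```

Calling best_path(CON4_PATHS) returns the 10.0.3.2 path, decided by AS-path length, and best_path(CON15_PATHS) returns the 10.0.3.1 path, decided by weight, matching the ">" markers in the two tables.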


2) Configure CON3 and CON4 to accept updates only for the customer's assigned prefixes (to avoid customer's mistakes) using prefix-lists

On both CON3 and CON4 I configured two prefix lists and applied them to the customer neighbors in the inbound direction, as follows:
CON3#sh run | beg router bgp
router bgp 65002
no synchronization
bgp log-neighbor-changes
aggregate-address 140.30.0.0 255.255.0.0 summary-only
neighbor 10.0.3.2 remote-as 65400
neighbor 10.0.3.2 description CON15 CustA
neighbor 10.0.3.2 update-source Vlan2
neighbor 10.0.3.2 prefix-list CustA in
neighbor 10.0.4.2 remote-as 65300
neighbor 10.0.4.2 description CON6 CustB
neighbor 10.0.4.2 update-source Vlan4
neighbor 10.0.4.2 prefix-list CustB in
neighbor 172.18.0.2 remote-as 65002
neighbor 172.18.0.2 update-source Loopback1
neighbor 172.18.0.3 remote-as 65002
neighbor 172.18.0.3 update-source Loopback1
no auto-summary
!
ip prefix-list CustA seq 100 permit 130.25.16.0/20
ip prefix-list CustA seq 200 permit 16.17.19.0/24
!
ip prefix-list CustB seq 100 permit 130.25.32.0/20
ip prefix-list CustB seq 200 permit 16.17.18.0/24


3) Configure CustomerB (AS65300) as NON-Transit using as-path filter lists

To accomplish this task I simply used a single as-path filter list; on CON6 I applied it through route-maps, on CON10 with filter-list directly on the neighbor:

CON6#sh run | beg router bgp
router bgp 65300
no synchronization
bgp log-neighbor-changes
neighbor 10.0.4.1 remote-as 65002
neighbor 10.0.4.1 description CON3 (AS65002)
neighbor 10.0.4.1 update-source FastEthernet0/0
neighbor 10.0.4.1 route-map ALLOW-LOCALLY-ORIGINATED_ONLY out
neighbor 10.0.4.5 remote-as 65002
neighbor 10.0.4.5 description CON4 (AS65002)
neighbor 10.0.4.5 update-source FastEthernet0/1
neighbor 10.0.4.5 route-map ALLOW-LOCALLY-ORIGINATED_ONLY out
neighbor 10.25.5.9 remote-as 65300
neighbor 10.25.5.9 description Neighbor CON9
neighbor 10.25.5.9 update-source Loopback5
neighbor 10.25.5.10 remote-as 65300
neighbor 10.25.5.10 description Neighbor CON10
neighbor 10.25.5.10 update-source Loopback5
neighbor 172.17.5.17 remote-as 65100
neighbor 172.17.5.17 description SP2 CON13
neighbor 172.17.5.17 route-map ALLOW-LOCALLY-ORIGINATED_ONLY out
no auto-summary
!
ip as-path access-list 1 permit ^$
!
route-map ALLOW-LOCALLY-ORIGINATED_ONLY permit 10
match as-path 1

and on CON10:

CON10#sh run | beg router bgp
router bgp 65300
no synchronization
bgp log-neighbor-changes
neighbor 10.25.5.6 remote-as 65300
neighbor 10.25.5.6 description Neighbor CON6
neighbor 10.25.5.6 update-source Loopback5
neighbor 10.25.5.9 remote-as 65300
neighbor 10.25.5.9 description Neighbor CON9
neighbor 10.25.5.9 update-source Loopback5
neighbor 192.168.23.1 remote-as 65200
neighbor 192.168.23.1 description Neighbor with SP1
neighbor 192.168.23.1 filter-list 1 out
no auto-summary
!
ip as-path access-list 1 permit ^$
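As an added example (not from the original post) covering both task 2 and task 3, the following code models the IOS prefix-list and as-path access-list semantics the two filters rely on and checks them against constructed announcements: what CON3 accepts from CustomerA with the CustA list, and what CON6 still announces to CON13 once only empty AS paths pass. The prefix-list matcher also handles ge/le, which the lab's lists do not use, to show why a customer's more-specific /24 is dropped by an exact-length entry.

```python
# Added example (not from the original post): how the inbound prefix-lists of
# task 2 and the "^$" as-path filter of task 3 decide what CON3 accepts from
# CustomerA and what CON6 advertises to CON13. Inputs are constructed; the IOS
# semantics are modelled only as far as needed: seq order, first match wins,
# exact length unless ge/le is given, implicit deny at the end.
import ipaddress
import re
from typing import List, Optional, Tuple

# (seq, action, prefix, ge, le), mirroring "ip prefix-list CustA seq 100 permit ..."
PrefixEntry = Tuple[int, str, str, Optional[int], Optional[int]]
CUST_A: List[PrefixEntry] = [(100, "permit", "130.25.16.0/20", None, None),
                             (200, "permit", "16.17.19.0/24", None, None)]

def entry_matches(entry: PrefixEntry, pfx: ipaddress.IPv4Network) -> bool:
    _, _, net, ge, le = entry
    base = ipaddress.ip_network(net)
    if not pfx.subnet_of(base):            # must lie inside the entry's block
        return False
    low = ge if ge is not None else base.prefixlen
    high = le if le is not None else (32 if ge is not None else base.prefixlen)
    return low <= pfx.prefixlen <= high

def prefix_list_permits(plist: List[PrefixEntry], prefix: str) -> bool:
    pfx = ipaddress.ip_network(prefix)
    for entry in sorted(plist):            # IOS evaluates in seq order
        if entry_matches(entry, pfx):
            return entry[1] == "permit"
    return False                           # implicit "deny 0.0.0.0/0 le 32"

def as_path_permits(regex: str, as_path: List[int]) -> bool:
    """ip as-path access-list: regex against the path as IOS prints it ("" = local)."""
    return re.search(regex, " ".join(str(asn) for asn in as_path)) is not None

# Constructed BGP table of CON6: one local prefix, two learned from AS65002
CON6_ROUTES = [("130.25.32.0/20", []),
               ("16.17.19.0/24", [65002, 65400]),
               ("130.20.0.0/16", [65002, 65200, 64512])]

def outbound_to_sp2(routes, filter_regex="^$"):
    """Prefixes CON6 would announce to CON13 with filter-list/route-map applied."""
    return [p for p, path in routes if as_path_permits(filter_regex, path)]
```

Without the "^$" filter, outbound_to_sp2 would return all three prefixes, and AS65300 would be offering transit between AS65002 and AS65100.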


4) Configure CustomerB (AS65300) to use CON6 <-> CON13 link as preferred path for both directions using MED and local preference.

Here MED alone is insufficient, because the MED attribute is not always propagated, only into the first AS: if I set MED on CON6 for outbound prefixes to CON13, only AS 65100 will receive the MED. When the same prefixes are received by AS65002 through CON8, the MED value has been removed.
So I must use something like this:

CON6#sh run | beg router bgp
router bgp 65300
no synchronization
bgp log-neighbor-changes
neighbor 10.0.4.1 remote-as 65002
neighbor 10.0.4.1 description CON3 (AS65002)
neighbor 10.0.4.1 update-source FastEthernet0/0
neighbor 10.0.4.1 route-map ALLOW-LOCALLY-ORIGINATED+MED+PREPEND out
neighbor 10.0.4.5 remote-as 65002
neighbor 10.0.4.5 description CON4 (AS65002)
neighbor 10.0.4.5 update-source FastEthernet0/1
neighbor 10.0.4.5 route-map ALLOW-LOCALLY-ORIGINATED+MED+PREPEND out
neighbor 10.25.5.9 remote-as 65300
neighbor 10.25.5.9 description Neighbor CON9
neighbor 10.25.5.9 update-source Loopback5
neighbor 10.25.5.10 remote-as 65300
neighbor 10.25.5.10 description Neighbor CON10
neighbor 10.25.5.10 update-source Loopback5
neighbor 172.17.5.17 remote-as 65100
neighbor 172.17.5.17 description SP2 CON13
neighbor 172.17.5.17 route-map Local-Pref-1000 in
neighbor 172.17.5.17 route-map ALLOW-LOCALLY-ORIGINATED_ONLY out
no auto-summary
!
ip as-path access-list 1 permit ^$
!
route-map ALLOW-LOCALLY-ORIGINATED+MED+PREPEND permit 100
match as-path 1
set metric 100
set as-path prepend 65300 65300
!
route-map ALLOW-LOCALLY-ORIGINATED_ONLY permit 10
match as-path 1
!
route-map Local-Pref-1000 permit 100
set local-preference 1000
(Similar config for CON10)
With this configuration I set MED and AS-path prepend on the backup links (highest MED = worst path) and allow only locally originated prefixes, as specified in task 3.
This means MED is the right tool to tell your neighbors which link you prefer, but it works only when the neighbors on both links belong to the same AS.
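The following is an added example (not from the original post) that models how the three attributes used in task 4 travel across eBGP hops, using simplified IOS rules (LOCAL_PREF never leaves the AS, a MED learned from one AS is stripped before re-advertising to another AS, AS_PATH grows by the advertising AS plus any prepend); the routes, and the "MED set toward CON13" what-if from the text, are constructed.

```python
# Added example (not from the original post): a model of how the attributes used
# in task 4 travel across eBGP hops, with simplified IOS rules: LOCAL_PREF never
# leaves the AS, a MED learned from one AS is stripped before re-advertising to
# another AS, and AS_PATH grows by the advertising AS plus any prepend. Routes,
# and the "MED set toward CON13" what-if from the text, are constructed.
from dataclasses import dataclass
from typing import List, Optional, Sequence

@dataclass
class Route:
    prefix: str
    as_path: List[int]
    learned_from: Optional[int] = None    # neighbor AS it came from; None = local
    med: Optional[int] = None
    local_pref: Optional[int] = 100       # None while on the wire between ASes

def ebgp_export(r: Route, my_as: int, set_med: Optional[int] = None,
                prepend: Sequence[int] = ()) -> Route:
    """What my_as sends to an eBGP neighbor, outbound route-map applied."""
    med = None if r.learned_from is not None else r.med   # MED is non-transitive
    if set_med is not None:                               # "set metric" in route-map
        med = set_med
    return Route(r.prefix, list(prepend) + [my_as] + r.as_path, my_as, med, None)

def ebgp_import(r: Route, set_local_pref: Optional[int] = None) -> Route:
    """Receiving side: LOCAL_PREF is assigned locally (default 100 or route-map)."""
    return Route(r.prefix, r.as_path, r.learned_from, r.med,
                 set_local_pref if set_local_pref is not None else 100)

def task4_scenario():
    local = Route("130.25.32.0/20", [])                   # originated in AS65300
    # What-if from the text: CON6 sets MED 100 toward CON13 (AS65100)
    at_65100 = ebgp_import(ebgp_export(local, 65300, set_med=100))
    # CON8 (AS65100) passes the route on to AS65002: the MED does not survive
    via_sp2_at_65002 = ebgp_import(ebgp_export(at_65100, 65100))
    # Backup link CON6 -> CON3 with route-map ALLOW-LOCALLY-ORIGINATED+MED+PREPEND
    direct_at_65002 = ebgp_import(
        ebgp_export(local, 65300, set_med=100, prepend=[65300, 65300]))
    # Inbound from CON13, route-map Local-Pref-1000; the value stays inside AS65300
    from_sp2 = ebgp_import(Route("150.15.5.0/24", [65100, 65200, 64512], 65100),
                           set_local_pref=1000)
    relayed = ebgp_export(from_sp2, 65300)
    return {"at_65100": at_65100, "via_sp2_at_65002": via_sp2_at_65002,
            "direct_at_65002": direct_at_65002, "from_sp2": from_sp2, "relayed": relayed}
```

In the returned scenario AS65002 holds the prefix with a two-hop path via AS65100 and a three-hop prepended path straight from AS65300, so it prefers the CON13 side on AS-path length, while the MED only ever matters to the AS that received it directly.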

