Tuesday, January 17, 2012

BGP OVERVIEW

BGP Overview
---------------
Open standards based (RFC 4271)
Classless path-vector protocol
 - uses multiple attributes for routing decisions
 - supports VLSM and summarization
 - extensible
   - IPv4, multicast, IPv6, MPLS etc.

AS (Autonomous System)
   - a set of routers under a single technical administration
   - ASNs are allocated by IANA
BGP ASN VALUES
---------------
Originally a 2-byte field
 - values 0-65535
 - public ASNs 1-64511
 - private ASNs 64512-65535
Currently a 4-byte field
 - RFC 4893 "BGP Support for Four-octet AS Number Space"
 - IOS support as of 12.4(24)T

4 Byte BGP ASN
---------------
- asdot notation: 0.0-65535.65535
- 0.[0-65535] denotes the original 2-byte ASN range
Requires backward compatibility with old code
  - 4-byte ASN support is negotiated during the capability exchange (capability code 65)
  - "old" 2-byte-only BGP speakers are sent the reserved placeholder ASN 23456 (AS_TRANS) in the
    2-byte field in place of any 4-byte ASN
  - the real AS path is carried across them in the optional transitive attributes AS4_PATH and
    AS4_AGGREGATOR

BGP PACKET TYPES
----------------------------
Every BGP message starts with a 19-byte header: 16-byte marker (all ones), 2-byte length, 1-byte type
 - type 1 OPEN: first message after the TCP session is up; carries version, my AS, hold time, BGP
   router ID and the optional parameters (capabilities) seen in the debugs below
 - type 2 UPDATE: withdrawn routes, path attributes (AS_PATH, NEXT_HOP etc.) and the prefixes (NLRI)
 - type 3 NOTIFICATION: error code/subcode (e.g. 4/0 hold timer expired); the session is closed after it
 - type 4 KEEPALIVE: header only, sent every keepalive interval to hold the session up
 - type 5 ROUTE-REFRESH (RFC 2918): negotiated as a capability; asks the peer to resend its routes


ESTABLISHING BGP PEERINGS
--------------------------
Like an IGP, the first step in BGP is to find neighbors to exchange information with
Unlike an IGP
     - BGP does not have its own transport (it runs on top of TCP)
     - BGP has different types of neighbors (iBGP, eBGP, route reflector, confederation peer)
     - BGP neighbors are not discovered dynamically
     - BGP neighbors do not have to be directly connected (since TCP is used, IGP reachability
       between the two peering addresses is enough to form the session)
BGP TRANSPORT
--------------
- BGP uses TCP port 179 for transport
   - implies that BGP needs IP reachability first (a connected route or the IGP) before the TCP
     session can form
A BGP neighbor statement tells the process to
   - listen for the remote address on TCP 179
   - initiate a session to the remote address on TCP 179
   - if both speakers initiate at the same time there is a connection collision; the connection
     initiated by the speaker with the higher BGP router ID is kept and the other is closed
     (RFC 4271 section 6.8)
The TCP server must agree on where the client session is coming from (via the neighbor statement)
    - if the server does not expect a connection from that source address it refuses it with a TCP RST
    - client packets are by default sourced from the address of the outgoing interface chosen by the
      routing table; this can be changed per neighbor with the update-source command
BGP Peering Type
----------------
External BGP (eBGP) peers
  - neighbors in a different AS
Internal BGP (iBGP) peers
  - neighbors inside the local AS
Update and path-selection rules change depending on what type of peer a route is being
sent to/received from
EBGP Peering Rules
-------------------
eBGP packets default to a TTL of 1
    - this can be modified if neighbors are multiple hops away with
      neighbor <address> ebgp-multihop [ttl]
      or
      neighbor <address> ttl-security hops <hop-count>
neighbor ttl-security hops is a security feature (GTSM, RFC 5082) meant to stop a certain class of
attack. An attacker who can predict the TCP sequence number can originate a spoofed TCP RST and take
down a BGP session. TTL security works against this because the admin knows how many hops away a
neighbor is: with ttl-security the router sends its own BGP packets with TTL 255 and only accepts
incoming BGP packets whose TTL is at least 255 minus the configured hop count. For a neighbor 2 hops
away (hops 2) anything arriving with a TTL below 253 is discarded. The thinking is that most of these
attacks originate from the Internet, where the hop count will be far larger than 2, and an attacker
cannot increase the TTL of a packet as it crosses routers. Note that the argument is a hop count, not
a TTL value: "hops 253" would accept any packet with a TTL of 2 or more, which defeats the purpose.
MD5 authentication (neighbor <address> password) also prevents spoofed segments, but attackers have
used the authentication mechanism itself as an attack. The MD5 signature (TCP option 19, RFC 2385) is
part of every TCP segment, so every segment received has to have its MD5 hash checked, which takes
CPU. Attackers have flooded BGP routers with segments carrying random MD5 signatures to exhaust the
control plane and prevent further connections. TTL security can be used as a lightweight precheck
before the MD5 check is done.


Non-multihop peers must be directly connected by default
   - this can be modified if a directly connected neighbor peers via a loopback
When eBGP is left at the default it will only originate the OPEN (and accept the TCP connection) if
the neighbor address is reachable via a connected route in the routing table. If you are peering
between the loopbacks of directly connected routers it will not, as the loopback is not a connected
route. To disable this behaviour we can use
neighbor <address> disable-connected-check
The loopback is still only 1 TTL hop away, so we do not have to configure ebgp-multihop as well.
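An added example, not from the original notes, of the TTL arithmetic behind the three commands above: a small hop-by-hop model that walks a packet through forwarding routers, the GTSM accept rule (TTL >= 255 - hops) as IOS applies it for neighbor ttl-security hops, and the cases that come up in the lab later on this page (the default TTL of 1 dying at the first transit router with an ICMP type 11, a peer two hops away arriving with TTL 254, and a spoofed packet from further away). The packet walk and the 15-router attacker are constructed for illustration; the threshold rule is the documented IOS / RFC 5082 behaviour.

```python
# Added example (not from the original notes): a hop-by-hop TTL model for the
# eBGP default, ebgp-multihop and ttl-security cases.  The packet walk and the
# sample peers are constructed; the accept rule (TTL >= 255 - hops) is the
# documented IOS / RFC 5082 behaviour.
EBGP_DEFAULT_TTL = 1     # what IOS puts on eBGP packets unless told otherwise
MULTIHOP_TTL = 255       # 'ebgp-multihop' with no argument, and what ttl-security always sends


def deliver(initial_ttl, intermediate_routers):
    """Carry one packet across `intermediate_routers` forwarding routers.
    Each forwarding router decrements TTL; if that reaches 0 it drops the packet
    and answers with ICMP type 11 code 0 (time exceeded), which is what r4 saw
    coming back from r5.  Returns (ttl_at_peer, None) or (None, (router_number, icmp))."""
    ttl = initial_ttl
    for hop in range(1, intermediate_routers + 1):
        ttl -= 1
        if ttl <= 0:
            return None, (hop, "ICMP type=11, code=0")
    return ttl, None


def gtsm_accepts(received_ttl, configured_hops):
    """'neighbor <addr> ttl-security hops <N>': accept only if TTL >= 255 - N.
    N is a hop count (1-254), not a TTL value."""
    if not 1 <= configured_hops <= 254:
        raise ValueError("hops must be between 1 and 254")
    return received_ttl >= 255 - configured_hops


def lab_cases():
    """Replay the situations from the lab plus one spoofing attempt (constructed)."""
    results = {}
    # r4 -> s1 with r5 in between and the eBGP default TTL: r5 returns ICMP 11/0.
    results["default_ttl_via_r5"] = deliver(EBGP_DEFAULT_TTL, 1)
    # Same path after ebgp-multihop / ttl-security: arrives at s1 with 254.
    arrived, _ = deliver(MULTIHOP_TTL, 1)
    results["multihop_arrival_ttl"] = arrived
    # Correct setting for a peer two hops away: hops 2 -> threshold 253.
    results["hops2_accepts_real_peer"] = gtsm_accepts(arrived, 2)
    # A spoofed RST from a host 15 routers away, even if it starts at TTL 255.
    spoof_ttl, _ = deliver(255, 15)
    results["spoof_arrival_ttl"] = spoof_ttl
    results["hops2_rejects_spoof"] = not gtsm_accepts(spoof_ttl, 2)
    # 'hops 253' (the value typed in the lab) sets the threshold to 2 and lets it in.
    results["hops253_accepts_spoof"] = gtsm_accepts(spoof_ttl, 253)
    return results


if __name__ == "__main__":
    for name, value in lab_cases().items():
        print(f"{name}: {value}")
```

The model deliberately has no way for a sender to raise the TTL of a packet in flight, which is the whole basis of GTSM: a packet that arrives with TTL 240 cannot have come from two hops away, so a 2-hop threshold rejects it without ever touching an MD5 option.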

Loop prevention is done via AS_PATH
  - any time a route is advertised to an eBGP peer the local ASN is prepended to the AS_PATH in the
    outbound update
  - in the AS_PATH the rightmost AS is the originator and the leftmost is the last AS the route
    went through
  - if an update is received with the local AS in the AS_PATH it is discarded
    this can be modified with
    neighbor <address> allowas-in [number]
    we may want to do this if there are two sites using the same AS number with a different AS
    between them (for example two customer sites behind a provider's MPLS VPN)
- Next-hop processing
    when you send an update to an eBGP neighbor, the source address you peer from (the update-source)
    becomes the NEXT_HOP your neighbor installs in its routing table
   - you can modify this with a route-map and set ip next-hop; generally you should not

IBGP PEERING RULES
------------------
- iBGP packets default to TTL 255
   - implies neighbors do not need to be directly connected as long as they have TCP
     reachability via the IGP
- Loop prevention via route filtering
    - iBGP-learned routes cannot be advertised on to another iBGP neighbor
    - implies the need for either a full mesh, route reflectors or a confederation
    - from a path-selection point of view full mesh is the best, but in large environments it would
      cause far too much overhead in TCP sessions and update traffic
- Next-hop processing
    - outbound iBGP updates do not modify the NEXT_HOP attribute regardless of iBGP peer type
      (iBGP, route reflector, confederation peer)
    - we can modify this with the command
        neighbor <address> next-hop-self, or a route-map with set ip next-hop
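An added example (not the notes' own material) that applies the eBGP and iBGP rules above to the prefix 55.55.55.0/24 used in the lab later on this page: the inbound AS_PATH loop check with and without allowas-in, the outbound prepend and NEXT_HOP rewrite toward an eBGP peer, the untouched NEXT_HOP toward an iBGP peer unless next-hop-self is set, and the rule that an iBGP-learned route is not re-advertised to another iBGP peer. The iBGP peer 10.0.0.9 and the looped path [64513, 64512, 64514] are constructed; r5 (5.5.5.5), s1 and the ASNs are the lab's.

```python
from dataclasses import dataclass

# Added example (not from the original notes): the per-peer update rules from the
# eBGP and iBGP sections applied to the lab's prefixes.  The iBGP peer 10.0.0.9 and
# the looped AS_PATH are constructed for illustration.
LOCAL_AS = 64512


@dataclass
class Peer:
    address: str
    remote_as: int
    update_source: str           # address we peer from; becomes NEXT_HOP on eBGP updates
    allowas_in: int = 0          # 'neighbor X allowas-in [n]': tolerate our own AS up to n times
    next_hop_self: bool = False  # 'neighbor X next-hop-self' on iBGP sessions

    @property
    def is_ebgp(self):
        return self.remote_as != LOCAL_AS


@dataclass
class Route:
    prefix: str
    as_path: list
    next_hop: str
    learned_from_ibgp: bool = False


def accept_update(route, peer):
    """Inbound AS_PATH loop check.  The rightmost AS is the originator and the
    leftmost the last AS the route passed through; if our own AS appears at all
    the update is discarded, unless allowas-in permits up to n occurrences."""
    if route.as_path.count(LOCAL_AS) > peer.allowas_in:
        return None
    return Route(route.prefix, list(route.as_path), route.next_hop,
                 learned_from_ibgp=not peer.is_ebgp)


def build_outbound(route, peer):
    """Outbound rules.  eBGP: prepend our AS and set NEXT_HOP to the address we peer
    from.  iBGP: never re-advertise an iBGP-learned route (full mesh / RR / confed
    exist for this), and leave AS_PATH and NEXT_HOP untouched unless next-hop-self."""
    if peer.is_ebgp:
        return Route(route.prefix, [LOCAL_AS] + route.as_path, peer.update_source)
    if route.learned_from_ibgp:
        return None
    next_hop = peer.update_source if peer.next_hop_self else route.next_hop
    return Route(route.prefix, list(route.as_path), next_hop)


def demo():
    """Walk 55.55.55.0/24 from r5 through r4 to s1 and to a constructed iBGP peer."""
    r5 = Peer("5.5.5.5", 64513, update_source="4.4.4.4")
    s1 = Peer("10.164.49.1", 64514, update_source="172.25.13.4")
    ibgp = Peer("10.0.0.9", LOCAL_AS, update_source="4.4.4.4")              # constructed
    ibgp_nhs = Peer("10.0.0.9", LOCAL_AS, update_source="4.4.4.4", next_hop_self=True)
    r5_lenient = Peer("5.5.5.5", 64513, update_source="4.4.4.4", allowas_in=1)

    out = {}
    learned = accept_update(Route("55.55.55.0/24", [64513], "5.5.5.5"), r5)
    out["learned"] = learned
    # A path that already carries 64512 (constructed): dropped, unless allowas-in.
    looped = Route("10.10.0.0/16", [64513, LOCAL_AS, 64514], "5.5.5.5")
    out["looped_default"] = accept_update(looped, r5)
    out["looped_allowas_in"] = accept_update(looped, r5_lenient)
    out["to_s1"] = build_outbound(learned, s1)
    out["to_ibgp"] = build_outbound(learned, ibgp)
    out["to_ibgp_nhs"] = build_outbound(learned, ibgp_nhs)
    # What the iBGP peer could do with it next: not pass it on to another iBGP peer.
    via_ibgp = accept_update(out["to_ibgp"], ibgp)            # as stored on the iBGP peer
    out["ibgp_readvertise"] = build_outbound(via_ibgp, ibgp)  # None: iBGP split horizon
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note the asymmetry the two functions encode: the AS_PATH check is the only loop protection eBGP has, whereas iBGP relies on never re-advertising, which is why a route received from an iBGP peer keeps the eBGP peer's NEXT_HOP and why route reflectors or a full mesh are needed to get it to the rest of the AS.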
   
LAB
----
We will look at eBGP neighbor formation between a few routers with debug on.
For the underlying IGP for connectivity we will use EIGRP; all links are configured under
eigrp 1 so we should have connectivity. I will start by forming a neighbor relationship over
the Frame Relay link between r4 and r5.




I will put debug on on r4 and r5.
First I will create an access list to filter EIGRP out of debug ip packet detail:
r5(config)#access-list 180 deny eigrp any any
r5(config)#access-list 180 permit ip any any

r5#debug ip bgp
BGP debugging is on for address family: unknown
r5#debug ip packet detail 180

same on r4

on
r5
---
I will start BGP
r5(config)#router bgp 64513
r5(config-router)#neighbor 10.229.254.4 remote-as 64512

r4
--

r4#
*Jan 15 15:29:24.447: IP: s=10.229.254.5 (Serial0/0/0), d=10.229.254.4, len 44, rcvd 0
*Jan 15 15:29:24.447:     TCP src=34337, dst=179, seq=1517807408, ack=0, win=16384 SYN
*Jan 15 15:29:24.447: IP: tableid=0, s=10.229.254.4 (local), d=10.229.254.5 (Serial0/0/0), routed via FIB
*Jan 15 15:29:24.447: IP: s=10.229.254.4 (local), d=10.229.254.5 (Serial0/0/0), len 40, sending
*Jan 15 15:29:24.447:     TCP src=179, dst=34337, seq=0, ack=1517807409, win=0 ACK RST

We can see r4 receiving a BGP packet from 10.229.254.5 on Serial0/0/0 with TCP source port 34337 and
destination port 179 (BGP). As r4 does not yet have a neighbor statement for 10.229.254.5 it will not
continue with this and sends back to r5 an ACK RST, resetting the connection.
OK, on r4 I will now configure the neighbor statement

r4(config)#router bgp 64512
r4(config-router)#neighbor 10.229.254.5 remote-as 64513

Jan 15 15:31:49.895: BGP: 10.229.254.5 went from Idle to Active
*Jan 15 15:31:49.895: BGP: 10.229.254.5 open active delayed 30260ms (35000ms max, 28% jitter)
*Jan 15 15:32:00.907: IP: s=10.229.254.5 (Serial0/0/0), d=10.229.254.4, len 44, rcvd 0
*Jan 15 15:32:00.907:     TCP src=14210, dst=179, seq=4017340293, ack=0, win=16384 SYN
*Jan 15 15:32:00.911: IP: tableid=0, s=10.229.254.4 (local), d=10.229.254.5 (Serial0/0/0), routed via FIB
*Jan 15 15:32:00.911: IP: s=10.229.254.4 (local), d=10.229.254.5 (Serial0/0/0), len 44, sending
*Jan 15 15:32:00.911:     TCP src=179, dst=14210, seq=3873578286, ack=4017340294, win=16384 ACK SYN
*Jan 15 15:32:00.943: IP: s=10.229.254.5 (Serial0/0/0), d=10.229.254.4, len 40, rcvd 0
*Jan 15 15:32:00.943:     TCP src=14210, dst=179, seq=4017340294, ack=3873578287, win=16384 ACK
*Jan 15 15:32:00.947: BGP: 10.229.254.5 passive open to 10.229.254.4
*Jan 15 15:32:00.947: BGP: 10.229.254.5 went from Active to Idle
*Jan 15 15:32:00.947: BGP: 10.229.254.5 went from Idle to Connect
*Jan 15 15:32:00.963: IP: s=10.229.254.5 (Serial0/0/0), d=10.229.254.4, len 85, rcvd 0
*Jan 15 15:32:00.963:     TCP src=14210, dst=179, seq=4017340294, ack=3873578287, win=16384 ACK PSH
*Jan 15 15:32:00.967: BGP: 10.229.254.5 rcv message type 1, length (excl. header) 26
*Jan 15 15:32:00.967: BGP: 10.229.254.5 rcv OPEN, version 4, holdtime 180 seconds
*Jan 15 15:32:00.967: BGP: 10.229.254.5 went from Connect to OpenSent
*Jan 15 15:32:00.967: BGP: 10.229.254.5 sending OPEN, version 4, my as: 64512, holdtime 180 seconds
*Jan 15 15:32:00.967: BGP: 10.229.254.5 rcv OPEN w/ OPTION parameter len: 16
*Jan 15 15:32:00.967: BGP: 10.229.254.5 rcvd OPEN w/ optional parameter type 2 (Capability) len 6
*Jan 15 15:32:00.967: BGP: 10.229.254.5 OPEN has CAPABILITY code: 1, length 4
*Jan 15 15:32:00.967: BGP: 10.229.254.5 OPEN has MP_EXT CAP for afi/safi: 1/1
*Jan 15 15:32:00.967: BGP: 10.229.254.5 rcvd OPEN w/ optional parameter type 2 (Capability) len 2
*Jan 15 15:32:00.967: BGP: 10.229.254.5 OPEN has CAPABILITY code: 128, length 0
*Jan 15 15:32:00.967: BGP: 10.229.254.5 OPEN has ROUTE-REFRESH capability(old) for all address-families
*Jan 15 15:32:00.967: BGP: 10.229.254.5 rcvd OPEN w/ optional parameter type 2 (Capability) len 2
*Jan 15 15:32:00.967: BGP: 10.229.254.5 OPEN has CAPABILITY code: 2, length 0
*Jan 15 15:32:00.967: BGP: 10.229.254.5 OPEN has ROUTE-REFRESH capability(new) for all address-families
BGP: 10.229.254.5 rcvd OPEN w/ remote AS 64513
*Jan 15 15:32:00.967: BGP: 10.229.254.5 went from OpenSent to OpenConfirm
*Jan 15 15:32:00.967: BGP: 10.229.254.5 send message type 1, length (incl. header) 45
*Jan 15 15:32:00.967: IP: tableid=0, s=10.229.254.4 (local), d=10.229.254.5 (Serial0/0/0), routed via FIB
*Jan 15 15:32:00.967: IP: s=10.229.254.4 (local), d=10.229.254.5 (Serial0/0/0), len 104, sending
*Jan 15 15:32:00.967:     TCP src=179, dst=14210, seq=3873578287, ack=4017340339, win=16339 ACK PSH
*Jan 15 15:32:01.027: IP: s=10.229.254.5 (Serial0/0/0), d=10.229.254.4, len 59, rcvd 0
*Jan 15 15:32:01.027:     TCP src=14210, dst=179, seq=4017340339, ack=3873578351, win=16320 ACK PSH
*Jan 15 15:32:01.031: BGP: 10.229.254.5 went from OpenConfirm to Established
*Jan 15 15:32:01.031: %BGP-5-ADJCHANGE: neighbor 10.229.254.5 Up

OK so r4 goes from Idle to Active and answers r5's SYN
----------------------------------

*Jan 15 15:32:00.911: IP: tableid=0, s=10.229.254.4 (local), d=10.229.254.5 (Serial0/0/0), routed via FIB
*Jan 15 15:32:00.911: IP: s=10.229.254.4 (local), d=10.229.254.5 (Serial0/0/0), len 44, sending
*Jan 15 15:32:00.911:     TCP src=179, dst=14210, seq=3873578286, ack=4017340294, win=16384 ACK SYN

As r4 is the TCP server here, listening on port 179 (the destination port r5 connected to), it
responds with source port 179 to destination port 14210, the ephemeral port r5 sourced the
connection from.

next
-----
*Jan 15 15:32:00.947: BGP: 10.229.254.5 went from Active to Idle
*Jan 15 15:32:00.947: BGP: 10.229.254.5 went from Idle to Connect
*Jan 15 15:32:00.963: IP: s=10.229.254.5 (Serial0/0/0), d=10.229.254.4, len 85, rcvd 0
*Jan 15 15:32:00.963:     TCP src=14210, dst=179, seq=4017340294, ack=3873578287, win=16384 ACK PSH
*Jan 15 15:32:00.967: BGP: 10.229.254.5 rcv message type 1, length (excl. header) 26
*Jan 15 15:32:00.967: BGP: 10.229.254.5 rcv OPEN, version 4, holdtime 180 seconds
*Jan 15 15:32:00.967: BGP: 10.229.254.5 went from Connect to OpenSent
*Jan 15 15:32:00.967: BGP: 10.229.254.5 sending OPEN, version 4, my as: 64512, holdtime 180 seconds
*Jan 15 15:32:00.967: BGP: 10.229.254.5 rcv OPEN w/ OPTION parameter len: 16
*Jan 15 15:32:00.967: BGP: 10.229.254.5 rcvd OPEN w/ optional parameter type 2 (Capability) len 6
*Jan 15 15:32:00.967: BGP: 10.229.254.5 OPEN has CAPABILITY code: 1, length 4
*Jan 15 15:32:00.967: BGP: 10.229.254.5 OPEN has MP_EXT CAP for afi/safi: 1/1
*Jan 15 15:32:00.967: BGP: 10.229.254.5 rcvd OPEN w/ optional parameter type 2 (Capability) len 2
*Jan 15 15:32:00.967: BGP: 10.229.254.5 OPEN has CAPABILITY code: 128, length 0
*Jan 15 15:32:00.967: BGP: 10.229.254.5 OPEN has ROUTE-REFRESH capability(old) for all address-families
*Jan 15 15:32:00.967: BGP: 10.229.254.5 rcvd OPEN w/ optional parameter type 2 (Capability) len 2
*Jan 15 15:32:00.967: BGP: 10.229.254.5 OPEN has CAPABILITY code: 2, length 0
*Jan 15 15:32:00.967: BGP: 10.229.254.5 OPEN has ROUTE-REFRESH capability(new) for all address-families
BGP: 10.229.254.5 rcvd OPEN w/ remote AS 64513
*Jan 15 15:32:00.967: BGP: 10.229.254.5 went from OpenSent to OpenConfirm

We go from Active to Idle, then Idle to Connect once the TCP handshake completes (the 85-byte packet
is r5's OPEN: 40 bytes of IP/TCP headers plus the 45-byte OPEN message). Then we start agreeing on
parameters: r5's OPEN says it supports route refresh (both the old and the new capability code), IPv4
unicast (MP_EXT afi/safi 1/1) and so on. r4 sends its own OPEN and moves to OpenConfirm, which is
basically saying yes, I agree with all those parameters and we can use them; if it did not agree it
would send a NOTIFICATION instead. The 104-byte packet r4 sends is its 45-byte OPEN followed by a
19-byte KEEPALIVE, and the 59-byte packet coming back is r5's KEEPALIVE, which takes r4 to Established.
Notice r5 sent a hold time of 180 seconds. If r4 had a lower hold time we would not go to
NOTIFICATION, we would simply use the lower of the two: whoever has the lowest hold time wins. We
will try this out.
we will try this out

so on r5
--------
r5(config)#router bgp 64513
r5(config-router)#timers bgp 10 40
r5(config-router)#
r4
---
*Jan 16 18:39:51.099: BGP: 10.229.254.5 rcv OPEN, version 4, holdtime 40 seconds
*Jan 16 18:39:51.099: BGP: 10.229.254.5 went from Connect to OpenSent
*Jan 16 18:39:51.099: BGP: 10.229.254.5 sending OPEN, version 4, my as: 64512, holdtime 180 seconds
*Jan 16 18:39:51.099: BGP: 10.229.254.5 rcv OPEN w/ OPTION parameter len: 16
*Jan 16 18:39:51.099: BGP: 10.229.254.5 rcvd OPEN w/ optional parameter type 2 (Capability) len 6
*Jan 16 18:39:51.099: BGP: 10.229.254.5 OPEN has CAPABILITY code: 1, length 4
*Jan 16 18:39:51.099: BGP: 10.229.254.5 OPEN has MP_EXT CAP for afi/safi: 1/1
*Jan 16 18:39:51.099: BGP: 10.229.254.5 rcvd OPEN w/ optional parameter type 2 (Capability) len 2
*Jan 16 18:39:51.099: BGP: 10.229.254.5 OPEN has CAPABILITY code: 128, length 0
*Jan 16 18:39:51.099: BGP: 10.229.254.5 OPEN has ROUTE-REFRESH capability(old) for all address-families
*Jan 16 18:39:51.099: BGP: 10.229.254.5 rcvd OPEN w/ optional parameter type 2 (Capability) len 2
*Jan 16 18:39:51.099: BGP: 10.229.254.5 OPEN has CAPABILITY code: 2, length 0
*Jan 16 18:39:51.099: BGP: 10.229.254.5 OPEN has ROUTE-REFRESH capability(new) for all address-families
BGP: 10.229.254.5 rcvd OPEN w/ remote AS 64513
*Jan 16 18:39:51.099: BGP: 10.229.254.5 went from OpenSent to OpenConfirm
*Jan 16 18:39:51.099: BGP: 10.229.254.5 send message type 1, length (incl. header) 45
*Jan 16 18:39:51.099: IP: tableid=0, s=10.229.254.4 (local), d=10.229.254.5 (Serial0/0/0), routed via FIB
*Jan 16 18:39:51.099: IP: s=10.229.254.4 (local), d=10.229.254.5 (Serial0/0/0), len 104, sending
*Jan 16 18:39:51.099:     TCP src=179, dst=21883, seq=3669835903, ack=1346259300, win=16339 ACK PSH
*Jan 16 18:39:51.159: IP: s=10.229.254.5 (Serial0/0/0), d=10.229.254.4, len 59, rcvd 0
*Jan 16 18:39:51.159:     TCP src=21883, dst=179, seq=1346259300, ack=3669835967, win=16320 ACK PSH
*Jan 16 18:39:51.159: BGP: 10.229.254.5 went from OpenConfirm to Established
*Jan 16 18:39:51.159: %BGP-5-ADJCHANGE: neighbor 10.229.254.5 Up

We can see the hold time received is 40 seconds and the neighbor still comes up
r4#sh ip bgp neighbors
BGP neighbor is 10.229.254.5,  remote AS 64513, external link
  BGP version 4, remote router ID 5.5.5.5
  BGP state = Established, up for 00:02:36
  Last read 00:00:06, last write 00:00:10, hold time is 40, keepalive interval is 13 seconds
Since the negotiated hold time is 40, the keepalive interval is one third of 40, rounded down to
13 seconds
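As an added example (not part of the original notes), here is the OPEN exchange from the debugs above in code. It encodes r5's OPEN exactly as r4 logged it (26 bytes of body, 16 bytes of optional parameters, 45 bytes including the header), decodes it, shows how a 4-byte ASN rides in capability 65 with AS_TRANS 23456 in the 2-byte field (the 4 Byte BGP ASN section at the top of the page), and negotiates the hold time and keepalive the way the show ip bgp neighbors output reports them. r4's router ID of 4.4.4.4 and the 4-byte ASN 4200000001 are assumptions; the packet layout follows RFC 4271 and RFC 4893.

```python
import struct

# Added example (not from the original notes): build and parse the BGP OPEN
# messages seen in the debugs, and negotiate the timers the way IOS reports them.
BGP_MARKER = b"\xff" * 16
MSG_OPEN = 1
AS_TRANS = 23456             # RFC 4893: 2-byte placeholder sent in place of a 4-byte ASN
CAP_MP_EXT = 1               # multiprotocol extensions, value = AFI(2) reserved(1) SAFI(1)
CAP_ROUTE_REFRESH = 2        # "ROUTE-REFRESH capability(new)" in the debug
CAP_FOUR_OCTET_AS = 65       # RFC 4893 capability carrying the real 4-byte ASN
CAP_ROUTE_REFRESH_OLD = 128  # pre-standard code, "ROUTE-REFRESH capability(old)"


def build_capability(code, value=b""):
    """One capability wrapped in its own optional parameter (type 2), the
    layout the debug shows: 'optional parameter type 2 (Capability) len 6'."""
    cap = struct.pack("!BB", code, len(value)) + value
    return struct.pack("!BB", 2, len(cap)) + cap


def build_open(my_as, hold_time, bgp_id, capabilities=()):
    """Encode a BGP OPEN (RFC 4271 section 4.2).  bgp_id is 4 raw bytes.
    A 4-byte ASN cannot fit in the 2-byte My AS field, so it goes into
    capability 65 and AS_TRANS (23456) is sent in the fixed field instead."""
    opt = b"".join(build_capability(code, value) for code, value in capabilities)
    if my_as > 0xFFFF:
        opt += build_capability(CAP_FOUR_OCTET_AS, struct.pack("!I", my_as))
        my_as_field = AS_TRANS
    else:
        my_as_field = my_as
    body = struct.pack("!BHH4sB", 4, my_as_field, hold_time, bgp_id, len(opt)) + opt
    header = BGP_MARKER + struct.pack("!HB", 19 + len(body), MSG_OPEN)
    return header + body


def parse_open(msg):
    """Decode an OPEN, returning the fixed fields plus the capability list.
    'my_as' is the real ASN (taken from capability 65 when present) and
    'my_as_field' is what was on the wire in the 2-byte field."""
    if len(msg) < 29 or msg[:16] != BGP_MARKER:
        raise ValueError("bad marker or truncated message")
    length, msg_type = struct.unpack("!HB", msg[16:19])
    if msg_type != MSG_OPEN or length != len(msg):
        raise ValueError("not a well-formed OPEN")
    version, my_as_field, hold_time, bgp_id, opt_len = struct.unpack("!BHH4sB", msg[19:29])
    opt = msg[29:29 + opt_len]
    caps = []
    i = 0
    while i < len(opt):
        ptype, plen = opt[i], opt[i + 1]
        pval = opt[i + 2:i + 2 + plen]
        i += 2 + plen
        if ptype != 2:            # only Capabilities (type 2) are defined; skip anything else
            continue
        j = 0
        while j < len(pval):
            code, clen = pval[j], pval[j + 1]
            caps.append((code, pval[j + 2:j + 2 + clen]))
            j += 2 + clen
    my_as = my_as_field
    for code, value in caps:
        if code == CAP_FOUR_OCTET_AS and len(value) == 4:
            my_as = struct.unpack("!I", value)[0]
    return {"version": version, "my_as": my_as, "my_as_field": my_as_field,
            "hold_time": hold_time, "bgp_id": ".".join(str(b) for b in bgp_id),
            "opt_len": opt_len, "caps": caps, "length": length}


def negotiate_timers(local_hold, remote_hold):
    """Both speakers use the lower of the two hold times (RFC 4271 4.2); a
    non-zero value below 3 is unacceptable and would draw a NOTIFICATION.
    IOS derives the keepalive as one third of the hold time, rounded down."""
    hold = min(local_hold, remote_hold)
    if hold != 0 and hold < 3:
        raise ValueError("unacceptable hold time")
    return hold, hold // 3


# The OPEN r5 sent after 'timers bgp 10 40': IPv4 unicast, both route-refresh codes.
R5_CAPS = [(CAP_MP_EXT, b"\x00\x01\x00\x01"), (CAP_ROUTE_REFRESH_OLD, b""), (CAP_ROUTE_REFRESH, b"")]
R5_OPEN = build_open(64513, 40, bytes([5, 5, 5, 5]), R5_CAPS)
# r4's OPEN; its router ID is assumed to be 4.4.4.4 (its loopback), the debug never prints it.
R4_OPEN = build_open(64512, 180, bytes([4, 4, 4, 4]), R5_CAPS)
# A 4-byte ASN peer (value constructed here) to show AS_TRANS on the wire.
BIG_AS_OPEN = build_open(4200000001, 180, bytes([9, 9, 9, 9]), R5_CAPS)

if __name__ == "__main__":
    for name, raw in (("r5", R5_OPEN), ("r4", R4_OPEN), ("4-byte AS peer", BIG_AS_OPEN)):
        p = parse_open(raw)
        print(f"{name}: {len(raw)} bytes total, opt param len {p['opt_len']}, "
              f"AS field {p['my_as_field']}, real AS {p['my_as']}, hold {p['hold_time']}")
    print("negotiated hold/keepalive:", negotiate_timers(180, parse_open(R5_OPEN)["hold_time"]))
```

The sizes line up with the debug: 19-byte header plus 10 fixed bytes plus 16 bytes of capabilities gives the 45-byte OPEN r4 logs as "length (incl. header) 45", and min(180, 40) // 3 is the 13-second keepalive interval in the show output.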

Now we look at update-source

In this topology we have two ways to get from r4 to r5: via the Frame Relay link or via the serial
connection. Above we formed the neighbor relationship over the Frame Relay; we could also form one
over the serial, so let's do this

r4
---
router bgp 64512
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.229.254.5 remote-as 64513
 neighbor 172.25.13.5 remote-as 64513

I have added the neighbor 172.25.13.5

on
r5
----
router bgp 64513
 no synchronization
 bgp log-neighbor-changes
 timers bgp 10 40
 neighbor 10.229.254.4 remote-as 64512
 neighbor 172.25.13.4 remote-as 64512
 no auto-summary

So let's try advertising a route from r5 to r4. We will create a new loopback, 55.55.55.0/24

r5(config)#int lo55
*Jan 16 20:16:10.823: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback55, changed state to up
r5(config-if)#ip address 55.55.55.55 255.255.255.0
r5(config-if)#

r5(config)#router bgp 64513
r5(config-router)#network 55.55.55.0 mask 255.255.255.0
r5(config-router)#

r4
--
We will set maximum-paths in the BGP process on r4 so we see both paths to the destination;
otherwise we would only see one route, via either the Frame Relay or the serial.

r4(config)#router bgp 64512
r4(config-router)#maximum-paths 2
r4#sh ip route
*Jan 16 20:05:11.827: %SYS-5-CONFIG_I: Configured from console by console
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     1.0.0.0/32 is subnetted, 1 subnets
D       1.1.1.1 [90/2300416] via 172.25.13.5, 01:32:27, Serial0/1/0
                [90/2300416] via 10.229.254.5, 01:32:27, Serial0/0/0
     4.0.0.0/32 is subnetted, 1 subnets
C       4.4.4.4 is directly connected, Loopback0
     55.0.0.0/24 is subnetted, 1 subnets
B       55.55.55.0 [20/0] via 172.25.13.5, 00:00:04
                   [20/0] via 10.229.254.5, 00:00:04
     5.0.0.0/24 is subnetted, 1 subnets
D       5.5.5.0 [90/2297856] via 172.25.13.5, 00:36:36, Serial0/1/0
                [90/2297856] via 10.229.254.5, 00:36:36, Serial0/0/0
     172.25.0.0/24 is subnetted, 1 subnets
C       172.25.13.0 is directly connected, Serial0/1/0
     10.0.0.0/24 is subnetted, 2 subnets
C       10.229.254.0 is directly connected, Serial0/0/0
D       10.164.49.0 [90/2172416] via 172.25.13.5, 01:32:30, Serial0/1/0
                    [90/2172416] via 10.229.254.5, 01:32:30, Serial0/0/0

We see in the routing table two paths to 55.55.55.0, via the serial link and via the Frame Relay.

This means we are receiving the update twice, once over the Frame Relay and once over the serial.

With BGP being used for the Internet this would be a lot of routes. There is a more efficient way
of keeping both paths without doubling the control-plane traffic: we can peer between the loopbacks.

r4
----
r4(config)#router bgp 64512
r4(config-router)#no neighbor 10.229.254.5 remote-as 64513
r4(config-router)#no neighbor 10.229.254.5 remote-as 64513
*Jan 16 21:08:12.951: %BGP-5-ADJCHANGE: neighbor 10.229.254.5 Down Neighbor deleted
r4(config-router)#no neighbor 172.25.13.5 remote-as 64513
r4(config-router)#
*Jan 16 21:08:27.931: %BGP-5-ADJCHANGE: neighbor 172.25.13.5 Down Neighbor deleted
r4(config-router)#neighbor 5.5.5.5 remote-as 64513
r4(config-router)#neighbor 5.5.5.5 update-source lo0
r4(config-router)#

r5
---
r5(config)#router bgp 64513
r5(config-router)#no neighbor 10.229.254.4 remote-as 64512
r5(config-router)#no neighbor 172.25.13.4 remote-as 64512
r5(config-router)#neighbor 4.4.4.4 remote-as 64512
r5(config-router)#neighbor 4.4.4.4 update-source lo0
r5(config-router)#

r5#
*Jan 16 21:27:51.507: %SYS-5-CONFIG_I: Configured from console by console
r5#debug ip bgp
BGP debugging is on for address family: IPv4 Unicast
r5#debug ip packet detail 180
IP packet debugging is on (detailed) for access list 180
r5#

We are not getting any initiation of a BGP session from r4

r5#ping 4.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/65/68 ms
r5#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     1.0.0.0/32 is subnetted, 1 subnets
D       1.1.1.1 [90/156160] via 10.164.49.1, 00:37:25, FastEthernet0/0
     4.0.0.0/32 is subnetted, 1 subnets
D       4.4.4.4 [90/2297856] via 172.25.13.4, 00:37:25, Serial0/1/0
                [90/2297856] via 10.229.254.4, 00:37:25, Serial0/0/0
     55.0.0.0/24 is subnetted, 1 subnets
C       55.55.55.0 is directly connected, Loopback55
     5.0.0.0/24 is subnetted, 1 subnets
C       5.5.5.0 is directly connected, Loopback0
     172.25.0.0/24 is subnetted, 1 subnets
C       172.25.13.0 is directly connected, Serial0/1/0
     10.0.0.0/24 is subnetted, 2 subnets
C       10.229.254.0 is directly connected, Serial0/0/0
C       10.164.49.0 is directly connected, FastEthernet0/0
r5#
We can ping, but the issue is that 4.4.4.4 is not directly connected (it is an EIGRP route) even
though it is only one hop away
r5#traceroute 4.4.4.4
Type escape sequence to abort.
Tracing the route to 4.4.4.4
  1 10.229.254.4 32 msec
    172.25.13.4 20 msec
    10.229.254.4 32 msec
r5#

r5(config)#router bgp 64513
r5(config-router)#neighbor 4.4.4.4 disable-connected-check
r5(config-router)#

r4
--
r4#debug ip packet detail 180
IP packet debugging is on (detailed) for access list 180
r4#debug ip bgp
BGP debugging is on for address family: IPv4 Unicast
r4#
*Jan 16 21:20:59.075: IP: s=5.5.5.5 (Serial0/1/0), d=4.4.4.4, len 44, rcvd 0
*Jan 16 21:20:59.075:     TCP src=33547, dst=179, seq=569951317, ack=0, win=16384 SYN
*Jan 16 21:20:59.075: IP: tableid=0, s=4.4.4.4 (local), d=5.5.5.5 (Serial0/0/0), routed via FIB
*Jan 16 21:20:59.075: IP: s=4.4.4.4 (local), d=5.5.5.5 (Serial0/0/0), len 40, sending
*Jan 16 21:20:59.075:     TCP src=179, dst=33547, seq=0, ack=569951318, win=0 ACK RST

We are now receiving the TCP SYN from r5 as we have disabled the connected check there, but r4 is
answering with a reset as we have not disabled the connected check on r4 (no OPEN is ever exchanged,
the TCP session is refused first).

r4(config)#router bgp 64512
r4(config-router)#neighbor 5.5.5.5 disable-connected-check
r4(config-router)#

*Jan 16 21:22:31.947: BGP: 5.5.5.5 went from Idle to Active
*Jan 16 21:22:31.947: BGP: 5.5.5.5 open active delayed 30999ms (35000ms max, 28% jitter)
*Jan 16 21:22:37.535: IP: s=5.5.5.5 (Serial0/1/0), d=4.4.4.4, len 44, rcvd 0
*Jan 16 21:22:37.535:     TCP src=34022, dst=179, seq=2708136984, ack=0, win=16384 SYN
*Jan 16 21:22:37.539: IP: tableid=0, s=4.4.4.4 (local), d=5.5.5.5 (Serial0/0/0), routed via FIB
*Jan 16 21:22:37.539: IP: s=4.4.4.4 (local), d=5.5.5.5 (Serial0/0/0), len 44, sending
*Jan 16 21:22:37.539:     TCP src=179, dst=34022, seq=3558333867, ack=2708136985, win=16384 ACK SYN
*Jan 16 21:22:37.555: IP: s=5.5.5.5 (Serial0/1/0), d=4.4.4.4, len 40, rcvd 0
*Jan 16 21:22:37.555:     TCP src=34022, dst=179, seq=2708136985, ack=3558333868, win=16384 ACK
*Jan 16 21:22:37.559: IP: s=5.5.5.5 (Serial0/1/0), d=4.4.4.4, len 85, rcvd 0
*Jan 16 21:22:37.559:     TCP src=34022, dst=179, seq=2708136985, ack=3558333868, win=16384 ACK PSH
*Jan 16 21:22:37.559: BGP: 5.5.5.5 passive open to 4.4.4.4
*Jan 16 21:22:37.559: BGP: 5.5.5.5 went from Active to Idle
*Jan 16 21:22:37.559: BGP: 5.5.5.5 went from Idle to Connect
*Jan 16 21:22:37.563: BGP: 5.5.5.5 rcv message type 1, length (excl. header) 26
*Jan 16 21:22:37.563: BGP: 5.5.5.5 rcv OPEN, version 4, holdtime 40 seconds
*Jan 16 21:22:37.563: BGP: 5.5.5.5 went from Connect to OpenSent
*Jan 16 21:22:37.563: BGP: 5.5.5.5 sending OPEN, version 4, my as: 64512, holdtime 180 seconds
*Jan 16 21:22:37.563: BGP: 5.5.5.5 rcv OPEN w/ OPTION parameter len: 16
*Jan 16 21:22:37.563: BGP: 5.5.5.5 rcvd OPEN w/ optional parameter type 2 (Capability) len 6
*Jan 16 21:22:37.563: BGP: 5.5.5.5 OPEN has CAPABILITY code: 1, length 4
*Jan 16 21:22:37.563: BGP: 5.5.5.5 OPEN has MP_EXT CAP for afi/safi: 1/1
*Jan 16 21:22:37.563: BGP: 5.5.5.5 rcvd OPEN w/ optional parameter type 2 (Capability) len 2
*Jan 16 21:22:37.563: BGP: 5.5.5.5 OPEN has CAPABILITY code: 128, length 0
*Jan 16 21:22:37.563: BGP: 5.5.5.5 OPEN has ROUTE-REFRESH capability(old) for all address-families
*Jan 16 21:22:37.563: BGP: 5.5.5.5 rcvd OPEN w/ optional parameter type 2 (Capability) len 2
*Jan 16 21:22:37.563: BGP: 5.5.5.5 OPEN has CAPABILITY code: 2, length 0
*Jan 16 21:22:37.563: BGP: 5.5.5.5 OPEN has ROUTE-REFRESH capability(new) for all address-families
BGP: 5.5.5.5 rcvd OPEN w/ remote AS 64513
*Jan 16 21:22:37.563: BGP: 5.5.5.5 went from OpenSent to OpenConfirm
*Jan 16 21:22:37.563: BGP: 5.5.5.5 send message type 1, length (incl. header) 45
*Jan 16 21:22:37.563: IP: tableid=0, s=4.4.4.4 (local), d=5.5.5.5 (Serial0/0/0), routed via FIB
*Jan 16 21:22:37.563: IP: s=4.4.4.4 (local), d=5.5.5.5 (Serial0/0/0), len 104, sending
*Jan 16 21:22:37.563:     TCP src=179, dst=34022, seq=3558333868, ack=2708137030, win=16339 ACK PSH
*Jan 16 21:22:37.607: IP: s=5.5.5.5 (Serial0/1/0), d=4.4.4.4, len 59, rcvd 0
*Jan 16 21:22:37.607:     TCP src=34022, dst=179, seq=2708137030, ack=3558333932, win=16320 ACK PSH
*Jan 16 21:22:37.607: IP: s=5.5.5.5 (Serial0/1/0), d=4.4.4.4, len 92, rcvd 0
*Jan 16 21:22:37.607:     TCP src=34022, dst=179, seq=2708137049, ack=3558333932, win=16320 ACK PSH
*Jan 16 21:22:37.607: BGP: 5.5.5.5 went from OpenConfirm to Established
*Jan 16 21:22:37.607: %BGP-5-ADJCHANGE: neighbor 5.5.5.5 Up

The neighbor relationship comes up fine. Note that r5's packets arrive on Serial0/1/0 while r4's
replies go out Serial0/0/0: with two equal-cost EIGRP paths the two directions of the session need
not use the same link, and the session survives either link failing, which is the point of peering
between loopbacks.

r4#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     1.0.0.0/32 is subnetted, 1 subnets
D       1.1.1.1 [90/2300416] via 172.25.13.5, 00:45:49, Serial0/1/0
                [90/2300416] via 10.229.254.5, 00:45:49, Serial0/0/0
     4.0.0.0/32 is subnetted, 1 subnets
C       4.4.4.4 is directly connected, Loopback0
     55.0.0.0/24 is subnetted, 1 subnets
B       55.55.55.0 [20/0] via 5.5.5.5, 00:01:04
     5.0.0.0/24 is subnetted, 1 subnets
D       5.5.5.0 [90/2297856] via 172.25.13.5, 00:45:49, Serial0/1/0
                [90/2297856] via 10.229.254.5, 00:45:49, Serial0/0/0
     172.25.0.0/24 is subnetted, 1 subnets
C       172.25.13.0 is directly connected, Serial0/1/0
     10.0.0.0/24 is subnetted, 2 subnets
C       10.229.254.0 is directly connected, Serial0/0/0
D       10.164.49.0 [90/2172416] via 172.25.13.5, 00:45:51, Serial0/1/0
                    [90/2172416] via 10.229.254.5, 00:45:51, Serial0/0/0
r4#

Now we can see that for the route to 55.55.55.0 we only have one copy, via the loopback next hop
5.5.5.5, even though there are still two equal-cost EIGRP paths to reach that next hop.

Let's look at a potential issue: we will advertise the peering loopback 4.4.4.4 in BGP
r4(config)#router bgp 64512
r4(config-router)#network 4.4.4.4 mask 255.255.255.255
r4(config-router)#


on r5
------
r5#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     1.0.0.0/32 is subnetted, 1 subnets
D       1.1.1.1 [90/156160] via 10.164.49.1, 00:50:07, FastEthernet0/0
     4.0.0.0/32 is subnetted, 1 subnets
B       4.4.4.4 [20/0] via 4.4.4.4, 00:00:13
     55.0.0.0/24 is subnetted, 1 subnets
C       55.55.55.0 is directly connected, Loopback55
     5.0.0.0/24 is subnetted, 1 subnets
C       5.5.5.0 is directly connected, Loopback0
     172.25.0.0/24 is subnetted, 1 subnets
C       172.25.13.0 is directly connected, Serial0/1/0
     10.0.0.0/24 is subnetted, 2 subnets
C       10.229.254.0 is directly connected, Serial0/0/0
C       10.164.49.0 is directly connected, FastEthernet0/0
r5#
*Jan 16 21:42:26.987: %BGP-3-NOTIFICATION: received from neighbor 4.4.4.4 4/0 (hold time expired) 0 bytes
*Jan 16 21:42:26.987: %BGP-5-ADJCHANGE: neighbor 4.4.4.4 Down BGP Notification received

The BGP route says to reach 4.4.4.4 go via 4.4.4.4. Because eBGP has an administrative distance of
20 it has replaced the EIGRP route (distance 90) in r5's routing table, so the next hop now resolves
only to itself and the routing process no longer knows how to reach 4.4.4.4. Keepalives stop getting
through, the hold timer expires and the neighbor relationship goes down. So do not advertise the BGP
peering loopback via BGP; there must be an underlying IGP (or static) route to reach it for the
neighbor relationship to work.

OK, now we will look at forming a BGP relationship between r4 and sw1.
So from r4
------------

I will configure the neighbor statement and make sure I have the underlying connectivity, which I do
r4(config)#router bgp 64512
r4(config-router)#neighbor 10.164.49.1 remote-as 64514
r4(config-router)#neighbor 10.164.49.1 disable-connected-check
r4(config-router)#exit
r4(config)#exit
r4#ping 10.164.49.1
*Jan 16 21:37:59.399: %SYS-5-CONFIG_I: Configured from console by console
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.164.49.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/65/68 ms
r4#


s1
---
switch1(config)#router bgp 64514
switch1(config-router)#neighbor 172.25.13.4 remote-as 64512
switch1(config-router)#neighbor 172.25.13.4 disable-connected-check
switch1(config-router)#exit
switch1(config)#do ping 172.25.13.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.25.13.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 33/33/34 ms
switch1(config)#

We have the neighbors configured and they have connectivity, but the relationship is not coming up.

On r4 we keep receiving ICMP time exceeded (type 11, code 0) from r5:
*Jan 17 18:32:58.039: IP: s=10.229.254.5 (Serial0/1/0), d=172.25.13.4 (Serial0/1/0), len 56, rcvd 3
*Jan 17 18:32:58.039:     ICMP type=11, code=0
*Jan 17 18:33:06.023: IP: tableid=0, s=172.25.13.4 (local), d=10.164.49.1 (Serial0/0/0), routed via FIB
*Jan 17 18:33:06.023: IP: s=172.25.13.4 (local), d=10.164.49.1 (Serial0/0/0), len 44, sending
*Jan 17 18:33:06.023:     TCP src=39282, dst=179, seq=2937899099, ack=0, win=16384 SYN
*Jan 17 18:33:06.039: IP: tableid=0, s=10.229.254.5 (Serial0/1/0), d=172.25.13.4 (Serial0/1/0), routed via RIB
*Jan 17 18:33:06.039: IP: s=10.229.254.5 (Serial0/1/0), d=172.25.13.4 (Serial0/1/0), len 56, rcvd 3
*Jan 17 18:33:06.039:     ICMP type=11, code=0
The problem: by default eBGP sends with a TTL of 1, so the SYN reaches r5, but forwarding it would
take the TTL to 0, so r5 drops it and sends back the ICMP time exceeded instead. It never reaches
sw1. We need to change this.

r4
--
r4(config)#router bgp 64512
r4(config-router)#neighbor 10.164.49.1 ebgp-multihop
r4(config-router)#

We enable multihop; with no TTL given the default is 255
r4#sh run | sec router
router bgp 64512
 no synchronization
 bgp log-neighbor-changes
 neighbor 5.5.5.5 remote-as 64513
 neighbor 5.5.5.5 disable-connected-check
 neighbor 5.5.5.5 update-source Loopback0
 neighbor 10.164.49.1 remote-as 64514
 neighbor 10.164.49.1 ebgp-multihop 255
 neighbor 10.164.49.1 disable-connected-check
We need to do the same on s1
s1
--

switch1(config)#router bgp 64514
switch1(config-router)#neighbor 172.25.13.4 ebgp-multihop
switch1(config-router)#exit
switch1(config)#exit
switch1#sh run
00:34:19: %SYS-5-CONFIG_I: Configured from console by console
00:34:21: %BGP-5-ADJCHANGE: neighbor 172.25.13.4 Up

We can see by the last line of output that the neighbor relationship has come up

We will now take a look at the ttl-security feature. It rejects incoming BGP packets whose TTL is
lower than 255 minus the hop count given in the command, and sends our own packets with TTL 255.
Currently s1 is 2 hops away, so the expected configuration is hops 2, which accepts packets arriving
with a TTL of 253 or higher. Note that the lab below uses hops 253, treating the argument as a TTL
value; IOS accepts the command, but it tells the router to allow any packet with a TTL of 2 or more,
which gives almost no protection.

r4(config)#router bgp 64512
r4(config-router)#neighbor 10.164.49.1 ttl-security hops 253
Remove ebgp-multihop before configuring ttl-security
r4(config-router)#

We see the parser has returned an error saying that we must remove ebgp-multihop first; the two
commands are mutually exclusive on a neighbor. So we will remove it
r4(config)#router bgp 64512
r4(config-router)#no neighbor 10.164.49.1 ebgp-multihop
*Jan 17 18:57:49.531: %BGP-3-NOTIFICATION: received from neighbor 10.164.49.1 4/0 (hold time expired) 0 bytes
r4(config)#
*Jan 17 18:57:49.531: %BGP-5-ADJCHANGE: neighbor 10.164.49.1 Down BGP Notification received
Notice our neighbor relationship has gone down, as our packets have gone back to TTL 1 and sw1 is
2 hops away. sw1 still has multihop configured, so it is r4's keepalives that stop arriving; sw1's
hold timer expires and it is sw1 that sends the NOTIFICATION we receive.

We will now enable ttl-security hops
r4(config)#router bgp 64512
r4(config-router)#neighbor 10.164.49.1 ttl-security hops 253
r4(config-router)#

*Jan 17 19:01:53.955: %BGP-5-ADJCHANGE: neighbor 10.164.49.1 Up

Our neighbor relationship has come back up: ttl-security also makes r4 send its own BGP packets with
TTL 255, which is why ebgp-multihop is no longer needed. (hops 253 is the wrong value for a 2-hop
peer; the session comes up because the check it sets, TTL of at least 2, is trivially satisfied.
hops 2 would be the correct setting.) Now let us test this security feature.
We will shut down the interface from r5 to s1, create a new loopback on r5 with the IP 10.164.49.1
and source a new BGP relationship to r4 from it.
We can see from the output on r4 that we keep getting connection refused:

*Jan 17 19:06:43.435: IP: tableid=0, s=172.25.13.4 (local), d=10.164.49.1 (Serial0/0/0), routed via FIB
*Jan 17 19:06:43.435: IP: s=172.25.13.4 (local), d=10.164.49.1 (Serial0/0/0), len 44, sending
*Jan 17 19:06:43.435:     TCP src=34290, dst=179, seq=1088976206, ack=0, win=16384 SYN
*Jan 17 19:06:43.451: IP: tableid=0, s=10.164.49.1 (Serial0/1/0), d=172.25.13.4 (Serial0/1/0), routed via RIB
*Jan 17 19:06:43.451: IP: s=10.164.49.1 (Serial0/1/0), d=172.25.13.4 (Serial0/1/0), len 40, rcvd 3
*Jan 17 19:06:43.451:     TCP src=179, dst=34290, seq=0, ack=1088976207, win=0 ACK RST
*Jan 17 19:06:43.455: BGP: 10.164.49.1 open failed: Connection refused by remote host, open active delayed 27691ms (35000ms max, 28% jitter)

Be careful what this output proves. The refusal is a TCP RST generated by the far end (10.164.49.1,
now r5's loopback) in answer to r4's SYN, which is exactly what the first exchange on this page
showed a router doing when the source of a connection matches none of its neighbor statements
(r5's neighbor statement for r4 is 4.4.4.4, while this SYN is sourced from 172.25.13.4). It is not
r4's ttl-security check dropping anything: r5 is directly connected, so nothing it sends could fall
below the threshold of 2 that hops 253 configures. To exercise ttl-security for real, configure
hops 2 (threshold 253) and then try to peer from a device more than two hops away.
