Monday, 13 February 2012

STUDIES BEGIN AGAIN:
I have decided to restart the CCNP programme from the beginning, as I feel that since I started (beginning of November; my last study session was around my birthday, 16th December) too much time, WAY TOO MUCH TIME HAS PASSED!

So, let's recap and start from nugget 1;
 
Completed "EIGRP Routing: Concepts and Planning" nugget tonight;
Even though Cisco designed EIGRP to be a simple protocol, there are a few concepts you'll want to be aware of before you move forward with implementation. This nugget walks through the key tables, terms, and calculations you'll need to get started with using EIGRP.

NOTES

WHY USE EIGRP?

1) Backup routes (fast convergence / DUAL)
Feasible successors are already worked out and held in the topology table, so a lost route is replaced without recalculating
2) Simple configuration
3) Flexibility in summarisation
With OSPF you can only summarise at the ABRs or ASBRs
EIGRP = any router / any interface can summarise
4) Unequal-cost load-balancing
The only IGP in common use that can do this (done via the variance command)
5) Combines the best of distance vector and link state
OSPF is fast, but not as fast as EIGRP, thanks to the backup routes already sitting in the topology table
It is still a distance vector protocol (an "advanced" one), because it only knows what its neighbours told it, not the whole topology


A router running EIGRP maintains 3 tables;

Neighbour Table
Every neighbour with which an adjacency has formed is listed here. Adjacencies are discovered and kept alive with hello packets (multicast to 224.0.0.10), not by the periodic full-table broadcasts that RIP relies on

Topology Table
Holds every route learned from every neighbour: the successor (best route, which is also copied into the routing table) plus any feasible successors (backup routes, there could be 2 or 3 or more). A backup route only counts as a feasible successor if the neighbour's reported distance is lower than our feasible distance; that is the check that guarantees it is loop-free

Routing Table
Only the successor routes (the best route to each destination) go in here




 
EIGRP NEIGHBOUR MSGS

Hello:
Neighbour discovery and keepalive, multicast to 224.0.0.10 (unreliable, never acknowledged)
Multipoint NBMA links of T1 speed (1544 kbit/s) or slower (Frame Relay, ATM virtual circuits etc.): hello every 60 seconds and HOLD time of 180 seconds
Everything else (LAN, point-to-point, faster links): hello every 5 seconds and HOLD time of 15 seconds
Update:
Once a neighbour is formed, the router sends its FULL set of routes and waits for an ACK back
After that only hellos will be seen, unless a route changes; then an update carrying just the change is sent (msg generally multicast*)
Query:
If the successor is lost and there is no feasible successor in the topology table, the route goes ACTIVE and a DUAL QUERY is sent to all neighbours asking for a path
Reply:
Sent in response to a query; it carries the neighbour's route to the destination, or the infinite metric if it has none. Update, query and reply packets all use RTP (Reliable Transport Protocol) and are acknowledged, so they are considered reliable
Ack:
The acknowledgement EIGRP requires for reliable packets: a hello with no data, unicast to the neighbour (unreliable itself, so never ACKed)


* During the initial exchange of routes between two new EIGRP neighbors, update packets are unicast rather than multicast

EIGRP = IP Protocol 88

A metric of 4294967295 (0xFFFFFFFF, every bit of the 32-bit metric set) is the infinite/unreachable metric, just like a hop count of 16 in RIP; a neighbour advertises it when it has no route to the network, for instance in a reply to a query


UNDERSTANDING EIGRP METRIC CALCULATION

Five weighted components go into the composite metric, but by default only bandwidth and delay are used:
Bandwidth (K1, default 1)
Delay (K3, default 1)
Reliability (K4 & K5, default 0)
Loading (K2, default 0)
MTU is carried in the vector and shown in the output, but is NOT used in the calculation

An EIGRP update carries the vector metric for each route (the lowest bandwidth on the path, the sum of the delays, the worst reliability, the highest load and the smallest MTU), not the K weights themselves; the K values travel in hellos and must match on both routers or no adjacency forms. From that vector the receiving neighbour adds its own interface's delay (and lowers the bandwidth if its own link is slower) and calculates the metric for that route


Calculating the EIGRP default metric (K1 = K3 = 1, K2 = K4 = K5 = 0):

metric = [(10,000,000 / lowest bandwidth in kbit/s) + (sum of delays in 10's of usec)] * 256
10,000,000 is what 10^7 equals

Bandwidth term = 10^7 / BW, with BW in kbit/s taken from the BW field of 'show interface' on the slowest link along the path
Delay term = the DLY fields of 'show interface' for every link along the path added up, then divided by 10 (DLY is printed in usec)

* Note: if the bandwidth division results in a decimal number, round down (the router does integer division)


So taking a route from my old lab,




Let's take this route that Router A knows about to the network on Router C/D:

D       10.14.0.132/30 [90/2174976] via 10.14.0.2, 00:00:58, FastEthernet0/0

2610XM-A#show ip route 10.14.0.132
Routing entry for 10.14.0.132/30
  Known via "eigrp 20", distance 90, metric 2174976, type internal
  Redistributing via eigrp 20
  Last update from 10.14.0.2 on FastEthernet0/0, 00:45:25 ago
  Routing Descriptor Blocks:
  * 10.14.0.2, from 10.14.0.2, 00:45:25 ago, via FastEthernet0/0
      Route metric is 2174976, traffic share count is 1
      Total delay is 20200 microseconds, minimum bandwidth is 1544 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 2


2610XM-A#show ip eigrp topology 10.14.0.132 255.255.255.252
IP-EIGRP (AS 20): Topology entry for 10.14.0.132/30
  State is Passive, Query origin flag is 1, 1 Successor(s), FD is 2174976
  Routing Descriptor Blocks:
  10.14.0.2 (FastEthernet0/0), from 10.14.0.2, Send flag is 0x0
      Composite metric is (2174976/2172416), Route is Internal
      Vector metric:
        Minimum bandwidth is 1544 Kbit
        Total delay is 20200 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1500
        Hop count is 2


We can see the following information for this route 10.14.0.132/30:
Route metric is 2174976
Total delay is 20200 microseconds
Minimum bandwidth is 1544 Kbit

So applying the above calculation to work out the metric;

10^7 = 10000000 ÷ 1544 kbit/s (min bandwidth) = 6476.6839.... (round down to 6476)
20200 usec of delay across all the links ÷ 10 = 2020 (delay in tens of usec); 6476 + 2020 = 8496
8496 X 256 = 2174976, which is the metric for that route :0)

A quick sanity check on the topology entry: the second number in "Composite metric is (2174976/2172416)" is the reported distance, i.e. what the neighbour 10.14.0.2 itself has for the route. The difference of 2560 is 10 x 256, exactly the 100 usec delay of our own FastEthernet0/0, which this router adds before installing the route.

GOD I HATE MATHS!!! but there you go, i think cisco thought hang on a minute, we have a super kool routing protocol but we have made it tooo easy, lets complicate this a little .... jesus!
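To check the arithmetic against what the router reports, here is an added Python example (my own code, not from the CBT Nuggets course or from this lab): it parses the `show ip eigrp topology` entry quoted above, computes the classic EIGRP metric with the full K-value formula rather than only the default case, and applies the DUAL feasibility condition that decides whether a neighbour's route can be a feasible successor. The sample text is the topology entry from the post, embedded as a constant so it runs offline; the function names, `EIGRP_INFINITY` and `DEFAULT_K` are my own.

```python
import re

# Sample input: the 'show ip eigrp topology 10.14.0.132 255.255.255.252' output
# from the post, embedded here as a constant so the example runs offline.
SAMPLE_TOPOLOGY_ENTRY = """\
IP-EIGRP (AS 20): Topology entry for 10.14.0.132/30
  State is Passive, Query origin flag is 1, 1 Successor(s), FD is 2174976
  Routing Descriptor Blocks:
  10.14.0.2 (FastEthernet0/0), from 10.14.0.2, Send flag is 0x0
      Composite metric is (2174976/2172416), Route is Internal
      Vector metric:
        Minimum bandwidth is 1544 Kbit
        Total delay is 20200 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1500
        Hop count is 2
"""

# Classic EIGRP signals "unreachable" with every bit of the 32-bit metric set,
# the counterpart of RIP's hop count of 16.
EIGRP_INFINITY = 0xFFFFFFFF

DEFAULT_K = (1, 0, 1, 0, 0)   # K1..K5: bandwidth and delay only


def eigrp_metric(min_bw_kbps, total_delay_usec, reliability=255, load=1, k=DEFAULT_K):
    """Classic (32-bit) EIGRP composite metric.

    Cisco's full formula:
        metric = [K1*BW + (K2*BW)/(256-load) + K3*DLY] * [K5/(reliability+K4)] * 256
    where the [K5/...] factor is only applied when K5 != 0.
    BW  = 10^7 / slowest bandwidth on the path in kbit/s, rounded down
    DLY = sum of the interface delays on the path, in tens of microseconds
    With the default K values this collapses to (BW + DLY) * 256.
    """
    k1, k2, k3, k4, k5 = k
    if min_bw_kbps <= 0:
        raise ValueError("bandwidth must be positive")
    bw = 10_000_000 // min_bw_kbps        # integer division: IOS rounds down
    dly = total_delay_usec // 10
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * dly
    if k5 != 0:
        metric = (metric * k5) // (reliability + k4)
    return metric * 256


def parse_topology_entry(text):
    """Extract the FD/RD pair and the vector metric from one topology entry."""
    def grab(pattern):
        match = re.search(pattern, text)
        if match is None:
            raise ValueError("field not found: " + pattern)
        return match.groups()

    fd, rd = grab(r"Composite metric is \((\d+)/(\d+)\)")
    (bw,) = grab(r"Minimum bandwidth is (\d+) Kbit")
    (delay,) = grab(r"Total delay is (\d+) microseconds")
    (rel,) = grab(r"Reliability is (\d+)/255")
    (load,) = grab(r"Load is (\d+)/255")
    return {
        "feasible_distance": int(fd),   # our metric to the destination
        "reported_distance": int(rd),   # the neighbour's own metric (what it advertised)
        "min_bw_kbps": int(bw),
        "total_delay_usec": int(delay),
        "reliability": int(rel),
        "load": int(load),
    }


def is_feasible_successor(reported_distance, feasible_distance):
    """DUAL feasibility condition: a backup path is loop-free only if the
    neighbour's reported distance is strictly less than our feasible distance."""
    return reported_distance < feasible_distance


def check_entry(text, k=DEFAULT_K):
    """Recompute the metric from the vector and compare it with the router's FD.
    Returns (computed_metric, matches_router)."""
    e = parse_topology_entry(text)
    computed = eigrp_metric(e["min_bw_kbps"], e["total_delay_usec"],
                            e["reliability"], e["load"], k)
    return computed, computed == e["feasible_distance"]


if __name__ == "__main__":
    entry = parse_topology_entry(SAMPLE_TOPOLOGY_ENTRY)
    metric, ok = check_entry(SAMPLE_TOPOLOGY_ENTRY)
    print("computed metric", metric, "matches router:", ok)
    # The RD is what 10.14.0.2 sees; the 2560 difference (10 * 256) is the 100 usec
    # delay of our own FastEthernet0/0, which this router adds before installing the route.
    print("FD - RD =", entry["feasible_distance"] - entry["reported_distance"])
    print("neighbour could be a feasible successor:",
          is_feasible_successor(entry["reported_distance"], entry["feasible_distance"]))
```

Feeding the neighbour's own view into `eigrp_metric` (same bandwidth, 100 usec less delay) reproduces the reported distance 2172416, so the parser and the formula agree with the router from both ends of the link.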

Tuesday, 7 February 2012



VPNs and IPHONE's

Interesting one today, worth a post,

Been working on a VPN RAS for iOS devices for work, and it appears I have been struggling with DNS for the iPhone devices, but not for PCs connecting via the VPN. Why, you ask?

Have a read of my findings, it could save you some time!!


SOLUTION: is split-dns;
 
The iPhone doesn't seem to accept the DNS servers that the VPN endpoint tries to assign to it, so the only way to get this to work if split-tunnel is in play is via the split-dns method.
 
To have this feature we need IOS 12.4, we are running 12.3.x
 
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htspldns.html#wp1446542
 
Basically, it looks like if your VPN is NOT configured to use split-tunnel, you're all set and everything works out of the box, BUT all traffic will pass through the VPN. Tested this and yes it works, we are now resolving internal names, but it's not practical.
 
As we are using split-tunnelling (encryption domains), then it needs to be configured for split-dns on each of the domains that need to resolve through the tunnel. 


upgraded to 12.4 from 12.3 and there she is! split-dns!!!

ISAKMP group policy config commands:
  access-restrict    Restrict clients in this group to an interface
  acl                Specify split tunneling inclusion access-list number
  backup-gateway     Specify backup gateway
  dns                Specify DNS Addresses
  domain             Set default domain name to send to client
  exit               Exit from ISAKMP client group policy configuration mode
  firewall           Enforce group firewall feature
  group-lock         Enforce group lock feature
  include-local-lan  Enable Local LAN Access with no split tunnel
  key                pre-shared key/IKE password
  max-logins         Set maximum simultaneous logins for users in this group
  max-users          Set maximum number of users for this group
  netmask            netmask used by the client for local connectivity
  no                 Negate a command or set its defaults
  pfs                The client should propose PFS
  pool               Set name of address pool
  save-password      Allows remote client to save XAUTH password
  split-dns          DNS name to append for resolution

Enter the command followed by your company's domain(s):
 split-dns mydomain.com

and magic! its all working

P.S
Looks like this bug has been around since 2008 and Apple still has not fixed it!!!

ON ANOTHER NOTE, CCNP STUDIES STARTING BACK UP THIS WEEK!

Wednesday, 11 January 2012

Currently in the process of moving house etc, also getting boxing training off to a good start. Will continue studies at the beginning of Feb, gotta make up for lost time.

Wednesday, 21 December 2011

xmas!

On break till new year, then going to hit this up hard!

Tuesday, 6 December 2011

Nugget 22
BGP Routing - Tuning Attributes 1





Right, THE NEW LAB, boys and gals!!!!!


Gonna clock off now and I will set this up tomorrow and we can get BGP'ing!

Sunday, 4 December 2011

Nugget 21
BGP Routing - Implementing Basic BGP Part 2



Let's look at the following:
  • Advertising networks into BGP
  • BGP auto-summary
  • Understanding BGP synchronisation
  • How BGP handles next hop addresses

Let's set up the loopbacks as per the lab above;


Router-5(config)#inter loopback0
Router-5(config-if)#ip address 200.1.1.1 255.255.255.0
Router-5(config-if)#inter loopback1
Router-5(config-if)#ip address 200.1.2.1 255.255.255.0
Router-5(config-if)#inter loopback2
Router-5(config-if)#ip address 200.1.3.1 255.255.255.0
Router-5(config-if)#inter loopback3
Router-5(config-if)#ip address 200.1.4.1 255.255.255.0
Router-5(config-if)#inter loopback4
Router-5(config-if)#ip address 200.1.5.1 255.255.255.0
Router-5(config-if)#inter loopback6
Router-5(config-if)#ip address 200.1.6.1 255.255.255.0
Router-5(config-if)#inter loopback7
Router-5(config-if)#ip address 50.1.1.1 255.255.255.0



Router-5#show ip int brie
Interface                  IP-Address      OK? Method Status               Protocol
ATM0/0                     unassigned      YES NVRAM  up                    up
FastEthernet0/0            10.14.0.1       YES NVRAM  up                    up
FastEthernet0/0.1          10.14.10.1      YES NVRAM  up                    up
FastEthernet0/0.2          10.14.20.1      YES NVRAM  up                    up
FastEthernet0/0.3          10.14.30.1      YES NVRAM  up                    up
FastEthernet0/0.4          10.14.40.1      YES NVRAM  up                    up
FastEthernet0/0.5          10.14.50.1      YES NVRAM  up                    up
BRI0/0                     unassigned      YES NVRAM  administratively down down
BRI0/0:1                   unassigned      YES unset  administratively down down
BRI0/0:2                   unassigned      YES unset  administratively down down
NVI0                       10.14.0.1       YES unset  up                    up
Virtual-Access1            unassigned      YES unset  up                    up
Virtual-Access2            unassigned      YES unset  up                    up
Dialer0                    109.170.1xx.x5  YES IPCP   up                    up
Loopback0                  200.1.1.1       YES manual up                    up
Loopback1                  200.1.2.1       YES manual up                    up
Loopback2                  200.1.3.1       YES manual up                    up
Loopback3                  200.1.4.1       YES manual up                    up
Loopback4                  200.1.5.1       YES manual up                    up
Loopback5                  5.5.5.5         YES manual up                    up
Loopback6                  200.1.6.1       YES manual up                    up
Loopback7                  50.1.1.1        YES manual up                    up


Now we have our loopbacks configured we are going to advertise the 50.1.1.0 network in BGP;
This is normally done via the network command followed by the network/subnet we want to advertise, although BGP's network command is unlike the network command in other routing protocols: it does not select the interfaces on which to form neighbours (neighbours are configured STATICALLY!), it only tells BGP which prefix from the routing table to advertise.

BUT, with auto-summary on, a network statement without a mask is classful, and it is satisfied by any subnet of that major network in the routing table, so the command we have typed below will advertise the whole class A network 50.0.0.0/8 even though only 50.1.1.0/24 exists:

Router-5(config)#router bgp 6500
Router-5(config-router)#network 50.0.0.0


Instead of either leaving the network command as it is, or following it up with no auto-summary like we normally do in other protocols, we use the mask option;

Router-5(config-router)#network 50.0.0.0 mask ?
  A.B.C.D  Network mask


NOW
the network and mask we specify here HAVE TO MATCH a route in the IP routing table EXACTLY (here the loopback's 50.1.1.0/24), otherwise nothing will be advertised!!

But just to investigate, we will leave off the mask for the time being, and turn auto-summary on:


Router-5(config-router)#network 50.0.0.0
Router-5(config-router)#auto-summary
<-- by default auto-summary is disabled (thank god!) ... well, on IOS 12.2(8)T and above; it is switched on here only to show the classful behaviour

Router-5#show ip bgp
BGP table version is 2, local router ID is 109.170.187.55
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 50.0.0.0         0.0.0.0                  0         32768 i



SO we can see the router is advertising the CLASS A network 50.0.0.0 (a /8); the next hop address 0.0.0.0 means the route is locally originated, i.e. the next hop is itself.

* = valid
> = the best route
i = internal

Lets see what Router-4 has for us;

Router-4#show ip bgp
BGP table version is 2, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 50.0.0.0         5.5.5.5                  0             0 6500 i


Sure enough, he is receiving the route


Router-4#show ip route

     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/66] via 10.1.34.1, FastEthernet0/1
B    50.0.0.0/8 [20/0] via 5.5.5.5
     4.0.0.0/32 is subnetted, 1 subnets
C       4.4.4.4 is directly connected, Loopback4
     5.0.0.0/32 is subnetted, 1 subnets
S       5.5.5.5 [1/0] via 10.1.45.2
     10.0.0.0/8 is variably subnetted, 7 subnets, 4 masks
C       10.14.0.0/25 is directly connected, FastEthernet0/0
O       10.1.13.0/30 [110/65] via 10.1.34.1, FastEthernet0/1
O       10.1.12.0/24 [110/74] via 10.1.24.1, Serial0/0
C       10.1.24.1/32 is directly connected, Serial0/0
C       10.1.24.0/30 is directly connected, Serial0/0
C       10.1.45.0/30 is directly connected, FastEthernet0/0
C       10.1.34.0/30 is directly connected, FastEthernet0/1
Router-4#ping 50.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 50.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
Router-4#


Right, let's start tidying up that network config, as Router-4 is receiving a /8 advertisement for the 50.1.1.0 network, yet on the interface it is a /24


Router-5(config)#router bgp 6500
Router-5(config-router)#no network 50.0.0.0



REMEMBER the network statement has to match the prefix and subnet mask in the routing table EXACTLY;

Router-5#show int Loopback7
Loopback7 is up, line protocol is up
  Hardware is Loopback
  Internet address is 50.1.1.1/24


SO, we use a /24 (class C sized) mask to match;

Router-5(config-router)#network 50.1.1.0 mask 255.255.255.0
Back over to Router-4:


Router-4#show ip route

     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/66] via 10.1.34.1, FastEthernet0/1
     50.0.0.0/24 is subnetted, 1 subnets
B       50.1.1.0 [20/0] via 5.5.5.5



SWEEEET! theres that BGP route baby, with the correct mask!


Router-4# show ip bgp sum
BGP router identifier 4.4.4.4, local AS number 5500
BGP table version is 4, main routing table version 4
1 network entries and 1 paths using 121 bytes of memory
1 BGP path attribute entries using 96 bytes of memory
BGP activity 2/1 prefixes, 2/1 paths
0 prefixes revised.

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
1.1.1.1         4  5500      91      93        4    0    0 01:27:52        0
5.5.5.5         4  6500      95      91        4    0    0 01:28:36        1


Notice the State/PfxRcd column against our 5.5.5.5 neighbour now shows 1: once the session is Established this column stops showing a state and instead shows the number of prefixes received from that neighbour.


As the diagram at the beginning of this topic showed, we could also get the networks into BGP via redistribution too ...

Although this is generally not recommended: the routes your internal routing protocol is handling are PRIVATE, internal links, and you don't want to be advertising those out to your ISP. If you do redistribute, filter it with a route-map so only the prefixes you intend to announce get through.

Let's redistribute the first 4 networks, 200.1.1.0 to 200.1.4.0, on Router-5 (and keep 200.1.5.0 and 200.1.6.0 out):

Loopback0                  200.1.1.1       YES manual up                    up
Loopback1                  200.1.2.1       YES manual up                    up
Loopback2                  200.1.3.1       YES manual up                    up
Loopback3                  200.1.4.1       YES manual up                    up

Loopback4                  200.1.5.1       YES manual up                    up
Loopback6                  200.1.6.1       YES manual up                    up


Let's start off with a standard access-list that denies the networks I don't want to redistribute and permits the others:

Router-5(config)#ip access-list standard REDIST_BGP
Router-5(config-std-nacl)#deny 200.1.5.0
Router-5(config-std-nacl)#deny 200.1.6.0
Router-5(config-std-nacl)#permit any


Let's apply this ACL to a route-map;

Router-5(config)#route-map REDIST_FILTER
Router-5(config-route-map)#match ip address REDIST_BGP


So the above route-map (permit by default, sequence 10) will permit any prefix whose network address the ACL named REDIST_BGP permits. A prefix the ACL denies simply does not match this clause, and as there is no other clause it falls off the end of the route-map and is denied.



SO, we now have:

Router-5#show route-map REDIST_FILTER
route-map REDIST_FILTER, permit, sequence 10
  Match clauses:
    ip address (access-lists): REDIST_BGP
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes

Router-5#show access-list REDIST_BGP
Standard IP access list REDIST_BGP
    10 deny   200.1.5.0
    20 deny   200.1.6.0
    30 permit any


Now, let's go under the BGP process and look at the redistribution options:

Router-5(config)#router bgp 6500
Router-5(config-router)#redistribute ?
  bgp        Border Gateway Protocol (BGP)
  connected  Connected
  dvmrp      Redistribution of DVMRP into BGP IPv4 Multicast
  eigrp      Enhanced Interior Gateway Routing Protocol (EIGRP)
  isis       ISO IS-IS
  iso-igrp   IGRP for OSI networks
  mobile     Mobile routes
  odr        On Demand stub Routes
  ospf       Open Shortest Path First (OSPF)
  rip        Routing Information Protocol (RIP)
  static     Static routes

How cool is that, we can also do static routes as well as connected interfaces!

Router-5(config-router)#redistribute connected ?

....AH, hang on, I don't want to advertise my WAN IP, public IP, nor the simulated WAN link between R5 and R4 (10.1.45.x), so let's just add them into the ACL real quick (sequence numbers 21 to 23 slot them in before the permit any at 30):

Router-5(config)#ip access-l st REDIST_BGP
Router-5(config-std-nacl)#21 deny 10.0.0.0 0.255.255.255
Router-5(config-std-nacl)#22 deny 109.0.0.0 0.255.255.255
Router-5(config-std-nacl)#23 deny 62.0.0.0 0.255.255.255




right ...


Router-5(config)#router bgp 6500
Router-5(config-router)#redistribute connected route-map REDIST_FILTER


SO now, every connected prefix is passed through the route-map to see if it is allowed to be redistributed.

Let's check BGP:

Router-5#show ip bgp
BGP table version is 10, local router ID is 109.170.187.55
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 50.1.1.0/24      0.0.0.0                  0         32768 i
*> 200.1.1.0        0.0.0.0                  0         32768 ?
*> 200.1.2.0        0.0.0.0                  0         32768 ?
*> 200.1.3.0        0.0.0.0                  0         32768 ?
*> 200.1.4.0        0.0.0.0                  0         32768 ?



KOOOL, however now I think about it, a better way of doing the ACL under the route-map would have been to only permit the 4 200.1.x.0 networks and deny everything else, because if I ever add a loopback or an interface card, that bad boy is going to be redistributed into BGP!

Let's fix that:


Router-5(config)#no ip access-li st REDIST_BGP
Router-5(config)#ip access-li st REDIST_BGP
Router-5(config-std-nacl)#permit 200.1.1.0
Router-5(config-std-nacl)#permit 200.1.2.0
Router-5(config-std-nacl)#permit 200.1.3.0
Router-5(config-std-nacl)#permit 200.1.4.0



Let's check again:

Router-4#show ip bgp
BGP table version is 10, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 50.1.1.0/24      5.5.5.5                  0             0 6500 i
*> 200.1.1.0        5.5.5.5                  0             0 6500 ?
*> 200.1.2.0        5.5.5.5                  0             0 6500 ?
*> 200.1.3.0        5.5.5.5                  0             0 6500 ?
*> 200.1.4.0        5.5.5.5                  0             0 6500 ?



Sweet, 50.1.1.0/24 is showing with origin i, as we have explicitly said we want to advertise that under BGP with the network statement, while the redistributed ones show origin ?:

Router-5#show run | s bgp
router bgp 6500
 no synchronization
 bgp log-neighbor-changes
 network 50.1.1.0 mask 255.255.255.0
 redistribute connected route-map REDIST_FILTER
 neighbor 4.4.4.4 remote-as 5500
 neighbor 4.4.4.4 ebgp-multihop 2
 neighbor 4.4.4.4 update-source Loopback5
 no auto-summary

Router-4's routing table:
Router-4#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR, P - periodic downloaded static route
       T - traffic engineered route

Gateway of last resort is not set

B    200.1.4.0/24 [20/0] via 5.5.5.5
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/66] via 10.1.34.1, FastEthernet0/1
     50.0.0.0/24 is subnetted, 1 subnets
B       50.1.1.0 [20/0] via 5.5.5.5
     4.0.0.0/32 is subnetted, 1 subnets
C       4.4.4.4 is directly connected, Loopback4
     5.0.0.0/32 is subnetted, 1 subnets
S       5.5.5.5 [1/0] via 10.1.45.2
B    200.1.1.0/24 [20/0] via 5.5.5.5
B    200.1.2.0/24 [20/0] via 5.5.5.5
B    200.1.3.0/24 [20/0] via 5.5.5.5
     10.0.0.0/8 is variably subnetted, 7 subnets, 4 masks
C       10.14.0.0/25 is directly connected, FastEthernet0/0
O       10.1.13.0/30 [110/65] via 10.1.34.1, FastEthernet0/1
O       10.1.12.0/24 [110/74] via 10.1.24.1, Serial0/0
C       10.1.24.1/32 is directly connected, Serial0/0
C       10.1.24.0/30 is directly connected, Serial0/0
C       10.1.45.0/30 is directly connected, FastEthernet0/0
C       10.1.34.0/30 is directly connected, FastEthernet0/1

So thats how we can do it, via redistribution :0)
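Since a route-map with a standard ACL is all that stands between Router-5's connected interfaces and the ISP, here is an added Python example (mine, not from this post or from Cisco) that models the matching rules both versions of REDIST_BGP above rely on: a standard ACL tries entries in sequence order, first match wins, wildcard bits set to 1 are don't-care, and anything that matches no entry hits the implicit deny at the end; a route-map clause only applies its action to prefixes its ACL permits, an ACL deny just falls through to the next clause, and a prefix that matches no clause is dropped. It runs the deny-list ACL and the permit-only ACL over a constructed list of connected prefixes (modelled on Router-5's interfaces, with 192.0.2.0/24 from the documentation range standing in for a loopback added later) to show why the permit-only list is the safe one. The class and function names and the sample prefixes are my assumptions.

```python
import ipaddress


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


class StandardAcl:
    """Cisco standard IP ACL: entries tried in sequence order, first match
    wins, implicit 'deny any' after the last entry."""

    def __init__(self, name):
        self.name = name
        self.entries = []  # (sequence, action, base_address, wildcard)

    def add(self, action, address, wildcard="0.0.0.0", seq=None):
        # A wildcard bit of 1 means "don't care"; 0 means the bit must match.
        # Omitting the wildcard (plain 'permit 200.1.1.0') matches that one address,
        # which is what a route-map compares against: the prefix's network address.
        if seq is None:
            seq = (self.entries[-1][0] + 10) if self.entries else 10
        self.entries.append((seq, action, _to_int(address), _to_int(wildcard)))
        self.entries.sort(key=lambda e: e[0])

    def permits(self, address):
        addr = _to_int(address)
        for _seq, action, base, wildcard in self.entries:
            if (addr | wildcard) == (base | wildcard):
                return action == "permit"
        return False  # implicit deny any


class RouteMap:
    """Ordered permit/deny clauses, each matching on a standard ACL."""

    def __init__(self, name):
        self.name = name
        self.clauses = []  # (sequence, action, acl or None)

    def add_clause(self, seq, action, acl):
        self.clauses.append((seq, action, acl))
        self.clauses.sort(key=lambda c: c[0])

    def allows(self, prefix):
        network_address = str(ipaddress.ip_network(prefix, strict=False).network_address)
        for _seq, action, acl in self.clauses:
            # A clause with no match statement (acl None) matches everything.
            # An ACL deny is "no match for this clause", not a route-map deny,
            # so evaluation falls through to the next clause.
            if acl is None or acl.permits(network_address):
                return action == "permit"
        return False  # no clause matched: implicit deny at the end of the route-map


# Constructed sample: connected prefixes modelled on Router-5's interfaces, plus
# 192.0.2.0/24 (documentation range) standing in for a loopback added later.
CONNECTED_PREFIXES = [
    "200.1.1.0/24", "200.1.2.0/24", "200.1.3.0/24", "200.1.4.0/24",
    "200.1.5.0/24", "200.1.6.0/24", "50.1.1.0/24",
    "10.14.0.0/25", "10.1.45.0/30", "109.0.2.0/24", "62.0.2.0/24",
    "192.0.2.0/24",
]


def deny_list_acl():
    """First version in the post: deny the unwanted networks, then permit any."""
    acl = StandardAcl("REDIST_BGP")
    acl.add("deny", "200.1.5.0", seq=10)
    acl.add("deny", "200.1.6.0", seq=20)
    acl.add("deny", "10.0.0.0", "0.255.255.255", seq=21)
    acl.add("deny", "109.0.0.0", "0.255.255.255", seq=22)
    acl.add("deny", "62.0.0.0", "0.255.255.255", seq=23)
    acl.add("permit", "0.0.0.0", "255.255.255.255", seq=30)  # 'permit any'
    return acl


def permit_list_acl():
    """Second version: permit exactly the four networks, rely on the implicit deny."""
    acl = StandardAcl("REDIST_BGP")
    for net in ("200.1.1.0", "200.1.2.0", "200.1.3.0", "200.1.4.0"):
        acl.add("permit", net)
    return acl


def redistributed(acl, prefixes=CONNECTED_PREFIXES):
    """Prefixes that 'redistribute connected route-map REDIST_FILTER' would hand to BGP."""
    route_map = RouteMap("REDIST_FILTER")
    route_map.add_clause(10, "permit", acl)
    return [p for p in prefixes if route_map.allows(p)]


if __name__ == "__main__":
    print("deny-list ACL  :", redistributed(deny_list_acl()))
    print("permit-list ACL:", redistributed(permit_list_acl()))
```

The deny-list version lets the made-up 192.0.2.0/24 loopback straight through to BGP because nothing denies it before `permit any`; the permit-only version drops it on the implicit deny, which is exactly the failure mode the rewrite of the ACL above guards against.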




BGP SYNCHRONISATION RULE

Well, before we look at what it is, let's just check if Router-1 has picked up the routes via iBGP:

Router-1# show ip bgp
BGP table version is 1, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
* i50.1.1.0/24      5.5.5.5                  0    100      0 6500 i
* i200.1.1.0        5.5.5.5                  0    100      0 6500 ?
* i200.1.2.0        5.5.5.5                  0    100      0 6500 ?
* i200.1.3.0        5.5.5.5                  0    100      0 6500 ?
* i200.1.4.0        5.5.5.5                  0    100      0 6500 ?


Yes we have, but notice the question marks in the Path column for some of the routes: these are the redistributed networks, origin "incomplete", because BGP does not know where they originally came from.

None of them has the > best flag though, so none of them is installed in the routing table!


Router-1#show ip route

     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback1
     4.0.0.0/32 is subnetted, 1 subnets
O       4.4.4.4 [110/75] via 10.1.12.2, 02:29:48, Ethernet0/0
                [110/75] via 10.1.13.2, 02:29:48, Serial0/0
     10.0.0.0/8 is variably subnetted, 6 subnets, 3 masks
C       10.1.13.2/32 is directly connected, Serial0/0
C       10.1.13.0/30 is directly connected, Serial0/0
C       10.1.12.0/24 is directly connected, Ethernet0/0
O       10.1.24.0/30 [110/74] via 10.1.12.2, 02:29:48, Ethernet0/0
O       10.1.45.0/30 [110/75] via 10.1.12.2, 02:29:48, Ethernet0/0
                     [110/75] via 10.1.13.2, 02:29:48, Serial0/0
O       10.1.34.0/30 [110/74] via 10.1.13.2, 02:29:48, Serial0/0




WHY
do we have this rule? Well, you may recall me answering this in the previous nugget, BUT.....

We can see Router-1 has learnt about the network 200.1.1.0 via iBGP. If Router-1 used that route and forwarded a packet for 200.1.1.0 towards Router-3 (which only runs OSPF), Router-3 looks in his routing table;


Router-3#show ip route

     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 10.1.13.1, 02:39:58, Serial0/0
     4.0.0.0/32 is subnetted, 1 subnets
O       4.4.4.4 [110/11] via 10.1.34.2, 02:39:58, Ethernet0/0
     10.0.0.0/8 is variably subnetted, 6 subnets, 3 masks
C       10.1.13.0/30 is directly connected, Serial0/0
C       10.1.13.1/32 is directly connected, Serial0/0
O       10.1.12.0/24 [110/74] via 10.1.13.1, 02:39:58, Serial0/0
O       10.1.24.0/30 [110/74] via 10.1.34.2, 02:39:58, Ethernet0/0
O       10.1.45.0/30 [110/11] via 10.1.34.2, 02:39:58, Ethernet0/0
C       10.1.34.0/30 is directly connected, Ethernet0/0


NOPE, he knows nothing about the 200.1.x.x networks! So the packets are dropped and we have a blackhole .... NOW THE RULE MAKES SENSE, YES!



That is the synchronisation rule: R1 will not use an iBGP-learnt route, or advertise it on to eBGP peers, until it has also learnt that prefix via the interior routing protocol, because only then do the OSPF-only routers in the middle know how to forward the traffic.


QUICK NOTE:

BGP sync is:
turned on by default in releases before 12.2(8)T
turned off by default in 12.2(8)T and later

So if BGP sync is turned off, IT DOES NOT LOOK AT SATISFYING THAT RULE! Cisco turned it off in later releases because if you planned your network right you would not run BGP the way we have in this example: you would run iBGP on the OSPF-only transit routers too (a full iBGP mesh or route reflectors), so every router in the path knows the external prefixes and there is no blackhole to protect against.


It looks like my two iBGP routers are running early IOS versions, so lets turn off BGP sync


Router-1#conf t
Router-1(config)#router bgp 5500
Router-1(config-router)#no synchronization



Router-4#conf t
Router-4(config)#router bgp 5500
Router-4(config-router)#no synchronization



Sweet, let's check to see if we have the routes now:

Router-1# show ip bgp
BGP table version is 1, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
* i50.1.1.0/24      5.5.5.5                  0    100      0 6500 i
* i200.1.1.0        5.5.5.5                  0    100      0 6500 ?
* i200.1.2.0        5.5.5.5                  0    100      0 6500 ?
* i200.1.3.0        5.5.5.5                  0    100      0 6500 ?
* i200.1.4.0        5.5.5.5                  0    100      0 6500 ?


NOPE .....
There is another reason why these routes are not being used! ... check out the next hop column.

5.5.5.5 ... that's Router-5, our ISP router!!! D-A-M!!! No wonder it's not working! Does Router-1 know how to get to 5.5.5.5?


Router-1#show ip route 5.5.5.5
% Network not in table


NO, he does not, and that is why BGP has not marked the route with the best flag (>): a path whose next hop cannot be resolved in the routing table is not valid, so it never enters best-path selection. The next hop learnt from an eBGP peer is left untouched when the route is passed on over iBGP, which is why Router-1 sees Router-5's address rather than Router-4's.

Now for iBGP peers, one way we could fix this would be to use this command on Router-4:

Router-4(config)#router bgp 5500
Router-4(config-router)#neighbor 1.1.1.1 next-hop-self


So for routes we advertise to Router-1 we use ourselves (4.4.4.4, the address the iBGP session is sourced from, which Router-1 can reach via OSPF) as the next hop address



AND HERE WE GO (took bloody ages for the changes to show!!!):

Router-1#show ip bgp
BGP table version is 8, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i50.1.1.0/24      4.4.4.4                  0    100      0 6500 i
*>i200.1.1.0        4.4.4.4                  0    100      0 6500 ?
*>i200.1.2.0        4.4.4.4                  0    100      0 6500 ?
*>i200.1.3.0        4.4.4.4                  0    100      0 6500 ?
*>i200.1.4.0        4.4.4.4                  0    100      0 6500 ?


now we have the next hop, as 4.4.4.4 and now, if we check the routing table;

Router-1#show ip route

B    200.1.4.0/24 [200/0] via 4.4.4.4, 00:04:51
     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback1
     50.0.0.0/24 is subnetted, 1 subnets
B       50.1.1.0 [200/0] via 4.4.4.4, 00:04:51
     4.0.0.0/32 is subnetted, 1 subnets
O       4.4.4.4 [110/75] via 10.1.12.2, 00:04:41, Ethernet0/0
                [110/75] via 10.1.13.2, 00:04:41, Serial0/0
B    200.1.1.0/24 [200/0] via 4.4.4.4, 00:04:51
B    200.1.2.0/24 [200/0] via 4.4.4.4, 00:04:51
B    200.1.3.0/24 [200/0] via 4.4.4.4, 00:04:51
     10.0.0.0/8 is variably subnetted, 6 subnets, 3 masks
C       10.1.13.2/32 is directly connected, Serial0/0
C       10.1.13.0/30 is directly connected, Serial0/0
C       10.1.12.0/24 is directly connected, Ethernet0/0
O       10.1.24.0/30 [110/74] via 10.1.12.2, 00:04:42, Ethernet0/0
O       10.1.45.0/30 [110/75] via 10.1.12.2, 00:04:42, Ethernet0/0
                     [110/75] via 10.1.13.2, 00:04:42, Serial0/0
O       10.1.34.0/30 [110/74] via 10.1.13.2, 00:04:42, Serial0/0



WOW! that's a lot to take in, and stuff you need to know!!! BGP sync and next-hop-self .... debugs are not going to show you that! you need to know that sh1t!.... sure is a lot to BGP
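To make the two rules concrete, here is an added Python example (my own, not from this post or from Cisco IOS) that models how a router decides whether a BGP path can be used: it builds Router-1's routing table from the output above, does a longest-prefix lookup on the path's next hop, applies the synchronisation rule when it is enabled, and installs a winning path with the right administrative distance (20 for eBGP, 200 for iBGP). It also models the network-statement check from earlier in this nugget, where the prefix and mask must match a routing-table entry exactly, and the classful auto-summary behaviour seen with `network 50.0.0.0`. The `Rib` class, the function names and the table entries are my assumptions; the OSPF router-ID condition IOS adds to the sync check is deliberately not modelled.

```python
import ipaddress

IBGP_DISTANCE = 200
EBGP_DISTANCE = 20


class Rib:
    """Minimal IP routing table: prefix -> (protocol, distance, next_hop),
    with longest-prefix-match lookup."""

    def __init__(self):
        self.routes = {}

    def add(self, prefix, protocol, distance, via=None):
        self.routes[ipaddress.ip_network(prefix, strict=False)] = (protocol, distance, via)

    def lookup(self, address):
        addr = ipaddress.ip_address(address)
        best = None
        for net, info in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, info)
        return best  # (network, (protocol, distance, via)) or None

    def has_exact(self, prefix):
        return ipaddress.ip_network(prefix, strict=False) in self.routes


def ibgp_path_usable(prefix, next_hop, rib, synchronization):
    """The two checks Router-1 trips over. Returns (usable, reason)."""
    hit = rib.lookup(next_hop)
    if hit is None:
        return False, "next hop %s is not in the routing table" % next_hop
    if synchronization:
        # Sync: the prefix must also be known from something other than BGP.
        # (IOS additionally wants the OSPF router ID to equal the BGP router ID
        # for OSPF-learned routes; that detail is not modelled here.)
        igp = rib.routes.get(ipaddress.ip_network(prefix, strict=False))
        if igp is None or igp[0] == "B":
            return False, "synchronization: %s not learned from the IGP" % prefix
    return True, "next hop %s reachable via %s" % (next_hop, hit[1][0])


def install_bgp_route(prefix, next_hop, rib, synchronization, ibgp=True):
    """Install the path with the right administrative distance if it is usable and
    nothing with an equal or lower distance already covers the prefix."""
    usable, reason = ibgp_path_usable(prefix, next_hop, rib, synchronization)
    if not usable:
        return False, reason
    distance = IBGP_DISTANCE if ibgp else EBGP_DISTANCE
    existing = rib.routes.get(ipaddress.ip_network(prefix, strict=False))
    if existing is not None and existing[1] <= distance:
        return False, "better route already installed (%s)" % existing[0]
    rib.add(prefix, "B", distance, via=next_hop)
    return True, "installed [%d/0] via %s" % (distance, next_hop)


def classful_prefix(address):
    """Class A/B/C network implied by 'network x.x.x.x' with no mask."""
    first = int(address.split(".")[0])
    length = 8 if first < 128 else 16 if first < 192 else 24
    return str(ipaddress.ip_network("%s/%d" % (address, length), strict=False))


def network_statement_ok(address, rib, mask=None, auto_summary=False):
    """'network A.B.C.D [mask M]' only advertises if that exact prefix is in the RIB.
    Returns (advertised, prefix_that_would_be_advertised)."""
    if mask is not None:
        prefix = ipaddress.ip_network("%s/%s" % (address, mask), strict=False)
        return rib.has_exact(str(prefix)), str(prefix)
    prefix = ipaddress.ip_network(classful_prefix(address))
    if auto_summary:
        # With auto-summary any subnet of the major network in the RIB is enough,
        # and the whole classful network is advertised (the 50.0.0.0/8 seen earlier).
        return any(net.subnet_of(prefix) for net in rib.routes), str(prefix)
    return rib.has_exact(str(prefix)), str(prefix)


def router1_rib():
    """Router-1's routing table as shown in the post, before any BGP route is installed."""
    rib = Rib()
    rib.add("1.1.1.1/32", "C", 0)
    rib.add("4.4.4.4/32", "O", 110, via="10.1.12.2")
    rib.add("10.1.13.0/30", "C", 0)
    rib.add("10.1.12.0/24", "C", 0)
    rib.add("10.1.24.0/30", "O", 110, via="10.1.12.2")
    rib.add("10.1.45.0/30", "O", 110, via="10.1.12.2")
    rib.add("10.1.34.0/30", "O", 110, via="10.1.13.2")
    return rib


if __name__ == "__main__":
    rib = router1_rib()
    print(ibgp_path_usable("200.1.1.0/24", "5.5.5.5", rib, synchronization=False))
    print(ibgp_path_usable("200.1.1.0/24", "4.4.4.4", rib, synchronization=True))
    print(install_bgp_route("200.1.1.0/24", "4.4.4.4", rib, synchronization=False))
```

Run as is, the first call fails on the next hop (5.5.5.5 is not in Router-1's table), the second fails on synchronisation even though 4.4.4.4 is reachable, and only the third, with next-hop-self applied and sync off, installs the route with distance 200, which is the sequence the routing-table outputs above went through.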

Saturday, 3 December 2011

Nugget 20
BGP Routing - Implementing Basic BGP Part 1





The lab is now set up as above, with OSPF being the interior routing protocol and BGP the exterior one ... and we will configure an internal BGP peering between R4 and R1 later.

Let's check out the commands at our disposal in BGP:


Router-5(config)#router bgp 6500
Router-5(config-router)#neighbor 10.1.45.1 ?
  activate                 Enable the Address Family for this Neighbor
  advertise-map            specify route-map for conditional advertisement
  advertisement-interval   Minimum interval between sending BGP routing updates
  allowas-in               Accept as-path with my AS present in it
  capability               Advertise capability to the peer
  default-originate        Originate default route to this neighbor
  description              Neighbor specific description
  disable-connected-check  One-hop away EBGP peer using loopback address
  distribute-list          Filter updates to/from this neighbor
  dmzlink-bw               Propagate the DMZ link bandwidth
  ebgp-multihop            Allow EBGP neighbors not on directly connected networks
  fall-over                session fall on peer route lost
  filter-list              Establish BGP filters
  inherit                  Inherit a template
  local-as                 Specify a local-as number
  maximum-prefix           Maximum number of prefixes accepted from this peer
  next-hop-self            Disable the next hop calculation for this neighbor
  next-hop-unchanged       Propagate the iBGP paths's next hop unchanged for this neighbor
  password                 Set a password
  peer-group               Member of the peer-group
  prefix-list              Filter updates to/from this neighbor
  remote-as                Specify a BGP neighbor
  remove-private-as        Remove private AS number from outbound updates
  route-map                Apply route map to neighbor
  route-reflector-client   Configure a neighbor as Route Reflector client
  send-community           Send Community attribute to this neighbor
  shutdown                 Administratively shut down this neighbor
  soft-reconfiguration     Per neighbor soft reconfiguration
  timers                   BGP per neighbor timers
  translate-update         Translate Update to MBGP format
  transport                Transport options
  ttl-security             BGP ttl security check
  unsuppress-map           Route-map to selectively unsuppress suppressed routes
  update-source            Source of routing updates
  version                  Set the BGP version to match a neighbor
  weight                   Set default weight for routes from this neighbor


Check out all them options!!! wow boi!
The first thing we need to do, in order to get this relationship up and running, is the remote-as command; this gets the conversation flowing by sending OPEN msgs to the neighbour we are configuring.

Router-5(config-router)#neighbor 10.1.45.1 remote-as 5500




Router-5#show ip bgp summ
BGP router identifier 109.170.1x7.xx, local AS number 6500
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd <--seq of the DB it has received
10.1.45.1       4  5500       0       0        0    0    0 never    Active


Here we can see we have our configured neighbor .... totally dead (Up/Down column) at the moment, no messages sent or received.  Notice the State/PfxRcd is set to ACTIVE; this means the exact same thing as in the EIGRP world:

ACTIVE = BAD

It is actively trying to bring the relationship up (whereas EIGRP was actively trying to find a backup route)


Let's configure his buddy;

Router-4(config)#router bgp 5500
Router-4(config-router)#neighbor 10.1.45.2 remote-as 6500


Now, let's see how long it takes for the relationship to come up!.... remember this is a SLOW protocol:



Router-5#show clock
21:48:35.778 GB Sat Nov 19 2011
Router-5#
013151: Nov 19 21:48:50.025: %BGP-5-ADJCHANGE: neighbor 10.1.45.1 Up

Okay, 15 seconds, that came up pretty quick (bit disappointed in a way, as Jeremy - the instructor - was saying it can take as long as 60 seconds!)


Router-4#show ip bgp sum
BGP router identifier 10.1.45.1, local AS number 5500
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.1.45.2       4  6500       8       7        1    0    0 00:04:36        0


So notice we have msgs being sent and received, BUT the State/PfxRcd column is still 0. That's because with BGP you can establish a neighbour and not send/exchange any routes/information ..... SO different to what we are used to!! (so is statically configuring the neighbours too! lol BUT I guess if it did auto-discover neighbours, imagine the issues ISPs would have, people's home routers bringing up BGP, peering with them and then injecting routes all over the place LOL)
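The two summary outputs above are the sort of thing you end up checking by eye on every router; here is an added example (my own code, not from the blog or from Cisco) that parses the neighbour rows of `show ip bgp summary` and flags the two conditions discussed: a peer stuck in Active/Idle (session never came up) and a peer that is Established but has received 0 prefixes. The sample output is constructed to look like the outputs above; the 10.1.45.9 and 10.1.45.10 neighbours and the prefix count of 12 are made up.

```python
"""Parse Cisco IOS 'show ip bgp summary' output and flag peers that need attention.

Added example; not from the blog or from Cisco. The sample below is constructed
to resemble the outputs in the post (the extra neighbours are hypothetical).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_SUMMARY = """\
BGP router identifier 10.1.45.1, local AS number 5500
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
1.1.1.1         4  5500      10       9        1    0    0 00:06:10        0
10.1.45.2       4  6500      52      51        1    0    0 00:48:19       12
10.1.45.9       4  6500       0       0        0    0    0 never    Active
10.1.45.10      4  6500       0       0        0    0    0 never    Idle (Admin)
"""

LOCAL_AS_RE = re.compile(r"local AS number (\d+)")
ROW_RE = re.compile(
    r"^(?P<neighbor>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<version>\d+)\s+(?P<asn>\d+)\s+"
    r"(?P<rcvd>\d+)\s+(?P<sent>\d+)\s+(?P<tblver>\d+)\s+(?P<inq>\d+)\s+(?P<outq>\d+)\s+"
    r"(?P<updown>\S+)\s+(?P<last>.+?)\s*$"
)


@dataclass
class Peer:
    neighbor: str
    remote_as: int
    msgs_rcvd: int
    msgs_sent: int
    up_down: str
    state: Optional[str]              # FSM state while the session is NOT Established
    prefixes_received: Optional[int]  # prefix count once it IS Established

    @property
    def established(self) -> bool:
        return self.prefixes_received is not None

    def is_ibgp(self, local_as: int) -> bool:
        return self.remote_as == local_as


def parse_bgp_summary(text: str) -> Tuple[int, List[Peer]]:
    """Return (local AS, list of neighbour rows) from the summary text."""
    local_as = 0
    peers: List[Peer] = []
    for line in text.splitlines():
        m_as = LOCAL_AS_RE.search(line)
        if m_as:
            local_as = int(m_as.group(1))
            continue
        m = ROW_RE.match(line)
        if not m:
            continue  # header, blank or table-version lines
        last = m.group("last")
        # IOS prints a number in the last column only once the session is
        # Established; otherwise it prints the FSM state (Idle, Active, Idle (Admin), ...).
        if last.isdigit():
            state, pfx = None, int(last)
        else:
            state, pfx = last, None
        peers.append(Peer(m.group("neighbor"), int(m.group("asn")),
                          int(m.group("rcvd")), int(m.group("sent")),
                          m.group("updown"), state, pfx))
    return local_as, peers


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (neighbour, finding) pairs: 'down' for Active/Idle sessions,
    'no-prefixes' for Established sessions that have learned nothing yet."""
    _, peers = parse_bgp_summary(text)
    findings: List[Tuple[str, str]] = []
    for p in peers:
        if not p.established:
            findings.append((p.neighbor, "down"))
        elif p.prefixes_received == 0:
            findings.append((p.neighbor, "no-prefixes"))
    return findings


if __name__ == "__main__":
    local_as, peers = parse_bgp_summary(SAMPLE_SUMMARY)
    for p in peers:
        kind = "iBGP" if p.is_ibgp(local_as) else "eBGP"
        print(f"{p.neighbor:<12} {kind} state={p.state or 'Established'} pfx={p.prefixes_received}")
    print(audit(SAMPLE_SUMMARY))
```

Run it against saved `show ip bgp summary` output and the Active/Idle rows are the ones to chase first; a session that is Established with 0 prefixes is not a fault by itself (as the post shows, no network statements yet), but on an eBGP peer that is supposed to be feeding you routes it is worth a look.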


Now for iBGP there is no funky command or any funny business; when we enter the remote-as command we enter "our" internal AS and the router will know it is an iBGP speaker.


As the plan goes, we plan to get an iBGP peering going with routers 1 & 4, even though they are not directly connected :0)


First though, we need to set up some loopbacks for the peering relationships, as it would be silly peering with one of the physical interfaces: if that interface were to go down, we would lose the BGP peering.
We also then need to advertise the loopbacks into the internal routing protocol (OSPF) so the rest of the network knows about them (otherwise the BGP messages would not make it from either iBGP speaker).



Router-4#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router-4(config)#inter loopback4
Router-4(config-if)#ip address 4.4.4.4 255.255.255.255
Router-4(config-if)#exit
Router-4(config)#router ospf 1
Router-4(config-router)#network 4.4.4.4 0.0.0.0 area 0



Let's do the same for Router-1, but first double check he is now seeing this new loopback;

Router-1#show ip route

     4.0.0.0/32 is subnetted, 1 subnets
O       4.4.4.4 [110/75] via 10.1.12.2, 00:01:02, Ethernet0/0
                [110/75] via 10.1.13.2, 00:01:02, Serial0/0



Sweet, let's do the loopback on this router too;


Router-1(config)#inter loopback1
Router-1(config-if)#ip address 1.1.1.1 255.255.255.255
Router-1(config-if)#exit
Router-1(config)#router ospf 1
Router-1(config-router)#network 1.1.1.1 0.0.0.0 area 0


Let's configure the BGP part now on both routers;

Router-4(config)#router bgp 5500
Router-4(config-router)#neighbor 1.1.1.1 remote-as 5500

Router-1(config)#router bgp 5500
Router-1(config-router)#neighbor 4.4.4.4 remote-as 5500


BUT the neighbourship will NEVER form;

Router-1#show ip bgp summary

BGP router identifier 1.1.1.1, local AS number 5500
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
4.4.4.4         4  5500       0       0        0    0    0 never    Active


BECAUSE .... the BGP packets will be hitting the neighbour with the IP address of the outgoing physical interface as the source (whichever one OSPF picks as the quicker path to the neighbour), not the loopback. The relationship will not form because the receiving router has no idea who that interface is/belongs to; it won't be the statically configured IP in the neighbour command!!

So to fix this, we can use the update-source command. Here we specify the loopback of Router-4:
Router-4(config)#router bgp 5500
Router-4(config-router)#neighbor 1.1.1.1 update-source loopback 4



Let's go do the other router:


Router-1(config)#router bgp 5500
Router-1(config-router)#neighbor 4.4.4.4 update-source loopback 1



ah ha ...

Router-1#
000018: *Mar  1 01:52:30.823: %BGP-5-ADJCHANGE: neighbor 4.4.4.4 Up



Router-1#show ip bgp summ
BGP router identifier 1.1.1.1, local AS number 5500
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
4.4.4.4         4  5500       3       4        1    0    0 00:00:37        0



Notice we no longer have an ACTIVE state, and the State/PfxRcd column now reads 0 (no prefixes received yet).

Over on router-4 we have the iBGP and eBGP neighbourships up;

Router-4#show ip bgp summ
BGP router identifier 10.1.45.1, local AS number 5500
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
1.1.1.1         4  5500      10       9        1    0    0 00:06:10        0
10.1.45.2       4  6500      52      51        1    0    0 00:48:19        0


Just for clarification and sanity checking:

Router-4#show ip bgp neighbors
BGP neighbor is 1.1.1.1,  remote AS 5500, internal link  <---iBGP

 Index 2, Offset 0, Mask 0x4
  BGP version 4, remote router ID 1.1.1.1
  BGP state = Established, table version = 1, up for 00:08:10
  Last read 00:00:10, hold time is 180, keepalive interval is 60 seconds
  Minimum time between advertisement runs is 5 seconds
  Received 12 messages, 0 notifications, 0 in queue
  Sent 11 messages, 0 notifications, 0 in queue
  Prefix advertised 0, suppressed 0, withdrawn 0
  Connections established 1; dropped 0
  Last reset never
  0 accepted prefixes consume 0 bytes
  0 history paths consume 0 bytes
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Local host: 4.4.4.4, Local port: 11012
Foreign host: 1.1.1.1, Foreign port: 179


BGP neighbor is 10.1.45.2,  remote AS 6500, external link  <----eBGP
 Index 1, Offset 0, Mask 0x2

  BGP version 4, remote router ID 109.170.1x7.xx (my public IP range)
  BGP state = Established, table version = 1, up for 00:50:50
  Last read 00:00:50, hold time is 180, keepalive interval is 60 seconds
  Minimum time between advertisement runs is 30 seconds
  Received 54 messages, 0 notifications, 0 in queue
  Sent 53 messages, 0 notifications, 0 in queue
  Prefix advertised 0, suppressed 0, withdrawn 0
  Connections established 1; dropped 0
  Last reset never
  0 accepted prefixes consume 0 bytes
  0 history paths consume 0 bytes


BUT, we still have no BGP routes;

Router-4#show ip bgp

Because the neighbours and the networks/routes are separated in BGP, unlike other routing protocols, where you have neighbours and you are told of the routes they know (via the network command under the routing protocol, which tells the router what interfaces to advertise on and what networks to advertise into the process) ...

So with BGP, we have neighbour commands to bring up neighbour relationships, BUT then to get the routing aspect we have to apply the network commands as well; the two are totally separate with BGP.


Right, before we get BGP exchanging routes, let's just look at an example and at the same time tidy up our relationship with Router-5 (let's get it using a loopback interface too).



Router-5(config)#interface loopback5
Router-5(config-if)#ip address 5.5.5.5 255.255.255.255

Plus we need a static route to our neighbour, as if we were an ISP, we would not be running an interior routing protocol;
Router-5(config-if)#ip route 4.4.4.4 255.255.255.255 10.1.45.1



test;
Router-5#ping 4.4.4.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms


Now let's set a static on Router-4 to reach Router-5's (the ISP) loopback, as currently this router does not know anything about the 5.5.5.5 network;

Router-4(config)#ip route 5.5.5.5 255.255.255.255 10.1.45.2
Router-4#ping 5.5.5.5


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms



Let's just say for a moment that we had two links (T1 lines) going to the same ISP; we could have another static route on the ISP end pointing to a 2nd loopback interface, and then the Cisco router would perform load balancing (see diagram above).


HOWEVER there is a rule for eBGP, and that is the neighbours MUST BE DIRECTLY CONNECTED. We may be thinking, well, yeah they are, but the router has to pass through the neighbour's physical interface to get to the loopback, and so sees it as being more than 1 hop away ...


SO, this can be fixed by applying the update-source command, setting it to the loopback 4.4.4.4, and then adding this command:


Router-4(config-router)#neighbor 5.5.5.5 ebgp-multihop ?
  <1-255>  maximum hop count
  <cr>

Router-4(config-router)#neighbor 5.5.5.5 ebgp-multihop 2


But again, be careful of routing loops!! The recommended maximum is no more than 5!

RIGHT, so let's watch the neighbourship come up after I apply this on both routers;



Router-4(config)#router bgp 5500
Router-4(config-router)#neighbor 5.5.5.5 ebgp-multihop 2
Router-4(config-router)#neighbor 5.5.5.5 update-source loopback 4



Router-5(config)#router bgp 6500
Router-5(config-router)#neighbor 4.4.4.4 ebgp-multihop 2
Router-5(config-router)#neighbor 4.4.4.4 update-source loopback 5
Router-5(config-router)#
013233: Nov 19 23:22:28.467: %BGP-5-ADJCHANGE: neighbor 4.4.4.4 Up


Router-5#show ip bgp summ

BGP router identifier 109.170.1x7.xx, local AS number 6500
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
4.4.4.4         4  5500       3       4        1    0    0 00:00:57        0


SWEEET, without that multihop command this neighbour would never have come up.
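To tie together the two failures seen in this part (the iBGP loopback peering that would not form until update-source was set, and the eBGP loopback peering that would not form until ebgp-multihop was set), here is an added example of my own, not the blog's or Cisco's code, that models the checks a router applies to an incoming session: the source address must match a configured neighbour statement with the right AS, an eBGP peer with no multihop must sit on a directly connected subnet, and the packet TTL (255 for iBGP, the ebgp-multihop value for eBGP) must survive the path. The physical addresses 10.1.12.1 and 10.1.24.2, the interface names, and the assumption that Router-1 is 2 hops from Router-4 are mine; the loopbacks, AS numbers and the 10.1.45.0 link come from the post.

```python
"""Why does a BGP session form (or not)? A small model of the three checks that
bit us in this part. Added example, not from the blog or from Cisco; addresses
marked 'constructed' are not in the post.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class NeighborCfg:
    remote_as: int
    update_source: Optional[str] = None  # interface whose address sources the TCP session
    ebgp_multihop: int = 1               # TTL on outgoing eBGP packets; 1 = directly connected only


@dataclass
class Router:
    name: str
    local_as: int
    interfaces: Dict[str, str]                                        # ifname -> "addr/prefixlen"
    neighbors: Dict[str, NeighborCfg] = field(default_factory=dict)   # peer addr -> cfg
    exit_interface: Dict[str, str] = field(default_factory=dict)      # peer addr -> ifname the IGP/static picks

    def addr(self, ifname: str) -> str:
        return str(ipaddress.ip_interface(self.interfaces[ifname]).ip)

    def source_for(self, peer: str) -> str:
        """Source address of packets to `peer`: update-source if set, else the exit interface."""
        cfg = self.neighbors[peer]
        return self.addr(cfg.update_source or self.exit_interface[peer])

    def directly_connected(self, peer: str) -> bool:
        ip = ipaddress.ip_address(peer)
        return any(ip in ipaddress.ip_interface(a).network for a in self.interfaces.values())


def open_accepted(initiator: Router, listener: Router, peer: str, hops: int) -> List[str]:
    """Reasons the OPEN from `initiator` to `peer` on `listener` fails; [] means it is accepted.
    `hops` is the number of router hops between them (1 = directly connected)."""
    problems: List[str] = []
    cfg = initiator.neighbors[peer]
    ebgp = cfg.remote_as != initiator.local_as
    # Check 1 (eBGP only, no multihop): the peer address must be on a connected subnet.
    if ebgp and cfg.ebgp_multihop == 1 and not initiator.directly_connected(peer):
        problems.append(f"{initiator.name}: {peer} is not on a connected subnet (needs ebgp-multihop)")
    # Check 2: the TTL must not expire on the way (each transit router decrements it).
    ttl = cfg.ebgp_multihop if ebgp else 255
    if ttl - (hops - 1) < 1:
        problems.append(f"TTL {ttl} expires before reaching {peer} ({hops} hops)")
    # Check 3: the listener only accepts a session whose source matches a neighbor statement.
    src = initiator.source_for(peer)
    lcfg = listener.neighbors.get(src)
    if lcfg is None:
        problems.append(f"{listener.name}: no neighbor statement for source {src}")
    elif lcfg.remote_as != initiator.local_as:
        problems.append(f"{listener.name}: neighbor {src} expects AS {lcfg.remote_as}, got AS {initiator.local_as}")
    return problems


def ibgp_scenario(with_update_source: bool) -> List[str]:
    """Router-1 <-> Router-4 iBGP over loopbacks, 2 hops apart (10.1.12.1 / 10.1.24.2 are constructed)."""
    r1 = Router("Router-1", 5500, {"Loopback1": "1.1.1.1/32", "Ethernet0/0": "10.1.12.1/24"},
                exit_interface={"4.4.4.4": "Ethernet0/0"})
    r4 = Router("Router-4", 5500, {"Loopback4": "4.4.4.4/32", "Ethernet0/1": "10.1.24.2/24"},
                exit_interface={"1.1.1.1": "Ethernet0/1"})
    r1.neighbors["4.4.4.4"] = NeighborCfg(5500, update_source="Loopback1" if with_update_source else None)
    r4.neighbors["1.1.1.1"] = NeighborCfg(5500, update_source="Loopback4" if with_update_source else None)
    return open_accepted(r1, r4, "4.4.4.4", hops=2)


def ebgp_loopback_scenario(multihop: int, hops: int = 1) -> List[str]:
    """Router-4 (AS 5500) <-> Router-5 (AS 6500) eBGP over loopbacks across the 10.1.45.0/24 link."""
    r4 = Router("Router-4", 5500, {"Loopback4": "4.4.4.4/32", "Serial0/1": "10.1.45.1/24"},
                exit_interface={"5.5.5.5": "Serial0/1"})
    r5 = Router("Router-5", 6500, {"Loopback5": "5.5.5.5/32", "Serial0/1": "10.1.45.2/24"},
                exit_interface={"4.4.4.4": "Serial0/1"})
    r4.neighbors["5.5.5.5"] = NeighborCfg(6500, update_source="Loopback4", ebgp_multihop=multihop)
    r5.neighbors["4.4.4.4"] = NeighborCfg(5500, update_source="Loopback5", ebgp_multihop=multihop)
    return open_accepted(r4, r5, "5.5.5.5", hops=hops)


if __name__ == "__main__":
    print("iBGP, no update-source:", ibgp_scenario(False))
    print("iBGP, with update-source:", ibgp_scenario(True))
    print("eBGP loopbacks, multihop 1:", ebgp_loopback_scenario(1))
    print("eBGP loopbacks, multihop 2:", ebgp_loopback_scenario(2))
```

The model is deliberately the minimum needed to reproduce what the post observed; a real router also wants the TCP session itself to reach the loopback, which is what the static routes and OSPF advertisements above were for. The TTL check is also why the `ttl-security` option in the neighbour list further up is the safer way to constrain a peer: rather than raising the TTL you send, it rejects packets that arrive with a TTL lower than a near-255 floor, so a session cannot be opened from further away than you intend.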

RIGHT, let's get on with part 2