Monday, January 4, 2016

BGP task #6. BGP configuration tasks

Topology:



For this task, add a second connection between R1 and R5.
Use the configuration from BGP task #5 as the initial configuration for this task.

Requirements: 

1. Configure a second connection between R1 and R5.
2. Traffic between AS5 and AS12 should load balance across the two links.
        a. Do not create new BGP sessions.
        b. Do not use the ebgp-multihop command.
        c. You are allowed to create a total of 4 new static routes.
3. The security policy of AS12 requires protecting the edge routers running eBGP from DoS attacks on the BGP protocol that use address spoofing.
4. Change the configuration of AS12 to reduce the number of iBGP sessions.


Solution:


Understanding of the following technologies is required to complete this task: 
Multihop-eBGP configuration options. 
BGP TTL-security feature 
Route-reflectors

Requirement #2 - Since creating additional BGP sessions is not allowed, change the existing eBGP session to run between the Loopback0 interfaces of R1 and R5. Configure static routes toward the neighbor's loopback via the two links. Use "disable-connected-check" to allow a multihop eBGP session without using the ebgp-multihop command. Note that you need to redistribute the static routes on R1 into OSPF.

Requirement #3 - The TTL-security feature provides protection from DoS attacks on the BGP protocol. Only packets with a TTL higher than the configured threshold are processed; the rest are discarded. Note that IOS-XR does not allow the TTL value to be edited, so on IOS-XR this feature works only for directly connected eBGP peers.
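An added example (not part of the original post) that audits `ttl-security hops` lines such as those in the IOS configurations on this page. On Cisco IOS the minimum accepted TTL is 255 minus the configured hop count, so `hops 254` accepts any packet that arrives with a TTL of 1 or more; `max_expected_hops` is an assumed policy value and the sample text is an excerpt constructed from this page's configs.

```python
import re

MAX_TTL = 255  # largest value the 8-bit IP TTL field can hold

# Constructed sample: ttl-security lines excerpted from the IOS configs on this page.
SAMPLE_CONFIG = """\
router bgp 12
 neighbor 5.0.5.5 remote-as 5
 neighbor 5.0.5.5 ttl-security hops 254
 neighbor 5.0.5.5 disable-connected-check
router bgp 67
 neighbor 67.0.36.3 remote-as 12
 neighbor 67.0.36.3 ttl-security hops 254
"""

HOPS_RE = re.compile(
    r"^[ \t]*neighbor[ \t]+(\S+)[ \t]+ttl-security[ \t]+hops[ \t]+(\d+)[ \t]*$",
    re.MULTILINE,
)

def min_accepted_ttl(hops):
    """Lowest incoming TTL that IOS accepts for a given hop count (1-254)."""
    if not 1 <= hops <= 254:
        raise ValueError("hop count must be between 1 and 254")
    return MAX_TTL - hops

def packet_accepted(hops, routers_crossed):
    """Would a packet sent with TTL 255 pass the check after being
    forwarded by `routers_crossed` routers (each decrements TTL by 1)?"""
    arriving_ttl = MAX_TTL - routers_crossed
    if arriving_ttl < 1:
        return False  # expired in transit, never reaches the peer
    return arriving_ttl >= min_accepted_ttl(hops)

def audit(config, max_expected_hops=2):
    """Flag neighbors whose hop count is looser than the assumed policy."""
    findings = []
    for match in HOPS_RE.finditer(config):
        hops = int(match.group(2))
        findings.append({
            "peer": match.group(1),
            "hops": hops,
            "min_ttl": min_accepted_ttl(hops),
            "too_loose": hops > max_expected_hops,
        })
    return findings
```

With a hop count of 1, a sender 200 routers away is rejected, while the same sender passes the check when the hop count is 254.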

Requirement #4 - Configure R2 and R4 as route-reflectors, and R1 and R3 as clients. This allows the iBGP session between R1 and R3 to be removed.

R1:

!
router ospf 1
 router-id 12.0.1.1
 redistribute static subnets
 passive-interface Ethernet1/0
!
ip route 5.0.5.5 255.255.255.255 5.0.15.5
ip route 5.0.5.5 255.255.255.255 5.0.51.5
!
router bgp 12
 bgp log-neighbor-changes
 bgp maxas-limit 10
 neighbor IBGP peer-group
 neighbor IBGP remote-as 12
 neighbor IBGP update-source Loopback0
 neighbor IBGP send-community
 neighbor 5.0.5.5 remote-as 5
 neighbor 5.0.5.5 ttl-security hops 254
 neighbor 5.0.5.5 disable-connected-check
 neighbor 5.0.5.5 update-source Loopback0
 neighbor 5.0.5.5 route-map LAST out
 neighbor 12.0.2.2 peer-group IBGP
 neighbor 12.0.4.4 peer-group IBGP
!

R2: 

!
router bgp 12
 bgp log-neighbor-changes
 network 12.0.0.0 mask 255.255.0.0
 neighbor IBGP peer-group
 neighbor IBGP remote-as 12
 neighbor IBGP update-source Loopback0
 neighbor IBGP send-community
 neighbor CLIENT peer-group
 neighbor CLIENT remote-as 12
 neighbor CLIENT update-source Loopback0
 neighbor CLIENT route-reflector-client
 neighbor CLIENT send-community
 neighbor 12.0.1.1 peer-group CLIENT
 neighbor 12.0.3.3 peer-group CLIENT
 neighbor 12.0.4.4 peer-group IBGP
!

R3:

!
router bgp 12

 address-family ipv4 unicast
 !
 neighbor-group IBGP
  remote-as 12
  update-source Loopback0
  address-family ipv4 unicast
  !
 !
 neighbor 12.0.2.2
  use neighbor-group IBGP
 !
 neighbor 12.0.4.4
  use neighbor-group IBGP
 !
 neighbor 67.0.36.6
  remote-as 67
  ttl-security
  address-family ipv4 unicast
   route-policy SECONDARY_IN in
   route-policy SECONDARY_OUT out
  !
 !
 neighbor 67.0.37.7
  remote-as 67
  ttl-security
  address-family ipv4 unicast
   route-policy PRIMARY_IN in
   route-policy BGP_ALL out
  !
 !
!

R4: 

!
router bgp 12
 address-family ipv4 unicast
  network 12.0.0.0/16
 !
 neighbor-group IBGP
  remote-as 12
  update-source Loopback0
  address-family ipv4 unicast
  !
 !
 neighbor-group CLIENT
  use neighbor-group IBGP
  address-family ipv4 unicast
   route-reflector-client
  !
 !
 neighbor 12.0.1.1
  use neighbor-group CLIENT
 !
 neighbor 12.0.2.2
  use neighbor-group IBGP
 !
 neighbor 12.0.3.3
  use neighbor-group CLIENT
 !
!

R5:

!
ip route 12.0.1.1 255.255.255.255 5.0.15.1
ip route 12.0.1.1 255.255.255.255 5.0.51.1
!
router bgp 5
 bgp log-neighbor-changes
 bgp inject-map INJECT exist-map EXIST copy-attributes
 network 5.0.0.0 mask 255.255.0.0
 neighbor 8.0.58.8 remote-as 8
 neighbor 8.0.58.8 password STRONG
 neighbor 12.0.1.1 remote-as 12
 neighbor 12.0.1.1 ttl-security hops 254
 neighbor 12.0.1.1 disable-connected-check
 neighbor 12.0.1.1 update-source Loopback0
 neighbor 12.0.1.1 send-community
 neighbor 12.0.1.1 route-map NO_TRANSIT out
 neighbor 12.0.1.1 advertise-map ADVMAP exist-map NONEXIST
!

R6:

!
router bgp 67
 bgp log-neighbor-changes
 network 67.0.0.0 mask 255.255.0.0
 neighbor 8.0.68.8 remote-as 8
 neighbor 67.0.36.3 remote-as 12
 neighbor 67.0.36.3 ttl-security hops 254
 neighbor 67.0.36.3 send-community
 neighbor 67.0.36.3 route-map NO_TRANSIT out
 neighbor 67.0.67.7 remote-as 67
!

R7:

!
router bgp 67
 bgp log-neighbor-changes
 network 67.0.0.0 mask 255.255.0.0
 neighbor 8.0.78.8 remote-as 8
 neighbor 67.0.37.3 remote-as 12
 neighbor 67.0.37.3 ttl-security hops 254
 neighbor 67.0.37.3 send-community
 neighbor 67.0.37.3 route-map NO_TRANSIT out
 neighbor 67.0.67.6 remote-as 67
!

Verification:

RP/0/0/CPU0:R3#traceroute 1.0.1.1
Wed Dec 23 15:39:56.773 UTC

Type escape sequence to abort.
Tracing the route to 1.0.1.1

 1  12.0.10.2 0 msec  0 msec  0 msec
 2  12.0.20.1 0 msec  0 msec  0 msec
 3  5.0.51.5 0 msec  0 msec  0 msec
 4  8.0.58.8 0 msec  0 msec  0 msec

RP/0/0/CPU0:R4#traceroute 1.0.1.1
Wed Dec 23 15:40:10.982 UTC

Type escape sequence to abort.
Tracing the route to 1.0.1.1

 1  12.0.20.1 0 msec  0 msec  0 msec
 2  5.0.15.5 0 msec  0 msec  0 msec
 3  8.0.58.8 0 msec  0 msec  0 msec

R1#show bgp sum
BGP router identifier 12.0.1.1, local AS number 12
BGP table version is 27, main routing table version 27
11 network entries using 1628 bytes of memory
16 path entries using 1024 bytes of memory
9/7 BGP path/bestpath attribute entries using 1224 bytes of memory
2 BGP rrinfo entries using 48 bytes of memory
5 BGP AS-PATH entries using 120 bytes of memory
1 BGP community entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 4068 total bytes of memory
BGP activity 22/11 prefixes, 78/62 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
5.0.5.5         4            5      47      43       27    0    0 00:34:01       10
12.0.2.2        4           12      28      31       27    0    0 00:19:38        3
12.0.4.4        4           12      27      23       27    0    0 00:15:26        3


