--- CCIE R&S Advanced Lab --- --- Session 5 BGP, Multicast ---
BGP Topics Covered • BGP Confederation • Order/Preference • Aggregation • Security • Peer Groups • Dampening
BGP • Know where BGP is located on the DOC CD • How can BGP be manipulated
Remove private AS • Private AS numbers (64512 to 65534) are used for internal peerings • They must be stripped from the AS path before routes are advertised to the Internet, otherwise the same private number appears in paths from many unrelated sites
BGP Path Selection • If the path specifies a next hop that is inaccessible, drop the update. • Prefer the path with the largest weight. • If the weights are the same, prefer the path with the largest local preference. • If the local preferences are the same, prefer the path that was originated by BGP running on this router. • If no route was originated, prefer the route that has the shortest AS_path. • If all paths have the same AS_path length, prefer the path with the lowest origin type (where IGP is lower than EGP, and EGP is lower than incomplete). • If the origin codes are the same, prefer the path with the lowest MED attribute. • If the paths have the same MED, prefer the external path over the internal path. • If the paths are still the same, prefer the path through the closest IGP neighbor. • Prefer the path with the lowest IP address, as specified by the BGP router ID.
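The decision list above as a comparator, added here as a worked example (not code from the original slides). The Path record, its field names and the three candidate routes are constructed for illustration; a real router also applies tie-breakers the slide does not list (oldest eBGP path, lowest neighbor address), and MED is only compared between paths from the same neighboring AS unless always-compare-med is set.

```python
"""BGP best-path selection modelled on the decision list on the slide.

Added example, not code from the original slides. The Path fields and
the three candidate routes are constructed for illustration.
"""
from dataclasses import dataclass
from functools import cmp_to_key

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}   # lower is better


@dataclass
class Path:
    prefix: str
    next_hop: str
    router_id: str                # BGP router ID of the advertising peer
    weight: int = 0               # Cisco-local, never propagated
    local_pref: int = 100
    locally_originated: bool = False
    as_path: tuple = ()
    origin: str = "igp"
    med: int = 0
    external: bool = True         # learned over eBGP rather than iBGP
    igp_metric: int = 0           # IGP cost to reach next_hop


def _rid_key(rid):
    """Dotted-quad router ID as an int tuple so that 2.2.2.2 < 10.0.0.1."""
    return tuple(int(octet) for octet in rid.split("."))


def compare(a, b):
    """Negative if a is preferred over b, positive if b wins, 0 if tied.

    Every key is 'lower is better', so attributes where larger wins are negated.
    """
    steps = (
        lambda p: -p.weight,                         # largest weight
        lambda p: -p.local_pref,                     # largest local preference
        lambda p: 0 if p.locally_originated else 1,  # originated on this router
        lambda p: len(p.as_path),                    # shortest AS_PATH
        lambda p: ORIGIN_RANK[p.origin],             # IGP < EGP < incomplete
        lambda p: p.med,                             # lowest MED
        lambda p: 0 if p.external else 1,            # eBGP over iBGP
        lambda p: p.igp_metric,                      # closest IGP next hop
        lambda p: _rid_key(p.router_id),             # lowest router ID
    )
    for key in steps:
        ka, kb = key(a), key(b)
        if ka != kb:
            return -1 if ka < kb else 1
    return 0


def best_path(paths, reachable_next_hops):
    """Step 0: drop any path whose next hop is not in the routing table."""
    usable = [p for p in paths if p.next_hop in reachable_next_hops]
    if not usable:
        return None
    return min(usable, key=cmp_to_key(compare))


# Constructed candidates for 172.16.0.0/16 as three peers might advertise them.
SAMPLE_PATHS = [
    Path("172.16.0.0/16", "10.0.0.1", "3.3.3.3", as_path=(65001, 65002)),
    Path("172.16.0.0/16", "10.0.0.2", "2.2.2.2", local_pref=200,
         as_path=(65001, 65002, 65003)),
    Path("172.16.0.0/16", "10.0.0.3", "1.1.1.1", weight=500, local_pref=50,
         as_path=(65004,)),
]

if __name__ == "__main__":
    winner = best_path(SAMPLE_PATHS, {"10.0.0.1", "10.0.0.2"})
    print("best path via", winner.next_hop, "advertised by", winner.router_id)
```

With the third next hop unreachable the higher local preference wins despite the longer AS path; once 10.0.0.3 becomes reachable, weight (the first comparison) makes that path the winner even though its local preference is the lowest.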
Aggregating BGP Networks • Summarization is called aggregation in BGP • Aggregation creates summary routes (called aggregates) from networks already in the BGP table • Individual networks can still be announced or be suppressed
Configuring Aggregation • router bgp as-number • aggregate-address address mask [summary-only] • Specifies the aggregation range in the BGP routing process • The aggregate is announced only if at least one network in the specified range is present in the BGP table • Individual networks are still announced in outgoing BGP updates unless summary-only suppresses them
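A model of the announce rule above, added here as an example (not from the original slides): the aggregate appears only when a component network exists in the table, and the more-specifics stay unless summary-only is used. The BGP table contents are constructed.

```python
"""Model of `aggregate-address <address> <mask> [summary-only]`.

Added example, not from the original slides; the BGP table is constructed.
"""
import ipaddress


def advertised_prefixes(bgp_table, aggregate, summary_only=False):
    """Return the prefixes that would appear in outgoing updates, sorted."""
    agg = ipaddress.ip_network(aggregate)
    out = set()
    component_present = False
    for entry in bgp_table:
        net = ipaddress.ip_network(entry)
        if net.prefixlen > agg.prefixlen and net.subnet_of(agg):
            component_present = True       # a network inside the range exists
            if not summary_only:
                out.add(str(net))          # more-specific still announced
        else:
            out.add(str(net))              # outside the range: untouched
    if component_present:
        out.add(str(agg))                  # the aggregate itself
    return sorted(out, key=ipaddress.ip_network)


# Constructed BGP table: two networks inside 10.1.0.0/16, one elsewhere.
SAMPLE_TABLE = ["10.1.0.0/24", "10.1.1.0/24", "192.168.5.0/24"]

if __name__ == "__main__":
    print(advertised_prefixes(SAMPLE_TABLE, "10.1.0.0/16"))
    print(advertised_prefixes(SAMPLE_TABLE, "10.1.0.0/16", summary_only=True))
    print(advertised_prefixes(SAMPLE_TABLE, "172.16.0.0/12"))   # nothing to aggregate
```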
Configuring BGP Communities • BGP communities are configured in the following steps: • Configure BGP community propagation • Define BGP community-lists to match BGP communities • Configure route-maps that match on community-lists and filter routes or set other BGP attributes • Apply route-maps to incoming or outgoing updates
Community Setting Through Route-Map • route-map name • match condition • set community value [value …] [additive] • Any number of communities can be specified • Communities given in the set clause overwrite the existing communities unless the additive option is specified
Attaching Communities to a Route • router(config-router)# neighbor ip-address route-map map in | out – Applies a route-map to inbound or outbound BGP updates • router(config-router)# redistribute protocol route-map map – Applies a route-map to redistributed routes • The route-map can set BGP communities or other BGP attributes
Configure Community Propagation • router(config-router)# neighbor ip-address send-community • By default, communities are stripped from outgoing BGP updates • Community propagation to BGP neighbors has to be configured manually
Related Commands • set community none – Removes all community attributes • set comm-list list delete – Removes the specific communities permitted by a community list: ip community-list 1 permit 200:100 / route-map REM_COM permit 10 / set comm-list 1 delete • set community additive – Appends to the existing communities: set community 450 additive • ip community-list 1 permit 200:10 – Matches any route that carries 200:10 • ip community-list 3 permit 200:10 100:10 – Matches only routes that carry both 200:10 and 100:10; all communities in one statement must be present, so use separate statements for an either-or match
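The three set variants and community-list matching as they behave on the router, added here as a worked example (not from the original slides). Routes are plain dicts and the community lists are constructed; matching follows the IOS rule that every community in one statement must be present, statements are tried in order, and an unmatched route is denied.

```python
"""Community manipulation modelled on `set community`, `set community none`,
`set comm-list delete` and `ip community-list`.

Added example, not from the original slides. Routes and lists are constructed.
"""


def parse_community(text):
    """'200:100', or a bare number such as '450', -> the 32-bit attribute value."""
    if ":" in text:
        asn, val = (int(x) for x in text.split(":"))
        if not (0 <= asn <= 0xFFFF and 0 <= val <= 0xFFFF):
            raise ValueError(f"bad community {text}")
        return (asn << 16) | val
    return int(text)


def fmt_community(value):
    """32-bit value -> 'asn:value' as `show ip bgp` prints it with new-format."""
    return f"{value >> 16}:{value & 0xFFFF}"


def set_community(route, values, additive=False):
    """`set community <values> [additive]`: overwrite unless additive."""
    new = {parse_community(v) for v in values}
    route["communities"] = (route["communities"] | new) if additive else new
    return route


def set_community_none(route):
    """`set community none`: strip the attribute entirely."""
    route["communities"] = set()
    return route


def community_list_matches(clist, route):
    """clist: [(action, [community strings]), ...] as in `ip community-list`.

    All communities in a statement must be present (AND); the first matching
    statement decides; a route matching nothing is denied.
    """
    have = route["communities"]
    for action, members in clist:
        if all(parse_community(m) in have for m in members):
            return action == "permit"
    return False


def set_comm_list_delete(clist, route):
    """`set comm-list <n> delete`: drop each community the list permits.

    Each community is tested on its own, so a statement listing several
    communities never matches a single one, which is why IOS requires
    one community per statement in a delete list.
    """
    route["communities"] = {c for c in route["communities"]
                            if not community_list_matches(clist, {"communities": {c}})}
    return route


# Constructed route carrying 200:100 and 200:10.
SAMPLE_ROUTE = {"prefix": "10.0.0.0/24",
                "communities": {parse_community("200:100"), parse_community("200:10")}}

if __name__ == "__main__":
    r = set_comm_list_delete([("permit", ["200:100"])], dict(SAMPLE_ROUTE))
    print(sorted(fmt_community(c) for c in r["communities"]))        # ['200:10']
    r = set_community(r, ["450"], additive=True)
    print(sorted(fmt_community(c) for c in r["communities"]))        # ['0:450', '200:10']
```

Note that a bare 450 is community 0:450, which is how an older-format number shows up once new-format display is enabled; a mismatch between the two notations is a common reason a community list silently fails to match.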
AS Path Filtering • Several scenarios require BGP route filtering based on AS-path • Announce only local routes to the ISP - AS-path needs to be empty • Select routes based on a specific AS-number in the AS-path • Accept routes for specific AS only from some BGP neighbors • AS-path filters use regular expressions
Regular Expressions - Matching Delimiters • ^ matches beginning of string • $ matches end of string • _ matches any delimiter (beginning, end, white space, tab, comma)
Regular Expressions - Operators • * matches zero or more instances • ? matches zero or one instances • + matches one or more instances • . Matches any single character • [ ] Matches characters or a range of characters
Sample Regular Expressions • _100_ – going through AS 100 • ^100$ – directly connected AS 100 and the route originated there (the path is exactly 100) • _100$ – originated in AS 100 • ^100_.* – networks behind AS 100 (directly connected AS 100 and anything reached through it) • ^[0-9]+$ – AS paths one AS long • ^$ – networks originated in the local AS • .* – matches everything
Configuring BGP AS-path Filters R1(config)# ip as-path access-list number permit | deny regexp • Configures AS-path access list R1(config-router)# neighbor ip-address filter-list as-path-filter in | out • Configures inbound or outbound AS-path filter for specified BGP neighbor
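The sample expressions evaluated against AS paths as `show ip bgp` prints them, added here as an example (not from the original slides). The translation of Cisco's `_` into a Python alternation for start, end, space, comma or brace is an assumption of this model, and it is what stops `_100_` from matching AS 1001; the tested paths are constructed.

```python
"""AS-path regular expressions with Cisco `_` semantics.

Added example, not from the original slides. Paths are space-separated as
IOS displays them; a locally originated route has an empty path.
"""
import re

DELIM = r"(?:^|$|[ ,{}])"     # what IOS `_` matches, as a Python alternation


def cisco_regex(pattern):
    """Translate an IOS AS-path regex into a compiled Python pattern."""
    return re.compile(pattern.replace("_", DELIM))


def matches(pattern, as_path):
    return cisco_regex(pattern).search(as_path) is not None


def as_path_access_list(statements, as_path):
    """`ip as-path access-list`: first matching statement wins, implicit deny."""
    for action, pattern in statements:
        if matches(pattern, as_path):
            return action == "permit"
    return False


# The slide's expressions with the meaning each one implements.
SAMPLE_EXPRESSIONS = {
    "going through AS 100": "_100_",
    "only AS 100 in the path": "^100$",
    "originated in AS 100": "_100$",
    "networks behind AS 100": "^100_.*",
    "AS paths one AS long": "^[0-9]+$",
    "originated in the local AS": "^$",
    "everything": ".*",
}


def classify(as_path):
    """Names of the sample expressions that accept the given path."""
    return [name for name, pat in SAMPLE_EXPRESSIONS.items() if matches(pat, as_path)]


if __name__ == "__main__":
    for path in ("", "100", "200 100", "100 200", "1001 200"):
        print(repr(path), "->", classify(path))
```

A filter that drops anything transited through a given AS while still accepting the rest is the typical two-statement list: deny `_65000_`, then permit `.*`; without the final permit the implicit deny would empty the table.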
Conditional Route Injection • Used to inject more specific routes into BGP based on the existence of certain routes: here 10.1.1.0/25 is originated only while the aggregate 10.1.1.0/24 is present in the BGP table and was learned from 10.2.1.1 (the exist-map); copy-attributes gives the injected route the aggregate's attributes
R1(config)# router bgp 50000
R1(config-router)# bgp inject-map ORIGIN exist-map LEARNED copy-attributes
R1(config)# ip prefix-list ROUTE permit 10.1.1.0/24
R1(config)# ip prefix-list ROUTE_SOURCE permit 10.2.1.1/32
R1(config)# ip prefix-list ORIGINATED_ROUTES permit 10.1.1.0/25
R1(config)# route-map LEARNED permit 10
R1(config-route-map)# match ip address prefix-list ROUTE
R1(config-route-map)# match ip route-source prefix-list ROUTE_SOURCE
R1(config)# route-map ORIGIN permit 10
R1(config-route-map)# set ip address prefix-list ORIGINATED_ROUTES
BGP Authentication • Authentication uses the TCP MD5 signature option (RFC 2385): every segment of the session carries an MD5 digest computed over the segment and a shared key, so a peer that does not hold the key cannot inject or spoof segments • It authenticates but does not encrypt; the session is still readable on the wire • Configured on a per neighbor basis; the key must be identical on both sides or the session will not establish
R1(config)# router bgp 10
R1(config-router)# neighbor 10.1.1.2 remote-as 10
R1(config-router)# neighbor 10.1.1.2 password CISCO
R2(config)# router bgp 10
R2(config-router)# neighbor 10.1.1.1 remote-as 10
R2(config-router)# neighbor 10.1.1.1 password CISCO
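What `neighbor ... password` puts on the wire, added here as a worked example (not code from the original slides): the RFC 2385 digest is MD5 over the IP pseudo-header, the fixed TCP header with the checksum zeroed, the payload and the key; options, including the signature option itself, are excluded from the hash but still count toward the segment length. The segment below is a constructed SYN to port 179 and the key is the slide's CISCO; the sender and receiver helpers are this example's own.

```python
"""RFC 2385 TCP MD5 signature, the mechanism behind `neighbor ... password`.

Added example, not from the original slides. The SYN segment is constructed.
"""
import hashlib
import hmac
import socket
import struct

TCP_OPT_MD5 = 19          # option kind; 18 bytes: kind, length, 16-byte digest


def build_tcp_header(sport, dport, seq, ack, flags, window, option_len):
    """Fixed 20-byte TCP header; data offset counts the options that follow."""
    offset_words = (20 + option_len) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       offset_words << 4, flags, window, 0, 0)


def tcp_md5_digest(src_ip, dst_ip, tcp_header, options, payload, key):
    """MD5(pseudo-header || header with checksum=0 || payload || key)."""
    seg_len = len(tcp_header) + len(options) + len(payload)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                         socket.inet_aton(dst_ip), 0, socket.IPPROTO_TCP, seg_len)
    hdr = bytearray(tcp_header)
    hdr[16:18] = b"\x00\x00"              # checksum is hashed as zero
    return hashlib.md5(pseudo + bytes(hdr) + payload + key).digest()


def sign_segment(src_ip, dst_ip, tcp_header, payload, key):
    """Sender side: the option bytes to insert (MD5 option plus two NOP pads)."""
    option_len = 18 + 2
    digest = tcp_md5_digest(src_ip, dst_ip, tcp_header,
                            b"\x00" * option_len, payload, key)   # only the length matters
    return bytes([TCP_OPT_MD5, 18]) + digest + b"\x01\x01"


def verify_segment(src_ip, dst_ip, tcp_header, options, payload, key):
    """Receiver side: find the option, recompute, compare in constant time."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                                     # end of option list
            break
        if kind == 1:                                     # NOP
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            return False                                  # malformed option
        length = options[i + 1]
        if kind == TCP_OPT_MD5 and length == 18:
            received = bytes(options[i + 2:i + 18])
            expected = tcp_md5_digest(src_ip, dst_ip, tcp_header, options, payload, key)
            return hmac.compare_digest(received, expected)
        i += length
    return False          # no signature present: rejected when a password is configured


# Constructed SYN from R1 to R2's BGP port, 20 bytes of options.
SRC, DST, KEY = "10.1.1.1", "10.1.1.2", b"CISCO"
SYN_HEADER = build_tcp_header(49152, 179, 0x12345678, 0, 0x02, 65535, 20)

if __name__ == "__main__":
    opts = sign_segment(SRC, DST, SYN_HEADER, b"", KEY)
    print("signed:", opts.hex())
    print("verify with right key:", verify_segment(SRC, DST, SYN_HEADER, opts, b"", KEY))
    print("verify with wrong key:", verify_segment(SRC, DST, SYN_HEADER, opts, b"", b"WRONG"))
```

Because the sequence number is inside the digest, a spoofed RST or data segment from a host that lacks the key fails verification even if it guesses the sequence window; what the option does not do is hide the OPEN and UPDATE contents.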
Route Flap Dampening • Every time an eBGP route flaps it gets 1000 penalty points (only for eBGP) • The penalty placed on a route is decayed using the exponential decay algorithm • When the penalty exceeds “suppress limit”, the route is dampened (no longer used or propagated to other neighbors) • A dampened route is propagated when the penalty points drops below “reuse limit”
Configuring BGP Route Flap Dampening R1(config-router)# bgp dampening [half-life reuse-limit suppress-limit max-suppress-time] [route-map map] • Parameter meaning: • half-life – exponential decay half-life, the time in which the penalty is halved • suppress-limit – penalty value above which the route is dampened • reuse-limit – penalty value below which a dampened route is reused • max-suppress-time – maximum time a route can stay suppressed • route-map – controls which routes dampening is applied to
Default BGP Dampening Parameter Values • The following defaults are used if you don't specify the parameters: • half-life 15 minutes • per-flap penalty 1,000 (non-configurable) • suppress limit 2,000 • reuse limit 750 • max-suppress-time 60 minutes • The max-suppress-time implies a penalty ceiling of reuse-limit × 2^(max-suppress-time / half-life) = 750 × 16 = 12,000, so no route accumulates more than that however often it flaps
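The dampening arithmetic with the defaults above, added here as a worked example (not from the original slides). The model decays the penalty continuously as penalty × 2^(-minutes / half-life), which makes the time to reach the reuse limit half-life × log2(penalty / reuse-limit); IOS evaluates it at its own timer granularity, so real reuse times are slightly later. The flap times are constructed.

```python
"""Route-flap dampening penalty, decay, suppression and reuse with IOS defaults.

Added example, not from the original slides. Flap times are constructed.
"""
import math


class Dampening:
    def __init__(self, half_life=15, reuse_limit=750, suppress_limit=2000,
                 max_suppress=60, flap_penalty=1000):
        self.half_life = half_life
        self.reuse_limit = reuse_limit
        self.suppress_limit = suppress_limit
        self.flap_penalty = flap_penalty
        # Ceiling implied by max-suppress-time: 750 * 2**4 = 12000 with defaults.
        self.max_penalty = reuse_limit * 2 ** (max_suppress / half_life)

    def decay(self, penalty, minutes):
        """Exponential decay: the penalty halves every half_life minutes."""
        return penalty * 2 ** (-minutes / self.half_life)

    def flap(self, penalty):
        """Each flap adds the fixed penalty, capped at the ceiling."""
        return min(penalty + self.flap_penalty, self.max_penalty)

    def suppressed(self, penalty):
        return penalty > self.suppress_limit

    def minutes_until_reuse(self, penalty):
        """Time for the penalty to decay below the reuse limit."""
        if penalty < self.reuse_limit:
            return 0.0
        return self.half_life * math.log2(penalty / self.reuse_limit)

    def run(self, flap_minutes):
        """Apply flaps at the given minutes; report the state after the last one."""
        penalty, last = 0.0, 0.0
        for t in sorted(flap_minutes):
            penalty = self.flap(self.decay(penalty, t - last))
            last = t
        return {"penalty": penalty,
                "suppressed": self.suppressed(penalty),
                "reuse_in": self.minutes_until_reuse(penalty)}


if __name__ == "__main__":
    d = Dampening()
    print("three quick flaps:", d.run([0, 0, 0]))    # suppressed, reusable after 30 min
    print("two flaps 40 min apart:", d.run([0, 40]))  # never reaches the suppress limit
    print("twenty flaps:", d.run([0] * 20))           # capped at 12000, 60 min to reuse
```

Two flaps land exactly on the suppress limit and are not enough; three are, and the route is then out of service for 30 minutes, which is the cost to weigh before enabling dampening on customer-facing sessions. The 12000 cap is what guarantees the 60-minute maximum.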
Limiting the Number of Routes Received from a Neighbor • Problem definition: • A misconfigured BGP neighbor can send a huge number of prefixes that exhaust router’s memory or overload the CPU • All other filtering mechanisms only specify what we’re willing to accept but not how much • Need to control the number of prefixes received from a neighbor
Maximum-Prefix Command R1(config-router)# neighbor ip-address maximum-prefix maximum [threshold] [warning-only] • Controls how many prefixes can be received from a neighbor • The optional threshold parameter is the percentage of the maximum at which a warning message is logged (default 75%) • The optional warning-only keyword makes exceeding the maximum log a message only; the default action is to tear down the session, which then stays down until it is cleared manually (or until the interval given with the restart keyword expires)
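The difference between the default action and warning-only, added here as an example (not from the original slides): one event per received prefix shows the threshold warning, the point where the session is torn down and nothing more is accepted, versus warning-only where prefixes keep being installed. The session model and the prefixes are constructed.

```python
"""Model of `neighbor <ip> maximum-prefix <max> [threshold] [warning-only]`.

Added example, not from the original slides; prefixes are constructed.
"""


class PrefixLimitedSession:
    def __init__(self, maximum, threshold=75, warning_only=False):
        self.maximum = maximum
        # Warn when the count reaches ceil(maximum * threshold / 100).
        self.threshold_count = -(-maximum * threshold // 100)
        self.warning_only = warning_only
        self.accepted = []
        self.established = True
        self.log = []

    def receive(self, prefix):
        """Process one prefix from the neighbor and return what happened."""
        if not self.established:
            return "dropped"            # session down until cleared
        self.accepted.append(prefix)
        n = len(self.accepted)
        if n > self.maximum:
            if self.warning_only:
                self.log.append(f"warning: {n} prefixes exceed maximum {self.maximum}")
                return "exceeded-warning"
            self.log.append(f"maximum {self.maximum} exceeded, resetting session")
            self.established = False
            self.accepted.clear()       # table entries from this peer are withdrawn
            return "session-reset"
        if n == self.threshold_count:
            self.log.append(f"{n} prefixes received, threshold reached")
            return "threshold"
        return "accepted"


def feed(session, count):
    """Send `count` constructed prefixes and return the event per prefix."""
    return [session.receive(f"10.0.{i}.0/24") for i in range(count)]


if __name__ == "__main__":
    print("default action:", feed(PrefixLimitedSession(4), 6))
    print("warning-only:  ", feed(PrefixLimitedSession(4, warning_only=True), 6))
```

The security point is the trade-off: the default protects the router's memory and CPU at the cost of an outage for everything behind that neighbor, while warning-only preserves reachability but leaves the resource-exhaustion risk in place, so it belongs on peers whose prefix count you monitor rather than on untrusted ones.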
--- CCIE R&S Advanced Lab --- --- Session 5 continued, Multicast ---
Multicast • Address • RPF • Dense / Sparse mode • Source / shared tree • Static RP • Auto-RP • BSR • B-M-B • MSDP / Anycast
Multicast Distribution Trees • Dense mode uses source trees (push model)
Shared Distribution Tree • Sparse mode uses shared trees (pull model)
Characteristics of Distribution Trees
Auto-RP • Uses • Intended for PIMv1 • C-RP candidates • Mapping agent (collects the C-RP announcements and sends RP discovery messages on 224.0.1.40) • The C-RPs announce on 224.0.1.39 • Recommended to locate the C-RP and the mapping agent on the same router • The two Auto-RP groups are flooded in dense mode, so the routers must be able to forward them (sparse-dense mode or the Auto-RP listener) before the RP can be found
BSR Overview • ip pim bsr-border on the interface at the edge of the PIM domain stops bootstrap and candidate-RP messages from being sent or received there, so messages that might inadvertently cross the border into a neighboring domain are blocked
Configuring BSR • Hash mask • Priority
MSDP
Broadcast-Multicast-Broadcast
First-hop router: the directed broadcast from source 126.1.22.1 (UDP 4000 to 126.1.22.255) arriving on ethernet 0 is translated into multicast group 239.1.1.1
interface ethernet 0
 ip pim sparse-mode
 ip multicast helper-map broadcast 239.1.1.1 105
access-list 105 permit udp host 126.1.22.1 host 126.1.22.255 eq 4000
ip forward-protocol udp 4000
Last-hop router: group 239.1.1.1 arriving on serial 0 is translated back into the directed broadcast 131.1.1.255 sent out ethernet 1
interface serial 0
 ip pim sparse-mode
 ip multicast helper-map 239.1.1.1 131.1.1.255 105
interface ethernet 1
 ip directed-broadcast
access-list 105 permit udp host 126.1.22.1 any eq 4000
ip forward-protocol udp 4000
Note: ip directed-broadcast is needed only on the final egress interface; it is off by default because forwarding directed broadcasts turns the segment into a broadcast amplifier, so keep it limited to that interface and to the UDP port the access list permits
--- CCIE R&S Advanced Lab --- --- Session 6 QOS, Security ---
QOS • Modular QoS CLI (MQC) • LLQ • CAR – Committed Access Rate • WRED, CBWRED • Marking • Shaping, FRTS • Fragmenting • NBAR – Network Based Application Recognition
MQC Class-maps • class-map [match-all | match-any] name (match-all is the default) • match xxx • match yyy • match ? lists the classification criteria: • input-interface f0/0 • destination MAC address • source MAC address • fr-de, fr-dlci • cos, dscp, ip precedence • any • access-group • protocol (NBAR; newer protocols are added by downloading PDLMs; NBAR requires CEF) • ip nbar protocol-discovery on an interface reports which protocols are actually seen • packet length min or max