Pete's Packet

Limitless

Archive for January, 2009

CAT 3560: how to activate IPv6

Posted by Peter Kurdziel on January 16, 2009

conf t

sdm prefer dual-ipv4-and-ipv6 default

A reload is needed for this to take effect.

Posted in CATALYST, Routing & Switching Lab

BGP regexp

Posted by Peter Kurdziel on January 15, 2009

.* 			Matches anything
.+ 			Match at least one character
^$ 			Match routes local to this AS
_1800$ 			Originated by 1800
^1800_ 			Received from 1800
_1800_ 			Via 1800
_790_1800_ 		Passing through 1800 then 790
_(1800_)+ 		Match at least one of 1800 in sequence
_\(65350\)_ 		Via 65350 (confederation AS)
^[0-9]+$		Match AS_PATH length of one
^[0-9]+_[0-9]+$		Match AS_PATH length of two
^[0-9]*_[0-9]+$		Match AS_PATH length of one or two
^[0-9]*_[0-9]*$		Match AS_PATH length of one or two, and will also match zero
^[0-9]+_[0-9]+_[0-9]+$	Match AS_PATH length of three
_(701|1800)_ 		Match anything which has gone through AS701 or AS1800
_1849(_.+._)12163$	Match anything of origin AS12163 and passed through AS1849
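An added example (not part of the original post) that implements the IOS meaning of "_" (start or end of the AS_PATH, a space, a comma, or AS_SET/confederation braces) so the patterns in the table above can be tried offline; the AS_PATH strings are constructed samples:

```python
import re

# In IOS an underscore in an AS_PATH regex matches the start or end of the
# path, a space, a comma, or the braces/parentheses of AS_SET and
# confederation segments. This is the equivalent Python sub-pattern.
UNDERSCORE = r"(?:^|$|[ ,{}()])"


def cisco_to_python(pattern: str) -> str:
    """Translate an IOS-style AS_PATH regex into an equivalent Python regex."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(pattern[i:i + 2])   # keep escapes such as \( and \) as written
            i += 2
            continue
        out.append(UNDERSCORE if ch == "_" else ch)
        i += 1
    return "".join(out)


def as_path_matches(pattern: str, as_path: str) -> bool:
    """True if the IOS pattern matches an AS_PATH written as 'show ip bgp' prints it."""
    return re.search(cisco_to_python(pattern), as_path) is not None


def filter_paths(pattern: str, as_paths):
    """Return the AS_PATHs from as_paths that the pattern selects, in input order."""
    return [p for p in as_paths if as_path_matches(pattern, p)]


# Constructed sample AS_PATHs; leftmost AS = the neighbor the route came from.
SAMPLE_PATHS = [
    "",                      # locally originated route
    "1800",                  # received directly from AS 1800, which originated it
    "300 200",
    "790 1800",              # originated by 1800, then passed through 790
    "1800 790",
    "300 1800 200",
    "100 (65350) 200",       # confederation sub-AS 65350 in the path
    "1849 300 12163",
    "701 1800 1800 12163",   # prepended 1800s
]

# The patterns from the table above, each with its meaning.
PATTERNS = {
    "^$": "local to this AS",
    "_1800$": "originated by 1800",
    "^1800_": "received from 1800",
    "_1800_": "via 1800",
    "_790_1800_": "through 1800 then 790",
    "_(1800_)+": "one or more 1800 in sequence",
    r"_\(65350\)_": "via confederation AS 65350",
    "^[0-9]+$": "AS_PATH length one",
    "^[0-9]+_[0-9]+$": "AS_PATH length two",
    "^[0-9]*_[0-9]+$": "AS_PATH length one or two",
    "_(701|1800)_": "through AS701 or AS1800",
    "_1849(_.+._)12163$": "origin 12163, passed through 1849",
}


if __name__ == "__main__":
    for pattern, meaning in PATTERNS.items():
        print(f"{pattern:22} {meaning:36} -> {filter_paths(pattern, SAMPLE_PATHS)}")
```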

Posted in BGP, Routing & Switching Lab

BGP notes

Posted by Peter Kurdziel on January 9, 2009


Config the routers in AS 100 to form an IBGP peering and advertise each router's loopback0 into AS 100.

r1

router bgp 100
neighbor 10.1.1.2 remote-as 100
no sync
network 1.0.0.0

r2

router bgp 100
neighbor 10.1.1.1 remote-as 100
no sync
net 2.0.0.0
————————-

config a full mesh

r1

router bgp 100
neighbor 10.1.1.2 remote-as 200
neighbor 10.1.1.3 remote-as 300
no sync
no auto
network 1.0.0.0

r2

router bgp 200
neighbor 10.1.1.1 remote-as 100
neighbor 10.1.1.3 remote-as 300
no sync
no auto
net 2.0.0.0

r3
router bgp 300
no auto
no sync
neighbor 10.1.1.1 remote-as 100
neighbor 10.1.1.2 remote-as 200
net 3.0.0.0

R1(config-router)#do sho ip bgp
BGP table version is 11, local router ID is 192.168.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.0.0.0          0.0.0.0                  0         32768 i
*  2.0.0.0          10.1.1.2                               0 300 200 i
*                   10.1.1.2                               0 400 200 i
*>                  10.1.1.2                 0             0 200 i
*  3.0.0.0          10.1.1.3                               0 400 300 i
*                   10.1.1.3                               0 200 300 i
*>                  10.1.1.3                 0             0 300 i
*  4.0.0.0          10.1.1.4                               0 300 400 i
*                   10.1.1.4                               0 200 400 i
*>                  10.1.1.4                 0             0 400 i

Note there is no local preference. This is because the prefixes are advertised by an EBGP peer.
The best selection is the shortest AS path.
The metric (MED) is zero on some prefixes and on others it is not assigned. This is because when the prefix is advertised by the ORIGINATING AS the metric is set to 0, but when the same prefix is advertised by ANOTHER AS the MED value is removed.
w. l. a. m.
weight & local pref
as-path and med
—————————————-

peer-groups

router bgp 999
no auto
net 172.16.0.0

neighbor BGPPG peer-group
neighbor BGPPG remote-as 888
neighbor BGPPG update-source loopback0
neighbor BGPPG password cisco

you need an IGP for NLRI
router rip
no au
ver 2
net 10.0.0.0
net 1.0.0.0

sho ip bgp
sho ip bgp peer-group

NOTE: peer-groups are for peers with an identical outbound policy.
—————————————

template peer-session

router bgp 999
no auto
net 172.16.0.0

template peer-session COMMON
password cisco
ver 4

template peer-session IBGP
inherit peer-session COMMON
update-source loop0
remote-as 100

nei 1.1.1.1 inherit peer-session IBGP
nei 2.2.2.2 inherit peer-session IBGP

NOTE:
Used to apply specific commands to a group of neighbors. Nested peer-sessions are supported via the INHERIT PEER-SESSION command. Only session-specific cmds are supported.
—————————————–

Config R2 to change the next hop IP address for all networks advertised by R1.

router bgp 200
template peer-policy PEERPOLICYTEST
next-hop-self

neighbor 172.16.31.3 inherit peer-policy PEERPOLICYTEST
neighbor 172.16.31.4 inherit peer-policy PEERPOLICYTEST

NOTE:
peer-policy templates can only inherit peer-policies.

before:
Network          Next Hop            Metric LocPrf Weight Path
* i1.1.0.0/24       10.1.12.1                0    100      0 100 i
* i1.1.1.0/24       10.1.12.1                0    100      0 100 i
* i1.1.2.0/24       10.1.12.1                0    100      0 100 i
* i1.1.3.0/24       10.1.12.1                0    100      0 100 i
*>i2.0.0.0          10.1.234.2               0    100      0 i
*>i3.0.0.0          10.1.234.3               0    100      0 i
*> 4.0.0.0          0.0.0.0                  0         32768 i
* i100.1.1.0/24     10.1.12.1                0    100      0 100 i
* i100.2.2.0/24     10.1.12.1                0    100      0 100 i
R4(config-router)#

AFTER:
Network          Next Hop            Metric LocPrf Weight Path
*>i1.1.0.0/24       10.1.234.2               0    100      0 100 i
*>i1.1.1.0/24       10.1.234.2               0    100      0 100 i
*>i1.1.2.0/24       10.1.234.2               0    100      0 100 i
*>i1.1.3.0/24       10.1.234.2               0    100      0 100 i
*>i2.0.0.0          10.1.234.2               0    100      0 i
*>i3.0.0.0          10.1.234.3               0    100      0 i
*> 4.0.0.0          0.0.0.0                  0         32768 i
*>i100.1.1.0/24     10.1.234.2               0    100      0 100 i
*>i100.2.2.0/24     10.1.234.2               0    100      0 100 i
————————————————————

35 additional routers will be added to this AS in the near future; to minimize peer relationships use route reflectors.

Every IBGP speaker must be fully meshed (every router has a peer session to every other router). If they are not, you must use a route reflector.
The RR must have a peer session established to every RR client.
Clients only need a peer relationship with the RR.
The RR will reflect routes learned from one client to the other client(s).

r1
router bgp 123
neighbor 10.1.12.2 route-reflector-client
neighbor 10.1.13.3 route-reflector-client

r2
neighbor 10.1.13.1 remote-as 100
no neighbor 10.1.13.3 remote-as 100

r3
neighbor 10.1.12.1 remote-as 100
no neighbor 10.1.12.2 remote-as 100
——————————————–

When using multiple RRs: a cluster is a RR and its clients. When using multiple RRs make sure the cluster-id is unique. The cluster-id uses the router-id!!! Make sure you set the router ID.

sh ip bgp 6.0.0.0
BGP routing table entry for 6.0.0.0/8, version 6
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Advertised to update-groups:
2
Local
10.1.46.6 (metric 1) from 10.1.14.4 (4.4.4.4)
Origin IGP, metric 0, localpref 100, valid, internal, best
Originator: 6.6.6.6, Cluster list: 4.4.4.4
———————————————————-

If you lose the link between r2 <> r3 you will lose connectivity to loopback1 on both routers. Advertise lo1 on both routers.

r2
Router bgp 200
network 2.2.2.0 mask 255.255.255.0
r3
router bgp 300
network 3.3.3.0 mask 255.255.255.0
————————————————————-

After you advertised loop1 (previous task) you discovered that traffic is not using the directly connected link.

Before:
R2(config-router)#do trace 150.1.3.3

Type escape sequence to abort.
Tracing the route to 150.1.3.3

1 10.1.12.1 44 msec 56 msec 16 msec
2 10.1.13.3 24 msec *  76 msec

R2(config-router)#netw 150.1.3.0 mask 255.255.255.0 backdoor

R2(config-router)#do trace 150.1.3.3

Type escape sequence to abort.
Tracing the route to 150.1.3.3

1 150.1.23.3 36 msec *  40 msec
R2(config-router)#

EBGP is 20 and EIGRP is 90, so the backdoor command assigns an admin distance of 200, making EIGRP more believable.
So here you configured the neighbor's loopback address and made it a backdoor route.
——————————————

If net 2.0.0.0 is up and it's advertised to R1, R1 should take the following actions:
-R1 should NOT advertise its network 1.0.0.0/8 to R3
-R1 should ONLY advertise network 2.0.0.0/8 to R3

However, if net 2.0.0.0/8 is down then R1 should take the following actions:
-R1 should advertise network 1.0.0.0/8 to R3
-R1 should remove network 2.0.0.0/8 from its BGP table.

To conditionally advertise selected routes we can use the following commands:
advertise-map
non-exist-map
exist-map

r1
access-list 1 permit 1.0.0.0 0.255.255.255
access-list 2 permit 2.0.0.0 0.255.255.255
route-map ADV per 10
match ip add 1
route-map NotThere per 10
match ip add 2

router bgp 100
neighbor 10.1.13.3 advertise-map ADV non-exist-map NotThere

advertise-map map-name
Specifies the name of the route map that will be advertised if the conditions of the exist map or non-exist map are met.

exist-map map-name
Specifies the name of the route map that will be compared to the advertise map. If the condition is met and a match occurs between the advertise map and exist map, the route will be advertised. If no match occurs, then the condition is not met, and the route is withdrawn.

non-exist-map map-name
Specifies the name of the route map that will be compared to the advertise map. If the condition is met and no match occurs, the route will be advertised. If a match occurs, then the condition is not met, and the route is withdrawn.

note: the advertise-map specifies the name of the route-map that will be advertised if the condition of the non-exist-map is met.

neighbor 10.1.13.3 advertise-map ADV (match 1.0.0.0) non-exist-map NotThere (match 2.0.0.0)

so bgp will advertise 1.0.0.0 if 2.0.0.0 is not there. But if 2.0.0.0 is there then it will not advertise the 1.0.0.0 prefix.

note: the non-exist-map specifies the route-map that will be compared to the advertise-map. If the condition is met then the route will be advertised. If a match occurs then the condition is NOT met and the route will be withdrawn.

neighbor 10.1.13.3 advertise-map ADV (match 1.0.0.0) non-exist-map NotThere (match 2.0.0.0)

so because 2.0.0.0 is there when the non-exist-map looks to match the 2.0.0.0 prefix, the 1.0.0.0 prefix is not advertised

sho ip bgp nei 10.1.13.3 advertised-routes
————————————————————-

config the following policy
1- if both 1.0.0.0 & 2.0.0.0 are up then both networks should be advertised to R3.
2- if net 1.0.0.0 is down, R1 should NOT advertise net 2.0.0.0 to R3
3- if net 2.0.0.0 is down, then R1 should only advertise 1.0.0.0 to R3

access-list 1 per 1.0.0.0 0.255.255.255
access-list 2 per 2.0.0.0 0.255.255.255

route-map ADV per 10
match ip add 2
route-map EXIST per 10
match ip add 1

router bgp 100
neig 10.1.13.3 advertise-map ADV (2.0.0.0) exist-map EXIST (1.0.0.0)

so if the exist-map matches the prefixes in EXIST (1.0.0.0) and in the advertise-map ADV (2.0.0.0) then the prefix is advertised.

to test condition #1
sh ip bgp nei 10.1.13.3 advertised-routes

BGP table version is 20, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network          Next Hop            Metric LocPrf Weight Path
*> 1.0.0.0          0.0.0.0                  0         32768 i
*> 2.0.0.0          10.1.12.2                0             0 200 i

note: since EXIST and ADV both match the prefixes in the bgp table, both networks are advertised. So since 1.0.0.0 exists both 1.0.0.0 and 2.0.0.0 will be advertised.

to test condition #2 - so if 1.0.0.0 is down it should not advertise 2.0.0.0

r1
int lo0
shut

sh ip bgp nei 10.1.13.3 advertised-routes
Total number of prefixes 0

note: since the exist-map did not match EXIST (because 1.0.0.0 is down and the prefix is not in the bgp table) the EXIST prefix and the ADV prefix are not advertised.

to test condition #3 – if 2.0.0.0 is down it should advertise 1.0.0.0
sho ip bgp nei 10.1.13.3 adver
BGP table version is 21, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network          Next Hop            Metric LocPrf Weight Path
*> 1.0.0.0          0.0.0.0                  0         32768 i

Total number of prefixes 1

note: since the advertise-map (2.0.0.0 is down) did not match ADV, 2.0.0.0 was not advertised.
————————————————

neig 10.1.13.3 advertise-map ADV (2.0.0.0) exist-map EXIST (1.0.0.0)

if 1.0.0.0 prefix exists advertise both 1.0.0.0 & 2.0.0.0.
if 1.0.0.0 does not exist do not advertise anything.
if 1.0.0.0 exists but 2.0.0.0 does not exist advertise 1.0.0.0.

neighbor 10.1.13.3 advertise-map ADV (match 1.0.0.0) non-exist-map NotThere (match 2.0.0.0)

if 2.0.0.0 does not exist advertise 1.0.0.0
if 2.0.0.0 does exist 2.0.0.0 will be advertised and ADV 1.0.0.0 will not be advertised. The point of a non-exist-map is that there should be no match, and if there is a match then the advertise-map is not advertised even if the prefix is in the bgp table.

so bgp will advertise 1.0.0.0 if 2.0.0.0 is not there. But if 2.0.0.0 is there then it will not advertise the 1.0.0.0 prefix
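The decision the two conditional-advertisement forms make, modelled as an added Python example (not from the post) with plain sets of prefixes standing in for the ACL/route-map matches on the router; it reproduces the three exist-map test conditions and the two non-exist-map cases summarized above:

```python
from typing import Dict, Iterable, Optional, Set


def conditional_advertisement(bgp_table: Iterable[str], advertise_map: Iterable[str],
                              exist_map: Optional[Iterable[str]] = None,
                              non_exist_map: Optional[Iterable[str]] = None) -> Set[str]:
    """Prefixes that go out to the neighbor under
    'neighbor X advertise-map ADV exist-map M' or '... non-exist-map M'.

    bgp_table      prefixes currently in the local BGP table
    advertise_map  prefixes the advertise-map matches (the conditionally sent ones)
    exist_map      tracked prefixes; ADV prefixes are sent only if at least one is present
    non_exist_map  tracked prefixes; ADV prefixes are sent only if none is present
    Prefixes the advertise-map does not match are unaffected and sent as usual.
    """
    if (exist_map is None) == (non_exist_map is None):
        raise ValueError("give exactly one of exist_map or non_exist_map")
    table = set(bgp_table)
    if exist_map is not None:
        condition_met = bool(table & set(exist_map))
    else:
        condition_met = not (table & set(non_exist_map))
    unconditional = table - set(advertise_map)
    conditional = table & set(advertise_map) if condition_met else set()
    return unconditional | conditional


# Constructed scenarios from the tasks above (ACL 1 = 1.0.0.0/8, ACL 2 = 2.0.0.0/8).
def exist_map_scenarios() -> Dict[str, Set[str]]:
    """advertise-map ADV (2.0.0.0) exist-map EXIST (1.0.0.0): the three test conditions."""
    adv, exist = {"2.0.0.0/8"}, {"1.0.0.0/8"}
    return {
        "both up": conditional_advertisement({"1.0.0.0/8", "2.0.0.0/8"}, adv, exist_map=exist),
        "1.0.0.0 down": conditional_advertisement({"2.0.0.0/8"}, adv, exist_map=exist),
        "2.0.0.0 down": conditional_advertisement({"1.0.0.0/8"}, adv, exist_map=exist),
    }


def non_exist_map_scenarios() -> Dict[str, Set[str]]:
    """advertise-map ADV (1.0.0.0) non-exist-map NotThere (2.0.0.0)."""
    adv, not_there = {"1.0.0.0/8"}, {"2.0.0.0/8"}
    return {
        "2.0.0.0 present": conditional_advertisement({"1.0.0.0/8", "2.0.0.0/8"}, adv,
                                                     non_exist_map=not_there),
        "2.0.0.0 absent": conditional_advertisement({"1.0.0.0/8"}, adv,
                                                    non_exist_map=not_there),
    }
```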

——————————————————————————

As a general rule, weight and local-preference are used to affect how traffic leaves the autonomous system, while AS-Path and MED are used to affect how traffic enters the AS.

Prefixes with a higher weight value are preferred. The default weight value for all prefixes is 0, with the exception of locally originated prefixes which receive a weight of 32768 (half of maximum).
———————

Normal prefix-list syntax is as follows:

ip prefix-list [name] [permit | deny] [prefix]/[len]

Where name is any name or number, prefix is the exact routing prefix (network),
and len is the exact prefix-length (subnet mask). Take the following examples:

ip prefix-list LIST permit 1.2.3.0/24

The above is an exact match for the network 1.2.3.0 with the exact subnet mask
of 255.255.255.0. This list does not match 1.2.0.0/24, nor does it match
1.2.3.4/32, nor anything in between.

ip prefix-list LIST permit 0.0.0.0/0

The above is an exact match for the network 0.0.0.0 with the exact subnet mask
of 0.0.0.0. This is used to match a default route.

Typical confusion about the prefix-list comes into play when the keywords "GE"
(greater than or equal to) and "LE" (less than or equal to) are added to the prefix-list.
This is due to the fact that the "len" value changes meaning when the GE or
LE keywords are used.

This alternate syntax is as follows:

ip prefix-list [name] [permit | deny] [prefix]/[len] ge [min_length] le [max_length]
Where name is any name or number, prefix is the routing prefix to be checked
against, len is the amount of bits starting from the most significant (left most) to
check, min_length is the minimum subnet mask value, and max_length is the
maximum subnet mask value.

When using the GE and LE values, the following condition must be satisfied:
len < GE <= LE

The above syntax, while confusing at first, simply means that a range of
addresses will be matched based on the prefix and the subnet mask range.

Take the following examples:
ip prefix-list LIST permit 1.2.3.0/24 le 32

The above syntax means that the first 24 bits of the prefix 1.2.3.0 must match.
Additionally, the subnet mask must be less than or equal to 32.

ip prefix-list LIST permit 0.0.0.0/0 le 32

The above syntax means that zero bits of the prefix must match. Additionally,
the subnet mask must be less than or equal to 32. Since all networks have a
subnet mask less than or equal to 32, and no bits of the prefix are matched, this
statement equates to an explicit permit any.

ip prefix-list LIST permit 10.0.0.0/8 ge 21 le 29

The above syntax means that the first 8 bits of the prefix 10.0.0.0 must match.
Additionally, the subnet mask is between 21 and 29 inclusive.

The above task states that prefixes with a subnet mask greater than /20 should
not be accepted from AS 54. Therefore, zero bits of the actual prefix need to be
checked. Instead, it must only be true that the subnet mask is less than or equal
to /20. The syntax for this list is therefore as follows:

ip prefix-list SLASH_20_AND_UNDER seq 5 permit 0.0.0.0/0 le 20

Note
A prefix-list cannot be used to match on arbitrary bit patterns like an access-list
can. Prefix-lists cannot be used to check if a number is even or odd, nor
check if a number is divisible by 15, etc. Bit checking in a prefix-list is
sequential, and must start with the most significant (leftmost) bit.
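An added Python example (not part of the original text) that parses the ip prefix-list syntax described above, enforces len < ge <= le <= 32, and applies the first-match/implicit-deny evaluation to the examples in this section:

```python
import re
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import List, Optional

# ip prefix-list NAME [seq N] permit|deny A.B.C.D/len [ge X] [le Y]
ENTRY_RE = re.compile(
    r"^ip prefix-list (?P<name>\S+)(?: seq (?P<seq>\d+))? (?P<action>permit|deny) "
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+)/(?P<len>\d+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$"
)


@dataclass
class PrefixListEntry:
    action: str
    prefix: int            # network address as a 32-bit integer
    length: int            # leading bits of the candidate that must equal the prefix
    min_len: int           # shortest mask the entry matches
    max_len: int           # longest mask the entry matches
    seq: Optional[int] = None

    @classmethod
    def parse(cls, line: str) -> "PrefixListEntry":
        m = ENTRY_RE.match(line.strip())
        if not m:
            raise ValueError(f"not a prefix-list entry: {line!r}")
        length = int(m["len"])
        ge = int(m["ge"]) if m["ge"] else None
        le = int(m["le"]) if m["le"] else None
        # No ge/le: the mask must equal len exactly. ge alone: ge..32.
        # le alone: len..le. Both: ge..le. IOS requires len < ge <= le <= 32.
        min_len = ge if ge is not None else length
        max_len = le if le is not None else (32 if ge is not None else length)
        if (ge is not None and ge <= length) or not min_len <= max_len <= 32:
            raise ValueError(f"violates len < ge <= le <= 32: {line!r}")
        net = IPv4Network(f"{m['prefix']}/{length}", strict=False)
        seq = int(m["seq"]) if m["seq"] else None
        return cls(m["action"], int(net.network_address), length, min_len, max_len, seq)

    def matches(self, candidate: str) -> bool:
        net = IPv4Network(candidate, strict=False)
        if not self.min_len <= net.prefixlen <= self.max_len:
            return False
        shift = 32 - self.length          # compare only the first `length` bits
        return (int(net.network_address) >> shift) == (self.prefix >> shift)


class PrefixList:
    """Entries are evaluated in sequence-number order; first match wins and an
    unmatched candidate is denied, as on the router."""

    def __init__(self, lines: List[str]):
        self.entries: List[PrefixListEntry] = []
        next_seq = 5
        for line in lines:
            if not line.strip():
                continue
            entry = PrefixListEntry.parse(line)
            if entry.seq is None:
                entry.seq = next_seq          # IOS auto-numbers in steps of 5
            next_seq = entry.seq + 5
            self.entries.append(entry)
        self.entries.sort(key=lambda e: e.seq)

    def permits(self, candidate: str) -> bool:
        for entry in self.entries:
            if entry.matches(candidate):
                return entry.action == "permit"
        return False


def slash_20_and_under(candidate: str) -> bool:
    """The SLASH_20_AND_UNDER list from the text: only masks of /20 or shorter pass."""
    return PrefixList(["ip prefix-list SLASH_20_AND_UNDER seq 5 permit 0.0.0.0/0 le 20"]).permits(candidate)
```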
—————————————————————————–

There are four (previously three) ways to originate prefixes in BGP. The first is to
use the network statement. Secondly, a route may be originated through the
redistribute statement. Next, the aggregate-address command can originate a
summary route based on more specific routes in the BGP table. A new method
of BGP route generation is the inject-map, and will be covered in later scenarios.

—————————————————————————————

router bgp 100
bgp dampening

sho ip bgp damp para
dampening 15 750 2000 60 (DEFAULT)
—————————————–

Config r9 as follows:

-net 90.9.9.0/24 damp parameters: max-suppress-time 90, reuse 800, suppress 2400, half-time 20
-net 99.9.9.0/24 damp parameters: max-suppress-time 60, reuse 700, suppress 2000, half-time 15

ip access-list standard NET90
permit 90.9.9.0 0.0.0.255

ip access-list stan NET99
permit 99.9.9.0 0.0.0.255

route-map DAMP per 10
match ip add NET90
set damp 20 800 2400 90

route-map DAMP per 20
match ip address NET99
set damp 15 700 2000 60

router bgp 999
bgp dampening route-map DAMP

sh ip bgp damp para
dampening 20 800 2400 90 (route-map DAMP)
Half-life time      : 20 mins       Decay Time       : 3490 secs
Max suppress penalty: 18075         Max suppress time: 90 mins
Suppress penalty    :  2400         Reuse penalty    : 800

dampening 15 700 2000 60 (route-map DAMP)
Half-life time      : 15 mins       Decay Time       : 2235 secs
Max suppress penalty: 11200         Max suppress time: 60 mins
Suppress penalty    :  2000         Reuse penalty    : 700
————————————————————

config route dampening on r2 so all existing and future PREFIXES from AS 300 use these dampening parameters:
max-suppress-time 80
reuse 750
suppress 2200
half-time 30

r2
ip as-path access-list 1 permit ^300$

route-map ALL300 per 10
match as-path 1
set dampening    30 750 2200 80
route-map ALL300 per 20

router bgp 200
bgp dampening route-map ALL300
———————————

config r2 so it summarizes all its loopbacks and advertises a single summary. Do not use an atomic-aggregate.

router bgp 200
aggregate-address 2.2.0.0 255.255.252.0 summary-only as-set

note: By default the aggregate and all the specific routes are advertised. The summary-only will suppress the prefixes on r2 so r2's neighbors will not see the more specific routes.
When you aggregate, by default the ATOMIC-AGGREGATE attribute is attached to the aggregate address, alarming administrators that certain info could be hidden. To prevent the atomic-aggregate from being advertised append the as-set to the aggregate-address.

r1 – before
Network          Next Hop            Metric LocPrf Weight Path
*> 1.0.0.0          0.0.0.0                  0         32768 i
*> 2.2.0.0/24       10.1.12.2                0             0 200 i
*> 2.2.0.0/22       10.1.12.2                0             0 200 i
*> 2.2.1.0/24       10.1.12.2                0             0 200 i
*> 2.2.2.0/24       10.1.12.2                0             0 200 i
*> 2.2.3.0/24       10.1.12.2                0             0 200 i

sho ip bgp 2.2.0.0/22
BGP routing table entry for 2.2.0.0/22, version 13
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Not advertised to any peer
200, (aggregated by 200 2.2.2.2)
10.1.12.2 from 10.1.12.2 (2.2.2.2)
Origin IGP, metric 0, localpref 100, valid, external, atomic-aggregate, best

r1 – after

Network          Next Hop            Metric LocPrf Weight Path
*> 1.0.0.0          0.0.0.0                  0         32768 i
*> 2.2.0.0/22       10.1.12.2                0             0 200 i

sho ip bgp 2.2.0.0/22
BGP routing table entry for 2.2.0.0/22, version 14
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Flag: 0x820
Not advertised to any peer
200, (aggregated by 200 2.2.2.2)
10.1.12.2 from 10.1.12.2 (2.2.2.2)
Origin IGP, metric 0, localpref 100, valid, external, best

r2 – before
Network          Next Hop            Metric LocPrf Weight Path
*> 1.0.0.0          10.1.12.1                0             0 100 i
*> 2.2.0.0/24       0.0.0.0                  0         32768 i
*> 2.2.0.0/22       0.0.0.0                            32768 i
*> 2.2.1.0/24       0.0.0.0                  0         32768 i
*> 2.2.2.0/24       0.0.0.0                  0         32768 i
*> 2.2.3.0/24       0.0.0.0                  0         32768 i

r2 – after

BGP table version is 11, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network          Next Hop            Metric LocPrf Weight Path
*> 1.0.0.0          10.1.12.1                0             0 100 i
s> 2.2.0.0/24       0.0.0.0                  0         32768 i
*> 2.2.0.0/22       0.0.0.0                            32768 i
s> 2.2.1.0/24       0.0.0.0                  0         32768 i
s> 2.2.2.0/24       0.0.0.0                  0         32768 i
s> 2.2.3.0/24       0.0.0.0                  0         32768 i

note: another way to advertise an aggregate is via a static route that matches the aggregate route and then advertising the aggregate in BGP (but in this scenario we can not do it this way).
ip route 2.2.0.0 255.255.252.0 null0

router bgp 200
network 2.2.0.0 mask 255.255.252.0

———————————————————————–

1 - R2 should aggregate all the networks in the 3.1.0.0 address space and advertise a single route that only aggregates the specific routes for subnets under the 3.0.0.0 network; make sure the atomic-aggregate is not attached to the aggregate route.

2 - R1 in AS100 should be the only AS that receives the aggregate route. R3 or future peers should not receive the route. R1 should use R2 as the next hop to reach any of the specific routes within the aggregate.

3 - R1 should not use R2 if its net 3.1.11.0/24 is down. R3 does not need NLRI to net 3.1.11.0/24 advertised by R1.

1 - R2 should aggregate all the networks in the 3.1.0.0 address space and advertise a single route that only aggregates the specific routes for subnets under the 3.0.0.0 network; make sure the atomic-aggregate is not attached to the aggregate route.

r2
router bgp 200
aggregate-address 3.1.0.0 255.255.240.0 summary-only as-set

2 - R1 in AS100 should be the only AS that receives the aggregate route. R3 or future peers should not receive the route. R1 should use R2 as the next hop to reach any of the specific routes within the aggregate.

r2
ip as-path access-list 1 permit ^300$

route-map ONLYsendtoR1 perm 10
match as-path 1

router bgp 200
aggregate-address 3.1.0.0 255.255.240.0 as-set summary-only advertise-map ONLYsendtoR1

3 - R1 should not use R2 if its net 3.1.11.0/24 is down. R3 does not need NLRI to net 3.1.11.0/24 advertised by R1.

r1
ip route 3.1.11.0 255.255.255.0 null0

note: 3.1.11.0/24 is directly connected via loopback0. If I shut down loop0 the static route takes effect, otherwise the directly connected interface wins. Both have an admin distance of 0.

———————————————————————————————–

config R2 so that the aggregate route has a metric of 50

route-map COST permit 10
set metric 50
route-map COST permit 20

router bgp 200
aggregate-address 3.1.0.0 255.255.240.0 summary-only advertise-map ONLYsendtoR1 as-set attribute-map COST
———————————————————————————————————

The policy on R1 requires that it should receive the aggregate route plus one of the more specific subnets (3.1.3.0/24). This policy should be configured and tested in three different ways using a suppress-map and unsuppress-map.

1.
access-list 1 deny 3.1.3.0 0.0.0.255
access-list 1 permit any

route-map SUPPRESS per 10
matc ip add 1

router bgp 200
aggregate-address 3.1.0.0 255.255.240.0 summary-only advertise-map ONLYsendtoR1 as-set attribute-map COST suppress-map SUPPRESS

clear ip bgp *

r1
sh ip bgp

Network          Next Hop            Metric LocPrf Weight Path
*> 2.0.0.0          10.1.12.2                0             0 200 i
*> 3.1.0.0/20       10.1.12.2               50             0 200 300 i
*> 3.1.3.0/24       10.1.12.2                              0 200 300 i
*> 3.1.11.0/24      0.0.0.0                  0         32768 i

2.
no access-list 1
access-list 1 permit 3.1.3.0 0.0.0.255

route-map SUPPRESS deny 10
matc ip add 1
route-map SUPPRESS permit 20

router bgp 200
aggregate-address 3.1.0.0 255.255.240.0 summary-only advertise-map ONLYsendtoR1 as-set attribute-map COST suppress-map SUPPRESS

clear ip bgp *
r1
sh ip bgp

Network          Next Hop            Metric LocPrf Weight Path
*> 2.0.0.0          10.1.12.2                0             0 200 i
*> 3.1.0.0/20       10.1.12.2               50             0 200 300 i
*> 3.1.3.0/24       10.1.12.2                              0 200 300 i
*> 3.1.11.0/24      0.0.0.0                  0         32768 i

3.
no route-map SUPPRESS
route-map SUPPRESS per 10
matc ip add 1

router bgp 200
aggregate-address 3.1.0.0 255.255.240.0 summary-only advertise-map ONLYsendtoR1 as-set attribute-map COST suppress-map SUPPRESS
neighbor 10.1.12.1 unsuppress-map SUPPRESS

clear ip bgp *
r1
sh ip bgp

Network          Next Hop            Metric LocPrf Weight Path
*> 2.0.0.0          10.1.12.2                0             0 200 i
*> 3.1.0.0/20       10.1.12.2               50             0 200 300 i
*> 3.1.3.0/24       10.1.12.2                              0 200 300 i
*> 3.1.11.0/24      0.0.0.0                  0         32768 i

=====================
aggregate-address 3.1.0.0 255.255.240.0 <- creates and advertises an aggregate route 3.1.0.0/22

aggregate-address 3.1.0.0 255.255.240.0 summary-only <- summary-only = does NOT advertise the more specific routes.

aggregate-address 3.1.0.0 255.255.240.0 summary-only advertise-map ONLYsendtoR1 <- advertise-map ONLYsendtoR1 = only advertise to R1

aggregate-address 3.1.0.0 255.255.240.0 summary-only advertise-map ONLYsendtoR1 as-set <- as-set = do NOT send the atomic-aggregate.

aggregate-address 3.1.0.0 255.255.240.0 summary-only advertise-map ONLYsendtoR1 as-set attribute-map COST <- attribute-map COST = route-map sets the cost to 50

aggregate-address 3.1.0.0 255.255.240.0 summary-only advertise-map ONLYsendtoR1 as-set attribute-map COST suppress-map SUPPRESS <- suppress-map SUPPRESS =
1 = route-map SUPPRESS permits but the acl denies, so the more specific route is advertised.
2 = route-map SUPPRESS denies but the acl permits, so the more specific route is advertised.
3 = route-map SUPPRESS permits and the acl permits, but it is dropped from the aggregate address via neighbor 10.1.12.1 unsuppress-map SUPPRESS, so the more specific route is advertised.

————————————————————————–
Config r1 so it has the aggregate address plus the specific route 3.1.3.0/24. R1 should NOT advertise this subnet. (Config a static route or redistribute to accomplish this task. ** is this a typo?) Do not config R2.

r1
router bgp 100
ip prefix-list NET permit 3.1.3.0/24
ip prefix-list AGG permit 3.1.0.0/20
ip prefix-list R2 permit 10.1.12.2/32

route-map EXIST per 10
match ip addr prefix-list AGG
match ip route-source prefix-list R2

route-map INJECT per 10
set ip addr prefix-list NET

router bgp 100
bgp inject-map INJECT exist-map EXIST

note:If the condition in the EXIST map is true the route is injected by the INJECT-MAP.
—————————————————————————————–

When EBGP peers are Frame-Relay spokes it is necessary to increase the starting TTL with the neighbor ebgp-multihop command. This command is also required when EBGP peers are on separate subnets, or when they are peered to loopbacks.
———————————————————–

Using the community attribute, config r1 so that when it advertises net 1.0.0.0/8 to r2 in AS200, R2 does not advertise that network to any IBGP or EBGP peers.

The community attribute by default is not sent to a neighbor. You must use NEIGHBOR SEND-COMMUNITY.

Well Known communities
INTERNET – advertise to everyone.
LOCAL-AS – only advertise within an AS
NO-ADVERTISE – do NOT advertise to any BGP neighbor
NO-EXPORT - do NOT advertise to an EBGP neighbor

r1
access-list 1 permit 1.0.0.0 0.255.255.255

route-map NOADVERTISE per 10
match ip add 1
set community no-advertise

route-map NOADVERTISE per 20 <-- this is a default catch-all route map. It basically matches any network not matched with route-map NOADVERTISE per 10 (like an ACL permit any).

on r2
sho ip bgp 1.0.0.0
BGP routing table entry for 1.0.0.0/8, version 7
Paths: (1 available, best #1, table Default-IP-Routing-Table, not

advertised to any peer)
Flag: 0x880
Not advertised to any peer
100
10.1.12.1 from 10.1.12.1 (1.1.1.1)
Origin IGP, metric 0, localpref 100, valid, external, best
Community: no-advertise

R3-R5 do not have any knowledge of 1.0.0.0/8
——————————————————-

config r5 so that when it advertises net 5.0.0.0 to R3 in AS2300, the routers in AS 2300 do NOT advertise 5.0.0.0 to any of their EBGP peers.

r5
access-list 5 per 5.0.0.0

route-map NOEXPORT per 10
match ip add 5
set community no-export
route-map NOEXPORT per 20

router bgp 500
nei 10.1.23.3 send-community
nei 10.1.23.3 route-map NOEXPORT out

note: net 5.0.0.0 will only be advertised to AS2300. Routers in AS2300 will not advertise it to any EBGP neighbors. BY DEFAULT ROUTERS WILL STRIP THE COMMUNITY ATTRIBUTE, so we need to config r3 to send-community to r2; if we do NOT do this then r2 will send to its EBGP peers.

r3
router bgp 300
nei 10.1.23.2 send-community

r3, r2 - sho ip bgp 5.0.0.0 shows 5.0.0.0 with the no-export attribute
r1 - sho ip bgp 5.0.0.0
% Network not in table
———————————————–

config r3 to advertise to AS2300 only. Do not advertise to external peers.

route-map LOCAL_AS per 10
set community local-as

<------------------------------ no route-map perm 20? no acl needed.

router bgp 2300
network 3.0.0.0 route-map LOCAL_AS
nei 10.1.23.2 send-community  <—– neighbor in as2300

r2, r3 - sho ip bgp 3.0.0.0 shows this net with the community local-as attribute. 3.0.0.0 is not advertised to any EBGP peer.
———————————————————-

r1 is advertising 1.0.0.0 to r2 with the no-advertise attribute. Config so that r2 advertises 1.0.0.0 to IBGP and EBGP neighbors.

r2
sho access-list
access-list 1 per 1.0.0.0

route-map ADVERTISEtoALL per 10
match ip add 1
set community internet

router bgp 2300
neighbor 10.1.12.1 route-map ADVERTISEtoALL in

note: ?send-community is not needed. I tested with and without and it works.
REMEMBER THAT THE ROUTER WILL STRIP THE COMMUNITY ATTRIBUTE.
————————————————————–

config so r1 uses AS200 to connect to 20.1.2.0/24 and 30.1.2.0/24.
config so r1 uses AS300 to connect to 20.1.3.0/24 and 30.1.3.0/24.
You must use community tags in AS 200 & AS 300 and the nei cmd on R1.

r2
access-list 2 per 20.1.2.0 0.0.0.255
access-list 3 per 30.1.2.0 0.0.0.255

route-map TAG per 10
match ip add 2
set community 2
route-map TAG per 20
match ip add 3
set community 3
route-map TAG per 30

router bgp 200
nei 10.1.12.1 send-community
nei 10.1.12.1 route-map TAG out

r3
access-list 2 per 20.1.3.0 0.0.0.255
access-list 3 per 30.1.3.0 0.0.0.255

route-map TAG per 10
match ip add 2
set community 2
route-map TAG per 20
match ip add 3
set community 3
route-map TAG per 30

router bgp 300
nei 10.1.13.1 send-community
nei 10.1.13.1 route-map TAG out

r1
ip community-list standard TAG2 per 2
ip community-list standard TAG3 per 3

route-map TAG per 10
match community TAG2
set ip next-hop 10.1.12.2

route-map TAG per 20
match community TAG3
set ip next-hop 10.1.13.3

route-map TAG per 30

router bgp 100
nei 10.1.12.2 route-map TAG in
nei 10.1.13.3 route-map TAG in

sho ip bgp community 2
sho ip bgp community 3
———————————————————-

config r4 in AS 400 to pass a MED of 100 to R1 in AS 100. config r2 in AS 200 to pass a MED of 120 to R1 in AS 100.

r4
route-map MED100 permit 10
set metric 100
router bgp 400
nei 10.1.14.1 route-map MED100 out

r2
route-map MED120 permit 10
set metric 120
router bgp 200
nei 10.1.12.1 route-map MED120 out
——————————————-

Ensure that R1 in AS 100 always takes R4 to reach all other prefixes advertised in this topology. Config R1.

router bgp 100
bgp always-compare-med
bgp bestpath as-path ignore (as-path ignore is a hidden cmd)

note: bgp always-compare-med forces the router to compare MEDs even when the paths come from different neighboring ASes (by default MED is only compared between paths from the same neighboring AS). A lower MED is better. You need bgp bestpath as-path ignore because AS-path length and origin are compared before the MED, so a shorter path would win before the MED is ever looked at.
—————————————————————–

config r4 in AS 400 to pass a MED value of 100 to R1 in AS 100. R2 should not pass a MED. Make sure R1 in AS 100 takes R4 to reach any prefix advertised in this topology except the ones originated by R2. DO NOT USE A GLOBAL CMD.

r1
router bgp 100
bgp always-compare-med
bgp bestpath as-path ignore
bgp bestpath med missing-as-worst

note: a missing MED is treated as 0 (the best possible value) by default; med missing-as-worst makes a path without a MED lose to any path that carries one.
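To see why each of the knobs in the two MED tasks above is needed, here is the slice of the IOS best-path algorithm they exercise, as an added example in Python (not from the original notes). The Path fields and the sample paths in example_paths (a prefix originated by R2 that R1 sees directly from R2 and, over a longer path through AS 300, from R4) are constructed for illustration; the comparison order is the IOS one.

```python
"""Slice of the BGP best-path algorithm: weight, local-pref, AS-path length,
origin, MED (with the IOS knobs used above), eBGP over iBGP, router-id.
Added example; Path and the sample topology below are constructed."""
from dataclasses import dataclass
from typing import Callable, List, Optional

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}   # IGP is best, incomplete worst
MED_MAX = 0xFFFFFFFF


@dataclass
class Path:
    prefix: str
    neighbor_as: int           # AS of the peer the path was learned from
    as_path: List[int]
    router_id: str
    med: Optional[int] = None  # None: MED attribute absent
    weight: int = 0
    local_pref: int = 100
    origin: str = "i"
    ebgp: bool = True


def effective_med(p: Path, missing_as_worst: bool) -> int:
    """IOS treats a missing MED as 0 (best) unless
    'bgp bestpath med missing-as-worst' is configured."""
    if p.med is None:
        return MED_MAX if missing_as_worst else 0
    return p.med


def best_path(paths: List[Path], always_compare_med: bool = False,
              as_path_ignore: bool = False, missing_as_worst: bool = False) -> Path:
    cands = list(paths)
    if not cands:
        raise ValueError("no paths")

    def keep(key: Callable[[Path], object], want_max: bool) -> None:
        nonlocal cands
        target = (max if want_max else min)(key(p) for p in cands)
        cands = [p for p in cands if key(p) == target]

    keep(lambda p: p.weight, True)                 # 1. highest weight
    keep(lambda p: p.local_pref, True)             # 2. highest local preference
    if not as_path_ignore:                         # 3. shortest AS path, skipped by
        keep(lambda p: len(p.as_path), False)      #    'bgp bestpath as-path ignore'
    keep(lambda p: ORIGIN_RANK[p.origin], False)   # 4. lowest origin
    # 5. lowest MED. By default MED is only compared between paths from the
    #    same neighboring AS (IOS compares inside each such group; simplified
    #    here: with paths from different ASes no MED comparison happens).
    #    'bgp always-compare-med' compares across neighboring ASes.
    same_neighbor_as = len({p.neighbor_as for p in cands}) == 1
    if always_compare_med or same_neighbor_as:
        keep(lambda p: effective_med(p, missing_as_worst), False)
    keep(lambda p: 0 if p.ebgp else 1, False)      # 6. eBGP over iBGP
    keep(lambda p: tuple(int(o) for o in p.router_id.split(".")), False)  # lowest RID
    return cands[0]


def example_paths(r2_med: Optional[int]) -> List[Path]:
    """Constructed sample: 2.0.0.0 originated by R2 (AS 200), seen by R1
    directly from R2 and, via AS 300, from R4 (AS 400) which sets MED 100."""
    return [
        Path("2.0.0.0", neighbor_as=200, as_path=[200], router_id="2.2.2.2", med=r2_med),
        Path("2.0.0.0", neighbor_as=400, as_path=[400, 300, 200], router_id="4.4.4.4", med=100),
    ]
```

With `example_paths(120)` the R2 path wins until both always-compare-med and as-path ignore are set; with `example_paths(None)` (R2 sends no MED) R2 wins again on the implicit MED of 0 until missing-as-worst is set.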
————————————–

config r2 to block network 1.1.4.0/24 from getting into its routing and BGP tables. Use a distribute-list / access-list to accomplish this task.

do a sho ip bgp to see where 1.1.4.0/24 is coming from.

r2
access-list 4 deny 1.1.4.0 0.0.0.255
access-list 4 permit any

router bgp 200
nei 10.1.12.1 distribute-list 4 in
nei 10.1.23.3 distribute-list 4 in
——————————————–

config r2 to block network 1.1.4.0/24 from getting into its routing and BGP tables. Use a prefix-list to accomplish this task.

r2
ip prefix-list FILTER1140 seq 5 deny 1.1.4.0/24
ip prefix-list FILTER1140 seq 10 permit 0.0.0.0/0 le 32

router bgp 200
nei 10.1.12.1 prefix-list FILTER1140 in
nei 10.1.23.3 prefix-list FILTER1140 in

note: the two entries need different sequence numbers; re-entering seq 5 replaces the deny with the permit. Without ge/le the deny matches 1.1.4.0/24 exactly, so a more specific such as 1.1.4.0/25 would still get through; use deny 1.1.4.0/24 le 32 to catch those too.
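The prefix-list semantics that matter here (one entry per sequence number, exact length unless ge/le is given, first match wins, implicit deny) as an added Python example, not code from the original notes. The PrefixList class and filter1140 helper are my own; filter1140 builds the list above either as written, with both lines on seq 5, or with the second line on seq 10.

```python
"""IOS-style 'ip prefix-list' evaluation as BGP applies it to a received
prefix. Added example; class and function names are my own."""
import ipaddress
from typing import Dict, Optional, Tuple

Entry = Tuple[str, ipaddress.IPv4Network, Optional[int], Optional[int]]


class PrefixList:
    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: Dict[int, Entry] = {}   # keyed by sequence number

    def add(self, seq: int, action: str, prefix: str,
            ge: Optional[int] = None, le: Optional[int] = None) -> None:
        """ip prefix-list NAME seq SEQ permit|deny PREFIX [ge G] [le L]

        IOS keeps exactly one entry per sequence number, so entering a line
        with an existing seq silently replaces the earlier one."""
        if action not in ("permit", "deny"):
            raise ValueError(action)
        net = ipaddress.IPv4Network(prefix, strict=False)
        if ge is not None and le is not None and le < ge:
            raise ValueError("le must not be smaller than ge")
        self.entries[seq] = (action, net, ge, le)

    @staticmethod
    def _entry_matches(entry: Entry, route: ipaddress.IPv4Network) -> bool:
        _action, net, ge, le = entry
        # 1. the first net.prefixlen bits of the route must equal the entry
        if route.prefixlen < net.prefixlen:
            return False
        if route.supernet(new_prefix=net.prefixlen) != net:
            return False
        # 2. the route's own length must fall in the allowed range:
        #    no ge/le -> exact length; ge alone -> ge..32; le alone -> len..le
        low = ge if ge is not None else net.prefixlen
        if le is not None:
            high = le
        elif ge is not None:
            high = net.max_prefixlen
        else:
            high = net.prefixlen
        return low <= route.prefixlen <= high

    def evaluate(self, prefix: str) -> str:
        """Return 'permit' or 'deny' for a received prefix: first match in
        sequence order wins, and every prefix-list ends with an implicit deny."""
        route = ipaddress.IPv4Network(prefix, strict=False)
        for seq in sorted(self.entries):
            if self._entry_matches(self.entries[seq], route):
                return self.entries[seq][0]
        return "deny"


def filter1140(as_written: bool) -> PrefixList:
    """The FILTER1140 list above, either as written (both lines seq 5) or fixed."""
    pl = PrefixList("FILTER1140")
    pl.add(5, "deny", "1.1.4.0/24")
    pl.add(5 if as_written else 10, "permit", "0.0.0.0/0", le=32)
    return pl
```

`filter1140(True).evaluate("1.1.4.0/24")` returns permit because the second seq 5 line overwrote the deny; the fixed list denies it but still permits 1.1.4.0/25.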
——————————————-

config r3 to block net 22.0.0.0/8 from entering the routing domain. Do not use a prefix-list or distribute-list.

r3
access-list 22 deny 22.0.0.0
access-list 22 permit any
route-map FILTER22 permit 10
match ip add 22
router bgp 300
nei 10.1.23.2 route-map FILTER22 in
nei 10.1.13.1 route-map FILTER22 in
——————————————-

Use a minimum number of lines (see if you can do it in one line) in the access-list to filter net 22.0.0.0/8 from the BGP and IP routing tables of R3. Use an access-list and route-map.

r3
access-list 22 permit 22.0.0.0
route-map FILTER22 deny 10
match ip add 22
route-map FILTER22 permit 20
router bgp 300
nei 10.1.23.2 route-map FILTER22 in
nei 10.1.13.1 route-map FILTER22 in
——————————————

config r4 to filter 1.1.0.0/24-1.1.4.0/24. The filter is configured on R4, but R1 and R3 should actually perform the filtering (outbound route filtering, ORF: R4 pushes its inbound prefix-list to the neighbors, which apply it outbound).

r4
ip prefix-list FILTER1net seq 5 deny 1.1.0.0/24
ip prefix-list FILTER1net seq 10 deny 1.1.1.0/24
ip prefix-list FILTER1net seq 15 deny 1.1.2.0/24
ip prefix-list FILTER1net seq 20 deny 1.1.3.0/24
ip prefix-list FILTER1net seq 25 deny 1.1.4.0/24
ip prefix-list FILTER1net seq 30 permit 0.0.0.0/0 le 32

router bgp 400
nei 10.1.14.1 prefix-list FILTER1net in
nei 10.1.34.3 prefix-list FILTER1net in
address-family ipv4 unicast
nei 10.1.14.1 capability orf prefix-list send
nei 10.1.34.3 capability orf prefix-list send

r1
router bgp 100
address-family ipv4 unicast
nei 10.1.14.4 capability orf prefix-list receive

r3
router bgp 300
address-family ipv4 unicast
nei 10.1.34.4 capability orf prefix-list receive

verify on R4 with sho ip bgp neighbors 10.1.14.1: the outbound route filter capability must show as both advertised and received, otherwise the neighbor is not applying the list.
——————————————–

Filter prefixes originated in AS 300 on R1.

r1
ip as-path access-list 1 deny _300$
ip as-path access-list 1 permit .*

router bgp 100
nei 10.1.12.2 filter-list 1 in

—————————————————–

config r1 so it blocks all prefixes that passed through AS 300.
r1
ip as-path access-list 1 deny _300_
ip as-path access-list 1 permit .*

router bgp 100
nei 10.1.12.2 filter-list 1 in
————————————-

config r3 so that it doesn't advertise the prefixes that originated in its own AS to any of its neighbors.

r3
ip as-path access-list 1 deny ^$
ip as-path access-list 1 per .*

router bgp 300
nei (r2) filter-list 1 out
nei (r4) filter-list 1 out
——————————–

config r3 so it blocks all prefixes received from its neighbor in AS 200.
r3
ip as-path access-list 1 deny ^200_
ip as-path access-list 1 permit .*

router bgp 300
nei 10.1.23.2 filter-list 1 in
———————————————–

config r3 so that it blocks all prefixes originated by its directly connected neighbors (r2/r4), i.e. every path that is exactly one AS long.

r3
ip as-path access-list 1 deny ^[0-9]+$
ip as-path access-list 1 permit .*

router bgp 300
nei (r2) filter-list 1 in
nei (r4) filter-list 1 in
———————————————

config r1 to block all the prefixes that originated in AS 300 and traversed AS 200.

r1
ip as-path access-list 1 deny _200_300$
ip as-path access-list 1 permit .*

router bgp 100
nei 10.1.12.2 filter-list 1 in
———————————————–

If your router uses a lot of resources evaluating complex regular expressions, use bgp regexp deterministic under the BGP process.

—————————————–

.*                       Matches anything
.+                       Match at least one character
^$                       Match routes local to this AS
_1800$                   Originated by 1800
^1800_                   Received from 1800
_1800_                   Via 1800
_790_1800_               Passing through 1800 then 790
_(1800_)+                Match at least one of 1800 in sequence
_\(65350\)_              Via 65350 (confederation AS)
^[0-9]+$                 Match AS_PATH length of one
^[0-9]+_[0-9]+$          Match AS_PATH length of two
^[0-9]*_[0-9]+$          Match AS_PATH length of one or two
^[0-9]*_[0-9]*$          Match AS_PATH length of one or two, and will also match zero
^[0-9]+_[0-9]+_[0-9]+$   Match AS_PATH length of three
_(701|1800)_             Match anything which has gone through AS701 or AS1800
_1849(_.+._)12163$       Match anything of origin AS12163 and passed through AS1849
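The table above and the as-path access-lists before it can be tried out offline: as an added example (not from the original notes), this Python code translates IOS AS-path regular expressions into Python ones (the only difference is what `_` means) and evaluates a filter-list over a constructed sample of paths in "show ip bgp" form. The function names and SAMPLE_TABLE are my own; the patterns are the ones on the page.

```python
"""Evaluate Cisco BGP AS-path regular expressions with Python's re module.
Added example; only IOS's '_' needs translating, everything else in the
table above is ordinary regex syntax."""
import re
from typing import List, Tuple

# In IOS '_' matches a space, the beginning or end of the AS-path string, or
# one of the segment delimiters ( ) { } , used for confederation and AS_SET.
_UNDERSCORE = r"(?:^|$|[ (){},])"


def cisco_to_python(pattern: str) -> str:
    """Rewrite an IOS AS-path regex into an equivalent Python one.
    The replacement is a non-capturing group, so back-references like \\1
    keep pointing at the same capturing group."""
    return pattern.replace("_", _UNDERSCORE)


def as_path_matches(pattern: str, as_path: str) -> bool:
    """as_path is the path exactly as 'show ip bgp' prints it, e.g.
    '200 300' or '(65522 65534) 500'; an empty string is a local route."""
    return re.search(cisco_to_python(pattern), as_path) is not None


def filter_list(entries: List[Tuple[str, str]], as_path: str) -> str:
    """'ip as-path access-list': entries are (permit|deny, pattern) in
    order; first match wins and an unmatched path is denied."""
    for action, pattern in entries:
        if action not in ("permit", "deny"):
            raise ValueError(action)
        if as_path_matches(pattern, as_path):
            return action
    return "deny"


def show_ip_bgp_regexp(table: List[Tuple[str, str]], pattern: str) -> List[str]:
    """'show ip bgp regexp PATTERN' over a (prefix, as_path) table."""
    return [prefix for prefix, path in table if as_path_matches(pattern, path)]


# Constructed sample table in 'show ip bgp' form (not real routes).
SAMPLE_TABLE = [
    ("1.0.0.0", ""),                    # locally originated
    ("2.0.0.0", "200"),
    ("3.0.0.0", "200 300"),
    ("4.0.0.0", "(65522 65534)"),       # confederation segment
    ("5.0.0.0", "(65522 65534) 500"),
    ("6.0.0.0", "100 1800 20"),
    ("7.0.0.0", "100 18000 20"),        # 1800 without '_' would match this too
    ("8.0.0.0", "100 100 100"),         # prepended by its own origin AS
]
```

`show_ip_bgp_regexp(SAMPLE_TABLE, "_1800_")` returns only 6.0.0.0, which is the whole point of `_` over a bare `1800`; `r"^([0-9]+)(_\1)*$"` returns 2.0.0.0 and 8.0.0.0, the "one AS, possibly prepended" case used further down the page.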
——————————————————–

config r2 so that if any of its neighbors goes down the routes are NOT removed from the BGP table right away. The routes should only be removed if a neighbor is down for 5 min.

r2
router bgp 200
no bgp fast-external-fallover
nei 10.1.12.1 timers 60 300
nei 10.1.23.3 timers 60 300

r1 & r3 also need these commands since they are directly connected to R2. fast-external-fallover only applies to directly connected eBGP neighbors: it resets the session as soon as the link goes down. With bgp fast-external-fallover disabled, BGP waits until the configured hold timer (300 seconds here) expires before the session is reset.
—————————————————————–

default 60 sec keepalive / 180 sec holdtime
————————————————–

config r4 to remove private ASes from the AS-path when sending to r5

r4
router bgp 400
nei 10.1.45.5 remove-private-as
———————————-

config r1 so that it sets the minimum time between sending BGP advertisements to an eBGP neighbor to 60 seconds.

r1
router bgp 65501
nei 10.1.12.2 advertisement-interval 60
———————————————

reconfig r4/r5 to peer via loopback addresses

r4
no nei 10.1.45.5 remote-as 500
nei 55.5.5.5 remote-as 500
nei 55.5.5.5 update-source loo1
nei 55.5.5.5 disable-connected-check

r5
no nei 10.1.45.4 remote-as 400
nei 44.4.4.4 remote-as 400
nei 44.4.4.4 update-source loo1
nei 44.4.4.4 disable-connected-check

note: disable-connected-check bypasses BGP's default check that a single-hop eBGP peer's address is on a directly connected subnet; without it the session never comes up. The TTL stays at 1, so this only works when the loopbacks are one hop away (each router needs a route to the other's loopback over the direct link).
—————————————————

config r1/r2 so they only accept BGP packets with a TTL equal to or greater than 253. If the TTL is less than 253 the routers should ignore the packet.

r1
router bgp 65501
nei 10.1.12.2 ttl-security hops 2

r2
router bgp 65502
nei 10.1.12.1 ttl-security hops 2

note: provides lightweight protection against CPU-utilization attacks that flood the router with forged IP packets aimed at the BGP port: a spoofer more than 2 hops away cannot deliver a packet with TTL 253 or more, because every router on the way decrements it and nobody can start above 255. So 255-2 = 253... tricky, I must remember that the packet carries the higher number. ttl-security and ebgp-multihop are mutually exclusive on a neighbor.
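The arithmetic behind ttl-security (RFC 5082, GTSM) as an added Python example, not code from the original notes: a receiver configured with hops N accepts only packets arriving with TTL >= 255 - N, and a hop-by-hop model shows why a sender further away than N transit routers can never pass, while a plain multihop peer would accept the same packet. The function names and the transit model are my own assumptions.

```python
"""Generalized TTL Security Mechanism (RFC 5082), the check behind
'neighbor X ttl-security hops N'. Added example with a constructed
hop-by-hop model; the function names are my own."""
from typing import Optional

MAX_TTL = 255


def min_accepted_ttl(hops: int) -> int:
    """IOS accepts a BGP packet only if its TTL is >= 255 - hops,
    where hops is the configured maximum distance to the peer."""
    if not 1 <= hops <= 254:
        raise ValueError("hops must be 1..254")
    return MAX_TTL - hops


def arrival_ttl(initial_ttl: int, routers_in_between: int) -> Optional[int]:
    """TTL as it arrives at the receiver after each transit router decrements it.
    Returns None if the packet dies on the way (TTL reached 0)."""
    if not 1 <= initial_ttl <= MAX_TTL:
        raise ValueError("TTL is an 8-bit field, 1..255")
    ttl = initial_ttl
    for _ in range(routers_in_between):
        ttl -= 1
        if ttl == 0:
            return None
    return ttl


def gtsm_accepts(hops: int, initial_ttl: int, routers_in_between: int) -> bool:
    """Receiver with 'ttl-security hops <hops>': accept iff the packet
    survived and arrived with TTL >= 255 - hops. A legitimate peer with
    ttl-security sends TTL 255; a spoofer cannot send more than 255 either,
    so anything further away than `hops` transit routers can never pass."""
    ttl = arrival_ttl(initial_ttl, routers_in_between)
    return ttl is not None and ttl >= min_accepted_ttl(hops)


def legacy_accepts(initial_ttl: int, routers_in_between: int) -> bool:
    """Without ttl-security (e.g. a plain ebgp-multihop peer) any packet
    that reaches the box is handed to the BGP process, wherever it came from."""
    return arrival_ttl(initial_ttl, routers_in_between) is not None
```

With hops 2, `gtsm_accepts(2, 255, 3)` is False (the packet arrives with 252) while `legacy_accepts(64, 10)` is True: the same far-away forged packet that GTSM drops before BGP sees it is processed by a multihop session.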
————————————————–

config r4 to peer with r5 as AS 555 and r5 to peer with r4 as AS 400. The problem is that r5 is in AS 500, not AS 555.

r4
router bgp 400
nei 10.1.45.5 remote-as 555

r5
nei 10.1.45.4 remote-as 400
nei 10.1.45.4 local-as 555

note: this is typically used in a migration.
———————————————–

config r3 to replace its AS 65503 with AS 300 but do not remove or reconfigure AS 65503

r3
router bgp 65503
nei 10.1.34.4 local-as 300 no-prepend replace-as

r4
no nei (r3) remote-as 65503
nei (r3) remote-as 300

NOTE: the no-prepend argument does NOT prepend the local-as number to the AS-path of routes received from the neighbor. The replace-as argument prepends ONLY the AS number configured after the local-as keyword to the AS-path of routes sent to the neighbor, leaving the real AS (65503) out.
————————————-

config r3 so it limits the number of AS-path segments permitted in inbound routes to 20.

r3
router bgp 65503
bgp maxas-limit 20

note: the maxas-limit cmd discards inbound updates whose AS-path has more than 20 segments. The default is 75.
—————————————–

config r3 to inject a default route to nei 10.1.34.4 ONLY if there is a route to 2.0.0.0/8 in R3's routing table.

r3
access-list 2 permit 2.0.0.0

route-map ALLOW2ifPRESENT permit 10
match ip add 2

router bgp 65503
nei 10.1.34.4 default-originate route-map ALLOW2ifPRESENT
—————————————

config r2 so that it changes the admin distance of all prefixes received from R3 to 150.

r2
router bgp 200
distance 150 10.1.23.3 0.0.0.0
—————————————————

config r2 so that it changes the admin distance of 33.0.0.0/8 only

r2
access-list 33 permit 33.0.0.0

router bgp 200
distance 150 10.1.23.3 0.0.0.0 33
——————————————-

change the admin distance of external to 60, internal to 90 and local to 20. Use a minimal number of commands. This should be done on all routers.

all routers
router bgp xxx
distance bgp 60 90 20
—————————–

config r5 to peer with AS 100 neighbor R4 (config r1-r4 as a confederation).
r1
router bgp 65511
no synchronization
bgp router-id 1.1.1.1
bgp log-neighbor-changes
bgp confederation identifier 100
bgp confederation peers 65522
network 1.0.0.0
neighbor 10.1.12.2 remote-as 65522
no auto-summary

r2
router bgp 65522
no synchronization
bgp router-id 2.2.2.2
bgp log-neighbor-changes
bgp confederation identifier 100
bgp confederation peers 65511 65534
network 2.0.0.0
neighbor 10.1.12.1 remote-as 65511
neighbor 10.1.23.3 remote-as 65534
no auto-summary

r3
router bgp 65534
no synchronization
bgp router-id 3.3.3.3
bgp log-neighbor-changes
bgp confederation identifier 100
bgp confederation peers 65522
network 3.0.0.0
neighbor 10.1.23.2 remote-as 65522
neighbor 10.1.34.4 remote-as 65534
no auto-summary

r4
router bgp 65534
no synchronization
bgp router-id 4.4.4.4
bgp log-neighbor-changes
bgp confederation identifier 100
network 4.0.0.0
neighbor 10.1.34.3 remote-as 65534
neighbor 10.1.45.5 remote-as 500
no auto-summary

r5
router bgp 500
no synchronization
bgp router-id 5.5.5.5
bgp log-neighbor-changes
bgp confederation peers 100
network 5.0.0.0
neighbor 10.1.45.4 remote-as 100
no auto-summary

BGP table version is 25, local router ID is 5.5.5.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network          Next Hop            Metric LocPrf Weight Path
*> 1.0.0.0          10.1.45.4                              0 100 i
*> 2.0.0.0          10.1.45.4                              0 100 i
*> 3.0.0.0          10.1.45.4                              0 100 i
*> 4.0.0.0          10.1.45.4                0             0 100 i
*> 5.0.0.0          0.0.0.0                  0         32768 i

if I add 65534 to r3 I will get an error. This is because confederations are for eBGP.

Note: R1-R4 are in confederation 100 and R5 peers with AS 100.

Note that R5 does not see any other ASes besides AS 100.

——————————————————–
R1#sh ip bgp
BGP table version is 17, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network          Next Hop            Metric LocPrf Weight Path
*> 1.0.0.0          0.0.0.0                  0         32768 i
*> 2.0.0.0          10.1.12.2                0    100      0 (65522) i
*> 3.0.0.0          10.1.23.3                0    100      0 (65522 65534) i
*> 4.0.0.0          10.1.34.4                0    100      0 (65522 65534) i
*> 5.0.0.0          10.1.45.5                0    100      0 (65522 65534) 500 i

NOTE: the parentheses around (65522) mark confederation sub-AS numbers; that segment is stripped when the route leaves the confederation, which is why R5 only sees 100.
————————————–

Let's say you need to advertise the summary + one of the specific routes:
aggregate-address 10.1.0.0 255.255.252.0 summary-only suppress-map TST

route-map TST permit 10
match ip addr 1

access-list 1 deny 10.1.1.0 0.0.0.255
access-list 1 permit any

In the above configuration you are advertising the aggregate 10.1.0.0/22 + 10.1.1.0/24, which is one of the specific routes of that aggregate, and you are advertising both to all neighbors: the suppress-map selects which specifics get suppressed, so denying 10.1.1.0/24 in the ACL keeps it from being suppressed.

Now with unsuppress-map:

aggregate-address 10.1.0.0 255.255.252.0 summary-only
neighbor 200.1.1.1 unsuppress-map TST

route-map TST permit 10
match ip addr 1

access-list 1 permit 10.1.1.0 0.0.0.255

Note that now ONLY neighbor 200.1.1.1 gets the specific route 10.1.1.0/24 and everyone else gets just the aggregate.

———————————————————————

hide the local AS

config so that R2 sees: *> 1.0.0.0    10.1.1.1    0    0 100 111 i

r1
router bgp 111
net 1.0.0.0
nei 10.1.1.2 remote-as 200
nei 10.1.1.2 local-as 100

r2
router bgp 200
net 2.0.0.0
nei 10.1.1.1 remote-as 100

r2
sh ip bgp
Network          Next Hop            Metric LocPrf Weight Path
*> 1.0.0.0          10.1.1.1                 0             0 100 111 i
*> 2.0.0.0          0.0.0.0                  0         32768 i
r1
Network          Next Hop            Metric LocPrf Weight Path
*> 1.0.0.0          0.0.0.0                  0         32768 i
*> 2.0.0.0          10.1.1.2                 0             0 100 200 i
———————————————————————–

config r1 so that when r2 advertises net 2.0.0.0 to R1 it looks like this:
r1
Network          Next Hop            Metric LocPrf Weight Path
*> 1.0.0.0          0.0.0.0                  0         32768 i
*> 2.0.0.0          10.1.1.2                 0             0 200 i

r1
router bgp 111
net 1.0.0.0
nei 10.1.1.2 remote-as 200
nei 10.1.1.2 local-as 100 no-prepend
note: you will see the change on R1 only. no-prepend stops R1 from adding the local-as 100 to paths received from R2; R2 still sees 100 111 for 1.0.0.0.
———————————————

config r1 so that R2′s sh ip bgp looks like this:
Network          Next Hop            Metric LocPrf Weight Path
*> 1.0.0.0          10.1.1.1                 0             0 100 i
*> 2.0.0.0          0.0.0.0                  0         32768 i

BEFORE:
Network          Next Hop            Metric LocPrf Weight Path
*> 1.0.0.0          10.1.1.1                 0             0 100 111 i
*> 2.0.0.0          0.0.0.0                  0         32768 i

After:
r1
router bgp 111
nei 10.1.1.2 local-as 100 no-prepend replace-as

r2
sh ip bgp

Network          Next Hop            Metric LocPrf Weight Path
*> 1.0.0.0          10.1.1.1                 0             0 100 i
*> 2.0.0.0          0.0.0.0                  0         32768 i
—————————————————————–

NOTE: I could use this for migrations or where the router is configured with a different AS than the one I need to peer with and I cannot change the AS already configured.
—————————————————–

Peering with loopbacks:
neighbor 3.3.3.3 remote-as 200
neighbor 3.3.3.3 update-source Loopback0
neighbor 4.4.4.4 remote-as 200
neighbor 4.4.4.4 update-source Loopback0
——————————————–

before:
r2(config-router)#do sho ip bgp | b Network
Network          Next Hop            Metric LocPrf Weight Path
* i100.1.1.0/24     10.1.13.1                0    100      0 100 i
*>                  10.1.12.1                0             0 100 i
* i200.1.1.0        10.1.13.1                0    100      0 100 i
*>                  10.1.12.1                0             0 100 i

Make it look like this:

r2(config-router)#do sho ip bgp | b Network
Network          Next Hop            Metric LocPrf Weight Path
* i100.1.1.0/24     3.3.3.3                0    100      0 100 i
*>                  10.1.12.1                0             0 100 i
* i200.1.1.0        3.3.3.3                0    100      0 100 i
*>                  10.1.12.1                0             0 100 i

r3
router bgp 200
neighbor  2.2.2.2 remote-as 200
neighbor  2.2.2.2 update-source Loopback0
neighbor 2.2.2.2 next-hop-self
neighbor 4.4.4.4 remote-as 200
neighbor 4.4.4.4 update-source Loopback0
neighbor 4.4.4.4 next-hop-self

r2/r3/r4 config not shown here.
So if I want to change the next hop seen on a neighbor router I need to use next-hop-self on the router that advertises the route.
——————————————-

config r4 to match this sh ip bgp output
r4
Network          Next Hop            Metric LocPrf Weight Path
*>i100.1.1.0/24     3.3.3.3                  0    100      0 100 i
* i                 2.2.2.2                  0    100      0 100 i
*>i200.1.1.0        3.3.3.3                  0    100      0 100 i
* i                 2.2.2.2                  0    100      0 100 i

r4
r4(config-router)#do sho ip bgp | b Network
Network          Next Hop            Metric LocPrf Weight Path
* i100.1.1.0/24     3.3.3.3                  0    100      0 100 i
*>i                 2.2.2.2                  0    100      0 100 i
* i200.1.1.0        3.3.3.3                  0    100      0 100 i
*>i                 2.2.2.2                  0    100      0 100 i

So I need to change the route preference to prefer routes from 3.3.3.3
Here I need the cost extended community attribute

r4
access-list 1 per 100.1.1.0 0.0.0.255

route-map COSTCOMM per 10
match ip add 1
set extcommunity cost 1 1

route-map COSTCOMM per 20

router bgp 200
nei 3.3.3.3 route-map COSTCOMM in

clear ip bgp * soft
sh ip bgp
Network          Next Hop            Metric LocPrf Weight Path
*>i100.1.1.0/24     2.2.2.2                  0    100      0 100 i
* i                 3.3.3.3                  0    100      0 100 i
*>i200.1.1.0        2.2.2.2                  0    100      0 100 i
* i                 3.3.3.3                  0    100      0 100 i

note: cost is a non-transitive extended community attribute that lets you customize the local route preference, which influences best-path selection. A lower cost value is preferred and, in the event of a tie, the lower cost community ID is the tie breaker.

——————————————————————

two ways to test a regular expression
1. sh ip bgp regexp <expression>
2. sh ip bgp filter-list X
———————————————

config r1 in AS 100 to only allow prefixes from the existing and future directly connected ASes.

r1
ip as-path access-list 1 permit ^([0-9]+)(_\1)*$

router bgp 100
nei 10.1.12.2 filter-list 1 in

note: \1 is a back-reference, like a calculator's memory button: it matches the same AS number the first group captured, so the path may only contain one AS, possibly prepended several times.
————————————————-

prepend my AS# 9 times.
r1
route-map pre permit 10
set as-path prepend 100 100 100 100 100 100 100 100 100

router bgp 100
nei 10.1.12.2 route-map pre out
clear ip bgp * out
r2
sh ip bgp
Network          Next Hop            Metric LocPrf Weight Path
*> 1.0.0.0          10.1.12.1                0             0 100 100 100 100 100 100 100 100 100 100 i
—————————————————

config r2 to allow AS-path prepending from AS 100 ONLY if they have prepended their OWN AS and NOT another AS.

r2
ip as-path access-list 1 permit ^([0-9]+)(_\1)*$
router bgp 200
nei 10.1.12.1 filter-list 1 in

—————————————
config an eBGP session between r1 and r2 and make sure they load balance over both links.
r1    <>   r2
e0/0  <>   e0/0
e0/1  <>   e0/1

For this we need to peer between the loopbacks (with a route to the peer's loopback over each link) and allow the extra hop with ebgp-multihop 2.
r1
router bgp 100
nei 2.2.2.2 remote-as 200
nei 2.2.2.2 update-source lo0
nei 2.2.2.2 ebgp-multihop 2

r2
router bgp 200
nei 1.1.1.1 remote-as 100
nei 1.1.1.1 update-source lo0
nei 1.1.1.1 ebgp-multihop 2
——————————————

config r1 so that it uses both neighbors (r2/r3) to perform equal-cost load balancing.

r1
router bgp 100
maximum-paths 2

note: by default BGP installs ONLY one path to a given destination. BGP does not load balance among multiple equal-cost paths. Use maximum-paths to change this behavior (the candidate paths still have to tie on weight, local-pref, AS-path length, origin and MED to be eligible).
————————————-

r2 is advertising a prefix from R5 to r4 but r4 is discarding it because its own AS (AS 100) is in the AS-path.
solution
r4
router bgp 100
nei (r2) allowas-in

same problem on R5. r3 is advertising the prefix from R4 but R5 is discarding it because its own AS (AS 100) is in the AS-path. This is a loop prevention mechanism; allowas-in switches it off for that neighbor, so only use it where you know the topology cannot loop.
solution
r5
router bgp 100
nei (r3) allowas-in
——————————–

Posted in BGP, Routing & Switching Lab | Leave a Comment »

OSPF notes

Posted by Peter Kurdziel on January 4, 2009

OSPF notes
———————————-

Always define the ROUTER-ID!!!!!!
—————————————–

to ignore MOSPF (LSA type 6)
router ospf 1
net 0.0.0.0 0.0.0.0 a 0
ignore lsa mospf
———————————–

to ensure fast detection of a neighbor being down, config r2/r3 to send their hellos four times a second with a dead interval of one second.

r2/r3

int e0/0
ip ospf dead-interval minimal hello-multiplier 4 <-- specifying MINIMAL and HELLO-MULTIPLIER enables OSPF fast hello packets. The MINIMAL keyword sets the dead interval to 1 second and the HELLO-MULTIPLIER sets the number of hello packets sent during that 1 second.

sho ip ospf inter e0/0

——————————————————-

make sure routers look up DNS names for router IDs in show output

ip ospf name-lookup
ip host R1 1.1.1.1
——————————————

Config R2 so that if it does not receive an acknowledgement from R3 for an LSA it waits 10 seconds before it resends the LSA (interface command on the link to R3).
ip ospf retransmit-interval 10
—————————————–

limit the number of non-self-originated LSAs that an OSPF routing process keeps in the database (default is unlimited)

router ospf 1
max-lsa 900
——————–

control the rate at which LSA retransmissions occur.
router ospf 1
timers pacing retransmission 60
———————————–

config OSPF hellos for 15 seconds and a 60 second dead interval.

int s1/0
ip ospf hello-interval 15

note: the dead interval follows automatically as 4 times the hello. Hello on ethernet and point-to-point links is 10 sec. On non-broadcast and point-to-multipoint it's 30 seconds.

sho ip ospf int <-- to verify
———————————————————————————-

put all interfaces in area 5
router ospf 1
router-id 1.1.1.1
netw 0.0.0.0 0.0.0.0 a 5
——————————-

ALWAYS configure the router-id when using OSPF.
———————————————————-

advertise a loopback in OSPF with its true mask
int loop1
ip ospf network point-to-point
or
area 1 range 3.3.3.0 255.255.255.0
or
redistribute connected subnets <-- but this makes it an external (E2) route instead of an intra-area route
——————————————————————————-

All OSPF areas must have a connection to area 0
r1 a0      <>      r2 a3     <>     r3 a2

r1 area 3 virtual-link 3.3.3.3
r3 area 3 virtual-link 1.1.1.1

AREA transit_area_id VIRTUAL-LINK router_id_of_remote
note: area 3 is the transit area.
————————————————————

OSPF MD5 area authentication

router ospf 1
area 2 authentication message-digest

int s1/0.1
ip ospf message-digest-key 1 md5 cisco12

note: no global key chain command needs to be configured. Pay attention because under the interface there are also the ip ospf authentication and ip ospf authentication-key commands, but those are for clear text.

1. configure the key under the interface.
2. enable authentication for the area under the routing process.
3. make sure you also configure area 0 authentication message-digest for area 0 where you have the far end of a virtual link.
—————————————————————–

interface-based clear text authentication
int s1/0.12
ip ospf authentication
ip ospf authentication-key cisco2
—————————————

have OSPF advertise the correct mask of the loopback address
before
sh ip route
1.0.0.0/32

after
int lo0
ip add 1.1.1.1 255.255.255.0
ip ospf network point-to-point

sh ip route
1.0.0.0/24
—————————————————–

to change the cost of loop0
int loop0
ip ospf cost 20

before: O  2.2.2.0 [110/65]  100,000,000 / 1,544,000 = 64 for the serial link + the cost of the loopback (100,000,000 / 8,000,000,000 rounds up to the minimum cost of 1)
after: O  2.2.2.0 [110/84]  (64 + 20)

——————————————

If you have interfaces with bandwidth higher than 100 Mbps you should use the auto-cost reference-bandwidth command to change the default value so OSPF is able to differentiate between a 100 Mbps and a faster interface (with the default reference of 100 Mbps everything at or above 100 Mbps gets cost 1). YOU MUST USE THIS COMMAND ON EVERY ROUTER in the OSPF routing domain.
router ospf 1
auto-cost reference-bandwidth 1000
—————————————————–

change the cost on fastethernet interfaces on all routers to 70 without using an interface command.

router ospf 1
auto-cost reference-bandwidth 7000 (for dynamips ethernet interfaces use 700)

The formula is cost = reference bandwidth / interface bandwidth, so 7,000,000,000 / 100,000,000 = 70. To get the reference bandwidth first, turn it around: reference = cost x bandwidth ... 70 x 100,000,000 = 7,000,000,000, which is entered in Mbps as 7000.
———————————————————————————

The difference between redistribute connected and redistribute connected subnets
r4
router ospf 1
redistribute connected

R3(config-router)#do sho ip route os
4.0.0.0/32 is subnetted, 1 subnets
O       4.4.4.4 [110/65] via 131.1.34.4, 00:00:02, Serial1/0.34

==== now lets try redistribute connected subnets ====
r4
router ospf 1
redistribute connected subnets

R3(config-router)#do sho ip route os
4.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
O       4.4.4.4/32 [110/65] via 131.1.34.4, 00:00:12, Serial1/0.34
O E2    4.4.0.0/24 [110/20] via 131.1.34.4, 00:00:03, Serial1/0.34
O E2    4.4.1.0/24 [110/20] via 131.1.34.4, 00:00:03, Serial1/0.34
O E2    4.4.2.0/24 [110/20] via 131.1.34.4, 00:00:03, Serial1/0.34
O E2    4.4.3.0/24 [110/20] via 131.1.34.4, 00:00:03, Serial1/0.34
———————————————————————-

summarize OSPF routes

Summarization can be configured on 2 types of routers

ABR = connected to the backbone and to other areas. Internal routes can only be summarized on ABRs with the AREA xx RANGE command. (You don't have to summarize on the router where the route originates; you can summarize on any ABR that has the route in its routing table.)

ASBR = routers that act as gateways between OSPF and other protocols. External routes can only be summarized on ASBRs with the SUMMARY-ADDRESS command. This includes redistributed connected routes!

ABR = AREA xx RANGE
ASBR = SUMMARY-ADDRESS
———————————————-

When you summarize routes OSPF injects a discard route (Null route) to stop loops.
To get rid of the Null route =
ABR
router ospf 1
no discard-route internal

ASBR
router ospf 1
no discard-route external
———————————————

join two area 0s but do not use a virtual link (GRE tunnel in area 0)

r1
router ospf 1
net 15.1.1.1 0.0.0.0 a 0
int tun15
ip add 15.1.1.1 255.255.255.0
tunnel source 15.1.1.1
tunnel destination 15.1.1.2

r2
router ospf 1
net 15.1.1.2 0.0.0.0 a 0
int tun 15
ip address 15.1.1.2 255.255.255.0
tun source 15.1.1.2
tun dest 15.1.1.1

note: the tunnel source and destination have to be addresses reachable through the transit area (a physical interface or loopback), not the tunnel's own 15.1.1.x addresses as written above; otherwise the tunnel is routed through itself and flaps.
———————————-

area type                 command                    LSA types in the area        default route injected without default-information originate?
stub                      area x stub                1, 2, 3                      yes
totally stubby            area x stub no-summary     1, 2 + a default type 3      yes
nssa                      area x nssa                1, 2, 3, 7                   no
not-so-totally-stubby     area x nssa no-summary     1, 2, 7 + a default type 3   yes

…………………………………………………………….

OSPF network types

elects a DR
broadcast
non-broadcast - unicast - needs neighbor cmd

does NOT elect a DR
point-to-point
point-to-multipoint - generates a /32
point-to-multipoint non-broadcast - generates a /32 - unicast - needs neighbor command

Broadcast and non-broadcast elect a DR.

point-to-multipoint and point-to-multipoint non-broadcast generate a /32.

non-broadcast and point-to-multipoint non-broadcast are unicast and need a neighbor command.

————————————————–

clear text authentication for a virtual-link

router ospf 1
area 1 virtual-link 2.2.2.2 authentication
area 1 virtual-link 2.2.2.2 authentication-key cisco

MD5 authentication for a virtual-link

router ospf 1
area 1 virtual-link 2.2.2.2 authentication message-digest
area 1 virtual-link 2.2.2.2 message-digest-key 1 md5 cisco

- change the password to CCIE without interrupting the link: add the new key ID on both ends first; while both keys are configured the router authenticates with each of them and accepts either key ID, so the adjacency never drops. Once both sides have key 2, remove key 1.
router ospf 1
area 2 virtual-link 3.3.3.3 message-digest-key 2 md5 CCIE
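What the message-digest-key commands above actually compute, as an added Python example (not code from the original notes): OSPFv2 cryptographic authentication per RFC 2328 appendix D.4.3, where the digest is MD5 over the packet with the 16-byte key appended (not HMAC), plus the key-ID rollover that makes the password change above non-disruptive and the cryptographic sequence number that stops replays. Assumptions: keys shorter than 16 bytes are zero-padded, the hello body and router IDs are constructed, and the Receiver class and helper names are my own.

```python
"""OSPFv2 cryptographic authentication (RFC 2328 appendix D.4.3): what
'ip ospf message-digest-key <id> md5 <key>' computes, including key-ID
rollover and the sequence-number replay check. Added example; packet
bodies, router IDs and names below are constructed, not from the notes."""
import hashlib
import hmac
import struct
from typing import Dict

AU_CRYPTOGRAPHIC = 2
DIGEST_LEN = 16
HDR_LEN = 24
HELLO = 1


def _pad_key(key: bytes) -> bytes:
    # The authentication key is 16 bytes; shorter keys are padded with zeros (assumption).
    if not 1 <= len(key) <= DIGEST_LEN:
        raise ValueError("key must be 1..16 bytes")
    return key.ljust(DIGEST_LEN, b"\x00")


def _header(pkt_type: int, router_id: int, area_id: int, length: int,
            key_id: int, seq: int) -> bytes:
    # version, type, length, router id, area id, checksum (0 with crypto
    # auth), AuType=2, then the 8-byte auth field: 0, key id, auth len, seq
    return (struct.pack("!BBHIIHH", 2, pkt_type, length, router_id, area_id, 0, AU_CRYPTOGRAPHIC)
            + struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq))


def sign(body: bytes, router_id: int, area_id: int, key_id: int, seq: int,
         key: bytes, pkt_type: int = HELLO) -> bytes:
    """Build an authenticated packet: digest = MD5(packet || padded key),
    appended after the packet and NOT counted in the OSPF length field."""
    length = HDR_LEN + len(body)
    packet = _header(pkt_type, router_id, area_id, length, key_id, seq) + body
    return packet + hashlib.md5(packet + _pad_key(key)).digest()


class Receiver:
    """One router's view: its configured key IDs and the last sequence
    number accepted from each neighbor router ID."""

    def __init__(self, keys: Dict[int, bytes]) -> None:
        self.keys = dict(keys)
        self.last_seq: Dict[int, int] = {}

    def verify(self, wire: bytes) -> bool:
        if len(wire) < HDR_LEN + DIGEST_LEN:
            return False
        version, _ptype, length, router_id, _area, _csum, au_type = struct.unpack("!BBHIIHH", wire[:16])
        _zero, key_id, auth_len, seq = struct.unpack("!HBBI", wire[16:HDR_LEN])
        if version != 2 or au_type != AU_CRYPTOGRAPHIC or auth_len != DIGEST_LEN:
            return False
        if len(wire) != length + DIGEST_LEN:
            return False
        key = self.keys.get(key_id)
        if key is None:
            return False                      # unknown key ID: cannot authenticate
        packet, digest = wire[:length], wire[length:]
        expected = hashlib.md5(packet + _pad_key(key)).digest()
        if not hmac.compare_digest(expected, digest):
            return False                      # wrong key or tampered packet
        if seq < self.last_seq.get(router_id, 0):
            return False                      # replayed packet
        self.last_seq[router_id] = seq
        return True
```

A Receiver configured with both key 1 (cisco12) and key 2 (CCIE) accepts packets signed with either, which is the rollover window; once key 1 is removed, packets still signed with it fail on the unknown key ID. compare_digest is used only for a constant-time comparison; the construction itself is the RFC's keyed MD5 suffix, not HMAC.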
—————————————————————

Stub area
- a stub area can not be the transit area for a virtual link. Use GRE instead.
- a stub area can not contain an ASBR
- the backbone area can not be configured as a stub area
- every router in the area, including the ABR, must have area xx stub configured
- no LSA type 5 (E1 or E2) is allowed in a stub area. You reach external routes via the default route injected by the ABR.
- the cost of the default route is 1. You can adjust it with AREA xx DEFAULT-COST ##.

r1
router ospf 1
area 1 stub

sh ip route | ex C
Gateway of last resort is 131.1.12.2 to network 0.0.0.0

1.0.0.0/24 is subnetted, 1 subnets
2.0.0.0/24 is subnetted, 1 subnets
O       2.2.2.0 [110/65] via 131.1.12.2, 00:14:02, Serial1/0.12
3.0.0.0/24 is subnetted, 1 subnets
O IA    3.3.3.0 [110/75] via 131.1.12.2, 00:14:02, Serial1/0.12
4.0.0.0/24 is subnetted, 1 subnets
O IA    4.4.4.0 [110/139] via 131.1.12.2, 00:14:02, Serial1/0.12
5.0.0.0/24 is subnetted, 1 subnets
O IA    5.5.5.0 [110/149] via 131.1.12.2, 00:01:53, Serial1/0.12
22.0.0.0/24 is subnetted, 1 subnets
O IA    22.2.2.0 [110/65] via 131.1.12.2, 00:14:02, Serial1/0.12
131.1.0.0/24 is subnetted, 4 subnets
O IA    131.1.23.0 [110/74] via 131.1.12.2, 00:14:02, Serial1/0.12
O IA    131.1.34.0 [110/138] via 131.1.12.2, 00:14:02, Serial1/0.12
O IA    131.1.45.0 [110/148] via 131.1.12.2, 00:01:44, Serial1/0.12
44.0.0.0/24 is subnetted, 1 subnets
O IA    44.4.4.0 [110/139] via 131.1.12.2, 00:14:02, Serial1/0.12
O*IA 0.0.0.0/0 [110/65] via 131.1.12.2, 00:14:02, Serial1/0.12

r2
router ospf 1
area 1 stub

If I use area 1 stub no-summary **ON R2** I will see all the IA and E routes filtered.
R1
sh ip route | ex C
Gateway of last resort is 131.1.12.2 to network 0.0.0.0

1.0.0.0/24 is subnetted, 1 subnets
2.0.0.0/24 is subnetted, 1 subnets
O       2.2.2.0 [110/65] via 131.1.12.2, 00:07:33, Serial1/0.12
131.1.0.0/24 is subnetted, 1 subnets
O*IA 0.0.0.0/0 [110/65] via 131.1.12.2, 00:07:33, Serial1/0.12
—————————————–

area 1 should only use LSA types 1, 2, 3 and 7, with no ability to reach any external redistributed routes in the routing domain.

access-list 1 permit 11.1.0.0 0.0.3.255
route-map TEST permit 10
match ip add 1

router ospf 1
area 1 nssa
redistribute connected route-map TEST subnets

NOTE: in an NSSA the ABR does not inject a 0.0.0.0/0 route on its own, so you need to add default-information-originate to the area xx nssa command on the ABR.
———————————-

config r5 with loopbacks 1-3 and redistribute them into OSPF. After redistribution the area should only maintain and propagate LSA types 1, 2, 3, 7 and a default route.
note: NSSAs propagate type 1, 2, 3, 7 LSAs but you need nssa default-information-originate on the ABR to propagate the default route.

r4
router ospf 1
area 2 nssa default-information-originate

r5
access-list 5 perm 155.1.0.0 0.0.3.255
route-map RC2OSPFA2  perm 10
match ip add 5

router ospf 1
area 2 nssa
redistribute connected subnets route-map RC2OSPFA2

note:
r4
default-information originate
area 2 nssa
I tested and it will not work. It generated a default route on R3 and

not on R5!!!

——————————-

area 1 should receive/propagate type 1, 2, 7 LSAs and a default route, so this needs to be a not-so-totally-stubby area.

router ospf 1
area 1 nssa no-summary <-- the no-summary keyword filters the type 3 LSAs (only the default type 3 is sent in)
———————————-

change the cost of the injected default route to 50.
note: a default route's cost is 1 by default.

router ospf 1 (on the ABR)
area 1 default-cost 50

before:
sho ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
Known via "ospf 1", distance 110, metric 65 (64 + cost of default route (1))

after:
sho ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
Known via "ospf 1", distance 110, metric 114 (64 + 50)
———————————————————–

configure the loopbacks to advertise the actual subnets mask
int loo0
ip ospf network point-to-point
———————————-

config r5 so that routers in area 5 do not receive any LSAs from other areas, but other areas should receive routes from area 5. Don't use distribute-list, access-list, or any command under the routing process to accomplish this task.

r3
int s1/0.34
des connection to r4 – area 5
ip ospf database-filter all out < — this filters all outgoing LSAs to R4.
————————————–

config r2 so that it filters all locally generated LSAs and prevents the LSAs from R1 from reaching R3 and R4. R3 and R4 should receive all LSAs from R3 & R4. Do not use any global config commands to solve this task.

R2
int f0/0
ip ospf net point-to-multipoint

router ospf 1
neigh 131.1.23.3 database-filter all out

NOTE: this question is confusing because I can do this without the global command or changing the OSPF interface type by doing this:
r2
int f0/0
ip ospf database-filter all out
—————————————

config r3 or R4 so that r4 does not have reachability to network 3.0.0.0. You must use a distribute list.

r4
access-list 3 deny 3.0.0.0 0.255.255.255
access-list 3 permit any

router ospf 1
distribute-list 3 in s1/0.43

NOTE: DISTRIBUTE-LIST OUT will not work in OSPF unless it's performed on the ASBR
——————————————–

Redistributing connected will turn the router into an ASBR
————————————————————–

ensure nets 3.3.0.0 – 3.3.3.0 are seen as external routes

r3
access-list 33 per 3.3.0.0 0.0.2.255

route-map 3EXTROUTE per 10
match ip add 33

router ospf 1
redistribute connected subnets route-map 3EXTROUTE
—————————————————–

config ospf routers so they do not have access to net 4.4.2.0/24. Do not use any global, neighbor, interface, or any ip ospf cmd to accomplish this task.

router ospf 1
summary-address 4.4.3.0 255.255.255.0 not-advertise

NOTE: by adding the not-advertise keyword you actually filter that net. Can be used on the ASBR. External routes only.

Another way, but only on the ABR. Internal routes only. Cannot filter external routes.
router ospf 1
area 1 range 4.4.3.0 255.255.255.0 not-advertise
——————————————————

config router so that net 2.2.2.0/24 is not advertised to area 2

R3
ip prefix-list FILTER2 seq 5 deny 2.2.2.0/24
ip prefix-list FILTER2 seq 10 permit 0.0.0.0/0 le 32
router ospf 1
area 2 filter-list prefix FILTER2 in

NOTE: this filters LSA type 3 – sho ip ospf data = look for router link states.
I tested to see if you do not use le 32 what would happen. I found that r4 will not have any ospf routes.
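The "le 32" experiment in the note above comes down to how IOS prefix-list entries match a route: the route must lie inside the entry's prefix, and its length must satisfy the ge/le bounds, with neither keyword meaning "this exact length only". The following is an added Python model of those rules (my code, not from this post or from Cisco), run against a constructed set of Type-3 prefixes taken from the routes shown in the lab; the prefix-list lines are the ones from the task, plus a variant without "le 32".

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the Type-3 (summary) prefixes an ABR would advertise into
# an area, based on the routes shown in this lab. Not taken from a real device.
SAMPLE_LSA3_PREFIXES = ["1.1.1.1/32", "2.2.2.0/24", "2.2.2.128/25", "3.3.3.3/32", "200.1.12.0/24"]

# The prefix-list from the lab, and a variant without "le 32" (the experiment in the note).
FILTER2_WITH_LE32 = [
    "ip prefix-list FILTER2 seq 5 deny 2.2.2.0/24",
    "ip prefix-list FILTER2 seq 10 permit 0.0.0.0/0 le 32",
]
FILTER2_NO_LE32 = [
    "ip prefix-list FILTER2 seq 5 deny 2.2.2.0/24",
    "ip prefix-list FILTER2 seq 10 permit 0.0.0.0/0",
]


@dataclass
class PrefixListEntry:
    seq: int
    action: str                      # "permit" or "deny"
    prefix: ipaddress.IPv4Network
    ge: Optional[int] = None         # minimum prefix length, if given
    le: Optional[int] = None         # maximum prefix length, if given


def parse_prefix_list(lines: List[str]) -> List[PrefixListEntry]:
    """Parse 'ip prefix-list NAME seq N permit|deny A.B.C.D/L [ge X] [le Y]' lines, ordered by seq."""
    entries = []
    for line in lines:
        tok = line.split()
        if tok[:2] != ["ip", "prefix-list"]:
            continue
        i = tok.index("seq")
        seq, action = int(tok[i + 1]), tok[i + 2]
        net = ipaddress.ip_network(tok[i + 3], strict=False)
        ge = int(tok[tok.index("ge") + 1]) if "ge" in tok else None
        le = int(tok[tok.index("le") + 1]) if "le" in tok else None
        entries.append(PrefixListEntry(seq, action, net, ge, le))
    return sorted(entries, key=lambda e: e.seq)


def entry_matches(entry: PrefixListEntry, route: ipaddress.IPv4Network) -> bool:
    """IOS prefix-list semantics: the route must lie inside the entry's prefix and its
    length must satisfy ge/le. With neither keyword, only the exact length matches."""
    if route.network_address not in entry.prefix or route.prefixlen < entry.prefix.prefixlen:
        return False
    lo = entry.ge if entry.ge is not None else entry.prefix.prefixlen
    hi = entry.le if entry.le is not None else (32 if entry.ge is not None else entry.prefix.prefixlen)
    return lo <= route.prefixlen <= hi


def evaluate(entries: List[PrefixListEntry], route: ipaddress.IPv4Network) -> str:
    """First matching entry wins; a route matching nothing hits the implicit deny at the end."""
    for entry in entries:
        if entry_matches(entry, route):
            return entry.action
    return "deny"


def permitted_prefixes(config_lines: List[str], prefixes: List[str]) -> List[str]:
    """Return, sorted, the prefixes the list lets through (e.g. into an area via 'area X filter-list')."""
    entries = parse_prefix_list(config_lines)
    routes = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return sorted(str(r) for r in routes if evaluate(entries, r) == "permit")


if __name__ == "__main__":
    print("with le 32:   ", permitted_prefixes(FILTER2_WITH_LE32, SAMPLE_LSA3_PREFIXES))
    print("without le 32:", permitted_prefixes(FILTER2_NO_LE32, SAMPLE_LSA3_PREFIXES))
```

Without "le 32" the permit entry matches only a route whose length is exactly 0, i.e. 0.0.0.0/0 itself, so every summary falls through to the implicit deny, which is the empty routing table observed on r4. The model also shows the other side of the same rule: "deny 2.2.2.0/24" with no le/ge does not catch a more specific 2.2.2.128/25, which would still be permitted by the second entry.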
———————————————–

sh ip ospf database database-summary

OSPF Router with ID (2.2.2.2) (Process ID 1)

Area 0 database summary
LSA Type      Count    Delete   Maxage
Router        2        0        0       <—- LSA Type 1
Network       1        0        0       <—- LSA Type 2
Summary Net   6        0        0       <—- LSA Type 3
Summary ASBR  1        0        0       <—- LSA Type 4
Type-7 Ext    0        0        0       <—- LSA Type 7
Prefixes redistributed in Type-7  0
Opaque Link   0        0        0
Opaque Area   0        0        0
Subtotal      10       0        0

Process 1 database summary
LSA Type      Count    Delete   Maxage
Router        4        0        0
Network       1        0        0
Summary Net   10       0        0
Summary ASBR  2        0        0
Type-7 Ext    0        0        0
Opaque Link   0        0        0
Opaque Area   0        0        0
Type-5 Ext    3        0        0       <—- LSA Type 5
Prefixes redistributed in Type-5  0
Opaque AS     0        0        0
Total         20       0        0
————————————————

ospf 02 jan 2009

r1 has two paths to net 4.0.0.0 via r2 & r3. R1 should use r2 to get to 4.0.0.0 and r3 to get to 3.0.0.0. If r2 goes down R1 should use r3 to get to 4.0.0.0

router ospf 1
max-metric router-lsa < — set the LSA metric to infinity. This is done so that other routers do not prefer this router as a transit hop in their path to a given network.

—————————-

redistribute between ospf and eigrp

router ei 100
redistribute ospf 100 metric 1500 10000 255 1 1500 < — you must add the metric, or use default-metric.

router ospf 100
redistribute eigrp 100 subnets
NOTE: when you redistribute routes into OSPF they will be redistributed with a metric of 20.
———————————————–

the max # of prefixes redistributed into OSPF is 9. At 80% generate a warning message.
router ospf 1
redistribute maximum-prefix 9 80 warning-only

note: if you want the prefixes beyond the limit to actually be ignored, DO NOT add the warning-only keyword.
——————————————————

make sure routers in area 2 can form an adjacency (Full state). Do not make any changes on R2.

note: r1 & r2 are in area 2. R1 is the hub.
r1 int s1/0.12 – ospf net type p-to-p
r2 int s1/0 – non-broadcast

r1
router ospf 1
nei 111.1.12.2
int s1/0.12
ip ospf net point-to-multipoint non-broadcast

note: with non-broadcast you need a neighbor statement. With p2p or p2m a DR is not elected.
——————————————————————————————

make sure routers in area 5 can establish a neighbor adjacency. Do not change anything on r5.
r1
int s1/0.15
ip ospf net non-broadcast
ip ospf pri 255

router ospf 1
neigh 155.1.15.5

NOTE: always make the hub router the DR! non-broadcast/broadcast elect a DR. Non-broadcast needs a neighbor statement.
—————————————————————————–

R1 should be the DR (the FR hub router should be the DR)
r1
int s1/0.x
ip ospf priority 255 < — 255 means always elect this the DR router.

r2-4
int s1/0 or int s1/0.xx
ip ospf priority 0 <—- this means that this router will never be elected a DR.
—————————————–

r1 s1/0.12 non-broadcast <> r2 s1/0.21 non-broadcast – make these two routers exchange routes. Do not change the network type.

r1
int tun 1
ip add 222.0.0.1 255.255.255.0
tun source 12.1.1.1
tun dest 12.1.1.2

router ospf 1
no network 12.1.1.1 0.0.0.0 a 0 < — removed to prevent a recursive routing loop through the tunnel
net 222.0.0.1 0.0.0.0 a 0

r2
int tun 1
ip add 222.0.0.2 255.255.255.0
tun sour 12.1.1.2
tun dest 12.1.1.1

router ospf 1
no net 12.1.1.2 0.0.0.0 a 0
net 222.0.0.2 0.0.0.0 a 0
————————————-

r6 should redistribute e0/0 into ospf – no acl or prefix list is allowed.
r6
route-map MATCHINT per 10
match interface e0/0

router ospf 1
redistribute connected route-map MATCHINT subnets
—————————————————————-

configure area 3 as nssa
note: all routers in area 3 need to be configured with nssa.

r3-6 (r4-6 are spokes of R3)
router ospf 1
area 3 nssa

r3
sh ip route ospf | in N2
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
O N2 4.0.0.0/8 [110/20] via 200.1.34.4, 00:00:17, Serial1/0.34
O N2 5.0.0.0/8 [110/20] via 200.1.35.5, 00:00:17, Serial1/0.35
O N2 6.0.0.0/8 [110/20] via 200.1.36.6, 00:00:17, Serial1/0.36

r1 (connects to r2 <> r 3)
R1(config-router)#do sho ip route | in E2
E1 – OSPF external type 1, E2 – OSPF external type 2
O E2 4.0.0.0/8 [110/20] via 200.1.12.2, 00:04:11, Serial1/0.12
O E2 5.0.0.0/8 [110/20] via 200.1.12.2, 00:03:50, Serial1/0.12
O E2 6.0.0.0/8 [110/20] via 200.1.12.2, 00:03:40, Serial1/0.12

NOTE: so the hub router sees all the spokes' networks as N2 routes, and all the routers behind r3 see the routes as E2.

——————————————————————

filter these networks:
200.1.34.0/24 r3<>r4
200.1.35.0/24 r3<>r5
200.1.36.0/24 r3<>r6

router ospf 1
area 1 range 200.1.34.0 255.255.255.0 not-advertise
area 1 range 200.1.35.0 255.255.255.0 not-advertise
area 1 range 200.1.36.0 255.255.255.0 not-advertise

Note: these routes will not be advertised outside of area 1
———————————————————–

config r3 so that routers in area 0 can reach the networks that were redistributed on r4-6 e0/0.

r3
router ospf 1
area 1 nssa translate type7 suppress-fa

R2
before: (this is after the routes were filtered via the area range cmd above)
1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 200.1.12.1, 00:08:06, Serial1/0.21
C    2.0.0.0/8 is directly connected, Loopback0
C    200.1.23.0/24 is directly connected, Serial1/0.23
3.0.0.0/32 is subnetted, 1 subnets
O IA    3.3.3.3 [110/65] via 200.1.23.3, 00:08:06, Serial1/0.23
C    200.1.12.0/24 is directly connected, Serial1/0.21

after:
1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 200.1.12.1, 00:14:10, Serial1/0.21
3.0.0.0/32 is subnetted, 1 subnets
O IA    3.3.3.3 [110/65] via 200.1.23.3, 00:14:10, Serial1/0.23
O E2 4.0.0.0/8 [110/20] via 200.1.23.3, 00:00:05, Serial1/0.23
O E2 5.0.0.0/8 [110/20] via 200.1.23.3, 00:00:05, Serial1/0.23
O E2 6.0.0.0/8 [110/20] via 200.1.23.3, 00:00:05, Serial1/0.23
——————————————————————————

lo1 should be redistributed into OSPF as metric-type 2 and tagged with 44 as it is redistributed into the OSPF domain.

route-map TAG44 per 10
match int lo1
set tag 44

router ospf 1
redistribute connected subnets route-map TAG44
net 4.4.4.4 0.0.0.0 area 1
————————————————–

on r1 filter routes tagged with 44

route-map TASK-8-filtertag44 deny 10
match tag 44

route-map TASK-8-filtertag44 perm 20

router ospf 1
distribute-list route-map TASK-8-filtertag44 in
——————————————————

filter all external type 2 prefixes – do not use an access-list.

route-map FILTER_E2 deny 10
match route-type external type-2

route-map FILTER_E2 perm 20

router ospf 1
distribute-list route-map FILTER_E2 in
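Both route-map filters above (the tag 44 filter and FILTER_E2) rely on the same three route-map rules: clauses are tried in sequence order, the first clause whose match statements all hold decides, and a route that matches no clause is denied, which is why each map ends with an empty "permit 20". The following Python simulation is an added example (my code, not from this post or from Cisco) that applies both maps, as written in the text, to a constructed set of routes labelled with their show-ip-route kind and tag; the mapping of "match route-type" keywords onto those kinds is my own table and an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Route:
    prefix: str
    kind: str                 # "O" intra-area, "IA" inter-area, "E1"/"E2" external, "N1"/"N2" NSSA external
    tag: Optional[int] = None


# Constructed sample of routes an OSPF router is about to install (not from a real device).
SAMPLE_ROUTES = [
    Route("2.0.0.0/8", "O"),
    Route("5.5.5.0/24", "IA"),
    Route("4.4.4.0/24", "E2", tag=44),
    Route("33.0.0.0/8", "E2"),
    Route("6.0.0.0/8", "E1", tag=44),
]

# The two route-maps from the lab text.
TAG44_MAP = [
    "route-map TASK-8-filtertag44 deny 10",
    " match tag 44",
    "route-map TASK-8-filtertag44 permit 20",
]
E2_MAP = [
    "route-map FILTER_E2 deny 10",
    " match route-type external type-2",
    "route-map FILTER_E2 permit 20",
]

# Assumed mapping of 'match route-type' keywords onto route kinds ('internal' covers intra- and inter-area).
ROUTE_TYPE_KEYWORDS: Dict[str, Set[str]] = {
    "internal": {"O", "IA"},
    "external": {"E1", "E2"},
    "external type-1": {"E1"},
    "external type-2": {"E2"},
    "nssa-external": {"N1", "N2"},
    "nssa-external type-1": {"N1"},
    "nssa-external type-2": {"N2"},
}


@dataclass
class Clause:
    seq: int
    action: str                          # "permit" or "deny"
    match_tag: Optional[int] = None
    match_route_type: Optional[str] = None


def parse_route_maps(lines: List[str]) -> Dict[str, List[Clause]]:
    """Parse 'route-map NAME permit|deny SEQ' clauses with their 'match tag' / 'match route-type' lines."""
    maps: Dict[str, List[Clause]] = {}
    current: Optional[Clause] = None
    for raw in lines:
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "route-map":
            current = Clause(int(tok[3]), tok[2])
            maps.setdefault(tok[1], []).append(current)
        elif tok[:2] == ["match", "tag"] and current is not None:
            current.match_tag = int(tok[2])
        elif tok[:2] == ["match", "route-type"] and current is not None:
            current.match_route_type = " ".join(tok[2:])
    for clauses in maps.values():
        clauses.sort(key=lambda c: c.seq)
    return maps


def clause_matches(clause: Clause, route: Route) -> bool:
    """Every match statement in a clause must hold; a clause with no match statements matches all routes."""
    if clause.match_tag is not None and route.tag != clause.match_tag:
        return False
    if clause.match_route_type is not None and route.kind not in ROUTE_TYPE_KEYWORDS[clause.match_route_type]:
        return False
    return True


def route_map_permits(clauses: List[Clause], route: Route) -> bool:
    """Clauses are tried in sequence order; the first match decides; no match means deny."""
    for clause in clauses:
        if clause_matches(clause, route):
            return clause.action == "permit"
    return False


def apply_distribute_list(map_lines: List[str], map_name: str, routes: List[Route]) -> List[str]:
    """Simulate 'distribute-list route-map NAME in': the prefixes allowed into the local routing table."""
    clauses = parse_route_maps(map_lines)[map_name]
    return [r.prefix for r in routes if route_map_permits(clauses, r)]


if __name__ == "__main__":
    print(apply_distribute_list(TAG44_MAP, "TASK-8-filtertag44", SAMPLE_ROUTES))
    print(apply_distribute_list(E2_MAP, "FILTER_E2", SAMPLE_ROUTES))
```

Dropping the trailing "permit 20" clause from either map (TAG44_MAP[:2] in the test) leaves the deny clause plus the implicit deny, so nothing is installed at all, which is the usual failure when a route-map is written with only the deny clause in mind.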
——————————————————–

hub
ip ospf pri 255
spokes
ip ospf pri 0
————————

non-broadcast / neighbor command: the frame-relay map broadcast keyword is not needed, because OSPF then uses UNICAST instead of multicast.
——————————————-

ip ospf network types must match, except

ip ospf net point-to-multipoint non-broadcast <> ip ospf net point-to-point
on the p2m non-broadcast side you need to change the ospf hello interval to match the other side:
ip ospf hello-interval 10 and a neighbor statement.
—————————————————

config plain-text authentication on all frame relay interfaces – all areas are 0

int s1/0
ip ospf authentication-key cisco

router ospf 1
area 0 authentication
————————————————
r1<>r2 MD5 authentication is enabled. All routers have the above config.

r1 & r2
int s1/0.xx
ip ospf message-digest-key 1 md5 cisco

router ospf 1
area 0 authen message-digest

R2 does not see routes from r3-5 (they are enabled for clear text).
r3-r5
router ospf 1
area 0 authentication message-digest

now r2 will see all the routes. The interface command was not used???
————————————————————————-

you can also disable authentication on the interface facing r3 and then r3-r5 do not need authentication enabled.

r2
int s1/0.23
ip ospf authentication null
———————————————————————————-

to enable authentication on the interface

interface Serial1/0
ip ospf authentication message-digest  < — enable authentication on the interface vs under the routing process.

ip ospf message-digest-key 1 md5 cisco
ip ospf message-digest-key 2 md5 cciers

This is called per-interface authentication. When using per-interface authentication other routers in the area do not need to be configured for authentication.
—————————————————————————-

redistribute lo0 & lo1; this creates E2 routes

r3
route-map REDISTRIBUTE_LO0_LO1 per 10
match interface loop0 loop1 < —- cool, I did not know you can match multiple int's.

router ospf 1
redistribute connected subnets route-map REDISTRIBUTE_LO0_LO1

r1
r1(config-subif)#do sho ip route ospf
O    2.0.0.0/8 [110/65] via 10.1.12.2, 00:00:23, Serial1/0.21
O E2 33.0.0.0/8 [110/20] via 10.1.12.2, 00:00:23, Serial1/0.21 <—-
O E2 3.0.0.0/8 [110/20] via 10.1.12.2, 00:00:23, Serial1/0.21  <—-
O IA 4.0.0.0/8 [110/193] via 10.1.12.2, 00:00:23, Serial1/0.21
5.0.0.0/24 is subnetted, 1 subnets
O IA    5.5.5.0 [110/193] via 10.1.12.2, 00:00:23, Serial1/0.21
———————————————————————-

Config areas 1 & 2 as NSSAs. Config R3 so that r4 & r5 get a default route
r3 – ABR for area 0,1,2
r4 area 1
r5 area 2

r3
router ospf 1
area 1 nssa default-information-originate
area 2 nssa default-information-originate

r4
sho ip route
Gateway of last resort is 10.1.34.3 to network 0.0.0.0

O IA 1.0.0.0/8 [110/193] via 10.1.34.3, 00:00:02, Serial1/0.43
O IA 2.0.0.0/8 [110/129] via 10.1.34.3, 00:00:02, Serial1/0.43
O N2 33.0.0.0/8 [110/20] via 10.1.34.3, 00:00:02, Serial1/0.43
O N2 3.0.0.0/8 [110/20] via 10.1.34.3, 00:00:02, Serial1/0.43
C    4.0.0.0/8 is directly connected, Loopback0
10.0.0.0/24 is subnetted, 4 subnets
O IA    10.1.12.0 [110/192] via 10.1.34.3, 00:00:02, Serial1/0.43
O IA    10.1.23.0 [110/128] via 10.1.34.3, 00:00:02, Serial1/0.43
O IA    10.1.35.0 [110/128] via 10.1.34.3, 00:00:02, Serial1/0.43
C       10.1.34.0 is directly connected, Serial1/0.43
O*N2 0.0.0.0/0 [110/1] via 10.1.34.3, 00:00:02, Serial1/0.43 <– injected external default route
————————————————————–

config so the default route injected by the ABR is an internal route

r3
router ospf 1
area 1 nssa no-summary

r4
r4(config-router)#do sho ip route os
O N2 33.0.0.0/8 [110/20] via 10.1.34.3, 00:01:32, Serial1/0.43
O N2 3.0.0.0/8 [110/20] via 10.1.34.3, 00:01:32, Serial1/0.43
O*IA 0.0.0.0/0 [110/65] via 10.1.34.3, 00:01:37, Serial1/0.43
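The r4 tables above are the kind of thing worth checking automatically after an NSSA change: inside the NSSA, redistributed routes must show up only as N1/N2, never E1/E2, and the default must be an O*N2 (from nssa default-information-originate) or an O*IA (from nssa no-summary). The following Python parser and check is an added example (my code, not from this post) run over the r4 "before" and "after" tables reproduced here, plus the r1 table from the lo0/lo1 redistribution task earlier, where E2 routes are the expected result; all three tables are constructed from the lines in this post, not captured fresh.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed from the r4 tables in this lab: before and after "area 1 nssa no-summary" on the ABR.
R4_BEFORE = """\
Gateway of last resort is 10.1.34.3 to network 0.0.0.0

O IA 1.0.0.0/8 [110/193] via 10.1.34.3, 00:00:02, Serial1/0.43
O IA 2.0.0.0/8 [110/129] via 10.1.34.3, 00:00:02, Serial1/0.43
O N2 33.0.0.0/8 [110/20] via 10.1.34.3, 00:00:02, Serial1/0.43
O N2 3.0.0.0/8 [110/20] via 10.1.34.3, 00:00:02, Serial1/0.43
C    4.0.0.0/8 is directly connected, Loopback0
10.0.0.0/24 is subnetted, 4 subnets
O IA    10.1.12.0 [110/192] via 10.1.34.3, 00:00:02, Serial1/0.43
O IA    10.1.23.0 [110/128] via 10.1.34.3, 00:00:02, Serial1/0.43
O IA    10.1.35.0 [110/128] via 10.1.34.3, 00:00:02, Serial1/0.43
C       10.1.34.0 is directly connected, Serial1/0.43
O*N2 0.0.0.0/0 [110/1] via 10.1.34.3, 00:00:02, Serial1/0.43
"""
R4_AFTER = """\
O N2 33.0.0.0/8 [110/20] via 10.1.34.3, 00:01:32, Serial1/0.43
O N2 3.0.0.0/8 [110/20] via 10.1.34.3, 00:01:32, Serial1/0.43
O*IA 0.0.0.0/0 [110/65] via 10.1.34.3, 00:01:37, Serial1/0.43
"""
# A table from a router outside the NSSA (r1 earlier in the lab), where E2 routes are expected.
R1_TABLE = """\
O    2.0.0.0/8 [110/65] via 10.1.12.2, 00:00:23, Serial1/0.21
O E2 33.0.0.0/8 [110/20] via 10.1.12.2, 00:00:23, Serial1/0.21
O E2 3.0.0.0/8 [110/20] via 10.1.12.2, 00:00:23, Serial1/0.21
O IA 4.0.0.0/8 [110/193] via 10.1.12.2, 00:00:23, Serial1/0.21
"""

# One route line: code(s), prefix, then either "[AD/metric] via NEXTHOP" or "is directly connected".
ROUTE_RE = re.compile(
    r"^(?P<codes>[A-Z]\S*(?: (?:IA|E1|E2|N1|N2))?)\s+"
    r"(?P<prefix>\d+(?:\.\d+){3}(?:/\d+)?)\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\] via (?P<nexthop>\d+(?:\.\d+){3})|is directly connected)"
)


@dataclass
class RouteEntry:
    prefix: str
    proto: str                 # "O" for OSPF, "C" for connected
    subtype: str               # "" for intra-area, otherwise IA / E1 / E2 / N1 / N2
    default: bool              # flagged with "*" (candidate default)
    metric: Optional[int]
    nexthop: Optional[str]


def parse_ip_route(text: str) -> List[RouteEntry]:
    """Parse 'show ip route' output; header lines ('... is subnetted', 'Gateway of last resort') are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        parts = m.group("codes").replace("*", " ").split()    # "O*N2" -> ["O", "N2"]
        entries.append(RouteEntry(
            prefix=m.group("prefix"),
            proto=parts[0],
            subtype=parts[1] if len(parts) > 1 else "",
            default="*" in m.group("codes"),
            metric=int(m.group("metric")) if m.group("metric") else None,
            nexthop=m.group("nexthop"),
        ))
    return entries


def summarize(entries: List[RouteEntry]) -> Dict[str, int]:
    """Count routes by their show-ip-route code (O, IA, E2, N2, C, ...)."""
    return Counter(e.subtype or e.proto for e in entries)


def nssa_check(entries: List[RouteEntry]) -> Dict[str, object]:
    """Inside an NSSA: externals must be N1/N2 (never E1/E2); the default is N2 or IA."""
    default = next((e for e in entries if e.default), None)
    return {
        "e_routes": [e.prefix for e in entries if e.subtype in ("E1", "E2")],
        "default": default.subtype if default else None,
        "default_metric": default.metric if default else None,
    }


if __name__ == "__main__":
    for name, table in (("r4 before", R4_BEFORE), ("r4 after", R4_AFTER), ("r1", R1_TABLE)):
        routes = parse_ip_route(table)
        print(name, dict(summarize(routes)), nssa_check(routes))
```

For the r4 "before" table the check reports no E routes and an N2 default with metric 1 (the injected Type-7 default); after no-summary the default becomes IA with metric 65, the 64 of the serial link plus the area's default-cost of 1. The same check run on the r1 table flags 33.0.0.0/8 and 3.0.0.0/8 as E2, which is correct there because r1 is not in the NSSA.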

————-

config r3 so that area 1 (r4) does not get redistributed routes

r3
router ospf 1
area 1 nssa no-redistribution
—————————————–

NOTE: when doing the labs I see that the commands are nested.
eg.
area 1 nssa
area 1 nssa default-information-originate
area 1 nssa no-summary = area 1 nssa default-information-originate no-summary
area 1 nssa no-redistribution = area 1 nssa default-information-originate no-summary no-redistribution
———————————————

configure area 1 on r1-3 but do not use the network command
r1 – R2
int s1/0
ip ospf 1 area 0

R2-R3
int e0/0
ip ospf 1 area 0
———————————–

do not allow secondary addresses to be advertised
r2
int e0/0
ip ospf 1 area 0 secondaries none
—————————————
loopbacks should be advertised
int lo0
ip add 1.1.1.1 255.255.255.0
ip ospf network point-to-point

router ospf 1
net 1.1.1.1 0.0.0.0 a 1
——————————–

filter 1.1.1.0/24 from r2 only

access-list 1 deny 1.1.1.0 0.0.0.255
access-list 1 permit any

router ospf 1
distribute-list 1 in
r3-r5 will still learn 1.1.1.1 from R2. It's just filtered from r2's routing table.
————————————-

05 Jan 2008 OSPF

————————–
make sure routers in area 99 do not receive 111.1.1.0/24 in their routing table
NOTE: you must do this on the Area Border Router (ABR)

ip prefix-list FILTER_111NET_FROM_AREA99 seq 5 deny 111.1.1.0/24
ip prefix-list FILTER_111NET_FROM_AREA99 seq 10 permit 0.0.0.0/0 le 32

router ospf 1
area 99 filter-list prefix FILTER_111NET_FROM_AREA99 in

on area 99 routers you will not see 111.1.1.0/24 in the routing table and you will not see it if you sho ip ospf database summary 11.1.1.0.
You will see it on the ABR in the routing table and via sho ip ospf database summary 11.1.1.0, BUT YOU WILL SEE IT AS A SUMMARY IN AREA 0, not area 2.
—————————————————————–

COOL command
r3#sh ip ospf data database-summary

OSPF Router with ID (3.3.3.3) (Process ID 1)

Area 0 database summary
LSA Type      Count    Delete   Maxage
Router        2        0        0      <—- LSA type 1
Network       0        0        0      <—- LSA type 2
Summary Net   7        0        0      <—- LSA type 3
Summary ASBR  0        0        0      <—- LSA type 4
Type-7 Ext    0        0        0
Prefixes redistributed in Type-7  0
Opaque Link   0        0        0
Opaque Area   0        0        0
Subtotal      9        0        0

——————————————————

to filter LSA type 1 – only on ABR

router ospf 1
area 1 range 111.111.111.0 255.255.255.0

to filter LSA type 3 – only on ABR – only LSA type 3 (network summary)

ip prefix-list FILTERLSA3 seq 5 deny 111.111.111.0/24
ip prefix-list FILTERLSA3 seq 10 permit 0.0.0.0/0 le 32

router ospf 1
area 1 filter-list prefix FILTERLSA3 in
——————————————————

Configure the routers so only R1 can see 100.1.1.0/24.

r2-4
sho access-list
access-list 1 deny 100.1.1.0 0.0.0.255
access-list 1 permit any

router ospf 1
distribute-list 1 in

NOTE: this will filter net 100.1.1.0/25 from the local router only, so this needs to be done on all the routers.
———————————————————————–

Config so that the loopback on r5 is seen as an E2 route in its neighbors' routing tables.

r5
route-map REDIST_L0 per 10
match inter lo0

router ospf 1
redistribute connected subnets route-map REDIST_L0
———————————————————–

ALWAYS use the subnets keyword when redistributing between OSPF and EIGRP.
———————————————————————-

Filter 5.5.5.0/24 so that only R5 will see 5.5.5.0/25 in its routing table.

int lo0
ip address 5.5.5.5 255.255.255.0

ip access-list standard FILTER5NET
deny 5.5.5.0 0.0.0.255
permit any

or

access-list 1 deny 5.5.5.0
access-list 1 permit any

route-map REDIST_L0 per 10
match inter lo0

router ospf 1
redistribute connected subnets route-map REDIST_L0 <—- redistributing makes this an ASBR
distribute-list FILTER5NET out

NOTE: This is the only scenario where "distribute-list out" will work in OSPF. This can only be done on the ASBR. This filters type 5 or 7 LSAs. (Here it's LSA type 5)
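The standard access-lists used with distribute-list in this task, in the 1.1.1.0/24 task and in the 100.1.1.0/24 task all depend on wildcard-mask matching against the route's network address, plus the implicit deny at the end of every list. The following Python model is an added example (my code, not from this post or from Cisco) that applies three constructed lists to a constructed set of routes: the lab's wildcard-style deny, a host-style deny with no wildcard (as in "access-list 1 deny 5.5.5.0" above), and a list that denies one net and then "permits" the same net, which is a common slip that ends up filtering everything.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed candidate OSPF routes (network/length) that a distribute-list would see.
CANDIDATE_ROUTES = ["1.1.1.0/24", "2.0.0.0/8", "5.5.5.0/24", "5.5.5.128/25", "100.1.1.0/24"]

# Three constructed standard ACLs (see the lead-in for what each one illustrates).
ACL_DENY_1NET = ["access-list 1 deny 1.1.1.0 0.0.0.255", "access-list 1 permit any"]
ACL_HOST_STYLE = ["access-list 1 deny 5.5.5.0", "access-list 1 permit any"]
ACL_NO_PERMIT_ANY = ["access-list 1 deny 100.1.1.0 0.0.0.255", "access-list 1 permit 100.1.1.0 0.0.0.255"]


@dataclass
class AclEntry:
    action: str        # "permit" or "deny"
    address: int       # 32-bit address
    wildcard: int      # 1 bits = don't care, 0 bits = must match


def parse_standard_acl(lines: List[str], number: int) -> List[AclEntry]:
    """Parse 'access-list N permit|deny A.B.C.D [W.W.W.W]' and 'access-list N permit|deny any'."""
    entries = []
    for raw in lines:
        tok = raw.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[1] != str(number):
            continue
        action, target = tok[2], tok[3]
        if target == "any":
            entries.append(AclEntry(action, 0, 0xFFFFFFFF))
            continue
        address = int(ipaddress.IPv4Address(target))
        # No wildcard given means a host match: every bit must be equal (wildcard 0.0.0.0).
        wildcard = int(ipaddress.IPv4Address(tok[4])) if len(tok) > 4 else 0
        entries.append(AclEntry(action, address, wildcard))
    return entries


def acl_permits(entries: List[AclEntry], address: str) -> bool:
    """First matching entry wins; an address matching no entry is denied (implicit deny)."""
    a = int(ipaddress.IPv4Address(address))
    for e in entries:
        care = ~e.wildcard & 0xFFFFFFFF          # bits that must match exactly
        if a & care == e.address & care:
            return e.action == "permit"
    return False


def distribute_list_in(acl_lines: List[str], number: int, routes: List[str]) -> List[str]:
    """Simulate 'distribute-list N in' on one router: the ACL is tested against each route's
    network address and only permitted routes enter that router's own routing table."""
    entries = parse_standard_acl(acl_lines, number)
    return [r for r in routes if acl_permits(entries, str(ipaddress.ip_network(r).network_address))]


if __name__ == "__main__":
    for name, acl in (("deny 1.1.1.0/24", ACL_DENY_1NET),
                      ("host-style deny", ACL_HOST_STYLE),
                      ("no permit any", ACL_NO_PERMIT_ANY)):
        print(name, distribute_list_in(acl, 1, CANDIDATE_ROUTES))
```

The host-style entry still catches 5.5.5.0/24, because the ACL is compared with the route's network address and that address is exactly 5.5.5.0; a more specific 5.5.5.128/25 slips past it, which a wildcard of 0.0.0.255 would not allow. The third list permits nothing: the deny catches 100.1.1.0, and every other route falls off the end of the list into the implicit deny, so the router would lose all its OSPF routes, which is why the lists in this post end with "permit any".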
————————————————————————————-

config r5 so that only it can see 50.5.5.0/24.
R5 is an ASBR

router ospf 1
summary-address 50.5.5.0 255.255.255.0 not-advertise
————————————————————–

Filter net 55.5.5.0 from R1

sh  access-list

access-list 1 deny 55.5.5.0
access-list 1 permit any

router ospf 1
distribute-list 1 in
————————————

config so that routers in area 2 do not see any networks advertised by any other router in the topology.

r1 a1 <> r2 a1
r1a1 <> r3 a1 <> r4 a2 <> r5 a2

r4
int s1/0.45
ip ospf database-filter all out
clear ip ospf pro

The "ip ospf database-filter all out" will prevent all routes from being advertised to R5. All other routers will see all of R5's advertised networks.

——————————————————————

config so that r1/2/3 (area 1) only see routes in their own area and r4 (area 2) only sees its own routes.

r3
router ospf 1
neighbor 10.1.1.4 database-filter all out
r3(config-router)#neighbor 10.1.34.4 database-filter all out
OSPF: Neighbor command is allowed only on NBMA and point-to-multipoint networks

int s1/0.34
ip ospf net point-to-multipoint

clear ip ospf pro
——————————————-

OSPF ABR Type 3 LSA filtering – sent between different areas.

router ospf 1
area 1 filter-list prefix FILTERtype3 in

ip prefix-list FILTERtype3 seq 5 deny 1.1.1.0/24
ip prefix-list FILTERtype3 seq 10 permit 0.0.0.0/0 le 32

To filter interarea routes:

router ospf 1
area 1 filter-list prefix FILTERIA out

ip prefix-list FILTERIA seq 5 deny 1.1.1.0/24
ip prefix-list FILTERIA seq 10 permit 0.0.0.0/0 le 32

show ip ospf
———————————————————

OSPF Forwarding Address Suppression in Translated Type-5 LSAs

causes a not-so-stubby area (NSSA) area border router (ABR) to translate Type-7 link state advertisements (LSAs) to Type-5 LSAs, but use the address 0.0.0.0 for the forwarding address instead of that specified in the Type-7 LSA.

This feature causes routers that are configured not to advertise forwarding addresses into the backbone to direct forwarded traffic to the translating NSSA ABRs.

1. enable

2. configure terminal

3. router ospf process-id

4. area area-id nssa translate type7 suppress-fa

5. end
—————————————————-
How to Configure OSPF Inbound Filtering Using Route Maps

1. enable

2. configure terminal

3. route-map map-tag [permit | deny] [sequence-number]

4. match tag tag-name

or other match commands.

5. Repeat Steps 3 and 4 with other route-map and match commands if you choose.

6. exit

7. router ospf process-id

8. distribute-list route-map map-tag in

9. end

route-map tag-filter deny 10

match tag 777

route-map tag-filter permit 20

!

router ospf 1

router-id 10.0.0.2

log-adjacency-changes

network 172.16.2.1 0.0.0.255 area 0

distribute-list route-map tag-filter in

———————————————–

OSPF Limit on Number of Redistributed Routes
SUMMARY STEPS

1. enable

2. configure terminal

3. router ospf process-id

4. redistribute protocol [process-id] [as-number] [metric metric-value] [metric-type type-value] [match {internal | external 1 | external 2}] [tag tag-value] [route-map map-tag] [subnets]

5. redistribute maximum-prefix maximum [threshold]

6. end

7. show ip ospf [process-id]

redistribute maximum-prefix maximum [threshold]
Example:

Router(config-router)# redistribute maximum-prefix 100 80

Sets a maximum number of IP prefixes that are allowed to be redistributed into OSPF.

• There is no default value for the maximum argument.

• The threshold value defaults to 75 percent.

Note If the warning-only keyword had been configured in this command, no limit would be enforced; a warning message is simply logged.

—————————–

OSPF Area Transit Capability
The OSPF Area Transit Capability feature provides an OSPF Area Border Router (ABR) with the ability to discover shorter paths through the transit area for forwarding traffic that would normally need to travel through the virtual-link path. This functionality allows Cisco IOS software to be compliant with RFC 2328.

1. enable

2. configure terminal

3. router ospf process-id [vrf vpn-name]

4. no capability transit

——————————————————

ABR = area XXX range
ASBR = summary-address

filter LSA 4/5
area 1 stub

filter LSA 3/4/5

r5
area 1 stub

r4
area 1 stub no-summary

after redistribution should receive LSA 1,2,3,7
area 1 nssa    (need a default route)

after redistribution should propagate LSA 1,2,3,7 & default route
r5
area 2 nssa

r4
area 2 nssa default-information-originate

Posted in OSPF, Routing & Switching Lab | Leave a Comment »

 