Wednesday 3 October 2012

BGP path manipulation with community tag, local-preference and ...

Physical topology


Layer 3 topology


BGP topology

The objective of this lab is to manipulate the traffic path between R5 and the two external networks, R6 and R7.
Packets from R5 to R6 should take R5>R4>R1>R6, and the return traffic should take R6>R1>R4>R5.
For R7 as the destination, R5 may use either R3 or R4, but the return path must be R7>R2>R3>R5.

R1 Config

interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Loopback1
 ip address 1.1.1.11 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.134.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.16.1 255.255.255.0
!
router ospf 1
 log-adjacency-changes
 redistribute connected subnets route-map connected
 network 1.1.1.1 0.0.0.0 area 0
 network 192.168.134.1 0.0.0.0 area 0
!
router bgp 1234
 no synchronization
 bgp log-neighbor-changes
 network 1.1.1.11 mask 255.255.255.255
 neighbor 2.2.2.2 remote-as 1234
 neighbor 2.2.2.2 update-source Loopback0
 neighbor 2.2.2.2 route-map lower-lp in
 neighbor 4.4.4.4 remote-as 1234
 neighbor 4.4.4.4 update-source Loopback0
 neighbor 4.4.4.4 route-reflector-client
 neighbor 4.4.4.4 route-map domestic out
 neighbor 192.168.16.6 remote-as 6
 no auto-summary
!
ip bgp-community new-format
ip community-list standard 1234:5 permit 1234:5
ip as-path access-list 1 deny ^$
ip as-path access-list 1 permit .*
ip as-path access-list 2 permit ^7_
!
route-map domestic permit 10
 match as-path 2
!
route-map domestic deny 20
 match as-path 1
!
route-map domestic permit 100
!
route-map lower-lp permit 10
 match community 1234:5
 set local-preference 200
!
route-map lower-lp permit 100
!
route-map testing permit 10
!
route-map connected permit 10
 match interface FastEthernet0/1

R2 Config

interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Loopback1
 ip address 2.2.2.21 255.255.255.255
!
interface FastEthernet1/0
 ip address 192.168.27.2 255.255.255.0
!
interface FastEthernet4/1
 switchport access vlan 134
!
interface FastEthernet4/3
 switchport access vlan 134
!
interface FastEthernet4/4
 switchport access vlan 134
!
interface FastEthernet4/5
 switchport access vlan 45
!
interface Vlan134
 ip address 192.168.134.2 255.255.255.0
!
router ospf 1
 log-adjacency-changes
 network 2.2.2.2 0.0.0.0 area 0
 network 192.168.134.2 0.0.0.0 area 0
 default-information originate
!
router bgp 1234
 no synchronization
 bgp log-neighbor-changes
 network 2.2.2.21 mask 255.255.255.255
 neighbor 1.1.1.1 remote-as 1234
 neighbor 1.1.1.1 update-source Loopback0
 neighbor 1.1.1.1 send-community
 neighbor 3.3.3.3 remote-as 1234
 neighbor 3.3.3.3 update-source Loopback0
 neighbor 3.3.3.3 route-reflector-client
 neighbor 3.3.3.3 send-community
 neighbor 192.168.27.7 remote-as 7
 neighbor 192.168.27.7 route-map tag in
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
ip bgp-community new-format
!
route-map tag permit 10
 set community 1234:7

R3 Config

interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Loopback1
 ip address 3.3.3.31 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.134.3 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.35.3 255.255.255.0
!
router ospf 1
 log-adjacency-changes
 redistribute connected subnets route-map connected
 network 3.3.3.3 0.0.0.0 area 0
 network 192.168.134.3 0.0.0.0 area 0
!
router bgp 1234
 no synchronization
 bgp log-neighbor-changes
 network 3.3.3.31 mask 255.255.255.255
 neighbor 2.2.2.2 remote-as 1234
 neighbor 2.2.2.2 update-source Loopback0
 neighbor 2.2.2.2 send-community
 neighbor 192.168.35.5 remote-as 5
 neighbor 192.168.35.5 route-map lp in
 neighbor 192.168.35.5 route-map domestic+local out
 no auto-summary
!
ip bgp-community new-format
ip community-list standard 1234:7 permit 1234:7
ip as-path access-list 1 permit ^$
!
route-map lp permit 10
 set local-preference 400
 set community 1234:5
!
route-map domestic+local permit 10
 match community 1234:7
!
route-map domestic+local permit 20
 match as-path 1
!
route-map connected permit 10
 match interface FastEthernet0/1

R4 Config

interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface Loopback1
 ip address 4.4.4.41 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.45.4 255.255.255.0
!
interface FastEthernet1/0
 ip address 192.168.134.4 255.255.255.0
!
router ospf 1
 log-adjacency-changes
 redistribute connected subnets route-map connected
 network 4.4.4.4 0.0.0.0 area 0
 network 192.168.134.4 0.0.0.0 area 0
!
router bgp 1234
 no synchronization
 bgp log-neighbor-changes
 network 4.4.4.41 mask 255.255.255.255
 neighbor 1.1.1.1 remote-as 1234
 neighbor 1.1.1.1 update-source Loopback0
 neighbor 192.168.45.5 remote-as 5
 neighbor 192.168.45.5 default-originate
 neighbor 192.168.45.5 route-map lp in
 no auto-summary
!
route-map lp permit 10
 set local-preference 300
!
route-map connected permit 10
 match interface FastEthernet0/0

R5 Config

interface Loopback0
 ip address 5.5.5.5 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.35.5 255.255.255.0
!
interface FastEthernet1/0
 ip address 192.168.45.5 255.255.255.0
!
router bgp 5
 no synchronization
 bgp log-neighbor-changes
 network 5.5.5.5 mask 255.255.255.255
 neighbor 192.168.35.3 remote-as 1234
 neighbor 192.168.45.4 remote-as 1234
 no auto-summary

R6 Config

interface Loopback0
 ip address 6.6.6.6 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.16.6 255.255.255.0
!
router bgp 6
 no synchronization
 bgp log-neighbor-changes
 network 6.6.6.6 mask 255.255.255.255
 neighbor 192.168.16.1 remote-as 1234
 no auto-summary

R7 Config

interface Loopback0
 ip address 7.7.7.7 255.255.255.255
!
interface FastEthernet1/0
 ip address 192.168.27.7 255.255.255.0
!
router bgp 7
 no synchronization
 bgp log-neighbor-changes
 network 7.7.7.7 mask 255.255.255.255
 neighbor 192.168.27.2 remote-as 1234
 no auto-summary

Scenario 1:

Since R4 is not a powerful routing device, it should carry only the local and domestic BGP routes rather than every update. R4 is a route-reflector client of R1, so by default R1 reflects every BGP update to it.
So we filter the unwanted updates on R1 with an outbound route-map toward R4. as-path access-list 2 (^7_) matches routes originated in AS 7, and access-list 1 (deny ^$, then permit .*) matches every route with a non-empty AS path, i.e. everything learned from outside AS 1234. Route-map domestic therefore permits the AS 7 routes, denies the remaining external routes, and lets everything else (the routes originated inside AS 1234) through. After the filter, R4's table should contain the AS 1234 prefixes, its own eBGP route from R5 and 7.7.7.7 from AS 7, but not 6.6.6.6 from AS 6.

R1 configuration

route-map domestic permit 10
match as-path 2
!
route-map domestic deny 20
match as-path 1
!
route-map domestic permit 100
!
ip as-path access-list 1 deny ^$
ip as-path access-list 1 permit .*
ip as-path access-list 2 permit ^7_

Verification

R4#show ip bgp
   Network          Next Hop            Metric LocPrf Weight Path
*>i1.1.1.11/32      1.1.1.1                  0    100      0 i
*>i2.2.2.21/32      2.2.2.2                  0    100      0 i
*>i3.3.3.31/32      3.3.3.3                  0    100      0 i
*> 4.4.4.41/32      0.0.0.0                  0         32768 i
*> 5.5.5.5/32       192.168.45.5             0    300      0 5 i
*>i7.7.7.7/32       192.168.27.7             0    100      0 7 i

Scenario 2:

R4 no longer learns the R6 prefix via BGP, so for R4 to reach it R2 injects a default route into OSPF. default-information originate without the always keyword only advertises a default when R2 itself has one in its routing table, which is why the static default toward R1 is needed.

R2 configuration

ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
router ospf 1
default-information originate

Verification

R4#show ip route
Gateway of last resort is 192.168.134.2 to network 0.0.0.0

O*E2 0.0.0.0/0 [110/1] via 192.168.134.2, 02:55:26, FastEthernet1/0

Scenario 3:

R5 should use only R4 when the destination is international (R6).
So R3 needs to filter the international routes out of its BGP updates to R5.
Every update R2 receives from R7 is tagged with community 1234:7, so that R3 can later match on that tag and advertise to R5 only the domestic routes plus the routes originated inside AS 1234 (as-path ^$); the implicit deny at the end of route-map domestic+local drops everything else, including the R6 prefix. Communities are not sent to iBGP neighbors unless send-community is configured, hence that command on R2 toward R3.

R2 configuration

router bgp 1234
neighbor 3.3.3.3 send-community
neighbor 192.168.27.7 route-map tag in
!
route-map tag permit 10
set community 1234:7

R3 configuration

router bgp 1234
neighbor 192.168.35.5 route-map domestic+local out
!
route-map domestic+local permit 10
match community 1234:7
!
route-map domestic+local permit 20
match as-path 1
!
ip community-list standard 1234:7 permit 1234:7
ip as-path access-list 1 permit ^$
*Note: The AS:NN community format used in the community-list and in show output requires the command ip bgp-community new-format, as in the full configurations above.

R3#show ip bgp neighbors 192.168.35.5 advertised-routes

   Network          Next Hop            Metric LocPrf Weight Path
*>i1.1.1.11/32      1.1.1.1                  0    100      0 i
*>i2.2.2.21/32      2.2.2.2                  0    100      0 i
*> 3.3.3.31/32      0.0.0.0                  0         32768 i
*>i4.4.4.41/32      4.4.4.4                  0    100      0 i
*>i7.7.7.7/32       192.168.27.7             0    100      0 7 i

Scenario 4:

For the return traffic from R7 to R5 to take the path R7>R2>R3>R5, the update for R5's prefix received from R3 must always be the best path on R2. A higher local-preference wins, so R3 sets 400 on the updates it receives from R5 while R4 sets 300.

R3 configuration

router bgp 1234
neighbor 192.168.35.5 route-map lp in
!
route-map lp permit 10
set local-preference 400

R4 configuration

router bgp 1234
neighbor 192.168.45.5 route-map lp in
!
route-map lp permit 10
set local-preference 300

Verification

R2#show ip bgp 5.5.5.5
BGP routing table entry for 5.5.5.5/32, version 5
Paths: (2 available, best #2, table Default-IP-Routing-Table)
  Advertised to update-groups:
     1          3
  5
    192.168.45.5 (metric 20) from 1.1.1.1 (1.1.1.1)
      Origin IGP, metric 0, localpref 300, valid, internal
      Originator: 4.4.4.4, Cluster list: 1.1.1.1
  5, (Received from a RR-client)
    192.168.35.5 (metric 20) from 3.3.3.3 (3.3.3.3)
      Origin IGP, metric 0, localpref 400, valid, internal, best
      Community: 1234:5

Scenario 5:

Up to this point R1 also prefers R3 as the exit for packets coming from R6 towards R5, because of the higher local-preference of 400 from R3 compared to 300 from R4.
We need R1 not to prefer the R3 exit, to meet the requirement that traffic from R6 takes the path R6>R1>R4>R5.
So R3 tags every route it learns from R5 with community 1234:5. The tag travels R3>R2>R1 because send-community is configured on R3 toward 2.2.2.2 and on R2 toward 1.1.1.1. When the updates reach R1, R1 matches them on community 1234:5 and lowers the local-preference to 200, which no longer beats the 300 of the path learned from R4. Because the change is made inbound on R1 only, R2 still sees 400 from R3 and keeps the R7>R2>R3>R5 return path from the previous scenario.

R3 configuration

router bgp 1234
neighbor 2.2.2.2 send-community
neighbor 192.168.35.5 route-map lp in
!
route-map lp permit 10
set local-preference 400
set community 1234:5

R2 configuration

router bgp 1234
neighbor 1.1.1.1 send-community

R1 configuration

router bgp 1234
neighbor 2.2.2.2 route-map lower-lp in
!
route-map lower-lp permit 10
match community 1234:5
set local-preference 200
!
route-map lower-lp permit 100
!
ip community-list standard 1234:5 permit 1234:5

Verification

R1#show ip bgp 5.5.5.5
BGP routing table entry for 5.5.5.5/32, version 32
Paths: (2 available, best #2, table Default-IP-Routing-Table)
  Advertised to update-groups:
     1          2
  5
    192.168.35.5 (metric 20) from 2.2.2.2 (2.2.2.21)
      Origin IGP, metric 0, localpref 200, valid, internal
      Community: 1234:5
      Originator: 3.3.3.3, Cluster list: 2.2.2.21
  5, (Received from a RR-client)
    192.168.45.5 (metric 20) from 4.4.4.4 (4.4.4.4)
      Origin IGP, metric 0, localpref 300, valid, internal, best
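To check the policy logic of this lab without the routers, here is an added example, not code from the page, that models the IOS as-path access-lists, community-lists and route-map clauses from the R1, R3 and R4 configurations in Python and replays Scenarios 1, 3, 4 and 5: which prefixes route-map domestic lets through to R4, which prefixes domestic+local lets through to R5, and which path R2 and R1 each choose for 5.5.5.5/32 once the local-preference values 400, 300 and 200 are applied. The Path class, the route-map tables, the helper names and the BGP tables inside it are this example's own constructions; it assumes communities are carried between the routers as configured with send-community, and it implements only the local-preference, AS-path length and eBGP-over-iBGP steps of best-path selection.

```python
# Added example, not code from the page: a Python model of IOS as-path
# access-lists, community-lists, route-maps and local-preference selection.
import re
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Path:
    prefix: str
    next_hop: str
    as_path: tuple = ()                   # () = originated inside AS 1234
    local_pref: int = 100                 # IOS default
    communities: frozenset = frozenset()
    internal: bool = True                 # learned via iBGP (True) or eBGP

def as_path_permits(acl, path):
    """Ordered (action, regex) entries; implicit deny when nothing matches."""
    text = " ".join(str(asn) for asn in path.as_path)
    for action, pattern in acl:
        # IOS '_' matches space, comma, brace, parenthesis or start/end of path
        if re.search(pattern.replace("_", r"(?:^|$|[ ,{}()])"), text):
            return action == "permit"
    return False

# ip as-path access-lists from the R1 and R3 configurations
R1_ASPATH = {1: [("deny", "^$"), ("permit", ".*")],   # every non-local path
             2: [("permit", "^7_")]}                   # paths from AS 7
R3_ASPATH = {1: [("permit", "^$")]}                    # locally originated only

# match and set statements as callables taking a Path
def match_as_path(table, number):
    return lambda p: as_path_permits(table[number], p)
def match_community(value):              # ip community-list standard <value>
    return lambda p: value in p.communities
def set_local_pref(value):
    return lambda p: replace(p, local_pref=value)
def set_community(value):
    return lambda p: replace(p, communities=p.communities | {value})

def apply_route_map(route_map, path):
    """First matching clause wins: permit applies its sets, deny drops the
    path, and falling off the end is the implicit deny (None)."""
    for action, matches, sets in route_map:
        if all(m(path) for m in matches):
            if action != "permit":
                return None
            for s in sets:
                path = s(path)
            return path
    return None

DOMESTIC = [                                        # R1, out to R4
    ("permit", [match_as_path(R1_ASPATH, 2)], []),  # seq 10: AS 7 routes
    ("deny", [match_as_path(R1_ASPATH, 1)], []),    # seq 20: other external
    ("permit", [], []),                             # seq 100: local routes
]
LOWER_LP = [                                        # R1, in from R2
    ("permit", [match_community("1234:5")], [set_local_pref(200)]),
    ("permit", [], []),
]
LP_R3 = [("permit", [], [set_local_pref(400), set_community("1234:5")])]
LP_R4 = [("permit", [], [set_local_pref(300)])]
DOMESTIC_LOCAL = [                                  # R3, out to R5
    ("permit", [match_community("1234:7")], []),
    ("permit", [match_as_path(R3_ASPATH, 1)], []),
]

def best_path(paths):
    """Decision steps that matter here: local-pref, AS-path length, eBGP first."""
    return max(paths, key=lambda p: (p.local_pref, -len(p.as_path), not p.internal))

# Constructed iBGP view inside AS 1234 before any outbound policy
AS1234_TABLE = [
    Path("1.1.1.11/32", "1.1.1.1"),
    Path("2.2.2.21/32", "2.2.2.2"),
    Path("5.5.5.5/32", "192.168.35.5", as_path=(5,)),
    Path("6.6.6.6/32", "192.168.16.6", as_path=(6,)),
    Path("7.7.7.7/32", "192.168.27.7", as_path=(7,), communities=frozenset({"1234:7"})),
]
FROM_R5 = Path("5.5.5.5/32", "", as_path=(5,), internal=False)

def scenario1_r4_receives():            # R1's as-path filter toward R4
    return sorted(p.prefix for p in AS1234_TABLE if apply_route_map(DOMESTIC, p))

def scenario3_r5_receives_from_r3():    # R3's community + local filter
    return sorted(p.prefix for p in AS1234_TABLE if apply_route_map(DOMESTIC_LOCAL, p))

def r5_prefix_inside_as1234():
    """5.5.5.5/32 after R3's and R4's inbound policies, seen as iBGP paths."""
    via_r3 = apply_route_map(LP_R3, replace(FROM_R5, next_hop="192.168.35.5"))
    via_r4 = apply_route_map(LP_R4, replace(FROM_R5, next_hop="192.168.45.5"))
    return replace(via_r3, internal=True), replace(via_r4, internal=True)

def scenario4_r2_best():                # R2: local-pref 400 via R3 wins
    return best_path(list(r5_prefix_inside_as1234())).next_hop

def scenario5_r1_best():                # R1: tagged path lowered to 200
    via_r3, via_r4 = r5_prefix_inside_as1234()
    return best_path([apply_route_map(LOWER_LP, via_r3), via_r4]).next_hop
```

Both filters end up advertising the same three prefixes (1.1.1.11/32, 2.2.2.21/32 and 7.7.7.7/32) while dropping 6.6.6.6/32 and the externally learned 5.5.5.5/32, but by different mechanisms: R1 recognises the AS 7 routes by AS-path regex, R3 by the 1234:7 community that R2 attached. For 5.5.5.5/32 the model returns 192.168.35.5 (via R3) as R2's best path and 192.168.45.5 (via R4) as R1's, matching the two show ip bgp outputs above.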


Monday 1 October 2012

IPv6 Tunnels


Automatic 6to4 Tunnel

Tunnel format

2002 (16 bits) + IPv4 address (32 bits) + Subnet (16 bits) + Interface ID (64 bits)

The first 16 bits of a 6to4 address are always 2002, i.e. every 6to4 site lives under 2002::/16.
The tunnel is point-to-multipoint in nature: one Tunnel interface reaches every other 6to4 router.
The IPv4 address is written in hex, one byte per pair of hex digits, for example 1.1.1.1 = 0101:0101, so R1's 6to4 prefix is 2002:101:101::/48.
When a packet is routed through the tunnel, the router reads the IPv4 address out of bits 16 to 47 of the IPv6 destination and uses it as the IPv4 destination of the encapsulating packet, which is why the static route 2002::/16 Tunnel0 below needs no next hop.
Nothing in the encapsulation authenticates the peer: the tunnel endpoint will decapsulate IPv6-in-IPv4 from any IPv4 source, so a 6to4 router exposed beyond a lab should apply the checks from RFC 3964, in particular that the embedded IPv4 address of the inner source matches the outer IPv4 source and is not a private or reserved address.

R1 Config

interface Loopback0
 ip address 1.1.1.1 255.255.255.255
 ipv6 address 2002:101:101:1::1/64
!
interface Tunnel0
 ipv6 address 2002:101:101::1/64
 tunnel source Loopback0
 tunnel mode ipv6ip 6to4
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
!
router ospf 1
 log-adjacency-changes
 network 1.1.1.1 0.0.0.0 area 0
 network 192.168.12.1 0.0.0.0 area 0
!
ipv6 route 2002::/16 Tunnel0

R2 Config

interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.23.2 255.255.255.0
!
router ospf 1
 log-adjacency-changes
 network 2.2.2.2 0.0.0.0 area 0
 network 192.168.12.2 0.0.0.0 area 0
 network 192.168.23.2 0.0.0.0 area 0

R3 Config

interface Loopback0
 ip address 3.3.3.3 255.255.255.255
 ipv6 address 2002:303:303:3::3/64
!
interface Tunnel0
 ipv6 address 2002:303:303::3/64
 tunnel source Loopback0
 tunnel mode ipv6ip 6to4
!
interface FastEthernet0/0
 ip address 192.168.23.3 255.255.255.0
!
router ospf 1
 log-adjacency-changes
 network 3.3.3.3 0.0.0.0 area 0
 network 192.168.23.3 0.0.0.0 area 0
!
ipv6 route 2002::/16 Tunnel0

Verification

R1#show ipv6 route

S   2002::/16 [1/0]
     via ::, Tunnel0
C   2002:101:101::/64 [0/0]
     via ::, Tunnel0
L   2002:101:101::1/128 [0/0]
     via ::, Tunnel0
C   2002:101:101:1::/64 [0/0]
     via ::, Loopback0
L   2002:101:101:1::1/128 [0/0]
     via ::, Loopback0
L   FE80::/10 [0/0]
     via ::, Null0
L   FF00::/8 [0/0]
     via ::, Null0

R1#ping 2002:0303:0303:3::3 source loopback 0
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/43/60 ms


-----------------------------------------------------------------------------------------------------

ISATAP Tunnel

Tunnel format

Prefix (64 bits) + 0000 (16 bits) + 5EFE (16 bits) + IPv4 address (32 bits)

The interface ID is generated by ipv6 address ... eui-64 on an ISATAP tunnel interface: 0000:5EFE followed by the tunnel source IPv4 address in hex (RFC 5214 uses 0200:5EFE instead, with the u bit set, when the IPv4 address is known to be globally unique; the IOS output below shows the 0000 form). Like 6to4, the tunnel is point-to-multipoint and the router takes the IPv4 destination from the low 32 bits of the IPv6 next hop, which is why the static routes below point at the peer's ISATAP address (2001:13::5EFE: followed by the peer's IPv4 address in hex) and not at Tunnel1 itself.
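Both automatic tunnel types encode the IPv4 tunnel endpoint inside the IPv6 address, which is what lets a single point-to-multipoint Tunnel interface serve every peer. The following added example, not code from the page, does that address arithmetic in Python with the lab's addresses: it builds 6to4 and ISATAP addresses from an IPv4 endpoint, recovers the IPv4 endpoint a router extracts from a 6to4 destination or an ISATAP next hop, and applies the RFC 3964 sanity checks a 6to4 router should perform on a received packet. The function and constant names are this example's own.

```python
# Added example, not code from the page: the address arithmetic behind the
# 6to4 and ISATAP tunnels above, plus the RFC 3964 checks for 6to4.
import ipaddress

SIXTO4 = ipaddress.IPv6Network("2002::/16")
ISATAP_TAGS = (0x00005EFE, 0x02005EFE)   # upper 32 bits of an ISATAP interface ID

def sixto4_address(ipv4, subnet=0, iid=0):
    """2002 (16) | IPv4 (32) | subnet (16) | interface ID (64), RFC 3056."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address((0x2002 << 112) | (v4 << 80) | (subnet << 64) | iid)

def isatap_address(prefix, ipv4, globally_unique=False):
    """prefix (64) | 0000 or 0200 (16) | 5EFE (16) | IPv4 (32), RFC 5214.
    RFC 5214 sets the u bit (0200) for a globally unique IPv4 address; the
    lab's IOS output shows the 0000 form, which is the default here."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 prefix")
    tag = ISATAP_TAGS[1] if globally_unique else ISATAP_TAGS[0]
    iid = (tag << 32) | int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(net.network_address) | iid)

def tunnel_endpoint(ipv6):
    """IPv4 address a 6to4 or ISATAP router encapsulates toward, taken from
    the IPv6 destination (6to4) or next hop (ISATAP).  Returns (kind, IPv4)."""
    addr = ipaddress.IPv6Address(ipv6)
    n = int(addr)
    if addr in SIXTO4:                              # bits 16..47
        return "6to4", ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF)
    iid = n & ((1 << 64) - 1)
    if (iid >> 32) in ISATAP_TAGS:                  # low 32 bits
        return "isatap", ipaddress.IPv4Address(iid & 0xFFFFFFFF)
    raise ValueError(f"{addr}: not a 6to4 or ISATAP address")

def sixto4_decap_ok(outer_src_v4, inner_src_v6):
    """RFC 3964 checks a 6to4 router should make on a received packet: the
    inner IPv6 source must be a 6to4 address, its embedded IPv4 must equal
    the outer IPv4 source, and that IPv4 must be global unicast (not private,
    loopback, link-local, multicast or reserved).  Nothing in the encapsulation
    itself authenticates the peer, so these checks are what stops a spoofed
    IPv6 source from being injected through the tunnel."""
    src6 = ipaddress.IPv6Address(inner_src_v6)
    if src6 not in SIXTO4:
        return False
    _, embedded = tunnel_endpoint(src6)
    outer = ipaddress.IPv4Address(outer_src_v4)
    return embedded == outer and outer.is_global and not outer.is_multicast
```

With the lab's addresses, sixto4_address("1.1.1.1", 1, 1) gives R1's loopback address 2002:101:101:1::1, isatap_address("2001:13::/64", "3.3.3.3") gives R3's tunnel address 2001:13::5efe:303:303, and tunnel_endpoint on either R3 address returns 3.3.3.3, the IPv4 address R1 actually sends the encapsulated packet to.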

R1 Config

interface Loopback1
 ipv6 address 2001:1::1/64
!
interface Tunnel1
 no ip address
 no ip redirects
 ipv6 address 2001:13::/64 eui-64
 tunnel source Loopback0
 tunnel mode ipv6ip isatap
!
ipv6 route 2001:3::/64 2001:13::5EFE:303:303


R3 Config

interface Loopback1
 ipv6 address 2001:3::3/64
!
interface Tunnel1
 no ip address
 no ip redirects
 ipv6 address 2001:13::/64 eui-64
 tunnel source Loopback0
 tunnel mode ipv6ip isatap
!
ipv6 route 2001:1::/64 2001:13::5EFE:101:101

Verification


R1#show ipv6 interface brief | in Tunnel1

  Tunnel1                    [up/up]
    FE80::5EFE:101:101
    2001:13::5EFE:101:101


R3#show ipv6 interface brief | in Tunnel1

Tunnel1                    [up/up]
    FE80::5EFE:303:303
    2001:13::5EFE:303:303


R1#show ipv6 route | in 2001:3

S   2001:3::/64 [1/0]
     via 2001:13::5EFE:303:303

R1#ping 2001:3::3 source loopback 1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/36/48 ms