Posts Tagged ‘BGP’

Mitigating Source Specific DoS Attack Using Remotely Triggered BlackHole

January 28, 2011

The Remotely Triggered Black Hole (RTBH) method is usually used to deal with DDoS attacks that have a specific destination. When we combine it with the Unicast Reverse Path Forwarding (uRPF) feature, we can also drop DoS traffic based on its source IP.

Here is the lab scenario used to simulate that method (we are using Cisco routers):

To simulate the attacker, we use a loopback interface on router INET. INET has two connections to AS 65000 (the Service Provider). In this scenario we prefer GW1 as the primary path for outgoing traffic to the Service Provider network. Here is the relevant configuration of INET:

hostname INET
!
interface Loopback0
ip address 100.100.1.1 255.255.255.0
no ip directed-broadcast
!
interface Loopback1
ip address 200.200.1.1 255.255.255.0
no ip directed-broadcast
!
interface FastEthernet1/0
ip address 172.16.0.1 255.255.255.0
no ip directed-broadcast
duplex full
speed 100
!
interface FastEthernet1/1
ip address 172.16.1.1 255.255.255.0
no ip directed-broadcast
duplex full
speed 100
!
router bgp 65002
no synchronization
bgp log-neighbor-changes
network 100.100.1.0 mask 255.255.255.0
network 200.200.1.0
neighbor 172.16.0.2 remote-as 65000
neighbor 172.16.0.2 weight 65535
neighbor 172.16.1.2 remote-as 65000
neighbor 172.16.1.2 weight 32768
no auto-summary

For the Service Provider network we use four routers: GW1, GW2, RR and PE-1. RR acts as Route Reflector for the other routers and as the trigger router. They use OSPF as the IGP and BGP AS 65000. We also use BGP to trigger GW1 and GW2 into blackholing the attacker's traffic.

Here are the relevant configurations of all the Service Provider routers:

hostname GW1
!
ip cef
!
interface Loopback0
ip address 1.1.1.2 255.255.255.255
!
interface FastEthernet1/0
ip address 172.16.0.2 255.255.255.0
!
interface FastEthernet1/1
ip address 10.1.1.2 255.255.255.0
ip ospf priority 0
!
router ospf 1
router-id 1.1.1.2
log-adjacency-changes
network 1.1.1.2 0.0.0.0 area 0
network 10.1.1.2 0.0.0.0 area 0
!
router bgp 65000
no synchronization
bgp router-id 1.1.1.2
bgp log-neighbor-changes
redistribute connected route-map TO-INET
neighbor 1.1.1.1 remote-as 65000
neighbor 1.1.1.1 update-source Loopback0
neighbor 172.16.0.1 remote-as 65002
no auto-summary
!
access-list 1 permit 172.16.0.0
!
route-map TO-INET permit 10
match ip address 1

hostname GW2
ip cef
interface Loopback0
ip address 1.1.1.3 255.255.255.255
!
interface FastEthernet1/0
ip address 172.16.1.2 255.255.255.0
!
interface FastEthernet1/1
ip address 10.1.1.3 255.255.255.0
ip ospf priority 50
!
router ospf 1
router-id 1.1.1.3
log-adjacency-changes
network 1.1.1.3 0.0.0.0 area 0
network 10.1.1.3 0.0.0.0 area 0
!
router bgp 65000
no synchronization
bgp router-id 1.1.1.3
bgp log-neighbor-changes
redistribute connected route-map INET-EDGE
neighbor 1.1.1.1 remote-as 65000
neighbor 1.1.1.1 update-source Loopback0
neighbor 172.16.1.1 remote-as 65002
no auto-summary
!
access-list 1 permit 172.16.1.0
!
route-map INET-EDGE permit 10
match ip address 1

hostname PE-1
!
interface Loopback0
ip address 1.1.1.4 255.255.255.255
!
interface FastEthernet1/0
ip address 10.1.1.4 255.255.255.0
ip ospf priority 0
!
interface FastEthernet1/1
ip address 192.168.0.2 255.255.255.0
!
router ospf 1
router-id 1.1.1.4
log-adjacency-changes
network 1.1.1.4 0.0.0.0 area 0
network 10.1.1.4 0.0.0.0 area 0
!
router bgp 65000
no synchronization
bgp router-id 1.1.1.4
bgp log-neighbor-changes
redistribute connected route-map TO-CE1
neighbor 1.1.1.1 remote-as 65000
neighbor 1.1.1.1 update-source Loopback0
neighbor 192.168.0.1 remote-as 65001
neighbor 192.168.0.1 default-originate
no auto-summary
!
access-list 1 permit 192.168.0.0
route-map TO-CE1 permit 10
match ip address 1

hostname RR
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet1/0
ip address 10.1.1.1 255.255.255.0
ip ospf priority 100
!
router ospf 1
router-id 1.1.1.1
log-adjacency-changes
network 1.1.1.1 0.0.0.0 area 0
network 10.1.1.1 0.0.0.0 area 0
!
router bgp 65000
no synchronization
bgp router-id 1.1.1.1
bgp log-neighbor-changes
neighbor 1.1.1.2 remote-as 65000
neighbor 1.1.1.2 update-source Loopback0
neighbor 1.1.1.2 route-reflector-client
neighbor 1.1.1.2 send-community both
neighbor 1.1.1.3 remote-as 65000
neighbor 1.1.1.3 update-source Loopback0
neighbor 1.1.1.3 route-reflector-client
neighbor 1.1.1.3 send-community both
neighbor 1.1.1.4 remote-as 65000
neighbor 1.1.1.4 update-source Loopback0
neighbor 1.1.1.4 route-reflector-client
neighbor 1.1.1.4 send-community both
no auto-summary

And to simulate the victim network, we use loopback interfaces on CE-1. Here is its relevant configuration:

hostname CE-1
!
interface Loopback0
ip address 9.9.9.9 255.255.255.0
!
interface Loopback1
ip address 8.8.8.8 255.255.255.0
!
interface FastEthernet1/0
ip address 192.168.0.1 255.255.255.0
!
router bgp 65001
no synchronization
bgp log-neighbor-changes
network 8.8.8.0 mask 255.255.255.0
network 9.9.9.0 mask 255.255.255.0
neighbor 192.168.0.2 remote-as 65000
no auto-summary

In our scenario, host 100.100.1.1/32 is the DoS source.

After all BGP speakers in the Service Provider network have formed their adjacencies, we create on GW1 and GW2 the IP next-hop that every DoS source will be pointed at, so we can manipulate the source route and have its traffic dropped at the Null0 interface. Usually we use a non-allocated IP address for this, for example one from 192.0.2.0/24 (TEST-NET).

GW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
GW1(config)#ip route 192.0.2.1 255.255.255.255 Null0 tag 101
GW1(config)#route-map TEST-NET permit 10
GW1(config-route-map)#match tag 101
GW1(config-route-map)#set community no-export
GW1(config-route-map)#router bgp 65000
GW1(config-router)#redistribute static route-map TEST-NET
GW1(config-router)#^Z

GW2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
GW2(config)#ip route 192.0.2.1 255.255.255.255 Null0 tag 101
GW2(config)#route-map TEST-NET permit 10
GW2(config-route-map)#match tag 101
GW2(config-route-map)#set community no-export
GW2(config-route-map)#router bgp 65000
GW2(config-router)#redistribute static route-map TEST-NET
GW2(config-router)#^Z


RR#sh ip bgp 192.0.2.1
BGP routing table entry for 192.0.2.1/32, version 37
Paths: (2 available, best #1, not advertised to EBGP peer)
Flag: 0x880
Advertised to update-groups:
1
Local, (Received from a RR-client)
1.1.1.2 (metric 2) from 1.1.1.2 (1.1.1.2)
Origin incomplete, metric 0, localpref 100, valid, internal, best
Community: no-export
Local, (Received from a RR-client)
1.1.1.3 (metric 2) from 1.1.1.3 (1.1.1.3)
Origin incomplete, metric 0, localpref 100, valid, internal
Community: no-export

Note that we attach the community no-export to the 192.0.2.1/32 route, to prevent the Service Provider routers from advertising it to neighboring ASes.

After that, still on GW1 and GW2, we enable the Unicast RPF feature on the edge interfaces. In this scenario we use the "ip verify unicast source reachable-via any" command (loose mode), which checks incoming traffic based on its source address; loose mode is needed because we have two gateway routers, so the incoming and outgoing traffic can be asymmetric and does not have to use the same edge interface.

GW1(config)#int f1/0
GW1(config-if)#ip verify unicast source reachable-via any
GW1(config-if)#^Z

GW2(config)#int f1/0
GW2(config-if)#ip verify unicast source reachable-via any
GW2(config-if)#^Z

Now we prepare the blackhole trigger configuration on RR. Here too we must add the community no-export to the manipulated route.

RR#conf t
Enter configuration commands, one per line. End with CNTL/Z.
RR(config)#route-map TRIGGER permit 10
RR(config-route-map)#match tag 99
RR(config-route-map)#set community no-export
RR(config-route-map)#set ip next-hop 192.0.2.1
RR(config-route-map)#router bgp 65000
RR(config-router)#redistribute static route-map TRIGGER
RR(config-router)#^Z

Note that we use 192.0.2.1/32 as the IP next-hop for the DoS source route.

Now, let's try to send packets to host 9.9.9.9 from host 100.100.1.1.

INET#ping
Protocol [ip]:
Target IP address: 9.9.9.9
Repeat count [5]: 10000
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 100.100.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 10000, 100-byte ICMP Echos to 9.9.9.9, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

GW1#sh ip bgp
BGP table version is 27, local router ID is 1.1.1.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i8.8.8.0/24       192.168.0.1              0    100      0 65001 i
*>i9.9.9.0/24       192.168.0.1              0    100      0 65001 i
*> 100.100.1.0/24   172.16.0.1               0             0 65002 i
*> 172.16.0.0/24    0.0.0.0                  0         32768 ?
*>i172.16.1.0/24    1.1.1.3                  0    100      0 ?
*> 192.0.2.1/32     0.0.0.0                  0         32768 ?
*>i192.168.0.0      1.1.1.4                  0    100      0 ?
*> 200.200.1.0      172.16.0.1               0             0 65002 i

GW1#sh ip bgp 100.100.1.1
BGP routing table entry for 100.100.1.0/24, version 17
Paths: (1 available, best #1)
Advertised to update-groups:
2
65002
172.16.0.1 from 172.16.0.1 (200.200.1.1)
Origin IGP, metric 0, localpref 100, valid, external, best
GW1#
GW1#sh ip route 100.100.1.1
Routing entry for 100.100.1.0/24
Known via "bgp 65000", distance 20, metric 0
Tag 65002, type external
Last update from 172.16.0.1 04:16:53 ago
Routing Descriptor Blocks:
* 172.16.0.1, from 172.16.0.1, 04:16:53 ago
Route metric is 0, traffic share count is 1
AS Hops 1, BGP network version 0
Route tag 65002
GW1#debug ip packet 123
IP packet debugging is on for access list 123
01:13:34: IP: tableid=0, s=100.100.1.1 (FastEthernet1/0), d=9.9.9.9 (FastEthernet1/1), routed via FIB
01:13:34: IP: s=100.100.1.1 (FastEthernet1/0), d=9.9.9.9 (FastEthernet1/1), g=10.1.1.4, len 100, forward

Now, let's assume that host 100.100.1.1 has sent DoS traffic to some host in the AS 65000 customer network, so we want to drop all traffic coming from host 100.100.1.1.

On RR (which acts as the Black Hole trigger router), we add a static route for 100.100.1.1/32 with tag 99. RR then advertises that route via BGP with IP next-hop 192.0.2.1/32, which on GW1 and GW2 resolves to Null0.

RR#conf t
Enter configuration commands, one per line. End with CNTL/Z.
RR(config)#ip route 100.100.1.1 255.255.255.255 null0 tag 99
RR(config)#^Z
RR#

GW1#sh ip bgp
BGP table version is 26, local router ID is 1.1.1.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i8.8.8.0/24       192.168.0.1              0    100      0 65001 i
*>i9.9.9.0/24       192.168.0.1              0    100      0 65001 i
*> 100.100.1.0/24   172.16.0.1               0             0 65002 i
*>i100.100.1.1/32   192.0.2.1                0    100      0 ?
*> 172.16.0.0/24    0.0.0.0                  0         32768 ?
*>i172.16.1.0/24    1.1.1.3                  0    100      0 ?
*> 192.0.2.1/32     0.0.0.0                  0         32768 ?
*>i192.168.0.0      1.1.1.4                  0    100      0 ?
*> 200.200.1.0      172.16.0.1               0             0 65002 i
GW1#
GW1#
GW1#sh ip bgp 100.100.1.1
BGP routing table entry for 100.100.1.1/32, version 33
Paths: (1 available, best #1, not advertised to EBGP peer)
Not advertised to any peer
Local
192.0.2.1 from 1.1.1.1 (1.1.1.1)
Origin incomplete, metric 0, localpref 100, valid, internal, best
Community: no-export
GW1#sh ip route 100.100.1.1
Routing entry for 100.100.1.1/32
Known via "bgp 65000", distance 200, metric 0, type internal
Last update from 192.0.2.1 03:09:15 ago
Routing Descriptor Blocks:
* 192.0.2.1, from 1.1.1.1, 03:09:15 ago
Route metric is 0, traffic share count is 1
AS Hops 0, BGP network version 0

GW1#sh ip route 192.0.2.1
Routing entry for 192.0.2.1/32
Known via "static", distance 1, metric 0 (connected)
Tag 101
Redistributing via bgp 65000
Advertised by bgp 65000 route-map TEST-NET
Routing Descriptor Blocks:
* directly connected, via Null0
Route metric is 0, traffic share count is 1
Route tag 101

INET#ping
Protocol [ip]:
Target IP address: 9.9.9.9
Repeat count [5]: 10000
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 100.100.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 10000, 100-byte ICMP Echos to 9.9.9.9, timeout is 2 seconds:
....................................

GW1#debug ip packet 123
IP packet debugging is on for access list 123
GW1#
01:09:09: IP: s=100.100.1.1 (FastEthernet1/0), d=9.9.9.9, len 100, unicast rpf failed
01:09:11: IP: s=100.100.1.1 (FastEthernet1/0), d=9.9.9.9, len 100, unicast rpf failed

On the gateway router (in this case GW1, because INET prefers it), the source IP of each incoming packet is checked by the Unicast RPF feature, which looks up the reverse path (the route to the source IP, here 100.100.1.1/32) in the routing table. Because the route to 100.100.1.1/32 resolves to the Null0 interface, the packet is dropped.

So after the blackhole route is triggered, the DoS traffic is dropped at the gateway router before it reaches the customer. This is more effective than the access-list method, which is more CPU-intensive.
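The mechanism described above, as an added example that is not part of the original post: a small model of GW1's routing table with longest-prefix matching and recursive next-hop resolution, a loose-mode uRPF check, and the trigger that injects the /32 with next-hop 192.0.2.1. Addresses and interface names follow the lab; the RoutingTable/Route classes and all function names are assumptions of this example.

```python
"""Source-based RTBH with loose-mode uRPF, simulated on GW1's routing table.
Added example (not from the post): addresses and interface names follow the lab;
the RoutingTable/Route classes and function names are assumptions of this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

NULL0 = "Null0"


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str            # an IPv4 address (recursive route) or an egress interface name
    tag: Optional[int] = None


class RoutingTable:
    def __init__(self):
        self.routes = []

    def add(self, prefix, next_hop, tag=None):
        self.routes.append(Route(ipaddress.ip_network(prefix), next_hop, tag))

    def remove(self, prefix):
        net = ipaddress.ip_network(prefix)
        self.routes = [r for r in self.routes if r.prefix != net]

    def lookup(self, addr):
        """Longest-prefix match, what `show ip route <addr>` does."""
        a = ipaddress.ip_address(addr)
        best = None
        for r in self.routes:
            if a in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best

    def resolve(self, addr, max_depth=8):
        """Follow recursive next-hops until an interface is reached (None if unroutable)."""
        route = self.lookup(addr)
        for _ in range(max_depth):
            if route is None:
                return None
            try:
                ipaddress.ip_address(route.next_hop)
            except ValueError:
                return route.next_hop        # interface name: Null0, FastEthernet1/1, ...
            route = self.lookup(route.next_hop)
        return None


def urpf_loose_check(rib, src):
    """`ip verify unicast source reachable-via any`: the source must have a route,
    and that route must not resolve to Null0 (a route via Null0 fails the check)."""
    egress = rib.resolve(src)
    return egress is not None and egress != NULL0


def forwarding_decision(rib, src, dst):
    """What the debug output shows: 'unicast rpf failed' or forward via an interface."""
    if not urpf_loose_check(rib, src):
        return "unicast rpf failed"
    egress = rib.resolve(dst)
    return f"forward via {egress}" if egress else "unroutable"


def build_gw1_rib():
    """GW1's table before the trigger, reconstructed from the lab (constructed data)."""
    rib = RoutingTable()
    rib.add("192.0.2.1/32", NULL0, tag=101)       # discard next-hop, redistributed with no-export
    rib.add("172.16.0.0/24", "FastEthernet1/0")   # connected link to INET (AS 65002)
    rib.add("10.1.1.0/24", "FastEthernet1/1")     # connected core link
    rib.add("1.1.1.4/32", "10.1.1.4")             # OSPF: PE-1 loopback
    rib.add("192.168.0.0/24", "1.1.1.4")          # iBGP from PE-1, next-hop PE-1 loopback
    rib.add("9.9.9.0/24", "192.168.0.1")          # iBGP, next-hop CE-1 (resolves via PE-1)
    rib.add("100.100.1.0/24", "172.16.0.1")       # eBGP from INET: the attacker's /24
    return rib


def trigger_blackhole(rib, source):
    """RR's `ip route <source> 255.255.255.255 null0 tag 99` reaches GW1 as an iBGP /32
    whose next-hop 192.0.2.1 recursively resolves to Null0."""
    rib.add(f"{source}/32", "192.0.2.1")


def withdraw_blackhole(rib, source):
    """Removing the static route on RR withdraws the /32 again."""
    rib.remove(f"{source}/32")
```

Because the blackhole is a /32, only the triggered host fails the check; its neighbours in 100.100.1.0/24 are still forwarded, which is what makes this more precise than blackholing the whole customer prefix.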

Securing MP-EBGP VPNv4 for Inter-AS MPLS VPN

February 21, 2009

1. Securing Inter-AS interfaces

  • Permit only BGP traffic, because all other traffic that traverses the link between the ASBRs is labelled (MPLS) traffic, not plain IP.
  • Apply the ACL inbound and outbound, and log the denied traffic for further investigation.

interface FastEthernet0/0
ip address 172.16.0.2 255.255.255.252
ip access-group ASBR-IN in
ip access-group ASBR-OUT out
!
ip access-list extended ASBR-IN
permit tcp any any eq bgp
permit tcp any eq bgp any
deny ip any any log
!
ip access-list extended ASBR-OUT
permit tcp any eq bgp any
permit tcp any any eq bgp
deny ip any any log
!

  • See the example capture of IPv4 and labelled traffic between the ASBR routers below. Note that the only plain IPv4 traffic is the BGP session; the remaining traffic (telnet or ICMP) is labelled.

[figure: interas-mpls-ethereal]

2. Securing MP-EBGP Peering Session

  • Use BGP MD5 Authentication to ensure that the BGP peer is the legitimate neighbor.

neighbor 172.16.0.1 password 7 011A08105E19071C

  • Use BGP TTL security with a hop count of 1, since the BGP peering session between the ASBRs normally runs over a back-to-back link.

neighbor 172.16.0.1 ttl-security hops 1

  • The two ASBRs do not exchange IPv4 routes (the only IPv4 traffic between them is the BGP session itself), so we must turn off the default IPv4 BGP address family.

no bgp default ipv4-unicast

  • Use BGP dampening to protect the ASBR CPU from frequently flapping routes.

bgp dampening

  • Filter the Route-Targets: only allow the Route-Targets that need to extend across the AS boundary. Disable the BGP default RT filter so that VPNv4 routes are installed in the BGP VPNv4 table even though their Route-Target is not configured on the ASBR.

router bgp 100
no bgp default route-target filter
!
address-family vpnv4
neighbor 172.16.0.2 route-map ASBR in
exit-address-family
!
route-map ASBR permit 10
match extcommunity 101
!
ip extcommunity-list 101 permit RT:200:123+
ip extcommunity-list 101 permit RT:200:222+

  • Set the BGP maximum-prefix filter.

neighbor 172.16.0.2 maximum-prefix 100 80
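The checklist in sections 1 and 2 can be turned into a configuration audit. The following is an added example, not from the post: it parses an IOS-style configuration (the sample text is constructed for this example and reuses the post's addresses and AS numbers) and reports which of the listed items are missing on the external peer and the inter-AS interface. The parse and audit function names are assumptions.

```python
"""Audit an ASBR configuration against the MP-EBGP hardening items above.
Added example, not from the post: the config text is constructed (reusing the post's
addresses and AS numbers) and the function names are assumptions of this example.
"""
import re

# Constructed sample: MD5 and TTL security are present on the inter-AS peer, but the
# outbound ACL, the IPv4 address-family shutdown and maximum-prefix are missing.
SAMPLE_CONFIG = """\
hostname PE-ABC-ASBR
!
interface FastEthernet1/1
 ip address 172.16.0.1 255.255.255.252
 ip access-group ASBR-IN in
!
router bgp 100
 no bgp default route-target filter
 bgp dampening
 neighbor 10.10.127.1 remote-as 100
 neighbor 10.10.127.1 update-source Loopback0
 neighbor 172.16.0.2 remote-as 200
 neighbor 172.16.0.2 password 7 011A08105E19071C
 neighbor 172.16.0.2 ttl-security hops 1
 !
 address-family vpnv4
  neighbor 10.10.127.1 activate
  neighbor 172.16.0.2 activate
  neighbor 172.16.0.2 route-map ASBR in
 exit-address-family
!
"""

# The same config with the three missing items added (constructed).
HARDENED_CONFIG = (
    SAMPLE_CONFIG
    .replace(" ip access-group ASBR-IN in\n",
             " ip access-group ASBR-IN in\n ip access-group ASBR-OUT out\n")
    .replace(" bgp dampening\n", " bgp dampening\n no bgp default ipv4-unicast\n")
    .replace(" neighbor 172.16.0.2 ttl-security hops 1\n",
             " neighbor 172.16.0.2 ttl-security hops 1\n neighbor 172.16.0.2 maximum-prefix 100 80\n")
)


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from the interface blocks."""
    ifaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif raw and not raw[0].isspace():
            current = None               # any other top-level command ends the block
        elif current and line and line != "!":
            ifaces[current].append(line)
    return ifaces


def parse_bgp(config):
    """Return (local AS, set of global `router bgp` lines, {neighbor: [sub-commands]})."""
    local_as, global_lines, neighbors, in_bgp = None, set(), {}, False
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"router bgp (\d+)$", line)
        if m:
            local_as, in_bgp = int(m.group(1)), True
            continue
        if raw and not raw[0].isspace():
            in_bgp = False               # left the router bgp block
        if not in_bgp or not line or line == "!":
            continue
        m = re.match(r"neighbor (\S+) (.+)", line)
        if m:
            neighbors.setdefault(m.group(1), []).append(m.group(2))
        else:
            global_lines.add(line)       # address-family lines land here too; harmless
    return local_as, global_lines, neighbors


def audit_asbr(config, interas_interfaces=("FastEthernet1/1",)):
    """Return a list of findings; an empty list means every listed item is present."""
    findings = []
    ifaces = parse_interfaces(config)
    local_as, global_lines, neighbors = parse_bgp(config)
    for flag in ("no bgp default ipv4-unicast", "bgp dampening", "no bgp default route-target filter"):
        if flag not in global_lines:
            findings.append(f"router bgp {local_as}: missing '{flag}'")
    for peer, attrs in neighbors.items():
        remote = next((int(a.split()[1]) for a in attrs if a.startswith("remote-as ")), None)
        if remote is None or remote == local_as:
            continue                     # only external (inter-AS) peers are in scope
        if not any(a.startswith("password ") for a in attrs):
            findings.append(f"neighbor {peer}: no MD5 password")
        if "ttl-security hops 1" not in attrs:
            findings.append(f"neighbor {peer}: no 'ttl-security hops 1'")
        if not any(a.startswith("maximum-prefix ") for a in attrs):
            findings.append(f"neighbor {peer}: no maximum-prefix limit")
        if not any(a.startswith("route-map ") and a.endswith(" in") for a in attrs):
            findings.append(f"neighbor {peer}: no inbound route-map (route-target filter)")
    for name in interas_interfaces:
        for direction in ("in", "out"):
            if not any(l.startswith("ip access-group ") and l.endswith(f" {direction}")
                       for l in ifaces.get(name, [])):
                findings.append(f"interface {name}: missing 'ip access-group ... {direction}'")
    return findings
```

Running `audit_asbr(SAMPLE_CONFIG)` lists the three gaps; `audit_asbr(HARDENED_CONFIG)` returns an empty list. The iBGP neighbor is skipped on purpose: the post's TTL-security and MD5 items target the inter-AS session.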

3. General Router Security

  • AAA authentication
  • SSH access for management
  • Access-class on the VTY lines
  • Read-only SNMP restricted by an ACL
  • Use NTP, and disable NTP on interfaces where it is not appropriate
  • Enable CoPP if necessary
  • Specific and strict ACL on the inter-AS interface
  • Enable security services:
  1. service password-encryption
  2. service timestamps for debug and logging
  3. logging buffered
  • Disable small services:
  1. Disable udp-small-servers (echo, discard)
  2. Disable tcp-small-servers
  3. Disable the finger service
  4. Disable the pad service
  5. Disable the unused bootp service
  6. Disable CDP
  7. Disable ICMP unreachables on all interfaces, including Null0
  8. Disable IP source-route options
  9. Disable proxy-arp per interface
  10. Disable directed-broadcast per interface
  11. Disable ICMP mask-reply per interface
  12. Disable the HTTP service
  13. Disable the ident service

Inter-AS MPLS VPN using MP-EBGP VPNv4

February 16, 2009

There is a requirement from a company that wants to connect its sites, which are attached to different ISPs' MPLS VPNs. To fulfill it, the two ISPs need to interconnect their MPLS autonomous systems. For this purpose we can use one of the methods below:

  • Back to back VRF
  • VPNv4 MP-EBGP
  • VPNv4 MP-EBGP between RR

The easiest method, and the one with the least security impact, is the back-to-back VRF connection, but it is not scalable. VPNv4 MP-EBGP, with or without an RR as ASBR, is more scalable but needs much deeper security consideration.

In this article we will not discuss how to secure the inter-AS MPLS connection (I hope to cover it in the next article). We just highlight the mandatory configuration between the two ASBRs to provide the inter-AS MPLS connection.

Here is the connection diagram:

[figure: interas-mpls]

Here is the important configuration on PE-ABC-1 and PE-XYZ-1 for the interface and the VRF. As an example we use VRF Company. We don't use CE routers; instead, loopback interfaces on the PEs act as the interfaces facing the CE router:

hostname PE-ABC-1
!
ip cef
ip vrf Company
rd 100:111
route-target export 100:111
route-target import 100:111
route-target import 200:222
!
!
interface Loopback0
ip address 10.10.127.1 255.255.255.255
no ip directed-broadcast
!
interface Loopback111
ip vrf forwarding Company
ip address 10.10.111.1 255.255.255.255
no ip directed-broadcast
!
interface FastEthernet1/1
ip address 10.10.12.1 255.255.255.0
no ip directed-broadcast
duplex half
speed auto
mpls label protocol ldp
tag-switching ip
!
router bgp 100
no synchronization
bgp router-id 10.10.127.1
bgp log-neighbor-changes
neighbor 10.10.127.3 remote-as 100
neighbor 10.10.127.3 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 10.10.127.3 activate
neighbor 10.10.127.3 send-community both
exit-address-family
!
address-family ipv4 vrf Company
redistribute connected
no synchronization
exit-address-family
!

hostname PE-XYZ-1
ip cef
ip vrf Company
rd 200:222
route-target export 200:222
route-target import 200:222
route-target import 100:111
!
interface Loopback0
ip address 100.100.127.3 255.255.255.255
no ip directed-broadcast
!
interface Loopback222
ip vrf forwarding Company
ip address 10.10.222.1 255.255.255.255
no ip directed-broadcast
!
interface FastEthernet1/0
ip address 100.100.23.3 255.255.255.0
no ip directed-broadcast
duplex half
speed auto
mpls label protocol ldp
tag-switching ip
!
router bgp 200
no synchronization
bgp router-id 100.100.127.3
bgp log-neighbor-changes
neighbor 100.100.127.1 remote-as 200
neighbor 100.100.127.1 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 100.100.127.1 activate
neighbor 100.100.127.1 send-community extended
exit-address-family
!
address-family ipv4 vrf Company
redistribute connected
no synchronization
exit-address-family
!

And here is the important configuration on the two PE-ASBRs for the MP-EBGP VPNv4 connection:

hostname PE-ABC-ASBR
!

ip cef
interface Loopback0
ip address 10.10.127.3 255.255.255.255
no ip directed-broadcast
!
interface FastEthernet1/0
ip address 10.10.23.3 255.255.255.0
no ip directed-broadcast
duplex half
speed auto
mpls label protocol ldp
tag-switching ip
!
interface FastEthernet1/1
ip address 172.16.0.1 255.255.255.252
no ip directed-broadcast
!
router bgp 100
no synchronization
bgp router-id 10.10.127.3
no bgp default route-target filter
bgp log-neighbor-changes
neighbor 10.10.127.1 remote-as 100
neighbor 10.10.127.1 update-source Loopback0
neighbor 172.16.0.2 remote-as 200
no auto-summary
!
address-family vpnv4
neighbor 10.10.127.1 activate
neighbor 10.10.127.1 send-community extended
neighbor 10.10.127.1 next-hop-self
neighbor 172.16.0.2 activate
neighbor 172.16.0.2 send-community extended
exit-address-family
!

hostname PE-XYZ-ASBR
ip cef
!
interface Loopback0
ip address 100.100.127.1 255.255.255.255
!
interface FastEthernet0/0
ip address 172.16.0.2 255.255.255.252
!
interface FastEthernet1/0
ip address 100.100.12.1 255.255.255.0
duplex auto
speed auto
mpls label protocol ldp
mpls ip
!
router bgp 200
no synchronization
bgp router-id 100.100.127.1
no bgp default route-target filter
bgp log-neighbor-changes
neighbor 100.100.127.3 remote-as 200
neighbor 100.100.127.3 update-source Loopback0
neighbor 172.16.0.1 remote-as 100
no auto-summary
!
address-family vpnv4
neighbor 100.100.127.3 activate
neighbor 100.100.127.3 send-community extended
neighbor 100.100.127.3 next-hop-self
neighbor 172.16.0.1 activate
neighbor 172.16.0.1 send-community extended
exit-address-family
!

Note that because we don't configure the VRF, RD and route-targets on the two PE-ASBRs, we need to turn off the BGP route-target filter so they can accept the VPNv4 routes; we use the "no bgp default route-target filter" command.
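The effect of the route-target filter on the ASBRs, which the note above and the "Filter the Route-Target" item of the securing article both describe, as an added example that is not part of either post: a small model of VPNv4 inbound processing along the path PE-ABC-1, PE-ABC-ASBR, PE-XYZ-ASBR, PE-XYZ-1. RDs, RTs, prefixes and router names are the lab's; the Vpnv4Route/BgpSpeaker classes and the propagate() function are assumptions of this example.

```python
"""Route-target import across the inter-AS path, replaying the lab above.
Added example, not from the post: RDs, RTs, prefixes and router names are the lab's;
the Vpnv4Route/BgpSpeaker classes and propagate() are assumptions of this example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str
    prefix: str
    route_targets: frozenset          # extended communities "RT:asn:nn" carried with the route


@dataclass
class BgpSpeaker:
    name: str
    vrf_imports: dict = field(default_factory=dict)   # vrf name -> set of import RTs
    default_rt_filter: bool = True    # IOS default: drop VPNv4 routes that no local VRF imports
    table: list = field(default_factory=list)         # the BGP VPNv4 table

    def accept(self, route):
        """Inbound VPNv4 processing. With the default RT filter on, a router that has
        no VRF importing one of the route's RTs silently drops the route."""
        if self.default_rt_filter:
            wanted = set().union(*self.vrf_imports.values())
            if not (route.route_targets & wanted):
                return False
        self.table.append(route)
        return True

    def vrf_routes(self, vrf):
        """Prefixes that land in a VRF's IPv4 table: RT import match on the VPNv4 table."""
        imports = self.vrf_imports.get(vrf, set())
        return sorted(r.prefix for r in self.table if r.route_targets & imports)


def abc_company_route():
    """PE-ABC-1 exports 10.10.111.1/32 from VRF Company: RD 100:111, RT 100:111."""
    return Vpnv4Route("100:111", "10.10.111.1/32", frozenset({"RT:100:111"}))


def propagate(route, asbr_rt_filter_enabled):
    """Push one VPNv4 route along the lab path. Returns (name of the router that kept
    or dropped it, prefixes PE-XYZ-1 installs in VRF Company)."""
    abc_asbr = BgpSpeaker("PE-ABC-ASBR", default_rt_filter=asbr_rt_filter_enabled)  # no VRF
    xyz_asbr = BgpSpeaker("PE-XYZ-ASBR", default_rt_filter=asbr_rt_filter_enabled)  # no VRF
    pe_xyz_1 = BgpSpeaker("PE-XYZ-1", vrf_imports={"Company": {"RT:200:222", "RT:100:111"}})
    for hop in (abc_asbr, xyz_asbr, pe_xyz_1):
        if not hop.accept(route):
            return hop.name, []           # dropped here, never reaches the VRF
    return pe_xyz_1.name, pe_xyz_1.vrf_routes("Company")
```

With the default filter left on, the first ASBR drops the route, because it has no VRF at all; with the filter off the route reaches PE-XYZ-1, which still applies its own import policy, so a route carrying an unrelated RT (the third case in the test) is accepted by both ASBRs but never enters VRF Company.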

Verify the VPNv4 BGP sessions and routes on the PE-ASBRs:

PE-XYZ-ASBR#sh ip bgp vpnv4 all summary
BGP router identifier 100.100.127.1, local AS number 200
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
100.100.127.3   4   200      35      36       11    0    0 00:26:38        1
172.16.0.1      4   100      81      81       11    0    0 00:07:25        1

PE-XYZ-ASBR#sh ip bgp vpnv4 all
BGP table version is 11, local router ID is 100.100.127.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:111
*> 10.10.111.1/32   172.16.0.1                             0 100 ?
Route Distinguisher: 200:222
*>i10.10.222.1/32   100.100.127.3            0    100      0 ?

PE-ABC-ASBR#sh ip bgp vpnv4 all summary
BGP router identifier 10.10.127.3, local AS number 100
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.10.127.1     4   100      83      83        7    0    0 00:08:27        1
172.16.0.2      4   200      82      82        7    0    0 00:08:24        1

PE-ABC-ASBR#sh ip bgp vpnv4 all
BGP table version is 7, local router ID is 10.10.127.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:111
*>i10.10.111.1/32   10.10.127.1              0    100      0 ?
Route Distinguisher: 200:222
*> 10.10.222.1/32   172.16.0.2                             0 200 ?

Verify the IPv4 VRF routes and the connectivity on PE-ABC-1 and PE-XYZ-1:

PE-ABC-1#sh ip route vrf Company
Gateway of last resort is not set
10.0.0.0/32 is subnetted, 2 subnets
C       10.10.111.1 is directly connected, Loopback111
B       10.10.222.1 [200/0] via 10.10.127.3, 00:10:23
PE-ABC-1#ping vrf Company 10.10.222.1
Sending 5, 100-byte ICMP Echos to 10.10.222.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 168/205/268 ms

PE-XYZ-1#sh ip route vrf Company
Gateway of last resort is not set
10.0.0.0/32 is subnetted, 2 subnets
B       10.10.111.1 [200/0] via 100.100.127.1, 00:12:40
C       10.10.222.1 is directly connected, Loopback222
PE-XYZ-1#ping vrf Company 10.10.111.1
Sending 5, 100-byte ICMP Echos to 10.10.111.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 124/162/220 ms

BGP Confederation

June 14, 2008

My friend, who now works in Dar es Salaam, Tanzania, asked me about BGP Confederation. He asked why we don't use BGP Confederation for our IP networks nationwide, so that our country would use just one AS number and every ISP a private AS number.

But the answer is no, we can't. The purpose of using BGP as the exterior routing protocol between ISPs is to manage routing policy as flexibly as possible, and one of the routing policy factors is the AS-Path list. Unfortunately, when we use BGP Confederation, our external BGP peers (here a foreign AS, for example our upstream provider) see only one AS number, the Confederation ID.

Another BGP Confederation characteristic is that some BGP attributes, like MED and Local Preference, are carried across the Confederation member ASes (sub-ASes). This is a characteristic of IBGP.

This is because the purpose of BGP Confederation is to minimize the need for a full mesh of BGP speakers for IBGP updates. One Autonomous System (AS) is divided into several sub-ASes, and each sub-AS peers with the others using EBGP rules.

Below is an example of the BGP Confederation implementation:

Assume that the IGP of AS 100 is already working. These are the network prefixes of each router:

  • R1 = 1.1.1.1/32
  • R2 = 2.2.2.2/32
  • R3 = 3.3.3.3/32
  • R4 = 4.4.4.4/32

AS 100 consists of two sub-ASes, AS 65001 and AS 65002. AS 100 peers with AS 200 via R2. We will find that AS 200 sees only AS 100 in the AS-Path list of every prefix sent to it. This is because the list of Confederation sub-ASes is stripped from every prefix sent to the external BGP peers of the AS, and the global AS number is prepended instead. See the BGP table of R1 below:

R1#sh ip bgp
BGP table version is 6, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.1/32       0.0.0.0                  0         32768 i
*> 2.2.2.2/32       10.1.1.2                 0             0 100 i
*> 3.3.3.3/32       10.1.1.2                               0 100 i
*> 4.4.4.4/32       10.1.1.2                               0 100 i
*  10.1.1.0/24      10.1.1.2                 0             0 100 i
*>                  0.0.0.0                  0         32768 i
R1#

If we set the MED or Local Preference attribute on R2 (for example to 200) for every prefix received from R1, we will see that those attributes are carried across every sub-AS. See the BGP table of R4 below:

R4#sh ip bgp
BGP table version is 8, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.1/32       10.1.1.1               200    200      0 (65002) 200 i
*> 2.2.2.2/32       10.2.2.1                 0    100      0 (65002) i
*> 3.3.3.3/32       10.3.3.1                 0    100      0 (65002) i
*> 4.4.4.4/32       0.0.0.0                  0         32768 i
*> 10.1.1.0/24      10.2.2.1                 0    100      0 (65002) i
R4#
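The two behaviours shown in the R1 and R4 tables (sub-AS list stripped and Confederation ID prepended towards AS 200; LOCAL_PREF and MED carried between sub-ASes), as an added example that is not part of the original post: a small model of how a confederation member rewrites an update depending on whether the peer is in the same sub-AS, another sub-AS, or outside the confederation. AS numbers, prefixes and R2's policy value of 200 are the lab's; the Update dataclass and the advertise(), inbound_policy(), show_path() and walk_lab() functions are assumptions of this example.

```python
"""AS_PATH and attribute handling in a BGP Confederation, replaying the lab above.
Added example, not from the post: AS numbers, prefixes and the R2 policy value are the
lab's; the Update dataclass and the functions below are assumptions of this example.
"""
from dataclasses import dataclass, replace
from typing import Optional, Tuple

CONFED_ID = 100                  # the AS number the outside world sees
SUB_ASES = {65001, 65002}        # confederation members (private AS numbers)


@dataclass(frozen=True)
class Update:
    prefix: str
    as_path: Tuple[int, ...] = ()       # AS_SEQUENCE of public ASes, most recent first
    confed_seq: Tuple[int, ...] = ()    # AS_CONFED_SEQUENCE: sub-ASes crossed inside the confederation
    local_pref: Optional[int] = None
    med: Optional[int] = None


def advertise(update, local_as, peer_as):
    """Return the update a router in `local_as` sends to a peer in `peer_as`."""
    if peer_as == local_as:
        return update                                   # IBGP inside one sub-AS: untouched
    if local_as in SUB_ASES and peer_as in SUB_ASES:
        # Confederation EBGP: prepend our sub-AS to AS_CONFED_SEQUENCE only;
        # LOCAL_PREF and MED are carried through, as between IBGP peers.
        return replace(update, confed_seq=(local_as,) + update.confed_seq)
    # True EBGP (leaving the confederation, or a plain AS talking to it): drop the
    # sub-AS list, prepend the public AS, strip LOCAL_PREF, and pass MED only for
    # routes originated here (MED is non-transitive; compare R1's 2.2.2.2 vs 3.3.3.3).
    public_as = CONFED_ID if local_as in SUB_ASES else local_as
    originated_here = not update.as_path and not update.confed_seq
    return replace(update, as_path=(public_as,) + update.as_path, confed_seq=(),
                   local_pref=None, med=update.med if originated_here else None)


def inbound_policy(update, local_pref=None, med=None):
    """R2's inbound policy on routes from R1: set LOCAL_PREF / MED (the post uses 200)."""
    return replace(update,
                   local_pref=update.local_pref if local_pref is None else local_pref,
                   med=update.med if med is None else med)


def show_path(update):
    """Render the Path column as IOS prints it: sub-ASes in parentheses, then public ASes."""
    parts = []
    if update.confed_seq:
        parts.append("(" + " ".join(map(str, update.confed_seq)) + ")")
    parts.extend(str(a) for a in update.as_path)
    return " ".join(parts)


def walk_lab():
    """Replay the lab's updates; return {"<router> <prefix>": (Path, LocPrf, Metric)}."""
    rows = {}
    # R1 (AS 200) originates 1.1.1.1/32 to R2 (sub-AS 65002); R2 sets LOCAL_PREF and MED
    # to 200, then hands the route to R4 (sub-AS 65001) over confederation EBGP.
    u = advertise(Update("1.1.1.1/32"), 200, 65002)
    u = inbound_policy(u, local_pref=200, med=200)
    u = advertise(u, 65002, 65001)
    rows["R4 1.1.1.1/32"] = (show_path(u), u.local_pref, u.med)
    # R4 originates 4.4.4.4/32 (MED 0); R2 passes it on to R1 outside the confederation.
    u = advertise(Update("4.4.4.4/32", med=0), 65001, 65002)
    u = advertise(u, 65002, 200)
    rows["R1 4.4.4.4/32"] = (show_path(u), u.local_pref, u.med)
    # R2 originates 2.2.2.2/32 (LOCAL_PREF 100, MED 0) both to R1 and to R4.
    origin = Update("2.2.2.2/32", local_pref=100, med=0)
    u = advertise(origin, 65002, 200)
    rows["R1 2.2.2.2/32"] = (show_path(u), u.local_pref, u.med)
    u = advertise(origin, 65002, 65001)
    rows["R4 2.2.2.2/32"] = (show_path(u), u.local_pref, u.med)
    return rows
```

The rows match the tables above: R4 sees "(65002) 200" with LocPrf and Metric 200, while R1 sees a bare "100" for everything from the confederation, with no LOCAL_PREF and a MED only on the prefix R2 itself originates.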

CMIIW….

Categories: Service Provider