
CCNPv7 ROUTE
Chapter 7 Lab 7-2, Using the AS PATH Attribute

Topology
(Topology diagram not reproduced in this transcription.)

Objectives
  Use BGP commands to prevent private AS numbers from being advertised to the outside world.
  Use the AS PATH attribute to filter BGP routes based on their source AS numbers.

Background
The International Travel Agency's ISP has been assigned an AS number of 300. This provider uses BGP to exchange routing information with several customer networks. Each customer network is assigned an AS number from the private range, such as AS 65000. Configure the ISP router to remove the private AS numbers from the AS Path information of CustRtr. In addition, the ISP would like to prevent its customer networks from receiving route information from International Travel Agency's AS 100. Use the AS PATH attribute to implement this policy.

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 8

Note: This lab uses Cisco 1941 routers with Cisco IOS Release 15.4 with IP Base. The switches are Cisco WS-C2960-24TT-L with Fast Ethernet interfaces, therefore the router will use routing metrics associated with a 100 Mb/s interface. Depending on the router or switch model and Cisco IOS Software version, the commands available and output produced might vary from what is shown in this lab.

Required Resources
  3 routers (Cisco IOS Release 15.2 or comparable)
  Serial and Ethernet cables

Step 0: Suggested starting configurations.
a. Apply the following configuration to each router along with the appropriate hostname. The exec-timeout 0 0 command should only be used in a lab environment.

  Router(config)# no ip domain-lookup
  Router(config)# line con 0
  Router(config-line)# logging synchronous
  Router(config-line)# exec-timeout 0 0

Step 1: Configure interface addresses.
b. Using the addressing scheme in the diagram, create the loopback interfaces and apply IPv4 addresses to these and the serial interfaces on SanJose (R1), ISP (R2), and CustRtr (R3).
The ISP loopbacks simulate real networks. Set a clock rate on the DCE serial interfaces.

  SanJose(config)# interface Loopback0
  SanJose(config-if)# ip address 10.1.1.1 255.255.255.0
  SanJose(config-if)# exit
  SanJose(config)# interface Serial0/0/0
  SanJose(config-if)# ip address 192.168.1.5 255.255.255.252
  SanJose(config-if)# clock rate 128000
  SanJose(config-if)# no shutdown
  SanJose(config-if)# end
  SanJose#

  ISP(config)# interface Loopback0
  ISP(config-if)# ip address 10.2.2.1 255.255.255.0
  ISP(config-if)# interface Serial0/0/0
  ISP(config-if)# ip address 192.168.1.6 255.255.255.252
  ISP(config-if)# no shutdown
  ISP(config-if)# exit
  ISP(config)# interface Serial0/0/1
  ISP(config-if)# ip address 172.24.1.17 255.255.255.252
  ISP(config-if)# clock rate 128000
  ISP(config-if)# no shutdown
  ISP(config-if)# end
  ISP#

  CustRtr(config)# interface Loopback0
  CustRtr(config-if)# ip address 10.3.3.1 255.255.255.0
  CustRtr(config-if)# exit
  CustRtr(config)# interface Serial0/0/1
  CustRtr(config-if)# ip address 172.24.1.18 255.255.255.252
  CustRtr(config-if)# no shutdown
  CustRtr(config-if)# end
  CustRtr#

c. Use ping to test the connectivity between the directly connected routers.

Note: SanJose will not be able to reach either ISP's loopback (10.2.2.1) or CustRtr's loopback (10.3.3.1), nor will it be able to reach either end of the link joining ISP to CustRtr (172.24.1.17 and 172.24.1.18).

Step 2: Configure BGP.
a. Configure BGP for normal operation. Enter the appropriate BGP commands on each router so that they identify their BGP neighbors and advertise their loopback networks.

  SanJose(config)# router bgp 100
  SanJose(config-router)# neighbor 192.168.1.6 remote-as 300
  SanJose(config-router)# network 10.1.1.0 mask 255.255.255.0

  ISP(config)# router bgp 300
  ISP(config-router)# neighbor 192.168.1.5 remote-as 100
  ISP(config-router)# neighbor 172.24.1.18 remote-as 65000
  ISP(config-router)# network 10.2.2.0 mask 255.255.255.0

  CustRtr(config)# router bgp 65000
  CustRtr(config-router)# neighbor 172.24.1.17 remote-as 300
  CustRtr(config-router)# network 10.3.3.0 mask 255.255.255.0

b. Verify that these routers have established the appropriate neighbor relationships by issuing the show ip bgp neighbors command on each router.

  ISP# show ip bgp neighbors
  BGP neighbor is 172.24.1.18,  remote AS 65000, external link
    BGP version 4, remote router ID 10.3.3.1
    BGP state = Established, up for 00:00:28
    Last read 00:00:28, last write 00:00:28, hold time is 180, keepalive interval is 60 seconds
  <output omitted>
  BGP neighbor is 192.168.1.5,  remote AS 100, external link
    BGP version 4, remote router ID 10.1.1.1
    BGP state = Established, up for 00:01:34
    Last read 00:00:33, last write 00:00:06, hold time is 180, keepalive interval is 60 seconds
  <output omitted>

Step 3: Remove the private AS.
a. Display the SanJose routing table using the show ip route command. SanJose should have a route to both 10.2.2.0 and 10.3.3.0.
Troubleshoot if necessary.

  SanJose# show ip route
  Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
         D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
         N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
         E1 - OSPF external type 1, E2 - OSPF external type 2
         i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
         ia - IS-IS inter area, * - candidate default, U - per-user static route
         o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
         a - application route
         + - replicated route, % - next hop override

  Gateway of last resort is not set

        10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
  C        10.1.1.0/24 is directly connected, Loopback0
  L        10.1.1.1/32 is directly connected, Loopback0

  B        10.2.2.0/24 [20/0] via 192.168.1.6, 00:04:22
  B        10.3.3.0/24 [20/0] via 192.168.1.6, 00:03:14
        192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
  C        192.168.1.4/30 is directly connected, Serial0/0/0
  L        192.168.1.5/32 is directly connected, Serial0/0/0
  SanJose#

b. Ping the 10.3.3.1 address from SanJose.
Why does this fail?

c. Ping again, this time as an extended ping, sourcing from the Loopback0 interface address.

  SanJose# ping
  Protocol [ip]:
  Target IP address: 10.3.3.1
  Repeat count [5]:
  Datagram size [100]:
  Timeout in seconds [2]:
  Extended commands [n]: y
  Source address or interface: 10.1.1.1
  Type of service [0]:
  Set DF bit in IP header? [no]:
  Validate reply data? [no]:
  Data pattern [0xABCD]:
  Loose, Strict, Record, Timestamp, Verbose[none]:
  Sweep range of sizes [n]:
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 10.3.3.1, timeout is 2 seconds:
  Packet sent with a source address of 10.1.1.1
  !!!!!
  Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms
  SanJose#

Note: You can bypass extended ping mode and specify a source address using one of these commands:

  SanJose# ping 10.3.3.1 source 10.1.1.1
or
  SanJose# ping 10.3.3.1 source Lo0

d. Check the BGP table from SanJose by using the show ip bgp command. Note the AS path for the 10.3.3.0 network. The AS 65000 should be listed in the path to 10.3.3.0.

  SanJose# show ip bgp
  BGP table version is 5, local router ID is 10.1.1.1
  Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
                x best-external, a additional-path, c RIB-compressed,
  Origin codes: i - IGP, e - EGP, ? - incomplete
  RPKI validation codes: V valid, I invalid, N Not found

       Network          Next Hop            Metric LocPrf Weight Path
   *>  10.1.1.0/24      0.0.0.0                  0         32768 i
   *>  10.2.2.0/24      192.168.1.6              0             0 300 i

   *>  10.3.3.0/24      192.168.1.6              0             0 300 65000 i
  SanJose#

Why is this a problem?

e. Configure ISP to strip the private AS numbers from BGP routes exchanged with SanJose using the following commands.

  ISP(config)# router bgp 300
  ISP(config-router)# neighbor 192.168.1.5 remove-private-as

f. After issuing these commands, use the clear ip bgp * command on ISP to reestablish the BGP relationship between the three routers. Wait several seconds and then return to SanJose to check its routing table.

Note: The clear ip bgp * soft command can also be used to force each router to resend its BGP table.

  ISP# clear ip bgp *
  ISP#
  *Sep  8 18:40:03.551: %BGP-5-ADJCHANGE: neighbor 172.24.1.18 Down User reset
  *Sep  8 18:40:03.551: %BGP_SESSION-5-ADJCHANGE: neighbor 172.24.1.18 IPv4 Unicast topology base removed from session  User reset
  *Sep  8 18:40:03.551: %BGP-5-ADJCHANGE: neighbor 192.168.1.5 Down User reset
  *Sep  8 18:40:03.551: %BGP_SESSION-5-ADJCHANGE: neighbor 192.168.1.5 IPv4 Unicast topology base removed from session  User reset
  *Sep  8 18:40:04.515: %BGP-5-ADJCHANGE: neighbor 172.24.1.18 Up
  *Sep  8 18:40:04.519: %BGP-5-ADJCHANGE: neighbor 192.168.1.5 Up
  ISP#

  SanJose# show ip route
  <output omitted>
        10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
  C        10.1.1.0/24 is directly connected, Loopback0
  L        10.1.1.1/32 is directly connected, Loopback0
  B        10.2.2.0/24 [20/0] via 192.168.1.6, 00:00:20
  B        10.3.3.0/24 [20/0] via 192.168.1.6, 00:01:02
        192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
  C        192.168.1.4/30 is directly connected, Serial0/0/0
  L        192.168.1.5/32 is directly connected, Serial0/0/0
  SanJose#

Does SanJose still have a route to 10.3.3.0?

SanJose should be able to ping 10.3.3.1 using its loopback 0 interface as the source of the ping.

  SanJose# ping 10.3.3.1 source lo0
  Type escape sequence to abort.

  Sending 5, 100-byte ICMP Echos to 10.3.3.1, timeout is 2 seconds:
  Packet sent with a source address of 10.1.1.1
  !!!!!
  Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms

g. Now check the BGP table on SanJose. The AS PATH to the 10.3.3.0 network should be AS 300. It no longer has the private AS in the path.

  SanJose# show ip bgp
  BGP table version is 9, local router ID is 10.1.1.1
  Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
                x best-external, a additional-path, c RIB-compressed,
  Origin codes: i - IGP, e - EGP, ? - incomplete
  RPKI validation codes: V valid, I invalid, N Not found

       Network          Next Hop            Metric LocPrf Weight Path
   *>  10.1.1.0/24      0.0.0.0                  0         32768 i
   *>  10.2.2.0/24      192.168.1.6              0             0 300 i
   *>  10.3.3.0/24      192.168.1.6              0             0 300 i
  SanJose#

Step 4: Use the AS PATH attribute to filter routes.
As a final configuration, use the AS PATH attribute to filter routes based on their origin. In a complex environment, you can use this attribute to enforce routing policy. In this case, the provider router, ISP, must be configured so that it does not propagate routes that originate from AS 100 to the customer router CustRtr.

AS-path access lists are read like regular access lists. The statements are read sequentially, and there is an implicit deny at the end. Rather than matching an address in each statement like a conventional access list, AS path access lists match on something called a regular expression. Regular expressions are a way of matching text patterns and have many uses. In this case, you will be using them in the AS path access list to match text patterns in AS paths.

a. Configure a special kind of access list to match BGP routes with an AS PATH attribute that both begins and ends with the number 100.
Enter the following commands on ISP.

  ISP(config)# ip as-path access-list 1 deny ^100$
  ISP(config)# ip as-path access-list 1 permit .*

The first command uses the ^ character to indicate that the AS path must begin with the given number 100. The $ character indicates that the AS PATH attribute must also end with 100. Essentially, this statement matches only paths that are sourced from AS 100. Other paths, which might include AS 100 along the way, will not match this list.

In the second statement, the . (period) is a wildcard, and the * (asterisk) stands for a repetition of the wildcard. Together, .* matches any value of the AS PATH attribute, which in effect permits any update that has not been denied by the previous access-list statement.

For more details on configuring regular expressions on Cisco routers, see:
http://www.cisco.com/c/en/us/td/docs/ios/12_2/termserv/configuration/guide/ftersv_l

b. Apply the configured access list using the neighbor command with the filter-list option.

  ISP(config)# router bgp 300
  ISP(config-router)# neighbor 172.24.1.18 filter-list 1 out

The out keyword specifies that the list is applied to routing information sent to this neighbor.
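To see how the two mechanisms in Steps 3 and 4 act on concrete AS paths, the following is an added Python model (not part of the Cisco lab) of remove-private-as and of access-list 1 evaluated as an outbound filter-list on ISP. The remove-private-as model is simplified: it strips private ASNs only when the whole path is private, as IOS does without the all keyword; the function names and the "hypothetical transit route" sample path are my own.

```python
import re

# 16-bit private ASN range (RFC 6996): 64512-65534.
PRIVATE_AS = range(64512, 65535)


def remove_private_as(as_path):
    """Simplified model of 'neighbor ... remove-private-as' without the 'all'
    keyword: private ASNs are stripped only when every ASN in the path is
    private (a mix of public and private ASNs is left untouched)."""
    if as_path and all(asn in PRIVATE_AS for asn in as_path):
        return []
    return list(as_path)


def as_path_access_list(rules, as_path):
    """Evaluate an 'ip as-path access-list' the way the lab describes it:
    statements are read in order, the first matching regex decides, and an
    unmatched path falls through to the implicit deny at the end. The path
    is matched as IOS prints it, ASNs separated by single spaces."""
    text = " ".join(str(asn) for asn in as_path)
    for action, pattern in rules:
        if re.search(pattern, text):
            return action == "permit"
    return False


def advertise(local_as, as_path, rules):
    """Outbound processing on ISP toward CustRtr: the filter-list is checked
    against the path as held in ISP's BGP table; if permitted, ISP prepends
    its own AS before sending. Returns None when the route is filtered."""
    if not as_path_access_list(rules, as_path):
        return None
    return [local_as] + list(as_path)


# access-list 1 from the lab: deny ^100$, then permit .*
ACL_1 = [("deny", r"^100$"), ("permit", r".*")]

if __name__ == "__main__":
    # Step 3: CustRtr's 10.3.3.0 reaches ISP with path [65000]; after
    # remove-private-as and ISP's own prepend, SanJose sees just "300".
    print("SanJose sees 10.3.3.0 via", [300] + remove_private_as([65000]))
    # Step 4: paths held by ISP for each network, filtered toward CustRtr.
    for net, path in (("10.1.1.0/24", [100]), ("10.2.2.0/24", []),
                      ("hypothetical transit route", [200, 100])):
        print(net, "->", advertise(300, path, ACL_1))
```

The 10.1.1.0/24 route (path "100") is the only one dropped; a path that merely contains AS 100 in the middle is permitted by the second statement, exactly as the lab text describes.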

c. Use the clear ip bgp * command to reset the routing information. Wait several seconds and then check the routing table for ISP. The route to 10.1.1.0 should be in the routing table.

Note: To force the local router to resend its BGP table, a less disruptive option is to use the clear ip bgp * out or clear ip bgp * soft command (the second command performs both outgoing and incoming route resync).

  ISP# clear ip bgp *
  ISP#
  *Sep  8 18:48:04.915: %BGP-5-ADJCHANGE: neighbor 172.24.1.18 Down User reset
  *Sep  8 18:48:04.915: %BGP_SESSION-5-ADJCHANGE: neighbor 172.24.1.18 IPv4 Unicast topology base removed from session  User reset
  *Sep  8 18:48:04.915: %BGP-5-ADJCHANGE: neighbor 192.168.1.5 Down User reset
  *Sep  8 18:48:04.915: %BGP_SESSION-5-ADJCHANGE: neighbor 192.168.1.5 IPv4 Unicast topology base removed from session  User reset
  *Sep  8 18:48:04.951: %BGP-5-ADJCHANGE: neighbor 172.24.1.18 Up
  *Sep  8 18:48:04.955: %BGP-5-ADJCHANGE: neighbor 192.168.1.5 Up
  ISP#

  ISP# show ip route
  <output omitted>
        10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
  10.1.1.