R&S Advanced Day3

Transcript R&S Advanced Day3

--- CCIE R&S Advanced Lab ----- Session 5 BGP, Multicast ---
BGP Topics Covered
BGP Confederation
Order/Preference
Aggregation
Security
Peer Groups
Dampening
Copyright© Network Learning Inc. 2008
2
BGP
• Know where BGP is located on the DOC CD
• How can BGP be manipulated
BGP Confederations
Remove private AS
• Private AS numbers are used for internal peering
• The private AS information needs to be removed before routes are advertised externally
BGP Path Selection
1. If the path specifies a next hop that is inaccessible, drop the update.
2. Prefer the path with the largest weight.
3. If the weights are the same, prefer the path with the largest local preference.
4. If the local preferences are the same, prefer the path that was originated by BGP running on this router.
5. If no route was originated, prefer the route that has the shortest AS_path.
6. If all paths have the same AS_path length, prefer the path with the lowest origin type (where IGP is lower than EGP, and EGP is lower than incomplete).
7. If the origin codes are the same, prefer the path with the lowest MED attribute.
8. If the paths have the same MED, prefer the external path over the internal path.
9. If the paths are still the same, prefer the path through the closest IGP neighbor.
10. Prefer the path with the lowest IP address, as specified by the BGP router ID.
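An added example (not part of the course slides) that implements the ten steps above as one ordered comparison in Python. The Path fields and the sample paths are constructed for illustration, and step 7 compares MED across all candidates rather than only between paths from the same neighboring AS:

```python
from dataclasses import dataclass, field
from typing import List, Optional

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}  # step 6: lower is preferred

@dataclass
class Path:
    next_hop: str
    weight: int = 0
    local_pref: int = 100
    locally_originated: bool = False
    as_path: List[int] = field(default_factory=list)
    origin: str = "igp"
    med: int = 0
    external: bool = True        # learned via eBGP (True) or iBGP (False)
    igp_metric: int = 0          # IGP cost to reach next_hop
    router_id: str = "0.0.0.0"   # router ID of the advertising peer

def best_path(paths: List[Path], reachable: set) -> Optional[Path]:
    """Return the preferred path using the slide's ten steps in order."""
    # Step 1: a path whose next hop is not in the routing table is dropped.
    candidates = [p for p in paths if p.next_hop in reachable]
    if not candidates:
        return None
    # Steps 2-10 form one lexicographic key; every element is arranged so that
    # a smaller value is the better one, so min() is the decision process.
    def key(p: Path):
        return (
            -p.weight,                                   # 2: largest weight
            -p.local_pref,                               # 3: largest local preference
            0 if p.locally_originated else 1,            # 4: originated on this router
            len(p.as_path),                              # 5: shortest AS_path
            ORIGIN_RANK[p.origin],                       # 6: IGP < EGP < incomplete
            p.med,                                       # 7: lowest MED
            0 if p.external else 1,                      # 8: eBGP over iBGP
            p.igp_metric,                                # 9: closest IGP neighbor
            tuple(int(o) for o in p.router_id.split(".")),  # 10: lowest router ID
        )
    return min(candidates, key=key)

def demo() -> str:
    """Constructed sample: three paths to the same prefix; returns the winning next hop."""
    paths = [
        Path("192.0.2.1", as_path=[65001, 65002], med=50),
        Path("192.0.2.2", as_path=[65003], med=100),                # shortest AS_path
        Path("192.0.2.3", local_pref=200, as_path=[65004, 65005]),  # best local-pref ...
    ]
    # ... but 192.0.2.3 is not reachable, so step 1 removes it before step 3 is reached.
    best = best_path(paths, reachable={"192.0.2.1", "192.0.2.2"})
    return best.next_hop if best else ""
```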
Aggregating BGP Networks
• Summarization is called aggregation in BGP
• Aggregation creates summary routes (called aggregates) from networks already in the BGP table
• Individual networks can be announced or suppressed
Configuring Aggregation
router bgp as-number
 aggregate-address address-prefix mask
• Specify the aggregation range in the BGP routing process
• The aggregate will be announced if there is at least one network in the specified range in the BGP table
• Individual networks will still be announced in outgoing BGP updates
Configuring BGP Communities
BGP communities are configured in the following steps:
• Configure BGP community propagation
• Define BGP community-lists to match BGP communities
• Configure route-maps that match on community-lists and filter
routes or set other BGP attributes
• Apply route-maps to incoming or outgoing updates
Community Setting Through Route-Map
route-map name
 match condition
 set community value [ value … ] [additive]
• Any number of communities can be specified
• Communities specified with the set keyword overwrite existing communities unless you specify the additive option
Attaching Communities to a Route
router(config-router)#
neighbor ip-address route-map map in | out
• Applies a route-map to inbound or outbound BGP
updates
• The route-map can set BGP communities or other
BGP attributes
router(config-router)#
redistribute protocol route-map map
• Applies a route-map to redistributed routes
Configure Community Propagation
router(config-router)#
neighbor ip-address send-community
• By default, communities are stripped from outgoing BGP updates
• Community propagation to BGP neighbors has to be manually configured
Related Commands
• set community none – removes all community attributes
• set comm-list delete – removes specific communities
ip community-list 1 permit 200:100
route-map REM_COM permit 10
 set comm-list 1 delete
• set community additive – appends to existing communities
set community 450 additive
• ip community-list 1 permit 200:10 – matches any route that has 200:10
• ip community-list 3 permit 200:10 100:10 – matches any route that has either or both communities
AS Path Filtering
Several scenarios require BGP route filtering based on AS-path:
• Announce only local routes to the ISP – the AS-path needs to be empty
• Select routes based on a specific AS number in the AS-path
• Accept routes for a specific AS only from some BGP neighbors
AS-path filters use regular expressions.
Regular Expressions - Matching Delimiters
^   matches beginning of string
$   matches end of string
_   matches any delimiter (beginning, end, white space, tab, comma)
Regular Expressions - Operators
*    matches zero or more instances
?    matches zero or one instance
+    matches one or more instances
.    matches any single character
[ ]  matches characters or a range of characters
Sample Regular Expressions
_100_      going through AS 100
^100$      directly connected to AS 100
_100$      originated in AS 100
^100_.*    networks behind AS 100
^[0-9]+$   AS paths one AS long
^$         networks originated in local AS
.*         matches everything
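Added example, not from the slides: the sample expressions evaluated in Python against constructed AS-path strings. Python's re module has no IOS-style `_` delimiter, so the translation replaces it with a group that matches beginning, end, whitespace or comma; AS_PATHS is a constructed sample set:

```python
import re

# AS paths as BGP displays them: ASNs separated by spaces, an empty string for a
# route originated in the local AS. Constructed sample data.
AS_PATHS = ["", "100", "100 200", "300 100", "300 100 200", "65001"]

# The IOS "_" meta-character matches any delimiter: beginning, end, white
# space, tab or comma. Python's re has no such token, so it is translated.
DELIM = r"(?:^|$|[\s,])"

def ios_to_python(regex: str) -> str:
    return regex.replace("_", DELIM)

def as_path_matches(regex: str, as_path: str) -> bool:
    """True if the AS-path string matches the IOS regex. Search semantics, as an
    ip as-path access-list entry uses: the expression may match anywhere."""
    return re.search(ios_to_python(regex), as_path) is not None

def filter_paths(regex: str, paths=AS_PATHS):
    """The subset of paths an as-path access-list entry with this regex permits."""
    return [p for p in paths if as_path_matches(regex, p)]

def demo_table():
    """Evaluates the slide's sample expressions; returns {regex: matched paths}."""
    samples = ["_100_", "^100$", "_100$", "^100_.*", "^[0-9]+$", "^$", ".*"]
    return {r: filter_paths(r) for r in samples}
```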
Configuring BGP AS-path Filters
R1(config)#
ip as-path access-list number permit | deny regexp
• Configures an AS-path access list
R1(config-router)#
neighbor ip-address filter-list as-path-filter in | out
• Configures an inbound or outbound AS-path filter for the specified BGP neighbor
Conditional Route Injection
• Used to inject more specific routes into BGP based on the existence of certain routes
R1(config)# router bgp 50000
R1(config-router)# bgp inject-map ORIGIN exist-map LEARNED copy-attributes
R1(config)# ip prefix-list ROUTE permit 10.1.1.0/24
R1(config)# ip prefix-list ROUTE_SOURCE permit 10.2.1.1/32
R1(config)# ip prefix-list ORIGINATED_ROUTES permit 10.1.1.0/25
R1(config)# route-map LEARNED permit 10
R1(config-route-map)# match ip address prefix-list ROUTE
R1(config-route-map)# match ip route-source prefix-list ROUTE_SOURCE
R1(config)# route-map ORIGIN permit 10
R1(config-route-map)# set ip address prefix-list ORIGINATED_ROUTES
BGP Authentication
• Authentication is MD5
• Configured on a per neighbor basis
R1(config)# router bgp 10
R1(config-router)# neighbor 10.1.1.2 remote-as 10
R1(config-router)# neighbor 10.1.1.2 password CISCO
R2(config)# router bgp 10
R2(config-router)# neighbor 10.1.1.1 remote-as 10
R2(config-router)# neighbor 10.1.1.1 password CISCO
Route Flap Dampening
• Every time an eBGP route flaps it gets 1000 penalty points (only for eBGP)
• The penalty placed on a route is decayed using the exponential decay algorithm
• When the penalty exceeds the “suppress limit”, the route is dampened (no longer used or propagated to other neighbors)
• A dampened route is propagated again when the penalty drops below the “reuse limit”
Configuring BGP Route Flap Dampening
R1(config-router)#
bgp dampening [half-time reuse-limit suppress-limit max-suppress] [route-map route-map]
Parameter meaning:
• half-time – exponential decay half-time (time in which the penalty is halved)
• suppress-limit – penalty value at which the route starts to be dampened
• reuse-limit – penalty value at which the dampened route is reused
• max-suppress – maximum suppression time
• route-map – controls where BGP route dampening is enabled
Default BGP Dampening Parameter Values
The following default dampening parameter values are used if you don’t specify them:
• half-time: 15 minutes
• per-flap penalty: 1,000 (non-configurable)
• suppress limit: 2,000
• reuse limit: 750
• max-suppress-time: 60 minutes
Limiting the Number of Routes Received from a Neighbor
Problem definition:
• A misconfigured BGP neighbor can send a huge number of prefixes that exhaust the router’s memory or overload the CPU
• All other filtering mechanisms only specify what we’re willing to accept but not how much
• Need to control the number of prefixes received from a neighbor
Maximum-Prefix Command
R1(config-router)#
neighbor ip-address maximum-prefix maximum [threshold] [warning-only]
• Controls how many prefixes can be received from a neighbor
• The optional threshold parameter specifies the percentage at which a warning message is logged (default is 75%)
• The optional warning-only keyword specifies the action on exceeding the maximum number (default is to drop the neighborship)
--- CCIE R&S Advanced Lab ----- Session 5 continued, Multicast ---
Multicast
Address
RPF
Dense / Sparse mode
Source / shared tree
Static RP
Auto-RP
BSR
B-M-B
MSDP / Anycast
Multicast Address Range
Reverse Path Forwarding
RPF Calculation
RPF with two paths
Multicast Distribution Trees
Dense mode uses source trees (push technology)
Shared Distribution Tree
Sparse mode uses shared trees (pull technology)
Characteristics of Distribution Trees
Multicast Tree Creation
PIM Sparse Mode
How does the network know about the RP?
Static RPs
Auto RP
• Intended for PIMv1
• C-RP candidates
• Mapping Agent (collects announcements and sends RP discovery messages on 224.0.1.40)
• The RPs announce on 224.0.1.39
• Recommended to locate the C-RP and Mapping Agent on the same router
• Uses dense mode to find the RP
Auto-RP configured
BSR Overview
PIM join messages that might inadvertently cross the border
ip pim bsr-border
Configuring BSR
Hash Mask
Priority
Anycast – RP Overview
MSDP
Anycast RP
Anycast RP - cont.
Broadcast-Multicast-Broadcast
First-hop router (UDP 4000 broadcasts from host 126.1.22.1 to 126.1.22.255 are converted to multicast group 239.1.1.1):
interface ethernet 0
 ip pim sparse-mode
 ip multicast helper-map broadcast 239.1.1.1 105
!
access-list 105 permit udp host 126.1.22.1 host 126.1.22.255 eq 4000
ip forward-protocol udp 4000
Last-hop router (multicast group 239.1.1.1 is converted back to the directed broadcast 131.1.1.255):
interface serial 0
 ip pim sparse-mode
 ip multicast helper-map 239.1.1.1 131.1.1.255 105
!
interface ethernet 1
 ip directed-broadcast
!
access-list 105 permit udp host 126.1.22.1 any eq 4000
ip forward-protocol udp 4000
--- CCIE R&S Advanced Lab ----- Session 6 QOS, Security ---
QOS
Modular QoS CLI (MQC)
LLQ
CAR – Committed Access Rate
WRED, CBWRED
Marking
Shaping, FRTS
Fragmenting
NBAR – Network Based Application Recognition
MQC Class-maps
class-map [match-all | match-any] Lab (match-all is the default)
• match xxx
• match yyy
match ? lists the classification criteria:
• input interface f0/0
• destination MAC address
• source MAC address
• fr-de, fr-dlci
• cos, dscp, IP precedence
• any
• access-group
• protocol (NBAR; download PDLMs)
  – requires CEF
  – can run NBAR protocol discovery (ip nbar protocol-discovery)
• packet length min or max
Policy-Map and DSCP
policy-map Test
 class Lab
  set cos, ip-dscp, ip-prec, …
  bandwidth xxx
  …
DSCP has 64 different values (“colors”) to mark traffic
mls qos map dscp-mutation – e.g. map DSCP 31 to 41
CBWFQ
• int f0/0
   max-reserved-bandwidth 80 (75% is the default)
• A policy-map can use kbps or percent but not both
• policy-map Voice
   class CONTROL
    bandwidth 10
   class Media
    priority 1000
  When a strict priority queue is applied to a class, it is referred to as LLQ
• Can have 255 classes total
CAR - Committed Access Rate
• Used on edge routers to classify and / or rate limit traffic
• Can be applied to all traffic or a subset of the traffic selected by an access list
• Configured on an interface
rate-limit {input|output} bps normal-burst max-burst conform-action action exceed-action action
rate-limit {input|output} access-group index bps normal-burst max-burst conform-action action exceed-action action
• normal burst = configured rate * (1 byte)/(8 bits) * 1.5 seconds
• extended burst = 2 * normal burst
CBWFQ Architecture policy
Applying RED
Configuring WRED on an interface
Parameters:
• minimum threshold (number of packets)
• maximum threshold (number of packets)
• mark probability denominator
When the average queue size is above the minimum threshold, RED starts dropping packets.
The rate of packet drop increases linearly as the average queue size increases, until the average queue size reaches the maximum threshold.
The mark probability denominator is the fraction of packets dropped when the average queue size is at the maximum threshold. For example, with a denominator of 100, one out of every 100 packets is dropped when the average queue size is at the maximum threshold.
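Added example, not from the slides: the WRED drop profile above as a Python function, plus the weighting by IP precedence that the three parameters make possible. The per-precedence PROFILES table is constructed; the exponentially weighted average queue size in wred_average goes beyond the slide and is this example's assumption about how the average is formed:

```python
def wred_drop_probability(avg_queue, min_th, max_th, mark_prob_denominator):
    """Drop probability for an arriving packet given the average queue size.
    Below min_th nothing is dropped; between the thresholds the probability
    rises linearly until it is 1/mark_prob_denominator at max_th; at or above
    max_th every packet is dropped (tail drop), which is how IOS WRED behaves
    although the slide stops at the maximum threshold."""
    if avg_queue < min_th:
        return 0.0
    if avg_queue >= max_th:
        return 1.0
    return (avg_queue - min_th) / (max_th - min_th) / mark_prob_denominator

def wred_average(prev_avg, current_depth, exp_weight=9):
    """Exponentially weighted average queue size WRED works from:
    avg = old * (1 - 2^-n) + current * 2^-n, n being IOS's
    exponential-weighting-constant (default 9). The averaging rule is an
    assumption of this example; the slide does not show it."""
    w = 2.0 ** -exp_weight
    return prev_avg * (1 - w) + current_depth * w

# Constructed per-precedence profiles (min_th, max_th, denominator): a lower
# minimum threshold for precedence 0 means its packets are dropped first,
# which is the "weighted" part of WRED.
PROFILES = {0: (20, 40, 10), 5: (32, 40, 10)}

def drops_per_1000(avg_queue, precedence):
    """Expected drops per 1000 arriving packets of the given precedence."""
    min_th, max_th, mpd = PROFILES[precedence]
    return round(1000 * wred_drop_probability(avg_queue, min_th, max_th, mpd))
```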
Traffic Shaping
Shape Peak
Peak rate = CIR × (1 + Be/Bc)
Router(config-pmap-c)# shape {average | peak} cir [bc] [be]
Shape adaptive (reacts to the BECN field set to 1):
• 25% slow down when a BECN is received
• If 16 Tcs pass with no BECNs, increase the rate by 1/16 every Tc
• Can also use FECN-adapt to send the information ahead to the other end with the BECN field.
Frame Relay Traffic Shaping
Committed time interval (Tc) = 125 ms
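Added example, not from the slides: the shape peak formula and the Tc of 125 ms from these two slides, together with a Tc-by-Tc model of the adaptive behaviour (25% cut per BECN, +1/16 of CIR per Tc after 16 quiet Tcs). The class and function names are this example's own, and the min_rate floor is an assumption the slide does not state:

```python
TC_SECONDS = 0.125   # committed time interval Tc from the slide (125 ms)

def peak_rate(cir, bc, be):
    """Shape peak, the slide's formula: CIR * (1 + Be/Bc), in bits per second."""
    return cir * (1 + be / bc)

def committed_burst(cir, tc=TC_SECONDS):
    """Bc in bits: the bits that may be sent per Tc at CIR (Bc = CIR * Tc)."""
    return cir * tc

class AdaptiveShaper:
    """Models 'shape adaptive' one Tc at a time: a BECN cuts the send rate by
    25%; after 16 consecutive Tcs without a BECN the rate climbs by CIR/16 per
    Tc, never above CIR and never below min_rate. The 25% and 1/16 steps are
    the slide's; min_rate (the adaptive floor) is this model's assumption."""
    def __init__(self, cir, min_rate):
        self.cir, self.min_rate = cir, min_rate
        self.rate = cir
        self.quiet_tcs = 0   # consecutive intervals with no BECN

    def interval(self, becn):
        """Advance one Tc given whether a BECN was seen; returns the new rate."""
        if becn:
            self.rate = max(self.min_rate, self.rate * 0.75)
            self.quiet_tcs = 0
        else:
            self.quiet_tcs += 1
            if self.quiet_tcs >= 16:
                self.rate = min(self.cir, self.rate + self.cir / 16)
        return self.rate

def simulate(cir, min_rate, becn_pattern):
    """Constructed run: returns the rate after each Tc for a BECN pattern."""
    shaper = AdaptiveShaper(cir, min_rate)
    return [shaper.interval(b) for b in becn_pattern]
```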
Network Based Application Recognition (NBAR)
NBAR Application Support
Packet Description Language Module
NBAR Protocol Discovery
--- CCIE R&S Advanced Lab ----- Session 6 continued security ---
Security
Unicast Reverse Path Forwarding (uRPF)
Context Based Access Control (CBAC)
Unicast Reverse Path Forwarding (uRPF)
Unicast Reverse Path Forwarding (uRPF) is a feature originally created to implement “Network Ingress Filtering: Defeating Denial of Service Attacks Which Employ IP Source Address Spoofing” (RFC 2827).
Configuring uRPF
By enabling Unicast Reverse Path Forwarding (uRPF), all spoofed packets will be dropped at the first device.
To enable uRPF, use the following commands (CEF is required, hence ip cef first).
R1(config)# ip cef
R1(config)# interface f0/0
R1(config-if)# ip verify unicast reverse-path
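Added example, not from the slides: the check that ip verify unicast reverse-path performs, written out in Python over a constructed FIB. It covers both the multicast RPF check earlier in the session (same idea: is the packet's source reachable through the interface it arrived on?) and strict uRPF here. FIB, PACKETS and the function names are this example's own; the allow_default flag corresponds to the allow-default keyword of the newer ip verify unicast source reachable-via form of the command:

```python
import ipaddress

# Constructed FIB: (prefix, egress interface), standing in for the CEF table
# that "ip cef" builds. The default route is included deliberately.
FIB = [
    ("10.0.0.0/8", "f0/0"),
    ("10.1.0.0/16", "f0/1"),
    ("192.0.2.0/24", "s0/0"),
    ("0.0.0.0/0", "s0/0"),
]

def lookup(fib, addr):
    """Longest-prefix match; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_strict(fib, src, ingress, allow_default=False):
    """Strict uRPF, the check 'ip verify unicast reverse-path' performs: accept
    the packet only if the best route back to its source address leaves through
    the interface it arrived on. A match on the default route counts only when
    allow_default is set (IOS offers an allow-default keyword for this)."""
    route = lookup(fib, src)
    if route is None:
        return False
    if route[0].prefixlen == 0 and not allow_default:
        return False
    return route[1] == ingress

def classify(fib, packets):
    """packets: list of (src, ingress). Returns the sources that would be dropped."""
    return [src for src, ingress in packets if not urpf_strict(fib, src, ingress)]

# Constructed packets: a legitimate one per interface plus two whose sources
# do not belong behind the interface they arrived on.
PACKETS = [
    ("10.1.2.3", "f0/1"),
    ("10.2.0.1", "f0/0"),
    ("10.1.2.3", "f0/0"),
    ("203.0.113.5", "s0/0"),
]
```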
CBAC - Context-Based Access Control
CBAC inspects TCP and UDP packets at the application layer.
CBAC monitors all outgoing requests by creating temporary openings for outbound traffic at the firewall interface. Return traffic is allowed in only if it is part of the original outgoing traffic.
CBAC inspects all outgoing packets and maintains state information for every session.
CBAC then decides whether to deny or permit the incoming traffic based on its state information.
How CBAC Works
1. Control traffic is inspected by the CBAC rule:
   ip inspect name FWRULE tcp
2. CBAC creates a dynamic ACL allowing return traffic back through the firewall (here for the Telnet session from 10.0.0.3 port 2447 to 172.30.1.50 port 23):
   access-list 102 permit TCP host 172.30.1.50 eq 23 host 10.0.0.3 eq 2447
3. CBAC continues to inspect control traffic and dynamically creates and removes ACLs as required by the application.
4. CBAC detects when an application terminates or times out and removes all dynamic ACLs for that session.
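Added example, not from the slides: a Python model of the four steps above for the Telnet session on the slide, including the TCP idle time (1 h) and FIN wait time (5 s) from the timer slides that follow. The Flow and CbacInspector names are this example's own, and the session is constructed; unrelated inbound traffic is denied because no session entry matches it:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    def reverse(self):
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)

class CbacInspector:
    """Models 'ip inspect name FWRULE tcp' on the inside interface: each outbound
    session opens a flow-specific hole for its return traffic only, and the hole
    goes away when the session closes or idles out. Timeouts are the defaults on
    the slides (TCP idle 1 h, FIN wait 5 s). Added example, not IOS code."""
    def __init__(self, tcp_idle=3600, fin_wait=5):
        self.tcp_idle, self.fin_wait = tcp_idle, fin_wait
        self.sessions = {}   # outbound Flow -> [expires_at, closing]

    def outbound(self, flow, now):
        """Steps 1-2: inspect the outbound session and open its return hole."""
        self.sessions[flow] = [now + self.tcp_idle, False]

    def inbound(self, flow, now):
        """Step 3: permit only return traffic of a live session; refresh its idle timer."""
        key = flow.reverse()
        entry = self.sessions.get(key)
        if entry is None or now > entry[0]:
            self.sessions.pop(key, None)   # step 4: timed out, entry removed
            return False
        if not entry[1]:
            entry[0] = now + self.tcp_idle
        return True

    def fin(self, flow, now):
        """Step 4: the session is closing; keep the hole only for the FIN-wait time."""
        key = flow if flow in self.sessions else flow.reverse()
        if key in self.sessions:
            entry = self.sessions[key]
            entry[0], entry[1] = min(entry[0], now + self.fin_wait), True

    def dynamic_acl(self):
        """Current entries in the slide's access-list form."""
        return [f"permit {f.proto} host {f.dst} eq {f.dport} host {f.src} eq {f.sport}"
                for f in self.sessions]
```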
CBAC Configuration
Enable Audit Trails and Alerts
Enable TCP SYN and FIN times
• SYN wait time (30s)
• FIN wait time (5s)
TCP, UDP and DNS Idle Times
• TCP idle time (1h)
• UDP idle time (30s)
• DNS timeout (3s)
Port to Application Mapping
Port Mapping Configuration
Configuring Inspection Rules
Apply Inspection Rule to an Interface