| 1 | % Network Design Workshop |
|---|
| 2 | % Basic BGP Lab |
|---|
| 3 | |
|---|
| 4 |  |
|---|
| 5 | |
|---|
| 6 | \pagebreak |
|---|
| 7 | |
|---|
| 8 | # Introduction |
|---|
| 9 | |
|---|
| 10 | The purpose of this exercise is to: |
|---|
| 11 | |
|---|
| 12 | * Understand the routing implications of |
|---|
| 13 | connecting to multiple external domains |
|---|
| 14 | * Learn to configure basic eBGP to exchange routing |
|---|
| 15 | information with multiple external peers and iBGP |
|---|
| 16 | to carry that information inside your network. |
|---|
| 17 | |
|---|
| 18 | # Pre-requisites |
|---|
| 19 | |
|---|
| 20 | This exercise builds upon the configurations implemented in |
|---|
| 21 | the OSPF + Static routing lab. You must be able to: |
|---|
| 22 | |
|---|
| 23 | * Ping your neighbor router in the same AS using its |
|---|
| 24 | loopback address (both IPv4 and IPv6!). |
|---|
| 25 | * Ping your neighbor routers in other ASs using their |
|---|
| 26 | point-to-point link addresses. |
|---|
| 27 | |
|---|
| 28 | *Note: Actually, if everyone configured their OSPF and static |
|---|
| 29 | routes properly in the previous exercise, you should be able |
|---|
| 30 | to ping every other router using their loopback address.* |
|---|
| 31 | |
|---|
| 32 | # Address Space Allocation |
|---|
| 33 | |
|---|
| 34 | ## Regional REN (RREN) |
|---|
| 35 | |
|---|
| 36 | We only need one: |
|---|
| 37 | |
|---|
| 38 | RREN IPv4 IPv6 ASN |
|---|
| 39 | ----- ------------ ------------- ------- |
|---|
| 40 | 1 10.100.0.0/16 fd00:100::/32 100 |
|---|
| 41 | |
|---|
| 42 | ## National RENs (NRENs) |
|---|
| 43 | |
|---|
| 44 | NREN IPv4 IPv6 ASN |
|---|
| 45 | ----- ------------ ------------- ------- |
|---|
| 46 | 1 10.101.0.0/16 fd00:101::/32 101 |
|---|
| 47 | 2 10.102.0.0/16 fd00:102::/32 102 |
|---|
| 48 | |
|---|
| 49 | ... and so on. |
|---|
| 50 | |
|---|
| 51 | # iBGP Configuration |
|---|
| 52 | |
|---|
| 53 | ## Enable the BGP process |
|---|
| 54 | |
|---|
| 55 | Before we set up iBGP, we need to do some basic preparation |
|---|
| 56 | on the router. The IOS defaults are not optimized, so before |
|---|
| 57 | we bring up BGP sessions, we should set the parameters that we |
|---|
| 58 | require. |
|---|
| 59 | |
|---|
| 60 | The default distance for eBGP is 20, the default distance for iBGP |
|---|
| 61 | is 200, and the default distance for OSPF is 110. This means that |
|---|
| 62 | there is a potential for a prefix learned by eBGP to override the |
|---|
| 63 | identical prefix carried by OSPF. To protect against accidents, the |
|---|
| 64 | eBGP distance is set to 200 also. |
|---|
| 65 | |
|---|
| 66 | The command to do this is the *distance bgp* subcommand: |
|---|
| 67 | |
|---|
| 68 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 69 | distance bgp <external-routes> <internal-routes> <local-routes> |
|---|
| 70 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 71 | |
|---|
| 72 | We also want to: |
|---|
| 73 | |
|---|
| 74 | * Enable logging of BGP neighbor state changes |
|---|
| 75 | * Disable the requirement that a route must be present in the IGP |
|---|
| 76 | table before it can be advertised by BGP (synchronization). |
|---|
| 77 | * Disable auto-summarization of routes to classful network boundaries |
|---|
| 78 | * Disable the automatic exchange of IPv4 unicast routes on every |
|---|
| 79 | peering session. |
|---|
| 80 | |
|---|
| 81 | This must be done in all future BGP configurations of this workshop: |
|---|
| 82 | |
|---|
| 83 | On both R11 and R12: |
|---|
| 84 | |
|---|
| 85 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 86 | router bgp 10 |
|---|
| 87 | distance bgp 200 200 200 |
|---|
| 88 | bgp log-neighbor-changes |
|---|
| 89 | no synchronization |
|---|
| 90 | no auto-summary |
|---|
| 91 | no bgp default ipv4-unicast |
|---|
| 92 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 93 | |
|---|
| 94 | |
|---|
| 95 | ## Configure iBGP neighbors |
|---|
| 96 | |
|---|
| 97 | Again, make sure that you can ping the other router |
|---|
| 98 | using its loopback address, otherwise the BGP session |
|---|
| 99 | will not come up! |
|---|
| 100 | |
|---|
| 101 | On R11: |
|---|
| 102 | |
|---|
| 103 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 104 | router bgp 10 |
|---|
| 105 | address-family ipv4 |
|---|
| 106 | neighbor 10.10.255.2 remote-as 10 |
|---|
| 107 | neighbor 10.10.255.2 update-source loopback 0 |
|---|
| 108 | neighbor 10.10.255.2 description iBGP to R12 |
|---|
| 109 | neighbor 10.10.255.2 password NSRC |
|---|
| 110 | neighbor 10.10.255.2 next-hop-self |
|---|
| 111 | address-family ipv6 |
|---|
| 112 | neighbor fd00:10:ff::2 remote-as 10 |
|---|
| 113 | neighbor fd00:10:ff::2 update-source loopback 0 |
|---|
| 114 | neighbor fd00:10:ff::2 description iBGP to R12 |
|---|
| 115 | neighbor fd00:10:ff::2 password NSRC |
|---|
| 116 | neighbor fd00:10:ff::2 next-hop-self |
|---|
| 117 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 118 | |
|---|
| 119 | On R12: |
|---|
| 120 | |
|---|
| 121 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 122 | router bgp 10 |
|---|
| 123 | address-family ipv4 |
|---|
| 124 | neighbor 10.10.255.1 remote-as 10 |
|---|
| 125 | neighbor 10.10.255.1 update-source loopback 0 |
|---|
| 126 | neighbor 10.10.255.1 description iBGP to R11 |
|---|
| 127 | neighbor 10.10.255.1 password NSRC |
|---|
| 128 | neighbor 10.10.255.1 next-hop-self |
|---|
| 129 | address-family ipv6 |
|---|
| 130 | neighbor fd00:10:ff::1 remote-as 10 |
|---|
| 131 | neighbor fd00:10:ff::1 update-source loopback 0 |
|---|
| 132 | neighbor fd00:10:ff::1 description iBGP to R11 |
|---|
| 133 | neighbor fd00:10:ff::1 password NSRC |
|---|
| 134 | neighbor fd00:10:ff::1 next-hop-self |
|---|
| 135 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 136 | |
|---|
| 137 | |
|---|
| 138 | Check that the BGP sessions are up on both sides. |
|---|
| 139 | |
|---|
| 140 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 141 | show ip bgp summary |
|---|
| 142 | show bgp ipv6 unicast summary |
|---|
| 143 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 144 | |
|---|
| 145 | ## Advertise end-user prefixes |
|---|
| 146 | |
|---|
| 147 | 1. Divide your end-user address space in two |
|---|
| 148 | halves and announce each half separately. |
|---|
| 149 | Refer to the address space allocation table |
|---|
| 150 | in the previous exercise. |
|---|
| 151 | |
|---|
| 152 | On R11: |
|---|
| 153 | |
|---|
| 154 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 155 | router bgp 10 |
|---|
| 156 | address-family ipv4 |
|---|
| 157 | network 10.10.0.0 mask 255.255.192.0 |
|---|
| 158 | address-family ipv6 |
|---|
| 159 | network fd00:10::/41 |
|---|
| 160 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 161 | |
|---|
| 162 | On R12: |
|---|
| 163 | |
|---|
| 164 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 165 | router bgp 10 |
|---|
| 166 | address-family ipv4 |
|---|
| 167 | network 10.10.64.0 mask 255.255.192.0 |
|---|
| 168 | address-family ipv6 |
|---|
| 169 | network fd00:10:80::/41 |
|---|
| 170 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 171 | |
|---|
| 172 | Get the list of learned paths: |
|---|
| 173 | |
|---|
| 174 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 175 | show ip bgp |
|---|
| 176 | show bgp ipv6 unicast |
|---|
| 177 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 178 | |
|---|
| 179 | Do you see any paths? Why not? |
|---|
| 180 | |
|---|
| 181 | 2. Create a static route for the prefix being |
|---|
| 182 | announced on each router: |
|---|
| 183 | |
|---|
| 184 | On R11: |
|---|
| 185 | |
|---|
| 186 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 187 | ip route 10.10.0.0 255.255.192.0 null0 |
|---|
| 188 | ipv6 route fd00:10::/41 null0 |
|---|
| 189 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 190 | |
|---|
| 191 | On R12: |
|---|
| 192 | |
|---|
| 193 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 194 | ip route 10.10.64.0 255.255.192.0 null0 |
|---|
| 195 | ipv6 route fd00:10:80::/41 null0 |
|---|
| 196 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 197 | |
|---|
| 198 | Get the list of learned paths again. You should see |
|---|
| 199 | both your prefix and the neighbor's. |
|---|
| 200 | |
|---|
| 201 | # Multihoming - eBGP Configuration |
|---|
| 202 | |
|---|
| 203 | ## Connect to the NREN |
|---|
| 204 | |
|---|
| 205 | 1. Configure your RX1 router to connect to the NREN |
|---|
| 206 | with a a point-to-point link. |
|---|
| 207 | |
|---|
| 208 | NRENs: Use configuration in Appendix. |
|---|
| 209 | |
|---|
| 210 | On R11: |
|---|
| 211 | |
|---|
| 212 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 213 | interface GigabitEthernet1/0 |
|---|
| 214 | description P2P Link to NREN1 |
|---|
| 215 | ip address 10.101.254.2 255.255.255.252 |
|---|
| 216 | ipv6 address fd00:101:fe::1/127 |
|---|
| 217 | no shutdown |
|---|
| 218 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 219 | |
|---|
| 220 | Make sure that it's up and that you can ping the other |
|---|
| 221 | side: |
|---|
| 222 | |
|---|
| 223 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 224 | ping 10.101.254.1 |
|---|
| 225 | ping fd00:101:fe::0 |
|---|
| 226 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 227 | |
|---|
| 228 | Do some traceroutes to other networks again: |
|---|
| 229 | |
|---|
| 230 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 231 | R11# traceroute 10.20.255.1 |
|---|
| 232 | R11# traceroute 10.30.255.1 |
|---|
| 233 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 234 | |
|---|
| 235 | Has anything changed since the last exercise? |
|---|
| 236 | |
|---|
| 237 | Notice that before we had only one connection to |
|---|
| 238 | the Internet - via the ISP. Now we have two. |
|---|
| 239 | But we are still using a default route pointing |
|---|
| 240 | to the ISP only! |
|---|
| 241 | |
|---|
| 242 | We could add another default route pointing to the |
|---|
| 243 | NREN, but that would not give us much flexibility |
|---|
| 244 | in terms of traffic policies. Keep going. |
|---|
| 245 | |
|---|
| 246 | ## BGP-peer with the NREN and the ISP |
|---|
| 247 | |
|---|
| 248 | 1. Configure eBGP sessions to the ISP and the NREN |
|---|
| 249 | |
|---|
| 250 | On R11: |
|---|
| 251 | |
|---|
| 252 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 253 | router bgp 10 |
|---|
| 254 | address-family ipv4 |
|---|
| 255 | neighbor 10.101.254.1 remote-as 101 |
|---|
| 256 | neighbor 10.101.254.1 description eBGP to NREN1 |
|---|
| 257 | neighbor 10.101.254.1 password NSRC |
|---|
| 258 | address-family ipv6 |
|---|
| 259 | neighbor fd00:101:fe:: remote-as 101 |
|---|
| 260 | neighbor fd00:101:fe:: description eBGP to NREN1 |
|---|
| 261 | neighbor fd00:101:fe:: password NSRC |
|---|
| 262 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 263 | |
|---|
| 264 | **Did you notice that with eBGP we no longer use the |
|---|
| 265 | loopback address as the endpoint of the BGP session, |
|---|
| 266 | as we did with iBGP?** |
|---|
| 267 | |
|---|
| 268 | On R12: |
|---|
| 269 | |
|---|
| 270 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 271 | router bgp 10 |
|---|
| 272 | address-family ipv4 |
|---|
| 273 | neighbor 10.201.254.1 remote-as 201 |
|---|
| 274 | neighbor 10.201.254.1 description eBGP to ISP1 |
|---|
| 275 | neighbor 10.201.254.1 password NSRC |
|---|
| 276 | address-family ipv6 |
|---|
| 277 | neighbor fd00:201:fe:: remote-as 201 |
|---|
| 278 | neighbor fd00:201:fe:: description eBGP to ISP1 |
|---|
| 279 | neighbor fd00:201:fe:: password NSRC |
|---|
| 280 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 281 | |
|---|
| 282 | Check that the BGP sessions are up on both routers: |
|---|
| 283 | |
|---|
| 284 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 285 | show ip bgp summary |
|---|
| 286 | show bgp ipv6 unicast summary |
|---|
| 287 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 288 | |
|---|
| 289 | Verify what you are advertising to the NREN: |
|---|
| 290 | |
|---|
| 291 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 292 | R11# show ip bgp nei 10.101.254.1 advertised-routes |
|---|
| 293 | R11# sh bgp ipv6 uni neigh fd00:101:fe:: advertised |
|---|
| 294 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 295 | |
|---|
| 296 | ... and to the ISP: |
|---|
| 297 | |
|---|
| 298 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 299 | R12# show ip bgp neighbor 10.201.254.1 advertised-routes |
|---|
| 300 | R12# sh bgp ipv6 uni neigh fd00:201:fe:: advertised |
|---|
| 301 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 302 | |
|---|
| 303 | Are you perhaps announcing other prefixes that don't |
|---|
| 304 | originate in your AS? If so, can you remember what |
|---|
| 305 | serious negative implications this could have? |
|---|
| 306 | Ask the instructor if you need clarification. |
|---|
| 307 | |
|---|
| 308 | ## Filter what you send and receive |
|---|
| 309 | |
|---|
| 310 | 1. Create prefix lists for your inbound/outbound |
|---|
| 311 | filters. |
|---|
| 312 | |
|---|
| 313 | On R11: |
|---|
| 314 | |
|---|
| 315 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 316 | ip prefix-list out-peer permit 10.10.0.0/16 le 32 |
|---|
| 317 | ip prefix-list nren-in-peer deny 10.10.0.0/16 le 32 |
|---|
| 318 | ip prefix-list nren-in-peer permit 0.0.0.0/0 le 32 |
|---|
| 319 | ipv6 prefix-list ipv6-out-peer permit fd00:10::/32 le 128 |
|---|
| 320 | ipv6 prefix-list ipv6-nren-in-peer deny fd00:10::/32 le 128 |
|---|
| 321 | ipv6 prefix-list ipv6-nren-in-peer permit ::/0 le 128 |
|---|
| 322 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 323 | |
|---|
| 324 | On R12: |
|---|
| 325 | |
|---|
| 326 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 327 | ip prefix-list out-peer permit 10.10.0.0/16 le 32 |
|---|
| 328 | ip prefix-list isp-in-peer deny 10.10.0.0/16 le 32 |
|---|
| 329 | ip prefix-list isp-in-peer permit 0.0.0.0/0 le 32 |
|---|
| 330 | ipv6 prefix-list ipv6-out-peer permit fd00:10::/32 le 128 |
|---|
| 331 | ipv6 prefix-list ipv6-isp-in-peer deny fd00:10::/32 le 128 |
|---|
| 332 | ipv6 prefix-list ipv6-isp-in-peer permit ::/0 le 128 |
|---|
| 333 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 334 | |
|---|
| 335 | 2. Now create inbound/outbound filters using those |
|---|
| 336 | prefix lists |
|---|
| 337 | |
|---|
| 338 | R11: |
|---|
| 339 | |
|---|
| 340 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 341 | router bgp 10 |
|---|
| 342 | address-family ipv4 |
|---|
| 343 | neighbor 10.101.254.1 prefix-list nren-in-peer in |
|---|
| 344 | neighbor 10.101.254.1 prefix-list out-peer out |
|---|
| 345 | address-family ipv6 |
|---|
| 346 | neighbor fd00:101:fe:: prefix-list ipv6-nren-in-peer in |
|---|
| 347 | neighbor fd00:101:fe:: prefix-list ipv6-out-peer out |
|---|
| 348 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 349 | |
|---|
| 350 | R12: |
|---|
| 351 | |
|---|
| 352 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 353 | router bgp 10 |
|---|
| 354 | address-family ipv4 |
|---|
| 355 | neighbor 10.201.254.1 prefix-list isp-in-peer in |
|---|
| 356 | neighbor 10.201.254.1 prefix-list out-peer out |
|---|
| 357 | address-family ipv6 |
|---|
| 358 | neighbor fd00:201:fe:: prefix-list ipv6-isp-in-peer in |
|---|
| 359 | neighbor fd00:201:fe:: prefix-list ipv6-out-peer out |
|---|
| 360 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 361 | |
|---|
| 362 | Use the *BGP refresh* capability to resend the |
|---|
| 363 | information to the peer: |
|---|
| 364 | |
|---|
| 365 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 366 | R11#clear ip bgp 10.101.254.1 out |
|---|
| 367 | R11#clear bgp ipv6 unicast fd00:101:fe:: out |
|---|
| 368 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 369 | |
|---|
| 370 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 371 | R12#clear ip bgp 10.201.254.1 out |
|---|
| 372 | R12#clear bgp ipv6 unicast fd00:201:fe:: out |
|---|
| 373 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 374 | |
|---|
| 375 | You should now be advertising only both halves of your |
|---|
| 376 | end-user address space. Check with the ISP and |
|---|
| 377 | NREN administrators to make sure that they are |
|---|
| 378 | receiving both routes from you. |
|---|
| 379 | |
|---|
| 380 | *Note: This is a form of load-balancing for |
|---|
| 381 | traffic coming into your AS.* |
|---|
| 382 | |
|---|
| 383 | But wait... that's not your whole address space! |
|---|
| 384 | |
|---|
| 385 | ## Announce your whole address space |
|---|
| 386 | |
|---|
| 387 | On R11 and R12: |
|---|
| 388 | |
|---|
| 389 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 390 | router bgp 10 |
|---|
| 391 | address-family ipv4 |
|---|
| 392 | aggregate-address 10.10.0.0 255.255.0.0 |
|---|
| 393 | address-family ipv6 |
|---|
| 394 | aggregate-address fd00:10::/32 |
|---|
| 395 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 396 | |
|---|
| 397 | Verify again what you are advertising from R11 |
|---|
| 398 | and R12. You should now be announcing three blocks, |
|---|
| 399 | the two halves of your end-user block, and your |
|---|
| 400 | whole address space. |
|---|
| 401 | |
|---|
| 402 | Confirm with the ISP and NREN administrators that |
|---|
| 403 | they are indeed receiving those routes from you. |
|---|
| 404 | |
|---|
| 405 | Announcing your smaller blocks in addition to your |
|---|
| 406 | whole block is a valid configuration. However, it |
|---|
| 407 | has an impact: it increases the size of the global BGP |
|---|
| 408 | routing table, causing more load on Internet backbone |
|---|
| 409 | routers. |
|---|
| 410 | |
|---|
| 411 | Let's assume, just for the sake of this exercise, |
|---|
| 412 | that we don't really need to load-balance our incoming |
|---|
| 413 | traffic like that. |
|---|
| 414 | |
|---|
| 415 | 6. Announce only a summary aggregate |
|---|
| 416 | |
|---|
| 417 | On R11 and R12: |
|---|
| 418 | |
|---|
| 419 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 420 | router bgp 10 |
|---|
| 421 | address-family ipv4 |
|---|
| 422 | aggregate-address 10.10.0.0 255.255.0.0 summary-only |
|---|
| 423 | address-family ipv6 |
|---|
| 424 | aggregate-address fd00:10::/32 summary-only |
|---|
| 425 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 426 | |
|---|
| 427 | Resend the information to the peer: |
|---|
| 428 | |
|---|
| 429 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 430 | R11#clear ip bgp 10.101.254.1 out |
|---|
| 431 | R11#clear bgp ipv6 unicast FD00:101:FE:: out |
|---|
| 432 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 433 | |
|---|
| 434 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 435 | R12#clear ip bgp 10.201.254.1 out |
|---|
| 436 | R12#clear bgp ipv6 unicast FD00:201:FE:: out |
|---|
| 437 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 438 | |
|---|
| 439 | Check again what you are advertising, and confirm |
|---|
| 440 | with your peers. |
|---|
| 441 | |
|---|
| 442 | ### Remove static routes |
|---|
| 443 | |
|---|
| 444 | 1. The ISPs remove their static routes towards |
|---|
| 445 | their customers. |
|---|
| 446 | |
|---|
| 447 | Now your ISP has learned a route to reach your |
|---|
| 448 | network, correct? The ISPs can now safely remove |
|---|
| 449 | the static routes pointing to you and the other |
|---|
| 450 | customers: |
|---|
| 451 | |
|---|
| 452 | ISP1: |
|---|
| 453 | |
|---|
| 454 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 455 | no ip route 10.10.0.0 255.255.0.0 10.201.254.2 |
|---|
| 456 | no ip route 10.20.0.0 255.255.0.0 10.201.254.6 |
|---|
| 457 | no ip route 10.30.0.0 255.255.0.0 10.201.254.10 |
|---|
| 458 | ! |
|---|
| 459 | no ipv6 route fd00:10::/32 fd00:201:fe::1 |
|---|
| 460 | no ipv6 route fd00:20::/32 fd00:201:fe::3 |
|---|
| 461 | no ipv6 route fd00:30::/32 fd00:201:fe::5 |
|---|
| 462 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 463 | |
|---|
| 464 | ISP2: |
|---|
| 465 | |
|---|
| 466 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 467 | no ip route 10.40.0.0 255.255.0.0 10.202.254.2 |
|---|
| 468 | no ip route 10.50.0.0 255.255.0.0 10.202.254.6 |
|---|
| 469 | no ip route 10.60.0.0 255.255.0.0 10.202.254.10 |
|---|
| 470 | ! |
|---|
| 471 | no ipv6 route fd00:40::/32 fd00:202:fe::1 |
|---|
| 472 | no ipv6 route fd00:50::/32 fd00:202:fe::3 |
|---|
| 473 | no ipv6 route fd00:60::/32 fd00:202:fe::5 |
|---|
| 474 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 475 | |
|---|
| 476 | 2. Remove your static default routes |
|---|
| 477 | |
|---|
| 478 | In the previous exercise, we created default |
|---|
| 479 | routes on both routers. But thanks to BGP, we |
|---|
| 480 | should now be receiving routes from our NREN and |
|---|
| 481 | our ISP. |
|---|
| 482 | |
|---|
| 483 | Let's check first (do this on both routers): |
|---|
| 484 | |
|---|
| 485 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 486 | show ip bgp |
|---|
| 487 | show bgp ipv6 unicast |
|---|
| 488 | show ip route |
|---|
| 489 | show ipv6 route |
|---|
| 490 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 491 | |
|---|
| 492 | You should be learning routes advertised by other |
|---|
| 493 | groups, and also from the NRENs and the ISPs. |
|---|
| 494 | |
|---|
| 495 | Remove your static default routes: |
|---|
| 496 | |
|---|
| 497 | R11: |
|---|
| 498 | |
|---|
| 499 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 500 | no ip route 0.0.0.0 0.0.0.0 10.10.254.2 |
|---|
| 501 | no ipv6 route ::/0 fd00:10:fe::1 |
|---|
| 502 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 503 | |
|---|
| 504 | R12: |
|---|
| 505 | |
|---|
| 506 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 507 | no ip route 0.0.0.0 0.0.0.0 10.201.254.1 |
|---|
| 508 | no ipv6 route ::/0 fd00:201:fe:: |
|---|
| 509 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 510 | |
|---|
| 511 | You should be able to ping any other router now. |
|---|
| 512 | If you can't, wait for other groups to finish, |
|---|
| 513 | or ask the instructors. |
|---|
| 514 | |
|---|
| 515 | Use traceroute to verify the paths that packets |
|---|
| 516 | are following towards various destinations: |
|---|
| 517 | |
|---|
| 518 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 519 | R11# traceroute 10.100.255.1 |
|---|
| 520 | R11# traceroute 10.30.255.2 |
|---|
| 521 | ... |
|---|
| 522 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 523 | |
|---|
| 524 | Repeat the same tests from the other router in |
|---|
| 525 | your AS and compare. Use the diagram to help you |
|---|
| 526 | visualize it. |
|---|
| 527 | |
|---|
| 528 | # Traffic Exchange (Peering) |
|---|
| 529 | |
|---|
| 530 | Direct traffic exchanges are usually established at no |
|---|
| 531 | charge between two autonomous systems that want to save |
|---|
| 532 | costs. The savings are achieved by not having to carry |
|---|
| 533 | that traffic over expensive transit links via commercial |
|---|
| 534 | providers. Also, these direct exchanges have the added |
|---|
| 535 | benefit of reducing latency because there are fewer hops. |
|---|
| 536 | |
|---|
| 537 | Usually traffic exchanges occur at public exchange points, |
|---|
| 538 | also known as IXPs. The simplest kind of exchange point is |
|---|
| 539 | a Layer-2 switch. In this exercise, we will simply configure |
|---|
| 540 | direct links between routers, which is basically the same |
|---|
| 541 | thing as connecting through a switch. |
|---|
| 542 | |
|---|
| 543 |  |
|---|
| 544 | |
|---|
| 545 | ## Connect to your neighbor AS |
|---|
| 546 | |
|---|
| 547 | 1. Configure a point to point link to your neighbor AS |
|---|
| 548 | as shown in the diagram. You will have to agree with |
|---|
| 549 | your peer on which address space to use. Make sure to |
|---|
| 550 | pick a point-to-point subnet that is not already used! |
|---|
| 551 | |
|---|
| 552 | The instructor will draw a map of the network at the front |
|---|
| 553 | of the class and will ask you to document the subnet |
|---|
| 554 | that was used for the peering session, so everybody can |
|---|
| 555 | use that information when troubleshooting. |
|---|
| 556 | |
|---|
| 557 | For example, on R12: |
|---|
| 558 | |
|---|
| 559 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 560 | interface GigabitEthernet3/0 |
|---|
| 561 | description Link to R21 |
|---|
| 562 | ip address 10.10.254.5 255.255.255.252 |
|---|
| 563 | ipv6 address fd00:10:fe::2/127 |
|---|
| 564 | no shutdown |
|---|
| 565 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 566 | |
|---|
| 567 | 2. Configure prefix lists for your inbound filters |
|---|
| 568 | |
|---|
| 569 | On R12: |
|---|
| 570 | |
|---|
| 571 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 572 | ip prefix-list AS20-in-peer permit 10.20.0.0/16 le 32 |
|---|
| 573 | ipv6 prefix-list ipv6-AS20-in-peer permit fd00:20::/32 le 128 |
|---|
| 574 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 575 | |
|---|
| 576 | *The equivalent needs to be done in R21.* |
|---|
| 577 | |
|---|
| 578 | 3. Configure prefix lists for your outbound filters |
|---|
| 579 | |
|---|
| 580 | You should have these from a previous step. You can verify |
|---|
| 581 | like this: |
|---|
| 582 | |
|---|
| 583 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 584 | R12#show ip prefix-list out-peer |
|---|
| 585 | R12#show ipv6 prefix-list ipv6-out-peer |
|---|
| 586 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 587 | |
|---|
| 588 | 4. Now create the BGP sessions and apply those |
|---|
| 589 | inbound/outbound filters: |
|---|
| 590 | |
|---|
| 591 | On R12: |
|---|
| 592 | |
|---|
| 593 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 594 | router bgp 10 |
|---|
| 595 | address-family ipv4 |
|---|
| 596 | neighbor 10.10.254.6 remote-as 20 |
|---|
| 597 | neighbor 10.10.254.6 description eBGP to AS20 |
|---|
| 598 | neighbor 10.10.254.6 password NSRC |
|---|
| 599 | neighbor 10.10.254.6 prefix-list out-peer out |
|---|
| 600 | neighbor 10.10.254.6 prefix-list AS20-in-peer in |
|---|
| 601 | address-family ipv6 |
|---|
| 602 | neighbor fd00:10:fe::3 remote-as 20 |
|---|
| 603 | neighbor fd00:10:fe::3 description eBGP to AS20 |
|---|
| 604 | neighbor fd00:10:fe::3 password NSRC |
|---|
| 605 | neighbor fd00:10:fe::3 prefix-list ipv6-out-peer out |
|---|
| 606 | neighbor fd00:10:fe::3 prefix-list ipv6-AS20-in-peer in |
|---|
| 607 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 608 | |
|---|
| 609 | The equivalent needs to be done in R21. |
|---|
| 610 | |
|---|
| 611 | Verify that the sessions are up: |
|---|
| 612 | |
|---|
| 613 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 614 | show ip bgp summary |
|---|
| 615 | show ipv6 bgp unicast summary |
|---|
| 616 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 617 | |
|---|
| 618 | ..and that you are learning the prefix directly |
|---|
| 619 | from the neighbor: |
|---|
| 620 | |
|---|
| 621 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 622 | R12#show ip bgp neighbor 10.10.254.6 routes |
|---|
| 623 | R12#show bgp ipv6 unicast neighbors fd00:10:fe::3 routes |
|---|
| 624 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 625 | |
|---|
| 626 | 5. Do some traceroutes towards your peer and |
|---|
| 627 | make sure that the path is direct. |
|---|
| 628 | |
|---|
| 629 | |
|---|
| 630 | Remember to save your configurations. |
|---|
| 631 | |
|---|
| 632 | You are done! You have configured BGP in a multihomed |
|---|
| 633 | environment and BGP is selecting the paths based on |
|---|
| 634 | default values. |
|---|
| 635 | |
|---|
| 636 | |
|---|
| 637 | \pagebreak |
|---|
| 638 | |
|---|
| 639 | # Appendix A - RREN Configuration |
|---|
| 640 | |
|---|
| 641 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 642 | hostname RREN |
|---|
| 643 | aaa new-model |
|---|
| 644 | aaa authentication login default local |
|---|
| 645 | aaa authentication enable default enable |
|---|
| 646 | username nsrc secret nsrc |
|---|
| 647 | enable secret nsrc |
|---|
| 648 | service password-encryption |
|---|
| 649 | line vty 0 4 |
|---|
| 650 | transport preferred none |
|---|
| 651 | line console 0 |
|---|
| 652 | transport preferred none |
|---|
| 653 | no logging console |
|---|
| 654 | logging buffered 8192 debugging |
|---|
| 655 | no ip domain-lookup |
|---|
| 656 | ip subnet-zero |
|---|
| 657 | ip classless |
|---|
| 658 | no ip source-route |
|---|
| 659 | ipv6 unicast-routing |
|---|
| 660 | ! |
|---|
| 661 | interface Loopback0 |
|---|
| 662 | ip address 10.100.255.1 255.255.255.255 |
|---|
| 663 | ipv6 address fd00:100:ff::1/128 |
|---|
| 664 | ! |
|---|
| 665 | interface GigabitEthernet1/0 |
|---|
| 666 | description P2P Link to RREN1 |
|---|
| 667 | ip address 10.100.254.1 255.255.255.252 |
|---|
| 668 | ipv6 address fd00:100:fe::/127 |
|---|
| 669 | no shutdown |
|---|
| 670 | ! |
|---|
| 671 | interface GigabitEthernet2/0 |
|---|
| 672 | description P2P Link to RREN2 |
|---|
| 673 | ip address 10.100.254.5 255.255.255.252 |
|---|
| 674 | ipv6 address fd00:100:fe::2/127 |
|---|
| 675 | no shutdown |
|---|
| 676 | ! |
|---|
| 677 | interface GigabitEthernet3/0 |
|---|
| 678 | description Link to IXP |
|---|
| 679 | ip address 10.251.1.3 255.255.255.0 |
|---|
| 680 | ipv6 address fd00:251:1::3/64 |
|---|
| 681 | no shutdown |
|---|
| 682 | ! |
|---|
| 683 | router bgp 100 |
|---|
| 684 | bgp log-neighbor-changes |
|---|
| 685 | no synchronization |
|---|
| 686 | no auto-summary |
|---|
| 687 | no bgp default ipv4-unicast |
|---|
| 688 | distance bgp 200 200 200 |
|---|
| 689 | address-family ipv4 |
|---|
| 690 | network 10.100.0.0 mask 255.255.0.0 |
|---|
| 691 | neighbor 10.100.254.2 remote-as 101 |
|---|
| 692 | neighbor 10.100.254.2 description eBGP to AS101 |
|---|
| 693 | neighbor 10.100.254.2 password NSRC |
|---|
| 694 | neighbor 10.100.254.6 remote-as 102 |
|---|
| 695 | neighbor 10.100.254.6 description eBGP to AS102 |
|---|
| 696 | neighbor 10.100.254.6 password NSRC |
|---|
| 697 | neighbor 10.251.1.1 remote-as 201 |
|---|
| 698 | neighbor 10.251.1.1 description eBGP to AS201 |
|---|
| 699 | neighbor 10.251.1.1 password NSRC |
|---|
| 700 | neighbor 10.251.1.2 remote-as 202 |
|---|
| 701 | neighbor 10.251.1.2 description eBGP to AS202 |
|---|
| 702 | neighbor 10.251.1.2 password NSRC |
|---|
| 703 | address-family ipv6 |
|---|
| 704 | network fd00:100::/32 |
|---|
| 705 | neighbor fd00:100:fe::1 remote-as 101 |
|---|
| 706 | neighbor fd00:100:fe::1 description eBGP to AS101 |
|---|
| 707 | neighbor fd00:100:fe::1 password NSRC |
|---|
| 708 | neighbor fd00:100:fe::3 remote-as 102 |
|---|
| 709 | neighbor fd00:100:fe::3 description eBGP to AS102 |
|---|
| 710 | neighbor fd00:100:fe::3 password NSRC |
|---|
| 711 | neighbor fd00:251:1::1 remote-as 201 |
|---|
| 712 | neighbor fd00:251:1::1 description eBGP to AS201 |
|---|
| 713 | neighbor fd00:251:1::1 password NSRC |
|---|
| 714 | neighbor fd00:251:1::2 remote-as 202 |
|---|
| 715 | neighbor fd00:251:1::2 description eBGP to AS202 |
|---|
| 716 | neighbor fd00:251:1::2 password NSRC |
|---|
| 717 | |
|---|
| 718 | ! |
|---|
| 719 | ip route 10.100.0.0 255.255.0.0 null0 |
|---|
| 720 | ipv6 route fd00:100::/32 null0 |
|---|
| 721 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 722 | |
|---|
| 723 | |
|---|
| 724 | \pagebreak |
|---|
| 725 | |
|---|
| 726 | # Appendix B - NREN1 Configuration |
|---|
| 727 | |
|---|
| 728 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 729 | hostname NREN1 |
|---|
| 730 | aaa new-model |
|---|
| 731 | aaa authentication login default local |
|---|
| 732 | aaa authentication enable default enable |
|---|
| 733 | username nsrc secret nsrc |
|---|
| 734 | enable secret nsrc |
|---|
| 735 | service password-encryption |
|---|
| 736 | line vty 0 4 |
|---|
| 737 | transport preferred none |
|---|
| 738 | line console 0 |
|---|
| 739 | transport preferred none |
|---|
| 740 | no logging console |
|---|
| 741 | logging buffered 8192 debugging |
|---|
| 742 | no ip domain-lookup |
|---|
| 743 | ip subnet-zero |
|---|
| 744 | ip classless |
|---|
| 745 | no ip source-route |
|---|
| 746 | ipv6 unicast-routing |
|---|
| 747 | ! |
|---|
| 748 | interface Loopback0 |
|---|
| 749 | ip address 10.101.255.1 255.255.255.255 |
|---|
| 750 | ipv6 address fd00:101:ff::1/128 |
|---|
| 751 | ! |
|---|
| 752 | interface GigabitEthernet1/0 |
|---|
| 753 | description P2P Link to RREN |
|---|
| 754 | ip address 10.100.254.2 255.255.255.252 |
|---|
| 755 | ipv6 address fd00:100:fe::1/127 |
|---|
| 756 | no shutdown |
|---|
| 757 | ! |
|---|
| 758 | interface GigabitEthernet2/0 |
|---|
| 759 | description P2P Link to ISP1 |
|---|
| 760 | ip address 10.101.254.13 255.255.255.252 |
|---|
| 761 | ipv6 address fd00:101:fe::6/127 |
|---|
| 762 | no shutdown |
|---|
| 763 | ! |
|---|
| 764 | interface GigabitEthernet3/0 |
|---|
| 765 | description P2P Link to R11 |
|---|
| 766 | ip address 10.101.254.1 255.255.255.252 |
|---|
| 767 | ipv6 address fd00:101:fe::0/127 |
|---|
| 768 | no shutdown |
|---|
| 769 | ! |
|---|
| 770 | interface GigabitEthernet4/0 |
|---|
| 771 | description P2P Link to R21 |
|---|
| 772 | ip address 10.101.254.5 255.255.255.252 |
|---|
| 773 | ipv6 address fd00:101:fe::2/127 |
|---|
| 774 | no shutdown |
|---|
| 775 | ! |
|---|
| 776 | interface GigabitEthernet5/0 |
|---|
| 777 | description P2P Link to R31 |
|---|
| 778 | ip address 10.101.254.9 255.255.255.252 |
|---|
| 779 | ipv6 address fd00:101:fe::4/127 |
|---|
| 780 | no shutdown |
|---|
| 781 | ! |
|---|
| 782 | ip prefix-list AS10-in-peer permit 10.10.0.0/16 le 32 |
|---|
| 783 | ipv6 prefix-list ipv6-AS10-in-peer permit fd00:10::/32 le 128 |
|---|
| 784 | ! |
|---|
| 785 | ip prefix-list AS20-in-peer permit 10.20.0.0/16 le 32 |
|---|
| 786 | ipv6 prefix-list ipv6-AS20-in-peer permit fd00:20::/32 le 128 |
|---|
| 787 | ! |
|---|
| 788 | ip prefix-list AS30-in-peer permit 10.30.0.0/16 le 32 |
|---|
| 789 | ipv6 prefix-list ipv6-AS30-in-peer permit fd00:30::/32 le 128 |
|---|
| 790 | ! |
|---|
| 791 | router bgp 101 |
|---|
| 792 | bgp log-neighbor-changes |
|---|
| 793 | no synchronization |
|---|
| 794 | no auto-summary |
|---|
| 795 | no bgp default ipv4-unicast |
|---|
| 796 | distance bgp 200 200 200 |
|---|
| 797 | address-family ipv4 |
|---|
| 798 | network 10.101.0.0 mask 255.255.0.0 |
|---|
| 799 | neighbor 10.101.254.2 remote-as 10 |
|---|
| 800 | neighbor 10.101.254.2 description eBGP to AS10 |
|---|
| 801 | neighbor 10.101.254.2 password NSRC |
|---|
| 802 | neighbor 10.101.254.2 prefix-list AS10-in-peer in |
|---|
| 803 | neighbor 10.101.254.6 remote-as 20 |
|---|
| 804 | neighbor 10.101.254.6 description eBGP to AS20 |
|---|
| 805 | neighbor 10.101.254.6 password NSRC |
|---|
| 806 | neighbor 10.101.254.6 prefix-list AS20-in-peer in |
|---|
| 807 | neighbor 10.101.254.10 remote-as 30 |
|---|
| 808 | neighbor 10.101.254.10 description eBGP to AS30 |
|---|
| 809 | neighbor 10.101.254.10 password NSRC |
|---|
| 810 | neighbor 10.101.254.10 prefix-list AS30-in-peer in |
|---|
| 811 | neighbor 10.101.254.14 remote-as 201 |
|---|
| 812 | neighbor 10.101.254.14 description eBGP to AS201 |
|---|
| 813 | neighbor 10.101.254.14 password NSRC |
|---|
| 814 | neighbor 10.100.254.1 remote-as 100 |
|---|
| 815 | neighbor 10.100.254.1 description eBGP to AS100 |
|---|
| 816 | neighbor 10.100.254.1 password NSRC |
|---|
| 817 | address-family ipv6 |
|---|
| 818 | network fd00:101::/32 |
|---|
| 819 | neighbor fd00:101:fe::1 remote-as 10 |
|---|
| 820 | neighbor fd00:101:fe::1 description eBGP to AS10 |
|---|
| 821 | neighbor fd00:101:fe::1 password NSRC |
|---|
| 822 | neighbor fd00:101:fe::1 prefix-list ipv6-AS10-in-peer in |
|---|
| 823 | neighbor fd00:101:fe::3 remote-as 20 |
|---|
| 824 | neighbor fd00:101:fe::3 description eBGP to AS20 |
|---|
| 825 | neighbor fd00:101:fe::3 password NSRC |
|---|
| 826 | neighbor fd00:101:fe::3 prefix-list ipv6-AS20-in-peer in |
|---|
| 827 | neighbor fd00:101:fe::5 remote-as 30 |
|---|
| 828 | neighbor fd00:101:fe::5 description eBGP to AS30 |
|---|
| 829 | neighbor fd00:101:fe::5 password NSRC |
|---|
| 830 | neighbor fd00:101:fe::5 prefix-list ipv6-AS30-in-peer in |
|---|
| 831 | neighbor fd00:201:fe::8 remote-as 201 |
|---|
| 832 | neighbor fd00:201:fe::8 description eBGP to AS201 |
|---|
| 833 | neighbor fd00:201:fe::8 password NSRC |
|---|
| 834 | neighbor fd00:100:fe:: remote-as 100 |
|---|
| 835 | neighbor fd00:100:fe:: description eBGP to AS100 |
|---|
| 836 | neighbor fd00:100:fe:: password NSRC |
|---|
| 837 | ! |
|---|
| 838 | ip route 10.101.0.0 255.255.0.0 null0 |
|---|
| 839 | ipv6 route fd00:101::/32 null0 |
|---|
| 840 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 841 | |
|---|
| 842 | \pagebreak |
|---|
| 843 | |
|---|
| 844 | # Appendix C - NREN2 Configuration |
|---|
| 845 | |
|---|
| 846 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 847 | hostname NREN2 |
|---|
| 848 | aaa new-model |
|---|
| 849 | aaa authentication login default local |
|---|
| 850 | aaa authentication enable default enable |
|---|
| 851 | username nsrc secret nsrc |
|---|
| 852 | enable secret nsrc |
|---|
| 853 | service password-encryption |
|---|
| 854 | line vty 0 4 |
|---|
| 855 | transport preferred none |
|---|
| 856 | line console 0 |
|---|
| 857 | transport preferred none |
|---|
| 858 | no logging console |
|---|
| 859 | logging buffered 8192 debugging |
|---|
| 860 | no ip domain-lookup |
|---|
| 861 | ip subnet-zero |
|---|
| 862 | ip classless |
|---|
| 863 | no ip source-route |
|---|
| 864 | ipv6 unicast-routing |
|---|
| 865 | ! |
|---|
| 866 | interface Loopback0 |
|---|
| 867 | ip address 10.102.255.1 255.255.255.255 |
|---|
| 868 | ipv6 address fd00:102:ff::1/128 |
|---|
| 869 | ! |
|---|
| 870 | interface GigabitEthernet1/0 |
|---|
| 871 | description P2P Link to RREN |
|---|
| 872 | ip address 10.100.254.6 255.255.255.252 |
|---|
| 873 | ipv6 address fd00:100:fe::3/127 |
|---|
| 874 | no shutdown |
|---|
| 875 | ! |
|---|
| 876 | interface GigabitEthernet2/0 |
|---|
| 877 | description P2P Link to ISP2 |
|---|
| 878 | ip address 10.102.254.13 255.255.255.252 |
|---|
| 879 | ipv6 address fd00:102:fe::6/127 |
|---|
| 880 | no shutdown |
|---|
| 881 | ! |
|---|
| 882 | interface GigabitEthernet3/0 |
|---|
| 883 | description P2P Link to R41 |
|---|
| 884 | ip address 10.102.254.1 255.255.255.252 |
|---|
| 885 | ipv6 address fd00:102:fe::0/127 |
|---|
| 886 | no shutdown |
|---|
| 887 | ! |
|---|
| 888 | interface GigabitEthernet4/0 |
|---|
| 889 | description P2P Link to R51 |
|---|
| 890 | ip address 10.102.254.5 255.255.255.252 |
|---|
| 891 | ipv6 address fd00:102:fe::2/127 |
|---|
| 892 | no shutdown |
|---|
| 893 | ! |
|---|
| 894 | interface GigabitEthernet5/0 |
|---|
| 895 | description P2P Link to R61 |
|---|
| 896 | ip address 10.102.254.9 255.255.255.252 |
|---|
| 897 | ipv6 address fd00:102:fe::4/127 |
|---|
| 898 | no shutdown |
|---|
| 899 | ! |
|---|
| 900 | ip prefix-list AS40-in-peer permit 10.40.0.0/16 le 32 |
|---|
| 901 | ipv6 prefix-list ipv6-AS40-in-peer permit fd00:40::/32 le 128 |
|---|
| 902 | ! |
|---|
| 903 | ip prefix-list AS50-in-peer permit 10.50.0.0/16 le 32 |
|---|
| 904 | ipv6 prefix-list ipv6-AS50-in-peer permit fd00:50::/32 le 128 |
|---|
| 905 | ! |
|---|
| 906 | ip prefix-list AS60-in-peer permit 10.60.0.0/16 le 32 |
|---|
| 907 | ipv6 prefix-list ipv6-AS60-in-peer permit fd00:60::/32 le 128 |
|---|
| 908 | ! |
|---|
| 909 | router bgp 102 |
|---|
| 910 | bgp log-neighbor-changes |
|---|
| 911 | no synchronization |
|---|
| 912 | no auto-summary |
|---|
| 913 | no bgp default ipv4-unicast |
|---|
| 914 | distance bgp 200 200 200 |
|---|
| 915 | address-family ipv4 |
|---|
| 916 | network 10.102.0.0 mask 255.255.0.0 |
|---|
| 917 | neighbor 10.102.254.2 remote-as 40 |
|---|
| 918 | neighbor 10.102.254.2 description eBGP to AS40 |
|---|
| 919 | neighbor 10.102.254.2 password NSRC |
|---|
| 920 | neighbor 10.102.254.2 prefix-list AS40-in-peer in |
|---|
| 921 | neighbor 10.102.254.6 remote-as 50 |
|---|
| 922 | neighbor 10.102.254.6 description eBGP to AS50 |
|---|
| 923 | neighbor 10.102.254.6 password NSRC |
|---|
| 924 | neighbor 10.102.254.6 prefix-list AS50-in-peer in |
|---|
| 925 | neighbor 10.102.254.10 remote-as 60 |
|---|
| 926 | neighbor 10.102.254.10 description eBGP to AS60 |
|---|
| 927 | neighbor 10.102.254.10 password NSRC |
|---|
| 928 | neighbor 10.102.254.10 prefix-list AS60-in-peer in |
|---|
| 929 | neighbor 10.102.254.14 remote-as 202 |
|---|
| 930 | neighbor 10.102.254.14 description eBGP to AS202 |
|---|
| 931 | neighbor 10.102.254.14 password NSRC |
|---|
| 932 | neighbor 10.100.254.5 remote-as 100 |
|---|
| 933 | neighbor 10.100.254.5 description eBGP to AS100 |
|---|
| 934 | neighbor 10.100.254.5 password NSRC |
|---|
| 935 | address-family ipv6 |
|---|
| 936 | network fd00:102::/32 |
|---|
| 937 | neighbor fd00:102:fe::1 remote-as 40 |
|---|
| 938 | neighbor fd00:102:fe::1 description eBGP to AS40 |
|---|
| 939 | neighbor fd00:102:fe::1 password NSRC |
|---|
| 940 | neighbor fd00:102:fe::1 prefix-list ipv6-AS40-in-peer in |
|---|
| 941 | neighbor fd00:102:fe::3 remote-as 50 |
|---|
| 942 | neighbor fd00:102:fe::3 description eBGP to AS50 |
|---|
| 943 | neighbor fd00:102:fe::3 password NSRC |
|---|
| 944 | neighbor fd00:102:fe::3 prefix-list ipv6-AS50-in-peer in |
|---|
| 945 | neighbor fd00:102:fe::5 remote-as 60 |
|---|
| 946 | neighbor fd00:102:fe::5 description eBGP to AS60 |
|---|
| 947 | neighbor fd00:102:fe::5 password NSRC |
|---|
| 948 | neighbor fd00:102:fe::5 prefix-list ipv6-AS60-in-peer in |
|---|
| 949 | neighbor fd00:102:fe::7 remote-as 202 |
|---|
| 950 | neighbor fd00:102:fe::7 description eBGP to AS202 |
|---|
| 951 | neighbor fd00:102:fe::7 password NSRC |
|---|
| 952 | neighbor fd00:100:fe::2 remote-as 100 |
|---|
| 953 | neighbor fd00:100:fe::2 description eBGP to AS100 |
|---|
| 954 | neighbor fd00:100:fe::2 password NSRC |
|---|
| 955 | ! |
|---|
| 956 | ip route 10.102.0.0 255.255.0.0 null0 |
|---|
| 957 | ipv6 route fd00:102::/32 null0 |
|---|
| 958 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 959 | |
|---|
| 960 | |
|---|
| 961 | |
|---|
| 962 | \pagebreak |
|---|
| 963 | |
|---|
| 964 | # Appendix D - ISP1 Configuration |
|---|
| 965 | |
|---|
| 966 | Note: *This is in addition to what was configured |
|---|
| 967 | in the previous exercise*. |
|---|
| 968 | |
|---|
| 969 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 970 | interface GigabitEthernet2/0 |
|---|
| 971 | description P2P Link to NREN1 |
|---|
| 972 | ip address 10.101.254.14 255.255.255.252 |
|---|
| 973 | ipv6 address fd00:101:fe::7/127 |
|---|
| 974 | no shutdown |
|---|
| 975 | ! |
|---|
| 976 | ip prefix-list AS10-in-peer permit 10.10.0.0/16 le 32 |
|---|
| 977 | ipv6 prefix-list ipv6-AS10-in-peer permit fd00:10::/32 le 128 |
|---|
| 978 | ip prefix-list AS20-in-peer permit 10.20.0.0/16 le 32 |
|---|
| 979 | ipv6 prefix-list ipv6-AS20-in-peer permit fd00:20::/32 le 128 |
|---|
| 980 | ip prefix-list AS30-in-peer permit 10.30.0.0/16 le 32 |
|---|
| 981 | ipv6 prefix-list ipv6-AS30-in-peer permit fd00:30::/32 le 128 |
|---|
| 982 | ! |
|---|
| 983 | router bgp 201 |
|---|
| 984 | bgp log-neighbor-changes |
|---|
| 985 | no synchronization |
|---|
| 986 | no auto-summary |
|---|
| 987 | no bgp default ipv4-unicast |
|---|
| 988 | bgp deterministic-med |
|---|
| 989 | distance bgp 200 200 200 |
|---|
| 990 | address-family ipv4 |
|---|
| 991 | network 10.201.0.0 mask 255.255.0.0 |
|---|
| 992 | neighbor 10.201.254.2 remote-as 10 |
|---|
| 993 | neighbor 10.201.254.2 description eBGP to AS10 |
|---|
| 994 | neighbor 10.201.254.2 password NSRC |
|---|
| 995 | neighbor 10.201.254.2 prefix-list AS10-in-peer in |
|---|
| 996 | neighbor 10.201.254.6 remote-as 20 |
|---|
| 997 | neighbor 10.201.254.6 description eBGP to AS20 |
|---|
| 998 | neighbor 10.201.254.6 password NSRC |
|---|
| 999 | neighbor 10.201.254.6 prefix-list AS20-in-peer in |
|---|
| 1000 | neighbor 10.201.254.10 remote-as 30 |
|---|
| 1001 | neighbor 10.201.254.10 description eBGP to AS30 |
|---|
| 1002 | neighbor 10.201.254.10 password NSRC |
|---|
| 1003 | neighbor 10.201.254.10 prefix-list AS30-in-peer in |
|---|
| 1004 | neighbor 10.101.254.13 remote-as 101 |
|---|
| 1005 | neighbor 10.101.254.13 description eBGP to AS101 |
|---|
| 1006 | neighbor 10.101.254.13 password NSRC |
|---|
| 1007 | neighbor 10.251.1.2 remote-as 202 |
|---|
| 1008 | neighbor 10.251.1.2 description eBGP to AS202 |
|---|
| 1009 | neighbor 10.251.1.2 password NSRC |
|---|
| 1010 | neighbor 10.251.1.3 remote-as 100 |
|---|
| 1011 | neighbor 10.251.1.3 description eBGP to AS100 |
|---|
| 1012 | neighbor 10.251.1.3 password NSRC |
|---|
| 1013 | address-family ipv6 |
|---|
| 1014 | network fd00:201::/32 |
|---|
| 1015 | neighbor fd00:201:fe::1 remote-as 10 |
|---|
| 1016 | neighbor fd00:201:fe::1 description eBGP to AS10 |
|---|
| 1017 | neighbor fd00:201:fe::1 password NSRC |
|---|
| 1018 | neighbor fd00:201:fe::1 prefix-list AS10-in-peer in |
|---|
| 1019 | neighbor fd00:201:fe::3 remote-as 20 |
|---|
| 1020 | neighbor fd00:201:fe::3 description eBGP to AS20 |
|---|
| 1021 | neighbor fd00:201:fe::3 password NSRC |
|---|
| 1022 | neighbor fd00:201:fe::3 prefix-list AS20-in-peer in |
|---|
| 1023 | neighbor fd00:201:fe::5 remote-as 30 |
|---|
| 1024 | neighbor fd00:201:fe::5 description eBGP to AS30 |
|---|
| 1025 | neighbor fd00:201:fe::5 password NSRC |
|---|
| 1026 | neighbor fd00:201:fe::5 prefix-list AS30-in-peer in |
|---|
| 1027 | neighbor fd00:101:fe::6 remote-as 101 |
|---|
| 1028 | neighbor fd00:101:fe::6 description eBGP to AS101 |
|---|
| 1029 | neighbor fd00:101:fe::6 password NSRC |
|---|
| 1030 | neighbor fd00:251:1::2 remote-as 202 |
|---|
| 1031 | neighbor fd00:251:1::2 description eBGP to AS202 |
|---|
| 1032 | neighbor fd00:251:1::2 password NSRC |
|---|
| 1033 | neighbor fd00:251:1::3 remote-as 100 |
|---|
| 1034 | neighbor fd00:251:1::3 description eBGP to AS100 |
|---|
| 1035 | neighbor fd00:251:1::3 password NSRC |
|---|
| 1036 | ! |
|---|
| 1037 | ip route 10.201.0.0 255.255.0.0 null0 |
|---|
| 1038 | ipv6 route fd00:201::/32 null0 |
|---|
| 1039 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 1040 | |
|---|
| 1041 | # Appendix E - ISP2 Configuration |
|---|
| 1042 | |
|---|
| 1043 | Note: *This is in addition to what was configured |
|---|
| 1044 | in the previous exercise*. |
|---|
| 1045 | |
|---|
| 1046 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 1047 | interface GigabitEthernet2/0 |
|---|
| 1048 | description P2P Link to NREN2 |
|---|
| 1049 | ip address 10.102.254.14 255.255.255.252 |
|---|
| 1050 | ipv6 address fd00:102:fe::7/127 |
|---|
| 1051 | no shutdown |
|---|
| 1052 | ! |
|---|
| 1053 | ip prefix-list AS40-in-peer permit 10.40.0.0/16 le 32 |
|---|
| 1054 | ipv6 prefix-list ipv6-AS40-in-peer permit fd00:40::/32 le 128 |
|---|
| 1055 | ip prefix-list AS50-in-peer permit 10.50.0.0/16 le 32 |
|---|
| 1056 | ipv6 prefix-list ipv6-AS50-in-peer permit fd00:50::/32 le 128 |
|---|
| 1057 | ip prefix-list AS60-in-peer permit 10.60.0.0/16 le 32 |
|---|
| 1058 | ipv6 prefix-list ipv6-AS60-in-peer permit fd00:60::/32 le 128 |
|---|
| 1059 | ! |
|---|
| 1060 | router bgp 202 |
|---|
| 1061 | bgp log-neighbor-changes |
|---|
| 1062 | no synchronization |
|---|
| 1063 | no auto-summary |
|---|
| 1064 | no bgp default ipv4-unicast |
|---|
| 1065 | distance bgp 200 200 200 |
|---|
| 1066 | address-family ipv4 |
|---|
| 1067 | network 10.202.0.0 mask 255.255.0.0 |
|---|
| 1068 | neighbor 10.202.254.2 remote-as 40 |
|---|
| 1069 | neighbor 10.202.254.2 description eBGP to AS40 |
|---|
| 1070 | neighbor 10.202.254.2 password NSRC |
|---|
| 1071 | neighbor 10.202.254.2 prefix-list AS40-in-peer in |
|---|
| 1072 | neighbor 10.202.254.6 remote-as 50 |
|---|
| 1073 | neighbor 10.202.254.6 description eBGP to AS50 |
|---|
| 1074 | neighbor 10.202.254.6 password NSRC |
|---|
| 1075 | neighbor 10.202.254.6 prefix-list AS50-in-peer in |
|---|
| 1076 | neighbor 10.202.254.10 remote-as 60 |
|---|
| 1077 | neighbor 10.202.254.10 description eBGP to AS60 |
|---|
| 1078 | neighbor 10.202.254.10 password NSRC |
|---|
| 1079 | neighbor 10.202.254.10 prefix-list AS60-in-peer in |
|---|
| 1080 | neighbor 10.102.254.13 remote-as 102 |
|---|
| 1081 | neighbor 10.102.254.13 description eBGP to AS102 |
|---|
| 1082 | neighbor 10.102.254.13 password NSRC |
|---|
| 1083 | neighbor 10.251.1.1 remote-as 201 |
|---|
| 1084 | neighbor 10.251.1.1 description eBGP to AS201 |
|---|
| 1085 | neighbor 10.251.1.1 password NSRC |
|---|
| 1086 | neighbor 10.251.1.3 remote-as 100 |
|---|
| 1087 | neighbor 10.251.1.3 description eBGP to AS100 |
|---|
| 1088 | neighbor 10.251.1.3 password NSRC |
|---|
| 1089 | address-family ipv6 |
|---|
| 1090 | network fd00:202::/32 |
|---|
| 1091 | neighbor fd00:202:fe::1 remote-as 40 |
|---|
| 1092 | neighbor fd00:202:fe::1 description eBGP to AS40 |
|---|
| 1093 | neighbor fd00:202:fe::1 password NSRC |
|---|
| 1094 | neighbor fd00:202:fe::1 prefix-list ipv6-AS40-in-peer in |
|---|
| 1095 | neighbor fd00:202:fe::3 remote-as 50 |
|---|
| 1096 | neighbor fd00:202:fe::3 description eBGP to AS50 |
|---|
| 1097 | neighbor fd00:202:fe::3 password NSRC |
|---|
| 1098 | neighbor fd00:202:fe::3 prefix-list ipv6-AS50-in-peer in |
|---|
| 1099 | neighbor fd00:202:fe::5 remote-as 60 |
|---|
| 1100 | neighbor fd00:202:fe::5 description eBGP to AS60 |
|---|
| 1101 | neighbor fd00:202:fe::5 password NSRC |
|---|
| 1102 | neighbor fd00:202:fe::5 prefix-list ipv6-AS60-in-peer in |
|---|
| 1103 | neighbor fd00:102:fe::7 remote-as 102 |
|---|
| 1104 | neighbor fd00:102:fe::7 description eBGP to AS102 |
|---|
| 1105 | neighbor fd00:102:fe::7 password NSRC |
|---|
| 1106 | neighbor fd00:251:1::1 remote-as 201 |
|---|
| 1107 | neighbor fd00:251:1::1 description eBGP to AS201 |
|---|
| 1108 | neighbor fd00:251:1::1 password NSRC |
|---|
| 1109 | neighbor fd00:251:1::3 remote-as 100 |
|---|
| 1110 | neighbor fd00:251:1::3 description eBGP to AS100 |
|---|
| 1111 | neighbor fd00:251:1::3 password NSRC |
|---|
| 1112 | ! |
|---|
| 1113 | ip route 10.202.0.0 255.255.0.0 null0 |
|---|
| 1114 | ipv6 route fd00:202::/32 null0 |
|---|
| 1115 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| 1116 | |
|---|
| 1117 | |
|---|