BGP Lab Exercise 1
------------------

1. Remove OSPF from your router and shut down your serial links. We will
only be using the Ethernet link for this exercise. OSPF can be removed by
doing "no router ospf ". The instructors will reconfigure the network
following the completion of the OSPF exercise.

2. Confirm that you are no longer receiving OSPF routes by doing a
"show ip route ospf".

3. Figure out your AS number from the diagram and write it down here:

    AS:

4. Verify the IP address block used for your PC link. Your group was
assigned an address block. You need to sub-divide it, using part of it for
the LAN with your PC, and part of it for point to point links between
routers.

    Aggregate address block:
    Mask:
    More-specific block used for LAN:

5. We will set up peering sessions according to the map. Decide which IP
addresses you are going to use for your Point-to-Point links with your
neighbouring peer.

    More-specific block used for point to point link:

6. Configure BGP on your router to announce your network. This is an
example for RouterA team:

    RouterA#config term
    Enter configuration commands, one per line. End with CNTL/Z.
    RouterA(config)#ip bgp-community new-format
    RouterA(config)#router bgp 1 ! use your AS number
    RouterA(config-router)#network 196.200.220.16 mask 255.255.255.240 ! use your network and mask
    RouterA(config-router)#no synchronization
    RouterA(config-router)#no auto-summary

BGP is now configured on your router, but it is not yet talking to any
other routers.

7. Set up a peering session with your upstream neighbor:

    RouterA(config)#router bgp 1 ! use your AS number
    RouterA(config-router)#neighbor 196.200.220.177 remote-as 100 ! use the IP address and AS number of your neighbour
    RouterA(config-router)#neighbor 196.200.220.177 descr My-Peer-with-AS100

8. Check to see if the peering session is up:

    RouterA#show ip bgp summary
    BGP router identifier 196.200.220.177, local AS number 1
    BGP table version is 3, main routing table version 3

    Neighbor        V  AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
    196.200.220.177 4   1       0       0      0   0    0 never   Idle

9. Check to see if you are sending routes to your neighbour. Why or why
not? If you aren't, what do you think could be wrong?

    RouterA#sh ip bgp neighbor x.x.x.x advertised-routes

10. Check to see if you are receiving routes from your neighbour.

    RouterA#show ip bgp

What routes are you receiving?

Other commands to monitor BGP:

    RouterA#sh ip route
    RouterA#sh ip bgp
    RouterA#sh ip bgp neighbor
    RouterA#sh ip bgp neighbor x.x.x.x routes

BGP Lab Exercise 2
------------------

11. Building on the previous exercise, we are now going to connect to a
neighbouring ISP in our locality. For the lab, you will connect to the
Router Team directly opposite you. For example, Router A will connect to
Router B. Use the Serial interface and the supplied serial cable to do
this.

12. Agree between you and your neighbouring AS whose address block you
will take IP addresses from for the point to point link.

    Address Block for the Point to Point Link:

13. Write down the AS number of the network you are connecting to:

    AS Number:

14. As in step 7 above, configure eBGP with this AS.

15. Check the BGP process using "sh ip bgp" and sub commands to see what
prefixes you are receiving from your neighbouring AS.

16. What routes do you see? What paths are available? Describe what you
see in the space below:

17. We are now at the stage where we are talking BGP with our upstream ISP
and BGP with the neighbouring ISP in our locality. But we have no filters,
as you saw in the previous step. We are now going to fix this using two
different methods in the next two exercises.

BGP Lab Exercise 3
------------------

18. This exercise will use AS Path filters on the BGP sessions.
These will ensure that we only announce our prefixes to our neighbours.
Create an AS Path filter which permits only prefixes originated by your
peer AS to enter your network:

    RouterA(config)#ip as-path access-list 1 permit ^2$ ! permit prefixes originated by AS2

19. Create an AS Path filter which permits only prefixes originated by
your AS to leave your network:

    RouterA(config)#ip as-path access-list 2 permit ^$ ! permit prefixes originated by local AS

20. Enable soft reconfiguration for the BGP session. This is only so that
we can analyse the effect of applying the filter on our BGP session later
on in this exercise. The use of soft reconfiguration in general ISP
operations is not recommended apart from during session debugging (as it
requires extra memory and has been superseded by a BGP feature called
"route refresh").

    RouterA(config)#router bgp 1
    RouterA(config-router)#neighbor 196.200.220.xxx soft-reconfiguration in

21. Now apply filter-list 1 inbound on the eBGP session you have with your
peer AS.

    RouterA(config-router)#neighbor 196.200.220.xxx filter-list 1 in ! apply as-path filter 1 inbound

And apply filter-list 2 outbound on the eBGP sessions you have with both
AS100 and your peer AS.

    RouterA(config-router)#neighbor 196.200.220.xxx filter-list 2 out
    RouterA(config-router)#neighbor 196.200.220.177 filter-list 2 out ! apply as-path filter 2 outbound

22. Now that you have applied the policy, you need to tell the BGP session
to refresh the prefixes it has received from the neighbour. To do this, we
use the route refresh capability of BGP.

    routerA#clear ip bgp 2 in ! refresh the peering with AS2
    routerA#clear ip bgp 2 out ! refresh the peering with AS2
    routerA#clear ip bgp 100 out ! refresh the peering with AS100

23. Check the BGP process using "sh ip bgp" to see what prefixes you are
now receiving from your neighbouring AS. Use the more specific commands
"sh ip bgp neighbor 196.200.220.xxx routes" and
"sh ip bgp neighbor 196.200.220.xxx received-routes".
What difference do you see? Write your answer here:

BGP Lab Exercise 4
------------------

24. This exercise will investigate the use of prefix-lists for filtering
BGP announcements from both BGP neighbours. Before you begin, remove the
AS-path filter configuration you added in Lab Exercise 3.

25. Define the prefix-lists that you will need. This first one specifies
which routes you will send out to any BGP neighbour.

    RouterA(config)#ip prefix-list my-routes description My routes outbound
    RouterA(config)#ip prefix-list my-routes permit 196.200.220.16/28
    RouterA(config)#ip prefix-list my-routes deny 0.0.0.0/0 le 32

Double check that you set your "my-routes" outbound filter to contain the
networks you wish to announce.

26. Now define the prefix-list for the prefixes you expect to hear from
your peer AS.

    RouterA(config)#ip prefix-list peer-AS2 description routes from AS2 inbound
    RouterA(config)#ip prefix-list peer-AS2 permit 196.200.220.32/28
    RouterA(config)#ip prefix-list peer-AS2 deny 0.0.0.0/0 le 32

27. Finally define the sanity prefix-list for prefixes you would expect to
hear from your upstream ISP. In this example we assume we receive the full
Internet Routing Table, or the default route, so we simply permit
everything and discard the prefixes we should never hear on the Internet.
See RFC3330 and www.cymru.com/Documents for more information on these
special prefixes and the sanity filter.

    RouterA(config)#ip prefix-list sanity-filter description Sanity Inbound
    RouterA(config)#ip prefix-list sanity-filter deny 10.0.0.0/8 le 32
    RouterA(config)#ip prefix-list sanity-filter deny 127.0.0.0/8 le 32
    RouterA(config)#ip prefix-list sanity-filter deny 169.254.0.0/16 le 32
    RouterA(config)#ip prefix-list sanity-filter deny 172.16.0.0/12 le 32
    RouterA(config)#ip prefix-list sanity-filter deny 192.0.2.0/24 le 32
    RouterA(config)#ip prefix-list sanity-filter deny 192.168.0.0/16 le 32
    RouterA(config)#ip prefix-list sanity-filter permit 0.0.0.0/0 le 32

In most classroom exercises, you trust your provider enough that you can
use a simple sanity filter that denies a few things and then permits
everything else.

28. Now apply the prefix filter to the BGP session you have with your
peer.

    RouterA(config-router)#neighbor 196.200.220.xxx prefix-list my-routes out
    RouterA(config-router)#neighbor 196.200.220.xxx prefix-list peer-AS2 in

29. And now apply the prefix filter to the BGP session you have with your
upstream in AS100.

    RouterA(config-router)#neigh 196.200.220.177 prefix-list my-routes out
    RouterA(config-router)#neigh 196.200.220.177 prefix-list sanity-filter in

30. To implement the new policy, don't forget to request a "route refresh"
on the two BGP sessions. The following commands will do the needful.

    clear ip bgp 100 in  ! apply new policy inbound from AS100
    clear ip bgp 100 out ! apply new policy outbound to AS100
    clear ip bgp 2 in    ! apply new policy inbound from AS2
    clear ip bgp 2 out   ! apply new policy outbound to AS2

31. Check the BGP process using "sh ip bgp" to see what prefixes you are
receiving from your neighbouring AS.

32. What routes do you see? What paths are available?

BGP Lab Exercise 5
------------------

33. The final exercise in the BGP labs is to simulate a situation which is
commonly found in many service provider networks around the world. The
situation is where an ISP multihomes between two upstream ISPs, and uses
two local routers for redundancy.
This necessitates using eBGP towards the upstreams, and iBGP between the
two local routers.

34. To prepare for this, remove the eBGP configuration with your local
peer.

    RouterA(config-router)#no neigh 196.200.220.xxx remote-as 2

35. The teams on the left hand side of the room (A,C,E,G,I) will have to
change the BGP AS Number from the one they are using to the one used by
their neighbours on the right hand side of the room. The best way to do
this is to make a note of the BGP configuration, then do "no router bgp "
before entering the configuration as "router bgp ".

    RouterA(config)#no router bgp 1
    RouterA(config)#router bgp 2
    RouterA(config-router)#neigh 196.200.220.177 remote-as 100
    RouterA(config-router)#neigh 196.200.220.177 prefix-list my-routes out
    RouterA(config-router)#neigh 196.200.220.177 prefix-list sanity-filter in
    RouterA(config-router)#no synchronization
    ...etc...

36. The teams on the right hand side of the room (B,D,F,H,J) will have to
delete the BGP session with AS100 and replace it with a BGP session with
AS200.

    RouterB(config)#router bgp 2
    RouterB(config-router)#no neigh 196.200.220.181 remote-as 100
    RouterB(config-router)#neigh 196.200.220.181 remote-as 200
    RouterB(config-router)#neigh 196.200.220.181 prefix-list my-routes out
    RouterB(config-router)#neigh 196.200.220.181 prefix-list sanity-filter in

37. Note that the prefix-list "my-routes" used in the eBGP filters in the
previous two steps will need to include the address block from both
routers. So it will have two /28 networks in it, one from the router on
the left. For example:

    RouterB(config)#ip prefix-list my-routes permit 196.200.220.16/28
    RouterB(config)#ip prefix-list my-routes permit 196.200.220.32/28
    RouterB(config)#ip prefix-list my-routes deny 0.0.0.0/0 le 32

38. Now each of AS 2, AS 4, AS 6, AS 8 and AS 10 needs to configure OSPF
in their AS. Before starting the OSPF process, configure a loopback
interface and give it an IP address so that OSPF will use it as the OSPF
Router ID.
For the loopback interface, assign a /32 IP address from your block.

    RouterA(config)#interface loopback0
    RouterA(config-if)#ip addr 196.200.220.yy 255.255.255.255
    RouterA(config)#router ospf 2
    RouterA(config-router)#passive-interface default
    RouterA(config-router)#network 196.200.220.yy 0.0.0.0 area 0
    RouterA(config-router)#network 196.200.220.xx 0.0.0.3 area 0
    RouterA(config-router)#no passive-interface Serial 0/0

Note that we only run OSPF on the Serial link between the two routers in
the AS.

39. Now each of AS 2, AS 4, AS 6, AS 8 and AS 10 needs to configure iBGP
in their AS. Remember that iBGP runs between loopback interfaces on the
router.

    RouterA(config-router)#router bgp 2
    RouterA(config-router)#neighbor 196.200.220.xx remote-as 2
    RouterA(config-router)#neighbor 196.200.220.xx next-hop-self
    RouterA(config-router)#neighbor 196.200.220.xx update-source loopback 0

Note that the iBGP session does not need any prefix filters to be applied.
In an ISP network, iBGP prefixes are distributed throughout the whole iBGP
speaking network.

Notice the purpose of the next-hop-self command in iBGP. It replaces the
external next-hop (refer to the BGP presentation) with the IP address of
the local router. This ensures that external point to point links do not
need to be carried in OSPF. This is a current Best Practice technique in
most ISP networks around the world today.

40. Check the BGP process using "sh ip bgp" to see if both the eBGP and
iBGP neighbours are active.

41. Also check to see what prefixes you are receiving from all your BGP
neighbours. What paths do you see? Can you explain what is happening?

BGP Testing
-----------

1. Verify that you can see routes for all networks in your AS by using
"show ip route". Test connectivity using ping and traceroute, as well as
"show ip bgp" and "show ip route".

2. Add some additional routes to simulate connections to customers.
Obtain IP address allocations from the registry (instructors), add routes
to "null 0", and use bgp "network" statements to bring the routes into
BGP. Adjust your filters as appropriate. Get your peers to adjust their
filters too.

3. Review your filters. Make sure that you are seeing the right
information from everyone.

4. What routes do you see in your routing table? What do the AS paths look
like? Which routes are preferred?

5. Look at the routing table of other ASes to understand how traffic flows
in the network.

6. Verify that you can get to all the PCs in the entire classroom (not
just in your own AS).

7. Experiment with breaking connections. See how the routing changes.
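
Added example (not part of the original lab handout): an offline evaluator for the "peer-AS2" and "sanity-filter" prefix-lists from Lab Exercise 4, for checking what a filter accepts when you review it. It models only IPv4 permit/deny entries with optional ge/le; the function names and the test announcements are constructed for illustration.

```python
import ipaddress
import re

# Prefix-lists from Lab Exercise 4, router prompts stripped.
CONFIG = """
ip prefix-list peer-AS2 description routes from AS2 inbound
ip prefix-list peer-AS2 permit 196.200.220.32/28
ip prefix-list peer-AS2 deny 0.0.0.0/0 le 32
ip prefix-list sanity-filter description Sanity Inbound
ip prefix-list sanity-filter deny 10.0.0.0/8 le 32
ip prefix-list sanity-filter deny 127.0.0.0/8 le 32
ip prefix-list sanity-filter deny 169.254.0.0/16 le 32
ip prefix-list sanity-filter deny 172.16.0.0/12 le 32
ip prefix-list sanity-filter deny 192.0.2.0/24 le 32
ip prefix-list sanity-filter deny 192.168.0.0/16 le 32
ip prefix-list sanity-filter permit 0.0.0.0/0 le 32
"""
ENTRY = re.compile(r"ip prefix-list (\S+) (permit|deny) (\S+)(?: ge (\d+))?(?: le (\d+))?$")

def parse(config):
    """Return {list name: [(action, network, min_len, max_len), ...]} in config order."""
    lists = {}
    for line in config.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # blank and "description" lines carry no match rule
        name, action, prefix, ge, le = m.groups()
        net = ipaddress.ip_network(prefix)
        if ge is None and le is None:
            lo = hi = net.prefixlen  # no ge/le: only the exact prefix length matches
        else:
            lo = int(ge) if ge else net.prefixlen
            hi = int(le) if le else 32
        lists.setdefault(name, []).append((action, net, lo, hi))
    return lists

def evaluate(entries, route):
    """First matching entry wins; no match falls through to the implicit deny."""
    route = ipaddress.ip_network(route)
    for action, net, lo, hi in entries:
        if lo <= route.prefixlen <= hi and route.subnet_of(net):
            return action
    return "deny"

def audit(entries, routes):
    return {r: evaluate(entries, r) for r in routes}

if __name__ == "__main__":
    lists = parse(CONFIG)
    # Constructed test announcements, not output captured from a lab router.
    print(audit(lists["peer-AS2"], ["196.200.220.32/28", "196.200.220.32/29"]))
    print(audit(lists["sanity-filter"], ["10.1.0.0/16", "0.0.0.0/0", "196.200.220.32/28"]))
```

Note that a more-specific /29 inside the peer's /28 is rejected by "peer-AS2", because a permit entry without ge/le matches the exact prefix length only.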