<h2>Networking Concepts</h2>
Easy to Learn and Apply Network concepts.
<h3 class="post-title entry-title">Multicast - Basics (2009-11-24)</h3>
<h3 class="post-title entry-title">What is Promiscuous Mode (2009-07-21)</h3>
<span style="font-size:100%;"><span style="color: rgb(0, 0, 153); font-family: arial;">1) In a network, promiscuous mode allows a network device to intercept and read each network packet that arrives in its entirety. This mode of operation is sometimes given to a network snoop server that captures and saves all packets for analysis (for example, for monitoring network usage). </span><br /><span style="color: rgb(0, 0, 153); font-family: arial;">2) In an Ethernet local area network (LAN), promiscuous mode is a mode of operation in which every data packet transmitted can be received and read by a network adapter. Promiscuous mode must be supported by each network adapter as well as by the input/output driver in the host operating system. Promiscuous mode is often used to monitor network activity. </span><br /><br /><span style="color: rgb(0, 0, 153); font-family: arial;">Promiscuous mode is the opposite of non-promiscuous mode. When a data packet is transmitted in non-promiscuous mode, all the LAN devices "listen to" the data to determine if the network address included in the data packet is theirs. If it isn't, the data packet is passed on to the next LAN device until the device with the correct network address is reached. That device then receives and reads the data.</span><br /><br /></span>
<h3 class="post-title entry-title">Multicast TTL-Threshold (2009-02-12)</h3>
<span style="color: rgb(51 , 0 , 51);">ip multicast ttl-threshold</span><br />
<br />
<span style="color: rgb(51 , 0 , 51); font-weight: bold;">Usage Guidelines</span><br />
<br />
<span style="color: rgb(51 , 0 , 51);">"Only multicast packets with a TTL value greater than the threshold are forwarded out the interface."</span><br />
<br />
<span style="color: rgb(51 , 0 , 51);">Oh yeah?! I guess it depends on when you look at the TTL. Consider the network:</span><br />
<br />
<span style="color: rgb(51 , 0 , 51);">R1----R2----R3----R4</span><br />
<br />
<span style="color: rgb(51 , 0 , 51);">PIM-DM is enabled everywhere.</span><br />
<span style="color: rgb(51 , 0 , 51);">R4 has joined 239.0.0.1</span><br />
<span style="color: rgb(51 , 0 , 51);">R1 is sending pings which have 255 TTL when sent from R1.</span><br />
<span style="color: rgb(51 , 0 , 51);">R2 receives the PING, decrements the TTL to 254 before sending to R3.</span><br />
<br />
<span style="color: rgb(51 , 0 , 51);">So if we set the TTL threshold to 254 on R2's interface to R3, it should block the ping, right? No:</span><br />
<pre style="color: #330033;">
R2(config)#int s1/0
R2(config-if)#ip multicast ttl-threshold 254
R1#ping 239.0.0.1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 239.0.0.1, timeout is 2 seconds:
Reply to request 0 from 192.168.34.4, 164 ms
R1#</pre>
<br />
<span style="color: rgb(51 , 0 , 51);">The router will still pass packets whose TTL is equal to the threshold if it was this router that decremented the TTL to reach that value. Here we see that a threshold of 255 will block it:</span><br />
<pre style="color: #330033;">
R2(config)#int s1/0
R2(config-if)#ip multicast ttl-threshold 255
R1#ping 239.0.0.1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 239.0.0.1, timeout is 2 seconds:
.
R1#</pre>
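As an added illustration (not part of the original post), the following Python model reproduces the per-hop decision behind the two pings above and generalises it to a longer path; the rule is inferred from the page's own results, the receiver is assumed to sit one hop past the last router in the path, and a threshold of 0 is assumed to mean "no threshold".

```python
# Added example, not from the original post: a per-hop model of the
# ttl-threshold decision seen in the two pings above, so the
# "254 passes, 255 fails" result can be reproduced and tried on longer paths.
# Assumptions: the receiver sits one hop past the last router listed in the
# path, and a threshold of 0 means the interface has no threshold.
from typing import List, Optional, Tuple


def forward_decision(ttl_in: int, threshold: int) -> Tuple[bool, int]:
    """One router, one outgoing interface with `threshold` configured.

    `ttl_in` is the TTL as received.  The router decrements it, and the
    post shows that the *decremented* value is what is held against the
    threshold: a packet whose TTL becomes equal to the threshold on this
    hop is still forwarded (equivalently: received TTL > threshold).
    Returns (forwarded, ttl): the outgoing TTL when forwarded, the
    received TTL when dropped.
    """
    ttl_out = ttl_in - 1
    if ttl_out <= 0:
        return False, ttl_in           # TTL exhausted at this hop
    if ttl_out < threshold:
        return False, ttl_in           # scoped out by the interface threshold
    return True, ttl_out


def deliver(path: List[Tuple[str, int]], ttl_start: int) -> Tuple[bool, Optional[str], int]:
    """Walk a multicast packet along `path`, a list of
    (router, threshold on its outgoing interface) in order from the first
    router after the source to the last router before the receiver.

    Returns (delivered, dropping_router, ttl): `ttl` is what the receiver
    sees, or what the dropping router received."""
    ttl = ttl_start
    for router, threshold in path:
        forwarded, ttl = forward_decision(ttl, threshold)
        if not forwarded:
            return False, router, ttl
    return True, None, ttl


def max_passing_threshold(ttl_start: int, hop_index: int) -> int:
    """Highest threshold an interface at `hop_index` (1 = first router after
    the source) can carry and still forward a packet sent with `ttl_start`.
    For R2 in the post (hop 1, 255-TTL pings) this is 254."""
    return ttl_start - hop_index


if __name__ == "__main__":
    # The post's topology: R1 pings with TTL 255, R2 and R3 forward, R4 joined.
    for threshold in (254, 255):
        print(f"R2 threshold {threshold}:", deliver([("R2", threshold), ("R3", 0)], 255))
```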
<h3 class="post-title entry-title">WCCP notes (2009-02-12)</h3>
<div style="text-align: justify; color: rgb(51, 0, 51);">WCCPv1<br />---------<br />-Single router serves a cluster<br />-Cache engine is configured with the IP address of the control router (max 32)<br />-Cache engines send their IPs to the router via control port UDP 2048<br />-Control router creates a cluster view and sends it to the cache engines<br />-Lead cache engine is selected; it decides how traffic is redirected.<br />-HTTP only<br /><br />WCCPv2<br />---------<br />-Multiple routers can serve a cluster<br />-Service group: routers + cache engines<br />-Unicast or multicast control (ip wccp group-listen)<br />-Non-HTTP support, TCP and UDP<br />-MD5 authentication (password)<br />-Error handling keeps track of cache misses<br />-Load distribution (hot spot handling, load balancing, load shedding)<br />-IP only<br />-Multicast TTL must be 15 or lower<br />-32 cache engines and 32 routers max per service group<br />-Dynamic services are defined by the cache engines<br /><br />Configuration<br />--------------<br />
<pre style="color: #330033;">
Router(config)# ip wccp version 2
Router(config)# ip wccp {web-cache | service-number} [group-address groupaddress] [redirect-list access-list] [group-list access-list] [password password]
Router(config)# interface type number
Router(config-if)# ip wccp {web-cache | service-number} redirect {out | in}
</pre>
Exclude an interface from redirecting inbound traffic:<br />
<pre style="color: #330033;">
Router(config-if)# ip wccp redirect exclude in
</pre></div>
<h3 class="post-title entry-title">Troubleshooting OSPF over Frame-Relay (2009-02-12)</h3>
<div style="text-align: justify; color: rgb(51, 0, 51);">Scenario:<br />Full mesh of PVCs between 3 routers: R4, R5 and R6<br />Frame-relay map statements DO NOT have the broadcast keyword<br />Adjacencies do not form.<br /><br />This is from debug ip packet on R6:<br />
<pre style="color: #330033;">
R6#debug ip packet
IP packet debugging is on
*Mar 1 01:00:26.367: IP: s=172.12.45.6 (local), d=224.0.0.5 (Serial1/1), len 76, sending broad/multicast
*Mar 1 01:00:26.371: IP: s=172.12.45.6 (local), d=224.0.0.5 (Serial1/1), len 76, encapsulation failed
</pre>
After enabling broadcast on the frame-relay maps, the adjacencies came up.<br /><br />Solution:<br />Point-to-multipoint OSPF networks need the broadcast keyword on the frame-relay map.<br />Without it you will see "encapsulation failed" when the router tries to send multicast hellos.</div>
<h3 class="post-title entry-title"><a href="http://ccietobe.blogspot.com/2008/06/frame-relay-compression.html">Frame-relay Compression</a> (2009-02-12)</h3>
<div style="color: rgb(51, 0, 51); text-align: justify;" class="post hentry"><a name="9013079095994239220"></a><div class="post-body entry-content">Compression must be configured on both ends for it to be enabled:<br /><br />R5 --- FR CLOUD --- R6<br />
<pre style="color: #330033;">
R6(config)#interface s1/1
R6(config-if)#frame-relay map ip 172.14.45.5 605 payload-compression FRF9 stac

R6#ping 172.14.45.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.14.45.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/52/76 ms

R6#show compress
Serial1/1 - DLCI: 605
 Compression not active
 uncompressed bytes xmt/rcv 0/0
 compressed bytes xmt/rcv 0/0
 Compressed bytes sent: 0 bytes 0 Kbits/sec
 Compressed bytes recv: 0 bytes 0 Kbits/sec
 1 min avg ratio xmt/rcv 0.000/0.000
 5 min avg ratio xmt/rcv 0.000/0.000
 10 min avg ratio xmt/rcv 0.000/0.000
 no bufs xmt 0 no bufs rcv 0
 resyncs 0
 Additional Stac Stats:
 Transmit bytes: Uncompressed = 0 Compressed = 0
 Received bytes: Compressed = 0 Uncompressed = 0
</pre>
Now on R5:<br />
<pre style="color: #330033;">
R6(config)#interface s1/0
R6(config-if)#frame-relay map ip 172.14.45.6 506 payload-compression FRF9 stac
</pre>
Check R6 and see that compression is enabled:<br />
<pre style="color: #330033;">
R6#ping 172.14.45.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.14.45.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/76/168 ms

R6#show compress
Serial1/1 - DLCI: 605
 Software compression enabled
 uncompressed bytes xmt/rcv 1232/1232
 compressed bytes xmt/rcv 381/382
 Compressed bytes sent: 381 bytes 0 Kbits/sec ratio: 3.233
 Compressed bytes recv: 382 bytes 0 Kbits/sec ratio: 3.225
 1 min avg ratio xmt/rcv 0.055/0.057
 5 min avg ratio xmt/rcv 0.113/0.118
 10 min avg ratio xmt/rcv 0.113/0.118
 no bufs xmt 0 no bufs rcv 0
 resyncs 0
 Additional Stac Stats:
 Transmit bytes: Uncompressed = 0 Compressed = 290
 Received bytes: Compressed = 291 Uncompressed = 0
</pre></div></div>
<h3 class="post-title entry-title">Frame-relay Fragmentation (2009-02-12)</h3>
<div style="text-align: justify; color: rgb(51, 0, 51);">R4 --- FR CLOUD --- R6<br /><br />Both ends configured:<br />
<pre style="color: #330033;">
R6(config)#int s1/1
R6(config-if)#frame-relay fragment 200 end-to-end
R6(config-if)#^Z

R6#ping 172.14.45.4 size 8000

Type escape sequence to abort.
Sending 5, 8000-byte ICMP Echos to 172.14.45.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 676/756/796 ms

R6#show frame-relay fragment
interface  dlci  frag-type   size  in-frag  out-frag  dropped-frag
Se1/1      604   end-to-end  200   220      220       0
Se1/1      605   end-to-end  200   0        0         0
</pre></div>
<h3 class="post-title entry-title">Configuring multipoint subinterface so the interface status reflects status of the PVC (2009-02-12)</h3>
<div style="text-align: justify;"><span style="color: rgb(51, 0, 51);">On a physical frame-relay interface, if the opposite end goes down, the local interface will remain up/up. When using multipoint subinterfaces this is not the case. 
When the remote interface goes down (taking the DLCI with it), the local end puts its interface into a down/down state.</span><br /><br /><span style="color: rgb(51, 0, 51);">R1, R3 and R5 connect via full-mesh frame-relay, subnet 190.1.135.0/24</span><br /><br /><span style="color: rgb(51, 0, 51);">R1 dlci 103 maps to R3 dlci 301<br />R1 dlci 105 maps to R5 dlci 501<br />R3 dlci 305 maps to R5 dlci 503</span><br /><br /><span style="color: rgb(51, 0, 51);">Configure all routers on the physical interfaces.</span><br /><br /><span style="color: rgb(51, 0, 51);">Here is how it looks so far from R3:</span><br />
<pre style="color: #330033;">
R3#show ip int brief serial 1/0
Interface    IP-Address    OK? Method Status   Protocol
Serial1/0    190.1.135.1   YES manual up       up
R3#
</pre>
<span style="color: rgb(51, 0, 51);">Now let's shut the physical interfaces on R5 and R1:</span><br />
<pre style="color: #330033;">
R5(config)#int s0/0
R5(config-if)#shut

R1(config)#int s0/0
R1(config-if)#shut
</pre>
<span style="color: rgb(51, 0, 51);">R3 still has its interface up/up:</span><br />
<pre style="color: #330033;">
R3#show ip int brief serial 1/0
Interface    IP-Address    OK? Method Status   Protocol
Serial1/0    190.1.135.1   YES manual up       up
</pre>
<span style="color: rgb(51, 0, 51);">If we want R3's interface to go down when R5 and R1 are no longer available, we need to use a multipoint subinterface. Let's create one on R3 and move the config over:</span><br />
<pre style="color: #330033;">
R3(config)#interface Serial1/0
R3(config-if)# no ip address 190.1.135.1 255.255.255.0
R3(config-if)# no frame-relay map ip 190.1.135.1 301
R3(config-if)# no frame-relay map ip 190.1.135.5 305
R3(config-if)#int s1/0.3 multipoint
R3(config-subif)# ip address 190.1.135.1 255.255.255.0
R3(config-subif)# frame-relay map ip 190.1.135.1 301 broadcast
R3(config-subif)# frame-relay map ip 190.1.135.5 305 broadcast
R3(config-subif)# no frame-relay inverse-arp
</pre>
<span style="color: rgb(51, 0, 51);">Bring up R5 and R1 again and now we have:</span><br />
<pre style="color: #330033;">
R3#show ip int brief s1/0.3
Interface    IP-Address    OK? Method Status   Protocol
Serial1/0.3  190.1.135.1   YES manual up       up
</pre>
<span style="color: rgb(51, 0, 51);">Shut down R5 again: R3 is still up, but look at debug frame-relay lmi. The status of PVC 305 is 0x0, which is inactive.</span><br />
<pre style="color: #330033;">
R3#show ip int brief s1/0.3
Interface    IP-Address    OK? Method Status   Protocol
Serial1/0.3  190.1.135.1   YES manual up       up
</pre></div>
<h3 class="post-title entry-title">Back to Back Multilink Frame-Relay (2009-02-12)</h3>
<div style="text-align: justify;"><span style="color: rgb(51, 0, 51);">I had this task on a recent lab. I was surprised I actually got it to work (with some help from the DocCD). Sometimes I skip these boring WAN technology tasks, but sometimes they can be fun if you get them to work :)</span><br /><br /><span style="color: rgb(51, 0, 51);">R6 ==== R9</span><br /><br /><span style="color: rgb(51, 0, 51);">R6 and R9 are connected via two serial links, serial 0/2/0 and serial 0/2/1. The task says to configure these with a /31 on the 172.30.96.0 network. R6 should use DLCI 609 and R9 should use DLCI 906. Now let me say the PG was mistaken in its answer: it didn't have any frame-relay whatsoever - still waiting to hear via email what the deal was. So this is my "tentative" solution, which works great.</span><br /><br /><span style="color: rgb(51, 0, 51);">Here is my R6 config:</span><br />
<pre style="color: #330033;">
interface MFR1
 ip address 172.30.96.0 255.255.255.254
 no keepalive
 frame-relay map ip 172.30.96.0 609
 frame-relay map ip 172.30.96.1 906 broadcast
 frame-relay interface-dlci 609
!
interface Serial0/2/0
 no ip address
 encapsulation frame-relay MFR1
 clock rate 2000000
 no arp frame-relay
!
interface Serial0/2/1
 no ip address
 encapsulation frame-relay MFR1
 clock rate 2000000
 no arp frame-relay
</pre>
<span style="color: rgb(51, 0, 51);">Here is the R9 config:</span><br />
<pre style="color: #330033;">
interface MFR1
 ip address 172.30.96.1 255.255.255.254
 no keepalive
 frame-relay map ip 172.30.96.0 609 broadcast
 frame-relay map ip 172.30.96.1 906
 frame-relay interface-dlci 609
!
interface Serial0/2/0
 no ip address
 encapsulation frame-relay MFR1
 no arp frame-relay
!
interface Serial0/2/1
 no ip address
 encapsulation frame-relay MFR1
 no arp frame-relay
</pre></div>
<h3 class="post-title entry-title">ip subnetting (2009-02-10)</h3>
<div><p style="text-align: justify;"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">IP subnetting is a fundamental subject that's critical for any IP network engineer to 
understand, yet students have traditionally had a difficult time grasping it. Over the years, I've watched students needlessly struggle through school and in practice when dealing with subnetting because it was never explained to them in an easy-to-understand way. I've helped countless individuals learn what subnetting is all about using my own graphical approach and calculator shortcuts, and I've put all that experience into this article.</span></span></span></p> <h2 style="text-align: justify;"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">IP addresses and subnets</span></span></span></h2><div style="text-align: justify;"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';"><br /></span></span></span></div> <p style="text-align: justify;"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">Although IP stands for Internet Protocol, it's a communications protocol used from the smallest private network to the massive global Internet. An IP address is a unique identifier given to a single device on an IP network. The IP address consists of a 32-bit number that ranges from 0 to 4294967295. This means that theoretically, the Internet can contain approximately 4.3 billion unique objects. But to make such a large address block easier to handle, it was chopped up into four 8-bit numbers, or "octets," separated by a period. Instead of 32 binary base-2 digits, which would be too long to read, it's converted to four base-256 digits. Octets are made up of numbers ranging from 0 to 255. 
The numbers below show how IP addresses increment.</span></span></span></p>
<pre style="color: rgb(0, 0, 153); font-weight: bold;">
0.0.0.0
0.0.0.1
...increment 252 hosts...
0.0.0.254
0.0.0.255
0.0.1.0
0.0.1.1
...increment 252 hosts...
0.0.1.254
0.0.1.255
0.0.2.0
0.0.2.1
...increment 4+ billion hosts...
255.255.255.255
</pre>
<p style="text-align: justify;"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">The word <i>subnet</i> is short for <i>sub network</i>--a smaller network within a larger one. The smallest subnet that has no more subdivisions within it is considered a single "broadcast domain," which directly correlates to a single LAN (local area network) segment on an Ethernet switch. The broadcast domain serves an important function because this is where devices on a network communicate directly with each other's MAC addresses, which don't route across multiple subnets, let alone the entire Internet. MAC address communications are limited to a smaller network because they rely on ARP broadcasting to find their way around, and broadcasting can be scaled only so much before the amount of broadcast traffic brings down the entire network with sheer broadcast noise. 
For this reason, the most common smallest subnet is 8 bits, or precisely a single octet, although it can be smaller or slightly larger.</span></span></span></p> <p style="text-align: justify;"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">Subnets have a beginning and an ending, and the beginning number is always even and the ending number is always odd. The beginning number is the "Network ID" and the ending number is the "Broadcast ID." You're not allowed to use these numbers because they both have special meaning with special purposes. The Network ID is the official designation for a particular subnet, and the ending number is the broadcast address that every device on a subnet listens to. Anytime you want to refer to a subnet, you point to its Network ID and its subnet mask, which defines its size. Anytime you want to send data to everyone on the subnet (such as a multicast), you send it to the Broadcast ID. 
Later in this article, I'll show you an easy mathematical and graphical way to determine the Network and Broadcast IDs.</span></span></span></p> <h2 style="text-align: justify;"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">The graphical subnet ruler</span></span></span></h2><div style="text-align: justify;"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';"><br /></span></span></span></div> <p style="text-align: justify;"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">Over the years, as I watched people struggle with the subject of IP subnetting, I wanted a better way to teach the subject. I soon realized that many students in IT lacked the necessary background in mathematics and had a hard time with the concept of binary numbers. To help close this gap, I came up with the graphical method of illustrating subnets shown in </span></span></span><b><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">Figure A</span></span></span></b><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">. In this example, we're looking at a range of IP addresses from 10.0.0.0 up to 10.0.32.0. Note that the ending IP of 10.0.32.0 itself is actually the beginning of the next subnet. 
This network range ends at the number right before it, which is 10.0.31.255.</span></span></span></p> <center> <table style="text-align: justify;"> <tbody> <tr> <td align="middle"> <p><b><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">Figure A</span></span></span></b></p></td></tr> <tr> <td align="middle"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';"><img src="http://techrepublic.com.com/i/tr/downloads/images/subnetting/subnetting_a.png" /></span></span></span></td></tr></tbody></table></center> <p style="text-align: justify;"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">Note that for every bit increase, the size of the subnet doubles in length, along with the number of hosts. The smallest tick mark represents 8 bits, which contains a subnet with 256 hosts--but since you can't use the first and last IP addresses, there are actually only 254 usable hosts on the network. The easiest way to compute how many usable hosts are in a subnet is to raise 2 to the power of the bit size, then subtract 2. Go up to 9 bits, and we're up to 510 usable hosts, because 2 to the 9th is 512, and we don't count the beginning and ending. 
Keep on going all the way up to 13 bits, and we're up to 8,190 usable hosts for the entire ruler shown above.</span></span></span></p> <h2 style="text-align: justify;"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">Learning to properly chop subnets</span></span></span></h2><div style="text-align: justify;"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';"><br /></span></span></span></div> <p style="text-align: justify;"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">Subnets can be subdivided into smaller subnets and even smaller ones still. The most important thing to know about chopping up a network is that you can't arbitrarily pick the beginning and ending. The chopping must be along clean binary divisions. The best way to learn this is to look at my subnet ruler and see what's a valid subnet. 
In </span></span></span><b><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">Figure B</span></span></span></b><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">, green subnets are valid and red subnets are not.</span></span></span></p> <center> <table style="text-align: justify;"> <tbody> <tr> <td align="middle"> <p><b><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">Figure B</span></span></span></b></p></td></tr> <tr> <td align="middle"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';"><img src="http://techrepublic.com.com/i/tr/downloads/images/subnetting/subnetting_b.png" /></span></span></span></td></tr></tbody></table></center> <p style="text-align: justify;"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">The ruler was constructed like any other ruler, where we mark it down the middle and bisect it. Then, we bisect the remaining sections and with shrinking markers every time we start a new round of bisecting. In the sample above, there were five rounds of bisections. If you look carefully at the edge of any valid (green) subnet blocks, you'll notice that none of the markers contained within the subnet is higher than the edge's markers. 
There is a mathematical reason for this, which we'll illustrate later, but seeing it graphically will make the math easier to understand.</span></span></span></p> <h2 style="text-align: justify;"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">The role of the subnet mask</span></span></span></h2><div style="text-align: justify;"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';"><br /></span></span></span></div> <p style="text-align: justify;"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">The subnet mask plays a crucial role in defining the size of a subnet. Take a look at </span></span></span><b><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">Figure C</span></span></span></b><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">. Notice the pattern and pay special attention to the numbers in red. Whenever you're dealing with subnets, it will come in handy to remember eight special numbers that reoccur when dealing with subnet masks. 
They are </span></span></span><b><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">255</span></span></span></b><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">, </span></span></span><b><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">254</span></span></span></b><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">, </span></span></span><b><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">252</span></span></span></b><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">, </span></span></span><b><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">248</span></span></span></b><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">, </span></span></span><b><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">240</span></span></span></b><span class="Apple-style-span" 
style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">, </span></span></span><b><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">224</span></span></span></b><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">, </span></span></span><b><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">192</span></span></span></b><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">, and </span></span></span><b><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">128</span></span></span></b><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">. 
You'll see these numbers over and over again in IP networking, and memorizing them will make your life much easier.</span></span></span></p> <center> <table style="text-align: justify;"> <tbody> <tr> <td align="middle"> <p><b><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">Figure C</span></span></span></b></p></td></tr> <tr> <td align="middle"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';"><img src="http://techrepublic.com.com/i/tr/downloads/images/subnetting/subnetting_c.png" /></span></span></span></td></tr></tbody></table></center> <p style="text-align: justify;"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">I've included three class sizes. You'll see the first two classes, with host bit length from 0 to 16, most often. It's common for DSL and T1 IP blocks to be in the 0- to 8-bit range. Private networks typically work in the 8- to 24-bit range.</span></span></span></p> <p style="text-align: justify;"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">Note how the binary mask has all those zeros growing from right to left. The subnet mask in binary form always has all ones to the left and all zeros to the right. 
The number of zeros is identical to the </span></span></span><i><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">subnet length</span></span></span></i><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">. I showed only the portion of the binary subnet in the octet that's interesting, since all octets to the right consist of zeros and all octets to the left consist of ones. So if we look at the subnet mask where the subnet length is 11 bits long, the full binary subnet mask is 11111111.11111111.11111000.00000000. As you can see under </span></span></span><i><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">mask octet</span></span></span></i><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">, the subnet mask transitions from 1 to 0 in the third octet. 
The particular binary subnet mask translates directly to base-256 form as 255.255.248.0.</span></span></span></p> <h2 style="text-align: justify;"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">The "mask" in subnet mask</span></span></span></h2><div style="text-align: justify;"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';"><br /></span></span></span></div> <p style="text-align: justify;"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">The subnet mask not only determines the size of a subnet, but it can also help you pinpoint where the end points on the subnet are if you're given any IP address within that subnet. The reason it's called a subnet "mask" is that it literally masks out the host bits and leaves only the Network ID that begins the subnet. Once you know the beginning of the subnet and how big it is, you can determine the end of the subnet, which is the Broadcast ID.</span></span></span></p> <p style="text-align: justify;"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">To calculate the Network ID, you simply take any IP address within that subnet and run the AND operator on the subnet mask. Let's take an IP address of 10.20.237.15 and a subnet mask of 255.255.248.0. 
Note that this can be and often is written in shorthand as </span></span></span><b><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">10.20.237.15/21</span></span></span></b><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';"> because the subnet mask length is 21. </span></span></span><b><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">Figure D</span></span></span></b><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';"> and </span></span></span><b><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">Figure E</span></span></span></b><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';"> show the Decimal and Binary versions of the AND operation.</span></span></span></p> <center> <table style="text-align: justify;"> <tbody> <tr> <td align="middle"> <p><b><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">Figure D</span></span></span></b></p></td></tr> <tr> <td align="middle"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" 
style="font-family: 'courier new';"><img src="http://techrepublic.com.com/i/tr/downloads/images/subnetting/subnetting_d.png" /></span></span></span></td></tr> <tr> <td align="middle"><small><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">Decimal math</span></span></span></small></td></tr></tbody></table></center> <center> <table style="text-align: justify;"> <tbody> <tr> <td align="middle"> <p><b><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">Figure E</span></span></span></b></p></td></tr> <tr> <td align="middle"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';"><img src="http://techrepublic.com.com/i/tr/downloads/images/subnetting/subnetting_e.png" /></span></span></span></td></tr> <tr> <td align="middle"><small><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">Binary math</span></span></span></small></td></tr></tbody></table></center> <p style="text-align: justify;"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">The binary version shows how the </span></span></span><b><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">0</span></span></span></b><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: 
rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">s act as a mask on the IP address on top. Inside the masking box, the </span></span></span><b><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">0</span></span></span></b><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">s convert all numbers on top into zeros, no matter what the number is. When you take the resultant binary Network ID and convert it to decimal, you get 10.20.232.0 as the Network ID.</span></span></span></p> <p style="text-align: justify;"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">One thing that's always bothered me about the way subnetting is taught is that students are not shown a simple trick to bypass the need for binary conversions when doing AND operations. I even see IT people in the field using this slow and cumbersome technique to convert everything to binary, run the AND operation, and then convert back to decimal using the Windows Calculator. But there's a really simple shortcut using the Windows Calculator, since the AND operator works directly on decimal numbers. 
Simply punch in 237, hit the AND operator, and then 248 and [Enter] to instantly get 232, as shown in </span></span></span><b><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">Figure F</span></span></span></b><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">. I'll never understand why this isn't explained to students, because it makes mask calculations a lot easier.</span></span></span></p> <center> <table style="text-align: justify;"> <tbody> <tr> <td align="middle"> <p><b><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">Figure F</span></span></span></b></p></td></tr> <tr> <td align="middle"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';"><img src="http://techrepublic.com.com/i/tr/downloads/images/subnetting/subnetting_f.png" /></span></span></span></td></tr></tbody></table></center> <p style="text-align: justify;"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">Since there are 11 zeros in the subnet mask, the subnet is 11 bits long. This means there are 2^11, or 2,048, maximum hosts in the subnet and the last IP in this subnet is 10.20.239.255. You could compute this quickly by seeing there are three zeros in the third octet, which means the third octet of the IP address can have a variance of 2^3, or 8. So the next subnet starts at 10.20.232+8.0, which is 10.20.240.0. 
If we decrease that by 1, we have 10.20.239.255, which is where this subnet ends. To help you visualize this, </span></span></span><b><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">Figure G</span></span></span></b><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';"> shows it on my subnet ruler.</span></span></span></p> <center> <table style="text-align: justify;"> <tbody> <tr> <td align="middle"> <p><b><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">Figure G</span></span></span></b></p></td></tr> <tr> <td align="middle"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';"><img src="http://techrepublic.com.com/i/tr/downloads/images/subnetting/subnetting_g.png" /></span></span></span></td></tr></tbody></table></center> <h2 style="text-align: justify;"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">IP classes made simple</span></span></span></h2><div style="text-align: justify;"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';"><br /></span></span></span></div> <p style="text-align: justify;"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" 
style="font-family: 'courier new';">For an arbitrary classification of IP subnets, the creators of the Internet chose to break the Internet into multiple classes. Note that these aren't important as far as your subnet calculations are concerned; this is just how the Internet is "laid out." The Internet is laid out as Class A, B, C, D, and E. Class A uses up the first half of the entire Internet, Class B uses half of the remaining half, Class C uses the remaining half again, Class D (Multicasting) uses up the remaining half again, and whatever is left over is reserved for Class E. I've had students tell me that they struggled with the memorization of IP classes for weeks until they saw this simple table shown in </span></span></span><b><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">Figure H</span></span></span></b><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">. 
This is because you don't actually need to memorize anything, you just learn the technique for constructing the ruler using half of what's available.</span></span></span></p> <center> <table style="text-align: justify;"> <tbody> <tr> <td align="middle"> <p><b><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">Figure H</span></span></span></b></p></td></tr> <tr> <td align="middle"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';"><img src="http://techrepublic.com.com/i/tr/downloads/images/subnetting/subnetting_h.png" /></span></span></span></td></tr></tbody></table></center> <p style="text-align: justify;"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">Remember that all subnets start with EVEN numbers and all subnet endings are ODD. Note that 0.0.0.0/8 (0.0.0.0 to 0.255.255.255) isn't used and 127.0.0.0/8 (127.0.0.0 to 127.255.255.255) is reserved for loopback addresses.</span></span></span></p> <p style="text-align: justify;"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">All Class A addresses have their first octet between 1 to 126 because 0 and 127 are reserved. Class A subnets are all 24 bits long, which means the subnet mask is only 8 bits long. For example, we have the entire 3.0.0.0/8 subnet owned by GE, since GE was lucky enough to get in early to be assigned 16.8 million addresses. The U.S. Army owns 6.0.0.0/8. Level 3 Communications owns 8.0.0.0/8. IBM owns 9.0.0.0/8. AT&T owns 12.0.0.0/8. Xerox owns 13.0.0.0/8. 
HP owns 15.0.0.0/8 and 16.0.0.0/8. Apple owns 17.0.0.0/8.</span></span></span></p> <p style="text-align: justify;"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">All Class B addresses have their first octet between 128 and 191. Class B subnets are all 16 bits long, which means the subnet masks are 16 bits long. For example, BBN Communications owns 128.1.0.0/16, which is 128.1.0.0 to 128.1.255.255. Carnegie Mellon University owns 128.2.0.0/16.</span></span></span></p> <p style="text-align: justify;"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">All Class C addresses have their first octet between 192 and 223. Class C subnets are all 8 bits long, so the subnet mask is only 24 bits long. Note that </span></span></span><a href="http://www.arin.net/" target="_blank"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">ARIN</span></span></span></a><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';"> (the organization that assigns Internet addresses) will sell blocks of four Class C addresses only to individual companies and you have to really justify why you need 1,024 Public IP addresses. If you need to run BGP so you can use multiple ISPs for redundancy, you have to have your own block of IP addresses. Also note that this isn't the old days, where blocks of 16.8 million Class A addresses were handed out for basically nothing. 
You have to pay an annual fee for your block of 1,024 addresses with a subnet mask of /22, or 255.255.252.0.</span></span></span></p> <p style="text-align: justify;"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">The concept of subnet classes can cause harm in actual practice. I've actually seen people forget to turn classes off in their old Cisco router and watch large subnet routes get hijacked on a large WAN configured for dynamic routing whenever some routes were added. This is because a classful Cisco router will assume the subnet mask is the full /8, /16, or /24 of the address class even if you define something in between. All newer Cisco IOS software versions turn off the concept of subnet classes and use classless routing by default. This is done with the default command "IP Classless."</span></span></span></p> <h2 style="text-align: justify;"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">Public versus private IP addresses</span></span></span></h2><div style="text-align: justify;"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';"><br /></span></span></span></div> <p style="text-align: justify;"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">Besides the reserved IP addresses (0.0.0.0/8 and 127.0.0.0/8) mentioned above, there are other addresses not used on the public Internet. 
These </span></span></span><i><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">private subnets</span></span></span></i><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';"> consist of private IP addresses and are usually behind a firewall or router that performs NAT (network address translation). NAT is needed because private IP addresses are nonroutable on the public Internet, so they must be translated into public IP addresses before they touch the Internet. Private IPs are never routed because no one really owns them. And since anyone can use them, there's no right place to point a private IP address to on the public Internet. Private IP addresses are used in most LAN and WAN environments, unless you're lucky enough to own a Class A or at least a Class B block of addresses, in which case you might have enough IPs to assign internal and external IP addresses.</span></span></span></p> <p style="text-align: justify;"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">The following blocks of IP addresses are allocated for private networks:</span></span></span></p> <ul> <li style="text-align: justify;"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">10.0.0.0/8 (10.0.0.0 to 10.255.255.255) </span></span></span></li><li style="text-align: justify;"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier 
new';">172.16.0.0/12 (172.16.0.0 to 172.31.255.255) </span></span></span></li><li style="text-align: justify;"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">192.168.0.0/16 (192.168.0.0 to 192.168.255.255) </span></span></span></li><li style="text-align: justify;"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">169.254.0.0/16 (169.254.0.0 to 169.254.255.255)*</span></span></span></li></ul> <p style="text-align: justify;"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">*Note that 169.254.0.0/16 is not one of the RFC 1918 private blocks; it is the link-local block, which a host assigns itself at random when no </span></span></span><a href="http://techrepublic.com.com/5100-6345-5034551.html" target="_blank"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">DHCP</span></span></span></a><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';"> server answers. Like the private blocks it is never routed on the Internet, and routers should not forward it between subnets at all.</span></span></span></p> <p style="text-align: justify;"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">10.0.0.0/8 is normally used for larger networks, since there are approximately 16.8 million IP addresses available within that block. 
Large organizations chop it up into smaller blocks for each geographic location, which are then subdivided into even smaller subnets. Smaller companies typically use the 172.16.0.0/12 range, chopped up into smaller subnets, although there's no reason they can't use 10.0.0.0/8 if they want to. Home networks typically use a /24 subnet within the 192.168.0.0/16 subnet.</span></span></span></p> <p style="text-align: justify;"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">The use of private IP addresses and NAT has prolonged the life of IPv4 for the foreseeable future because it effectively allows a single public IP address to represent thousands of private IP addresses. At the current rate that IPv4 addresses are handed out, we have enough IPv4 addresses for </span></span></span><a href="http://news.zdnet.com/2100-1009_22-1020653.html" target="_blank"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">approximately 17 years</span></span></span></a><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">. ARIN is much more stingy now about handing them out, and small blocks of IP addresses are relatively expensive compared to the old days, when companies like Apple were simply handed a block of 16.8 million addresses. 
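Before going on to IPv6, here is an added example in Python (not from the original post) that applies the ranges discussed above: it classifies an IPv4 address as RFC 1918 private, link-local, loopback, unspecified or public, gives the size of a CIDR block such as the /22 mentioned earlier, and shows the route a classful router would assume for a classless prefix, which is the hijack described under "ip classless". Only the standard library is used; the sample addresses are constructed.

```python
"""Scope checks for the IPv4 ranges discussed above.

Added example, not part of the original post. Standard library only;
the addresses used in the demo and docstrings are constructed.
"""
import ipaddress

# The three RFC 1918 private blocks exactly as listed in the post.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Other ranges that must never appear as a source address on the Internet.
# 169.254.0.0/16 is link-local (RFC 3927), not RFC 1918: a host picks one
# of these at random when no DHCP server answers.
SPECIAL = {
    "unspecified": ipaddress.ip_network("0.0.0.0/8"),
    "loopback": ipaddress.ip_network("127.0.0.0/8"),
    "link-local": ipaddress.ip_network("169.254.0.0/16"),
}


def scope(addr: str) -> str:
    """Classify an IPv4 address: 'rfc1918', 'link-local', 'loopback',
    'unspecified' or 'public'. The ranges are checked explicitly rather
    than via ipaddress.is_private, which lumps link-local in with RFC 1918."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("IPv4 addresses only")
    for name, net in SPECIAL.items():
        if ip in net:
            return name
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    return "public"


def is_bogon_source(addr: str) -> bool:
    """True if a packet with this source address arriving from the Internet
    should be dropped at the edge: only public space belongs there."""
    return scope(addr) != "public"


def block_size(cidr: str) -> int:
    """Number of addresses in a CIDR block, e.g. a /22 holds 1024."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def classful_prefix(addr: str) -> int:
    """Prefix length a classful router infers from the first octet alone:
    class A (0-127) /8, class B (128-191) /16, class C (192-223) /24."""
    first = int(addr.split(".")[0])
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError("class D/E addresses carry no classful host mask")


def classful_summary(cidr: str) -> str:
    """The route a classful router carries instead of a classless prefix.
    A /22 out of 172.20.0.0 becomes 172.20.0.0/16, swallowing every other
    subnet of that /16: the route hijack the text above describes."""
    net = ipaddress.ip_network(cidr, strict=False)
    plen = classful_prefix(str(net.network_address))
    return str(ipaddress.ip_network(f"{net.network_address}/{plen}", strict=False))


if __name__ == "__main__":
    for a in ("10.1.2.3", "172.31.0.9", "172.32.0.9", "169.254.7.7", "8.8.8.8"):
        print(a, scope(a), "drop at edge" if is_bogon_source(a) else "forward")
    print("a /22 holds", block_size("10.0.0.0/22"), "addresses")
    print("172.20.4.0/22 on a classful router ->", classful_summary("172.20.4.0/22"))
```

Note that 172.32.0.9 is public: the 172.16.0.0/12 block stops at 172.31.255.255, a boundary that is easy to get wrong in hand-written ACLs.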
The next version of IP addresses, called </span></span></span><a href="http://en.wikipedia.org/wiki/IPv6" target="_blank"><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">IPv6</span></span></span></a><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="color: rgb(0, 0, 153);"><span class="Apple-style-span" style="font-family: 'courier new';">, is 128 bits long, so it has 2^96 (roughly 79 thousand trillion trillion) times as many addresses as IPv4. Even if you gave each of 4.3 billion people on the planet 4.3 billion IP addresses, you would have used only about 18 million trillion (2^64) of them, a negligible fraction of the 2^128 available.</span></span></span></p></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-6176524294759831899.post-89151571821888461652009-02-08T15:58:00.000+05:302009-02-08T16:01:19.288+05:30CBAC with APPFW<div style="text-align: justify;"> <span style="color: rgb(51, 51, 255);"> I have begun my goal of reading the entire 12.4 Security Configuration Guide. I likely won't read it all because many things are probably unrelated to CCIE R&S, but you never really can tell. Especially since the blueprint has "Other Security Features" on it. This configuration is part of CBAC and so I thought I would test a small scenario.</span><br /><br /><span style="color: rgb(51, 51, 255);">R4----s1/0 R5----R6</span><br /><br /><span style="color: rgb(51, 51, 255);">R4 is the http server and R6 is the client. 
Here is how I set them up to verify it's working:</span><br /><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">R4#copy run test.html</span><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">Destination filename [test.html]?</span><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">Erase flash: before copying? [confirm]</span><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">Erasing the flash filesystem will remove all files! Continue? [confirm]</span><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erased</span><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">Erase of flash: complete</span><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">Verifying checksum... OK (0x7071)</span><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">1942 bytes copied in 4.628 secs (420 bytes/sec)</span><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">R4#</span><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">R4#dir</span><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">Directory of flash:/</span><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;"></span><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;"> 1 -rw- 1942 &lt;no date&gt; test.html</span><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;"></span><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">7864316 bytes total (7862308 bytes free)</span><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 
85%;">R4#conf t</span><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">R4(config)#ip http path flash:</span><br /><br /><span style="color: rgb(51, 51, 255);">R4 is set up; now let's test R6, the client:</span><br /><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">R6#copy http://192.168.45.4/test.html flash:</span><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">Destination filename [test.html]?</span><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">Erase flash: before copying? [confirm]</span><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">Erasing the flash filesystem will remove all files! Continue? [confirm]</span><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erased</span><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">Erase of flash: complete</span><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">Loading http://192.168.45.4/test.html !</span><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">Verifying checksum... OK (0x7071)</span><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">1942 bytes copied in 0.688 secs (2823 bytes/sec)</span><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">R6#</span><br /><br /><span style="color: rgb(51, 51, 255);">Good, so we know that works. Now we can configure R5 as the HTTP Application FW. This does require CBAC as well as some new appfw commands which I have never used. There are </span><span style="font-weight: bold; color: rgb(51, 51, 255);">MANY</span> more options besides this, so I suggest you read the DocCD for a more in-depth explanation. 
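Before the router configuration, here is an added Python model of the checks an HTTP application-inspection policy like the one below performs: strict-http validation of the start line and headers, then a content-length minimum/maximum with a reset-plus-alarm action. It is illustration code, not IOS and not from the original post. The content-size alarm text is modelled on the real log line shown later in this post; the strict-http alarm text and the sample HTTP messages are constructed, and the port-misuse check is not modelled.

```python
"""A model of the HTTP application-inspection checks an APPFW policy
applies (strict-http, content-length minimum/maximum). Added example in
Python, not IOS code and not from the original post; the messages at the
bottom are constructed. The port-misuse check is not modelled."""
from __future__ import annotations

from dataclasses import dataclass

# Request methods and protocol versions that strict-http will accept.
METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}
VERSIONS = {"HTTP/1.0", "HTTP/1.1"}


@dataclass
class HttpPolicy:
    """The knobs used under 'appfw policy-name ... / application http'."""
    strict_http: bool = True
    content_length_min: int | None = None
    content_length_max: int | None = None
    length_action: str = "reset"      # action when the length is out of range


@dataclass
class Verdict:
    action: str                       # 'allow' or 'reset'
    alarm: str = ""                   # syslog-style text, empty when nothing fired


def parse_head(raw: bytes) -> tuple[str, dict[str, str]]:
    """Split an HTTP message head into its start line and a header map.
    Raises ValueError for anything that is not well-formed HTTP."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    try:
        text = head.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError("non-ASCII bytes in message head") from exc
    lines = text.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        # No colon, an empty name, or whitespace around the name (obsolete
        # line folding) all count as malformed.
        if not sep or not name or name != name.strip():
            raise ValueError(f"malformed header line {line!r}")
        headers[name.lower()] = value.strip()
    return lines[0], headers


def check_strict(start_line: str) -> None:
    """strict-http: the start line must be a real request or status line."""
    parts = start_line.split(" ")
    if len(parts) >= 3 and parts[0] in METHODS and parts[2] in VERSIONS:
        return                        # request line: METHOD target version
    if len(parts) >= 2 and parts[0] in VERSIONS and parts[1].isdigit():
        return                        # status line: version code reason
    raise ValueError(f"not RFC-compliant HTTP: {start_line!r}")


def inspect(raw: bytes, policy: HttpPolicy, src: str, dst: str) -> Verdict:
    """Apply the policy to one message head and return the action taken."""
    try:
        start_line, headers = parse_head(raw)
        if policy.strict_http:
            check_strict(start_line)
    except ValueError as exc:
        # Alarm text for strict-http violations is an assumption; only the
        # content-size message below is modelled on the real log line.
        return Verdict("reset", f"strict-http violation ({exc}) from {src} to {dst}")
    if "content-length" not in headers:
        return Verdict("allow")       # nothing to bound; body length unknown
    if not headers["content-length"].isdigit():
        return Verdict("reset", f"non-numeric Content-Length from {src} to {dst}")
    size = int(headers["content-length"])
    lo, hi = policy.content_length_min, policy.content_length_max
    if (lo is not None and size < lo) or (hi is not None and size > hi):
        return Verdict(policy.length_action,
                       f"%APPFW-4-HTTP_CONT_TYPE_SIZE: Content size {size} out of range - "
                       f"{policy.length_action.title()} - from {src} to {dst}")
    return Verdict("allow")


# Constructed sample: the reply R4 would send for the 1942-byte test.html,
# and the session endpoints the router logs.
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            b"Content-Length: 1942\r\n\r\n<html>...</html>")
SESSION = ("192.168.56.6:25101", "192.168.45.4:80")

if __name__ == "__main__":
    for minimum in (1945, 1942):
        v = inspect(RESPONSE, HttpPolicy(content_length_min=minimum), *SESSION)
        print(f"minimum {minimum}: {v.action} {v.alarm}")
```

A message with no Content-Length header passes the length check untouched, so a minimum on its own says nothing about chunked transfers; that is one reason the IOS policy pairs it with strict-http and a port-misuse check.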
I just wanted to get the gist of it here:<br /><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">ip inspect name APPFW appfw HTTPFW</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">ip inspect name APPFW http</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">!</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">appfw policy-name HTTPFW</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;"> application http</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;"> strict-http action allow alarm</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;"> content-length minimum 1945 action reset alarm</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;"> port-misuse tunneling action reset</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">interface Serial1/0</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;"> description TO R4</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;"> ip inspect APPFW out</span></span><br /><br /><span style="color: rgb(51, 51, 255);">Notice the minimum content length is 1945 bytes. 
This will prevent R6 from copying the file via HTTP, because the server's reply carries a Content-Length below the minimum (test.html is 1942 bytes, as we can see above):</span><br /><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">R6#copy http://192.168.45.4/test.html flash:</span><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">Destination filename [test.html]?</span><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">Erase flash: before copying? [confirm]n</span><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">%Error opening http://192.168.45.4/test.html (I/O error)</span><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">R6#</span><br /><br /><span style="color: rgb(51, 51, 255);">Jump to R5 and see the message:</span><br /><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">R5#</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">*Mar 2 05:34:02.708: %APPFW-4-HTTP_CONT_TYPE_SIZE: Sig:11 Content size 1942 out of range - Reset - Content size out-of-bounds from 192.168.56.6:25101 to 192.168.45.4:80</span></span><br /><br /><span style="color: rgb(51, 51, 255);">If we change the minimum content length to 1942, everything works as expected:</span><br /><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">R5(config)#appfw policy-name HTTPFW </span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">R5(cfg-appfw-policy)#application http </span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">R5(cfg-appfw-policy-http)#content-length minimum 1942 action reset alarm</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"></span><br /><span style="color: rgb(51, 51, 255); 
font-size: 85%;"><span style="font-family: courier new;">R6#copy http://192.168.45.4/test.html flash:</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">Destination filename [test.html]? </span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">%Warning:There is a file already existing with this name </span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">Do you want to over write? [confirm]y</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">Erase flash: before copying? [confirm]n</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">Loading http://192.168.45.4/test.html !</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">Verifying checksum... OK (0x7071)</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">1942 bytes copied in 0.396 secs (4904 bytes/sec)</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">R6#<br /><br /></span></span></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-6176524294759831899.post-23366061511851576942009-02-08T15:55:00.000+05:302009-02-08T15:56:08.419+05:30BGP aggregation with suppress-map<div style="text-align: justify; color: rgb(51, 51, 255);"> This scenario involves use of the suppress-map with BGP aggregate-address command. 
It is fairly simple to understand but I could use the practice.<br /><br />R1 is getting the following routes from R2 in AS 200:<br /><br />R1#show ip bgp | Begin Network<br /> Network Next Hop Metric LocPrf Weight Path<br />*> 2.2.2.2/32 172.12.12.22 0 0 200 i<br />r> 2.2.2.3/32 172.12.12.22 0 0 200 i<br />*> 200.1.1.2/32 172.12.12.22 0 0 200 i<br />*> 200.2.2.2/32 172.12.12.22 0 0 200 i<br />*> 200.3.3.2/32 172.12.12.22 0 0 200 i<br /><br />On R2 we can configure aggregation with the following command:<br /><br />R2(config-router)#aggregate-address 200.0.0.0 255.0.0.0<br /><br />Without clearing BGP, here is R1's BGP table with the aggregate 200.0.0.0/8:<br /><br />R1#show ip bgp | Begin Network<br /> Network Next Hop Metric LocPrf Weight Path<br />*> 2.2.2.2/32 172.12.12.22 0 0 200 i<br />r> 2.2.2.3/32 172.12.12.22 0 0 200 i<br />*> 200.0.0.0/8 172.12.12.22 0 0 200 i<br />*> 200.1.1.2/32 172.12.12.22 0 0 200 i<br />*> 200.2.2.2/32 172.12.12.22 0 0 200 i<br />*> 200.3.3.2/32 172.12.12.22 0 0 200 i<br /><br />Suppose we wanted to suppress only some of the "component routes", but not all. 
With the summary-only keyword we would suppress all, but with a suppress-map we can suppress a few.<br /><br />On R2 we add the following:<br /><br />access-list 50 permit 200.1.1.2<br />access-list 50 permit 200.3.3.2<br />!<br />route-map BLOCK permit 10<br />match ip address 50<br />!<br />router bgp 200<br />aggregate-address 200.0.0.0 255.0.0.0 suppress-map BLOCK<br />!<br /><br />Note that the access-list "permits" the networks and the suppress-map suppresses whatever networks the ACL permits, so "permit" means suppress here, the reverse of what it means in an ordinary filter.<br /><br />Now on R1 we have:<br /><br />R1#show ip bgp | Begin Network<br /> Network Next Hop Metric LocPrf Weight Path<br />*> 2.2.2.2/32 172.12.12.22 0 0 200 i<br />r> 2.2.2.3/32 172.12.12.22 0 0 200 i<br />*> 200.0.0.0/8 172.12.12.22 0 0 200 i<br />*> 200.2.2.2/32 172.12.12.22 0 0 200 i </div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-6176524294759831899.post-84659097916828585592009-02-08T15:54:00.002+05:302009-02-08T15:55:36.236+05:30BGP aggregation with unsuppress-map option<div style="text-align: justify; color: rgb(51, 51, 255);"> R1 [AS 100] connects to R2 [AS 200]<br /><br />R1 is currently summarizing a bunch of subnets in the 1.0.0.0/8 range.<br /><br />R1# show ip route | in C<br />Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP<br />C 1.1.1.1/32 is directly connected, Loopback0<br />C 1.3.3.3/32 is directly connected, Loopback3<br />C 1.2.2.2/32 is directly connected, Loopback2<br />C 1.5.5.5/32 is directly connected, Loopback5<br />C 1.4.4.4/32 is directly connected, Loopback4<br />C 1.7.7.7/32 is directly connected, Loopback7<br />C 1.6.6.6/32 is directly connected, Loopback6<br /><br />R1 is configured as such:<br /><br />router bgp 100<br />no synchronization<br />bgp log-neighbor-changes<br />network 1.1.1.1 mask 255.255.255.255<br />network 1.2.2.2 mask 255.255.255.255<br />network 1.3.3.3 mask 255.255.255.255<br />network 1.4.4.4 mask 255.255.255.255<br />network 1.5.5.5 mask 
255.255.255.255<br />aggregate-address 1.0.0.0 255.0.0.0 summary-only<br />neighbor 172.12.12.2 remote-as 200<br />neighbor 172.12.14.4 remote-as 100<br /><br />The following route shows up on R2:<br /><br />R2#show ip bgp | begin Network<br /> Network Next Hop Metric LocPrf Weight Path<br />* 1.0.0.0 172.12.23.3 0 300 100 i<br />*> 172.12.12.1 0 100 i<br /><br />As you can see we are suppressing all of the 1.0.0.0 subnets. Suppose we wanted to advertise some of the subnets as well; to do so we can use the unsuppress-map option on the neighbor command.<br /><br />On R1:<br /><br />R1(config)#access-list 12 permit 1.1.1.1<br />R1(config)#access-list 12 permit 1.2.2.2<br />R1(config)#access-list 12 permit 1.3.3.3<br />R1(config)#route-map ALLOW<br />R1(config-route-map)#match ip address 12<br />R1(config-route-map)#exit<br />R1(config)#router bgp 100<br />R1(config-router)#neighbor 172.12.12.2 unsuppress-map ALLOW<br /><br />Clear BGP (a hard reset like this tears the session down; "clear ip bgp 172.12.12.2 soft out" would re-send the updates without dropping the neighbor):<br /><br />R1#clear ip bgp *<br />R1#<br />00:41:47: %BGP-5-ADJCHANGE: neighbor 172.12.12.2 Down User reset<br />00:42:28: %BGP-5-ADJCHANGE: neighbor 172.12.12.2 Up<br /><br />Now on R2 we have "unsuppressed" 3 routes:<br /><br />R2#show ip bgp | inc 1\.<br />* 1.0.0.0 172.12.23.3 0 300 100 i<br />*> 1.1.1.1/32 172.12.12.1 0 0 100 i<br />*> 1.2.2.2/32 172.12.12.1 0 0 100 i<br />*> 1.3.3.3/32 172.12.12.1 0 0 100 i </div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-6176524294759831899.post-21726745315073699712009-02-08T15:54:00.001+05:302009-02-08T15:54:41.974+05:30BGP no-export community<div style="text-align: justify; color: rgb(51, 51, 255);"> This is gonna be short and hopefully sweet. I'll leave some blanks in here so you can fill in the rest...<br /><br />R4 (AS3) connects to R1 via EBGP<br />R1 connects to R2 via IBGP (AS 2)<br />R2 connects to R5 (AS1) via EBGP<br /><br />We don't want AS2 to become a transit AS between R4 and R5 so we can use the no-export community to accomplish this. 
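Added example in Python (not router configuration and not from the original post): how the "_3$" AS-path filter this post goes on to configure behaves, the AS-prepend bypass the post warns about at the end, and the neighbor-keyed alternative it recommends. The prefix and AS numbers follow the post's topology (R4 is AS 3, AS 2 must not become transit); the prepended ASN 65000 is an arbitrary constructed value, and the assumption that IOS puts the local AS leftmost when it prepends is noted in the code.

```python
"""Cisco-style AS-path regex matching and the no-export policy this post
builds, plus the prepend bypass it warns about. Added example in Python,
not router configuration and not from the original post. The prefix and
AS numbers follow the post's topology (R4 = AS 3, AS 2 is the transit to
avoid); the prepended ASN 65000 is an arbitrary constructed value."""
import re

Route = tuple[list[int], set[str]]     # (AS_PATH, communities)


def ios_as_path_regex(pattern: str) -> "re.Pattern":
    """Translate an IOS as-path regex into a Python one. In IOS '_' matches
    the start or end of the path, a space, comma, brace or parenthesis."""
    return re.compile(pattern.replace("_", r"(?:^|$|[ ,{}()])"))


def as_path_matches(pattern: str, as_path: list[int]) -> bool:
    """True if the path matches, using the same 'AS AS AS' text IOS matches on."""
    return ios_as_path_regex(pattern).search(" ".join(map(str, as_path))) is not None


def ebgp_advertise(local_as: int, as_path: list[int], prepend: tuple[int, ...] = ()) -> list[int]:
    """The AS_PATH an eBGP neighbour receives: the sender's own AS first,
    then anything from a 'set as-path prepend' route-map, then the old path
    (assumed IOS ordering: the local AS is always leftmost)."""
    return [local_as, *prepend, *as_path]


def noexport_by_origin(routes: dict[str, Route], pattern: str = "_3$") -> dict[str, Route]:
    """The post's route-map: set no-export only where the AS_PATH matches."""
    out: dict[str, Route] = {}
    for prefix, (path, comms) in routes.items():
        tagged = set(comms)
        if as_path_matches(pattern, path):
            tagged.add("no-export")
        out[prefix] = (path, tagged)
    return out


def noexport_by_neighbor(routes_from_r4: dict[str, Route]) -> dict[str, Route]:
    """The safer alternative the post suggests: tag everything learned on the
    R4 session, whatever AS_PATH it carries."""
    return {p: (path, set(c) | {"no-export"}) for p, (path, c) in routes_from_r4.items()}


def announced_to_r5(routes: dict[str, Route]) -> list[str]:
    """Prefixes R2 would announce to its eBGP peer R5: no-export keeps a
    route inside AS 2, so only untagged prefixes leave."""
    return sorted(p for p, (_, c) in routes.items() if "no-export" not in c)


def demo() -> dict[str, list[str]]:
    """R4 announces 204.12.1.0/24 honestly, then with a foreign AS prepended."""
    honest = {"204.12.1.0/24": (ebgp_advertise(3, []), set())}
    bypass = {"204.12.1.0/24": (ebgp_advertise(3, [], prepend=(65000,)), set())}
    return {
        "honest, filter _3$": announced_to_r5(noexport_by_origin(honest)),
        "bypass, filter _3$": announced_to_r5(noexport_by_origin(bypass)),
        "bypass, neighbor tag": announced_to_r5(noexport_by_neighbor(bypass)),
    }


if __name__ == "__main__":
    for case, leaked in demo().items():
        print(f"{case}: {'leaks ' + ', '.join(leaked) if leaked else 'blocked'}")
```

The "_" anchor matters: a plain "3$" would also match a path ending in AS 13, while "_3$" only matches a whole AS number. It still keys on what the remote AS chooses to put in the path, which is why tagging by neighbor is the robust choice.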
There are several ways to do this, but here is one using AS-path access-lists. AS-path access-lists are awesome because they use regexp.<br /><br />So on R1 we create an AS-path access list to match any routes originating in R4's AS:<br /><br />ip as-path access-list 1 permit _3$<br /><br />Then we create a route-map and apply it to the R2 neighbor going outbound (send-community is needed because IOS does not send communities to a neighbor by default):<br /><br />route-map noexport permit 10<br />match as-path 1<br />set community no-export<br /><br />route-map noexport permit 20<br /><br />router bgp 2<br />neighbor 155.1.23.2 send-community<br />neighbor 155.1.23.2 route-map noexport out<br /><br />Now on R2 we have this:<br /><br />R2#show ip bgp 204.12.1.0 | inc Community<br /> Community: no-export<br /><br />R5 does not have the route!<br /><br />R5#show ip bgp 204.12.1.0<br />% Network not in table<br />R5#<br /><br />You can do the reverse on R2 to accomplish the two-way restriction. Also note that R4 can bypass this by prepending a foreign AS number to its routes, so that the path no longer ends in 3! A better way would be to add the no-export community to all routes learned from R4 (an inbound route-map on the R4 neighbor with no match clause), not just the ones originating in R4's AS. But I just wanted to see the flexibility of route-maps and as-path access lists with communities. </div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-6176524294759831899.post-23951335307279101692009-02-08T15:53:00.000+05:302009-02-08T15:54:04.849+05:30BGP - External confederation peers<div style="text-align: justify;"> <span style="color: rgb(51, 51, 255);"> It is important to remember when doing confederations that although external confederation peers behave like EBGP peers in several ways, they do NOT modify the next hop without manual configuration.</span><br /><br /><span style="color: rgb(51, 51, 255);">Example:</span><br /><br /><span style="color: rgb(51, 51, 255);">R4 --- [[R1---R3]---[R2]]---R5</span><br /><br /><span style="color: rgb(51, 51, 255);">R1, R2 and R3 are in AS#2 as far as R4 and R5 are concerned. 
But R1 and R3 share sub-AS 65013, and R2 is in sub-AS 65002. Confederations allow R3 to advertise routes learned from R1 to R2 and vice-versa. Without confederations, this would not happen because routes learned from IBGP neighbors do not get advertised to other IBGP neighbors.</span><br /><br /><span style="color: rgb(51, 51, 255);">Confederations allow this to happen but be careful with the next hop attribute. When R2 passes routes learned from R5 to R3, it will not modify the next hop, but instead leave it pointing to R5. You must configure next-hop-self on R2's neighbor statement for R3 (or give R3 a route to the R2-R5 network) before R3 will install these routes.</span><br /><br /><span style="color: rgb(51, 51, 255);">Suppose the network in question is 155.1.5.0/24. Here is the output of show ip bgp before the change:</span><br /><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">R3#show ip bgp 155.1.5.0</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">BGP routing table entry for 155.1.5.0/24, version 5</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">Paths: (1 available, no best path)</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">Flag: 0x208</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;"> Not advertised to any peer</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;"> (65002) 1</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;"> 155.1.0.5 (inaccessible) from 155.1.23.2 (155.1.23.2)</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;"> Origin IGP, metric 0, localpref 
100, valid, external</span><span style="font-family: courier new;"></span></span><br /><br /><span style="color: rgb(51, 51, 255);">And after the change:</span><br /><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">R3#show ip bgp 155.1.5.0</span><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">BGP routing table entry for 155.1.5.0/24, version 7</span><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">Paths: (1 available, best #1, table Default-IP-Routing-Table)</span><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">Flag: 0x208</span><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">Advertised to non peer-group peers:</span><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">155.1.13.1</span><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">(65002) 1</span><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;"> 155.1.23.2 from 155.1.23.2 (155.1.23.2)</span><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;"> Origin IGP, metric 0, localpref 100, valid, external, best</span></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-6176524294759831899.post-86647304987520856682009-02-08T15:52:00.002+05:302009-02-08T15:53:23.920+05:30BGP - Troubleshooting AS Paths with confederations<div style="text-align: justify; color: rgb(51, 51, 255);"> I ran into an issue while doing BGP confederations today. In the topology below, I was seeing sub-AS 65013 in the AS PATH on R5 for routes to VLAN4. 
I found out the problem but I decided to post this so if you ever see this issue, you can tell what it looks like.<br /><br />VLAN4--R4---[[R1---R3]---[R2]]---R5--VLAN5 and 58<br /><br />R4 = AS 3<br />R1,R3 = sub-AS 65013, AS 2<br />R2 = sub-AS 65002, AS 2<br />R5 = AS 1<br /><br />VLAN4 = 204.12.1.0<br />VLAN5 = 155.1.5.0<br />VLAN58 = 155.1.58.0<br /><br />Study the outputs below. Notice that R5 still sees sub-AS 65013 in its routes to R4. The AS PATH should be: 2 3. What is the error I made?<br /><br />-------------------------------------------------------------------------------<br /><br />In the below output, R4 sees R5's VLANs coming from AS 1 and AS 2. There is no way of telling these come from confederations.<br /><span style="font-size: 85%;"></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R4#show ip bgp</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">BGP table version is 20, local router ID is 4.4.4.4</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">Status codes: s suppressed, d damped, h history, * valid, > best, i - internal</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">Origin codes: i - IGP, e - EGP, ? 
- incomplete</span></span><br /><span style="font-size: 85%;"></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> Network Next Hop Metric LocPrf Weight Path</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 155.1.5.0/24 155.1.146.1 0 2 1 i</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 155.1.58.0/24 155.1.146.1 0 2 1 i</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 204.12.1.0 0.0.0.0 0 32768 i</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R4#</span></span><br /><br />-------------------------------------------------------------------------------<br /><br />R1 sees both of R5's VLANs as coming from AS 1 and sub-AS 65002. R1's sub-AS 65013 is a confederation peer of sub-AS 65002, so the sub-AS shows in parentheses.<br /><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R1#show ip bgp</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">BGP table version is 8, local router ID is 155.1.146.1</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">Status codes: s suppressed, d damped, h history, * valid, > best, i - internal</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">Origin codes: i - IGP, e - EGP, ? 
- incomplete</span></span><br /><span style="font-size: 85%;"></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> Network Next Hop Metric LocPrf Weight Path</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*>i155.1.5.0/24 155.1.23.2 0 100 0 (65002) 1 i</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*>i155.1.58.0/24 155.1.23.2 0 100 0 (65002) 1 i</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 204.12.1.0 155.1.146.4 0 0 3 i</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R1#</span></span><br /><br />-------------------------------------------------------------------------------<br /><br />R3 sees the same thing as R1.<br /><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R3#show ip bgp</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">BGP table version is 8, local router ID is 155.1.37.3</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">Status codes: s suppressed, d damped, h history, * valid, > best, i - internal</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">Origin codes: i - IGP, e - EGP, ? 
- incomplete</span></span><br /><span style="font-size: 85%;"></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> Network Next Hop Metric LocPrf Weight Path</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 155.1.5.0/24 155.1.23.2 0 100 0 (65002) 1 i</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 155.1.58.0/24 155.1.23.2 0 100 0 (65002) 1 i</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*>i204.12.1.0 155.1.13.1 0 100 0 3 i</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R3#</span></span><br /><br />-------------------------------------------------------------------------------<br /><br />R2 sees R5's VLANs as originating from AS 1. It also sees R4's VLAN as coming from AS 3 and AS 65013 - not sure why there aren't parentheses around 65013 in this case...<br /><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R2#sho ip bgp</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">BGP table version is 4, local router ID is 155.1.23.2</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">Status codes: s suppressed, d damped, h history, * valid, > best, i - internal</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">Origin codes: i - IGP, e - EGP, ? 
- incomplete</span></span><br /><span style="font-size: 85%;"></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> Network Next Hop Metric LocPrf Weight Path</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 155.1.5.0/24 155.1.0.5 0 0 1 i</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 155.1.58.0/24 155.1.0.5 0 0 1 i</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 204.12.1.0 155.1.13.1 0 100 0 65013 3 i</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R2#</span></span><br /><br />-------------------------------------------------------------------------------<br /><br />Here R5 sees R4's VLAN as coming through AS 3, then 65013, then AS 2. Why is 65013 appearing?<br /><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R5#show ip bgp</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">BGP table version is 22, local router ID is 5.5.5.5</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">Status codes: s suppressed, d damped, h history, * valid, > best, i - internal</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">Origin codes: i - IGP, e - EGP, ? 
- incomplete</span></span><br /><span style="font-size: 85%;"></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> Network Next Hop Metric LocPrf Weight Path</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 155.1.5.0/24 0.0.0.0 0 32768 i</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 155.1.58.0/24 0.0.0.0 0 32768 i</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 204.12.1.0 155.1.0.2 0 2 65013 3 i</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R5#</span></span><br /><br />-------------------------------------------------------------------------------<br /><br />It turns out the error was on R3:<br /><br /><span style="font-size: 85%;"><span style="font-family: courier new;">router bgp 65013</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> no synchronization</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> bgp log-neighbor-changes</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> bgp confederation peers 65002</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> neighbor 155.1.13.1 remote-as 65013</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> neighbor 155.1.23.2 remote-as 65002</span></span><br /><br />I don't have a bgp confederation identifier!<br /><br />Let's fix it:<br /><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R3(config)#router bgp 65013</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R3(config-router)#bgp confederation identifier 2</span></span><br /><br />That's much better:<br /><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R5#show ip bg</span></span><br 
/><span style="font-size: 85%;"><span style="font-family: courier new;">BGP table version is 24, local router ID is 5.5.5.5</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">Status codes: s suppressed, d damped, h history, * valid, > best, i - internal</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">Origin codes: i - IGP, e - EGP, ? - incomplete</span></span><br /><span style="font-size: 85%;"></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> Network Next Hop Metric LocPrf Weight Path</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 155.1.5.0/24 0.0.0.0 0 32768 i</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 155.1.58.0/24 0.0.0.0 0 32768 i</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 204.12.1.0 155.1.0.2 0 2 3 i</span></span></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-6176524294759831899.post-86032589380894398192009-02-08T15:52:00.001+05:302009-02-08T15:52:36.077+05:30BGP - Aggregation with advertise-map<div style="text-align: justify;"> <span style="color: rgb(51, 51, 255);"> R1, R2 and R3 connect to R5 via Frame Relay:</span><br /><br /><span style="color: rgb(51, 51, 255);">R1-\</span><br /><span style="color: rgb(51, 51, 255);">R2---R5</span><br /><span style="color: rgb(51, 51, 255);">R3-/</span><br /><br /><span style="color: rgb(51, 51, 255);">These 3 spokes are EBGP peers with R5.</span><br /><span style="color: rgb(51, 51, 255);">These routes are advertised into BGP:</span><br /><br /><span style="color: rgb(51, 51, 255);">R1, loopback 150.1.1.1 AS1</span><br /><span style="color: rgb(51, 51, 255);">R2, loopback 150.1.2.2 AS2</span><br /><span style="color: rgb(51, 51, 255);">R3, loopback 150.1.3.3 AS3</span><br /><span style="color: rgb(51, 51, 255);">R5, loopback 150.1.5.5 AS5</span><br /><br 
/><span style="color: rgb(51, 51, 255);">Here are R3's and R5's BGP tables before any aggregation:</span><br /><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">R5#show ip bgp | begin Network</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;"> Network Next Hop Metric LocPrf Weight Path</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">*> 150.1.1.0/24 155.1.0.1 0 0 1 i</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">*> 150.1.2.0/24 155.1.0.2 0 0 2 i</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">*> 150.1.3.0/24 155.1.0.3 0 0 3 i</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">*> 150.1.5.0/24 0.0.0.0 0 32768 i</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">R3#show ip bgp | begin Network</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;"> Network Next Hop Metric LocPrf Weight Path</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">*> 150.1.1.0/24 155.1.0.1 0 5 1 i</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">*> 150.1.2.0/24 155.1.0.2 0 5 2 i</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">*> 150.1.3.0/24 0.0.0.0 0 32768 i</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">*> 150.1.5.0/24 155.1.0.5 0 0 5 i</span></span><br /><br /><span style="color: 
rgb(51, 51, 255);">Suppose R5 wants to advertise a summary-only aggregate to R3:</span><br /><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">R5(config)#router bgp 5</span><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">R5(config-router)#aggregate-address 150.1.0.0 255.255.248.0 as-set summary-only</span><br /><br /><span style="color: rgb(51, 51, 255);">R3 will deny the route because of the as-set option, which makes R5 include the component routes' AS numbers as an unordered set (an AS_SET) in the AS PATH. That set contains R3's own AS 3, so R3's loop check drops the update:</span><br /><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">R3#show ip bgp | begin Network</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;"> Network Next Hop Metric LocPrf Weight Path</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">*> 150.1.3.0/24 0.0.0.0 0 32768 i</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">R3#debug ip bgp updates</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">00:37:37: BGP(0): 155.1.0.5 rcv UPDATE w/ attr: nexthop 155.1.0.5, origin i, aggregated by 5 150.1.5.5, originator 0.0.0.0, path 5 {1,2,3}, community , extended community</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">00:37:37: BGP(0): 155.1.0.5 rcv UPDATE about 150.1.0.0/21 -- DENIED due to: AS-PATH contains our own AS;</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">R3#</span></span><br /><br /><span style="color: rgb(51, 51, 255);">We can have R5 leave R3's attributes (its AS number in the AS PATH) out of the aggregate by using an advertise-map. 
This will allow R3 to receive the aggregate.</span><br /><br /><span style="color: rgb(51, 51, 255);">First we create a prefix-list to match the route:</span><br /><br /><span style="font-size: 85%; color: rgb(51, 51, 255);"><span style="font-family: courier new;">R5(config)#ip prefix-list R3 permit 150.1.3.0/24</span></span><br /><br /><span style="color: rgb(51, 51, 255);">Then we create a route-map; note that the first entry denies the prefix. A route matched by a deny entry is still summarized, but its attributes (including its AS number) are NOT merged into the aggregate's attributes:</span><br /><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">R5(config)#route-map DENY3 deny 10</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">R5(config-route-map)#match ip address prefix-list R3</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">R5(config-route-map)#exit</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">R5(config)#route-map DENY3 permit 20</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">R5(config-route-map)#exit</span></span><br /><br /><span style="color: rgb(51, 51, 255);">Finally, we apply the advertise-map to the aggregate-address command under the BGP process:</span><br /><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">R5(config)#router bgp 5</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">R5(config-router)#aggregate-address 150.1.0.0 255.255.248.0 as-set summary-only advertise-map DENY3</span></span><br /><br /><span style="color: rgb(51, 51, 255);">Here are the final results:</span><br /><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier 
new;">R5#show ip bgp | begin Network</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;"> Network Next Hop Metric LocPrf Weight Path</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">*> 150.1.0.0/21 0.0.0.0 32768 {1,2} i</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">s> 150.1.1.0/24 155.1.0.1 0 0 1 i</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">s> 150.1.2.0/24 155.1.0.2 0 0 2 i</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">s> 150.1.3.0/24 155.1.0.3 0 0 3 i</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">s> 150.1.5.0/24 0.0.0.0 0 32768 i</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">R5#</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">R3#</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">00:46:26: BGP(0): 155.1.0.5 update run completed, afi 0, ran for 4ms, neighbor v</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">ersion 35, start version 38, throttled to 38</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">00:46:26: BGP(0): 155.1.0.5 rcvd UPDATE w/ attr: nexthop 155.1.0.5, origin i, at</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">omic-aggregate, aggregated by 5 150.1.5.5, path 5 {1,2}</span></span><br /><span 
style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">00:46:26: BGP(0): 155.1.0.5 rcvd 150.1.0.0/21</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">00:46:26: BGP(0): Revise route installing 150.1.0.0/21 -> 155.1.0.5 to main IP t</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">able</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">R3#</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">R3#show ip bgp | begin Network</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;"> Network Next Hop Metric LocPrf Weight Path</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">*> 150.1.0.0/21 155.1.0.5 0 5 {1,2} i</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">*> 150.1.3.0/24 0.0.0.0 0 32768 i</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">R3#</span></span><br /><br /><span style="color: rgb(51, 51, 255);">Notice that the aggregate's AS PATH now carries only AS1 and AS2 in the set. Since R3's own AS is no longer present, R3 installs the aggregate in its BGP table. 
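To make the mechanism concrete, here is a small Python model (an added example, not Cisco IOS code and not part of the original post) of how the as-set aggregate's AS_SET is assembled from the component routes on R5, how the advertise-map keeps R3's AS out of it, and why R3's loop check rejected the first version. The Route type, the function names and the transcription of R5's table are my own; the route-map DENY3 is modelled as a plain predicate, and the loop check is the generic "AS-PATH contains our own AS" test, which looks inside the AS_SET as well as the AS_SEQUENCE.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str      # e.g. "150.1.3.0/24"
    as_path: tuple   # AS_SEQUENCE as received; () for a locally originated route


# R5's BGP table before aggregation, transcribed from the post (AS numbers only).
R5_TABLE = (
    Route("150.1.1.0/24", (1,)),
    Route("150.1.2.0/24", (2,)),
    Route("150.1.3.0/24", (3,)),
    Route("150.1.5.0/24", ()),
)


def deny3_advertise_map(route):
    """Models route-map DENY3: seq 10 denies prefix-list R3 (150.1.3.0/24),
    seq 20 permits everything else. False means the route is still covered by
    the aggregate but contributes no attributes to it."""
    return route.prefix != "150.1.3.0/24"


def build_as_set(table, aggregate, advertise_map=None):
    """AS_SET an 'aggregate-address ... as-set' carries: the union of the AS
    numbers of every component route the advertise-map (if any) permits."""
    agg = ipaddress.ip_network(aggregate)
    as_set = set()
    for route in table:
        if not ipaddress.ip_network(route.prefix).subnet_of(agg):
            continue                      # not a component of this aggregate
        if advertise_map is not None and not advertise_map(route):
            continue                      # summarized, but attributes dropped
        as_set.update(route.as_path)
    return frozenset(as_set)


def ebgp_advertise(as_set, local_as):
    """AS_PATH as an eBGP neighbour sees it: the advertising router prepends
    its own AS as an AS_SEQUENCE in front of the unordered AS_SET."""
    return ((local_as,), as_set)


def format_path(path):
    """Render the path the way 'show ip bgp' prints it, e.g. '5 {1,2,3}'."""
    seq, as_set = path
    parts = [str(a) for a in seq]
    if as_set:
        parts.append("{" + ",".join(str(a) for a in sorted(as_set)) + "}")
    return " ".join(parts)


def receiver_accepts(path, receiver_as):
    """The check behind 'DENIED due to: AS-PATH contains our own AS': both the
    AS_SEQUENCE and the AS_SET are searched for the receiver's AS number."""
    seq, as_set = path
    return receiver_as not in seq and receiver_as not in as_set


def demo():
    """Run both variants from the post and report what R3 (AS 3) does."""
    results = {}
    for label, rmap in (("as-set summary-only", None),
                        ("with advertise-map DENY3", deny3_advertise_map)):
        path = ebgp_advertise(build_as_set(R5_TABLE, "150.1.0.0/21", rmap), 5)
        results[label] = (format_path(path), receiver_accepts(path, 3))
    return results


if __name__ == "__main__":
    for label, (path, ok) in demo().items():
        print(f"{label:26s} path {path:11s} accepted by R3 (AS 3): {ok}")
```

Running it reproduces the two debug lines from the post: the plain as-set aggregate arrives at R3 as `5 {1,2,3}` and is refused, the DENY3 version arrives as `5 {1,2}` and is installed. The model also shows the flip side of the technique: with DENY3 the set still contains 1 and 2, so the same aggregate would be refused by R1 and R2 for the same reason, and each spoke that should receive it needs its own AS kept out of the set.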
</span></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-6176524294759831899.post-50423568768758215452009-02-08T15:51:00.001+05:302009-02-08T15:51:57.450+05:30BGP - Conditional Advertisement with non-exist-map<div style="text-align: justify;"> <span style="color: rgb(51, 51, 255);"> It took me a while to get this going for some reason, but here is the doc that helped me out:</span><br /><br /><span style="color: rgb(51, 51, 255);">Configuring and Verifying the BGP Conditional Advertisement Feature</span><br /><br /><span style="color: rgb(51, 51, 255);">Here's my example:</span><br /><br /><span style="color: rgb(51, 51, 255);">[R1]---[R4]---[R5]</span><br /><br /><span style="color: rgb(51, 51, 255);">Each router is in its own AS.</span><br /><br /><span style="color: rgb(51, 51, 255);">R1 is advertising 10.1.0.0/16 to R4.</span><br /><span style="color: rgb(51, 51, 255);">If this route fails, then R4 should advertise 4.4.4.0/24 to R5.</span><br /><span style="color: rgb(51, 51, 255);">If 10.1.0.0/16 appears in R4's BGP table, then it should stop advertising 4.4.4.0/24.</span><br /><br /><span style="color: rgb(51, 51, 255);">R4 is where the action is, so let's have a look:</span><br /><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">!</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">interface Loopback0</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;"> ip address 4.4.4.4 255.255.255.0</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">!</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">router bgp 4</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;"> no synchronization</span></span><br 
/><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;"> bgp log-neighbor-changes</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;"> network 4.4.4.0 mask 255.255.255.0</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;"> neighbor 155.1.45.5 remote-as 5</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;"> neighbor 155.1.45.5 advertise-map ADV non-exist-map NON</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;"> neighbor 155.1.146.1 remote-as 1</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;"> no auto-summary</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">!</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">access-list 10 permit 10.1.0.0 0.0.255.255</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">access-list 40 permit 4.4.4.0 0.0.0.255</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">!</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">route-map NON permit 10</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;"> match ip address 10</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">!</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">route-map ADV permit 10</span></span><br /><span style="color: rgb(51, 51, 255); 
font-size: 85%;"><span style="font-family: courier new;"> match ip address 40</span></span><br /><br /><span style="color: rgb(51, 51, 255);">10.1.0.0/16 is actually a loopback network on R1, so we can test easily by shutting / no shutting the interface. Right now it is up. Let's check the BGP tables on R4 and R5:</span><br /><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">R4#show ip bgp | begin Network</span><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;"> Network Next Hop Metric LocPrf Weight Path</span><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">*> 4.4.4.0/24 0.0.0.0 0 32768 i</span><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">*> 10.1.0.0/16 155.1.146.1 0 0 1 i</span><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;"></span><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">R5#show ip bgp | begin Network</span><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;"> Network Next Hop Metric LocPrf Weight Path</span><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">*> 10.1.0.0/16 155.1.45.4 0 4 1 i</span><br /><br /><span style="color: rgb(51, 51, 255);">Now let's shut the interface on R1:</span><br /><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">R1(config)#int lo 1</span></span><br /><span style="color: rgb(51, 51, 255); font-size: 85%;"><span style="font-family: courier new;">R1(config-if)#shut</span></span><br /><br /><span style="color: rgb(51, 51, 255);">Now check R4 and R5 again:</span><br /><br /><span style="font-size: 85%; color: rgb(51, 51, 255);"><span style="font-family: courier new;">R4#show ip bgp | begin Network</span></span><br /><span style="font-size: 85%; color: rgb(51, 51, 255);"><span 
style="font-family: courier new;"> Network Next Hop Metric LocPrf Weight Path</span></span><br /><span style="font-size: 85%; color: rgb(51, 51, 255);"><span style="font-family: courier new;">*> 4.4.4.0/24 0.0.0.0 0 32768 i</span></span><br /><span style="font-size: 85%; color: rgb(51, 51, 255);"></span><br /><span style="font-size: 85%; color: rgb(51, 51, 255);"><span style="font-family: courier new;">R5#debug ip bgp updates</span></span><br /><span style="font-size: 85%; color: rgb(51, 51, 255);"><span style="font-family: courier new;">BGP updates debugging is on for address family: IPv4 Unicast</span></span><br /><span style="font-size: 85%; color: rgb(51, 51, 255);"><span style="font-family: courier new;">*Mar 1 01:59:35.787: BGP(0): 155.1.45.4 rcvd UPDATE w/ attr: nexthop 155.1.45.4, origin i, metric 0, path 4</span></span><br /><span style="font-size: 85%; color: rgb(51, 51, 255);"><span style="font-family: courier new;">*Mar 1 01:59:35.791: BGP(0): 155.1.45.4 rcvd 4.4.4.0/24</span></span><br /><span style="font-size: 85%; color: rgb(51, 51, 255);"><span style="font-family: courier new;">*Mar 1 01:59:35.799: BGP(0): Revise route installing 1 of 1 routes for 4.4.4.0/24 -> 155.1.45.4(main) to main IP table</span></span><br /><span style="font-size: 85%; color: rgb(51, 51, 255);"></span><br /><span style="font-size: 85%; color: rgb(51, 51, 255);"><span style="font-family: courier new;">R5#show ip bgp | begin Network</span></span><br /><span style="font-size: 85%; color: rgb(51, 51, 255);"><span style="font-family: courier new;"> Network Next Hop Metric LocPrf Weight Path</span></span><br /><span style="font-size: 85%; color: rgb(51, 51, 255);"><span style="font-family: courier new;">*> 4.4.4.0/24 155.1.45.4 0 0 4 i</span></span></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-6176524294759831899.post-44064625510399114462009-02-08T15:50:00.000+05:302009-02-08T15:51:12.849+05:30BGP - expanded community-lists<div style="text-align: justify; color: rgb(51, 
51, 255);"> <span style="font-size: 100%;">BGP expanded community-lists are more flexible than their standard counterparts because they match community values with a regular expression instead of a literal community string. Here you can see the difference in the CLI help:</span><br /><span style="font-size: 100%;"></span><br /><span style="font-size: 100%;"></span><span style="font-size: 85%;"><span style="font-family: courier new;">R4(config)#ip community-list standard STANDARD permit ?</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> <1-4294967295> community number</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> aa:nn community number</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> internet Internet (well-known community)</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> local-AS Do not send outside local AS (well-known community)</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> no-advertise Do not advertise to any peer (well-known community)</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> no-export Do not export to next AS (well-known community)</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> <cr></cr></span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R4(config)#ip community-list expanded EXPANDED permit ?</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> LINE An ordered list as a regular-expression</span></span><span style="font-size: 100%;"></span><br /><span style="font-size: 100%;"></span><br /><span style="font-size: 100%;">Now for a little lab. R1 and R2 are both going to EBGP peer with R4. R4 will then EBGP peer with R3. R1 and R2 will each send routes with different community strings to R4, along with routes without a community. 
We will use an expanded list to match certain community values. Hopefully, we can get it done with one permit statement.</span><br /><span style="font-size: 100%;"></span><br /><span style="font-size: 100%;">R1 has 4 loopback networks:</span><br /><span style="font-size: 100%;">1.0.0.0/24</span><br /><span style="font-size: 100%;">1.0.1.0/24</span><br /><span style="font-size: 100%;">1.0.2.0/24</span><br /><span style="font-size: 100%;">1.0.3.0/24</span><br /><span style="font-size: 100%;"></span><br /><span style="font-size: 100%;">R2 has 4 loopback networks:</span><br /><span style="font-size: 100%;">2.0.0.0/24</span><br /><span style="font-size: 100%;">2.0.1.0/24</span><br /><span style="font-size: 100%;">2.0.2.0/24</span><br /><span style="font-size: 100%;">2.0.3.0/24</span><br /><span style="font-size: 100%;"></span><br /><span style="font-size: 100%;">R1 is sending community 100 with its first two loopbacks</span><br /><span style="font-size: 100%;">R2 is sending community 200 with its first two loopbacks</span><br /><span style="font-size: 100%;">The other loopbacks do not have a community attached.</span><br /><span style="font-size: 100%;">Here is how we do it on R1, R2 is similar:</span><br /><span style="font-size: 100%;"></span><br /><span style="font-size: 100%;"></span><span style="font-size: 85%;"><span style="font-family: courier new;">R1(config)#ip prefix-list LOOP1 permit 1.0.0.0/24</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R1(config)#ip prefix-list LOOP1 permit 1.0.1.0/24</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R1(config)#route-map setcom</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R1(config-route-map)#match ip address prefix LOOP1</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R1(config-route-map)#set commu 100</span></span><br /><span style="font-size: 85%;"><span 
style="font-family: courier new;">R1(config-route-map)#exit</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R1(config)#route-map setcom perm 20</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R1(config-route-map)#exit</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R1(config)#router bgp 65000</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R1(config-router)#neighbor 172.12.14.4 send-community</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R1(config-router)#neighbor 172.12.14.4 route-map setcom out</span></span><span style="font-size: 100%;"></span><br /><span style="font-size: 100%;"></span><br /><span style="font-size: 100%;">Verify on R4 (this shows R4 is receiving all loopbacks)</span><br /><span style="font-size: 100%;"></span><br /><span style="font-size: 100%;"></span><span style="font-size: 85%;"><span style="font-family: courier new;">R4#sho ip bgp | begin Network</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> Network Next Hop Metric LocPrf Weight Path</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 1.0.0.0/24 172.12.14.1 0 0 65000 i</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 1.0.1.0/24 172.12.14.1 0 0 65000 i</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 1.0.2.0/24 172.12.14.1 0 0 65000 i</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 1.0.3.0/24 172.12.14.1 0 0 65000 i</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 2.0.0.0/24 172.12.24.2 0 0 65000 i</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 2.0.1.0/24 172.12.24.2 0 0 65000 
i</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 2.0.2.0/24 172.12.24.2 0 0 65000 i</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 2.0.3.0/24 172.12.24.2 0 0 65000 i</span></span><span style="font-size: 100%;"></span><br /><span style="font-size: 100%;"></span><br /><span style="font-size: 100%;">Here are the loopbacks with community attributes:</span><br /><span style="font-size: 100%;"></span><br /><span style="font-size: 100%;"><span style="font-family: courier new; font-size: 85%;">R4#show ip bgp community 100 | begin Net</span><span style="font-size: 85%;"></span></span><br /><span style="font-size: 100%;"><span style="font-size: 85%;"></span><span style="font-family: courier new; font-size: 85%;"> Network Next Hop Metric LocPrf Weight Path</span><span style="font-size: 85%;"></span></span><br /><span style="font-size: 100%;"><span style="font-size: 85%;"></span><span style="font-family: courier new; font-size: 85%;">* 1.0.0.0/24 172.12.14.1 0 0 65000 i</span><span style="font-size: 85%;"></span></span><br /><span style="font-size: 100%;"><span style="font-size: 85%;"></span><span style="font-family: courier new; font-size: 85%;">* 1.0.1.0/24 172.12.14.1 0 0 65000 i</span><span style="font-size: 85%;"></span></span><br /><span style="font-size: 100%;"><span style="font-size: 85%;"></span><span style="font-family: courier new; font-size: 85%;">R4#show ip bgp community 200 | begin Net</span><span style="font-size: 85%;"></span></span><br /><span style="font-size: 100%;"><span style="font-size: 85%;"></span><span style="font-family: courier new; font-size: 85%;"> Network Next Hop Metric LocPrf Weight Path</span><span style="font-size: 85%;"></span></span><br /><span style="font-size: 100%;"><span style="font-size: 85%;"></span><span style="font-family: courier new; font-size: 85%;">* 2.0.0.0/24 172.12.24.2 0 0 65000 i</span><span style="font-size: 85%;"></span></span><br 
/><span style="font-size: 100%;"><span style="font-size: 85%;"></span><span style="font-family: courier new; font-size: 85%;">* 2.0.1.0/24 172.12.24.2 0 0 65000 i</span></span><br /><span style="font-size: 100%;"></span><br /><span style="font-size: 100%;">Here is R3:</span><br /><span style="font-size: 100%;"></span><br /><span style="font-size: 100%;"></span><span style="font-size: 85%;"><span style="font-family: courier new;">R3#show ip bgp</span></span><br /><span style="font-size: 85%;"></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> Network Next Hop Metric LocPrf Weight Path</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 1.0.0.0/24 172.12.34.4 0 400 65000 i</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 1.0.1.0/24 172.12.34.4 0 400 65000 i</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 1.0.2.0/24 172.12.34.4 0 400 65000 i</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 1.0.3.0/24 172.12.34.4 0 400 65000 i</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 2.0.0.0/24 172.12.34.4 0 400 65000 i</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 2.0.1.0/24 172.12.34.4 0 400 65000 i</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 2.0.2.0/24 172.12.34.4 0 400 65000 i</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 2.0.3.0/24 172.12.34.4 0 400 65000 i</span></span><span style="font-size: 100%;"></span><br /><span style="font-size: 100%;"></span><br /><span style="font-size: 100%;">Now we will configure R4 to send only routes with community 100 or 200 to R3:</span><br /><span style="font-size: 100%;"></span><br /><span style="font-size: 100%;"></span><span style="font-family: courier new; 
font-size: 100%;"><span style="font-size: 85%;">R4(config)#ip community-list expanded EXPANDED permit [1-2]00</span></span><br /><span style="font-family: courier new; font-size: 100%;"><span style="font-size: 85%;">R4(config)#route-map filtercom</span></span><br /><span style="font-family: courier new; font-size: 100%;"><span style="font-size: 85%;">R4(config-route-map)#match community ?</span></span><br /><span style="font-family: courier new; font-size: 100%;"><span style="font-size: 85%;"><1-99> Community-list number (standard)</span></span><br /><span style="font-family: courier new; font-size: 100%;"><span style="font-size: 85%;"><100-500> Community-list number (expanded)</span></span><br /><span style="font-family: courier new; font-size: 100%;"><span style="font-size: 85%;">WORD Community-list name</span></span><br /><span style="font-family: courier new; font-size: 100%;"><span style="font-size: 85%;">R4(config-route-map)#match community EXPANDED</span></span><br /><span style="font-family: courier new; font-size: 100%;"><span style="font-size: 85%;">R4(config-route-map)#exit</span></span><br /><span style="font-family: courier new; font-size: 100%;"><span style="font-size: 85%;">R4(config)#router bgp 400</span></span><br /><span style="font-family: courier new; font-size: 100%;"><span style="font-size: 85%;">R4(config-router)#neighbor 172.12.34.3 route-map filtercom out</span></span><br /><span style="font-family: courier new; font-size: 100%;"></span><span style="font-size: 100%;"></span><br /><span style="font-size: 100%;">Let's check on R3:</span><br /><span style="font-size: 100%;"></span><br /><span style="font-size: 100%;"></span><span style="font-size: 85%;"><span style="font-family: courier new;">R</span><span style="font-family: courier new;">3#show ip bgp</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">BGP table version is 66, local router ID is 3.3.3.3</span></span><br /><span style="font-size: 
85%;"><span style="font-family: courier new;">Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> r RIB-failure, S Stale</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">Origin codes: i - IGP, e - EGP, ? - incomplete</span></span><br /><span style="font-size: 85%;"></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> Network Next Hop Metric LocPrf Weight Path</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 1.0.0.0/24 172.12.34.4 0 400 65000 i</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 1.0.1.0/24 172.12.34.4 0 400 65000 i</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 2.0.0.0/24 172.12.34.4 0 400 65000 i</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 2.0.1.0/24 172.12.34.4 0 400 65000 i</span></span><span style="font-size: 100%;"></span><br /><span style="font-size: 100%;"></span><br /><span style="font-size: 100%;">In this example the regular expression [1-2]00 matched either 100 or 200 and only allowed those routes through to R3. Note that an expanded community-list is a regular-expression match and is not anchored, so [1-2]00 would also match a community whose text merely contains 100 or 200 (1100 or 2000, for example); use the _ delimiter, as in permit _[1-2]00_, when you mean exactly those two values.</span></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-6176524294759831899.post-22111306546202752812009-02-08T15:49:00.001+05:302009-02-08T15:49:56.785+05:30BGP - prefix-based outbound route filtering<div style="text-align: justify; color: rgb(51, 0, 51);"> Prefix-based outbound route filtering (ORF) lets a router tell its peer which routes it should send and which it should filter, so the filtering happens on the sending side. This prevents unnecessary resources from being used. 
There is no sense in a router sending a bunch of route updates if they are only going to be filtered anyway.<br /><br />In this example we have EBGP peers R4 and R3:<br /><br />[R4]---[R3]<br /><br />R3 is receiving a bunch of routes from R4:<br /><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R3#show ip bgp</span><br /><span style="font-family: courier new;"> Network Next Hop Metric LocPrf Weight Path</span> <span style="font-family: courier new;"></span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 1.0.0.0/24 172.12.34.4 0 400 65000 i</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"></span><span style="font-family: courier new;">*> 1.0.1.0/24 172.12.34.4 0 400 65000 i</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 1.0.2.0/24 172.12.34.4 0 400 65000 i</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 1.0.3.0/24 172.12.34.4 0 400 65000 i</span> <span style="font-family: courier new;"></span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 2.0.0.0/24 172.12.34.4 0 400 65000 i</span> <span style="font-family: courier new;"></span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 2.0.1.0/24 172.12.34.4 0 400 65000 i</span> <span style="font-family: courier new;"></span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 2.0.2.0/24 172.12.34.4 0 400 65000 i</span> <span style="font-family: courier new;"></span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 2.0.3.0/24 172.12.34.4 0 400 65000 i</span> <span style="font-family: courier new;"></span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 3.3.3.0/24 0.0.0.0 0 32768 i</span> <span style="font-family: courier new;"></span></span><br /><span 
style="font-size: 85%;"><span style="font-family: courier new;">*> 4.0.0.0/24 172.12.34.4 0 0 400 i</span> <span style="font-family: courier new;"></span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 4.0.1.0/24 172.12.34.4 0 0 400 i</span> <span style="font-family: courier new;"></span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 4.0.2.0/24 172.12.34.4 0 0 400 i</span> <span style="font-family: courier new;"></span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 4.0.3.0/24 172.12.34.4 0 0 400 i</span></span><br /><br />R3 only wants to receive 3 routes:<br /><br />1.0.0.0/24<br />2.0.0.0/24<br />4.0.0.0/24<br /><br />R3 can create a prefix-list permitting only these 3 routes and advertise it to R4, which then applies the list as an outbound filter. Let's configure it. First you need to enable advertisement of the ORF capability on both peers. R3 is the one sending the prefix-list, so it uses the send keyword. 
R4 is receiving the prefix-list.<br /><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R3(config)#router bgp 65003</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R3(config-router)#neighbor 172.12.34.4 capability orf prefix-list send</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"></span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"></span> <span style="font-family: courier new;">R4(config)#router bgp 400</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R4(config-router)#neighbor 172.12.34.3 capability orf prefix-list receive</span></span><br /><br />Now <span style="font-size: 100%;">configure</span> the prefix-list and apply it to the neighbor:<br /><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R3(config)#ip prefix-list ZERO seq 5 permit 1.0.0.0/24</span> <span style="font-family: courier new;"></span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R3(config)#ip prefix-list ZERO seq 10 permit 2.0.0.0/24</span> <span style="font-family: courier new;"></span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R3(config)#ip prefix-list ZERO seq 15 permit 4.0.0.0/24</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R3(config)#router bgp 65003</span> <span style="font-family: courier new;"></span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R3(config-router)#neighbor 172.12.34.4 prefix-list ZERO in</span></span><br /><span style="font-size: 85%;"></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R3#clear ip bgp * soft in prefix-filter</span></span><br /><span style="font-size: 85%;"></span><br /><span style="font-size: 85%;"></span><span style="font-size: 100%;">Here is the final 
result:</span><span style="font-size: 85%;"></span><br /><span style="font-size: 85%;"></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R3#show ip bgp</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> Network Next Hop Metric LocPrf Weight Path</span> <span style="font-family: courier new;"></span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 1.0.0.0/24 172.12.34.4 0 400 65000 i</span> <span style="font-family: courier new;"></span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 2.0.0.0/24 172.12.34.4 0 400 65000 i</span> <span style="font-family: courier new;"></span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 3.3.3.0/24 0.0.0.0 0 32768 i</span> <span style="font-family: courier new;"></span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 4.0.0.0/24 172.12.34.4 0 0 400 i</span></span><br /><br />Here are some captures I took in dynamips. The first shows the advertisement of the ORF capability in the BGP OPEN message. The second shows the actual prefix-list R3 is sending; Wireshark shows it as a ROUTE-REFRESH message, which is the message type the ORF entries are carried in. 
Pretty cool, eh?<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMjku88jySlZvb__t_FC6AIRC9XIO7ghzNbJIvsispahwlzm0k-e65mhRrQwMqChZM5EEGdC_zX1aThSdIDn-n33PggXqqjsma6HXZlr4u-omYAvUFOAXzpmsnkKEtxSsrRrvmLCtaQFI/s1600-h/bgp+-+orf+capture1.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMjku88jySlZvb__t_FC6AIRC9XIO7ghzNbJIvsispahwlzm0k-e65mhRrQwMqChZM5EEGdC_zX1aThSdIDn-n33PggXqqjsma6HXZlr4u-omYAvUFOAXzpmsnkKEtxSsrRrvmLCtaQFI/s400/bgp+-+orf+capture1.JPG" alt="" id="BLOGGER_PHOTO_ID_5221794770614704514" border="0" /></a><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-9Im6KIiRv2U2MwFcCIpDWqiep1YWp-VHqqMUFRMlNkZPrl05GamT3GvONYA9OtMSqv4x_-s_IyCVz4uZ6xutW6H2bMt91AcLc6P9cUOM1VjDpAuyEoxWd1l0b63Uki5uwhHOJrU_N_Y/s1600-h/bgp+-+orf+capture2.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-9Im6KIiRv2U2MwFcCIpDWqiep1YWp-VHqqMUFRMlNkZPrl05GamT3GvONYA9OtMSqv4x_-s_IyCVz4uZ6xutW6H2bMt91AcLc6P9cUOM1VjDpAuyEoxWd1l0b63Uki5uwhHOJrU_N_Y/s400/bgp+-+orf+capture2.JPG" alt="" id="BLOGGER_PHOTO_ID_5221794863718567858" border="0" /></a><br />Restrictions:<br /><br />I used the bgp upgrade-cli command to configure these neighbors in AF mode.<br />Also, prefix-lists must be used, not ACLs or distribute lists.</div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-6176524294759831899.post-62942418805301627492009-02-08T15:48:00.001+05:302009-02-08T15:48:51.293+05:30BGP - changing cluster-id<div style="text-align: justify;"> <span style="color: rgb(51, 51, 255);"> The network:</span><br /><br /><span style="color: rgb(51, 51, 255);">[R3]---[R5]---[R4]---[EXTERNAL AS]</span><br /><br /><span 
style="color: rgb(51, 51, 255);">R3 is IBGP peer with R5</span><br /><span style="color: rgb(51, 51, 255);">R5 is IBGP peer with R4</span><br /><span style="color: rgb(51, 51, 255);">R5 is the route reflector</span><br /><br /><span style="color: rgb(51, 51, 255);">Here is the bgp entry for a route learned initially from R4:</span><br /><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">R3#show ip bgp 6.0.0.0</span><span style="font-size: 85%; color: rgb(51, 51, 255);"></span><br /><span style="font-size: 85%; color: rgb(51, 51, 255);"></span><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">BGP routing table entry for 6.0.0.0/24, version 5</span><span style="font-size: 85%; color: rgb(51, 51, 255);"></span><br /><span style="font-size: 85%; color: rgb(51, 51, 255);"></span><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">Paths: (1 available, best #1, table Default-IP-Routing-Table)</span><span style="font-size: 85%; color: rgb(51, 51, 255);"></span><br /><span style="font-size: 85%; color: rgb(51, 51, 255);"></span><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;"> Not advertised to any peer</span><span style="font-size: 85%; color: rgb(51, 51, 255);"></span><br /><span style="font-size: 85%; color: rgb(51, 51, 255);"></span><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;"> 65000</span><span style="font-size: 85%; color: rgb(51, 51, 255);"></span><br /><span style="font-size: 85%; color: rgb(51, 51, 255);"></span><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;"> 4.4.4.4 (metric 2) from 5.5.5.5 (5.5.5.5)</span><span style="font-size: 85%; color: rgb(51, 51, 255);"></span><br /><span style="font-size: 85%; color: rgb(51, 51, 255);"></span><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;"> Origin IGP, metric 0, localpref 100, valid, internal, 
best</span><span style="font-size: 85%; color: rgb(51, 51, 255);"></span><br /><span style="font-size: 85%; color: rgb(51, 51, 255);"></span><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;"> Originator: 4.4.4.4, Cluster list: 5.5.5.5</span><br /><br /><span style="color: rgb(51, 51, 255);">Changing the cluster-id:</span><br /><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">R5(config)#router bgp 345</span><span style="font-size: 85%; color: rgb(51, 51, 255);"></span><br /><span style="font-size: 85%; color: rgb(51, 51, 255);"></span><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">R5(config-router)#bgp cluster-id ?</span><span style="font-size: 85%; color: rgb(51, 51, 255);"></span><br /><span style="font-size: 85%; color: rgb(51, 51, 255);"></span><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;"> <1-4294967295> Route-Reflector Cluster-id as 32 bit quantity</span><span style="font-size: 85%; color: rgb(51, 51, 255);"></span><br /><span style="font-size: 85%; color: rgb(51, 51, 255);"></span><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;"> A.B.C.D Route-Reflector Cluster-id in IP address format</span><span style="font-size: 85%; color: rgb(51, 51, 255);"></span><br /><span style="font-size: 85%; color: rgb(51, 51, 255);"></span><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">R5(config-router)#bgp cluster-id 5</span><br /><br /><span style="color: rgb(51, 51, 255);">Here's how the change looks on R3:</span><br /><br /><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">R3#show ip bgp 6.0.0.0</span><span style="font-size: 85%; color: rgb(51, 51, 255);"></span><br /><span style="font-size: 85%; color: rgb(51, 51, 255);"></span><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">BGP routing table entry for 
6.0.0.0/24, version 9</span><span style="font-size: 85%; color: rgb(51, 51, 255);"></span><br /><span style="font-size: 85%; color: rgb(51, 51, 255);"></span><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">Paths: (1 available, best #1, table Default-IP-Routing-Table)</span><span style="font-size: 85%; color: rgb(51, 51, 255);"></span><br /><span style="font-size: 85%; color: rgb(51, 51, 255);"></span><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;">Flag: 0x800</span><span style="font-size: 85%; color: rgb(51, 51, 255);"></span><br /><span style="font-size: 85%; color: rgb(51, 51, 255);"></span><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;"> Not advertised to any peer</span><span style="font-size: 85%; color: rgb(51, 51, 255);"></span><br /><span style="font-size: 85%; color: rgb(51, 51, 255);"></span><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;"> 65000</span><span style="font-size: 85%; color: rgb(51, 51, 255);"></span><br /><span style="font-size: 85%; color: rgb(51, 51, 255);"></span><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;"> 4.4.4.4 (metric 2) from 5.5.5.5 (5.5.5.5)</span><span style="font-size: 85%; color: rgb(51, 51, 255);"></span><br /><span style="font-size: 85%; color: rgb(51, 51, 255);"></span><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;"> Origin IGP, metric 0, localpref 100, valid, internal, best</span><span style="font-size: 85%; color: rgb(51, 51, 255);"></span><br /><span style="font-size: 85%; color: rgb(51, 51, 255);"></span><span style="color: rgb(51, 51, 255); font-family: courier new; font-size: 85%;"> Originator: 4.4.4.4, Cluster list: 0.0.0.5</span></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-6176524294759831899.post-9632885919096079782009-02-08T15:47:00.000+05:302009-02-08T15:48:12.392+05:30BGP - set clauses are ignored on 
reflected routes<div style="text-align: justify; color: rgb(0, 0, 153);"> Network:<br /><br />R4,R5,R6 have serial interfaces connected to Frame cloud 172.14.45.0/24<br />R3,R4,R5 have LAN interfaces connected to 172.12.34.0/24<br /><br />R6 has EBGP peerings with R5 and R4; however, R5 has its R6 neighbor shut down for now.<br />R4 is connected to R5 via IBGP.<br />R5 then connects to R3 via IBGP.<br />R5 has R3 configured as a route-reflector client.<br />R5 reflects routes learned from R4 to R3.<br />The relevant part of R5's config:<br /><br /><span style="font-size: 85%;"><span style="font-family: courier new;">router bgp 345</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> bgp cluster-id 5</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> neighbor 3.3.3.3 remote-as 345</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> neighbor 3.3.3.3 update-source Loopback0</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> !</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> address-family ipv4</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> neighbor 3.3.3.3 activate</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> neighbor 3.3.3.3 send-community</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> neighbor 3.3.3.3 route-reflector-client</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> neighbor 3.3.3.3 route-map SET out</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">!</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">ip prefix-list SIX seq 5 permit 6.0.0.0/24</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier 
new;">!</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">route-map LOOPBACK permit 10</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> match ip address 5</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">!</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">route-map SET permit 10</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> match ip address prefix-list SIX</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> set community 500</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">!</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">route-map SET permit 20</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">!</span></span><br /><br />The community does not show up on R3:<br /><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R3#show ip bgp 6.0.0.0</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">BGP routing table entry for 6.0.0.0/24, version 9</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">Paths: (1 available, best #1, table Default-IP-Routing-Table)</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> Not advertised to any peer</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> 65000</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> 4.4.4.4 (metric 2) from 5.5.5.5 (5.5.5.5)</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> Origin IGP, metric 0, localpref 100, valid, internal, best</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier 
new;"> Originator: 4.4.4.4, Cluster list: 0.0.0.5</span></span><br /><br />Now let's shut down the R4 peering and peer R5 directly with R6, so that R5 learns 6.0.0.0/24 over EBGP and advertises it to R3 instead of reflecting it:<br /><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R5(config)#router bgp 345</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R5(config-router)#neighbor 4.4.4.4 shutdown</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R5(config-router)#no neighbor 172.14.45.6 shutdown</span></span><br /><br />Immediately the community shows up on R3. The entry has no best path only because the EBGP next hop 172.14.45.6 is inaccessible from R3 (the usual fix is neighbor 3.3.3.3 next-hop-self on R5); that is a next-hop reachability matter, separate from the set clause, which was applied this time:<br /><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R3#show ip bgp 6.0.0.0</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">BGP routing table entry for 6.0.0.0/24, version 13</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">Paths: (1 available, no best path)</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">Flag: 0x820</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> Not advertised to any peer</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> 65000</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> 172.14.45.6 (inaccessible) from 5.5.5.5 (5.5.5.5)</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> Origin IGP, metric 200, localpref 100, valid, internal</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> Community: 500</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"></span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"></span></span>I got this info while browsing the DocCD:<br /><br /><a 
href="http://www.cisco.com/en/US/docs/ios/iproute/configuration/guide/irp_bgp_int_features_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1054036">Configuring a Route Reflector</a><br /><br />"<span class="content">The use of <b class="cBold">set</b> clauses in outbound route maps can modify attributes and possibly create routing loops. To avoid this behavior, <b class="cBold">set</b> clauses of outbound route maps are ignored for routes reflected to iBGP peers."</span></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-6176524294759831899.post-21570112667896330622009-02-08T15:46:00.001+05:302009-02-08T15:46:51.818+05:30BGP - deterministic-med and always-compare-med<div style="text-align: justify; color: rgb(0, 0, 153);">How the bgp deterministic-med Command Differs from the bgp always-compare-med Command<br /><br />It took some work to get the various routes to look right in the BGP table. Here is a picture that helps explain it. I'm not going to put addressing on it. 
If you want configs, let me know.<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9k5LPq2QB2LiHJLOKTLJN6k4f-IQiAZrxgdwuys99w7gp4z51XeOCshQL1YOLXQO5GzzWgKE-LJ10_Shpi_P8-S0e39ex4D8F78gWx4UsO5ZtGoXFZyMk-Ka7fngcARWmw6qB160qNL4/s1600-h/bgp+med+comparison.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9k5LPq2QB2LiHJLOKTLJN6k4f-IQiAZrxgdwuys99w7gp4z51XeOCshQL1YOLXQO5GzzWgKE-LJ10_Shpi_P8-S0e39ex4D8F78gWx4UsO5ZtGoXFZyMk-Ka7fngcARWmw6qB160qNL4/s400/bgp+med+comparison.jpg" alt="" id="BLOGGER_PHOTO_ID_5222958750775104338" border="0" /></a><br />Our focus is R1, which has 3 BGP entries for 3.3.3.0/24:<br /><br /><span style="font-family: courier new; font-size: 85%;">R1#show ip bgp 3.3.3.0</span><br /><span style="font-family: courier new; font-size: 85%;">BGP routing table entry for 3.3.3.0/24, version 24</span><br /><span style="font-family: courier new; font-size: 85%;">Paths: (3 available, best #3, table Default-IP-Routing-Table)</span><br /><span style="font-family: courier new; font-size: 85%;">Advertised to non peer-group peers:</span><br /><span style="font-family: courier new; font-size: 85%;">172.12.12.2 172.12.14.4</span><br /><span style="font-family: courier new; font-size: 85%;">400</span><br /><span style="font-family: courier new; font-size: 85%;">172.12.12.2 from 172.12.12.2 (2.2.2.2)</span><br /><span style="font-family: courier new; font-size: 85%;"> Origin IGP, metric 100, localpref 100, valid, internal</span><br /><span style="font-family: courier new; font-size: 85%;">400</span><br /><span style="font-family: courier new; font-size: 85%;">172.12.14.4 from 172.12.14.4 (4.0.3.4)</span><br /><span style="font-family: courier new; font-size: 85%;"> Origin IGP, metric 150, localpref 100, valid, external</span><br /><span style="font-family: courier new; 
font-size: 85%;">65003</span><br /><span style="font-family: courier new; font-size: 85%;">172.12.13.3 from 172.12.13.3 (3.3.3.3)</span><br /><span style="font-family: courier new; font-size: 85%;"> Origin IGP, metric 200, localpref 100, valid, external, best</span><br /><span style="font-family: courier new; font-size: 85%;">R1#</span><br /><br />Tiebreaker (the table is walked in pairs):<br />1. entry1 and entry2 are compared. Both have AS 400 as the neighboring AS, so their MEDs are comparable even without always-compare-med, and entry1 wins (MED 100 vs 150). MED is checked before the external-over-internal step, so that step is never reached for this pair.<br />2. entry1 and entry3 are compared. The neighboring ASes differ (400 vs 65003), so MED is skipped by default, and entry3 wins because external is preferred over internal. (Had entry2 and entry3 been the pair, entry3 would still win on the lower router ID, 3.3.3.3.)<br /><br />Now let's configure always-compare-med:<br /><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R1(config)#router bgp 65000</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R1(config-router)#bgp always-compare-med</span></span><br /><br />This command makes MED comparable across different neighboring ASes, so entry1 (MED 100) should now also beat entry3 (MED 200) and become best:<br /><br /><span style="font-family: courier new; font-size: 85%;">R1#show ip bgp 3.3.3.0</span><br /><span style="font-family: courier new; font-size: 85%;">BGP routing table entry for 3.3.3.0/24, version 41</span><br /><span style="font-family: courier new; font-size: 85%;">Paths: (3 available, best #1, table Default-IP-Routing-Table)</span><br /><span style="font-family: courier new; font-size: 85%;">Flag: 0x820</span><br /><span style="font-family: courier new; font-size: 85%;"> Advertised to non peer-group peers:</span><br /><span style="font-family: courier new; font-size: 85%;"> 172.12.13.3 172.12.14.4</span><br /><span style="font-family: courier new; font-size: 85%;"> 400</span><br /><span style="font-family: courier new; font-size: 85%;"> 172.12.12.2 from 172.12.12.2 (2.2.2.2)</span><br /><span style="font-family: courier new; font-size: 85%;"> Origin IGP, metric 100, localpref 100, valid, internal, best</span><br /><span style="font-family: courier new; font-size: 85%;"> 400</span><br /><span style="font-family: courier new; font-size: 85%;"> 172.12.14.4 from 172.12.14.4 (4.0.3.4)</span><br /><span style="font-family: courier new; font-size: 85%;"> Origin IGP, metric 150, localpref 100, valid, external</span><br /><span style="font-family: courier new; font-size: 85%;"> 65003</span><br /><span style="font-family: courier new; font-size: 85%;"> 172.12.13.3 from 
172.12.13.3 (3.3.3.3)</span><br /><span style="font-family: courier new; font-size: 85%;"> Origin IGP, metric 200, localpref 100, valid, external</span><br /><br />It works!<br /><br />Notice that entries are compared in pairs, in table order, and the table lists the most recently received path first. To get the pairs reordered you may have to shut peers down and bring them back up in the right sequence. Example: I wanted the peers to appear in this order: 4.0.3.4, 3.3.3.3, and 2.2.2.2. So I brought them up in reverse order: 2.2.2.2, 3.3.3.3, and finally 4.0.3.4. I just did a shut/no shut on the interface. Now I have:<br /><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R1#show ip bgp 3.3.3.0</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">BGP routing table entry for 3.3.3.0/24, version 47</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">Paths: (3 available, best #3, table Default-IP-Routing-Table)</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> Advertised to non peer-group peers:</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> 172.12.13.3 172.12.14.4</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> 400</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> 172.12.14.4 from 172.12.14.4 (4.0.3.4)</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> Origin IGP, metric 150, localpref 100, valid, external</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> 65003</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> 172.12.13.3 from 172.12.13.3 (3.3.3.3)</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> Origin IGP, metric 200, localpref 100, valid, external</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> 400</span></span><br /><span 
style="font-size: 85%;"><span style="font-family: courier new;"> 172.12.12.2 from 172.12.12.2 (2.2.2.2)</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> Origin IGP, metric 100, localpref 100, valid, internal, best</span></span><br /><br />Notice the best route is still the one from 2.2.2.2, because always-compare-med is enabled. Let's try bgp deterministic-med without always-compare-med. First reset BGP, then continue.<br /><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R1(config)#router bgp 65000</span></span><br /><span style="font-size: 85%;"></span><span style="font-family: courier new; font-size: 85%;">R1(config-router)#no bgp always-compare-med</span><span style="font-size: 85%;"></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R1(config-router)#bgp deterministic-med</span></span><br /><br />In this case entry2 is compared to entry3 first, and entry2 wins on lower MED (both come from AS 400, so MED is compared). Then entry2 is compared to entry1, and entry1 wins because external BGP is preferred over internal. 
MED is not compared between these entries.<br /><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R1#show ip bgp 3.3.3.0</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">BGP routing table entry for 3.3.3.0/24, version 11</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">Paths: (3 available, best #1, table Default-IP-Routing-Table)</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> Advertised to non peer-group peers:</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> 172.12.12.2 172.12.14.4</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> 65003</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> 172.12.13.3 from 172.12.13.3 (3.3.3.3)</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> Origin IGP, metric 200, localpref 100, valid, external, best</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> 400</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> 172.12.12.2 from 172.12.12.2 (2.2.2.2)</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> Origin IGP, metric 100, localpref 100, valid, internal</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> 400</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> 172.12.14.4 from 172.12.14.4 (4.0.3.4)</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> Origin IGP, metric 150, localpref 100, valid, external</span></span><br /><br />Notice in the above example that the entries are ordered in groups based on AS. 
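<br /><br />To make the pairing rules above concrete, here is an added Python model of the part of the decision process these three paths exercise (weight, local preference, AS_PATH length, origin, MED, external over internal, IGP metric to the next hop, lowest router ID). It is example code written for this page, not anything from IOS, and it simplifies: the default mode is modelled as a running pairwise comparison in table order, as described above, and R1's three paths are assumed to have equal IGP metrics to their next hops. The second scenario (X1, X2, X3, with AS numbers 100 and 200 and next hops 10.0.0.x) is constructed, not taken from this page, to show the case the R1 topology cannot: without deterministic-med the same three paths can yield a different best path depending only on the order they sit in the table.

```python
from dataclasses import dataclass

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}

@dataclass(frozen=True)
class Path:
    next_hop: str         # peer / NEXT_HOP address
    router_id: str        # router ID of the peer the path was learned from
    as_path: tuple        # AS_PATH; as_path[0] is the neighboring AS
    med: int
    external: bool        # True for eBGP, False for iBGP
    igp_metric: int = 0   # IGP cost to NEXT_HOP (assumed equal for R1's paths)
    local_pref: int = 100
    weight: int = 0
    origin: str = "igp"

    @property
    def neighbor_as(self):
        return self.as_path[0]

def _rid(path):
    # Router IDs compare numerically octet by octet, not as strings.
    return tuple(int(o) for o in path.router_id.split("."))

def prefer(a, b, always_compare_med=False):
    """Return the better of two paths, walking the IOS decision order as far
    as these examples need: weight, local-pref, AS_PATH length, origin, MED,
    eBGP over iBGP, IGP metric to NEXT_HOP, lowest router ID."""
    if a.weight != b.weight:
        return a if a.weight > b.weight else b
    if a.local_pref != b.local_pref:
        return a if a.local_pref > b.local_pref else b
    if len(a.as_path) != len(b.as_path):
        return a if len(a.as_path) < len(b.as_path) else b
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:
        return a if ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin] else b
    # MED is only comparable between paths from the same neighboring AS,
    # unless bgp always-compare-med is configured.
    if (a.neighbor_as == b.neighbor_as or always_compare_med) and a.med != b.med:
        return a if a.med < b.med else b
    if a.external != b.external:
        return a if a.external else b
    if a.igp_metric != b.igp_metric:
        return a if a.igp_metric < b.igp_metric else b
    return a if _rid(a) < _rid(b) else b

def _walk(paths, always_compare_med):
    # Running pairwise comparison in table order: winner of (1,2) vs 3, and so on.
    best = paths[0]
    for p in paths[1:]:
        best = prefer(best, p, always_compare_med)
    return best

def best_path(table, deterministic_med=False, always_compare_med=False):
    """Best path from `table` (a list in BGP-table order)."""
    if not deterministic_med:
        # Default: the answer can depend on the order the paths sit in the table.
        return _walk(table, always_compare_med)
    # bgp deterministic-med: pick a winner inside each neighboring-AS group
    # (MED is always comparable there), then compare the group winners; MED
    # crosses groups only when always-compare-med is also set.
    groups = {}
    for p in table:
        groups.setdefault(p.neighbor_as, []).append(p)
    winners = [_walk(members, always_compare_med) for members in groups.values()]
    return _walk(winners, always_compare_med)

# R1's three paths to 3.3.3.0/24, in the order of the first output above.
VIA_R2 = Path("172.12.12.2", "2.2.2.2", (400,), med=100, external=False)
VIA_R4 = Path("172.12.14.4", "4.0.3.4", (400,), med=150, external=True)
VIA_R3 = Path("172.12.13.3", "3.3.3.3", (65003,), med=200, external=True)
R1_TABLE = [VIA_R2, VIA_R4, VIA_R3]

def r1_results():
    """Router ID of the best path under each knob combination shown above."""
    return {
        "default": best_path(R1_TABLE).router_id,
        "always-compare-med": best_path(R1_TABLE, always_compare_med=True).router_id,
        "deterministic-med": best_path(R1_TABLE, deterministic_med=True).router_id,
        "both": best_path(R1_TABLE, True, True).router_id,
    }

# Constructed scenario (not from this page): two iBGP paths from AS 100 with
# different MEDs, and one from AS 200 whose IGP metric beats the AS 100 path
# that has the lowest MED.
X1 = Path("10.0.0.1", "1.1.1.1", (100,), med=100, external=False, igp_metric=10)
X2 = Path("10.0.0.2", "1.1.1.2", (100,), med=200, external=False, igp_metric=5)
X3 = Path("10.0.0.3", "1.1.1.3", (200,), med=150, external=False, igp_metric=5)

def order_dependence():
    """Best router ID for table order X1,X2,X3; for X3,X2,X1; and with
    deterministic-med (where the order no longer matters)."""
    return (
        best_path([X1, X2, X3]).router_id,
        best_path([X3, X2, X1]).router_id,
        best_path([X3, X2, X1], deterministic_med=True).router_id,
    )
```

r1_results() reproduces the four outcomes shown on this page (3.3.3.3, 2.2.2.2, 3.3.3.3, 2.2.2.2). order_dependence() returns two different router IDs for the same three constructed paths under the default mode and a single answer with deterministic-med, which is the point of the command: the best path should depend on the paths, not on the order a flap or a reset happened to deliver them.<br /><br />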
I brought up 4.4.4.4 last, yet it shows up last, grouped with the other entry from AS 400.<br /><br />The last example uses both bgp deterministic-med and bgp always-compare-med. In this case, entry2 should win with the lowest MED. This is the same as the previous example except that MED is now also compared between entry1 and entry2, even though they come from different ASes.<br /><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R1#show ip bgp 3.3.3.0</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">BGP routing table entry for 3.3.3.0/24, version 12</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">Paths: (3 available, best #2, table Default-IP-Routing-Table)</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> Advertised to non peer-group peers:</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> 172.12.13.3 172.12.14.4</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> 65003</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> 172.12.13.3 from 172.12.13.3 (3.3.3.3)</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> Origin IGP, metric 200, localpref 100, valid, external</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> 400</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> 172.12.12.2 from 172.12.12.2 (2.2.2.2)</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> Origin IGP, metric 100, localpref 100, valid, internal, best</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> 400</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> 172.12.14.4 from 172.12.14.4 (4.0.3.4)</span></span><br /><span style="font-size: 85%;"><span 
style="font-family: courier new;"> Origin IGP, metric 150, localpref 100, valid, external</span></span></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-6176524294759831899.post-63336242345304108902009-02-08T15:44:00.000+05:302009-02-08T15:45:38.101+05:30BGP - maximum-prefix command<div style="text-align: justify;"> <span style="color: rgb(51, 0, 51);">The network: [R5]---[R6]</span><br /><br /><span style="color: rgb(51, 0, 51);">R5 connects to R6 via EBGP</span><br /><span style="color: rgb(51, 0, 51);">R5 is 172.14.45.5</span><br /><span style="color: rgb(51, 0, 51);">R6 is 172.45.45.6</span><br /><br /><span style="color: rgb(51, 0, 51);">R6 is advertising 10 networks to R5:</span><br /><br /><span style="color: rgb(51, 0, 51); font-family: courier new; font-size: 85%;">R5#show ip bgp | inc 45\.6</span><br /><span style="color: rgb(51, 0, 51); font-family: courier new; font-size: 85%;">*> 6.0.0.0/24 172.14.45.6 0 0 65000 i</span><br /><span style="color: rgb(51, 0, 51); font-family: courier new; font-size: 85%;">*> 6.0.1.0/24 172.14.45.6 0 0 65000 i</span><br /><span style="color: rgb(51, 0, 51); font-family: courier new; font-size: 85%;">*> 6.0.2.0/24 172.14.45.6 0 0 65000 i</span><br /><span style="color: rgb(51, 0, 51); font-family: courier new; font-size: 85%;">*> 6.0.3.0/24 172.14.45.6 0 0 65000 i</span><br /><span style="color: rgb(51, 0, 51); font-family: courier new; font-size: 85%;">*> 6.0.4.0/24 172.14.45.6 0 0 65000 i</span><br /><span style="color: rgb(51, 0, 51); font-family: courier new; font-size: 85%;">*> 6.0.5.0/24 172.14.45.6 0 0 65000 i</span><br /><span style="color: rgb(51, 0, 51); font-family: courier new; font-size: 85%;">*> 6.0.6.0/24 172.14.45.6 0 0 65000 i</span><br /><span style="color: rgb(51, 0, 51); font-family: courier new; font-size: 85%;">*> 6.0.7.0/24 172.14.45.6 0 0 65000 i</span><br /><span style="color: rgb(51, 0, 51); font-family: courier new; font-size: 85%;">*> 6.0.8.0/24 172.14.45.6 0 0 65000 i</span><br /><span 
style="color: rgb(51, 0, 51); font-family: courier new; font-size: 85%;">*> 6.0.9.0/24 172.14.45.6 0 0 65000 i</span><br /><br /><span style="color: rgb(51, 0, 51);">I am going to play with a few options of the maximum-prefix command and see the effect. First let's configure a maximum of 8 routes:</span><br /><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">R5(config)#router bgp 65005</span></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">R5(config-router)#neighbor 172.14.45.6 maximum-prefix 8</span></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">R5(config-router)#</span></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">.Jul 14 20:45:41.467: %BGP-5-ADJCHANGE: neighbor 172.14.45.6 Down Maximum-Prefix restart timeout</span></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">.Jul 14 20:46:10.519: %BGP-5-ADJCHANGE: neighbor 172.14.45.6 Up</span></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">.Jul 14 20:46:11.919: %BGP-4-MAXPFX: No. of prefix received from 172.14.45.6 (afi 0) reaches 7, max 8</span></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">.Jul 14 20:46:11.927: %BGP-3-MAXPFXEXCEED: No. 
of prefix received from 172.14.45.6 (afi 0): 9 exceed limit 8</span></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">.Jul 14 20:46:11.931: %BGP-5-ADJCHANGE: neighbor 172.14.45.6 Down BGP Notification sent</span></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">.Jul 14 20:46:11.931: %BGP-3-NOTIFICATION: sent to neighbor 172.14.45.6 3/1 (update malformed) 0 bytes</span></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">R5(config-router)# FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 0058 0200 0000 1940 0</span></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">101 0040 0204 0201 FDE8 4003 04AC 0E2D 0680 0404 0000 0000 1806 0009 1806 0008 1</span></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">806 0007 1806 0006 1806 0005 1806 0004 1806 0003 1806 0002 1806 0001 1806 0000</span></span><br /><br /><span style="color: rgb(51, 0, 51);">Notice that the neighbor tried to come up after I configured the maximum. It never tried to come up again after going down the second time. 
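<br /><br />As an added example (not code from the original post), here is a Python parser for the %BGP-4-MAXPFX, %BGP-3-MAXPFXEXCEED and %BGP-5-ADJCHANGE lines shown above. It extracts neighbor, prefix count and limit, and counts how many times a session was torn down on the limit, which is the event a NOC or SOC would alert on; the sample log is constructed from the lines above and the function names are mine.

```python
# Added example, not from the original post: parse the IOS maximum-prefix
# syslog messages shown in the post and summarise them per neighbor.
import re

# Message formats copied from the post's output (IOS timestamps precede them).
_MAXPFX = re.compile(
    r"%BGP-4-MAXPFX: No\. of prefix received from (?P<nbr>[\d.]+) "
    r"\(afi (?P<afi>\d+)\) reaches (?P<count>\d+), max (?P<limit>\d+)")
_EXCEED = re.compile(
    r"%BGP-3-MAXPFXEXCEED: No\. of prefix received from (?P<nbr>[\d.]+) "
    r"\(afi (?P<afi>\d+)\): (?P<count>\d+) exceed limit (?P<limit>\d+)")
_ADJ = re.compile(
    r"%BGP-5-ADJCHANGE: neighbor (?P<nbr>[\d.]+) (?P<state>Up|Down)"
    r"(?: (?P<reason>.*))?$")


def parse_line(line):
    """Classify one syslog line; returns None for lines this parser ignores
    (for example the %BGP-3-NOTIFICATION line that follows each teardown)."""
    line = line.strip()
    m = _MAXPFX.search(line)
    if m:
        return {"kind": "warning", "nbr": m["nbr"],
                "count": int(m["count"]), "limit": int(m["limit"])}
    m = _EXCEED.search(line)
    if m:
        return {"kind": "exceeded", "nbr": m["nbr"],
                "count": int(m["count"]), "limit": int(m["limit"])}
    m = _ADJ.search(line)
    if m:
        return {"kind": "adj", "nbr": m["nbr"], "state": m["state"],
                "reason": m["reason"] or ""}
    return None


def summarize(lines):
    """Per neighbor: highest prefix count seen, configured limit, number of
    teardowns attributable to the limit, and the last session state."""
    out = {}
    for ev in filter(None, map(parse_line, lines)):
        s = out.setdefault(ev["nbr"], {"max_count": 0, "limit": None,
                                       "limit_teardowns": 0,
                                       "last_state": None, "_exceeded": False})
        if ev["kind"] in ("warning", "exceeded"):
            s["max_count"] = max(s["max_count"], ev["count"])
            s["limit"] = ev["limit"]
            s["_exceeded"] = ev["kind"] == "exceeded"   # next Down is ours
        else:
            s["last_state"] = ev["state"]
            if ev["state"] == "Down":
                # A Down right after an exceed, or whose reason names the
                # Maximum-Prefix restart, is a limit-related teardown.
                if s["_exceeded"] or "Maximum-Prefix" in ev["reason"]:
                    s["limit_teardowns"] += 1
                s["_exceeded"] = False
    for s in out.values():
        del s["_exceeded"]
    return out


def neighbors_over_limit(summary):
    """Neighbors whose received prefix count exceeded the configured limit."""
    return sorted(n for n, s in summary.items()
                  if s["limit"] is not None and s["max_count"] > s["limit"])


# Constructed sample: the lines the post shows after "maximum-prefix 8".
SAMPLE_LOG = """\
.Jul 14 20:45:41.467: %BGP-5-ADJCHANGE: neighbor 172.14.45.6 Down Maximum-Prefix restart timeout
.Jul 14 20:46:10.519: %BGP-5-ADJCHANGE: neighbor 172.14.45.6 Up
.Jul 14 20:46:11.919: %BGP-4-MAXPFX: No. of prefix received from 172.14.45.6 (afi 0) reaches 7, max 8
.Jul 14 20:46:11.927: %BGP-3-MAXPFXEXCEED: No. of prefix received from 172.14.45.6 (afi 0): 9 exceed limit 8
.Jul 14 20:46:11.931: %BGP-5-ADJCHANGE: neighbor 172.14.45.6 Down BGP Notification sent
.Jul 14 20:46:11.931: %BGP-3-NOTIFICATION: sent to neighbor 172.14.45.6 3/1 (update malformed) 0 bytes
""".splitlines()

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(report)                          # max_count 9, limit 8, 2 teardowns
    print(neighbors_over_limit(report))    # ['172.14.45.6']
```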
Now the neighbor has the following output (much of the output is omitted):</span><br /><br /><span style="font-size: 85%; color: rgb(51, 0, 51);"><span style="font-family: courier new;">R5#show clock</span></span><br /><span style="font-size: 85%; color: rgb(51, 0, 51);"><span style="font-family: courier new;">.20:50:26.655 UTC Mon Jul 14 2008</span></span><br /><span style="font-size: 85%; color: rgb(51, 0, 51);"><span style="font-family: courier new;">R5#</span></span><br /><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">R5#show ip bgp neighbor 172.14.45.6</span></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">...</span></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">Peer had exceeded the max. no. of prefixes configured.</span></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">Maximum prefixes allowed 8</span></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">Threshold for warning message 75%</span></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">Reduce the no. 
of prefix and clear ip bgp 172.14.45.6 to restore peering</span></span><br /><br /><span style="color: rgb(51, 0, 51);">We can also configure the router to try to establish the connection again after the maximum limit is reached and the connection is brought down:</span><br /><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">R5(config)#router bgp 65005</span></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">R5(config-router)#neighbor 172.14.45.6 maximum-prefix 8 restart 1</span></span><br /><br /><span style="color: rgb(51, 0, 51);">Here is a sample of the output: the connection tries to re-establish but then drops again because the max-prefix limit is reached:</span><br /><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">R5#</span></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">.Jul 14 20:53:16.779: %BGP-5-ADJCHANGE: neighbor 172.14.45.6 Up</span></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">.Jul 14 20:53:16.811: %BGP-4-MAXPFX: No. of prefix received from 172.14.45.6 (afi 0) reaches 7, max 8</span></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">.Jul 14 20:53:16.819: %BGP-3-MAXPFXEXCEED: No. 
of prefix received from 172.14.45.6 (afi 0): 9 exceed limit 8</span></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">.Jul 14 20:53:16.823: %BGP-5-ADJCHANGE: neighbor 172.14.45.6 Down BGP Notification sent</span></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">.Jul 14 20:53:16.827: %BGP-3-NOTIFICATION: sent to neighbor 172.14.45.6 3/1 (update malformed) 0 bytes</span></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">.Jul 14 20:54:15.999: %BGP-5-ADJCHANGE: neighbor 172.14.45.6 Up</span></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">.Jul 14 20:54:16.011: %BGP-4-MAXPFX: No. of prefix received from 172.14.45.6 (afi 0) reaches 7, max 8</span></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">.Jul 14 20:54:16.015: %BGP-3-MAXPFXEXCEED: No. of prefix received from 172.14.45.6 (afi 0): 9 exceed limit 8</span></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">.Jul 14 20:54:16.023: %BGP-5-ADJCHANGE: neighbor 172.14.45.6 Down BGP Notification sent</span></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">.Jul 14 20:54:16.023: %BGP-3-NOTIFICATION: sent to neighbor 172.14.45.6 3/1 (update malformed) 0 bytes</span></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">.Jul 14 20:55:41.311: %BGP-5-ADJCHANGE: neighbor 172.14.45.6 Up</span></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">.Jul 14 20:55:41.355: %BGP-4-MAXPFX: No. 
of prefix received from 172.14.45.6 (afi 0) reaches 7, max 8</span></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">.Jul 14 20:55:41.359: %BGP-3-MAXPFXEXCEED: No. of prefix received from 172.14.45.6 (afi 0): 9 exceed limit 8</span></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">.Jul 14 20:55:41.363: %BGP-5-ADJCHANGE: neighbor 172.14.45.6 Down BGP Notification sent</span></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">.Jul 14 20:55:41.367: %BGP-3-NOTIFICATION: sent to neighbor 172.14.45.6 3/1 (update malformed) 0 bytes</span></span><br /><br /><span style="color: rgb(51, 0, 51);">We can also configure a percentage at which a warning is logged. Here we configure the warning percentage to 75% of 8 (i.e. 6) while disabling 3 of the loopbacks on R6:</span><br /><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">R5(config)#router bgp 65005</span></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">R5(config-router)#neighbor 172.14.45.6 maximum-prefix 8 7</span></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">.Jul 14 21:00:08.226: %BGP-5-ADJCHANGE: neighbor 172.14.45.6 Up</span></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">.Jul 14 21:00:08.234: %BGP-4-MAXPFX: No. 
of prefix received from 172.14.45.6 (afi 0) reaches 7, max 8</span></span><br /><br /><span style="color: rgb(51, 0, 51);">The connection stays up:</span><br /><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">R5#show ip bgp summary</span></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd</span></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">172.14.45.6 4 65000 186 177 224 0 0 00:00:33 7</span></span><br /><br /><span style="color: rgb(51, 0, 51);">Lastly, we can configure warning-only, which logs the limit being exceeded but doesn't bring down the connection:</span><br /><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">R5(config)#router bgp 65005</span></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">R5(config-router)#neighbor 172.14.45.6 maximum-prefix 8 75 warning-only</span></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">.Jul 14 21:01:53.614: %BGP-4-MAXPFX: No. of prefix received from 172.14.45.6 (afi 0) reaches 8, max 8</span></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">.Jul 14 21:02:24.046: %BGP-3-MAXPFXEXCEED: No. 
of prefix received from 172.14.45.6 (afi 0): 9 exceed limit 8</span></span><br /><br /><span style="color: rgb(51, 0, 51);">The connection stays up:</span><br /><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">R5#show ip bgp summary | be Ne</span></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd</span></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;">172.14.45.6 4 65000 190 181 226 0 0 00:02:41 9</span></span><br /><span style="color: rgb(51, 0, 51); font-size: 85%;"><span style="font-family: courier new;"></span></span><br /><span style="color: rgb(51, 204, 255); font-size: 85%;"><span style="font-family: courier new;"></span></span></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-6176524294759831899.post-72413008958773959132009-02-08T15:43:00.002+05:302009-02-08T15:44:12.181+05:30BGP - local-as option<div style="text-align: justify; color: rgb(51, 51, 255);"> BGP local-as option allows a router to appear as if it is in another AS. Suppose we have a frame-relay cloud with 3 routers all EBGP peers with each other:<br /><br />R6: 172.14.45.6 (AS 65000)<br />R5: 172.14.45.5 (AS 65005)<br />R4: 172.14.45.4 (AS 345)<br /><br />We can configure R6 to use the local-as option to appear to be from AS 65006 to R5, but remain in AS65000 for R4. 
Here's how:<br /><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R6(config-router)#router bgp 65000</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R6(config-router)#neighbor 172.14.45.5 local-as 65006</span></span><br /><br />On R5:<br /><br /><span style="font-family: courier new; font-size: 85%;">R5(config)#router bgp 65005</span><br /><span style="font-family: courier new; font-size: 85%;">R5(config-router)#neighbor 172.14.45.6 remote-as 65006</span><br /><span style="font-family: courier new; font-size: 85%;"></span><br /><span style="font-family: courier new; font-size: 85%;"></span>Let's take a look at the neighbor summary:<br /><span style="font-family: courier new; font-size: 85%;"></span><br /><span style="font-family: courier new; font-size: 85%;">R5# show ip bgp summary | be Ne</span><br /><span style="font-family: courier new; font-size: 85%;">Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd</span><br /><span style="font-family: courier new; font-size: 85%;">172.14.45.6 4 65006 220 221 244 0 0 00:03:39 9</span><br /><span style="font-family: courier new; font-size: 85%;"></span><br /><span style="font-family: courier new; font-size: 85%;">R4#show ip bgp summary | be Ne</span><br /><span style="font-family: courier new; font-size: 85%;">172.14.45.6 4 65000 176 146 69 0 0 00:00:08 11</span><br /><br />Notice the different AS numbers. 
Also notice the AS path from R5's view:<br /><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R5# show ip bgp | inc 172.14.45.6</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 6.0.3.0/24 172.14.45.6 0 0 65006 65000 i</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 6.0.4.0/24 172.14.45.6 0 0 65006 65000 i</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 6.0.5.0/24 172.14.45.6 0 0 65006 65000 i</span></span><br /><br />And the AS path from R6's view also includes the local-AS number:<br /><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R6#show ip bgp | be Ne</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> Network Next Hop Metric LocPrf Weight Path</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 2.2.2.2/32 172.14.45.5 0 65006 65005 65002 i</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 5.5.5.5/32 172.14.45.5 0 0 65006 65005 i</span></span><br /><br />The routes appear to magically pass through 65006. 
We can prevent R6 from prepending the local-as number on routes received from R5 with the no-prepend option:<br /><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R6(config)#router bgp 65000</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R6(config-router)#neighbor 172.14.45.5 local-as 65006 no-prepend</span></span><br /><br />65006 is no longer in the AS path on R6:<br /><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R6#show ip bgp | be Ne</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> Network Next Hop Metric LocPrf Weight Path</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 2.2.2.2/32 172.14.45.5 0 65005 65002 i</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 5.5.5.5/32 172.14.45.5 0 0 65005 i</span></span><br /><br />With the replace-as option we can prevent R6's real BGP AS number from appearing in the AS path on routes sent from R6 to R5:<br /><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R6(config)#router bgp 65000</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R6(config-router)#neighbor 172.14.45.5 local-as 65006 no-prepend replace-as</span></span><br /><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R5# show ip bgp | be Ne</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;"> Network Next Hop Metric LocPrf Weight Path</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 6.0.3.0/24 172.14.45.6 0 0 65006 i</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 6.0.4.0/24 172.14.45.6 0 0 65006 i</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">*> 6.0.5.0/24 172.14.45.6 0 0 65006 i</span></span><br /><br 
/>Lastly, we can configure R6 to accept connections to either AS 65000 or AS 65006 with the dual-as option:<br /><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R6(config)#router bgp 65000</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R6(config-router)#neighbor 172.14.45.5 local-as 65006 no-prepend replace-as dual-as</span></span><br /><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R5#show ip bgp summary</span></span><br /><span style="font-size: 85%;"></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">172.14.45.6 4 65006 268 284 343 0 0 00:00:08 9</span></span><br /><span style="font-size: 85%;"></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R5#conf t</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">Enter configuration commands, one per line. 
End with CNTL/Z.</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R5(config)#router bgp 65005</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R5(config-router)#neighbor 172.14.45.6 remote-as 65000</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R5(config-router)#</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">.Jul 14 21:34:34.273: %BGP-5-ADJCHANGE: neighbor 172.14.45.6 Down Remote AS changed</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R5(config-router)#</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">.Jul 14 21:34:36.505: %BGP-5-ADJCHANGE: neighbor 172.14.45.6 Up</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R5(config-router)#</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R5(config-router)#^Z</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">R5#show ip bgp summary</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd</span></span><br /><span style="font-size: 85%;"><span style="font-family: courier new;">172.14.45.6 4 65000 270 286 0 0 0 00:00:09 0</span></span></div>Unknownnoreply@blogger.com
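The AS path changes shown across the local-as, no-prepend, replace-as and dual-as steps of this post, as an added Python model that is not the post's own code (the class and function names are assumed for illustration, not IOS interfaces). It reproduces the paths R5 and R6 display in the post, and makes the point a defender should keep in mind: the AS_PATH a peer sees is whatever its neighbor chose to send, so local-as is one legitimate reason a path will not match what a registry or origin check expects.

```python
# Added example, not from the original post: how the local-as options change
# the AS_PATH on each side of the R6-R5 session. ASNs are the post's:
# R6 is really AS 65000 and appears as AS 65006 to R5, which is AS 65005.
from dataclasses import dataclass


@dataclass(frozen=True)
class LocalAsPeer:
    real_as: int              # router bgp <asn> on R6 (65000)
    local_as: int             # neighbor ... local-as <asn> (65006)
    no_prepend: bool = False  # do not prepend local-as to routes received
    replace_as: bool = False  # send local-as instead of real_as
    dual_as: bool = False     # peer may use either ASN as our remote-as


def advertised_path(cfg, as_path):
    """AS_PATH R6 sends to R5 for a route whose path is as_path.
    Normally R6 prepends its real AS and then the local-as, so R5 sees
    "65006 65000 ..."; with replace-as only the local-as is added, hiding
    the real origin AS from R5 entirely."""
    if cfg.replace_as:
        return [cfg.local_as] + list(as_path)
    return [cfg.local_as, cfg.real_as] + list(as_path)


def received_path(cfg, as_path):
    """AS_PATH as R6 stores a route received from R5. Without no-prepend
    the local-as is prepended on the way in, so R6 sees "65006 65005 ...";
    no-prepend keeps the path exactly as R5 sent it."""
    if cfg.no_prepend:
        return list(as_path)
    return [cfg.local_as] + list(as_path)


def accepts_remote_as(cfg, peer_configured_as):
    """Whether the session comes up when R5 configures 'neighbor ...
    remote-as <peer_configured_as>': only the local-as normally, or
    either ASN once dual-as is set."""
    if peer_configured_as == cfg.local_as:
        return True
    return cfg.dual_as and peer_configured_as == cfg.real_as


def origin_as(as_path):
    """Origin AS as an observer would read it: the last AS in the path."""
    return as_path[-1]


# R6's configurations in the order the post applies them.
PLAIN = LocalAsPeer(65000, 65006)
NO_PREPEND = LocalAsPeer(65000, 65006, no_prepend=True)
REPLACE = LocalAsPeer(65000, 65006, no_prepend=True, replace_as=True)
DUAL = LocalAsPeer(65000, 65006, no_prepend=True, replace_as=True,
                   dual_as=True)

if __name__ == "__main__":
    # R5 sees "65006 65000 i" for 6.0.3.0/24 ...
    print(advertised_path(PLAIN, []))               # [65006, 65000]
    # ... R6 sees "65006 65005 65002 i" for 2.2.2.2/32 ...
    print(received_path(PLAIN, [65005, 65002]))     # [65006, 65005, 65002]
    # ... which no-prepend reduces to "65005 65002 i" ...
    print(received_path(NO_PREPEND, [65005, 65002]))
    # ... and replace-as leaves R5 with just "65006 i", origin 65006.
    print(origin_as(advertised_path(REPLACE, [])))  # 65006
    # dual-as: R5 may change remote-as to 65000 and the session still comes up.
    print(accepts_remote_as(REPLACE, 65000), accepts_remote_as(DUAL, 65000))
```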