--- CCIE R&S Advanced Lab Session 5 BGP, Multicast ---

Copyright© Network Learning Inc

BGP Topics Covered
- BGP Confederation
- Order/Preference
- Aggregation
- Security
- Peer Groups
- Dampening

BGP
- Know where BGP is located on the DOC CD
- How can BGP be manipulated

BGP Confederations

Remove Private AS
- Private AS numbers are used internally
- The private AS information needs to be removed

BGP Path Selection
1. If the path specifies a next hop that is inaccessible, drop the update.
2. Prefer the path with the largest weight.
3. If the weights are the same, prefer the path with the largest local preference.
4. If the local preferences are the same, prefer the path that was originated by BGP running on this router.
5. If no route was originated, prefer the route that has the shortest AS_path.
6. If all paths have the same AS_path length, prefer the path with the lowest origin type (where IGP is lower than EGP, and EGP is lower than incomplete).
7. If the origin codes are the same, prefer the path with the lowest MED attribute.
8. If the paths have the same MED, prefer the external path over the internal path.
9. If the paths are still the same, prefer the path through the closest IGP neighbor.
10. Prefer the path with the lowest IP address, as specified by the BGP router ID.
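The ten steps above as a runnable comparator, an added Python model that is not part of the deck: step 1 is a RIB lookup on the next hop, steps 2 to 10 become one sort key, and the candidate paths and RIB prefixes are constructed test data.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of one BGP path entry; the fields are the attributes the
# ten selection steps on the slide look at. Origin codes rank IGP < EGP < incomplete.
ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}

@dataclass
class Path:
    next_hop: str
    as_path: List[int]
    weight: int = 0
    local_pref: int = 100
    locally_originated: bool = False   # injected on this router (network/aggregate)
    origin: str = "igp"
    med: int = 0
    external: bool = True              # learned via eBGP rather than iBGP
    igp_metric: int = 0                # IGP cost to reach next_hop
    router_id: str = "0.0.0.0"         # BGP router ID of the advertising peer

def next_hop_reachable(path: Path, rib: List[str]) -> bool:
    """Step 1: drop the path if no route in the unicast RIB covers its next hop."""
    nh = ipaddress.ip_address(path.next_hop)
    return any(nh in ipaddress.ip_network(prefix) for prefix in rib)

def preference_key(p: Path):
    """Steps 2-10 as one sort key; attributes where larger is better are negated
    so the most preferred path sorts first. IOS compares MED (step 7) only
    between paths from the same neighbouring AS unless 'bgp always-compare-med'
    is set; this model compares it unconditionally."""
    return (
        -p.weight,                                  # 2. largest weight
        -p.local_pref,                              # 3. largest local preference
        0 if p.locally_originated else 1,           # 4. originated on this router
        len(p.as_path),                             # 5. shortest AS_path
        ORIGIN_RANK[p.origin],                      # 6. lowest origin type
        p.med,                                      # 7. lowest MED
        0 if p.external else 1,                     # 8. eBGP over iBGP
        p.igp_metric,                               # 9. closest IGP neighbour
        int(ipaddress.ip_address(p.router_id)),     # 10. lowest router ID
    )

def best_path(paths: List[Path], rib: List[str]) -> Optional[Path]:
    usable = [p for p in paths if next_hop_reachable(p, rib)]
    return min(usable, key=preference_key) if usable else None

# Constructed sample: candidate paths for one prefix (test data, not a real table).
RIB = ["192.168.1.0/24", "192.168.2.0/24"]
CANDIDATES = [
    # highest weight, but the next hop is not in the RIB, so step 1 drops it
    Path("172.16.9.9", [65009], weight=32768, router_id="1.1.1.1"),
    # wins on local preference (step 3) despite the longer AS_path
    Path("192.168.1.1", [65001, 65002], local_pref=200, router_id="2.2.2.2"),
    # the two below tie until origin (step 6): IGP beats incomplete
    Path("192.168.2.2", [65003], local_pref=100, router_id="3.3.3.3"),
    Path("192.168.2.3", [65003], local_pref=100, origin="incomplete", router_id="4.4.4.4"),
]

def demo() -> str:
    best = best_path(CANDIDATES, RIB)
    return best.next_hop if best else "none"

if __name__ == "__main__":
    print("best path via", demo())
```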

Aggregating BGP Networks
- Aggregation creates summary routes (called aggregates) from networks already in the BGP table
- Individual networks can be announced or suppressed
- Summarization is called aggregation in BGP

Configuring Aggregation
router bgp as-number
 aggregate-address address-prefix mask
- Specifies the aggregation range in the BGP routing process
- The aggregate is announced if there is at least one network in the specified range in the BGP table
- Individual networks are still announced in outgoing BGP updates

Configuring BGP Communities
BGP communities are configured in the following steps:
1. Configure BGP community propagation
2. Define BGP community-lists to match BGP communities
3. Configure route-maps that match on community-lists and filter routes or set other BGP attributes
4. Apply route-maps to incoming or outgoing updates

Community Setting Through Route-Map
route-map name
 match condition
 set community value [value ...] [additive]
- Any number of communities can be specified
- Communities specified in the set keyword overwrite existing communities unless you specify the additive option

Attaching Communities to a Route
router(config-router)# neighbor ip-address route-map map in | out
- Applies a route-map to inbound or outbound BGP updates
- The route-map can set BGP communities or other BGP attributes
router(config-router)# redistribute protocol route-map map
- Applies a route-map to redistributed routes

Configure Community Propagation
router(config-router)# neighbor ip-address send-community
- By default, communities are stripped from outgoing BGP updates
- Community propagation to BGP neighbors has to be configured manually

Related Commands
- set community none – removes all community attributes
- set comm-list delete – removes specific communities:
    ip community-list 1 permit 200:100
    route-map REM_COM permit 10
     set comm-list 1 delete
- set community additive – appends to existing communities:
    set community 450 additive
- ip community-list 1 permit 200:10 – matches any route that has 200:10
- ip community-list 3 permit 200:10 100:10 – matches any route that has either or both communities
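The community operations from the last four slides (send-community, set community with and without additive, set community none, set comm-list delete, and a route-map match on a community-list) as an added Python model; it is not the deck's code, communities are plain "ASN:value" strings, and each community-list entry is assumed to name a single community.

```python
from typing import List, Tuple

# Constructed model of the community operations on these slides. A route's
# communities are kept as "ASN:value" strings; an 'ip community-list' is an
# ordered list of (permit|deny, community) entries, one community per entry.
CommList = List[Tuple[str, str]]

def comm_list_permits(comm_list: CommList, community: str) -> bool:
    """The first entry naming the community decides; unlisted communities are denied."""
    for action, value in comm_list:
        if value == community:
            return action == "permit"
    return False

def match_community(comm_list: CommList, route_communities: List[str]) -> bool:
    """'match community <n>' in a route-map: true if any community on the route is permitted."""
    return any(comm_list_permits(comm_list, c) for c in route_communities)

def set_community(route_communities: List[str], values: List[str], additive: bool = False) -> List[str]:
    """'set community value [value ...] [additive]': overwrites unless additive is given."""
    if additive:
        return route_communities + [v for v in values if v not in route_communities]
    return list(values)

def set_community_none(route_communities: List[str]) -> List[str]:
    """'set community none': removes all community attributes."""
    return []

def set_comm_list_delete(comm_list: CommList, route_communities: List[str]) -> List[str]:
    """'set comm-list <n> delete': removes the communities the list permits, keeps the rest."""
    return [c for c in route_communities if not comm_list_permits(comm_list, c)]

def outbound_communities(route_communities: List[str], send_community: bool) -> List[str]:
    """Without 'neighbor ... send-community' the attribute is stripped from the update."""
    return list(route_communities) if send_community else []

# The slide's example, modelled:
#   ip community-list 1 permit 200:100
#   route-map REM_COM permit 10
#    set comm-list 1 delete
COMM_LIST_1: CommList = [("permit", "200:100")]

def route_map_rem_com(route_communities: List[str]) -> List[str]:
    return set_comm_list_delete(COMM_LIST_1, route_communities)
```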

AS Path Filtering
Several scenarios require BGP route filtering based on AS-path:
- Announce only local routes to the ISP – the AS-path needs to be empty
- Select routes based on a specific AS-number in the AS-path
- Accept routes for a specific AS only from some BGP neighbors
AS-path filters use regular expressions

Regular Expressions – Matching Delimiters
^  matches the beginning of the string
$  matches the end of the string
_  matches any delimiter (beginning, end, white space, tab, comma)

Regular Expressions – Operators
*    matches zero or more instances
?    matches zero or one instance
+    matches one or more instances
.    matches any single character
[ ]  matches characters or a range of characters

Sample Regular Expressions
  _100_      going through AS 100
  ^100$      directly connected to AS 100
  _100$      originated in AS 100
  ^100_.*    networks behind AS 100
  ^[0-9]+$   AS paths one AS long
  ^$         networks originated in local AS
  .*         matches everything

Configuring BGP AS-path Filters
R1(config)# ip as-path access-list number permit | deny regexp
- Configures an AS-path access list
R1(config-router)# neighbor ip-address filter-list as-path-filter in | out
- Configures an inbound or outbound AS-path filter for the specified BGP neighbor
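An added Python check of the AS-path regular expressions from the previous four slides, not code from the deck: it translates the IOS-specific "_" delimiter into a Python regex, runs the slide's sample expressions against AS_PATH strings, and evaluates an as-path access-list with first-match and implicit deny semantics. AS numbers in the sample filter list are hypothetical.

```python
import re
from typing import List, Tuple

# IOS AS-path regex -> Python regex. The only IOS-specific token is "_", which
# matches a delimiter: beginning or end of string, white space, tab or comma
# (the slide's "Matching Delimiters"). The operators on the slide (^ $ * ? + . [ ])
# already mean the same thing in Python's re module. The brace and parenthesis
# delimiters IOS also accepts for AS-sets and confederations are not modelled.
def ios_regex_to_python(ios_regex: str) -> str:
    return ios_regex.replace("_", r"(?:^|$|[\s,])")

def as_path_matches(ios_regex: str, as_path: str) -> bool:
    """as_path is the AS_PATH as 'show ip bgp' prints it, e.g. '100 200 300';
    an empty string is a locally originated route."""
    return re.search(ios_regex_to_python(ios_regex), as_path) is not None

# The slide's sample expressions and what they are meant to select.
SAMPLES = {
    "_100_":    "going through AS 100",
    "^100$":    "directly connected to AS 100",
    "_100$":    "originated in AS 100",
    "^100_.*":  "networks behind AS 100",
    "^[0-9]+$": "AS paths one AS long",
    "^$":       "networks originated in local AS",
    ".*":       "matches everything",
}

def matching_samples(as_path: str) -> List[str]:
    """Which of the slide's sample expressions match this AS_PATH."""
    return [rx for rx in SAMPLES if as_path_matches(rx, as_path)]

# An 'ip as-path access-list' is an ordered list of (permit|deny, regex) entries:
# the first entry that matches decides, and a path matching no entry is denied.
AsPathAcl = List[Tuple[str, str]]

def as_path_filter(acl: AsPathAcl, as_path: str) -> bool:
    for action, regex in acl:
        if as_path_matches(regex, as_path):
            return action == "permit"
    return False   # implicit deny

# Constructed filter-list: accept routes that pass through AS 100, but never
# anything that also passed through AS 65666 (hypothetical AS numbers).
FILTER_LIST_1: AsPathAcl = [("deny", "_65666_"), ("permit", "_100_")]
```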

Conditional Route Injection
Used to inject more specific routes into BGP based on the existence of certain routes
R1(config)# router bgp
R1(config-router)# bgp inject-map ORIGIN exist-map LEARNED copy-attributes
R1(config)# ip prefix-list ROUTE permit /24
R1(config)# ip prefix-list ROUTE_SOURCE permit /32
R1(config)# ip prefix-list ORIGINATED_ROUTES permit /25
R1(config)# route-map LEARNED permit 10
R1(config-route-map)# match ip address prefix-list ROUTE
R1(config-route-map)# match ip route-source prefix-list ROUTE_SOURCE
R1(config)# route-map ORIGIN permit 10
R1(config-route-map)# set ip address prefix-list ORIGINATED_ROUTES

BGP Authentication
- Authentication is MD5
- Configured on a per-neighbor basis
R1(config)# router bgp 10
R1(config-router)# neighbor remote-as 10
R1(config-router)# neighbor password CISCO
R2(config)# router bgp 10
R2(config-router)# neighbor remote-as 10
R2(config-router)# neighbor password CISCO

Route Flap Dampening
- Every time an eBGP route flaps it gets 1000 penalty points (eBGP only)
- The penalty placed on a route decays using an exponential decay algorithm
- When the penalty exceeds the "suppress limit", the route is dampened (no longer used or propagated to other neighbors)
- A dampened route is propagated again when the penalty drops below the "reuse limit"

Configuring BGP Route Flap Dampening
R1(config-router)# bgp dampening [half-time reuse-limit suppress-limit max-suppress] [route-map route-map]
Parameter meaning:
  half-time       exponential decay half-time (time in which the penalty is halved)
  suppress-limit  penalty value at which the route starts to be dampened
  reuse-limit     penalty value at which the dampened route is reused
  max-suppress    maximum suppression time
  route-map       controls where BGP route dampening is enabled

Default BGP Dampening Parameter Values
The following default dampening parameter values are used if you don't specify them:
  half-time          15 minutes
  per-flap penalty   1,000 (non-configurable)
  suppress limit     2,000
  reuse limit        750
  max-suppress-time  60 minutes
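The dampening mechanics of the last three slides carried through with the default values, as an added Python simulation rather than anything from the deck: per-flap penalty, exponential decay by half-time, suppress and reuse limits, and the penalty ceiling that IOS derives from reuse-limit and max-suppress-time (that derivation is stated here from IOS behaviour, not from the slide).

```python
import math

# Defaults from the slide; all times in minutes.
HALF_LIFE = 15          # penalty halves every 15 minutes
REUSE_LIMIT = 750
SUPPRESS_LIMIT = 2000
MAX_SUPPRESS = 60
FLAP_PENALTY = 1000     # per flap, not configurable

def max_penalty(half_life=HALF_LIFE, reuse=REUSE_LIMIT, max_suppress=MAX_SUPPRESS) -> float:
    """Ceiling on the penalty: the value that decays to reuse-limit in exactly
    max-suppress-time, so no route stays dampened longer than that."""
    return reuse * 2 ** (max_suppress / half_life)

def decay(penalty: float, minutes: float, half_life=HALF_LIFE) -> float:
    """Exponential decay: after each half-life the penalty is halved."""
    return penalty * 2 ** (-minutes / half_life)

def minutes_until_reuse(penalty: float, reuse=REUSE_LIMIT, half_life=HALF_LIFE) -> float:
    """How long a penalty needs to decay to the reuse limit."""
    return 0.0 if penalty <= reuse else half_life * math.log2(penalty / reuse)

class DampenedRoute:
    def __init__(self, external: bool = True):
        self.external = external      # only eBGP routes accumulate penalty
        self.penalty = 0.0
        self.last_update = 0.0        # minutes
        self.suppressed = False

    def _age(self, now: float) -> None:
        self.penalty = decay(self.penalty, now - self.last_update)
        self.last_update = now

    def flap(self, now: float) -> None:
        """Each flap adds 1000 points; the route is dampened once the penalty
        exceeds the suppress limit."""
        if not self.external:
            return
        self._age(now)
        self.penalty = min(self.penalty + FLAP_PENALTY, max_penalty())
        if self.penalty > SUPPRESS_LIMIT:
            self.suppressed = True

    def usable(self, now: float) -> bool:
        """A dampened route is used and propagated again once the penalty has
        decayed below the reuse limit."""
        self._age(now)
        if self.suppressed and self.penalty < REUSE_LIMIT:
            self.suppressed = False
        return not self.suppressed

def demo():
    """Three flaps in quick succession: penalty 3000 > 2000, so the route is
    suppressed; 3000 decays to 750 in 15 * log2(4) = 30 minutes."""
    r = DampenedRoute()
    for _ in range(3):
        r.flap(now=0)
    return r.suppressed, minutes_until_reuse(r.penalty)
```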

Limiting the Number of Routes Received from a Neighbor
Problem definition:
- A misconfigured BGP neighbor can send a huge number of prefixes that exhaust the router's memory or overload the CPU
- All other filtering mechanisms only specify what we're willing to accept, not how much
- Need to control the number of prefixes received from a neighbor

Maximum-Prefix Command
R1(config-router)# neighbor ip-address maximum-prefix maximum [threshold] [warning-only]
- Controls how many prefixes can be received from a neighbor
- The optional threshold parameter specifies the percentage at which a warning message is logged (default is 75%)
- The optional warning-only keyword specifies the action on exceeding the maximum number (default is to drop the neighborship)

--- CCIE R&S Advanced Lab Session 5 continued, Multicast ---

Multicast
- Address
- RPF
- Dense / Sparse mode
- Source / shared tree
- Static RP
- Auto-RP
- BSR
- B-M-B
- MSDP / Anycast

Multicast Address Range

Reverse Path Forwarding

RPF Calculation

RPF with two paths

Multicast Distribution Trees
- Dense Mode uses Source Push Technology

Shared Distribution Tree
- Sparse mode uses Shared Pull Technology

Characteristics of Distribution Trees

Multicast Tree Creation

PIM Sparse Mode

How does the network know about the RP?

Static RPs

Auto RP
- Uses
- Intended for PIMv1
- C_RP candidates
- Mapping Agent (collects announcements and sends RP discovery messages on )
- The RPs announce on
- Recommended to locate C_RP and Mapping Agent on the same router
- Uses dense mode to find the RP

Auto-RP configured

BSR Overview
- ip pim bsr-border: for PIM join messages that might inadvertently cross the border

Configuring BSR
- Hash Mask
- Priority

Anycast – RP Overview

MSDP

Anycast RP

Anycast RP - cont.

Broadcast-Multicast-Broadcast
interface ethernet 0
 ip pim sparse-mode
 ip multicast helper-map broadcast
access-list 105 permit udp host host eq 4000
ip forward-protocol udp
interface serial 0
 ip pim sparse-mode
 ip multicast helper-map
interface ethernet 1
 ip directed-broadcast
access-list 105 permit udp host any eq 4000
ip forward-protocol udp 4000

--- CCIE R&S Advanced Lab Session 6 QOS, Security ---

QOS
- Modular QoS CLI (MQC)
- LLQ
- CAR – Committed Access Rate
- WRED, CBWRED
- Marking
- Shaping, FRTS
- Fragmenting
- NBAR – Network Based Application Recognition

MQC Class-maps
class-map [match-all | match-any] Lab   (match-all is the default)
 match xxx
 match yyy
 match ?
Classify on:
- input interface f0/0
- destination MAC address
- source MAC address
- fr-de, fr-dlci
- cos, dscp, IP precedence
- any
- access-group
- protocol (NBAR, download PDLMs)
  - requires CEF
  - can run NBAR protocol discovery
- packet length min or max

Policy-Map and DSCP
policy-map Test
 class Lab
  set cos, ip-dscp, ip-prec, ...
  bandwidth xxx
  ...
- DSCP has 64 different colors to mark traffic
- mls qos map dscp-mutation – map 31 to 41

CBWFQ
int f0/0
 max-reserved-bandwidth 80   (75% is the default)
- A policy-map can use kbps or percent but not both
policy-map Voice
 class CONTROL
  bandwidth 10
 class Media
  priority 1000
- Can have 255 classes total
- When a strict priority queue is applied to a class, it is referred to as LLQ

CAR – Committed Access Rate
- Used on edge routers to classify and/or rate-limit traffic
- Can be applied to all traffic or to a subset of the traffic selected by an access list
- Configured on an interface:
rate-limit {input | output} bps normal-burst max-burst conform-action action exceed-action action
rate-limit {input | output} access-group index bps normal-burst max-burst conform-action action exceed-action action
- normal burst = configured rate * (1 byte)/(8 bits) * 1.5 seconds
- extended burst = 2 * normal burst

CBWFQ Architecture

Applying RED

Configuring WRED on an Interface
- minimum threshold (number of packets)
- maximum threshold (number of packets)
- mark probability denominator
When the average queue size is above the minimum threshold, RED starts dropping packets. The rate of packet drop increases linearly as the average queue size increases, until the average queue size reaches the maximum threshold. The mark probability denominator is the fraction of packets dropped when the average queue size is at the maximum threshold. For example, with a denominator of 100, one out of every 100 packets is dropped when the average queue size is at the maximum threshold.

Traffic Shaping

Shape Peak
- Peak rate = CIR(1+Be/Bc)
Router(config-pmap-c)# shape {average | peak} cir [bc] [be]
- Shape adaptive – BECN field set to 1
- 25% slow down if a BECN is received
- If 16 Tcs are received with no BECNs, increase 1/16 every Tc
- Can also use FECN-adapt to send information ahead to the other end with the BECN field

Frame Relay Traffic Shaping
- Time Committed (Tc) = 125 ms

Network Based Application Recognition (NBAR)

NBAR Application Support

Packet Description Language Module

NBAR Protocol Discovery

--- CCIE R&S Advanced Lab Session 6 continued security ---

Security
- Unicast Reverse Path Forwarding (uRPF)
- Context Based Access Control (CBAC)

Unicast Reverse Path Forwarding (uRPF)
- Unicast Reverse Path Forwarding (uRPF) is a feature originally created to implement Network Ingress Filtering
- Network Ingress Filtering: Defeating Denial of Service Attacks Which Employ IP Source Address Spoofing (RFC 2827)

Configuring uRPF
- By enabling Unicast Reverse Path Forwarding (uRPF), all spoofed packets will be dropped at the first device
- To enable uRPF, use the following commands (CEF is required):
R1(config)# ip cef
R1(config)# interface f0/0
R1(config-if)# ip verify unicast reverse-path
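An added Python model of the reverse-path check, serving both the multicast RPF slides of Session 5 and the uRPF slides here; it is not the deck's code. The FIB, interface names and packet sources are constructed; strict mode is what "ip verify unicast reverse-path" does, and the loose variant and the default-route handling are modelled from IOS behaviour ("reachable-via any" and "allow-default"), not from the slides.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed FIB (the CEF table uRPF consults): (prefix, egress interface).
FIB: List[Tuple[str, str]] = [
    ("10.1.0.0/16",    "Fa0/0"),
    ("10.1.5.0/24",    "Fa0/1"),
    ("192.168.0.0/16", "Se0/0"),
    ("0.0.0.0/0",      "Se0/0"),
]

def fib_lookup(fib, address: str, allow_default: bool = False) -> Optional[str]:
    """Longest-prefix match; returns the interface the router would use to reach
    `address`. The default route is ignored unless allow_default is set, as IOS
    does for uRPF unless 'allow-default' is configured."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None

def urpf_check(fib, src_ip: str, in_iface: str, mode: str = "strict") -> bool:
    """'ip verify unicast reverse-path' (strict): the packet passes only if the
    best route back to its source points out the interface it arrived on.
    'loose' (reachable-via any) only requires that some route to the source exist."""
    via = fib_lookup(fib, src_ip)
    if via is None:
        return False                 # no route back to the source: spoofed or bogon
    return True if mode == "loose" else via == in_iface

def multicast_rpf_check(fib, source: str, in_iface: str) -> bool:
    """PIM's RPF check on a multicast packet asks the same question of the unicast
    table: did this packet arrive on the interface used to reach the source?"""
    return urpf_check(fib, source, in_iface, mode="strict")

# Constructed packets: (source address, arrival interface)
PACKETS = [
    ("10.1.2.3",    "Fa0/0"),   # legitimate: best route to 10.1.2.3 is via Fa0/0
    ("10.1.5.7",    "Se0/0"),   # inside address arriving from the WAN: spoofed
    ("192.168.4.4", "Se0/0"),   # legitimate WAN source
    ("203.0.113.5", "Fa0/0"),   # only the default route covers it
]

def strict_verdicts() -> List[bool]:
    return [urpf_check(FIB, src, iface) for src, iface in PACKETS]
```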

CBAC – Context-Based Access Control
- CBAC inspects TCP and UDP packets at the application layer
- CBAC monitors all outgoing requests by creating temporary openings for outbound traffic at the firewall interface
- Return traffic is allowed in only if it is part of the original outgoing traffic
- CBAC inspects all outgoing packets and maintains state information for every session
- CBAC then decides whether to deny or permit incoming traffic, based on its state information

How CBAC Works
ip inspect name FWRULE tcp
1. Control traffic is inspected by the CBAC rule.
2. CBAC creates a dynamic ACL allowing return traffic back through the firewall:
   access-list 102 permit tcp host eq 23 host eq 2447
3. CBAC continues to inspect control traffic and dynamically creates and removes ACLs as required by the application.
4. CBAC detects when an application terminates or times out and removes all dynamic ACLs for that session.
Figure labels: Port 2447, Port 23
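The stateful behaviour of the two CBAC slides as an added Python model, not the deck's code: an outbound session creates the temporary opening, return traffic passes only while that session is live, and the opening is removed on reset, after the FIN-wait time, or when the idle timer expires. The timer values are the deck's defaults (TCP idle 1 h, UDP idle 30 s, FIN wait 5 s); the addresses are constructed and the ports are the ones in the slide's figure.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""     # TCP flags as letters: "S", "SA", "A", "FA", "R"

Key = Tuple[str, str, int, str, int]

class CbacInspector:
    """Constructed model of 'ip inspect name FWRULE tcp' (and udp) applied outbound
    on the inside interface, with an inbound ACL on the outside interface that
    denies everything CBAC has not opened."""

    def __init__(self, tcp_idle: float = 3600, udp_idle: float = 30, fin_wait: float = 5):
        self.idle = {"tcp": tcp_idle, "udp": udp_idle}
        self.fin_wait = fin_wait
        self.sessions: Dict[Key, dict] = {}   # key -> {"last": t, "closing": t or None}

    def outbound(self, p: Packet, now: float) -> bool:
        """Inside -> outside is forwarded; inspection records the session, which is
        the temporary opening the return traffic will match."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        entry = self.sessions.setdefault(key, {"last": now, "closing": None})
        entry["last"] = now
        if p.proto == "tcp" and "F" in p.flags and entry["closing"] is None:
            entry["closing"] = now
        return True

    def inbound(self, p: Packet, now: float) -> bool:
        """Outside -> inside passes only as return traffic of a live session."""
        key = (p.proto, p.dst, p.dport, p.src, p.sport)   # mirror of the outbound key
        entry = self.sessions.get(key)
        if entry is None:
            return False                                   # no session: static ACL denies
        idle_expired = now - entry["last"] > self.idle[p.proto]
        fin_expired = entry["closing"] is not None and now - entry["closing"] > self.fin_wait
        if idle_expired or fin_expired:
            del self.sessions[key]                         # timed out: opening removed
            return False
        entry["last"] = now
        if p.proto == "tcp" and "R" in p.flags:
            del self.sessions[key]                         # reset ends the session at once
        elif p.proto == "tcp" and "F" in p.flags and entry["closing"] is None:
            entry["closing"] = now                         # FIN seen: fin-wait timer starts
        return True

# Constructed telnet session using the ports from the slide's figure (2447 -> 23);
# 192.0.2.23 and 198.51.100.9 are documentation addresses standing in for outside hosts.
TELNET_SYN = Packet("tcp", "10.1.1.10", 2447, "192.0.2.23", 23, "S")
TELNET_SYNACK = Packet("tcp", "192.0.2.23", 23, "10.1.1.10", 2447, "SA")
TELNET_DATA = Packet("tcp", "192.0.2.23", 23, "10.1.1.10", 2447, "A")
TELNET_FIN = Packet("tcp", "192.0.2.23", 23, "10.1.1.10", 2447, "FA")
STRAY = Packet("tcp", "198.51.100.9", 23, "10.1.1.10", 2447, "SA")   # no matching session
DNS_QUERY = Packet("udp", "10.1.1.10", 5353, "192.0.2.53", 53)
DNS_REPLY = Packet("udp", "192.0.2.53", 53, "10.1.1.10", 5353)
```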

CBAC Configuration

Enable Audit Trails and Alerts

Enable TCP SYN and FIN Times (30s) (5s)

TCP, UDP and DNS Idle Times (3s) (1h) (30s)

Port to Application Mapping

Port Mapping Configuration

Configuring Inspection Rules

Apply Inspection Rule to an Interface
