Showing posts with label Routing. Show all posts
Showing posts with label Routing. Show all posts

IGMP Version 2

IGMP Version 2 was developed as a solution for the first version's weaknesses. One of which was the inability to detect if there are still hosts which are still members of a multicast group. It will take 3 minutes before the router knows that there are no more members in version 1. The enhancements in Version 2 is shown below.


Group-Specific Query messages – enables the router to do a query operation on specific multicast groups

Leave Group messages – hosts sends a Leave message to the router that they are leaving the multicast group.

Querier election process – can elect the router that will do that query without relying on multicast routing protocols.

Maximum Response Time field - permits the Query Router to specify the maximum Query-Response time. This field
permits the tuning of the Query-Response process to control response burstiness and to fine-tune leave latencies.

The first 2 enhancements above, really helps in saving bandwidth. What happens is, if a host leaves the multicast group, it sends a Leave message. When the router receives this Leave message, it will send out a Group Specific query to that group of which the Leave message indicated and within 10 secs (default) if no host replies a Membership Report the router removes the entry in its IGMP membership table. The router doesn't have to wait 3 minutes like in Version 1.

Below is the Message types.


IGMP Version 2 Message Types

Membership Query (Type code = 0x11)

Two Subtypes:
       General Query – operates the same way like in the
       Group-Specific Query - enables the router to do a query operation on specific multicast groups.

Version 1 Membership Report (Type code = 0x12) - This is for backwards compatibility with version 1.

Version 2 Membership Report (Type code = 0x16)

Leave Group (Type code = 0x17)

Now let’s try this in the lab. I have set up the lab like before using Ubuntu and MINT. To start off, let's configure the router the same way in the IGMP Version 1 post. The command "ip multicast-routing" should be configured under global config mode. Commands "ip igmp version 2" and "ip pim sparse-dense-mode" should be configured on the FastEthernet interface. Let’s see the screenshots on Wireshark. Firstly I have generated the traffic in MINT for the Ubuntu VM to join multicast group 239.10.10.10 port 4321.


The screenshot above shows the Membership report which has a Type code of 0x16. Since in the lab that I made, there are no valid multicast sources, the host immediately sends a Leave message.

We see that the host sends the leave message to a multicast group 224.0.0.2 which means “all routers” in the local subnet. Its clear that they Type code is 0x17. Right below the Leave group message, immediately the router sends a Group Specific Query to check if there are still hosts who are still members on the same multicast group. Also it sends a General Query. Check the screenshots below to spot the difference.


Group Specific Query


General Query


The similarities between both is the Type Code which is 0x11. General Queries send it out to a well known multicast group 224.0.0.1 which is all hosts in the segment. Group Specific queries shows that it sends to the group address. In the Multicast address field, General Queries will have 0.0.0.0 which Group Specific will have the group address.

Finally let’s see the router debug output.

Router>
*Nov 18 15:41:32.759: IGMP(0): Received v2 Report on FastEthernet0/0 from 192.168.59.128 for 239.10.10.10
*Nov 18 15:41:32.759: IGMP(0): Received Group record for group 239.10.10.10, mode 2 from 192.168.59.128 for 0 sources
*Nov 18 15:41:32.763: IGMP(0): WAVL Insert group: 239.10.10.10 interface: FastEthernet0/0Successful
*Nov 18 15:41:32.763: IGMP(0): Switching to EXCLUDE mode for 239.10.10.10 on FastEthernet0/0
*Nov 18 15:41:32.763: IGMP(0): Updating EXCLUDE group timer for 239.10.10.10
*Nov 18 15:41:32.767: IGMP(0): MRT Add/Update FastEthernet0/0 for (*,239.10.10.10) by 0
*Nov 18 15:41:33.975: IGMP(0): Received Leave from 192.168.59.128 (FastEthernet0/0) for 239.10.10.10
*Nov 18 15:41:33.975: IGMP(0): Received Group record for group 239.10.10.10, mode 3 from 192.168.59.128 for 0 sources
*Nov 18 15:41:33.979: IGMP(0): Lower expiration timer to 2000 msec for 239.10.10.10 on FastEthernet0/0
*Nov 18 15:41:33.979: IGMP(0): Send v2 Query on FastEthernet0/0 for group 239.10.10.10
*Nov 18 15:41:34.979: IGMP(0): Send v2 Query on FastEthernet0/0 for group 239.10.10.10
*Nov 18 15:41:35.979: IGMP(0): Switching to INCLUDE mode for 239.10.10.10 on FastEthernet0/0
*Nov 18 15:41:35.979: IGMP(0): MRT delete FastEthernet0/0 for (*,239.10.10.10) by 0

Why did the router send 2 Group Specific Queries on the debug above? The router in this case used a “Last Member Query Interval” in the range of 10 -1 second in between the Group Specific queries. What it did in our case, was to send on Group Specific query and wait for 1 second and then sends another so by the 2nd time it sent the queries and there is no reply, we see now that it did remove the group from its MRT as the last line of the debug indicated. It should take around 3 seconds as shown above for the router to stop sending traffic for a group if there are no more members. Should there were other hosts in the same multicast group 239.10.10.10 the router will continue forwarding traffic.

Wednesday, November 18, 2009 | Filed Under , , | 1 Comments

IGMP Version 1

This protocol's version might be old but its very important how to learn the differences between IGMP V1, V2 and V3. It's important to start learning about how the protocol evolved into what it is now. Learning IGMP V1 will give us a foundational knowledge of what IGMP does and how it functions.


What is IGMP?

IGMP is used for hosts who wish to join a multicast address/group, to inform their nearest 
multicast router on which group they wish to be a member of.

Used by routers to maintain a table of multicast group membership per interface. Multicast 
group membership is active on an interface, if the router receives a Membership 
Report from that interface.

It is only needed on IPV4 networks as IPV6 has a different way to handle multicast.


In this entry, I will focus on how the router forms the multicast membership table and what are the most commonly used multicast addresses used to discover multicast members. I will also do some debugs to check how IGMP Version 1 removes a multicast address from the IGMP membership table. The simple diagram is shown below, instructions on how I set up MINT, Wireshark and Ubuntu can be found on the previous blog entry.


Scenario: Ubuntu VM wishes to receive multicast traffic from 239.10.10.10, 239.20.20.20 and 
239.30.30.30. Observe through Wireshark and debug commands how IGMP Version 1 works.

First thing is to configure the router to make multicast work.


R0(config)#ip multicast-routing
R0(config)#int fa0/0
R0(config-if)#ip pim sparse-dense-mode
R0(config-if)#ip igmp version 1

Router#sh ip igmp interface
FastEthernet0/0 is up, line protocol is up
 Internet address is 192.168.18.10/24
 IGMP is enabled on interface
  Current IGMP host version is 1
  Current IGMP router version is 1
 IGMP query interval is 60 seconds
 Inbound IGMP access group is not set
 IGMP activity: 6 joins, 4 leaves
 Multicast routing is enabled on interface
 Multicast TTL threshold is 0
 Multicast designated router (DR) is 192.168.18.10 (this system)
 IGMP querying router is 192.168.18.10 (this system)
 Multicast groups joined by this system (number of users):
     224.0.1.40(1)


These commands are needed to make multicast operate on the router. PIM sparse-dense mode will be discussed on the other entries. I doubt if any aspiring CCIE candidates who already took their CCNP will know nothing about PIM.:)

Then, Wireshark should already be ready to sniff packets on the VMware interface towards Ubuntu VM. From Ubuntu VM Terminal, generate the commands below for the virtual machine to receive traffic for multicast groups 239.10.10.10, 239.20.20.20 and 239.30.30.30. There are no real multicast sources though so don't expect a continous multicast traffic flow. This commands on MINT will only send Membership Report to the router informing that this host is interested joining these 3 multicast groups.


pete@pete-desktop:~/mint-1.2$ mint -r 239.10.10.10 -p 4321
pete@pete-desktop:~/mint-1.2$ mint -r 239.20.20.20 -p 4321
pete@pete-desktop:~/mint-1.2$ mint -r 239.20.20.20 -p 4321


I filtered the output on Wireshark to only show igmp packets and the first 3 outputs are shown below in the red box. My Ubuntu VM's ip address is 192.168.18.129. Click on the picture below to enlarge...


We can see the lines numbered 2, 4 and 7 with the red box that the Info part specifies a V1 Membership Report. Let's see how the router sees the debug.


*Oct 30 13:39:35.783: IGMP(0): Received v1 Report on FastEthernet0/0 from 192.168.18.129 for 239.10.10.10
*Oct 30 13:39:35.783: IGMP(0): Received Group record for group 239.10.10.10, mode 2 from 192.168.18.129 for 0 sources
*Oct 30 13:39:35.787: IGMP(0): WAVL Insert group: 239.10.10.10 interface: FastEthernet0/0Successful
*Oct 30 13:39:35.787: IGMP(0): Switching to EXCLUDE mode for 239.10.10.10 on FastEthernet0/0
*Oct 30 13:39:35.787: IGMP(0): Updating EXCLUDE group timer for 239.10.10.10
*Oct 30 13:39:35.791: IGMP(0): MRT Add/Update FastEthernet0/0 for (*,239.10.10.10) by 0
*Oct 30 13:39:41.083: IGMP(0): Received v1 Report on FastEthernet0/0 from 192.168.18.129 for 239.20.20.20
*Oct 30 13:39:41.087: IGMP(0): Received Group record for group 239.20.20.20, mode 2 from 192.168.18.129 for 0 sources
*Oct 30 13:39:41.087: IGMP(0): WAVL Insert group: 239.20.20.20 interface: FastEthernet0/0Successful
*Oct 30 13:39:41.087: IGMP(0): Switching to EXCLUDE mode for 239.20.20.20 on FastEthernet0/0
*Oct 30 13:39:41.091: IGMP(0): Updating EXCLUDE group timer for 239.20.20.20
*Oct 30 13:39:41.091: IGMP(0): MRT Add/Update FastEthernet0/0 for (*,239.20.20.20) by 0
*Oct 30 13:39:42.275: IGMP(0): Received v1 Report on FastEthernet0/0 from 192.168.18.129 for 239.20.20.20
*Oct 30 13:39:42.275: IGMP(0): Received Group record for group 239.20.20.20, mode 2 from 192.168.18.129 for 0 sources
*Oct 30 13:39:42.279: IGMP(0): Updating EXCLUDE group timer for 239.20.20.20
*Oct 30 13:39:42.279: IGMP(0): MRT Add/Update FastEthernet0/0 for (*,239.20.20.20) by 0
*Oct 30 13:39:44.651: IGMP(0): Received v1 Report on FastEthernet0/0 from 192.168.18.129 for 239.30.30.30
*Oct 30 13:39:44.651: IGMP(0): Received Group record for group 239.30.30.30, mode 2 from 192.168.18.129 for 0 sources
*Oct 30 13:39:44.655: IGMP(0): WAVL Insert group: 239.30.30.30 interface: FastEthernet0/0Successful
*Oct 30 13:39:44.655: IGMP(0): Switching to EXCLUDE mode for 239.30.30.30 on FastEthernet0/0
*Oct 30 13:39:44.655: IGMP(0): Updating EXCLUDE group timer for 239.30.30.30
*Oct 30 13:39:44.655: IGMP(0): MRT Add/Update FastEthernet0/0 for (*,239.30.30.30) by 0

We can see there the statements "MRT Add/Update FastEthernet0/0" which means it mapped the specific multicast address to the MRT (multicast routing table) for a specific interface. This will be also added to the IGMP membership. Lets check the MROUTE and IGMP memberships.


Router#sh ip mroute
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
     L - Local, P - Pruned, R - RP-bit set, F - Register flag,
     T - SPT-bit set, J - Join SPT, M - MSDP created entry,
     X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
     U - URD, I - Received Source Specific Host Report,
     Z - Multicast Tunnel, z - MDT-data group sender,
     Y - Joined MDT-data group, y - Sending to MDT-data group
Outgoing interface flags: H - Hardware switched, A - Assert winner
Timers: Uptime/Expires
Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 239.255.255.250), 00:00:44/00:02:15, RP 0.0.0.0, flags: DC
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:
  FastEthernet0/0, Forward/Sparse-Dense, 00:00:44/00:00:00

(*, 239.10.10.10), 00:00:08/00:02:51, RP 0.0.0.0, flags: DC
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:
  FastEthernet0/0, Forward/Sparse-Dense, 00:00:08/00:00:00 ######### Added to MRT

(*, 224.0.1.40), 00:00:49/00:02:52, RP 0.0.0.0, flags: DCL
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:
  FastEthernet0/0, Forward/Sparse-Dense, 00:00:49/00:00:00

Router#sh ip igmp member
Flags: A  - aggregate, T - tracked
  L  - Local, S - static, V - virtual, R - Reported through v3
  I - v3lite, U - Urd, M - SSM (S,G) channel
  1,2,3 - The version of IGMP the group is in
Channel/Group-Flags:
  / - Filtering entry (Exclude mode (S,G), Include mode (*,G))
Reporter:
   - last reporter if group is not explicitly tracked
/      -  reporter in include mode,  reporter in exclude

Channel/Group                  Reporter        Uptime   Exp.  Flags  Interface
*,239.255.255.250              192.168.18.1    00:03:32 02:59 1A     Fa0/0
*,239.20.20.20                 192.168.18.129  00:02:38 00:22 1A     Fa0/0
*,239.10.10.10                 192.168.18.129  00:02:43 00:16 1A     Fa0/0
*,239.30.30.30                 192.168.18.129  00:02:34 00:25 1A     Fa0/0
*,224.0.1.40                   192.168.18.10   00:03:34 02:50 1LA    Fa0/0

What are these other groups here? We are these for? Check the Wireshark screenshot above for the blue and green boxes. 239.255.255.250 is used by SSDP (Simple Service Discovery Protocol) used for Universal Plug and Play and from the output above its REPORTER is my Host OS which is Windows (192.168.18.1). 224.0.1.40 is a well known IANA assigned address for RP discovery while its counter part 224.0.1.39 is for RP announcement. This is reported by the router itself.


Multicast Routers use the IANA allocated Multicast address 224.0.0.1 for Membership Queries.
This multicast address is  reserved for all hosts in the LAN segment.



Leave Group

What happens when a host no longer wants to receive multicast traffic? How does the router know that there are no more interested hosts for that multicast group. For version 1, IGMP by default does Membership query every 60 seconds. It sends the multicast to 224.0.0.1 which means all host in the subnet. If by 3 tries which would be 180 secs or 3 mins and there are no Membership Report for a certain address, the router removes the entry from the IGMP membership table. Let's again generate traffic for 239.10.10.10 in MINT and lets see after 3 mins what the router does if there are no more Membership Reports.


pete@pete-desktop:~/mint-1.2$ mint -r 239.20.20.20 -p 4321

Router#debug ip igmp 239.10.10.10
IGMP debugging is on
Router#
*Oct 30 13:53:33.727: IGMP(0): Received v1 Report on FastEthernet0/0 from 192.168.18.129 for 239.10.10.10
*Oct 30 13:53:33.731: IGMP(0): Received Group record for group 239.10.10.10, mode 2 from 192.168.18.129 for 0 sources
*Oct 30 13:53:33.731: IGMP(0): WAVL Insert group: 239.10.10.10 interface: FastEthernet0/0Successful
*Oct 30 13:53:33.731: IGMP(0): Switching to EXCLUDE mode for 239.10.10.10 on FastEthernet0/0
*Oct 30 13:53:33.735: IGMP(0): Updating EXCLUDE group timer for 239.10.10.10
*Oct 30 13:53:33.735: IGMP(0): MRT Add/Update FastEthernet0/0 for (*,239.10.10.10) by 0
*Oct 30 13:54:09.335: IGMP(0): Send v1 general Query on FastEthernet0/0
*Oct 30 13:54:14.815: IGMP(0): Report has illegal group address 224.0.0.251
*Oct 30 13:55:09.335: IGMP(0): Send v1 general Query on FastEthernet0/0
*Oct 30 13:55:14.095: IGMP(0): Report has illegal group address 224.0.0.251
Router#sh ip igmp member
Flags: A  - aggregate, T - tracked
L  - Local, S - static, V - virtual, R - Reported through v3
I - v3lite, U - Urd, M - SSM (S,G) channel
1,2,3 - The version of IGMP the group is in
Channel/Group-Flags:
/ - Filtering entry (Exclude mode (S,G), Include mode (*,G))
Reporter:
 - last reporter if group is not explicitly tracked
/      -  reporter in include mode,  reporter in exclude

Channel/Group                  Reporter        Uptime   Exp.  Flags  Interface
*,239.255.255.250              192.168.18.1    00:17:14 02:13 1A     Fa0/0
*,239.10.10.10                 192.168.18.129  00:02:27 00:32 1A     Fa0/0
*,224.0.1.40                   192.168.18.10   00:17:16 02:08 1LA    Fa0/0
Router#
*Oct 30 13:56:09.335: IGMP(0): Send v1 general Query on FastEthernet0/0
*Oct 30 13:56:15.155: IGMP(0): Report has illegal group address 224.0.0.251
*Oct 30 13:56:34.335: IGMP(0): Switching to INCLUDE mode for 239.10.10.10 on FastEthernet0/0
*Oct 30 13:56:34.335: IGMP(0): MRT delete FastEthernet0/0 for (*,239.10.10.10) by 0


The one highlighted in red is timestamped 13:53:33.735 when the router added 239.10.10.10 in the IGMP membership and when it did not receive a Membership report it removed the entry in its IGMP Membership timestamped 13:56:34.335, thats almost exactly 3 minutes! The command "show ip igmp membership" shows above that in 00:32 secs the multicast group will be removed from the IGMP Membership if it doesn't hear a Membership Report. If there was a real multicast source in this lab, R0 would have been wasting bandwidth for 3 minutes sending multicast traffic out of Fa0/0 with no receivers. IGMP version 1 doesn't have mechanism for hosts to inform the router that they are leaving the group. The host "quietly leaves" the multicast group. This lead to the development of IGMP V2.

Friday, October 30, 2009 | Filed Under , , | 0 Comments

Multicast Studies Loading

Its been a while since I posted something here. I have finished my BGP studies but will get back on that again after I have finished the other topics. Now I am into Multicasting and currently reading the book Developing IP Multicast Networks. The book might be a little old but the author is good at explaning what Multicast is and the other topics. I haven't even finished half of the book and yet the information it shares really helps. I have also setup VMware in my laptop and setup Ubuntu as a Guest Operating System on where I will run a multicast software to send and receive multicast traffic. Installed Wireshark for packet sniffing so I can see what's going on, on a multicast packet. I will post the instructions how I set up the lab I will be using and integrate it with Dynamips/GNS3. I am excited in this study because Multicast is one areas I have little to no experience with. I rarely encounter Multicast in the production networks in my present and previous jobs. This is one of weaknesses but the book I'm reading will greatly help me overcome this weakness.

Wednesday, October 28, 2009 | Filed Under , , | 0 Comments

BGP MED

BGP MED is an optional non-transitive attribute meaning its not propagated throughout the whole internet but just to adjacent AS. The word "optional" means that this is not necessarily by default sent with the BGP updates. The purpose of MED is to influence how other autonomous systems enter your AS to reach a certain prefix. If the other attributes are set to default, MED will be the attribute used for path selection however, if Weight or Local preference is configured on the adjacent AS router, then MED will not be selected. The lower the MED the more preferred the path will be.



Acronym for Multi Exit Discriminator and otherwise known as "Metric" in the BGP table.
The lower the MED the more preferred.
It is an optional non-transitive attribute.
Can dictate how other AS enter your AS.
Configure R4 so that it will advertise a MED value of 30 to R3 and 20 to R2. Afterwards,
tweak the route map to set a MED of 10 for network 144.144.144.144/32 in R4 towards R3. The end
result should have traffic from AS123 to 4.4.4.4/32 and 44.44.44.44/32 take R2 but traffic for
144.144.144.144/32 should take R3. At the start BGP has been established on all routers.


To start lets configure 2 route maps and set the MED as required.


R4(config)#access-list 20 permit any
R4(config)#access-list 30 permit any
R4(config)#route-map R2SETMED20 permit 10
R4(config-route-map)#match ip address 20
R4(config-route-map)#set metric 20
R4(config-route-map)#route-map R3SETMED30 permit 10
R4(config-route-map)#match ip address 30         
R4(config-route-map)#set metric 30


Access-list matches all routes. Now, lets apply the route map to the neighbors.


R4(config-router)#neighbor 24.24.24.2 route-map R2SETMED20 out
R4(config-router)#neighbor 34.34.34.3 route-map R3SETMED30 out

Its in the "out" direction because R4 is the one advertising the routes. Let's check what R2 and R3 see in their BGP table.



R2#sh ip bgp
BGP table version is 31, local router ID is 24.24.24.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
             r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

  Network          Next Hop            Metric LocPrf Weight Path
*> 4.4.4.4/32       24.24.24.4              20             0 4 i
*> 44.44.44.44/32   24.24.24.4              20             0 4 i
*> 144.144.144.144/32
                   24.24.24.4              20             0 4 i

R3#sh ip bgp
BGP table version is 10, local router ID is 34.34.34.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
             r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

  Network          Next Hop            Metric LocPrf Weight Path
*> 4.4.4.4/32       34.34.34.4              30             0 4 i
*> 44.44.44.44/32   34.34.34.4              30             0 4 i
*> 144.144.144.144/32
                   34.34.34.4              30             0 4 i

Ok, its clear that the Metric now is changed to 20 and 30 for R2 and R3 respectively. Let's see how R1 sees the routes.



R1#sh ip bgp
BGP table version is 34, local router ID is 13.13.13.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
             r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

  Network          Next Hop            Metric LocPrf Weight Path
*>i4.4.4.4/32       24.24.24.4              20    100      0 4 i
* i                 34.34.34.4              30    100      0 4 i
*>i44.44.44.44/32   24.24.24.4              20    100      0 4 i
* i                 34.34.34.4              30    100      0 4 i
*>i144.144.144.144/32
                   24.24.24.4              20    100      0 4 i
* i                 34.34.34.4              30    100      0 4 i

R1 sees two paths, but notice that the paths with ">" are with those with lower MED. Therefore it is going to take those paths. Now, lets configure R4 so that the path R1 will take to 144.144.144.144/32 in R4 will be through R3 then clear the BGP session after.



R4(config)#access-list 33 permit 144.144.144.144 0.0.0.0
R4(config)#route-map R3SETMED30 permit 10
R4(config-route-map)#match ip address 33
R4(config-route-map)#set metric 10
R4(config-route-map)#route-map R3SETMED30 permit 20
R4(config-route-map)#match ip address 30
R4(config-route-map)#set metric 30
R4#clear ip bgp *

Now, lets see the outputs.



R2#sh ip bgp | beg Network
  Network          Next Hop            Metric LocPrf Weight Path
*> 4.4.4.4/32       24.24.24.4              20             0 4 i
*> 44.44.44.44/32   24.24.24.4              20             0 4 i
*> 144.144.144.144/32
                   24.24.24.4              20             0 4 i

R3#sh ip bgp | beg Network
  Network          Next Hop            Metric LocPrf Weight Path
*> 4.4.4.4/32       34.34.34.4              30             0 4 i
*> 44.44.44.44/32   34.34.34.4              30             0 4 i
*> 144.144.144.144/32
                    34.34.34.4              10             0 4 i

R1#sh ip bgp | beg Network
  Network          Next Hop            Metric LocPrf Weight Path
* i4.4.4.4/32       34.34.34.4              30    100      0 4 i
*>i                 24.24.24.4              20    100      0 4 i
* i44.44.44.44/32   34.34.34.4              30    100      0 4 i
*>i                 24.24.24.4              20    100      0 4 i
*>i144.144.144.144/32
                    34.34.34.4              10    100      0 4 i
* i                 24.24.24.4              20    100      0 4 i

We can see a change in R3 that shows a MED of 10 for 144.144.144.144/32, while R1 shows the same and will now take R3 to reach the subnet.

Monday, October 19, 2009 | Filed Under , , , | 5 Comments

BGP Local Preference

Local Preference is one of the ways to alter the path taken by one AS to reach another AS. The difference between Local Preference and Weight is that Weight is just locally signifant in the router while Local Preference is what I call "Local AS significant". What I mean by that is that Local Preference is being propagated Intra AS but not outside the AS.


Local preference is to influence your own AS how to get or exit to another AS.
MED is to influence other AS how to enter your AS.
The higher the local preference, the more preferred.

In this lab, local preference will be configured and will be using route map for more flexibility. Check the diagram below for details.
R1, R2 and R3 belongs to AS 123. R4 is in AS4 and is advertising 4.4.4.4/32, 44.44.44.44/32 and 144.144.144.144/32
subnets.We need to set all routes learned from R3 to have local preference value of 300. After which, configure a
route-map that will assign a local preference of 500 in R2 for the network 144.144.144.144/32.

Here are the initial BGP configurations on the routers.


R1#
!
router bgp 123
no synchronization
bgp log-neighbor-changes
neighbor 12.12.12.2 remote-as 123
neighbor 13.13.13.3 remote-as 123
no auto-summary

R2#
!
router bgp 123
no synchronization
bgp log-neighbor-changes
neighbor 12.12.12.1 remote-as 123
neighbor 12.12.12.1 next-hop-self
neighbor 24.24.24.4 remote-as 4
no auto-summary

R3#
!
router bgp 123
no synchronization
bgp log-neighbor-changes
neighbor 13.13.13.1 remote-as 123
neighbor 13.13.13.1 next-hop-self
neighbor 34.34.34.4 remote-as 4
no auto-summary

R4#
!
router bgp 4
no synchronization
bgp log-neighbor-changes
network 4.4.4.4 mask 255.255.255.255
network 44.44.44.44 mask 255.255.255.255
network 144.144.144.144 mask 255.255.255.255
neighbor 24.24.24.2 remote-as 123
neighbor 34.34.34.3 remote-as 123
no auto-summary

Let's see what is the best path taken by R1 to reach the networks advertised by R4.


R1#sh ip bgp

BGP table version is 10, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
             r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

  Network          Next Hop            Metric LocPrf Weight Path
*>i4.4.4.4/32       12.12.12.2               0    100      0 4 i
* i                 13.13.13.3               0    100      0 4 i
*>i44.44.44.44/32   12.12.12.2               0    100      0 4 i
* i                 13.13.13.3               0    100      0 4 i
*>i144.144.144.144/32
                   12.12.12.2               0    100      0 4 i
* i                 13.13.13.3               0    100      0 4 i

R1#sh ip route | beg Gateway


Gateway of last resort is not set

    1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback0
    4.0.0.0/32 is subnetted, 1 subnets
B       4.4.4.4 [200/0] via 12.12.12.2, 00:04:00
    144.144.0.0/32 is subnetted, 1 subnets
B       144.144.144.144 [200/0] via 12.12.12.2, 00:04:00
    12.0.0.0/24 is subnetted, 1 subnets
C       12.12.12.0 is directly connected, Serial1/2
    13.0.0.0/24 is subnetted, 1 subnets
C       13.13.13.0 is directly connected, Serial1/3
    44.0.0.0/32 is subnetted, 1 subnets
B       44.44.44.44 [200/0] via 12.12.12.2, 00:04:00

It's clear that it prefers to take R2 to reach the networks in R4. Let's configure R3 so that all routes received by R3 will have a Local preference of 300


R3#config t
R3(config)#router bgp 123
R3(config-router)#bgp default local-preference 300

R1#sh ip bgp
BGP table version is 13, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
             r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

  Network          Next Hop            Metric LocPrf Weight Path
* i4.4.4.4/32       12.12.12.2               0    100      0 4 i
*>i                 13.13.13.3               0    300      0 4 i
* i44.44.44.44/32   12.12.12.2               0    100      0 4 i
*>i                 13.13.13.3               0    300      0 4 i
* i144.144.144.144/32
                   12.12.12.2               0    100      0 4 i
*>i                 13.13.13.3               0    300      0 4 i

Immediately, even without clearing the BGP process, R3 now became the more preferred path to reach R4. Remember that in Local Preference, the higher the value, the more preferred.

Let's configure in R2 a route-map so the network 144.144.144.144/32 will have a local preference of 500. This will make R2 the best path to reach the mentioned network.


R2(config)#access-list 1 permit host 144.144.144.144
R2(config)#route-map LOCALPREF500 permit 10
R2(config-route-map)#match ip address 1
R2(config-route-map)#set local-preference 500
R2#(config)# router bgp 123
R2(config-router)#neighbor 24.24.24.4 route-map LOCALPREF500 in
R2# clear ip bgp *

R1#sh ip bgp
BGP table version is 14, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
             r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

  Network          Next Hop            Metric LocPrf Weight Path
*>i4.4.4.4/32       13.13.13.3               0    300      0 4 i
*>i44.44.44.44/32   13.13.13.3               0    300      0 4 i
*>i144.144.144.144/32
                   12.12.12.2               0    500      0 4 i
* i                 13.13.13.3               0    300      0 4 i

Firstly, why is that the route-map has an "in" direction. It's because we are receiving the route from another router, R2 is not the one advertising. You can see now that path to 144.144.144.144/32 will have R2 as the next hop. If you noticed also, why is that for 4.4.4.4/32 and 44.44.44.44/32, there is no other path except through 13.13.13.3. Check the route-map above and you'll find the answer. There is no succedding line after line 10, which means, it will block out the subnets and not advertised it to R1.

Let's configure the 20th sequence of the route-map.


R2(config)#route-map LOCALPREF500 permit 20

Let's see now if there are changes.


R1#sh ip bgp
BGP table version is 16, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
             r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

  Network          Next Hop            Metric LocPrf Weight Path
* i4.4.4.4/32       12.12.12.2               0    100      0 4 i
*>i                 13.13.13.3               0    300      0 4 i
* i44.44.44.44/32   12.12.12.2               0    100      0 4 i
*>i                 13.13.13.3               0    300      0 4 i
*>i144.144.144.144/32
                   12.12.12.2               0    500      0 4 i
* i                 13.13.13.3               0    300      0 4 i

That's it for local preference. Hopefully I can finish the BGP topics soon. :)

Wednesday, September 23, 2009 | Filed Under , , , | 11 Comments

HSRP Route Tracking

I have been accustomed to tracking the WAN interface to determine the HSRP priority. However, there are more ways to use tracking in HSRP and one of those is to track a certain prefix in the routing table. This works by checking a specific route configured in "track" if it is still in the routing table. If not, it will decrease the priority according the configured decrement.


R1 and R2 are in one site. R1 is the Active HSRP route while R2 is the standby. R1 and R2 should
not be OSPF neighbors. Traffic should go to R2 once a route to 3.3.3.3/32 is lost in R1.
This is not the best way to track this scenario but just for example sake. Excuse the IP addressing scheme as well because I find it easier to know which ip is from which router just by number in the last octet. (e.g. .1 is in R1, .2 is in R2 and .3 is in R3)

The pre-configuration of the routers is found below.


R1#
interface FastEthernet0/0
ip address 10.10.20.1 255.255.255.0
duplex half
standby 1 ip 10.10.20.10
standby 1 preempt
!
interface Serial1/0
ip address 10.10.13.1 255.255.255.0
serial restart-delay 0
no fair-queue
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router ospf 1
log-adjacency-changes
passive-interface FastEthernet0/0
network 10.10.13.0 0.0.0.255 area 0
network 10.10.20.0 0.0.0.255 area 0

R2#
interface FastEthernet0/0
ip address 10.10.20.2 255.255.255.0
duplex half
standby 1 ip 10.10.20.10
standby 1 priority 91
standby 1 preempt
!
interface Serial1/0
ip address 10.10.23.2 255.255.255.0
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router ospf 1
log-adjacency-changes
passive-interface FastEthernet0/0
network 10.10.20.0 0.0.0.255 area 0
network 10.10.23.0 0.0.0.255 area 0

R3#
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface Serial1/0
ip address 10.10.13.3 255.255.255.0
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
ip address 10.10.23.3 255.255.255.0
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router ospf 1
log-adjacency-changes
network 3.3.3.3 0.0.0.0 area 0
network 10.10.13.0 0.0.0.255 area 0
network 10.10.23.0 0.0.0.255 area 0


Let's configure tracking and apply it on the HSRP group of 1.

R1(config)#track 1 ip route 3.3.3.3 255.255.255.255 reachability
R1(config-track)#int fa0/0
R1(config-if)#standby 1 track 1 decrement 11

Ok, lets see how a "show track" output looks like.

R1#sh track 1
Track 1
IP route 3.3.3.3 255.255.255.255 reachability
Reachability is Up (OSPF)
1 change, last change 00:01:22
First-hop interface is Serial1/0
Tracked by:
HSRP FastEthernet0/0 1

Notice that tracking knows what routing protocol the route is learned from. It also shows how long its up, which interface and what HSRP group is using. Pretty neat huh? :) Let's remove the announcement of 3.3.3.3/32 in R3 to simulate lost of entry in the routing table.


R3(config-router)#no network 3.3.3.3 0.0.0.0 area 0

Let's see how R1 reacts to that.


R1#
*Sep  4 16:57:37.679: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on Serial1/0 from FULL to DOWN, Neighbor Down: Dead timer expired
*Sep  4 16:57:53.679: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Active -> Speak
*Sep  4 16:58:03.675: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Speak -> Standby
*Sep  4 16:58:08.747: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on Serial1/0 from LOADING to FULL, Loading Done
*Sep  4 16:58:23.691: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Active
*Sep  4 16:58:38.831: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Active -> Speak
*Sep  4 16:58:48.831: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Speak -> Standby

R1#sh standby br
            P indicates configured to preempt.
            |
Interface   Grp Prio P State    Active          Standby         Virtual IP
Fa0/0       1   89   P Standby  10.10.20.2      local           10.10.20.10

R1#sh track 1
Track 1
IP route 3.3.3.3 255.255.255.255 reachability
Reachability is Down (no route)
4 changes, last change 00:00:56
First-hop interface is unknown
Tracked by:
HSRP FastEthernet0/0 1

Ok, as we can see, once OSPF detected that the network isn't anymore reachable, HSRP reacted as well by decrementing the priority by 11 as per configured. The priority is now 89, 11 less than the default HSRP priority of 100. "show track" also indicated that there is no more route going to 3.3.3.3. I would just like to point out here that if the command "standby 1 preempt" was not configured in R2, it would not assume the Active state and R1 will still remain the Active HSRP router. Preempt feature will make HSRP renegotiate.

Let's advertise again the route and see the changes.


R3(config)#router ospf 1
R3(config-router)#network 3.3.3.3 0.0.0.0 area 0

R1#sh standby br
                  P indicates configured to preempt.
                  |
Interface   Grp Prio P State    Active          Standby         Virtual IP 
Fa0/0       1   100  P Active   local           10.10.20.2      10.10.20.10

As expected R1 will reassume the HSRP Active state because the route is now found in the routing table. :)

Friday, September 04, 2009 | Filed Under , , , | 0 Comments

IP SLA with HSRP

My friend recently had an implementation involving an EoSDH connection from one site to another involving 2 routers. LAN side of Site 1 requires HSRP to be running and it needs to track the EoSDH connection so the Active HSRP will shift to R2 incase of primary link failure. The problem is most EoSDH connection like his implementation has no way of detecting Layer 1 and Layer 2 failures upstream because there are switches installed in the customer premise and even within the ISP EoSDH connection. Houston we have a problem! :)

As a solution he can have a transit connection between R1 and R2 and run OSPF but configure the routes received from R2 to have a higher admin distance than the OSPF which has 110. He could also use IP SLA feature to detect failures and track it in the HSRP group so that any breaches on the configured IP SLA will make HSRP decrement priority. The diagram is shown below similar to most setups.


Cisco IOS IP SLAs is a feature included in the Cisco IOS Software that can allow administrators the ability to
Analyze IP Service Levels for IP applications and services.IP SLA's uses active traffic-monitoring technology to
monitor continuous traffic on the network. This is a reliable method in measuring over head network performance.
Cisco Routers provide IP SLA Responders that give accuracy of measured data across a network.
-Wikipedia- 


In our diagram, the requirement is to run HSRP on the LAN and connect the primary router R1
and backup router, R2 to Site 2 which has R3. Connections to R1 -R3 and R2 - R3 should be in
different subnets. Imagine the network after SW1 towards R3 will be on the ISP side and could
have several switches towards R3. R1 is the Active HSRP router and R2 is the Standby.


The challenge here is how to track the EoSDH link which is like a FastEthernet/ GigabitEthernet network run across the
WAN. Tracking the interface of R1 or R2 connected to the switch won't do any good in HSRP because, even if there is
an upstream failure, that connection will still remain up. HSRP only decrements priority once it detects the router's interface
down. The solution to this problem is to configure IP SLA.

Before we proceed the routers' initial configs are shown below.



R1#
interface FastEthernet0/0
ip address 10.10.20.1 255.255.255.0
duplex full
!
interface FastEthernet1/0
ip address 192.168.100.10 255.255.255.0
duplex full
speed auto
standby 12 ip 192.168.100.1
standby 12 preempt
!
router ospf 1
log-adjacency-changes
passive-interface FastEthernet1/0
network 10.10.20.0 0.0.0.255 area 0
network 192.168.100.0 0.0.0.255 area 0

R2#
!
interface FastEthernet0/0
ip address 10.10.30.2 255.255.255.0
duplex full
!
interface FastEthernet1/0
ip address 192.168.100.20 255.255.255.0
duplex full
speed auto
standby 12 ip 192.168.100.1
standby 12 priority 91
!      
router ospf 1
log-adjacency-changes
passive-interface FastEthernet1/0
network 10.10.30.0 0.0.0.255 area 0
network 192.168.100.0 0.0.0.255 area 0

R3#
!
interface Loopback0
ip address 192.168.33.33 255.255.255.255
!
interface FastEthernet0/0
ip address 10.10.20.3 255.255.255.0
duplex full
!
interface FastEthernet1/0
ip address 10.10.30.3 255.255.255.0
duplex full
speed auto
!
router ospf 1
log-adjacency-changes
network 10.10.20.0 0.0.0.255 area 0
network 10.10.30.0 0.0.0.255 area 0
network 192.168.33.33 0.0.0.0 area 0
distance 254 10.10.30.2 0.0.0.0

Now, lets configure and SLA that constantly pings the Loopback address of R3 from R1. We will set the frequency of 10 , timeout and threshold of 2000.


R1(config)#ip sla monitor 1
R1(config-sla-monitor)#type echo protocol ipIcmpEcho 192.168.33.33
R1(config-sla-monitor-echo)#timeout 2000
R1(config-sla-monitor-echo)#threshold 2000
R1(config-sla-monitor-echo)#frequency 10

The frequency means it will do a ping in every 10 seconds to check if the configured netework is still reachable. The timeout and threshold values will determine if there is a "breach" in the configured SLA. Now let's start the SLA now and let it continue "forever" as long as the router is alive. You can also set other parameters like what time of the day this will start and what time it will end.


R1(config)#ip sla monitor schedule 1 start-time now life forever

Let's do a "debug ip icmp" and see if it is really doing its job now.


R1#debug ip icmp
ICMP packet debugging is on
R1#
*Sep  2 10:57:31.507: ICMP: echo reply rcvd, src 192.168.33.33, dst 10.10.20.1
*Sep  2 10:57:41.523: ICMP: echo reply rcvd, src 192.168.33.33, dst 10.10.20.1
*Sep  2 10:57:51.523: ICMP: echo reply rcvd, src 192.168.33.33, dst 10.10.20.1
*Sep  2 10:58:01.547: ICMP: echo reply rcvd, src 192.168.33.33, dst 10.10.20.1

Ok, its clear its receiving replies every 10 seconds. We are not done yet, we have to configure this to be tracked by HSRP.


R1(config)#track 1 rtr 1 reachability
R1(config-track)#int fa1/0
R1(config-if)#standby 12 track 1 decrement 11

The command "track 1 rtr 1" means that the IP SLA 1 is marked as tracked number 1. It doesn't matter what track number you use. Now, the HSRP config means that if the SLA is "breached" decrement by 11. First let's see the statistics of the configured IP SLA.


R1#sh ip sla monitor statistics 1
Round trip time (RTT)   Index 1
Latest RTT: 28 ms
Latest operation start time: *11:04:01.523 UTC Wed Sep 2 2009
Latest operation return code: OK
Number of successes: 42
Number of failures: 0
Operation time to live: Forever

I will shut down the connection from R1 to R3. The threshold and timeout are set to 2000 but if there isn't a reply its also a breach. Let's check what happens to the HSRP.


R1#sh standby br
         P indicates configured to preempt.
         |
Interface   Grp Prio P State    Active          Standby         Virtual IP
Fa1/0       12  89   P Standby  192.168.100.20  local           192.168.100.1

When the router is able to ping again the loopback of R3. The HSRP state will become active again.

Wednesday, September 02, 2009 | Filed Under , , , | 6 Comments

BGP Weight Attribute

The BGP Weight attribute is a Cisco Proprietary attribute that influences a router how to reach a certain prefix. The difference between Local Preference and Weight is that the former is propagated within an AS and the latter is router locally significant. Weight can be used if there is one router connected to two or more AS's or just to just one with two or more eBGP peers. Now, lets configure weight and later use a route-map for more complex use of weight.


Weight is a Cisco Proprietary attribute for BGP that is "locally significant."
Local Preference is a Well-known Discretionary attribute, Weight doesn't belong to any category.
Default Weight for locally originated routes is 32768.Zero is the default for other routes.
Weight is not propagated to other routers within the AS.



All routers have BGP established and within its own AS.R4 is announcing 4 prefixes and the condition is
for R1 to reach routes 4.4.4.4/32, 44.44.4.44/32 and 144.144.144.144/32, it must take AS2. Then later
configure a route-map to so that R1 with take AS 3 to reach 144.144.144.144/32.

Lets see how R1 reaches the prefixes announced by R4.


R1#sh ip bgp
BGP table version is 12, local router ID is 13.13.13.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*  4.4.4.4/32       12.12.12.2                             0 2 4 i
*>                  13.13.13.3                             0 3 4 i
*  44.44.44.44/32   12.12.12.2                             0 2 4 i
*>                  13.13.13.3                             0 3 4 i
*  144.144.144.144/32
                    12.12.12.2                             0 2 4 i
*>                  13.13.13.3                             0 3 4 i

Ok, it takes AS3 to reach the prefixes. Now, lets configure Weight to make AS2 the more preferred path to reach the prefixes.


R1(config)#router bgp 1
R1(config-router)#neighbor 12.12.12.2 weight 100
R1(config-router)#do clear ip bgp * soft

Now let's see if that changes after clearing the BGP session "softly".


R1#sh ip bgp
BGP table version is 15, local router ID is 13.13.13.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
  r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network          Next Hop            Metric LocPrf Weight Path
*> 4.4.4.4/32       12.12.12.2                           100 2 4 i
*                   13.13.13.3                             0 3 4 i
*> 44.44.44.44/32   12.12.12.2                           100 2 4 i
*                   13.13.13.3                             0 3 4 i
*> 144.144.144.144/32
        12.12.12.2                           100 2 4 i
*                   13.13.13.3                             0 3 4 i

It's now taking AS 2. Let's configure a route-map so R1 will take AS3 to reach 144.144.144.144/32. The weight should be 200. We will apply the route-map towards neighbor 13.13.13.3.


R1(config)#access-list 1 permit host 144.144.144.144
R1(config)#route-map TAKE_AS3 permit 10
R1(config-route-map)#match address 1
R1(config-route-map)#set weight 200
R1(config-router)#neighbor 13.13.13.3 route-map TAKE_AS3 in
R1(config-router)# do clear ip bgp * soft

The ACL is to filter which routes be given a weight of 200. The reason the route-map was configured inbound direction because we are receiving the routes from that neighbor. Let's see what happens to the BGP table.


R1#sh ip bgp
BGP table version is 16, local router ID is 13.13.13.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 4.4.4.4/32       12.12.12.2                           100 2 4 i
*> 44.44.44.44/32   12.12.12.2                           100 2 4 i
*  144.144.144.144/32
                    12.12.12.2                           100 2 4 i
*>                  13.13.13.3                           200 3 4 i

Now, R1 will take AS3 to reach 144.144.144.144/32. Notice that the weight now is 200, and its more prefered.

Thursday, August 20, 2009 | Filed Under , , | 3 Comments

EBGP Multihop

Configuring iBGP doesn't require the neighbor address to be directly connected. The best practice for iBGP is to use the loopback address as the ip address configured on the BGP neighbor statement. Loopback interfaces never go down so provided that there is an alternate route to the loopback ip address through an IGP, BGP session will not be torn down.

Using loopback addresses for eBGP is also a good practice if there are multiple links between two routers on different autonomous system as shown on the example diagram below. This will also achieve load balancing.


The initial configuration for this lab is shown below.


R1#
!
interface Serial1/0
ip address 10.10.10.1 255.255.255.0
serial restart-delay 0
end
!
interface Serial1/1
ip address 10.10.20.1 255.255.255.0
serial restart-delay 0
end
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
router bgp 1
no synchronization
bgp log-neighbor-changes
neighbor 2.2.2.2 remote-as 2
no auto-summary
!
ip route 2.2.2.2 255.255.255.255 10.10.10.2
ip route 2.2.2.2 255.255.255.255 10.10.20.2

R2#
!
interface Serial1/0
ip address 10.10.10.2 255.255.255.0
serial restart-delay 0
end
!
interface Serial1/1
ip address 10.10.20.2 255.255.255.0
serial restart-delay 0
end
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
router bgp 2
no synchronization
bgp log-neighbor-changes
neighbor 1.1.1.1 remote-as 1
no auto-summary
!
ip route 1.1.1.1 255.255.255.255 10.10.10.1
ip route 1.1.1.1 255.255.255.255 10.10.20.1

Notice that in both routers we put 2 static routes to achieve load balancing. Currently the BGP session is not established eventhough both loopbacks are reachable. Now, lets configure "ebgp-multihop" on both routers and see if this will make the BGP session establish.


The purpose of "ebgp-multihop" is to connect to eBGP neighbors that are not directly connected.
As we know, BGP expects eBGP peers to be directly connected but this command will make
neighborship possible even though they are not directly connected.

Now let's configure the routers.


R1(config)#router bgp 1
R1(config-router)#neighbor 2.2.2.2 ebgp-multihop 2

R2(config)#router bgp 2
R2(config-router)#neighbor 1.1.1.1 ebgp-multihop 2

R1#sh ip bgp sum
BGP router identifier 1.1.1.1, local AS number 1
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
2.2.2.2         4     2       0       0        0    0    0 never    Active

The BGP session is not established even though we configured the "ebgp-multihop" command. Before we find out why, lets first discuss the "ebgp-multihop" command. The default value of this command if we don't put anything will be 255. We put a value of 2 because it will take 2 hops to reach 2.2.2.2 from 1.1.1.1 as they are not directly connected. Provided all the requirements are met except the hop count value, if the hop count value is lesser than what it should be, the eBGP neighborship will not be established.

Going back to why its not established, its because by default for BGP to establish the TCP session it will use the outgoing interface ip address as the source. The other router will reject the incoming TCP SYN packets because it doesn't recognize the source IP address as a configured neighbor. In our case, it will source the TCP session using the two physical interfaces ip addresses.


The BGP session updates should be sourced from the IP address that the the neighbor
configured for eBGP Multihop to work. The command "neighbor ip_address update-source
Loopback0" in our example is needed.

Now lets configure, the update-source command sourcing all BGP negiotiations and updates from Loopback0 which are the ip addresses configured on our neighbor statements.


R1(config)#router bgp 1
R1(config-router)#neighbor 2.2.2.2 update-source Loopback0

R2(config)#router bgp 2
R2(config-router)#neighbor 1.1.1.1 update-source Loopback0

R1#sh ip bgp su
*Aug 13 14:41:43.175: %SYS-5-CONFIG_I: Configured from console by consolem
BGP router identifier 1.1.1.1, local AS number 1
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
2.2.2.2         4     2      11      11        1    0    0 00:00:47        0

R2#sh ip bgp sum
*Aug 13 14:41:38.099: %SYS-5-CONFIG_I: Configured from console by console
BGP router identifier 2.2.2.2, local AS number 2
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
1.1.1.1         4     1      11      11        1    0    0 00:00:42        0

BGP session now established. We can see in CEF that this is load balanced.


R1#sh ip cef 2.2.2.2
2.2.2.2/32, version 27, epoch 0, per-destination sharing
0 packets, 0 bytes
via 10.10.20.2, 0 dependencies, recursive
traffic share 1
next hop 10.10.20.2, Serial1/1 via 10.10.20.0/24
valid adjacency
via 10.10.10.2, 0 dependencies, recursive
traffic share 1
next hop 10.10.10.2, Serial1/0 via 10.10.10.0/24
valid adjacency
0 packets, 0 bytes switched through the prefix
tmstats: external 0 packets, 0 bytes
internal 0 packets, 0 bytes

Now, BGP session is established. Let's try shutting down one link and see if the session is still established.


R2(config)#int se1/0
R2(config-if)#shut
R2(config-if)#^Z
R2#sh ihp b
*Aug 13 14:42:38.871: %SYS-5-CONFIG_I: Configured from console by console
*Aug 13 14:42:39.095: %LINK-5-CHANGED: Interface Serial1/0, changed state to administrativ
*Aug 13 14:42:39.095: %ENTITY_ALARM-6-INFO: ASSERT INFO Se1/0 Physical Port Administrative State Down
*Aug 13 14:42:40.095: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to down
R2#sh ip bgp sum
BGP router identifier 2.2.2.2, local AS number 2
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
1.1.1.1         4     1      12      12        1    0    0 00:01:45        0

BGP session still established. Thats all about EBGP Multihop feature.:)

Thursday, August 13, 2009 | Filed Under , , | 7 Comments

BGP Confederation

This is feature is used to split an autonomous system into smaller autonomous systems or the reverse which is to combine several autonomous systems into one. Reasons of splitting might be IGP's like OSPF might not be able to handle the routes of a really big enterprise so splitting the AS into smaller will help OSPF scale better, or perhaps the enterprise wants to have separate administrative control per region and wants to control the routing policies on their specific regions. This could also be used if there are company mergers and they want to appear as one AS to other EBGP peers. One thing that intrigues me though is that one of the materials I was using mentioned that this could also be a work around for the BGP Split Horizon Rule. I really doubt that Confederations can be a work around for that. I'll find out for sure in this lab.

The diagram below shows 5 Routers with each its own AS number. The goal here to group these routers into one confederation and make them appear as AS1234 to R5 in AS5.


Below are the configurations I have placed on the routers.


R1#sh run | section router bgp
router bgp 1
no synchronization
bgp log-neighbor-changes
network 1.1.1.1 mask 255.255.255.255
neighbor 2.2.2.2 remote-as 2
neighbor 2.2.2.2 ebgp-multihop 2
neighbor 2.2.2.2 update-source Loopback0
neighbor 3.3.3.3 remote-as 3
neighbor 3.3.3.3 ebgp-multihop 2
neighbor 3.3.3.3 update-source Loopback0
no auto-summary

R2#sh run | section router bgp
router bgp 2
no synchronization
bgp log-neighbor-changes
neighbor 1.1.1.1 remote-as 1
neighbor 1.1.1.1 ebgp-multihop 2
neighbor 1.1.1.1 update-source Loopback0
neighbor 4.4.4.4 remote-as 4
neighbor 4.4.4.4 ebgp-multihop 2
neighbor 4.4.4.4 update-source Loopback0
no auto-summary

R3#sh run | section router bgp
router bgp 3
no synchronization
bgp log-neighbor-changes
neighbor 1.1.1.1 remote-as 1
neighbor 1.1.1.1 ebgp-multihop 2
neighbor 1.1.1.1 update-source Loopback0
neighbor 4.4.4.4 remote-as 4
neighbor 4.4.4.4 ebgp-multihop 2
neighbor 4.4.4.4 update-source Loopback0
no auto-summary

R4#sh run | section router bgp
router bgp 4
no synchronization
bgp log-neighbor-changes
neighbor 2.2.2.2 remote-as 2
neighbor 2.2.2.2 ebgp-multihop 2
neighbor 2.2.2.2 update-source Loopback0
neighbor 3.3.3.3 remote-as 3
neighbor 3.3.3.3 ebgp-multihop 2
neighbor 3.3.3.3 update-source Loopback0
neighbor 5.5.5.5 remote-as 5
neighbor 5.5.5.5 ebgp-multihop 2
neighbor 5.5.5.5 update-source Loopback0
no auto-summary

R5#sh run | section router bgp
router bgp 5
no synchronization
bgp log-neighbor-changes
neighbor 4.4.4.4 remote-as 4
neighbor 4.4.4.4 ebgp-multihop 2
neighbor 4.4.4.4 update-source Loopback0
no auto-summary

I have configured static routes for reachability. Notice as well that I am using EBGP-multihop feature for EBGP neighbors. I have configured Loopback10 11.11.11.11/32 in R1 and lets see how R2,R3,R4 and R5 see this prefix.


R2# sh ip bgp | beg Network
Network          Next Hop            Metric LocPrf Weight Path
*> 11.11.11.11/32   1.1.1.1                  0             0 1 i

R3#sh ip bgp | beg Network
Network          Next Hop            Metric LocPrf Weight Path
*  11.11.11.11/32   4.4.4.4                                0 4 2 1 i
*>                  1.1.1.1                  0             0 1 i

R4#sh ip bgp | beg Network
Network          Next Hop            Metric LocPrf Weight Path
*  11.11.11.11/32   3.3.3.3                                0 3 1 i
*>                  2.2.2.2                                0 2 1 i

R5#sh ip bgp | beg Network
Network          Next Hop            Metric LocPrf Weight Path
*> 11.11.11.11/32   4.4.4.4                                0 4 2 1 i

All of them is seeing this prefix sourcing from an EBGP. Now let's configure R1, R2, R3 and R4 as one confederation and let's see how the BGP table looks like after that. To configure BGP confederations, what are needed is the confederation ID and the peer ASes belonging to that confederation.


R1(config)#router bgp 1
R1(config-router)#bgp confederation identifier 1234
R1(config-router)#bgp confederation peers 2 3 4

R2(config)#router bgp 2
R2(config-router)#bgp confederation identifier 1234
R2(config-router)#bgp confederation peers 1 3 4

R3(config)#router bgp 3
R3(config-router)#bgp confederation identifier 1234
R3(config-router)#bgp confederation peers 1 2 4

R4(config)#router bgp 4
R4(config-router)#bgp confederation identifier 1234
R4(config-router)#bgp confederation peers 1 2 3
R4(config-router)#bgp confederation peers 4
4 Local member-AS not allowed in confed peer list
4 Local member-AS not allowed in confed peer list

As you noticed, you are not allowed to configure your own AS on the "bgp confederation peer command". Ok now let's check how R2,R3,R4 and R5 sees this prefix.


R2#sh ip bgp | beg Network
Network          Next Hop            Metric LocPrf Weight Path
*> 11.11.11.11/32   1.1.1.1                  0    100      0 (1) i

R3#sh ip bgp | beg Network
Network          Next Hop            Metric LocPrf Weight Path
*> 11.11.11.11/32   1.1.1.1                  0    100      0 (1) i

R4#sh ip bgp | beg Network
Network          Next Hop            Metric LocPrf Weight Path
*  11.11.11.11/32   1.1.1.1                  0    100      0 (3 1) i
*                   1.1.1.1                  0    100      0 (2 1) i

R5#sh ip bgp

It's clear that its now behaving like they are in one AS. In R4, you can see that it enclosed the AS path in parenthesis, which means AS is using BGP confederation. I have not configured any route reflector here but R4 is still learning the prefix as advertised by R2 and R3. Therefore in some way it circumvents the BGP Split Horizon rule. In a confederation, it may appear like its one AS but it functions how the peering is configured whether its IBGP or EBGP. Going back, R5 is not seeing anything. You know why? It's because R4 doesn't know how to get to 1.1.1.1 inorder to reach 11.11.11.11/32. It won't advertise anything to R5 until it knows how to get to the destination. Let's configure a static route.


R4(config)#ip route 1.1.1.1 255.255.255.255 24.24.24.2
R4(config)#ip route 1.1.1.1 255.255.255.255 34.34.34.3

Then let's see if R4 now sees the best path to 11.11.11.11 in its BGP table.


R4#sh ip bgp | beg Network
Network          Next Hop            Metric LocPrf Weight Path
*> 11.11.11.11/32   1.1.1.1                  0    100      0 (2 1) i

EBGP peering between R4 and R5 is still there but R5 is still using 4 as the remote-as of R4. It may learn the prefix even though the remote-as number for 4.4.4.4 hasn't been changed, however if the link goes down or the BGP session is cleared, BGP will generate now an error that neighbor in wrong AS. Let's change that config to 1234 and check if R5 now sees 11.11.11.11/32.


R5(config)#router bgp 5
R5(config-router)#neighbor 4.4.4.4 remote 1234
R5(config-router)#neighbor 4.4.4.4 update-source Lo0
*Aug  6 16:09:00.259: %BGP-5-ADJCHANGE: neighbor 4.4.4.4 Down Remote AS changed.4.4.4
*Aug  6 16:09:02.567: %BGP-5-ADJCHANGE: neighbor 4.4.4.4 Up  update lo0
R5(config-router)#neighbor 4.4.4.4 ebgp 2

R5#sh ip bgp | beg Network
Network          Next Hop            Metric LocPrf Weight Path
*> 11.11.11.11/32   4.4.4.4                                0 1234 i

The AS path to get to 11.11.11.11/32 is now only 1234 and R5 is now seeing the groups of AS as one AS. Well that's all about it regarding Confederations.

Thursday, August 06, 2009 | Filed Under , , | 5 Comments

BGP Maximum-Prefix

BGP handles over 100,000 routes in the internet and it is doing a very good job in doing so. I tried doing the "show ip bgp" command on our internet router with a Public AS and takes quite a long time to show all the prefixes. I have to hit the space bar a lot of times. You can imagine how much CPU this number of routes will take on the router.

I have read an article that a few months ago, there was one ISP that advertised the whole internet routing table and originated all the routes. A mistake will most likely affect the routers in the internet, or could take the internet down if there are no counter measures done. One more possible thing I can imagine that might happen is that private ip addresses from a customer might be advertised out to the internet if the ISP failed to filter the private address. ( I dunno if this happened before)

Limiting the number of prefixes received from a BGP neighbor is one of the best ways to make sure these mistakes never affect the whole internet. The best practice is to check the number of prefixes received from a neighbor and then give a little allowance on the number of prefixes allowed. R1 on the diagram below is announcing prefixes to R2, let's see what happens if these prefixes reach the limit and what happens if it exceeds the limit.


Let's see how many prefixes R2 learns from R1.


R2#sh ip bgp summary
BGP router identifier 10.10.10.2, local AS number 234
BGP table version is 101, main routing table version 101
100 network entries using 11700 bytes of memory
100 path entries using 5200 bytes of memory
2/1 BGP path/bestpath attribute entries using 248 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 17172 total bytes of memory
BGP activity 100/0 prefixes, 100/0 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.10.10.1      4   123      13      12      101    0    0 00:06:03      100

It's learning 100 prefixes from R1. Now lets configure BGP so that R2 will only allow 101 routes from R1. The command we will use is "neighbor neighboraddress maximum-prefix number ".


R2(config)#router bgp 234
R2(config-router)#neighbor 10.10.10.1 remote-as 123
R2(config-router)#neighbor 10.10.10.1 maximum-prefix 101

Let's advertise one route to BGP in R1. I will configure as well a static route pointing to Null0, to make sure the new route will be advertised. I didn't configure any loopback addresses on R1.


R1(config)#router bgp 123
R1(config-router)#network 1.1.1.101 mask 255.255.255.255
R1(config-router)#ip route 1.1.1.101 255.255.255.255 Null0

Let's see how R2 reacted to this configuration.


R2#
*Aug  5 13:08:58.959: %BGP-4-MAXPFX: No. of prefix received from 10.10.10.1 (afi 0) reaches 101, max 101

Oh, it reacted by generating a log message that the number of prefixes learned from R1 has reached its maximum. Lets add one more route in R1 and see what happens.


R1(config)#router bgp 123
R1(config-router)#network 1.1.1.102 mask 255.255.255.255
R1(config-router)#ip route 1.1.1.102 255.255.255.255 Null0

Let's check R1 and R2 syslog messages.


R1#
*Aug  5 13:11:16.415: %BGP-3-NOTIFICATION: received from neighbor 10.10.10.2 3/1 (update malformed) 0 bytes
*Aug  5 13:11:16.415: %BGP-5-ADJCHANGE: neighbor 10.10.10.2 Down BGP Notification received

R2#
*Aug  5 13:11:20.199: %BGP-3-MAXPFXEXCEED: No. of prefix received from 10.10.10.1 (afi 0): 102 exceed limit 101
*Aug  5 13:11:20.199: %BGP-5-ADJCHANGE: neighbor 10.10.10.1 Down BGP Notification sent
*Aug  5 13:11:20.199: %BGP-3-NOTIFICATION: sent to neighbor 10.10.10.1 3/1 (update malformed) 0 bytes  FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 0035 0200 0000 1940 0101 0040 0204 0201 007B 4003 040A 0A0A 0180 0404 0000 0000 2001 0101 66

This time it gave also a notification in R2 and also generated a hexadecimal code. ( I have yet to review what this means :)) Right then and there, when it exceeded the limit R2 dropped the peering to R1. Let's see what the BGP table summary looks like after the violation.


R2#sh ip bgp sum
BGP router identifier 10.10.10.2, local AS number 234
BGP table version is 203, main routing table version 203

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.10.10.1      4   123      21      19        0    0    0 00:04:26 Idle (PfxCt)

The state is in Idle and included a description (PfxCt) which means the neighbor exceeded the prefix limit set. The peering will only be established once the prefixes goes below the threshold set and "clear ip bgp *" needs to be issued to renegotiate the connection. Again, this command is very useful to protect your own AS from over flooding of prefixes and protect other ASes as well.

Wednesday, August 05, 2009 | Filed Under , , | 4 Comments

Certifications

Certifications

The Dreamer

A fun loving person who enjoys learning new things. Currently working as a Network Engineer supporting the global network of a Fortune 500 company. This blog serves as my notes for the labs I created for my CCIE journey. I can guarantee there are errors in my posts. If you spot them, please let me know.

Join my Facebook Page I WANT TO BE A CCIE

Donate to the Cause

My aim is to create materials for free and possibly a free lab. If you wish to help out, please send any amount. Thanks.

Join my Bandwagon

Blogs that I Read