BGP Lab Exercise 1
------------------

1. Remove OSPF from your router and shut down your serial links. We will only be using the Ethernet link for this exercise. OSPF can be removed by doing "no router ospf ".

2. Confirm that you are no longer receiving OSPF routes by doing a "show ip route".

3. Figure out your AS number from the diagram and write it down here:

    AS:

4. Verify the IP address block used for your PC link. Your group was assigned an address block. You need to sub-divide it, using part of it for the LAN with your PC, and part of it for point to point links between routers.

    Aggregate address block:                 Mask:
    More-specific block used for LAN:

5. We will set up peering sessions according to the map. Decide which IP addresses you are going to use for your Point-to-Point links with your neighbouring peer.

    More-specific block used for point to point link:

6. Configure BGP on your router to announce your network.

    RouterA#config term
    Enter configuration commands, one per line. End with CNTL/Z.
    RouterA(config)#ip bgp-community new-format
    RouterA(config)#router bgp 1    // use your AS number
    RouterA(config-router)#network 196.200.220.16 mask 255.255.255.240    // use your network and mask
    RouterA(config-router)#no synchronization
    RouterA(config-router)#no auto-summary

BGP is now configured on your router, but not yet talking to any other routers.

7. Set up a peering session with your upstream neighbor:

    RouterA(config)#router bgp 1    // use your AS number
    RouterA(config-router)#neighbor 196.200.220.12 remote-as 100    // use the IP address and AS number of your neighbor
    RouterA(config-router)#neighbor 196.200.220.12 descr My-Peer-with-AS100

8. Check to see if the peering session is up:

    RouterA#show ip bgp summary
    BGP router identifier 196.200.220.12, local AS number 1
    BGP table version is 3, main routing table version 3

    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    196.200.220.12  4     1       0       0        0    0    0 never    Idle

9. Check to see if you are sending routes to your neighbor?
Why or why not?

    RouterA#sh ip bgp neighbor x.x.x.x advertised-routes

10. Check to see if you are receiving routes from your neighbor.

    RouterA#show ip bgp

What routes are you receiving?

Other commands to monitor BGP:

    RouterA#sh ip route
    RouterA#sh ip bgp
    RouterA#sh ip bgp neighbor
    RouterA#sh ip bgp neighbor x.x.x.x routes


BGP Lab Exercise 2
------------------

11. Building on the previous exercise, we are now going to connect to a neighbouring ISP in our locality. For the lab, you will connect to the Router Team directly opposite you. For example, Router A will connect to Router B. Use the Serial interface and the supplied serial cable to do this.

12. Agree between you and your neighbouring AS whose address block you will take IP addresses from for the point to point link.

    Address Block for the Point to Point Link:

13. Write down the AS number of the network you are connecting to:

    AS Number:

14. As in step 7 above, configure eBGP with this AS.

15. Check the BGP process using "sh ip bgp" to see what prefixes you are receiving from your neighbouring AS.

16. What routes do you see? What paths are available?


BGP Lab Exercise 3
------------------

17. We are now at the stage where we are talking BGP with our upstream ISP and BGP with the neighbouring ISP in our locality. But we have no filters, as you saw in step 16. We are now going to fix this.

18. This exercise will apply AS Path filters to the BGP sessions. These will ensure that we only announce our prefixes to our neighbours. Create an AS Path filter which permits only prefixes originated by your peer AS to enter your network:

    RouterA(config)#ip as-path access-list 1 permit ^2$    ! permit prefixes originated by AS2

19. Enable soft reconfiguration for the BGP session. This is only so that we can analyse the effect of applying the filter on our BGP session later on in this exercise.
The use of soft reconfiguration in general ISP operations is not recommended apart from during session debugging (as it requires extra memory).

    RouterA(config)#router bgp 1
    RouterA(config-router)#neighbor 196.200.220.xx soft-reconfiguration in

20. Now apply this filter to the eBGP session you have with your peer AS.

    RouterA(config-router)#neighbor 196.200.220.xx filter-list 1 in    ! apply as-path filter 1 inbound

21. Now that you have applied the policy, you need to tell the BGP session to refresh the prefixes it has received from the neighbour. To do this, we use the route refresh capability of BGP.

    RouterA#clear ip bgp 2 in    ! route refresh the peering with AS2

22. Check the BGP process using "sh ip bgp" to see what prefixes you are now receiving from your neighbouring AS. Use the more specific commands "sh ip bgp neighbor 196.200.220.xx routes" and "sh ip bgp neighbor 196.200.220.xx received-routes". What difference do you see? Write your answer here:

23. Note that you are still sending all prefixes you hear to your upstream ISP in AS100. There are no outbound filters. Also note that you are sending all prefixes you hear to your neighbouring ISP. Furthermore, this implicitly trusts your peer ISP to originate the correct prefixes from his ASN.


BGP Lab Exercise 4
------------------

24. This exercise will investigate the use of prefix-lists for filtering BGP announcements from both BGP neighbours. Before you begin, remove the AS-path filter configuration you added in Lab Exercise 3.

25. Define the prefix-lists that you will need. This first one specifies which routes you will send out to any BGP neighbour.

    RouterA(config)#ip prefix-list my-routes description My routes outbound
    RouterA(config)#ip prefix-list my-routes permit 196.200.220.16/28
    RouterA(config)#ip prefix-list my-routes deny 0.0.0.0/0 le 32

Double check that you set your "my-routes" outbound filter to contain the network you wish to announce.

26. Now define the prefix-list for the prefixes you expect to hear from your peer AS.

    RouterA(config)#ip prefix-list peer-AS2 description routes from AS2 inbound
    RouterA(config)#ip prefix-list peer-AS2 permit 196.200.220.32/28
    RouterA(config)#ip prefix-list peer-AS2 deny 0.0.0.0/0 le 32

27. Finally define the sanity prefix-list for prefixes you would expect to hear from your upstream ISP. In this example we assume we receive the full Internet Routing Table, or the default route, so we simply permit everything and discard the prefixes we should never hear on the Internet. See RFC3330 and www.cymru.com/Documents for more information on these special prefixes and the sanity filter.

    RouterA(config)#ip prefix-list sanity-filter description Sanity Inbound
    RouterA(config)#ip prefix-list sanity-filter deny 10.0.0.0/8 le 32
    RouterA(config)#ip prefix-list sanity-filter deny 127.0.0.0/8 le 32
    RouterA(config)#ip prefix-list sanity-filter deny 169.254.0.0/16 le 32
    RouterA(config)#ip prefix-list sanity-filter deny 172.16.0.0/12 le 32
    RouterA(config)#ip prefix-list sanity-filter deny 192.0.2.0/24 le 32
    RouterA(config)#ip prefix-list sanity-filter deny 192.168.0.0/16 le 32
    RouterA(config)#ip prefix-list sanity-filter permit 0.0.0.0/0 le 32

In most classroom exercises, you trust your provider enough that you can use a simple sanity filter that denies a few things and then permits everything else.

28. Now apply the prefix filter to the BGP session you have with your peer.

    RouterA(config-router)#neighbor 196.200.220.xx prefix-list my-routes out
    RouterA(config-router)#neighbor 196.200.220.xx prefix-list peer-AS2 in

29. And now apply the prefix filter to the BGP session you have with your upstream in AS100.

    RouterA(config-router)#neigh 196.200.220.12 prefix-list my-routes out
    RouterA(config-router)#neigh 196.200.220.12 prefix-list sanity-filter in

30. To implement the new policy, don't forget to request a route refresh on the two BGP sessions. The following commands will do the needful.

    clear ip bgp 100 in     ! apply new policy inbound from AS100
    clear ip bgp 100 out    ! apply new policy outbound to AS100
    clear ip bgp 2 in       ! apply new policy inbound from AS2
    clear ip bgp 2 out      ! apply new policy outbound to AS2

31. Check the BGP process using "sh ip bgp" to see what prefixes you are receiving from your neighbouring AS.

32. What routes do you see? What paths are available?


BGP Lab Exercise 5
------------------

33. The final exercise in the BGP labs is to simulate a situation which is commonly found in many service provider networks around the world. The situation is where an ISP multihomes between two upstream ISPs, and uses two local routers for redundancy. This necessitates using eBGP towards the upstreams, and iBGP between the two local routers.

34. To prepare for this, remove the eBGP configuration with your local peer.

    RouterA(config-router)#no neigh 196.200.220.xx remote-as 2

35. The teams on the left hand side of the room (A,C,E,G,I) will have to change the BGP AS Number from the one they are using to the one used by their neighbours on the right hand side of the room. The best way to do this is to make a note of the BGP configuration, then do "no router bgp " before entering the configuration as "router bgp ".

    RouterA(config)#no router bgp 1
    RouterA(config)#router bgp 2
    RouterA(config-router)#neigh 196.200.220.12 remote-as 100
    RouterA(config-router)#neigh 196.200.220.12 prefix-list my-routes out
    RouterA(config-router)#neigh 196.200.220.12 prefix-list sanity-filter in
    RouterA(config-router)#no synchronization
    ...etc...

36. The teams on the right hand side of the room (B,D,F,H,J) will have to delete the BGP session with AS100 and replace it with a BGP session with AS200.

    RouterB(config)#router bgp 2
    RouterB(config-router)#no neigh 196.200.220.12 remote-as 100
    RouterB(config-router)#neigh 196.200.220.13 remote-as 200
    RouterB(config-router)#neigh 196.200.220.13 prefix-list my-routes out
    RouterB(config-router)#neigh 196.200.220.13 prefix-list sanity-filter in

37. Note that the prefix-list "my-routes" used in the eBGP filters in the previous two steps will need to include the address block from both routers. So it will have two /28 networks in it, one from the router on the left. For example:

    RouterB(config)#ip prefix-list my-routes permit 196.200.220.16/28
    RouterB(config)#ip prefix-list my-routes permit 196.200.220.32/28
    RouterB(config)#ip prefix-list my-routes deny 0.0.0.0/0 le 32

38. Now each of AS 2, AS 4, AS 6, AS 8 and AS 10 needs to configure OSPF in their AS. Before starting the OSPF process, configure a loopback interface and give it an IP address so that OSPF will use it as the OSPF Router ID. For the loopback interface, assign a /32 IP address from your block.

    RouterA(config)#interface loopback0
    RouterA(config-if)#ip addr 196.200.220.yy 255.255.255.255
    RouterA(config-if)#router ospf 2
    RouterA(config-router)#passive-interface default
    RouterA(config-router)#network 196.200.220.yy 0.0.0.0 area 0
    RouterA(config-router)#network 196.200.220.xx 0.0.0.3 area 0
    RouterA(config-router)#no passive-interface Serial 0/0

Note that we only run OSPF on the Serial link between the two routers in the AS.

39. Now each of AS 2, AS 4, AS 6, AS 8 and AS 10 needs to configure iBGP in their AS. Remember that iBGP runs between loopback interfaces on the router.

    RouterA(config-router)#router bgp 2
    RouterA(config-router)#neighbor 196.200.220.xx remote-as 2
    RouterA(config-router)#neighbor 196.200.220.xx next-hop-self
    RouterA(config-router)#neighbor 196.200.220.xx update-source loopback 0

Note that the iBGP session does not need any prefix filters to be applied. In an ISP network, iBGP prefixes are distributed throughout the whole iBGP speaking network.
Notice the purpose of the next-hop-self command in iBGP. This ensures that external point to point links do not need to be carried in OSPF.

40. Check the BGP process using "sh ip bgp" to see if both the eBGP and iBGP neighbours are active.

41. Also check to see what prefixes you are receiving from all your BGP neighbours. What paths do you see? Can you explain what is happening?


BGP Testing
-----------

1. Verify that you can see routes for all networks in your AS by using "show ip route". Test connectivity using ping and traceroute, as well as "show ip bgp" and "show ip route".

2. Add some additional routes to simulate connections to customers. Obtain IP address allocations from the registry (instructors), add routes to "null 0", and use bgp "network" statements to bring the routes into BGP. Adjust your filters as appropriate. Get your peers to adjust their filters too.

3. Review your filters. Make sure that you are seeing the right information from everyone.

4. What routes do you see in your routing table? What do the ASpaths look like? Which routes are preferred?

5. Look at the routing table of other ASes to understand how traffic flows in the network.

6. Verify that you can get to all the PCs in the entire classroom (not just in your own AS).

7. Experiment with breaking connections. See how the routing changes.
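
The prefix-lists from Lab Exercise 4 (steps 25 to 27) can be checked offline before they are applied to a session. The following is an added example, not part of the original lab handout: a small Python model of prefix-list matching (first match wins, an entry without ge/le matches only that exact prefix length, implicit deny at the end). The function names and the test announcements are constructed for illustration.

```python
import ipaddress

# Prefix-lists copied from steps 25 to 27 of the lab (lab addressing).
LAB_CONFIG = """
ip prefix-list my-routes description My routes outbound
ip prefix-list my-routes permit 196.200.220.16/28
ip prefix-list my-routes deny 0.0.0.0/0 le 32
ip prefix-list peer-AS2 description routes from AS2 inbound
ip prefix-list peer-AS2 permit 196.200.220.32/28
ip prefix-list peer-AS2 deny 0.0.0.0/0 le 32
ip prefix-list sanity-filter description Sanity Inbound
ip prefix-list sanity-filter deny 10.0.0.0/8 le 32
ip prefix-list sanity-filter deny 127.0.0.0/8 le 32
ip prefix-list sanity-filter deny 169.254.0.0/16 le 32
ip prefix-list sanity-filter deny 172.16.0.0/12 le 32
ip prefix-list sanity-filter deny 192.0.2.0/24 le 32
ip prefix-list sanity-filter deny 192.168.0.0/16 le 32
ip prefix-list sanity-filter permit 0.0.0.0/0 le 32
"""

def parse_prefix_lists(config):
    """Return {name: [(action, network, min_len, max_len), ...]} in config order."""
    lists = {}
    for line in config.strip().splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[:2] != ["ip", "prefix-list"] or tok[3] not in ("permit", "deny"):
            continue  # description lines carry no match rule
        net = ipaddress.ip_network(tok[4])
        opts = dict(zip(tok[5::2], map(int, tok[6::2])))  # e.g. {"le": 32}
        # No ge/le: exact length only. le only: net length..le. ge only: ge..32.
        lo = opts.get("ge", net.prefixlen)
        hi = opts.get("le", 32 if "ge" in opts else net.prefixlen)
        lists.setdefault(tok[2], []).append((tok[3], net, lo, hi))
    return lists

def evaluate(lists, name, route):
    """First matching entry decides; falling off the end is an implicit deny."""
    r = ipaddress.ip_network(route)
    for action, net, lo, hi in lists[name]:
        if r.subnet_of(net) and lo <= r.prefixlen <= hi:
            return action
    return "deny"

LISTS = parse_prefix_lists(LAB_CONFIG)

if __name__ == "__main__":
    # Constructed test announcements: (list applied, prefix offered)
    for name, route in [("my-routes", "196.200.220.32/28"),       # peer's block: not re-announced
                        ("peer-AS2", "196.200.220.32/29"),        # more-specific of peer block
                        ("sanity-filter", "10.20.0.0/16"),        # private space from upstream
                        ("sanity-filter", "196.200.220.16/28")]:  # our own block from upstream
        print(f"{name:14} {route:20} {evaluate(LISTS, name, route)}")
```

The last test route shows that sanity-filter, as written in step 27, permits your own /28 when it is offered by the upstream.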