The purpose of this exercise is to:
Understand the routing implications of connecting to multiple external domains
Learn to configure basic eBGP to exchange routing information with multiple external peers.
This exercise builds upon the configurations implemented in the iBGP lab. You must:
be able to ping your neighbour router in the same AS using its loopback address (both IPv4 and IPv6!).
be able to ping your neighbour routers in other ASs using their point-to-point link addresses.
have iBGP running with other routers in your autonomous system.
Refer to the IP Address Plan document for information about the IP address plan for the network infrastructure for these labs.
Configure your BX1 router to connect to the NREN with a point-to-point link.
NRENs: Use the configuration in the Appendix.
On B11:
interface GigabitEthernet1/0
description P2P Link to NREN1
ip address 100.101.1.2 255.255.255.252
no ip directed-broadcast
no ip redirects
no ip proxy-arp
ipv6 address 2001:11:0:10::1/127
ipv6 nd prefix default no-advertise
ipv6 nd ra suppress all
no shutdown
Make sure that it's up and that you can ping the other side:
B11# ping 100.101.1.1
B11# ping 2001:11:0:10::0
Do some traceroutes to other networks again:
B11# traceroute 100.68.2.1
B11# traceroute 100.68.3.1
Has anything changed since the last exercise?
Notice that before we had only one connection to the Internet - via the ISP. Now we have two. But we are still using a default route pointing to the ISP only!
We could add another default route pointing to the NREN, but that would not give us much flexibility in terms of traffic policies. Keep going.
Configure eBGP sessions to the ISP and the NREN
On B11:
router bgp 10
address-family ipv4
neighbor 100.101.1.1 remote-as 101
neighbor 100.101.1.1 description eBGP with NREN1
neighbor 100.101.1.1 password NSRC-BGP
neighbor 100.101.1.1 activate
!
address-family ipv6
neighbor 2001:11:0:10:: remote-as 101
neighbor 2001:11:0:10:: description eBGP with NREN1
neighbor 2001:11:0:10:: password NSRC-BGP
neighbor 2001:11:0:10:: activate
!
Notice that with eBGP we no longer use the loopback address as the endpoint of the BGP session, as we did with iBGP. Why?
On B12:
router bgp 10
address-family ipv4
neighbor 100.121.1.1 remote-as 121
neighbor 100.121.1.1 description eBGP with ISP1
neighbor 100.121.1.1 password NSRC-BGP
neighbor 100.121.1.1 activate
!
address-family ipv6
neighbor 2001:18:0:10:: remote-as 121
neighbor 2001:18:0:10:: description eBGP with ISP1
neighbor 2001:18:0:10:: password NSRC-BGP
neighbor 2001:18:0:10:: activate
!
Check that the BGP sessions are up on both routers:
show ip bgp summary
show bgp ipv6 unicast summary
Once those are up, check if you are learning any prefixes:
B11# show ip bgp neighbor 100.101.1.1 routes
B11# show bgp ipv6 uni neighbor 2001:11:0:10:: routes
Verify what you are advertising to the NREN:
B11# show ip bgp neighbor 100.101.1.1 advertised-routes
B11# show bgp ipv6 uni neighbor 2001:11:0:10:: advertised-routes
... and to the ISP:
B12# show ip bgp neighbor 100.121.1.1 advertised-routes
B12# sh bgp ipv6 uni neigh 2001:18:0:10:: advertised
Are you perhaps announcing other prefixes that don't originate in your AS? If so, can you remember what serious negative implications this could have? Please stop and think about this. Ask the instructor if you need clarification.
Create prefix lists for your outbound filters. Outbound filters for BX1 and BX2 are the same:
ip prefix-list ASX0-out permit 100.68.X.0/24
ipv6 prefix-list ASX0-v6-out permit 2001:db8:X::/48
As you can see, we are only allowing our aggregate out to the Internet. Sending smaller prefixes (if we had any) serves no useful purpose at all.
Now create prefix lists for your inbound filters. Notice the descriptive names for the prefix lists.
On BX1:
ip prefix-list nren-in deny 100.68.X.0/24 le 32
ip prefix-list nren-in permit 0.0.0.0/0 le 32
!
ipv6 prefix-list nren-v6-in deny 2001:db8:X::/48 le 128
ipv6 prefix-list nren-v6-in permit ::/0 le 128
On BX2:
ip prefix-list isp-in deny 100.68.X.0/24 le 32
ip prefix-list isp-in permit 0.0.0.0/0 le 32
!
ipv6 prefix-list isp-v6-in deny 2001:db8:X::/48 le 128
ipv6 prefix-list isp-v6-in permit ::/0 le 128
Notice how we are matching the aggregate as well as all possible subnets of our address blocks. This protects against some other network announcing any of our prefixes (whatever subnet size) to us.
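The matching rules behind the outbound and inbound filters above, as an added example that is not part of the original lab material: a small evaluator for prefix-list entries with first match wins, implicit deny, and `ge`/`le` length ranges. The filter lines are constructed for Group 1 (X = 1), the test routes are sample values, and entries are assumed to have no `seq` numbers, as in this lab.

```python
import ipaddress
import re

# Constructed for Group 1 (X = 1), following the lab's filter templates.
CONFIG = """
ip prefix-list AS10-out permit 100.68.1.0/24
ipv6 prefix-list AS10-v6-out permit 2001:db8:1::/48
ip prefix-list nren-in deny 100.68.1.0/24 le 32
ip prefix-list nren-in permit 0.0.0.0/0 le 32
ipv6 prefix-list nren-v6-in deny 2001:db8:1::/48 le 128
ipv6 prefix-list nren-v6-in permit ::/0 le 128
"""

ENTRY = re.compile(
    r"^(?:ip|ipv6) prefix-list (\S+) (permit|deny) (\S+)"
    r"(?: ge (\d+))?(?: le (\d+))?$"
)

def parse(config):
    """Return {list_name: [(action, network, min_len, max_len), ...]} in order."""
    lists = {}
    for line in config.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        name, action, prefix, ge, le = m.groups()
        net = ipaddress.ip_network(prefix)
        # Without ge/le an entry matches only the exact prefix length.
        lo = int(ge) if ge else net.prefixlen
        hi = int(le) if le else (net.max_prefixlen if ge else net.prefixlen)
        lists.setdefault(name, []).append((action, net, lo, hi))
    return lists

def evaluate(entries, route):
    """First matching entry wins; a route that matches nothing is denied."""
    r = ipaddress.ip_network(route)
    for action, net, lo, hi in entries:
        if r.version == net.version and r.subnet_of(net) and lo <= r.prefixlen <= hi:
            return action
    return "deny"

LISTS = parse(CONFIG)

if __name__ == "__main__":
    # Sample routes: our aggregate, a more-specific of it, and a foreign block.
    for name, route in [("AS10-out", "100.68.1.0/24"), ("AS10-out", "100.101.0.0/16"),
                        ("nren-in", "100.68.1.128/25"), ("nren-in", "100.121.0.0/16")]:
        print(f"{name:10} {route:18} {evaluate(LISTS[name], route)}")
```

The outbound list has no `le`, so a more-specific such as 100.68.1.0/25 falls through to the implicit deny, while the inbound list needs `le 32` to catch every subnet of the aggregate.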
Now apply these prefix-lists to the BGP sessions with the ISP and the NREN.
On B11:
router bgp 10
address-family ipv4
neighbor 100.101.1.1 prefix-list nren-in in
neighbor 100.101.1.1 prefix-list AS10-out out
!
address-family ipv6
neighbor 2001:11:0:10:: prefix-list nren-v6-in in
neighbor 2001:11:0:10:: prefix-list AS10-v6-out out
On B12:
router bgp 10
address-family ipv4
neighbor 100.121.1.1 prefix-list isp-in in
neighbor 100.121.1.1 prefix-list AS10-out out
!
address-family ipv6
neighbor 2001:18:0:10:: prefix-list isp-v6-in in
neighbor 2001:18:0:10:: prefix-list AS10-v6-out out
Use the BGP route refresh capability to resend the information to the peer. Use the AS number of the peer rather than the IP address (much less typing for IPv6) in the route refresh command:
B11# clear ip bgp 101 out
B11# clear bgp ipv6 unicast 101 out
B12# clear ip bgp 121 out
B12# clear bgp ipv6 unicast 121 out
You should now be advertising only your own address space. Check with the ISP and NREN administrators to make sure that they are receiving your prefix.
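A quick audit of the step above, as an added example that is not part of the original lab material: it reads a `router bgp` stanza and reports every eBGP neighbor that lacks an inbound or outbound prefix-list. The configuration is constructed from the B11 lines in this lab with the IPv6 outbound filter left out on purpose; the check assumes filtering is done with `prefix-list` only (not route-maps).

```python
import re

# Constructed B11-style config: the lab's eBGP stanza, with the IPv6
# outbound filter left out on purpose so the audit has something to find.
CONFIG = """
router bgp 10
 address-family ipv4
  neighbor 100.101.1.1 remote-as 101
  neighbor 100.101.1.1 password NSRC-BGP
  neighbor 100.101.1.1 activate
  neighbor 100.101.1.1 prefix-list nren-in in
  neighbor 100.101.1.1 prefix-list AS10-out out
 !
 address-family ipv6
  neighbor 2001:11:0:10:: remote-as 101
  neighbor 2001:11:0:10:: password NSRC-BGP
  neighbor 2001:11:0:10:: activate
  neighbor 2001:11:0:10:: prefix-list nren-v6-in in
"""

def audit(config):
    """Return sorted (neighbor, finding) pairs for eBGP peers missing a filter."""
    local_as, peers = None, {}
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"router bgp (\d+)$", line)
        if m:
            local_as = m.group(1)
            continue
        m = re.match(r"neighbor (\S+) (.+)$", line)
        if not m:
            continue
        peer = peers.setdefault(m.group(1), {"as": None, "in": False, "out": False})
        rest = m.group(2).split()
        if rest[0] == "remote-as":
            peer["as"] = rest[1]
        elif rest[0] == "prefix-list" and len(rest) == 3 and rest[2] in ("in", "out"):
            peer[rest[2]] = True
    findings = []
    for addr, p in peers.items():
        if p["as"] is None or p["as"] == local_as:
            continue  # iBGP or incomplete neighbor: outside this check
        for direction in ("in", "out"):
            if not p[direction]:
                findings.append((addr, f"no prefix-list {direction}"))
    return sorted(findings)

if __name__ == "__main__":
    for addr, finding in audit(CONFIG):
        print(f"{addr}: {finding}")
```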
The administrators of the NREN routers need to set up connectivity and BGP with the RREN router. The administrators will either be the workshop instructors, or members of the workshop itself.
The suggested configuration for the RREN router is in Appendix A. A suggested configuration for the NREN1 router is in Appendix B - the configuration for the NREN2 router will be very similar. These configurations use all the best practice ideas we have been using in the labs so far.
Bring up BGP between the NREN routers and the RREN and check that the prefixes originated by NREN1, NREN2 and the RREN are all visible in each other's BGP tables.
The administrators of the ISP routers need to set up eBGP between each other and the RREN router as well. The administrators will either be the workshop instructors, or members of the workshop itself.
A suggested configuration for the ISP1 router is in Appendix C - the configuration for the ISP2 router will be very similar. These configurations use all the best practice ideas we have been using in the labs so far.
Bring up BGP between the RREN and the ISP routers across the Internet Exchange Point. Check that the prefixes originated by ISP1, ISP2 and the RREN are all visible in each other's BGP tables.
Now your ISP has learned a route to reach your network, correct? The ISPs can now safely remove the static routes pointing to you and the other customers:
ISP1:
no ip route 100.68.1.0 255.255.255.0 100.121.1.2
no ip route 100.68.2.0 255.255.255.0 100.121.1.6
no ip route 100.68.3.0 255.255.255.0 100.121.1.10
!
no ipv6 route 2001:db8:1::/48 2001:18:0:10::1
no ipv6 route 2001:db8:2::/48 2001:18:0:11::1
no ipv6 route 2001:db8:3::/48 2001:18:0:12::1
ISP2:
no ip route 100.68.4.0 255.255.255.0 100.122.1.2
no ip route 100.68.5.0 255.255.255.0 100.122.1.6
no ip route 100.68.6.0 255.255.255.0 100.122.1.10
!
no ipv6 route 2001:db8:4::/48 2001:19:0:10::1
no ipv6 route 2001:db8:5::/48 2001:19:0:11::1
no ipv6 route 2001:db8:6::/48 2001:19:0:12::1
In the previous exercise, we created default routes on both routers. But thanks to BGP, we should now be receiving routes from our NREN and our ISP.
Let's check first (do this on both routers):
show ip bgp
show bgp ipv6 unicast
show ip route
show ipv6 route
You should be learning routes advertised by other groups, and also from the NRENs and the ISPs.
Remove your static default routes from router BX2:
On B12:
no ip route 0.0.0.0 0.0.0.0 100.121.1.1
no ipv6 route ::/0 2001:18:0:10::
You should be able to ping any other router now. If you can't, wait for other groups to finish. If other groups are finished, work with them to work out what might be wrong. If you cannot see what is wrong, ask the instructors.
Use traceroute to verify the paths that packets are following towards various destinations:
B11# traceroute 100.100.0.1
B11# traceroute 100.68.3.2
...
Repeat the same tests from the other router in your AS and compare. Use the diagram to help you visualise it.
The sample configuration for the RREN is below.
hostname RREN
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
username nrenlab secret lab-PW
enable secret lab-EN
service password-encryption
line vty 0 4
transport preferred none
line console 0
transport preferred none
no logging console
logging buffered 8192 debugging
no ip domain-lookup
ipv6 unicast-routing
ipv6 cef
no ip source-route
no ipv6 source-route
!
interface Loopback0
ip address 100.100.0.1 255.255.255.255
ipv6 address 2001:10::1/128
!
interface GigabitEthernet1/0
description P2P Link to NREN1
ip address 100.100.1.1 255.255.255.252
no ip directed-broadcast
no ip redirects
no ip proxy-arp
ipv6 address 2001:10:0:10::/127
ipv6 nd prefix default no-advertise
ipv6 nd ra suppress
no shutdown
!
interface GigabitEthernet2/0
description P2P Link to NREN2
ip address 100.100.1.5 255.255.255.252
no ip directed-broadcast
no ip redirects
no ip proxy-arp
ipv6 address 2001:10:0:11::/127
ipv6 nd prefix default no-advertise
ipv6 nd ra suppress
no shutdown
!
interface GigabitEthernet3/0
description Link to IXP
ip address 100.127.1.3 255.255.255.0
no ip redirects
no ip proxy-arp
ipv6 address 2001:DB8:FFFF:1::3/64
ipv6 nd prefix default no-advertise
ipv6 nd ra suppress
no shutdown
!
router bgp 100
bgp log-neighbor-changes
bgp deterministic-med
no bgp default ipv4-unicast
address-family ipv4
distance bgp 200 200 200
network 100.100.0.0 mask 255.255.0.0
neighbor 100.100.1.2 remote-as 101
neighbor 100.100.1.2 description eBGP with NREN1 (AS101)
neighbor 100.100.1.2 password NSRC-BGP
neighbor 100.100.1.2 activate
neighbor 100.100.1.6 remote-as 102
neighbor 100.100.1.6 description eBGP with NREN2 (AS102)
neighbor 100.100.1.6 password NSRC-BGP
neighbor 100.100.1.6 activate
neighbor 100.127.1.1 remote-as 121
neighbor 100.127.1.1 description eBGP with ISP1 (AS121)
neighbor 100.127.1.1 password NSRC-BGP
neighbor 100.127.1.1 activate
neighbor 100.127.1.2 remote-as 122
neighbor 100.127.1.2 description eBGP with ISP2 (AS122)
neighbor 100.127.1.2 password NSRC-BGP
neighbor 100.127.1.2 activate
!
address-family ipv6
distance bgp 200 200 200
network 2001:10::/32
neighbor 2001:10:0:10::1 remote-as 101
neighbor 2001:10:0:10::1 description eBGP with NREN1 (AS101)
neighbor 2001:10:0:10::1 password NSRC-BGP
neighbor 2001:10:0:10::1 activate
neighbor 2001:10:0:11::1 remote-as 102
neighbor 2001:10:0:11::1 description eBGP with NREN2 (AS102)
neighbor 2001:10:0:11::1 password NSRC-BGP
neighbor 2001:10:0:11::1 activate
neighbor 2001:DB8:FFFF:1::1 remote-as 121
neighbor 2001:DB8:FFFF:1::1 description eBGP with ISP1 (AS121)
neighbor 2001:DB8:FFFF:1::1 password NSRC-BGP
neighbor 2001:DB8:FFFF:1::1 activate
neighbor 2001:DB8:FFFF:1::2 remote-as 122
neighbor 2001:DB8:FFFF:1::2 description eBGP with ISP2 (AS122)
neighbor 2001:DB8:FFFF:1::2 password NSRC-BGP
neighbor 2001:DB8:FFFF:1::2 activate
!
ip route 100.100.0.0 255.255.0.0 null0
ipv6 route 2001:10::/32 null0
The sample configuration for NREN1 is below. NREN2's configuration will be very similar, so modify accordingly.
hostname NREN1
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
username nrenlab secret lab-PW
enable secret lab-EN
service password-encryption
line vty 0 4
transport preferred none
line console 0
transport preferred none
no logging console
logging buffered 8192 debugging
no ip domain-lookup
ipv6 unicast-routing
ipv6 cef
no ip source-route
no ipv6 source-route
!
interface Loopback0
ip address 100.101.0.1 255.255.255.255
ipv6 address 2001:11::1/128
!
interface GigabitEthernet1/0
description P2P Link to RREN
ip address 100.100.1.2 255.255.255.252
no ip directed-broadcast
no ip redirects
no ip proxy-arp
ipv6 address 2001:10:0:10::1/127
ipv6 nd prefix default no-advertise
ipv6 nd ra suppress
no shutdown
!
! (repeat for Group 2 and Group 3 using Gig4/0 and 5/0)
interface GigabitEthernet3/0
description P2P Link to R11
ip address 100.101.1.1 255.255.255.252
no ip directed-broadcast
no ip redirects
no ip proxy-arp
ipv6 address 2001:11:0:10::/127
ipv6 nd prefix default no-advertise
ipv6 nd ra suppress
no shutdown
!
! inbound filter for AS10 - repeat for AS20 and AS30
ip prefix-list AS10-in permit 100.68.1.0/24
ipv6 prefix-list AS10-v6-in permit 2001:db8:1::/48
!
router bgp 101
bgp log-neighbor-changes
bgp deterministic-med
no bgp default ipv4-unicast
address-family ipv4
distance bgp 200 200 200
network 100.101.0.0 mask 255.255.0.0
neighbor 100.101.1.2 remote-as 10
neighbor 100.101.1.2 description eBGP with AS10
neighbor 100.101.1.2 password NSRC-BGP
neighbor 100.101.1.2 prefix-list AS10-in in
neighbor 100.101.1.2 activate
! (repeat for AS20 and AS30)
neighbor 100.100.1.1 remote-as 100
neighbor 100.100.1.1 description eBGP with RREN (AS100)
neighbor 100.100.1.1 password NSRC-BGP
neighbor 100.100.1.1 activate
!
address-family ipv6
distance bgp 200 200 200
network 2001:11::/32
neighbor 2001:11:0:10::1 remote-as 10
neighbor 2001:11:0:10::1 description eBGP with AS10
neighbor 2001:11:0:10::1 password NSRC-BGP
neighbor 2001:11:0:10::1 prefix-list AS10-v6-in in
neighbor 2001:11:0:10::1 activate
! (repeat for AS20 and AS30)
neighbor 2001:10:0:10:: remote-as 100
neighbor 2001:10:0:10:: description eBGP with RREN (AS100)
neighbor 2001:10:0:10:: password NSRC-BGP
neighbor 2001:10:0:10:: activate
!
ip route 100.101.0.0 255.255.0.0 null0
ipv6 route 2001:11::/32 null0
Note: This is in addition to what was configured in the previous exercise.
We can now announce a default route to each campus connected to us (as we have a route to the global IPv4 Internet via the classroom backbone). We will announce a default route by IPv6 as well, even though we don’t have global connectivity. This default route represents how commercial ISPs usually provide the last resort for commodity Internet to NRENs and Campuses.
! (filters for Group 1 - repeat for Group 2 and 3)
ip prefix-list AS10-in permit 100.68.1.0/24
ipv6 prefix-list AS10-v6-in permit 2001:db8:1::/48
!
router bgp 121
bgp log-neighbor-changes
no bgp default ipv4-unicast
bgp deterministic-med
address-family ipv4
distance bgp 200 200 200
network 100.121.0.0 mask 255.255.0.0
neighbor 100.101.2.1 remote-as 101
neighbor 100.101.2.1 description eBGP with NREN1 (AS101)
neighbor 100.101.2.1 password NSRC-BGP
neighbor 100.101.2.1 activate
neighbor 100.121.1.2 remote-as 10
neighbor 100.121.1.2 description eBGP with AS10
neighbor 100.121.1.2 password NSRC-BGP
neighbor 100.121.1.2 prefix-list AS10-in in
neighbor 100.121.1.2 activate
! (repeat for AS20 and AS30)
neighbor 100.127.1.2 remote-as 122
neighbor 100.127.1.2 description eBGP with ISP2 (AS122)
neighbor 100.127.1.2 password NSRC-BGP
neighbor 100.127.1.2 activate
neighbor 100.127.1.3 remote-as 100
neighbor 100.127.1.3 description eBGP with RREN (AS100)
neighbor 100.127.1.3 password NSRC-BGP
neighbor 100.127.1.3 activate
!
address-family ipv6
distance bgp 200 200 200
network 2001:18::/32
neighbor 2001:11:0:20:: remote-as 101
neighbor 2001:11:0:20:: description eBGP with NREN1 (AS101)
neighbor 2001:11:0:20:: password NSRC-BGP
neighbor 2001:11:0:20:: activate
neighbor 2001:18:0:10::1 remote-as 10
neighbor 2001:18:0:10::1 description eBGP with AS10
neighbor 2001:18:0:10::1 password NSRC-BGP
neighbor 2001:18:0:10::1 prefix-list AS10-v6-in in
neighbor 2001:18:0:10::1 activate
! (repeat for AS20 and AS30)
neighbor 2001:DB8:FFFF:1::2 remote-as 122
neighbor 2001:DB8:FFFF:1::2 description eBGP with ISP2 (AS122)
neighbor 2001:DB8:FFFF:1::2 password NSRC-BGP
neighbor 2001:DB8:FFFF:1::2 activate
neighbor 2001:DB8:FFFF:1::3 remote-as 100
neighbor 2001:DB8:FFFF:1::3 description eBGP with RREN (AS100)
neighbor 2001:DB8:FFFF:1::3 password NSRC-BGP
neighbor 2001:DB8:FFFF:1::3 activate
!
! Default IPv4 Route to Classroom Gateway
ip route 0.0.0.0 0.0.0.0 10.10.0.254
!
ip route 100.121.0.0 255.255.0.0 null0
ipv6 route 2001:18::/32 null0