Introduction

The purpose of this exercise is to:

 

Pre-requisites

This exercise builds upon the configurations implemented in the iBGP lab. You must:

 

Address Space Allocation

Refer to the IP Address Plan document for information about the IP address plan for the network infrastructure for these labs.

 

 

Multihoming - eBGP Configuration

Connect to the NREN

Configure your BX1 router to connect to the NREN with a point-to-point link.

NRENs: Use the configuration in the Appendix.

On B11:

interface GigabitEthernet1/0
 description P2P Link to NREN1
 ip address 100.101.1.2 255.255.255.252
 no ip directed-broadcast
 no ip redirects
 no ip proxy-arp
 ipv6 address 2001:11:0:10::1/127
 ipv6 nd prefix default no-advertise
 ipv6 nd ra suppress all
 no shutdown

Make sure that it's up and that you can ping the other side:

B11# ping 100.101.1.1
B11# ping 2001:11:0:10::0

Do some traceroutes to other networks again:

B11# traceroute 100.68.2.1
B11# traceroute 100.68.3.1

Has anything changed since the last exercise?

Notice that before we had only one connection to the Internet - via the ISP. Now we have two. But we are still using a default route pointing to the ISP only!

We could add another default route pointing to the NREN, but that would not give us much flexibility in terms of traffic policies. Keep going.

 

BGP-peer with the NREN and the ISP

Configure eBGP sessions to the ISP and the NREN

On B11:

router bgp 10
 address-family ipv4
  neighbor 100.101.1.1 remote-as 101
  neighbor 100.101.1.1 description eBGP with NREN1
  neighbor 100.101.1.1 password NSRC-BGP
  neighbor 100.101.1.1 activate
 !
 address-family ipv6
  neighbor 2001:11:0:10:: remote-as 101
  neighbor 2001:11:0:10:: description eBGP with NREN1
  neighbor 2001:11:0:10:: password NSRC-BGP
  neighbor 2001:11:0:10:: activate
 !

Notice that with eBGP we no longer use the loopback address as the endpoint of the BGP session, as we did with iBGP. Why?

On B12:

router bgp 10
 address-family ipv4
  neighbor 100.121.1.1 remote-as 121
  neighbor 100.121.1.1 description eBGP with ISP1
  neighbor 100.121.1.1 password NSRC-BGP
  neighbor 100.121.1.1 activate
 !
 address-family ipv6
  neighbor 2001:18:0:10:: remote-as 121
  neighbor 2001:18:0:10:: description eBGP with ISP1
  neighbor 2001:18:0:10:: password NSRC-BGP
  neighbor 2001:18:0:10:: activate
 !

Check that the BGP sessions are up on both routers:

show ip bgp summary
show bgp ipv6 unicast summary

Once those are up, check if you are learning any prefixes:

B11# show ip bgp neighbor 100.101.1.1 routes
B11# show bgp ipv6 uni neighbor 2001:11:0:10:: routes

Verify what you are advertising to the NREN:

B11# show ip bgp neighbor 100.101.1.1 advertised-routes
B11# show bgp ipv6 uni neighbor 2001:11:0:10:: advertised-routes

... and to the ISP:

B12# show ip bgp neighbor 100.121.1.1 advertised-routes
B12# sh bgp ipv6 uni neigh 2001:18:0:10:: advertised

Are you perhaps announcing other prefixes that don't originate in your AS? If so, can you remember what serious negative implications this could have? Please stop and think about this. Ask the instructor if you need clarification.

Filter what you send and receive

Create prefix lists for your outbound filters. Outbound filters for BX1 and BX2 are the same:

ip prefix-list ASX0-out permit 100.68.X.0/24
ipv6 prefix-list ASX0-v6-out permit 2001:db8:X::/48

As you can see, we are only allowing our aggregate out to the Internet. Sending smaller prefixes (if we had any) serves no useful purpose at all.

Now create prefix lists for your inbound filters. Notice the descriptive names for the prefix lists.

On BX1:

ip prefix-list nren-in deny 100.68.X.0/24 le 32
ip prefix-list nren-in permit 0.0.0.0/0 le 32
!
ipv6 prefix-list nren-v6-in deny 2001:db8:X::/48 le 128
ipv6 prefix-list nren-v6-in permit ::/0 le 128

On BX2:

ip prefix-list isp-in deny 100.68.X.0/24 le 32
ip prefix-list isp-in permit 0.0.0.0/0 le 32
!
ipv6 prefix-list isp-v6-in deny 2001:db8:X::/48 le 128
ipv6 prefix-list isp-v6-in permit ::/0 le 128

Notice how we are matching the aggregate as well as all possible subnets of our address blocks. This protects against some other network announcing any of our prefixes (whatever subnet size) to us.
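The outbound and inbound filters above can be checked offline before they are applied. The following is an added example, not part of the original lab: a small Python evaluator for prefix-list matching (exact length unless ge/le is given, first match wins, implicit deny), run over constructed sample routes for Group 1 (X = 1). The load and evaluate helpers are hypothetical names, and entries are assumed to carry no seq numbers.

```python
import ipaddress

# Group 1 (X = 1) filters from this lab, as they would appear on B11.
CONFIG = """\
ip prefix-list AS10-out permit 100.68.1.0/24
ipv6 prefix-list AS10-v6-out permit 2001:db8:1::/48
ip prefix-list nren-in deny 100.68.1.0/24 le 32
ip prefix-list nren-in permit 0.0.0.0/0 le 32
ipv6 prefix-list nren-v6-in deny 2001:db8:1::/48 le 128
ipv6 prefix-list nren-v6-in permit ::/0 le 128
"""

def load(config):
    """Parse 'ip|ipv6 prefix-list NAME permit|deny PREFIX [ge N] [le N]' lines."""
    lists = {}
    for tok in (line.split() for line in config.splitlines()):
        if len(tok) < 5 or tok[1] != "prefix-list":
            continue
        net = ipaddress.ip_network(tok[4])
        opts = dict(zip(tok[5::2], map(int, tok[6::2])))
        if opts:   # ge/le given: a range of prefix lengths
            lo = opts.get("ge", net.prefixlen)
            hi = opts.get("le", net.max_prefixlen)
        else:      # neither given: the exact prefix length only
            lo = hi = net.prefixlen
        lists.setdefault(tok[2], []).append((tok[3], net, lo, hi))
    return lists

def evaluate(entries, route):
    """First matching entry wins; a route matching no entry is denied."""
    r = ipaddress.ip_network(route)
    for action, net, lo, hi in entries:
        if r.version == net.version and lo <= r.prefixlen <= hi and r.subnet_of(net):
            return action
    return "deny"  # implicit deny at the end of every prefix-list

LISTS = load(CONFIG)

# Constructed sample routes: (prefix-list, candidate route).
SAMPLES = [
    ("AS10-out", "100.68.1.0/24"),      # our aggregate
    ("AS10-out", "100.68.1.128/25"),    # a more-specific of our block
    ("AS10-out", "100.68.2.0/24"),      # another AS's prefix learned over BGP
    ("nren-in", "100.68.1.0/25"),       # our own space arriving from outside
    ("nren-in", "100.68.3.0/24"),       # another group's prefix
    ("nren-v6-in", "2001:db8:1:8000::/49"),
    ("nren-v6-in", "2001:db8:3::/48"),
]

if __name__ == "__main__":
    for name, route in SAMPLES:
        print(f"{name:11} {route:22} {evaluate(LISTS[name], route)}")
```

Only the aggregate passes the outbound list, so a prefix learned from the ISP or NREN can never be re-announced to the other upstream; any announcement covering our own space is dropped inbound.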

Now apply these prefix-lists to the BGP sessions with the ISP and the NREN.

On B11:

router bgp 10
 address-family ipv4
  neighbor 100.101.1.1 prefix-list nren-in in
  neighbor 100.101.1.1 prefix-list AS10-out out
 !
 address-family ipv6
  neighbor 2001:11:0:10:: prefix-list nren-v6-in in
  neighbor 2001:11:0:10:: prefix-list AS10-v6-out out

On B12:

router bgp 10
 address-family ipv4
  neighbor 100.121.1.1 prefix-list isp-in in
  neighbor 100.121.1.1 prefix-list AS10-out out
 !
 address-family ipv6
  neighbor 2001:18:0:10:: prefix-list isp-v6-in in
  neighbor 2001:18:0:10:: prefix-list AS10-v6-out out

Use the BGP route refresh capability to resend the information to the peer. Use the AS number of the peer rather than the IP address (much less typing for IPv6) in the route refresh command:

B11# clear ip bgp 101 out
B11# clear bgp ipv6 unicast 101 out
B12# clear ip bgp 121 out
B12# clear bgp ipv6 unicast 121 out

You should now be advertising only your own address space. Check with the ISP and NREN administrators to make sure that they are receiving your prefix.

 

BGP between NRENs and RREN

The administrators of the NREN routers need to set up connectivity and BGP with the RREN router. The administrators will either be the workshop instructors, or members of the workshop itself.

The suggested configuration for the RREN router is in Appendix A. A suggested configuration for the NREN1 router is in Appendix B - the configuration for the NREN2 router will be very similar. These configurations use all the best practice ideas we have been using in the labs so far.

Bring up BGP between the NREN routers and the RREN and check that the prefixes originated by NREN1, NREN2 and the RREN are all visible in each other's BGP tables.

 

BGP between ISPs and RREN across the IXP

The administrators of the ISP routers need to set up eBGP between each other and the RREN router as well. The administrators will either be the workshop instructors, or members of the workshop itself.

A suggested configuration for the ISP1 router is in Appendix C - the configuration for the ISP2 router will be very similar. These configurations use all the best practice ideas we have been using in the labs so far.

Bring up BGP between the RREN and the ISP routers across the Internet Exchange Point. Check that the prefixes originated by ISP1, ISP2 and the RREN are all visible in each other's BGP tables.

 

Remove static routes

The ISPs remove their static routes towards their customers

Now your ISP has learned a route to reach your network, correct? The ISPs can now safely remove the static routes pointing to you and the other customers:

ISP1:

no ip route 100.68.1.0 255.255.255.0 100.121.1.2
no ip route 100.68.2.0 255.255.255.0 100.121.1.6
no ip route 100.68.3.0 255.255.255.0 100.121.1.10
!
no ipv6 route 2001:db8:1::/48 2001:18:0:10::1
no ipv6 route 2001:db8:2::/48 2001:18:0:11::1
no ipv6 route 2001:db8:3::/48 2001:18:0:12::1

ISP2:

no ip route 100.68.4.0 255.255.255.0 100.122.1.2
no ip route 100.68.5.0 255.255.255.0 100.122.1.6
no ip route 100.68.6.0 255.255.255.0 100.122.1.10
!
no ipv6 route 2001:db8:4::/48 2001:19:0:10::1
no ipv6 route 2001:db8:5::/48 2001:19:0:11::1
no ipv6 route 2001:db8:6::/48 2001:19:0:12::1

Remove your static default routes

In the previous exercise, we created default routes on both routers. But thanks to BGP, we should now be receiving routes from our NREN and our ISP.

Let's check first (do this on both routers):

show ip bgp
show bgp ipv6 unicast
show ip route
show ipv6 route

You should be learning routes advertised by other groups, and also from the NRENs and the ISPs.

Remove your static default routes from router BX2:

On B12:

no ip route 0.0.0.0 0.0.0.0 100.121.1.1
no ipv6 route ::/0 2001:18:0:10::

You should be able to ping any other router now. If you can't, wait for other groups to finish. If other groups are finished, work with them to work out what might be wrong. If you cannot see what is wrong, ask the instructors.

Use traceroute to verify the paths that packets are following towards various destinations:

B11# traceroute 100.100.0.1
B11# traceroute 100.68.3.2
...

Repeat the same tests from the other router in your AS and compare. Use the diagram to help you visualise it.

 

 

Appendices

Appendix A - RREN Configuration

The sample configuration for the RREN is below.

hostname RREN
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
username nrenlab secret lab-PW
enable secret lab-EN
service password-encryption
line vty 0 4
 transport preferred none
line console 0
 transport preferred none
no logging console
logging buffered 8192 debugging
no ip domain-lookup
ipv6 unicast-routing
ipv6 cef
no ip source-route
no ipv6 source-route
!
interface Loopback0
 ip address 100.100.0.1 255.255.255.255
 ipv6 address 2001:10::1/128
!
interface GigabitEthernet1/0
 description P2P Link to NREN1
 ip address 100.100.1.1 255.255.255.252
 no ip directed-broadcast
 no ip redirects
 no ip proxy-arp
 ipv6 address 2001:10:0:10::/127
 ipv6 nd prefix default no-advertise
 ipv6 nd ra suppress
 no shutdown 
!
interface GigabitEthernet2/0
 description P2P Link to NREN2
 ip address 100.100.1.5 255.255.255.252
 no ip directed-broadcast
 no ip redirects
 no ip proxy-arp
 ipv6 address 2001:10:0:11::/127
 ipv6 nd prefix default no-advertise
 ipv6 nd ra suppress
 no shutdown
!
interface GigabitEthernet3/0
 description Link to IXP
 ip address 100.127.1.3 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ipv6 address 2001:DB8:FFFF:1::3/64
 ipv6 nd prefix default no-advertise
 ipv6 nd ra suppress
 no shutdown
!
router bgp 100
 bgp log-neighbor-changes
 bgp deterministic-med
 no bgp default ipv4-unicast
 address-family ipv4
  distance bgp 200 200 200
  network 100.100.0.0 mask 255.255.0.0
  neighbor 100.100.1.2 remote-as 101
  neighbor 100.100.1.2 description eBGP with NREN1 (AS101)
  neighbor 100.100.1.2 password NSRC-BGP
  neighbor 100.100.1.2 activate
  neighbor 100.100.1.6 remote-as 102
  neighbor 100.100.1.6 description eBGP with NREN2 (AS102)
  neighbor 100.100.1.6 password NSRC-BGP
  neighbor 100.100.1.6 activate
  neighbor 100.127.1.1 remote-as 121
  neighbor 100.127.1.1 description eBGP with ISP1 (AS121)
  neighbor 100.127.1.1 password NSRC-BGP
  neighbor 100.127.1.1 activate
  neighbor 100.127.1.2 remote-as 122
  neighbor 100.127.1.2 description eBGP with ISP2 (AS122)
  neighbor 100.127.1.2 password NSRC-BGP
  neighbor 100.127.1.2 activate
!
 address-family ipv6
  distance bgp 200 200 200
  network 2001:10::/32
  neighbor 2001:10:0:10::1 remote-as 101
  neighbor 2001:10:0:10::1 description eBGP with NREN1 (AS101)
  neighbor 2001:10:0:10::1 password NSRC-BGP
  neighbor 2001:10:0:10::1 activate
  neighbor 2001:10:0:11::1 remote-as 102
  neighbor 2001:10:0:11::1 description eBGP with NREN2 (AS102)
  neighbor 2001:10:0:11::1 password NSRC-BGP
  neighbor 2001:10:0:11::1 activate
  neighbor 2001:DB8:FFFF:1::1 remote-as 121
  neighbor 2001:DB8:FFFF:1::1 description eBGP with ISP1 (AS121)
  neighbor 2001:DB8:FFFF:1::1 password NSRC-BGP
  neighbor 2001:DB8:FFFF:1::1 activate
  neighbor 2001:DB8:FFFF:1::2 remote-as 122
  neighbor 2001:DB8:FFFF:1::2 description eBGP with ISP2 (AS122)
  neighbor 2001:DB8:FFFF:1::2 password NSRC-BGP
  neighbor 2001:DB8:FFFF:1::2 activate
 !
ip route 100.100.0.0 255.255.0.0 null0
ipv6 route 2001:10::/32 null0

 

Appendix B - NREN1 Sample Configuration

The sample configuration for NREN1 is below. NREN2's configuration will be very similar, so modify accordingly.

hostname NREN1
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
username nrenlab secret lab-PW
enable secret lab-EN
service password-encryption
line vty 0 4
 transport preferred none
line console 0
 transport preferred none
no logging console
logging buffered 8192 debugging
no ip domain-lookup
ipv6 unicast-routing
ipv6 cef
no ip source-route
no ipv6 source-route
!
interface Loopback0
 ip address 100.101.0.1 255.255.255.255
 ipv6 address 2001:11::1/128
!
interface GigabitEthernet1/0
 description P2P Link to RREN
 ip address 100.100.1.2 255.255.255.252
 no ip directed-broadcast
 no ip redirects
 no ip proxy-arp
 ipv6 address 2001:10:0:10::1/127
 ipv6 nd prefix default no-advertise
 ipv6 nd ra suppress
 no shutdown
! 
! (repeat for Group 2 and Group 3 using Gig4/0 and 5/0)
interface GigabitEthernet3/0
 description P2P Link to R11
 ip address 100.101.1.1 255.255.255.252
 no ip directed-broadcast
 no ip redirects
 no ip proxy-arp
 ipv6 address 2001:11:0:10::/127
 ipv6 nd prefix default no-advertise
 ipv6 nd ra suppress
 no shutdown
!
! inbound filter for AS10 - repeat for AS20 and AS30
ip prefix-list AS10-in permit 100.68.1.0/24
ipv6 prefix-list AS10-v6-in permit 2001:db8:1::/48
!
router bgp 101
 bgp log-neighbor-changes
 bgp deterministic-med
 no bgp default ipv4-unicast
 address-family ipv4
  distance bgp 200 200 200
  network 100.101.0.0 mask 255.255.0.0
  neighbor 100.101.1.2 remote-as 10
  neighbor 100.101.1.2 description eBGP with AS10
  neighbor 100.101.1.2 password NSRC-BGP
  neighbor 100.101.1.2 prefix-list AS10-in in
  neighbor 100.101.1.2 activate
! (repeat for AS20 and AS30)
  neighbor 100.100.1.1 remote-as 100
  neighbor 100.100.1.1 description eBGP with RREN (AS100)
  neighbor 100.100.1.1 password NSRC-BGP
  neighbor 100.100.1.1 activate
 !
 address-family ipv6
  distance bgp 200 200 200
  network 2001:11::/32
  neighbor 2001:11:0:10::1 remote-as 10
  neighbor 2001:11:0:10::1 description eBGP with AS10
  neighbor 2001:11:0:10::1 password NSRC-BGP
  neighbor 2001:11:0:10::1 prefix-list AS10-v6-in in
  neighbor 2001:11:0:10::1 activate
! (repeat for AS20 and AS30)
  neighbor 2001:10:0:10:: remote-as 100
  neighbor 2001:10:0:10:: description eBGP with RREN (AS100)
  neighbor 2001:10:0:10:: password NSRC-BGP
  neighbor 2001:10:0:10:: activate
!
ip route 100.101.0.0 255.255.0.0 null0
ipv6 route 2001:11::/32 null0

 

Appendix C - ISP1 Sample Configuration

Note: This is in addition to what was configured in the previous exercise.

We can now announce a default route to each campus connected to us (as we have a route to the global IPv4 Internet via the classroom backbone). We will announce a default route by IPv6 as well, even though we don’t have global connectivity. This default route represents how commercial ISPs usually provide the last resort for commodity Internet to NRENs and Campuses.

! (filters for Group 1 - repeat for Group 2 and 3)
ip prefix-list AS10-in permit 100.68.1.0/24
ipv6 prefix-list AS10-v6-in permit 2001:db8:1::/48
!
router bgp 121
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 bgp deterministic-med
 address-family ipv4
  distance bgp 200 200 200
  network 100.121.0.0 mask 255.255.0.0
  neighbor 100.101.2.1 remote-as 101
  neighbor 100.101.2.1 description eBGP with NREN1 (AS101)
  neighbor 100.101.2.1 password NSRC-BGP
  neighbor 100.101.2.1 activate
  neighbor 100.121.1.2 remote-as 10
  neighbor 100.121.1.2 description eBGP with AS10
  neighbor 100.121.1.2 password NSRC-BGP
  neighbor 100.121.1.2 prefix-list AS10-in in
  neighbor 100.121.1.2 activate
! (repeat for AS20 and AS30)
  neighbor 100.127.1.2 remote-as 122
  neighbor 100.127.1.2 description eBGP with ISP2 (AS122)
  neighbor 100.127.1.2 password NSRC-BGP
  neighbor 100.127.1.2 activate
  neighbor 100.127.1.3 remote-as 100
  neighbor 100.127.1.3 description eBGP with RREN (AS100)
  neighbor 100.127.1.3 password NSRC-BGP
  neighbor 100.127.1.3 activate
 !
 address-family ipv6
  distance bgp 200 200 200
  network 2001:18::/32
  neighbor 2001:11:0:20:: remote-as 101
  neighbor 2001:11:0:20:: description eBGP with NREN1 (AS101)
  neighbor 2001:11:0:20:: password NSRC-BGP
  neighbor 2001:11:0:20:: activate
  neighbor 2001:18:0:10::1 remote-as 10
  neighbor 2001:18:0:10::1 description eBGP with AS10
  neighbor 2001:18:0:10::1 password NSRC-BGP
  neighbor 2001:18:0:10::1 prefix-list AS10-v6-in in
  neighbor 2001:18:0:10::1 activate
! (repeat for AS20 and AS30)
  neighbor 2001:DB8:FFFF:1::2 remote-as 122
  neighbor 2001:DB8:FFFF:1::2 description eBGP with ISP2 (AS122)
  neighbor 2001:DB8:FFFF:1::2 password NSRC-BGP
  neighbor 2001:DB8:FFFF:1::2 activate
  neighbor 2001:DB8:FFFF:1::3 remote-as 100
  neighbor 2001:DB8:FFFF:1::3 description eBGP with RREN (AS100)
  neighbor 2001:DB8:FFFF:1::3 password NSRC-BGP
  neighbor 2001:DB8:FFFF:1::3 activate
!
! Default IPv4 Route to Classroom Gateway
ip route 0.0.0.0 0.0.0.0 10.10.0.254
!
ip route 100.121.0.0 255.255.0.0 null0
ipv6 route 2001:18::/32 null0

 

Appendix D - Complete Lab Diagram & Address Plan