CCIE Pursuit Blog

August 17, 2008

Internetwork Expert Volume II: Lab 8 – Section 4

Section 4 – Exterior Gateway Routing – 13 Points

4.1 BGP

Easy BGP peering task.  Only “twist” is that you’ll be configuring confederations.

SubAS 65145 has a full mesh. 65267 does not.  You’ll need to make r6 a route-reflector.

You’ll also need to remember to set ‘next-hop-self’ between inter-confederation peers where needed (unlike true EBGP peerings, inter-confederation peers do not automatically set ‘next-hop-self’).  Or not…this will be addressed in later tasks.  🙂

For some reason IE peered between the loopbacks on the routers in SubAS 65145.

4.2 BGP Summarization

Advertise a summary of 174.x.0.0/16 to the backbone routers.

“Do not allow any other devices in your BGP network to see this prefix.”
“Use one static route on r5 and r6 to accomplish this.”

So we’ll need to create a static route to Null0 on r5 and r6 and redistribute it into BGP…while filtering it for the rest of the BGP routers.

First, create the static route:

r5(config)#ip route 174.1.0.0 255.255.0.0 null0

Next, match that route in a prefix-list and create route-maps to filter it for our network:

r5(config)#ip prefix-list TASK_4_2 permi 174.1.0.0/16

r5(config)#route-map OUT_TO_R4 deny 10
r5(config-route-map)#match ip add pre TASK_4_2
r5(config-route-map)#route-map OUT_TO_R4 permi 1000
r5(config-route-map)#do sh hist

r5(config-route-map)#route-map OUT_TO_R1 deny 10
r5(config-route-map)#match ip add pre TASK_4_2
r5(config-route-map)#route-map OUT_TO_R1 permi 1000

Finally, redistribute the static route into BGP and apply the route-maps outbound to the neighbors we need to filter for:

r5(config-route-map)#router bgp 65145
r5(config-router)#redistribute static
r5(config-router)#neigh 174.1.145.4 route-map OUT_TO_R4 out
r5(config-router)#neigh 174.1.145.1 route-map OUT_TO_R1 out

We are advertising the summary to BB3:

r5#sh ip bgp neigh 204.12.1.254 adv| b Netw
   Network          Next Hop            Metric LocPrf Weight Path
*> 174.1.0.0        0.0.0.0                  0         32768 ?

Total number of prefixes 1

But we’re not advertising the summary to r4 and r1:

r5#sh ip bgp neigh 174.1.145.4 adv| b Netw
   Network          Next Hop            Metric LocPrf Weight Path
*> 28.119.16.0/24   204.12.1.254             0             0 54 i
*> 28.119.17.0/24   204.12.1.254             0             0 54 i

Total number of prefixes 2

r5#sh ip bgp neigh 174.1.145.1 adv| b Netw
   Network          Next Hop            Metric LocPrf Weight Path
*> 28.119.16.0/24   204.12.1.254             0             0 54 i
*> 28.119.17.0/24   204.12.1.254             0             0 54 i

Total number of prefixes 2

4.3 BGP Next-Hop Processing

“Configure the network in such a way that all devices throughout your network have reachability to the BGP prefixes learned from AS54.”

Ugh.  That “all devices” bit had me worried that I would need to redistribute BGP into IGP. But the only devices not running BGP are sw3 and sw4 and they are in an OSPF stub area so they will just send traffic for unknown destinations to r3.  So we should be cool.

“Do not advertise the Frame Relay link to BB1 or the Ethernet link to BB3 into IGP or BGP to accomplish this.”

Not a problem, I just use ‘next-hop-self’.

“Do not use the next-hop-self command to accomplish this.”

Oh poop. I’m stumped.  Should I summarize the routes?  Create a default route? 

Nope. IE was being a bit tricky.  I need to use next-hop modification BUT I cannot use the command ‘next-hop-self’.  Instead I can set the next-hop in a route-map with ‘set ip next-hop peer-address’:

We can use the route-maps that we created for the last task and just add the line:

r6(config)#route-map OUT_TO_R2 perm 1000
r6(config-route-map)#set ip next-hop peer-address

I can ping prefixes from BB1 and BB3 from sw3 even though BGP is not running:

sw3#p 28.119.17.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 28.119.17.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms

sw3#p 112.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 112.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms

sw3#sh ip proto sum
Index Process Name
0     connected
1     static
2     ospf 100
*** IP Routing is NSF aware ***

4.4 BGP Bestpath Selection

Advertise some networks into BGP and then make the routes to some of these networks be preferred via one of the AS 54 backbone routers.

We’re affecting inbound traffic so we have a choice of AS-Path or MED. I picked AS-Path.

We also have this requirement:

“Other AS’s beyond AS 54 should not see these specific subnets, but instead should only see the previously advertised aggregate.”

This task would be very difficult without our good friend the BGP community attribute.  🙂

r6(config)#ip prefix-list VLAN3 permi 174.1.3.0/24
r6(config)#ip prefix-list VLAN4 permi 174.1.4.0/24
r6(config)#ip prefix-list VLAN7 permi 174.1.7.0/24

r6(config)#route-map OUT_TO_BB1
r6(config-route-map)#match ip add pre VLAN3 VLAN7
r6(config-route-map)#set as-path prepend 100 100 100 100
r6(config-route-map)#set community no-export
r6(config-route-map)#route-map OUT_TO_BB1 20
r6(config-route-map)#match ip add pre VLAN4
r6(config-route-map)#set community no-export
r6(config-route-map)#route-map OUT_TO_BB1 permit 1000

r6(config)#router bgp 65267
r6(config-router)#neigh 54.1.2.254 send-community
r6(config-router)#neigh 54.1.2.254 route-map OUT_TO_BB1 out

IE used MED instead of AS-Path (although they noted that both were acceptable).  They did drop this on me (I can’t believe that I didn’t know this):

By default, MED is only compared between paths for a prefix that were learned from the same neighboring autonomous system.
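As an added illustration (not from the post), here is a small Python model of the bestpath steps this task plays with, including the rule just stated: MED only counts between paths from the same neighbouring AS unless the equivalent of ‘bgp always-compare-med’ is on. The AS numbers, next-hops and the final tie-break on next-hop are constructed simplifications, not lab data.

```python
from dataclasses import dataclass
from typing import List, Optional

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}   # IGP < EGP < incomplete, lower is better


@dataclass
class Path:
    """One BGP path for a prefix, with the attributes the 4.4 task manipulates."""
    next_hop: str
    as_path: List[int]        # leftmost AS is the neighbouring AS the path came from
    weight: int = 0
    local_pref: int = 100
    origin: str = "i"
    med: int = 0

    @property
    def neighbor_as(self) -> Optional[int]:
        return self.as_path[0] if self.as_path else None


def better(a: Path, b: Path, always_compare_med: bool = False) -> bool:
    """True if path a wins over path b (simplified Cisco bestpath order)."""
    if a.weight != b.weight:
        return a.weight > b.weight              # highest weight
    if a.local_pref != b.local_pref:
        return a.local_pref > b.local_pref      # highest local preference
    if len(a.as_path) != len(b.as_path):
        return len(a.as_path) < len(b.as_path)  # shortest AS path (prepending acts here)
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:
        return ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin]
    # MED: lowest wins, but by default only between paths learned from the
    # same neighbouring AS; always_compare_med models 'bgp always-compare-med'.
    if (always_compare_med or a.neighbor_as == b.neighbor_as) and a.med != b.med:
        return a.med < b.med
    # Constructed stand-in for the remaining steps (eBGP over iBGP, IGP metric,
    # router-id ...): lowest next-hop wins so the result is deterministic.
    return a.next_hop < b.next_hop


def bestpath(paths: List[Path], always_compare_med: bool = False) -> Path:
    """Return the preferred path among the candidates for one prefix."""
    best = paths[0]
    for candidate in paths[1:]:
        if better(candidate, best, always_compare_med):
            best = candidate
    return best
```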

4.5 BGP Filtering

Advertise VLAN 1001 into BGP but make sure that devices outside of AS 65145 don’t have reachability to this VLAN.

“Do not use any access-lists or prefix-lists to accomplish this.”

Another job for the BGP community attribute.  r1 is inside a confederation, so we should use local-AS (no-export would stop the route at the confederation edge but still let the other sub-AS see it).

r1(config)#route-map TASK_4_5
r1(config-route-map)#set community local-AS

r1(config)#router bgp 65145
r1(config-router)#net 174.1.1.0 ma 255.255.255.0 route-map TASK_4_5
r1(config-router)#neighbor 174.1.145.4 send-comm
r1(config-router)#neighbor 174.1.145.5 send-comm

We see the route in AS 65145:

r4#sh ip bgp 174.1.1.0 255.255.255.0
BGP routing table entry for 174.1.1.0/24, version 20
Paths: (1 available, best #1, table Default-IP-Routing-Table, not advertised outside local AS)
Flag: 0x880
  Not advertised to any peer
  Local
    174.1.145.1 from 174.1.145.1 (150.1.1.1)
      Origin IGP, metric 0, localpref 100, valid, confed-internal, best
      Community: local-AS

We do not see it outside of AS 65145:

r2#sh ip bgp 174.1.1.0 255.255.255.0
% Network not in table
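Added example, not part of the post: a Python walk of the lab’s peerings that applies the well-known communities from 4.4 (no-export set outbound toward BB1) and 4.5 (local-AS set at r1), so you can see which routers end up with the prefix. The peering graph, the assumed AS “AS-beyond-54” behind BB1, and the omission of BB3’s onward peerings are constructed from the router names in the post, not lab data.

```python
from collections import deque
from typing import Dict, List, Set, Tuple

NO_EXPORT = "no-export"        # never sent to an eBGP peer: stays inside the confederation
LOCAL_AS = "local-AS"          # never leaves the local sub-AS (a.k.a. no-export-subconfed)
NO_ADVERTISE = "no-advertise"  # not sent to any peer

# router -> [(peer, peering kind)]; "ibgp" = same sub-AS, "confed" = other
# sub-AS of the confederation, "ebgp" = true external peer.  Constructed from
# the post's router names; BB3's onward peerings are left out on purpose.
PEERINGS: Dict[str, List[Tuple[str, str]]] = {
    "r1": [("r4", "ibgp"), ("r5", "ibgp")],
    "r4": [("r1", "ibgp"), ("r5", "ibgp"), ("r6", "confed")],
    "r5": [("r1", "ibgp"), ("r4", "ibgp"), ("r6", "confed"), ("BB3", "ebgp")],
    "r6": [("r4", "confed"), ("r5", "confed"), ("r2", "ibgp"), ("BB1", "ebgp")],
    "r2": [("r6", "ibgp")],
    "BB1": [("AS-beyond-54", "ebgp")],   # an assumed AS behind AS 54
    "BB3": [], "AS-beyond-54": [],
}
ROUTE_REFLECTORS = {"r6"}
# 'set community' applied by an outbound route-map on one peering (task 4.4)
OUTBOUND_SET: Dict[Tuple[str, str], Set[str]] = {("r6", "BB1"): {NO_EXPORT}}


def may_send(router: str, kind: str, learned_via: str, comms: Set[str]) -> bool:
    """Well-known community checks on the route as held, plus iBGP split horizon."""
    if NO_ADVERTISE in comms:
        return False
    if LOCAL_AS in comms and kind != "ibgp":
        return False
    if NO_EXPORT in comms and kind == "ebgp":
        return False
    # a route learned from an iBGP peer is not passed to other iBGP peers
    # unless this router reflects routes
    return not (learned_via == "ibgp" and kind == "ibgp" and router not in ROUTE_REFLECTORS)


def reach(origin: str, comms: Set[str] = frozenset()) -> Set[str]:
    """Every router that ends up holding a prefix originated at `origin`."""
    seen = {origin}
    queue = deque([(origin, "local", set(comms))])   # (router, how learned, communities)
    while queue:
        router, learned_via, held = queue.popleft()
        for peer, kind in PEERINGS[router]:
            if peer in seen or not may_send(router, kind, learned_via, held):
                continue
            seen.add(peer)
            # the outbound route-map adds communities to what the peer receives
            queue.append((peer, kind, held | OUTBOUND_SET.get((router, peer), set())))
    return seen
```

Setting no-export at the origin in 4.4 would keep BB1 itself from learning the specifics, which is why the community goes on the outbound route-map toward BB1 instead.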

December 2, 2007

Internetwork Expert Volume II: Lab 2 – Section 5

Section 5 – Exterior Gateway Routing – 11 Points

This section started out with a very straightforward BGP configuration.  I once again followed Ethan Banks’ suggestion to use notepad and it really helped to cut time and errors.  I did end up losing points for 5.1 though because I did not configure r4 as a route-reflector.  Although this was not specified in the task, the answer key stated that “it is implied that r4 is performing route-reflection for these devices.”  I agree that r4 sure looks like it would be a great choice for being a route-reflector, but I’m at a loss as to why I should be configuring capabilities based on implication; especially since IE’s mantra is “if they don’t specifically request it in the lab, then don’t do it.”

There was also a phantom peering from sw1 to bb3 in the answer key that was not specified in the task (most likely it was for 5.3).

5.2 was a simple BGP authentication task.

5.3 was another task that I managed to pull out of my butt by simply guessing the correct BGP technology to configure.  Basically you want to peer a router in AS 54 to your router in AS 400, BUT you need to make your router in AS 400 look like it’s in AS 100 (because that’s what the router in AS 54 is configured to peer with).  You need to use the “local-as” option to accomplish this:

neighbor local-as

sw1(config-router)#neigh 204.12.1.254 remote-as 54
sw1(config-router)#neigh 204.12.1.254 local-as 100 no-prepend

Here’s a good summary of that command:

The LOCAL-AS is used to present to your neighbor a different AS than your own and the no-prepend will remove completely your own BGP AS [from the AS Path].

So if you have

R1
router bgp 100
nei 2.2.2.2 remot 200

R2
router bgp 200
nei 1.1.1.1 remot 600 <– here you see that R2 is trying to peer with you on AS 600 although R1 is in AS 100

So you can

R1
router bgp 100
nei 2.2.2.2 remot 200
nei 2.2.2.2 local-as 600

If you inject a network R2 will see the route as if it came from:

*>1.1.10.10   100 600

but if you add the

nei 2.2.2.2 local-as 600 no-prepend, then you will see:

*>1.1.10.10   600

I hope it was clear enough.

5.4 was an easy BGP filtering issue.  No problems there.  You’ll need to be familiar with “ip as-path access-list” command to accomplish this:

ip as-path access-list

This section ended with a pretty straightforward BGP route summarization.  The only strange thing was that the answer key showed that I should have advertised r5’s fa0/0 interface into BGP?  That was not stated in the task, but I think that you needed to do that in order to introduce a 132.1.1.0/24 route.  This was another “implied” answer.

Before advertising 132.1.5.5 into BGP:

r5#sh ip bgp neigh 192.10.1.254 advertised-routes | i 0.0.0.0
r5#

After advertising 132.1.5.5 into BGP:

r5(config-router)#net 132.1.5.0 mask 255.255.255.0

r5#clear ip bgp * soft
r5#sh ip bgp neigh 192.10.1.254 advertised-routes | i 0.0.0.0
*> 132.1.0.0        0.0.0.0                            32768 i

That concluded the core section of the lab.  Overall, I felt like I did pretty well for a first shot at a practice lab.  I am obviously light-years away from being ready for the real thing.

If you’ve done the Volume I labs and absorbed at least a little of the IEATC lectures, then most of the technologies and some of the verbiage should be familiar.  I hit a few features that I was unaware of, but I also managed to steal a few points by guessing right and using the DOC.
