The Journey of a Network Engineer


December 19, 2010  3:46 AM

How to manipulate BGP Routes – part 3

Sulaiman Syed

This is the last part of BGP route manipulation. As discussed in the earlier entries, routes can be manipulated by

  • neighbor distribute-list (standard ACL / extended ACL)
  • neighbor prefix-list
  • neighbor filter-list
  • neighbor route-map

A valid question before talking about route-maps is: when should a route-map be used? As a general rule, when the route manipulation is based on network prefixes, a neighbor distribute-list or prefix-list will suffice. A filter-list is used when the manipulation is based on AS_PATH information. Route-maps should be used when the conditions vary: they can be based on network prefixes, AS_PATH, next hop, weight, local preference, origin, MED, etc.

The following lines are the command-line syntax for route-maps:

neighbor neighbor-id route-map name {in | out}

route-map name {permit | deny} number
 match ...
 set ...

The match is the condition or conditions that we want to base our route manipulation on, while the set is the course of action we would like to take.

The following example sets a weight of 200 on routes advertised by a certain BGP neighbor (10.0.0.1) whose AS_PATH contains ASN 55.

router bgp 111
 neighbor 10.0.0.1 route-map weight-200 in
!
ip as-path access-list 5 permit _55_
!
route-map weight-200 permit 10
 match as-path 5
 set weight 200
!
route-map weight-200 permit 20

The second route-map entry (sequence 20, with no match clause) is necessary: a route-map ends with an implicit deny, so without it every other route advertised by neighbor 10.0.0.1 that does not have ASN 55 in its AS_PATH would be dropped.

This concludes the manipulation of BGP routes. :)

December 16, 2010  4:46 AM

How to manipulate BGP Routes – part 2

Sulaiman Syed

As discussed earlier, BGP mainly uses four methods to manipulate routes:

  • neighbor distribute-list (standard ACL / extended ACL)
  • neighbor prefix-list
  • neighbor filter-list
  • neighbor route-map

The first two methods were explained in the earlier entry. In this entry, I explain how to use a filter-list and when it should be used.

A filter-list is a strong tool for manipulating the routing table, which indirectly changes the path packets take to reach their destinations.

When the goal of the policy is to filter routes based on the AS_PATH, a filter-list is used. A filter-list filters BGP updates by matching the AS_PATH PA. The syntax for a filter-list is as follows:

ip as-path access-list number {permit | deny} regex
neighbor neighbor-id filter-list as-path-filter-number {in | out}

The regex is the condition used to match AS_PATH segments. An AS_PATH has four segment types:

  • AS_SEQUENCE: an ordered list of ASNs through which the route has been advertised. ASNs are separated by spaces, and no character encloses the segment.
  • AS_SET: an unordered list of ASNs through which the route has been advertised. ASNs are separated by commas, and the segment is enclosed in { } (usually used when a router summarizes a route).
  • AS_CONFED_SEQ: similar to AS_SEQUENCE, but holds confederation ASNs only. ASNs are separated by spaces, and the segment is enclosed in ( ).
  • AS_CONFED_SET: similar to AS_SET, but holds confederation ASNs only. ASNs are separated by commas, and the segment is enclosed in { }.

The following line is an example of AS_CONFED_SEQ, AS_SEQUENCE, and AS_SET:

*>20.0.0.0/8         10.20.14.50               0              100            0  (111) 4 {1, 404, 200} i

The regexes that match these conditions are tricky and confusing. I think the only way to master them is to practice them, practice making conditions with them. Here is a list that explains them in a nutshell:

  • ^: start of the line
  • $: end of the line
  • |: logical OR between the alternatives on either side
  • _: any delimiter: blank, comma, brace, parenthesis, start of line, or end of line
  • .: any single character
  • ?: zero or one instance of the preceding character
  • *: zero or more instances of the preceding character
  • +: one or more instances of the preceding character
  • (string): parentheses group the enclosed characters into a single entity when used with ?, *, or +
  • [string]: creates a wildcard in which any single character from the string can match that position in the AS_PATH

Brian did a good job explaining the regex in his blog. Please refer to it for more examples of how to use these expressions to match AS_PATH segments.

An example of a regex used in as-path access-list 10:

ip as-path access-list 10 deny ^1_.*_.*_.*_44$

This entry filters routes whose AS_PATH begins with AS 1, has three (or more) additional ASNs of any value, and ends with ASN 44. Since it is a deny entry, the list needs a permit entry after it, or every other route is dropped by the implicit deny.

I would say that practicing these regexes is very important; without it, route filtering can take an unpredictable and undesirable path.
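To see how `_` and the anchors behave, here is an added Python example (not from the original post) that translates an IOS as-path regex into a Python regex and evaluates an as-path access-list top to bottom with the implicit deny, covering both access-list 10 above and the `_55_` list from part 3. The `permit .*` second entry in list 10 and the AS_PATH strings are constructed for the demonstration.

```python
import re

# In IOS, "_" matches any AS_PATH delimiter: space, comma, brace, parenthesis,
# or the start or end of the string. Everything else is ordinary regex syntax.
_DELIMITER = r"(?:^|$|[ ,{}()])"


def cisco_to_python_regex(cisco_regex: str) -> str:
    """Translate an IOS as-path regex into an equivalent Python pattern."""
    return cisco_regex.replace("_", _DELIMITER)


def as_path_matches(cisco_regex: str, as_path: str) -> bool:
    """True if the AS_PATH string (as shown by 'show ip bgp') matches the regex."""
    return re.search(cisco_to_python_regex(cisco_regex), as_path) is not None


def as_path_access_list(entries, as_path: str) -> bool:
    """Evaluate an 'ip as-path access-list' the way IOS does: entries are checked
    top to bottom, the first match decides, and a list with no match denies."""
    for action, regex in entries:
        if as_path_matches(regex, as_path):
            return action == "permit"
    return False


# access-list 10 from the post, plus a constructed 'permit .*' so that routes
# not caught by the deny are still accepted (an all-deny list drops everything)
ACL_10 = [("deny", "^1_.*_.*_.*_44$"), ("permit", ".*")]

# access-list 5 from part 3: weight 200 only for paths containing ASN 55
ACL_5 = [("permit", "_55_")]


def demo():
    """Constructed AS_PATH strings run through both lists; returns
    {path: (permitted by list 10, permitted by list 5)}."""
    paths = ["1 2 3 4 44", "1 2 3 4 5 44", "1 2 44", "11 2 3 4 44",
             "100 55 200", "100 550 200", "55", "(111) 4 {1,55,200}"]
    return {p: (as_path_access_list(ACL_10, p), as_path_access_list(ACL_5, p))
            for p in paths}


if __name__ == "__main__":
    for path, (in_10, in_5) in demo().items():
        print(f"{path!r:24} list 10 permits={in_10!s:6} list 5 permits={in_5}")
```

Note that `11 2 3 4 44` is not caught by `^1_`, and `100 550 200` is not caught by `_55_`: the delimiter is what stops a partial ASN from matching.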

Our next entry will be about the use of route-maps to filter routes.


December 12, 2010  1:19 AM

How to manipulate BGP Routes – part 1

Sulaiman Syed

After learning how BGP selects the best route for a routing update using the BGP PAs, the next step is to manipulate these PAs to obtain the desired route for an NLRI.

BGP mainly uses four methods to manipulate routes:

  • neighbor distribute-list (standard ACL / extended ACL)
  • neighbor prefix-list
  • neighbor filter-list
  • neighbor route-map

The first two, distribute-list and prefix-list, match on the network and the subnet mask. A prefix-list is a straightforward operation: match a certain network with a certain subnet mask and filter it out. A simple example that denies the network range 10.20.0.0/24 to 10.20.255.0/24 and permits any other network to be advertised to the neighbor uses the following syntax (the second entry needs its own sequence number; two entries cannot share seq 5):

ip prefix-list sample seq 5 deny 10.20.0.0/16 ge 16 le 24
ip prefix-list sample seq 10 permit 0.0.0.0/0 le 32
!
router bgp 123
 neighbor 1.1.1.1 prefix-list sample out

BGP's distribute-list uses an ACL to match the prefix and the prefix length. An extended ACL is interpreted differently here than a normal extended ACL: the source address and wildcard match the network (prefix), and the destination address and wildcard match the subnet mask (prefix length). For example,

ip prefix-list sample_2 seq 5 deny 10.5.0.0/16
ip prefix-list sample_2 seq 10 deny 10.20.0.0/16 ge 16 le 24

can be written as

ip access-list extended sample_2
 deny ip host 10.5.0.0 host 255.255.0.0
 deny ip 10.20.0.0 0.0.255.255 255.255.0.0 0.0.255.0

In the second line, the source 10.20.0.0 0.0.255.255 matches any prefix inside 10.20.0.0/16, and the destination 255.255.0.0 0.0.255.0 matches any mask from 255.255.0.0 (/16) to 255.255.255.0 (/24); the keyword host cannot be combined with a wildcard.

The linked documentation will further help with understanding prefix-lists. In the next entry, we will discuss how to use neighbor filter-list to match AS_PATH contents for route manipulation, and a simple guideline for when to use each of the four methods to filter and manipulate BGP routes.


December 7, 2010  2:59 AM

How to use IP Prefix List?

Sulaiman Syed

IP prefix-lists are mostly used for route filtering in IGP (OSPF, IS-IS, EIGRP) and EGP (BGP) protocols. At first sight the command looks confusing, but it is quite simple and straightforward.

A prefix-list can be used with a route-map, where it is referenced with a match command. The command syntax is as follows:

ip prefix-list list-name [seq value] {deny network/length | permit network/length} [ge value] [le value]

As seen from the syntax, the command is divided into two parts: first the network/length, then ge and le. To summarize the meaning of the two parts:

  1. network/length determines the range of addresses implied by the prefix-list entry.
  2. The prefix length (subnet mask) of the route must fall within the range implied by ge (greater than or equal) and le (less than or equal).

This might sound slightly confusing, but an example will show what it means.

  1. 192.168.10.0/8: any network with 192 in the first octet only, which means the 192.0.0.0/8 network.
  2. 192.168.10.0/16 ge 16: any network from 192.168.0.0/16 to 192.168.xx.xx/32.
  3. 192.168.10.0/8 ge 8 le 16: networks from 192.0.0.0/8 to 192.xx.0.0/16.
  4. 0.0.0.0/0: any network with prefix length zero; only default routes have this.
  5. 0.0.0.0/0 le 32: this range implies all networks.

Another example to show how it works; imagine the following networks:

  1. 10.1.0.0/16
  2. 10.0.0.0/8
  3. 10.2.0.0/16
  4. 10.128.0.0/9

10.0.0.0/8 will match only network 2, since it requires an exact match.

10.0.0.0/8 ge 8 will match all routes, since all of the above networks start with 10 and the lowest subnet mask is 8.

10.0.0.0/8 ge 9 le 16 will match networks 1, 3, and 4, because ge 9 requires a subnet mask of 9 or longer, and network 2 has a subnet mask of 8.
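As an added Python example (not from the original post), the following parses IOS prefix-list lines and applies the network/length and ge/le rules above, so the four-network walkthrough here and the `sample` list from part 1 can be checked; the networks are the ones listed in the text, and the list name `t` is a placeholder.

```python
import ipaddress

class PrefixListEntry:
    """One 'ip prefix-list' line: network/length plus the optional ge/le range."""

    def __init__(self, seq, action, prefix, ge=None, le=None):
        self.seq, self.action = seq, action
        # strict=False lets 192.168.10.0/8 stand for 192.0.0.0/8, as IOS does
        self.network = ipaddress.IPv4Network(prefix, strict=False)
        length = self.network.prefixlen
        # IOS defaults: no ge/le -> the length must match exactly;
        # ge only -> le is 32; le only -> ge is the stated length
        self.min_len = ge if ge is not None else length
        self.max_len = le if le is not None else (32 if ge is not None else length)

    def matches(self, route):
        r = ipaddress.IPv4Network(route)
        if not self.min_len <= r.prefixlen <= self.max_len:
            return False
        shift = 32 - self.network.prefixlen  # compare only the first 'length' bits
        return int(r.network_address) >> shift == int(self.network.network_address) >> shift

def parse_prefix_list_line(line):
    """Parse 'ip prefix-list NAME [seq N] {permit|deny} A.B.C.D/L [ge X] [le Y]'."""
    tok = line.split()
    if tok[:2] != ["ip", "prefix-list"]:
        raise ValueError("not an ip prefix-list line: " + line)
    name, rest, seq = tok[2], tok[3:], None
    if rest[0] == "seq":
        seq, rest = int(rest[1]), rest[2:]
    action, prefix, opts = rest[0], rest[1], dict(zip(rest[2::2], map(int, rest[3::2])))
    if set(opts) - {"ge", "le"}:
        raise ValueError("unexpected keyword in: " + line)
    return name, seq, action, prefix, opts.get("ge"), opts.get("le")

def build_prefix_lists(lines):
    """Return {name: [entries sorted by seq]}; unnumbered entries get last seq + 5."""
    lists = {}
    for line in lines:
        name, seq, action, prefix, ge, le = parse_prefix_list_line(line)
        entries = lists.setdefault(name, [])
        if seq is None:
            seq = max((e.seq for e in entries), default=0) + 5
        entries.append(PrefixListEntry(seq, action, prefix, ge, le))
        entries.sort(key=lambda e: e.seq)
    return lists

def evaluate(entries, route):
    """First matching entry decides; a list with no matching entry denies."""
    for e in entries:
        if e.matches(route):
            return e.action == "permit"
    return False

def matching_routes(line, routes):
    """Routes that a single prefix-list line matches (the walkthrough's question)."""
    entries = next(iter(build_prefix_lists([line]).values()))
    return [r for r in routes if entries[0].matches(r)]

NETWORKS = ["10.1.0.0/16", "10.0.0.0/8", "10.2.0.0/16", "10.128.0.0/9"]  # from the text
SAMPLE = build_prefix_lists([  # the 'sample' list from part 1
    "ip prefix-list sample seq 5 deny 10.20.0.0/16 ge 16 le 24",
    "ip prefix-list sample seq 10 permit 0.0.0.0/0 le 32",
])["sample"]
```

`matching_routes("ip prefix-list t permit 10.0.0.0/8 ge 9 le 16", NETWORKS)` returns networks 1, 3 and 4, and `evaluate(SAMPLE, "10.20.5.0/24")` is denied while `evaluate(SAMPLE, "10.20.5.0/25")` is permitted because /25 is outside le 24.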

I hope this article explained how to write and understand prefix-lists. They are a strong tool for filtering routes in any route-map. For further reading, please refer to IP Prefix List by Cisco.


December 3, 2010  2:10 AM

How BGP selects the best route?

Sulaiman Syed

Since I started studying for the CCIE, I will write about technical topics that are either difficult or interesting, and present them in an easy way.

BGP is one of the most interesting routing protocols out there. The interesting part lies in the way routes can be manipulated. Many Path Attributes (PAs) play a part in the way BGP builds the routing table from route updates.

Routes can also be manipulated by omitting or filtering routes based on prefixes or AS_PATH segments (this will be discussed in the next entry).

The main Path Attributes (PAs) are:

  • Weight (Cisco proprietary)
  • Local Pref
  • Locally injected routes
  • Autonomous System (AS) Path
  • Origin PA
  • Multi-Exit Discriminator (MED)
  • Neighbor Type
  • IGP metric for reaching NEXT_HOP

These are the main PAs that can be manipulated to change the way the routing table is built. BGP's decision to include a route in the routing table follows this process:

0- Consider the route only if the NEXT_HOP is reachable. If there is no route to the NEXT_HOP address, the route is automatically rejected. Although this is not a PA, it is the first and most important factor for a route to be added to the routing table.

1- Highest administrative weight: the higher the value, the better the route. Weight can only be modified locally (on the router) and cannot be communicated to other routers.

2- Highest local preference: it can be distributed inside the AS; the higher the value, the better.

3- Locally injected routes: BGP prefers routes that were injected locally through the network command, redistribution, or route summarization.

4- Shortest AS_PATH length: the shorter the path, the better the route. An AS_SET is counted as one ASN regardless of the number of ASNs it contains.

5- ORIGIN PA: IGP (I) > EGP (E) > incomplete (?)

6- Smallest MED: this lets an ISP tell a customer which exit to choose in multi-homed designs for reaching a particular network.

7- Neighbor type: eBGP routes are preferred over iBGP routes.

8- Lowest IGP metric for reaching the NEXT_HOP: the smaller the value, the better the route.

If all of these fail to decide which route to add to the routing table, the following tie-breakers are used:

9- Keep the oldest eBGP route. This gives more stability and stops route flaps.

10- Choose the smallest neighbor RID.

11- Smallest neighbor ID: the local router may have two neighbor relationships with a single router (one router connected to another router with two links and two neighbor commands); the lower neighbor address is better.

One last point: with maximum-paths, BGP allows more than one route to be added to the routing table, BUT it always uses the one BEST route when advertising to neighbors.
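The nine comparisons and three tie-breakers above, written out as an added Python example (not from the original post) so that the order can be tested; the routes and their attribute values are constructed, and the AS_PATH strings follow the `show ip bgp` format used in this blog.

```python
import re
from dataclasses import dataclass

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}  # step 5: IGP beats EGP beats incomplete


@dataclass
class BgpRoute:
    """One path to the same prefix as the router sees it (attributes constructed)."""
    next_hop_reachable: bool = True
    weight: int = 0                 # Cisco weight, local to this router
    local_pref: int = 100
    locally_injected: bool = False  # network / redistribute / aggregate
    as_path: str = ""               # as shown by 'show ip bgp', e.g. "1 2 {3,4}"
    origin: str = "i"
    med: int = 0
    ebgp: bool = True
    igp_metric: int = 0             # IGP cost to the NEXT_HOP
    age: int = 0                    # seconds since the route was learned
    router_id: str = "0.0.0.0"      # neighbor's BGP router ID
    neighbor_ip: str = "0.0.0.0"    # address used in the neighbor command


def as_path_length(as_path: str) -> int:
    """Step 4: every ASN is one hop, an AS_SET {..} is one hop however many ASNs
    it holds, and confederation segments (..) are not counted."""
    without_confed = re.sub(r"\([^)]*\)", "", as_path)
    return len(re.findall(r"\{[^}]*\}|\d+", without_confed))


def _ip_key(ip: str):
    return tuple(int(octet) for octet in ip.split("."))


def best_path_key(r: BgpRoute):
    """Sort key for steps 1-11 in the order above; the smallest key is the best
    path. (IOS compares MED only between routes from the same neighboring AS;
    that refinement is left out here.)"""
    return (
        -r.weight,                       # 1 highest weight
        -r.local_pref,                   # 2 highest local preference
        0 if r.locally_injected else 1,  # 3 locally injected first
        as_path_length(r.as_path),       # 4 shortest AS_PATH
        ORIGIN_RANK[r.origin],           # 5 origin i < e < ?
        r.med,                           # 6 lowest MED
        0 if r.ebgp else 1,              # 7 eBGP over iBGP
        r.igp_metric,                    # 8 lowest IGP metric to NEXT_HOP
        -r.age if r.ebgp else 0,         # 9 oldest eBGP route
        _ip_key(r.router_id),            # 10 lowest neighbor router ID
        _ip_key(r.neighbor_ip),          # 11 lowest neighbor address
    )


def select_best(routes):
    """Step 0 drops routes whose NEXT_HOP is unreachable; then the key decides."""
    candidates = [r for r in routes if r.next_hop_reachable]
    return min(candidates, key=best_path_key) if candidates else None
```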


October 31, 2010  2:39 PM

From trunk ports to routed ports – part 3

Sulaiman Syed

This is the final part of the series. In this entry I post the sequence and the configuration lines needed for a smooth transition from trunk ports to routed ports. The motive for changing from trunk ports to routed ports can be read in part 1, while part 2 covered the network design scheme.

Implementation Plan:

The implementation will be carried out in a specific number of steps. The following syntax gives a general configuration which can later be changed depending on IP addresses, switches, and number of links.

First Step: configuring IP addresses and default gateways on all network devices
en
conf t
int vlan 1
ip address 10.0.yy.xx 255.255.255.0 (where yy is the distribution switch location, xx is the switch number)
exit
ip default-gateway 10.254.yy.1 (where yy is the distribution switch location)

Second Step: configuring the STP root on the distribution switch
en
conf t
spanning-tree vlan xx priority 4096 (do this for all respective vlans in that building)

Third Step: configuring the STP root on the second distribution switch, if available
en
conf t
spanning-tree vlan xx priority 8192 (do this for all respective vlans in that building)

Fourth Step: configuring the routing protocol on the core switches
en
conf t
router eigrp 10
network 10.0.0.0

Fifth Step: configuring the ports on the core switches
en
conf t
int gig x/x (x/x is the interface number)
no switchport
ip address 10.1.255.254 255.255.255.252

Sixth Step: configuring the routing protocol on the distribution switch
en
conf t
router eigrp 10
network 10.0.0.0

Seventh Step: configuring the ports on the distribution switch
en
conf t
int gig x/x (x/x is the interface number)
no switchport
ip address 10.1.255.253 255.255.255.252

Eighth Step: configuring the distribution switch for VTP
en
conf t
vtp mode server
vtp domain VTPDOMAIN
no vlan x,x-x (where x are the vlan numbers to be removed)

Ninth Step: configuring the access switch for VTP
en
conf t
vtp mode client
vtp domain VTPDOMAIN

Steps four and five can be combined. Steps six to eight can be done in one instance as well. Since most distribution switches have two links, it will not be necessary to go to the building physically. Buildings that have a single link connecting the distribution switch to the core switch will require physical presence at both ends.


October 27, 2010  3:46 AM

From trunk ports to routed ports – part 2

Sulaiman Syed

In this part, I talk about the migration from the current network to the proposed network.

Figure 1 shows a core layer with two distribution layers; the one on the left is current, and the one on the right is proposed. Before explaining any further, note that although the user vlans were meant to be local (they shouldn't span to the core and other distribution switches), they were spanning because of some poor configuration.


The core network has IP addresses of 10.0.y.x/16, where y = 0 for the core layer and x = host number/id. The distribution layer follows the scheme 10.0.y.x/16, where y = distribution switch location and x = host number/id. Access switches have the same scheme as distribution switches, except that their x starts from 100.

The objective is to migrate to routed ports without losing connectivity in the management vlan while providing a good summary for the routing table. This is possible by following the design on the right side of the figure: change the subnet mask from /16 to /24 from the distribution layer downward. The routed ports get their IP addresses from the last subnet of the user vlans. The user vlan IP scheme is 10.y.x.z/24, where y is the distribution switch location, x is the vlan number, and z is the host id. So for the first distribution switch the following subnets were allocated for the routed ports: 10.1.255.255/31 and 10.1.255.252/31. The second distribution switch used subnets 10.1.255.250/31 and 10.1.255.248/31.


October 23, 2010  11:59 PM

How to Configure Router on GNS3 to work with SDM.

Sulaiman Syed

This is a pretty basic configuration that can be done on a GNS3 router, or on any router for that matter. It is useful for first-time users, or for anyone who wants to practice for CCNA Security.

On the host, use the following settings:

IP address: 10.0.0.10
Subnet Mask: 255.255.255.0
Default Gateway: 10.0.0.1

On the router, apply the following settings to the interface connecting to your host:

Router>
Router> en
Router# conf t
Router(config)# int fa0/0
Router(config-if)# ip address 10.0.0.1 255.255.255.0
Router(config-if)# no shut
Router(config-if)# exit

Now, you need to configure the router to be able

Router(config)# ip domain-name TEST (a domain name is required for SDM and for generating the RSA key)
Router(config)# username test privilege 15 secret TeSt (username used with SDM; "secret 5" would expect an already hashed value, not a plaintext password)
Router(config)# ip http server (plain HTTP)
Router(config)# ip http secure-server (enables HTTPS)
Router(config)# ip http authentication local
Router(config)# line vty 0 4
Router(config-line)# login local
Router(config-line)# transport input telnet ssh (telnet sends credentials in clear text; "transport input ssh" alone is the safer choice once the RSA key exists)
Router(config-line)# privilege level 15 (recommended; no harm if omitted)
Router(config-line)# exit
Router(config)# crypto key generate rsa general-keys modulus 1024

Once this is done, the router is ready to be used with SDM. As a side note, if the additional tasks don't work with your SDM, change to an older Java version; it solves this problem.


October 23, 2010  1:37 AM

From trunk ports to routed ports – part 1

Sulaiman Syed

In this post I’ll talk about the migration of our backbone links from layer two to layer three links. Cisco recommends using layer three links between the distribution and the core switches for various reasons:

  1. Faster Convergence.
  2. Equal load balancing on redundant links.
  3. Loops will be handled by the routing protocol, not by STP.

Another objective of this project is to localize the VTP domain for each building’s network. Currently, all vlans are distributed through one VTP domain. The enterprise backbone is running STP instances for 129 vlans.

[Figure: Trunk Links]
The figure shows the network, that is, the connectivity between the distribution and core layer switches. All the links connecting the core switches to the distribution switches are layer two links, making the campus one wide broadcast domain. Manual pruning is taking place, but the management vlan is still spanning throughout the network, and new distribution switches are not pruning properly. Many of the redundant links are blocked by STP to mitigate layer two loops.

One of the major issues with this design is that vlans are spanned throughout the network. The core switches have already exceeded the recommended number of running spanning-tree instances. The current design consists of user vlans that are confined to the distribution switch (although spanning tree runs network-wide for these vlans), and the management vlan, with the IP scheme 10.xx.0.0/16, spanning throughout the enterprise from the core switch to the access point.

In part two, I will discuss how we made the change and the issues we faced.


October 15, 2010  12:21 PM

Issues with VTP

Sulaiman Syed

Although VLAN Trunking Protocol does its job of distributing the vlan database from the server to all the client switches, it has some major issues when it is wrongly implemented or when trunk negotiation between switches fails.

1- Always reset the revision number of a switch before adding it to the production network. This has happened almost everywhere.

The usual scenario: a switch goes down somewhere, and in the emergency someone brings in the test lab switch, deletes the running config, and adds it to the production network. BAM, suddenly all vlans have disappeared, and there is a whole-network outage.

The reason for this phenomenon is that the test lab switch has a higher configuration revision than the production network. Remember that a server will accept a VTP update from a client if the client has a higher revision number. Deleting the running config does not reset the revision; changing the switch's VTP domain name, or setting it to transparent mode before putting it back in client mode, resets the revision to zero, and "show vtp status" confirms it before the switch is connected.

2- Always hard-code a trunk link between two different VTP domains.
If the default trunk setting is kept on just one side:

interface FastEthernet0/1
switchport mode dynamic desirable

trunk negotiation will fail, the port will work as an access port, and you will have a partial network outage.

In an interesting case, it happened in my own organization where the negotiation failed, but Sw1 showed the link as trunk with the command (show int trunk), and Sw2 showed the link as access!!

3- Know the maximum number of vlans supported by a switch.
Some low-end switches (2960, 2950, etc.) have a maximum vlan support. If you put these switches into client mode, they will cause various issues; the best solution is to make them transparent.

