
Redistributing ISIS into OSPF

Someone asked me recently for an example of ISIS redistribution into OSPF. So here goes.

Consider the topology below.

[Topology diagram: isis-into-ospf]

We redistribute ISIS into OSPF and vice versa on R2. We should then be able to ping R1 loopback from R3 loopback and vice versa.

Watch the video below or alternatively click here to download and watch it on your iPod.


The commands used in the above video can be found below.

R1
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet1/0
description :connected to R2 fa1/0:
ip address 10.0.0.1 255.255.255.252
ip ospf network point-to-point
!
router ospf 1
log-adjacency-changes
network 1.1.1.1 0.0.0.0 area 0
network 10.0.0.0 0.0.0.3 area 0
!

R2
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet1/0
description :connected to R1 fa1/0:
ip address 10.0.0.2 255.255.255.252
ip ospf network point-to-point
!
interface FastEthernet1/1
description :connected to R3 fa1/0:
ip address 10.0.0.5 255.255.255.252
ip router isis
!
router ospf 1
log-adjacency-changes
redistribute isis level-2 subnets
network 2.2.2.2 0.0.0.0 area 0
network 10.0.0.0 0.0.0.3 area 0
!
router isis
net 49.0001.0000.0000.0002.00
is-type level-2-only
redistribute ospf 1
!

R3
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface FastEthernet1/0
description :connected to R2 fa1/1:
ip address 10.0.0.6 255.255.255.252
ip router isis
!
router isis
net 49.0001.0000.0000.0003.00
is-type level-2-only
passive-interface Loopback0
!

ISIS level-1, level-2 areas, ISIS redistribution and ISIS default route origination.

I'm going to cover the following three things in this post.

  1. Level-1, Level-1-2 and Level-2-only routers: how to configure them and what the ATT bit is.
  2. The default behaviour of the various levels with respect to routing updates, i.e. are level-2 prefixes advertised to level-1 routers by default?
  3. Finally, how to originate a default route within a level-2 area.

Consider the topology below.

[Topology diagram: isis-att-redist-area]

Some important points worth noting:

  1. Level-1-2 routers HAVE to be in the same area as the level-1 routers, otherwise the level-1 routers will not be able to form an adjacency with them.
  2. The level-1-2 router must have a level-2 adjacency with a router in another area for the ATT bit to be set in its outgoing level-1 updates.
  3. By default level-1 routes are advertised to level-2 routers.
  4. By default level-2 routes are NOT advertised to level-1 routers.

Watch the video below or alternatively download the video and watch it on your iPod.


The commands used for the above configuration are:

R1

frame-relay switching
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Serial1/0
ip address 10.0.0.1 255.255.255.252
ip router isis
encapsulation frame-relay
clockrate 128000
no arp frame-relay
frame-relay map clns 200 broadcast
frame-relay map ip 10.0.0.2 200
no frame-relay inverse-arp
frame-relay intf-type dce
!
router isis
net 49.0001.0000.0000.0001.00
is-type level-1
passive-interface Loopback0
!

R2
!
frame-relay switching
!
interface Serial1/0
ip address 10.0.0.5 255.255.255.252
ip router isis
encapsulation frame-relay
no fair-queue
serial restart-delay 0
clockrate 128000
no arp frame-relay
frame-relay map ip 10.0.0.6 200
frame-relay map clns 200 broadcast
no frame-relay inverse-arp
frame-relay intf-type dce
isis circuit-type level-2-only
!
interface Serial1/1
ip address 10.0.0.2 255.255.255.252
ip router isis
encapsulation frame-relay
no arp frame-relay
frame-relay map clns 200 broadcast
frame-relay map ip 10.0.0.1 200
no frame-relay inverse-arp
isis circuit-type level-1
!
router isis
net 49.0001.0000.0000.0002.00
redistribute isis ip level-2 into level-1 distribute-list 100
!
access-list 100 permit ip any any

R3

interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface Serial1/0
ip address 10.0.0.6 255.255.255.252
ip router isis
encapsulation frame-relay
serial restart-delay 0
no arp frame-relay
frame-relay map clns 200 broadcast
frame-relay map ip 10.0.0.5 200
no frame-relay inverse-arp
!
router isis
net 49.0002.0000.0000.0003.00
is-type level-2-only
passive-interface Loopback0
default-information originate

ISIS over Frame-Relay

Configuring ISIS over frame-relay requires an additional command because ISIS packets are not carried in IP at layer 3 but in CLNS, so the frame-relay interface needs a CLNS map entry as well as the IP one.

Consider the topology below.

[Topology diagram: frame-isis]

Watch the video below or alternatively download it and watch it on your iPod.


The commands used in the configuration can be found below.

R1
!
frame-relay switching
!
interface Serial1/0
ip address 10.0.0.1 255.255.255.252
ip router isis
encapsulation frame-relay
clockrate 128000
no arp frame-relay
frame-relay map clns 200 broadcast
frame-relay map ip 10.0.0.2 200
no frame-relay inverse-arp
frame-relay intf-type dce
!
router isis
net 49.0001.0000.0000.0001.00
is-type level-1

R2

!
interface Serial1/1
ip address 10.0.0.2 255.255.255.252
ip router isis
encapsulation frame-relay
no arp frame-relay
frame-relay map clns 200 broadcast
frame-relay map ip 10.0.0.1 200
no frame-relay inverse-arp
isis circuit-type level-1
!
router isis
net 49.0001.0000.0000.0002.00

ISIS wide metrics

By default ISIS uses narrow metrics, which cap the per-link metric at 63.

To address this limitation a new IS-IS TLV was defined to overcome the limited 6-bit metric of 63.  This TLV, known as TLV Type 135, increased the per-link metric range from <0-63> to <1-16777214>, i.e. the new TLV has 24 bits for the ISIS metric.

This new range can be seen under the interface config mode as shown below.

R2(config)#interface loopback 0
R2(config-if)#isis metric ?
<1-16777214>  Default metric

Consider the topology below.

[Topology diagram: metric-style]

We will attempt to increase the metric of the R2 loopback to greater than 63 with and without wide-metrics enabled.

The video below shows how to configure and verify the use of wide metrics in ISIS.  Click here to download the video and watch it on your iPod.


The commands used in the video are as below:-

R1

interface FastEthernet1/0
ip router isis
!

router isis
net 49.0001.0000.0000.0001.00
is-type level-2-only
metric-style wide
passive-interface Loopback0

R2

interface Loopback0
isis metric 10000
!
interface FastEthernet1/0
ip router isis
!

router isis
net 49.0001.0000.0000.0002.00
is-type level-2-only
metric-style wide
passive-interface Loopback0

R3

interface FastEthernet1/0
ip router isis
!
interface FastEthernet1/1
ip router isis
!

router isis
net 49.0001.0000.0000.0003.00
is-type level-2-only
metric-style wide
passive-interface Loopback0
!

To verify the wide metric on R1 use the command below.

R1#show isis database R2.00-00 detail

IS-IS Level-2 LSP R2.00-00
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
R2.00-00              0x0000000E   0x1A31        428               0/0/0
Area Address: 49.0001
NLPID:        0xCC
Hostname: R2
IP Address:        2.2.2.2
Metric: 10         IS-Extended R3.02
Metric: 10000      IP 2.2.2.2/32
Metric: 10         IP 10.0.0.4/30

Prefix Lists

IP prefix lists can be used with BGP to permit or deny specific prefixes being advertised to, or learnt from, a neighbor.

Consider the topology below.

[Topology diagram: prefix-lists]

We will carry out three exercises.

  1. configure a prefix list to match 192.168.1.0/24
  2. configure a prefix list to match 192.168.1.0/24, 192.168.1.0/25, 192.168.1.0/26.
  3. configure a prefix list to match 192.168.1.0/25 and 192.168.1.0/26

Exercise 1

We configure the following prefix list and attach it to the BGP neighbor 10.0.0.2 using the commands below.

ip prefix-list slash-24-only seq 5 permit 192.168.1.0/24

router bgp 1
!
neighbor 10.0.0.2 prefix-list slash-24-only in

Exercise 2

We configure the following prefix list and attach it to the BGP neighbor 10.0.0.2 using the commands below.

ip prefix-list UP-TO-SLASH-26 seq 5 permit 192.168.1.0/24 le 26

router bgp 1
!
neighbor 10.0.0.2 prefix-list UP-TO-SLASH-26 in

Exercise 3

We configure the following prefix list and attach it to the BGP neighbor 10.0.0.2 using the commands below.

ip prefix-list GE-LE seq 5 permit 192.168.1.0/24 ge 25 le 26

router bgp 1
!
neighbor 10.0.0.2 prefix-list GE-LE in

Now let me try and explain what these 3 prefix lists are actually doing.

Prefix list 1 – slash-24-only

ip prefix-list slash-24-only seq 5 permit 192.168.1.0/24

This is pretty straightforward.  This prefix list will match only the exact prefix as configured in the prefix list, i.e. 192.168.1.0/24.

Prefix list 2 – UP-TO-SLASH-26

ip prefix-list UP-TO-SLASH-26 seq 5 permit 192.168.1.0/24 le 26

For a prefix to be permitted by this prefix-list the first 24 bits must match the first 24 bits of 192.168.1.0.

The le 26 then adds a subnet clause which states that the subnet mask being advertised must be less than or equal to 26 bits in length.

Let's consider a bunch of prefixes and see if they would be permitted by the above prefix list.

  1. 192.168.1.0/24
  2. 192.168.1.4/30
  3. 192.168.1.128/25
  4. 192.168.1.0/23
  5. 192.168.1.0/27

Prefix 1 matches both criteria, i.e. the first 24 bits of prefix 1 match the prefix in the prefix list and its subnet mask (24 bits) is less than or equal to 26 bits.

Prefix 2 matches the first criterion, i.e. the first 24 bits of prefix 2 match the prefix in the prefix list, however its subnet mask (30 bits) is greater than 26 bits, so it is denied.

Prefix 3 also matches both criteria, i.e. the first 24 bits of prefix 3 match the prefix in the prefix list and its subnet mask (25 bits) is less than or equal to 26 bits.

Prefix 4 is an invalid prefix, I’ll let you work out why.

Prefix 5 matches the first criteria but fails on the subnet mask length criteria and as such the prefix is denied.

Prefix list 3 – GE-LE

ip prefix-list GE-LE seq 5 permit 192.168.1.0/24 ge 25 le 26

Now this is an interesting beast.  This prefix list has 2 match clauses.

  1. The prefix must match the first 24 bits on the prefix in the prefix list
  2. The subnet mask must be between 25 and 26 bits in length

Let's consider a bunch of prefixes and see if they would be permitted by the above prefix list.

  1. 192.168.1.0/24
  2. 192.168.1.4/30
  3. 192.168.1.128/25

Prefix 1 matches the first criterion, i.e. the first 24 bits match, however its subnet mask (24 bits) falls outside the 25 to 26 bit window, so it is denied.

Prefix 2 matches the first criterion, i.e. the first 24 bits match, however its subnet mask (30 bits) also falls outside the window, so it is denied.

Prefix 3 matches both criteria, i.e. the first 24 bits of prefix 3 match the prefix in the prefix list and its subnet mask is at least 25 bits and at most 26 bits, so it is permitted.
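To make the two match clauses concrete, here is an added Python emulation of the IOS prefix-list semantics described for UP-TO-SLASH-26 and GE-LE above (example code written for this page, not from the original post or from Cisco). It goes a little beyond the post: a prefix list is a sequence of permit/deny entries evaluated first-match with an implicit deny at the end, an entry with only ge is treated as ge..32, and a candidate with host bits set (the post's prefix 4) is reported as invalid rather than matched. The prefix-list names and candidate prefixes are the ones from the post; the entry dictionaries are my own representation.

```python
import ipaddress


def entry_matches(candidate, prefix, ge=None, le=None):
    """Emulate one 'ip prefix-list NAME seq N permit A.B.C.D/len [ge G] [le L]' entry.

    Criterion 1: the first <len> bits of the candidate equal the first <len> bits
                 of the configured prefix.
    Criterion 2: the candidate's mask length falls inside the window: [ge, le] when
                 both are given, [len, le] with only le, [ge, 32] with only ge, and
                 exactly len when neither is given.
    Raises ValueError for a malformed candidate such as 192.168.1.0/23 (host bits set).
    """
    cand = ipaddress.ip_network(candidate, strict=True)
    base = ipaddress.ip_network(prefix, strict=True)
    length = base.prefixlen

    # Criterion 1: mask the candidate down to <len> bits and compare with the base.
    if cand.prefixlen < length:
        return False
    masked = ipaddress.ip_network(f"{cand.network_address}/{length}", strict=False)
    if masked != base:
        return False

    # Criterion 2: mask-length window.
    if ge is None and le is None:
        low = high = length
    else:
        low = length if ge is None else ge
        high = cand.max_prefixlen if le is None else le
    return low <= cand.prefixlen <= high


def prefix_list_lookup(candidate, entries):
    """First-match evaluation of a whole prefix list with IOS's implicit deny.
    Returns 'permit', 'deny' or 'invalid' (candidate is not a valid network)."""
    try:
        ipaddress.ip_network(candidate, strict=True)
    except ValueError:
        return "invalid"
    for entry in entries:
        if entry_matches(candidate, entry["prefix"], entry.get("ge"), entry.get("le")):
            return entry["action"]
    return "deny"   # implicit deny at the end of every prefix list


# The three prefix lists from the post, as entry lists in sequence order.
PREFIX_LISTS = {
    "slash-24-only": [{"action": "permit", "prefix": "192.168.1.0/24"}],
    "UP-TO-SLASH-26": [{"action": "permit", "prefix": "192.168.1.0/24", "le": 26}],
    "GE-LE": [{"action": "permit", "prefix": "192.168.1.0/24", "ge": 25, "le": 26}],
}

# Candidate prefixes used in the post's walk-through (prefix 4 has host bits set).
CANDIDATES = ["192.168.1.0/24", "192.168.1.4/30", "192.168.1.128/25",
              "192.168.1.0/23", "192.168.1.0/27"]


def evaluate_all():
    """Verdict of every prefix list for every candidate."""
    return {name: {c: prefix_list_lookup(c, entries) for c in CANDIDATES}
            for name, entries in PREFIX_LISTS.items()}


if __name__ == "__main__":
    for name, results in evaluate_all().items():
        print(name)
        for cand, verdict in results.items():
            print(f"  {cand:<18} {verdict}")
```

Running it reproduces the post's walk-through: UP-TO-SLASH-26 permits the /24 and the /25 and denies the /30 and /27, GE-LE permits only the /25, and 192.168.1.0/23 is flagged as invalid because 192.168.1.0 is not the start of a /23 block.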

I hope that makes sense.  Anyhow, here is a video showing how to put it all together, or alternatively click here to download and watch it on your iPod.


AFIs and SAFIs

BGP uses Open messages to negotiate BGP sessions.  These Open messages have optional parameters which allow additional capabilities to be negotiated during setup.

If you want to run anything other than IPv4 unicast then you will have to configure BGP to advertise its additional capabilities i.e. Multi-Protocol extensions (AFI/SAFI) during initial setup.

As an example you may want to run IPv4 multicast, VPNv4 or even IPv6.  The table below shows the different AFI and SAFI values.  The AFI and SAFI values combine to form pairs which are used during the BGP negotiation phase, i.e. if the BGP speaker wants to negotiate IPv4 multicast, then it advertises capability 1/2.

AFI        SAFI            TYPE
IPv4 (1)   Unicast (1)     IPv4 Address
IPv4 (1)   Multicast (2)   IPv4 Address
IPv4 (1)   VPN (128)       VPNv4 Address
IPv6 (2)   Unicast (1)     IPv6 Address

Let's suppose you wanted to run an MP-iBGP session between two PE routers to advertise IPv4 Unicast and IPv4 VPN (VPNv4) routes.  You would need to negotiate AFI/SAFI pairs 1/1 and 1/128 during the initial BGP setup phase.  If, after the BGP session is established, you would like to add an additional AFI/SAFI pair, then BGP will have to renegotiate its capabilities, which unfortunately means tearing down the original session.  Some folks refer to this as BGP fate sharing.
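The capability exchange described above can be shown on the wire. The following Python is an added example written for this page (not from the original post or from any router vendor's code): it encodes the Multiprotocol Extensions capability (capability code 1, value AFI/Reserved/SAFI as defined in RFC 4760) inside a Capabilities optional parameter (type 2, RFC 5492) of the OPEN message, decodes the peer's parameter, and takes the intersection as the address families the session carries. Packing every capability into one optional parameter is my choice; a speaker may also send one parameter per capability. The third peer, which lacks IPv6, is a hypothetical addition to show why a missing pair means the session cannot carry that family.

```python
import struct

OPT_PARAM_CAPABILITIES = 2   # OPEN optional parameter type "Capabilities" (RFC 5492)
CAP_MULTIPROTOCOL = 1        # capability code "Multiprotocol Extensions" (RFC 4760)

AFI_NAMES = {1: "IPv4", 2: "IPv6"}
SAFI_NAMES = {1: "Unicast", 2: "Multicast", 128: "VPN"}


def encode_mp_capability(afi, safi):
    """One MP capability: code 1, length 4, value = AFI(2) Reserved(1) SAFI(1)."""
    return struct.pack("!BBHBB", CAP_MULTIPROTOCOL, 4, afi, 0, safi)


def encode_capabilities_param(pairs):
    """Wrap the MP capabilities for the (AFI, SAFI) pairs in one Capabilities
    optional parameter: type 2, one-byte length, then the capabilities."""
    body = b"".join(encode_mp_capability(afi, safi) for afi, safi in pairs)
    return struct.pack("!BB", OPT_PARAM_CAPABILITIES, len(body)) + body


def decode_capabilities_param(data):
    """Parse a Capabilities optional parameter and return its (AFI, SAFI) pairs.
    Unknown capability codes are skipped, as a BGP speaker would; malformed
    or truncated input raises ValueError instead of being silently accepted."""
    if len(data) < 2:
        raise ValueError("truncated optional parameter")
    ptype, plen = struct.unpack("!BB", data[:2])
    if ptype != OPT_PARAM_CAPABILITIES or plen != len(data) - 2:
        raise ValueError("not a well-formed Capabilities optional parameter")
    pairs, pos = [], 2
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated capability header")
        code, length = struct.unpack("!BB", data[pos:pos + 2])
        value = data[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated capability value")
        if code == CAP_MULTIPROTOCOL:
            if length != 4:
                raise ValueError("MP capability value must be 4 bytes")
            afi, _reserved, safi = struct.unpack("!HBB", value)
            pairs.append((afi, safi))
        pos += 2 + length
    return pairs


def negotiated(local_pairs, remote_pairs):
    """Address families the session can carry: those both sides advertised."""
    return sorted(set(local_pairs) & set(remote_pairs))


def describe(pair):
    afi, safi = pair
    return f"{AFI_NAMES.get(afi, afi)}/{SAFI_NAMES.get(safi, safi)} ({afi}/{safi})"


# Constructed exchange: R1 and R2 from the post each advertise IPv4 unicast, VPNv4
# and IPv6 unicast; a hypothetical third PE supports only IPv4 unicast and VPNv4.
R1_PAIRS = [(1, 1), (1, 128), (2, 1)]
R2_PAIRS = [(1, 1), (1, 128), (2, 1)]
PE_WITHOUT_IPV6 = [(1, 1), (1, 128)]


def run_exchange(local_pairs, remote_pairs):
    """Both sides encode their OPEN capabilities; each decodes the other's and
    the intersection is what the established session carries."""
    local_open = encode_capabilities_param(local_pairs)
    remote_open = encode_capabilities_param(remote_pairs)
    return negotiated(decode_capabilities_param(remote_open),
                      decode_capabilities_param(local_open))


if __name__ == "__main__":
    print("R1 OPEN capabilities:", encode_capabilities_param(R1_PAIRS).hex())
    for pair in run_exchange(R1_PAIRS, R2_PAIRS):
        print("  negotiated with R2:", describe(pair))
    for pair in run_exchange(R1_PAIRS, PE_WITHOUT_IPV6):
        print("  negotiated with IPv4-only PE:", describe(pair))
```

The session with R2 ends up carrying 1/1, 1/128 and 2/1; the session with the IPv4-only PE carries only 1/1 and 1/128, and adding 2/1 later means a new OPEN, which is the fate-sharing point made above.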

Anyhow, let's see this in action.  Consider the topology below.

[Topology diagram: afi-safi]

Watch the video below or alternatively click here to download it and watch it on your iPod.


The commands used to configure the above can be found below.

R1
!
ipv6 unicast-routing
!
interface FastEthernet1/0
description "Interface connected to R2"
ip address 10.0.0.1 255.255.255.252
!
router ospf 1
log-adjacency-changes
network 1.1.1.1 0.0.0.0 area 0
network 10.0.0.0 0.0.0.3 area 0
!
router bgp 1
no bgp default ipv4-unicast
neighbor 2.2.2.2 remote-as 1
neighbor 2.2.2.2 update-source Loopback0
!
address-family ipv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community
exit-address-family
!
address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community extended
exit-address-family
!
address-family ipv6
neighbor 2.2.2.2 activate
exit-address-family

R2
!
ipv6 unicast-routing
!
interface FastEthernet1/0
description "Interface connected to R1"
ip address 10.0.0.2 255.255.255.252
!
router ospf 1
log-adjacency-changes
network 2.2.2.2 0.0.0.0 area 0
network 10.0.0.0 0.0.0.3 area 0
!
router bgp 1
no bgp default ipv4-unicast
neighbor 1.1.1.1 remote-as 1
neighbor 1.1.1.1 update-source Loopback0
!
address-family ipv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community
exit-address-family
!
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community extended
exit-address-family
!
address-family ipv6
neighbor 1.1.1.1 activate
exit-address-family

BGP Route Aggregation

There are times when it is required to aggregate a set of prefixes.  There are a number of reasons why you would want to do this: your transit peer at the edge may not accept prefixes beyond a certain length, you may want to reduce the size of the routing table in some part of your network, and so on.

Consider the topology below:-

[Topology diagram: bgp-aggregate]

Watch how to use the aggregate command below, or alternatively download the video and watch it on your iPod.


The commands used in the above setup are as below.

R1

interface FastEthernet1/0
description "Interface connected to R2"
ip address 10.0.0.1 255.255.255.252
!
router bgp 1
no synchronization
bgp log-neighbor-changes
neighbor 10.0.0.2 remote-as 2
no auto-summary

R2

interface FastEthernet1/0
description "Interface connected to R1"
ip address 10.0.0.2 255.255.255.252
!
interface Loopback0
ip address 192.168.0.1 255.255.255.0
!
interface Loopback1
ip address 192.168.1.1 255.255.255.0
!
interface Loopback2
ip address 192.168.2.1 255.255.255.0
!
interface Loopback3
ip address 192.168.3.1 255.255.255.0
!
router bgp 2
no synchronization
bgp log-neighbor-changes
network 192.168.0.0
network 192.168.1.0
network 192.168.2.0
network 192.168.3.0
aggregate-address 192.168.0.0 255.255.252.0 suppress-map SUPPRESS-2-ONLY
neighbor 10.0.0.1 remote-as 1
no auto-summary
!
access-list 1 permit 192.168.2.0 0.0.0.255
!
route-map SUPPRESS-2-ONLY permit 10
match ip address 1

Source Based RTBH

Consider the topology below.

[Topology diagram: rtbh-src]

PC1 sends a SYN flood attack using source IP 192.168.1.1 to PC2's destination address 172.16.1.1.

The network engineer at ZeeNet spots the attack and quickly logs onto the trigger router.  He adds a static route to the trigger router which states that the next hop for 192.168.1.1/32 is Null0.  This static route is then redistributed into BGP and advertised using iBGP to R1.  When the static route is redistributed into iBGP, the route-map attached to the redistribute static command changes the next hop to 192.0.2.1.

R1 has a static route which states to get to 192.0.2.1 go via the null0 interface.

R1 has Unicast Reverse Path Forwarding (URPF) configured on fa1/1.  URPF is a cool technology.  When a packet enters fa1/1, URPF checks the source address of the packet to see whether it has an entry in the local routing table.  If there is no entry in the local routing table, or the entry points to a different interface, or the entry points to null0, then the packet is dropped.

In our case, there is an entry in the local routing table for 192.168.1.1/32 which points to null0.  Therefore URPF will drop the packet.

Once again, you have to understand the implications of using this approach: if, for example, an attacker is sending a SYN flood to PC2 while spoofing the source address 10.10.10.1, and you black hole 10.10.10.1/32 using source based RTBH, then the actual user at 10.10.10.1 will be black holed as well.
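The whole chain above (tagged static on the trigger, route-map rewriting the next hop to 192.0.2.1, the Null0 static on R1, and the strict URPF check on fa1/1) can be traced in a few lines. This is an added Python model written for this page, not code from the original post or from Cisco: it models R1's table with longest-prefix match and recursive next-hop resolution, applies the three drop conditions the post gives for URPF, and then repeats the check for the collateral-damage case in the previous paragraph. The address 192.0.2.1, the spoofed source 192.168.1.1 and PC2's 172.16.1.1 come from the post; which prefixes sit behind fa1/0 and fa1/1, and the 10.10.10.0/24 customer block, are assumptions made for the example.

```python
import ipaddress

NULL0 = "Null0"
DISCARD_NEXT_HOP = "192.0.2.1"   # the post's discard address: ip route 192.0.2.1/32 Null0


class Fib:
    """Minimal longest-prefix-match table with recursive next-hop resolution."""

    def __init__(self):
        self.routes = []   # (network, egress interface or None, next hop or None)

    def add(self, prefix, interface=None, next_hop=None):
        self.routes.append((ipaddress.ip_network(prefix), interface, next_hop))

    def longest_match(self, address):
        addr = ipaddress.ip_address(address)
        best = None
        for net, iface, nh in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface, nh)
        return best

    def egress(self, address, max_depth=8):
        """Follow next hops (the BGP route via 192.0.2.1 resolves to the Null0 static).
        Returns the egress interface, or None if the address is unroutable."""
        entry = self.longest_match(address)
        while entry is not None and entry[1] is None and max_depth > 0:
            entry = self.longest_match(entry[2])
            max_depth -= 1
        return None if entry is None else entry[1]


def urpf_strict_allows(fib, source, ingress):
    """Strict URPF as the post describes it: drop when there is no route to the source,
    when the route points at a different interface, or when it points at Null0."""
    out = fib.egress(source)
    return out is not None and out != NULL0 and out == ingress


def trigger_redistribute(static_routes, tag=100):
    """Emulate route-map BLACK-HOLE on the trigger router: statics carrying the tag
    are redistributed with next hop 192.0.2.1 and community no-export; others are not."""
    return [{"prefix": prefix, "next_hop": DISCARD_NEXT_HOP, "community": "no-export"}
            for prefix, route_tag in static_routes if route_tag == tag]


def build_r1_fib(bgp_routes):
    """R1's table. The interface-to-prefix mappings are assumptions for this example."""
    fib = Fib()
    fib.add("172.16.1.0/24", interface="fa1/0")   # assumed: PC2 (172.16.1.1) is behind fa1/0
    fib.add("192.168.1.0/24", interface="fa1/1")  # assumed: the spoofed source's /24 is behind fa1/1
    fib.add("10.10.10.0/24", interface="fa1/1")   # assumed: a genuine customer block on fa1/1
    fib.add("192.0.2.1/32", interface=NULL0)      # from the post: the black hole static on R1
    for route in bgp_routes:                      # iBGP routes learnt from the trigger router
        fib.add(route["prefix"], next_hop=route["next_hop"])
    return fib


def decide(fib, source, ingress="fa1/1"):
    return "forward" if urpf_strict_allows(fib, source, ingress) else "drop"


# Constructed trigger-router statics: the attack source (tagged) and an untagged static.
TRIGGER_STATICS = [("192.168.1.1/32", 100), ("10.0.0.0/8", 0)]


def run_scenario():
    """Verdicts for packets arriving on fa1/1 before and after the collateral case."""
    fib = build_r1_fib(trigger_redistribute(TRIGGER_STATICS))
    results = {
        "spoofed attack source 192.168.1.1": decide(fib, "192.168.1.1"),
        "other host in same /24 192.168.1.50": decide(fib, "192.168.1.50"),
        "source with no route 203.0.113.9": decide(fib, "203.0.113.9"),
        "PC2's address arriving on wrong interface": decide(fib, "172.16.1.1"),
    }
    # The post's caveat: black-holing a spoofed source also blocks its genuine owner.
    fib2 = build_r1_fib(trigger_redistribute(TRIGGER_STATICS + [("10.10.10.1/32", 100)]))
    results["genuine 10.10.10.1 after it is black-holed"] = decide(fib2, "10.10.10.1")
    results["neighbour 10.10.10.2 unaffected"] = decide(fib2, "10.10.10.2")
    return results


if __name__ == "__main__":
    for case, verdict in run_scenario().items():
        print(f"{verdict:8} {case}")
```

Two things the run makes visible: the black hole works through recursion (192.168.1.1/32 has no interface of its own, it only resolves to Null0 via 192.0.2.1, which is why the discard static on R1 is essential), and the same recursion is what takes the genuine 10.10.10.1 offline while 10.10.10.2 next to it keeps working.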

Now lets look at how to configure Source based RTBH below, or alternatively click here to download it and watch it on your iPod.


The commands used to configure Source based RTBH are as follows.

R1

! To configure URPF on interface facing attacker.

interface FastEthernet1/1
ip verify unicast reverse-path

! Black hole static route.

ip route 192.0.2.1 255.255.255.255 Null0

Trigger router

! Route map which matches tagged static routes, sets the IP next hop and adds the no-export community.

route-map BLACK-HOLE permit 10
match tag 100
set ip next-hop 192.0.2.1
set community no-export

! Attach the route map to redist static command under BGP.

router bgp 1
redistribute static route-map BLACK-HOLE

! Add a static route for the source address you want to black hole, tagged so the route map matches it.

ip route 192.168.1.1 255.255.255.255 Null0 tag 100

! Black hole static route.

ip route 192.0.2.1 255.255.255.255 Null0