Sunday, October 2, 2011

Deleting BGP Communities

BGP communities are passed between BGP peers when the 'send-community' option is set for the neighbor. But what if there is a requirement to delete one of the communities from the list associated with a route?



Consider the topology below. The route 1.1.1.0/24 is advertised by R1 to R2, and the route carries the community attributes 'no-advertise' and 'internet'. R2 has an iBGP peering with R3 and send-community is set. Initially, by default, R3 does not receive the route, as a direct result of the no-advertise community. The requirement is for R3 to have the BGP route 1.1.1.0/24 with only the internet community attached.

The solution relies on the 'set comm-list ... delete' route-map command, which removes the communities matched by the named community-list. Below I attach the working config from R2.

R2

ip community-list standard RIC permit no-advertise
!
route-map RIC permit 10
 set comm-list RIC delete
!
router bgp 1
 neighbor 192.168.12.1 remote-as 2
 neighbor 192.168.12.1 route-map RIC in
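The matching rule behind 'set comm-list RIC delete', as an added example that is not part of the original post: a model of how a standard community-list is walked per community when used for deletion, run over the route from the post. The helper names are assumptions; the model covers list entries naming one community each, the form used above.

```python
# Well-known communities (RFC 1997) as 32-bit values, plus 'internet',
# which IOS stores as 0:0 when it is set on a route.
WELL_KNOWN = {
    "internet": 0x00000000,
    "no-export": 0xFFFFFF01,
    "no-advertise": 0xFFFFFF02,
    "local-as": 0xFFFFFF03,
}

def parse_community(text):
    """'no-advertise' or 'AS:NN' notation -> 32-bit community value."""
    if text in WELL_KNOWN:
        return WELL_KNOWN[text]
    asn, nn = text.split(":")
    return (int(asn) << 16) | int(nn)

def fmt_community(value):
    """32-bit value -> well-known name, or 'AS:NN' if it has none."""
    for name, known in WELL_KNOWN.items():
        if known == value:
            return name
    return f"{value >> 16}:{value & 0xFFFF}"

def apply_comm_list_delete(route_communities, comm_list):
    """Model of 'set comm-list <list> delete' for a standard community-list
    whose entries each name one community (the form used in the post).

    comm_list: ordered (action, community) entries, action 'permit'/'deny'.
    For every community on the route the list is walked top-down and the
    first entry that matches decides: permit = delete it, deny = keep it.
    A community matched by no entry is kept: the list's implicit deny means
    "not selected for deletion", not "removed".
    """
    kept = []
    for comm in route_communities:
        verdict = "keep"
        for action, entry in comm_list:
            if entry == comm:
                verdict = "delete" if action == "permit" else "keep"
                break
        if verdict == "keep":
            kept.append(comm)
    return kept

def demo():
    """R2 applying route-map RIC inbound to 1.1.1.0/24 from R1."""
    route = [parse_community(c) for c in ("no-advertise", "internet")]
    # ip community-list standard RIC permit no-advertise
    ric = [("permit", parse_community("no-advertise"))]
    return [fmt_community(c) for c in apply_comm_list_delete(route, ric)]
```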





Tuesday, September 27, 2011

OSPF Distance command

The OSPF distance command can be used in a number of different ways. I found the first one is well documented on the Doc CD in the OSPF routing section; however, the next three are strangely absent there. There is some information under the general distance command, but it does not detail its use in OSPF.

I) distance ospf {external | inter-area | intra-area} AD - sets the distance per OSPF route type
II) distance AD - sets the distance for all routes

III) distance AD {ip-address wildcard-mask} - sets the distance for all routes learned from a specific source router. The source router is identified by the RID of the router that originated the link-state advertisement for the route.

IV) distance AD {ip-address wildcard-mask} ACL - identical to the previous command, but applied only to the subset of routes that match the ACL.



Thursday, September 8, 2011

IPv6 Multicast

IPv6 multicast rears its head on v4 of the CCIE blueprint. If you know the basics of IPv4 multicast, the basics of IPv6 multicast should be pretty straightforward. In fact, with IPv6 it is not even necessary to define interfaces as multicast capable: once ipv6 multicast-routing is enabled on the router, the interfaces become multicast enabled as well.

Here is a config example for just two routers connected via an Ethernet interface: R1---R2. The basic steps are:
i) enable IPv6 multicast routing
ii) define the RP
iii) join an interface to a multicast group

R1

ipv6 multicast-routing
ipv6 pim rp-address 2002::2

R2

ipv6 multicast-routing
!
interface Loopback0
 ipv6 mld join-group FF04::2
!
ipv6 pim rp-address 2002::2


With the above configuration an IPv6 PIM neighbourship forms between R1 and R2.


The show ipv6 pim group-map command can be used to see that a multicast address is associated with the RP.


Finally I test the multicast group with a ping.

Sunday, September 4, 2011

BGP adjacency problem

In this post I detail a recent problem encountered with a flapping BGP adjacency and a number of ways to resolve it.

R1 has a BGP adjacency with R2. However, it is continually flapping (see below).

The routers peer using their Loopback0 addresses, which are reachable via OSPF. The issue arises because, as the BGP peering comes up, the loopback prefixes are advertised over the BGP adjacency. The OSPF AD is 110 whereas the eBGP route AD is 20, so the BGP-learned loopback route becomes preferred over the OSPF route and the adjacency now depends on a route learned over the adjacency itself. This is a type of recursive loop and is not allowed (just like learning the destination of a tunnel over the tunnel itself). The adjacency is dropped and the whole process starts again.

I have detailed three solutions to the problem here.

1) Block the Loopback prefixes from being received

On R2

ip prefix-list ric seq 5 deny 1.1.1.1/32
ip prefix-list ric seq 10 permit 0.0.0.0/0 le 32
!
router bgp 2
 neighbor 1.1.1.1 prefix-list ric in

2) Modify the OSPF distance so that the OSPF route is preferred over the eBGP route

router ospf 1
 distance ospf intra-area 19

3) Use the BGP backdoor command to raise the AD of the BGP route to 200.

router bgp 1
 network 2.2.2.2 mask 255.255.255.255 backdoor

Once the command is applied, the route to 2.2.2.2 shows up in the BGP table as a RIB failure. The show ip bgp rib-failure command completes the verification.
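The administrative-distance comparison behind the flap, and why each of the three fixes stops it, as an added example that is not part of the original post. It models R2's candidate routes for R1's loopback; the backdoor fix is modelled from R2's side for 1.1.1.1 (the post applies it on R1 for 2.2.2.2, the same mechanism seen from the other router), and the helper names are assumptions.

```python
from dataclasses import dataclass

# IOS default administrative distances the post compares, plus the value a
# 'network ... backdoor' statement assigns to the BGP-learned copy.
AD_EBGP = 20
AD_OSPF = 110
AD_BACKDOOR = 200

@dataclass
class Candidate:
    prefix: str
    proto: str                 # 'ospf' or 'bgp'
    distance: int
    learned_from: str = ""     # BGP peer address for 'bgp' candidates

def best_route(rib, prefix):
    """Lowest administrative distance wins (equal distances not modelled)."""
    cands = [c for c in rib if c.prefix == prefix]
    return min(cands, key=lambda c: c.distance) if cands else None

def peering_is_stable(rib, peer):
    """The session to 'peer' is stable only if the best route to the peer's
    loopback does not itself depend on that session."""
    best = best_route(rib, f"{peer}/32")
    if best is None:
        return False
    return not (best.proto == "bgp" and best.learned_from == peer)

def r2_rib(fix=None):
    """R2's candidate routes for R1's Loopback0 under each of the post's fixes."""
    peer = "1.1.1.1"
    ospf = Candidate(f"{peer}/32", "ospf", AD_OSPF)
    bgp = Candidate(f"{peer}/32", "bgp", AD_EBGP, learned_from=peer)
    if fix == "prefix-list":   # 1) 'neighbor 1.1.1.1 prefix-list ric in'
        return [ospf]
    if fix == "distance":      # 2) 'distance ospf intra-area 19'
        return [Candidate(f"{peer}/32", "ospf", 19), bgp]
    if fix == "backdoor":      # 3) 'network 1.1.1.1 mask 255.255.255.255 backdoor'
        return [ospf, Candidate(f"{peer}/32", "bgp", AD_BACKDOOR, learned_from=peer)]
    return [ospf, bgp]         # no fix: eBGP 20 beats OSPF 110, session flaps

def demo():
    """Map each fix (None = unfixed) to whether the peering stays up."""
    return {fix: peering_is_stable(r2_rib(fix), "1.1.1.1")
            for fix in (None, "prefix-list", "distance", "backdoor")}
```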

Monday, August 29, 2011

PPPoE

Point-to-Point Protocol over Ethernet (PPPoE) enables the use of PPP over an Ethernet connection. Here I lay out a working solution between client and server.

The many configuration options are covered in the 'Cisco IOS Broadband Access Aggregation and DSL Configuration Guide', under the Configuration Guides section of the Cisco documentation:
http://www.cisco.com/en/US/products/ps6441/products_installation_and_configuration_guides_list.html

In this example I have R2 and R3 connected via an Ethernet connection. R2 is the client and R3 is the server.

R2

username R3 password 0 RICH
!
interface Ethernet0/1
 ip address 2.2.2.2 255.255.255.248
 half-duplex
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer1
 mtu 1492
 ip address 10.10.10.2 255.255.255.0
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 ppp authentication chap

R3

username R2 password 0 RICH
!
bba-group pppoe global
 virtual-template 1
!
interface Ethernet0/0
 ip address 2.2.2.3 255.255.255.248
 half-duplex
 pppoe enable group global
!
interface Virtual-Template1
 ip address 10.10.10.3 255.255.255.0
 ppp authentication chap
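Where the 'mtu 1492' on Dialer1 comes from, as an added example that is not part of the original post: a PPPoE session-stage header (RFC 2516) is 6 bytes and the PPP protocol field 2 more, so an IP packet can be at most 1492 bytes and still fit a 1500-byte Ethernet payload. The builder and parser below and their sample values are constructed for illustration.

```python
import struct

ETHERTYPE_PPPOE_SESSION = 0x8864   # Ethernet type for session-stage frames
PPP_PROTO_IPV4 = 0x0021            # PPP protocol number for IPv4
ETHERNET_MTU = 1500
PPPOE_HEADER_LEN = 6               # ver/type(1) code(1) session-id(2) length(2)
PPP_PROTO_LEN = 2

# Largest PPP payload that fits in a standard Ethernet payload: 1500 - 6 - 2.
PPPOE_MTU = ETHERNET_MTU - PPPOE_HEADER_LEN - PPP_PROTO_LEN

def build_session_frame(session_id, ppp_protocol, payload):
    """Return PPPoE header + PPP protocol + payload (Ethernet header omitted).

    Refuses payloads above PPPOE_MTU: without the lowered dialer MTU the
    encapsulated frame would exceed 1500 bytes on the wire.
    """
    if len(payload) > PPPOE_MTU:
        raise ValueError(f"payload {len(payload)} > {PPPOE_MTU}; fragment first")
    ppp = struct.pack("!H", ppp_protocol) + payload
    # ver=1 and type=1 share one byte (0x11); code 0x00 = session data.
    header = struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp))
    return header + ppp

def parse_session_frame(frame):
    """Parse a session-stage frame -> (session_id, ppp_protocol, payload)."""
    if len(frame) < PPPOE_HEADER_LEN + PPP_PROTO_LEN:
        raise ValueError("frame too short for PPPoE + PPP headers")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[:6])
    if ver_type != 0x11 or code != 0x00:
        raise ValueError("not a PPPoE v1 session-stage frame")
    ppp = frame[6:6 + length]
    if len(ppp) != length:
        raise ValueError("truncated PPPoE payload")
    proto = struct.unpack("!H", ppp[:2])[0]
    return session_id, proto, ppp[2:]

def demo():
    """A maximum-size (1492-byte) constructed IP packet fills the frame exactly."""
    ip_packet = b"\x45" + b"\x00" * 1491
    frame = build_session_frame(0x0001, PPP_PROTO_IPV4, ip_packet)
    return len(frame), parse_session_frame(frame)[0]
```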

Wednesday, August 24, 2011

Netflow

NetFlow is a Cisco-developed network protocol that has become an industry standard for monitoring traffic (RFC 3954). Once configured, on a per-interface basis, the router builds a NetFlow record for each unique traffic stream. Among other details the record includes the number of bytes and packets. The record is exported once the flow has finished, or at a preconfigured time interval, over UDP or SCTP.

CEF is a prerequisite for NetFlow to work. To configure it on an interface:

Router(config-if)#ip flow {ingress|egress}

Verification

show ip flow interface
show ip cache flow


To configure data export:

ip flow-export destination {ip-address} {udp-port}

Verification

show ip flow export
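The RFC 3954 export format cited above, as an added example that is not part of the original post: a minimal collector-side parser for NetFlow v9 (packet header, template flowset, then data records decoded with the learned template), run over an export packet constructed inline. Field-type numbers are RFC 3954 values; the packet contents and helper names are assumptions.

```python
import struct, socket

# NetFlow v9 field types used below (RFC 3954, section 8).
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}

def decode_field(ftype, raw):
    """Addresses as dotted quads, everything else as a big-endian integer."""
    return socket.inet_ntoa(raw) if ftype in (8, 12) else int.from_bytes(raw, "big")

def parse_v9(packet, templates=None):
    """Return (header dict, list of flow records). 'templates' carries
    learned template ids across packets, as a real collector must."""
    templates = {} if templates is None else templates
    ver, count, uptime, secs, seq, src_id = struct.unpack("!HHIIII", packet[:20])
    if ver != 9:
        raise ValueError(f"not NetFlow v9 (version {ver})")
    header = {"count": count, "uptime_ms": uptime, "unix_secs": secs,
              "sequence": seq, "source_id": src_id}
    records, off = [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4:
            raise ValueError("malformed flowset length")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:                                # template flowset
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                fields = [struct.unpack("!HH", body[p + 4 + 4 * i:p + 8 + 4 * i])
                          for i in range(nfields)]
                templates[tid] = fields
                p += 4 + 4 * nfields
        elif fs_id >= 256 and fs_id in templates:     # data flowset (unknown templates skipped)
            fields = templates[fs_id]
            rec_len = sum(flen for _, flen in fields)
            p = 0
            while p + rec_len <= len(body):           # leftover bytes are padding
                rec, q = {}, p
                for ftype, flen in fields:
                    rec[FIELD_NAMES.get(ftype, ftype)] = decode_field(ftype, body[q:q + flen])
                    q += flen
                records.append(rec)
                p += rec_len
        off += fs_len
    return header, records

# Constructed packet: header, template 256 (7 fields), one 21-byte record + 3 pad bytes.
TEMPLATE = struct.pack("!HH" + "HH" * 7, 256, 7, 8, 4, 12, 4, 1, 4, 2, 4, 7, 2, 11, 2, 4, 1)
RECORD = (socket.inet_aton("10.0.0.1") + socket.inet_aton("192.0.2.9")
          + struct.pack("!IIHHB", 1500, 10, 40000, 53, 17) + b"\x00" * 3)
SAMPLE = (struct.pack("!HHIIII", 9, 2, 123456, 1314000000, 1, 0)
          + struct.pack("!HH", 0, 4 + len(TEMPLATE)) + TEMPLATE
          + struct.pack("!HH", 256, 4 + len(RECORD)) + RECORD)
```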

Tuesday, August 23, 2011

OER

OER, or Optimized Edge Routing, also known as PfR or Performance Routing, is now part of the v4 blueprint. In summary it is a feature that enables selection of a route based on its dynamic performance metrics, something lacking in traditional routing protocols, which assign a metric to a route. That assigned metric is in effect the static expected performance of the route, used when comparing it with any alternates.

OER is a step towards route selection based on true dynamic performance, e.g. in terms of real round-trip times of packets. There is quite a bit of configuring required. Cisco lays out five phases:

• Profiling
• Measuring
• Policy Application
• Control
• Verification

The components of OER are a Master Controller (MC) and the Border Routers (BRs). The BRs send performance statistics to the MC, and the MC sends routing policy decisions to the BRs. It is the BRs that sit on the edge of the network and implement the policies to control the traffic leaving on the external links.

Here I lay out the basic config between the MC and the borders. Authentication via a key chain between MC and BR is not optional.

Master Configuration

R1

key chain RIC
 key 1
  key-string ROUTERRIC
!
oer master
 keepalive 10
 logging
 !
 border 2.2.2.2 key-chain RIC
  interface Serial1/0 external
  interface Ethernet0/0 internal
 !
 border 3.3.3.3 key-chain RIC
  interface Serial1/0 external
  interface Ethernet0/0 internal

Border Config on R2 and R3

key chain RIC
 key 1
  key-string ROUTERRIC
!
oer border
 local Loopback0
 master 1.1.1.1 key-chain RIC

Verification on R1

R1#show oer master
OER state: ENABLED and ACTIVE
Conn Status: SUCCESS, PORT: 3949
Number of Border routers: 2
Number of Exits: 2
Number of monitored prefixes: 0 (max 5000)
Max prefixes: total 5000 learn 2500
Prefix count: total 0, learn 0, cfg 0

Border           Status   UP/DOWN       AuthFail
3.3.3.3          ACTIVE   UP 00:01:57          0
2.2.2.2          ACTIVE   UP 00:02:14          0

Verification on R2 and R3

R2#show oer border
OER BR 2.2.2.2 ACTIVE, MC 1.1.1.1 UP/DOWN: UP 00:45:16, Auth Failures: 0
Conn Status: SUCCESS, PORT: 3949
Exits
  Et0/0    INTERNAL
  Se1/0    EXTERNAL

Monday, August 22, 2011

EIGRP V6

New in v4 CCIE R&S. EIGRPv6 is found in the configuration guide under the IPv6 EIGRP section, not under EIGRP.

Below is a sample config:

ipv6 unicast-routing
!
ipv6 router eigrp 1
 no shutdown
!
interface Ethernet0/0
 ipv6 enable
 ipv6 eigrp 1


Of note is the fact that the EIGRPv6 router process is shut down until it is manually enabled with 'no shutdown':
R4(config-rtr)#do show ipv6 eigrp ne
IPv6-EIGRP neighbors for process 1
% EIGRP 1 is in SHUTDOWN

Once the ipv6 router eigrp process is started, the neighbour relationship comes up:

R4(config-rtr)#ipv6 router eigrp 1
R4(config-rtr)#no shut
*Mar 1 00:05:32.727: %DUAL-5-NBRCHANGE: IPv6-EIGRP(0) 1: Neighbor FE80::C003:13FF:FE7C:0 (FastEthernet0/0) is up: new adjacency

R4#s ipv6 eigrp ne
IPv6-EIGRP neighbors for process 1
H   Address                  Interface   Hold  Uptime    SRTT   RTO   Q    Seq
                                         (sec)           (ms)         Cnt  Num
0   Link-local address:      Fa0/0       13    00:01:38  1980   5000  0    1
    FE80::C003:13FF:FE7C:0

Reviewing the V4 Blueprint

I have listed the CCIE Lab v4 R&S blueprint below. The following topics look like additions over and above the v3 lab content. So far I have reviewed and blogged on RITE and MPLS, and hope to cover the other topics over the coming weeks and months.

New V4 topics
PPPoE
OER (Optimised Edge Routing)
MPLS
EIGRP v6
Ipv6 Multicast
AUTOQOS
NETFLOW
RITE (Router IP Traffic-Export)
EEM (Embedded Event Manager)
Zone Based Firewall
IPS (intrusion Prevention System)

Complete V4 blueprint
1.10 Implement Spanning Tree Protocol (STP)
(a) 802.1d
(b) 802.1w
(c) 802.1s
(d) Loop guard
(e) Root guard
(f) Bridge protocol data unit (BPDU) guard
(g) Storm control
(h) Unicast flooding
(i) Port roles, failure propagation, and loop guard operation
1.20 Implement VLAN and VLAN Trunking Protocol (VTP)
1.30 Implement trunk and trunk protocols, EtherChannel, and load-balance
1.40 Implement Ethernet technologies
(a) Speed and duplex
(b) Ethernet, Fast Ethernet, and Gigabit Ethernet
(c) PPP over Ethernet (PPPoE)
1.50 Implement Switched Port Analyzer (SPAN), Remote Switched Port Analyzer (RSPAN), and flow control
1.60 Implement Frame Relay
(a) Local Management Interface (LMI)
(b) Traffic shaping
(c) Full mesh
(d) Hub and spoke
(e) Discard eligible (DE)
1.70 Implement High-Level Data Link Control (HDLC) and PPP

2.00 Implement IPv4
2.10 Implement IP version 4 (IPv4) addressing, subnetting, and variable-length subnet masking (VLSM)
2.20 Implement IPv4 tunneling and Generic Routing Encapsulation (GRE)
2.30 Implement IPv4 RIP version 2 (RIPv2)
2.40 Implement IPv4 Open Shortest Path First (OSPF)
(a) Standard OSPF areas
(b) Stub area
(c) Totally stubby area
(d) Not-so-stubby-area (NSSA)
(e) Totally NSSA
(f) Link-state advertisement (LSA) types
(g) Adjacency on a point-to-point and on a multi-access network
(h) OSPF graceful restart
2.50 Implement IPv4 Enhanced Interior Gateway Routing Protocol (EIGRP)
(a) Best path
(b) Loop-free paths
(c) EIGRP operations when alternate loop-free paths are available, and when they are not available
(d) EIGRP queries
(e) Manual summarization and autosummarization
(f) EIGRP stubs
2.60 Implement IPv4 Border Gateway Protocol (BGP)
(a) Next hop
(b) Peering
(c) Internal Border Gateway Protocol (IBGP) and External Border Gateway Protocol (EBGP)
2.70 Implement policy routing
2.80 Implement Performance Routing (PfR) and Cisco Optimized Edge Routing (OER)
2.90 Implement filtering, route redistribution, summarization, synchronization, attributes, and other advanced features

3.00 Implement IPv6
3.10 Implement IP version 6 (IPv6) addressing and different addressing types
3.20 Implement IPv6 neighbor discovery
3.30 Implement basic IPv6 functionality protocols
3.40 Implement tunneling techniques
3.50 Implement OSPF version 3 (OSPFv3)
3.60 Implement EIGRP version 6 (EIGRPv6)
3.70 Implement filtering and route redistribution

4.00 Implement MPLS Layer 3 VPNs
4.10 Implement Multiprotocol Label Switching (MPLS)
4.20 Implement Layer 3 virtual private networks (VPNs) on provider edge (PE), provider (P), and customer edge (CE) routers
4.30 Implement virtual routing and forwarding (VRF) and Multi-VRF Customer Edge (VRF-Lite)

5.00 Implement IP Multicast
5.10 Implement Protocol Independent Multicast (PIM) sparse mode
5.20 Implement Multicast Source Discovery Protocol (MSDP)
5.30 Implement interdomain multicast routing
5.40 Implement PIM Auto-Rendezvous Point (Auto-RP), unicast rendezvous point (RP), and bootstrap router (BSR)
5.50 Implement multicast tools, features, and source-specific multicast
5.60 Implement IPv6 multicast, PIM, and related multicast protocols, such as Multicast Listener Discovery (MLD)

6.00 Implement Network Security
6.01 Implement access lists
6.02 Implement Zone Based Firewall
6.03 Implement Unicast Reverse Path Forwarding (uRPF)
6.04 Implement IP Source Guard
6.05 Implement authentication, authorization, and accounting (AAA) (configuring the AAA server is not required, only the client-side (IOS) is configured)
6.06 Implement Control Plane Policing (CoPP)
6.07 Implement Cisco IOS Firewall
6.08 Implement Cisco IOS Intrusion Prevention System (IPS)
6.09 Implement Secure Shell (SSH)
6.10 Implement 802.1x
6.11 Implement NAT
6.12 Implement routing protocol authentication
6.13 Implement device access control
6.14 Implement security features

7.00 Implement Network Services
7.10 Implement Hot Standby Router Protocol (HSRP)
7.20 Implement Gateway Load Balancing Protocol (GLBP)
7.30 Implement Virtual Router Redundancy Protocol (VRRP)
7.40 Implement Network Time Protocol (NTP)
7.50 Implement DHCP
7.60 Implement Web Cache Communication Protocol (WCCP)

8.00 Implement Quality of Service (QoS)
8.10 Implement Modular QoS CLI (MQC)
(a) Network-Based Application Recognition (NBAR)
(b) Class-based weighted fair queuing (CBWFQ), modified deficit round robin (MDRR), and low latency queuing (LLQ)
(c) Classification
(d) Policing
(e) Shaping
(f) Marking
(g) Weighted random early detection (WRED) and random early detection (RED)
(h) Compression
8.20 Implement Layer 2 QoS: weighted round robin (WRR), shaped round robin (SRR), and policies
8.30 Implement link fragmentation and interleaving (LFI) for Frame Relay
8.40 Implement generic traffic shaping
8.50 Implement Resource Reservation Protocol (RSVP)
8.60 Implement Cisco AutoQoS

9.00 Troubleshoot a Network
9.10 Troubleshoot complex Layer 2 network issues
9.20 Troubleshoot complex Layer 3 network issues
9.30 Troubleshoot a network in response to application problems
9.40 Troubleshoot network services
9.50 Troubleshoot network security

10.00 Optimize the Network
10.01 Implement syslog and local logging
10.02 Implement IP Service Level Agreement SLA
10.03 Implement NetFlow
10.04 Implement SPAN, RSPAN, and router IP traffic export (RITE)
10.05 Implement Simple Network Management Protocol (SNMP)
10.06 Implement Cisco IOS Embedded Event Manager (EEM)
10.07 Implement Remote Monitoring (RMON)
10.08 Implement FTP
10.09 Implement TFTP
10.10 Implement TFTP server on router
10.11 Implement Secure Copy Protocol (SCP)
10.12 Implement HTTP and HTTPS
10.13 Implement Telnet

Saturday, August 20, 2011

Router Sniffer Capture

Ever wondered if you can run a sniffer from a router? I have only ever used monitor sessions on switches, so Router IP Traffic Export (RITE) was an interesting discovery for me. It can be used to achieve the same as a monitor session on a switch. It is also on the v4 blueprint, so a useful command to have come across. It's not that difficult either!

There are just two configuration steps: define a profile naming the outgoing sniffer port and the MAC address of the device attached to it, then apply that profile on the ingress port whose traffic is to be captured.

Here's an example:

ip traffic-export profile RICH
 interface Ethernet0/1
 mac-address 1111.2222.3333
!
interface Ethernet0/0
 ip traffic-export apply RICH

R1#show ip traffic-exp
Router IP Traffic Export Parameters
  Monitored Interface              Ethernet0/0
    Export Interface               Ethernet0/1
    Destination MAC address        1111.2222.3333
    bi-directional traffic export is off
  Input IP Traffic Export Information
    Packets/Bytes Exported         0/0
    Packets Dropped                0
    Sampling Rate                  one-in-every 1 packets
    No Access List configured
  Profile RICH is Active

There are a number of extra options I've not detailed here. The above shows the basic configuration that's needed to get the feature operational.

SHAM LINKS

A customer has two entry points into an MPLS VPN. It is a requirement for the customer's intersite traffic to traverse the MPLS VPN. When the customer runs OSPF between its sites, by default the slower backdoor serial connection will always be preferred by OSPF. This is because routes injected into the OSPF domain by the PE routers will be external routes and hence always less preferred than OSPF internal routes.

Sham links get around this problem. Effectively they are a vehicle that enables the OSPF routes traversing the provider backbone to appear as internal OSPF routes.

Sham links are analogous to virtual links: they have tunnel start and end points and traverse a routing domain. The following are required:

1) A /32 loopback address on each PE router. It has to be in the customer VRF and must NOT be advertised directly into OSPF.

2) Advertise these loopbacks into MP-BGP as VPNv4 routes. This is how the PE routers learn the endpoints of the sham link.

3) Configure the sham link under the OSPF process on the PE routers.

1)
PE1
interface Loopback0
 ip vrf forwarding CUST1
 ip address 192.168.0.1 255.255.255.255

PE2
interface Loopback0
 ip vrf forwarding CUST1
 ip address 192.168.0.2 255.255.255.255

2)
PE1
router bgp 1
 address-family ipv4 vrf CUST1
  network 192.168.0.1 mask 255.255.255.255

PE2
router bgp 1
 address-family ipv4 vrf CUST1
  network 192.168.0.2 mask 255.255.255.255

3)
PE1
router ospf 1 vrf CUST1
 area 0 sham-link 192.168.0.1 192.168.0.2

PE2
router ospf 1 vrf CUST1
 area 0 sham-link 192.168.0.2 192.168.0.1
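The route-preference rule that makes the backdoor win, and what the sham link changes, as an added example that is not part of the original post: OSPF ranks paths by type before cost (RFC 2328 section 16.4.1: intra-area, then inter-area, then external type 1, then type 2), so a cheap non-intra-area path never beats an expensive intra-area one. Path names, costs and helper names are constructed for illustration.

```python
# Lower rank wins; cost only breaks ties within the same path type.
PATH_RANK = {"intra-area": 0, "inter-area": 1, "external-1": 2, "external-2": 3}

def best_path(candidates):
    """candidates: list of (name, path_type, cost); lowest (rank, cost) wins."""
    return min(candidates, key=lambda c: (PATH_RANK[c[1]], c[2]))

def customer_paths(sham_link, backdoor_cost=1000, mpls_cost=10):
    """Paths from site 1 to a site 2 prefix as seen by the site 1 CE.

    Without a sham link the route learned from the PE is not intra-area (the
    post describes it as external; inter-area ranks below intra-area just the
    same), so the slow intra-area backdoor wins regardless of cost. With a
    sham link in area 0 the backbone path is intra-area too, and cost decides.
    """
    backdoor = ("backdoor serial", "intra-area", backdoor_cost)
    via_pe_type = "intra-area" if sham_link else "external-2"
    via_pe = ("MPLS VPN via PE", via_pe_type, mpls_cost)
    return [backdoor, via_pe]

def chosen_path(sham_link, **costs):
    """Name of the path the CE installs, with or without the sham link."""
    return best_path(customer_paths(sham_link, **costs))[0]
```

Note that with the sham link configured the cost still matters: a sham link whose cost exceeds the backdoor's would leave the backdoor preferred.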