<?xml version="1.0" encoding="UTF-8"?><!-- generator="wordpress.com" -->
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	>

<channel>
	<title>bgp « WordPress.com Tag Feed</title>
	<link>http://wordpress.com/tag/bgp/</link>
	<description>Feed of posts on WordPress.com tagged "bgp"</description>
	<pubDate>Sat, 11 Oct 2008 03:55:20 +0000</pubDate>

	<generator>http://wordpress.com/tags/</generator>
	<language>en</language>

<item>
<title><![CDATA[Regular Expressions]]></title>
<link>http://usaccie.wordpress.com/?p=13</link>
<pubDate>Sat, 11 Oct 2008 02:31:44 +0000</pubDate>
<dc:creator>usaccie</dc:creator>
<guid>http://usaccie.pt.wordpress.com/2008/10/10/regular-expressions/</guid>
<description><![CDATA[http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800c95bb.shtml#asregexp

AS Regu]]></description>
<content:encoded><![CDATA[<p>http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800c95bb.shtml#asregexp</p>
<p><span class="content"></p>
<h3><a name="asregexp">AS Regular Expression</a></h3>
<p>This section explains the creation of a regular expression.</p>
<p>A regular expression is a pattern to match against an input string. 	 When you build a regular expression, you specify a string that input must 	 match. In the case of BGP, you specify a string that consists of path 	 information that an input must match.</p>
<p>In the example in the section <a href="http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800c95bb.shtml#pathfilter">Path 	 Filtering</a>, you specified the string 	 <tt>^200$</tt>. You wanted path information that comes 	 inside updates to match the string in order to make a decision.</p>
<p>A regular expression comprises:</p>
<ul>
<li><strong>Range</strong>
<p>A range is a sequence of characters within left and right square brackets. An example is <tt>[abcd]</tt>.</p></li>
<li><strong>Atom</strong>
<p>An atom is a single character. Here are some examples:</p>
<blockquote>
<pre>.</pre>
</blockquote>
<ul>
<li>The <tt>.</tt> matches any single 		  character.</li>
</ul>
<blockquote>
<pre>^</pre>
</blockquote>
<ul>
<li>The <tt>^</tt> matches the start of the input 		  string.</li>
</ul>
<blockquote>
<pre>$</pre>
</blockquote>
<ul>
<li>The <tt>$</tt> matches the end of the input 		  string.</li>
</ul>
<blockquote>
<pre>\</pre>
</blockquote>
<ul>
<li>The <tt>\</tt> matches the character that follows it.</li>
</ul>
<blockquote>
<pre>_</pre>
</blockquote>
<ul>
<li>The <tt>_</tt> matches a comma 		  (<tt>,</tt>), left brace 		  (<tt>{</tt>), right brace 		  (<tt>}</tt>), the start of the input string, the end of 		  the input string, or a space.</li>
</ul>
</li>
<li><strong>Piece</strong>
<p>A piece is one of these symbols, which follows an atom:</p>
<blockquote>
<pre>*</pre>
</blockquote>
<ul>
<li>The <tt>*</tt> matches 0 or more sequences 		  of the atom.</li>
</ul>
<blockquote>
<pre>+</pre>
</blockquote>
<ul>
<li>The <tt>+</tt> matches 1 or more sequences 		  of the atom.</li>
</ul>
<blockquote>
<pre>?</pre>
</blockquote>
<ul>
<li>The <tt>?</tt> matches the atom or the null 		  string.</li>
</ul>
</li>
<li><strong>Branch</strong>
<p>A branch is 0 or more concatenated pieces.</p></li>
</ul>
<p>Here are some examples of regular expressions:</p>
<blockquote>
<pre>a*</pre>
</blockquote>
<ul>
<li>This expression indicates any occurrence of the letter "a", which 		includes none.</li>
</ul>
<blockquote>
<pre>a+</pre>
</blockquote>
<ul>
<li>This expression indicates that at least one occurrence of the letter 		"a" must be present.</li>
</ul>
<blockquote>
<pre>ab?a</pre>
</blockquote>
<ul>
<li>This expression matches "aa" or 		"aba".</li>
</ul>
<blockquote>
<pre>_100_</pre>
</blockquote>
<ul>
<li>This expression means via AS100.</li>
</ul>
<blockquote>
<pre>_100$</pre>
</blockquote>
<ul>
<li>This expression indicates an origin of 		AS100.</li>
</ul>
<blockquote>
<pre>^100 .*</pre>
</blockquote>
<ul>
<li>This expression indicates transmission from 		AS100.</li>
</ul>
<blockquote>
<pre>^$</pre>
</blockquote>
<ul>
<li>This expression indicates origination from this 		AS.</li>
</ul>
<p></span></p>
]]></content:encoded>
</item>
<item>
<title><![CDATA[BGP path manipulation]]></title>
<link>http://usaccie.wordpress.com/?p=9</link>
<pubDate>Fri, 10 Oct 2008 18:21:59 +0000</pubDate>
<dc:creator>usaccie</dc:creator>
<guid>http://usaccie.pt.wordpress.com/2008/10/10/bgp-path-manipulation/</guid>
<description><![CDATA[BGP path manipulation
Why laugh at me?



Method
Direction Applied
Direction Affected
Best Metric


]]></description>
<content:encoded><![CDATA[<p>BGP path manipulation</p>
<p>Why laugh at me?</p>
<table border="1">
<tbody>
<tr>
<td><strong>Method</strong></td>
<td><strong>Direction Applied</strong></td>
<td><strong>Direction Affected</strong></td>
<td><strong>Best Metric</strong></td>
</tr>
<tr>
<td>Weight</td>
<td>Inbound</td>
<td>Outbound</td>
<td>Highest</td>
</tr>
<tr>
<td>Local Preference</td>
<td>Inbound</td>
<td>Outbound</td>
<td>Highest</td>
</tr>
<tr>
<td>AS Path</td>
<td>Outbound</td>
<td>Inbound</td>
<td>Shortest</td>
</tr>
<tr>
<td>MED (metric)</td>
<td>Outbound</td>
<td>Inbound</td>
<td>Lowest</td>
</tr>
</tbody>
</table>
]]></content:encoded>
</item>
<item>
<title><![CDATA[no-prepend  / replace-as]]></title>
<link>http://usaccie.wordpress.com/?p=7</link>
<pubDate>Fri, 10 Oct 2008 18:19:38 +0000</pubDate>
<dc:creator>usaccie</dc:creator>
<guid>http://usaccie.pt.wordpress.com/2008/10/10/no-prepend-replace-as/</guid>
<description><![CDATA[no-prepend has importance for incoming
replace-as has importance for outgoing.
]]></description>
<content:encoded><![CDATA[<p>no-prepend has importance for incoming<br />
replace-as has importance for outgoing.</p>
]]></content:encoded>
</item>
<item>
<title><![CDATA[BGP Multihome and my fluic condition :|]]></title>
<link>http://shakeelahmad.wordpress.com/?p=63</link>
<pubDate>Sun, 05 Oct 2008 01:42:06 +0000</pubDate>
<dc:creator>binary-zero</dc:creator>
<guid>http://shakeelahmad.pt.wordpress.com/2008/10/05/bgp-multihome-and-my-fluic-condition/</guid>
<description><![CDATA[
So finally I made up my mind to finish up an old research I was working on - this to multihome with]]></description>
<content:encoded><![CDATA[<p>So finally I made up my mind to finish up some old research I was working on: multihoming with two ISPs between two different locations.</p>
<p><a href="http://shakeelahmad.files.wordpress.com/2008/10/drawing1.jpg"><img class="alignleft size-large wp-image-64" title="Cisco Network" src="http://shakeelahmad.wordpress.com/files/2008/10/drawing1.jpg?w=500" alt="" width="500" height="363" /></a></p>
<p>I ended up waking around 4 AM in the morning due to my flu and then thought to use my time for this task.</p>
<p>As many people end up with questions and problems and dream of achieving it without any issues, I'm gonna post out the details.</p>
<p>Task Details:</p>
<p>Subnet : 2x.1x.2x.0/23 needs to be advertised via two ISPs for redundancy between datacenters.</p>
<p>Upstream providers:</p>
<p>Global Crossing, Level 3</p>
<p>I'm assuming the following steps have already been followed before configuration:</p>
<p>Step - 1 : would be to own and register a public ASN</p>
<p>Step - 2: would be to talk with both upstream providers and get appropriate filters updated so that you can advertise your IP block as you want on both providers. Some ISPs don't allow going under /24 - ideally in filters I would break a /23 like below:</p>
<ul>
<li>2x.1x.2x.0/23</li>
<li>2x.1x.2x1.0/24</li>
<li>2x.1x.2x2.0/24</li>
</ul>
<p>This way you have two options,</p>
<ol>
<li>Redundancy by prepending AS PATH</li>
<li>Load-balancing by subnetting and advertising more specifics</li>
</ol>
<p>- Scenario:</p>
<p>Both routers need to run an IGP between them; my personal preference is EIGRP, which is NOT COMPLEX and is MORE FLEXIBLE than running OSPF :) (I beg to differ)</p>
<p>As both routers are not connected directly, but have IP routing internally, I have made up a GRE IP to IP Tunnel between both routers:</p>
<p>Philadelphia Router:</p>
<blockquote><p>interface Tunnel9999<br />
 description %TUNNEL TO LEVEL3 DIA ROUTER%<br />
 ip address 192.168.192.1 255.255.255.252<br />
 ip tcp adjust-mss 1436<br />
 ip summary-address eigrp 1 0.0.0.0 0.0.0.0 250<br />
 keepalive 10 3<br />
 tunnel source 10.x.x.x<br />
 tunnel destination 10.x.x.x<br />
end</p></blockquote>
<p>Pittsburgh Router:</p>
<blockquote><p>interface Tunnel9999<br />
 description %TUNNEL TO GBLX DIA ROUTER%<br />
 ip address 192.168.192.2 255.255.255.252<br />
 ip tcp adjust-mss 1436<br />
 ip summary-address eigrp 1 0.0.0.0 0.0.0.0 250<br />
 keepalive 10 3<br />
 tunnel source 10.x.x.x<br />
 tunnel destination 10.x.x.x<br />
end</p>
</blockquote>
<p>EIGRP Configs:</p>
<p>Philadelphia Router:</p>
<blockquote><p>router eigrp 1<br />
 passive-interface default<br />
 no passive-interface Tunnel9999<br />
 network 192.168.192.0 0.0.0.3<br />
 no auto-summary<br />
 eigrp router-id 10.x.x.x<br />
 eigrp stub connected<br />
!</p></blockquote>
<p>Pittsburgh Router:</p>
<blockquote><p>router eigrp 1<br />
 passive-interface default<br />
 no passive-interface Tunnel9999<br />
 network 192.168.192.0 0.0.0.3<br />
 no auto-summary<br />
 eigrp router-id 10.x.x.x<br />
 eigrp stub connected<br />
!</p></blockquote>
<p>I'll post out the BGP configs in another post as I can't any more. The current challenge I have to cover is the ICMP/TRACEROUTE requests, which are being tagged with a 192.168.192.x address when the primary ISP is down and traffic is routed from Level3 over to Philadelphia by the GRE Tunnel. It's a bit complex and requires debugging. Good practice is to always make a very specific ACL and use it for debugging instead of open debugging, as your router will immediately seize itself in processing DEBUG messages and you would end up losing connection.</p>
<p>Following is my output:</p>
<p>*Oct  5 01:39:43.526: IP: s=<span style="color:#99cc00;"><span style="color:#99cc00;"><strong>2x.2x.1x.1x</strong> </span>(</span>Tunnel9999), d=<strong><span style="color:#ff0000;">2x.1x.2x.1</span></strong><span style="color:#ff0000;">,</span> len 28, rcvd 0<br />
*Oct  5 01:39:43.526:     UDP src=49862, dst=33482<br />
*Oct  5 01:39:43.526: IP: tableid=0, s=192.168.192.1 (local), d=2x.2x.1x.1x (Tunnel9999), routed via FIB<br />
*Oct  5 01:39:43.526: <strong>IP: s=<span style="text-decoration:underline;">192.168.192.1</span> (local), d=2x.2x.1x.1x (Tunnel9999), len 56, sending</strong><br />
*Oct  5 01:39:43.526:     <strong>ICMP type=3, code=3</strong><br />
*Oct  5 01:39:46.522: IP: s=2x.2x.1x.1x (Tunnel9999), d=2x.1x.2x.1, len 28, rcvd 0<br />
*Oct  5 01:39:46.522:     UDP src=49863, dst=33483<br />
*Oct  5 01:39:46.522: IP: tableid=0, s=192.168.192.1 (local), d=2x.2x.1x.1x (Tunnel9999), routed via FIB<br />
*Oct  5 01:39:46.522: IP: s=192.168.192.1 (local), d=2x.2x.1x.1x (Tunnel9999), len 56, sending<br />
*Oct  5 01:39:46.522:     ICMP type=3, code=3<br />
*Oct  5 01:39:49.522: IP: s=2x.2x.1x.1x (Tunnel9999), d=2x.1x.2x.1, len 28, rcvd 0<br />
*Oct  5 01:39:49.522:     UDP src=49864, dst=33484<br />
*Oct  5 01:39:49.522: IP: tableid=0, s=192.168.192.1 (local), d=2x.2x.1x.1x (Tunnel9999), routed via FIB<br />
*Oct  5 01:39:49.522: IP: s=192.168.192.1 (local), d=2x.2x.1x.1x (Tunnel9999), len 56, sending<br />
*Oct  5 01:39:49.522:     ICMP type=3, code=3</p>
]]></content:encoded>
</item>
<item>
<title><![CDATA[Output-101: BGP-3-NOTIFICATION]]></title>
<link>http://ruhann.wordpress.com/?p=93</link>
<pubDate>Sun, 28 Sep 2008 20:47:05 +0000</pubDate>
<dc:creator>wiggwire</dc:creator>
<guid>http://ruhann.pt.wordpress.com/2008/09/28/output-101-bgp-3-notification/</guid>
<description><![CDATA[Error log:
%BGP-3-NOTIFICATION:received from neighbor 196.7.8.9 2/2 (peer in wrong as) 2 bytes 0064
]]></description>
<content:encoded><![CDATA[<p>Error log:</p>
<blockquote><p><span style="color:#333399;">%BGP-3-NOTIFICATION:received from neighbor 196.7.8.9 2/2 (peer in wrong as) 2 bytes 0064</span></p></blockquote>
<p>Explanation:</p>
<p>The obvious is true: a wrong ASN is configured, but there is more detail here. In "2 bytes 0064", the 0064 is the received ASN in hex, i.e. 0x0064 = 100 decimal.</p>
<p>The local router is expecting Neighbor 196.7.8.9 to come from a specific ASN, not ASN 100. Have a look at the "neighbor {IP} remote-as" command to confirm it is set correctly. If confederations are used, make sure your confederation-id is correct between the two EBGP peers.</p>
]]></content:encoded>
</item>
<item>
<title><![CDATA[Juniper JUNOS BGP and OSPF Totally Stubby Area Design Traps]]></title>
<link>http://jncie.wordpress.com/?p=1101</link>
<pubDate>Sun, 28 Sep 2008 06:28:02 +0000</pubDate>
<dc:creator>孟 诗宇</dc:creator>
<guid>http://jncie.pt.wordpress.com/2008/09/28/juniper-junos-bgp-ospf-totally-stub-area-design-traps/</guid>
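<description><![CDATA[After completing the JUNOS OSPF stub area configuration, the next step is to filter the inter-area LSA-3 routes,]]></description>
<content:encoded><![CDATA[<p>After completing the <a title="Juniper JUNOS OSPF Stub Area Configuration" href="http://jncie.wordpress.com/2008/09/28/configurate-juniper-junos-ospf-stub-tsa-nssa-area/">JUNOS OSPF stub area configuration</a>, the next step is to filter the inter-area LSA-3 routes; shrinking the OSPF database is not difficult. You only need to add the <span style="color:#993300;"><strong>no-summary</strong></span> parameter on the ABR to turn the current OSPF stub area 10 into an OSPF totally stubby area (TSA). We do not need to configure this on every Juniper JUNOS router in OSPF area 10, because OSPF LSA-3s are only injected into the stub area by the OSPF ABR, which converts LSAs from the backbone area into LSA-3s. So by setting the area as an OSPF stub area on the OSPF ABR and blocking the injection of <span style="color:#993300;"><strong>netsummary LSA</strong></span>s, the three LSA types LSA-3/4/5 are all filtered out. In the lab, OSPF area 10 has two ABRs, R3 and R4, and we need to add the <span style="color:#993300;"><strong>no-summary</strong></span> parameter on both of them.</p>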
<pre><span style="color:#333399;"><code>[edit logical-routers r3 protocols]
nigel@junos# set ospf area 10 stub <span style="color:#993300;"><span style="text-decoration:underline;">no-summaries</span></span>

[edit logical-routers r4 protocols]
nigel@junos# set ospf area 10 stub <span style="color:#993300;"><span style="text-decoration:underline;">no-summaries</span></span></code></span></pre>
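<p>Looking at the OSPF database on Juniper JUNOS R1, only the default routes injected by the two JUNOS OSPF ABRs, which preserve connectivity to destinations outside the OSPF domain and in other areas, remain in the JUNOS OSPF database; note that these default routes still appear as OSPF LSA-3s. Routers inside OSPF area 10 still keep connectivity to the <span style="color:#993300;"><strong>200.200/24</strong></span> network.</p>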
<pre><span style="color:#333399;"><code>nigel@junos# run show ospf database logical-router r1
<span style="color:#993300;"><span style="text-decoration:underline;">netsummary</span></span>

    OSPF link state database, Area 0.0.0.10
 Type      ID       Adv Rtr   Seq    Age  Opt  Cksum Len
Summary <span style="color:#993300;"><span style="text-decoration:underline;">0.0.0.0</span></span>  10.0.3.3 0x8000000a  31 0x20 0x849d 28
Summary <span style="color:#993300;"><span style="text-decoration:underline;">0.0.0.0</span></span>  10.0.3.4 0x8000000b  30 0x20 0x7ea2 28

nigel@junos# run <span style="color:#993300;"><span style="text-decoration:underline;">traceroute</span></span> logical-router r1 <span style="color:#993300;"><span style="text-decoration:underline;">200.200.0.1</span></span>
traceroute to 200.200.0.1 (200.200.0.1), 30 hops max,
40 byte packets
 1  10.0.4.13 (10.0.4.13)  0.476 ms  0.364 ms  0.278 ms
 2  10.0.2.1 (10.0.2.1)  0.438 ms  0.577 ms  0.407 ms
 3  10.0.8.10 (10.0.8.10)  0.613 ms  0.583 ms  0.601 ms
 4  10.0.8.10 (10.0.8.10)  0.581 ms <span style="color:#993300;"><span style="text-decoration:underline;">!H</span></span>  0.661 ms <span style="color:#993300;"><span style="text-decoration:underline;">!H</span></span>
0.548 ms <span style="color:#993300;"><span style="text-decoration:underline;">!H</span></span>
</code></span></pre>
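<h3>Design Traps of Juniper JUNOS BGP and OSPF Totally Stubby Areas (TSA)</h3>
<p>Pay special attention when configuring an OSPF TSA: it is often the area where incidents occur, because not only are the OSPF external routes (LSA-5) lost, the OSPF inter-area routes (LSA-3) are filtered out as well; this link-state bottleneck increases the scalability of the OSPF network. In particular, when design oversights lead to attempts to implement extended features inside an OSPF TSA, routing black holes arise again and again.</p>
<p>Common design mistakes include: summarizing local subnets inside the OSPF TSA, which loses all external connectivity for the routers in the area and turns the OSPF TSA into a network island; attempting to build an OSPF virtual link across the TSA; and having routers inside the OSPF TSA exchange routing updates with routers outside the area over <a title="Configuring BGP Routing" href="http://www.juniper.net/techpubs/software/erx/erx41x/swconfig-routing-vol2/html/bgp-config.html">JUNOS BGP</a>, which leaves the protocol next hop unreachable and in turn makes the <a title="show route hidden" href="https://www.juniper.net/techpubs/software/junos/junos91/swcmdref-protocols/show-route-hidden.html">routes hidden</a>. Situations like these occur from time to time.</p>
<p>These cases will be demonstrated one by one in later posts. So when configuring JUNOS OSPF areas, be clear about the role of the OSPF TSA: any area that may have scalability requirements in the future should not be lightly defined as an OSPF TSA.</p>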
]]></content:encoded>
</item>
<item>
<title><![CDATA[BGP: Frequently Asked Questions]]></title>
<link>http://ccieworld.wordpress.com/?p=6</link>
<pubDate>Sun, 28 Sep 2008 01:46:43 +0000</pubDate>
<dc:creator>rintrum</dc:creator>
<guid>http://ccieworld.pt.wordpress.com/2008/09/28/bgp-frequently-asked-questions/</guid>
<description><![CDATA[Ref: http://www.cisco.com/en/US/tech/tk365/technologies_q_and_a_item09186a00800949e8.shtml#twenty-th]]></description>
<content:encoded><![CDATA[<p>Ref: http://www.cisco.com/en/US/tech/tk365/technologies_q_and_a_item09186a00800949e8.shtml#twenty-three</p>
<p><span class="content"></p>
<h2><a>Introduction</a></h2>
<p><a> </a><a>This document contains frequently asked questions (FAQs) about Border 	 Gateway Protocol (BGP). </a></p>
<h3><a name="qa">Q.    How do I configure BGP? </a></h3>
<blockquote><p><a name="qa"> </a><a name="qa"><strong>A. </strong>Refer to these documents for information on how to configure BGP and 	 BGP functioning:</a></p>
<ul>
<li><a href="http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfbgp.html">Configuring BGP</a></li>
<li><a href="http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800c95bb.shtml">BGP Case 		Studies</a></li>
</ul>
</blockquote>
<h3><a name="qb">Q.    How do I configure BGP with the use of a loopback address? </a></h3>
<blockquote><p><a name="qb"> </a><a name="qb"><strong>A. </strong>The use of a loopback interface ensures that the neighbor stays up and 	 is not affected by malfunctioning hardware. </a></p>
<p><a name="qb"> </a><a name="qb"> BGP uses the IP address configured on the physical interface directly 	 connected to the BGP peer as the source address when it establishes the BGP 	 peering session, by default. Issue the <strong>neighbor &#60;ip address&#62; 	 update-source &#60;interface&#62;</strong> command in order to change this 	 behavior and configure the BGP that speaks to the router to establish peering 	 with the use of a loopback address as the source address.</a></p>
<p><a name="qb"> </a><a name="qb">Refer to </a><a href="http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080093f25.shtml">Sample 	 Configuration for iBGP and eBGP With or Without a Loopback Address</a> for 	 more information.</p></blockquote>
<h3><a name="one">Q.    What is the order of preference of attributes when some or all are   applied to one neighbor in BGP?</a></h3>
<blockquote><p><a name="one"> </a><a name="one"><strong>A. </strong>The order of preference varies based on whether the attributes are 	 applied for inbound updates or outbound updates. </a></p>
<p><a name="one"> </a><a name="one">For inbound updates the order of preference is: </a></p>
<ol type="1">
<li>route-map</li>
<li>filter-list</li>
<li>prefix-list, distribute-list</li>
</ol>
<p><a name="one"> </a><a name="one">For outbound updates the order of preference is:</a></p>
<ol type="1">
<li>prefix-list, distribute-list</li>
<li>filter-list</li>
<li>route-map</li>
</ol>
<p><a name="one"> </a><a name="one"><strong>Note: </strong>The attributes prefix-list and distribute-list are mutually 		exclusive, and only one command (<strong>neighbor 		prefix-list</strong> or <strong>neighbor 		distribute-list</strong>) can be applied to each inbound or outbound 		direction for a particular neighbor. </a></p>
</blockquote>
<h3><a name="two">Q.    What does a next hop of 0.0.0.0 mean in the <strong>show ip   bgp</strong> command output? </a></h3>
<blockquote><p><a name="two"> </a><a name="two"><strong>A. </strong>A network in the BGP table with a next hop address of 0.0.0.0 means 	 that the network is locally originated via redistribution of Interior Gateway 	 Protocol (IGP) into BGP, or via a <strong>network</strong> or 	 <strong>aggregate</strong> command in the BGP configuration. </a></p>
</blockquote>
<h3><a name="three">Q.    What are the well known communities of the BGP community attribute? </a></h3>
<blockquote><p><a name="three"> </a><a name="three"><strong>A. </strong>The community attribute is a transitive, optional attribute designed to 	 group destinations in a certain community and apply certain policies (such as 	 accept, prefer, or redistribute). This table shows the well known BGP 	 communities. </a></p>
<table border="1" cellspacing="1" cellpadding="3" width="60%" bgcolor="#ffffff">
<tbody>
<tr>
<th> Community</th>
<th> Description</th>
</tr>
<tr>
<td bgcolor="#ffffff">Local-AS</td>
<td bgcolor="#ffffff">Use in confederation scenarios to prevent sending packets 				outside the local autonomous system (AS).</td>
</tr>
<tr>
<td bgcolor="#ffffff">no-export</td>
<td bgcolor="#ffffff">Do not advertise to external BGP (eBGP) peers. Keep this route 				within an AS.</td>
</tr>
<tr>
<td bgcolor="#ffffff">no-advertise</td>
<td bgcolor="#ffffff">Do not advertise this route to any peer, internal or 				external.</td>
</tr>
<tr>
<td bgcolor="#ffffff">none</td>
<td bgcolor="#ffffff">Apply no community attribute when you want to clear the 				communities associated with a route.</td>
</tr>
<tr>
<td bgcolor="#ffffff">internet</td>
<td bgcolor="#ffffff">Advertise this route to the internet community, and any router 				that belongs to it.</td>
</tr>
</tbody>
</table>
<p><a name="three">Refer to the </a><a href="http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfbgp.html#wp1001855">Configuring 	 BGP Community Filtering</a> section of 	 <a href="http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfbgp.html"> Configuring BGP</a> for more information about the configuration of 	 communities.</p></blockquote>
<h3><a name="four">Q.    What formats can I use to configure the BGP community attribute? </a></h3>
<blockquote><p><a name="four"> </a><a name="four"><strong>A. </strong>In Cisco IOS® Software Release 12.0 and later, you can configure 	 communities in three different formats called decimal, hexadecimal, and AA:NN. 	 By default, IOS uses the older decimal format. In order to configure and 	 display in AA:NN, where the first part is the AS number and the second part is 	 a 2-byte number, issue the <strong>ip bgp new-format</strong> global 	 configuration command. </a></p>
<p><a name="four"> </a><a name="four"><strong>Note: </strong>Although the community attribute can be represented in decimal, 		hexadecimal, or AA:NN, it is still a 32-bit number. For example, any of these 		three configuration commands specify the community 30:20 (AS 30, number 20): </a></p>
<ul>
<li><strong>set community 30:20</strong></li>
<li><strong>set community 0x1E0014</strong></li>
<li><strong>set community 1966100</strong></li>
</ul>
<p><a name="four"> </a><a name="four">Regardless of which command you use, the community displayed in the 	 router configuration file and the BGP table is 30:20. </a></p>
<p><a name="four"> </a><a name="four">Refer to the </a><a href="http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800c95bb.shtml#communityattribute">Community 	 Attribute</a> section of 	 <a href="http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800c95bb.shtml">BGP 	 Case Studies</a>, and 	 <a href="http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a00801475b2.shtml">Using 	 BGP Community Values to Control Routing Policy in Upstream Provider 	 Network</a> for more information.</p></blockquote>
<h3><a name="five">Q.    How does BGP behave differently with auto-summary enabled or disabled? </a></h3>
<blockquote><p><a name="five"><strong>A. </strong>Auto-summary behavior has changed across Cisco IOS software releases. Initially, auto-summary was enabled by default. However, with Cisco bug ID </a><a href="http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCdu81680">CSCdu81680</a> (<span><a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only</span>) this behavior has changed. In the latest Cisco IOS, auto-summary is disabled by default. When auto-summary is enabled, it summarizes the locally originated BGP networks to their classful boundaries. Auto-summary is enabled by default in BGP. When auto-summary is disabled, the routes introduced locally into the BGP table are not summarized to their classful boundaries. When a subnet exists in the routing table and these three conditions are satisfied, then any subnet of that classful network in the local routing table will prompt BGP to install the classful network into the BGP table.</p>
<ul>
<li>Classful network statement for a network in the routing table</li>
<li>Classful mask on that network statement</li>
<li>Auto-summary enabled</li>
</ul>
<p>For example, if the subnet in the routing table is 75.75.75.0 mask 255.255.255.0, and you configure <strong>network 75.0.0.0</strong> under the <strong>router bgp</strong> command, and auto-summary is enabled, BGP introduces the classful network 75.0.0.0 mask 255.0.0.0 in the BGP table.</p>
<p>If these three conditions are not all met, then BGP does not install any entry in the BGP table unless there is an exact match in the local routing table.</p>
<p><strong>Note: </strong>If the AS that performs BGP does not own the complete classful network, Cisco recommends that you issue the <strong>no auto-summary</strong> command under <strong>router bgp</strong> in order to disable auto-summary.</p></blockquote>
<h3><a name="six">Q.    How can I verify if a BGP router announces its BGP networks and   propagates them to the global BGP mesh? </a></h3>
<blockquote><p><a name="six"> </a><a name="six"><strong>A. </strong>Use these commands to check if the IP blocks are announced to the 	 directly connected ISP: </a></p>
<ul>
<li>The <strong>show ip bgp neighbors [<em>address</em>] advertised-routes</strong> command shows which messages are being sent.</li>
<li>The <strong>show ip bgp neighbors [<em>address</em>] routes</strong> command shows which messages are being received.</li>
</ul>
<p><strong>Note: </strong>The <strong>show ip bgp neighbors [<em>address</em>] advertised-routes</strong> command does not take into account any outbound policies you might have applied. In future Cisco IOS software releases, the command output will be changed to reflect the outbound policies. If there are two alternate paths to a destination, BGP always uses the best route to advertise.</p>
<p><a name="six">In order to verify how the IP blocks get propagated to the global BGP mesh via the directly connected ISP, log on to a </a><a href="http://www.traceroute.org/#Route%20Servers" target="_blank">route server</a> on the Internet and look for the BGP entries of the prefix in the route server.</p></blockquote>
<h3><a name="seven">Q.    When and how should I reset a BGP session?</a></h3>
<blockquote><p><a name="seven"><strong>A. </strong>Clear a BGP session when you change the inbound/outbound policy for this session. Issue the <strong>clear ip bgp <em>x.x.x.x</em> soft out</strong> command to clear a BGP session in order to bring outbound policy changes into effect. Issue the <strong>clear ip bgp <em>x.x.x.x</em></strong> command in order to clear a BGP session to bring inbound policy changes into effect. If the neighbor has the soft reconfiguration capability, you can issue the <strong>clear ip bgp <em>x.x.x.x</em> soft in</strong> command. The BGP session can be cleared automatically if you set up Optimized Edge Routing (OER). OER automatically clears the BGP session for both inbound and outbound directions. Refer to </a><a href="http://www.cisco.com/en/US/docs/ios/12_4t/oer/configuration/guide/h_oerstr.html">Setting Up OER Network Components</a> for more information on OER.</p>
<p><strong>Note: </strong>With Cisco IOS Software Release 12.0 and later, a new BGP Soft Reset 		Enhancement feature is introduced. Refer to 		<a href="http://www.cisco.com/en/US/products/sw/iosswrel/ps1830/products_feature_guides_list.html">BGP 		Soft Reset Enhancement</a> for more information.</p></blockquote>
<h3><a name="twenty-five">Q.    When I perform MD5 Authentication for BGP through a PIX, is there   anything special that needs to be done on the PIX? </a></h3>
<blockquote><p><a name="twenty-five"><strong>A. </strong>Yes. When a BGP 'neighbor ... password ...' is configured, MD5 authentication is used on the TCP pseudo-IP header, TCP header, and data (refer to </a><a href="http://www.cse.ohio-state.edu/cgi-bin/rfc/rfc2385.html" target="_blank">RFC 2385</a>). TCP uses this data, which includes the TCP sequence and ACK numbers, and the BGP neighbor password, to create a 128-bit hash number. The hash number is included in the packet in a TCP header option field. By default, the PIX offsets the sequence number by a random value per TCP flow. On the sending BGP peer, TCP uses the original sequence number to create the 128-bit MD5 hash number and includes this hash number in the packet. When the receiving BGP peer gets the packet, TCP uses the PIX modified sequence number to create a 128-bit MD5 hash number and compares it to the hash number included in the packet. Because the TCP sequence value was changed by the PIX, the hash is different—TCP on the BGP neighbor drops the packet and logs an MD5 failed message similar to this:</p>
<blockquote>
<pre>%TCP-6-BADAUTH: Invalid MD5 digest from 10.28.0.9:1778 to 10.156.50.10:179</pre>
</blockquote>
<p>Use the <strong>norandomseq</strong> keyword in order to solve this 	 problem and stop the PIX from offsetting the TCP sequence number with the 	 <strong>static (inside,DMZ-ICE) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 	 norandomseq</strong> command.</p></blockquote>
<h3><a name="eight">Q.    What is an autonomous system (AS) number and how do I obtain   one?</a></h3>
<blockquote><p><a name="eight"> </a><a name="eight"><strong>A. </strong>AS numbers are globally unique numbers that are used to identify ASes, 	 and which enable an AS to exchange exterior routing information between 	 neighboring ASes. An AS is a connected group of IP networks that adhere to a 	 single and clearly defined routing policy. </a></p>
<p><a name="eight">There are a limited number of available AS numbers. Therefore, it is important to determine which sites require unique AS numbers and which do not. Sites that do not require a unique AS number should use one or more of the AS numbers reserved for private use, which are in the range from 64512 to 65535. Access the </a><a href="http://www.arin.net/registration/asn/index.html" target="_blank">AS Number Registration Services</a> website to obtain an AS number.</p></blockquote>
<h3><a name="nine">Q.    What is the BGP path selection criteria?</a></h3>
<blockquote><p><a name="nine"> </a><a name="nine"><strong>A. </strong>BGP path selection criteria is documented in </a><a href="http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094431.shtml">BGP 	 Best Path Selection Algorithm</a>.</p></blockquote>
<h3><a name="ten">Q.    What is the difference between   <strong>always-compare-med</strong> and   <strong>deterministic-med</strong>? </a></h3>
<blockquote><p><a name="ten"> </a><a name="ten"><strong>A. </strong>A complete explanation of the differences between these commands is 	 documented in </a><a href="http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094925.shtml">How 	 the <strong>bgp deterministic-med</strong> Command Differs from the 	 <strong>bgp always-compare-med</strong> Command</a>.</p></blockquote>
<h3><a name="eleven">Q.    Do internal BGP (iBGP) sessions modify the next hop? </a></h3>
<blockquote><p><a name="eleven"> </a><a name="eleven"><strong>A. </strong>iBGP sessions preserve the next hop attribute learned from eBGP peers. 	 This is why it is important to have an internal route to the next hop. The BGP 	 route is otherwise unreachable. In order to make sure you can reach the eBGP 	 next hop, include the network that the next hop belongs to in the IGP or issue 	 the <strong>next-hop-self neighbor</strong> command to force the 	 router to advertise itself, rather than the external peer, as the next hop. 	 Refer to the </a><a href="http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800c95bb.shtml#bgpnexthop">BGP 	 Next Hop Attribute</a> section of 	 <a href="http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800c95bb.shtml">BGP 	 Case Studies</a> for a more detailed explanation.</p></blockquote>
<h3><a name="twelve">Q.    Do external BGP (eBGP) sessions between confederations modify the next   hop?</a></h3>
<blockquote><p><a name="twelve"> </a><a name="twelve"><strong>A. </strong>No, eBGP sessions between confederation sub-ASes do not modify the next 	 hop attribute. All iBGP rules still apply to have the whole AS behave as a 	 single entity. The metric and local preference values also remain unaltered 	 among confederation eBGP peers. Refer to the </a><a href="http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800c95bb.shtml#bgpconfed">BGP 	 Confederation</a> section of 	 <a href="http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800c95bb.shtml">BGP 	 Case Studies</a> for more information about confederations.</p></blockquote>
<h3><a name="thirteen">Q.    In external BGP (eBGP) sessions, which IP address is sent as the next   hop? </a></h3>
<blockquote><p><a name="thirteen"> </a><a name="thirteen"><strong>A. </strong>In eBGP peering, the next hop is the IP address of the neighbor that 	 announces the route. However, when the route is advertised on a multi-access 	 media (such as Ethernet or Frame Relay), the next hop is usually the IP address 	 of the router interface connected to that media, which originated the route. 	 Refer to the </a><a href="http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800c95bb.shtml#bgpnexthop">BGP 	 Next Hop Attribute</a> of 	 <a href="http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800c95bb.shtml">BGP 	 Case Studies</a> for a more detailed explanation.</p></blockquote>
<h3><a name="fourteen">Q.    Does the route reflector change the next hop attribute of a reflected   prefix? </a></h3>
<blockquote><p><a name="fourteen"> </a><a name="fourteen"><strong>A. </strong>By default, the next hop attribute is not changed when a prefix is reflected by a route reflector. However, you can issue the <strong>neighbor next-hop-self</strong> command in order to change the attribute of the next hop for prefixes reflected from an eBGP peer to any route reflector client. </a></p>
</blockquote>
<h3><a name="fifteen">Q.    How can I announce a prefix conditionally to one ISP only when I lose the   connection to my primary ISP?</a></h3>
<blockquote><p><a name="fifteen"> </a><a name="fifteen"><strong>A. </strong>BGP advertises routes from its BGP table to external peers by default. 	 The BGP conditional advertisement feature provides additional control of route 	 advertisement depending on the existence of other prefixes in the BGP table. 	 Normally, routes are propagated regardless of the existence of a different 	 path. The BGP conditional advertisement feature uses the 	 <strong>non-exist-map</strong> and 	 <strong>advertise-map</strong> configuration commands to track routes 	 by the route prefix. If a route prefix is not present in the 	 <strong>non-exist-map</strong> command, the route specified by the 	 <strong>advertise-map</strong> command is announced. Refer to the </a><a href="http://www.cisco.com/en/US/docs/ios/12_1/iproute/configuration/guide/1cdbgp.html#wp1023342">Configuring 	 BGP Conditional Advertisement</a> section of 	 <a href="http://www.cisco.com/en/US/docs/ios/12_1/iproute/configuration/guide/1cdbgp.html">Configuring 	 BGP</a> for more information.</p></blockquote>
<h3><a name="sixteen">Q.    How can I configure BGP to provide load sharing and redundancy in my   network? </a></h3>
<blockquote><p><a name="sixteen"> </a><a name="sixteen"><strong>A. </strong>Use these documents for detailed configuration information:</a></p>
<ul>
<li><a name="sixteen"> </a><a href="http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a00800945bf.shtml">Load 		Sharing with BGP in Single and Multihomed Environments: Sample 		Configurations</a></li>
<li><a href="http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080093f2c.shtml">How 		to Use HSRP to Provide Redundancy in a Multihomed BGP 		Network</a></li>
</ul>
</blockquote>
<h3><a name="seventeen">Q.    How much memory should I have in my router to receive the complete BGP   routing table from my ISP?</a></h3>
<blockquote><p><a name="seventeen"> </a><a name="seventeen"><strong>A. </strong>The amount of memory required to store BGP routes depends on many 	 factors, such as the router, the number of alternate paths available, route 	 dampening, community, the number of maximum paths configured, BGP attributes, 	 and VPN configurations. Without knowledge of these parameters it is difficult 	 to calculate the amount of memory required to store a certain number of BGP 	 routes. Cisco typically recommends a minimum of 512 MB of RAM in the router to 	 store a complete global BGP routing table from one BGP peer. However, it is 	 important to understand ways to reduce memory consumption and achieve optimal 	 routing without the need to receive the complete Internet routing table. Refer 	 to </a><a href="http://www.cisco.com/warp/public/459/41.shtml">Achieve Optimal 	 Routing and Reduce BGP Memory Consumption</a> (<span> <a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only</span>)          for more detailed 	 information.</p></blockquote>
<h3><a name="eighteen">Q.    What are the benefits of configuring BGP peer groups? </a></h3>
<blockquote><p><a name="eighteen"> </a><a name="eighteen"><strong>A. </strong>The major benefit of specifying a BGP peer group is that it reduces the 	 amount of system resources (CPU and memory) used in an update generation. It 	 also simplifies BGP configuration since it allows the routing table to be 	 checked only once, and updates to be replicated to all other in-sync peer group 	 members. This can significantly reduce the load, which depends on the number of 	 peer group members, the number of prefixes in the table, and the number of 	 prefixes advertised. Cisco recommends that you group together peers with 	 identical outbound announcement policies. Refer to </a><a href="http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080093fb7.shtml">BGP 	 Peer Groups</a> for more detailed information.</p></blockquote>
<h3><a name="nineteen">Q.    What is synchronization, and how does it influence BGP routes installed   in the IP routing table? </a></h3>
<blockquote><p><a name="nineteen"> </a><a name="nineteen"><strong>A. </strong>If your AS passes traffic from another AS to a third AS, BGP should not 	 advertise a route before all routers in your AS learn about the route via IGP. 	 BGP waits until IGP propagates the route within the AS and then advertises it 	 to external peers. A BGP router with synchronization enabled does not install 	 iBGP learned routes into its routing table if it is not able to validate those 	 routes in its IGP. Issue the <strong>no synchronization</strong> command under <strong>router bgp</strong> in order to disable 	 synchronization. This prevents BGP from validating iBGP routes in IGP. Refer to </a><a href="http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800c95bb.shtml#synch">BGP 	 Case Studies: Synchronization</a> for a more detailed explanation.</p></blockquote>
<h3><a name="twenty">Q.    How do I know which Cisco IOS software release supports a particular BGP   feature?</a></h3>
<blockquote><p><a name="twenty"> </a><a name="twenty"><strong>A. </strong>Use the </a><a href="http://www.cisco.com/pcgi-bin/Support/CompNav/Index.pl">Cisco IOS 	 Software Advisor</a> (<span> <a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only</span>)          to quickly find which Cisco IOS software release 	 supports your feature.</p></blockquote>
<h3><a name="twenty-one">Q.    How can I set the Multi Exit Discriminator (MED) value on prefixes   advertised to external BGP (eBGP) neighbors to match the Interior Gateway   Protocol (IGP) next hop metric? </a></h3>
<blockquote><p><a name="twenty-one"> </a><a name="twenty-one"><strong>A. </strong>The <strong>set metric-type internal route-map</strong> configuration command causes BGP to advertise a MED that corresponds to the IGP 	 metric associated with the next hop of the route. This command is available in 	 Cisco IOS Software Release 10.3 and later. Refer to </a><a href="http://www.cisco.com/en/US/docs/ios/12_1/iproute/command/reference/1rdbgp.html">BGP 	 Commands</a> for more information.</p></blockquote>
<h3><a name="twenty-two">Q.    What is the default BGP ConnectRetry timer, and is it possible to tune   the BGP ConnectRetry timer? </a></h3>
<blockquote><p><a name="twenty-two"> </a><a name="twenty-two"><strong>A. </strong>The default BGP ConnectRetry timer is 120 seconds. Only after this time 	 passes does the BGP process check to see if the passive TCP session is 	 established. If the passive TCP session is not established, then the BGP 	 process starts a new active TCP attempt to connect to the remote BGP speaker. 	 During this idle 120 seconds of the ConnectRetry timer, the remote BGP peer can 	 establish a BGP session to it. Presently, the Cisco IOS ConnectRetry timer 	 cannot be changed from its default of 120 seconds. </a></p>
</blockquote>
<h3><a name="twenty-three">Q.    What does <tt>r RIB-Failure</tt> mean in the   <strong>show ip bgp</strong> command   output?</a></h3>
<blockquote>
<blockquote>
<pre><a name="twenty-three">R1&#62; <strong>show ip bgp</strong>
BGP table version is 5, local router ID is 200.200.200.1
Status codes: s suppressed, d damped, h history, * valid, &#62; best, i - internal,
              <strong>r RIB-failure</strong>
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
r&#62; 6.6.6.0/24       10.10.13.3               0    130      0 30 i
*&#62; 7.7.7.0/24       10.10.13.3               0    125      0 30 i</a></pre>
</blockquote>
<p><a name="twenty-three"> </a><a name="twenty-three">When BGP tries to install the </a><a href="http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094431.shtml">bestpath</a> prefix into Routing Information Base (RIB) (for example, the IP Routing table), 	 RIB might reject the BGP route due to any of these reasons:</p>
<ul>
<li>Route with better administrative distance already present in IGP. For 		example, if a static route already exists in IP Routing 		table.</li>
<li>Memory failure.</li>
<li>The number of routes in VPN routing/forwarding (VRF) exceeds the 		route-limit configured under the VRF 		instance.</li>
</ul>
<p>In such cases, the prefixes that are rejected for these reasons are 	 identified by <tt>r RIB Failure</tt> in the 	 <strong>show ip bgp</strong> command output and are not advertised to 	 the peers. This feature was first made available in Cisco IOS Software Release 	 12.2(08.05)T.</p></blockquote>
<h3><a name="twenty-four">Q.    How can I redistribute internal BGP (iBGP) learned default-route   (0.0.0.0/0) route into EIGRP/OSPF/IS-IS?</a></h3>
<blockquote><p><a name="twenty-four"> </a><a name="twenty-four"><strong>A. </strong>The redistribution of iBGP routes into an Interior Gateway Protocol (IGP), such as Enhanced Interior Gateway Routing Protocol, Open Shortest Path First, or Intermediate System-to-Intermediate System (EIGRP/OSPF/IS-IS), can cause routing loops within the Autonomous System, which is not recommended. By default, iBGP redistribution into IGP is disabled. Issue the <strong>bgp redistribute-internal</strong> command in order to enable redistribution of iBGP routes into IGP. Precautions must be taken to redistribute specific routes using route-maps into IGP. A sample configuration for redistributing an iBGP-learned default route 0.0.0.0/0 into EIGRP is shown in this output. Configurations for OSPF/IS-IS are similar. </a></p>
<blockquote>
<pre><a name="twenty-four">router bgp 65345
[...]
<strong>bgp redistribute-internal</strong>
!
router eigrp 10
[...]
redistribute bgp 65345 route-map check-def
!
ip prefix-list def-route seq 5 permit 0.0.0.0/0
!
route-map check-def permit 10
match ip address prefix-list def-route</a></pre>
</blockquote>
</blockquote>
<h3><a name="fil">Q.   How can I filter all IP routes advertised to a BGP neighbor except the   default route 0.0.0.0/0?</a></h3>
<blockquote><p><a name="fil"> </a><a name="fil"><strong>A. </strong>The specific routes can be filtered if you use inbound filter-list, distribute-list, prefix-list and route-map all at the same time for the same BGP neighbor. This is the order of operation:</a></p>
<ol type="1">
<li>Filter-list</li>
<li>Route-map</li>
<li>Distribute-list (or) prefix-list</li>
</ol>
</blockquote>
<h3><a name="prerr">Q.   How to resolve the error <tt>Protocol not in this   image</tt>?</a></h3>
<blockquote><p><a name="prerr"> </a><a name="prerr"><strong>A. </strong>The error message <tt>protocol not in this image</tt> appears because the BGP feature is not supported in the IOS version running on the router. To resolve this error, upgrade the IOS to a newer version that supports BGP.</a></p></blockquote>
<h3><a name="tim">Q.   BGP: timer-wheel running slow by 1 ticks appears in the debug   output.</a></h3>
<blockquote><p><a name="tim"> </a><a name="tim"><strong>A. </strong>This message only shows up when a BGP debug is turned on on the router. It is just an informational message and not an error message. This informational message relates to BGP internal timers. This message can be ignored by issuing the <strong>undebug all</strong> command.</a></p></blockquote>
<h3><a name="trac">Q.   Is it possible to track an interface and change the route   availability?</a></h3>
<blockquote><p><a name="trac"> </a><a name="trac"><strong>A. </strong>Yes, it is possible to track the state change of an interface and route 	 availability with the Enhanced Object tracking. Refer to </a><a href="http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/fthsrptk.html">Enhanced 	 Object Tracking</a> for more information.</p></blockquote>
<h3><a name="mem">Q.   How does IP RIB Update allocate memory?</a></h3>
<blockquote><p><a name="mem"> </a><a name="mem"><strong>A. </strong> IP RIB Update allocates the prefixes, and attributes are held in 	 chunks. It is not possible to free the entire chunk until every element in the 	 chunk is freed. If more routes are learned, then those free elements in the 	 chunks are used. </a></p></blockquote>
<p></span></p>
]]></content:encoded>
</item>
<item>
<title><![CDATA[All About BGP]]></title>
<link>http://as5lanx.wordpress.com/?p=113</link>
<pubDate>Sat, 27 Sep 2008 08:20:44 +0000</pubDate>
<dc:creator>as5lanx</dc:creator>
<guid>http://as5lanx.pt.wordpress.com/2008/09/27/all-about-bgp/</guid>
<description><![CDATA[Can you imagine what the Internet world actually looks like? Let us take it apart piece by piece. The world ]]></description>
<content:encoded><![CDATA[<p>Can you imagine what the Internet world actually looks like? Let us take it apart piece by piece. The Internet world also has land, cities, and inhabitants, just like the real world. The islands, landmasses, and continents of the Internet world are the NOC rooms and data centers of Internet backbone providers around the world, often called Network Access Point (NAP) providers. The ISPs that sit beneath these Internet backbone providers are its big cities and metropolises.<br />
An ISP, as a metropolis, is itself made up of small towns and other areas. These small towns and other areas are the very large number of servers and network devices that serve the users. The ISP's Points of Presence (POPs), spread across the area around the ISP, are also small towns within the ISP. Inside these small towns live the inhabitants who go about their activities there. The inhabitants of the Internet world are you, the Internet users, all of whom are also inhabitants of the real world.<br />
In the Internet world, communication between inhabitants is also a vital need. More than vital, the need to communicate is the very source and origin of the Internet world. To let its inhabitants communicate, connecting roads were built. The connecting roads of the Internet world are data communication media, of which there are a great many kinds.<br />
A small footpath might be formed by an ordinary telephone line of the kind found in your homes. A somewhat larger road might be formed by a leased line, ADSL, cable, ISDN, and many other connections. A large highway might be built with a 2 Mbps E1 connection, fiber optic, a Fast Ethernet connection, and many more. For an air route without twists and turns, wireless media can be used. All of these connections open a communication path to the Internet world.<br />
From here on, however, the way the Internet world works starts to differ from the real world. The roads formed in the Internet world must connect to the small towns, that is, the remote access servers and network devices. These devices are located at the ISP, the capital city of those inhabitants. As a result, all communication between inhabitants of the Internet must first pass through their capital, whether it is with inhabitants of the same city or with inhabitants on the other side of the Earth.<br />
If the destination is still within the same city, the ISP does not need to send its inhabitants' communication session off the continent, because within the same region there is usually a shortcut to the local site. This shortcut is what we commonly know as an Internet Exchange.<br />
An Internet Exchange is a gathering of all the ISPs in a region. Its purpose is to keep communication within the same geographic area from having to be carried off the Internet continent. In Indonesia, the Internet Exchange is called the Indonesia Internet Exchange (IIX).<br />
Another shortcut can be formed when an ISP has a dedicated private path connecting it to another ISP. This private path is often called private peering. It is like an inter-province toll road that directly connects the inhabitants on it without any further detours.</p>
<p>What if the site you want to reach turns out to be on another Internet continent? Like it or not, the ISP must hand the communication session to the Internet continent closest to that site, or at least to the NAP providers above the ISP. The NAP provider then builds the communication path to the other Internet continents and finds the best way to the destination site.<br />
Reaching a destination site naturally also means passing through other continents and cities in other parts of the Internet world. And so on, which is how the Internet world has grown as large as it is today. In essence, then, the Internet is a collection of small networks joined into one.<br />
To let its users communicate with sites or users on other continents, an ISP must have one important component: route information to the locations its users want to reach. The ISP you connect to absolutely must know which paths can be used to carry its users' communication. The many roads that stretch across the Internet world must be collected by the ISP, to be stored or passed on again to its users.<br />
This process of collecting and maintaining route information is the most important part of how the Internet comes about. Carrying out this process is the main job of a routing protocol. To handle this job, the Internet world relies on one routing protocol by name: BGP.<br />
What Is BGP?<br />
Border Gateway Protocol, commonly abbreviated BGP, is one of the routing protocols used in data communications. As a routing protocol, BGP can collect routes, exchange routes, and determine the best route to a location in the network. A routing protocol also comes with a smart algorithm for finding the best path. What distinguishes BGP from other routing protocols such as OSPF and IS-IS, however, is that BGP belongs to the Exterior Gateway Protocol (EGP) category of routing protocols. And what is EGP?<br />
As the name Exterior suggests, this kind of routing protocol can exchange routes to and from outside the local network of a particular organization or group. A particular organization or group outside one's own organization is often referred to as an autonomous system (AS). This means that routes owned by one AS can also be held by another AS with different interests and authority. Likewise, that AS can hold routes owned by other organizations. What is the benefit of other organizations having your organization's routes, and vice versa?<br />
The benefit is that your organization becomes known to the other organizations you send routes to. Once the routes to your location are known, many people can communicate with you. In addition, you also receive routes to other organizations, so you too can establish communication with users who belong to those organizations. In this way, communication can spread ever more widely.<br />
BGP is known as a very complex and intricate routing protocol because of this remarkable ability, namely serving route exchange between large organizations. The protocol is highly scalable because it can serve several large organizations exchanging routing information, so BGP's reach in serving network users is very broad.<br />
What happens when many organizations in the world come together and exchange routing information? The result is the INTERNET. It is therefore no mistake that BGP has earned the title of the core of the Internet's existence.<br />
What Is an Autonomous System?<br />
An analogy for an Autonomous System, often abbreviated AS, is the company where you work. A company has its own rules, its own organizational structure, its own products, its own style of doing business, and its own privacy. None of that needs to be known by people outside your company, does it?<br />
But what if the company produces a product that must be sold to the public? First of all, of course, that product has to be known to people outside the company. The product being known to others does not mean that the company's entire inner workings can be known by outsiders, does it? The Autonomous System analogy in BGP is roughly like this.<br />
An organization's internal network can consist of dozens or even hundreds of network devices and servers. All of them serve the interests of that organization, so authority and control over them may only be exercised by that organization. Cisco Systems, a network equipment manufacturer, defines an Autonomous System as “a set of network devices under the same administration and routing strategy”.<br />
Autonomous Systems are usually identified by a numbering system. AS numbering on the Internet is governed by an Internet organization called IANA. What the AS numbering system is and how it works will be discussed further below.</p>
<p>What Is an Analogy for BGP?<br />
If an AS is likened to a company, the BGP routing protocol can be likened to the marketing and promotion division of that company. The marketing division's job is to publicize and market the company's products. It spreads information about the products it is going to sell. Using the various tactics and algorithms it has, that information is spread to everyone in its target market. The goal is for them to know what the product is and where they can get it.<br />
The marketing division is also tasked with surveying the market it is targeting. Buyers and retailers will in turn provide information about their wants and needs regarding the products the company sells. The marketing division also needs to know the conditions, prospects, travel routes, and particular characteristics of a target sales region. Once all this information is known, it is worked into a strong marketing strategy.<br />
BGP's job is more or less the same as that of the marketing and promotion division of a company. BGP's main task is to give the outside world information about what an organization has. The goal is to introduce to the outside world which IP addresses exist in the network. Once they are known from outside, the servers, network devices, PCs, and other computing devices in the network can also be reached from the outside world. In addition, BGP collects information from outside so that the organization can communicate with the outside world.<br />
By knowing the IP addresses in other networks, the users in your network can reach those networks too. And so the Yahoo web page, the Google search engine, the Amazon bookstore, and many more open up.<br />
Why Use BGP?<br />
BGP is the only routing protocol that can be used to connect two large organizations with different interests. Although BGP is not the only EGP-type routing protocol, it appears to have become the international standard for this purpose. This is because BGP has an extraordinarily large and flexible set of features.<br />
These range from control over the frequency of routing updates, the way relationships with neighboring ASes are established, the hello system, and policies for distributing routing information, to many other features that you can modify and tinker with to suit your needs. BGP is therefore a routing protocol that its users can control as freely as they like. As a result, a great many requirements can be met with BGP.<br />
BGP is also a very good fit when a company has more than one path to the Internet. A network with more than one exit path is commonly described as multihoming. Multihomed networks are generally medium to large networks such as ISPs, banks, multinational oil companies, and many others. Such networks usually have their own IP blocks and AS numbers.<br />
BGP plays a very large role in such a multihomed network. First, BGP serves as the routing protocol that exchanges routing information with the ISP or NAP above the network. Second, combined with its very flexible policy controls, BGP can be used to build load balancing for inbound and outbound traffic. How to build load balancing with BGP will be covered in the article in the next edition.<br />
In addition, BGP is a very reliable routing protocol. This is because BGP uses TCP to communicate with its neighbors when exchanging information. TCP is a protocol that provides reliable service, in which every communication session built on it must be confirmed as delivered or not.<br />
This confirmation is done with an acknowledgment system for every communication session that takes place. As a result, almost no BGP routing information fails to reach its destination device. The BGP routing protocol in wide use today is BGP version 4, more often abbreviated BGP-4.<br />
What Are the Characteristics of BGP?<br />
The sophistication and complexity of BGP can be boiled down to a few key characteristics. The following characteristics of the BGP routing protocol are its hallmarks:<br />
• BGP is a path vector routing protocol: in determining its best routes it always refers to the best, selected paths it has obtained from other BGP routers.<br />
• The full routing table is sent at the start of a BGP session; subsequent updates are only incremental, adding to or removing from the routing information that already exists.<br />
• BGP routers establish and maintain connections between peers using TCP port 179.<br />
• Connections between peers are maintained with periodic keepalive signals.<br />
• Failure to receive keepalive signals, routing updates, or other notification signals on a BGP router can trigger a change in its BGP peer status with another router, which may in turn trigger new updates to other routers.<br />
• The metrics BGP uses to determine the best route are very complex and can be modified very flexibly. This is the real source of BGP's power. These metrics are commonly referred to as attributes.<br />
• The use of hierarchical addressing and the ability to manipulate traffic flows make the BGP routing protocol highly scalable for future network growth.<br />
• BGP has its own routing table, which usually holds the routing prefixes it has received from other BGP routers. These prefixes are accompanied by their attribute information, listed specifically with them.<br />
• BGP lets you manipulate traffic using its fairly numerous attributes. These attributes have an order of priority in which they are used as a reference.<br />
Kapan Saatnya Tidak Menggunakan BGP?<br />
Seperti dijelaskan di atas, BGP merupakan routing protocol yang kompleks dan sulit untuk di-maintain. Dengan demikian, penggunaannya diperlukan keahlian khusus dan juga perangkat router berkemampuan proses yang tinggi. Untuk itu, perencanaan yang baik sangat diperlukan untuk menggunakan BGP. Ada kalanya Anda tidak perlu menggunakan routing protocol ini dalam berhubungan dengan AS lain. Jangan gunakan BGP untuk jaringan dengan situasi seperti berikut ini:<br />
â€¢ Hanya ada satu buah koneksi yang menuju ke Internet atau ke AS lain. Jaringan ini sering disebut dengan istilah singlehoming.<br />
â€¢ Policy routing untuk ke Internet dan pemilihan jalur terbaik tidak terlalu diperlukan dalam sebuah AS.<br />
â€¢ Perangkat router yang akan digunakan untuk menjalankan BGP tidak memiliki cukup memory dan tenaga processing untuk menangani update informasi dalam jumlah besar dan konstan.<br />
â€¢ Keterbatasan pengetahuan dan kemampuan para administrator jaringannya dalam hal policy routing dan karakteristik BGP lainnya.<br />
â€¢ Bandwidth yang kecil yang menghubungkan AS yang satu dengan lainnya.<br />
Inti Internet yang Rumit<br />
Terjadinya sebuah dunia bernama Internet memang sangat rumit. Bagaimana tidak pasalnya semua manusia yang ada di dunia ini ingin dapat dilayani permintaan komunikasinya, tentu sangat rumit, bukan? Kerumitannya ini terlihat juga pada routing protocol yang bertugas mengatur dan menciptakan komunikasi tersebut, yaitu BGP.<br />
BGP memang sangat rumit, namun juga sangat bertenaga dalam melayani kebutuhan penduduk dunia akan internet. Karena kerumitan dan keunikannya inilah BGP begitu menarik untuk dipelajari. Namun untuk mempelajari lebih dalam lagi mungkin perlu training khusus dan pengalaman bertahun-tahun. Anda dapat mengetahui bagaimana dunia internet yang sebenarnya dari mempelajari BGP. Pada edisi selanjutnya akan dibahas bagaimana cara kerja BGP, atribut-atribut BGP, dan pernak-pernik lainnya. Selamat belajar!</p>
<p>http://www.pcmedia.co.id</p>
]]></content:encoded>
</item>
<item>
<title><![CDATA[BGP Keyword]]></title>
<link>http://paulwolee.wordpress.com/?p=6</link>
<pubDate>Mon, 22 Sep 2008 13:29:05 +0000</pubDate>
<dc:creator>paulwolee</dc:creator>
<guid>http://paulwolee.pt.wordpress.com/2008/09/22/bgp-keyword/</guid>
<description><![CDATA[There are three most important keywords which we should have in mind while setting up BGP neighbor ]]></description>
<content:encoded><![CDATA[<p>There are three important keywords to keep in mind when setting up a BGP neighbor relationship. Sometimes, even when we have a successful BGP relationship, we are not able to see routes in the routing table. The three keywords are as follows.</p>
<p>1) ebgp-multihop: In EBGP, neighbor relationships are formed only between directly connected networks. We need to use the ebgp-multihop keyword with the neighbor statement so that neighbors which are not directly connected can form a relationship with each other. We need to specify a number with the ebgp-multihop keyword; the number can be between 1 and 255. This number represents how many hops away the router is.</p>
<p>2) update-source: We need to specify the interface which will be used to update the neighbor table in case the routers are not directly connected. Without update-source we will not be able to form BGP neighbor relationships. The update-source keyword will update the interface which will be used to form the neighbor relationship. See the configuration example below for a better understanding.</p>
<p>3) next-hop-self: When an EBGP relation replicates, the next hop always changes. IBGP routers connected only with other IBGP routers in the same AS will not be able to talk with routers outside the AS if they are not directly connected with each other. We need the next-hop-self keyword on the IBGP router which is directly connected with the EBGP neighbor so that the other routers in the same AS (IBGP) can talk with the EBGP routers. Refer to the configuration examples below:</p>
<p>Let’s assume that we have three routers and we have to set up an EBGP relationship between them. Router A (AS 34, Serial0 192.168.1.1, loopback0 1.1.1.1), Router B (AS 34, loopback0 2.2.2.2, Serial0 192.168.1.2, Serial1 172.16.1.1), Router C (AS 400, loopback0 3.3.3.3, Serial0 172.16.1.2)</p>
<p>Let’s start by configuring Router A</p>
<p>router BGP 34 –&#62; As soon as we type 34, the BGP process will start in the background<br />
neighbor 192.168.1.2 remote-as 34  –&#62; BGP will know that this is IBGP by looking at the AS<br />
 </p>
<p>Router B</p>
<p>router BGP 34<br />
neighbor 192.168.1.1 remote-as 34<br />
neighbor 172.16.1.2 remote-as 400  –&#62; neighbor relationship with ebgp peer.<br />
neighbor 3.3.3.3 remote-as 400<br />
neighbor 3.3.3.3 ebgp-multihop 255  –&#62;  255 is the number of hops that the neighbor is away. We can use any number from 1-255; it can be more specific by using 1 or 2, but my personal fav is 255 as it avoids confusion.<br />
neighbor 3.3.3.3 update-source loopback 0 –&#62; Here is the idea: when it is sourcing the packets, it is sourcing them from the serial interface. We need to inform the other side that the source interface is not the serial interface but the loopback interface, so that it can match the IPs with the right interface and form the neighbor relationship.</p>
<p>We need a similar configuration on Router C</p>
<p>router bgp 400<br />
neighbor 172.16.1.1 remote-as 34<br />
neighbor 2.2.2.2 remote-as 34<br />
neighbor 2.2.2.2 ebgp-multihop 255<br />
neighbor 2.2.2.2 update-source loopback 0</p>
<p>Now, after forming the neighbor relationships, we’ll use network commands to add neighbors to the routing table. The network command in BGP is a bit different than the network command in other routing protocols. We’ll need to specify the mask keyword with the network command in order to advertise a classless network, whereas if it is using a default mask we can omit it.</p>
<p>Example</p>
<p>Router C</p>
<p>router bgp 400<br />
network 172.16.1.0 mask 255.255.255.0<br />
Note: I cannot use the network 172.16.0.0 command without the mask keyword, as it will treat this as a class B network. For any customised subnetting scheme we’ll need to specify the subnet mask with the mask keyword in the network command.</p>
<p>Even after configuring the above, Router A will not be able to talk with Router C. If we use the show ip bgp command on Router A, we’ll see that it has a valid route for Router C, but it will not be able to ping Router C. This is because the next hop will be 3.3.3.3, which is not directly connected with Router A. The first thing which will come to mind is that the rule of synchronisation has taken effect, but even after disabling synchronisation between Router A and Router B, Router C will not be reachable. We need a special command on Router B so that all IBGP peers of AS 34 can talk with AS 400.</p>
<p>To troubleshoot this we can use “debug ip bgp updates”, but before using this debug we should use the “clear ip bgp *” command. We’ll see that it shows there is no valid path for the networks on Router C. The next hop should be Router B, but in the updates it will show the next hop as Router C. To avoid this we will use the next-hop-self keyword on Router B.</p>
<p>Router B</p>
<p>router bgp 34</p>
<p>neighbor 192.168.1.1 next-hop-self</p>
<p>When Router B sends an update to Router A, it sends the update without changing its next hop, so Router A will receive the next hop as Router C, which is not directly connected. To avoid this we will use the next-hop-self command on Router B so that Router A receives a valid route.</p>
<p><a href="http://ciscotips.wordpress.com/2006/09/18/bgp-quick-tips/">http://ciscotips.wordpress.com/2006/09/18/bgp-quick-tips/</a></p>
]]></content:encoded>
</item>
<item>
<title><![CDATA[BGP... another hole in Internet security]]></title>
<link>http://installatore.wordpress.com/?p=40</link>
<pubDate>Tue, 16 Sep 2008 12:56:13 +0000</pubDate>
<dc:creator>installatore</dc:creator>
<guid>http://installatore.pt.wordpress.com/2008/09/16/bgpun-altro-buco-nella-sicurezza-di-internet/</guid>
<description><![CDATA[Al DefCon,due esperti di networking (Alex Pilosovand Anton &#8220;Tony&#8221; Kapela) hanno dimostra]]></description>
<content:encoded><![CDATA[<p>At DefCon, two networking experts (Alex Pilosov and Anton "Tony" Kapela) demonstrated how it is possible to exploit the excessive trust that the BGP protocol places in the information exchanged between the routers of the various ISPs, leaving it exposed to possible man-in-the-middle (MiM) attacks.</p>
<p><strong>How BGP works</strong></p>
<p>This routing protocol does nothing more than use a series of algorithms to compute the "best" path to a given subnet. Once computed, this path is spread to all neighboring routers, known as "neighbours". BGP will also consider a route more favorable the closer it is to the destination network. Here is an example...</p>
<p><span style="font-family:Courier New;">Network          Next Hop           Metric LocPrf Weight Path</span><br />
<span style="font-family:Courier New;">  *&#62;  151.1.0.0/16      5.198.4.2             0    100      0  100 ?</span><br />
<span style="font-family:Courier New;">  *&#62;  151.1.3.0/24     5.198.4.3             0    100      0  100 ?</span><br />
Above we see the output of BGP entries. Returning to the point made earlier, if for example we need to reach the address 151.1.3.34, the best path will be the second one, because it is "closer" than the first: the second entry announces a more specific subnet than the first, and therefore one more similar to the IP address we need to reach.</p>
<p><strong>Where the catch is...</strong></p>
<p>Since BGP will accept every route update as true and will elect as best path the one closest to the destination IP, a malicious actor could spread a false BGP update to divert traffic destined for a given IP address toward another, and it would always be considered true by the routers and announced to all "neighbours".</p>
<p>An event of this kind had already happened by mistake to YouTube, when Pakistan Telecom began spreading incorrect BGP updates for the route to YouTube; this made the site unreachable for several hours. You can read more about it here <a href="http://news.bbc.co.uk/1/hi/technology/7262071.stm">http://news.bbc.co.uk/1/hi/technology/7262071.stm</a></p>
<p>Unfortunately, setting up a BGP router, and thus being able to spread false updates, is very easy, as shown by the article below, where one is built using a simple Mac Mini. <a href="http://www.fubra.com/blog/2007/10/mac-mini-bgp-routers-part-2.html">http://www.fubra.com/blog/2007/10/mac-mini-bgp-routers-part-2.html</a></p>
<p>Below I include the PowerPoint presentation file used by the two experts at DefCon.</p>
<p><a href="http://installatore.wordpress.com/files/2008/09/edited-iphd-2.ppt">http://installatore.wordpress.com/files/2008/09/edited-iphd-2.ppt</a></p>
<p>Of course, to remedy this shortcoming in the protocol, which is the most widely used for connections between the various ISPs, a solution called S-BGP (Secure BGP) has been devised, which consists of a whole series of connections encrypted via IPsec and certificates to secure the exchange of information between the various enterprise routers. This would certainly eliminate the problem, but it would entail considerable expense to replace all the now obsolete routers which, because of their limited computing power, restricted memory and the very high number of connections they carry, would certainly not cope with the new protocol.</p>
<p>In conclusion, quoting Douglas Maughan (cybersecurity research program manager for the DHS's Science and Technology Directorate):</p>
<p>The only thing that can force them (to fix BGP) is if their customers ... start to demand security solutions</p>
]]></content:encoded>
</item>
<item>
<title><![CDATA[BGP-Peer, Separating Routing and Bandwidth Management ]]></title>
<link>http://kutchlux.wordpress.com/?p=612</link>
<pubDate>Tue, 16 Sep 2008 09:32:29 +0000</pubDate>
<dc:creator>kutchlux</dc:creator>
<guid>http://kutchlux.pt.wordpress.com/2008/09/16/bgp-peer-memisahkan-routing-dan-bandwidth-management/</guid>
<description><![CDATA[Dalam artikel ini, akan dibahas cara untuk melakukan BGP-Peer ke BGP Router Mikrotik Indonesia untuk]]></description>
<content:encoded><![CDATA[<p style="text-align:justify;"><img class="alignleft" src="http://www.cisco.com/en/US/i/100001-200000/150001-160000/155001-156000/155752.jpg" alt="" width="160" height="173" />This article discusses how to set up a BGP peer with the Mikrotik Indonesia BGP router in order to separate the gateways for international internet connectivity and OpenIXP (NICE). Once this separation is in place, queues will then be created for each client, which can limit usage of international and OpenIXP (NICE) bandwidth.</p>
<p><a href="http://kutchlux.com/blog/?p=63">click here</a></p>
]]></content:encoded>
</item>
<item>
<title><![CDATA[Routing BGP single default route]]></title>
<link>http://giat501.wordpress.com/?p=340</link>
<pubDate>Fri, 12 Sep 2008 10:22:35 +0000</pubDate>
<dc:creator>giat501</dc:creator>
<guid>http://giat501.pt.wordpress.com/2008/09/12/routing-bgp-single-default-route/</guid>
<description><![CDATA[Konfigurasi BGP dengan single default route merupakan settingan routing untuk mengenal routing netwo]]></description>
<content:encoded><![CDATA[<p style="text-align:justify;">Configuring <a href="http://giat501.wordpress.com/2008/07/12/bgp-border-gateway-protocol/" target="_blank"><span style="color:#0000ff;">BGP</span></a> with a single default route is a routing setup for reaching networks that lie outside the existing routing table. For example, where there is an interconnection with an ISP (internet service provider) through a neighbor router, the ISP's routes will not reach the router we own (and configure). For this we need the BGP router configuration <span style="color:#0000ff;"><em><strong>Default-originate</strong></em></span>; this setting lets the ISP's routing reach our router. The example below<br />
explains the configuration of a BGP router with Default-originate.</p>
<p style="text-align:justify;"><a href="http://giat501.wordpress.com/files/2008/09/default-originate11.jpg"><img class="aligncenter size-full wp-image-341" title="default-originate11" src="http://giat501.wordpress.com/files/2008/09/default-originate11.jpg" alt="" width="679" height="271" /></a> In the figure, the two routers are connected to each other using the same AS number, AS-1. Router A is connected to Router B over network 10.1.1.0, and the two routers can communicate with each other without any obstacle. Router B is connected to the ISP or Internet with network address 10.1.2.0/30; Router A cannot recognize this network because it lies outside Router A's routing table, so a default-route configuration is needed so that the outside network can be recognized. The default-route setting for a BGP router is different; here BGP uses its own setting, namely <strong>default-originate</strong>.</p>
<p style="text-align:justify;">Default-originate describes the networks outside the routing table we have. It is the same as the default-route routing setting used for internal routing.</p>
<p style="text-align:justify;"><strong>Router A</strong></p>
<p style="padding-left:30px;"><span style="color:#0000ff;">router bgp 1</span></p>
<p><span style="color:#0000ff;"> </span></p>
<p style="padding-left:30px;"><span style="color:#0000ff;">neighbor 10.1.1.2 remote-as 1</span></p>
<p><span style="color:#0000ff;"> </span></p>
<p style="padding-left:30px;"><span style="color:#0000ff;">no sync</span></p>
<p><strong>Router B</strong></p>
<p style="padding-left:30px;"><span style="color:#0000ff;">router bgp 1</span></p>
<p><span style="color:#0000ff;"> </span></p>
<p style="padding-left:30px;"><span style="color:#0000ff;">neighbor 10.1.1.1 remote-as 1</span></p>
<p><span style="color:#0000ff;"> </span></p>
<p style="padding-left:30px;"><span style="color:#0000ff;">neighbor 10.1.1.1 default-originate route-map exists</span><span style="color:#0000ff;"><br />
</span><span style="color:#0000ff;"> !</span></p>
<p><span style="color:#0000ff;"> </span></p>
<p style="padding-left:30px;"><span style="color:#0000ff;">access-list 1 permit 10.1.2.0 0.0.0.3</span></p>
<p><span style="color:#0000ff;"> </span></p>
<p style="padding-left:30px;"><span style="color:#0000ff;">!</span></p>
<p><span style="color:#0000ff;"> </span></p>
<p style="padding-left:30px;"><span style="color:#0000ff;">route-map exists permit 10</span></p>
<p><span style="color:#0000ff;"> </span></p>
<p style="padding-left:30px;"><span style="color:#0000ff;">match ip address 1</span></p>
<p style="text-align:justify;">The configuration above is the setting on the BGP router for obtaining the ISP's routing table, which will be introduced to Router A. Router B's configuration brings the internet network into Router B's BGP routing table so that Router A can learn of that network. After configuring, check the result in the routing table of each router, both Router A and Router B, with the command show ip route for the routing table and show ip route bgp for the BGP routing table. If the routing table of each router shows the ISP/Internet network address, the configuration was successful; if not, re-verify the configuration of each router.</p>
<p style="text-align:justify;"><strong>routerA#show ip bgp</strong></p>
<p style="padding-left:30px;"><span style="color:#0000ff;">BGP table version is 3, local router ID is 172.17.1.1</span></p>
<p><span style="color:#0000ff;"> </span></p>
<p style="padding-left:30px;"><span style="color:#0000ff;">Status codes: s suppressed, d damped, h history, * valid, &#62; best, i - internal</span></p>
<p><span style="color:#0000ff;"> </span></p>
<p style="padding-left:30px;"><span style="color:#0000ff;">Origin codes: i - IGP, e - EGP, ? - incomplete</span></p>
<p><span style="color:#0000ff;"> </span></p>
<p style="padding-left:30px;"><span style="color:#0000ff;">Network          Next Hop            Metric LocPrf Weight Path</span></p>
<p><span style="color:#0000ff;"> </span></p>
<p style="padding-left:30px;"><span style="color:#0000ff;">*&#62;i0.0.0.0          10.1.1.2                      100      0 i</span></p>
<p><span style="color:#0000ff;"> </span></p>
<p style="padding-left:30px;"><span style="color:#0000ff;">*&#62;i10.1.2.0/30      10.1.1.2                 0    100      0 i</span></p>
<p style="text-align:justify;"><strong>routerA#show ip route</strong></p>
<p style="padding-left:30px;"><span style="color:#0000ff;">Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP</span></p>
<p><span style="color:#0000ff;"> </span></p>
<p style="padding-left:30px;"><span style="color:#0000ff;">D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area</span></p>
<p><span style="color:#0000ff;"> </span></p>
<p style="padding-left:30px;"><span style="color:#0000ff;">N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2</span></p>
<p><span style="color:#0000ff;"> </span></p>
<p style="padding-left:30px;"><span style="color:#0000ff;">E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP</span></p>
<p><span style="color:#0000ff;"> </span></p>
<p style="padding-left:30px;"><span style="color:#0000ff;">i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default</span></p>
<p><span style="color:#0000ff;"> </span></p>
<p style="text-align:justify;padding-left:30px;"><span style="color:#0000ff;">U - per-user static route, o - ODR, P - periodic downloaded static route</span></p>
<p><span style="color:#0000ff;"> </span></p>
<p style="padding-left:30px;"><span style="color:#0000ff;">T - traffic engineered route</span></p>
<p><span style="color:#0000ff;"> </span></p>
<p style="padding-left:30px;"><span style="color:#0000ff;">Gateway of last resort is 10.1.1.2 to network 0.0.0.0</span></p>
<p><span style="color:#0000ff;"> </span></p>
<p style="padding-left:30px;"><span style="color:#0000ff;">10.0.0.0/30 is subnetted, 2 subnets</span></p>
<p><span style="color:#0000ff;"> </span></p>
<p style="padding-left:30px;"><span style="color:#0000ff;">B       10.1.2.0 [200/0] via 10.1.1.2</span></p>
<p><span style="color:#0000ff;"> </span></p>
<p style="padding-left:30px;"><span style="color:#0000ff;">C       10.1.1.0 is directly connected, Serial0</span></p>
<p><span style="color:#0000ff;"> </span></p>
<p style="padding-left:30px;"><span style="color:#0000ff;">B*   0.0.0.0/0 [200/0] via 10.1.1.2</span></p>
<p style="text-align:justify;">Router A's routing table shows the networks introduced by Router B. Network 10.1.2.0 is the ISP/Internet network that Router B has originated via default-originate. Network 10.1.1.0 is the network directly connected between the two routers. If there is a problem, don't keep it to yourself; ask someone who understands it better. <em><span style="color:#0000ff;">do the best job and you’ll be happy</span></em></p>
]]></content:encoded>
</item>
<item>
<title><![CDATA[The Internet's Biggest Security Hole: exploiting the internet routing protocol BGP (Border Gateway Protocol)]]></title>
<link>http://mauriziostorani.wordpress.com/?p=455</link>
<pubDate>Fri, 05 Sep 2008 08:40:38 +0000</pubDate>
<dc:creator>Maurizio Storani</dc:creator>
<guid>http://mauriziostorani.pt.wordpress.com/2008/09/05/the-internets-biggest-security-hole-exploits-the-internet-routing-protocol-bgp-border-gateway-protocol/</guid>
<description><![CDATA[[...] Two security researchers have demonstrated a new technique to stealthily intercept internet tr]]></description>
<content:encoded><![CDATA[<p><img class="alignleft" style="margin:3px 8px;" src="http://www.blogiseverything.com/files/pics/largest_drain_hole03.jpg" alt="" width="240" height="179" />[<a href="http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html" target="_blank">...</a>] <a href="http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html" target="_blank">Two security researchers have demonstrated a new technique to stealthily</a> intercept internet traffic on a scale previously presumed to be unavailable to anyone outside of intelligence agencies like the National Security Agency.</p>
<p>The tactic exploits the internet routing protocol BGP (Border Gateway Protocol) to let an attacker surreptitiously monitor unencrypted internet traffic anywhere in the world, and even modify it before it reaches its destination.</p>
<p>The demonstration is only the latest attack to highlight fundamental security weaknesses in some of the internet's core protocols. Those protocols were largely developed in the 1970s with the assumption that every node on the then-nascent network would be trustworthy.  The world was reminded of the quaintness of that assumption in July, when researcher Dan Kaminsky disclosed a serious vulnerability in the DNS system. Experts say the new demonstration targets a potentially larger weakness.[<a href="http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html" target="_blank">...</a>] (<a href="http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html" target="_blank">more</a>)</p>
<h3 style="text-align:center;">O'Reilly TV: Dan Kaminsky on the DNS Bug of 2008</h3>
<p style="text-align:center;"><span style='text-align:center; display: block;'><object width='425' height='350'><param name='movie' value='http://www.youtube.com/v/B0dHDD9fFM4'></param><param name='wmode' value='transparent'></param><embed src='http://www.youtube.com/v/B0dHDD9fFM4&rel=0' type='application/x-shockwave-flash' wmode='transparent' width='425' height='350'></embed></object></span></p>
]]></content:encoded>
</item>
<item>
<title><![CDATA[On Inferring Autonomous System Relationships in the Internet]]></title>
<link>http://berthalemu.wordpress.com/?p=21</link>
<pubDate>Thu, 04 Sep 2008 06:45:36 +0000</pubDate>
<dc:creator>berthalemu</dc:creator>
<guid>http://berthalemu.pt.wordpress.com/2008/09/03/on-inferring-autonomous-system-relationships-in-the-internet/</guid>
<description><![CDATA[This paper aimed to infer AS relationships in the Internet, classifying them as customer-provider, p]]></description>
<content:encoded><![CDATA[<p>This paper aimed to infer AS relationships in the Internet, classifying them as customer-provider, peering, or sibling (mutual transit and backup).  BGP allows each AS to choose its own policy for selecting the best route and for exporting and importing routes, and these policies are oftentimes influenced by commercial contractual relationships. A subtlety missed by research efforts before this paper is that since BGP is policy-based, connectivity doesn't imply reachability. The likelihood of policy conflicts is high, but that situation is difficult to remedy when policies are held secret and without available documentation of inter-AS relationships.</p>
<p>The authors represent relationships via an annotated AS graph, with ASs as nodes and edges labeled with the relationship class. Directed edges connect providers and consumers. Routes in the graph are labeled by the first non-sibling-to-sibling edge in its AS path. Each AS determines its export policies based on its relationships with its neighbors. BGP export policies state that when exporting to a customer or sibling, an AS can export (1) its routes, (2) its consumer routes, and (3) its provider and peer routes. When exporting to a provider or peer, however, ASs usually do not support (3). These constraints are encoded into the authors' selective export rule in their graph. The authors prove that export policies can be inferred from routing table entries by inspecting AS paths. When the selective export rule is used, an AS path can be proven to be valley-free: provider-to-consumer and peer-to-peer edges can be followed by only provider-to-consumer or sibling-to-sibling edges. The authors further show that an AS path is partitioned either as a (1) max uphill path -&#62; peer-to-peer edge -&#62; max downhill path, or (2) max uphill path -&#62; max downhill path. Using the notion that the AS with the highest degree is the top provider of an AS path, the authors can infer consecutive pairs before the top provider are customer-provider or siblings, while those afterwards are provider-to-customer or siblings. To determine peering relationships, a couple more heuristics are used (e.g. a top provider would be in a peering relationship with its largest neighbor and that a pair of peering ASs do not differ much in size).</p>
<p>This paper is a keeper because it shows the implications of BGP being policy-based on the connectivity of the Internet, as well as enhancing the previous paper about what could happen between ASs and what actually happens between them in practice. I'm wondering how meaningful it is that the authors discovered 90.5% of the relationships were provider-consumer. What would people expect the percentage to be? I'm also interested to see the authors' future work on building tools that would utilize the knowledge gained from inferring AS relationships.</p>
]]></content:encoded>
</item>
<item>
<title><![CDATA[Interdomain Internet Routing]]></title>
<link>http://berthalemu.wordpress.com/?p=18</link>
<pubDate>Thu, 04 Sep 2008 06:08:53 +0000</pubDate>
<dc:creator>berthalemu</dc:creator>
<guid>http://berthalemu.pt.wordpress.com/2008/09/03/interdomain-internet-routing/</guid>
<description><![CDATA[This paper describes the implications of having the Internet service provided by companies who are c]]></description>
<content:encoded><![CDATA[<p>This paper describes the implications of having the Internet service provided by companies who are competing, while simultaneously needing to cooperate. The Border Gateway Protocol (BGP) is a wide area routing protocol that exchanges reachability information on the boundaries of ISPs, each of which is an autonomous system (AS) that chooses how to route packets to the rest of the Internet. The geographic area that ISPs cover partitions them into one of three tiers: (3) local, (2) regional, and (1) global.  Interior Gateway Protocols (IGP) within each AS are more concerned with optimizing a path metric than facilitating a scalable routing policy like BGP.</p>
<p>Relationships between each AS determine their communication. In a provider-consumer transit relationship, an AS provides access to the destinations in its routing tables. In a peering relationship, ASs provide mutual access to each other's routing tables, as they are interested in each other's transit customers; this results in a direct link for customers across ISPs and has better end-to-end performance. Peering relationships can be tricky, though, if there is an asymmetric traffic ratio, since both ASs want an unpaid deal to be satisfactory.</p>
<p>One of the key ideas in this paper is that ISPs want to provide service they can make money from. The implicit interdomain routing implies that ISPs charge customers for the entries in their routing tables. Each ISP filters its exported routes because it doesn't want to offer transit that it isn't making money on: it wants to advertise routes to its customers to as many other ASs as possible, since more traffic carried for a customer results in more money. On the other hand, an ISP doesn't want to advertise to peers that could use it to reach a destination without making it any money. Choosing which paths to destinations a router should import into its routing table is another financially-motivated decision, resulting in the prioritized list: customer &#62; peer &#62; provider, which is implemented in BGP via the LOCAL PREF attribute. BGP's design goals include that (1) the routing infrastructure should scale with the number of connected networks, (2) each AS should be able to implement a variety of routing policies, and (3) ASs should be able to make local routing decisions.</p>
<p>To start a BGP session, a router connects to BGP over TCP and they exchange routing tables with active routes. Within the session, the router can send UPDATE (to announce route changes or to withdraw routes) or KEEPALIVE ("I'm still here!") messages, which both serve to show that the router is still functioning. Routers in an AS have eBGP sessions with neighboring ASs, then have iBGP sessions with other routers within the AS, ensuring that eBGP-learned routes are forwarding-loop-free and that the external routes learned for an AS are the same regardless of which eBGP router in the AS was used. Route announcements set several attributes that affect path selection: next hop, AS PATH (list of ASs gone through), and MED (choose between multiple exit paths). All this leads to the priority ordering of routes via their attributes: LOCAL PREF, ASPATH, MED, eBGP &#62; iBGP, IGP path, Router ID.</p>
<p>I was fascinated by how much financial gain factors into routing decisions, dashing my idealist views and reminding me again how research agendas can be altered by business agendas. Still, the paper had a very thorough explanation of how the relationships between ASs influence their policies. One thing I'm a little confused about is why all this finagling of routing paths didn't cause some uproar of "my rights are being violated!" similar to the net neutrality hubbub.  I also wonder what the observable performance impact is for the layperson.</p>
<p>And I just realized that every time I mentioned multiple Autonomous Systems, I was really just writing "ass." Awesome.  I think I'll keep it.</p>
]]></content:encoded>
</item>
<item>
<title><![CDATA[The last few weeks]]></title>
<link>http://rbcciequest.wordpress.com/?p=197</link>
<pubDate>Wed, 03 Sep 2008 15:08:37 +0000</pubDate>
<dc:creator>Richard @ Configureterminal.com</dc:creator>
<guid>http://rbcciequest.pt.wordpress.com/2008/09/03/the-last-few-weeks/</guid>
<description><![CDATA[Weeks 29 to 34 → “No excuses now”

Weeks 29 to 34 Study Time (estimated):
Study Hours = 26 i]]></description>
<content:encoded><![CDATA[<p><a name="OLE_LINK2"></a><a name="OLE_LINK1"><span><span style="font-size:11pt;font-family:Georgia;">Weeks 29 to 34 </span></span></a><span><span><span style="font-size:11pt;font-family:Wingdings;"><span>→</span></span></span></span><span><span><span style="font-size:11pt;font-family:Georgia;"> “No excuses now”</span></span></span></p>
<table class="MsoTableGrid" style="border:1px dotted #800000;background:#f3f3f3;border-collapse:collapse;" border="1" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td style="width:257.4pt;background-color:transparent;border:maroon 1pt dashed;padding:0 5.4pt;" width="343" valign="top"><span><span><strong><em><span style="font-size:11pt;color:#800000;font-family:Georgia;"><br />
Weeks 29 to 34 Study Time (estimated):</span></em></strong></span></span><span><span><span style="font-size:11pt;font-family:Georgia;"><br />
</span></span></span><span><span><span style="font-size:10pt;font-family:Georgia;">Study Hours = 26 inc.</span></span></span><span><span><span style="font-size:11pt;font-family:Georgia;"><br />
</span></span></span><span><span><span style="font-size:10pt;font-family:Georgia;">Lab Hours = 3</span></span></span><span><span><span style="font-size:11pt;font-family:Georgia;"><span><span><strong><em><span style="font-size:8pt;color:#800000;font-family:Georgia;">Total study time so far:</span></em></strong></span></span><span><span><span style="font-size:8pt;font-family:Georgia;"><br />
Total Study Hours = 355<span>  </span>inc.<br />
Total Lab Hours = 23.5</span></span></span></p>
<div><span><span></span></span></div>
<p></span></span></span><span><span><span style="font-size:11pt;font-family:Georgia;"><strong><em><span style="color:#800000;">What I have studied during the last 4 weeks:</span></em></strong><br />
“Bridging and LAN Switching”<br />
“TCP/IP”<br />
“IP Routing” inc. RIP, EIGRP, + OSPF</p>
<p><strong><em><span style="color:#800000;">Recent test scores:</span></em></strong><br />
None (CCIE QuickFire Workbook only – about 85% correct first time)</p>
<p></span></span></span></td>
<p> </tr>
</tbody>
</table>
<p><span style="font-size:11pt;font-family:Georgia;"><br />
After a few weeks of not being able to put the number of hours I would like to into studying I can now see the light at the end of the tunnel. <span> </span>I am hoping that everything should return to ‘normal’ from now on – I have just returned from the last of the trips-away scheduled for during my first few weeks at Cisco (2-day training course) and will now be at home in the evenings for the immediate future.<span>  </span>Within the limited number of study hours I have managed to do over the last few weeks I have used some of the time to start and finish documenting (inc. labbing) all of the methods of route filtering for RIP that I can think of/find, and also to start doing the same thing for EIGRP – the idea being that I will complete the task for each routing protocol on the CCIE R&#38;S blueprint.<br />
I recognised a while back that I was in desperate need of some way of ‘mixing-up’ my learning, and so, I decided to spend some time working through creating some ‘pretty’ images that depict various configuration practices – allowing me to mix theory with some CLI time</span><span style="font-size:11pt;font-family:Wingdings;"><span>☺</span></span></p>
<div><span style="font-size:11pt;font-family:Georgia;"><br />
I have <em>traffic blackholing/dropping</em>, <em>advert filtering</em>, and <em>neighbor adjacency prevention</em> on my todo list in addition to the route filtering I am working on now.<br />
Here is what I’ve put together for RIP Route Filtering:</span></div>
<p><span style="font-size:11pt;font-family:Georgia;"><a href="http://rbcciequest.wordpress.com/files/2008/09/route_filtering-rip.png" target="_blank"><img class="alignnone size-medium wp-image-202" src="http://rbcciequest.wordpress.com/files/2008/09/route_filtering-rip.png?w=31" alt="" width="31" height="300" /></a><br />
<span style="font-size:9pt;font-family:Georgia;">Please note.<span>  </span>It’s a large image/file that needs some zooming to be readable – it might be worthwhile downloading it first.<br />
Please please please leave a comment if I have missed any methods/made any mistakes</span><span style="font-size:9pt;font-family:Wingdings;"><span>☺</span></span></p>
<div><span style="font-size:11pt;font-family:Georgia;"><br />
I plan to complete the EIGRP image, work through OSPF, and then finish with BGP.</span></div>
<p></span><span style="font-size:11pt;font-family:Georgia;">Leanne continues to be a star – I don’t mention her enough on this blog - without her support (inc. a kick up the **** every now and again) I would really struggle to stay focused on the prize at stake.<span>  </span>It was a very personal goal of mine in the past but now I’m also looking around at Cisco and realising that I have so much catching up to do! – the amount the people around me know not only about technologies/protocols but the Cisco hardware itself is quite astonishing!<span>  </span>And R&#38;S is just “the basics” in many people’s eyes!</p>
<p>Lastly, I thought I would share some pics from last week - my first visit to San Francisco, and my first GSM:</p>
<p><img class="alignnone size-medium wp-image-203" src="http://rbcciequest.wordpress.com/files/2008/09/gsm_intro.jpg?w=300" alt="" width="300" height="225" /><span style="font-size:9pt;font-family:Georgia;"><br />
This is just before Rick Justice’s Hollywood style entrance (John Chambers closed the show)</span><span style="font-size:11pt;font-family:Georgia;"></p>
<p><img class="alignnone size-medium wp-image-204" src="http://rbcciequest.wordpress.com/files/2008/09/bay_bridge.jpg?w=300" alt="" width="300" height="225" /></span><span style="font-size:9pt;font-family:Georgia;"><br />
A view of the Bay Bridge from the restaurant hosting my team’s get-together dinner – the sheer size of it is a sight to behold - the island to the left isn't the end of it!</span><span style="font-size:11pt;font-family:Georgia;"></p>
<p><img class="alignnone size-medium wp-image-205" src="http://rbcciequest.wordpress.com/files/2008/09/night_skyline_hotel.jpg?w=300" alt="" width="300" height="225" /></span><span style="font-size:9pt;font-family:Georgia;"><br />
San Francisco @ Night – taken from the lift/elevator of the hotel I was staying in (nobody else was in the lift at the time!)</span></p>
<p></span></p>
<p><span style="font-size:11pt;font-family:Georgia;">Oh, and it was my daughter's first day at school today!<span>  </span>Wow, I can't believe how quickly she has grown up!</span></p>
]]></content:encoded>
</item>

</channel>
</rss>
