BGP Conditional Advertisement

BGP Conditional Advertisement gives the impression of a very complex task. Actually, you will find it very easy to implement once you understand it.

In simple words, I would say that BGP conditional advertisement is a feature that lets you advertise a prefix to one of your neighbors only if a mandatory condition is satisfied. To implement this feature you must configure two of the following three maps: the advertise-map plus one of the two condition maps.

– Advertise-map -> contains the selected prefixes, which will be advertised if the mandatory condition is satisfied
– Exist-map -> the condition to be satisfied (e.g. advertise the prefixes in the “advertise-map” only if the prefixes in this map exist in the BGP table)
– Non-exist-map -> the condition to be satisfied (e.g. advertise the prefixes in the “advertise-map” only if the prefixes in this map do not exist in the BGP table)

Let’s take an example. We have the following topology:

We have here a simple topology, with eBGP peering between R1 – R2 and R2 – R3. Each router has a Loopback interface with the following IP addresses:

R1 – L0 – 1.1.1.1 /24
R2 – L0 – 2.2.2.2 /24
R3 – L0 – 3.3.3.3 /24

These interfaces are advertised into BGP and they have full reachability:

R2#sh ip bgp sum | b Nei
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.10.12.1      4   100       5       4        0    0    0 00:01:27        1
10.10.23.3      4   300       2       2        0    0    0 00:00:24        0
 
R2#sh ip bgp | b Net
   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.0/24       10.10.12.1               0             0 100 i
*> 2.2.2.0/24       0.0.0.0                  0         32768 i
*> 3.3.3.0/24       10.10.23.3               0             0 300 i
 
R2#sh ip route bgp
     1.0.0.0/24 is subnetted, 1 subnets
B       1.1.1.0 [20/0] via 10.10.12.1, 00:04:02
     3.0.0.0/24 is subnetted, 1 subnets
B       3.3.3.0 [20/0] via 10.10.23.3, 00:04:02

Task

An easy task would ask you to solve something like: if 1.1.1.0 /24 is NOT in the BGP table of R2, then R2 should advertise its 2.2.2.0 /24 to R3.

Solution

Let’s analyze this request a little bit. The prefix that is advertised or not, depending on whether the condition is satisfied, is 2.2.2.0 /24. According to what I said before about the necessary “maps” for BGP conditional advertisement, this prefix goes into the “advertise-map”. R2 is the only router you need to configure to accomplish this task.

conf t
access-list 2 permit 2.2.2.0 0.0.0.255
route-map ADVERTISE permit 10
match ip address 2

OK, we have the advertise map. What about the condition? The task requests that 2.2.2.0 /24 be advertised only if 1.1.1.0 /24 does NOT exist in the BGP table of R2. By logical deduction, a “non-exist-map” is what we need to configure.

conf t
access-list 1 permit 1.1.1.1 0.0.0.255
route-map NOT-EXIST permit 10
match ip address 1

Let’s add everything together in BGP:

conf t
router bgp 200
neighbor 10.10.23.3 advertise-map ADVERTISE non-exist-map NOT-EXIST

Verification

On R2 check the BGP table:

R2#sh ip bgp | b Net
   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.0/24       10.10.12.1               0             0 100 i
*> 2.2.2.0/24       0.0.0.0                  0         32768 i
*> 3.3.3.0/24       10.10.23.3               0             0 300 i

We have the 1.1.1.0 /24 prefix in the BGP table. According to our task, 2.2.2.0 /24 should be advertised if 1.1.1.0 /24 does NOT EXIST. Conversely, if 1.1.1.0 /24 EXISTS, 2.2.2.0 /24 should NOT be advertised. You see? It’s just a tricky word game.

R2#sh ip bgp neigh 10.10.23.3 adv | b Network
   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.0/24       10.10.12.1               0             0 100 i
 
Total number of prefixes 1

We advertise only one network; 2.2.2.0 /24 is not advertised to R3:

R3#sh ip bgp | b Net
   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.0/24       10.10.23.2                             0 200 100 i
*> 3.3.3.0/24       0.0.0.0                  0         32768 i

To check that the conditional advertisement really works, stop R1 from announcing 1.1.1.0 /24 in BGP. You can simply shut down the Loopback interface.
Then check whether the L0 prefix of R1 is still in the routing table / BGP table of R2:

R2#sh ip bgp | b Net
   Network          Next Hop            Metric LocPrf Weight Path
*> 2.2.2.0/24       0.0.0.0                  0         32768 i
*> 3.3.3.0/24       10.10.23.3               0             0 300 i

1.1.1.0 /24 is no longer in the BGP table of R2, so 2.2.2.0 /24 should now be advertised to R3:

R2#sh ip bgp neigh 10.10.23.3 adv | b Network
   Network          Next Hop            Metric LocPrf Weight Path
*> 2.2.2.0/24       0.0.0.0                  0         32768 i
 
Total number of prefixes 1

On R3:

R3#sh ip bgp | b Net
   Network          Next Hop            Metric LocPrf Weight Path
*> 2.2.2.0/24       10.10.23.2               0             0 200 i
*> 3.3.3.0/24       0.0.0.0                  0         32768 i

Remember that usually in the exams, the tasks related to BGP Conditional Advertisement are more word tricks than complex configuration. As an example, based on the above topology, solve the following:
– If 1.1.1.0 /24 and 2.2.2.0 /24 are both in the BGP table of R2, both prefixes should be advertised to R3
– If 1.1.1.0 /24 is not in the BGP table of R2, then 2.2.2.0 /24 should not be advertised to R3
– If 1.1.1.0 /24 and 2.2.2.0 /24 are not in the BGP table of R2, then none of them should be advertised to R3

If you don’t understand the trick, let me know and I will explain.
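To make the exist / non-exist logic concrete, here is an added Python model (my code, not from the original post, and not IOS code): it applies the standard-ACL wildcard matching used by the page’s route-maps to a constructed copy of R2’s BGP table and returns what R2 would send to R3 under the page’s non-exist-map configuration and, as a generalization, under an exist-map. The table contents, the helper names and the “never send a route back to the peer it was learned from” rule are my assumptions for the model.

```python
import ipaddress

# Constructed model of R2's BGP table from the page's "sh ip bgp" output:
# prefix -> next hop ("0.0.0.0" means locally originated).
R2_BGP_TABLE = {
    "1.1.1.0/24": "10.10.12.1",   # learned from R1 (AS 100)
    "2.2.2.0/24": "0.0.0.0",      # R2's own Loopback
    "3.3.3.0/24": "10.10.23.3",   # learned from R3 (AS 300)
}

# The page's standard ACLs as (action, address, wildcard) tuples.
ACL_2_ADVERTISE = [("permit", "2.2.2.0", "0.0.0.255")]
ACL_1_NOT_EXIST = [("permit", "1.1.1.1", "0.0.0.255")]  # IOS stores this as 1.1.1.0 0.0.0.255


def acl_matches(prefix, acl):
    """Standard-ACL semantics used by 'match ip address' in a route-map:
    the prefix's network address is compared only on bits where the wildcard is 0.
    Returns True on a permit, False on a deny or on the implicit deny at the end."""
    addr = int(ipaddress.ip_network(prefix).network_address)
    for action, address, wildcard in acl:
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if addr & care == int(ipaddress.ip_address(address)) & care:
            return action == "permit"
    return False


def conditional_advertisement(bgp_table, neighbor, advertise_map, condition_map, mode):
    """Prefixes a router sends to `neighbor`.  `mode` is "non-exist-map" or
    "exist-map" (page definitions: advertise the advertise-map prefixes only
    if the condition prefixes are absent from / present in the local BGP table).
    Prefixes outside the advertise-map follow normal BGP rules; a route is never
    sent back to the peer it was learned from (assumption of this model)."""
    if mode not in ("non-exist-map", "exist-map"):
        raise ValueError("mode must be 'non-exist-map' or 'exist-map'")
    present = any(acl_matches(p, condition_map) for p in bgp_table)
    condition_met = (not present) if mode == "non-exist-map" else present
    sent = set()
    for prefix, next_hop in bgp_table.items():
        if next_hop == neighbor:
            continue                      # learned from this peer: not sent back
        if acl_matches(prefix, advertise_map) and not condition_met:
            continue                      # advertise-map prefix, condition not met
        sent.add(prefix)
    return sent


def r2_advertises_to_r3(bgp_table):
    """The page's configuration:
    neighbor 10.10.23.3 advertise-map ADVERTISE non-exist-map NOT-EXIST"""
    return conditional_advertisement(
        bgp_table, "10.10.23.3", ACL_2_ADVERTISE, ACL_1_NOT_EXIST, "non-exist-map")


if __name__ == "__main__":
    print("1.1.1.0/24 present  :", sorted(r2_advertises_to_r3(R2_BGP_TABLE)))
    r1_down = {p: nh for p, nh in R2_BGP_TABLE.items() if p != "1.1.1.0/24"}
    print("1.1.1.0/24 withdrawn:", sorted(r2_advertises_to_r3(r1_down)))
```

Running it reproduces the two “sh ip bgp neigh 10.10.23.3 adv” outputs from the verification section: only 1.1.1.0/24 while R1’s Loopback is present, only 2.2.2.0/24 once it is withdrawn.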


RIPv2 MD5 authentication – routing trick

I must admit that the following example is more a CCIE exam topic than a solution you would add to a real network environment.

Let’s assume that we have the following topology:


The Loopback interfaces are there to have some networks which we will advertise into RIPv2. The request for this topic is to have RIPv2 MD5 authentication in place, with Router1 receiving all routes from Router2, but Router2 having no prefixes from Router1 in its routing table. Don’t use any access-list, prefix-list, distribute-list, or RIP send / receive version command under the interface… in short, don’t use anything commonly used to carry out this task.

Let’s start the configuration:
Router 1
!
router rip
version 2
network 10.0.0.0
network 192.168.0.0
network 192.168.1.0
network 192.168.2.0
network 192.168.3.0
network 192.168.4.0
network 192.168.5.0
no auto-summary
!
!! Let’s define the key chain
!! RIPv2 MD5 authentication needs
!! to have the same key number on
!! both ends
key chain RIP
key 1
key-string cisco
!
!! Let’s apply RIPv2 authentication
int fa0/1
ip rip authentication mode md5
ip rip authentication key-chain RIP
!
Now the configuration on Router 2
!
router rip
version 2
network 10.0.0.0
network 172.16.0.0
no auto-summary
!
key chain RIP
key 1
key-string cisco
!
int fa0/0
ip rip authentication mode md5
ip rip authentication key-chain RIP

If you want to check that the RIPv2 authentication is running fine, shutdown / no shutdown one interface and, on the other end, run:
debug ip rip
You should see something like:
*Mar 12 03:22:08.261: RIP: received packet with MD5 authentication

OK, let’s check the routing tables.

Router1

R1#sh ip route rip
R 172.16.4.0 [120/1] via 10.10.12.2, 00:00:20, FastEthernet0/1
R 172.16.5.0 [120/1] via 10.10.12.2, 00:00:20, FastEthernet0/1
R 172.16.0.0 [120/1] via 10.10.12.2, 00:00:20, FastEthernet0/1
R 172.16.1.0 [120/1] via 10.10.12.2, 00:00:20, FastEthernet0/1
R 172.16.2.0 [120/1] via 10.10.12.2, 00:00:20, FastEthernet0/1
R 172.16.3.0 [120/1] via 10.10.12.2, 00:00:20, FastEthernet0/1

Router 2

R2#sh ip route rip
R 192.168.4.0/24 [120/1] via 10.10.12.1, 00:00:23, FastEthernet0/0
R 192.168.5.0/24 [120/1] via 10.10.12.1, 00:00:23, FastEthernet0/0
R 192.168.0.0/24 [120/1] via 10.10.12.1, 00:00:23, FastEthernet0/0
R 192.168.1.0/24 [120/1] via 10.10.12.1, 00:00:23, FastEthernet0/0
R 192.168.2.0/24 [120/1] via 10.10.12.1, 00:00:23, FastEthernet0/0
R 192.168.3.0/24 [120/1] via 10.10.12.1, 00:00:23, FastEthernet0/0

We have all routes. Until now we have just configured RIPv2 with authentication, which is working fine, but we still haven’t accomplished our task.
Here is how we will do it. I found this out recently. I believe some of you already know this trick, but for the rest it will be pretty interesting.

MD5 authentication in RIPv2 states that the key number in the key chain has to be the same on both ends so that everything runs fine. But what if we change one key to a number higher than (in our case) 1?

The result is that the router with the higher key number will receive ALL routes and the one with the lower key number will receive NO routes. Our task is that R1 has all routes but R2 has no prefixes (from the RIP process) in its routing table. Since both keys have number 1, we cannot lower the key number on R2, so we have to increase it on R1.

On Router 1
!
R1#conf t
R1(config)#key chain RIP
R1(config-keychain)#no key 1
R1(config-keychain)#key 5
R1(config-keychain-key)#key-string cisco
R1(config-keychain-key)#end

Let’s check the routing table again on those two devices. You may want to clear the IP routing table to speed up the process.

Router 1

R1#sh ip route rip
R 172.16.4.0 [120/1] via 10.10.12.2, 00:00:06, FastEthernet0/1
R 172.16.5.0 [120/1] via 10.10.12.2, 00:00:06, FastEthernet0/1
R 172.16.0.0 [120/1] via 10.10.12.2, 00:00:06, FastEthernet0/1
R 172.16.1.0 [120/1] via 10.10.12.2, 00:00:06, FastEthernet0/1
R 172.16.2.0 [120/1] via 10.10.12.2, 00:00:06, FastEthernet0/1
R 172.16.3.0 [120/1] via 10.10.12.2, 00:00:06, FastEthernet0/1

Router 2

R2#sh ip route rip

There is nothing in the routing table.

Let’s check with ping:

R1#ping 172.16.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/13/24 ms

Of course it works, as the source address of the packet is that of the directly connected interface. Let’s try to ping with the source set to one of the Loopback interfaces on R1:

R1#ping 172.16.1.1 source lo10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.1
.....
Success rate is 0 percent (0/5)

It’s not working, as R2 does not have a route back to the Loopback10 subnet, which is 192.168.0.0 /24.

If you do a “debug ip rip” on R2 you will see something like this:

*Mar 12 03:39:57.001: RIP: ignored v2 packet from 10.10.12.1 (invalid authentication)
*Mar 12 03:39:58.261: RIP: received packet with MD5 authentication

I hope this example will help in your preparation.
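As an added illustration (my code, not from the post), the following Python builds RIPv2 updates with an RFC 2082-style keyed-MD5 trailer and verifies them against a key chain. The receiver’s key-number lookup is an assumption I modelled to reproduce the asymmetry the post observes: under an exact-match policy nothing passes, while under a “next-higher key” policy a router holding key 5 accepts updates signed with key 1 and the router holding only key 1 ignores updates signed with key 5. The packet layout is simplified, and the prefixes and key chains are constructed sample data.

```python
import hashlib
import hmac
import ipaddress
import struct

AUTH_FAMILY = 0xFFFF        # address-family marker of an authentication entry
AUTH_TYPE_MD5 = 3           # RFC 2082 "Keyed Message Digest"
AUTH_TRAILER_TYPE = 0x0001  # RFC 2082 authentication data trailer
ROUTE_ENTRY = "!HH4s4s4sI"  # family, route tag, address, mask, next hop, metric


def _digest(body, secret):
    # RFC 2082 style (simplified): MD5 over the packet up to and including the
    # trailer header, followed by the secret padded / truncated to 16 bytes.
    key = secret.encode().ljust(16, b"\x00")[:16]
    return hashlib.md5(body + key).digest()


def build_rip_update(key_id, secret, routes, seq=1):
    """RIPv2 response carrying `routes` (prefix strings) plus a keyed-MD5
    authentication entry and trailer.  Simplified: metric 1, next hop 0.0.0.0."""
    entries = b"".join(
        struct.pack(ROUTE_ENTRY, 2, 0, n.network_address.packed, n.netmask.packed, b"\0" * 4, 1)
        for n in map(ipaddress.ip_network, routes))
    header = struct.pack("!BBH", 2, 2, 0)          # command=2 (response), version=2
    trailer_offset = len(header) + 20 + len(entries)
    auth_entry = struct.pack("!HHHBBI8s", AUTH_FAMILY, AUTH_TYPE_MD5,
                             trailer_offset, key_id, 20, seq, b"\0" * 8)
    body = header + auth_entry + entries + struct.pack("!HH", AUTH_FAMILY, AUTH_TRAILER_TYPE)
    return body + _digest(body, secret)


def verify_rip_update(packet, keychain, policy="next-higher"):
    """Receiver side.  `keychain` maps key number -> secret.  Returns the route
    list when authentication succeeds, or None when the packet is ignored
    (the page's "invalid authentication").
    Key lookup is an assumption modelled after the page's observation:
      "exact"       - the sender's key number must exist locally;
      "next-higher" - otherwise the lowest local key number above it is tried."""
    family, atype, trailer_offset, key_id, _, _ = struct.unpack("!HHHBBI", packet[4:16])
    if family != AUTH_FAMILY or atype != AUTH_TYPE_MD5:
        return None
    body = packet[:trailer_offset + 4]
    digest = packet[trailer_offset + 4:trailer_offset + 20]
    candidates = [k for k in sorted(keychain)
                  if k == key_id or (policy == "next-higher" and k > key_id)]
    if not candidates or not hmac.compare_digest(digest, _digest(body, keychain[candidates[0]])):
        return None
    routes = []
    for off in range(24, trailer_offset, 20):
        _, _, addr, mask, _, _ = struct.unpack(ROUTE_ENTRY, packet[off:off + 20])
        routes.append(str(ipaddress.ip_network(
            f"{ipaddress.ip_address(addr)}/{ipaddress.ip_address(mask)}")))
    return routes


def page_scenario(policy="next-higher"):
    """R1 moved to key 5, R2 still on key 1, same key-string (as on the page)."""
    r1_chain, r2_chain = {5: "cisco"}, {1: "cisco"}
    from_r2 = build_rip_update(1, "cisco", ["172.16.0.0/24", "172.16.1.0/24"])
    from_r1 = build_rip_update(5, "cisco", ["192.168.0.0/24", "192.168.1.0/24"])
    return {"R1 learns": verify_rip_update(from_r2, r1_chain, policy),
            "R2 learns": verify_rip_update(from_r1, r2_chain, policy)}


if __name__ == "__main__":
    for side, routes in page_scenario().items():
        print(side, "->", routes if routes is not None else "ignored (invalid authentication)")
```

The digest check uses a constant-time comparison, and a wrong key-string or a modified route entry is rejected regardless of the key-number policy; only the key-number lookup is the part modelled after the post.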


InterVLAN routing using Private VLANs

Private VLANs are one possible solution for service providers to offer secure connections to their customers and avoid inter-VLAN communication in the same switched environment.

I’m sure that you have heard of (and most probably already practiced) InterVLAN routing. When it comes to Private VLANs, the routing part may be a bit tricky. Keep in mind that this is not something I would recommend as a standard in a production environment, but for things like Cisco exams (e.g. CCIE R&S) or as a last-resort solution, it may work.

Please consider the following simple topology:

With simple InterVLAN routing, things are easy.
On the Layer 3 switch you configure the following:
!! We assume that the L2 configuration, like access port in the
!! correct VLAN, is already there
!! Only the routing part will be shown here
configure terminal
!
ip routing
!
vlan 10
!
vlan 20
!
interface vlan 10
ip address 10.10.10.254 255.255.255.0
!
interface vlan 20
ip address 20.20.20.254 255.255.255.0
!

On Router 1
!
ip route 0.0.0.0 0.0.0.0 10.10.10.254

On Router 2
!
ip route 0.0.0.0 0.0.0.0 20.20.20.254

That’s it; you’ll have connectivity from R1 to R2.

Now let’s assume that VLAN 10 and 20 are not regular VLANs but Private VLANs, configured as Secondary VLANs in community mode:
On L3 Switch
!! You need VTP in transparent mode
!! for Private VLANs configuration
configure terminal
!
vlan 10
private-vlan community
!
vlan 20
private-vlan community
!
!! Private VLANs need a Primary VLAN
vlan 100
private-vlan primary
private-vlan association 10,20
!
Up to now we have one Primary VLAN (100) and two Secondary VLANs (10 and 20) associated with the primary. Next we will configure the physical ports in their specific VLANs.

On L3 Switch:
!
configure terminal
!
int x/y
description -> to R1
switchport mode private-vlan host
switchport private-vlan host-association 100 10
!
int z/w
description -> to R2
switchport mode private-vlan host
switchport private-vlan host-association 100 20
!
!! We will need a port on VLAN 100;
!! Any other device may be connected to this port

int x/x
description -> Other device in Primary Private-VLAN
switchport mode private-vlan promiscuous
switchport private-vlan mapping 100 10,20
!

In a standard environment with Private VLANs, at this point L2 communication is possible between hosts in VLAN 100 and hosts in VLAN 10 or VLAN 20. Communication between hosts in VLAN 10 and hosts in VLAN 20 is not possible because the ports are in Private-VLAN community mode. Just a small reminder: in community mode, an L2 connection is possible within the same secondary VLAN or with the Primary VLAN.

If you now try to implement the InterVLAN routing presented above, you will see that it is not possible. When you try to bring up an SVI for VLAN 10 or 20, an error occurs stating that the VLAN is in Private-VLAN community mode and you cannot configure an interface on it. Let’s see how we can fix this.

On L3 switch
!
configure terminal
!
ip routing
!! You’ll configure a SVI interface for VLAN 100
!! This is also a private VLAN, but it is the Primary one
interface vlan 100
description -> InterVLAN routing
ip address 10.10.10.254 255.255.255.0
ip address 20.20.20.254 255.255.255.0 secondary
private-vlan mapping 10,20

All you have to do now is add the routing part on R1 and R2 and they will be able to communicate. The VLAN 100 SVI handles the routing.
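The reachability rules above, as an added Python model (my code, not from the original post): the three ports from the page, the community-secondary / primary association, and functions that decide whether two ports can exchange frames at L2 and whether the SVI-on-primary fix gives two host ports a routed path. Port names, the isolated-VLAN rule (added for completeness) and the SVI placement check are my assumptions.

```python
PROMISCUOUS, HOST = "promiscuous", "host"
COMMUNITY, ISOLATED = "community", "isolated"

# Constructed model of the page's L3 switch.
SECONDARY_TYPE = {10: COMMUNITY, 20: COMMUNITY}   # "private-vlan community"
ASSOCIATION = {100: {10, 20}}                     # "private-vlan association 10,20"
PORTS = {
    "to-R1": {"mode": HOST, "primary": 100, "secondary": 10},
    "to-R2": {"mode": HOST, "primary": 100, "secondary": 20},
    "other": {"mode": PROMISCUOUS, "primary": 100, "mapping": {10, 20}},
}


def l2_reachable(a, b, ports=PORTS, types=SECONDARY_TYPE):
    """Can frames pass directly between two private-VLAN ports?
    Rules from the page, plus the isolated case:
      - ports in different primary VLANs never talk;
      - a promiscuous port talks to every secondary VLAN in its mapping;
      - two host ports talk only if they share a *community* secondary VLAN;
      - isolated host ports talk to nobody except promiscuous ports."""
    pa, pb = ports[a], ports[b]
    if pa["primary"] != pb["primary"]:
        return False
    for prom, host in ((pa, pb), (pb, pa)):
        if prom["mode"] == PROMISCUOUS:
            return host["mode"] == PROMISCUOUS or host["secondary"] in prom["mapping"]
    same_secondary = pa["secondary"] == pb["secondary"]
    return same_secondary and types[pa["secondary"]] == COMMUNITY


def svi_allowed(vlan, association=ASSOCIATION):
    """The page's error: an SVI cannot be configured on a secondary private
    VLAN; only a primary VLAN may carry one (assumption: model of that check)."""
    return vlan in association


def l3_reachable(a, b, svi_vlan, svi_mapping, ports=PORTS):
    """Routed path between two host ports through an SVI on the primary VLAN
    configured with 'private-vlan mapping <secondaries>' (the page's fix).
    The SVI must sit on the ports' primary VLAN and map both secondaries."""
    if not svi_allowed(svi_vlan):
        return False
    pa, pb = ports[a], ports[b]
    if pa["mode"] != HOST or pb["mode"] != HOST:
        return False
    return (pa["primary"] == svi_vlan == pb["primary"]
            and pa["secondary"] in svi_mapping
            and pb["secondary"] in svi_mapping)


if __name__ == "__main__":
    print("R1 <-> R2 at L2          :", l2_reachable("to-R1", "to-R2"))
    print("R1 <-> promiscuous at L2 :", l2_reachable("to-R1", "other"))
    print("R1 <-> R2 via SVI vlan 10:", l3_reachable("to-R1", "to-R2", 10, {10}))
    print("R1 <-> R2 via SVI vlan100:", l3_reachable("to-R1", "to-R2", 100, {10, 20}))
```

The last two lines of the usage mirror the post: the SVI on the community VLAN is rejected, while the SVI on VLAN 100 with “private-vlan mapping 10,20” gives R1 and R2 a routed path even though they still cannot see each other at L2.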


Cisco Easy VPN Router-to-Router

Cisco Easy VPN is not a new technology. Actually, it is pretty old, but it is still used by many companies and people to connect remote sites / remote workers to the headquarters.

A few days ago I was looking to connect a remote site in a simple but still secure way, and a colleague suggested that I use Easy VPN. It was supposed to be a simple configuration, and it was, once I had solved all the issues that came into play.

First of all, I needed an Easy VPN Router (client) to Router (server) setup. The other method is a client (PC) with software connecting to a Router / PIX / ASA / VPN Concentrator (server). Something like this:


The idea is that behind the client router I will have a group of people who need to connect to the headquarters, so I don’t want each of them to use a personal VPN connection. In searching for possible configurations, I found this Cisco configuration example. The only issue with that document is that the Easy VPN tunnel needs manual intervention to connect, which I want to avoid.

For those who need a quick and secure Easy VPN connection here is my sample configuration:

EasyVPN-Server

!! We define a new AAA model for authentication and authorization
!! for remote VPN clients
aaa new-model
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!! Generic username and password
username cisco password 0 cisco123
!
!! We configure a crypto isakmp policy. The number and encryption are your choice
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
!! We add a key and the ! Important ! “save-password” command
!! “save-password” allows the client to save the password in an automatic VPN connection
!! scenario
crypto isakmp client configuration group vpngrp
key cisco123
save-password
!
!! The IPsec transform set; you can pick a stronger one like esp-aes 256, but
!! for this example this one will work fine
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
!! We get everything together in a crypto dynamic map
crypto dynamic-map dynmap 10
set transform-set myset
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!! Add the crypto map on the WAN interface or where your VPN tunnels will terminate
interface x/y
description WAN
crypto map clientmap

EasyVPN-Client

!! On the remote side we define an Easy VPN client
!! connect auto – means it will connect automatically
!! network-extension – the connection between the remote-side LAN and the server LAN will
!! not need NAT
!! peer – the VPN server IP address
!! xauth mode has to be local for auto connection without manual intervention
crypto ipsec client ezvpn ez
connect auto
group vpngrp key cisco123
mode network-extension
peer 192.168.0.2
username cisco password cisco123
xauth userid mode local
!
!! Apply the already defined crypto to WAN interface
!! This will be automatically the Outside interface, even if you don’t
!! add the “outside” keyword at the end of the command
interface x/y
description WAN
crypto ipsec client ezvpn ez
!
!! Apply it on ALL L3 LAN interfaces that need to communicate over the VPN;
!! additionally, you need to specify the keyword “inside”
interface x/y
description ANY L3 LAN interface (SVI / Physical)
crypto ipsec client ezvpn ez inside

To test whether your tunnel is up, issue the following command on the Easy VPN client router:

#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 8

Tunnel name : TEST
Inside interface list: GigabitEthernet0/0, GigabitEthernet0/1
Outside interface: FastEthernet0/0
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Save Password: Allowed
Current EzVPN Peer: 192.168.0.2

As you can see, the Current State shows IPSEC_ACTIVE.

Other commands that will help you check that everything is OK (these can be run on the client or server side):
#show crypto isakmp sa
! Look for the “state” (it has to be QM_IDLE) and
! “status” (has to be ACTIVE)

#show crypto ipsec sa
! Look for #pkts encaps and #pkts decaps; the two counters should be close
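Added example (my code, not from the post): a small Python checker that parses the three verification commands above and reports the conditions the post asks you to look for. It uses the page’s own “show crypto ipsec client ezvpn” output, while the “show crypto isakmp sa” and “show crypto ipsec sa” excerpts are constructed sample data, and the 5 % counter tolerance is my choice for what “close” means.

```python
import re

# The page's own "show crypto ipsec client ezvpn" output.
EZVPN_OUTPUT = """\
Easy VPN Remote Phase: 8

Tunnel name : TEST
Inside interface list: GigabitEthernet0/0, GigabitEthernet0/1
Outside interface: FastEthernet0/0
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Save Password: Allowed
Current EzVPN Peer: 192.168.0.2
"""

# Constructed excerpts of "show crypto isakmp sa" and "show crypto ipsec sa"
# (sample data in the usual IOS layout, not captured from the page's routers).
ISAKMP_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.0.2     203.0.113.10    QM_IDLE           1001 ACTIVE
"""

IPSEC_SA_OUTPUT = """\
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer 192.168.0.2 port 500
    #pkts encaps: 1203, #pkts encrypt: 1203, #pkts digest: 1203
    #pkts decaps: 1198, #pkts decrypt: 1198, #pkts verify: 1198
"""


def parse_key_values(text):
    """'Key: value' / 'Key : value' lines -> dict (the ezvpn status block)."""
    out = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            out[key.strip()] = value.strip()
    return out


def isakmp_sessions(text):
    """Rows of the isakmp sa table as (peer, state, status) tuples."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$", line)
        if m:
            rows.append((m.group(1), m.group(3), m.group(5)))
    return rows


def ipsec_counters(text):
    """(#pkts encaps, #pkts decaps) from the ipsec sa output, or (None, None)."""
    enc = re.search(r"#pkts encaps:\s*(\d+)", text)
    dec = re.search(r"#pkts decaps:\s*(\d+)", text)
    return (int(enc.group(1)), int(dec.group(1))) if enc and dec else (None, None)


def tunnel_checks(ezvpn, isakmp, ipsec, peer, tolerance=0.05):
    """The post's three checks: Current State IPSEC_ACTIVE towards `peer`,
    an ISAKMP SA in QM_IDLE / ACTIVE with that peer, and encaps / decaps
    counters within `tolerance` of each other (a one-way tunnel fails this)."""
    status = parse_key_values(ezvpn)
    enc, dec = ipsec_counters(ipsec)
    return {
        "ezvpn_active": status.get("Current State") == "IPSEC_ACTIVE"
                        and status.get("Current EzVPN Peer") == peer,
        "isakmp_ok": any(p == peer and st == "QM_IDLE" and s == "ACTIVE"
                         for p, st, s in isakmp_sessions(isakmp)),
        "counters_ok": enc is not None and dec is not None and enc > 0
                       and abs(enc - dec) <= tolerance * max(enc, dec),
    }


if __name__ == "__main__":
    for name, ok in tunnel_checks(EZVPN_OUTPUT, ISAKMP_OUTPUT, IPSEC_SA_OUTPUT, "192.168.0.2").items():
        print(f"{name:13}: {'OK' if ok else 'FAIL'}")
```

Feed it the real command outputs (for example collected over SSH by a monitoring job) and alert when any of the three checks is false; the counter check is the one that catches a tunnel that is up but only passing traffic in one direction.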

I hope this will help you. If anything is unclear please ask in comments.
