Configuration Archives — Page 2 of 7

Typical access-list on edge router

This is typical ACL which you can configure on the Public interface of your router in the Inbound direction.

ip access-list EDGE_ROUTER_FW_IN
 
remark ***DENY_FRAGMENTS***
deny tcp any PUBLIC_NETWORK fragments
deny udp any PUBLIC_NETWORK fragments
 
remark ***DENY_RFC3330***
deny ip host 0.0.0.0 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 224.0.0.0 31.255.255.255 any
 
remark ***DENY_RFC1918***
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
 
remark ***DENY_SPOOFING***
deny ip PUBLIC_NETWORK any
 
remark ***PERMIT_PEERS****
permit tcp host PEER host ROUTER eq bgp
 
remark ***PROTECT_INFRA***
deny ip any INFRA_NETWORK
 
remark ***PERMIT_PUBLIC_NETWORK***
permit ip any PUBLIC_NETWORK

Share this!

Advanced Cisco BGP features: Selective Next-hop

Below topology was used for this post, and all the configuration happened on two Cisco CSR1000v

BGP Selective Next-hop Route filtering

Imagine that you want to accept routes only from peers, which the route covering the next-hop passes specific conditions, such as prefix-length, or protocol.

In the following configuration I will only accept routes from peers, which the route covering the next-hop has a mask of less-equal to 24:

Let’s see the current BGP table:

csr1#s ip bg
     Network          Next Hop           Metric LocPrf Weight Path
 *>  1.1.1.1/32       0.0.0.0               0          32768  i
 *   2.2.2.2/32       192.168.12.2          0             0   11 22 2 i
 *>                   12.12.12.2            0             0   2 i
 *   222.222.222.0/23 192.168.12.2          0             0   11 22 2 i
 *>                   12.12.12.2            0             0   2 i

Continue reading “Advanced Cisco BGP features: Selective Next-hop”

Share this!

Advanced Cisco BGP features: NSF

Below topology was used for this post, and all the configuration happened on two Cisco CSR1000v

BGP Nonstop Forwarding

During normal NSF operation, CEF on the active RP synchronizes its current FIB and adjacency databases with the FIB and adjacency databases on the standby RP
While switching over, the traffic is depended on CEF, once the routing protocol is converged, FIB will be updated
RIB repopulating happens prefix-by-prefix, thus the same for FIB and adjacency table
For BGP NSF, graceful-restart needs to be configured on both ends of a BGP session. Although one end could be only NSF-aware (not SSO capable)
BFD can’t be enabled simultaneously with NSF for BGP
SSO is not integrated into EIGRP, hence only NSF awareness is supported

Continue reading “Advanced Cisco BGP features: NSF”

Share this!

Advanced Cisco BGP features: BFD

Below topology was used for this post, and all the configuration happened on two Cisco CSR1000v

Bidirectional Forwarding Detection for BGP

I have just one note here. BFD can’t be enabled simultaneously with NSF for BGP. Even for other protocols, extreme care should be taken while implementing BFD with NSF. Depending on the platform, there may be enough of a traffic outage during the switchover to cause BFD to prematurely signal a link failure. When BFD is running on the RP, some platforms are not able to detect a switchover before the BFD protocol times out; these platforms are referred to as slow switchover platforms. Continue reading “Advanced Cisco BGP features: BFD”

Share this!

Internet routing table and damping on JunOS

To get an idea about the current number of Internet routes, for both IPv4 and IPv6:

moghaddas@USA> show route summary | match "inet|bgp"  
 
inet.0: 560133 destinations, 1663174 routes (558798 active, 0 holddown, 1525 hidden)
                 BGP: 1663124 routes, 558752 active
 
inet6.0: 24047 destinations, 47458 routes (23459 active, 0 holddown, 851 hidden)
                 BGP:  47444 routes,  23447 active

moghaddas@GER> show route summary | match "inet|bgp"
 
inet.0: 541278 destinations, 965338 routes (541118 active, 0 holddown, 206 hidden)
                 BGP: 965308 routes, 541091 active
 
inet6.0: 22658 destinations, 38527 routes (22558 active, 0 holddown, 104 hidden)
                 BGP:  38516 routes,  22549 active

moghaddas@IRE> show route summary | match "inet|bgp"
 
inet.0: 545571 destinations, 1547251 routes (545111 active, 0 holddown, 1237 hidden)
                 BGP: 1547185 routes, 545062 active
 
inet6.0: 23065 destinations, 65881 routes (23026 active, 0 holddown, 90 hidden)
                 BGP:  65860 routes,  23008 active

Now, imagine what would be the outcome of route flaps for a Service Provider environment with many eBGP neighbors. Instability and customer dissatisfaction!

The first solution to avoid such situations is BGP Route Dampening/Damping. Continue reading “Internet routing table and damping on JunOS”

Share this!