Topology:
For this task, add a second connection between R1 and R5.
Use the configuration from BGP task #5 as the initial configuration for this task.
Requirements:
1. Configure second connection between R1 and R5.
2. Traffic between AS5 and AS12 should load balance across the two links.
a. Do not create new BGP sessions.
b. Do not use the ebgp-multihop command.
c. You are allowed to create a total of 4 new static routes.
3. The security policy of AS12 requires that the edge routers running eBGP be protected against DoS attacks on the BGP protocol that use address spoofing.
4. Change the configuration of AS12 to reduce the number of iBGP sessions.
Solution:
Understanding of the following technologies is required to complete this task:
Multihop-eBGP configuration options.
BGP TTL-security feature
Route-reflectors
Requirement #2 - Since creating an additional BGP session is not allowed, move the existing eBGP session between R1 and R5 to their Loopback0 interfaces (update-source Loopback0) and add two static routes on each router toward the neighbor's loopback, one via each link (four static routes in total, the allowed maximum). The BGP next hop 5.0.5.5 then resolves recursively to both links, so CEF load-shares across them. Because the loopbacks are not on a directly connected subnet, IOS would normally refuse to bring up a single-hop eBGP session; "disable-connected-check" removes that check without touching the TTL handling, so no ebgp-multihop is needed. The static routes on R1 have to be redistributed into OSPF, otherwise R2, R3 and R4 cannot resolve the eBGP next hop 5.0.5.5 of the routes learned from AS5 (R1 does not set next-hop-self).
Requirement #3 - The TTL-security feature (GTSM, RFC 5082) protects the BGP process from spoofed packets sent by remote attackers: both peers send BGP packets with TTL 255, and the receiver discards anything whose TTL is below 255 minus the configured hop count. On IOS the hop count is the distance to the peer, so for peers one hop away (R1-R5 between loopbacks over a direct link, and R3-R6 / R3-R7) use "ttl-security hops 1", which accepts only TTL 254 and 255; a value such as 254 accepts every TTL of 1 or more and therefore filters nothing. A packet forged by a host several routers away arrives with a lower TTL and is dropped before BGP ever sees it; a spoofer on the shared link is not stopped by this mechanism. Note that IOS-XR does not allow editing the hop count, so on IOS-XR the feature only works for directly connected eBGP peers. Also note that on IOS ttl-security and ebgp-multihop are mutually exclusive, one more reason to use disable-connected-check here.
Requirement #4 - Configure R2 and R4 as route reflectors with R1 and R3 as their clients. R1 and R3 then learn each other's routes through the reflectors, so the iBGP session between R1 and R3 can be removed (five iBGP sessions instead of the full mesh of six).
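As an added illustration of the hop-count arithmetic above (this is not part of the original lab and not Cisco code), the following Python models the receive-side GTSM check the way IOS applies it and runs it over constructed packets: the genuine R5 peer one hop away, a spoofer several routers away, and a spoofer on the shared segment. The addresses, router counts and descriptions are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

# GTSM (RFC 5082) as exposed by IOS "neighbor <ip> ttl-security hops <N>":
# a GTSM speaker originates every BGP packet with TTL 255, and the receiver
# accepts a packet only when its arriving TTL is >= 255 - N.
# Added example for this lab page; not Cisco code and not the lab's config.

SENDER_TTL = 255  # TTL that GTSM speakers put on outgoing BGP packets


def min_accepted_ttl(hops: int) -> int:
    """Lowest arriving TTL that a receiver configured with 'ttl-security hops <hops>' accepts."""
    if not 1 <= hops <= 254:
        raise ValueError("IOS ttl-security hop count must be between 1 and 254")
    return SENDER_TTL - hops


def arriving_ttl(intermediate_routers: int, initial_ttl: int = SENDER_TTL) -> int:
    """TTL seen by the receiving router after the packet was forwarded by
    'intermediate_routers' routers. Each forwarding hop decrements by one; the
    final receiver does not decrement before handing the packet to BGP."""
    if intermediate_routers < 0:
        raise ValueError("router count cannot be negative")
    return max(initial_ttl - intermediate_routers, 0)


@dataclass(frozen=True)
class Segment:
    """One TCP/179 segment as it arrives at the BGP speaker (constructed sample)."""
    src_ip: str
    ttl: int
    description: str


def gtsm_accepts(seg: Segment, hops: int) -> bool:
    """Receive-side GTSM decision for a single segment."""
    return seg.ttl >= min_accepted_ttl(hops)


# Constructed traffic aimed at R1's BGP process (assumed addresses, not a capture).
# All three carry R5's loopback as source; only the first is genuinely from R5.
SAMPLE_SEGMENTS: List[Segment] = [
    Segment("5.0.5.5", arriving_ttl(0), "R5 loopback, peer one hop away"),
    Segment("5.0.5.5", arriving_ttl(6), "spoofed source, attacker six routers away"),
    Segment("5.0.5.5", arriving_ttl(0), "spoofed source, attacker on the R1-R5 link"),
]


def evaluate(hops: int, segments: List[Segment] = SAMPLE_SEGMENTS) -> Dict[str, bool]:
    """Map each sample segment's description to the accept/drop verdict for a hop count."""
    return {s.description: gtsm_accepts(s, hops) for s in segments}


if __name__ == "__main__":
    for hops in (1, 254):
        print(f"ttl-security hops {hops}: accepts TTL >= {min_accepted_ttl(hops)}")
        for desc, ok in evaluate(hops).items():
            print(f"  {'accept' if ok else 'drop  '}  {desc}")
```

With hops 1 the remote spoofer (arriving TTL 249) is dropped while the genuine peer (TTL 255) is accepted; with hops 254 the threshold is TTL 1 and everything passes. The on-link spoofer is accepted under both settings, which is the documented limit of GTSM: it only helps against attackers that are not on the same segment as the peer.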
R1:
!
router ospf 1
router-id 12.0.1.1
redistribute static subnets
passive-interface Ethernet1/0
!
ip route 5.0.5.5 255.255.255.255 5.0.15.5
ip route 5.0.5.5 255.255.255.255 5.0.51.5
!
router bgp 12
bgp log-neighbor-changes
bgp maxas-limit 10
neighbor IBGP peer-group
neighbor IBGP remote-as 12
neighbor IBGP update-source Loopback0
neighbor IBGP send-community
neighbor 5.0.5.5 remote-as 5
neighbor 5.0.5.5 ttl-security hops 1
neighbor 5.0.5.5 disable-connected-check
neighbor 5.0.5.5 update-source Loopback0
neighbor 5.0.5.5 route-map LAST out
neighbor 12.0.2.2 peer-group IBGP
neighbor 12.0.4.4 peer-group IBGP
!
R2:
!
router bgp 12
bgp log-neighbor-changes
network 12.0.0.0 mask 255.255.0.0
neighbor IBGP peer-group
neighbor IBGP remote-as 12
neighbor IBGP update-source Loopback0
neighbor IBGP send-community
neighbor CLIENT peer-group
neighbor CLIENT remote-as 12
neighbor CLIENT update-source Loopback0
neighbor CLIENT route-reflector-client
neighbor CLIENT send-community
neighbor 12.0.1.1 peer-group CLIENT
neighbor 12.0.3.3 peer-group CLIENT
neighbor 12.0.4.4 peer-group IBGP
!
R3:
!
router bgp 12
address-family ipv4 unicast
!
neighbor-group IBGP
remote-as 12
update-source Loopback0
address-family ipv4 unicast
!
!
neighbor 12.0.2.2
use neighbor-group IBGP
!
neighbor 12.0.4.4
use neighbor-group IBGP
!
neighbor 67.0.36.6
remote-as 67
ttl-security
address-family ipv4 unicast
route-policy SECONDARY_IN in
route-policy SECONDARY_OUT out
!
!
neighbor 67.0.37.7
remote-as 67
ttl-security
address-family ipv4 unicast
route-policy PRIMARY_IN in
route-policy BGP_ALL out
!
!
!
R4:
!
router bgp 12
address-family ipv4 unicast
network 12.0.0.0/16
!
neighbor-group IBGP
remote-as 12
update-source Loopback0
address-family ipv4 unicast
!
!
neighbor-group CLIENT
use neighbor-group IBGP
address-family ipv4 unicast
route-reflector-client
!
!
neighbor 12.0.1.1
use neighbor-group CLIENT
!
neighbor 12.0.2.2
use neighbor-group IBGP
!
neighbor 12.0.3.3
use neighbor-group CLIENT
!
!
R5:
!
ip route 12.0.1.1 255.255.255.255 5.0.15.1
ip route 12.0.1.1 255.255.255.255 5.0.51.1
!
router bgp 5
bgp log-neighbor-changes
bgp inject-map INJECT exist-map EXIST copy-attributes
network 5.0.0.0 mask 255.255.0.0
neighbor 8.0.58.8 remote-as 8
neighbor 8.0.58.8 password STRONG
neighbor 12.0.1.1 remote-as 12
neighbor 12.0.1.1 ttl-security hops 1
neighbor 12.0.1.1 disable-connected-check
neighbor 12.0.1.1 update-source Loopback0
neighbor 12.0.1.1 send-community
neighbor 12.0.1.1 route-map NO_TRANSIT out
neighbor 12.0.1.1 advertise-map ADVMAP exist-map NONEXIST
!
R6:
!
router bgp 67
bgp log-neighbor-changes
network 67.0.0.0 mask 255.255.0.0
neighbor 8.0.68.8 remote-as 8
neighbor 67.0.36.3 remote-as 12
neighbor 67.0.36.3 ttl-security hops 1
neighbor 67.0.36.3 send-community
neighbor 67.0.36.3 route-map NO_TRANSIT out
neighbor 67.0.67.7 remote-as 67
!
R7:
!
router bgp 67
bgp log-neighbor-changes
network 67.0.0.0 mask 255.255.0.0
neighbor 8.0.78.8 remote-as 8
neighbor 67.0.37.3 remote-as 12
neighbor 67.0.37.3 ttl-security hops 1
neighbor 67.0.37.3 send-community
neighbor 67.0.37.3 route-map NO_TRANSIT out
neighbor 67.0.67.6 remote-as 67
!
Verification: the traceroutes from R3 and R4 leave AS12 over different R1-R5 links (5.0.51.5 and 5.0.15.5), so both links carry traffic, and R1 shows a single eBGP session to 5.0.5.5 plus two iBGP sessions to the reflectors R2 and R4.
RP/0/0/CPU0:R3#traceroute 1.0.1.1
Wed Dec 23 15:39:56.773 UTC
Type escape sequence to abort.
Tracing the route to 1.0.1.1
1 12.0.10.2 0 msec 0 msec 0 msec
2 12.0.20.1 0 msec 0 msec 0 msec
3 5.0.51.5 0 msec 0 msec 0 msec
4 8.0.58.8 0 msec 0 msec 0 msec
RP/0/0/CPU0:R4#traceroute 1.0.1.1
Wed Dec 23 15:40:10.982 UTC
Type escape sequence to abort.
Tracing the route to 1.0.1.1
1 12.0.20.1 0 msec 0 msec 0 msec
2 5.0.15.5 0 msec 0 msec 0 msec
3 8.0.58.8 0 msec 0 msec 0 msec
R1#show bgp sum
BGP router identifier 12.0.1.1, local AS number 12
BGP table version is 27, main routing table version 27
11 network entries using 1628 bytes of memory
16 path entries using 1024 bytes of memory
9/7 BGP path/bestpath attribute entries using 1224 bytes of memory
2 BGP rrinfo entries using 48 bytes of memory
5 BGP AS-PATH entries using 120 bytes of memory
1 BGP community entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 4068 total bytes of memory
BGP activity 22/11 prefixes, 78/62 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
5.0.5.5 4 5 47 43 27 0 0 00:34:01 10
12.0.2.2 4 12 28 31 27 0 0 00:19:38 3
12.0.4.4 4 12 27 23 27 0 0 00:15:26 3