Learn Cisco

Note!
Configuration from Lab 140.

Topology


Task 1
The BGP policy stipulates that the R5's timer to send BGP advertisements should be set to 10 seconds (default: iBGP=5 seconds, eBGP=30 seconds). Also BGP peer loss should be detected in 15 seconds (default=180 seconds). Also improve the BGP scanner operation by decreasing the default value of 60 seconds to 20 seconds.

Solution

Task 1

R5 Configuration:

Note!
Hello timer is set to 5 seconds following the rule 3 x keepalive = holdtime.

BGP Processes:

• BGP Open - responsible for BGP session establishment.
• BGP I/O - handles queuing and processing updates and keepalive packets.
• BGP Scanner - responsible for conditional route advertisements, route dampening, import and export of routes into VRF (MPLS), and confirms the reachability to the NEXT_HOP (the last one is handled now by BGP next-hop tracking).
• BGP Router - calculates the best path, establishes peers, sends and receives routes and interacts with RIB.

Source:
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00809d16f0.shtml#understandbgp

Note!
Configuration from Lab 140.

Topology


Task 1
Configure R3 in such a way that the interval between full table walks is 10 seconds (not 5 which is default).

Solution

Task 1


R3 Configuration:


Note!
The BGP Support for Next-Hop Address Tracking feature is enabled by default when a supporting Cisco IOS software image is installed. BGP next-hop address tracking is event driven. BGP prefixes are automatically tracked as peering sessions are established. Next-hop changes are rapidly reported to the BGP routing process as they are updated in the RIB. This optimization improves overall BGP convergence by reducing the response time to next-hop changes for routes installed in the RIB. When a bestpath calculation is run in between BGP scanner cycles, only next-hop changes are tracked and processed.


Source:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_bnht.html

Topology


Task 1
Configure full mesh BGP peering according to the topology diagram (pic. 1). Make sure that all BGP sessions in AS 100 can survive a single link loss. If IGP protocol must used, OSPF should be configured. Advertise Loopbacks into BGP.

Task 2
Configure R3 in such a way so the response time of BGP to adjacency changes is improved. Use a method of detecting the loss of the peer that is not based on the interface state but is event driven such as a loss of the path to the IGP address used for peering.

Solution

Task 1

R1 Configuration:

R2 Configuration:

R3 Configuration:

R4 Configuration:

Verification:
Task 2
Configure R3 in such a way so the response time of BGP to adjacency changes is improved. Use a method of detecting the loss of the peer that is not based on the interface state but is event driven such as a loss of the path to the IGP address used for peering.

R3 Configuration:

Verification:

Source:
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/cs_bsfda.html

Topology

Task 1
Configure R5 in such way, that if BGP in R3 does not support 'Route Refresh' message, it can still apply inbound policy without asking R5 to re-send their BGP prefixes.

Solution

Task 1




R5 Configuration:


Verfication:
Notice!
This command creates the exact copy of the BGP table. This causes high memory utilization but allows to apply inbound filtering on R5 without tearing down the session if the Route-Refresh messages are not supported on R5.

Topology

R5 should filter out all class A prefixes starting with 40.x.x.x. Configure routers in such a way that changing the inbound filtering policy on R5 should force R3 to apply the right filtering preventing it from sending prefixes R5 does not wish to receive.

Solution

Task 1


R3 Configuration:


R5 Configuration:

Verification:

Notice!
ORF has been enabled and supports prefix-lists only (as of writing this post). Now, I can apply the prefix-list based filtering as per Task 1.



R5 Configuration:


Verification:

Now, 'clear ip bgp * in' on R5.

Note!
http://www.4shared.com/document/W8lhDzNo/Hacking-Cisco-OSPF-Lab1-2-Brea.html

Topology
Configure authentication between R3 and R5 (use password: 'CISCO123'). Configure the BGP timers: hello=30 seconds, holdtime=90 on R3 for all its iBGP peers. R3's iBGP sessions should inherit the same password. Do not use 'neighbor <address> password' command in R3 to accomplish your goal. R1 and R2 and R5 can use this command.  The configuration stipulates that iBGP current and future policy in R3 should be configured as a template.

Solution

Task 1

R1 Configuration:

R2 Configuration:

R3 Configuration:

Verification:

Note!
http://www.4shared.com/document/W8lhDzNo/Hacking-Cisco-OSPF-Lab1-2-Brea.html

Topology


Solution

AS 50 has been experiencing a SYN attack on TCP port 179 (BGP). In order to protect the router, configure R5 so that it accepts BGP packets only from its directly connected neighbor.
Notice!
These attacks must have their TTL higher than 1 in order to reach AS 50. Due to the volatile behavior of BGP paths, the attacker will find it very difficult or almost impossible to calculate their TTL value to be 1 when delivered to our router. The configuration must be done on both neighbors (R3 and R5).

R3 Configuration:

Topology

Task 1
Configure R1 and R2 should apply the route dampening for prefixes 40.x.x.x according to the following:

• Max-Suppres=50 minutes
• Suppress=2000 points
• Reuse=800 points
• Half-Time=10 minutes

Prefixes 44.4.x.x should use the following dampening policy:

• Max-Suppres=90 minutes
• Suppress=2500 points
• Reuse=700 points
• Half-Time=20 minutes

Solution

Task 1

• Max-Suppres=50 minutes
• Suppress=3000 points
• Reuse=800 points
• Half-Time=15 minutes

• Max-Suppres=90 minutes
• Suppress=2500 points
• Reuse=700 points
• Half-Time=20 minutes

R1 Configuration:

Verification:
R2 Configuration:

Verification:

Topology

Task 1
Configure R3 to use BGP dampening according to the following:

• Penalty should be reduced by half after 10 minutes (default=15).
• The dampened route must be reused when it reaches value of 700. (default=750).
• Route should not be used when it reaches 2000 points (default=2000).
• The routes that experience flaps should not be suppressed for more than 40. minutes (default=4 x half-time).

Solution

Task 1

• Penalty should be reduced by half after 10 minutes (default=15).
• The dampened route must be reused when it reaches value of 700. (default=750).
• Route should not be used when it reaches 2000 points (default=2000).
• The routes that experience flaps should not be suppressed for more than 40. minutes (default=4 x half-time).

R3 Configuration:

Verification:

Note!
Use the configuration from Lab 130 except for route-maps that change the next-hop.

Topology

Task 1
Similarly to the lab 129 and 130, deal with the next hop on R1, R2 and R3, but do not use 'next-hop-self' or route-map to change the next-hop while advertising BGP prefixes in AS 123.

Solution

Task 1
Similarly to the lab 129 and 130, deal with the next hop on R1, R2 and R3, but do not use 'next-hop-self' or route-map to change the next-hop while advertising BGP prefixes in AS 123.

R1 Configuration:

R2 Configuration:

R3 Configuration:

Verification:

Note!
Use the configuration from Lab 129 except for 'next-hop-self' command.

Topology

Task 1
Similarly to the lab 129, deal with the next hop on R1, R2 and R3, but do not use 'next-hop-self' command or redistribution into IGP.

Solution

Task 1
Similarly to the lab 129, deal with the next hop on R1, R2 and R3, but do not use 'next-hop-self' command or redistribution into IGP.
R1 Configuration:

Then, 'clear ip bgp * out'

Notice!
While configuring the 'set ip next-hop 10.1.13.1' we get the warning which can be ignored. We know what we're doing after all ;)

R2 Configuration:

R3 Configuration:

Verification:
This time let's check if R1 and R2 have the best path to prefix from AS 50.

Topology

Task 1
Configure OSPF area 0 only on point-to-point links between:

• R1 and R3
• R2 and R3

Do not enable OSPF on links connecting AS 123 to AS 40 and AS 50!

Task 2
Configure BGP peering as per Pic. 1. Advertise all loopbacks into BGP. Make sure that R3 can reach loopbacks advertised by AS 40 and R1 and R2 can reach the loopback advertised by AS 50. Do not use route-map or redistribution into OSPF to accomplish that.

Solution

Task 1

• R1 and R3
• R2 and R3

R1 Configuration:

R2 Configuration:


R3 Configuration:


Verification:

Task 2
Configure BGP peering as per Pic. 1. Advertise all loopbacks into BGP. Make sure that R3 can reach loopbacks advertised by AS 40 and R1 and R2 can reach the loopback advertised by AS 50. Do not use route-map or redistribution into OSPF to accomplish that.
R1 Configuration:


R2 Configuration:

R3 Configuration:

R4 Configuration:

R5 Configuration:

Verification:
All prefixes learned from AS 40 have missing best path marker '>'. The reason is that R3 does not know how to reach the next hop for these (10.1.14.4 and 10.1.24.4). The same problem will R1 and R2 have for prefix learned from AS 50. This is due to the fact that eBGP next-hop attribute is preserved over iBGP session.

The BGP table for a specific prefix shows the problem.

In order to fix this problem, the next-hop-self command can be used given the stipulations (no redistribution into OSPF, or route-map to be used).

R1 Configuration:


R2 Configuration:

R3 Configuration:

Verification:

Topology

Task 1
R5 is connecting to their Service Provider. The company has neither their own public AS number nor their public IP addresses. For the purpose of BGP configuration AS 123 has allocated a private as number for R5 (AS 65005). Configure routers in AS 123 so this private AS number is not advertised over EBGP peerings.

Solution

Task 1
R5 is connecting to their Service Provider. The company has neither their own public AS number nor their public IP addresses. For the purpose of BGP configuration AS 123 has allocated a private as number for R5 (AS 65005). Configure routers in AS 123 so this private AS number is not advertised over EBGP peerings.
R1 Configuration:

R2 Configuration:

Notice!
Both R1 and R2 have removed the private AS from their advertisement sent to AS 40.