Wednesday, January 30, 2013

BGP terminologies - Part 1

1. BGP neighborship states

Before a BGP peer forms a neighborship with a remote BGP peer, it must pass through several states:
  • Idle
  • Connect
  • Active
  • OpenSent
  • OpenConfirm
  • Established
Before the BGP process is enabled, both R1 and R2 are in the Idle state and ignore all incoming connection requests. When R1 enables its BGP process, it sends a TCP connection request to R2 and waits for the reply; at this point R1 is in the Connect state. If the connection is established, R1 sends an Open message to R2 and moves to the OpenSent state. If the connection fails, R1 transitions to the Active state.
To view the neighbor state on the local router, use the following command:


In the Active state, R1 keeps trying to open the TCP connection to R2; if the connection is established, R1 sends an Open message and transitions to the OpenSent state.


When R1 reaches the OpenSent state, it has sent its Open message to R2. If a valid Open message is received from R2, R1 replies with a Keepalive to confirm the negotiated session parameters and goes to the OpenConfirm state.
In the OpenConfirm state, R1 keeps sending Keepalive messages; when it receives a Keepalive from R2, the final state, Established, is reached.


2. BGP Attributes

BGP route selection is based largely on the values of the path attributes. This post covers some of the well-known attributes that every BGP router must recognize.
  • Origin: indicates how the route was originally learned: from an IGP (i), from EGP (e), or incomplete/undetermined (?). The preference order is i < e < ?, and the lower value is preferred.
  • AS Path: lists all the autonomous systems the route has traversed; it is used to choose the best route and to prevent routing loops. The value is only changed when the route is advertised over eBGP.
  • Next hop: the next-hop address of the route; it is only modified when the route is received from an eBGP peer, and it must be reachable via the routing table.
  • Multi-Exit Discriminator (MED): optional and nontransitive; it is received over eBGP and passed on to iBGP peers to help choose among multiple entry points when more than one route exists. iBGP does not readvertise it to eBGP peers.
  • Local Preference: a local value, never advertised to eBGP peers. It is used to compare routes within the same AS; the higher value is preferred.

3. Route selection process

The route selection process differs by vendor. For Cisco it is:
  • Weight - highest (Cisco proprietary)
  • Local preference - highest
  • Locally originated
  • AS Path - shortest
  • Origin - lowest (i < e < ?)
  • MED - lowest
  • eBGP over iBGP
  • IGP metric to the next hop - lowest
  • Oldest route
  • Neighbor with the lowest RID
  • Neighbor with the lowest IP address
For Juniper:
  • Highest Local preference
  • AS Path - shortest
  • Origin - smallest
  • MED - smallest
  • eBGP > iBGP
  • IGP metric - smallest
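As an added example (not part of the original post), here is a small Python model of the Cisco selection order listed above. The path attributes, addresses and AS numbers in it are constructed for illustration, and MED handling is simplified as noted in the code.

```python
from dataclasses import dataclass

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}   # IGP < EGP < incomplete; lower is better

STEP_NAMES = ("weight", "local preference", "locally originated", "AS path length",
              "origin", "MED", "eBGP over iBGP", "IGP metric", "oldest route",
              "neighbor router ID", "neighbor IP address")

@dataclass
class BgpPath:
    next_hop: str
    next_hop_reachable: bool = True   # the next hop must be resolvable in the routing table
    weight: int = 0
    local_pref: int = 100
    locally_originated: bool = False
    as_path: tuple = ()
    origin: str = "i"
    med: int = 0
    is_ebgp: bool = True
    igp_metric: int = 0
    age: int = 0                      # seconds since the path was learned (constructed)
    neighbor_rid: str = "0.0.0.0"
    neighbor_ip: str = "0.0.0.0"

def _ip_key(ip):
    return tuple(int(o) for o in ip.split("."))

def sort_key(p):
    """Tuple whose i-th element is 'smaller is better' for Cisco step i (see STEP_NAMES).
    Simplification: MED is compared between all paths; IOS only compares it between
    paths from the same neighboring AS unless bgp always-compare-med is configured."""
    return (
        -p.weight,                          # highest weight wins
        -p.local_pref,                      # highest local preference wins
        0 if p.locally_originated else 1,   # locally originated first
        len(p.as_path),                     # shortest AS path
        ORIGIN_RANK[p.origin],              # i < e < ?
        p.med,                              # lowest MED
        0 if p.is_ebgp else 1,              # eBGP preferred over iBGP
        p.igp_metric,                       # lowest IGP metric to the next hop
        -p.age,                             # oldest path
        _ip_key(p.neighbor_rid),            # lowest neighbor router ID
        _ip_key(p.neighbor_ip),             # lowest neighbor IP address
    )

def best_path(paths):
    """Pick the best of several paths for one prefix (None if none has a usable next hop)."""
    usable = [p for p in paths if p.next_hop_reachable]
    return min(usable, key=sort_key) if usable else None

def decisive_step(a, b):
    """Name of the first step that separates paths a and b, or None if they are fully tied."""
    for name, x, y in zip(STEP_NAMES, sort_key(a), sort_key(b)):
        if x != y:
            return name
    return None

# Constructed candidates for one prefix: an eBGP path with a short AS path, and an
# iBGP path that the local AS prefers by giving it a higher local preference.
EBGP_PATH = BgpPath("192.0.2.1", as_path=(65001,),
                    neighbor_rid="192.0.2.1", neighbor_ip="192.0.2.1")
IBGP_PATH = BgpPath("198.51.100.1", local_pref=200, as_path=(65001, 65002), is_ebgp=False,
                    neighbor_rid="198.51.100.1", neighbor_ip="198.51.100.1")
```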

Monday, January 21, 2013

Policy-Based Routing

1. Introduction to PBR

PBR is a tool that provides a way to override the normal packet routing process. After the frame has been checked for errors, PBR intercepts the packet before the router makes its routing decision. Some benefits of implementing PBR:
  • Forwarding packets based on source information: packets from different sources can be handled differently.
  • QoS: setting the precedence or TOS value in the IP packet header.
  • Cost saving: manually distributing traffic over low-bandwidth, low-cost links.
  • Load sharing: distributing traffic over multiple paths.


2. How PBR works

PBR decides how to forward packets by referring to a route map for its matching logic. The steps are as follows:
  • Create a route map whose match criteria select the traffic and whose set clause chooses the route.
  • Enable the route map for PBR by applying it to the incoming interface.
Route-map definition was covered in the previous post; for PBR, a set clause with the next-hop attribute is added. The ACLs used in the route map can be standard or extended, so various requirements can be expressed: source address, destination address or both, TCP/UDP port numbers, and so on.

3. PBR configurations


Requirement: traffic from R5 must go through R2, and traffic from R6 through R3, to reach R4.

Before applying PBR, traffic from both R5 and R6 destined for R4 goes via 10.0.0.2 (R2).
R6#trace 12.0.0.3

Type escape sequence to abort.
Tracing the route to 12.0.0.3

  1 172.16.1.3 32 msec 20 msec 24 msec
  2 10.0.0.2 40 msec 40 msec 40 msec
  3 12.0.0.3 60 msec *  60 msec
R5#trace 12.0.0.3

Type escape sequence to abort.
Tracing the route to 12.0.0.3

  1 172.16.1.3 32 msec 20 msec 20 msec
  2 10.0.0.2 40 msec 44 msec 40 msec
  3 12.0.0.3 60 msec *  48 msec
Define an extended ACL to match traffic from each host:
R1#show run | section access-list
access-list 101 permit ip host 172.16.1.1 host 12.0.0.3
access-list 102 permit ip host 172.16.1.2 host 12.0.0.3
Create a route-map for the matched traffic to control where the packets are sent:
R1#show run | section route-map
route-map PBR permit 10
 match ip address 101
 set ip next-hop 10.0.0.2
route-map PBR permit 20
 match ip address 102
 set ip next-hop 11.0.0.2

 
Apply the route-map to the interface:
R1#show run | section Ethernet0/0
interface Ethernet0/0
 ip address 172.16.1.3 255.255.255.0
 ip policy route-map PBR
 half-duplex
Verify traffic from R5 and R6:
R5#trace 12.0.0.3

Type escape sequence to abort.
Tracing the route to 12.0.0.3

  1 172.16.1.3 20 msec 12 msec 12 msec
  2 10.0.0.2 40 msec 56 msec 44 msec
  3 12.0.0.3 72 msec *  56 msec

R6#trace 12.0.0.3

Type escape sequence to abort.
Tracing the route to 12.0.0.3

  1 172.16.1.3 24 msec 16 msec 20 msec
  2 11.0.0.2 28 msec 44 msec 40 msec
  3 12.0.0.3 60 msec *  72 msec

The set command can take the "default" keyword, which changes its behaviour. There are two cases:
  • Without the keyword: "try PBR first; if PBR's next hop does not work, use the routing table."
  • With the keyword: "try the routing table first; if the routing table fails, use PBR."
The example above is just one of many ways to use PBR; you can adjust the requirements and combine several tools to achieve your goal.
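As an added example (not from the original post), the following Python model walks a packet through the route-map PBR above and shows the difference between the plain and the "default" form of the set command. The ACLs, next hops and addresses are the ones from the configuration; the routing table and the set of reachable next hops are constructed for the demo.

```python
from ipaddress import ip_address, ip_network

# ACLs from the post: 101 matches R5 -> R4, 102 matches R6 -> R4 (host/host entries).
ACLS = {
    101: [("172.16.1.1", "12.0.0.3")],
    102: [("172.16.1.2", "12.0.0.3")],
}

# route-map PBR from the post; "default" marks whether the set command used the keyword.
ROUTE_MAP = [
    {"seq": 10, "match_acl": 101, "next_hop": "10.0.0.2", "default": False},
    {"seq": 20, "match_acl": 102, "next_hop": "11.0.0.2", "default": False},
]

# Constructed routing table on R1: an explicit route to R4's subnet plus a default route.
ROUTING_TABLE = {"12.0.0.0/24": "10.0.0.2", "0.0.0.0/0": "10.0.0.2"}

def acl_matches(acl_id, src, dst):
    return (src, dst) in ACLS.get(acl_id, [])

def lookup(dst, table):
    """Longest-prefix match; returns (network, next_hop) or None."""
    best = None
    for net, nh in table.items():
        n = ip_network(net)
        if ip_address(dst) in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, nh)
    return best

def pbr_next_hop(src, dst, reachable, route_map=ROUTE_MAP, table=ROUTING_TABLE):
    """Return (next_hop, reason) the way the router would forward the packet.

    reachable: set of next-hop addresses that are currently usable (constructed input).
    """
    route = lookup(dst, table)
    for entry in route_map:
        if not acl_matches(entry["match_acl"], src, dst):
            continue                      # route-map sequences are tried in order
        seq = entry["seq"]
        if entry["default"]:
            # "set ip default next-hop": routing table first; the policy next hop is
            # used only when the table has no explicit (non-default) route.
            if route and route[0].prefixlen > 0:
                return route[1], f"seq {seq}: explicit route beats default next-hop"
            if entry["next_hop"] in reachable:
                return entry["next_hop"], f"seq {seq}: default next-hop"
        else:
            # "set ip next-hop": policy first; the routing table is the fallback.
            if entry["next_hop"] in reachable:
                return entry["next_hop"], f"seq {seq}: policy next-hop"
        if route:
            return route[1], f"seq {seq}: policy next-hop unusable, routing table"
        return None, f"seq {seq}: no usable path, packet dropped"
    return (route[1], "no PBR match, routing table") if route else (None, "no route")
```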

Filter routes when redistributing

This blog post explains two tools used to filter routes during redistribution: distribute-lists and route-maps.

1. Distribute-lists

Distribute-lists filter routing updates in both the inbound and the outbound direction. A distribute-list refers to an access-list or prefix-list to match the routes, and is applied under the routing process.

Example using an access-list:
Router(config)# access-list 10 permit 172.16.0.0 0.0.255.255
Router(config)# router rip
Router(config-router)# distribute-list 10 in serial0/0
The distribute-list only allows incoming updates on serial0/0 into RIP for the prefixes referred to in access-list 10. That means: "only update information for 172.16.0.0 0.0.255.255 received inbound on Serial0/0 will be accepted into the RIP process."

Example using a prefix-list:
Router(config)# ip prefix-list MYLIST permit 10.1.0.0/16
Router(config)# router rip
Router(config-router)# distribute-list prefix MYLIST in serial0/0
This has the same meaning as the access-list example; the only difference is that access-list 10 is replaced by the prefix-list MYLIST.

Both examples above deal with routing updates, so what happens during redistribution?
Distribute-lists can be configured under the routing process that imports routes from the redistributed protocol. That is, to filter redistributed routes you configure the distribute-list under the receiving protocol's process, and the command must use the "out" direction because it refers to the routing process from which the routes are redistributed.

For example, under the EIGRP process, the command
distribute-list 1 out ospf 2
tells EIGRP to apply ACL 1 when importing routes from OSPF process 2. Note that the "out" direction must be used.
The figure below is used to demonstrate:
In this scenario, two routing protocols are running, EIGRP and OSPF, and R1 performs the redistribution. The requirement is to prevent route 1.1.1.0/24 from being redistributed into the OSPF process.
Before filtering, subnet 1.1.1.0/24 still appears in R3's routing table:
R3#show ip route ospf
     1.0.0.0/24 is subnetted, 1 subnets
O E2    1.1.1.0 [110/20] via 11.0.0.1, 00:01:08, Ethernet0/1
     2.0.0.0/24 is subnetted, 1 subnets
O E2    2.2.2.0 [110/20] via 11.0.0.1, 00:28:33, Ethernet0/1
     10.0.0.0/30 is subnetted, 1 subnets
O E2    10.0.0.0 [110/20] via 11.0.0.1, 00:28:33, Ethernet0/1
     11.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O E2    11.11.11.0/24 [110/20] via 11.0.0.1, 00:28:33, Ethernet0/1

I'm using a prefix-list named TEST:
R1#show run | section prefix-list
ip prefix-list TEST seq 5 deny 1.1.1.0/24
ip prefix-list TEST seq 10 permit 0.0.0.0/0 le 32
This prefix-list denies exactly the subnet 1.1.1.0/24 and permits everything else. On R1, under the OSPF process:
R1#show run | section router ospf
router ospf 1
 log-adjacency-changes
 redistribute eigrp 10 subnets
 network 11.0.0.0 0.0.0.3 area 0
 distribute-list prefix TEST out eigrp 10

After applying the distribute-list to the OSPF process, subnet 1.1.1.0/24 no longer appears in R3's routing table:
R3#show ip route ospf
     2.0.0.0/24 is subnetted, 1 subnets
O E2    2.2.2.0 [110/20] via 11.0.0.1, 00:30:21, Ethernet0/1
     10.0.0.0/30 is subnetted, 1 subnets
O E2    10.0.0.0 [110/20] via 11.0.0.1, 00:30:21, Ethernet0/1
     11.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O E2    11.11.11.0/24 [110/20] via 11.0.0.1, 00:30:21, Ethernet0/1

2. Route-maps

A route-map is another tool to filter traffic, like an ACL, but with more powerful functions:
  • Controlling redistribution between routing protocols
  • Adjusting route attributes (especially in BGP)
  • Implementing Policy-Based Routing (PBR)
Route-maps are organized as statements, each with a permit or deny condition. Traffic is first matched using some criteria, and then a particular attribute or action is applied to the matched traffic.

Syntax of a route-map:
Router(config)# access-list 1 permit 10.1.0.0 0.0.0.255
Router(config)# route-map TEST permit 10
Router(config-route-map)# match ip address 1
Router(config-route-map)# set ip next-hop 2.2.2.2
An ACL is created first to match traffic from 10.1.0.0/24. Then the route-map named TEST is created with a permit condition and sequence number 10.
The route-map matches the traffic listed in ACL 1 and finally sets the next-hop attribute for that traffic.
A route-map can contain multiple match commands:
Router(config)# route-map TEST permit 10
Router(config-route-map)# match ip address 1 2 3
With the matching criteria on the same line, "OR" logic is applied.
Router(config-route-map)# match ip address 1
Router(config-route-map)# match ip address 2
With separate lines, "AND" logic is applied.

When used for redistribution, if you don't want to change any attributes of the routes, the route-map must have a permit condition whose match refers to the ACL, with no set configured.

Use the diagram and requirement above to demonstrate:

R1#show run | section access-list
access-list 10 deny   1.1.1.0 0.0.0.255
access-list 10 permit any
R1#show run | section route-map
route-map TEST permit 10
 match ip address 10  <<<< there is no set condition
R1#show run | section router ospf
router ospf 1
 log-adjacency-changes
 redistribute eigrp 10 subnets route-map TEST
 network 11.0.0.0 0.0.0.3 area 0

Verify the routing table on R3:
R3#show ip route ospf
     2.0.0.0/24 is subnetted, 1 subnets
O E2    2.2.2.0 [110/20] via 11.0.0.1, 00:03:09, Ethernet0/1
     10.0.0.0/30 is subnetted, 1 subnets
O E2    10.0.0.0 [110/20] via 11.0.0.1, 00:03:09, Ethernet0/1
     11.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O E2    11.11.11.0/24 [110/20] via 11.0.0.1, 00:03:09, Ethernet0/1
As you can see, both distribute-lists and route-maps let you extend the configuration as the requirements demand. They reference ACLs and prefix-lists, so you can express various conditions in the ACL to get the configuration you need.
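As an added example (not from the original post), this Python snippet models how the prefix-list TEST and access-list 10 above each decide which of R3's routes may be redistributed; the matching logic is a simplified model of IOS behaviour, not IOS code. It also goes one step beyond the post: a prefix-list can check the prefix length, while a standard ACL cannot.

```python
from ipaddress import ip_address, ip_network

# ip prefix-list TEST seq 5 deny 1.1.1.0/24
# ip prefix-list TEST seq 10 permit 0.0.0.0/0 le 32
PREFIX_LIST_TEST = [            # (seq, action, prefix, ge, le)
    (5, "deny", "1.1.1.0/24", None, None),
    (10, "permit", "0.0.0.0/0", None, 32),
]

# access-list 10 deny 1.1.1.0 0.0.0.255
# access-list 10 permit any
ACL_10 = [                      # (action, address, wildcard); "any" = wildcard all ones
    ("deny", "1.1.1.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]

# Routes R3 learned via OSPF before filtering (from the post)
ROUTES = ["1.1.1.0/24", "2.2.2.0/24", "10.0.0.0/30", "11.11.11.0/24"]

def prefix_list_permits(plist, route):
    """Prefix-list semantics: the route's network must lie inside the entry's prefix and
    its prefix length must fall within [ge, le]; without ge/le the length must match
    the entry exactly. First matching entry decides; implicit deny at the end."""
    r = ip_network(route)
    for _seq, action, prefix, ge, le in sorted(plist, key=lambda e: e[0]):
        entry = ip_network(prefix)
        lo = ge if ge is not None else entry.prefixlen
        hi = le if le is not None else lo
        if r.network_address in entry and lo <= r.prefixlen <= hi:
            return action == "permit"
    return False

def acl_permits(acl, route):
    """Standard ACL semantics applied to a route: only the network address is tested;
    bits set in the wildcard mask are ignored and the prefix length is never checked."""
    addr = int(ip_network(route).network_address)
    for action, base, wildcard in acl:
        care = ~int(ip_address(wildcard)) & 0xFFFFFFFF
        if (addr & care) == (int(ip_address(base)) & care):
            return action == "permit"
    return False

def filter_routes(routes, permits):
    """Routes that survive the filter, in their original order."""
    return [r for r in routes if permits(r)]

def redistributed_via_prefix_list(routes=ROUTES):
    return filter_routes(routes, lambda r: prefix_list_permits(PREFIX_LIST_TEST, r))

def redistributed_via_acl(routes=ROUTES):
    return filter_routes(routes, lambda r: acl_permits(ACL_10, r))
```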

Friday, January 18, 2013

OSPF Virtual Link

1. Introduction to Virtual link

OSPF design requires that all areas be physically connected to the backbone area (Area 0) in order to communicate with each other. In some cases, the backbone area is split by a non-backbone area, or a non-backbone area cannot connect directly to the backbone; see the figure below.

A virtual link is a connection from Area 2 to Area 0 through Area 29; Area 29 is then called the transit area. The transit area must meet the following requirements:
  • It has full routing information.
  • It is not a stub area.

2. How it works

When a virtual link is configured, all routers know how to reach each other through it. Packets exchanged between the two ends of the virtual link are not multicast; they are sent as unicast packets across the virtual link.
OSPF is carried directly in IP as protocol 89, so if there is a firewall in the path of the virtual link, it must allow OSPF packets (IP protocol 89) between the two endpoints.
When the routers become adjacent over the virtual link, R3 now considers itself an ABR because it has a connection to Area 0; R3 then creates type 3 LSAs for its networks and advertises them into Area 0 and Area 29. The SPF processes calculate their best routes normally, treating the virtual link as a point-to-point link in Area 0.

3. Configuring OSPF Virtual link

The virtual link is configured on R2 and R3, with Area 29 as the transit area.

OSPF Configuration on R2:
R2#show run | section ospf
router ospf 1
 log-adjacency-changes
 area 29 virtual-link 10.0.2.1 <<< R3's Router ID
 network 1.1.1.0 0.0.0.255 area 0
 network 2.2.2.0 0.0.0.255 area 29
 
R2#show ip ospf virtual-links
Virtual Link OSPF_VL0 to router 10.0.2.1 is up
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 29, via interface FastEthernet0/1, Cost of using 10
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:07
    Adjacency State FULL (Hello suppressed)
    Index 2/3, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec

OSPF Configuration on R3:
R3#show run | section ospf
router ospf 1
 log-adjacency-changes
 area 29 virtual-link 2.2.2.1 <<< R2's Router ID
 network 2.2.2.0 0.0.0.255 area 29
 network 10.0.0.0 0.0.0.255 area 2
 network 10.0.1.0 0.0.0.255 area 2
 network 10.0.2.0 0.0.0.255 area 2
You can also configure authentication on the virtual link.
Another post about virtual links (in Vietnamese)

Saturday, January 12, 2013

EIGRP load balancing over unequal-cost paths

The previous post covered load balancing over equal-cost paths. This post explains how to load balance traffic over UNequal-cost paths.
When only one route is installed in the routing table, the other feasible successor routes are kept in the topology table and are used when the successor route fails. To enable load sharing over unequal-cost paths, the feasible successor route must also be installed in the routing table. A value called VARIANCE is configured to achieve this.
Variance is a number in the range 1 to 128; the default of 1 means load balancing over equal-cost paths only. The variance is multiplied by the current best metric (the successor's FD) and the result is compared with the feasible successor's FD to decide whether that route is usable. The comparison is:
If the feasible successor's FD < the successor's FD * variance, the route is installed in the routing table.


In this figure, R1-R4-R5 is the feasible successor route for R1 to reach 1.1.1.0/24.
The feasible successor's FD is the full metric from R1 to 1.1.1.0/24, that is 27+7+12 = 46.
The successor's FD is 10+5+6 = 21.
With a variance of 3, the R1-R4-R5 route is installed in the routing table because it satisfies the condition (46 < 21*3 = 63).

For the demonstration, the bandwidth on R1's s0/0 is changed to 700. Now R1 uses only s0/1 to forward traffic to 5.5.5.0/24:
R1#show ip route | section 5.5.5
D       5.5.5.0 [90/2323456] via 2.2.2.2, 00:00:04, Serial0/1
In R1's topology table, the route via R2 to 5.5.5.0/24 is still kept, with a higher metric:
R1#show ip eig to 5.5.5.0/24
...
  2.2.2.2 (Serial0/1), from 2.2.2.2, Send flag is 0x0
      Composite metric is (2323456/409600), Route is Internal
      Vector metric:
        Minimum bandwidth is 1544 Kbit
       ...
  1.1.1.2 (Serial0/0), from 1.1.1.2, Send flag is 0x0
      Composite metric is (4322560/409600), Route is Internal
      Vector metric:
        Minimum bandwidth is 700 Kbit
       ...
To use unequal-cost load balancing over these routes, go to the EIGRP process and configure a variance of 2:
R1(config)#router eigrp 10
R1(config-router)#variance 2
Now both routes appear in the routing table:
R1#show ip route eig | section 5.5.5
     3.0.0.0/24 is subnetted, 1 subnets
D       5.5.5.0 [90/2323456] via 2.2.2.2, 00:01:08, Serial0/1
                [90/4322560] via 1.1.1.2, 00:01:08, Serial0/0
R1#show ip route 5.5.5.5
Routing entry for 5.5.5.0/24
  Known via "eigrp 10", distance 90, metric 2323456, type internal
  Redistributing via eigrp 10
  Last update from 1.1.1.2 on Serial0/0, 00:02:17 ago
  Routing Descriptor Blocks:
    2.2.2.2, from 2.2.2.2, 00:02:17 ago, via Serial0/1
      Route metric is 2323456, traffic share count is 80
      Total delay is 26000 microseconds, minimum bandwidth is 1544 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 2
  * 1.1.1.2, from 1.1.1.2, 00:02:17 ago, via Serial0/0
      Route metric is 4322560, traffic share count is 43
      Total delay is 26000 microseconds, minimum bandwidth is 700 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 2

Friday, January 11, 2013

EIGRP load balancing over equal-cost paths

When a router learns routes from several routing protocols, it chooses one best route to install in the routing table: the route with the lowest Administrative Distance, a value assigned to each routing protocol.
When multiple routes are learned from a single routing protocol, the metric is compared and the route with the lowest metric wins. If those routes have the same metric, load balancing can occur (EIGRP, OSPF). EIGRP even allows load balancing over unequal-cost paths.

By default, EIGRP load balances over 4 equal-cost paths, and this can be increased to 16. EIGRP does not perform the load balancing itself; the switching technology handles it.

CEF is a layer 3 switching technology enabled by default in IOS. When CEF is enabled, load balancing occurs on a per-destination basis: all packets to a given destination use the same output interface.

In the topology table:
R1#show ip eigrp to
IP-EIGRP Topology Table for AS(10)/ID(1.1.1.1)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status
...
P 3.3.3.0/24, 2 successors, FD is 435200
        via 10.0.0.2 (435200/409600), Ethernet0/0
        via 13.0.0.2 (435200/409600), Ethernet0/1
...
There are two successor routes from R1 to 3.3.3.0/24 with the same FD, 435200. CEF is enabled on R1, so load balancing occurs on a per-destination basis.
R1#show run | section cef
ip cef
With per-destination load balancing, all traffic to a destination uses the same output interface:
When CEF is disabled, packets are distributed over both routes:

Alternatively, per-packet load balancing can be used while CEF is enabled by configuring per-packet load sharing on the outgoing interfaces:
R1(config)#ip cef
R1(config)#int e0/0
R1(config-if)#ip load-sharing per-packet
R1(config-if)#int e0/1
R1(config-if)#ip load-sharing per-packet


Thursday, January 10, 2013

EIGRP Terminologies

In this post, I will explain some terminology related to EIGRP, including:
  • Feasible distance and reported/advertised distance (FD and RD).
  • Successor and feasible successor routes.

1. Feasible Distance and Reported Distance - FD and RD


Feasible Distance (FD) is the metric of the best route from the local router to the destination subnet; the best route is the one with the lowest metric.

Reported Distance (RD) is the metric advertised by the neighbor (next hop) for that route. The local router knows this value because neighbors exchange their topology tables.


In this example, consider the route from R1 to 1.1.1.0/24.
There are two routes from R1 to 1.1.1.0/24:
  1. R1-R2-R3-dest: metric is 10+15+7 = 32.
  2. R1-R4-R5-dest: metric is 12+9+12 = 33.
R1 chooses the first route because it has the lower metric. The FD here is 32, the best metric.

The Reported Distance is the metric from the next-hop router to the destination; here R1's next hop is R2, so the RD of this route is the metric from R2 to the destination: 15+7 = 22.

2. Successor and Feasible successor routes

The successor route is the best route, chosen to be installed in the routing table; in the example above it is the R1-R2-R3 route.
A feasible successor route is a backup for the successor route, used when the successor route goes down.

By default, EIGRP installs only the best route in the routing table, but it still keeps the less-than-optimal routes in the topology table.

To become a feasible successor, a route must satisfy the feasibility condition:
  • The route must be loop-free. This means the RD of that route, as reported to the local router, must be less than the local best metric (FD).
So, in the diagram above, what is the feasible successor route for the best route from R1 to 1.1.1.0/24?
As explained before, the best route from R1 to 1.1.1.0/24 is R1-R2-R3 with FD 32. The other route to 1.1.1.0/24 is R1-R4-R5 with metric 33.
For the R1-R4-R5 route to become the feasible successor, its RD must be less than R1's current FD.
In this example, the RD of R1-R4-R5 is the metric from R4 to 1.1.1.0/24, 9+12 = 21.

Since 21 < 32, this route is a feasible successor.
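As an added example (not from the original posts), the following Python snippet applies the feasibility condition explained here and the variance rule from the unequal-cost post to the metrics given in both posts. The Candidate type, the next-hop labels and the per-candidate RD values derived from the figures are constructed for the demo.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Candidate:
    next_hop: str
    fd: int   # full metric from the local router to the destination via this next hop
    rd: int   # metric the next hop reports for the destination (its own FD)

def successor(cands):
    """The best route: lowest full metric. Its metric becomes the local FD."""
    return min(cands, key=lambda c: c.fd)

def feasible_successors(cands):
    """Feasibility condition: a candidate's RD must be less than the local FD
    (the neighbor cannot be routing through the local router, so the path is loop-free)."""
    best = successor(cands)
    return [c for c in cands if c is not best and c.rd < best.fd]

def installed_routes(cands, variance=1):
    """Routes placed in the routing table: the successor plus every feasible successor
    whose own metric is below FD * variance. Variance 1 means equal-cost paths only."""
    best = successor(cands)
    limit = best.fd * variance
    return [best] + [c for c in feasible_successors(cands) if c.fd < limit]

# Figure from this post: R1 to 1.1.1.0/24 via R2 (10+15+7) or via R4 (12+9+12);
# each RD is the part of the path beyond the next hop.
TERMINOLOGY_ROUTES = [
    Candidate("R2", 10 + 15 + 7, 15 + 7),
    Candidate("R4", 12 + 9 + 12, 9 + 12),
]

# Figure from the unequal-cost post: successor 10+5+6, feasible successor 27+7+12.
VARIANCE_FIGURE = [
    Candidate("R2", 10 + 5 + 6, 5 + 6),
    Candidate("R4", 27 + 7 + 12, 7 + 12),
]

# Metrics from that post's "show ip eigrp topology 5.5.5.0/24" on R1 (FD/RD pairs).
DEMO_5_5_5 = [
    Candidate("2.2.2.2", 2323456, 409600),
    Candidate("1.1.1.2", 4322560, 409600),
]
```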