Posted by: Richard @ Configureterminal.com | January 11, 2009

Sovereign BGP – Part 2

As a continuation of last month’s “Sovereign BGP” post, this post will demonstrate the implementation of an Advertise-Map + an Exist-Map:

I’ll be honest, it took me a few minutes to figure out when you could use this feature; two situations came to mind but I opted for this one -> my apologies if it’s a rubbish example.

To keep things straightforward we’ll stick with the majority of the setup from the previous post; an internal router (SF_R2) is the only device that has been added to the diagram and the non-exist-map configuration remains in place.

Please take a look at the new network topology:
[Image: existmaps1, the new network topology]

The aim of SanFran Systems is to only advertise their public network (146.55.43.0/26) to AS456 and AS789 if their private network (192.168.3.0/24) is available; the private network is where hosts on the inside of static one-to-one NATs are found, and the public network provides the addresses for the outside of the NATs -> if the inside network (and therefore the servers) isn’t available, SanFran Systems wish to withhold the advertisement of their outside network to AS456 and AS789.
In the case of AS789, the route should only be advertised if the private network is in the BGP table of SF_R1 and the 146.55.0.0/16 route isn’t being received from AS456 (non-exist-map + exist-map policy).  The private network has reached the BGP table of SF_R1 over an iBGP session being run with SF_R2 -> please remember, this is imaginary, I haven’t addressed the security side of things other than a lazy addition of a firewall symbol 🙂

Our task detailed:

1a) If 192.168.3.0/24 exists in the local BGP table of SF_R1, then advertise the 146.55.43.0/26 route to ISP1_R1 (AS456)

1b) If 192.168.3.0/24 does not exist in the local BGP table of SF_R1, then do not advertise the 146.55.43.0/26 route to ISP1_R1 (AS456)

————————————————————————————

2a) If 192.168.3.0/24 exists in the local BGP table of SF_R1 and we are receiving the 146.55.0.0/16 route from ISP1_R1 (AS456), then do not advertise the 146.55.43.0/26 route to ISP2_R1 (AS789)

2b) If 192.168.3.0/24 exists in the local BGP table of SF_R1 and we aren’t receiving the 146.55.0.0/16 route from ISP1_R1 (AS456), then advertise the 146.55.43.0/26 route to ISP2_R1 (AS789)

2c) If 192.168.3.0/24 does not exist in the local BGP table of SF_R1 and we are receiving the 146.55.0.0/16 route from ISP1_R1 (AS456), then do not advertise the 146.55.43.0/26 route to ISP2_R1 (AS789)

2d) If 192.168.3.0/24 does not exist in the local BGP table of SF_R1 and we aren’t receiving the 146.55.0.0/16 route from ISP1_R1 (AS456), then do not advertise the 146.55.43.0/26 route to ISP2_R1 (AS789)


Initial Configuration of SF_R1 (the lines added in this post are marked with a “! new” comment, retained lines are not marked):

router bgp 123
 no synchronization
 bgp log-neighbor-changes
 network 146.55.43.0 mask 255.255.255.192
 ! new: iBGP session with SF_R2
 neighbor 146.55.43.1 remote-as 123
 neighbor 146.55.43.1 next-hop-self
 neighbor 146.55.251.13 remote-as 456
 neighbor 146.55.251.13 route-map AS456_IN in
 neighbor 146.55.251.13 route-map AS456_OUT out
 ! new: conditional advertisement towards AS456
 neighbor 146.55.251.13 advertise-map SEND_THIS exist-map IF_THIS_EXISTS
 neighbor 163.86.53.5 remote-as 789
 neighbor 163.86.53.5 route-map AS789_IN in
 neighbor 163.86.53.5 route-map AS789_OUT out
 neighbor 163.86.53.5 advertise-map SEND_THIS non-exist-map IF_THIS_IS_MISSING
 ! new: conditional advertisement towards AS789, alongside the existing non-exist-map
 neighbor 163.86.53.5 advertise-map SEND_THIS exist-map IF_THIS_EXISTS
 no auto-summary
!
ip community-list 1 permit 123:456
ip as-path access-list 1 permit ^$
!
ip prefix-list ISP456_TRACK seq 10 permit 146.55.0.0/16
!
ip prefix-list CONDITIONAL seq 10 permit 146.55.43.0/26
!
! new: identifies the private (NAT inside) network
ip prefix-list PRIVATE_NET seq 10 permit 192.168.3.0/24
!
route-map IF_THIS_IS_MISSING permit 10
 match ip address prefix-list ISP456_TRACK
 match community 1
!
! new: exist-map referenced by both neighbours
route-map IF_THIS_EXISTS permit 10
 match ip address prefix-list PRIVATE_NET
!
! new: keep the private network out of the advertisements to AS456
route-map AS456_OUT deny 5
 match ip address prefix-list PRIVATE_NET
!
route-map AS456_OUT permit 10
 match as-path 1
!
! new: keep the private network out of the advertisements to AS789
route-map AS789_OUT deny 5
 match ip address prefix-list PRIVATE_NET
!
route-map AS789_OUT permit 10
 match as-path 1
!
route-map SEND_THIS permit 10
 match ip address prefix-list CONDITIONAL
!
! 8061717 is 123:789 in AS:value form
route-map AS789_IN permit 10
 set community 8061717
!
! 8061384 is 123:456 in AS:value form, i.e. what community-list 1 matches
route-map AS456_IN permit 10
 set local-preference 110
 set community 8061384
!

Configuration explanation:
The first two new lines set up the iBGP session with SF_R2 that is now required; the next two new lines assign CR (conditional route advertisement) in the form of an advertise-map + exist-map to the neighbours in AS456 and AS789 (the AS789 neighbour keeps its existing non-exist-map as well, so both conditions have to hold before it gets the route).  We then get into the route-maps…  we have been polite and filtered the internal private network from outbound advertisements; this has been done by adding “deny” lines above the existing “OUT” route-map permit lines so that a single prefix can be dropped selectively – in this case the prefix-list that identifies 192.168.3.0/24 is matched.  The “IF_THIS_EXISTS” route-map referenced by CR has been created and matches the same prefix-list, and the “SEND_THIS” route-map matches the existing “CONDITIONAL” prefix-list -> we want to advertise the route identified by “SEND_THIS” only while the route identified by “IF_THIS_EXISTS” exists in the local BGP table.
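To make the eight combinations behind requirements 1a to 2d checkable without a lab, here is an added Python model of the policy above; it is not the post’s own configuration and not Cisco code. It re-implements what the prefix-lists, the community-list, the outbound route-maps and the two conditional statements decide for each neighbour, and it decodes the decimal communities set by AS456_IN and AS789_IN, which is what lets the non-exist-map’s “match community 1” succeed. The prefixes, map names and community values are taken from the configuration; the function names and the scenario builder are assumptions.

```python
"""Offline model of SF_R1's conditional-advertisement policy (added example)."""
from dataclasses import dataclass


def community_to_str(value: int) -> str:
    """Decode the decimal community form used in the config, e.g. 8061384 -> '123:456'.
    The high 16 bits are the ASN, the low 16 bits the local value."""
    return f"{value >> 16}:{value & 0xFFFF}"


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple = ()                  # () = locally originated, matches as-path ^$
    communities: frozenset = frozenset()


# Prefix-lists and community-list as configured on SF_R1.
PRIVATE_NET = {"192.168.3.0/24"}
ISP456_TRACK = {"146.55.0.0/16"}
CONDITIONAL = {"146.55.43.0/26"}
COMMUNITY_LIST_1 = "123:456"

# Conditional statements per neighbour (both use advertise-map SEND_THIS).
NEIGHBORS = {
    "AS456": {"exist_map": True, "non_exist_map": False},
    "AS789": {"exist_map": True, "non_exist_map": True},
}


def local_bgp_table(have_private: bool, have_isp456: bool, tag_community: bool = True) -> list:
    """Constructed sample BGP table of SF_R1 for one scenario (assumed data)."""
    table = [Route("146.55.43.0/26")]                        # network statement
    if have_private:
        table.append(Route("192.168.3.0/24"))                # iBGP from SF_R2, empty AS path
    if have_isp456:
        # AS456_IN sets community 8061384 (123:456); tag_community=False models a
        # broken inbound route-map that no longer tags the route.
        comms = frozenset({community_to_str(8061384)}) if tag_community else frozenset()
        table.append(Route("146.55.0.0/16", as_path=(456,), communities=comms))
    return table


def if_this_exists_matches(table) -> bool:
    """route-map IF_THIS_EXISTS: some route in the table is in PRIVATE_NET."""
    return any(r.prefix in PRIVATE_NET for r in table)


def if_this_is_missing_matches(table) -> bool:
    """route-map IF_THIS_IS_MISSING: prefix AND community 123:456 must both match."""
    return any(r.prefix in ISP456_TRACK and COMMUNITY_LIST_1 in r.communities for r in table)


def outbound_permits(route: Route) -> bool:
    """AS456_OUT / AS789_OUT: deny 5 on PRIVATE_NET, then permit 10 only for as-path ^$."""
    if route.prefix in PRIVATE_NET:
        return False
    return route.as_path == ()


def advertised_to(neighbor: str, table) -> list:
    """Prefixes SF_R1 sends to a neighbour after outbound filtering and the conditions."""
    cfg = NEIGHBORS[neighbor]
    condition_ok = True
    if cfg["exist_map"] and not if_this_exists_matches(table):
        condition_ok = False              # exist-map: tracked route is absent -> withhold
    if cfg["non_exist_map"] and if_this_is_missing_matches(table):
        condition_ok = False              # non-exist-map: tracked route is present -> withhold
    sent = []
    for r in table:
        if not outbound_permits(r):
            continue
        if r.prefix in CONDITIONAL and not condition_ok:
            continue                      # route selected by SEND_THIS is withheld
        sent.append(r.prefix)
    return sent


def sends_public_route(neighbor: str, have_private: bool, have_isp456: bool,
                       tag_community: bool = True) -> bool:
    """True if 146.55.43.0/26 would be advertised to the neighbour in that scenario."""
    table = local_bgp_table(have_private, have_isp456, tag_community)
    return "146.55.43.0/26" in advertised_to(neighbor, table)


if __name__ == "__main__":
    for nbr in NEIGHBORS:
        for priv in (True, False):
            for isp in (True, False):
                verdict = "advertise" if sends_public_route(nbr, priv, isp) else "withhold"
                print(f"{nbr}: private={priv!s:5} isp456_route={isp!s:5} -> {verdict}")
```

The case worth keeping in mind is tag_community=False: if AS456_IN ever stopped tagging 123:456, IF_THIS_IS_MISSING would never match and SF_R1 would advertise to AS789 even while 146.55.0.0/16 is present, so an edit to the inbound route-map can silently change the outbound policy.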


So, now let’s test things… starting with the BGP tables of ISP1_R1 and ISP2_R1 after applying the configuration above:

ISP1_R1#sho ip bgp neighbors 146.55.251.14 received-routes
*output omitted*
*> 146.55.43.0/26   146.55.251.14            0             0 123 i

ISP2_R1#show ip bgp neighbor 163.86.53.6 received-routes

Total number of prefixes 0

(note: “received-routes” only works when neighbor ‘ip-address’ soft-reconfiguration inbound is configured for that neighbor)
[Image: existmaps2]

That looks good, we are receiving 192.168.3.0/24 and 146.55.0.0/16 on SF_R1, so we should be sending 146.55.43.0/26 to ISP1_R1 and withholding our advert to ISP2_R1 until we stop receiving 146.55.0.0/16 from ISP1_R1 -> That fulfils the requirements of “1a” and “2a” -> let’s check the requirement “2b” by shutting down the interface connected to ISP1_R1:

SF_R1(config)#interface serial 1/0
SF_R1(config-if)#shutdown

After waiting a little while….

ISP2_R1#sho ip bgp neighbors 146.55.251.14 received-routes
*output omitted*
*> 146.55.43.0/26   146.55.251.14            0             0 123 i

[Image: existmaps3]

Great, SF_R1 is sending its 146.55.43.0/26 route to ISP2_R1 because it has stopped receiving the 146.55.0.0/16 route from ISP1_R1 whilst still having the 192.168.3.0/24 route in its BGP table.  (“and breathe”)

Let’s address requirements “1b” and “2c” now.  We’ll start by doing a “no shut” on the interface previously shut down and then, after everything has stabilized, we’ll shut down the link to SF_R2, so the 192.168.3.0/24 route will no longer be received:

SF_R1(config)#interface serial 1/0
SF_R1(config-if)#no shutdown

SF_R1(config)#interface fastethernet 0/0
SF_R1(config-if)#shutdown

ISP1_R1#show ip bgp neighbor 163.86.53.6 received-routes

Total number of prefixes 0

ISP2_R1#show ip bgp neighbor 163.86.53.6 received-routes

Total number of prefixes 0

[Image: existmaps4]

Superb, the 146.55.43.0/26 route isn’t being sent to ISP1_R1 or ISP2_R1 when SF_R1 doesn’t have the 192.168.3.0/24 network in its BGP table.

That just leaves “2d”.  We’ll shut down the respective BGP neighbors and not the interfaces this time -> “there’s more than one way to skin a cat”…

SF_R1(config)#router bgp 123
SF_R1(config-router)#neighbor 146.55.251.13 shutdown
SF_R1(config-router)#neighbor 163.86.53.5 shutdown

ISP1_R1#show ip bgp neighbor 163.86.53.6 received-routes

Total number of prefixes 0

ISP2_R1#show ip bgp neighbor 163.86.53.6 received-routes

Total number of prefixes 0

[Image: existmaps5]

And there we have it -> all requirements fulfilled 🙂
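The checks above were done by eye. As an added example (not part of the post and not Cisco code), here is a Python checker that parses the table lines of “show ip bgp neighbors … received-routes” (the same line format “show ip bgp” uses), cross-checks the “Total number of prefixes” line, and answers the question asked after every test step: is 146.55.43.0/26 present or not. The sample outputs are constructed to mirror the ones shown above, and the function names are assumptions.

```python
"""Checker for the table lines of "show ip bgp neighbors <ip> received-routes" (added example)."""
import re

# One BGP table line, e.g.
#   *> 146.55.43.0/26   146.55.251.14            0             0 123 i
# status codes, prefix (blank on extra paths of the same prefix), next hop,
# then the Metric/LocPrf/Weight/Path columns and the origin code.
LINE_RE = re.compile(
    r"^(?P<status>[*>sdhriS ]{1,3})\s*"
    r"(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)?\s*"
    r"(?P<nexthop>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<attrs>.*?)\s*"
    r"(?P<origin>[ie?])\s*$"
)
TOTAL_RE = re.compile(r"^Total number of prefixes\s+(\d+)\s*$")

# Constructed sample outputs in the shape of the post's (the banner and header
# are what IOS prints above the table when the output is not trimmed).
SAMPLE_ADVERTISED = """\
BGP table version is 12, local router ID is 146.55.251.13
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 146.55.43.0/26   146.55.251.14            0             0 123 i

Total number of prefixes 1
"""
SAMPLE_WITHHELD = "Total number of prefixes 0\n"
# "show ip bgp" style snippet with two paths for one prefix (constructed).
SAMPLE_TWO_PATHS = """\
   Network          Next Hop            Metric LocPrf Weight Path
*> 146.55.0.0/16    146.55.251.13            0             0 456 i
*                   163.86.53.5                            0 789 456 i

Total number of prefixes 1
"""


def parse_bgp_table(output: str) -> dict:
    """Return {"prefixes": {prefix: [path, ...]}, "total": int or None}.

    A path is {"next_hop", "origin", "attrs", "best"}; a line with a blank
    prefix column is an extra path of the previous prefix and inherits it.
    """
    prefixes: dict = {}
    total = None
    current = None
    for line in output.splitlines():
        m = TOTAL_RE.match(line)
        if m:
            total = int(m.group(1))
            continue
        m = LINE_RE.match(line)
        if not m:
            continue                      # banner, header or blank line
        if m.group("prefix"):
            current = m.group("prefix")
        if current is None:
            continue                      # path line before any prefix was seen
        prefixes.setdefault(current, []).append({
            "next_hop": m.group("nexthop"),
            "origin": m.group("origin"),
            "attrs": m.group("attrs").split(),
            "best": ">" in m.group("status"),
        })
    return {"prefixes": prefixes, "total": total}


def prefix_received(output: str, prefix: str) -> bool:
    """True if the prefix appears in the parsed table."""
    return prefix in parse_bgp_table(output)["prefixes"]


def check_state(output: str, prefix: str, expect_received: bool) -> bool:
    """Compare captured output with the state a requirement calls for.

    If the "Total number of prefixes" line disagrees with what was parsed, the
    capture is treated as incomplete and the check fails instead of guessing.
    """
    parsed = parse_bgp_table(output)
    if parsed["total"] is not None and parsed["total"] != len(parsed["prefixes"]):
        return False
    return (prefix in parsed["prefixes"]) == expect_received


if __name__ == "__main__":
    # Requirement 1a seen on ISP1_R1 and 2a seen on ISP2_R1, as in the first test above.
    print("1a:", check_state(SAMPLE_ADVERTISED, "146.55.43.0/26", expect_received=True))
    print("2a:", check_state(SAMPLE_WITHHELD, "146.55.43.0/26", expect_received=False))
```

Run against the output captured after each shutdown step, the same function reports whether the router is in the state the requirement expects; the total-line cross-check is there so a truncated or paged capture reports a failure rather than a false “withheld”.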
