Simple BGP Multi-home Topology Part 3 – Working with distribution lists

In the previous labs we discussed BGP neighboring and how to alter the origin IGP.

We also saw that the learned prefixes originated from CUSTOMER. ISP1 and ISP2 did not share any routes since there was nothing to share.
Since every Internet BGP router can hold 300K or more prefixes, filtering by means of distribution lists is strongly recommended.

Distribution lists can filter network prefixes to prevent exhaustion on your customer router (by overloading it with 300k routes) and to make sure you’re not acting as a Transit ISP by mistake.

[Figure: BGP-Topo, the lab topology diagram]

For the sake of the lab we are going to create some fictitious networks based on loopback addresses on ISP1 and ISP2 and see how several prefixes are going to be filtered out.

Let’s capture some information first:

ISP1#sh run | sec bgp
router bgp 64310
 no synchronization
 bgp log-neighbor-changes
 neighbor 1.1.1.1 remote-as 64200
 neighbor 1.1.1.1 ebgp-multihop 2
 neighbor 1.1.1.1 update-source Loopback0
 no auto-summary
ISP1#
ISP1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
S       1.1.1.1 [1/0] via 172.16.1.2
     3.0.0.0/32 is subnetted, 1 subnets
C       3.3.3.3 is directly connected, Loopback0
     172.16.0.0/31 is subnetted, 1 subnets
C       172.16.1.2 is directly connected, FastEthernet0/0
B    192.168.4.0/24 [20/0] via 1.1.1.1, 02:09:12
B    192.168.1.0/24 [20/0] via 1.1.1.1, 02:09:12
B    192.168.2.0/24 [20/0] via 1.1.1.1, 02:09:12
B    192.168.3.0/24 [20/0] via 1.1.1.1, 02:09:12

ISP2#
ISP2#sh run | sec bgp
router bgp 64510
 no synchronization
 bgp log-neighbor-changes
 neighbor 1.1.1.2 remote-as 64200
 neighbor 1.1.1.2 ebgp-multihop 2
 neighbor 1.1.1.2 update-source Loopback0
 no auto-summary
ISP2#
ISP2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
S       1.1.1.2 [1/0] via 172.16.1.4
     4.0.0.0/32 is subnetted, 1 subnets
C       4.4.4.4 is directly connected, Loopback0
     172.16.0.0/31 is subnetted, 1 subnets
C       172.16.1.4 is directly connected, FastEthernet0/1
B    192.168.4.0/24 [20/0] via 1.1.1.2, 02:09:30
     10.0.0.0/32 is subnetted, 1 subnets
C       10.0.0.1 is directly connected, Loopback200
B    192.168.1.0/24 [20/0] via 1.1.1.2, 02:09:30
B    192.168.2.0/24 [20/0] via 1.1.1.2, 02:09:32
B    192.168.3.0/24 [20/0] via 1.1.1.2, 02:09:32

As we can see there is no redistribution mechanism configured on either ISP router, because we only use one routing protocol. Be aware that BGP will advertise all prefixes it knows to its peers.

Configuring the Network prefixes:

ISP1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
ISP1(config)#
!
int lo100
ip address 193.31.1.1 255.255.255.224
int lo200
ip address 193.31.2.1 255.255.255.224
int lo300
ip address 193.31.3.1 255.255.255.224
int lo400
ip address 193.31.4.1 255.255.255.224
int lo500
ip address 193.31.5.1 255.255.255.224
int lo600
ip address 193.31.6.1 255.255.255.224
int lo700
ip address 193.31.7.1 255.255.255.224
int lo800
ip address 193.31.8.1 255.255.255.224
int lo900
ip address 193.31.9.1 255.255.255.224
!
router bgp 64310
network 193.31.1.0 mask 255.255.255.224
network 193.31.2.0 mask 255.255.255.224
network 193.31.3.0 mask 255.255.255.224
network 193.31.4.0 mask 255.255.255.224
network 193.31.5.0 mask 255.255.255.224
network 193.31.6.0 mask 255.255.255.224
network 193.31.7.0 mask 255.255.255.224
network 193.31.8.0 mask 255.255.255.224
network 193.31.9.0 mask 255.255.255.224
ISP1(config)#end

ISP2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
ISP2(config)#
int lo100
ip address 193.51.1.1 255.255.255.224
int lo200
ip address 193.51.2.1 255.255.255.224
int lo300
ip address 193.51.3.1 255.255.255.224
int lo400
ip address 193.51.4.1 255.255.255.224
int lo500
ip address 193.51.5.1 255.255.255.224
int lo600
ip address 193.51.6.1 255.255.255.224
int lo700
ip address 193.51.7.1 255.255.255.224
int lo800
ip address 193.51.8.1 255.255.255.224
int lo900
ip address 193.51.9.1 255.255.255.224
!
router bgp 64510
network 193.51.1.0 mask 255.255.255.224
network 193.51.2.0 mask 255.255.255.224
network 193.51.3.0 mask 255.255.255.224
network 193.51.4.0 mask 255.255.255.224
network 193.51.5.0 mask 255.255.255.224
network 193.51.6.0 mask 255.255.255.224
network 193.51.7.0 mask 255.255.255.224
network 193.51.8.0 mask 255.255.255.224
network 193.51.9.0 mask 255.255.255.224
ISP2(config)#end

We configured the network statements with the mask option because a BGP network statement without a mask defaults to the classful network and compares it with the networks configured on the local interfaces, or simply put, with the entry in the routing table. When there is a mismatch, the prefix will not appear in the BGP topology table.

Configuring the mask makes the network statement match the entry in the routing table exactly. When the match is correct the prefixes appear in the topology table, as seen below:

ISP1#sh ip bgp        
BGP table version is 26, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 192.168.1.0      1.1.1.1                  0             0 64200 i
*> 192.168.2.0      1.1.1.1                  0             0 64200 i
*> 192.168.3.0      1.1.1.1                  0             0 64200 i
*> 192.168.4.0      1.1.1.1                  0             0 64200 i
*> 193.31.1.0/27    0.0.0.0                  0         32768 i
*> 193.31.2.0/27    0.0.0.0                  0         32768 i
*> 193.31.3.0/27    0.0.0.0                  0         32768 i
*> 193.31.4.0/27    0.0.0.0                  0         32768 i
*> 193.31.5.0/27    0.0.0.0                  0         32768 i
*> 193.31.6.0/27    0.0.0.0                  0         32768 i
*> 193.31.7.0/27    0.0.0.0                  0         32768 i
*> 193.31.8.0/27    0.0.0.0                  0         32768 i
*> 193.31.9.0/27    0.0.0.0                  0         32768 i
ISP1#

The weight is set to a value of 32768, which is the highest weight and the default for locally originated prefixes.

Now let’s check CUSTOMER’s topology table:

CUSTOMER#sh ip bgp
BGP table version is 39, local router ID is 192.168.4.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 192.168.1.0      0.0.0.0                  0         32768 i
*> 192.168.2.0      0.0.0.0                  0         32768 i
*> 192.168.3.0      0.0.0.0                  0         32768 i
*> 192.168.4.0      0.0.0.0                  0         32768 i
*> 193.31.1.0/27    3.3.3.3                  0             0 64310 i
*> 193.31.2.0/27    3.3.3.3                  0             0 64310 i
*> 193.31.3.0/27    3.3.3.3                  0             0 64310 i
*> 193.31.4.0/27    3.3.3.3                  0             0 64310 i
*> 193.31.5.0/27    3.3.3.3                  0             0 64310 i
*> 193.31.6.0/27    3.3.3.3                  0             0 64310 i
*> 193.31.7.0/27    3.3.3.3                  0             0 64310 i
*> 193.31.8.0/27    3.3.3.3                  0             0 64310 i
*> 193.31.9.0/27    3.3.3.3                  0             0 64310 i
*> 193.51.1.0/27    4.4.4.4                  0             0 64510 i
*> 193.51.2.0/27    4.4.4.4                  0             0 64510 i
*> 193.51.3.0/27    4.4.4.4                  0             0 64510 i
*> 193.51.4.0/27    4.4.4.4                  0             0 64510 i
*> 193.51.5.0/27    4.4.4.4                  0             0 64510 i
*> 193.51.6.0/27    4.4.4.4                  0             0 64510 i
*> 193.51.7.0/27    4.4.4.4                  0             0 64510 i
*> 193.51.8.0/27    4.4.4.4                  0             0 64510 i
*> 193.51.9.0/27    4.4.4.4                  0             0 64510 i

Now imagine this was a real-life ISP with 300,000 or more routes sharing all its information with us…… right!!

Let’s check the topology table from ISP2 just for curiosity purposes:

ISP2#sh ip bgp
BGP table version is 41, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 192.168.1.0      1.1.1.2                  0             0 64200 i
*> 192.168.2.0      1.1.1.2                  0             0 64200 i
*> 192.168.3.0      1.1.1.2                  0             0 64200 i
*> 192.168.4.0      1.1.1.2                  0             0 64200 i
*> 193.31.1.0/27    1.1.1.2                                0 64200 64310 i
*> 193.31.2.0/27    1.1.1.2                                0 64200 64310 i
*> 193.31.3.0/27    1.1.1.2                                0 64200 64310 i
*> 193.31.4.0/27    1.1.1.2                                0 64200 64310 i
*> 193.31.5.0/27    1.1.1.2                                0 64200 64310 i
*> 193.31.6.0/27    1.1.1.2                                0 64200 64310 i
*> 193.31.7.0/27    1.1.1.2                                0 64200 64310 i
*> 193.31.8.0/27    1.1.1.2                                0 64200 64310 i
*> 193.31.9.0/27    1.1.1.2                                0 64200 64310 i
*> 193.51.1.0/27    0.0.0.0                  0         32768 i
*> 193.51.2.0/27    0.0.0.0                  0         32768 i
*> 193.51.3.0/27    0.0.0.0                  0         32768 i
*> 193.51.4.0/27    0.0.0.0                  0         32768 i
*> 193.51.5.0/27    0.0.0.0                  0         32768 i
*> 193.51.6.0/27    0.0.0.0                  0         32768 i
*> 193.51.7.0/27    0.0.0.0                  0         32768 i
*> 193.51.8.0/27    0.0.0.0                  0         32768 i
*> 193.51.9.0/27    0.0.0.0                  0         32768 i

WOOPS!! What are those prefixes from ISP1 (via 1.1.1.2) doing there???? Ohh, sure, we’re acting as a transit for both ISPs without getting paid for it.
That will put the pressure on applying those filters 🙂 .

Let’s do some filtering, but where do you apply such distribution-lists??

Best practice from a customer point of view is to configure your own filters, regardless of what the ISPs do on their side. We all know that a respectable ISP applies filters on their side. But wasn’t there a saying… “Assumption is the mother of all fuck-ups”.
Right, and because of that wise fact we’ll apply filters on the customer side.

There are two options:
1) Apply Distribution lists on BGP neighbor level or
2) Apply Distribution lists on BGP global level (all BGP neighbours)
Since CUSTOMER has two BGP neighbours we’ll apply option 1 and use a simple standard access-list.

!
CUSTOMER(config)#access-list 90 permit 193.31.1.0
CUSTOMER(config)#access-list 90 permit 193.31.9.0
!
CUSTOMER(config)#access-list 91 permit 193.51.1.0
CUSTOMER(config)#access-list 91 permit 193.51.9.0
!
CUSTOMER(config)#router bgp 64200
CUSTOMER(config-router)#neighbor 3.3.3.3 distribute-list 90 in
CUSTOMER(config-router)#neighbor 4.4.4.4 distribute-list 91 in

CUSTOMER#clear ip bgp *

!
BGP Sessions will be closed and re-initiated.

But wait a second… We are filtering inbound, but the remaining prefixes are still passed on through AS 64200. Of course, that is perfectly logical: both ISPs share their prefixes with a single AS, which in turn shares all the prefixes it knows with its neighbors.

So we also need to block prefixes learned from one ISP’s AS from being advertised to the other ISP’s AS.

CUSTOMER(config)#router bgp 64200
CUSTOMER(config-router)#neighbor 3.3.3.3 filter-list 1 out
CUSTOMER(config-router)#neighbor 4.4.4.4 filter-list 2 out
!
CUSTOMER(config)#ip as-path access-list 1 deny 64510
CUSTOMER(config)#ip as-path access-list 1 permit .*
!
CUSTOMER(config)#ip as-path access-list 2 deny 64310
CUSTOMER(config)#ip as-path access-list 2 permit .*
!
CUSTOMER#clear ip bgp *

Or you can use route-maps with self-explanatory names (the neighbor statements again go under router bgp 64200):

router bgp 64200
neighbor 3.3.3.3 route-map BLOCK-AS64510 out
neighbor 4.4.4.4 route-map BLOCK-AS64310 out
!
ip as-path access-list 1 deny 64510
ip as-path access-list 1 permit .*
!
ip as-path access-list 2 deny 64310
ip as-path access-list 2 permit .*
!
route-map BLOCK-AS64510 permit 10
match as-path 1
!
route-map BLOCK-AS64310 permit 10
match as-path 2
!
CUSTOMER#clear ip bgp *
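To see the two filter stages side by side (the inbound distribute-lists from access-lists 90/91 and the outbound as-path filter-lists 1/2), here is an added Python model of CUSTOMER’s filtering; it is not part of the lab or of Cisco IOS. The prefixes, AS numbers and peer addresses are the ones from this post; the as-path access-list 3 with `permit ^$` is an added generalisation that advertises only locally originated routes, so it stops transit to any number of peers without naming each AS.

```python
import re
from ipaddress import ip_network

# Constructed lab data mirroring the post: CUSTOMER (AS 64200) peers with
# ISP1 at 3.3.3.3 (AS 64310) and ISP2 at 4.4.4.4 (AS 64510).
LOCAL_PREFIXES = [f"192.168.{i}.0/24" for i in range(1, 5)]
ADJ_RIB_IN = {  # prefix -> AS path, as received from each peer
    "3.3.3.3": {f"193.31.{i}.0/27": [64310] for i in range(1, 10)},
    "4.4.4.4": {f"193.51.{i}.0/27": [64510] for i in range(1, 10)},
}
# Standard ACLs used as inbound distribute-lists (access-list 90 / 91): a
# plain "permit A.B.C.D" matches the network address only; implicit deny.
DISTRIBUTE_LIST_IN = {
    "3.3.3.3": ["193.31.1.0", "193.31.9.0"],
    "4.4.4.4": ["193.51.1.0", "193.51.9.0"],
}
# AS-path access-lists as ordered (action, IOS regex) entries; first match
# wins, implicit deny at the end. List 3 is the added "^$" generalisation.
AS_PATH_ACL = {
    1: [("deny", "64510"), ("permit", ".*")],
    2: [("deny", "64310"), ("permit", ".*")],
    3: [("permit", "^$")],
}
FILTER_LIST_OUT = {"3.3.3.3": 1, "4.4.4.4": 2}  # neighbor X filter-list N out

def ios_regex_to_python(pattern):
    # IOS "_" matches an AS delimiter: start/end of path, space, comma, braces.
    return pattern.replace("_", r"(?:^|$|\s|[,{}()])")

def as_path_permits(acl_id, as_path):
    path_str = " ".join(str(asn) for asn in as_path)
    for action, pattern in AS_PATH_ACL[acl_id]:
        if re.search(ios_regex_to_python(pattern), path_str):
            return action == "permit"
    return False

def accepted_from(peer):
    """Routes left after the inbound distribute-list: prefix -> AS path."""
    allowed = DISTRIBUTE_LIST_IN.get(peer)
    return {p: path for p, path in ADJ_RIB_IN[peer].items()
            if allowed is None or str(ip_network(p).network_address) in allowed}

def advertised_to(peer, filter_lists=FILTER_LIST_OUT):
    """Prefixes CUSTOMER sends to peer. The outbound filter-list sees the AS
    path before the local AS is prepended, which is why "^$" isolates local routes."""
    candidates = {p: [] for p in LOCAL_PREFIXES}
    for other in ADJ_RIB_IN:
        if other != peer:  # a route is never sent back to the peer it came from
            candidates.update(accepted_from(other))
    acl_id = filter_lists.get(peer)
    return sorted(p for p, path in candidates.items()
                  if acl_id is None or as_path_permits(acl_id, path))
```

Calling `advertised_to("3.3.3.3", filter_lists={})` reproduces the transit situation from the ISP2 table above (two 193.51.x.0/27 prefixes leaking towards ISP1), while the default filter-lists, or list 3 on every neighbor, leave only the four 192.168.x.0/24 prefixes.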

Let’s check the topology tables on ISP1 and ISP2:

ISP1#sh ip bgp 
BGP table version is 26, local router ID is 193.31.9.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 192.168.1.0      1.1.1.1                  0             0 64200 i
*> 192.168.2.0      1.1.1.1                  0             0 64200 i
*> 192.168.3.0      1.1.1.1                  0             0 64200 i
*> 192.168.4.0      1.1.1.1                  0             0 64200 i
*> 193.31.1.0/27    0.0.0.0                  0         32768 i
*> 193.31.2.0/27    0.0.0.0                  0         32768 i
*> 193.31.3.0/27    0.0.0.0                  0         32768 i
*> 193.31.4.0/27    0.0.0.0                  0         32768 i
*> 193.31.5.0/27    0.0.0.0                  0         32768 i
*> 193.31.6.0/27    0.0.0.0                  0         32768 i
*> 193.31.7.0/27    0.0.0.0                  0         32768 i
*> 193.31.8.0/27    0.0.0.0                  0         32768 i
*> 193.31.9.0/27    0.0.0.0                  0         32768 i
ISP1#

ISP2#sh ip bgp 
BGP table version is 26, local router ID is 193.51.9.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 192.168.1.0      1.1.1.2                  0             0 64200 i
*> 192.168.2.0      1.1.1.2                  0             0 64200 i
*> 192.168.3.0      1.1.1.2                  0             0 64200 i
*> 192.168.4.0      1.1.1.2                  0             0 64200 i
*> 193.51.1.0/27    0.0.0.0                  0         32768 i
*> 193.51.2.0/27    0.0.0.0                  0         32768 i
*> 193.51.3.0/27    0.0.0.0                  0         32768 i
*> 193.51.4.0/27    0.0.0.0                  0         32768 i
*> 193.51.5.0/27    0.0.0.0                  0         32768 i
*> 193.51.6.0/27    0.0.0.0                  0         32768 i
*> 193.51.7.0/27    0.0.0.0                  0         32768 i
*> 193.51.8.0/27    0.0.0.0                  0         32768 i
*> 193.51.9.0/27    0.0.0.0                  0         32768 i
ISP2#

Looks OK! No transit happening anymore.

Let’s check the BGP topology table and routing table from CUSTOMER:

CUSTOMER#sh ip bgp
BGP table version is 9, local router ID is 192.168.4.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 192.168.1.0      0.0.0.0                  0         32768 i
*> 192.168.2.0      0.0.0.0                  0         32768 i
*> 192.168.3.0      0.0.0.0                  0         32768 i
*> 192.168.4.0      0.0.0.0                  0         32768 i
*> 193.31.1.0/27    3.3.3.3                  0             0 64310 i
*> 193.31.9.0/27    3.3.3.3                  0             0 64310 i
*> 193.51.1.0/27    4.4.4.4                  0             0 64510 i
*> 193.51.9.0/27    4.4.4.4                  0             0 64510 i

CUSTOMER#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 2 subnets
C       1.1.1.1 is directly connected, Loopback1
C       1.1.1.2 is directly connected, Loopback2
     3.0.0.0/32 is subnetted, 1 subnets
S       3.3.3.3 [1/0] via 172.16.1.3
     4.0.0.0/32 is subnetted, 1 subnets
S       4.4.4.4 [1/0] via 172.16.1.5
     193.31.9.0/27 is subnetted, 1 subnets
B       193.31.9.0 [20/0] via 3.3.3.3, 00:20:31
     193.51.9.0/27 is subnetted, 1 subnets
B       193.51.9.0 [20/0] via 4.4.4.4, 00:20:31
     172.16.0.0/31 is subnetted, 2 subnets
C       172.16.1.4 is directly connected, FastEthernet0/1
C       172.16.1.2 is directly connected, FastEthernet0/0
C    192.168.4.0/24 is directly connected, Loopback104
     193.31.1.0/27 is subnetted, 1 subnets
B       193.31.1.0 [20/0] via 3.3.3.3, 00:20:33
     193.51.1.0/27 is subnetted, 1 subnets
B       193.51.1.0 [20/0] via 4.4.4.4, 00:20:33
C    192.168.1.0/24 is directly connected, Loopback101
C    192.168.2.0/24 is directly connected, Loopback102
C    192.168.3.0/24 is directly connected, Loopback103