Simple BGP Multi-home Topology Part 4 – Masking network prefixes

In the previous labs we presented a portion of our network to the outside world and saw how to avoid being "abused" as a transit path between our two ISPs. We also saw how the outside world sees our prefixes and how they originate.

[Figure: BGP-Topo, the lab topology diagram]

Let's examine the BGP table on ISP1:

ISP1#sh ip bgp 
BGP table version is 14, local router ID is 193.31.9.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 192.168.1.0      1.1.1.1                  0             0 64200 i
*> 192.168.2.0      1.1.1.1                  0             0 64200 i
*> 192.168.3.0      1.1.1.1                  0             0 64200 i
*> 192.168.4.0      1.1.1.1                  0             0 64200 i
*> 193.31.1.0/27    0.0.0.0                  0         32768 i
*> 193.31.2.0/27    0.0.0.0                  0         32768 i
*> 193.31.3.0/27    0.0.0.0                  0         32768 i
*> 193.31.4.0/27    0.0.0.0                  0         32768 i
*> 193.31.5.0/27    0.0.0.0                  0         32768 i
*> 193.31.6.0/27    0.0.0.0                  0         32768 i
*> 193.31.7.0/27    0.0.0.0                  0         32768 i
*> 193.31.8.0/27    0.0.0.0                  0         32768 i
*> 193.31.9.0/27    0.0.0.0                  0         32768 i
ISP1#

The first four entries (192.168.1.0 through 192.168.4.0, AS path 64200) are the prefixes learned from AS64200. Their origin code i (IGP) tells us that AS64200 injected them with network statements rather than by redistribution (redistributed routes would carry origin ? instead), which is the little trick from BGP lab part 2; the routes themselves come from OSPF area 100 on node CUSTOMER. IOS prints them without a mask because they sit on their classful /24 boundary.

But what if we don't want to present all of these prefixes to anyone else? Other parties can read how our network is segmented straight out of the global routing table, which is free reconnaissance. Let's say I want to mask my network prefixes behind a single prefix. Keep in mind this is information hiding, not a control: a less specific aggregate does nothing to stop somebody else from announcing a more-specific of it, so it belongs next to prefix filtering and origin validation, not in place of them.

We can use an aggregate-address with a suppress-map (not to be mistaken for summary-address, which is the OSPF/EIGRP summarization command) to mask our network prefixes behind one prefix. Unlike summary-only, which suppresses every more-specific under the aggregate, a suppress-map hides only the prefixes its route-map matches; a subnet you add later and forget to put in SUPPRESS-PREFIX will be advertised right next to the aggregate. The aggregate itself is only generated while at least one of its components is present in the BGP table, and if one ISP should still receive the specifics (for traffic engineering), neighbor unsuppress-map can re-expose them per neighbor.

!
ip prefix-list SUPPRESS-PREFIX seq 10 permit 192.168.1.0/24
ip prefix-list SUPPRESS-PREFIX seq 20 permit 192.168.2.0/24
ip prefix-list SUPPRESS-PREFIX seq 30 permit 192.168.3.0/24
ip prefix-list SUPPRESS-PREFIX seq 40 permit 192.168.4.0/24
!
route-map SUPPRESS-MAP-INTERNAL permit 10
 match ip address prefix-list SUPPRESS-PREFIX
!
router bgp 64200
 aggregate-address 192.168.0.0 255.255.0.0 suppress-map SUPPRESS-MAP-INTERNAL
!

Let’s check the results:

CUSTOMER#sh ip bgp 
BGP table version is 14, local router ID is 192.168.4.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 192.168.0.0/16   0.0.0.0                            32768 i
s> 192.168.1.0      0.0.0.0                  0         32768 i
s> 192.168.2.0      0.0.0.0                  0         32768 i
s> 192.168.3.0      0.0.0.0                  0         32768 i
s> 192.168.4.0      0.0.0.0                  0         32768 i
*> 193.31.1.0/27    3.3.3.3                  0             0 64310 i
*> 193.31.9.0/27    3.3.3.3                  0             0 64310 i
*> 193.51.1.0/27    4.4.4.4                  0             0 64510 i
*> 193.51.9.0/27    4.4.4.4                  0             0 64510 i
CUSTOMER#

Pay attention to the status codes: *> marks a valid best path, while s> marks a path that is still best locally (and still installed in CUSTOMER's own routing table) but suppressed, i.e. not advertised to any neighbor.

And what do the ISPs see?

ISP1#sh ip bgp
BGP table version is 19, local router ID is 193.31.9.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 192.168.0.0/16   1.1.1.1                  0             0 64200 i
*> 193.31.1.0/27    0.0.0.0                  0         32768 i
*> 193.31.2.0/27    0.0.0.0                  0         32768 i
*> 193.31.3.0/27    0.0.0.0                  0         32768 i
*> 193.31.4.0/27    0.0.0.0                  0         32768 i
*> 193.31.5.0/27    0.0.0.0                  0         32768 i
*> 193.31.6.0/27    0.0.0.0                  0         32768 i
*> 193.31.7.0/27    0.0.0.0                  0         32768 i
*> 193.31.8.0/27    0.0.0.0                  0         32768 i
*> 193.31.9.0/27    0.0.0.0                  0         32768 i
ISP1#
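Eyeballing two tables works for four prefixes; it does not scale to many peers or to a prefix-list that drifts out of date months later. The script below is an added example written for this post, not part of the original lab: it parses Cisco IOS show ip bgp text from CUSTOMER and from an upstream, restores the classful mask IOS omits, and reports whether the aggregate is visible upstream, which more-specifics of the aggregate still reach the upstream (real leaks), and which more-specifics are not suppressed locally (the early warning that SUPPRESS-PREFIX is missing an entry). The first pair of tables is copied from the outputs above; the "drift" pair adds a constructed 192.168.5.0/24 row that nobody added to the prefix-list.

```python
"""Check that aggregate-address ... suppress-map hides what it should.

Added example for this post (not the lab's own tooling). Parses Cisco IOS
'show ip bgp' output from the customer router and from an upstream and flags
more-specifics of the aggregate that leak, or that are not suppressed locally.
"""
import ipaddress
import re

# One table row: 3-character status column, then the network, then the next hop.
# Table rows are the only lines whose text after the status column starts with
# a dotted quad, so header and prompt lines fall through.
_ROW = re.compile(
    r"^(?P<status>[sdh*>riS ]{3})"
    r"(?P<net>\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)\s+(?P<nh>\S+)"
)


def classful(net):
    """IOS omits the mask when a prefix sits on its classful boundary
    (192.168.1.0 means 192.168.1.0/24); restore it so comparisons work."""
    if "/" in net:
        return ipaddress.ip_network(net, strict=False)
    first_octet = int(net.split(".")[0])
    plen = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network("%s/%d" % (net, plen), strict=False)


def parse_bgp_table(text):
    """Return {IPv4Network: status flags} for every row of 'show ip bgp'."""
    table = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            table[classful(m.group("net"))] = m.group("status").strip()
    return table


def leak_check(customer_text, upstream_text, aggregate):
    """Compare the local BGP table with what an upstream actually received."""
    agg = ipaddress.ip_network(aggregate)
    local = parse_bgp_table(customer_text)
    upstream = parse_bgp_table(upstream_text)

    def specifics(table):
        return sorted(p for p in table if p != agg and p.subnet_of(agg))

    return {
        "aggregate_seen": agg in upstream,
        # More-specifics the upstream can see: these are real leaks.
        "upstream_specifics": [str(p) for p in specifics(upstream)],
        # More-specifics with no 's' flag locally: the suppress-map missed them.
        "unsuppressed_locally": [str(p) for p in specifics(local)
                                 if "s" not in local[p]],
    }


# Rows copied from the CUSTOMER and ISP1 outputs in the post (headers trimmed).
CUSTOMER_AFTER = """\
   Network          Next Hop            Metric LocPrf Weight Path
*> 192.168.0.0/16   0.0.0.0                            32768 i
s> 192.168.1.0      0.0.0.0                  0         32768 i
s> 192.168.2.0      0.0.0.0                  0         32768 i
s> 192.168.3.0      0.0.0.0                  0         32768 i
s> 192.168.4.0      0.0.0.0                  0         32768 i
*> 193.31.1.0/27    3.3.3.3                  0             0 64310 i
*> 193.31.9.0/27    3.3.3.3                  0             0 64310 i
"""
ISP1_AFTER = """\
   Network          Next Hop            Metric LocPrf Weight Path
*> 192.168.0.0/16   1.1.1.1                  0             0 64200 i
*> 193.31.1.0/27    0.0.0.0                  0         32768 i
*> 193.31.9.0/27    0.0.0.0                  0         32768 i
"""

# Constructed drift case (not from the post): 192.168.5.0/24 got its network
# statement but was never added to SUPPRESS-PREFIX, so it is not suppressed.
CUSTOMER_DRIFT = CUSTOMER_AFTER + \
    "*> 192.168.5.0      0.0.0.0                  0         32768 i\n"
ISP1_DRIFT = ISP1_AFTER + \
    "*> 192.168.5.0      1.1.1.1                  0             0 64200 i\n"

if __name__ == "__main__":
    for label, cust, isp in (("lab", CUSTOMER_AFTER, ISP1_AFTER),
                             ("drift", CUSTOMER_DRIFT, ISP1_DRIFT)):
        print(label, leak_check(cust, isp, "192.168.0.0/16"))
```

Run it against a fresh capture from each upstream after every change to the prefix-list; an empty upstream_specifics list with aggregate_seen true is the state the post's ISP1 output shows, and anything in unsuppressed_locally means the next BGP update will expose that subnet.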