A major part of your BSCI and CCNP exam success is mastering BGP, and that includes filtering BGP routing updates. In this tutorial, we'll take a look at how to filter BGP updates with prefix lists.
R4 is advertising three networks via BGP. The downstream router R3 sees these routes and places them into its BGP table as shown below. R3 has two downstream BGP peers, R1 and R2, and is advertising itself as the next-hop IP address for all BGP routes sent to those two routers.
R4(config)#router bgp 4
R4(config-router)#network 21.0.0.0 mask 255.0.0.0
R4(config-router)#network 22.0.0.0 mask 255.0.0.0
R4(config-router)#network 23.0.0.0 mask 255.0.0.0
R3#show ip bgp
BGP table version is 4, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 21.0.0.0         10.2.2.4                 0             0 4 i
*> 22.0.0.0         10.2.2.4                 0             0 4 i
*> 23.0.0.0         10.2.2.4                 0             0 4 i
R3(config)#router bgp 123
R3(config-router)#neighbor 172.12.123.1 next-hop-self
R3(config-router)#neighbor 172.12.123.2 next-hop-self
In turn, both R1 and R2 have these three routes in their respective BGP tables.
R2#show ip bgp
BGP table version is 4, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*>i21.0.0.0         172.12.123.3             0    100      0 4 i
*>i22.0.0.0         172.12.123.3             0    100      0 4 i
*>i23.0.0.0         172.12.123.3             0    100      0 4 i
R1#show ip bgp
BGP table version is 4, local router ID is 19.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*>i21.0.0.0         172.12.123.3             0    100      0 4 i
*>i22.0.0.0         172.12.123.3             0    100      0 4 i
*>i23.0.0.0         172.12.123.3             0    100      0 4 i
If we wanted R3 to receive all three of these routes from R4 but not advertise all of them to R2 and R1, we've got a couple of options on how to block these routes. Cisco's recommendation is the use of prefix-lists, and once you get used to the syntax (which you should do before taking and passing the BSCI), you'll see they are actually easier to use than access-lists.
In this case, we're going to configure R3 to send only the route to 21.0.0.0 to R1 and 23.0.0.0 to R2. However, we do want these two routers to get any future routes that R4 advertises into BGP.
Since R1 and R2 will learn about these routes from an iBGP neighbor, they will not advertise the routes to each other.
On R3, we'll write a prefix list that denies 22.0.0.0/8 and 23.0.0.0/8, but permits all other routes. After applying the prefix list as shown, R1 sees only the 21.0.0.0/8 route.
R3(config)#ip prefix-list FILTER_R1 deny 22.0.0.0/8
R3(config)#ip prefix-list FILTER_R1 deny 23.0.0.0/8
R3(config)#ip prefix-list FILTER_R1 permit 0.0.0.0/0 le 32
R3(config)#router bgp 123
R3(config-router)#neighbor 172.12.123.1 prefix-list FILTER_R1 out
R3#clear ip bgp * soft
R1#show ip bgp
BGP table version is 6, local router ID is 19.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*>i21.0.0.0         172.12.123.3             0    100      0 4 i
The paths to 22.0.0.0/8 and 23.0.0.0/8 have been successfully filtered.
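We'll do the same for R2, except the route not being expressly blocked is 23.0.0.0/8. The final line of each list, "permit 0.0.0.0/0 le 32", is the prefix list equivalent of a "permit any" statement in an ACL: it matches every prefix with a mask length from /0 through /32. Without it, the implicit deny at the end of the prefix list would block every remaining route.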
R3(config)#ip prefix-list FILTER_R2 deny 21.0.0.0/8
R3(config)#ip prefix-list FILTER_R2 deny 22.0.0.0/8
R3(config)#ip prefix-list FILTER_R2 permit 0.0.0.0/0 le 32
R3(config)#router bgp 123
R3(config-router)#neighbor 172.12.123.2 prefix-list FILTER_R2 out
R3#clear ip bgp * soft
R2#show ip bgp
BGP table version is 6, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*>i23.0.0.0         172.12.123.3             0    100      0 4 i
The paths to 21.0.0.0/8 and 22.0.0.0/8 have been successfully filtered.
To see the prefix lists configured on a router as well as the order of the statements in each list, run show ip prefix-list.
R3#show ip prefix-list
ip prefix-list FILTER_R1: 3 entries
seq 5 deny 22.0.0.0/8
seq 10 deny 23.0.0.0/8
seq 15 permit 0.0.0.0/0 le 32
ip prefix-list FILTER_R2: 3 entries
seq 5 deny 21.0.0.0/8
seq 10 deny 22.0.0.0/8
seq 15 permit 0.0.0.0/0 le 32
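The matching rules behind FILTER_R1 and FILTER_R2 can be modelled offline. The Python below is an added example, not part of the original tutorial and not Cisco code: it evaluates the two lists in sequence order against R3's three BGP routes plus two constructed routes (24.0.0.0/8 and 22.1.0.0/16, which are assumptions and do not appear in the lab).

```python
import ipaddress

def entry(action, prefix, ge=None, le=None):
    """One prefix-list line: action, prefix, optional ge/le length bounds."""
    return (action, ipaddress.ip_network(prefix), ge, le)

# The two lists exactly as "show ip prefix-list" displays them on R3.
FILTER_R1 = [entry("deny", "22.0.0.0/8"), entry("deny", "23.0.0.0/8"),
             entry("permit", "0.0.0.0/0", le=32)]
FILTER_R2 = [entry("deny", "21.0.0.0/8"), entry("deny", "22.0.0.0/8"),
             entry("permit", "0.0.0.0/0", le=32)]

# R3's BGP table from the tutorial, plus two constructed routes (not on the page):
# a future /8 from R4 and a more-specific route inside 22.0.0.0/8.
BGP_TABLE = ["21.0.0.0/8", "22.0.0.0/8", "23.0.0.0/8", "24.0.0.0/8", "22.1.0.0/16"]

def entry_matches(ent, route):
    _, net, ge, le = ent
    if not route.subnet_of(net):          # network bits must fall inside the entry
        return False
    if ge is None and le is None:         # no ge/le: mask length must match exactly
        return route.prefixlen == net.prefixlen
    low = ge if ge is not None else net.prefixlen
    high = le if le is not None else 32
    return low <= route.prefixlen <= high

def evaluate(prefix_list, route):
    """Entries are checked in sequence order; the first match decides."""
    route = ipaddress.ip_network(route)
    for ent in prefix_list:
        if entry_matches(ent, route):
            return ent[0]
    return "deny"                         # implicit deny when nothing matches

def advertised(prefix_list, table=BGP_TABLE):
    return [r for r in table if evaluate(prefix_list, r) == "permit"]

if __name__ == "__main__":
    print("to R1:", advertised(FILTER_R1))
    print("to R2:", advertised(FILTER_R2))
    # Adding "le 32" to the deny also covers more-specifics of 22.0.0.0/8.
    strict = [entry("deny", "22.0.0.0/8", le=32), entry("permit", "0.0.0.0/0", le=32)]
    print("22.1.0.0/16 with le 32 on the deny:", evaluate(strict, "22.1.0.0/16"))
```

The constructed 22.1.0.0/16 route passes both lists because a deny entry without ge or le matches only the exact /8; the last lines show the deny written with le 32, which also stops more-specific routes.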
Get some hands-on practice with prefix lists and you'll quickly master them. Prefix lists are an important part of working with BGP in the exam room and production networks, so it's vital that you are comfortable working with them.
Thursday, December 25, 2008
Cisco CCNA Exam Tutorial: Split Horizon And Hub-And-Spoke Networks
For CCNA exam success, you had better know what split horizon is, how to turn it off, and when to turn it off. Knowing when to turn split horizon off is also important in production networks, because it can cause a hub-and-spoke network to have incomplete routing tables on the spokes.
Split horizon exists for a very good reason - routing loop prevention. The rule of split horizon states that a router cannot send an advertisement for a route out the same interface that it came in on. Split horizon is on by default on all interfaces running RIP, IGRP, and EIGRP.
In this CCNA tutorial, R1 will serve as the hub, and R2 and R3 will be the spokes. We'll first configure EIGRP over the 172.12.123.0/24 network, the network connecting the three routers.
R1#conf t
R1(config)#router eigrp 100
R1(config-router)#no auto-summary
R1(config-router)#network 172.12.123.0 0.0.0.255
R2#conf t
R2(config)#router eigrp 100
R2(config-router)#no auto-summary
R2(config-router)#network 172.12.123.0 0.0.0.255
R3#conf t
R3(config)#router eigrp 100
R3(config-router)#no auto-summary
R3(config-router)#network 172.12.123.0 0.0.0.255
Running show ip eigrp neighbor on R1 shows that adjacencies to R2 and R3 are up.
R1#show ip eigrp neighbor
IP-EIGRP neighbors for process 100
H Address Interface Hold Uptime SRTT RTO Q Seq Type
(sec) (ms) Cnt Num
1 172.12.123.3 Se0/0 11 00:02:45 1 5000 0 1
0 172.12.123.2 Se0/0 161 00:03:01 1 5000 0 1
Each router will now advertise its loopback address via EIGRP.
R1#conf t
R1(config)#router eigrp 100
R1(config-router)#network 1.1.1.0 0.0.0.255
R2#conf t
R2(config)#router eigrp 100
R2(config-router)#network 2.2.2.0 0.0.0.255
R3#conf t
R3(config)#router eigrp 100
R3(config-router)#network 3.3.3.0 0.0.0.255
Running show ip route eigrp on each router shows that R1 has a route for both R2’s and R3’s loopback. R2 and R3 will only see R1’s loopback address, and not each other’s. Why?
R1#show ip route eigrp
2.0.0.0/24 is subnetted, 1 subnets
D 2.2.2.0 [90/2297856] via 172.12.123.2, 00:03:19, Serial0/0
3.0.0.0/24 is subnetted, 1 subnets
D 3.3.3.0 [90/2297856] via 172.12.123.3, 00:03:04, Serial0/0
R2#show ip route eigrp
1.0.0.0/24 is subnetted, 1 subnets
D 1.1.1.0 [90/2297856] via 172.12.123.1, 00:03:40, Serial0/0.123
R3#show ip route eigrp
1.0.0.0/24 is subnetted, 1 subnets
D 1.1.1.0 [90/2297856] via 172.12.123.1, 00:05:17, Serial0/0.31
EIGRP uses Split Horizon by default to prevent routing loops. In this lab, though, it prevents full network reachability. R2 and R3 both form neighbor relationships with R1’s Serial physical interface. R2 advertises its loopback address to R1’s Serial interface, as does R3. Split Horizon does not allow a route to be advertised back out the same interface it was received on. This prevents R1 from advertising R2’s loopback to R3, or R3’s loopback to R2.
Split Horizon must be disabled to allow full network reachability in this lab. To do so, run no ip split-horizon eigrp 100 on R1’s Serial interface. Disabling Split Horizon causes the neighbor relationships to fail and then reestablish. Run show ip route eigrp 100 on both R2 and R3. The appropriate route to the remote loopback address will now appear.
R1#conf t
R1(config)#int serial0/0
R1(config-if)#no ip split-horizon eigrp 100
10:02:23: %DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 172.12.123.2 (Serial0/0) down: split horizon changed
10:02:23: %DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 172.12.123.3 (Serial0/0) down: split horizon changed
10:02:27: %DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 172.12.123.3 (Serial0/0) ip: new adjacency
10:02:54: %DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 172.12.123.2 (Serial0/0) ip: new adjacency
R2#show ip route eigrp
1.0.0.0/24 is subnetted, 1 subnets
D 1.1.1.0 [90/2297856] via 172.12.123.1, 00:00:06, Serial0/0.123
3.0.0.0/24 is subnetted, 1 subnets
D 3.3.3.0 [90/2809856] via 172.12.123.1, 00:00:06, Serial0/0.123
R3#show ip route eigrp
1.0.0.0/24 is subnetted, 1 subnets
D 1.1.1.0 [90/2297856] via 172.12.123.1, 00:00:12, Serial0/0.31
2.0.0.0/24 is subnetted, 1 subnets
D 2.2.2.0 [90/2809856] via 172.12.123.1, 00:00:12, Serial0/0.31
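The effect of the split horizon rule on this hub-and-spoke lab can be reproduced with a small simulation. The Python below is an added example, not part of the original tutorial: it is a simplified advertisement model (no EIGRP metrics or DUAL), and the LINKS table is a constructed description of the lab's interfaces.

```python
# Simplified model of the lab topology (constructed): each (router, interface)
# maps to the neighbors reachable out that interface.
LINKS = {
    ("R1", "Serial0/0"): ["R2", "R3"],       # hub: both spokes on one interface
    ("R2", "Serial0/0.123"): ["R1"],
    ("R3", "Serial0/0.31"): ["R1"],
}
LOOPBACKS = {"R1": "1.1.1.0/24", "R2": "2.2.2.0/24", "R3": "3.3.3.0/24"}

def inbound_interface(receiver, sender):
    """Interface on `receiver` that faces `sender`."""
    for (router, intf), neighbors in LINKS.items():
        if router == receiver and sender in neighbors:
            return intf
    raise ValueError(f"{receiver} has no link to {sender}")

def converge(split_horizon_off=frozenset()):
    """Exchange advertisements until no table changes.

    split_horizon_off holds the (router, interface) pairs where split horizon
    has been disabled; it stays on everywhere else, as it is by default.
    """
    # tables[router][prefix] = interface the route was learned on (None = local)
    tables = {r: {p: None} for r, p in LOOPBACKS.items()}
    changed = True
    while changed:
        changed = False
        for (router, intf), neighbors in LINKS.items():
            for prefix, learned_on in list(tables[router].items()):
                # Split horizon: never advertise a route out the interface it came in on.
                if learned_on == intf and (router, intf) not in split_horizon_off:
                    continue
                for nbr in neighbors:
                    if prefix not in tables[nbr]:
                        tables[nbr][prefix] = inbound_interface(nbr, router)
                        changed = True
    return tables

def learned(tables, router):
    """Prefixes the router learned from a neighbor (its own loopback excluded)."""
    return sorted(p for p, intf in tables[router].items() if intf is not None)

if __name__ == "__main__":
    for label, off in (("default", set()), ("disabled on R1 Serial0/0", {("R1", "Serial0/0")})):
        t = converge(off)
        print(label, {r: learned(t, r) for r in LOOPBACKS})
```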
Disabling split horizon should be done with care, but knowing when and where to do so shows that you truly understand how this technology works - and that's a big step on the way to earning your CCNA!