
CHALK TALK BEST PRACTICES

AT A GLANCE
- Extranet network security
- BGP versus IGP
- BGP security benefits

[Title and opening paragraphs are Thai text that did not survive extraction. Terms that survive: Network Edge, Trust, Border Gateway Protocol (BGP).]

8 PACKET 2007

p8-11_Cisco.pmd 8 22/5/2550, 18:19

[Thai text not recoverable; surviving term: Control Plane.]

[Scenario description in Thai, not recoverable. Surviving details: the example network edge connects BigShoes (10.1.0.0/16) and MediumSocks (10.2.0.0/16).]

[Body text in Thai, not recoverable from the extraction. Surviving terms, in order of appearance: BigShoes; SmallFeet; Redistribution; Interior Gateway Protocols (IGPs); SmallFeet 10.2.1.0/24; MediumSocks; Redistribution, BGP, IGP; Edge BGP; Internet Edge Router; Internet; Internetwork; Internal Information Exchange; Internet Routing Table; Network Edge; Flapping; Routing Information (Policy); Protection; Peer-based Management; Voice over IP (VoIP); fast timer; exponential backoff; 10.1.1.0/24; Prefix Filter; Fast Timer; Prefix List; Prefix Routing Information; Convergence Time; Partner Sessions.]



[Explanatory text in Thai, not recoverable. Surviving terms: Prefix Mask, /17, AS PATH Filter List, Communities, BGP Route, NO_EXPORT community, Routing Domain, Bogon Route, Private Network, Internal Routing Infrastructure. In the example BigShoes is AS65000 and MediumSocks is AS65001; the full configuration is at cisco.com/packet/183_5a1. The two configuration columns below are reassembled from the extracted text; x.x.x.x and x.x.x.x/xx are the page's own placeholders.]

BGP Router Peering with BigShoes

router bgp 65001
 neighbor x.x.x.x remote-as 65000
 neighbor x.x.x.x route-map filter-partner-in in
 /* inbound route filter, described below in the route-map filter-partner-in configuration
 neighbor x.x.x.x route-map filter-partner-out out
 /* outbound route filter, described below in the route-map filter-partner-out configuration
 ....
route-map filter-partner-in permit 10
 match prefix-list partner-routes-in
 /* any routes permitted by the prefix list partner-routes-in
 match as-path 1
 /* any routes permitted by the as-path access-list 1 will be accepted
route-map filter-partner-out permit 10
 set community no-export
 /* prevents BigShoes from readvertising routes learned from MediumSocks,
 /* and from transiting traffic to MediumSocks
!
ip prefix-list partner-routes-in seq 10 deny 192.168.0.0/16 ge 15
 /* denies bogon routes in the range 192.168.0.0/16
ip prefix-list partner-routes-in seq 20 deny x.x.x.x/xx
 /* deny other bogon routes here
ip prefix-list partner-routes-in seq 30 permit 0.0.0.0/0 le 18
 /* permit any routes with a prefix length less than /17;
 /* prevents longer prefix routes from causing local routing problems
!
ip as-path access-list 1 permit ^65000$
 /* denies any routes originated outside the peering AS,
 /* including BigShoes' partners and routes BigShoes is learning from an ISP

BGP Router Peering with the Internet Service Provider

router bgp 65001
 neighbor x.x.x.x remote-as <ISP AS number>
 neighbor x.x.x.x prefix-list isp-routes-in in
 neighbor x.x.x.x route-map filter-isp-out out
 ....
ip prefix-list isp-routes-in seq 10 permit x.x.x.x/xx
 /* deny bogon routes here
 ....
route-map filter-isp-out permit 10
 match as-path 2
 ......
ip as-path access-list 2 permit ^$
 /* permits only routes originating within MediumSocks,
 /* so MediumSocks doesn't transit to BigShoes


 neighbor x.x.x.x maximum-prefix 100 restart 30

[Thai text not recoverable; it discusses the maximum-prefix values 100 and 30 shown above.]

JOIN THE DISCUSSION (Thai text not recoverable; topic: BGP). Cisco Networking Professionals forum: cisco.com/discuss/infrastructure

[Section on BGP route flap dampening, Thai text not recoverable. Surviving terms: Advertising Routes, BGP Flapping Route, AS Number, Peering, Convergence Speed, BigShoes advertising 10.1.1.0/24, Peering Edge, Originating AS, Enforce the First Autonomous System Path, Flap Dampening, IOS, Route Flap Dampening, Peering Session, Route Flap Dampening Parameters, Unicast TCP Session. The configuration fragment reads:

router bgp 65000
 ....
 bgp dampening

with parameter values that the extraction shows as "1000 2 2000 750 60".]

[Thai text not recoverable. Surviving terms: Flap, Prefix, BGP, Route-map, 10.1.1.0/24, 10.1.2.0/24, Generic Time-to-live Security Mechanism (GTSM), RFC 3682 at cisco.com/packet/183_5a2, show ip bgp dampened-paths.]

[Thai text not recoverable. Surviving terms: Route Flap Dampening, Private Peering Relationship, Private Peering, IGP, MediumSocks, BigShoes, BGP; a configuration fragment beginning "router bgp 65000 / neighbor ..." whose remaining keywords did not survive extraction.]

