Friday 15 March 2024

What is Auto-RP? How to configure Auto-RP?

What is Rendezvous's point?

The rendezvous point is a meeting point in the Multicast PIM sparse mode for all the multicast traffic. We have two ways to configure the Rendezvous point manually and automatically. Manual RP is for small networks and Auto RP is for large networks.

We have two discovery protocols for finding the Rendezvous point on the multicast network.

  1. Auto Rendezvous point (Auto-RP)
  2. PIMv2 bootstrap router (BSR)

What is Auto Rendezvous Point (Auto-RP)?

Auto Rendezvous Point (Auto-RP) Auto Rendezvous Point, also called Auto-RP, is a protocol used in Cisco networking devices to dynamically distribute multicast group information. Auto-RP is a legacy Cisco proprietary method of learning RP information on the PIM multicast network. Auto-RP used for router automatically learns RP address.

 

How Does Auto Rendezvous Point Work?

Auto-RP operates by designating a specific router as the rendezvous point (RP) for a multicast group. This RP is responsible for maintaining information about the multicast group members and facilitating multicast traffic distribution within the network. Through the Auto-RP protocol, routers can automatically discover the RP and establish communication paths for multicast traffic.

1.       Candidate Rendezvous Point generates advertisements using (S. 224.0.1.39) and groups with group information

2.       Mapping agent listens for (*,224.0.1.39) to learn about Rendezvous Point mappings.

3.       Mapping agent generates advertisement using (S,224.0.1.40) to distribute RP mapping information.

Benefits of Auto Rendezvous Point

Implementing Auto-RP in a network offers several advantages, including:

  • Simplified Configuration: Auto-RP automates determining the rendezvous point, eliminating the need for manual configuration and reducing the risk of human error.
  • Scalability: By efficiently managing multicast group information, Auto-RP ensures that multicast traffic is routed optimally, even in large networks with multiple multicast groups.
  • Improved Network Performance: With Auto-RP, routers can quickly adapt to changes in the network topology and ensure that multicast traffic is delivered efficiently and without delays.

 

 Topology:-


Goal:

  • configure the topology as per the diagram 
  • assign the IP addresses as per the topology 
  • enable Multicast routing on all the routers 
  • configure OSPF on all the routers
  • configure PIM sparse mode
  • configure manually IGMP multicast group membership on router 2 for testing.

  • configure the RP address on all the routers. 
  • configure Router 3 Loopback 0 to be RP and mapping agent for all multicast groups
  • advertise Loopback 0 13.0.0.1 in OSPF
  • Configure Auto-RP on all the routers
  • make sure all the routers can listen to Announcements

 


R1(config)#interface serial 4/0
R1(config-if)#ip address 1.1.1.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit

R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 10.1.1.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#no keepalive
R1(config-if)#exit
 
R2(config)#interface serial 4/0
R2(config-if)#ip address 1.1.1.2 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface serial 4/1
R2(config-if)#ip address 2.2.2.1 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 20.1.1.1 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#no keepalive
R2(config-if)#exit
 
R3(config)#interface serial 4/1
R3(config-if)#ip address 2.2.2.2 255.0.0.0
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#interface serial 4/2
R3(config-if)#ip address 3.3.3.1 255.0.0.0
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#interface fastethernet 0/0
R3(config-if)#ip address 30.1.1.1 255.0.0.0
R3(config-if)#no keepalive
R3(config-if)#no shutdown
R3(config-if)#exit
 
R4(config)#interface serial 4/2
R4(config-if)#ip address 3.3.3.2 255.0.0.0
R4(config-if)#no shutdown
R4(config-if)#exit

R4(config)#interface serial 4/4
R4(config-if)#ip address 5.5.5.2 255.0.0.0
R4(config-if)#no shutdown
R4(config-if)#exit

R4(config)#interface fastethernet 0/0
R4(config-if)#ip address 40.1.1.1 255.0.0.0
R4(config-if)#no shutdown
R4(config-if)#no keepalive
R4(config-if)#exit
 
R5(config)#interface serial 4/4
R5(config-if)#ip address 5.5.5.1 255.0.0.0
R5(config-if)#no shutdown
R5(config-if)#exit
R5(config)#interface fastethernet 0/0
R5(config-if)#ip address 50.1.1.1 255.0.0.0
R5(config-if)#no keepalive
R5(config-if)#no shutdown
R5(config-if)#exit
 

R1(config)#router ospf 1
R1(config-router)#network 10.0.0.0 0.255.255.255 area 0
R1(config-router)#network 1.0.0.0 0.255.255.255 area 0
R1(config-router)#exit

*Mar  9 13:26:44.063: %OSPF-5-ADJCHG: Process 1, Nbr 20.1.1.1 on Serial4/0 from LOADING to FULL, Loading Done
*Mar  9 13:27:43.187: %OSPF-5-ADJCHG: Process 1, Nbr 40.1.1.1 on Serial4/3 from LOADING to FULL, Loading Done
 
R2(config)#router ospf 1
R2(config-router)#network 20.0.0.0 0.255.255.255 area 0
R2(config-router)#network 2.0.0.0 0.255.255.255 area 0
R2(config-router)#network 1.0.0.0 0.255.255.255 area 0
R2(config-router)#exit

*Mar  9 13:26:44.079: %OSPF-5-ADJCHG: Process 1, Nbr 10.1.1.1 on Serial4/0 from LOADING to FULL, Loading Done
*Mar  9 13:27:09.215: %OSPF-5-ADJCHG: Process 1, Nbr 30.1.1.1 on Serial4/1 from LOADING to FULL, Loading Done
 
R3(config)#router ospf 1
R3(config-router)#network 2.0.0.0 0.255.255.255 area 0
R3(config-router)#network 2.0.0.0 0.255.255.255 area 0
R3(config-router)#network 3.0.0.0 0.255.255.255 area 0
R3(config-router)#network 30.0.0.0 0.255.255.255 area 0
R3(config-router)#exit

*Mar  9 13:27:55.571: %OSPF-5-ADJCHG: Process 1, Nbr 40.1.1.1 on Serial4/2 from LOADING to FULL, Loading Done
*Mar  9 13:27:09.299: %OSPF-5-ADJCHG: Process 1, Nbr 20.1.1.1 on Serial4/1 from LOADING to FULL, Loading Done
 
 
R4(config)#router ospf 1
R4(config-router)#network 40.0.0.0 0.255.255.255 area 0
R4(config-router)#network 3.0.0.0 0.255.255.255 area 0
R4(config-router)#network 5.0.0.0 0.255.255.255 area 0
R4(config-router)#exit

*Mar  9 13:27:55.763: %OSPF-5-ADJCHG: Process 1, Nbr 30.1.1.1 on Serial4/2 from LOADING to FULL, Loading Done
*Mar  9 13:28:44.047: %OSPF-5-ADJCHG: Process 1, Nbr 50.1.1.1 on Serial4/4 from LOADING to FULL, Loading Done
 
R5(config)#router ospf 1
R5(config-router)#network 5.0.0.0 0.255.255.255 area 0
R5(config-router)#network 50.0.0.0 0.255.255.255 area 0
R5(config-router)#exit
*Mar  9 13:28:43.951: %OSPF-5-ADJCHG: Process 1, Nbr 40.1.1.1 on Serial4/4 from LOADING to FULL, Loading Done


R1(config)#ip multicast-routing

R1(config)#interface serial 4/0
R1(config-if)#ip pim sparse-mode
R1(config-if)#exit


R1(config)#interface fastEthernet 0/0
R1(config-if)#ip pim sparse-mode
R1(config-if)#exit

*Mar  9 13:32:17.003: %PIM-5-DRCHG: DR change from neighbor 0.0.0.0 to 10.1.1.1 on interface FastEthernet0/0
*Mar  9 13:32:57.099: %PIM-5-NBRCHG: neighbor 1.1.1.2 UP on interface Serial4/0
R2(config)#ip multicast-routing

R2(config)#interface serial 4/0
R2(config-if)#ip pim sparse-mode
R2(config-if)#exit

R2(config)#interface serial 4/1
R2(config-if)#ip pim sparse-mode
R2(config-if)#exit

R2(config)#interface fastethernet 0/0
R2(config-if)#ip pim sparse-mode
R2(config-if)#exit

*Mar  9 13:32:57.135: %PIM-5-NBRCHG: neighbor 1.1.1.1 UP on interface Serial4/0
*Mar  9 13:33:39.063: %PIM-5-DRCHG: DR change from neighbor 0.0.0.0 to 20.1.1.1 on interface FastEthernet0/0
*Mar  9 13:34:17.039: %PIM-5-NBRCHG: neighbor 2.2.2.2 UP on interface Serial4/1

R3(config)#ip multicast-routing

R3(config)#interface serial 4/1
R3(config-if)#ip pim sparse-mode
R3(config-if)#exit

R3(config)#interface serial 4/2
R3(config-if)#ip pim sparse-mode
R3(config-if)#exit

R3(config)#interface fastethernet 0/0
R3(config-if)#ip pim sparse-mode
R3(config-if)#exit

*Mar  9 13:34:53.087: %PIM-5-DRCHG: DR change from neighbor 0.0.0.0 to 30.1.1.1 on interface FastEthernet0/0
*Mar  9 13:34:17.139: %PIM-5-NBRCHG: neighbor 2.2.2.1 UP on interface Serial4/1
*Mar  9 13:35:33.479: %PIM-5-NBRCHG: neighbor 3.3.3.2 UP on interface Serial4/2

R4(config)#ip multicast-routing

R4(config)#interface serial 4/2
R4(config-if)#ip pim sparse-mode
R4(config-if)#exit


R4(config)#interface fastethernet 0/0
R4(config-if)#ip pim sparse-mode
R4(config-if)#exit

R4(config)#interface serial 4/4
R4(config-if)#ip pim sparse-mode
R4(config-if)#exit

*Mar  9 13:37:22.723: %PIM-5-NBRCHG: neighbor 5.5.5.1 UP on interface Serial4/4
*Mar  9 13:35:33.647: %PIM-5-NBRCHG: neighbor 3.3.3.1 UP on interface Serial4/2
*Mar  9 13:36:12.595: %PIM-5-DRCHG: DR change from neighbor 0.0.0.0 to 40.1.1.1 on interface FastEthernet0/0


R5(config)#ip multicast-routing
R5(config)#interface serial 4/4
R5(config-if)#ip pim sparse-mode
R5(config-if)#exit
 
R5(config)#interface fastethernet 0/0
R5(config-if)#ip pim sparse-mode
R5(config-if)#exit

*Mar  9 13:37:46.543: %PIM-5-DRCHG: DR change from neighbor 0.0.0.0 to 50.1.1.1 on interface FastEthernet0/0
*Mar  9 13:37:22.611: %PIM-5-NBRCHG: neighbor 5.5.5.2 UP on interface Serial4/4


R1#show ip pim interface

Address          Interface                Ver/   Nbr    Query  DR     DR
                                          Mode   Count  Intvl  Prior
1.1.1.1          Serial4/0                v2/S   1      30     1      0.0.0.0
10.1.1.1         FastEthernet0/0          v2/S   0      30     1      10.1.1.1

R1#show ip pim neighbor
PIM Neighbor Table
Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,
      S - State Refresh Capable
Neighbor          Interface                Uptime/Expires    Ver   DR
Address                                                            Prio/Mode
1.1.1.2           Serial4/0                00:07:37/00:01:27 v2    1 / S P

R2#show ip pim interface

Address          Interface                Ver/   Nbr    Query  DR     DR
                                          Mode   Count  Intvl  Prior
1.1.1.2          Serial4/0                v2/S   1      30     1      0.0.0.0
2.2.2.1          Serial4/1                v2/S   1      30     1      0.0.0.0
20.1.1.1         FastEthernet0/0          v2/S   0      30     1      20.1.1.1

R2#show ip pim neighbor
PIM Neighbor Table
Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,
      S - State Refresh Capable
Neighbor          Interface                Uptime/Expires    Ver   DR
Address                                                            Prio/Mode
1.1.1.1           Serial4/0                00:08:03/00:01:32 v2    1 / S P
2.2.2.2           Serial4/1                00:06:43/00:01:24 v2    1 / S P



R4#show ip pim interface

Address          Interface                Ver/   Nbr    Query  DR     DR
                                          Mode   Count  Intvl  Prior
3.3.3.2          Serial4/2                v2/S   1      30     1      0.0.0.0
40.1.1.1         FastEthernet0/0          v2/S   0      30     1      40.1.1.1
5.5.5.2          Serial4/4                v2/S   1      30     1      0.0.0.0

R4#show ip pim neighbor
PIM Neighbor Table
Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,
      S - State Refresh Capable
Neighbor          Interface                Uptime/Expires    Ver   DR
Address                                                            Prio/Mode
3.3.3.1           Serial4/2                00:06:02/00:01:35 v2    1 / S P
5.5.5.1           Serial4/4                00:04:13/00:01:26 v2    1 / S P


R3(config)#interface loopback 0
R3(config-if)#ip address 13.0.0.1 255.255.255.0
R3(config-if)#exit

R3(config)#interface loopback 0
R3(config-if)#ip pim sparse-mode

R3(config-if)#ip pim send-rp-announce loopback 0 scope 10
R3(config)#ip pim send-rp-discovery loopback 0 scope 10
R3(config)#end

R3(config)#interface fastEthernet 0/0
R3(config-if)#ip igmp join-group 224.5.5.5
R3(config-if)#exit

R3(config)#router ospf 1
R3(config-router)#network 13.0.0.0 255.0.0.0 area 0
R3(config-router)#exit

R1(config)#ip pim autorp listener
R1(config)#end
R2(config)#ip pim autorp listener
R2(config)#end
R3(config)#ip pim autorp listener
R3(config)#end
R4(config)#ip pim autorp listener
R4(config)#end
R5(config)#ip pim autorp listener
R5(config)#end

R1#show ip pim rp mapping
PIM Group-to-RP Mappings

Group(s) 224.0.0.0/4
  RP 13.0.0.1 (?), v2v1
    Info source: 13.0.0.1 (?), elected via Auto-RP
         Uptime: 00:40:34, expires: 00:02:58

R1#show ip mroute
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
       L - Local, P - Pruned, R - RP-bit set, F - Register flag,
       T - SPT-bit set, J - Join SPT, M - MSDP created entry,
       X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
       U - URD, I - Received Source Specific Host Report,
       Z - Multicast Tunnel, z - MDT-data group sender,
       Y - Joined MDT-data group, y - Sending to MDT-data group,
       V - RD & Vector, v - Vector
Outgoing interface flags: H - Hardware switched, A - Assert winner
 Timers: Uptime/Expires
 Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 224.0.1.39), 00:40:38/stopped, RP 0.0.0.0, flags: D
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Serial4/0, Forward/Sparse, 00:40:38/00:00:00

(13.0.0.1, 224.0.1.39), 00:00:48/00:02:11, flags: PT
  Incoming interface: Serial4/0, RPF nbr 1.1.1.2
  Outgoing interface list: Null

(*, 224.0.1.40), 00:44:37/stopped, RP 0.0.0.0, flags: DCL
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Serial4/0, Forward/Sparse, 00:44:37/00:00:00

(13.0.0.1, 224.0.1.40), 00:40:40/00:02:51, flags: PLTX
  Incoming interface: Serial4/0, RPF nbr 1.1.1.2
  Outgoing interface list: Null


R5#show ip pim rp mapping
PIM Group-to-RP Mappings

Group(s) 224.0.0.0/4
  RP 13.0.0.1 (?), v2v1
    Info source: 13.0.0.1 (?), elected via Auto-RP
         Uptime: 00:41:26, expires: 00:02:01

R5#show ip mroute
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
       L - Local, P - Pruned, R - RP-bit set, F - Register flag,
       T - SPT-bit set, J - Join SPT, M - MSDP created entry,
       X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
       U - URD, I - Received Source Specific Host Report,
       Z - Multicast Tunnel, z - MDT-data group sender,
       Y - Joined MDT-data group, y - Sending to MDT-data group,
       V - RD & Vector, v - Vector
Outgoing interface flags: H - Hardware switched, A - Assert winner
 Timers: Uptime/Expires
 Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 224.0.1.39), 00:41:29/stopped, RP 0.0.0.0, flags: D
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Serial4/4, Forward/Sparse, 00:41:29/00:00:00

(13.0.0.1, 224.0.1.39), 00:01:39/00:01:20, flags: PT
  Incoming interface: Serial4/4, RPF nbr 5.5.5.2
  Outgoing interface list: Null

(*, 224.0.1.40), 00:44:31/stopped, RP 0.0.0.0, flags: DCL
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Serial4/4, Forward/Sparse, 00:44:31/00:00:00

(13.0.0.1, 224.0.1.40), 00:41:30/00:02:01, flags: PLTX
  Incoming interface: Serial4/4, RPF nbr 5.5.5.2
  Outgoing interface list: Null

R1#ping 224.5.5.5 repeat 100

Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 224.5.5.5, timeout is 2 seconds:

Reply to request 0 from 2.2.2.2, 56 ms
Reply to request 0 from 2.2.2.2, 56 ms
Reply to request 1 from 2.2.2.2, 72 ms
Reply to request 1 from 2.2.2.2, 96 ms
Reply to request 1 from 2.2.2.2, 96 ms
Reply to request 1 from 2.2.2.2, 72 ms
Reply to request 2 from 2.2.2.2, 88 ms
Reply to request 2 from 2.2.2.2, 108 ms
Reply to request 3 from 2.2.2.2, 68 ms
Reply to 

R1#show ip pim autorp
AutoRP Information:
  AutoRP is enabled.
  AutoRP groups over sparse mode interface is enabled

PIM AutoRP Statistics: Sent/Received
  RP Announce: 0/0, RP Discovery: 0/51


Thursday 22 February 2024

How to spoof the IP address? | How to prevent spoofed IP packets from entering in network? | What is unicast reverse path forwarding?




In this blog, you see, how to spoof the IP address and how to prevent spoofed IP packets from entering in network. What is unicast reverse path forwarding? 

The router uses Unicast Reverse Path Forwarding also called uRPF check. uRPF is a security feature to prevent spoofing attacks. As we all know routers normally look for the destination IP in its routing table when forwarding unicast IP packets and forward the IP packet to the right interface. We and the attacker also know the routers, so an attacker can spoof the source IP address and send packets. Well, the uRPF feature checks the incoming source IP packets and looks for matching entries in the routing table. if the entry is found then the router can forward the packet but if there is no entry found in the routing table then the router will drop the packet.

Unicast reverse path forwarding has two modes

  1. Strict mode – in this mode, the router does two checks, first check the source IP matching entry in the routing table. second, it checks the interface from where the router receives source IP packets.
  2. Lose mode – in this mode, the router only checks the matching source IP entry in the routing table.

Let's take the example of our topology 


In this topology where we have an attacker machine IP 192.168.1.10 that is in a different network and the victim PC1 10.1.1.10 is in a different network. The attacker machine is going to send ICMP packets with spoof source IP address 100.100.100.100  to PC1.  router 1 will forward this packet because the router will look for the destination and remember we have not configured unicast RPF. router 2 will do the same. PC1 will get an ICMP request and PC1 will reply continuously. To prevent this attack we are going to configure uRPF on router 2 serial 4/0 interface and the spoofed IP packet will not forward. 





(before starting this lab. this blog is only for study purposes please do not try this on a real device)



Topology: 

Goal:
  • configure  the topology as per the diagram
  • configure the IP addresses as per the topology 
  • configure IGP routing and make sure the Attacker can ping the victim's PC
  • configure spoof attack change the source IP 192.168.1.10 to 100.100.100.100 send ICMP packets to 10.1.1.10/8
  • after successfully attacking the victim configure uRPF on router 2 serial 4/0 
  • configure strict mode and make sure spoofed packets will be discarded.




R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit

R1(config)#interface serial 4/0
R1(config-if)#ip address 1.1.1.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit
 
R2(config)#interface serial 4/0
R2(config-if)#ip address 1.1.1.2 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#interface fastethernet 0/0
R2(config-if)#ip address 10.1.1.1 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit
 
PC1> ip 10.1.1.10 255.0.0.0 10.1.1.1
Checking for duplicate address...
PC1 : 10.1.1.10 255.0.0.0 gateway 10.1.1.1
 
PC1> show ip
 
NAME        : PC1[1]
IP/MASK     : 10.1.1.10/8
GATEWAY     : 10.1.1.1
DNS         :
MAC         : 00:50:79:66:68:00
LPORT       : 10019
RHOST:PORT  : 127.0.0.1:10020
MTU:        : 1500
 
PC2> ip 10.1.1.20 255.0.0.0 10.1.1.1
Checking for duplicate address...
PC1 : 10.1.1.20 255.0.0.0 gateway 10.1.1.1
 
PC2> show ip
 
NAME        : PC2[1]
IP/MASK     : 10.1.1.20/8
GATEWAY     : 10.1.1.1
DNS         :
MAC         : 00:50:79:66:68:01
LPORT       : 10021
RHOST:PORT  : 127.0.0.1:10022
MTU:        : 1500

 (Configure IP 192.168.1.10/24 default-gateway 192.168.1.1 on Kali Linux)


R1#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.1     YES manual up                    up
Serial4/0                  1.1.1.1         YES manual up                    up

R2#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.1.1.1        YES manual up                    up
Serial4/0                  1.1.1.2         YES manual up                    up


(Configure EIGRP on both the routers)


R1(config)#router eigrp 100
R1(config-router)#network 192.168.1.0
R1(config-router)#network 1.0.0.0
R1(config-router)#no auto-summary
R1(config-router)#exit

*Feb 22 13:45:39.083: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 1.1.1.2 (Serial4/0) is up: new adjacency

R2(config)#router eigrp 100
R2(config-router)#network 10.0.0.0
R2(config-router)#network 1.0.0.0
R2(config-router)#no auto-summary
R2(config-router)#exit

R1#show ip route eigrp
D    10.0.0.0/8 [90/2172416] via 1.1.1.2, 00:02:52, Serial4/0

R2#show ip route eigrp
D    192.168.1.0/24 [90/2172416] via 1.1.1.1, 00:03:28, Serial4/0


(Make sure the Attacking machine can ping the 10.0.0.0/8 network)






(PC1 configure Wireshark for capturing packets)








(capture packets)




configure spoof attack change the source IP 192.168.1.10 to 100.100.100.100 send ICMP packets to 10.1.1.10/8






(now you see the screenshot of captured traffic, you see the source IP has been changing spoofed IP 192.168.1.10 to 100.100.100.100 and PC1 continuously replying to the spoofed IP.)





configure strict mode and make sure spoofed packets will be discarded.



R2(config)#interface serial 4/0
R2(config-if)#ip verify unicast source reachable-via ?
  any  Source is reachable via any interface
  rx   Source is reachable via interface on which packet was received
R2(config-if)#ip verify unicast source reachable-via rx
R2(config-if)#exit

R2(config)#ip cef
R2(config)#exit

(Now again we try to attack)



(you notice router 2 discarding spoofed IP packets)


R2#show ip interface serial 4/0 | include drops
   30 verification drops
   0 suppressed verification drops

R2#show ip interface serial 4/0 | include verify
  IP verify source reachable-via RX

Friday 2 February 2024

What is RBAC Role Based Access Control? | What are RBAC Views? | What is the Concept behind Role Based Access Control? | How to configure RBAC on gns3?

 

What is Role-Based Access Control?

RBAC (Role Based Access Control), is also known as Role-Base security. RBAC assigns access permission to users on their role in IT. Only the admin has complete access to the network while the other network engineers do not need full access, some of them just need to monitor and crosscheck the configuration with show commands. Admin can define what user can access as per the user roles.

Why do we need RBAC?

RBAC reduces the risk of cybersecurity and protects against human error, RBAC ensures that admin define users can only access the information and perform actions they need to do as per the role. RBAC is good for large organizations.




What is the Concept behind Role Based Access Control

Admin creates a set of permissions and assigns that permission to the user. For example, user-1 is a junior engineer L-1 and the role is just to monitor interface state. Admin will allow user-1 to only show ip interface brief command to user-1 and now user-1 only access show ip interface brief command not show ip route not configure any and delete anything on the device. Now the security level has been increased because only the admin can configure and delete the configuration.





What are RBAC Views?

Admin creates the Views and views define the commands that a user can access. Mainly we have two types of view. Root view is an admin view where you configure views and superview in this view admin assigns multiple views (users) in superview. Superview can access all the commands that the admin configures the views. Remember these views should be in superview.

(configure the password before configuring any view, if you configure configure then you can lock yourself )

Let's see the topology: https://www.youtube.com/watch?v=D0t29ZdO09I&t=579s


Goal:

  • configure  the topology as per the diagram 
  • configure the IP addressing as per the topology 
  • configure telnet and ensure the computer in our LAN network can access the router. 
  • configure root view and password admin and username admin
  • configure Parser view user1 and allow ping and show IP int br commands password user1
  • configure Parser view user2 and allow show IP int br, show IP route, show IP protocol and trace commands only.
  • configure super view and allow user1 and user2 in superview
  • ensure computer can access all views 


Router-one-(config)#int fa 0/0
Router-one-(config-if)#ip add 192.168.1.1 255.255.255.0
Router-one-(config-if)#no shutdown
Router-one-(config-if)#exit

Router-one-(config)#int fa 1/0
Router-one-(config-if)#ip address 10.1.1.1 255.255.255.0
Router-one-(config-if)#no shutdown
Router-one-(config-if)#exit

Router-one-(config)#int fa 1/1
Router-one-(config-if)#ip address 192.168.2.1 255.255.255.0
Router-one-(config-if)#no shut
Router-one-(config-if)#exit

*Feb  1 22:20:42.979: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Feb  1 22:20:43.059: %LINK-3-UPDOWN: Interface FastEthernet1/0, changed state to up
*Feb  1 22:20:43.099: %LINK-3-UPDOWN: Interface FastEthernet1/1, changed state to up

Telnet and ensure the computer in our LAN network can access the router.


Router-one-(config)#line vty 0 15
Router-one-(config-line)#password admin
Router-one-(config-line)#login
Router-one-(config-line)#exit

Router-one-(config)#username admin password admin
Router-one-(config)#exit

Root view and password admin and username admin



Router-one-(config)#aaa new-model
Router-one-(config)#enable secret admin
Router-one-(config)#exit

Router-one-#enable view
Password:

%PARSER-6-VIEW_SWITCH: successfully set to view 'root'.

Router-one-#show parser view
Current view is 'root'


Configure Parser view user1 and allow ping and show IP int br commands password user1



Router-one-(config)#parser view user1
Router-one-(config-view)#secret user1
Router-one-(config-view)#command exec include show ip int br
Router-one-(config-view)#command exec include ping
Router-one-(config-view)#exit

%PARSER-6-VIEW_CREATED: view 'user1' successfully created.

Router-one-(config)#username user1 view user1 secret user1
Router-one-(config)#end

Router-one-#enable view user1
Password:

%PARSER-6-VIEW_SWITCH: successfully set to view 'user1'.

Router-one-#show parser view
Current view is 'user1'


Router-one-#show ip route
                    ^
% Invalid input detected at '^' marker.

Router-one-#traceroute 192.168.1.2
            ^
% Invalid input detected at '^' marker.


(From the above you see user-1 is not able to access show ip route and traceroute command because of admin only two commands to user-1. show ip int br and ping)

Router-one-#show ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.1     YES manual up                    up
FastEthernet1/0            10.1.1.1        YES manual up                    up
FastEthernet1/1            192.168.2.1     YES manual up                    up



Router-one-#ping 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/37/56 ms


configure Parser view user2 and allow show IP int br, show IP route, show IP protocol and trace commands only.



Router-one-(config)#parser view user2
Router-one-(config-view)#secret user2
Router-one-(config-view)#command exec in
Router-one-(config-view)#command exec include show ip int br
Router-one-(config-view)#command exec include show ip route
Router-one-(config-view)#command exec include show ip protocol
Router-one-(config-view)#command exec include traceroute
Router-one-(config-view)#command exec include ping
Router-one-(config-view)#exit

%PARSER-6-VIEW_CREATED: view 'user2' successfully created.

Router-one-(config)#username user2 view user2 secret user2
Router-one-(config)#exit

Router-one-#enable view user2
Password:

%PARSER-6-VIEW_SWITCH: successfully set to view 'user2'.

Router-one-#show parser view
Current view is 'user2'

Router-one-#show ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.1     YES manual up                    up
FastEthernet1/0            10.1.1.1        YES manual up                    up
FastEthernet1/1            192.168.2.1     YES manual up                    up

Router-one-#show ip protocol

Router-one-#show ip route


Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, FastEthernet1/0
C    192.168.1.0/24 is directly connected, FastEthernet0/0
C    192.168.2.0/24 is directly connected, FastEthernet1/1


Router-one-#traceroute 192.168.1.2

Type escape sequence to abort.
Tracing the route to 192.168.1.2

  1 192.168.1.2 24 msec 40 msec 20 msec

Router-one-#show ?
  bootflash:  display information about bootflash: file system
  disk0:      display information about disk0: file system
  disk1:      display information about disk1: file system
  flash:      display information about flash: file system
  ip          IP information
  parser      Show parser commands
  slot0:      display information about slot0: file system
  slot1:      display information about slot1: file system

Router-one-#show ip ?
  interface  IP interface status and configuration
  protocols  IP routing protocol process parameters and statistics
  route      IP routing table


(From above you see the admin allows user-2 to access only these commands above)


configure super view and allow user1 and user2 in superview



Router-one-(config)#parser view supuser superview
Router-one-(config-view)#secret supuser
Router-one-(config-view)#view user1
Router-one-(config-view)#view user2
Router-one-(config-view)#exit

%PARSER-6-SUPER_VIEW_EDIT_ADD: view user1 added to superview supuser.

%PARSER-6-SUPER_VIEW_EDIT_ADD: view user2 added to superview supuser.

(from the above output you notice we added user-1 and user-2 in superview and now superview can access all the commands that are in user-1and user-2)

Router-one-(config)#username supuser view supuser secret supuser
Router-one-(config)#exit

%PARSER-6-SUPER_VIEW_CREATED: super view 'supuser' successfully created.

Router-one-#enable view supuser
Password:

*Feb  1 22:57:11.823: %PARSER-6-VIEW_SWITCH: successfully set to view 'supuser'.

Router-one-#show parser view
Current view is 'supuser'


ensure the computer can access all views 




Computer#telnet 192.168.1.1
Trying 192.168.1.1 ... Open


User Access Verification

Username: user1
Password:
Router-one->enable view user1
Password:


Router-one-#show ip route
                    ^
% Invalid input detected at '^' marker.

Router-one-#show ip int br
Interface                  IP-Address      OK? Method Status                Prot                                                                                                                                         ocol
FastEthernet0/0            192.168.1.1     YES manual up                    up                                                                                                                                           
FastEthernet1/0            10.1.1.1        YES manual up                    up                                                                                                                                           
FastEthernet1/1            192.168.2.1     YES manual up                    up  

(user-1 allows only two commands ping and show ip int br)




Tuesday 23 January 2024

What is a Multi Exit Discriminator (MED)? What is BGP always compared to MED?

 




Multi Exit Discriminator (MED) also called metric. MED is an optional and nontransitive attribute; MED allows an autonomous system to tell a neighboring autonomous system the best way to forward packets into the first autonomous system. MED is used to advertise one autonomous system into another, propagated inside the autonomous system, but not sent to any other autonomous systems. A smaller MED value means more preferred, by default 0 and the range is 0 through 4,294,967,295. MED originally worked for a dual-homed design.

 

 





 

 

 

MED is used in the route selection process only if all the paths come from the same Autonomous System. BGP uses the BGP always-compare-med command to force the router to compare the MED even if the paths come from different autonomous systems. If you are enabling this option then enable it entire autonomous system otherwise loops can occur.  

 




 

Before we start  BGP configuration check out some important of BGP CCIE exam topics.

 

Here is the list of all BGP labs and theories CCNA to CCIE 

1.Introduction of BGP

2.BGP Neighbors


3.BGP Peer Group


4.BGP Attributes


5.BGP Weight Attribute


6.BGP Local Preference (Local_Pref)


7.BGP Multi Exit Discriminator (MED)


8.BGP AS Path Prepending


9.BGP Route Reflectors (RR)


10.BGP Communities_No-advertise configuration


11.BGP community Local-AS


12.BGP Confederations and configuration


13.BGP Route filtering methods

 

Topology:-





 

 


 

configure the topology as per the diagram 

configure the IP addressing as per the topology 

configure IBGP and EBGP, advertise all the directly connected interface

configure next hop behavior at AS 6023

configure AS 6001 (R-1) should exit via AS 6005 to reach 192.168.20.1 or any network. 

configure weight attribute on (AS 6001) 

make sure AS 6001 return traffic should use the same path which it exits via 6005,6004,6003 and 6023

configure MED on and MED compare to tell BGP router to compare MED in the entire 6023 AS. 

in the end, make sure traffic will move as we thought. 

 




configure the IP addressing as per the topology 

 

 

R1(config)#interface serial 4/0

R1(config-if)#ip address 1.1.1.2 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 192.168.10.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface serial 4/4
R1(config-if)#ip address 5.5.5.2 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit

 



 

AS-6001-R1-#show ip interface brief

Interface                  IP-Address      OK? Method Status                Protocol

FastEthernet0/0            192.168.10.1    YES NVRAM  up                    up

Serial4/0                              1.1.1.1         YES NVRAM  up                    up

Serial4/4                              5.5.5.2         YES NVRAM  up                    up

Loopback0                          10.1.1.1        YES NVRAM  up                    up

 

 

R2(config)#interface serial 4/0

R2(config-if)#ip address 1.1.1.2 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit


R2(config)#interface serial 4/1
R2(config-if)#ip address 2.2.2.1 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit


R2(config)#interface fastethernet 0/0
R2(config-if)#ip address 192.168.20.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#no keepalive
R2(config-if)#exit

 

R2(config)#interface loopback 0

R2(config-if)#ip address 20.1.1.1 255.255.255.0

R2(config-if)#no shutdown
R2(config-if)#exit

 

AS6023-R2-#show ip interface brief

Interface                  IP-Address      OK? Method Status                Protocol

FastEthernet0/0            192.168.20.1    YES NVRAM  up                    up

Serial4/0                             1.1.1.2         YES NVRAM  up                    up

Serial4/1                             2.2.2.1         YES NVRAM  up                    up

Loopback0                        20.1.1.1        YES NVRAM  up                    up

 

 

R3(config)#interface serial 4/1
R3(config-if)#ip address 2.2.2.2 255.0.0.0
R3(config-if)#no shutdown
R3(config-if)#exit

R3(config)#interface serial 4/2
R3(config-if)#ip address 3.3.3.1 255.0.0.0
R3(config-if)#no shutdown
R3(config-if)#exit

R3(config)#interface fastEthernet 0/0
R3(config-if)#ip address 192.168.30.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#no keepalive
R3(config-if)#exit

R3(config)#interface loopback 0
R3(config-if)#ip address 30.1.1.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit

 

 

 

 

R4(config)#interface serial 4/2
R4(config-if)#ip address 3.3.3.2 255.0.0.0
R4(config-if)#no sh
R4(config-if)#no shutdown
R4(config-if)#exit

R4(config)#interface serial 4/3
R4(config-if)#ip address 4.4.4.1 255.0.0.0
R4(config-if)#no sh
R4(config-if)#no shutdown
R4(config-if)#exit


R4(config)#interface fastEthernet 0/0
R4(config-if)#ip address 192.168.40.1 255.255.255.0
R4(config-if)#no keepalive
R4(config-if)#no shutdown
R4(config-if)#exit

R4(config)#interface loopback 0
R4(config-if)#ip address 40.1.1.1 255.255.255.0
R4(config-if)#no shutdown
R4(config-if)#exit

 

AS6004-R4-#show ip interface brief

Interface                  IP-Address      OK? Method Status                Protocol

FastEthernet0/0            192.168.40.1    YES NVRAM  up                    up

Serial4/2                                3.3.3.2         YES NVRAM  up                    up

Serial4/3                                4.4.4.1         YES NVRAM  up                    up

Loopback0                           40.1.1.1        YES NVRAM  up                    up

 

 

 

R5(config)#interface serial 4/3
R5(config-if)#ip address 4.4.4.2 255.0.0.0
R5(config-if)#no shutdown
R5(config-if)#exit

R5(config)#interface serial 4/4
R5(config-if)#ip address 5.5.5.1 255.0.0.0
R5(config-if)#no shutdown
R5(config-if)#exit

 

AS6005-R5-(config)#interface fastEthernet 0/0

AS6005-R5-(config-if)#ip address 50.1.1.1 255.255.255.0

AS6005-R5-(config-if)#no shutdown

AS6005-R5-(config-if)#no keepalive

AS6005-R5-(config-if)#exit

 


R5(config)#interface loopback 0
R5(config-if)#ip address 192.168.50.1 255.255.255.0
R5(config-if)#no shutdown
R5(config-if)#exit



AS6005-R5-#show ip interface brief

Interface                  IP-Address      OK? Method Status                Protocol

FastEthernet0/0            50.1.1.1        YES manual up                    up

Serial4/3                        4.4.4.2         YES NVRAM  up                    up

Serial4/4                        5.5.5.1         YES NVRAM  up                    up

Loopback0                  192.168.50.1    YES NVRAM  up                    up

 

 

configure IBGP and EBGP, advertise all the directly connected interface
configure next hop behavior at AS 6023

 

 

AS-6001-R1-(config)#router bgp 6001
AS-6001-R1-(config-router)#neighbor 1.1.1.2 remote-as 6023
AS-6001-R1-(config-router)#neighbor 5.5.5.1 remote-as 6005
AS-6001-R1-(config-router)#network 192.168.10.0 mask 255.255.255.0
AS-6001-R1-(config-router)#network 10.0.0.0 mask 255.255.255.0
AS-6001-R1-(config-router)#network 1.0.0.0
AS-6001-R1-(config-router)#network 5.0.0.0
AS-6001-R1-(config-router)#no auto-summary
AS-6001-R1-(config-router)#no synchronization
AS-6001-R1-(config-router)#exit

 

AS-6001-R1-#show ip route bgp

B    2.0.0.0/8 [20/0] via 1.1.1.2, 00:23:52

B    3.0.0.0/8 [20/0] via 1.1.1.2, 00:23:21

B    192.168.30.0/24 [20/0] via 1.1.1.2, 00:23:21

B    4.0.0.0/8 [20/0] via 5.5.5.1, 00:23:49

B    192.168.40.0/24 [20/0] via 1.1.1.2, 00:23:21

B    192.168.20.0/24 [20/0] via 1.1.1.2, 00:23:52

B    192.168.50.0/24 [20/0] via 5.5.5.1, 00:23:49

 

AS-6001-R1-#show ip bgp summary

BGP router identifier 10.1.1.1, local AS number 6001

BGP table version is 10, main routing table version 10

9 network entries using 1188 bytes of memory

17 path entries using 884 bytes of memory

8/5 BGP path/bestpath attribute entries using 1344 bytes of memory

5 BGP AS-PATH entries using 120 bytes of memory

0 BGP route-map cache entries using 0 bytes of memory

0 BGP filter-list cache entries using 0 bytes of memory

Bitfield cache entries: current 1 (at peak 1) using 32 bytes of memory

BGP using 3568 total bytes of memory

BGP activity 9/0 prefixes, 17/0 paths, scan interval 60 secs



Neighbor        V          AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd

1.1.1.2         4       6023      29      31       10    0    0 00:25:25        7

5.5.5.1         4       6005      30      31       10    0    0 00:25:24        8

 

 

 

 

AS6023-R2-(config)#router bgp 6023
AS6023-R2-(config-router)#neighbor 1.1.1.1 remote-as 6001
AS6023-R2-(config-router)#neighbor 2.2.2.2 remote-as 6023
AS6023-R2-(config-router)#neighbor 2.2.2.2 next-hop-self
AS6023-R2-(config-router)#network 192.168.20.0 mask 255.255.255.0
AS6023-R2-(config-router)#network 20.0.0.0 mask 255.255.255.0
AS6023-R2-(config-router)#network 1.0.0.0
AS6023-R2-(config-router)#network 2.0.0.0
AS6023-R2-(config-router)#no auto-summary
AS6023-R2-(config-router)#no synchronization
AS6023-R2-(config-router)#exit

 

 

AS6023-R2-#show ip route bgp

B    3.0.0.0/8 [200/0] via 2.2.2.2, 00:29:32

B    192.168.30.0/24 [200/0] via 2.2.2.2, 00:29:32

B    4.0.0.0/8 [200/0] via 2.2.2.2, 00:29:29

B    5.0.0.0/8 [20/0] via 1.1.1.1, 00:29:33

B    192.168.10.0/24 [20/0] via 1.1.1.1, 00:01:35

B    192.168.40.0/24 [200/0] via 2.2.2.2, 00:29:29

B    192.168.50.0/24 [20/0] via 1.1.1.1, 00:29:06

 

AS6023-R2-#show ip bgp summary

BGP router identifier 20.1.1.1, local AS number 6023

BGP table version is 11, main routing table version 11

9 network entries using 1188 bytes of memory

13 path entries using 676 bytes of memory

7/5 BGP path/bestpath attribute entries using 1176 bytes of memory

4 BGP AS-PATH entries using 96 bytes of memory

0 BGP route-map cache entries using 0 bytes of memory

0 BGP filter-list cache entries using 0 bytes of memory

Bitfield cache entries: current 3 (at peak 3) using 96 bytes of memory

BGP using 3232 total bytes of memory

BGP activity 9/0 prefixes, 13/0 paths, scan interval 60 secs

 

Neighbor        V          AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd

1.1.1.1         4       6001      37      35       11    0    0 00:31:31        4

2.2.2.2         4       6023      35      35       11    0    0 00:31:22        6

 



AS6023-R3-(config)#router bgp 6023
AS6023-R3-(config-router)#neighbor 2.2.2.1 remote-as 6023
AS6023-R3-(config-router)#neighbor 2.2.2.1 remote-as 6023
AS6023-R3-(config-router)#neighbor 3.3.3.2 remote-as 6004
AS6023-R3-(config-router)#neighbor 2.2.2.1 next-hop-self
AS6023-R3-(config-router)#network 192.168.30.0 mask 255.255.255.0
AS6023-R3-(config-router)#network 30.0.0.0 mask 255.255.255.0
AS6023-R3-(config-router)#network 3.0.0.0
AS6023-R3-(config-router)#network 2.0.0.0
AS6023-R3-(config-router)#no auto-summary
AS6023-R3-(config-router)#no synchronization
AS6023-R3-(config-router)#exit

 

AS6023-R3-#show ip route bgp

B    1.0.0.0/8 [200/0] via 2.2.2.1, 00:33:25

B    4.0.0.0/8 [20/0] via 3.3.3.2, 00:33:22

B    5.0.0.0/8 [200/0] via 2.2.2.1, 00:33:25

B    192.168.10.0/24 [200/0] via 2.2.2.1, 00:02:17

B    192.168.40.0/24 [20/0] via 3.3.3.2, 00:33:22

B    192.168.20.0/24 [200/0] via 2.2.2.1, 00:33:25

B    192.168.50.0/24 [20/0] via 3.3.3.2, 00:33:22

 

 

AS6023-R3-#show ip bgp

BGP table version is 10, local router ID is 30.1.1.1

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,

              r RIB-failure, S Stale

Origin codes: i - IGP, e - EGP, ? - incomplete

 

   Network          Next Hop            Metric LocPrf Weight Path

*>i1.0.0.0          2.2.2.1                  0    100      0 i

* i2.0.0.0          2.2.2.1                  0    100      0 i

*>                  0.0.0.0                  0         32768 i

*  3.0.0.0          3.3.3.2                  0             0 6004 i

*>                  0.0.0.0                  0         32768 i

*> 4.0.0.0          3.3.3.2                  0             0 6004 i

*  5.0.0.0          3.3.3.2                                0 6004 6005 i

*>i                 2.2.2.1                  0    100      0 6001 i

*  192.168.10.0     3.3.3.2                                0 6004 6005 6001 i

*>i                 2.2.2.1                  0    100      0 6001 i

*>i192.168.20.0     2.2.2.1                  0    100      0 i

*> 192.168.30.0     0.0.0.0                  0         32768 i

*> 192.168.40.0     3.3.3.2                  0             0 6004 i

* i192.168.50.0     2.2.2.1                  0    100      0 6001 6005 i

*>                  3.3.3.2                                0 6004 6005 i

 

 

AS6004-R4-(config)#router bgp 6004
AS6004-R4-(config-router)#neighbor 3.3.3.1 remote-as 6023
AS6004-R4-(config-router)#neighbor 4.4.4.2 remote-as 6005
AS6004-R4-(config-router)#network 192.168.40.0 mask 255.255.255.0
AS6004-R4-(config-router)#network 40.0.0.0 mask 255.255.255.0
AS6004-R4-(config-router)#network 3.0.0.0
AS6004-R4-(config-router)#network 4.0.0.0
AS6004-R4-(config-router)#no auto-summary
AS6004-R4-(config-router)#no synchronization
AS6004-R4-(config-router)#exit



AS6004-R4-#show ip route bgp

B    1.0.0.0/8 [20/0] via 3.3.3.1, 00:38:47

B    2.0.0.0/8 [20/0] via 3.3.3.1, 00:38:47

B    192.168.30.0/24 [20/0] via 3.3.3.1, 00:38:47

B    5.0.0.0/8 [20/0] via 4.4.4.2, 00:38:47

B    192.168.20.0/24 [20/0] via 3.3.3.1, 00:38:47

B    192.168.50.0/24 [20/0] via 4.4.4.2, 00:38:47

 

AS6004-R4-#show ip bgp

BGP table version is 10, local router ID is 40.1.1.1

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,

              r RIB-failure, S Stale

Origin codes: i - IGP, e - EGP, ? - incomplete

 

   Network          Next Hop            Metric LocPrf Weight Path

*  1.0.0.0          4.4.4.2                                0 6005 6001 i

*>                  3.3.3.1                                0 6023 i

*> 2.0.0.0          3.3.3.1                  0             0 6023 i

*  3.0.0.0          3.3.3.1                  0             0 6023 i

*>                  0.0.0.0                  0         32768 i

*  4.0.0.0          4.4.4.2                  0             0 6005 i

*>                  0.0.0.0                  0         32768 i

*> 5.0.0.0          4.4.4.2                  0             0 6005 i

*                   3.3.3.1                                0 6023 6001 i

*  192.168.10.0     3.3.3.1                                0 6023 6001 i

*>                  4.4.4.2                                0 6005 6001 i

*> 192.168.20.0     3.3.3.1                                0 6023 i

*> 192.168.30.0     3.3.3.1                  0             0 6023 i

*> 192.168.40.0     0.0.0.0                  0         32768 i

*> 192.168.50.0     4.4.4.2                  0             0 6005 i

 

 

 

 

AS6005-R5-(config)#router bgp 6005
AS6005-R5-(config-router)#neighbor 4.4.4.1 remote-as 6004
AS6005-R5-(config-router)#neighbor 4.4.4.1 remote-as 6001
AS6005-R5-(config-router)#neighbor 5.5.5.2  remote-as 6001
AS6005-R5-(config-router)#network 192.168.50.0 mask 255.255.255.0
AS6005-R5-(config-router)#network 50.0.0.0 mask 255.255.255.0
AS6005-R5-(config-router)#network 5.0.0.0
AS6005-R5-(config-router)#network 4.0.0.0
AS6005-R5-(config-router)#no auto-summary
AS6005-R5-(config-router)#no synchronization
AS6005-R5-(config-router)#exit

 

AS6005-R5-#show ip route bgp

B    1.0.0.0/8 [20/0] via 5.5.5.2, 00:39:33

B    2.0.0.0/8 [20/0] via 4.4.4.1, 00:39:32

B    3.0.0.0/8 [20/0] via 4.4.4.1, 00:39:32

B    192.168.10.0/24 [20/0] via 5.5.5.2, 00:05:06

B    192.168.30.0/24 [20/0] via 4.4.4.1, 00:39:32

B    192.168.40.0/24 [20/0] via 4.4.4.1, 00:39:32

B    192.168.20.0/24 [20/0] via 4.4.4.1, 00:39:32

 

AS6005-R5-#show ip bgp

BGP table version is 10, local router ID is 192.168.50.1

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,

              r RIB-failure, S Stale

Origin codes: i - IGP, e - EGP, ? - incomplete

 

   Network          Next Hop            Metric LocPrf Weight Path

*  1.0.0.0          4.4.4.1                                0 6004 6023 i

*>                  5.5.5.2                  0             0 6001 i

*  2.0.0.0          5.5.5.2                                0 6001 6023 i

*>                  4.4.4.1                                0 6004 6023 i

*  3.0.0.0          5.5.5.2                                0 6001 6023 i

*>                  4.4.4.1                  0             0 6004 i

*  4.0.0.0          4.4.4.1                  0             0 6004 i

*>                  0.0.0.0                  0         32768 i

*  5.0.0.0          5.5.5.2                  0             0 6001 i

*>                  0.0.0.0                  0         32768 i

*> 192.168.10.0     5.5.5.2                  0             0 6001 i

*  192.168.20.0     5.5.5.2                                0 6001 6023 i

*>                  4.4.4.1                                0 6004 6023 i

*  192.168.30.0     5.5.5.2                                0 6001 6023 i

*>                  4.4.4.1                                0 6004 6023 i

*  192.168.40.0     5.5.5.2                                0 6001 6023 6004 i

*>                  4.4.4.1                  0             0 6004 i

*> 192.168.50.0     0.0.0.0                  0         32768 i

 

 

AS-6001-R1-#traceroute 192.168.20.1

 

Type escape sequence to abort.

Tracing the route to 192.168.20.1

 

  1 1.1.1.2 20 msec 28 msec 36 msec

 

 

 





 

 

 

{As you can see, to reach 192.168.20.1/24 router 1 (6001) is using path serial 4/0 because this path has less number of AS. Our task is, to reach any or 192.168.20.1/24 network from AS 6001 router 1 should use the path 6005+6004+6023}

 

 

AS-6001-R1-#show ip bgp 192.168.20.1

BGP routing table entry for 192.168.20.0/24, version 4

Paths: (2 available, best #2, table Default-IP-Routing-Table)

  Advertised to update-groups:

        1

  6005 6004 6023

    5.5.5.1 from 5.5.5.1 (192.168.50.1)

      Origin IGP, localpref 100, valid, external

  6023

    1.1.1.2 from 1.1.1.2 (20.1.1.1)

      Origin IGP, metric 0, localpref 100, valid, external, best

 

 

 

configure AS 6001 (R-1) should exit via AS 6005 to reach 192.168.20.1 or any network. 

configure weight attribute on (AS 6001) 

 

 

 

AS-6001-R1-(config)#router bgp 6001

AS-6001-R1-(config-router)#neighbor 5.5.5.1 weight 3000

AS-6001-R1-(config-router)#end

 

AS-6001-R1-#clear ip bgp * soft

 

AS-6001-R1-#traceroute 192.168.20.1

 

Type escape sequence to abort.

Tracing the route to 192.168.20.1

 

  1 5.5.5.1 16 msec 28 msec 32 msec

  2 4.4.4.1 [AS 6005] 76 msec 64 msec 72 msec

  3 3.3.3.1 [AS 6004] 68 msec 88 msec 68 msec

  4 2.2.2.1 [AS 6023] 76 msec 76 msec 80 msec

 

 

 

AS-6001-R1-#show ip bgp 192.168.20.1 bestpath

BGP routing table entry for 192.168.20.0/24, version 17

Paths: (2 available, best #1, table Default-IP-Routing-Table)

  Advertised to update-groups:

        1

  6005 6004 6023

    5.5.5.1 from 5.5.5.1 (192.168.50.1)

      Origin IGP, localpref 100, weight 3000, valid, external, best

 

 

{as you can see now AS 6001 is using the path that we configure via 6005+ 6004+6023}

 

 

AS-6001-R1-(config)#route-map INTERNETWORKS 1

AS-6001-R1-(config-route-map)#set metric 130

AS-6001-R1-(config-route-map)#set as-path prepend 600

AS-6001-R1-(config-route-map)#exit

 

AS-6001-R1-(config)#router bgp 6001

AS-6001-R1-(config-router)#neighbor 1.1.1.2 route-map INTERNETWORKS out

AS-6001-R1-(config-router)#end

 

AS-6001-R1-#clear ip bgp * soft

 

 

AS6023-R2-#traceroute 192.168.10.1

 

Type escape sequence to abort.

Tracing the route to 192.168.10.1

 

  1 1.1.1.1 20 msec 24 msec 36 msec

 

 

AS6023-R2-#show ip bgp 192.168.10.1

BGP routing table entry for 192.168.10.0/24, version 13

Paths: (1 available, best #1, table Default-IP-Routing-Table)

Flag: 0x820

  Advertised to update-groups:

        1

  6001 600

    1.1.1.1 from 1.1.1.1 (10.1.1.1)

      Origin IGP, metric 130, localpref 100, valid, external, best

 

 

{but the return traffic is not using the same path 6004+6005+6001 instead it's using 6001 serial 4/0}

 

 



  

 

make sure AS 6001 return traffic should use the same path which it exits via 6005,6004,6003 and 6023

configure MED on and MED compare to tell BGP router to compare MED in the entire 6023 AS. 

 

AS6023-R2-(config)#router bgp 6023

AS6023-R2-(config-router)#bgp bestpath as-path ignore

AS6023-R2-(config-router)#bgp always-compare-med

AS6023-R2-(config-router)#exit

 

AS6023-R2-#clear ip bgp * soft

 

 

AS6023-R3-(config)#router bgp 6023

AS6023-R3-(config-router)#bgp bestpath as-path ignore

AS6023-R3-(config-router)#bgp always-compare-med

AS6023-R3-(config-router)#exit

AS6023-R3-(config)#end

 

AS6023-R3-#clear ip bgp * soft

 

 

AS6023-R2-#traceroute 192.168.10.1

 

Type escape sequence to abort.

Tracing the route to 192.168.10.1

 

  1 2.2.2.2 20 msec 24 msec 32 msec

  2 3.3.3.2 76 msec 52 msec 80 msec

  3 4.4.4.2 [AS 6004] 80 msec 84 msec 80 msec

  4 5.5.5.2 [AS 6005] 68 msec 80 msec 72 msec

 

 

AS6023-R2-#show ip bgp 192.168.10.1/24 bestpath

BGP routing table entry for 192.168.10.0/24, version 11

Paths: (2 available, best #1, table Default-IP-Routing-Table)

Flag: 0x820

  Advertised to update-groups:

        2

  6004 6005 6001

    2.2.2.2 from 2.2.2.2 (30.1.1.1)

      Origin IGP, metric 0, localpref 100, valid, internal, best

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

What is Cisco IOS Zone Based Firewall on router? How to configure ZBF on Cisco Routers?

 Zone Based Firewall ZBF (Zone Based Firewall) is the stateful firewall that is available on Cisco IOS routers, introduced in 2006. ZBF supp...