Saturday, June 9, 2012

Configuring BGP - Soft Reconfiguration Inbound

We live in a world filled with instant updates. Where are you going? What are you eating? What did you do last night? Everything is instantly "updated", "tweeted", and "posted". So why is it that when we make a routing policy change to BGP we have to clear the entire state of the BGP neighbor and tear down BGP peering before it can take effect?

To keep up-to-date with the world we live in we can configure 'BGP Soft Reconfiguration' which will allow us to make routing policy changes to BGP without having to tear down the peering. 

Consider the simple topology below and let's get started. 

Friday, June 8, 2012

Configuring BGP - Local AS - One router multiple ASN

Wouldn't it be awesome if you had two first names and you had the choice to use whichever one you wanted based on some criteria? Well, in BGP your first names are your ASNs (Autonomous System Numbers). In BGP you can only spin up one instance of BGP with an ASN, unlike OSPF or other routing protocols. For example, you will get this error message if you try to spin up more than one instance.


R2(config)#router bgp 200
R2(config-router)#exit
R2(config)#router bgp 201
BGP is already running; AS is 200

So what do you do when you need to have more than one ASN on the same router? This is where local-as comes in handy.

Consider this simple topology below and let's get started. 

Thursday, June 7, 2012

Configuring MPLS - MPLS ttl-propagation

Would you disclose anything less than what you had to about your network? Certainly I follow the logic that the more I disclose the less secure my network becomes.

This post is a follow-up to my 'Configuring MPLS - Easiest L3VPN Ever', and in that post I stated that when we do a traceroute from the CE (Customer Edge) router, we can see inside the MPLS cloud and all the next hop routers are exposed to the customers. Check out the screenshot below.


Tuesday, June 5, 2012

Configuring BGP - Remove Private AS

Most of you are familiar with private IP addresses. Right? Well, the basic concept behind private IP addresses is that they should not be in the global ISP routing table. Private IP addresses were created to conserve IPv4 space and not to be routed globally. There is something very similar in the BGP world called Private ASN. Basically, these ASNs should never be advertised from one ISP to another ISP. BGP Private ASNs are to be used within an organization for internal purposes only.

In this blogtorial we will see how we can remove these private ASNs before sending our update to an ISP.

Consider this simple topology below and let's begin.


Bypassing Firewalls - Reverse SSH Tunneling

Have you ever found yourself in the situation where you need remote access to internal resources but don’t have the time (or maybe authority) to make changes to the network firewall?  If so, you are in luck!

This tutorial shows how SSH can be used to connect to machines that are not accessible via the internet without 1-to-1 NAT, firewall exceptions, etc. With this you can bypass NAT and incoming firewall restrictions. Examples of when this would be used include: getting a remote shell on a firewall’d server (see diagram below), establishing VNC or RDP sessions to NAT’d servers (see guide below), etc.


Configuring BGP - BGP Backdoor

At one point or another we have all sneaked into our parents' house through the backdoor. Well, we are going to be talking about something very similar; however, instead of a parents' house and a sneaking teenager ;) we are going to be discussing sneaking routes into the routing table via BGP backdoor.

Our objective is to prefer an IGP-learned route over an eBGP-learned route. As we all know, for the most part AD (administrative distance) dictates which routes get installed in the routing table.

Consider this simple topology and let's get started.