Configuration Conversion Between JUNOS Internet Software and IOS


1 Juniper Networks, Inc North Mathilda Avenue Sunnyvale, CA USA or 888 JUNIPER

2 2 Copyright 2001, Juniper Networks, Inc.


[Figure: Test Network Topology. Labels: UNIX, Lunkan, M10, Access, Ida, M20, Cisco_pop, Cisco_core_rr, Lena, M40, Cisco_border, Pagent, Dummy, 2.2/16 Plus Route Generation, 3.3/16 Plus Martians]

[Figure: BGP AS Setup. Labels: UNIX, Lunkan, M10, Access, Ida, M20, Lena, M40, Pagent, AS 2222, Cisco_pop, Cisco_border, Dummy, AS 3333, Cisco_core_rr]

[Figure: EBGP AS Setup. Labels: UNIX, Lunkan, AS 1111, M10, Access, Ida, M20, Lena, M40, Pagent, AS 2222, Cisco_pop, Cisco_border, Dummy, AS 3333, Cisco_core_rr]

[Figure 4: Connected Access and POP Route Reflector Routers. Labels: UNIX, Lunkan, AS 1111, M10, Lena, Pagent, Access, M20, M40, AS 2222, Ida, Cisco_pop, Cisco_border, Dummy, AS 3333, Cisco_core_rr]

[Figure: Route Reflector Topology. Labels: UNIX, Lunkan, AS 1111, M10, Access, Ida, M20, Lena, M40, Pagent, AS 2222, Cisco_pop, Cisco_border, Dummy, AS 3333, Cisco_core_rr]

[Figure: IS-IS Setup. Labels: UNIX, Lunkan, IS-IS Level 2, M10, IS-IS Level 1, Access, Ida, M20, Lena, M40, Pagent, Cisco_pop, Cisco_border, Dummy, Cisco_core_rr]

nexthop-self next-hop-self

router isis
 redistribute isis ip level-2 into level-1 distribute-list 100 /* Leak policy from L2 db -> L1 db */
 passive-interface Loopback0
 net
 metric-style wide /* TLV 135 used for extended metrics, no TLV 128 */
 max-lsp-lifetime
 lsp-refresh-interval
 spf-interval
 prc-interval
 lsp-gen-interval
 log-adjacency-changes
router bgp 1111
 no synchronization
 bgp router-id
 bgp log-neighbor-changes
 timers bgp
 neighbor internal peer-group
 neighbor internal remote-as 1111
 neighbor internal update-source Loopback0
 neighbor pop peer-group
 neighbor pop remote-as 1111
 neighbor pop update-source Loopback0
 neighbor pop_rr peer-group
 neighbor pop_rr remote-as 1111
 neighbor pop_rr update-source Loopback0
 neighbor pop_rr route-reflector-client
 neighbor peer-group internal
 neighbor peer-group internal
 neighbor peer-group pop_rr
 no auto-summary
access-list 1 permit

routing-options {
    router-id ;
    autonomous-system 1111;
}
protocols {
    bgp {
        traceoptions {
            file bgp;
            flag state detail;
        }
        log-updown;
        group internal {
            type internal;
            local-address ;
            neighbor ;
            neighbor ;
        }
        group pop_rr {
            type internal;
            local-address ;
            cluster ;
            neighbor ;
        }
        group pop {
            type internal;
            local-address ;
            neighbor ;
        }
    }
    isis {
        traceoptions {
            file isis;
            flag state detail;
        }
        export isis_leak; /* Leak policy */
        lsp-lifetime 65535; /* Default 1200 seconds */
        level 2 wide-metrics-only; /* TLV 135 used for extended metrics, default both TLV 128/135 used */
        interface fxp0.0 {
            level 1 disable; /* Level 2 only to Core */
        }
        interface fxp1.0 {
            level 2 disable; /* Level 1 only to access stub area */
        }
    }
}

15 policy-options { policy-statement isis_leak { term one { from { protocol isis; level 2; route-filter /24 longer; /* Prefix where next hop for BGP are within lo0 */ to { protocol isis; /*To L1 area */ level 1; lunkan@ida> show isis adjacency IS-IS adjacency database: Interface System L State Hold (secs) SNPA fxp0.0 cisco_pop 2 Up 23 0:0:c:34:74:5b fxp0.0 cisco_border 2 Up 28 0:60:9:c4:23:18 fxp0.0 cisco_core_rr 2 Up 28 0:d0:ba:58:7e:4b fxp0.0 lena 2 Up 26 0:2:b3:22:38:63 fxp0.0 lunkan 2 Up 8 0:2:b3:22:38:61 fxp1.0 cisco_access 1 Up 7 0:d0:ba:58:81:dd lunkan@ida> show isis database detail IS-IS level 1 link-state database: ida Sequence: 0x1d, Checksum: 0x9774, Lifetime: secs IS neighbor: cisco_access.01 Metric: 10 IP prefix: /30 Metric: 20 Internal IP prefix: /32 Metric: 10 Internal IP prefix: /32 Metric: 10 Internal IP prefix: /32 Metric: 10 Internal IP prefix: /32 Metric: 10 Internal IP prefix: /32 Metric: 10 Internal IP prefix: /32 Metric: 0 Internal IP prefix: /30 Metric: 10 Internal cisco_access Sequence: 0x3, Checksum: 0xd715, Lifetime: secs IS neighbor: cisco_access.01 Metric: 10 IP prefix: /32 Metric: 0 Internal IP prefix: /30 Metric: 10 Internal cisco_access Sequence: 0x3, Checksum: 0x4b86, Lifetime: secs IS neighbor: ida.00 Metric: 0 IS neighbor: cisco_access.00 Metric: 0 IS-IS level 2 link-state database: lunkan Sequence: 0x16, Checksum: 0x3c69, Lifetime: secs IS neighbor: lunkan.02 Metric: 10 IP prefix: /24 Metric: 10 Internal Copyright 2001, Juniper Networks, Inc. 15

16 IP prefix: /32 Metric: 0 Internal lunkan Sequence: 0x6, Checksum: 0x920c, Lifetime: secs IS neighbor: cisco_pop.00 Metric: 0 IS neighbor: cisco_core_rr.00 Metric: 0 IS neighbor: cisco_border.00 Metric: 0 IS neighbor: ida.00 Metric: 0 IS neighbor: lena.00 Metric: 0 IS neighbor: lunkan.00 Metric: 0 lena Sequence: 0x13, Checksum: 0x815c, Lifetime: secs IS neighbor: lunkan.02 Metric: 10 IP prefix: /24 Metric: 10 Internal IP prefix: /24 Metric: 10 Internal IP prefix: /32 Metric: 0 Internal ida Sequence: 0x21, Checksum: 0x6128, Lifetime: secs IS neighbor: lunkan.02 Metric: 10 IP prefix: /32 Metric: 10 Internal IP prefix: /24 Metric: 10 Internal IP prefix: /30 Metric: 10 Internal IP prefix: /32 Metric: 0 Internal cisco_border Sequence: 0xb, Checksum: 0x71c8, Lifetime: secs IS neighbor: lunkan.02 Metric: 10 IP prefix: /24 Metric: 0 Internal IP prefix: /32 Metric: 0 Internal IP prefix: /24 Metric: 10 Internal cisco_pop Sequence: 0xd, Checksum: 0x20c2, Lifetime: secs IS neighbor: lunkan.02 Metric: 10 IP prefix: /30 Metric: 10 Internal IP prefix: /32 Metric: 0 Internal IP prefix: /24 Metric: 10 Internal cisco_core_rr Sequence: 0xc, Checksum: 0xb9b1, Lifetime: secs IS neighbor: lunkan.02 Metric: 10 IP prefix: /32 Metric: 0 Internal IP prefix: /24 Metric: 10 Internal cisco_access Sequence: 0x7, Checksum: 0x7373, Lifetime: secs IS neighbor: cisco_access.01 Metric: 10 IP prefix: /30 Metric: 10 Internal IP prefix: /32 Metric: 0 Internal cisco_access Sequence: 0x1, Checksum: 0x69f0, Lifetime: secs IS neighbor: ida.00 Metric: 0 IS neighbor: cisco_access.00 Metric: 0 lunkan@ida> show route inet.0: 19 destinations, 19 routes (19 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both /24 *[Direct/0] 01:41:20 > via fxp /32 *[Local/0] 01:41:55 Local /32 *[IS-IS/18] 00:48:26, metric 10, tag 2 > to via fxp /32 *[IS-IS/18] 00:48:33, metric 10, tag 2 > to via fxp /32 *[Direct/0] 01:41:55 > via lo /32 *[IS-IS/18] 00:48:33, metric 10, tag 2 > to via fxp Copyright 2001, 
Juniper Networks, Inc.

17 /32 *[IS-IS/18] 00:48:33, metric 10, tag 2 > to via fxp /32 *[IS-IS/18] 00:48:33, metric 10, tag 2 > to via fxp /32 *[IS-IS/15] 00:26:14, metric 10, tag 1 > to via fxp /30 *[Direct/0] 01:41:55 > via fxp /32 *[Local/0] 01:41:55 Local /30 *[IS-IS/18] 00:27:52, metric 20, tag 2 > to via fxp /16 *[BGP/170] 00:18:56, MED 0, localpref 100, from AS path: 2222 I > to via fxp0.0 [BGP/170] 00:18:56, MED 0, localpref 100, from AS path: 2222 I > to via fxp /16 *[BGP/170] 00:48:09, MED 1, localpref 100, from AS path: 3333 I > to via fxp0.0 [BGP/170] 00:47:33, MED 1, localpref 100, from AS path: 3333 I > to via fxp /8 *[BGP/170] 00:48:09, MED 1, localpref 100, from AS path: 3333? > to via fxp0.0 [BGP/170] 00:47:33, MED 1, localpref 100, from AS path: 3333? > to via fxp /32 *[BGP/170] 00:22:11, MED 0, localpref 100, from AS path:? > to via fxp /32 *[BGP/170] 00:22:11, MED 0, localpref 100, from AS path:? > to via fxp /24 *[BGP/170] 00:48:20, localpref 100, from AS path: I > to via fxp0.0 [BGP/170] 00:48:26, localpref 100, from AS path: I > to via fxp /24 *[IS-IS/18] 00:48:33, metric 10, tag 2 > to via fxp0.0 iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both /80 *[Direct/0] 01:41:55 > via lo0.0 Copyright 2001, Juniper Networks, Inc. 17

18 router isis passive-interface Loopback0 net is-type level-1/* Pure L1 ISIS adjacency allowed */ metric-style wide/* TLV 135 used for extended metrics, no TLV 128 */ max-lsp-lifetime lsp-refresh-interval spf-interval prc-interval lsp-gen-interval log-adjacency-changes router bgp 1111 no synchronization bgp router-id bgp log-neighbor-changes timers bgp redistribute connected route-map access neighbor access peer-group neighbor access remote-as 1111 neighbor access update-source Loopback0 neighbor peer-group access neighbor peer-group access no auto-summary access-list 1 permit access-list 1 permit route-map access permit 10 match ip address 1 cisco_access#sh clns nei det System Id Interface SNPA State Holdtime Type Protocol ida Et b322.39c8 Up 25 L1 IS-IS Area Address(es): IP Address(es): * Uptime: 00:10:50 cisco_access# 18 Copyright 2001, Juniper Networks, Inc.

19 cisco_access#sh isis dat det IS-IS Level-1 Link State Database: LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL ida x D 0x /0/0 Area Address: NLPID: 0xCC Router ID: IP Address: Hostname: ida Metric: 10 IS cisco_access.01 Metric: 10 IS-Extended cisco_access.01 Metric: 10 IP Metric: 0 IP Metric: 74 IP Metric: 74 IP Metric: 74 IP Metric: 74 IP Metric: 74 IP Metric: 84 IP Metric: 10 IP /30 Metric: 0 IP /32 Metric: 10 IP-Interarea /32 Metric: 10 IP-Interarea /32 Metric: 10 IP-Interarea /32 Metric: 10 IP-Interarea /32 Metric: 10 IP-Interarea /32 Metric: 20 IP-Interarea /30 cisco_access * 0x xD /0/0 Area Address: NLPID: 0xCC Hostname: cisco_access IP Address: Metric: 10 IP /30 Metric: 0 IP /32 Metric: 10 IS-Extended cisco_access.01 cisco_access * 0x x4B /0/0 Metric: 0 IS-Extended cisco_access.00 Metric: 0 IS-Extended ida.00 cisco_access# Copyright 2001, Juniper Networks, Inc. 19

20 cisco_access#sh ip ro Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default, U - per-user static route, o - ODR P - periodic downloaded static route Gateway of last resort is not set /8 is variably subnetted, 9 subnets, 2 masks i ia /32 [115/20] via , Ethernet0 i L /32 [115/10] via , Ethernet0 i ia /32 [115/20] via , Ethernet0 i ia /32 [115/20] via , Ethernet0 i ia /32 [115/20] via , Ethernet0 C /32 is directly connected, Loopback0 i ia /32 [115/20] via , Ethernet0 C /30 is directly connected, Ethernet0 i ia /30 [115/30] via , Ethernet /16 is subnetted, 1 subnets B [200/0] via , 00:05: /32 is subnetted, 2 subnets C is directly connected, Loopback1 C is directly connected, Loopback /16 is subnetted, 1 subnets B [200/1] via , 00:08:49 B /8 [200/1] via , 00:08:49 B /24 [200/0] via , 00:08:49 cisco_access# 20 Copyright 2001, Juniper Networks, Inc.

21 cisco_access#sh ip bgp BGP table version is 14, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i -internal Origin codes: i - IGP, e - EGP,? - incomplete Network Next Hop Metric LocPrf Weight Path * i / i *>i i * i / i *>i i * i / i *>i i *> / ? *> / ? * i / i *>i i *> / ? *> / ? *> / ? * i i *>i i * i i *>i i *> / ? cisco_access# Copyright 2001, Juniper Networks, Inc. 21

[Figure: Multihomed Autonomous System]

[Figure: Prevention of Internal Announcements with External Link Failures. Labels: border_1, border_2]

[Figure: Prevention of External Announcements with External Link Failures. Labels: border_1, border_2]

router bgp 1111
 no synchronization
 aggregate-address summary-only # Aggregation of /16 and suppress of routes within prefix with longer mask
 timers bgp
 neighbor internal peer-group
 neighbor internal remote-as 1111
 neighbor internal update-source Loopback0
 neighbor internal next-hop-self
 neighbor peer-group internal
 neighbor peer-group internal
 neighbor remote-as 2222
 neighbor remote-as 3333
 no auto-summary

24 cisco_border#sh ip bgp nei adv BGP table version is 157, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i - internal Origin codes: i - IGP, e - EGP,? - incomplete Network Next Hop Metric LocPrf Weight Path *> / i *> / i *>i i cisco_border# atomic-aggregate Origin igp cisco_border#sh ip bgp BGP routing table entry for /16, version 153 Paths: (1 available, best #1, table Default-IP-Routing-Table) Advertised to peer-groups: internal Advertised to non peer-group peers: Local, (aggregated by ) from ( ) Origin IGP, localpref 100, weight 32768, valid, aggregated, local, atomic-aggregate, best cisco_border# cisco_border#sh ip bgp BGP table version is 157, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i - internal Origin codes: i - IGP, e - EGP,? - incomplete Network Next Hop Metric LocPrf Weight Path * i / i * i i *> i * i * i / i * i i * i *> i * i ? * i ? * ? *> ? *> / i s i / ? s>i ? s i / ? s>i ? *>i i Network Next Hop Metric LocPrf Weight Path * i i cisco_border# 24 Copyright 2001, Juniper Networks, Inc.

routing-options {
    aggregate {
        route /16; /* Aggregation of /16 if more specific exist in route-table */
    }
    router-id ;
    autonomous-system 1111;
}
protocols {
    bgp {
        path-selection always-compare-med;
        traceoptions {
            file bgp;
            flag state;
        }
        log-updown;
        group external {
            type external;
            local-address ;
            export ebgp;
            peer-as 2222;
            neighbor {
                peer-as 2222;
            }
            neighbor {
                peer-as 3333;
            }
        }
        group internal {
            type internal;
            local-address ;
            export internal;
            neighbor ;
            neighbor ;
        }
    }
}
policy-statement ebgp {
    term one {
        from {
            protocol aggregate;
            route-filter /16 exact; /* Aggregated route */
        }
        then accept;
    }
    term two {
        from {
            route-filter /16 longer; /* Deny routes (suppress) with longer mask than /16 for prefix /16 */
        }
        then reject;
    }
}

26 Originator run show route advertising-protocol bgp detail inet.0: 19 destinations, 19 routes (19 active, 0 holddown, 0 hidden) Prefix Nexthop MED Lclpref AS path /16 (3 entries, 1 announced) BGP (External AS 3333) Nexthop: Self AS path:? <Originator> Cluster list: Originator ID: [edit] lunkan@lena# lunkan@lena> show route /16 detail all inet.0: 24 destinations, 24 routes (23 active, 0 holddown, 1 hidden) + = Active Route, - = Last Active, * = Both /16 (2 entries, 1 announced) *Aggregate Preference: 130 Next hop type: Reject State: <Active Int Ext> Age: 5d 0:42:08 Task: Aggregate Announcement bits (3): 0-KRT 4-BGP BGP_Sync_Any AS path:? <Originator> Cluster list: Originator ID: Flags: Depth: 0 Active AS path list: AS path:? <Originator> Cluster list: Originator ID: Refcount: 2 Contributing Routes (2): /32 proto BGP /32 proto BGP BGP Preference: 170/-101/* This route is from IOS border router and is ignored */ Source: Nexthop: via fxp0.0, selected State: <Int Ext> Inactive reason: Route Preference Local AS: 1111 Peer AS: 1111 Age: 46:30 Metric2: 10 Task: BGP_ AS path: I <Atomic Originator> Aggregator: Cluster list: Originator ID: /* IOS default change originate-id to itself */ BGP next hop: Localpref: 100 Router ID: Copyright 2001, Juniper Networks, Inc.

27 /32 (1 entry, 1 announced)/* This is the contributing route from IOS access router */ *BGP Preference: 170/-101 Source: Nexthop: via fxp0.0, selected State: <Active Int Ext> Local AS: 1111 Peer AS: 1111 Age: 30:02 Metric: 0 Metric2: 20 Task: BGP_ Announcement bits (3): 0-KRT 3-Aggregate 5-BGP_Sync_Any AS path:? <Originator> /* Note IOS add Origin incomplete default for provision of routes*/ Cluster list: Originator ID: Communities: 1111:1 BGP next hop: Localpref: 100 Router ID: /32 (1 entry, 1 announced)/* This is the contributing route from IOS access router */ *BGP Preference: 170/-101 Source: Nexthop: via fxp0.0, selected State: <Active Int Ext> Local AS: 1111 Peer AS: 1111 Age: 30:02 Metric: 0 Metric2: 20 Task: BGP_ Announcement bits (3): 0-KRT 3-Aggregate 5-BGP_Sync_Any AS path:? <Originator> /* Note IOS add Origin incomplete default for provision of routes*/ Cluster list: Originator ID: Communities: 1111:2 BGP next hop: Localpref: 100 Router ID: lunkan@lena> dummy#sh ip bgp BGP table version is 78, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i - internal Origin codes: i - IGP, e - EGP,? - incomplete Network Next Hop Metric LocPrf Weight Path *> / i *> i *> / i * / ? /*JUNOS*/ *> I /*IOS*/ * / ? *> i *> / ? * ? *> / ? * ? dummy# Copyright 2001, Juniper Networks, Inc. 27

28 Originate Origin MED as-path Origin igp dummy#sh ip bgp BGP routing table entry for /16, version 77 Paths: (2 available, best #2, table Default-IP-Routing-Table) Flag: 0x208 Advertised to peer-groups: external from ( )/* JUNOS router */ Origin incomplete, localpref 100, valid, external 1111, (aggregated by )/* IOS router */ from ( ) Origin IGP, localpref 100, valid, external, atomic-aggregate, best routing-options aggregate atomic-aggregate aggregate [edit routing-options] show aggregate { route /16 { as-path { origin igp; atomic-aggregate; aggregator ; Origin igp atomic-aggregate aggregator AS router-id lunkan@lena# run show route /16 detail all inet.0: 24 destinations, 24 routes (23 active, 0 holddown, 1 hidden) + = Active Route, - = Last Active, * = Both /16 (2 entries, 1 announced) *Aggregate Preference: 130 Next hop type: Reject State: <Active Int Ext> Age: 5d 1:28:22 Task: Aggregate Announcement bits (3): 0-KRT 4-BGP BGP_Sync_Any AS path: I <Atomic> Aggregator: Flags: Depth: 0 Active Contributing Routes (2): /32 proto BGP /32 proto BGP 28 Copyright 2001, Juniper Networks, Inc.

29 BGP Preference: 170/-101 Source: Nexthop: via fxp0.0, selected State: <Int Ext> Inactive reason: Route Preference Local AS: 1111 Peer AS: 1111 Age: 30:02 Metric2: 10 Task: BGP_ AS path: I <Atomic Originator> Aggregator: Cluster list: Originator ID: BGP next hop: Localpref: 100 Router ID: /32 (1 entry, 1 announced) *BGP Preference: 170/-101 Source: Nexthop: via fxp0.0, selected State: <Active Int Ext> Local AS: 1111 Peer AS: 1111 Age: 30:02 Metric: 0 Metric2: 20 Task: BGP_ Announcement bits (3): 0-KRT 3-Aggregate 5-BGP_Sync_Any AS path:? <Originator> Cluster list: Originator ID: Communities: 1111:1 BGP next hop: Localpref: 100 Router ID: /32 (1 entry, 1 announced) *BGP Preference: 170/-101 Source: Nexthop: via fxp0.0, selected State: <Active Int Ext> Local AS: 1111 Peer AS: 1111 Age: 30:02 Metric: 0 Metric2: 20 Task: BGP_ Announcement bits (3): 0-KRT 3-Aggregate 5-BGP_Sync_Any AS path:? <Originator> Cluster list: Originator ID: Communities: 1111:2 BGP next hop: Localpref: 100 Router ID: [edit routing-options] lunkan@lena# Copyright 2001, Juniper Networks, Inc. 29

30 dummy#sh ip bgp BGP table version is 8, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i - internal Origin codes: i - IGP, e - EGP,? - incomplete Network Next Hop Metric LocPrf Weight Path *> / i *> i *> / i *> / I/* JUNOS */ * I/* IOS */ *> / i * i *> / ? * ? *> / ? * ? dummy#sh ip bgp BGP routing table entry for /16, version 5 Paths: (2 available, best #1, table Default-IP-Routing-Table) Advertised to peer-groups: external 1111, (aggregated by )/* JUNOS */ from ( ) Origin IGP, localpref 100, valid, external, atomic-aggregate, best 1111, (aggregated by )/* IOS */ from ( ) Origin IGP, localpref 100, valid, external, atomic-aggregate 30 Copyright 2001, Juniper Networks, Inc.

31 routing-options { aggregate { route /24 policy deny_local; router-id ; autonomous-system 1111; protocols { bgp { advertise-inactive; log-updown; group external { type external; description to_ebgp-routers; local-address ; hold-time 180; damping; import ebgp_in; family inet { unicast { prefix-limit { maximum 100; teardown 70; any; export ebgp; peer-as 2222; neighbor { peer-as 3333; policy-options { policy-statement deny_local { term 1 { from interface lo0.0; then reject; Copyright 2001, Juniper Networks, Inc. 31

32 run show route detail inet.0: 27 destinations, 27 routes (25 active, 0 holddown, 2 hidden) + = Active Route, - = Last Active, * = Both /24 (1 entry, 1 announced) *Aggregate Preference: 130 Next hop type: Reject State: <Active Int Ext> Age: 18:14:13 Task: Aggregate Announcement bits (3): 0-KRT 4-BGP BGP_Sync_Any AS path: I Flags: Depth: 0 Active AS path list: AS path: I Refcount: 7 Contributing Routes (7): /32 proto IS-IS /32 proto IS-IS /32 proto IS-IS /32 proto IS-IS /32 proto IS-IS /32 proto IS-IS This example shows the local (direct) routes. Note /32 is a direct route. lunkan@junos_lena# run show route protocol direct inet.0: 27 destinations, 27 routes (25 active, 0 holddown, 2 hidden) + = Active Route, - = Last Active, * = Both /32 *[Direct/0] 1w4d 20:09:21 > via lo /28 *[Direct/0] 17:40:51 > via fxp /24 *[Direct/0] 1d 06:24:04 > via fxp Copyright 2001, Juniper Networks, Inc.

as-path community no-export as-path community as-path MED

[Figure: Provision and Prevention of Advertising Intra-AS Routes. Labels: AS 1111, UNIX, Access, Lunkan, M10, Ida, M20, Lena, M40, Pagent, Cisco_pop, Cisco_core_rr, Cisco_border, Dummy; route annotations carry the communities no-export, 1111:10 and 1111:6]

as-path MED community

35 Manipulation of Announced Aggregate Updates AS 1111 UNIX Lunkan M /16 MED /16 MED 100 as-path /16 MED /16 MED 100 as-path Access Ida M20 Lena M40 Pagent AS /32, 1111: /32, 1111: /32, 1111: /32, 1111: /16, 1111: /16, 1111:6 Cisco_pop Cisco_core_rr Cisco_border /16 MED /16 MED 100 as-path /16 MED /16 MED 100 as-path Dummy AS 3333 community no-export router bgp 1111 no synchronization bgp router-id bgp cluster-id bgp log-neighbor-changes network route-map rfc1918 timers bgp redistribute connected neighbor internal_rr peer-group neighbor internal_rr remote-as 1111 neighbor internal_rr update-source Loopback0 neighbor internal_rr route-reflector-client neighbor internal_rr send-community neighbor internal_rr route-map rfc1918 out neighbor internal peer-group neighbor internal remote-as 1111 neighbor internal update-source Loopback0 neighbor internal send-community/* Send community */ neighbor internal route-map rfc1918 out/* Route-map out */ neighbor peer-group internal neighbor peer-group internal_rr Copyright 2001, Juniper Networks, Inc. 35

36 neighbor peer-group internal_rr neighbor peer-group internal_rr neighbor peer-group internal_rr no auto-summary ip bgp-community new-format access-list 1 permit /* Access-list that route-map use */ route-map rfc1918 permit 10/* Route-map mark route with no-export community */ match ip address 1 set community no-export community router bgp 1111 no synchronization bgp log-neighbor-changes timers bgp redistribute connected route-map access/* Route-map used for connected routes (loopbacks) */ redistribute static route-map static neighbor access peer-group neighbor access remote-as 1111 neighbor access update-source Loopback0 neighbor access send-community neighbor peer-group access neighbor peer-group access no auto-summary ip bgp-community new-format /* Route-map used for static routes */ access-list 1 permit /* Access-list that route-map uses */ access-list 2 permit access-list 3 permit access-list 4 permit access-list 5 permit access-list 6 permit route-map access permit 10/* Route-map that sets community for connected routes */ match ip address 1 set community 1111:1 route-map access permit 20 match ip address 2 set community 1111:2 route-map access permit 30 match ip address 3 set community 1111:3 36 Copyright 2001, Juniper Networks, Inc.

37 route-map access permit 40 match ip address 4 set community 1111:4 route-map static permit 10/* Route-map that set community for staticly routes */ match ip address 5 set community 1111:5 route-map static permit 20 match ip address 6 set community 1111:6 community cisco_access#sh ip bgp commun 1111:1 BGP table version is 12, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i -internal Origin codes: i - IGP, e - EGP,? - incomplete Network Next Hop Metric LocPrf Weight Path *> / ? cisco_access#sh ip bgp commun 1111:2 BGP table version is 12, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i -internal Origin codes: i - IGP, e - EGP,? - incomplete Network Next Hop Metric LocPrf Weight Path *> / ? cisco_access#sh ip bgp commun 1111:3 BGP table version is 12, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i -internal Origin codes: i - IGP, e - EGP,? - incomplete Network Next Hop Metric LocPrf Weight Path *> / ? cisco_access#sh ip bgp commun 1111:4 BGP table version is 12, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i -internal Origin codes: i - IGP, e - EGP,? - incomplete Network Next Hop Metric LocPrf Weight Path *> / ? cisco_access#sh ip bgp commun 1111:5 BGP table version is 12, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i -internal Origin codes: i - IGP, e - EGP,? - incomplete Network Next Hop Metric LocPrf Weight Path *> / ? cisco_access#sh ip bgp commun 1111:6 BGP table version is 12, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i -internal Origin codes: i - IGP, e - EGP,? - incomplete Network Next Hop Metric LocPrf Weight Path *> / ? Copyright 2001, Juniper Networks, Inc. 37

community no-export community

routing-options {
    router-id ;
    autonomous-system 1111;
}
protocols {
    bgp {
        traceoptions {
            file bgp;
            flag state;
        }
        log-updown;
        group internal_rr {
            type internal;
            local-address ;
            export service; /* Export policy (for non-reflected routes) */
            cluster ;
            neighbor {
                authentication-key "$9$.mT3ApBSrv9ApBRSMW";
            }
            neighbor {
                authentication-key "$9$h2PclM7-waZjX7-w2aiH";
            }
            neighbor ;
            neighbor ;
        }
        group internal {
            type internal;
            local-address ;
            export service; /* Export policy (for non-reflected routes) */
            neighbor ;
        }
    }
}
policy-options {
    policy-statement service {
        term one {
            from {
                route-filter /24 exact;
            }
            then {
                community add rfc1918;
                accept;
            }
        }
        term two {
            from {
                route-filter /24 exact;
            }
            then {
                community add mcast;
                accept;
            }
        }
    }
    community mcast members 1111:10;
    community rfc1918 members no-export;
}

39 community run show route advertising-protocol bgp /24 detail inet.0: 27 destinations, 27 routes (27 active, 0 holddown, 0 hidden) Prefix Nexthop MED Lclpref AS path /24 (1 entry, 1 announced) BGP group type Internal AS 1111 Nexthop: Self Localpref: 100 AS path: I Communities: 1111:10 [edit] lunkan@lunkan# run show route advertising-protocol bgp /24 detail inet.0: 27 destinations, 27 routes (27 active, 0 holddown, 0 hidden) Prefix Nexthop MED Lclpref AS path /24 (1 entry, 1 announced) BGP group type Internal AS 1111 Nexthop: Self Localpref: 100 AS path: I Communities: no-export [edit] lunkan@lunkan# MED as-path community community no-export router bgp 1111 no synchronization bgp router-id bgp log-neighbor-changes bgp deterministic-med bgp dampening route-map damp aggregate-address summary-only aggregate-address summary-only timers bgp neighbor internal peer-group neighbor internal remote-as 1111 neighbor internal update-source Loopback0 neighbor internal next-hop-self neighbor external peer-group neighbor external prefix-list martians in neighbor external route-map int_policy in neighbor external route-map ext_policy out /* Route-map (policy) applied to route... */ neighbor peer-group internal neighbor peer-group internal neighbor remote-as 2222 neighbor peer-group external neighbor remote-as 3333 neighbor peer-group external no auto-summary ip bgp-community new-format ip community-list 1 permit 1111:5 ip community-list 2 permit 1111:6 Copyright 2001, Juniper Networks, Inc. 39

40 access-list 10 permit access-list 20 permit route-map ext_policy permit 10 match ip address 10 /* Agggregate /16 are as-prep and get high (bad) MED */ set metric 100 set as-path prepend route-map ext_policy permit 20 match ip address 20/* Aggregate /16 get low (good) MED */ set metric 0 route-map ext_policy permit 30 match community 1 set metric 100 set as-path prepend /* /16 route with community 1111:5 get as-path prepend and high MED (bad) value */ route-map ext_policy permit 40 match community 2 /* /16 route with community 1111:6 get low MED (good) value */ set metric 0 route-map ext_policy deny 50 community cisco_border#sh ip bgp comm 1111:1 BGP table version is 17, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i -internal Origin codes: i - IGP, e - EGP,? - incomplete Network Next Hop Metric LocPrf Weight Path s>i / ? cisco_border# cisco_border#sh ip bgp comm 1111:2 BGP table version is 17, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i -internal Origin codes: i - IGP, e - EGP,? - incomplete Network Next Hop Metric LocPrf Weight Path s>i / ? cisco_border# cisco_border#sh ip bgp comm 1111:3 BGP table version is 17, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i -internal Origin codes: i - IGP, e - EGP,? - incomplete Network Next Hop Metric LocPrf Weight Path s>i / ? cisco_border# cisco_border#sh ip bgp comm 1111:4 BGP table version is 17, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i -internal Origin codes: i - IGP, e - EGP,? - incomplete Network Next Hop Metric LocPrf Weight Path s>i / ? cisco_border# 40 Copyright 2001, Juniper Networks, Inc.

41 community cisco_border#sh ip bgp com 1111:10 BGP table version is 18, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i -internal Origin codes: i - IGP, e - EGP,? - incomplete Network Next Hop Metric LocPrf Weight Path *>i / i cisco_border# no-export community cisco_border#sh ip bgp comm no-export BGP table version is 19, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i - internal Origin codes: i - IGP, e - EGP,? - incomplete Network Next Hop Metric LocPrf Weight Path *>i i *>i i * i i cisco_border# community MED as-path cisco_border#sh ip bgp comm 1111:5 BGP table version is 17, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i -internal Origin codes: i - IGP, e - EGP,? - incomplete Network Next Hop Metric LocPrf Weight Path *>i / ? cisco_border# cisco_border#sh ip bgp comm 1111:6 BGP table version is 17, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i -internal Origin codes: i - IGP, e - EGP,? - incomplete Network Next Hop Metric LocPrf Weight Path *>i / ? cisco_border# cisco_border#sh ip bgp nei adv BGP table version is 17, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i -internal Origin codes: i - IGP, e - EGP,? - incomplete Network Next Hop Metric LocPrf Weight Path *> / i *> / i *>i / ? *>i / ? cisco_border# Copyright 2001, Juniper Networks, Inc. 41

42 routing-options { aggregate { route /16 { as-path { origin igp; atomic-aggregate; aggregator ; route /16 { as-path { origin igp; atomic-aggregate; aggregator ; router-id ; autonomous-system 1111; protocols { bgp { traceoptions { file bgp; flag damping detail; log-updown; group external { type external; local-address ; damping; import ebgp_in; export ebgp; /* Policy used for EBGP peering */ neighbor { peer-as 2222; neighbor { peer-as 3333; group internal { type internal; local-address ; export internal; neighbor { authentication-key "$9$0UylORSvWxwYoevWx-waJ"; neighbor ; policy-options { policy-statement ebgp { term two {/* Agggregate /16 are as-prep and get high (bad) MED */ from { route-filter /16 exact; then { metric 100; as-path-prepend " "; accept; 42 Copyright 2001, Juniper Networks, Inc.

        term three { /* Aggregate /16 get low (good) MED */
            from {
                route-filter /16 exact;
            }
            then {
                metric 0;
                accept;
            }
        }
        term four { /* /16 route with community 1111:5 get as-path prepend and high MED (bad) value */
            from community bad;
            then {
                metric 100;
                as-path-prepend " ";
                accept;
            }
        }
        term five { /* /16 route with community 1111:6 get low MED (good) value */
            from community good;
            then {
                metric 0;
                accept;
            }
        }
        term last {
            then reject;
        }
    }
    community bad members 1111:6;
    community good members 1111:5;
}

community

show route community 1111:1

inet.0: 28 destinations, 28 routes (26 active, 0 holddown, 4 hidden)
+ = Active Route, - = Last Active, * = Both

/32 *[BGP/170] 01:55:38, MED 0, localpref 100, from
      AS path: ?
    > to via fxp0.0
      to via fxp0.0

iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

lunkan@lena> show route community 1111:2

inet.0: 28 destinations, 28 routes (26 active, 0 holddown, 4 hidden)
+ = Active Route, - = Last Active, * = Both

/32 *[BGP/170] 01:55:41, MED 0, localpref 100, from
      AS path: ?
      to via fxp0.0
    > to via fxp0.0

iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

lunkan@lena> show route community 1111:3

inet.0: 28 destinations, 28 routes (26 active, 0 holddown, 4 hidden)
+ = Active Route, - = Last Active, * = Both

/32 *[BGP/170] 01:55:43, MED 0, localpref 100, from
      AS path: ?
    > to via fxp0.0
      to via fxp0.0

iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

lunkan@lena> show route community 1111:4

inet.0: 28 destinations, 28 routes (26 active, 0 holddown, 4 hidden)
+ = Active Route, - = Last Active, * = Both

/32 *[BGP/170] 01:55:45, MED 0, localpref 100, from
      AS path: ?
    > to via fxp0.0
      to via fxp0.0

iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

community

lunkan@lena> show route community 1111:10

inet.0: 28 destinations, 28 routes (26 active, 0 holddown, 4 hidden)
+ = Active Route, - = Last Active, * = Both

/24 *[BGP/170] 00:22:42, localpref 100, from
      AS path: I
    > to via fxp0.0

iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

show route community no-export

inet.0: 28 destinations, 28 routes (26 active, 0 holddown, 4 hidden)
+ = Active Route, - = Last Active, * = Both

/24 *[BGP/170] 02:03:04, localpref 100, from
      AS path: I
    > to via fxp
/24 *[BGP/170] 02:03:07, MED 0, localpref 100, from
      AS path: I
    > to via fxp0.0
     [BGP/170] 02:03:04, MED 0, localpref 100, from
      AS path: I
    > to via fxp0.0

iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

community MED as-path

lunkan@lena> show route community 1111:5 detail

inet.0: 28 destinations, 28 routes (26 active, 0 holddown, 4 hidden)
+ = Active Route, - = Last Active, * = Both

/16 (1 entry, 1 announced)
    *BGP Preference: 170/-101
        Source:
        Nexthop: via fxp0.0
        Nexthop: via fxp0.0, selected
        State: <Active Int Ext>
        Local AS: 1111 Peer AS: 1111
        Age: 1:59:26 Metric: 0 Metric2: 20
        Task: BGP_
        Announcement bits (3): 0-KRT 4-BGP BGP_Sync_Any
        AS path: ? <Originator>
        Cluster list:
        Originator ID:
        Communities: 1111:5
        BGP next hop:
        Localpref: 100
        Router ID:

iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

lunkan@lena> show route community 1111:6 detail

inet.0: 28 destinations, 28 routes (26 active, 0 holddown, 4 hidden)
+ = Active Route, - = Last Active, * = Both

/16 (1 entry, 1 announced)
    *BGP Preference: 170/-101
        Source:
        Nexthop: via fxp0.0, selected
        Nexthop: via fxp0.0
        State: <Active Int Ext>
        Local AS: 1111 Peer AS: 1111
        Age: 1:59:33 Metric: 0 Metric2: 20
        Task: BGP_
        Announcement bits (3): 0-KRT 4-BGP BGP_Sync_Any

        AS path: ? <Originator>
        Cluster list:
        Originator ID:
        Communities: 1111:6
        BGP next hop:
        Localpref: 100
        Router ID:

iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

lunkan@lena> show route advertising-protocol bgp

inet.0: 28 destinations, 28 routes (25 active, 0 holddown, 7 hidden)
Prefix Nexthop MED Lclpref AS path
/16 Self 0 I
/16 Self [1111] I
/16 Self 0 ?
/16 Self [1111] ?

lunkan@lena>

MED as-path

pagent#sh ip bgp
BGP table version is 13, local router ID is
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*> i
*> / i
*> / i
*> ?
*> / i
* i
* i
*> / i
* i
* i
*> / ?
* ?
* ?
*> / ?
* ?
* ?
pagent#

as-path MED

pagent#sh ip ro
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

     /8 is variably subnetted, 2 subnets, 2 masks
S       /16 is directly connected, Null
C       /32 is directly connected, Loopback
     /16 is subnetted, 2 subnets
B       [20/0] via , 00:21:51 /* JUNOS */
B       [20/0] via , 00:21:37 /* IOS */
     /16 is subnetted, 1 subnets
B       [20/1] via , 00:21:56
C    /24 is directly connected, Ethernet
     /16 is subnetted, 1 subnets
B       [20/0] via , 00:21:53 /* JUNOS */
B    /8 [20/1] via , 00:21:57
B*   /0 [20/1] via , 00:21:58
B    /16 [20/0] via , 00:21:39 /* IOS */
pagent#

local-preference

[Figure: Controlling Traffic Out from an AS. Labels: AS 1111, AS 2222, AS 3333; UNIX, Lunkan, Access, M10, Ida, M20, Lena, M40, Pagent, Cisco_pop, Cisco_border, Dummy, Cisco_core_rr; 2.2/16 (as-path 2222) and 3.3/16 (as-path 3333, Plus Martians), each with Local-pref labels.]

local-preference

router bgp 1111
 no synchronization
 bgp router-id
 bgp log-neighbor-changes
 bgp deterministic-med
 bgp dampening route-map damp
 aggregate-address summary-only
 aggregate-address summary-only
 timers bgp
 neighbor internal peer-group /* Internal peer grp */
 neighbor internal remote-as 1111
 neighbor internal update-source Loopback0
 neighbor internal next-hop-self /* Source-address for BGP next hop is router lo0 */
 neighbor external peer-group /* external peer grp */
 neighbor external soft-reconfiguration inbound
 neighbor external prefix-list martians in
 neighbor external route-map int_policy in /* Route-map applied for receiving updates */
 neighbor external route-map ext_policy out
 neighbor peer-group internal
 neighbor peer-group internal
 neighbor remote-as 2222
 neighbor peer-group external
 neighbor remote-as 3333
 neighbor peer-group external
 no auto-summary
ip as-path access-list 1 permit ^3333$ /* as-path used (routes originate in AS 3333 one hop away) */
route-map int_policy permit 10
 match as-path 1
 set local-preference 101 /* Local-preference for routes from as-path defined above */
route-map int_policy permit 20

as-path local-preference

cisco_border#sh ip bgp reg ^3333$
BGP table version is 25, local router ID is
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*> / i
cisco_border#

local-preference

routing-options {
    aggregate {
        route /16 {
            as-path {
                origin igp;
                atomic-aggregate;
                aggregator ;
            }
        }
        route /16 {
            as-path {
                origin igp;
                atomic-aggregate;
                aggregator ;
            }
        }
    }
    router-id ;
    autonomous-system 1111;
}
protocols {
    bgp {
        traceoptions {
            file bgp;
            flag route receive;
            flag damping;
            flag state;
        }
        group external { /* External peer grp */
            type external;
            local-address ;
            damping;
            import ebgp_in; /* Policy applied to incoming route updates */
            family inet {
                unicast {
                    prefix-limit {
                        maximum 100;
                        teardown 70;
                    }
                }
            }
            export ebgp;
            neighbor {
                peer-as 2222;
            }
            neighbor {
                peer-as 3333;
            }
        }
        group internal { /* Internal peer grp */
            type internal;
            local-address ;
            export internal; /* Policy applied to advertised updates */
            neighbor {
                authentication-key "$9$4ToGiP5FApB.P5F6A1I";
            }
            neighbor ;
        }
    }
}
policy-options {
    policy-statement internal {
        term one {
            then {
                next-hop self; /* Source-address for BGP next hop is router lo0 */
            }
        }
    }

    policy-statement ebgp_in {
        term 1918 {
            from {
                route-filter /0 exact;
                route-filter /8 orlonger;
                route-filter /8 orlonger;
                route-filter /16 orlonger;
            }
            then reject;
        }
        term local_pref {
            from as-path from_pagent;
            then {
                local-preference 101; /* Local-preference for routes from as-path defined below */
            }
        }
        term no_damp {
            from {
                route-filter /24 exact;
                route-filter /16 exact;
                route-filter /24 exact;
                route-filter /16 exact;
                route-filter /24 exact;
                route-filter /23 exact;
                route-filter /16 exact;
                route-filter /24 exact;
                route-filter /24 exact;
                route-filter /24 exact;
                route-filter /24 exact;
            }
            then {
                damping no;
                accept;
            }
        }
        term damp {
            then damping yes;
        }
    }
    as-path from_pagent 2222; /* as-path used (routes originate in AS 2222 one hop away) */
    damping no {
        disable;
    }
    damping yes {
        half-life 15;
        reuse 750;
        suppress 2000;
        max-suppress 60;
    }
}

local-preference

run show route aspath-regex "2222" detail

inet.0: 23 destinations, 23 routes (23 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

/16 (2 entries, 1 announced)
    *BGP Preference: 170/-102
        Nexthop: via fxp1.0, selected
        State: <Active Ext>
        Local AS: 1111 Peer AS: 2222
        Age: 56 Metric: 0
        Task: BGP_
        Announcement bits (3): 0-KRT 4-BGP BGP_Sync_Any
        AS path: 2222 I
        Localpref: 101
        Router ID:

iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

local-preference as-path

lunkan@lunkan> show route all detail

inet.0: 25 destinations, 25 routes (25 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

/16 (1 entry, 1 announced)
    *BGP Preference: 170/-102
        Source:
        Nexthop: via fxp0.0, selected
        State: <Active Int Ext>
        Local AS: 1111 Peer AS: 1111
        Age: 5:25 Metric: 0 Metric2: 10
        Task: BGP_
        Announcement bits (3): 0-KRT 3-BGP BGP_Sync_Any
        AS path: 2222 I
        BGP next hop:
        Localpref: 101
        Router ID:

lunkan@lunkan> show route all detail

inet.0: 25 destinations, 25 routes (25 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

/16 (1 entry, 1 announced)
    *BGP Preference: 170/-102
        Source:
        Nexthop: via fxp0.0, selected
        State: <Active Int Ext>
        Local AS: 1111 Peer AS: 1111
        Age: 38:34 Metric: 1 Metric2: 10
        Task: BGP_
        Announcement bits (3): 0-KRT 3-BGP BGP_Sync_Any
        AS path: 3333 I
        BGP next hop:
        Localpref: 101
        Router ID:

lunkan@lunkan>

cisco_core_rr#sh ip rout
Routing entry for /16
  Known via "bgp 1111", distance 200, metric 0
  Tag 2222, type internal
  Last update from :06:56 ago
  Routing Descriptor Blocks:
  * , from , 00:06:56 ago
      Route metric is 0, traffic share count is 1
      AS Hops 1

cisco_core_rr#sh ip rout
Routing entry for /16
  Known via "bgp 1111", distance 200, metric 1
  Tag 3333, type internal
  Last update from :39:58 ago
  Routing Descriptor Blocks:
  * , from , 00:39:58 ago
      Route metric is 1, traffic share count is 1
      AS Hops 1
cisco_core_rr#

cisco_access#sh ip ro
Routing entry for /16
  Known via "bgp 1111", distance 200, metric 0
  Tag 2222, type internal
  Last update from :02:40 ago
  Routing Descriptor Blocks:
  * , from , 00:02:40 ago
      Route metric is 0, traffic share count is 1
      AS Hops 1

cisco_access#sh ip ro
Routing entry for /16
  Known via "bgp 1111", distance 200, metric 1
  Tag 3333, type internal
  Last update from :35:47 ago
  Routing Descriptor Blocks:
  * , from , 00:35:47 ago
      Route metric is 1, traffic share count is 1
      AS Hops 1

cisco_access#sh ip bgp
BGP routing table entry for /16, version 71
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Not advertised to any peer
    (metric 20) from ( )
      Origin IGP, metric 0, localpref 101, valid, internal, best
      Originator: , Cluster list: ,

cisco_access#sh ip bgp
BGP routing table entry for /16, version 61
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Not advertised to any peer
    (metric 20) from ( )
      Origin IGP, metric 1, localpref 101, valid, internal, best
      Originator: , Cluster list: ,
cisco_access#

router bgp
 neighbor peer-group gix
 neighbor gix distribute-list 100 in
...
ip access-list 100 deny ip host any
ip access-list 100 deny ip
ip access-list 100 deny ip
ip access-list 100 deny ip
ip access-list 100 deny ip
ip access-list 100 permit ip any any

router bgp 1111
 no synchronization
 bgp router-id
 bgp log-neighbor-changes
 bgp deterministic-med
 bgp dampening route-map damp
 aggregate-address summary-only
 aggregate-address summary-only
 timers bgp
 neighbor internal peer-group
 neighbor internal remote-as 1111
 neighbor internal update-source Loopback0
 neighbor internal next-hop-self
 neighbor external peer-group
 neighbor external prefix-list martians in
 neighbor external route-map int_policy in
 neighbor external route-map ext_policy out
 neighbor external soft-reconfiguration inbound
 neighbor peer-group internal
 neighbor peer-group internal
 neighbor remote-as 2222
 neighbor peer-group external
 neighbor remote-as 3333
 neighbor peer-group external
 no auto-summary
ip prefix-list martians seq 10 deny /32
ip prefix-list martians seq 20 deny /8 le 32
ip prefix-list martians seq 30 deny /8 le 32
ip prefix-list martians seq 40 deny /12 le 32
ip prefix-list martians seq 50 deny /16 le 32

cisco_border#sh ip bgp nei rec
BGP table version is 19, local router ID is
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
* i
* / i
* / i
* ?

Total number of prefixes 4

cisco_border#sh ip bgp
BGP table version is 19, local router ID is
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*>i / i
*>i / i
*> / i
s>i / ?
s>i / ?
*> / i
s>i / ?
s>i / ?
*>i / ?
*>i i
*>i i
* i i
*>i / ?
cisco_border#

routing-options {
    aggregate {
        route /16;
    }
    router-id ;
    autonomous-system 1111;
}
protocols {
    bgp {
        traceoptions {
            file bgp;
            flag damping detail;
        }
        log-updown;
        group external {
            type external;
            local-address ;
            damping;
            import ebgp_in;
            export ebgp;
            neighbor {
                peer-as 2222;
            }
            neighbor {
                peer-as 3333;
            }
        }
        group internal {
            type internal;
            local-address ;
            export internal;
            neighbor {
                authentication-key "$9$0UylORSvWxwYoevWx-waJ";
            }
            neighbor ;
        }
    }
}
policy-options {
    policy-statement ebgp_in {
        term 1918 {
            from {
                route-filter /0 exact;
                route-filter /8 orlonger;
                route-filter /8 orlonger;
                route-filter /16 orlonger;
            }
            then reject;
        }
    }
}

run show route receive-protocol bgp

inet.0: 27 destinations, 27 routes (25 active, 0 holddown, 4 hidden)
Prefix Nexthop MED Lclpref AS path
/ I
/ I

iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
Prefix Nexthop MED Lclpref AS path

lunkan@lena# run show bgp summary
Groups: 3 Peers: 4 Down Peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet
inet
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn State #Act/Rcvd/Damp
:34:33 1/4/0 0/0/
:07:58 1/4/0 0/0/
:07:43 8/10/0 0/0/
:06:43 1/1/0 0/0/0

lunkan@lena# run show route receive-protocol bgp inactive

inet.0: 27 destinations, 27 routes (25 active, 0 holddown, 4 hidden)
Prefix Nexthop MED Lclpref AS path
/ I
/ ?

protocols {
    bgp {
        path-selection always-compare-med;
        traceoptions {
            file bgp;
            flag route;
            flag damping;
            flag state;
        }
        log-updown;
        group external {
            type external;
            local-address ;
            damping;
            import [ (test1 && test2) martians ebgp_in) ];
            family inet {
                unicast {
                    prefix-limit {
                        maximum 100;
                        teardown 70;
                    }
                }
            }
            export ebgp;
            multipath;
            neighbor {
                import [ special_policy ];
            }
            neighbor {
                peer-as 3333;
                import [ (test1 && test2) martians ebgp_in) ];
            }
        }
    }
}

test1 test2 ebgp_in

policy-options {
    policy-statement ebgp_in {
        term 1918 {
            from {
                route-filter /0 exact;
                route-filter /8 orlonger;
                route-filter /8 orlonger;
                route-filter /16 orlonger;
            }
            then reject;
        }
        term local_pref {
            from as-path from_pagent;
            then {
                local-preference 101;
            }
        }
        term no_damp {
            from policy root_dns;
            then {
                damping no;
                accept;
            }
        }
        term damp {
            then damping yes;
        }
    }
    policy-statement root_dns {
        term dns {
            from {
                route-filter /24 exact;
                route-filter /16 exact;
                route-filter /24 exact;
                route-filter /16 exact;
                route-filter /24 exact;
                route-filter /23 exact;
                route-filter /24 exact;
                route-filter /16 exact;
                route-filter /24 exact;
                route-filter /24 exact;
                route-filter /24 exact;
                route-filter /24 exact;
            }
            then accept;
        }
    }
}

as-path

router bgp 1111
 no synchronization
 bgp router-id
 bgp log-neighbor-changes
 bgp deterministic-med
 bgp dampening route-map damp
 aggregate-address summary-only
 aggregate-address summary-only
 timers bgp
 neighbor internal peer-group
 neighbor internal remote-as 1111
 neighbor internal update-source Loopback0
 neighbor internal next-hop-self
 neighbor internal soft-reconfiguration inbound
 neighbor external peer-group
 neighbor external prefix-list martians in
 neighbor external route-map int_policy in
 neighbor external route-map ext_policy out
 neighbor external soft-reconfiguration inbound
 neighbor peer-group internal
 neighbor peer-group internal
 neighbor remote-as 2222
 neighbor peer-group external
 neighbor remote-as 3333

 neighbor peer-group external
 no auto-summary
ip as-path access-list 10 permit ^$
ip prefix-list root_dns seq 1 permit /24
ip prefix-list root_dns seq 2 permit /16
ip prefix-list root_dns seq 3 permit /24
ip prefix-list root_dns seq 4 permit /16
ip prefix-list root_dns seq 5 permit /24
ip prefix-list root_dns seq 6 permit /23
ip prefix-list root_dns seq 7 permit /24
ip prefix-list root_dns seq 8 permit /16
ip prefix-list root_dns seq 9 permit /24
ip prefix-list root_dns seq 10 permit /24
ip prefix-list root_dns seq 11 permit /24
ip prefix-list root_dns seq 12 permit /24
route-map damp deny 1
 match as-path 10
route-map damp deny 2
 match ip address prefix-list root_dns
route-map damp permit 3
 set dampening

cisco_border#sh ip bgp sum
BGP router identifier , local AS number 1111
BGP table version is 117, main routing table version
network entries and 112 paths using bytes of memory
21 BGP path attribute entries using 1092 bytes of memory
2 BGP rrinfo entries using 48 bytes of memory
11 BGP AS-PATH entries using 376 bytes of memory
7 BGP community entries using 168 bytes of memory
25 BGP route-map cache entries using 400 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Dampening enabled. 0 history paths, 0 dampened paths
BGP activity 243/968 prefixes, 247/135 paths, scan interval 15 secs

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
:01: :01: :00: :01:14 1
cisco_border#

Partial route-table:

cisco_border#sh ip bgp
BGP table version is 117, local router ID is
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*> / i
*> / {27016,57039,16690 e
*> / {27016,57039,16690 e
*> / {27016,57039,16690 e
*> / {27016,57039,16690 e
*> / {27016,57039,16690 e
*> / {27016,57039,16690 e
*> / {27016,57039,16690 e
*> / {27016,57039,16690 e
*> / {27016,57039,16690 e
*> / {27016,57039,16690 e
*> / {18917,28575,47361 e
cisco_border#

cisco_border#debug ip bgp damp
*Mar 1 07:59:59.798: BGP(0): charge penalty for /24 path {51019 with halflife-time 15 reuse/suppress 750/2000
*Mar 1 07:59:59.802: BGP(0): flapped 1 times since 00:00:00. New penalty is 1000
*Mar 1 08:00:00.814: BGP(0): charge penalty for /24 path with halflife-time 15 reuse/suppress 750/2000
*Mar 1 08:00:00.818: BGP(0): flapped 2 times since 00:00:16. New penalty is 1988
*Mar 1 08:00:01.810: BGP(0): charge penalty for /24 path {10312,4520 with halflife-time 15 reuse/suppress 750/2000
*Mar 1 08:00:01.814: BGP(0): flapped 1 times since 00:00:00. New penalty is 1000
*Mar 1 08:00:02.798: BGP(0): charge penalty for /24 path {18917,28575,47361 with halflife-time 15 reuse/suppress 750/2000
*Mar 1 08:00:02.802: BGP(0): flapped 1 times since 00:00:00. New penalty is 1000g all
*Mar 1 08:00:03.806: BGP(0): charge penalty for /24 path {27016,57039,16690 with halflife-time 15 reuse/suppress 750/2000
*Mar 1 08:00:03.810: BGP(0): flapped 1 times since 00:00:00. New penalty is 1000
cisco_border#no debug all
All possible debugging has been turned off
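Added example (not part of the original document): a small Python model of the damping arithmetic behind the debug output above, using the half-life 15, reuse 750 and suppress 2000 shown there plus max-suppress 60 from the JUNOS "damping yes" profile. It assumes a fixed 1000-point charge per flap and continuous exponential decay; `DampingProfile`, `replay` and the flap timestamps are hypothetical names and constructed inputs.

```python
"""Route-flap damping arithmetic (added illustration, not vendor code).

Assumptions: each flap adds a fixed penalty of 1000 and the penalty decays
continuously with the configured half-life. Real routers decay in coarser
timer steps, so their figures can differ by a few points.
"""
import math
from dataclasses import dataclass

FLAP_PENALTY = 1000  # per-flap charge, matching "New penalty is 1000" above


@dataclass
class DampingProfile:
    half_life_min: float = 15     # half-life 15
    reuse: float = 750            # reuse 750
    suppress: float = 2000        # suppress 2000
    max_suppress_min: float = 60  # max-suppress 60

    def decay(self, penalty, elapsed_s):
        """Penalty remaining after elapsed_s seconds without a flap."""
        return penalty * 0.5 ** (elapsed_s / (self.half_life_min * 60))

    def minutes_until_reuse(self, penalty):
        """Minutes until the penalty decays to the reuse threshold,
        capped by the maximum suppression time."""
        if penalty <= self.reuse:
            return 0.0
        wait = self.half_life_min * math.log2(penalty / self.reuse)
        return min(wait, self.max_suppress_min)


def replay(flap_times_s, profile=None):
    """Replay flap timestamps (seconds) for one prefix.

    Returns a list of (time_s, penalty, suppressed) tuples, one per flap.
    """
    profile = profile or DampingProfile()
    penalty, last, suppressed, history = 0.0, None, False, []
    for t in sorted(flap_times_s):
        if last is not None:
            penalty = profile.decay(penalty, t - last)
            # A suppressed route becomes usable again below the reuse limit.
            if suppressed and penalty < profile.reuse:
                suppressed = False
        penalty += FLAP_PENALTY
        if penalty > profile.suppress:
            suppressed = True
        history.append((t, penalty, suppressed))
        last = t
    return history


if __name__ == "__main__":
    # Constructed input: two flaps 16 s apart (as in the debug output),
    # followed by a third flap 14 s later.
    for t, penalty, suppressed in replay([0, 16, 30]):
        state = "suppressed" if suppressed else "usable"
        print(f"t={t:>3}s penalty={penalty:7.1f} {state}")
    print("minutes until reuse from 2000:",
          round(DampingProfile().minutes_until_reuse(2000), 1))
```

Two flaps 16 seconds apart give a penalty that rounds to 1988, the value in the debug output, which is still under the suppress limit; a third flap shortly afterwards pushes the route over 2000 and it is suppressed.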

cisco_border#sh ip bgp damp
BGP table version is 1001, local router ID is
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

Network From Reuse Path
*d / :21: {27016,57039,16690 e

[edit protocols bgp]
lunkan@lena# show
traceoptions {
    file bgp;
    flag damping detail;
}
log-updown;
group external {
    type external;
    local-address ;
    damping;
    import ebgp_in; # /* Policy for inbound EBGP (Damping etc.). No damp on internal routes can happen */
    export ebgp;
    neighbor {
        peer-as 2222;
    }
    neighbor {
        peer-as 3333;
    }
}
group internal {
    type internal;
    local-address ;
    export internal;
    neighbor {
        authentication-key "$9$-Xds4UjqQF/ZUjqPQ9C";
    }
    neighbor ;
}

policy-statement ebgp_in {
    term 1918 {
        from {
            route-filter /0 exact;
            route-filter /8 orlonger;
            route-filter /8 orlonger;
            route-filter /16 orlonger;
        }
        then reject;
    }
    term local_pref {
        from as-path from_pagent;
        then {
            local-preference 101;
        }
    }
    term no_damp { /* DNS root servers, no damp of these */

        from {
            route-filter /24 exact;
            route-filter /16 exact;
            route-filter /24 exact;
            route-filter /16 exact;
            route-filter /24 exact;
            route-filter /23 exact;
            route-filter /16 exact;
            route-filter /24 exact;
            route-filter /24 exact;
            route-filter /24 exact;
            route-filter /24 exact;
        }
        then {
            damping no;
            accept;
        }
    }
    term damp {
        then damping yes; /* Damping apply of rest of routes */
    }
}
damping no {
    disable;
}
damping yes {
    half-life 15;
    reuse 750;
    suppress 2000;
    max-suppress 60;
}

[edit protocols bgp]
lunkan@lena#

[edit protocols bgp]
lunkan@lena# run show bgp summary
Groups: 3 Peers: 4 Down Peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet
inet
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn State #Active/Received/Damped
:00:05 0/101/35 0/0/
:15:23 1/3/0 0/0/
:15:27 7/8/0 0/0/
:15:33 1/1/0 0/0/0

[edit protocols bgp traceoptions]
show
file bgp;
flag damping;

run monitor start bgp
Jan 11 02:18:36 bgp_damp_change: Change event
Jan 11 02:18:36 bgp_dampen: Damping
Jan 11 02:18:36 bgp_rt_change: Dampening makes route unusable
Jan 11 02:18:36 bgp_damp_change: Change event
Jan 11 02:18:36 bgp_dampen: Damping
Jan 11 02:18:36 bgp_rt_change: Dampening makes route unusable
Jan 11 02:18:36 bgp_damp_change: Change event
Jan 11 02:18:36 bgp_dampen: Damping
Jan 11 02:18:36 bgp_rt_change: Dampening makes route unusable
Jan 11 02:18:36 bgp_damp_change: Change event
Jan 11 02:18:36 bgp_dampen: Damping
Jan 11 02:18:36 bgp_rt_change: Dampening makes route unusable
Jan 11 02:18:36 bgp_damp_change: Change event
Jan 11 02:18:36 bgp_dampen: Damping
Jan 11 02:18:36 bgp_rt_change: Dampening makes route unusable
Jan 11 02:18:36 bgp_damp_change: Change event

run show route damping suppressed

inet.0: 125 destinations, 125 routes (22 active, 0 holddown, 103 hidden)
+ = Active Route, - = Last Active, * = Both

/24 [BGP] 00:00:19, MED 1622, localpref 100
      AS path: { E
    > to via fxp
/24 [BGP] 00:00:19, MED 1622, localpref 100
      AS path: { E
    > to via fxp
/24 [BGP] 00:00:19, MED 1622, localpref 100
      AS path: { E
    > to via fxp
/24 [BGP] 00:00:19, MED 1622, localpref 100
      AS path: { E
    > to via fxp
/24 [BGP] 00:00:19, MED 1622, localpref 100
      AS path: { E
    > to via fxp
/24 [BGP] 00:00:19, MED 1622, localpref 100
      AS path: { E
    > to via fxp
/24 [BGP] 00:00:03, MED 1622, localpref 100
      AS path: { E
    > to via fxp
/24 [BGP] 00:00:19, MED 1622, localpref 100
      AS path: { E
    > to via fxp

run show route damping history

inet.0: 125 destinations, 125 routes (22 active, 0 holddown, 103 hidden)
+ = Active Route, - = Last Active, * = Both

/24 [BGP] 00:00:43, MED 1622, localpref 100
      AS path: { E
    > to via fxp
/24 [BGP] 00:00:43, MED 1622, localpref 100
      AS path: { E
    > to via fxp
/24 [BGP] 00:00:43, MED 1622, localpref 100
      AS path: { E
    > to via fxp
/24 [BGP] 00:00:43, MED 1622, localpref 100
      AS path: { E
    > to via fxp
/24 [BGP] 00:00:36, MED 1622, localpref 100
      AS path: { E
    > to via fxp
/24 [BGP] 00:00:15, MED 1622, localpref 100
      AS path: { E
    > to via fxp
/24 [BGP] 00:00:43, MED 1622, localpref 100
      AS path: { E
    > to via fxp
/24 [BGP] 00:00:43, MED 1622, localpref 100
      AS path: { E
    > to via fxp
/24 [BGP] 00:00:43, MED 1622, localpref 100
      AS path: { E
    > to via fxp
/24 [BGP] 00:00:43, MED 1622, localpref 100
      AS path: { E

lunkan@lena# run show route damping history detail

inet.0: 125 destinations, 125 routes (22 active, 0 holddown, 103 hidden)
+ = Active Route, - = Last Active, * = Both

/24 (1 entry, 0 announced)
    BGP Preference: /-101
        Nexthop: via fxp1.0, selected
        State: <Hidden Ext>
        Local AS: 1111 Peer AS: 2222
        Age: 42 Metric: 1622
        Task: BGP_
        AS path: { E
        Localpref: 100
        Router ID:
        Merit (last update/now): 12110/12110
        Damping parameters: "yes"
        Last update: 00:00:01 First update: 00:06:21
        Flaps: 21
        Suppressed. Reusable in: 00:59:40
        Preference will be: 170
        History entry. Expires in: 00:59:40

maximum-prefix

Log/inform when threshold exceeds
Shutdown peer that exceed limit

router bgp 1111
 no synchronization
 bgp router-id
 bgp log-neighbor-changes
 bgp deterministic-med
 bgp dampening route-map damp
 aggregate-address summary-only
 aggregate-address summary-only
 timers bgp
 neighbor internal peer-group
 neighbor internal remote-as 1111
 neighbor internal update-source Loopback0
 neighbor internal next-hop-self
 neighbor internal soft-reconfiguration inbound
 neighbor external peer-group
 neighbor external soft-reconfiguration inbound
 neighbor external prefix-list martians in
 neighbor external route-map int_policy in
 neighbor external route-map ext_policy out
 neighbor external maximum-prefix
 neighbor peer-group internal
 neighbor peer-group internal
 neighbor remote-as 2222
 neighbor peer-group external
 neighbor remote-as 3333
 neighbor peer-group external
 no auto-summary

*Mar 1 03:19:44.275: %BGP-4-MAXPFX: No. of prefix received from (afi 0) reaches 71, max 100
*Mar 1 03:19:49.435: %BGP-3-MAXPFXEXCEED: No. of prefix received from (afi 0): 101 exceed limit

cisco_border#sh ip bgp sum
BGP router identifier , local AS number 1111
BGP table version is 1420, main routing table version
network entries and 14 paths using 1668 bytes of memory
11 BGP path attribute entries using 572 bytes of memory
3 BGP rrinfo entries using 72 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
7 BGP community entries using 168 bytes of memory
4 BGP route-map cache entries using 64 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Dampening enabled. 0 history paths, 0 dampened paths
3 received paths for inbound soft reconfiguration
BGP activity 256/270 prefixes, 2058/2044 paths, scan interval 15 secs

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
:18: :18: :00:57 Idle (PfxCt) :14:39 0
cisco_border#

[edit protocols bgp]
show
traceoptions {
    file bgp;
    flag damping detail;
}
log-updown;
group external {
    type external;
    local-address ;
    damping;
    import ebgp_in;
    family inet {
        unicast {
            prefix-limit {
                maximum 100;
                teardown 70;
            }
        }
    }
    export ebgp;
    neighbor {
        peer-as 2222;
    }
    neighbor {
        peer-as 3333;
    }
}
group internal {
    type internal;
    local-address ;
    export internal;
    neighbor {
        authentication-key "$9$HkPQ/CuEcln/CuBEeK";
    }
    neighbor ;
}

[edit protocols bgp]
lunkan@lena#

run show bgp group external
Group Type: External AS: 3333 Local AS: 1111
  Export: [ ebgp ]
  Import: [ ebgp_in ]
  Options: <Preference LocalAddress HoldTime LogUpDown Damping AddressFamily PeerAS Multipath PrefixLimit LocalAS Refresh>
  Address families configured: inet-unicast
  Local Address: Holdtime: 90 Preference: 170
  Local AS: 1111 Local System AS: 1111
  Total peers: 1 Established:

Group Type: External AS: 2222 Local AS: 1111
  Export: [ ebgp ]
  Import: [ ebgp_in ]
  Options: <Preference LocalAddress HoldTime LogUpDown Damping AddressFamily PeerAS Multipath PrefixLimit LocalAS Refresh>
  Address families configured: inet-unicast
  Local Address: Holdtime: 90 Preference: 170
  Prefix Limit for inet-unicast: 100 (teardown, warning at 70%)
  Local AS: 1111 Local System AS: 1111
  Total peers: 1 Established:

[edit protocols bgp]

Jan 14 20:46:56 [ ] lena: rpd[305]: (External AS 2222): Configured maximum prefix threshold exceeded for inet-unicast nlri: 71
Jan 14 20:47:08 [ ] lena: rpd[305]: (External AS 2222): Shutting down peer due to exceeding configured prefix limit for inet-unicast nlri: 101

policy-options {
    policy-statement load_balance {
        then {
            load-balance per-packet; /* Specific prefix can be used, instead of the whole forwarding table if desired */
        }
    }
}
routing-options {
    forwarding-table {
        export load_balance;
    }
}

lunkan@petra# run show route forwarding-table destination detail
Routing table:: inet
Internet:
Destination Type RtRef InIf Flags Nexthop Type Index NhRef Netif
/32 user 0 0 0x10 ulst
    ucst 28 4 e1-0/2/
    ucst 41 3 e1-0/2/1.0

[load-balance per-packet] [ip load-sharing per-packet]

advertise-inactive

advertise-inactive

protocols {
    bgp {
        advertise-inactive; /* Advertise inactive routes in BGP */
    }
}

router bgp 3333
 no synchronization
 bgp router-id
 bgp always-compare-med
 bgp log-neighbor-changes
 bgp deterministic-med
 neighbor external peer-group
 neighbor external remote-as 1111
 neighbor external timers 30 90 /* Timers for BGP connections in peer grp */
 neighbor peer-group external
 neighbor peer-group external
 no auto-summary

bgp {
    path-selection always-compare-med;
    log-updown;
    local-as 1111;
    group external {
        type external;
        local-address ;
        hold-time 180; /* Timers for BGP connections in peer grp */
        peer-as 2222;
        neighbor ;
        neighbor ;
    }
}

lunkan@lena# run show bgp neighbor
Peer: AS 3333 Local: AS 1111
  Type: External State: Established Flags: <>
  Last State: OpenConfirm Last Event: RecvKeepAlive
  Last Error: None
  Export: [ ebgp ] Import: [ ebgp_in ]
  Options: <Preference LocalAddress HoldTime LogUpDown Damping AddressFamily PeerAS PrefixLimit LocalAS Refresh>
  Address families configured: inet-unicast
  Local Address: Holdtime: 180 Preference: 170
  Prefix Limit for inet-unicast: 100 (teardown, warning at 70%)
  Local AS: 1111 Local System AS: 1111
  Number of flaps: 1
  Peer ID: Local ID: Active Holdtime: 180
  Keepalive Interval: 60

MED cisco-nondeterministic always-compare-med cisco-non-deterministic MED always-compare-med MED

bgp deterministic-med path-selection

protocols {
    bgp {
        path-selection always-compare-med; /* Path selection attribute */
    }
}

aaa new-model
aaa authentication login default tacacs+ local /* Default TACACS, if no service then local user for login */
aaa authentication login console none /* No console authentication */
aaa authentication enable default TACACS+ enable /* Default Tacacs, if no service then local user for enable */
enable secret 5 $1$cOwR$49I5ixU1CqiKrjco8948tp
privilege exec level 1 show configuration /* Authorization, level 1 user allowed do show conf, etc. */
privilege exec level 1 show

clock timezone CET 1
ip subnet-zero
ip rcmd rsh-enable
ip rcmd remote-host root enable root /* RSH incoming accept from specified host */
ip cef
ip tcp window-size
ip tftp source-interface Loopback0 /* Source address for TFTP packets originate on router */
ip ftp source-interface Loopback0 /* Source address for FTP packets originate on router */
ip ftp username lunkan /* If using FTP service, username, and password below */
ip ftp password 7 018rfnurcp783jmc0u6
ip host tftps /* TFTP server */
ip domain-name lunkan.net
ip name-server /* DNS server */
interface Loopback0
 ip address
 no ip directed-broadcast
interface ethernet0
 description Link to GIX
 ip address
 ip broadcast-address
 ip access-group 100 in /* Filter inbound traffic */
 no ip directed-broadcast /* No forward of packet with broadcast destinations */
 no ip redirect /* Disable ICMP redirect */
 ip route-cache flow /* Access-list on interface, route-cache flow instead CEF for better performance */
 no ip route-cache cef
 no ip mroute-cache
 load-interval 30
 no cdp enable /* CDP Level 2 information protocol disable, no gain on EBGP segment */
logging facility local7 /* System log facility */
logging source-interface Loopback0 /* Source address for system log packets originate on router */
logging /* System log server */
logging buffered debugging /* Logging information locally stored */
logging console alerts /* Local message to console, level Alerts and above */

Example IOS Access List

access-list 1 permit log
access-list 1 permit log
access-list 2 permit log
access-list 3 permit log
access-list 100 deny ip any log
access-list 100 deny ip any log
access-list 100 deny ip any log
access-list 100 deny ip any log
access-list 100 permit ip any any
snmp-server community ida RO 2 /* Host with access read-only to router, see access-list 2 */
snmp-server community lena RW 3 /* Host with access read-write to router, see access-list 3 */
snmp-server trap-source Loopback0 /* Source address for SNMP trap (UDP 162) packets originate on router */
snmp-server contact [email protected]
snmp-server enable traps config /* SNMP trap categories */
snmp-server enable traps entity
snmp-server enable traps envmon
snmp-server enable traps bgp
snmp-server host lunkan /* Destination address for SNMP traps and community */
tacacs-server host /* Tacacs server */
tacacs-server key
exception core-file this_router_name /* Coredump sent to FTP server */
exception protocol ftp
exception dump

line con 0
 exec-timeout 60 0
 login authentication console
 transport input none
line aux 0
line vty 0 4
 access-class 1 in /* Restrict Telnet based on source address */
 exec-timeout
 password 7 123A E1810
ntp clock-period
ntp source Loopback0 /* NTP use lo0 as source address */
ntp update-calendar
ntp server /* NTP server (peering can also be done) */

system {
    host-name lunkan_home; /* IP hostname */
    domain-name lunkan.net; /* IP Domain */
    default-address-selection; /* All UDP,TCP,ICMP ex FTP, system log, ping packets use lo0 as source */
    no-redirects; /* No ip ICMP redirects */
    name-server {
        ; /* DNS server */
    }
    root-authentication { /* root user password for local root user */
        encrypted-password "$1$kksX6$i58hdOpkMI4pKfFlgkt94."; # SECRET-DATA
    }
    authentication-order [ radius password ]; /* Radius will be used primary as authentication validation */
    radius-server {
        { /* Radius server */
            secret "$9$Ch.9ABElhk6-wM8"; # SECRET-DATA # Radius key
            timeout 5;
            retry 2;
        }
    }
    login {
        class noc_grp {
            permissions [ admin interface routing system firewall view]; /* Rights for noc_grp */
        }
        user lunkan { /* Ex of local backup user with super-user access */
            uid 2001;
            class super-user; /* Class belonging for user lunkan (handle access level) */
            authentication {
                encrypted-password "$1$sGD5.$/8Ql5qZrDovMr7CgupSHo0"; # SECRET-DATA
            }
        }

        user remotex {
            full-name "radius group-user, super-user rights"; /* RADIUS super-user template grp */
            uid 2010;
            class super-user;
        }
        user remotexx {
            full-name "radius group-user, read rights"; /* RADIUS show/noc template grp */
            uid 2011;
            class noc_grp;
        }
    }
    services { /* Allowed service, note that finger/tftp etc are not enable */
        ssh;
        telnet;
        ftp; /* Note that JunOS use interactive FTP, not TFTP */
    }
    syslog {
        user * {
            any alerts; /* Local message to vty, level Alerts and above */
        }
        console {
            alerts; /* Local message to console, level Alerts and above */
        }
        host { /* Syslog server */
            any any; /* All is sent to syslog server */
            facility-override local1; /* Facility local1 will be used, since core router */
            log-prefix Lunkan_home; /* All messages will be added with prefix Lunkan_home */
        }
        file messages {
            any notice;
            authorization info;
        }
        file cli_trace {
            authorization any; /* All user logins log to local file on router */
            interactive-commands any; /* All CLI actions log to local file on router */
            archive size 50m files 2 world-readable; /* Local user log 50 Mb, with overwrite to backup file */
        }
    }
    ntp {
        server ; /* NTP server, peer is not used but can also/instead be used */
    }
}
chassis {
    no-source-route; /* No ip source-routing */
}
protocols {
    bgp {
        traceoptions { /* Start variables use when BGP monitoring */
            file bgp;
            flag state;
            flag damping;
            flag keepalive;
        }
        log-updown; /* Log message when adjacencies flap */
    }
    isis {
        traceoptions { /* Start variables use when BGP monitoring */
            file isis;
            flag state;
            flag hello;
        }
    }
}

snmp {
    description "blaha";
    location " In my home lab";
    contact "[email protected]";
    community read-only {
        authorization read-only;
        clients {
            ; /* NMS host, source address for snmp-get (UDP 161) allowed */
        }
    }
    trap-group ida {
        version all;
        categories authentication chassis link routing; /* SNMP Trap categories */
        targets {
            ; /* NMS host, destination for traps (UDP 162) */
        }
    }
}
firewall {
    filter access {
        term telnet_ok {
            from {
                source-address {
                    /24; /* Telnet allowed from prefix and below host, ex a ssh/radius server */
                    /32;
                }
                protocol tcp;
                destination-port telnet;
            }
            then {
                accept;
            }
        }
        term telnet-deny {
            from {
                protocol tcp;
                destination-port telnet;
            }
            then {
                count telnet_deny; /* Deny Telnet counted */
                log; /* Deny Telnet log to var/log file */
                discard;
            }
        }

        term snmp_ok {
            from {
                source-address {
                    /24;
                    /32;
                }
                protocol udp;
                destination-port snmp;
            }
            then {
                accept;
            }
        }
        term snmp_deny {
            from {
                protocol udp;
                destination-port snmp;
            }
            then {
                count snmp_deny;
                log;
                discard;
            }
        }
        term ntp_ok {
            from {
                source-address {
                    /32;
                    /32;
                }
                protocol udp;
                destination-port ntp;
            }
            then {
                accept;
            }
        }
        term ntp_deny {
            from {
                protocol udp;
                destination-port ntp;
            }
            then {
                count ntp_deny;
                log;
                discard;
            }
        }
        term permit_any { /* So that BGP, IGP etc is accepted to RE */
            then accept;
        }
    }
}

show firewall filter access
Filter/Counter      Packet count      Byte count
access
    telnet_deny                0               0
    snmp_deny                  0               0
    ntp_deny                   0               0

lo0 {
    unit 0 {
        family inet {
            filter {
                input access; /* Filter applied to logical interface (RE) */
            }
            address /32;
        }
        family iso {
            address ;
        }
    }
}
firewall {
    filter access_2 {
        term martians {
            from {
                source-address {
                    /8; /* rfc1918 denied routes */
                    /8;
                    /12;
                    /16;
                }
            }
            then {
                count martians; /* Reject counted */
                reject administratively-prohibited; /* Reject and send ICMP message */
            }
        }
        term permit_any { /* Everything else is accepted */
            then accept;
        }
    }
}

fe-0/3/3 {
    unit 0 {
        family inet {
            filter {
                input access_2; /* Filter inbound from ex GIX */
            }
            address /24;
        }
    }
}
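The `access` filter applied to lo0 above is evaluated term by term, and the first term that matches decides what happens to the packet, which is why every `*_ok` term sits in front of its `*_deny` term and `permit_any` comes last. The following Python model of that evaluation is an added example, not part of the Juniper document; the management prefixes, NTP hosts and sample packets are constructed, because the page's own addresses did not survive extraction.

```python
"""Model of first-match evaluation for the page's lo0 `access` filter.

Added illustration, not Juniper code. All addresses below are constructed
placeholders (documentation ranges); the page's real values are missing.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

MGMT_SOURCES = (ip_network("192.0.2.0/24"), ip_network("198.51.100.10/32"))
NTP_SOURCES = (ip_network("198.51.100.10/32"), ip_network("198.51.100.11/32"))
PORTS = {"telnet": 23, "snmp": 161, "ntp": 123, "bgp": 179}


@dataclass(frozen=True)
class Term:
    name: str
    action: str                      # "accept" or "discard"
    protocol: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None      # None matches any destination port
    sources: tuple = ()              # empty matches any source address
    counter: Optional[str] = None    # `count <name>` in the then-clause

    def matches(self, src, protocol, dport):
        if self.protocol is not None and protocol != self.protocol:
            return False
        if self.dport is not None and dport != self.dport:
            return False
        if self.sources and not any(ip_address(src) in n for n in self.sources):
            return False
        return True


def service_terms(service, protocol, allowed):
    """Build the <service>_ok / <service>_deny pair used on the page.

    The page spells the Telnet deny term `telnet-deny`; the name is
    normalised to `telnet_deny` here so it equals its counter name.
    """
    port = PORTS[service]
    return [
        Term(f"{service}_ok", "accept", protocol, port, tuple(allowed)),
        Term(f"{service}_deny", "discard", protocol, port, (), f"{service}_deny"),
    ]


ACCESS_FILTER = (
    service_terms("telnet", "tcp", MGMT_SOURCES)
    + service_terms("snmp", "udp", MGMT_SOURCES)
    + service_terms("ntp", "udp", NTP_SOURCES)
    + [Term("permit_any", "accept")]   # lets BGP, IGP etc. reach the RE
)


def evaluate(filter_terms, packets):
    """Return ([(term name, action) per packet], Counter of deny counters)."""
    verdicts, counters = [], Counter()
    for src, protocol, dport in packets:
        for term in filter_terms:
            if term.matches(src, protocol, dport):
                if term.counter:
                    counters[term.counter] += 1
                verdicts.append((term.name, term.action))
                break
        else:
            # A JunOS filter discards packets that match no term at all.
            verdicts.append(("implicit", "discard"))
    return verdicts, counters


# Constructed sample traffic: (source address, protocol, destination port)
SAMPLE_PACKETS = [
    ("192.0.2.7", "tcp", PORTS["telnet"]),     # management net to telnet
    ("203.0.113.9", "tcp", PORTS["telnet"]),   # unknown host to telnet
    ("203.0.113.9", "udp", PORTS["snmp"]),     # unknown host to snmp
    ("198.51.100.10", "udp", PORTS["ntp"]),    # listed NTP host
    ("192.0.2.7", "udp", PORTS["ntp"]),        # mgmt net is not an NTP source
    ("203.0.113.9", "tcp", PORTS["bgp"]),      # BGP falls through to permit_any
]

if __name__ == "__main__":
    verdicts, counters = evaluate(ACCESS_FILTER, SAMPLE_PACKETS)
    for packet, verdict in zip(SAMPLE_PACKETS, verdicts):
        print(packet, "->", verdict)
    print("counters:", dict(counters))
    # Failure mode: with permit_any moved to the top, nothing is ever denied.
    misordered = [ACCESS_FILTER[-1]] + ACCESS_FILTER[:-1]
    print("misordered:", evaluate(misordered, SAMPLE_PACKETS)[0])
```

The counters it returns correspond to the `telnet_deny`, `snmp_deny` and `ntp_deny` rows of `show firewall filter access`.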

version 4.2R2.4;
system {
    host-name lena;
    domain-name lunkan.net;
    time-zone Europe/Stockholm;
    default-address-selection;
    no-redirects;
    login {
        user lunkan {
            uid 2001;
            class super-user;
            authentication {
                encrypted-password "$1$.vHnM$BKQpc.3dFteKZ.vheNof0."; # SECRET-DATA
            }
        }
    }
    services {
        telnet;
        ssh;
        ftp;
    }
    syslog {
        user * {
            any emergency;
        }
        host {
            any any;
            facility-override local7;
            log-prefix lena;
        }
        file messages {
            any notice;
            authorization info;
        }
    }
    ntp {
        peer ;
    }
}
interfaces {
    fxp0 {
        unit 0 {
            family inet {
                address /24;
            }
            family iso;
        }
    }
    fxp1 {
        unit 0 {
            family inet {
                address /24;
            }
            family iso;
        }
    }

    lo0 {
        unit 0 {
            family inet {
                address /32;
            }
            family iso {
                address ;
            }
        }
    }
}
routing-options {
    aggregate {
        route /16 {
            as-path {
                origin igp;
                atomic-aggregate;
                aggregator ;
            }
        }
        route /16 {
            as-path {
                origin igp;
                atomic-aggregate;
                aggregator ;
            }
        }
    }
    router-id ;
    autonomous-system 1111;
}
protocols {
    bgp {
        path-selection always-compare-med;
        traceoptions {
            file bgp;
            flag route receive;
            flag damping;
            flag state;
        }
        log-updown;
        group external {
            type external;
            local-address ;
            damping;
            import ebgp_in;
            family inet {
                unicast {
                    prefix-limit {
                        maximum 100;
                        teardown 70;
                    }
                }
            }
            export ebgp;
            multipath;
            neighbor {
                peer-as 2222;
            }
            neighbor {
                peer-as 3333;
            }
        }

        group internal {
            type internal;
            local-address ;
            export internal;
            neighbor {
                authentication-key "$9$4ToGiP5FApB.P5F6A1I";
            }
            neighbor ;
        }
    }
    isis {
        traceoptions {
            file isis;
            flag state;
        }
        lsp-lifetime 65535;
        level 2 wide-metrics-only;
        interface all {
            level 1 disable;
        }
        interface fxp1.0 {
            passive;
        }
    }
}
policy-options {
    policy-statement internal {
        term one {
            from protocol bgp;
            then {
                next-hop self;
            }
        }
    }
    policy-statement loadbalance {
        then {
            load-balance per-packet;
        }
    }
    policy-statement ebgp {
        inactive: term one {
            from protocol aggregate;
            then origin igp;
        }
        term two {
            from {
                route-filter /16 exact;
            }
            then {
                metric 100;
                as-path-prepend " ";
                accept;
            }
        }
        term three {
            from {
                route-filter /16 exact;
            }
            then {
                metric 0;
                accept;
            }
        }

        term four {
            from community bad;
            then {
                metric 100;
                as-path-prepend " ";
                accept;
            }
        }
        term five {
            from community good;
            then {
                metric 0;
                accept;
            }
        }
        term last {
            then reject;
        }
    }
    policy-statement ebgp_in {
        term 1918 {
            from {
                route-filter /0 exact;
                route-filter /8 orlonger;
                route-filter /8 orlonger;
                route-filter /16 orlonger;
            }
            then reject;
        }
        term local_pref {
            from as-path from_pagent;
            then {
                local-preference 101;
            }
        }
        term no_damp {
            from {
                route-filter /24 exact;
                route-filter /16 exact;
                route-filter /24 exact;
                route-filter /16 exact;
                route-filter /24 exact;
                route-filter /23 exact;
                route-filter /16 exact;
                route-filter /24 exact;
                route-filter /24 exact;
                route-filter /24 exact;
                route-filter /24 exact;
            }
            then {
                damping no;
                accept;
            }
        }
        term damp {
            then damping yes;
        }
    }
    policy-statement root_dns {
        term dns {
            from {
                route-filter /24 exact;
                route-filter /16 exact;

                route-filter /24 exact;
                route-filter /16 exact;
                route-filter /24 exact;
                route-filter /23 exact;
                route-filter /24 exact;
                route-filter /16 exact;
                route-filter /24 exact;
                route-filter /24 exact;
                route-filter /24 exact;
                route-filter /24 exact;
            }
            then accept;
        }
    }
    community bad members 1111:6;
    community good members 1111:5;
    as-path from_pagent 2222;
    damping no {
        disable;
    }
    damping yes {
        half-life 15;
        reuse 750;
        suppress 2000;
        max-suppress 60;
    }
}

version 4.2R2.4;
system {
    host-name lunkan;
    domain-name lunkan.net;
    default-address-selection;
    no-redirects;
    login {
        user lunkan {
            uid 2001;
            class super-user;
            authentication {
                encrypted-password "$1$sGD5.$/8Ql5qZrDovMr7CgupSHo0"; # SECRET-DATA
            }
        }
    }
    services {
        telnet;
        ssh;
        ftp;
    }
    syslog {
        user * {
            any emergency;
        }
        host {
            facility-override local7;
            log-prefix lunkan;
        }
        file messages {
            any notice;
            authorization info;
        }
    }
    ntp {
        peer ;
    }
}
interfaces {
    fxp0 {
        unit 0 {
            family inet {
                address /24;
            }
            family iso;
        }
    }
    fxp1 {
        unit 0 {
            family inet {
                address /24 {
                    primary;
                }
                address /24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address /32;
            }

            family iso {
                address ;
            }
        }
    }
}
routing-options {
    router-id ;
    autonomous-system 1111;
}
protocols {
    bgp {
        traceoptions {
            file bgp;
            flag state;
        }
        log-updown;
        group internal_rr {
            type internal;
            local-address ;
            export service;
            cluster ;
            neighbor {
                authentication-key "$9$FckZ39pIEyWLNBIEyeW-d";
            }
            neighbor {
                authentication-key "$9$ebkK87wYojHmVwYoZjPf";
            }
            neighbor ;
            neighbor ;
        }
        group internal {
            type internal;
            local-address ;
            export service;
            neighbor ;
        }
    }
    isis {
        traceoptions {
            file isis;
            flag state;
        }
        lsp-lifetime 65535;
        level 1 disable;
        level 2 wide-metrics-only;
        interface all {
            level 2 priority 127;
        }
        interface fxp1.0 {
            disable;
        }
    }
}
policy-options {
    policy-statement service {
        term one {
            from {
                route-filter /24 exact;
            }
            then {
                community add rfc1918;

                accept;
            }
        }
        term two {
            from {
                route-filter /24 exact;
            }
            then {
                community add mcast;
                accept;
            }
        }
    }
    community mcast members 1111:10;
    community rfc1918 members no-export;
}

version 4.2R2.4;
system {
    host-name ida;
    domain-name juniper.net;
    default-address-selection;
    login {
        user lunkan {
            uid 2001;
            class super-user;
            authentication {
                encrypted-password "$1$Fg/2.$G1YuZUcU6ujXF5fCDlvWQ/"; # SECRET-DATA
            }
        }
    }
    services {
        telnet;
        ssh;
        ftp;
    }
    syslog {
        user * {
            any emergency;
        }
        host {
            any any;
            facility-override local7;
            log-prefix ida;
        }
        file messages {
            any notice;
            authorization info;
        }
    }
    ntp {
        peer ;
    }
}
interfaces {
    fxp0 {
        unit 0 {
            family inet {
                address /24;
            }
            family iso;
        }
    }
    fxp1 {
        unit 0 {
            family inet {
                address /30;
            }
            family iso;
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address /32;
            }
            family iso {
                address ;
            }
        }
    }
}
routing-options {
    router-id ;
    autonomous-system 1111;
}
protocols {
    bgp {
        traceoptions {
            file bgp;
            flag state detail;

            flag update;
            flag policy;
            flag route;
        }
        log-updown;
        group internal {
            type internal;
            local-address ;
            neighbor {
                authentication-key "$9$IW5RSeLxdgoGWLxdwgUD";
            }
            neighbor ;
        }
        group pop_rr {
            type internal;
            local-address ;
            cluster ;
            neighbor ;
        }
        group pop {
            type internal;
            local-address ;
            neighbor ;
        }
    }
    isis {
        traceoptions {
            file isis;
            flag state detail;
        }
        export isis_leak;
        lsp-lifetime 65535;
        level 2 wide-metrics-only;
        interface all;
        interface fxp0.0 {
            level 1 disable;
        }
    }
}
policy-options {
    policy-statement isis_leak {
        term one {
            from {
                level 2;
                route-filter /24 longer;
            }
            then accept;
        }
    }
}

version 12.1
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
hostname cisco_border
aaa new-model
aaa authentication login default none
aaa authentication enable default none
ip subnet-zero
ip rcmd rsh-enable
ip rcmd remote-host root root enable
no ip finger
ip telnet source-interface Loopback0
ip tftp source-interface Loopback0
ip ftp source-interface Loopback0
ip ftp username root
ip ftp password lunkan
no ip domain-lookup
ip name-server
ip cef
cns event-service server
interface Loopback0
 ip address
interface Ethernet0
 ip address
 ip router isis
interface Ethernet1
 ip address
interface Serial0
 no ip address
 shutdown
 no fair-queue
interface Serial1
 no ip address
 shutdown
router isis
 passive-interface Ethernet1
 passive-interface Loopback0
 net
 is-type level-2-only
 metric-style wide
 max-lsp-lifetime

 lsp-refresh-interval
 spf-interval
 prc-interval
 lsp-gen-interval
 log-adjacency-changes
router bgp 1111
 no synchronization
 bgp router-id
 bgp log-neighbor-changes
 bgp deterministic-med
 bgp dampening route-map damp
 aggregate-address summary-only
 aggregate-address summary-only
 timers bgp
 neighbor internal peer-group
 neighbor internal remote-as 1111
 neighbor internal update-source Loopback0
 neighbor internal next-hop-self
 neighbor external peer-group
 neighbor external soft-reconfiguration inbound
 neighbor external prefix-list martians in
 neighbor external route-map int_policy in
 neighbor external route-map ext_policy out
 neighbor external maximum-prefix
 neighbor peer-group internal
 neighbor peer-group internal
 neighbor remote-as 2222
 neighbor peer-group external
 neighbor remote-as 3333
 neighbor peer-group external
 no auto-summary
ip classless
no ip http server
ip bgp-community new-format
ip community-list 1 permit 1111:5
ip community-list 2 permit 1111:6
ip community-list 3 permit 1111:10
ip as-path access-list 1 permit ^3333$
ip as-path access-list 10 permit ^$
ip prefix-list martians seq 1 deny /32
ip prefix-list martians seq 20 deny /8 le 32
ip prefix-list martians seq 30 deny /8 le 32
ip prefix-list martians seq 40 deny /12 le 32
ip prefix-list martians seq 50 deny /16 le 32
ip prefix-list root_dns seq 1 permit /24
ip prefix-list root_dns seq 2 permit /16
ip prefix-list root_dns seq 3 permit /24
ip prefix-list root_dns seq 4 permit /16
ip prefix-list root_dns seq 5 permit /24
ip prefix-list root_dns seq 6 permit /23
ip prefix-list root_dns seq 7 permit /24
ip prefix-list root_dns seq 8 permit /16
ip prefix-list root_dns seq 9 permit /24
ip prefix-list root_dns seq 10 permit /24
ip prefix-list root_dns seq 11 permit /24
ip prefix-list root_dns seq 12 permit /24
logging trap debugging
logging source-interface Loopback0

logging
access-list 10 permit
access-list 20 permit
route-map damp deny 1
 match as-path 10
route-map damp deny 2
 match ip address prefix-list root_dns
route-map damp permit 3
 set dampening
route-map int_policy permit 10
 match as-path 1
 set local-preference 101
route-map int_policy permit 20
route-map ext_policy permit 10
 match ip address 10
 set metric 100
 set as-path prepend
route-map ext_policy permit 20
 match ip address 20
 set metric 0
route-map ext_policy permit 30
 match community 1
 set metric 100
 set as-path prepend
route-map ext_policy permit 40
 match community 2
 set metric 0
route-map ext_policy deny 50
 match community 3
line con 0
 transport input none
line aux 0
line vty 0 4
ntp source Loopback0
ntp peer
end
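The `martians` prefix-list in this IOS configuration and the `term 1918` route filters in the JUNOS `ebgp_in` policy express the same inbound filter: `le 32` on the IOS side corresponds to `orlonger` on the JUNOS side, and an entry without `ge`/`le` corresponds to `exact`. The Python sketch below is an added example, not code from the Juniper document; it generalises that mapping to any `ge`/`le` combination, and the prefixes in `SAMPLE_IOS`, the term names and the `implicit_deny` term are constructed for illustration because the page's own addresses were lost.

```python
"""Translate IOS `ip prefix-list` entries into a JunOS policy-statement.

Added illustration, not Juniper or Cisco code. SAMPLE_IOS uses constructed
prefixes; term names (t1, t2, ..., implicit_deny) are made up here.
"""
import re
from ipaddress import ip_network

ENTRY = re.compile(
    r"^ip prefix-list (?P<name>\S+) seq (?P<seq>\d+) (?P<action>permit|deny) "
    r"(?P<prefix>\S+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$"
)

SAMPLE_IOS = """\
ip prefix-list martians seq 1 deny 0.0.0.0/0
ip prefix-list martians seq 20 deny 10.0.0.0/8 le 32
ip prefix-list martians seq 30 deny 127.0.0.0/8 le 32
ip prefix-list martians seq 40 deny 172.16.0.0/12 le 32
ip prefix-list martians seq 50 deny 192.168.0.0/16 le 32
ip prefix-list martians seq 60 permit 0.0.0.0/0 le 24
"""


def match_type(net, ge, le):
    """Map IOS ge/le bounds onto a JunOS route-filter match type."""
    plen, maxlen = net.prefixlen, net.max_prefixlen
    if ge is None and le is None:
        return "exact"
    lo = plen if ge is None else ge      # `le` alone starts at the prefix length
    hi = maxlen if le is None else le    # `ge` alone runs to /32
    if not plen <= lo <= hi <= maxlen:
        raise ValueError(f"invalid ge/le for {net}: ge={ge} le={le}")
    if hi == maxlen and lo == plen:
        return "orlonger"
    if hi == maxlen and lo == plen + 1:
        return "longer"
    if lo == plen:
        return f"upto /{hi}"
    return f"prefix-length-range /{lo}-/{hi}"


def parse(lines):
    """Return (seq, name, action, network, match type) tuples in seq order."""
    entries = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        m = ENTRY.match(line)
        if not m:
            raise ValueError(f"unsupported line: {line!r}")
        net = ip_network(m["prefix"], strict=False)   # normalise host bits
        ge = int(m["ge"]) if m["ge"] else None
        le = int(m["le"]) if m["le"] else None
        entries.append((int(m["seq"]), m["name"], m["action"], net,
                        match_type(net, ge, le)))
    return sorted(entries, key=lambda e: e[0])


def to_terms(entries):
    """Group consecutive same-action entries, one JunOS term per group.

    IOS stops at the first matching entry. JunOS picks the longest matching
    route-filter inside a term, so overlapping prefixes are kept in separate
    terms (a conservative rule) to preserve the IOS ordering.
    """
    terms = []
    for _seq, _name, action, net, mtype in entries:
        cur = terms[-1] if terms else None
        if (cur is None or cur["action"] != action
                or any(net.overlaps(n) for n, _ in cur["filters"])):
            cur = {"action": action, "filters": []}
            terms.append(cur)
        cur["filters"].append((net, mtype))
    return terms


def render(name, terms):
    out = [f"policy-statement {name} {{"]
    for i, term in enumerate(terms, 1):
        out += [f"    term t{i} {{", "        from {"]
        out += [f"            route-filter {n} {t};" for n, t in term["filters"]]
        verb = "accept" if term["action"] == "permit" else "reject"
        out += ["        }", f"        then {verb};", "    }"]
    # An IOS prefix-list ends with an implicit deny; make it explicit.
    out += ["    term implicit_deny {", "        then reject;", "    }", "}"]
    return "\n".join(out)


def convert(ios_text):
    entries = parse(ios_text.splitlines())
    return render(entries[0][1], to_terms(entries))


if __name__ == "__main__":
    print(convert(SAMPLE_IOS))
```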

version 12.1
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
hostname cisco_core_rr
boot system flash:b.bin
aaa new-model
aaa authentication login default none
aaa authentication enable default none
ip subnet-zero
ip ftp source-interface Loopback0
ip ftp username root
ip ftp password lunkan
no ip domain-lookup
ip name-server
ip dhcp pool core
 network
 default-router
cns event-service server
interface Loopback0
 ip address
interface Loopback1
 ip address
interface Ethernet0
 ip address
 ip router isis
 isis priority 126
interface Serial0
 no ip address
 no ip mroute-cache
 shutdown
 no fair-queue
interface Serial1
 no ip address
 shutdown
router isis
 passive-interface Loopback0
 net

 is-type level-2-only
 metric-style wide
 max-lsp-lifetime
 lsp-refresh-interval
 spf-interval
 prc-interval
 lsp-gen-interval
 log-adjacency-changes
router bgp 1111
 no synchronization
 bgp router-id
 bgp cluster-id
 bgp log-neighbor-changes
 network route-map rfc1918
 timers bgp
 redistribute connected
 neighbor internal_rr peer-group
 neighbor internal_rr remote-as 1111
 neighbor internal_rr update-source Loopback0
 neighbor internal_rr route-reflector-client
 neighbor internal_rr send-community
 neighbor internal_rr route-map rfc1918 out
 neighbor internal peer-group
 neighbor internal remote-as 1111
 neighbor internal update-source Loopback0
 neighbor internal send-community
 neighbor internal route-map rfc1918 out
 neighbor peer-group internal
 neighbor peer-group internal_rr
 neighbor peer-group internal_rr
 neighbor peer-group internal_rr
 neighbor peer-group internal_rr
 no auto-summary
ip classless
no ip http server
ip bgp-community new-format
logging trap debugging
logging source-interface Loopback0
logging
access-list 1 permit
route-map rfc1918 permit 10
 match ip address 1
 set community no-export
line con 0
 transport input none
line aux 0
line 2 3
line vty 0 4
ntp source Loopback0
ntp peer
end

version 12.1
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
hostname cisco_pop
aaa new-model
aaa authentication login default none
aaa authentication enable default none
ip subnet-zero
ip rcmd rsh-enable
ip rcmd remote-host root root enable
no ip finger
ip telnet source-interface Loopback0
no ip domain-lookup
ip name-server
ip cef
cns event-service server
interface Loopback0
 ip address
interface Ethernet0
 ip address
 ip router isis
 isis circuit-type level-2-only
interface Serial0
 bandwidth
 ip address
 ip router isis
 clockrate
interface Serial1
 no ip address
 shutdown
router isis
 redistribute isis ip level-2 into level-1 distribute-list 100
 passive-interface Loopback0
 net
 metric-style wide
 max-lsp-lifetime
 lsp-refresh-interval
 spf-interval
 prc-interval
 lsp-gen-interval

 log-adjacency-changes
router bgp 1111
 no synchronization
 bgp router-id
 bgp log-neighbor-changes
 timers bgp
 neighbor internal peer-group
 neighbor internal remote-as 1111
 neighbor internal update-source Loopback0
 neighbor pop peer-group
 neighbor pop remote-as 1111
 neighbor pop update-source Loopback0
 neighbor pop_rr peer-group
 neighbor pop_rr remote-as 1111
 neighbor pop_rr update-source Loopback0
 neighbor pop_rr route-reflector-client
 neighbor peer-group internal
 neighbor peer-group internal
 neighbor peer-group pop_rr
 no auto-summary
ip classless
no ip http server
ip bgp-community new-format
logging trap debugging
logging source-interface Loopback0
logging
access-list 1 permit
line con 0
 transport input none
line 1 8
line aux 0
line vty 0 4
ntp source Loopback0
ntp peer
end

community

version 12.1
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
hostname cisco_access
boot system flash:b.bin
aaa new-model
aaa authentication login default enable none
aaa authentication enable default enable none
ip subnet-zero
ip ftp source-interface Loopback0
ip ftp username root
ip ftp password lunkan
no ip domain-lookup
cns event-service server
interface Loopback0
 ip address
interface Loopback1
 ip address
interface Loopback2
 ip address
interface Loopback3
 ip address
interface Loopback4
 ip address
interface Ethernet0
 ip address
 ip router isis
interface Serial0
 ip address
 ip router isis
 no ip mroute-cache
 no fair-queue
interface Serial1
 no ip address
 shutdown

router isis
 passive-interface Loopback0
 net
 is-type level-1
 metric-style wide
 max-lsp-lifetime
 lsp-refresh-interval
 spf-interval
 prc-interval
 lsp-gen-interval
 log-adjacency-changes
router bgp 1111
 no synchronization
 bgp router-id
 bgp log-neighbor-changes
 timers bgp
 redistribute connected route-map access
 redistribute static route-map static
 neighbor access peer-group
 neighbor access remote-as 1111
 neighbor access update-source Loopback0
 neighbor access send-community
 neighbor peer-group access
 neighbor peer-group access
 no auto-summary
ip default-gateway
ip classless
ip route Null0
ip route Null0
no ip http server
ip bgp-community new-format
logging trap debugging
logging source-interface Loopback0
logging
access-list 1 permit
access-list 2 permit
access-list 3 permit
access-list 4 permit
access-list 5 permit
access-list 6 permit
route-map access permit 10
 match ip address 1
 set community 1111:1
route-map access permit 20
 match ip address 2
 set community 1111:2
route-map access permit 30
 match ip address 3
 set community 1111:3
route-map access permit 40
 match ip address 4
 set community 1111:4
route-map static permit 10
 match ip address 5
 set community 1111:5

route-map static permit 20
 match ip address 6
 set community 1111:6
line con 0
 transport input none
line aux 0
line 2 3
line vty 0 4
end

version 12.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname pagent
aaa new-model
aaa authentication login default none
aaa authentication enable default none
ip subnet-zero
no ip domain-lookup
cns event-service server
interface Loopback0
 ip address
interface Ethernet0
 ip address
interface Serial0
 no ip address
 shutdown
 no fair-queue
interface Serial1
 no ip address
 shutdown
router bgp 2222
 no synchronization
 bgp router-id
 bgp always-compare-med
 bgp log-neighbor-changes
 bgp deterministic-med
 network mask
 neighbor external peer-group
 neighbor external remote-as 1111
 neighbor peer-group external
 neighbor peer-group external
 neighbor remote-as 3333
 no auto-summary
ip classless
ip route
ip route
ip route Null0
no ip http server
ip bgp-community new-format

line con 0
 exec-timeout 0 0
 transport input none
line aux 0
line vty 0 4
no scheduler max-task-time
end

version 12.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname dummy
aaa new-model
aaa authentication login default none
aaa authentication enable default none
ip subnet-zero
isdn voice-call-failure 0
interface Loopback0
 ip address
 no ip directed-broadcast
interface Loopback1
 no ip address
 no ip directed-broadcast
interface Ethernet0
 ip address
 no ip directed-broadcast
interface Serial0
 no ip address
 no ip directed-broadcast
 no ip mroute-cache
 shutdown
 no fair-queue
interface BRI0
 no ip address
 no ip directed-broadcast
 shutdown
 isdn guard-timer 0 on-expiry accept
router bgp 3333
 no synchronization
 bgp router-id
 bgp always-compare-med
 bgp log-neighbor-changes
 bgp deterministic-med
 network mask
 network
 redistribute static metric 1
 neighbor external peer-group

 neighbor external remote-as 1111
 neighbor external route-map med out
 neighbor peer-group external
 neighbor peer-group external
 neighbor remote-as 2222
 default-information originate
 no auto-summary
ip classless
ip route Null0
ip route Null0
ip route Null0
no ip http server
ip bgp-community new-format
route-map out_tag permit 10
 set community 3333:1
route-map med permit 10
 set metric 1
route-map prepend permit 10
 set as-path prepend
line con 0
 transport input none
line vty 0 4
end


More information

Win XP SP3 Japanese Ed. NCP IPSec client Hub L3 SW SRX100 Policy base VPN fe-0/0/0 vlan.0 Win 2003 SVR /

Win XP SP3 Japanese Ed. NCP IPSec client Hub L3 SW SRX100 Policy base VPN fe-0/0/0 vlan.0 Win 2003 SVR / SRX dial-up VPN (NCP ) Win XP SP3 Japanese Ed. NCP IPSec client Hub L3 SW SRX100 Policy base VPN fe-0/0/0 vlan.0 Win 2003 SVR.216 172.27.24.0/24.254.254.1.1.100 100.100.100.0/24 192.168.1.0/24 Test devices

More information

【公開】村越健哉_ヤフーのIP CLOSネットワーク

【公開】村越健哉_ヤフーのIP CLOSネットワーク P ヤフーの IP CLOS ネットワーク サイトオペレーション本部 インフラ技術 3 部 村越健哉 紹介 P n 名前 u 村越健哉 ( むらこしけんや ) n 所属 u サイトオペレーション本部インフラ技術 3 部 n 仕事 u ヤフーのプロダクションネットワーク全般 アジェンダ P n Hadoopネットワーク変遷 n IP CLOS ネットワーク構成詳細 u 設計 u 構築 u 運 n Hadoopテスト結果

More information

設定例集_Rev.8.03, Rev.9.00, Rev.10.01対応

設定例集_Rev.8.03, Rev.9.00, Rev.10.01対応 Network Equipment 設定例集 Rev.8.03, Rev.9.00, Rev.10.01 対応 2 3 4 5 6 7 8 help > help show command > show command console character administrator pp disable disconnect 9 pp enable save Password: login timer

More information

IP.dvi

IP.dvi ... 3... 3... 3... 4... 6 VLAN... 6... 6 DHCP... 7... 7... 9... 9... 10... 12 R... 15... 15... 15 ARP... 18... 18 ARP... 18 DNS... 20... 20 DHCP/BOOTP... 21... 21 DHCP... 22 UDP... 23... 23... 23... 26...

More information


