
2 2011 4 1

iii
1.1 (p. 1)
2 I (p. 3)
  2.1 (p. 3)
    2.1.1 (p. 4)
    2.1.2 TCP (p. 4)
    2.1.3 UDP (p. 6)
    2.1.4 ICMP (p. 6)
  2.2 (p. 8)
3 II (p. 9)
  3.1 IPFilter (p. 9)
    3.1.1 (p. 9)
    3.1.2 (p. 9)
    3.1.3 (p. 11)
    3.1.4 (p. 11)
    3.1.5 (p. 13)
  3.2 (p. 15)
    3.2.1 (p. 15)
    3.2.2 (p. 17)
    3.2.3 private address spoofing (p. 18)
    3.2.4 (p. 18)
    3.2.5 IP (p. 19)
    3.2.6 (p. 19)
    3.2.7 ICMP (p. 21)
    3.2.8 Mail Web (p. 22)
    3.2.9 DNS query (p. 24)
    3.2.10 (p. 25)
    3.2.11 (p. 25)
    3.2.12 (p. 26)
    3.2.13 (p. 26)
    3.2.14 (p. 29)
  3.3 (p. 31)
  3.4 (p. 32)

iv
4 RIP (p. 33)
  4.1 (p. 33)
    4.1.1 (p. 34)
    4.1.2 (p. 34)
  4.2 RIP (p. 35)
  4.3 Quagga (p. 38)
    4.3.1 Quagga (p. 38)
    4.3.2 zebra (p. 39)
    4.3.3 ripd (p. 40)
    4.3.4 Quagga (p. 42)
    4.3.5 VTY (p. 43)
  4.4 RIP (p. 46)
  4.5 (p. 48)
5 OSPF (p. 51)
  5.1 OSPF (p. 51)
    5.1.1 (LSA) (p. 52)
  5.2 (p. 54)
  5.3 OSPF (p. 54)
    5.3.1 (p. 55)
  5.4 ospfd (p. 57)
    5.4.1 ospf router (p. 58)
    5.4.2 ospf rip (p. 59)
    5.4.3 interface (p. 60)
  5.5 OSPF (p. 60)
  5.6 1 (p. 66)
6 BGP (p. 67)
  6.1 BGP (p. 67)
  6.2 BGP (p. 68)
  6.3 (p. 68)
  6.4 (p. 69)
  6.5 bgpd 1 (p. 70)
  6.6 bgpd 2 (p. 75)
  6.7 BGP (p. 76)
  6.8 (p. 80)

1.1. 1 1.1 1.1 NAT 172.16.N.0/24 IP NAT DNS (/etc/rc.conf named_enab="no" ) Ethernet PCMCIA # ifconfig ue0 ue0: flags=108843<up,broadcast,running,simplex,multicast> mtu 1500 options=8<vlan_mtu> ether 00:09:5b:bc:01:8f media: Ethernet autoselect (none) status: no carrer ifconfig ue0 1.2 le0 IP 172.16.N.M/24 N M ue0 IP 172.16.N.1 kterm ping ( ping ) arp -a 1.3 1 5 5 10 1.4 ue0 IP 172.17.N.0/24 172.17.N.1/30 IP 172.17.N.2/30 N 1 4 N 1 IP ping ifconfig ue0 PC IP IP 1.5 NAT /etc/rc.conf (172.16.N.0/24 )

3 2 I ( ) ( ) ( ) IP,, (TCP,UDP,ICMP) IPFilter, IPFW(FreeBSD), PF, screend, IPCHAIN(Linux) IPFilter OS (Solaris ) IPFilter FreeBSD IPFW(IPFirewall),IPFilter,PF IPFW IPFW IPFilter IPFW OS PF OpenBSD OpenBSD IPFilter OpenBSD IPFilter IPFilter IPFilter NAT OS 2.1 TCP/IP

4 2 I 2.1.1 TCP/IP 2 TCP 2 IP,Port, IP,Port 2 IP,Port mail MTA mail-server,25 2 IP,Port, IP,Port TCP ( UDP TCP UDP ) 1023 Unix root ( ) Unix Unix OS FreeBSD Linux NIS 2.1.2 TCP TCP TCP TCP TCP TCP TCP 2byte 10 15

2.1. 5 bit 10 URG 11 ACK 12 PSH 13 RST 14 SYN 15 FIN TCP (RFC793) 1. (a) SYN SENT (3 ) (b) ESTABLISHED (c) FIN WAIT 1, FIN WAIT 2 (half-closed) (d) TIME WAIT (e) CLOSED 2. (a) LISTEN (b) SYN RECVD (c) ESTABLISHED (d) CLOSE WAIT (e) LAST ACK (f) CLOSED SYN ACK ACK(,PSH,URG) FIN,ACK SYN,ACK ACK(,PSH,URG) ACK FIN,ACK ACK 3 setup established ( ) SYN ACK

6 2 I SYN ( ) SYN ACK IPFilter ( UDP,ICMP IPFW ) (stateful) (stateless) (Sequence Number) (ACK Number) (Sequence Number ACK Number Sequence Number ) 2.1.3 UDP UDP TCP UDP DNS DNS ( ) UDP TCP DNS DNS TCP DNS TCP ( DoS DNS DNS ) UDP IP,Port, IP,Port IP,Port UDP 2.1.4 ICMP ICMP (Internet Control Message Protocol) TCP,UDP ( ) IP ping ICMP ICMP 1byte

2.1. 7 type message ipf 0 Echo Reply echorep 3 Host Unreacheable unreach 4 Source Quench squench 5 Redirect redir 8 Echo echo 9 Router Advertisement routerad 10 Router Solicitation routersol 11 Time Exceeded timex 12 Parameter Problem paramprob 13 Time Stamp timest 14 Time Stamp Reply timestrep 15 Information Request inforeq 16 Information Reply inforep 17 Address Mask Request maskreq 18 Address Mask Reply maskrep Echo, Echo Reply Echo Reply Host Unreacheable Source Quench Redirect Router Solicitation, Router Advertisement Time Exceeded TTL(Time To Live) 0 Fragmentation Parameter Problem Time Stamp, Time Stamp Reply

8 2 I Information Request, Information Reply IP Information Reply Address Mask Request, Address Mask Reply 2.2 1. ICMP ( ) 2. IP 3. IP 4. (NAT ) 5. IP 1. Mail Server SMTP 2. SMTP 3. DNS(, ) UDP 4. DNS 5. WWW 6. WWW 7. NTP NTP Network Time Protocol NTP Cisco FreeBSD IPFilter FTP

9 3 II 3.1 IPFilter 3.1.1 IPFilter make (Solaris solaris) make install FreeBSD OS make ( Solaris SunOS5/ make package pkg pkgadd ) FreeBSD NAT IPFilter 3.1.2 IPFilter OS FreeBSD 1. /usr/src/sys/i386/conf (GENERIC LINT) ( ) 2. config MYKERNEL # config MYKERNEL 3. make config../compile/mykernel

10 3 II # make depend # make 4. # make install # shutdown -r now /boot/kernel/ /boot/kernel.old/ /boot/kernel.old/ mv /boot/kernel.old /boot/kernel.org /kernel.org make 5. 9 ok /boot/kernel.org/ ( /boot/kernel.old/ ) ok unload ok load /boot/kernel.old/kernel ok boot /boot/kernel.old/ ( kernel.org ) loader prompt 6

3.1. IPFilter 11
3.1.3 NAT /sys/i386/conf/ ( /usr/src/sys /usr/src/sys/i386/conf/ ) /sys/i386/conf/generic LINT LINT LINT (LINT make LINT ) GENERIC ( MYKERNEL)
  options IPFILTER                 #ipfilter support
  options IPFILTER_LOG             #ipfilter logging
  options IPFILTER_DEFAULT_BLOCK   #block all packets by default
  options IPSTEALTH                #support for stealth forwarding
MYKERNEL GENERIC ( /var/log/messages GENERIC )
  ident MYFIREWALL
3.1.4 (/etc/rc.conf)

12 3 II
/etc/ipf.rules
  pass in all
  pass out all
/etc/rc.conf
  ipfilter_enable="yes"       # Set to YES to enable ipfilter functionality
  ipnat_enable="no"           # Set to YES for ipnat; needs ipfilter, too!
  ipmon_enable="yes"          # Set to YES for ipmon; needs ipfilter, too!
  tcp_drop_synfin="yes"       # Set to YES to drop TCP packets with SYN+FIN
  icmp_drop_redirect="yes"    # Set to YES to ignore ICMP REDIRECT packets
  icmp_log_redirect="yes"     # Set to YES to log ICMP REDIRECT packets
/etc/default/rc.conf /etc/defaults/rc.conf
  # /etc/defaults/rc.conf
  ipfilter_program="/sbin/ipf"        # where the ipfilter program lives
  ipfilter_rules="/etc/ipf.rules"     # rules definition file for ipfilter, see
                                      # /usr/src/contrib/ipfilter/rules for examples
  ipfilter_flags=""                   # additional flags for ipfilter
/etc/rc.conf FreeBSD /etc/rc.conf
  # /etc/rc.d/ipfilter start
ipfilter
  # /etc/rc.d/ipfilter reload
OS
  # ipf -Fa -f /etc/ipf.rules
( telnet ) tcpdump wireshark

3.1. IPFilter 13 3.1.5 IPFilter ipf ipfstat ipftest ipnat NAT ipmon ipresend IP FreeBSD ipf,ipnat,ipfstat,ipmon,ipresend /sbin ipf, ipfstat, ipftest ipf ipf # ipf -Fa -Z -f /etc/ipf.rules (-Fa) /etc/opt/ipf/ipf.conf (-Z) ipfstat

14 3 II
  bad packets:            in 0    out 0
  IPv6 packets:           in 0    out 0
  input packets:          blocked 0 passed 113 nomatch 0 counted 0 short 0
  output packets:         blocked 0 passed 78 nomatch 0 counted 0 short 0
  input packets logged:   blocked 0 passed 0
  output packets logged:  blocked 0 passed 0
  packets logged:         input 0 output 0
  log failures:           input 0 output 0
  fragment state(in):     kept 0  lost 0  not fragmented 0
  fragment state(out):    kept 0  lost 0  not fragmented 0
  packet state(in):       kept 0  lost 0
  packet state(out):      kept 0  lost 0
  ICMP replies:   0       TCP RSTs sent:  0
  Invalid source(in):     0
  Result cache hits(in):  19      (out):  45
  IN Pullups succeeded:   0       failed: 0
  OUT Pullups succeeded:  0       failed: 0
  Fastroute successes:    0       failures:       0
  TCP cksum fails(in):    0       (out):  0
  IPF Ticks:      2216
  Packet log flags set: (0)
          none
-s -i -o ( input -o output ) IP -s -i -o
  # /sbin/ipfstat -io
  pass out quick on OUTIF proto tcp/udp from 192.168.254.0/24 to any keep state
  pass out quick on OUTIF proto icmp from 192.168.254.0/24 to any keep state
  block in on OUTIF from any to any
  block in quick on OUTIF from 172.16.0.0/12 to any
  block in quick on OUTIF from 127.0.0.0/8 to any
  block in quick on OUTIF from 0.0.0.0/8 to any
  block in quick on OUTIF from 224.0.0.0/3 to any
  pass in quick on OUTIF proto tcp/udp from 192.168.254.0/24 to any keep state
-io IPFilter -i -i, -o -n

3.2. 15
ipftest IPFilter IPFilter ipftest
  # ipftest -r ipf.rules -i data
ipf.rules data data
  in on OUTIF tcp 192.168.1.1,20000 172.16.0.1,80
TCP OUTIF IP 192.168.1.1 Port 20000 172.16.0.1 Port 80 (pass)
  # ipftest -r ipf.rules -i data
  pass ip #0 40(20) 6 192.168.1.1,20000 > 172.16.0.1,80
  --------------
3.2
3.2.1 IPFilter
  [block pass] [in out] [quick,log,on IF] [proto {tcp/udp tcp udp icmp}] [IP-set]
quick block pass (block,pass count,skip,auth,call ) in out on IF ifconfig lnc0 on lnc0 log ( ) quick ( head

16 3 II
) IPFilter quick
proto 4 tcp/udp tcp udp icmp TCP UDP TCP UDP ICMP proto /etc/services OSPF
  pass in quick proto 89 all
  pass out quick proto 89 all
(OSPF 89 ) proto
IP-set 172.16.1.1
  from 172.16.1.1 to any
any 10/8 192.168.0.0/16
  from 10.0.0.0/8 to 192.168.0.0/16
mask
  from 10.0.0.0 mask 255.0.0.0 to 192.168.0.0 mask 255.255.0.0
from any to any all
WWW
  from any to 172.16.1.1 port = 80
>< Port 6000 6063
  from any to 172.16.1.2 port 5999 >< 6064

3.2. 17
5999 6064 > <!= >= <= http://www.obfuscation.org/ipf/ipf-howto.txt
3.2.2 log ipmon
IPFILTER_LOG ( ) ipmon /etc/rc.conf
  ipmon_enable="yes"
( )
  ipmon_flags="-ds"  # typically "-Ds" or "-D /var/log/ipflog"
syslog local0.* /etc/syslog.conf
  ipmon_flags="-d /var/log/iplog"
/var/log/iplog ( touch /var/log/iplog )
  # /etc/rc.d/ipmon restart
syslog /etc/syslog.conf *.emerg local0.* syslogd
  *.emerg                       *
  local0.*                      /var/log/iplog

18 3 II
3.2.3 private address spoofing
Internet private address private address OUTIF INIF
  # Deny reserved addresses from outside
  block in log quick on OUTIF from 10.0.0.0/8 to any
  block in log quick on OUTIF from 192.168.0.0/16 to any
  block in log quick on OUTIF from 172.16.0.0/12 to any
200.1.1.0/29
  block in log quick on OUTIF from 200.1.1.0/29 to any
  block out log quick on OUTIF from any to 200.1.1.0/29
  block in log quick on OUTIF from 127.0.0.0/8 to any
  block in log quick on OUTIF from any to 127.0.0.0/8
  pass in quick on lo0 all
  pass out quick on lo0 all
3.2.4 DHCP D,E
  block in quick on OUTIF from any to 0.0.0.0/8
  block in quick on OUTIF from any to 169.254.0.0/16
  block in quick on OUTIF from any to 192.0.2.0/24
  block in quick on OUTIF from any to 224.0.0.0/4
  block in quick on OUTIF from any to 240.0.0.0/4
draft-manning-dsua-03.txt 224.0.0.0/4

3.2. 19
3.2.5 IP IP DoS IP rr ts ssrr lsrr
  block in log quick on OUTIF from any to any with opt rr
  block in log quick on OUTIF from any to any with opt ts
  block in log quick on OUTIF from any to any with opt ssrr
  block in log quick on OUTIF from any to any with opt lsrr
3.2.6 in, out
in, out Outside In Out FireWall out0 in0 Inside Out In 4 IPFilter head OUTIF 100 100
  pass in on OUTIF all head 100
pass block block

20 3 II
  block in on OUTIF all head 100
OUTIF 100 OUTIF 100 ( quick head quick head head quick )
  block in on OUTIF all head 100
  block out on OUTIF all head 200
  pass in on INIF all head 300
  pass out on INIF all head 400
  # pass loop back on lo0
  pass in quick on lo0 all head 500
  pass out quick on lo0 all head 600
  # Deny reserved addresses
  block in log quick from 10.0.0.0/8 to any group 100
  block in log quick from 192.168.0.0/16 to any group 100
  #block in log quick from 172.16.0.0/12 to any group 100
  # Deny ip spoofing
  block in log quick on OUTIF from 200.1.1.0/29 to any group 100
  block out log quick on OUTIF from any to 200.1.1.0/29 group 200
  # loop back
  block in log quick from 127.0.0.0/8 to any group 100
  block in log quick from any to 127.0.0.0/8 group 100
  block in log quick from 127.0.0.0/8 to any group 300
  block in log quick from any to 127.0.0.0/8 group 300
  # other reserved address
  block in quick on OUTIF from any to 0.0.0.0/8 group 100
  block in quick on OUTIF from any to 169.254.0.0/16 group 100
  block in quick on OUTIF from any to 192.0.2.0/24 group 100
  # block in quick on OUTIF from any to 224.0.0.0/4 group 100 # multicast
  block in quick on OUTIF from any to 240.0.0.0/4 group 100
  # IP options
  block in log quick on OUTIF from any to any with opt rr group 100
  block in log quick on OUTIF from any to any with opt ts group 100
  block in log quick on OUTIF from any to any with opt ssrr group 100
  block in log quick on OUTIF from any to any with opt lsrr group 100
group [number] lo0

3.2. 21 172.16.0.0/12 NAT NAT ( NAT ) NAT IP NAT 1 1 NAT 3.2.7 ICMP ICMP ICMP ICMP ICMP type message in out 0 Echo Reply pass block 3 Host Unreachable pass pass 4 Source Quench pass pass 5 Redirect block block 8 Echo block pass 9 Router Advertisement block block 10 Router Solicitation block block 11 TTL Exceeded pass pass 12 Parameter Problem pass pass 13 Time Stamp block block 14 Time Stamp Reply block block 15 Information Request block block 16 Information Request Reply block block 17 Address Mask Request block block 18 Address Mask Request Reply block block

22 3 II
3 out 4 source quench Echo Reply ( IPFilter )
  pass in quick proto icmp all icmp-type 0 group 100
  pass in quick proto icmp all icmp-type 3 group 100
  pass in quick proto icmp all icmp-type 4 group 100
  #pass in quick proto icmp all icmp-type 8 group 100 # for test
  pass in quick proto icmp all icmp-type 11 group 100
  pass in quick proto icmp all icmp-type 12 group 100
  #pass out quick proto icmp all icmp-type 0 group 200 # for test
  pass out quick proto icmp all icmp-type 3 group 200
  pass out quick proto icmp all icmp-type 4 group 200
  pass out quick proto icmp all icmp-type 8 group 200
  pass out quick proto icmp all icmp-type 11 group 200
  pass out quick proto icmp all icmp-type 12 group 200
Echo ( )
3.2.8 Mail Web
Web Web TCP 3 setup SYN SYN+ACK ACK ACK established setup IPFilter keep state keep state stateful TCP keep state TCP flags S SYN

3.2. 23
(MAIL)
  pass in quick proto tcp from any to MAIL port = 25 flags S keep state group 100
  pass out quick proto tcp from MAIL to any port = 25 flags S keep state group 200
Web server(www)
  pass in quick proto tcp from any to WWW port = 80 flags S keep state group 100
  pass out quick proto tcp from any to any port = 80 flags S keep state group 200
Web 80 from any IP
1. flags S
flags S flags SYN U(RG),A(CK),P(SH),R(ST),S(YN),F(IN) ( U,A,P,R,F ) SA (SYN+ACK) flags S/SA SA SYN S/SA S U,P,R,F SF SA
       UAPRSF
  S    000010
  SF   000011
  SA   010010
  SF & SA = 000010 = S
  SAF(010011) & SA(010010) = (010010), not S(000010)
SAF flags S/SA flags /S flags S/SA SF RFC1322 TCP/IP Web SF SR,SU,SP

24 3 II
flags S SF flags S/SUAPR
2. keep frags SYN keep state keep frags ( )
  pass in quick proto tcp from any to WWW port = 80 flags S keep state keep frags group 100
  pass out quick proto tcp from any to any port = 80 flags S keep state keep frags group 200
( ) Mail NTP (Network Time Protocol port=123) NNTP(Network News Transfer Protocol port=119) mail
3.2.9 DNS query
DNS query DNS 53 DNS query UDP (TCP DNS ) stateless UDP DNS 53 IPFilter keep state
  pass in quick proto udp from any to MYDNS port = 53 group 100
  pass in quick proto udp from any port = 53 to any group 100
  pass out quick proto udp from MYDNS port = 53 to any group 200
  pass out quick proto udp from any to any port = 53 group 200
MYDNS DNS to any from any stateless stateful

3.2. 25
  pass in quick proto udp from any to MYDNS port = 53 keep state group 100
  pass out quick proto udp from any to any port = 53 keep state group 200
DNS port 53
  pass in quick proto udp from any to MYDNS port = 53 keep state group 100
  pass out quick proto udp from MYDNS port = 53 to any port = 53 keep state group 200
nslookup DNS query response DNS UDP 53 (DNS 53 )
3.2.10
  pass out quick proto tcp from INSIDE port >= 1024 to any flags S keep state keep frags group 200
( ) INSIDE IPFilter keep state TCP UDP ICMP 60 ICMP ICMP traceroute block ICMP
  pass out proto udp from any to any port 33434 >< 33690 keep state group 200
ICMP Echo ICMP EchoReply
  pass out proto icmp from INSIDE to any icmp-type echo keep state group 200
3.2.11 SSH(Secure SHell)

26 3 II
SSH 22 SSH
  pass in quick proto tcp from any port >= 1024 to SSH port = 22 flags S keep state keep frags group 200
( )
3.2.12 0 1023 quick
  block in from any to INSIDE port < 1024 group 100
ICMP unreachable IP IP IP ( )
  # block with port unreachable
  block return-icmp-as-dest(port-unr) in from any to INSIDE port < 1024 group 100
1025       listener
1433       SQLSPIDA
1434       Slammer for MS SQL
1524       ingreslock
2000       openwin
2049       NFS
2766       listener(systemv)
6000-6063  X11
6667       IRC
7100       Sun Font server(tcp)
3.2.13

3.2. 27
  #
  block in on OUTIF all head 100
  block out on OUTIF all head 200
  pass in on INIF all head 300
  pass out on INIF all head 400
  # pass loop back on lo0
  pass in quick on lo0 all head 500
  pass out quick on lo0 all head 600
  #
  block in log quick from any to any with ipopts group 100
  block in log quick proto tcp from any to any with short group 100
  #
  # Deny reserved addresses
  block in log quick from 10.0.0.0/8 to any group 100
  block in log quick from 192.168.0.0/16 to any group 100
  #block in log quick from 172.16.0.0/12 to any group 100
  #
  # Deny ip spoofing
  block in log quick from 200.1.1.0/29 to any group 100
  block out log quick from any to 200.1.1.0/29 group 200
  #
  # block from loop back address
  block in log quick from 127.0.0.0/8 to any group 100
  block in log quick from any to 127.0.0.0/8 group 100
  block in log quick from 127.0.0.0/8 to any group 300
  block in log quick from any to 127.0.0.0/8 group 300
  #
  # /* */
28 3 II
  # block other reserved address
  block in quick from any to 0.0.0.0/8 group 100
  block in quick from any to 169.254.0.0/16 group 100
  block in quick from any to 192.0.2.0/24 group 100
  # block in quick on OUTIF from any to 224.0.0.0/4 group 100 # multicast
  #block in quick from any to 240.0.0.0/4 group 100
  # block irregular IP options
  block in log quick from any to any with opt rr group 100
  block in log quick from any to any with opt ts group 100
  block in log quick from any to any with opt ssrr group 100
  block in log quick from any to any with opt lsrr group 100
  #
  # ICMP
  pass in quick proto icmp all icmp-type 0 group 100 # for test
  pass in quick proto icmp all icmp-type 3 group 100
  pass in quick proto icmp all icmp-type 4 group 100
  pass in quick proto icmp all icmp-type 8 group 100 # for test
  pass in quick proto icmp all icmp-type 11 group 100
  pass in quick proto icmp all icmp-type 12 group 100
  pass out quick proto icmp all icmp-type 0 group 200 # for test
  pass out quick proto icmp all icmp-type 3 group 200
  pass out quick proto icmp all icmp-type 4 group 200
  #pass out quick proto icmp all icmp-type 8 keep state group 200
  pass out quick proto icmp all icmp-type 8 group 200 # for test
  pass out quick proto icmp all icmp-type 11 group 200
  pass out quick proto icmp all icmp-type 12 group 200
  #
  pass in quick proto icmp all icmp-type 0 group 300
  pass in quick proto icmp all icmp-type 3 group 300
  pass in quick proto icmp all icmp-type 4 group 300
  pass in quick proto icmp all icmp-type 8 group 300
  pass in quick proto icmp all icmp-type 11 group 300
  pass in quick proto icmp all icmp-type 12 group 300
  pass out quick proto icmp all icmp-type 0 group 400
  pass out quick proto icmp all icmp-type 3 group 400
  pass out quick proto icmp all icmp-type 4 group 400
  pass out quick proto icmp all icmp-type 8 group 400
  pass out quick proto icmp all icmp-type 11 group 400
  pass out quick proto icmp all icmp-type 12 group 400
  #
  # default block access to FIREWALL from outside
  block return-icmp-as-dest(port-unr) in from any to FIREWALL group 100
  #
  # ssh to FIREWALL from inside
  pass in quick proto tcp from any to FIREWALL port = 22 flags S keep state keep frags group 300
  #
  # /* */

3.2. 29
  # traceroute to outside
  pass out proto udp from any to any port 33434 >< 33690 keep state group 200
  # DNS
  pass in quick proto udp from any to MYDNS port = 53 keep state group 100
  pass out quick proto udp from any to any port = 53 keep state group 200
  # mail
  pass in quick proto tcp from any to MAIL port = 25 flags S keep state group 100
  pass out quick proto tcp from MAIL to any port = 25 flags S keep state group 200
  # WWW
  pass in quick proto tcp from any to WWW port = 80 flags S keep state group 100
  pass out quick proto tcp from any to any port = 80 flags S keep state group 200
  #
  #
  # write any services to pass
WWW,MAIL,FIREWALL IP mail gateway DNS
3.2.14 rule ipftest SYN ICMP tcp
  in on OUTIF tcp 200.2.1.1,20000 192.168.1.1,80 S
  out on OUTIF tcp 192.168.1.1,80 200.2.1.1,20000 SA
  in on OUTIF tcp 200.2.1.1,20000 192.168.1.1,80 A
  out on OUTIF tcp 192.168.1.1,80 200.2.1.1,20000 A
  in on OUTIF tcp 200.2.1.1,20000 192.168.1.1,80 A
  out on OUTIF tcp 192.168.1.1,80 200.2.1.1,20000 FA
  in on OUTIF tcp 200.2.1.1,20000 192.168.1.1,80 A
  in on OUTIF tcp 200.2.1.1,20000 192.168.1.1,80 FA
  out on OUTIF tcp 192.168.1.1,80 200.2.1.1,20000 A
200.2.1.1,20000 192.168.1.1,80 TCP

30 3 II
  in on OUTIF tcp 200.2.1.1,20000 192.168.1.1,80 S
  in on OUTIF tcp 200.2.1.1,20000 192.168.1.1,80 SA
  in on OUTIF tcp 200.2.1.1,20000 192.168.1.1,80 SFP
  in on OUTIF tcp 200.2.1.1,20000 192.168.1.1,80 SPU
ICMP
  in on OUTIF icmp 200.2.1.1 192.168.1.1 echo
  in on OUTIF icmp 200.2.1.1 192.168.1.1 echorep
  in on OUTIF icmp 200.2.1.1 192.168.1.1 unreach
ICMP IPFilter ICMP type unreach, echo, echorep, squench, redir, timex, paramprob, timest, timestrep, inforeq, inforep, maskreq, maskrep, routerad, routersol
UDP keep state keep state IP TCP man IPFilter
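The head/group, quick, flags S/SA and keep state behaviour covered in 3.2.6, 3.2.8 and 3.2.14, as an added toy evaluator written for this text (it is not ipf or ipftest, and not code from the original) and run over the 3.2.14 packet sequence. The WWW address, the trimmed rule subset and the client address are constructed, and the reading of a bare "flags S" as "flags S/SA" follows this text.

```python
import ipaddress

TCP_FLAGS = {"U": 0x20, "A": 0x10, "P": 0x08, "R": 0x04, "S": 0x02, "F": 0x01}
HOSTS = {"WWW": "192.168.1.1/32"}   # constructed value for the page's WWW macro

def bits(letters):
    return sum(TCP_FLAGS[c] for c in letters)

def flags_match(spec, pkt_flags):
    # 'flags X/Y': (packet flags & Y) == X.  A bare 'flags X' is read as X/SA, the
    # shorthand this text gives for 'flags S' (assumption taken from the page).
    want, _, mask = spec.partition("/")
    return (bits(pkt_flags) & bits(mask or "SA")) == bits(want)

def parse_rule(line):
    """Subset: action dir [quick] [log] [on IF] [proto P] (all | from A [port = N] to B
    [port = N]) [flags X[/Y]] [keep state] [head N] [group N]."""
    t = line.split()
    r = {"action": t[0], "dir": t[1], "quick": "quick" in t, "keep_state": "state" in t,
         "iface": None, "proto": None, "flags": None, "head": None, "group": None,
         "src": None, "sport": None, "dst": None, "dport": None}
    i = 2
    while i < len(t):
        key, arg = t[i], t[i + 1] if i + 1 < len(t) else None
        if key in ("on", "proto", "flags"):
            r["iface" if key == "on" else key] = arg
        elif key in ("head", "group"):
            r[key] = int(arg)
        elif key in ("from", "to"):
            side = "src" if key == "from" else "dst"
            r[side] = None if arg == "any" else ipaddress.ip_network(HOSTS.get(arg, arg))
            if t[i + 2:i + 4] == ["port", "="]:
                r["sport" if side == "src" else "dport"] = int(t[i + 4])
                i += 3
        else:                       # all, quick, log, keep, state: no operand
            i -= 1
        i += 2
    return r

def rule_matches(r, p):
    return (all(r[k] in (None, p[k]) for k in ("dir", "iface", "proto", "sport", "dport"))
            and all(r[s] is None or ipaddress.ip_address(p[s]) in r[s] for s in ("src", "dst"))
            and (not r["flags"] or flags_match(r["flags"], p["flags"])))

class Firewall:
    def __init__(self, ruleset):
        self.groups = {}            # group number -> rules; 0 is the top level
        for line in ruleset.splitlines():
            line = line.split("#")[0].strip()
            if line:
                r = parse_rule(line)
                self.groups.setdefault(r["group"] or 0, []).append(r)
        self.state = set()          # flows admitted by a 'keep state' rule

    def _walk(self, group, p):
        # Last match wins; 'quick' stops the search; a matching 'head' rule descends into
        # its group, and the head's own action stands only if nothing there matches.
        result = (None, False)      # (action, keep_state of the deciding rule)
        for r in self.groups.get(group, []):
            if not rule_matches(r, p):
                continue
            result, stop = (r["action"], r["keep_state"]), r["quick"]
            if r["head"] is not None:
                sub = self._walk(r["head"], p)
                result, stop = (sub[:2] if sub[0] is not None else result), stop or sub[2]
            if stop:
                return result + (True,)
        return result + (False,)

    def filter(self, p):
        flow = (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])
        if flow in self.state or flow[:1] + flow[3:] + flow[1:3] in self.state:
            return "pass (state)"   # the state table is consulted before any rule
        action, keep, _ = self._walk(0, p)
        action = action or "pass"   # nothing matched: pass (no IPFILTER_DEFAULT_BLOCK)
        if action == "pass" and keep:
            self.state.add(flow)
        return action

# Constructed subset of the 3.2.13 rule set: OUTIF heads, a spoofing check, WWW rules.
RULES = """
block in on OUTIF all head 100
block out on OUTIF all head 200
block in log quick from 10.0.0.0/8 to any group 100
pass in quick proto tcp from any to WWW port = 80 flags S keep state group 100
pass out quick proto tcp from any to any port = 80 flags S keep state group 200
"""

def tcp(direction, flags, client=("200.2.1.1", 20000), server=("192.168.1.1", 80)):
    src, dst = (client, server) if direction == "in" else (server, client)
    return {"dir": direction, "iface": "OUTIF", "proto": "tcp", "flags": flags,
            "src": src[0], "sport": src[1], "dst": dst[0], "dport": dst[1]}

def handshake_results(stateful=True):
    # The 3.2.14 sequence: in S, out SA, in A, in FA between 200.2.1.1,20000 and WWW,80;
    # stateful=False skips the SYN, so no state exists and later segments hit the rules.
    fw = Firewall(RULES)
    seq = [tcp("in", "S"), tcp("out", "SA"), tcp("in", "A"), tcp("in", "FA")]
    return [fw.filter(p) for p in (seq if stateful else seq[1:])]
```

Without the SYN the SA, A and FA segments fall through to the head rules and are blocked, which is the point of pairing flags S with keep state; note that flags S/SUAPR still lets an SF segment through because F is not in the mask, which is why the text lists SF separately.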

3.3. 31 3.3 3.1 /etc/ipf.rules pass in all pass out all /etc/rc.conf ipfilter_enable="yes" 3.2 ICMP ipftest ( ) 3.3 ICMP ping quick log ( ) ping ipfstat -io 3.4 ICMP ping ( ) log

32 3 II 3.4 3.5 (TCP port 25) DNS(UDP port 53) ipftest (port 25 tcp port53 UDP ) 3.6 ( ) ipftest TCP,UDP 3.7 spoofing, loopback 10/8, 172.16.0/24, 172.17.0/24 head, group 4

33 4 RIP RIP 4.1 ( ) ( forwarding) A B x y w z A B ( A,B,x,y,z,w ) A B A ( ) x z A x,z y w A x A,z,y A B 1 A->x->y->B 3 A->z->x->y->B 4 A->z->w->B RIP RIP ( )

34 4 RIP (Poison reverse) RIP A B B z ( ) OSPF 4.1.1 Internet Exterior Gateway Protocol (EGP) Interior Gateway Protocol (IGP) EGP IGP ( IGP ) IGP EGP IGP EGP BGP4 (Border Gateway Protocol version 4) IGP IS-IS, OSPF, RIP OSPF( Open Shortest Path First) (IETF: Internet Engineering Task Force) RIP (Routing Informationn Protocol) RIP,OSPF BGP4 4.1.2 ( Distance Vector Type) (Link State Type) RIP BGP IS-IS OSPF

4.2. RIP 35 4.2 RIP ( ) A,B B 192.168.0.0/24 A 192.168.0.0/24 B B A B A 192.168.0.0/24 A,B C,D C A D B,C B D B 192.168.0.0/24 2 D B,D B 192.168.0.0/24 3

36 4 RIP 1 D B 192.168.0.0/24 3 C D C 192.168.0.0/24 3 D C 192.168.0.0/24 2 D C 192.168.0.0/24 4 D D 1 B 192.168.0.0/24 3 2 C 192.168.0.0/24 4 1 192.168.0.0/24 B D A B,C D B,C B B 1 A 192.168.0.0/24 2 2 D 192.168.0.0/24 4 1 ( ) A 192.168.0.0/24 RIP A ( Poison reverse (16) ) B

4.2. RIP 37 B 1 D 192.168.0.0/24 4 B D 192.168.0.0/24 D ( C ) D 1 B 192.168.0.0/24 5 B 6 B 1 D 192.168.0.0/24 6 ( ) RIP 16 RIP RIP ( ) 16 ( 15 ) 15 RIP ( RIP 30 ) BGP ( ) BGP RIP (1 2 ) RIP ( ) OSPF OSPF RIP OSPF RIP

38 4 RIP 4.3 Quagga Quagga Unix zebra bgpd, ripd, ospfd Quagga Zebra (ZebOS ) Zebra Quagga Zebra Quagga 0.99 Quagga Zebra zebra 4.3.1 Quagga Quagga Quagga /usr/local/share/examples/quagga/ bgpd.conf.sample ospfd.conf.sample vtysh.conf.sample bgpd.conf.sample2 ripd.conf.sample zebra.conf.sample ospf6d.conf.sample ripngd.conf.sample Cisco CUI (CLI) (Quagga VTY ) Quagga FreeBSD /etc/services Quagga

4.3. Quagga 39
  zebrasrv  2600/tcp  #zebra service
  zebra     2601/tcp  #zebra vty
  ripd      2602/tcp  #RIPd vty
  ripngd    2603/tcp  #RIPngd vty
  ospfd     2604/tcp  #OSPFd vty
  bgpd      2605/tcp  #BGPd vty
  ospf6d    2606/tcp  #OSPF6d vty
4.3.2 zebra
zebra zebra zebra.conf
  !
  ! zebra configuration
  !
  hostname pcss001
  password zebra
  enable password zebra
  service password-encryption
  log file /var/log/zebra.log
  !
  interface le0
  ! multicast
  interface ue0
   multicast
  ! shutdown
  !
  !ip route 0.0.0.0/0 172.16.1.1
  !
hostname zebra password view enable password

40 4 RIP service password-encryption write ( ) log file interface write shutdown ip route static ripd, ospfd static (redistribute) /etc/rc.conf static routing zebra RIP ip route zebra.conf Quagga 4.3.3 ripd RIP ripd.conf ripd.conf RIP zebra

4.3. Quagga 41
  !
  ! $Id: ripd.conf, 2008/04/01 $
  !
  hostname pcss001
  password zebra
  !
  ! debug rip events
  ! debug rip packet
  !
  router rip
  !
   network ue0
   network le0
  ! network 11.0.0.0/0
  ! network eth0
  ! distribute-list private-only
  !
  ! access-list private-only permit 10.0.0.0/8
  ! access-list private-only deny any
  !
   log file /var/log/ripd.log
  !
   log stdout
router rip RIP network <interface name> RIP IP network 172.16.1.3/24 log stdout log file /var/log/ripd.log

42 4 RIP 1. passive-interface <interface name> RIP 2. deault-information originate RIP default RIP 3. redistribute connected RIP 4. redistribute ospf OSPF RIP 5. redistribute bgp BGP RIP 6. redistribute static Quagga RIP 7. redistribute kernel RIP 4.3.4 Quagga zebra, ospfd, bgpd, ospf6d,ripd,ripngd -d /usr/local/etc/rc.d/quagga start, stop, restart (Zebra zebractl Quagga ) # zebra -d # ripd -d /etc/rc.conf quagga_enable="yes" /usr/local/etc/rc.d/quagga # /usr/local/etc/rc.d/quagga start stop, restart /etc/rc.conf watchquagga_enable="yes" /usr/local/etc/rc.d/watchquagga (watchquagga Quagga ) # /usr/local/etc/rc.d/watchquagga start stop, restart

4.3. Quagga 43
4.3.5 VTY
RIP zebra ripd ( zebra Quagga ) zebra VTY zebra (zebra.conf.sample zebra.conf copy )
  # telnet localhost zebra
(VTY )
  # telnet localhost zebra
  Connected to localhost.
  Escape character is ^].
  Hello, this is zebra (version 0.93b).
  Copyright 1996-2002 Kunihiro Ishiguro.
  User Access Verification
  Password:
  Router>
view privileged ( ) config ( ) help ?
VTY
  > ?
    enable    Turn on privileged mode command
    exit      Exit current mode and down to previous mode
    help      Description of the interactive help system
    list      Print command list
    quit      Exit current mode and down to previous mode
    show      Show running system information
    terminal  Set terminal line parameters
    who       Display who is on vty
show

44 4 RIP
  > show ?
    debugging  Zebra configuration
    history    Display the session command history
    interface  Interface status and configuration
    ip         IP information
    ipv6       IPv6 information
    memory     Memory statistics
    version    Displays zebra version
? help TAB
  > show ip ?
    forwarding  IP forwarding status
    route       IP routing table
zebra K C S zebra R,O,B RIP,OSPF,BGP
  > show ip route
  Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF, B - BGP,
         > - selected route, * - FIB route
  S>* 0.0.0.0/0 [1/0] via 172.16.1.1, le0
  C>* 172.16.1.2/24 is directly connected, le0
  K>* 172.18.1.2/32 via 127.0.0.1, lo0
  C>* 127.0.0.0/8 is directly connected, lo0
privileged( ) enable (en)
  pc2f001-zebra> en
  Password:
  pc2f001-zebra#
Quagga VTY write
  # write
  Configuration saved to /usr/local/etc/quagga/zebra.conf
write terminal write terminal show running-config (

) and show startup-config prints the saved one. ^P recalls the previous command on the VTY, as in tcsh.

ripd has its own VTY, separate from zebra's; RIP is configured there:

    > telnet localhost ripd

VTY modes on ripd: view mode; enable enters privileged mode; configure terminal enters configuration mode; router rip enters RIP configuration mode and interface <if-name> enters interface configuration mode. ? lists the commands of each mode. quit (or exit) goes back one level and end returns to privileged mode; write saves the configuration.

vtysh is a single shell over the VTYs of all running daemons; vtysh -c [command] runs one command and exits:

    # vtysh -c sh ip rip

4.4 RIP

Check the routes RIP learned with show ip rip on the ripd VTY. (Lab example: 172.16.0.0/24, 172.16.1.0/24 and 172.16.2.0/24, with the same network seen at Metric 3 over one path and Metric 2 over the other.)

An entry such as 172.16.0.0/24 shown with Metric 16 is poison reverse: a route is advertised back out of the interface it was learned on with cost 16 (infinity), and Quagga lists such routes with Metric 16 rather than suppressing them.

172.16.0.0/24 (172.16/24)

4.5

4.1 Install Quagga: pkg_add -r quagga

4.2 Packet filter (ipf) rules for the RIP/OSPF exercise. out0 and in0 are the outside and inside interfaces; only the listed ICMP types pass, all other ICMP is blocked:

    # out0, in0
    pass in on out0 all head 100
    pass out on out0 all head 200
    pass in on in0 all head 300
    pass out on in0 all head 400
    #
    pass in quick on lo0 all
    pass out quick on lo0 all
    #
    # ICMP: 0 echo reply, 3 destination unreachable, 4 source quench,
    # 8 echo request, 11 time exceeded
    pass in quick proto icmp all icmp-type 0 group 100
    pass in quick proto icmp all icmp-type 3 group 100
    pass in quick proto icmp all icmp-type 4 group 100
    pass in quick proto icmp all icmp-type 8 group 100
    pass in quick proto icmp all icmp-type 11 group 100
    pass out quick proto icmp all icmp-type 0 group 200
    pass out quick proto icmp all icmp-type 3 group 200
    pass out quick proto icmp all icmp-type 4 group 200
    pass out quick proto icmp all icmp-type 8 group 200
    pass out quick proto icmp all icmp-type 11 group 200
    #
    block in quick proto icmp all group 100
    block out quick proto icmp all group 200

4.3 Put a static default route in zebra.conf. Delete the kernel's existing default route (172.16.1.1, 10.120.254.254) first so that the default route installed by zebra is the one in use:

    # route delete default 172.16.1.1

4.4 Configure RIP in ripd.conf (excerpt):

    router rip
    ...
     passive-interface ue0
    ! RIP
     default-information originate
    ! default routing

then start zebra and ripd.

4.5 With zebra and ripd running, delete the kernel default route again and confirm that RIP supplies it:

    # route delete default 172.16.1.1

4.6 With zebra and ripd running, connect to ripd (telnet localhost ripd) and check the RIP table with show ip rip.

51 5 OSPF RIP ( ) OSPF(Open Shortest Path First) IS-IS(Intermediate System-to-Intermediate System) OSPF 5.1 OSPF (Link State) OSPF OSPF ( LSA: Link State Advertisement) LSA LSA (LSDB: Link State Database) Shortest Path First(SPF) OSPF (IGP IS-IS ) RIP OSPF (2byte) A B A OSPF LSA OSPF

52 5 OSPF 5.1.1 (LSA) (LSA) LSA LSA LSA (flooding: ) LSA (flood) LSA LSDB LSA OSPF 4 3 4 6 LSA 3 LSA 3 LSA 2 LSA 3 9 LSA LSA 12 LSA ( 5.1) 5.1: LSA OSPF (Designated Router:DR) LSA LSA 3 ( 5.2) DR DR OSPF DR (Backup Designated Router:BDR) BDR DR

5.1. OSPF 53 5.2: LSA LSA LSA LSDB ( LSA LSDB ) LSA LSA OSPF LSA Router LSA ( Router LSA ) hello hello LSA hello ( RIP RIP ) Network LSA Network LSA OSPF LSA ( ) OSPF (AllSPFRouters:224.0.0.5 AllDRouters:224.0.0.6) ( OSPF ) OSPF (Zebra )

54 5 OSPF 5.2 TCP/IP IGMP(Internet Group Management Protocol) IGMP L2 L3 L2 L3 IP ( L3 ) OSPF IP 224.0.0.0/4 AllSPFRouters(224.0.0.5) IGMP OSPF LSA LSA 5.3 OSPF OSPF OSPF CPU OSPF OSPF LSA (Router LSA Network LSA) Summary LSA LSA 32bit ID (IP 1byte x.x.x.x IP ) 0.0.0.0 ( 5.3)

5.3. OSPF 55 5.3: OSPF Network (ABR: Area Border Router) Summary LSA ABR OSPF IGP BGP OSPF AS (ASBR: AS Border Router) AS OSPF (AS external LSA) LSA ( AS external LSA ) 1. AS (Autonomous System) AS AS AS 5.3.1 OSPF 0 1,2 1 1 ABR SummaryLSA 2 ABR 2 3

56 5 OSPF 5.4: 3 3 R3 SummaryLSA R1 2 3 ( ) LSDB OSPF 2 R2 1 3 Network LSA Router LSA Summary LSA OSPF OSPF ( RIP ) OSPF ( ) OSPF 90 200 Summary OSPFv3 OSPF

5.4 ospfd

OSPF is run by ospfd; zebra must be running as well.

    !
    ! OSPFd config
    !
    hostname pcs001-ospfd
    password zebra
    enable password zebra
    service password-encryption
    log file /var/log/ospfd.log
    !
    router ospf
    !
     ospf router-id 202.11.99.9
     network 202.11.99.8/29 area 0
     network 10.254.8.0/24 area 0
    line vty

(password zebra is the sample password; outside a lab, change it and bind the VTY to the loopback with the daemon's -A 127.0.0.1 option, since the VTY otherwise listens on every address.)

Commands under router ospf:

1. router ospf : start the OSPF process.
2. ospf router-id <32-bit ID> : the Router ID, a 32-bit value written like an IPv4 address (x.x.x.x). It does not have to be one of the router's IP addresses, but it must be unique. The Router ID is the tiebreaker in designated router election after ip ospf priority.
3. network <network/mask> area <area ID> : run OSPF on every interface whose address falls inside network, in the given area. Area 0 is the backbone; the area ID is a 32-bit value written as a number or in x.x.x.x form.

The same settings can be entered on the ospfd VTY (Quagga's VTY is the same for every daemon) in config, router, interface and line mode, and saved with write.

58 5 OSPF! ospf config!! [ ] interface fxp0...! [ fxp0 ] interface rl0...! [ rl0 ] router ospf! [ ospf ] line vty [ VTY ] (IP up ) VTY ( zebra ) Quagga no 5.4.1 ospf router ospf router ( ) 1. passive-interface <interface name> 2. auto-cost reference-bandwidth <1-4294967> OSPF ( ) N = (M bps) N 1000 100M 10 10M 100

5.4. ospfd 59 10 100 OSPF N N 100 1Gbps N 1000 ( N 10 ) 10G N 10 N 3. area <area ID> virtual-link <router ID> area ID IP (x.x.x.x) 32bit( ) router ID ABR(Area Border Router) ID ID IP IP ID ABR 4. default-information originate ASBR(AS ) external LSA default ASBR 5.4.2 ospf rip OSPF RIP RIP RIP OSPF Quagga rip ospf zebra 1. redistribute rip ospf rip zebra ospf OSPF zebra rip 2. redistribute connected ospf rip ospf rip ospf rip rip zebra ospf OSPF

60 5 OSPF 1. rip rip ospf ( rip ospf ) rip ospf redistribute ripd.conf (a) redistribute ospf (b) redistribute connected 5.4.3 interface OSPF 1. ip ospf priority <0-255> ( ) 0 2. ip ospf cost <1-65535> 10 11 10 OSPF 9 11 ( 9 11 20 ) 5.5 OSPF OSPF traceroute traceroute UDP TTL ICMP unreachable (OSPF ) OSPF OSPF ICMP redirect ICMP redirect

(If the default route is to come from OSPF, remove the kernel default route first.)

    # route flush

Checking OSPF is done from the ospfd VTY (view mode is enough):

1. show ip ospf : the state of the OSPF process.

    ospfd# show ip ospf
     OSPF Routing Process, Router ID: 202.11.99.9
     Supports only single TOS (TOS0) routes
     This implementation conforms to RFC2328
     RFC1583Compatibility flag is disabled
     SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
     Refresh timer 10 secs
     Number of external LSA 1
     Number of areas attached to this router: 1
     Area ID: 0.0.0.0 (Backbone)
       Number of interfaces in this area: Total: 2, Active: 4
       Number of fully adjacent neighbors in this area: 3
       Area has no authentication
       SPF algorithm executed 40 times
       Number of LSA 9

Read off the Router ID, the number of AS-external LSAs, the areas this router belongs to (here only area 0.0.0.0), the number of fully adjacent neighbors (Number of fully adjacent neighbors in this area:) and the LSA count. Area has no authentication means any host on the segment can exchange LSAs with this router; in production enable area authentication (area 0 authentication message-digest plus ip ospf message-digest-key on the interfaces).

2. show ip ospf interface

    ospfd# show ip ospf interface
    rl0 is up, line protocol is up
      Internet Address 202.11.99.9/29, Area 0.0.0.0
      Router ID 202.11.99.9, Network Type BROADCAST, Cost: 10
      Transmit Delay is 1 sec, State DR, Priority 1
      Designated Router (ID) 202.11.99.9, Interface Address 202.11.99.9
      Backup Designated Router (ID) 202.11.99.10, Interface Address 202.11.99.10
      Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
        Hello due in 00:00:01
      Neighbor Count is 2, Adjacent neighbor count is 2

rl0 has address 202.11.99.9/29 in area 0, Router ID 202.11.99.9, cost 10. State DR means this router is the designated router on the segment; the Backup DR is 202.11.99.10. Timer intervals: Hello every 10 s, Dead 40 s (the Wait timer equals the Dead interval), LSA retransmission every 5 s. Neighbor Count is every router heard on the segment, Adjacent neighbor count those with a full adjacency; on a DR the two are equal.

    fxp0 is up, line protocol is up
      Internet Address 10.254.8.13/24, Area 0.0.0.0
      Router ID 202.11.99.9, Network Type BROADCAST, Cost: 10
      Transmit Delay is 1 sec, State Backup, Priority 1
      Designated Router (ID) 202.11.99.81, Interface Address 10.254.8.111
      Backup Designated Router (ID) 10.254.8.13, Interface Address 10.254.8.13
      Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
        Hello due in 00:00:02
      Neighbor Count is 1, Adjacent neighbor count is 1

On fxp0 this router is the Backup DR; the DR is 10.254.8.111 (Router ID 202.11.99.81). The Backup Designated Router (ID) is printed as 10.254.8.13, the interface address, rather than as the Router ID. Interfaces on which OSPF is not running (lo0 and the others) are listed as well:

    faith0 is down, line protocol is down
      OSPF not enabled on this interface
    lo0 is up, line protocol is up
      OSPF not enabled on this interface
    ppp0 is down, line protocol is down
      OSPF not enabled on this interface
    sl0 is down, line protocol is down
      OSPF not enabled on this interface

3. show ip ospf neighbor : the neighbor table.

    ospfd# show ip ospf neighbor
    Neighbor ID     Pri  State         Dead Time Address       Interface          RXmtL RqstL DBsmL
    202.11.99.10      1  Full/DROther  00:00:32  202.11.99.10  rl0:202.11.99.9        0     0     0
    202.11.99.33      1  Full/DR       00:00:32  10.254.8.32   fxp0:10.254.8.32       0     0     0
    202.11.99.49      1  Full/Backup   00:00:34  10.254.8.49   fxp0:10.254.8.32       0     0     0

State shows the adjacency state before the slash and the neighbor's role after it. Full is a complete adjacency; 2-Way (twoway) is the state between two routers that are neither DR nor Backup, which hear each other but do not exchange databases. The role is DR, Backup or DROther.

4. show ip ospf route : the routes OSPF computed from the LSDB. The default route comes from the AS-external LSA originated by the ASBR, 202.11.99.81.

    ospfd# show ip ospf route
    ============ OSPF network routing table ============
    N    202.11.99.8/29        [10] area: 0.0.0.0
                               directly attached to rl0
    N    202.11.99.16/24       [10] area: 0.0.0.0
                               directly attached to fxp0
    N    202.11.99.24/24       [10] area: 0.0.0.0
                               directly attached to fxp0
    N    202.11.99.32/24       [10] area: 0.0.0.0
                               directly attached to fxp0

    ============ OSPF router routing table =============
    R    202.11.99.254         [10] area: 0.0.0.0, ASBR
                               via 202.11.99.81, fxp0

    ============ OSPF external routing table ===========
    N E2 0.0.0.0/0             [10/10] tag: 0
                               via 202.11.99.81, fxp0

5. show ip ospf database : the LSDB (Link State Database), one line per LSA. Age is the LSA's age in seconds. An LSA is discarded when its age reaches MaxAge, 3600 s (1 hour); the originating router re-floods it every 30 minutes (1800 s), so an age above 1800 means the originator has stopped refreshing it.

    ospfd# sh ip ospf database

           OSPF Router with ID (202.11.99.17)

                    Router Link States (Area 0.0.0.0)

    Link ID         ADV Router      Age  Seq#       CkSum  Link count
    202.11.99.9     202.11.99.9      960 0x80000019 0x193f 2
    202.11.99.17    202.11.99.17     460 0x80000017 0x6a32 2
    202.11.99.25    202.11.99.25     959 0x80000013 0xaf6b 2
    202.11.99.33    202.11.99.33     971 0x80000006 0x0d60 2
    202.11.99.41    202.11.99.41     459 0x80000018 0xfb12 2
    255.0.0.2       255.0.0.2        968 0x8000001a 0xea04 2

                    Net Link States (Area 0.0.0.0)

    Link ID         ADV Router      Age  Seq#       CkSum
    202.11.99.9     202.11.99.97     955 0x80000005 0xed45
    202.11.99.17    202.11.99.17     459 0x80000004 0x2264
    202.11.99.81    202.11.99.81     968 0x80000008 0x1d23

                    AS External Link States

    Link ID         ADV Router      Age  Seq#       CkSum  Route
    0.0.0.0         202.11.99.81     367 0x80000004 0x8fbc E2 0.0.0.0/0 [0x0]
    0.0.0.1
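The LSDB listing above is worth checking mechanically rather than by eye: in an area without authentication every router on the segment is trusted, so an ADV Router you did not deploy, or an LSA whose age keeps climbing past the refresh interval, are the first things to look for. The following Python is an added example, not part of this text or of Quagga. SAMPLE is the page's database listing re-typed as a constructed input; TRUSTED is a constructed set of the Router IDs that are supposed to originate LSAs here, and MAX_AGE and REFRESH are the RFC 2328 constants.

```python
"""Audit of 'show ip ospf database' output (added example; not from the
text or from Quagga). Flags LSAs from routers not in a trusted set and
LSAs that have aged past the refresh interval without being re-flooded."""
from dataclasses import dataclass

MAX_AGE = 3600   # RFC 2328 MaxAge, seconds
REFRESH = 1800   # LSRefreshTime: originators re-flood at half MaxAge

# Constructed sample: the page's LSDB listing re-typed.
SAMPLE = """\
       OSPF Router with ID (202.11.99.17)

                Router Link States (Area 0.0.0.0)

Link ID         ADV Router      Age  Seq#       CkSum  Link count
202.11.99.9     202.11.99.9      960 0x80000019 0x193f 2
202.11.99.17    202.11.99.17     460 0x80000017 0x6a32 2
202.11.99.25    202.11.99.25     959 0x80000013 0xaf6b 2
202.11.99.33    202.11.99.33     971 0x80000006 0x0d60 2
202.11.99.41    202.11.99.41     459 0x80000018 0xfb12 2
255.0.0.2       255.0.0.2        968 0x8000001a 0xea04 2

                Net Link States (Area 0.0.0.0)

Link ID         ADV Router      Age  Seq#       CkSum
202.11.99.9     202.11.99.97     955 0x80000005 0xed45
202.11.99.17    202.11.99.17     459 0x80000004 0x2264
202.11.99.81    202.11.99.81     968 0x80000008 0x1d23

                AS External Link States

Link ID         ADV Router      Age  Seq#       CkSum  Route
0.0.0.0         202.11.99.81     367 0x80000004 0x8fbc E2 0.0.0.0/0 [0x0]
"""

# Constructed allow-list of Router IDs that may originate LSAs in this area.
TRUSTED = {"202.11.99.9", "202.11.99.17", "202.11.99.25", "202.11.99.33",
           "202.11.99.41", "202.11.99.81", "202.11.99.97"}


@dataclass
class Lsa:
    kind: str         # "Router", "Net" or "AS External"
    link_id: str
    adv_router: str
    age: int
    seq: int


def parse_lsdb(text):
    """Turn the database listing into Lsa objects, one per table row."""
    lsas, kind = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("OSPF Router") or line.startswith("Link ID"):
            continue
        if " Link States" in line:          # section header names the LSA type
            kind = line.split(" Link States")[0]
            continue
        fields = line.split()
        if kind and len(fields) >= 5:
            lsas.append(Lsa(kind, fields[0], fields[1], int(fields[2]), int(fields[3], 16)))
    return lsas


def audit(lsas, trusted, stale_after=REFRESH):
    """Return findings: untrusted originators and LSAs older than stale_after."""
    findings = []
    for lsa in lsas:
        if lsa.adv_router not in trusted:
            findings.append(f"{lsa.kind} LSA {lsa.link_id}: advertised by "
                            f"untrusted router {lsa.adv_router}")
        if lsa.age >= stale_after:
            findings.append(f"{lsa.kind} LSA {lsa.link_id} from {lsa.adv_router}: "
                            f"age {lsa.age}s, {MAX_AGE - lsa.age}s to MaxAge")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_lsdb(SAMPLE), TRUSTED):
        print(finding)
```

Run against the sample, the only finding is the Router LSA from 255.0.0.2, whose Router ID is not in the trusted set; whether that router is a misconfigured lab host or something else is then a question for the operator, but without area authentication the LSDB alone cannot tell.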

66 5 OSPF 5.6 1 5.1 Quagga /usr/local/etc/quagga/ripd.conf RIP ospf 5.2 default-information originate passive-interface ue0 OSPF Router-ID ( 172.16.N.M ) IP OSPF OSPF 5.3 OSPF show ip ospf neighbor 5.4 (OSPF ) OSPF ( 172.17.X.Y ) OSPF sh ip ospf route

67 6 BGP RIP,OSPF BGP EGP IGP 6.1 BGP BGP BGP RFC1771 RFC2545,2283 (IPv6 ) BGP BGP (AS: Autonomous System) AS AS AS (BR: Border Router) BGP AS AS AS AS (transit) BGP TCP (port179 ) BGP BGP TCP BGP (KeepAlive) (Notification) BGP BGP BGP ( ) BGP BGP BGP BGP AS (2byte) ( ) BGP RIB(Routing Information Base) BGP ASN AS ( ) BGP BGP ( ) AS ( 202.11.0.0/16 )

68 6 BGP 6.2 BGP BGP TCP (ASN,RouterID) BGP BGP AS BGP AS BGP Open ASN,BGP ID BGP ID(4byte) IP IP BGP ID ( ) Update BGP BGP Notification Notification( ) KeepAlive 6.3 BGP well-known( ) optional( ) BGP ORIGIN (Origin AS: AS)AS IGP IGP AS EGP EGP AS INCOMPLETE AS-PATH ASN

6.4. 69 AS SET(AS ) AS ASN 10 AX/24 ASN 11 AY/24 A/16 10 11 AS ( ) {10,11} A/16 AS SEQUENCE AS AS-PATH 3-7-15-{10,11}-78 ( ) NEXT HOP BGP AS AS ( AS ) MULTI EXIT DISCRIMINATOR AS AS AS AS AS ( ) LOCAL PREF AS BGP AS X AS P,Q P,Q ATOMIC AGGREGATE BGP AS BGP BGP AS PATH AS AGGREGATOR AS AS 6.4 BGP BGP IX(Internet exchange) BGP BGP BGP

70 6 BGP RFC 6.5 bgpd 1 BGP bgpd.conf BGP IP 202.11.99.{9,10,11} 202.11.99.9 BGP 3 10.254.8.60 172.17.0.2,172.17.1.2 202.11.99.8/29 202.11.99.9 BGP ASN 65001 65010, 65002 AS 202.11.99.8/29 AS 65001 10.254.8.10 AS 65010 10.254.8.60 202.11.99.80/29 202.11.99.9 202.11.99.10 202.11.99.11 172.17.0.1 172.17.1.1 AS 65002 172.17.0.2 202.11.99.16/29 172.17.1.2

6.5. bgpd 1 71! BGPd config! hostname pc2f001-bgpd password zebra enable password zebra log file /var/log/bgpd.log! router bgp 65001! bgp router-id 202.11.99.9 network 202.11.99.8/29! I-BGP router neighbor 202.11.99.10 remote-as 65001 neighbor 202.11.99.11 remote-as 65001! prefer this route neighbor 10.254.8.60 remote-as 65010 neighbor!!redistribute static route-map LOCAL-PREF1 permit 10! match as-path R65010 set local-preference 200 10.254.8.60 route-map LOCAL-PREF1 in ip as-path access-list R65010 permit ^65010_! --- end of config --- 1. router bgp ASN BGP AS IP APNIC IGP ASN private AS number: 64512-65535 65001 ASN router AS BGP ibgp AS BGP ebgp 2. bgp router-id BGP-ID BGP-ID IP zebra bgpd

72 6 BGP zebra 3. network IPaddress/prefix 4. neighbor IPaddress remote-as ASN neighbor IP address ASN ibgp ebgp ASN 5. neighbor IPaddress route-map NAME [in out] (in) (out) route-map (NAME) route-map 6. neighbor IPaddress ebgp-multihop hop-count ebgp TTL(TimeToLive) ebgp TTL 1 hop-count neighbor 202.11.98.67 ebgp-multihop 3 TTL 3 7. redistribute other-proto RIP OSPF other-proto IGP other-proto static,kernel, connected, rip, ospf 8. route-map NAME [permit deny] seq-num (NAME (seq-num) set (permit) (deny) 9. match cond ac-list-name route-map cond ip as-path

6.5. bgpd 1 73 as-path community extcommunity ip ipv6 metric origin AS BGP BGP/VPN IPv4 ll IPv6 BGP ac-list-name 10. set attribute-command attribute-command ( local-preference) set local-preference <0-4294967295> local-preference ebgp 10.254.8.60 200 ( 100 ) (a) AS ( local-preference) (RFC1771) 11. ip as-path access-list ac-list-name [permit deny] reg AS (permit) deny ac-list-name route-map match reg ASN AS (_) AS ASN ( ASN ) ^65000_ 65000 _5600 100$ 5600 100 202.11.99.10 BGP AS65002

74 6 BGP! BGPd config! hostname pc2f002-bgpd password zebra enable password zebra log file /var/log/bgpd.log! router bgp 65001 bgp router-id 202.11.99.10 network 202.11.99.8/29! I-BGP router neighbor 202.11.99.9 remote-as 65001 neighbor 202.11.99.11 remote-as 65001! neighbor 172.17.0.2 remote-as 65002 neighbor! route-map LOCAL-PREF2 permit 20! match as-path R65002 set local-preference 150 172.17.0.2 route-map LOCAL-PREF2 in ip as-path access-list R65002 permit ^65002_ BGP AS ibgp NEXT-HOP 202.11.99.9 10.254.8.60 (ebgp NEXT-HOP BGP ) 202.11.99.9 BGP ibgp 10.254.8.0/24 ( RIB(Routing Information Base) BGP ibgp NEXT-HOP IGP(RIP OSPF) 202.11.99.9 # route add -net 10.254.8.0/24 202.11.99.9 ( 172 ) Quagga RIP OSPF 202.11.99.9 redistribute connected (11.4.2 ) ripd.conf ospfd.conf BGP NEXT-HOP router bgp ( ibgp )

6.6. bgpd 2. 75!neighbor neighbor neighbor 1. next-hop-self 202.11.99.9 next-hop-self 202.11.99.10 next-hop-self 202.11.99.11 next-hop-self ibgp NEXT-HOP ibgp NEXT-HOP 6.6 bgpd 2. AS 202.11.99.9 202.11.99.8/28 AS MED(Multi-Exit-Descriminator) MED AS BGP DV BGP BGP ( ) ( )! BGPd config! hostname pc2f003-bgpd!! neighbor 172.17.1.2 route-map LOCAL-PREF2 in! neighbor!!! route-map LONG-PATH permit 40 match ip address MYNET 172.17.1.2 route-map LONG-PATH out set as-path prepend 65001 65001 65001 65001! access-list MYNET permit 202.11.99.8/29 ( )

1. access-list ac-list-name [permit|deny] ip-range : a named list of IP prefixes (permit) to match; here MYNET permits 202.11.99.8/29.
2. match ip address ac-list-name : match the route's prefix against that access-list.
3. set as-path prepend AS-list : prepend the listed AS numbers to the AS path. With 65001 prepended four times, neighbor 172.17.1.2 receives 65001 65001 65001 65001 65001 (five entries: the four from the route-map plus the one eBGP itself adds), while the same prefix 202.11.99.8/29 reaches the neighbor AS via 202.11.99.10 with a path of one 65001, so the path via 172.17.1.2 loses on AS-path length.
4. Prepending can only influence an AS that decides on AS-path length. An AS that has set LOCAL_PREF for one of the links (LOCAL_PREF is compared before AS-path length) ignores the prepend, so the effect on another AS's choice is never guaranteed.

6.7 BGP

Checking BGP: traceroute shows the forwarding path, which is not the whole story for BGP; the checks are done on the bgpd VTY, as with OSPF.

1. show ip bgp : the BGP table, every route BGP knows with its attributes.
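The route-map and as-path access-list behaviour described in 6.5 and 6.6 can be checked offline before it is applied to a live session. The following Python is an added example, not part of this text or of Quagga. It models bgpd's filter semantics under stated assumptions: bgpd rewrites _ in an ip as-path access-list pattern to (^|[,{}() ]|$) before compiling it, an as-path access-list is first-match with an implicit deny, a route-map is walked by sequence number and ends in an implicit deny, and a plain access-list prefix matches any route prefix contained in it. POLICY reproduces the page's LOCAL-PREF1 and LONG-PATH fragments; Route, Clause, Policy and the sample routes are constructed for the example.

```python
"""Model of bgpd as-path filters and route-maps (added example; not from
the text or from Quagga). Assumed semantics are noted at each function."""
import re
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Optional

UNDERSCORE = r"(^|[,{}() ]|$)"   # assumption: what bgpd substitutes for '_'


def quagga_regex(pattern):
    """Compile an as-path pattern with the '_' expansion bgpd applies."""
    return re.compile(pattern.replace("_", UNDERSCORE))


def as_path_acl(entries, path):
    """entries: [(action, pattern)]; first match decides, no match = deny.
    The path is matched as bgpd prints it, e.g. '3 7 15 {10,11} 78'."""
    text = " ".join(path)
    for action, pattern in entries:
        if quagga_regex(pattern).search(text):
            return action == "permit"
    return False


def ip_acl(entries, prefix):
    """entries: [(action, network)]; a route matches a network it lies in."""
    net = ip_network(prefix)
    for action, allowed in entries:
        allowed = ip_network(allowed)
        if net.version == allowed.version and net.subnet_of(allowed):
            return action == "permit"
    return False


@dataclass
class Route:
    prefix: str
    as_path: list             # tokens as strings: "65010" or "{10,11}"
    local_pref: int = 100     # BGP default LOCAL_PREF


@dataclass
class Clause:                 # one 'route-map NAME permit|deny SEQ' block
    seq: int
    action: str = "permit"
    match_as_path: Optional[str] = None      # as-path access-list name
    match_ip_address: Optional[str] = None   # access-list name
    set_local_pref: Optional[int] = None
    set_prepend: tuple = ()                  # 'set as-path prepend ...'


@dataclass
class Policy:
    as_path_lists: dict = field(default_factory=dict)
    access_lists: dict = field(default_factory=dict)
    route_maps: dict = field(default_factory=dict)

    def apply(self, name, route):
        """Run route-map `name` over a copy of `route`; None means denied."""
        route = Route(route.prefix, list(route.as_path), route.local_pref)
        for clause in sorted(self.route_maps[name], key=lambda c: c.seq):
            if clause.match_as_path and not as_path_acl(
                    self.as_path_lists[clause.match_as_path], route.as_path):
                continue
            if clause.match_ip_address and not ip_acl(
                    self.access_lists[clause.match_ip_address], route.prefix):
                continue
            if clause.action != "permit":
                return None
            if clause.set_local_pref is not None:
                route.local_pref = clause.set_local_pref
            route.as_path = list(clause.set_prepend) + route.as_path
            return route
        return None   # no clause matched: implicit deny


def ebgp_export(policy, rmap, route, local_as):
    """Outbound route-map, then the prepend of the local AS eBGP performs."""
    out = policy.apply(rmap, route)
    if out is not None:
        out.as_path = [local_as] + out.as_path
    return out


# Constructed policy mirroring the page's bgpd.conf fragments.
POLICY = Policy(
    as_path_lists={"R65010": [("permit", "^65010_")]},
    access_lists={"MYNET": [("permit", "202.11.99.8/29")]},
    route_maps={
        "LOCAL-PREF1": [Clause(10, match_as_path="R65010", set_local_pref=200)],
        "LONG-PATH": [Clause(40, match_ip_address="MYNET", set_prepend=("65001",) * 4)],
    },
)

if __name__ == "__main__":
    print(POLICY.apply("LOCAL-PREF1", Route("202.11.99.16/29", ["65010", "65002"])))
    print(ebgp_export(POLICY, "LONG-PATH", Route("202.11.99.8/29", []), "65001"))
    print(ebgp_export(POLICY, "LONG-PATH", Route("202.11.99.16/29", ["65002"]), "65001"))
```

Two things the model makes visible that the config fragments do not: ^65010_ matches the path 65010 alone (because _ also matches end of string) but not 650101, which a pattern written as ^65010 would accept; and because a route-map ends in an implicit deny, the outbound LONG-PATH map with its single MYNET clause announces nothing but 202.11.99.8/29 to 172.17.1.2, which is either exactly the intent or a silent loss of every other prefix.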

    bgpd# show ip bgp
    BGP table version is 0, local router ID is 202.11.99.9
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
    Origin codes: i - IGP, e - EGP, ? - incomplete

       Network          Next Hop            Metric LocPrf Weight Path
    * i202.11.99.8/29   202.11.99.11             0    100      0 i
    * i                 202.11.99.10             0    100      0 i
    *>                  0.0.0.0                  0         32768 i
    *>i202.11.99.16/29  10.254.8.45              0    200      0 65002 i

    Total number of prefixes 2

> marks the path chosen as best. A Next Hop of 0.0.0.0 is a route this router originates itself (network statement). LocPrf is LOCAL_PREF; Path is the AS path followed by the origin code: i for IGP (Internal-GP), e for EGP (External-GP), ? for Incomplete (redistributed routes).

2. show ip bgp IP[/prefix] : every path known for one prefix.

    bgpd# show ip bgp 202.11.99.16/29
    BGP routing table entry for 202.11.99.16/29
    Paths: (2 available, best #2, table Default-IP-Routing-Table)
      Not advertised to any peer
      65002 65002 65002
        172.17.0.2 from 172.17.0.2 (202.11.99.18)
          Origin IGP, localpref 150, valid, internal, best
          Last update: Thu Jun 23 14:34:44 2008
      65002
        202.11.99.9 from 202.11.99.9 (202.11.99.18)
          Origin IGP, metric 0, localpref 200, valid, external
          Last update: Thu Jun 23 14:21:00 2008

3. show ip bgp neighbors [peer-ip] : the state of every BGP session, or of the one peer given by peer-ip.

    bgpd# show ip bgp neighbors
    BGP neighbor is 10.254.8.60, remote AS 65010, local AS 65001, external link
      BGP version 4, remote router ID 202.11.99.81
      BGP state = Established, up for 00:18:25
      Last read 00:00:25, hold time is 180, keepalive interval is 60 seconds
      Neighbor capabilities:
        Route refresh: advertised and received (old and new)
        Address family IPv4 Unicast: advertised and received
      Message statistics:
        Inq depth is 0
        Outq depth is 0
                             Sent       Rcvd
        Opens:                  1          1
        Notifications:          0          0
        Updates:                1          1
        Keepalives:            37         33
        Route Refresh:          0          0
        Cpability:              0          0
        Total:                 39         35
      Minimum time between advertisement runs is 30 seconds

     For address family: IPv4 Unicast
      Community attribute sent to this neighbor (both)
      Inbound path policy cofigured
      Outbound path policy configured
      Route map for incoming advertisements is *LOCAL-PREF1
      1 accepted prefixes

      Connections established 2; dropped 0
      Last reset 00:18:36, due to Peer closed the session
    Local host: 10.254.8.10, Local port: 57141
    Foreign host: 10.254.8.60, Foreign port: 179
    Nexthop: 10.254.8.10
    Nexthop global: fe80::290:27ff:feba:aff5
    Nexthop local: ::
    BGP connection: non shared network
    Read thread: on  Write thread: off
    ...

4. show ip bgp summary

    bgpd# show ip bgp summary
    BGP router identifier 202.11.99.9, local AS number 65001
    4 BGP AS-PATH entries
    0 BGP community entries

    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    10.254.8.60     4 65010     314     320        0    0    0 04:06:04        1
    202.11.99.10    4 65001     378     381        0    0    0 06:19:09        3
    202.11.99.11    4 65001     377     379        0    0    0 06:24:53        1
    ...

5. show ip bgp paths : the AS paths bgpd holds, with the number of routes referring to each.

    bgpd# show ip bgp paths
    Address Refcnt Path
    [0x8218510:0] (5)
    [0x8218780:201207] (1) 65002 65002 65002
    [0x8218730:19968] (1) 65001 65001
    [0x82187f0:120316] (1) 65001 65002
    [0x82187b0:59903] (3) 65010

After changing policy on the VTY, have bgpd re-apply it to all sessions without tearing them down (soft reconfiguration):

    bgpd# clear bgp * soft
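show ip bgp summary is the command a monitoring job polls (for example through vtysh -c "show ip bgp summary"), and the one column that matters changes meaning: State/PfxRcd holds the number of prefixes received while the session is Established and the FSM state name otherwise. The following Python is an added example, not part of this text or of Quagga. SAMPLE is constructed from the page's summary output with one extra peer that is stuck in Active; EXPECTED is a constructed allow-list of peers with their remote AS and a prefix ceiling, playing the role an operator's peer inventory would.

```python
"""Health check over 'show ip bgp summary' (added example; not from the
text or from Quagga). Parses the neighbor table and compares it with an
expected-peer list: unknown peers, wrong remote AS, sessions that are
not Established, too many prefixes, and configured peers that vanished."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the page's output plus a peer that never came up.
SAMPLE = """\
BGP router identifier 202.11.99.9, local AS number 65001
4 BGP AS-PATH entries
0 BGP community entries

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.254.8.60     4 65010     314     320        0    0    0 04:06:04        1
202.11.99.10    4 65001     378     381        0    0    0 06:19:09        3
202.11.99.11    4 65001     377     379        0    0    0 06:24:53        1
172.17.0.2      4 65002       0       0        0    0    0 never      Active

Total number of neighbors 4
"""

# Constructed peer inventory: address -> (expected remote AS, prefix ceiling).
EXPECTED = {
    "10.254.8.60": (65010, 10),
    "202.11.99.10": (65001, 100),
    "202.11.99.11": (65001, 100),
    "172.17.0.2": (65002, 10),
}


@dataclass
class Peer:
    address: str
    remote_as: int
    up_down: str
    state: str                # "Established" or the FSM state bgpd printed
    prefixes: Optional[int]   # prefixes received, only while Established


def parse_summary(text):
    """Return the rows of the neighbor table as Peer objects."""
    peers, in_table = [], False
    for line in text.splitlines():
        if line.startswith("Neighbor"):
            in_table = True
            continue
        fields = line.split()
        if not in_table or len(fields) < 10:   # skips blanks and the total line
            continue
        last = fields[9]
        if last.isdigit():
            peers.append(Peer(fields[0], int(fields[2]), fields[8], "Established", int(last)))
        else:
            peers.append(Peer(fields[0], int(fields[2]), fields[8], last, None))
    return peers


def check(peers, expected):
    """Compare parsed peers with the inventory; an empty list means healthy."""
    findings, seen = [], set()
    for p in peers:
        seen.add(p.address)
        if p.address not in expected:
            findings.append(f"{p.address}: unexpected peer, remote AS {p.remote_as}")
            continue
        want_as, max_prefixes = expected[p.address]
        if p.remote_as != want_as:
            findings.append(f"{p.address}: remote AS {p.remote_as}, expected {want_as}")
        if p.state != "Established":
            findings.append(f"{p.address}: session {p.state}, up/down {p.up_down}")
        elif p.prefixes > max_prefixes:
            findings.append(f"{p.address}: {p.prefixes} prefixes received, limit {max_prefixes}")
    for address in expected:
        if address not in seen:
            findings.append(f"{address}: configured peer missing from summary")
    return findings


if __name__ == "__main__":
    for finding in check(parse_summary(SAMPLE), EXPECTED):
        print(finding)
```

The prefix ceiling is a monitoring-side backstop, not a substitute for enforcing a limit on the router: a peer that suddenly sends far more prefixes than it should is the classic symptom of a route leak, and the check catches it only on the next poll.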

80 6 BGP 6.8 6.1 BGP AS 65000 + ( ) 1 65001 AS RouterID IP 172.16.1.1 next-hop-self i-bgp BGP show ip bgp 6.2 show ip bgp neighbors