==== BGP =====
RegEX:
^ Matches the beginning of input.
$ matches the end of input
|(pipe) A logical "or" statement.
.(period) matches a SINGLE character.
+ matches the character to the left 1 or more times.
* matches the character to the left 0 or more times.
? matches the character to the left 0 or 1 times.
\ removes special meanings.
() affects order of operations
[] creates a group of characters.
_ white space.
Examples:
150.1.1.0/24
AS Path: 6733 982 43 239 852 4439 10295 6010 10
1. only match 43: _43_
2. only match 43 or 10: _43_|_10_
3. only match the last previous 6733: ^6733 ---begins with 6733, it reads left to right.
4. only match AS originated 10: _10$ --match end of the string, which is 10 orginated AS.
(_33_|_44_)_982_
match EITHER 33 OR 44 FOLLOW BY 982.
^6733_. ====matches most recent AS and anything behind, but not originated from 6733. The period is 1 charater, so matches any AS, no matter how many, after 6733, since 1 character after.
^[0-9]+$ ====match to the left of + one or more times. just match one AS.
[300]+ === match 300 one or more times.
AS 300 300 300 300
to match 300 again and again:
^(300)+$
$([0-9]+)(_\1)*$ ===0-9 one or more times. AS 1234, 555, etc. To match ANY AS that has been prepended.
5. Match stuff originated from my AS. Match internal routes only. Inside our AS. Only when leaves our AS, do we put the AS on it.
^$
6. ^\(64512) ==removes special meaning from the parentheses.
If in AS Path: (6733 982) 43 239 852 4439
The AS inside the AS path with parentheses is Confederation.
7. Match everything: .*
==================
AS Path Access-list / filtering
permit .....
deny ....
permit ....
permit .* ===permit all at the end.
conf t
ip as-path access-list 1 deny ^300_ -- match everything from 300 most recently. or _300_ anywhere there's 300, deny.
ip as-path access-list 1 permit .* ===need this, else there's a implicit deny all.
route-map FILTER_300 permit 10
match as-path 1 ===if want "or" 1 2 3 4: match as-path 1 or 2 or 3 or 4.
router bgp 500
neighbor 1.1.1.1 route-map FILTER_300 out
example 2:
match as-path 500 and set weight 1000, so prefer that route from that neighbor.
ip as-path access-list 10 permit _500_
route-map INFLUENCE
match as-path 10
set weight 1000
router bgp 200
neighbor 199.9.9.2 route-map INFLUENCE in ====Routes from that neighbor pass to the route map and set weight to 1000...so, routes outbound will prefer path to the neighbor.
===================
Prefix List filtering:
route matching system better than ACLs. Improved processor util., Better subnet mask matching.
2 stage matching: Match network first, then match mask.
example:
ip prefix-list NEWLIST permit 172.30.0.0/16 le 20
(Network) (mask)
ip prefix-list NEWLIST permit 172.30.0.0/16 ge 24 le 24 == exactly 24.
ip prefix-list NEWLIST permit 172.30.0.0/16 ge 24 le 30 == between 24-30 subnet mask.
ip prefix-list NEWLIST permit 0.0.0.0/0 === This does NOT match everything. ONLY match exactly that route. The default route.
ip prefix-list NEWLIST permit 0.0.0.0/0 le 32 ===This match all. Permit any.
ip prefix-list NEWLIST permit 0.0.0.0/0 ge 32 ===This match only Host routes. all hosts /32.
ip prefix-list NEWLIST permit 0.0.0.0/1 ge 24 le 24 === Any class A address, and subnet mask is a /24. The first octet is 0000000.------- in the network section.
class A: 0-127 (bit 0----)
class B: 128-192 (bit 10---)
class C: 192-223 (bit 110--)
ip prefix-list NEWLIST-PF permit 128.0.0.0/2 ge 16 === Any class B network with mask of /16.
128 = 1000000 = class B.
conf t
router bgp 500
neighbor 1.1.1.1 prefix-list NEWLIST in ===routes coming in filtered.
show ip prefix-list
clear ip bgp 1.1.1.1
example 2:
route-map SET-LP
match ip add prefix-list NEWLIST-PF
st local-pre 9000
route-map SET-LP 20 ====THIS NEEDS TO BE IN to do permit all at end. else routes not match for this route-map will be filtered.
neighbor 1.1.1.1 route-map SET-LP in ==as route come in from neighbor, change Localpref.
=====================================
Soft reconfiguration: Prefix list , route maps changes can be updated to neighbors w/o tearing down peers.
- Outbound soft reconfiguration
ex.) clear ip bgp 1.1.1.1 soft out
This don't need to be activated.
- Inbound soft reconfiguration:
- keeps the whole inbound routes from neighbor in memory before any filters applied. Then passes through filters, ie pF, routemaps and then update the BGP table.
This needs to be configured.
neighbor 1.1.1.1 soft-reconfig in ==to activate it to have a full route copy in memory from neighbor.
- Route Refresh--started in 12.1. BGP can tell its neighbor to resend routes.
Don't need: neighbor 1.1.1.1 soft-reconfig in
Just clear ip bgp 1.1.1.1 soft in ===This will automatically do Route Refresh.
==================================================
ORF - Outbound Route Filtering
Why send 1000s of routes if they're filtered.
ORF allows you to transmits inbound filters to a neighbor to be apply in the outbound on that neighbor.
Neighbors must support ORF types.
Configured PER NEIGHBOR
neighbor 1.1.1.1 capability orf prefix-list send/receive. local is send--ISP receive.
clear ip bgp 1.1.1.1 in prefix-filter
========================
BGP COMMUNITIES
================
Route Reflectors iBGP
If received routes from eBGP peer---- send to ALL iBGP/eBGP peers.
If received routes from iBGP non-client peer, --- send to all eBGP and client peers only. Makes sense, since iBGP don't send to other iBGP peers by default.
If received routes from iBGP CLIENT peer, --- send to all peers.
Loop preventions for redundant RR is clusterID. If have 3 RR, then it's a Group. RR groups add a cluster-ID tag or attribut to routes they advertise out to other RR peer. The eBGP router needs to peer to all 3 RR Group.
Originator-ID -- if RR sees it's own originator ID, it will also reject the route to prevent loop.
RR clients are oblivious to everything.
========================
Confederation: Use private AS: 64512 - 65535
An AS inside and AS.
RR taken to the next level.
Alternative to RR.
Uses Intra-AS numbers which are stripped before sending updates to eBGP peers.
Inter-Confedration peers are treated as eBGP to establish, but iBGP relating to attributes.
Still ONE IGP for the entire system.
Can combine RR inside confederation.
router bgp 64513
bgp confederation identifier 500 ===this is what's used to communicate to eBGP peers.
bgp confederation peers 64514 64515 64516 -- need to list all private AS in the whole system. Both need to be applied to all routers.
==================================
BGP can kill your router and how to stop it:
- Filter
OPtimize BGP
BGP PROCESSES:
BGP OPEN - STARTS PEERS UP
BGP I/O - Prepares / processes updates, keepailives
BGP Scanner - checks next hops, determines routes to advertise. Check the entire BGP table and make sure next hop is reachable. Runs at a certain interval. CPU intensive.
BGP router process - calculates best path, processes route changes. Looks at weight, etc to calculate best path. Runs at certain interval. CPU heavy.
All these does not affect stuff going through the router....all these handle by CEF.
TUNE IMPROVE BGP:
Use the global IP TCP PATH-MTU-DISCOVERY: BGP defaults to 536 bytes. This let BGP negotiates better performance for stuff going to the router or from the router, not stuff going THROUGH the router. By default rediscovers every 30 seconds.
show ip bgp neighbors | i max
2. Use BGP peer Groups.
3. Increase INPUT queues (HOld-queue in) -- This is how much packet I can hold before I start tail dropping.
4. Tune BGP Scanner timer
router bgp 500
bgp scan-time 60 ( default is 60) --- time check the next hop reachability.
advertisement-interval is per neighbor-- default 30 sec. ... how often it queues updates or messages for a neighbor.
5. Set a maximum prefix limit. Upstream ISP may go bad and affect your BGP table to the max.
neighbor 1.1.1.1 maximum-prefix 500000 warning-only --- if just hit enter, it will take down neighbor when max is reached...and an admin need to do a clear ip bgp neighbor x.x.x.x.
show ip bgp summ -- get an idea how many prefix came in.
==================================================
PEER GROUPS /
ROUTE DAMPENING for flapping routes. AFter 3 route flaps, BGP will be down for 30 mins...no route, until the dampening and penalty came down.
max is 60mins.
clear ip bgp dampening 150.1.1.0 255.255.255.0 ==== to start reusing/readvertise immediately., but still remembers the penalty. == clear the reuse, but not the penalty.
clear ip bgp 1.1.1.1 flap-statistics === clears the penalty and not the reuse.
US NetworkSecure
Free Tips On Networking and Security
12/18/2019
ASA-ACL-OBJECT-GR
======= ASA MFP======
INGRESS: MFP first, then ACL
EGRESS: ACL first.
====================== ASA ACL Oject Groups ================
4 ways to group obj. groups.
1. protocol
tcp, udp, esp , gre, etc
2. network
ip add, subnet, etc
3. service
tcp port# and udp port#
4. icmp type
echo, echo-reply, unreachable, etc.
example:
object-group network OUTSIDE_TRUSTED_HOSTS
network-object host 200.0.0.1
network-object host 200.0.0.2
object-group network PUBLICK_INSIDE_SERVERS
network-object host 10.0.100
network-object host 10.0.101
object-group service PUBLIC_INSIDE_SERVER_PORTS tcp
port-object eq www
port-object eq https
port-object eq smtp
access-l 101 extended permit tcp object-group OUTSIDE_TRUSTED_HOSTS object-group PUBLIC_INSIDE_SERVERS object-group PUBLIC_INSIDE_SERVER_PORTS
access-l 101 extended permit tcp object-group "THE-SOURCE-IP" object-group "the-destination-IP" object-group "THE-DESTINATION-PORT#"
access-group 101 in interface outside
This way don't need to do so many access-l to add additonal servers or add an outside host to access in.
IPSLA - TRACK
track 20 ip sla 1 reachability
ip sla 1
icmp-echo 6.16.5.13 source-interface GigabitEthernet0/2
timeout 1500
threshold 500
frequency 3
ip sla schedule 1 life forever start-time now
ip route 0.0.0.0 0.0.0.0 6.16.5.13 track 20
ip route 0.0.0.0 0.0.0.0 21.19.25.2 254
Cisco Password Recovery - 2900 and ASA
===========For 2900 Series======
Reboot the router and press the "Break key" to interrupt the boot sequence.
1.) Either switch off or shut down the router.
1a.) Take out flash card and switch on the router.
1b.) Once the router is on Rommon mode, reinsert the compact flash.
For break key sequences, refer to this Cisco link: http://www.cisco.com/en/US/products/hw/routers/ps133/products_tech_note0.
alt+b for teraterm
1.) Type "confreg 0x2142". ====This tells the router to bypass NVRAM during bootup. In other words, your existing configuration won't be loaded. The good news is that it won't be deleted either.
2.) Type "reset" to reboot the router.
Answer "No" when prompted to run setup.
2a.) type "enable" to get into enable mode.
3.) "copy **startup-config** running". ========This loads your startup configuration into memory. Now, if you type a show run config, ou'll see the router configuration. Also, you should notice that your router name is now in the prompt instead of the default “Router”.
4.) conf t === Change the enable- “enable password new_password”
and (config)#enable secret cisco
4b.) username
5.) Change the register back to 0x2102:
(config)#config-register 0x2102
6.) "exit" and Save the password so that it will be persistent during reboots, type "copy run start" or wr mem.
7.) Reboot the router by typing reload at the enable prompt.
========================================================================
========================***** ASA Password Recovery ***** ============
1.) Power off the security appliance, and then power it on.
2.) During the startup messages, press the Escape key when prompted to enter ROMMON.
3.) rommon #1> confreg
and asks if you want to change the value:
Current Configuration Register: 0x00000001 === note this
Configuration Summary:
Do you wish to change this configuration? y/n [n]: y
Take all defaults except:
Do you wish to change this configuration? y/n [n]:
The security appliance prompts you for new values.
4.) Accept the default values for all settings, except for the "disable system configuration?" value; at that prompt, enter Y.
5.) Reload the security appliance by entering the following command:
rommon #2> boot
The security appliance loads a default configuration instead of the startup configuration.
6.) Enter privileged EXEC mode by entering the following command:
hostname> enable
7.) When prompted for the password, press Return.
The password is blank.
8.) hostname# copy startup-config running-config
9.) hostname# configure terminal
10. hostname(config)# username name password password pri 15
11.) Change the configuration register to load the startup configuration at the next reload by entering the following command:
hostname(config)# config-register value
Where value is the configuration register value you noted in Step 5 and 0x1 is the default configuration register. For more information about the configuration register, see the Cisco Security Appliance Command Reference.
12.) hostname(config)# copy running-config startup-config
Reboot the router and press the "Break key" to interrupt the boot sequence.
1.) Either switch off or shut down the router.
1a.) Take out flash card and switch on the router.
1b.) Once the router is on Rommon mode, reinsert the compact flash.
For break key sequences, refer to this Cisco link: http://www.cisco.com/en/US/products/hw/routers/ps133/products_tech_note0.
alt+b for teraterm
1.) Type "confreg 0x2142". ====This tells the router to bypass NVRAM during bootup. In other words, your existing configuration won't be loaded. The good news is that it won't be deleted either.
2.) Type "reset" to reboot the router.
Answer "No" when prompted to run setup.
2a.) type "enable" to get into enable mode.
3.) "copy **startup-config** running". ========This loads your startup configuration into memory. Now, if you type a show run config, ou'll see the router configuration. Also, you should notice that your router name is now in the prompt instead of the default “Router”.
4.) conf t === Change the enable- “enable password new_password”
and (config)#enable secret cisco
4b.) username
5.) Change the register back to 0x2102:
(config)#config-register 0x2102
6.) "exit" and Save the password so that it will be persistent during reboots, type "copy run start" or wr mem.
7.) Reboot the router by typing reload at the enable prompt.
========================================================================
========================***** ASA Password Recovery ***** ============
1.) Power off the security appliance, and then power it on.
2.) During the startup messages, press the Escape key when prompted to enter ROMMON.
3.) rommon #1> confreg
and asks if you want to change the value:
Current Configuration Register: 0x00000001 === note this
Configuration Summary:
Do you wish to change this configuration? y/n [n]: y
Take all defaults except:
Do you wish to change this configuration? y/n [n]:
The security appliance prompts you for new values.
4.) Accept the default values for all settings, except for the "disable system configuration?" value; at that prompt, enter Y.
5.) Reload the security appliance by entering the following command:
rommon #2> boot
The security appliance loads a default configuration instead of the startup configuration.
6.) Enter privileged EXEC mode by entering the following command:
hostname> enable
7.) When prompted for the password, press Return.
The password is blank.
8.) hostname# copy startup-config running-config
9.) hostname# configure terminal
10. hostname(config)# username name password password pri 15
11.) Change the configuration register to load the startup configuration at the next reload by entering the following command:
hostname(config)# config-register value
Where value is the configuration register value you noted in Step 5 and 0x1 is the default configuration register. For more information about the configuration register, see the Cisco Security Appliance Command Reference.
12.) hostname(config)# copy running-config startup-config
ASA-VPN-Setup
You need a policy nat for private to public interface vpn.
STEP 1:
access-list policy-nat-acl extended permit ip your-internal-ip 255.255.255.0 your-destinationIP 255.255.0.0
==
access-list COMPANYA extended permit ip host 207.108.219.254 10.30.4.0 255.255.255.128 == no need here.
access-list COMPANYA extended permit ip host 192.168.1.159 10.30.4.0 255.255.255.128 ***should be
Identify interesting traffic as source and destination needed to be natted on above ACL.
-------------------------------------------------------------
STEP 2:
static (inside,outside) xxx.xxx.xxx.xxx access-list policy-nat-acl ====
static (INSIDE,OUTSIDE) 207.108.219.250 192.168.1.159 netmask 255.255.255.255
static (INSIDE,OUTSIDE) 207.108.219.250 access-list COMPANYA ===should be this.***
Now static-nat your source-private to pbulic address in the "xxx.xxx.xxx.xxx" use the public ip range as you wish.
-------------------------------------------------------------
STEP3:
access-list outside_4_cryptomap extended permit ip xxx.xxx.xxx.xxx mask.mask.mask.mask 172.x.0.0 255.255.0.0
access-list COMPANYA extended permit ip host 207.108.219.254 10.30.4.0 255.255.255.128
in the crypto-acl above you could use network address itself plus its mask or an IP address along but be consistance with step 2, the remainging config is just like regular vpn tunnel setup.
STEP 1:
access-list policy-nat-acl extended permit ip your-internal-ip 255.255.255.0 your-destinationIP 255.255.0.0
==
access-list COMPANYA extended permit ip host 207.108.219.254 10.30.4.0 255.255.255.128 == no need here.
access-list COMPANYA extended permit ip host 192.168.1.159 10.30.4.0 255.255.255.128 ***should be
Identify interesting traffic as source and destination needed to be natted on above ACL.
-------------------------------------------------------------
STEP 2:
static (inside,outside) xxx.xxx.xxx.xxx access-list policy-nat-acl ====
static (INSIDE,OUTSIDE) 207.108.219.250 192.168.1.159 netmask 255.255.255.255
static (INSIDE,OUTSIDE) 207.108.219.250 access-list COMPANYA ===should be this.***
Now static-nat your source-private to pbulic address in the "xxx.xxx.xxx.xxx" use the public ip range as you wish.
-------------------------------------------------------------
STEP3:
access-list outside_4_cryptomap extended permit ip xxx.xxx.xxx.xxx mask.mask.mask.mask 172.x.0.0 255.255.0.0
access-list COMPANYA extended permit ip host 207.108.219.254 10.30.4.0 255.255.255.128
in the crypto-acl above you could use network address itself plus its mask or an IP address along but be consistance with step 2, the remainging config is just like regular vpn tunnel setup.
9/24/2015
BGP Prefix List filtering:
Prefix List filtering and Local Pref at bottom:
- Route matching system better than ACLs. Improved processor utilization., Better subnet mask matching.
- a TWO stage matching: Match network first, then match mask.
example:
ip prefix-list NEWLIST permit 172.30.0.0/16 le 20
(Network) (mask)
ip prefix-list NEWLIST permit 172.30.0.0/16 ge 24 le 24 == exactly 24.
ip prefix-list NEWLIST permit 172.30.0.0/16 ge 24 le 30 == between 24-30 subnet mask.
ip prefix-list NEWLIST permit 0.0.0.0/0 === This does NOT match everything. ONLY match exactly that route. The default route.
ip prefix-list NEWLIST permit 0.0.0.0/0 le 32 ===This match all. Permit any.
ip prefix-list NEWLIST permit 0.0.0.0/0 ge 32 ===This match only Host routes. all hosts /32.
ip prefix-list NEWLIST permit 0.0.0.0/1 ge 24 le 24 === Any class A address, and subnet mask is a /24. The first octet is 0000000.------- in the network section.
class A: 0-127 (bit 0----)
class B: 128-192 (bit 10---)
class C: 192-223 (bit 110--)
ip prefix-list NEWLIST-PF permit 128.0.0.0/2 ge 16 === Any class B network with mask of /16.
128 = 1000000 = class B.
Example:
conf t
router bgp 500
neighbor 1.1.1.1 prefix-list NEWLIST in ===routes coming in filtered.
show ip prefix-list
clear ip bgp 1.1.1.1
example 2:
route-map SET-LP
match ip add prefix-list NEWLIST-PF
st local-pre 9000
route-map SET-LP 20 ==== THIS NEEDS TO BE IN to do permit all at end. else routes not match for this route-map will be filtered.
neighbor 1.1.1.1 route-map SET-LP in ==as route come in from neighbor, change Localpref.
- Route matching system better than ACLs. Improved processor utilization., Better subnet mask matching.
- a TWO stage matching: Match network first, then match mask.
example:
ip prefix-list NEWLIST permit 172.30.0.0/16 le 20
(Network) (mask)
ip prefix-list NEWLIST permit 172.30.0.0/16 ge 24 le 24 == exactly 24.
ip prefix-list NEWLIST permit 172.30.0.0/16 ge 24 le 30 == between 24-30 subnet mask.
ip prefix-list NEWLIST permit 0.0.0.0/0 === This does NOT match everything. ONLY match exactly that route. The default route.
ip prefix-list NEWLIST permit 0.0.0.0/0 le 32 ===This match all. Permit any.
ip prefix-list NEWLIST permit 0.0.0.0/0 ge 32 ===This match only Host routes. all hosts /32.
ip prefix-list NEWLIST permit 0.0.0.0/1 ge 24 le 24 === Any class A address, and subnet mask is a /24. The first octet is 0000000.------- in the network section.
class A: 0-127 (bit 0----)
class B: 128-192 (bit 10---)
class C: 192-223 (bit 110--)
ip prefix-list NEWLIST-PF permit 128.0.0.0/2 ge 16 === Any class B network with mask of /16.
128 = 1000000 = class B.
Example:
conf t
router bgp 500
neighbor 1.1.1.1 prefix-list NEWLIST in ===routes coming in filtered.
show ip prefix-list
clear ip bgp 1.1.1.1
example 2:
route-map SET-LP
match ip add prefix-list NEWLIST-PF
st local-pre 9000
route-map SET-LP 20 ==== THIS NEEDS TO BE IN to do permit all at end. else routes not match for this route-map will be filtered.
neighbor 1.1.1.1 route-map SET-LP in ==as route come in from neighbor, change Localpref.
BGP AS Path Access-list / filtering
AS Path Access-list / filtering
permit .....
deny ....
permit ....
permit .* ===permit all at the end.
Example 1:
conf t
ip as-path access-list 1 deny ^300_ -- match everything from 300 most recently. or _300_ anywhere there's 300, deny.
ip as-path access-list 1 permit .* === need this, else there's a implicit deny all.
route-map FILTER_300 permit 10
match as-path 1 ===if want "or" 1 2 3 4: match as-path 1 or 2 or 3 or 4.
router bgp 500
neighbor 1.1.1.1 route-map FILTER_300 out
Example 2:
match as-path 500 and set weight 1000, so prefer that route from that neighbor.
ip as-path access-list 10 permit _500_
route-map INFLUENCE
match as-path 10
set weight 1000
router bgp 200
neighbor 199.9.9.2 route-map INFLUENCE in == Routes from that neighbor pass to the route map and set weight to 1000...so, routes outbound will prefer path to the neighbor.
permit .....
deny ....
permit ....
permit .* ===permit all at the end.
Example 1:
conf t
ip as-path access-list 1 deny ^300_ -- match everything from 300 most recently. or _300_ anywhere there's 300, deny.
ip as-path access-list 1 permit .* === need this, else there's a implicit deny all.
route-map FILTER_300 permit 10
match as-path 1 ===if want "or" 1 2 3 4: match as-path 1 or 2 or 3 or 4.
router bgp 500
neighbor 1.1.1.1 route-map FILTER_300 out
Example 2:
match as-path 500 and set weight 1000, so prefer that route from that neighbor.
ip as-path access-list 10 permit _500_
route-map INFLUENCE
match as-path 10
set weight 1000
router bgp 200
neighbor 199.9.9.2 route-map INFLUENCE in == Routes from that neighbor pass to the route map and set weight to 1000...so, routes outbound will prefer path to the neighbor.
Subscribe to:
Posts (Atom)