When configuring BGP through the ASA, a basic understanding of how the ASA works and how BGP is implemented is very important. I would highlight some of my findings about the BGP/ASA relationship in this post.
1. The ASA (when in routed mode) is a HOP: This doesnt matter if we are configuring ibgp since BGP believes that the underlying IGP would take care of reachability to the neighbor but with ebgp, we need to explicitly state that the bgp neighbor is not on the same subnet. The ebgp multihop command is used to achieve this. Lets assume the following topology;
R2(f0/0) --- (ins) ASA (out) --- (f0/0) R3.
on R2 (and similarly on R3), we need to configure:
router bgp 1
neighbor 192.168.13.3 remote-as 2
neighbor 192.168.13.3 ebgp-multihop 2
When configuring ebgp multihop, we should also ensure that there is a route to the neighbor with a length greater than 0 (default route will not work) in the routing table..
Assuming we have on R2,
ip route 0.0.0.0 0.0.0.0 192.168.12.1
When we try to negotiate the BGP connection, it would fail (except R3 configured properly - which would always make R3 active). When we look at the debugs, we would see;
BGP: 192.168.13.3 active open failed - no route to peer, open active delayed 29090ms (35000ms max, 28% jitter)
But when we take a look at the routing table, sure enough, our default route is there...
R2(config-router)#do sh ip rou
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.12.1 to network 0.0.0.0
C 192.168.12.0/24 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 192.168.12.1
This is because the router actually searches for a route going to 192.168.13.3 and finds none.
R2(config-router)#do sh ip rou 192.168.13.3
% Network not in table
To fix this, we insert a route with a longer match in the routing table (doesnt have to be a host route, anything from a /1 would do)
R2(config-router)#ip route 192.168.0.0 255.255.0.0 192.168.12.1
That should fix things considerably and the BGP neighbor should come up.
2. The ASA does NAT: If the ASA NATs the address of the BGP peer, the neighbor statement should reflect this. Assuming we had a static statement on the ASA,
static (i,o) 192.168.13.2 192.168.12.2
Then on R3, we would peer with 192.168.13.2 instead of 192.168.12.2
neigh 192.168.13.2 remote 1
This would work well if Authentication is NOT configured.
3. Configuring BGP Authentication: BGP Authentication uses special tcp option for MD5 (option 19) to carry the Authentication information. This is stated in rfc 2385. The 16-byte MAC is computed based on a one-way hash function (MD5) generated from TCP header, the IP header, the password and a key. The following must be considered when configuring BGP authentication through the ASA:
a. Since the IP header is used in generating the hash, NAT cannot be used to change the ip address of the peers as this would break the authentication. If nat-control is enabled, the real and translated ip address must be the same.
b. Since the tcp header is used, the sequence number must not be randomized (default behavior of the ASA.) To stop randomization we can append the norandomseq option behind a static address mapping (that does not change the IP address) of the neighbor. This would only work in routed mode (of course)
static (inside,outside) 192.168.12.2 192.168.12.2 no randomseq
We can also disable random sequencing in the global_policy.
c. Finally, option 19 must be allowed to pass through the ASA for BGP traffic. This can be achieved by allowing it in the global_policy. The configuration on the ASA is shown below.
tcp-map BGP
tcp-options range 19 19 allow
!
class-map BGP
match port tcp eq bgp
!
policy-map global_policy
class BGP
set connection random-sequence-number disable
set connection advanced-options BGP
!
That would be all for now.
Further Reading
BGP through ASA configuration exmaple
RFC 2385: Protection of BGP Sessions via the TCP MD5 Signature Option
Amplebrain.
Thursday, October 22, 2009
Saturday, October 17, 2009
21 yr old CCIE : Interview with CCIE Agent
I was going thru CCIE flyer October Edition when I stumbled on Peter Ehiwe's interview. Peter is my friend, classmate and study partner. Details of the interview can be found here.
Quote of the day: "Peter you are so young just 21 years old. I have shoes older than you!" - Eman Conde (CCIE Agent) :D
Way to go bro!
Amplebrain.
Quote of the day: "Peter you are so young just 21 years old. I have shoes older than you!" - Eman Conde (CCIE Agent) :D
Way to go bro!
Amplebrain.
Wednesday, October 7, 2009
Shooting yourself in the leg
When doing personal study/'research', whether for the CCIE lab or some other exam, we get used to some practices that save time and aid troubleshooting. Many students have a template of initial config on their routers. Here is an example of what I would have on mine.
alias exec s sh ip interface brief
no ip domain-lookup
line con 0
logging synchronous
no exec-timeout
and a few other commands.
It is also common to turn on debugs when trying to troubleshoot a problem or understand a protocol.
While these practice definitely saves time, it should ONLY be used in a lab environment and the routers should be adequately CLEANED up before being put into production.
Recently. I got a call from a friend, he just put in a box that he used to study sometime ago into production and his router stopped resolving hostnames to ip addresses. The DNS server was properly configured and he had pointed to it using the ip name server command.
While reading through this post, the answer is obvious, but in a production environment with many issues and phone calls, it is a lot more difficult to decipher and you would probably need another pair of eyes going through your config.
We figured out that he had the no ip domain-lookup configured from one of his practice sessions and forgot to take out the command during clean-up. The issue was resolved and everything was fine.
Moral of the story: Cisco would arm you with a Gun and they wouldn't stop you from shooting yourself with a gun. Lab environment and production environments are totally different.
Turning on debugs in a produvtion environment could be a lot worse, It is important for a network engineer to be able to handle logs appropriatelyy but that's going to be a post for another day.
Have fun with your job and with your studies.
Amplebrain.
alias exec s sh ip interface brief
no ip domain-lookup
line con 0
logging synchronous
no exec-timeout
and a few other commands.
It is also common to turn on debugs when trying to troubleshoot a problem or understand a protocol.
While these practice definitely saves time, it should ONLY be used in a lab environment and the routers should be adequately CLEANED up before being put into production.
Recently. I got a call from a friend, he just put in a box that he used to study sometime ago into production and his router stopped resolving hostnames to ip addresses. The DNS server was properly configured and he had pointed to it using the ip name server command.
While reading through this post, the answer is obvious, but in a production environment with many issues and phone calls, it is a lot more difficult to decipher and you would probably need another pair of eyes going through your config.
We figured out that he had the no ip domain-lookup configured from one of his practice sessions and forgot to take out the command during clean-up. The issue was resolved and everything was fine.
Moral of the story: Cisco would arm you with a Gun and they wouldn't stop you from shooting yourself with a gun. Lab environment and production environments are totally different.
Turning on debugs in a produvtion environment could be a lot worse, It is important for a network engineer to be able to handle logs appropriatelyy but that's going to be a post for another day.
Have fun with your job and with your studies.
Amplebrain.
Sunday, October 4, 2009
Is Cisco Superstitous?
Cisco systems has released the IOS 15.0M - Mainstream version.
The sudden jump from the IOS 12.4T series to the 15.0 is remarkable. Why did they chose to skip 13.x and 14.x - could the software development team be Tetraphobic or Triskaidekaphobic?
I doubt that the are tetraphobic though - Since we had 12.4T :-)
What's new? New Features in the 15.0 IOS release can be found here.
More cool features. More fun stuff..
Enjoy!
Amplebrain :-)
The sudden jump from the IOS 12.4T series to the 15.0 is remarkable. Why did they chose to skip 13.x and 14.x - could the software development team be Tetraphobic or Triskaidekaphobic?
I doubt that the are tetraphobic though - Since we had 12.4T :-)
What's new? New Features in the 15.0 IOS release can be found here.
More cool features. More fun stuff..
Enjoy!
Amplebrain :-)
Subscribe to:
Posts (Atom)