
Thursday, November 29, 2012

BGP/ISIS traffic loop


Here is the topology:

R1 is a core router in SP1 and R4 is a core router in SP2; R2 and R3 are edge routers belonging to SP1 and SP2 respectively.

- R1 and R2 are ISIS neighbors; all directly connected and loopback interfaces are advertised using this protocol.

- R1 and R2 are iBGP peers [AS65001].

- R1 and R4 are eBGP peers [AS65001 and AS65004], peering between loopback IPs.

- R1 learns a default route and networks 192.168.41-43.0/24 from R4.

- R2 learns the default route from R1 through BGP.

- R2 has a static route for 4.4.4.4/32 with next hop 10.1.23.3, which is advertised to R1 through ISIS.

Now let's simulate the situation where the link between R2 and R3 is down due to a physical or layer-2 failure:

1. R1's BGP session with R4 stays up, because BGP only declares a peer dead after its hold timer expires.

2. R2 has a static route to 4.4.4.4 via 10.1.23.3, but the directly connected interface is down, so a recursive lookup occurs and R2 resolves the next hop through the default route.

3. R2 learns the default route from R1 through BGP, so the next hop is R1.

R1 in turn still reaches 4.4.4.4 through the ISIS route pointing back at R2. In a large SP this can cause a huge amount of traffic going back and forth between R1 and R2 and lead to a network outage.

In order to overcome this issue I have configured a track object on Fa1 of R2 and bound the static route to R4 to it:

track 1 interface FastEthernet1 line-protocol
!
ip route 4.4.4.4 255.255.255.255 10.1.23.3 track 1

When Fa1 goes down the tracked static route is withdrawn, so R2 stops advertising 4.4.4.4/32 into ISIS and R1 loses its route to the BGP next hop 4.4.4.4. This causes R1 to discard from the routing table all routes learned from R4, even though the BGP peer is still up.

R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
 
Gateway of last resort is 4.4.4.4 to network 0.0.0.0
 
C    192.168.12.0/24 is directly connected, Loopback2
     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback0
C    192.168.13.0/24 is directly connected, Loopback3
     2.0.0.0/32 is subnetted, 1 subnets
i L2    2.2.2.2 [115/10] via 10.1.12.2, FastEthernet0
B    192.168.42.0/24 [20/0] via 4.4.4.4, 00:01:02
B    192.168.43.0/24 [20/0] via 4.4.4.4, 00:01:02
C    192.168.11.0/24 is directly connected, Loopback1
B    192.168.41.0/24 [20/0] via 4.4.4.4, 00:01:03
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.12.0 is directly connected, FastEthernet0
B*   0.0.0.0/0 [20/0] via 4.4.4.4, 00:01:03
 
R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
 
Gateway of last resort is 4.4.4.4 to network 0.0.0.0
 
C    192.168.12.0/24 is directly connected, Loopback2
     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback0
C    192.168.13.0/24 is directly connected, Loopback3
     2.0.0.0/32 is subnetted, 1 subnets
i L2    2.2.2.2 [115/10] via 10.1.12.2, FastEthernet0
B    192.168.42.0/24 [20/0] via 4.4.4.4, 00:01:05
B    192.168.43.0/24 [20/0] via 4.4.4.4, 00:01:05
C    192.168.11.0/24 is directly connected, Loopback1
B    192.168.41.0/24
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.12.0 is directly connected, FastEthernet0
 
R1#  show ip bgp summary
BGP router identifier 192.168.13.1, local AS number 65001
BGP table version is 23, main routing table version 23
4 network entries using 528 bytes of memory
4 path entries using 208 bytes of memory
2/1 BGP path/bestpath attribute entries using 336 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 1 (at peak 2) using 28 bytes of memory
BGP using 1124 total bytes of memory
BGP activity 8/4 prefixes, 8/4 paths, scan interval 60 secs
 
Neighbor        V          AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
2.2.2.2         4      65001     937     942       23    0    0 15:42:11        0
4.4.4.4         4      65004     902     893       19    0    0 00:01:25        4

In the first show command the link is up; in the second show command the link is down, although the BGP peer is still up.
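To make the loop and the fix concrete, here is an added example (it is not part of the original post and not IOS code): a small model of the R1 and R2 routing tables with longest-prefix match and recursive next-hop resolution. Addresses are the post's (10.1.12.0/24 between R1 and R2, 10.1.23.0/24 between R2 and R3, 4.4.4.4 as R4's loopback); the link addresses 10.1.12.1/10.1.12.2, the interface names and the simplified resolution rules are assumptions of the model. It traces a packet for 4.4.4.4 from R2 with the link up, with the link down and the untracked static route, and with the link down and the tracked static route.

```python
"""Added example, not part of the original post: a model of the R1/R2 routing
tables that reproduces the R1<->R2 forwarding loop and shows why tracking Fa1
on R2 breaks it.  Link addresses 10.1.12.1 (R1) / 10.1.12.2 (R2) and the
resolution rules are assumptions of this model, not IOS internals."""
from ipaddress import ip_address, ip_network

# Which modelled router owns each next-hop address (assumed from the topology).
OWNER = {"10.1.12.1": "R1", "10.1.12.2": "R2", "10.1.23.3": "R3"}


def build_ribs(fa1_up, track_fa1):
    """Return {router: [(prefix, next_hop, protocol)]}.
    next_hop None means the prefix is directly connected."""
    r2 = [("10.1.12.0/24", None, "C")]                 # Fa0 towards R1
    if fa1_up:
        r2.append(("10.1.23.0/24", None, "C"))         # Fa1 towards R3
    # Without tracking the static route survives the link failure and is
    # resolved recursively; with 'track 1' it is withdrawn when Fa1 goes down.
    static_installed = fa1_up or not track_fa1
    if static_installed:
        r2.append(("4.4.4.4/32", "10.1.23.3", "S"))
    r2.append(("0.0.0.0/0", "10.1.12.1", "B"))         # default via iBGP from R1

    r1 = [("10.1.12.0/24", None, "C")]
    if static_installed:
        r1.append(("4.4.4.4/32", "10.1.12.2", "i L2"))  # R2's static, learned via ISIS
        # R4's BGP routes stay in the RIB only while next hop 4.4.4.4 resolves
        r1.append(("0.0.0.0/0", "4.4.4.4", "B"))
    return {"R1": r1, "R2": r2}


def lookup(rib, dst):
    """Longest-prefix match; returns (network, next_hop, protocol) or None."""
    best = None
    for prefix, nh, proto in rib:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, proto)
    return best


def resolve_next_hop(rib, dst):
    """Recursively resolve dst until the next hop lies on a connected network.
    Returns that next-hop address, or None if dst is unroutable."""
    target = dst
    for _ in range(8):                 # bound the recursion depth
        hit = lookup(rib, target)
        if hit is None:
            return None
        _, nh, _ = hit
        if nh is None:                 # connected: target itself is on-link
            return target
        target = nh                    # otherwise resolve the next hop itself


def trace(ribs, start, dst, max_hops=6):
    """Forward a packet router by router.  The returned path ends with the
    first router outside the model (delivered onwards), 'DROP' or 'LOOP'."""
    path = [start]
    router = start
    for _ in range(max_hops):
        nh = resolve_next_hop(ribs[router], dst)
        if nh is None:
            return path + ["DROP"]
        nxt = OWNER[nh]
        if nxt not in ribs:            # left SP1 towards R3/R4
            return path + [nxt]
        if nxt in path:
            return path + ["LOOP"]
        path.append(nxt)
        router = nxt
    return path + ["LOOP"]


if __name__ == "__main__":
    for fa1_up, track in ((True, False), (False, False), (False, True)):
        state = "Fa1 up" if fa1_up else ("Fa1 down, tracked" if track else "Fa1 down, untracked")
        print(f"{state:>20}: {' -> '.join(trace(build_ribs(fa1_up, track), 'R2', '4.4.4.4'))}")
```

With the link down and no tracking the trace goes R2 -> R1 -> R2 and stops with LOOP; with the tracked static route R2 still sends the packet to R1 over the default route, but R1 has no route left to 4.4.4.4 and drops it, which is the behaviour the show outputs above illustrate.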
Wednesday, November 28, 2012

Check Point FW monitor examples


Command syntax

fw monitor [-u|s] [-i] [-d] [-D] <{-e expr}+|-f <filter-file|->> [-l len] [-m mask] [-x offset[,len]] [-o <file>] <[-pi pos] [-pI pos] [-po pos] [-pO pos] | -p all > [-a] [-ci count] [-co count] [-vs vsid or vsname]

Option                 Description
-e                     Filter packets by an INSPECT expression
-l [LENGTH]            Limit the captured packet length
-m [MASK]              Capture mask: which of the four inspection points (i, I, o, O) to capture
-x [OFFSET],[LENGTH]   Print packet/payload data
-o [FILE]              Write output to a file
-ci / -co              Number of packets to capture inbound/outbound
-u                     Display UUID
fw ctl chain           Display the firewall inspection chain (module positions)

Filter ICMP only

Match the protocol field at offset 9 of the IP header and accept only IP protocol 1, which is ICMP:
fw monitor -e 'accept [9:1]=1;'

Filter ICMP only using a filter file

Write the same expression to a filter file and load it with -f:
echo "accept [9:1]=1;" > myfilter.pf
fw monitor -f myfilter.pf

Capture ICMP only from a host

Capture all ICMP from host 192.168.10.2:
fw monitor -e 'accept icmp and host(192.168.10.2);'

Using a position filter

Capture on the inbound position identified by its fw ctl chain alias and write the output to dump.cap:
fw monitor -pi -secxl_sync -o dump.cap

HTTP source port

Capture all traffic with TCP source port 80 (bytes 20-21, the first TCP field after a 20-byte IP header):
fw monitor -e 'accept [20:2,b]=80;'

HTTP destination port

Capture all traffic with TCP destination port 80 (bytes 22-23):
fw monitor -e 'accept [22:2,b]=80;'

Capture all HTTP

Capture all HTTP traffic (port 80 as source or destination):
fw monitor -e 'accept tcpport(80);'

FTP source port

Capture all traffic with FTP source port 21 (control channel):
fw monitor -e 'accept [20:2,b]=21;'

FTP destination port

Capture all traffic with FTP destination port 21 (control channel):
fw monitor -e 'accept [22:2,b]=21;'

Capture network range

Capture all traffic from network 192.168.10.0/24:
fw monitor -e 'internal={<192.168.10.0, 192.168.10.254>}; accept (src in internal);'

Capture specific address range

Capture all traffic from IP addresses 192.168.10.100 up to 192.168.10.254:
fw monitor -e 'lan={<192.168.10.100, 192.168.10.254>}; accept (src in lan);'

Do not capture HTTP traffic

Capture all traffic except HTTP:
fw monitor -e 'accept not ([20:2,b]=80 or [22:2,b]=80);'

Do not capture SSH or RDP traffic

Capture all traffic except SSH and remote desktop, on all positions, and write it to dump.cap:
fw monitor -e 'accept not ([20:2,b]=22 or [22:2,b]=22 or [20:2,b]=3389 or [22:2,b]=3389);' -p all -o dump.cap

Do not capture SSH or RDP traffic from a host

Capture all traffic from host 192.168.10.2 except SSH and remote desktop:
fw monitor -e 'accept (host(192.168.10.2) and not (tcpport(3389) or tcpport(22)));'

Capture DNS queries

Capture all DNS queries (UDP port 53) from host 192.168.10.2:
fw monitor -e 'accept (host(192.168.10.2) and (udpport(53)));'
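The byte-offset filters above ([9:1]=1, [20:2,b]=80, [22:2,b]=80 and the not/or combinations) are easy to get wrong, so here is an added example, not part of the original post and not Check Point's code, that evaluates that subset of the fw monitor expression language against packets constructed inline. It shows which bytes each example selects and why offsets 20 and 22 only point at the TCP ports while the IP header has no options. The model assumes offsets count from the start of the IPv4 header and that multi-byte fields are compared in network byte order; host(), tcpport(), udpport() and icmp are deliberately rejected as unsupported rather than guessed at.

```python
"""Added example, not part of the original post or of Check Point's tooling:
an evaluator for the byte-offset subset of 'fw monitor -e' expressions
([offset:length]=value, optional ',b' for big-endian, combined with
not/and/or and parentheses), run against packets constructed inline.
Assumptions: offsets count from the start of the IPv4 header, multi-byte
fields are compared in network byte order, and the INSPECT helpers
(host(), tcpport(), udpport(), icmp, ...) are rejected as unsupported."""
import re
import struct
from ipaddress import IPv4Address

TOKEN = re.compile(r"\s+|\[(\d+):(\d+)(,b)?\]=(\d+)|([()])|\b(and|or|not)\b|(\S)")


def tokenize(expr):
    """'accept [20:2,b]=80 or [22:2,b]=80;' -> [('term', 20, 2, 80), ('or',), ...]"""
    expr = expr.strip().rstrip(";")
    if expr.startswith("accept"):
        expr = expr[len("accept"):]
    toks = []
    for m in TOKEN.finditer(expr):
        if m.group(7):                       # anything the grammar does not know
            raise ValueError(f"unsupported syntax near {m.group(0)!r}")
        if m.group(1):
            toks.append(("term", int(m.group(1)), int(m.group(2)), int(m.group(4))))
        elif m.group(5) or m.group(6):
            toks.append((m.group(5) or m.group(6),))
    return toks


def field(pkt, offset, length):
    """Unsigned big-endian integer at pkt[offset:offset+length]; None when the
    packet is too short, so such a term never matches."""
    if offset + length > len(pkt):
        return None
    return int.from_bytes(pkt[offset:offset + length], "big")


class Filter:
    """Recursive descent: or := and ('or' and)*; and := unary ('and' unary)*;
    unary := 'not' unary | '(' or ')' | term.  Both operands are always parsed
    so that short-circuit evaluation never leaves tokens unconsumed."""

    def __init__(self, expr):
        self.toks = tokenize(expr)

    def matches(self, pkt):
        self.pkt, self.i = pkt, 0
        result = self._or()
        if self.i != len(self.toks):
            raise ValueError("trailing tokens in filter")
        return result

    def _peek(self):
        return self.toks[self.i][0] if self.i < len(self.toks) else None

    def _or(self):
        value = self._and()
        while self._peek() == "or":
            self.i += 1
            rhs = self._and()
            value = value or rhs
        return value

    def _and(self):
        value = self._unary()
        while self._peek() == "and":
            self.i += 1
            rhs = self._unary()
            value = value and rhs
        return value

    def _unary(self):
        tok = self._peek()
        if tok == "not":
            self.i += 1
            return not self._unary()
        if tok == "(":
            self.i += 1
            value = self._or()
            if self._peek() != ")":
                raise ValueError("missing ')'")
            self.i += 1
            return value
        if tok == "term":
            _, offset, length, want = self.toks[self.i]
            self.i += 1
            return field(self.pkt, offset, length) == want
        raise ValueError(f"unexpected token {tok!r}")


def ipv4_tcp_packet(sport, dport, proto=6, options=b""):
    """Constructed IPv4 header + TCP header, no payload.  `options` (a multiple
    of 4 bytes) lengthens the IP header and shifts every TCP field behind it."""
    ihl = 5 + len(options) // 4
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + 20, 0, 0, 64, proto, 0,
                         IPv4Address("192.168.10.2").packed, IPv4Address("10.0.0.1").packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    return ip_hdr + options + tcp_hdr


def tcp_sport_offset(pkt):
    """Where the TCP source port really starts: IHL*4, i.e. 20 only without IP options."""
    return (pkt[0] & 0x0F) * 4
```

The practical point: a packet carrying four bytes of IP options fails `[20:2,b]=80` even when its source port is 80, because the TCP header now starts at byte 24. Fixed-offset filters are a quick way to look at traffic, but for anything that must not miss packets prefer the protocol-aware helpers such as tcpport(80) from the examples above.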

 

Saturday, November 24, 2012

Route Redistribution - Part 1



My goal in the following lab is to test the options and features while redistributing routing protocols.
 
Here is the current topology:

1. Virtual link between area 0 and area 68: we need to configure the virtual link across area 36 because it is the transit area between area 68 and area 0. Note also that a virtual link is configured with the neighbor's router-id, not an interface IP, so R3 points at R6 (6.6.6.6) and R6 points at R3 (3.3.3.3).

R3:
router ospf 1
 area 36 virtual-link 6.6.6.6

R6:
router ospf 1
 area 36 virtual-link 3.3.3.3

2. Area 17 has been configured as a totally stubby area, which means no LSA types other than 1 and 2 are flooded into it.

R7:
router ospf 1
 area 17 stub no-summary

R1:
router ospf 1
 area 17 stub no-summary

3. R4 is advertising 192.168.41.0/24 into RIP; R7 will redistribute it into OSPF area 17.
First we create a prefix-list and a route-map to limit the redistribution to exactly the networks we want:

R7:
ip prefix-list PL_NET41 permit 192.168.41.0/24
!
route-map RM_RIP_TO_OSPF permit 10
 match ip address prefix-list PL_NET41
!
route-map RM_RIP_TO_OSPF deny 100
!

Then we use this route-map to redistribute RIP into OSPF:

R7:
router ospf 1
 redistribute rip subnets route-map RM_RIP_TO_OSPF
!

And we get the following error message:

*Mar  3 11:43:48.353: %OSPF-4-ASBR_WITHOUT_VALID_AREA: Router is currently an ASBR while having only one area which is a stub area

The reason is that area 17 is a stub area, so it cannot originate LSA type 5 (external routes). Let's convert area 17 into an NSSA, which still allows LSA types 1 and 2 and carries the externals as type 7 LSAs instead of type 5:

R7:
router ospf 1
 no area 17 stub no-summary
 no area 17 stub
 area 17 nssa no-summary
!
R1:
router ospf 1
 no area 17 stub no-summary
 no area 17 stub
 area 17 nssa no-summary
!

Note that the first no command only removes the no-summary option; the second removes the stub configuration itself.

Now, although area 17 is still a stub-type area, it can inject external routes into the OSPF domain:


R1:
R1#sh ip route ospf
     2.0.0.0/32 is subnetted, 1 subnets
O       2.2.2.2 [110/129] via 10.1.13.3, 00:02:55, Serial0/0.13
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 10.1.13.3, 00:02:55, Serial0/0.13
     6.0.0.0/32 is subnetted, 1 subnets
O IA    6.6.6.6 [110/75] via 10.1.13.3, 00:02:45, Serial0/0.13
O N2 192.168.41.0/24 [110/20] via 10.1.17.7, 00:02:45, FastEthernet0/1
     7.0.0.0/32 is subnetted, 1 subnets
O       7.7.7.7 [110/2] via 10.1.17.7, 00:02:45, FastEthernet0/1
     8.0.0.0/32 is subnetted, 1 subnets
O IA    8.8.8.8 [110/85] via 10.1.13.3, 00:02:45, Serial0/0.13
     192.168.81.0/32 is subnetted, 1 subnets
O IA    192.168.81.1 [110/85] via 10.1.13.3, 00:02:45, Serial0/0.13
     192.168.83.0/32 is subnetted, 1 subnets
O IA    192.168.83.1 [110/85] via 10.1.13.3, 00:02:45, Serial0/0.13
     10.0.0.0/24 is subnetted, 6 subnets
O       10.1.23.0 [110/128] via 10.1.13.3, 00:02:55, Serial0/0.13
O IA    10.1.36.0 [110/74] via 10.1.13.3, 00:02:45, Serial0/0.13
O IA    10.1.68.0 [110/84] via 10.1.13.3, 00:02:46, Serial0/0.13
     192.168.82.0/32 is subnetted, 1 subnets
O IA    192.168.82.1 [110/85] via 10.1.13.3, 00:02:46, Serial0/0.13
     192.168.71.0/32 is subnetted, 1 subnets
O       192.168.71.1 [110/2] via 10.1.17.7, 00:02:46, FastEthernet0/1

Note that network 192.168.41.0/24 is marked N2, which means it was learned as an NSSA external type 2 route.
External type 2 means the metric is the one set by the advertising router (R7, the ASBR in this case) and is not increased by the internal cost of reaching it. This type together with metric 20 are the OSPF defaults, and we can change them with the metric-type and metric options of the redistribute command under the OSPF process.

4. Now let's redistribute network 192.168.61.0/24 into RIP so we can ping network 192.168.41.0 from 192.168.61.0. The first problem we encounter is that area 17 is a totally NSSA area and therefore doesn't know network 192.168.61.0 (inter-area routes are not advertised into it). Let's convert area 17 into a plain NSSA area:

R7:
router ospf 1
 no area 17 nssa no-summary
!
R1:
router ospf 1
 no area 17 nssa no-summary
!

Configure a prefix-list and route-map so we can control what we advertise:

R7:
ip prefix-list PL_NET61 permit 192.168.61.0/24
!
route-map RM_OSPF_TO_RIP permit 10
 match ip address prefix-list PL_NET61
!
route-map RM_OSPF_TO_RIP deny 100
!

And redistribute OSPF into RIP:

R7:
router rip
 redistribute ospf 1 route-map RM_OSPF_TO_RIP metric 5
!

Note that RIP has no default metric for redistributed routes (its metric is a hop count), so if we didn't specify one the network would be unreachable.

While trying to redistribute 192.168.61.0/24 into RIP I encountered a very common error.
In this lab I'm using loopback interfaces to simulate LAN segments. OSPF advertises a loopback as a /32 host route rather than with its configured mask, so prefix-list PL_NET61 cannot match this specific network and nothing is advertised:

R7#sh ip prefix-list detail
Prefix-list with the last deletion/insertion: PL_NET61
ip prefix-list PL_NET41:
   count: 1, range entries: 0, sequences: 5 - 5, refcount: 2
   seq 5 permit 192.168.41.0/24 (hit count: 3, refcount: 1)
ip prefix-list PL_NET61:
   count: 1, range entries: 0, sequences: 5 - 5, refcount: 3
   seq 5 permit 192.168.61.0/24 (hit count: 0, refcount: 1)

R7#sh ip route 192.168.61.0  
Routing entry for 192.168.61.0/32, 1 known subnets
  Redistributing via rip

O IA    192.168.61.1 [110/76] via 10.1.17.1, 00:06:15, FastEthernet0/0

To fix this we need to configure the following command on every loopback interface:

R6:
interface loopback 1
 ip ospf network point-to-point
!

This will allow OSPF to advertise the network with the correct prefix.

R7:
R7#sh ip route 192.168.61.0
Routing entry for 192.168.61.0/24
  Known via "ospf 1", distance 110, metric 76, type inter area
  Redistributing via rip
  Advertised by rip metric 5 route-map RM_OSPF_TO_RIP
  Last update from 10.1.17.1 on FastEthernet0/0, 00:00:48 ago
  Routing Descriptor Blocks:
  * 10.1.17.1, from 1.1.1.1, 00:00:48 ago, via FastEthernet0/0
      Route metric is 76, traffic share count is 1
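Why the prefix-list showed a hit count of 0 is worth seeing in code. The following is an added example, not part of the original post and not IOS code: a model of Cisco ip prefix-list matching (exact length by default, ge/le bounding the candidate's prefix length) that runs PL_NET61 against the host route OSPF advertised for the loopback and against the /24 advertised after ip ospf network point-to-point. It also covers the route-map filters used in step 3, which rely on the same matching. The entries and candidate prefixes are constructed from the lab's addresses; the ge/le variants go beyond the post to show the general rule.

```python
"""Added example, not from the original post: a model of Cisco ip prefix-list
matching.  It reproduces why 'permit 192.168.61.0/24' has hit count 0 while
OSPF carries the loopback as 192.168.61.1/32, and why it matches once the /24
is advertised.  Entries and candidates below are constructed for the demo."""
from ipaddress import ip_network


def parse_entry(line):
    """'seq 5 permit 192.168.61.0/24 [ge N] [le M]' -> dict(seq, action, net, lo, hi)."""
    words = line.split()
    seq, action, net = int(words[1]), words[2], ip_network(words[3])
    ge = int(words[words.index("ge") + 1]) if "ge" in words else None
    le = int(words[words.index("le") + 1]) if "le" in words else None
    # No ge/le: the candidate must have exactly the entry's prefix length.
    # 'ge' alone allows lengths up to /32; 'le' alone from the entry length up to le.
    lo = ge if ge is not None else net.prefixlen
    hi = le if le is not None else (net.max_prefixlen if ge is not None else net.prefixlen)
    return {"seq": seq, "action": action, "net": net, "lo": lo, "hi": hi}


def entry_matches(entry, candidate):
    """The candidate must lie inside the entry's network (same leading bits)
    and its prefix length must fall within the entry's allowed range."""
    net = entry["net"]
    inside = candidate.network_address in net and candidate.prefixlen >= net.prefixlen
    return inside and entry["lo"] <= candidate.prefixlen <= entry["hi"]


def prefix_list_lookup(entries, prefix):
    """Evaluate entries in sequence order; return (seq, action) of the first
    match, or (None, 'deny') for the implicit deny at the end of every list."""
    candidate = ip_network(prefix, strict=False)
    for entry in sorted(entries, key=lambda e: e["seq"]):
        if entry_matches(entry, candidate):
            return entry["seq"], entry["action"]
    return None, "deny"


def apply_prefix_list(entries, candidates):
    """Run every candidate through the list and return (permitted prefixes,
    hit count per sequence), the two things 'show ip prefix-list detail' shows."""
    hits = {entry["seq"]: 0 for entry in entries}
    permitted = []
    for prefix in candidates:
        seq, action = prefix_list_lookup(entries, prefix)
        if seq is not None:
            hits[seq] += 1
        if action == "permit":
            permitted.append(prefix)
    return permitted, hits


if __name__ == "__main__":
    pl_net61 = [parse_entry("seq 5 permit 192.168.61.0/24")]
    # Before: OSPF advertises the loopback as a host route -> nothing matches.
    print(apply_prefix_list(pl_net61, ["192.168.61.1/32", "192.168.71.1/32"]))
    # After 'ip ospf network point-to-point' the configured /24 is advertised.
    print(apply_prefix_list(pl_net61, ["192.168.61.0/24", "192.168.71.1/32"]))
```

Had the intent been to match the host route as well, an entry such as `permit 192.168.61.0/24 le 32` would have caught it; changing the OSPF network type, as done above, is the cleaner fix because it makes the advertised prefix match the real segment.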

To verify the result:

R6#ping 192.168.41.1 source lo1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.41.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.61.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max =24/52/92 ms

R6#ping 192.168.41.1          

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.41.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Only when we ping network 192.168.41.0 with a source address in 192.168.61.0 do we get replies: that is the only R6 network redistributed into RIP, so it is the only one R4 has a return route for.

5. Now let's redistribute 192.168.41.0/24 into EIGRP AS 100:

R4:
ip prefix-list PL_NET41 permit 192.168.41.0/24
!
route-map RM_CONNECTED_TO_EIGRP permit 10
 match ip address prefix-list PL_NET41
!
route-map RM_CONNECTED_TO_EIGRP deny 100
!
router eigrp 100
 redistribute connected route-map RM_CONNECTED_TO_EIGRP
!

Note that we redistribute connected rather than RIP, as network 192.168.41.0/24 is directly connected to R4.

Now network 192.168.41.0/24 is known to R5 as an external EIGRP route:

R5#sh ip route eigrp
     4.0.0.0/32 is subnetted, 1 subnets
D       4.4.4.4 [90/156160] via 10.1.45.4, 01:18:26, FastEthernet0/1
D EX 192.168.41.0/24 [170/156160] via 10.1.45.4, 00:01:36, FastEthernet0/1
     10.0.0.0/24 is subnetted, 4 subnets
D       10.1.14.0 [90/284160] via 10.1.45.4, 01:18:26, FastEthernet0/1

Now let's redistribute network 192.168.41.0/24 from EIGRP into the OSPF domain on R2:

R2:
ip prefix-list PL_NET41 permit 192.168.41.0/24
!
route-map RM_EIGRP_TO_OSPF permit 10
 match ip address prefix-list PL_NET41
!
route-map RM_EIGRP_TO_OSPF deny 100
!
router ospf 1
 redistribute eigrp 100 subnets route-map RM_EIGRP_TO_OSPF
!

Again: always control what you are advertising.

Network 192.168.61.0/24 is learned via OSPF, so we need to redistribute it into EIGRP on R2:

R2:
ip prefix-list PL_NET61 permit 192.168.61.0/24
!
route-map RM_OSPF_TO_EIGRP permit 10
 match ip address prefix-list PL_NET61
!
route-map RM_OSPF_TO_EIGRP deny 100
!
router eigrp 100
 redistribute ospf 1 route-map RM_OSPF_TO_EIGRP metric 100000 10 255 1 1500
!

As with RIP, routes redistributed into EIGRP need an explicit metric (bandwidth, delay, reliability, load and MTU).

R4 now learns network 192.168.61.0/24 through EIGRP, so we redistribute it from EIGRP into RIP on R4 to complete the return path:

R4:
Ip prefix-list PL_NET61 permit 192.168.61.0/24
!
Route-map RM_EIGRP_TO_RIP permit 10
Match ip address prefix-list PL_NET61
!
Route-map RM_EIGRP_TO_RIP deny 100
!
Router rip
redistribute eigrp 100 route-map RM_EIGRP_TO_RIP
!

Now that network 192.168.61.0/24 has been advertised all over the network, let's examine who learned it and from where.

R6 originates this network itself.
R3 learns it through OSPF from R6:
R3#show ip route 192.168.61.0
Routing entry for 192.168.61.0/24
  Known via "ospf 1", distance 110, metric 11, type intra area
  Last update from 10.1.36.6 on FastEthernet0/0, 05:42:37 ago
  Routing Descriptor Blocks:
  * 10.1.36.6, from 6.6.6.6, 05:42:37 ago, via FastEthernet0/0

R1 and R2 learn this network through OSPF from R3:
R1#show ip route 192.168.61.0
Routing entry for 192.168.61.0/24
  Known via "ospf 1", distance 110, metric 75, type inter area
  Last update from 10.1.13.3 on Serial0/0.13, 00:07:58 ago
  Routing Descriptor Blocks:
  * 10.1.13.3, from 3.3.3.3, 00:07:58 ago, via Serial0/0.13
      Route metric is 75, traffic share count is 1

R2 is also redistributing this network to EIGRP.

R5 is learning this network through EIGRP from R2:
R5# show ip route 192.168.61.0
Routing entry for 192.168.61.0/24
  Known via "eigrp 100", distance 170, metric 284160, type external
  Redistributing via eigrp 100
  Last update from 10.1.25.2 on FastEthernet0/0, 00:15:43 ago
  Routing Descriptor Blocks:
  * 10.1.25.2, from 10.1.25.2, 00:15:43 ago, via FastEthernet0/0
      Route metric is 284160, traffic share count is 1
      Total delay is 1100 microseconds, minimum bandwidth is 10000 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 1

R4 learns this network from two sources, EIGRP through R5 and RIP through R7, but the routing table prefers the route through R7 as it has a better AD (RIP AD 120, EIGRP external AD 170):

R4#show ip route 192.168.61.0
Routing entry for 192.168.61.0/24
  Known via "rip", distance 120, metric 5
  Redistributing via rip
  Last update from 10.1.47.7 on FastEthernet0/1, 00:00:25 ago
  Routing Descriptor Blocks:
  * 10.1.47.7, from 10.1.47.7, 00:00:25 ago, via FastEthernet0/1
      Route metric is 5, traffic share count is 1

And finally R7, which learns this network through OSPF from R1:

R7#sh ip route 192.168.61.0
Routing entry for 192.168.61.0/24
  Known via "ospf 1", distance 110, metric 76, type inter area
  Redistributing via rip
  Advertised by rip metric 5 route-map RM_OSPF_TO_RIP
  Last update from 10.1.17.1 on FastEthernet0/0, 00:16:40 ago
  Routing Descriptor Blocks:
  * 10.1.17.1, from 1.1.1.1, 00:16:40 ago, via FastEthernet0/0
      Route metric is 76, traffic share count is 1

Now I would like R4 to prefer the route to 192.168.61.0/24 through R5 rather than through R7:

R4:
ip access-list standard 61
 permit 192.168.61.0 0.0.0.255
!
router rip
 distance 180 10.1.47.7 0.0.0.0 61
!

Using the distance command I can raise the AD of specific routes received from R7; here network 192.168.61.0/24 received from R7 gets an AD of 180, which is higher than EIGRP external (AD 170).
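To see exactly how that distance statement changes R4's choice, here is an added example (not part of the original post and not IOS code) that models route selection by administrative distance, Cisco wildcard-mask matching for the standard ACL, and the per-source distance override scoped by that ACL. The default ADs are the ones quoted above; the EIGRP route's source address 10.1.45.5 (assumed to be R5's side of the R4-R5 link) and its composite metric are constructed values, and the second RIP route used to show the ACL scoping is hypothetical.

```python
"""Added example, not from the original post: a model of how R4 picks between
its RIP and EIGRP-external routes to 192.168.61.0/24 before and after
'distance 180 10.1.47.7 0.0.0.0 61'.  The EIGRP source 10.1.45.5 and metric
284160 are constructed; the ADs are the IOS defaults quoted in the post."""
from ipaddress import IPv4Address

DEFAULT_AD = {"eigrp": 90, "ospf": 110, "rip": 120, "eigrp-external": 170}


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


def acl_permits(acl, address):
    """Standard ACL: the first matching (action, base, wildcard) entry wins;
    implicit deny at the end."""
    for action, base, wildcard in acl:
        if wildcard_match(address, base, wildcard):
            return action == "permit"
    return False


def effective_distance(route, distance_rules):
    """'distance <ad> <source> <wildcard> [acl]' is configured under one routing
    protocol and applies to that protocol's routes whose advertising source
    matches and (if an ACL is given) whose network the ACL permits."""
    for rule in distance_rules.get(route["proto"], []):
        if wildcard_match(route["source"], rule["source"], rule["wildcard"]):
            if rule["acl"] is None or acl_permits(rule["acl"], route["network"]):
                return rule["ad"]
    return DEFAULT_AD[route["proto"]]


def best_route(routes, distance_rules=None):
    """Lowest administrative distance wins; the metric only breaks ties."""
    distance_rules = distance_rules or {}
    return min(routes, key=lambda r: (effective_distance(r, distance_rules), r["metric"]))


# R4's two candidates for 192.168.61.0/24: RIP metric 5 as shown in the post,
# EIGRP external from R5 with a constructed composite metric.
R4_CANDIDATES = [
    {"proto": "rip", "network": "192.168.61.0", "source": "10.1.47.7", "metric": 5},
    {"proto": "eigrp-external", "network": "192.168.61.0", "source": "10.1.45.5", "metric": 284160},
]

# ip access-list standard 61 / permit 192.168.61.0 0.0.0.255
ACL_61 = [("permit", "192.168.61.0", "0.0.0.255")]
# router rip / distance 180 10.1.47.7 0.0.0.0 61
RULES = {"rip": [{"ad": 180, "source": "10.1.47.7", "wildcard": "0.0.0.0", "acl": ACL_61}]}

if __name__ == "__main__":
    print("without distance command:", best_route(R4_CANDIDATES)["proto"])
    print("with distance command:   ", best_route(R4_CANDIDATES, RULES)["proto"])
```

The ACL is what keeps the override surgical: any other RIP route R7 advertises to R4 keeps the default AD of 120, and only 192.168.61.0/24 from 10.1.47.7 is pushed above EIGRP external's 170.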