
Thursday, June 7, 2012

BGP Allows-in feature


Here is another BGP LAB:

R1 and R4 belong to AS65014 while R2 and R3 belong to AS65023; as we can see from the network topology, AS65023 sits in the middle of AS65014.

Routes advertised by R1 to R2 won't be learned by R4 because of their AS-PATH: R4 will see its own AS in the path.


R4:
R4# show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.42.0/24 is directly connected, Loopback2
C    192.168.41.0/24 is directly connected, Loopback1
     10.0.0.0/24 is subnetted, 2 subnets
B       10.1.12.0 [20/0] via 10.1.34.3, 00:09:44
C       10.1.34.0 is directly connected, FastEthernet0/0

As you may recall, BGP uses the AS-PATH to prevent routing loops: when a BGP peer sees its own AS number in the AS-PATH it discards the route.
To overcome this we can configure R4 and R1 to accept routes that carry their own AS in the path:

R1:
R1(config)#router bgp 65014
R1(config-router)#neighbor 10.1.12.2 allowas-in 1

R4:
R4(config)#router bgp 65014
R4(config-router)#neighbor 10.1.34.3 allowas-in 1

The number after allowas-in defines how many times the router will accept its own AS in the path; in this case only once.
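To make the counting rule concrete, here is an added Python model of the receiver-side loop check (my example, not IOS code); the AS_PATH values mirror this lab's AS numbers.

```python
from typing import Sequence

# Constructed AS_PATHs mirroring the lab: R1 (AS65014) -> R2/R3 (AS65023) -> R4 (AS65014).
# Hypothetical helper functions, not Cisco's implementation.

def local_as_occurrences(as_path: Sequence[int], local_as: int) -> int:
    """Count how many times the receiving router's own ASN appears in AS_PATH."""
    return sum(1 for asn in as_path if asn == local_as)


def accept_route(as_path: Sequence[int], local_as: int, allowas_in: int = 0) -> bool:
    """Loop check as an eBGP receiver applies it.

    Default BGP behaviour (allowas_in == 0): any occurrence of the local ASN in
    AS_PATH is treated as a loop and the UPDATE is discarded.
    With 'neighbor ... allowas-in N' the route is kept as long as the local ASN
    appears at most N times. Every increment of N weakens loop protection, so
    keep it as small as the topology requires.
    """
    return local_as_occurrences(as_path, local_as) <= allowas_in


# What R4 sees for R1's loopbacks: the path already carries AS65014.
R1_TO_R4 = (65023, 65014)


def lab_results() -> dict:
    return {
        # dropped, as in the first 'show ip route' on R4
        "default": accept_route(R1_TO_R4, 65014),
        # accepted: 192.168.11.0/24 and 192.168.12.0/24 appear on R4
        "allowas_in_1": accept_route(R1_TO_R4, 65014, 1),
        # a path that re-entered AS65014 twice is still rejected with allowas-in 1
        "twice_allowas_in_1": accept_route((65023, 65014, 65023, 65014), 65014, 1),
    }
```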

The result:
R4#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

B    192.168.12.0/24 [20/0] via 10.1.34.3, 00:00:02
C    192.168.42.0/24 is directly connected, Loopback2
B    192.168.11.0/24 [20/0] via 10.1.34.3, 00:00:02
C    192.168.41.0/24 is directly connected, Loopback1
     10.0.0.0/24 is subnetted, 2 subnets
B       10.1.12.0 [20/0] via 10.1.34.3, 00:14:20
C       10.1.34.0 is directly connected, FastEthernet0/0


Saturday, June 2, 2012

BGP default-route


Let’s take the following scenario:



R3 is EBGP peering with R2, and there are three ways to advertise a default route to it:

1. Use neighbor x.x.x.x default-originate
R3 configuration:
router bgp 65003
 no synchronization
 bgp log-neighbor-changes
 network 192.168.30.0
 neighbor 10.1.23.2 remote-as 65012
 neighbor 10.1.23.2 default-originate
 no auto-summary

R3 will advertise a default route to R2 whether or not it has a default route in its own routing table.

R3:
R3#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.30.0/24 is directly connected, Loopback1
     10.0.0.0/24 is subnetted, 2 subnets
C       10.1.23.0 is directly connected, FastEthernet0/0
C       10.1.45.0 is directly connected, FastEthernet0/1

R2:
R2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.23.3 to network 0.0.0.0

B    192.168.30.0/24 [20/0] via 10.1.23.3, 02:51:33
     10.0.0.0/24 is subnetted, 2 subnets
C       10.1.12.0 is directly connected, FastEthernet0/0
C       10.1.23.0 is directly connected, FastEthernet0/1
B*   0.0.0.0/0 [20/0] via 10.1.23.3, 00:15:19
     
2. Use default-information originate and redistribute static
R3 configuration:
router bgp 65003
 no synchronization
 bgp log-neighbor-changes
 network 192.168.30.0
 neighbor 10.1.23.2 remote-as 65012
 default-information originate
 redistribute static
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 null0

R3:
R3#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

C    192.168.30.0/24 is directly connected, Loopback1
     10.0.0.0/24 is subnetted, 2 subnets
C       10.1.23.0 is directly connected, FastEthernet0/0
C       10.1.45.0 is directly connected, FastEthernet0/1
S*   0.0.0.0/0 is directly connected, Null0

R2:
R2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.23.3 to network 0.0.0.0

B    192.168.30.0/24 [20/0] via 10.1.23.3, 00:01:57
     10.0.0.0/24 is subnetted, 2 subnets
C       10.1.12.0 is directly connected, FastEthernet0/0
C       10.1.23.0 is directly connected, FastEthernet0/1
B*   0.0.0.0/0 [20/0] via 10.1.23.3, 00:01:57

3. Use the network 0.0.0.0 command, which requires R3 to have a default route in its routing table (from a static route or any dynamic routing protocol)
R3 configuration:
router bgp 65003
 no synchronization
 bgp log-neighbor-changes
 network 192.168.30.0
 neighbor 10.1.23.2 remote-as 65012
 network 0.0.0.0
 no auto-summary

R3:
R3#show ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.45.4 to network 0.0.0.0

C    192.168.30.0/24 is directly connected, Loopback1
     10.0.0.0/24 is subnetted, 2 subnets
C       10.1.23.0 is directly connected, FastEthernet0/0
C       10.1.45.0 is directly connected, FastEthernet0/1
O*E2 0.0.0.0/0 [110/1] via 10.1.45.4, 00:00:28, FastEthernet0/1

R2:
R2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.23.3 to network 0.0.0.0

B    192.168.30.0/24 [20/0] via 10.1.23.3, 00:00:32
     10.0.0.0/24 is subnetted, 2 subnets
C       10.1.12.0 is directly connected, FastEthernet0/0
C       10.1.23.0 is directly connected, FastEthernet0/1
B*   0.0.0.0/0 [20/1] via 10.1.23.3, 00:00:32

To summarize:

Command                                | Default route in routing table | Source
---------------------------------------|--------------------------------|------------------------------
router bgp 65003                       | No                             | N/A
 neighbor x.x.x.x default-originate    |                                |
router bgp 65003                       | Yes                            | Static, OSPF, RIP, EIGRP
 default-information originate         |                                |
 redistribute <protocol>               |                                |
router bgp 65003                       | Yes                            | Static, OSPF, RIP, EIGRP, BGP
 network 0.0.0.0                       |                                |
No special command                     | Yes                            | EBGP, IBGP


Tuesday, May 22, 2012

RTBH using BGP communities

RTBH stands for Remote Triggered Black Hole: the ability to route traffic into a black hole from a remote location. In the real world the intention is to let customers instruct their ISP to route traffic into a black hole without any intervention from the ISP's side.

So why would we want to route traffic into a black hole? In case of a DoS/DDoS we want to stop the attack as soon as possible, and the best way to do that is to route the traffic destined to the victim into a black hole, so that the excess traffic (or pps) never reaches or crosses our links and devices.


Looking at the network diagram we can see that the attacker conducts the DoS attack through the ISP toward the customer's server.
The customer can stop the attack by advertising the victim IP (the destination) to the ISP with a special community, whereupon the ISP re-routes the traffic for that IP toward a black hole (null0 or discard).

Currently we are working with Level3 and Tinet, which support the RTBH communities 3356:9999 and 3257:2666 respectively.

So if the victim IP were 200.10.0.1, the configuration for Level3 would be:
ip prefix-list PL_RTBH_LEVEL3 permit 200.10.0.1/32
!
route-map RM_BGP_LEVEL3_OUTBOUND permit 10
 match ip address prefix-list PL_RTBH_LEVEL3
 set community 3356:9999

Take note that although ISPs do not accept BGP advertisements for prefixes longer than /24, for RTBH you can advertise any prefix length, including /32.
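Because the blackhole community asks the upstream to discard traffic, the announcement must be a host route inside our own address space. Here is an added Python generator (not from the post) that enforces that check and renders the prefix-list/route-map pair above for either upstream; the customer /24 (200.10.0.0/24) is assumed, and the helper names are mine.

```python
import ipaddress

# Upstream RTBH communities quoted in the post.
RTBH_COMMUNITIES = {"LEVEL3": "3356:9999", "TINET": "3257:2666"}

# Assumed (constructed) customer allocation: the /24 containing the victim 200.10.0.1.
CUSTOMER_PREFIXES = [ipaddress.ip_network("200.10.0.0/24")]


def validate_blackhole_target(victim: str) -> ipaddress.IPv4Network:
    """Only a /32 inside our own address space may carry the blackhole community.

    Anything else would ask the upstream to discard traffic for space we do not own,
    or to discard more than the single attacked host.
    """
    net = ipaddress.ip_network(victim, strict=True)  # bare address -> /32
    if net.prefixlen != 32:
        raise ValueError(f"{victim}: RTBH announcements are host routes (/32) only")
    if not any(net.subnet_of(p) for p in CUSTOMER_PREFIXES):
        raise ValueError(f"{victim}: not inside our own prefixes, refusing to blackhole")
    return net


def is_valid_target(victim: str) -> bool:
    """Boolean wrapper around the validation, handy for pre-checks and tests."""
    try:
        validate_blackhole_target(victim)
        return True
    except ValueError:
        return False


def rtbh_config(victim: str, upstream: str) -> str:
    """Render the prefix-list and route-map from the post for one upstream (IOS syntax).

    The route-map still has to be bound outbound on that upstream's neighbor; that
    line is outside this snippet, as it is in the post.
    """
    net = validate_blackhole_target(victim)
    community = RTBH_COMMUNITIES[upstream]
    return "\n".join([
        f"ip prefix-list PL_RTBH_{upstream} permit {net}",
        "!",
        f"route-map RM_BGP_{upstream}_OUTBOUND permit 10",
        f" match ip address prefix-list PL_RTBH_{upstream}",
        f" set community {community}",
    ])
```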





Sunday, May 20, 2012

How to reset Safe@Office appliance to factory default


A few things to know before resetting to factory default:
1. All configuration will be erased!
2. The appliance will revert to the firmware version it shipped with from the manufacturer, hence all firmware upgrades done in the past will be lost.
3. Follow the instructions carefully to avoid permanent damage to the appliance.

I found that there are two ways to reset a Safe@Office appliance to factory default, and I think which one applies somehow depends on the firmware version that was installed at the factory.

Method #1:
1. Make sure the Safe@Office appliance is powered on.
2. Press the RESET button on the back of the Safe@Office appliance steadily for seven seconds and then release it.
3. Allow the Safe@Office appliance to boot up until the system is ready (the PWR/SEC LED flashes slowly or illuminates steadily green).
4. Connect a PC to the appliance and check that you receive a 192.168.10.xxx IP address.
5. Log in to http://my.firewall (not to 192.168.10.1) and enter the password for admin access.

Method #2:
1. Unplug the power cord.
2. Hold the reset button on the back of the appliance.
3. Plug in the power cord while holding the button until the PWR/SEC LED is steady red.
4. Release the reset button for 3 seconds.
5. Press the reset button again for 10 seconds until the PWR/SEC LED starts blinking red.
6. Connect a PC to the appliance and check that you receive a 192.168.10.xxx IP address.
7. Log in to http://my.firewall (not to 192.168.10.1) and enter the password for admin access.

Warning: If you choose to reset the Safe@Office appliance by disconnecting the power cable and then reconnecting it, be sure to leave the appliance disconnected for at least three seconds, or it might not function properly until you reboot it as described below.

Sunday, May 13, 2012

How to upgrade Juniper EX4200 switch software


1. Format a DOK (disk-on-key) with enough space as FAT32.
2. Copy the software image (jinstall-ex-4200-11.3R2.4-domestic-signed.tgz) onto the DOK.
3. Plug the DOK into the USB port on the back of the switch.
4. Enter shell mode (you will need the root password):
user@switch> start shell
% su
Password:
root@switch%

5. Mount the DOK:
mount_msdosfs /dev/da1s1 /mnt

6. Copy the image file to a temporary directory:
cp /mnt/jinstall-ex-4200-11.3R2.4-domestic-signed.tgz /var/tmp

7. Return to operational mode:
cli

8. Start the upgrade process:
request system software add /var/tmp/jinstall-ex-4200-11.3R2.4-domestic-signed.tgz

How to enable Windows XP Network Level Authentication


In order to allow Windows XP to connect to Windows 7 over RDP without changing the security level, we need to accomplish two steps:

1. Install the Microsoft Remote Desktop Connection 7.0 client or later
2. Tweak some registry values

Follow these steps to make the required registry tweaks:
1. Open the registry editor: Start -> Run -> regedit
2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
3. Modify the value Security Packages
4. Add the value tspkg
5. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders
6. Modify the value SecurityProviders
7. Add the value credssp.dll (don't forget the comma before it)
8. Exit the registry editor
9. Restart the computer