From: Scott Morris (swm@emanon.com)
Date: Wed Dec 31 2003 - 01:13:04 GMT-3
That's mean, very mean.... I like it! :) <<And you just wonder how many
proctors monitor the list looking for amusing new ideas!>>
Although on the flip side, you "sort of" know who your peers are, at least
in terms of the AS number and pre-defined IPs. So it's not QUITE the same,
but still an amusing lesson in IOS logic!
(If you're using Juniper routers it's called a dynamic peer, I believe
Riverstone calls it the same)
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, CISSP,
JNCIS, et al.
IPExpert CCIE Program Manager
IPExpert Sr. Technical Instructor
swm@emanon.com/smorris@ipexpert.net
http://www.ipexpert.net
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Brian McGahan
Sent: Tuesday, December 30, 2003 11:04 PM
To: 'Nathasha Aleyevka'; ccielab@groupstudy.com
Subject: RE: BGP in promiscuous/passive mode!
Nathasha,
Actually yes you can do this (in a way) with NAT. The following
configuration can be used to set a router in BGP "promiscuous" mode. While
completely impractical, this is a fun (yes I said fun) exercise in IOS
logic.
R1--R3--RX
R1 will be our "promiscuous" router. R3 will be a staging device
for address translation, and RX is one or more devices that want to create a
BGP session with R1.
First, R1 is configured with various neighbor statements that will
be used when one or more devices want to initiate a BGP session. This
configuration cannot occur without these neighbor statements. A random
remote-as value of 2 has been chosen. Devices that want to peer with R1
will need to know that R1 is expecting their AS number to be 2.
R1:
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Serial0/1
description TO R3
ip address 13.0.0.1 255.0.0.0
!
router bgp 1
neighbor PSEUDO_PEERS peer-group
neighbor PSEUDO_PEERS remote-as 2
neighbor PSEUDO_PEERS ebgp-multihop 255
neighbor PSEUDO_PEERS update-source Loopback0
neighbor 13.0.0.100 peer-group PSEUDO_PEERS
neighbor 13.0.0.101 peer-group PSEUDO_PEERS
neighbor 13.0.0.102 peer-group PSEUDO_PEERS
neighbor 13.0.0.103 peer-group PSEUDO_PEERS
neighbor 13.0.0.104 peer-group PSEUDO_PEERS
neighbor 13.0.0.105 peer-group PSEUDO_PEERS
neighbor 13.0.0.106 peer-group PSEUDO_PEERS
neighbor 13.0.0.107 peer-group PSEUDO_PEERS
neighbor 13.0.0.108 peer-group PSEUDO_PEERS
neighbor 13.0.0.109 peer-group PSEUDO_PEERS
Now R1 is expecting a BGP session from any of these addresses. Now
all we need to do is intercept BGP traffic on R3 that is going to R1 and
translate it.
R3:
interface Serial1/2
description TO R1
ip address 13.0.0.3 255.0.0.0
ip nat outside
!
interface Serial1/3
description TO RX
ip address 23.0.0.3 255.0.0.0
ip nat inside
!
ip nat pool PSEUDO_PEERS 13.0.0.100 13.0.0.109 netmask 255.0.0.0
ip nat inside source list BGP_TRAFFIC_TO_TRANSLATE pool PSEUDO_PEERS
!
ip access-list extended BGP_TRAFFIC_TO_TRANSLATE
permit tcp any host 1.1.1.1 eq bgp
Now any BGP traffic that is destined for R1 will be translated to
one of the addresses that R1 is expecting. Now for the config on RX. This
will simply specify R1 as a peer, and include the fact that R1 expects RX's
ASN to be 2.
RX:
router bgp 12345
neighbor 1.1.1.1 remote-as 1
neighbor 1.1.1.1 local-as 2
neighbor 1.1.1.1 ebgp-multihop 255
RX#sh ip bgp sum
BGP router identifier 23.0.0.2, local AS number 12345
BGP table version is 1, main routing table version 1
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
1.1.1.1         4     1      21      21        1    0    0 00:17:58        0
As long as R1 has a default route to the staging router it will
accept a BGP session from anyone who tries to initiate it.
HTH,
Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 708-362-1418 (Outside the US and Canada)
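The NAT-based "promiscuous" setup above, modelled as an added example (this is editor-added code, not code from Brian's post or from IOS). It reproduces in plain Python what R3's dynamic NAT pool and R1's static neighbor list do with an inbound session attempt, so the two limits of the trick show up in code: the pool size caps the number of simultaneous peers, and R1 still enforces the configured remote-as of 2 on the OPEN it receives. The addresses, AS numbers and pool are the ones in the post; the class and function names, and the idea of a "session attempt" as a single call, are this example's own.

```python
"""Model of the NAT-based "promiscuous" BGP setup in the post above.

Added example, not code from the post: a plain-Python model of what R3's
dynamic NAT pool and R1's static neighbor list do with an inbound session
attempt. Addresses, AS numbers and the pool are from the post; the class
and function names are this example's own.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address

R1_LOOPBACK = IPv4Address("1.1.1.1")
BGP_PORT = 179
R1_LOCAL_AS = 1
# R1: neighbor 13.0.0.100 .. 13.0.0.109 peer-group PSEUDO_PEERS, remote-as 2
PSEUDO_PEERS = [IPv4Address("13.0.0.100") + i for i in range(10)]
R1_NEIGHBORS = {addr: 2 for addr in PSEUDO_PEERS}


@dataclass
class R3Nat:
    """R3: ip nat inside source list BGP_TRAFFIC_TO_TRANSLATE pool PSEUDO_PEERS
    (no 'overload' keyword, so each inside host needs a pool address of its own)."""
    pool: list
    table: dict = field(default_factory=dict)  # inside host -> pool address

    def inside_to_outside(self, src, dst, dport):
        # ACL BGP_TRAFFIC_TO_TRANSLATE: permit tcp any host 1.1.1.1 eq bgp
        if dst != R1_LOOPBACK or dport != BGP_PORT:
            return src                      # not matched: forwarded untranslated
        if src in self.table:
            return self.table[src]          # existing translation is reused
        in_use = set(self.table.values())
        for cand in self.pool:
            if cand not in in_use:
                self.table[src] = cand
                return cand
        return None                         # pool exhausted: packet is dropped

    def outside_to_inside(self, dst):
        """Return traffic from R1 to a pool address goes back to the real host."""
        for inside, pool_addr in self.table.items():
            if pool_addr == dst:
                return inside
        return dst


def r1_accepts(src, peer_as):
    """R1's view of a session arriving from the (translated) address src."""
    if src not in R1_NEIGHBORS:
        return "rejected: no neighbor statement for " + str(src)
    if peer_as != R1_NEIGHBORS[src]:
        return f"NOTIFICATION Bad Peer AS (expected {R1_NEIGHBORS[src]}, got {peer_as})"
    return "ESTABLISHED"


def attempt_session(nat, rx_addr, rx_as, dst="1.1.1.1"):
    """One RX trying to peer with R1 through R3; returns R1's verdict as text."""
    rx_addr, dst = IPv4Address(rx_addr), IPv4Address(dst)
    translated = nat.inside_to_outside(rx_addr, dst, BGP_PORT)
    if translated is None:
        return "dropped at R3: NAT pool exhausted"
    verdict = r1_accepts(translated, rx_as)
    if verdict == "ESTABLISHED":
        # the reply from R1 to the pool address must reach the real RX
        assert nat.outside_to_inside(translated) == rx_addr
    return verdict


if __name__ == "__main__":
    nat = R3Nat(PSEUDO_PEERS)
    for i in range(1, 13):  # twelve hosts against a pool of ten addresses
        rx = str(IPv4Address("23.0.0.1") + i)
        print(rx, "->", attempt_session(nat, rx, rx_as=2))
    # a peer that forgot 'neighbor 1.1.1.1 local-as 2'
    print(attempt_session(nat, "23.0.0.2", rx_as=12345))
```

Run it and the eleventh and twelfth hosts are dropped on R3, not refused by R1: a plain pool without "overload" is a one-to-one mapping, so the number of neighbor statements on R1 and the pool size together bound the number of concurrent peers, and a translation that has aged out frees its address for someone else.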
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> Of Nathasha Aleyevka
> Sent: Monday, December 29, 2003 11:44 PM
> To: ccielab@groupstudy.com
> Subject: BGP in promiscuous/passive mode!
>
> Good Evening All,
>
>
> I have 2 questions regarding BGP:
>
> a) I would like to establish a BGP session between two routers,
> R1 in AS10 and R2 in AS20 (central site). I can configure R1 with the
> neighbor 1.1.1.2 remote-as 20 command; is it possible to configure R2
> in a promiscuous mode so it will establish a session with R1/x without
> entering the neighbor commands on R2?
>
> R1:
> int e0
> ip address 1.1.1.1/24
> router bgp 10
> neighbor 1.1.1.2 remote-as 20
>
> R2:
> int e0
> ip address 1.1.1.2/24
> ===========================================================
>
> b) I only want R1 to be able to start a BGP session with R2,
> destination port 179.
> By using a local policy & route-map on R2 with an outbound
> access-list, applied to R2's E0, here is what I got:
> IP: s=1.1.1.1 (Ethernet0), d=1.1.1.2 (Ethernet0), len 60, rcvd 3
> TCP src=11009, dst=179, seq=2156087920, ack=0, win=16384 SYN
> IP: s=1.1.1.1 (Ethernet0), d=1.1.1.2 (Ethernet0), len 60, rcvd 3
> TCP src=11009, dst=179, seq=2156087921, ack=2260118643, win=16384 ACK
> IP: s=1.1.1.1 (Ethernet0), d=1.1.1.2 (Ethernet0), len 99, rcvd 3
> TCP src=11009, dst=179, seq=2156087921, ack=2260118643, win=16384 ACK PSH
> IP: s=1.1.1.1 (Ethernet0), d=1.1.1.2 (Ethernet0), len 73, rcvd 3
> TCP src=11009, dst=179, seq=2156087966, ack=2260118672, win=16355 ACK PSH
> su BGP table version is 1, main routing table version 1
>
> Having said that, it seems to me that the router initiating the TCP connection
> in the above scenario is router R1, but the BGP session is started by R2.
>
> If router R1 were to initiate a BGP session, the second line should look like
> IP: s=1.1.1.1 (Ethernet0), d=1.1.1.2 (Ethernet0), len 60, rcvd 3
> TCP src=179, dst=11016, seq=2918566711, ack=3022616789, win=16384 ACK SYN
> Therefore the configuration should be done on the router which stops traffic
> going to port 179.
>
> Am I reading this correctly? Thank you, Nathasha
> _______________________________________________________________________
> Please help support GroupStudy by purchasing your study materials from:
> http://shop.groupstudy.com
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
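Question (b) in Nathasha's original message, about which router opened the TCP connection, can be answered mechanically from the debug output. What follows is an added example (editor-added code, not code from anyone in the thread or from IOS): a small parser for "debug ip packet detail" lines of the shape she pasted, plus the rule it applies, which is plain TCP rather than anything BGP-specific: the host that sends the bare SYN opened the connection, the SYN/ACK comes back from the listener, and the BGP OPEN messages flow later in both directions on that one connection, so they say nothing about who connected. The two traces in the block are constructed to look like the post's output; the "sending" lines for R2's own packets and the second trace are written by hand, and the function names are this example's own.

```python
"""Which side opened the TCP connection in a 'debug ip packet detail' trace.

Added example, not code from the thread. Parses IP/TCP debug line pairs and
classifies the handshake: a bare SYN marks the initiator, a SYN/ACK marks the
listener. The sample traces are constructed (the 'sending' lines and the
second trace are made up to look like the post's output).
"""
import re
from dataclasses import dataclass

FLAG_WORDS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}
IP_RE = re.compile(r"IP: s=(?P<src>[\d.]+) \([\w ]+\), d=(?P<dst>[\d.]+) \([\w ]+\), len \d+")
TCP_RE = re.compile(
    r"TCP src=(?P<sport>\d+), dst=(?P<dport>\d+), seq=\d+, ack=\d+, win=\d+(?P<rest>.*)",
    re.S)


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset


def parse_debug(text):
    """Turn IP/TCP debug line pairs into Segments; flags may wrap onto the next line."""
    segments = []
    for chunk in re.split(r"(?=IP: s=)", text):
        ip_m, tcp_m = IP_RE.search(chunk), TCP_RE.search(chunk)
        if not (ip_m and tcp_m):
            continue  # other terminal output mixed into the capture
        flags = frozenset(w for w in tcp_m["rest"].split() if w in FLAG_WORDS)
        segments.append(Segment(ip_m["src"], int(tcp_m["sport"]),
                                ip_m["dst"], int(tcp_m["dport"]), flags))
    return segments


def tcp_initiator(segments):
    """Return (initiator, listener, listener_port), or None if no handshake was seen."""
    for s in segments:
        if "SYN" in s.flags and "ACK" not in s.flags:
            return (s.src, s.dst, s.dport)
    for s in segments:  # only the reply was captured: invert it
        if {"SYN", "ACK"} <= s.flags:
            return (s.dst, s.src, s.sport)
    return None


def unauthorized_opens(segments, allowed_initiator, port=179):
    """Bare SYNs to the BGP port from anyone other than allowed_initiator.
    These are the packets an inbound filter on the listener's interface has to
    drop to enforce 'only R1 may start the session'; everything after the
    handshake, OPEN messages included, is irrelevant to that decision."""
    return [s for s in segments
            if s.dport == port and "SYN" in s.flags and "ACK" not in s.flags
            and s.src != allowed_initiator]


# Constructed trace 1: R1 (1.1.1.1) opens the session to R2 (1.1.1.2), as in the post.
TRACE_R1_OPENS = """\
IP: s=1.1.1.1 (Ethernet0), d=1.1.1.2 (Ethernet0), len 60, rcvd 3
TCP src=11009, dst=179, seq=2156087920, ack=0, win=16384 SYN
IP: s=1.1.1.2 (local), d=1.1.1.1 (Ethernet0), len 60, sending
TCP src=179, dst=11009, seq=2260118642, ack=2156087921, win=16384 ACK SYN
IP: s=1.1.1.1 (Ethernet0), d=1.1.1.2 (Ethernet0), len 60, rcvd 3
TCP src=11009, dst=179, seq=2156087921, ack=2260118643, win=16384
ACK
IP: s=1.1.1.1 (Ethernet0), d=1.1.1.2 (Ethernet0), len 99, rcvd 3
TCP src=11009, dst=179, seq=2156087921, ack=2260118643, win=16384 ACK PSH
"""

# Constructed trace 2: R2 opens the session instead, the case the policy must stop.
TRACE_R2_OPENS = """\
IP: s=1.1.1.2 (local), d=1.1.1.1 (Ethernet0), len 60, sending
TCP src=11016, dst=179, seq=3022616788, ack=0, win=16384 SYN
IP: s=1.1.1.1 (Ethernet0), d=1.1.1.2 (Ethernet0), len 60, rcvd 3
TCP src=179, dst=11016, seq=2918566711, ack=3022616789, win=16384 ACK SYN
"""

if __name__ == "__main__":
    for name, trace in (("R1 opens", TRACE_R1_OPENS), ("R2 opens", TRACE_R2_OPENS)):
        segs = parse_debug(trace)
        print(name, "->", tcp_initiator(segs),
              "violations:", len(unauthorized_opens(segs, "1.1.1.1")))
```

Note that a capture taken on R2 with "rcvd" lines only shows packets R2 received; R2's own SYN/ACK appears as a "sending" line, so a trace consisting solely of received SYN, ACK and ACK PSH segments toward port 179 already identifies the sender of those segments as the TCP initiator.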
This archive was generated by hypermail 2.1.4 : Sat Jan 03 2004 - 08:25:46 GMT-3