RE: BGP in promiscuous/passive mode!

From: Nathasha Aleyevka (naleyevka@yahoo.com)
Date: Wed Dec 31 2003 - 16:13:21 GMT-3


Thank you Brian, you are "the" Arnold Schwarzenegger of this screen ;-)

Happy New Year Everybody..

--- Brian McGahan <bmcgahan@internetworkexpert.com>
wrote:
> Nathasha,
>
> Actually yes you can do this (in a way) with NAT. The following
> configuration can be used to set a router in BGP "promiscuous" mode.
> While completely impractical, this is a fun (yes I said fun) exercise
> in IOS logic.
>
> R1--R3--RX
>
> R1 will be our "promiscuous" router. R3 will be a staging device for
> address translation, and RX is one or more devices that want to create
> a BGP session with R1.
>
> First, R1 is configured with various neighbor statements that will be
> used when one or more devices want to initiate a BGP session. This
> configuration cannot occur without these neighbor statements. A random
> remote-as value of 2 has been chosen. Devices that want to peer with R1
> will need to know that R1 is expecting their AS number to be 2.
>
> R1:
> interface Loopback0
> ip address 1.1.1.1 255.255.255.255
> !
> interface Serial0/1
> description TO R3
> ip address 13.0.0.1 255.0.0.0
> !
> router bgp 1
> neighbor PSEUDO_PEERS peer-group
> neighbor PSEUDO_PEERS remote-as 2
> neighbor PSEUDO_PEERS ebgp-multihop 255
> neighbor PSEUDO_PEERS update-source Loopback0
> neighbor 13.0.0.100 peer-group PSEUDO_PEERS
> neighbor 13.0.0.101 peer-group PSEUDO_PEERS
> neighbor 13.0.0.102 peer-group PSEUDO_PEERS
> neighbor 13.0.0.103 peer-group PSEUDO_PEERS
> neighbor 13.0.0.104 peer-group PSEUDO_PEERS
> neighbor 13.0.0.105 peer-group PSEUDO_PEERS
> neighbor 13.0.0.106 peer-group PSEUDO_PEERS
> neighbor 13.0.0.107 peer-group PSEUDO_PEERS
> neighbor 13.0.0.108 peer-group PSEUDO_PEERS
> neighbor 13.0.0.109 peer-group PSEUDO_PEERS
>
> Now R1 is expecting a BGP session from any of these addresses. Now all
> we need to do is intercept BGP traffic on R3 that is going to R1 and
> translate it.
>
> R3:
> interface Serial1/2
> description TO R1
> ip address 13.0.0.3 255.0.0.0
> ip nat outside
> !
> interface Serial1/3
> description TO RX
> ip address 23.0.0.3 255.0.0.0
> ip nat inside
> !
> ip nat pool PSEUDO_PEERS 13.0.0.100 13.0.0.109 netmask 255.0.0.0
> ip nat inside source list BGP_TRAFFIC_TO_TRANSLATE pool PSEUDO_PEERS
> !
> ip access-list extended BGP_TRAFFIC_TO_TRANSLATE
> permit tcp any host 1.1.1.1 eq bgp
>
> Now any BGP traffic that is destined for R1 will be translated to one
> of the addresses that R1 is expecting. Now for the config on RX. This
> will simply specify R1 as a peer, and include the fact that R1 expects
> RX's ASN to be 2.
>
> RX:
> router bgp 12345
> neighbor 1.1.1.1 remote-as 1
> neighbor 1.1.1.1 local-as 2
> neighbor 1.1.1.1 ebgp-multihop 255
>
> RX#sh ip bgp sum
> BGP router identifier 23.0.0.2, local AS number 12345
> BGP table version is 1, main routing table version 1
>
> Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
> 1.1.1.1         4     1      21      21        1    0    0 00:17:58        0
>
>
> As long as R1 has a default route to the staging router it will accept
> a BGP session from anyone who tries to initiate it.
>
>
> HTH,
>
> Brian McGahan, CCIE #8593
> bmcgahan@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Direct: 708-362-1418 (Outside the US and Canada)
>
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Nathasha Aleyevka
> > Sent: Monday, December 29, 2003 11:44 PM
> > To: ccielab@groupstudy.com
> > Subject: BGP in promiscuous/passive mode!
> >
> > Good Evening All,
> >
> >
> > I have 2 questions regarding BGP:
> >
> > a) I would like to establish a BGP session between two routers,
> > R1 in AS10 and R2 in AS20 (Central site). I can configure R1 with the
> > neighbor 1.1.1.2 remote-as 20 command; is it possible to configure R2
> > in a promiscuous mode so it will establish a session with R1/x without
> > entering the neighbor commands on R2?
> >
> > R1                              R2
> >
> > int e0                          int e0
> > ip address 1.1.1.1/24           ip address 1.1.1.2/24
> > router bgp 10
> > neighbor 1.1.1.2 remote-as 20
> >
>
===========================================================
> >
> > b) I only want R1 to be able to start a BGP session with R2,
> > destination port 179.
> > By using a local policy & route-map on R2 with an outbound access-list,
> > applied to R2's E0, here is what I got:
> > IP: s=1.1.1.1 (Ethernet0), d=1.1.1.2 (Ethernet0), len 60, rcvd 3
> >     TCP src=11009, dst=179, seq=2156087920, ack=0, win=16384 SYN
> > IP: s=1.1.1.1 (Ethernet0), d=1.1.1.2 (Ethernet0), len 60, rcvd 3
> >     TCP src=11009, dst=179, seq=2156087921, ack=2260118643, win=16384 ACK
> > IP: s=1.1.1.1 (Ethernet0), d=1.1.1.2 (Ethernet0), len 99, rcvd 3
> >     TCP src=11009, dst=179, seq=2156087921, ack=2260118643, win=16384 ACK PSH
> > IP: s=1.1.1.1 (Ethernet0), d=1.1.1.2 (Ethernet0), len 73, rcvd 3
> >     TCP src=11009, dst=179, seq=2156087966, ack=2260118672, win=16355 ACK PSH su
> > BGP table version is 1, main routing table version 1
> > Having said that, it seems to me that the router initiating the
> > TCP connection in the above scenario is router R1, but the BGP session
> > is started by R2.
> >
> > If router R1 were to initiate a BGP session the second line should look like
> > IP: s=1.1.1.1 (Ethernet0), d=1.1.1.2 (Ethernet0), len 60, rcvd 3
> >     TCP src=179, dst=11016, seq=2918566711, ack=3022616789, win=16384 ACK SYN
> > therefore the configuration should be done on the router which stops
> > traffic going to port 179.
> >
> > Am I reading this correctly? Thank you
>
=== message truncated ===
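The exchange Brian describes, modelled in Python as an added example (this is not code from the thread and not IOS): R3 maps each inside source onto the 13.0.0.100-109 pool one-to-one, and R1 then applies the two checks that decide whether a session comes up, namely that the TCP source address matches a configured neighbor statement and that the My AS field of the peer's OPEN equals that neighbor's remote-as (here 2). OPEN and NOTIFICATION layouts follow RFC 4271; the error code/subcode 2/2 is "OPEN Message Error / Bad Peer AS". The router names and addresses are taken from Brian's configs, the extra RX addresses (23.0.0.5, 23.0.0.10 onwards, 23.0.0.99) and the `Speaker`/`nat_translate` helpers are constructed for illustration.

```python
"""Toy model of the BGP session-acceptance logic behind the NAT trick.

Added example, not from the original post.  Messages follow RFC 4271;
the NAT model mimics a non-overload pool: one inside host per pool address.
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

MARKER = b"\xff" * 16                 # RFC 4271: 16-octet all-ones marker
BGP_OPEN, BGP_NOTIFICATION = 1, 3     # message type codes
OPEN_MESSAGE_ERROR, BAD_PEER_AS = 2, 2  # NOTIFICATION error code / subcode


def build_open(my_as: int, bgp_id: str, hold_time: int = 180) -> bytes:
    """OPEN: version 4, My AS, hold time, BGP identifier, no optional params."""
    body = struct.pack("!BHH4sB", 4, my_as, hold_time,
                       IPv4Address(bgp_id).packed, 0)
    return MARKER + struct.pack("!HB", 19 + len(body), BGP_OPEN) + body


def parse_open(msg: bytes) -> dict:
    """Parse an OPEN; raises ValueError on a malformed header or wrong type."""
    if len(msg) < 29 or msg[:16] != MARKER:
        raise ValueError("not a BGP message")
    length, mtype = struct.unpack("!HB", msg[16:19])
    if mtype != BGP_OPEN or length != len(msg):
        raise ValueError("not a well-formed OPEN")
    version, my_as, hold, bgp_id, opt_len = struct.unpack("!BHH4sB", msg[19:29])
    return {"version": version, "my_as": my_as, "hold_time": hold,
            "bgp_id": str(IPv4Address(bgp_id)), "opt_len": opt_len}


def build_notification(code: int, subcode: int, data: bytes = b"") -> bytes:
    body = struct.pack("!BB", code, subcode) + data
    return MARKER + struct.pack("!HB", 19 + len(body), BGP_NOTIFICATION) + body


@dataclass
class Speaker:
    """A BGP speaker: its own AS, router-id and {neighbor address: remote-as}."""
    local_as: int
    bgp_id: str
    neighbors: Dict[str, int]

    def accept(self, src_addr: str, peer_open: bytes) -> Tuple[str, Optional[bytes]]:
        """("RST", None) if the source is not a configured neighbor (IOS refuses
        the TCP connection), ("NOTIFICATION", bytes) on an AS mismatch,
        ("OPEN", bytes) when the session can proceed."""
        if src_addr not in self.neighbors:
            return ("RST", None)
        peer = parse_open(peer_open)
        if peer["my_as"] != self.neighbors[src_addr]:
            return ("NOTIFICATION", build_notification(OPEN_MESSAGE_ERROR, BAD_PEER_AS))
        return ("OPEN", build_open(self.local_as, self.bgp_id))


def nat_translate(inside_addr: str, pool: List[str], table: Dict[str, str]) -> Optional[str]:
    """Model R3's 'ip nat inside source list ... pool' without overload:
    each inside host gets its own pool address; None once the pool is full."""
    if inside_addr in table:
        return table[inside_addr]
    in_use = set(table.values())
    for addr in pool:
        if addr not in in_use:
            table[inside_addr] = addr
            return addr
    return None  # pool exhausted: the packet is dropped, no session


def run_scenario() -> dict:
    r1 = Speaker(local_as=1, bgp_id="1.1.1.1",
                 neighbors={f"13.0.0.{h}": 2 for h in range(100, 110)})
    pool = [f"13.0.0.{h}" for h in range(100, 110)]
    nat_table: Dict[str, str] = {}
    results = {}

    # 1. RX (23.0.0.2, AS 12345) configured with 'local-as 2', arriving via R3.
    translated = nat_translate("23.0.0.2", pool, nat_table)
    verdict, reply = r1.accept(translated, build_open(my_as=2, bgp_id="23.0.0.2"))
    results["rx_via_nat"] = (translated, verdict, parse_open(reply)["my_as"])

    # 2. The same RX reaching R1 untranslated: no neighbor statement matches.
    results["rx_direct"] = r1.accept("23.0.0.2", build_open(2, "23.0.0.2"))[0]

    # 3. A constructed device that forgot local-as and announces its real AS.
    translated = nat_translate("23.0.0.5", pool, nat_table)
    verdict, reply = r1.accept(translated, build_open(12345, "23.0.0.5"))
    results["wrong_as"] = (verdict, reply[19], reply[20])  # error code, subcode

    # 4. Two hosts already hold pool addresses; eight more fill the ten-address
    #    pool, so an eleventh constructed host gets no translation at all.
    for h in range(10, 18):
        nat_translate(f"23.0.0.{h}", pool, nat_table)
    results["eleventh_peer"] = nat_translate("23.0.0.99", pool, nat_table)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

Two consequences of the design show up directly in the model: every peer reaches R1 wearing a pool address, so R1 cannot apply per-peer inbound policy or tell one RX from another, and since the configs carry no `neighbor ... password` the only thing a stranger needs in order to peer is the knowledge that R1 expects AS 2. The pool size also caps the trick at ten concurrent sessions.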




This archive was generated by hypermail 2.1.4 : Sat Jan 03 2004 - 08:25:46 GMT-3