From: Petr Lapukhov (petr@internetworkexpert.com)
Date: Mon Dec 11 2006 - 13:17:44 ART
There is a tricky way to initiate multihop BGP connection WITHOUT using a
specific static route :) Try to figure it out, it's not very complex, though
definitely "twisted" :)
2006/12/11, Jens Petter <jenseike@start.no>:
>
> Well, that is exactly what I said... But you will NOT get BGP to peer with a
> default route over the pix. You will need a static route on r1 and on outside
> routers to peer this.. You can of course also use dynamic routes but since this
> is between two bgp AS you probably would use statics
>
> This is what the debug would show on r1 if you use default route :
>
> BGP: 2.2.2.2 open active, delay 9568ms
> BGP: 2.2.2.2 multihop open delayed 19872ms (no route)
> BGP: 2.2.2.2 multihop open delayed 12784ms (no route)
>
> BGP: 3.3.3.3 open active, delay 9568ms
> BGP: 3.3.3.3 multihop open delayed 19872ms (no route)
> BGP: 3.3.3.3 multihop open delayed 12784ms (no route)
>
> The session will stay in active if you use default route with bgp.
>
> Here is a config, this is with two routers on outside of pix peering with
> inside router
>
> R1
>
> interface Loopback31
>  ip address 152.1.30.1 255.255.255.255
> !
> interface Loopback32
>  ip address 152.1.30.2 255.255.255.255
>
> router bgp 1
>  no synchronization
>  bgp router-id 1.1.1.1
>  bgp log-neighbor-changes
>  neighbor 2.2.2.2 remote-as 2
>  neighbor 2.2.2.2 password CISCO
>  neighbor 2.2.2.2 ebgp-multihop 5
>  neighbor 3.3.3.3 remote-as 2
>  neighbor 3.3.3.3 password CISCO
>  neighbor 3.3.3.3 ebgp-multihop 5
>  no auto-summary
>
> ip route 151.1.1.0 255.255.255.0 10.1.1.254
>
> pix
>
> static (inside,outside) 152.1.30.1 152.1.30.1 netmask 255.255.255.255 0 0 norandomseq
> static (inside,outside) 152.1.30.2 152.1.30.2 netmask 255.255.255.255 0 0 norandomseq
>
> R2
>
> interface Loopback0
>  ip address 152.1.1.1 255.255.255.0
>
> router bgp 2
>  no synchronization
>  bgp router-id 2.2.2.2
>  bgp log-neighbor-changes
>  neighbor 1.1.1.1 remote-as 1
>  neighbor 1.1.1.1 ebgp-multihop 5
>  neighbor 1.1.1.1 password CISCO
>  no auto-summary
>
> ip route 152.1.30.0 255.255.255.0 151.1.1.254
>
> R3
>
> interface Loopback0
>  ip address 152.1.5.5 255.255.255.0
>
> router bgp 2
>  no synchronization
>  bgp router-id 3.3.3.3
>  bgp log-neighbor-changes
>  neighbor 1.1.1.1 remote-as 1
>  neighbor 1.1.1.1 ebgp-multihop 5
>  neighbor 1.1.1.1 password CISCO
>  no auto-summary
>
> ip route 152.1.30.0 255.255.255.0 151.1.1.254
>
> Best regards
> Jens Petter Eikeland
> Mob 98247550
> Hipercom AS
>
> _____
>
> From: petrsoft@gmail.com [mailto:petrsoft@gmail.com] On Behalf Of Petr Lapukhov
> Sent: 11 December 2006 14:57
> To: Kal Han
> Cc: Jens Petter; Lab Rat #109385382; security@groupstudy.com;
> ccielab@groupstudy.com; cisco@groupstudy.com
> Subject: Re: BGP through PIX Question
>
> My best loved part with BGP through PIX is something like that:
>
> R1-----PIX------R2
>
> Peer R1 and R2 over BGP using loopbacks as sources. Do not let R2 initiate the
> connection. R1 has only the default route to PIX in its routing table. Only one
> static NAT entry for R1 is allowed on PIX.
>
> Oh yeah, don't forget to authenticate this session, of course :)
>
> 2006/12/10, Kal Han <calikali2006@gmail.com>:
>
> how about just an access-list
> ---------deny tcp any any eq bgp
>
> Thanks
> Kal
>
>
> On 12/9/06, Jens Petter <jenseike@start.no> wrote:
> >
> > Make things easy... To have ONLY the inside router initiate the BGP session,
> > what you do is just not allow bgp through the pix from outside.. BGP uses TCP
> > for transport. If you don't allow bgp through pix (you only make a static
> > translation for the bgp router peer on the inside on pix) you will force the
> > inside to initiate... Pix will allow the reply traffic from outside BGP peer
> > through since pix has that in its xlate table....
> >
> > R1----pix---r2
> >
> > R1
> > router bgp 1
> > no synchronization
> > neighbor 2.2.2.2 remote-as 2
> > neighbor 2.2.2.2 ebgp-multihop 2
> > neighbor 2.2.2.2 password cisco
> >
> > On pix, all you need is this: (use norandomseq if you are using password).
> > If you don't allow bgp from r2 through pix the neighbor will form with r1
> > (inside) initiating the session.
> >
> > static (inside,outside) 1.1.1.1 1.1.1.1 netmask 255.255.255.255 0 0 norandomseq
> >
> > r2
> > router bgp 2
> > no synchronization
> > neighbor 1.1.1.1 remote-as 1
> > neighbor 1.1.1.1 ebgp-multihop 2
> > neighbor 1.1.1.1 password cisco
> >
> > Mvh
> > Jens Petter Eikeland
> > Senior networking consultant
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Lab Rat #109385382
> > Sent: 9 December 2006 06:46
> > To: security@groupstudy.com; ccielab@groupstudy.com; cisco@groupstudy.com
> > Subject: BGP through PIX Question
> >
> > If I had a requirement to only allow a router inside of a PIX initiate a BGP
> > connection to a router outside of the PIX, what could some of the
> > possibilities be?
> >
> > I'm trying to determine where the controls should be, as well. I know there
> > are certain things a router can do to initiate a BGP session and I know that
> > the PIX can control who begins what, as well...
> >
> > So, I'm thinking one of the following:
> >
> > 1. Set inside router with lower BGP router-id than the outside router
> > 2. Use Policy NAT on the PIX ( e.g. nat (inside) 1 access-list XX)
> >
> > I guess from a lab perspective, I'm trying to determine the best
> > practice...anyone have thoughts?
> >
> > Thanks,
> >
> > Ed
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
>
>
> --
> Petr Lapukhov, CCIE #16379
> petr@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Outside US: 775-826-4344
>
>
--
Petr Lapukhov, CCIE #16379
petr@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Outside US: 775-826-4344
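The thread above turns on four things a reviewer of such a lab would check by hand: the TCP MD5 password must match on both ends and, because the PIX rewrites TCP sequence numbers unless the static carries norandomseq, the signature check fails without it; ebgp-multihop has to be set on both routers when loopbacks are the session endpoints; the inside router needs a route more specific than 0.0.0.0/0 to the peer or the session sits in Active with the "multihop open delayed ... (no route)" debug Jens quoted; and the PIX must not permit outside-initiated TCP/179 if only the inside router is supposed to open the session. The script below is an added example, not code from the thread or from any of the posters, that automates those checks over IOS and PIX config text. All configs in it are constructed samples modelled on the thread's layout (R1 at 1.1.1.1 inside the PIX, R2 at 2.2.2.2 outside); the parsers are deliberately simplified (static routes only, one-line access-list entries, and the assumption that any matching access-list is applied inbound on the outside interface), which is an assumption of this example rather than anything the thread states.

```python
"""Added example (not from the thread): audit an eBGP-through-PIX session for the
pitfalls discussed above.  All configs are constructed samples."""
import ipaddress
import re

# --- constructed sample configs (R1 inside the PIX, R2 outside) --------------
R1_GOOD = """
router bgp 1
 neighbor 2.2.2.2 remote-as 2
 neighbor 2.2.2.2 password CISCO
 neighbor 2.2.2.2 ebgp-multihop 5
ip route 2.2.2.2 255.255.255.255 10.1.1.254
"""
# Same router, but the peer is reachable only through a default route.
R1_DEFAULT_ONLY = R1_GOOD.replace("ip route 2.2.2.2 255.255.255.255", "ip route 0.0.0.0 0.0.0.0")
R2 = """
router bgp 2
 neighbor 1.1.1.1 remote-as 1
 neighbor 1.1.1.1 ebgp-multihop 5
 neighbor 1.1.1.1 password CISCO
ip route 1.1.1.1 255.255.255.255 151.1.1.254
"""
PIX_GOOD = "static (inside,outside) 1.1.1.1 1.1.1.1 netmask 255.255.255.255 0 0 norandomseq\n"
PIX_WEAK = """
static (inside,outside) 1.1.1.1 1.1.1.1 netmask 255.255.255.255 0 0
access-list OUTSIDE_IN permit tcp any host 1.1.1.1 eq bgp
access-group OUTSIDE_IN in interface outside
"""


def parse_neighbors(cfg):
    """Return {peer_ip: {'remote_as', 'password', 'multihop'}} from IOS 'neighbor' lines."""
    peers = {}
    pat = r"^\s*neighbor (\S+) (remote-as|password|ebgp-multihop)(?: (\S+))?"
    for ip, key, val in re.findall(pat, cfg, re.M):
        p = peers.setdefault(ip, {"remote_as": None, "password": None, "multihop": None})
        if key == "remote-as":
            p["remote_as"] = val
        elif key == "password":
            p["password"] = val
        else:  # 'ebgp-multihop' with no TTL means 255 on IOS
            p["multihop"] = int(val) if val else 255
    return peers


def parse_static_routes(cfg):
    """Return [(network, next_hop)] from 'ip route NET MASK NH' lines (static routes only)."""
    routes = []
    for net, mask, nh in re.findall(r"^\s*ip route (\S+) (\S+) (\S+)", cfg, re.M):
        routes.append((ipaddress.ip_network(f"{net}/{mask}", strict=False), nh))
    return routes


def has_specific_route(cfg, peer_ip):
    """True if some static route other than 0.0.0.0/0 covers the peer address.
    A default route alone is what produced the '(no route)' debug in the thread."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net and net.prefixlen > 0 for net, _ in parse_static_routes(cfg))


def parse_pix_statics(cfg):
    """Return {real_ip: {'mapped', 'norandomseq'}} from PIX 'static (in,out) MAPPED REAL' lines."""
    statics = {}
    pat = r"^\s*static \(\w+,\w+\) (\S+) (\S+) netmask \S+(.*)$"
    for mapped, real, rest in re.findall(pat, cfg, re.M):
        statics[real] = {"mapped": mapped, "norandomseq": "norandomseq" in rest}
    return statics


def inbound_bgp_permitted(pix_cfg, mapped_ip):
    """True if an access-list entry would let an outside host open TCP/179 to mapped_ip.
    Simplified: assumes the list is applied inbound on outside (see access-group)."""
    pat = r"^\s*access-list \S+ permit tcp (.+) eq (?:bgp|179)\s*$"
    for middle in re.findall(pat, pix_cfg, re.M):
        toks = middle.split()
        if toks[-1] == "any" or toks[-2:] == ["host", mapped_ip]:
            return True
    return False


def audit(local_cfg, local_src, pix_cfg, peer_cfg, peer_src):
    """Audit one session: local router (inside PIX) sourced from local_src, peer outside
    sourced from peer_src.  Returns a list of findings; an empty list means clean."""
    findings = []
    l = parse_neighbors(local_cfg).get(peer_src)
    r = parse_neighbors(peer_cfg).get(local_src)
    if l is None or r is None:
        return ["neighbor statements are not symmetric between the two routers"]
    if l["password"] != r["password"]:
        findings.append("TCP MD5 passwords differ between the two routers")
    if not (l["multihop"] and r["multihop"]):
        findings.append("ebgp-multihop missing on one side (loopback peering needs it)")
    if not has_specific_route(local_cfg, peer_src):
        findings.append(f"no route more specific than default to {peer_src} on the inside router")
    st = parse_pix_statics(pix_cfg).get(local_src)
    if st is None:
        findings.append(f"PIX has no static translation for {local_src}")
    else:
        if l["password"] and not st["norandomseq"]:
            findings.append("password set but PIX static lacks norandomseq (MD5 fails when seq numbers are rewritten)")
        if inbound_bgp_permitted(pix_cfg, st["mapped"]):
            findings.append("PIX permits outside-initiated TCP/179; the outside router could open the session")
    return findings


if __name__ == "__main__":
    for label, r1, pix in (("good", R1_GOOD, PIX_GOOD), ("weak", R1_DEFAULT_ONLY, PIX_WEAK)):
        print(label, audit(r1, "1.1.1.1", pix, R2, "2.2.2.2") or ["clean"])
```

Run as-is it reports the constructed "good" pair as clean and lists three findings for the "weak" pair (default route only, static without norandomseq, inbound BGP permitted). To audit real devices, paste the relevant sections of each running-config into the string constants; the route check deliberately ignores dynamically learned routes, so a router that reaches its peer via an IGP will need that route added by hand or the check extended.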
This archive was generated by hypermail 2.1.4 : Tue Jan 02 2007 - 07:50:37 ART