Friday, February 19, 2016

BGP


BGP - TCP port 179.  Private AS numbers: 64512-65534 (65535 is reserved; 4200000000-4294967294 is the private 32-bit range)


Introduction to BGP 


  • Designed as the routing protocol between Autonomous Systems (AS); it is the exterior gateway protocol of the Internet
  • Current version is BGP-4 (RFC 4271)
  • Uses TCP as its transport; the session runs over TCP port 179
  • Two forms: internal (iBGP) and external (eBGP)
  • iBGP peers are within the same AS
  • eBGP peers are in different ASes
  • BGP speakers exchange routes as IP prefixes (network layer reachability information, NLRI) plus the path attributes associated with each prefix
  • By supporting CIDR (classless interdomain routing), BGP is not restricted to classful network boundaries
  • In CIDR an IP network is written as prefix/prefix-length, e.g. 192.16.0.0/16


Basic Configuration of BGP
Router(config)# router bgp  <AS Number>
Router(config-router)# network <network ID>  [ mask <subnet mask>]
Router(config-router)# neighbor <IP-Address> remote-as <AS Number>



Turn up BGP between R1 and R2

Bring up interface fa0/0 on R1 and R2 and assign the addresses of the /30 link between them:
R1  -  interface fa0/0  4.4.4.2/30
R2  -  interface fa0/0  4.4.4.1/30
Turn BGP on at R1 with
router bgp 500
neighbor 4.4.4.1 remote-as 600    // R2's AS number
then add the network statements on R1.

Turn BGP on at R2 with
router bgp 600
neighbor 4.4.4.2 remote-as 500    // R1's AS number
then add the network statements on R2.


R1
router bgp 500
bgp log-neighbor-changes
no synchronization
neighbor 4.4.4.1 remote-as 600    // R2's AS number
network 40.1.1.0 mask 255.255.255.0
network 10.1.1.0 mask 255.255.255.0
network 11.0.0.0 mask 255.255.255.0

R2
router bgp 600
bgp log-neighbor-changes
no synchronization
neighbor 4.4.4.2 remote-as 500    // R1's AS number
network 40.1.1.0 mask 255.255.255.0

A network statement only injects a prefix into BGP when a route with exactly that prefix and mask exists in the IP routing table (connected, static or IGP); a network statement for a prefix the router does not have is silently ignored, which is why the prefix counts in the show output below can be lower than the number of network statements.



Neighbor Table
A list of ALL configured BGP neighbors.
Neighbors must be configured manually with the neighbor command; BGP has no neighbor discovery.
# show ip bgp summary  -  overview of all neighbors
# show ip bgp neighbors [neighbor address]  -  detailed information about one or all neighbors

BGP Forwarding Table/Database
A list of all networks known to BGP, with the peer each was learned from and its attributes.
# show ip bgp

IP Routing Table
Lists the best path to each destination network.
# show ip route
# clear ip bgp
Clears a BGP session by neighbor address, by AS number, or all (*) sessions; a hard clear tears down the TCP session and drops every prefix learned from it until the session re-establishes.

R2#sh ip protocols
Routing Protocol is "bgp 600"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
IGP synchronization is disabled
Automatic route summarization is disabled
Neighbor(s):
Address FiltIn FiltOut DistIn DistOut Weight RouteMap
4.4.4.2
Maximum path: 1
Routing Information Sources:
Gateway Distance Last Update
4.4.4.2 20 00:00:00
Distance: external 20 internal 200 local 200

R2# 


R2#show ip bgp summary
BGP router identifier 14.0.0.1, local AS number 600
BGP table version is 14, main routing table version 6
0 network entries using 0 bytes of memory
0 path entries using 0 bytes of memory
0/0 BGP path/bestpath attribute entries using 0 bytes of memory
0 BGP AS-PATH entries using 0 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 1 (at peak 1) using 32 bytes of memory
BGP using 32 total bytes of memory
BGP activity 0/0 prefixes, 0/0 paths, scan interval 60 secs

Neighbor V AS  MsgRcvd MsgSent TblVer InQ OutQ Up/Down  State/PfxRcd
4.4.4.2  4 500 74      67      14     0   0    00:46:20 4


R2#


V       - BGP version spoken with this neighbor (4)
AS      - remote AS number
MsgRcvd - messages received
MsgSent - messages sent
TblVer  - last BGP table version sent to this neighbor
InQ     - messages received from the neighbor that are still waiting to be processed
OutQ    - messages queued to be sent to the neighbor
Up/Down - how long the session has been in its current state
State/PfxRcd - the session state if it is anything other than Established; once Established, the number of prefixes received from this neighbor (4 here)




R1>show ip bgp neighbors
BGP neighbor is 4.4.4.1, remote AS 600, external link
BGP version 4, remote router ID 14.0.0.1
BGP state = Established, up for 00:36:53
Last read 00:36:53, last write 00:36:53, hold time is 180, keepalive interval is 60 seconds
Neighbor capabilities:
Route refresh: advertised and received(new)
Address family IPv4 Unicast: advertised and received
Message statistics:
InQ depth is 0
OutQ depth is 0

Sent Rcvd
Opens: 3 3
Notifications: 4 2
Updates: 10 5
Keepalives: 50 50
Route Refresh: 0 1
Total: 67 61
Default minimum time between advertisements runs is 30 seconds

For address family: IPv4 Unicast
BGP table version 9, neighbor version 6/0
Output queue size : 0
Index 1, Offset 0, Mask 0x2
1 update-group member
Sent Rcvd
Prefix activity: ---- ----
Prefixes Current: 2 0 (Consumes 46 bytes)
Prefixes total: 2 0
Implicit Withdraw: 0 0
Explicit Withdraw: 0 0
Used as bestpath: n/a 1
Used as multipath: n/a 0

Outbound Inbound
Local Policy Denied Prefixes: -------- -------
Total: 0 0
Number of NLRIs in the update sent: max 3, min 1

Address tracking is enabled, the RIB does have a route to 4.4.4.1
Connections established 3; dropped 2
Last reset never
Transport(tcp) path-mtu-discovery is enabled
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Connection is ECN Disabled, Minimum incoming TTL 0, Outgoing TTL 1
Local host: 4.4.4.2, Local port: 1027
Foreign host: 4.4.4.1, Foreign port: 179
Connection tableid (VRF): 0

Enqueued packets for retransmit: 0, input: 0 mis-ordered: 0 (0 bytes)

Event Timers (current time is 0xC69F4):
Timer Starts Wakeups Next
Retrans 0 0 0x0
TimeWait 0 0 0x0
AckHold 55 0 0x0
SendWnd 0 0 0x0
KeepAlive 50 0 0x0
GiveUp 0 0 0x0
PmtuAger 0 0 0x0
DeadWait 0 0 0x0
Linger 0 0 0x0
ProcessQ 0 0 0x0

iss: 2057115318 snduna: 2057115748 sndnxt: 2057115748 sndwnd: 15955
irs: 3480424370 rcvnxt: 3480424751 rcvwnd: 16004 delrcvwnd: 380

SRTT: 259 ms, RTTO: 579 ms, RTV: 320 ms, KRTT: 0 ms
minRTT: 16 ms, maxRTT: 300 ms, ACK hold: 200 ms
Status Flags: passive open, gen tcbs
Option Flags: nagle, path mtu capable
IP Precedence value : 6

Datagrams (max data segment is 1460 bytes):
Rcvd: 60 (out of order: 0), with data: 2, total data bytes: 48
Sent: 61 (retransmit: 0, fastretransmit: 0, partialack: 0, Second Congestion: 0), with data: 12, total data bytes: 288
Packets received in fast path: 0, fast processed: 0, slow path: 0
fast lock acquisition failures: 0, slow path: 0



R1>


R2#sh ip bgp neighbors
BGP neighbor is 4.4.4.2, remote AS 500, external link
BGP version 4, remote router ID 11.0.0.1
BGP state = Established, up for 00:42:13
Last read 00:42:13, last write 00:42:13, hold time is 180, keepalive interval is 60 seconds
Neighbor capabilities:
Route refresh: advertised and received(new)
Address family IPv4 Unicast: advertised and received
Message statistics:
InQ depth is 0
OutQ depth is 0

Sent Rcvd
Opens: 3 3
Notifications: 2 2
Updates: 4 12
Keepalives: 56 56
Route Refresh: 0 0
Total: 65 73
Default minimum time between advertisements runs is 30 seconds

For address family: IPv4 Unicast
BGP table version 14, neighbor version 6/0
Output queue size : 0
Index 1, Offset 0, Mask 0x2
1 update-group member
Sent Rcvd
Prefix activity: ---- ----
Prefixes Current: 0 2 (Consumes 46 bytes)
Prefixes total: 0 2
Implicit Withdraw: 0 0
Explicit Withdraw: 0 0
Used as bestpath: n/a 1
Used as multipath: n/a 0

Outbound Inbound
Local Policy Denied Prefixes: -------- -------
Total: 0 0
Number of NLRIs in the update sent: max 3, min 1

Address tracking is enabled, the RIB does have a route to 4.4.4.2
Connections established 3; dropped 0
Last reset never
Transport(tcp) path-mtu-discovery is enabled
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Connection is ECN Disabled, Minimum incoming TTL 0, Outgoing TTL 1
Local host: 4.4.4.1, Local port: 179
Foreign host: 4.4.4.2, Foreign port: 1027
Connection tableid (VRF): 0

Enqueued packets for retransmit: 0, input: 0 mis-ordered: 0 (0 bytes)

Event Timers (current time is 0xC69F4):
Timer Starts Wakeups Next
Retrans 0 0 0x0
TimeWait 0 0 0x0
AckHold 68 0 0x0
SendWnd 0 0 0x0
KeepAlive 56 0 0x0
GiveUp 0 0 0x0
PmtuAger 0 0 0x0
DeadWait 0 0 0x0
Linger 0 0 0x0
ProcessQ 0 0 0x0

iss: 2057115318 snduna: 2057115748 sndnxt: 2057115748 sndwnd: 15955
irs: 3480424370 rcvnxt: 3480424751 rcvwnd: 16004 delrcvwnd: 380

SRTT: 259 ms, RTTO: 579 ms, RTV: 320 ms, KRTT: 0 ms
minRTT: 16 ms, maxRTT: 300 ms, ACK hold: 200 ms
Status Flags: passive open, gen tcbs
Option Flags: nagle, path mtu capable
IP Precedence value : 6

Datagrams (max data segment is 1460 bytes):
Rcvd: 73 (out of order: 0), with data: 2, total data bytes: 48
Sent: 63 (retransmit: 0, fastretransmit: 0, partialack: 0, Second Congestion: 0), with data: 5, total data bytes: 120
Packets received in fast path: 0, fast processed: 0, slow path: 0
fast lock acquisition failures: 0, slow path: 0



R2# 


Attributes

  • Well-known - must be recognized by every BGP implementation
  • Optional - need not be recognized by every implementation
  • Mandatory - must be present in every UPDATE that carries NLRI
  • Discretionary - may be absent from an UPDATE
  • Transitive - a router that does not recognize the attribute still forwards it to its peers, flagged as Partial
  • Non-transitive - a router that does not recognize the attribute drops it and does not propagate it to peers
Well-known mandatory
Must be recognized by all BGP routers, present in every update, and passed on to other BGP routers
AS_PATH, ORIGIN, NEXT_HOP
Well-known discretionary
Must be recognized by all BGP routers and passed on when present, but need not be present in every update

LOCAL_PREF, ATOMIC_AGGREGATE
Optional transitive
Might or might not be recognized by a BGP router, but is passed on to other BGP routers either way
If not recognized, the attribute is flagged as Partial
AGGREGATOR, COMMUNITY
Optional non-transitive
If the BGP process does not recognize the attribute, it quietly ignores the attribute and does not pass it on to its peers (the path itself remains usable)

MULTI_EXIT_DISC (MED), ORIGINATOR_ID, CLUSTER_LIST



  • Well Known

    • Origin (M)

      • Codes
        • IGP - i - network, aggregate-address, neighbor default-originate
        • EGP - e - learned from the obsolete EGP protocol; should not be seen today
        • Incomplete - ? - redistribute, aggregate-address, default-information originate
      • Aggregate-Address
        • i - as-set not used, or as-set used and all component subnets have origin "i"
        • ? - as-set used and at least one component has origin "?"
    • AS-Path (M)

      • AS_SEQ
        • ordered list, most recently added AS first
        • space delimited
        • no enclosing characters
      • AS_SET
        • unordered list of the ASNs of the component subnets
        • comma delimited
        • enclosed in braces { }
      • AS_CONFED_SEQ
        • space delimited
        • enclosed in parentheses ( )
      • AS_CONFED_SET
        • comma delimited
        • enclosed in brackets { }
    • Next-Hop (M)

      • IP address of the next hop toward the prefix (not necessarily the advertising peer)
    • Local-Preference (D)

      • preferred exit point from the AS; higher wins
    • Atomic Aggregate (D)

      • tags the NLRI as a summary that may have lost path information

  • Optional (transitive/non-transitive)

    • Aggregator (T)

      • lists the RID and ASN of the router that created the summary
    • Community (T)

      • identifier used to group routes so that policy can be applied to the whole group
    • Multi-Exit Discriminator (N)

      • metric suggested to a neighboring AS; lower wins
    • Originator ID (N)

      • set by a route reflector to the RID of the iBGP neighbor that injected the route into the AS
    • Cluster List (N)

      • lists the RR cluster IDs the route has passed through, to prevent loops



Policies

Best-path selection, in order: exclude paths with an unreachable NEXT_HOP, then prefer highest weight, highest local preference, locally originated routes, shortest AS path, lowest origin code,
 lowest MED, eBGP over iBGP, the path with the lowest IGP metric to the next hop, the oldest eBGP path, the lowest BGP router ID, and finally the lowest neighbor address.
  • Step 0 - NEXT_HOP reachable

    • a path whose NEXT_HOP has no route in the IP routing table is never considered
    • eBGP rewrites NEXT_HOP to the update-source address by default; iBGP leaves it unchanged
    • config-router# neighbor 2.2.2.2 next-hop-self (force the eBGP-style rewrite toward an iBGP peer)
    • config-router# neighbor 2.2.2.2 next-hop-unchanged (keep the received NEXT_HOP toward an eBGP peer)
  • Step 1 - highest administrative weight

    • Cisco proprietary
    • identifies a single router's best route
    • scope - single router; never advertised
    • 0 for learned routes, 32768 for locally injected routes; range 0-65535 (2^16 - 1)
    • config-route-map# set weight <int>
    • config-router# neighbor 2.2.2.2 weight <int>
  • Step 2 - highest LOCAL_PREF

    • identifies the best exit point from the AS to reach the NLRI
    • scope - throughout the AS, including confederation sub-ASes; not sent to eBGP peers
    • default - 100
      • config-router# bgp default local-preference <0-4294967295>
    • config-route-map# set local-preference <int>
    • config-router# neighbor 2.2.2.2 route-map WORD in (applied inbound on the eBGP peer)
  • Step 3 - locally injected

    • BGP assigns weight 32768 to locally injected routes, so on IOS the decision is normally already made in step 1
    • possibility
      • "network 2.2.2.2" and "redistribute connected" both inject the same prefix
      • both have weight 32768
      • both default to the same LOCAL_PREF
    • the tie then falls through to AS_PATH length (equal) and the ORIGIN code (i for network, ? for redistribute)
  • Step 4 - shortest AS_PATH

    • an AS_SET counts as 1 regardless of how many ASNs it contains
    • AS_CONFED_SEQ and AS_CONFED_SET do not count
    • config-router# neighbor 2.2.2.2 remove-private-as (strips 64512-65534 from outbound updates)
    • config-router# neighbor 2.2.2.2 local-as <asn> no-prepend
    • config-router# bgp bestpath as-path ignore (skips this entire step)
    • config-route-map# set as-path prepend <asn> ... (lengthens the path to make it less attractive)
  • Step 5 - best ORIGIN

    • i (IGP) beats e (EGP), which beats ? (incomplete)
    • EGP (e) should not occur today
    • if only one path is i and the rest are ?, the i path wins
    • config-route-map# set origin <value>
  • Step 6 - smallest MED

    • tells the neighboring AS which entry point into this AS is preferred for the route
    • scope - advertised from one AS to the adjacent AS only; not passed on further
    • default - 0
      • config-router# bgp bestpath med missing-as-worst (treat a missing MED as the highest possible value, 2^32 - 1, instead of 0)
    • by default MEDs are compared only between paths received from the same neighboring AS
    • config-route-map# set metric <int>
    • config-router# bgp always-compare-med (compare MEDs from different neighboring ASes too)
    • config-router# bgp deterministic-med (groups paths per adjacent AS, picks the best from each group, then compares the winners)
  • Step 7 - neighbor type

    • eBGP-learned beats iBGP-learned
  • Step 8 - smallest IGP metric

    • metric of the route to the NEXT_HOP
    • the router looks the NEXT_HOP up in its routing table
  • Step 9 - oldest eBGP path, then lowest RID

    • for eBGP paths, prefer the path that was received first (oldest); this reduces churn when a newer equal path appears
    • if only iBGP paths exist, pick the one advertised by the router with the lowest RID
    • exception to the above
      • when the router already has a best route to the NLRI
      • and a new route to the same prefix arrives
      • the decision process is applied
        • if no earlier step decides and the existing best path is eBGP, the existing path is kept
    • config-router# bgp bestpath compare-routerid (always use the lowest RID, ignoring path age)
  • Step 10 - lowest neighbor address

    • among the remaining paths, prefer the one received from the neighbor with the lowest IP address
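
The decision process above, as an added Python example that is not part of the original post and not IOS code: it filters out paths whose NEXT_HOP is unreachable (step 0) and then ranks the survivors with a comparator that follows the step order. The Path fields, the IGP_TABLE and the four candidate paths in sample_paths() are constructed for the example; MED handling is the IOS default (compared only within one neighboring AS, no deterministic-med grouping), and the "oldest eBGP path" rule is modelled with a received_order field.

```python
"""Best-path selection following the step order listed above (constructed example)."""
from dataclasses import dataclass
from functools import cmp_to_key
from typing import Dict, List, Optional

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}   # lower is better: IGP < EGP < incomplete


@dataclass
class Path:
    prefix: str
    next_hop: str                 # "0.0.0.0" marks a locally injected route
    as_path: List[int]            # AS_SEQUENCE, nearest AS first
    neighbor_ip: str = "0.0.0.0"  # peer the path was received from
    router_id: str = "0.0.0.0"    # BGP identifier of the advertising router
    origin: str = "?"
    local_pref: int = 100
    med: int = 0
    weight: int = 0
    ebgp: bool = False
    as_set: bool = False          # an AS_SET counts as a single hop regardless of size
    received_order: int = 0       # lower = received earlier ("oldest eBGP path" rule)
    igp_metric: int = 0           # filled in from the IGP table during selection


def as_path_length(p: Path) -> int:
    return len(p.as_path) + (1 if p.as_set else 0)


def neighboring_as(p: Path) -> Optional[int]:
    """The adjacent AS the path came through; MEDs are only compared within one such AS."""
    return p.as_path[0] if p.as_path else None


def _ip_key(ip: str):
    return tuple(int(octet) for octet in ip.split("."))


def compare(a: Path, b: Path, always_compare_med: bool = False,
            compare_routerid: bool = False) -> int:
    """Negative when a is preferred, positive when b is preferred, 0 when identical."""
    if a.weight != b.weight:                                  # step 1: highest weight
        return b.weight - a.weight
    if a.local_pref != b.local_pref:                          # step 2: highest LOCAL_PREF
        return b.local_pref - a.local_pref
    a_local, b_local = a.next_hop == "0.0.0.0", b.next_hop == "0.0.0.0"
    if a_local != b_local:                                    # step 3: locally injected
        return -1 if a_local else 1
    if as_path_length(a) != as_path_length(b):                # step 4: shortest AS_PATH
        return as_path_length(a) - as_path_length(b)
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:        # step 5: best ORIGIN
        return ORIGIN_RANK[a.origin] - ORIGIN_RANK[b.origin]
    same_as = neighboring_as(a) == neighboring_as(b)
    if (same_as or always_compare_med) and a.med != b.med:    # step 6: lowest MED
        return a.med - b.med
    if a.ebgp != b.ebgp:                                      # step 7: eBGP over iBGP
        return -1 if a.ebgp else 1
    if a.igp_metric != b.igp_metric:                          # step 8: lowest IGP metric to NEXT_HOP
        return a.igp_metric - b.igp_metric
    if a.ebgp and b.ebgp and not compare_routerid and a.received_order != b.received_order:
        return a.received_order - b.received_order            # step 9a: oldest eBGP path
    if a.router_id != b.router_id:                            # step 9b: lowest router ID
        return -1 if _ip_key(a.router_id) < _ip_key(b.router_id) else 1
    if a.neighbor_ip != b.neighbor_ip:                        # step 10: lowest neighbor address
        return -1 if _ip_key(a.neighbor_ip) < _ip_key(b.neighbor_ip) else 1
    return 0


def best_path(paths: List[Path], igp_table: Dict[str, int], **flags) -> Optional[Path]:
    """Step 0: drop paths whose NEXT_HOP is not in igp_table (reachable next hop -> IGP metric)."""
    candidates = []
    for p in paths:
        if p.next_hop == "0.0.0.0":
            candidates.append(p)
        elif p.next_hop in igp_table:
            p.igp_metric = igp_table[p.next_hop]
            candidates.append(p)
    if not candidates:
        return None
    return min(candidates, key=cmp_to_key(lambda x, y: compare(x, y, **flags)))


# Constructed data: what a router in AS 600 might hold for 10.1.1.0/24.
IGP_TABLE = {"4.4.4.2": 0, "5.5.5.2": 0, "192.168.1.1": 20}   # 7.7.7.7 is deliberately absent


def sample_paths() -> List[Path]:
    return [
        Path("10.1.1.0/24", "4.4.4.2", [500], neighbor_ip="4.4.4.2", router_id="11.0.0.1",
             origin="i", ebgp=True, received_order=1),
        Path("10.1.1.0/24", "5.5.5.2", [700, 500], neighbor_ip="5.5.5.2", router_id="20.0.0.1",
             origin="i", ebgp=True, received_order=0),
        Path("10.1.1.0/24", "192.168.1.1", [500], neighbor_ip="192.168.1.1",
             router_id="14.0.0.2", origin="i", local_pref=200),
        Path("10.1.1.0/24", "7.7.7.7", [500], neighbor_ip="7.7.7.7", router_id="1.1.1.1",
             origin="i", ebgp=True, weight=1000),   # highest weight, but NEXT_HOP unreachable
    ]


if __name__ == "__main__":
    best = best_path(sample_paths(), IGP_TABLE)
    print(best.next_hop, best.as_path)   # 192.168.1.1 [500]: LOCAL_PREF 200 wins at step 2
```

The fourth path shows why step 0 comes first: a weight of 1000 would win at step 1, but the path is never a candidate because its next hop is not in the routing table. Drop the iBGP path's LOCAL_PREF back to 100 and the eBGP path from 4.4.4.2 wins at step 7; give the AS 700 path a weight and it wins at step 1 regardless of its longer AS_PATH.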


Communities

  • group routes together so routing policy can be applied to the whole group
  • COMMUNITY attribute; optional transitive, so downstream routers receive it as long as each sender is configured to send it
  • New format - AA:NN

    • AA is a 16-bit number, conventionally the ASN that defines the meaning
    • NN is a 16-bit value assigned by that ASN
    • config# ip bgp-community new-format (otherwise communities are displayed as a single 32-bit decimal)
  • Community lists

    • Standard

      • lists communities literally; an entry matches when every community it names is present on the route
      • limited to 16 communities per entry
    • Expanded

      • supports matching with regular expressions
      • no 16-community limit
    • config# ip community-list [standard|expanded] WORD
    • config-route-map# set comm-list WORD delete (removes from the route the communities the list matches)
  • Special values (well-known communities, RFC 1997)

    • NO_EXPORT
      • 0xFFFFFF01 (65535:65281) - do not advertise outside the AS; may be advertised to other sub-ASes of the same confederation
    • NO_ADVERTISE
      • 0xFFFFFF02 (65535:65282) - do not advertise to any peer
    • LOCAL_AS (NO_EXPORT_SUBCONFED)
      • 0xFFFFFF03 (65535:65283) - do not advertise outside the local confederation sub-AS
  • config-route-map# match community <int>
  • config-route-map# set community none
  • config-router# neighbor 2.2.2.2 send-community [both|standard|extended] (must be configured on the router that advertises to the neighbor; by default IOS strips the community attribute from outbound updates)


Router ID

  • config-router# bgp router-id <A.B.C.D> (explicit; preferred, so the RID does not change when an interface goes down)
  • otherwise the highest IP address on an up/up loopback interface
  • otherwise the highest IP address on an up/up non-loopback interface
  • the RID is chosen when the BGP process starts; changing it resets all sessions


Multi-Hop & Loopback

  • eBGP packets are sent with an IP TTL of 1 by default, so the session only forms between directly connected interface addresses
  • even when the neighbor is one hop away, peering between loopbacks needs "neighbor ... ebgp-multihop 2" plus "neighbor ... update-source loopback0" on both sides, and each router needs a route to the other's loopback
  • ebgp-multihop raises the accepted hop count but gives up the TTL protection; "neighbor ... ttl-security hops <n>" (GTSM, RFC 5082) instead requires the incoming TTL to be at least 255 - n, so packets from an attacker more than n hops away are discarded before BGP sees them


Neighbor Checks

  • the source address of the incoming TCP connection must match the address in a "neighbor ... remote-as" statement (use "update-source" when peering from a loopback)
  • the ASN in the peer's OPEN must match the ASN referenced in the "neighbor remote-as" command for that address
  • the RIDs of the two routers must not be the same
  • MD5 authentication must pass if configured (a TCP segment with a bad or missing MD5 option is discarded before BGP sees it)


Neighbor States

  • Idle - not trying to connect; the start state, and where a peer goes after an error
  • Connect - waiting for the outgoing TCP connection to complete
  • Active - the TCP attempt failed or timed out; the router listens and retries (a peer flapping between Active and Connect is a transport problem: no route, wrong neighbor address, or port 179 filtered)
  • OpenSent - TCP is up and an OPEN message has been sent; waiting for the peer's OPEN
  • OpenConfirm - OPEN received and accepted; waiting for the first KEEPALIVE
  • Established - neighbors up; UPDATE messages are exchanged


Message Types

  • Open - establish the neighbor relationship; carries version, AS, hold time, router ID and capabilities
  • Keepalive - maintain the neighbor relationship; sent every keepalive interval (60 s by default, with a 180 s hold time)
  • Update - exchange routing information: withdrawn routes, path attributes and the NLRI they apply to
  • Notification - sent when an error occurs; the session is then closed and must re-establish
  • Route-Refresh - ask the peer to resend its routes (RFC 2918); this is what lets "clear ip bgp ... soft in" work without soft-reconfiguration inbound
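
The OPEN exchange and the neighbor checks above, as an added Python example (not code from the original post and not an IOS implementation): it builds and parses the 19-byte message header and the OPEN body as laid out in RFC 4271, rejects the malformed cases that would otherwise earn a NOTIFICATION, then applies the remote-AS and duplicate-RID checks and negotiates the hold time. The OpenMessage class, the function names and the R1/R2 values fed in are my own constructions.

```python
"""BGP message header and OPEN handling (RFC 4271 section 4), constructed example."""
import struct
from dataclasses import dataclass
from typing import Tuple

MSG_OPEN, MSG_UPDATE, MSG_NOTIFICATION, MSG_KEEPALIVE, MSG_ROUTE_REFRESH = 1, 2, 3, 4, 5
MARKER = b"\xff" * 16          # all ones; the marker carries no authentication in BGP-4
HEADER_LEN = 19                # 16-byte marker + 2-byte length + 1-byte type
MAX_MSG_LEN = 4096


class BgpMessageError(ValueError):
    """Malformed or unacceptable message; a real speaker sends NOTIFICATION and closes."""


@dataclass
class OpenMessage:
    version: int
    my_as: int               # 16-bit field (a 4-byte ASN appears here as AS_TRANS 23456)
    hold_time: int           # seconds; 0 disables keepalives, 1 and 2 are invalid
    bgp_identifier: str      # router ID as a dotted quad
    optional_params: bytes = b""


def build_message(msg_type: int, body: bytes) -> bytes:
    length = HEADER_LEN + len(body)
    if length > MAX_MSG_LEN:
        raise BgpMessageError("message exceeds 4096 bytes")
    return MARKER + struct.pack("!HB", length, msg_type) + body


def build_open(msg: OpenMessage) -> bytes:
    rid = bytes(int(octet) for octet in msg.bgp_identifier.split("."))
    body = struct.pack("!BHH", msg.version, msg.my_as, msg.hold_time) + rid
    body += struct.pack("!B", len(msg.optional_params)) + msg.optional_params
    return build_message(MSG_OPEN, body)


def build_keepalive() -> bytes:
    return build_message(MSG_KEEPALIVE, b"")


def parse_header(data: bytes) -> Tuple[int, int]:
    """Check marker, length and type (Message Header Error subcodes 1, 2, 3)."""
    if len(data) < HEADER_LEN:
        raise BgpMessageError("truncated header")
    if data[:16] != MARKER:
        raise BgpMessageError("connection not synchronized (bad marker)")
    length, msg_type = struct.unpack("!HB", data[16:HEADER_LEN])
    if length < HEADER_LEN or length > MAX_MSG_LEN or length > len(data):
        raise BgpMessageError("bad message length")
    if msg_type not in (MSG_OPEN, MSG_UPDATE, MSG_NOTIFICATION, MSG_KEEPALIVE, MSG_ROUTE_REFRESH):
        raise BgpMessageError("bad message type")
    return msg_type, length


def parse_open(data: bytes) -> OpenMessage:
    msg_type, length = parse_header(data)
    if msg_type != MSG_OPEN:
        raise BgpMessageError("expected OPEN")
    body = data[HEADER_LEN:length]
    if len(body) < 10:
        raise BgpMessageError("truncated OPEN")
    version, my_as, hold_time = struct.unpack("!BHH", body[:5])
    rid = ".".join(str(b) for b in body[5:9])
    opt_len = body[9]
    if len(body) != 10 + opt_len:
        raise BgpMessageError("optional parameter length does not match body")
    if version != 4:
        raise BgpMessageError("unsupported version number")      # OPEN error subcode 1
    if my_as == 0:
        raise BgpMessageError("bad peer AS")                      # subcode 2
    if rid == "0.0.0.0":
        raise BgpMessageError("bad BGP identifier")               # subcode 3
    if hold_time in (1, 2):
        raise BgpMessageError("unacceptable hold time")           # subcode 6
    return OpenMessage(version, my_as, hold_time, rid, bytes(body[10:]))


def accept_open(data: bytes, expected_remote_as: int, local_rid: str,
                local_hold_time: int) -> Tuple[OpenMessage, int]:
    """Neighbor checks from the page: the peer's AS must equal the configured
    'neighbor ... remote-as' value and the two router IDs must differ. Returns the
    parsed OPEN and the negotiated hold time (the smaller of the two sides')."""
    msg = parse_open(data)
    if msg.my_as != expected_remote_as:
        raise BgpMessageError(f"bad peer AS: got {msg.my_as}, expected {expected_remote_as}")
    if msg.bgp_identifier == local_rid:
        raise BgpMessageError("bad BGP identifier: duplicate router ID")
    return msg, min(local_hold_time, msg.hold_time)


if __name__ == "__main__":
    # Constructed exchange: R2 (AS 600, RID 14.0.0.1) sends its OPEN to R1 (AS 500, RID 11.0.0.1).
    wire = build_open(OpenMessage(4, 600, 180, "14.0.0.1"))
    msg, hold = accept_open(wire, expected_remote_as=600, local_rid="11.0.0.1", local_hold_time=180)
    print(msg, hold, wire.hex())
```

A 29-byte OPEN with no optional parameters is the minimum a peer sends; real IOS speakers append capability parameters (route refresh, the IPv4 unicast address family seen in the show output above), which this parser carries through untouched in optional_params. Every rejection above maps to a NOTIFICATION code, which is why a mis-typed remote-as shows up on the other side as "bad peer AS" rather than a silent failure to connect.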


BGP Table

  • Routing Information Base (RIB)

    • holds Network Layer Reachability Information (NLRI)
      • IP prefix
      • prefix length
  • Injecting Routes/Prefixes

    • IGP, static and connected

      • if a metric is assigned on redistribution, it is stored in the Multi-Exit Discriminator (MED)
      • config-router# redistribute [static|connected] metric 9
      • config-router# redistribute eigrp 1
    • Impact of auto-summary

      • applies only to routes injected through redistribution, not to network statements
      • summarizes redistributed routes to their classful network boundary
      • does not look at routes already in the BGP table
    • Manual summaries

      • aggregate-address
        • by default the summary's AS_PATH loses the components' AS_SEQ information, which can allow routing loops
        • the NEXT_HOP of the summary in the local BGP table is 0.0.0.0
        • if all component subnets have the same AS_SEQ, the summary uses that AS_SEQ
        • if the components have different AS_SEQs, the summary's AS_SEQ is empty
        • with the "as-set" option, an AS_SET listing every component ASN is added, so loop detection still works
        • when advertised to an eBGP peer, the local ASN is prepended to the AS_SEQ as usual
    • Default routes

      • via redistribution
        • default-information originate
        • redistribute static
      • config-router# neighbor 3.3.3.3 default-originate [route-map WORD]
      • without a route-map the default is sent unconditionally; with one, only while a route matching the map exists in the routing table


Multiple Routing Entries

  • eBGP
    • steps 9 and 10 are used only as tiebreakers
    • only paths whose neighboring (first) ASN is the same as the best path's are candidates
    • if there are more candidates than configured, steps 9 and 10 decide which are used
    • config-router# maximum-paths <int>
  • iBGP
    • steps 9 and 10 are used only as tiebreakers
    • only paths with different NEXT_HOPs are considered
    • if there are more candidates than configured, steps 9 and 10 decide which are used
    • config-router# maximum-paths ibgp <int> (number of parallel IP routes installed)
  • MPLS VPN (mixed eBGP and iBGP paths)
    • config-router# maximum-paths eibgp <int>





Advertising Routes to Neighbors

  • Not included

    • routes that are not the "best" path (iBGP and eBGP)
      • the best of multiple routes, in order
        • the one with the shortest AS_PATH
        • a single eBGP route over one or more iBGP routes
        • the one with the lowest IGP metric to the NEXT_HOP
        • the iBGP route from the advertising router with the lowest BGP RID
      • never best because of the NEXT_HOP attribute
        • 0.0.0.0 as a result of being injected by the local router
        • a value that is not in the routing table (the path is not eligible at all)
    • routes that match a deny clause in an outbound filter (iBGP and eBGP)
    • iBGP-learned routes are not advertised to other iBGP peers (unless route reflectors or confederations are used)
  • Changing NEXT_HOP

    • iBGP - unchanged unless "neighbor ... next-hop-self" is configured
    • eBGP - rewritten to the update-source IP address unless "neighbor ... next-hop-unchanged" is configured
    • a route-map "set ip next-hop" (see Influencing Routing with Attributes below) overrides either default


Redistributing Routes

  • Synchronization

    • controls whether an iBGP-learned route can become "best"
    • with sync enabled, an iBGP route is not considered best unless the same prefix is also known via the IGP and present in the routing table
    • only meaningful when routers that are not in the iBGP mesh carry transit traffic; disabled with "no synchronization" (the default on current IOS)
  • Confederations

    • AS_CONFED_SEQ, AS_CONFED_SET
    • inside a sub-AS a full iBGP mesh (or route reflection) is still required
    • confederation eBGP connections between sub-ASes act like iBGP (LOCAL_PREF, NEXT_HOP and MED are preserved)
      • except for the TTL, which is 1 as for any eBGP session
    • confederation ASNs are not counted in the AS_PATH length
    • confederation routers remove the confederation ASNs from the AS_PATH in updates sent outside the confederation
  • Route reflection

    • routes from non-clients are not reflected to other non-clients (the normal iBGP rule still applies between them)
    • loop prevention
      • CLUSTER_LIST attribute - works like AS_PATH; a reflector drops a route whose CLUSTER_LIST already contains its own cluster ID
      • ORIGINATOR_ID attribute - RID of the first router to advertise the route into the AS; a router drops a route carrying its own RID as ORIGINATOR_ID
      • only the best route is reflected




Basic Configuration

config# router bgp 1
config-router# neighbor 172.16.12.1 remote-as 1 (iBGP since 1 = 1)

config# router bgp 777
config-router# neighbor 2.2.2.2 remote-as 605 (eBGP since 777 != 605)
config-router# neighbor 2.2.2.2 ebgp-multihop <1-255> (maximum hop count / TTL for the eBGP session)
config-router# neighbor 2.2.2.2 update-source loopback 0 (source the session from the loopback so it survives a single link failure)


Resetting Peer Connections


config-router# neighbor 10.1.1.2 shutdown
config# clear ip bgp *


Timers

config-router# timers bgp <keepalive> <holdtime> (defaults 60 and 180; the hold time should be at least three times the keepalive)
config-router# neighbor ... timers <keepalive> <holdtime> (per-neighbor override; the lower hold time of the two sides is used)


Advertisements

config-router# network 10.5.1.0 mask 255.255.255.0 (the prefix and mask must exactly match a route in the routing table)
config-router# no synchronization (do not require an IGP copy of iBGP routes before using them; the default on current IOS)
config-router# neighbor 172.16.12.1 next-hop-self (advertise yourself as the next hop toward this iBGP peer)


Authentication

config-router# neighbor ... password WORD (TCP MD5 signature option, RFC 2385; both sides need the same key, and the key is stored in clear text in the config unless "service password-encryption" is set)
config-router# neighbor ... ttl-security hops 1 (GTSM; discard session packets whose TTL shows they travelled more than 1 hop, which blocks spoofed resets from off-link hosts)


Route Reflector


config-router# bgp cluster-id 1
config-router# neighbor 10.12.1.2 route-reflector-client (disable split-horizon to client)


Confederations


config# router bgp <sub-as>
config-router# bgp confederation identifier <real-as>
config-router# bgp confederation peers <peer-sub-as>


Minimize (peer groups)

config-router# neighbor WORD peer-group
config-router# neighbor WORD remote-as 65500
config-router# neighbor WORD route-reflector-client
config-router# neighbor 10.12.1.2 peer-group WORD (the neighbor inherits the peer group's settings)


Redistribution

config# router bgp 7500
config-router# neighbor 10.12.1.1 remote-as 7500
config-router# redistribute ospf 1 (origin becomes ?; filter with a route-map unless every OSPF route really belongs in BGP)
config-router# neighbor 10.12.1.1 next-hop-self
config-router# neighbor 10.46.1.6 route-reflector-client
config-router# no synchronization


Summarization

config-router# aggregate-address 172.0.0.0 255.0.0.0 summary-only (advertise only the summary; all component routes are suppressed)

config# access-list 30 permit 172.0.0.0 0.255.255.255 (match all 172.x.x.x routes)
config# route-map WORD
config-route-map# match ip address 30
config-router# aggregate-address 172.0.0.0 255.0.0.0 suppress-map WORD (suppress only the component routes that match the route-map)
config-router# neighbor 10.14.1.2 unsuppress-map WORD (re-advertise the suppressed routes that match the route-map to this neighbor only)


Route Filtering

config# access-list 25 deny 172.0.0.0 0.0.0.0 (match the specific network 172.0.0.0)
config# access-list 25 permit any
config-router# distribute-list 25 out (filter updates to all neighbors)
config-router# neighbor 10.14.1.2 distribute-list 25 out (filter for a specific neighbor)
config# ip prefix-list WORD deny 172.0.0.0/8
config# ip prefix-list WORD permit 0.0.0.0/0 le 32
(le 32: any prefix length less than or equal to 32, i.e. everything; note that "deny 172.0.0.0/8" without ge/le matches only the exact /8, so 172.16.0.0/16 is still permitted; use "deny 172.0.0.0/8 le 32" to cover the whole block)
config-router# neighbor 10.12.1.1 prefix-list WORD out

config# route-map WORD
config-route-map# match ip address 25
config-router# neighbor 10.14.1.2 route-map WORD out

Influencing Routing with Attributes

config# access-list 61 permit 192.168.0.0 0.0.255.255
config# route-map WORD
config-route-map# match ip address 61
config-route-map# set origin igp (preference: igp > egp > incomplete)
config-router# neighbor 10.13.1.2 route-map WORD out

config# route-map WORD permit 20
(creates a permit-any statement at sequence 20; without it, every route not matched by sequence 10 is dropped by the implicit deny)

config-route-map# set as-path prepend 7500 7500 7500
(prepend your own AS number; prepending someone else's ASN makes that AS drop the route on loop detection)

config-route-map# set ip next-hop 10.1.1.1

config-route-map# set metric 1000 (sets the MED; lower is better)
config-router# bgp bestpath med confed (compare MEDs between confederation sub-ASes)
config-router# bgp bestpath med missing-as-worst (a route with no MED is treated as having the worst possible MED rather than 0)

config-route-map# set local-preference 1000
config-route-map# set weight 8000 (applied in a route-map in the inbound direction for a neighbor)


Filtering Using Regular Expressions


config# ip as-path access-list 1 permit ^500$
config-route-map# match as-path 1
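
The prefix-list and as-path access-list filters from the Route Filtering section and the regular-expression section above, as an added Python example that is not part of the original post and not IOS code: it parses prefix-list lines with IOS semantics (exact length unless ge/le is given, first match wins, implicit deny), translates the IOS "_" metacharacter before handing an as-path regex to Python's re module, and applies both filters to a constructed set of outbound routes. The function names and the sample routes are my own; only the prefix-list lines and the ^500$ regex come from the page.

```python
"""IOS prefix-list and as-path access-list semantics (constructed example)."""
import ipaddress
import re
from typing import List, Optional, Tuple

PrefixEntry = Tuple[str, str, Optional[int], Optional[int]]   # (action, network, ge, le)


def parse_prefix_list(lines: List[str]) -> List[PrefixEntry]:
    """Parse 'ip prefix-list NAME [seq N] permit|deny A.B.C.D/len [ge X] [le Y]' lines in order."""
    entries = []
    for line in lines:
        tokens = line.split()
        if tokens[:2] != ["ip", "prefix-list"]:
            raise ValueError(f"not a prefix-list line: {line}")
        tokens = tokens[3:]                       # drop 'ip prefix-list NAME'
        if tokens and tokens[0] == "seq":
            tokens = tokens[2:]
        action, network, rest = tokens[0], tokens[1], tokens[2:]
        ge = le = None
        while rest:
            keyword, value, rest = rest[0], int(rest[1]), rest[2:]
            if keyword == "ge":
                ge = value
            elif keyword == "le":
                le = value
            else:
                raise ValueError(f"unknown keyword {keyword!r} in: {line}")
        entries.append((action, network, ge, le))
    return entries


def entry_matches(entry: PrefixEntry, prefix: str) -> bool:
    """IOS rule: the route must lie inside the entry's network, and its length must be
    exactly the entry length (no ge/le) or within [ge or entry length, le or 32]."""
    _, network, ge, le = entry
    net = ipaddress.ip_network(network, strict=False)
    route = ipaddress.ip_network(prefix, strict=False)
    if not route.subnet_of(net):
        return False
    if ge is None and le is None:
        return route.prefixlen == net.prefixlen
    low = ge if ge is not None else net.prefixlen
    high = le if le is not None else net.max_prefixlen
    return low <= route.prefixlen <= high


def prefix_list_permits(entries: List[PrefixEntry], prefix: str) -> bool:
    """The first matching entry decides; an unmatched prefix is denied."""
    for entry in entries:
        if entry_matches(entry, prefix):
            return entry[0] == "permit"
    return False


def ios_regex(pattern: str) -> str:
    """IOS '_' matches start, end, space, comma, brace or parenthesis; translate it for re."""
    return pattern.replace("_", r"(?:^|$|[ ,{}()])")


def as_path_matches(pattern: str, as_path: List[int]) -> bool:
    """Match the way 'ip as-path access-list N permit <regex>' does, against 'AS AS AS'."""
    return re.search(ios_regex(pattern), " ".join(str(asn) for asn in as_path)) is not None


def as_path_list_permits(entries: List[Tuple[str, str]], as_path: List[int]) -> bool:
    for action, pattern in entries:
        if as_path_matches(pattern, as_path):
            return action == "permit"
    return False


def outbound_filter(routes: List[Tuple[str, List[int]]], prefix_list: List[PrefixEntry],
                    as_path_list: List[Tuple[str, str]]) -> List[Tuple[str, List[int]]]:
    """Apply 'neighbor ... prefix-list WORD out' and 'neighbor ... filter-list N out' together."""
    return [(p, a) for p, a in routes
            if prefix_list_permits(prefix_list, p) and as_path_list_permits(as_path_list, a)]


if __name__ == "__main__":
    # Constructed data: the page's prefix-list plus three candidate routes.
    plist = parse_prefix_list(["ip prefix-list WORD deny 172.0.0.0/8",
                               "ip prefix-list WORD permit 0.0.0.0/0 le 32"])
    routes = [("172.0.0.0/8", [500]), ("172.16.0.0/16", [500]), ("10.1.1.0/24", [700, 500])]
    print(outbound_filter(routes, plist, [("permit", "^500$")]))   # only 172.16.0.0/16 survives
```

Running this shows the prefix-list gotcha directly: "deny 172.0.0.0/8" stops the /8 but lets 172.16.0.0/16 through, and only "deny 172.0.0.0/8 le 32" blocks the whole block. The ^500$ list keeps only routes that originated in the directly adjacent AS 500, which is the usual way to stop a customer from leaking transit routes learned from someone else.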


Communities

  • internet - the default; advertise to everyone
  • local-AS - do not leave the confederation sub-AS
  • no-advertise - the receiving router keeps the route but does not forward it to any peer
  • no-export - do not send to eBGP peers, except to other sub-ASes of the same confederation
  • none - remove all communities from the route

Community values 0:0-0:65535 and 65535:0-65535:65535 (0x00000000-0x0000FFFF and 0xFFFF0000-0xFFFFFFFF) are IANA reserved; the well-known communities above live in the top range.

config-route-map# set community no-export
config-router# neighbor 10.12.1.1 send-community (without this, the community attribute is stripped from updates to that neighbor)

config# ip bgp-community new-format (display as AA:NN with a colon)

config-route-map# match community 1
config# ip community-list 1 permit no-export (standard list, numbered 1-99)
config# ip community-list 103 permit <regexp> (expanded list, numbered 100-500)
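
The community encoding, well-known values and community-list matching described in both Communities sections above, as an added Python example (not code from the original post and not IOS code): it converts between AA:NN, IOS keywords and the raw 32-bit value, decides whether a route carrying no-export / no-advertise / local-AS may be sent to a given kind of peer, and evaluates standard and expanded community lists the way IOS does (first match wins, standard entries require every listed community, expanded entries are regexes). The function names and the sample route are my own constructions.

```python
"""Community encoding, well-known values and community-list matching (constructed example)."""
import re
from typing import List, Set, Tuple

# Well-known communities from RFC 1997, keyed by the IOS keyword
NO_EXPORT, NO_ADVERTISE, LOCAL_AS = 0xFFFFFF01, 0xFFFFFF02, 0xFFFFFF03
KEYWORDS = {"internet": 0, "no-export": NO_EXPORT, "no-advertise": NO_ADVERTISE, "local-AS": LOCAL_AS}
NAMES = {value: name for name, value in KEYWORDS.items()}


def parse_community(text: str) -> int:
    """Accept AA:NN (new format), an IOS keyword, or the old-format 32-bit decimal."""
    text = text.strip()
    if text in KEYWORDS:
        return KEYWORDS[text]
    if ":" in text:
        aa, nn = (int(part) for part in text.split(":", 1))
        if not (0 <= aa <= 0xFFFF and 0 <= nn <= 0xFFFF):
            raise ValueError(f"AA and NN must be 16-bit: {text}")
        return (aa << 16) | nn
    value = int(text)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"community must fit in 32 bits: {text}")
    return value


def format_community(value: int, new_format: bool = True) -> str:
    """Mirror 'ip bgp-community new-format': AA:NN, or the keyword for well-known values."""
    if value in NAMES:
        return NAMES[value]
    return f"{value >> 16}:{value & 0xFFFF}" if new_format else str(value)


def is_reserved(value: int) -> bool:
    """0x00000000-0x0000FFFF and 0xFFFF0000-0xFFFFFFFF are reserved by RFC 1997."""
    return value <= 0xFFFF or value >= 0xFFFF0000


def may_advertise(communities: Set[int], peer: str) -> bool:
    """peer is 'ebgp', 'confed-ebgp' (another sub-AS of our confederation) or 'ibgp'."""
    if NO_ADVERTISE in communities:
        return False
    if NO_EXPORT in communities and peer == "ebgp":
        return False
    if LOCAL_AS in communities and peer != "ibgp":
        return False
    return True


# A list is an ordered sequence of (action, condition); first match wins, implicit deny at the end.
def standard_list_permits(entries: List[Tuple[str, Set[int]]], communities: Set[int]) -> bool:
    """Standard list: an entry matches only when every community it names is on the route."""
    for action, needed in entries:
        if needed <= communities:
            return action == "permit"
    return False


def expanded_list_permits(entries: List[Tuple[str, str]], communities: Set[int]) -> bool:
    """Expanded list: a regex evaluated against the route's communities in new format."""
    text = " ".join(format_community(c) for c in sorted(communities))
    for action, pattern in entries:
        if re.search(pattern, text):
            return action == "permit"
    return False


def comm_list_delete(entries: List[Tuple[str, Set[int]]], communities: Set[int]) -> Set[int]:
    """'set comm-list WORD delete': each community is tested alone and removed if the list permits it."""
    return {c for c in communities if not standard_list_permits(entries, {c})}


if __name__ == "__main__":
    # Constructed route carrying 500:100 and NO_EXP ORT, as "set community 500:100 no-export" would produce.
    route = {parse_community("500:100"), parse_community("no-export")}
    print([format_community(c) for c in sorted(route)])
    print(may_advertise(route, "ebgp"), may_advertise(route, "ibgp"), may_advertise(route, "confed-ebgp"))
```

The standard-list rule is the one that surprises people: an entry naming two communities is an AND, so "permit 500:100 500:200" does not match a route that carries only 500:100, and because comm-list delete tests one community at a time such an entry never deletes anything. Use one community per entry (or an expanded list) when the intent is OR.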


Backdoor


config-router# network 172.0.0.0 mask 255.0.0.0 backdoor (set admin distance to 200)


AS Translations


config-router# neighbor 172.0.0.0 local-as 65502


View/Debug Commands


show ip bgp summary
show ip bgp neighbor
show ip bgp neighbor ... advertised-routes
show ip bgp neighbor ... received-routes (requires "neighbor .... soft-reconfiguration inbound" command)
show tcp brief all
show ip bgp community [no-export | local-as | no-advert | WORD]
clear ip bgp *
clear ip bgp * [soft [in|out]] (soft reconfiguration)
debug ip bgp updates
debug ip bgp events




Check Point Backup and Restore

Check Point provides three methods for backing up and restoring the operating system and networking parameters.
  • Snapshot and Revert - Snapshots can only be performed on SecurePlatform (SPLAT) and back up everything, including the OS and drivers; they can be used for both a gateway and a management server. The files are usually very large and can only be restored to a device with the EXACT same OS, Check Point version and patch level. The command is snapshot and must be run from expert mode. By default the snapshot file is stored in /var/CPsnapshot/snapshots. To restore, issue the revert command from expert mode.
  • Backup and Restore - The backup utility is only available on SPLAT and backs up the firewall configuration as well as networking parameters such as routing. The file is usually smaller than a snapshot because it contains no drivers. It can be restored to a machine with the same OS, Check Point version and patch level. Backups are performed with the backup command; the default location is /var/CPbackup/backups. On UTM-1 and Power-1 appliances the default location is /var/log/CPbackup/backups. Restoring is done with the restore command from expert mode. Backups are generally performed via the WebUI, but restores must be done from the CLI.
  • upgrade_export / migrate export - The upgrade tools back up all configuration independently of hardware, OS and Check Point version. The migrate utility is used for upgrades and migration of database information and cannot be used when downgrading to an earlier Check Point version. File size depends on the size of the policy. This can usually be done on a live system provided the CPU is not overloaded. It runs on SPLAT, Linux and Windows. On R75 the upgrade tools are in $FWDIR/bin/upgrade_tools.
Saving Interface and Routing Information
  • Windows: netstat -r > routes.txt - saves the routing table to a text file.
  • Windows: ipconfig /all > ipconfig.txt - saves interface information to a text file.
  • SPLAT: ifconfig > ifconfig.txt - saves interface information to a text file.
  • SPLAT: cp /etc/sysconfig/network.C <location> - copies the file containing route information to the given location.
Performing Upgrades
Always upgrade the Security Management Server before the gateways, so the management server is never older than the gateways it manages.
Migration steps for the SMS
  1. Prepare the source machine by running migrate export, which creates a backup of all configuration. Once complete, copy the file off the box with SCP on SPLAT or by copying it from its directory on Windows.
  2. Perform a clean install on the new server.
  3. Import the database on the new server with migrate import.
  4. Test that everything works before putting the server into production.











