routing services 2 - gnatbox.com · routing services 2 bgp, ospf, rip & static routes 1/29/2013...

© 2009 GTA, INC. CONFIDENTIAL & PROPRIETARY, NOT FOR DISTRIBUTION.

‹#›Global Technology Associates, Inc.

Routing Services 2 BGP, OSPF, RIP & Static Routes

1/29/2013Course # 2251

http://www.gta.com/


‹#›

Overview ▪ Static Routes

▪ Overview ▪ Firewall Configuration

▪ BGP ▪ Overview ▪ Firewall Configuration

▪ OSPF ▪ Overview ▪ Firewall Configuration

▪ RIP ▪ Overview ▪ Firewall Configuration


‹#›

Static Routes

▪ Over ride the dynamic routing protocols. ▪ Configured in [Configure -> Network ->

Routing -> Static Routes] ▪ Supports both IPv4 and IPv6 routes.


‹#›

Static Route Example


‹#›

Static Route Trouble Shooting

Traceroute to and from remote LAN Check the firewall routing and arp table. No static route is needed if network is reached by the default gateway in most cases.


‹#›

Common Problem


‹#›

BGP

▪ BGP – Border Gateway Protocol ▪ IPv4 & IPv6 support in GB-OS

6.0. ▪ Used for large networks ▪ Supported on

▪ GB-3000 ▪ GB-2500 ▪ GB-2100 ▪ GB-2000 Family ▪ GB-Ware

▪ Uses TCP port 179 for communication

▪ Two or more routers form a peer group or neighbors and exchange reachability information.


‹#›

Configuring BGP

▪ Router AS (Autonomous System) - The number assigned to a router or set of routers in a single technical administration.

▪ Router ID – Unique router ID. For simplicity, we usually use one of the firewall IP addresses.

▪ Networks – Selection for which networks will use BGP. ▪ User defined ▪ Or Address Object


‹#›

Configuring BGP Aggregation

▪ Aggregate Addresses – ▪ Networks to Aggregate ▪ Object containing multiple networks or user define.

▪ Route Aggregation Options ▪ No AS SET and No Summary – Sends the Aggregate

address and specific addresses. Does not send AS Set information.

▪ Summary Only – Suppress less specific routes. ▪ AS SET – Includes the AS-set information in the route

updates. Does not aggregate routes.


‹#›

AS Set with Summary


‹#›

Summary with no AS SET


‹#›

AS Set & No Summary


‹#›

Configuring BGP Advanced Automatic Policies

Creates automatic remote access policy to accept BGP connections (TCP port 179).


‹#›

Configuring BGP Advanced Redistribute

▪ Connected ▪ Networks directly assigned to firewall

interfaces ▪ Includes

▪ VLAN ▪ Aliases

▪ OSPF – routes learned via OSPF ▪ RIP – routes learned via RIP ▪ Static – routes configured on the firewall. ▪ Metric – allows administrator to configure

metric for each redistribute network.


‹#›

Configuring BGP Neighbors

▪ Description ▪ Neighbor IP Address ▪ Remote AS Number ▪ Weight (v6.1.0 and above only) ▪ Advertise Default Route


‹#›

BGP Weight Option


‹#›

Advertise Default Route

▪ Advertise the firewall as the default gateway.

▪ If you want a firewall to learn it’s default route via BGP. You will need to remove the default route in[Configure -> Network -> Routing -> Static Routes] .


‹#›

BGP Between Two Firewalls


‹#›

BGP Neighbor Advanced Option eBGP Multihop

▪ Allows a Neighbor connection between two peers that are not directly connected.

▪ Only used for external BGP.


‹#›

Multihop Configuration

cisco2600#show bgp neighbors BGP neighbor is 10.20.75.75, remote AS 100, external link BGP version 4, remote router ID 10.20.75.75 BGP state = Established, up for 00:08:31 Last read 00:00:31, hold time is 180, keepalive interval is 60 seconds Neighbor capabilities: Route refresh: advertised and received(new) Address family IPv4 Unicast: advertised and received Address family IPv6 Unicast: received Received 14 messages, 0 notifications, 0 in queue Sent 13 messages, 0 notifications, 0 in queue Route refresh request: received 0, sent 0 Default minimum time between advertisement runs is 30 seconds


‹#›

BGP Neighbor Advanced Option Next Hop Self

▪ Next Hop Self is the next hop to use in order to reach a certain destination.

▪ Next Hop Self Attribute is always the IP address of the neighbor that the command specifies.


‹#›

Monitoring BGP

▪ show ip route ▪ show ip route ▪ show ip bgp ▪ show ipv6 bgp ▪ Show bgp neighbors ▪ Show ip bgp scan ▪ Show ip bgp

summary


‹#›

BGP Trouble Shooting

▪ Run show bgp neighbor check other routers/firewalls are displayed – !!!

▪ Check the BGP security policy is matched. ▪ Check routers and firewall routing tables. ▪ Run trace routes between networks. ▪ BGP does not

▪ Distribute IPSec VPN routes. ▪ Support Secure BGP. ▪ Support AS Path Filtering


‹#›

OSPF

▪ OSPF – Open Shortest Path First ▪ Interior gateway routing

protocol (IGRP). ▪ Using link state algorithm

advertisements (LSA’s) to builds a database (LSDB) of the networks.

▪ OSPF multicast packets uses protocol 89.

▪ IPv4 only ▪ Supported on All products


‹#›

What is an LSA?

▪ LSA are routing information packets used to carry routing information between routers. There are different types of LSA’s.

▪ Types ▪ Type 1 - Router LSA r LSA ▪ Type 2 - Network LSA ▪ Type 3 – Summary LSA ▪ Type 4 – ASBR Summary ▪ Type 5 – External LSA ▪ Type 6 – Group Membership LSA ▪ Type 7 – NSSA area import ▪ Type 8 – External Attribute LSA ▪ Type 9,10, 11


‹#›

Configuring OSPF

▪ Router ID: Unique identified for the firewall/router. Must be in the form of 0.0.0.0 (Example: 0.0.0.1)

▪ Advertise Default Route: A toggle for whether or not the firewall will advertise itself as the default route. ▪ If you want a firewall to learn it’s default route via OSPF. You will need

to remove the default route from the firewall. Usually this is not done.


‹#›

OSPFAdvanced

▪ Automatic Policies create an Automatic Remote Access Policy to accept OSPF packets. !!

▪ Default Metric - configure metric for a route. ▪ Distance - configure how a router or firewall

determine which source of routes it will uses if it receives identical routes from different protocols.


‹#›

Default Administrative Distances

▪ OSPF - 110 ▪ iBGP - 200 ▪ eBGP - 20 ▪ RIP - 120 ▪ Static Route – 1 !

Lower the distance more trusted the route.


‹#›

OSPF Advanced Redistribute

▪ BGP – route learned via BGP ▪ Connected Networks directly

assigned to firewall interfaces. Includes


▪ RIP – route learned via RIP ▪ Static – routes configured on the

firewall. ▪ Metric – allows administrator to

configure metric for each redistribute network.


‹#›

Configure OSPF Areas

▪ Area: Specifies the OSPF area. Areas are used to provide hierarchical routing with an Autonomous System.

▪ Type: used to determine the behavior of the firewall/router. Specifying the LSA type allowed ▪ Normal ▪ Stub ▪ NSSA ▪ NSSA No Summary ▪ Stub No Summary

▪ Networks: Networks used in the area.


‹#›

Type Restrictions

Area Restriction

Stub No Type 5 LSA. External LSA allowed

Stub No Summary (Totally Stubby)

No Type 3,4 or 5 LSA’s allowed except default summary route

NSSA No Type 5 LSA. External LSA’s allowed. Type 7 LSAs that convert to 5 at the NSA ABR can traverse.

NSSA No Summary (NSSA Totally Stubby)

No Type 3, 4 or 5 LSA’s except the default summary route.

Normal No restrictions


‹#›

OSPF Areas Advanced

▪ Key ▪ Password


‹#›

OSPF Areas Advanced

▪ Cost - allows configuration of cost for an area. ▪ Priority - A selection for the priority status of the route. The router

with the highest priority will be more eligible to become the Designated Router. Setting the value to 0 makes the router ineligible to become the Designated Router (DR)

▪ Dead Interval – time period after which router will be consider down.

▪ Hello Interval – configures rate that hello packets are sent. ▪ Retransmit Interval - Define the period of time in which the router

will wait after an update is sent. If time expires, the router will resend the update.

▪ Transmit Delay - Define the estimated time (in seconds) to send an update. This value must be greater than zero.


‹#›

Configure OSPF Areas Virtual Links and Backbone

▪ If more than one router is connected then an area 0 must exist. All routers must connect to area 0.

▪ Areas not directly connected to the Area 0 must have Virtual Links to area 0.


‹#›

Monitoring OSPF

▪ show ip route ▪ Show ip ospf ▪ Show ip osdpf border-

routers ▪ Show ip ospf database ▪ Show ip ospf interface ▪ Show ip ospf neighbor ▪ Show ip ospf route


‹#›

OSFP Trouble Shooting ▪ Run show ip ospf neighbor check other routers/firewalls are displayed –

!!!!!

▪ Firewall fails to pick up routes ▪ Check syslog ▪ Following log indicates a problem

▪ with Authentication - ▪ Aug 19 12:16:46 pri=4 msg="ospfd: interface rl1:10.10.1.80:

ospf_read authentication failed, router-id 10.10.1.229" type=mgmt ▪ Type Mis-match

▪ Sep 26 08:49:03 pri=4 msg="ospfd[30379]: Packet 10.20.80.80 [Hello:RECV]: my options: 0, his options 2" type=mgmt


‹#›

RIP

▪ RIP Uses UDP 520

▪ RIP Advertisements use ICMPv4 and IGMP

▪ Exterior Gateway Routing Protocol

▪ IPv4 only support ▪ Supported on All

products


‹#›

RIPRouting Information Protocol

▪ Routing protocol used by the firewall to learn routes. ▪ GTA firewalls support RIP v1 and v2. ▪ Disabled by default ▪ Configure

▪ Input determines if the firewall will accept RIP broadcasts ▪ Output determines if the firewall will output messages ▪ Password – None | Clear | MD5


‹#›

Advance RIP Options

▪ Advanced ▪ Automatic Polices !!▪ RIP Timers

▪ Update ▪ Timeout ▪ Garbage Collection


‹#›

RIP Advanced Redistribute

▪ BGP – route learned via BGP ▪ Connected - Networks directly

assigned to firewall interfaces. Includes


▪ OSPF – route learned via OSPF ▪ Static – routes configured on the

firewall. ▪ Metric – allows administrator to

configure metric for each redistribute network.


‹#›

Rip

▪ show ip route ▪ show ipv6 route ▪ show ip rip ▪ show ip rip

status


‹#›

RIP Trouble Shooting

▪ Check routers and firewall routing tables. ▪ Use Traceroute to find path packets are sent. ▪ Check the RIP policies are being matched. ▪ Cannot add RIP Interfaces

▪ Default section and allow firewall to configure RIP interfaces.


‹#›

Routing Tables


‹#›

Routing Flag Descriptions


‹#›

References▪ Dynamic Routing Protocols based on Quagga

▪ http://www.quagga.net/ ▪ Cisco BGP –

▪ http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094826.shtml ▪ http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfbgp.html#wp1000871 ▪ https://learningnetwork.cisco.com/docs/DOC-2681 ▪ http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rbgp.html#wp1017386 ▪ http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094195.shtml ▪ http://www.cisco.com/warp/public/104/1.pdf

▪ OSPF ▪ http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094195.shtml

▪ University of Kentucky ▪ http://www.ittc.ku.edu/EECS/EECS_800.ira/bgp_tutorial/13.html

▪ GTA Online Documentation - http://www.gta.com/support/documents

http://www.quagga.net/

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094826.shtml


http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfbgp.html

https://learningnetwork.cisco.com/docs/DOC-2681

http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rbgp.html

http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rbgp.html



http://www.cisco.com/warp/public/104/1.pdf

http://www.cisco.com/warp/public/104/1.pdf



http://www.ittc.ku.edu/EECS/EECS_800.ira/bgp_tutorial/13.html

http://www.gta.com/support/documents/


‹#›Global Technology Associates, Inc.

If you require additional assistance or have additional questions please contact GTA Technical Support. ▪ Email: support @gta.com ▪ Support Line Phone: 1.407.482.6925 ▪ Normal Hours – 0830-1900 EST U.S. ▪ Free User Support – http://forum.gta.com

1/29/2013

mailto:[email protected]

http://forum.gta.com/

http://www.gta.com/

routing services 2 - gnatbox.com · routing services 2 bgp, ospf, rip & static routes 1/29/2013...

Documents