ROUTE 642-902 Training » BGP next-hop-self, community no-export

8/13/2019 ROUTE 642-902 Training BGP next-hop-self, community no-export

1/12

/11/12 ROUTE 642-902 Training BGP next-hop-self, community no-export & send-community GNS3 Lab

1/12www.digitaltut.com/bgp-next-hop-self-community-no-export-send-community-gns3-lab

Type text to search here...

Home> BGP next-hop-self, community no-export & send-community GNS3 Lab

BGP next-hop-self, community no-export &

send-community GNS3 Lab

February 29th, 2012 in Basic LabsGo to comments

In this GNS3 lab we will learn how to establish neighborship between routers running BGP and use BGP

attributes to control how a route is advertised to its neighbors. In this lab I wish to show how to create a

basic BGP network and explain about next-hop-self, community no-export & send-community features in

BGP. Below is the topology of this lab:

IOS used in this lab: c3640-jk9s-mz.124-16.bin

Objectives of this lab:

+ Task 1: Configure EBGP on AS 1, AS 23, AS 4 and configure IBGP between R2 & R3 (AS23)

+ Task 2: Advertise loopback0 on R1 to R4 and make sure R4 can ping to that loopback interface (AS23

becomes a transit AS)

+ Task 3: Make AS 23 not a transit AS by using the feature community no-export

First we will configure all IP addresses of this lab and turn on all the interfaces:

Configure IP addresses on all interfaces

R1(config)#interface f0/0

R1(config-if)#ip address 12.12.12.1 255.255.255.0

R1(config-if)#no shutdown




R3(config)#interface f1/0R3(config-if)#ip address 34.34.34.3 255.255.255.0





2/12










Task 1: Configure EBGP & IBGP

R1(config)#router bgp 1

R1(config-router)#neighbor 12.12.12.2 remote-as

23



23

R3(config-router)#neighbor 34.34.34.4 remote-as 4


R2(config-router)#neighbor 12.12.12.1 remote-as 1


23



23

Now we should check to make sure each BGP speaker (router running BGP) learn about their neighbors

with the show ip bgp summary command:

Note: At this time, the show ip bgp commands on all routers show nothing and the show ip route

commands only show directly connected networks. For example on R4:


3/12



Task 2: Advertise loopback0 on R1 to R4 and make sure R4 can ping to that loopback interface

First, create loopback 1.1.1.1/24 on R1 and advertise it

R1(config)#interface loopback0

R1(config-if)#ip address 1.1.1.1 255.255.255.0R1(config-if)#exit


R1(config-router)#network 1.1.1.0 mask 255.255.255.0

Now we can see that route in both the routing table and BGP routing table of R2.

By the way, lets have a look of the output of the show ip bgp command on R3 at this time


4/12



Please notice the Next Hop field from the output above. We can see that although the loopback0 of R1 is

learned from R2 (so the next hop field should be the fa1/0 interface of R2) but here the Next Hop field here

is an interface on R1 (12.12.12.1). The reason is:

For EBGP, the next hop is always the IP address of the neighbor specified in the neighbor command. For

IBGP, the protocol states that the next hop advertised by EBGP should be carried into IBGP. In this

case, the next hop of EBGP (R1 on AS 1) will be installed into BGP of R3.

Therefore R3 needs an IGP (like OSPF, EIGRP) to reach that EBGP router, if not it will drop all packets

destined for network 1.1.1.0/24. In this case no IGP has been configured so a ping to 1.1.1.1 from R3 will

surely fail because R3 doesnt know how to reach 12.12.12.1.

Also, we can see that R3 cant reach 1.1.1.0/24 with the show ip bgp 1.1.1.0/24 command

This route is inaccessible so R3 will not advertise this route to R4 -> no network 1.1.1.0/24 is installed in

the BGP routing table of R4

To overcome this problem, we can declare the next-hop-self on the edge router (R2). With this command,

R2 will send its own IP address as the next hop instead of sending the EBGP next hop.

R2(config-router)#neighbor 23.23.23.3 next-hop-self

Now the Next Hop field will be an interface on R2 (23.23.23.2):

And network 1.1.1.0/24 is also installed in the BGP routing table of R4 because the route is now accessible


5/12



and R3 advertises it to R4

Notice that although the network 1.1.1.0/24 exists in the BGP routing table but R4 still cant ping to it

Check the BGP routing table of R1 we will see that R1 does not know how to reach 34.34.34.0 network ->

R1 does not know how to send the ping reply (ICMP response) to R4.

To make a successful ping from R4, we must advertise network 34.34.34.0 on R4.

R4(config-router)#network 34.34.34.0 mask 255.255.255.0

Now R1 has learned about network 34.34.34.0/24

Maybe we can now ping from R4 to loopback0? The answer is still no! Although the ping can reach

loopback0 but the reply packets cant reach R4 because there is a mistake on the BGP routing table of R2


6/12



As you can guess, the same problem next hop advertised by EBGP should be carried into IBGP occurs so

we need to use the command:

R3(config-router)#neighbor 23.23.23.2 next-hop-self

Now we can ping from R4 to loopback0 on R1

Task 3: Make AS 23 not a transit AS

This is an important problem in real life. Suppose your company (with R2 & R3 routers) wants the

connection to the Internet must be available in any time so your administrators hired two internet lines from

two separate ISPs (R1 & R4). But improper configuration can make traffic flow from R1 -> R2 -> R3 -> R4

and your company becomes a transit AS. Surely your company does not want to receive this traffic as it

takes much bandwidth of the company. We need to filter out this type of traffic.

The purpose of this task is opposite to task 2. We will make AS 23 not a transit AS by not advertising

network 1.1.1.0 to R4. To do this, we will create a route-map for 1.1.1.0/24 and set the no-export

attribute to this route:

R3(config)#access-list 1 permit 1.1.1.0 0.0.0.255

R3(config)#route-map NOEXPORT permit 10

R3(config-route-map)#match ip address 1R3(config-route-map)#set community no-export


R3(config-router)#neighbor 23.23.23.2 route-map NOEXPORT in


7/12



The no-export means do not advertise this route to any EBGP peers and this attribute is set to network

1.1.1.0/24 before entering R3 (because we apply this route-map on inbound direction to R3). Therefore R3

will understand do not advertise 1.1.1.0/24 to any EBGP neighbor, in this case EBGP neighbor is R4.

Also on R4 the 1.1.1.0/24 network disappears.

Another way to achieve the same result as above is configuring a route-map and apply it on the outbound

direction of R2 (to R3):



R2(config-route-map)#match ip address 1

R2(config-route-map)#set community no-export


R2(config-router)#neighbor 23.23.23.3 route-map NOEXPORT out

For your information, we can use the community no-export on R1 on outbound direction to achieve the

same result but notice you have to add the send-community feature so that the community attribute on R1 is

sent to R2 because even if you set the community attribute on R1, this attribute does not transmit to BGP

neighbors by default.






R1(config-router)#neighbor 12.12.12.2 route-map NOEXPORT out

R1(config-router)#neighbor 12.12.12.2 send-community

Now on R2 you will see


8/12



Also add neighbor send-community command on R2 to propagate community attribute to R3



Now both R2 & R3 receive community attribute on R1

R3 knows network 1.1.1.0/24 is not allowed to advertise to R4 (R4 is an EBGP) so R4 does not have this

route in its BGP routing table (note: we dont need to set the send-community on R3 because R3understands this route should not be advertised to any peer).

This is the end of this lab. I dont upload the configuration files because I wish you to do it by yourself (I am

sorry).

Comments

1. vince

March 19th, 2012

Good lab thx, helped me understand ibgp next-hop

2. MeMeMe

April 1st, 2012


9/12



Er- this prevents the route from being advertised to R2 an eBGP peer once I aded this it never

went to R2 again did I miss something? I did add the send-community, cleared processes, etc.

Please accept my sincerest thanks for every one of your efforts. I only hope your advertisers are

paying you enough!!!

*************************

Quoted:

*************************

For your information, we can use the community no-export on R1 on outbound direction to achievethe same result but notice you have to add the send-community feature so that the community

attribute on R1 is sent to R2 because even if you set the community attribute on R1, this attribute does

not transmit to BGP neighbors by default.





R1(config)#router bgp 1R1(config-router)#neighbor 12.12.12.2 route-map NOEXPORT out


3. MeMeMe

April 1st, 2012

oic it was the access list - should be 1.1.1.0 with 24 bit and not 1.0.0.0 8 bit.

4. digitaltut

April 2nd, 2012

@MeMeMe: Yes, thanks for your detection. I updated it!

5. DantheMan

April 7th, 2012

This is weird and i cant figure it out. I followed the directions for the second way of setting up the

route-map and applying it on the outbound direction of R2 to R3.

It worked great, R1 R2 and R3 could all see route 1.1.1.0/24 but not R4, like it is supposed to. I tried

pinging from R3 to 1.1.1.1, but i get no response. Waited a full 2-3 minutes to make sure allthe routers synch with eachother. But again (B 1.1.1.0) shows in route table, but cant ping still.

any ideas anyone?

6. asad

April 15th, 2012

is there a chance of this lab to came in exam??????????????????

7. Danish

April 16th, 2012

From where can we download these labs?

8. Newbie


10/12



May 14th, 2012

Next-hop-self worked & i could i see it in action. Community no-export & send community didnt

work. Though i did the same config as above, i wasnt able to restrict the route.

Can somebody help, please.

The other lab, i tried. it worked. Thanks for your efforts. Keep Posting many labs

9. Newbie

May 14th, 2012

Great! When i gave clear ip bgp * in i could see the change on R3.

When i give sh route-map in R3, though i could see that the route is not passed on to R4, i dont see

any policy routing matches, but sh access-list shows some matches

Can you help me understand, why routing match is not showing in sh route-map?

10. Onis

May 21st, 2012

Hello,

Wonderful lab ! Thnaks ! :D

Arrivederci !

11. Alexandru

June 11th, 2012

Posted on Its a little more siroeus than most people think, as it affects any computer with the TCP

stack reachable from the outside world ..This includes services with a router or any open ports to the

outside world! (routers having BGP open for routing tables!)All versions of the stack are vulnerable to

some degree using slightly different methods. But, according to the Outpost24 team, they are all

vulnerable.Even load-balanced servers have been used as targets by the team. The servers farms

behind these servers could, in theory, be flooded.This attack is very similar to the 1st ever Dos attack

(syn flood). But this attack starts after the TCP connection has been established and syn cookie is sent

and acknowledged.

12. Rotha

July 9th, 2012

Brilliant guardian ^ thank a lot ^^

13. Rotha

July 10th, 2012

I have done all of the steps above, everything goes perfectlybut still i cannot ping to the

loopback0any advice would be greatly appreciated.

1. No trackbacks yet.

Add a Comment


11/12



Name

Submit Comment

Subscribe to comments feed

Use Distribute-list to filter Routing Updates in BGPEIGRP OSPF Redistribution Sim

ROUTE 642-902

LabSim

Drag and Drop QuestionsDrag and Drop 2

OSPF Hotspot

EIGRP Questions

EIGRP Questions 2

EIGRP Questions 3

EIGRP Questions 4

EIGRP Questions 5

EIGRP Simlet

OSPF QuestionsOSPF Questions 2

OSPF Questions 3

OSPF Questions 4

OSPF Questions 5

OSPF Questions 6

OSPF Questions 7

BGP Questions

BGP Questions 2

BGP Questions 3

BGP Questions 4

BGP Questions 5

Redistribute Questions

Redistribute Questions 2

Redistribute Questions 3

Policy Based Routing Questions

IPv6 Questions

IPv6 Questions 2

IPv6 Questions 3

Operations QuestionsROUTE FAQs & Tips

Share your ROUTE Experience


12/12


Practice Labs with GNS3

Basic Labs

Network ResourcesCCNA Website

ROUTE Website

SWITCH Website

TSHOOT Website

CCNA Voice Website

CCNA Security Website

CCIP Website

CCDA Website

CCIE Website

Support Digitaltut

Your contribution will help keep this site updated!

Top

Copyright 2010-2012 ROUTE 642-902 Training

Privacy Policy. Valid XHTML 1.1 and CSS 3.

Date post:	04-Jun-2018
Category:	Documents
Upload:	alok52
View:	219 times
Download:	0 times

ROUTE 642-902 Training » BGP next-hop-self, community no-export

Documents