Monday, December 18, 2017

A Simple Example of BGP Conditional Advertisement Configuration

In this 100th note I will cover a BGP technique that my team and I once used when designing routing between DC and DRC sites; the same technique can also be used to decide the primary/backup link in BGP multihoming.

In some cases and conditions a routing-manipulation technique like this is needed. There are many techniques to reach the same objective, but in my experience this one has proven efficient when applied in the field. The example written here is deliberately very simple so that it is easy to understand; real-world implementations are a bit more complicated.

Let's get straight to it: the simple topology is shown below.

[Topology diagram not reproduced: R1 (AS100) peers with R2 (AS200) over 192.168.12.0/24 and with R3 (AS300) over 192.168.13.0/24.]

From the diagram above, the objective of conditional advertisement is to track a prefix. The story: R1 (AS100) is multihomed, peering with R2 (AS200) and R3 (AS300). Under normal conditions the prefix that appears at R2 is 172.16.2.0/24, while prefix 172.16.1.0/24 is not advertised to R2.

The main goal of this technique is that when the link between R1 (AS100) and R3 (AS300) goes down, R1 advertises prefix 172.16.1.0/24 to R2 (AS200).

To achieve this, the configuration on R2 and R3 is just standard BGP peering, as shown below.

R2 configuration
R2#show running-config
Building configuration...

Current configuration : 1269 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
router bgp 200
 no synchronization
 bgp log-neighbor-changes
 neighbor 192.168.12.1 remote-as 100
 neighbor 192.168.12.1 soft-reconfiguration inbound
 no auto-summary
!
ip forward-protocol nd
!
ip bgp-community new-format
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end

R3 configuration
R3#show running-config
Building configuration...

Current configuration : 1367 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
interface Loopback0
 ip address 172.16.2.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.13.3 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
router bgp 300
 no synchronization
 bgp log-neighbor-changes
 network 172.16.2.0 mask 255.255.255.0
 neighbor 192.168.13.1 remote-as 100
 neighbor 192.168.13.1 soft-reconfiguration inbound
 no auto-summary
!
ip forward-protocol nd
!
ip bgp-community new-format
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end


The important part is the configuration on R1, shown below. Routes learned from R3 are tagged with community 100:300 by route-map Set-comm, route-map AS300-in (the non-exist-map) matches the tracked prefix 172.16.2.0/24 only when it carries that community, and route-map AS200-out (the advertise-map) selects 172.16.1.0/24, which is sent to R2 only while nothing in the BGP table matches the non-exist-map.

R1 configuration
R1#show run
Building configuration...

Current configuration : 1954 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.13.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
router bgp 100
 no synchronization
 bgp log-neighbor-changes
 network 172.16.1.0 mask 255.255.255.0
 neighbor 192.168.12.2 remote-as 200
 neighbor 192.168.12.2 soft-reconfiguration inbound
 neighbor 192.168.12.2 advertise-map AS200-out non-exist-map AS300-in
 neighbor 192.168.13.3 remote-as 300
 neighbor 192.168.13.3 soft-reconfiguration inbound
 neighbor 192.168.13.3 route-map Set-comm in
 no auto-summary
!
ip forward-protocol nd
!
ip bgp-community new-format
ip community-list 1 permit 100:300
!
no ip http server
no ip http secure-server
!
!
ip prefix-list AS300-track seq 5 permit 172.16.2.0/24
!
ip prefix-list Local-prefix seq 5 permit 172.16.1.0/24
no cdp log mismatch duplex
!
!
!
route-map AS300-in permit 10
 match ip address prefix-list AS300-track
 match community 1
!
route-map Set-comm permit 10
 set community 100:300
!
route-map AS200-out permit 10
 match ip address prefix-list Local-prefix
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end


VERIFICATION
To make sure the configuration above works we have to verify it; follow the steps below.

1) R1 status under normal conditions

[Screenshot of R1's BGP neighbor status not reproduced]

2) R2 status under normal conditions

[Screenshot of R2's BGP table not reproduced]

Look at step 1: in the output above, under normal conditions prefix 172.16.2.0/24 is received from R3 (AS300) and the condition-map status is Withdraw. In step 2 we can see that under normal conditions R2 (AS200) does not receive prefix 172.16.1.0/24.

3) Testing and proof
To prove whether our conditional advertisement configuration works, shut down either the interface toward R3 (AS300) on R1 (AS100) or the interface toward R1 (AS100) on R3 (AS300). In this example I shut down the interface facing R1 (AS100) on R3 (AS300).

What will happen? Let's try it....

[Screenshot of the interface shutdown on R3 not reproduced]

After it goes down, check R1; after a short wait (the condition is re-evaluated by the periodic BGP scanner, so it does not switch instantly) R1 should report that the BGP session toward R3 (AS300) is down.

[Screenshot of the BGP neighbor-down log on R1 not reproduced]

4) Check and verify on R1 and R2: is conditional advertisement running?

[Screenshots of the condition-map status on R1 and the BGP table on R2 not reproduced]

Success.....!!!

In this state the BGP session between R1 and R3 is down and prefix 172.16.2.0/24 has been removed from R1's BGP RIB. As the output above shows, the condition-map status is now Advertise, meaning prefix 172.16.1.0/24 is now present at R2.
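To make R1's decision logic concrete, here is an added Python model (not code from the blog post) of the advertise-map/non-exist-map evaluation, transcribed from R1's route-maps, prefix-lists and community-list above. The BGP table entries it feeds in are constructed; the extra scenario where a copy of 172.16.2.0/24 arrives from a peer other than R3 goes beyond the post and shows what the community match is for.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class BgpRoute:
    prefix: str
    from_neighbor: str            # address of the sending peer, or "local"
    communities: frozenset = field(default_factory=frozenset)


# R1's policy objects, transcribed from its running-config.
AS300_TRACK = ("172.16.2.0/24",)   # ip prefix-list AS300-track
LOCAL_PREFIX = ("172.16.1.0/24",)  # ip prefix-list Local-prefix
COMMUNITY_LIST_1 = {"100:300"}     # ip community-list 1 permit 100:300
R3 = "192.168.13.3"                # neighbor with "route-map Set-comm in"


def prefix_list_permits(plist, prefix):
    """A prefix-list entry without ge/le is an exact match on the prefix."""
    net = ipaddress.ip_network(prefix)
    return any(net == ipaddress.ip_network(p) for p in plist)


def set_comm_in(route):
    """route-map Set-comm in: tag every route learned from R3 with 100:300."""
    if route.from_neighbor == R3:
        return BgpRoute(route.prefix, route.from_neighbor,
                        route.communities | {"100:300"})
    return route


def non_exist_map_hit(rib):
    """route-map AS300-in: both match clauses must hold for the same route
    (different match types inside one clause are ANDed)."""
    return any(prefix_list_permits(AS300_TRACK, r.prefix)
               and bool(r.communities & COMMUNITY_LIST_1) for r in rib)


def condition_state(rib):
    """Mirrors the 'Condition-map' field of show ip bgp neighbors."""
    return "Withdraw" if non_exist_map_hit(rib) else "Advertise"


def conditionally_advertised_to_r2(rib):
    """Prefixes selected by advertise-map AS200-out reach R2 only while
    nothing in the BGP table matches the non-exist-map. Other prefixes
    are advertised to R2 as usual and are not modelled here."""
    if condition_state(rib) == "Withdraw":
        return []
    return sorted(r.prefix for r in rib
                  if prefix_list_permits(LOCAL_PREFIX, r.prefix))


def r1_rib(link_to_r3_up, stray_copy_from_r2=False):
    """Constructed BGP table of R1 for the scenarios in the post."""
    rib = [BgpRoute("172.16.1.0/24", "local")]
    if link_to_r3_up:
        rib.append(set_comm_in(BgpRoute("172.16.2.0/24", R3)))
    if stray_copy_from_r2:      # same prefix via R2: carries no 100:300
        rib.append(BgpRoute("172.16.2.0/24", "192.168.12.2"))
    return rib
```

Without the community match, any copy of 172.16.2.0/24 in R1's table would keep the backup prefix withdrawn; with it, only the route actually learned from R3 counts.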


I hope this simple example is useful.

Friday, December 8, 2017

Per-VRF BGP Router-ID Assignment Configuration on a Router-on-a-Stick Topology

I wrote this note because I happened to be building an environment for an SD-WAN POC, but with a limited number of routers I worked around it by using a VRF-assignment configuration on a router-on-a-stick topology.

The pain point that motivates this technique is that under normal conditions one router can only use one AS number when running BGP, so another technique is needed for one router to appear to carry routing information from two AS numbers and two different locations.

The GNS3 topology used looks roughly like the one below.

NOTES
  • The switch in the middle is a 3725 router image functioning as a switch by means of the NM-16ESW switch module.
  • Most important tip: always check the VLAN database on the router that is used as the SWITCH, because if the VLANs disappear the interconnections will drop, BGP will not come up, and so on.

The scenario is roughly that HQ connects to BR1 & BR2 over MPLS, with a logical topology roughly like the one below.

Looking at the physical topology built in GNS3 in the first picture, the ISP-PE router acts as the router-on-a-stick and the router in the middle acts as the switch.

Let's go straight to the configuration, which is as follows.

SWITCH ROUTER
CENTRAL-SWITCH#terminal length 0
CENTRAL-SWITCH#sh run
Building configuration...

Current configuration : 1586 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CENTRAL-SWITCH
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/0
 switchport mode trunk
!
interface FastEthernet1/1
 switchport access vlan 11
!
interface FastEthernet1/2
 switchport access vlan 12
!
interface FastEthernet1/3
 switchport access vlan 21
!
interface FastEthernet1/4
 switchport access vlan 22
!
interface FastEthernet1/5
 switchport access vlan 31
!
interface FastEthernet1/6
 switchport access vlan 32
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface FastEthernet1/9
!
interface FastEthernet1/10
!
interface FastEthernet1/11
!
interface FastEthernet1/12
!
interface FastEthernet1/13
!
interface FastEthernet1/14
!
interface FastEthernet1/15
!
interface Vlan1
 no ip address
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end


ISP-PE ROUTER
ISP-PE#show run
Building configuration...

Current configuration : 3078 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ISP-PE
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
ip vrf MPLS1
 rd 100:1
!
ip vrf MPLS2
 rd 200:2
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.11
 description HQ-TO-MPLS1
 encapsulation dot1Q 11
 ip vrf forwarding MPLS1
 ip address 172.16.1.1 255.255.255.252
!
interface FastEthernet0/0.12
 description HQ-TO-MPLS2
 encapsulation dot1Q 12
 ip vrf forwarding MPLS2
 ip address 172.16.2.1 255.255.255.252
!
interface FastEthernet0/0.21
 description MPLS1-TO-BISP-PE
 encapsulation dot1Q 21
 ip address 172.16.21.1 255.255.255.252
!
interface FastEthernet0/0.22
 description MPLS2-TO-BISP-PE
 encapsulation dot1Q 22
 ip vrf forwarding MPLS2
 ip address 172.16.22.1 255.255.255.252
!
interface FastEthernet0/0.31
 description MPLS1-TO-BR2
 encapsulation dot1Q 31
 ip vrf forwarding MPLS1
 ip address 172.16.31.1 255.255.255.252
!
interface FastEthernet0/0.32
 description MPLS2-TO-BR2
 encapsulation dot1Q 32
 ip vrf forwarding MPLS2
 ip address 172.16.32.1 255.255.255.252
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
router bgp 1
 bgp router-id 1.1.1.1
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 !
 address-family ipv4 vrf MPLS2
  redistribute connected
  neighbor 172.16.2.2 remote-as 65001
  neighbor 172.16.2.2 local-as 200 no-prepend replace-as
  neighbor 172.16.2.2 activate
  neighbor 172.16.22.2 remote-as 65002
  neighbor 172.16.22.2 local-as 200 no-prepend replace-as
  neighbor 172.16.22.2 activate
  neighbor 172.16.32.2 remote-as 65003
  neighbor 172.16.32.2 local-as 200 no-prepend replace-as
  neighbor 172.16.32.2 activate
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf MPLS1
  redistribute connected
  neighbor 172.16.1.2 remote-as 65001
  neighbor 172.16.1.2 local-as 100 no-prepend replace-as
  neighbor 172.16.1.2 activate
  neighbor 172.16.21.2 remote-as 65002
  neighbor 172.16.21.2 local-as 100 no-prepend replace-as
  neighbor 172.16.21.2 activate
  neighbor 172.16.31.2 remote-as 65003
  neighbor 172.16.31.2 local-as 100 no-prepend replace-as
  neighbor 172.16.31.2 activate
  no synchronization
 exit-address-family
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end
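The per-VRF trick above rests on what `local-as ... no-prepend replace-as` does to the AS_PATH. The following added Python model (not the post's or Cisco's code) applies the documented semantics of those keywords to the VRF membership and AS numbers from the ISP-PE config, and also shows what the plain `local-as` form would have sent, which the post does not cover. The routes fed into the tables are constructed.

```python
PE_REAL_AS = 1                                   # router bgp 1
VRF_LOCAL_AS = {"MPLS1": 100, "MPLS2": 200}      # local-as per address-family
# CE neighbors per VRF: peer address -> remote-as, from the ISP-PE config.
VRF_NEIGHBORS = {
    "MPLS1": {"172.16.1.2": 65001, "172.16.21.2": 65002, "172.16.31.2": 65003},
    "MPLS2": {"172.16.2.2": 65001, "172.16.22.2": 65002, "172.16.32.2": 65003},
}


def receive_from_ce(vrf, ce_addr, prefix, as_path, no_prepend=True):
    """Inbound into the VRF table. Without no-prepend, IOS prepends the
    local-as to routes received from the neighbor; with it, the CE's path
    is stored unchanged. A peer address that is not in this VRF is rejected,
    and the leftmost AS must equal the neighbor's remote-as (IOS enforces
    this by default, bgp enforce-first-as)."""
    if ce_addr not in VRF_NEIGHBORS[vrf]:
        raise ValueError(f"{ce_addr} is not a neighbor in vrf {vrf}")
    if as_path[0] != VRF_NEIGHBORS[vrf][ce_addr]:
        raise ValueError("leftmost AS must be the configured remote-as")
    stored = tuple(as_path) if no_prepend \
        else (VRF_LOCAL_AS[vrf],) + tuple(as_path)
    return (vrf, prefix, stored)


def send_to_ce(vrf, stored_path, replace_as=True):
    """Outbound to a CE in the VRF. Plain local-as sends local-as followed
    by the real AS; replace-as substitutes local-as for the real AS, so the
    CE never sees AS 1 at all."""
    local_as = VRF_LOCAL_AS[vrf]
    head = (local_as,) if replace_as else (local_as, PE_REAL_AS)
    return head + tuple(stored_path)


def ce_view(vrf, table):
    """AS_PATH a CE of the given VRF receives for each route in that VRF's
    table (a CE then drops any path containing its own AS)."""
    return {prefix: send_to_ce(vrf, path)
            for v, prefix, path in table if v == vrf}


def build_tables():
    """Constructed: BR1 and BR2 each announce their loopback into both VRFs."""
    table = []
    for vrf, sub in (("MPLS1", 21), ("MPLS2", 22)):
        table.append(receive_from_ce(vrf, f"172.16.{sub}.2",
                                     "192.168.210.0/24", (65002,)))
    for vrf, sub in (("MPLS1", 31), ("MPLS2", 32)):
        table.append(receive_from_ce(vrf, f"172.16.{sub}.2",
                                     "192.168.220.0/24", (65003,)))
    return table
```

HQ therefore learns BR1's 192.168.210.0/24 with AS_PATH "100 65002" over MPLS1 and "200 65002" over MPLS2, which is exactly the two-provider picture the single ISP-PE box is meant to imitate.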


HQ-ROUTER
HQ#sh run
Building configuration...

Current configuration : 1544 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HQ
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface Loopback1
 ip address 192.168.2.1 255.255.255.0
!
interface FastEthernet0/0
 description TO-MPLS1
 ip address 172.16.1.2 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description TO-MPLS2
 ip address 172.16.2.2 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 network 192.168.1.0
 network 192.168.2.0
 neighbor 172.16.1.1 remote-as 100
 neighbor 172.16.1.1 soft-reconfiguration inbound
 neighbor 172.16.2.1 remote-as 200
 neighbor 172.16.2.1 soft-reconfiguration inbound
 no auto-summary
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end


BR1-ROUTER
BR1#sh run
Building configuration...

Current configuration : 1474 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BR1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
interface Loopback0
 ip address 192.168.210.1 255.255.255.0
!
interface FastEthernet0/0
 description TO-MPLS1
 ip address 172.16.21.2 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description TO-MPLS2
 ip address 172.16.22.2 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
router bgp 65002
 no synchronization
 bgp log-neighbor-changes
 network 192.168.210.0
 neighbor 172.16.21.1 remote-as 100
 neighbor 172.16.21.1 soft-reconfiguration inbound
 neighbor 172.16.22.1 remote-as 200
 neighbor 172.16.22.1 soft-reconfiguration inbound
 no auto-summary
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end


BR2-ROUTER
BR2#show run
Building configuration...

Current configuration : 1474 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BR2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
interface Loopback0
 ip address 192.168.220.1 255.255.255.0
!
interface FastEthernet0/0
 description TO-MPLS1
 ip address 172.16.31.2 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description TO-MPLS2
 ip address 172.16.32.2 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
router bgp 65003
 no synchronization
 bgp log-neighbor-changes
 network 192.168.220.0
 neighbor 172.16.31.1 remote-as 100
 neighbor 172.16.31.1 soft-reconfiguration inbound
 neighbor 172.16.32.1 remote-as 200
 neighbor 172.16.32.1 soft-reconfiguration inbound
 no auto-summary
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end



VERIFICATION

[Screenshots of show ip bgp, show ip bgp summary and show ip route on HQ, BR1 and BR2 not reproduced]

From the verification above using the commands show ip bgp, show ip bgp summary and show ip route, we can see that all the corporate sites, HQ, BR1 and BR2, have obtained routes according to the planned topology.

Now let's look at the ISP-PE router.

[Screenshot of the empty global show ip bgp / show ip route output on ISP-PE not reproduced]

Huh, there's nothing there, why?

Because to view VRF routing, the verification commands to use are the ones below.
  • show ip vrf
  • show ip vrf detail
  • show ip bgp vpnv4 vrf <vrf-name>
  • show ip bgp vpnv4 all

[Output of show ip vrf and show ip vrf detail on ISP-PE not reproduced]

From the output of show ip vrf and show ip vrf detail above we can find out which VRFs exist in the ISP-PE router and which interfaces they are attached to.

Then, to verify routing, use the command shown in the picture below.

[Output of show ip bgp vpnv4 all on ISP-PE not reproduced]

Routing can also be verified per VRF by specifying the VRF name.

[Output of show ip bgp vpnv4 vrf <vrf-name> on ISP-PE not reproduced]

Done, I hope this is useful.