
CCIE BGP ORF

These days I am a little slow on article writing as I am in the final lap before my lab exam (I wish to pass..); ok, that was on a personal note. Now on a hopefully helpful note: at first I had a little difficulty understanding the logic behind ORF, but when the coin dropped I started hearing a voice in my head saying tada... So here is how it goes. The real BGP full table is currently almost 250K path entries. Now say you have connections to 3 ISPs and you want, for example, to get the full table from your backbone ISP and only a partial table from your other ISPs. You then face a dilemma: should you develop your human begging skills and ask nicely for each ISP to filter on his side specifically for you? What you will probably get as an answer is "NO", or if he is nice, then "NO". So now you face a problem: you can get the full table from each of the ISPs and filter on your side, but that will not solve the performance and resource problem you wanted to avoid. Or you can call the nice person on the ISP side and ask him just to put:

neighbor <peer-address> capability orf prefix-list receive

and on your side:

neighbor <peer-address> capability orf prefix-list send

Note that this will reset your BGP peer relationship. After that you create your prefix filter. Let's say you only want to receive the two class B subnets; all you need to do is:

ip prefix-list FILTER-FULL-TABLE seq 5 permit 187.0.0.0/16
ip prefix-list FILTER-FULL-TABLE seq 10 permit 198.0.0.0/16
ip prefix-list FILTER-FULL-TABLE seq 15 deny 0.0.0.0/0 le 32
!
! under the BGP process
!
router bgp <your-AS>
 neighbor <peer-address> prefix-list FILTER-FULL-TABLE in
!

This results in the BGP table being filtered on your ISP's side, so you do not even receive the table in order to filter it. Cool, no?! It allows you to create filters on the ISP side without him having to do anything. Here is a small example from my home lab: R3 is peering with R1, and R1 is advertising some prefixes. Now R3 wants to filter them, but not on his side.

! R3 before ORF
!
router bgp 100
 no synchronization
 bgp log-neighbor-changes
 neighbor 150.1.1.1 remote-as 200
 neighbor 150.1.1.1 password CISCO
 neighbor 150.1.1.1 update-source Loopback0
!

R3#sh ip bg
BGP table version is 193, local router ID is 150.1.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 150.1.0.0/21     150.1.1.1                0             0 200 i
*> 150.1.1.0/24     150.1.1.1                0             0 200 i
*> 167.13.0.0       150.1.1.1                0             0 200 i
*> 167.13.135.0/24  150.1.1.1                0             0 200 i
*> 205.90.31.0      150.1.1.1                              0 200 254 ?
*> 220.20.3.0       150.1.1.1                              0 200 254 ?
*> 222.22.2.0       150.1.1.1                              0 200 254 ?
!

Here is R1 before:

R1#sh ip bg nei 150.1.3.3 ad
BGP table version is 16, local router ID is 150.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 150.1.0.0/21     0.0.0.0                            32768 i
*> 150.1.1.0/24     0.0.0.0                  0         32768 i
*> 167.13.0.0       0.0.0.0                            32768 i
*> 167.13.135.0/24  0.0.0.0                  0         32768 i
*> 205.90.31.0      192.10.1.254             0             0 254 ?
*> 220.20.3.0       192.10.1.254             0             0 254 ?
*> 222.22.2.0       192.10.1.254             0             0 254 ?
!
router bgp 200
 no synchronization
 bgp log-neighbor-changes
 network 150.1.1.0 mask 255.255.255.0
 network 167.13.135.0 mask 255.255.255.0
 aggregate-address 150.1.0.0 255.255.248.0
 aggregate-address 167.13.0.0 255.255.0.0
 neighbor 150.1.3.3 remote-as 100
 neighbor 150.1.3.3 password CISCO
 neighbor 150.1.3.3 next-hop-self
!

NOW: I would like to filter the following on R1, so that I do not even receive these prefixes:

167.13.135.0/24
150.1.1.0/24
222.22.2.0/24

So I am configuring:

! R1 (the ISP side for this example)
router bgp 200
 neighbor 150.1.3.3 capability orf prefix-list receive
!
! R3 (the client side)
router bgp 100
 neighbor 150.1.1.1 capability orf prefix-list send
 neighbor 150.1.1.1 prefix-list FILTER-DUP in
!
and the following prefix list:

ip prefix-list FILTER-DUP seq 5 deny 167.13.135.0/24
ip prefix-list FILTER-DUP seq 10 deny 150.1.1.0/24
ip prefix-list FILTER-DUP seq 11 deny 222.22.2.0/24
ip prefix-list FILTER-DUP seq 15 permit 0.0.0.0/0 le 32
!

Now be prepared for the TADA..

R3#sh ip bg
BGP table version is 194, local router ID is 150.1.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 150.1.0.0/21     150.1.1.1                0             0 200 i
*> 167.13.0.0       150.1.1.1                0             0 200 i
*> 205.90.31.0      150.1.1.1                              0 200 254 ?
*> 220.20.3.0       150.1.1.1                              0 200 254 ?

So up to now it looks normal: the filter was done on our side and, when applied, it filtered the incoming prefixes. But no! See R1's advertisements:

R1#sh ip bg nei 150.1.3.3 ad
BGP table version is 16, local router ID is 150.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 150.1.0.0/21     0.0.0.0                            32768 i
*> 167.13.0.0       0.0.0.0                            32768 i
*> 205.90.31.0      192.10.1.254             0             0 254 ?
*> 220.20.3.0       192.10.1.254             0             0 254 ?

And no, there is no prefix list on R1, believe me:

R1#sh ip bg nei 150.1.3.3
...
  Outbound Route Filter (ORF): received (4 entries)
                                 Sent       Rcvd
  Prefix activity:               ----       ----
    Prefixes Current:               4          0
    Prefixes Total:                 4          0
    Implicit Withdraw:              0          0
    Explicit Withdraw:              0          0
    Used as bestpath:             n/a          0
    Used as multipath:            n/a          0
...
  ORF prefix-list: 3

I hope that was a little eye-opener on this issue :-)
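To make the mechanism concrete, here is an added worked example (my own code, not the post's nor Cisco's) that simulates what ORF does with both prefix lists from this post: the generic FILTER-FULL-TABLE and the lab's FILTER-DUP. It models IOS prefix-list semantics as I understand them: entries are evaluated in sequence order, the first match decides, a prefix matching no entry is implicitly denied, an entry with no ge/le matches only that exact prefix length, and "le N" widens the match to lengths up to N. The R1 table is taken from the post's "sh ip bg" output with the classful entries written with explicit masks; the ISP table used for the generic filter is constructed for illustration.

```python
"""Simulate BGP Outbound Route Filtering (ORF): the client's inbound prefix
list is pushed to the neighbour, which applies it as an outbound filter, so
denied prefixes never cross the link. Added example, not the post's code."""

import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class PrefixListEntry:
    seq: int
    action: str               # "permit" or "deny"
    prefix: IPv4Net
    ge: Optional[int] = None  # match mask lengths >= ge
    le: Optional[int] = None  # match mask lengths <= le

    def matches(self, candidate: IPv4Net) -> bool:
        # The candidate must lie inside the entry's prefix ...
        if not candidate.subnet_of(self.prefix):
            return False
        # ... and its mask length must fall inside the [lo, hi] window:
        # no ge/le -> exact length only; ge only -> ge..32; le only -> len..le.
        lo = self.ge if self.ge is not None else self.prefix.prefixlen
        if self.le is not None:
            hi = self.le
        elif self.ge is not None:
            hi = 32
        else:
            hi = self.prefix.prefixlen
        return lo <= candidate.prefixlen <= hi


def parse_prefix_lists(config: str) -> Dict[str, List[PrefixListEntry]]:
    """Parse 'ip prefix-list NAME seq N permit|deny PREFIX [ge N] [le N]' lines."""
    lists: Dict[str, List[PrefixListEntry]] = {}
    for raw in config.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if len(tok) < 7 or tok[:2] != ["ip", "prefix-list"] or tok[3] != "seq":
            raise ValueError(f"unsupported line: {raw!r}")
        name, seq, action = tok[2], int(tok[4]), tok[5]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {raw!r}")
        prefix = ipaddress.ip_network(tok[6])
        ge = le = None
        rest = tok[7:]
        while rest:
            kw, val, *rest = rest
            if kw == "ge":
                ge = int(val)
            elif kw == "le":
                le = int(val)
            else:
                raise ValueError(f"unknown option {kw!r} in: {raw!r}")
        lists.setdefault(name, []).append(PrefixListEntry(seq, action, prefix, ge, le))
    for entries in lists.values():
        entries.sort(key=lambda e: e.seq)  # IOS evaluates by sequence number
    return lists


def permitted(entries: List[PrefixListEntry], candidate: IPv4Net) -> bool:
    """First-match evaluation with the implicit deny at the end of the list."""
    for entry in entries:
        if entry.matches(candidate):
            return entry.action == "permit"
    return False


def apply_orf(peer_table: List[IPv4Net], client_inbound: List[PrefixListEntry]) -> List[str]:
    """The ISP router applies the client's inbound list as its outbound filter:
    only the prefixes returned here are ever sent over the session."""
    return [str(p) for p in peer_table if permitted(client_inbound, p)]


# R1's advertised routes before ORF, copied from the post (classful entries given masks).
R1_TABLE = [ipaddress.ip_network(p) for p in (
    "150.1.0.0/21", "150.1.1.0/24", "167.13.0.0/16", "167.13.135.0/24",
    "205.90.31.0/24", "220.20.3.0/24", "222.22.2.0/24")]

FILTER_DUP = """
ip prefix-list FILTER-DUP seq 5 deny 167.13.135.0/24
ip prefix-list FILTER-DUP seq 10 deny 150.1.1.0/24
ip prefix-list FILTER-DUP seq 11 deny 222.22.2.0/24
ip prefix-list FILTER-DUP seq 15 permit 0.0.0.0/0 le 32
"""

FILTER_FULL_TABLE = """
ip prefix-list FILTER-FULL-TABLE seq 5 permit 187.0.0.0/16
ip prefix-list FILTER-FULL-TABLE seq 10 permit 198.0.0.0/16
ip prefix-list FILTER-FULL-TABLE seq 15 deny 0.0.0.0/0 le 32
"""

# Constructed (hypothetical) slice of an ISP table for the generic example.
SAMPLE_ISP_TABLE = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "187.0.0.0/16", "187.0.1.0/24", "198.0.0.0/16", "198.0.0.0/17")]


def r1_sends_after_orf() -> List[str]:
    """What R1 advertises to R3 once it has received FILTER-DUP via ORF."""
    return apply_orf(R1_TABLE, parse_prefix_lists(FILTER_DUP)["FILTER-DUP"])


def isp_sends_with_full_table_filter() -> List[str]:
    """The generic filter passes only the exact /16s: an entry without 'le'
    never matches a more-specific such as 187.0.1.0/24."""
    return apply_orf(SAMPLE_ISP_TABLE,
                     parse_prefix_lists(FILTER_FULL_TABLE)["FILTER-FULL-TABLE"])


if __name__ == "__main__":
    print("R1 -> R3 after ORF:", r1_sends_after_orf())
    print("ISP -> you with FILTER-FULL-TABLE:", isp_sends_with_full_table_filter())
```

Run it and the first list is exactly the four prefixes left in R1's "advertised-routes" output above (and the "Prefixes Current: 4" counter in the neighbour detail). The second list is the caveat worth checking before you send a filter to a peer: "permit 187.0.0.0/16" with no "le" admits only the /16 itself, so if the ISP also originates more-specifics of that block they will be dropped too, and a "le 24" or similar is needed if you want them.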
however normally resources are limited and expensive, and Service provider would like to make money from his available resources. maximum routes configured under VRF provide a mean of controlling PE local resource and abuse avoidance from the CE side.I have vrf called DC_EXTRANET, you can see that I have 16 routes, I have configured 10 maximum routes under that vrf however I did not want to be aggressive so I have set the warning only option. See that immediately I get a notice that I have more routes then the maximum, however no action is taken other then alerting and sending a syslog. ! PE_ashdod_otherisp.n(config-vrf)# maximum routes 10 warning-only % The current number of routes in the routing table is equal to, or exceeds the configured warning limit PE_ashdod_otherisp.n(config-vrf)# *Nov 26 20:39:41.175: %IPRT-3-ROUTELIMITWARNING: IP routing table limit warning - DC_…