22 Oct

Arista – dealing with inactive routes in BGP

In EOS, the BGP implementation normally considers only routes that are active in the RIB for advertisement to its peers.

In certain deployments an IGP such as OSPF may carry the same set of prefixes as BGP (especially when OSPF is used to build the iBGP peering). In addition, routes from OSPF and BGP may be mutually redistributed. As a result, when the local BGP process advertises these prefixes to its neighbors, it always chooses the OSPF routes over the corresponding BGP routes (the administrative distance of OSPF is better than that of BGP), so the BGP routes are inactive and are not advertised.

For a Cisco network engineer this deviates completely from the normal expectation. On Cisco, in the same situation the BGP route is only marked as a RIB failure, and the BGP prefixes are still advertised to the other BGP peers.

Coincidentally, I encountered this situation, and I will share my findings and workaround for reference.

Option 1 – advertise-inactive

This is documented by Arista. Basically it tells BGP to advertise prefixes even though they are inactive (inactive because a route with a better AD exists in another routing protocol).
https://eos.arista.com/eos-4-15-0f/bgp-advertise-inactive/

Option 2 – override the AD for prefixes learnt from iBGP peer

ip prefix-list default-only seq 10 permit 0.0.0.0/0
!
route-map set-distance-for-default permit 10
   match ip address prefix-list default-only
   set distance 20
!
route-map set-distance-for-default permit 20
!
router bgp 65999
   neighbor 10.3.36.2 route-map set-distance-for-default in

For my case, the 0.0.0.0/0 is not installed in BGP because the switch is also receiving the same prefix from OSPF. The above config sets the AD for 0.0.0.0/0 to 20 (instead of 200) when the BGP update is received from the peer. I can set it to any value as long as it is lower than 110 (OSPF).

https://eos.arista.com/forum/change-ad-for-specific-prefix-in-bgp-or-ospf/



09 Aug

Arista EOS – BGP remove-private-as

This is a post copied/stolen/updated from Kevin Wang’s wiznote – [EOS] [RFC6996] BGP remove-private-as

Summary:

  1. Feature support starts from 4.19.1F and 4.18.4F.
  2. “remove-private-as” works for both 2-byte and 4-byte AS numbers.
  3. Private AS numbers: 64512-65534 (2-byte) and 4200000000-4294967294 (4-byte); 4200000000 in asdot notation is 64086.59904.
  4. “neighbor x.x.x.x remove-private-as” only works for AS paths that contain private AS numbers only.
  5. If the AS path contains both public and private AS numbers, you need to give the keyword “all” to force removal of all private AS numbers from the AS path: “neighbor x.x.x.x remove-private-as all”.
  6. If you want to keep the AS path length, use replace-as: “neighbor x.x.x.x remove-private-as all replace-as”.
  7. If the AS_PATH contains the AS number of the eBGP neighbor, BGP does not remove the private AS numbers.
  8. If the AS_PATH contains confederations, BGP removes the private AS numbers only if they come after the confederation portion of the AS_PATH.
  9. If the eBGP neighbor uses a private AS number and you apply “remove-private-as” towards it, you get a warning message, but the CLI still accepts the command and the feature works as expected. The warning exists because of a potential loop: the local switch removes all private AS numbers, which may include the peer’s own ASN, and in that case a loop can happen.
  10. If remote-as is configured on a peer-group and the peer inherits it from the peer-group, remove-private-as on the peer does not prompt the warning, because the information is inherited and EOS does not check it.
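
As an added example (not from the original post and not Arista's code), the rules above can be modelled in a few lines of Python and exercised on sample AS paths constructed here. The ASN ranges and the asdot conversion are the ones stated in the list; the assumption that replace-as substitutes the local ASN, and the names remove_private_as, is_private_asn and loop_warning, are my own. Confederation segments are not modelled.

```python
# Added example: Python model of the remove-private-as rules (not EOS code).
# Sample AS paths below are constructed for illustration.

PRIVATE_2B = range(64512, 65535)            # 64512-65534 inclusive
PRIVATE_4B = range(4200000000, 4294967295)  # 4200000000-4294967294 inclusive


def is_private_asn(asn: int) -> bool:
    """True for the RFC 6996 private ranges (2-byte and 4-byte)."""
    return asn in PRIVATE_2B or asn in PRIVATE_4B


def asdot(asn: int) -> str:
    """Render a 4-byte ASN in asdot notation (plain decimal below 65536)."""
    high, low = divmod(asn, 65536)
    return f"{high}.{low}" if high else str(asn)


def loop_warning(peer_asn: int) -> bool:
    """The CLI warns when remove-private-as is applied towards a peer whose own
    ASN is private: stripping that ASN would defeat the AS_PATH loop check."""
    return is_private_asn(peer_asn)


def remove_private_as(as_path, peer_asn, local_asn, remove_all=False, replace_as=False):
    """Return the AS_PATH as it would be sent to an eBGP peer.

    as_path    -- list of ASNs, leftmost is the most recently prepended
    peer_asn   -- ASN of the eBGP neighbour the update is sent to
    local_asn  -- this router's ASN; assumption: replace-as substitutes it so the
                  path length is preserved
    remove_all -- the "all" keyword: strip private ASNs even next to public ones
    replace_as -- the "replace-as" keyword: substitute instead of delete
    """
    path = list(as_path)
    # Rule 7: if the neighbour's own ASN is in the path, nothing is removed.
    if peer_asn in path:
        return path
    privates = [a for a in path if is_private_asn(a)]
    if not privates:
        return path
    # Rule 4/5: without "all", only an all-private path is touched.
    if not remove_all and len(privates) != len(path):
        return path
    # Rule 6: replace-as keeps the path length.
    if replace_as:
        return [local_asn if is_private_asn(a) else a for a in path]
    return [a for a in path if not is_private_asn(a)]
```

Calling remove_private_as([65001, 3356], peer_asn=100, local_asn=200) leaves the path untouched because a public ASN is present, while the same call with remove_all=True yields [3356] and with replace_as=True as well yields [200, 3356].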

04 Jul

BGP as-path regular expressions

A regular expression is a character pattern that can be matched against an input string. Regular expressions can be built from letters (A through Z, a through z), numbers (0 through 9) and other keyboard characters, such as the exclamation point (!) or the tilde (~). A regular expression can be a single-character pattern or a multiple-character pattern. Certain keyboard characters such as the caret (^) and the dollar sign ($) have special meaning and allow complex regular expressions to be built. Characters with special meaning can be used as plain keyboard characters by preceding them with a backslash (\). When a Border Gateway Protocol (BGP) update exits an Autonomous System (AS), the AS path attribute of the route is updated: the AS number of that AS is prepended to the existing list of AS numbers. BGP can be configured to use regular expressions for route filtering based on the AS path attribute.

Range

A range is a sequence of characters contained within left and right square brackets. For example: [abcd]

Atom

An atom is a single character, such as the following:

. (Matches any single character)

^ (Matches the beginning of the input string)

$ (Matches the end of the input string)

\ (Matches the character)

_ (Matches a comma (,), left brace ({), right brace (}), the beginning of the input string, the end of the input string, or a space)

Piece

A piece is an atom followed by one of the following symbols:

* (Matches 0 or more sequences of the atom)

+ (Matches 1 or more sequences of the atom)

? (Matches the atom or the null string)

Branch

A branch is 0 or more concatenated pieces.

Examples of regular expressions follow:

a* (Any occurrence of the letter “a”, including none)

a+ ( At least one occurrence of the letter “a” should be present)

ab?a (This matches “aa” or “aba”)

_100_ (Via AS100)

_100$ (Origin AS100)

^100 .* (Coming from AS100)

^$ (Originated from this AS)
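
As an added example (not from the original post), the following Python translates a router-style AS-path regex into a standard regex and runs the four AS-path patterns above against sample AS paths constructed here. The only router-specific token is the underscore, which is expanded into the atom definition given above (comma, brace, space, start or end of string); the function names and the sample paths are my own.

```python
import re

# Added example: evaluate BGP AS-path regexes in Python (not router code).
# "_" on a router matches a comma, a brace, a space, the start or the end
# of the AS_PATH string; every other token is standard regex syntax.
_UNDERSCORE = r"(?:^|$|[ ,{}])"


def translate_as_path_regex(pattern: str) -> str:
    """Replace every unescaped '_' with the router's separator class."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):   # keep escapes such as \$ intact
            out.append(pattern[i:i + 2])
            i += 2
            continue
        out.append(_UNDERSCORE if ch == "_" else ch)
        i += 1
    return "".join(out)


def as_path_matches(pattern: str, as_path: str) -> bool:
    """as_path is the textual AS_PATH: ASNs separated by spaces, AS_SETs in
    braces, and an empty string for a route originated in the local AS.
    Routers apply the regex as an unanchored search, hence re.search."""
    return re.search(translate_as_path_regex(pattern), as_path) is not None


# Constructed sample AS paths, as seen from the local AS.
SAMPLE_PATHS = {
    "local":      "",               # originated in this AS
    "direct-100": "100",            # learnt directly from AS100, which originated it
    "via-100":    "300 100 200",    # transits AS100
    "origin-100": "300 100",        # AS100 is the origin
    "from-100":   "100 200 300",    # AS100 is the neighbour, origin is AS300
    "as2100":     "2100 300",       # must NOT match _100_
    "aggregate":  "300 {100,400}",  # AS_SET containing AS100
}


def filter_paths(pattern: str, paths=SAMPLE_PATHS):
    """Names of the sample paths that a given AS-path regex selects."""
    return [name for name, path in paths.items() if as_path_matches(pattern, path)]
```

filter_paths("_100_") selects every path that passes through AS100, including the AS_SET, but not "2100 300"; filter_paths("^$") selects only the locally originated route.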

Refer to Using Regular Expressions in BGP for sample configurations of regular expression filtering.

To test in a live network using a public looking glass server:
https://www.netdigix.com/servers.html

Additional readings:

http://www.quagga.net/docs/docs-multi/AS-Path-Regular-Expression.html

http://www.cisco.com/warp/public/459/26.html

http://www.avici.com/documentation/HTMLDocs/02223-06_revBA/Routing_Pol7.html

28 Mar

BGP Additional Paths

BGP routers only advertise the best path to their neighbors. When a better path is found, it replaces the current path. Advertising a path and replacing it with a new path is called an implicit withdraw.

Since only the best path is advertised, many other possible paths remain unknown to some of the routers. This is called path hiding.

Extra notes on additional path command syntax:

  • neighbor neighbor-id additional-paths send: configures the router to send multiple BGP paths to a neighbor.
  • neighbor neighbor-id additional-paths receive: a neighbor that sends multiple paths is nice, but you still have to configure the local router so that it is willing to receive multiple paths.
  • bgp additional-paths select: you receive a bunch of paths from your neighbor, but you can still configure which of these paths the router actually uses.
  • bgp additional-paths install: tells the router to actually install a backup path that you selected with the “bgp additional-paths select” command.
  • neighbor neighbor-id advertise additional-paths: configures which additional paths the router advertises to a neighbor. “all” means all additional paths.

Reference:
https://networklessons.com/bgp/bgp-additional-paths
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/xe-3s/irg-xe-3s-book/irg-additional-paths.html

18 Mar

VPN Ports


PPTP:
To allow PPTP tunnel maintenance traffic, open TCP 1723.
To allow PPTP tunneled data to pass through the router, open IP protocol 47 (GRE).

L2TP over IPSec
To allow Internet Key Exchange (IKE), open UDP 500.
To allow IPsec NAT traversal (NAT-T), open UDP 4500.
To allow L2TP traffic, open UDP 1701.

OpenVPN:

OpenVPN uses port 1194, both UDP and TCP.

Here’s the Cisco access list (gre = protocol 47, pptp = 1723, isakmp = 500, non500-isakmp = 4500):

permit gre any any
permit tcp any any eq 1194
permit udp any any eq 1194
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit udp any any eq 5500
permit tcp any any eq 1723
permit udp any any eq 1701

If a NATed address is used by either peer, you need to open UDP port 4500 for ISAKMP (NAT-T).

If there is no NAT, you need to open UDP port 500 for ISAKMP.

For Phase 2 you need to explicitly open the IP protocol used by the transform set: protocol 50 for ESP and protocol 51 for AH. These are IP protocol numbers, not TCP/UDP ports.

IPsec can use ESP (protocol 50) or AH (protocol 51). AH breaks when used with any type of NAT with IPv4, so it is rarely used in a transform set.

Common Cisco ACL for allowing VPN traffic:

remark Allow VPN Traffic
permit udp any host [IPSec Headend] eq 500
permit udp any host [IPSec Headend] eq 4500
permit 50 any host [IPSec Headend]
permit 51 any host [IPSec Headend]
permit 47 any host [IPSec Headend]
permit 57 any host [IPSec Headend]
deny   ip any host [IPSec Headend]
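
As an added example (not from the original post), the following Python parses Cisco-style extended ACL lines of the shape shown above and evaluates sample VPN flows against them, so you can check that IKE, NAT-T, ESP and AH reach the headend while everything else is denied. The headend address 192.0.2.1 stands in for [IPSec Headend], the flows and the parser are constructed here, and only the "any" and "host" address forms with an optional "eq" destination port are supported.

```python
from dataclasses import dataclass
from typing import Optional

# Added example: evaluator for a subset of Cisco extended ACL syntax (not Cisco code).
# 192.0.2.1 is a placeholder for the [IPSec Headend] address in the post.

PROTOCOL_NAMES = {"ip": None, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ahp": 51}
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    dport: Optional[int] = None   # only meaningful for TCP/UDP


@dataclass(frozen=True)
class Rule:
    action: str
    proto: Optional[int]          # None means "ip" (any protocol)
    src: Optional[str]            # None means "any"
    dst: Optional[str]
    dport: Optional[int]          # None means no "eq" qualifier

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.src is None or self.src == pkt.src)
                and (self.dst is None or self.dst == pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))


def _address(tokens, i):
    """Parse 'any' or 'host A.B.C.D' starting at tokens[i]; return (addr, next index)."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address form: {tokens[i]}")


def parse_acl(text: str):
    """Turn ACL lines into Rule objects; 'remark' lines are skipped."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        action, proto = tokens[0], tokens[1]
        proto_num = PROTOCOL_NAMES[proto] if proto in PROTOCOL_NAMES else int(proto)
        src, i = _address(tokens, 2)
        dst, i = _address(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":
            name = tokens[i + 1]
            dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        rules.append(Rule(action, proto_num, src, dst, dport))
    return rules


def evaluate(rules, pkt: Packet) -> str:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


HEADEND = "192.0.2.1"   # constructed placeholder for [IPSec Headend]

IPSEC_ACL = parse_acl(f"""
remark Allow VPN Traffic
permit udp any host {HEADEND} eq 500
permit udp any host {HEADEND} eq 4500
permit 50 any host {HEADEND}
permit 51 any host {HEADEND}
permit 47 any host {HEADEND}
permit 57 any host {HEADEND}
deny   ip any host {HEADEND}
""")

# Constructed sample flows from a remote peer towards the headend.
FLOWS = {
    "ike":   Packet(17, "198.51.100.7", HEADEND, 500),
    "nat-t": Packet(17, "198.51.100.7", HEADEND, 4500),
    "esp":   Packet(50, "198.51.100.7", HEADEND),
    "ah":    Packet(51, "198.51.100.7", HEADEND),
    "pptp":  Packet(6, "198.51.100.7", HEADEND, 1723),
    "l2tp":  Packet(17, "198.51.100.7", HEADEND, 1701),
}


def vpn_flow_results(rules=IPSEC_ACL, flows=FLOWS):
    """Map each sample flow name to the action the ACL takes on it."""
    return {name: evaluate(rules, pkt) for name, pkt in flows.items()}
```

Running vpn_flow_results() shows that the IPsec headend ACL permits IKE, NAT-T, ESP and AH but denies PPTP control (TCP 1723) and L2TP (UDP 1701); the first, broader access list in this post has to be used if those tunnels are also terminated there.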