HCIP-IERS Chapter 3 BGP Features and Configurations
Lab 3-6 BGP Troubleshooting
Learning Objectives
The objectives of this lab are to learn and understand:
How to troubleshoot a failure to establish a BGP peer relationship
How to use BGP debugging commands
Topology
Figure 3-6 BGP troubleshooting
Scenario
You are a network administrator of a company. The company's network uses BGP as
the routing protocol. This network consists of multiple ASs, and different branches
use different AS numbers. You have finished building the company's network. During
BGP configurations, you encountered many problems and have rectified all network
failures.
Tasks
Step 1 Set basic parameters and configure IP addresses.
Configure IP addresses and masks for physical interfaces and loopback interfaces of
all the routers. Each Loopback0 uses the 32-bit mask.
<R1>system-view
HUAWEI TECHNOLOGIES 419
Enter system view, return user view with Ctrl+Z.
[R1]interface Serial 1/0/0
[R1-Serial1/0/0]ip address 10.0.12.1 24
[R1-Serial1/0/0]quit
[R1]interface LoopBack 0
[R1-LoopBack0]ip address 10.0.1.1 32
[R1-LoopBack0]quit
[R2]interface Serial 1/0/0
[R2-Serial1/0/0]ip address 10.0.12.2 24
[R2-Serial1/0/0]quit
[R2]interface Serial 2/0/0
[R2-Serial2/0/0]ip address 10.0.23.2 24
[R2-Serial2/0/0]quit
[R2]interface LoopBack 0
[R2-LoopBack0]ip address 10.0.2.2 32
[R2-LoopBack0]quit
[R3]interface Serial 2/0/0
[R3-Serial2/0/0]ip address 10.0.23.3 24
[R3-Serial2/0/0]quit
[R3]interface LoopBack 0
[R3-LoopBack0]ip address 10.0.3.3 32
[R3-LoopBack0]quit
After the configurations are complete, test direct link connectivity.
[R2]ping -c 1 10.0.12.1
PING 10.0.12.1: 56 data bytes, press CTRL_C to break
Reply from 10.0.12.1: bytes=56 Sequence=1 ttl=255 time=40 ms
--- 10.0.12.1 ping statistics ---
1 packet(s) transmitted
1 packet(s) received
0.00% packet loss
round-trip min/avg/max = 40/40/40 ms
[R2]ping -c 1 10.0.23.3
PING 10.0.23.3: 56 data bytes, press CTRL_C to break
Reply from 10.0.23.3: bytes=56 Sequence=1 ttl=255 time=38 ms
--- 10.0.23.3 ping statistics ---
1 packet(s) transmitted
1 packet(s) received
0.00% packet loss
round-trip min/avg/max = 38/38/38 ms
The preceding command output shows that direct link connectivity is normal.
Step 2 Configure IGP and BGP.
Configure OSPF in AS 64512 and configure all devices to belong to Area 0. Configure
each router to use Loopback0 address as its router ID. Run OSPF on the network
segments connected to S1/0/0 and Loopback0 of R1.
[R1]router id 10.0.1.1
[R1]ospf 1
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]network 10.0.12.1 0.0.0.0
[R1-ospf-1-area-0.0.0.0]network 10.0.1.1 0.0.0.0
[R1-ospf-1-area-0.0.0.0]quit
[R1-ospf-1]quit
Run OSPF on the network segments connected to S1/0/0 and Loopback0 of R2.
[R2]router id 10.0.2.2
[R2]ospf 1
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]network 10.0.12.2 0.0.0.0
[R2-ospf-1-area-0.0.0.0]network 10.0.2.2 0.0.0.0
[R2-ospf-1-area-0.0.0.0]quit
[R2-ospf-1]quit
After the configurations are complete, check connectivity between Loopback0
addresses of R1 and R2.
[R1]ping -c 1 -a 10.0.1.1 10.0.2.2
PING 10.0.2.2: 56 data bytes, press CTRL_C to break
Reply from 10.0.2.2: bytes=56 Sequence=1 ttl=255 time=40 ms
--- 10.0.2.2 ping statistics ---
1 packet(s) transmitted
1 packet(s) received
0.00% packet loss
round-trip min/avg/max = 40/40/40 ms
Configure IBGP between R1 and R2 and EBGP between R2 and R3, and configure these
routers to establish BGP peer relationships using loopback interface addresses. To
ensure normal transmission of routing information, configure next-hop-local on R2
for the peer R1 (10.0.1.1). On R3, deliberately set the AS number of the peer
10.0.2.2 to the incorrect value 64514.
[R1]bgp 64512
[R1-bgp]peer 10.0.2.2 as-number 64512
[R1-bgp]quit
[R2]bgp 64512
[R2-bgp]peer 10.0.1.1 as-number 64512
[R2-bgp]peer 10.0.1.1 next-hop-local
[R2-bgp]peer 10.0.3.3 as-number 64513
[R2-bgp]quit
[R3]router id 10.0.3.3
[R3]bgp 64513
[R3-bgp]peer 10.0.2.2 as-number 64514
[R3-bgp]quit
Step 3 Troubleshoot the failure to establish BGP peer relationships.
After the configurations are complete, you can see that BGP peer relationships
between routers are not established. Check the BGP peer relationships of R2 first.
[R2]display bgp peer
BGP local router ID : 10.0.2.2
Local AS number : 64512
Total number of peers : 2 Peers in established state : 0
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.0.1.1 4 64512 0 0 0 00:05:36 Active 0
10.0.3.3 4 64513 0 0 0 00:05:21 Idle 0
The preceding command output shows that the State field of 10.0.1.1 displays
Active and the State field of 10.0.3.3 displays Idle. If a BGP peer relationship is
established normally, the State field displays Established. If the State field stays in
another state for a long period, a failure has occurred and needs to be rectified.
Generally, when the peer IP address is unreachable from the local router, the peer
status displays Idle; that is, the router does not even initiate a TCP connection to the
peer. When the peer IP address is reachable but an error occurs while the TCP
connection is being established, the peer status remains Active.
First check the BGP peer relationship between R2 and R3 and check connectivity
between loopback interface addresses of R2 and R3.
[R2]ping -c 1 -a 10.0.2.2 10.0.3.3
PING 10.0.3.3: 56 data bytes, press CTRL_C to break
Request time out
--- 10.0.3.3 ping statistics ---
1 packet(s) transmitted
0 packet(s) received
100.00% packet loss
The preceding command output shows that connectivity between loopback
interface addresses of R2 and R3 is abnormal.
Check the IP routing table of R2.
[R2]display ip routing-table
Route Flags: R - relay, D - download to fib
----------------------------------------------------------------------------
Routing Tables: Public
Destinations : 14 Routes : 14
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.0.1.1/32 OSPF 10 1562 D 10.0.12.1 Serial1/0/0
10.0.2.2/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.0.12.0/24 Direct 0 0 D 10.0.12.2 Serial1/0/0
10.0.12.1/32 Direct 0 0 D 10.0.12.1 Serial1/0/0
10.0.12.2/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.0.12.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.0.23.0/24 Direct 0 0 D 10.0.23.2 Serial2/0/0
10.0.23.2/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.0.23.3/32 Direct 0 0 D 10.0.23.3 Serial2/0/0
10.0.23.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32Direct 0 0 D 127.0.0.1 InLoopBack0
The preceding command output shows that there is no route to 10.0.3.3 of R3.
Check the IP routing table of R3.
[R3]display ip routing-table
Route Flags: R - relay, D - download to fib
----------------------------------------------------------------------------
Routing Tables: Public
Destinations : 9 Routes : 9
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.0.3.3/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.0.23.0/24 Direct 0 0 D 10.0.23.3 Serial2/0/0
10.0.23.2/32 Direct 0 0 D 10.0.23.2 Serial2/0/0
10.0.23.3/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.0.23.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32Direct 0 0 D 127.0.0.1 InLoopBack0
The preceding command output shows that there is no route to 10.0.2.2 of R2.
Between different ASs, static routes can be used to ensure connectivity between the
loopback interface addresses of neighboring routers.
On R2 and R3, configure static routes to the loopback interface addresses of R3 and
R2 respectively.
[R2]ip route-static 10.0.3.3 32 10.0.23.3
[R3]ip route-static 10.0.2.2 32 10.0.23.2
Check connectivity between R2 and R3.
[R2]ping -c 1 -a 10.0.2.2 10.0.3.3
PING 10.0.3.3: 56 data bytes, press CTRL_C to break
Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=255 time=30 ms
--- 10.0.3.3 ping statistics ---
1 packet(s) transmitted
1 packet(s) received
0.00% packet loss
round-trip min/avg/max = 30/30/30 ms
Check BGP peer relationships of R2.
[R2]display bgp peer
BGP local router ID : 10.0.12.2
Local AS number : 64512
Total number of peers : 2 Peers in established state : 0
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.0.1.1 4 64512 0 0 0 05:23:27 Active 0
10.0.3.3 4 64513 0 0 0 05:23:02 Active 0
The BGP peer relationship between R2 and R3 changes from Idle to Active state.
Now check the BGP peer relationship between R1 and R2. Connectivity between the
loopback interface addresses of R1 and R2 was already verified after OSPF was
configured. BGP uses TCP port 179 for communication, so check whether port 179 is
open on the routers.
On R1 and R2, check the TCP status.
[R1]display tcp status
TCPCB Tid/Soid Local Add:port Foreign Add:port VPNID State
194b9500 8 /2 0.0.0.0:22 0.0.0.0:0 23553 Listening
194b939c 8 /1 0.0.0.0:23 0.0.0.0:0 23553 Listening
194b90d4 106/1 0.0.0.0:80 0.0.0.0:0 0 Listening
194b9a90 234/2 0.0.0.0:179 10.0.2.2:0 0 Listening
194b9664 8 /3 0.0.0.0:830 0.0.0.0:0 23553 Listening
194b9238 6 /1 0.0.0.0:7547 0.0.0.0:0 0 Listening
[R2]display tcp status
TCPCB Tid/Soid Local Add:port Foreign Add:port VPNID State
1949a048 234/5 0.0.0.0:0 0.0.0.0:0 0 Closed
19499d80 8 /2 0.0.0.0:22 0.0.0.0:0 23553 Listening
19499c1c 8 /1 0.0.0.0:23 0.0.0.0:0 23553 Listening
19499954 106/1 0.0.0.0:80 0.0.0.0:0 0 Listening
1949a474 234/2 0.0.0.0:179 10.0.1.1:0 0 Listening
1949a310 234/4 0.0.0.0:179 10.0.3.3:0 0 Listening
19499ee4 8 /3 0.0.0.0:830 0.0.0.0:0 23553 Listening
19499ab8 6 /1 0.0.0.0:7547 0.0.0.0:0 0 Listening
The preceding command output shows that on each router port 179 is in Listening
state for the corresponding peer address, so BGP itself is running normally on each
router.
Run the debugging command on R1 to check whether R1 receives BGP packets sent
from R2.
<R1>terminal monitor
<R1>terminal debugging
<R1>debugging tcp packet
Dec 7 2011 10:08:16.620.1+00:00 R1 SOCKET/7/TCP PACKET:
TCP debug packet information:
1323252496: Input: no port,
(src = 10.0.12.2:52688,dst = 10.0.1.1:179,VrfIndex = 0,seq = 2254758724,
ack = 0,datalen = 0,optlen = 4,flag = SYN ,window = 16384,ttl = 0,tos = 0,MSS = 0)
Dec 7 2011 10:08:16.620.2+00:00 R1 SOCKET/7/TCP PACKET:
TCP debug packet information:
1323252496: Output: task = (0), socketid = 0,
(src = 10.0.1.1:179,dst = 10.0.12.2:52688,VrfIndex = 0,seq = 0,
ack = 2254758725,datalen = 0,optlen = 0,flag = ACK RST ,window = 0,ttl = 255,tos = 0,MSS = 0)
<R1>undo debugging all
Info: All possible debugging has been turned off
The preceding command output shows that the TCP SYN to destination port 179 has
the source address 10.0.12.2, and that R1 answers it with RST. After checking the
topology, you can see that 10.0.12.2 is the address of R2's Serial1/0/0.
The BGP peer was configured using the loopback interface address of R2 (10.0.2.2),
so R1 does not accept a connection from 10.0.12.2, and the BGP peer relationship
between R1 and R2 cannot be established. Therefore, you need to use
connect-interface to specify the loopback interface as the source address for the
BGP session.
Similarly, this problem also exists between R2 and R3, so configure connect-interface
there as well.
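The following Python script is an added example and not part of the lab guide. It applies the same check to the debugging tcp packet output above: it extracts the source address of each inbound SYN to port 179 and compares it with the addresses this router has peer statements for, which is how the mismatch between 10.0.12.2 and 10.0.2.2 was found. The sample records are the two packets R1 printed, each re-joined into a single string.

```python
import re
from dataclasses import dataclass

BGP_PORT = 179

# Constructed sample: the two packets from R1's "debugging tcp packet" output
# above, each joined into a single line so that one regex can match it.
SAMPLE_TCP_DEBUG = [
    "Input: no port, (src = 10.0.12.2:52688,dst = 10.0.1.1:179,VrfIndex = 0,"
    "seq = 2254758724,ack = 0,datalen = 0,optlen = 4,flag = SYN ,window = 16384,"
    "ttl = 0,tos = 0,MSS = 0)",
    "Output: task = (0), socketid = 0, (src = 10.0.1.1:179,dst = 10.0.12.2:52688,"
    "VrfIndex = 0,seq = 0,ack = 2254758725,datalen = 0,optlen = 0,flag = ACK RST ,"
    "window = 0,ttl = 255,tos = 0,MSS = 0)",
]

PKT_RE = re.compile(
    r"src = (?P<src>[\d.]+):(?P<sport>\d+),dst = (?P<dst>[\d.]+):(?P<dport>\d+)"
    r".*?flag = (?P<flags>[A-Z ]+?)\s*,"
)


@dataclass
class TcpPkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset


def parse_tcp_debug(lines):
    """Turn VRP 'debugging tcp packet' records into TcpPkt objects."""
    pkts = []
    for line in lines:
        m = PKT_RE.search(line)
        if m is None:
            continue  # not a packet record (timestamp or banner line)
        pkts.append(TcpPkt(m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                           frozenset(m["flags"].split())))
    return pkts


def diagnose_bgp_syns(pkts, configured_peers):
    """For every inbound SYN to port 179, report whether its source address is
    one of the addresses this router has a 'peer' statement for.

    Returns a list of (source_address, verdict), verdict being 'ok' or
    'source-mismatch'. A mismatch is the signature of a neighbour that was
    configured by its loopback address but still sources the TCP session from
    a physical interface; the fix is 'peer X connect-interface LoopBack0'."""
    findings = []
    for p in pkts:
        if p.dport != BGP_PORT or "SYN" not in p.flags or "ACK" in p.flags:
            continue  # only the initial SYN of each connection attempt
        verdict = "ok" if p.src in configured_peers else "source-mismatch"
        findings.append((p.src, verdict))
    return findings


def reset_sent_to(pkts, addr):
    """True if this router answered addr with a TCP RST, i.e. refused the session."""
    return any(p.dst == addr and "RST" in p.flags for p in pkts)


if __name__ == "__main__":
    pkts = parse_tcp_debug(SAMPLE_TCP_DEBUG)
    for src, verdict in diagnose_bgp_syns(pkts, {"10.0.2.2"}):  # R1's peer statement
        print(f"SYN from {src}: {verdict}, RST sent back: {reset_sent_to(pkts, src)}")
```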
[R1]bgp 64512
[R1-bgp]peer 10.0.2.2 connect-interface LoopBack 0
[R1-bgp]quit
[R2]bgp 64512
[R2-bgp]peer 10.0.1.1 connect-interface LoopBack 0
[R2-bgp]peer 10.0.3.3 connect-interface LoopBack 0
[R2-bgp]quit
[R3]bgp 64513
[R3-bgp]peer 10.0.2.2 connect-interface LoopBack 0
[R3-bgp]quit
After the modifications are complete, check BGP peer relationships of R2 again.
[R2]display bgp peer
BGP local router ID : 10.0.2.2
Local AS number : 64512
Total number of peers : 2 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.0.1.1 4 64512 16 17 0 00:14:18 Established 0
10.0.3.3 4 64513 0 0 0 00:14:35 Active 0
The preceding command output shows that the BGP peer relationship between R1
and R2 is in Established state.
Run the debugging command on R3 to check whether R3 receives any BGP packet
and check the content of the packet.
<R3>terminal monitor
<R3>terminal debugging
<R3>debugging ip packet
Dec 7 2011 10:51:44.30.5+00:00 R3 IP/7/debug_case:
Delivering, interface = S2/0/0, version = 4, headlen = 20, tos = 192,
pktlen = 40, pktid = 4752, offset = 0, ttl = 1, protocol = 6,
checksum = 36220, s = 10.0.2.2, d = 10.0.3.3
prompt: Packet is before IP_Reass before really deliver to up.
Dec 7 2011 10:51:44.30.6+00:00 R3 IP/7/debug_case:
Sending, interface = S2/0/0, version = 4, headlen = 20, tos = 0,
pktlen = 40, pktid = 9953, offset = 0, ttl = 255, protocol = 6,
checksum = 31722, s = 10.0.3.3, d = 10.0.2.2
prompt: Sending the packet from local at S2/0/0
<R3>undo debugging all
Info: All possible debugging has been turned off
The preceding command output shows that the TTL of the BGP packet received by
R3 is 1. For EBGP, the default TTL of packets sent from a router to its peer is 1.
In this scenario, R2 and R3 establish the BGP peer relationship using loopback
interface addresses, and there are two hops from the loopback interface address of
one router to that of the other. Therefore, the BGP packet is discarded because of
TTL expiry before it reaches the loopback interface address of R2.
To address this problem, increase the TTL of packets exchanged between the two
EBGP peers.
[R2]bgp 64512
[R2-bgp]peer 10.0.3.3 ebgp-max-hop 2
[R2-bgp]quit
[R3]bgp 64513
[R3-bgp]peer 10.0.2.2 ebgp-max-hop 2
[R3-bgp]quit
After the configurations are complete, check the BGP peer relationship of R2 again.
[R2]display bgp peer
BGP local router ID : 10.0.2.2
Local AS number : 64512
Total number of peers : 2 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.0.1.1 4 64512 3 4 0 00:01:34 Established 0
10.0.3.3 4 64513 0 1 0 00:00:44 Active 0
The preceding command output shows that the BGP peer relationship between R2
and R3 remains Active.
Check BGP errors on R3.
[R3]display bgp error
Error Type : Peer Error
Date/Time : 2011/12/07 11:24:37
Peer Address : 10.0.2.2
VRF Name : Public
Error Info : Incorrect remote AS
Error Type : Peer Error
Date/Time : 2011/12/07 11:25:09
Peer Address : 10.0.2.2
VRF Name : Public
Error Info : Incorrect remote AS
Error Type : Peer Error
Date/Time : 2011/12/07 11:25:41
Peer Address : 10.0.2.2
VRF Name : Public
Error Info : Incorrect remote AS
The preceding command output shows repeated "Incorrect remote AS" errors for the
peer 10.0.2.2. Run the debugging command to see the BGP message that carries this
error.
<R3>terminal debugging
<R3>debugging bgp packet verbose
Dec 7 2011 11:31:01.540.1+00:00 R3 RM/6/RMDEBUG:
BGP.Public: Err/SubErr: 2/2 Errdata: 41040000fc00
Identified in OPEN MSG from 10.0.2.2.
Dec 7 2011 11:31:01.540.2+00:00 R3 RM/6/RMDEBUG:
Dec 7 2011 11:31:01.540.3+00:00 R3 RM/6/RMDEBUG:
BGP.Public: Err/SubErr: 2/2 Errdata: 41040000fc00
Identified in OPEN MSG from 10.0.2.2.
The preceding command output shows error code 2 with suberror code 2, which
indicates an incorrect peer AS number in the OPEN message received from 10.0.2.2.
You need to change the peer AS number on R3.
[R3]bgp 64513
[R3-bgp]undo peer 10.0.2.2
[R3-bgp]peer 10.0.2.2 as-number 64512
[R3-bgp]peer 10.0.2.2 ebgp-max-hop 2
[R3-bgp]peer 10.0.2.2 connect-interface LoopBack0
[R3-bgp]quit
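The following Python script is an added example, not part of the lab guide. It decodes the Err/SubErr pair and the Errdata bytes from the debugging bgp packet verbose output above. It assumes that the Errdata is the capability TLV (code, length, value) taken from the peer's OPEN message; the bytes on this page decode exactly that way, with capability 65 (4-octet AS number) carrying AS 64512, the real AS of R2, which does not match the 64514 configured on R3.

```python
# BGP NOTIFICATION error codes (RFC 4271, section 4.5) and OPEN suberror codes.
ERROR_CODES = {
    1: "Message Header Error",
    2: "OPEN Message Error",
    3: "UPDATE Message Error",
    4: "Hold Timer Expired",
    5: "Finite State Machine Error",
    6: "Cease",
}
OPEN_SUBCODES = {
    1: "Unsupported Version Number",
    2: "Bad Peer AS",
    3: "Bad BGP Identifier",
    4: "Unsupported Optional Parameter",
    6: "Unacceptable Hold Time",
}
CAP_FOUR_OCTET_AS = 65  # capability code for 4-octet AS numbers (RFC 6793)

# Constructed sample, copied from the debug line R3 printed above.
SAMPLE_DEBUG = "BGP.Public: Err/SubErr: 2/2 Errdata: 41040000fc00"


def parse_debug_line(line):
    """Extract (error_code, suberror_code, errdata_bytes) from a VRP RMDEBUG line."""
    fields = line.split()
    err, suberr = fields[fields.index("Err/SubErr:") + 1].split("/")
    errdata = bytes.fromhex(fields[fields.index("Errdata:") + 1])
    return int(err), int(suberr), errdata


def describe_error(err, suberr):
    """Human-readable meaning of an error code / suberror code pair."""
    name = ERROR_CODES.get(err, f"unknown error code {err}")
    if err == 2:
        sub = OPEN_SUBCODES.get(suberr, f"unknown suberror {suberr}")
    else:
        sub = f"suberror {suberr}"
    return f"{name} / {sub}"


def parse_capabilities(data):
    """Parse a run of capability TLVs: 1-byte code, 1-byte length, value.
    Assumption of this example: the Errdata field holds such TLVs."""
    caps = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated capability header")
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated capability value")
        caps.append((code, value))
        i += 2 + length
    return caps


def peer_as_from_errdata(errdata):
    """AS number advertised in the 4-octet AS capability, or None if absent."""
    for code, value in parse_capabilities(errdata):
        if code == CAP_FOUR_OCTET_AS and len(value) == 4:
            return int.from_bytes(value, "big")
    return None


def check_bad_peer_as(line, configured_as):
    """Return (description, advertised_as, advertised_as == configured_as)."""
    err, suberr, errdata = parse_debug_line(line)
    advertised = peer_as_from_errdata(errdata)
    return describe_error(err, suberr), advertised, advertised == configured_as


if __name__ == "__main__":
    desc, adv, ok = check_bad_peer_as(SAMPLE_DEBUG, configured_as=64514)  # R3's wrong value
    print(f"{desc}: peer advertises AS {adv}, configured 64514 -> {'match' if ok else 'MISMATCH'}")
```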
Check the BGP peer relationship between R2 and R3.
[R2]display bgp peer
BGP local router ID : 10.0.2.2
Local AS number : 64512
Total number of peers : 2 Peers in established state : 2
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.0.1.1 4 64512 81 82 0 01:19:18 Established 0
10.0.3.3 4 64513 3 4 0 00:01:12 Established 0
Step 4 Configure BGP security.
BGP is often used in backbone networks, so BGP security is important: if a BGP
router is compromised, a large-scale network breakdown can result.
To prevent malicious users from spoofing legitimate routers and establishing BGP
peer relationships with your BGP routers, configure MD5 authentication between
BGP peers. Note that the simple keyword stores the password in plain text in the
configuration; use the cipher keyword in production.
Enable MD5 authentication between R1 and R2. First, deliberately configure
mismatched passwords: set the password to huawei on R1 and to 123 on R2, and
then observe how the BGP peer relationship changes.
[R1]bgp 64512
[R1-bgp]peer 10.0.2.2 password simple huawei
[R1-bgp]quit
[R2]bgp 64512
[R2-bgp]peer 10.0.1.1 password simple 123
[R2-bgp]quit
Reset the BGP peer relationship of R1. The following command output shows that
the peer relationship between R1 and R2 remains Connect and Active and cannot
enter the Established state.
<R1>reset bgp 10.0.2.2
[R1]display bgp peer
BGP local router ID : 10.0.1.1
Local AS number : 64512
Total number of peers : 1 Peers in established state : 0
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.0.2.2 4 64512 0 0 0 00:03:39 Connect 0
Change the password of R2 to huawei.
[R2]bgp 64512
[R2-bgp]undo peer 10.0.1.1 password
[R2-bgp]peer 10.0.1.1 password simple huawei
[R2-bgp]quit
Wait for about 30 seconds, and then check the peer relationship again.
[R2]display bgp peer
BGP local router ID : 10.0.2.2
Local AS number : 64512
Total number of peers : 2 Peers in established state : 2
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.0.1.1 4 64512 2 2 0 00:00:34 Established 0
10.0.3.3 4 64513 166 167 0 02:44:05 Established 0
The preceding command output shows that the peer relationship between R1 and
R2 has reached the Established state.
In this scenario, the administrator of AS 64512 does not want the routers in AS 64513
to see its real AS number.
The fake-as parameter serves this purpose: it specifies a fake AS number to present
to the peer.
Configure this command on R2 for the peer R3, with the fake AS number 100.
On R3, change the AS number configured for the BGP peer R2 accordingly.
[R2]bgp 64512
[R2-bgp]peer 10.0.3.3 fake-as 100
[R2-bgp]quit
[R3]bgp 64513
[R3-bgp]undo peer 10.0.2.2
[R3-bgp]peer 10.0.2.2 as-number 100
[R3-bgp]peer 10.0.2.2 ebgp-max-hop 2
[R3-bgp]peer 10.0.2.2 connect-interface LoopBack0
[R3-bgp]quit
Check the BGP peer of R3. The following command output shows that the AS
number of R2 changes to 100.
[R3]display bgp peer
BGP local router ID : 10.0.3.3
Local AS number : 64513
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.0.2.2 4 100 2 2 0 00:00:28 Established 0
On R2, advertise the network segment where its Loopback0 resides and observe the
AS_Path attribute of the BGP route learned from R3.
[R2]bgp 64512
[R2-bgp]network 10.0.2.2 32
[R2-bgp]quit
[R3]display bgp routing-table
BGP Local router ID is 10.0.3.3
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 1
Network NextHop MED LocPrf PrefVal Path/Ogn
10.0.2.2/32 10.0.2.2 0 0 100i
The preceding command output shows that the AS_Path attribute of the BGP route
10.0.2.2/32 learned from R3 is 100. That is, R3 considers that this route is originated
from AS 100. In this situation, AS 64512 is not displayed.
BGP also provides a security mechanism: Generalized TTL Security Mechanism
(GTSM). GTSM protects routers by checking whether the TTL value in the IP header is
within a specified range: if the TTL value of a received BGP packet is outside that
range, the packet is discarded. Both GTSM and ebgp-max-hop affect the TTL value of
sent BGP packets, so the two functions are mutually exclusive: you can enable only
one of them on a given peer or peer group.
In this scenario, enable GTSM on the link between R2 and R3 and observe the BGP
packet exchange. First, in the system view of R2, configure the default action to be
taken on BGP packets whose TTL value is not within the specified range. Here, set the
default action to drop, so that such packets are discarded.
[R2]gtsm default-action drop
In the BGP view of R2, specify R3's address as the peer address and enable GTSM.
Before performing this configuration, you need to delete the ebgp-max-hop
configuration. Because R2 and R3 are directly connected, set the valid-ttl-hops
parameter to 1.
[R2]bgp 64512
[R2-bgp]undo peer 10.0.3.3 ebgp-max-hop
[R2-bgp]peer 10.0.3.3 valid-ttl-hops 1
[R2-bgp]peer 10.0.1.1 valid-ttl-hops 1
[R2-bgp]quit
Perform the same operation on R1 and R3.
[R1]gtsm default-action drop
[R1]bgp 64512
[R1-bgp]peer 10.0.2.2 valid-ttl-hops 1
[R1-bgp]quit
[R3]gtsm default-action drop
[R3]bgp 64513
[R3-bgp]undo peer 10.0.2.2 ebgp-max-hop
[R3-bgp]peer 10.0.2.2 valid-ttl-hops 1
[R3-bgp]quit
Check the BGP peer relationship between R2 and R3.
[R3]dis bgp peer
BGP local router ID : 10.0.3.3
Local AS number : 64513
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.0.2.2 4 100 3 2 0 00:00:06 Established 1
On R3, observe the TTL value of BGP packets.
<R3>terminal monitor
<R3>terminal debugging
<R3>debugging ip packet
Dec 7 2011 16:34:51.10.1+00:00 R3 IP/7/debug_case:
Receiving, interface = S2/0/0, version = 4, headlen = 20, tos = 192,
pktlen = 59, pktid = 8820, offset = 0, ttl = 255, protocol = 6,
checksum = 32644, s = 10.0.2.2, d = 10.0.3.3
prompt: Receiving IP packet from S2/0/0
Dec 7 2011 16:34:51.10.2+00:00 R3 IP/7/debug_case:
Receiving, interface = Serial2/0/0, version = 4, headlen = 20, tos = 192,
pktlen = 59, pktid = 8820, offset = 0, ttl = 255, protocol = 6,
checksum = 32644, s = 10.0.2.2, d = 10.0.3.3
prompt: IP_ProcessByBoard Begin!
<R3>undo debugging all
Info: All possible debugging has been turned off
The preceding command output shows that the TTL value of packets received by R3
from R2 is 255 instead of the default value 1. To confirm that GTSM discards BGP
packets whose TTL value is not within the specified range, enable the GTSM log
function on R3 so that a log is recorded whenever GTSM discards a BGP packet.
[R3]gtsm log drop-packet all
Run the ebgp-max-hop command on R2 so that the TTL value of BGP packets sent
from R2 to R3 is less than 254 (with valid-ttl-hops 1, R3 accepts only TTL 255).
[R2]bgp 64512
[R2-bgp]undo peer 10.0.3.3 valid-ttl-hops
[R2-bgp]peer 10.0.3.3 ebgp-max-hop 253
[R2-bgp]quit
After waiting for a while, you can see from the following log that the BGP peer
relationship between R2 and R3 has gone to Idle state. Check GTSM statistics on R3:
the output shows that some BGP packets have been discarded by GTSM.
Dec 7 2011 16:48:34+00:00 R3 %%01BGP/3/STATE_CHG_UPDOWN(l)[4]:The status of the peer 10.0.2.2 changed
from ESTABLISHED to IDLE. (InstanceName=Public, StateChangeReason=Hold Timer Expired)
[R3]display gtsm statistics all
GTSM Statistics Table
----------------------------------------------------------------
SlotId Protocol Total Counters Drop Counters Pass Counters
----------------------------------------------------------------
0 BGP 83 27 56
0 OSPF 0 0 0
0 LDP 0 0 0
----------------------------------------------------------------
Run the following commands on R2 to restore the previous configuration. Wait for a
while and then check again whether BGP packets are still being discarded.
[R2]bgp 64512
[R2-bgp]undo peer 10.0.3.3 ebgp-max-hop
[R2-bgp]peer 10.0.3.3 valid-ttl-hops 1
[R2-bgp]quit
[R3]display gtsm statistics all
GTSM Statistics Table
----------------------------------------------------------------
SlotId Protocol Total Counters Drop Counters Pass Counters
----------------------------------------------------------------
0 BGP 89 27 62
0 OSPF 0 0 0
0 LDP 0 0 0
----------------------------------------------------------------
The preceding command output shows that the drop counter for BGP has not
increased (it remains 27), so no more BGP packets are being discarded.
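As an added example that is not part of the lab guide, the following Python script models the GTSM check exercised above: a packet passes only if its TTL lies in the range from 255 - valid-ttl-hops + 1 to 255, which is why TTL 255 passes and the TTL produced by ebgp-max-hop 253 is dropped. It also parses the two display gtsm statistics all snapshots from R3 and reports whether the BGP drop counter grew. The assumption that a router marks EBGP packets with TTL equal to its ebgp-max-hop value (and 255 when GTSM is enabled on the peer) is this example's own simplification, consistent with the values observed in this lab.

```python
MAX_TTL = 255

# Constructed samples: the two "display gtsm statistics all" tables from R3 above.
STATS_BEFORE = """\
GTSM Statistics Table
----------------------------------------------------------------
SlotId Protocol Total Counters Drop Counters Pass Counters
----------------------------------------------------------------
0 BGP 83 27 56
0 OSPF 0 0 0
0 LDP 0 0 0
----------------------------------------------------------------
"""
STATS_AFTER = STATS_BEFORE.replace("0 BGP 83 27 56", "0 BGP 89 27 62")


def gtsm_accepts(ttl, valid_ttl_hops):
    """GTSM check: accept only if ttl is within valid_ttl_hops of the maximum."""
    return MAX_TTL - valid_ttl_hops + 1 <= ttl <= MAX_TTL


def sent_ttl(gtsm_enabled, ebgp_max_hop=1):
    """TTL a router puts on EBGP packets: 255 when GTSM is enabled for the peer,
    otherwise the ebgp-max-hop value (default 1). Simplified model (assumption)."""
    return MAX_TTL if gtsm_enabled else ebgp_max_hop


def arriving_ttl(ttl_sent, router_hops):
    """TTL seen by the receiver after router_hops - 1 forwarding decrements
    (a directly connected neighbour sees the TTL unchanged)."""
    return ttl_sent - (router_hops - 1)


def peer_packet_accepted(sender_gtsm, sender_ebgp_max_hop, receiver_valid_ttl_hops,
                         router_hops=1):
    """Return (ttl_at_receiver, accepted_by_gtsm) for one sender/receiver setup."""
    ttl = arriving_ttl(sent_ttl(sender_gtsm, sender_ebgp_max_hop), router_hops)
    return ttl, gtsm_accepts(ttl, receiver_valid_ttl_hops)


def parse_gtsm_stats(text):
    """Map protocol name -> (total, drop, pass) from a VRP GTSM statistics table."""
    stats = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0].isdigit() and fields[2].isdigit():
            stats[fields[1]] = tuple(int(x) for x in fields[2:5])
    return stats


def new_drops(before_text, after_text, protocol="BGP"):
    """Number of packets GTSM dropped for protocol between the two snapshots."""
    before = parse_gtsm_stats(before_text)[protocol]
    after = parse_gtsm_stats(after_text)[protocol]
    return after[1] - before[1]


if __name__ == "__main__":
    print(peer_packet_accepted(True, 1, 1))      # (255, True): GTSM on both sides
    print(peer_packet_accepted(False, 253, 1))   # (253, False): ebgp-max-hop 253 on R2
    print(new_drops(STATS_BEFORE, STATS_AFTER))  # 0: no new drops after restoring
```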
----End
Additional Exercises: Analysis and Verification
What type of attacks is GTSM mainly used to defend against?
Can fake-as be used in a confederation?
Device Configurations
<R1>display current-configuration
[V200R007C00SPC600]
sysname R1
router id 10.0.1.1
gtsm default-action drop
interface Serial1/0/0
link-protocol ppp
ip address 10.0.12.1 255.255.255.0
interface LoopBack0
ip address 10.0.1.1 255.255.255.255
bgp 64512
peer 10.0.2.2 as-number 64512
peer 10.0.2.2 connect-interface LoopBack0
peer 10.0.2.2 password simple huawei
peer 10.0.2.2 valid-ttl-hops 1
ipv4-family unicast
undo synchronization
peer 10.0.2.2 enable
ospf 1 router-id 10.0.1.1
area 0.0.0.0
network 10.0.12.1 0.0.0.0
network 10.0.1.1 0.0.0.0
return
<R2>display current-configuration
[V200R007C00SPC600]
sysname R2
router id 10.0.2.2
gtsm default-action drop
acl number 2001
rule 5 permit source 10.0.2.2 0
interface Serial1/0/0
link-protocol ppp
ip address 10.0.12.2 255.255.255.0
interface Serial2/0/0
link-protocol ppp
ip address 10.0.23.2 255.255.255.0
interface LoopBack0
ip address 10.0.2.2 255.255.255.255
bgp 64512
peer 10.0.1.1 as-number 64512
peer 10.0.1.1 connect-interface LoopBack0
peer 10.0.1.1 password simple huawei
peer 10.0.1.1 valid-ttl-hops 1
peer 10.0.3.3 as-number 64513
peer 10.0.3.3 connect-interface LoopBack0
peer 10.0.3.3 fake-as 100
peer 10.0.3.3 valid-ttl-hops 1
ipv4-family unicast
undo synchronization
network 10.0.2.2 255.255.255.255
peer 10.0.1.1 enable
peer 10.0.1.1 next-hop-local
peer 10.0.3.3 enable
ospf 1 router-id 10.0.2.2
area 0.0.0.0
network 10.0.12.2 0.0.0.0
network 10.0.2.2 0.0.0.0
route-policy change_origin deny node 10
if-match acl 2001
apply origin egp 100
ip route-static 10.0.3.3 255.255.255.255 10.0.23.3
return
<R3>display current-configuration
[V200R007C00SPC600]
sysname R3
router id 10.0.3.3
gtsm default-action drop
gtsm log drop-packet all
interface Serial2/0/0
link-protocol ppp
ip address 10.0.23.3 255.255.255.0
interface LoopBack0
ip address 10.0.3.3 255.255.255.255
bgp 64513
peer 10.0.2.2 as-number 100
peer 10.0.2.2 connect-interface LoopBack0
peer 10.0.2.2 valid-ttl-hops 1
ipv4-family unicast
undo synchronization
peer 10.0.2.2 enable
ip route-static 10.0.2.2 255.255.255.255 10.0.23.2
return