oops, forgot to put OSL in Cc... Begin forwarded message:

> From: Christophe Lemaire <[email protected]>
> Subject: Re: [OSL | CCIE_RS] how to fake BGP AS #
> Date: 30 Nov 2011 15:09:30 GMT+01:00
> To: Mark Salmon <[email protected]>
>
> Here is an example. If you have a VoIP vrf that you initially wanted
> to be isolated from the rest of the network. Then Cisco sales come
> with Unified Communication, soft-phone and so on... The isolated VoIP
> vrf now needs to communicate with the softphones, the Exchange servers,
> etc. in another vrf. If you want to keep these vrfs more or less
> isolated from each other, you have to connect the vrfs through a
> firewall... (Remember security guys don't trust import/export as a
> security feature)
>
> I've already implemented this kind of setup. The trick is to change
> the AS with "remote-as x" and "local-as y no-prepend replace-as" and
> to change the BGP router id per vrf (hard-coded or auto-assigned as
> Matthew did).
>
> Regards,
> Christophe Lemaire
>
> Network & Security consultant
> exp-Networks sprl
> Tel: +32 (0)497 73 00 47
> Fax: +32 (0)70 40 23 32
> E-mail: [email protected]
>
> On Fri, Nov 25, 2011 at 3:24 PM, Mark Salmon <[email protected]> wrote:
>> Matt I was asking the same question. I cannot think of an instance (I have
>> not yet seen it in ipexpert labs) when one will need to peer with oneself.
>>
>> On Nov 25, 2011, at 2:39 AM, Matt Hill <[email protected]> wrote:
>>
>>> Why are you trying to do this?
>>>
>>> Do you have other interfaces in each VRF? Are there customers who
>>> only need to see their own prefixes and not the other? Why can't you
>>> talk to Mr AS{2|3} and just tell them your ASN is X?
>>>
>>> Cheers,
>>> Matt
>>>
>>> CCIE #22386
>>> CCSI #31207
>>>
>>> On 25 November 2011 15:56, Amir Khalili <[email protected]> wrote:
>>>> Thanks for your responses - however this is what I am trying to achieve:
>>>>
>>>> using a single router - single BGP process - peering the vrfs using the in-vrf
>>>> bgp router-id feature. This is possible when you use iBGP;
>>>> however, in some cases, you will need to use eBGP -
>>>>
>>>> ip vrf red
>>>>  rd 1:1
>>>> !
>>>> ip vrf blue
>>>>  rd 1:2
>>>> !
>>>> interface Loopback1
>>>>  ip vrf forwarding red
>>>>  ip address 1.1.1.1 255.255.255.255
>>>> !
>>>> interface Loopback2
>>>>  ip vrf forwarding blue
>>>>  ip address 2.2.2.2 255.255.255.255
>>>> !
>>>> router bgp 1
>>>>  !
>>>>  address-family ipv4 vrf red
>>>>   bgp router-id 1.1.1.1
>>>>   neighbor 2.2.2.2 remote-as 2
>>>>  !
>>>>  address-family ipv4 vrf blue
>>>>   bgp router-id 2.2.2.2
>>>>   neighbor 1.1.1.1 remote-as 3
>>>>
>>>> in the above you will need to fake the AS and send it to the peer!! is it
>>>> possible in cisco?
>>>>
>>>> Cheers
>>>> Amir
>>>>
>>>> On Thu, Nov 24, 2011 at 4:57 PM, Matthew Mengel <[email protected]> wrote:
>>>>
>>>>> Assuming that the attached image is what you are trying to do, sure.
>>>>>
>>>>> R1:
>>>>>
>>>>> ip vrf BLUE
>>>>>  rd 1:1
>>>>> !
>>>>> ip vrf RED
>>>>>  rd 101:1
>>>>> !
>>>>> interface Loopback0
>>>>>  ip address 1.1.1.1 255.255.255.0
>>>>> !
>>>>> interface FastEthernet0/0
>>>>>  ip vrf forwarding BLUE
>>>>>  ip address 10.2.2.1 255.255.255.0
>>>>> !
>>>>> interface FastEthernet0/1
>>>>>  ip vrf forwarding RED
>>>>>  ip address 10.3.3.1 255.255.255.0
>>>>> !
>>>>> router bgp 1
>>>>>  no bgp default ipv4-unicast
>>>>>  bgp log-neighbor-changes
>>>>>  !
>>>>>  address-family ipv4 vrf RED
>>>>>   neighbor 10.3.3.3 remote-as 3
>>>>>   neighbor 10.3.3.3 local-as 101
>>>>>   neighbor 10.3.3.3 activate
>>>>>   no synchronization
>>>>>  exit-address-family
>>>>>  !
>>>>>  address-family ipv4 vrf BLUE
>>>>>   neighbor 10.2.2.2 remote-as 2
>>>>>   neighbor 10.2.2.2 activate
>>>>>   no synchronization
>>>>>  exit-address-family
>>>>> !
>>>>>
>>>>> R2:
>>>>>
>>>>> !
>>>>> interface Loopback0
>>>>>  ip address 2.2.2.2 255.255.255.255
>>>>> !
>>>>> interface FastEthernet0/0
>>>>>  ip address 10.2.2.2 255.255.255.0
>>>>> !
>>>>> router bgp 2
>>>>>  no synchronization
>>>>>  bgp log-neighbor-changes
>>>>>  network 2.2.2.2 mask 255.255.255.255
>>>>>  neighbor 10.2.2.1 remote-as 1
>>>>>  no auto-summary
>>>>> !
>>>>>
>>>>> R3:
>>>>>
>>>>> !
>>>>> interface Loopback0
>>>>>  ip address 3.3.3.3 255.255.255.255
>>>>> !
>>>>> interface FastEthernet0/1
>>>>>  ip address 10.3.3.3 255.255.255.0
>>>>> !
>>>>> router bgp 3
>>>>>  no synchronization
>>>>>  bgp log-neighbor-changes
>>>>>  network 3.3.3.3 mask 255.255.255.255
>>>>>  neighbor 10.3.3.1 remote-as 101
>>>>>  no auto-summary
>>>>> !
>>>>>
>>>>> You see the routes in the VRFs and in the VPNv4 address-family:
>>>>>
>>>>> R1#sho ip bgp vpnv4 all
>>>>> BGP table version is 5, local router ID is 1.1.1.1
>>>>> Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
>>>>>               r RIB-failure, S Stale
>>>>> Origin codes: i - IGP, e - EGP, ? - incomplete
>>>>>
>>>>>    Network          Next Hop            Metric LocPrf Weight Path
>>>>> Route Distinguisher: 1:1 (default for vrf BLUE)
>>>>> *> 2.2.2.2/32       10.2.2.2                 0             0 2 i
>>>>> Route Distinguisher: 101:1 (default for vrf RED)
>>>>> *> 3.3.3.3/32       10.3.3.3                 0             0 101 3 i
>>>>>
>>>>> Note that the route in the RED VRF includes the AS for the local-as in the
>>>>> path.
>>>>>
>>>>> Matthew
>>>>>
>>>>> On Fri, Nov 25, 2011 at 10:08 AM, Amir Khalili <[email protected]> wrote:
>>>>>
>>>>>> Thanks guys. I am using address family under the same process.
>>>>>> Trying to peer using a diff AS number. Kind of eBGP approach. Would
>>>>>> local AS serve the purpose?
>>>>>>
>>>>>> On 11/24/11, Matthew Mengel <[email protected]> wrote:
>>>>>>> Not sure if the firewall or the VRF are really important (just as to
>>>>>>> whether you are needing to use address-family or not).
>>>>>>>
>>>>>>> Also, not exactly sure what you mean by "fake" an AS. However, if what you
>>>>>>> mean is that you have a situation where RouterB is expecting to peer with
>>>>>>> AS 5, but you are running AS 1:
>>>>>>>
>>>>>>> RouterB#sho run | sec bgp
>>>>>>> router bgp 2
>>>>>>>  no synchronization
>>>>>>>  bgp log-neighbor-changes
>>>>>>>  neighbor 10.0.0.1 remote-as 5
>>>>>>>  no auto-summary
>>>>>>>
>>>>>>> You can masquerade as AS 5 while remaining configured as AS 1 using the
>>>>>>> "local-as" command:
>>>>>>>
>>>>>>> RouterA#sho run | sec bgp
>>>>>>> router bgp 1
>>>>>>>  no synchronization
>>>>>>>  bgp log-neighbor-changes
>>>>>>>  neighbor 10.0.0.2 remote-as 2
>>>>>>>  neighbor 10.0.0.2 local-as 5
>>>>>>>  no auto-summary
>>>>>>>
>>>>>>> If, however, you mean that you have two VRFs on the same router, hairpinned
>>>>>>> through a firewall, then I think you are sunk, as this uses
>>>>>>> address-families under the bgp process, and unless I am mistaken, it is one
>>>>>>> process with one AS per router.
>>>>>>>
>>>>>>> M.
>>>>>>>
>>>>>>> On Fri, Nov 25, 2011 at 8:09 AM, Amir Khalili <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hello
>>>>>>>>
>>>>>>>> How can we fake the AS # for a bgp neighbor to make an eBGP peer? This is using
>>>>>>>> the in-vrf bgp router-id in a vrf.
>>>>>>>>
>>>>>>>> BGP vrf A -> FW -> BGP vrf B ( eBGP peer )
>>>>>>>>
>>>>>>>> Cheers
>>>>>>>> Amir
>>>>>>>> _______________________________________________
>>>>>>>> For more information regarding industry leading CCIE Lab training, please
>>>>>>>> visit www.ipexpert.com
>>>>>>>>
>>>>>>>> Are you a CCNP or CCIE and looking for a job? Check out
>>>>>>>> www.PlatinumPlacement.com
>>>>>>>>
>>>>>>>> To Unsubscribe from this list please visit the following link and follow
>>>>>>>> the directions to unsubscribe.
>>>>>>>> http://onlinestudylist.com/mailman/listinfo/ccie_rs
>>>>>>>
>>>>>>> --
>>>>>>> Matthew Mengel
>>>>>>> [email protected]
>>>>>>
>>>>>> --
>>>>>> Sent from my mobile device
>>>>>
>>>>> --
>>>>> Matthew Mengel
>>>>> [email protected]
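An added example, not code from the thread or from Cisco: a small Python model of the documented IOS `local-as` / `no-prepend` / `replace-as` rules discussed above. It reproduces the `101 3` path Matthew saw in vrf RED and shows why Christophe's `replace-as` is what lets two VRFs of the same AS 1 router accept each other's routes across the firewall hairpin (without it the real ASN lands in the AS_PATH and the eBGP loop check drops the route). The class and function names are this example's own, and the loop check is assumed to test only the real ASN.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Speaker:
    """One BGP speaker (or one VRF of one) on a single eBGP session."""
    real_as: int
    local_as: Optional[int] = None  # "neighbor ... local-as Y"
    no_prepend: bool = False        # "... no-prepend": keep Y off received paths
    replace_as: bool = False        # "... replace-as": send "Y ..." not "Y real ..."


def advertise(s: Speaker, as_path: List[int]) -> List[int]:
    """AS_PATH placed on an UPDATE sent to the eBGP peer (documented IOS rules)."""
    if s.local_as is None:
        return [s.real_as] + as_path
    if s.replace_as:
        return [s.local_as] + as_path
    return [s.local_as, s.real_as] + as_path


def receive(s: Speaker, as_path: List[int]) -> Optional[List[int]]:
    """AS_PATH kept in the receiving table, or None when loop-detected."""
    if s.real_as in as_path:        # eBGP loop check; assumed to test real ASN only
        return None
    if s.local_as is not None and not s.no_prepend:
        as_path = [s.local_as] + as_path
    return as_path


def lab_red_vrf() -> Optional[List[int]]:
    """Matthew's lab: R3 (AS 3) -> R1 vrf RED (AS 1, local-as 101)."""
    r3, red = Speaker(3), Speaker(1, local_as=101)
    return receive(red, advertise(r3, []))      # [101, 3], as in "sho ip bgp vpnv4"


def hairpin(replace_as: bool) -> Optional[List[int]]:
    """Christophe's setup: vrf RED -> firewall -> vrf BLUE, both in the same
    AS 1 router, each side using local-as no-prepend [replace-as]."""
    red = Speaker(1, local_as=101, no_prepend=True, replace_as=replace_as)
    blue = Speaker(1, local_as=102, no_prepend=True, replace_as=replace_as)
    return receive(blue, advertise(red, [3]))   # [3]: route learned from R3


def seen_by_outside_peer() -> List[int]:
    """Path an external AS 2 peer of vrf BLUE sees after the hairpin: the
    real ASN 1 is absent, so the AS_PATH no longer reveals it is one box."""
    blue = Speaker(1, local_as=102, no_prepend=True, replace_as=True)
    return advertise(blue, hairpin(True) or [])
```

Because `replace-as` removes the real ASN from every path, the firewall between the VRFs, not AS_PATH loop prevention, is the only control keeping them apart, which is the point Christophe makes about not treating import/export as a security feature.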
