Tuesday, May 7, 2013

Fortinet-2-Cisco BGP configuration with 4-byte ASN

In this post, we will look at a very basic BGP configuration using a 4-byte ASN between a Cisco router and a Fortinet firewall. The configuration is straightforward and simple regardless of whether you're using a 2- or 4-byte ASN.

1st, what is a 4-byte ASN?

Simple: the internet was originally built around a 2-byte ASN number format (1-65535). If you remember the heyday of the "wild west internet" and the big push from all of the new networks that joined the internet backbone around the late 90s / early 2000s, the internet community soon realized that we would exhaust these AS numbers very quickly if the demand stayed high.

So the internet community and vendors made a big dash and rush to come up with a fix, and that was to increase the available AS numbers from 65535 to over 4 billion (1 - 4,294,967,296). This increase would sustain us until IPv6 is exhausted, and for at least 40+ years by some experts' opinions.

So 4-byte ASNs pose a few issues to be aware of;
  • asdot or asplain (i.e. 200.3 vs 13107203)
  • BGP regex or as-path filters breaking (e.g. show ip bgp regex _'200.3'_ would not match 200.3 but _'200\.3'_ would be fine)
  • relearning how to convert an ASN from decimal (asplain) to dot (asdot) or vice-versa (education)
  • human error is increased due to more digits and more potential for mistakes
  • peering with devices that don't support 4-byte ASNs
  • and so on......
Also, in my experience almost all BGP devices support 4-byte ASNs. Here's a simple compiled list of vendors that I'm aware are 4-byte ASN enabled:


  • cisco
  • fortinet
  • juniper
  • huawei
  • brocade
  • vyatta
  • pfSense 
  • OpenBGPd
  • adtran
  • HP-Networking


Okay, now that we have that out of the way, let's move on to the meat of this post. We will peer 2 BGP speakers (a Cisco ISR running IOS 15.1.X and a FortiGate 200A) using a 4-byte ASN.

1st, the FortiGate;



And now the config details;



 
Okay, simple: we set the AS number for the firewall, define the interface that does BGP, and the neighbor with its remote-as. I'm advertising my local LAN 192.168.254.0/24.

The BGP command to see your neighbor details;




And for comparison, here's the Cisco equivalent;


router3825#show ip bgp neighbors
BGP neighbor is 198.200.10.2,  remote AS 1.30, external link
  BGP version 4, remote router ID 198.200.10.2
  BGP state = Established, up for 00:29:23
  Last read 00:00:39, last write 00:00:05, hold time is 180, keepalive interval is 60 seconds
  Neighbor sessions:
    1 active, is not multisession capable (disabled)
  Neighbor capabilities:
    Route refresh: advertised and received(new)
    Four-octets ASN Capability: advertised and received
    Address family IPv4 Unicast: advertised and received
    Address family IPv6 Unicast: received
    Multisession Capability:
  Message statistics:
    InQ depth is 0
    OutQ depth is 0

                         Sent       Rcvd
    Opens:                  1          1
    Notifications:          0          0
    Updates:                5          6
    Keepalives:            32         32
    Route Refresh:          1          0
    Total:                 39         39
  Default minimum time between advertisement runs is 30 seconds

 For address family: IPv4 Unicast
  Session: 198.200.10.2
  BGP table version 7, neighbor version 7/0
  Output queue size : 0
  Index 2, Advertise bit 0
  2 update-group member
  Outbound path policy configured
  Route map for outgoing advertisements is addmetrics
  Slow-peer detection is disabled
  Slow-peer split-update-group dynamic is disabled
                                 Sent       Rcvd
  Prefix activity:               ----       ----
    Prefixes Current:               3          1 (Consumes 56 bytes)
    Prefixes Total:                 6          6
    Implicit Withdraw:              3          5
    Explicit Withdraw:              0          0
    Used as bestpath:             n/a          1
    Used as multipath:            n/a          0

                                   Outbound    Inbound
  Local Policy Denied Prefixes:    --------    -------
    Bestpath from this peer:              3        n/a
    Total:                                3          0
  Number of NLRIs in the update sent: max 3, min 0
  Last detected as dynamic slow peer: never
  Dynamic slow peer recovered: never

  Address tracking is enabled, the RIB does have a route to 198.200.10.2
  Connections established 1; dropped 0
  Last reset never
  Transport(tcp) path-mtu-discovery is enabled
  Graceful-Restart is disabled
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Connection is ECN Disabled, Mininum incoming TTL 0, Outgoing TTL 1
Local host: 198.200.10.1, Local port: 12149
Foreign host: 198.200.10.2, Foreign port: 179
Connection tableid (VRF): 0
Maximum output segment queue size: 50

Enqueued packets for retransmit: 0, input: 0  mis-ordered: 0 (0 bytes)

Event Timers (current time is 0x2043B0):
Timer          Starts    Wakeups            Next
Retrans            38          0             0x0
TimeWait            0          0             0x0
AckHold            40         37             0x0
SendWnd             0          0             0x0
KeepAlive           0          0             0x0
GiveUp              0          0             0x0
PmtuAger          947        946        0x20449A
DeadWait            0          0             0x0
Linger              0          0             0x0
ProcessQ            0          0             0x0

iss: 1387821271  snduna: 1387822215  sndnxt: 1387822215
irs:  864367026  rcvnxt:  864368030

sndwnd:   5840  scale:      0  maxrcvwnd:  16384
rcvwnd:  15381  scale:      0  delrcvwnd:   1003

SRTT: 994 ms, RTTO: 1046 ms, RTV: 52 ms, KRTT: 0 ms
minRTT: 0 ms, maxRTT: 1000 ms, ACK hold: 200 ms
Status Flags: active open
Option Flags: nagle, path mtu capable
IP Precedence value : 6

Datagrams (max data segment is 1460 bytes):
Rcvd: 77 (out of order: 0), with data: 39, total data bytes: 1003
Sent: 78 (retransmit: 0, fastretransmit: 0, partialack: 0, Second Congestion: 0), with data: 39, total data bytes: 943
 Packets received in fast path: 0, fast processed: 0, slow path: 0
 fast lock acquisition failures: 0, slow path: 0

router3825#


Key points up to this point;
  • BGP is simple to configure regardless of 2/4-byte AS numbers
  • FGTs are multi-protocol BGP speakers (AFI/SAFI)
  • Neighbor capabilities are sent in the BGP OPEN messages and negotiated between peers
  • conversion of a BGP ASN to asdot requires a little bit of math, but it's not that hard
Now for the last part: some have claimed negotiation issues with Fortinet vs Cisco, but I haven't run into any issues that require negotiation to be disabled or not enforced.
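The capability negotiation in the key points above happens inside the BGP OPEN message, and it is what the Cisco output reports as "Four-octets ASN Capability: advertised and received". The following is an added example, not code from the post or from either vendor: it builds an OPEN carrying the four-octet AS capability (code 65, RFC 6793) and the multiprotocol capability (code 1, RFC 4760) and then parses it back, showing why a 4-byte ASN travels as AS_TRANS (23456) in the 2-byte "My AS" field. The router IDs and hold times are constructed sample values; 65566 is the post's asdot 1.30 in asplain.

```python
"""Added example (not from the post): build and parse a BGP OPEN message that
carries the Four-octet AS capability (code 65, RFC 6793) and the multiprotocol
capability (code 1, RFC 4760).  All addresses, ASNs and hold times below are
constructed sample values."""
import struct

AS_TRANS = 23456        # 2-byte stand-in for a 4-byte ASN (RFC 6793)
CAP_MP_EXT = 1          # multiprotocol extensions capability (AFI/SAFI)
CAP_FOUR_OCTET_AS = 65  # four-octet AS number capability
OPEN_TYPE = 1
MARKER = b"\xff" * 16


def build_open(asn, hold_time, router_id, afi_safi=((1, 1),), four_octet=True):
    """Encode an OPEN.  'My AS' is a 2-byte field, so a 4-byte ASN is sent as
    AS_TRANS there and the real value rides inside capability 65."""
    caps = b""
    for afi, safi in afi_safi:
        caps += struct.pack("!BBHBB", CAP_MP_EXT, 4, afi, 0, safi)
    if four_octet:
        caps += struct.pack("!BBI", CAP_FOUR_OCTET_AS, 4, asn)
    elif asn > 65535:
        raise ValueError("a 4-byte ASN needs the four-octet capability")
    opt_params = struct.pack("!BB", 2, len(caps)) + caps  # param type 2 = capabilities
    my_as = asn if asn <= 65535 else AS_TRANS
    rid = bytes(int(octet) for octet in router_id.split("."))
    body = struct.pack("!BHH4sB", 4, my_as, hold_time, rid, len(opt_params)) + opt_params
    return MARKER + struct.pack("!HB", 19 + len(body), OPEN_TYPE) + body


def _tlvs(buf):
    """Yield (type, value) pairs from 1-byte type / 1-byte length TLVs, refusing
    lengths that run past the buffer instead of silently truncating."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated TLV header")
        t, ln = buf[i], buf[i + 1]
        if i + 2 + ln > len(buf):
            raise ValueError("TLV length runs past buffer")
        yield t, buf[i + 2:i + 2 + ln]
        i += 2 + ln


def parse_open(msg):
    """Decode an OPEN into the peer's effective ASN, hold time and AFI/SAFI list."""
    if len(msg) < 29 or msg[:16] != MARKER:
        raise ValueError("bad marker or message too short for OPEN")
    length, msg_type = struct.unpack("!HB", msg[16:19])
    if msg_type != OPEN_TYPE or length != len(msg):
        raise ValueError("not a well-formed OPEN")
    version, my_as, hold, rid, opt_len = struct.unpack("!BHH4sB", msg[19:29])
    if 29 + opt_len != len(msg):
        raise ValueError("optional parameter length does not match message")
    info = {"version": version, "my_as": my_as, "hold_time": hold,
            "router_id": ".".join(str(b) for b in rid),
            "four_octet_as": None, "afi_safi": []}
    for ptype, pdata in _tlvs(msg[29:]):
        if ptype != 2:
            continue
        for code, value in _tlvs(pdata):
            if code == CAP_FOUR_OCTET_AS and len(value) == 4:
                info["four_octet_as"] = struct.unpack("!I", value)[0]
            elif code == CAP_MP_EXT and len(value) == 4:
                afi, _, safi = struct.unpack("!HBB", value)
                info["afi_safi"].append((afi, safi))
    # A peer that did not send capability 65 is a 2-byte speaker: trust 'My AS'.
    info["effective_as"] = my_as if info["four_octet_as"] is None else info["four_octet_as"]
    return info


if __name__ == "__main__":
    sample = build_open(65566, 180, "198.200.10.2", afi_safi=((1, 1), (2, 1)))
    print(parse_open(sample))
```

When the decoded `four_octet_as` is absent the peer is a 2-byte-only speaker, which is exactly the case where a 4-byte ASN must be represented to it as AS_TRANS; a parser that stops at the "My AS" field would report 23456 as the neighbor's AS.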

You can monitor this with the Cisco "debug ip bgp event" or FortiGate "debug ip router bgp" commands.




Both will show you errors such as negotiation failures (above) or a bad password or AS number (below).


Okay, moving onwards: the FortiGate allows for path manipulation via route-map in the same fashion as Cisco, or just about;




Any changes will require a soft clear.




More examples of manipulation with communities and path prepending;



The Cisco configuration is very simple for this project:

config t
router bgp 1.29
 ! display and accept AS numbers in asdot form
 bgp asnotation dot
 bgp router-id 198.200.10.1
 ! the FortiGate peer, remote AS 1.30 (65566 in asplain)
 neighbor 198.200.10.2 remote-as 1.30
end


Okay, so now let's wrap up and look at some asplain (decimal) to asdot (dot) conversions. Yes, the latter has a dot in the ASN representation, but it's not that hard to figure out.

Here's a classic: AT&T's ASN 7018 in asdot (0.7018). Okay, I will admit that's an easy one. Any legacy 2-byte ASN maps into 4-byte asdot with no problems. Here's legacy UUNET's ASN 701 (0.701) and here's Cogent's (0.174).

Okay, simple? Yep, you bet'cha!

Now let's up the ante: we will convert ASN 100000 to asdot notation.

1st, divide 100000 by 65536 = 1.52 blah blah blah. So we know it contains at least one 65536, so that number (1) goes to the left of the dot (1.XXXX). To fill in the value of XXXX we now subtract 65536 from the main number: 100000 - 65536 = 34464.

So now the asdot representation = 1.34464

Okay, now let's take our Cisco example asdot 1.30 and convert it to asplain.

1st 

1 x 65536 (leftmost of the dot) = 65536

2nd 

add the rightmost digits to the leftmost and we now have 65536 + 30 = 65566.

Okay, are you confused?


Okay, take a deep breath. Let's do one more; here's an ASN that I did some consulting for, and a firm that I peered with. ASN: 130120, an APNIC 4-byte ASN.

Let's convert this one to asdot.

1st

130120 / 65536 = 1.98 blah blah blah

so the leftmost value = 1

2nd

Now subtract 65536 from the main number

130120 - 65536 =  64584

Now we get the asdot notation of 1.64584

I hope you found this posting useful :)
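The three conversions worked above (100000, 1.30 and 130120) and the regex caveat from the issues list near the top are the same arithmetic and the same escaping rule every time, so here they are as an added example in Python, not code from the post or from my spreadsheet. The dotted form always keeps the high half, 0.7018 style, the way this post writes it (RFC 5396 calls that asdot+). The AS-path used for the regex check is a constructed sample, and `as_path_matches` only approximates Cisco's `_` boundary anchor.

```python
"""Added example (not from the post): asplain <-> asdot conversion for 4-byte
BGP AS numbers, and a check of how an unescaped dot behaves in an AS-path
regex.  Sample ASNs are the post's own (7018, 701, 174, 200.3, 100000, 1.30,
130120); the AS-path string is constructed."""
import re

AS_MAX = 4_294_967_295   # 2**32 - 1, the largest 4-byte AS number
HALF = 65536             # 2**16, the divisor used for the dotted form


def asplain_to_asdot(asn: int) -> str:
    """100000 -> '1.34464': high half left of the dot, remainder right of it."""
    if not 0 <= asn <= AS_MAX:
        raise ValueError(f"ASN {asn} is outside the 4-byte range 0..{AS_MAX}")
    high, low = divmod(asn, HALF)
    return f"{high}.{low}"


def asdot_to_asplain(text: str) -> int:
    """'1.30' -> 65566; a bare decimal such as '7018' is returned unchanged."""
    text = text.strip()
    if "." not in text:
        value = int(text)
    else:
        high_s, low_s = text.split(".", 1)
        high, low = int(high_s), int(low_s)
        if not (0 <= high < HALF and 0 <= low < HALF):
            raise ValueError(f"{text!r}: each half of asdot must be 0..65535")
        value = high * HALF + low
    if not 0 <= value <= AS_MAX:
        raise ValueError(f"{text!r} is outside the 4-byte range")
    return value


# Cisco AS-path regex: '_' matches a path boundary (start, end, space, comma,
# braces, parentheses).  Everything else is ordinary regex syntax, which is
# why the dot inside an asdot ASN must be escaped to be taken literally.
_CISCO_UNDERSCORE = r"(?:^|$|[\s,{}()])"


def as_path_matches(cisco_pattern: str, as_path: str) -> bool:
    """Approximate 'show ip bgp regexp' matching against one AS-path string."""
    return re.search(cisco_pattern.replace("_", _CISCO_UNDERSCORE), as_path) is not None


if __name__ == "__main__":
    for asn in (7018, 701, 174, 100000, 130120):
        print(f"{asn:>10} asplain -> {asplain_to_asdot(asn)} asdot")
    for dotted in ("1.30", "200.3", "1.64584"):
        print(f"{dotted:>10} asdot   -> {asdot_to_asplain(dotted)} asplain")
    path = "1.29 20013 0.7018"   # constructed AS-path; 20013 is a plain 2-byte ASN
    print("_200.3_  also matches 20013:", as_path_matches(r"_200.3_", path))
    print("_200\\.3_ matches only 200.3:", as_path_matches(r"_200\.3_", path))
```

The regex check makes the filter-breaking point concrete: with the dot unescaped, a pattern written for asdot 200.3 also hits the unrelated 2-byte ASN 20013, so an as-path filter can accept or deny the wrong prefixes; escaping the dot restores the intended match.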


       ^   ^
=  ( *    * ) =
          o


Link to my Google Doc asdot2asplain conversion XLS, and online converters & 4-byte AS tracking:

https://docs.google.com/file/d/0B_nMtQiwB-DpQjB1MzE5bnRzVTA/edit?usp=sharing

http://labs.spritelink.net/ascalc

http://www.potaroo.net/tools/asn32/


chart of 4-byte allocation authorities





note: Older FortiOS code does not support 4-byte ASNs;


FortiWiFi-60 # config router bgp

FortiWiFi-60 (bgp) # set as
<integer>    valid AS number: 1-65535; 0 to disable BGP


FortiWiFi-60 (bgp) # end

FortiWiFi-60 # get sys status
Version: FortiWiFi-60 3.00,build0730,080919
Virus-DB: 8.00631(2008-01-15 14:27)
IPS-DB: 2.00461(2008-01-18 11:23)
Serial-Number: FWF-602104402047
BIOS version: 03000301
Log hard disk: Not available
Hostname: FortiWiFi-60
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Distribution: International
Branch point: 730
MR/Patch Information: MR7 Patch 1
System time: Thu May  1 10:57:05 2013




Ken Felix
kfelix -a-t  hyperfeed ---dot----com
BGP enabled since 1994 :)
