1st, what is a 4-byte ASN?
Simple: the internet was originally built around a 2-byte ASN number format { 1- 65535 }. If you remember the heyday of the "wild west internet" & the big push with all of the new networks that joined the internet backbone around the late 90s / early 2000s? Well, the internet community soon realized that we would exhaust these AS#s very quickly if the demand stayed high.
So the internet community and vendors made a big dash to come up with a fix, and that was to increase the available ASs from 65535 to over 4 billion ( 1 - 4,294,967,296 ). This increase would sustain us until IPv6 is exhausted, and for at least 40+ years in some experts' opinions.
So 4-byte ASNs posed a few issues to be aware of;
- asdot or asplain ( i.e. 200.3 vs 13107203 )
- BGP regex or as_path filters breaking ( e.g. in show ip bgp regex, _'200.3'_ would not match 200.3 as intended because the unescaped dot is a regex wildcard, but _'200\.3'_ would be fine )
- relearning how to convert an ASN from decimal ( asplain ) to dot ( asdot ) or vice-versa ( education )
- human error increases due to more digits and more potential for mistakes
- peering with devices that don't support 4-byte ASNs
- and so on......
- cisco
- fortinet
- juniper
- huawei
- brocade
- vyatta
- pfSense
- OpenBGPd
- adtran
- HP-Networking
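To show why the as_path regex item above bites, here is an added Python example (not from this post or any vendor) that mimics the IOS "_" boundary convention and runs an unescaped and an escaped asdot pattern over a few constructed AS paths; the sample paths and the helper names are my own.

```python
import re

# Constructed sample AS paths for this example (not from the post).
# Written the way "show ip bgp" prints AS_PATH: ASNs separated by spaces.
SAMPLE_PATHS = [
    "200.3 65000",    # the 4-byte ASN we actually want, in asdot notation
    "200 3 65000",    # two separate 2-byte ASNs, 200 followed by 3
    "20013 65000",    # an unrelated 5-digit ASN
    "1200.3 65000",   # a different asdot ASN that merely ends in "200.3"
]

def ios_as_path_regex(pattern: str) -> re.Pattern:
    """Translate an IOS-style AS-path regex into a Python regex.

    In IOS, '_' means "start or end of string, space, comma, brace or
    parenthesis", i.e. an ASN boundary.  Everything else is ordinary regex
    syntax, so a bare '.' is still a one-character wildcard, which is the
    trap once ASNs themselves contain a dot.
    """
    boundary = r"(?:^|$|[ ,{}()])"
    return re.compile(pattern.replace("_", boundary))

def matching_paths(pattern: str, paths=SAMPLE_PATHS) -> list:
    """Return the sample paths an IOS-style regex would select."""
    rx = ios_as_path_regex(pattern)
    return [p for p in paths if rx.search(p)]

def escaped_asdot_regex(asdot: str) -> str:
    """Build the safe filter: escape the dot so only the literal ASN matches."""
    return "_" + re.escape(asdot) + "_"

if __name__ == "__main__":
    print("unescaped _200.3_ :", matching_paths("_200.3_"))
    print("escaped  ", escaped_asdot_regex("200.3"), ":",
          matching_paths(escaped_asdot_regex("200.3")))
```

The unescaped pattern also selects "200 3" and "20013", so a route-map or filter-list built on it would accept or deny prefixes from networks it was never meant to touch.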
Okay now that we got that out of the way, let's move on to the meat of this post. We will peer 2 BGP speakers ( Cisco ISR IOS 15.1.X and Fortigate 200A ) using a 4-byte ASN.
1st the fortigate;
And now the cfg details;
Okay simple, we set the AS number for the firewall, define the interface that does BGP and the neighbor with its remote-as. I'm advertising my local LAN 192.168.254.0/24
The BGP cmd to see your neighbor details;
And for comparison here's the Cisco equivalent;
router3825#show ip bgp neighbors
BGP neighbor is 198.200.10.2,  remote AS 1.30, external link
  BGP version 4, remote router ID 198.200.10.2
  BGP state = Established, up for 00:29:23
  Last read 00:00:39, last write 00:00:05, hold time is 180, keepalive interval is 60 seconds
  Neighbor sessions:
    1 active, is not multisession capable (disabled)
  Neighbor capabilities:
    Route refresh: advertised and received(new)
    Four-octets ASN Capability: advertised and received
    Address family IPv4 Unicast: advertised and received
    Address family IPv6 Unicast: received
    Multisession Capability:
  Message statistics:
    InQ depth is 0
    OutQ depth is 0
                         Sent       Rcvd
    Opens:                  1          1
    Notifications:          0          0
    Updates:                5          6
    Keepalives:            32         32
    Route Refresh:          1          0
    Total:                 39         39
  Default minimum time between advertisement runs is 30 seconds

 For address family: IPv4 Unicast
  Session: 198.200.10.2
  BGP table version 7, neighbor version 7/0
  Output queue size : 0
  Index 2, Advertise bit 0
  2 update-group member
  Outbound path policy configured
  Route map for outgoing advertisements is addmetrics
  Slow-peer detection is disabled
  Slow-peer split-update-group dynamic is disabled
                                 Sent       Rcvd
  Prefix activity:               ----       ----
    Prefixes Current:               3          1 (Consumes 56 bytes)
    Prefixes Total:                 6          6
    Implicit Withdraw:              3          5
    Explicit Withdraw:              0          0
    Used as bestpath:             n/a          1
    Used as multipath:            n/a          0

                                   Outbound    Inbound
  Local Policy Denied Prefixes:    --------    -------
    Bestpath from this peer:              3        n/a
    Total:                                3          0
  Number of NLRIs in the update sent: max 3, min 0
  Last detected as dynamic slow peer: never
  Dynamic slow peer recovered: never

  Address tracking is enabled, the RIB does have a route to 198.200.10.2
  Connections established 1; dropped 0
  Last reset never
  Transport(tcp) path-mtu-discovery is enabled
  Graceful-Restart is disabled
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Connection is ECN Disabled, Mininum incoming TTL 0, Outgoing TTL 1
Local host: 198.200.10.1, Local port: 12149
Foreign host: 198.200.10.2, Foreign port: 179
Connection tableid (VRF): 0
Maximum output segment queue size: 50

Enqueued packets for retransmit: 0, input: 0  mis-ordered: 0 (0 bytes)

Event Timers (current time is 0x2043B0):
Timer          Starts    Wakeups            Next
Retrans            38          0             0x0
TimeWait            0          0             0x0
AckHold            40         37             0x0
SendWnd             0          0             0x0
KeepAlive           0          0             0x0
GiveUp              0          0             0x0
PmtuAger          947        946        0x20449A
DeadWait            0          0             0x0
Linger              0          0             0x0
ProcessQ            0          0             0x0

iss: 1387821271  snduna: 1387822215  sndnxt: 1387822215
irs:  864367026  rcvnxt:  864368030

sndwnd:   5840  scale:      0  maxrcvwnd:  16384
rcvwnd:  15381  scale:      0  delrcvwnd:   1003

SRTT: 994 ms, RTTO: 1046 ms, RTV: 52 ms, KRTT: 0 ms
minRTT: 0 ms, maxRTT: 1000 ms, ACK hold: 200 ms
Status Flags: active open
Option Flags: nagle, path mtu capable
IP Precedence value : 6

Datagrams (max data segment is 1460 bytes):
Rcvd: 77 (out of order: 0), with data: 39, total data bytes: 1003
Sent: 78 (retransmit: 0, fastretransmit: 0, partialack: 0, Second Congestion: 0), with data: 39, total data bytes: 943

 Packets received in fast path: 0, fast processed: 0, slow path: 0
 fast lock acquisition failures: 0, slow path: 0
router3825#
Key points up to this point;
- BGP is simple to configure regardless of 2/4-byte AS#s
- FGTs are multi-protocol BGP speakers ( AFI/SAFI )
- Neighbor capabilities are sent in the BGP OPEN messages and negotiated between peers
- conversion of a BGP ASN to asdot requires a little bit of math but it's not that hard
You can monitor this with the Cisco "debug ip bgp event" or Fortigate "debug ip router bgp" commands
Both will show you errors such as capability negotiation ( above ) or a bad password or AS# ( below )
Okay moving onwards, the Fortigate allows for path manipulation via route-map in the same fashion as Cisco, or just about;
Any changes will require a soft clear of the neighbor
More examples of manipulation with communities and path prepending;
The Cisco configuration is very simple for this project;
config t
router bgp 1.29
 bgp asnotation dot
 bgp router-id 198.200.10.1
 neighbor 198.200.10.2 remote-as 1.30
end
Okay so now let's wrap up and look at some asplain ( decimal ) to asdot ( dot ) conversions. Yes, the latter has a dot in the ASN representation, but it's not that hard to figure out.
Here's a classic, AT&T's ASN 7018 in asdot ( 0.7018 ). Okay, I will admit that's an easy one. Any legacy 2-byte ASN maps into 4-byte asdot with no problems. Here's legacy UUnet ASN 701 ( 0.701 ) and here's Cogent ( 0.174 ).
Okay simple? Yeap, you bet'cha!
Now let's up the ante, we will convert ASN 100000 to asdot notation.
1st, take 100000 / 65536 = 1.52 blah blah blah. So we know it contains at least one whole 65536, so that number goes to the left of the dot ( 1.XXXX ). To fill in the value of XXXX we now subtract that 65536 from the main #: 100000 - 65536 = 34464.
So now the asdot representation = 1.34464
Okay now let's take our Cisco example asdot 1.30 and convert it to asplain,
1st
1 x 65536 ( the value left of the dot ) = 65536
2nd
add the value right of the dot to that, and we now have 65536 + 30 = 65566.
Okay, are you confused?
Okay, take a deep breath. Let's do one more, here's an ASN that I did some consulting for and that a firm peered with. ASN: 130120, an APNIC 4-byte ASN.
Let's convert this one to asdot.
1st
130120 / 65536 = 1.98 blah blah blah
so the leftmost value = 1
2nd
Now subtract that 65536 from the main #
130120 - 65536 = 64584
Now we get the asdot notation of 1.64584
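The same divide-by-65536 and subtract walk-through, as an added Python example (mine, not from this post): it converts both directions, reproduces the 100000, 1.30 and 130120 cases above, and rejects anything that does not fit in 4 bytes rather than silently wrapping. The function names are my own; "asdot+" below is the always-dotted form the post writes as 0.7018, while Cisco's "asdot" leaves legacy 2-byte ASNs plain.

```python
ASN_MAX = 4_294_967_295   # largest value that fits in 4 bytes (0 .. 2^32 - 1)

def asplain_to_asdot(asn: int, plus: bool = False) -> str:
    """Decimal ASN -> dotted form.

    The high 16 bits go left of the dot and the low 16 bits right of it,
    which is exactly the "how many 65536s fit, then subtract them" method.
    plus=False: Cisco-style asdot, legacy 2-byte ASNs stay plain ("7018").
    plus=True:  asdot+, every ASN is dotted ("0.7018").
    """
    if not 0 <= asn <= ASN_MAX:
        raise ValueError(f"ASN {asn} is outside the 4-byte range 0..{ASN_MAX}")
    high, low = divmod(asn, 65536)        # high = number of whole 65536s
    if high == 0 and not plus:
        return str(low)
    return f"{high}.{low}"

def asdot_to_asplain(text: str) -> int:
    """Dotted (or plain) ASN string -> decimal ASN; rejects malformed input."""
    parts = text.strip().split(".")
    if len(parts) == 1:
        high, low = 0, int(parts[0])
    elif len(parts) == 2:
        high, low = int(parts[0]), int(parts[1])
    else:
        raise ValueError(f"{text!r} is not an asplain or asdot ASN")
    # Each half is a 16-bit field; "1.65536" is not a valid ASN even though
    # the multiplication below would happily produce a number for it.
    if not (0 <= high <= 65535 and 0 <= low <= 65535):
        raise ValueError(f"{text!r}: each side of the dot must be 0..65535")
    return high * 65536 + low

if __name__ == "__main__":
    for asn in (7018, 701, 174, 100000, 65566, 130120):
        print(f"{asn} -> asdot {asplain_to_asdot(asn)}  "
              f"asdot+ {asplain_to_asdot(asn, plus=True)}")
    for dotted in ("0.7018", "1.30", "1.34464", "1.64584"):
        print(f"{dotted} -> {asdot_to_asplain(dotted)}")
```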
I hope you found this posting useful :)
^ ^
= ( * * ) =
o
Links to my Google Doc asdot2asplain conversion xls, online converters & 4-byte AS tracking;
https://docs.google.com/file/d/0B_nMtQiwB-DpQjB1MzE5bnRzVTA/edit?usp=sharing
http://labs.spritelink.net/ascalc
http://www.potaroo.net/tools/asn32/
chart of 4-byte allocation authorities
note: Older FortiOS code does not support 4-byte ASNs;
FortiWiFi-60 # config router bgp
FortiWiFi-60 (bgp) # set as
<integer> valid AS number: 1-65535; 0 to disable BGP
FortiWiFi-60 (bgp) # end
FortiWiFi-60 # get sys status
Version: FortiWiFi-60 3.00,build0730,080919
Virus-DB: 8.00631(2008-01-15 14:27)
IPS-DB: 2.00461(2008-01-18 11:23)
Serial-Number: FWF-602104402047
BIOS version: 03000301
Log hard disk: Not available
Hostname: FortiWiFi-60
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Distribution: International
Branch point: 730
MR/Patch Information: MR7 Patch 1
System time: Thu May 1 10:57:05 2013
Ken Felix
kfelix -a-t hyperfeed ---dot----com
BGP enabled since 1994 :)