Ch 12: Advanced BGP Flashcards
Transit routing between a multihomed enterprise network and a service provider is generally not recommended in which scenarios? (Choose all that apply.)
- Internet connections at data centers
- Internet connections at branch locations
- MPLS data centers
- MPLS branch locations
1, 2, and 4.
Transit routing for enterprises is generally acceptable only for data centers connecting to MPLS networks.
T/F: An extended ACL used to match routes changes behavior if the routing protocol is an IGP rather than BGP.
True.
IGPs use the destination field to identify the smallest prefix length allowed in the network range, whereas BGP uses it to match the subnet mask of the route.
Which network prefixes match the prefix match pattern 10.168.0.0/13 ge 24? (Choose two.)
a. 10.168.0.0/13
b. 10.168.0.0/24
c. 10.173.1.0/28
d. 10.104.0.0/24
B and C. Please see Figure 12-7 for an explanation.
What is the correct regular expression syntax for matching a route that originated in AS 300?
a. ^300_
b. $300!
c. _300_
d. _300$
D.
Please see Table 12-6 for an explanation.
What happens when the route map route-map QUESTION permit 20 does not contain a conditional match statement?
- The routes are discarded, and a syslog message is logged.
- All routes are discarded.
- All routes are accepted.
- An error is assigned when linking the route map to a BGP peer.
3.
All routes are accepted and processed.
What happens to a route that does not match the PrefixRFC1918 prefix list when using the following route map?
- route-map QUESTION deny 10
- match ip address prefix-list PrefixRFC1918
- route-map QUESTION permit 20
- set metric 200
- The route is allowed, and the metric is set to 200.
- The route is denied.
- The route is allowed.
- The route is allowed, and the default metric is set to 100.
1.
Because the route does not match the prefix list, sequence 10 does not apply and the route moves on to sequence 20. Sequence 20 has no match statement, so it matches every route: the route is permitted and its metric is set to 200.
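The two route-map cards above (a permit sequence with no match statement, and a deny sequence that the route does not match) can be reproduced with a small model of IOS route-map evaluation. This is an added example, not code from the flashcards or from Cisco; the route-map and prefix-list names come from the cards, the routes are constructed, and the PrefixRFC1918 match is simplified to "falls inside an RFC 1918 block" (an assumption, since full ge/le prefix-list semantics are not modelled here).

```python
import ipaddress

# Constructed stand-in for the PrefixRFC1918 prefix list named in the card:
# a route "matches" if it falls inside one of the RFC 1918 blocks.
# (Assumption: full prefix-list ge/le semantics are not modelled here.)
RFC1918_BLOCKS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def match_prefix_rfc1918(route):
    net = ipaddress.ip_network(route["prefix"])
    return any(net.subnet_of(block) for block in RFC1918_BLOCKS)


# A route map is a list of sequences: (seq, action, match_fn or None, set_dict).
# A sequence with no match statement (match_fn is None) matches every route.
ROUTE_MAP_QUESTION = [
    (10, "deny", match_prefix_rfc1918, {}),
    (20, "permit", None, {"metric": 200}),
]

# The "route-map QUESTION permit 20 with no conditional match" card:
# a single sequence and no match statement.
ROUTE_MAP_PERMIT_ALL = [
    (20, "permit", None, {}),
]


def apply_route_map(route_map, route):
    """Evaluate a route map top-down; the first matching sequence wins.

    Returns (permitted, seq, route). A matching deny sequence drops the
    route without applying any set statements; a matching permit sequence
    applies its set statements and accepts the route. Falling off the end
    is an implicit deny, as in IOS.
    """
    route = dict(route)  # never mutate the caller's copy
    for seq, action, match_fn, sets in sorted(route_map, key=lambda s: s[0]):
        if match_fn is not None and not match_fn(route):
            continue  # no match: try the next sequence
        if action == "deny":
            return False, seq, route
        route.update(sets)
        return True, seq, route
    return False, None, route  # implicit deny at the end of the route map


if __name__ == "__main__":
    public = {"prefix": "100.64.1.0/24", "metric": 100}   # constructed, not RFC 1918
    private = {"prefix": "10.1.0.0/16", "metric": 100}    # constructed, RFC 1918
    print(apply_route_map(ROUTE_MAP_QUESTION, public))    # permitted at seq 20, metric 200
    print(apply_route_map(ROUTE_MAP_QUESTION, private))   # denied at seq 10
    print(apply_route_map(ROUTE_MAP_PERMIT_ALL, private)) # permitted, unchanged
```

Note the last return: a route map consisting only of `deny 10` with a match statement denies everything, because a route that misses sequence 10 hits the implicit deny at the end. That is the reason a filtering route map normally ends with an empty permit sequence.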
T/F: A BGP AS_Path ACL and a prefix-list can be applied to a neighbor at the same time.
True.
A distribute-list and a prefix-list cannot be used at the same time for a neighbor. All other filtering techniques can be combined.
Which of the following is not a well-known BGP community?
a. No_Advertise
b. Internet
c. No_Export
d. Private_Route
D.
The other three are well-known communities.
Which of the following techniques is the second selection criterion for the BGP best path?
a. Weight
b. Local preference
c. Origin
d. MED
B. Local preference is the second selection criterion for the BGP best path.
How the Best Path Algorithm Works
- Prefer the path with the highest WEIGHT.
- Note: WEIGHT is a Cisco-specific parameter. It is local to the router on which it is configured.
- Prefer the path with the highest LOCAL_PREF.
- Prefer the path that was locally originated via a network or aggregate BGP subcommand or through redistribution from an IGP.
- Prefer the path with the shortest AS_PATH.
- An AS_SET counts as 1, no matter how many ASs are in the set.
- Prefer the path with the lowest multi-exit discriminator (MED).
T/F: For MED to be used as a selection criterion, the routes must come from different autonomous systems.
False.
For MED to be used, the routes must come from the same AS.
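The best-path steps listed above and the MED rule can be checked against sample paths with the following comparison function. This is an added example, not code from the flashcards or from Cisco: it implements the steps the card lists (weight, local preference, locally originated, AS_PATH length with an AS_SET counting as 1, MED only between paths from the same neighbor AS) plus the origin-type step that sits between AS_PATH length and MED in the real algorithm; later tie-breakers are not modelled. The path attributes are constructed, and the local AS is assumed to be 500 as in Figure 12-2.

```python
from dataclasses import dataclass, field

# Assumptions for this example: the local router sits in AS 500 (the
# enterprise AS of Figure 12-2); origin codes rank IGP < EGP < INCOMPLETE.
LOCAL_AS = 500
ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass
class Path:
    neighbor_as: int                  # AS of the peer this path was learned from
    weight: int = 0                   # Cisco-specific, local to this router only
    local_pref: int = 100
    locally_originated: bool = False  # network/aggregate/redistribute on this router
    as_path: list = field(default_factory=list)  # [("AS_SEQUENCE", [...]), ("AS_SET", {...})]
    origin: str = "igp"
    med: int = 0


def as_path_length(as_path):
    """Each ASN in an AS_SEQUENCE counts 1; an AS_SET counts 1 whatever its size."""
    return sum(len(asns) if kind == "AS_SEQUENCE" else 1 for kind, asns in as_path)


def better(a, b, always_compare_med=False):
    """True if path a beats path b under the steps modelled here.

    Tie-breakers after MED (eBGP over iBGP, IGP metric to next hop, router ID,
    ...) are not modelled, so a full tie returns False.
    """
    if a.weight != b.weight:
        return a.weight > b.weight
    if a.local_pref != b.local_pref:
        return a.local_pref > b.local_pref
    if a.locally_originated != b.locally_originated:
        return a.locally_originated
    la, lb = as_path_length(a.as_path), as_path_length(b.as_path)
    if la != lb:
        return la < lb
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:
        return ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin]
    # MED is compared only between paths from the same neighbor AS, unless
    # "bgp always-compare-med" is configured.
    if (a.neighbor_as == b.neighbor_as or always_compare_med) and a.med != b.med:
        return a.med < b.med
    return False


def best_path(paths, always_compare_med=False):
    """Return the winning path; on a full tie the earlier path is kept."""
    best = paths[0]
    for p in paths[1:]:
        if better(p, best, always_compare_med):
            best = p
    return best


if __name__ == "__main__":
    # Constructed paths for 100.64.1.0/24 as seen by R1 in AS 500.
    via_sp3 = Path(neighbor_as=300, local_pref=200,
                   as_path=[("AS_SEQUENCE", [300, 100])], med=50)
    via_sp4 = Path(neighbor_as=400, local_pref=100,
                   as_path=[("AS_SEQUENCE", [400])], med=10)
    print(best_path([via_sp3, via_sp4]) is via_sp3)  # local_pref wins before AS_PATH
```

Setting `weight` on `via_sp4` flips the result, because weight is evaluated before local preference; and the two paths' MEDs are never compared because they arrive from different neighbor ASs, unless `always_compare_med=True` is passed.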
T/F: If an enterprise uses BGP to connect with more than one service provider, it runs the risk of its autonomous system (AS) becoming a transit AS.
True.
In Figure 12-2, AS 500 is connecting to two different service providers (SP3 and SP4) for resiliency. Problems can arise if R1 and R2 use the ________________.
Problems can arise if R1 and R2 use the default BGP routing policy.
A user that connects to SP3 (AS 300) routes through the enterprise network (AS 500) to reach a server that attaches to SP4 (AS 400). SP3 receives the 100.64.1.0/24 prefix from AS 100 and from AS 500. SP3 selects the path through AS 500 because its AS_Path is much shorter than the path through SP1 and SP2's networks.
The AS 500 network is now providing transit routing to everyone on the Internet, which can saturate AS 500's peering links. In addition to causing problems for the users in AS 500, this situation also affects the traffic of the users trying to traverse AS 500.
How can the problem of transit routing be avoided?
Transit routing can be avoided by applying outbound BGP route policies that only allow for local BGP routes to be advertised to other autonomous systems.
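The AS_PATH regular-expression card above (`_300$` for routes originated in AS 300) and the transit-prevention answer here both come down to IOS AS_PATH regex matching: an outbound `ip as-path access-list` that permits only `^$` (the empty AS_PATH of locally originated routes) is the usual way to advertise only local routes. The following is an added example, not code from the flashcards or from Cisco; it translates IOS patterns into Python regexes and runs them over constructed AS_PATH strings as seen from AS 500 in Figure 12-2.

```python
import re

# IOS treats "_" in an AS_PATH regex as matching the start or end of the
# string, a space, a comma, or a brace/parenthesis (AS_SET delimiters).
IOS_UNDERSCORE = r"(?:^|$|[ ,{}()])"


def ios_as_path_regex(pattern):
    """Translate an IOS AS_PATH regular expression into a Python regex."""
    return re.compile(pattern.replace("_", IOS_UNDERSCORE))


def as_path_matches(pattern, as_path):
    """Does the IOS pattern match this AS_PATH string (for example "300 100")?"""
    return ios_as_path_regex(pattern).search(as_path) is not None


def filter_as_paths(pattern, as_paths):
    """Return the AS_PATH strings an 'ip as-path access-list ... permit' would pass."""
    return [p for p in as_paths if as_path_matches(pattern, p)]


# Constructed AS_PATH strings as seen from the enterprise AS 500 in Figure 12-2.
SAMPLE_AS_PATHS = [
    "",             # locally originated in AS 500 (empty AS_PATH)
    "300",          # originated by SP3 (AS 300)
    "300 100",      # originated in AS 100, learned via AS 300
    "400 200 300",  # originated in AS 300, learned via AS 400 and AS 200
    "3000 100",     # AS 3000, not AS 300: must not match "^300_"
    "100 3001",     # AS 3001, not AS 300: must not match "_300$"
]

if __name__ == "__main__":
    for pat in ("^300_", "_300_", "_300$", "^$"):
        print(pat, filter_as_paths(pat, SAMPLE_AS_PATHS))
```

`_300$` keeps only the paths whose rightmost (originating) ASN is 300, `^300_` only those learned directly from AS 300, and `^$` only the locally originated routes, which is the set an outbound filter should advertise to prevent AS 500 from becoming a transit AS.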
What is asymmetric forwarding?
Asymmetric forwarding occurs when traffic uses a different path in each direction. This makes troubleshooting difficult because the full path has to be discovered in both directions.
Symmetric forwarding, where traffic follows the same path in both directions, simplifies troubleshooting.
What is meant by a ‘deterministic’ path?
The path is considered deterministic when the flow between sites is predetermined and predictable.
T/F: Multihomed environments should be configured so that branch routers cannot act as transit routers.
True.
Multihomed environments should be configured so that branch routers cannot act as transit routers.
In most designs, transit routing of traffic from another branch is undesirable, as WAN bandwidth may not be sized accordingly. Transit routing can be avoided by configuring outbound route filtering at each branch site. In essence, the branch sites do not advertise what they learn from the WAN but advertise only networks that face the LAN. If transit behavior is required, it is restricted to the data centers or specific locations as follows:
- Proper routing design can accommodate outages.
- Bandwidth can be sized accordingly.
- The routing pattern is bidirectional and predictable.
What are the ranges for Standard and Extended ACLs?
- Standard ACLs use a numbered entry 1–99 or 1300–1999, or a named ACL.
- Extended ACLs use a numbered entry 100–199 or 2000–2699, or a named ACL.
Named ACLs provide relevance to the functionality of the ACL, can be used with standard or extended ACLs, and are generally preferred.
What is the process for defining a standard ACL? Hint: there are two steps…
This is the process for defining a standard ACL:
- Define the ACL by using the command:
- ip access-list standard {acl-number | acl-name} This puts the CLI in ACL configuration mode.
- Configure the specific ACE entry with the command:
- [sequence] {permit | deny } source source-wildcard.
- In lieu of source source-wildcard, the keyword any replaces 0.0.0.0 255.255.255.255, and the host keyword refers to a /32 IP address so that the source-wildcard can be omitted.
What are the steps to define an extended ACL? Hint: there are two steps…
The following is the process for defining an extended ACL:
- Define the ACL by using the command:
- ip access-list extended {acl-number | acl-name} and placing the CLI in ACL configuration mode.
- Configure the specific ACE entry with the command:
- [sequence] {permit | deny} protocol source source-wildcard destination destination-wildcard. The behavior for selecting a network prefix with an extended ACL varies depending on whether the protocol is an IGP (EIGRP, OSPF, or IS-IS) or BGP.
T/F: When ACLs are used for IGP network selection, the source fields of the ACL are used to identify the network, and the destination fields identify the smallest prefix length allowed in the network range.
True.
Table 12-3 provides sample ACL entries from within the ACL configuration mode and specifies the networks that would match with the extended ACL. Notice that the subtle difference in the destination wildcard for the 172.16.0.0 network affects the network ranges that are permitted in the second and third rows of the table.
Note: 172.16.0.0 255.240.0.0 is the RFC 1918 172.16.0.0/12 range, 172.16.0.0 - 172.31.255.255.
T/F: Extended ACLs react differently when matching BGP routes than when matching IGP routes.
True.
Extended ACLs react differently when matching BGP routes than when matching IGP routes. The source fields match against the network portion of the route, and the destination fields match against the network mask, as shown in Figure 12-5. Until the introduction of prefix lists, extended ACLs were the only match criteria used with BGP.
Extended ACL for BGP Route Selection. Write the ACLs to match the following four examples:
- Permits only the 10.0.0.0/16 network
- Permits any 10.0.x.0 network with a /24 prefix length
- Permits any 172.16.x.x network with a /24 to /32 prefix length
- Permits any 172.16.x.x network with a /25 to /32 prefix length
Remember that for BGP the source fields match against the network portion of the route and the destination fields match against the network mask (Figure 12-5).
- permit ip 10.0.0.0 0.0.0.0 255.255.0.0 0.0.0.0
- permit ip 10.0.0.0 0.0.255.0 255.255.255.0 0.0.0.0
- permit ip 172.16.0.0 0.0.255.255 255.255.255.0 0.0.0.255
- permit ip 172.16.0.0 0.0.255.255 255.255.255.128 0.0.0.127
Extended IGP ACL for IGP route selection. Write the ACLs to match the following requirements:
- Permits all networks
- Permits all networks in the 172.16.0.0/12 range
- Permits all networks in the 172.16.0.0/16 range
- Permits only the 192.168.1.1/32 network
When ACLS are used for IGP network selection, the source fields of the ACL are used to identify the network, and the destination fields identify the smallest prefix length allowed in the network range.
- permit ip any any
- permit ip host 172.16.0.0 host 255.240.0.0
- permit ip host 172.16.0.0 host 255.255.0.0
- permit ip host 192.168.1.1 host 255.255.255.255 (an extended ACE needs the protocol and an explicit mask; `permit host 192.168.1.1` is standard-ACL syntax)
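The two ACE tables above differ only in how the destination fields are read, which is easy to get wrong when the same ACL is reused. The following is an added example, not code from the flashcards or from Cisco: a simplified extended-ACE parser (only `permit ip`, `any`, `host` and address/wildcard pairs are handled) with one matcher for BGP semantics and one for the IGP semantics described on these cards, run over the eight ACE lines listed above and constructed route prefixes.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _parse_addr_field(tokens):
    """Consume one ACL address field ('any', 'host A', or 'A WILDCARD').

    Returns (address, wildcard) as integers; 1 bits in the wildcard are
    don't-care bits.
    """
    tok = tokens.pop(0)
    if tok == "any":
        return 0, ALL_ONES
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return (int(ipaddress.IPv4Address(tok)),
            int(ipaddress.IPv4Address(tokens.pop(0))))


def parse_ace(line):
    """Parse '{permit|deny} ip <source> <destination>' into a tuple.

    Simplified model: only the 'ip' protocol and the three address forms
    above are handled; port and option keywords are not.
    """
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if proto != "ip":
        raise ValueError("only 'ip' ACEs are modelled")
    rest = tokens[2:]
    src = _parse_addr_field(rest)
    dst = _parse_addr_field(rest)
    return action, src, dst


def _wildcard_match(value, addr, wildcard):
    """Bits set in the wildcard are ignored; the remaining bits must be equal."""
    care = ~wildcard & ALL_ONES
    return (value & care) == (addr & care)


def bgp_ace_matches(ace, prefix):
    """BGP semantics: source fields match the network portion of the route,
    destination fields match the route's subnet mask."""
    _, (saddr, swild), (daddr, dwild) = ace
    net = ipaddress.ip_network(prefix)
    return (_wildcard_match(int(net.network_address), saddr, swild)
            and _wildcard_match(int(net.netmask), daddr, dwild))


def igp_ace_matches(ace, prefix):
    """IGP semantics: the source address names the network range and the
    destination address is the mask giving the smallest prefix length
    allowed; any route inside that range matches."""
    _, (saddr, _swild), (daddr, _dwild) = ace
    mask = str(ipaddress.IPv4Address(daddr))
    allowed = ipaddress.ip_network((saddr, mask), strict=False)
    return ipaddress.ip_network(prefix).subnet_of(allowed)


def acl_permits(aces, prefix, matcher):
    """First-match evaluation of an ACL, with the implicit deny at the end."""
    for line in aces:
        ace = parse_ace(line)
        if matcher(ace, prefix):
            return ace[0] == "permit"
    return False


# The eight ACE lines from the two tables above (the /32 IGP entry written
# with the protocol and explicit mask that an extended ACE requires).
BGP_ACES = [
    "permit ip 10.0.0.0 0.0.0.0 255.255.0.0 0.0.0.0",
    "permit ip 10.0.0.0 0.0.255.0 255.255.255.0 0.0.0.0",
    "permit ip 172.16.0.0 0.0.255.255 255.255.255.0 0.0.0.255",
    "permit ip 172.16.0.0 0.0.255.255 255.255.255.128 0.0.0.127",
]
IGP_ACES = [
    "permit ip any any",
    "permit ip host 172.16.0.0 host 255.240.0.0",
    "permit ip host 172.16.0.0 host 255.255.0.0",
    "permit ip host 192.168.1.1 host 255.255.255.255",
]

if __name__ == "__main__":
    # Same ACE, two meanings: under BGP it matches only 172.16.0.0/16 itself,
    # under an IGP it matches every subnet of 172.16.0.0/16.
    ace = ["permit ip host 172.16.0.0 host 255.255.0.0"]
    print(acl_permits(ace, "172.16.5.0/24", bgp_ace_matches))  # False
    print(acl_permits(ace, "172.16.5.0/24", igp_ace_matches))  # True
```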
What is Prefix-list Matching?
Prefix lists provide another method of identifying networks in a routing protocol.
A prefix list identifies a specific IP address, network, or network range and allows for the selection of multiple networks with a variety of prefix lengths by using a prefix match specification.
Many network engineers prefer this over the ACL network selection method.
T/F: A prefix match specification contains two parts: a high-order bit pattern and a high-order bit count, which determines the high-order bits in the bit pattern that are to be matched.
True.
Some documentation refers to the high-order bit pattern as the address or network and the high-order bit count as the length or mask length.
In Figure 12-6, the prefix match specification has the high-order bit pattern 192.168.0.0 and the high-order bit count 16. The high-order bit pattern has been converted to binary to demonstrate where the high-order bit count lies. Because no additional matching length parameters are included, the high-order bit count is an exact match.
Which of the following match 10.168.0.0/13 ge 24? (Choose two.)
- 10.168.0.0/13
- 10.168.0.0/24
- 10.173.1.0/28
- 10.104.0.0/24
2 and 3 are correct: 10.168.0.0/24 and 10.173.1.0/28 meet the criteria.
Figure 12-7 demonstrates the prefix match specification with the high-order bit pattern 10.168.0.0 and high-order bit count 13; the matching length of the prefix must be greater than or equal to 24.
The 10.168.0.0/13 prefix does not meet the matching length parameter because the prefix length is less than the minimum of 24 bits, whereas the 10.168.0.0/24 prefix does meet the matching length parameter. The 10.173.1.0/28 prefix qualifies because the first 13 bits match the high-order bit pattern, and the prefix length is within the matching length parameter. The 10.104.0.0/24 prefix does not qualify because the high-order bit pattern does not match within the high-order bit count.
Which of the following match 10.0.0.0/8 ge 22 le 26?
- 10.0.0.0/8
- 10.0.0.0/24
- 10.0.0.0/30
2. 10.0.0.0/24
The 10.0.0.0/8 prefix does not match because the prefix length is too short. The 10.0.0.0/24 network qualifies because the bit pattern matches and the prefix length is between 22 and 26. The 10.0.0.0/30 prefix does not match because the prefix length is too long. Any prefix that starts with 10 in the first octet and has a prefix length between 22 and 26 will match.
T/F: Matching to a specific prefix length that is higher than the high-order bit count requires that the ge-value and le-value match.
True.
To match exactly one prefix length longer than the high-order bit count, set the ge-value and le-value equal: 10.0.0.0/8 ge 24 le 24 matches every /24 inside 10.0.0.0/8 and nothing else.
When the two values differ, the entry matches a range of lengths, and both conditions must hold (a logical AND).
e.g.
10.0.0.0/8 ge 16 le 24 matches all prefixes within 10.0.0.0/8 having a length both a) greater than or equal to 16 bits and b) less than or equal to 24 bits. For instance, 10.42.0.0/18 is matched because its length is between 16 and 24 (inclusive), but neither 10.16.0.0/12 nor 10.123.77.128/25 is matched.
T/F: Prefix lists can contain only one prefix matching specification entry with a permit or deny action.
False.
Prefix lists can contain multiple prefix matching specification entries that contain a permit or deny action.
Prefix lists process in sequential order in a top-down fashion, and the first prefix match processes with the appropriate permit or deny action.
T/F: Prefix lists can be resequenced, just like ACLs
False.
Because prefix lists cannot be resequenced, it is advisable to leave enough space for insertion of sequence numbers at a later time.
If a sequence is not provided, the sequence number auto-increments by 5 from the highest existing sequence number; the first entry defaults to sequence 5. Sequencing enables the deletion of a specific entry.
What is the command to configure a prefix-list?
Prefix lists are configured with the global configuration command:
ip prefix-list prefix-list-name [seq sequence-number] {permit | deny} high-order-bit-pattern/high-order-bit-count [ge ge-value] [le le-value].
T/F: In a prefix list this equation applies.
high-order bit count < ge-value <= le-value
True.
IOS and IOS XE require that the ge-value be greater than the high-order bit count and that the le-value be greater than or equal to the ge-value.
What is permitted by this prefix list? (go line by line to analyze)
- ip prefix-list RFC1918 seq 5 permit 192.168.0.0/13 ge 32
- ip prefix-list RFC1918 seq 10 deny 0.0.0.0/0 ge 32
- ip prefix-list RFC1918 seq 15 permit 10.0.0.0/7 ge 8
- ip prefix-list RFC1918 seq 20 permit 172.16.0.0/11 ge 12
- ip prefix-list RFC1918 seq 25 permit 192.168.0.0/15 ge 16
- Sequence 5 permits all /32 prefixes in the 192.168.0.0/13 bit pattern.
- Sequence 10 denies all /32 prefixes in any bit pattern.
- Sequences 15, 20, and 25 permit routes in the appropriate private network ranges.
- The sequence order of the first two entries is what guarantees that the only /32 prefixes permitted are those in 192.168.0.0/13: sequence 10 denies every other /32 before sequences 15, 20, and 25 get a chance to permit it.
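The prefix-list cards above (the high-order bit pattern and count, the ge/le range rules, the count < ge <= le validity rule, top-down first-match processing, and the RFC1918 list just analysed) can all be exercised with one evaluator. This is an added example, not code from the flashcards or from Cisco: it parses `ip prefix-list` lines in the syntax given on the card, enforces the IOS validity rule, and evaluates constructed prefixes against the RFC1918 list and the `10.168.0.0/13 ge 24` specification. The handling of an entry with only an le-value (count..le) is the standard IOS behaviour, stated here as an assumption since the cards do not cover it.

```python
import ipaddress


def prefix_length_range(count, ge=None, le=None):
    """Resolve the matching length range for one entry and enforce the IOS
    rule: high-order bit count < ge-value <= le-value.

    No ge/le: exact length. ge only: ge..32. le only: count..le (assumed
    IOS behaviour). Both: ge..le.
    """
    lo = ge if ge is not None else count
    hi = le if le is not None else (32 if ge is not None else count)
    if ge is not None and ge <= count:
        raise ValueError(f"ge-value {ge} must exceed the bit count {count}")
    if le is not None and (le < lo or le <= count):
        raise ValueError(f"le-value {le} must be >= ge-value and > bit count")
    return lo, hi


def entry_matches(entry, prefix):
    """entry = (pattern, count, ge, le); prefix like '10.173.1.0/28'."""
    pattern, count, ge, le = entry
    net = ipaddress.ip_network(prefix)
    lo, hi = prefix_length_range(count, ge, le)
    if not lo <= net.prefixlen <= hi:
        return False
    # Compare only the first `count` bits of the route against the pattern.
    want = ipaddress.ip_network((pattern, count), strict=False)
    have = ipaddress.ip_network((int(net.network_address), count), strict=False)
    return want == have


def parse_prefix_list(lines):
    """Parse 'ip prefix-list NAME seq N {permit|deny} A.B.C.D/len [ge X] [le Y]'."""
    entries = []
    for line in lines:
        t = line.split()
        seq, action = int(t[4]), t[5]
        pattern, count = t[6].split("/")
        ge = le = None
        for key, val in zip(t[7::2], t[8::2]):
            if key == "ge":
                ge = int(val)
            elif key == "le":
                le = int(val)
        entries.append((seq, action, (pattern, int(count), ge, le)))
    return sorted(entries, key=lambda e: e[0])


def evaluate(prefix_list, prefix):
    """Top-down, first match wins; returns (permitted, matching seq or None).
    Falling off the end is the implicit deny."""
    for seq, action, entry in prefix_list:
        if entry_matches(entry, prefix):
            return action == "permit", seq
    return False, None


# The RFC1918 list from the card above.
RFC1918_LINES = [
    "ip prefix-list RFC1918 seq 5 permit 192.168.0.0/13 ge 32",
    "ip prefix-list RFC1918 seq 10 deny 0.0.0.0/0 ge 32",
    "ip prefix-list RFC1918 seq 15 permit 10.0.0.0/7 ge 8",
    "ip prefix-list RFC1918 seq 20 permit 172.16.0.0/11 ge 12",
    "ip prefix-list RFC1918 seq 25 permit 192.168.0.0/15 ge 16",
]
RFC1918 = parse_prefix_list(RFC1918_LINES)

if __name__ == "__main__":
    # Constructed test prefixes, including the "10.168.0.0/13 ge 24" card.
    for p in ("10.168.0.0/13", "10.168.0.0/24", "10.173.1.0/28", "10.104.0.0/24"):
        print(p, entry_matches(("10.168.0.0", 13, 24, None), p))
    for p in ("192.168.1.1/32", "10.1.1.1/32", "10.1.0.0/16", "8.8.8.0/24"):
        print(p, evaluate(RFC1918, p))
```

Swapping sequences 5 and 10 in `RFC1918_LINES` makes `192.168.1.1/32` fall to the deny at what is now the first entry, which is the ordering point the last bullet above makes.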