Hello everyone,
Today I'm going to share a discussion of BGP security and reliability from the new HCIE R&S lab.
Topic
1. As shown in the following figure, all devices run only BGP, and R1 and R4 connect the corresponding service network segments. PC1 cannot access PC2. How should the fault be troubleshot?
2. Propose a solution that improves BGP security and reliability.

Question1
Start from the peer relationship. Check whether the IBGP and EBGP peer addresses are reachable. If a peer address is unreachable, check the route to that address (for an IBGP peer this is usually a loopback, which in a BGP-only network must itself be learned through BGP) and then check the physical and link layers. If the address is reachable but the session is not Established, work through the peer checks below; if the session is Established, move on to the route checks.
1. If the neighbor relationship is faulty, check the following IBGP and EBGP peer configurations.
1.1 Check that the peer address and AS number are configured correctly on both sides (the address each side uses as its source must be the address the other side has configured as its peer).
1.2 Check that the peer address is reachable, sourcing the ping from the address the session uses.
1.3 Check that the BGP authentication configuration matches on both sides and that the passwords (or keychains) are identical.
1.4 Check that the GTSM hop count (valid-ttl-hops) matches the real topology; a value smaller than the actual hop count silently drops the peer's packets.
1.5 Check whether peer ignore is configured, which suppresses session establishment.
1.6 Check whether an ACL or policy filters BGP traffic (TCP port 179) on either router or on a device in between.
1.7 For an EBGP peer that is not directly connected, check that EBGP multi-hop (ebgp-max-hop) is configured with a sufficient hop count.
1.8 Check that both sides enable the peer in the same address family.
2. If the neighbor relationship is normal, check the BGP routes.
2.1 Check whether the next hop of the BGP route is reachable. An EBGP-learned route advertised to IBGP peers keeps its EBGP next hop by default; either configure next-hop-local on the IBGP peer or use a route-policy to set a reachable next hop.
2.2 Check whether a community carried in the route (no-export, no-advertise, no-export-subconfed) limits how far it is propagated.
2.3 Check whether inbound or outbound BGP route filtering (filter-policy, route-policy, prefix lists) drops the route.
2.4 Check whether the route is flapping and being suppressed by route dampening.
2.5 Check whether an improper BGP route summarization hides or misroutes the specific prefix.
2.6 Check whether the BGP route is installed in the IP routing table and delivered to the FIB.
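As an added example that is not part of the original post, the checklist above as it would be run on a Huawei VRP router, followed by the configuration that fixes the most common causes. The topology in the figure is not reproduced here, so the addresses are assumed: R1 (AS 65001, loopback 1.1.1.1) has a directly connected EBGP peer at 10.1.12.2 (AS 65002), an IBGP peer R4 at loopback 4.4.4.4, and PC2 sits in 192.168.2.0/24 behind R4.

```vrp
# --- Step 1: peer state. "Established" is healthy; any other state means one of checks 1.1-1.8.
#     (All addresses, AS numbers and interface names below are assumed for illustration.)
<R1> display bgp peer
<R1> display bgp peer 10.1.12.2 verbose          # authentication, TTL hops, address families negotiated
<R1> ping -a 10.1.12.1 10.1.12.2                 # 1.2: source the ping from the session's own address
<R1> display ip routing-table 4.4.4.4            # route to the loopback of the IBGP peer
<R1> display interface brief                     # physical/link layer
<R1> display acl all                             # 1.6: anything matching TCP port 179?

# --- Fixes for the usual neighbor-level causes
[R1] bgp 65001
[R1-bgp]  peer 10.1.12.2 as-number 65002           # 1.1: correct AS number and address
[R1-bgp]  peer 4.4.4.4 as-number 65001
[R1-bgp]  peer 4.4.4.4 connect-interface LoopBack0 # source must be what R4 has configured as its peer
[R1-bgp]  undo peer 10.1.12.2 ignore               # 1.5: remove peer ignore if it is present
[R1-bgp]  peer 10.1.12.2 ebgp-max-hop 2            # 1.7: only for an EBGP peer that is not directly connected
[R1-bgp]  ipv4-family unicast                      # 1.8: enable the peers in the same address family on both sides
[R1-bgp-af-ipv4]   peer 10.1.12.2 enable
[R1-bgp-af-ipv4]   peer 4.4.4.4 enable

# --- Step 2: routes, once the peers are Established
<R1> display bgp routing-table                   # a missing "*" (valid) flag usually means an unreachable next hop
<R1> display bgp routing-table 192.168.2.0 24    # 2.1/2.2: next hop, community and AS path of PC2's segment
<R1> display bgp routing-table dampened          # 2.4: routes held down by dampening
<R1> display ip routing-table 192.168.2.0        # 2.6: present in the IP routing table?
<R1> display fib 192.168.2.0                     # 2.6: delivered to the FIB?

# --- Fix for 2.1: in a BGP-only network the IBGP peers cannot reach the EBGP next hop,
#     so R1 rewrites the next hop to itself when advertising to R4.
[R1] bgp 65001
[R1-bgp]  ipv4-family unicast
[R1-bgp-af-ipv4]   peer 4.4.4.4 next-hop-local
```

The same commands are run on R4 in the other direction; PC1 to PC2 works only when both R1 and R4 hold a valid route for the far segment with a reachable next hop and that route is in the FIB on every router along the path.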
Question2
Improving BGP security
1. MD5 authentication
To reduce the chance of a BGP session being attacked, MD5 authentication (the TCP MD5 signature option, RFC 2385) can be configured between BGP neighbors. Every TCP segment carries a digest computed over the segment and a shared password, so an attacker who does not know the password cannot inject a forged UPDATE or reset the session with a spoofed RST. The password must be identical on both peers, and changing it tears the session down.
2. Keychain authentication
A keychain holds a set of keys, each with its own send and receive time window, and the router switches keys automatically according to the configured schedule, so passwords can be rotated without resetting the session. The configuration is more complex than a single MD5 password and suits networks with high security requirements.
3. GTSM
A valid TTL range is chosen from the network topology (for a directly connected EBGP peer, only packets with TTL 255 are accepted). Packets whose TTL is outside the range are discarded directly by the LPU before they reach the control plane. This prevents a remote attacker from simulating valid BGP packets to attack the device, because packets from more than the configured number of hops away arrive with a TTL that is too small.
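As an added example that is not part of the original post, the three security measures configured on a Huawei VRP router. The topology is assumed: R1 (AS 65001) and R2 (AS 65002) are directly connected over 10.1.12.0/24, and all passwords, key names and dates are placeholders. Only one of the MD5 password and the keychain can be bound to a given peer, so the keychain section first removes the password.

```vrp
# --- 1. MD5 authentication: the same password on both ends of the session
[R1] bgp 65001
[R1-bgp]  peer 10.1.12.2 as-number 65002
[R1-bgp]  peer 10.1.12.2 password cipher Huawei@123

[R2] bgp 65002
[R2-bgp]  peer 10.1.12.1 as-number 65001
[R2-bgp]  peer 10.1.12.1 password cipher Huawei@123

# --- 2. Keychain: scheduled key rotation without a session reset.
#     The receive window of each key outlasts its send window, so packets still
#     signed with the old key by a neighbor that has not switched yet are accepted.
[R1] keychain bgp-kc mode absolute
[R1-keychain-bgp-kc]  key-id 1
[R1-keychain-bgp-kc-keyid-1]   algorithm hmac-md5
[R1-keychain-bgp-kc-keyid-1]   key-string cipher Key1Secret
[R1-keychain-bgp-kc-keyid-1]   send-time 00:00 2024-01-01 to 23:59 2024-06-30
[R1-keychain-bgp-kc-keyid-1]   receive-time 00:00 2024-01-01 to 23:59 2024-07-01
[R1-keychain-bgp-kc-keyid-1]   quit
[R1-keychain-bgp-kc]  key-id 2
[R1-keychain-bgp-kc-keyid-2]   algorithm hmac-md5
[R1-keychain-bgp-kc-keyid-2]   key-string cipher Key2Secret
[R1-keychain-bgp-kc-keyid-2]   send-time 00:00 2024-07-01 to 23:59 2024-12-31
[R1-keychain-bgp-kc-keyid-2]   receive-time 00:00 2024-06-30 to 23:59 2025-01-01
[R1-keychain-bgp-kc-keyid-2]   quit
[R1] bgp 65001
[R1-bgp]  undo peer 10.1.12.2 password              # password and keychain are mutually exclusive
[R1-bgp]  peer 10.1.12.2 keychain bgp-kc
# R2 needs the same keychain (same key IDs, algorithms, strings and windows), and the clocks
# of both routers must agree, or the send/receive windows will not line up.

# --- 3. GTSM: one hop for a directly connected EBGP peer, so only TTL 255 is accepted.
#     For a multi-hop session (for example IBGP between loopbacks three routers apart)
#     the value is the actual hop count; a value that is too small drops the peer's packets.
[R1-bgp]  peer 10.1.12.2 valid-ttl-hops 1
[R2-bgp]  peer 10.1.12.1 valid-ttl-hops 1

# --- Verify
<R1> display bgp peer 10.1.12.2 verbose             # shows the authentication type and GTSM hop count in use
```

GTSM must be configured on both peers; if only one side checks the TTL while the other sends with a normal TTL, the session still comes up, but the unprotected side remains open to spoofed packets from further away.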
Improving BGP reliability
1. BGP Tracking
BGP tracking monitors the route to the peer address in the IP routing table. When the route disappears, the session is torn down after a short, configurable delay instead of waiting for the BGP hold timer to expire, so unreachable links or neighbors are detected quickly and the network converges faster.
2. BFD
BGP can be associated with BFD. BFD detection is millisecond-level: with transmit and receive intervals of 50 ms, a failure is reported to BGP in a few hundred milliseconds rather than after the BGP hold timer expires (180 s by default on VRP).
When the link between peers fails, BGP route convergence is speeded up, fast link switchover is ensured, and traffic loss is reduced.
3. BGP GR
Graceful restart (GR) lets a restarting router keep forwarding, and lets its peers (GR helpers) keep its routes marked as stale instead of withdrawing them, while the BGP process restarts. The restarting router needs a forwarding plane that stays up while the control plane restarts, so configuring BGP GR is meaningful only on hardware with dual main boards (active/standby switchover); on a single-board device a restart drops forwarding as well.
4. Redundancy
In the topology design, use redundant links and redundant devices so that a single failure does not isolate a service segment, and let the mechanisms above (BFD, tracking) make the failover fast.
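As an added example that is not part of the original post, BFD and GR applied to the IBGP session between R1 (loopback 1.1.1.1, AS 65001) and R4 (loopback 4.4.4.4) on a Huawei VRP router. The addresses and timer values are assumed for illustration.

```vrp
# --- BFD for the IBGP session to R4 (assumed addresses)
[R1] bfd                                              # enable BFD globally before binding it to a peer
[R1-bfd] quit
[R1] bgp 65001
[R1-bgp]  peer 4.4.4.4 as-number 65001
[R1-bgp]  peer 4.4.4.4 connect-interface LoopBack0
[R1-bgp]  peer 4.4.4.4 bfd enable
[R1-bgp]  peer 4.4.4.4 bfd min-tx-interval 50 min-rx-interval 50 detect-multiplier 3
# Detection time = negotiated interval * detect-multiplier = 150 ms with these values.
# Do not set intervals below what the platform supports, or BFD itself will flap
# under load and take the BGP session down with it. Configure R4 the same way toward 1.1.1.1.

# --- BGP GR: negotiated as a capability, so both peers must enable it
[R1-bgp]  graceful-restart
[R1-bgp]  graceful-restart timer restart 150          # assumed value: seconds the helper keeps stale routes
# Without graceful-restart on R4, R4 withdraws R1's routes the moment the TCP session drops,
# and the restart is not graceful at all.

# --- Verify
<R1> display bgp peer 4.4.4.4 verbose                 # BFD enabled, GR capability advertised and received
<R1> display bfd session all                          # session state Up, negotiated intervals
```

BFD and GR pull in opposite directions on the same session: BFD tears the session down as soon as the link is silent for the detection time, whereas GR assumes the forwarding plane is still fine during a control-plane restart. On a dual-main-board device BFD sessions that are kept alive by the forwarding plane across the switchover make the two compatible; otherwise BFD can take the session down before GR has a chance to help.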


