LARGE SCALE IP ROUTING


Building ISP Networks Xantaro Page 1 / 18

TABLE OF CONTENTS

1. LAB ACCESS
   1.1 Accessing the Jumphost
   1.2 Access to your routers
   1.3 Local Network Topology
   1.4 Global Network Topology
   1.5 Local ISP Address Assignment
   1.6 Transit ISP Address Assignment
   1.7 Transfer Addressing
2. FIRST STEPS IN YOUR NETWORK
   2.1 Connect to your routers
   2.2 Getting started with JUNOS operational mode commands
   2.3 Getting started with JUNOS configuration mode commands
   2.4 Monitoring system and chassis operation
3. INTERFACE ADDRESSING
   3.1 Address Plan
   3.2 Configure Internal IP Addresses
   3.3 Optional: Monitoring interface operation
4. ISIS CONFIGURATION
   4.1 Configure External IP Addresses
   4.2 Configure ISIS
   4.3 Temporarily Enable IS-IS to the backbone
   4.4 Disable ISIS on external links
   4.5 Optional: IS-IS Authentication
5. CONFIGURING BGP
   5.1 Specifying the local AS number
   5.2 Verifying IGP connectivity
   5.3 Configuring internal BGP Sessions
   5.4 Configuring External BGP Sessions

TABLE OF FIGURES

Figure 1: Local ISP Topology
Figure 2: Global Topology

TABLE DIRECTORY

Table 1: Management IPs
Table 2: Local ISP address assignment
Table 3: Transit ISP address assignment
Table 4: Transit IPv4 and IPv6 Addressing
Table 5: IS-IS Area Addresses

1. LAB ACCESS

To access the lab network, you need an SSH client on your notebook. Linux and Mac users just have to open a terminal window and type "ssh username@host" to start the session. Windows users should download SSH client software to connect. A commonly used freeware tool is PuTTY:

    http://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

but any other SSH client software should work too.

Please note that the lab access will only work during the time we have our practical sessions.

1.1 Accessing the Jumphost

You can access the jumphost at the following addresses from the Internet:

    IPv4: 185.16.196.74
    IPv6: 2a03:dfc0::b910:c44a

The username that you have to use depends on your group. It will be one of these:

    as1000
    as2000
    as3000
    as4000

The passwords will be handed out to the different teams during the session. Once logged in, you may change the password to something else using the command "passwd", but please coordinate with your other team members, as they will use the same account.

Each of the 4 defined users has an RSA key pair located in the ~/.ssh directory. Please do not change these keys, as they provide you with access to the routers. If you prefer to use public key authentication to access the jumphost, you may download the public key and import it into your SSH client.

1.2 Access to your routers

Every router in your network has a dedicated out-of-band management port. These ports can be used to connect to the devices independently of their routing configuration. The systems have been preconfigured to perform SSH authentication based on an RSA key that is located in the ~/.ssh directory of the jumphost.

Each group should only get access to its own routers. Please note that the p1 routers are not used in the first sections of the lab, hence they can be ignored for the moment.

Device        IP               Device        IP
as1000-pe1    172.24.20.111    as3000-pe1    172.24.20.131
as1000-pe2    172.24.20.112    as3000-pe2    172.24.20.132
as1000-pe3    172.24.20.113    as3000-pe3    172.24.20.133
as1000-p1     172.24.20.114    as3000-p1     172.24.20.134
as2000-pe1    172.24.20.121    as4000-pe1    172.24.20.141
as2000-pe2    172.24.20.122    as4000-pe2    172.24.20.142
as2000-pe3    172.24.20.123    as4000-pe3    172.24.20.143
as2000-p1     172.24.20.124    as4000-p1     172.24.20.144

Table 1: Management IPs

1.3 Local Network Topology

Figure 1 shows how the different PE routers are interconnected. This will be the same for all 4 ISPs. The PE routers are interconnected in a triangle.

[Figure 1: Local ISP Topology (diagram not reproduced): PE1, PE2 and PE3 in a triangle on interfaces ge-0/0/0 and ge-0/0/1; PE1 and PE2 each connect to a Transit ISP on ge-0/0/3; PE3 connects to the Customer.]

PE1 and PE2 hold the connection to the Upstream ISPs, whereas PE3 connects to your local customers that would like to get connectivity to the rest of the world.

1.4 Global Network Topology

In Figure 2 you can see the global topology of our network. In the middle are 4 Transit Service Providers that make up the backbone of our virtual Internet. Each local ISP is dual-homed to two different transit service providers.

[Figure 2: Global Topology (diagram not reproduced): the transit providers AS100, AS200, AS300 and AS400 in the middle, with the local ISPs AS1000, AS2000, AS3000 and AS4000 attached to them.]

1.5 Local ISP Address Assignment

Each ISP has been allocated a block of "public" IP addresses that may be used for routing in our global network. Please note that the IPv4 addresses that we use in our examples are in reality private IP addresses according to RFC 1918, so you should not see them in the real public Internet, but they are fine for our simulation.

Local ISP    IPv4 Network    IPv6 Network
AS1000       10.0.10.0/24    2001:db8:1000::/48
AS2000       10.0.20.0/24    2001:db8:2000::/48
AS3000       10.0.30.0/24    2001:db8:3000::/48
AS4000       10.0.40.0/24    2001:db8:4000::/48

Table 2: Local ISP address assignment

The IPv6 addresses are taken from the documentation prefix. RFC 3849 defines that these addresses should be used for documentation purposes; we will use them as publicly routable addresses in our topology. In reality, every ISP should block these addresses on the Internet.

1.6 Transit ISP Address Assignment

The table below shows the IP address assignments to the Transit ISPs. This is for your reference only and helps you identify where an IP address belongs in our topology.

Transit ISP    IPv4 Network    IPv6 Network
AS100          10.10.0.0/16    2001:db8:10::/48
AS200          10.20.0.0/16    2001:db8:20::/48
AS300          10.30.0.0/16    2001:db8:30::/48
AS400          10.40.0.0/16    2001:db8:40::/48

Table 3: Transit ISP address assignment

1.7 Transfer Addressing

In the table below you will find the IPv4 and IPv6 addressing of the links between your Transit Providers and the local ISPs.

Local ISP    Local Router    Transit ISP    IPv4 Address     IPv6 Address
AS1000       PE1             AS100          10.10.10.2/30    2001:db8:10:10::2/126
AS1000       PE2             AS300          10.30.10.2/30    2001:db8:30:10::2/126
AS2000       PE1             AS200          10.20.20.2/30    2001:db8:20:20::2/126
AS2000       PE2             AS400          10.40.20.2/30    2001:db8:40:20::2/126
AS3000       PE1             AS100          10.10.30.2/30    2001:db8:10:30::2/126
AS3000       PE2             AS300          10.30.30.2/30    2001:db8:30:30::2/126
AS4000       PE1             AS200          10.20.40.2/30    2001:db8:20:40::2/126
AS4000       PE2             AS400          10.40.40.2/30    2001:db8:40:40::2/126

Table 4: Transit IPv4 and IPv6 Addressing

2. FIRST STEPS IN YOUR NETWORK

2.1 Connect to your routers

Using the IP addresses from Table 1, connect from the jumphost with SSH to the PE routers. If you are in AS1000 and you want to access PE2, the following command should work:

    ssh 172.24.20.112

Other routers / groups should work accordingly. You should agree within your group whether you want to assign a router per person or do this dynamically for each task. Remember that multiple users may access a router at the same time and can interfere with each other during the configuration phase.

2.2 Getting started with JUNOS operational mode commands

In this part, you will use the CLI to become more familiar with the operational mode of JUNOS:

- Get an overview of the interfaces available in the router.
- Experiment with command completion by entering "show i<space>".
- Add characters to disambiguate your command so that you can display interface-related information.
- Enter a "show route" command followed by a "show system user" command. What happens when entering <Ctrl>-p twice? What happens when entering <Ctrl>-n? Can you use the up and down keys? What happens?
- In many cases, the output of a command might exceed one full screen. Execute for example the "show interface extensive" command. What happens if you press space? What happens when entering the letter b? What happens if you enter a slash (/)?
- Use the pipe (|) and match functions of the JUNOS software CLI to list all GigabitEthernet interfaces which are physically down! How many interfaces are down?

A large portion of the JUNOS software documentation is available directly from the CLI. You can retrieve high-level topics with the "help topic" command, while detailed configuration-related information is made available with the "help reference" command.

- Use the "help apropos stub" command to get a list of commands and help pages with the word "stub".
- Use "help topic ospf stub" to get an explanation of the OSPF stub area.
- Use the "help reference system host-name" command to display information regarding system host names.

2.3 Getting started with JUNOS configuration mode commands

In this part, you will get some experience with configuring the Juniper router.

- First of all, enter the configuration mode by entering the command "configure".
- Now enter the command "show interfaces". Is the output as you have expected? Why does the output not provide you with interface state information? How can you display such information without leaving the configuration mode?
- Move to the [edit protocols ospf] portion of the command hierarchy. Afterward issue the "set area 0 interface lo0.0" command.
- Execute the command "show". Which output do you get?
- Execute the command "show | display set".
- What commands can you enter now to reposition yourself at the [edit] portion of the hierarchy?
- What command can you use to display any differences between a candidate and a previous configuration file?
- Change the configuration back to the old configuration!

2.4 Monitoring system and chassis operation

In this optional part, you will use key commands within the CLI to monitor system and chassis operation:

- Monitor system status by issuing the "show system" CLI command with the version, statistics, storage, uptime, and users switches.
- Monitor chassis operation by issuing the "show chassis" command, including switches like alarms, routing-engine, hardware and fpc.
- Execute the command "show chassis pic fpc-slot 0 pic-slot 0".

3. INTERFACE ADDRESSING

For the moment, we will consider only IPv4, so please ignore the IPv6 addresses mentioned above.

3.1 Address Plan

The first step in building your provider network is to create an IP address plan. We will start with IPv4. You need to slice up your provided IP network into the following areas:

- IP range for loopback addressing (one address per router)
- IP range for transfer subnets (one network per link in your topology)
- IP range for customer assignments

Discuss with your other team members how you want to manage the address space. Remember that an additional router will be added to the topology later on, so the ranges for loopbacks and transfer subnets should allow for some growth.

3.2 Configure Internal IP Addresses

Within the lab, multiple Ethernet interfaces are used to interconnect the routers. Refer to the physical lab setup diagram to get an overview. Configure IPv4 addresses on all PE routers in your network. When done, all 3 routers should have an IPv4 address on the following interfaces:

    ge-0/0/0
    ge-0/0/1
    lo0

Use the ping command to test connectivity between directly connected routers.

Hint: It is possible to attach a label to an interface that describes the neighbor system. This is very useful for operation. Try to find the correct configuration statement.

3.3 Optional: Monitoring interface operation

Test your interfaces using the CLI's ping command. If you can ping your neighbors on all your directly connected interfaces, you should consider saving the router configuration so this basic configuration can be recalled at any time.

Try some interface-related operational mode commands:

- Display the summary status of your interfaces using the "show interfaces terse" command.
- Reset interface statistics with the "clear interfaces statistics all" command and display detailed interface information using "show interfaces detail".
- What is the difference between the extensive and detail options of the "show interface" command?
- Monitor real-time traffic on one of your interfaces. Ask your neighbors to send you some ICMP packets to see if the statistics are working.
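One way to sanity-check the address plan from 3.1 before configuring interfaces, as an added Python example that is not part of the original lab guide. The two plans, the range names and the function names are constructed for illustration; the block is AS3000's from Table 2, and the use of one /31 per link is an assumption that follows the sample addresses in section 7.

```python
import ipaddress

def check_plan(block, plan, routers, links):
    """Return a list of problems; an empty list means the plan fits the topology."""
    block = ipaddress.ip_network(block)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in plan.items()}
    problems = []
    # Every range must come out of the block allocated to the AS.
    for name, net in nets.items():
        if not net.subnet_of(block):
            problems.append(f"{name}: {net} is outside {block}")
    # Ranges must not overlap each other.
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} overlaps {b}")
    # One loopback address per router.
    loopback_capacity = len(list(nets["loopbacks"].hosts()))
    if loopback_capacity < len(routers):
        problems.append(f"loopbacks: {loopback_capacity} addresses for {len(routers)} routers")
    # One /31 transfer subnet per link.
    link_capacity = nets["transfers"].num_addresses // 2
    if link_capacity < len(links):
        problems.append(f"transfers: {link_capacity} /31 subnets for {len(links)} links")
    return problems

def allocate(plan, routers, links):
    """Hand out loopbacks and /31 transfer subnets in order from the planned ranges."""
    lo_hosts = ipaddress.ip_network(plan["loopbacks"]).hosts()
    p2p = ipaddress.ip_network(plan["transfers"]).subnets(new_prefix=31)
    loopbacks = {r: f"{addr}/32" for r, addr in zip(routers, lo_hosts)}
    transfers = {}
    for (a, b), net in zip(links, p2p):
        transfers[(a, b)] = {a: f"{net[0]}/31", b: f"{net[1]}/31"}
    return loopbacks, transfers

BLOCK = "10.0.30.0/24"  # AS3000, Table 2

# Topology today (PE triangle) and after the additional router p1 is added.
ROUTERS_NOW = ["pe1", "pe2", "pe3"]
LINKS_NOW = [("pe1", "pe2"), ("pe1", "pe3"), ("pe2", "pe3")]
ROUTERS_LATER = ROUTERS_NOW + ["p1"]
LINKS_LATER = LINKS_NOW + [("p1", "pe1"), ("p1", "pe2"), ("p1", "pe3")]

# Constructed plans: TIGHT is sized for today's topology only, ROOMY allows growth.
TIGHT = {"loopbacks": "10.0.30.0/29", "transfers": "10.0.30.8/29", "customers": "10.0.30.128/25"}
ROOMY = {"loopbacks": "10.0.30.0/27", "transfers": "10.0.30.64/27", "customers": "10.0.30.128/25"}

if __name__ == "__main__":
    print("tight, today:", check_plan(BLOCK, TIGHT, ROUTERS_NOW, LINKS_NOW))
    print("tight, later:", check_plan(BLOCK, TIGHT, ROUTERS_LATER, LINKS_LATER))
    print("roomy, later:", check_plan(BLOCK, ROOMY, ROUTERS_LATER, LINKS_LATER))
    loopbacks, transfers = allocate(ROOMY, ROUTERS_LATER, LINKS_LATER)
    for router, addr in loopbacks.items():
        print(router, "lo0", addr)
    for link, ends in transfers.items():
        print(link, ends)
```

The tight plan passes for the PE triangle but runs out of transfer subnets once the fourth router and its three links are added, which is the growth case 3.1 warns about.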

4. ISIS CONFIGURATION

In this exercise, we will build the IGP of our carrier networks.

4.1 Configure External IP Addresses

Each AS has two PE routers that have a connection to an upstream provider. This connection is always located on ge-0/0/3. Use the IP information from Table 4. You should be able to ping the other end of the connection.

4.2 Configure ISIS

In order to configure ISIS, you need to assign an ISO address to the lo0 interface of all 3 of your routers. Use the area addresses from the following table. You may choose the system ID as you like, but ensure that each of your routers gets a unique one.

AS        AREA Address
AS1000    49.1000
AS2000    49.2000
AS3000    49.3000
AS4000    49.4000

Table 5: IS-IS Area Addresses

Enable ISIS in the [edit protocols isis] stanza and configure family iso on the internal ge- interfaces and your loopback interface. When done, you should have 2 ISIS adjacencies on each system. Examine the ISIS database and check whether all loopback addresses are reachable by ping.

4.3 Temporarily Enable IS-IS to the backbone

As an exercise, we will also enable ISIS on the ge-0/0/3 interfaces of PE1 and PE2. Enable ISIS for ge-0/0/3. You need to configure this link as a point-to-point connection! When done, you should have an adjacency towards the backbone.

NOTE: Usually you would not enable IS-IS to another carrier. We will just use it for this exercise and disable it for the next section.

4.4 Disable ISIS on external links

When you have completed the exercises on the separate handout for 4.3, disable ISIS on the ge-0/0/3 interfaces of the routers in your AS.

4.5 Optional: IS-IS Authentication

If time allows, enable IS-IS authentication within your AS. This needs to be coordinated between all routers.

5. CONFIGURING BGP

In this exercise, we will enable BGP within your AS and to external peers.

5.1 Specifying the local AS number

The first step is to tell your router your own (local) AS number:

    router# set routing-options autonomous-system <as-number>

Replace <as-number> with your assigned AS, which is 1000, 2000, 3000 or 4000, depending on your group.

5.2 Verifying IGP connectivity

We will set up iBGP sessions between the loopback addresses, hence it is important that the 3 routers in your AS can reach each other. You can verify that by sending a ping and sourcing it from your local loopback address. Replace "10.20.0.0" with the loopback address of the router you are trying to reach and "10.10.0.0" with the loopback of the router from which you start the ping.

    sgraf@bb1> ping 10.20.0.0 source 10.10.0.0
    PING 10.20.0.0 (10.20.0.0): 56 data bytes
    64 bytes from 10.20.0.0: icmp_seq=0 ttl=64 time=1.869 ms
    64 bytes from 10.20.0.0: icmp_seq=1 ttl=64 time=1.301 ms
    64 bytes from 10.20.0.0: icmp_seq=2 ttl=64 time=1.589 ms
    ^C
    --- 10.20.0.0 ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 1.301/1.586/1.869/0.232 ms

You can stop the ping by hitting <Ctrl>-C. When the ping is working, go to the next section; otherwise check your IGP and/or ask for assistance.

5.3 Configuring internal BGP Sessions

In JUNOS, BGP neighbors are organized in groups. You can freely choose the group names. They do not have to match between routers, but it is best practice to use common names within your network. We will follow best practices and change the next-hop for all routes that we advertise to internal BGP peers.

    router# set protocols bgp group intern type internal
    router# set protocols bgp group intern local-address 10.10.0.0
    router# set protocols bgp group intern neighbor 10.20.0.0
    router# set protocols bgp group intern export NHS
    router# set policy-options policy-statement NHS then next-hop self

Replace "10.10.0.0" with the loopback address of the router that you configure and "10.20.0.0" with the loopback address of the remote router. You need to repeat the neighbor command for the 3rd router. Each router in your AS should have two iBGP sessions. You can verify the sessions with:

    router> show bgp summary

Be patient, as BGP sessions can take a few seconds to establish. Just rerun the command a few times and check the status. A session may be in the following states:

- idle (router does not even try to establish the session)
- active (router has sent BGP open message to peer and is waiting for reply)
- a number (this shows the number of received prefixes, which means that the session is established)

Once you have all iBGP sessions enabled, move on to the next part.

5.4 Configuring External BGP Sessions

Configuring external BGP sessions is similar to configuring internal ones, but there are two main differences:

- we use the interface address to establish the session, not the loopbacks
- we have to specify the autonomous system number of the peer

We will use a different group for the external peers:

    router# set protocols bgp group extern type external
    router# set protocols bgp group extern neighbor 10.10.10.2 peer-as 100

Replace "10.10.10.2" with the IP address of your connected transit ISP and "100" with the corresponding AS number. Refer to Table 4 for further details. Your PE1 router should have one external session and PE2 should have another external session.

As before, use "show bgp summary" to verify the status of your session. Once the session is established, you can check which routes you are receiving from this neighbor using the following command:

    router> show route receive-protocol bgp 10.10.10.2

Replace "10.10.10.2" with your external BGP peer. Try the same command and add the "extensive" knob:

    router> show route receive-protocol bgp 10.10.10.2 extensive

6. ROUTE ANNOUNCEMENTS

6.1 Check advertised routes

Before we configure any route advertisements, check which routes are advertised to your eBGP peers from your AS. Use the following command to do this:

    router> show route advertising-protocol bgp 10.10.10.2

Replace 10.10.10.2 with your external BGP peer! Before moving to the next part, complete the first part of the assessment.

6.2 Route Announcements

Your AS has been assigned a public IPv4 range, and this now needs to be advertised to all your eBGP peers. Refer to Table 2 to find out your network. In order to propagate the network, we will create a static discard route on PE1 and PE2 so that we have a matching route that can be propagated.

    router# set routing-options static route 10.0.30.0/24 discard

Replace 10.0.30.0/24 with the network assigned to your AS according to Table 2. Afterwards, create a policy to match on this route and advertise it to your eBGP peers.

    router# set policy-options policy-statement ADVERTISE term INTERNAL from route-filter 10.0.30.0/24 exact
    router# set policy-options policy-statement ADVERTISE term INTERNAL then accept
    router# set protocols bgp group extern export ADVERTISE

Be sure to replace "10.0.30.0/24" in your policy with your assigned network. If you used another name for your BGP group than "extern", change the command accordingly. Afterwards, re-check the advertised routes from your router. You should see your internal IP range added now.

    router> show route advertising-protocol bgp 10.10.10.2

If you propagate your internal IP space, you should have full reachability to the following addresses. Try to send a ping and source it from your loopback address:

    10.10.0.0
    10.20.0.0
    10.30.0.0
    10.40.0.0

    router> ping 10.40.0.0 source 10.0.30.1

Be sure to replace the source address in the command above with your loopback address. Check connectivity with the other groups. Once they have completed the activity, you should also be able to ping their loopback addresses (you need to ask them which IP they configured on the loopback interfaces). By the end of this exercise, we should have full reachability among all autonomous systems.

6.3 Updating Routing Policies

As you saw in the previous exercise, you are now propagating your own IP space along with the IP space of the 4 Transit AS systems (maybe even networks from other students by now). Update your policy from the previous step with the following command:

    router# set policy-options policy-statement ADVERTISE term DENY then reject

Before committing this change, verify it with the command:

    router# show policy-options policy-statement ADVERTISE

Try to understand what should happen once you commit the change and verify it afterwards. Complete the second part of the assessment.
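How the ADVERTISE export policy from 6.2 and 6.3 is evaluated, as an added Python example that is not part of the original lab guide: a simplified model of Junos policy evaluation in which the first matching term decides and unmatched routes fall through to the default BGP export policy. The routing table is constructed from the lab's address tables for an AS3000 router, and the Route/Term classes and function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Route:
    prefix: str      # e.g. "10.0.30.0/24"
    protocol: str    # "static", "bgp", "isis" or "direct"

@dataclass(frozen=True)
class Term:
    name: str
    action: str                          # terminating action: "accept" or "reject"
    route_filter: Optional[str] = None   # "route-filter <prefix> exact"; None = no "from" clause

def default_bgp_export(route):
    """Default BGP export policy: active BGP routes are re-advertised, other protocols are not."""
    return "accept" if route.protocol == "bgp" else "reject"

def evaluate(policy, route):
    """Return (action, deciding term). Terms are tried in order; the first match wins."""
    for term in policy:
        # A term without a "from" clause matches every route; "exact" needs
        # the same prefix and the same prefix length.
        if term.route_filter is None or (
            ipaddress.ip_network(term.route_filter) == ipaddress.ip_network(route.prefix)
        ):
            return term.action, term.name
    return default_bgp_export(route), "default-bgp-export"

def advertised(policy, rib):
    """Prefixes the export policy lets through to the eBGP peer."""
    return [r.prefix for r in rib if evaluate(policy, r)[0] == "accept"]

def leaked(policy, rib, own_block):
    """Advertised prefixes that lie outside the AS's own allocation."""
    own = ipaddress.ip_network(own_block)
    return [p for p in advertised(policy, rib) if not ipaddress.ip_network(p).subnet_of(own)]

OWN_BLOCK = "10.0.30.0/24"  # AS3000, Table 2

# Constructed routing table of an AS3000 PE router.
RIB = [
    Route("10.0.30.0/24", "static"),   # discard route from 6.2
    Route("10.0.30.1/32", "isis"),     # a loopback learned via IS-IS
    Route("10.10.30.0/30", "direct"),  # transfer network towards AS100
    Route("10.10.0.0/16", "bgp"),      # transit AS blocks learned via BGP
    Route("10.20.0.0/16", "bgp"),
    Route("10.30.0.0/16", "bgp"),
    Route("10.40.0.0/16", "bgp"),
    Route("10.0.10.0/24", "bgp"),      # another group's block
]

INTERNAL = Term("INTERNAL", "accept", OWN_BLOCK)
DENY = Term("DENY", "reject")

POLICY_6_2 = [INTERNAL]               # policy as configured in 6.2
POLICY_6_3 = [INTERNAL, DENY]         # after adding term DENY in 6.3
POLICY_MISORDERED = [DENY, INTERNAL]  # failure mode: catch-all term placed first

if __name__ == "__main__":
    for label, policy in (("6.2", POLICY_6_2), ("6.3", POLICY_6_3),
                          ("misordered", POLICY_MISORDERED)):
        print(label, "advertised:", advertised(policy, RIB))
        print(label, "outside own block:", leaked(policy, RIB, OWN_BLOCK))
```

With only term INTERNAL, every BGP-learned prefix still reaches the eBGP peers through the default policy, so the AS re-advertises routes it does not own; the trailing DENY term limits the announcement to the AS's own block, and placing it before INTERNAL would suppress that block as well.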

7. MPLS

In order to increase the scalability and flexibility of your network, you will introduce MPLS. A new router P1 has been connected to your network as shown in Figure 3.

[Figure 3: MPLS Topology (diagram not reproduced): the new router P1 sits between PE1, PE2 and PE3, each of which connects to it on ge-0/0/2; PE1 and PE2 keep their Transit ISP links on ge-0/0/3 and PE3 its Customer link.]

7.1 Update PE configuration

In order to force all traffic to the new P router, we will disable all direct links between PE1, PE2 and PE3. Use the following commands to do this:

    set interfaces ge-0/0/0 disable
    set interfaces ge-0/0/1 disable

Extend your IP schema and assign IP addresses from your IP pool for the new links between P1 and all three PE routers. Afterwards, configure the new addresses on the ge-0/0/2 interfaces and enable family iso and family mpls on PE1, PE2 and PE3:

    set interfaces ge-0/0/2.0 family inet address 10.0.30.68/31
    set interfaces ge-0/0/2.0 family mpls
    set interfaces ge-0/0/2.0 family iso

Remember to replace the IP prefix shown above with the one from your network. We will use the Label Distribution Protocol (LDP) for transport label assignment, with a fairly simple basic configuration:

    set protocols isis interface ge-0/0/2.0
    set protocols mpls interface ge-0/0/2.0
    set protocols ldp interface ge-0/0/2.0

7.2 Configuration of P router

Initially, configure the P router on the interfaces ge-0/0/0, ge-0/0/1, ge-0/0/2 and lo0 with the correct addressing according to your plan. Below is an example of how this could look:

    set interfaces ge-0/0/0 unit 0 family inet address 10.0.30.65/31
    set interfaces ge-0/0/0 unit 0 family iso
    set interfaces ge-0/0/0 unit 0 family mpls
    set interfaces ge-0/0/1 unit 0 family inet address 10.0.30.69/31
    set interfaces ge-0/0/1 unit 0 family iso
    set interfaces ge-0/0/1 unit 0 family mpls
    set interfaces ge-0/0/2 unit 0 family inet address 10.0.30.67/31
    set interfaces ge-0/0/2 unit 0 family iso
    set interfaces ge-0/0/2 unit 0 family mpls
    set interfaces lo0 unit 0 family inet address 10.0.30.4/32
    set interfaces lo0 unit 0 family iso address 49.0000.0000.0004.00

Remember to change the IP and ISO addressing to fit your network. Afterwards, configure the required protocols, but do not configure BGP on the P router!

    set protocols mpls interface ge-0/0/0.0
    set protocols mpls interface ge-0/0/1.0
    set protocols mpls interface ge-0/0/2.0
    set protocols mpls interface ge-0/0/3.0
    set protocols isis interface ge-0/0/0.0
    set protocols isis interface ge-0/0/1.0
    set protocols isis interface ge-0/0/2.0
    set protocols isis interface lo0.0
    set protocols ldp interface ge-0/0/0.0
    set protocols ldp interface ge-0/0/1.0
    set protocols ldp interface ge-0/0/2.0

Verify the correct operation with the following commands on the P router:

    show isis adjacency
    show ldp neighbor

You should see all three PE routers as neighbors on P1 for LDP and ISIS. Verify that your BGP sessions are operational on the PE routers using:

    show bgp summary

All BGP sessions should be established.

7.3 Checking label bindings

You can view the MPLS labels that were allocated using the following command on all P and PE routers:

    show ldp database

The input label database shows the labels that your local router received from its neighbors, whereas the output label database shows the labels that your local router advertised to its peers.

7.4 Verify MPLS operation

On PE3, try to ping the following destinations from your loopback address:

    10.10.0.0
    10.20.0.0
    10.30.0.0
    10.40.0.0

    router> ping 10.40.0.0 source 10.0.30.1

Be sure to replace the source address in the command above with your loopback address. Once connectivity is verified, use the following command on one of the routes on PE3:

    show route 10.10.0.0

You should see a push operation next to the outgoing interface. Remember the label value. On P1, verify that there is no route to the BGP network:

    show route 10.10.0.0

Verify the action that P1 will perform on incoming packets, using the label value that you have seen on PE3:

    show route table mpls.0 label <label value>

You should see a label Pop operation, which means that the topmost label is removed before the frame is transmitted. This is because penultimate hop popping is the default behavior in Junos. As you can see, P1 has no clue about this IP network, but can still forward the packets, as it only cares about the MPLS label.

Congratulations, you have successfully built a local ISP network.