www.glcnetworks.com
BGP Security tuning:
Pull-up route
GLC WEBINAR,
15 Dec 2022, 19:30 GMT+7
Achmad Mardiansyah
achmad@glcnetworks.com
GLC Networks, Indonesia
Agenda
● Introduction
● Review prerequisite knowledge
● BGP
● BGP pull-up route
● Live practice
● Q & A
Introduction
What is GLC?
● Garda Lintas Cakrawala (www.glcnetworks.com)
● Based in Bandung, Indonesia
● Areas: training, IT consulting
● Certified partner for: Mikrotik, Ubiquiti, Linux Foundation
● Product: GLC radius manager
● Regular events
Trainer Introduction
● Name: Achmad Mardiansyah
● Base: Bandung, Indonesia
● Linux user since 1999, Mikrotik user since 2007, UBNT user since 2011
● Mikrotik Certified Trainer (MTCNA/RE/WE/UME/INE/TCE/IPv6)
● Mikrotik/Linux Certified Consultant
● Website contributor: achmadjournal.com, mikrotik.tips, asysadmin.tips
● More info: http://au.linkedin.com/in/achmadmardiansyah
Past experience
● 2020-2022 (Congo DRC, PNG, Malaysia): network support, radius/billing integration
● 2019, Congo (DRC): built a wireless ISP from the ground up
● 2018, Malaysia: network revamp, developed a billing solution and its integration, set up dynamic routing
● 2017, Libya (North Africa): remote wireless migration for a new wireless ISP
● 2016, United Kingdom: workshop for a wireless ISP, migrating a bridged network to a routed one
● 2015, Kalimantan: wireless support
● See our website for more details
Please introduce yourself
● Your name
● Your company/university?
● Your networking experience?
● Your mikrotik experience?
● Your expectation from this course?
Prerequisite
This presentation assumes some prerequisite knowledge.
● We assume you already know:
○ TCP/IP
○ Mikrotik
○ Routing protocol
○ BGP
Review prerequisite knowledge
7 OSI layers & protocols
● The OSI model is a conceptual model from ISO (International Organization for Standardization) for the OSI (Open Systems Interconnection) project
● When you send a message with a courier, you need to add more information to get your message to its destination (this process is called encapsulation)
● What is a protocol?
○ A set of rules for communication
○ Available on each layer
● Communication consists of a series of encapsulations
○ SDU: service data unit (before the header is added)
○ PDU: protocol data unit (after the header is added)
Layered model (TCP/IP vs ISO) and encapsulation
Did you notice?
● There is a big overhead in the encapsulation process
● More encapsulation means less payload?
Router and Routing
● A router is a network device that is used to forward packets based on layer 3 information (the layer 3 header)
● Routing is the process of selecting a path for traffic in a network, or between or across multiple networks
Typical connection (physical)
● A router connects layer 2 segments
● A router works on layer 3, connecting the L2 segments
● This means each layer 2 segment has its own network ID
Typical connection (logical) and routing table
Routing table:
● A table on the router that is used to forward packets
● Available on every device (routers and hosts)
● Entries are evaluated sequentially
[Diagram: R1 (192.168.0.1/26), R2 (192.168.0.2/26) and R3 (192.168.0.3/26) share the segment 192.168.0.0/26; behind them are the LANs 192.168.1.0/24 (R1 is 192.168.1.1, a host is 192.168.1.9), 192.168.2.0/24 (R2 is 192.168.2.2, a host is 192.168.2.9) and 192.168.3.0/24 (R3 is 192.168.3.3, a host is 192.168.3.9)]

Routing table of R1:
destination            gateway
192.168.0.0/26         direct
192.168.1.0/24         direct
192.168.2.0/24         192.168.0.2
192.168.3.0/24         192.168.0.3
192.168.16.3/32        192.168.0.2
0.0.0.0/0 (default gw) 192.168.0.3
Forwarding packets using routing table
● It works like a firewall: match and action
● When a packet arrives, the routing table is used to decide where to forward it
● You should think in binary to understand how it works
destination        binary (network bits)                    gateway
192.168.16.3/32    11000000 10101000 00010000 00000011      192.168.0.2
192.168.0.0/26     11000000 10101000 00000000 00            direct
192.168.1.0/24     11000000 10101000 00000001               direct
192.168.2.0/24     11000000 10101000 00000010               192.168.0.2
192.168.3.0/24     11000000 10101000 00000011               192.168.0.3
0.0.0.0/0          (no match, default)                      192.168.0.3
A packet arrived at R1… (example)
The destination IP address of the packet is 192.168.2.6. Which gateway do we use?
A: 192.168.2.6 = 11000000 10101000 00000010 00000110

destination        binary (network bits)                    gateway
192.168.16.3/32    11000000 10101000 00010000 00000011      192.168.0.2
192.168.0.0/26     11000000 10101000 00000000 00            direct
192.168.1.0/24     11000000 10101000 00000001               direct
192.168.2.0/24     11000000 10101000 00000010               192.168.0.2
192.168.3.0/24     11000000 10101000 00000011               192.168.0.3
0.0.0.0/0          (no match, default)                      192.168.0.3

The longest prefix whose network bits match is 192.168.2.0/24, so the packet is forwarded to gateway 192.168.0.2.
Where does the routing table lookup happen?
How routing works & Administrative distance (analogy)
Road sign analogy          Routing table (destination, gateway, distance)
CITY 1   100 km            10.10.10.0/24   192.168.0.1   10
CITY 2   120 km            10.10.20.0/24   192.168.0.2   12
CITY 2    90 km            10.10.20.0/24   192.168.0.3    9
CITY 3   500 km            10.10.30.0/24   192.168.0.3   50
CITY 4   250 km            10.10.40.0/24   192.168.0.4   25
Administrative distance
● Distance is only considered when the prefix length is the same
● The lowest distance wins
● The administrative distance policy depends on the vendor
● The table on the slide shows an example of administrative distances on a Cisco router
Static routing
● Entries in the routing table are created manually
● The admin must manage the routing table on all routers
● The admin has full control
Dynamic routing
● Routers talk to each other with a routing protocol (RIP, OSPF, BGP)
● Entries in the routing table are created automatically
● The admin must have a good knowledge of the routing protocol
Routing metric
● A value used by a router to make routing decisions. It depends on the routing protocol:
● OSPF: accumulated cost
● RIP: hop count
● IS-IS: cost
● EIGRP: bandwidth, load, delay, reliability and MTU
● BGP: AS-Path, Next-hop, Origin, Local preference, Atomic aggregate, Multi Exit Discriminator (MED)
Asymmetric routing
● Routing decisions are made one way only
● The forwarding process on a router is based on the destination IP address
● There is no guarantee that the incoming path is the same as the outgoing path
● We can only control outgoing forwarding
BGP
Border Gateway Protocol
What is BGP?
● Dynamic routing protocol, path-vector
● Connects autonomous systems (AS numbers)
● Each router needs to create BGP peers
○ It only receives and sends routing prefixes to its peers
● At layer 5 (session): the BGP peer session
● At layer 4 (transport): TCP port 179
● Used by all routers in the internet
● Route contents:
○ Full routes: all prefixes in the internet
○ Partial routes: specific prefixes
Need to consider:
● Requires knowledge to operate
● More complex (compared to RIP), lots of options
Autonomous System (AS), IGP, BGP
● A collection of routers & networks
● Under one administration (organisation, company, etc.)
● Defined by an AS number, given by IANA via an RIR (APNIC, LACNIC, AFRINIC, ARIN, RIPE-NCC)
● We run BGP between ASes
● Inside an AS we run an IGP (Interior Gateway Protocol): RIP, OSPF, IS-IS, EIGRP, etc.
How does BGP work?
BGP steps
● Each router must have a router ID and an AS number
● Each router must create BGP peers
● Set up BGP filters:
○ Inbound filter
○ Outbound filter
● Exchange routing tables between routers
● Send keepalives periodically
BGP attributes
BGP metrics are called path attributes. Classification:
● Well-known (all routers must support them)
○ Mandatory (must be present in every update)
■ AS-Path
■ Next-hop
■ Origin
○ Discretionary (not always present)
■ Local preference
■ Atomic aggregate
● Optional (some routers do not support them)
○ Transitive (if not recognized, marked as partial and still propagated to neighbors)
■ Community
■ Aggregator
○ Non-transitive (if not recognized, discarded)
■ Multi Exit Discriminator (MED)
BGP best path selection algorithm
1. The router ignores a received path if the route is not valid. A route is valid if:
a. the NEXT_HOP of the route is valid and reachable
b. an AS_PATH received from an external peer does not contain the local AS
c. the route is not rejected by routing filters
2. The first path received is automatically considered the 'best path'. Every further received path is compared to the current best to determine whether the new path is better.
3. Prefer the path with the highest WEIGHT.
a. WEIGHT is local to the router on which it is configured. A route without an assigned WEIGHT has a default value of 0.
4. Prefer the path with the highest LOCAL_PREF. It is used only within an AS.
a. A path without a LOCAL_PREF attribute has a value of 100 by default.
5. Prefer the path with the shortest AS_PATH (skipped if ignore-as-path-len is set to yes).
a. Each AS_SET counts as 1, regardless of the set size. AS_CONFED_SEQUENCE and AS_CONFED_SET are not included in the AS_PATH length.
6. Prefer the path that was locally originated via aggregate or a BGP network statement.
7. Prefer the path with the lowest ORIGIN type.
a. Interior Gateway Protocol (IGP) is lower than Exterior Gateway Protocol (EGP), and EGP is lower than INCOMPLETE; in other words IGP < EGP < INCOMPLETE.
8. Prefer the path with the lowest multi-exit discriminator (MED).
a. The router compares the MED attribute only for paths that have the same neighboring (leftmost) AS. Paths without an explicit MED value are treated as having a MED of 0.
9. Prefer eBGP over iBGP paths.
10. Prefer the route that comes from the BGP router with the lowest router ID. If a route carries the ORIGINATOR_ID attribute, the ORIGINATOR_ID is used instead of the router ID.
11. Prefer the route with the shortest route reflection cluster list. Routes without a cluster list are considered to have a cluster list of length 0.
12. Prefer the path that comes from the lowest neighbor address.
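Added example (not part of the slides): the twelve steps above as a Python comparator, run over constructed candidate paths for 17.0.0.0/22 as seen by a router in AS 15 (the AS numbers come from the topology slide; peer addresses, router IDs and next hops are constructed). Step 1 checks next-hop reachability, the local AS inside an eBGP AS_PATH, and the inbound filter verdict.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: this router sits in AS 15 (one of the AS numbers on the topology slide).
LOCAL_AS = 15

# Step 7: IGP < EGP < INCOMPLETE
ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass
class BgpPath:
    neighbor: str                      # address of the peer the path was learned from
    next_hop: str
    as_path: List[int] = field(default_factory=list)  # an AS_SET would be one element
    origin: str = "igp"
    weight: int = 0                    # local to this router; default 0 (step 3a)
    local_pref: int = 100              # default 100 when the attribute is absent (step 4a)
    med: int = 0                       # an absent MED is treated as 0 (step 8a)
    ebgp: bool = True
    router_id: str = "0.0.0.0"
    originator_id: Optional[str] = None  # replaces router_id in step 10 when present
    cluster_list_len: int = 0
    locally_originated: bool = False   # via aggregate or BGP network statement
    rejected_by_filter: bool = False   # verdict of the inbound routing filter


def ip_key(ip: str):
    """Compare dotted-quad addresses numerically, octet by octet."""
    return tuple(int(o) for o in ip.split("."))


def is_valid(p: BgpPath, reachable_next_hops) -> bool:
    """Step 1: usable only if NEXT_HOP is reachable, an eBGP AS_PATH does not
    already contain our own AS, and the inbound filter accepted the route."""
    if p.next_hop not in reachable_next_hops:
        return False
    if p.ebgp and LOCAL_AS in p.as_path:
        return False
    return not p.rejected_by_filter


def better(a: BgpPath, b: BgpPath, ignore_as_path_len: bool = False) -> BgpPath:
    """Steps 3..12 in order; returns the preferred of two valid paths.
    On a complete tie the first argument (the current best) is kept."""
    if a.weight != b.weight:                                            # 3
        return a if a.weight > b.weight else b
    if a.local_pref != b.local_pref:                                    # 4
        return a if a.local_pref > b.local_pref else b
    if not ignore_as_path_len and len(a.as_path) != len(b.as_path):     # 5
        return a if len(a.as_path) < len(b.as_path) else b
    if a.locally_originated != b.locally_originated:                    # 6
        return a if a.locally_originated else b
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:                  # 7
        return a if ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin] else b
    # 8: MED is only comparable between paths with the same neighboring (leftmost) AS
    if a.as_path and b.as_path and a.as_path[0] == b.as_path[0] and a.med != b.med:
        return a if a.med < b.med else b
    if a.ebgp != b.ebgp:                                                # 9
        return a if a.ebgp else b
    a_id, b_id = a.originator_id or a.router_id, b.originator_id or b.router_id
    if a_id != b_id:                                                    # 10
        return a if ip_key(a_id) < ip_key(b_id) else b
    if a.cluster_list_len != b.cluster_list_len:                        # 11
        return a if a.cluster_list_len < b.cluster_list_len else b
    return a if ip_key(a.neighbor) <= ip_key(b.neighbor) else b         # 12


def select_best(paths, reachable_next_hops, ignore_as_path_len=False):
    """Step 2: the first valid path is 'best' until a later one beats it."""
    valid = [p for p in paths if is_valid(p, reachable_next_hops)]
    if not valid:
        return None
    best = valid[0]
    for candidate in valid[1:]:
        best = better(best, candidate, ignore_as_path_len)
    return best


# Constructed sample: candidate paths for 17.0.0.0/22 learned by a router in AS 15.
REACHABLE = {"10.0.13.1", "10.0.13.2", "10.0.19.1", "10.0.19.2"}
VIA_13 = BgpPath("10.0.13.1", "10.0.13.1", [13, 17], router_id="13.0.0.1")
VIA_13_MED = BgpPath("10.0.13.2", "10.0.13.2", [13, 17], med=50, router_id="13.0.0.2")
VIA_19_LONG = BgpPath("10.0.19.1", "10.0.19.1", [19, 11, 17], router_id="11.0.0.1")
VIA_19_LP = BgpPath("10.0.19.2", "10.0.19.2", [19, 17], local_pref=200, router_id="19.0.0.2")
LOOPED = BgpPath("10.0.13.1", "10.0.13.1", [13, 15, 17], router_id="13.0.0.1")  # has our AS
UNREACHABLE = BgpPath("10.0.99.1", "10.0.99.1", [19, 17], router_id="19.0.0.9")

if __name__ == "__main__":
    best = select_best([VIA_13, VIA_13_MED, VIA_19_LONG, VIA_19_LP, LOOPED, UNREACHABLE], REACHABLE)
    print("best path via", best.neighbor, "AS_PATH", best.as_path)
```

The LOCAL_PREF 200 path wins even though it is learned last, and the path that already contains AS 15 is dropped before any comparison, which is the loop protection the first step provides.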
BGP prefix distribution
Topology
[Topology diagram: five transit ASes, AS 11 (11.0.0.0/22), AS 13 (13.0.0.0/22), AS 15 (15.0.0.0/22), AS 17 (17.0.0.0/22) and AS 19 (19.0.0.0/22), built from routers R1-R10, R21-R30 and R41-R50; a lab AS 86 with router R86, switch SW86 (192.168.86.0/24), routers R61-R70, switches SW51-SW60 and PCs pc71-pc80; interface labels E2-E6 mark the links]
BGP peer
BGP pull-up route
BGP best practice: aggregate
● You get an address block from the RIR (e.g. a /22)
● You split (subnet) the address block into smaller prefixes (/23, /24, /25, etc.) for different purposes:
○ For customers
○ Special subnets, etc.
● Aggregation: announcing the whole address block received from the RIR to the internet
● Do not advertise the split subnets
● Techniques:
○ Redistribute
○ Aggregate
○ Pull-up route
Pull-up route
● Inject the whole prefix received from the RIR into the ASBR routing table
● Note: the longest prefix wins, so the more specific routes for assigned subnets are still preferred
● Good for security: packets for which no more specific route exists are dropped
● Avoids a routing loop with the upstream provider
QnA
Any questions?
Interested? Just come to our training...
● Topics are arranged in a systematic and logical way
● You will learn from an experienced teacher
● Not only learn the materials, but also share experiences, best practices, and networking
End of slides
● Thank you for your attention
● Please submit your feedback: http://bit.ly/glcfeedback
● Find our further events on our website: https://www.glcnetworks.com
● Like our facebook page: https://www.facebook.com/glcnetworks
● Slides: https://www.slideshare.net/glcnetworks/
● Discord (bahasa indonesia): https://discord.gg/6MZ3KUHHBX
● Recordings (youtube): https://www.youtube.com/c/GLCNetworks
● Stay tuned for our schedule
39

More Related Content

Similar to BGP security tuning: pull-up route

Tuning OSPF: area hierarchy, LSA, and area type
Tuning OSPF:  area hierarchy, LSA, and area typeTuning OSPF:  area hierarchy, LSA, and area type
Tuning OSPF: area hierarchy, LSA, and area typeGLC Networks
 
Firewall mangle PBR: steering outbound path similar to inbound
Firewall mangle PBR: steering outbound path similar to inboundFirewall mangle PBR: steering outbound path similar to inbound
Firewall mangle PBR: steering outbound path similar to inboundGLC Networks
 
Policy Based Routing with Indirect BGP - Part 1
Policy Based Routing with Indirect BGP - Part 1Policy Based Routing with Indirect BGP - Part 1
Policy Based Routing with Indirect BGP - Part 1GLC Networks
 
BGP vs OSPF on Mikrotik
BGP vs OSPF on MikrotikBGP vs OSPF on Mikrotik
BGP vs OSPF on MikrotikGLC Networks
 
Mikrotik User Meeting Manila: bgp vs ospf
Mikrotik User Meeting Manila: bgp vs ospfMikrotik User Meeting Manila: bgp vs ospf
Mikrotik User Meeting Manila: bgp vs ospfAchmad Mardiansyah
 
BGP on RouterOS7 -Part 1
BGP on RouterOS7 -Part 1BGP on RouterOS7 -Part 1
BGP on RouterOS7 -Part 1GLC Networks
 
OSPF On Router OS7
OSPF On Router OS7OSPF On Router OS7
OSPF On Router OS7GLC Networks
 
MPLS on Router OS V7 - Part 1
MPLS on Router OS V7 - Part 1MPLS on Router OS V7 - Part 1
MPLS on Router OS V7 - Part 1GLC Networks
 
Controlling Access Between Devices in the same Layer 2 Segment
Controlling Access Between Devices in the same Layer 2 SegmentControlling Access Between Devices in the same Layer 2 Segment
Controlling Access Between Devices in the same Layer 2 SegmentGLC Networks
 
MTCNA Intro to routerOS
MTCNA Intro to routerOSMTCNA Intro to routerOS
MTCNA Intro to routerOSGLC Networks
 
Mikrotik IP Settings For Performance and Security
Mikrotik IP Settings For Performance and SecurityMikrotik IP Settings For Performance and Security
Mikrotik IP Settings For Performance and SecurityGLC Networks
 
Best Current Practice (BCP) 38 Ingress Filtering for Security
Best Current Practice (BCP) 38 Ingress Filtering for SecurityBest Current Practice (BCP) 38 Ingress Filtering for Security
Best Current Practice (BCP) 38 Ingress Filtering for SecurityGLC Networks
 
MTCNA : Intro to RouterOS - Part 1
MTCNA : Intro to RouterOS - Part 1MTCNA : Intro to RouterOS - Part 1
MTCNA : Intro to RouterOS - Part 1GLC Networks
 
CCNA : Intro to Cisco IOS - Part 1
CCNA :  Intro to Cisco IOS - Part 1CCNA :  Intro to Cisco IOS - Part 1
CCNA : Intro to Cisco IOS - Part 1GLC Networks
 
Network LACP/Bonding/Teaming with Mikrotik
Network LACP/Bonding/Teaming with MikrotikNetwork LACP/Bonding/Teaming with Mikrotik
Network LACP/Bonding/Teaming with MikrotikGLC Networks
 
Zabbix for Monitoring
Zabbix for MonitoringZabbix for Monitoring
Zabbix for MonitoringGLC Networks
 
Routing fundamentals with mikrotik
Routing fundamentals with mikrotikRouting fundamentals with mikrotik
Routing fundamentals with mikrotikAchmad Mardiansyah
 
BGP Services IP Transit vs IP Peering
BGP Services  IP Transit vs IP PeeringBGP Services  IP Transit vs IP Peering
BGP Services IP Transit vs IP PeeringGLC Networks
 
Internet Protocol Deep-Dive
Internet Protocol Deep-DiveInternet Protocol Deep-Dive
Internet Protocol Deep-DiveGLC Networks
 

Similar to BGP security tuning: pull-up route (20)

Tuning OSPF: area hierarchy, LSA, and area type
Tuning OSPF:  area hierarchy, LSA, and area typeTuning OSPF:  area hierarchy, LSA, and area type
Tuning OSPF: area hierarchy, LSA, and area type
 
Firewall mangle PBR: steering outbound path similar to inbound
Firewall mangle PBR: steering outbound path similar to inboundFirewall mangle PBR: steering outbound path similar to inbound
Firewall mangle PBR: steering outbound path similar to inbound
 
Policy Based Routing with Indirect BGP - Part 1
Policy Based Routing with Indirect BGP - Part 1Policy Based Routing with Indirect BGP - Part 1
Policy Based Routing with Indirect BGP - Part 1
 
BGP vs OSPF on Mikrotik
BGP vs OSPF on MikrotikBGP vs OSPF on Mikrotik
BGP vs OSPF on Mikrotik
 
Mikrotik User Meeting Manila: bgp vs ospf
Mikrotik User Meeting Manila: bgp vs ospfMikrotik User Meeting Manila: bgp vs ospf
Mikrotik User Meeting Manila: bgp vs ospf
 
BGP on RouterOS7 -Part 1
BGP on RouterOS7 -Part 1BGP on RouterOS7 -Part 1
BGP on RouterOS7 -Part 1
 
OSPF On Router OS7
OSPF On Router OS7OSPF On Router OS7
OSPF On Router OS7
 
MPLS on Router OS V7 - Part 1
MPLS on Router OS V7 - Part 1MPLS on Router OS V7 - Part 1
MPLS on Router OS V7 - Part 1
 
Controlling Access Between Devices in the same Layer 2 Segment
Controlling Access Between Devices in the same Layer 2 SegmentControlling Access Between Devices in the same Layer 2 Segment
Controlling Access Between Devices in the same Layer 2 Segment
 
MTCNA Intro to routerOS
MTCNA Intro to routerOSMTCNA Intro to routerOS
MTCNA Intro to routerOS
 
Mikrotik IP Settings For Performance and Security
Mikrotik IP Settings For Performance and SecurityMikrotik IP Settings For Performance and Security
Mikrotik IP Settings For Performance and Security
 
Best Current Practice (BCP) 38 Ingress Filtering for Security
Best Current Practice (BCP) 38 Ingress Filtering for SecurityBest Current Practice (BCP) 38 Ingress Filtering for Security
Best Current Practice (BCP) 38 Ingress Filtering for Security
 
MTCNA : Intro to RouterOS - Part 1
MTCNA : Intro to RouterOS - Part 1MTCNA : Intro to RouterOS - Part 1
MTCNA : Intro to RouterOS - Part 1
 
CCNA : Intro to Cisco IOS - Part 1
CCNA :  Intro to Cisco IOS - Part 1CCNA :  Intro to Cisco IOS - Part 1
CCNA : Intro to Cisco IOS - Part 1
 
Network LACP/Bonding/Teaming with Mikrotik
Network LACP/Bonding/Teaming with MikrotikNetwork LACP/Bonding/Teaming with Mikrotik
Network LACP/Bonding/Teaming with Mikrotik
 
Zabbix for Monitoring
Zabbix for MonitoringZabbix for Monitoring
Zabbix for Monitoring
 
Routing fundamentals with mikrotik
Routing fundamentals with mikrotikRouting fundamentals with mikrotik
Routing fundamentals with mikrotik
 
BGP filter with mikrotik
BGP filter with mikrotikBGP filter with mikrotik
BGP filter with mikrotik
 
BGP Services IP Transit vs IP Peering
BGP Services  IP Transit vs IP PeeringBGP Services  IP Transit vs IP Peering
BGP Services IP Transit vs IP Peering
 
Internet Protocol Deep-Dive
Internet Protocol Deep-DiveInternet Protocol Deep-Dive
Internet Protocol Deep-Dive
 

More from GLC Networks

GIT as Mikrotik Configuration Management
GIT as Mikrotik Configuration ManagementGIT as Mikrotik Configuration Management
GIT as Mikrotik Configuration ManagementGLC Networks
 
Building a Web Server with NGINX
Building a Web Server with NGINXBuilding a Web Server with NGINX
Building a Web Server with NGINXGLC Networks
 
Policy Based Routing with Indirect BGP - Part 2
Policy Based Routing with Indirect BGP - Part 2Policy Based Routing with Indirect BGP - Part 2
Policy Based Routing with Indirect BGP - Part 2GLC Networks
 
Network Monitoring with The Dude and Whatsapp
Network Monitoring with The Dude and WhatsappNetwork Monitoring with The Dude and Whatsapp
Network Monitoring with The Dude and WhatsappGLC Networks
 
Automatic Backup via FTP - Part 2
Automatic Backup via FTP - Part 2Automatic Backup via FTP - Part 2
Automatic Backup via FTP - Part 2GLC Networks
 
Automatic Backup via FTP - Part 1
Automatic Backup via FTP - Part 1Automatic Backup via FTP - Part 1
Automatic Backup via FTP - Part 1GLC Networks
 
Voice Services, From Circuit Switch to VoIP
Voice Services, From Circuit Switch to VoIPVoice Services, From Circuit Switch to VoIP
Voice Services, From Circuit Switch to VoIPGLC Networks
 
MPLS on Router OS V7 - Part 2
MPLS on Router OS V7 - Part 2MPLS on Router OS V7 - Part 2
MPLS on Router OS V7 - Part 2GLC Networks
 
BGP on RouterOS7 - Part 2
BGP on RouterOS7 - Part 2BGP on RouterOS7 - Part 2
BGP on RouterOS7 - Part 2GLC Networks
 
OSPF On Router OS7 - Part 2
OSPF On Router OS7 - Part 2OSPF On Router OS7 - Part 2
OSPF On Router OS7 - Part 2GLC Networks
 
Using Zettabyte Filesystem (ZFS)
Using Zettabyte Filesystem (ZFS)Using Zettabyte Filesystem (ZFS)
Using Zettabyte Filesystem (ZFS)GLC Networks
 

More from GLC Networks (12)

GIT as Mikrotik Configuration Management
GIT as Mikrotik Configuration ManagementGIT as Mikrotik Configuration Management
GIT as Mikrotik Configuration Management
 
Building a Web Server with NGINX
Building a Web Server with NGINXBuilding a Web Server with NGINX
Building a Web Server with NGINX
 
EOIP Deep Dive
EOIP Deep DiveEOIP Deep Dive
EOIP Deep Dive
 
Policy Based Routing with Indirect BGP - Part 2
Policy Based Routing with Indirect BGP - Part 2Policy Based Routing with Indirect BGP - Part 2
Policy Based Routing with Indirect BGP - Part 2
 
Network Monitoring with The Dude and Whatsapp
Network Monitoring with The Dude and WhatsappNetwork Monitoring with The Dude and Whatsapp
Network Monitoring with The Dude and Whatsapp
 
Automatic Backup via FTP - Part 2
Automatic Backup via FTP - Part 2Automatic Backup via FTP - Part 2
Automatic Backup via FTP - Part 2
 
Automatic Backup via FTP - Part 1
Automatic Backup via FTP - Part 1Automatic Backup via FTP - Part 1
Automatic Backup via FTP - Part 1
 
Voice Services, From Circuit Switch to VoIP
Voice Services, From Circuit Switch to VoIPVoice Services, From Circuit Switch to VoIP
Voice Services, From Circuit Switch to VoIP
 
MPLS on Router OS V7 - Part 2
MPLS on Router OS V7 - Part 2MPLS on Router OS V7 - Part 2
MPLS on Router OS V7 - Part 2
 
BGP on RouterOS7 - Part 2
BGP on RouterOS7 - Part 2BGP on RouterOS7 - Part 2
BGP on RouterOS7 - Part 2
 
OSPF On Router OS7 - Part 2
OSPF On Router OS7 - Part 2OSPF On Router OS7 - Part 2
OSPF On Router OS7 - Part 2
 
Using Zettabyte Filesystem (ZFS)
Using Zettabyte Filesystem (ZFS)Using Zettabyte Filesystem (ZFS)
Using Zettabyte Filesystem (ZFS)
 

Recently uploaded

Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 

Recently uploaded (20)

Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 

BGP security tuning: pull-up route

  • 10. 7 OSI layer & protocol
    ● The OSI model is a conceptual model from ISO (International Organization for Standardization) for the OSI (Open Systems Interconnection) project
    ● When you send a message with a courier, you add extra information so that the message reaches its destination; in networking this process is called encapsulation
    ● What is a protocol?
      ○ A set of rules for communication
      ○ Available on each layer
    ● Communication consists of a series of encapsulations
      ○ SDU: service data unit (the data before the header is added)
      ○ PDU: protocol data unit (after the header is added)
  • 11. Layered model (TCP/IP vs ISO) and encapsulation
    (figure: layered diagram; only the label "datagram" survives extraction)
  • 12. Did you notice?
    ● The encapsulation process adds considerable overhead
    ● More encapsulation means less room for payload in each frame
  • 13. Router and Routing
    ● A router is a network device that forwards packets based on layer 3 information (the layer 3 header)
    ● Routing is the process of selecting a path for traffic within a network, or between or across multiple networks
    (figure: physical router and router icon)
  • 14. Typical connection (physical)
    ● A router connects layer 2 segments
    ● The router works on layer 3, connecting L2 segments, which means each layer 2 segment has its own network ID
    (figure: R1, R2 and R3)
  • 15. Typical connection (logical) and routing table
    Routing table:
    ● A table on the router that is used to forward packets
    ● Available on every device (routers and hosts)
    ● Entries are matched by longest prefix: the most specific entry that contains the destination wins, and the default route only applies when nothing else matches
    (figure: R1 192.168.0.1/26, R2 192.168.0.2/26 and R3 192.168.0.3/26 share 192.168.0.0/26; R1 serves 192.168.1.0/24 (192.168.1.1, host 192.168.1.9), R2 serves 192.168.2.0/24 (192.168.2.2, host 192.168.2.9), R3 serves 192.168.3.0/24 (192.168.3.3, host 192.168.3.9))
    Routing table of R1:
      destination        gateway
      192.168.0.0/26     direct
      192.168.1.0/24     direct
      192.168.2.0/24     192.168.0.2
      192.168.3.0/24     192.168.0.3
      192.168.16.3/32    192.168.0.2
      0.0.0.0/0          192.168.0.3 (default gateway)
  • 16. Forwarding packets using the routing table
    ● It works like a firewall: match and action
    ● When a packet arrives, the routing table is consulted to decide where to forward it
    ● Think in binary to see how the match works: a destination matches an entry when its first <prefix length> bits equal the entry's network bits (only those bits are shown below)
      destination         network bits (binary)                    gateway
      192.168.16.3/32     11000000 10101000 00010000 00000011      192.168.0.2
      192.168.0.0/26      11000000 10101000 00000000 00            direct
      192.168.1.0/24      11000000 10101000 00000001               direct
      192.168.2.0/24      11000000 10101000 00000010               192.168.0.2
      192.168.3.0/24      11000000 10101000 00000011               192.168.0.3
      0.0.0.0/0           (no bits to compare: matches everything)  192.168.0.3
  • 17. A packet arrived at R1… (example)
    The destination IP address of the packet is 192.168.2.6. Which gateway do we use?
    192.168.2.6 = 11000000 10101000 00000010 00000110
      destination         network bits (binary)                    gateway
      192.168.16.3/32     11000000 10101000 00010000 00000011      192.168.0.2
      192.168.0.0/26      11000000 10101000 00000000 00            direct
      192.168.1.0/24      11000000 10101000 00000001               direct
      192.168.2.0/24      11000000 10101000 00000010               192.168.0.2
      192.168.3.0/24      11000000 10101000 00000011               192.168.0.3
      0.0.0.0/0           (matches everything)                     192.168.0.3
    Answer: the first 24 bits of 192.168.2.6 are 11000000 10101000 00000010, which match 192.168.2.0/24, so the packet is sent to gateway 192.168.0.2. The /32 and the other /24s do not match; 0.0.0.0/0 matches too, but it is shorter and loses to the /24.
  • 19. How routing works & administrative distance (analogy)
    (figure: road signs giving the distance to each city; each sign corresponds to one routing table entry)
      road sign          destination       gateway        distance
      CITY 1, 100 km     10.10.10.0/24     192.168.0.1    10
      CITY 2, 120 km     10.10.20.0/24     192.168.0.2    12
      CITY 2, 90 km      10.10.20.0/24     192.168.0.3    9
      CITY 3, 500 km     10.10.30.0/24     192.168.0.3    50
      CITY 4, 250 km     10.10.40.0/24     192.168.0.4    25
    Two entries lead to 10.10.20.0/24; the one with the lower distance (9, via 192.168.0.3) is used.
  • 20. Administrative distance
    ● Distance is only considered when the prefix length is the same (longest prefix match is decided first)
    ● Lowest distance wins
    ● The administrative distance values depend on the vendor
    ● (the slide shows a table of default administrative distances on a Cisco router; the table did not survive extraction)
  • 21. Static routing
    ● Entries in the routing table are created manually
    ● The admin must manage the routing table on every router
    ● The admin has full control
    (figure: the same topology and R1 routing table as slide 15)
  • 22. Dynamic routing
    ● Routers talk to each other using a routing protocol (RIP, OSPF, BGP)
    ● Entries in the routing table are created automatically
    ● The admin must have a good knowledge of the routing protocol in use
    (figure: the same topology and R1 routing table as slide 15)
  • 23. Routing metric
    ● A value a router uses to choose between routes to the same destination; what it measures depends on the routing protocol
    ● OSPF: accumulated cost
    ● RIP: hop count
    ● IS-IS: cost
    ● EIGRP: composite of bandwidth, load, delay, reliability and MTU
    ● BGP: no single metric; path attributes such as AS-Path, Next-hop, Origin, Local preference, Atomic aggregate and Multi Exit Discriminator (MED) are compared in a fixed order (slide 30)
  • 24. Asymmetric routing
    ● Each router decides the next hop for one direction of the traffic only
    ● Forwarding is based on the destination IP address of the packet
    ● There is no guarantee that the return path is the same as the outgoing path
    ● You can only control your own outgoing forwarding; the return path is chosen by the remote side's routers
    (figure: R1 192.168.0.1/26, R3 192.168.0.3/26 and R2 with networks 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24)
  • 26. What is BGP?
    ● Dynamic routing protocol, path-vector
    ● Connects autonomous systems (AS numbers)
    ● Each router must create BGP peers
      ○ It only sends and receives routing prefixes to and from its peers
    ● Runs over TCP, port 179; the BGP session exists only while the TCP connection between the peers is up
    ● Used between all autonomous systems on the internet
    ● Route contents:
      ○ Full routes: all prefixes in the internet (the full table)
      ○ Partial routes: specific prefixes only
    Need to consider:
    ● Requires knowledge to operate
    ● More complex (compared to RIP), lots of options
  • 27. Autonomous System (AS), IGP, BGP
    ● An AS is a collection of routers and networks
    ● Under one administration (organisation, company, etc.)
    ● Identified by an AS number, allocated by IANA via the RIRs (APNIC, LACNIC, AFRINIC, ARIN, RIPE NCC)
    ● BGP runs between ASes
    ● Inside an AS we run an IGP (Interior Gateway Protocol): RIP, OSPF, IS-IS, EIGRP, etc.
    (figure: AS1, AS2, AS3 and AS4, with router R1)
  • 28. How does BGP work? BGP steps
    ● Each router must have a router-id and an AS number
    ● Each router must create its BGP peers
    ● Set up BGP filters before bringing the session up:
      ○ Inbound filter (what you accept from the peer)
      ○ Outbound filter (what you announce to the peer)
    ● Routers exchange their routing tables
    ● Keepalives are sent periodically
  • 29. BGP attributes
    BGP metrics are called path attributes. Classification:
    ● Well-known (every BGP router must support them)
      ○ Mandatory (must be present in every UPDATE)
        ■ AS-Path
        ■ Next-hop
        ■ Origin
      ○ Discretionary (may be absent)
        ■ Local preference
        ■ Atomic aggregate
    ● Optional (some routers do not support them)
      ○ Transitive (if not recognised, marked as partial and still propagated to neighbours)
        ■ Community
        ■ Aggregator
      ○ Non-transitive (if not recognised, discarded and not propagated)
        ■ Multi Exit Discriminator (MED)
  • 30. BGP best path selection algorithm
    1. The router ignores a received path if the route is not valid. A route is valid if:
       a. the NEXT_HOP of the route is valid and reachable
       b. the AS_PATH received from an external peer does not contain the local AS
       c. the route is not rejected by the routing filters
    2. The first path received is automatically considered the best path. Each further path is compared to the current best to determine whether the new path is better.
    3. Prefer the path with the highest WEIGHT.
       a. WEIGHT is local to the router on which it is configured. A route without an assigned WEIGHT has a default value of 0.
    4. Prefer the path with the highest LOCAL_PREF. It is used only within an AS.
       a. A path without a LOCAL_PREF attribute has a value of 100 by default.
    5. Prefer the path with the shortest AS_PATH (skipped if ignore-as-path-len is set to yes).
       a. Each AS_SET counts as 1, regardless of the set size. AS_CONFED_SEQUENCE and AS_CONFED_SET are not included in the AS_PATH length.
    6. Prefer the path that was locally originated via an aggregate or a BGP network statement.
    7. Prefer the path with the lowest ORIGIN type.
       a. Interior Gateway Protocol (IGP) is lower than Exterior Gateway Protocol (EGP), and EGP is lower than INCOMPLETE; in other words IGP < EGP < INCOMPLETE.
    8. Prefer the path with the lowest multi-exit discriminator (MED).
       a. The router compares MED only between paths that have the same neighbouring (leftmost) AS. Paths without an explicit MED value are treated as having a MED of 0.
    9. Prefer eBGP over iBGP paths.
    10. Prefer the route that comes from the BGP router with the lowest router ID. If a route carries the ORIGINATOR_ID attribute, the ORIGINATOR_ID is used instead of the router ID.
    11. Prefer the route with the shortest route reflection cluster list. Routes without a cluster list are considered to have a cluster list of length 0.
    12. Prefer the path that comes from the lowest neighbour address.
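The twelve steps above are easy to misread as a single sort key, but they are not: MED (step 8) is compared only between paths that enter through the same leftmost AS, and the validity checks of step 1 remove a path before any preference is looked at. The following Python is an added example, not code from the GLC slides or from RouterOS; it implements the comparison pairwise in exactly the slide's order and folds it over the paths in arrival order, which is what step 2 describes. The paths are constructed for an ASBR in lab AS 11 choosing a route to 15.0.0.0/22; every next-hop, neighbour and router-id address is an assumption.

```python
"""BGP best-path selection in the order of the slide's 12 steps.

Added example; not code from the GLC slides or from RouterOS. The paths are
constructed for an ASBR in lab AS 11 choosing a route to 15.0.0.0/22; every
next-hop, neighbour and router-id address is an assumption.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, Union

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}  # step 7: IGP < EGP < INCOMPLETE
AsPathElem = Union[int, frozenset]                  # int = one AS, frozenset = one AS_SET


@dataclass(frozen=True)
class Path:
    prefix: str
    next_hop: str
    as_path: Tuple[AsPathElem, ...]
    neighbor: str                   # peer address the path came from (step 12)
    router_id: str                  # peer's router ID (step 10)
    origin: str = "igp"
    weight: int = 0                 # step 3, default 0
    local_pref: int = 100           # step 4, default 100
    med: Optional[int] = None       # step 8, absent is treated as 0
    locally_originated: bool = False
    ebgp: bool = True
    originator_id: Optional[str] = None
    cluster_list: Tuple[str, ...] = ()


def as_path_contains(as_path, asn):
    """True if asn appears in the AS_PATH, including inside an AS_SET."""
    return any(e == asn or (isinstance(e, frozenset) and asn in e) for e in as_path)


def is_valid(p, local_as, reachable, accept=lambda p: True):
    """Step 1: reachable NEXT_HOP, no local AS in an eBGP AS_PATH, not filtered."""
    if p.next_hop not in reachable:
        return False
    if p.ebgp and as_path_contains(p.as_path, local_as):
        return False  # our own AS in the path: a loop, drop it
    return accept(p)


def better(a, b):
    """True if path a is preferred over path b, applying steps 3-12 in order."""
    if a.weight != b.weight:
        return a.weight > b.weight
    if a.local_pref != b.local_pref:
        return a.local_pref > b.local_pref
    if len(a.as_path) != len(b.as_path):  # an AS_SET is one element, so it counts as 1
        return len(a.as_path) < len(b.as_path)
    if a.locally_originated != b.locally_originated:
        return a.locally_originated
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:
        return ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin]
    # MED is only compared between paths learned through the same leftmost AS.
    if a.as_path and b.as_path and isinstance(a.as_path[0], int) and a.as_path[0] == b.as_path[0]:
        if (a.med or 0) != (b.med or 0):
            return (a.med or 0) < (b.med or 0)
    if a.ebgp != b.ebgp:
        return a.ebgp
    id_a = ipaddress.ip_address(a.originator_id or a.router_id)
    id_b = ipaddress.ip_address(b.originator_id or b.router_id)
    if id_a != id_b:
        return id_a < id_b
    if len(a.cluster_list) != len(b.cluster_list):
        return len(a.cluster_list) < len(b.cluster_list)
    return ipaddress.ip_address(a.neighbor) < ipaddress.ip_address(b.neighbor)


def best_path(paths, local_as, reachable, accept=lambda p: True):
    """Step 2: the first valid path is the initial best; later paths must beat it."""
    best = None
    for p in paths:
        if is_valid(p, local_as, reachable, accept) and (best is None or better(p, best)):
            best = p
    return best


# Constructed paths for 15.0.0.0/22 as seen by AS 11 (addresses are assumptions).
REACHABLE = {"10.0.12.2", "10.0.13.2", "10.0.17.2"}
P_SHORT = Path("15.0.0.0/22", "10.0.12.2", (13, 15), "10.0.12.2", "10.0.0.13")
P_PREF = Path("15.0.0.0/22", "10.0.17.2", (17, 19, 15), "10.0.17.2", "10.0.0.17", local_pref=200)
P_LOOP = Path("15.0.0.0/22", "10.0.13.2", (13, 11, 15), "10.0.13.2", "10.0.0.13")
P_DEAD = Path("15.0.0.0/22", "10.0.99.2", (15,), "10.0.99.2", "10.0.0.15")
P_MED_LOW = Path("15.0.0.0/22", "10.0.12.2", (13, 15), "10.0.12.2", "10.0.0.13", med=10)
P_MED_HIGH = Path("15.0.0.0/22", "10.0.13.2", (13, 15), "10.0.13.2", "10.0.0.13", med=20)
P_CROSS = Path("15.0.0.0/22", "10.0.17.2", (17, 15), "10.0.17.2", "10.0.0.17", med=5)

if __name__ == "__main__":
    chosen = best_path([P_SHORT, P_PREF, P_LOOP, P_DEAD], local_as=11, reachable=REACHABLE)
    print("best:", chosen.as_path, "via", chosen.next_hop)  # (17, 19, 15) via 10.0.17.2
```

Two things worth noticing when you run it: the path with the local AS in its AS_PATH (P_LOOP) never reaches the preference steps at all, which is the loop protection eBGP relies on, and P_CROSS keeps its low MED from mattering against P_MED_HIGH because the two enter through different neighbouring ASes, so the decision falls through to router ID.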
  • 32. Topology
    (figure: lab topology. Five customer ASes each announce one /22: AS 11 11.0.0.0/22, AS 13 13.0.0.0/22, AS 15 15.0.0.0/22, AS 17 17.0.0.0/22 and AS 19 19.0.0.0/22. Routers R1-R10, R21-R30, R41-R50 and R61-R70 are interconnected on ports E2-E6; the management network is AS 86, 192.168.86.0/24, behind switch SW86 and router R86; access switches SW51-SW60 connect lab PCs pc71-pc80.)
  • 35. BGP best practice: aggregate
    ● You get an address block from the RIR (e.g. a /22)
    ● You split (subnet) the block into smaller prefixes (/23, /24, /25, etc.) for different purposes:
      ○ For customers
      ○ Special-purpose subnets, etc.
    ● Aggregation: announce the whole address block received from the RIR to the internet
    ● Do not advertise the split subnets to the internet; your upstream and the rest of the internet only need the aggregate
    ● Techniques:
      ○ Redistribute
      ○ Aggregate
      ○ Pull-up route
  • 36. Pull-up route
    ● Inject the whole prefix from the RIR (the aggregate, e.g. the /22) into the ASBR's routing table as a static route with a blackhole (discard) target, so the aggregate is always present and can always be announced to the upstream, even when only some of its subnets are in use
    ● Note: longest prefix wins, so traffic for a subnet that has a more specific route still follows that route; only traffic for parts of the block with no specific route falls through to the pull-up route
    ● Good for security: packets for addresses inside your block that have no specific route are dropped on the ASBR instead of being forwarded along the default route
    ● Avoids a routing loop with the upstream provider: without the pull-up route, a packet for an unused address in your block arrives from the upstream (which has learnt your /22), matches only your default route, is sent back to the upstream, and bounces between the two routers until its TTL expires
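The following Python is an added example, not code from the GLC slides or from RouterOS. It models the three things the preceding slides rely on: longest-prefix match (slides 15-17), administrative distance as a tie-break between equal-length prefixes (slides 19-20), and the effect of a pull-up route on an ASBR (slide 36). R1's routing table and the 10.10.x.0/24 distances are taken from the slides and the lab block 11.0.0.0/22 from slide 32; the upstream next hop 203.0.113.1, the customer next hop 10.0.0.2 and the customer subnet 11.0.0.0/24 are assumptions.

```python
"""Longest-prefix-match forwarding, administrative distance, and what a
pull-up route changes on an ASBR.

Added example; not code from the GLC slides or from RouterOS. The tables are
constructed from the slides' own values (R1's table on slides 15-17, the
distance analogy on slide 19, the lab block 11.0.0.0/22 on slide 32). The
upstream next hop 203.0.113.1, the customer next hop 10.0.0.2 and the
customer subnet 11.0.0.0/24 are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[str]       # None means directly connected
    distance: int = 1            # administrative distance, lower wins
    blackhole: bool = False      # discard instead of forwarding (the pull-up route)


def route(prefix, gateway=None, distance=1, blackhole=False):
    return Route(ipaddress.ip_network(prefix), gateway, distance, blackhole)


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix wins; administrative distance breaks ties only between
    equal-length prefixes (slide 20). Returns None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.prefix.prefixlen, -r.distance))


def forward(table: List[Route], dst: str) -> str:
    """The forwarding action the router takes for a packet to dst."""
    r = lookup(table, dst)
    if r is None:
        return "no route"
    if r.blackhole:
        return "drop"
    if r.gateway is None:
        return "direct"
    return f"via {r.gateway}"


# R1's routing table from slides 15-17.
R1_TABLE = [
    route("192.168.16.3/32", "192.168.0.2"),
    route("192.168.0.0/26"),
    route("192.168.1.0/24"),
    route("192.168.2.0/24", "192.168.0.2"),
    route("192.168.3.0/24", "192.168.0.3"),
    route("0.0.0.0/0", "192.168.0.3"),
]

# Slide 19: two routes to 10.10.20.0/24 with different administrative distances.
AD_TABLE = [
    route("10.10.10.0/24", "192.168.0.1", distance=10),
    route("10.10.20.0/24", "192.168.0.2", distance=12),
    route("10.10.20.0/24", "192.168.0.3", distance=9),
    route("10.10.30.0/24", "192.168.0.3", distance=50),
    route("10.10.40.0/24", "192.168.0.4", distance=25),
]

UPSTREAM = "203.0.113.1"   # assumption: the upstream provider's next hop


def asbr_table(with_pullup: bool) -> List[Route]:
    """ASBR of the lab AS that owns 11.0.0.0/22. Only 11.0.0.0/24 is assigned
    (to a customer behind 10.0.0.2, an assumption); the rest of the /22 is unused."""
    table = [
        route("11.0.0.0/24", "10.0.0.2"),
        route("0.0.0.0/0", UPSTREAM),
    ]
    if with_pullup:
        # The pull-up route: the whole /22 as a discard route. It keeps the
        # aggregate in the table for announcement and swallows traffic to the
        # unused part of the block instead of returning it to the upstream.
        table.append(route("11.0.0.0/22", blackhole=True))
    return table


if __name__ == "__main__":
    print("192.168.2.6 ->", forward(R1_TABLE, "192.168.2.6"))                  # via 192.168.0.2
    print("11.0.3.7 without pull-up ->", forward(asbr_table(False), "11.0.3.7"))  # via 203.0.113.1
    print("11.0.3.7 with pull-up ->", forward(asbr_table(True), "11.0.3.7"))      # drop
```

The two ASBR lookups are the whole point of the slide: without the pull-up route, a packet for the unused address 11.0.3.7 matches only the default route and goes straight back to the upstream that just delivered it, so the two routers ping-pong it until the TTL runs out; with the /22 blackhole in place the packet is discarded locally, while 11.0.0.9 in the assigned /24 is still forwarded to the customer because the longer prefix wins. On the router itself the pull-up route is nothing more than a static route for the aggregate with a blackhole target, which you then announce instead of the individual /24s.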
  • 38. Interested? Just come to our training...
    ● Topics are arranged in a systematic and logical way
    ● You will learn from an experienced teacher
    ● You will not only learn the material, but also share experiences, best practices and networking
  • 39. End of slides
    ● Thank you for your attention
    ● Please submit your feedback: http://bit.ly/glcfeedback
    ● Find our further events on our website: https://www.glcnetworks.com
    ● Like our Facebook page: https://www.facebook.com/glcnetworks
    ● Slides: https://www.slideshare.net/glcnetworks/
    ● Discord (bahasa Indonesia): https://discord.gg/6MZ3KUHHBX
    ● Recording (YouTube): https://www.youtube.com/c/GLCNetworks
    ● Stay tuned for our schedule