BGP LAB for SPADVROUTE

Lab Topology

Tasks:
    1. Implement Route Reflectors;
    2. Configure a Route Reflector and Internal BGP session;
    3. Restrict Route Propagation to a Client;
    4. Implement BGP Security Options;
    5. Implement BGP Neighbor Authentication Using Key Chains;
    6. Enable BGP TTL Security Check;
    7. Enable CoPP;
    8. Enable RTBH Filtering;
    9. Improve BGP Scalability;
    10. Improve BGP Convergence by Changing the BGP Scan and Advertisement Interval;
    11. Improve BGP Convergence by Enabling BFD;
    12. Implement BGP Route Dampening;

---------------------------------------------------------------------------------------------------------------
    1. Implement Route Reflectors;
---------------------------------------------------------------------------------------------------------------
####
1-a. Configure IP addressing (IPv4 and IPv6)
####

Example of router P1 interface configuration:

P1#sh run | sec interface
interface Loopback0
 ip address 10.0.1.1 255.255.255.255
 ipv6 address 2001:DB8:10:0:1::1/128
interface Ethernet0/0
 ip address 192.168.11.1 255.255.255.0
 ip router isis
 ipv6 address 2001:DB8:192:168:11::1/80
interface Ethernet0/1
 ip address 192.168.2.1 255.255.255.0
 ip router isis
 ipv6 address 2001:DB8:192:168:2::1/80
 isis circuit-type level-2-only
interface Ethernet0/2
 ip address 192.168.1.1 255.255.255.0
 ip router isis
 ipv6 address 2001:DB8:192:168:1::1/80
 isis circuit-type level-2-only
interface Ethernet0/3
 ip address 192.168.21.1 255.255.255.0
 ip router isis
 ipv6 address 2001:DB8:192:168:21::1/80

###
 1-b. Configure IGP (ISIS)
###

In order to enable IS-IS for IP on a Cisco router and have it exchange routing information with other IS-IS enabled routers, you must perform these two tasks:

  • Enable the IS-IS process and assign area

  • Enable IS-IS for IP routing on an interface

The configuration below places routers P1 and P2 in area 49.0000, and routers PE1 and PE2 in areas 49.0001 and 49.0002 respectively. By default all routers are level-1-2 (L1/L2). Loopback interfaces are configured as passive, so they are advertised by IS-IS without running IS-IS on them, unless configured otherwise.

P1:
router isis
 net 49.0000.0100.0000.1001.00
 passive-interface Loopback0
!
PE1:
router isis
 net 49.0001.0100.0100.1001.00
 passive-interface Loopback0
!
PE2:
router isis
 net 49.0002.0100.0200.1001.00
 passive-interface Loopback0

Monitoring ISIS:

Use the show clns neighbor command to display the adjacencies for a specific router:

PE1#sh clns neighbors

Tag null:
System Id      Interface   SNPA                State  Holdtime  Type Protocol
P1             Et0/2       aabb.cc00.0800      Up     8         L2   IS-IS
PE2            Et0/1       aabb.cc00.0110      Up     28        L2   IS-IS
P2             Et0/3       aabb.cc00.0630      Up     6         L2   IS-IS

P2#sh clns interface ethernet 0/1
Ethernet0/1 is up, line protocol is up
  Checksums enabled, MTU 1497, Encapsulation SAP
  ERPDUs enabled, min. interval 10 msec.
  CLNS fast switching disabled
  CLNS SSE switching disabled
  DEC compatibility mode OFF for this interface
  Next ESH/ISH in 13 seconds
  Routing Protocol: IS-IS
    Circuit Type: level-1-2
    Interface number 0x1, local circuit ID 0x2
    Level-1 Metric: 10, Priority: 64, Circuit ID: P1.02
    DR ID: P1.02
    Level-1 IPv6 Metric: 10
    Number of active level-1 adjacencies: 1
    Level-2 Metric: 10, Priority: 64, Circuit ID: P1.02
    DR ID: P1.02
    Level-2 IPv6 Metric: 10
    Number of active level-2 adjacencies: 1
    Next IS-IS LAN Level-1 Hello in 4 seconds
    Next IS-IS LAN Level-2 Hello in 108 milliseconds

 

Monitoring ISIS database and routing table

PE2#sh isis database

Tag null:
IS-IS Level-1 Link State Database:
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
PE2.00-00           * 0x00000004   0x0B86        677               1/0/0
IS-IS Level-2 Link State Database:
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
P1.00-00              0x00000006   0x785C        782               0/0/0
P1.01-00              0x00000002   0xEDB8        585               0/0/0
P1.02-00              0x00000002   0x5244        557               0/0/0
P1.03-00              0x00000002   0x4B4A        733               0/0/0
P1.04-00              0x00000002   0xEEB3        746               0/0/0
P2.00-00              0x00000006   0x8022        745               0/0/0
P2.01-00              0x00000002   0x4441        561               0/0/0
P2.04-00              0x00000002   0x196A        673               0/0/0
PE1.00-00             0x00000004   0xC9D7        564               0/0/0
PE1.01-00             0x00000002   0x049F        675               0/0/0
PE2.00-00           * 0x00000004   0x88FF        747               0/0/0

PE2# sh ip route isis
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/32 is subnetted, 6 subnets
i L2     10.0.1.1 [115/10] via 192.168.21.1, 00:22:04, Ethernet0/3
i L2     10.0.2.1 [115/10] via 192.168.22.2, 00:22:04, Ethernet0/2
i L2     10.1.1.1 [115/10] via 192.168.112.10, 00:22:04, Ethernet0/1
i L2  192.168.1.0/24 [115/20] via 192.168.22.2, 00:22:04, Ethernet0/2
                     [115/20] via 192.168.21.1, 00:22:04, Ethernet0/3
i L2  192.168.2.0/24 [115/20] via 192.168.22.2, 00:22:04, Ethernet0/2
                     [115/20] via 192.168.21.1, 00:22:04, Ethernet0/3
i L2  192.168.11.0/24 [115/20] via 192.168.112.10, 00:22:04, Ethernet0/1
                      [115/20] via 192.168.21.1, 00:22:04, Ethernet0/3
i L2  192.168.12.0/24 [115/20] via 192.168.112.10, 00:22:04, Ethernet0/1
                      [115/20] via 192.168.22.2, 00:22:04, Ethernet0/2
PE2#

###
 1-c. Configure BGP
###

All four routers (PE1, PE2, P1, P2) are in AS 64500. Routers P1 and P2 will be configured as route reflectors (RR), and PE1 and PE2 as RR clients.
On the PE routers, the internal neighbors are configured using loopback IP addresses:

PE1# sh run | sec bgp
router bgp 64500
 neighbor 10.0.1.1 remote-as 64500
 neighbor 10.0.1.1 update-source Loopback0
 neighbor 10.0.1.1 next-hop-self
 neighbor 10.0.2.1 remote-as 64500
 neighbor 10.0.2.1 update-source Loopback0
 neighbor 10.0.2.1 next-hop-self

Routers P1 and P2 have iBGP sessions with the PE routers and act as route reflectors. The cluster ID on both routers is set to the same value, the router ID of P1.

P1#sh run | sec bgp
router bgp 64500
 neighbor 10.0.2.1 remote-as 64500
 neighbor 10.0.2.1 update-source Loopback0
 neighbor 10.1.1.1 remote-as 64500
 neighbor 10.1.1.1 cluster-id 10.0.1.1
 neighbor 10.1.1.1 update-source Loopback0
 neighbor 10.1.1.1 route-reflector-client
 neighbor 10.2.1.1 remote-as 64500
 neighbor 10.2.1.1 cluster-id 10.0.1.1
 neighbor 10.2.1.1 update-source Loopback0
 neighbor 10.2.1.1 route-reflector-client

P2#sh run | sec bgp
router bgp 64500
 neighbor 10.0.1.1 remote-as 64500
 neighbor 10.0.1.1 update-source Loopback0
 neighbor 10.1.1.1 remote-as 64500
 neighbor 10.1.1.1 cluster-id 10.0.1.1
 neighbor 10.1.1.1 update-source Loopback0
 neighbor 10.1.1.1 route-reflector-client
 neighbor 10.2.1.1 remote-as 64500
 neighbor 10.2.1.1 cluster-id 10.0.1.1
 neighbor 10.2.1.1 update-source Loopback0
 neighbor 10.2.1.1 route-reflector-client

We can see that the PE router receives the route from both RRs, each copy carrying the same cluster ID:

PE1#sh bgp
BGP table version is 4, local router ID is 10.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.1.10.1/32     192.168.101.11           0             0 64501 i
 *   10.1.100.1/32    192.168.101.11           0             0 64501 i
 *>i                  172.16.1.1               0   1000      0 ?
 * i 10.2.10.1/32     10.2.1.1                 0    100      0 64502 i
 *>i                  10.2.1.1                 0    100      0 64502 i

PE1#sh ip bgp 10.2.10.1/32
BGP routing table entry for 10.2.10.1/32, version 3
Paths: (2 available, best #2, table default)
  Advertised to update-groups:
     2
  Refresh Epoch 1
  64502
    10.2.1.1 (metric 10) from 10.0.2.1 (10.0.2.1)
      Origin IGP, metric 0, localpref 100, valid, internal
      Originator: 10.2.1.1, Cluster list: 10.0.1.1
      rx pathid: 0, tx pathid: 0
  Refresh Epoch 1
  64502
    10.2.1.1 (metric 10) from 10.0.1.1 (10.0.1.1)
      Origin IGP, metric 0, localpref 100, valid, internal, best
      Originator: 10.2.1.1, Cluster list: 10.0.1.1
      rx pathid: 0, tx pathid: 0x0
PE1#

SPADVROUTE101LG-C LAB1

1. Configure all IPv4 and IPv6 interfaces.
For example IPv4 address 192.168.10x.x/24 corresponds to ipv6 address 2001:db8:192:168:10x::x/80
IPv4 Loopback address  10.1.1x.x corresponds to ipv6 Loopback address 2001:db8:10:1:1x::x/128
Verified connectivity on every link via ping and ping ipv6.


2. Configure ISIS on PE and P routers.

IOS routers ISIS config:
router isis
 net 49.0001.0100.0100.1001.00
 is-type level-2-only
 passive-interface Loopback0

interface Ethernet0/x
 ip router isis
 ipv6 router isis


XRv routers ISIS config:
router isis 1
 is-type level-2-only
 net 49.0000.0100.0000.1001.00
 interface Loopback0
  address-family ipv4 unicast
  !
  address-family ipv6 unicast
  !
 !
 interface GigabitEthernet0/0/0/0
  address-family ipv4 unicast
  !
  address-family ipv6 unicast
  !
 !
 interface GigabitEthernet0/0/0/x
  address-family ipv4 unicast
  !
  address-family ipv6 unicast
  !
 


 Verify connectivity to loopbacks:

PE1#ping ipv6  2001:db8:10:0:2::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:10:0:2::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms
PE1#wr

RP/0/0/CPU0:P1_RR#ping  2001:db8:10:2:1::1
Fri May 29 10:49:20.216 UTC
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:db8:10:2:1::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/9 ms

RP/0/0/CPU0:P1_RR#sh ip route
Fri May 29 11:00:33.670 UTC

Codes: C - connected, S - static, R - RIP, B - BGP, (>) - Diversion path
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - ISIS, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, su - IS-IS summary null, * - candidate default
       U - per-user static route, o - ODR, L - local, G  - DAGR, l - LISP
       A - access/subscriber, a - Application route
       M - mobile route, (!) - FRR Backup path

Gateway of last resort is not set

L    10.0.1.1/32 is directly connected, 01:25:27, Loopback0
i L2 10.0.2.1/32 [115/20] via 192.168.2.2, 00:23:42, GigabitEthernet0/0/0/2
                 [115/20] via 192.168.1.2, 00:23:42, GigabitEthernet0/0/0/3
i L2 10.2.1.1/32 [115/20] via 192.168.21.20, 00:23:42, GigabitEthernet0/0/0/1
C    192.168.1.0/24 is directly connected, 11:15:21, GigabitEthernet0/0/0/3
L    192.168.1.1/32 is directly connected, 11:15:21, GigabitEthernet0/0/0/3
C    192.168.2.0/24 is directly connected, 11:15:21, GigabitEthernet0/0/0/2
L    192.168.2.1/32 is directly connected, 11:15:21, GigabitEthernet0/0/0/2
C    192.168.11.0/24 is directly connected, 11:15:21, GigabitEthernet0/0/0/0
L    192.168.11.1/32 is directly connected, 11:15:21, GigabitEthernet0/0/0/0
i L2 192.168.12.0/24 [115/20] via 192.168.11.10, 00:13:58, GigabitEthernet0/0/0/0
                     [115/20] via 192.168.2.2, 00:13:58, GigabitEthernet0/0/0/2
                     [115/20] via 192.168.1.2, 00:13:58, GigabitEthernet0/0/0/3
C    192.168.21.0/24 is directly connected, 11:15:21, GigabitEthernet0/0/0/1
L    192.168.21.1/32 is directly connected, 11:15:21, GigabitEthernet0/0/0/1
i L2 192.168.22.0/24 [115/20] via 192.168.21.20, 00:23:42, GigabitEthernet0/0/0/1
                     [115/20] via 192.168.2.2, 00:23:42, GigabitEthernet0/0/0/2
                     [115/20] via 192.168.1.2, 00:23:42, GigabitEthernet0/0/0/3
i L2 192.168.112.0/24 [115/20] via 192.168.11.10, 00:13:58, GigabitEthernet0/0/0/0
                      [115/20] via 192.168.21.20, 00:13:58, GigabitEthernet0/0/0/1
RP/0/0/CPU0:P1_RR#         


RP/0/0/CPU0:PE2#sh route ipv6  
Fri May 29 11:01:03.318 UTC

Codes: C - connected, S - static, R - RIP, B - BGP, (>) - Diversion path
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - ISIS, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, su - IS-IS summary null, * - candidate default
       U - per-user static route, o - ODR, L - local, G  - DAGR, l - LISP
       A - access/subscriber, a - Application route
       M - mobile route, (!) - FRR Backup path

Gateway of last resort is not set

i L2 2001:db8:10:0:1::1/128
      [115/20] via fe80::a00:27ff:febf:493, 00:24:15, GigabitEthernet0/0/0/3
L    2001:db8:10:2:1::1/128 is directly connected,
      01:49:43, Loopback0
i L2 2001:db8:192:168:1::/80
      [115/20] via fe80::a00:27ff:febf:493, 00:24:15, GigabitEthernet0/0/0/3
i L2 2001:db8:192:168:2::/80
      [115/20] via fe80::a00:27ff:febf:493, 00:24:15, GigabitEthernet0/0/0/3
i L2 2001:db8:192:168:11::/80
      [115/20] via fe80::a00:27ff:febf:493, 00:24:15, GigabitEthernet0/0/0/3
C    2001:db8:192:168:21::/80 is directly connected,
      01:11:48, GigabitEthernet0/0/0/3
L    2001:db8:192:168:21::20/128 is directly connected,
      01:11:48, GigabitEthernet0/0/0/3
C    2001:db8:192:168:22::/80 is directly connected,
      01:12:28, GigabitEthernet0/0/0/2
L    2001:db8:192:168:22::20/128 is directly connected,
      01:12:28, GigabitEthernet0/0/0/2
C    2001:db8:192:168:102::/80 is directly connected,
      01:19:53, GigabitEthernet0/0/0/0
L    2001:db8:192:168:102::20/128 is directly connected,
      01:19:53, GigabitEthernet0/0/0/0
C    2001:db8:192:168:112::/80 is directly connected,
      01:17:39, GigabitEthernet0/0/0/1
L    2001:db8:192:168:112::20/128 is directly connected,
      01:17:39, GigabitEthernet0/0/0/1
RP/0/0/CPU0:PE2#        

 

3. Configure BGP between CE and PE routers. We are not using multihop; the neighbors are directly connected.

CE1#sh run | sec bgp
router bgp 64501
 bgp log-neighbor-changes
 network 10.1.10.1 mask 255.255.255.255
 neighbor 192.168.101.10 remote-as 64500
CE1#


PE1# sh run | sec bgp
router bgp 64500
 bgp log-neighbor-changes
 neighbor 10.0.1.1 remote-as 64500
 neighbor 10.0.1.1 update-source Loopback0
 neighbor 10.0.1.1 next-hop-self
 neighbor 10.0.1.1 soft-reconfiguration inbound
 neighbor 10.0.2.1 remote-as 64500
 neighbor 10.0.2.1 update-source Loopback0
 neighbor 10.0.2.1 next-hop-self
 neighbor 10.0.2.1 soft-reconfiguration inbound
 neighbor 192.168.101.11 remote-as 64501
 neighbor 192.168.101.11 soft-reconfiguration inbound
PE1#

RP/0/0/CPU0:PE2# sh run
...
...

router bgp 64500
 address-family ipv4 unicast
 !
 neighbor 10.0.1.1
  remote-as 64500
  update-source Loopback0
  address-family ipv4 unicast
   next-hop-self
  !
 !
 neighbor 10.0.2.1
  remote-as 64500
  update-source Loopback0
  address-family ipv4 unicast
   next-hop-self
  !
 !
 neighbor 192.168.102.21
  remote-as 64502
  address-family ipv4 unicast
   route-policy PASS in
   route-policy PASS out
  !
 !
!
end

RP/0/0/CPU0:PE2#

4. Configure iBGP between PE and P routers.

5. Verify BGP routes on the PE routers. One route should come from the directly connected CE and the other from the other pod, reflected by the P routers (Route Reflectors).

RP/0/0/CPU0:PE2#sh ip bgp
Tue Jun 16 12:21:52.299 UTC
BGP router identifier 10.2.1.1, local AS number 64500
BGP generic scan interval 60 secs
Non-stop routing is enabled
BGP table state: Active
Table ID: 0xe0000000   RD version: 5
BGP main routing table version 5
BGP NSR Initial initsync version 2 (Reached)
BGP NSR/ISSU Sync-Group versions 0/0
BGP scan interval 60 secs

Status codes: s suppressed, d damped, h history, * valid, > best
              i - internal, r RIB-failure, S stale, N Nexthop-discard
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network            Next Hop            Metric LocPrf Weight Path
*>i10.1.10.1/32       10.1.1.1                 0    100      0 64501 i
* i                   10.1.1.1                 0    100      0 64501 i
*> 10.2.10.1/32       192.168.102.21           0             0 64502 i

Processed 2 prefixes, 3 paths
RP/0/0/CPU0:PE2#

 

PE1#sh bgp
BGP table version is 4, local router ID is 10.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.1.10.1/32     192.168.101.11           0             0 64501 i
 *>i 10.2.10.1/32     10.2.1.1                 0    100      0 64502 i
 * i                  10.2.1.1                 0    100      0 64502 i
PE1#sh bgp 10.2.10.1
BGP routing table entry for 10.2.10.1/32, version 4
Paths: (2 available, best #1, table default)
  Advertised to update-groups:
     1         
  Refresh Epoch 1
  64502, (received & used)
    10.2.1.1 (metric 20) from 10.0.1.1 (10.0.1.1)
      Origin IGP, metric 0, localpref 100, valid, internal, best
      Originator: 10.2.1.1, Cluster list: 10.0.1.1
      rx pathid: 0, tx pathid: 0x0
  Refresh Epoch 1
  64502, (received & used)
    10.2.1.1 (metric 20) from 10.0.2.1 (10.0.2.1)
      Origin IGP, metric 0, localpref 100, valid, internal
      Originator: 10.2.1.1, Cluster list: 10.0.2.1
      rx pathid: 0, tx pathid: 0
PE1#
PE1#


RP/0/0/CPU0:PE2#sh ip bgp 10.1.10.1
Tue Jun 16 12:21:26.031 UTC
BGP routing table entry for 10.1.10.1/32
Versions:
  Process           bRIB/RIB  SendTblVer
  Speaker                  5           5
Last Modified: Jun 16 09:28:28.096 for 02:52:58
Paths: (2 available, best #1)
  Advertised to peers (in unique update groups):
    192.168.102.21  
  Path #1: Received by speaker 0
  Advertised to peers (in unique update groups):
    192.168.102.21  
  64501
    10.1.1.1 (metric 20) from 10.0.1.1 (10.1.1.1)
      Origin IGP, metric 0, localpref 100, valid, internal, best, group-best
      Received Path ID 0, Local Path ID 1, version 5
      Originator: 10.1.1.1, Cluster list: 10.0.1.1
  Path #2: Received by speaker 0
  Not advertised to any peer
  64501
    10.1.1.1 (metric 20) from 10.0.2.1 (10.1.1.1)
      Origin IGP, metric 0, localpref 100, valid, internal
      Received Path ID 0, Local Path ID 0, version 0
      Originator: 10.1.1.1, Cluster list: 10.0.2.1
RP/0/0/CPU0:PE2#

 

6. Configure RR cluster ID on P routers:

RP/0/0/CPU0:P1_RR(config)#router bgp 64500
RP/0/0/CPU0:P1_RR(config-bgp)#neighbor 10.1.1.1
RP/0/0/CPU0:P1_RR(config-bgp-nbr)#cluster-id 10.0.1.1
RP/0/0/CPU0:P1_RR(config-bgp-nbr)#exit           
RP/0/0/CPU0:P1_RR(config-bgp)#neighbor 10.2.1.1
RP/0/0/CPU0:P1_RR(config-bgp-nbr)#cluster-id 10.0.1.1
RP/0/0/CPU0:P1_RR(config-bgp-nbr)#exit
RP/0/0/CPU0:P1_RR(config-bgp)#commit

and verify the reflected route on the PE routers:
PE1#sh bgp 10.2.10.1
BGP routing table entry for 10.2.10.1/32, version 5
Paths: (2 available, best #1, table default)
  Advertised to update-groups:
     4         
  Refresh Epoch 1
  64502, (received & used)
    10.2.1.1 (metric 20) from 10.0.1.1 (10.0.1.1)
      Origin IGP, metric 0, localpref 100, valid, internal, best
      Originator: 10.2.1.1, Cluster list: 10.0.1.1
      rx pathid: 0, tx pathid: 0x0
  Refresh Epoch 2
  64502, (received & used)
    10.2.1.1 (metric 20) from 10.0.2.1 (10.0.2.1)
      Origin IGP, metric 0, localpref 100, valid, internal
      Originator: 10.2.1.1, Cluster list: 10.0.1.1
      rx pathid: 0, tx pathid: 0
PE1#
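Route reflection and the cluster-list loop check (RFC 4456), as an added Python model that is not part of the lab notes: it reproduces why PE1 holds two copies of 10.2.10.1/32 in both the section 1-c output and the step 6 output above, once with identical cluster lists (both RRs using cluster-id 10.0.1.1) and once with the distinct cluster lists seen in step 5 before the cluster-id change. Router IDs are the loopbacks from the lab; reducing best-path selection to the two tie-breakers that matter here is an assumption of the model.

```python
"""Route-reflector loop prevention (RFC 4456) for the lab's RR/client set.
Added example, not lab code; router IDs are the loopbacks used above.
"""
from __future__ import annotations

from dataclasses import dataclass, field, replace

PE1, PE2, P1, P2 = "10.1.1.1", "10.2.1.1", "10.0.1.1", "10.0.2.1"


@dataclass(frozen=True)
class Path:
    prefix: str
    next_hop: str
    originator: str | None = None        # ORIGINATOR_ID, set by the first RR
    cluster_list: tuple[str, ...] = ()   # CLUSTER_LIST, newest cluster first


@dataclass
class Speaker:
    router_id: str
    cluster_id: str | None = None        # only route reflectors have one
    clients: set[str] = field(default_factory=set)
    peers: set[str] = field(default_factory=set)   # non-client iBGP peers
    rib_in: dict[str, list[tuple[str, Path]]] = field(default_factory=dict)

    def accept(self, sender: str, path: Path) -> bool:
        """RFC 4456 inbound loop checks; False means the update is discarded."""
        if path.originator == self.router_id:
            return False                 # our own route reflected back to us
        if self.cluster_id and self.cluster_id in path.cluster_list:
            return False                 # already passed through our cluster
        self.rib_in.setdefault(path.prefix, []).append((sender, path))
        return True

    def best(self, prefix: str) -> tuple[str, Path] | None:
        """Only the tie-breakers that matter here: shorter CLUSTER_LIST, then lower peer ID."""
        paths = self.rib_in.get(prefix, [])
        return min(paths, key=lambda sp: (len(sp[1].cluster_list), sp[0])) if paths else None

    def reflect(self, sender: str, path: Path) -> dict[str, Path]:
        """Client routes go to other clients and peers, peer routes to clients only;
        a plain iBGP speaker (no cluster-id) never forwards iBGP routes."""
        if self.cluster_id is None:
            return {}
        targets = self.clients if sender in self.peers else (self.clients - {sender}) | self.peers
        out = replace(path, originator=path.originator or sender,
                      cluster_list=(self.cluster_id,) + path.cluster_list)
        return {t: out for t in targets}


def propagate(net: dict[str, Speaker], origin: str, path: Path) -> None:
    """Announce `path` from `origin`; a speaker re-advertises only when its best path changes."""
    queue = [(origin, nbr, path) for nbr in net[origin].clients | net[origin].peers]
    while queue:
        sender, rid, p = queue.pop(0)
        rx = net[rid]
        before = rx.best(p.prefix)
        if not rx.accept(sender, p) or rx.best(p.prefix) == before:
            continue
        best_sender, best_path = rx.best(p.prefix)
        queue.extend((rid, nxt, out) for nxt, out in rx.reflect(best_sender, best_path).items())


def simulate(p2_cluster_id: str) -> tuple[list[tuple[str, ...]], int]:
    """PE2 originates 10.2.10.1/32 (next-hop-self); returns PE1's cluster lists and P2's path count."""
    net = {PE1: Speaker(PE1, peers={P1, P2}), PE2: Speaker(PE2, peers={P1, P2}),
           P1: Speaker(P1, cluster_id="10.0.1.1", clients={PE1, PE2}, peers={P2}),
           P2: Speaker(P2, cluster_id=p2_cluster_id, clients={PE1, PE2}, peers={P1})}
    propagate(net, PE2, Path("10.2.10.1/32", next_hop=PE2))
    pe1_lists = sorted(p.cluster_list for _, p in net[PE1].rib_in["10.2.10.1/32"])
    return pe1_lists, len(net[P2].rib_in["10.2.10.1/32"])
```

With the shared cluster-id P2 keeps only the path learned directly from PE2 (the copy P1 reflects to it is dropped by the CLUSTER_LIST check), which is why both of PE1's paths show Cluster list 10.0.1.1.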


7. Restrict Route Propagation to a Client

  - Create a policy on P1 to advertise only 10.2.10.1/32 to PE1:

route-policy FILTER_TO_CLIENT
  if destination in (10.2.10.1/32) then
    pass
  else
    drop
  endif
end-policy


router bgp 64500
..
 neighbor 10.1.1.1
  remote-as 64500
  cluster-id 10.0.1.1
  update-source Loopback0
  address-family ipv4 unicast
   route-reflector-client
   route-policy FILTER_TO_CLIENT out
   soft-reconfiguration inbound

 

 ##########################################################################
 Implement BGP Security Options
 
     *Configure authentication between PE and CE peers based on MD5 authentication:
         neighbor 192.168.101.10 password cisco

     *And between PE and P routers using a key chain:

 key chain ibgpsec
 key 9
  accept-lifetime 10:16:00 april 12 2015 infinite
  key-string password 045802150C2E
  send-lifetime 10:16:00 april 12 2015 infinite
  cryptographic-algorithm HMAC-MD5
 !
!

 neighbor 10.0.1.1
  remote-as 64500
  keychain ibgpsec
  update-source Loopback0
  address-family ipv4 unicast
   next-hop-self

*** Specify a valid send and accept lifetime as well; otherwise the key will not be valid. Key IDs should be less than 63.
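A checker for the two rules in the note above (every key needs a valid send and accept lifetime; key IDs must be below 63), as an added Python example that is not part of the lab: it parses the ibgpsec key chain, reports which keys are unusable, and tells which key the router would use to send or accept at a given time. Key 70 is a constructed bad key added for contrast; the lifetime syntax handled is a start time followed by infinite, an end time, or duration in seconds.

```python
"""Key-chain validity checker for the 'ibgpsec' key chain above. Added
example, not lab code; key 70 is a constructed broken key for contrast."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_KEY_ID = 63           # from the note above: key IDs should be less than 63
# Constructed sample: key 9 is the lab's key; key 70 violates both rules.
SAMPLE_KEYCHAIN = """\
key chain ibgpsec
 key 9
  accept-lifetime 10:16:00 april 12 2015 infinite
  key-string password 045802150C2E
  send-lifetime 10:16:00 april 12 2015 infinite
  cryptographic-algorithm HMAC-MD5
 !
 key 70
  key-string clear LAB-ONLY-PLACEHOLDER
  cryptographic-algorithm HMAC-MD5
 !
!
"""


@dataclass
class Key:
    key_id: int
    accept: tuple[datetime, datetime] | None = None   # (start, end) of accept-lifetime
    send: tuple[datetime, datetime] | None = None     # (start, end) of send-lifetime

    def problems(self) -> list[str]:
        """Configuration errors that make the key unusable for the BGP session."""
        out = []
        if self.key_id >= MAX_KEY_ID:
            out.append(f"key {self.key_id}: id must be below {MAX_KEY_ID}")
        if self.accept is None or self.send is None:
            out.append(f"key {self.key_id}: send-lifetime and accept-lifetime are both required")
        return out


def _parse_lifetime(tokens: list[str]) -> tuple[datetime, datetime]:
    """'hh:mm:ss month day year' followed by 'infinite', an end time, or 'duration <secs>'."""
    start = datetime.strptime(" ".join(tokens[:4]), "%H:%M:%S %B %d %Y")
    rest = tokens[4:]
    if rest == ["infinite"]:
        return start, datetime.max
    if rest[0] == "duration":
        return start, start + timedelta(seconds=int(rest[1]))
    return start, datetime.strptime(" ".join(rest), "%H:%M:%S %B %d %Y")


def parse_keychain(text: str) -> dict[int, Key]:
    """Minimal parser for the IOS XR 'key chain' block shown above."""
    keys: dict[int, Key] = {}
    current: Key | None = None
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) == 2 and tokens[0] == "key" and tokens[1].isdigit():
            current = keys.setdefault(int(tokens[1]), Key(int(tokens[1])))
        elif current is not None and tokens and tokens[0] == "accept-lifetime":
            current.accept = _parse_lifetime(tokens[1:])
        elif current is not None and tokens and tokens[0] == "send-lifetime":
            current.send = _parse_lifetime(tokens[1:])
    return keys


def audit(text: str, at: str) -> dict[str, list]:
    """Problems found, plus key IDs usable for sending / accepting at ISO date-time `at`."""
    now, keys = datetime.fromisoformat(at), parse_keychain(text)
    ok = [k for k in keys.values() if not k.problems()]
    return {"problems": [p for k in keys.values() for p in k.problems()],
            "send": [k.key_id for k in ok if k.send[0] <= now < k.send[1]],
            "accept": [k.key_id for k in ok if k.accept[0] <= now < k.accept[1]]}
```

Before the lifetime start (for example on 2015-01-01) no key is usable at all, which is the silent session failure the note warns about.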

 

 

------ Enable BGP TTL Security Check

On IOS XE:
 neighbor 192.168.101.10 ttl-security hops 1

On IOS XR:
 neighbor 192.168.102.21
  ttl-security

IOS XR does not support the 'hops' option, so only one hop (a directly connected neighbor) is assumed by default.

Verification on IOS XR router:
RP/0/RSP0/CPU0:PE1#show lpts flows | begin BGP
<…output omitted…>
L3-proto : IPV4(2)
L4-proto : TCP(6)
VRF-ID : default (0x60000000)
Local-IP : any
Remote-IP : 192.168.105.51
Local-Port : 179
Remote-Port : any
Interface : any (0x0)
Flow-type : BGP-cfg-peer
Min-TTL : 255
Slice : BGP4_FM
Flags : 0x8 (in Pre-IFIB)
Location : 0/RSP0/CPU0
Element References
location / count / scope
0/RSP0/CPU0 / 1 / LR
<…output omitted…>


On IOS XE router:
PE2#show ip bgp neighbors 192.168.102.21 | include TTL
Connection is ECN Disabled, Mininum incoming TTL 254, Outgoing TTL 255

 


#########################################################################
Enable CoPP

On CE router (IOS XE):

class-map match-all BGP-Class
 match access-group name BGP_TRAFFIC
!
policy-map BGP-Policy
 class BGP-Class
  police rate 200 pps conform-action transmit  exceed-action drop

ip access-list extended BGP_TRAFFIC
 permit tcp host 192.168.101.10 host 192.168.101.11 eq bgp
 permit tcp host 192.168.101.10 eq bgp host 192.168.101.11


control-plane
 service-policy input BGP-Policy

 

Verification commands:

CE1# show access-lists
Extended IP access list BGP_TRAFFIC
    10 permit tcp host 192.168.101.10 host 192.168.101.11 eq bgp
    20 permit tcp host 192.168.101.10 eq bgp host 192.168.101.11 (9 matches)

CE1#show class-map
Class Map match-any class-default (id 0)
    Match any

Class Map match-all BGP_CLASS (id 1)
    Match access-group name BGP_TRAFFIC


CE1# show policy-map control-plane
<…output omitted…>
Class-map: BGP_CLASS (match-all)
    11 packets, 953 bytes
    5 minute offered rate 0 bps, drop rate 0 bps
    Match: access-group name BGP_TRAFFIC
    police:
        rate 200 pps, burst 48 packets
    conformed 11 packets; actions:
        transmit
    exceeded 0 packets; actions:
        drop
    conformed 0 pps, exceed 0 pps

Class-map: class-default (match-any)
    273 packets, 24331 bytes
    5 minute offered rate 1000 bps, drop rate 0 bps
    Match: any


#########################################################################
Enable RTBH Filtering
We pick an unused subnet and configure a static route for it with next hop Null0. This subnet will be used to blackhole routes. For example:
On IOS XE:
ip route 172.16.1.0 255.255.255.0 Null0

On IOS XR:
router static
 address-family ipv4 unicast
  172.16.1.0/24 Null0


We pick one router to be the point of control from which blackholing is triggered. In our case we pick the P1 router (IOS XR) and, in addition to the static route, configure a route policy RTBH:
route-policy RTBH
  if tag eq 1 then
    set next-hop 172.16.1.1
    set local-preference 1000
    set community (no-export)
  endif
end-policy

In the BGP configuration we also redistribute static routes through this policy, which matches on the specific tag number:
router bgp 64500
 address-family ipv4 unicast
  redistribute static route-policy RTBH


So now, when we want to blackhole a route, we just configure a static route with the trigger tag on the P1 router (IOS XR):

router static
 address-family ipv4 unicast
  10.0.100.1/32 Null0 tag 1

The policy RTBH sets the next hop of this route to 172.16.1.1, and the route is redistributed into BGP and propagated to all other routers in the AS. Since every router already has the static route 172.16.1.0/24 Null0, traffic to 10.0.100.1/32 resolves through next hop 172.16.1.1 and is blackholed.
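The whole RTBH mechanism above, as an added Python model that is not part of the lab: the RTBH route-policy's effect at redistribution, then the recursive FIB lookup on another router in the AS (PE1 here, with constructed connected/IGP entries) that turns next hop 172.16.1.1 into a Null0 discard for the victim prefix while ordinary prefixes keep forwarding. The untagged 172.16.1.0/24 static is included to show it is not redistributed, because in RPL a route that executes no set or pass is dropped.

```python
"""RTBH as configured above, end to end. Added example, not lab code;
PE1's connected/IGP FIB entries are constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

DISCARD_NEXT_HOP = "172.16.1.1"   # inside 172.16.1.0/24, which every router sends to Null0
TRIGGER_TAG = 1                   # 'if tag eq 1' in route-policy RTBH


@dataclass(frozen=True)
class StaticRoute:
    prefix: str
    interface: str
    tag: int = 0


@dataclass(frozen=True)
class BgpRoute:
    prefix: str
    next_hop: str
    local_pref: int = 100
    communities: tuple[str, ...] = ()


def rtbh_policy(route: StaticRoute) -> BgpRoute | None:
    """'redistribute static route-policy RTBH' on P1, for one static route: a tagged
    static gets the discard next hop, local-preference 1000 so it wins best-path
    everywhere, and no-export so it stays inside the AS. In RPL a set implies pass
    and a route that matches nothing is dropped, so untagged statics are not
    redistributed."""
    if route.tag != TRIGGER_TAG:
        return None
    return BgpRoute(route.prefix, DISCARD_NEXT_HOP, local_pref=1000, communities=("no-export",))


class Fib:
    """Longest-prefix-match table with recursive next-hop resolution."""

    def __init__(self) -> None:
        self.entries: list[tuple[ipaddress.IPv4Network, str]] = []  # (prefix, interface or next-hop IP)

    def add(self, prefix: str, via: str) -> None:
        self.entries.append((ipaddress.ip_network(prefix), via))

    def lookup(self, dst: str, depth: int = 0) -> str:
        """Egress interface for dst; an IP next hop is resolved by a further lookup."""
        addr = ipaddress.ip_address(dst)
        matches = [(net, via) for net, via in self.entries if addr in net]
        if not matches or depth > 8:
            return "unreachable"
        _, via = max(matches, key=lambda e: e[0].prefixlen)
        try:
            ipaddress.ip_address(via)      # next hop is an IP address: recurse
        except ValueError:
            return via                     # already an interface name
        return self.lookup(via, depth + 1)


def run_scenario() -> dict[str, object]:
    """Trigger on P1, redistribute into BGP, then resolve victim and bystander on PE1."""
    statics_on_p1 = [StaticRoute("10.0.100.1/32", "Null0", tag=TRIGGER_TAG),  # the trigger route
                     StaticRoute("172.16.1.0/24", "Null0")]                    # untagged: stays local
    advertised = [r for r in map(rtbh_policy, statics_on_p1) if r is not None]
    pe1 = Fib()
    pe1.add("172.16.1.0/24", "Null0")             # 'ip route 172.16.1.0 255.255.255.0 Null0'
    pe1.add("192.168.101.0/24", "Ethernet0/0")    # constructed: PE1-CE1 link, connected
    pe1.add("10.1.10.1/32", "192.168.101.11")     # CE1's prefix learned over eBGP
    for r in advertised:
        pe1.add(r.prefix, r.next_hop)             # iBGP route from P1 via the route reflectors
    return {"advertised": [r.prefix for r in advertised],
            "10.0.100.1": pe1.lookup("10.0.100.1"),   # victim host -> Null0
            "10.1.10.1": pe1.lookup("10.1.10.1")}     # normal host -> Ethernet0/0
```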

 

So, when we want to null route a network, we j