TCP Intercept

TCP Intercept

Erick N. Borgard CCNP

In this blog entry, we are going to talk about a feature on the Cisco router called TCP intercept. TCP intercept was designed to help in the prevention of denial of service attacks. Before we get into the example, I think it's very important that some fundamental TCP knowledge be reviewed and some terminology covered.  

First let's talk about how two network devices establish a TCP connection.  Remember that TCP is a reliable protocol so a connection has to be made between two devices in order for them to transmit data.  In order for them to be able to form this connection, a TCP 3way handshake must take place.  The TCP 3 way handshake starts with a client sending a SYN(Synchronize) packet with it's own IP address in the source IP address field.  The server will then return a SYN/ACK packet back to the client acknowledging the SYN packet.  Finally, the client will send the server a ACK packet to complete the 3way handshake process.  From there, the client and server can exchange information.  This is a bit over simplified, but for the purposes of this blog, that is fine.

Now a DoS attack is when an attacker sends a plethora of packets with bogus source IP addresses.  When this happens, the server will reply with a SYN/ACK, but the connection will never complete because the server will never receive the ACK packet back from the source.  This leaves a lot of 1/2 open connections effectively eating up a ton of the server's resources that it could otherwise be allocating to other things.  Ultimately, the server will run out of resources and will cease to be able to provide legitimate services to clients who need them.

Enter TCP intercept.  Cisco provides a feature that allows the engineer to configure a router to act as  a proxy for the server.  Cisco's TCP intercept can run in two different modes.

Intercept Mode - Intercepts all legitimate TCP connections as defined in the ACL.  In this mode, the router will establish a TCP with the client on behalf of the server.  In essence, this is what is I would call a TCP proxy.  The router will respond to TCP SYN packets and will patch the connection between the client and server.  

Watch Mode - In this mode the router will passively watch the TCP connections as they pass between the client and the server.  If the connection does not complete within the configured threshold, the router terminates the connection.

When under a DoS, the router will become more aggressive in it's behavior to protect the network.  By default, the router will allow 1100 connections or 1100 connections in a 1 minute period.  From there it will begin to close the oldest connection attempts received.  In addition, the retransmit interval is reduced by one half.  The router will, by default, drop the oldest connections, but this is easily changed to allow the router to drop random connections instead.  The command to allow the router to drop random connections is ip tcp intercept drop-mode random.  

The two things that the router will use in determining if there is an attack is happening are the following.

• Total incomplete connections
• The number of connection attempts in a one minute sampling period

These value are configurable which gives the engineer more granularity when implementing the security policy for the enterprise.  It is also worth mentioning that the the 2 factors above work together to determine when to become more aggressive and when to become less aggressive by the thresholds defined by the engineer.

Now that we have reviewed the basics of how a TCP 3way handshake functions and what a DoS attack is and how a SYN flood operates, we can look at an example.

In this example there will be a web server that will be simulated at R2.  It will be simulated with a loopback interface with IP address 155.2.2.2.  The requirements are as follows.

• Enable TCP intercept on R1 to protect the web server located behind R2.
• The mode should be intercept
• The drop mode should be set to random
• Set the timeout for connections to be 5 minutes

Configuration:

ip access-list extended TCP-Intercept

 permit tcp any host 155.2.2.2

!

!

ip tcp intercept list TCP-Intercept

ip tcp intercept connection-timeout 300

ip tcp intercept drop-mode random

!

!

end

In order to test this, a telnet connection to R2's loopback from R3 can be established.  Remember that TCP intercept is going to inspect data plane traffic, so the traffic needs to pass through the router.

With this feature, there are only two(2) show commands for verification.  They are:

1. show tcp intercept connections
2. show tcp intercept statistics

In this example I am going to enable debug ip tcp intercept on R1 and test with the telnet connection from R3 to R2.

INTERCEPT: new connection (10.0.13.3:21903 SYN -> 155.2.2.2:23)

INTERCEPT(*): (10.0.13.3:21903 <- ACK+SYN 155.2.2.2:23)

INTERCEPT: 1st half of connection is established (10.0.13.3:21903 ACK -> 155.2.2.2:23)

INTERCEPT(*): (10.0.13.3:21903 SYN -> 155.2.2.2:23)

INTERCEPT: 2nd half of connection established  (10.0.13.3:21903 <- ACK+SYN 155.2.2.2:23)

INTERCEPT(*): (10.0.13.3:21903 ACK -> 155.2.2.2:23)

INTERCEPT(*): (10.0.13.3:21903 <- WINDOW 155.2.2.2:23)

In the above debug output, we can see that a new connection attempt was established by R3.  R1 intercepted the packet and replied with a SYN/ACK to R3 to IP address 10.0.13.3.  It then says the 1st half of the connection is established.  Then the router establishes the TCP connection with R2.  After the 2nd half of the connection is established, the router will finally patches the two parts together and allows the TCP connection between R3 to R2.  Let's take a look at the show commands for verification.

R1#show tcp intercept statistics

Intercepting new connections using access-list TCP-Intercept

0 incomplete, 1 established connections (total 1)

1 connection requests per minute

R1#show tcp intercept connections 

Incomplete:

Client                Server                State    Create   Timeout  Mode

Established:

Client                Server                State    Create   Timeout  Mode

10.0.13.3:21903       155.2.2.2:23          ESTAB    00:02:54 00:02:06 I

The above output shows that a connection to server 155.2.2.2 is established.  It also shows that it is intercepting TCP connections using access list TCP-Intercept that we created.  There are no incomplete connections


In summary, this blog examined the basics of the TCP 3way handshake, the definition and examination of a DoS attack and how the Cisco router can be configured to intercept TCP connections and act as a proxy for the servers needing to be protected from potential DoS attacks.

Exploring AAA Basics

Exploring AAA Basics

Erick N. Borgard CCNP

AAA is a protocol used to secure access to a Cisco network device. AAA stands for Authentication, Authorization, & Accounting. The AAA model answers 3 questions.

• Who is on the network?
• What are they allowed to do on the network?
• What have they been doing on the network?

AAA allows for a granular approach to securing the devices by setting policies for either a group or individual and by allowing the administrator to use different method lists for different access types. For example, the engineer could create a method list for authentication that states the TACACS+ server at 10.0.0.1 should be used for console access and should fall back to the local database. A different method list can be used for the VTY lines stating that a RADIUS server should be used and fall back to the local database. If the default method list is used, then it applies to all device access methods.

AAA can be used with both RADIUS & TACACS+ servers to provide secure services. This blog will not go into the details of RADIUS and TACACS+, but there are some noteworthy differences between the two protocols.

• TACACS+ uses TCP port 49 for communication while RADIUS uses UDP port 1645/1646  1812/1813
• TACACS+ encrypts the entire contents of the packet. RADIUS only encrypts the password
• TACACS+ is more flexible in the protocols that it can support.
• TACACS+ is proprietary. RADIUS is defined in RFC 2138 and is an open standard

Configuring AAA on the command line is fairly simple, but the commands can be quite lengthy depending on the optional parameters used within the command set itself.

When AAA is executed, the method lists will be checked in order of configuration. Suppose we have a configuration line that looks like the following:

aaa authentication login default group tacacs+ local

The default method list will be checked in order as configured on the CLI. In this case, the TACACS server would be polled for authentication. If the TACACS server does not respond, the next method in the list will be checked. In this case, it would use the local database. It's important to understand that if authentication fails using the TACACS+ method, the local database will not be used. The local database would only be used if the TACACS+ server was unresponsive.

The engineer does not have to use the default method list when configuring AAA. A separate method list can be defined for each line authentication, authorization and accounting method.

One interesting caveat is that the Cisco IOS will not display the RADIUS commands until the aaa new-model command has been entered into the CLI.  However, the TACACS server can be defined even without the aaa new-model command.

**Note** When the aaa new-model command is issued at the command line, all other authentication methods will be null and the default method list will be applied to all lines. Be very careful here. Can you say password recovery?

Now let's look an an example.  Suppose we have the following requirements.

• Configure AAA on R1
• Set the enable password to CCIE
• Create a user in the local database called USER1 password PASS1
• USER1 should use a method list called LIST1
• USER1 should first try and authenticate to a TACACS+ server located at 177.1.1.7
• Use the key string CCIE for the TACACS+ server
• User authentication should use the local database if the TACACS+ fails to respond.
• The username and password should be case sensitive
• Authentication requests should be sourced from the loopback interface
• The method lists should be applied to the VTY line
• Ensure that privilege level access uses the TACACS+ server and fall back to the enable password

The configuration on R1 will be the following

user USER1 password PASS1
enable password CCIE
!
!
ip tacacs source-interface Loopback1
tacacs-server host 177.1.1.7
tacacs-server key CCIE
!
!
aaa new-model
aaa authentication login LIST1 group tacacs+ local-case 
aaa authentication enable default group tacacs+ enable
!
!
line vty 0 4
login authentication LIST1

We can test this by turning on debug aaa authentication on R1.  We will test this configuration by telnetting to R1 loopback from R3.  The first test will will use the incorrect password to enter privileged exec mode.

AAA/BIND(00000011): Bind i/f
AAA/AUTHEN/LOGIN (00000011): Pick method list 'LIST1'
AAA: parse name=tty98 idb type=-1 tty=-1
AAA: name=tty98 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=98 channel=0
AAA/MEMORY: create_user (0x6723D6E8) user='USER1' ruser='NULL' ds0=0 port='tty98' rem_addr='10.0.13.3' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
AAA/AUTHEN/START (756001): port='tty98' list='' action=LOGIN service=ENABLE
AAA/AUTHEN/START (756001): using "default" list
AAA/AUTHEN/START (756001): Method=tacacs+ (tacacs+)
TAC+: send AUTHEN/START packet ver=192 id=756001
AAA/AUTHEN(756001): Status=ERROR
AAA/AUTHEN/START (756001): Method=ENABLE
AAA/AUTHEN(756001): Status=GETPASS
AAA/AUTHEN/CONT (756001): continue_login (user='(undef)')
AAA/AUTHEN(756001): Status=GETPASS
AAA/AUTHEN/CONT (756001): Method=ENABLE
AAA/AUTHEN(756001): password incorrect
AAA/AUTHEN(756001): Status=FAIL
AAA/MEMORY: free_user (0x6723D6E8) user='NULL' ruser='NULL' port='tty98' rem_addr='10.0.13.3' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)

We can see by the above debug output that the router tried to contact that TACACS+ server and returned a status of "ERROR".  It then used the second method in the list which is the enable password.  It then returned a "password incorrect" message and a status of "FAIL".

Let's try it again and use the correct credentials so we can see the debug output.

AAA/BIND(00000012): Bind i/f
AAA/AUTHEN/LOGIN (00000012): Pick method list 'LIST1'
AAA: parse name=tty98 idb type=-1 tty=-1
AAA: name=tty98 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=98 channel=0
AAA/MEMORY: create_user (0x6728C130) user='USER1' ruser='NULL' ds0=0 port='tty98' rem_addr='10.0.13.3' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
AAA/AUTHEN/START (3981081858): port='tty98' list='' action=LOGIN service=ENABLE
AAA/AUTHEN/START (3981081858): using "default" list
AAA/AUTHEN/START (3981081858): Method=tacacs+ (tacacs+)
TAC+: send AUTHEN/START packet ver=192 id=-313885438
AAA/AUTHEN(3981081858): Status=ERROR
AAA/AUTHEN/START (3981081858): Method=ENABLE
AAA/AUTHEN(3981081858): Status=GETPASS
AAA/AUTHEN/CONT (3981081858): continue_login (user='(undef)')
AAA/AUTHEN(3981081858): Status=GETPASS
AAA/AUTHEN/CONT (3981081858): Method=ENABLE
AAA/AUTHEN(3981081858): Status=PASS
AAA/MEMORY: free_user (0x6728C130) user='NULL' ruser='NULL' port='tty98' rem_addr='10.0.13.3' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)

From the above output, we can see that the router tried to contact the TACACS+ server and returned a status of "ERROR", meaning the TACACS+ server did not respond so the router used the second method in the list.  This time authentication was successful.  We can verify that by seeing the Status=PASS message in the debug output.

BGP Conditional Advertisement

If you ever took a programming course or have done any development, you probably have heard of an “If/Then” statement.  An "If/Then" statement is one that says if a condition exists, then take a specific action.  BGP conditional advertising uses a similar logic, but uses something called advertise maps and non-exist or exist maps.  In this example, I will use the advertise map and non-exist map.

Diagram1-1

In this example, we have R4 multi-homed with two different ISPs.  The company has a few public addresses to advertise to the internet to ensure reachability.  The subnets include the following:

• 77.10.12.0/24
• 77.14.16.0/24
• 78.55.97.0/24

The company BGP policy states that subnet 77.10.12.0/24 & 78.55.97.0 should be advertised to both service providers.  The policy also states that traffic entering the AS for subnet 77.14.16.0/24 must use the link between R2 & R4.  If the link between R2 & R4 should fail, traffic for subnet 77.14.16.0/24 should use the link between R3& R4 to ensure reachability.

While we could use AS path prepending to hint to the upstream providers how traffic should enter the AS.  This doesn't mean all traffic will use only one path if AS path prepending is used.  One way to ensure all traffic for subnet 77.14.16.0/24 uses a specific link, is to only advertise the subnet to the ISP where the traffic is expected.  With the requirements that are given, BGP conditional advertising can be used to meet those requirements.

The way in which to approach this is by using a non-exist-map to check for the existence of a default route from R2. (That's the “If”part) If the default route from R2 is removed from the BGP table, the non-exist-map will match and R4 will begin to advertise the 77.14.16.0/24 network to R3 with the advertise-map. (That's the“Then” part)

If the default route from R2 is installed into the BGP table, the non-exist-map will not match and the route being advertised to R3 will be withdrawn.

Here are the intermediate configurations of R2, R3 and R4

R2

interface Loopback77

 ip address 7.7.7.7 255.255.255.255

!

!

router bgp 200

 no synchronization

 bgp router-id 2.2.2.2

 bgp log-neighbor-changes

 network 7.7.7.7 mask 255.255.255.255

 neighbor 10.10.12.1 remote-as 100

 neighbor 10.10.24.4 remote-as 400

 neighbor 10.10.24.4 default-originate

 no auto-summary

R3

router bgp 300

 no synchronization

 bgp router-id 3.3.3.3

 bgp log-neighbor-changes

 neighbor 10.10.13.1 remote-as 100

 neighbor 10.10.34.4 remote-as 400

 neighbor 10.10.34.4 default-originate

 no auto-summary

R4

interface Loopback1

 ip address 77.10.12.1 255.255.255.0

!

interfaceLoopback2

 ip address 77.14.16.1 255.255.255.0

!

interfaceLoopback3

 ip address 78.55.97.1 255.255.255.0

!

!

router bgp 400

 no synchronization

 bgp router-id 4.4.4.4

 bgp log-neighbor-changes

 network 77.10.12.0 mask 255.255.255.0

 network 77.14.16.0 mask 255.255.255.0

 network 78.55.97.0 mask 255.255.255.0

 neighbor 10.10.24.2 remote-as 200

 neighbor 10.10.24.2 distribute-list 5 in

 neighbor 10.10.24.2 distribute-list 10 out

 neighbor 10.10.34.3 remote-as 300

 neighbor 10.10.34.3 distribute-list 5 in

 neighbor 10.10.34.3 distribute-list 10 out

 neighbor 10.10.34.3 advertise-map ADVERTISE non-exist-map NON-EXIST

 no auto-summary

!

!

access-list 5 permit 0.0.0.0

access-list 10 permit 77.10.12.0 0.0.0.255

access-list 10 permit 77.14.16.0 0.0.0.255

access-list 10 permit 78.55.97.0 0.0.0.255

access-list 30 permit 0.0.0.0

access-list 40 permit 77.14.16.0 0.0.0.255

!

!

!

route-map NON-EXIST permit 10

 match ip address 30

!

route-map ADVERTISE permit 40

 match ip address 40

There is a problem with the above configuration.  With this configuration, the NON-EXIST portion of the BGP conditional advertisement will never match.  The reason is that it's only checking for the existence of a default route.  R4 is receiving a default route from both R2 &R3.  The NON-EXIST portion would never match because there will always be a default route in the routing table.  The engineer needs a way to identify which default route to look for.  With BGP conditional advertising, the engineer can create an as-path access-list to identify which AS the default route should be coming from.  The additional configuration would be:

Ip as-path access-list 10 permit ^200$

!

!

route-map NON-EXIST permit 10

 match ip address 30

 match as-path 10

**Note**  The configuration is applied using the neighbor advertise-map non-exist-map configuration command.

Now, if the link between R2 & R4 fails, the non-exist-map will match because both conditions have matched.  The default route has been removed and it was sourced from AS 200.

We can verify that the configuration is working as expected by viewing the routes we are advertising to R3.  R4 should not be advertising the 77.14.16.0/24 network because R4 is receiving a default route from R2.

R4#show ip bgp neighbor 10.10.34.3 advertised-routes  | b O

Origin codes: i - IGP, e - EGP, ? - incomplete

Network            Next Hop      Metric  LocPrf  Weight  Path

*>77.10.12.0/24    0.0.0.0            0           32768  i

*>78.55.97.0/24    0.0.0.0            0           32768  i

To test this, a continuous ping will be started to 77.14.16.1 from R1.  The link between R2 & R4 will be shut down to simulate a link failure.  Because BGP is timer driven, and there has been no changes to the default timers, it will take BGP 3 minutes or longer to converge.  The timers can be adjusted in a lab environment to get the results faster, but in this example the timers will be left at their defaults so the reader can get an understanding of how long it takes BGP to converge after a link failure using BGP conditional advertising.

Once the link between R2 & R4 is shut down a console message on R4 appears.

*Mar  1 01:33:29.675: BGP(0): 10.10.34.3 rcv UPDATE about 77.14.16.0/24 – withdrawn

Note the time that the interface failed in the console message.  This is when BGP sent an UPDATE message to withdraw routes.  Now let's take a look at the debug output when the non-exist-map get a match.

*Mar  1 01:36:25.859: BPG(0): Condition NON-EXIST changes to Advertise

*Mar  1 01:36:25.863: BPG(0): Condition NON-EXIST changes to Advertise

*Mar  1 01:36:25.867: BGP(0): net 77.14.16.0/24 matches ADV MAP ADVERTISE: bump version to 11

*Mar  1 01:36:26.651: BGP(0): 10.10.34.3 77.14.16.0/24 matches advertise map ADVERTISE, state: Advertise

*Mar  1 01:36:55.935: BGP(0): 10.10.34.3 send UPDATE (format) 77.14.16.0/24, next 10.10.34.4, metric 0, path Local

Looking at the time stamps, we can see it took 3 min (180 seconds) for BGP to converge.  The default hold timer for BGP is 180 seconds.

Now let's take a look at R1 where the pings were running.

Type escape sequence to abort.

Sending 10000, 100-byte ICMP Echos to 77.14.16.1, timeout is 2 seconds:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!U....................................

......................................................!!!!!!!!!!!!!!!!

To verify that the conditional advertising is working, we can look at the routes we are sending to R3.  We should now see that R4 is advertising the 77.14.16.0/24 network to R3.

R4#show ip bgp neighbor 10.10.34.3 advertised-routes  | b O

Origin codes: i - IGP, e - EGP, ? - incomplete

Network            Next Hop      Metric  LocPrf  Weight  Path

*> 77.10.12.0/24   0.0.0.0            0           32768 i

*> 77.14.16.0/24   0.0.0.0            0           32768 i

*> 78.55.97.0/24   0.0.0.0            0           32768 i

Now let's bring the link between R2 & R4 back up and examine the debug output on R4.

*Mar  1 01:56:32.463: BPG(0): Condition NON-EXIST changes to Withdraw

*Mar  1 01:56:32.463: BPG(0): Condition NON-EXIST changes to Withdraw

*Mar  1 01:56:32.463: BGP(0): net 77.14.16.0/24 matches ADV MAP ADVERTISE: bump version to 8

*Mar  1 01:56:32.679: BGP(0): 10.10.24.2 skip UPDATE 77.14.16.0/24(chgflags: 0x0), next 0.0.0.0, path *Mar  1 01:56:32.679: BGP(0): 10.10.34.3 77.14.16.0/24 matches advertise map ADVERTISE, state: Withdraw

You can see that once the link is brought back online the NON-EXIST condition does not match and the state changes from advertise to withdraw.

In conclusion, this document outlined the basic function and operation of BGP conditional advertisement.  For more information, please refer to the documentation at Cisco.com.

BGP Summarization Part 2

BGP Summarization Part 2

Erick N. Borgard CCNP

In part one of BGP Summarization, we looked at the “static route” to Null0 approach to BGP summarization.  We found that we could create a summary route using the network command or with redistribution.  In addition,  I showed how to use the same concept to advertise a default route into BGP.

The last thing that was covered was the correct use of the network command in BGP.

In this blog, we will take a look at the aggregate-address command briefly.  We will not explore any of the options that go along with the aggregate-address command. The options and features will be saved for other documents.  This document will give a brief overview of the aggregate-address command.

Diagram 1-1

Before we dive into the example, it's important to do a bit more digging into what actually happens with BGP route aggregation.  When a BGP router performs route aggregation using the aggregate-address command, the AS path information is lost and the aggregating router sets the atomic aggregate attribute to inform the upstream neighbors that AS path information has been lost.  If the as-set argument is used, BGP AS path information is built.  The atomic aggregate will consist of the aggregating router's ASN and BGP router-id.

eBGP speaking routers use the AS path information to avoid routing loops.(iBGP uses cluster-id in the case the route reflectors are used)  If a router receives a a route and it sees it's own AS in the path, the router will not accept the route information.  When aggregation occurs, the AS path information is lost, thereby creating the possibility of a routing loop.  eBGP speaking routers will hold the AS path information in the in the AS_SEQUENCE segment of the AS path attribute.  This is an ordered list of autonomous systems that the route has passed through with each consecutive autonomous prepending it's own AS in the AS path information.  The use of the as-set argument restores the AS path information for the aggregate in an unordered list.  The same rules apply inside of confederation autonomous systems, the only difference is how it's handled inside the AS and which segments of the AS path attribute are being used.

There are 4 parts to the AS Path attribute. They include the following:

AS_SEQUENCE	An ordered list of AS path information
AS_SET	An unordered list of AS path information
AS_CONFED_SEQ	An ordered list of confederated AS(s) path information
AS_CONFED_SET	An unordered list of confederated AS(s) path information

One thing to remember is that with the “static route” method of summarization, no AS path information is lost.  In our previous example, we used the network command and redistribution to create the summary.  Let's take a lookat R2's entry in the BGP table to see if the atomic aggregate attribute is set on the route.

R2#sh ip bgp 10.10.0.0255.255.192.0

BGP routing table entry for10.10.0.0/18, version 11

Paths: (1 available, best#1, table Default-IP-Routing-Table)

  Advertised to update-groups:

        1

  100

    100.1.1.1 from 100.1.1.1(1.1.1.1)

      Origin IGP, metric 0,local pref 100, valid, external, best

Notice that there is no atomic aggregate attribute set when when the method in part one isused.  Now lets use the aggregate-address command.  By default, when using the aggregate-address command, the router will send the summary and the more specific routes to it's neighbors this is the opposite of the static route method.  We can use the summary-only key word to instruct the router to only send the summary.  Another difference between the two methods is that if we want to use the aggregate-address command, there must be at least one component subnet in the BGP table to form the aggregate route.  This is not the case with the static route method.

Here is the output of R2 after we use the aggregate-address 10.10.0.0 255.255.192.0 command on R1.

R2#sh ip bgp 10.10.0.0255.255.192.0

BGP routing table entry for10.10.0.0/18, version 13

Paths: (1 available, best#1, table Default-IP-Routing-Table)

Flag: 0x820

  Advertised to update-groups:

        1

  100, (aggregated by 1001.1.1.1)

    100.1.1.1 from 100.1.1.1(1.1.1.1)

      Origin IGP, metric 0,local pref 100, valid, external,atomic aggregate, best

Here we see that without the use of the as-set argument, the atomic aggregate attribute is set and passed along to it's neighbors.  We can verify this by examining the output of the same command on R3. (Not shown in picture)

R3#sh ip bgp 10.10.0.0255.255.192.0

BGP routing table entry for10.10.0.0/18, version 13

Paths: (1 available, best#1, table Default-IP-Routing-Table)

  Not advertised to any peer

  200 100, (aggregated by100 1.1.1.1)

    101.1.1.2 from 101.1.1.2(2.2.2.2)

      Origin IGP, local pref100, valid, external,atomic-aggregate, best

We can also look at the BGP table on R1 to see that the more specific route has been suppressed.

R1#sh ip bgp

BGP table version is 24,local router ID is 1.1.1.1

Status codes: s suppressed,d damped, h history, * valid, > best, i - internal,r RIB-failure,S Stale

Origin codes: i - IGP, e -EGP, ? - incomplete

   Network          Next Hop      Metric LocPrf Weight Path

*> 10.10.0.0/18     0.0.0.0                      32768 i

s> 10.10.10.0/24    0.0.0.0                      32768 i

Now let's take a look at an example where the as-set argument is used to rebuild the AS path information in an unordered list.  We will use the aggregate-address10.10.0.0 255.255.192.0 as-set summary-only command on R1 and examine the output of the aggregate on R2.

BGP(0): Aggregate processing for IPv4 Unicast

BGP(0): For aggregate 10.10.0.0/18

BGP(0): 10.10.0.0/18 subtree has an entry 10.10.10.0/24

BGP(0): sub-prefix : 10.10.10.0/24

BGP(0): Needs to be re-aggregated

BGP(0): 10.10.0.0/18 subtree has an entry 10.10.10.0/24

BGP(0): 10.10.0.0/18 aggregate has 10.10.10.0/24 more-specific

BGP(0): 10.10.0.0/18 aggregate created, attributes updated

BGP(0): 10.10.0.0/18 subtree has an entry 10.10.0.0/18

BGP(0): 10.10.0.0/18 subtree has another entry 10.10.10.0/24

BGP(0): Found sub-prefix 10.10.10.0/24: suppressed

BGP(0): Found sub-prefix 10.10.20.0/24: suppressed

BGP(0): Found sub-prefix 10.10.30.0/24: suppressed

BGP(0): Found sub-prefix 10.10.40.0/24: suppressed

BGP(0): Found sub-prefix 10.10.50.0/24: suppressed

R2#sh ip bgp 10.10.0.0255.255.192.0

BGP routing table entry for10.10.0.0/18, version 17

Paths: (1 available, best#1, table Default-IP-Routing-Table)

Flag: 0x820

  Advertised to update-groups:

        1

  100, (aggregated by 1001.1.1.1)

    100.1.1.1 from 100.1.1.1(1.1.1.1)

      Origin IGP, metric 0,local pref 100, valid, external, best

In this example, notice that the atomic aggregate attribute is not added to the route because the as-set portion of the AS path attribute is used to rebuild AS path information.

The document outlined some of the key differences between using the static route method of BGP summarization and using the aggregate-address command.  There are many more features to the aggregate address command that we will look at in future blogs.