User Tools

Site Tools


Lab Setup

Peering & IXP Workshop


The purpose of this lab is to investigate the differences and best practices for transit and peering configuration when an AS is connected both to a transit provider, a private peer, and an Internet Exchange Point.

Lab Topology

The initial lab topology sets up 6 autonomous systems, each with three routers. In each AS, one router is the border router (for connecting to transit providers), one router is the core router (representing the rest of the network operator’s core network), and one router is a peering router (for connecting to private peers and IXPs).

The lab will start simply by configuring each autonomous system, and making sure that transit works via their transit provider. The address plan for the entire network is described in the Address Plan document. The initial set up is shown below.


Each participant will be assigned to a group. Depending on the number of participants, either a single person or a group will be responsible for the configuration of a router. You may be asked to rotate and work on a different router so that you have the opportunity to understand the network from another point of view.

As you go through the exercises, you will see examples of configurations for one or more routers. Make sure to take those examples and adapt them to your own router, network topology and addressing scheme. Use the diagrams to guide you.

Refer to the Lab Access Instructions document for information about logging into the routers that have been assigned to you.

Address Space Allocation

Refer to the IP Address Plan document for information about the IP address plan for the network infrastructure for these labs.

Basic Router Configuration

The following configuration examples show the suggested/recommended configuration to be implemented on the routers in each group. Replace the RX in the examples with the router type (either B for Border or C for Core or P for Peering or A for Access) and Group number as appropriate.

Name the router

Router> enable
Router# config terminal
Router(config)# hostname RX

Configure Users & Passwords

We will use the username “isplab” for this workshop. It is a role account, note, something that is strongly discouraged on public infrastructure. However, we use it here only for ease of operating the lab, and that we will need to connect to other groups’ routers through the duration of this workshop.

username isplab secret lab-PW
enable secret lab-EN
service password-encryption

Configure Authentication

Cisco’s standard authentication model is from the late 80s and is really very obsolete. We will instead use Cisco’s implementation of AAA, first introduced in around 1995. The code snippet below uses the locally configured username/password pair for standard login, with the locally configured enable secret to go into configuration mode.

aaa new-model
aaa authentication login default local
aaa authentication enable default enable

Configure console and VTY access

Stop the router from guessing transports if it does not recognise what was entered in on the command line. This is done for both the VTY (remote access to router) and the Console (what is being used during this lab).

line vty 0 4
 transport preferred none
line console 0
 transport preferred none

Configure logging

No logs are sent to the console. Instead they are sent to a log buffer. To access the logs in the log buffer, use the command “show logging”.

no logging console
logging buffered 8192 debugging

Disable DNS resolution

There is no DNS resolver in the lab, so we stop the router from trying to do domain name resolution for encountered addresses.

no ip domain-lookup

Activate IPv6 routing

Turn on IPv6 Routing and activate IPv6 CEF (not on by default in Cisco IOS)

ipv6 unicast-routing
ipv6 ref

Disable source routing for IPv4 and IPv6

no ip source-route
no ipv6 source-route

Path MTU Discovery

Enable Path MTU Discovery on the router - this is not enabled by default for connections to the control plane (but it is enabled by default now for BGP).

ip tcp path-mtg-discovery

Exit configuration mode and save

write memory

Interface Configuration

Links to other Routers

Configure your interfaces according to the diagram and the supplied address plan. The examples below show just the Core and Border routers in your AS. You will need to do the same for the link between the Core router and the Peering router, and for the link between the Core router and the Access router.

Note that we follow the convention of addressing the Core router with the low address of the point-to-point link, and the other router with the high address.

On CoreX:

interface GigabitEthernet1/0
 description P2P Ethernet Link to BX
 ip address 100.68.X.17
 no ip directed-broadcast
 no ip redirects
 no ip proxy-arp
 ipv6 address 2001:DB8:X:10::0/127
 ipv6 nd prefix default no-advertise
 ipv6 nd ra suppress all
 no shutdown

On BorderX:

interface GigabitEthernet1/0
 description P2P Ethernet Link to CX
 ip address 100.68.X.18
 no ip directed-broadcast
 no ip redirects
 no ip proxy-arp
 ipv6 address 2001:DB8:X:10::1/127
 ipv6 nd prefix default no-advertise
 ipv6 nd ra suppress all
 no shutdown

Explanations for some of the commands used

no ip directed-broadcast

An IP directed broadcast is an IP packet whose destination address is a valid broadcast address for some IP subnet, but which originates from a node that is not itself part of that destination subnet.

Because directed broadcasts, and particularly Internet Control Message Protocol (ICMP) directed broadcasts, have been abused by malicious persons, we recommend disabling the ip directed-broadcast command on any intereface where directed broadcasts are not needed (probably all).

no ip proxy-arp

Proxy ARP is the technique in which one host, usually a router, answers ARP requests intended for another machine. By “faking” its identity, the router accepts responsibility for routing packets to the “real” destination. Proxy ARP can help machines on a subnet reach remote subnets without the need to configure routing or a default gateway.

Disadvantages of proxy arp:

  • It increases the impact of ARP spoofing, in which a machine claims to be another in order to intercept packets.
  • It hides network misconfigurations in hosts
  • Hosts will have larger ARP tables

no ip redirects

ICMP redirects can be sent to a host when the router knows that another router in the same subnet has a better path to a destination. If a hacker installs a router in the network that causes the legitimate router to learn these ilegitimate paths, the hacker's router will end up diverting legitimate traffic thanks to ICMP redirects. Thus, we recommend that you disable this feature in all your interfaces.

ipv6 nd ra suppress all

IPv6 router advertisements are sent periodically by routers to inform hosts that the router is present, and to allow hosts to autoconfigure themselves using stateless autoconfiguration mechanisms. This is not necessary on point-to-point interfaces.

ipv6 nd prefix default no-advertise

This prevents the router from sending any prefixes as part of router advertisements, so the client will not auto-configure itself with a global IPv6 address. This is helpful for IOS versions where you cannot suppress solicited RA messages.

Loopback interface

Also create the Loopback interface and apply the IPv4 and IPv6 addresses to it - consult the address plan for the addresses used. Here is an example for the Core router in the autonomous system. Remember that the IPv4 address on the Loopback is a /32 and the IPv6 address on the Loopback is /128.

interface Loopback0
 description Loopback on Core
 ip address 100.68.X.2
 ipv6 address 2001:DB8:X::2/128

Save Configuration

Verify and save the configuration.

show running-config
write memory

Connectivity Testing

Do some PING tests between all four routers - here is an example for between Core and Border in Group One:

C1# ping         <- B1
C1# ping 2001:DB8:1:10::1    <- B1
C1# ping         <- P1
C1# ping 2001:DB8:1:11::1    <- P1

and then verify the output of the following commands:

show arp             : Show ARP cache
show interface       : Show interface state and config
show ip interface    : Show interface IP state and config
show ipv6 neighbors  : Show IPv6 neighbours
show ipv6 interface  : Show interface state and config
show cdp neighbors   : Show neighbours seen via CDP
wunca38-bgp/lab_setup.txt · Last modified: 2020/01/03 12:03 (external edit)