microsoft · davmhelm · Oct 18, 2024 · Oct 18, 2024 · Oct 18, 2024 · Oct 30, 2024
@@ -82,7 +82,7 @@ The onprem routers know some routes, but not the Vnet prefixes. For example, CSR
 
 ```
 ❯ csr4=$(az network public-ip show -n csr4-pip -g $rg --query ipAddress -o tsv)
-❯ ssh $csr4 "sh ip route"
+❯ ssh labadmin@$csr4 "sh ip route"
 Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
        D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
@@ -127,7 +127,7 @@ You can verify connectivity between the VMs in the branches and the core MPLS ne
 
 ```
 ❯ testvm3=$(az network public-ip show -n testvm3-pip -g $rg --query ipAddress -o tsv)
-❯ ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no "$testvm3" "ping 10.5.1.4 -c 5"
+❯ ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no "labadmin@$testvm3" "ping 10.5.1.4 -c 5"
 10.5.1.4 (10.5.1.4) 56(84) bytes of data.
 64 bytes from 10.5.1.4: icmp_seq=1 ttl=62 time=15.7 ms
 64 bytes from 10.5.1.4: icmp_seq=2 ttl=62 time=9.87 ms

@@ -35,7 +35,7 @@ csr3=$(az network public-ip show -n csr3-pip -g $rg --query ipAddress -o tsv) &&
 vpngw_bgp_json=$(az network vnet-gateway show -n vng1 -g $rg --query 'bgpSettings')
 vpngw_asn=$(echo "$vpngw_bgp_json" | jq -r '.asn') && echo $vpngw_asn
 vpngw_gw0_bgp_ip=$(echo "$vpngw_bgp_json" | jq -r '.bgpPeeringAddresses[0].defaultBgpIpAddresses[0]') && echo $vpngw_gw0_bgp_ip
-ssh -o BatchMode=yes -o StrictHostKeyChecking=no "$csr3" >/dev/null 2>&1 <<EOF
+ssh -o ServerAliveInterval=60 -o BatchMode=yes -o StrictHostKeyChecking=no "labadmin@$csr3" >/dev/null 2>&1 <<EOF
         config t
           router bgp 65100
             neighbor ${vpngw_gw0_bgp_ip} remote-as ${vpngw_asn}
@@ -102,7 +102,7 @@ Network       NextHop     Origin    AsPath    Weight
 Similarly, you can look at the different tables in CSR3. Let's start with the neighbor list. Notice that the number of prefixes received is the number of advertised routes that the `az network vnet-gateway list-advertised-routes` gave us earlier:
 
 <pre>
-ssh $csr3 "show ip bgp summary"
+ssh labadmin@$csr3 "show ip bgp summary"
 
 BGP router identifier 10.3.0.10, local AS number 65100
 BGP table version is 8, main routing table version 8
@@ -126,7 +126,7 @@ You can safely ignore the 10.5.0.10 for now, it was pre-created by the deploymen
 We can have a look at the BGP route table, which will show the prefixes learnt over BGP. Note that the prefixes generated in the local AS (65100) have a path of `?`. Not too important, but this typically signals that the prefixes were injected via redistribution and not with a `network` command:
 
 <pre>
-ssh $csr3 "show ip bgp"
+ssh labadmin@$csr3 "show ip bgp"
 
 BGP table version is 8, local router ID is 10.3.0.10
 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
@@ -148,7 +148,7 @@ RPKI validation codes: V valid, I invalid, N Not found
 The `r` mark in the previous table means that a certain prefix learnt over BGP will not be converted into an actual route, because another route already exists. That being said, we can now see which routes appear in the route table coming from BGP, which should essentially be the prefix for Vnet1, plus 10.5.0.0/16 from the corporate network:
 
 <pre>
-ssh $csr3 "show ip route bgp"
+ssh labadmin@$csr3 "show ip route bgp"
 [...]
 B        10.1.0.0/16 [20/0] via 10.1.0.254, 00:17:17
 B        10.5.0.0/16 [200/0] via 10.5.0.10, 21:31:00
@@ -157,7 +157,7 @@ B        10.5.0.0/16 [200/0] via 10.5.0.10, 21:31:00
 You can try other commands to see the learned routes:
 
 <pre>
-ssh $csr3 "show ip bgp neighbor 10.1.0.254 routes"
+ssh labadmin@$csr3 "show ip bgp neighbor 10.1.0.254 routes"
 [...]
      Network          Next Hop            Metric LocPrf Weight Path
  *>   10.1.0.0/16      10.1.0.254                             0 65001 i
@@ -171,7 +171,7 @@ Total number of prefixes 4
 ...and the advertised routes:
 
 <pre>
-ssh $csr3 "show ip bgp neig 10.1.0.254 advertised-routes"
+ssh labadmin@$csr3 "show ip bgp neig 10.1.0.254 advertised-routes"
 [...]
      Network          Next Hop            Metric LocPrf Weight Path
  *>   10.3.0.0/16      10.3.0.1                 0         32768 ?
@@ -196,7 +196,7 @@ vpngw_bgp_json=$(az network vnet-gateway show -n vng2 -g $rg --query 'bgpSetting
 vpngw_asn=$(echo "$vpngw_bgp_json" | jq -r '.asn') && echo $vpngw_asn
 vpngw_gw0_bgp_ip=$(echo "$vpngw_bgp_json" | jq -r '.bgpPeeringAddresses[0].defaultBgpIpAddresses[0]') && echo $vpngw_gw0_bgp_ip
 vpngw_gw1_bgp_ip=$(echo "$vpngw_bgp_json" | jq -r '.bgpPeeringAddresses[1].defaultBgpIpAddresses[0]') && echo $vpngw_gw1_bgp_ip
-ssh -o BatchMode=yes -o StrictHostKeyChecking=no "$csr4" >/dev/null 2>&1 <<EOF
+ssh -o ServerAliveInterval=60 -o BatchMode=yes -o StrictHostKeyChecking=no "labadmin@$csr4" >/dev/null 2>&1 <<EOF
         config t
           router bgp 65100
             neighbor ${vpngw_gw0_bgp_ip} remote-as ${vpngw_asn}
@@ -297,7 +297,7 @@ We can test VM connectivity now. VNet1 should have access to VNets 3 and 5, and
 
 ```
 ❯ testvm1=$(az network public-ip show -n testvm1-pip -g $rg --query ipAddress -o tsv)
-❯ ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no "$testvm1" "ping 10.3.1.4 -c 3"
+❯ ssh -n -o ServerAliveInterval=60 -o BatchMode=yes -o StrictHostKeyChecking=no "labadmin@$testvm1" "ping 10.3.1.4 -c 3"
 Warning: Permanently added '94.245.106.184' (ECDSA) to the list of known hosts.
 PING 10.3.1.4 (10.3.1.4) 56(84) bytes of data.
 64 bytes from 10.3.1.4: icmp_seq=1 ttl=63 time=8.63 ms
@@ -307,7 +307,7 @@ PING 10.3.1.4 (10.3.1.4) 56(84) bytes of data.
 --- 10.3.1.4 ping statistics ---
 3 packets transmitted, 3 received, 0% packet loss, time 2003ms
 rtt min/avg/max/mdev = 4.913/6.391/8.635/1.614 ms
-❯ ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no "$testvm1" "ping 10.5.1.4 -c 3"
+❯ ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no "labadmin@$testvm1" "ping 10.5.1.4 -c 3"
 PING 10.5.1.4 (10.5.1.4) 56(84) bytes of data.
 64 bytes from 10.5.1.4: icmp_seq=1 ttl=62 time=10.3 ms
 64 bytes from 10.5.1.4: icmp_seq=2 ttl=62 time=8.55 ms
@@ -320,7 +320,7 @@ rtt min/avg/max/mdev = 8.557/9.304/10.338/0.762 ms
 
 ```
 ❯ testvm2=$(az network public-ip show -n testvm2-pip -g $rg --query ipAddress -o tsv)
-❯ ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no "$testvm2" "ping 10.4.1.4 -c 3"
+❯ ssh -n -o ServerAliveInterval=60 -o BatchMode=yes -o StrictHostKeyChecking=no "$labadmin@testvm2" "ping 10.4.1.4 -c 3"
 Warning: Permanently added '137.135.128.45' (ECDSA) to the list of known hosts.
 PING 10.4.1.4 (10.4.1.4) 56(84) bytes of data.
 64 bytes from 10.4.1.4: icmp_seq=1 ttl=63 time=6.13 ms
@@ -330,7 +330,7 @@ PING 10.4.1.4 (10.4.1.4) 56(84) bytes of data.
 --- 10.4.1.4 ping statistics ---
 3 packets transmitted, 3 received, 0% packet loss, time 2002ms
 rtt min/avg/max/mdev = 4.232/5.046/6.137/0.805 ms
-❯ ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no "$testvm2" "ping 10.5.1.4 -c 3"
+❯ ssh -n -o ServerAliveInterval=60 -o BatchMode=yes -o StrictHostKeyChecking=no "labadmin@$testvm2" "ping 10.5.1.4 -c 3"
 PING 10.5.1.4 (10.5.1.4) 56(84) bytes of data.
 64 bytes from 10.5.1.4: icmp_seq=1 ttl=62 time=10.2 ms
 64 bytes from 10.5.1.4: icmp_seq=2 ttl=62 time=12.1 ms
@@ -364,7 +364,7 @@ vpngw_bgp_json=$(az network vnet-gateway show -n vng2 -g $rg --query 'bgpSetting
 vpngw_asn=$(echo "$vpngw_bgp_json" | jq -r '.asn') && echo $vpngw_asn
 vpngw_gw0_bgp_ip=$(echo "$vpngw_bgp_json" | jq -r '.bgpPeeringAddresses[0].defaultBgpIpAddresses[0]') && echo $vpngw_gw0_bgp_ip
 vpngw_gw1_bgp_ip=$(echo "$vpngw_bgp_json" | jq -r '.bgpPeeringAddresses[1].defaultBgpIpAddresses[0]') && echo $vpngw_gw1_bgp_ip
-ssh -o BatchMode=yes -o StrictHostKeyChecking=no "$csr3" >/dev/null 2>&1 <<EOF
+ssh -o ServerAliveInterval=60 -o BatchMode=yes -o StrictHostKeyChecking=no "labadmin@$csr3" >/dev/null 2>&1 <<EOF
         config t
           router bgp 65100
             neighbor ${vpngw_gw0_bgp_ip} remote-as ${vpngw_asn}
@@ -381,7 +381,7 @@ EOF
 vpngw_bgp_json=$(az network vnet-gateway show -n vng1 -g $rg --query 'bgpSettings')
 vpngw_asn=$(echo "$vpngw_bgp_json" | jq -r '.asn') && echo $vpngw_asn
 vpngw_gw0_bgp_ip=$(echo "$vpngw_bgp_json" | jq -r '.bgpPeeringAddresses[0].defaultBgpIpAddresses[0]') && echo $vpngw_gw0_bgp_ip
-ssh -o BatchMode=yes -o StrictHostKeyChecking=no "$csr4" >/dev/null 2>&1 <<EOF
+ssh -o ServerAliveInterval=60 -o BatchMode=yes -o StrictHostKeyChecking=no "labadmin@$csr4" >/dev/null 2>&1 <<EOF
         config t
           router bgp 65100
             neighbor ${vpngw_gw0_bgp_ip} remote-as ${vpngw_asn}
@@ -423,7 +423,7 @@ Neighbor    ASN    State      ConnectedDuration    RoutesReceived    MessagesSen
 </pre>
 
 <pre>
-ssh $csr3 "sh ip bgp summ"
+ssh labadmin@$csr3 "sh ip bgp summ"
 [...]
 Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
 10.1.0.254      4        65001      46      51       16    0    0 00:33:04        5
@@ -434,7 +434,7 @@ Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State
 </pre>
 
 <pre>
-ssh $csr4 "sh ip bgp summ"
+ssh labadmin@$csr4 "sh ip bgp summ"
 [...]
 Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
 10.1.0.254      4        65001      46      51       16    0    0 00:33:04        5

@@ -22,7 +22,7 @@ In order to fix this we can configure CSR3 and CSR4 to advertise a worse metric
 
 ```bash
 # CSR3
-ssh -o BatchMode=yes -o StrictHostKeyChecking=no "$csr3" >/dev/null 2>&1 <<EOF
+ssh -o ServerAliveInterval=60 -o BatchMode=yes -o StrictHostKeyChecking=no "labadmin@$csr3" >/dev/null 2>&1 <<EOF
 conf t
     router bgp 65100
       neighbor 10.1.0.254 route-map tovngs out
@@ -42,7 +42,7 @@ And this on CSR4:
 
 ```bash
 # CSR4
-ssh -o BatchMode=yes -o StrictHostKeyChecking=no "$csr4" >/dev/null 2>&1 <<EOF
+ssh -o ServerAliveInterval=60 -o BatchMode=yes -o StrictHostKeyChecking=no "labadmin@$csr4" >/dev/null 2>&1 <<EOF
 conf t
     router bgp 65100
       neighbor 10.1.0.254 route-map tovngs out
@@ -61,8 +61,8 @@ EOF
 You might need to restart your BGP adjacencies to make the change take effect quicker:
 
 ```bash
-ssh -n $csr3 "clear ip bgp *"
-ssh -n $csr4 "clear ip bgp *"
+ssh -o ServerAliveInterval=60 -n labadmin@$csr3 "clear ip bgp *"
+ssh -o ServerAliveInterval=60 -n labadmin@$csr4 "clear ip bgp *"
 ```
 
 Now let's look again at how VNG1 learns 10.3.0.0/16:

@@ -16,7 +16,7 @@ Since you cannot configure route filters on Azure VPN gateways (or ExpressRoute
 As you can see, CSR3 and CSR4 get some /32 prefixes from BGP:
 
 ```
-ssh $csr3 "sh ip bgp | i /32"
+ssh -o ServerAliveInterval=60 labadmin@$csr3 "sh ip bgp | i /32"
  rmi  10.1.0.254/32    10.4.0.10                0    100      0 65002 i
  r i  10.2.0.4/32      10.1.0.254               0    100      0 65001 i
  r i  10.2.0.5/32      10.1.0.254               0    100      0 65001 i
@@ -28,7 +28,7 @@ The objective is not to accept /32 prefixes advertised by Azure neighbors. To th
 
 ```bash
 # CSR3
-ssh -o BatchMode=yes -o StrictHostKeyChecking=no "$csr3" >/dev/null 2>&1 <<EOF
+ssh -o ServerAliveInterval=60 -o BatchMode=yes -o StrictHostKeyChecking=no "labadmin@$csr3" >/dev/null 2>&1 <<EOF
 conf t
     router bgp 65100
       neighbor 10.1.0.254 route-map fromvngs in
@@ -41,7 +41,7 @@ conf t
 wr mem
 EOF
 # CSR4
-ssh -o BatchMode=yes -o StrictHostKeyChecking=no "$csr4" >/dev/null 2>&1 <<EOF
+ssh -o ServerAliveInterval=60 -o BatchMode=yes -o StrictHostKeyChecking=no "labadmin@$csr4" >/dev/null 2>&1 <<EOF
 conf t
     router bgp 65100
       neighbor 10.1.0.254 route-map fromvngs in
@@ -60,14 +60,14 @@ The line `ip prefix-list max24 permit 0.0.0.0/0 le 24` matches any prefix with a
 Restart the BGP adjacencies (`clear ip bgp *`) to accelerate the convergence process. For example in CSR3:
 
 ```bash
-ssh -n $csr3 "clear ip bgp *"
-ssh -n $csr4 "clear ip bgp *"
+ssh -n labadmin@$csr3 "clear ip bgp *"
+ssh -n labadmin@$csr4 "clear ip bgp *"
 ```
 
 And now you can check that there are no /32 prefixes in the BGP table:
 
 ```
-ssh $csr3 "sh ip bgp"
+ssh labadmin@$csr3 "sh ip bgp"
 
 BGP table version is 20, local router ID is 10.3.0.10
 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,

@@ -22,7 +22,7 @@ This means that if the routes from VNG2 disappeared, VNG1 would send traffic thr
 
 ```bash
 # CSR3
-ssh -o BatchMode=yes -o StrictHostKeyChecking=no "$csr3" >/dev/null 2>&1 <<'EOF'
+ssh -o ServerAliveInterval=60 -o BatchMode=yes -o StrictHostKeyChecking=no "labadmin@$csr3" >/dev/null 2>&1 <<'EOF'
 conf t
     ip as-path access-list 1 permit ^$
     route-map tovngs permit 20
@@ -32,7 +32,7 @@ end
 wr mem
 EOF
 # CSR4
-ssh -o BatchMode=yes -o StrictHostKeyChecking=no "$csr4" >/dev/null 2>&1 <<'EOF'
+ssh -o ServerAliveInterval=60 -o BatchMode=yes -o StrictHostKeyChecking=no "labadmin@$csr4" >/dev/null 2>&1 <<'EOF'
 conf t
     ip as-path access-list 1 permit ^$
     route-map tovngs permit 20

@@ -14,7 +14,7 @@ Deploy this configuration to CSR3 and CSR4:
 
 ```bash
 # CSR3
-ssh -o BatchMode=yes -o StrictHostKeyChecking=no "$csr3" >/dev/null 2>&1 <<'EOF'
+ssh -o ServerAliveInterval=60 -o BatchMode=yes -o StrictHostKeyChecking=no "labadmin@$csr3" >/dev/null 2>&1 <<'EOF'
 config t
     route-map fromvngs permit 5
       match ip address prefix-list Vnet1
@@ -30,7 +30,7 @@ end
 wr mem
 EOF
 # CSR4
-ssh -o BatchMode=yes -o StrictHostKeyChecking=no "$csr4" >/dev/null 2>&1 <<'EOF'
+ssh -o ServerAliveInterval=60 -o BatchMode=yes -o StrictHostKeyChecking=no "labadmin@$csr4" >/dev/null 2>&1 <<'EOF'
 conf t
     route-map fromvngs permit 5
       match ip address prefix-list Vnet1
@@ -51,15 +51,15 @@ We can clear the BGP adjacencies to make sure that our new config is effective:
 
 ```bash
 # Restart BGP adjacencies
-ssh -n $csr3 "clear ip bgp *"
-ssh -n $csr4 "clear ip bgp *"
+ssh -n labadmin@$csr3 "clear ip bgp *"
+ssh -n labadmin@$csr4 "clear ip bgp *"
 ```
 
 We can see whether CSR5 could leverage this information to configure its routing policies. The first thing to see if whether CSR5 can see the communities that CSR3 and CSR4 applied to the routes:
 
 <pre>
 ❯ csr5=$(az network public-ip show -n csr5-pip -g $rg --query ipAddress -o tsv)
-❯ ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no "$csr5" "sh ip bgp 10.1.0.0/16"
+❯ ssh -n -o ServerAliveInterval=60 -o BatchMode=yes -o StrictHostKeyChecking=no "labadmin@$csr5" "sh ip bgp 10.1.0.0/16"
 
 BGP routing table entry for 10.1.0.0/16, version 76
 Paths: (2 available, best #2, table default)

@@ -31,11 +31,12 @@ We can configure one or both of the branch CSRs to propagate a default. In this
 
 ```bash
 # CSR3
-ssh -o BatchMode=yes -o StrictHostKeyChecking=no "$csr3" >/dev/null 2>&1 <<'EOF'
+ssh -o ServerAliveInterval=60 -o BatchMode=yes -o StrictHostKeyChecking=no "labadmin@$csr3" >/dev/null 2>&1 <<'EOF'
 config t
-    ip prefix-list S2B permit 0.0.0.0/0
     router bgp 65100
-      default-information originate
+      neighbor 10.1.0.254 default-originate
+      neighbor 10.2.0.4 default-originate
+      neighbor 10.2.0.5 default-originate
 end
 clear ip bgp *
 wr mem

@@ -2,7 +2,7 @@
 
 ## Introduction
 
-In this Hack exercise students will explore how to use BGP in a complex environment between an on-premises network and two Azure regions. Both active/passive and active/active Azure VPN Gateways will be used in Azure, and Cisco CSR 1000v will be used to simulate onprem devices.
+In this Hack exercise students will explore how to use BGP in a complex environment between an on-premises network and two Azure regions. Both active/passive and active/active Azure VPN Gateways will be used in Azure, and Cisco CSR 8000V will be used to simulate onprem devices.
 
 The challenges will show real-world scenarios that have been observed in customers deploying their applications to Azure
 

@@ -7,13 +7,22 @@
 Since this Hack is not about deploying VNets or NVAs, you can use a script to deploy the infrastructure that you will be working on. You will find a script called `bgp.sh` in the file resources supplied for this Hack, which you can run to deploy the environment. The script has been tested to run in Azure Cloud Shell. Note that the script takes around 1 hour to complete, and it requires certain dependencies to exist. Therefore, it is recommended to deploy the environment the day before the Hack:
 
 ```bash
-bash ./bgp.sh '1:vng1:65001,2:vng:65002,3:csr:65100,4:csr:65100,5:csr:65100' '1:2:nobgp,1:3:nobgp,1:4:nobgp,2:3:nobgp,2:4:nobgp,3:4:nobgp,3:5,4:5' wthbgp northeurope 'supersecretpsk'
+bash ./bgp.sh '1:vng1:65001,2:vng:65002,3:csr:65100,4:csr:65100,5:csr:65100' '1:2:nobgp,1:3:nobgp,1:4:nobgp,2:3:nobgp,2:4:nobgp,3:4:nobgp,3:5,4:5' wthbgp northeurope 'SuperSecretPsk!0123'
 ```
 
 The previous command will deploy the topology described in the following diagram without the BGP adjacencies (which you will configure as part of the challenge), including VPN Virtual Network Gateways in VNet 1 (in active/passive mode) and VNet 2 (in active-active mode). The script will take around 1h to run, during which time your coach will give you a theory intro on BGP. The script has been tested to run in Azure Cloud Shell, but it should run in any Linux environments where the dependencies are installed (the script will check for those dependencies and error out if it doesn't find them).
 
 ![](Images/bgp.png)
 
+### Note regarding preshared key:
+Your preshared key must satisfy the following criteria:
+* Must be at least 12 characters long
+* Must contain at least one of each of the following character types:
+    * Uppercase letters
+    * Lowercase letters
+    * Digits 0-9
+    * Punctuation characters such as .,!(){}[]_
+
 ## Success Criteria
 
 - Two VNGs and three Cisco CSRs deployed, each in its own VNet.

@@ -31,7 +31,7 @@ router bgp ?
 ## Success Criteria
 
 - BGP adjacencies are created between the following devices:
-    - VNG1 and VNG1
+    - VNG1 and VNG2
     - VNG1 and CSR3
     - VNG1 and CSR4
     - VNG2 and CSR3

@@ -7,9 +7,8 @@
 Inject a default route (`0.0.0.0/0`) over BGP from one of the CSRs. You might use these commands:
 
 ```
-    ip prefix-list S2B permit 0.0.0.0/0
     router bgp 65100
-      default-information originate
+      neighbor ? default-originate
 ```
 
 ## Success Criteria