BGP Question

Hi,
I currently work for an ISP and am also studying BGP. I was wondering, when an ISP peers with another ISP, what is the most common or best way for an ISP to advertise their networks? They obviously can't use the network command, as you could have 1000's and 1000's of routes. Will they use a route map, apply this outbound, and have the route map match a prefix list?
What options do you have here?

The most common way for an ISP to advertise their networks is that they advertise routes/prefixes that they have learned from others. When they have learned routes/prefixes from one EBGP peer then they can advertise those to other BGP peers (no network statement required). And when they have learned routes/prefixes from their customers they may aggregate or summarize those routes and advertise the results to BGP neighbors. They would need network statements only for the networks whose advertisement is started from that ISP.
HTH
Rick

Similar Messages

  • BGP advertise-map questions

    I have a few questions pertaining to Conditional advertisements in BGP using advertise-map(s).
    From the Cisco site the examples I have seen stipulate that the routes you redistribute into BGP are through the means of "network" statements.
    The first question is, are you able to redistribute the route(s) you wish to control being advertised to neighboring BGP peers via an advertise-map through the "redistribute" command or must you use "network" statements?
    The second question is, are you able to put a condition on more than one route that you may or may not want to advertise based on the condition you have set. In other words, as an example, I want to allow around 30 routes to be advertised towards a BGP peer if a certain route exists in the BGP routing table. For this I will obviously need to use an advertise-map with the exist-map statement. Is it possible to have this condition set on the 30 routes?

    Advertise-maps are only related to what is sent out of the router. They really don't care how the route got into the router. You can use either network statements or the redistribution command to get them into the BGP routing table.
    I don't know what the limit is on how many addresses you can put in the route-map used for conditional advertisement but it is much more than 30. It would just be, in the worst case, an access list that had 30 entries.
    The conditional advertisement is not really any different than a normal route-map filter. You just build an access list or prefix list that matches any address you want to allow. You do it the same way as if you were building a normal route-map that allows certain routes all the time. The only thing really special is when it is applied, not how you create it.

  • Bgp neighborship question

    Hi.
    One question.
    Why doesn't BGP neighborship establish when no dynamic routing protocol is enabled?
    There are four routers.
    A--------B-------C-------D
    They can all ping.
    No dynamic routing;
    only static routing is enabled.
    Configured BGP AS 100 with A and D, but BGP neighborship didn't establish.
    Am I missing something?

    From A side :
    R1#ping 1.1.34.4
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 1.1.34.4, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 80/127/164 ms
    R1#show ip route
         1.0.0.0/24 is subnetted, 1 subnets
    C       1.1.12.0 is directly connected, FastEthernet0/0
    S*   0.0.0.0/0 [1/0] via 1.1.12.2
    R1#ping 1.1.34.4
    R1#sh ip bgp summary
    BGP router identifier 1.1.12.1, local AS number 10
    BGP table version is 1, main routing table version 1
    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    1.1.34.4        4    10       0       0        0    0    0 never    Active
    =======================================================
    From D side :
    R4#sh ip bgp summary
    BGP router identifier 1.1.34.4, local AS number 10
    BGP table version is 1, main routing table version 1
    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    1.1.12.1        4    10       0       0        0    0    0 never    Active
    R4#
    There's no special log. I tested in my GNS3 and I can open 179 on both sides by using telnet.
    The weird thing is that when I enabled OSPF for all of this topology, the BGP neighborship was established. That's why I asked this question.
    router ospf 1
    net 0.0.0.0 0.0.0.0 a 0

  • Question about BGP "remove-private-as"

    In Cisco document about BGP "remove-private-as", it says "if the ASpath contains the AS of the peering router (through eBGP), then the AS's will not be stripped".
    My question is: when a route is received from the peering router, its AS Path always has the peering router's AS# appended. So the assumption in the document is always true. Then what's the point to even have the assumption?
    Please let me know if I'm incorrect somewhere.
    Thanks
    Gary

    Gary,
    Consider this: A -- B -- C
    If A has a private AS, all routes it advertises to B will contain that private AS#. If you have configured "remove-private-as" on B, it will strip that private AS# when advertising those routes to C. Now, if B somehow decides to advertise those routes back to A, that's where that statement from the Cisco Document comes in. If B stripped that private AS# from these routes, A will not know that it should drop those routes because it contains its own AS#. That's the kind of situation it is protecting against.
    Hope that helps - pls do rate the post if it does
    Paresh
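
The A -- B -- C case from the reply above, as an added Python sketch (not from the original thread or from Cisco): it models the classic `remove-private-as` rule quoted in the question next to an unconditional strip, and shows which one keeps A's AS-path loop check working. The AS numbers 65001, 100 and 200 and all function names are constructed; the handling of mixed public/private paths is an assumption based on the classic documented behaviour.

```python
# 16-bit private AS range (RFC 6996); 4-byte private ASNs are left out of this sketch.
PRIVATE_ASNS = range(64512, 65535)

# Constructed AS numbers for the A -- B -- C topology in the reply.
A_AS, B_AS, C_AS = 65001, 100, 200


def is_private(asn):
    return asn in PRIVATE_ASNS


def remove_private_as(as_path, neighbor_as):
    """Classic rule: leave the path alone if it contains the eBGP neighbor's AS."""
    if neighbor_as in as_path:
        return list(as_path)          # the exception the question asks about
    if as_path and all(is_private(a) for a in as_path):
        return []                     # path made only of private ASNs: strip them
    return list(as_path)              # assumption: mixed paths are not touched


def strip_unconditionally(as_path, neighbor_as):
    """Hypothetical behaviour without the exception, for contrast."""
    return [a for a in as_path if not is_private(a)]


def advertise(as_path, local_as, neighbor_as, strip=remove_private_as):
    """eBGP advertisement: apply the strip policy, then prepend the local AS."""
    return [local_as] + strip(as_path, neighbor_as)


def accepts(as_path, local_as):
    """Receiver-side AS-path loop check: reject paths containing our own AS."""
    return local_as not in as_path


def scenario():
    learned_by_b = [A_AS]             # route originated by A, as seen on B
    to_c = advertise(learned_by_b, B_AS, C_AS)
    back_to_a = advertise(learned_by_b, B_AS, A_AS)
    naive_back_to_a = advertise(learned_by_b, B_AS, A_AS,
                                strip=strip_unconditionally)
    return {
        "to_c": to_c,
        "back_to_a": back_to_a,
        "a_accepts_back": accepts(back_to_a, A_AS),
        "naive_back_to_a": naive_back_to_a,
        "a_accepts_naive": accepts(naive_back_to_a, A_AS),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```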

  • Question about OSPF to BGP redistribution

    I have some static routes on a router where OSPF and BGP are also running. I have redistributed the static routes into OSPF (showing in OSPF database). I also want to have the static routes in the BGP routing table. I understand this can be done by using a prefix list permitting all the static routes; however, I was thinking of a simpler way, just redistributing whatever is in the OSPF routing table into BGP (permit 0.0.0.0/0 le 32).
    My question is if OSPF really redistributes those routes. Those routes are shown as "static" in "sh ip route" even though they are also in OSPF database. I have heard that OSPF only redistributes the routes showing as "OSPF routes", not what's in its database.
    Thanks for any help.
    Gary

    Hi Gary,
    The thing to understand here is that the use of redistribution does not change anything in the routing table of the router on which you are configuring it.
    As you have observed, static routes do not become OSPF routes when you redistribute them into OSPF. This can be generalised to the following: when you redistribute protocol1 into protocol2, the router will scan the routing table for routes installed by protocol1 and will then do one of the following, depending on the protocol it is being redistributed into:
    - if it is a Link state protocol like OSPF, it will originate LSAs appropriate to the route being redistributed. These LSAs will be subsequently flooded to other routers which will install them as routes in their routing table. The only change on the redistributing router is the installation of additional LSAs; the routing table does not change
    - if it is a distance vector protocol like IGRP, the router will take the protocol1 routes and advertise them via IGRP update packets every time an update packet is sent. Once again, there is no change on the routing table of the redistributing router.
    Note the other important point: when redistributing is carried out, the only routes that are redistributed are those that are in the routing table and installed there by the source protocol, which could be quite different to the contents of link-state databases.
    Hope that helps.
    Pls remember to rate posts.
    Paresh.

  • BGP multi-homing with two different providers – iBGP and traversal question.

    I have two internet connections.  Both connections are with different providers and on two separate routers.  I have two ASA’s that sit behind the routers and I proxy arp all hosted services off of the ASA’s outside interface.
    I am obtaining a provider independent AS number from ARIN and would like to setup eBGP peering with each provider, accepting a default route only and advertise my leased block (let’s say 50.100.150.0/24).  I’d like to prepend my AS  on the ISP-B connection to ensure that it is only used as backup.
    Here is the real question.  I know I will need to allow TCP-179 through the ASA’s to establish the iBGP connection but because the hosts that I have at site A are proxy-arp’d off of the firewall outside interface, I need some way for traffic to come in from ISP-B, to router B and then traverse over to router A so that it can be sent to ASA-Firewall A.  (please see attached diagram).  What is the best way to accomplish this?  GRE tunnel between the routers & through the firewalls?  I have ample bandwidth and low latency between site A and B.
    Thanks

    Is that orange line a direct connection between CPE routers? If yes, a direct iBGP connection is possible. If not, I suggest that you obtain one as it is almost impossible to make the ASAs stay in sync with BGP routing. (-: If you can't, then GRE could be a workaround.
    Is ASA redundancy a requirement too? (I mean in case ASA-A fails, are the site-A servers supposed to be accessible via ASA-B?) If yes, you must ensure that the outgoing traffic (default route in internal network) is in sync with active ISP and asymmetric routing is prevented. You can solve that with object tracking and you need the same static NATs in both ASAs.
    I would consider creating shared VLANs on ASA interfaces and form a failover pair too but it's a different setup.

  • Question about network statement in OSPF and BGP

    The network statements in OSPF and BGP can be used to advertise networks. But I'm not clear under what circumstances it would make more sense to use network statements to advertise a network than to use other methods to have the network learned by other routers.
    Here is an example: assume I'm running BGP on router A. I want to advertise network 10.1.1.0/24 to other BGP peers. I have an OSPF route for this network. I can do 2 things: one is to use "network 10.1.1.0 mask 255.255.255.0", the other is to do "redistribute OSPF ... route-map OSPF-INTO-BGP", and create a prefix list to permit 10.1.1.0/24.
    Both would work to have this network learned by other BGP peers. But which is better for what purpose?
    Thanks a lot
    Gary

    Hi Gary,
    There is one little difference between the use of the two approaches - the route injected into BGP by using a network statement will carry an Origin attribute of IGP, whereas the route injected using redistribution will have an Origin attribute of Incomplete. Now, that is not a huge issue since you can always change that to whatever value you desire both with the use of the network statement and redistribution. The important thing, however, is that in the BGP best path selection process, the Origin attribute comparison is fairly high up and will prefer a route with the attribute of IGP.
    Apart from that, there is absolutely no difference between using the network statement and using redistribution with a route-map that matches exactly on the same route that you would have specified with the network statement.
    I guess one advantage of using the redistribute approach is that it does not clutter up the BGP config. If you wish to add more routes, you simply add them to the prefix list so that you don't really touch the BGP config portion at all.
    Hope that helps - pls do remember to rate posts that help.
    Paresh

  • BGP Outbound Route-Map Question

    Hi Experts,
    Just need your help again. I was trying to do some lab and I came across this weird behaviour with BGP outbound route-map. The diagram is simple.
    Please see attached diagram. Sorry for the very poor illustration. R6 has iBGP peering to both R4 and R1. Both R1 and R4 have eBGP peering to R5. No IGP running on any routers as well to keep things simple. There are 2 things to do.
    * Create a static route for 160.1.0.0/16 pointing to Null0 on both R1 and R4 and advertise to BGP via network statement but only R5 should be able to see the 160.1.0.0/16 route. R6 should not receive it.
    * Advertise R5's /32 loopback interface to BGP but ensure R6 to have that route in its routing table. Don't use next-hop-self on both R1 and R4. Don't advertise WAN link via network command.
    I'll just illustrate R4 and R6 here to keep things straight forward.
    R4#sh ip bgp
    BGP table version is 5, local router ID is 150.1.4.4
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop            Metric LocPrf Weight Path
    *> 150.1.5.5/32     155.1.45.5               0             0 100 i
    *> 160.1.0.0        0.0.0.0                  0         32768 i
    R6#sh ip bgp
    BGP table version is 11, local router ID is 150.1.6.6
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop            Metric LocPrf Weight Path
    * i150.1.5.5/32     155.1.45.5               0    100      0 100 i
    * i                 155.1.0.5                0    100      0 100 i
    The first task was achieved as the 160.0.0.0/16 route is not present in R6's table. I used these commands in R4.
    router bgp 65000
     no synchronization
     bgp log-neighbor-changes
     network 160.1.0.0
     neighbor 155.1.45.5 remote-as 100
     neighbor 155.1.146.6 remote-as 65000
     neighbor 155.1.146.6 route-map R6_OUT out
     no auto-summary
    route-map R6_OUT deny 5
     match ip address prefix-list AGGR
    route-map R6_OUT permit 1000
    ip prefix-list AGGR seq 5 permit 160.1.0.0/16
    So with the configuration above, it is clear that R4 is hitting route-map line 5 to deny 160.1.0.0/16 being advertised to R6. I tried to remove line 5 to validate as well if the /16 route will be advertised to R6 and it did so route-map configuration above is confirmed working.
    Next, advertise loopback 0 of R5 to R6 and make sure it is a valid route in BGP table without the use of next-hop-self or WAN advertisement.
    I used the following configuration.
    ip prefix-list R5_LINK seq 5 permit 155.1.45.5/32
    route-map R6_OUT permit 10
     match ip route-source R5_LINK
     set ip next-hop 155.1.146.4
    I inserted line 10 in between route-map 5 and 1000. So R4 would check its route table for routes with 155.1.45.5 as route-source then advertise it to R6 with next-hop address of 155.1.146.4. It worked!
    R6#sh ip bgp
    BGP table version is 15, local router ID is 150.1.6.6
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop            Metric LocPrf Weight Path
    *>i150.1.5.5/32     155.1.146.4              0    100      0 100 i
    * i                 155.1.0.5                0    100      0 100 i
    *>i160.1.0.0        155.1.146.4              0    100      0 i
    As you can see above, 150.1.5.5 route is now a valid BGP route but surprisingly, the 160.1.0.0/16 route is there! From what I have seen, BGP skipped line 5 and started at 10. Even if I insert the same rule as line 5 and make it as line 15, it's not working. The /16 route is still being advertised. If I remove the match ip route-source clause in sequence 10 then it will withdraw the 160.1.0.0/16 route again. Looks like "match ip route-source" is not very friendly with direct filtering to BGP neighbors but I saw this being used with BGP inject-map and it worked well.
    R4#sh route-map
    route-map R6_OUT, deny, sequence 5
      Match clauses:
        ip address prefix-lists: AGGR
      Set clauses:
      Policy routing matches: 0 packets, 0 bytes
    route-map R6_OUT, permit, sequence 10
      Match clauses:
        ip route-source (access-lists): R5_LINK
      Set clauses:
        ip next-hop 155.1.146.4
      Policy routing matches: 0 packets, 0 bytes
    route-map R6_OUT, permit, sequence 1000
      Match clauses:
      Set clauses:
      Policy routing matches: 0 packets, 0 bytes
    Any thoughts why this is happening?
    Thanks in advance.

    Hi John,
    I did a small lab to test feature "match ip route-source" and it is working fine. Please check below config and output.
    R4 does not have 172.16.16.0/24 and also routes for which next-hop is not 1.1.1.1. In case you are still facing the issue, please share the output of "debug ip bgp updates out"
    Topology
    R1--ebgp--R3---ibgp---R4
    R3#show ip b su | b Nei
    Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    1.1.1.1         4          100      34      36       29    0    0 00:27:37        7
    4.4.4.4         4          300       9      12       29    0    0 00:04:12        0
    R3#
    R3#sh route-map TO-R4
    route-map TO-R4, deny, sequence 10
      Match clauses:
        ip address prefix-lists: DENY-PREFIX 
      Set clauses:
      Policy routing matches: 0 packets, 0 bytes
    route-map TO-R4, permit, sequence 20
      Match clauses:
        ip route-source (access-lists): 20 
      Set clauses:
      Policy routing matches: 0 packets, 0 bytes
    R3#
    R3#show ip prefix-list DENY-PREFIX
    ip prefix-list DENY-PREFIX: 1 entries
       seq 5 permit 172.16.16.0/24
    R3#
    R3#sh ip access-lists 20
    Standard IP access list 20
        20 permit 1.1.1.1 (25 matches)
    R3#
    R3#show ip b
    BGP table version is 29, local router ID is 3.3.3.3
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale, m multipath, b backup-path, x best-external
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop            Metric LocPrf Weight Path
    *  172.16.8.0/22    1.1.1.1                  0             0 100 i
    *>                  172.31.13.1             20         32768 i
    *> 172.16.16.0/24   1.1.1.1                  0             0 100 i
    *> 172.16.17.0/24   1.1.1.1                  0             0 100 i
    *> 172.16.19.0/24   1.1.1.1                  0             0 100 i
    *> 172.16.20.0/22   1.1.1.1                  0             0 100 i
    *  172.16.24.0/30   1.1.1.1                  0             0 100 i
    *>                  172.31.13.1             20         32768 i
    *> 172.16.80.0/22   1.1.1.1                  0             0 100 i
    R3#
    R4#show ip b
    BGP table version is 53, local router ID is 4.4.4.4
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale, m multipath, b backup-path, x best-external
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop            Metric LocPrf Weight Path
    r>i172.16.17.0/24   1.1.1.1                  0    100      0 100 i
    r>i172.16.19.0/24   1.1.1.1                  0    100      0 100 i
    r>i172.16.20.0/22   1.1.1.1                  0    100      0 100 i
    *>i172.16.80.0/22   1.1.1.1                  0    100      0 100 i
    R4#
    --Pls don't forget to rate helpful posts--
    Regards,
    Akash

  • BGP received-only Question

    Hi
    From what I understand, in the show ip bgp x.x.x.x/x output the received-only would be present when soft-reconfiguration inbound is configured and the route has been rejected by a policy, i.e. a route map.
    What I have also found is that on many outputs I can see the exact same route in the output twice, one which has the received-only keyword and one which doesn't.
    Now for a specified neighbor we have a route map configured inbound which will change the weight based on the community value. It seems as though when a route map is configured and an attribute is changed, that route appears in the output twice, one being modified and one which is unchanged. But this contradicts what is said on the Cisco website; it states 'the received-only keyword will only show up if the route is denied by a policy', but it's not, it's just changed.
    Has anyone had this discussion before? I would like to hear people's thoughts on the matter.
    Thanks
    Andre
    corerouter#show ip bgp | b 10.141.54.0
    * 10.141.54.0/23 10.199.10.18 0 64000 34406 65502 ?
    *> 10.199.10.18 0 64000 34406 65502 ?
    corerouter#sho ip bgp 10.141.54.0/23
    BGP routing table entry for 10.141.54.0/23, version 1219279
    Paths: (4 available, best #3, table Default-IP-Routing-Table)
    Advertised to update-groups:
    2 3 4 5 6 7
    34406 65502
    10.199.10.18 from 10.199.10.20 (82.196.60.60)
    Origin incomplete, metric 0, localpref 100, weight 64000, valid, external
    Community: 10199111
    34406 65502, (received-only)
    10.199.10.18 from 10.199.10.20 (82.196.60.60)
    Origin incomplete, metric 0, localpref 100, valid, external
    Community: 10199111
    34406 65502
    10.199.10.18 from 10.199.10.19 (82.196.60.1)
    Origin incomplete, metric 0, localpref 100, weight 64000, valid, external, best
    Community: 10199111
    34406 65502, (received-only)
    10.199.10.18 from 10.199.10.19 (82.196.60.1)
    Origin incomplete, metric 0, localpref 100, valid, external
    Community: 10199111

    show ip bgp neighbor x.x.x.x received-routes
    show ip bgp neighbor x.x.x.x routes
    sho ip bgp a.b.c.d
    If you found this page, like I did, while searching for "received-only" - that means that the route has only been received, but not entered in the routing table. This is good if you meant to block that route. But if that route is actually also installed in the routing table and you meant to block it, check your route-map, specifically your prefix-lists, and you will likely find that you have an error with either the IP address or the CIDR mask, resulting in a non-match condition. The inverse is also true: if you intend to allow a route but you only see the "received-only" route, you probably have a typo in your route-map or prefix list. Below are some examples that might help.
    Here are some BGP with route-map and prefix-list examples, although the data is not meaningful. 
    router bgp 1234
      neighbor CARRIER1 peer-group
      neighbor CARRIER1 route-map PROVIDER1-IN in
      neighbor 6.7.8.9 peer-group CARRIER1
    route-map PROVIDER1-IN deny 5
      match ip address prefix-list MyIPs
    route-map PROVIDER1-IN permit 10
      match ip address prefix-list GOOG APPL
    ip prefix-list GOOG seq 5 permit 8.8.8.0/24 le 32
    ip prefix-list GOOG seq 10 permit 8.8.4.4/32
    ip prefix-list APPL seq 5 per 17.142.160.59/32
    ip prefix-list APPL seq 10 per 17.178.96.0/24 le 32
    ip prefix-list MyIPs seq 5 per 1.2.0.0/16 le 24
    ip prefix-list MyIPs seq 10 per 2.3.4.0/24 le 32
    ip prefix-list MyIPs seq 15 per 4.5.6.7/32
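
An added example (not from the original post): a small Python model of how the PROVIDER1-IN route-map and its prefix-lists above are evaluated, so a filter can be checked offline before hunting for "received-only" entries. It assumes standard prefix-list `ge`/`le` semantics and the implicit deny at the end of both prefix-lists and route-maps; the test routes, the typo variant and all function names are constructed for illustration.

```python
import ipaddress

# Prefix-lists from the post: (seq, action, prefix, ge, le).
PREFIX_LISTS = {
    "GOOG": [(5, "permit", "8.8.8.0/24", None, 32),
             (10, "permit", "8.8.4.4/32", None, None)],
    "APPL": [(5, "permit", "17.142.160.59/32", None, None),
             (10, "permit", "17.178.96.0/24", None, 32)],
    "MyIPs": [(5, "permit", "1.2.0.0/16", None, 24),
              (10, "permit", "2.3.4.0/24", None, 32),
              (15, "permit", "4.5.6.7/32", None, None)],
}

# route-map PROVIDER1-IN from the post: (seq, action, prefix-lists matched).
ROUTE_MAP = [(5, "deny", ["MyIPs"]), (10, "permit", ["GOOG", "APPL"])]

# Constructed typo: "le 32" forgotten on GOOG seq 5, so only the exact /24 matches.
TYPO_LISTS = dict(PREFIX_LISTS, GOOG=[(5, "permit", "8.8.8.0/24", None, None),
                                      (10, "permit", "8.8.4.4/32", None, None)])


def entry_matches(route, prefix, ge, le):
    """True if `route` matches one prefix-list entry."""
    route = ipaddress.ip_network(route)
    entry = ipaddress.ip_network(prefix)
    if not route.subnet_of(entry):      # leading bits must match the entry
        return False
    if ge is None and le is None:       # no ge/le: exact prefix length only
        return route.prefixlen == entry.prefixlen
    low = ge if ge is not None else entry.prefixlen
    high = le if le is not None else route.max_prefixlen
    return low <= route.prefixlen <= high


def prefix_list_permits(name, route, prefix_lists):
    """First matching entry decides; no match is an implicit deny."""
    for _seq, action, prefix, ge, le in sorted(prefix_lists[name]):
        if entry_matches(route, prefix, ge, le):
            return action == "permit"
    return False


def route_map_verdict(route, route_map, prefix_lists):
    """Return (action, seq) of the first clause that matches, else implicit deny."""
    for seq, action, lists in sorted(route_map):
        if any(prefix_list_permits(n, route, prefix_lists) for n in lists):
            return (action, seq)
    return ("deny", None)


# Constructed routes a peer might send.
SAMPLE_ROUTES = ["8.8.8.0/24", "8.8.8.8/32", "8.8.4.0/24", "17.178.96.128/25",
                 "1.2.3.0/24", "1.2.3.4/32", "9.9.9.0/24"]


def audit(routes, route_map, prefix_lists):
    return {r: route_map_verdict(r, route_map, prefix_lists) for r in routes}


if __name__ == "__main__":
    good = audit(SAMPLE_ROUTES, ROUTE_MAP, PREFIX_LISTS)
    typo = audit(SAMPLE_ROUTES, ROUTE_MAP, TYPO_LISTS)
    for route in SAMPLE_ROUTES:
        flag = "  <-- changed by typo" if good[route] != typo[route] else ""
        print(f"{route:20} {good[route]!s:16} {typo[route]!s:16}{flag}")
```

Routes whose verdict is a deny (explicit or implicit) are the ones that would show up only as "received-only" with soft-reconfiguration inbound enabled.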

  • Bgp-Eigrp-Bgp redistribution question

    Hi Experts,
    Just wish to ask if there is an option to retain the as-path information in EIGRP when I redistribute from BGP to EIGRP then to BGP?
    I recall coming across something similar to this before but I can't seem to remember it.
    Thanks in advance.

    Hello friend.
    No, you can't retain the AS-PATH when redistributing prefixes from BGP to EIGRP.
    What you CAN do though, is to add the AS-PATH you want when redistributing it BACK to BGP.
    You can do something like this:
    1 - Add a TAG when redistributing the BGP prefixes into EIGRP
    route-map SET_TAG permit 10
     set tag 100
    router eigrp 1
    redistribute bgp 100 metric 1 1 1 1 1 route-map SET_TAG
    2 - transform the TAG into an AS_PATH, when redistributing it BACK to BGP.
    route-map set-as-path-from-tag
    set as-path tag
    router bgp 100
    redistribute eigrp 1 route-map set-as-path-from-tag
    Got it ?
    I hope this helps you !
    cheers

  • IPv6 - Newb Question (BGP Advertisement)

    Hi Everyone - Quick question on IPv6 subnetting
    If we are allocated a /32 from an RIR (eg 2001:0DB0::/32), and we advertise the /32 to our upstream Inet providers - Assigning 2001:0DB0:0:10::1/64 to a loop Interface, we *should* be able to reach the Upstream providers IPv6 addresses with a source of the loop interface (As the /64 is within the /32 subnet)?
    Cheers.

    Hi John,
    Correct. You should be able to use that technique to perform initial testing for your ipv6 connectivity. You can use extended ping for instance to specify the loopback interface as the source address.
    Regards

  • Do you need a cisco router at remote sites when using VRF BGP?

    Hello.....
    If you could refer to the attached document and read the following... I need to know if a CISCO router is required for each of the sites.   OR does the ISP (Provider) provide the only required Router in the private cloud?
    We want to replace the Cisco 891 with a PepLink but I don't know if we can do that.  Can anyone jump in and help me understand?
    When we hear about VRF, it's almost synonymous to MPLS VPN. Virtual Routing and Forwarding is commonly used by Service Providers to provide services within an MPLS cloud with multiple customers. The most interesting feature of this is that VRF allows creation of multiple routing tables within a single router. This means that overlapping use of IP addresses from different customers is possible. Some enterprises use VRF to segregate their services like VOIP, wireless, geographical location and other varieties.

    Whether you can replace the 891 device with another device boils down to a single question: Do you need to run BGP with the Service Provider in order to use their service? If you need to run a routing protocol with your service provider, your service is likely a L3VPN (IP VPN) solution (i.e. you inject your site's routes into the provider's L3VPN session, they use MP-BGP+VRF for segmentation within their network).
    If, however, they just drop you a L2 connection and provide L2 emulated services (e.g. L2VPN or VPLS) across their network, then your device can be whatever you want it to be.
    From your device's perspective, it is not VRF aware. That is, it does not know about how the service provider segments your service from another customer's. In the L3VPN case, your device is routing-protocol aware. In the L2VPN case, your device is not routing protocol aware and does not need to form adjacency with the service provider's equipment.
    HTH.
    Rate if helpful.

  • Nexus-F5 & BGP

    Just for background, we have two data centres with 6509 switches as the network. In the main data centre there are two F5 (BIG IP 3600) devices in active & standby mode (source NAT mode). We are in the process of upgrading the entire infrastructure within the next 3-6 months in the following manner:
    1. Replace two F5 in primary DC & install new F5 in secondary DC (F5 will be in routed mode for a certain requirement of Cisco ISE)
    2. Replace Cisco 6509 in primary DC with Nexus (2x 7010, 3x 6004 & FEX, etc)
    3. Look at Nexus for secondary DC.
    Below are the questions I have about F5 Route Health Injection (to have the same VIP on primary & secondary DC) working in a Cisco environment.
    1. Does this feature require BGP as the routing protocol in the network?
    2. Currently OSPF is the IGP in our network; I am concerned about using BGP for this DC setup. Will this use a lot of processing/memory resources on the existing 6509s?
    3. Is this a recommended/best practice approach?
    4. When the Nexus switches come, will these work with each other? I know 6500 & Nexus are two completely different platforms.
    5. Are there any references around this sort of design/guidelines?
    Thanks
    Rasika


  • BGP, VRF and PBR ("set vrf")

    Hi networkers!
    Requirements:
    - 2 locations (OFFICE, DC) in the same town
    - each having two active WAN connections (carrying individual routing domains): The default Any2Any WAN (where several other locations are connected to) and a client specific MC WAN.
    - There is a high speed "metro" connection between the locations
    - Targets of MC WAN must only be available from a dedicated "MC LAN" network segment
    - The default route of "MC LAN" is into Any2Any. Some specific routes coming from MC WAN will overrule A2A routes
    - By default, all locally generated traffic should leave into the local WAN links
    - In case of a local fault, the locally generated traffic should go via "metro" link into the remote WAN links.
    - Traffic between office and DC has to use the metro link.
    Hardware: Cat 4500X in VSS configuration at both locations acting as router.
    The challenge is with the "MC LAN" that should be fully integrated into A2A routing (communicating locally with devices in other LAN segments and remotely with other sites) but it should also communicate with some special targets of the MC WAN that all other LAN segments must not see.
    The general solution that I found is to set the "MC LAN segment" into the GRT but apply "ip vrf receive VRF_MC" and "set vrf VRF_MC" as PBR for targets that should be reached via MC-WAN. It makes me a little unhappy that I have to configure a static PBR "routing" because the MC routes are already available by BGP within VRF_MC. But I have tested several other solutions (route leakage e.g.). But they did not work (route leakage for example is not possible on-device between VLANs but only between physical ports).
    I put in here only the OFFICE part of the configuration. At the DC there is no "MC LAN" only "MC WAN" which is fully isolated by VRF.
    We create two transfer networks at each side. One for the Metro and one for the WAN and start BGP sessions with the neighbors. Failover is guaranteed by longer AS-PATH:
    vrf definition VRF_MC
     description MC routing domain
     rd 65500:1
     address-family ipv4
     exit-address-family
    interface Vlan3
     description MC Office
     ip vrf receive VRF_MC
     ip address 1.40.1.1 255.255.255.0
     no ip redirects
     no ip proxy-arp
     ip policy route-map MC_PBR_VRF
    interface Vlan30
     description WAN A2A transfer (partner 2.2.2.18 // remote-as 65293 - local AS 65502)
     ip address 2.2.2.21 255.255.255.240
    interface Vlan31
     description WAN MC(partner 2.2.2.50 // remote-as 65293 - local AS 65502)
     vrf forwarding VRF_MC
     ip address 2.2.2.53 255.255.255.240
    interface Vlan34
     description Metro A2A transfer (partner 3.3.3.69 remote-as 65503)
     ip address 3.3.3.66 255.255.255.240
    interface Vlan36
     description Metro MC transfer (partner 3.3.3.85 remote-as 65503)
     vrf forwarding VRF_MC
     ip address 3.3.3.82 255.255.255.240
    router bgp 65502
     bgp always-compare-med
     bgp log-neighbor-changes
     network 1.40.1.0 mask 255.255.255.0        <-- MC LAN
     network 1.1.192.0 mask 255.255.248.0       <-- other Office LAN segments below
     network 1.1.200.0 mask 255.255.248.0
     network 1.1.208.0 mask 255.255.248.0
     neighbor 2.2.2.18 remote-as 65293
     neighbor 2.2.2.18 description to_A2A_WAN
     neighbor 2.2.2.18 version 4
     neighbor 2.2.2.18 remove-private-as
     neighbor 2.2.2.18 soft-reconfiguration inbound
     neighbor 2.2.2.18 prefix-list BGP_A2A_out out
     neighbor 3.3.3.69 remote-as 65503
     neighbor 3.3.3.69 description A2A_Metro_to_DC
     neighbor 3.3.3.69 update-source Vlan34
     neighbor 3.3.3.69 version 4
     neighbor 3.3.3.69 soft-reconfiguration inbound
     address-family ipv4 vrf VRF_MC
      network 1.40.1.0 mask 255.255.255.0         <-- MC LAN
      neighbor 2.2.2.50 remote-as 65293
      neighbor 2.2.2.50 description to_MC_WAN
      neighbor 2.2.2.50 version 4
      neighbor 2.2.2.50 activate
      neighbor 2.2.2.50 remove-private-as
      neighbor 2.2.2.50 soft-reconfiguration inbound
      neighbor 2.2.2.50 prefix-list BGP_MC_out out
      neighbor 3.3.3.85 remote-as 65503
      neighbor 3.3.3.85 description MC_Metro_to_DC
      neighbor 3.3.3.85 update-source Vlan36
      neighbor 3.3.3.85 activate
      neighbor 3.3.3.85 soft-reconfiguration inbound
     exit-address-family
    route-map MC_PBR_VRF permit 10
     match ip address MC_PBR_ROUTE
     set vrf VRF_MC
    ! control BGP
    ip prefix-list BGP_A2A_out seq 10 permit 1.1.192.0/21 le 32
    ip prefix-list BGP_A2A_out seq 20 permit 1.1.200.0/21 le 32
    ip prefix-list BGP_A2A_out seq 30 permit 1.1.208.0/21 le 32
    ip prefix-list BGP_A2A_out seq 40 permit 1.40.1.0/24 le 32
    ! control BGP
    ip prefix-list BGP_MC_out seq 10 permit 1.40.1.0/24 le 32
    ip access-list extended MC_PBR_ROUTE
     permit ip any 2.2.2.48 0.0.0.15
     permit ip any 3.3.3.80 0.0.0.15
     permit ip any 7.87.208.0 0.0.15.255
     permit ip any 55.55.0.0 0.0.0.255
     permit ip any host 93.93.93.93
    That's all.
    What is possible:
    - traceroute into MC WAN from Office LAN router "traceroute vrf VRF_MC 55.55.0.83"
      1 2.2.2.50 [AS 65276] 8 msec 0 msec 0 msec
      2 10.10.21.189 [AS 65276] 4 msec 0 msec 4 msec
      3 10.10.41.74 [AS 65276] 12 msec 8 msec 16 msec
    - MC LAN is fully reachable from A2A WAN
    - Metro link is used for backup and "city" traffic between office and DC.
    What does not work:
    - A device connected to MC LAN cannot reach any target in MC WAN. Example:
    C:\Users\me>tracert -d 55.55.0.83
      1     2 ms     1 ms     1 ms  2.2.2.53 <- IP local VLAN31 MC-WAN transfer net (belonging to VRF_MC)
      2    <1 ms    <1 ms    <1 ms  2.2.2.18 <- jump back into the GRT (A2A WAN router IP)
      3     1 ms     1 ms     1 ms  5.5.5.5  <- A2A WAN
    What is missing?? Is my solution itself a no-go?
    Additional question: There is a backup metro link with a smaller bandwidth that should be used only in case the main metro link is down. I installed a route-map to "set local-preference 20" for all routes received via this backup metro link. Is this the recommended way to implement such a backup link?
    Best regards

    Use the route map as a normal thing.
    To match all the IP addresses there should not be any match statement in the route map.
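An added example, not part of the original posts: a small evaluator for the BGP_A2A_out / BGP_MC_out prefix-lists and the MC_PBR_ROUTE ACL from the configuration in the question, for checking which prefixes the outbound filters allow and which destinations the PBR ACL selects for VRF_MC. The filter lines are copied from the post; the function names are assumptions made for this example.

```python
import ipaddress
import re

# Filter lines copied from the configuration in the post.
CONFIG = """\
ip prefix-list BGP_A2A_out seq 10 permit 1.1.192.0/21 le 32
ip prefix-list BGP_A2A_out seq 20 permit 1.1.200.0/21 le 32
ip prefix-list BGP_A2A_out seq 30 permit 1.1.208.0/21 le 32
ip prefix-list BGP_A2A_out seq 40 permit 1.40.1.0/24 le 32
ip prefix-list BGP_MC_out seq 10 permit 1.40.1.0/24 le 32
permit ip any 2.2.2.48 0.0.0.15
permit ip any 3.3.3.80 0.0.0.15
permit ip any 7.87.208.0 0.0.15.255
permit ip any 55.55.0.0 0.0.0.255
permit ip any host 93.93.93.93
"""
PL_RE = re.compile(r"ip prefix-list (\S+) seq \d+ (permit|deny) (\S+)"
                   r"(?: ge (\d+))?(?: le (\d+))?")
ACL_RE = re.compile(r"permit ip any (?:host (\S+)|(\S+) (\S+))")

def prefix_list_permits(name, route):
    """First-match evaluation of prefix-list `name`; implicit deny at the end."""
    route = ipaddress.ip_network(route)
    for m in PL_RE.finditer(CONFIG):
        list_name, action, prefix, ge, le = m.groups()
        if list_name != name:
            continue
        base = ipaddress.ip_network(prefix)
        lo = int(ge) if ge else base.prefixlen   # no ge: start at the entry's own length
        hi = int(le) if le else (32 if ge else base.prefixlen)  # neither: exact match
        if route.subnet_of(base) and lo <= route.prefixlen <= hi:
            return action == "permit"
    return False

def pbr_matches(dst):
    """True if dst hits a permit line of MC_PBR_ROUTE (wildcard bits are ignored)."""
    dst = int(ipaddress.ip_address(dst))
    for m in ACL_RE.finditer(CONFIG):
        host, net, wild = m.groups()
        base = int(ipaddress.ip_address(host or net))
        care = 0xFFFFFFFF ^ (int(ipaddress.ip_address(wild)) if wild else 0)
        if (dst ^ base) & care == 0:
            return True
    return False
```

Because every entry ends in "le 32", any more-specific route inside the listed blocks also passes the outbound filter, not only the /21 and /24 prefixes themselves.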

  • BGP routing updates via VRF's fails on PE

    HQ connects to 2 different remote sites via MPLS.
    HQ connects to PE1 via MPLS vrf SITE1
    HQ also connects to PE1 via MPLS vrf SITE2
    WAN1 connects to PE2 via F0/0 vrf SITE1
    WAN2 connects to PE2 via F0/1 vrf SITE2
    HQ sees all prefixes from both remote sites!!
    HQ and WAN1 can successfully ping/trace each other.
    HQ and WAN2 can successfully ping/trace each other.
    WAN1 only sees HQ prefixes
    WAN2 only sees HQ prefixes
    PE1 vrf SITE1 routing table sees HQ and WAN1 prefixes only
    PE1 vrf SITE2 routing table sees HQ and WAN2 prefixes only
    I can see from HQ that HQ is sending the same prefixes to both eBGP PE1 peers.
    (I.E. sh bgp ipv4 uni nei x.x.x.x adv)
    TOPOLOGY:
               /---MPLS--PE2------WAN1
    HQ----PE1--
               \---MPLS--PE2------WAN2
    HQ   AS 10
    WAN1 AS 20
    WAN2 AS 30
    MPLS AS 65535
    On PE1 and PE2
    Under vrf SITE1, I added route-target import from vrf SITE2 and
    Under vrf SITE2, I added route-target import from vrf SITE1 and this did not work at all.
    HQ must remain in 2 different vrf's while the remotes are in different vrf's as well.
    PROBLEM:
    I need to be able to communicate between WAN1 to WAN2 via HQ.
    Anyone know what might fix my problem, or can explain what is happening that causes this failure?
    THANKS and BEST REGARDS
    Frank

    Hi Frank
    Looking at your design mentioned above, it all seems fine and should work. Just one question: did you import the cross-VRF RTs after the normal setup was up and working? Because in that case I think we would need to soft clear the BGP process on PE1 to cross-import the VRF routes from PE2. But on PE2 it should have worked fine.
    Maybe, as asked by Olivier, you can share the configs once so we can look at them.
    Coming to your second question of
    PROBLEM:
    I need to be able to communicate between WAN1 to WAN2 via HQ.
    This is a case of MPLS Hub and Spoke VPN Services using eBGP as PE-CE.
    Here we need to use 3 VRFs with a separate export RT for the Hub (HQ-VRF) and Spoke 1 (Site 1-VRF) / Spoke 2 (Site 2-VRF).
    Hub will import the RT of Spoke 1 and Spoke 2. Spoke 1 / Spoke 2 will import only the HQ RT.
    On PE1 create a default null route under VRF Hub and under BGP address-family ipv4 vrf HQ-VRF send a default route using the below network statement
    network 0.0.0.0
    This will help to achieve the desired traffic flow of WAN1 communicating to WAN2 via HQ.
    Hope this provides some insight to your query.
    Regards
    Varma
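An added example, not part of the original replies: a small model of the route-target import/export step Varma describes, showing which routes each VRF ends up with and that a spoke reaches the other spoke only through the hub-originated default. The VRF names come from the reply; the RT values and prefixes are constructed for this example, and the function names are assumptions.

```python
import ipaddress

# Constructed sample values: the thread gives no prefixes or RT numbers.
VRFS = {
    "HQ-VRF":     {"export": "65535:100", "import": {"65535:1", "65535:2"},
                   "prefixes": ["10.0.0.0/16", "0.0.0.0/0"]},  # hub also originates a default
    "Site 1-VRF": {"export": "65535:1", "import": {"65535:100"},
                   "prefixes": ["10.1.0.0/16"]},
    "Site 2-VRF": {"export": "65535:2", "import": {"65535:100"},
                   "prefixes": ["10.2.0.0/16"]},
}

def vrf_table(name, vrfs=VRFS):
    """Routes in a VRF: its own prefixes plus every route whose export RT it imports."""
    table = {p: name for p in vrfs[name]["prefixes"]}
    for other, cfg in vrfs.items():
        if other != name and cfg["export"] in vrfs[name]["import"]:
            for p in cfg["prefixes"]:
                table.setdefault(p, other)   # locally originated routes win
    return table

def lookup(name, dst, vrfs=VRFS):
    """Longest-prefix match in a VRF; returns (prefix, originating VRF) or None."""
    dst = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), origin)
            for p, origin in vrf_table(name, vrfs).items()
            if dst in ipaddress.ip_network(p)]
    if not hits:
        return None
    net, origin = max(hits, key=lambda h: h[0].prefixlen)
    return str(net), origin
```

The model covers only route visibility per VRF; it does not model label forwarding or the PE-CE eBGP sessions.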
