% Network Design Workshop
% BGP Policy Lab

\pagebreak

# Introduction

The purpose of this exercise is to:

* Apply the concepts of BGP policy learned in class
  to achieve the desired traffic patterns, particularly
  in an academic environment.
* Learn how to use Local Preference, BGP Communities, AS Path
  Prepending and related BGP operational commands.

# Pre-requisites

This exercise builds upon the configurations implemented in
the basic BGP routing lab. You must:

* Verify that all your BGP sessions are up
* Be able to see every lab prefix in your routing table
* Be able to ping and traceroute successfully to any other router
  in the lab.

**Remember, all the above applies to both IPv4 and IPv6.**

# Routing Policy in academic networks

Research and Education Networks (RENs) are designed for high throughput
and low latency. In many cases their links are also subsidized by
governments and other organizations. Therefore, it is common in academic
environments to want to apply routing policies that prefer these paths
over the "commodity" (commercial) ones.

# Local Preference

Our first goal is to configure our routers to prefer the paths
via the NREN for outgoing traffic to ALL destinations.

1. Use the Local Preference attribute to prefer all routes learned
via the NREN:

R11:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
route-map set-lpref permit 10
 set local-preference 150
route-map set-lpref permit 20
!
router bgp 10
 address-family ipv4
  neighbor 10.101.254.1 route-map set-lpref in
 address-family ipv6
  neighbor fd00:101:fe:: route-map set-lpref in
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

R12:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
route-map set-lpref permit 10
 set local-preference 50
route-map set-lpref permit 20
!
router bgp 10
 address-family ipv4
  neighbor 10.201.254.1 route-map set-lpref in
 address-family ipv6
  neighbor fd00:201:fe:: route-map set-lpref in
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

What is the default local preference in Cisco IOS?
Notice that we are setting a higher preference on the NREN
side, and a lower preference on the ISP side. Explain why this is
a good idea.

Check your BGP routes. The next hop in R11 should be the
address of your NREN's router (except for your own prefix).
In R12, the next hop should be R11's loopback address.
Remember the 'next-hop-self' parameter?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
show ip bgp
show bgp ipv6 unicast
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

All good now, right?

Wait!... What about the prefixes of ASs with whom
you are peering directly? Remember the path selection algorithm?
What comes first, highest local preference or shortest AS path?

2. Modify the route map to NOT apply the local preference
attribute to prefixes originated by your direct peers.

*Here, AS10 peers with AS20, but also with the NREN (AS101)
and the ISP (AS201). Notice the AS Path access list.*

R11:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ip as-path access-list 1 permit _20$
ip as-path access-list 1 permit _101$
ip as-path access-list 1 permit _201$
!
no route-map set-lpref
!
route-map set-lpref permit 10
 match as-path 1
 continue 30
route-map set-lpref permit 20
 set local-preference 150
route-map set-lpref permit 30
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

R12:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ip as-path access-list 1 permit _20$
ip as-path access-list 1 permit _101$
ip as-path access-list 1 permit _201$
!
no route-map set-lpref
!
route-map set-lpref permit 10
 match as-path 1
 continue 30
route-map set-lpref permit 20
 set local-preference 50
route-map set-lpref permit 30
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Use BGP refresh to make sure that the policies are applied:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
clear ip bgp * in
clear ip bgp * out
clear bgp ipv6 unicast * in
clear bgp ipv6 unicast * out
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Check your BGP routes again. What is the next hop towards your direct
peers' prefixes? (Hint: the path should be direct!)

3. STOP - Checkpoint

All groups must finish this part before continuing. Do NOT continue
until the instructor says so.
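
The effect of `continue 30` on path selection can be checked offline. The following Python model is an added example, not part of the original lab: it applies both versions of `set-lpref` to constructed candidate routes and then picks a best path by local preference and AS path length. The candidate AS paths and the simplified route-map walk are assumptions.

```python
import re

DEFAULT_LOCAL_PREF = 100  # Cisco IOS default when no policy sets one


def ios_aspath_regex(pattern):
    """Translate an IOS AS-path regex to Python. In IOS, '_' matches a
    delimiter: start or end of string, space, comma, brace, parenthesis
    or underscore."""
    return re.compile(pattern.replace("_", "(?:^|$|[ ,{}()_])"))


# ip as-path access-list 1 from step 2: paths originated by direct peers.
AS_PATH_LIST_1 = [ios_aspath_regex(p) for p in ("_20$", "_101$", "_201$")]


def from_direct_peer(route):
    return any(rx.search(route["as_path"]) for rx in AS_PATH_LIST_1)


def route_map_v1(lpref):
    """Step 1: set local preference on everything from this neighbor."""
    return [{"seq": 10, "set_lpref": lpref}, {"seq": 20}]


def route_map_v2(lpref):
    """Step 2: direct-peer origins skip the 'set' via 'continue 30'."""
    return [
        {"seq": 10, "match": from_direct_peer, "continue_to": 30},
        {"seq": 20, "set_lpref": lpref},
        {"seq": 30},
    ]


def apply_route_map(entries, route):
    """Simplified permit-only route-map walk (an assumption of this model):
    the first matching entry ends evaluation unless it carries 'continue',
    which resumes at that sequence number. Returns the resulting local
    preference, or None if no entry matched (implicit deny)."""
    lpref, resume_at, matched = DEFAULT_LOCAL_PREF, 0, False
    for entry in sorted(entries, key=lambda e: e["seq"]):
        if entry["seq"] < resume_at:
            continue
        if "match" in entry and not entry["match"](route):
            continue
        matched = True
        lpref = entry.get("set_lpref", lpref)
        if "continue_to" not in entry:
            break
        resume_at = entry["continue_to"]
    return lpref if matched else None


def best_path(candidates):
    """The two selection steps that matter here: highest local preference
    first, then shortest AS path."""
    return max(candidates,
               key=lambda r: (r["lpref"], -len(r["as_path"].split())))


def choose_exits(make_map):
    """Return the chosen exit per prefix for AS10 under one policy version."""
    nren_map, isp_map = make_map(150), make_map(50)  # R11 and R12 values
    # Constructed candidate paths, as AS10 might learn them.
    table = {
        "10.20.0.0/16": [("AS20 direct", "20", None),
                         ("NREN", "101 20", nren_map),
                         ("ISP", "201 20", isp_map)],
        "10.40.0.0/16": [("NREN", "101 100 102 40", nren_map),
                         ("ISP", "201 202 40", isp_map)],
    }
    result = {}
    for prefix, paths in table.items():
        candidates = []
        for via, as_path, rmap in paths:
            route = {"via": via, "as_path": as_path}
            route["lpref"] = (apply_route_map(rmap, route) if rmap
                              else DEFAULT_LOCAL_PREF)
            candidates.append(route)
        result[prefix] = best_path(candidates)["via"]
    return result


if __name__ == "__main__":
    print("step 1:", choose_exits(route_map_v1))
    print("step 2:", choose_exits(route_map_v2))
```

With the step 1 policy the prefix of the direct peer AS20 is reached through the NREN; with the step 2 policy it is reached directly, while the remote AS40 prefix still leaves via the NREN.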

# Path Prepending

At this point we have influenced outbound traffic only. Now we want to
influence the traffic COMING IN to our AS. We want traffic to come
to us via the R&E networks as much as possible.

In the case of this lab, every other group is already preferring the
NREN link for their outgoing traffic. For groups connected to your
same NREN, the traffic towards you will NOT go via the commodity
(commercial) Internet. However, this is not the case for groups
connected to other NRENs.

To see this, check your paths towards groups NOT connected to your
NREN. For example, from AS10:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
R11# show ip bgp 10.40.0.0
R11# traceroute 10.40.255.1
R11# show bgp ipv6 unicast fd00:40::/32
R11# traceroute fd00:40:ff::1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Notice that the traffic leaves via the R&E networks, but then enters
AS40 through their commercial ISP.

The same happens with traffic coming back to you from other NRENs.
How can you influence their path selection so that traffic towards
you enters via your NREN?

We will now use a technique called AS path prepending, which consists
of adding extra "fake" hops to a path using our ASN multiple times.

1. Prepend your AS number twice in the path announced to your ISP:

R12:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ip prefix-list AS10-prefix permit 10.10.0.0/16
!
route-map set-prepend permit 10
 match ip address prefix-list AS10-prefix
 set as-path prepend 10 10
route-map set-prepend permit 20
!
ipv6 prefix-list ipv6-AS10-prefix permit fd00:10::/32
!
route-map ipv6-set-prepend permit 10
 match ipv6 address prefix-list ipv6-AS10-prefix
 set as-path prepend 10 10
route-map ipv6-set-prepend permit 20
!
router bgp 10
 address-family ipv4
  neighbor 10.201.254.1 route-map set-prepend out
 address-family ipv6
  neighbor fd00:201:fe:: route-map ipv6-set-prepend out
!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Use BGP refresh to re-announce your prefix to the ISP:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
R12# clear ip bgp 10.201.254.1 out
R12# clear bgp ipv6 unicast fd00:201:fe:: out
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Ask remote groups (connected to the other NRENs) to verify that
their paths towards you do not traverse the commercial ISPs.

2. STOP - Checkpoint

All groups must finish this part before continuing. Do NOT continue
until the instructor says so.

# BGP Communities

Now let's reflect on our initial outbound policy. Since our NREN
carries commodity Internet prefixes in addition to R&E prefixes,
we decided to use the Local Preference attribute to send
*everything* via the NREN.

In reality this may not be optimal, because the NREN may not
always have the best paths towards the rest of the Internet and also
because we're not taking advantage of our dual connections
to load-balance our outbound traffic.

What we really need is a way to tell which prefixes are originated
from the R&E community, so that we prefer the NREN link when sending
to THOSE prefixes only, and let the rest be decided by the regular
BGP selection process. This is where BGP Communities are useful.

1. Remove the configurations from the Local Preference section.
Notice the correct order in which this should be done (hint:
do not remove something if it's still referenced by something
else):

R11:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
router bgp 10
 address-family ipv4
  no neighbor 10.101.254.1 route-map set-lpref in
 address-family ipv6
  no neighbor fd00:101:fe:: route-map set-lpref in
!
no route-map set-lpref
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

*Remember to do the equivalent thing on the other router.*

RENs use BGP communities (basically tags) to mark groups of routes
together as a unit, which makes it easier for their neighbors to
apply policies to those groups of routes.

In this particular case, the NRENs carry research and education
(R&E) routes, as well as commercial Internet routes. The R&E
routes are marked with a special community (99) as they are
received from each customer. Also, the NREN passes those communities
on to other customers and to the RREN.

Notice that the NRENs and the RREN also use the communities to
set a higher local preference value, in order to prefer the R&E paths.
This is because they can also learn those prefixes via the ISPs with
whom they peer.

NREN1:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ip bgp-community new-format
!
route-map set-RE-comm permit 10
 set community 101:99
route-map set-RE-comm permit 20
!
ip community-list 1 permit 100:99
!
route-map set-RE-lpref permit 10
 match community 1
 set local-preference 150
route-map set-RE-lpref permit 20
!
router bgp 101
 address-family ipv4
  neighbor 10.101.254.2 send-community
  neighbor 10.101.254.2 route-map set-RE-comm in
  neighbor 10.101.254.6 send-community
  neighbor 10.101.254.6 route-map set-RE-comm in
  neighbor 10.101.254.10 send-community
  neighbor 10.101.254.10 route-map set-RE-comm in
  neighbor 10.100.254.1 send-community
  neighbor 10.100.254.1 route-map set-RE-lpref in
 address-family ipv6
  neighbor fd00:101:fe::1 send-community
  neighbor fd00:101:fe::1 route-map set-RE-comm in
  neighbor fd00:101:fe::3 send-community
  neighbor fd00:101:fe::3 route-map set-RE-comm in
  neighbor fd00:101:fe::5 send-community
  neighbor fd00:101:fe::5 route-map set-RE-comm in
  neighbor fd00:100:fe:: send-community
  neighbor fd00:100:fe:: route-map set-RE-lpref in
!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NREN2:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ip bgp-community new-format
!
! NREN2 (AS102) tags customer routes with its own R&E community
route-map set-RE-comm permit 10
 set community 102:99
route-map set-RE-comm permit 20
!
ip community-list 1 permit 100:99
!
route-map set-RE-lpref permit 10
 match community 1
 set local-preference 150
route-map set-RE-lpref permit 20
!
router bgp 102
 address-family ipv4
  neighbor 10.102.254.2 send-community
  neighbor 10.102.254.2 route-map set-RE-comm in
  neighbor 10.102.254.6 send-community
  neighbor 10.102.254.6 route-map set-RE-comm in
  neighbor 10.102.254.10 send-community
  neighbor 10.102.254.10 route-map set-RE-comm in
  neighbor 10.100.254.5 send-community
  neighbor 10.100.254.5 route-map set-RE-lpref in
 address-family ipv6
  neighbor fd00:102:fe::1 send-community
  neighbor fd00:102:fe::1 route-map set-RE-comm in
  neighbor fd00:102:fe::3 send-community
  neighbor fd00:102:fe::3 route-map set-RE-comm in
  neighbor fd00:102:fe::5 send-community
  neighbor fd00:102:fe::5 route-map set-RE-comm in
  neighbor fd00:100:fe::2 send-community
  neighbor fd00:100:fe::2 route-map set-RE-lpref in
!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The regional REN (RREN) connects multiple NRENs, so they
replace communities in the R&E routes learned from NRENs
with their own community:

RREN:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ip bgp-community new-format
!
ip community-list 1 permit 101:99
ip community-list 1 permit 102:99
!
route-map set-RE-comm-in permit 10
 match community 1
 set community 100:99
 set local-preference 150
route-map set-RE-comm-in permit 20
!
route-map del-RE-comm-out permit 10
 set comm-list 1 delete
route-map del-RE-comm-out permit 20
!
router bgp 100
 address-family ipv4
  neighbor 10.100.254.2 send-community
  neighbor 10.100.254.2 route-map set-RE-comm-in in
  neighbor 10.100.254.2 route-map del-RE-comm-out out
  neighbor 10.100.254.6 send-community
  neighbor 10.100.254.6 route-map set-RE-comm-in in
  neighbor 10.100.254.6 route-map del-RE-comm-out out
 address-family ipv6
  neighbor fd00:100:fe::1 send-community
  neighbor fd00:100:fe::1 route-map set-RE-comm-in in
  neighbor fd00:100:fe::1 route-map del-RE-comm-out out
  neighbor fd00:100:fe::3 send-community
  neighbor fd00:100:fe::3 route-map set-RE-comm-in in
  neighbor fd00:100:fe::3 route-map del-RE-comm-out out
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Explain the purpose of replacing the NREN communities
at the RREN, before they are passed on to other NRENs.

ISPs will originate additional prefixes to represent the
rest of the commodity Internet:

ISP1:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
router bgp 201
 address-family ipv4
  network 172.16.0.0 mask 255.255.0.0
  network 172.17.0.0 mask 255.255.0.0
  network 172.18.0.0 mask 255.255.0.0
  network 172.19.0.0 mask 255.255.0.0
 address-family ipv6
  network 2001:db8::/32
  network 2001:db9::/32
  network 2001:dba::/32
  network 2001:dbb::/32
!
ip route 172.16.0.0 255.255.0.0 null0
ip route 172.17.0.0 255.255.0.0 null0
ip route 172.18.0.0 255.255.0.0 null0
ip route 172.19.0.0 255.255.0.0 null0
!
ipv6 route 2001:db8::/32 null0
ipv6 route 2001:db9::/32 null0
ipv6 route 2001:dba::/32 null0
ipv6 route 2001:dbb::/32 null0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ISP2:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
router bgp 202
 address-family ipv4
  network 172.20.0.0 mask 255.255.0.0
  network 172.21.0.0 mask 255.255.0.0
  network 172.22.0.0 mask 255.255.0.0
  network 172.23.0.0 mask 255.255.0.0
 address-family ipv6
  network 2001:dbc::/32
  network 2001:dbd::/32
  network 2001:dbe::/32
  network 2001:dbf::/32
!
ip route 172.20.0.0 255.255.0.0 null0
ip route 172.21.0.0 255.255.0.0 null0
ip route 172.22.0.0 255.255.0.0 null0
ip route 172.23.0.0 255.255.0.0 null0
!
ipv6 route 2001:dbc::/32 null0
ipv6 route 2001:dbd::/32 null0
ipv6 route 2001:dbe::/32 null0
ipv6 route 2001:dbf::/32 null0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

2. Set local preference ONLY on the R&E routes (marked with
the R&E community) learned from the NREN. Notice that
your NREN is also passing you the communities set by
the regional REN, so you need to match either one.

Also notice that we do not set the local preference on the
prefixes originated by our direct peers.

R11:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ip bgp-community new-format
!
ip as-path access-list 1 permit _20$
ip as-path access-list 1 permit _101$
ip as-path access-list 1 permit _201$
!
ip community-list 1 permit 100:99
ip community-list 1 permit 101:99
!
route-map set-local-pref permit 10
 match as-path 1
 continue 30
route-map set-local-pref permit 20
 match community 1
 set local-preference 150
route-map set-local-pref permit 30
!
router bgp 10
 address-family ipv4
  neighbor 10.101.254.1 route-map set-local-pref in
 address-family ipv6
  neighbor fd00:101:fe:: route-map set-local-pref in
!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Refresh to/from your neighbors:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
clear ip bgp * in
clear ip bgp * out
clear bgp ipv6 unicast * in
clear bgp ipv6 unicast * out
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Verify that communities are being set and transmitted:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
R11# show ip bgp 10.20.0.0
R11# show ip bgp 10.40.0.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Check your BGP routes again.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
show ip bgp
show ip route
show bgp ipv6 unicast
show ipv6 route
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The result should be that you now prefer the NREN path for any
prefix originated by an R&E member. For all other prefixes,
including the ones from the commercial Internet, your routers
will choose based on BGP defaults.
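
To follow a community through the NREN, RREN and R11 configurations in this section, the Python model below walks constructed routes hop by hop and then applies the logic of R11's `set-local-pref` route map. It is an added example, not part of the original lab; the AS30 customer, the `40:123` customer tag and the commodity AS path are assumptions made for illustration.

```python
DEFAULT_LOCAL_PREF = 100
NREN_TAGS = {101: "101:99", 102: "102:99"}  # set-RE-comm on NREN1 / NREN2
RREN_TAG = "100:99"                         # set-RE-comm-in on the RREN
R11_RE_LIST = {"100:99", "101:99"}          # ip community-list 1 on R11
R11_DIRECT_ORIGINS = {20, 101, 201}         # ip as-path access-list 1 on R11


def ebgp_send(route, sender_as):
    """Sender prepends its ASN; 'send-community' keeps the tags attached."""
    return {"as_path": [sender_as] + route["as_path"],
            "communities": set(route["communities"])}


def nren_in_from_customer(route, nren_as):
    # 'set community X' without 'additive' replaces the customer's own tags.
    return {**route, "communities": {NREN_TAGS[nren_as]}}


def rren_in_from_nren(route):
    # match community 1 (any NREN tag) -> set community 100:99
    if route["communities"] & set(NREN_TAGS.values()):
        return {**route, "communities": {RREN_TAG}}
    return route


def rren_out_to_nren(route):
    # set comm-list 1 delete: strip any NREN tag still attached
    return {**route,
            "communities": route["communities"] - set(NREN_TAGS.values())}


def r11_local_pref(route):
    """route-map set-local-pref on R11, applied inbound from NREN1."""
    if route["as_path"][-1] in R11_DIRECT_ORIGINS:
        return DEFAULT_LOCAL_PREF   # entry 10: direct peer's prefix, continue 30
    if route["communities"] & R11_RE_LIST:
        return 150                  # entry 20: tagged as R&E
    return DEFAULT_LOCAL_PREF       # entry 30: everything else


def via_remote_nren(origin_as, customer_tags=()):
    """Customer of NREN2 -> NREN2 -> RREN -> NREN1 -> R11."""
    r = ebgp_send({"as_path": [], "communities": set(customer_tags)}, origin_as)
    r = ebgp_send(nren_in_from_customer(r, 102), 102)
    r = ebgp_send(rren_out_to_nren(rren_in_from_nren(r)), 100)
    return ebgp_send(r, 101)        # NREN1 passes the RREN tag on unchanged


def via_own_nren(origin_as):
    """Customer of NREN1 -> NREN1 -> R11."""
    r = ebgp_send({"as_path": [], "communities": set()}, origin_as)
    return ebgp_send(nren_in_from_customer(r, 101), 101)


def view_from_r11():
    """Per prefix: (AS path, communities, local preference) as seen on R11."""
    # Constructed routes; AS numbers follow the lab, the paths are assumed.
    routes = {
        "10.40.0.0/16": via_remote_nren(40, customer_tags={"40:123"}),
        "10.30.0.0/16": via_own_nren(30),
        "10.20.0.0/16": via_own_nren(20),
        "172.20.0.0/16": {"as_path": [101, 201, 202], "communities": set()},
    }
    return {prefix: (r["as_path"], sorted(r["communities"]), r11_local_pref(r))
            for prefix, r in routes.items()}


if __name__ == "__main__":
    for prefix, (path, tags, lpref) in view_from_r11().items():
        print(prefix, path, tags, lpref)
```

The tag a customer attaches itself never reaches R11, and the untagged commodity prefix keeps the default local preference.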

# Multihoming with Partial Routes and Defaults

Another way to load-balance outbound traffic in our multihoming setup
is to play with partial routing tables and default routes.
The idea is that our routers will prefer the more specific R&E routes
coming from the NREN, and the rest of the outgoing traffic will use the
ISP. Only if the ISP fails will our non-R&E traffic leave through the NREN.
Similarly, if the NREN link fails, the ISP will route all our
outbound traffic.

This has the advantage of reducing our routing table size, and
therefore convergence time. The disadvantage is that we may
not always follow the best paths, but it might be a good
compromise.

We are going to ask the NREN to only send us R&E routes, plus
the default route:

NREN1:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ip community-list 1 permit 100:99
ip community-list 1 permit 101:99
!
route-map send-RE-only permit 10
 match community 1
!
router bgp 101
 address-family ipv4
  no neighbor 10.101.254.2 send-community
  no neighbor 10.101.254.6 send-community
  no neighbor 10.101.254.10 send-community
  neighbor 10.101.254.2 route-map send-RE-only out
  neighbor 10.101.254.2 default-originate
  neighbor 10.101.254.6 route-map send-RE-only out
  neighbor 10.101.254.6 default-originate
  neighbor 10.101.254.10 route-map send-RE-only out
  neighbor 10.101.254.10 default-originate
 address-family ipv6
  no neighbor fd00:101:fe::1 send-community
  no neighbor fd00:101:fe::3 send-community
  no neighbor fd00:101:fe::5 send-community
  neighbor fd00:101:fe::1 route-map send-RE-only out
  neighbor fd00:101:fe::1 default-originate
  neighbor fd00:101:fe::3 route-map send-RE-only out
  neighbor fd00:101:fe::3 default-originate
  neighbor fd00:101:fe::5 route-map send-RE-only out
  neighbor fd00:101:fe::5 default-originate
!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NREN2:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ip community-list 1 permit 100:99
ip community-list 1 permit 102:99
!
route-map send-RE-only permit 10
 match community 1
!
router bgp 102
 address-family ipv4
  no neighbor 10.102.254.2 send-community
  no neighbor 10.102.254.6 send-community
  no neighbor 10.102.254.10 send-community
  neighbor 10.102.254.2 route-map send-RE-only out
  neighbor 10.102.254.2 default-originate
  neighbor 10.102.254.6 route-map send-RE-only out
  neighbor 10.102.254.6 default-originate
  neighbor 10.102.254.10 route-map send-RE-only out
  neighbor 10.102.254.10 default-originate
 address-family ipv6
  no neighbor fd00:102:fe::1 send-community
  no neighbor fd00:102:fe::3 send-community
  no neighbor fd00:102:fe::5 send-community
  neighbor fd00:102:fe::1 route-map send-RE-only out
  neighbor fd00:102:fe::1 default-originate
  neighbor fd00:102:fe::3 route-map send-RE-only out
  neighbor fd00:102:fe::3 default-originate
  neighbor fd00:102:fe::5 route-map send-RE-only out
  neighbor fd00:102:fe::5 default-originate
!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Similarly, we will ask the ISP to only send us a default
route:

ISP1:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ip prefix-list default permit 0.0.0.0/0
ipv6 prefix-list ipv6-default permit ::/0
!
router bgp 201
 address-family ipv4
  neighbor 10.201.254.2 default-originate
  neighbor 10.201.254.2 prefix-list default out
  neighbor 10.201.254.6 default-originate
  neighbor 10.201.254.6 prefix-list default out
  neighbor 10.201.254.10 default-originate
  neighbor 10.201.254.10 prefix-list default out
 address-family ipv6
  neighbor FD00:201:FE::1 default-originate
  neighbor FD00:201:FE::1 prefix-list ipv6-default out
  neighbor FD00:201:FE::3 default-originate
  neighbor FD00:201:FE::3 prefix-list ipv6-default out
  neighbor FD00:201:FE::5 default-originate
  neighbor FD00:201:FE::5 prefix-list ipv6-default out
!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ISP2:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ip prefix-list default permit 0.0.0.0/0
ipv6 prefix-list ipv6-default permit ::/0
!
router bgp 202
 address-family ipv4
  neighbor 10.202.254.2 default-originate
  neighbor 10.202.254.2 prefix-list default out
  neighbor 10.202.254.6 default-originate
  neighbor 10.202.254.6 prefix-list default out
  neighbor 10.202.254.10 default-originate
  neighbor 10.202.254.10 prefix-list default out
 address-family ipv6
  neighbor FD00:202:FE::1 default-originate
  neighbor FD00:202:FE::1 prefix-list ipv6-default out
  neighbor FD00:202:FE::3 default-originate
  neighbor FD00:202:FE::3 prefix-list ipv6-default out
  neighbor FD00:202:FE::5 default-originate
  neighbor FD00:202:FE::5 prefix-list ipv6-default out
!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Check what you are now receiving from your NREN and
your ISP:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
R11# show ip bgp neighbors 10.101.254.1 routes
R11# show bgp ipv6 uni neighbors fd00:101:fe:: routes
R11# show ip route 0.0.0.0 0.0.0.0
R11# show ipv6 route ::/0

R12# show ip bgp neighbors 10.201.254.1 routes
R12# show bgp ipv6 uni neighbors fd00:201:fe:: routes
R12# show ip route 0.0.0.0 0.0.0.0
R12# show ipv6 route ::/0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

At this point you should see that each of your routers
has a default route pointing to its upstream peer. This
is an OK situation. But let's say that we want the ISP
to handle all the non-R&E outbound traffic.

Configure your RX2 router to assign a higher local preference
to the default announced by the ISP:

R12:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ip prefix-list default permit 0.0.0.0/0
ipv6 prefix-list ipv6-default permit ::/0
!
route-map set-lpref-default permit 10
 match ip address prefix-list default
 set local-preference 150
!
! IPv6 prefix lists are matched with "match ipv6 address"
route-map set-lpref-ipv6-default permit 10
 match ipv6 address prefix-list ipv6-default
 set local-preference 150
!
router bgp 10
 address-family ipv4
  neighbor 10.201.254.1 route-map set-lpref-default in
 address-family ipv6
  neighbor fd00:201:fe:: route-map set-lpref-ipv6-default in
!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Check your default route on both routers:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
show ip bgp 0.0.0.0 0.0.0.0
show ip route 0.0.0.0 0.0.0.0

show bgp ipv6 uni ::/0
show ipv6 route ::/0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Also, check your BGP routing table. Has it shrunk?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
show ip bgp
show bgp ipv6 unicast
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~