Agenda: lab-bgp-policy.txt

File lab-bgp-policy.txt, 21.7 KB (added by cvicente, 6 years ago)
% Network Design Workshop
% BGP Policy Lab

![Multi-homed Topology](ex3-1.png)

\pagebreak

# Introduction

The purpose of this exercise is to:

* Apply the concepts of BGP policy learned in class
  to achieve the desired traffic patterns, particularly
  in an academic environment.
* Learn how to use Local Preference, BGP Communities, AS Path
  Prepending and related BGP operational commands.

# Pre-requisites

This exercise builds upon the configurations implemented in
the basic BGP routing lab. You must:

* Verify that all your BGP sessions are up
* Be able to see every lab prefix in your routing table
* Be able to ping and traceroute successfully to any other router
  in the lab.

**Remember, all the above applies to both IPv4 and IPv6.**

# Routing Policy in academic networks

Research and Education Networks (RENs) are designed for high throughput
and low latency. In many cases their links are also subsidized by
governments and other organizations. Therefore, it is common in academic
environments to want to apply routing policies that prefer these paths
over the "commodity" (commercial) ones.

# Local Preference

Our first goal is to configure our routers to prefer the paths
via the NREN for outgoing traffic to ALL destinations.

1. Use the Local Preference attribute to prefer all routes learned
   via the NREN:

R11:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
route-map set-lpref permit 10
 set local-preference 150
route-map set-lpref permit 20
!
router bgp 10
 address-family ipv4
  neighbor 10.101.254.1 route-map set-lpref in
 address-family ipv6
  neighbor fd00:101:fe:: route-map set-lpref in
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

R12:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
route-map set-lpref permit 10
 set local-preference 50
route-map set-lpref permit 20
!
router bgp 10
 address-family ipv4
  neighbor 10.201.254.1 route-map set-lpref in
 address-family ipv6
  neighbor fd00:201:fe:: route-map set-lpref in
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

What is the default local preference in Cisco IOS?
Notice that we are setting a higher preference on the NREN
side, and a lower preference on the ISP side. Explain why this is
a good idea.

Check your BGP routes. The next hop in R11 should be the
address of your NREN's router (except for your own prefix).
In R12, the next hop should be R11's loopback address.
Remember the 'next-hop-self' parameter?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
show ip bgp
show bgp ipv6 unicast
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

All good now, right?

Wait!... What about the prefixes of ASs with whom
you are peering directly? Remember the path selection algorithm?
What comes first, highest local preference or shortest AS path?

2. Modify the route map to NOT apply the local preference
   attribute to prefixes originated by your direct peers.

*Here, AS10 peers with AS20, but also with the NREN (AS101)
and the ISP (AS201). Notice the AS Path access list.*

R11:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ip as-path access-list 1 permit _20$
ip as-path access-list 1 permit _101$
ip as-path access-list 1 permit _201$
!
no route-map set-lpref
!
route-map set-lpref permit 10
 match as-path 1
 continue 30
route-map set-lpref permit 20
 set local-preference 150
route-map set-lpref permit 30
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

R12:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ip as-path access-list 1 permit _20$
ip as-path access-list 1 permit _101$
ip as-path access-list 1 permit _201$
!
no route-map set-lpref
!
route-map set-lpref permit 10
 match as-path 1
 continue 30
route-map set-lpref permit 20
 set local-preference 50
route-map set-lpref permit 30
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Use BGP refresh to make sure that the policies are applied:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
clear ip bgp * in
clear ip bgp * out
clear bgp ipv6 unicast * in
clear bgp ipv6 unicast * out
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Check your BGP routes again. What is the next hop towards your direct
peers' prefixes? (Hint: the path should be direct!)

3. STOP - Checkpoint

All groups must finish this part before continuing. Do NOT continue
until the instructor says so.

# Path Prepending

At this point we have influenced outbound traffic only. Now we want to
influence the traffic COMING IN to our AS. We want traffic to come
to us via the R&E networks as much as possible.

In the case of this lab, every other group is already preferring the
NREN link for their outgoing traffic. For groups connected to your
same NREN, the traffic towards you will NOT go via the commodity
(commercial) Internet. However, this is not the case for groups
connected to other NRENs.

To see this, check your paths towards groups NOT connected to your
NREN. For example, from AS10:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
R11# show ip bgp 10.40.0.0
R11# traceroute 10.40.255.1
R11# show bgp ipv6 unicast fd00:40::/32
R11# traceroute fd00:40:ff::1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Notice that the traffic leaves via the R&E networks, but then enters
AS40 through their commercial ISP.

The same happens with traffic coming back to you from other NRENs.
How can you influence their path selection so that traffic towards
you enters via your NREN?

We will now use a technique called AS path prepending, which consists
of adding extra “fake” hops to a path using our ASN multiple times.

1. Prepend your AS number twice in the path announced to your ISP:

R12:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ip prefix-list AS10-prefix permit 10.10.0.0/16
!
route-map set-prepend permit 10
 match ip address prefix-list AS10-prefix
 set as-path prepend 10 10
route-map set-prepend permit 20
!
ipv6 prefix-list ipv6-AS10-prefix permit fd00:10::/32
!
route-map ipv6-set-prepend permit 10
 match ipv6 address prefix-list ipv6-AS10-prefix
 set as-path prepend 10 10
route-map ipv6-set-prepend permit 20
!
router bgp 10
 address-family ipv4
  neighbor 10.201.254.1 route-map set-prepend out
 address-family ipv6
  neighbor fd00:201:fe:: route-map ipv6-set-prepend out
!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Use BGP refresh to re-announce your prefix to the ISP:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
R12# clear ip bgp 10.201.254.1 out
R12# clear bgp ipv6 unicast fd00:201:fe:: out
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Ask remote groups (connected to the other NRENs) to verify that
their paths towards you do not traverse the commercial ISPs.

2. STOP - Checkpoint

All groups must finish this part before continuing. Do NOT continue
until the instructor says so.

# BGP Communities

Now let's reflect on our initial outbound policy. Since our NREN
carries commodity Internet prefixes in addition to R&E prefixes,
we decided to use the Local Preference attribute to send
*everything* via the NREN.

In reality this may not be optimal, because the NREN may not
always have the best paths towards the rest of the Internet and also
because we're not taking advantage of our dual connections
to load-balance our outbound traffic.

What we really need is a way to tell which prefixes are originated
from the R&E community, so that we prefer the NREN link when sending
to THOSE prefixes only, and let the rest be decided by the regular
BGP selection process. This is where BGP Communities are useful.

1. Remove the configurations from the Local Preference section.
   Notice the correct order in which this should be done (hint:
   do not remove something if it's still referenced by something
   else):

R11:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
router bgp 10
 address-family ipv4
  no neighbor 10.101.254.1 route-map set-lpref in
 address-family ipv6
  no neighbor fd00:101:fe:: route-map set-lpref in
!
no route-map set-lpref
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

*Remember to do the equivalent thing on the other router.*

RENs use BGP communities (basically tags) to mark groups of routes
together as a unit, which makes it easier for their neighbors to
apply policies to those groups of routes.

In this particular case, the NRENs carry research and education
(R&E) routes, as well as commercial Internet routes. The R&E
routes are marked with a special community (99) as they are
received from each customer. Also, the NREN passes those communities
on to other customers and to the RREN.

Notice that the NRENs and the RREN also use the communities to
set a higher local preference value, in order to prefer the R&E paths.
This is because they also can learn those prefixes via the ISPs with
whom they peer.

NREN1:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ip bgp-community new-format
!
route-map set-RE-comm permit 10
 set community 101:99
route-map set-RE-comm permit 20
!
ip community-list 1 permit 100:99
!
route-map set-RE-lpref permit 10
 match community 1
 set local-preference 150
route-map set-RE-lpref permit 20
!
router bgp 101
 address-family ipv4
  neighbor 10.101.254.2 send-community
  neighbor 10.101.254.2 route-map set-RE-comm in
  neighbor 10.101.254.6 send-community
  neighbor 10.101.254.6 route-map set-RE-comm in
  neighbor 10.101.254.10 send-community
  neighbor 10.101.254.10 route-map set-RE-comm in
  neighbor 10.100.254.1 send-community
  neighbor 10.100.254.1 route-map set-RE-lpref in
 address-family ipv6
  neighbor fd00:101:fe::1 send-community
  neighbor fd00:101:fe::1 route-map set-RE-comm in
  neighbor fd00:101:fe::3 send-community
  neighbor fd00:101:fe::3 route-map set-RE-comm in
  neighbor fd00:101:fe::5 send-community
  neighbor fd00:101:fe::5 route-map set-RE-comm in
  neighbor fd00:100:fe:: send-community
  neighbor fd00:100:fe:: route-map set-RE-lpref in
!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NREN2:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ip bgp-community new-format
!
! NREN2 (AS102) tags R&E routes with its own community, 102:99,
! which is the value the RREN community list expects from it
route-map set-RE-comm permit 10
 set community 102:99
route-map set-RE-comm permit 20
!
ip community-list 1 permit 100:99
!
route-map set-RE-lpref permit 10
 match community 1
 set local-preference 150
route-map set-RE-lpref permit 20
!
router bgp 102
 address-family ipv4
  neighbor 10.102.254.2 send-community
  neighbor 10.102.254.2 route-map set-RE-comm in
  neighbor 10.102.254.6 send-community
  neighbor 10.102.254.6 route-map set-RE-comm in
  neighbor 10.102.254.10 send-community
  neighbor 10.102.254.10 route-map set-RE-comm in
  neighbor 10.100.254.5 send-community
  neighbor 10.100.254.5 route-map set-RE-lpref in
 address-family ipv6
  neighbor fd00:102:fe::1 send-community
  neighbor fd00:102:fe::1 route-map set-RE-comm in
  neighbor fd00:102:fe::3 send-community
  neighbor fd00:102:fe::3 route-map set-RE-comm in
  neighbor fd00:102:fe::5 send-community
  neighbor fd00:102:fe::5 route-map set-RE-comm in
  neighbor fd00:100:fe::2 send-community
  neighbor fd00:100:fe::2 route-map set-RE-lpref in
!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The regional REN (RREN) connects multiple NRENs, so they
replace communities in the R&E routes learned from NRENs
with their own community:

RREN:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ip bgp-community new-format
!
ip community-list 1 permit 101:99
ip community-list 1 permit 102:99
!
route-map set-RE-comm-in permit 10
 match community 1
 set community 100:99
 set local-preference 150
route-map set-RE-comm-in permit 20
!
route-map del-RE-comm-out permit 10
 set comm-list 1 delete
route-map del-RE-comm-out permit 20
!
router bgp 100
 address-family ipv4
  neighbor 10.100.254.2 send-community
  neighbor 10.100.254.2 route-map set-RE-comm-in in
  neighbor 10.100.254.2 route-map del-RE-comm-out out
  neighbor 10.100.254.6 send-community
  neighbor 10.100.254.6 route-map set-RE-comm-in in
  neighbor 10.100.254.6 route-map del-RE-comm-out out
 address-family ipv6
  neighbor fd00:100:fe::1 send-community
  neighbor fd00:100:fe::1 route-map set-RE-comm-in in
  neighbor fd00:100:fe::1 route-map del-RE-comm-out out
  neighbor fd00:100:fe::3 send-community
  neighbor fd00:100:fe::3 route-map set-RE-comm-in in
  neighbor fd00:100:fe::3 route-map del-RE-comm-out out
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Explain the purpose of replacing the NREN communities
at the RREN, before they are passed on to other NRENs.

ISPs will originate additional prefixes to represent the
rest of the commodity Internet:

ISP1:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
router bgp 201
 address-family ipv4
  network 172.16.0.0 mask 255.255.0.0
  network 172.17.0.0 mask 255.255.0.0
  network 172.18.0.0 mask 255.255.0.0
  network 172.19.0.0 mask 255.255.0.0
 address-family ipv6
  network 2001:db8::/32
  network 2001:db9::/32
  network 2001:dba::/32
  network 2001:dbb::/32
!
ip route 172.16.0.0 255.255.0.0 null0
ip route 172.17.0.0 255.255.0.0 null0
ip route 172.18.0.0 255.255.0.0 null0
ip route 172.19.0.0 255.255.0.0 null0
!
ipv6 route 2001:db8::/32 null0
ipv6 route 2001:db9::/32 null0
ipv6 route 2001:dba::/32 null0
ipv6 route 2001:dbb::/32 null0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ISP2:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
router bgp 202
 address-family ipv4
  network 172.20.0.0 mask 255.255.0.0
  network 172.21.0.0 mask 255.255.0.0
  network 172.22.0.0 mask 255.255.0.0
  network 172.23.0.0 mask 255.255.0.0
 address-family ipv6
  network 2001:dbc::/32
  network 2001:dbd::/32
  network 2001:dbe::/32
  network 2001:dbf::/32
!
ip route 172.20.0.0 255.255.0.0 null0
ip route 172.21.0.0 255.255.0.0 null0
ip route 172.22.0.0 255.255.0.0 null0
ip route 172.23.0.0 255.255.0.0 null0
!
ipv6 route 2001:dbc::/32 null0
ipv6 route 2001:dbd::/32 null0
ipv6 route 2001:dbe::/32 null0
ipv6 route 2001:dbf::/32 null0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

2. Set local preference ONLY on the R&E routes (marked with
   the R&E community) learned from the NREN. Notice that
   your NREN is also passing you the communities set by
   the regional REN, so you need to match either one.

   Also notice that we do not set the local preference on the
   prefixes originated by our direct peers.

R11:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ip bgp-community new-format
!
ip as-path access-list 1 permit _20$
ip as-path access-list 1 permit _101$
ip as-path access-list 1 permit _201$
!
ip community-list 1 permit 100:99
ip community-list 1 permit 101:99
!
route-map set-local-pref permit 10
 match as-path 1
 continue 30
route-map set-local-pref permit 20
 match community 1
 set local-preference 150
route-map set-local-pref permit 30
!
router bgp 10
 address-family ipv4
  neighbor 10.101.254.1 route-map set-local-pref in
 address-family ipv6
  neighbor fd00:101:fe:: route-map set-local-pref in
!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Refresh to/from your neighbors:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
clear ip bgp * in
clear ip bgp * out
clear bgp ipv6 unicast * in
clear bgp ipv6 unicast * out
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Verify that communities are being set and transmitted:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
R11#show ip bgp 10.20.0.0
R11#show ip bgp 10.40.0.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Check your BGP routes again.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
show ip bgp
show ip route
show bgp ipv6 unicast
show ipv6 route
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The result should be that you now prefer the NREN path for any
prefix originated by an R&E member. For all other prefixes,
including the ones from the commercial Internet, your routers
will choose based on BGP defaults.
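
As an added illustration (not part of the original lab, and not router code), the Python sketch below models R11's `set-local-pref` route map and a simplified path selection that compares only local preference and then AS path length. It shows why the direct-peer exemption from the Local Preference section and the community match above give the intended result. The routes in `TABLE`, their AS paths and the `learned_from` labels are constructed for the example.

```python
import re
from dataclasses import dataclass, replace

DEFAULT_LOCAL_PREF = 100  # Cisco IOS default when no policy sets one

@dataclass(frozen=True)
class Route:
    prefix: str
    learned_from: str          # "NREN", "ISP" or "PEER": labels for this example only
    as_path: tuple
    communities: frozenset = frozenset()
    local_pref: int = DEFAULT_LOCAL_PREF

def ios_aspath_regex(pattern):
    """In IOS AS-path regexes '_' matches a delimiter or the start/end of the path."""
    return re.compile(pattern.replace("_", r"(?:^|$|[ ,{}()])"))

# ip as-path access-list 1 and ip community-list 1, as configured on R11
AS_PATH_LIST_1 = [ios_aspath_regex(p) for p in ("_20$", "_101$", "_201$")]
COMMUNITY_LIST_1 = frozenset({"100:99", "101:99"})

def matches_as_path_list(route):
    text = " ".join(str(asn) for asn in route.as_path)
    return any(rx.search(text) for rx in AS_PATH_LIST_1)

def set_local_pref_in(route):
    """route-map set-local-pref, evaluated clause by clause."""
    # permit 10: match as-path 1 / continue 30 -> jump over clause 20
    if matches_as_path_list(route):
        return route
    # permit 20: match community 1 / set local-preference 150
    if route.communities & COMMUNITY_LIST_1:
        return replace(route, local_pref=150)
    # permit 30: everything else is accepted unchanged
    return route

def naive_lpref_in(route):
    """First version of set-lpref: local preference 150 on every NREN route."""
    return replace(route, local_pref=150)

def best_path(routes):
    """Simplified selection: highest local preference, then shortest AS path."""
    return min(routes, key=lambda r: (-r.local_pref, len(r.as_path)))

def select(prefix, table, nren_policy):
    """Apply the inbound policy to NREN-learned routes, then pick the best path."""
    candidates = [nren_policy(r) if r.learned_from == "NREN" else r
                  for r in table if r.prefix == prefix]
    return best_path(candidates)

# Constructed routes as AS10 might see them; the AS paths are assumptions.
TABLE = [
    Route("10.20.0.0/16", "PEER", (20,)),
    Route("10.20.0.0/16", "NREN", (101, 20), frozenset({"101:99"})),
    Route("10.40.0.0/16", "NREN", (101, 100, 102, 40), frozenset({"100:99"})),
    Route("10.40.0.0/16", "ISP", (201, 202, 40)),
    Route("172.20.0.0/16", "NREN", (101, 100, 102, 202)),
    Route("172.20.0.0/16", "ISP", (201, 202)),
]

if __name__ == "__main__":
    for name, policy in (("lpref on all NREN routes", naive_lpref_in),
                         ("as-path + community route-map", set_local_pref_in)):
        print(name)
        for prefix in ("10.20.0.0/16", "10.40.0.0/16", "172.20.0.0/16"):
            best = select(prefix, TABLE, policy)
            print(f"  {prefix:15} via {best.learned_from:4} "
                  f"lpref={best.local_pref} path={best.as_path}")
```

With local preference on every NREN route, even the directly peered AS20 prefix is reached through the NREN; with the final route map it goes direct, the R&E prefix still prefers the NREN, and the commodity prefix falls back to AS path length.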

# Multihoming with Partial Routes and Defaults

Another way to load-balance outbound traffic in our multihoming setup
is to play with partial routing tables and default routes.
The idea is that our routers will prefer the more specific R&E routes
coming from the NREN, and the rest of the outgoing traffic will use the
ISP. Only if the ISP fails will our non-R&E traffic leave through the NREN.
Similarly, if the NREN link fails, the ISP will route all our
outbound traffic.

This has the advantage of reducing our routing table size, and
therefore convergence time. The disadvantage is that we may
not always follow the best paths, but it might be a good
compromise.

We are going to ask the NREN to only send us R&E routes, plus
the default route:

NREN1:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ip community-list 1 permit 100:99
ip community-list 1 permit 101:99
!
route-map send-RE-only permit 10
 match community 1
!
router bgp 101
 address-family ipv4
  no neighbor 10.101.254.2 send-community
  no neighbor 10.101.254.6 send-community
  no neighbor 10.101.254.10 send-community
  neighbor 10.101.254.2 route-map send-RE-only out
  neighbor 10.101.254.2 default-originate
  neighbor 10.101.254.6 route-map send-RE-only out
  neighbor 10.101.254.6 default-originate
  neighbor 10.101.254.10 route-map send-RE-only out
  neighbor 10.101.254.10 default-originate
 address-family ipv6
  no neighbor fd00:101:fe::1 send-community
  no neighbor fd00:101:fe::3 send-community
  no neighbor fd00:101:fe::5 send-community
  neighbor fd00:101:fe::1 route-map send-RE-only out
  neighbor fd00:101:fe::1 default-originate
  neighbor fd00:101:fe::3 route-map send-RE-only out
  neighbor fd00:101:fe::3 default-originate
  neighbor fd00:101:fe::5 route-map send-RE-only out
  neighbor fd00:101:fe::5 default-originate
!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NREN2:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ip community-list 1 permit 100:99
ip community-list 1 permit 102:99
!
route-map send-RE-only permit 10
 match community 1
!
router bgp 102
 address-family ipv4
  no neighbor 10.102.254.2 send-community
  no neighbor 10.102.254.6 send-community
  no neighbor 10.102.254.10 send-community
  neighbor 10.102.254.2 route-map send-RE-only out
  neighbor 10.102.254.2 default-originate
  neighbor 10.102.254.6 route-map send-RE-only out
  neighbor 10.102.254.6 default-originate
  neighbor 10.102.254.10 route-map send-RE-only out
  neighbor 10.102.254.10 default-originate
 address-family ipv6
  no neighbor fd00:102:fe::1 send-community
  no neighbor fd00:102:fe::3 send-community
  no neighbor fd00:102:fe::5 send-community
  neighbor fd00:102:fe::1 route-map send-RE-only out
  neighbor fd00:102:fe::1 default-originate
  neighbor fd00:102:fe::3 route-map send-RE-only out
  neighbor fd00:102:fe::3 default-originate
  neighbor fd00:102:fe::5 route-map send-RE-only out
  neighbor fd00:102:fe::5 default-originate
!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Similarly, we will ask the ISP to only send us a default
route:

ISP1:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ip prefix-list default permit 0.0.0.0/0
ipv6 prefix-list ipv6-default permit ::/0
!
router bgp 201
 address-family ipv4
  neighbor 10.201.254.2 default-originate
  neighbor 10.201.254.2 prefix-list default out
  neighbor 10.201.254.6 default-originate
  neighbor 10.201.254.6 prefix-list default out
  neighbor 10.201.254.10 default-originate
  neighbor 10.201.254.10 prefix-list default out
 address-family ipv6
  neighbor FD00:201:FE::1 default-originate
  neighbor FD00:201:FE::1 prefix-list ipv6-default out
  neighbor FD00:201:FE::3 default-originate
  neighbor FD00:201:FE::3 prefix-list ipv6-default out
  neighbor FD00:201:FE::5 default-originate
  neighbor FD00:201:FE::5 prefix-list ipv6-default out
!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ISP2:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ip prefix-list default permit 0.0.0.0/0
ipv6 prefix-list ipv6-default permit ::/0
!
router bgp 202
 address-family ipv4
  neighbor 10.202.254.2 default-originate
  neighbor 10.202.254.2 prefix-list default out
  neighbor 10.202.254.6 default-originate
  neighbor 10.202.254.6 prefix-list default out
  neighbor 10.202.254.10 default-originate
  neighbor 10.202.254.10 prefix-list default out
 address-family ipv6
  neighbor FD00:202:FE::1 default-originate
  neighbor FD00:202:FE::1 prefix-list ipv6-default out
  neighbor FD00:202:FE::3 default-originate
  neighbor FD00:202:FE::3 prefix-list ipv6-default out
  neighbor FD00:202:FE::5 default-originate
  neighbor FD00:202:FE::5 prefix-list ipv6-default out
!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Check what you are now receiving from your NREN and
your ISP:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
R11#show ip bgp neighbors 10.101.254.1 routes
R11#show bgp ipv6 uni neighbors fd00:101:fe:: routes
R11#show ip route 0.0.0.0 0.0.0.0
R11#show ipv6 route ::/0

R12#show ip bgp neighbors 10.201.254.1 routes
R12#show bgp ipv6 uni neighbors fd00:201:fe:: routes
R12#show ip route 0.0.0.0 0.0.0.0
R12#show ipv6 route ::/0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

At this point you should see that each of your routers
has a default route pointing to its upstream peer. This
is an OK situation. But let's say that we want the ISP
to handle all the non-R&E outbound traffic.

Configure your RX2 router to assign a higher local preference
to the default announced by the ISP:

R12:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ip prefix-list default permit 0.0.0.0/0
ipv6 prefix-list ipv6-default permit ::/0
!
route-map set-lpref-default permit 10
 match ip address prefix-list default
 set local-preference 150
!
! The IPv6 route-map must use "match ipv6 address" to reference
! the IPv6 prefix list
route-map set-lpref-ipv6-default permit 10
 match ipv6 address prefix-list ipv6-default
 set local-preference 150
!
router bgp 10
 address-family ipv4
  neighbor 10.201.254.1 route-map set-lpref-default in
 address-family ipv6
  neighbor fd00:201:fe:: route-map set-lpref-ipv6-default in
!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Check your default route on both routers:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
show ip bgp 0.0.0.0 0.0.0.0
show ip route 0.0.0.0 0.0.0.0

show bgp ipv6 uni ::/0
show ipv6 route ::/0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Also, check your BGP routing table. Has it shrunk?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
show ip bgp
show bgp ipv6 unicast
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~