Agenda: lab-bgp-policy.txt

File lab-bgp-policy.txt, 25.2 KB (added by pokui, 6 years ago)

BGP Policy Lab (TXT)

% Advanced Routing Workshop
% BGP Policy Lab

![Multi-homed Topology](ex3-1.png)

\pagebreak

# Introduction

The purpose of this exercise is to:

* Apply the concepts of BGP policy learned in class
  to achieve the desired traffic patterns, particularly
  in an academic environment.
* Learn how to use Local Preference, BGP Communities, AS Path
  Prepending and related BGP operational commands.

# Pre-requisites

This exercise builds upon the configurations implemented in
the basic BGP routing lab. You must:

* Verify that all your BGP sessions are up
* Be able to see every lab prefix in your routing table
* Be able to ping and traceroute successfully to any other router
  in the lab.

**Remember, all the above applies to both IPv4 and IPv6.**

# Routing Policy in academic networks

Research and Education Networks (RENs) are designed for high throughput
and low latency. In many cases their links are also subsidized by
governments and other organizations. Therefore, it is common in academic
environments to want to apply routing policies that prefer these paths
over the "commodity" (commercial) ones.

# Local Preference

Our first goal is to configure our routers to prefer the paths
via the NREN for outgoing traffic to ALL destinations.

1. Use the Local Preference attribute to prefer all routes learned
   via the NREN:

R11:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
route-map set-lpref permit 10
 set local-preference 150
route-map set-lpref permit 20
!
router bgp 10
 address-family ipv4
  neighbor 10.101.254.1 route-map set-lpref in
 address-family ipv6
  neighbor fd00:101:fe:: route-map set-lpref in
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


R12:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
route-map set-lpref permit 10
 set local-preference 50
route-map set-lpref permit 20
!
router bgp 10
 address-family ipv4
  neighbor 10.201.254.1 route-map set-lpref in
 address-family ipv6
  neighbor fd00:201:fe:: route-map set-lpref in
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

What is the default local preference in Cisco IOS?
Notice that we are setting a higher preference on the NREN
side, and a lower preference on the ISP side. Can you think
of a reason why this could be useful?

Check your BGP routes. The next hop should be the P2P
address of your NREN's router (except for your own prefix).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
show ip bgp
show bgp ipv6 unicast
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

All good now, right?

Wait!... What about the prefixes of ASs with whom
you are peering directly? Remember the path selection algorithm?
What comes first, highest local preference or shortest AS path?

2. Modify the route map to apply a higher local preference
   attribute to prefixes originated by your direct peers.

*Notice the AS path access list. How does it work?*


R11:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ip as-path access-list 1 permit ^[0-9]+$
!
no route-map set-lpref
!
route-map set-lpref permit 10
 match as-path 1
 set local-preference 200
route-map set-lpref permit 20
 set local-preference 150
route-map set-lpref permit 30
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Notice that we need to also apply the route-map to the bi-lateral
peering.

R12:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ip as-path access-list 1 permit ^[0-9]+$
!
no route-map set-lpref
!
route-map set-lpref permit 10
 match as-path 1
 set local-preference 200
route-map set-lpref permit 20
 set local-preference 50
route-map set-lpref permit 30
!
router bgp 10
 address-family ipv4
  neighbor 10.10.254.6 route-map set-lpref in
 address-family ipv6
  neighbor fd00:10:fe::3 route-map set-lpref in
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Use BGP refresh to make sure that the policies are applied:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
clear ip bgp * in
clear ip bgp * out
clear bgp ipv6 unicast * in
clear bgp ipv6 unicast * out
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Check your BGP routes again. What is the next hop towards your direct
peers' prefixes? (Hint: the path should be direct!)

3. STOP - Checkpoint

All groups must finish this part before continuing. Do NOT continue
until the instructor says so.

# Path Prepending

At this point we have influenced outbound traffic only. Now we want to
influence the traffic *coming in* to our AS. We want traffic to come
to us via the R&E networks as much as possible.

In the case of this lab, every other group is already preferring the
NREN link for their outgoing traffic. For groups connected to your
same NREN, the traffic towards you will NOT go via the commodity
(commercial) Internet. However, this is not the case for groups
connected to other NRENs.

To see this, check your paths towards groups NOT connected to your
NREN. For example, from AS10:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
R11# show ip bgp 10.40.0.0
R11# traceroute 10.40.255.1
R11# show bgp ipv6 unicast fd00:40::/32
R11# traceroute fd00:40:ff::1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Notice that the traffic leaves via the R&E networks, but then enters
AS40 through their commercial ISP.

The same happens with traffic coming back to you from other NRENs.
How can you influence their path selection so that traffic towards
you enters via your NREN?

We will now use a technique called AS path prepending, which consists
of adding extra "fake" hops to a path by repeating our own ASN in it.

1. Prepend your AS number twice in the path announced to your ISP:

R12:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ip prefix-list AS10-prefix permit 10.10.0.0/16
!
route-map set-prepend permit 100
 match ip address prefix-list AS10-prefix
 set as-path prepend 10 10
route-map set-prepend permit 200
!
ipv6 prefix-list ipv6-AS10-prefix permit fd00:10::/32
!
route-map ipv6-set-prepend permit 100
 match ipv6 address prefix-list ipv6-AS10-prefix
 set as-path prepend 10 10
route-map ipv6-set-prepend permit 200
!
router bgp 10
 address-family ipv4
  neighbor 10.201.254.1 route-map set-prepend out
 address-family ipv6
  neighbor fd00:201:fe:: route-map ipv6-set-prepend out
!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Use BGP refresh to re-announce your prefix to the ISP:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
R12# clear ip bgp 10.201.254.1 out
R12# clear bgp ipv6 unicast fd00:201:fe:: out
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Ask remote groups (connected to the other NRENs) to verify that
their paths towards you do not traverse the commercial ISPs.

2. STOP - Checkpoint

All groups must finish this part before continuing. Do NOT continue
until the instructor says so.

# BGP Communities

Now let's reflect on our initial outbound policy. Since our NREN
carries commodity Internet prefixes in addition to R&E prefixes,
we decided to use the Local Preference attribute to send
*everything* via the NREN.

In reality this may not be optimal, because the NREN may not
always have the best paths towards the rest of the Internet and also
because we're not taking advantage of our dual connections
to load-balance our outbound traffic.

What we really need is a way to tell *which prefixes are originated
from the R&E community*, so that we prefer the NREN link when sending
to *those* prefixes only, and let the rest be decided by the regular
BGP selection process. This is where BGP communities are useful.

1. Remove the configurations from the Local Preference section.
   Notice the correct order in which this should be done (hint:
   do not remove something if it's still referenced by something
   else):

R11:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
router bgp 10
 address-family ipv4
  no neighbor 10.101.254.1 route-map set-lpref in
 address-family ipv6
  no neighbor fd00:101:fe:: route-map set-lpref in
!
no route-map set-lpref
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

*Remember to do the equivalent thing on the other router.*

RENs use BGP communities (basically tags) to mark groups of routes
together as a unit, which makes it easier for their members to
apply policies to those groups of routes.

In this particular case, the NRENs carry research and education
(R&E) routes, as well as commercial Internet routes. The R&E
routes are marked with a special community (99) as they are
received from each customer. Also, the NREN passes those communities
on to other customers and to the RREN.

Notice that the NRENs and the RREN also use the communities to
set a higher local preference value, in order to prefer the R&E paths.
This is because they also can learn those prefixes via the ISPs with
whom they peer.

NREN1:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ip bgp-community new-format
!
route-map set-RE-comm permit 10
 set community 101:99
route-map set-RE-comm permit 20
!
ip community-list 1 permit 100:99
!
route-map set-RE-lpref permit 10
 match community 1
 set local-preference 150
route-map set-RE-lpref permit 20
!
router bgp 101
 address-family ipv4
  neighbor 10.101.254.2 send-community
  neighbor 10.101.254.2 route-map set-RE-comm in
  neighbor 10.101.254.6 send-community
  neighbor 10.101.254.6 route-map set-RE-comm in
  neighbor 10.101.254.10 send-community
  neighbor 10.101.254.10 route-map set-RE-comm in
  neighbor 10.100.254.1 send-community
  neighbor 10.100.254.1 route-map set-RE-lpref in
 address-family ipv6
  neighbor fd00:101:fe::1 send-community
  neighbor fd00:101:fe::1 route-map set-RE-comm in
  neighbor fd00:101:fe::3 send-community
  neighbor fd00:101:fe::3 route-map set-RE-comm in
  neighbor fd00:101:fe::5 send-community
  neighbor fd00:101:fe::5 route-map set-RE-comm in
  neighbor fd00:100:fe:: send-community
  neighbor fd00:100:fe:: route-map set-RE-lpref in
!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NREN2:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ip bgp-community new-format
!
route-map set-RE-comm permit 10
 set community 102:99
route-map set-RE-comm permit 20
!
ip community-list 1 permit 100:99
!
route-map set-RE-lpref permit 10
 match community 1
 set local-preference 150
route-map set-RE-lpref permit 20
!
router bgp 102
 address-family ipv4
  neighbor 10.102.254.2 send-community
  neighbor 10.102.254.2 route-map set-RE-comm in
  neighbor 10.102.254.6 send-community
  neighbor 10.102.254.6 route-map set-RE-comm in
  neighbor 10.102.254.10 send-community
  neighbor 10.102.254.10 route-map set-RE-comm in
  neighbor 10.100.254.5 send-community
  neighbor 10.100.254.5 route-map set-RE-lpref in
 address-family ipv6
  neighbor fd00:102:fe::1 send-community
  neighbor fd00:102:fe::1 route-map set-RE-comm in
  neighbor fd00:102:fe::3 send-community
  neighbor fd00:102:fe::3 route-map set-RE-comm in
  neighbor fd00:102:fe::5 send-community
  neighbor fd00:102:fe::5 route-map set-RE-comm in
  neighbor fd00:100:fe::2 send-community
  neighbor fd00:100:fe::2 route-map set-RE-lpref in
!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The regional REN (RREN) connects multiple NRENs, so they
replace communities in the R&E routes learned from NRENs
with their own community:

RREN:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ip bgp-community new-format
!
ip community-list 1 permit 101:99
ip community-list 1 permit 102:99
!
route-map set-RE-comm-in permit 10
 match community 1
 set community 100:99 additive
 set local-preference 150
route-map set-RE-comm-in permit 20
!
router bgp 100
 address-family ipv4
  neighbor 10.100.254.2 send-community
  neighbor 10.100.254.2 route-map set-RE-comm-in in
  neighbor 10.100.254.6 send-community
  neighbor 10.100.254.6 route-map set-RE-comm-in in
 address-family ipv6
  neighbor fd00:100:fe::1 send-community
  neighbor fd00:100:fe::1 route-map set-RE-comm-in in
  neighbor fd00:100:fe::3 send-community
  neighbor fd00:100:fe::3 route-map set-RE-comm-in in
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ISPs will announce additional prefixes to represent the
rest of the commodity Internet. Notice that we are prepending
"fake" ASNs so that they do not appear to be originated by the ISP.

ISP1:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ip prefix-list v4-commodity-1 permit 172.16.0.0/16
ip prefix-list v4-commodity-2 permit 172.17.0.0/16
ip prefix-list v4-commodity-3 permit 172.18.0.0/16
ip prefix-list v4-commodity-4 permit 172.19.0.0/16

ipv6 prefix-list v6-commodity-1 permit 2001:db8::/32
ipv6 prefix-list v6-commodity-2 permit 2001:db9::/32
ipv6 prefix-list v6-commodity-3 permit 2001:dba::/32
ipv6 prefix-list v6-commodity-4 permit 2001:dbb::/32

! One fake origin ASN per commodity prefix; the last clause passes everything else
route-map set-prepend-commodity permit 10
 match ip address prefix-list v4-commodity-1
 set as-path prepend 65001
route-map set-prepend-commodity permit 20
 match ip address prefix-list v4-commodity-2
 set as-path prepend 65002
route-map set-prepend-commodity permit 30
 match ip address prefix-list v4-commodity-3
 set as-path prepend 65003
route-map set-prepend-commodity permit 40
 match ip address prefix-list v4-commodity-4
 set as-path prepend 65004
route-map set-prepend-commodity permit 50
 match ipv6 address prefix-list v6-commodity-1
 set as-path prepend 65001
route-map set-prepend-commodity permit 60
 match ipv6 address prefix-list v6-commodity-2
 set as-path prepend 65002
route-map set-prepend-commodity permit 70
 match ipv6 address prefix-list v6-commodity-3
 set as-path prepend 65003
route-map set-prepend-commodity permit 80
 match ipv6 address prefix-list v6-commodity-4
 set as-path prepend 65004
route-map set-prepend-commodity permit 90

router bgp 201
 address-family ipv4
  network 172.16.0.0 mask 255.255.0.0
  network 172.17.0.0 mask 255.255.0.0
  network 172.18.0.0 mask 255.255.0.0
  network 172.19.0.0 mask 255.255.0.0
  neighbor 10.201.254.2 route-map set-prepend-commodity out
  neighbor 10.201.254.6 route-map set-prepend-commodity out
  neighbor 10.201.254.10 route-map set-prepend-commodity out
  neighbor 10.101.254.13 route-map set-prepend-commodity out
  neighbor 10.251.1.2 route-map set-prepend-commodity out
  neighbor 10.251.1.3 route-map set-prepend-commodity out
 address-family ipv6
  network 2001:db8::/32
  network 2001:db9::/32
  network 2001:dba::/32
  network 2001:dbb::/32
  neighbor fd00:101:fe::6 route-map set-prepend-commodity out
  neighbor fd00:201:fe::1 route-map set-prepend-commodity out
  neighbor fd00:201:fe::3 route-map set-prepend-commodity out
  neighbor fd00:201:fe::5 route-map set-prepend-commodity out
  neighbor fd00:251:1::2 route-map set-prepend-commodity out
  neighbor fd00:251:1::3 route-map set-prepend-commodity out
!
! Null routes so that the network statements have a matching route to announce
ip route 172.16.0.0 255.255.0.0 null0
ip route 172.17.0.0 255.255.0.0 null0
ip route 172.18.0.0 255.255.0.0 null0
ip route 172.19.0.0 255.255.0.0 null0
!
ipv6 route 2001:db8::/32 null0
ipv6 route 2001:db9::/32 null0
ipv6 route 2001:dba::/32 null0
ipv6 route 2001:dbb::/32 null0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ISP2:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ip prefix-list v4-commodity-1 permit 172.20.0.0/16
ip prefix-list v4-commodity-2 permit 172.21.0.0/16
ip prefix-list v4-commodity-3 permit 172.22.0.0/16
ip prefix-list v4-commodity-4 permit 172.23.0.0/16

ipv6 prefix-list v6-commodity-1 permit 2001:dbc::/32
ipv6 prefix-list v6-commodity-2 permit 2001:dbd::/32
ipv6 prefix-list v6-commodity-3 permit 2001:dbe::/32
ipv6 prefix-list v6-commodity-4 permit 2001:dbf::/32

! One fake origin ASN per commodity prefix; the last clause passes everything else
route-map set-prepend-commodity permit 10
 match ip address prefix-list v4-commodity-1
 set as-path prepend 65005
route-map set-prepend-commodity permit 20
 match ip address prefix-list v4-commodity-2
 set as-path prepend 65006
route-map set-prepend-commodity permit 30
 match ip address prefix-list v4-commodity-3
 set as-path prepend 65007
route-map set-prepend-commodity permit 40
 match ip address prefix-list v4-commodity-4
 set as-path prepend 65008
route-map set-prepend-commodity permit 50
 match ipv6 address prefix-list v6-commodity-1
 set as-path prepend 65005
route-map set-prepend-commodity permit 60
 match ipv6 address prefix-list v6-commodity-2
 set as-path prepend 65006
route-map set-prepend-commodity permit 70
 match ipv6 address prefix-list v6-commodity-3
 set as-path prepend 65007
route-map set-prepend-commodity permit 80
 match ipv6 address prefix-list v6-commodity-4
 set as-path prepend 65008
route-map set-prepend-commodity permit 90

router bgp 202
 address-family ipv4
  network 172.20.0.0 mask 255.255.0.0
  network 172.21.0.0 mask 255.255.0.0
  network 172.22.0.0 mask 255.255.0.0
  network 172.23.0.0 mask 255.255.0.0
  neighbor 10.202.254.2 route-map set-prepend-commodity out
  neighbor 10.202.254.6 route-map set-prepend-commodity out
  neighbor 10.202.254.10 route-map set-prepend-commodity out
  neighbor 10.102.254.14 route-map set-prepend-commodity out
  neighbor 10.251.1.1 route-map set-prepend-commodity out
  neighbor 10.251.1.3 route-map set-prepend-commodity out
 address-family ipv6
  network 2001:dbc::/32
  network 2001:dbd::/32
  network 2001:dbe::/32
  network 2001:dbf::/32
  neighbor fd00:102:fe::7 route-map set-prepend-commodity out
  neighbor fd00:202:fe::1 route-map set-prepend-commodity out
  neighbor fd00:202:fe::3 route-map set-prepend-commodity out
  neighbor fd00:202:fe::5 route-map set-prepend-commodity out
  neighbor fd00:251:1::1 route-map set-prepend-commodity out
  neighbor fd00:251:1::3 route-map set-prepend-commodity out
!
! Null routes so that the network statements have a matching route to announce
ip route 172.20.0.0 255.255.0.0 null0
ip route 172.21.0.0 255.255.0.0 null0
ip route 172.22.0.0 255.255.0.0 null0
ip route 172.23.0.0 255.255.0.0 null0
!
ipv6 route 2001:dbc::/32 null0
ipv6 route 2001:dbd::/32 null0
ipv6 route 2001:dbe::/32 null0
ipv6 route 2001:dbf::/32 null0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

2. Set local preference ONLY on the R&E routes (marked with
   the R&E community) learned from the NREN. Notice that
   your NREN is also passing you the communities set by
   the regional REN, so you need to match either one.

   Also notice that we still need to set a higher local
   preference on the prefixes originated by our direct peers.

R11:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ip bgp-community new-format
!
ip as-path access-list 1 permit ^[0-9]+$
!
ip community-list 1 permit 100:99
ip community-list 1 permit 101:99
!
no route-map set-lpref
!
route-map set-lpref permit 10
 match as-path 1
 set local-preference 200
route-map set-lpref permit 20
 match community 1
 set local-preference 150
route-map set-lpref permit 30
!
router bgp 10
 address-family ipv4
  neighbor 10.101.254.1 route-map set-lpref in
 address-family ipv6
  neighbor fd00:101:fe:: route-map set-lpref in
!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Refresh to/from your neighbors:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
clear ip bgp * in
clear ip bgp * out
clear bgp ipv6 unicast * in
clear bgp ipv6 unicast * out
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Verify that communities are being set and transmitted:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
R11#show ip bgp 10.20.0.0
R11#show ip bgp 10.40.0.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Check your BGP routes again.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
show ip bgp
show ip route
show bgp ipv6 unicast
show ipv6 route
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The result should be that you now prefer the NREN path for any
prefix originated by an R&E member. For all other prefixes,
including the ones from the commercial Internet, your routers
will choose based on BGP defaults.
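
The policies from the Local Preference, Path Prepending and BGP Communities sections can be traced offline with the added example below, which is not part of the original lab material. It models R11's final `set-lpref` route-map and the first two best-path steps over constructed routes; AS20 as the direct peer, the transit ASNs in each path and all function names are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

DEFAULT_LOCAL_PREF = 100  # Cisco IOS default when no policy sets a value

# ip as-path access-list 1 permit ^[0-9]+$ : the whole path is a single ASN,
# i.e. the route was originated by the neighbor that announced it.
DIRECT_PEER_PATH = re.compile(r"^[0-9]+$")
# ip community-list 1 on R11: R&E tags set by the RREN (100:99) and NREN1 (101:99)
RE_COMMUNITIES = {"100:99", "101:99"}


@dataclass
class Route:
    via: str                      # label for the neighbor the path was learned from
    as_path: list                 # ASNs in received order, nearest AS first
    communities: set = field(default_factory=set)
    local_pref: int = DEFAULT_LOCAL_PREF


def set_lpref(route):
    """Inbound route-map set-lpref as configured on R11 in the communities step."""
    path_text = " ".join(str(asn) for asn in route.as_path)
    if DIRECT_PEER_PATH.search(path_text):       # permit 10: match as-path 1
        route.local_pref = 200
    elif route.communities & RE_COMMUNITIES:     # permit 20: match community 1
        route.local_pref = 150
    # permit 30: empty clause, route accepted with its preference unchanged
    return route


def best_path(candidates):
    """Highest local preference first, then shortest AS path.

    Only the two decision steps this lab exercises; weight and the later
    tie-breakers are left out.
    """
    return max(candidates, key=lambda r: (r.local_pref, -len(r.as_path)))


def announce(origin_as, prepend_count, transit):
    """AS path a remote AS receives after `set as-path prepend` at the origin."""
    return list(transit) + [origin_as] * (1 + prepend_count)


def as10_choice(paths):
    """Apply R11's inbound policy to every candidate and return the winner's label."""
    return best_path([set_lpref(p) for p in paths]).via


def sample_paths():
    """Constructed routes as AS10 would receive them (topology details assumed)."""
    return {
        "10.20.0.0/16": [Route("NREN1", [101, 20], {"101:99"}),
                         Route("peer", [20])],
        "10.40.0.0/16": [Route("NREN1", [101, 100, 102, 40], {"102:99", "100:99"}),
                         Route("ISP1", [201, 202, 40])],
        "172.16.0.0/16": [Route("NREN1", [101, 201, 65001]),
                          Route("ISP1", [201, 65001])],
    }


def remote_choice(prepend_count):
    """Which way an AS with default preferences sends traffic to 10.10.0.0/16."""
    commodity = Route("commodity", announce(10, prepend_count, [202, 201]))
    research = Route("R&E", announce(10, 0, [102, 100, 101]))
    return best_path([commodity, research]).via


if __name__ == "__main__":
    for prefix, paths in sample_paths().items():
        print(prefix, "->", as10_choice(paths))
    print("remote AS, no prepend:", remote_choice(0))
    print("remote AS, prepend 10 10:", remote_choice(2))
```

A path consisting only of `201` would match the as-path list and receive local preference 200, so the fake origin ASNs on the ISPs' commodity prefixes keep those routes out of the direct-peer clause.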

# Multihoming with Partial Routes and Defaults

Another way to load-balance outbound traffic in our multihoming setup
is to play with partial routing tables and default routes.
The idea is that our routers will prefer the more specific R&E routes
coming from the NREN, and the rest of the outgoing traffic will use the
ISP. Only if the ISP fails will our non-R&E traffic leave through the NREN.
Similarly, if the NREN link fails, the ISP will route all our
outbound traffic.

This has the advantage of reducing our routing table size, and
therefore memory requirements and convergence time. The disadvantage
is that we may not always follow the best paths, but it might be a good
compromise.

R11: Remove the route-map from the previous step.

We are going to ask the NREN to only send us R&E routes, plus
the default route:

NREN1:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ip community-list 1 permit 100:99
ip community-list 1 permit 101:99
!
route-map send-RE-only permit 10
 match community 1
!
router bgp 101
 address-family ipv4
  no neighbor 10.101.254.2 send-community
  no neighbor 10.101.254.6 send-community
  no neighbor 10.101.254.10 send-community
  neighbor 10.101.254.2 route-map send-RE-only out
  neighbor 10.101.254.2 default-originate
  neighbor 10.101.254.6 route-map send-RE-only out
  neighbor 10.101.254.6 default-originate
  neighbor 10.101.254.10 route-map send-RE-only out
  neighbor 10.101.254.10 default-originate
 address-family ipv6
  no neighbor fd00:101:fe::1 send-community
  no neighbor fd00:101:fe::3 send-community
  no neighbor fd00:101:fe::5 send-community
  neighbor fd00:101:fe::1 route-map send-RE-only out
  neighbor fd00:101:fe::1 default-originate
  neighbor fd00:101:fe::3 route-map send-RE-only out
  neighbor fd00:101:fe::3 default-originate
  neighbor fd00:101:fe::5 route-map send-RE-only out
  neighbor fd00:101:fe::5 default-originate
!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NREN2:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ip community-list 1 permit 100:99
ip community-list 1 permit 102:99
!
route-map send-RE-only permit 10
 match community 1
!
router bgp 102
 address-family ipv4
  no neighbor 10.102.254.2 send-community
  no neighbor 10.102.254.6 send-community
  no neighbor 10.102.254.10 send-community
  neighbor 10.102.254.2 route-map send-RE-only out
  neighbor 10.102.254.2 default-originate
  neighbor 10.102.254.6 route-map send-RE-only out
  neighbor 10.102.254.6 default-originate
  neighbor 10.102.254.10 route-map send-RE-only out
  neighbor 10.102.254.10 default-originate
 address-family ipv6
  no neighbor fd00:102:fe::1 send-community
  no neighbor fd00:102:fe::3 send-community
  no neighbor fd00:102:fe::5 send-community
  neighbor fd00:102:fe::1 route-map send-RE-only out
  neighbor fd00:102:fe::1 default-originate
  neighbor fd00:102:fe::3 route-map send-RE-only out
  neighbor fd00:102:fe::3 default-originate
  neighbor fd00:102:fe::5 route-map send-RE-only out
  neighbor fd00:102:fe::5 default-originate
!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Similarly, we will ask the ISP to only send us a default
route:


ISP1:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ip prefix-list default permit 0.0.0.0/0
ipv6 prefix-list ipv6-default permit ::/0
!
router bgp 201
 address-family ipv4
  neighbor 10.201.254.2 default-originate
  neighbor 10.201.254.2 prefix-list default out
  neighbor 10.201.254.6 default-originate
  neighbor 10.201.254.6 prefix-list default out
  neighbor 10.201.254.10 default-originate
  neighbor 10.201.254.10 prefix-list default out
 address-family ipv6
  neighbor FD00:201:FE::1 default-originate
  neighbor FD00:201:FE::1 prefix-list ipv6-default out
  neighbor FD00:201:FE::3 default-originate
  neighbor FD00:201:FE::3 prefix-list ipv6-default out
  neighbor FD00:201:FE::5 default-originate
  neighbor FD00:201:FE::5 prefix-list ipv6-default out
!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ISP2:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ip prefix-list default permit 0.0.0.0/0
ipv6 prefix-list ipv6-default permit ::/0
!
router bgp 202
 address-family ipv4
  neighbor 10.202.254.2 default-originate
  neighbor 10.202.254.2 prefix-list default out
  neighbor 10.202.254.6 default-originate
  neighbor 10.202.254.6 prefix-list default out
  neighbor 10.202.254.10 default-originate
  neighbor 10.202.254.10 prefix-list default out
 address-family ipv6
  neighbor FD00:202:FE::1 default-originate
  neighbor FD00:202:FE::1 prefix-list ipv6-default out
  neighbor FD00:202:FE::3 default-originate
  neighbor FD00:202:FE::3 prefix-list ipv6-default out
  neighbor FD00:202:FE::5 default-originate
  neighbor FD00:202:FE::5 prefix-list ipv6-default out
!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Check what you are now receiving from your NREN and
your ISP:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
R11#show ip bgp neighbors 10.101.254.1 routes
R11#show bgp ipv6 uni neighbors fd00:101:fe:: routes
R11#show ip route 0.0.0.0 0.0.0.0
R11#show ipv6 route ::/0

R12#show ip bgp neighbors 10.201.254.1 routes
R12#show bgp ipv6 uni neighbors fd00:201:fe:: routes
R12#show ip route 0.0.0.0 0.0.0.0
R12#show ipv6 route ::/0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

At this point you should see that each of your routers
has a default route pointing to its upstream peer. This
is an OK situation. But let's say that we want the ISP
to handle all the non-R&E outbound traffic.

Configure your RX2 router to assign a higher local preference
to the default announced by the ISP:

R12:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ip prefix-list default permit 0.0.0.0/0
ipv6 prefix-list ipv6-default permit ::/0
!
route-map set-lpref-default permit 10
 match ip address prefix-list default
 set local-preference 150
!
route-map set-lpref-ipv6-default permit 10
 match ipv6 address prefix-list ipv6-default
 set local-preference 150
!
router bgp 10
 address-family ipv4
  neighbor 10.201.254.1 route-map set-lpref-default in
 address-family ipv6
  neighbor fd00:201:fe:: route-map set-lpref-ipv6-default in
!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Check your default route on both routers:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
show ip bgp 0.0.0.0 0.0.0.0
show ip route 0.0.0.0 0.0.0.0

show bgp ipv6 uni ::/0
show ipv6 route ::/0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Also, check your BGP routing table. Has it shrunk?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
show ip bgp
show bgp ipv6 unicast
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
