Inbound BGP Traffic Shaping

Unanswered Question
Apr 26th, 2007

I am having a problem with one of my customers and the route they take to my data center.


My edge router is running full BGP with two ISPs. Typically, both ISPs have the same as-path and local preference defined; I just let BGP do the work. However, this customer's ISP has been having problems with one of my ISPs. This customer comes in on ISP A and I have been trying to get them to come in on ISP B. This customer is located on ASN 701. So in my router configuration I have a specific route map defined just for AS paths ending in 701 so I don't affect any other customers besides ones that reside on AS 701. Below is the config.



ip as-path access-list 5 permit _701$

route-map ISP-B_OUTBOUND_POLICY permit 5
 match as-path 5
 set metric 200
 set community 283312248

route-map ISP-B_OUTBOUND_POLICY permit 10
 set metric 200
 set as-path prepend 40154 40154 40154 40154 40154
 set community 283312248

route-map ISP-A_OUTBOUND_POLICY permit 10
 set metric 200
 set as-path prepend 40154 40154 40154 40154 40154

route-map ISP-B_INBOUND_POLICY permit 5
 match as-path 5
 set local-preference 150

route-map ISP-B_INBOUND_POLICY permit 10
 set local-preference 120

route-map ISP-A_INBOUND_POLICY permit 10
 set local-preference 120



After this is in place and I have done a clear ip bgp * soft, all traffic for this customer goes out ISP B (like it should) but inbound still comes in via ISP A. This configuration used to work fine and the customer would come and go over ISP B after these changes were made. The customer's ISP doesn't have a route server or looking glass for me to view the routes once I have made the changes, so that makes this situation even harder. Also, the customer is single homed with only a default route, so they cannot help troubleshoot.


One of the weird things about this is that if I change the as-path prepend and local preference for ISP A to be less desired for everything in BGP, the customer comes over ISP B just fine. Look at this config for an example that works just fine.



route-map ISP-B_OUTBOUND_POLICY permit 10
 set metric 200
 set community 283312248

route-map ISP-A_OUTBOUND_POLICY permit 10
 set metric 200
 set as-path prepend 40154 40154 40154 40154 40154

route-map ISP-B_INBOUND_POLICY permit 10
 set local-preference 120

route-map ISP-A_INBOUND_POLICY permit 10
 set local-preference 110



Like I said, after this config is in place, all traffic is shifted to ISP B and this customer comes across fine. It's just when doing the custom as-path access-list in a route map that it doesn't work. I have also tried creating an access-list for their subnet (a /18) and doing a match ip address in the route-map but that didn't help either. The downside to shifting all traffic is that ISP B is slower and many more hops for many of my customers.


Any ideas?


mohammedrafiq Fri, 04/27/2007 - 01:17

Hi,

Is it not better to have your route-map just like this for incoming traffic:


ip as-path access-list 5 permit _701$

route-map ISP-B_OUTBOUND_POLICY permit 10
 match as-path 5
 set as-path prepend 40154 40154 40154 40154 40154
 set community 283312248


Regards,

patwill66_2 Fri, 04/27/2007 - 03:25

Yes, I see what you mean here. You are saying since ISP A and ISP B are set to the same "preference", to just increase the as-path prepend for _701$ and that way my route maps will be shorter, right?


However, I end up having to tweak things somewhat frequently so having the route-map 10 in there with as-path prepends allows me to add things before or after without having to change our "match all" route-map 10.

patwill66_2 Fri, 04/27/2007 - 04:10

Here is another idea I had but I am not sure how this would work.


Would it be possible to create a prefix-list for ISP A that denied the advertisement of routes to this customer's network? That way I would only be advertising one route to 701.


I was looking at Route Views BGPlay this morning and I saw all the updates I was sending out yesterday and I was able to verify that the first two times I tried sending updates using the as-path access-list and route-map ISP-B_INBOUND_MAP 5, the routes for ASN 701 didn't change. On the third attempt, when I made changes globally for all traffic, I did see those updates take effect for 701. So I was able to confirm that using the as-path access-list didn't work this time for what I was trying to accomplish.

mohammedrafiq Fri, 04/27/2007 - 05:58

If you don't want all to be affected, it's always a good idea to match with a prefix list.


patwill66_2 Fri, 04/27/2007 - 06:44

I was thinking about the above situation and how advertisements would be made. If I used a prefix-list or as-path access-list and denied updates to the customer via my ISP A, what happens if ISP B has issues?


If I still sent advertisements via A but they were less preferred, like I tried doing yesterday, and ISP B goes down, BGP will update and the customer will then be able to route to us through ISP A. However, if I just block advertisements going to them via ISP A and my ISP B goes down, the customer cannot get to us now. Does this sound right? Maybe blocking advertisements isn't the best idea. Although it seems easier, it may leave us in a worse situation if my ISP were to have issues.

mohammedrafiq Fri, 04/27/2007 - 13:11

Hi,

When I said to use a prefix-list, I didn't mean to deny any traffic. I think you match that customer's subnet with a prefix/access list, and then set the attributes in the route-map.

By denying the traffic, you will lose the redundancy for that customer. Apply that route-map and then post your config, then go to any looking glass and trace that subnet, and see which path is being taken. Please post the result as well.


regards,

milan.kulik Mon, 04/30/2007 - 06:37

Hi,


AFAI can understand, you are trying to force one of your customers to use a different path to your data center than the others.


IMHO, it's impossible while the customer is connected to some other (far away) ISP.


Even if you change the metric (MED) or prepend more AS numbers to the prefixes advertised to ISP A, it makes no sense to do it for _701$ - the customer doesn't care about routing to his AS, he knows it already (and with better metric)!


The only thing the customer is interested in is routing to YOUR AS!

That explains why it works when you

set as-path prepend 40154 40154 40154 40154 40154

to all prefixes:

Your AS prefixes are being advertised with a longer AS path to ISP A, so all customers choose the path via ISP B to your data center.


I'm afraid the only chance would be to make an agreement with your customer's ISP X to prefer paths via ISP B to your data center for your customer.


HTH,

Milan Kulik



patwill66_2 Tue, 05/01/2007 - 14:27

Well, I think here you may be a little confused, or maybe I didn't fully understand your reply. The customer doesn't have an ASN, they just have one internet circuit to ISP 701. So I am trying to change the preference for the entire ISP ASN. So since the customer just has a default route to his ISP, if I were to change the preference for the ISP, that would affect the customer's routing.


Next week I am going to be able to try using a prefix list and some other things. I will post my results.

milan.kulik Wed, 05/02/2007 - 01:25

Hi,


Maybe I'm missing something, but what I'm trying to say is:

You need to change the routing path from ISP 701 to your data centre.


But it makes no sense to increase the length of the AS path from your AS to AS701 in BGP updates sent to ISP A. Even if he accepts the update, it will not change the path from 701 to your data centre.


What you need is to ask ISP 701 to change the path to your data centre to prefer ISP B.


BR,

Milan Kulik


patwill66_2 Wed, 05/02/2007 - 10:49

I see what you are saying but I guess I don't fully understand. If I increase my AS path to only ASN 701 out my ISP A, why wouldn't it change the path from 701 to me? I would be telling 701 that the route via ISP A is longer than via ISP B so it should choose to come through ISP B, right?


In regards to talking to the customer's ISP, I haven't got that far yet. There are really no good technical people there to work with and their ISP won't work directly with me since I am not a customer.

milan.kulik Thu, 05/03/2007 - 12:17

Well,

My understanding is:

You will say to ISP B: "I know some route to 701 which goes through n ASes."

And you'll say to ISP A: "I know some route to 701 which goes through n+5 ASes."

But both ISP A and B know some better route to 701, so they'll not choose your route as the best.


And it has totally no effect on routing from 701 to you.


BR,

Milan


patwill66_2 Mon, 05/07/2007 - 08:36

I was able to get this issue fixed yesterday. I worked with my ISP A on using a community value that would have them prepend their own ASN three times to 701. After I got this community set on my router, the traffic rerouted over to my ISP B without any issues.

milan.kulik Mon, 05/07/2007 - 23:36

So 701 is an ISP A neighbour?

And all 701 customers will now go through ISP B, not the only one which had a problem, right?


BR,

Milan



patwill66_2 Tue, 05/08/2007 - 04:21

Yes, you are right. 701 neighbors my ISP A. And yes, all 701 traffic will go through ISP B, even more than just that one customer. This was the result I was trying to get to since the customer doesn't have an ASN.

milan.kulik Thu, 05/10/2007 - 04:19

So your solution is based on RFC1998?

Could you please paste the final config used?

I'd like to learn something new...


Thanks,

Milan



patwill66_2 Thu, 05/10/2007 - 05:31

I looked at RFC 1998 and it seemed to talk about what I have done. However, I am not sure if there are more RFCs regarding this.


Here are the new route maps after I got this working.



route-map ISP-B_OUTBOUND_POLICY permit 10
 set metric 200
 set as-path prepend 40154
 set community :120

route-map ISP-A_OUTBOUND_POLICY permit 10
 set metric 200
 set as-path prepend 40154
 set community :8033

route-map ISP-B_INBOUND_POLICY permit 5
 match as-path 5
 set local-preference 150

route-map ISP-B_INBOUND_POLICY permit 10
 set local-preference 120

route-map ISP-A_INBOUND_POLICY permit 10
 set local-preference 120



First, I found this site which was quite helpful in finding what communities each vendor supported.


http://www.onesc.net/communities/


From here I found my ISP A in the list and checked the communities it supported. I found that they supported the ability to change their advertised as-path within their network to ASN 701. I added that command into route-map ISP-A_OUTBOUND_POLICY permit 10 and it started working shortly after that.
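
Added example (not part of the thread and not any poster's code): a small model of the three outbound policies discussed above, showing which ISP AS 701 would prefer for AS 40154's prefix. Assumptions: ISP A and ISP B use placeholder ASNs 64500 and 64501, AS 701 hears the prefix directly from both ISPs, and only AS-path length is compared.

```python
import re

MY_AS, ISP_A, ISP_B = 40154, 64500, 64501  # ISP ASNs: placeholders (RFC 5398 range)

def ios_match(pattern, as_path):
    """Cisco-style AS-path regex; '_' matches a delimiter or either end of the path."""
    text = " ".join(map(str, as_path))
    return re.search(pattern.replace("_", r"(?:^|$| )"), text) is not None

def export(route_map, as_path):
    """Apply the first matching (as_path_regex, prepend_count) sequence on eBGP export."""
    for pattern, prepends in route_map:
        if pattern is None or ios_match(pattern, as_path):
            return [MY_AS] * (prepends + 1) + list(as_path)  # +1: own ASN is always added
    return None  # implicit deny at the end of a route-map

def seen_at_701(sent, isp, isp_prepends=0):
    """The ISP adds its own ASN once, plus any community-triggered prepends toward 701."""
    return [isp] * (1 + isp_prepends) + sent

def inbound_choice(map_a, map_b, a_prepends_to_701=0):
    """Which ISP AS 701 prefers for our prefix, comparing AS-path length only."""
    own_prefix_path = []  # locally originated routes carry an empty AS path
    via_a = seen_at_701(export(map_a, own_prefix_path), ISP_A, a_prepends_to_701)
    via_b = seen_at_701(export(map_b, own_prefix_path), ISP_B)
    if len(via_a) == len(via_b):
        return "tie"  # decided by attributes this model does not cover
    return "A" if len(via_a) < len(via_b) else "B"

# Route-maps from the thread as (as-path regex or None for match-all, prepend count)
FIRST_TRY = {"A": [(None, 5)], "B": [("_701$", 0), (None, 5)]}
SHIFT_ALL = {"A": [(None, 5)], "B": [(None, 0)]}
FINAL     = {"A": [(None, 1)], "B": [(None, 1)]}

if __name__ == "__main__":
    print("first try:", inbound_choice(FIRST_TRY["A"], FIRST_TRY["B"]))
    print("shift all:", inbound_choice(SHIFT_ALL["A"], SHIFT_ALL["B"]))
    print("final, no community:", inbound_choice(FINAL["A"], FINAL["B"]))
    print("final, ISP A prepends x3 to 701:", inbound_choice(FINAL["A"], FINAL["B"], 3))
```

In this model the `_701$` sequence never matches the locally originated prefix, so the first attempt leaves both advertisements the same length; only a global prepend or a prepend applied by ISP A toward 701 changes the comparison.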

