Solid BGP Config?

stephen.stack
Level 4

Hi Guys,

Looking for a workable BGP config here. I have brushed up on a lot of my BGP stuff, but I am just not getting the config I need.

I have a BGP core that is peered with several other ISPs. At the moment we have contracted a tier 1 ISP to provide a gig link for application testing to us. We are just about to peer with them. We advertise 2 /19's with our other peers.

What I want to do is limit the scope of traffic in and out of this link, i.e. traffic from 3 /24s is only allowed in via this link and only 1 /24 out of the /19 is to be advertised out.

This is my config to allow only 3 subnets inbound from the tier 1. I will apply a local_pref of 200 to ensure my AS chooses these routes.

access-list 115 remark *** ACL TO ALLOW ONLY THESE NETWORK IN FROM TIER1 ***
access-list 115 permit ip 1.1.0.0 0.0.63.255 any
access-list 115 permit ip 2.2.0.0 0.0.127.255 any
access-list 115 permit ip 3.3.3.0 0.0.0.255 any
!
! **** SET AS-PATH ACL TO TIER1 ASN ****
ip as-path access-list 7 permit ^??????$
!
route-map TIER1-RMAP-IN permit 10
 match ip address 115
!
route-map TIER1-RMAP-IN permit 20
 match as-path 7
 set local-preference 200
!
route-map TIER1-RMAP-OUT permit 10
 match ip address 116
!
router bgp 100
 neighbor 206.24.169.117 description *** BGP PEER WITH TIER1 ***
 neighbor 206.24.169.117 remote-as ??????
 neighbor 206.24.169.117 route-map TIER1-RMAP-IN in
 neighbor 206.24.169.117 route-map TIER1-RMAP-OUT out
 neighbor 206.24.169.117 version 4
 neighbor 206.24.169.117 soft-reconfiguration inbound
!

I need a config or some tips to advertise only a /24 out of one of our /19s to the tier 1 peer. I need to ensure that this /24 via our new tier 1 is the only path and that it will fail over to another peer if the new link goes down.

I hope all this makes sense.

Thanks in advance

Stephen

========================== http://www.rconfig.com A free, open source network device configuration management tool, customizable to your needs! - Always vote on an answer if you found it helpful

Giuseppe Larosa
Hall of Fame

Hello Stephen,

Use a single block on incoming routes, or you will receive all prefixes with AS path = provider's path:

route-map TIER1-RMAP-IN permit 10
 match ip address 115
 match as-path 7
 set local-preference 200

For output:

use a different route-map out of this neighbor with an ACL that permits only the intended /24;

have access-list 116 contain only the intended /24 prefix.

To all your other peers use a route-map made of two blocks:

In the first block you allow the /24 prefix but you do your own AS number prepend:

route-map otherpeers-out permit 10
 match ip address 116
 set as-path prepend 100 100 100
route-map otherpeers-out permit 20
 match ip address 120

where ACL 120 will list all the IP prefixes you want to advertise to the other ASes.

Hope to help

Giuseppe

Edison Ortiz
Hall of Fame

What I want to do is limit the scope of traffic in and out of this link, i.e. traffic from 3 /24s is only allowed in via this link and only 1 /24 out of the /19 is to be advertised out.

Create an ACL or Prefix-list including the 3 /24 subnets that you want to allow into your router and configure another ACL or Prefix-list that you want advertised out of your router.

Apply this ACL or Prefix-list within the neighbor statement with the distribute-list or prefix-list option.

On the last requirement, in order to advertise a /24 out of the /19 being advertised out, you must have the /24 in the router's routing table and announce this /24 either via a network statement or redistribution; if it was done via an aggregate, you can use the unsuppress-map option.

HTH,

__

Edison.

Hi Guys,

Thanks for the responses. They are very clear. Can I ask you both one or two more q's?

Giuseppe - In the inbound route map, you basically took the one I created and compressed it a bit? Does this have the same effect as the two route map statements I created? My own logic in terms of my statement is that statement 10 allows only the 3 /24s inbound and denies all other updates. Statement 20 ups the local_pref to 200 around my AS for prefixes allowed in from the provider AS?

Also, "use a single block on incoming routes or you will receive all prefixes with AS path = provider's path" - why is this?

And the unsuppress-map option!!!

Edison, if I may :)

This /24 is almost in the middle of the /19. It is currently in the routing table as a /24. Can I just advertise the network using the network statement in BGP config? Will this advertise the /24 to all peers as well as our /19? Can the route be advertised out of one peer only and fail over to others on peer failure?

Thanks again guys.

Stephen


And the unsuppress-map option!!!

Edison, if I may :)

This /24 is almost in the middle of the /19. It is currently in the routing table as a /24. Can I just advertise the network using the network statement in BGP config? Will this advertise the /24 to all peers as well as our /19? Can the route be advertised out of one peer only and fail over to others on peer failure?

If you put the network statement along with an aggregate in the same BGP router, the route will be advertised as /19 if you use the 'summary-only' on the aggregate. If you don't use the 'summary-only' you will advertise the /19 along with the specific subnets.

If you decide to use the /19 with the 'summary-only', you can use the unsuppress-map option to advertise the /19 and only advertise one of the /24 to a neighbor.

HTH,

__

Edison.

Please rate helpful posts

Hello Stephen,

My answer:

Does this have the same effect as the two route map statements I created?

No, the effect of my config is more specific:

I allow to receive only prefixes permitted by ACL 115 and at the same time I provide an increased local pref of 200 to those prefixes. All other prefixes are denied.

With your config:

At step 1 (route-map permit 10) you accept prefixes that match ACL 115.

At step 2 (route-map permit 10) you accept all prefixes with AS path = provider's path and you increase local pref to 200.

I'm not sure you will get loc pref 200 for prefixes that match ACL 115, but you will accept all possible prefixes with that AS path and give them loc pref 200.

You also defined the peering as experimental, so my idea, but I may be wrong of course, is that you wanted to receive only prefixes that match ACL 115 and provide them an increased loc pref of 200.

If you want to receive all prefixes (with AS path = ISP's AS) and provide them loc pref 200, you are correct.

For the fact that the /24 is a component subnet of an aggregate /19, follow Edison's suggestions: if you don't have the summary-only option on the aggregate you are fine; otherwise the unsuppress-map is the tool that allows you to advertise the /19 and the component /24.

In every case the network command for the component /24 is required (unless it comes from IGP redistribution into BGP).

Hope to help

Giuseppe
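Pulling the two answers together as one IOS configuration, an added example that is not any poster's own config: inbound filtering and local-preference in a single block, the /24 sent only to the tier 1 peer via unsuppress-map, and the /19 sent to everyone else. Every address except the tier 1 neighbor IP, the AS numbers 65000 and 65001, and the second peer 172.16.0.2 are constructed placeholders.

```cisco
! Added example (not any poster's config). Constructed values: local AS 100,
! tier-1 neighbor 206.24.169.117 in placeholder AS 65000, a second peer
! 172.16.0.2 in placeholder AS 65001, aggregate 10.20.0.0/19 whose component
! 10.20.17.0/24 goes only to the tier-1 peer, and inbound /24s from RFC 5737.
!
! Inbound from tier-1: one block that both filters and sets local preference.
! A separate block matching only the AS path would also admit every other
! prefix carrying the provider's path; the implicit deny drops the rest.
ip prefix-list TIER1-IN seq 5 permit 192.0.2.0/24
ip prefix-list TIER1-IN seq 10 permit 198.51.100.0/24
ip prefix-list TIER1-IN seq 15 permit 203.0.113.0/24
!
route-map TIER1-RMAP-IN permit 10
 match ip address prefix-list TIER1-IN
 set local-preference 200
!
! Outbound to tier-1: only the component /24, never the /19.
ip prefix-list TIER1-OUT seq 5 permit 10.20.17.0/24
!
route-map TIER1-RMAP-OUT permit 10
 match ip address prefix-list TIER1-OUT
!
! Outbound to all other peers: only the /19. Longest match sends the /24's
! traffic via tier-1 while that route exists and via the /19 when it is gone.
ip prefix-list OTHERS-OUT seq 5 permit 10.20.0.0/19
!
route-map OTHERS-RMAP-OUT permit 10
 match ip address prefix-list OTHERS-OUT
!
! summary-only suppresses the /24 everywhere; the unsuppress-map re-enables it
! for the tier-1 neighbor only, and TIER1-RMAP-OUT then passes just the /24.
route-map TIER1-UNSUPPRESS permit 10
 match ip address prefix-list TIER1-OUT
!
router bgp 100
 network 10.20.17.0 mask 255.255.255.0
 aggregate-address 10.20.0.0 255.255.224.0 summary-only
 neighbor 206.24.169.117 remote-as 65000
 neighbor 206.24.169.117 description TIER1 PEER
 neighbor 206.24.169.117 soft-reconfiguration inbound
 neighbor 206.24.169.117 route-map TIER1-RMAP-IN in
 neighbor 206.24.169.117 route-map TIER1-RMAP-OUT out
 neighbor 206.24.169.117 unsuppress-map TIER1-UNSUPPRESS
 neighbor 172.16.0.2 remote-as 65001
 neighbor 172.16.0.2 route-map OTHERS-RMAP-OUT out
```

The network statement only installs the /24 into BGP if that /24 already exists in the routing table, as the thread notes; check the result with show ip bgp neighbors 206.24.169.117 advertised-routes, which should list the /24 alone.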

Hi Guys,

Thanks for all the info. I am compiling some more information on my exact requirements before I roll out this config. I'm sure to some (or even most) this may be very simple, but I want to be very careful to get this right first time.

I will update this post once I have completed the config and let you know my findings.

Regards

Stephen


Hi Guys,

So... thanks for all the help here. I have completed the task in question.

I have successfully advertised a /24 only to Savvis and the rest of the /19 to the rest of the internet. Failover is inherent, as route lookups will always use the longest prefix match; if the /24 is removed the traffic is routed through the /19. I did this by using a prefix match for the Savvis link only allowing the /24 outbound and using the existing distribute lists to remove the /24 from the outbound updates to all other peers.

I also received the 3 subnets I need to come in from Savvis by using a route map and setting the local_pref to 200. That way if they are removed the BGP table has another entry for them and can populate the routing table with the next best entries.

All in all very successful, and I could not have done it without your help.

I'm feeling quite good about BGP all of a sudden.

Thanks & Regards

Stephen
