real life experience with oer and pbr

Unanswered Question
Oct 16th, 2008

does anyone have some real experience with this willing to share basic setup.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Joseph W. Doherty Fri, 10/17/2008 - 16:13

OER MC/BR on BGP MPLS VPN.

key chain key1

key 1

key-string somekey

oer master

logging

!

border x.x.x.x key-chain key1

interface FastEthernet0/0 internal

interface Serial0/0 external

!

border x.x.x.x key-chain key1

interface FastEthernet0/0 internal

interface Serial0/0 external

!

learn

throughput

delay

periodic-interval 0

monitor-period 1

aggregation-type bgp

mode route control

mode select-exit best

periodic 180

!

oer border

local Loopback0

master x.x.x.x key-chain key1

OER BR on BGP MPLS VPN.

key chain key1

key 1

key-string somekey

oer border

local Loopback0

master x.x.x.x key-chain key1

Additional CPU load for about 100 BGP routes, minimal. Do have to watch memory for SLA tests when using "both" monitoring.

whanson Thu, 10/23/2008 - 02:27

Any chance of getting whole configuration of routers.

Joseph W. Doherty Thu, 10/23/2008 - 04:08

Unlikely, but other than router section configs, not much else really related to OER/PfR, except perhaps using loopbacks. An important point with the router sections, is to not allow OER/PfR injected routes to propagate where not desired, such as sending BGP community in the BGP router config section. Basic OER/PfR configs can be very small. I probably could get you a sample of those statements. Otherwise, do you have some specific question I might be able to answer?

whanson Thu, 10/23/2008 - 06:12

Just trying to understand exactly how it goes together. I assume that say at the hub end you use a border and separate master? I understand that the max number of border is 10 and the max number of interfaces is 20 per master. Do you mix the br/master at the remote end? Also, is this simply based on netflow to determine best path or do you have to set it up in some manner based on what you know about the topology? I am just looking for a simple example if there is one.

thx again.

Joseph W. Doherty Thu, 10/23/2008 - 16:04

Yes at two hubs, have separate MC router (2811) that works with two BR routers (NSE-G2). However, from the load on the MC, at least within a private MPLS VPN, combining the MC on a BR would likely be fine. At branches, do place a MC on a BR.

The only part of the topology you need to know, is whether a BR interface faces the outside or faces the inside. OER/PfR uses its own netflow and/or SLA tests to monitor traffic passing through the router. It needs to know the interfaces to watch, and inside vs. outside to determine whether it needs to adjust routing on the outside facing interfaces.

OER/PfR can also be activated in just monitor mode, where it won't inject any routes. You can then look at its stats and log entries to see what it would do.

Getting OER/PfR running is relatively simple; my initial post is the template I use. Just need to put in loopback addresses and insure the interfaces are defined.

As I noted, when you configure OER/PfR to inject routes, you do need to insure they go only where you want (generally limited to the BR routers). Also, when doing any active testing, OER/PfR will set up SLA ping tests to up to 5 hosts on any network it controls a route for. If OER/PfR routes are more granular then your normal routing (e.g. site advertises /20 but you configure OER/PfR to inject /26 routes), lots of SLA tests can be generated at a hub site. If you use just passive monitoring (netflow analysis of TCP flows), SLA tests are a non-issue.

whanson Tue, 10/28/2008 - 14:23

Joseph,

I know you can't give me your live routers but any chance, given you understand this stuff much better that I , to give a mock up.

Bill

Joseph W. Doherty Tue, 10/28/2008 - 18:01

My first post pretty much has the template I use in production on either border only routers or border/master-controller routers. Only need to drop in IP addresses and insure interfaces are properly defined on master. (For master controller only routers, just ignore border config.)

If I did display config from a working router, you would only see actual IP addresses and interface defined within the framework of my original post's template.

The only things I didn't show, was what you might need to do if working with non-native BGP route injection (which I usually don't) or how to block injection of OER/PfR routes into another routing protocol. For the latter, I can provide sample config how to not inject into OSPF.

Beyond that, not much more I can show you from what I normally use.

Perhaps you've been reading about all the complexity of OER/PfR, and it can do many things, but I don't have experience with that level of complexity, and a basic working configuration is pretty simple.

rares_mancas Tue, 02/03/2009 - 21:09

Hi Joseph,

I configured as per your template, but my OER state is always enabled and inactive. What can cause this state? I can not find any info!!!

Joseph W. Doherty Wed, 02/04/2009 - 16:39

Could you provide show versions, show config, show oer master and show oer boarder for the routers you're working with? I'll look to see if there's anything that I might recognize as incorrect.

rares_mancas Wed, 02/04/2009 - 17:50

Hi joseph,

the network setup is like this.

I have 2 ASA5505 that should do the NAT to the ISPs (x.x.6.1 and x.x.7.1) connected to the FE0/0 and FE0/1 of an 2811. I will use the OER with static routes. But it seems something is still missing.

Please find attached the files.

Thanks.

Joseph W. Doherty Thu, 02/05/2009 - 16:48

Not sure I'm going to be able to help you on this.

I see your running 12.4(22)T which uses PfR. Most of my experience has been with 12.4 using OER; the few times I've worked with PfR, I've used my OER config.

Looking at your config, there's much there that PfR supports, and unsure whether it's defaulted or you've added it. I would first try to get PfR working with the very minimum config. E.g., Things like your OER map would be something I would try to defer.

I also see you're using an Ethernet module, VLANs, BVI, etc. for the "inside" interface. Something I've not tried with OER/PfR. (Your usage of bridging has me especially confused since it looks like you may only be using interface FE1/0.) Unknown whether OER or PfR would support an Ethernet module VLAN or BVI. (If they don't, and if you're only using one inside interface, you might use the 1-Port Fast Ethernet HWIC, or VLAN trunk an existing FE port into 2 or 3 subinterfaces.)

rares_mancas Thu, 02/05/2009 - 18:25

Hi Joseph,

that BVI was added after I tried the defaults and other config examples I found. I enabled bridge to fe1/0 because the other are not necessary for now, as you said I just want to see it start working. But I found some bits of info, the problem could be the VLAN on which there were no clients (protocol down). That's why I want to clarify if possible. The active probes are triggered and done by the border interface (eg Loopback) like an track object (ip sla) or they are triggered by the inside interface and done by the border one? This is not clear for me.

Thanks.

Joseph W. Doherty Fri, 02/06/2009 - 04:57

OER/PfR will logically shutdown if the minimum number of interfaces are not available. I.e., the backside "internal" interface likely does need to be seen as up.

Active probes are triggered by different things depending on your OER/PfR configuration. Internally, I believe, they are actually SLA. By default, they should source off the physical interface (like a defualt ping) but recall there's a configuration command to force them to use another interface, such as loopback (similar as can be done with an extended ping). However, advise against it, since if you're doing active probing, you may not want the return path to use another path back. (OER/PfR appears clever enough, when an outbound route is changed, its active probes ignore the route change.)

ahintzsche Mon, 04/20/2009 - 08:46

Hello,

I just wanted to say, that i'm trying to setup OER too in my test net and I had exactly the same issue. OER being inactive. Even debug didn't show anything. I had a look outside cisco web, and found config on http://www.dslreports.com/forum/remark,13140833

as soon as I configured ports under master and border it sprang into life. I haven't finished configuring it yet and haven't tested it, so haven't got a finished config. But you may like to try that config mentioned in the link.

Regards Anke

Actions

This Discussion