BGP community and interface graphing

Answered Question
Feb 3rd, 2009

I'd like to graph inbound traffic depending on 2 things.

The destination address (ACL?)

and the source, acquired from community-lists.


Currently BGP marks routes and we have an outbound policy for traffic.

I'm having problems on a 7301 router (12.4) graphing the inbound traffic.

I can do it with only ACLs, but then I can't differentiate between BGP community tagged routes.


ISP provides domestic routes with :123 and international routes with community :456.


I've tried something like this and there aren't any hits on the class-maps on the inbound policy.



! Sample config
!
! our website address range
ip access-list extended WEBSITES
 permit ip any 10.10.10.0 0.0.0.255
!
! our corporate address range
ip access-list extended CORPORATE
 permit ip any 20.20.20.0 0.0.0.255
!
! domestic routes
ip community-list 1 permit 789:123
! international routes
ip community-list 2 permit 789:456
!
! match and set qos-group for domestic routes
route-map SET-QOS-GROUPS permit 10
 match community 1
 set ip qos-group 1
!
! match and set qos-group for international routes
route-map SET-QOS-GROUPS permit 20
 match community 2
 set ip qos-group 2
!
! make BGP mark routes
router bgp 890
 table-map SET-QOS-GROUPS
!
! traffic to our websites from domestic routes
class-map match-all WEBDOMESTIC
 match access-group name WEBSITES
 match qos-group 1
!
! traffic to our websites from international routes
class-map match-all WEBINTERNATIONAL
 match access-group name WEBSITES
 match qos-group 2
!
! traffic to corporate office from domestic routes
class-map match-all CORPDOMESTIC
 match access-group name CORPORATE
 match qos-group 1
!
! traffic to corporate office from international routes
class-map match-all CORPINTERNATIONAL
 match access-group name CORPORATE
 match qos-group 2
!
! policy-map to graph against
policy-map INBOUNDTRAFFIC
 class WEBDOMESTIC
 class WEBINTERNATIONAL
 class CORPDOMESTIC
 class CORPINTERNATIONAL
!
! apply policy to interface
interface GigabitEthernet0/1
 service-policy input INBOUNDTRAFFIC
!
end



If I'm missing something in config or there is a better way to graph this then your help is much appreciated.

Laurent Aubert (Cisco Employee) Tue, 02/03/2009 - 20:15

Hi,


I think you are missing the bgp-policy destination ip-qos-map command on your ingress interface if you're sending the BGP updates on that interface.


Please refer to the following link for more details regarding the QPPB feature:


http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfprop_ps1835_TSD_Products_Configuration_Guide_Chapter.html#wp1000872


HTH


Laurent.

Mark Potter Wed, 02/04/2009 - 13:53

Ah yes, bgp-policy destination ip-qos-map is on our G0/0 interface on our side of the router.

I believe this is because we are dual homed to a peering point as well.


G0/1 - ISP

G0/2 - Peer

G0/0 - LAN (corp/web)


Should this be moved to the 2 Provider interfaces on the outside of the router?

Will this cause a conflict in the qos table having two sources?

Correct Answer
Laurent Aubert (Cisco Employee) Thu, 02/05/2009 - 20:05

Yes, you need the command on both interfaces where you could receive the target traffic.


Don't forget the bgp-policy destination cmd will match the destination address of the packet. If you want to match the source address, you need bgp-policy source cmd instead.

Mark Potter Mon, 02/09/2009 - 12:19

Thank you, all is working now. :)

Aside from the bgp-policy on the interface, I had ACLs which were different from the config above, with a netmask instead of a wildcard mask, that were also making the troubleshooting hard.
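As an added example (not from the thread and not Cisco's code), here is a small Python lint that encodes the two findings above: Laurent's answer, that every interface which can receive the target traffic must carry a bgp-policy ... ip-qos-map statement or the table-map's qos-group is never applied to any packet, and Mark's closing note, that an ACL written with a subnet mask instead of a wildcard mask silently matches the wrong thing. The two embedded configs are constructed from the posted one and trimmed; the GigabitEthernet interface names, the use of bgp-policy source (the classes describe where the traffic comes from, and as Laurent notes, destination would look up the packet's destination instead) and the omission of the community-list, route-map and table-map lines are assumptions of the example.

```python
import re
from ipaddress import IPv4Address

# Constructed sample (not the poster's exact text) of what the thread found wrong:
# QPPB only on the LAN side, and a subnet mask where the ACL expects a wildcard.
BROKEN_CONFIG = """\
ip access-list extended WEBSITES
 permit ip any 10.10.10.0 255.255.255.0
class-map match-all WEBDOMESTIC
 match access-group name WEBSITES
 match qos-group 1
class-map match-all WEBINTERNATIONAL
 match access-group name WEBSITES
 match qos-group 2
policy-map INBOUNDTRAFFIC
 class WEBDOMESTIC
 class WEBINTERNATIONAL
interface GigabitEthernet0/0
 bgp-policy destination ip-qos-map
interface GigabitEthernet0/1
 service-policy input INBOUNDTRAFFIC
interface GigabitEthernet0/2
 service-policy input INBOUNDTRAFFIC
"""

# Constructed corrected version (community-lists, route-map and table-map are
# unchanged from the post, so omitted). QPPB goes on every interface that can
# receive the traffic; 'source' because the classes describe where traffic
# comes from ('destination' would look up the packet's destination instead).
CORRECTED_CONFIG = """\
ip access-list extended WEBSITES
 permit ip any 10.10.10.0 0.0.0.255
class-map match-all WEBDOMESTIC
 match access-group name WEBSITES
 match qos-group 1
class-map match-all WEBINTERNATIONAL
 match access-group name WEBSITES
 match qos-group 2
policy-map INBOUNDTRAFFIC
 class WEBDOMESTIC
 class WEBINTERNATIONAL
interface GigabitEthernet0/1
 bgp-policy source ip-qos-map
 service-policy input INBOUNDTRAFFIC
interface GigabitEthernet0/2
 bgp-policy source ip-qos-map
 service-policy input INBOUNDTRAFFIC
"""

DOTTED = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_blocks(config):
    """Split IOS-style text into (header, [indented child lines]) blocks."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t" and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def interfaces_missing_qppb(blocks):
    """Interfaces carrying the ingress policy but no 'bgp-policy ... ip-qos-map'."""
    return sorted(h.split(None, 1)[1] for h, body in blocks if h.startswith("interface ")
                  and any(l.startswith("service-policy input") for l in body)
                  and not any(l.startswith("bgp-policy") and l.endswith("ip-qos-map") for l in body))

def looks_like_netmask(mask):
    """Contiguous-from-the-top masks (255.255.255.0) are subnet masks, not wildcards."""
    m = int(IPv4Address(mask))
    inv = m ^ 0xFFFFFFFF
    return m not in (0, 0xFFFFFFFF) and (inv & (inv + 1)) == 0  # 0.0.0.0 = host, all-ones = any

def netmask_like_entries(blocks):
    """ACL entries whose wildcard operand is really a subnet mask (the poster's last finding)."""
    hits = []
    for header, body in blocks:
        if not header.startswith("ip access-list "):
            continue
        for line in body:
            toks, i = line.split(), 1
            while i < len(toks) - 1:
                # an address followed by another dotted quad is address + wildcard,
                # unless the address belongs to a 'host' keyword
                if DOTTED.match(toks[i]) and DOTTED.match(toks[i + 1]) and toks[i - 1] != "host":
                    if looks_like_netmask(toks[i + 1]):
                        hits.append((header.split()[-1], line))
                    i += 2
                else:
                    i += 1
    return hits

def lint(config):
    """Run both checks; an empty list for every key means the config is clean."""
    blocks = parse_blocks(config)
    return {"missing_qppb": interfaces_missing_qppb(blocks),
            "netmask_like": netmask_like_entries(blocks)}
```

Running lint(BROKEN_CONFIG) reports GigabitEthernet0/1 and GigabitEthernet0/2 as carrying the service-policy without any QPPB statement (the bgp-policy on G0/0 does not help them) and flags the 255.255.255.0 entry in WEBSITES; lint(CORRECTED_CONFIG) returns empty lists for both checks.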




