BGP community and interface graphing

Mark Potter
Level 1

I'd like to graph inbound traffic depending on 2 things.

The destination address (ACL?)

and source acquired from community-lists.

Currently BGP marks routes and we have an outbound policy for traffic.

I'm having problems on a 7301 router (12.4) graphing the inbound traffic.

I can do it with only ACLs, but then I can't differentiate between BGP community tagged routes.

ISP provides domestic routes with :123 and international routes with community :456.

I've tried something like this and there aren't any hits on the class-maps on the inbound policy.

! Sample config
!
! our website address range
ip access-list extended WEBSITES
 permit ip any 10.10.10.0 0.0.0.255
!
! our corporate address range
ip access-list extended CORPORATE
 permit ip any 20.20.20.0 0.0.0.255
!
! domestic routes
ip community-list 1 permit 789:123
! international routes
ip community-list 2 permit 789:456
!
! match and set qos-group for domestic routes
route-map SET-QOS-GROUPS permit 10
 match community 1
 set ip qos-group 1
!
! match and set qos-group for international routes
route-map SET-QOS-GROUPS permit 20
 match community 2
 set ip qos-group 2
!
! make BGP mark routes
router bgp 890
 table-map SET-QOS-GROUPS
!
! traffic to our websites from domestic routes
class-map match-all WEBDOMESTIC
 match access-group name WEBSITES
 match qos-group 1
!
! traffic to our websites from international routes
class-map match-all WEBINTERNATIONAL
 match access-group name WEBSITES
 match qos-group 2
!
! traffic to corporate office from domestic routes
class-map match-all CORPDOMESTIC
 match access-group name CORPORATE
 match qos-group 1
!
! traffic to corporate office from international routes
class-map match-all CORPINTERNATIONAL
 match access-group name CORPORATE
 match qos-group 2
!
! policy-map to graph against
policy-map INBOUNDTRAFFIC
 class WEBDOMESTIC
 class WEBINTERNATIONAL
 class CORPDOMESTIC
 class CORPINTERNATIONAL
!
! apply policy to interface
interface gig0/1
 service-policy input INBOUNDTRAFFIC
!
end

If I'm missing something in config or there is a better way to graph this then your help is much appreciated.


Laurent Aubert
Cisco Employee

Hi,

I think you are missing the bgp-policy destination ip-qos-map command on your ingress interface if you're sending the BGP updates on that interface.

Please refer to the following link for more details regarding QPPB feature:

http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfprop_ps1835_TSD_Products_Configuration_Guide_Chapter.html#wp1000872

HTH

Laurent.

Arh yes, bgp-policy destination ip-qos-map is on our G0/0 interface on our side of the router.

I believe this is because we are dual homed to a peering point as well.

G0/1 - ISP

G0/2 - Peer

G0/0 - LAN (corp/web)

Should this be moved to the 2 Provider interfaces on the outside of the router?

Will this cause a conflict in the qos table having two sources?

Yes, you need the command on both interfaces where you could receive the target traffic.

Don't forget the bgp-policy destination cmd will match the destination address of the packet. If you want to match the source address, you need bgp-policy source cmd instead.

Thank you, all is working now. :)

Aside from having the bgp-policy on the interface, I had ACLs which were different from the config, which were also making the troubleshooting hard, having a netmask instead of a wildcard mask as above.

You're welcome !!

Laurent.
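
An offline check for the two mistakes this thread ended up tracing, added here as an example and not part of the original posts: an ACL entry written with a netmask instead of a wildcard mask, and a policy that matches qos-group applied to an interface that has no bgp-policy ... ip-qos-map command. The function names and the sample config are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample modelled on the thread's config, with two defects left in.
SAMPLE = """\
ip access-list extended WEBSITES
 permit ip any 10.10.10.0 255.255.255.0
class-map match-all WEBDOMESTIC
 match access-group name WEBSITES
 match qos-group 1
policy-map INBOUNDTRAFFIC
 class WEBDOMESTIC
interface GigabitEthernet0/1
 service-policy input INBOUNDTRAFFIC
"""

PAIR = re.compile(r"(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")  # address + mask

def looks_like_netmask(mask):
    """True for contiguous-ones masks such as 255.255.255.0 (0.0.0.0 and all-ones pass)."""
    n = int(ipaddress.IPv4Address(mask))
    inv = n ^ 0xFFFFFFFF
    return n not in (0, 0xFFFFFFFF) and (inv & (inv + 1)) == 0

def lint(config):
    """Return a list of findings for an IOS-style config given as text."""
    out, qos_classes, policies, svc, qppb = [], set(), {}, {}, set()
    kind = name = None
    for line in config.splitlines():
        w = line.split()
        if not w or w[0].startswith("!"):               # blank or comment line
            continue
        if not line[0].isspace():                       # top-level line opens a section
            kind, name = ("acl" if w[:2] == ["ip", "access-list"] else w[0]), w[-1]
        elif kind == "acl":
            for net, mask in PAIR.findall(line):
                if looks_like_netmask(mask):
                    out.append(f"ACL {name}: {net} {mask} looks like a netmask")
        elif kind == "class-map" and w[:2] == ["match", "qos-group"]:
            qos_classes.add(name)
        elif kind == "policy-map" and w[0] == "class":
            policies.setdefault(name, set()).add(w[1])
        elif kind == "interface" and w[:2] == ["service-policy", "input"]:
            svc[name] = w[2]
        elif kind == "interface" and w[0] == "bgp-policy" and w[-1] == "ip-qos-map":
            qppb.add(name)                              # source or destination form
    for ifname, pol in svc.items():                     # qos-group is only set with QPPB
        if policies.get(pol, set()) & qos_classes and ifname not in qppb:
            out.append(f"interface {ifname}: {pol} matches qos-group, no bgp-policy")
    return out
```

Calling lint(SAMPLE) reports both defects; the check does not decide between the source and destination forms of bgp-policy, which depends on which address should be looked up.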
