BGP Attribute for outgoing Traffic

Answered Question
Oct 22nd, 2013

Dear,


I have the attached diagram:


- There are two links between the routers.

- I have initiated a BGP session between them. For incoming traffic I use prepend and it worked fine.


Now, my objective is to use BGP to route network 10.8.8.0/29 on Link-1 and network 10.10.10.0/29 on Link-2 in normal operation. In case Link-1 is down I want to route network 10.8.8.0/29 to the second link. In case Link-2 is down, network 10.10.10.0/29 should be routed to Link-1.


Which attribute should I use for this, and how can this be achieved to deal with the source IP?


Thanks.

MS

Harold Ritter (Cisco Employee) Tue, 10/22/2013 - 06:19

Hi,


BGP could help you to direct incoming traffic (traffic coming from the Internet) over one link or the other based on the destination network (10.8.8.0/29 or 10.10.10.0/29) but it will not help if you are trying to route outgoing traffic based on the source address. You would need to use Policy Based Routing (PBR) to achieve that.


Regards

alshamlan Tue, 10/22/2013 - 06:30

Thanks Harold,


Can you please explain how we can achieve it using PBR? One example.


regards

dc-csa-blr Tue, 10/22/2013 - 06:39

Hi Alshamlan,


Can you please share with me your BGP prepend configuration, because I also configured bgp as-path prepend in my router to manage incoming traffic, but I think it is not working properly; we are using multiple eBGP sessions in a single-homed setup, that's why.



Thanks in ADV,

Harold Ritter (Cisco Employee) Tue, 10/22/2013 - 07:32

Hi,


It would look something like this.


interface Ethernet0/0
 ip address 10.8.8.1 255.255.255.248
 ip policy route-map pbr1
!
interface Ethernet1/0
 ip address 10.10.10.1 255.255.255.248
 ip policy route-map pbr2
!
interface Ethernet2/0
 description Link1
 ip address 192.168.1.2 255.255.255.252
interface Ethernet3/0
 description Link2
 ip address 192.168.2.2 255.255.255.252
!
route-map pbr1 permit 10
 set ip next-hop 192.168.1.1 192.168.2.1
 set ip next-hop verify-availability
!
route-map pbr2 permit 10
 set ip next-hop 192.168.2.1 192.168.1.1
 set ip next-hop verify-availability
!



Regards

alshamlan Tue, 10/22/2013 - 07:53

Dear Harold,


I tried the PBR but it didn't work for me. Any advice?


DC, I will post the prepend configuration tomorrow.


Regards

smitesh kharecha Tue, 10/22/2013 - 08:12

Hi,


You need to do conditional BGP advertisement for what you want to achieve.

In BGP you have to use the advertise-map option; for more information you can try the Cisco docs.


Regards,

Smitesh


PS: Please rate helpful posts

Harold Ritter (Cisco Employee) Tue, 10/22/2013 - 08:28

Hi Smitesh,


This would take care of the incoming traffic. The original poster asked about the outgoing traffic.


Regards

smitesh kharecha Tue, 10/22/2013 - 08:36

Hi Harold,


Yup, you are correct. Maybe my ignorance in reading the question correctly.


You can use weight or local pref in that case.


Regards,

Smitesh

Harold Ritter (Cisco Employee) Tue, 10/22/2013 - 09:04

Hi Smitesh,


Weight and local preference will not help either as the requirement is to route the outgoing traffic based on the source address rather than on the destination address. BGP won't help in this case but PBR will.


Regards

smitesh kharecha Tue, 10/22/2013 - 09:21

Harold,


Seems like I never understood the question correctly.

I re-read the question and you are correct that the OP wants source-based routing, and PBR is a simple and elegant solution.


Regards,

Smitesh

Harold Ritter (Cisco Employee) Tue, 10/22/2013 - 08:27

Hi,


What platform is the router performing PBR?

Is CDP running between the two routers?


Can you post the relevant configuration? Can you post the output of "sh route-map pbr1" and "sh route-map pbr2"?


Regards

alshamlan Wed, 10/23/2013 - 06:29

Hi Harold,



Router is 1841



CDP is enabled on both routers; however, there is a switch in between both routers that is used for an SVI on the first router, as below:

(ROUTER-1) -------------------trunk---------------------(SWITCH)----------------2 access ports-----------------(CISCO-1841)





ROUTER-1841#show route-map pbr1
route-map pbr1, permit, sequence 10
  Match clauses:
  Set clauses:
    ip next-hop 192.168.1.1 192.168.2.1
    ip next-hop verify-availability
  Policy routing matches: 2 packets, 134 bytes

ROUTER-1841#show route-map pbr2
route-map pbr2, permit, sequence 10
  Match clauses:
  Set clauses:
    ip next-hop 192.168.2.1 192.168.1.1
    ip next-hop verify-availability
  Policy routing matches: 1 packets, 60 bytes







Regards

Harold Ritter (Cisco Employee) Wed, 10/23/2013 - 14:25

Hi,


"set ip next-hop verify-availability" uses CDP to verify the status of the next hop. So this command will not work in your scenario. You can try removing this command just to verify that PBR works for you. If you want your traffic from link1 to failover to link2 and vice versa in case of failure, I would recommend that you use "set ip next-hop verify-availability" in conjunction with tracking options. The following document shows a good example of how that can be done.


http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a0080211f5c.shtml


Regards

Harold Ritter (Cisco Employee) Wed, 10/23/2013 - 16:22

The document I sent contained the old syntax for IP SLA. The feature used to be called Cisco Service Assurance Agent (SAA) and was later renamed to Cisco IP SLA. The syntax also changed. Here's a document explaining the new syntax. The PBR syntax does not change though and you can still use the previous document I provided to configure that part.


Regards


http://www.cisco.com/en/US/docs/ios/12_4/ip_sla/configuration/guide/hsicmp.html

alshamlan Wed, 10/23/2013 - 22:49

Thanks Harold,


Please, the traffic is not flowing as we required: 10.8.8.0/29 should have the next hop 192.168.1.1 and 10.10.10.0/29 the next hop 192.168.2.1. Any hint on this?


Once this traffic flow work, I will test the IP-SLA.


Moreover, can we think about doing it from the other router, since networks 10.10.10.0/29 and 10.8.8.80/29 will be the destination at the second router??


Regards

Harold Ritter (Cisco Employee) Thu, 10/24/2013 - 06:14

Hi,


The initial configuration I provided should work. Can you please post the relevant configuration that you applied? As for load balancing in the incoming direction, this part can be addressed with BGP AS path prepending.


Regards

alshamlan Sun, 10/27/2013 - 00:02

Hi Harold,


See the configuration.


I have created two loopback interfaces and applied the route-maps on them for my testing now, instead of having two physical interfaces.


interface Loopback0
 ip address 10.8.8.1 255.255.255.248
 ip policy route-map pbr1
!
interface Loopback1
 ip address 10.10.10.1 255.255.255.248
 ip policy route-map pbr2

route-map pbr1 permit 10
 set ip next-hop 192.168.1.1 192.168.2.1
 set ip next-hop verify-availability
!
route-map pbr2 permit 10
 set ip next-hop 192.168.2.1 192.168.1.1
 set ip next-hop verify-availability


==========================================
See the ip route
============
B*    0.0.0.0/0 [20/0] via 192.168.1.1, 2d18h
      10.0.0.0/8 is variably subnetted, 8 subnets, 3 masks

==========================================
See ip bgp
==============
ROUTER1841#sh ip bgp
BGP table version is 26, local router ID is
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external, f RT-Filter
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 0.0.0.0          192.168.1.1                            0 77887 66556 i
*                   192.168.2.1                            0 77887 66556 i
*> 10.8.8.0/29      0.0.0.0                  0         32768 i
*> 10.10.10.0/29    0.0.0.0                  0         32768 i

Harold Ritter (Cisco Employee) Sun, 10/27/2013 - 18:49

Hi,


Applying the PBR route-map to the loopback interface will not work. To apply PBR to the traffic sourced from the router, you will need to use the command "ip local policy route-map" in global mode. Also, do not forget to remove "set ip next-hop verify-availability" or use IP SLA in conjunction with it. As previously mentioned, CDP will not work in your case since the routers are separated by a switch.


Regards

alshamlan Wed, 10/30/2013 - 03:28

Hi Harold,


It is working for me now when I tested through the physical interfaces, not on loopback, and removed (( ip next-hop verify-availability )). Moreover, I have tested the failover also and it worked as we required without any IP SLA configuration, which surprised me. All I have changed is removing (( ip next-hop verify-availability )) and keeping one next hop on pbr1, as you can see below. Can you please advise how the failover worked without any IP SLA? Is it because the BGP incoming traffic is working fine, and that influences the outgoing traffic to work?

============================================
interface Ethernet0/0
 ip address 10.8.8.1 255.255.255.248
 ip policy route-map pbr1
!
interface Ethernet1/0
 ip address 10.10.10.1 255.255.255.248
 ip policy route-map pbr2
!
interface Ethernet2/0
 description Link1
 ip address 192.168.1.2 255.255.255.252
!
interface Ethernet3/0
 description Link2
 ip address 192.168.2.2 255.255.255.252
!
route-map pbr1 permit 10
 set ip next-hop 192.168.1.1
!
route-map pbr2 permit 10
 set ip next-hop 192.168.2.1 192.168.1.1
===============================================

Scenario tested:

1- Both links UP
subnet 1 going through link-1
subnet 2 going through link-2

2- Link-1 DOWN
subnet 1 going through link-2
subnet 2 going through link-2

The failover of subnet-1 to link-2 took approximately 3 minutes.

3- Link-2 DOWN
subnet 1 going through link-1
subnet 2 going through link-1

The failover of subnet-2 to link-1 took approximately 3 minutes.

Correct Answer
Harold Ritter (Cisco Employee) Wed, 10/30/2013 - 06:22

Hi,


The failover will work without IP SLA if you shutdown the interface on the internal router. You need IP SLA if you want to test the entire path between the two routers. For instance, if the external router fails, the internal router will not know since it is connected to the switch and not directly to the internal router. That is where IP SLA can help.


Regards

alshamlan Thu, 10/31/2013 - 00:13

Hi Harold,


Yes, you are right. Therefore, I have to implement the IP SLA. I will do so and share the result.


regards

alshamlan Sun, 11/03/2013 - 05:21

Hi Harold,


Thanks for your guidance,


I have implemented the SLA and tested it; it is working fine now. Below is the configuration.


interface FastEthernet0/0
 description uplink-for-Link-1
 ip address 192.168.1.2 255.255.255.252
!
interface FastEthernet0/1
 description uplink-for-Link-1
 ip address 192.168.2.2 255.255.255.252

interface FastEthernet0/1/0
 description Downlink-for-Link-1
 ip address 10.8.8.1 255.255.255.248
 ip policy route-map pbr1
!
interface FastEthernet0/1/1
 description Downlink-for-Link-2
 ip address 10.10.10.1 255.255.255.248
 ip policy route-map pbr2

track 1 ip sla 1 reachability
!
track 2 ip sla 2 reachability

## SLA for Link-1 ##
ip sla 1
 icmp-echo 192.168.1.1 source-ip 192.168.1.2
 threshold 15
 timeout 15000
 frequency 15
ip sla schedule 1 life forever start-time now

## SLA for Link-2 ##
ip sla 2
 icmp-echo 192.168.2.1 source-ip 192.168.2.2
 threshold 15
 timeout 15000
 frequency 15
ip sla schedule 2 life forever start-time now

## Route MAP for Link-1 ##
route-map pbr1 permit 10
 set ip next-hop verify-availability 192.168.2.1 1 track 2
 set ip next-hop 192.168.1.1

## Route MAP for Link-2 ##
route-map pbr2 permit 10
 set ip next-hop verify-availability 192.168.1.1 1 track 1
 set ip next-hop 192.168.2.1
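To make the PBR behaviour discussed in this thread concrete, here is an added example written in Python (it is not the thread's configuration and not Cisco code). It parses interface and route-map stanzas in the style of Harold's PBR answer and of the final IP SLA configuration above, then works out which next hop a packet entering each policy-routed downlink gets for a given state of the uplinks and of the `track` objects. Everything in it is constructed; the interface names, next hops and track numbers mirror the thread. The evaluation order is an assumption stated in the code: tracked `set ip next-hop verify-availability` entries are tried in sequence order before an untracked `set ip next-hop`, and an untracked next hop is only dropped when the local uplink interface is down. Under that order, a route-map whose tracked entry names the other link's next hop (as the posted pbr1 does with 192.168.2.1 and track 2) would prefer that link whenever the track is up, so the order is worth confirming on the platform in use. The "far end down" scenario shows why Harold asked for IP SLA: an untracked next-hop list keeps forwarding to an uplink whose interface is still up even though the external router behind it is gone.

```python
"""Model of Cisco IOS policy-based routing (PBR) next-hop selection.

Added example, not configuration or code from the thread. It parses
interface and route-map stanzas written in the thread's style and works out
which next hop a packet entering a policy-routed downlink gets, for a given
state of the uplinks and of the IP SLA tracking objects.

Assumptions (modeled, not verified on an 1841): tracked
`set ip next-hop verify-availability` entries are tried in sequence-number
order before an untracked `set ip next-hop`; an untracked next hop is only
skipped when the local uplink interface toward it is down; when nothing is
usable the packet falls back to the normal routing table (here the BGP
default route).
"""
import re
from dataclasses import dataclass, field

# Constructed configuration: pbr1 uses IP SLA tracked next hops, pbr2 keeps the
# plain ordered next-hop list from earlier in the thread (no tracking at all).
CONFIG = """\
interface FastEthernet0/1/0
 ip address 10.8.8.1 255.255.255.248
 ip policy route-map pbr1
!
interface FastEthernet0/1/1
 ip address 10.10.10.1 255.255.255.248
 ip policy route-map pbr2
!
route-map pbr1 permit 10
 set ip next-hop verify-availability 192.168.1.1 1 track 1
 set ip next-hop verify-availability 192.168.2.1 2 track 2
!
route-map pbr2 permit 10
 set ip next-hop 192.168.2.1 192.168.1.1
"""

TRACKED = re.compile(r"set ip next-hop verify-availability (\S+) (\d+) track (\d+)$")
UNTRACKED = re.compile(r"set ip next-hop ((?:\d+\.){3}\d+(?: (?:\d+\.){3}\d+)*)$")


@dataclass
class RouteMap:
    tracked: list = field(default_factory=list)    # (sequence, next_hop, track_id)
    untracked: list = field(default_factory=list)  # next hops in configured order


@dataclass
class Policy:
    interface_maps: dict = field(default_factory=dict)  # interface -> route-map name
    route_maps: dict = field(default_factory=dict)      # route-map name -> RouteMap


def parse_config(text):
    """Collect `ip policy route-map` bindings and the set clauses of each route-map."""
    policy = Policy()
    interface = route_map = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            interface, route_map = line.split()[1], None
        elif line.startswith("route-map "):
            route_map, interface = line.split()[1], None
            policy.route_maps.setdefault(route_map, RouteMap())
        elif line == "!":
            interface = route_map = None
        elif interface and line.startswith("ip policy route-map "):
            policy.interface_maps[interface] = line.split()[-1]
        elif route_map and (m := TRACKED.match(line)):
            policy.route_maps[route_map].tracked.append((int(m[2]), m[1], int(m[3])))
        elif route_map and (m := UNTRACKED.match(line)):
            policy.route_maps[route_map].untracked.extend(m[1].split())
    return policy


def select_next_hop(policy, interface, track_up, link_up):
    """Next hop PBR uses for a packet arriving on `interface`, or None for normal routing.

    track_up: {track_id: bool}   state of the IP SLA tracking objects
    link_up:  {next_hop: bool}   whether the local uplink toward that next hop is up
    """
    rmap = policy.route_maps[policy.interface_maps[interface]]
    # Tracked entries first: lowest sequence number whose track object is up.
    for _seq, next_hop, track_id in sorted(rmap.tracked):
        if track_up.get(track_id, False):
            return next_hop
    # Untracked entries: the router only notices the failure when its own
    # interface goes down, which is the "shutdown" case Harold describes.
    for next_hop in rmap.untracked:
        if link_up.get(next_hop, False):
            return next_hop
    return None


def failover_table(policy):
    """Evaluate the scenarios from the thread, plus a far-end failure, for both downlinks."""
    scenarios = {
        "both links up":         ({1: True, 2: True},  {"192.168.1.1": True, "192.168.2.1": True}),
        "link-1 interface down": ({1: False, 2: True}, {"192.168.1.1": False, "192.168.2.1": True}),
        "link-2 interface down": ({1: True, 2: False}, {"192.168.1.1": True, "192.168.2.1": False}),
        # External router on Link-2 fails: local interface stays up, only the probe fails.
        "link-2 far end down":   ({1: True, 2: False}, {"192.168.1.1": True, "192.168.2.1": True}),
    }
    return {
        name: {intf: select_next_hop(policy, intf, tracks, links) for intf in policy.interface_maps}
        for name, (tracks, links) in scenarios.items()
    }


if __name__ == "__main__":
    for name, result in failover_table(parse_config(CONFIG)).items():
        print(f"{name:23s} {result}")
```

Running the file prints one row per scenario. The same functions can be pointed at a `show running-config` excerpt that uses these clauses to check the intended preference order of a route-map before it is applied to an interface.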

dc-csa-blr Wed, 10/23/2013 - 22:51

Hi Alshamlan,


Can you please share with me how to manage incoming traffic by as-path prepend.


Please share your configuration.


Thanks in ADV,









alshamlan Wed, 10/23/2013 - 23:05

Dear DC,


router bgp 65517
 bgp log-neighbor-changes
 network 10.8.8.0 mask 255.255.255.248
 network 10.10.10.0 mask 255.255.255.248
 neighbor 192.168.1.1 remote-as 65588
 neighbor 192.168.1.1 description ### MW-LINK ###
 neighbor 192.168.1.1 update-source FastEthernet0/0
 neighbor 192.168.1.1 soft-reconfiguration inbound
 neighbor 192.168.1.1 prefix-list BFC_IN in
 neighbor 192.168.1.1 prefix-list BFC_OUT out
 neighbor 192.168.1.1 route-map PEND_32_FB out
 neighbor 192.168.2.1 remote-as 65588
 neighbor 192.168.2.1 description ###-Fiber-Main-LINK ###
 neighbor 192.168.2.1 update-source FastEthernet0/1
 neighbor 192.168.2.1 soft-reconfiguration inbound
 neighbor 192.168.2.1 prefix-list BFC_IN in
 neighbor 192.168.2.1 prefix-list BFC_OUT out
 neighbor 192.168.2.1 route-map PEND_24_MW out
!
ip route 10.8.8.0 255.255.255.248 Null0
ip route 10.10.10.0 255.255.255.248 Null0
!
ip prefix-list 24_MW seq 6 permit 10.8.8.0/29
ip prefix-list 32_FB seq 7 permit 10.10.10.0/29
!
ip prefix-list BFC_OUT seq 6 permit 10.8.8.0/29
ip prefix-list BFC_OUT seq 7 permit 10.10.10.0/29
ip prefix-list BFC_IN seq 5 permit 0.0.0.0/0
!
route-map PEND_24_MW permit 10
 match ip address prefix-list 24_MW
 set as-path prepend 65517 65517 65517
!
route-map PEND_24_MW permit 11
!
route-map PEND_32_FB permit 12
 match ip address prefix-list 32_FB
 set as-path prepend 65517 65517 65517
!
route-map PEND_32_FB permit 13
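As an added example in Python (not from the thread and not Cisco code), the following models what alshamlan's prepend route-maps do on the wire and how the upstream AS 65588 reacts to it: each prefix is sent with three extra copies of 65517 on the link it should not prefer, and a simplified BGP best-path selection on the provider side picks the shorter AS_PATH. The empty `permit 11` and `permit 13` sequences are what let the other prefix through without prepending, which the model reflects by padding only the matched prefix on each neighbor. The provider's own policy is modeled as well, because LOCAL_PREF is compared before AS_PATH length in the decision process: if the upstream sets a LOCAL_PREF per session, the prepend has no effect, which is one common reason a prepend appears not to work. Link names, router IDs and the provider policy values are constructed.

```python
"""Model of inbound traffic engineering with BGP AS-path prepending.

Added example, not code from the thread. It reproduces what the prepend
route-maps do on the wire and runs a simplified best-path selection (weight,
local preference, AS_PATH length, origin, MED, router ID as the final
tie-breaker) on the upstream side.

Assumptions: the neighbor addresses are the thread's (192.168.1.1 for the MW
link, 192.168.2.1 for the fiber link); the link names, the router IDs used as
tie-breakers and the provider LOCAL_PREF values are constructed.
"""
from dataclasses import dataclass

LOCAL_AS = 65517
PREPEND_COUNT = 3  # "set as-path prepend 65517 65517 65517"

# Link name -> the eBGP neighbor address our router peers with on that link.
LINKS = {"MW (Link-1)": "192.168.1.1", "Fiber (Link-2)": "192.168.2.1"}
ROUTER_ID = {"MW (Link-1)": "192.168.1.2", "Fiber (Link-2)": "192.168.2.2"}  # constructed

# Prefix -> neighbor whose outbound route-map prepends it (from the thread:
# PEND_24_MW on 192.168.2.1 matches 10.8.8.0/29, PEND_32_FB on 192.168.1.1
# matches 10.10.10.0/29). The other prefix passes the empty permit sequence
# of each route-map untouched, so it gets no padding on that neighbor.
PREPEND_ON = {"10.8.8.0/29": "192.168.2.1", "10.10.10.0/29": "192.168.1.1"}


def advertised_as_path(prefix, neighbor):
    """AS_PATH our router sends for `prefix` to `neighbor` (own AS is always added once)."""
    pad = PREPEND_COUNT if PREPEND_ON.get(prefix) == neighbor else 0
    return [LOCAL_AS] * (1 + pad)


@dataclass
class Path:
    via: str           # link name, from the upstream's point of view
    as_path: list
    router_id: str     # constructed tie-breaker
    weight: int = 0
    local_pref: int = 100
    origin: int = 0    # 0 = IGP ("i" in show ip bgp), 1 = EGP, 2 = incomplete
    med: int = 0


def best_path(paths):
    """Simplified BGP decision process: higher weight, higher LOCAL_PREF, shorter
    AS_PATH, lower origin code, lower MED, then lowest router ID."""
    return min(paths, key=lambda p: (-p.weight, -p.local_pref, len(p.as_path),
                                     p.origin, p.med, p.router_id))


def upstream_choice(prefix, links_up=tuple(LINKS), provider_local_pref=None):
    """Link the upstream AS uses to reach `prefix`, given which links are up and an
    optional provider policy {link name: LOCAL_PREF} that ignores our prepend."""
    pref = provider_local_pref or {}
    paths = [Path(via=link, as_path=advertised_as_path(prefix, LINKS[link]),
                  router_id=ROUTER_ID[link], local_pref=pref.get(link, 100))
             for link in links_up]
    return best_path(paths).via


if __name__ == "__main__":
    for prefix in PREPEND_ON:
        print(prefix,
              "| normal:", upstream_choice(prefix),
              "| MW link down:", upstream_choice(prefix, links_up=("Fiber (Link-2)",)),
              "| provider LOCAL_PREF on fiber:",
              upstream_choice(prefix, provider_local_pref={"Fiber (Link-2)": 200}))
```

The third column of the printout is the caveat: once the provider applies a LOCAL_PREF of 200 to the fiber session, both prefixes land on the fiber link regardless of the prepend, and the fix has to be agreed with the provider (for example via a community they honor) rather than by adding more prepends.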
