Comment BGP Config

anitachoi3
Level 1

Dear Expert,

Two ISPs (a local ISP and a global ISP) will be peered with the BGP router to form a multi-homed setup. We would like to seek your comments on the configuration of the BGP router located in the Hong Kong data center. Please find the logical design diagram attached and the user requirements below for your reference:

We would like the local traffic (all Hong Kong traffic) to go to local ISP-A and the global traffic (other than Hong Kong traffic) to go to ISP-B. The configuration is as follows:

#CPE

router bgp 100

no synchronization

bgp log-neighbor-changes

redistribute connected

# to ISP-A

neighbor 192.168.10.1 remote-as 100

neighbor 192.168.10.1 route-map LOCAL in

#ISP-B

neighbor 192.168.20.1 remote-as 200

neighbor 192.168.20.1 route-map GLOBAL in

no auto-summary

ip bgp-community new-format

# define the routes including hkix ASN

ip community-list 1 permit _4635_

# set the routes, which learn from local ISP and including HKIX ASN, to the 75, more preference to ISP-A for local traffic inside HK

route-map LOCAL permit 10

match community 1

set local-preference 75

route-map LOCAL permit 20

# set the routes, which learn from global ISP and including HKIX ASN, to the 125, less preference to ISP-B for local traffic inside HK

route-map GLOBAL permit 10

match community 1

set local-preference 125

route-map GLOBAL permit 20

Does the above config achieve my goal? Thanks

rdgs

Giuseppe Larosa
Hall of Fame

Hello Anita,

There are some notes about the proposed configuration:

a)

If you want to filter on the BGP attribute AS path, you need to use a different filter type:

ip as-path access-list 1 permit _4635_

A community list filter attempts to match on the BGP community, which is a different BGP attribute.

b)

The assumption that local routes will have the HK IXP AS number in the AS path has to be verified: most Internet exchange points provide VLAN facilities to allow public peering between participants without the need to go via the BGP session with the IXP.

You need to verify this, eventually looking at the IXP web site and with the help of public looking glasses.

You can find looking glasses at

www.traceroute.org

c) The Cisco implementation gives preference to higher values of the local preference attribute, so if ISP-A is the local ISP and the as-path access-list identifies local IP prefixes, you need to use a value greater than 100 in route-map LOCAL and a value less than 75 in route-map GLOBAL.

So you need to exchange the values in the route-maps.

What you need more is to check whether local IP prefixes can actually be identified by the presence of the ASN of the IXP.

I'm afraid this is not true.

See the list of connected providers at HK IXP:

http://www.hkix.net/hkix/connected.htm

You may need to filter based on the AS number column of the above web page.

Hope to help

Giuseppe

Dear Giuseppe,

Thanks for your valuable comments and advice. Please find attached the revised version of the proposed configuration for your further comments.

I have one question regarding the as-path ACL: the setting _xxx$ is to be configured. However, I am not sure whether it is the best setup or not. I may be missing or overlooking something.

According to the HKIX web page, the HKIX would be a multi-lateral exchange point for ISPs, mainly for routing of intra-Hong Kong Internet traffic. That's why I assume the routes belonging to the members of HKIX are to be treated as local traffic. If this concept is not true, I may be wrong and the configuration may not achieve my boss's requirements. I would be grateful if you could provide your point of view on the idea I mention above.

Besides, I have only one class C IP address. Can I control the inbound (return) traffic so that local traffic comes via ISP-A and global traffic via ISP-B? Your help is much appreciated.

rdgs

Hello Anita,

The question is more complex: with this as-path access-list (2) you accept routes that are locally generated on HKIX directly connected providers, but not those of customers of these providers.

However, those customers are also likely local to the Hong Kong area, as they are carried to the HKIX.

Also, some of the providers connected to HKIX are big providers, so you should not accept all routes containing their AS number, or the risk is to consider as local routes that are not local.

ip as-path access-list 2 permit _703$

This is UUNET ASIA, now part of Verizon; it may give you more than local routes if you match on _703_, so in this case matching on _703$ can be a safe assumption.

On the other hand, some providers that are local to that area will provide local routes also using _ASN_ (because they are local).

So you will need to tune the AS path access-list, classifying local providers (_ASN_) from global providers (_ASN$).

Now, the logic of the route-maps is correct, with correct use of local preference values.

Also be aware that you will need to update this as-path access-list over time to reflect changes.

Hope to help

Giuseppe
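
Added example, not written by any poster in this thread: a small Python model of how the `_703_` and `_703$` entries discussed above classify AS paths, and which exit the resulting local preference selects. The sample AS paths are constructed, and the values 125 (ISP-A) and 75 (ISP-B) are an assumption taken from the original values exchanged as the first reply suggests.

```python
import re

# In IOS AS-path regexes "_" matches the start or end of the path, a space,
# a comma, a brace or a parenthesis. Python has no such token, so expand it.
IOS_UNDERSCORE = r"(?:^|$|[ ,{}()])"
DEFAULT_LOCAL_PREF = 100  # IOS default when no route-map sets a value

def permits(ios_pattern, as_path):
    """True if an 'ip as-path access-list ... permit <pattern>' entry matches."""
    return re.search(ios_pattern.replace("_", IOS_UNDERSCORE), as_path) is not None

def local_pref(as_path, acl, matched_pref):
    """Route-map: 'permit 10' sets matched_pref on an ACL match, 'permit 20' passes the rest."""
    if any(permits(p, as_path) for p in acl):
        return matched_pref
    return DEFAULT_LOCAL_PREF

def preferred_exit(as_path, acl, pref_a=125, pref_b=75):
    """Compare local preference for the same prefix learned from both ISPs.
    125/75 are the thread's original values exchanged (assumption)."""
    a = local_pref(as_path, acl, pref_a)   # route-map LOCAL on ISP-A
    b = local_pref(as_path, acl, pref_b)   # route-map GLOBAL on ISP-B
    if a == b:
        return "undecided"  # left to later BGP tie-breakers
    return "ISP-A" if a > b else "ISP-B"

# Constructed AS paths; 64496-64511 are documentation ASNs (RFC 5398).
SAMPLE_PATHS = [
    "703",                # originated by AS 703
    "64500 703",          # originated by AS 703, one hop further away
    "703 64501",          # AS 703 only transits a customer's route
    "64502 1703",         # different ASN that merely contains "703"
    "64503 7030 64504",
]

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(f"{path:18} _703$ -> {preferred_exit(path, ['_703$']):9} "
              f"_703_ -> {preferred_exit(path, ['_703_'])}")
```

Routes that match neither entry keep the default local preference on both sessions, so this policy alone does not steer them to ISP-B.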
