I think I'm just missing the right "ciscoese" jargon to find the docs for what I want to do.
I need to install a policy-based source-address route map, but instead of using a static access list as the source-address match, I need to match any packets coming from an ISP which source from networks that are advertised to me from a specific BGP AS.
Basically we need to split ingress traffic from the ISP onto two different interfaces so that traffic that the ISP advertises on one AS can be filtered by a layer 4 shaper, and traffic coming from a different AS goes to a different physical link. The AS is the only way we have to tell these two traffic classes apart, since all the packets come in untagged on the same link.
Have you tried AS-Prepending on the first interface? (Basically we need to split ingress traffic from the ISP onto two different interfaces so that traffic that the ISP advertises on one AS can be filtered by a layer 4 shaper.) Then the original AS Path from the other link will only use its own prepend info.
Ingress Traffic: makes use of AS-Prepending, whereas Egress traffic relies on MED to determine which AS is chosen. HTH
We have one and only one link from the ISP. Traffic from the ISP comes in two flavors. The ISP will be setting us up a BGP peer so that we know which global networks are which flavor, but the ISP will not be using that BGP process to route back to us, just a static route for our one network. (I am sure they use BGP internally but that doesn't matter to us.)
Getting traffic to split on the way out of our network is no problem, it is just normal routing. We send traffic from the distribution router to one AS down one link and traffic to the other AS down another link, based on weighting of routes. Then on the border router the traffic is all combined and sent to the ISP to do with as they please.
On the way back in, though, we need to flip the BGP tables on the border router to use them as a source-address access-list for PBR. Traffic from either AS will be going to the same destination, so this is not a case of trying to combine separate networks using the same equipment.
From what I read AS-prepending is used when you have multiple links from an ISP, or when you are trying to merge two old networks without changing the AS. This is not the case -- we only have one address space, and traffic will be going to and from our network and both ASs.
Never tried it, but QoS Policy Propagation through BGP might be helpful. You can set IP precedence or QoS group based on BGP attributes like AS path. Have a look at "Configuring QoS Policy Propagation via Border Gateway Protocol"
...and it just might work. But you never know what features are going to work in combination with what other features until you have it up and running.
I can't count the number of times I've wished a PBR feature would work for QoS or vice versa, or where I've wished one of the route-map commands that only applies to route redistribution was available for payload traffic.
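To make the QPPB suggestion concrete, here is an added IOS configuration sketch (not from the original thread or from Cisco's documentation) of how AS-path-based marking could feed a shaper. The ISP AS 64500, the two upstream ASes 64496 and 64497, the peer address 192.0.2.1, the interface names and the shape rate are all constructed placeholders.

```cisco
! QPPB relies on CEF; the BGP table is used to mark packets, not to route them.
ip cef
!
! Which prefixes came from which AS, judged on origin AS in the AS path.
ip as-path access-list 1 permit _64496$
ip as-path access-list 2 permit _64497$
!
! table-map: attach a local qos-group to each prefix as it enters the RIB.
route-map QPPB-MARK permit 10
 match as-path 1
 set ip qos-group 1
route-map QPPB-MARK permit 20
 match as-path 2
 set ip qos-group 2
! Catch-all so every other prefix is still installed, just unmarked.
route-map QPPB-MARK permit 30
!
router bgp 65001
 ! Constructed: the ISP peering that only tells us which networks are which flavor.
 neighbor 192.0.2.1 remote-as 64500
 table-map QPPB-MARK
!
interface GigabitEthernet0/0
 description Single ingress link from ISP (constructed name)
 ! Packets are classified on their SOURCE address against the marked prefixes.
 bgp-policy source ip-qos-map
!
! Only the AS 64496 flavor is handed to the shaper; AS 64497 passes untouched.
class-map match-any FROM-AS64496
 match qos-group 1
!
policy-map SHAPE-AS64496
 class FROM-AS64496
  shape average 20000000
!
interface GigabitEthernet0/1
 description Inside link toward the layer 4 shaper (constructed name)
 service-policy output SHAPE-AS64496
```

Steering the two classes onto different physical inside links still needs a PBR match the platform supports for the qos-group or precedence marking, which is exactly the feature interaction the poster above warns has to be checked on the real box.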
Thanks, I'll have to see how far I can get with that.
I think I know what you mean. I was looking for this as well, and I know people/organizations who are also looking for this. I wish IOS had this feature so that, instead of using a static ACL in a PBR, you can use the AS of a specific ISP, so that whenever that ISP changes the prefixes in their AS it is transparent to you. I started calling it ASCL (Autonomous System Control List) instead of ACL (Access Control List) :)
No, I didn't find it, and I don't think IOS supports it for now. The majority are still struggling with the traditional Community, which is not appropriate in some scenarios.