topic Re: iBGP - How to modify route based on source address in Routing and SD-WAN

iBGP - How to modify route based on source address

EufracioBarrios14042 — Tue, 08 Sep 2020 00:29:17 GMT

Hello everybody, I hope you are all doing well.

I'm writting today because I need some help in BGP routing, here is the context.

I have 2 CISCO 9300 series and I will connect to a provider vía L3 using a dedicated VRF with BGP inside, I have total control over my CISCO switches but not in the provider's EDGE.

My provider will advertise me the networks I'll create on their side so I can reach them.

I am connecting to my providers EDGE through VLAN 2733, my IP address is 65.65.65.1/29 and their IP address is 65.65.65.4.

I have two clients who has the same networks in their locations, 192.168.0.0/16, and that's a bit of a problem, so I need to do something like a PBR in my switches to route their traffic based on the source IP.

What I need to do is:

When the source address 10.18.0.16/28 needs to go to 192.168.0.0/16 has to go through VLAN 1865 and the next hop to reach it es 15.1.1.4, all the other traffic that doesn't go to that network has to go through VLAN 1866 and the next hop es 10.212.212.4

When the source address 172.31.24.0/23 needs to go to 192.168.0.0/16 has to go through VLAN 1810 and the next hop to reach it is 10.213.213.4, all the other traffic that doesn't go to that network has to go through VLAN 1850 and the next hop is 10.214.214.4.

Is this doable?

Thanks!

Re: iBGP - How to modify route based on source address

balaji.bandi — Tue, 08 Sep 2020 02:55:48 GMT

We understand the requirement, but we do not have information, you want to do this in your switches or router ? do you have any high-level network diagram for us to understand, since you have mentioned many VLAN in the config ?

each way PBR should work for you, but you asked for to implement with IBGP, where is IBGP running between what devices?

that is the reason we need a network diagram and configuration of the device to understand to advise better.

Re: iBGP - How to modify route based on source address

EufracioBarrios14042 — Tue, 08 Sep 2020 13:06:18 GMT

Hello Balaji, thanks for your answer!

I'm attaching my network diagrams and my core's running-config. Before you see it and read it I will need to give you more context:

First of all, the VLANs ID I said were not correct (for security reasons), sorry for that, but is the same thing with one VLAN ID or another. All the configs are going to be made in our L3 switches and the BGP will be made in my core switches in an intranetwork with my provider's EDGE.

Right now we have several VMs directly connected to switches, in a L2 way, one client is one VRF for us and one VLAN in a 6GB EtherChannel.

Now we are migrating to another solution and we will not be able to do that anymore, we can't connect via L2 to the new provider, we'll only have one big IP trunk in L3, my problem comes with overlapping subnets, not in our side, but in customer's sides.

What we need to do is that our L3 switches discriminate and routes those 2 clients (the one causing me problems) based on the source IP:

Client A needs to go to their internal network 192.168.0.0/16 needs to be routed via VLAN 1846

Client B needs to go to their internal network 192.168.0.0/16 needs to be routed via VLAN 1648

Optional, I don't know if it will cause my a problem, I have client's C, who servers network segment is 192.168.2.0/24, but I only give them internet access, they are not connected to branches or something via MPLS.

I already configured in a lab our topology, including a provider's EDGE with the BGP, I advertise all the networks and they reach my L3 switches, but I can't route it to their destinations based on the source IP.

My labs configuration is like this:

router bgp 42355
bgp router-id 65.65.65.1
bgp log-neighbor-changes
neighbor 65.65.65.4 remote-as 42355
!
address-family ipv4 unicast vrf IAAS20
neighbor 65.65.65.4 activate
auto-summary
no synchronization
network 192.168.0.0 mask 255.255.0.0
network 172.31.33.0 mask 255.255.255.0
network 10.212.212.0 mask 255.255.255.248
network 172.16.16.0 mask 255.255.255.0
network 172.31.24.0 mask 255.255.254.0
exit-address-family

I hope I could explain me well.

Thanks!

Re: iBGP - How to modify route based on source address

Giuseppe Larosa — Tue, 08 Sep 2020 13:40:12 GMT

Hello @EufracioBarrios14042 ,

as explained by BB routing based on source address goes beyond BGP capabilities and it requires to use PBR = Policy Based Routing.

PBR works for inbound packets (traffic going to your device) and in your case you should apply it on the interface with the Internet/MPLS provider. Or on the core device on interfaces with BGP devices.

There is a great point of attention here: in addition to total overlapping between Customer A and Customer B in 192.168.0.0/16 you have also Customer C that is using a subnet 192.168.2.0/24 taken from the same space.

is the subnet 192.1678.2.0/24 used also by Customer A and Customer B?.

For PBR to work Customer A and Customer B must use different IP prefixes in their offices or branch offices.

access-list ACL-CUSTOMER-A

permit ip 10.0.0.0 0.255.255.255 192.168.0.0. 0.0.255.255

access-list ACL-CUSTOMER-B

permit ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255

the route-map will become:

route-map PBR-CUST-A-B permit 10

match address ACL-CUSTOMER-A

set ip next-hop <IP-in-VLAN1846>

route-map PBR-CUST-A-B permit 20

match address ACL-CUSTOMER-B

set ip next-hop <IP-in-VLAN1848>

This has to be applied on the interface of the core switch to the border switches

int vlan xxx

ip policy route-map PBR-CUST-A-B

note that traffic not matching any block of the route-map will be routed normally by destination and not dropped.

As an alternate solution you could deploy GRE tunnels with each of the customers and use VRFs one ofr each customer.

Hope to help

Giuseppe

Re: iBGP - How to modify route based on source address

EufracioBarrios14042 — Tue, 08 Sep 2020 16:25:14 GMT

Hello @Giuseppe Larosa, thanks for your answer, it has been really helpfull.

I already did what you told me, but I'm having problemas assigning the PBR to the interface VLAN, I get an error that says this:

% Policy Based Routing is NOT supported for VRF interfaces
% IP-Policy can be used ONLY for marking (set/clear DF bit) on VRF interfaces

So, it means that I have to delete the VRF on the interface? Or there is another workaround?

Thanks!

Re: iBGP - How to modify route based on source address

Giuseppe Larosa — Tue, 08 Sep 2020 16:31:47 GMT

Hello @EufracioBarrios14042 ,

yes I'ma afraid you are facing a platform limitation ( or a license limitation being C9300 modern devices ...)

>> So, it means that I have to delete the VRF on the interface?

You should move the interface and the eBGP session under global routing table in order to be able to use PBR on it

Hope to help

Giuseppe

Re: iBGP - How to modify route based on source address

EufracioBarrios14042 — Tue, 08 Sep 2020 18:06:16 GMT

Hello @Giuseppe Larosa

I tried the configuration you told me in a lab environment and it doesn't work, here is the configuration:

interface FastEthernet1/0
switchport access vlan 172
duplex full
speed 100
!
interface FastEthernet1/1
duplex full
speed 100
!
interface FastEthernet1/2
duplex full
speed 100
!
interface FastEthernet1/3
duplex full
speed 100
!
interface FastEthernet1/4
duplex full
speed 100
!
interface FastEthernet1/5
duplex full
speed 100
!
interface FastEthernet1/6
duplex full
speed 100
!
interface FastEthernet1/7
duplex full
speed 100
!
interface FastEthernet1/8
duplex full
speed 100
!
interface FastEthernet1/9
duplex full
speed 100
!
interface FastEthernet1/10
duplex full
speed 100
!
interface FastEthernet1/11
duplex full
speed 100
!
interface FastEthernet1/12
duplex full
speed 100
!
interface FastEthernet1/13
switchport access vlan 21
duplex full
speed 100
!
interface FastEthernet1/14
switchport access vlan 20
duplex full
speed 100
!
interface FastEthernet1/15
switchport access vlan 15
duplex full
speed 100
!
interface Vlan1
no ip address
shutdown
!
interface Vlan15
ip address 65.65.65.1 255.255.255.248
!
interface Vlan20
description HACIA_RED_RECSA
ip address 10.212.212.1 255.255.255.248
ip policy route-map PBR-RECS
!
interface Vlan21
description HACIA_RED_FLORES
ip address 15.1.1.1 255.255.255.248
ip policy route-map PBR-FLORES
!
interface Vlan172
ip vrf forwarding VLANRECSA1
ip address 172.31.24.1 255.255.254.0
!
router bgp 32000
bgp router-id 65.65.65.1
bgp log-neighbor-changes
neighbor 65.65.65.4 remote-as 31000
!
address-family ipv4
neighbor 65.65.65.4 activate
auto-summary
no synchronization
network 10.212.212.0 mask 255.255.255.248
network 15.1.1.0 mask 255.255.255.248
network 192.168.0.0 mask 255.255.0.0
exit-address-family
!
address-family ipv4 multicast
neighbor 65.65.65.4 activate
no auto-summary
synchronization
network 192.168.0.0 mask 255.255.0.0
exit-address-family
!
address-family ipv4 vrf kitchen
no synchronization
exit-address-family
!
address-family ipv4 vrf gflink
no synchronization
exit-address-family
!
address-family ipv4 vrf auxilia
no synchronization
exit-address-family
!
address-family ipv4 vrf VLANRECSA2
no synchronization
exit-address-family
!
address-family ipv4 vrf VLANRECSA1
no synchronization
exit-address-family
!
address-family ipv4 vrf SENIORITY
no synchronization
exit-address-family
!
address-family ipv4 vrf PARAUCO
no synchronization
exit-address-family
!
address-family ipv4 vrf NHOGAR
no synchronization
exit-address-family
!
address-family ipv4 vrf MH_INVE
no synchronization
exit-address-family
!
address-family ipv4 vrf IAAS20
neighbor 65.65.65.4 remote-as 31000
neighbor 65.65.65.4 activate
no synchronization
network 15.1.1.0 mask 255.255.255.248
network 192.168.0.0 mask 255.255.0.0
exit-address-family
!
address-family ipv4 vrf FCHILE
no synchronization
exit-address-family
!
address-family ipv4 vrf DESIMAT
no synchronization
exit-address-family
!
address-family ipv4 vrf AVIASUR
no synchronization
exit-address-family
!
address-family ipv4 vrf ANDOVER
no synchronization
exit-address-family
!
address-family ipv4 vrf ANAC
no synchronization
exit-address-family
!
address-family ipv4 vrf ACKTIB
no synchronization
exit-address-family
!
ip forward-protocol nd
ip route 192.168.0.0 255.255.0.0 15.1.1.4
ip route 192.168.0.0 255.255.0.0 10.212.212.4
ip route vrf IAAS20 192.168.0.0 255.255.0.0 10.212.212.4
ip route vrf IAAS20 192.168.0.0 255.255.0.0 15.1.1.4
!
!
no ip http server
no ip http secure-server
!
access-list 100 permit ip 10.18.0.16 0.0.0.15 192.168.0.0 0.0.255.255
access-list 101 permit ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255
no cdp log mismatch duplex
!
!
!
route-map PBR-RECS permit 100
match ip address 101
set ip next-hop 10.212.212.4
!
route-map PBR-FLORES permit 101
match ip address 100
set ip next-hop 15.1.1.4

But when I connect a host to the network 10.18.0.16/28, with IP 10.18.0.18, every packet is sent to 10.212.212.4 instead of 15.1.1.4

Re: iBGP - How to modify route based on source address

Giuseppe Larosa — Wed, 09 Sep 2020 07:26:18 GMT

Hello @EufracioBarrios14042 ,

the PBR should be applied on the interface used for BGP peering

nterface Vlan15
ip address 65.65.65.1 255.255.255.248

! here you should have:

ip policy route-map PBR-RECS
!
interface Vlan20
description HACIA_RED_RECSA
ip address 10.212.212.1 255.255.255.248
no ip policy route-map PBR-RECS
!

This is because PBR works on received packets your ACLs are written in a way that the PBR should be applied to SVI Vlan15 not to Vlan 20.

Hope to help

Giuseppe

Re: iBGP - How to modify route based on source address

EufracioBarrios14042 — Wed, 09 Sep 2020 13:14:32 GMT

It worked!

Thanks @Giuseppe Larosa for help and time!

Regards.