Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
819
Views
0
Helpful
5
Replies

Using BGP Communities in Layer-3 VPN

dinesh.thathanath
Level 1
Level 1

‎01-25-2009 10:58 PM

Folks,

I am running a Full Mesh Layer-3 VPN for my Internet Services in my Service Provider backbone. The MPLS network is divided into two regions; each having an e-BGP peering with a TIER-1 ISP.

Our intention is to learn only default routes from the TIER-1 ISP and mark it with a community. To localize the traffic, this community can be matched at each PE level to manipulate the Local Preference.

The current issue is that, since it is a Full Mesh VPN, even though I map a different community at each IGW, the router is still advertising the other communities what the other IGW has set.

Please note that all Routers have different RD values. My P Routers are acting as my RRs.

I will attach a presentation on this as soon as possible.

Labels:
0 Helpful
5 Replies 5

Giuseppe Larosa
Hall of Fame
Hall of Fame

‎01-26-2009 07:24 AM

Hello Dinesh,

you may want to match using expanded community list that allows top perform more detailed matches

ip community-list ?

<1-99> Community list number (standard)

<100-500> Community list number (expanded)

expanded Add an expanded community-list entry

standard Add a standard community-list entry

there is one type of community ACL that should allow to match an exact match of a community value not only if one of the community values is the one you look for

Hope to help

Giuseppe

0 Helpful

Laurent Aubert
Cisco Employee
Cisco Employee

‎01-26-2009 06:28 PM

Hi,

Which router are you referring to when you said "the router is still advertising " ?

You should deploy two import-map which set different LP based on the BGP community:

import-map Prefer-IGW1 permit 10

match C1

set LP 200

import-map Prefer-IGW1 permit 15

match C2

set LP 100

...

import-map Prefer-IGW2 permit 10

match C2

set LP 200

import-map Prefer-IGW2 permit 15

match C1

set LP 100

...

Then just called the right import-map on the right PE. Each PE should learn/import both default-routes so you will have a backup route available.

Sorry if I misunderstood something...

HTH

Laurent.

0 Helpful

dinesh.thathanath
Level 1
Level 1
In response to Laurent Aubert

‎01-30-2009 02:32 AM

Hi All,

Thanks for all the replies. Let me re-phrase the issue. I am attaching a ppt for reference as well.

On my IGW-1, I am able to set the community value 111111

--------------------------------------------

IGW-1

address family ipv4 vrf internet

neighbor 65.65.65.65 route-map set in

route-map set permit in

set community 111111

---------------------------------------------

On my PE-1 I am able to match the community 111111 and set the local preference to 200.

---------------------------------------------

PE-1

route-map LP per 10

match community 1

set local-preference 200

route-map LP per 20

match community 2

set local-preference 150

route-map LP per 30

ip community list 1 permit 111111

ip community list 2 permit 222222

addfamily vpnv4 uni

neigh 4.4.4.4 route-map LP in

-------------------------------------------

Following configs on my PE-2 Router :

------------------------------------------

route-map LP per 10

match community 2

set local-preference 200

route-map LP per 20

match community 1

set local-preference 150

route-map LP per 30

ip community list 1 permit 111111

ip community list 2 permit 222222

addfamily vpnv4 uni

neigh 4.4.4.4 route-map LP in

-------------------------------------------

The issue starts on the IGW-2 Router. The router is not able to set and advertise a community 222222. I suspect it is because the router (IGW-2) already has the 0/0 route with the community 111111.

-------------------------------------------

IGW-2

address family ipv4 vrf internet

neighbor 66.66.66.66 route-map set in

route-map set permit in

set community 222222

--------------------------------------------

Preview file
204 KB
0 Helpful

Laurent Aubert
Cisco Employee
Cisco Employee

‎01-30-2009 04:59 AM

That's what I said in my previous reply ;-). You should configure Import-map in each VRF that requires Internet access instead of applying the route-map directly on your VPNv4 session.

Also you should use one community for the Western Region and another for the Eastern Region so that way PE in the Western side will use their IGP metric as a tie-breaker first to IGW1 or 2 for the western side and then for IGW1 or 2 for the Easter side.

The config should look like this:

Wester side:

IGW1:

address family ipv4 vrf internet

neighbor x.x.x.x route-map set in

route-map set permit in

set community 111111

IGw2

address family ipv4 vrf internet

neighbor x.x.x.x route-map set in

route-map set permit in

set community 111111

PE:

route-map IMPORT permit 10

match community 1

set local-pref 200

route-map IMPORT permit 20

!

ip community list 1 permit 111111

!

ip vrf CUSTOMER

route-target import x:y

import map IMPORT

!

Easter Side:

IGW1:

address family ipv4 vrf internet

neighbor x.x.x.x route-map set in

route-map set permit in

set community 222222

IGw2

address family ipv4 vrf internet

neighbor x.x.x.x route-map set in

route-map set permit in

set community 222222

PE:

route-map IMPORT permit 10

match community 2

set local-pref 200

route-map IMPORT permit 20

!

ip community list 2 permit 222222

!

ip vrf CUSTOMER

route-target import x:y

import map IMPORT

!

HTH

Laurent.

0 Helpful

dinesh.thathanath
Level 1
Level 1
In response to Laurent Aubert

‎01-30-2009 05:15 AM

Thanks All.

I will simulate this and revert.

0 Helpful
Customers Also Viewed These Support Documents