10-07-2023 05:41 AM - last edited on 10-09-2023 03:38 AM by Translator
Dear All,
Kindly help me to understand the configuration.
router bgp 65005
bgp log-neighbor-changes
bgp update-delay 5
network 10.239.55.113 mask 255.255.255.255
neighbor 10.102.86.185 remote-as 9730
neighbor 10.102.86.185 description *** EBGP BHARTI ***
neighbor 10.102.86.185 timers 10 30
neighbor 10.102.86.185 send-community
neighbor 10.102.86.185 soft-reconfiguration inbound
neighbor 10.102.86.185 route-map BHARTIIN in
neighbor 10.102.86.185 route-map BHARTIOUT out
neighbor 10.102.131.53 remote-as 55836
neighbor 10.102.131.53 description *** RJIO ***
neighbor 10.102.131.53 send-community
neighbor 10.102.131.53 soft-reconfiguration inbound
neighbor 10.102.131.53 route-map JIOIN in
neighbor 10.102.131.53 route-map JIOOUT out
neighbor 10.102.131.53 advertise-map Loopback non-exist-map Nonexist
!
route-map JIOOUT permit 10
match ip address 25
set community 55836:2 additive
!
route-map BHARTIIN permit 10
match ip address 20
set local-preference 300
!
route-map Loopback permit 10
match ip address 25
!
route-map Nonexist permit 10
match ip address 20
match as-path 20
!
route-map BHARTIOUT permit 10
match ip address 25
set community 9730:1 additive
!
route-map JIOIN permit 10
match ip address 20
!
ip access-list standard 20
10 permit 0.0.0.0
20 deny any
ip access-list standard 25
10 permit 10.239.55.113
20 deny any
My question is why we are advertising the loopback in BGP, as the ISP will remove our private IP and AS path, and why access-list 25 is required and applied in both BHARTIOUT and JIOOUT.
Q2) As per my understanding, local preference is only used for controlling outgoing traffic. Instead of path prepend and MED, why are they using local preference?
Kindly help me to understand this question.
Thanks in advance...
10-07-2023 06:22 AM - last edited on 10-09-2023 05:26 AM by Translator
Hello @prabha07042000,
Q1:
Advertising the loopback in BGP allows for a stable endpoint in case of changes in the physical interface. It ensures a consistent BGP neighbor regardless of the interface status changes.
The access-list 25 permits only the loopback IP 10.239.55.113 and denies all other traffic. This is likely used to match specific routes (like the loopback) for policy application.
The route-maps BHARTIOUT and JIOOUT reference access-list 25 to match the loopback 10.239.55.113. BHARTIOUT and JIOOUT apply a specific BGP community when matching the loopback. This could be for further BGP policy or traffic engineering.
Q2:
Local Preference is indeed used to influence the outgoing traffic from the local AS. By setting a higher local preference (e.g., 300; default is 100), the local router is indicating to its BGP neighbors that it prefers to exit via the path advertised with this higher local preference. This can be used to control egress traffic.
Using local preference instead of path prepend or MED might be a specific design choice. AS path prepending and MED are used to influence the incoming traffic to your AS.
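The policy described in the answer above, modelled as an added example (not code from the thread or from Cisco): it evaluates the posted route-maps and standard ACLs against sample prefixes to show what is advertised, what is accepted, and where local preference 300 lands. The function names and the sample prefixes other than 10.239.55.113/32 and 0.0.0.0/0 are assumptions; a standard ACL used in a route-map is modelled as comparing the network address only, not the prefix length.

```python
import ipaddress

# Standard ACLs from the posted config as (action, address, wildcard).
# "deny any" is address 0.0.0.0 with wildcard 255.255.255.255.
ACLS = {
    "20": [("permit", "0.0.0.0", "0.0.0.0"), ("deny", "0.0.0.0", "255.255.255.255")],
    "25": [("permit", "10.239.55.113", "0.0.0.0"), ("deny", "0.0.0.0", "255.255.255.255")],
}
# Route-map sequences from the posted config as (action, ACL, attributes set).
ROUTE_MAPS = {
    "BHARTIIN": [("permit", "20", {"local-preference": 300})],
    "JIOIN": [("permit", "20", {})],
    "BHARTIOUT": [("permit", "25", {"community": "9730:1 additive"})],
    "JIOOUT": [("permit", "25", {"community": "55836:2 additive"})],
}

def acl_permits(acl, prefix):
    """Match the prefix's network address against a standard ACL (length is ignored)."""
    net = int(ipaddress.ip_network(prefix).network_address)
    for action, addr, wildcard in ACLS[acl]:
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF  # bits that must match
        if net & care == int(ipaddress.ip_address(addr)) & care:
            return action == "permit"
    return False  # implicit deny at the end of every ACL

def apply_route_map(name, prefix):
    """Return the attributes set on a permitted route, or None if it is filtered."""
    for action, acl, sets in ROUTE_MAPS[name]:
        if acl_permits(acl, prefix):
            return dict(sets) if action == "permit" else None
    return None  # implicit deny at the end of every route-map

def report(name, prefixes):
    """Evaluate one route-map over several prefixes."""
    return {p: apply_route_map(name, p) for p in prefixes}

if __name__ == "__main__":
    # Constructed sample prefixes, not taken from the thread.
    outbound = ["10.239.55.113/32", "10.239.55.0/24"]
    inbound = ["0.0.0.0/0", "0.0.0.0/8", "8.8.8.0/24"]
    for rm in ("BHARTIOUT", "JIOOUT"):
        print(rm, report(rm, outbound))
    for rm in ("BHARTIIN", "JIOIN"):
        print(rm, report(rm, inbound))
```

Both ISPs hand over a default route, but only the Bharti copy is raised to local preference 300, so it wins for egress while the RJIO copy stays at the default. Because the ACL ignores prefix length, 0.0.0.0/8 would also pass the inbound filter; a prefix-list would pin the match to 0.0.0.0/0 exactly.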
10-07-2023 07:20 AM
Hi M02@rt37,
Thanks for the faster response.
Understood the route map & ACL.
But still having some doubts about the loopback...
Advertising the loopback in BGP allows for a stable endpoint in case of changes in the physical interface. It ensures a consistent BGP neighbor regardless of the interface status changes. (Please look into below configuration).
22I-RUT-H-30769#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.250.225.100  10.239.55.113   QM_IDLE           1001 ACTIVE
10.250.225.51   10.239.55.113   MM_NO_STATE          0 ACTIVE
If loopbacks are used for stability, then how are we establishing the VPN peer using the loopback, as it was removed by the ISP?
Note: crypto map is also assigned on the interfaces.
10-07-2023 07:33 AM - last edited on 10-09-2023 05:08 AM by Translator
You are correct, using loopback addresses for BGP peering provides stability by decoupling the BGP neighbor relationship from the status of any particular physical interface. However, when it comes to IPsec VPN peer establishment, it's common to use physical interfaces due to certain design considerations and practicalities.
In your VPN setup, the VPN peer is established using the physical interface's IP addresses, e.g., 10.250.225.100, 10.250.225.51. This is often done for simplicity and alignment with typical VPN configuration practices. VPN peers can still be established using physical IPs while utilizing loopback addresses for BGP peering.
If you want to use loopback addresses for VPN peer establishment, you would need to configure your IPsec VPN to use these loopback addresses as the source and destination. This can be more complex and might involve additional configuration, especially if it's a site-to-site VPN where the other end also needs to support loopback-based VPN endpoints.
10-08-2023 11:13 AM