BGP & loopback

prabha07042000
Level 1

Dear All , 

Kindly help me to understand the configuration.

router bgp 65005
bgp log-neighbor-changes
bgp update-delay 5
network 10.239.55.113 mask 255.255.255.255
neighbor 10.102.86.185 remote-as 9730
neighbor 10.102.86.185 description *** EBGP BHARTI ***
neighbor 10.102.86.185 timers 10 30
neighbor 10.102.86.185 send-community
neighbor 10.102.86.185 soft-reconfiguration inbound
neighbor 10.102.86.185 route-map BHARTIIN in
neighbor 10.102.86.185 route-map BHARTIOUT out
neighbor 10.102.131.53 remote-as 55836
neighbor 10.102.131.53 description *** RJIO ***
neighbor 10.102.131.53 send-community
neighbor 10.102.131.53 soft-reconfiguration inbound
neighbor 10.102.131.53 route-map JIOIN in
neighbor 10.102.131.53 route-map JIOOUT out
neighbor 10.102.131.53 advertise-map Loopback non-exist-map Nonexist
!

route-map JIOOUT permit 10
match ip address 25
set community 55836:2 additive
!
route-map BHARTIIN permit 10
match ip address 20
set local-preference 300
!
route-map Loopback permit 10
match ip address 25
!
route-map Nonexist permit 10
match ip address 20
match as-path 20
!
route-map BHARTIOUT permit 10
match ip address 25
set community 9730:1 additive
!
route-map JIOIN permit 10
match ip address 20
!

ip access-list standard 20
10 permit 0.0.0.0
20 deny any
ip access-list standard 25
10 permit 10.239.55.113
20 deny any

My question is: why are we advertising the loopback in BGP, as the ISP will remove our private IP and AS path, and why is access-list 25 required and applied in both BHARTIOUT and JIOOUT?

Q2) As per my understanding, local preference is only used for controlling outgoing traffic; instead of path prepend and MED, why are they using local preference?

Kindly help me to understand this question.

Thanks in advance...


4 Replies

M02@rt37
VIP

Hello @prabha07042000,

Q1:

Advertising the loopback in BGP allows for a stable endpoint in case of changes in the physical interface. It ensures a consistent BGP neighbor regardless of the interface status changes.

The access-list 25 permits only the loopback IP 10.239.55.113 and denies all other traffic. This is likely used to match specific routes (like the loopback) for policy application.

The route-maps BHARTIOUT and JIOOUT reference access-list 25 to match the loopback 10.239.55.113. BHARTIOUT and JIOOUT apply a specific BGP community when matching the loopback. This could be for further BGP policy or traffic engineering.

Q2:

Local Preference is indeed used to influence the outgoing traffic from the local AS. By setting a higher local preference (e.g., 300; the default is 100), the local router is indicating to its BGP neighbors that it prefers to exit via the path advertised with this higher local preference. This can be used to control egress traffic.

Using local preference instead of path prepend or MED might be a specific design choice. AS path prepending and MED are used to influence the incoming traffic to your AS.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
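To make the two answers above concrete, here is a small model of what the posted route-maps and ACLs do to BGP routes and how local-preference then selects the egress ISP. This is added example code, not the poster's router or anything from the thread. It uses the prefixes, ACL numbers and neighbour addresses from the question; the sample received routes, the LAN prefix 192.168.10.0/24 and the meaning of as-path access-list 20 (which is not shown in the post) are constructed assumptions. The best-path logic is a subset of the IOS order (local-pref, AS-path length, MED, neighbour address), which is enough to show why the prepended Bharti default still wins once BHARTIIN sets local-preference 300.

```python
"""Added example (not from the thread): model of the posted route-maps/ACLs and
of local-preference based egress selection. Sample routes, the LAN prefix
192.168.10.0/24 and the content of as-path access-list 20 are constructed."""
from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class Route:
    prefix: str                      # e.g. "0.0.0.0/0"
    neighbor: str                    # peer the route was learned from / sent to
    as_path: tuple = ()              # leftmost AS is the neighbouring AS
    local_pref: int = 100            # IOS default
    med: int = 0
    communities: frozenset = frozenset()


# Standard ACLs from the post: 20 matches the default route, 25 the loopback host.
ACLS = {20: {"0.0.0.0"}, 25: {"10.239.55.113"}}


def acl_permits(acl: int, route: Route) -> bool:
    return route.prefix.split("/")[0] in ACLS[acl]


# Route-map entries as (acl, actions); falling off the end is the implicit deny.
ROUTE_MAPS = {
    "BHARTIIN":  [(20, {"local_pref": 300})],
    "JIOIN":     [(20, {})],
    "BHARTIOUT": [(25, {"community": "9730:1"})],
    "JIOOUT":    [(25, {"community": "55836:2"})],
}


def apply_route_map(name: str, route: Route):
    """Return the (possibly modified) route, or None if the route-map drops it."""
    for acl, actions in ROUTE_MAPS[name]:
        if acl_permits(acl, route):
            if "local_pref" in actions:
                route = replace(route, local_pref=actions["local_pref"])
            if "community" in actions:  # 'additive': existing communities are kept
                route = replace(route, communities=route.communities | {actions["community"]})
            return route
    return None


def better(a: Route, b: Route) -> bool:
    """Subset of the IOS best-path order: local-pref, AS-path length, MED, neighbour."""
    if a.local_pref != b.local_pref:
        return a.local_pref > b.local_pref
    if len(a.as_path) != len(b.as_path):
        return len(a.as_path) < len(b.as_path)
    # MED is only compared between paths from the same neighbouring AS
    if a.as_path and b.as_path and a.as_path[0] == b.as_path[0] and a.med != b.med:
        return a.med < b.med
    return a.neighbor < b.neighbor   # final tie-break: lowest neighbour address


def best_path(routes):
    best = routes[0]
    for r in routes[1:]:
        if better(r, best):
            best = r
    return best


def inbound_table():
    """Constructed input: both ISPs send a default route; Bharti's is AS-path
    prepended (which alone would make it lose) but BHARTIIN gives it local-pref 300."""
    received = [
        ("BHARTIIN", Route("0.0.0.0/0", "10.102.86.185", as_path=(9730, 9730, 9730))),
        ("JIOIN",    Route("0.0.0.0/0", "10.102.131.53", as_path=(55836,))),
    ]
    return [r for r in (apply_route_map(m, rt) for m, rt in received) if r is not None]


def egress_neighbor() -> str:
    """Which peer our outgoing default-route traffic leaves through."""
    return best_path(inbound_table()).neighbor


def outbound(route_map: str, route: Route):
    """Outbound policy: only what ACL 25 permits (the loopback) is advertised."""
    return apply_route_map(route_map, route)


def loopback_to_jio_allowed(table) -> bool:
    """Conditional advertisement (advertise-map Loopback non-exist-map Nonexist).
    Assumption (as-path list 20 is not in the post): Nonexist matches a default
    route learned from Bharti (AS 9730), so the loopback is sent to RJIO only
    while that default route is absent from the table."""
    return not any(acl_permits(20, r) and r.as_path[:1] == (9730,) for r in table)


if __name__ == "__main__":
    print("egress via", egress_neighbor())
    lo = Route("10.239.55.113/32", "10.102.86.185")
    print("loopback to Bharti:", outbound("BHARTIOUT", lo))
    print("LAN prefix to Bharti:", outbound("BHARTIOUT", Route("192.168.10.0/24", "10.102.86.185")))
    print("loopback advertised to RJIO:", loopback_to_jio_allowed(inbound_table()))
```

Running it shows the three points from the thread: the Bharti default wins the egress decision on local-preference before AS-path length is even considered; BHARTIOUT passes the loopback with community 9730:1 added and silently drops anything ACL 25 does not list, which is why the same ACL sits in both outbound route-maps; and the conditional advertisement (under the stated assumption about as-path list 20) withholds the loopback from RJIO while the Bharti default is present.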

Hi M02@rt37 

Thanks for the fast response.

Understood the route map & ACL.

But I still have some doubts about the loopback...

Advertising the loopback in BGP allows for a stable endpoint in case of changes in the physical interface. It ensures a consistent BGP neighbor regardless of the interface status changes. (Please look into below configuration).

22I-RUT-H-30769#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.250.225.100  10.239.55.113   QM_IDLE           1001 ACTIVE
10.250.225.51   10.239.55.113   MM_NO_STATE          0 ACTIVE

If loopbacks are used for stability, then how are we establishing the VPN peer using the loopback, as it was removed by the ISP?

Note: the crypto map is also assigned on the interfaces.

@prabha07042000,

You are correct, using loopback addresses for BGP peering provides stability by decoupling the BGP neighbor relationship from the status of any particular physical interface. However, when it comes to IPsec VPN peer establishment, it's common to use physical interfaces due to certain design considerations and practicalities.

In your VPN setup, the VPN peer is established using the physical interface's IP addresses, e.g., 10.250.225.100, 10.250.225.51. This is often done for simplicity and alignment with typical VPN configuration practices. VPN peers can still be established using physical IPs while utilizing loopback addresses for BGP peering.

If you want to use loopback addresses for VPN peer establishment, you would need to configure your IPsec VPN to use these loopback addresses as the source and destination. This can be more complex and might involve additional configuration, especially if it's a site-to-site VPN where the other end also needs to support loopback-based VPN endpoints.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Dear M02@rt37 

Thanks for your quick response & your help.
