BGP block one branch with AS path filters

wilson_1234_2
Level 3

I have a main site connected to branches through provider MPLS.

Our DR site is connected to main site via Metro E and OSPF

Our remote branches are set up to go to main site, and if unavailable be routed to less desirable routes to DR site.

The DR site has prepended AS path to accomplish this.

Everything is:

Branch--MPLS--HQ,

if that path is unavailable

Branch--MPLS--DR

I need to do some testing of a single branch, (failover path) while all other sites are not affected, and was thinking I could use an AS path filter to do this.

If main site has an inbound filter of the test branch AS, and Branch has a filter of the Main site AS, both sites would route the alternate path.

Main site goes through DR to get to test branch,

Test branch goes through DR to get to Main site.

Everything else is unaffected

I was thinking something like this, would there be any hidden gotchas to look out for?

MPLS AS = 65000

Main site = 65001

DR = 65002

Branch = 65003

Main(config-router)#neighbor 192.168.1.1 remote-as 65000
Main(config-router)#neighbor 192.168.1.1 filter-list 25 in
Main(config)#ip as-path access-list 25 deny _65003_
Main(config)#ip as-path access-list 25 permit .*

Branch(config-router)#neighbor 192.168.1.3 remote-as 65000
Branch(config-router)#neighbor 192.168.1.3 filter-list 25 in
Branch(config)#ip as-path access-list 25 deny _65001_
Branch(config)#ip as-path access-list 25 permit .*
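
The two filter lists above, evaluated against constructed AS paths (an added example, not part of the original post). The IOS `_` token is translated to a Python regex; the sample paths, the second branch AS 65004, the prepend count and the assumption that the DR site originates the main-site routes are constructed for illustration.

```python
import re

# Cisco IOS AS-path regex: "_" matches start or end of the path, a space,
# a comma, a brace or a parenthesis. Translate it to a Python group.
DELIM = r"(?:^|$|[ ,{}()])"

def parse_acl(config_lines):
    """Turn 'ip as-path access-list N permit|deny REGEX' lines into ordered rules."""
    rules = []
    for line in config_lines:
        m = re.fullmatch(r"ip as-path access-list \d+ (permit|deny) (\S+)", line.strip())
        if m is None:
            raise ValueError(f"not an as-path access-list line: {line!r}")
        rules.append((m.group(1), re.compile(m.group(2).replace("_", DELIM))))
    return rules

def evaluate(rules, as_path):
    """First matching rule wins; a path matching no rule is denied."""
    for action, regex in rules:
        if regex.search(as_path):
            return action
    return "deny"

def surviving(rules, advertised_paths):
    """Paths that remain after the inbound filter-list is applied."""
    return [p for p in advertised_paths if evaluate(rules, p) == "permit"]

# The two filters from the post.
MAIN_ACL = parse_acl(["ip as-path access-list 25 deny _65003_",
                      "ip as-path access-list 25 permit .*"])
BRANCH_ACL = parse_acl(["ip as-path access-list 25 deny _65001_",
                        "ip as-path access-list 25 permit .*"])

# Constructed AS paths as received from the provider (AS 65000).
VIA_MAIN = "65000 65001"
VIA_DR = "65000 65002 65002 65002"   # assumed: DR originates the route, prepended

if __name__ == "__main__":
    # 65004 is a constructed second branch; 165003 shows "_" anchoring the match.
    for path in ("65000 65003", "65000 65004", "65000 165003"):
        print("Main  ", path, "->", evaluate(MAIN_ACL, path))
    print("Branch, both paths advertised:", surviving(BRANCH_ACL, [VIA_MAIN, VIA_DR]))
    print("Branch, only one advertised:  ", surviving(BRANCH_ACL, [VIA_MAIN]))
```

An inbound filter-list only removes paths the neighbor actually advertises, so what the branch is left with depends on whether the provider sends the DR path at all.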

4 Replies

lgijssel
Level 9

For such a basic scenario it is perhaps easier to use the weight to manipulate the routes?

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094431.shtml

regards,

Leo

What I think wilson is trying to accomplish is to set a policy to "force" traffic over the backup without failover, since he will be testing something and would not want to disrupt the production network. In that case the as-path filter should work.

Another solution you could use is BGP communities to filter the routes. hth

Correct, weight will not work because I have a single connection to my MPLS provider.

I have to make sure both ends do not see the routes at all.

On the Main site side, I could just do an inbound filter for the branch subnet and it will not get distributed into OSPF and the other path will be used.

I am wondering what path the traffic will take once it gets to the provider route tables on the branch side with the AS path filter.

Even though my router only thinks there is a single path, and the filter is inbound to my router, does the provider still have the most desirable route between the branch and Main site?

That is a good point. The service provider will definitely have a preference over one link if it is designed as a backup link. I think the best way to influence the routes is to use a filter and apply it to a route map and add a set as-path to prepend the AS path for it to appear longer (less preferred). Apply this route map outbound on your Main site. In this way ingress and egress traffic will traverse the link you prefer...hth

What we need to know is what we need to filter from the Head Office point of view. I assume since this is for testing that the source network at the head office will be isolated from the rest of the network. Is this correct?

We can try filtering via the IP addresses. The prepend must come from the primary (outbound) Head Office link since we need to influence traffic flow and that is the point where the service provider PE will do the selection of the best path.

** No need to reconfigure the branch since AS path is a mandatory attribute so this will be carried out through BGP.
