Change in BGP routing

bhavishkoul2583
Level 1

Hello,

I am running eBGP with my upstream and iBGP within my network.

I want the static route to take precedence over the normal BGP routing. I want my traffic to move towards iBGP rather than eBGP.

Any help?

14 Replies

Amit Goyal
Level 1

Hi Bhavish,

1. If you have a static route, it will always be preferred over BGP unless you have manipulated the admin distance of the static route.

2. For the second query, you can play with local preference for the iBGP neighbor and get it preferred over eBGP.

Please rate if it helped.

HTH

-Amit
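As an added illustration of the two levers named above (editor's example, not configuration posted by either participant): IOS default administrative distances are static 1, eBGP 20 and iBGP 200, so an ordinary static beats both BGP sources. The AS number and peer address are taken from the running-config posted later in the thread; the AD value 201, the local-preference value 200, the route-map name PREFER-IBGP and the sample prefix are assumptions.

```ios
! Editor's example, not from the thread. Assumed: route-map name, AD and
! local-preference values, sample prefix. AS and peer address from the thread.
!
! Lever 1: administrative distance. Defaults are static 1, eBGP 20, iBGP 200,
! so a plain static always wins. Raising its AD above 200 turns it into a
! floating backup that is installed only when both BGP sources withdraw.
ip route 154.0.18.0 255.255.254.0 154.0.23.5 201
!
! Lever 2: local preference. The best-path algorithm compares LOCAL_PREF
! before it reaches the "prefer eBGP over iBGP" step, so a value above the
! default 100 on iBGP-learned paths makes them win over the same prefix
! learned from the eBGP upstream.
route-map PREFER-IBGP permit 10
 set local-preference 200
!
router bgp 37711
 neighbor 10.0.0.1 route-map PREFER-IBGP in
```

Both levers act on the whole table (every prefix learned from that neighbor, or that one static), which is why the thread moves on to policy-based routing once it turns out that only traffic from one subnet should be steered.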

Hello Amit

Thanks for the reply, that really helps.

My issue is that I am advertising 5 subnets to my peer through eBGP and the same to my other router through iBGP. I just want one of the subnets to go through iBGP while the others should go via eBGP.

Hi Bhavish,

If I understand correctly:

Out of your 5 subnets, you want traffic sourced from one of the subnets (let's say x) to route via iBGP and traffic sourced from the remaining 4 subnets (let's say a, b, c, d) to route via eBGP.

If the above understanding is correct, then it means you are looking for source-based routing and not destination-based routing. By default a router does destination-based routing.

In this case you can use PBR (policy-based routing). Make sure that you are advertising subnet x to the iBGP peer and subnets a, b, c and d to the eBGP peer. Otherwise it may create asymmetric routing.

Please rate if it helped.

HTH

-Amit

hello Amit

Thanks for the reply. Yes, you totally understood my requirement. Can you please give some config example which can help me in creating the route maps? I'm not very good with them.

Hi Bhavish,

You can try the example below.

*******PBR config*************

route-map PBR permit 10
 match ip address 101
 set ip next-hop <remote ip of interface connected to iBGP peer>
route-map PBR permit 20
 match ip address 102
 set ip next-hop <remote ip of interface connected to eBGP peer>
!
ip access-list extended 101
 permit ip <X> any
ip access-list extended 102
 permit ip <a> any
 permit ip <b> any
 permit ip <c> any
 permit ip <d> any

********BGP config*************

router bgp <AS number>
 neighbor <ibgp neighbor IP> route-map X out
 neighbor <ebgp neighbor IP> route-map abcd out
!
route-map X permit 10
 match ip address prefix-list X
route-map abcd permit 10
 match ip address prefix-list abcd
!
ip prefix-list X seq 10 permit <network x>
ip prefix-list abcd seq 10 permit <network a>
ip prefix-list abcd seq 20 permit <network b>
ip prefix-list abcd seq 30 permit <network c>
ip prefix-list abcd seq 40 permit <network d>

Please rate if it helps.

HTH

-Amit

Hello Amit.

Thanks for the reply and help. I tried the config, but my traffic is still going out from eBGP.

Please check the config and advise.

Mega_Bofi#
Mega_Bofi#sh run
Building configuration...

Current configuration : 5615 bytes
!
! Last configuration change at 07:52:37 UTC Mon Dec 19 2016 by admin
! NVRAM config last updated at 06:17:17 UTC Mon Dec 19 2016 by admin
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Mega_Bofi
!
boot-start-marker
boot system flash:c2900-universalk9-mz.SPA.154-3.M.bin
boot-end-marker
!
!
no logging buffered

!
no aaa new-model
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip domain name mega.bw
ip name-server 154.x.x.1
ip name-server 154.x.x.1

ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-4066184745
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4066184745
revocation-check none
rsakeypair TP-self-signed-4066184745
!
!
crypto pki certificate chain TP-self-signed-4066184745
certificate self-signed 01
30820249 308201B2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34303636 31383437 3435301E 170D3134 30383231 31373338
35355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30363631
38343734 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C12B D260E01F 4EBC495A E9E6DEA2 79E4514D 21DC4828 53CEFE43 7460CB88
862A0FDC AB58AB14 8D7DA489 466EBCF7 C15AB0C6 7CF4CFC2 98639979 3C0EE689
6B721DA1 DF4BBC48 0505188F 54207565 ECB8EB01 D3E1FF85 8E4B62EA 01A70247
A04D75F5 182BF4BC 3AF0C62E 853C3A25 9ACB590C E9965821 7A5D19CB B4A9A8F7
C06F0203 010001A3 71306F30 0F060355 1D130101 FF040530 030101FF 301C0603
551D1104 15301382 114D6567 615F426F 66692E6D 6567612E 6277301F 0603551D
23041830 16801493 5638F31B C55FC9F1 2E9197C5 60F7A33C EA476430 1D060355
1D0E0416 04149356 38F31BC5 5FC9F12E 9197C560 F7A33CEA 4764300D 06092A86
4886F70D 01010405 00038181 00AB0766 708E0981 CE2D5FEE 82A564AA 600B7B38
83DEF620 F64B88BD 3ED76B90 82F683B8 86E567EE FF45104E 3475965A 46E6C108
84DA16F7 CDE41685 71F2E56A 251DE26F EE2E20F3 560AA2FE D965CF98 A9DA3B21
ED8D4524 CC3813D7 AE8579FA D4D49F69 A1B68FF5 D01C37A6 C869A683 8F7677F5
5D1F678E 94CD0AD0 5EAE5A91 75
quit
license udi pid CISCO2921/K9 sn FCZ144520V5
license boot module c2900 technology-package securityk9
!
!
archive
log config
hidekeys
username admin privilege 15 password 0 cisco1
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 41.x.x.x 255.255.255.252    ebgp interface
load-interval 30
duplex auto
speed auto
!
interface GigabitEthernet0/1
description $ETH-WAN$
ip address 154.0.23.254 255.255.255.0  interface connected to internal side
duplex auto
speed auto
!
interface GigabitEthernet0/2
ip address 10.0.0.2 255.255.255.248    ibgp interface
duplex auto
speed auto
!
router bgp 37711
bgp log-neighbor-changes
bgp dampening
network 154.x.x.x mask 255.255.255.0  network a
network 154.x.x.x mask 255.255.255.0  network b
network 154.0.x.x mask 255.255.255.0  network c
network 154.0.x.x mask 255.255.255.0 network d
network 154.0.x.x mask 255.255.255.0 network x
neighbor 10.0.0.1 remote-as 37711
neighbor 10.0.0.1 next-hop-self
neighbor 10.0.0.1 route-map X out
neighbor 41.x.x.x remote-as 37678
neighbor 41.x.x.x route-map abcd out
!
ip forward-protocol nd
!
ip as-path access-list 80 permit ^$
ip as-path access-list 85 permit ^37678_[0-9]*$
ip http server
ip http secure-server
!
ip route 154.x.x.x 255.255.248.0 Null0 200
ip route 154.x.x.x 255.255.254.0 154.x.x.x
!
!
ip prefix-list X seq 5 permit 154.x.x.x/24       
!
ip prefix-list abcd seq 5 permit 154.x.x.x/24
ip prefix-list abcd seq 10 permit 154.x.x.x/24
ip prefix-list abcd seq 15 permit 154.x.x.x/24
ip prefix-list abcd seq 20 permit 154.x.x.x/24

!
route-map abcd permit 10
match ip address prefix-list abcd
!
route-map PBR permit 10
match ip address 101
set ip next-hop 10.0.0.1
!
route-map PBR permit 20
match ip address 102
set ip next-hop 41.x.x.x
!
route-map X permit 10
match ip address prefix-list X
!
!
access-list 101 permit ip any 154.x.x.x 0.0.0.255
access-list 102 permit ip any 154.x.x.x 0.0.0.255
access-list 102 permit ip any 154.x.x.x 0.0.0.255
access-list 102 permit ip any 154.x.x.x 0.0.0.255
access-list 102 permit ip any 154.x.x.x 0.0.0.255

!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
password cisco1
login local
transport input all
!
scheduler allocate 20000 1000
ntp update-calendar

!
end

Mega_Bofi#

Hi Bhavish,

Please provide the outputs below.

1. show ip bgp summary.

2. show ip bgp neighbor 10.0.0.1 advertised-routes

3. show ip bgp neighbor 41.x.x.x advertised-routes

4. show route-map PBR

HTH

-Amit

Mega_Bofi#sh ip bgp summary
BGP router identifier 154.x.x.x, local AS number 37711
BGP table version is 889592, main routing table version 889592
613510 network entries using 88345440 bytes of memory
1225401 path entries using 98032080 bytes of memory
192947/96829 BGP path/bestpath attribute entries using 30871520 bytes of memory
1 BGP rrinfo entries using 24 bytes of memory
170650 BGP AS-PATH entries using 7490702 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 224739766 total bytes of memory
Dampening enabled. 205 history paths, 185 dampened paths
BGP activity 619403/5893 prefixes, 1276180/50779 paths, scan interval 60 secs

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.0.0.1 4 37711 172599 160768 889592 0 0 1d00h 613072
41.x.x.x  4 37678 188069 17235 889506 0 0 1d00h 612117
Mega_Bofi#

2. If I do show advertised-routes, it gives me about 600000 routes.

Hello Bhavish,

*****from your reply****

2. If I do show advertised-routes, it gives me about 600000 routes.

***************************

This is again a design flaw, and your router may get filled with traffic for 600000 routes.

It signifies that the route-map you applied is not correct; it must advertise only the routes matched in prefix-lists X and abcd to the respective neighbors.

Regarding ACLs 101 and 102 called in the PBR route-map, they have the problem below.

You configured:

access-list 101 permit ip any 154.x.x.x 0.0.0.255
access-list 102 permit ip any 154.x.x.x 0.0.0.255
access-list 102 permit ip any 154.x.x.x 0.0.0.255
access-list 102 permit ip any 154.x.x.x 0.0.0.255
access-list 102 permit ip any 154.x.x.x 0.0.0.255

It should be configured as below.

access-list 101 permit ip 154.x.x.x 0.0.0.255 any
access-list 102 permit ip 154.x.x.x 0.0.0.255 any
access-list 102 permit ip 154.x.x.x 0.0.0.255 any
access-list 102 permit ip 154.x.x.x 0.0.0.255 any
access-list 102 permit ip 154.x.x.x 0.0.0.255 any

HTH

-Amit

Hi Amit

I tried, but it's stopping all the traffic.

Please check the config.

Mega_Bofi#sh ip bgp summary
BGP router identifier 154.0.23.254, local AS number 37711
BGP table version is 615248, main routing table version 615248
614620 network entries using 88505280 bytes of memory
1227627 path entries using 98210160 bytes of memory
193284/97054 BGP path/bestpath attribute entries using 30925440 bytes of memory
1 BGP rrinfo entries using 24 bytes of memory
170923 BGP AS-PATH entries using 7521580 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 225162484 total bytes of memory
Dampening enabled. 36 history paths, 0 dampened paths
BGP activity 1294170/679550 prefixes, 3122114/1894487 paths, scan interval 60 secs

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.0.0.1 4 37711 96715 5 615248 0 0 00:02:33 614166
41.191.216.97 4 37678 100727 5 615248 0 0 00:02:23 613418

Mega_Bofi#
Mega_Bofi#sh run
Building configuration...

Current configuration : 5585 bytes
!
! Last configuration change at 10:39:12 UTC Wed Dec 28 2016 by admin
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Mega_Bofi
!
boot-start-marker
boot system flash:c2900-universalk9-mz.SPA.154-3.M.bin
boot-end-marker
!
!
no logging buffered
enable secret 5 $1$B7c8$Cbgnz5Ixb2t8v3CeHVXGc1
enable password secret p9a8s7s6
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip domain name mega.bw
ip name-server 154.0.23.1
ip name-server 154.0.16.1
ip name-server 168.167.168.34
ip name-server 168.167.21.5
ip name-server 168.167.21.4
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-4066184745
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4066184745
revocation-check none
rsakeypair TP-self-signed-4066184745
!
!
crypto pki certificate chain TP-self-signed-4066184745
certificate self-signed 01
30820249 308201B2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34303636 31383437 3435301E 170D3134 30383231 31373338
35355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30363631
38343734 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C12B D260E01F 4EBC495A E9E6DEA2 79E4514D 21DC4828 53CEFE43 7460CB88
862A0FDC AB58AB14 8D7DA489 466EBCF7 C15AB0C6 7CF4CFC2 98639979 3C0EE689
6B721DA1 DF4BBC48 0505188F 54207565 ECB8EB01 D3E1FF85 8E4B62EA 01A70247
A04D75F5 182BF4BC 3AF0C62E 853C3A25 9ACB590C E9965821 7A5D19CB B4A9A8F7
C06F0203 010001A3 71306F30 0F060355 1D130101 FF040530 030101FF 301C0603
551D1104 15301382 114D6567 615F426F 66692E6D 6567612E 6277301F 0603551D
23041830 16801493 5638F31B C55FC9F1 2E9197C5 60F7A33C EA476430 1D060355
1D0E0416 04149356 38F31BC5 5FC9F12E 9197C560 F7A33CEA 4764300D 06092A86
4886F70D 01010405 00038181 00AB0766 708E0981 CE2D5FEE 82A564AA 600B7B38
83DEF620 F64B88BD 3ED76B90 82F683B8 86E567EE FF45104E 3475965A 46E6C108
84DA16F7 CDE41685 71F2E56A 251DE26F EE2E20F3 560AA2FE D965CF98 A9DA3B21
ED8D4524 CC3813D7 AE8579FA D4D49F69 A1B68FF5 D01C37A6 C869A683 8F7677F5
5D1F678E 94CD0AD0 5EAE5A91 75
quit
license udi pid CISCO2921/K9 sn FCZ144520V5
license boot module c2900 technology-package securityk9
!
!
archive
log config
hidekeys
username admin privilege 15 password 0 cisco1
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 41.191.216.98 255.255.255.252
load-interval 30
duplex auto
speed auto
!
interface GigabitEthernet0/1
description $ETH-WAN$
ip address 154.0.16.254 255.255.255.0 secondary
ip address 154.0.17.254 255.255.255.0 secondary
ip address 154.0.20.254 255.255.255.0 secondary
ip address 154.0.21.254 255.255.255.0 secondary
ip address 154.0.22.254 255.255.255.0 secondary
ip address 154.0.23.254 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/2
ip address 10.0.0.2 255.255.255.248
duplex auto
speed auto
!
router bgp 37711
bgp log-neighbor-changes
bgp dampening
network 154.0.16.0 mask 255.255.248.0
network 154.0.16.0 mask 255.255.255.0
network 154.0.17.0 mask 255.255.255.0
network 154.0.18.0 mask 255.255.255.0
network 154.0.19.0 mask 255.255.255.0
network 154.0.20.0 mask 255.255.255.0
network 154.0.21.0 mask 255.255.255.0
network 154.0.22.0 mask 255.255.255.0
network 154.0.23.0 mask 255.255.255.0
neighbor 10.0.0.1 remote-as 37711
neighbor 10.0.0.1 next-hop-self
neighbor 10.0.0.1 route-map X out
neighbor 41.191.216.97 remote-as 37678
neighbor 41.191.216.97 password m3g9peeR@bof
neighbor 41.191.216.97 route-map abcd out
!
ip forward-protocol nd
!
ip as-path access-list 80 permit ^$
ip as-path access-list 85 permit ^37678_[0-9]*$
ip http server
ip http secure-server
!
ip route 154.0.16.0 255.255.248.0 Null0 200
ip route 154.0.18.0 255.255.254.0 154.0.23.5
!
!
ip prefix-list X seq 5 permit 154.0.20.0/24
!
ip prefix-list abcd seq 5 permit 154.0.16.0/24
ip prefix-list abcd seq 10 permit 154.0.17.0/24
ip prefix-list abcd seq 15 permit 154.0.18.0/24
ip prefix-list abcd seq 20 permit 154.0.19.0/24
ip prefix-list abcd seq 25 permit 154.0.21.0/24
ip prefix-list abcd seq 30 permit 154.0.22.0/24
ip prefix-list abcd seq 35 permit 154.0.23.0/24
!
route-map abcd permit 10
match ip address prefix-list abcd
!
route-map PBR permit 10
match ip address 101
set ip next-hop 10.0.0.1
!
route-map PBR permit 20
match ip address 102
set ip next-hop 41.191.216.97
!
route-map X permit 10
match ip address prefix-list X
!
!
access-list 101 permit ip 154.0.20.0 0.0.0.255 any
access-list 102 permit ip 154.0.16.0 0.0.0.255 any
access-list 102 permit ip 154.0.17.0 0.0.0.255 any
access-list 102 permit ip 154.0.18.0 0.0.0.255 any
access-list 102 permit ip 154.0.19.0 0.0.0.255 any
access-list 102 permit ip 154.0.21.0 0.0.0.255 any
access-list 102 permit ip 154.0.22.0 0.0.0.255 any
access-list 102 permit ip 154.0.23.0 0.0.0.255 any
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
password cisco1
login local
transport input all
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 168.167.21.110 prefer source GigabitEthernet0/1
!
end

Mega_Bofi#

Mega_Bofi#show ip bgp neighbor 41.191.216.97 advertised-routes
BGP table version is 625990, local router ID is 154.0.23.254
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path
*> 154.0.16.0/24 0.0.0.0 0 32768 i
*> 154.0.17.0/24 0.0.0.0 0 32768 i
*> 154.0.21.0/24 0.0.0.0 0 32768 i
*> 154.0.22.0/24 0.0.0.0 0 32768 i
*> 154.0.23.0/24 0.0.0.0 0 32768 i

Total number of prefixes 5

Mega_Bofi#show ip bgp neighbor 10.0.0.1 advertised-routes
BGP table version is 626063, local router ID is 154.0.23.254
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path
*> 154.0.20.0/24 0.0.0.0 0 32768 i

Total number of prefixes 1
Mega_Bofi#

  

Hi Bhavish,

The BGP outputs look good to me. The PBR configuration is also fine.

Try doing a traceroute to a destination from a specific source and check which path it is taking.

I expect traffic will fail only from the subnets below, since they are not advertised to the BGP peers.

access-list 102 permit ip 154.0.18.0 0.0.0.255 any
access-list 102 permit ip 154.0.19.0 0.0.0.255 any

HTH

-Amit
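A verification sequence for this step, added by the editor and not taken from the thread (the thread itself shows only the `show ip bgp summary` and `advertised-routes` outputs). It uses the names and addresses from the posted running-config; 8.8.8.8 is an arbitrary test destination. The first command is the one that would have exposed the root cause found later in the thread, a route-map that is defined but not bound to any interface.

```ios
! Editor's example: commands to run, not output captured from the thread.
! Names and addresses are those of the posted config; 8.8.8.8 is arbitrary.
!
! 1. Is the policy bound to an interface at all? Empty output means the
!    route-map exists but is never consulted for forwarding.
show ip policy
!
! 2. Per-sequence counters. "policy routing matches: 0 packets" on seq 10
!    while LAN hosts are sending means either the ACL is matching the wrong
!    field (source vs destination) or the binding in step 1 is missing.
show route-map PBR
!
! 3. Confirm what each peer is actually being sent (as the thread did).
show ip bgp neighbors 10.0.0.1 advertised-routes
show ip bgp neighbors 41.191.216.97 advertised-routes
!
! 4. Path test. Run it from a HOST inside 154.0.20.0/24, or from the router
!    with an explicit source address. Packets the router originates are NOT
!    subject to interface PBR; they are only policy-routed if
!    "ip local policy route-map PBR" is configured, so a clean traceroute
!    from a host and a "wrong" one from the router are not a contradiction.
traceroute 8.8.8.8 source 154.0.20.254
!
! 5. Last resort. This logs every policy decision on a box carrying a full
!    table, so enable it briefly and switch it off again.
debug ip policy
undebug all
```

Step 1 is the cheapest check and should come first: a route-map that is never applied produces exactly the symptom reported here, correct BGP advertisements with traffic still following the plain routing table.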

HI Amit

Thanks. Yes, it seems fine. But traffic from the 154.0.20.0 subnet is still going through eBGP. Also, why is subnet 154.0.18.0 not shown in advertised routes, even though I have advertised it?

Hi Bhavish,

I hope the below is your LAN-side interface.

interface GigabitEthernet0/1
description $ETH-WAN$
ip address 154.0.16.254 255.255.255.0 secondary
ip address 154.0.17.254 255.255.255.0 secondary
ip address 154.0.20.254 255.255.255.0 secondary
ip address 154.0.21.254 255.255.255.0 secondary
ip address 154.0.22.254 255.255.255.0 secondary
ip address 154.0.23.254 255.255.255.0
 

1. I don't see command "ip policy route-map PBR" on this interface.

2. I also don't see that you have configured an IP from subnet 154.0.18.0 on this interface as secondary. To advertise a route to BGP you must have the route on the router first via an IGP.

I hope by configuring the above it will work the way you want.

Please rate if it helps.

HTH

-Amit
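The working version, assembled by the editor as an added example rather than taken from any post in the thread. It combines the route-map and prefix-list skeleton from Amit's earlier config post with the two fixes from this last reply: bind the policy to the LAN interface, and get 154.0.18.0/24 and 154.0.19.0/24 into the routing table with the exact mask the `network` statements use (a `network` statement only originates a prefix whose mask matches a RIB entry exactly, and the posted /23 static does not satisfy the two /24 statements; a secondary address as suggested above also works, this version uses two /24 statics instead). Assumed from the posted running-config: LAN on GigabitEthernet0/1, iBGP peer 10.0.0.1 on Gi0/2, eBGP peer 41.191.216.97 in AS 37678 on Gi0/0, and 154.0.18.0/23 reachable via 154.0.23.5. The ACL name SOURCE-VIA-IBGP, the IP SLA and track numbers, and the angle-bracket placeholders are the editor's. Two things go beyond the thread: the iBGP next hop is tracked so PBR releases traffic to normal routing if 10.0.0.1 stops answering, and the credential lines visible in the posted running-config (`username ... password 0`, `enable password`, the plaintext BGP session password, `no service password-encryption`, `transport input all`) are replaced with their `secret`/SSH forms. Since those values were posted publicly, they should be rotated, not merely re-encoded.

```ios
! Editor's example, not the thread's posted config. Assumed: addressing from
! the posted running-config, .18/.19 behind 154.0.23.5, ACL name, SLA/track
! numbers, and the <placeholder> values.
!
! --- Outbound advertisement control: x to iBGP only, a..d to eBGP only ---
ip prefix-list X seq 5 permit 154.0.20.0/24
ip prefix-list abcd seq 5 permit 154.0.16.0/24
ip prefix-list abcd seq 10 permit 154.0.17.0/24
ip prefix-list abcd seq 15 permit 154.0.18.0/24
ip prefix-list abcd seq 20 permit 154.0.19.0/24
ip prefix-list abcd seq 25 permit 154.0.21.0/24
ip prefix-list abcd seq 30 permit 154.0.22.0/24
ip prefix-list abcd seq 35 permit 154.0.23.0/24
!
route-map X permit 10
 match ip address prefix-list X
route-map abcd permit 10
 match ip address prefix-list abcd
!
! "network" originates a prefix only if the RIB holds it with the exact mask.
! 154.0.16/17/20-23 are connected (secondaries on Gi0/1). The posted /23
! static does not match the /24 statements for .18 and .19, so use two /24s.
ip route 154.0.16.0 255.255.248.0 Null0 200
ip route 154.0.18.0 255.255.255.0 154.0.23.5
ip route 154.0.19.0 255.255.255.0 154.0.23.5
!
router bgp 37711
 bgp log-neighbor-changes
 network 154.0.16.0 mask 255.255.255.0
 network 154.0.17.0 mask 255.255.255.0
 network 154.0.18.0 mask 255.255.255.0
 network 154.0.19.0 mask 255.255.255.0
 network 154.0.20.0 mask 255.255.255.0
 network 154.0.21.0 mask 255.255.255.0
 network 154.0.22.0 mask 255.255.255.0
 network 154.0.23.0 mask 255.255.255.0
 neighbor 10.0.0.1 remote-as 37711
 neighbor 10.0.0.1 next-hop-self
 neighbor 10.0.0.1 route-map X out
 neighbor 41.191.216.97 remote-as 37678
 neighbor 41.191.216.97 password <rotated-session-key>
 neighbor 41.191.216.97 route-map abcd out
!
! --- Source-based forwarding for x only ---
! PBR classifies on the packet's SOURCE: "permit ip <x> any", not
! "permit ip any <x>". Only the exception needs a sequence; a, b, c, d fall
! through to the routing table and take the eBGP path as they already do.
ip access-list extended SOURCE-VIA-IBGP
 permit ip 154.0.20.0 0.0.0.255 any
!
! Track the iBGP next hop (editor's extension; the thread used a plain
! "set ip next-hop 10.0.0.1", which keeps steering traffic to the address
! as long as the link is up, even if the peer stops responding).
ip sla 1
 icmp-echo 10.0.0.1 source-interface GigabitEthernet0/2
 frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
route-map PBR permit 10
 match ip address SOURCE-VIA-IBGP
 set ip next-hop verify-availability 10.0.0.1 10 track 1
!
! The step the thread was missing: bind the policy to the INGRESS (LAN)
! interface. Without this line the route-map is never consulted.
interface GigabitEthernet0/1
 ip policy route-map PBR
!
! Optional: also policy-route packets the router itself originates
! (e.g. a traceroute sourced from 154.0.20.254); interface PBR skips them.
ip local policy route-map PBR
!
! --- Credential hygiene for lines that appear in the posted config ---
service password-encryption
no enable password
enable secret <new-enable-secret>
username admin privilege 15 secret <new-admin-password>
line vty 0 4
 transport input ssh
```

The thread's sequence 20, which pinned a, b, c and d to the eBGP next hop, is deliberately omitted: it restated what the routing table already does and added a failure mode (traffic held on an unresponsive next hop) without changing forwarding. `ip policy route-map` affects only packets arriving on that interface, which is why `ip local policy` is listed separately for router-originated tests.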

hello

Yes, it worked perfectly fine.

Thanks a lot

Bhavish
