Filtering Routes

Anukalp S (Level 1)

Hello..

I have a CE router which has two internet links provided by a single ISP. We are running BGP, making one link primary and the other backup using the BGP weight attribute. Now I want a public IP address (A.A.A.A) of another location to be received through the backup circuit, since the primary circuit's bandwidth remains almost choked. I am doing this using a route-map & prefix list, but traffic from source (A.A.A.A) is still received through the primary link. Please tell me where I am going wrong.

neighbor x.x.x.x remote-as 4755
neighbor x.x.x.x update-source FE0/0
neighbor x.x.x.x weight 200
neighbor x.x.x.x prefix-list test in
neighbor y.y.y.y remote-as 4755
neighbor y.y.y.y update-source FE0/1
neighbor y.y.y.y weight 100
ip prefix-list test seq 5 deny B.B.B.B/32
ip prefix-list test seq 10 permit 0.0.0.0/0


Harold Ritter (Spotlight)

Hi Anukalp,

Denying a prefix using an inbound prefix-list will affect the outbound traffic. From what I understand, you want to influence the inbound traffic coming from A.A.A.A, hence it is not working as you expected. Can you confirm that this is really what you are trying to achieve? If so, you could influence traffic inbound to a specific destination address in your network, but you can't influence a flow coming from a specific source address to take one link rather than the other.

Regards,
Harold Ritter, CCIE #4168 (EI, SP)

Hi Harold..

Yes, I have a source at one of my locations and want this source's flow to come over the backup circuit rather than the primary to my firewall IP. Is it not possible?

Hi Anukalp,

I am still a bit confused. So you have an IP address a.a.a.a and you want ingress traffic coming into your network to this specific address to use the backup link? Please confirm.

Regards,
Harold Ritter, CCIE #4168 (EI, SP)

Harold Ritter (Spotlight)

By the way, the prefix-list you configured specifies B.B.B.B/32, and it will not serve any purpose if you do not receive this route from your ISP. Is this route really being received from your ISP? You also mention CE. Is this in an MPLS VPN service or Internet service context?

Regards,
Harold Ritter, CCIE #4168 (EI, SP)

Hi Harold..

It is an internet router which I am calling CE. I have an ASA behind this router. The ASA outside interface IP is configured with a public IP from the public pool provided by the ISP. Actually I am looking to establish an IPSec tunnel over this backup link, since the primary link is usually highly utilized.

I have an ASA in my other location whose IP is, let's suppose, (A.A.A.A).

And this end's ASA IP, let's take (B.B.B.B).

So I want the IPSec tunnel to be established over the backup link between the A.A.A.A & B.B.B.B IPs.

Please help if it is possible.

Routes...

InternetRTR#sh ip bgp
BGP table version is 5, local router ID is 115.114.127.194
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 0.0.0.0          x.x.x.x                      200 4755 ?
*                   y.y.y.y                      100 4755 ?
*> 121.118.96.0/26  0.0.0.0                  0         32768 i

Hi Anukalp,

Thanks for the clarifications. For the outbound traffic, you can use a static route to A.A.A.A/32 (combined with IP SLA) or PBR to forward traffic through the secondary link. For inbound traffic towards B.B.B.B/32, you could announce a /32 to your SP via the secondary link. This obviously assumes that B.B.B.B/32 is only used as an end point for the IPsec tunnel.

Regards,
Harold Ritter, CCIE #4168 (EI, SP)

Hi Harold..

I think after announcing B.B.B.B/32 through the backup link, B.B.B.B will be reachable from all sources over the backup link. But I want it to be reachable over the backup circuit only from source A.A.A.A.

However, could you give a config example of how I could announce B.B.B.B through the backup link? It would be highly appreciated.

Hi Anukalp,

> I think after announcing B.B.B.B/32 through backup link, B.B.B.B will be reachable from all source over backup link.
> But i want only from source A.A.A.A it should be reachable over backup circuit.

I am afraid that this would be hard to achieve. On the other hand, if you can use a separate address for the IPsec tunnel end point and the rest of the traffic, it would be much easier. Do you have any free addresses out of the pool that the ISP assigned to you?

> However could you give a config example how could i announce B.B.B.B thorugh backup link..it will be highly appreciated.

You would need to originate B.B.B.B/32 locally (via a network statement) and filter it out on the primary link.

neighbor x.x.x.x remote-as 4755
neighbor x.x.x.x weight 200
neighbor x.x.x.x prefix-list test out
network B.B.B.B mask 255.255.255.255
!
ip prefix-list test seq 5 deny B.B.B.B/32
ip prefix-list test seq 10 permit 0.0.0.0/0 le 32
!
! (next hop or exit interface for the host route was not given in the post)
ip route B.B.B.B 255.255.255.255

Regards,
Harold Ritter, CCIE #4168 (EI, SP)

Hi Harold..

Thanks for your suggestion..

Yes, I can have a free IP from the public IP pool, and as you suggested we could achieve my requirement through it. Please see the config of the internet router below and share a config example.

----------------------------------------------------------------

interface GigabitEthernet0/0
 description ##Primary link##
 ip address x.x.x.x 255.255.255.252
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description ##Backup link##
 ip address y.y.y.y 255.255.255.252
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 description ### Public LAN Pool###
 ip address 121.118.96.2 255.255.255.192
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
!
router bgp 64512
 no synchronization
 bgp log-neighbor-changes
 network 121.118.96.0 mask 255.255.255.192
 neighbor x.x.x.x remote-as 4755
 neighbor x.x.x.x update-source GigabitEthernet0/0
 neighbor x.x.x.x weight 200
 neighbor x.x.x.x prefix-list Out out
 neighbor y.y.y.y remote-as 4755
 neighbor y.y.y.y update-source GigabitEthernet0/1
 neighbor y.y.y.y weight 100
 neighbor y.y.y.y prefix-list Out out
!
ip prefix-list Out seq 5 permit 121.118.96.0/26
ip prefix-list Out seq 10 deny 0.0.0.0/0

----------------------------------------------------------------------------------

Let's take a free IP from the pool: 121.118.96.10

ASA IP: 121.118.96.1

Please share a config example on how IP 121.118.96.10 could be reachable via the backup link while the rest of the traffic is not influenced.

Thanks in Advance.


Hi Anukalp,

You are almost there. You need to change the prefix-list as follows:

ip prefix-list Out seq 5 permit 121.118.96.0/26
ip prefix-list Out seq 10 deny 0.0.0.0/0 le 32 <+++++ Deny any

and you also need to originate the host route.

ip route 121.118.96.10 255.255.255.255 121.118.96.1
router bgp 64512
 network 121.118.96.10 mask 255.255.255.255

You should also discuss with your ISP to make sure that they will not filter out the host route. It should not be a problem, but you might want to check with them.

Regards,
Harold Ritter, CCIE #4168 (EI, SP)
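The two halves of the advice in this thread (a tracked static route for the outbound direction, a host route announced on the backup link only for the inbound direction) put together in one configuration. This is an added editor's example, not config from the thread, from Cisco or from the ISP; it keeps the thread's addressing (neighbors x.x.x.x on Gi0/0 and y.y.y.y on Gi0/1, LAN pool 121.118.96.0/26, tunnel endpoint 121.118.96.10 reached via the ASA at 121.118.96.1, remote endpoint A.A.A.A, local AS 64512, ISP AS 4755) and assumes the prefix-list names OUT-PRIMARY and OUT-BACKUP, SLA/track number 10, and an ISP that accepts a /32 from its customer. One outbound prefix-list shared by both neighbors that permits only the /26 would also drop the /32 on the backup link, so each neighbor gets its own list.

```cisco
! Added example (editor's), not from the original thread. Assumptions:
! list names OUT-PRIMARY / OUT-BACKUP, IP SLA and track object 10,
! ISP accepts the customer /32 on the backup session.
!
! --- Inbound: advertise the /26 on both links, the /32 on the backup link only ---
! Host route must exist in the RIB for the BGP network statement to originate it.
ip route 121.118.96.10 255.255.255.255 121.118.96.1
!
router bgp 64512
 network 121.118.96.0 mask 255.255.255.192
 network 121.118.96.10 mask 255.255.255.255
 neighbor x.x.x.x remote-as 4755
 neighbor x.x.x.x update-source GigabitEthernet0/0
 neighbor x.x.x.x weight 200
 neighbor x.x.x.x prefix-list OUT-PRIMARY out
 neighbor y.y.y.y remote-as 4755
 neighbor y.y.y.y update-source GigabitEthernet0/1
 neighbor y.y.y.y weight 100
 neighbor y.y.y.y prefix-list OUT-BACKUP out
!
! Primary link: only the aggregate. "0.0.0.0/0 le 32" is needed to deny any
! prefix; a bare "0.0.0.0/0" would match only the default route itself.
ip prefix-list OUT-PRIMARY seq 5 permit 121.118.96.0/26
ip prefix-list OUT-PRIMARY seq 10 deny 0.0.0.0/0 le 32
!
! Backup link: aggregate plus the tunnel endpoint host route.
! Longest match at the ISP pulls traffic for 121.118.96.10 onto this link.
ip prefix-list OUT-BACKUP seq 5 permit 121.118.96.0/26
ip prefix-list OUT-BACKUP seq 10 permit 121.118.96.10/32
ip prefix-list OUT-BACKUP seq 15 deny 0.0.0.0/0 le 32
!
! --- Outbound: send traffic for A.A.A.A over the backup link while it is usable ---
! Probe the backup-side ISP address; if the probe fails the tracked static
! route is withdrawn and A.A.A.A falls back to the BGP default via the primary.
ip sla 10
 icmp-echo y.y.y.y source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 10 life forever start-time now
!
track 10 ip sla 10 reachability
!
ip route A.A.A.A 255.255.255.255 y.y.y.y track 10
```

Check the result with `show ip bgp neighbors y.y.y.y advertised-routes` (the /32 should appear here and not for x.x.x.x), `show track 10` and `show ip route A.A.A.A`. Only the tunnel endpoint address moves to the backup link; the rest of the /26 keeps following the weight-based primary path in both directions. If the backup link fails, inbound traffic for 121.118.96.10 still arrives via the primary link under the /26, so the tunnel can re-establish there.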

Hi Harold..

Thanks for your help, but I am seeing one more challenge here. Actually I am looking to establish a GRE over IPSec tunnel. If I NAT the tunnel source IP to the free public IP towards the tunnel destination IP, and the other side does NO NAT for this end's tunnel source to the destination public IP, then will the tunnel come up? If I ping the tunnel destination IP using the tunnel source IP, will it be pingable?

Please help on this too.

Hi Harold..

Please suggest whether the GRE over IPSec tunnel will come up according to your suggested changes, taking a separate IP out of the public pool, or if it is possible.

Hi Anukalp,

I am no security or ASA expert, but I think the IPsec tunnel should not be NATed. It would simply use a separate public IP address as the tunnel source. There is absolutely no need for NAT in this case.

Regards,
Harold Ritter, CCIE #4168 (EI, SP)