Inbound Routing based on AS Number

Simon Young
Level 1

I would like to influence inbound traffic into a site based on the source AS, is this possible?

I have two circuits communicating with two different business units

Outbound is fine, using local preference

I want all inbound and outbound traffic to use the circuits as follows

Circuit A = BU 1

Circuit B = BU 2

Obviously the site is advertising the same routes from both circuits. So I can't use MED for the local routes as traffic will come in one way only

What I want to do is match on source AS number, so

If AS 2 (BU 2) wants to access the site, then they will use circuit B

I was thinking I could do the following on Circuit A, whereby if the source is AS 2 (BU 2) then prepend the route, but I have not got this right as I need to actually prepend the local AS!!! So that the BU 2 traffic prefers circuit B

ip as-path access-list 1 permit _2$


route-map BU2 permit 10
 match as-path 1
 set as-path prepend 2 2

neighbor x.x.x.x route-map BU2 out

I am not sure if this is even possible? Any help much appreciated.

Note that all connections to the cloud are eBGP

Within the local site, the router to router connections are iBGP

The switch is using an IGP

 


Giuseppe Larosa
Hall of Fame

Hello SJYoung2008,

>> I have two circuits communicating with two different business units

Do you mean you have direct eBGP sessions on local AS between (localAS, AS1) on circuitA and (localAS, AS2) on circuitB?

If this is the case, you don't need to do anything to achieve the desired result, as from the point of view of AS2 the direct eBGP session on circuitB is a better path than going through AS1 and circuitA

(shortest AS path is preferred)

Your attempts are conceptually wrong as AS2 choices are not influenced by what you do on the other eBGP session. You could achieve that all return traffic comes back via circuitB even if originated in AS1. But you don't want this.

If AS1 and AS2 have no direct eBGP session with the local AS of the local site, the result is not guaranteed and you cannot influence it in any way; it is the choice of the administrators of AS2 at that point what path to prefer to go back to you.

 

Hope to help

Giuseppe

 

 

 

Hi Giuseppe

Thanks for the response

The cloud represents an ISP. Each of the locations AS1, AS2 and the main site have eBGP connections to the ISP

I would like AS2 to use circuit B, so all traffic to and from AS2 via this circuit but if the link drops, then it will use the other circuit

and AS1 to use circuit A

I had set the local preference, so any outbound traffic for AS2 went via Circuit B and AS1 via circuit A

My problem is getting the traffic from a specific source to enter the same circuit

Is there a way that I could use a community string?

So I mark traffic leaving Site AS2 with a community string

At the main site, I match the community string and set a prepend, so that the router advertises all its routes with a worse as path?

I am not sure if this is possible

Thanks
Simon
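
The effect of a prepend on the main site's circuit A advertisement, as an added example that is not part of the original thread. It is a simplified model, not router code: the ISP is assumed to be a single AS (64500, a documentation-range placeholder) making one best-path decision per prefix, the main site is AS 3 as in the thread, and the function names are hypothetical.

```python
# Added illustration: simplified BGP model, not configuration from the thread.
# Assumptions: ISP is one AS (64500, constructed) with a single best-path
# decision per prefix; main site is AS 3; sources are AS 1 and AS 2.
from dataclasses import dataclass

ISP_AS = 64500
SITE_AS = 3


@dataclass(frozen=True)
class Path:
    circuit: str            # "A" or "B": circuit on which the ISP learned the route
    as_path: tuple          # AS_PATH as received by the ISP
    local_pref: int = 100


def site_advert(circuit, prepend=0):
    """Route the main site sends to the ISP over one circuit."""
    return Path(circuit, (SITE_AS,) * (1 + prepend))


def best_path(paths):
    """Subset of BGP best-path selection: highest local-pref, then shortest
    AS_PATH, then lowest circuit name standing in for the final tie-breakers."""
    if not paths:
        return None
    return min(paths, key=lambda p: (-p.local_pref, len(p.as_path), p.circuit))


def entry_circuit_per_source(paths, sources=(1, 2)):
    """The ISP selects ONE best path for the prefix and re-advertises it to
    every customer AS, so the prepend cannot distinguish AS 1 from AS 2."""
    best = best_path(paths)
    if best is None:
        return {src: None for src in sources}
    seen = (ISP_AS,) + best.as_path      # AS_PATH as each source AS receives it
    return {src: (best.circuit, seen) for src in sources}


def circuits(paths):
    """Map each source AS to the circuit its traffic enters the site on."""
    return {s: (v[0] if v else None)
            for s, v in entry_circuit_per_source(paths).items()}


if __name__ == "__main__":
    print(circuits([site_advert("A"), site_advert("B")]))             # no prepend
    print(circuits([site_advert("A", prepend=3), site_advert("B")]))  # prepend on A
    print(circuits([site_advert("A", prepend=3)]))                    # circuit B down
```

Under these assumptions the prepend moves both business units to circuit B together, and both fall back to circuit A when circuit B's advertisement is withdrawn.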

Hi Young,

You can use a community string; here is the example:

http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/28784-bgp-community.html

Regards,

kazim

 

"HTH"

Hi

Yes, I had read this already and most other web links, but it's not specific enough. So in my test environment

I have configured on AS2 only (R5)

ip access-list standard test
 permit any log
!
!
route-map SETCOM permit 10
 match ip address test
 set community 2:1
!
router bgp 2
 neighbor x.x.x.x send-community
 neighbor x.x.x.x route-map SETCOM out

So all traffic from Site AS2 is matched and has a community string assigned.

This traffic reaches my Circuit A router (R11)

route-map SETCOM permit 10
 match community 2:1
 set as-path prepend 3 3 3 3
!
route-map SETCOM permit 20
!
router bgp 3
 neighbor x.x.x.x send-community
 neighbor x.x.x.x route-map SETCOM in

The traffic from community 2:1 is matched, I then prepend traffic to Site AS 2

It kind of works but it black holes the routes from AS3 via R11

When I look at the BGP on R7 I see only routes from R10 and not R9

I want both paths to be available but a preferred return path via R12 for all R5 traffic

 

 

OK, send the config for this topology.
