08-27-2007 08:42 AM - edited 03-03-2019 06:29 PM
I think I'm just missing the right "ciscoese" jargon to find the docs for what I want to do.
I need to install a policy-based source-address route map, but instead of using a static access list as the source-address match, I need to match any packets coming from an ISP which source from networks that are advertised to me from a specific BGP AS.
Basically we need to split ingress traffic from the ISP onto two different interfaces so that traffic that the ISP advertises on one AS can be filtered by a layer 4 shaper, and traffic coming from a different AS goes to a different physical link. The AS is the only way we have to tell these two traffic classes apart, since all the packets come in untagged on the same link.
08-27-2007 06:06 PM
Have you tried AS-prepending on the first interface (basically we need to split ingress traffic from the ISP onto two different interfaces so that traffic that the ISP advertises on one AS can be filtered by a layer 4 shaper)? Then use the original AS path; the other link will only use its own prepend info.
Ingress traffic makes use of AS-prepending, whereas egress traffic relies on MED to determine which AS is chosen. HTH
Cheers
08-28-2007 06:52 AM
I think maybe I was not clear...
We have one and only one link from the ISP. Traffic from the ISP comes in two flavors. The ISP will be setting us up a BGP peer so that we know which global networks are which flavor, but the ISP will not be using that BGP process to route back to us, just a static route for our one network. (I am sure they use BGP internally but that doesn't matter to us.)
Getting traffic to split on the way out of our network is no problem, it is just normal routing. We send traffic from the distribution router to one AS down one link and traffic to the other AS down another link, based on weighting of routes. Then on the border router the traffic is all combined and sent to the ISP to do with as they please.
On the way back in, though, we need to flip the BGP tables on the border router to use them as a source-address access list for PBR. Traffic from either AS will be going to the same destination, so this is not a case of trying to combine separate networks using the same equipment.
From what I read, AS-prepending is used when you have multiple links from an ISP, or when you are trying to merge two old networks without changing the AS. This is not the case -- we only have one address space, and traffic will be going to and from our network and both ASes.
08-28-2007 07:07 AM
Hi,
Never tried it, but QoS Policy Propagation through BGP might be helpful. You can set IP precedence or QoS group based on BGP attributes like AS path. Have a look at "Configuring QoS Policy Propagation via Border Gateway Protocol"
http://www.cisco.com/en/US/docs/ios/12_1/qos/configuration/guide/qcdprop.html
You might either try to set the next hop as well or use the Precedence value as input for PBR.
Just an idea, yet to be tested.
Hope this helps!
Regards, Martin
08-28-2007 09:36 AM
That's the closest I've seen...
...and it just might work. But you never know what features are going to work in combination with what other features until you have it up and running.
I can't count the number of times I've wished a PBR feature would work for QoS or vice versa, or where I've wished one of the route-map commands that only applies to route redistribution was available for payload traffic.
Thanks, I'll have to see how far I can get with that.
08-29-2007 12:51 PM
OK, well I decided to kick the tires on this feature with an old 3550 we have kicking around and a quagga bgpd to inject routes.
I have:
router bgp 1887
 table-map MarkI2
!
route-map MarkI2 permit 10
 description scribble on I2 packets
 match as-path 1
 set ip precedence flash-override
route-map MarkI2 permit 20
 set ip precedence routine
!
ip as-path access-list 1 permit _1337_
ip as-path access-list 1 permit _1887_
...and that gives me this:
Switch#show ip route 10.4.10.0
Routing entry for 10.4.10.0/24
  Known via "bgp 1887", distance 20, metric 0
  Tag 1337, precedence flash-override (4), type external
  Last update from 10.0.0.2 00:03:56 ago
  Routing Descriptor Blocks:
  * 10.0.0.2, from 10.0.0.2, 00:03:56 ago
      Route metric is 0, traffic share count is 1
      AS Hops 1
      Route tag 1337
...so the ip precedence is getting into the route table.
Then I have:
interface FastEthernet0/1
 bgp-policy source ip-prec-map
and just in case:
interface FastEthernet0/2
 bgp-policy source ip-prec-map
...however packets leaving fa0/2 keep the same ToS they had when they entered fa0/1, regardless of whether the source address is 10.4.10.x or not.
I think I got everything in the instructions... anyone ever done this?
08-28-2007 07:13 AM
I think I know what you mean. I was looking for this as well, and I know people/organizations who are also looking for this. I wish IOS had this feature: instead of using a static ACL in a PBR you could use the AS of a specific ISP, so that whenever that ISP changes the prefixes in their AS it is transparent to you. I started calling it an ASCL (Autonomous System Control List) instead of an ACL (Access Control List) :)
No, I didn't find it, and I don't think IOS supports it for now. The majority are still struggling with the traditional Community, which is not appropriate in some scenarios.
Good luck!
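To make the "ASCL" idea above and the QPPB table-map configuration from the 3550 test concrete, here is an added Python model of what the box is being asked to do. It is example code written for this thread, not anything from IOS or the original posters: the RIB entries, the AS numbers other than 1337 and 1887, and the packets are constructed sample data, and the translation of the IOS as-path `_` shorthand into a Python regex boundary is an assumption that only covers space-separated AS paths.

```python
import ipaddress
import re

# Constructed sample RIB (prefix -> AS_PATH string), standing in for the
# routes the quagga bgpd in the thread injected into the 3550.
SAMPLE_RIB = {
    "10.4.10.0/24": "1337",               # directly from AS 1337
    "10.4.0.0/16": "65000 64500",         # covering route, no interesting AS
    "192.0.2.0/24": "64500 1887 64496",   # AS 1887 in the middle of the path
    "198.51.100.0/24": "64500 13370",     # 13370 must NOT match _1337_
}

# The IP precedence names used by 'set ip precedence' in the thread's route-map.
PRECEDENCE = {"routine": 0, "flash-override": 4}


def ios_aspath_regex(pattern):
    """Translate an 'ip as-path access-list' regex into a Python regex.

    Assumption: '_' is treated as a boundary (start, end, or whitespace
    between AS numbers), which is enough for space-separated paths."""
    return re.compile(pattern.replace("_", r"(?:^|\s|$)"))


def build_policy_table(rib, aspath_patterns,
                       match_prec="flash-override", default_prec="routine"):
    """Emulate the table-map: apply the route-map's match/set to every RIB entry.

    Returns a list of (network, precedence) sorted longest-prefix first, so a
    linear scan finds the most specific route first (what 'show ip route'
    would pick)."""
    regexes = [ios_aspath_regex(p) for p in aspath_patterns]
    table = []
    for prefix, aspath in rib.items():
        net = ipaddress.ip_network(prefix)
        hit = any(r.search(aspath) for r in regexes)
        table.append((net, PRECEDENCE[match_prec if hit else default_prec]))
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def classify_source(table, src_ip):
    """Emulate 'bgp-policy source ip-prec-map': look the packet's *source*
    address up in the policy table and return the precedence to stamp on it,
    or None when no BGP route covers the source."""
    addr = ipaddress.ip_address(src_ip)
    for net, prec in table:
        if addr in net:
            return prec
    return None


def set_tos_precedence(tos, prec):
    """Rewrite only the three precedence bits of an IPv4 ToS byte."""
    return (tos & 0x1F) | ((prec & 0x7) << 5)


if __name__ == "__main__":
    # Same as-path access-list as the thread: _1337_ or _1887_ -> flash-override.
    policy = build_policy_table(SAMPLE_RIB, ["_1337_", "_1887_"])
    for src in ("10.4.10.5", "10.4.20.5", "192.0.2.7", "198.51.100.1", "203.0.113.1"):
        print(src, "->", classify_source(policy, src))
```

The point the model makes explicit is that the match is on the *source* address against prefixes learned over BGP, and that the as-path regex has to be anchored (`_1337_`, not `1337`) or AS 13370 would be swept into the same class. Anything whose source is not covered by a BGP route gets no precedence at all, which is what a PBR default clause would have to handle.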