Please help me with PBR (ASR 1004)

I have two /24 IP blocks: 192.168.83.0/24 and 192.168.82.0/24. I am using two ISPs with BGP for internet connectivity.

Currently, all uploads are handled by one ISP, while downloads are split between the two ISPs.
Now I want to configure it so that both uploads and downloads for 192.168.83.0/24 go through ISP 1, and both uploads and downloads for 192.168.82.0/24 go through ISP 2.

Here are the details:
• ISP 1: 10.0.0.10/30 (P2P IP: 10.0.0.9)

• ISP 2: 20.0.148.2/30 (P2P IP: 20.0.148.1)

I want:
• 192.168.83.0/24 to use 10.0.0.9 for both uploads and downloads via ISP 1.

• 192.168.82.0/24 to use 20.0.148.1 for both uploads and downloads via ISP 2.


I am using an ASR 1004.

Thanks in advance 

16 Replies

Richard Burts
Hall of Fame

If we knew more about your environment we would be able to give better advice. One thing we need to understand is the direction of traffic. I am assuming that most of your Internet traffic is originated from inside your network and goes to the Internet, and responses come back. Is there traffic originated from the Internet to resources inside your network?
Another thing it would be nice to understand is why you are running BGP with 2 ISP. Do you have any Public IP addresses that belong to you and that you need to advertise to the Internet?
Managing traffic originated inside your network is fairly straightforward. PBR uses a route map which is applied to the interface where your inside devices are connected. So you may want a route map on the interface where 192.168.82.0 is connected. And another route map on the interface where 192.168.83.0 is connected. 
Each route map will use an access list to identify traffic to be policy routed. The access list should deny traffic originated from the local (private) network to other private networks, and then permit all other traffic. The route map will then set the next hop to direct traffic to the desired ISP.

HTH

Rick

Thanks for your reply ...

Yes, I have 2 /24 public IPs, also my own AS. Additionally, I am using a Cisco ASR 1004 model with a throughput capacity of 10G.

As with @Richard Burts I would be asking a few questions from a design perspective
1) What is the level of throughput that you are looking at? Policy based routing can be CPU intensive depending on the amount of data
2) As they are private subnets you can't perform prepending for your subnets which will make your traffic unpredictable on the return without proper planning/consideration
3) Understanding that you probably have a problem that you are trying to solve: what is the purpose of splitting your traffic in this manner? If your network is geographically dispersed with multiple BGP speaking routers you can simply set weights to direct traffic from one subnet or the other on the outbound and set communities with prepending to influence traffic inbound. But there is quite a bit that we don't have on hand to properly make a recommendation.

Thanks for your reply, also asking some valuable questions. 

1. I have 10G throughput.

2. I have my two public /24s and also my own AS.

3. One major issue arises with uploads. For example, if there's an upload on ISP 1 and I encounter a problem with ISP 2, contacting ISP 2's customer care results in them asking me to upload data to check the issue. If the same problem occurs with ISP 1, they also request an upload for verification. Therefore, I want to upload to both ISPs to keep the data on their respective sides.

Thank you for the additional info. To clarify what is your average traffic load for the ISP links. If you have 2 /24s sending multigig worth of data you may experience undesirable performance issues if performing PBR on all traffic outbound. If you know the specific protocol the uploads are using or target hosts that could significantly reduce the impact. 

Brother thanks for your reply 

800 MB is taken from ISP 1, and 170 MB is taken from ISP 2.

I want my local users with public IPs announced by ISP 1 to handle both downloads and uploads through ISP 1. Similarly, local users with public IPs announced by ISP 2 should handle both downloads and uploads through ISP 2.

Thanks for the additional information. PBR should be effective to achieve that local users with public IPs announced by ISP 1 to handle both downloads and uploads through ISP 1. And similar for users with addresses announced by ISP 2.

HTH

Rick

Ideally you could simply PBR one /24 and allow the other to follow the default route. You will also want to prepend your route for the PBR to ensure synchronous traffic routing. If not configured I would put netflow on both in/out directions as this will allow you to verify synchronous traffic flows.

It is certainly correct that one PBR configuration for one set of traffic and using the default route for the other set of traffic might work. And in some similar discussions I have advocated for this. But in this discussion, with 2 ISP both running BGP (and I assume both ISP advertising a default route) I don't know that we can be sure which default route would be used. So I advocate using PBR for both.

HTH

Rick

For the sake of reducing potential performance impacts would it not be more prudent to weight the defaults? This would keep them in the BGP table but reduce CPU overhead as one would rely on CEF.

Totally correct.

One PBR using verify 

And one default route 

Is enough 

No need two PBR.

MHM

@MHM Cisco World makes an interesting point, using verify in the PBR configuration. It has been my experience that verify is supported on some platforms, and NOT supported in some other platforms. I do not have enough experience with the ASR1004 to know whether verify is supported here or not.

It is an interesting question whether to suggest one PBR instance or two. I agree that it is possible that one instance might work. But I am concerned about the possibility that one instance might encounter some problems. So the OP needs to make a choice. If there are concerns about resource consumption then choose one instance. If there are concerns about potential issues in implementation choose two instances. 

HTH

Rick
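The two-route-map design Rick describes earlier in the thread, with the next-hop verification MHM raises, written out as an added example for this thread (it is not the original poster's configuration or anyone else's). The prefixes and next hops are the ones given in the question; the LAN interface names and the IP SLA/track objects are assumptions, and the deny lines follow Rick's wording (local-to-private stays on the normal routing table).

```cisco
! Added example, not the thread's own config: Rick's two-route-map design.
! Assumed LAN interfaces: Gi0/0/0 (192.168.83.0/24), Gi0/0/1 (192.168.82.0/24).
! Next hops are the P2P peers from the question: 10.0.0.9 (ISP 1), 20.0.148.1 (ISP 2).
! ACL order matters: deny local-to-private first so inter-subnet traffic keeps
! normal routing, then permit everything else for policy routing.
ip access-list extended PBR-83-TO-ISP1
 deny   ip 192.168.83.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 192.168.83.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 192.168.83.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.83.0 0.0.0.255 any
!
ip access-list extended PBR-82-TO-ISP2
 deny   ip 192.168.82.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 192.168.82.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 192.168.82.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.82.0 0.0.0.255 any
!
! "verify" variant: the next hop is used only while the SLA probe (ICMP echo to
! the P2P peer) succeeds; otherwise traffic falls back to the routing table.
! Assumes track-based verify-availability is supported on this platform;
! confirm with "show route-map" after applying.
ip sla 1
 icmp-echo 10.0.0.9
 frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
ip sla 2
 icmp-echo 20.0.148.1
 frequency 5
ip sla schedule 2 life forever start-time now
track 2 ip sla 2 reachability
!
route-map PBR-83 permit 10
 match ip address PBR-83-TO-ISP1
 set ip next-hop verify-availability 10.0.0.9 10 track 1
!
route-map PBR-82 permit 10
 match ip address PBR-82-TO-ISP2
 set ip next-hop verify-availability 20.0.148.1 10 track 2
!
interface GigabitEthernet0/0/0
 description LAN 192.168.83.0/24 (pinned to ISP 1)
 ip policy route-map PBR-83
!
interface GigabitEthernet0/0/1
 description LAN 192.168.82.0/24 (pinned to ISP 2)
 ip policy route-map PBR-82
```

With the real public /24s in place of the 192.168.x stand-ins, the third deny in each ACL would name the other public block instead of 192.168.0.0/16, so traffic between the two blocks is still routed normally rather than sent out to an ISP.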

Ultimately I think you hit it on the head. The outcome has many solutions that can fit the need. As with any design elegance is implementing complexity when needed yet keeping it simple enough to meet the requirement.


Thank you all for taking the time to help me resolve my issue. My problem has now been fixed, and ISP2 is configured accordingly.

! Match everything sourced from the ISP2 block
ip access-list extended ISP2_prefix
 permit ip 192.168.82.0 0.0.0.255 any
!
! "default next-hop" is used only when the routing table has no specific
! (non-default) route to the destination
route-map PBR-LAN permit 5
 match ip address ISP2_prefix
 set ip default next-hop 20.0.148.1
!
! Policy applied to traffic arriving on this subinterface
interface TenGigabitEthernet1/0/0.3004
 description ISP2
 encapsulation dot1Q 3004
 ip address 192.168.82.1 255.255.255.252
 ip policy route-map PBR-LAN