11-04-2023 06:42 AM - edited 11-04-2023 06:44 AM
Hi all, I am experiencing an issue with properly configuring an ASR1000 BGP router with 2 different upstream ASs for redundancy, both sending a default route only.
I have properly configured as-path prepending and local preference to influence in/out traffic routing; however, when I activate the 2nd BGP peer, all the traffic coming from this 2nd upstream seems to be blocked and can't reach its destination.
I might be wrong, but this seems to me to be an asymmetric routing issue; however, I can't get a clue on how to solve it.
An excerpt from my config is below:
interface GigabitEthernet0/1/0
 description ISP-A
 ip address xxx.xxx.xxx.xxx 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip verify unicast reverse-path
 ip access-group ACL-IPV4-ANTISPOOF-IN in
 negotiation auto
end
interface GigabitEthernet1/1/1
 description ISP-B
 ip address xxx.xxx.xxx.xxx 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip verify unicast reverse-path
 ip access-group ACL-IPV4-ANTISPOOF-IN in
 negotiation auto
end
router bgp 00000
 no bgp fast-external-fallover
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 timers bgp 3 20
 neighbor 111.111.111.111 remote-as 1111
 neighbor 111.111.111.111 description ISP-B
 neighbor 111.111.111.111 dont-capability-negotiate enhanced-refresh
 neighbor 111.111.111.111 ebgp-multihop 3
 neighbor 111.111.111.111 update-source GigabitEthernet1/1/1
 neighbor 111.111.111.111 version 4
 neighbor 111.111.111.111 fall-over bfd
 neighbor 222.222.222.222 remote-as 2222
 neighbor 222.222.222.222 description ISP-A
 neighbor 222.222.222.222 dont-capability-negotiate enhanced-refresh
 neighbor 222.222.222.222 ttl-security hops 1
 neighbor 222.222.222.222 update-source GigabitEthernet0/1/0
 neighbor 222.222.222.222 version 4
 neighbor 222.222.222.222 fall-over bfd
 address-family ipv4
  network xxx.xxx.xxx.xxx mask 255.255.255.0
  aggregate-address xxx.xxx.xxx.xxx 255.255.255.0 summary-only
  neighbor 111.111.111.111 activate
  neighbor 111.111.111.111 remove-private-as
  neighbor 111.111.111.111 soft-reconfiguration inbound
  neighbor 111.111.111.111 prefix-list DEFAULT_ROUTE in
  neighbor 111.111.111.111 prefix-list LOCAL_ROUTES out
  neighbor 111.111.111.111 route-map AS1111-LOCAL-PREFERENCE in
  neighbor 111.111.111.111 route-map AS1111-prepend out
  neighbor 222.222.222.222 activate
  neighbor 222.222.222.222 send-community
  neighbor 222.222.222.222 remove-private-as
  neighbor 222.222.222.222 soft-reconfiguration inbound
  neighbor 222.222.222.222 prefix-list DEFAULT_ROUTE in
  neighbor 222.222.222.222 prefix-list LOCAL_ROUTES out
  neighbor 222.222.222.222 route-map AS2222-LOCAL-PREFERENCE in
 exit-address-family
ip prefix-list DEFAULT_ROUTE seq 5 permit 0.0.0.0/0
access-list 1 permit 0.0.0.0
route-map AS1111-prepend permit 10
 set as-path prepend 00000 00000 00000
!
route-map AS1111-prepend permit 20
!
route-map AS1111-LOCAL-PREFERENCE permit 10
 match ip address 1
 set local-preference 300
!
route-map AS2222-LOCAL-PREFERENCE permit 10
 match ip address 1
 set local-preference 500
!
route-map AS2222-prepend permit 10
 set as-path prepend 00000 00000 00000
!
route-map AS2222-prepend permit 20
ip access-list extended ACL-IPV4-ANTISPOOF-IN
 remark --- Deny special-use address sources
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 100.64.0.0 0.63.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.0.0.0 0.0.0.255 any log
 deny   ip 192.0.2.0 0.0.0.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 198.18.0.0 0.1.255.255 any log
 deny   ip 198.51.100.0 0.0.0.255 any log
 deny   ip 203.0.113.0 0.0.0.255 any log
 deny   ip 224.0.0.0 15.255.255.255 any log
 deny   ip 240.0.0.0 15.255.255.255 any log
 remark --- Deny AS00000 prefixes as source from entering AS
 deny   ip xxx.xxx.xxx.xxx 0.0.1.255 any log
 remark --- Deny snmp/bootpc/bootps traffic
 deny   udp any any eq snmp log
 deny   udp any any eq bootpc log
 deny   udp any any eq bootps log
 remark --- Permit known-good BGP peers
 permit tcp host 222.222.222.222 host xxx.xxx.xxx.xxx eq bgp
 permit tcp host 222.222.222.222 eq bgp host xxx.xxx.xxx.xxx
 permit tcp host 111.111.111.111 host xxx.xxx.xxx.xxx eq bgp
 permit tcp host 111.111.111.111 eq bgp host xxx.xxx.xxx.xxx
 remark --- Deny all other BGP packets
 deny   tcp any any eq bgp log
 deny   tcp any eq bgp any log
 remark --- Permit IP transit traffic
 permit ip any any
11-04-2023 07:16 AM - edited 11-04-2023 07:18 AM
If you configured NAT, did you check it?
If this is a direct connection, why do you use fall-over BFD?
Thanks A Lot
MHM
11-04-2023 09:06 AM
Hi
From my reading of your config, traffic will be asymmetric by design:
INGRESS TRAFFIC
VIA ISP-B 111.111.111.111 (Due to AS prepend to ISP-A 222.222.222.222)
EGRESS TRAFFIC
VIA ISP-A 222.222.222.222 (Due to higher local preference - 500 compared to 300 of ISP-B)
hth
Andy
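As an added illustration, not from the thread or from the router, a small Python model of two mechanisms that the posted config combines: BGP keeping only one of the two received default routes (highest local preference, then shortest AS path), and strict uRPF (`ip verify unicast reverse-path`) checking that the best route back to a packet's source leaves via the interface the packet arrived on. Interface and AS numbers are the ones in the post; the source address and the loose-mode comparison are constructed.

```python
# Added model (not from the thread or the router) of two things the posted
# config combines: BGP picking one of the two received default routes, and
# strict uRPF ("ip verify unicast reverse-path") checking the return path.
# Interface and AS numbers follow the post; sources are constructed.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: str      # both upstreams advertise only 0.0.0.0/0
    interface: str   # exit interface toward the advertising peer
    local_pref: int  # set inbound by the AS*-LOCAL-PREFERENCE route-maps
    as_path: tuple   # AS_PATH as received

def bgp_best(candidates):
    """The two best-path steps relevant here: highest LOCAL_PREF wins,
    then the shortest AS_PATH. Only the winner is installed in the RIB."""
    return max(candidates, key=lambda r: (r.local_pref, -len(r.as_path)))

def lookup(rib, ip):
    """Longest-prefix match. With only a default route, everything matches it."""
    matches = [r for r in rib
               if ipaddress.ip_address(ip) in ipaddress.ip_network(r.prefix)]
    return max(matches, default=None,
               key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)

def urpf(rib, src, ingress, mode="strict"):
    """Strict: the best route back to the source must exit via the ingress
    interface. Loose (shown for comparison): any route to the source suffices."""
    route = lookup(rib, src)
    if route is None:
        return "drop"
    return "accept" if mode == "loose" or route.interface == ingress else "drop"

# Constructed inputs mirroring the post: local-preference 500 on the ISP-A
# default, 300 on the ISP-B default, so the RIB ends up with a single exit.
RECEIVED = [
    Route("0.0.0.0/0", "GigabitEthernet0/1/0", 500, ("2222",)),  # ISP-A
    Route("0.0.0.0/0", "GigabitEthernet1/1/1", 300, ("1111",)),  # ISP-B
]
RIB = [bgp_best(RECEIVED)]

def verdicts(src="203.0.113.7", mode="strict"):
    """Return-path verdict for one constructed source arriving on each upstream
    interface (the post's anti-spoof ACL is not modelled here)."""
    return {i: urpf(RIB, src, i, mode)
            for i in ("GigabitEthernet0/1/0", "GigabitEthernet1/1/1")}

if __name__ == "__main__":
    print("installed default exits via", RIB[0].interface, verdicts())
```

With the posted preferences the only installed default exits via ISP-A, so in strict mode a packet arriving on the ISP-B interface fails the check while loose mode accepts it on both interfaces.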