11-04-2023 06:42 AM - edited 11-04-2023 06:44 AM
Hi all, I am experiencing an issue with properly configuring an ASR1000 BGP router with 2 different upstream ASs for redundancy both sending default-route only.
I have properly configured as-path prepending and local preference to influence in/out traffic routing; however, when I activate the 2nd BGP peer, all the traffic coming from this 2nd upstream seems to be blocked and can't reach its destination.
I might be wrong, but this seems to me to be an asymmetric routing issue; however, I can't get a clue on how to solve it.
Excerpt from my config is below:
interface GigabitEthernet0/1/0
 description ISP-A
 ip address xxx.xxx.xxx.xxx 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip verify unicast reverse-path
 ip access-group ACL-IPV4-ANTISPOOF-IN in
 negotiation auto
end
!
interface GigabitEthernet1/1/1
 description ISP-B
 ip address xxx.xxx.xxx.xxx 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip verify unicast reverse-path
 ip access-group ACL-IPV4-ANTISPOOF-IN in
 negotiation auto
end
!
router bgp 00000
 no bgp fast-external-fallover
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 timers bgp 3 20
 neighbor 111.111.111.111 remote-as 1111
 neighbor 111.111.111.111 description ISP-B
 neighbor 111.111.111.111 dont-capability-negotiate enhanced-refresh
 neighbor 111.111.111.111 ebgp-multihop 3
 neighbor 111.111.111.111 update-source GigabitEthernet1/1/1
 neighbor 111.111.111.111 version 4
 neighbor 111.111.111.111 fall-over bfd
 neighbor 222.222.222.222 remote-as 2222
 neighbor 222.222.222.222 description ISP-A
 neighbor 222.222.222.222 dont-capability-negotiate enhanced-refresh
 neighbor 222.222.222.222 ttl-security hops 1
 neighbor 222.222.222.222 update-source GigabitEthernet0/1/0
 neighbor 222.222.222.222 version 4
 neighbor 222.222.222.222 fall-over bfd
 !
 address-family ipv4
  network xxx.xxx.xxx.xxx mask 255.255.255.0
  aggregate-address xxx.xxx.xxx.xxx 255.255.255.0 summary-only
  neighbor 111.111.111.111 activate
  neighbor 111.111.111.111 remove-private-as
  neighbor 111.111.111.111 soft-reconfiguration inbound
  neighbor 111.111.111.111 prefix-list DEFAULT_ROUTE in
  neighbor 111.111.111.111 prefix-list LOCAL_ROUTES out
  neighbor 111.111.111.111 route-map AS1111-LOCAL-PREFERENCE in
  neighbor 111.111.111.111 route-map AS1111-prepend out
  neighbor 222.222.222.222 activate
  neighbor 222.222.222.222 send-community
  neighbor 222.222.222.222 remove-private-as
  neighbor 222.222.222.222 soft-reconfiguration inbound
  neighbor 222.222.222.222 prefix-list DEFAULT_ROUTE in
  neighbor 222.222.222.222 prefix-list LOCAL_ROUTES out
  neighbor 222.222.222.222 route-map AS2222-LOCAL-PREFERENCE in
 exit-address-family
!
ip prefix-list DEFAULT_ROUTE seq 5 permit 0.0.0.0/0
!
access-list 1 permit 0.0.0.0
!
route-map AS1111-prepend permit 10
 set as-path prepend 00000 00000 00000
!
route-map AS1111-prepend permit 20
!
route-map AS1111-LOCAL-PREFERENCE permit 10
 match ip address 1
 set local-preference 300
!
route-map AS2222-LOCAL-PREFERENCE permit 10
 match ip address 1
 set local-preference 500
!
route-map AS2222-prepend permit 10
 set as-path prepend 00000 00000 00000
!
route-map AS2222-prepend permit 20
!
ip access-list extended ACL-IPV4-ANTISPOOF-IN
 remark --- Deny special-use address sources
 deny ip 0.0.0.0 0.255.255.255 any log
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip 100.64.0.0 0.63.255.255 any log
 deny ip 127.0.0.0 0.255.255.255 any log
 deny ip 169.254.0.0 0.0.255.255 any log
 deny ip 172.16.0.0 0.15.255.255 any log
 deny ip 192.0.0.0 0.0.0.255 any log
 deny ip 192.0.2.0 0.0.0.255 any log
 deny ip 192.168.0.0 0.0.255.255 any log
 deny ip 198.18.0.0 0.1.255.255 any log
 deny ip 198.51.100.0 0.0.0.255 any log
 deny ip 203.0.113.0 0.0.0.255 any log
 deny ip 224.0.0.0 15.255.255.255 any log
 deny ip 240.0.0.0 15.255.255.255 any log
 remark --- Deny AS00000 prefixes as source from entering AS
 deny ip xxx.xxx.xxx.xxx 0.0.1.255 any log
 remark --- Deny snmp/bootpc/bootps traffic
 deny udp any any eq snmp log
 deny udp any any eq bootpc log
 deny udp any any eq bootps log
 remark --- Permit known-good BGP peers
 permit tcp host 222.222.222.222 host xxx.xxx.xxx.xxx eq bgp
 permit tcp host 222.222.222.222 eq bgp host xxx.xxx.xxx.xxx
 permit tcp host 111.111.111.111 host xxx.xxx.xxx.xxx eq bgp
 permit tcp host 111.111.111.111 eq bgp host xxx.xxx.xxx.xxx
 remark --- Deny all other BGP packets
 deny tcp any any eq bgp log
 deny tcp any eq bgp any log
 remark --- Permit IP transit traffic
 permit ip any any
11-04-2023 07:16 AM - edited 11-04-2023 07:18 AM
If you configured NAT, did you check it?
If this is a direct connection, why do you use fall-over BFD?
Thanks A Lot
MHM
11-04-2023 09:06 AM
Hi
From my reading of your config, traffic will be asymmetric by design:
INGRESS TRAFFIC
VIA ISP-B 111.111.111.111 (Due to AS prepend to ISP-A 222.222.222.222)
EGRESS TRAFFIC
VIA ISP-A 222.222.222.222 (Due to higher local preference - 500 compared to 300 of ISP-B)
hth
Andy
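Andy's reply establishes that forwarding is asymmetric by design. The original config also applies `ip verify unicast reverse-path` (strict unicast RPF) on both upstream interfaces, and strict RPF requires the best route back to a packet's source to point out the interface the packet arrived on; with only one of the two default routes installed in the FIB, that condition can never hold for the other upstream. The Python model below is an added example, not code from the thread, its participants or Cisco. It picks the best path by LOCAL_PREF and AS_PATH length, installs the winner, and compares strict and loose reverse-path checks for the same remote source arriving on each upstream. It assumes the default route is eligible for the check (the behaviour Cisco's `allow-default` keyword enables); all addresses and interface names are constructed placeholders, not the poster's.

```python
"""Model of strict vs loose unicast RPF on a dual-homed edge router.

Added example, not taken from the thread or from Cisco. It reproduces the
shape of the original post: two eBGP peers each send only a default route,
LOCAL_PREF 500 (ISP-A) beats 300 (ISP-B), and both upstream interfaces run
a reverse-path check. All addresses are constructed placeholders.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class BgpRoute:
    prefix: str
    next_hop: str
    iface: str
    local_pref: int
    as_path: tuple


def best_path(routes):
    """Pick the best path using the two IOS tie-breakers that matter here:
    highest LOCAL_PREF first, then shortest AS_PATH."""
    return max(routes, key=lambda r: (r.local_pref, -len(r.as_path)))


def build_fib(routes):
    """Group received routes by prefix and install only the best one,
    which is why the loser's interface never appears in the FIB."""
    by_prefix = {}
    for r in routes:
        by_prefix.setdefault(ipaddress.ip_network(r.prefix), []).append(r)
    return {net: best_path(cands) for net, cands in by_prefix.items()}


def lookup(fib, addr):
    """Longest-prefix match; returns the installed BgpRoute or None."""
    ip = ipaddress.ip_address(addr)
    matches = [net for net in fib if ip in net]
    return fib[max(matches, key=lambda n: n.prefixlen)] if matches else None


def urpf_permits(fib, src, in_iface, mode):
    """Strict mode: the best path back to the source must leave via the
    interface the packet arrived on. Loose mode: any installed route will do.
    Assumes the default route may be used for the check (allow-default)."""
    route = lookup(fib, src)
    if route is None:
        return False  # unrouted source: dropped in both modes
    return mode == "loose" or route.iface == in_iface


# Constructed routing table: one default route learned from each upstream.
RECEIVED = [
    BgpRoute("0.0.0.0/0", "222.222.222.222", "Gi0/1/0", 500, (2222,)),  # ISP-A
    BgpRoute("0.0.0.0/0", "111.111.111.111", "Gi1/1/1", 300, (1111,)),  # ISP-B
]
REMOTE_SRC = "11.22.33.44"  # constructed remote host whose reply comes in via ISP-B


def evaluate(mode):
    """uRPF verdict for the same remote source arriving on each upstream."""
    fib = build_fib(RECEIVED)
    return {iface: urpf_permits(fib, REMOTE_SRC, iface, mode)
            for iface in ("Gi0/1/0", "Gi1/1/1")}


if __name__ == "__main__":
    fib = build_fib(RECEIVED)
    print("installed default via", fib[ipaddress.ip_network("0.0.0.0/0")].iface)
    for mode in ("strict", "loose"):
        print(mode, evaluate(mode))
```

With the ISP-A default installed, strict mode passes the source on Gi0/1/0 and drops the identical packet on Gi1/1/1, while loose mode passes both. On a multihomed edge, loose mode (`ip verify unicast source reachable-via any`) keeps the protection against sources with no route at all while tolerating asymmetric return paths; the explicit deny entries in ACL-IPV4-ANTISPOOF-IN are unaffected either way.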