cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2320
Views
10
Helpful
32
Replies

Setting BGP metrics for neighbors

Steven Williams
Level 4
Level 4

Is there a way to mark different networks with different metrics in the same route-map for the same neighbor?

 

Like if I want to mark 10.10.10.0/24 with metric of 900 but want to mark 20.20.20.0/24 with metric of 100, can I do this in the same route map?

32 Replies 32

your BGP without any password (please indicate a comment what are your PA device in the neighbor statements) and your SVI which are in HSRP

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello Francesco,

Steven's network is iBGP  I don't see a chance to use AS path prepending here

 

Best Regards

Giuseppe

 

Hello Steven,

for me the following behaviour means that the FW do not support iBGP multipath

 

>> So the Palos do multi-path and they do it well. Really the issue is HSRP due to the fact both peers have interfaces for the same network on each and are connected networks so without some HSRP trickery each Palo is always going to select core sw #1 due to lowest router-id.

 

As I have explained you can use the MED or local-preference if you accept to break iBGP multipath in all the network.

If you want to make some load sharing only on the FWs without influencing all devices you need to play with what Palo Alto gives you available to choice a path over the other the equivalent of Cisco weight that can be called route preference or in a different way.

 

Hope to help

Giuseppe

 

I am not sure how you comment that the firewalls do not support multi-path? This is the command output from a firewall and each of these networks are behind the core switches. 

 

 

Screen Shot 2019-08-07 at 10.38.20 AM.png

The Cisco config not PA.
In the file, put the comment near it

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Here are both Configs for Each Core 9500. 

 

 

I'll check them over the weekend

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Before I start the explanation of what I did, I just want to point out that I used EEM in a very simple way to achieve this.

As you have many SVIs, you can use TCL/EEM to script in a more complex way to have only 1 script running based on syslog event and check the hsrp state table.

The other way I would personally use is leverage IOS-XE with guestshell (Linux container) and run a python script that can parse show hsrp brie output and make changes based on a previous state which can be saved into a file or database. I don't have any IOS-XE to do a quick lab and show how it will looks like.

 

Anyway the EEM I did to show you works and have to be replicated multiple times (For the switch that's ok to have multiple EEM but it could be tough for you to manage depending on how much EEM you will create).

 

I don't have your design and I built a quick and simple design:

 

image.png

 

For an example I took your vlan150 as work base.

To make sure to prioritize some prefixes from C9500-1 and some others from C9500-2, I used BGP Communities (PA supports these)

On PA (in my example is a Cisco device and you will need to readapt the command line to PA syntax), I used a route-map on both peers to set a local-preference depending on the community the prefix has.

 

PA1#sh ip community-list
Named Community expanded list HIGH
permit 65001:10
Named Community expanded list LOW
permit 65001:20

!

route-map BGP_IN permit 10
 match community HIGH
 set local-preference 200
route-map BGP_IN permit 20
 match community LOW
 set local-preference 90

!

router bgp 65001

 neighbor 172.16.63.1 route-map BGP_IN in

 neighbor 172.16.63.2 route-map BGP_IN in

 

If a prefix is tagged with community 65001:20, it will be considered as low priority (HSRP standby) and with community 65001:10 it will be high priority (HSRP active)

 

 

On 9500 switches, I applied a route-map out with multiple sequences and prefix-lists associated to them: (for readability, I haven't paste all config and I will attach them as text files)

C9500-1 snippet config:

ip prefix-list Vlan150 seq 5 permit 192.168.150.0/24
ip prefix-list Vlan17 seq 5 permit 192.168.7.0/24
!

route-map BGP_OUT permit 10
 match ip address prefix-list Vlan17
 set community 65001:10
route-map BGP_OUT permit 20
 match ip address prefix-list Vlan150
 set community 65001:20
!

router bgp 65001

 neighbor 172.16.63.3 route-map BGP_OUT out ==> in my design, PA has IP 172.16.63.3

 

Obviously, on C9500-2, the route-map has inverted value (rest is identical):

route-map BGP_OUT permit 10
 match ip address prefix-list Vlan17
 set community 65001:20
route-map BGP_OUT permit 20
 match ip address prefix-list Vlan150
 set community 65001:10

 

My HSRP (vrrp in my lab for EVE-NG simulation limitations) show that vlan 150 is active on C9500-1 and standby on C9500-2:

C9500-1#sh vrrp brie
Interface Grp Pri Time Own Pre State Master addr Group addr
Et0/2.150 150 110 3570 Y Master 192.168.150.2 192.168.150.1

C9500-2#sh vrrp brie
Interface Grp Pri Time Own Pre State Master addr Group addr
Et0/1.150 150 90 3648 Y Backup 192.168.150.2 192.168.150.1

 

And obviously, my PA is going to prefer then C9500-1 prefix to be installed in RIB:

 

PA1#sh ip bgp vpnv4 vrf CORP_BKO 192.168.150.0
BGP routing table entry for 65001:10:192.168.150.0/24, version 36
Paths: (2 available, best #1, table CORP_BKO)
Advertised to update-groups:
11
Refresh Epoch 3
Local, (Received from a RR-client)
172.16.63.1 (metric 20) (via default) from 172.16.63.1 (172.16.63.1) ==> C9500-1 has per your loopback info
Origin IGP, metric 0, localpref 200, valid, internal, best
Community: 65001:10
Extended Community: RT:65001:10
mpls labels in/out nolabel/31
rx pathid: 0, tx pathid: 0x0
Refresh Epoch 3
Local, (Received from a RR-client)
172.16.63.2 (metric 20) (via default) from 172.16.63.2 (172.16.63.2) ==> C9500-2 has per your loopback info
Origin IGP, metric 0, localpref 90, valid, internal
Community: 65001:20
Extended Community: RT:65001:10
mpls labels in/out nolabel/30
rx pathid: 0, tx pathid: 0

 

PA1#sh ip bgp vpnv4 vrf CORP_BKO | b 192.168.150
Route Distinguisher: 65001:10 (default for vrf CORP_BKO)
*>i 192.168.150.0 172.16.63.1 0 200 0 i
* i                          172.16.63.2 0 90 0 i

 

The lab is setup has per your IP informations with the route-maps and bgp communities added.

 

Now, I've build 2 EEM applets (1 for HSRP down or backup and 1 for HSRP active). The config is done based on vrrp and maybe adapted with the hsrp output.

 

event manager applet GRP150_DOWN authorization bypass --> the EEM applet DOWN has 2 events to be catch with a OR condition (the 1st or the 2nd not both)
event tag MSG1 syslog pattern "Grp 150 state Master -> Init" --> When issue with SVI (shutdown or whatever)
event tag MSG2 syslog pattern "Grp 150 state Master -> Backup" --> Event in case the priority is lowered and status moves back to standby
trigger
correlate event MSG1 or event MSG2
action 001 cli command "enable"
action 002 cli command "conf t"
action 003 cli command "route-map BGP_OUT permit 20"
action 004 cli command "no set community 65001:10" --> We remove the high community
action 005 cli command "set community 65001:20" --> We add the low community
action 006 cli command "clear ip bgp vpnv4 unicast 65001 soft" --> Just forced a clear soft on BGP
action 090 cli command "end"
action 099 cli command "wr"
action 100 syslog msg "HSRP GRP 150 WENT DOWN. BGP CONFIG CHANGED"

 

event manager applet GRP150_UP authorization bypass
event syslog pattern "Grp 150 state Backup -> Master"
action 001 cli command "enable"
action 002 cli command "conf t"
action 003 cli command "route-map BGP_OUT permit 20"
action 004 cli command "no set community 65001:20" --> We remove the low community when hsrp is back active
action 005 cli command "set community 65001:10" --> We add the high community when hsrp is back active
action 006 cli command "clear ip bgp vpnv4 unicast 65001 soft" --> Just forced a clear soft on BGP
action 090 cli command "end"
action 099 cli command "wr"
action 100 syslog msg "HSRP GRP 150 IS BACK UP. BGP CONFIG CHANGED"

 

Now the testing part.

Your initial configs:

 

C9500-1#sh run int e0/2.150
interface Ethernet0/2.150
description SECURITY_NETWORK_CAMERAS
encapsulation dot1Q 150
vrf forwarding CORP_BKO
ip address 192.168.150.2 255.255.255.0
ip helper-address 10.20.0.50
ip helper-address 10.20.0.51
no ip redirects
no ip unreachables
no ip proxy-arp
vrrp 150 ip 192.168.150.1
vrrp 150 preempt delay minimum 30
vrrp 150 priority 110


C9500-2#sh run int e0/1.150
interface Ethernet0/1.150
description SECURITY_NETWORK_CAMERAS
encapsulation dot1Q 150
vrf forwarding CORP_BKO
ip address 192.168.150.3 255.255.255.0
ip helper-address 10.20.0.50
ip helper-address 10.20.0.51
no ip redirects
no ip unreachables
no ip proxy-arp
vrrp 150 ip 192.168.150.1
vrrp 150 preempt delay minimum 30
vrrp 150 priority 90

I go on C9500-1 and change the priority from 110 to 70 to force C9500-2 becoming active hsrp (vrrp in my lab). If you shut the interface it will work obviously with or without the EEM because the SVI will be down and not advertised by BGP.

 

C9500-1(config)#int e0/2.150
C9500-1(config-subif)#vrrp 150 priori 70 --> lowering the priority 
C9500-1(config-subif)#^Z
C9500-1#
*Aug 9 22:09:25.848: %SYS-5-CONFIG_I: Configured from console by cisco on console
C9500-1#
*Aug 9 22:09:55.641: %VRRP-6-STATECHANGE: Et0/2.150 Grp 150 state Master -> Backup --> Switch is now standby and not anymore active
*Aug 9 22:09:56.597: %SYS-5-CONFIG_I: Configured from console by on vty0 (EEM:GRP150_DOWN) --> EEM DOWN triggered
C9500-1#
*Aug 9 22:09:56.726: %HA_EM-6-LOG: GRP150_DOWN: HSRP GRP 150 WENT DOWN. BGP CONFIG CHANGED --> Syslog message generated by the EEM to keep track on when it has been changed and ran (monitoring purpose)
C9500-1#

 

C9500-2#
*Aug 9 22:09:55.640: %VRRP-6-STATECHANGE: Et0/1.150 Grp 150 state Backup -> Master -> Switch is now active 
*Aug 9 22:09:56.597: %SYS-5-CONFIG_I: Configured from console by on vty0 (EEM:GRP150_UP) --> EEM UP triggered
C9500-2#
*Aug 9 22:09:56.727: %HA_EM-6-LOG: GRP150_UP: HSRP GRP 150 IS BACK UP. BGP CONFIG CHANGED-> Syslog message generated by the EEM to keep track on when it has been changed and ran (monitoring purpose)
C9500-2#

 

Finally the output to validate the prefix is preferred over the new active HSRP member:

 

PA1#sh ip bgp vpnv4 vrf CORP_BKO | b 192.168.150
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 65001:10 (default for vrf CORP_BKO)
* i 192.168.150.0 172.16.63.1 0 90 0 i
*>i                       172.16.63.2 0 200 0 i

PA1#sh ip bgp vpnv4 vrf CORP_BKO 192.168.150.0
BGP routing table entry for 65001:10:192.168.150.0/24, version 42
Paths: (2 available, best #2, table CORP_BKO)
Advertised to update-groups:
11
Refresh Epoch 6
Local, (Received from a RR-client)
172.16.63.1 (metric 20) (via default) from 172.16.63.1 (172.16.63.1) ==> C9500-1
Origin IGP, metric 0, localpref 90, valid, internal
Community: 65001:20
Extended Community: RT:65001:10
mpls labels in/out nolabel/32
rx pathid: 0, tx pathid: 0
Refresh Epoch 6
Local, (Received from a RR-client)
172.16.63.2 (metric 20) (via default) from 172.16.63.2 (172.16.63.2) ==> C9500-2
Origin IGP, metric 0, localpref 200, valid, internal, best
Community: 65001:10
Extended Community: RT:65001:10
mpls labels in/out nolabel/30
rx pathid: 0, tx pathid: 0x0

 

 

Hope this answered your question. If you want to use 1 EEM/TCL to handle all vlans, you will need to work with regex, save the state of previous hsrp state or read live the logging buffer. But again, I would go with guestshell and work with a Linux script or a python (as you prefer and depending on which you're more comfortable with).

 

Attached the config I added for PA, C9500-1 and C9500-2. All in 1 file.

 

Let me know if you need more infos.

 

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

What limitations have you come across in eve with HSRP that you use VRRP? I have solved many issues in eve and HSRP with disabling igmp snooping. I am using HSRP in my eve lab so want to make sure things I am simulating aren't causing an issue with this topology.

Sorry, I'm using VIRL usually and not eve-ng. I just installed it with IOU image very quickly to build your lab and HSRP wasn't working. As it wasn't my focus, I just used VRRP to show you how to use EEM.
Now you can tweak it with tcl or even as I said with Python as you're using IOS-XE which integrates a Linux Container (GuestShell)

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello Francesco,

very good job rated as it deserves.

 

 

Best Regards

Giuseppe

 

Thanks Giuseppe! Much appreciated!

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello Steven,

I am lost now.

You have an iBGP multipath environment if iBGP multipath is really working on the Palo alto FWs why you should tweak BGP MED or local-preference ?

Is it to follow the HSRP Active state as you are discussing with Francesco ?

 

You have written that PA FWs prefer to use the paths coming lowest BGP RID on core routers.

The provided show suggests some use of both core devices if the hits columns means number of usage of each single path.

 

Hope to help

Giuseppe

 

Yes I want the traffic returning through the Palos to the cores to only go to their active hsrp node.

In the lab I am running no matter what I do, multi-path, ecmp, etc, etc, if the vlan has active hsrp on core 2 the palos always want to force it to core 1.

Hello Steven,

OK you can set MED or local-preference for this not AS path prepending as in iBGP AS path attribute is empty.

 

>> In the lab I am running no matter what I do, multi-path, ecmp, etc, etc, if the vlan has active hsrp on core 2 the palos always want to force it to core 1.

First PA FWs cannot know who is HSRP active.

Second the behaviour that you describe for me means that iBGP multipath is not occurring in your lab.

Note:

How do you make your tests ?

There is a chance that an hashing function choices the same path for all test flows on the PA FWs?

 

Hope to help

Giuseppe

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco