The purpose of this lab is to improve the selection of the outbound transit paths in our multi-homed group, i.e. to make it more deterministic.
The lab topology diagram is included below as a reminder.
Our autonomous system can now choose between two transit providers for all non-local traffic. As we saw in the previous exercise, the border router in our AS would choose either of the transits based purely on the age of the learned default route from the upstream. If a link is toggled, the other transit provider would be chosen (as it became the oldest learned default). This really is not ideal.
We will now configure our border router such that the transit provider chosen for inbound and outbound traffic is TR1 (AS121). TR2 (AS122) will be the backup.
Recall from the BGP presentation that we choose outbound paths using the local-preference attribute. So we need to set up a route-map to tag the default route we learn from AS121 with a high local preference.
But note we already have a route-map applied to the BGP peering with AS121 - the configuration currently looks something like this:
router bgp X0
 address-family ipv4
  neighbor <ipv4-ptp-TR1> route-map tag-default in
  neighbor <ipv4-ptp-TR2> route-map tag-default in
 !
 address-family ipv6
  neighbor <ipv6-ptp-TR1> route-map tag-v6default in
  neighbor <ipv6-ptp-TR2> route-map tag-v6default in
 !
The same route-map is being used on both transit router peerings. This is not a good idea in the long term, as we will want to implement a different policy for each transit provider.
We will now redo the route-maps for each Transit provider. Here are the two existing route-maps (IPv4 and IPv6):
route-map tag-default permit 10
 match ip address prefix-list DEFAULT-ROUTE
 set community no-advertise
!
route-map tag-default permit 20
!
route-map tag-v6default permit 10
 match ipv6 address prefix-list DEFAULT-v6ROUTE
 set community no-advertise
!
route-map tag-v6default permit 20
!
We will create a new route-map (one for IPv4, another for IPv6) for the AS121 peering to include an additional set clause, to make the local-preference 150. Like this for IPv4:
route-map TR1-tag-default permit 10
 match ip address prefix-list DEFAULT-ROUTE
 set community no-advertise
 set local-preference 150
!
route-map TR1-tag-default permit 20
!
and like this for IPv6:
route-map TR1-tag-v6default permit 10
 match ipv6 address prefix-list DEFAULT-v6ROUTE
 set community no-advertise
 set local-preference 150
!
route-map TR1-tag-v6default permit 20
!
Once you have created the new route-map, we can apply it to the BGP peering with AS121, like this:
router bgp X0
 address-family ipv4
  neighbor <ipv4-ptp-TR1> route-map TR1-tag-default in
 !
 address-family ipv6
  neighbor <ipv6-ptp-TR1> route-map TR1-tag-v6default in
 !
Once applied, don’t forget to do a route-refresh on the BGP session.
Next, we create a new route-map for the AS122 peering. It is exactly the same as the existing route-map tag-default, just with a new name. We don’t need to set the local-preference here, as the default local-preference of 100 is sufficient.
Here is an example of the IPv4 route-map:
route-map TR2-tag-default permit 10
 match ip address prefix-list DEFAULT-ROUTE
 set community no-advertise
!
route-map TR2-tag-default permit 20
!
and here is an example of the IPv6 route-map:
route-map TR2-tag-v6default permit 10
 match ipv6 address prefix-list DEFAULT-v6ROUTE
 set community no-advertise
!
route-map TR2-tag-v6default permit 20
!
Now apply the route-map to the AS122 peering, in the same way as we did for the AS121 peering. Don’t forget to apply a route-refresh to the BGP peering (as IOS does not do it automatically).
Once you have applied the new route-maps to the two eBGP peerings, you need to remove the old route-maps simply by doing no route-map tag-default and no route-map tag-v6default in configuration mode. Save the configuration and then confirm that these two route-maps are gone.
Now look at the BGP table. What do you see?
Try a traceroute from your Access router to the Internet - which transit provider does the trace exit through? Is it AS121 or AS122?
What about a traceroute to another group? Hopefully that still goes through the IXP or private peer!
Now try a traceroute from your laptop to the Access routers in the network. Which way does the traffic go, through AS121 or AS122 or both? Can you explain why?
Right now the traffic entering each group from the wider network will enter through the AS121 transit provider (but not by any deliberate policy on our behalf [1]). We will now modify the configuration on the peering with our upstreams so that inbound traffic comes through the AS122 transit provider to each group.
To do this we will have one policy tool available to us, the AS-PATH prepend. We will modify the policy on our peering with AS121 so that our address block is announced to AS121 with a longer AS path than that of the peering with AS122.
To do this we create a new route-map for use outbound on the peering with AS121. It will replace the existing Transit-out route-map we created previously. This route-map will look for our IP address block, and apply a three times AS-PATH prepend on it. Here is an example - note we can use this route-map for both IPv4 and IPv6 as it has no address family specific configuration in it:
route-map TR1-prepend permit 10
 match community 1
 set as-path prepend X0 X0 X0
!
Once we have created the route-map we apply it to the BGP peering with AS121. Here is an example for IPv4:
router bgp X0
 address-family ipv4
  neighbor <ipv4-ptp-TR1> route-map TR1-prepend out
 !
and for IPv6:
router bgp X0
 address-family ipv6
  neighbor <ipv6-ptp-TR1> route-map TR1-prepend out
 !
Once the configuration has been applied, remember to run an outbound route-refresh on the eBGP session with the AS121 router (TR1), for both IPv4 and IPv6.
There is no real way of seeing what is happening within the transit provider network - but the instructors will log into the transit routers and show the class the BGP table there.
However, each group should try a traceroute from their laptops to their Access router in their Group network. Which way does the inbound traffic go? Via AS121 or AS122 or what happens? What about an outbound traceroute from the Access router to 8.8.8.8, for example?
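Added example, not part of the original lab: a simplified model of BGP best-path selection (highest local-preference, then shortest AS path, then oldest route) applied to the two policies in this lab. AS number 10 stands in for X0, the route ages are constructed, and AS121 is assumed to leave local-preference at its default on both of its paths to us.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Path:
    via: str                # neighbour the route was learned from
    as_path: tuple          # AS path as received
    local_pref: int = 100   # default when no route-map sets it
    age: int = 0            # seconds since the route was learned (constructed)

def best_path(paths):
    """Simplified decision: highest local-pref, shortest AS path, then oldest."""
    return max(paths, key=lambda p: (p.local_pref, -len(p.as_path), p.age))

def prepend(as_path, asn, count):
    """Effect of 'set as-path prepend' with `count` copies of `asn`."""
    return (asn,) * count + tuple(as_path)

X0 = 10  # constructed stand-in for the group AS written as X0 in the lab

def outbound_choice(tr1_pref, tr1_age, tr2_age):
    """Border router picking between the default routes from TR1 and TR2."""
    return best_path([
        Path("TR1", (121,), local_pref=tr1_pref, age=tr1_age),
        Path("TR2", (122,), age=tr2_age),
    ]).via

def inbound_choice_at_as121(prepends):
    """AS121 picking how to reach our block: direct link or via AS122."""
    direct = prepend((X0,), X0, prepends)  # what TR1-prepend announces
    return best_path([
        Path("direct", direct, age=50),
        Path("via AS122", (122, X0), age=50),
    ]).via

if __name__ == "__main__":
    # Before the change the older default wins, so a link flap moves traffic.
    print("no policy, TR2 older:", outbound_choice(100, 300, 900))
    print("no policy, TR1 older:", outbound_choice(100, 900, 300))
    # With local-preference 150 on TR1, age no longer matters.
    print("TR1 pref 150, TR2 older:", outbound_choice(150, 300, 900))
    # Inbound: three prepends make the direct path longer than the AS122 path.
    print("AS121, no prepend:", inbound_choice_at_as121(0))
    print("AS121, 3 prepends:", inbound_choice_at_as121(3))
```

The model omits the other tie-breakers (weight, origin, MED, router ID), none of which this lab configures.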
[1] The path from the outside world to our 6 groups comes from the Virtualised Training Platform to AS121 first. AS121's best path to every group is via the direct link. The path via AS122 is one AS longer, so it will not be used except as backup.