The purpose of this exercise is to:
Apply the concepts of BGP policy learned in class to achieve the desired traffic patterns, particularly in an academic environment.
Learn how to use Local Preference and other BGP operational commands.
This exercise builds upon the configurations implemented in the basic BGP routing lab. You must:
Verify that all your BGP sessions are up
Be able to see every lab prefix in your routing table
Be able to ping and traceroute successfully to any other router in the lab.
Remember, all the above applies to both IPv4 and IPv6.
The following diagram should serve as a visual reminder of the topology of the lab network and the address blocks assigned to each group, ISP, NREN, etc.
Research and Education Networks (RENs) are designed for high throughput and low latency. In many cases their links are also subsidised by governments and other organizations. Therefore, it is common in academic environments to want to apply routing policies that prefer these paths over the "commodity" (commercial) ones.
Our first goal is to configure our routers to prefer the paths via the NREN for outgoing traffic to ALL destinations.
Use the Local Preference attribute to prefer all routes learned via the NREN:
B11 (to NREN):
route-map set-lpref-nren permit 10
description Set High Local Pref on everything
set local-preference 150
!
router bgp 10
address-family ipv4
neighbor 100.101.1.1 route-map set-lpref-nren in
address-family ipv6
neighbor 2001:11:0:10:: route-map set-lpref-nren in
B12 (to ISP):
route-map set-lpref-isp permit 10
description Set Low Local Pref on everything
set local-preference 50
!
router bgp 10
address-family ipv4
neighbor 100.121.1.1 route-map set-lpref-isp in
address-family ipv6
neighbor 2001:18:0:10:: route-map set-lpref-isp in
What is the default local preference in Cisco IOS?
Notice that we are setting a higher preference on the NREN side, and a lower preference on the ISP side. Explain why this would be useful.
Check your BGP routes. The next hop in B11 should be the address of your NREN's router (except for your own prefix). In B12, the next hop should be B11's loopback address. Remember the 'next-hop-self' parameter?
show ip bgp
show bgp ipv6 unicast
All good now, right?
Wait!... What about the prefixes of ASs with whom you are peering directly? Remember the path selection algorithm? What comes first, highest local preference or shortest AS path?
We will now modify the route map to apply a higher local preference to prefixes originated by your direct peers. So we want high preference on prefixes originated by the NREN and by the ISP. We also want high preference on prefixes transited to us by the NREN (as they will be from other NREN customers or the RREN).
Notice the AS Path access list below. How does it work?
Rather than listing all the ASNs above, the access list matches anything originated by any neighbouring AS, and the route-map then sets a local preference even higher than that for the regular routes heard from the neighbours.
On B11:
ip as-path access-list 1 permit ^[0-9]+$
!
no route-map set-lpref-nren
!
route-map set-lpref-nren permit 10
description Set High Local Pref for adjacent ASNs
match as-path 1
set local-preference 200
route-map set-lpref-nren permit 20
description Set Local Pref for rest of NREN routes
set local-preference 150
!
router bgp 10
address-family ipv4
neighbor 100.101.1.1 route-map set-lpref-nren in
address-family ipv6
neighbor 2001:11:0:10:: route-map set-lpref-nren in
!
On B12:
ip as-path access-list 1 permit ^[0-9]+$
!
no route-map set-lpref-isp
!
route-map set-lpref-isp permit 10
description Set High Local Pref for adjacent ASNs
match as-path 1
set local-preference 200
route-map set-lpref-isp permit 20
description Set Low Local Pref for rest of ISP routes
set local-preference 50
!
router bgp 10
address-family ipv4
neighbor 100.121.1.1 route-map set-lpref-isp in
address-family ipv6
neighbor 2001:18:0:10:: route-map set-lpref-isp in
!
Use BGP route refresh to make sure that the policies are applied:
clear ip bgp external in
clear bgp ipv6 unicast external in
The keyword external in the command refreshes the External BGP (eBGP) sessions only; the Internal BGP (iBGP) sessions are not touched in this case.
Check your BGP routes again. What is the next hop towards your direct peers' prefixes? Can you explain what is happening now?
In the previous step we saw that traffic from our immediate neighbouring groups went via our NREN provider rather than via the direct peering. For example AS10 traffic to AS20 and AS30 is going via the NREN, not over the direct peering links. We need to fix this now.
We need to create a new route-map for the bi-lateral peerings we have with the other groups.
B11 peering with B32
ip as-path access-list 1 permit ^[0-9]+$
!
route-map set-lpref-peer permit 10
description Set High Local Pref for adjacent ASNs
match as-path 1
set local-preference 200
!
router bgp 10
address-family ipv4
neighbor 100.68.3.25 route-map set-lpref-peer in
address-family ipv6
neighbor 2001:db8:3:12::0 route-map set-lpref-peer in
!
The other router groups should come up with a similar configuration for B12 through B62. The route-map will be the same, just allowing prefixes from the neighbouring AS into the network, and setting the local preference high. Once this is applied, all prefixes from immediately adjacent ASes will have local preference 200.
Note that the route-map set-lpref-peer does not have a line 20, which makes it an implicit filter. (Cisco IOS route-maps drop prefixes by default unless there is a matching condition.) Not including a following line ensures that any prefix a peer sends to the local AS must only be originated by the adjacent AS, and not be transited from anywhere else.
Explain why this might be a good idea.
Use BGP route refresh to make sure that the policies are applied:
clear ip bgp external in
clear bgp ipv6 unicast external in
Check your BGP routes again. What is the next hop towards your direct peers' prefixes? (Hint: the path should be direct now!)
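The following added example (not part of the original lab material) models the three route-maps above in Python and replays the path choice for a direct peer's prefix before and after set-lpref-peer is applied, including the implicit deny on transited routes. The AS paths, the neighbor labels and the NREN/ISP ASNs 101 and 121 are assumptions constructed for illustration, and only local preference and AS-path length are compared.

```python
import re

# Assumption: default local preference is 100, the value the C61 table shows
# on routes that passed through no local-preference policy.
DEFAULT_LPREF = 100
ADJACENT_ONLY = re.compile(r"^[0-9]+$")  # ip as-path access-list 1: exactly one ASN

# Each route-map is an ordered list of (as-path regex or None, local-pref).
# None means the clause has no match statement and so matches everything.
ROUTE_MAPS = {
    "set-lpref-nren": [(ADJACENT_ONLY, 200), (None, 150)],
    "set-lpref-isp": [(ADJACENT_ONLY, 200), (None, 50)],
    "set-lpref-peer": [(ADJACENT_ONLY, 200)],  # no clause 20: implicit deny
}

def apply_route_map(name, as_path):
    """Return the local preference given to the route, or None if it is dropped."""
    if name is None:  # neighbor has no inbound route-map
        return DEFAULT_LPREF
    for regex, lpref in ROUTE_MAPS[name]:
        if regex is None or regex.search(as_path):
            return lpref
    return None  # no clause matched

def best_path(candidates):
    """Pick the winner by highest local preference, then shortest AS path.

    Simplification: weight and the later tie-breakers are assumed equal.
    candidates is a list of (neighbor label, route-map name, AS path).
    """
    accepted = []
    for neighbor, rmap, as_path in candidates:
        lpref = apply_route_map(rmap, as_path)
        if lpref is not None:
            accepted.append((-lpref, len(as_path.split()), neighbor))
    return min(accepted)[2] if accepted else None

def as30_routes(peer_map):
    """Constructed AS paths for an AS30 prefix as AS10 could receive it."""
    return [
        ("NREN", "set-lpref-nren", "101 30"),  # assumed NREN ASN 101
        ("ISP", "set-lpref-isp", "121 30"),    # assumed ISP ASN 121
        ("peer-B32", peer_map, "30"),
    ]

if __name__ == "__main__":
    print(best_path(as30_routes(None)))                # NREN
    print(best_path(as30_routes("set-lpref-peer")))    # peer-B32
    print(apply_route_map("set-lpref-peer", "30 40"))  # None
```

With no policy on the peering session the shorter direct path loses to the NREN path because local preference is compared before AS-path length; a route the peer transits from another AS never enters the table at all.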
Before we move on to the next BGP policy section, the instructors will display the BGP table from one of the group's routers on the overhead screen. Take a look at your BGP table now and be ready to explain what the best paths are from your router, your AS, to the ISPs, to the NRENs and to the RREN. Do the paths seem reasonable to you?
What about in your day to day situation? If you are an NREN operator, would you want the paths you see now? Or if you are a campus network administrator, what would your opinion be? Discuss.
Included for completeness and to aid discussion, here is the BGP table as seen on C61 at the end of this lab exercise.
C61#sh ip bgp
BGP table version is 17, local router ID is 100.68.6.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
    Network           Next Hop          Metric LocPrf Weight Path
*>i 100.68.1.0/24     100.68.6.1             0    150      0 102 122 121 10 i
*>i 100.68.2.0/24     100.68.6.1             0    150      0 102 122 121 20 i
*>i 100.68.3.0/24     100.68.6.1             0    150      0 102 122 121 30 i
*>i 100.68.4.0/24     100.68.6.2             0    200      0 40 i
*>i 100.68.5.0/24     100.68.6.1             0    200      0 50 i
* i 100.68.6.0/24     100.68.6.2             0    100      0 i
* i                   100.68.6.1             0    100      0 i
*>                    0.0.0.0                0         32768 i
*>i 100.100.0.0/16    100.68.6.1             0    150      0 102 100 i
*>i 100.101.0.0/16    100.68.6.1             0    150      0 102 100 101 i
*>i 100.102.0.0/16    100.68.6.1             0    200      0 102 i
*>i 100.121.0.0/16    100.68.6.1             0    150      0 102 100 121 i
*>i 100.122.0.0/16    100.68.6.2             0    200      0 122 i