BGP route manipulation 1

Status
Not open for further replies.

Reignman (Technical User; joined Apr 22, 2002; messages: 24; location: GR)
Hello All,
first of all I'd like to say that I'm very new to the Cisco world, so please tolerate my ignorance.
We have two Cisco 3640 running iBGP and each of them has an eBGP connection with a different ISP.
For now, all of our traffic goes thru one of these ISPs and this is causing us problems (full line).
I forgot to say that we have our own AS number and address space.
What I would like to do is change for specific Class C's the preferred way out (thru the second ISP).
I believe that this is done using route maps but I'm having difficulties figuring out how I should do it.
Could someone please give me some assistance?
Thank you all very much in advance!
 
Here are a few designs for you to look at. I'm not exactly sure what you want to do, so I tried to cover as broad a selection as I could think of without getting too big on explanations. I'm sorry I made this post a bit long didn't I?

Creating a BGP Policy List

1. enable

2. configure terminal

3. ip policy-list policy-list-name {permit | deny}

4. match as-path as-number

5. match metric metric

6. end

DETAILED INFORMATION ON THE STEPS

Step 1
Command or action: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2
Command or action: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or action: ip policy-list policy-list-name {permit | deny}
Example: Router(config)# ip policy-list policy-list-name permit
Purpose: Enters policy-list configuration mode and creates a BGP policy list that will permit routes that are allowed by the match clauses that follow.

Step 4
Command or action: match as-path as-number
Example: Router(config-policy-list)# match as-path as-number
Purpose: Creates a match clause to permit routes from the specified autonomous system path.

Step 5
Command or action: match metric metric
Example: Router(config-policy-list)# match metric metric
Purpose: Creates a match clause to permit routes with the specified metric.

Step 6
Command or action: end
Example: Router(config-policy-list)# end
Purpose: Exits policy-list configuration mode and enters privileged EXEC mode.


You also want to look at this!!


Creating a BGP Policy List that Matches a Community Using Regular Expression Filtering



STEPS
1. enable

2. configure terminal

3. ip policy-list policy-list-name {permit | deny}

4. match community regular-expression

5. match ip next-hop ip-address

6. end

DETAILED INFORMATION STEPS

Step 1
Command or action: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2
Command or action: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or action: ip policy-list policy-list-name {permit | deny}
Example: Router(config)# ip policy-list policy-list-name deny
Purpose: Enters policy-list configuration mode and creates a BGP policy list that will deny routes that are matched by the match clauses that follow.

Step 4
Command or action: match community regular-expression
Example: Router(config-policy-list)# match community regular-expression
Purpose: Creates a match clause to permit routes that match the specified regular expression.

Step 5
Command or action: match ip next-hop ip-address
Example: Router(config-policy-list)# match ip next-hop ip-address
Purpose: Creates a match clause to permit routes with the specified next hop of a router.

Step 6
Command or action: end
Example: Router(config-policy-list)# end
Purpose: Exits policy-list configuration mode and enters privileged EXEC mode.


This is something else you may want to consider.


Configuring Policy Lists in Route-Maps

One problem with Policy lists is that they support only match clauses and do not support set clauses. Yet policy lists can coexist in route map entries, with match and set clauses that are configured separately from the policy lists.

NOTE: You will need to create the POLICY-LIST first!

Configuring a Route-Map


SUMMARY STEPS
1. enable

2. configure terminal

3. route-map route-map-name permit sequence-number

4. match ip-address access-list-number

5. match policy-list policy-list-name

6. set community community-number

7. end

DETAILED INFORMATION STEPS

Step 1
Command or action: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2
Command or action: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or action: route-map map-tag [permit | deny] [sequence-number]
Example: Router(config)# route-map route-map-name permit sequence-number
Purpose: Enters route-map configuration mode and creates a route map.

Step 4
Command or action: match ip address {access-list-number | access-list-name} [... access-list-number | ... access-list-name]
Example: Router(config-route-map)# match ip address access-list-number
Purpose: Creates a match clause to permit routes that match the specified access-list-number.

Step 5
Command or action: match policy-list policy-list-name
Example: Router(config-route-map)# match policy-list policy-list-name
Purpose: Creates a clause that will match the specified policy list. All match clauses within the policy list will be evaluated and processed. Multiple policy lists can be referenced with this command. This command also supports AND or OR semantics like a standard match clause.

Step 6
Command or action: set community community-number [additive] | none
Example: Router(config-route-map)# set community 1
Purpose: Creates a clause to set or remove the specified community.

Step 7
Command or action: set local-preference preference-value
Example: Router(config-route-map)# set local-preference preference-value
Purpose: Creates a clause to set the specified local preference value.

Step 8
Command or action: end
Example: Router(config-route-map)# end
Purpose: Exits route-map configuration mode and places the router in privileged EXEC mode.


 
No don't worry it's OK! :)
However, to tell you the truth I'm a little confused on how to do what I want.
What I know for sure is that there won't be any communities involved and the manipulation I want to do is based on the origin of specific Class C's.
This means that from a total of 24 Class C's we have, I would like to announce four of them to my second ISP (high preference), still I would like to have a backup route from the first one.
I hope I was a little more clear this time.
 
Try this style:


1. enable

2. configure terminal

3. ip policy-list policy-list-name {permit | deny}
(use this as the way to say updates are permitted this
way and denied the other direction. Think of it like
an access-list.)

4. match as-path as-number
(with this policy you want to think of it as the
direction you want specific traffic to be announced;
what gets announced will be in the route map below)

5. match metric metric

6. end

Then use the route-mapping


2. configure terminal

3. route-map route-map-name permit sequence-number

4. match ip-address access-list-number
(your class c addresses)

5. match policy-list policy-list-name

6. end


 
If I managed to be even more confusing let me know and I will try to work with you on the problem a little more in depth. Also, if you feel secure you can email the addresses AS-paths (basically a show runn of all devices and a description of which block of addresses you want going where) and I will help you with the design.

Hope I helped!

tschouten@weltman.com
 
I think your answer cleared things much more..
I still have a few questions though (sorry about that)..
e.g.

ip policy-list SPECIFIC permit
match as-path <as number of the second ISP???>
match metric metric (I don't understand what you mean here)

route-map ToISP2 permit 10
match ip-address 90
match policy-list SPECIFIC

access-list 90 remark *** ANNOUNCE NETWORKS***
access-list 90 permit 192.168.9.0 0.0.3.255

Finally, in the router bgp xxx section I enter
neighbor 10.0.0.1 route-map ToISP2 out

Am I correct?
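Added example (not part of the original posts): a small Python model of what the ToISP2 route-map above would advertise, looking only at its `match ip address 90` clause and the implicit deny that ends every route-map. The `match policy-list SPECIFIC` clause is left out because the thread never settles its as-path value, and the 24 prefixes 192.168.0.0/24 to 192.168.23.0/24 are constructed stand-ins for the poster's address space.

```python
import ipaddress

def acl_permits(network_address, base, wildcard):
    """Standard-ACL test: compare only the bits where the wildcard is 0."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(network_address) & care) == (int(ipaddress.IPv4Address(base)) & care)

# access-list 90 permit 192.168.9.0 0.0.3.255  (as posted in the thread)
ACL_90 = [("192.168.9.0", "0.0.3.255")]

def route_map_out(prefix, acl=ACL_90):
    """Model 'route-map ToISP2 permit 10' with 'match ip address 90'.

    A standard ACL used in a route-map is compared against the prefix's
    network address only; the mask length is never examined. A prefix that
    matches no entry falls through to the implicit deny and is not sent.
    """
    net = ipaddress.ip_network(prefix)
    for base, wildcard in acl:
        if acl_permits(net.network_address, base, wildcard):
            return "advertise"
    return "implicit deny"

def advertised(prefixes):
    """Return the prefixes the modelled route-map lets out to the neighbor."""
    return [p for p in prefixes if route_map_out(p) == "advertise"]

# Constructed sample: 24 /24s standing in for the poster's 24 Class C's.
OWN_PREFIXES = [f"192.168.{n}.0/24" for n in range(24)]

if __name__ == "__main__":
    print("sent to ISP2:", advertised(OWN_PREFIXES))
    for probe in ("192.168.12.0/24", "192.168.8.0/22", "192.168.9.128/25"):
        print(probe, "->", route_map_out(probe))
```

ACL 90 covers 192.168.8.0 through 192.168.11.255, so four /24s are advertised and the other twenty are dropped by the implicit deny, which leaves them without a path through that neighbor. Because a standard ACL ignores prefix length, a /22 or /25 inside that range is advertised as well.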
 
looks right to me

As for your question

match metric metric (I don't understand what you mean here)

match metric metric_number {Creates a match clause to permit routes with the specified metric. I should have explained that I placed that there as an option to further limit or should say be more robust in how you can design the policy statement.}

ip policy-list SPECIFIC permit
match as-path <as number of the second ISP???>
match as path to which as path you want used or blocked depending on how you design it; in this case you are matching and permitting its use..

 
Thinking about this; I wasn't very descriptive was I....

ip policy-list SPECIFIC permit
match as-path <as number of the second ISP???>
match as path to which as path you want used or blocked depending on how you design it; in this case you are matching and permitting its use..

The exact definition of that statement is this: match as-path: Creates a match clause to permit routes from the specified autonomous system path.
 
a) Regarding the metric, I think I cannot use weight (the route-map is out). What else can I use that would have an effect?
b) Could you give an example on the match as-path command? I somehow don't get it (perhaps I'm stupid)...
 
I doubt you're stupid; probably the IOS version you are using doesn't have the ip policy-list command. You are probably trying to use policy-map and that won't work for this at all. Check your IOS version; if you are on 12.0(22)S or higher you will have the command available.

This is what your commands should look like:

Router>en
Router#conf t
Router(config)#ip policy-list POLICYTEST permit
Router(config-policy-list)#match as-path 1654


Hope that helps you...
 
That was it! Old IOS version!
After uploading a newer version (12.1.5(T)) it worked like a charm!
Now, can you help me on the opposite direction?
What I mean is I have a subnet where I want all of its PCs, routers, etc. to be able to use primarily ISP B and not A to find their way in the Internet.
e.g. a router with the IP 192.168.9.10 to be forced to use ISP B and not ISP A as we have declared for all other subnets.
Am I asking too much?
Thanx once more for your patience! :)
 
Anybody???
I've tried several options but nothing seems to work....
 
Did you create another policy-list and route-map for it?
You should be able to do the same thing, just create a separate list and map for matching using the different ip addresses and as-numbers.

Sorry didn't see your request for more help until now.
 
I tried many different ideas that I had but couldn't make it work.
The previous request I had was for incoming sessions to my AS, so by using different metrics I had the result I wanted.
This time the problem is a little more complex for me.
I've already set weight metrics to both peers and also local preference. This way most of my outgoing traffic goes thru ISP A. However I can't change the metrics for some of my Class C's....

 
Tell you what, email me all the specifics; we can work back and forth like that much faster. I will post the results of our working together.

tschouten@weltman.com

 