Scribd
Upload
180 views22 pages

BGP Policy Lab: Remember, All The Above Applies To Both Ipv4 and Ipv6

The document provides instructions for a BGP policy lab to prefer research and education network (REN) paths over commercial paths. It describes using local preference and AS path prepending to influence outbound and inbound traffic patterns. The goal is to steer traffic towards the academic paths for performance and economic reasons by making these paths more attractive in the BGP decision process.

Uploaded by

Nwankwo
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
180 views22 pages

BGP Policy Lab: Remember, All The Above Applies To Both Ipv4 and Ipv6

The document provides instructions for a BGP policy lab to prefer research and education network (REN) paths over commercial paths. It describes using local preference and AS path prepending to influence outbound and inbound traffic patterns. The goal is to steer traffic towards the academic paths for performance and economic reasons by making these paths more attractive in the BGP decision process.

Uploaded by

Nwankwo
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 22

2016/01/17 04:05

1/22

BGP Policy Lab

BGP Policy Lab


Introduction
The purpose of this exercise is to:
Apply the concepts of BGP policy learned in class to achieve the desired trac patterns,
particularly in an academic environment.
Learn how to use Local Preference, BGP Communities, AS Path Prepending and related BGP
operational commands.

Pre-requisites
This exercise builds upon the congurations implemented in the basic BGP routing lab. You must:
Verify that all your BGP sessions are up
Be able to see every lab prex in your routing table
Be able to ping and traceroute successfully to any other router in the lab.
Remember, all the above applies to both IPv4 and IPv6.

Lab Network Topology and Address Assignments


The following diagram should serve as a visual reminder of the topology of the lab network and the
address blocks assigned to each group, ISP, NREN, etc.

Workshops - http://workshops.nsrc.org/dokuwiki/

Last update:
2016:preginet-bgp:3-lab-bgp-policy http://workshops.nsrc.org/dokuwiki/doku.php?id=2016:preginet-bgp:3-lab-bgp-policy
2016/01/17 03:37

Routing Policy in academic networks


Research and Education Networks (RENs) are designed for high throughput and low latency. In many
cases their links are also subsidized by governments and other organizations. Therefore, it is common
in academic environments to want to apply routing policies that prefer these paths over the
commodity (commercial) ones.

Local Preference
Our rst goal is to congure our routers to prefer the paths via the NREN for outgoing trac to ALL
destinations.

Preferring NREN routes


Use the Local Preference attribute to prefer all routes learned via the NREN:
B11 (to NREN):
route-map set-lpref-nren permit 10
description Set High Local Pref on everything
set local-preference 150
!
router bgp 10
address-family ipv4
neighbor 100.101.1.1 route-map set-lpref-nren in
address-family ipv6
neighbor 2001:11:0:10:: route-map set-lpref-nren in
B12 (to ISP):
route-map set-lpref-isp permit 10
description Set Low Local Pref on everything
set local-preference 50
!
router bgp 10
address-family ipv4
neighbor 100.121.1.1 route-map set-lpref-isp in
address-family ipv6
neighbor 2001:18:0:10:: route-map set-lpref-isp in
What is the default local preference in Cisco IOS?
Notice that we are setting a higher preference on the NREN side, and a lower preference on the ISP
side. Explain why this would be useful.
Check your BGP routes. The next hop in B11 should be the address of your NREN's router (except for
http://workshops.nsrc.org/dokuwiki/

Printed on 2016/01/17 04:05

2016/01/17 04:05

3/22

BGP Policy Lab

your own prex). In B12, the next hop should be B11's loopback address. Remember the 'next-hopself' parameter?
show ip bgp
show bgp ipv6 unicast
All good now, right?
Wait! What about the prexes of ASs with whom you are peering directly? Remember the path
selection algorithm? What comes rst, highest local preference or shortest AS path?

Increasing local preference for direct peers


We will now modify the route map to apply a higher local preference to prexes originated by your
direct peers. So we want high preference on prexes originated by the NREN and by the ISP. We also
want high preference on prexes transited to us by the NREN (as they will be from other NREN
customers or the RREN).
Notice the AS Path access list below. How does it work?
What we have done, rather than listing all the ASNs above, we have said that anything originated by
any neighbouring AS should be matched, and in the route-map we will set a local-preference even
higher than that for the regular routes heard from the neighbours.
On B11:
ip as-path access-list 1 permit ^[0-9]+$
!
no route-map set-lpref-nren
!
route-map set-lpref-nren permit 10
description Set High Local Pref for adjacent ASNs
match as-path 1
set local-preference 200
route-map set-lpref-nren permit 20
description Set Local Pref for rest of NREN routes
set local-preference 150
!
router bgp 10
address-family ipv4
neighbor 100.101.1.1 route-map set-lpref-nren in
address-family ipv6
neighbor 2001:11:0:10:: route-map set-lpref-nren in
!
On B12:
ip as-path access-list 1 permit ^[0-9]+$
!
no route-map set-lpref-isp
Workshops - http://workshops.nsrc.org/dokuwiki/

Last update:
2016:preginet-bgp:3-lab-bgp-policy http://workshops.nsrc.org/dokuwiki/doku.php?id=2016:preginet-bgp:3-lab-bgp-policy
2016/01/17 03:37

!
route-map set-lpref-isp permit 10
description Set High Local Pref for adjacent ASNs
match as-path 1
set local-preference 200
route-map set-lpref-isp permit 20
description Set Low Local Pref for rest of ISP routes
set local-preference 50
!
router bgp 10
address-family ipv4
neighbor 100.121.1.1 route-map set-lpref-isp in
address-family ipv6
neighbor 2001:18:0:10:: route-map set-lpref-isp in
!
Use BGP route refresh to make sure that the policies are applied:
clear ip bgp external in
clear bgp ipv6 unicast external in
The use of external in the command means to refresh the External BGP (eBGP) sessions only - the
Internal BGP (iBGP) sessions are not touched in this case.
Check your BGP routes again. What is the next hop towards your direct peers' prexes? Can you
explain what is happening now?

Preferring Local Peers over upstreams


In the previous step we saw that trac from our immediate neighbouring groups went via our NREN
provider rather than via the direct peering. For example AS10 trac to AS20 and AS30 is going via
the NREN, not over the direct peering links. We need to x this now.
We need to create a new route-map for the bi-lateral peerings we have with the other groups.
B11 peering with B32
ip as-path access-list 1 permit ^[0-9]+$
!
route-map set-lpref-peer permit 10
description Set High Local Pref for adjacent ASNs
match as-path 1
set local-preference 200
!
router bgp 10
address-family ipv4
neighbor 100.68.30.25 route-map set-lpref-peer in
address-family ipv6
neighbor 2001:db8:30:12::0 route-map set-lpref-peer in
http://workshops.nsrc.org/dokuwiki/

Printed on 2016/01/17 04:05

2016/01/17 04:05

5/22

BGP Policy Lab

!
The other router groups should come up with a similar conguration for B12 through R62. The routemap will be the same, just allowing prexes from the neighbouring AS into the network, and setting
the local preference high. Once this is applied, all prexes from immediately adjacent ASes will be
local preference 200.
Note that the route-map set-lpref-peer does not have a line 20 which makes it an implicit lter. (Cisco
IOS route-maps drop prexes by default unless there is a matching condition.) Not including a
following line ensures that any prex a peer sends to the local AS must only be originated by the
adjacent AS, and not be transited from anywhere else.
Explain why this might be a good idea.
Use BGP route refresh to make sure that the policies are applied:
clear ip bgp external in
clear bgp ipv6 unicast external in
Check your BGP routes again. What is the next hop towards your direct peers' prexes? (Hint: the
path should be direct now!)

STOP - Checkpoint One


All groups must nish this part before continuing. Please do NOT continue until the instructor
says so.
As part of the review, before we move on to the next BGP policy section, the instructors will display
the BGP table from one of the groups routers on the overhead screen. Take a look at your BGP table
now be ready to explain what the best paths are from your router, your AS, to the ISPs, to the NRENs
and to the RREN. Do the paths seem reasonable to you?
What about in your day to day situation? If you are an NREN operator, would you want the paths you
see now? Or if you are a campus network administrator, what would your opinion be? Discuss.

AS-Path Prepending
At this point we have inuenced outbound trac only. Now we want to inuence the trac COMING
IN to our AS. We want trac to come to us via the R&E networks as much as possible.
In the case of this lab, every other group is already preferring the NREN link for their outgoing trac.
For groups connected to your same NREN, the trac towards you will NOT go via the commodity
(commercial) Internet. However, this is not the case for groups connected to other NRENs.
To see this, check your paths towards groups NOT connected to your NREN, starting from your core
router (normally the campus core L3 switch) - aim for another core router. For example, from AS10
using both IPv4 and IPv6:
Workshops - http://workshops.nsrc.org/dokuwiki/

Last update:
2016:preginet-bgp:3-lab-bgp-policy http://workshops.nsrc.org/dokuwiki/doku.php?id=2016:preginet-bgp:3-lab-bgp-policy
2016/01/17 03:37

C11#
C11#
C11#
C11#

show ip bgp 100.68.40.0


traceroute 100.68.40.3
show bgp ipv6 unicast 2001:db8:40::/48
traceroute 2001:db8:40::3

Notice that the trac leaves via the R&E networks, but then enters AS40 through their commercial
ISP.
The same happens with trac coming back to you from other NRENs. How might you inuence
another ASes best path selection so that trac towards you enters via your NREN (say)?
We will now use a technique called AS path prepending, which consists of adding extra fake hops to
a path using our ASN multiple times.

AS Path Prepending to ISP


On your border router facing your ISP (BX2), set up an outbound route-map which will prepend your
AS number twice in the path announced to your ISP.
On B12:
ip prefix-list AS10-prefix permit 100.68.10.0/24
!
route-map set-prepend permit 10
description 2x prepend on our prefix block
match ip address prefix-list AS10-prefix
set as-path prepend 10 10
route-map set-prepend permit 20
!
ipv6 prefix-list AS10-v6-prefix permit 2001:db8:10::/48
!
route-map set-v6-prepend permit 10
description 2x prepend on our prefix block
match ipv6 address prefix-list AS10-v6-prefix
set as-path prepend 10 10
route-map set-v6-prepend permit 20
!
router bgp 10
address-family ipv4
neighbor 100.121.1.1 route-map set-prepend out
address-family ipv6
neighbor 2001:18:0:10:: route-map set-v6-prepend out
!
Use BGP refresh to re-announce your prex to the ISP:
clear ip bgp external out
clear bgp ipv6 unicast external out

http://workshops.nsrc.org/dokuwiki/

Printed on 2016/01/17 04:05

2016/01/17 04:05

7/22

BGP Policy Lab

Ask remote groups (connected to the other NRENs), to verify that their paths towards you do not
traverse the commercial ISPs.

STOP - Checkpoint Two


All groups must nish this part before continuing. Please do NOT continue until the instructor
says so.

BGP Communities
Now let's reect on our initial outbound policy. Since our NREN carries commodity Internet prexes in
addition to R&E prexes, we decided to use the Local Preference attribute to send everything via the
NREN.
In reality this may not be optimal, because the NREN may not always have the best paths towards the
rest of the Internet and also because we're not taking advantage of our dual connections to loadbalance our outbound trac.
What we really need is a way to tell which prexes are originated from the R&E community, so
that we prefer the NREN link when sending to those prexes only, and let the rest be decided by the
regular BGP selection process. This is where BGP Communities are useful.

Tidy up earlier Local Preference conguration


Remove the congurations from the Local Preference section. Notice the correct order in which this
should be done (hint: do not remove something if it's still referenced by something else). Here is one
example:
B11:
router bgp 10
address-family ipv4
no neighbor 100.101.1.1 route-map set-lpref-nren in
address-family ipv6
no neighbor 2001:11:0:10:: route-map set-lpref-nren in
!
no route-map set-lpref-nren
Remember to do the equivalent on the other router in your group. So both BX1 and BX2
should have the route-map setting local preference removed, as per the above example.

Conguring Community Support on NRENs and RREN


RENs use BGP communities (basically tags) to mark groups of routes together as a unit, which makes
Workshops - http://workshops.nsrc.org/dokuwiki/

Last update:
2016:preginet-bgp:3-lab-bgp-policy http://workshops.nsrc.org/dokuwiki/doku.php?id=2016:preginet-bgp:3-lab-bgp-policy
2016/01/17 03:37

it easier for their neighbours to apply policies to those groups of routes.


In this particular case, the NRENs carry research and education (R&E) routes, as well as commercial
Internet routes. The R&E routes are marked with a special community (99) as they are received from
each customer. Also, the NREN passes those communities on to other customers and to the RREN.
Notice that the NRENs and the RREN also use the communities to set a higher local preference value,
in order to prefer the R&E paths. This is because they also can learn those prexes via the ISPs with
whom they peer.
NREN1:
ip bgp-community new-format
!
route-map set-RE-comm permit 10
description Tag what we get from RE customer
set community 101:99
!
ip community-list 1 permit 100:99
!
route-map set-RE-lpref permit 10
description Look for RE routes from RREN
match community 1
set local-preference 150
route-map set-RE-lpref permit 20
description Other routes are untouched
!
router bgp 101
address-family ipv4
neighbor 100.101.1.2 send-community
neighbor 100.101.1.2 route-map set-RE-comm in
neighbor 100.101.1.6 send-community
neighbor 100.101.1.6 route-map set-RE-comm in
neighbor 100.101.1.10 send-community
neighbor 100.101.1.10 route-map set-RE-comm in
neighbor 100.100.1.1 send-community
neighbor 100.100.1.1 route-map set-RE-lpref in
address-family ipv6
neighbor 2001:11:0:10::1 send-community
neighbor 2001:11:0:10::1 route-map set-RE-comm
neighbor 2001:11:0:11::1 send-community
neighbor 2001:11:0:11::1 route-map set-RE-comm
neighbor 2001:11:0:12::1 send-community
neighbor 2001:11:0:12::1 route-map set-RE-comm
neighbor 2001:10:0:10:: send-community
neighbor 2001:10:0:10:: route-map set-RE-lpref
!

in
in
in
in

NREN2:
ip bgp-community new-format
http://workshops.nsrc.org/dokuwiki/

Printed on 2016/01/17 04:05

2016/01/17 04:05

9/22

!
route-map set-RE-comm permit 10
description Tag what we get from RE customer
set community 102:99
!
ip community-list 1 permit 100:99
!
route-map set-RE-lpref permit 10
description Look for RE routes from RREN
match community 1
set local-preference 150
route-map set-RE-lpref permit 20
description Other routes are untouched
!
router bgp 102
address-family ipv4
neighbor 100.102.1.2 send-community
neighbor 100.102.1.2 route-map set-RE-comm in
neighbor 100.102.1.6 send-community
neighbor 100.102.1.6 route-map set-RE-comm in
neighbor 100.102.1.10 send-community
neighbor 100.102.1.10 route-map set-RE-comm in
neighbor 100.100.1.5 send-community
neighbor 100.100.1.5 route-map set-RE-lpref in
address-family ipv6
neighbor 2001:12:0:10::1 send-community
neighbor 2001:12:0:10::1 route-map set-RE-comm
neighbor 2001:12:0:11::1 send-community
neighbor 2001:12:0:11::1 route-map set-RE-comm
neighbor 2001:12:0:12::1 send-community
neighbor 2001:12:0:12::1 route-map set-RE-comm
neighbor 2001:10:0:11:: send-community
neighbor 2001:10:0:11:: route-map set-RE-lpref
!

BGP Policy Lab

in
in
in
in

The regional REN (RREN) connects multiple NRENs, so they replace communities in the R&E routes
learned from NRENs with their own community:
RREN:
ip bgp-community new-format
!
ip community-list 1 permit 101:99
ip community-list 1 permit 102:99
!
route-map set-RE-comm permit 10
match community 1
set community 100:99
set local-preference 150
route-map set-RE-comm permit 20
!
Workshops - http://workshops.nsrc.org/dokuwiki/

Last update:
2016:preginet-bgp:3-lab-bgp-policy http://workshops.nsrc.org/dokuwiki/doku.php?id=2016:preginet-bgp:3-lab-bgp-policy
2016/01/17 03:37

router bgp 100


address-family ipv4
neighbor 100.100.1.2 send-community
neighbor 100.100.1.2 route-map set-RE-comm in
neighbor 100.100.1.6 send-community
neighbor 100.100.1.6 route-map set-RE-comm in
address-family ipv6
neighbor 2001:10:0:10::1 send-community
neighbor 2001:10:0:10::1 route-map set-RE-comm in
neighbor 2001:10:0:11::1 send-community
neighbor 2001:10:0:11::1 route-map set-RE-comm in
Explain the purpose of replacing the NREN communities at the RREN, before they are passed on to
other NRENs.
The only thing we still need to do is tag the routes originated by the NRENs and RREN and being R&E
routes too, otherwise there is every likelihood we will see best paths via ISPs.
NREN1 example:
route-map RE-comm-tag permit 10
set community 101:99
!
router bgp 101
address-family ipv4
network 100.101.0.0 mask 255.255.0.0 route-map RE-comm-tag
address-family ipv6
network 2001:11::/32 route-map RE-comm-tag
!
Similar conguration needs to be set up for NREN2 and the RREN. Use the same route-map, just set
the community to be appropriate for that REN.

Setting up the ISPs to announce commodity routes


ISPs will originate additional prexes to represent the rest of the commodity Internet. The
congurations below will make the BGP table look as though ISP1 has AS65001, AS65002, AS65003
and AS65004 as customers, and ISP2 has AS65005, AS65006, AS65007 and AS65008 as customers.
ISP1:
ip prefix-list v4-commodity-1 permit 172.16.0.0/16
ip prefix-list v4-commodity-2 permit 172.17.0.0/16
ip prefix-list v4-commodity-3 permit 172.18.0.0/16
ip prefix-list v4-commodity-4 permit 172.19.0.0/16
!
ipv6 prefix-list v6-commodity-1 permit 2001:db8::/32
ipv6 prefix-list v6-commodity-2 permit 2001:db9::/32
ipv6 prefix-list v6-commodity-3 permit 2001:dba::/32
http://workshops.nsrc.org/dokuwiki/

Printed on 2016/01/17 04:05

2016/01/17 04:05

11/22

ipv6 prefix-list v6-commodity-4 permit 2001:dbb::/32


!
route-map set-prepend-commodity permit 10
match ip address prefix-list v4-commodity-1
set as-path prepend 65001
route-map set-prepend-commodity permit 20
match ip address prefix-list v4-commodity-2
set as-path prepend 65002
route-map set-prepend-commodity permit 30
match ip address prefix-list v4-commodity-3
set as-path prepend 65003
route-map set-prepend-commodity permit 40
match ip address prefix-list v4-commodity-4
set as-path prepend 65004
route-map set-prepend-commodity permit 50
!
route-map set-prepend-v6commodity permit 10
match ipv6 address prefix-list v6-commodity-1
set as-path prepend 65001
route-map set-prepend-v6commodity permit 20
match ipv6 address prefix-list v6-commodity-2
set as-path prepend 65002
route-map set-prepend-v6commodity permit 30
match ipv6 address prefix-list v6-commodity-3
set as-path prepend 65003
route-map set-prepend-v6commodity permit 40
match ipv6 address prefix-list v6-commodity-4
set as-path prepend 65004
route-map set-prepend-v6commodity permit 50
!
router bgp 121
address-family ipv4
network 172.16.0.0 mask 255.255.0.0
network 172.17.0.0 mask 255.255.0.0
network 172.18.0.0 mask 255.255.0.0
network 172.19.0.0 mask 255.255.0.0
neighbor 100.101.2.1 route-map set-prepend-commodity out
neighbor 100.121.1.2 route-map set-prepend-commodity out
neighbor 100.121.1.6 route-map set-prepend-commodity out
neighbor 100.121.1.10 route-map set-prepend-commodity out
neighbor 100.127.1.2 route-map set-prepend-commodity out
neighbor 100.127.1.3 route-map set-prepend-commodity out
!
address-family ipv6
network 2001:db8::/32
network 2001:db9::/32
network 2001:dba::/32
network 2001:dbb::/32
neighbor 2001:11:0:20:: route-map set-prepend-v6commodity out
neighbor 2001:18:0:10::1 route-map set-prepend-v6commodity out
neighbor 2001:18:0:11::1 route-map set-prepend-v6commodity out
Workshops - http://workshops.nsrc.org/dokuwiki/

BGP Policy Lab

Last update:
2016:preginet-bgp:3-lab-bgp-policy http://workshops.nsrc.org/dokuwiki/doku.php?id=2016:preginet-bgp:3-lab-bgp-policy
2016/01/17 03:37

neighbor 2001:18:0:12::1 route-map set-prepend-v6commodity out


neighbor 2001:db8:ffff:1::2 route-map set-prepend-v6commodity out
neighbor 2001:db8:ffff:1::3 route-map set-prepend-v6commodity out
!
ip route 172.16.0.0 255.255.0.0
ip route 172.17.0.0 255.255.0.0
ip route 172.18.0.0 255.255.0.0
ip route 172.19.0.0 255.255.0.0
!
ipv6 route 2001:db8::/32 null0
ipv6 route 2001:db9::/32 null0
ipv6 route 2001:dba::/32 null0
ipv6 route 2001:dbb::/32 null0

null0
null0
null0
null0

ISP2:
ip prefix-list v4-commodity-1 permit 172.20.0.0/16
ip prefix-list v4-commodity-2 permit 172.21.0.0/16
ip prefix-list v4-commodity-3 permit 172.22.0.0/16
ip prefix-list v4-commodity-4 permit 172.23.0.0/16
!
ipv6 prefix-list v6-commodity-1 permit 2001:dbc::/32
ipv6 prefix-list v6-commodity-2 permit 2001:dbd::/32
ipv6 prefix-list v6-commodity-3 permit 2001:dbe::/32
ipv6 prefix-list v6-commodity-4 permit 2001:dbf::/32
!
route-map set-prepend-commodity permit 10
match ip address prefix-list v4-commodity-1
set as-path prepend 65005
route-map set-prepend-commodity permit 20
match ip address prefix-list v4-commodity-2
set as-path prepend 65006
route-map set-prepend-commodity permit 30
match ip address prefix-list v4-commodity-3
set as-path prepend 65007
route-map set-prepend-commodity permit 40
match ip address prefix-list v4-commodity-4
set as-path prepend 65008
route-map set-prepend-commodity permit 50
!
route-map set-prepend-v6commodity permit 10
match ipv6 address prefix-list v6-commodity-1
set as-path prepend 65005
route-map set-prepend-v6commodity permit 20
match ipv6 address prefix-list v6-commodity-2
set as-path prepend 65006
route-map set-prepend-v6commodity permit 30
match ipv6 address prefix-list v6-commodity-3
set as-path prepend 65007
http://workshops.nsrc.org/dokuwiki/

Printed on 2016/01/17 04:05

2016/01/17 04:05

13/22

BGP Policy Lab

route-map set-prepend-v6commodity permit 40


match ipv6 address prefix-list v6-commodity-4
set as-path prepend 65008
route-map set-prepend-v6commodity permit 50
!
router bgp 122
address-family ipv4
network 172.20.0.0 mask 255.255.0.0
network 172.21.0.0 mask 255.255.0.0
network 172.22.0.0 mask 255.255.0.0
network 172.23.0.0 mask 255.255.0.0
neighbor 100.102.2.1 route-map set-prepend-commodity out
neighbor 100.122.1.2 route-map set-prepend-commodity out
neighbor 100.122.1.6 route-map set-prepend-commodity out
neighbor 100.122.1.10 route-map set-prepend-commodity out
neighbor 100.127.1.1 route-map set-prepend-commodity out
neighbor 100.127.1.3 route-map set-prepend-commodity out
address-family ipv6
network 2001:dbc::/32
network 2001:dbd::/32
network 2001:dbe::/32
network 2001:dbf::/32
neighbor 2001:12:0:20:: route-map set-prepend-v6commodity out
neighbor 2001:19:0:10::1 route-map set-prepend-v6commodity out
neighbor 2001:19:0:11::1 route-map set-prepend-v6commodity out
neighbor 2001:19:0:12::1 route-map set-prepend-v6commodity out
neighbor 2001:db8:ffff:1::1 route-map set-prepend-v6commodity out
neighbor 2001:db8:ffff:1::3 route-map set-prepend-v6commodity out
!
ip route 172.20.0.0 255.255.0.0 null0
ip route 172.21.0.0 255.255.0.0 null0
ip route 172.22.0.0 255.255.0.0 null0
ip route 172.23.0.0 255.255.0.0 null0
!
ipv6 route 2001:dbc::/32 null0
ipv6 route 2001:dbd::/32 null0
ipv6 route 2001:dbe::/32 null0
ipv6 route 2001:dbf::/32 null0

Local Preference Conguration using BGP Communities


We are now going to set local preference on the prexes we learn from our various transits and peers,
according to the following table:
Neighbour Route Type Local Preference
Bi-lateral
All
200
NREN
R&E
150
Commodity 70
Commercial All
80
Workshops - http://workshops.nsrc.org/dokuwiki/

Last update:
2016:preginet-bgp:3-lab-bgp-policy http://workshops.nsrc.org/dokuwiki/doku.php?id=2016:preginet-bgp:3-lab-bgp-policy
2016/01/17 03:37

Set local preference ONLY on the R&E routes (marked with the R&E community) learned from the
NREN. Notice that your NREN is also passing you the communities set by the regional REN, so you
need to match either one.
Also notice that we (should) still have the route-map which sets the local preference to 200 on the
prexes originated by our bi-lateral peers.
On B11:
ip bgp-community new-format
!
ip community-list 1 permit 100:99
ip community-list 1 permit 101:99
!
route-map set-lpref-nren permit 10
description Look for RE routes
match community 1
set local-preference 150
route-map set-lpref-nren permit 20
description The rest are Commodity routes
set local-preference 70
!
router bgp 10
address-family ipv4
neighbor 100.101.1.1 route-map set-lpref-nren in
address-family ipv6
neighbor 2001:11:0:10:: route-map set-lpref-nren in
!
Refresh to/from your neighbours:
clear ip bgp external in
clear bgp ipv6 unicast external in
Verify that communities are being set and transmitted by the NREN - for example on B11:
B11# show ip bgp 100.68.20.0
B11# show ip bgp 100.68.40.0
Also, look at all the prexes which have community set in them. This is a good way of checking that
everything is working properly.
show ip bgp community
show bgp ipv6 unicast community
Do you see all the R&E routes now?
Question: Why do some have the best path and others do not?
Now we set all the prexes transited by the ISP to us to local preference 80, as per the earlier table.
Here is an example conguration:
http://workshops.nsrc.org/dokuwiki/

Printed on 2016/01/17 04:05

2016/01/17 04:05

15/22

BGP Policy Lab

On B12:
ip as-path access-list 1 permit ^[0-9]+$
!
route-map set-lpref-isp permit 10
description Look for ISP originated routes
match as-path 1
!
route-map set-lpref-isp permit 20
description All ISP routes
set local-preference 80
!
router bgp 10
address-family ipv4
neighbor 100.121.1.1 route-map set-lpref-isp in
address-family ipv6
neighbor 2001:18:0:10:: route-map set-lpref-isp in
!
Refresh to/from your neighbours:
clear ip bgp external in
clear bgp ipv6 unicast external in
Check your BGP routes again.
show
show
show
show

ip bgp
ip route
bgp ipv6 unicast
ipv6 route

The result should be that you now prefer the NREN path for any prex originated by an R&E member.
For all other prexes, including the ones from the commercial Internet, your routers will choose based
on BGP defaults.

STOP - Checkpoint Three


All groups must nish this part before continuing. Please do NOT continue until the instructor says so.
Look closely at the BGP table now. Have we achieved what we set out to do?

Multihoming with Partial Routes and Defaults


Another way to load-balance outbound trac in our multihoming setup is to play with partial routing
tables and default routes. The idea is that our routers will prefer the more specic R&E routes coming
from the NREN, and the rest of the outgoing trac will use the ISP. Only if the ISP fails, our non-R&E
Workshops - http://workshops.nsrc.org/dokuwiki/

Last update:
2016:preginet-bgp:3-lab-bgp-policy http://workshops.nsrc.org/dokuwiki/doku.php?id=2016:preginet-bgp:3-lab-bgp-policy
2016/01/17 03:37

trac will leave through the NREN. Similarly, if the NREN link fails, the ISP will route all our outbound
trac.
This has the advantage of reducing our routing table size, and therefore convergence time. The
disadvantage is that we may not always follow the best paths, but it might be a good compromise.
We are going to ask the NREN to only send us R&E routes, plus the default route:
NREN1:
ip community-list 1 permit 100:99
ip community-list 1 permit 101:99
!
route-map send-RE-only permit 10
match community 1
!
router bgp 101
address-family ipv4
neighbor 100.101.1.2 route-map send-RE-only out
neighbor 100.101.1.2 default-originate
neighbor 100.101.1.6 route-map send-RE-only out
neighbor 100.101.1.6 default-originate
neighbor 100.101.1.10 route-map send-RE-only out
neighbor 100.101.1.10 default-originate
address-family ipv6
neighbor 2001:11:0:10::1 route-map send-RE-only out
neighbor 2001:11:0:10::1 default-originate
neighbor 2001:11:0:11::1 route-map send-RE-only out
neighbor 2001:11:0:11::1 default-originate
neighbor 2001:11:0:12::1 route-map send-RE-only out
neighbor 2001:11:0:12::1 default-originate
!
NREN2:
ip community-list 1 permit 100:99
ip community-list 1 permit 102:99
!
route-map send-RE-only permit 10
match community 1
!
router bgp 102
address-family ipv4
neighbor 100.102.1.2 route-map send-RE-only out
neighbor 100.102.1.2 default-originate
neighbor 100.102.1.6 route-map send-RE-only out
neighbor 100.102.1.6 default-originate
neighbor 100.102.1.10 route-map send-RE-only out
neighbor 100.102.1.10 default-originate
address-family ipv6
neighbor 2001:12:0:10::1 route-map send-RE-only out
http://workshops.nsrc.org/dokuwiki/

Printed on 2016/01/17 04:05

2016/01/17 04:05

neighbor
neighbor
neighbor
neighbor
neighbor

17/22

2001:12:0:10::1
2001:12:0:11::1
2001:12:0:11::1
2001:12:0:12::1
2001:12:0:12::1

default-originate
route-map send-RE-only out
default-originate
route-map send-RE-only out
default-originate

!
Similarly, we will ask the ISP to only send us a default route:
ISP1:
ip prefix-list default permit 0.0.0.0/0
ipv6 prefix-list ipv6-default permit ::/0
!
router bgp 121
address-family ipv4
neighbor 100.121.1.2 default-originate
neighbor 100.121.1.2 prefix-list default out
neighbor 100.121.1.6 default-originate
neighbor 100.121.1.6 prefix-list default out
neighbor 100.121.1.10 default-originate
neighbor 100.121.1.10 prefix-list default out
address-family ipv6
neighbor 2001:18:0:10::1 default-originate
neighbor 2001:18:0:10::1 prefix-list ipv6-default out
neighbor 2001:18:0:11::1 default-originate
neighbor 2001:18:0:11::1 prefix-list ipv6-default out
neighbor 2001:18:0:12::1 default-originate
neighbor 2001:18:0:12::1 prefix-list ipv6-default out
!
ISP2:
ip prefix-list default permit 0.0.0.0/0
ipv6 prefix-list ipv6-default permit ::/0
!
router bgp 122
address-family ipv4
neighbor 100.122.1.2 default-originate
neighbor 100.122.1.2 prefix-list default out
neighbor 100.122.1.6 default-originate
neighbor 100.122.1.6 prefix-list default out
neighbor 100.122.1.10 default-originate
neighbor 100.122.1.10 prefix-list default out
address-family ipv6
neighbor 2001:19:0:10::1 default-originate
neighbor 2001:19:0:10::1 prefix-list ipv6-default out
neighbor 2001:19:0:11::1 default-originate
neighbor 2001:19:0:11::1 prefix-list ipv6-default out
neighbor 2001:19:0:12::1 default-originate
neighbor 2001:19:0:12::1 prefix-list ipv6-default out
Workshops - http://workshops.nsrc.org/dokuwiki/

BGP Policy Lab

Last update:
2016:preginet-bgp:3-lab-bgp-policy http://workshops.nsrc.org/dokuwiki/doku.php?id=2016:preginet-bgp:3-lab-bgp-policy
2016/01/17 03:37

!
Check what you are now receiving from your NREN and your ISP:
B11#
B11#
B11#
B11#

show
show
show
show

ip bgp neighbors 100.101.1.1 routes


bgp ipv6 uni neighbors 2001:11:0:10:: routes
ip route 0.0.0.0 0.0.0.0
ipv6 route ::/0

B12#
B12#
B12#
B12#

show
show
show
show

ip bgp neighbors 100.121.1.1 routes


bgp ipv6 uni neighbors 2001:18:0:10:: routes
ip route 0.0.0.0 0.0.0.0
ipv6 route ::/0

At this point you should see that each of your routers has a default route pointing to its upstream
peer.
Check your default route on both routers:
show ip bgp 0.0.0.0 0.0.0.0
show ip route 0.0.0.0 0.0.0.0
show bgp ipv6 uni ::/0
show ipv6 route ::/0
Also, check your BGP routing table. Has it shrunk?
show ip bgp
show bgp ipv6 unicast
Conrm that you now see a default route from your ISP, with local-preference 100. And you should
also see a default-route from your NREN, with local-preference 70 (based on the communities set in
the previous exercise).

Summary
What have we achieved here? We have connected our end-site to a local peer, an NREN and an ISP.
The best path for for our local (bi-lateral) peer is over our peering link. The best path for all REN
routes is via the NREN. The best path for all other routes is via the ISP.
Should the link to the ISP fail, we will get backup via the NREN to access the commodity
networks.
Should the link to the NREN fail, we will get backup via the ISP to access R&E networks.
How did we achieve this?
We tagged all routes from our bi-lateral peer with local-preference of 200.
We looked for REN routes from our NREN tagged with the REN community and set localpreference of 150.
http://workshops.nsrc.org/dokuwiki/

Printed on 2016/01/17 04:05

2016/01/17 04:05

19/22

BGP Policy Lab

We heard the default route from our NREN, and tagged it with low local-preference of 70.
We heard the default route from our ISP, and left it with default local-preference of 100.
Discuss with the lab instructors about testing the failure modes of your group's network connectivity.

Appendix A - BGP Table: First Policy Scenario


Included for completeness and to aid discussion, here is the BGP table as seen on C61 at the rst
checkpoint in this lab exercise.
C61#sh ip bgp
BGP table version is 17, local router ID is 100.68.60.3
Status codes: s suppressed, d damped, h history, * valid, > best, i internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RTFilter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network
*>i 100.68.10.0/24
10 i
*>i 100.68.20.0/24
20 i
*>i 100.68.30.0/24
30 i
*>i 100.68.40.0/24
*>i 100.68.50.0/24
* i 100.68.60.0/24
* i
*>
*>i 100.100.0.0/16
*>i 100.101.0.0/16
*>i 100.102.0.0/16
*>i 100.121.0.0/16
*>i 100.122.0.0/16

Next Hop
100.68.60.1

Metric LocPrf Weight Path


0
150
0 102 122 121

100.68.60.1

150

0 102 122 121

100.68.60.1

150

0 102 122 121

100.68.60.2
100.68.60.1
100.68.60.2
100.68.60.1
0.0.0.0
100.68.60.1
100.68.60.1
100.68.60.1
100.68.60.1
100.68.60.2

0
0
0
0
0
0
0
0
0
0

200
200
100
100
150
150
200
150
200

0
0
0
0
32768
0
0
0
0
0

40 i
50 i
i
i
i
102 100 i
102 100 101 i
102 i
102 100 121 i
122 i

Appendix B - BGP Table @ ISP1: Second Policy Scenario


Included for completeness and to aid discussion, here is the BGP table as seen on ISP1 at the second
checkpoint in this lab exercise.
What do you think about the path from ISP1 to AS40, AS50 and AS60? Why is the best path via ISP2,
rather than via the peering with the RREN?
ISP1#sh ip bgp
Workshops - http://workshops.nsrc.org/dokuwiki/

Last update:
2016:preginet-bgp:3-lab-bgp-policy http://workshops.nsrc.org/dokuwiki/doku.php?id=2016:preginet-bgp:3-lab-bgp-policy
2016/01/17 03:37

BGP table version is 15, local router ID is 100.121.0.1


Status codes: s suppressed, d damped, h history, * valid, > best, i internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RTFilter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

*
10 i
*
*>
*
*>
*
*>
*
*>
*>
*>
*
*
*>
*
*
*>
*
*
*>
*>
*
*
*>

Network
100.68.10.0/24

100.68.20.0/24
100.68.30.0/24
100.68.40.0/24
100.68.50.0/24
100.68.60.0/24
100.100.0.0/16

100.101.0.0/16

100.102.0.0/16

100.121.0.0/16
100.122.0.0/16

Next Hop
100.127.1.2
100.127.1.3
100.101.2.1
100.121.1.2
100.101.2.1
100.121.1.6
100.101.2.1
100.121.1.10
100.127.1.2
100.127.1.2
100.127.1.2
100.101.2.1
100.127.1.2
100.127.1.3
100.127.1.2
100.127.1.3
100.101.2.1
100.101.2.1
100.127.1.3
100.127.1.2
0.0.0.0
100.101.2.1
100.127.1.3
100.127.1.2

Metric LocPrf Weight Path


0 122 100 101

0
0
0

0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
32768
0
0
0

100 101 10 i
101 10 i
10 10 10 i
101 20 i
20 20 20 i
101 30 i
30 30 30 i
122 102 40 i
122 102 50 i
122 102 60 i
101 100 i
122 100 i
100 i
122 100 101 i
100 101 i
101 i
101 100 102 i
100 102 i
122 102 i
i
101 100 122 i
100 122 i
122 i

Appendix C - BGP Table: Third Policy Scenario


Included for completeness and to aid discussion, here is the BGP table as seen on C21 at the third
checkpoint in this lab exercise.
C21#sh ip bgp
BGP table version is 29, local router ID is 100.68.20.3
Status codes: s suppressed, d damped, h history, * valid, > best, i internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RTFilter,
x best-external, a additional-path, c RIB-compressed,
http://workshops.nsrc.org/dokuwiki/

Printed on 2016/01/17 04:05

2016/01/17 04:05

21/22

BGP Policy Lab

Origin codes: i - IGP, e - EGP, ? - incomplete


RPKI validation codes: V valid, I invalid, N Not found

*>i
* i
* i
*>
*>i
*>i
40 i
*>i
50 i
*>i
60 i
*>i
*>i
*>i
*>i
*>i
*>i
*>i
*>i
*>i
*>i
i
*>i
i
*>i
i
*>i
i

Network
100.68.10.0/24
100.68.20.0/24

100.68.30.0/24
100.68.40.0/24

Next Hop
100.68.20.1
100.68.20.2
100.68.20.1
0.0.0.0
100.68.20.2
100.68.20.1

Metric LocPrf Weight Path


0
200
0 10 i
0
100
0 i
0
100
0 i
0
32768 i
0
200
0 30 i
0
150
0 101 100 102

100.68.50.0/24

100.68.20.1

150

0 101 100 102

100.68.60.0/24

100.68.20.1

150

0 101 100 102

100.100.0.0/16
100.101.0.0/16
100.102.0.0/16
100.121.0.0/16
100.122.0.0/16
172.16.0.0
172.17.0.0
172.18.0.0
172.19.0.0
172.20.0.0

100.68.20.1
100.68.20.1
100.68.20.1
100.68.20.2
100.68.20.2
100.68.20.2
100.68.20.2
100.68.20.2
100.68.20.2
100.68.20.2

0
0
0
0
0
0
0
0
0
0

150
150
150
100
80
80
80
80
80
80

0
0
0
0
0
0
0
0
0
0

172.21.0.0

100.68.20.2

80

0 121 122 65006

172.22.0.0

100.68.20.2

80

0 121 122 65007

172.23.0.0

100.68.20.2

80

0 121 122 65008

101
101
101
121
121
121
121
121
121
121

100 i
i
100 102 i
i
122 i
65001 i
65002 i
65003 i
65004 i
122 65005

Appendix D - BGP Table: Fourth Policy Scenario


Included for completeness and to aid discussion, here is the BGP table as seen on C11 at the end of
this lab exercise.
C11#sh ip bgp
BGP table version is 134, local router ID is 100.68.10.3
Status codes: s suppressed, d damped, h history, * valid, > best, i internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RTFilter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network

Next Hop

Workshops - http://workshops.nsrc.org/dokuwiki/

Metric LocPrf Weight Path

Last update:
2016:preginet-bgp:3-lab-bgp-policy http://workshops.nsrc.org/dokuwiki/doku.php?id=2016:preginet-bgp:3-lab-bgp-policy
2016/01/17 03:37

r>i
* i
* i
*>
*>i
*>i
*>i
40 i
*>i
50 i
*>i
60 i
*>i
*>i
*>i

0.0.0.0
100.68.10.0/24

0
0
0
0
0
0
0

100
100
100

100.68.20.0/24
100.68.30.0/24
100.68.40.0/24

100.68.10.2
100.68.10.1
100.68.10.2
0.0.0.0
100.68.10.2
100.68.10.1
100.68.10.1

100.68.50.0/24

100.68.10.1

150

0 101 100 102

100.68.60.0/24

100.68.10.1

150

0 101 100 102

100.100.0.0/16
100.101.0.0/16
100.102.0.0/16

100.68.10.1
100.68.10.1
100.68.10.1

0
0
0

150
150
150

0 101 100 i
0 101 i
0 101 100 102 i

200
200
150

0
0
0
32768
0
0
0

121 i
i
i
i
20 i
30 i
101 100 102

From:
http://workshops.nsrc.org/dokuwiki/ - Workshops
Permanent link:
http://workshops.nsrc.org/dokuwiki/doku.php?id=2016:preginet-bgp:3-lab-bgp-policy
Last update: 2016/01/17 03:37

http://workshops.nsrc.org/dokuwiki/

Printed on 2016/01/17 04:05

You might also like