Discussion:
[c-nsp] IOS XR BGP default route - prepending AS
Brian Knight
2016-04-20 06:50:44 UTC
At $DAYJOB we use MPLS VPNs from other carriers to provide Internet access
to customers connected to these VPNs. There is always a primary path for
outbound access, plus one or more backup paths. I am trying to configure a
backup path, but can't seem to set AS path prepending on the default route
we announce to the MPLS VPN.

This is our first time configuring these types of MPLS VPNs on IOS XR.

I've got a config that looks a little something like this:

--------

route-policy BACKUP-IN
  apply IPV4-RESERVED-DENY
  apply IPV4-DEFAULT-DENY
  # For backup, localpref = 350
  #
  set local-preference 350
  set community BGP-SITECODE additive
end-policy

route-policy BACKUP-OUT
  # For backup, prepend = 2
  #
  # Announce only default route
  if destination in (0.0.0.0/0) then
    prepend as-path MY-AS 2
    set community BGP-SITECODE
  else
    drop
  endif
end-policy

router bgp 53828
 neighbor THEIR-IP
  remote-as THEIR-AS
  address-family ipv4 unicast
   default-originate
   route-policy BACKUP-IN in
   route-policy BACKUP-OUT out
   send-community-ebgp
   send-extended-community-ebgp
   soft-reconfig inbound
   maximum-prefix 500 80 restart 1

--------

The config originates a default route towards THEIR-IP, which is expected.
But the default route that is generated is apparently not influenced by the
BACKUP-OUT policy (prepend MY-AS 2 times).

RP/0/8/CPU0:AR1.ATL1#sh bgp ipv4 u nei THEIR-IP adv
Wed Apr 20 01:00:39.545 CDT
Network Next Hop From AS Path
0.0.0.0/0 0.0.0.0 Local i

What's the simplest way to prepend AS path on a default route advertised to
a single peer?

A few sources suggest adding a default route to Null0 in our Internet
routing table and advertising it through redistribution, or entering a
"network 0.0.0.0/0" command in the BGP address-family, both of which can be
influenced by route policies. Neither of those options sounds particularly
simple to me.

I have also tried the following to no avail:

---------

route-policy DEFAULT-BACKUP-OUT
  prepend as-path 53828 2
  set community BGP-SITECODE
end-policy

router bgp 53828
 neighbor THEIR-IP
  address-family ipv4 unicast
   default-originate route-policy DEFAULT-BACKUP-OUT

---------

I'd be grateful for any insight.

Thanks,

-Brian Knight
_______________________________________________
cisco-nsp mailing list cisco-***@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
brad dreisbach
2016-04-20 13:27:15 UTC
Post by Brian Knight
At $DAYJOB we use MPLS VPNs from other carriers to provide Internet access
to customers connected to these VPNs. There is always a primary path for
outbound access, plus one or more backup paths. I am trying to configure a
backup path, but can't seem to set AS path prepending on the default route
we announce to the MPLS VPN.
This is our first time configuring these types of MPLS VPNs on IOS XR.
--------
route-policy BACKUP-IN
apply IPV4-RESERVED-DENY
apply IPV4-DEFAULT-DENY
# For backup, localpref = 350
#
set local-preference 350
set community BGP-SITECODE additive
end-policy
route-policy BACKUP-OUT
# For backup, prepend = 2
#
# Announce only default route
if destination in (0.0.0.0/0) then
prepend as-path MY-AS 2
set community BGP-SITECODE
else
drop
endif
end-policy
router bgp 53828
neighbor THEIR-IP
remote-as THEIR-AS
address-family ipv4 unicast
default-originate
route-policy BACKUP-IN in
route-policy BACKUP-OUT out
send-community-ebgp
send-extended-community-ebgp
soft-reconfig inbound
maximum-prefix 500 80 restart 1
--------
The config originates a default route towards THEIR-IP, which is expected.
But the default route that is generated is apparently not influenced by the
BACKUP-OUT policy (prepend MY-AS 2 times).
RP/0/8/CPU0:AR1.ATL1#sh bgp ipv4 u nei THEIR-IP adv
Wed Apr 20 01:00:39.545 CDT
Network Next Hop From AS Path
0.0.0.0/0 0.0.0.0 Local i
What's the simplest way to prepend AS path on a default route advertised to
a single peer?
A few sources suggest adding a default route to Null0 in our Internet
routing table and advertising it through redistribution, or enter a
"network 0.0.0.0/0" command in the BGP address-family, both of which can be
influenced by route policies. Neither of those options sound particularly
simple to me.
---------
route-policy DEFAULT-BACKUP-OUT
prepend as-path 53828 2
set community BGP-SITECODE
end-policy
router bgp 53828
neighbor THEIR-IP
address-family ipv4 unicast
default-originate route-policy DEFAULT-BACKUP-OUT
---------
I'd be grateful for any insight.
you need to apply a policy at the default-originate statement to do
stuff to the originated default on the outbound:

default-originate route-policy blah
Brian Knight
2016-04-20 20:12:03 UTC
Hi Nathan,

Fair enough. Just trying not to get into too much trouble by revealing too
much.

(Although I'm curious now - what do other people do to sanitize configs for
public mailing lists? Obviously customer sensitive data must be removed,
but is that it?)

We are running XR 4.2.4 on a C12k.

Here's the full config as it sits now:

----------

community-set BGP-SITECODE
  53828:1003
end-set

prefix-set IPV4-RESERVED
  0.0.0.0/8 le 32,
  10.0.0.0/8 le 32,
  100.64.0.0/10 le 32,
  127.0.0.0/8 le 32,
  169.254.0.0/16 le 32,
  172.16.0.0/12 le 32,
  192.0.0.0/24 le 32,
  192.0.2.0/24 le 32,
  192.168.0.0/16 le 32,
  198.18.0.0/15 le 32,
  198.51.100.0/24 le 32,
  203.0.113.0/24 le 32,
  224.0.0.0/3 le 32,
  240.0.0.0/4 le 32
end-set

route-policy IPV4-RESERVED-DENY
  if destination in IPV4-RESERVED then
    drop
  else
    pass
  endif
end-policy

prefix-set IPV4-DEFAULT
  0.0.0.0/0
end-set

route-policy IPV4-DEFAULT-DENY
  if destination in IPV4-DEFAULT then
    drop
  else
    pass
  endif
end-policy

route-policy IPV4-BGP-NNI-DIA-IN($localpref)
  apply IPV4-RESERVED-DENY
  apply IPV4-DEFAULT-DENY
  # For primary NNIs, $localpref = 400
  # For backup NNIs, $localpref = 350
  #
  set local-preference $localpref
  set community BGP-SITECODE additive
end-policy

route-policy IPV4-BGP-NNI-DIA-OUT($prepend)
  # For primary NNIs, $prepend = 0
  # For backup NNIs, $prepend = 2
  #
  # Announce only default route
  if destination in (0.0.0.0/0) then
    prepend as-path 53828 $prepend
    set community BGP-SITECODE
  else
    drop
  endif
end-policy

route-policy IPV4-BGP-NNI-DIA-PRIMARY-IN
  apply IPV4-BGP-NNI-DIA-IN(400)
end-policy

route-policy IPV4-BGP-NNI-DIA-PRIMARY-OUT
  apply IPV4-BGP-NNI-DIA-OUT(0)
end-policy

route-policy IPV4-BGP-NNI-DIA-BACKUP-IN
  apply IPV4-BGP-NNI-DIA-IN(350)
end-policy

route-policy IPV4-BGP-NNI-DIA-BACKUP-OUT
  apply IPV4-BGP-NNI-DIA-OUT(2)
end-policy

route-policy IPV4-BGP-NNI-DIA-DEFAULT-PRIMARY-OUT
  set community BGP-SITECODE
end-policy

route-policy IPV4-BGP-NNI-DIA-DEFAULT-BACKUP-OUT
  prepend as-path 53828 2
  set community BGP-SITECODE
end-policy

router bgp 53828
 !
 neighbor-group IPV4-NNI-DIA-PRIMARY
  address-family ipv4 unicast
   send-community-ebgp
   route-policy IPV4-BGP-NNI-DIA-PRIMARY-IN in
   maximum-prefix 500 80 restart 1
   route-policy IPV4-BGP-NNI-DIA-PRIMARY-OUT out
   send-extended-community-ebgp
   default-originate
   soft-reconfiguration inbound
 !
 neighbor-group IPV4-NNI-DIA-BACKUP
  address-family ipv4 unicast
   send-community-ebgp
   route-policy IPV4-BGP-NNI-DIA-BACKUP-IN in
   maximum-prefix 500 80 restart 1
   route-policy IPV4-BGP-NNI-DIA-BACKUP-OUT out
   send-extended-community-ebgp
   default-originate
   soft-reconfiguration inbound
 !
 neighbor 64.191.75.189
  remote-as 2828
  use neighbor-group IPV4-NNI-DIA-BACKUP
  shutdown

----------

Thanks again,

-Brian Knight
Hi,
At first I thought this was because you were seeing the pre-policy routes,
but that’s not the case if you’re asking for advertised routes under a
neighbour - when I look at advertised routes on ASR9k neighbours where I
have prepends in the policy, I see those prepends. You don’t see them if
you ask for “route-policy <blah>” though, weirdly.
I can’t see anything wrong with your config - perhaps you can paste the
relevant unmodified config, I wonder if your modifications have hidden bugs
or something. Note that you left your ASN in anyway, despite doing the
MY-AS thing in some places, so, may as well just include it rather than
potentially obscuring things ;)
--
Nathan Ward
Adam Vitkovsky
2016-04-22 12:57:12 UTC
Post by Brian Knight
Brian Knight
Sent: Wednesday, April 20, 2016 7:51 AM
At $DAYJOB we use MPLS VPNs from other carriers to provide Internet
access to customers connected to these VPNs. There is always a primary
path for outbound access, plus one or more backup paths. I am trying to
configure a backup path, but can't seem to set AS path prepending on the
default route we announce to the MPLS VPN.
Hi Brian,

Hmm, interesting. I'm just thinking if it's some weird corner case.
- but you do see the route in the BGP table, so the policy applied on the neighbour out attach point should match on it.

Do you see the default route matching if you do "show bgp route-policy BACKUP-OUT" please?
Post by Brian Knight
default-originate route-policy DEFAULT-BACKUP-OUT
This won't work, as the attach point for default-originate is very limited: it allows the "set" operation to modify only the MED parameter, and the only valid "match" operation is rib-has-route.

Anyways I'd try introducing the default route into BGP via network cmd (would require defining a static default route to null0).

adam
Brian Knight
2016-04-26 22:42:23 UTC
So, I did a quick lab test, and it turns out that:

* to influence the default route attributes, one must use a route-policy
attached to the default-originate statement (as Brad mentioned)

* the output of "show bgp neighbor x.x.x.x advertise" does NOT show the
prepended AS path, but

* the receiving router DOES receive the prepended path correctly.

Lab config follows for those interested. (Routers are running IOS XRv
6.0.0 on VIRL 1.1.1.)

I'll be turning up those BGP sessions again soon, and I'll ask the remote
side if they see the path prepending.

Thanks all for your replies!

-Brian Knight


iosxr-1
-----
RP/0/0/CPU0:ios#show run
Fri Apr 22 04:56:23.042 UTC
Building configuration...
!! IOS XR Configuration 6.0.0
!! Last configuration change at Fri Apr 22 04:53:56 2016 by cisco
!
interface Loopback0
ipv4 address 53.53.53.53 255.255.255.255
!
interface MgmtEth0/0/CPU0/0
shutdown
!
interface GigabitEthernet0/0/0/0
!
interface GigabitEthernet0/0/0/0.101
ipv4 address 192.168.0.1 255.255.255.252
encapsulation dot1q 101
!
interface GigabitEthernet0/0/0/1
shutdown
!
prefix-set IPV4-DEFAULT
0.0.0.0/0
end-set
!
community-set BGP-SITECODE
53828:1003
end-set
!
route-policy IPV4-DEFAULT-DENY
if destination in IPV4-DEFAULT then
drop
else
pass
endif
end-policy
!
route-policy IPV4-BGP-NNI-DIA-IN($localpref)
apply IPV4-DEFAULT-DENY
# For primary NNIs, $localpref = 400
# For backup NNIs, $localpref = 350
#
set local-preference $localpref
set community BGP-SITECODE additive
end-policy
!
route-policy IPV4-BGP-NNI-DIA-OUT($prepend)
# For primary NNIs, $prepend = 0
# For backup NNIs, $prepend = 2
#
# Announce only default route
if destination in (0.0.0.0/0) then
prepend as-path 53828 $prepend
set community BGP-SITECODE
else
drop
endif
end-policy
!
route-policy IPV4-BGP-NNI-DIA-BACKUP-IN
apply IPV4-BGP-NNI-DIA-IN(350)
end-policy
!
route-policy IPV4-BGP-NNI-DIA-BACKUP-OUT
apply IPV4-BGP-NNI-DIA-OUT(2)
end-policy
!
route-policy IPV4-BGP-NNI-DIA-PRIMARY-IN
apply IPV4-BGP-NNI-DIA-IN(400)
end-policy
!
route-policy IPV4-BGP-NNI-DIA-PRIMARY-OUT
apply IPV4-BGP-NNI-DIA-OUT(0)
end-policy
!
route-policy IPV4-BGP-NNI-DIA-DEFAULT-BACKUP-OUT
prepend as-path 53828 2
set community BGP-SITECODE
end-policy
!
route-policy IPV4-BGP-NNI-DIA-DEFAULT-PRIMARY-OUT
set community BGP-SITECODE
end-policy
!
router bgp 53828
bgp router-id 53.53.53.53
address-family ipv4 unicast
redistribute connected
redistribute static
!
neighbor 192.168.0.2
remote-as 2828
address-family ipv4 unicast
send-community-ebgp
route-policy IPV4-BGP-NNI-DIA-BACKUP-IN in
route-policy IPV4-BGP-NNI-DIA-BACKUP-OUT out
send-extended-community-ebgp
default-originate route-policy IPV4-BGP-NNI-DIA-DEFAULT-BACKUP-OUT
soft-reconfiguration inbound
!
!
!
end

RP/0/0/CPU0:ios#sh bgp ipv4 u nei 192.168.0.2 advertised-routes
Fri Apr 22 04:56:26.072 UTC
Network Next Hop From AS Path
0.0.0.0/0 0.0.0.0 Local i

Processed 1 prefixes, 1 paths
RP/0/0/CPU0:ios#
---

iosxr-2
----
RP/0/0/CPU0:ios#show run
Fri Apr 22 04:57:57.445 UTC
Building configuration...
!! IOS XR Configuration 6.0.0
!! Last configuration change at Fri Apr 22 04:50:19 2016 by cisco
!
vrf VPN
address-family ipv4 unicast
import route-target
2828:1
!
export route-target
2828:1
!
!
!
interface Loopback0
ipv4 address 28.28.28.28 255.255.255.255
!
interface MgmtEth0/0/CPU0/0
shutdown
!
interface GigabitEthernet0/0/0/0
!
interface GigabitEthernet0/0/0/0.101
vrf VPN
ipv4 address 192.168.0.2 255.255.255.252
encapsulation dot1q 101
!
interface GigabitEthernet0/0/0/1
vrf VPN
ipv4 address 172.16.0.1 255.255.255.252
!
route-policy PERMIT-ALL
pass
end-policy
!
router static
vrf VPN
address-family ipv4 unicast
172.17.0.0/24 172.16.0.1
!
!
!
router bgp 2828
bgp router-id 28.28.28.28
address-family ipv4 unicast
redistribute connected
redistribute static
!
address-family vpnv4 unicast
!
vrf VPN
rd 2828:1
address-family ipv4 unicast
redistribute connected
redistribute static
!
neighbor 192.168.0.1
remote-as 53828
address-family ipv4 unicast
send-community-ebgp
route-policy PERMIT-ALL in
route-policy PERMIT-ALL out
send-extended-community-ebgp
soft-reconfiguration inbound
!
!
!
!
end

RP/0/0/CPU0:ios#sh bgp vrf VPN
Fri Apr 22 04:58:02.645 UTC
BGP VRF VPN, state: Active
BGP Route Distinguisher: 2828:1
VRF ID: 0x60000006
BGP router identifier 28.28.28.28, local AS number 2828
Non-stop routing is enabled
BGP table state: Active
Table ID: 0xe0000015 RD version: 7
BGP main routing table version 7
BGP NSR Initial initsync version 3 (Reached)
BGP NSR/ISSU Sync-Group versions 0/0

Status codes: s suppressed, d damped, h history, * valid, > best
i - internal, r RIB-failure, S stale, N Nexthop-discard
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 2828:1 (default for vrf VPN)
*> 0.0.0.0/0 192.168.0.1 0 53828 53828
53828 i
*> 172.16.0.0/30 0.0.0.0 0 32768 ?
*> 192.168.0.0/30 0.0.0.0 0 32768 ?

Processed 3 prefixes, 3 paths
RP/0/0/CPU0:ios#sh bgp vrf VPN ipv4 u nei 192.168.0.1 routes
Fri Apr 22 04:58:05.415 UTC
BGP VRF VPN, state: Active
BGP Route Distinguisher: 2828:1
VRF ID: 0x60000006
BGP router identifier 28.28.28.28, local AS number 2828
Non-stop routing is enabled
BGP table state: Active
Table ID: 0xe0000015 RD version: 7
BGP main routing table version 7
BGP NSR Initial initsync version 3 (Reached)
BGP NSR/ISSU Sync-Group versions 0/0

Status codes: s suppressed, d damped, h history, * valid, > best
i - internal, r RIB-failure, S stale, N Nexthop-discard
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 2828:1 (default for vrf VPN)
*> 0.0.0.0/0 192.168.0.1 0 53828 53828
53828 i

Processed 1 prefixes, 1 paths
RP/0/0/CPU0:ios#
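
Since the lab result above shows the prepend only on the receiving router, a check against that side's "show bgp" table is the useful one. The following is an added example, not code from the thread or from Cisco: the function names are hypothetical, the sample text is constructed on the model of the iosxr-2 output, and it assumes the table's column alignment is intact so that Weight can be told apart from the first AS in the path.

```python
import re

ROUTE_RE = re.compile(r"^[*>sdhirSN ]{0,3}\s*(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s+(\S+)")
ORIGIN_CODES = {"i", "e", "?"}

def parse_bgp_table(text):
    """Return {prefix: {"next_hop", "as_path", "origin"}} from 'show bgp' table text."""
    routes, path_col, pending = {}, None, None
    for line in text.splitlines():
        if "Next Hop" in line and "Path" in line:
            path_col = line.index("Path")  # Weight ends just left of this column
            continue
        m = ROUTE_RE.match(line)
        if m and path_col is not None:
            pending = {"next_hop": m.group(2), "as_path": [], "origin": None}
            routes[m.group(1)] = pending
            tokens = line[path_col:].split()
        elif pending is not None:
            tokens = line.split()  # candidate continuation of a wrapped AS path
            if not all(t.isdigit() or t in ORIGIN_CODES for t in tokens):
                pending = None
                continue
        else:
            continue
        for tok in tokens:
            if tok in ORIGIN_CODES:  # the origin code terminates the path
                pending["origin"] = tok
                pending = None
                break
            if tok.isdigit():
                pending["as_path"].append(int(tok))
    return routes

def prepend_count(as_path):
    """Copies of the leading AS beyond the single one eBGP export always adds."""
    lead = 0
    while lead < len(as_path) and as_path[lead] == as_path[0]:
        lead += 1
    return max(lead - 1, 0)

def default_route_prepended(text, neighbor_as, expected):
    route = parse_bgp_table(text).get("0.0.0.0/0")
    return bool(route) and route["as_path"][:1] == [neighbor_as] \
        and prepend_count(route["as_path"]) == expected

def _row(net, nh, metric, locprf, weight, path):
    return f"{net:<22}{nh:<20}{metric:>6} {locprf:>6} {weight:>6} {path}"

# Constructed sample modelled on the receiving router's output in the thread,
# with the default route's AS path wrapped onto a second line.
RECEIVER_OUTPUT = "\n".join([
    _row("   Network", "Next Hop", "Metric", "LocPrf", "Weight", "Path"),
    "Route Distinguisher: 2828:1 (default for vrf VPN)",
    _row("*> 0.0.0.0/0", "192.168.0.1", "", "", "0", "53828 53828"),
    "53828 i",
    _row("*> 172.16.0.0/30", "0.0.0.0", "0", "", "32768", "?"),
    _row("*> 192.168.0.0/30", "0.0.0.0", "0", "", "32768", "?"),
    "", "Processed 3 prefixes, 3 paths",
])
```

AS sets and other non-numeric path tokens are skipped by this parser, so it is suited to checking simple prepends like the one in this thread rather than arbitrary paths.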