How to make a certain AS exit through the AS of your choice?

creamy_stew Member Posts: 406
Hello!

I'm really no BGP expert, in fact I haven't even started studying for ROUTE yet. However, I'm in need of guidance.

Until recently, we ran full BGP from two different providers, connecting to separate routers. It seems, though, that the Internets have become too many for our routers to handle... I've now asked one of our providers (ISP2) to stop giving us a full table and instead give us only a BGP default route and their own nets.

This made memory usage go down a bit, so now I'm waiting for the other provider to get back to me, so they can do the same thing at their end.

The above change meant that nearly all outbound traffic started exiting through ISP1, which is to be expected, I suppose.

While I'm waiting for ISP2 to get back to me so we can discuss how to proceed, I'd like to try and artificially increase outbound traffic via ISP2. I've identified an AS to which traffic used to exit almost exclusively through ISP2, but now exits through ISP1.

I'd like to make traffic bound for this AS exit through ISP2 instead of ISP1, as long as ISP2 is available (I don't want to risk blackholing the traffic). Is this possible? I'm thinking AS prepending should do the trick? The problem is I don't really know how to implement prepending, or if it really does what I want it to, and since this is a live network, I'd like to have one of you gurus tell me what to do :D

I'm trying to include a diagram for your viewing pleasure. IPs have been changed to protect.. uh, me.



BGP config is as follows:

Y1:

router bgp 12345
 no synchronization
 bgp router-id 10.10.10.254
 bgp log-neighbor-changes
 bgp dampening
 network 192.168.1.0 mask 255.255.240.0
 neighbor 172.24.0.90 remote-as 5678
 neighbor 172.24.0.90 description ISP1 ebgp AS5678-Multihop
 neighbor 172.24.0.90 eBGP-multihop 255
 neighbor 172.24.0.90 route-map send-nothing out
 neighbor 172.24.9.21 remote-as 5678
 neighbor 172.24.9.21 description ISP1 eBGP AS5678
 neighbor 172.24.9.21 route-map as-out out
 neighbor 10.10.10.253 remote-as 12345
 neighbor 10.10.10.253 description iBGP to Y2
 no auto-summary

ip as-path access-list 1 permit ^$
ip as-path access-list 3 permit .*

route-map send-nothing deny 10
 match as-path 3
!
route-map as-out permit 10
 match as-path 1

Y2:

router bgp 12345
 no synchronization
 bgp router-id 10.10.10.253
 bgp log-neighbor-changes
 bgp dampening
 network 192.168.1.0 mask 255.255.240.0
 neighbor 172.31.99.73 remote-as 23456
 neighbor 172.31.99.73 description ISP2 eBGP AS23456
 neighbor 172.31.99.73 route-map as-out out
 neighbor 10.10.10.254 remote-as 12345
 neighbor 10.10.10.254 description iBGP to Y1
 no auto-summary

ip as-path access-list 1 permit ^$
!
route-map as-out permit 10
 match as-path 1
Itchy... Tasty!
[X] DCICN
[X] IINS

[ ] CCDA
[ ] DCICT

Comments

  • creamy_stew Member Posts: 406
    Also, what's up with the config on Y1? That multihop thing and the "send-nothing" routemap look really scary ;-(
  • cxzar20 Member Posts: 168
    Since you are in the same AS you can consider using local preference. This would help dictate your outbound traffic.
  • creamy_stew Member Posts: 406
    A higher Local pref would make all traffic more likely to exit the router that has the higher LP, though?

    Is the default 100? Would it be safe to try e.g. 150? Is it as simple as setting it in the bgp-clause? Bandwidth-wise, this would be a great time to try it out, but will I risk busting some VPNs etc?

    I'll take another look at the graphs and google LP, I'll be back shortly.
  • DPG Member Posts: 780
    Edit: This would only work if you were taking full routes. Just set a higher local preference for ISP2 as cxzar20 suggested.

    On the router connected to ISP1:

    ! X is the AS that you only want reachable through ISP2
    ip as-path access-list 1 deny _X$
    ! This allows all other AS paths
    ip as-path access-list 1 permit .*

    router bgp 45678
     ! Applies the route-map to incoming routes
     neighbor 172.24.0.90 route-map BLOCK_ASX in

    route-map BLOCK_ASX
     match as-path 1
  • creamy_stew Member Posts: 406
    Hm, I thought I replied yesterday. I was so tired that I probably just missed the reply button.

    Anyway, is something like this what you have in mind?

    Y2(config)# route-map LOCALPREF150 permit 10
    Y2(config-route-map)# set local-preference 150
    Y2(config-route-map)# router bgp 12345
    Y2(config-router)# neighbor 10.10.10.254 route-map LOCALPREF150 in

    The default LP for both routers is 100 afaict.
  • pham0329 Member Posts: 556
    Maybe I'm missing something, and if I am, please fill me in. But if ISP1 is advertising full routing tables, and ISP2 is only advertising a partial, is the AS you're trying to get to being advertised by ISP2?

    If not, wouldn't the longest match rule apply and it'll always go through ISP1, regardless of the local pref for ISP2?
  • dtlokee Member Posts: 2,378
    In terms of routing and route selection, the router needs to have multiple identical routes before it would consider anything else (MED, AS path, weight...). If you are only receiving the route via ISP1 and there is no identical route from ISP2, there is no amount of attribute manipulation that can force your routers to use ISP2 for that destination. You could ask ISP2 to change the filter to advertise the routes from the remote AS that you want to egress your network via ISP2, and then, if necessary, use BGP attribute manipulation to influence the routing. If the traffic previously used ISP2 as the best path, you may not need to change the BGP attributes in those paths.
    The only easy day was yesterday!
  • creamy_stew Member Posts: 406
    Thanks for the replies, guys!

    Of course, pham0329 and dtlokee are correct.

    I have now tried this (and it actually seems to work):

    On Y1, I specify a filterlist that filters out AS6666. This caused the BGP default to be the best match, and so, outbound traffic to AS6666's prefixes started exiting through Y2. I also added a static default route on Y1 with a metric of 254, which should kick in if the BGP default becomes unavailable?

    So, routing-wise, things seem to work as intended. However, the primary purpose of this "labbing" is to reduce the number of prefixes received. The AS I filtered out should originate (if that's the right word) a good amount of prefixes. However, when I did a "sh ip bgp", the number of prefixes hadn't changed, and I can still see the original routes to AS6666's nets, even though the traffic is obviously taking the default route received from ISP2!
  • dtlokee Member Posts: 2,378
    Although the number of prefixes in the output of show ip bgp may not have changed, the number of paths may have changed to reflect fewer paths to the destinations once you filtered routes from ISP1. From all of the available paths, the BGP routing process will select the 'best path' based on the path selection algorithm; then that prefix is compared against any matching prefix from other routing protocols and static routes, and the one with the lowest administrative distance wins and is placed in the routing table.
    The only easy day was yesterday!
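
The point made by pham0329 and dtlokee, and the filter result creamy_stew reports, as an added example (not code from any poster): a simplified Python model in which attributes are compared only among routes for the same prefix, and forwarding then takes the longest match. The prefixes are constructed documentation ranges, AS 7777 is made up, and the best-path step models only local preference and AS-path length.

```python
import ipaddress
from typing import NamedTuple

class Route(NamedTuple):
    prefix: str      # destination prefix
    exit_isp: str    # provider the route was learned from
    local_pref: int  # higher wins, but only among routes for the SAME prefix
    as_path: tuple   # last element is the origin AS

# Constructed sample data: documentation prefixes, ISP AS numbers from the thread.
ISP1_FULL = [
    Route("203.0.113.0/24", "ISP1", 100, (5678, 6666)),
    Route("198.51.100.0/24", "ISP1", 100, (5678, 7777)),
]
ISP2_DEFAULT = [Route("0.0.0.0/0", "ISP2", 150, (23456,))]

def filter_origin_as(routes, asn):
    """Inbound filter equivalent to denying as-path regex _<asn>$ (origin AS)."""
    return [r for r in routes if r.as_path[-1] != asn]

def best_paths(routes):
    """Per prefix, keep one path: highest local-pref, then shortest AS path."""
    best = {}
    for r in routes:
        cur = best.get(r.prefix)
        if cur is None or (r.local_pref, -len(r.as_path)) > (cur.local_pref, -len(cur.as_path)):
            best[r.prefix] = r
    return best

def exit_for(routes, dst):
    """Forwarding decision: longest matching prefix among the per-prefix winners."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in best_paths(routes).values()
               if addr in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None  # no covering route at all: traffic is dropped
    longest = max(matches, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)
    return longest.exit_isp

if __name__ == "__main__":
    dst = "203.0.113.10"  # constructed host inside the AS6666 sample prefix
    # Local-pref 150 on ISP2's default cannot beat ISP1's more specific /24.
    print(exit_for(ISP1_FULL + ISP2_DEFAULT, dst))
    # With AS6666 filtered from ISP1, only the default via ISP2 still matches.
    print(exit_for(filter_origin_as(ISP1_FULL, 6666) + ISP2_DEFAULT, dst))
    # Filter in place but ISP2's default gone: nothing matches (blackhole).
    print(exit_for(filter_origin_as(ISP1_FULL, 6666), dst))
```

The last case is why a backup default on Y1 matters once the filter is in place: without any covering route, the filtered destinations have no exit.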
  • APA Member Posts: 959
    Show your configuration now and also the 'sh ip bgp' output where you see AS6666 prefixes still....

    CCNA | CCNA:Security | CCNP | CCIP
    JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
    JNCIS:SP | JNCIP:SP