BGP Policy Routing

Status
Not open for further replies.

abidg

ISP
Jul 9, 2002
42
GB
Hello,

I am testing a customer and provider setup with MPLS-VPN and BGP for CE-PE.

There is a situation where I need to implement policy routing on CE router.

I create a route-map as Set-Tag and another to Check-Tag.

When I apply the route-map (either) to BGP neighbor it says that this is not allowed.

Scenario: I have a customer AS multi-homed to provider AS. Customer is already running an IGP. I have to redistribute both ways (IGP to BGP and BGP to IGP) on both the CE-PE links. Now to avoid getting routing loops and sub-optimal routing I am thinking of TAGging IGP routes and using the TAG to control their redistribution into BGP on both the CEs.

Basically I wanted to control routes which are distributed in both directions. Currently am using distribute list but wanted to find out if I could use TAG/Route-Map for this purpose.

Thanks and regards,

Abid Ghufran.
 
Wouldn't this work with creating vrf families and asking BGP and IGP to keep track of it accordingly?
 
Guess I'm a little confused why you need to redistribute BGP into IGP. I think the distribution lists is the way to go, but maybe I'm missing something for what you are trying to accomplish.

Great reference for BGP is the Internet Routing Architectures book by Sam Halabi.
 
Client is already using an IGP within their cloud. CE-PE connectivity is over EBGP. Customer core sites would have CE running IGP and BGP. To get the MPLS routes from the CE routers to C routers down in the customer Intranet, BGP needs to be redistributed into IGP.

I am not familiar with this "vrf family tracking" - could you please elaborate it a bit further or point me towards a resource?

Thanks guys,

Regards,

Abid.
 
Well, good news for you. You don't really have to worry about routes looping around within your local networks and then coming back up through for a destination in the service provider's WAN. Reason being is that one of BGP's main loop prevention mechanisms is AS-PATH. For your case the service provider has an AS and you have an AS. If the service provider receives a route from you with his own AS-PATH in the AS-PATH string, he will drop it by default. More than likely as well, their PE-router is probably configured to only accept routes originating with your assigned AS anyway.

As for controlling which routes get redistributed. I would strongly suggest the path you are going down using route-maps. They are the strongest and most diverse method of filtering routes. You could easily reference prefix-lists, ACLs, etc. when filtering between anything.
 
Hello Belushi,

In my case imagine that I have an AS cloud with two point of connections with the service provider AS.

             __ Intranet Routers __
  |_________()__________()__________()___|
  |                Core                  |
  |          Customer Network            |
  |                IGP                   |
A ()----------------------------------() B
  |                                      |
  |                                      |
  |          Provider Network            |
 ______()____________________________()_______
       |                            |
       |                            |
       |                            |
       ()                           ()
   ----------                 -------------
   |        |                 |           |
   |        |                 |           |
   ----------                 -------------
     Remote                      Remote
     Site-1                      Site-2


Points A and B are two points where the customer AS connects with the provider AS. Customer has other remote sites connected to the provider cloud.

1) To have resilient connectivity between the remote sites and core site, the core routes need to be advertised (through IGP redistribution into EBGP), from both the points. This way if point A goes down, those routes would still be advertised via other point B.

2) Similarly, to have resilient connectivity from the core site to the remote sites, EBGP routes need to be advertised (through redistribution from EBGP into IGP), again at both the points. This way if point A or B goes down, core site routers could still access remote site route via either of the remaining network point B or A.

I hope this makes it clear why I need to redistribute vice versa at both the points.

Now, while doing this I need to control the routing information going and coming across at the redistribution points A and B, otherwise I could get a routing loop.

I am currently doing this via acl and route-map, but wanted to do it way tagging routes going and coming across. When I try to do that via "set/match tag" in a route-map and apply the route map, it says that set and match tag cannot be used in a route-map and applied.
 
Simple answer is don't use tags to set traffic. If you are going into BGP from an IGP use communities (make sure your service provider preserves them across their network). If it is from BGP to an IGP, I believe you should be able to use route tags (although it may depend on the IGP). Otherwise, do as I said before and match on sets of prefixes or something else that can be matched upon. You have lots of choices and in my opinion, tags are not the best.
 
Hello Belushi - I have done some testing with route-map and distribute lists. With both of these you need to use ACLs or as you said (set/match) communities. Using communities in my limited experience might not be much different than using tags. I have a feeling that using either tags or communities is going to make administration much more easy. If I were to use acl based mechanism, I would have to maintain them to accommodate for any addition or deletion of networks/subnets. On the contrary if I were to use tags or communities, I would need to do that. I could just mark the routes with a tag or community when redistributing into IGP and BGP. My IGP here is RIPv2 which does support tagging so will work with it. Communities will only work within BGP, and for IGP I could tag, implying that I might have to use both.

Well back to testing. Thanks for your suggestions.

_______________________________________
Courage does not always roar. Sometimes, it is the quiet voice at the
end of the day saying, "I will try again tomorrow".
-- Anonymous
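
The tag scheme discussed in this thread, modelled as a small added sketch (not part of any post and not a router configuration): routes redistributed from BGP into RIPv2 at one CE are marked with a tag, and the RIP-to-BGP redistribution at the other CE refuses anything carrying that tag. The tag value 100, the prefixes and all function names are assumptions made for illustration.

```python
# Constructed model of mutual RIP<->BGP redistribution at two CE routers (A and B).
BGP_TAG = 100   # hypothetical tag meaning "this RIP route was learned from BGP"
NO_TAG = 0      # native RIP routes carry no tag


def bgp_to_rip(bgp_prefixes, use_tags):
    """CE redistributes EBGP-learned prefixes into RIP, optionally setting the tag."""
    return {p: (BGP_TAG if use_tags else NO_TAG) for p in bgp_prefixes}


def rip_to_bgp(rip_table, use_tags):
    """CE redistributes RIP into BGP; with tags enabled, tagged routes are denied."""
    return sorted(p for p, tag in rip_table.items()
                  if not (use_tags and tag == BGP_TAG))


def advertised_at_b(core_prefixes, remote_prefixes, use_tags):
    """What CE-B offers the provider after CE-A has injected remote routes into RIP."""
    rip_table = {p: NO_TAG for p in core_prefixes}           # customer core routes
    rip_table.update(bgp_to_rip(remote_prefixes, use_tags))  # injected at CE-A
    # RIPv2 carries the route tag field unchanged across the core to CE-B.
    return rip_to_bgp(rip_table, use_tags)


def leaked_back(core_prefixes, remote_prefixes, use_tags):
    """Remote-site prefixes that CE-B would feed back into BGP (the loop risk)."""
    core = set(core_prefixes)
    return [p for p in advertised_at_b(core_prefixes, remote_prefixes, use_tags)
            if p not in core]


# Constructed sample prefixes.
CORE = ["10.1.0.0/16", "10.2.0.0/16"]
REMOTE = ["10.10.1.0/24", "10.10.2.0/24"]

if __name__ == "__main__":
    print("without tags, fed back:", leaked_back(CORE, REMOTE, use_tags=False))
    print("with tags, fed back:   ", leaked_back(CORE, REMOTE, use_tags=True))
```

Adding or removing a core or remote prefix needs no filter change in this model, which is the maintenance difference from the ACL-based approach described above.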
 