Friday, August 23, 2013

BGP and Source Based Route Maps

Ahem. Yes - it's probably high time I stop being so distracted and put some networking related articles up.

Well, until my focus drifts again, here's an article on how to use source-based route maps alongside BGP.

Scenario:

Let's say you've got two pairs of routers with each pair at a different company.

We'll be running iBGP between routers at the same company and eBGP between companies.

Different service providers are used for connectivity as follows:

Now let's say that we want to route those /24 subnets over both link A and link B, but route traffic for a few particular hosts within those four /24 subnets over link A only.

This is initially pretty easy.

Step 1) Define interfaces
Company_A_DC1
conf term
hostname A1
interface fa 0/0
ip address 172.16.0.1 255.255.255.248
no shut
exit
interface fa 0/1
ip address 172.16.0.9 255.255.255.248
no shut
exit

Company_A_DC2
conf term
hostname A2
interface fa 0/0
ip address 172.16.0.17 255.255.255.248
no shut
exit
interface fa 0/1
ip address 172.16.0.10 255.255.255.248
no shut
exit

Company_B_DC1
conf term
hostname B1
interface fa 0/0
ip address 172.16.0.2 255.255.255.248
no shut
exit
interface fa 0/1
ip address 172.16.0.25 255.255.255.248
no shut
exit

Company_B_DC2
conf term
hostname B2
interface fa 0/0
ip address 172.16.0.18 255.255.255.248
no shut
exit
interface fa 0/1
ip address 172.16.0.26 255.255.255.248
no shut
exit

Step 2) Define eBGP and iBGP Peers
A1
router bgp 64512
neighbor 172.16.0.2 remote-as 64513
neighbor 172.16.0.10 remote-as 64512
neighbor 172.16.0.10 next-hop self
no auto-summary
exit

B1
router bgp 64513
neighbor 172.16.0.1 remote-as 64512
neighbor 172.16.0.26 remote-as 64513
no auto-summary
exit

A2
router bgp 64512
neighbor 172.16.0.18 remote-as 64513
neighbor 172.16.0.9 remote-as 64512
neighbor 172.16.0.9 next-hop self
no auto-summary
exit

B2
router bgp 64513
neighbor 172.16.0.17 remote-as 64512
neighbor 172.16.0.25 remote-as 64513
no auto-summary
exit

Step 3) Define Local Interfaces

A1
interface fa 2/0.1
encapsulation dot1q 1
ip address 10.0.50.254 255.255.255.0
no shut
exit
interface fa 2/0.2
encapsulation dot1q 2
ip address 10.0.100.254 255.255.255.0
no shut
interface fa 2/0
no shut

A2
interface fa 1/0.1
encapsulation dot1q 1
ip address 10.0.50.253 255.255.255.0
no shut
exit
interface fa 1/0.2
encapsulation dot1q 2
ip address 10.0.100.253 255.255.255.0
no shut
interface fa 1/0
no shut

B1
interface fa 2/0.1
encapsulation dot1q 1
ip address 192.168.100.254 255.255.255.0
no shut
exit
interface fa 2/0.2
encapsulation dot1q 2
ip address 192.168.200.254 255.255.255.0
no shut
interface fa 2/0
no shut

B2
interface fa 2/0.1
encapsulation dot1q 1
ip address 192.168.100.253 255.255.255.0
no shut
exit
interface fa 2/0.2
encapsulation dot1q 2
ip address 192.168.200.253 255.255.255.0
no shut
interface fa 2/0
no shut

Step 4) BGP Network Statements and How-To Advertise /32 Hosts in BGP

Ok - so now we've got our basic lab setup with BGP advertising some subnets at different locations.

Now we want to advertise the /24 subnets from both Company A DC1 and DC2, but also put some more specific host routes on Company A DC1's router so that it becomes the preferred entry point for those specific hosts.

We can control which router is the preferred entry point with the /32 host routes: they are more specific than the /24s, so longest-prefix matching in the external BGP ASes will favour them regardless of the other path attributes.

To advertise the /24's:

A1
router bgp 64512
network 10.0.100.0 mask 255.255.255.0
network 10.0.50.0 mask 255.255.255.0
exit

A2
router bgp 64512
network 10.0.100.0 mask 255.255.255.0
network 10.0.50.0 mask 255.255.255.0
exit

To advertise the /32's:
As the host IPs 10.0.50.1 and 10.0.50.20 sit inside a connected network with a mask of 255.255.255.0, a network statement for them with a mask of 255.255.255.255 won't originate anything: BGP only advertises a network statement when the routing table holds that exact prefix and mask.

To address this, create a static route for that IP as follows:
A1
conf term
! point the /32s at the subinterface that carries 10.0.50.0/24 (fa 2/0.1)
ip route 10.0.50.1 255.255.255.255 fastEthernet 2/0.1
ip route 10.0.50.20 255.255.255.255 fastEthernet 2/0.1
exit

You can also use an IP address as the next hop for the static route; as long as it really is the next hop for that destination it doesn't matter :)

Now that the router is learning a /32 mask for this host, you can advertise this network in BGP:
A1
router bgp 64512
network 10.0.50.1 mask 255.255.255.255
network 10.0.50.20 mask 255.255.255.255
exit
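To make the two rules in Step 4 concrete (the network statement's exact-match requirement, and why a /32 pins the entry point), here is an added Python model that is not part of the original article; the routing tables, router names and the dict layout are my assumptions, the prefixes and network statements are the ones configured above.

```python
import ipaddress

def originated(rib, network_statements):
    """Prefixes that 'network <addr> mask <mask>' will actually originate.

    IOS only originates a network statement when the routing table holds a
    route with exactly that prefix and mask; a covering /24 does not count."""
    out = []
    for addr, mask in network_statements:
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if net in rib:
            out.append(str(net))
    return out

def entry_routers(dst, advertisements):
    """Company A routers whose advertisement gives the longest match for dst.
    A single router in the result is the only possible entry point; several
    means the /24s tie and ordinary BGP path selection decides."""
    addr = ipaddress.ip_address(dst)
    best_len, best = -1, set()
    for router, prefixes in advertisements.items():
        for p in prefixes:
            net = ipaddress.ip_network(p)
            if addr not in net:
                continue
            if net.prefixlen > best_len:
                best_len, best = net.prefixlen, {router}
            elif net.prefixlen == best_len:
                best.add(router)
    return best

# Constructed routing tables (illustration, not router output). A2, and A1
# before Step 4's static routes, hold only the connected /24s.
CONNECTED = {ipaddress.ip_network("10.0.50.0/24"),
             ipaddress.ip_network("10.0.100.0/24")}
A2_RIB = CONNECTED
A1_RIB = CONNECTED | {ipaddress.ip_network("10.0.50.1/32"),
                      ipaddress.ip_network("10.0.50.20/32")}

# The network statements configured on A1 in Step 4 (A2 has only the /24s).
A1_NETWORKS = [("10.0.50.0", "255.255.255.0"), ("10.0.100.0", "255.255.255.0"),
               ("10.0.50.1", "255.255.255.255"), ("10.0.50.20", "255.255.255.255")]
A2_NETWORKS = A1_NETWORKS[:2]

def company_a_advertisements():
    """What each Company A router ends up advertising to its ISP peer."""
    return {"A1": originated(A1_RIB, A1_NETWORKS),
            "A2": originated(A2_RIB, A2_NETWORKS)}
```

Running originated() against A2_RIB with the full A1_NETWORKS list shows the /32 statements silently producing nothing until the static routes exist.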

Step 5) Controlling the Return Route Path

Ok - so now we're successfully making Company B routers take the route path via ISP A to reach Company A for 2 specific hosts.

Now, the aim of this scenario is to force all traffic in all directions for these two hosts over the one ISP link.

To do this we need to make sure that if the two source IPs 10.0.50.1 and 10.0.50.20 try to route out router A2 we force the traffic via A1.


We can do this by defining a route map on Company_A_DC2's router which matches a source IP of the /32 hosts (with any destination) and then uses the route-map's set ip next-hop action, applied as policy routing, to force that traffic out via Company_A_DC1's router.

First of all we need to create the route-map which specifies the IPs of the hosts we want to redirect:

route-map redirect_hosts permit 10
match ip address Host_IPs
set ip next-hop 172.16.0.9
exit

ip access-list extended Host_IPs
permit ip host 10.0.50.1 any
permit ip host 10.0.50.20 any

The significant part of the access-list above is where the host addresses sit: in the source field, with "any" as the destination.

This means the rule matches 10.0.50.1 and 10.0.50.20 only when they are the source IP of the packet.
If the hosts were matched as the destination as well, the rule would take effect in both directions and could cause major issues for the return path from Company B to the server.

Now we want to apply this on A2 to the subinterface the hosts arrive on, fa 1/0.1 (the 10.0.50.0/24 VLAN), to force any matching traffic entering it over to router A1:

interface fastEthernet 1/0.1
ip policy route-map redirect_hosts
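The following is an added Python model of what A2 now does with a packet, not code from the article: it evaluates the extended ACL above as IOS would (source field then destination field, first match wins) ahead of the routing table, and shows why a destination match would catch the return traffic. The ACL lines are the article's; the forwarding table, interface names and peer addresses are assumptions for the illustration.

```python
import ipaddress

# Constructed model of A2 after Step 5. The ACL lines are the article's;
# the routes and interface names are assumptions for this illustration.
HOST_IPS_ACL = ["permit ip host 10.0.50.1 any",
                "permit ip host 10.0.50.20 any"]
REDIRECT_NEXT_HOP = "172.16.0.9"      # set ip next-hop -> A1's fa 0/1
POLICY_INTERFACE = "fa 1/0.1"         # where the 10.0.50.0/24 hosts enter A2
A2_ROUTES = {                         # A2's normal forwarding table
    ipaddress.ip_network("0.0.0.0/0"): "172.16.0.18",   # ISP B peer (B2)
    ipaddress.ip_network("10.0.50.0/24"): "connected fa 1/0.1",
    ipaddress.ip_network("10.0.100.0/24"): "connected fa 1/0.2",
}

def _field(tok, i, ip):
    """Match one ACL address field ('any' or 'host X'); return (hit, next index)."""
    if tok[i] == "any":
        return True, i + 1
    if tok[i] == "host":
        return tok[i + 1] == ip, i + 2
    raise ValueError(f"unsupported ACL token {tok[i]!r}")

def acl_permits(acl, src, dst):
    """Evaluate IOS-style 'permit ip <src> <dst>' rules, first match wins."""
    for rule in acl:
        tok = rule.split()
        if tok[:2] != ["permit", "ip"]:
            raise ValueError(f"unsupported rule {rule!r}")
        s_hit, i = _field(tok, 2, src)
        d_hit, _ = _field(tok, i, dst)
        if s_hit and d_hit:
            return True
    return False

def next_hop(src, dst, ingress, acl=HOST_IPS_ACL, policy_if=POLICY_INTERFACE):
    """Where A2 sends the packet: PBR on the ingress interface is consulted
    before the routing table, so a matching source overrides the BGP path."""
    if ingress == policy_if and acl_permits(acl, src, dst):
        return REDIRECT_NEXT_HOP
    addr = ipaddress.ip_address(dst)
    best = max((n for n in A2_ROUTES if addr in n), key=lambda n: n.prefixlen)
    return A2_ROUTES[best]

# An ACL that also names the hosts as destination: applied where traffic
# from Company B enters, it would redirect the return path too.
BOTH_WAYS_ACL = HOST_IPS_ACL + ["permit ip any host 10.0.50.1",
                                "permit ip any host 10.0.50.20"]
```

One caveat the model does not capture: set ip next-hop bypasses the routing table outright, so if 172.16.0.9 becomes unreachable the matched traffic is dropped rather than falling back to the BGP path; IOS offers the verify-availability option on that set clause for exactly this case.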

Congratulations :)

You've just forced BGP into doing something a little bit nasty.

Not exactly the recommended way of doing things but a good one to keep in your back pocket nonetheless.