evilrouters.net

In “Configuring Frame-Relay, Part 1″, I demonstrated how to configure a basic frame-relay hub and spoke network.

In Part 2, we have the same three routers with the same physical topology, but we’ll be using point-to-point connections between each of the routers.

Here’s the topology…

…and the walkthrough…

In Part 3, we’ll add another router, R4, to the topology and use a combination of the physical interface and point-to-point subinterface on R1 to demonstrate how to use both simultaneously. We’ll follow that up in Part 4 by adding OSPF to the whole network to show the differences over various types of networks.

In this video, we show how to configure a basic frame-relay network with one hub and two spokes. The configuration is pretty straightforward and simple, and nearly identical on all three routers. As such, a lot of the video is repetitive. It does, however, go from blank configurations to a fully-configured frame-relay hub-and-spoke network with full connectivity.

Here’s the topology:

As you can see, we’re using the 172.16.123.0/24 network and physical interfaces (no sub-interfaces). The DLCI numbers are illustrated in the diagram.

Here’s the video:

Part 2 uses a similar topology but in a full-mesh configuration with point-to-point connections (and sub-interfaces, of course). Part 3 will use a combination of physical interfaces and sub-interfaces to show how to set up both simultaneously. In Part 4, we’ll be configuring OSPF over the network we set up in Part 3, to show the differences in how OSPF works over various types of networks.

A couple of quick videos to show how to configure basic (back-to-back/directly connected) serial and PPP links. Here’s the topology (as basic as it gets):

Configuring a serial connection

Configuring a PPP connection

Here’s another lab that I just made up using dynamips/dynagen. There is a download link to the .net file I used (modify it as needed) at the bottom of this post.

NOTE: See the video demonstration below!

For this lab, here’s the topology we’re working with:

Our scenario here is pretty basic. We are AS 65065 and are dual-homed to our service provider, AS 65001. We have two T-1 connections: R1 to R2 and R1 to R3. We’re running BGP with our service provider and we would like to load share our outgoing traffic over these two T-1 connections. Fortunately, Cisco provides us with an easy way to do this.

As you may already know, BGP will, by default, only install the one best path into the routing table. In our case, that means that we would only be utilizing one connection at a given time. That’s not exactly the best use of our available bandwidth. The “maximum-paths” command is our friend.

From the Cisco IOS IP Command Reference:

“To configure the maximum number of parallel routes that an IP routing protocol will install into the routing table, use the maximum-paths command in router configuration or address family configuration mode. To restore the default value, use the no form of this command.”

Here are our starting configurations for R2 and R3:

R2:

interface fastethernet 0/0
 ip address 172.16.23.2 255.255.255.0
 no shutdown
interface serial 1/1
 ip address 172.16.12.2 255.255.255.0
 no shutdown
router bgp 65001
 network 172.16.12.0 mask 255.255.255.0
 network 172.16.23.0 mask 255.255.255.0
 neighbor 172.16.12.1 remote-as 65065
 neighbor 172.16.23.3 remote-as 65001
 neighbor 172.16.23.3 next-hop-self
end

R3:

interface fastethernet 0/0
 ip address 172.16.23.3 255.255.255.0
 no shutdown
interface serial 1/0
 ip address 172.16.13.3 255.255.255.0
 no shutdown
router bgp 65001
 network 172.16.13.0 mask 255.255.255.0
 network 172.16.23.0 mask 255.255.255.0
 neighbor 172.16.13.1 remote-as 65065
 neighbor 172.16.23.2 remote-as 65001
 neighbor 172.16.23.2 next-hop-self
end

The interface configuration for R1 is pretty standard and simple, with perhaps one exception:

interface serial 1/0
 ip address 172.16.13.1 255.255.255.0
 ip load-sharing per-packet
 no shutdown
interface serial 1/1
 ip address 172.16.12.1 255.255.255.0
 ip load-sharing per-packet
 no shutdown

Note the use of “ip load-sharing per-packet”. Cisco’s default is to use per-destination load sharing. You’ll want to evaluate your network to decide which is best for you.

Now, let’s configure BGP on R1 and we’re practically done:

router bgp 65065
 maximum-paths 2
 neighbor 172.16.12.2 remote-as 65001
 neighbor 172.16.13.3 remote-as 65001

The only thing left to do is test and verify. See how I did it in the video below:

• Download the dynagen .NET file

UPDATE: I made a video demonstration of this as well. You can find it at the bottom of this post. Let me know what you think! Thanks.

Upon request, and as a sort of “continuation” of a prior post, “Using BGP communities to influence routing“, I’m going to demonstrate how to permit this to occur (and configure it!) from the service provider perspective.

Recall our topology:

For simplicity, I’m only going to deal with the configurations on R1 and R2 in this post (R3’s configuration is nearly identical to R2’s). Also, because I’m doing this on real gear in my lab at work and I’m currently at home, we’ll be using our FastEthernet 0/1 interfaces (instead of FastEthernet 0/0, as depicted in the diagram). IP addresses and such will remain the same.

Remember that R1 has four loopback interfaces (172.31.0.1/24, 172.31.1.1/24, 172.31.2.1/24, and 172.31.3.1/24). R1 and R2’s IP addresses are 172.16.12.1 and 172.16.12.2 (/24), respectively.

First, let’s go ahead and bring up R2’s FastEthernet 0/1 interface:

R2# conf t
R2(config)# interface fa0/1
R2(config-if)# ip address 172.16.12.2 255.255.255.0
R2(config-if)# no shutdown

Let’s configure the interfaces on R1:

R1# conf t
R1(config)# interface loopback 0
R1(config-if)# ip address 172.31.0.1 255.255.255.0
R1(config-if)# interface loopback 1
R1(config-if)# ip address 172.31.1.1 255.255.255.0
R1(config-if)# interface loopback 2
R1(config-if)# ip address 172.31.2.1 255.255.255.0
R1(config-if)# interface loopback 3
R1(config-if)# ip address 172.31.3.1 255.255.255.0
R1(config-if)# interface fa0/1
R1(config-if)# ip address 172.16.12.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# end

Make sure we have connectivity:

R1# ping 172.16.12.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Now we’ll work on setting up R2, the service provider router. Remember that we’re supporting two communities that our customers can send to us:

• 200: set local preference to 200
• 500: set local preference to 500

Any routes received without one of these communities will have the local preference set to 150 (this wasn’t in the previous post, but I’m adding it here so we can show off a few things later).

First, we’ll tell R2 that we want to display BGP communities in the “new” AA:NN format:

R2(config)# ip bgp-community new-format

We need to set up two “community lists”. These are what our route maps will match on:

R2(config)# ip community-list 1 permit 65001:200
R2(config)# ip community-list 2 permit 65001:500

Now we can configure our route-map. They should fairly self-explanatory:

R2(config)# route-map CUSTOMER_IN permit 10
R2(config-route-map)# match community 1
R2(config-route-map)# set local-preference 200
R2(config-route-map)# route-map CUSTOMER_IN permit 20
R2(config-route-map)# match community 2
R2(config-route-map)# set local-preference 500
R2(config-route-map)# route-map CUSTOMER_IN permit 30
R2(config-route-map)# set local-preference 150

Can you understand what those do? By this point, hopefully you can!

Let’s go ahead and configure R2’s BGP peering with R1 and apply the CUSTOMER_IN route map to the neighbor:

R2(config)# router bgp 65001
R2(config-router)# neighbor 172.16.12.1 remote-as 65065
R2(config-router)# neighbor 172.16.12.1 soft-reconfiguration inbound
R2(config-router)# neighbor 172.16.12.1 next-hop-self
R2(config-router)# neighbor 172.16.12.1 route-map CUSTOMER_IN in

At this point, we’re all set on the service provider (R2) side. All we need is for the BGP session to come up and R1 to start advertising routes to the service provider. Let’s configure R1 to also display BGP communities in the “new” AA:NN format:

R1(config)# ip bgp-community new-format

Now, before we go messing around with any route-maps on R1, let’s get the BGP session up first:

R1(config)# router bgp 65065
R1(config-router)# neighbor 172.16.12.2 remote-as 65001
R1(config-router)# neighbor 172.16.12.2 soft-reconfiguration inbound
R1(config-router)# neighbor 172.16.12.2 send-community

Verify that BGP is up and running:

R1# show ip bgp summary
BGP router identifier 172.31.3.1, local AS number 65065
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
172.16.12.2     4 65001       4       4        1    0    0 00:00:21        0

Now let’s go ahead and begin advertising our four (loopback) networks:

R1(config)# router bgp 65065
R1(config-router)# network 172.31.0.0 mask 255.255.255.0
R1(config-router)# network 172.31.1.0 mask 255.255.255.0
R1(config-router)# network 172.31.2.0 mask 255.255.255.0
R1(config-router)# network 172.31.3.0 mask 255.255.255.0

How do things look from the service provider (R2) side of things?

R2# show ip bgp
BGP table version is 5, local router ID is 172.16.12.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 172.31.0.0/24    172.16.12.1              0    150      0 65065 i
*> 172.31.1.0/24    172.16.12.1              0    150      0 65065 i
*> 172.31.2.0/24    172.16.12.1              0    150      0 65065 i
*> 172.31.3.0/24    172.16.12.1              0    150      0 65065 i

Well, there’s our routes. They are most definitely showing up. Notice that R2 has assigned them a local preference of 150 (the default is 100). This is because the routes did not have any communities associated with them, so they “fell through” the route-map on R2 and were “caught” by the last entry (”30″), which assigned them a local preference of 150.

Let’s set up two route maps on R1:

R1(config)# route-map LOCAL_PREF_200 permit 10
R1(config-route-map)# set community 65001:200
R1(config-route-map)# route-map LOCAL_PREF_500 permit 10
R1(config-route-map)# set community 65001:500

Can you figure out what those do? By assigning one of the two route maps here to our BGP adjacency with R2, we’re setting one of the community values that R2 supports.

Let’s apply the LOCALPREF200 route-map and clear our adjacency:

R1(config)# router bgp 65065
R1(config-router)# neighbor 172.16.12.2 route-map LOCAL_PREF_200 out
R1(config-router)# do clear ip bgp 172.16.12.2

Now what do we see on R2?

R2# show ip bgp | in 172.16.12.1
*> 172.31.0.0/24    172.16.12.1              0    200      0 65065 i
*> 172.31.1.0/24    172.16.12.1              0    200      0 65065 i
*> 172.31.2.0/24    172.16.12.1              0    200      0 65065 i
*> 172.31.3.0/24    172.16.12.1              0    200      0 65065 i

Aha! Now R2 has assigned a local preference value of 200 to our routes. Can you guess what will happen if we apply the LOCALPREF500 route-map on R1?

R1(config-router)# no neighbor 172.16.12.2 route-map LOCAL_PREF_200 out
R1(config-router)# neighbor 172.16.12.2 route-map LOCAL_PREF_500 out
R1(config-router)# do clear ip bgp 172.16.12.2

I bet you know what R2’s BGP table is going to look like now, don’t you!?

R2# show ip bgp | in 172.16.12.1
*> 172.31.0.0/24    172.16.12.1              0    500      0 65065 i
*> 172.31.1.0/24    172.16.12.1              0    500      0 65065 i
*> 172.31.2.0/24    172.16.12.1              0    500      0 65065 i
*> 172.31.3.0/24    172.16.12.1              0    500      0 65065 i

Bingo! R2 has now assigned a local preference value of 500 to our advertised routes! See how easy that is? Now go out there and change how your SP routes to you!

Note: If you found this useful, please do leave me a comment below and let me know. Also, if there are specific examples or “how to’s” you’re looking for, let me know that too. I’m always looking for good ideas for things to write about!

Previously I’ve covered using weight, local preference, and AS path prepending to influence routing between autonomous systems running BGP. Today we’ll look at one of the common methods for influencing routing, and that is BGP community values.

BGP communities are simply values attached to a route that is sent to BGP peers. This values have special meanings to the peers and cause specific actions to be taken, depending upon the values assigned. A customer who is multi-homed to a service provider can often use communities to tell the service provider how to route traffic to the customer autonomous system (AS).

For this example, let’s assume the following topology:

We are the customer (AS 65065) and R1 is our router. We are multi-homed to our service provider (AS 65001) with a 100 Mbit/s connection to R2 and a T-1 connection to R3. R2 and R3 are connected over a 100 Mbit/s connection as well.

Since the IP addresses being used are not illustrated in the diagram, here is a table with the IP addresses we are using:

ROUTER    INTERFACE    IP/MASK
--------------------------------------

R1        Fa0/0        172.16.12.1/24
          Se1/0        172.16.13.1/24
R2        Fa0/0        172.16.12.2/24
          Fa1/0        172.16.23.2/24
R3        Fa0/0        172.16.23.3/24
          Se1/0        172.16.13.3/24

In addition, our router (R1) has four loopback interfaces (Loopback0, Loopback1, Loopback2, and Loopback3) with the following IP addresses assigned, respectively: 172.31.0.1/24, 172.31.1.1/24, 172.31.2.1/24, and 172.31.3.1/24.

Okay, so let’s get our loopbacks configured and IP connectivity up between R1/R2 and R1/R3:

R1# conf t
R1(config)# interface loopback 0
R1(config-if)# ip address 172.31.0.1 255.255.255.0
R1(config-if)# interface loopback 1
R1(config-if)# ip address 172.31.1.1 255.255.255.0
R1(config-if)# interface loopback 2
R1(config-if)# ip address 172.31.2.1 255.255.255.0
R1(config-if)# interface loopback 3
R1(config-if)# ip address 172.31.3.1 255.255.255.0
R1(config-if)# interface fa0/0
R1(config-if)# ip address 172.16.12.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# interface se1/0
R1(config-if)# ip address 172.16.13.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# end

Let’s make sure we can ping both R2 and R3:

R1# ping 172.16.12.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/12/24 ms
R1# ping 172.16.13.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.13.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/12/20 ms

Alright, so far, so good. We have four networks that we want to advertise into BGP — the four /24 subnets assigned to our loopback interfaces. Before we do this, however, let’s take another look at our topology. Recall that we have connections into AS 65001: a 100 Mbit/s connection to 172.16.12.2 and a 1.544 Mbit/s connection to 172.16.13.3. Sure would be nice if we could tell AS 65001 to send our traffic over that 100 Mbit/s connection, wouldn’t it? Well, we can!

Our service provider, AS 65001, allows us to use the communities attribute of BGP to influence how they route our traffic. In this (simplified) example, there are three different communities we can use:

• 200: set local preference to 200
• 500: set local preference to 500

If we send routes to AS 65001 with a community of 65001:200, the SP’s routers will set the local preference on those routes to 200. If we send routes to AS 65001 with a community of 65001:500, the SP’s routers will set the local preference on those routes to 500. How handy is that?

Because of how the BGP best path selection algorithm works, we want our SP’s routers to assign a higher local preference to the routes it receives from us over that 100 Mbit/s connection, so we’ll send those routes with a community of 65001:500. Just for good measure, we’ll attach community 65001:200 to the routers we send to 172.16.13.3 over the T-1 connection as well.

Let’s go ahead and set up BGP, but don’t start advertising any routes just yet:

R1(config)# ip bgp-community new-format
R1(config)# router bgp 65065
R1(config-router)# neighbor 172.16.12.2 remote-as 65001
R1(config-router)# neighbor 172.16.12.2 next-hop-self
R1(config-router)# neighbor 172.16.12.2 send-community
R1(config-router)# neighbor 172.16.13.3 remote-as 65001
R1(config-router)# neighbor 172.16.13.3 next-hop-self
R1(config-router)# neighbor 172.16.13.3 send-community

We are all set to begin advertising our routes, with the appropriate communities attached. The next thing we need to do is create a pair of route maps. We’ll apply these route maps outbound to the BGP peers and these are what we will use to attach our communities to the routes:

R1(config)# route-map LOCAL_PREF_200 permit 10
R1(config-route-map)# set community 65001:200
R1(config-route-map)# route-map LOCAL_PREF_500 permit 10
R1(config-route-map)# set community 65001:500

Lookin’ good so far, right? Let’s apply those route map to our BGP peers:

R1(config)# router bgp 65065
R1(config-router)# neighbor 172.16.12.2 route-map LOCAL_PREF_500 out
R1(config-router)# neighbor 172.16.13.3 route-map LOCAL_PREF_200 out

That was easy enough. Now, let’s advertise those loopbacks:

R1(config-router)# network 172.31.0.0 mask 255.255.255.0
R1(config-router)# network 172.31.1.0 mask 255.255.255.0
R1(config-router)# network 172.31.2.0 mask 255.255.255.0
R1(config-router)# network 172.31.3.0 mask 255.255.255.0

Let’s take a look at how the SP sees our routes:

R2# sh ip bgp | in 65065
*> 172.31.0.0/24    172.16.12.1              0    500      0 65065 i
*> 172.31.1.0/24    172.16.12.1              0    500      0 65065 i
*> 172.31.2.0/24    172.16.12.1              0    500      0 65065 i
*> 172.31.3.0/24    172.16.12.1              0    500      0 65065 i

R3# sh ip bgp | in 65065
*>i172.31.0.0/24    172.16.23.2              0    500      0 65065 i
*                   172.16.13.1              0    200      0 65065 i
*>i172.31.1.0/24    172.16.23.2              0    500      0 65065 i
*                   172.16.13.1              0    200      0 65065 i
*>i172.31.2.0/24    172.16.23.2              0    500      0 65065 i
*                   172.16.13.1              0    200      0 65065 i
*>i172.31.3.0/24    172.16.23.2              0    500      0 65065 i
*                   172.16.13.1              0    200      0 65065 i

If we ping/traceroute from R3 to one of R1’s loopbacks, we should see that traffic first passes to R2 before being sent to R1 (which is our goal):

R3# ping 172.31.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.31.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/17/36 ms
R3# traceroute 172.31.0.1

Type escape sequence to abort.
Tracing the route to 172.31.0.1

  1 172.16.23.2 4 msec 12 msec 16 msec
  2 172.16.12.1 16 msec *  32 msec

Success!

From HP’s Advanced Traffic Management Guide:

“BPDU protection is a security feature designed to protect the active STP topology by preventing spoofed BPDU packets from entering the STP domain. In a typical implementation, BPDU protection would be applied to edge ports connected to end user devices that do not run STP. If STP BPDU packets are received on a protected port, the feature will disable that port and alert the network manager …”

In short, we want to enable BPDU protection on any “edge ports”, or ports that are connected to end user devices (PCs, printers, etc.) — any device that should not be sending out STP BPDU’s. Without BPDU protection, a malicious (or ignorant) user could plug a switch into our network and alter the spanning tree topology. That’s a bad thing.

With BPDU protection, we can a port automatically disabled if it receives an STP BPDU. Under normal circumstances, this should never happen. Enabling this feature does two things:

• helps protect your network, and
• keeps you, the network guy (or gal), informed about what is happening.

Let’s assume a user brings in their own switch from home. They unplug their PC from the wall, plug into their own switch, then plug their switch into the data jack in the wall. As soon as their switch sends out a BPDU, our switch will receive it and immediately disable the port. If you do not configure your switch to automatically re-enable the port after a specified period of time (I don’t), their data jack is effectively dead. It cannot be used again without the intervention of the network guy. When they can no longer work and must come to you for assistance, you’ll have a good idea of what they did and can promptly break their fingers educate them on why they should never do that.

On HP ProCurve switches, we enable BPDU protection with the “spanning-tree <port> bpdu-protection” command. You can do this individually per port (you can specify ranges) or do it like I do:

SWITCH(config)# spanning-tree all bpdu-protection

This, in my opinion, is the best way. This will enable BPDU protection on EVERY port. Then, you selectively disable it on your uplink ports:

SWITCH(config)# no spanning-tree a24 bpdu-protection

The default BPDU protection timeout is set to 0. This is the amount of time, in seconds, after which the switch will re-enable a port that has been disabled due to receiving an “illegal” BPDU. A value of 0 means “never”, and is the value that I prefer. This ensures that “network guy intervention” is required to break the user’s fingers re-enable the port.

Let’s take a look at what happens. In this example, I have BPDU protection enabled on port A2 (all ports except for A24, actually), as can be verified here:

SWITCH# sh spanning-tree bpdu-protection

 Status and Counters - STP Port(s) BPDU Protection Information

 BPDU Protection Timeout (sec) : 0                     
 BPDU Protected Ports : A1-A23,B1-B24,C1-C24,D1-D24,E1-E24,F1-F24,G1-G24,H1-H2...

So, having verified that BPDU protection is enabled on port A2, what happens when we plug another switch into that port? You obviously can’t see me plug in the cable, but here’s what we get in our logs:

SWITCH# sh logging
 Keys:   W=Warning   I=Information
         M=Major     D=Debug E=Error
----  Event Log listing: Events Since Boot  ----
I 03/12/09 00:02:41 00435 ports: port A2 is Blocked by STP
I 03/12/09 00:02:41 00840 stp: port A2 disabled - BPDU received on protected
            port.
I 03/12/09 00:02:41 00898 ports: BPDU protect(5) has disabled port A2 for 0
            seconds
I 03/12/09 00:02:41 00077 ports: port A2 is now off-line
----  Bottom of Log : Events Listed = 99  ----

Our switch will, when the port comes “up”, wait briefly and just listen. It will wait to see if it receives a BPDU (”Blocked by STP”) and, as soon as it does, notes this in the system log and immediately disables the port.

SWITCH# sh spanning-tree bpdu-protection a2

 Status and Counters - STP BPDU Protection Information

 BPDU Protection Timeout (sec) : 0                     
 BPDU Protected Ports : A1-A23,B1-B24,C1-C24,D1-D24,E1-E24,F1-F24,G1-G24,H1-H2..
.

  Port  Type      Protection State      Errant BPDUs
  ----- --------- ---------- ---------- ------------
  A2    100/1000T Yes        BpduError  1

The “sh spanning-tree bpdu-protection a2″ command shows us that port A2 is in “BpduError” state and has received a total of one “errant BPDUs”. Now, let’s assume we’ve unplugged the switch and plugged a PC back in. How do we get the port functional again? Easy:

SWITCH# conf
SWITCH(config)# interface a2
SWITCH(eth-A2)# enable
SWITCH(eth-A2)# end

That’s all there is to it! BPDU protection is simple to implement (assuming you know what connects where) and can add a bit of protection to your network. Turn it on!

At the end of my last article, “Using AS path prepending to influence inbound routing“, I mentioned:

“Notice anything weird there? Yeah, traffic from R6 is first going to R7, then to R9 over that T1 connection, NOT the much faster 100 Mbit/s connection! How can we change that? The next article will continue on from here and we’ll change the configuration of our routers in AS 67 to address that.”

We’re going to continue where we left off and create another route-map, this time to manipulate the local preference value assigned to routes received from one of our BGP neighbors. We want to do this so that the fastest connection out of our AS is the preferred one for outgoing traffic.

Here’s the topology we’re dealing with:

We want all outgoing traffic to exit our AS over the 100 Mbit/s connection between R7 and R8, assuming it is available.

The default local-preference, or “local pref”, value assigned to routes is 100. Let’s look at the BGP table on R7 and examine what paths we have received to get to 172.16.99.0/24 (R9):

R7# sh ip bgp | be Network
   Network          Next Hop            Metric LocPrf Weight Path
*>i172.16.66.0/24   172.31.67.6              0    100      0 i
*> 172.16.67.0/24   0.0.0.0                  0         32768 i
*> 172.16.88.0/24   172.31.78.8              0             0 88 i
*                   172.31.79.9                            0 99 88 i
* i                 172.31.67.6              0    100      0 88 i
*  172.16.99.0/24   172.31.78.8                            0 88 99 i
*>                  172.31.79.9              0             0 99

We can see that we have received a total of two routes to 172.16.99.0/24, one via R8 in AS 88 and the other from R9 in AS 99. Because the path directly to AS 99 is shorter than the path that traverses AS 88, it has been selected as the best path. Traffic destined to AS 99 will exit our AS over the (slow, in comparison) T-1 connection between R7 and R9. We want to change that and ensure that all traffic exits over our 100 Mbit/s connection into AS 88.

Easy as pie. Just like manipulating the AS Path, we’re going to create a simple route-map that takes care of this for us. The route map sets the local preference of received routes to 500 (remember, the default is 100) — higher local preference values win out. We’ll apply this route map to the BGP session between R7 and R8 and be done with it:

R7(config)# route-map LOCALPREF permit 10
R7(config-route-map)# set local-preference 500
R7(config-route-map)# router bgp 67
R7(config-router)# neighbor 172.31.78.8 route-map LOCALPREF in

Now we need to clear the inbound BGP session with R8. Fortunately, we used the “neighbor soft-reconfiguration inbound” command so we can do a route refresh without having to tear down the BGP session and bring it back up:

R7# clear ip bgp 172.31.78.8 soft in

Let’s look at R7’s BGP table now:

R7# sh ip bgp | be Network
   Network          Next Hop            Metric LocPrf Weight Path
*>i172.16.66.0/24   172.31.67.6              0    100      0 i
*> 172.16.67.0/24   0.0.0.0                  0         32768 i
*> 172.16.88.0/24   172.31.78.8              0    500      0 88 i
*                   172.31.79.9                            0 99 88 i
*> 172.16.99.0/24   172.31.78.8                   500      0 88 99 i
*                   172.31.79.9              0             0 99 i

Notice that the routes we have received from 172.31.78.8 now have a local preference value of 500 assigned to them. The preferred route to 172.16.99.0/24 is via 172.31.78.8 (R8 in AS 88), even though the AS Path is longer! How cool is that? If we run the same traceroute from R6 to R9 again, we’ll see that the traffic does, indeed, take this new, preferred path:

R6# traceroute 172.16.99.1 source 172.16.66.1

Type escape sequence to abort.
Tracing the route to 172.16.99.1

  1 172.31.67.7 8 msec 4 msec 4 msec
  2 172.31.78.8 4 msec 12 msec 8 msec
  3 172.31.89.9 4 msec *  28 msec

Success!

As you may remember, the BGP Best Path Algorithm decides how the best path to an autonomous system is selected. Probably the most common value that is used to determine the best path is the AS Path length. When two or more routes exist to reach a particular prefix the default in BGP is to prefer the route with the shortest AS Path length.

If we are a multi-homed customer of one or more service providers, we may prefer that incoming traffic take a particular path to reach our network. Perhaps we have two connections, but one costs only half as much as the other. Or, we may have one fast connection and another, much slower connection that we really only want to use a “backup” if our primary connection is down. Regardless of your reasons, AS path prepending is probably the easiest method that one can use to influence inbound routing to your autonomous system.

Consider the following topology:

In this example, we are AS 67. We are multi-homed to our service providers, AS 88 and AS 99, and have a T1 connection to each. AS 88 and AS 99 also peer directly with each other, and have a 100 Mbit/s connection between them. Because we have been experiencing growth, we have added a third connection, a 100 Mbit/s link between R7 and R8

Due to this huge increase in bandwidth, we would prefer that all (or, at least, the majority) of our incoming traffic come in over this much faster Ethernet connection. Since we have a connection directly to R9, however, this results in a very short AS Path in the BGP table to our prefixes. AS 99 will, by default, send any traffic for AS 67 over this 1.5 Mbit/s T1 connection.

How can we cause R9 to, instead, send any traffic destined to AS 67 over the 100 Mbit/s connection to AS 88? In addition, how can we cause AS 88 to send any traffic destined to AS 67 over the 100 Mbit/s connection to R7 in AS 67? Remember that BGP, unlike some other routing protocols (e.g. EIGRP), does not take bandwidth into consideration when deciding on the best path.

The answer is to use AS Path prepending. When using AS Path prepending, we artificially lengthen the AS Path that we advertise to a neighbor to make them think that the path much longer than it actually is.

I’ve included here the initial configurations for each of the routers to get us to the point where we have established connectivity between all routers. Instead of explaining all these configurations, however, I’ll be jumping straight to the good stuff. It is assumed that, if you are playing with AS Path prepending, you have the requisite knowledge for understand the initial configurations.

Since the IP addresses being used are not illustrated in the diagram, here is a table with the IP addresses we are using:

ROUTER    INTERFACE    IP/MASK
--------------------------------------

R6        Fa0/0        172.31.67.6/24
          Se1/0        172.31.68.6/24
R7        Fa0/0        172.31.67.7/24
          Fa0/1        172.31.78.7/24
          Se1/0        172.31.79.7/24
R8        Fa0/0        172.31.89.8/24
          Fa0/1        172.31.78.8/24
          Se1/0        172.31.68.8/24
R9        Fa0/0        172.31.89.9/24
          Se1/0        172.31.79.9/24

In addition, each router has a loopback address (with a /24 mask). These /24 networks are being advertised into BGP. The loopback addresses are what we’ll use for testing and verifying proper operation.

Okay, so now that we have basic connectivity, we can get down to the fun stuff. First, let’s get out iBGP adjacency between R6 and R7 up and running and start advertising our loopbacks:

R6(config)# router bgp 67
R6(config-router)# network 172.16.66.0 mask 255.255.255.0
R6(config-router)# neighbor 172.31.67.7 remote-as 67
R6(config-router)# neighbor 172.31.67.7 next-hop-self
R6(config-router)# neighbor 172.31.67.7 soft-reconfiguration inbound

R7(config)# router bgp 67
R7(config-router)# network 172.16.67.0 mask 255.255.255.0
R7(config-router)# neighbor 172.31.67.6 remote-as 67
R7(config-router)# neighbor 172.31.67.6 next-hop-self
R7(config-router)# neighbor 172.31.67.6 soft-reconfiguration inbound

Verification:

R6# sh ip bgp | be Network
   Network          Next Hop            Metric LocPrf Weight Path
*> 172.16.66.0/24   0.0.0.0                  0         32768 i
*>i172.16.67.0/24   172.31.67.7              0    100      0 i

R7# sh ip bgp | be Network
   Network          Next Hop            Metric LocPrf Weight Path
*>i172.16.66.0/24   172.31.67.6              0    100      0 i
*> 172.16.67.0/24   0.0.0.0                  0         32768 i

Let’s go ahead and get the eBGP adjacency between R8 and R9 in place:

R8(config)# router bgp 88
R8(config-router)# network 172.16.88.0 mask 255.255.255.0
R8(config-router)# neighbor 172.31.89.9 remote-as 99
R8(config-router)# neighbor 172.31.89.9 soft-reconfiguration inbound

R9(config)# router bgp 99
R9(config-router)# network 172.16.99.0 mask 255.255.255.0
R9(config-router)# neighbor 172.31.89.8 remote-as 88
R9(config-router)# neighbor 172.31.89.8 soft-reconfiguration inbound

Now, let’s establish eBGP between R6 and R8 over the T1 connection:

R6(config)# router bgp 67
R6(config-router)# neighbor 172.31.68.8 remote-as 88
R6(config-router)# neighbor 172.31.68.8 soft-reconfiguration inbound

R8(config)# router bgp 88
R8(config-router)# neighbor 172.31.68.6 remote-as 67
R8(config-router)# neighbor 172.31.68.6 soft-reconfiguration inbound

At this point, if we take a look at R9’s BGP tables, we can see that it now has routes for all of the loopback networks:

R9# sh ip bgp | be Network
   Network          Next Hop            Metric LocPrf Weight Path
*> 172.16.66.0/24   172.31.89.8                            0 88 67 i
*> 172.16.67.0/24   172.31.89.8                            0 88 67 i
*> 172.16.88.0/24   172.31.89.8              0             0 88 i
*> 172.16.99.0/24   0.0.0.0                  0         32768 i

We can verify that we have connectivity between R6 and R9. First, we’ll ping, then a traceroute:

R9# ping 172.16.67.1 source 172.16.99.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.67.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.99.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/12/20 ms
R9# traceroute 172.16.67.1 source 172.16.99.1

Type escape sequence to abort.
Tracing the route to 172.16.67.1

  1 172.31.89.8 4 msec 4 msec 4 msec
  2 172.31.68.6 8 msec 8 msec 12 msec
  3 172.31.67.7 4 msec *  20 msec

Make a note of how the 172.16.66.0/24 and 172.16.67.0/24 networks appear in R9’s BGP table, specifically, the AS Path (we’ll be coming back to that shortly):

R9# sh ip bgp | in 172.16.6
*> 172.16.66.0/24   172.31.89.8                            0 88 67 i
*> 172.16.67.0/24   172.31.89.8                            0 88 67 i

In order for R9 to reach R7, it must pass traffic off to R8 (in AS 88). R8 then passes the traffic to R6 (in AS 67) and R6 will deliver it on to R7. Let’s bring up BGP over the T1 between R7 and R9 and see what happens:

R7(config)# router bgp 67
R7(config-router)# neighbor 172.31.79.9 remote-as 99
R7(config-router)# neighbor 172.31.79.9 soft-reconfiguration inbound

R9(config)# router bgp 99
R9(config-router)# neighbor 172.31.79.7 remote-as 67
R9(config-router)# neighbor 172.31.79.7 soft-reconfiguration inbound

Now’s let look at the same routes (172.16.66.0/24 and 172.16.67.0/24) in R9’s BGP table:

R9# sh ip bgp | in 172.16.6
*> 172.16.66.0/24   172.31.79.7                            0 67 i
*> 172.16.67.0/24   172.31.79.7              0             0 67 i

Notice the difference in the AS Path? Previously, the best (albeit, only) path R9 had to get to the 172.16.66.0/24 and 172.16.67.0/24 networks was through AS 88. Now there is a direct connection between AS 67 and AS 99 and this new path is shorter (direct, as opposed to traversing AS 88). Because the new path is shorter, it has been identified as the best path. Let’s run that traceroute again and see the difference:

R9# traceroute 172.16.67.1 source 172.16.99.1

Type escape sequence to abort.
Tracing the route to 172.16.67.1

  1 172.31.79.7 4 msec *  28 msec

Now, let’s bring up BGP on the 100 Mbit/s connection between R7 and R8:

R7(config)# router bgp 67
R7(config-router)# neighbor 172.31.78.8 remote-as 88
R7(config-router)# neighbor 172.31.78.8 soft-reconfiguration inbound

R8(config)# router bgp 88
R8(config-router)# neighbor 172.31.78.7 remote-as 67
R8(config-router)# neighbor 172.31.78.7 soft-reconfiguration inbound

All of our BGP adjacencies are up at this point, and traffic is flowing normally. Now it’s time to start making it flow the way we want! Let’s take a look at R8’s BGP table, since it is receiving routes over three connections:

R8# sh ip bgp | be Network
   Network          Next Hop            Metric LocPrf Weight Path
*  172.16.66.0/24   172.31.78.7                            0 67 i
*                   172.31.89.9                            0 99 67 i
*>                  172.31.68.6              0             0 67 i
*  172.16.67.0/24   172.31.78.7              0             0 67 i
*                   172.31.89.9                            0 99 67 i
*>                  172.31.68.6                            0 67 i
*> 172.16.88.0/24   0.0.0.0                  0         32768 i
*  172.16.99.0/24   172.31.78.7                            0 67 99 i
*                   172.31.68.6                            0 67 99 i
*>                  172.31.89.9              0             0 99 i

Note that AS 88 has two direct paths to AS 67’s advertised networks (172.16.66.0/24 and 172.16.67.0/24). This is evidenced by the AS Path’s for these two routes (”67 i”). AS 88 has picked the path with a next hop of 172.31.68.6, however. Recall that this is the direct T1 connection between R6 and R8. Why did it choose this path instead of the faster (100 Mbit/s) path?

Earlier I stated “…BGP, unlike some other routing protocols (e.g. EIGRP), does not take bandwidth into consideration when deciding on the best path.” Since the two paths are of the same length, R8 continues its way through the “Best Path Selection Algorithm” and eventually chooses the path that was received first. As we were configuring our BGP sessions earlier, we brought up the T1 connection first. AS 88, therefore, received the path from R6 before it did R7. We could bypass this by bringing up the 100 Mbit/s connection first, however this is not always under our control (think about when a router reloads — which connection will come up first? We really don’t know.)

Our best method, then, to influence the routing of traffic coming into our AS (and, indeed, the whole point of this article) is to manipulate the AS Path that we advertise to BGP neighbors. By causing AS 88 to think that the path to AS 67 over the T1 connection is much longer, we can get it to select the path via the 100 Mbit/s connection. We’ll also need to do the same thing to R9 in AS 99. Remember, we want AS 88 to send us traffic over that 100 Mbit/s connection, and we want AS 99 to send us traffic via AS 88.

This is much easier to configure than it might sound. We’ll use a route-map applied to (certain) outbound BGP sessions from AS 67 to do this for us. We’ll create a route-map named “PREPEND” on both R6 and R7 that will prepend our AS number twice to outgoing route advertisements, then apply it to the BGP sessions over the T1 connections (R6 to R8 and R7 to R9):

R6(config)# route-map PREPEND permit 10
R6(config-route-map)# set as-path prepend 67 67
R6(config-route-map)# router bgp 67
R6(config-router)# neighbor 172.31.68.8 route-map PREPEND out

R7(config)# route-map PREPEND permit 10
R7(config-route-map)# set as-path prepend 67 67
R7(config-route-map)# router bgp 67
R7(config-router)# neighbor 172.31.79.9 route-map PREPEND out

That’s all there is to it! Let’s examine R8’s BGP table now:

R8# sh ip bgp | be Network
   Network          Next Hop            Metric LocPrf Weight Path
*> 172.16.66.0/24   172.31.78.7                            0 67 i
*                   172.31.68.6              0             0 67 67 67 i
*> 172.16.67.0/24   172.31.78.7              0             0 67 i
*                   172.31.68.6                            0 67 67 67 i
*> 172.16.88.0/24   0.0.0.0                  0         32768 i
*  172.16.99.0/24   172.31.78.7                            0 67 99 i
*                   172.31.68.6                            0 67 67 67 99 i
*>                  172.31.89.9              0             0 99 i

Look at the paths for 172.16.66.0/24 and 172.16.67.0/24. Note that the path received from 172.31.68.6 is much longer than the path received from 172.31.78.7. There are three AS numbers in the routes received from 172.31.68.6, even though it is the same AS number. Because this path is now much longer, the shorter path via 172.31.78.7 (our 100 Mbit/s connection) will now be the preferred way to get there.

Let’s see how R9 was affected by all of this:

R9# sh ip bgp | be Network
   Network          Next Hop            Metric LocPrf Weight Path
*  172.16.66.0/24   172.31.79.7                            0 67 67 67 i
*>                  172.31.89.8                            0 88 67 i
*  172.16.67.0/24   172.31.79.7              0             0 67 67 67 i
*>                  172.31.89.8                            0 88 67 i
*  172.16.88.0/24   172.31.79.7                            0 67 67 67 88 i
*>                  172.31.89.8              0             0 88 i
*> 172.16.99.0/24   0.0.0.0                  0         32768 i

We can see that R9 has received updated routing information as well, evidenced by the paths that are prepended. Now, instead of preferring the direct T1 connection into AS 67, R9 will send any traffic destined for AS 67 to 172.31.89.8 in AS 88. We already know from looking at R8’s BGP table that it will pass the traffic on to AS 67 over the 100 Mbit/s link. Let’s run traceroutes from R9 to verify:

R9# traceroute 172.16.66.1 source 172.16.99.1

Type escape sequence to abort.
Tracing the route to 172.16.66.1

  1 172.31.89.8 4 msec 8 msec 8 msec
  2 172.31.78.7 4 msec 8 msec 8 msec
  3 172.31.67.6 12 msec *  36 msec
R9# traceroute 172.16.67.1 source 172.16.99.1

Type escape sequence to abort.
Tracing the route to 172.16.67.1

  1 172.31.89.8 4 msec 4 msec 8 msec
  2 172.31.78.7 4 msec *  36 msec

This shows us that traffic is behaving exactly as we intended. The first hop after leaving R9 is 172.31.89.8 (R8). It leaves R8 over the 100 Mbit/s connection arrives at 172.31.78.7 (R7). From there it is sent over R7’s 100 Mbit/s connection to R6 (172.31.67.6).

Success! Our job here is done!

Note: One thing that isn’t apparent from this exercise is the path that traffic from R6 (in AS 67) takes to get to R9 (in AS 99). To illustrate, let’s take a look at a traceroute from R6’s loopback to R9’s loopback:

R6# traceroute 172.16.99.1 source 172.16.66.1

Type escape sequence to abort.
Tracing the route to 172.16.99.1

  1 172.31.67.7 4 msec 4 msec 8 msec
  2 172.31.79.9 8 msec *  48 msec

Notice anything weird there? Yeah, traffic from R6 is first going to R7, then to R9 over that T1 connection, NOT the much faster 100 Mbit/s connection! How can we change that? The next article will continue on from here and we’ll change the configuration of our routers in AS 67 to address that.