BGP with Policy-Based Routing

In this scenario, you configure EBGP using the next hop addresses and use policy- based routing to allow certain network design policies to affect IP routing decisions.

Policy-based routing is used for the following main reasons:

• To control traffic flow direction either by source or destination address

• To change the next hop address

• To change the way traffic is sent to a neighboring router

The advantages of using policy routing is the ability to load share to provide high- quality service and cost saving, based on data traffic, for expensive links.

Figure 6-4 displays the same two-router network used in Scenario 6-3, except this time you configure two EBGP sessions between R1 and R2 and use BGP to route dynamically without static routing.

Figure 6-4. Two-EBGP Session Topology

Configure two EBGP TCP sessions between R1 and R2. Example 6-46 displays the EBGP configuration on R1. (Notice, you don't need EBGP multihop because you are using a directly connected peer.)

Example 6-46 EBGP on R1

R1(config)#router bgp 1

R1(config-router)#network 131.108.1.0 mask 255.255.255.0 R1(config-router)#neighbor 131.108.255.2 remote-as 2 R1(config-router)#neighbor 131.108.255.6 remote-as 2

Example 6-47 displays the two EBGP sessions configured on R2.

Example 6-47 EBGP on R2

R2(config)#router bgp 2

R2(config-router)#network 161.108.1.0 mask 255.255.255.0 R2(config-router)#neighbor 131.108.255.1 remote-as 1 R2(config-router)#neighbor 131.108.255.5 remote-as 1

Example 6-48 displays the IP BGP table on R1 after the two BGP sessions are established.

Example 6-48 BGP Table on R1

R1#show ip bgp

BGP table version is 3, local router ID is 131.108.255.5

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal

Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path

*> 131.108.1.0/24 0.0.0.0 0 32768 i

* 161.108.1.0/24 131.108.255.6 0 0 2 i

*> 131.108.255.2 0 0 2 i

Example 6-48 displays R1 choosing the path through the next hop address.

131.108.255.2. to reach the remote network 161.108.1.0/24 because BGP does not load balance as you discovered in Scenario 6-2. The path is chosen through

131.108.255.2 because of its lower IP addresses; all other parameters that BGP bases decisions on are equal in this case. Assume that all traffic from the Ethernet segment on R1 bound for 161.108.1.0 must be sent through the next hop address 131.108.255.6, or Serial 1/1, and all traffic destined for the Internet is sent through Serial 1/0.

You can force BGP to complete this task by using policy-based routing or changing BGP attributes. But, suppose you want to send internal traffic through one path and all Internet traffic through the second link. Next, you learn to configure policy-based routing to illustrate how you can use route maps to achieve this.

To illustrate policy-based routing, configure R1 to choose a different next hop address for IP ICMP packets destined for the remote network 161.108.1.0 (Serial 1/1) than for all other destinations (for example, Internet-based traffic), which will be through the second link (Serial 1/0).

Policy routing is based on incoming packets only, so you need to apply the policy command on the Ethernet interface on R1.

First, configure R2 to advertise a default route to R1.

Example 6-49 displays the configuration on R2 so that it sends a default BGP route to R1. Two default statements are configured for redundancy purposes.

Example 6-49 Default Route Configuration on R2

R2(config)#router bgp 2

R2(config-router)#neighbor 131.108.255.1 default-originate R2(config-router)#neighbor 131.108.255.5 default-originate

Example 6-50 displays the BGP default route in R1's BGP table.

Example 6-50 show ip bgp Command on R1

R1>show ip bgp

BGP table version is 4, local router ID is 131.108.255.5

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal

Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path

* 0.0.0.0 131.108.255.6 0 2 i

*> 131.108.255.2 0 2 i

*> 131.108.1.0/24 0.0.0.0 0 32768 i

* 161.108.1.0/24 131.108.255.6 0 0 2 i

*> 131.108.255.2 0 0 2 i

Example 6-50 tells you that R1 is choosing all traffic through the next hop address 131.108.255.2. Example 6-51 confirms this when you view the IP routing table on R1.

Example 6-51 show ip route Command on R1

R1>show ip route

Gateway of last resort is 131.108.255.2 to network 0.0.0.0 131.108.0.0/16 is variably subnetted, 3 subnets, 2 masks C 131.108.255.0/30 is directly connected, Serial1/0 C 131.108.255.4/30 is directly connected, Serial1/1 C 131.108.1.0/24 is directly connected, Ethernet0/0 161.108.0.0/24 is subnetted, 1 subnets

B 161.108.1.0 [20/0] via 131.108.255.2, 00:23:11 B* 0.0.0.0/0 [20/0] via 131.108.255.2, 00:13:58

Policy routing needs to be configured on R1 to ensure that IP ICMP packets destined for the remote network 161.108.1.0/24 are sent through the next hop address 131.108.255.6 and all other traffic is sent through 131.108.1.1 (Serial 1/0 to R2).

To configure policy routing, you apply the policy statement on the outbound interface and reference a route map. The IOS command is ip policy route-map route-map-name.

Example 6-52 displays the policy routing interface configuration on R1. The route map name is an arbitrary name you can assign. This exa mple assigns a route map called nondefault.

Example 6-52 Policy Configuration on R1

R1(config)#interface E0/0 R1(config-if)#ip policy route

R1(config-if)#ip policy route-map ? WORD Route map name

R1(config-if)#ip policy route-map nondefault

Next, you must set the conditions on R1 so that policy routing can occur. Example 6- 53 sets all IP ICMP traffic from the Ethernet segment on R1 destined for

161.108.1.0/24 through Serial 1/1 (next hop address 131.108.255.6) and all default traffic through Serial 1/0 (next hop address 131.108.255.1). Remember that BGP, as displayed in Example 6-50, is sending all traffic through Serial 1/0 on R1. Example 6- 52 uses the ? tool to illustrate the options available to you.

Example 6-53 Route Map Configuration on R1

route-map default permit 10 match ip address 100

set ip next-hop 131.108.255.6

access-list 100 permit icmp 131.108.1.0 0.0.0.255 161.108.1.0 0.0.0.255 The route map on R1 policy routes any IP ICMP packets with a source address in the range 131.108.1.1–131.108.1.255 through the next hop address 131.108.255.6.

Unfortunately, you cannot verify policy routing with the IP routing table. Example 6- 54 displays R1's IP routing table.

Example 6-54 show ip route on R1

R1#show ip route

131.108.0.0/16 is variably subnetted, 3 subnets, 2 masks C 131.108.255.0/30 is directly connected, Serial1/0 C 131.108.255.4/30 is directly connected, Serial1/1 C 131.108.1.0/24 is directly connected, Ethernet0/0 161.108.0.0/24 is subnetted, 1 subnets

B 161.108.1.0 [20/0] via 131.108.255.2, 00:22:52 B* 0.0.0.0/0 [20/0] via 131.108.255.2, 00:22:52

Example 6-54 stills displays that all remote networks are routed through 131.108.255.2, or Serial 1/0.

An extended ping request along with a debug ip policy on R1 displays any policy routing.

Example 6-55 displays an extended ping using the source address 131.108.1.1 (R1's Ethernet interface) to the remote network 161.108.1.0/4.

Example 6-55 Extended Ping on R1

R1#debug ip policy

Policy routing debugging is on R1#ping

Protocol [ip]:

Target IP address: 161.108.1.1 Repeat count [5]:

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]: y

Source address or interface: 131.108.1.1 Type of service [0]:

Set DF bit in IP header? [no]:

Validate reply data? [no]:

Data pattern [0xABCD]:

Loose, Strict, Record, Timestamp, Verbose[none]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 161.108.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/18/20 ms 00:26:57: IP: s=131.108.1.1 (local), d=161.108.1.1, len 100, policy match

00:26:57: IP: route map default, item 10, permit

00:26:57: IP: s=131.108.1.1 (local), d=161.108.1.1 (Serial1/1), len 100, policy

routed

00:26:57: IP: local to Serial1/1 131.108.255.6

00:26:57: IP: s=131.108.1.1 (local), d=161.108.1.1, len 100, policy match

00:26:57: IP: route map default, item 10, permit

00:26:57: IP: s=131.108.1.1 (local), d=161.108.1.1 (Serial1/1), len 100, policy

routed

00:26:57: IP: local to Serial1/1 131.108.255.6

00:26:57: IP: s=131.108.1.1 (local), d=161.108.1.1, len 100, policy match

00:26:57: IP: route map default, item 10, permit

00:26:57: IP: s=131.108.1.1 (local), d=161.108.1.1 (Serial1/1), len 100, policy

routed

00:26:57: IP: local to Serial1/1 131.108.255.6

00:26:57: IP: s=131.108.1.1 (local), d=161.108.1.1, len 100, policy match

00:26:57: IP: route map default, item 10, permit

00:26:57: IP: s=131.108.1.1 (local), d=161.108.1.1 (Serial1/1), len 100, policy

routed

00:26:57: IP: local to Serial1/1 131.108.255.6

00:26:57: IP: s=131.108.1.1 (local), d=161.108.1.1, len 100, policy match

00:26:57: IP: route map default, item 10, permit

00:26:57: IP: s=131.108.1.1 (local), d=161.108.1.1 (Serial1/1), len 100, policy

routed

00:26:57: IP: local to Serial1/1 131.108.255.6

Example 6-55 displays the five ping requests successfully policy routed through Serial 1/1, or the next hop address 131.108.255.6.

Example 6-56 displays a ping request to the unknown network 141.108.1.1 on R1 and the subsequent policy debug output.

Example 6-56 ping 141.108.1.1 on R1

R1#ping 141.108.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 141.108.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/16/20 ms 00:30:35: IP: s=131.108.255.1 (local), d=141.108.1.1, len 100, policy rejected -

- normal forwarding

00:30:35: IP: s=131.108.255.1 (local), d=141.108.1.1, len 100, policy rejected -

- normal forwarding

00:30:35: IP: s=131.108.255.1 (local), d=141.108.1.1, len 100, policy rejected -

- normal forwarding

00:30:35: IP: s=131.108.255.1 (local), d=141.108.1.1, len 100, policy rejected -

- normal forwarding

00:30:35: IP: s=131.108.255.1 (local), d=141.108.1.1, len 100, policy rejected -

- normal forwarding

00:30:37: IP: s=131.108.255.1 (local), d=131.108.255.2, len 59, policy rejected

-- normal forwarding

00:30:39: IP: s=131.108.255.5 (local), d=131.108.255.6, len 59, policy rejected

-- normal forwarding

R1 sends all packets to an unknown destination through normal forwarding through Serial 1/0. The debug output in Example 6-56 displays a nonmatching policy; hence, the IP datagram is forwarded through the normal outbound interface.

This simple scenario demonstrates the powerful use of policy-based routing on

source and destination addresses. With the use of extended access lists, you can also base routing on port numbers. For example, you can do this if you want Telnet sessions to go through one interface or another.

Configure R1 to send all Telnet traffic originated from the network 131.108.1.0/24 through the next hop interface 131.108.255.6.

Example 6-57 displays the access-list configuration to allow Telnet sessions through Serial 1/1.

Example 6-57 Allowing Telnet to Be Policy Routed on R1

access-list 100 permit tcp 131.108.1.0 0.0.0.255 161.108.1.0 0.0.0.255 eq telnet

Example 6-58 Sample debug ip policy Output on R1

R1#debug ip policy

Policy routing debugging is on

R1#telnet 161.108.1.1 /source-interface ethernet 0/0 Trying 161.108.1.1 ... Open

R2>

01:04:00: IP: s=131.108.1.1 (local), d=161.108.1.1, len 44, policy match

01:04:00: IP: route map default, item 10, permit

01:04:00: IP: s=131.108.1.1 (local), d=161.108.1.1 (Serial1/1), len 44, policy

routed