Re: [c-nsp] separation of transit, peerings and this-AS traffic (long)
Hi, On Sun, Sep 14, 2008 at 11:48:45PM +0200, Tomas Hlavacek wrote: The point is how to make packets traveling from upstreams of AS1 to AS2 not to take path via IX, but via direct Ethernet connection while traffic originating in AS1 and traffic from AS3 traveling trough AS1 take path via IX? I'd actually just not peer with AS2, then... don't peer with customers. (Yes, this is not exactly what you wanted to hear - but everything else that I could think of sounds horribly complicated, prone to fail, or likely to burn lots of router memory for dubious gains). If only AS3 and AS2 are involved, maybe a direct peering AS2-AS3 could be arranged, to achieve the goal of traffic from AS3 reaching AS2 without paying for uplink costs? gert -- Gert Doering Mobile communications ... right now writing from * Sardegna, Italy * ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] separation of transit, peerings and this-AS traffic (long)
Greetings! I am thinking about a scenario, which is maybe quite common, but I do not know how to make that work. Say that an AS1 is receiving full BGP table from multiple upstreams, for example AS100 and AS200. AS1 has a customer, say AS2. There is one Ethernet physical connection between border routers of AS1 and AS2. AS2 is paying to AS1 for upstream and receives full BGP feed. AS1 has another customer AS3, paying for upstream also. Besides that AS1 and AS2 has a peering via some IX. AS2 is stub, so it is announcing only prefixes with as-path ^2$. AS1 is announcing ^1$ and ^1 3$ prefixes to its peers in the IX. AS1 preferres paths via IX by local-preferrence. The point is how to make packets traveling from upstreams of AS1 to AS2 not to take path via IX, but via direct Ethernet connection while traffic originating in AS1 and traffic from AS3 traveling trough AS1 take path via IX? I have two ideas: 1) policy based routing, bind some route-map to AS1's upstream-facing interfaces and set ip next-hop or set interface... But it does not scale well of course. 2) put transit neighbors (upstream and customers also) into vrf, for example: ip vrf transit rd 1:100 export map EXPORT_ALL import map IMPORT_ALL ! router bgp 1 network 1.1.1.0 mask 255.255.255.0 neighbor 2.2.2.1 remote-as 2 neighbor 2.2.2.1 route-map SET_IX_LOCPREF in neighbor 2.2.2.1 filter-list 1 ! address-family ipv4 vrf transit neighbor 1.1.0.1 remote-as 100 neighbor 1.1.0.1 route-map SET_TRANSIT_LOCPREF in neighbor 1.1.0.1 description UPSTREAM1 neighbor 1.1.0.2 remote-as 200 neighbor 1.1.0.2 route-map SET_TRANSIT_LOCPREF in neighbor 1.1.0.2 description UPSTREAM2 neighbor 2.2.2.2 remote-as 2 neighbor 2.2.2.2 route-map SET_TRANSIT_LOCPREF in neighbor 2.2.2.2 description CUSTOMER AS2 neighbor 3.3.3.1 remote-as 3 neighbor 3.3.3.1 route-map SET_TRANSIT_LOCPREF in neighbor 3.3.3.1 description CUSTOMER AS3 ! ! route-map SET_IX_LOCPREF permit 10 set local-preference 200 ! route-map SET_TRANSIT_LOCPREF permit 10 set local-preference 100 ! route-map EXPORT_ALL permit 10 ! route-map IMPORT_ALL permit 10 ! I spent few hours in lab experimenting with this configuration. I am using old Cisco 1600, so there is possibility that issues I had could come from some bug in this EoL platform... For reference, I used IOS (tm) 1600 Software (C1600-SY-M), Version 12.2(37) RELEASE SOFTWARE (fc1) for experiments. Problems: 1) routes in vrf transit are learned to into vrf routing table and are announced in both directions from AS100 to AS2 and AS3 and vice-versa, as expected. But routes from vrf transit are not exported into global routing table nor imported from global into vrf. I tried everything (I put some prefix- or access-list to match ip address clause in IMPORT_ALL and EXPORT_ALL maps,...), but nothing appeared in the global table. It should be some misconfiguration over there but I do not see that. Any help would be appreciated. 2) Let's assume that the import and export works, so I have all transit routes in my global table and route 1.1.1.0/24 inside vrf transit (this is a route originated in AS2). Those routes are therefore in fact duplicated... Is there any mechanism or chance to overcome that? Something like default route in global table pointing into transit VRF and triggering one extra routing decission inside VRF? Or is the duplication somehow optimized and it won't be any problem even for full BGP table? (O course I mean full table on real routers... 7200 or 7600.) Is there any best-practice or common approach to that? Maybe something completly different which I am not aware of? Tomas -- Tomáš Hlaváček [EMAIL PROTECTED] ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] separation of transit, peerings and this-AS traffic (long)
my apologies, i seem to have read through your original to quickly 2008/9/14 Tomas Hlavacek [EMAIL PROTECTED]: Hello Christian, thanks for reply! Maybe I do not see some obvious solution with MED... The point is, that I need to route traffic from all of my upstreams to my customer AS2 via one path and any other traffic from my AS or from my other customers via another path facing AS2 too. So the problem is not which of two routes with the same prefix and different next-hops should be installed into routing table - that is, what the MED solves, AFAIK. The problem is how to use concurrently on a one single box two routes with the same prefix and different next-hops and select which of routes is to be used based on where the traffic comes from (not src IP address but interface). Tomas Christian Koch wrote: use meds On Sun, Sep 14, 2008 at 5:48 PM, Tomas Hlavacek [EMAIL PROTECTED] wrote: Greetings! I am thinking about a scenario, which is maybe quite common, but I do not know how to make that work. Say that an AS1 is receiving full BGP table from multiple upstreams, for example AS100 and AS200. AS1 has a customer, say AS2. There is one Ethernet physical connection between border routers of AS1 and AS2. AS2 is paying to AS1 for upstream and receives full BGP feed. AS1 has another customer AS3, paying for upstream also. Besides that AS1 and AS2 has a peering via some IX. AS2 is stub, so it is announcing only prefixes with as-path ^2$. AS1 is announcing ^1$ and ^1 3$ prefixes to its peers in the IX. AS1 preferres paths via IX by local-preferrence. The point is how to make packets traveling from upstreams of AS1 to AS2 not to take path via IX, but via direct Ethernet connection while traffic originating in AS1 and traffic from AS3 traveling trough AS1 take path via IX? I have two ideas: 1) policy based routing, bind some route-map to AS1's upstream-facing interfaces and set ip next-hop or set interface... But it does not scale well of course. 2) put transit neighbors (upstream and customers also) into vrf, for example: ip vrf transit rd 1:100 export map EXPORT_ALL import map IMPORT_ALL ! router bgp 1 network 1.1.1.0 mask 255.255.255.0 neighbor 2.2.2.1 remote-as 2 neighbor 2.2.2.1 route-map SET_IX_LOCPREF in neighbor 2.2.2.1 filter-list 1 ! address-family ipv4 vrf transit neighbor 1.1.0.1 remote-as 100 neighbor 1.1.0.1 route-map SET_TRANSIT_LOCPREF in neighbor 1.1.0.1 description UPSTREAM1 neighbor 1.1.0.2 remote-as 200 neighbor 1.1.0.2 route-map SET_TRANSIT_LOCPREF in neighbor 1.1.0.2 description UPSTREAM2 neighbor 2.2.2.2 remote-as 2 neighbor 2.2.2.2 route-map SET_TRANSIT_LOCPREF in neighbor 2.2.2.2 description CUSTOMER AS2 neighbor 3.3.3.1 remote-as 3 neighbor 3.3.3.1 route-map SET_TRANSIT_LOCPREF in neighbor 3.3.3.1 description CUSTOMER AS3 ! ! route-map SET_IX_LOCPREF permit 10 set local-preference 200 ! route-map SET_TRANSIT_LOCPREF permit 10 set local-preference 100 ! route-map EXPORT_ALL permit 10 ! route-map IMPORT_ALL permit 10 ! I spent few hours in lab experimenting with this configuration. I am using old Cisco 1600, so there is possibility that issues I had could come from some bug in this EoL platform... For reference, I used IOS (tm) 1600 Software (C1600-SY-M), Version 12.2(37) RELEASE SOFTWARE (fc1) for experiments. Problems: 1) routes in vrf transit are learned to into vrf routing table and are announced in both directions from AS100 to AS2 and AS3 and vice-versa, as expected. But routes from vrf transit are not exported into global routing table nor imported from global into vrf. I tried everything (I put some prefix- or access-list to match ip address clause in IMPORT_ALL and EXPORT_ALL maps,...), but nothing appeared in the global table. It should be some misconfiguration over there but I do not see that. Any help would be appreciated. 2) Let's assume that the import and export works, so I have all transit routes in my global table and route 1.1.1.0/24 inside vrf transit (this is a route originated in AS2). Those routes are therefore in fact duplicated... Is there any mechanism or chance to overcome that? Something like default route in global table pointing into transit VRF and triggering one extra routing decission inside VRF? Or is the duplication somehow optimized and it won't be any problem even for full BGP table? (O course I mean full table on real routers... 7200 or 7600.) Is there any best-practice or common approach to that? Maybe something completly different which I am not aware of? Tomas -- Tomáš Hlaváček [EMAIL PROTECTED] ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ -- Tomáš Hlaváček [EMAIL PROTECTED] ___ cisco-nsp mailing list
Re: [c-nsp] separation of transit, peerings and this-AS traffic (long)
Hello Christian, thanks for reply! Maybe I do not see some obvious solution with MED... The point is, that I need to route traffic from all of my upstreams to my customer AS2 via one path and any other traffic from my AS or from my other customers via another path facing AS2 too. So the problem is not which of two routes with the same prefix and different next-hops should be installed into routing table - that is, what the MED solves, AFAIK. The problem is how to use concurrently on a one single box two routes with the same prefix and different next-hops and select which of routes is to be used based on where the traffic comes from (not src IP address but interface). Tomas Christian Koch wrote: use meds On Sun, Sep 14, 2008 at 5:48 PM, Tomas Hlavacek [EMAIL PROTECTED] wrote: Greetings! I am thinking about a scenario, which is maybe quite common, but I do not know how to make that work. Say that an AS1 is receiving full BGP table from multiple upstreams, for example AS100 and AS200. AS1 has a customer, say AS2. There is one Ethernet physical connection between border routers of AS1 and AS2. AS2 is paying to AS1 for upstream and receives full BGP feed. AS1 has another customer AS3, paying for upstream also. Besides that AS1 and AS2 has a peering via some IX. AS2 is stub, so it is announcing only prefixes with as-path ^2$. AS1 is announcing ^1$ and ^1 3$ prefixes to its peers in the IX. AS1 preferres paths via IX by local-preferrence. The point is how to make packets traveling from upstreams of AS1 to AS2 not to take path via IX, but via direct Ethernet connection while traffic originating in AS1 and traffic from AS3 traveling trough AS1 take path via IX? I have two ideas: 1) policy based routing, bind some route-map to AS1's upstream-facing interfaces and set ip next-hop or set interface... But it does not scale well of course. 2) put transit neighbors (upstream and customers also) into vrf, for example: ip vrf transit rd 1:100 export map EXPORT_ALL import map IMPORT_ALL ! router bgp 1 network 1.1.1.0 mask 255.255.255.0 neighbor 2.2.2.1 remote-as 2 neighbor 2.2.2.1 route-map SET_IX_LOCPREF in neighbor 2.2.2.1 filter-list 1 ! address-family ipv4 vrf transit neighbor 1.1.0.1 remote-as 100 neighbor 1.1.0.1 route-map SET_TRANSIT_LOCPREF in neighbor 1.1.0.1 description UPSTREAM1 neighbor 1.1.0.2 remote-as 200 neighbor 1.1.0.2 route-map SET_TRANSIT_LOCPREF in neighbor 1.1.0.2 description UPSTREAM2 neighbor 2.2.2.2 remote-as 2 neighbor 2.2.2.2 route-map SET_TRANSIT_LOCPREF in neighbor 2.2.2.2 description CUSTOMER AS2 neighbor 3.3.3.1 remote-as 3 neighbor 3.3.3.1 route-map SET_TRANSIT_LOCPREF in neighbor 3.3.3.1 description CUSTOMER AS3 ! ! route-map SET_IX_LOCPREF permit 10 set local-preference 200 ! route-map SET_TRANSIT_LOCPREF permit 10 set local-preference 100 ! route-map EXPORT_ALL permit 10 ! route-map IMPORT_ALL permit 10 ! I spent few hours in lab experimenting with this configuration. I am using old Cisco 1600, so there is possibility that issues I had could come from some bug in this EoL platform... For reference, I used IOS (tm) 1600 Software (C1600-SY-M), Version 12.2(37) RELEASE SOFTWARE (fc1) for experiments. Problems: 1) routes in vrf transit are learned to into vrf routing table and are announced in both directions from AS100 to AS2 and AS3 and vice-versa, as expected. But routes from vrf transit are not exported into global routing table nor imported from global into vrf. I tried everything (I put some prefix- or access-list to match ip address clause in IMPORT_ALL and EXPORT_ALL maps,...), but nothing appeared in the global table. It should be some misconfiguration over there but I do not see that. Any help would be appreciated. 2) Let's assume that the import and export works, so I have all transit routes in my global table and route 1.1.1.0/24 inside vrf transit (this is a route originated in AS2). Those routes are therefore in fact duplicated... Is there any mechanism or chance to overcome that? Something like default route in global table pointing into transit VRF and triggering one extra routing decission inside VRF? Or is the duplication somehow optimized and it won't be any problem even for full BGP table? (O course I mean full table on real routers... 7200 or 7600.) Is there any best-practice or common approach to that? Maybe something completly different which I am not aware of? Tomas -- Tomáš Hlaváček [EMAIL PROTECTED] ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ -- Tomáš Hlaváček [EMAIL PROTECTED] ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] separation of transit, peerings and this-AS traffic (long)
use meds On Sun, Sep 14, 2008 at 5:48 PM, Tomas Hlavacek [EMAIL PROTECTED] wrote: Greetings! I am thinking about a scenario, which is maybe quite common, but I do not know how to make that work. Say that an AS1 is receiving full BGP table from multiple upstreams, for example AS100 and AS200. AS1 has a customer, say AS2. There is one Ethernet physical connection between border routers of AS1 and AS2. AS2 is paying to AS1 for upstream and receives full BGP feed. AS1 has another customer AS3, paying for upstream also. Besides that AS1 and AS2 has a peering via some IX. AS2 is stub, so it is announcing only prefixes with as-path ^2$. AS1 is announcing ^1$ and ^1 3$ prefixes to its peers in the IX. AS1 preferres paths via IX by local-preferrence. The point is how to make packets traveling from upstreams of AS1 to AS2 not to take path via IX, but via direct Ethernet connection while traffic originating in AS1 and traffic from AS3 traveling trough AS1 take path via IX? I have two ideas: 1) policy based routing, bind some route-map to AS1's upstream-facing interfaces and set ip next-hop or set interface... But it does not scale well of course. 2) put transit neighbors (upstream and customers also) into vrf, for example: ip vrf transit rd 1:100 export map EXPORT_ALL import map IMPORT_ALL ! router bgp 1 network 1.1.1.0 mask 255.255.255.0 neighbor 2.2.2.1 remote-as 2 neighbor 2.2.2.1 route-map SET_IX_LOCPREF in neighbor 2.2.2.1 filter-list 1 ! address-family ipv4 vrf transit neighbor 1.1.0.1 remote-as 100 neighbor 1.1.0.1 route-map SET_TRANSIT_LOCPREF in neighbor 1.1.0.1 description UPSTREAM1 neighbor 1.1.0.2 remote-as 200 neighbor 1.1.0.2 route-map SET_TRANSIT_LOCPREF in neighbor 1.1.0.2 description UPSTREAM2 neighbor 2.2.2.2 remote-as 2 neighbor 2.2.2.2 route-map SET_TRANSIT_LOCPREF in neighbor 2.2.2.2 description CUSTOMER AS2 neighbor 3.3.3.1 remote-as 3 neighbor 3.3.3.1 route-map SET_TRANSIT_LOCPREF in neighbor 3.3.3.1 description CUSTOMER AS3 ! ! route-map SET_IX_LOCPREF permit 10 set local-preference 200 ! route-map SET_TRANSIT_LOCPREF permit 10 set local-preference 100 ! route-map EXPORT_ALL permit 10 ! route-map IMPORT_ALL permit 10 ! I spent few hours in lab experimenting with this configuration. I am using old Cisco 1600, so there is possibility that issues I had could come from some bug in this EoL platform... For reference, I used IOS (tm) 1600 Software (C1600-SY-M), Version 12.2(37) RELEASE SOFTWARE (fc1) for experiments. Problems: 1) routes in vrf transit are learned to into vrf routing table and are announced in both directions from AS100 to AS2 and AS3 and vice-versa, as expected. But routes from vrf transit are not exported into global routing table nor imported from global into vrf. I tried everything (I put some prefix- or access-list to match ip address clause in IMPORT_ALL and EXPORT_ALL maps,...), but nothing appeared in the global table. It should be some misconfiguration over there but I do not see that. Any help would be appreciated. 2) Let's assume that the import and export works, so I have all transit routes in my global table and route 1.1.1.0/24 inside vrf transit (this is a route originated in AS2). Those routes are therefore in fact duplicated... Is there any mechanism or chance to overcome that? Something like default route in global table pointing into transit VRF and triggering one extra routing decission inside VRF? Or is the duplication somehow optimized and it won't be any problem even for full BGP table? (O course I mean full table on real routers... 7200 or 7600.) Is there any best-practice or common approach to that? Maybe something completly different which I am not aware of? Tomas -- Tomáš Hlaváček [EMAIL PROTECTED] ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] separation of transit, peerings and this-AS traffic (long)
MED isn't going to solve this problem. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christian Koch Sent: Monday, 15 September 2008 9:01 AM To: Tomas Hlavacek Cc: cisco-nsp@puck.nether.net Subject: Re: [c-nsp] separation of transit, peerings and this-AS traffic (long) use meds On Sun, Sep 14, 2008 at 5:48 PM, Tomas Hlavacek [EMAIL PROTECTED] wrote: Greetings! I am thinking about a scenario, which is maybe quite common, but I do not know how to make that work. Say that an AS1 is receiving full BGP table from multiple upstreams, for example AS100 and AS200. AS1 has a customer, say AS2. There is one Ethernet physical connection between border routers of AS1 and AS2. AS2 is paying to AS1 for upstream and receives full BGP feed. AS1 has another customer AS3, paying for upstream also. Besides that AS1 and AS2 has a peering via some IX. AS2 is stub, so it is announcing only prefixes with as-path ^2$. AS1 is announcing ^1$ and ^1 3$ prefixes to its peers in the IX. AS1 preferres paths via IX by local-preferrence. The point is how to make packets traveling from upstreams of AS1 to AS2 not to take path via IX, but via direct Ethernet connection while traffic originating in AS1 and traffic from AS3 traveling trough AS1 take path via IX? I have two ideas: 1) policy based routing, bind some route-map to AS1's upstream-facing interfaces and set ip next-hop or set interface... But it does not scale well of course. 2) put transit neighbors (upstream and customers also) into vrf, for example: ip vrf transit rd 1:100 export map EXPORT_ALL import map IMPORT_ALL ! router bgp 1 network 1.1.1.0 mask 255.255.255.0 neighbor 2.2.2.1 remote-as 2 neighbor 2.2.2.1 route-map SET_IX_LOCPREF in neighbor 2.2.2.1 filter-list 1 ! address-family ipv4 vrf transit neighbor 1.1.0.1 remote-as 100 neighbor 1.1.0.1 route-map SET_TRANSIT_LOCPREF in neighbor 1.1.0.1 description UPSTREAM1 neighbor 1.1.0.2 remote-as 200 neighbor 1.1.0.2 route-map SET_TRANSIT_LOCPREF in neighbor 1.1.0.2 description UPSTREAM2 neighbor 2.2.2.2 remote-as 2 neighbor 2.2.2.2 route-map SET_TRANSIT_LOCPREF in neighbor 2.2.2.2 description CUSTOMER AS2 neighbor 3.3.3.1 remote-as 3 neighbor 3.3.3.1 route-map SET_TRANSIT_LOCPREF in neighbor 3.3.3.1 description CUSTOMER AS3 ! ! route-map SET_IX_LOCPREF permit 10 set local-preference 200 ! route-map SET_TRANSIT_LOCPREF permit 10 set local-preference 100 ! route-map EXPORT_ALL permit 10 ! route-map IMPORT_ALL permit 10 ! I spent few hours in lab experimenting with this configuration. I am using old Cisco 1600, so there is possibility that issues I had could come from some bug in this EoL platform... For reference, I used IOS (tm) 1600 Software (C1600-SY-M), Version 12.2(37) RELEASE SOFTWARE (fc1) for experiments. Problems: 1) routes in vrf transit are learned to into vrf routing table and are announced in both directions from AS100 to AS2 and AS3 and vice-versa, as expected. But routes from vrf transit are not exported into global routing table nor imported from global into vrf. I tried everything (I put some prefix- or access-list to match ip address clause in IMPORT_ALL and EXPORT_ALL maps,...), but nothing appeared in the global table. It should be some misconfiguration over there but I do not see that. Any help would be appreciated. 2) Let's assume that the import and export works, so I have all transit routes in my global table and route 1.1.1.0/24 inside vrf transit (this is a route originated in AS2). Those routes are therefore in fact duplicated... Is there any mechanism or chance to overcome that? Something like default route in global table pointing into transit VRF and triggering one extra routing decission inside VRF? Or is the duplication somehow optimized and it won't be any problem even for full BGP table? (O course I mean full table on real routers... 7200 or 7600.) Is there any best-practice or common approach to that? Maybe something completly different which I am not aware of? Tomas -- Tomáš Hlaváček [EMAIL PROTECTED] ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] separation of transit, peerings and this-AS traffic (long)
Hello Ben and all, thanks for reply. First thing is that I am only trying to set up a proof-of-concept using small old boxes which are not doing MPLS at all. In my lab scenario one box stays for one AS. When it comes to deployment of the solution - whatever it is - to my real network, it will be all done by a single 7600, which has connected upstreams, peerings and customers into one single box. In real life my network will stay for AS2. As I am new to MPLS (I only did several labs and read theory) I could be wrong, but I think that sice I have only one box involved, I have only one RIB and so I can not use your solution now. And yes, you are right. I don't like solution with policy based routing despite that I know how to achive what I need using PBR. But I am scared by eventual future expanding of PBR for more customers and more sites. Tomas Ben Steele wrote: Is your network MPLS enabled? You could do TE from your bdr of YOUR upstreams to your PE that connects to AS1 and set a bgp weight (not local pref) on that router to prefer the directly connected Ethernet bgp peer, this solution will also give you some redundancy in should the TE tunnel go down or the bgp relationship over the ethernet it will just take the natural path of the IX. More static options like policy route-maps and static routing next hops etc have the consequence of leaving your neighbour with a broken network in the event of a failure through that policy, sure you can add sla tracking to your next hop but you mentioned scalability etc. So you don't want to be configuring ip sla all over the place and route-maps. Ben -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tomas Hlavacek Sent: Monday, 15 September 2008 7:19 AM To: cisco-nsp@puck.nether.net Subject: [c-nsp] separation of transit, peerings and this-AS traffic (long) Greetings! I am thinking about a scenario, which is maybe quite common, but I do not know how to make that work. Say that an AS1 is receiving full BGP table from multiple upstreams, for example AS100 and AS200. AS1 has a customer, say AS2. There is one Ethernet physical connection between border routers of AS1 and AS2. AS2 is paying to AS1 for upstream and receives full BGP feed. AS1 has another customer AS3, paying for upstream also. Besides that AS1 and AS2 has a peering via some IX. AS2 is stub, so it is announcing only prefixes with as-path ^2$. AS1 is announcing ^1$ and ^1 3$ prefixes to its peers in the IX. AS1 preferres paths via IX by local-preferrence. The point is how to make packets traveling from upstreams of AS1 to AS2 not to take path via IX, but via direct Ethernet connection while traffic originating in AS1 and traffic from AS3 traveling trough AS1 take path via IX? I have two ideas: 1) policy based routing, bind some route-map to AS1's upstream-facing interfaces and set ip next-hop or set interface... But it does not scale well of course. 2) put transit neighbors (upstream and customers also) into vrf, for example: ip vrf transit rd 1:100 export map EXPORT_ALL import map IMPORT_ALL ! router bgp 1 network 1.1.1.0 mask 255.255.255.0 neighbor 2.2.2.1 remote-as 2 neighbor 2.2.2.1 route-map SET_IX_LOCPREF in neighbor 2.2.2.1 filter-list 1 ! address-family ipv4 vrf transit neighbor 1.1.0.1 remote-as 100 neighbor 1.1.0.1 route-map SET_TRANSIT_LOCPREF in neighbor 1.1.0.1 description UPSTREAM1 neighbor 1.1.0.2 remote-as 200 neighbor 1.1.0.2 route-map SET_TRANSIT_LOCPREF in neighbor 1.1.0.2 description UPSTREAM2 neighbor 2.2.2.2 remote-as 2 neighbor 2.2.2.2 route-map SET_TRANSIT_LOCPREF in neighbor 2.2.2.2 description CUSTOMER AS2 neighbor 3.3.3.1 remote-as 3 neighbor 3.3.3.1 route-map SET_TRANSIT_LOCPREF in neighbor 3.3.3.1 description CUSTOMER AS3 ! ! route-map SET_IX_LOCPREF permit 10 set local-preference 200 ! route-map SET_TRANSIT_LOCPREF permit 10 set local-preference 100 ! route-map EXPORT_ALL permit 10 ! route-map IMPORT_ALL permit 10 ! I spent few hours in lab experimenting with this configuration. I am using old Cisco 1600, so there is possibility that issues I had could come from some bug in this EoL platform... For reference, I used IOS (tm) 1600 Software (C1600-SY-M), Version 12.2(37) RELEASE SOFTWARE (fc1) for experiments. Problems: 1) routes in vrf transit are learned to into vrf routing table and are announced in both directions from AS100 to AS2 and AS3 and vice-versa, as expected. But routes from vrf transit are not exported into global routing table nor imported from global into vrf. I tried everything (I put some prefix- or access-list to match ip address clause in IMPORT_ALL and EXPORT_ALL maps,...), but nothing appeared in the global table. It should be some misconfiguration over there but I do not see that. Any help would be appreciated. 2) Let's assume that the import and export works, so I have all transit routes in my global table
Re: [c-nsp] separation of transit, peerings and this-AS traffic (long)
Dean Rasheed [EMAIL PROTECTED] writes: foo.char and foo.varchar have similarly unexpected behavior; I think that's probably the end of it, though, since those are the only types that CoerceViaIO will take as targets. ... and also any user defined domains based on those, which is what I actually had. Ouch. That makes the scope for unexpected behavior wider than I thought. Maybe we do need some restriction here? The ideas I had involved not considering the cast interpretation when the actual syntax is table.column and some-set-of-other-conditions. While this is certainly possible to implement, any variant of it will break the existing 100% equivalence of foo.bar and bar(foo); which seems to me to be a nice principle, though I grant you won't find it anywhere in the SQL standard. The other-conditions are a bit up for grabs. The narrowest restriction that would serve the purpose is table variable is of composite type and the cast would be a CoerceViaIO cast, but that definitely seems like a wart. However, cleaner-seeming restrictions like no casts on composites at all could potentially break applications that worked okay before 8.3. Comments anyone? Should we try to change this, or leave well enough alone? regards, tom lane -- Sent via pgsql-general mailing list (pgsql-general@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
[c-nsp] separation of transit, peerings and this-AS traffic (long)
kills.: SAP BI, SAP BI Netweaver Experience Level..: Midlevel Location...: Jersey City, New Jersey (NJ) Job duration.: 3 Months PayRate...: Market Click for details: http://corp-corp.com/js/js_view_job.aspx?js=133840 Job Title...: MD-Baltimore-Midlevel-SAP EDI Consultant Specialized Area..: SAP Required Skills.: SAP EDI, UNIX Experience Level..: Midlevel Location...: Baltimore, Maryland (MD) Job duration.: 1 Year PayRate...: Market Click for details: http://corp-corp.com/js/js_view_job.aspx?js=126504 Job Title...: MD- Baltimore-Midlevel-SAP EDI Consultant Specialized Area..: SAP Required Skills.: SAP-EDI, UNIX, Experience Level..: Midlevel Location...: Baltimore, Maryland (MD) Job duration.: 1 Year PayRate...: Market Click for details: http://corp-corp.com/js/js_view_job.aspx?js=133807 Job Title...: IL-Chicago-Midlevel-Lead SAP BI Planning consultant Specialized Area..: SAP Required Skills.: SAP BI Experience Level..: Midlevel Location...: Chicago, Illinois (IL) Job duration.: 3 Months PayRate...: Market Click for details: http://corp-corp.com/js/js_view_job.aspx?js=133810 Job Title...: GA-Atlanta-Midlevel-SAP FICO Consultant Specialized Area..: SAP Required Skills.: SAP FICO, SAP R/3, SAP BW Experience Level..: Midlevel Location...: Atlanta, Georgia (GA) Job duration.: 1 Year PayRate...: Market Click for details: http://corp-corp.com/js/js_view_job.aspx?js=133649 Job Title...: MN-Minnesota-Senior, Architect-SAP Security Architect Specialized Area..: SAP Required Skills.: SAP Security, SAP Portal Experience Level..: Senior,Architect Location...: Minnesota, Minnesota (MN) Job duration.: 6 Months PayRate...: Market Click for details: http://corp-corp.com/js/js_view_job.aspx?js=133683 Job Title...: NJ-New Jersy-Senior-SAP BI Specialized Area..: SAP Required Skills.: SAP BI, Experience Level..: Senior Location...: New Jersy, New Jersey (NJ) Job duration.: 3 Months PayRate...: Market Click for details: http://corp-corp.com/js/js_view_job.aspx?js=133698 Job Title...: NJ-New Jersy-Senior-SAP CRM Specialized Area..: SAP Required Skills.: SAP CRM Experience Level..: Senior Location...: New Jersy, New Jersey (NJ) Job duration.: 1 Year PayRate...: Market Click for details: http://corp-corp.com/js/js_view_job.aspx?js=133705 Job Title...: NJ-New Jersy-Midlevel-SAP FICO Specialized Area..: SAP Requiredtable from multiple upstreams, for example AS100 and AS200. AS1 has a customer, say AS2. There is one Ethernet physical connection between border routers of AS1 and AS2. AS2 is paying to AS1 for upstream and receives full BGP feed. AS1 has another customer AS3, paying for upstream also. Besides that AS1 and AS2 has a peering via some IX. AS2 is stub, so it is announcing only prefixes with as-path ^2$. AS1 is announcing ^1$ and ^1 3$ prefixes to its peers in the IX. AS1 preferres paths via IX by local-preferrence. The point is how to make packets traveling from upstreams of AS1 to AS2 not to take path via IX, but via direct Ethernet connection while traffic originating in AS1 and traffic from AS3 traveling trough AS1 take path via IX? I have two ideas: 1) policy based routing, bind some route-map to AS1's upstream-facing interfaces and set ip next-hop or set interface... But it does not scale well of course. 2) put transit neighbors (upstream and customers also) into vrf, for example: ip vrf transit rd 1:100 export map EXPORT_ALL import map IMPORT_ALL ! router bgp 1 network 1.1.1.0 mask 255.255.255.0 neighbor 2.2.2.1 remote-as 2 neighbor 2.2.2.1 route-map SET_IX_LOCPREF in neighbor 2.2.2.1 filter-list 1 ! address-family ipv4 vrf transit neighbor 1.1.0.1 remote-as 100 neighbor 1.1.0.1 route-map SET_TRANSIT_LOCPREF in neighbor 1.1.0.1 description UPSTREAM1 neighbor 1.1.0.2 remote-as 200 neighbor 1.1.0.2 route-map SET_TRANSIT_LOCPREF in neighbor 1.1.0.2 description UPSTREAM2 neighbor 2.2.2.2 remote-as 2