AS-PATH Prepending vs PBR for eBGP topology

Hi guys. I have a very important question regarding a bgp design. I created this enterprise BGP design between a site and two DCs.

Site AS:65028 is the remote and has two ISP connections to DC A via Lumen as primary and DC B ATT as Secondary in AS:65000. I want to connect to a file server (10.1.100.x subnet) that is hosted in DC B via ATT from AS:65028 and everything else from AS:65028 to go to the via Lumen. I have configured BGP on all sites and everything is working fine. However, i configured PBR to direct the traffic going to the file server on the remote sites. This policy isn’t working. I also tried to use as-path prepend to manipulate that specific subnet to go over ATT. That didn’t work either. I would like your suggestions please. I have the topology that i could attach to this post if i can find out to attach it.

Hello Samuel

When working with eBGP, it is usually best practice to manipulate the BGP attributes. In your particular case, it looks like you are needing to affect eBGP routing, that is, routing choices between AS’es. You can do this using a route map to change either the weight, localpref, or use path prepending. Any one of these can be used to choose a different routing between AS’es.

You can use policy-based routing to change the next-hop IP address for a particular route as well.

All of these solutions should work. It is preferable to modify BGP attributes rather than PBR simply because any topology change will cause BGP to reconverge, maintaining connectivity by potentially other routes. With PBR, it is more difficult to achieve this. In any case, if it is configured correctly, it should deliver a similar reliablity.

Now having said all of that, the fact that your topology didn’t operate as expected means that you will have to do some troubleshooting. If you need help in this process, please share more details about your topology, and the resulting behavior so that we can help you along the way.

I hope this has been helpful!

Laz

Hi Laz.

Thank you for your reply to this thread. Below is the current config that is currently working.
Note: Currently, every traffic is going over R20WAN01 >> R02WAN02. That is how i want the design to work. However, i want only 10.1.100.0/24 from R20WAN0x to route via the secondary
circuit R20WAN02 >> R01WAN01.
!
DC routers are R02WAN02 active and standby R01WAN01
Remote routers are active R20WAN01 and standby R20WAN02!
Currently, everything is working fine. Meaning, all traffic from remote location is transiting via Lumen “R20WAN01”.
!

CURRENT ACTIVE DC1 CONFIG:
!
OSPF:
!
R02WAN02#
router ospf 1
 redistribute static metric-type 1 subnets
 network 10.0.0.0 0.255.255.255 area 0
 default-information originate metric-type 1
!
BGP:
!
router bgp 65501
 bgp log-neighbor-changes
 neighbor 10.3.80.4 remote-as 65501
 neighbor 63.237.177.2 remote-as 209
 !
 address-family ipv4
  network 0.0.0.0
  network 10.0.0.0
  network 10.0.1.0 mask 255.255.255.0
  network 10.0.3.0 mask 255.255.255.0
  network 10.1.0.0 mask 255.255.0.0
  network 10.3.0.0 mask 255.255.0.0
  network 10.12X.0.0 mask 255.255.0.0
  network 10.170.48.0 mask 255.255.255.0
  network 10.17X.50.0 mask 255.255.255.0
  aggregate-address 10.17X.48.0 255.255.252.0 summary-only
  redistribute static route-map BlockLocal
  neighbor 10.3.80.4 activate
  neighbor 63.237.177.2 activate
  neighbor 63.237.177.2 soft-reconfiguration inbound
  neighbor 63.237.177.2 filter-list 2 out
  default-information originate
!
!
SECONDARY DC2:
!
OSPF:
!
R01WAN01#
router ospf 1
 redistribute static metric-type 1 subnets
 network 10.0.0.0 0.255.255.255 area 0
 redistribute bgp 65501 metric 1000 metric-type 1 subnets route-map ad-out
 default-information originate metric-type 1
!
router bgp 65501
 bgp log-neighbor-changes
 neighbor 10.2.211.1 remote-as 65028
 neighbor 10.2.211.1 fall-over bfd
 neighbor 10.3.80.3 remote-as 65501
 !
 address-family ipv4
  network 0.0.0.0
  network 10.0.0.0
  network 10.0.1.0 mask 255.255.255.0
  network 10.0.3.0 mask 255.255.255.0
  network 10.1.0.0 mask 255.255.0.0
  network 10.3.0.0 mask 255.255.0.0
  redistribute static route-map BlockLocal
  redistribute ospf 1
  neighbor 10.2.211.1 activate
  neighbor 10.2.211.1  soft-reconfiguration inbound
  neighbor 10.2.211.1  route-map prepend3 in
  neighbor 10.2.211.1  route-map prepend3 out
  neighbor 10.2.211.1  filter-list 1 out
  neighbor 10.3.80.3 activate
 exit-address-family
!
ROUTE-MAP
route-map ad-out deny 10
 match community 1
 set community 791417746
route-map ad-out deny 20
 match community 2
 set community 791417756
route-map ad-out deny 30
 match community 3
 set community 791417766
route-map ad-out deny 35
 match community 5
 set community 791417776
route-map ad-out deny 40
 match community 4
 set community 791417836
route-map ad-out permit 50
 match ip address any
route-map prepend3 permit 10
 set as-path prepend 65500 65500 65500
!

################## REMOTE LOCATION HAS TWO CE ROUTERS #################
R20WAN01 IS CURRENTLY ACTIVE ROUTER ON THE REMOTE SITE:
!

EIGRP:
!
R20WAN01#
router eigrp 20
 network 10.0.0.0
 redistribute bgp 65000 metric 1000000 1000 255 1 1500 route-map bgptoeigrp
  redistribute eigrp 20 route-map route-out

!
 redistribute bgp 65000 metric 1000000 1000 255 1 1500 route-map bgptoeigrp
router bgp 65000
 bgp log-neighbor-changes
 neighbor 10.0.20.7 remote-as 65000
 neighbor 10.0.20.7 update-source Loopback0
 neighbor 63.150.3.4 remote-as 209
 !
 address-family ipv4
  network 10.0.20.0 mask 255.255.255.0
  network 10.0.20.6 mask 255.255.255.255
  network 10.0.100.0 mask 255.255.255.0
  network 10.20.0.0 mask 255.255.0.0
  network 10.100.0.0 mask 255.255.0.0
  network 10.200.240.8 mask 255.255.255.252
  aggregate-address 10.200.0.0 255.255.0.0 summary-only
  aggregate-address 10.100.0.0 255.255.0.0 summary-only
  aggregate-address 10.20.0.0 255.255.0.0
  aggregate-address 10.0.100.0 255.255.255.0 summary-only
  aggregate-address 10.0.20.0 255.255.255.0
  redistribute static
  redistribute eigrp 20 route-map route-out
  neighbor 10.0.20.7 activate
  neighbor 63.150.3.4 activate
  neighbor 63.150.3.4 soft-reconfiguration inbound
  neighbor 63.150.3.4 route-map CVISS_ROUTES out
  neighbor 63.150.3.4 filter-list 1 out
 exit-address-family
!
ip access-list extended CVI permit 10.1.100.0 0.0.0.255 any 
! (this is the subnet i'm trying to go over att link. Everything else from remote location to go over Lumen).
!
route-map CVISS_ROUTES permit 10
match ip address CVI
set as-path prepend 65000 65000 65000 65000 65000
route-map CVISS_ROUTES permit 20

!
R20WAN02 IS CURRENTLY STANDBY ROUTER ON THE REMOTE SITE:
!

EIGRP
!
R20WAN02# 
router eigrp 20
 network 10.0.0.0
 network 63.150.3.4 0.0.0.0
 redistribute bgp 65020 metric 1000000 1000 255 1 1500 route-map bgptoeigrp
 passive-interface default
 no passive-interface GigabitEthernet0/1
!
BGP:
!
router bgp 65028
 bgp log-neighbor-changes
 neighbor 10.0.20.6 remote-as 65028
 neighbor 10.0.20.6 update-source Loopback0
 neighbor 10.2.211.1  remote-as 65500
 !
 address-family ipv4
  network 10.0.20.0 mask 255.255.255.0
  network 10.0.20.7 mask 255.255.255.255
  network 10.0.100.0 mask 255.255.255.0
  network 10.20.0.0 mask 255.255.0.0
  network 10.100.0.0 mask 255.255.0.0
  aggregate-address 10.200.0.0 255.255.0.0 summary-only
  aggregate-address 10.100.0.0 255.255.0.0 summary-only
  aggregate-address 10.20.0.0 255.255.0.0 summary-only
  aggregate-address 10.0.100.0 255.255.255.0 summary-only
  aggregate-address 10.0.20.0 255.255.255.0 summary-only
  redistribute eigrp 20 route-map route-out
  neighbor 10.0.20.6 activate
  neighbor 10.2.211.1  activate
  neighbor 10.2.211.1  soft-reconfiguration inbound
  neighbor 10.2.211.1  route-map route-out out
  neighbor 10.2.211.1  filter-list 1 out

10.1.100.0 0.0.0.255 (this is the subnet i’m trying to route "Ingress and Egress over ATT link. Everything other subnets in the remote location to route over Lumen).

Hello Samuel

Thanks for sharing this information! I’m still having some trouble understanding your topology. I’m confused because you are referring to the DCs as well as the WAN connections using the same labels “R01WANx” and you are also referring to them as ATT and Lumen, which of course are the providers, but it’s not clear as to which path each one is referring to. Can you clarify by giving us a clearer picture of your topology?

Looking forward to it!

Thanks!

Laz

Hi Laz,

any host from 10.28.x.x that needs to connect to 10.1.100.0/24 should go via R28WAN02 to R01WAN01 and every other traffic from 10.28.x.x should go through R28WAN01 to R03WAN02. I have pasted the topology here. Hope it shows up.