Tuesday, 6 March 2018

BGP Conditional Advertisement Feature


This is actually a pretty cool feature. I didn't even know it existed until I was looking for a solution to advertise a subnet (prefix in BGP talk) only if a certain condition existed. This is exactly what conditional advertisement does.

"The Border Gateway Protocol (BGP) conditional advertisement feature provides additional control of route advertisement, depending on the existence of other prefixes in the BGP table."

I am assuming, for those who want to read this post, that you have some understanding of BGP and its use of prefix-lists and route maps, otherwise this post might be hard to understand. Mind you, conditional advertisements are part of the CCIE R&S exam.

So let me go straight to the scenario:




So the routers under my admin domain are BEN and IBM. My primary router is BEN and my public IP range I am advertising is 203.11.11.0/24. 
  • My two ISPs are Telstra and Next. 
  • BEN has an eBGP neighbour with Telstra,
  • IBM has an eBGP peer with Next. 
  • Then BEN and IBM form an iBGP neighbourship.

Nothing new so far. Now I have found that advertising the same public IP address (prefix) towards 2 different providers, even with AS path prepend to try to make one ISP more preferable over the other, is highly unpredictable. This is because some providers prefer other providers no matter how often you AS prepend the crap out of your public prefix. This can cause asymmetric routing, where your exit path is the primary ISP and entry is through your secondary router. So I was looking for another solution: only route my public IP addresses out to the backup provider (Next in my case) in the event the primary fails. Or even better: fail over when the primary ISP stops advertising a default route into my organisation through the primary router.

In order to put all this in place, most, if not all, of the configuration is done on the secondary router, IBM, so let's dive in.

As you can see below, the secondary internet router (IBM) has 2 default gateways:

IBM#sh ip bgp topology *
For address family: IPv4 Unicast

BGP table version is 26, local router ID is 160.100.100.231
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
     Network          Next Hop            Metric LocPrf Weight Path
 *>i 0.0.0.0          203.11.11.5             0    200      0 3000 i
 *                    160.100.100.230               100      0 4000 i

The most preferred one comes from the BEN router, which in turn is being advertised by the Telstra Router (23.23.23.113). Initially I was going to use ip sla tracking on the IBM router to advertise 203.11.11.0/24 out if BEN lost the connection to Telstra, but this is not as foolproof as checking if the default gateway is still being advertised by BEN, because if my primary internet router no longer sends a default route 0.0.0.0 to my secondary internet router, then either my primary router is down, the link to Telstra is down, or Telstra is for some other reason no longer advertising a default route.

OK, so on my IBM I set up a conditional advertisement to my Next BGP peer:

router bgp 5000
 address-family ipv4
  neighbor 160.100.100.230 advertise-map ADVERTISE non-exist-map NON-EXIST

What this means is that route map ADVERTISE is invoked when no route in the BGP table matches the condition in route map NON-EXIST any longer.

route-map NON-EXIST permit 10
 match ip address prefix-list TEST
 match community 1

So the ADVERTISE route map is the easy part: it matches our public IP prefix, 203.11.11.0/24:

access-list 60 permit 203.11.11.0 0.0.0.255

The NON-EXIST route map is the condition that needs checking, and it in fact has two conditions in it: it checks the prefix for a certain community and it checks whether the actual prefix is available in the BGP table:

ip prefix-list TEST seq 5 permit 0.0.0.0/0

The reason there are two conditions is that (refer to the sh ip bgp topology * output above) there are two 0.0.0.0 prefixes in the table, one from each provider. Now I am only interested in checking one of them, namely the one that comes from BEN, 203.11.11.5. I thought it would be easiest to add a check for a certain community (although AS path would have worked as well).


ip community-list 1 permit 362000

So basically this second condition checks to see if the route has 362000 as the community.
You can check the route to see if the community attribute is set and has the correct value. See below:



IBM#sh ip bgp 0.0.0.0
BGP routing table entry for 0.0.0.0/0, version 25
Paths: (3 available, best #1, table default)
  Not advertised to any peer
  Refresh Epoch 1
  3000, (received & used)
    203.11.11.5 from 203.11.11.5 (203.11.11.5)
      Origin IGP, metric 0, localpref 200, valid, internal, best
      Community: 36200
      rx pathid: 0, tx pathid: 0x0
  Refresh Epoch 1
  4000


So at this stage both conditions should be met: a) a default route in the BGP table and b) a route with community attribute 36200. So our public prefix 203.11.11.0/24 should NOT be advertised out IBM to Next. To verify:


IBM#sh ip bgp nei 160.100.100.230
BGP neighbor is 160.100.100.230,  remote AS 4000, external link
---<output omitted>
Condition-map NON-EXIST, Advertise-map ADVERTISE, status: Withdraw
---<output omitted>

As you can see, the conditional advertisement states "Withdraw", which means the condition to start advertising is not met; i.e. we have a valid default route coming from BEN. So let me break something to trigger the condition to change. For this I will shut the connection between Telstra and BEN. (Remember BEN does not originate 0.0.0.0; it receives it from Telstra, and as soon as that link breaks, it should no longer receive a default route either.)

When debugging routing on IBM:



IBM#
*Mar  7 04:45:48.908: RT: updating bgp 0.0.0.0/0 (0x0)  :
    via 160.100.100.230   0 1048577
*Mar  7 04:45:48.915: RT: closer admin distance for 0.0.0.0, flushing 1 routes
*Mar  7 04:45:48.919: RT: add 0.0.0.0/0 via 160.100.100.230, bgp metric [20/0]

As you can see, the 0.0.0.0 from BEN gets purged from the BGP table, and consequently the conditional advertisement kicks in:


IBM#sh ip bgp nei 160.100.100.230
<omitted>
  Condition-map NON-EXIST, Advertise-map ADVERTISE, status: Advertise

To double check this, we check what routes the IBM router is sending to Next:



IBM#sh ip bgp nei 160.100.100.230 advertised-routes
BGP table version is 13, local router ID is 160.100.100.231
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
     Network          Next Hop            Metric LocPrf Weight Path
 *>  203.11.11.0/24  203.11.11.1            0         32768 i
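
The non-exist-map behaviour walked through above, as a simplified Python model (an added example, not code from the original post and not how IOS implements the feature). The Path class and the function names are hypothetical; the prefixes, next hops and the two community values (362000 in the community-list line, 36200 in the show output) are the ones that appear in the post.

```python
# Simplified model of "advertise-map ADVERTISE non-exist-map NON-EXIST".
# Added illustration, not IOS code; Path and the function names are hypothetical.
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Path:
    prefix: str
    next_hop: str
    communities: frozenset = frozenset()


def condition_matches(path, prefix_list, community_list=None):
    """All match clauses in one route-map entry must hold (logical AND)."""
    prefix_ok = ip_network(path.prefix) in prefix_list
    # community_list=None models a NON-EXIST map without "match community".
    community_ok = community_list is None or bool(path.communities & community_list)
    return prefix_ok and community_ok


def advertise_status(bgp_table, prefix_list, community_list=None):
    """non-exist-map: advertise only while no path satisfies the condition."""
    if any(condition_matches(p, prefix_list, community_list) for p in bgp_table):
        return "Withdraw"
    return "Advertise"


TEST = {ip_network("0.0.0.0/0")}                      # ip prefix-list TEST
VIA_BEN = Path("0.0.0.0/0", "203.11.11.5", frozenset({36200}))
VIA_NEXT = Path("0.0.0.0/0", "160.100.100.230")       # no community attached


def scenarios():
    return {
        # BEN still relays the tagged default route: keep 203.11.11.0/24 back.
        "primary_up": advertise_status([VIA_BEN, VIA_NEXT], TEST, {36200}),
        # BEN's default route is gone: the backup advertisement is released.
        "primary_default_lost": advertise_status([VIA_NEXT], TEST, {36200}),
        # Prefix check alone also matches Next's default route, so the
        # condition never clears and failover would never happen.
        "prefix_only": advertise_status([VIA_NEXT], TEST),
        # List value differs from the tag on the route: nothing ever matches,
        # so the prefix is advertised to Next even while the primary is up.
        "community_mismatch": advertise_status([VIA_BEN, VIA_NEXT], TEST, {362000}),
    }


if __name__ == "__main__":
    for name, status in scenarios().items():
        print(f"{name}: {status}")
```

The last case is why the value in the community-list and the value actually carried by the tracked route have to be identical before relying on the "Withdraw" status.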


Any questions, drop me a line.

Namaste