

- Cisco
- EdgeRouter-X
- FortiGate
- Tests
- Changing the AS Numbers
- Optimizing route maps
- BGP: Prevent becoming a Transit AS
- Links
Revisiting an old post.
We had the need for BGP load balancing.
In short: cisco01 is the HSRP master and does multipath routing over cisco02 / edge02 to the FortiGate; for the time being multipath has been turned off on cisco02.
After trying a few setups I finally went with Local Preference on the Cisco side (Solution 3).
All solutions will require some sort of reconfiguration; currently I do not see a way to do this based on HSRP state.

Cisco
cisco01
config
ip as-path access-list 1 permit ^$
!
interface Vlan916
ip address 10.29.1.21 255.255.255.248
!
interface Vlan581
ip address 10.255.80.28 255.255.255.240
!
router bgp 65021
bgp log-neighbor-changes
network 10.255.4.0 mask 255.255.255.0
neighbor 10.29.1.18 remote-as 65011
neighbor 10.29.1.18 filter-list 1 out
neighbor 10.255.80.29 remote-as 65021
maximum-paths eibgp 2
!
show ip bgp summary
show ip bgp summary
BGP router identifier 10.255.0.1, local AS number 65021
BGP table version is 40, main routing table version 40
7 network entries using 1008 bytes of memory
14 path entries using 1232 bytes of memory
3 multipath network entries and 6 multipath paths
6/3 BGP path/bestpath attribute entries using 1104 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 3392 total bytes of memory
BGP activity 14/7 prefixes, 48/34 paths, scan interval 60 secs
7 networks peaked at 18:09:33 Jun 22 2024 UTC (00:35:00.223 ago)
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.29.1.18 4 65011 19 27 40 0 0 00:15:10 3
10.255.80.29 4 65021 56 63 40 0 0 00:37:18 7
show ip route
cisco01#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
& - replicated local route overrides by connected
Gateway of last resort is 10.255.80.29 to network 0.0.0.0
B* 0.0.0.0/0 [20/0] via 10.255.80.29, 01:17:01
[20/0] via 10.29.1.18, 01:17:01
show ip bgp
show ip bgp
BGP table version is 40, local router ID is 10.255.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
t secondary path, L long-lived-stale,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*mi 0.0.0.0 10.255.80.29 0 100 0 65011 65001 i
*> 10.29.1.18 0 65011 65001 i
cisco02
! Multipath is disabled !
config
ip as-path access-list 1 permit ^$
!
interface Vlan581
ip address 10.255.80.29 255.255.255.240
!
interface Vlan917
ip address 10.29.1.5 255.255.255.248
!
router bgp 65021
bgp log-neighbor-changes
network 10.255.4.0 mask 255.255.255.0
neighbor 10.29.1.3 remote-as 65011
neighbor 10.29.1.3 filter-list 1 out
neighbor 10.255.80.28 remote-as 65021
!
show ip bgp summary
show ip bgp summary
BGP router identifier 10.255.0.2, local AS number 65021
BGP table version is 25, main routing table version 25
7 network entries using 1008 bytes of memory
14 path entries using 1232 bytes of memory
3 multipath network entries and 6 multipath paths
6/3 BGP path/bestpath attribute entries using 1104 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 3392 total bytes of memory
BGP activity 14/7 prefixes, 40/26 paths, scan interval 60 secs
7 networks peaked at 18:09:33 Jun 22 2024 UTC (00:38:23.699 ago)
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.29.1.3 4 65011 46 55 25 0 0 00:40:43 3
10.255.80.28 4 65021 67 60 25 0 0 00:40:41 7
show ip route
cisco02#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
& - replicated local route overrides by connected
Gateway of last resort is 10.255.80.28 to network 0.0.0.0
B* 0.0.0.0/0 [20/0] via 10.255.80.28, 01:17:49
[20/0] via 10.29.1.3, 01:17:49
EdgeRouter-X
edge01
config
set interfaces ethernet eth0 vif 916 address 10.29.1.18/29
set interfaces ethernet eth0 vif 997 address 10.255.2.8/28
set interfaces ethernet eth3 address 10.29.1.9/29
set interfaces loopback lo address 10.29.0.1/32
set protocols bgp 65011 neighbor 10.29.1.14 remote-as 65011
set protocols bgp 65011 neighbor 10.29.1.21 remote-as 65021
set protocols bgp 65011 neighbor 10.255.2.5 remote-as 65001
set protocols bgp 65011 network 10.29.0.1/32
set protocols bgp 65011 parameters log-neighbor-changes
set protocols bgp 65011 parameters router-id 10.29.0.1
show ip route
ubnt01:~$ show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
> - selected route, * - FIB route, p - stale info
IP Route Table for VRF "default"
B *> 0.0.0.0/0 [200/0] via 10.255.2.5, eth0.997, 01:05:15
B *> 10.29.0.2/32 [200/0] via 10.29.1.14, eth3, 01:15:12
B *> 10.255.4.0/24 [20/0] via 10.29.1.21, eth0.916, 01:05:19
edge02
config
set interfaces ethernet eth0 address 10.29.1.3/29
set interfaces ethernet eth0 vif 997 address 10.255.2.9/28
set interfaces ethernet eth3 address 10.29.1.14/29
set interfaces loopback lo address 10.29.0.2/32
set protocols bgp 65011 neighbor 10.29.1.5 remote-as 65021
set protocols bgp 65011 neighbor 10.29.1.9 remote-as 65011
set protocols bgp 65011 neighbor 10.255.2.5 remote-as 65001
set protocols bgp 65011 network 10.29.0.2/32
set protocols bgp 65011 parameters log-neighbor-changes
set protocols bgp 65011 parameters router-id 10.29.0.2
show ip route
ubnt02:~$ show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
> - selected route, * - FIB route, p - stale info
IP Route Table for VRF "default"
B *> 0.0.0.0/0 [20/0] via 10.255.2.5, eth0.997, 35w5d06h
B *> 10.29.0.1/32 [200/0] via 10.29.1.9, eth3, 01:06:30
B *> 10.255.4.0/24 [20/0] via 10.29.1.5, eth0, 35w5d06h
FortiGate
config
config system interface
edit "port1.997"
set vdom "root"
set ip 10.255.2.5 255.255.255.240
set interface "port1"
set vlanid 997
next
end
config router bgp
set as 65001
set router-id 10.255.2.5
set ebgp-multipath enable
config neighbor
edit "10.255.2.9"
set activate6 disable
set activate-vpnv4 disable
set capability-default-originate enable
set remote-as 65011
next
edit "10.255.2.8"
set activate6 disable
set activate-vpnv4 disable
set capability-default-originate enable
set remote-as 65011
next
end
end
get router info routing-table details
forti01 # get router info routing-table details
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
* - candidate default
Routing table for VRF=0
S* 0.0.0.0/0 [1/0] via 62.155.244.225, ppp2, [1/0]
B 10.255.4.0/24 [20/0] via 10.255.2.9, 00:00:06, [1/0]
[20/0] via 10.255.2.8, 00:00:06, [1/0]
Tests
traceroute -n 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 10.255.4.2 1.380 ms 1.345 ms 1.345 ms
2 10.255.80.29 1.136 ms 10.29.1.18 0.616 ms 10.255.80.29 1.079 ms
Changing the AS Numbers
After changing the AS numbers the two default routes no longer carry the same AS path (65012 65001 via cisco02 versus 65011 65001 via edge01), so bgp bestpath as-path multipath-relax is needed for both to be used as multipath; without it only the AS path length is equal, not the path itself.

Cisco01
router bgp 65021
bgp bestpath as-path multipath-relax
show ip route
show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
& - replicated local route overrides by connected
Gateway of last resort is 10.255.80.29 to network 0.0.0.0
B* 0.0.0.0/0 [20/0] via 10.255.80.29, 00:00:01
[20/0] via 10.29.1.18, 00:00:01
show ip bgp
show ip bgp
BGP table version is 52, local router ID is 10.255.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
t secondary path, L long-lived-stale,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*mi 0.0.0.0 10.255.80.29 0 100 0 65012 65001 i
*> 10.29.1.18 0 65011 65001 i
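To show why multipath-relax matters after the AS change, here is an added example (not part of the original post, and not Cisco code): a simplified model of the IOS bestpath and multipath comparison, fed with the two default routes from the cisco01 "show ip bgp" outputs above. The Path class, the attribute ranking and the multipath() function are my own simplification and only cover the attributes that matter in this lab; the eibgp flag stands in for "maximum-paths eibgp", which allows mixing eBGP and iBGP paths.

```python
"""Which BGP paths become multipath, with and without
'bgp bestpath as-path multipath-relax'?

Added example, not from the original post and not Cisco code: a reduced
model of the bestpath/multipath decision.  Sample paths are constructed
from the 'show ip bgp' outputs of cisco01 shown in the post."""
from dataclasses import dataclass


@dataclass
class Path:
    prefix: str
    next_hop: str
    as_path: tuple        # e.g. (65011, 65001); () for locally originated
    ebgp: bool            # False for iBGP-learned paths
    local_pref: int = 100
    weight: int = 0
    origin: int = 0       # 0 = IGP (i), 1 = EGP (e), 2 = incomplete (?)
    med: int = 0


def _rank(p: Path):
    # Standard order, reduced: higher weight, higher local-pref, shorter
    # AS path, lower origin, lower MED win; eBGP beats iBGP.  Lower = better.
    return (-p.weight, -p.local_pref, len(p.as_path), p.origin, p.med,
            0 if p.ebgp else 1)


def bestpath(paths):
    return min(paths, key=_rank)


def multipath(paths, relax=False, eibgp=True, max_paths=2):
    """Best path plus the extra paths that may be installed beside it
    (the '*m' entries in 'show ip bgp')."""
    best = bestpath(paths)
    chosen = [best]
    for p in sorted(paths, key=_rank):
        if p is best or len(chosen) >= max_paths:
            continue
        same_attrs = (p.weight == best.weight and p.local_pref == best.local_pref
                      and p.origin == best.origin and p.med == best.med)
        # Without multipath-relax the AS_PATH must be identical; with it,
        # only the length has to match.
        if relax:
            same_as_path = len(p.as_path) == len(best.as_path)
        else:
            same_as_path = p.as_path == best.as_path
        # 'maximum-paths eibgp' allows mixing eBGP and iBGP paths; plain
        # 'maximum-paths' would require the same session type.
        same_type = eibgp or p.ebgp == best.ebgp
        if same_attrs and same_as_path and same_type:
            chosen.append(p)
    return chosen


# Constructed from cisco01's table after the AS change (65012 vs 65011).
AFTER_AS_CHANGE = [
    Path("0.0.0.0/0", "10.255.80.29", (65012, 65001), ebgp=False),  # *mi via cisco02
    Path("0.0.0.0/0", "10.29.1.18", (65011, 65001), ebgp=True),     # *>  via edge01
]
# Constructed from cisco01's table before the change: both paths 65011 65001.
BEFORE_AS_CHANGE = [
    Path("0.0.0.0/0", "10.255.80.29", (65011, 65001), ebgp=False),
    Path("0.0.0.0/0", "10.29.1.18", (65011, 65001), ebgp=True),
]


def next_hops(paths, relax=False):
    """Sorted next hops that would be installed for the prefix."""
    return sorted(p.next_hop for p in multipath(paths, relax=relax))


if __name__ == "__main__":
    print("before AS change, no relax:", next_hops(BEFORE_AS_CHANGE))
    print("after AS change, no relax: ", next_hops(AFTER_AS_CHANGE))
    print("after AS change, relax:    ", next_hops(AFTER_AS_CHANGE, relax=True))
```

Before the AS change both paths are installed even without relax, because the AS paths are identical; after the change only the eBGP path via edge01 survives until multipath-relax turns the comparison into a length-only check, which is exactly the difference between the two "show ip route" outputs on cisco01.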

Optimizing route maps
cisco01
ip as-path access-list 1 permit ^$
!
ip prefix-list IBGP-IN seq 5 permit 0.0.0.0/0
!
ip prefix-list IBGP-OUT seq 5 permit 0.0.0.0/0
!
route-map IBGP-IN deny 10
match ip address prefix-list IBGP-IN
!
route-map IBGP-OUT permit 10
match ip address prefix-list IBGP-OUT
set local-preference 200
!
route-map IBGP-OUT permit 20
set ip next-hop self
!
router bgp 65021
bgp log-neighbor-changes
bgp bestpath as-path multipath-relax
network 10.255.0.1 mask 255.255.255.255
network 10.255.4.0 mask 255.255.255.0
network 10.255.80.0 mask 255.255.240.0
network 10.255.96.0 mask 255.255.240.0
network 10.255.112.0 mask 255.255.240.0
neighbor 10.29.1.18 remote-as 65011
neighbor 10.29.1.18 next-hop-self
neighbor 10.29.1.18 soft-reconfiguration inbound
neighbor 10.29.1.18 filter-list 1 out
neighbor 10.255.80.29 remote-as 65021
neighbor 10.255.80.29 next-hop-self
neighbor 10.255.80.29 soft-reconfiguration inbound
neighbor 10.255.80.29 route-map IBGP-OUT out
maximum-paths eibgp 2
show ip bgp neighbors 10.255.80.29 received-routes
show ip bgp neighbors 10.255.80.29 received-routes
BGP table version is 16, local router ID is 10.255.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
t secondary path, L long-lived-stale,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*mi 0.0.0.0 10.255.80.29 0 100 0 65012 65001 i
* i 10.29.0.1/32 10.255.80.29 0 100 0 65012 65011 i
*>i 10.29.0.2/32 10.255.80.29 0 100 0 65012 i
r>i 10.255.0.2/32 10.255.80.29 0 100 0 i
* i 10.255.4.0/24 10.255.80.29 0 100 0 i
* i 10.255.80.0/20 10.255.80.29 0 100 0 i
* i 10.255.96.0/20 10.255.80.29 0 100 0 i
* i 10.255.112.0/20 10.255.80.29 0 100 0 i
Total number of prefixes 8
show ip bgp
show ip bgp
BGP table version is 16, local router ID is 10.255.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
t secondary path, L long-lived-stale,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*mi 0.0.0.0 10.255.80.29 0 100 0 65012 65001 i
*> 10.29.1.18 0 65011 65001 i
show ip route
show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
& - replicated local route overrides by connected
Gateway of last resort is 10.255.80.29 to network 0.0.0.0
B* 0.0.0.0/0 [20/0] via 10.255.80.29, 00:17:25
[20/0] via 10.29.1.18, 00:17:25
cisco02
ip as-path access-list 1 permit ^$
!
ip prefix-list IBGP-IN seq 5 permit 0.0.0.0/0
!
ip prefix-list IBGP-OUT seq 5 permit 0.0.0.0/0
!
route-map IBGP-IN deny 10
match ip address prefix-list IBGP-IN
!
route-map IBGP-OUT permit 10
match ip address prefix-list IBGP-OUT
set local-preference 100
!
route-map IBGP-OUT permit 20
set ip next-hop self
!
router bgp 65021
bgp log-neighbor-changes
network 10.255.0.2 mask 255.255.255.255
network 10.255.4.0 mask 255.255.255.0
network 10.255.80.0 mask 255.255.240.0
network 10.255.96.0 mask 255.255.240.0
network 10.255.112.0 mask 255.255.240.0
neighbor 10.29.1.3 remote-as 65012
neighbor 10.29.1.3 next-hop-self
neighbor 10.29.1.3 soft-reconfiguration inbound
neighbor 10.29.1.3 filter-list 1 out
neighbor 10.255.80.28 remote-as 65021
neighbor 10.255.80.28 next-hop-self
neighbor 10.255.80.28 soft-reconfiguration inbound
neighbor 10.255.80.28 route-map IBGP-IN in
neighbor 10.255.80.28 route-map IBGP-OUT out
show ip bgp neighbors 10.255.80.28 received-routes
show ip bgp neighbors 10.255.80.28 received-routes
BGP table version is 43, local router ID is 10.255.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
t secondary path, L long-lived-stale,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*>i 0.0.0.0 10.255.80.28 0 200 0 65011 65001 i
show ip route
cisco02#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
& - replicated local route overrides by connected
Gateway of last resort is 10.255.80.28 to network 0.0.0.0
B* 0.0.0.0/0 [20/0] via 10.29.1.3, 00:16:50

BGP: Prevent becoming a Transit AS
The solution at hand is a filter-list with an AS-PATH access-list on the provider BGP session, so that only prefixes originated in the local AS are sent out. Another solution is the no-export community.
Filter-list with AS-PATH access-list
R1(config)#ip as-path access-list 1 permit ^$
R1(config-router)#neighbor 192.168.12.2 filter-list 1 out
No-Export Community
R1(config)#route-map NO-EXPORT
R1(config-route-map)#set community no-export
R1(config)#router bgp 1
R1(config-router)#neighbor 192.168.12.2 route-map NO-EXPORT in
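To check what the two mechanisms actually stop, here is an added example (not part of the original post, and not Cisco code) that emulates an IOS as-path access-list and the NO_EXPORT community on the outbound side of a session. It is run over prefixes constructed from cisco01's BGP table shown above. The Route class, ios_aspath_regex(), permitted_by_filter_list() and advertise() are my own; the regex translation only handles the IOS "_" metacharacter, which is enough for the patterns used here.

```python
"""Does 'ip as-path access-list 1 permit ^$' (outbound filter-list) keep a
router from becoming a transit AS, and how does NO_EXPORT compare?

Added example, not from the original post and not Cisco code.  An empty
AS_PATH means 'originated in our own AS'; anything else was learned from
another AS and must not be re-advertised to the provider."""
import re
from dataclasses import dataclass, field


def ios_aspath_regex(pattern: str) -> re.Pattern:
    """Translate the IOS as-path regex dialect to Python: '_' matches the
    start or end of the path, a space, a comma, a brace or a parenthesis."""
    return re.compile(pattern.replace("_", r"(?:^|$|[ ,{}()])"))


@dataclass
class Route:
    prefix: str
    as_path: tuple = ()                       # () = locally originated
    communities: set = field(default_factory=set)


def as_path_str(r: Route) -> str:
    return " ".join(str(asn) for asn in r.as_path)


def permitted_by_filter_list(route: Route, acl) -> bool:
    """acl: list of (action, pattern) entries as in
    'ip as-path access-list N <action> <pattern>'.
    First matching entry wins; implicit deny at the end, as on IOS."""
    text = as_path_str(route)
    for action, pattern in acl:
        if ios_aspath_regex(pattern).search(text):
            return action == "permit"
    return False


def advertise(routes, peer_is_ebgp: bool, acl=None):
    """Prefixes that would be announced to a peer.  Two mechanisms from the
    post: an outbound filter-list (acl) and the well-known NO_EXPORT
    community, which BGP honours by itself: tagged routes are never sent to
    eBGP peers but still go to iBGP peers."""
    out = []
    for r in routes:
        if peer_is_ebgp and "no-export" in r.communities:
            continue
        if acl is not None and not permitted_by_filter_list(r, acl):
            continue
        out.append(r.prefix)
    return out


# Constructed from cisco01's 'show ip bgp' / received-routes in the post.
CISCO01_TABLE = [
    Route("0.0.0.0/0", (65011, 65001)),       # default from the provider
    Route("10.29.0.1/32", (65012, 65011)),    # learned via cisco02 / edge02
    Route("10.29.0.2/32", (65012,)),
    Route("10.255.0.1/32"), Route("10.255.0.2/32"), Route("10.255.4.0/24"),
    Route("10.255.80.0/20"), Route("10.255.96.0/20"), Route("10.255.112.0/20"),
]
ACL_1 = [("permit", "^$")]                   # ip as-path access-list 1 permit ^$


def to_provider_without_filter():
    return advertise(CISCO01_TABLE, peer_is_ebgp=True)


def to_provider_with_filter():
    return advertise(CISCO01_TABLE, peer_is_ebgp=True, acl=ACL_1)


def to_provider_with_no_export():
    # The post's alternative: tag what was learned from other ASes with
    # no-export on ingress (route-map NO-EXPORT in).  Here 'learned from
    # another AS' is approximated as 'non-empty AS_PATH'.
    tagged = [Route(r.prefix, r.as_path, {"no-export"} if r.as_path else set())
              for r in CISCO01_TABLE]
    return advertise(tagged, peer_is_ebgp=True)


def to_ibgp_neighbor():
    # The filter-list is only bound to the provider session; cisco02 gets
    # the full table over iBGP in both variants.
    return advertise(CISCO01_TABLE, peer_is_ebgp=False)


if __name__ == "__main__":
    print("no filter:   ", to_provider_without_filter())
    print("filter-list: ", to_provider_with_filter())
    print("no-export:   ", to_provider_with_no_export())
    print("to iBGP peer:", to_ibgp_neighbor())
```

Without the filter the router would hand the provider's own default and the edge02 loopbacks back to the provider, i.e. offer transit; with "permit ^$" only the six locally originated prefixes leave, and the no-export variant ends up with the same list while still propagating everything to the iBGP neighbor.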
Links
- https://networklessons.com/bgp/bgp-prevent-transit-as
- https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13762-40.html
- https://www.cisco.com/c/en/us/td/docs/ios/12_2sx/feature/guide/fsxeibmp.html
- CISCO Dreamer
- https://blog.ipspace.net/tag/bgp.html
- https://bgplabs.net/lb/1-ebgp/

