topic RE: Limiting inbound BGP routes in ExtremeSwitching (EXOS/Switch Engine)

Limiting inbound BGP routes

Frank — Thu, 19 Feb 2015 19:17:00 GMT

Hello,

I'm multihomed with several upstream providers over two 480s and get full BGP routes from them. Both 480s are connected to two "core" 8806s that then connect to a bunch of 460s.
The 8806s are the default routers for all of our customers' public IP ranges.

I want to at least "pre-sort" Internet-bound traffic on the 8806s, so that they send the traffic to the right 480, so the 8806s are BGP neighbors to the 480s.

Now, the 8806s with the cards I have aren't necessarily designed to handle full BGP routes in fastpath, so I probably should somehow limit the BGP routes they receive from the 480s. My idea here was to only accept routes to networks that are a /16 or bigger (I may have to adjust the size). That way, I think, I at least pre-sort some of the traffic to the right outbound router, understanding that some traffic will still go from router1 to router2 out to the Internet - and as last resort, there's always the default route 😉

If I use the following policy inbound on the 8806s, would that properly limit my BGP routes on the 8806s to "only blocks from a /0 to /16" (or rather: denying /17 and larger masks, allowing the rest)? And yes, I'd play a similar game with ipv6.

Will the policy work as expected? Is there a better way?

configure bgp neigh 1.2.3.4 route-policy in NoSmallBlocks

File: NoSmallBlocks.pol

entry DenySmallBlocks {
if match any {
nlri any/17;
nlri any-ipv6/33;
} then { deny; }
}
entry AllowRest {
if {
} then { allow; }
}

Thanks for all your help!
Frank

RE: Limiting inbound BGP routes

PARTHIBAN_CHINN — Thu, 19 Feb 2015 19:28:00 GMT

Who is your service provider AT&T and sprint add route policy by default. In 2 x480 with ibgp peers and each one having Ebgp neighbour to service provider you can add an outbound policy allowing only the lab subnets and deny rest . By doing this we are just blocking a possible transit autonomous loop . Also make sure for Bgp to run properly use 15.x version

RE: Limiting inbound BGP routes

Frank — Thu, 19 Feb 2015 19:38:00 GMT

I do not want to limit the routes on the 480s, which are the edge/egress routers. I want them to have the full route set (well, as full as I can get without blowing up the 480s, given that the current ipv4 routes exceed the limits on most routers out there  )

This is only to pre-sort outbound traffic that passes through the 8806s. I want to minimize the 8806s sending traffic to the "wrong" 480, as well as actually actively sending traffic to both 480s (and not just the one that currently holds the VRRP IP)

RE: Limiting inbound BGP routes

PARTHIBAN_CHINN — Thu, 19 Feb 2015 21:39:00 GMT

Could you show the topology We can confirm the policy with the topology

RE: Limiting inbound BGP routes

Frank — Thu, 19 Feb 2015 22:37:00 GMT

Basic quick-and-dirty picture. Customers are connected on ports on the 460s, 8800s' VRRP IP address as their default gateway, each customer in their own vlan.

RE: Limiting inbound BGP routes

Stephane_Grosj1 — Fri, 20 Feb 2015 06:54:00 GMT

Hi,

One of the cool thing with Extreme, is that you can have VM to test. I believe you can have the VM from xKit, otherwise ask your local team.

Your policy will match traffic with a mask of /17 or longer (for IPv4). You cannot mix IPv4 with IPv6, so you'd need to have a separate policy for IPv6.

I'd replace the "allow" term by "permit".

RE: Limiting inbound BGP routes

Frank — Fri, 20 Feb 2015 06:54:00 GMT

Of course, you're right. "permit" is the word. That would've taken me eons to find!
Also "if match" needs to be just an "if"

And thanks for the VM tip. I wasn't aware of the xkit website and all its goodies (like the Android client). Gottago-gottaplay 🙂

And now off to testing this mess 😉

RE: Limiting inbound BGP routes

Stephane_Grosj1 — Fri, 20 Feb 2015 06:54:00 GMT

"if" alone should default to "if match all", so a logical AND between your various match conditions, while "if match any" is a logical OR. Of course, with only one match condition, it doesn't really matter.

You can experiment all of this (BGP, routing policies, etc) with the VM, on your laptop, without the fear to make a mistake.

I believe everything that is "control plane" related is working just fine with VM, but when it comes to the data plane, not every features has been software-emulated. So you might experience issues with some features while it would work fine on real switches (VPLS is one example). The VMs are free, this is not a product, just a training tool. But a very good one, I use them everyday.

In my experience, BGP and Routing Policies work great.

RE: Limiting inbound BGP routes

Manoharan__Sent — Mon, 27 Jul 2015 16:14:00 GMT

You may create a default route from bd8K to X480,then you can configure max prefix to X480 peer.
Check the h/w limit of BD8K & also check for both BGP4 & BGP6 max supported unique & non-unique routes.
Then configure max prefix for IPV4 & IPV6 peers.