Re: OT: PFR Internet Inbound/Outbound LB

From: Tony Singh <mothafungla_at_gmail.com>
Date: Fri, 14 Feb 2014 00:43:37 +0000

Border           Status   UP/DOWN             AuthFail  Version  DOWN Reason
172.31.255.14    INACTIVE DOWN                       0  3.1

That's not good for a start. Second, why are your customer routes in the same routing table? Sounds like you have no security policies, tut tut.

Can you post

show pfr master
show pfr master traffic-class
sh run | s key-chain

on both BRs.

Is the GRE tunnel up/up between the BRs?

The major number (3.) must match between your MC and BR; the minor (.1) on the MC must be greater than or equal to the BR's minor version.

For the echo probe you don't need ip sla responder; for the other tcp-connect operations you do, on the remote side.

--
BR
Tony
> On 13 Feb 2014, at 13:46, Mohammad Moghaddas <moghaddas.it_at_gmail.com> wrote:
> 
> Hi.
> 
> I hope you are all doing well, and I'm sorry for posting such a long OT.
> Straight to the issue, we have one 7609S whose IOS is 15.1(3)S. I
> should note that this is an ISP environment and this router has 15 private IX
> peers, and 5 Exit links.
> I've configured the router to be MC and BR at the same time, 1 Internal
> interface, and 5 External interfaces.
> Each exit link has specific customers, we have separated each link's
> customers using ACL. When customer's TX traffic reaches the Internal
> interface, they are routed using PBR (default next-hop) to their specific
> exit link. Also these ACLs are referenced in a route-map assigned to each
> exit BGP peer, so we only advertise the customers to their specific exit
> BGP peer.
> We have categorized our BGP peers in 3 template peer-policy.
> 
> *The issue is that, I see PFR configuring /30 STATIC routes to exit links
> (it should be /24), and much more important for me, no inbound optimization
> is happening.*
> 
> Below you will find some partial logging plus the configurations.
> And I'm again sorry for such a long post.
> 
> Feb 13 16:41:43: %OER_MC-5-NOTICE: Uncontrol Prefix 85.133.140.168/30,
> Couldn't find the best exit
> Feb 13 16:41:43: %OER_MC-5-NOTICE: Uncontrol Prefix 85.133.140.168/30,
> Couldn't choose exit in prefix timeout
> Feb 13 16:41:43: %OER_MC-5-NOTICE: Range Entrance OOP BR 172.31.255.14, i/f
> Tu108, percent 100. Other BR 172.31.255.14, i/f Gi8/0/0 percent 15
> Feb 13 16:41:43: %OER_MC-5-NOTICE: Load Entrance OOP BR 172.31.255.14, i/f
> Tu108,  load 33000 policy 31350
> Feb 13 16:41:43: %OER_MC-5-NOTICE: Entrance 172.31.255.14 intf Tu108 OOP,
> Tx BW 24, Rx BW 33000, Tx Load 0, Rx Load 100
> Feb 13 16:41:43: %OER_MC-5-NOTICE: Uncontrol Prefix 220.98.114.8/30,
> Couldn't find the best exit
> Feb 13 16:41:43: %OER_MC-5-NOTICE: Uncontrol Prefix 220.98.114.8/30,
> Couldn't choose exit in prefix timeout
> Feb 13 16:41:46: %OER_MC-5-NOTICE: Uncontrol Prefix 217.169.166.40/30,
> Couldn't choose exit in prefix timeout
> Feb 13 16:41:48: %OER_MC-5-NOTICE: Route changed Prefix 188.253.53.96/30,
> BR 172.31.255.14, i/f Gi8/0/0, Reason Utilization, OOP Reason Timer Expired
> 
> route-map CHNG_GW permit 10
> description ***CUST1 through EXIT1***
> match ip address CUST1
> set ip default next-hop 10.30.148.169
> route-map CHNG_GW permit 11
> description ****CUST2 through EXIT2****
> match ip address CUST2
> set ip default next-hop 172.16.108.2
> route-map CHNG_GW permit 12
> description ****CUST3 through EXIT3****
> match ip address CUST3
> set ip default next-hop 172.16.101.2
> route-map CHNG_GW permit 13
> description ****CUST4 through EXIT2****
> match ip address CUST4
> 
> !! All other customers are routed using the PRIMARY default route. !!
> 
> ip route 0.0.0.0 0.0.0.0 192.168.64.1 name PRIMARY
> ip route 0.0.0.0 0.0.0.0 10.30.148.169 5 name PFR
> ip route 0.0.0.0 0.0.0.0 172.16.101.2 6 name PFR
> ip route 0.0.0.0 0.0.0.0 172.16.105.2 7 name PFR
> ip route 0.0.0.0 0.0.0.0 172.16.108.2 8 name PFR
> 
> template peer-policy CUST_BGP
>  route-map BGP_CUST_NO-OUT out
>  default-originate
>  soft-reconfiguration inbound
>  send-community both
> exit-peer-policy
> !
> template peer-policy BW_UPLINKS
>  prefix-list ISP_IX-in in
>  next-hop-self all
>  soft-reconfiguration inbound
>  send-community both
> exit-peer-policy
> !
> template peer-policy IX
>  route-map IX_BGP-OUT out
>  prefix-list ISP_IX-in in
>  next-hop-self all
>  soft-reconfiguration inbound
>  send-community both
> 
> pfr master
> policy-rules PFR_BGP
> max-range-utilization percent 80
> logging
> !
> border 172.31.255.14 key-chain OER
>  interface GigabitEthernet8/0/0 external
>   max-xmit-utilization percentage 95
>   maximum utilization receive percentage 95
>  interface Tunnel101 external
>   max-xmit-utilization percentage 95
>   maximum utilization receive percentage 95
>  interface Tunnel108 external
>   max-xmit-utilization percentage 95
>   maximum utilization receive percentage 95
>  interface Tunnel105 external
>   max-xmit-utilization percentage 95
>   maximum utilization receive percentage 95
>  interface POS8/1/0 external
>   max-xmit-utilization percentage 95
>   maximum utilization receive percentage 95
>  interface GigabitEthernet5/1 internal
> !
> learn
>  throughput
>  inside bgp
>  periodic-interval 0
>  monitor-period 1
>  prefixes 200 applications 200
>  expire after time 30
> max range receive percent 80
> backoff 150 150
> mode route control
> mode monitor fast
> periodic 150
> no resolve delay
> no resolve range
> !
> active-probe tcp-conn 216.239.32.20 target-port 80
> active-probe tcp-conn 216.239.32.20 target-port 443
> active-probe echo 4.2.2.4
> active-probe echo 8.8.8.8
> active-probe tcp-conn 173.194.34.53 target-port 443
> active-probe tcp-conn 46.228.47.114 target-port 80
> active-probe echo 4.2.2.1
> active-probe echo 8.8.4.4
> active-probe echo 4.2.2.2
> pfr border
> local Loopback17231255
> master 172.31.255.14 key-chain OER
> active-probe address source interface GigabitEthernet5/1
> pfr-map PFR_BGP 10
> match pfr learn inside
> set mode route control
> set mode monitor passive
> set resolve utilization priority 1 variance 10
> no set resolve delay
> no set resolve range
> 
> show pfr master:
> OER state: ENABLED and INACTIVE
>  Conn Status: SUCCESS, PORT: 3949
>  Version: 3.1
>  Number of Border routers: 1
>  Number of Exits: 5
>  Number of monitored prefixes: 0 (max 5000)
>  Max prefixes: total 5000 learn 2500
>  Prefix count: total 0, learn 0, cfg 0
>  PBR Requirements met
>  Nbar Status: Inactive
> 
> Border           Status   UP/DOWN             AuthFail  Version  DOWN Reason
> 172.31.255.14    INACTIVE DOWN                       0  3.1
> 
> OER master in special monitor mode
> 
> Global Settings:
>  max-range-utilization percent 80 recv 80
>  rsvp post-dial-delay 0 signaling-retries 1
>  mode route metric bgp local-pref 5000
>  mode route metric static tag 5000
>  trace probe delay 1000
>  logging
>  exit holddown time 60 secs, time remaining 0
> 
> Default Policy Settings:
>  backoff 150 150 150
>  delay relative 50
>  holddown 300
>  periodic 150
>  probe frequency 56
>  number of jitter probe packets 100
>  mode route control
>  mode monitor fast
>  mode select-exit good
>  loss relative 10
>  jitter threshold 20
>  mos threshold 3.60 percent 30
>  unreachable relative 50
>  resolve utilization priority 13 variance 20
> 
> Learn Settings:
>  current state : DISABLED
>  time remaining in current state : 0 seconds
>  throughput
>  no delay
>  inside bgp
>  monitor-period 5
>  periodic-interval 5
>  aggregation-type prefix-length 24
>  prefixes 200 appls 200
>  expire after time 30
> 
> 
> show pfr master policy:
> HT-CoreRT(config-pfr-mc)#do s pfr mas pol
> Default Policy Settings:
>  backoff 150 150 150
>  delay relative 50
>  holddown 300
>  periodic 150
>  probe frequency 56
>  number of jitter probe packets 100
>  mode route control
>  mode monitor fast
>  mode select-exit good
>  loss relative 10
>  jitter threshold 20
>  mos threshold 3.60 percent 30
>  unreachable relative 50
>  resolve utilization priority 13 variance 20
> oer-map PFR_BGP 10
>  sequence no. 8444249301975040, provider id 1, provider priority 30
>    host priority 0, policy priority 10, Session id 0
>  match oer learn inside
>  backoff 150 150 150
>  delay relative 50
>  holddown 300
>  periodic 150
>  probe frequency 56
>  number of jitter probe packets 100
> *mode route control
> *mode monitor passive
>  mode select-exit good
>  loss relative 10
>  jitter threshold 20
>  mos threshold 3.60 percent 30
>  unreachable relative 50
>  next-hop not set
>  forwarding interface not set
> *resolve utilization priority 1 variance 10
> 
> Best Regards,
> *Mohammad Moghaddas*
> 
> 
> Blogs and organic groups at http://www.ccie.net
> 
> _______________________________________________________________________
> Subscription information may be found at: 
> http://www.groupstudy.com/list/CCIELab.html
Received on Fri Feb 14 2014 - 00:43:37 ART
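
The checks the reply asks for can be run mechanically over `show pfr master` output. The following is an added example, not part of the original thread: it parses the border table, flags a border that is not ACTIVE/UP or that shows a non-zero AuthFail count, and applies the version rule stated in the reply (same major, MC minor greater than or equal to BR minor). The function names, and the assumption that a healthy row reads ACTIVE/UP with an uptime column before AuthFail, are mine.

```python
import re

IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}$")
VERSION = re.compile(r"\d+\.\d+")

# Excerpt of the `show pfr master` output quoted in the thread.
SAMPLE = """\
OER state: ENABLED and INACTIVE
 Conn Status: SUCCESS, PORT: 3949
 Version: 3.1
Border           Status   UP/DOWN             AuthFail  Version  DOWN Reason
172.31.255.14    INACTIVE DOWN                       0  3.1
"""

def parse(output):
    """Return (MC version, list of border rows) from `show pfr master` text."""
    mc_version, borders = None, []
    for line in output.splitlines():
        tok = line.split()
        if len(tok) == 2 and tok[0] == "Version:":
            mc_version = tok[1]
        elif tok and IPV4.match(tok[0]):
            # AuthFail is the integer directly before the x.y version field;
            # an uptime column may sit between UP/DOWN and AuthFail (assumption).
            for i in range(3, len(tok) - 1):
                if tok[i].isdigit() and VERSION.fullmatch(tok[i + 1]):
                    borders.append({"ip": tok[0], "status": tok[1], "updown": tok[2],
                                    "authfail": int(tok[i]), "version": tok[i + 1]})
                    break
    return mc_version, borders

def compatible(mc, br):
    """Rule from the reply: majors equal, MC minor >= BR minor."""
    mc_major, mc_minor = map(int, mc.split("."))
    br_major, br_minor = map(int, br.split("."))
    return mc_major == br_major and mc_minor >= br_minor

def findings(output):
    """List human-readable problems found in the border table."""
    mc, borders = parse(output)
    out = []
    for b in borders:
        if (b["status"], b["updown"]) != ("ACTIVE", "UP"):
            out.append(f'{b["ip"]}: border is {b["status"]}/{b["updown"]}')
        if b["authfail"] > 0:
            out.append(f'{b["ip"]}: {b["authfail"]} authentication failures')
        if mc and not compatible(mc, b["version"]):
            out.append(f'{b["ip"]}: BR version {b["version"]} incompatible with MC {mc}')
    return out

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE)))
```

On the output from this thread the only finding is the INACTIVE/DOWN border: AuthFail is 0 and both sides report 3.1, so neither authentication nor the version pairing is flagged.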
