Re: OT: PFR Internet Inbound/Outbound LB

From: Mohammad Moghaddas <moghaddas.it_at_gmail.com>
Date: Fri, 14 Feb 2014 11:17:22 +0330

Dear Tony,

Thanks for responding.
The DOWN status is because I pasted the info after shutting PFR
down.
All the traffic is pure internet (all the exits), and as I mentioned
before, using PBR customers are routed through different exits, but when
one exit becomes unavailable, EEM changes the configuration (ip sla+track).
So there was no need to separate them in different VRFs.
There is no ip sla responder; the tcp-connect probes are checking google,
yahoo, etc. on port 80 from different exits.
Inbound Internet optimization is the most important part for me. I know
that PFR should prepend the AS-PATH to change the entrance, but it is not
behaving so. It is only doing STATIC routes, which affect Outbound traffic.
I should note that I've tried removing the PBR and also route-maps assigned
to Exit BGP peers, but nothing changed. I think my first post has more
complete info for you than this one.
I've "no shut" pfr and you can find the relevant info below:

show pfr master:
OER state: ENABLED and ACTIVE
  Conn Status: SUCCESS, PORT: 3949
  Version: 3.1
  Number of Border routers: 1
  Number of Exits: 5
  Number of monitored prefixes: 290 (max 5000)
  Max prefixes: total 5000 learn 2500
  Prefix count: total 290, learn 290, cfg 0
  PBR Requirements met
  Nbar Status: Inactive

Border           Status    UP/DOWN          AuthFail  Version  DOWN Reason
172.31.255.14    ACTIVE    UP    00:07:31          0  3.1

OER master in special monitor mode
......

!

show pfr border active-p
.....
Type   Target           TPort  Source         Interface  Att  Comps  DSCP
echo   213.79.125.122   N      188.75.64.21   PO8/1/0    1    1      0
echo   213.79.125.122   N      188.75.64.21   Tu108      1    0      0
echo   213.79.125.122   N      188.75.64.21   Tu101      1    1      0
echo   213.79.125.122   N      188.75.64.21   Gi8/0/0    1    1      0
echo   213.79.125.122   N      188.75.64.21   Tu105      1    1      0
......
!

show pfr master traffi
....
--------------------------------------------------------------------------------
37.32.34.0/24             N    N    N           N           N N
               # INPOLICY       @5    172.31.255.14 PO8/1/0      STATIC
        U        U        0        0    10420    10557       11        9
       13       11        0        0        N        N        N        N

94.101.185.0/24           N    N    N           N           N N
               # INPOLICY      @21    172.31.255.14 Gi8/0/0      STATIC
        U        U        0        0     4077     5430       17       15
       12       13        0        0        N        N        N        N

94.201.94.128/30          N    N    N           N           N N
               # DEFAULT*      @25    172.31.255.14 Tu105        U
      313      313        0        0   102311    96658       57        0
        U        U  1000000  1000000        N        N        N        N

176.9.63.104/30           N    N    N           N           N N
               # INPOLICY      @42    172.31.255.14 PO8/1/0      STATIC
        U        U        0        0        0        0        0        0
      132      132        0        0        N        N        N        N

178.32.55.52/30           N    N    N           N           N N
               # HOLDDOWN     @155    172.31.255.14 Gi8/0/0      STATIC
        U        U        0        0        0        0        1        1
      131      131        0        0        N        N        N        N
.....
!

show pfr master traffi inside
....
--------------------------------------------------------------------------------
x.x.64.0/18               N    N    N           N           N N
                          DEFAULT*        0        U        U

x.x.112.0/23              N    N    N           N           N N
                          DEFAULT*        0        U        U

x.x.114.0/23              N    N    N           N           N N
                          DEFAULT*        0        U        U

x.x.76.0/23               N    N    N           N           N N
                          DEFAULT*        0        U        U

Best Regards,
*Mohammad Moghaddas*

On Fri, Feb 14, 2014 at 4:13 AM, Tony Singh <mothafungla_at_gmail.com> wrote:

>
>
> Border           Status    UP/DOWN  AuthFail  Version  DOWN Reason
> 172.31.255.14    INACTIVE  DOWN            0  3.1
>
> That's not good for a start. Second, why are your customer routes in the
> same routing table? Sounds like you have no security policies, tut tut.
>
> Can you post
>
> show pfr master
> show pfr master traffic-class
> sh run | s key-chain
>
> On both BRs
>
> Is the GRE tunnel up/up between the BRs?
>
> The major 3. number must match between your MC and BR; the minor .1 on MC
> must be greater than or equal to the BR's minor version.
>
> For echo probe you don't need ip sla responder; for the other tcp-connect
> operations you do, on the remote side.
>
> --
> BR
>
> Tony
>
> > On 13 Feb 2014, at 13:46, Mohammad Moghaddas <moghaddas.it_at_gmail.com> wrote:
> >
> > Hi.
> >
> > I hope you are all doing well, and I'm sorry for posting such a long OT.
> > Straight to the issue, we have one 7609S whose IOS is 15.1(3)S. I
> > should note that this is an ISP environment and this router has 15 private
> > IX peers, and 5 Exit links.
> > I've configured the router as MC and BR at the same time, with 1 Internal
> > interface and 5 External interfaces.
> > Each exit link has specific customers; we have separated each link's
> > customers using ACLs. When customers' TX traffic reaches the Internal
> > interface, they are routed using PBR (default next-hop) to their specific
> > exit link. Also these ACLs are referenced in a route-map assigned to each
> > exit BGP peer, so we only advertise the customers to their specific exit
> > BGP peer.
> > We have categorized our BGP peers into 3 peer-policy templates.
> >
> > *The issue is that I see PFR configuring /30 STATIC routes to exit links
> > (it should be /24), and much more important for me, no inbound optimization
> > is happening.*
> >
> > Below you will find some partial logging plus the configurations.
> > And I'm again sorry for such a long post.
> >
> > Feb 13 16:41:43: %OER_MC-5-NOTICE: Uncontrol Prefix 85.133.140.168/30, Couldn't find the best exit
> > Feb 13 16:41:43: %OER_MC-5-NOTICE: Uncontrol Prefix 85.133.140.168/30, Couldn't choose exit in prefix timeout
> > Feb 13 16:41:43: %OER_MC-5-NOTICE: Range Entrance OOP BR 172.31.255.14, i/f Tu108, percent 100. Other BR 172.31.255.14, i/f Gi8/0/0 percent 15
> > Feb 13 16:41:43: %OER_MC-5-NOTICE: Load Entrance OOP BR 172.31.255.14, i/f Tu108, load 33000 policy 31350
> > Feb 13 16:41:43: %OER_MC-5-NOTICE: Entrance 172.31.255.14 intf Tu108 OOP, Tx BW 24, Rx BW 33000, Tx Load 0, Rx Load 100
> > Feb 13 16:41:43: %OER_MC-5-NOTICE: Uncontrol Prefix 220.98.114.8/30, Couldn't find the best exit
> > Feb 13 16:41:43: %OER_MC-5-NOTICE: Uncontrol Prefix 220.98.114.8/30, Couldn't choose exit in prefix timeout
> > Feb 13 16:41:46: %OER_MC-5-NOTICE: Uncontrol Prefix 217.169.166.40/30, Couldn't choose exit in prefix timeout
> > Feb 13 16:41:48: %OER_MC-5-NOTICE: Route changed Prefix 188.253.53.96/30, BR 172.31.255.14, i/f Gi8/0/0, Reason Utilization, OOP Reason Timer Expired
> >
> > route-map CHNG_GW permit 10
> > description ***CUST1 through EXIT1***
> > match ip address CUST1
> > set ip default next-hop 10.30.148.169
> > route-map CHNG_GW permit 11
> > description ****CUST2 through EXIT2****
> > match ip address CUST2
> > set ip default next-hop 172.16.108.2
> > route-map CHNG_GW permit 12
> > description ****CUST3 through EXIT3****
> > match ip address CUST3
> > set ip default next-hop 172.16.101.2
> > route-map CHNG_GW permit 13
> > description ****CUST4 through EXIT2****
> > match ip address CUST4
> >
> > !! All other customers are routed using the PRIMARY default route. !!
> >
> > ip route 0.0.0.0 0.0.0.0 192.168.64.1 name PRIMARY
> > ip route 0.0.0.0 0.0.0.0 10.30.148.169 5 name PFR
> > ip route 0.0.0.0 0.0.0.0 172.16.101.2 6 name PFR
> > ip route 0.0.0.0 0.0.0.0 172.16.105.2 7 name PFR
> > ip route 0.0.0.0 0.0.0.0 172.16.108.2 8 name PFR
> >
> > template peer-policy CUST_BGP
> > route-map BGP_CUST_NO-OUT out
> > default-originate
> > soft-reconfiguration inbound
> > send-community both
> > exit-peer-policy
> > !
> > template peer-policy BW_UPLINKS
> > prefix-list ISP_IX-in in
> > next-hop-self all
> > soft-reconfiguration inbound
> > send-community both
> > exit-peer-policy
> > !
> > template peer-policy IX
> > route-map IX_BGP-OUT out
> > prefix-list ISP_IX-in in
> > next-hop-self all
> > soft-reconfiguration inbound
> > send-community both
> >
> > pfr master
> > policy-rules PFR_BGP
> > max-range-utilization percent 80
> > logging
> > !
> > border 172.31.255.14 key-chain OER
> > interface GigabitEthernet8/0/0 external
> > max-xmit-utilization percentage 95
> > maximum utilization receive percentage 95
> > interface Tunnel101 external
> > max-xmit-utilization percentage 95
> > maximum utilization receive percentage 95
> > interface Tunnel108 external
> > max-xmit-utilization percentage 95
> > maximum utilization receive percentage 95
> > interface Tunnel105 external
> > max-xmit-utilization percentage 95
> > maximum utilization receive percentage 95
> > interface POS8/1/0 external
> > max-xmit-utilization percentage 95
> > maximum utilization receive percentage 95
> > interface GigabitEthernet5/1 internal
> > !
> > learn
> > throughput
> > inside bgp
> > periodic-interval 0
> > monitor-period 1
> > prefixes 200 applications 200
> > expire after time 30
> > max range receive percent 80
> > backoff 150 150
> > mode route control
> > mode monitor fast
> > periodic 150
> > no resolve delay
> > no resolve range
> > !
> > active-probe tcp-conn 216.239.32.20 target-port 80
> > active-probe tcp-conn 216.239.32.20 target-port 443
> > active-probe echo 4.2.2.4
> > active-probe echo 8.8.8.8
> > active-probe tcp-conn 173.194.34.53 target-port 443
> > active-probe tcp-conn 46.228.47.114 target-port 80
> > active-probe echo 4.2.2.1
> > active-probe echo 8.8.4.4
> > active-probe echo 4.2.2.2
> > pfr border
> > local Loopback17231255
> > master 172.31.255.14 key-chain OER
> > active-probe address source interface GigabitEthernet5/1
> > pfr-map PFR_BGP 10
> > match pfr learn inside
> > set mode route control
> > set mode monitor passive
> > set resolve utilization priority 1 variance 10
> > no set resolve delay
> > no set resolve range
> >
> > show pfr master:
> > OER state: ENABLED and INACTIVE
> > Conn Status: SUCCESS, PORT: 3949
> > Version: 3.1
> > Number of Border routers: 1
> > Number of Exits: 5
> > Number of monitored prefixes: 0 (max 5000)
> > Max prefixes: total 5000 learn 2500
> > Prefix count: total 0, learn 0, cfg 0
> > PBR Requirements met
> > Nbar Status: Inactive
> >
> > Border           Status    UP/DOWN  AuthFail  Version  DOWN Reason
> > 172.31.255.14    INACTIVE  DOWN            0  3.1
> >
> > OER master in special monitor mode
> >
> > Global Settings:
> > max-range-utilization percent 80 recv 80
> > rsvp post-dial-delay 0 signaling-retries 1
> > mode route metric bgp local-pref 5000
> > mode route metric static tag 5000
> > trace probe delay 1000
> > logging
> > exit holddown time 60 secs, time remaining 0
> >
> > Default Policy Settings:
> > backoff 150 150 150
> > delay relative 50
> > holddown 300
> > periodic 150
> > probe frequency 56
> > number of jitter probe packets 100
> > mode route control
> > mode monitor fast
> > mode select-exit good
> > loss relative 10
> > jitter threshold 20
> > mos threshold 3.60 percent 30
> > unreachable relative 50
> > resolve utilization priority 13 variance 20
> >
> > Learn Settings:
> > current state : DISABLED
> > time remaining in current state : 0 seconds
> > throughput
> > no delay
> > inside bgp
> > monitor-period 5
> > periodic-interval 5
> > aggregation-type prefix-length 24
> > prefixes 200 appls 200
> > expire after time 30
> >
> >
> > show pfr master policy:
> > HT-CoreRT(config-pfr-mc)#do s pfr mas pol
> > Default Policy Settings:
> > backoff 150 150 150
> > delay relative 50
> > holddown 300
> > periodic 150
> > probe frequency 56
> > number of jitter probe packets 100
> > mode route control
> > mode monitor fast
> > mode select-exit good
> > loss relative 10
> > jitter threshold 20
> > mos threshold 3.60 percent 30
> > unreachable relative 50
> > resolve utilization priority 13 variance 20
> > oer-map PFR_BGP 10
> > sequence no. 8444249301975040, provider id 1, provider priority 30
> > host priority 0, policy priority 10, Session id 0
> > match oer learn inside
> > backoff 150 150 150
> > delay relative 50
> > holddown 300
> > periodic 150
> > probe frequency 56
> > number of jitter probe packets 100
> > *mode route control
> > *mode monitor passive
> > mode select-exit good
> > loss relative 10
> > jitter threshold 20
> > mos threshold 3.60 percent 30
> > unreachable relative 50
> > next-hop not set
> > forwarding interface not set
> > *resolve utilization priority 1 variance 10
> >
> > Best Regards,
> > *Mohammad Moghaddas*
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html

Received on Fri Feb 14 2014 - 11:17:22 ART
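
An added example, not part of the original post or of any Cisco tooling: a small Python tally of the %OER_MC notices quoted in the thread, flagging prefixes whose mask differs from the /24 that "aggregation-type prefix-length 24" in the Learn Settings implies. The sample lines are a constructed subset of the post's notices, unwrapped to one per line; `summarize` and its result keys are hypothetical names.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: some of the %OER_MC notices quoted in the post,
# unwrapped to one message per line.
SAMPLE = [
    "Feb 13 16:41:43: %OER_MC-5-NOTICE: Uncontrol Prefix 85.133.140.168/30, Couldn't find the best exit",
    "Feb 13 16:41:43: %OER_MC-5-NOTICE: Uncontrol Prefix 85.133.140.168/30, Couldn't choose exit in prefix timeout",
    "Feb 13 16:41:43: %OER_MC-5-NOTICE: Range Entrance OOP BR 172.31.255.14, i/f Tu108, percent 100. Other BR 172.31.255.14, i/f Gi8/0/0 percent 15",
    "Feb 13 16:41:43: %OER_MC-5-NOTICE: Load Entrance OOP BR 172.31.255.14, i/f Tu108, load 33000 policy 31350",
    "Feb 13 16:41:43: %OER_MC-5-NOTICE: Uncontrol Prefix 220.98.114.8/30, Couldn't find the best exit",
    "Feb 13 16:41:46: %OER_MC-5-NOTICE: Uncontrol Prefix 217.169.166.40/30, Couldn't choose exit in prefix timeout",
    "Feb 13 16:41:48: %OER_MC-5-NOTICE: Route changed Prefix 188.253.53.96/30, BR 172.31.255.14, i/f Gi8/0/0, Reason Utilization, OOP Reason Timer Expired",
]

NOTICE = re.compile(r"%OER_MC-5-NOTICE: (.*)$")
PREFIX = re.compile(r"(Uncontrol|Route changed) Prefix (\S+?)\s*, (.*)$")
ENTRANCE = re.compile(r"(Range|Load) Entrance OOP BR (\S+), i/f (\w[\w/]*)")


def summarize(lines, expected_len=24):
    """Tally notices; collect prefixes whose mask is not /expected_len."""
    events, reasons = Counter(), Counter()
    off_mask, oop_entrances = {}, set()
    for line in lines:
        notice = NOTICE.search(line)
        if not notice:
            continue  # not a PfR master-controller notice
        body = notice.group(1)
        if m := PREFIX.match(body):
            event, prefix, detail = m.groups()
            events[event] += 1
            reasons[detail] += 1
            net = ipaddress.ip_network(prefix, strict=False)
            if net.prefixlen != expected_len:
                off_mask.setdefault(str(net), set()).add(event)
        elif m := ENTRANCE.match(body):
            kind, border, intf = m.groups()
            events[f"{kind} Entrance OOP"] += 1
            oop_entrances.add((border, intf))  # entrance link out of policy
        else:
            events["other"] += 1
    return {"events": events, "reasons": reasons,
            "off_mask": off_mask, "oop_entrances": oop_entrances}


if __name__ == "__main__":
    print(summarize(SAMPLE))
```
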

This archive was generated by hypermail 2.2.0 : Sat Mar 01 2014 - 08:41:48 ART