You said you were using PBR and your INPOLICY shows STATICS, PfR should only optimise what is learnt through your global rib and inbound optimisation is specific to BGP, is there any eBGP learnt routes to optimise?
-- BR Tony Sent from my iPad > On 14 Feb 2014, at 08:37, Mohammad Moghaddas <[email protected]> wrote: > > I found this, what could be the cause? > > show pfr mas traffic-class performance inside > > Traffic-class: (inside) > Destination Prefix : x.x.64.0/18 Source Prefix : N/A > Destination Port : N/A Source Port : N/A > DSCP : N Protocol : N/A > Application Name: : N/A > > General: > Control State : Not Controlled > Traffic-class status : DISABLED due to unknown reason > Current Exit : BR Unknown interface Unknown, Tie > breaker was None > Time on current exit : 0d 0:0:0 > Time remaining in current state : 0 seconds > Traffic-class type : Learned > Improper config : None > > Last Out-of-Policy event: > No Out-of-Policy Event > > Average Passive Performance Current Exit: (Average for last 5 minutes) > Unreachable : 0% -- Threshold: 50% > Delay : 0% -- Threshold: 50% > Loss : 0% -- Threshold: 10% > Egress BW : 0 kbps > Ingress BW : 0 kbps > Time since last update : 0d 0:0:0 > ..... > > Best Regards, > Mohammad Moghaddas > > >> On Fri, Feb 14, 2014 at 11:29 AM, Mohammad Moghaddas >> <[email protected]> wrote: >> Moataz, >> >> thanks for sharing the link, but I've gone through it and did the steps >> exactly as mentioned there. >> >> Best Regards, >> Mohammad Moghaddas >> >> >>> On Fri, Feb 14, 2014 at 11:24 AM, Moataz <[email protected]> wrote: >>> Hello Mohamed >>> >>> did you check this document >>> >>> http://www.cisco.com/c/en/us/td/docs/ios/pfr/configuration/guide/15_1/pfr_15_1_book/pfr-bgp-inbound.html#wp1058755 >>> >>> Regards, >>> Moataz Tolba >>> From: Mohammad Moghaddas <[email protected]> >>> To: Tony Singh <[email protected]> >>> Cc: CCIE_RS OnlineStudyList <[email protected]> >>> Sent: Friday, 14 February 2014, 9:48 >>> >>> Subject: Re: [OSL | CCIE_RS] OT: PFR Internet Inbound/Outbound LB >>> >>> Dear Tony, >>> >>> thanks for responding. >>> The cause of DOWN status is because I've pasted the info after shutting PFR >>> down. >>> All the traffic is pure internet (all the exits), and as I mentioned >>> before, using PBR customers are routed through different exits, but when >>> one exit become unavailable, EEM changes the configuration (ip sla+track). >>> So there was no need to separate them in different VRFs. >>> There is no ip sla responder, the tcp-connect probe are checking google, >>> yahoo, etc on port 80 from different exits. >>> Inbound Internet optimization is the most important part for me. I know >>> that PFR should prepend the AS-PATH to change the entrance, but it is not >>> behaving so. Is is only doing STATIC routes which affects Outbound traffic. >>> I should note that I've tried removing the PBR and also route-maps assigned >>> to Exit BGP peers, but nothing changed. I think my first post has more >>> complete info for you than this one. >>> I've "no shut" pfr and you find the relative info below: >>> >>> show pfr master: >>> OER state: ENABLED and ACTIVE >>> Conn Status: SUCCESS, PORT: 3949 >>> Version: 3.1 >>> Number of Border routers: 1 >>> Number of Exits: 5 >>> Number of monitored prefixes: 290 (max 5000) >>> Max prefixes: total 5000 learn 2500 >>> Prefix count: total 290, learn 290, cfg 0 >>> PBR Requirements met >>> Nbar Status: Inactive >>> >>> Border Status UP/DOWN AuthFail Version DOWN Reason >>> 172.31.255.14 ACTIVE UP 00:07:31 0 3.1 >>> >>> OER master in special monitor mode >>> ...... >>> >>> ! >>> >>> show pfr border active-p >>> ..... >>> Type Target TPort Source Interface Att >>> Comps >>> DSCP >>> echo 213.79.125.122 N 188.75.64.21 PO8/1/0 1 >>> 1 >>> 0 >>> echo 213.79.125.122 N 188.75.64.21 Tu108 1 >>> 0 >>> 0 >>> echo 213.79.125.122 N 188.75.64.21 Tu101 1 >>> 1 >>> 0 >>> echo 213.79.125.122 N 188.75.64.21 Gi8/0/0 1 >>> 1 >>> 0 >>> echo 213.79.125.122 N 188.75.64.21 Tu105 1 >>> 1 >>> 0 >>> ...... >>> ! >>> >>> show pfr master traffi >>> .... >>> -------------------------------------------------------------------------------- >>> 37.32.34.0/24 N N N N N N >>> >>> # INPOLICY @5 172.31.255.14 PO8/1/0 >>> STATIC >>> U U 0 0 10420 10557 11 >>> 9 >>> 13 11 0 0 N N N >>> N >>> >>> 94.101.185.0/24 N N N N N N >>> >>> # INPOLICY @21 172.31.255.14 Gi8/0/0 >>> STATIC >>> U U 0 0 4077 5430 17 >>> 15 >>> 12 13 0 0 N N N >>> N >>> >>> 94.201.94.128/30 N N N N N N >>> >>> # DEFAULT* @25 172.31.255.14 Tu105 >>> U >>> 313 313 0 0 102311 96658 57 >>> 0 >>> U U 1000000 1000000 N N N >>> N >>> >>> 176.9.63.104/30 N N N N N N >>> >>> # INPOLICY @42 172.31.255.14 PO8/1/0 >>> STATIC >>> U U 0 0 0 0 0 >>> 0 >>> 132 132 0 0 N N N >>> N >>> 178.32.55.52/30 N N N N N N >>> >>> # HOLDDOWN @155 172.31.255.14 Gi8/0/0 >>> STATIC >>> U U 0 0 0 0 1 >>> 1 >>> 131 131 0 0 N N N >>> N >>> ..... >>> ! >>> >>> show pfr master traffi inside >>> .... >>> -------------------------------------------------------------------------------- >>> x.x.64.0/18 N N N N N N >>> >>> DEFAULT* 0 U >>> U >>> >>> x.x.112.0/23 N N N N N N >>> >>> DEFAULT* 0 U >>> U >>> >>> x.x.114.0/23 N N N N N N >>> >>> DEFAULT* 0 U >>> U >>> >>> x.x.76.0/23 N N N N N N >>> >>> DEFAULT* 0 U >>> U >>> >>> >>> Best Regards, >>> *Mohammad Moghaddas* >>> >>> >>> >>> On Fri, Feb 14, 2014 at 1:13 AM, Tony Singh <[email protected]> wrote: >>> >>> > >>> > Border Status UP/DOWN AuthFail Version DOWN >>> > Reason >>> > 172.31.255.14 INACTIVE DOWN 0 3.1 >>> > >>> > That's not good for a start, second why are your customer routes in the >>> > same routing table sounds like you have no security policies tut tut >>> > >>> > can you post >>> > >>> > show pfr master >>> > show pfr master traffic-class >>> > sh run | s key-chain >>> > >>> > On both BR's >>> > >>> > Is the GRE tunnel up/up between the BR's >>> > >>> > The major 3. number must match between your MC and BR the minor .1 on MC >>> > must be greater or equal to the BR's minor version >>> > >>> > For echo probe you don't need ip sla responder for the other tcp-connect >>> > operations you do on the remote side >>> > >>> > -- >>> > BR >>> > >>> > Tony >>> > >>> > Sent from my iPad >>> > >>> > > On 13 Feb 2014, at 13:45, Mohammad Moghaddas <[email protected]> >>> > wrote: >>> > > >>> > > Hi. >>> > > >>> > > I hope you are all doing well, and I'm sorry for posting such a long OT. >>> > > Straight to the issue, we have one 7609S which its IOS is 15.1(3)S. I >>> > > should note that this an ISP environment and this router has 15 private >>> > IX >>> > > peers, and 5 Exit links. >>> > > I've configured the router being MC and BR the same time, 1 Internal >>> > > interface, and 5 External interface. >>> > > Each exit link has specific customers, we have separated each link's >>> > > customers using ACL. When customer's TX traffic reaches the Internal >>> > > interface, they are routed using PBR (default next-hop) to their >>> > > specific >>> > > exit link. Also these ACLs are referenced in a route-map assigned to >>> > > each >>> > > exit BGP peer, so we only advertise the customers to their specific exit >>> > > BGP peer. >>> > > We have categorized our BGP peers in 3 template peer-policy. >>> > > >>> > > *The issue is that, I see PFR configuring /30 STATIC routes to exit >>> > > links >>> > > (it should be /24), and much more important for me, no inbound >>> > optimization >>> > > is happening.* >>> > > >>> > > Below you will find some partial logging plus the configurations. >>> > > And I'm again sorry for such long post. >>> > > >>> > > Feb 13 16:41:43: %OER_MC-5-NOTICE: Uncontrol Prefix 85.133.140.168/30, >>> > > Couldn't find the best exit >>> > > Feb 13 16:41:43: %OER_MC-5-NOTICE: Uncontrol Prefix 85.133.140.168/30, >>> > > Couldn't choose exit in prefix timeout >>> > > Feb 13 16:41:43: %OER_MC-5-NOTICE: Range Entrance OOP BR 172.31.255.14, >>> > i/f >>> > > Tu108, percent 100. Other BR 172.31.255.14, i/f Gi8/0/0 percent 15 >>> > > Feb 13 16:41:43: %OER_MC-5-NOTICE: Load Entrance OOP BR 172.31.255.14, >>> > i/f >>> > > Tu108, load 33000 policy 31350 >>> > > Feb 13 16:41:43: %OER_MC-5-NOTICE: Entrance 172.31.255.14 intf Tu108 >>> > > OOP, >>> > > Tx BW 24, Rx BW 33000, Tx Load 0, Rx Load 100 >>> > > Feb 13 16:41:43: %OER_MC-5-NOTICE: Uncontrol Prefix 220.98.114.8/30, >>> > > Couldn't find the best exit >>> > > Feb 13 16:41:43: %OER_MC-5-NOTICE: Uncontrol Prefix 220.98.114.8/30, >>> > > Couldn't choose exit in prefix timeout >>> > > Feb 13 16:41:46: %OER_MC-5-NOTICE: Uncontrol Prefix 217.169.166.40/30, >>> > > Couldn't choose exit in prefix timeout >>> > > Feb 13 16:41:48: %OER_MC-5-NOTICE: Route changed Prefix 188.253.53.96/30 >>> > , >>> > > BR 172.31.255.14, i/f Gi8/0/0, Reason Utilization, OOP Reason Timer >>> > Expired >>> > > >>> > > route-map CHNG_GW permit 10 >>> > > description ***CUST1 through EXIT1*** >>> > > match ip address CUST1 >>> > > set ip default next-hop 10.30.148.169 >>> > > route-map CHNG_GW permit 11 >>> > > description ****CUST2 through EXIT2**** >>> > > match ip address CUST2 >>> > > set ip default next-hop 172.16.108.2 >>> > > route-map CHNG_GW permit 12 >>> > > description ****CUST3 through EXIT3**** >>> > > match ip address CUST3 >>> > > set ip default next-hop 172.16.101.2 >>> > > route-map CHNG_GW permit 13 >>> > > description ****CUST4 through EXIT2**** >>> > > match ip address CUST4 >>> > > >>> > > !! All other customers are routed using the PRIMARY default route. !! >>> > > >>> > > ip route 0.0.0.0 0.0.0.0 192.168.64.1 name PRIMARY >>> > > ip route 0.0.0.0 0.0.0.0 10.30.148.169 5 name PFR >>> > > ip route 0.0.0.0 0.0.0.0 172.16.101.2 6 name PFR >>> > > ip route 0.0.0.0 0.0.0.0 172.16.105.2 7 name PFR >>> > > ip route 0.0.0.0 0.0.0.0 172.16.108.2 8 name PFR >>> > > >>> > > template peer-policy CUST_BGP >>> > > route-map BGP_CUST_NO-OUT out >>> > > default-originate >>> > > soft-reconfiguration inbound >>> > > send-community both >>> > > exit-peer-policy >>> > > ! >>> > > template peer-policy BW_UPLINKS >>> > > prefix-list ISP_IX-in in >>> > > next-hop-self all >>> > > soft-reconfiguration inbound >>> > > send-community both >>> > > exit-peer-policy >>> > > ! >>> > > template peer-policy IX >>> > > route-map IX_BGP-OUT out >>> > > prefix-list ISP_IX-in in >>> > > next-hop-self all >>> > > soft-reconfiguration inbound >>> > > send-community both >>> > > >>> > > pfr master >>> > > policy-rules PFR_BGP >>> > > max-range-utilization percent 80 >>> > > logging >>> > > ! >>> > > border 172.31.255.14 key-chain OER >>> > > interface GigabitEthernet8/0/0 external >>> > > max-xmit-utilization percentage 95 >>> > > maximum utilization receive percentage 95 >>> > > interface Tunnel101 external >>> > > max-xmit-utilization percentage 95 >>> > > maximum utilization receive percentage 95 >>> > > interface Tunnel108 external >>> > > max-xmit-utilization percentage 95 >>> > > maximum utilization receive percentage 95 >>> > > interface Tunnel105 external >>> > > max-xmit-utilization percentage 95 >>> > > maximum utilization receive percentage 95 >>> > > interface POS8/1/0 external >>> > > max-xmit-utilization percentage 95 >>> > > maximum utilization receive percentage 95 >>> > > interface GigabitEthernet5/1 internal >>> > > ! >>> > > learn >>> > > throughput >>> > > inside bgp >>> > > periodic-interval 0 >>> > > monitor-period 1 >>> > > prefixes 200 applications 200 >>> > > expire after time 30 >>> > > max range receive percent 80 >>> > > backoff 150 150 >>> > > mode route control >>> > > mode monitor fast >>> > > periodic 150 >>> > > no resolve delay >>> > > no resolve range >>> > > ! >>> > > active-probe tcp-conn 216.239.32.20 target-port 80 >>> > > active-probe tcp-conn 216.239.32.20 target-port 443 >>> > > active-probe echo 4.2.2.4 >>> > > active-probe echo 8.8.8.8 >>> > > active-probe tcp-conn 173.194.34.53 target-port 443 >>> > > active-probe tcp-conn 46.228.47.114 target-port 80 >>> > > active-probe echo 4.2.2.1 >>> > > active-probe echo 8.8.4.4 >>> > > active-probe echo 4.2.2.2 >>> > > pfr border >>> > > local Loopback17231255 >>> > > master 172.31.255.14 key-chain OER >>> > > active-probe address source interface GigabitEthernet5/1 >>> > > pfr-map PFR_BGP 10 >>> > > match pfr learn inside >>> > > set mode route control >>> > > set mode monitor passive >>> > > set resolve utilization priority 1 variance 10 >>> > > no set resolve delay >>> > > no set resolve range >>> > > >>> > > show pfr master: >>> > > OER state: ENABLED and INACTIVE >>> > > Conn Status: SUCCESS, PORT: 3949 >>> > > Version: 3.1 >>> > > Number of Border routers: 1 >>> > > Number of Exits: 5 >>> > > Number of monitored prefixes: 0 (max 5000) >>> > > Max prefixes: total 5000 learn 2500 >>> > > Prefix count: total 0, learn 0, cfg 0 >>> > > PBR Requirements met >>> > > Nbar Status: Inactive >>> > > >>> > > Border Status UP/DOWN AuthFail Version DOWN >>> > Reason >>> > > 172.31.255.14 INACTIVE DOWN 0 3.1 >>> > > >>> > > OER master in special monitor mode >>> > > >>> > > Global Settings: >>> > > max-range-utilization percent 80 recv 80 >>> > > rsvp post-dial-delay 0 signaling-retries 1 >>> > > mode route metric bgp local-pref 5000 >>> > > mode route metric static tag 5000 >>> > > trace probe delay 1000 >>> > > logging >>> > > exit holddown time 60 secs, time remaining 0 >>> > > >>> > > Default Policy Settings: >>> > > backoff 150 150 150 >>> > > delay relative 50 >>> > > holddown 300 >>> > > periodic 150 >>> > > probe frequency 56 >>> > > number of jitter probe packets 100 >>> > > mode route control >>> > > mode monitor fast >>> > > mode select-exit good >>> > > loss relative 10 >>> > > jitter threshold 20 >>> > > mos threshold 3.60 percent 30 >>> > > unreachable relative 50 >>> > > resolve utilization priority 13 variance 20 >>> > > >>> > > Learn Settings: >>> > > current state : DISABLED >>> > > time remaining in current state : 0 seconds >>> > > throughput >>> > > no delay >>> > > inside bgp >>> > > monitor-period 5 >>> > > periodic-interval 5 >>> > > aggregation-type prefix-length 24 >>> > > prefixes 200 appls 200 >>> > > expire after time 30 >>> > > >>> > > >>> > > show pfr master policy: >>> > > HT-CoreRT(config-pfr-mc)#do s pfr mas pol >>> > > Default Policy Settings: >>> > > backoff 150 150 150 >>> > > delay relative 50 >>> > > holddown 300 >>> > > periodic 150 >>> > > probe frequency 56 >>> > > number of jitter probe packets 100 >>> > > mode route control >>> > > mode monitor fast >>> > > mode select-exit good >>> > > loss relative 10 >>> > > jitter threshold 20 >>> > > mos threshold 3.60 percent 30 >>> > > unreachable relative 50 >>> > > resolve utilization priority 13 variance 20 >>> > > oer-map PFR_BGP 10 >>> > > sequence no. 8444249301975040, provider id 1, provider priority 30 >>> > > host priority 0, policy priority 10, Session id 0 >>> > > match oer learn inside >>> > > backoff 150 150 150 >>> > > delay relative 50 >>> > > holddown 300 >>> > > periodic 150 >>> > > probe frequency 56 >>> > > number of jitter probe packets 100 >>> > > *mode route control >>> > > *mode monitor passive >>> > > mode select-exit good >>> > > loss relative 10 >>> > > jitter threshold 20 >>> > > mos threshold 3.60 percent 30 >>> > > unreachable relative 50 >>> > > next-hop not set >>> > > forwarding interface not set >>> > > *resolve utilization priority 1 variance 10 >>> > > >>> > > Best Regards, >>> > > *Mohammad Moghaddas* >>> > > _______________________________________________ >>> > > Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos :: >>> > > >>> > > iPexpert on YouTube: www.youtube.com/ipexpertinc >>> > >>> _______________________________________________ >>> Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos :: >>> >>> iPexpert on YouTube: www.youtube.com/ipexpertinc > _______________________________________________ Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos :: iPexpert on YouTube: www.youtube.com/ipexpertinc
