Everything with OUTBOUND traffic optimization is OK (except that I don't know why PFR adds /30 routes where I have "aggregation-type prefix-length 24").

What I need is INBOUND traffic optimization by prepending to the AS-PATH. Imagine that the prefixes below are originated in our AS and are advertised to our eBGP peers. I want PFR to prepend to the AS-PATH of prefixes advertised to one of the 5 exit eBGP peers when the RX load of that exit is 95 percent.

sh ip bgp | i 32768
*> x.x.128.0/24    x.x.64.22    20    32768 i
*> x.x.64.0/18     x.x.64.22     0    32768 i
*> x.x.71.0/24     x.x.64.22    20    32768 i
*> x.x.74.0/24     x.x.64.22     0    32768 i
.....

Best Regards,
*Mohammad Moghaddas*

On Fri, Feb 14, 2014 at 12:49 PM, Tony Singh <[email protected]> wrote:

>
> You said you were using PBR and your INPOLICY shows STATICS, PfR should
> only optimise what is learnt through your global rib and inbound
> optimisation is specific to BGP, is there any eBGP learnt routes to
> optimise?
>
>
> --
> BR
>
> Tony
>
> Sent from my iPad
>
> On 14 Feb 2014, at 08:37, Mohammad Moghaddas <[email protected]> wrote:
>
> I found this, what could be the cause?
>
> show pfr mas traffic-class performance inside
>
> Traffic-class: (inside)
>  Destination Prefix : x.x.64.0/18    Source Prefix : N/A
>  Destination Port   : N/A            Source Port   : N/A
>  DSCP               : N              Protocol      : N/A
>  Application Name:  : N/A
>
> General:
>  Control State                   : Not Controlled
>  Traffic-class status            : DISABLED due to unknown reason
>  Current Exit                    : BR Unknown interface Unknown, Tie breaker was None
>  Time on current exit            : 0d 0:0:0
>  Time remaining in current state : 0 seconds
>  Traffic-class type              : Learned
>  Improper config                 : None
>
> Last Out-of-Policy event:
>  No Out-of-Policy Event
>
> Average Passive Performance Current Exit: (Average for last 5 minutes)
>  Unreachable            : 0% -- Threshold: 50%
>  Delay                  : 0% -- Threshold: 50%
>  Loss                   : 0% -- Threshold: 10%
>  Egress BW              : 0 kbps
>  Ingress BW             : 0 kbps
>  Time since last update : 0d 0:0:0
> .....
>
> Best Regards,
> *Mohammad Moghaddas*
>
>
> On Fri, Feb 14, 2014 at 11:29 AM, Mohammad Moghaddas <[email protected]> wrote:
>
>> Moataz,
>>
>> thanks for sharing the link, but I've gone through it and did the steps
>> exactly as mentioned there.
>>
>> Best Regards,
>> *Mohammad Moghaddas*
>>
>>
>> On Fri, Feb 14, 2014 at 11:24 AM, Moataz <[email protected]> wrote:
>>
>>> Hello Mohamed
>>>
>>> did you check this document
>>>
>>> http://www.cisco.com/c/en/us/td/docs/ios/pfr/configuration/guide/15_1/pfr_15_1_book/pfr-bgp-inbound.html#wp1058755
>>>
>>> Regards,
>>> Moataz Tolba
>>> ------------------------------
>>> *From:* Mohammad Moghaddas <[email protected]>
>>> *To:* Tony Singh <[email protected]>
>>> *Cc:* CCIE_RS OnlineStudyList <[email protected]>
>>> *Sent:* Friday, 14 February 2014, 9:48
>>>
>>> *Subject:* Re: [OSL | CCIE_RS] OT: PFR Internet Inbound/Outbound LB
>>>
>>> Dear Tony,
>>>
>>> thanks for responding.
>>> The cause of DOWN status is because I've pasted the info after shutting
>>> PFR down.
>>> All the traffic is pure internet (all the exits), and as I mentioned
>>> before, using PBR customers are routed through different exits, but when
>>> one exit becomes unavailable, EEM changes the configuration (ip sla+track).
>>> So there was no need to separate them in different VRFs.
>>> There is no ip sla responder, the tcp-connect probes are checking google,
>>> yahoo, etc on port 80 from different exits.
>>> Inbound Internet optimization is the most important part for me. I know
>>> that PFR should prepend the AS-PATH to change the entrance, but it is not
>>> behaving so. It is only doing STATIC routes which affects Outbound traffic.
>>> I should note that I've tried removing the PBR and also route-maps assigned
>>> to Exit BGP peers, but nothing changed. I think my first post has more
>>> complete info for you than this one.
>>> I've "no shut" pfr and you find the relative info below:
>>>
>>> show pfr master:
>>> OER state: ENABLED and ACTIVE
>>>   Conn Status: SUCCESS, PORT: 3949
>>>   Version: 3.1
>>>   Number of Border routers: 1
>>>   Number of Exits: 5
>>>   Number of monitored prefixes: 290 (max 5000)
>>>   Max prefixes: total 5000 learn 2500
>>>   Prefix count: total 290, learn 290, cfg 0
>>>   PBR Requirements met
>>>   Nbar Status: Inactive
>>>
>>> Border          Status   UP/DOWN        AuthFail  Version  DOWN Reason
>>> 172.31.255.14   ACTIVE   UP 00:07:31           0  3.1
>>>
>>> OER master in special monitor mode
>>> ......
>>>
>>> !
>>>
>>> show pfr border active-p
>>> .....
>>> Type  Target          TPort  Source        Interface  Att  Comps  DSCP
>>> echo  213.79.125.122  N      188.75.64.21  PO8/1/0    1    1      0
>>> echo  213.79.125.122  N      188.75.64.21  Tu108      1    0      0
>>> echo  213.79.125.122  N      188.75.64.21  Tu101      1    1      0
>>> echo  213.79.125.122  N      188.75.64.21  Gi8/0/0    1    1      0
>>> echo  213.79.125.122  N      188.75.64.21  Tu105      1    1      0
>>> ......
>>> !
>>>
>>> show pfr master traffi
>>> ....
>>>
>>> --------------------------------------------------------------------------------
>>> 37.32.34.0/24 N N N N N N
>>>   # INPOLICY @5 172.31.255.14 PO8/1/0 STATIC
>>>   U U 0 0 10420 10557 11 9
>>>   13 11 0 0 N N N N
>>>
>>> 94.101.185.0/24 N N N N N N
>>>   # INPOLICY @21 172.31.255.14 Gi8/0/0 STATIC
>>>   U U 0 0 4077 5430 17 15
>>>   12 13 0 0 N N N N
>>>
>>> 94.201.94.128/30 N N N N N N
>>>   # DEFAULT* @25 172.31.255.14 Tu105 U
>>>   313 313 0 0 102311 96658 57 0
>>>   U U 1000000 1000000 N N N N
>>>
>>> 176.9.63.104/30 N N N N N N
>>>   # INPOLICY @42 172.31.255.14 PO8/1/0 STATIC
>>>   U U 0 0 0 0 0 0
>>>   132 132 0 0 N N N N
>>>
>>> 178.32.55.52/30 N N N N N N
>>>   # HOLDDOWN @155 172.31.255.14 Gi8/0/0 STATIC
>>>   U U 0 0 0 0 1 1
>>>   131 131 0 0 N N N N
>>> .....
>>> !
>>>
>>> show pfr master traffi inside
>>> ....
>>>
>>> --------------------------------------------------------------------------------
>>> x.x.64.0/18 N N N N N N
>>>   DEFAULT* 0 U U
>>>
>>> x.x.112.0/23 N N N N N N
>>>   DEFAULT* 0 U U
>>>
>>> x.x.114.0/23 N N N N N N
>>>   DEFAULT* 0 U U
>>>
>>> x.x.76.0/23 N N N N N N
>>>   DEFAULT* 0 U U
>>>
>>>
>>> Best Regards,
>>> *Mohammad Moghaddas*
>>>
>>>
>>>
>>> On Fri, Feb 14, 2014 at 1:13 AM, Tony Singh <[email protected]> wrote:
>>>
>>> >
>>> > Border          Status    UP/DOWN  AuthFail  Version  DOWN Reason
>>> > 172.31.255.14   INACTIVE  DOWN            0  3.1
>>> >
>>> > That's not good for a start, second why are your customer routes in the
>>> > same routing table sounds like you have no security policies tut tut
>>> >
>>> > can you post
>>> >
>>> > show pfr master
>>> > show pfr master traffic-class
>>> > sh run | s key-chain
>>> >
>>> > On both BR's
>>> >
>>> > Is the GRE tunnel up/up between the BR's
>>> >
>>> > The major 3. number must match between your MC and BR the minor .1 on MC
>>> > must be greater or equal to the BR's minor version
>>> >
>>> > For echo probe you don't need ip sla responder for the other tcp-connect
>>> > operations you do on the remote side
>>> >
>>> > --
>>> > BR
>>> >
>>> > Tony
>>> >
>>> > Sent from my iPad
>>> >
>>> > > On 13 Feb 2014, at 13:45, Mohammad Moghaddas <[email protected]> wrote:
>>> > >
>>> > > Hi.
>>> > >
>>> > > I hope you are all doing well, and I'm sorry for posting such a long OT.
>>> > > Straight to the issue, we have one 7609S which its IOS is 15.1(3)S. I
>>> > > should note that this is an ISP environment and this router has 15 private IX
>>> > > peers, and 5 Exit links.
>>> > > I've configured the router being MC and BR the same time, 1 Internal
>>> > > interface, and 5 External interface.
>>> > > Each exit link has specific customers, we have separated each link's
>>> > > customers using ACL.
>>> > > When customer's TX traffic reaches the Internal
>>> > > interface, they are routed using PBR (default next-hop) to their specific
>>> > > exit link. Also these ACLs are referenced in a route-map assigned to each
>>> > > exit BGP peer, so we only advertise the customers to their specific exit
>>> > > BGP peer.
>>> > > We have categorized our BGP peers in 3 template peer-policy.
>>> > >
>>> > > *The issue is that, I see PFR configuring /30 STATIC routes to exit links
>>> > > (it should be /24), and much more important for me, no inbound optimization
>>> > > is happening.*
>>> > >
>>> > > Below you will find some partial logging plus the configurations.
>>> > > And I'm again sorry for such long post.
>>> > >
>>> > > Feb 13 16:41:43: %OER_MC-5-NOTICE: Uncontrol Prefix 85.133.140.168/30, Couldn't find the best exit
>>> > > Feb 13 16:41:43: %OER_MC-5-NOTICE: Uncontrol Prefix 85.133.140.168/30, Couldn't choose exit in prefix timeout
>>> > > Feb 13 16:41:43: %OER_MC-5-NOTICE: Range Entrance OOP BR 172.31.255.14, i/f Tu108, percent 100. Other BR 172.31.255.14, i/f Gi8/0/0 percent 15
>>> > > Feb 13 16:41:43: %OER_MC-5-NOTICE: Load Entrance OOP BR 172.31.255.14, i/f Tu108, load 33000 policy 31350
>>> > > Feb 13 16:41:43: %OER_MC-5-NOTICE: Entrance 172.31.255.14 intf Tu108 OOP, Tx BW 24, Rx BW 33000, Tx Load 0, Rx Load 100
>>> > > Feb 13 16:41:43: %OER_MC-5-NOTICE: Uncontrol Prefix 220.98.114.8/30, Couldn't find the best exit
>>> > > Feb 13 16:41:43: %OER_MC-5-NOTICE: Uncontrol Prefix 220.98.114.8/30, Couldn't choose exit in prefix timeout
>>> > > Feb 13 16:41:46: %OER_MC-5-NOTICE: Uncontrol Prefix 217.169.166.40/30, Couldn't choose exit in prefix timeout
>>> > > Feb 13 16:41:48: %OER_MC-5-NOTICE: Route changed Prefix 188.253.53.96/30, BR 172.31.255.14, i/f Gi8/0/0, Reason Utilization, OOP Reason Timer Expired
>>> > >
>>> > > route-map CHNG_GW permit 10
>>> > >  description ***CUST1 through EXIT1***
>>> > >  match ip address CUST1
>>> > >  set ip default next-hop 10.30.148.169
>>> > > route-map CHNG_GW permit 11
>>> > >  description ****CUST2 through EXIT2****
>>> > >  match ip address CUST2
>>> > >  set ip default next-hop 172.16.108.2
>>> > > route-map CHNG_GW permit 12
>>> > >  description ****CUST3 through EXIT3****
>>> > >  match ip address CUST3
>>> > >  set ip default next-hop 172.16.101.2
>>> > > route-map CHNG_GW permit 13
>>> > >  description ****CUST4 through EXIT2****
>>> > >  match ip address CUST4
>>> > >
>>> > > !! All other customers are routed using the PRIMARY default route. !!
>>> > >
>>> > > ip route 0.0.0.0 0.0.0.0 192.168.64.1 name PRIMARY
>>> > > ip route 0.0.0.0 0.0.0.0 10.30.148.169 5 name PFR
>>> > > ip route 0.0.0.0 0.0.0.0 172.16.101.2 6 name PFR
>>> > > ip route 0.0.0.0 0.0.0.0 172.16.105.2 7 name PFR
>>> > > ip route 0.0.0.0 0.0.0.0 172.16.108.2 8 name PFR
>>> > >
>>> > > template peer-policy CUST_BGP
>>> > >  route-map BGP_CUST_NO-OUT out
>>> > >  default-originate
>>> > >  soft-reconfiguration inbound
>>> > >  send-community both
>>> > > exit-peer-policy
>>> > > !
>>> > > template peer-policy BW_UPLINKS
>>> > >  prefix-list ISP_IX-in in
>>> > >  next-hop-self all
>>> > >  soft-reconfiguration inbound
>>> > >  send-community both
>>> > > exit-peer-policy
>>> > > !
>>> > > template peer-policy IX
>>> > >  route-map IX_BGP-OUT out
>>> > >  prefix-list ISP_IX-in in
>>> > >  next-hop-self all
>>> > >  soft-reconfiguration inbound
>>> > >  send-community both
>>> > >
>>> > > pfr master
>>> > >  policy-rules PFR_BGP
>>> > >  max-range-utilization percent 80
>>> > >  logging
>>> > >  !
>>> > >  border 172.31.255.14 key-chain OER
>>> > >   interface GigabitEthernet8/0/0 external
>>> > >    max-xmit-utilization percentage 95
>>> > >    maximum utilization receive percentage 95
>>> > >   interface Tunnel101 external
>>> > >    max-xmit-utilization percentage 95
>>> > >    maximum utilization receive percentage 95
>>> > >   interface Tunnel108 external
>>> > >    max-xmit-utilization percentage 95
>>> > >    maximum utilization receive percentage 95
>>> > >   interface Tunnel105 external
>>> > >    max-xmit-utilization percentage 95
>>> > >    maximum utilization receive percentage 95
>>> > >   interface POS8/1/0 external
>>> > >    max-xmit-utilization percentage 95
>>> > >    maximum utilization receive percentage 95
>>> > >   interface GigabitEthernet5/1 internal
>>> > >  !
>>> > >  learn
>>> > >   throughput
>>> > >   inside bgp
>>> > >   periodic-interval 0
>>> > >   monitor-period 1
>>> > >   prefixes 200 applications 200
>>> > >   expire after time 30
>>> > >  max range receive percent 80
>>> > >  backoff 150 150
>>> > >  mode route control
>>> > >  mode monitor fast
>>> > >  periodic 150
>>> > >  no resolve delay
>>> > >  no resolve range
>>> > >  !
>>> > >  active-probe tcp-conn 216.239.32.20 target-port 80
>>> > >  active-probe tcp-conn 216.239.32.20 target-port 443
>>> > >  active-probe echo 4.2.2.4
>>> > >  active-probe echo 8.8.8.8
>>> > >  active-probe tcp-conn 173.194.34.53 target-port 443
>>> > >  active-probe tcp-conn 46.228.47.114 target-port 80
>>> > >  active-probe echo 4.2.2.1
>>> > >  active-probe echo 8.8.4.4
>>> > >  active-probe echo 4.2.2.2
>>> > > pfr border
>>> > >  local Loopback17231255
>>> > >  master 172.31.255.14 key-chain OER
>>> > >  active-probe address source interface GigabitEthernet5/1
>>> > > pfr-map PFR_BGP 10
>>> > >  match pfr learn inside
>>> > >  set mode route control
>>> > >  set mode monitor passive
>>> > >  set resolve utilization priority 1 variance 10
>>> > >  no set resolve delay
>>> > >  no set resolve range
>>> > >
>>> > > show pfr master:
>>> > > OER state: ENABLED and INACTIVE
>>> > >   Conn Status: SUCCESS, PORT: 3949
>>> > >   Version: 3.1
>>> > >   Number of Border routers: 1
>>> > >   Number of Exits: 5
>>> > >   Number of monitored prefixes: 0 (max 5000)
>>> > >   Max prefixes: total 5000 learn 2500
>>> > >   Prefix count: total 0, learn 0, cfg 0
>>> > >   PBR Requirements met
>>> > >   Nbar Status: Inactive
>>> > >
>>> > > Border          Status    UP/DOWN  AuthFail  Version  DOWN Reason
>>> > > 172.31.255.14   INACTIVE  DOWN            0  3.1
>>> > >
>>> > > OER master in special monitor mode
>>> > >
>>> > > Global Settings:
>>> > >   max-range-utilization percent 80 recv 80
>>> > >   rsvp post-dial-delay 0 signaling-retries 1
>>> > >   mode route metric bgp local-pref 5000
>>> > >   mode route metric static tag 5000
>>> > >   trace probe delay 1000
>>> > >   logging
>>> > >   exit holddown time 60 secs, time remaining 0
>>> > >
>>> > > Default Policy Settings:
>>> > >   backoff 150 150 150
>>> > >   delay relative 50
>>> > >   holddown 300
>>> > >   periodic 150
>>> > >   probe frequency 56
>>> > >   number of jitter probe packets 100
>>> > >   mode route control
>>> > >   mode monitor fast
>>> > >   mode select-exit good
>>> > >   loss relative 10
>>> > >   jitter threshold 20
>>> > >   mos threshold 3.60 percent 30
>>> > >   unreachable relative 50
>>> > >   resolve utilization priority 13 variance 20
>>> > >
>>> > > Learn Settings:
>>> > >   current state : DISABLED
>>> > >   time remaining in current state : 0 seconds
>>> > >   throughput
>>> > >   no delay
>>> > >   inside bgp
>>> > >   monitor-period 5
>>> > >   periodic-interval 5
>>> > >   aggregation-type prefix-length 24
>>> > >   prefixes 200 appls 200
>>> > >   expire after time 30
>>> > >
>>> > >
>>> > > show pfr master policy:
>>> > > HT-CoreRT(config-pfr-mc)#do s pfr mas pol
>>> > > Default Policy Settings:
>>> > >   backoff 150 150 150
>>> > >   delay relative 50
>>> > >   holddown 300
>>> > >   periodic 150
>>> > >   probe frequency 56
>>> > >   number of jitter probe packets 100
>>> > >   mode route control
>>> > >   mode monitor fast
>>> > >   mode select-exit good
>>> > >   loss relative 10
>>> > >   jitter threshold 20
>>> > >   mos threshold 3.60 percent 30
>>> > >   unreachable relative 50
>>> > >   resolve utilization priority 13 variance 20
>>> > > oer-map PFR_BGP 10
>>> > >   sequence no. 8444249301975040, provider id 1, provider priority 30
>>> > >     host priority 0, policy priority 10, Session id 0
>>> > >   match oer learn inside
>>> > >   backoff 150 150 150
>>> > >   delay relative 50
>>> > >   holddown 300
>>> > >   periodic 150
>>> > >   probe frequency 56
>>> > >   number of jitter probe packets 100
>>> > >  *mode route control
>>> > >  *mode monitor passive
>>> > >   mode select-exit good
>>> > >   loss relative 10
>>> > >   jitter threshold 20
>>> > >   mos threshold 3.60 percent 30
>>> > >   unreachable relative 50
>>> > >   next-hop not set
>>> > >   forwarding interface not set
>>> > >  *resolve utilization priority 1 variance 10
>>> > >
>>> > > Best Regards,
>>> > > *Mohammad Moghaddas*
>>> > > _______________________________________________
>>> > > Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos ::
>>> > >
>>> > > iPexpert on YouTube: www.youtube.com/ipexpertinc
