Don't think you understood

Why would it add /24's when you have static optimisation outbound?
For inbound do you even have eBGP routes in global rib?

--
BR

Tony

> On 14 Feb 2014, at 09:40, Mohammad Moghaddas <[email protected]> wrote:
>
> Everything with OUTBOUND traffic optimization is OK (except that I don't know
> why PFR adds /30 routes where I have "aggregation-type prefix-length 24")
> What I need is INBOUND traffic optimization by prepending to AS-PATH.
> Imagine that below prefixes are originated in our AS and are advertised to
> our eBGP peers. I want PFR to prepend to the AS-PATH of prefixes advertised
> to one of the 5 exit eBGP peers when the RX load of that exit is 95 percent.
> sh ip bgp | i 32768
> *> x.x.128.0/24 x.x.64.22 20 32768 i
> *> x.x.64.0/18 x.x.64.22 0 32768 i
> *> x.x.71.0/24 x.x.64.22 20 32768 i
> *> x.x.74.0/24 x.x.64.22 0 32768 i
> .....
>
> Best Regards,
> Mohammad Moghaddas
>
>> On Fri, Feb 14, 2014 at 12:49 PM, Tony Singh <[email protected]> wrote:
>>
>> You said you were using PBR and your INPOLICY shows STATICS, PfR should only
>> optimise what is learnt through your global rib and inbound optimisation is
>> specific to BGP, is there any eBGP learnt routes to optimise?
>>
>>
>> --
>> BR
>>
>> Tony
>>
>> Sent from my iPad
>>
>>> On 14 Feb 2014, at 08:37, Mohammad Moghaddas <[email protected]> wrote:
>>>
>>> I found this, what could be the cause?
>>>
>>> show pfr mas traffic-class performance inside
>>>
>>> Traffic-class: (inside)
>>> Destination Prefix : x.x.64.0/18 Source Prefix : N/A
>>> Destination Port : N/A Source Port : N/A
>>> DSCP : N Protocol : N/A
>>> Application Name: : N/A
>>>
>>> General:
>>> Control State : Not Controlled
>>> Traffic-class status : DISABLED due to unknown reason
>>> Current Exit : BR Unknown interface Unknown, Tie breaker was None
>>> Time on current exit : 0d 0:0:0
>>> Time remaining in current state : 0 seconds
>>> Traffic-class type : Learned
>>> Improper config : None
>>>
>>> Last Out-of-Policy event:
>>> No Out-of-Policy Event
>>>
>>> Average Passive Performance Current Exit: (Average for last 5 minutes)
>>> Unreachable : 0% -- Threshold: 50%
>>> Delay : 0% -- Threshold: 50%
>>> Loss : 0% -- Threshold: 10%
>>> Egress BW : 0 kbps
>>> Ingress BW : 0 kbps
>>> Time since last update : 0d 0:0:0
>>> .....
>>>
>>> Best Regards,
>>> Mohammad Moghaddas
>>>
>>>
>>>> On Fri, Feb 14, 2014 at 11:29 AM, Mohammad Moghaddas
>>>> <[email protected]> wrote:
>>>> Moataz,
>>>>
>>>> thanks for sharing the link, but I've gone through it and did the steps
>>>> exactly as mentioned there.
>>>>
>>>> Best Regards,
>>>> Mohammad Moghaddas
>>>>
>>>>
>>>>> On Fri, Feb 14, 2014 at 11:24 AM, Moataz <[email protected]> wrote:
>>>>> Hello Mohamed
>>>>>
>>>>> did you check this document
>>>>>
>>>>> http://www.cisco.com/c/en/us/td/docs/ios/pfr/configuration/guide/15_1/pfr_15_1_book/pfr-bgp-inbound.html#wp1058755
>>>>>
>>>>> Regards,
>>>>> Moataz Tolba
>>>>> From: Mohammad Moghaddas <[email protected]>
>>>>> To: Tony Singh <[email protected]>
>>>>> Cc: CCIE_RS OnlineStudyList <[email protected]>
>>>>> Sent: Friday, 14 February 2014, 9:48
>>>>>
>>>>> Subject: Re: [OSL | CCIE_RS] OT: PFR Internet Inbound/Outbound LB
>>>>>
>>>>> Dear Tony,
>>>>>
>>>>> thanks for responding.
>>>>> The cause of DOWN status is because I've pasted the info after shutting
>>>>> PFR down.
>>>>> All the traffic is pure internet (all the exits), and as I mentioned
>>>>> before, using PBR customers are routed through different exits, but when
>>>>> one exit becomes unavailable, EEM changes the configuration (ip sla+track).
>>>>> So there was no need to separate them in different VRFs.
>>>>> There is no ip sla responder, the tcp-connect probes are checking google,
>>>>> yahoo, etc on port 80 from different exits.
>>>>> Inbound Internet optimization is the most important part for me. I know
>>>>> that PFR should prepend the AS-PATH to change the entrance, but it is not
>>>>> behaving so. It is only doing STATIC routes which affects Outbound
>>>>> traffic.
>>>>> I should note that I've tried removing the PBR and also route-maps
>>>>> assigned to Exit BGP peers, but nothing changed. I think my first post
>>>>> has more complete info for you than this one.
>>>>> I've "no shut" pfr and you find the relative info below:
>>>>>
>>>>> show pfr master:
>>>>> OER state: ENABLED and ACTIVE
>>>>> Conn Status: SUCCESS, PORT: 3949
>>>>> Version: 3.1
>>>>> Number of Border routers: 1
>>>>> Number of Exits: 5
>>>>> Number of monitored prefixes: 290 (max 5000)
>>>>> Max prefixes: total 5000 learn 2500
>>>>> Prefix count: total 290, learn 290, cfg 0
>>>>> PBR Requirements met
>>>>> Nbar Status: Inactive
>>>>>
>>>>> Border Status UP/DOWN AuthFail Version DOWN Reason
>>>>> 172.31.255.14 ACTIVE UP 00:07:31 0 3.1
>>>>>
>>>>> OER master in special monitor mode
>>>>> ......
>>>>>
>>>>> !
>>>>>
>>>>> show pfr border active-p
>>>>> .....
>>>>> Type Target TPort Source Interface Att Comps DSCP
>>>>> echo 213.79.125.122 N 188.75.64.21 PO8/1/0 1 1 0
>>>>> echo 213.79.125.122 N 188.75.64.21 Tu108 1 0 0
>>>>> echo 213.79.125.122 N 188.75.64.21 Tu101 1 1 0
>>>>> echo 213.79.125.122 N 188.75.64.21 Gi8/0/0 1 1 0
>>>>> echo 213.79.125.122 N 188.75.64.21 Tu105 1 1 0
>>>>> ......
>>>>> !
>>>>>
>>>>> show pfr master traffi
>>>>> ....
>>>>> --------------------------------------------------------------------------------
>>>>> 37.32.34.0/24 N N N N N N
>>>>>
>>>>> # INPOLICY @5 172.31.255.14 PO8/1/0 STATIC
>>>>> U U 0 0 10420 10557 11 9
>>>>> 13 11 0 0 N N N N
>>>>>
>>>>> 94.101.185.0/24 N N N N N N
>>>>>
>>>>> # INPOLICY @21 172.31.255.14 Gi8/0/0 STATIC
>>>>> U U 0 0 4077 5430 17 15
>>>>> 12 13 0 0 N N N N
>>>>>
>>>>> 94.201.94.128/30 N N N N N N
>>>>>
>>>>> # DEFAULT* @25 172.31.255.14 Tu105 U
>>>>> 313 313 0 0 102311 96658 57 0
>>>>> U U 1000000 1000000 N N N N
>>>>>
>>>>> 176.9.63.104/30 N N N N N N
>>>>>
>>>>> # INPOLICY @42 172.31.255.14 PO8/1/0 STATIC
>>>>> U U 0 0 0 0 0 0
>>>>> 132 132 0 0 N N N N
>>>>> 178.32.55.52/30 N N N N N N
>>>>>
>>>>> # HOLDDOWN @155 172.31.255.14 Gi8/0/0 STATIC
>>>>> U U 0 0 0 0 1 1
>>>>> 131 131 0 0 N N N N
>>>>> .....
>>>>> !
>>>>>
>>>>> show pfr master traffi inside
>>>>> ....
>>>>> --------------------------------------------------------------------------------
>>>>> x.x.64.0/18 N N N N N N
>>>>>
>>>>> DEFAULT* 0 U U
>>>>>
>>>>> x.x.112.0/23 N N N N N N
>>>>>
>>>>> DEFAULT* 0 U U
>>>>>
>>>>> x.x.114.0/23 N N N N N N
>>>>>
>>>>> DEFAULT* 0 U U
>>>>>
>>>>> x.x.76.0/23 N N N N N N
>>>>>
>>>>> DEFAULT* 0 U U
>>>>>
>>>>>
>>>>> Best Regards,
>>>>> *Mohammad Moghaddas*
>>>>>
>>>>>
>>>>>
>>>>> On Fri, Feb 14, 2014 at 1:13 AM, Tony Singh <[email protected]> wrote:
>>>>>
>>>>> >
>>>>> > Border Status UP/DOWN AuthFail Version DOWN Reason
>>>>> > 172.31.255.14 INACTIVE DOWN 0 3.1
>>>>> >
>>>>> > That's not good for a start, second why are your customer routes in the
>>>>> > same routing table sounds like you have no security policies tut tut
>>>>> >
>>>>> > can you post
>>>>> >
>>>>> > show pfr master
>>>>> > show pfr master traffic-class
>>>>> > sh run | s key-chain
>>>>> >
>>>>> > On both BR's
>>>>> >
>>>>> > Is the GRE tunnel up/up between the BR's
>>>>> >
>>>>> > The major 3. number must match between your MC and BR the minor .1 on MC
>>>>> > must be greater or equal to the BR's minor version
>>>>> >
>>>>> > For echo probe you don't need ip sla responder for the other tcp-connect
>>>>> > operations you do on the remote side
>>>>> >
>>>>> > --
>>>>> > BR
>>>>> >
>>>>> > Tony
>>>>> >
>>>>> > Sent from my iPad
>>>>> >
>>>>> > > On 13 Feb 2014, at 13:45, Mohammad Moghaddas <[email protected]> wrote:
>>>>> > >
>>>>> > > Hi.
>>>>> > >
>>>>> > > I hope you are all doing well, and I'm sorry for posting such a long OT.
>>>>> > > Straight to the issue, we have one 7609S which its IOS is 15.1(3)S. I
>>>>> > > should note that this is an ISP environment and this router has 15
>>>>> > > private IX peers, and 5 Exit links.
>>>>> > > I've configured the router being MC and BR the same time, 1 Internal
>>>>> > > interface, and 5 External interface.
>>>>> > > Each exit link has specific customers, we have separated each link's
>>>>> > > customers using ACL. When customer's TX traffic reaches the Internal
>>>>> > > interface, they are routed using PBR (default next-hop) to their
>>>>> > > specific exit link. Also these ACLs are referenced in a route-map
>>>>> > > assigned to each exit BGP peer, so we only advertise the customers to
>>>>> > > their specific exit BGP peer.
>>>>> > > We have categorized our BGP peers in 3 template peer-policy.
>>>>> > >
>>>>> > > *The issue is that, I see PFR configuring /30 STATIC routes to exit
>>>>> > > links (it should be /24), and much more important for me, no inbound
>>>>> > > optimization is happening.*
>>>>> > >
>>>>> > > Below you will find some partial logging plus the configurations.
>>>>> > > And I'm again sorry for such a long post.
>>>>> > >
>>>>> > > Feb 13 16:41:43: %OER_MC-5-NOTICE: Uncontrol Prefix 85.133.140.168/30, Couldn't find the best exit
>>>>> > > Feb 13 16:41:43: %OER_MC-5-NOTICE: Uncontrol Prefix 85.133.140.168/30, Couldn't choose exit in prefix timeout
>>>>> > > Feb 13 16:41:43: %OER_MC-5-NOTICE: Range Entrance OOP BR 172.31.255.14, i/f Tu108, percent 100. Other BR 172.31.255.14, i/f Gi8/0/0 percent 15
>>>>> > > Feb 13 16:41:43: %OER_MC-5-NOTICE: Load Entrance OOP BR 172.31.255.14, i/f Tu108, load 33000 policy 31350
>>>>> > > Feb 13 16:41:43: %OER_MC-5-NOTICE: Entrance 172.31.255.14 intf Tu108 OOP, Tx BW 24, Rx BW 33000, Tx Load 0, Rx Load 100
>>>>> > > Feb 13 16:41:43: %OER_MC-5-NOTICE: Uncontrol Prefix 220.98.114.8/30, Couldn't find the best exit
>>>>> > > Feb 13 16:41:43: %OER_MC-5-NOTICE: Uncontrol Prefix 220.98.114.8/30, Couldn't choose exit in prefix timeout
>>>>> > > Feb 13 16:41:46: %OER_MC-5-NOTICE: Uncontrol Prefix 217.169.166.40/30, Couldn't choose exit in prefix timeout
>>>>> > > Feb 13 16:41:48: %OER_MC-5-NOTICE: Route changed Prefix 188.253.53.96/30, BR 172.31.255.14, i/f Gi8/0/0, Reason Utilization, OOP Reason Timer Expired
>>>>> > >
>>>>> > > route-map CHNG_GW permit 10
>>>>> > > description ***CUST1 through EXIT1***
>>>>> > > match ip address CUST1
>>>>> > > set ip default next-hop 10.30.148.169
>>>>> > > route-map CHNG_GW permit 11
>>>>> > > description ****CUST2 through EXIT2****
>>>>> > > match ip address CUST2
>>>>> > > set ip default next-hop 172.16.108.2
>>>>> > > route-map CHNG_GW permit 12
>>>>> > > description ****CUST3 through EXIT3****
>>>>> > > match ip address CUST3
>>>>> > > set ip default next-hop 172.16.101.2
>>>>> > > route-map CHNG_GW permit 13
>>>>> > > description ****CUST4 through EXIT2****
>>>>> > > match ip address CUST4
>>>>> > >
>>>>> > > !! All other customers are routed using the PRIMARY default route. !!
>>>>> > >
>>>>> > > ip route 0.0.0.0 0.0.0.0 192.168.64.1 name PRIMARY
>>>>> > > ip route 0.0.0.0 0.0.0.0 10.30.148.169 5 name PFR
>>>>> > > ip route 0.0.0.0 0.0.0.0 172.16.101.2 6 name PFR
>>>>> > > ip route 0.0.0.0 0.0.0.0 172.16.105.2 7 name PFR
>>>>> > > ip route 0.0.0.0 0.0.0.0 172.16.108.2 8 name PFR
>>>>> > >
>>>>> > > template peer-policy CUST_BGP
>>>>> > > route-map BGP_CUST_NO-OUT out
>>>>> > > default-originate
>>>>> > > soft-reconfiguration inbound
>>>>> > > send-community both
>>>>> > > exit-peer-policy
>>>>> > > !
>>>>> > > template peer-policy BW_UPLINKS
>>>>> > > prefix-list ISP_IX-in in
>>>>> > > next-hop-self all
>>>>> > > soft-reconfiguration inbound
>>>>> > > send-community both
>>>>> > > exit-peer-policy
>>>>> > > !
>>>>> > > template peer-policy IX
>>>>> > > route-map IX_BGP-OUT out
>>>>> > > prefix-list ISP_IX-in in
>>>>> > > next-hop-self all
>>>>> > > soft-reconfiguration inbound
>>>>> > > send-community both
>>>>> > >
>>>>> > > pfr master
>>>>> > > policy-rules PFR_BGP
>>>>> > > max-range-utilization percent 80
>>>>> > > logging
>>>>> > > !
>>>>> > > border 172.31.255.14 key-chain OER
>>>>> > > interface GigabitEthernet8/0/0 external
>>>>> > > max-xmit-utilization percentage 95
>>>>> > > maximum utilization receive percentage 95
>>>>> > > interface Tunnel101 external
>>>>> > > max-xmit-utilization percentage 95
>>>>> > > maximum utilization receive percentage 95
>>>>> > > interface Tunnel108 external
>>>>> > > max-xmit-utilization percentage 95
>>>>> > > maximum utilization receive percentage 95
>>>>> > > interface Tunnel105 external
>>>>> > > max-xmit-utilization percentage 95
>>>>> > > maximum utilization receive percentage 95
>>>>> > > interface POS8/1/0 external
>>>>> > > max-xmit-utilization percentage 95
>>>>> > > maximum utilization receive percentage 95
>>>>> > > interface GigabitEthernet5/1 internal
>>>>> > > !
>>>>> > > learn
>>>>> > > throughput
>>>>> > > inside bgp
>>>>> > > periodic-interval 0
>>>>> > > monitor-period 1
>>>>> > > prefixes 200 applications 200
>>>>> > > expire after time 30
>>>>> > > max range receive percent 80
>>>>> > > backoff 150 150
>>>>> > > mode route control
>>>>> > > mode monitor fast
>>>>> > > periodic 150
>>>>> > > no resolve delay
>>>>> > > no resolve range
>>>>> > > !
>>>>> > > active-probe tcp-conn 216.239.32.20 target-port 80
>>>>> > > active-probe tcp-conn 216.239.32.20 target-port 443
>>>>> > > active-probe echo 4.2.2.4
>>>>> > > active-probe echo 8.8.8.8
>>>>> > > active-probe tcp-conn 173.194.34.53 target-port 443
>>>>> > > active-probe tcp-conn 46.228.47.114 target-port 80
>>>>> > > active-probe echo 4.2.2.1
>>>>> > > active-probe echo 8.8.4.4
>>>>> > > active-probe echo 4.2.2.2
>>>>> > > pfr border
>>>>> > > local Loopback17231255
>>>>> > > master 172.31.255.14 key-chain OER
>>>>> > > active-probe address source interface GigabitEthernet5/1
>>>>> > > pfr-map PFR_BGP 10
>>>>> > > match pfr learn inside
>>>>> > > set mode route control
>>>>> > > set mode monitor passive
>>>>> > > set resolve utilization priority 1 variance 10
>>>>> > > no set resolve delay
>>>>> > > no set resolve range
>>>>> > >
>>>>> > > show pfr master:
>>>>> > > OER state: ENABLED and INACTIVE
>>>>> > > Conn Status: SUCCESS, PORT: 3949
>>>>> > > Version: 3.1
>>>>> > > Number of Border routers: 1
>>>>> > > Number of Exits: 5
>>>>> > > Number of monitored prefixes: 0 (max 5000)
>>>>> > > Max prefixes: total 5000 learn 2500
>>>>> > > Prefix count: total 0, learn 0, cfg 0
>>>>> > > PBR Requirements met
>>>>> > > Nbar Status: Inactive
>>>>> > >
>>>>> > > Border Status UP/DOWN AuthFail Version DOWN Reason
>>>>> > > 172.31.255.14 INACTIVE DOWN 0 3.1
>>>>> > >
>>>>> > > OER master in special monitor mode
>>>>> > >
>>>>> > > Global Settings:
>>>>> > > max-range-utilization percent 80 recv 80
>>>>> > > rsvp post-dial-delay 0 signaling-retries 1
>>>>> > > mode route metric bgp local-pref 5000
>>>>> > > mode route metric static tag 5000
>>>>> > > trace probe delay 1000
>>>>> > > logging
>>>>> > > exit holddown time 60 secs, time remaining 0
>>>>> > >
>>>>> > > Default Policy Settings:
>>>>> > > backoff 150 150 150
>>>>> > > delay relative 50
>>>>> > > holddown 300
>>>>> > > periodic 150
>>>>> > > probe frequency 56
>>>>> > > number of jitter probe packets 100
>>>>> > > mode route control
>>>>> > > mode monitor fast
>>>>> > > mode select-exit good
>>>>> > > loss relative 10
>>>>> > > jitter threshold 20
>>>>> > > mos threshold 3.60 percent 30
>>>>> > > unreachable relative 50
>>>>> > > resolve utilization priority 13 variance 20
>>>>> > >
>>>>> > > Learn Settings:
>>>>> > > current state : DISABLED
>>>>> > > time remaining in current state : 0 seconds
>>>>> > > throughput
>>>>> > > no delay
>>>>> > > inside bgp
>>>>> > > monitor-period 5
>>>>> > > periodic-interval 5
>>>>> > > aggregation-type prefix-length 24
>>>>> > > prefixes 200 appls 200
>>>>> > > expire after time 30
>>>>> > >
>>>>> > >
>>>>> > > show pfr master policy:
>>>>> > > HT-CoreRT(config-pfr-mc)#do s pfr mas pol
>>>>> > > Default Policy Settings:
>>>>> > > backoff 150 150 150
>>>>> > > delay relative 50
>>>>> > > holddown 300
>>>>> > > periodic 150
>>>>> > > probe frequency 56
>>>>> > > number of jitter probe packets 100
>>>>> > > mode route control
>>>>> > > mode monitor fast
>>>>> > > mode select-exit good
>>>>> > > loss relative 10
>>>>> > > jitter threshold 20
>>>>> > > mos threshold 3.60 percent 30
>>>>> > > unreachable relative 50
>>>>> > > resolve utilization priority 13 variance 20
>>>>> > > oer-map PFR_BGP 10
>>>>> > > sequence no. 8444249301975040, provider id 1, provider priority 30
>>>>> > > host priority 0, policy priority 10, Session id 0
>>>>> > > match oer learn inside
>>>>> > > backoff 150 150 150
>>>>> > > delay relative 50
>>>>> > > holddown 300
>>>>> > > periodic 150
>>>>> > > probe frequency 56
>>>>> > > number of jitter probe packets 100
>>>>> > > *mode route control
>>>>> > > *mode monitor passive
>>>>> > > mode select-exit good
>>>>> > > loss relative 10
>>>>> > > jitter threshold 20
>>>>> > > mos threshold 3.60 percent 30
>>>>> > > unreachable relative 50
>>>>> > > next-hop not set
>>>>> > > forwarding interface not set
>>>>> > > *resolve utilization priority 1 variance 10
>>>>> > >
>>>>> > > Best Regards,
>>>>> > > *Mohammad Moghaddas*
>>>>> > > _______________________________________________
>>>>> > > Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos ::
>>>>> > >
>>>>> > > iPexpert on YouTube: www.youtube.com/ipexpertinc
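
An added example, not part of the thread or of any poster's configuration: a small Python parser for the `%OER_MC-5-NOTICE` lines quoted in the original post. It tallies prefix events whose mask length differs from the configured `aggregation-type prefix-length 24`, counts the reasons given for uncontrolled prefixes, and expresses each entrance load policy as a percentage of the reported Rx BW. The function and pattern names are hypothetical, and the sample is the thread's log excerpt with the mail wrapping undone.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the notices quoted in the thread, re-joined after mail wrapping.
SAMPLE_LOG = """\
Feb 13 16:41:43: %OER_MC-5-NOTICE: Uncontrol Prefix 85.133.140.168/30, Couldn't find the best exit
Feb 13 16:41:43: %OER_MC-5-NOTICE: Uncontrol Prefix 85.133.140.168/30, Couldn't choose exit in prefix timeout
Feb 13 16:41:43: %OER_MC-5-NOTICE: Range Entrance OOP BR 172.31.255.14, i/f Tu108, percent 100. Other BR 172.31.255.14, i/f Gi8/0/0 percent 15
Feb 13 16:41:43: %OER_MC-5-NOTICE: Load Entrance OOP BR 172.31.255.14, i/f Tu108, load 33000 policy 31350
Feb 13 16:41:43: %OER_MC-5-NOTICE: Entrance 172.31.255.14 intf Tu108 OOP, Tx BW 24, Rx BW 33000, Tx Load 0, Rx Load 100
Feb 13 16:41:43: %OER_MC-5-NOTICE: Uncontrol Prefix 220.98.114.8/30, Couldn't find the best exit
Feb 13 16:41:43: %OER_MC-5-NOTICE: Uncontrol Prefix 220.98.114.8/30, Couldn't choose exit in prefix timeout
Feb 13 16:41:46: %OER_MC-5-NOTICE: Uncontrol Prefix 217.169.166.40/30, Couldn't choose exit in prefix timeout
Feb 13 16:41:48: %OER_MC-5-NOTICE: Route changed Prefix 188.253.53.96/30, BR 172.31.255.14, i/f Gi8/0/0, Reason Utilization, OOP Reason Timer Expired
"""

# Patterns written against the message shapes seen in the excerpt only.
PREFIX_EVT = re.compile(r"%OER_MC-5-NOTICE: (Uncontrol|Route changed) Prefix (\S+?)\s*,\s*(.*)$")
LOAD_OOP = re.compile(r"%OER_MC-5-NOTICE: Load Entrance OOP BR \S+, i/f (\S+), load (\d+) policy (\d+)")
ENTRANCE = re.compile(r"%OER_MC-5-NOTICE: Entrance \S+ intf (\S+) OOP, Tx BW \d+, Rx BW (\d+)")


def summarize(log_text, expected_len=24):
    """Tally prefix events whose mask differs from expected_len, the reasons
    given for uncontrolled prefixes, and entrance load OOP events."""
    off_len, reasons = Counter(), Counter()
    load_oop, rx_bw = {}, {}
    for line in log_text.splitlines():
        if m := PREFIX_EVT.search(line):
            kind, prefix, rest = m.groups()
            net = ipaddress.ip_network(prefix, strict=False)
            if net.prefixlen != expected_len:
                off_len[str(net)] += 1
            if kind == "Uncontrol":
                reasons[rest.strip()] += 1
        elif m := LOAD_OOP.search(line):
            load_oop[m.group(1)] = (int(m.group(2)), int(m.group(3)))
        elif m := ENTRANCE.search(line):
            rx_bw[m.group(1)] = int(m.group(2))
    # Express each load policy as a percentage of the interface's reported Rx BW,
    # so it can be compared with the configured receive utilization ceiling.
    entrances = {}
    for intf, (load, policy) in load_oop.items():
        pct = round(100 * policy / rx_bw[intf], 1) if intf in rx_bw else None
        entrances[intf] = {"load": load, "policy": policy, "policy_pct_of_rx_bw": pct}
    return off_len, reasons, entrances


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On this excerpt every prefix event carries a /30 mask, and the Tu108 load policy of 31350 works out to 95 percent of the reported Rx BW of 33000, the same figure as the configured `maximum utilization receive percentage 95`.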
