Let’s talk about Peer-Groups, Session-Templates and Policy-Templates

We have a lot of BGP configuration across a number of devices. Most of these run IOS XE, but not all. This post is a walk-through of how to convert a ‘long-hand’ BGP config first into peer-groups, then into session-templates and policy-templates. We’ll move on to IOS XR configurations in another post.

Here is our initial ‘long-hand’ configuration:

neighbor 10.20.80.46 remote-as 65007
neighbor 10.20.80.46 description *** TEST PEER ***
neighbor 10.20.80.46 transport connection-mode passive
neighbor 10.20.80.46 password its_a_secret
neighbor 10.20.80.46 activate
neighbor 10.20.80.46 default-originate
neighbor 10.20.80.46 prefix-list DEFAULT-ROUTE out
neighbor 10.20.80.46 maximum-prefix 10

Exercise 1 – Peer-Groups
Let’s put this into a peer-group – it’s inside a VRF for extra complexity!

neighbor REDTEST peer-group
neighbor REDTEST remote-as 65100
neighbor REDTEST transport connection-mode passive
neighbor REDTEST password its_a_secret
neighbor REDTEST default-originate
neighbor REDTEST prefix-list DEFAULT_ROUTE out

Then we can add the neighbour:

neighbor 10.20.80.46 peer-group REDTEST
neighbor 10.20.80.46 description *** TEST PEER ***
neighbor 10.20.80.46 activate

As we are using an af-group for this peer, the peer ‘activate’ is required. As it happens, I have made it a requirement for the ipv4 af as well, which would automatically be enabled on an IOS-XE device. I’ve configured the other side as follows:

router bgp 65100
 bgp log-neighbor-changes
 neighbor 10.20.80.45 remote-as 1000
 neighbor 10.20.80.45 password its_a_secret
 !
 address-family ipv4
  neighbor 10.20.80.45 activate
 exit-address-family

So the completed configuration for the peer-group router is:

router bgp 1000
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv4 vrf RED
  neighbor REDTEST peer-group
  neighbor REDTEST remote-as 65100
  neighbor REDTEST transport connection-mode passive
  neighbor REDTEST password its_a_secret
  neighbor REDTEST default-originate
  neighbor REDTEST prefix-list DEFAULT_ROUTE out
  neighbor 10.20.80.46 peer-group REDTEST
  neighbor 10.20.80.46 description *** TEST PEER ***
  neighbor 10.20.80.46 activate
 exit-address-family

Exercise 2 – Session-Templates
First things first – session-templates and policy-templates do not play well with peer-groups, so I’ll need to delete the peer-group setup first. Another point to note is that the session/policy templates are set up in the main BGP configuration, not in the af as the peer-group was. The session template contains the settings for the connection/TCP session. Here is my conversion:

router bgp 1000
 template peer-session TESTSESSION
  remote-as 65100
  transport connection-mode passive
  password its_a_secret
 exit-peer-session

The other data needs to go in the normal place and the neighbour needs to inherit the session template:

 address-family ipv4 vrf RED
  neighbor 10.20.80.46 inherit peer-session TESTSESSION
  neighbor 10.20.80.46 description *** TEST PEER ***
  neighbor 10.20.80.46 activate
  neighbor 10.20.80.46 default-originate
  neighbor 10.20.80.46 prefix-list DEFAULT_ROUTE out
  neighbor 10.20.80.46 maximum-prefix 10
 exit-address-family

This all works well and the partner router is getting the default route sent over.

Exercise 3 – Policy Templates
The last task in this post is to wrap up all the routing-policy settings into policy templates. This is done with the template peer-policy statement.

router bgp 1000
 template peer-policy TESTPOLICY
  prefix-list DEFAULT_ROUTE out
  default-originate
  maximum-prefix 10
 exit-peer-policy

Then inherit as before:

 address-family ipv4 vrf RED
  neighbor 10.20.80.46 inherit peer-session TESTSESSION
  neighbor 10.20.80.46 description *** TEST PEER ***
  neighbor 10.20.80.46 activate
  neighbor 10.20.80.46 inherit peer-policy TESTPOLICY
 exit-address-family

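Again, this all works fine and the other side is getting the default route.

Exercise 4 – Overrides
This test shows that we can override the settings in the policy or session template by adding them to the individual peer stanza. Here the session template carries the password not_a_secret, while the neighbour stanza sets its_a_secret, the value configured on the other side.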

router bgp 1000
 template peer-policy TESTPOLICY
  prefix-list DEFAULT_ROUTE out
  default-originate
  maximum-prefix 10
 exit-peer-policy
 !
 template peer-session TESTSESSION
  remote-as 65100
  transport connection-mode passive
  password not_a_secret
 exit-peer-session
 !
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv4 vrf RED
  neighbor 10.20.80.46 inherit peer-session TESTSESSION
  neighbor 10.20.80.46 description *** TEST PEER ***
  neighbor 10.20.80.46 password its_a_secret
  neighbor 10.20.80.46 activate
  neighbor 10.20.80.46 inherit peer-policy TESTPOLICY
 exit-address-family
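
The override rule from Exercise 4, as an added example that is not part of the original post: Python that resolves each neighbour's effective settings (inherited template lines first, per-neighbour lines on top) and lists neighbours that end up with no password or maximum-prefix. The function names effective and audit, the trimmed sample config and the bare neighbour 10.20.80.47 are constructed for illustration, and the parser assumes a single address family.

```python
# Constructed sample: trimmed from the post's Exercise 4 config, plus one invented neighbor (.47).
CONFIG = """\
router bgp 1000
 template peer-policy TESTPOLICY
  prefix-list DEFAULT_ROUTE out
  default-originate
  maximum-prefix 10
 exit-peer-policy
 template peer-session TESTSESSION
  remote-as 65100
  password not_a_secret
 exit-peer-session
 address-family ipv4 vrf RED
  neighbor 10.20.80.46 inherit peer-session TESTSESSION
  neighbor 10.20.80.46 password its_a_secret
  neighbor 10.20.80.46 inherit peer-policy TESTPOLICY
  neighbor 10.20.80.47 remote-as 65101
 exit-address-family
"""

def effective(config):
    """Resolve each neighbor's settings: inherited template lines, then direct lines on top."""
    templates, direct, inherits, current = {}, {}, {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("template peer-"):
            current = templates.setdefault(tuple(line.split()[1:3]), {})
        elif line.startswith("exit-peer-"):
            current = None
        elif current is not None and line.strip("!"):  # skip blank and "!" separator lines
            key, _, rest = line.partition(" ")
            current[key] = rest
        elif line.startswith("neighbor "):
            _, peer, key, *rest = line.split()
            if key == "inherit":
                inherits.setdefault(peer, []).append(tuple(rest[:2]))
            else:
                direct.setdefault(peer, {})[key] = " ".join(rest)
    result = {}
    for peer in sorted(direct.keys() | inherits.keys()):
        merged = {}
        for ref in inherits.get(peer, []):
            merged.update(templates.get(ref, {}))
        result[peer] = {**merged, **direct.get(peer, {})}  # per-neighbor lines win
    return result

def audit(config, required=("password", "maximum-prefix")):
    """Map each neighbor to the required settings it neither inherits nor sets itself."""
    gaps = {p: [k for k in required if k not in s] for p, s in effective(config).items()}
    return {p: missing for p, missing in gaps.items() if missing}
```

Run against a saved running-config, audit() gives a quick list of peers that fell outside the templates and so have no session password or prefix limit.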