03-21-2008 01:55 PM - edited 03-03-2019 09:14 PM
I am trying to have all incoming traffic come in from one ISP and use the other as the failover. I have all outgoing traffic working fine, but incoming always uses the backup ISP, which is a slower speed. What is missing?
router bgp 99999
no synchronization
bgp log-neighbor-changes
bgp dampening
network x.x.x.0
neighbor 69.xx.xx.xx remote-as 1111
neighbor 69.xx.xx.xx ebgp-multihop 3
neighbor 69.xx.xx.xx timers 10 30
neighbor 69.xx.xx.xx filter-list 2 in
neighbor 69.xx.xx.xx filter-list 3 out
neighbor 69.xx.xx.xx weight 2000
neighbor 144.xx.xx.xx remote-as 2222
neighbor 144.xx.xx.xx description Backup ISP
neighbor 144.xx.xx.xx timers 10 30
neighbor 144.xx.xx.xx route-map prepend out
neighbor 144.xx.xx.xx filter-list 1 in
neighbor 144.xx.xx.xx filter-list 3 out
neighbor 144.xx.xx.xx weight 100
no auto-summary
ip as-path access-list 1 permit ^2222_[0-9]*$
ip as-path access-list 2 permit ^1111_[0-9]*$
ip as-path access-list 3 permit ^$
route-map prepend permit 10
set as-path prepend 99999 99999 99999
03-21-2008 02:12 PM
Hi,
Prepending will not totally eliminate the incoming traffic from backup ISP. The "best" it can do is to minimize the incoming traffic from backup ISP by making this path longer.
Try advertising your network with a longer prefix to the primary ISP and with a shorter prefix to the backup ISP. For example, if your network is a /24, advertise it to the primary ISP as 2 x /25 and to the backup ISP as a /24.
Regards,
Dandy
03-21-2008 02:14 PM
Duh, double-post
03-21-2008 03:08 PM
George,
Bear in mind that the ISP that you select as secondary will look at the prefix it receives from you with the as-path prepended and the one it receives from its peer(s) and/or transit ISP(s), and will base its best path decision on the shortest AS PATH but more importantly on the local preference.
ISPs usually prefer routes in the following order using local preference; customer, peer and finally transit routes. This is probably why you are seeing some traffic coming from your secondary ISP. Some providers allow their customers to send them specific community attributes to change the local preference they assign to their routes. This could be one way to make sure that the secondary ISP will only be used in failover scenario.
Check with your ISP to find out if they will let you influence the local preference they assign to your routes.
The other way to make sure the traffic always comes via the primary (except in case of failover) is to use BGP conditional advertisement. For more information on this feature, refer to the following link:
http://www.cisco.com/warp/public/459/cond_adv.html
Regards,
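Added example (not part of the original thread): a simplified model of the path choice inside the backup ISP (AS 2222) that the two replies above describe, covering prepend alone, prepend plus a community that lowers local preference, and the 2 x /25 more-specific advertisement. The prefix 192.0.2.0/24, the local-preference values, and the assumption that AS 2222 hears the prefix through a peering with AS 1111 are constructed for illustration; only local preference and AS-path length are modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed policy: customer > peer > transit (values are assumptions).
LOCAL_PREF = {"customer": 200, "peer": 100, "transit": 50}

@dataclass(frozen=True)
class Route:
    prefix: str          # e.g. "192.0.2.0/24"
    as_path: tuple       # AS numbers, nearest first
    learned_from: str    # "customer", "peer" or "transit"
    local_pref: int = 0  # 0 means "use the policy default"

    def pref(self):
        return self.local_pref or LOCAL_PREF[self.learned_from]

def best_path(routes):
    """Simplified BGP decision: highest local preference, then shortest AS path."""
    return max(routes, key=lambda r: (r.pref(), -len(r.as_path)))

def forward(rib, dst):
    """Longest-prefix match first, then best path among routes for that prefix."""
    matches = [r for r in rib if ip_address(dst) in ip_network(r.prefix)]
    longest = max(ip_network(r.prefix).prefixlen for r in matches)
    return best_path([r for r in matches
                      if ip_network(r.prefix).prefixlen == longest])

def scenarios():
    pfx = "192.0.2.0/24"  # constructed documentation prefix
    # Path sent straight to the backup ISP: own AS plus three prepends.
    direct = Route(pfx, (99999,) * 4, "customer")
    # Same prefix as the backup ISP hears it through the primary ISP.
    via_primary = Route(pfx, (1111, 99999), "peer")
    # Direct path after a community asks the backup ISP for a low local-pref.
    lowered = Route(pfx, (99999,) * 4, "customer", local_pref=50)
    # The two /25s advertised only to the primary ISP.
    halves = [Route(p, (1111, 99999), "peer")
              for p in ("192.0.2.0/25", "192.0.2.128/25")]
    return {
        "prepend_only": best_path([direct, via_primary]).learned_from,
        "with_community": best_path([lowered, via_primary]).learned_from,
        "more_specifics": forward([direct] + halves, "192.0.2.200").prefix,
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

With prepend alone the backup ISP still selects the direct customer route, because local preference is compared before AS-path length.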
03-22-2008 02:16 PM
Great advice from Harold as usual :-)
03-28-2008 01:08 PM
Hi Harold,
Local preference point is perfect. In fact I have to work on the same scenario: 2 ISPs, 2 customer rtrs. I am planning to go with HSRP on the LAN end of the rtrs. So, still the best choice to choose a perfect primary & backup path is to use communities to affect the backup ISP's (preferably) local preference rather than AS-path prepend.
Is that correct..?
please suggest.
Thank you in advance.
MS
03-29-2008 08:35 AM
Mehboob,
The method of signalling the local preference to your ISP is usually used in conjunction with the as-path prepend.
So on the backup ISP you would prepend your own AS a couple of times (as needed) and you would also send a community to the ISP to indicate that you want it to prefer any routes received either from a peer or transit.
Once again, the conditional advertisement is the only technique that will absolutely make sure that the backup ISP is only used in case of a failure of the primary.
Regards,
03-29-2008 11:05 AM
Hi Harold,
Thank you for your suggestion and time. So based on the below configs... (considering 1.1.1.0/24 is our own RIPE assigned public space...)
RTR-A: 10MB Fast Ether to ISP-A
router bgp 42460
no synchronization
bgp log-neighbor-changes
network 1.1.1.0 mask 255.255.255.0
network 10.10.10.4 mask 255.255.255.224
neighbor 213.10.96.48 remote-as 21530
neighbor 213.10.96.48 ebgp-multihop 255
neighbor 213.10.96.48 remove-private-as
neighbor 213.10.96.48 soft-reconfiguration inbound
neighbor 213.10.96.48 distribute-list 15 out
neighbor 213.10.96.49 remote-as 21530
neighbor 213.10.96.49 ebgp-multihop 255
neighbor 213.10.96.49 remove-private-as
neighbor 213.10.96.49 soft-reconfiguration inbound
neighbor 213.10.96.49 distribute-list 15 out
no auto-summary
!
interface FastEthernet0/1
description LAN
ip address 1.1.1.2 255.255.255.0
standby 10 ip 1.1.1.1
standby 10 preempt delay minimum 60
standby 10 priority 155
standby 10 track FastEthernet0/0
!
distribute-list 15 : has ACL permits 1.1.1.0/24 and other /28 range to ISP-A
-----------------------------------
ISP-B : 2MB via Serial0/0
router bgp 42460
no synchronization
bgp log-neighbor-changes
network 1.1.1.0 mask 255.255.255.0
neighbor 229.23.50.157 remote-as 6466
neighbor 229.23.50.157 next-hop-self
neighbor 229.23.50.157 soft-reconfiguration inbound
neighbor 229.23.50.157 route-map set-as-path out
!
ip prefix-list ISP-B seq 10 permit 1.1.1.0/24
ip prefix-list ISP-B seq 20 deny 0.0.0.0/0 le 32
!
route-map set-as-path permit 10
match ip address prefix-list ISP-B
set as-path prepend 42460 42460 42460 42460 42460
!
interface FastEthernet0/1
description LAN
ip address 1.1.1.3 255.255.255.0
standby 10 ip 1.1.1.1
standby 10 preempt
standby 10 priority 150
______________________________________
To make ISP-B a strict backup, I also have to use a community (sent out) to ISP-B to prefer routes from my peer only rather than from other peer/transit. (I noted you prefer conditional advertisement, but could not find an example with dual local rtrs/dual ISPs.)
Also, as the rtrs reside outside of the firewall and are not communicating with any internal IGP (in the LAN), do I still need IBGP between these routers..? Or are the configs I mentioned sufficient..?
Please suggest.
Thank you in advance
MS
03-29-2008 12:33 PM
Hi Mehboob,
Yes, you would indeed need to send a special community to ISP-B and add the command "neighbor
As for conditional advertisement, it is possible to configure it with two routers. It requires iBGP between the two routers so that the backup can be informed that a given route to the Internet is not available anymore via the primary provider and then start advertising the local prefix(es) to the Internet.
Regards,
03-29-2008 12:39 PM
Mehboob,
I forgot to answer your second question. In a primary/backup scenario, you do not necessarily need to run iBGP between the two routers.
Regards,
03-29-2008 01:43 PM
Hi Harold,
Thank you for your quick reply and valuable suggestions. I will definitely get in touch with ISP-B for community information to adjust local preference (in this case I believe ISP-B needs to lower local pref for routes from my rtr).
Also, in fact, I did a test last week with the same scenario (AS path but no community & no IBGP) with one exception..
ISP-A rtr: 'no synchronization'
ISP-B rtr: synchronization
So even if I connect a laptop directly to the switch where these 2 rtrs' LAN i/f connect, when HSRP rollover happens, it took 4-5 mins to go to the internet via ISP-B (no carrier issues at that time). So is 'synchronization' (enabled on one and disabled on another) causing the issue..?
Please suggest...
Thank you
Mehboob
03-31-2008 09:54 AM
Hi Harold / any BGP Gurus,
Any suggestions on the above..?
Thank you
MS
03-31-2008 10:47 AM
Mehboob,
The synchronization has nothing to do with it. Was the 4-5 minutes related to link failure detection? What kind of link failure was it? How is your HSRP configured to fail over? Just link down?
Regards,
03-31-2008 11:59 AM
The 4-5 min delay is to route the traffic via the secondary ISP (ISP-B). Link failure and HSRP takeover are happening with no issues. HSRP is configured to fail over on a priority basis and is tracking the public interface on the ISP-A connected rtr.
The config is very similar to the one I posted here (above), and both routers' LAN ports and the laptop port are configured in the same VLAN on the external switch.
Thank you
MS
03-31-2008 12:26 PM
Mehboob,
You should check if the advertised routes from your router connected to ISP-B are seen on the Internet. You can do that using an Internet looking glass.
The other possibility is that your ISP is using BGP route dampening, which would potentially penalize your route(s).
Regards,