
BGP multihoming Question

gtuhindhaka
Level 1

Dear sir,

I have configured bgp in my router. Here is my configuration.

=======================

router bgp 38031
 bgp log-neighbor-changes
 network 203.112.72.0
 network 203.112.73.0
 network 203.112.74.0
 network 203.112.75.0
 network 203.112.76.0
 network 203.112.77.0
 network 203.112.78.0
 network 203.112.79.0
 network 203.112.72.0 mask 255.255.248.0
 neighbor 123.49.0.137 remote-as 17494
 neighbor 123.49.0.137 prefix-list default in
 neighbor 123.49.0.137 prefix-list bttb out
 neighbor 123.49.0.137 route-map localpref in
 neighbor 123.49.0.137 filter-list 1 out
 neighbor 202.133.15.105 remote-as 24399
 neighbor 202.133.15.105 description eBGP with ASIX-HKG AS-24399
 neighbor 202.133.15.105 version 4
 neighbor 202.133.15.105 prefix-list asixdefault in
 neighbor 202.133.15.105 prefix-list asix out
 neighbor 202.133.15.105 route-map localpref2 in
 neighbor 202.133.15.105 route-map asix-prepend out
!
ip prefix-list asix seq 10 permit 203.112.72.0/24
ip prefix-list asix seq 30 permit 203.112.79.0/24
!
ip prefix-list bttb seq 5 permit 203.112.72.0/21
ip prefix-list bttb seq 10 permit 203.112.72.0/24
ip prefix-list bttb seq 15 permit 203.112.79.0/24
ip prefix-list bttb seq 20 permit 203.112.77.0/24
route-map asix-prepend permit 10
 match ip address prefix-list asix
 set as-path prepend 38031 38031 38031 38031 38031 38031 38031 38031

===================================

In the above configuration, when both links are up, traffic for 203.112.79.0/24 should come through AS17494. And when AS17494 is down, traffic should automatically come through AS24399. But it's not happening.

When both links are up, huge traffic for 203.112.79.0/24 is coming through AS path 24399, which I don't want.

What to do to prevent this?

Please help me.

Thanks,

Tuhin

13 Replies

tdrais
Level 7

Everything looks ok in general.

To make sure you are sending what you think you are, issue:

sh ip bgp nei xxx.xxx.xxx.xxx advertised-routes

For the ASIX neighbor you really don't need both the prefix-list and route-map out. They are both using the same prefix list so you could just use the route-map.

You never really know what your partner AS is really doing. If they have public access, many times called a "Looking glass", you may be able to issue show BGP commands from routers in their AS to see what your prefixes look like. They may be overriding your settings.

If all else fails the solution that always works is conditional advertisement. This way you don't give them the routes until they are allowed to use them. This is not the best way since it is much slower to converge since your router must detect the problem rather than let it occur farther away in the network.

Thanks for your reply.

I have removed "neighbor 202.133.15.105 prefix-list asix out" from the bgp configuration as you suggested. And did clear ip bgp **** soft out. But still the same result.

What to do sir.

Thanks,

tuhin

Hi,

are you sure your neighbor is accepting your prepends?

Some ISPs don't allow their customers to prepend at all...

BR,

Milan

Hi,

I think they accept. Coz when I enable it I see the prepends in some looking glass.

Thanks

Tuhin

Do you actually have visibility to both Service Provider Edge Routers, please?

If you do, can you post the output? I guess this is all MPLS so I can't give you the exact command until I know more details.

Try this: sh ip bgp neighbor "x.x.x.x" where x equals the neighbor AS, in this case 202.133.15.105 paths

sh ip bgp neighbor "neighbor-as" paths. HTH

Actually, on MPLS PER you will need something like

show ip bgp vpnv4 vrf x:x neighbor x.x.x.x routes

Problem is that the customer normally does not care or know which VRF they are in. Anyway, your SP should provide you some web-based tool to give you a BGP table output from the router. I doubt they will give you telnet access to their routers.. :)

Rick Morris
Level 6

According to the route-views server your prepends are not propagating.

You need to verify with your ISP about accepting the advertisement. Also, I have seen many ISPs block advertisements with any prepends larger than 5; shorten the prepend to 3 ASes and see if that works.

Please see the txt file.

You are right sir. Seems my prepends are not propagating. But let me tell you something about what I do normally.

When I announce my prefixes with prepends my VSAT traffic becomes full, which I don't want, and it creates some problems. That's why I deny these prefixes.

But today I permitted them and checked in 7 route servers, which are below.

route-server.ip.att.net

route-server.as6667.net

route-server.ip.tiscali.net

route-server.host.net

route-server.savvis.net

route-server.he.net

route-views.oregon-ix.net

Among those I found my prepends only in one route server, which is route-server.host.net.

But my question is: if my prepends are not propagating, then how does traffic start to come when I start announcing prefixes with prepends?

Another interesting thing: when I check in route-server.host.net I found only one path, which is

At route-server.host.net

=========================

route-server>sh ip bgp 203.112.72.10
BGP routing table entry for 203.112.72.0/24, version 609156
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Flag: 0x820
  Not advertised to any peer
  13645 19151 9304 24399 38031 38031 38031 38031
    64.135.0.1 from 64.135.0.1 (64.135.0.1)
      Origin IGP, localpref 100, valid, external, best
      Community: 13645:3121
      Dampinfo: penalty 445, flapped 1 times in 00:02:35

=============

There should be 2 paths as I announced prefixes through both the links. And when I stopped announcing the prepends I found the below again.

route-server>sh ip bgp 203.112.72.10
BGP routing table entry for 203.112.72.0/24, version 610370
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Flag: 0x820
  Not advertised to any peer
  13645 3356 6762 17494 38031
    64.135.0.1 from 64.135.0.1 (64.135.0.1)
      Origin IGP, localpref 100, valid, external, best
      Community: 13645:3121
      Dampinfo: penalty 500, flapped 1 times in 00:00:01

Please advise.

Regards,

Tuhin
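Added example, not part of the original thread: a small Python parser for the two route-server outputs posted above, reporting which upstream each best path enters through and how many copies of the origin AS it carries. The function names are hypothetical; the AS numbers and output lines are taken from the thread.

```python
import re

ORIGIN_AS, PRIMARY_AS = 38031, 17494  # from the thread's configuration

# Route-server output copied from the thread (trimmed to the lines used here).
WITH_PREPEND = """\
BGP routing table entry for 203.112.72.0/24, version 609156
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Not advertised to any peer
  13645 19151 9304 24399 38031 38031 38031 38031
    64.135.0.1 from 64.135.0.1 (64.135.0.1)
      Origin IGP, localpref 100, valid, external, best
"""
WITHOUT_PREPEND = """\
BGP routing table entry for 203.112.72.0/24, version 610370
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Not advertised to any peer
  13645 3356 6762 17494 38031
    64.135.0.1 from 64.135.0.1 (64.135.0.1)
      Origin IGP, localpref 100, valid, external, best
"""

# An AS-path line consists only of whitespace-separated AS numbers.
AS_PATH_LINE = re.compile(r"^\s*\d+(?:\s+\d+)*\s*$")


def as_paths(show_ip_bgp):
    """Return each AS path in 'show ip bgp <prefix>' output as a list of ints."""
    return [[int(asn) for asn in line.split()]
            for line in show_ip_bgp.splitlines() if AS_PATH_LINE.match(line)]


def summarize(path, origin_as=ORIGIN_AS, primary_as=PRIMARY_AS):
    """Describe how a path reaches the origin: upstream, prepends, total length."""
    copies = 0
    while copies < len(path) and path[-1 - copies] == origin_as:
        copies += 1
    if copies == 0:
        raise ValueError(f"path {path} does not originate in AS{origin_as}")
    upstream = path[-1 - copies] if copies < len(path) else None
    return {"upstream": upstream, "origin_copies": copies,
            "length": len(path), "via_primary": upstream == primary_as}


def report(outputs):
    """Summarize every path found in a {label: output} mapping."""
    return {label: [summarize(p) for p in as_paths(text)]
            for label, text in outputs.items()}


if __name__ == "__main__":
    for label, rows in report({"with prepend": WITH_PREPEND,
                               "without prepend": WITHOUT_PREPEND}).items():
        print(label, rows)
```

Run against output from several route servers, the `via_primary` and `origin_copies` fields show at a glance where the prepended announcement is being selected and whether the prepend count seen matches the one configured.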

Hi,

IMHO,

ad "if my prepends are not propagating then how traffic start to come when i start announce prefixes with prepends"

Don't forget you are still advertising your prefixes to the other provider.

ad "There should be 2 paths as i announced prefixes through both the links."

No, as the neighbor router 64.135.0.1 is advertising only the best path for each prefix to the BGP neighbor route-server>.

One really interesting thing is why you could see 13645 19151 9304 24399 38031 38031 38031 38031 when you prepended 8x 38031.

Why don't you ask your 24399 neighbor what they are accepting and how they are manipulating your AS_PATH?

BR,

Milan

Hi,

Sorry that I forgot to mention one thing: I have now prepended 4x 38031, as someone in this conversation told me to reduce it.

Anyway, thanks for your reply.

Regards,

Tuhin

If everyone allowed for free traffic flow, issues like this would not occur. The agreements about amounts of traffic allowed to flow between ISPs and where they can flow tend to not make sense sometimes.

Since the non-prepended path is better, that is the one that is important to see. Even though the other one most likely also exists, it is hard to see sometimes in the public interfaces, since many times these are IBGP routers or other things that are not even routers.

Now if the path you are seeing contains the AS number on the path you did the prepend on, but it now does not contain the prepend, someone changed your path. If the path you see contains the AS number of your preferred provider, then the prepend is working.

If the path you see in the internet flows through the correct ISP but the traffic actually comes in via your prepended ISP, it is your primary ISP who is doing something.

Your primary ISP may have a peering with your secondary ISP. Even though they have a shorter AS path to you (1 hop), they may still send the traffic out to your other ISP. Now this could be the next hop out if both your ISPs peer with a common ISP. If you really want to find out, this site can help:

http://www.fixedorbit.com/

These types of issues are so frustrating. This is why I tell people you can only partially control your traffic.

Although a more complex solution conditional advertisement of the prefix should solve this.

You basically want to only send the routes to the provider you currently prepend to when you lose connectivity to the primary. What you choose to monitor to cause this advertisement is the tricky part. In general you want to watch a route that can show more than just physical circuit is down.
