Multihoming Traffic Management

Unanswered Question
Feb 18th, 2009

Hi,

I am using a multihoming setup and have Internet links from two different ISPs.

I have hosted sites and VPN running over these two links.

Can I somehow control the incoming traffic to my hosted site over one link and dedicate the other one to VPN and other traffic?

Please help. Thanks in advance!

Kerem Gursu Wed, 02/18/2009 - 06:54

Hello Ghanshyam,

First of all, I would like to ask if you have the hosted sites and the VPN segment on the same IP segment?

Having both hosted sites and VPN segment on "different" subnets will allow you to perform a conditional BGP advertisement to both of your upstream providers.

Please separate the segments of hosted sites and VPN and create prefix lists for these subnets. After creating the prefix lists, you need to create route-maps and permit outbound the related segment to the related ISP:

    ip prefix-list HOSTED_SITES permit x/24
    ip prefix-list VPN_SEGMENT permit y/24
    !
    route-map TO-ISP-A-OUTBOUND permit 10
     match ip address prefix-list HOSTED_SITES
    !
    route-map TO-ISP-B-OUTBOUND permit 10
     match ip address prefix-list VPN_SEGMENT
    !
    router bgp xyz
     neighbor A route-map TO-ISP-A-OUTBOUND out
     neighbor B route-map TO-ISP-B-OUTBOUND out

After you apply this configuration, you will be advertising HOSTED_SITES to ISP A and VPN_SEGMENT to ISP B. But please remember that you are NOT announcing these segments to both ISPs, so if one of your links goes down, your announcement to that ISP will also be down, leaving your subnet unreachable. If you are considering redundancy, please let me know the current IP structure of your hosted sites and VPN segment.

Hope to help,

Kerem

ghanshyam.saini Wed, 02/18/2009 - 07:07

Thanks for the reply, Kerem,

I am using the same /24 subnet for hosted sites and VPNs.

I have to consider redundancy at all times.

Yes, it is possible to advertise two different /24s over two different links, but is it possible to have redundancy in this case? I have the subnet available with me.

Please suggest.

guruprasadr Wed, 02/18/2009 - 07:28

Hi ghanshyam, [Pls RATE if HELPS]

Please see below the sample plan and the configuration:

1. Consider your company has a /23 supernet from APNIC/RIPE

2. The /23 supernet is further subnetted into two /24 segments (VPN & Hosted Sites)

3. The VPN has to flow via ISP-1 and Hosted Sites via ISP-2

4. If ISP-1 fails, the respective traffic is to be backed up via ISP-2 (and vice versa)

5. Advertise the /23 supernet to both ISPs

6. Advertise one /24 as normal to an ISP and the other /24 with AS-prepend (and vice versa)

7. This will influence the reverse traffic flow

8. Use "set ip next-hop" in route-maps to influence the forward traffic from the CE.

Start of Configuration:

========================

    router bgp 12345
     bgp log-neighbor-changes
     neighbor aaa.bbb.ccc.ddd remote-as XXXX
     neighbor aaa.bbb.ccc.ddd description *** EBGP with ISP1 ***
     neighbor eee.fff.ggg.hhh remote-as XXXX
     neighbor eee.fff.ggg.hhh description *** EBGP with ISP2 ***
     !
     address-family ipv4
      neighbor aaa.bbb.ccc.ddd activate
      neighbor aaa.bbb.ccc.ddd prefix-list Supernet-OUT out
      neighbor aaa.bbb.ccc.ddd route-map ISP-1 out
      neighbor eee.fff.ggg.hhh activate
      neighbor eee.fff.ggg.hhh prefix-list Supernet-OUT out
      neighbor eee.fff.ggg.hhh route-map ISP-2 out
      no auto-summary
      no synchronization
     exit-address-family
    !
    ! Only the /23 and its /24s may leave the AS
    ip prefix-list Supernet-OUT seq 5 permit xxx.yyy.zzz.0/23 le 24
    !
    ! Pry = the /24 sent unmodified to that ISP, Sec = the /24 sent prepended
    ip prefix-list ISP1-Sec-out seq 5 permit xxx.yyy.zzz.0/24
    !
    ip prefix-list ISP1-Pry-out seq 5 permit xxx.yyy.zzz.0/24
    !
    ip prefix-list ISP2-Sec-out seq 5 permit xxx.yyy.zzz.0/24
    !
    ip prefix-list ISP2-Pry-out seq 5 permit xxx.yyy.zzz.0/24
    !
    route-map ISP-1 permit 10
     match ip address prefix-list ISP1-Sec-out
     set as-path prepend 12345 12345 12345 12345 12345
    !
    route-map ISP-1 permit 20
     match ip address prefix-list ISP1-Pry-out
    !
    ! Let the /23 supernet through; the implicit deny would otherwise drop it
    route-map ISP-1 permit 30
    !
    route-map ISP-2 permit 10
     match ip address prefix-list ISP2-Sec-out
     set as-path prepend 12345 12345 12345 12345 12345
    !
    route-map ISP-2 permit 20
     match ip address prefix-list ISP2-Pry-out
    !
    ! Let the /23 supernet through; the implicit deny would otherwise drop it
    route-map ISP-2 permit 30
    !

Hope I am Informative.

Pls RATE if HELPS

Best Regards,

Guru Prasad R

ghanshyam.saini Wed, 02/18/2009 - 19:47

Thanks Prasad for the info.

Actually for this location I have only one /24. I have another /23 but it will be difficult for me to change all the IPs in use now.

Can we do something for one /24 subnet?

I'll be using the /23 for my other location, where I can use the details you provided.

Please suggest.

Kerem Gursu Wed, 02/18/2009 - 07:29

Hello Ghanshyam,

If you are able to announce both of these subnets over two different /24s, you are going to be able to aggregate these subnets and have redundancy.

Let's assume that subnets x and y are contiguous. You will need to add another aggregated supernet to the prefix lists and permit this aggregate within the outbound route map.

    ip prefix-list HOSTED_SITES permit x/24
    ip prefix-list VPN_SEGMENT permit y/24
    ip prefix-list AGGREGATE permit (x and y supernet)/23
    !
    route-map TO-ISP-A-OUTBOUND permit 10
     match ip address prefix-list HOSTED_SITES
    route-map TO-ISP-A-OUTBOUND permit 20
     match ip address prefix-list AGGREGATE
    !
    route-map TO-ISP-B-OUTBOUND permit 10
     match ip address prefix-list VPN_SEGMENT
    route-map TO-ISP-B-OUTBOUND permit 20
     match ip address prefix-list AGGREGATE
    !
    router bgp xyz
     neighbor A route-map TO-ISP-A-OUTBOUND out
     neighbor B route-map TO-ISP-B-OUTBOUND out

Hope to help,

Kerem

ghanshyam.saini Thu, 02/19/2009 - 00:56

Hi,

For this location I have only a /24 subnet. I have another /23 but it is not contiguous. I am facing the problem that my incoming traffic is high and is choking one link, while for outgoing I can select the link. What can we do in this case?

Second: if I use a /23 (2 x /24) in another location for a single site, can I distribute the incoming traffic over the links?

Thanks in advance.

Kerem Gursu Thu, 02/19/2009 - 01:08

Hello Ghanshyam,

For your first question, in order to load balance your traffic, you definitely need to separate your IP blocks and announce them accordingly. But to conserve your redundancy, you need to have an aggregate route announced to both of your ISPs. Technically you do not need a /23 to have an aggregate route, but most ISPs have filters that do not allow advertisements below /24 prefixes.

With your current IP structure, you can divide your /24 segment into two /25s and announce them accordingly, but this action will lead to your prefixes being filtered somewhere on the Internet. So the minimum recommendation is a /23 aggregate and two /24s as segments.

For your second question , I would like to have more information before making any comments.

Hope to help,

Mohamed Sobair Thu, 02/19/2009 - 01:41

ghanshyam,

Most of the ISPs don't accept "LESSER" than /24 prefix, but it's still possible. You can either announce your most prefix length and have them agree on that, OR prepend your network from the second link so that it's preferred on the desired path.

HTH

Mohamed
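
Added example (not code from any poster in this thread): a small Python model of the announcement plans discussed above, showing which ISP attracts inbound traffic under longest-prefix match with and without the aggregate, and what happens when a /24 is split into /25s. The prefixes are constructed samples, the ISP and function names are hypothetical, and the /24 filter limit is an assumption taken from the replies.

```python
import ipaddress

# Assumption (from the thread): upstream filters reject prefixes longer than /24.
MAX_PREFIXLEN = 24

def plan(block, isp_low="ISP-A", isp_high="ISP-B", aggregate=True):
    """Split block in two; each ISP gets its own half, plus the aggregate if asked."""
    agg = ipaddress.ip_network(block)
    low, high = agg.subnets(prefixlen_diff=1)
    extra = [agg] if aggregate else []
    return {isp_low: [low] + extra, isp_high: [high] + extra}

def after_filters(announcements):
    """What a remote network sees once over-long prefixes are filtered out."""
    return {isp: [p for p in pfxs if p.prefixlen <= MAX_PREFIXLEN]
            for isp, pfxs in announcements.items()}

def inbound_isps(dest, announcements, links_up):
    """Longest-prefix match: ISPs that attract traffic for dest ([] = unreachable)."""
    addr = ipaddress.ip_address(dest)
    best_len, best = -1, set()
    for isp, pfxs in announcements.items():
        if isp not in links_up:
            continue  # link down: that ISP no longer carries our routes
        for p in pfxs:
            if addr in p and p.prefixlen > best_len:
                best_len, best = p.prefixlen, {isp}
            elif addr in p and p.prefixlen == best_len:
                best.add(isp)
    return sorted(best)

if __name__ == "__main__":
    both = {"ISP-A", "ISP-B"}
    # Constructed sample prefixes, not taken from the thread.
    for label, ann in [
        ("/23 as two /24s + aggregate", plan("192.0.2.0/23")),
        ("/23 as two /24s, no aggregate", plan("192.0.2.0/23", aggregate=False)),
        ("/24 as two /25s + aggregate", plan("203.0.113.0/24")),
    ]:
        seen = after_filters(ann)
        host = str(next(iter(ann["ISP-A"][0].hosts())))
        print(label, "| both up:", inbound_isps(host, seen, both),
              "| ISP-A down:", inbound_isps(host, seen, {"ISP-B"}))
```

When two ISPs tie on prefix length, as in the filtered /25 case, the remote network falls back to other BGP attributes such as AS-path length, which is where the prepending suggested in the thread comes in.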
