02-18-2009 06:26 AM - edited 03-04-2019 03:37 AM
Hi,
I am using a multihoming setup and have Internet links from two different ISPs.
I have hosted sites and VPN running over these two links.
Can I somehow control the incoming traffic to my hosted site over a link and dedicate another one to VPN and other traffic?
Please help. Thanks in advance!
02-18-2009 06:54 AM
Hello Ghanshyam,
First of all, I would like to ask if you have the hosted sites and the VPN segment on the same IP segment?
Having both hosted sites and VPN segment on "different" subnets will allow you to perform a conditional BGP advertisement to both of your upstream providers.
Please separate the segments of hosted sites and VPN and create prefix lists regarding these subnets. After creating the prefix lists, you need to create route-maps and permit on outbound the related segment to the related ISP.
ip prefix-list HOSTED_SITES permit x/24
ip prefix-list VPN_SEGMENT permit y/24
!
route-map TO-ISP-A-OUTBOUND permit 10
 match ip address prefix-list HOSTED_SITES
!
route-map TO-ISP-B-OUTBOUND permit 10
 match ip address prefix-list VPN_SEGMENT
!
router bgp xyz
 neighbor A route-map TO-ISP-A-OUTBOUND out
 neighbor B route-map TO-ISP-B-OUTBOUND out
After you apply this configuration, you will be advertising HOSTED_SITES to ISP A and VPN_SEGMENT to ISP B. But please remember that you are NOT announcing these segments to both ISPs, so if one of your links goes down, your announcement to that ISP will also be down, leading your subnet to be unreachable. If you consider redundancy, please let me know the current IP structure of your hosted sites and VPN segment.
Hope to help,
Kerem
02-18-2009 07:07 AM
Thanks for the reply, Kerem.
I am using the same /24 subnet for hosted sites and VPNs.
I have to consider redundancy at all times.
Yes, it is possible to advertise two different /24s over two different links, but is it possible to have redundancy in this case? I have the subnet available with me.
Please suggest.
02-18-2009 07:28 AM
Hi ghanshyam, [Pls RATE if HELPS]
Please see below the sample plan and the configuration:
1. Consider your company has a /23 supernet from APNIC/RIPE
2. The /23 supernet is further subnetted into two /24 segments (VPN & Hosted Sites)
3. The VPN has to flow via ISP-1 & Hosted Sites to flow via ISP-2
4. If ISP-1 fails, the respective traffic is to be backed up via ISP-2 (and vice versa)
5. Advertise the /23 supernet to both ISPs
6. Advertise one /24 as normal to an ISP and the other /24 with AS-prepend (and vice versa)
7. This will influence the reverse traffic flow
8. Use "set ip next-hop" in route-maps to influence the forward traffic from the CE.
Start of Configuration:
========================
router bgp 12345
 bgp log-neighbor-changes
 neighbor aaa.bbb.ccc.ddd remote-as XXXX
 neighbor aaa.bbb.ccc.ddd description *** EBGP with ISP1 ***
 neighbor eee.fff.ggg.hhh remote-as XXXX
 neighbor eee.fff.ggg.hhh description *** EBGP with ISP2 ***
 !
 address-family ipv4
  neighbor aaa.bbb.ccc.ddd activate
  neighbor aaa.bbb.ccc.ddd prefix-list Supernet-OUT out
  neighbor aaa.bbb.ccc.ddd route-map ISP-1 out
  neighbor eee.fff.ggg.hhh activate
  neighbor eee.fff.ggg.hhh prefix-list Supernet-OUT out
  neighbor eee.fff.ggg.hhh route-map ISP-2 out
  no auto-summary
  no synchronization
 exit-address-family
!
ip prefix-list Supernet-OUT seq 5 permit xxx.yyy.zzz.0/23 le 24
!
ip prefix-list ISP1-Sec-out seq 5 permit xxx.yyy.zzz.0/24
!
ip prefix-list ISP1-Pry-out seq 5 permit xxx.yyy.zzz.0/24
!
ip prefix-list ISP2-Sec-out seq 5 permit xxx.yyy.zzz.0/24
!
ip prefix-list ISP2-Pry-out seq 5 permit xxx.yyy.zzz.0/24
!
! "match ip address" needs the prefix-list keyword; without it the
! name is looked up as an access list.
route-map ISP-1 permit 10
 match ip address prefix-list ISP1-Sec-out
 set as-path prepend 12345 12345 12345 12345 12345
!
route-map ISP-1 permit 20
 match ip address prefix-list ISP1-Pry-out
!
! An outbound route-map ends in an implicit deny, so pass the /23
! supernet explicitly (prefix-list Supernet-OUT still limits it).
route-map ISP-1 permit 30
!
route-map ISP-2 permit 10
 match ip address prefix-list ISP2-Sec-out
 set as-path prepend 12345 12345 12345 12345 12345
!
! Primary /24 for ISP-2, sent without prepend.
route-map ISP-2 permit 20
 match ip address prefix-list ISP2-Pry-out
!
route-map ISP-2 permit 30
!
Hope I am Informative.
Pls RATE if HELPS
Best Regards,
Guru Prasad R
02-18-2009 07:47 PM
Thanks, Prasad, for the info.
Actually, for this location I have only one /24. I have another /23, but it will be difficult for me to change all the IPs in use now.
Can we do something for one /24 subnet?
I'll be using the /23 for my other location, where I can use the details you provided.
Please suggest.
02-18-2009 07:29 AM
Hello Ghanshyam,
If you are able to announce both of these subnets over two different /24s, you are going to be able to aggregate these subnets and have redundancy.
Let's assume that subnets x and y are contiguous. You will need to add another aggregated supernet to the prefix lists and permit this aggregate within the outbound route map.
ip prefix-list HOSTED_SITES permit x/24
ip prefix-list VPN_SEGMENT permit y/24
ip prefix-list AGGREGATE permit (x and y supernet)/23
!
route-map TO-ISP-A-OUTBOUND permit 10
 match ip address prefix-list HOSTED_SITES
route-map TO-ISP-A-OUTBOUND permit 20
 match ip address prefix-list AGGREGATE
!
route-map TO-ISP-B-OUTBOUND permit 10
 match ip address prefix-list VPN_SEGMENT
route-map TO-ISP-B-OUTBOUND permit 20
 match ip address prefix-list AGGREGATE
!
router bgp xyz
 neighbor A route-map TO-ISP-A-OUTBOUND out
 neighbor B route-map TO-ISP-B-OUTBOUND out
Hope to help,
Kerem
02-19-2009 12:56 AM
Hi,
For this location I have only a /24 subnet. I have another /23, but it is not contiguous. I am facing the problem that my incoming traffic is too much and is choking one link, while for outgoing traffic I can select the link. What can we do in this case?
Second: If I use a /23 (2 x /24) in another location for a single site, can I distribute the incoming traffic over the links?
Thanks in advance.
02-19-2009 01:08 AM
Hello Ghanshyam,
For your first question, in order to load balance your traffic, you definitely need to separate your IP blocks and announce them accordingly. But to conserve your redundancy, you need to have an aggregate route announced to both of your ISPs. Technically you do not need a /23 to have an aggregate route, but most of the ISPs have filters that do not allow advertisements below /24 prefixes.
With your current IP structure, you can divide your /24 segment into two /25s and announce them accordingly, but this action will lead to your prefixes being filtered somewhere on the Internet. So the minimum recommendation is a /23 aggregate and two /24s as segments.
For your second question , I would like to have more information before making any comments.
Hope to help,
02-19-2009 01:41 AM
ghanshyam,
Most of the ISPs don't accept "LESSER" than /24 prefix, but it's still possible. You can either announce your most prefix length and have them agree on that, OR prepend your network from the second link so that it's preferred on the desired path.
HTH
Mohamed
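Added example, not part of any post in this thread: a small Python model of which link a remote network would pick for inbound traffic under the designs discussed above (split /24s only, split /24s plus a /23 aggregate, AS-path prepending, and a /24 split into /25s), with and without one link down. The prefixes, the ISP-A/ISP-B names, the /24 filter limit, and the simplified selection (longest-prefix match, then fewest prepends, with equal path lengths otherwise) are assumptions of the example.

```python
import ipaddress

MAX_PREFIXLEN = 24  # assumption: transit filters drop IPv4 prefixes longer than /24

def inbound_link(dst, adverts, links_up=("ISP-A", "ISP-B")):
    """Link a remote network uses to reach dst, or None if unreachable.

    adverts: (prefix, isp, prepend_count) tuples announced by the site.
    Modelled selection: longest-prefix match, then fewest prepends.
    """
    addr = ipaddress.ip_address(dst)
    candidates = []
    for prefix, isp, prepends in adverts:
        net = ipaddress.ip_network(prefix)
        if isp not in links_up:            # session down: route withdrawn
            continue
        if net.prefixlen > MAX_PREFIXLEN:  # filtered upstream
            continue
        if addr in net:
            candidates.append((-net.prefixlen, prepends, isp))
    return min(candidates)[2] if candidates else None

# Constructed sample prefixes (RFC 2544 benchmarking range), not from the thread.
HOSTED, VPN, AGG = "198.18.0.0/24", "198.18.1.0/24", "198.18.0.0/23"

# Each /24 announced to one ISP only: no backup path.
SPLIT_ONLY = [(HOSTED, "ISP-A", 0), (VPN, "ISP-B", 0)]
# Same, plus the /23 aggregate announced to both ISPs.
SPLIT_PLUS_AGGREGATE = SPLIT_ONLY + [(AGG, "ISP-A", 0), (AGG, "ISP-B", 0)]
# Both /24s to both ISPs, prepended five times on the backup link.
PREPEND = [(HOSTED, "ISP-A", 0), (HOSTED, "ISP-B", 5),
           (VPN, "ISP-B", 0), (VPN, "ISP-A", 5)]
# A single /24 announced only as two /25s.
SPLIT_25 = [("198.18.0.0/25", "ISP-A", 0), ("198.18.0.128/25", "ISP-B", 0)]

if __name__ == "__main__":
    plans = {"split only": SPLIT_ONLY, "split + /23": SPLIT_PLUS_AGGREGATE,
             "prepend": PREPEND, "two /25s": SPLIT_25}
    for name, adverts in plans.items():
        for up in (("ISP-A", "ISP-B"), ("ISP-B",)):
            print(f"{name:12} up={up}: hosted site via",
                  inbound_link("198.18.0.10", adverts, up))
```

Real upstreams can override AS-path length with local preference, so prepending is an influence on inbound traffic rather than a guarantee; the longest-prefix behaviour is what makes the /24-plus-aggregate design deterministic.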