BGP - Multihoming

bdikici.55 · ‎03-14-2009

Hello ,

I would like consult some subject about BGP to the experienced BGP users. We are making a BGP connection to a two different ISPs via central site router. We are announcing our subnet via ISP-1 normally , but for ISP2 we are announcing the subnet with AS path prepending configuration. As a result , we still see inbound traffic from internet to our subnet via ISP-2. Is that possible to adjust more tuning for

inbound traffic ? We would like to achieve that there will be no inbound traffic via ISP-2.

By the way , in the next step of the configuration we would like to configure our multihomed BGP router with PBR & NBAR. What we are going to try with this is that for example p2p traffic from our subnet to the internet

will be detected with NBAR and it will be forwarded to the ISP-2 connection with PBR and the return traffic of this

connection will be come through the ISP-2 connection. (Symmetric traffic flow) How can be achive that ?

Kind Regards...

Burak Dikici

Note: I am writing the configuration of our multihomed BGP router below. (the real configuration's ip addresses

and BGP AS numbers has beed changed in the text which is writing below.)

router bgp 100

bgp log-neighbor-changes

neighbor 2.2.2.2 remote-as 222

neighbor 2.2.2.2 description ISP_2

neighbor 1.1.1.1 remote-as 111

neighbor 1.1.1.1 description ISP_1

!

address-family ipv4

no synchronization

network X.Y.0.0 mask 255.255.0.0

neighbor 2.2.2.2 activate

neighbor 2.2.2.2 route-map AS_path_prepend_for_ISP2 out

neighbor 2.2.2.2 filter-list 10 out

neighbor 1.1.1.1 activate

neighbor 1.1.1.1 route-map UPDATES_FOR_ISP1 in

neighbor 1.1.1.1 filter-list 10 out

no auto-summary

exit-address-family

ip as-path access-list 10 permit ^$

access-list 10 permit any

access-list 20 permit X.Y.0.0 0.0.255.255

route-map UPDATES_FOR_ISP1 permit 10

match ip address 10

set weight 100

route-map AS_path_prepend_for_ISP2 permit 10

match ip address 20

set as-path prepend 100 100 100 100 100

route-map AS_path_prepend_for_ISP2 permit 20

Joseph W. Doherty · ‎03-14-2009

For your first question, the BGP Conditional Advertisement Feature might be of use. Don't advertise you subnet to ISP2 unless ISP1 fails. (More info: http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080094309.shtml)

For your second question, one method might be to use a different address block for your ISP2 PBR directed traffic. You'll likely need to use NAT so that the PBR traffic only returns to the "special" address block you only advertise via ISP2.

bdikici.55 · ‎03-14-2009

For my second question , what about redundancy ? Your advice is to use NATing , in this situation what if ISP-1 connection goes down , normal user traffic (other than p2p for example) will also be NATed , am i right ? Is this cause any problem for redundancy ?

bdikici.55 · ‎03-14-2009

By the way , if we use PAT for this process , is that couse any problem ?

(not NAT because , we have got a lot of client ip addresses and all of them are real ip addresses)

Joseph W. Doherty · ‎03-15-2009

For your first question, what happens if the ISP1 traffic is not nat'ed? Well if your addresses change, current sessions would be broken. (BTW: I've been assuming you have your own public IP address blocks that work on both ISPs.) Can NAT be conditional? I'm not sure. It might if NAT could also trigger on something like PBR or some other condition. An example of the latter, might be two logical interfaces on the ISP2 connection. (Comments from anyone else?)

For your second question, PAT can be an issue. There are applications that are confused if their ports change. I've seen "cheap" consumer Internet routers handle this issue well, but some Cisco PAT (on "enterprise class" routers) didn't seem to work as well. (Perhaps someone with more experience will comment on this.)