Multi BGP help - urgent

Jul 1st, 2009

Hello,


Recently we have changed over to BGP for our SINGLE PROVIDER we currently have.


The configuration looks like this:


router bgp AS_NUMBER
 no synchronization
 bgp router-id ROUTER_ID_IP
 bgp log-neighbor-changes
 network XXX.XXX.XXX.XXX (1) mask 255.255.252.0
 network XXX.XXX.XXX.XXX (2) mask 255.255.252.0
 network XXX.XXX.XXX.XXX (3) mask 255.255.252.0
 network XXX.XXX.XXX.XXX (4) mask 255.255.252.0
 neighbor NEIGHBOR_IP remote-as REMOTE_AS
 neighbor NEIGHBOR_IP password BGP_PASS
 neighbor NEIGHBOR_IP route-map filter-in in
 no auto-summary
!
ip prefix-list only-default seq 5 permit 0.0.0.0/0
!
route-map filter-in permit 10
 match ip address prefix-list only-default
!


-------------------------------


NOW, we are going to plug a NEW ISP and want to announce ONLY our NETWORK (4) above.


Meaning this ISP will only route that CLASS C. So they are announcing it on their end and I have to announce that I am routing this CLASS C on the new ISP in my device.


Can someone please provide EXACT configuration commands to put in my router in order to achieve this ??


As well, I told my new ISP to only route this Class C on their network. But what happens if I tell them to route ALL my IPs and I want ONLY this Class C to go through them? Can this be achieved? Or, if they announce it, then I cannot control incoming traffic since they are announcing it, and therefore I can only control outgoing traffic? Can someone please detail this for me?


Waiting for an answer on both questions.


GREATLY appreciated


Thanks

Jerry Ye Wed, 07/01/2009 - 08:25

Hi Elazar,


Are you going to use the same router or a different router to connect to this new ISP? The configuration will be different between a new router and single router multi-home. BTW, your network 4 is not a Class C network.


To answer the other questions: you need to block certain routes to your ISP and announce certain routes if these routes need to be routed by your ISP. An ISP generally will not help you block routes. I am assuming you have an assigned AS and public IP addresses from ARIN.


Another question, you did not specify what routes you will want to take from your new ISP.


HTH,

jerry

interwebmedia Wed, 07/01/2009 - 08:49

Thank you for your answer.


You are right, Network 4 is a /22 but we will extract the FIRST /24 from that and route it with our new provider.


it is on the SAME ROUTER.


As well, the reason I ask about the networks is that our providers ask which IP address block to announce... is it actually them announcing it, or simply creating a filter to accept only those IPs from my network, and then I decide what to route through them? Or will they actually route on the internet whatever I tell them?


Yes we have public IP's with our own AS from Arin.


We only want default route from the ISP, like in the configuration with our first ISP.


Thanks

Jerry Ye Wed, 07/01/2009 - 09:15

Hi Elazar,


I think your provider is trying to put a filter in place to accept certain network block(s) from you. Or you can


So here is the additional configuration, on top of your existing one, for your 2nd provider. I am assuming you want to block the /24 into your current ISP:


!
! INSIDE BGP PROCESS
 network XXX.XXX.XXX.XXX (4) mask 255.255.255.0
 neighbor NEW_ISP_NEIGHBOR_IP remote-as NEW_ISP_REMOTE_AS
 neighbor NEW_ISP_NEIGHBOR_IP password NEW_ISP_BGP_PASS
 neighbor NEW_ISP_NEIGHBOR_IP route-map filter-in in
 neighbor NEW_ISP_NEIGHBOR_IP route-map NETWORK_TO_ISP_XXXX out
 neighbor NEIGHBOR_IP route-map NETWORK_TO_CURRENT_ISP out
!
! NETWORK TO BE ADV TO NEW ISP
ip prefix-list PREFIX_TO_ISP_XXXX seq 5 permit XXX.XXX.XXX.XXX/24
!
route-map NETWORK_TO_ISP_XXXX permit 10
 match ip address prefix-list PREFIX_TO_ISP_XXXX
!
! NETWORK TO BE ADV TO CURRENT ISP (the four /22s only; the /24 is not listed,
! so the implicit deny at the end of the prefix-list drops it)
ip prefix-list PREFIX_TO_CURRENT_ISP seq 5 permit XXX.XXX.XXX.XXX(1)/22
ip prefix-list PREFIX_TO_CURRENT_ISP seq 10 permit XXX.XXX.XXX.XXX(2)/22
ip prefix-list PREFIX_TO_CURRENT_ISP seq 15 permit XXX.XXX.XXX.XXX(3)/22
ip prefix-list PREFIX_TO_CURRENT_ISP seq 20 permit XXX.XXX.XXX.XXX(4)/22
!
route-map NETWORK_TO_CURRENT_ISP permit 10
 match ip address prefix-list PREFIX_TO_CURRENT_ISP


HTH,

jerry

interwebmedia Mon, 07/06/2009 - 10:38

So do I remove the announcement of the /24 to the current ISP, or do I just need to create an inside process which blocks it from being announced? As I want INCOMING and OUTGOING for that specific /24 to go through the NEW provider.

xcz504d1114 Mon, 07/06/2009 - 11:02

You will announce the /24 to your ISP (both ISPs) and use the filter to restrict what you are sending to the ISP.


The filter can be based on the prefix list as provided above, or an access-list like I provided below. They will both accomplish the same thing, prefix lists can make some configurations easier than an access-list, but I haven't seen anything a prefix list can do that an ACL can't, or vice versa.


If you do not advertise the /24 out to your ISP, there is no need to filter :)


HTH,

Craig

Jerry Ye Mon, 07/06/2009 - 11:50

Hi Elazar,


The following configuration actually blocks the /24 going into your current ISP:


ip prefix-list PREFIX_TO_CURRENT_ISP seq 5 permit XXX.XXX.XXX.XXX(1)/22
ip prefix-list PREFIX_TO_CURRENT_ISP seq 10 permit XXX.XXX.XXX.XXX(2)/22
ip prefix-list PREFIX_TO_CURRENT_ISP seq 15 permit XXX.XXX.XXX.XXX(3)/22
ip prefix-list PREFIX_TO_CURRENT_ISP seq 20 permit XXX.XXX.XXX.XXX(4)/22
!
route-map NETWORK_TO_CURRENT_ISP permit 10
 match ip address prefix-list PREFIX_TO_CURRENT_ISP
!
! INSIDE BGP PROCESS: apply the route-map outbound to the current ISP
 neighbor NEIGHBOR_IP route-map NETWORK_TO_CURRENT_ISP out


If you would like to include the /24, just edit the prefix list to include the /24.


HTH,

jerry

interwebmedia Thu, 09/17/2009 - 08:17

Ok I will post here more details so I can get the exact configuration.


Let's summarize what is going on here.


We have:


ISP1 - MTO (AS 21548)

ISP2 - COGENT (AS 174)


Current Config:


router bgp 21793
 no synchronization
 bgp router-id ROUTER_ID_IP
 bgp log-neighbor-changes
 network XXX.65.60.0 mask 255.255.252.0
 network XXX.66.68.0 mask 255.255.252.0
 network XXX.75.188.0 mask 255.255.252.0
 network XX.76.96.0 mask 255.255.252.0
 neighbor XX.254.237.9 remote-as 21548
 neighbor XX.254.237.9 password BGP_PASS
 neighbor XX.254.237.9 route-map filter-in in
 no auto-summary
!
ip prefix-list only-default seq 5 permit 0.0.0.0/0
!
route-map filter-in permit 10
 match ip address prefix-list only-default
!



NOW, what we need done is SIMPLE.


We are adding COGENT as a provider in our BGP.


We need this XXX.75.188.0/24 to go ONLY on COGENT. It is announced as part of a /22 to the current ISP, as you can see in the configuration. So what we need is ONE CLASS C (the first one), XXX.75.188.0/24, to be advertised to COGENT, and for INCOMING and OUTGOING traffic on this range to go ONLY through Cogent; it should NOT go through MTO.


Cogent Details for connectivity:


Cogent Connected Address Block: XX.104.152.4 /30


Cogent Router Port IP/Gateway: XX.104.152.5


Our Router Port IP: XX.104.152.6


Subnet: 255.255.255.252


Then they assign us a Cogent Assigned Ip Block:


XX.102.65.112 /29


BGP Password: BGP_PASS (not showing for security purposes)


I hope I gave all details to get an EXACT and COMPLETE configuration to ADD to our existing config in order to implement this.


Help is greatly appreciated.


Thanks

YANGCCIE4 Mon, 09/21/2009 - 07:38

Hi,

Your ISP should not worry about the IP addresses you announce with NETWORK statements (these addresses are all private IP addresses; if I am wrong, let me know). These private IP network segments are the routes that the other branch needs to know.


The ISP's responsibility is to give you the public IP addresses; these public IP addresses perform the connection function, where your router has one and the branch on the other side has another one. That is all you should request from them.


I don't think your ISP has any need to filter or block any network segment in your internal network which you NETWORK into BGP.


hope this help



Yang


xcz504d1114 Wed, 07/01/2009 - 09:29

create an access-list that matches your (4) network.

access-list 4 permit 4.4.4.0 0.0.0.255


Create a route-map for your new ISP specifying your ACL

route-map ISP-OUT permit 10
 match ip address 4


Use that route map to filter to your new ISP

router bgp AS_NUMBER
 neighbor NEW_ISP_IP route-map ISP-OUT out



With that you will only advertise the routes to your ISP neighbor that you specified in your access-list. If you want to add more to advertise out later, either re-write your access-list (not my choice though) or create a new access-list with the new IP, and create additional entries under your route-map (my preference).


So it would look like this to add network 2.

access-list 2 permit 2.2.2.0 0.0.0.255
route-map ISP-OUT permit 20
 match ip address 2


The "20" after ISP-OUT specifies a new line number in the same route map. Remember to clear your BGP neighbor any time you make changes like that, but also remember that if your ISP sees you "flapping", due to a down link or you clearing your BGP status, they may stop advertising you for 45 minutes to prevent flapping routes on the internet. So make sure you learn to use the soft clear BGP commands.


In order to control incoming routes, that is a very long topic; the easiest way (and best in my opinion) is to have your ISP send you what you want to receive. I run dual service providers at my edge, and I told my ISPs I only want to receive a default route; I don't need the entire internet routing table for my application.


If you have your ISP send you the entire internet routing table, keep in mind a few points: it consumes router memory, and if you enable CEF, it consumes twice the amount of memory to build the CEF table. If you have them send you the entire internet routing table and you filter on your side, your router still receives and stores the information, and then uses CPU cycles to filter 200k+ routes from entering your routing table, but the information is still stored in memory to allow soft BGP clears.


HTH,

Craig
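The following is an added example, written for this thread rather than taken from Jerry's or Craig's posts: a Python simulation of how IOS evaluates the two outbound-filter styles the two posts use (a prefix-list route-map and a standard-ACL route-map) against the same candidate prefixes. The addresses are constructed stand-ins for the thread's masked blocks. It also shows a difference neither post mentions: a standard ACL under `match ip address` compares only the route's network address, so a /22 and the /24 that begins at the same address look identical to it, while a prefix-list (or an extended ACL, whose destination field is checked against the mask) tells them apart.

```python
"""Simulation of IOS outbound BGP filters (prefix-list vs ACL route-maps).

Added for this thread; not code from any post.  Addresses are constructed.
"""
import ipaddress

# Constructed candidates: the four /22s of the original config plus the
# first /24 carved out of the third one (the thread's XXX.75.188.0/24).
CANDIDATES = [
    "10.65.60.0/22",
    "10.66.68.0/22",
    "10.75.188.0/22",
    "10.76.96.0/22",
    "10.75.188.0/24",
]


def prefix_list_match(entries, route):
    """`ip prefix-list` evaluation: seq order, first match wins, implicit deny.

    entries: (action, prefix, ge, le).  Without ge/le an entry matches only the
    exact prefix and length, which is how the lists in the thread are written.
    """
    net = ipaddress.ip_network(route)
    for action, prefix, ge, le in entries:
        base = ipaddress.ip_network(prefix)
        low = ge if ge is not None else base.prefixlen
        high = le if le is not None else (32 if ge is not None else base.prefixlen)
        if net.subnet_of(base) and low <= net.prefixlen <= high:
            return action == "permit"
    return False


def standard_acl_match(entries, route):
    """Standard ACL as `match ip address` applies it to a route: only the
    network address is compared with address/wildcard; the mask is ignored.
    entries: (action, address, wildcard)."""
    addr = int(ipaddress.ip_network(route).network_address)
    for action, address, wildcard in entries:
        a = int(ipaddress.ip_address(address))
        w = int(ipaddress.ip_address(wildcard))
        if (addr & ~w) == (a & ~w):
            return action == "permit"
    return False


def extended_acl_match(entries, route):
    """Extended ACL as `match ip address` applies it: the source field is
    checked against the network address, the destination field against the
    subnet mask.  entries: (action, src, src_wc, mask, mask_wc)."""
    net = ipaddress.ip_network(route)
    addr, mask = int(net.network_address), int(net.netmask)
    for action, src, src_wc, dst, dst_wc in entries:
        s, sw = int(ipaddress.ip_address(src)), int(ipaddress.ip_address(src_wc))
        d, dw = int(ipaddress.ip_address(dst)), int(ipaddress.ip_address(dst_wc))
        if (addr & ~sw) == (s & ~sw) and (mask & ~dw) == (d & ~dw):
            return action == "permit"
    return False


def route_map_eval(clauses, route):
    """Route-map: clauses in seq order; the first clause whose match holds
    decides (a clause without a match statement matches everything);
    implicit deny if none matches."""
    for action, matcher in clauses:
        if matcher is None or matcher(route):
            return action == "permit"
    return False


def advertised(clauses, candidates=CANDIDATES):
    """Prefixes that survive an outbound route-map, in BGP table order."""
    return [r for r in candidates if route_map_eval(clauses, r)]


# Jerry's style: prefix-lists referenced from permit-only route-maps.
TO_NEW_ISP_PREFIXLIST = [
    ("permit", lambda r: prefix_list_match([("permit", "10.75.188.0/24", None, None)], r)),
]
TO_CURRENT_ISP_PREFIXLIST = [
    ("permit", lambda r: prefix_list_match([("permit", p, None, None) for p in CANDIDATES[:4]], r)),
]

# Craig's style: standard ACLs (permit the /24 to the new ISP; deny it to the
# current one, permit everything else).
TO_NEW_ISP_STD_ACL = [
    ("permit", lambda r: standard_acl_match([("permit", "10.75.188.0", "0.0.0.255")], r)),
]
TO_CURRENT_ISP_STD_ACL = [
    ("permit", lambda r: standard_acl_match(
        [("deny", "10.75.188.0", "0.0.0.255"), ("permit", "0.0.0.0", "255.255.255.255")], r)),
]

# Mask-aware ACL form that gives the same result as the prefix-list.
TO_NEW_ISP_EXT_ACL = [
    ("permit", lambda r: extended_acl_match(
        [("permit", "10.75.188.0", "0.0.0.0", "255.255.255.0", "0.0.0.0")], r)),
]

if __name__ == "__main__":
    for name, clauses in [("new ISP / prefix-list", TO_NEW_ISP_PREFIXLIST),
                          ("new ISP / standard ACL", TO_NEW_ISP_STD_ACL),
                          ("new ISP / extended ACL", TO_NEW_ISP_EXT_ACL),
                          ("current ISP / prefix-list", TO_CURRENT_ISP_PREFIXLIST),
                          ("current ISP / standard ACL", TO_CURRENT_ISP_STD_ACL)]:
        print(f"{name:28s} -> {advertised(clauses)}")
```

Run as a script it prints the set each filter lets through. With the standard ACLs, the /22 that starts at 10.75.188.0 is permitted to the new ISP and denied to the current one alongside the /24; the prefix-list and extended-ACL versions touch only the /24. `route_map_eval` applies first-match semantics with the implicit deny at the end, as IOS does.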

interwebmedia Thu, 09/17/2009 - 07:56

OK I finally received all the exact numbers for the new ISP BGP and I am now ready to implement it.


Is it possible to get a one on one with an expert from here for help? As I do not want to post the exact IP's on this forum.


And I do not want to mess up the configuration by filling in the variables.


How can we arrange this?


Thank you


interwebmedia Thu, 09/17/2009 - 13:01

Anything on this please? I am already plugged in I just need the final BGP configurations to get going with this.


Please let me know asap

xcz504d1114 Thu, 09/17/2009 - 13:07



conf t
! Placeholder so the /24 exists in the routing table for the network
! statement below; AD 254 lets any real route to the /24 win over it
ip route xxx.75.188.0 255.255.255.0 Null0 254
!
! Extended ACLs so the mask is matched as well (source = network,
! destination = mask): a standard ACL compares only the network address
! and would also match the /22 that starts at xxx.75.188.0
access-list 111 permit ip host xxx.75.188.0 host 255.255.255.0
route-map COGNET-OUT permit 10
 match ip address 111
!
access-list 112 deny ip host xxx.75.188.0 host 255.255.255.0
access-list 112 permit ip any any
route-map MTO-OUT permit 10
 match ip address 112
!
router bgp 21793
 neighbor XX.254.237.9 route-map MTO-OUT out
 network xxx.75.188.0 mask 255.255.255.0
 ! Cogent's side of the /30 is .5 (.6 is our own port address)
 neighbor xx.104.152.5 remote-as 174
 neighbor xx.104.152.5 password BGP_PASS
 neighbor xx.104.152.5 route-map COGNET-OUT out


If you want to filter incoming routes and only accept the default route, just like you are for your other carrier, add the following line:

 neighbor xx.104.152.5 route-map filter-in in



You also specified that this class C should not be advertised out the other carrier. Since you are advertising the /22 to the other carrier, it will not be a problem: the /24 is a more specific route, and your other link will actually act as a failover.


Depending on how your internal network is set up you could have some asymmetric routing occurring, so the traffic will exit out MTO and come back in through COGENT or vice versa. Since I don't know the rest of your network topology and configuration I can't really help much there. By default BGP will only use one of the links.


But that is the "basic" configuration you will need to get that working, but there is still design left that probably needs to be done.


HTH,

Craig

interwebmedia Mon, 09/21/2009 - 11:45

Ok so finally we got it to work as mentioned in the above configs. The only thing remaining is that the router chooses COGENT as the default 0.0.0.0; I need all the traffic that is NOT from the XXX.75.188.0/24 network to go out through MTO, and that class C through Cogent.


How do I accomplish this?


Thanks

Giuseppe Larosa Thu, 09/17/2009 - 13:28

Hello Elazar,

warning:


you say you would like to send a more specific prefix to cogent.


But your current BGP configuration contains a /22 network not an aggregate that creates a /22 prefix.


You need to have a meaningful route to the desired /24 subnet, or the configuration suggested by Craig, with a static to Null0, even with AD 254, will act as a black hole for this traffic.


Craig:

this point has to be addressed.


How is the /22 prefix present in your router?


Hope to help

Giuseppe


xcz504d1114 Thu, 09/17/2009 - 13:39

I definitely made some assumptions about his internal configuration: I assumed the /22s were already being advertised by a null route, and I assumed he segmented the /24 onto a subinterface of some sort and does not have a giant /22 present without any subnetting.


If he is not subnetting the /22, he will most definitely black hole that class C.


The complete configuration and topology needs to be present to make proper design decisions.


Craig
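An added example for Craig's configuration above and for the point Giuseppe raises about the static to Null0, written for this thread and not taken from any post: a Python model of the two routing-table behaviours involved. First, a BGP `network A mask M` statement originates A/M only when the routing table holds exactly that prefix, which is what the Null0 static supplies. Second, that static is only a placeholder: with AD 254 a real connected route to the /24 wins, but without one, traffic the /24 announcement attracts via Cogent is dropped at Null0. The block also shows the upstream view Craig describes, where the /24 via Cogent is preferred by longest match and the /22 via MTO takes over when the /24 is withdrawn. Prefixes, next-hop labels and the interface name `Vlan188` are constructed.

```python
"""Model of RIB origination, black-holing and longest-prefix failover.

Added for this thread; not code from any post.  Addresses are constructed.
"""
import ipaddress

# Constructed: the four /22 null routes the poster says are already in place,
# plus Craig's placeholder static for the carved-out /24.  (prefix, next hop, AD)
NULL_STATICS = [
    ("10.65.60.0/22", "Null0", 254),
    ("10.66.68.0/22", "Null0", 254),
    ("10.75.188.0/22", "Null0", 254),
    ("10.76.96.0/22", "Null0", 254),
    ("10.75.188.0/24", "Null0", 254),
]
NETWORK_STATEMENTS = [p for p, _, _ in NULL_STATICS]  # the BGP `network` lines
CONNECTED_AD = 0  # IOS administrative distance of a connected interface


def install_rib(candidates):
    """Build the routing table: one entry per prefix, lowest AD wins.

    candidates: iterable of (prefix, next_hop, administrative_distance).
    """
    rib = {}
    for prefix, next_hop, ad in candidates:
        net = ipaddress.ip_network(prefix)
        if net not in rib or ad < rib[net][1]:
            rib[net] = (next_hop, ad)
    return rib


def originated(rib, network_statements):
    """Prefixes a `network` statement injects: the exact prefix must be in the RIB."""
    return [p for p in network_statements if ipaddress.ip_network(p) in rib]


def lookup(rib, destination):
    """Forwarding decision: longest-prefix match over the installed routes."""
    dst = ipaddress.ip_address(destination)
    best = None
    for net, (next_hop, _) in rib.items():
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def originated_prefixes(with_null24):
    """What the router originates with and without Craig's /24 static."""
    statics = NULL_STATICS if with_null24 else NULL_STATICS[:-1]
    return originated(install_rib(statics), NETWORK_STATEMENTS)


def customer_next_hop(vlan_present, destination="10.75.188.10"):
    """Where the customer router sends a packet for a host inside the /24.

    Giuseppe's warning: without a real route the placeholder Null0 forwards
    (i.e. drops) the traffic that the /24 announcement pulled in via Cogent.
    """
    routes = list(NULL_STATICS)
    if vlan_present:  # the /24 really exists on an internal VLAN (AD 0 beats 254)
        routes.append(("10.75.188.0/24", "Vlan188", CONNECTED_AD))
    return lookup(install_rib(routes), destination)


def upstream_next_hop(destination, cogent_up=True):
    """An Internet router that hears the /22 from MTO and the /24 from Cogent:
    the more specific /24 wins while Cogent announces it; the /22 via MTO is the
    failover once the /24 is withdrawn.  20 is the IOS eBGP distance."""
    routes = [("10.75.188.0/22", "via-MTO", 20)]
    if cogent_up:
        routes.append(("10.75.188.0/24", "via-Cogent", 20))
    return lookup(install_rib(routes), destination)


if __name__ == "__main__":
    print("originated with /24 static:   ", originated_prefixes(True))
    print("originated without /24 static:", originated_prefixes(False))
    print("customer, VLAN present:", customer_next_hop(True))
    print("customer, no VLAN:     ", customer_next_hop(False))
    print("upstream, Cogent up:   ", upstream_next_hop("10.75.188.10"))
    print("upstream, Cogent down: ", upstream_next_hop("10.75.188.10", False))
    print("upstream, outside /24: ", upstream_next_hop("10.75.190.1"))
```

The check that matters before enabling the new session is the `customer_next_hop(False)` case: if `show ip route` for a host in the /24 resolves to Null0 rather than an interface, the /24 announcement to Cogent will black-hole that block even though the BGP side is configured correctly.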

interwebmedia Thu, 09/17/2009 - 15:28

Internally, yes each /22 is separated into /24.


I already have a null route for the /22 in place, actually I have them for all my /22.


So yes they are internally connected to vlans as /24 ...


So 2 questions.


1. Can I go ahead with his config?

2. How come above I have a suggested config with all those ip prefix-lists... and in your new config there is none of that? How can they be so different?


Thank You

interwebmedia Thu, 09/17/2009 - 16:07

Hello,


Also, what do I have to make sure to be careful or fix to not have what described here


"Depending on how your internal network is set up you could have some asymmetric routing occurring, so the traffic will exit out MTO and come back in through COGENT or vice versa. Since I don't know the rest of your network topology and configuration I can't really help much there. By default BGP will only use one of the links."


Thanks

xcz504d1114 Thu, 09/17/2009 - 17:01

Again, that depends on your network topology: are there 2 routers or 1? Do you want redundancy? Do you want partial redundancy, or if either link fails should it be redundant for all networks? Is your ISP aware that you are advertising these networks out? If not, they will likely filter whatever you advertise. Is there a community you can send your ISP to make a route less preferred on the internet? If you begin to make your links fully redundant, you will run into the case where one ISP is definitely "stronger" than the other, and sometimes AS prepending isn't enough.


There are a lot of things that I consider when designing a network, and even more so when designing an interface with a network that I don't control (like an ISP).


Can you create a network diagram of your network? And also post the complete configuration of your external routers?


Also, one person recommended to use prefix lists, I recommended to use a route-map, they will accomplish the exact same thing, there are certain circumstances where a prefix list can make configuration easier, but an ACL and route map can accomplish anything a prefix list can.


Craig

interwebmedia Thu, 09/17/2009 - 23:05

So I put in the configuration and everything crashed in the middle of putting in the configurations.


The neighbor IP was not correct, as it was referring to the .6 IP, but that is my own configured IP, so the neighbor should be .5; but even with putting .5 everything crashed.


Is there any way I can get ONE on ONE help outside of this public forum from one of you professionals?


Please let me know, you can email me at [email protected]


Thank You


create an ACL allowing your /24 and denying everything else...

ip access-list extended my_routes
 permit ip 2.2.2.0 0.0.0.255 any
 permit ip 2.2.3.0 0.0.0.255 any
 permit ip 2.2.4.0 0.0.0.255 any
 permit ip 2.2.5.0 0.0.0.255 any
 deny ip any any


and apply a distribute-list to that new ISP BGP peer (outbound, so it filters what you send them).

neighbor 1.1.1.1 distribute-list my_routes out




They could apply a filter to only learn the /24 you told them to redistribute, or they may rely on you to properly advertise your routes. They could also potentially only accept a certain number of routes. For example, if you told them 4 routes, they might give you a little headroom and drop peering if you go over 10 or something. You have to ask them, the ISP, what kind of policy they have in place.
