07-01-2009 08:04 AM - edited 03-06-2019 06:32 AM
Hello,
Recently we have changed over to BGP for our SINGLE PROVIDER we currently have.
The configuration looks like this:
router bgp AS_NUMBER
no synchronization
bgp router-id ROUTER_ID_IP
bgp log-neighbor-changes
network XXX.XXX.XXX.XXX (1) mask 255.255.252.0
network XXX.XXX.XXX.XXX (2) mask 255.255.252.0
network XXX.XXX.XXX.XXX (3) mask 255.255.252.0
network XXX.XXX.XXX.XXX (4) mask 255.255.252.0
neighbor NEIGHBOR_IP remote-as REMOTE_AS
neighbor NEIGHBOR_IP password BGP_PASS
neighbor NEIGHBOR_IP route-map filter-in in
no auto-summary
!
ip prefix-list only-default seq 5 permit 0.0.0.0/0
!
route-map filter-in permit 10
match ip address prefix-list only-default
!
-------------------------------
NOW, we are going to plug a NEW ISP and want to announce ONLY our NETWORK (4) above.
Meaning this ISP will only route that CLASS C. So they are announcing it on their end and I have to announce that I am routing this CLASS C on the new ISP in my device.
Can someone please provide EXACT configuration commands to put in my router in order to achieve this ??
As well, I told my new ISP to only route this Class C on their network. But what happens if I tell them to route ALL my IP's and I want ONLY this Class C to go through them, can this be achieved? or if they announce it then I cannot control incoming traffic since they are announcing it and therefore I can only control outgoing traffic ?? Can someone please detail this for me?
Waiting for an answer on both questions.
GREATLY appreciated
Thanks
07-01-2009 08:25 AM
Hi Elazar,
Are you going to use the same router or a different router to connect to this new ISP? The configuration will be different between a new router and single router multi-home. BTW, your network 4 is not a Class C network.
To answer the other questions, you need to block certain routes to your ISP and announce certain routes if these routes need to be routed by your ISP. ISPs generally will not help you block routes. I am assuming you have an AS and public IP addresses assigned by ARIN.
Another question, you did not specify what routes you will want to take from your new ISP.
HTH,
jerry
07-01-2009 08:49 AM
Thank you for your answer.
You are right, Network 4 is a /22 but we will extract the FIRST /24 from that and route it with our new provider.
It is on the SAME ROUTER.
As well, why I ask about the networks is that our providers ask which IP address block to announce... is it actually them announcing it, or simply creating a filter to accept only those IPs from my network and then I decide what to route through them? Or will they actually route on the internet what I tell them ??
Yes we have public IP's with our own AS from Arin.
We only want default route from the ISP, like in the configuration with our first ISP.
Thanks
07-01-2009 09:15 AM
Hi Elazar,
I think your provider is trying to put a filter in place to accept certain network block(s) from you. Or you can
So here is the additional configuration on top of your existing to your 2nd provider, I am assuming you want to block the /24 into your current ISP:
!
! INSIDE BGP PROCESS
network XXX.XXX.XXX.XXX (4) mask 255.255.255.0
neighbor NEW_ISP_NEIGHBOR_IP remote-as NEW_ISP_REMOTE_AS
neighbor NEW_ISP_NEIGHBOR_IP password NEW_ISP_BGP_PASS
neighbor NEW_ISP_NEIGHBOR_IP route-map filter-in in
neighbor NEW_ISP_NEIGHBOR_IP route-map NETWORK_TO_ISP_XXXX out
neighbor NEIGHBOR_IP route-map NETWORK_TO_CURRENT_ISP out
!
! NETWORK TO BE ADV TO NEW ISP
ip prefix-list PREFIX_TO_ISP_XXXX seq 5 permit XXX.XXX.XXX.XXX/24
route-map NETWORK_TO_ISP_XXXX permit 10
match ip address prefix-list PREFIX_TO_ISP_XXXX
!
! NETWORK TO BE ADV TO CURRENT ISP
ip prefix-list PREFIX_TO_CURRENT_ISP seq 5 perm XXX.XXX.XXX.XXX(1)/22
ip prefix-list PREFIX_TO_CURRENT_ISP seq 10 perm XXX.XXX.XXX.XXX(2)/22
ip prefix-list PREFIX_TO_CURRENT_ISP seq 15 perm XXX.XXX.XXX.XXX(3)/22
ip prefix-list PREFIX_TO_CURRENT_ISP seq 20 perm XXX.XXX.XXX.XXX(4)/22
route-map NETWORK_TO_CURRENT_ISP permit 10
match ip address prefix-list PREFIX_TO_CURRENT_ISP
HTH,
jerry
07-06-2009 10:38 AM
So do I remove the announcement of the /24 to the current ISP or I just need to create an inside process which blocks it from announcing it?? as I want INCOMING and OUTGOING for that specific /24 to go through the NEW provider.
07-06-2009 11:02 AM
You will announce the /24 to your ISP (both ISP's) and use the filter to restrict what you are sending to the ISP.
The filter can be based on the prefix list as provided above, or an access-list like I provided below. They will both accomplish the same thing, prefix lists can make some configurations easier than an access-list, but I haven't seen anything a prefix list can do that an ACL can't, or vice versa.
If you do not advertise the /24 out to your ISP, there is no need to filter :)
HTH,
Craig
07-06-2009 11:50 AM
Hi Elazar,
The following configuration actually blocks the /24 going into your current ISP:
ip prefix-list PREFIX_TO_CURRENT_ISP seq 5 perm XXX.XXX.XXX.XXX(1)/22
ip prefix-list PREFIX_TO_CURRENT_ISP seq 10 perm XXX.XXX.XXX.XXX(2)/22
ip prefix-list PREFIX_TO_CURRENT_ISP seq 15 perm XXX.XXX.XXX.XXX(3)/22
ip prefix-list PREFIX_TO_CURRENT_ISP seq 20 perm XXX.XXX.XXX.XXX(4)/22
route-map NETWORK_TO_CURRENT_ISP permit 10
match ip address prefix-list PREFIX_TO_CURRENT_ISP
! INSIDE BGP PROCESS
neighbor NEW_ISP_NEIGHBOR_IP route-map NETWORK_TO_ISP_XXXX out
If you would like to include the /24, just edit the prefix list to include the /24.
HTH,
jerry
09-17-2009 08:17 AM
Ok I will post here more details so I can get the exact configuration.
Let's resume what is going on here.
We have:
ISP1 - MTO (AS 21548)
ISP2 - COGENT (AS 174)
Current Config:
router bgp 21793
no synchronization
bgp router-id ROUTER_ID_IP
bgp log-neighbor-changes
network XXX.65.60.0 mask 255.255.252.0
network XXX.66.68.0 mask 255.255.252.0
network XXX.75.188.0 mask 255.255.252.0
network XX.76.96.0 mask 255.255.252.0
neighbor XX.254.237.9 remote-as 21548
neighbor XX.254.237.9 password BGP_PASS
neighbor XX.254.237.9 route-map filter-in in
no auto-summary
!
ip prefix-list only-default seq 5 permit 0.0.0.0/0
!
route-map filter-in permit 10
match ip address prefix-list only-default
!
NOW, what we need done is SIMPLE.
We are adding COGENT as a provider in our BGP.
We need this XXX.75.188.0 /24 To go ONLY on COGENT. It is announced as part of a /22 to the current ISP as you can see in the configuration. So what we need is ONE CLASS C (the first one) XXX.75.188.0 /24 to be advertised to COGENT and for INCOMING and OUTGOING traffic on this range to go ONLY through Cogent, it should NOT go through MTO.
Cogent Details for connectivity:
Cogent Connected Address Block: XX.104.152.4 /30
Cogent Router Port IP/Gateway: XX.104.152.5
Our Router Port IP: XX.104.152.6
Subnet: 255.255.255.252
Then they assign us a Cogent Assigned Ip Block:
XX.102.65.112 /29
BGP Password: BGP_PASS (not showing for security purposes)
I hope I gave all details to get an EXACT and COMPLETE configuration to ADD to our existing config in order to implement this.
Help is greatly appreciated.
Thanks
09-21-2009 07:38 AM
Hi,
Your ISP should not worry about the IP addresses you announce with NETWORK statements (these addresses are all private IP addresses; if I am wrong, let me know). These private IP network segments are the routes that the other branch needs to know.
The ISP's responsibility is to give you the public IP addresses. These public IP addresses perform the connection function: your router uses one and the branch on the other side uses another one. That is all you should request from them.
I don't think your ISP has any need to filter or block any network segment in your internal network which you NETWORK into BGP.
Hope this helps,
Yang
07-01-2009 09:29 AM
Create an access-list that matches your (4) network.
access-list 4 permit 4.4.4.0 0.0.0.255
Create a route-map for your new ISP specifying your ACL
route-map ISP-OUT 10
match ip address 4
Use that route map to filter to your new ISP
router bgp AS_NUMBER
neighbor NEW_ISP_IP route-map ISP-OUT out
With that you will only advertise the routes to your ISP neighbor that you specified in your access-list. If you want to add more to advertise out later, either re-write your access-list (not my choice though) or create a new access-list with the new IP, and create additional entries under your route-map (my preference).
So it would look like this to add network 2.
access-list 2 permit 2.2.2.0 0.0.0.255
route-map ISP-OUT 20
match ip address 2
The "20" after ISP-OUT specifies a new line number in the same route map. Remember to clear your BGP neighbor anytime you make changes like that, but also remember that if your ISP sees you "flapping" due to a down link or you clearing your BGP status, they may stop advertising you for 45 minutes to prevent flapping routes on the internet. So make sure you learn to use the soft clear BGP commands.
In order to control incoming routes, that is a very long topic, easiest way (and best in my opinion), is to have your ISP send you what you want to receive, I run dual service providers at my edge, and I told my ISP's I only want to receive a default route, I don't need the entire internet routing tables for my application.
If you have your ISP send you the entire internet routing table keep in mind a few points, it consumes router memory, and if you enable CEF, it consumes twice the amount of memory to build the CEF table. If you have them send you the entire internet routing table and you filter on your side, your router still receives and stores the information, and then uses CPU cycles to filter 200k+ routes from entering your routing table, but the information is still stored in memory to allow soft BGP clears.
HTH,
Craig
09-17-2009 07:56 AM
OK I finally received all the exact numbers for the new ISP BGP and I am now ready to implement it.
Is it possible to get a one on one with an expert from here for help? As I do not want to post the exact IP's on this forum.
And I do not want to mess up the configuration by filling in the variables.
How can we arrange this?
Thank you
09-17-2009 01:01 PM
Anything on this please? I am already plugged in I just need the final BGP configurations to get going with this.
Please let me know asap
09-17-2009 01:07 PM
conf t
! Static route to Null0 so the /24 exists in the routing table for the network statement
ip route xxx.75.188.0 255.255.255.0 null 0 254
! Outbound filter toward Cogent
access-list 11 permit xxx.75.188.0 0.0.0.255
route-map COGNET-OUT 10
match ip address 11
! Outbound filter toward MTO
access-list 12 deny xxx.75.188.0 0.0.0.255
access-list 12 permit any
route-map MTO-OUT 10
match ip address 12
router bgp 21793
neighbor XX.254.237.9 route-map MTO-OUT out
network xxx.75.188.0 mask 255.255.255.0
! The neighbor is the Cogent router port (xx.104.152.5); xx.104.152.6 is our own port
neighbor xx.104.152.5 remote-as 174
neighbor xx.104.152.5 password BGP_PASS
neighbor xx.104.152.5 route-map COGNET-OUT out
If you want to filter incoming routes and only accept the default route just like you are for your other carrier, add the following line:
neighbor xx.104.152.5 route-map filter-in in
You also specified that this class C should not be advertised out the other carrier. Since you are advertising the /22 to the other carrier, it will not be a problem: the /24 is a more specific route, and your other link will actually act as a failover.
Depending on how your internal network is set up you could have some asymmetric routing occurring, so the traffic will exit out MTO and come back in through Cogent or vice versa. Since I don't know the rest of your network topology and configuration I can't really help much there. By default BGP will only use one of the links.
But that is the "basic" configuration you will need to get that working, but there is still design left that probably needs to be done.
HTH,
Craig
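An added example, not part of the original posts: a simplified Python model of how the two outbound filter styles in this thread select routes. It assumes the documented IOS behaviour that a standard access-list used for route filtering compares only the prefix's network address (the prefix length is ignored), while a prefix-list entry without ge/le matches address and length exactly; the 10.x prefixes are constructed stand-ins for the masked XXX./XX. blocks.

```python
import ipaddress

# Constructed stand-ins for the thread's masked prefixes: four /22s plus the /24.
ANNOUNCED = [ipaddress.ip_network(p) for p in (
    "10.65.60.0/22", "10.66.68.0/22", "10.75.188.0/22",
    "10.76.96.0/22", "10.75.188.0/24")]


def acl_match(prefix, entries):
    """Standard ACL: first match wins, network address only, implicit deny."""
    for action, base, wildcard in entries:
        if base == "any":
            return action == "permit"
        mask = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if int(prefix.network_address) & mask == int(ipaddress.ip_address(base)) & mask:
            return action == "permit"
    return False


def prefix_list_match(prefix, entries):
    """Prefix-list without ge/le: address and length must both match."""
    for action, net in entries:
        if prefix == ipaddress.ip_network(net):
            return action == "permit"
    return False


def advertised(match, entries):
    """Prefixes that pass a single-clause outbound route-map using this filter."""
    return sorted(str(p) for p in ANNOUNCED if match(p, entries))


# access-list 11 / 12 from the post above, with the stand-in addresses.
ACL_11 = [("permit", "10.75.188.0", "0.0.0.255")]
ACL_12 = [("deny", "10.75.188.0", "0.0.0.255"), ("permit", "any", None)]
# Prefix-list equivalents in the style of the earlier replies in this thread.
PL_COGENT = [("permit", "10.75.188.0/24")]
PL_MTO = [("permit", n) for n in
          ("10.65.60.0/22", "10.66.68.0/22", "10.75.188.0/22", "10.76.96.0/22")]

if __name__ == "__main__":
    for name, match, entries in (("ACL 11 -> Cogent", acl_match, ACL_11),
                                 ("ACL 12 -> MTO", acl_match, ACL_12),
                                 ("prefix-list -> Cogent", prefix_list_match, PL_COGENT),
                                 ("prefix-list -> MTO", prefix_list_match, PL_MTO)):
        print(f"{name:24} {advertised(match, entries)}")
```

Because the /22 and the /24 share the same network address, the ACL form treats them identically, so the covering /22 is withheld from MTO and sent to Cogent; comparing `show ip bgp neighbors <peer> advertised-routes` against the intended list confirms what each filter actually lets out.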
09-21-2009 11:45 AM
Ok so finally we got it to work as mentioned in the above configs, only thing remaining is that the router chooses COGENT as the default 0.0.0.0, I need all the traffic that is NOT from the XXX.75.188.0 /24 network to go out through MTO and that class C through cogent.
How do I accomplish this?
Thanks