design for becoming dual homed to internet

Sep 23rd, 2009

I am on a fact finding mission in regards to becoming dual homed to the internet. I currently have a registered ASN associated with my own Class C address space with my primary provider located at my corporate office. I have a secondary provider at a remote location that we have been using simply for VPN type access but want to expand this to be a redundant link in the event our primary link goes down. The ASN & address space at the remote location is provided by the secondary provider.


The questions I have are regarding two different fronts. The first being what I need to do on the internet side and the second being changes within the core so that traffic can be routed properly when the primary link is down.


In regards to the Internet front, would the best practice be to split my class C and request a second ASN and use that with my registered address space at the secondary location? Do I simply proceed using both my registered ASN / Address and the provider ASN / Address? I posted a note to ARIN inquiring about best practice but they were semi-helpful on that front. I am also thinking that these will basically become load balanced for inbound traffic when I start adding the secondary space into DNS? Is there a way I can load entries so that the secondary paths have a higher cost? My concern here is over subscribing the secondary link as it is smaller than the primary. These are just a few that have come to mind. I am sure there will be more as I work through the design.


In regards to the core, how do I get network status information from my internet router, through my pix and to the core? I use BGP with my ISPs and BGP on my MPLS cloud and EIGRP in the cores of the remote locations for redistribution of my VLANS into the MPLS cloud. I figure I can add another EIGRP or RIP to get network status of the internet, but I am not sure how to handle the handoff through the pix. Is it simply a pass through or is there more to it? I am thinking that I also need to remove the network 0.0.0.0 that I am injecting into BGP between the MPLS network and the core, but at the same time I want to keep all internet traffic going out through corporate unless that path drops and then use the secondary. Once again I am thinking of some type of high cost mechanism compared to manual changes to handle the internet bound traffic.


I will put together a diagram and attach it to hopefully make things clearer. Basically I have an Internet router connected to a pix connected to a core 4506. Off the core 4506 are two (2) routers with unique paths to the MPLS cloud. On the remote side I have a router off the MPLS cloud connected to a 4506. From that 4506 to a pix to the router supporting my secondary internet.


Thanks in advance...


Brent

Giuseppe Larosa Wed, 09/23/2009 - 10:27

Hello Brent,


>> In regards to the Internet front, would the best practice be to split my class C and request a second ASN and use that with my registered address space at the secondary location?


No, you don't need a second public ASN; it is good that you already have one even if you are not multihomed.


>> Do I simply proceed using both my registered ASN / Address and the provider ASN / Address? I posted a note to ARIN inquiring about best practice but they were semi-helpful on that front.


You should use your registered ASN also at the secondary location to advertise your own prefix.

But I'm not sure that is something you need in your scenario.


Internet works in this way:

public IP subnets have to be sourced by their legitimate owners using the expected ASN.

ISP2 cannot source your prefix and the private AS number ISP2 has given to you is removed by ISP2 and not seen on the internet.


>> Is there a way I can load entries so that the secondary paths have a higher cost?

At the BGP level you can use AS path prepending to make advertisements from the second location less attractive to the internet. You can only prepend your own ASN.



>> In regards to the core, how do I get network status information from my internet router, through my pix and to the core?


You can think of using reliable static routing with object tracking if supported in your core devices.


EIGRP might or might not be supported on the PIX.

If it is not supported you should run it over a GRE tunnel, and you need to configure the PIX to allow GRE packets.



About sending the default route into BGP towards the MPLS cloud.

I suppose you are using L3 MPLS VPN service from your MPLS SP.

With SP cooperation the 0.0.0.0/0 coming from the primary site can be preferred; for example, the SP can set a higher local preference on the PE node connected to the primary central site.


All PE nodes will install the preferred route and will pass a default route over the eBGP sessions to the CE routers.


Hope to help

Giuseppe


bberry Thu, 09/24/2009 - 08:17

Thanks for the response ..


>>No, you don't need a second public ASN; it is good that you already have one even if you are not multihomed.


I thought that all ASNs needed to be unique unless at the same physical location. Would I not need this so that say www.myweb.com would be able to resolve to either the primary location or secondary location? That is why I was thinking of splitting the Class C and have part at primary with 1.2.3.4 pointing to www.myweb.com and 1.2.3.200 at secondary pointing to www.myweb.com as well.



bberry Thu, 09/24/2009 - 08:31

I have been looking at the actual configs and working on a diagram. I just noticed that I already have the same ASN number at both the corporate location and the remote location, but I do not appear to be doing a prepend and I gather that is because I am using different IP address space for the two?


It looks like I just need to figure out the prepend stuff and work with my secondary provider to make sure that traffic can be routed over them using my registered address space.


Nothing like riding the learning curve *S*

Giuseppe Larosa Thu, 09/24/2009 - 21:50

Hello Brent,


>> I just noticed that I already have the same ASN number at both the corporate location and the remote location.


This is a good starting point, so ISP2 is already peering with your public ASN.


>> but I do not appear to be doing a prepend and I gather that is because I am using different IP address space for the two?


Yes, this is likely the reason.


To perform a selective as-path prepending you need to use a route-map.


example:

! let's pretend your public network is:
access-list 11 permit 220.221.225.0 0.0.0.255
!
! clause 10: prefixes matching access-list 11 get our ASN prepended four times
route-map sel-prepend-toISP2 permit 10
 match ip address 11
 set as-path prepend ASN ASN ASN ASN
!
! an empty final clause is needed to send other prefixes with a normal AS path
! (without it the implicit deny would suppress everything else)
route-map sel-prepend-toISP2 permit 20
!
router bgp ASN
 neighbor ISP2.ipaddress route-map sel-prepend-toISP2 out


Hope to help

Giuseppe
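To make the selective prepend above concrete, here is an added Python model of what a remote AS would see; it is not code from the thread or from Cisco. It assumes placeholder ASNs 65001 (ours, written as 'ASN' in the thread), 64501 (ISP1) and 64502 (ISP2), and that no upstream local-preference policy overrides AS_PATH length; it also shows what happens to the other prefixes when the empty permit 20 clause is left out.

```python
"""Model of the selective AS-path prepend route-map discussed in the thread."""
import ipaddress

# Assumed placeholder ASNs (the thread writes ours as 'ASN' and never names the ISPs').
OUR_ASN, ISP1_ASN, ISP2_ASN = 65001, 64501, 64502
OUR_PREFIX = ipaddress.ip_network("220.221.225.0/24")   # registered space used in the thread
ISP2_PREFIX = ipaddress.ip_network("1.2.3.0/24")        # ISP2-assigned space from the thread
PREPENDS = 4   # 'set as-path prepend ASN ASN ASN ASN'


def acl_11_matches(prefix):
    """access-list 11 permit 220.221.225.0 0.0.0.255: any prefix whose network address is in that /24."""
    return prefix.network_address in OUR_PREFIX


def route_map_sel_prepend(prefix, with_empty_final_clause=True):
    """Extra ASNs the route-map prepends toward ISP2, or None when the route-map denies the prefix.

    Clause 10 prepends for ACL 11 matches; the empty clause 20 permits everything else unchanged.
    Leaving clause 20 out means unmatched prefixes hit the implicit deny and are never advertised.
    """
    if acl_11_matches(prefix):
        return [OUR_ASN] * PREPENDS
    return [] if with_empty_final_clause else None


def as_path_sent_to_isp2(prefix, with_empty_final_clause=True):
    """AS_PATH on our eBGP update to ISP2: route-map prepends plus our own ASN once (normal eBGP export)."""
    extra = route_map_sel_prepend(prefix, with_empty_final_clause)
    return None if extra is None else extra + [OUR_ASN]


def remote_best_exit(prefix, with_empty_final_clause=True):
    """ISP a remote AS peering with both ISPs prefers for prefix, judged on AS_PATH length alone
    (assumes no upstream local-preference policy overrides it). None means the prefix is unreachable."""
    candidates = {}
    if prefix == OUR_PREFIX:                      # only the registered space is also originated at the primary site
        candidates["ISP1"] = [ISP1_ASN, OUR_ASN]  # primary site sends no prepend
    via_isp2 = as_path_sent_to_isp2(prefix, with_empty_final_clause)
    if via_isp2 is not None:
        candidates["ISP2"] = [ISP2_ASN] + via_isp2  # ISP2 adds its own ASN when re-advertising
    if not candidates:
        return None
    # shortest AS_PATH wins; ties go to the lower neighbor ASN, standing in for BGP's later tie-breakers
    return min(candidates, key=lambda isp: (len(candidates[isp]), candidates[isp][0]))


if __name__ == "__main__":
    for pfx in (OUR_PREFIX, ISP2_PREFIX):
        print(pfx, "->", remote_best_exit(pfx), "| path to ISP2:", as_path_sent_to_isp2(pfx))
    print("without clause 20:", ISP2_PREFIX, "->", remote_best_exit(ISP2_PREFIX, False))
```

With the prepend in place the registered /24 is still reached via ISP1 (AS_PATH length 2 versus 6), while the ISP2-assigned space goes out with a normal path; drop clause 20 and that space is no longer advertised at all.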


bberry Thu, 10/15/2009 - 11:28

Woo hoo. I think I am getting close. At least past the paper design phase. One more question. I can still use the address space I received from ISP2 and prepend my network, correct?


For example I have 1.2.3.0 from ISP2 that I currently am using for dedicated access through that link. I should be able to continue to use this and use the as-path prepend for 220.221.225.0?


Thanks for the assistance.
