Basic BGP question

Answered Question
Sep 9th, 2010

Hello all,

I've got 2 edge routers, each with a fiber connection to my ISP (2 separate circuits, same ISP). I've got my public ASN, and BGP is working properly with my ISP on each of these routers. What I need to set up is failover...so if one router's neighbor fails then my outbound internet traffic automatically fails over to the other. I assume I need to set up an iBGP peer group for these 2 routers?


Thanks,

Sean

Jon Marshall Thu, 09/09/2010 - 15:08

Sean


Depends on how you are routing from the edge routers to your internal network. If you are using HSRP you can simply track the WAN facing interfaces of your edge routers.


If you are propagating the BGP learned routes to the internal devices then if one link goes down the internal device will simply use the one remaining link.


So how exactly are you routing from your LAN to your edge routers?


Jon

pondersean Thu, 09/09/2010 - 15:17

I've got HSRP set up on the "inside" of my edge routers...so my firewalls use a virtual IP for next hop and out of my LAN.  I'm not running any internal routing protocols (OSPF, EIGRP, RIP, etc) instead using static routes.


I've got eBGP set up on each router to my ISP (Level3) and it is working properly. Now I just want to ensure that if one of these circuits goes down then my traffic automatically flops over to the backup.

james.mirtsis Thu, 09/09/2010 - 16:12

Sounds like you need to just add "standby (group number) track (wan interface)" into your HSRP configuration on the active router. Also, you will want to add the "standby (group number) preempt" command on the active router configuration to force a re-election when the interface comes back up.

Jon Marshall Fri, 09/10/2010 - 04:37

Sean


Then as James says you just need to HSRP track the WAN interfaces on your edge routers. Make sure you have preempt enabled on both routers.


Jon

Richard Burts Fri, 09/10/2010 - 05:21

I would offer a word of caution here. The solution is probably not quite as simple as just adding track the WAN interface in HSRP. In the original post Sean describes the connection to the router as fiber. It would help to know specifics of how the fiber connects to the router. If the connection is an Ethernet interface on the router then there is an issue. With Ethernet it is quite possible that you lose connectivity to the next hop but the interface still shows as up/up. And in this situation a simple track the WAN interface does not catch the loss of connectivity.


I agree that since the firewalls are forwarding to a virtual address that the solution needs to deal with HSRP. But I think that HSRP needs to track availability of the ISP router or track the presence of some route advertised by the ISP.


HTH


Rick

pondersean Fri, 09/10/2010 - 09:34

Each of the routers has a direct link via SMF to my ISP's router.  So this is using the SFP interface in auto-negotiate mode.


I've added neighbor entries to initiate iBGP on the two routers...and eBGP is working properly.  Just isn't failing over when I do a "shut" on my primary router's SFP interface.


HSRP is monitoring the inside interface only...I'll add the WAN interface to this.


-Sean

Jon Marshall Fri, 09/10/2010 - 12:19

Sean


I don't think iBGP gives you anything here. You are not a transit AS and you are only really concerned with failing over outbound. Just simply track the WAN interfaces. Not sure what you mean by tracking the inside interface - do you mean you are tracking it or simply running HSRP?


Jon

Giuseppe Larosa Fri, 09/10/2010 - 13:06

Hello all,


I agree with Rick's concerns.


One possible solution to take advantage of an iBGP session is to add a direct link between the two edge routers. In this way, even if the HSRP state is not the correct one (it missed an indirect failure, for example), BGP routing will do the job.


Otherwise HSRP should track more than simple WAN interface state; an IP SLA towards the eBGP peer address could be a good test.


Hope to help

Giuseppe
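
Added example (not part of the original thread and not any poster's configuration): a Cisco IOS configuration for the active edge router that contrasts plain interface tracking with the two checks suggested in the posts above, an IP SLA probe to the eBGP peer and tracking of an ISP-advertised route. Interface names, the HSRP group number, priorities and all addresses (documentation ranges) are assumptions.

```cisco
! Added example. Interface names, group 1, priorities and addresses
! (192.0.2.0/24 and 198.51.100.0/24 documentation ranges) are assumptions.
!
! --- Weak: tracks line protocol only ---------------------------------
! An Ethernet/SFP hand-off can stay up/up while the ISP next hop is
! unreachable, so this never lowers the HSRP priority in that case.
!
! interface GigabitEthernet0/1
!  standby 1 track GigabitEthernet0/0 20
!
! --- Stronger: probe the eBGP peer over the WAN interface ------------
ip sla 10
 icmp-echo 192.0.2.1 source-interface GigabitEthernet0/0
 frequency 5
ip sla schedule 10 life forever start-time now
!
track 10 ip sla 10 reachability
 ! wait 10 s before declaring the peer down, so one lost probe
 ! does not trigger an HSRP switchover
 delay down 10
!
! --- Alternative: presence of a route advertised by the ISP ----------
! Assumes the ISP sends a default route over eBGP. Only meaningful if
! this router cannot also learn that route from the other edge router.
track 20 ip route 0.0.0.0 0.0.0.0 reachability
!
! --- Inside (LAN-facing) interface holding the HSRP virtual IP -------
interface GigabitEthernet0/1
 ip address 198.51.100.2 255.255.255.0
 standby 1 ip 198.51.100.1
 standby 1 priority 110
 ! delay taking the active role back until BGP has had time to converge
 standby 1 preempt delay minimum 60
 ! either failure drops priority from 110 to 90, below the peer's 100
 standby 1 track 10 decrement 20
 standby 1 track 20 decrement 20
!
! Second edge router (assumed): same group and virtual IP, default
! priority 100, and "standby 1 preempt" so it takes over when this
! router's priority falls below its own.
```

`show track` and `show standby brief` confirm the tracked-object state and which router is active after a test failure. Some older IOS releases use the keyword `rtr` in place of `ip sla` in the track command.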

pondersean Mon, 09/13/2010 - 10:25

I got HSRP working properly...so now my outbound traffic fails over correctly.  Thanks for all the help guys!


The one last piece that isn't working is external connections.  If I "down" one of my routers, traffic destined for my BGP-advertised network never reaches it.  Both routers are advertising the network to my ISP, but only one router is actually receiving traffic for that network.

Correct Answer
Richard Burts Mon, 09/13/2010 - 10:40

Sean


Based on what you have described here it is possible that there is some problem with how you advertise your networks to the ISP from the second router or there could be a problem on the ISP side about receiving those routes. I would suggest that we start by looking at how you advertise your networks to the ISP from the second router. Can you post the config (at least the BGP parts) for the second router?


HTH


Rick

pondersean Mon, 09/13/2010 - 12:01

OK we figured it out.  Turns out my ISP had a static route to the primary router that didn't get removed when they turned up the backup circuit to my second router.  They removed the static route and everything is working as intended.


Thanks for all of your help guys!

-Sean

Richard Burts Mon, 09/13/2010 - 12:20

Sean


I am glad that you got the issue resolved. Thank you for posting back to the forum indicating that it was fixed (and thanks for the rating). It makes the forum more useful when people can read about a problem and can know from the markings that the problem was solved. And yours is a good example of the point that the problem is not always something on our side of the network.


HTH


Rick
