iBGP routing

Answered Question
Apr 2nd, 2012

All- we have a client that has a data center in Boston and a DR in New York with more than 10 site-to-site VPN tunnels. Each remote site runs IPSec with GRE tunnel with BGP connected to the Data Center in Boston. The client requests to build the failover VPN router at DR in New York, and between New York and Boston, there is a MPLS via eBGP.


I am attaching the network diagram. Should I run the same AS 65003 on the failover VPN router 2 as on router 3, since routers 2 and 3 are VPN-terminated end points? Or should I run a different AS than AS 65003? Please advise.


Regards,

Joe







Edison Ortiz Mon, 04/02/2012 - 13:47

Yes, that would be ideal.

Joe Lee Mon, 04/02/2012 - 14:24

As always, thank you Ed. Just want to clarify that I should run the same AS 65003 on the failover router, right? If so, can you please explain it to me?

Edison Ortiz Tue, 04/03/2012 - 07:42

Joe,


Sorry, I should've opened the PDF file before responding. I agree with Milan's assessment.

It's usually suggested to have a unique AS per site, thus I recommend leaving 65000 just for NY and perhaps running 65001 or 65003 just for Boston.

milan.kulik Tue, 04/03/2012 - 08:01

Hi Edison/Joe,


aren't Router 0 and Router 1 routers owned by an MPLS provider?

Then it would make sense to use two AS numbers per site.


BR,

Milan

Correct Answer
Edison Ortiz Tue, 04/03/2012 - 08:05

I thought they were CPEs. But if they are PEs, then you are right.

If they are CPEs, I like the idea to run the same AS in the WAN Edge bubble.

Vasileios Boulo... Mon, 04/02/2012 - 14:45

Hi Joe,


I also agree with Edison.

It is better to have the same AS number on both R2 and R3 routers in your design.

Possible routing loops, e.g. by misconfiguration, are prevented due to the built-in AS-LOOP prevention BGP mechanism.

For instance, if R4 advertises the subnets learnt by R2 to R3, these are denied by R3 due to the same AS value.

The same applies to R1, R0.

Of course all these can be prevented with the correct configuration (e.g. route-maps, filter-list), but in this way you can add an extra layer of protection against BGP routing loops.


Hope that helps

Vasilis

Correct Answer
milan.kulik Tue, 04/03/2012 - 04:51

Hi,


is the Remote-Atlanta router on your diagram an example of a remote site running a primary IPSec with GRE VPN tunnel with Router 3 in Boston?

And in case of a primary VPN failure, will it establish a failover VPN connection to Router 2 in New York?

And connect to Boston through an MPLS connection between New York and Boston?


If all the answers to the questions above are "Yes", then you can't use the same AS number on Router 3 and Router 2, I'm afraid.

Imagine the following scenario:

Atlanta (AS 65004) would be connected to New York (AS 65003).

How would Router 3 (AS 65003) know where to forward the traffic with Atlanta destination?

It needs to receive the Atlanta prefix from New York!

But if the AS_PATH contains its own AS number (65003), it would be rejected by Router 3!

So you have to use a different AS number for Router 2.


You can imagine also more complicated scenarios when some clients are connected to Router 2 and some to Router 3.

And they would need to communicate with each other. Again, the same AS number can't be used on Router 2 and Router 3.


Regarding possible routing loops caused by the client becoming a transfer AS (routing data from Boston to New York):

You can (and you should) configure the clients to advertise only their own (local) prefixes.


Generally, it's always confusing to use the same AS number on multiple sites in more complex enterprise networks.


HTH,

Milan

Joe Lee Tue, 04/03/2012 - 06:44

All-


The answer to all of Milan's questions is "Yes". It seems there are two different ideas, but I agree with what Milan says. Any thoughts?


Regards,

Joe

Correct Answer
Vasileios Boulo... Tue, 04/03/2012 - 15:00

Hi Joe and Milan,


The problem that Milan describes with possible loops can be overcome with the BGP as-override command.

This command is very common for ISP and VPN solutions. In these cases the ISP provides an AS to the customer and uses the as-override command for the PE-CE BGP peerings.

In your topology, if you use the same AS, you can achieve this by configuring as-override on the BGP peerings R1->R3 and R0->R2.


Initially, in my first post, I thought that NY & Boston have the same AS due to the big circle in the diagram.

Now, it seems that it is simpler to have a different AS.


Just to mention that as-override should be configured in case you have more remote sites like R-Atlanta with the same AS, in order to achieve site-to-site communication.


Regards,

Vasilis

Joe Lee Tue, 04/03/2012 - 19:19

Thanks Vasilis, Milan and Ed.


I have one last question about the NAT. My client has a few VPN remotes, and those VPN sites require a routable IP address for the local host. So this is what I configured on Router 3 (72.10.10.1 is the routable IP address in this case):

ip nat inside source static 192.168.1.1 72.10.10.1


This NAT is only there to meet those VPN requirements. The question is: do I need to configure "ip nat outside" on the external interface, which is connected to the internet?

Edison Ortiz Tue, 04/03/2012 - 21:07

Joe,


You need 'ip nat inside' on the ingress interface from the 192.168.1.0/24 network and 'ip nat outside' on the egress interface towards the internet.

milan.kulik Wed, 04/04/2012 - 00:56

Hi Vasilis,


yes, configuring as-override on the BGP peerings R1->R3 and R0->R2 would enable using the same AS number on Router 2 and Router 3.

But do you think it would be safe from a possible loop detection point of view?

IMHO, this feature should be used only if you have to.

Which is not the case here.


In case you have more remote sites like R-Atlanta with the same AS number, as-override on the BGP peerings R1->R3 and R0->R2 would not help.

You would need neighbor allowas-in configured on the remote sites.


BR,

Milan
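As an added illustration of the three points argued in this thread (Milan's AS_PATH rejection on Router 3, Vasilis' as-override on the PE-CE peerings, and Milan's allowas-in on remote sites sharing an AS), and not code from any poster, the Python model below replays the Atlanta prefix through the topology with the thread's AS numbers. It assumes the MPLS provider (R0/R1) is AS 65100, uses Edison's 65000 as the alternative AS for New York, and invents a second remote site "Site B" sharing Atlanta's AS.

```python
# Added example, not from the thread: a minimal model of BGP's AS_PATH loop
# check and of the 'as-override' / 'allowas-in' knobs, using the thread's AS
# numbers (65003 Boston/Router 3, 65004 Atlanta, 65000 for NY as Edison
# suggests). Assumed: the MPLS provider (R0/R1) is AS 65100; "Site B" is a
# hypothetical second remote site sharing Atlanta's AS.
from typing import List, Optional

PROVIDER_AS = 65100   # assumed, not on the diagram
BOSTON_AS = 65003     # Router 3
ATLANTA_AS = 65004    # Remote-Atlanta

def receive(local_as: int, as_path: List[int], allowas_in: bool = False) -> Optional[List[int]]:
    """eBGP ingress: an update whose AS_PATH already contains our own AS is
    dropped as a loop, unless 'neighbor ... allowas-in' relaxes the check."""
    if local_as in as_path and not allowas_in:
        return None
    return list(as_path)

def advertise(local_as: int, as_path: List[int], peer_as: int, as_override: bool = False) -> List[int]:
    """eBGP egress: prepend our AS. With 'neighbor ... as-override' (PE->CE),
    each occurrence of the peer's AS in the path is first rewritten to our own
    AS, so the CE never sees its own AS and does not drop the route."""
    path = [local_as if (as_override and a == peer_as) else a for a in as_path]
    return [local_as] + path

def atlanta_prefix_at_boston(ny_as: int, pe_as_override: bool = False) -> Optional[List[int]]:
    """AS_PATH Router 3 (Boston) sees for Atlanta's prefix after Atlanta has
    failed over to Router 2 (NY): Atlanta -> Router 2 -> R0 ... R1 -> Router 3.
    None means Router 3 rejected it (Milan's scenario)."""
    path = advertise(ATLANTA_AS, [], peer_as=ny_as)                      # Atlanta originates
    path = advertise(ny_as, receive(ny_as, path), peer_as=PROVIDER_AS)   # Router 2 -> R0
    path = receive(PROVIDER_AS, path)                                    # provider accepts
    path = advertise(PROVIDER_AS, path, peer_as=BOSTON_AS, as_override=pe_as_override)  # R1 -> Router 3
    return receive(BOSTON_AS, path)

def site_b_sees_atlanta(remote_allowas_in: bool = False) -> Optional[List[int]]:
    """Two remote sites sharing AS 65004 (Atlanta and hypothetical Site B), both
    on GRE tunnels to Router 3: PE-side as-override never touches those GRE
    peerings, so Site B only accepts Atlanta's prefix with allowas-in."""
    path = advertise(ATLANTA_AS, [], peer_as=BOSTON_AS)                  # Atlanta -> Router 3
    path = advertise(BOSTON_AS, receive(BOSTON_AS, path), peer_as=ATLANTA_AS)  # Router 3 -> Site B
    return receive(ATLANTA_AS, path, allowas_in=remote_allowas_in)

if __name__ == "__main__":
    print("same AS, no override :", atlanta_prefix_at_boston(65003))        # None
    print("same AS + as-override:", atlanta_prefix_at_boston(65003, True))  # [65100, 65100, 65004]
    print("different AS for NY  :", atlanta_prefix_at_boston(65000))        # [65100, 65000, 65004]
    print("Site B, no allowas-in:", site_b_sees_atlanta())                  # None
    print("Site B + allowas-in  :", site_b_sees_atlanta(True))              # [65003, 65004]
```

Note that as-override hides the customer's AS from its own path, which is exactly why Milan prefers distinct AS numbers: the rewritten path no longer lets Router 3 detect a genuine loop through the MPLS cloud.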
