06-05-2014 03:39 PM - edited 03-04-2019 11:06 PM
Hi,
I want to load-share traffic for my two network segments. I have two routers, each with an internet circuit running BGP with two different ISPs (ISP-A & ISP-B). I am also running IBGP between the two routers. Since I have two /24 segments (not provided by the ISP), I want one segment to prefer ISP-A and the other segment to prefer ISP-B. I have configured EBGP & IBGP and configured AS-path prepend, but I see some asymmetric behaviour. Source traffic which prefers ISP-A is going via it, but incoming traffic is via ISP-B.
Please suggest how this asymmetric behaviour could be fixed.
06-06-2014 04:38 AM
Hello.
This might be caused by misconfiguration on your side, or it might be a result of ISP's routing policy.
Your ISP[s] might be implementing BGP policies, like assigning local preference 120 to routes from customers and local preference 90 to routes from peering points.
If so, you should also be able to influence path selection with BGP communities. For example, see this link for some ISPs: http://onesc.net/communities/
PS: you might be interested in RFC 4264 (BGP wedgies), as it describes potential issues of such policies.
PS2: could you please share your configuration, including real AS numbers and public prefixes.
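The effect described in the reply above, as an added example that is not part of the original post: a simplified Python model of best-path selection inside ISP-B, showing why AS-path prepending cannot override a higher local preference. It assumes ISP-A (AS 4755) and ISP-B (AS 9498) exchange routes as peers, uses the reply's example values 120 and 90, and models only the first two tie-breakers; all function names are hypothetical.

```python
# Added illustration: simplified BGP best-path choice as seen inside ISP-B.
# Only local preference and AS-path length are modelled.
from dataclasses import dataclass

CUSTOMER_LOCAL_PREF = 120   # example value from the reply above
PEER_LOCAL_PREF = 90        # example value from the reply above


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple       # leftmost AS is the neighbour that sent the route
    learned_from: str    # "customer" or "peer"

    @property
    def local_pref(self):
        if self.learned_from == "customer":
            return CUSTOMER_LOCAL_PREF
        return PEER_LOCAL_PREF


def best_path(routes, use_local_pref=True):
    """Highest local preference wins; AS-path length only breaks ties."""
    def key(route):
        pref = route.local_pref if use_local_pref else 0
        return (-pref, len(route.as_path))
    return min(routes, key=key)


def candidates_at_isp_b(prefix, prepends_to_b):
    """Routes ISP-B holds for one prefix originated by AS 132965.
    Assumption: ISP-A re-advertises the unprepended route to ISP-B as a peer."""
    direct = Route(prefix, (132965,) * (1 + prepends_to_b), "customer")
    via_isp_a = Route(prefix, (4755, 132965), "peer")
    return [direct, via_isp_a]


def entry_point(prefix, prepends_to_b, use_local_pref=True):
    """Which customer router ISP-B's traffic for the prefix arrives on."""
    chosen = best_path(candidates_at_isp_b(prefix, prepends_to_b), use_local_pref)
    return "Router-B" if chosen.learned_from == "customer" else "Router-A"


if __name__ == "__main__":
    for n in (0, 4, 10):
        print(f"{n} prepends -> {entry_point('X.X.X.0/24', n)}"
              f" | if only AS-path length counted -> "
              f"{entry_point('X.X.X.0/24', n, use_local_pref=False)}")
```

Under these assumptions the four prepends applied by route-map BGP-bhar only move traffic to Router-A when local preference is taken out of the comparison.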
06-07-2014 10:07 AM
Hi. Please see the config below. I have an ASA configured with IP x.x.x.5, so while tracing from the firewall to a public IP at another location (USA), the trace goes to Router-A via ISP-A. But when I do a trace from USA to the ASA, it goes through ISP-B.
Router-A#
router bgp 132965
bgp log-neighbor-changes
neighbor 14.140.191.181 remote-as 4755 --- ISP- A
neighbor X.X.X.18 remote-as 132965 ---- IBGP
!
address-family ipv4
network X.X.X.0 mask 255.255.255.0
network Y.Y.Y.0 mask 255.255.255.0
neighbor 14.140.191.181 activate
neighbor 14.140.191.181 soft-reconfiguration inbound
neighbor 14.140.191.181 route-map BGP-add out
neighbor 14.140.191.181 maximum-prefix 1000 1
neighbor X.X.X.18 activate
neighbor X.X.X.18 next-hop-self
neighbor X.X.X.18 soft-reconfiguration inbound
exit-address-family
!
!
ip route X.X.X.0 255.255.255.0 Null0 254
ip route Y.Y.Y.0 255.255.255.0 X.X.X.5 name DMZ
!
!
ip prefix-list BGP-236 seq 5 permit X.X.X.0/24
!
ip prefix-list BGP-237 seq 5 permit Y.Y.Y.0/24
!
route-map BGP-add permit 5
match ip address prefix-list BGP-236
!
route-map BGP-add permit 10
match ip address prefix-list BGP-237
set as-path prepend 132965 132965 132965 132965
===========================================================
Router-B#
router bgp 132965
bgp log-neighbor-changes
redistribute connected
network X.X.X.0 mask 255.255.255.0
network Y.Y.Y.0 mask 255.255.255.0
neighbor X.X.X.17 remote-as 132965 --- IBGP
neighbor X.X.X.17 next-hop-self
neighbor X.X.X.17 soft-reconfiguration inbound
neighbor 125.19.48.121 remote-as 9498 --- ISP-B
neighbor 125.19.48.121 soft-reconfiguration inbound
neighbor 125.19.48.121 route-map BGP-bhar out
neighbor 125.19.48.121 maximum-prefix 1000 1
!
ip route Y.Y.Y.0 255.255.255.0 X.X.X.5 name DMZ
!
ip prefix-list BGP-236 seq 5 permit X.X.X.0/24
!
ip prefix-list BGP-237 seq 5 permit Y.Y.Y.0/24
!
route-map BGP-bhar permit 5
match ip address prefix-list BGP-237
!
route-map BGP-bhar permit 10
match ip address prefix-list BGP-236
set as-path prepend 132965 132965 132965 132965
06-07-2014 01:24 PM
Hi Anukalp,
Could you please attach the diagram and check if any static default routes are configured on the firewall which point to Router-A.
06-08-2014 02:50 AM
06-08-2014 06:03 AM
Hi Anukalp,
It seems the subnets X.X.X.X and Y.Y.Y.Y are located behind the firewall. Since the firewall doesn't support PBR, all traffic from the firewall has to choose the HSRP IP address as the next-hop IP address, and then it selects only the active router to exit, even though the incoming traffic selects different routers to reach these networks as per the configuration. In this scenario using PBR in the router would not be appropriate, but there is still a workaround for replacing PBR in the firewall using destination policy NAT, which may make the configuration a little bit complicated.
The link below describes the ASA configuration. Be careful about the IOS version.
http://www.packetu.com/2011/11/28/egress-interface-selection-on-the-cisco-asa/
Regards
PrajithTR
06-08-2014 06:46 AM
Hi,
My concern is how to correct incoming traffic. As you can see, X.X.X.X traffic is being preferred on Router A towards ISP-A, and hence incoming traffic for X.X.X.X should arrive through Router A only, but that is not happening. Incoming traffic is arriving through ISP B.
What configuration should I do to remove this asymmetric behaviour?