BGP Best Path for Remote VPN

Joe Lee
Level 1

All,

To make it easier to explain my problem, I am attaching the network diagram. Hope it can help.

R1 is a remote site running IPSec with a GRE tunnel over BGP, and it accordingly has primary and failover site-to-site VPN connections to R2 and R7. R6 and R7 are in the Data Center, and R2 and R3 are in the Secondary Data Center. R3, R4, R5, and R6 are all connected to the ISP MPLS cloud via eBGP. All the routers are running eBGP here.

Our goal is to have a failover connection for the remotes (e.g. R1). When the primary VPN connection from R1 to R7 is down, the failover connection from R1 to R2 will kick in as the active connection, and when the primary VPN connection from R1 to R7 is up, it will automatically become the active connection and the VPN connection from R1 to R2 will become standby. We set up a higher local preference for the primary connection in the BGP route statement. Everything seems to work as we expected on the remote router, R1. However, when the primary switched back to being the active connection, we did "show ip bgp" for the R1 subnet on router R5, and the best path is 65005, 65006, 65007, 65001, which is what we want: return all the traffic from the primary VPN connection to the remote site. But when we do "show ip bgp" for the R1 subnet on router R4, the best path is 65004, 65003, 65002, 65001, which is returning the traffic from the standby VPN connection, which is not what we want; we want all the traffic to return to R7 and hit the remote router. It seems we need to do something on router R3 or R6 to make the best route for the remotes return the traffic the right way. Any idea is appreciated.

Regards,

Joe

Accepted Solution

Joe,

If you use as-path prepending, you can make whichever path you want less desirable than the other. For example, if you peer with R2 at 192.168.1.2, you can modify the route-map above to apply to "neighbor 192.168.1.2 route-map ForR2 out".

Let's say that you have an internal network of 1.1.1.0/24 behind R1.

All of the neighbors will have 2 routes in their bgp tables:

1.1.1.0/24 Next-hop R2 AS-path 65001 65001 65001

1.1.1.0/24 Next-hop R7 AS-path 65001

The shorter path will be preferred over the longer path.

route-map ForR2 permit 10
 set as-path prepend 65001 65001 65001
!
router bgp 65001
 ! if the R2 neighbor is activated under "address-family ipv4", put this line there
 neighbor 192.168.1.2 route-map ForR2 out

HTH, John *** Please rate all useful posts ***
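To see why R4 and R5 disagree and why prepending toward R2 changes R4's choice, here is a small model of the relevant part of the best-path decision (an added example, not from the thread). It assumes John's 1.1.1.0/24 prefix, AS 65001 to 65007 as in the diagram, and a simplified decision process (LOCAL_PREF, then AS_PATH length, then a deterministic tie-break); it also shows that a LOCAL_PREF set outbound to an eBGP peer, as in the R1-01/R1-02 route-maps, is not carried to the neighbor.

```python
from dataclasses import dataclass, replace

DEFAULT_LOCAL_PREF = 100
PREFIX = "1.1.1.0/24"   # John's assumed network behind R1

@dataclass(frozen=True)
class Route:
    next_hop: str      # router that advertised the route to us
    as_path: tuple     # left-most AS is the most recent hop
    local_pref: int = DEFAULT_LOCAL_PREF

def advertise_ebgp(route, local_as, via, prepend=0):
    """What an eBGP neighbour receives from us: our AS is prepended (plus any
    extra copies from 'set as-path prepend'), and LOCAL_PREF is not carried
    across an eBGP session, so a 'set local-preference' applied outbound (the
    R1-01 / R1-02 route-maps) is lost and the receiver uses its own default."""
    path = (local_as,) * (1 + prepend) + route.as_path
    return replace(route, next_hop=via, as_path=path, local_pref=DEFAULT_LOCAL_PREF)

def best_path(candidates):
    """The part of the IOS decision process that matters here: highest LOCAL_PREF,
    then shortest AS_PATH (prepended copies count), then lowest next-hop name as a
    deterministic stand-in for the remaining tie-breakers."""
    return min(candidates, key=lambda r: (-r.local_pref, len(r.as_path), r.next_hop))

# Both advertisement chains of the diagram, as (router, AS) pairs.
CHAIN_VIA_R2 = [("R1", 65001), ("R2", 65002), ("R3", 65003), ("R4", 65004), ("R5", 65005)]
CHAIN_VIA_R7 = [("R1", 65001), ("R7", 65007), ("R6", 65006), ("R5", 65005), ("R4", 65004)]

def walk(chain, prepend_at_r1=0):
    """Return {router: route it holds} after PREFIX is advertised hop by hop along chain."""
    held = {chain[0][0]: Route("local", ())}
    for (prev, prev_as), (cur, _) in zip(chain, chain[1:]):
        extra = prepend_at_r1 if prev == "R1" else 0     # route-map ForR2 on R1 only
        held[cur] = advertise_ebgp(held[prev], prev_as, prev, extra)
    return held

def best_return_path(router, prepend_toward_r2=0):
    """AS_PATH of the route `router` (R4 or R5) selects for PREFIX, i.e. the
    direction its return traffic toward R1 takes."""
    seen = [walk(CHAIN_VIA_R2, prepend_toward_r2)[router], walk(CHAIN_VIA_R7)[router]]
    return best_path(seen).as_path

if __name__ == "__main__":
    for n in (0, 3):
        print(f"prepend x{n}: R4 -> {best_return_path('R4', n)}  R5 -> {best_return_path('R5', n)}")
```

Without prepending R4 sees a 3-AS path via R3 against a 4-AS path via R5 and picks R3; three extra copies of 65001 toward R2 make the R3 path 6 ASes long, so R4 switches to R5 while R5's own choice via R6 is unchanged.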


6 Replies

John Blakley
VIP Alumni

Joe,

You may be able to configure prepending on R1 in order to influence all of your routers on the other end. Let me see if I understand what you're looking for:

When VPN is up: R1 - R2 - R3 - R4

When VPN is down: R1 - R7 - R6 - R5?

If that's the case, let's assume the peering address for R7 is 192.168.1.7. On R1, configure a route-map and set prepending. When the tunnel goes down to R2, it will still fail over to R7 but with a less preferred AS path. When the primary comes back up, the shorter AS path will be preferred:

route-map ForR7 permit 10
 set as-path prepend 65001 65001 65001
!
router bgp 65001
 ! if the R7 neighbor is activated under "address-family ipv4", put this line there
 neighbor 192.168.1.7 route-map ForR7 out

HTH,

John

HTH, John *** Please rate all useful posts ***

John,

R1-R2-R3 is the secondary VPN connection, R1-R7-R6 is the primary VPN connection. So when the primary goes down, the secondary VPN becomes active, and when the primary VPN comes up, it becomes active and the secondary VPN becomes standby. This works on R1. Suppose we want R3, R4, and R5's return traffic to go R6-R7-R1, but we see the traffic R5-R6-R7-R1 (that is what we want) and R4-R3-R2-R1 (that is not what we want).

Here is my router R1 config.

router bgp 65001
 bgp log-neighbor-changes
 ! R7 - primary VPN
 neighbor 192.168.1.5 remote-as 65007
 ! R2 - secondary VPN (posted with the same address as the R7 peer; two peers need two distinct addresses)
 neighbor 192.168.1.5 remote-as 65002
 !
 address-family ipv4
  ! R7 session
  neighbor 192.168.1.5 activate
  neighbor 192.168.1.5 default-originate
  neighbor 192.168.1.5 soft-reconfiguration inbound
  neighbor 192.168.1.5 route-map R7 in
  neighbor 192.168.1.5 route-map R1-01 out
  ! R2 session
  neighbor 192.168.1.5 activate
  neighbor 192.168.1.5 default-originate
  neighbor 192.168.1.5 soft-reconfiguration inbound
  neighbor 192.168.1.5 route-map R2 in
  neighbor 192.168.1.5 route-map R1-02 out
  no auto-summary
  no synchronization
  network 0.0.0.0
 exit-address-family
!
! Inbound: LOCAL_PREF decides which path R1 itself uses (higher wins), so R7 is preferred.
route-map R2 permit 10
 match ip address 2
 set local-preference 60
!
route-map R7 permit 10
 match ip address 2
 set local-preference 200
!
! Outbound to eBGP peers: LOCAL_PREF is not carried across an eBGP session, so these
! two route-maps do not influence which path R2..R7 select back toward R1.
route-map R1-01 permit 10
 match ip address 1
 set local-preference 200
!
route-map R1-02 permit 10
 match ip address 1
 set local-preference 60

Regards,

Joe


Thank you so much! It works.

Awesome Joe Glad to hear it and thank you for the rating!

HTH, John *** Please rate all useful posts ***

Hello,

Now with the same network diagram: R1 is not running any dynamic routing; it is just configured as IPSec. To R7 is the primary VPN, and to R2 is the backup VPN. R2-R7 are running the same BGP protocol.

When the primary VPN is down, the backup VPN is switched to active, but the best route to the subnet in R1 is still picked from R5->R6->R1. Ideally it should be R5->R3->R2. Please advise how I can adjust the routing.

Regards,

Joe
