BGP Load balancing

Hello Experts!!!

I need some expert advice on BGP traffic control. I'm attaching my setup here so it will help you understand my situation.

My setup: I have 3 Cisco routers connected to 3 different ISPs using BGP, all 3 routers are connected using iBGP with HSRP, and I have 2 Cisco ASAs set up in an Active/Passive configuration. Since the ASA doesn't support PBR, I'm in a situation where I can't control traffic.

We have lots of servers in our in-house data center, almost 120, and some of them have 1-to-1 NAT IPs, which are managed by the ASA. I can't control which path the NAT IPs take. I want to share load between the NAT IPs so that I can utilize all my ISPs. I have 3 ISPs with 30Mbps each.

For example, one server with NAT IP 130.XX.XX.30 should use ISP-I and IP 130.XX.XX.32 should use ISP-II. I know this is possible if I have PBR on my ASA, but since the ASA doesn't support PBR, is there any other way I can handle it? I'm not a master of BGP routing, so any suggestion related to BGP is most welcome. I have only one IP block, which is 130.XX.XX.0/24.

Any help or advice from experts like yourselves is appreciated.


Hi Raj,

You can't influence outgoing traffic, because your ASA sends all default traffic towards the active HSRP router. But you can influence inbound traffic to your data center via the network command.

For example:

By default, on your router BGP you will be advertising 130.X.X.X/24 towards all three ISPs.

If you want to load balance so that server IP 130.XX.XX.30 uses ISP-I, advertise two network statements on your router CB R1, like:

network 130.XX.XX.30 mask 255.255.255.255
network 130.XX.XX.0 mask 255.255.255.0

This way any traffic for server .30 will go via ISP 1. If your ISP 1 link fails, traffic for this server will go via router 2 or router 3, because they are still advertising the summarized 130.xx.xx.xx/24 towards the other ISPs.

Similarly you can plan for any server you want.

HTH

Sandy


Hi Raj,

Advertising a /32 network in BGP will not help you, because the ISP router will not accept your /32 advertisement. Service providers advertise clients' IPs down to /24 (they will not advertise a /32 network into the internet cloud). However, if you have HSRP configured on the routers for the internal network, you can configure 3 standby groups and configure each of the three routers as active for one group. In this way you will have 3 virtual IPs with 3 different active routers. You can configure your default route on the ASA with all three virtual IPs at equal distance. This is the possible solution for you; the load balancing will be round robin on the firewall.


Hi Raj,

By using HSRP you can influence/control only outbound traffic (traffic which is being sent out from the data center), but you can't control inbound traffic.

Raj's question is how to utilize the internet links. What you have said is correct: the ISP won't advertise a /32 network towards the external world.

When the return traffic comes to the ISP, this individual host advertisement has more control than the subnet advertisement.

Or else you can advertise a /30 or /29 along with the /24 network statement.

HTH
Sandy

 


Really appreciated for your answer, Santosh :)

The ASA sucks because it doesn't support PBR, and because of that I can't utilize all my ISPs, which we're paying a lot for every month. I don't know why Cisco is not adding PBR to the ASA. Nowadays all major firewalls support PBR. We used to use Fortigate before and it was really good, but then my boss decided to move all network gear to Cisco. While placing the order for the ASA we did not notice that the ASA doesn't support PBR. Now we're stuck in this situation.

I mean, with the new network it doesn't make sense to me to have 3 ISPs. Well, you can say that also, and it's because of the stupid ASA. If I don't find any solution in a few days, then I have no choice but to move again to "Fortigate".

Cisco says that the ASA supports up to 3 default routes with the same metric value, like this:

0.0.0.0 0.0.0.0 130.xx.xx.2 1
0.0.0.0 0.0.0.0 130.xx.xx.3 1
0.0.0.0 0.0.0.0 130.xx.xx.4 1

But I don't know how the ASA then handles traffic with that. Does it share traffic among the routes? If yes, then how? So I'm a bit confused about implementing it on the live network.

 


Rahul,

I'm not sure, but I guess nowadays core upstreams only accept /24. So even if my ISP advertises a /27 or /29, it will automatically be filtered at their upstreams. I've already tested things like this: /25 on Router-II, /26 on Router-II, /26 on Router-III, but no luck, even though I kept complaining to all my ISPs to advertise the /24 as well as the /26 and /25. They said they had done it already. But when I check traffic from the outside world it's still passing through my primary HSRP router, which is Router-III.


Dear Raj,

If you are advertising a /27 or /29, do AS prepend for these subnets towards the other two providers. This way you can influence the path via a single provider.

Share your router config with me; I can help you with this.

HTH

Sandy


Hi Santosh,

Currently I'm advertising only the /24 to all 3 of my ISPs. So if you are saying that it's possible, then yes, I did something wrong with the configuration.

Can you please show me an exact sample config for my setup? My goal is like this. All my servers have a primary and a backup, so I can change their IPs in order to achieve load sharing. Like this I can put the primary servers on ISP-I, the backup servers on ISP-II, and normal internet traffic and IPsec traffic on ISP-III. So my setup should be like this:

ISP-I   : 130.xx.xx.128/26
ISP-II  : 130.xx.xx.192/26
ISP-III : 130.xx.xx.0/25

Really appreciated, Santosh, and thanks in advance.

 


Hi,

Let me clarify that return traffic from the internet to you is not influenced by the BGP configuration at your end; whatever attributes clients use to influence their BGP routing, it is only limited to the client's router. The service provider router will only advertise the /24 network, and the ISP router doesn't accept your attributes. Also, the return traffic from the internet to you is influenced by the peering policy of a particular ISP: even if you send traffic through link 1, the return traffic may come in on any of the links (1, 2 or 3) depending on the peering policy of the remote end ISP.

By using HSRP you can at least influence your outbound routing, and the fact is that you cannot influence your inbound routing until and unless you manually bring down a particular link.

I would suggest going with three default routes with the three different HSRP IPs of the upstream internet routers.

 

 


Dear Rahul,

Using three default routes will influence your outgoing traffic, but the ASA can't do round robin load balancing. Normally for a data center, inbound traffic is always much larger than outbound traffic.

Your statement is absolutely correct for outbound traffic.

The ASA hashes the source and destination IP addresses of the outbound packet to determine which route it will use to determine the next hop for the packet (the ASA does not employ a round-robin algorithm to choose the next hop). As opposed to round-robin load balancing, packets with the same source and destination pair are always sent towards the same next hop, as per the computed hash.

http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/115986-asa-eqm-products-configuration-example.html

Raj: Kindly check the traffic utilization, which seems to be high inbound/outbound to these servers.

HTH

Sandy


Hi Raj,

Here is the config. Kindly replace xxx with your own AS number.

Router 1

router bgp xxx
 no synchronization
 bgp log-neighbor-changes
 network 130.xx.xx.128 mask 255.255.255.192
 network 130.xx.xx.0 mask 255.255.255.0
 neighbor x.x.x.x remote-as 96yy
 neighbor x.x.x.x route-map ASPREPND-MAP out
!--- The /26 is sent to ISP-I unchanged; the covering /24 carries the prepend
!--- and is kept only as the backup path if the /26 is lost.
 no auto-summary
!
!--- Extended ACLs used by a route-map match the prefix in the source field.
!--- Wildcard 0.0.0.63 covers a /26 (0.0.0.61 was not a valid /26 wildcard).
access-list 101 permit ip 130.xx.xx.0 0.0.0.255 any
access-list 102 permit ip 130.xx.xx.128 0.0.0.63 any
!
!--- Match the more specific /26 first: ACL 101 also covers 130.xx.xx.128
!--- (it lies inside the /24), so matching it first would prepend the /26 too.
route-map ASPREPND-MAP permit 10
 match ip address 102
!
route-map ASPREPND-MAP permit 20
 match ip address 101
 set as-path prepend xxx xxx xxx

 

Router 2

router bgp xxx
 no synchronization
 bgp log-neighbor-changes
 network 130.xx.xx.192 mask 255.255.255.192
 network 130.xx.xx.0 mask 255.255.255.0
 neighbor x.x.x.x remote-as 47yy
 neighbor x.x.x.x route-map ASPREPND-MAP out
!--- The /26 is sent to ISP-II unchanged; the covering /24 carries the prepend
!--- and is kept only as the backup path if the /26 is lost.
 no auto-summary
!
!--- Extended ACLs used by a route-map match the prefix in the source field.
!--- Wildcard 0.0.0.63 covers a /26 (0.0.0.61 was not a valid /26 wildcard).
access-list 101 permit ip 130.xx.xx.0 0.0.0.255 any
access-list 102 permit ip 130.xx.xx.192 0.0.0.63 any
!
!--- Match the more specific /26 first: ACL 101 also covers 130.xx.xx.192
!--- (it lies inside the /24), so matching it first would prepend the /26 too.
route-map ASPREPND-MAP permit 10
 match ip address 102
!
route-map ASPREPND-MAP permit 20
 match ip address 101
 set as-path prepend xxx xxx xxx

 

Router 3

router bgp xxx
 no synchronization
 bgp log-neighbor-changes
 network 130.xx.xx.0 mask 255.255.255.128
 network 130.xx.xx.0 mask 255.255.255.0
 neighbor x.x.x.x remote-as 86yy
 neighbor x.x.x.x route-map ASPREPND-MAP out
!--- The /25 is sent to ISP-III unchanged; the covering /24 carries the prepend
!--- and is kept only as the backup path if the /25 is lost.
 no auto-summary
!
!--- Extended ACLs used by a route-map match the prefix in the source field.
access-list 101 permit ip 130.xx.xx.0 0.0.0.255 any
access-list 102 permit ip 130.xx.xx.0 0.0.0.127 any
!
!--- Match the more specific /25 first: ACL 101 also covers 130.xx.xx.0
!--- (the /25 and /24 share a network address), so matching it first would
!--- prepend the /25 too.
route-map ASPREPND-MAP permit 10
 match ip address 102
!
route-map ASPREPND-MAP permit 20
 match ip address 101
 set as-path prepend xxx xxx xxx

 

HTH

Sandy
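As an added illustration (not part of the thread or any poster's config), the following Python models how a remote network would choose its path towards the three ranges above: first when the /26 and /25 more-specifics are accepted, then with ISP-I down, and then when an upstream filters everything longer than /24, as Rahul and Raj describe. The 192.0.2.0/24 block, the ISP labels and the AS_PATH lengths are constructed stand-ins for the redacted 130.xx.xx.0/24 and the real paths.

```python
import ipaddress

# Constructed stand-in for the thread's redacted 130.xx.xx.0/24 (RFC 5737 range).
# Each tuple is one advertisement as a remote network receives it:
# (prefix, ISP it arrived through, AS_PATH length seen by the remote network).
# ISP-III is given the shortest path, matching what Raj observed; every /24
# carries the three-AS prepend from Sandy's route-map, the more-specifics do not.
ADVERTISEMENTS = [
    ("192.0.2.0/24",   "ISP-I",   4 + 3),
    ("192.0.2.128/26", "ISP-I",   4),
    ("192.0.2.0/24",   "ISP-II",  5 + 3),
    ("192.0.2.192/26", "ISP-II",  5),
    ("192.0.2.0/24",   "ISP-III", 3 + 3),
    ("192.0.2.0/25",   "ISP-III", 3),
]

def filter_prefixes(ads, max_len=24, down=()):
    """Model an upstream that rejects prefixes longer than max_len, plus failed links."""
    return [a for a in ads
            if ipaddress.ip_network(a[0]).prefixlen <= max_len and a[1] not in down]

def best_exit(ads, host):
    """Forwarding decision: longest prefix match, then shortest AS_PATH as tie-break."""
    addr = ipaddress.ip_address(host)
    cands = [(ipaddress.ip_network(p), isp, plen) for p, isp, plen in ads
             if addr in ipaddress.ip_network(p)]
    if not cands:
        return None
    # Largest prefix length wins; among equals, the smallest AS_PATH length.
    _net, isp, _plen = max(cands, key=lambda c: (c[0].prefixlen, -c[2]))
    return isp

def inbound_paths(max_len=32, down=()):
    """Which ISP a remote network would use to reach each sample NAT address."""
    table = filter_prefixes(ADVERTISEMENTS, max_len, down)
    return {h: best_exit(table, h) for h in ("192.0.2.5", "192.0.2.130", "192.0.2.200")}

if __name__ == "__main__":
    print("more-specifics accepted:", inbound_paths())
    print("ISP-I link down        :", inbound_paths(down=("ISP-I",)))
    print("upstream filters >/24  :", inbound_paths(max_len=24))
```

With the more-specifics accepted, each host is reached through the ISP that announces its /26 or /25 and falls back to the /24 when that link is down; once the upstream drops everything longer than /24, every host is reached through ISP-III, which is exactly the behaviour Raj reports.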


Thank you soooooo much, Santosh,

Let me implement this config.


Hi Santosh,

I've configured the same settings, but still all my incoming traffic is using ISP-III.


Hi,

Let me clarify that return traffic from the internet to you is not influenced by the BGP configuration at your end; whatever attributes clients use to influence their BGP routing, it is only limited to the client's router. The service provider router will only advertise the /24 network, and the ISP router doesn't accept your attributes. Also, the return traffic from the internet to you is influenced by the peering policy of a particular ISP: even if you send traffic through link 1, the return traffic may come in on any of the links (1, 2 or 3) depending on the peering policy of the remote end ISP.

By using HSRP you can at least influence your outbound routing, and the fact is that you cannot influence your inbound routing until and unless you manually bring down a particular link.

I would suggest going with three default routes with the three different HSRP IPs of the upstream internet routers.

Otherwise, do you have public IPs provided by your service providers? If yes, then you can use each ISP's IP for a particular server's NAT, so that upstream and downstream traffic follows that particular link. In this way you can utilize all your internet links.

 

 


Thanks Rahul, but the problem is we need internet redundancy; that was the whole idea behind implementing BGP. So if I use the ISP's NAT IP, then it's the same issue again: if the ISP is down, my server is down also.

But you are correct, Rahul, that upstreams only advertise /24 at minimum. Anyway, really appreciated for your help, Rahul and Santosh. Well, let's see if I can convince my boss to replace the ASA; I know he'll agree to that because he doesn't know the current situation yet. Our setup is big: we have operations in 3 different countries, and all offices are also connected to each other using 20Mbps IPLC circuits.


Hi Raj,

Kindly clarify a few things:

1) Do you have a BGP AS number owned by your company, or is it provided by one of the 3 service providers?

2) I need to check from an internet route server to understand which of the three ISPs has the shortest AS path to reach your data center. From every scenario you describe, your 3rd service provider is chosen as best. It means your 3rd service provider has the best AS path in your region.

3) Share show ip bgp from all 3 routers with me, and similarly show ip bgp neighbors X.X.X.X advertised-routes.

There are multiple ways to achieve this.

 

 

 


Hi Santosh,

The AS number is owned by us, and we're members of APNIC and ARIN. The IP addresses are also owned by us.

By default it's choosing ISP-III because the ISP-III router has the higher HSRP priority. So if my ISP-III is down it automatically goes to ISP-II, but when ISP-III is up, which it usually is, all traffic always goes through ISP-III. But yes, incoming traffic is random depending on the source IP. My firewall IP is 130.xx.xx.5, which is also handling all the IPsec VPNs, so some clients' traffic passes through ISP-I, some through ISP-II and a few clients through ISP-III. But if I do a traceroute it always uses ISP-III.


And I can say you're right about the best path, yeah, because my ISP-III is the country's biggest ISP. Their upstreams are like HE, Comcast, etc. Maybe that's why it always gets the best path.


Hi Raj,

When you own the AS number and you do AS prepend, it must be reflected to the external world.

Share show ip bgp from all 3 routers with me, and similarly show ip bgp neighbors X.X.X.X advertised-routes.
