iBGP routing

Joe Lee
Level 1

All- we have a client that has a data center in Boston and a DR in New York with more than 10 site-to-site VPN tunnels. Each remote site runs IPSec with a GRE tunnel and BGP connected to the Data Center in Boston. The client requests to build the failover VPN router at the DR in New York, and between New York and Boston there is an MPLS via eBGP.

I am attaching the network diagram. Should I run the same AS 65003 on the failover VPN router 2 as on router 3, since routers 2 and 3 are VPN terminating end points? Or should I run a different AS than AS 65003? Please advise.

Regards,

Joe

12 Replies

Edison Ortiz
Hall of Fame

Yes, that would be ideal.

As always, thank you Ed. Just want to clarify that I should run the same AS 65003 on the failover router, right? If so, can you please explain it to me?

Joe,

Sorry, I should've opened the PDF file before responding. I agree with Milan's assessment.

It's usually suggested to have a unique AS per site, thus I recommend leaving 65000 just for NY and perhaps running 65001 or 65003 just for Boston.

Hi Edison/Joe,

Aren't Router 0 and Router 1 routers owned by an MPLS provider?

Then it would make sense to use two AS numbers per site.

BR,

Milan

I thought they were CPEs. But if they are PEs, then you are right.

If they are CPEs, I like the idea to run the same AS in the WAN Edge bubble.

Hi Joe,

I also agree with Edison.

It is better to have the same AS number to both R2 and R3 routers in your design.

Possible routing loops, e.g. by misconfiguration, are prevented due to the built-in AS-loop prevention mechanism of BGP.

For instance, if R4 advertises the subnets learnt from R2 to R3, these are denied by R3 due to the same AS value.

The same applies to R1 and R0.

Of course all these can be prevented with the correct configuration (e.g. route-maps, filter-lists), but in this way you add an extra layer of protection against BGP routing loops.

Hope that helps

Vasilis

milan.kulik
Level 10

Hi,

Is the Remote-Atlanta router on your diagram an example of a remote site running a primary IPSec with GRE VPN tunnel to Router 3 in Boston?

And in case of the primary VPN failure, it will establish a failover VPN connection to Router 2 in New York?

And connect to Boston through an MPLS connection between New York and Boston?

If all the answers to the questions above are "Yes", then you can't use the same AS number on Router 3 and Router 2, I'm afraid.

Imagine the following scenario:

Atlanta (AS 65004) would be connected to New York (AS 65003).

How would Router 3 (AS 65003) know where to forward the traffic with Atlanta destination?

It needs to receive the Atlanta prefix from New York!

But if the AS_PATH contains its own AS number (65003), it would be rejected by Router 3!

So you have to use a different AS number for Router 2.

You can also imagine more complicated scenarios when some clients are connected to Router 2 and some to Router 3.

And they would need to communicate with each other. Again, the same AS number can't be used on Router 2 and Router 3.

Regarding possible routing loops caused by the client becoming a transfer AS (routing data from Boston to New York):

You can (and you should) configure the clients to advertise only their own (local) prefixes.

Generally, it's always confusing to use the same AS number on multiple sites in more complex enterprise networks.

HTH,

Milan

All-

To answer Milan's questions: all are "Yes". It seems there are two different ideas, but I agree with what Milan says. Any thoughts?

Regards,

Joe

Hi Joe and Milan,

The problem that Milan describes with possible loops can be overcome with the BGP as-override command.

This command is very common for ISP and VPN solutions. In these cases the ISP provides an AS to the customer and uses the AS override command for the PE-CE BGP peerings.

In your topology, in case that you use the same AS, you can achieve this by configuring AS-Override to the BGP peerings R1->R3 and R0-R2.

Initially, in my first post, I thought that NY & Boston have the same AS due to the big circle in the diagram.

Now, it seems that it is more simple to have a different AS.

Just to mention that the AS override should be configured in case that you have more remote sites like R-Atlanta with the same AS, in order to achieve the site to site communication.

Regards,

Vasilis

Thanks Vasilis, Milan and Ed.

I have one last question about the NAT'ing. My client has a few VPN remotes, and those VPN sites require a routable IP address for the local host. So this is what I configured on Router 3 (72.10.10.1 is the routable IP address in this case):

ip nat inside source static 192.168.1.1 72.10.10.1

This NAT'ing is only to meet those VPN requirements. The question is: do I need to configure "ip nat outside" on the external interface, which is connected to the internet?

Joe,

You need 'ip nat inside' on the ingress interface from the 192.168.1.0/24 network and 'ip nat outside' on the egress interface towards the internet.

Hi Vasilis,

yes, configuring AS-override on the BGP peerings R1->R3 and R0-R2 would enable using the same AS number on Router 2 and Router 3.

But do you think it would be safe from possible loop detection point of view?

IMHO, this feature should be used only if you have to.

Which is not this case.

In a case that you have more remote sites like R-Atlanta with the same AS number, AS-override on the BGP peerings R1->R3 and R0-R2 would not help.

You would need neighbor allowas-in configured on the remote sites.

BR,

Milan
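The AS_PATH loop check Milan walks through (Atlanta 65004 → New York → MPLS → Boston 65003) and the as-override / allowas-in discussion between Vasilis and Milan, as an added toy model that is not from the thread or any Cisco product. Assumed values: the MPLS provider's PE routers R0/R1 are collapsed into one hop in AS 65100 (a placeholder), a different-AS variant for NY uses 65002, and a second remote site "Remote-B" reusing Atlanta's AS 65004 is constructed for the last scenario.

```python
# Toy model of BGP AS_PATH loop prevention for the thread's topology.
# Added example; not code from the thread or from any Cisco product.
PROVIDER_AS = 65100  # assumption: AS of the MPLS provider's PE routers (R0/R1)


class Router:
    def __init__(self, name, asn, allowas_in=False):
        self.name, self.asn = name, asn
        self.allowas_in = allowas_in  # 'neighbor ... allowas-in' behaviour

    def accepts(self, as_path):
        # eBGP loop prevention: reject an UPDATE whose AS_PATH already
        # contains our own AS, unless allowas-in relaxes the check.
        return self.asn not in as_path or self.allowas_in

    def advertise(self, as_path, peer, as_override=False):
        # 'neighbor <peer> as-override': replace the peer's AS with our own
        # in the path, then prepend ourselves as any eBGP speaker does.
        if as_override:
            as_path = [self.asn if a == peer.asn else a for a in as_path]
        return [self.asn] + as_path


def walk(origin, hops, overrides=frozenset()):
    """Advertise origin's prefix hop by hop; overrides = {(sender, receiver)}.
    Returns (name of the first router that rejects it or None, AS_PATH there)."""
    path, sender = [], origin
    for rcv in hops:
        path = sender.advertise(path, rcv, (sender.name, rcv.name) in overrides)
        if not rcv.accepts(path):
            return rcv.name, path
        sender = rcv
    return None, path


def boston_learns_atlanta(ny_asn, as_override=False):
    """Atlanta (65004) -> R2 in NY -> MPLS (R0/R1 as one hop) -> R3 in Boston."""
    atlanta, r2 = Router("Atlanta", 65004), Router("R2", ny_asn)
    mpls, r3 = Router("MPLS", PROVIDER_AS), Router("R3", 65003)
    overrides = {("MPLS", "R3")} if as_override else set()  # R1 -> R3 as-override
    return walk(atlanta, [r2, mpls, r3], overrides)


def remote_b_learns_atlanta(allowas_in=False):
    """Same AS on R2/R3 plus as-override, then on to a constructed second
    remote site that reuses AS 65004 (Milan's last point)."""
    atlanta, r2 = Router("Atlanta", 65004), Router("R2", 65003)
    mpls, r3 = Router("MPLS", PROVIDER_AS), Router("R3", 65003)
    remote_b = Router("Remote-B", 65004, allowas_in=allowas_in)
    return walk(atlanta, [r2, mpls, r3, remote_b], {("MPLS", "R3")})
```

With a shared AS 65003 and no as-override, R3 drops the Atlanta prefix because 65003 is already in the path; as-override on the PE side of R3 hides it, but a second remote site sharing 65004 still rejects the route unless allowas-in is set there.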
