Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
586
Views
0
Helpful
6
Replies

Internet load sharing

Anukalp S
Level 1
Level 1

‎06-05-2014 03:39 PM - edited ‎03-04-2019 11:06 PM

 

 Hi,

 I want to load share traffic for my two network segments. I have two routers with each internet circuit running BGP with two different ISPs(ISP- A & ISP-B). Also running IBGP between two routers. Since i have two /24 segments(not provided by ISP) so i want one segment to prefer via ISP A & other segment to prefer via ISP B. I have configured EBGP & IBGP and configured AS-path prepend but i see some asymmetric behaviour. Source traffic which prefer via ISP -A is going via it but incoming traffic is via ISP-B.

Pls suggest how this asymmetric behaviour could be fixed.

Labels:
0 Helpful
6 Replies 6

Vasilii Mikhailovskii
Level 7
Level 7

‎06-06-2014 04:38 AM

Hello.

This might be caused by misconfiguration on your side, or it might be a result of ISP's routing policy.

Your ISP[s] might be implementing BGP policies, like assign local preference 120 to routes from customers and local preference of 90 to routes from peering points.

If so, you also should be able to influence path selection with BGP communities. For example, see the link for some ISPs http://onesc.net/communities/

PS: you might be interested in RFC 4264 (BGP wedgies), as it describes potential issues of such policies.

PS2: could you please share you configuration, including realy AS numbers and public prefixes.

0 Helpful

Anukalp S
Level 1
Level 1
In response to Vasilii Mikhailovskii

‎06-07-2014 10:07 AM

 

Hi. Pls see below config. I have ASA configured with ip x.x.x.5 so while tracing from firewall to another location public ip(USA) trace goes to router-A via ISP-A. But when do trace from USA to ASA it goes through ISP-B.

 

Router-A#
router bgp 132965
 bgp log-neighbor-changes
 neighbor 14.140.191.181 remote-as 4755  --- ISP- A
 neighbor X.X.X.18 remote-as 132965   ---- IBGP

 !
 address-family ipv4
  network X.X.X.0 mask 255.255.255.0
  network Y.Y.Y.0 mask 255.255.255.0
  neighbor 14.140.191.181 activate
  neighbor 14.140.191.181 soft-reconfiguration inbound
  neighbor 14.140.191.181 route-map BGP-add out
  neighbor 14.140.191.181 maximum-prefix 1000 1
  neighbor X.X.X.18 activate
  neighbor X.X.X.18 next-hop-self
  neighbor X.X.X.18 soft-reconfiguration inbound

 exit-address-family
!
!
ip route X.X.X.0 255.255.255.0 Null0 254
ip route Y.Y.Y.0 255.255.255.0 X.X.X.5 name DMZ
!
!
ip prefix-list BGP-236 seq 5 permit X.X.X.0/24
!
ip prefix-list BGP-237 seq 5 permit Y.Y.Y.0/24

!
route-map BGP-add permit 5
 match ip address prefix-list BGP-236
!
route-map BGP-add permit 10
 match ip address prefix-list BGP-237
 set as-path prepend 132965 132965 132965 132965
===========================================================

Router-B#
router bgp 132965
 bgp log-neighbor-changes
 redistribute connected
 network X.X.X.0 mask 255.255.255.0
 network Y.Y.Y.0 mask 255.255.255.0
 neighbor X.X.X.17 remote-as 132965  --- IBGP
 neighbor X.X.X.17 next-hop-self
 neighbor X.X.X.17 soft-reconfiguration inbound
 neighbor 125.19.48.121 remote-as 9498  --- ISP-B
 neighbor 125.19.48.121 soft-reconfiguration inbound
 neighbor 125.19.48.121 route-map BGP-bhar out
 neighbor 125.19.48.121 maximum-prefix 1000 1
!
ip route Y.Y.Y.0 255.255.255.0 X.X.X.5 name DMZ
!
ip prefix-list BGP-236 seq 5 permit X.X.X.0/24
!
ip prefix-list BGP-237 seq 5 permit Y.Y.Y.0/24
!
route-map BGP-bhar permit 5
 match ip address prefix-list BGP-237
!
route-map BGP-bhar permit 10
 match ip address prefix-list BGP-236
 set as-path prepend 132965 132965 132965 132965

 

 

 

 

 

0 Helpful

prajithtr_2
Level 1
Level 1

‎06-07-2014 01:24 PM

Hi Anukalp,

  could you please attach the diagram and check if any static default routes are configured on firewall which point to Router-A.

0 Helpful

Anukalp S
Level 1
Level 1
In response to prajithtr_2

‎06-08-2014 02:50 AM

Yes we have default route towards virtual IP since we are running HSRP between routers.

Preview file
51 KB
0 Helpful

prajithtr_2
Level 1
Level 1
In response to Anukalp S

‎06-08-2014 06:03 AM

Hi Anukalp,

   It seems the subnets X.X.X.X and Y.Y.Y.Y are located behind the firewall.Since firewall doesnt support PBR,all traffic from firewall has to choose hsrp ipaddress as the next hop ipaddress and then it select only the active router to exit,eventhough the incoming traffic select diffrent routers to reach these network as per the configuration. In this scenario using PBR in router would not be appropriate but still there is some work around for replacing the PBR in Firewall using destination policy nat which may make the configuration little bit complicated.

the below one describes about the ASA configuration.Careful about IOS version
http://www.packetu.com/2011/11/28/egress-interface-selection-on-the-cisco-asa/

Regards
PrajithTR

0 Helpful

Anukalp S
Level 1
Level 1
In response to prajithtr_2

‎06-08-2014 06:46 AM

Hi,

 

My concern is how to correct incoming traffic as you can see X.X.X.X traffic is being prefered on router A towards ISP-A and hence incoming traffic for X.X.X.X should arrive through Router A only but its not happening same. Incoming traffic arriving through ISP B.

What configuration should i do to remove this asymmetric behaviour.

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card