Re: Internet Redundancy using BGP

networkservices · ‎02-06-2006

I'm in the process of gathering information on setting up redundant ineternet connectivity for my company. I currently have a 25MB internet connection being handed off via a Ethernet connection. I'll be adding a second 3MB internet connecion that will also be handed of by way of Ethernet. I have a Cisco 2821 router that I would like to use to take these two connections and then connect my PIX 525 up to this 2821 router. Can anyone give me some examples on how to do this?

Another note...I currently own a block of routable IPs from my existing ISP. I won't be getting any IPs from my secondary ISP.

nethelper · ‎02-06-2006

Hello,

it depends on what you want to achieve, load balancing, or a primary and a backup link. In your case, the second would probably make more sense, since one of the connections has a much larger bandwidth capacity. The configuration for a primary and backup link would look like this:

interface FastEthernet0/0

ip address x.x.x.x y.y.y.y

ip nat inside

!

interface Ethernet0/0

description connection to ISP1

ip address x.x.x.x. y.y.y.y

!

interface Ethernet0/1

description connection to ISP2

ip address x.x.x.x. y.y.y.y

ip nat outside

!

ip nat inside source route-map ISP2 interface Ethernet0/1 overload

!

route-map ISP2 permit 10

match ip address 1

match interface Ethernet0/1

!

ip route 0.0.0.0 0.0.0.0 Ethernet0/0

ip route 0.0.0.0 0.0.0.0 Ethernet0/1 200

With this configuration, the second interface would only be used if the first one goes down. This might actually be a problem when the interface doesn´t go down, but you loose connectivity to your provider, so you might want to introduce the following in order to make using the secondary interface dependent on if you can reach a specific IP address through the first one. The IP address (x.x.x.x) must be a remote address that you can reach through ISP1.

ip sla monitor 1

type echo protocol ipIcmpEcho x.x.x.x

timeout500

frequency 3

threshold 2

!

ip sla monitor schedule 1 life forever start-time now

!

track 100 rtr 1 reachability

!

ip local policy route-map Local_Traffic

!

access list 101 permit icmp any host x.x.x.x echo

!

route-map Local_Traffic permit 10

match ip address 101

set interface Ethernet0/0

set interface null0

!

ip route 0.0.0.0 0.0.0.0 Ethernet0/0 track 100

ip route 0.0.0.0 0.0.0.0 Ethernet0/1 200

Is that what you are looking for ?

Regards,

Nethelper

pkhatri · ‎02-06-2006

Hi,

I presume you would like to set this up as a primary/backup setup, seeing the difference in the size of your links.

Here's how I would so it:

- create a static default route pointing to the WAN IP of ISP1. Enable tracking on this route so that it goes down when the link goes down (reliable static routing)

- create a static default route pointing to the WAN IP of ISP2 with an admin distance of 250

- assuming that you are using NAT on the block of IPs you have got, configure your LAN interface as an inside NAT interface, and configure your 2 WAN interfaces as outside NAT interfaces

- use the 'ip nat inside source' command with a route-map to select the NAT'ed address/pool based on which interface the packet is routed of. For the primary interface, use a NAT pool with the block of public IPs you have,. For the backup interface, overload on the interface IP.

Hope that helps - pls rate the post if it does.

Paresh

mheusinger · ‎02-06-2006

Hello,

the previous posts focussed on static IP routing and gave some excellent advice on it. As you explicitly asked for BGP here is a sample configuration for your case with BGP to the two providers. I am assuming your IP addresses are from ISP1, network 1.1.0.0/16.

You should apply the proper inbound and outbound filters to be sure an ISP failure will not get you in trouble. An example configuration for ISP1 being primary and ISP2 being backup would look like this:

interface Ethernet0/1

description to ISP1

ip address 1.4.5.2 255.255.255.252

interface Ethernet0/2

description to ISP2

ip address 2.2.2.2 255.255.255.252

ip nat outside

router bgp 65000

network 1.1.0.0 mask 255.255.0.0

neighbor 1.4.5.1 remote-as 1 ! ISP1

neighbor 1.4.5.1 prefix-list NoTrash in

neighbor 1.4.5.1 filter-list 1 out

neighbor 1.4.5.1 weight 150

neighbor 2.2.2.1 remote-as 2 ! ISP2

neighbor 2.2.2.1 prefix-list NoTrash in

neighbor 2.2.2.1 filter-list 2 out

neighbor 2.2.2.1 weight 100

no auto-summary

ip as-path access-list 1 permit ^$

ip as-path access-list 2 deny .*

ip prefix-list NoTrash deny 192.168.0.0/16 le 32

ip prefix-list NoTrash deny 172.16.0.0/12 le 32

ip prefix-list NoTrash deny 10.0.0.0/8 le 32

ip prefix-list NoTrash deny 1.1.0.0/16 le 32

ip prefix-list NoTrash permit 0.0.0.0/0 le 32

ip route 1.1.0.0 255.255.0.0 Null 0 250

ip nat inside source route-map NATtoISP2 interface Ethernet0/2 overload

route-map NATtoISP2 permit 10

match interface Ethernet0/2

This would not announce any network to ISP2 and only the assigned IP addresses to ISP1, i.e. it prevents that you become transit AS between them. Also all RFC1918 routes are blocked. You could extend this and use the BOGON list for filtering, but this would require more maintainance, because you have to adjust the filters from time to time. For a customer it should be sufficient to block all routes you potentially have internally.

Hope this helps! Please rate all posts.

Regards, Martin

networkservices · ‎02-07-2006

Hello Martin,

Thanks for the sample config. Since this is my very first experience with BGP, I'm probably going to need more help understanding what some of the neighbor IPs are for and where to plug my IP addresses into this configuration. I still need to apply for an AS number with ARIN. Thanks again.

Pete