
Unable to advertise route in BGP multihomed circuit config

danny.cintron
Level 1

Wondering if someone could help with this one. We are using BGP with a primary and secondary ISP connection. To be a bit more specific, for example, an ethernet circuit (Primary) is on network 4.0.0.0/30 and a multilink T1 (Secondary) is on network 5.0.0.0/30. We have interfaces being used with public LAN addressing for both ISPs. The problem we have is when the primary circuit goes down. The users are unable to get out to the Internet. Let's say the public LAN network for the primary ISP is on 4.1.1.0/29 and for the secondary ISP it is on 5.1.1.0/24. Traffic from 5.1.1.0/24 is being advertised from what we can tell and the ISP claims they are not seeing the network being advertised. The ISP claims we may have a filter blocking the traffic from getting out. Here's a portion of the config we are using:

 

interface Multilink1
 description Secondary ISP WAN Interface
 bandwidth 3072
 ip address 5.0.0.2 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ppp multilink
 ppp multilink group 1
 ppp multilink endpoint mac GigabitEthernet0/0
 ppp multilink fragment disable
 no cdp enable
!
interface GigabitEthernet0/0
 description Secondary ISP LAN Block 5.1.1.0/24
 ip address 5.1.1.3 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 standby 1 ip 5.1.1.1
 standby 1 priority 105
 standby 1 preempt
 standby 1 name HSRP
 standby 1 track 1 decrement 10
 duplex full
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 description Primary ISP WAN Interface
 ip address 4.0.0.2 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex full
 speed 100
 media-type rj45
!
interface Serial0/0/0
 description Secondary ISP First Link
 bandwidth 1536
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation ppp
 no fair-queue
 ppp multilink
 ppp multilink group 1
 ppp multilink endpoint mac GigabitEthernet0/0
 no cdp enable
!
interface Serial0/1/0
 bandwidth 1536
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation ppp
 no fair-queue
 ppp multilink
 ppp multilink group 1
 ppp multilink endpoint mac GigabitEthernet0/0
 no cdp enable
!
interface FastEthernet0/2/0
 description Primary ISP Public LAN
 ip address 4.1.1.1 255.255.255.248
 duplex auto
 speed auto
!
interface FastEthernet0/2/1
 no ip address
 duplex auto
 speed auto
!
router bgp 2465
 bgp log-neighbor-changes
 neighbor 4.0.0.1 remote-as 74
 neighbor 4.0.0.1 description Primary
 neighbor 4.0.0.1 version 4
 neighbor 5.0.0.1 remote-as 109
 neighbor 5.0.0.1 description Secondary
 neighbor 5.0.0.1 version 4
 !
 address-family ipv4
  network 4.1.1.0 mask 255.255.255.248
  network 5.1.1.0 mask 255.255.255.0
  redistribute connected
  redistribute static
  neighbor 4.0.0.1 activate
  neighbor 4.0.0.1 weight 500
  neighbor 4.0.0.1 soft-reconfiguration inbound
  neighbor 5.0.0.1 activate
  neighbor 5.0.0.1 weight 200
  neighbor 5.0.0.1 soft-reconfiguration inbound
  neighbor 5.0.0.1 prefix-list ABC in
  neighbor 5.0.0.1 route-map localonly out
 exit-address-family
!
no ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip as-path access-list 10 permit ^$
!
!
ip prefix-list ABC seq 5 permit 0.0.0.0/0
!
!
!
!
route-map localonly permit 10
 set as-path prepend 109 109 109 109 109 109 109 109 109
!

 

 

Hope someone can help.  Any help will be appreciated.

1 Accepted Solution


Hello

Can you try amending your prepend statement to include your own ASN instead of the ISP's?

 

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul


You mean set as-path prepend 2465 2465 2465 ... Etc? Why do you think that would work?

Because BGP routers drop prefixes having their own AS number within the AS_PATH.

So if the ISP router within AS 109 receives a prefix with his AS number 109 prepended by your route-map, it drops it.


 

Best regards,

Milan



 

So to understand fully, if I change the prepend command with my own AS 2645, when there is failover or vice-versa both ISPs will adhere to the command and take over traffic?

Hello

At present you are trying to advertise your local network prefixes to an ISP of 109; however, you are prepending on these routes with an ASN of 109.

So, as Milan stated, a default loop prevention of BGP is to drop routes when it receives a route with its own ASN. It is suggested by Cisco to use your local ASN when prepending.

Please try and amend your prepending and check to see if the ISP in question begins to receive your advertised routes.

Res

Paul


Okay thanks.  I'll be trying this and will see what happens.  Here is the command I will add, changing the previous one:

route-map localonly permit 10
 set as-path prepend 2465 2465 2465 2465 2465 2465 2465 2465 2465

Wish me luck.  I appreciate your advice and will let you know the results.
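
The loop-prevention behaviour explained in the replies above, as an added example that is not part of the thread: a small Python check that reads the relevant IOS lines and flags any outbound route-map whose prepend contains the neighbor's own ASN. The function names and the reduced sample config are constructed for illustration; the AS_PATH model is simplified to "local ASN followed by the prepended ASNs".

```python
import re

def parse(config):
    """Extract local ASN, neighbor ASNs, outbound route-maps and prepend lists."""
    local, remote_as, out_map, prepend, cur = None, {}, {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            cur = None                      # left any route-map sub-mode
        if m := re.match(r"router bgp (\d+)$", line):
            local = int(m[1])
        elif m := re.match(r"neighbor (\S+) remote-as (\d+)$", line):
            remote_as[m[1]] = int(m[2])
        elif m := re.match(r"neighbor (\S+) route-map (\S+) out$", line):
            out_map[m[1]] = m[2]
        elif m := re.match(r"route-map (\S+) (?:permit|deny) \d+$", line):
            cur = m[1]
        elif cur and (m := re.match(r"set as-path prepend (\d+(?: \d+)*)$", line)):
            prepend.setdefault(cur, []).extend(int(a) for a in m[1].split())
    return local, remote_as, out_map, prepend

def peer_accepts(peer_asn, as_path):
    """eBGP loop prevention: reject an UPDATE whose AS_PATH contains the receiver's ASN."""
    return peer_asn not in as_path

def lint(config):
    """Return (neighbor, route-map) pairs whose advertisements the peer would drop."""
    local, remote_as, out_map, prepend = parse(config)
    findings = []
    for nbr, rmap in out_map.items():
        # Path as the peer sees it: local ASN added on egress, then the prepended ASNs.
        path = [local] + prepend.get(rmap, [])
        if not peer_accepts(remote_as.get(nbr), path):
            findings.append((nbr, rmap))
    return findings

# Constructed sample: only the relevant lines of the configuration posted in the thread.
BROKEN = """\
router bgp 2465
 neighbor 5.0.0.1 remote-as 109
 address-family ipv4
  neighbor 5.0.0.1 route-map localonly out
route-map localonly permit 10
 set as-path prepend 109 109 109 109 109 109 109 109 109
"""
# Same config with the local ASN prepended instead of the ISP's.
FIXED = BROKEN.replace(" 109" * 9, " 2465" * 9)
```

Running `lint` over a saved configuration before a failover test shows whether the backup peer would silently discard the advertised prefixes.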

So far so good.  I tried the command and the users were able to get internet traffic out through the secondary connection when we disconnected the primary.  We will continue monitoring and if we see any problems we'll let you know.

Just wanted to add this is still working fine but one other question on this one, I'm noticing in Nagios monitoring that bandwidth graphs show some traffic still going through secondary circuit although most of the traffic does go through primary.  Is there a way to make sure all traffic goes through primary?

Hi,

as long as you advertise your prefixes on both lines, you can never be 100% sure all incoming traffic will come through the primary line.

Don't forget the ISPs may have their own preference policy.

So your secondary ISP B will probably still prefer to route to your site through his direct connection even while receiving the same prefixes from your primary ISP A (even with shorter AS_PATH - ISP B can configure his local preference, e.g.). And if there are some other customers connected to the ISP B directly, they will probably connect to you through the secondary line.

So your prepending made most of the traffic come in through your primary line, but you can't be sure no traffic will come through the secondary line.

 

Best regards,

Milan
 

Hello

 

Glad to hear that - and also thanks for the rating!

 

res

Paul

