This is actually a pretty cool feature, I didn't even know it existed until I was looking for a solution to advertise a subnet (prefix in BGP talk) only if a certain condition existed. This is exactly what conditional advertisement does:
"The Border Gateway Protocol (BGP) conditional advertisement feature provides additional control of route advertisement, depending on the existence of other prefixes in the BGP table."
I am assuming, for those who want to read this post, that you have some understanding of BGP and its use of prefix-lists and route maps, otherwise this post might be hard to understand. Mind you, conditional advertisement is part of the CCIE R&S exam.
So let me go straight to the scenario:
So the routers under my admin domain are BEN and IBM. My primary router is BEN and my public IP range I am advertising is 220.127.116.11/24.
My two ISPs are Telstra and Next.
BEN has an eBGP neighbour with Telstra,
IBM has an eBGP peer with Next.
Then BEN and IBM form an iBGP neighbourship.
Nothing new so far. Now I have found that advertising the same public prefix towards 2 different providers, even with AS path prepending to try to make one ISP more preferable than the other, is highly unpredictable. This is because some providers prefer other providers no matter how often you AS prepend the crap out of your public prefix. This can cause asymmetric routing where your exit path is via the primary ISP and entry is through your secondary router. So I was looking for another solution: only advertise my public prefix to the backup provider (Next in my case) in the event the primary fails. Or even better: fail over when the primary ISP stops advertising a default route into my organisation through the primary router.
In order to put all this in place, most, if not all, configuration is done on the secondary router, IBM, so let's dive in.
As you can see below, the secondary internet router (IBM) has 2 default routes in its BGP table:
IBM#sh ip bgp topology *
For address family: IPv4 Unicast
BGP table version is 26, local router ID is 18.104.22.168
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*>i 0.0.0.0 22.214.171.124 0 200 0 3000 i
* 126.96.36.199 100 0 4000 i
The most preferred one comes from the BEN router, which in turn receives it from the Telstra router (188.8.131.52). Initially I was going to use IP SLA tracking on the IBM router to advertise 184.108.40.206/24 if BEN lost the connection to Telstra, but this is not as foolproof as checking whether the default route is still being advertised by BEN: if my primary internet router no longer sends a default route 0.0.0.0 to my secondary internet router, then either my primary router is down, the link to Telstra is down, or Telstra is for some other reason no longer advertising a default route.
OK, so on IBM I set up a conditional advertisement to my Next BGP peer.
What this means is that route map ADVERTISE is invoked when the condition in route map NON-EXIST no longer holds.
route-map ADVERTISE permit 10
match ip address 60
route-map NON-EXIST permit 10
match ip address prefix-list TEST
match community 1
So the ADVERTISE route map is the easy part; it constitutes our public IP prefix 220.127.116.11/24:
access-list 60 permit 18.104.22.168 0.0.0.255
the NON-EXIST route map is the condition that needs checking, and has in fact two conditions in it; it checks the prefix for a certain community and it checks if the actual prefix is available in the BGP table:
ip prefix-list TEST seq 5 permit 0.0.0.0/0
The reason there are two conditions is that (refer to the sh ip bgp topology * output above) there are two 0.0.0.0 prefixes in the table, one from each provider. I am only interested in checking one of them, namely the one that comes from BEN (22.214.171.124). I thought it would be easiest to add a check for a certain community (although matching on AS path would have worked as well).
ip community-list 1 permit 362000
So basically this second condition checks whether the route carries 362000 as its community.
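To make the two-condition logic concrete, here is an added Python model of the evaluation IOS performs for the advertise-map / non-exist-map binding; it is not code from the post or from Cisco, and the BGP table it builds is constructed to mirror the show output above (BEN's default route carrying community 362000, Next's default without it, and the public prefix matched by access-list 60). It approximates IOS semantics only as far as needed: exact-length prefix-list matching, AND between match clauses in one route-map sequence, and wildcard matching for the standard ACL. It also covers the withdraw state verified further down and what happens once BEN's default route disappears.

```python
"""Constructed model of IOS BGP conditional advertisement (advertise-map / non-exist-map).

The route-maps, prefix-list, community-list and access-list are the ones from the
post; the BGP table entries are constructed to mirror the 'show ip bgp' output.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class BgpRoute:
    prefix: str                              # e.g. "0.0.0.0/0"
    next_hop: str
    communities: frozenset = frozenset()     # community values as strings, e.g. {"362000"}


# ip prefix-list TEST seq 5 permit 0.0.0.0/0   (no ge/le: exact prefix and length)
PREFIX_LIST_TEST = ["0.0.0.0/0"]
# ip community-list 1 permit 362000
COMMUNITY_LIST_1 = {"362000"}
# access-list 60 permit 18.104.22.168 0.0.0.255   (address + wildcard mask)
ACCESS_LIST_60 = [("18.104.22.168", "0.0.0.255")]


def match_prefix_list(entries, route):
    """Prefix-list entries without ge/le match exactly one prefix/length."""
    return any(ip_network(route.prefix) == ip_network(e) for e in entries)


def match_community_list(wanted, route):
    """Standard community-list entry: every listed community must be present."""
    return wanted <= route.communities


def match_access_list(entries, route):
    """'match ip address <acl>': wildcard-match the prefix's network address."""
    net = int(ip_network(route.prefix).network_address)
    for addr, wildcard in entries:
        mask = ~int(ip_address(wildcard)) & 0xFFFFFFFF   # wildcard bits are don't-care
        if net & mask == int(ip_address(addr)) & mask:
            return True
    return False


def route_map_non_exist(route):
    """route-map NON-EXIST permit 10: both match clauses must hold (AND in one sequence)."""
    return match_prefix_list(PREFIX_LIST_TEST, route) and match_community_list(COMMUNITY_LIST_1, route)


def route_map_advertise(route):
    """route-map ADVERTISE permit 10 / match ip address 60."""
    return match_access_list(ACCESS_LIST_60, route)


def conditional_advertisement(bgp_table):
    """Return ('withdraw', []) while any route satisfies NON-EXIST, otherwise
    ('advertise', [prefixes matched by ADVERTISE]); this is the status IOS
    reports for the advertise-map under 'show ip bgp neighbor'."""
    if any(route_map_non_exist(r) for r in bgp_table):
        return "withdraw", []
    return "advertise", [r.prefix for r in bgp_table if route_map_advertise(r)]


# Constructed table entries modelled on the post's output (addresses as given there).
PUBLIC = BgpRoute("18.104.22.0/24", "0.0.0.0")                                  # locally originated
DEFAULT_FROM_BEN = BgpRoute("0.0.0.0/0", "22.214.171.124", frozenset({"362000"}))
DEFAULT_FROM_NEXT = BgpRoute("0.0.0.0/0", "126.96.36.199")                      # no community


def steady_state():
    """Both defaults present: BEN's satisfies NON-EXIST, so the public prefix is withheld."""
    return conditional_advertisement([PUBLIC, DEFAULT_FROM_BEN, DEFAULT_FROM_NEXT])


def ben_lost_telstra():
    """BEN's default is gone; Next's own default alone must not satisfy NON-EXIST."""
    return conditional_advertisement([PUBLIC, DEFAULT_FROM_NEXT])


def prefix_list_alone_would_fail():
    """Why the community clause is needed: with only the prefix-list check,
    Next's default would keep the advertisement withdrawn after BEN's failure."""
    return any(match_prefix_list(PREFIX_LIST_TEST, r) for r in [PUBLIC, DEFAULT_FROM_NEXT])


if __name__ == "__main__":
    print("steady state:", steady_state())
    print("BEN lost Telstra:", ben_lost_telstra())
    print("prefix-list alone still matches Next's default:", prefix_list_alone_would_fail())
```

The model makes the dependency explicit: failover only works while BEN's default route is the only one in the table that carries 362000. If the backup provider's default ever arrived tagged with the same community (or an inbound policy on IBM added it), NON-EXIST would stay satisfied and the public prefix would never be advertised to Next, so the inbound community handling on both peerings is worth checking alongside the advertise-map status.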
You can check the route to see if the community attribute is set and has the correct value. See below:
IBM#sh ip bgp 0.0.0.0
BGP routing table entry for 0.0.0.0/0, version 25
Paths: (3 available, best #1, table default)
Not advertised to any peer
Refresh Epoch 1
3000, (received & used)
126.96.36.199 from 188.8.131.52 (184.108.40.206)
Origin IGP, metric 0, localpref 200, valid, internal, best
rx pathid: 0, tx pathid: 0x0
Refresh Epoch 1
So at this stage both conditions should be met: a) a default route is in the BGP table and b) that route carries community attribute 362000. So our public prefix 220.127.116.11/24 should NOT be advertised from IBM to Next. To verify:
IBM#sh ip bgp nei 18.104.22.168
BGP neighbor is 22.214.171.124, remote AS 4000, external link
As you can see, the conditional advertisement states "withdraw", which means the condition to start advertising is not met; i.e. we have a valid default route coming from BEN. So let me break something to trigger the condition to change. For this I will shut the connection between Telstra and BEN. (Remember BEN does not originate 0.0.0.0, it receives it from Telstra, and as soon as that link breaks it should no longer receive a default route either.)