cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2591
Views
20
Helpful
9
Replies

Advertise Preferred Path to BGP Neighbor

Travis-Fleming
Level 1
Level 1

Hello,

My manager wants me to find an answer to this topic. We have a class C public subnet that is ours, and we have two data centers with ISR routers with full BGP neighborship to two different ISP at each data center. Those BGP routers are also neighbors with each other with the same AS and "next-hop-self" configured. They are also setup with HSRP for the LAN side, and only one is active at a time.

 

His question is, can we advertise out to one of the ISP to make one path inbound more appealing then the other? And do we care?

 

Both these routers are setup with hsrp so all our outbound traffic is going out one ISR router. However inbound traffic is coming from both ISP's. His fear is asynchronous routing, although it has not been a problem that we know if. He would like it if we could say to the ISP world all inbound traffic for our class C should come in Router A because the path there looks better.

 

I know BGP can do weight, but as I understand it, that is not something you advertise out with your subnets, but you could say which AS to go for a path out to a specific far end subnet.

 

Personally I think it's setup a good way, and in a way it's load balancing 100M of traffic inbound on both routers. Also, whichever ISP is closer to a far end user would be the patch chosen, so it could potentially have an adverse affect if we made a further path look better and their traffic had to go further from another carrier with bad ISP Peering.

 

Thoughts?

1 Accepted Solution

Accepted Solutions

Thanks for the additional information. If you have a Public class C network and are receiving full Internet updates from 2 ISP I am assuming that you work for a significant size Enterprise. In that case I would ask if you have anything (firewall etc) that does stateful inspection of traffic entering and exiting your network?

If the vpn head end is in a DMZ behind the routers then I do not believe that asymmetry of traffic would be an issue for the remote user. And as long as you are not doing stateful inspection not a problem for you.

If your HSRP setup sends all traffic out ISP-A then prepending to ISP-B would provide consistency in how your Internet traffic is handled. Probably a good thing. And it would operate similar to your MPLS.

HTH

Rick

View solution in original post

9 Replies 9

Hello,

 

not sure I fully understand the requirement, but for inbound path selection, typically, AS-PATH and MED attributes are used.

 

Do you have a topology map ?

Here is a topology map. Basically we want to make router A more inviting for inbound traffic to our class C public subnet. 

Hello
Having two local rtrs in the same ASN then what you could do is:

Ingress traffic -apply as-path prepending attribute to the least prefferd ISP rtr
Egress traffic -  apply local preferance path attribute to the most prefferd ISP rtr


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thanks that makes sense. We do that for our MPLS BGP neighbors today to try and make inbound\outbound traffic go a certain direction. Was not sure if an ISP would accept those.

 

The other part of the question is though, should we care to change it? Could it adversely affect a home user on VPN for example if Router B's ISP is closer to them then Router A, so now they would have an ISP peering issue trying to go through Router A's ISP, when Router B's ISP is mush better? Home that makes sense.

There are some things that we do not know about this environment and some of them might change the advice that we would give. For example we do not know what each ISP is advertising (and for that matter whether both ISP have similar policy) are they advertising only a default route? Or advertising a default and closely connected AS? Or advertising the full BGP table?

If you are connected to ISP-A and to ISP-B and have your own Public IP class C which you advertise to both ISP, and want to achieve that inbound traffic mostly comes through ISP-A then  the commonly used solution is to prepend your AS number on your advertisements to ISP-B.

If you prepend the AS number in your advertisements to ISP-B and if you (or your manager) are concerned about asymmetric traffic then I would think that you would also want to apply local preference to the advertisements from ISP-A so that they are preferred over the advertisements from ISP-B.

If you do this I am not sure how it would interact with your HSRP. Does your HSRP make any effort to track availability of ISP?

I am not clear about your concern about vpn connections. I would think that vpn would work through either ISP. Though it might make some difference based on where the vpn head end is. Is it a device behind the routers? Or is the vpn head end on one of the routers?

HTH

Rick

Thank you for that reply, very helpful. We do have full BGP table exchanges with both ISP's. prepending our AS number for our advertisements to ISP-B sounds like a winner of a solution for me.

 

The fear for asymptomatic routing exists today for my manager. With the way our HSRP is setup, all outbound traffic goes out ISP-A, however inbound is coming in both. So in theory if there was a home VPN user that chose the inbound path of ISP-B, they would initiate the VPN through ISP-B inbound, but outbound from our headend it would go out ISP-A. It would be taking two different paths to\from the home user. Our VPN firewall headend device is behind both Internet Routers, and a DMZ switch stack.

 

Today our HSRP does not track availability of the ISP, just our routers. In theory if ISP-A goes down on Router-A, the public BGP routes would not be there, and because both our routers are BGP neighbors, traffic would flow from our endpoints, to Router-A, then over to Router-B, then out to the internet. This has worked good for us so far as there is a layer 2 fiber 10 Gb connection between sites.

 

We Prepend out with some route-maps' for our MPLS networks so this would be similar.

Thanks for the additional information. If you have a Public class C network and are receiving full Internet updates from 2 ISP I am assuming that you work for a significant size Enterprise. In that case I would ask if you have anything (firewall etc) that does stateful inspection of traffic entering and exiting your network?

If the vpn head end is in a DMZ behind the routers then I do not believe that asymmetry of traffic would be an issue for the remote user. And as long as you are not doing stateful inspection not a problem for you.

If your HSRP setup sends all traffic out ISP-A then prepending to ISP-B would provide consistency in how your Internet traffic is handled. Probably a good thing. And it would operate similar to your MPLS.

HTH

Rick

Yes we are a pretty sizable enterprise great assumption. We are using stateless firewall traffic inspection, good question on that one, really thinking it out.

 

I think we will try doing a route map and prepending out to ISP-B another AS number to make it look less appealing. Thanks for the feedback everyone! 

It has been an interesting discussion.  Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick
Review Cisco Networking for a $25 gift card