Simon Young
Beginner

BGP and Load Distribution

Hi,

I opened a discussion a while ago and had some great feedback, but I am still racking my brains to figure this out.

I have 2 routers each with a dedicated connection to the same ISP. I am using MED to influence my advertisements to the provider

I have 2 core switches (6509) with multiple vlans, each vlan has an HSRP address of .10 shared by the switches

My routers and switches are using iBGP to communicate. Both routers connect to vlan 1 on the core switches

I want to influence my traffic from the vlans to go to specific routers, so that I utilize both routes at all times (when possible), ensuring symmetric routing at the same time.

I think I have the following options

- PBR, I'd set this on the routers' FastEthernet interfaces and match based on two different ACLs

  set the next hop as the ISP router 1 when matching ACL 1

  set the next hop as the ISP router 2 when matching ACL 2

  My concern is if I lose a link (say to ISP router 1), all traffic matched by ACL 1 is blackholed

- HSRP was suggested to me.

  configure 2 standby groups on the routers with different priorities

  allocate different HSRP addresses matching each vlan (to act as a core switch default gateway)  

  My concern here is I'd need the routers HSRP virtual IP addresses as the BGP neighbors on the core switches?

Accepted Solutions

Hi,

IMHO, you could configure the following:

Make each of your core switches to prefer routing out to one of your BGP routers. This can be easily done by configuring an incoming route-map increasing weight or local preference BGP attribute for prefixes received from the proper BGP router.

I suppose each of your BGP routers prefers prefixes received from "his" ISP router, so outgoing routing should be OK, too.

You would also need to configure HSRP in each VLAN to prefer one or second of your core switches.

And configure MED on your BGP routers to make proper subnets preferred for the returning traffic.

To make it clearer, let's make a simple example:

Let's say you've got two VLANs only in your LAN: VLAN1 with subnet 1.1.1.1/24 and VLAN2 with subnet 2.2.2.2/24.

So you configure HSRP on your core switches to make Switch1 preferred in VLAN1 and Switch2 preferred in VLAN2.

You configure BGP on Switch1 to prefer WAN prefixes received from your BGP Router1 (increase weight combined with as-path match possibly) and Switch2 to prefer WAN prefixes received from your BGP Router2.

You also configure your BGP Router1 to advertise the 1.1.1.1/24 prefix with better MED than Router2 to the ISP (and Router2 to advertise 2.2.2.2/24 with better MED than Router1) - to make the returning traffic use the same path.

You can also configure similar BGP route-map on your Router1 to prefer 1.1.1.1/24 received from Switch1 over the same prefix received from Switch2.

And that's it!

The PCs in VLAN1 will take the Switch1 as their default GW (active in HSRP for VLAN1).

Switch1 will route the outgoing traffic to your Router2 and it will forward it to ISP router1.

The returning traffic will come to your Router1.

And will be forwarded to Switch1.

The same is valid for VLAN2 but using Switch2 and Router2.

As there are the same prefixes received from the second router/switch with worse preference all the time, a backup path would be available in a case of one connection failure.

This solution is a load sharing per subnet, of course. So if traffic from/to one of your subnets will be much higher than from/to the second subnet, one of your lines will also be loaded much higher.

It will also work only for VLANs connected directly to your core switches.

In a case of any cascaded subnets connected by another L3 device(s) in your LAN you would need to configure your IGP routing to prefer one of your core switches while keeping the second as less preferred.

And to make similar configurations on your BGP routers for them.

HTH,

Milan
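
Added example (not part of Milan's post or the original thread): one way the per-VLAN scheme described above could look in Cisco IOS for the Switch1/Router1 half, showing only the preference-related lines. AS numbers 64496/64500, the 192.0.2.x and 198.51.100.1 peering addresses, the interface addresses, the route-map and prefix-list names, and the weight and MED values are assumptions; the subnets are the post's example networks written as 1.1.1.0/24 and 2.2.2.0/24, and the .10 HSRP address comes from the question.

```cisco
! ---- Switch1 (core): active HSRP gateway for VLAN1, exits via Router1 ----
! Switch2 keeps the default HSRP priority (100) in VLAN1 and uses 110 in VLAN2.
interface Vlan1
 ip address 1.1.1.2 255.255.255.0
 standby 1 ip 1.1.1.10
 standby 1 priority 110
 standby 1 preempt
!
interface Vlan2
 ip address 2.2.2.2 255.255.255.0
 standby 2 ip 2.2.2.10
 standby 2 preempt
!
! Routes learned from Router1 (192.0.2.1) win on Switch1; Router2's copies
! (default weight 0) stay in the BGP table as the backup path.
! Switch2 mirrors this with the weight on Router2 (192.0.2.2).
router bgp 64496
 neighbor 192.0.2.1 remote-as 64496
 neighbor 192.0.2.2 remote-as 64496
 neighbor 192.0.2.1 weight 200
!
! ---- Router1 (CE): better (lower) MED for VLAN1's subnet toward the ISP ----
ip prefix-list VLAN1-NET seq 5 permit 1.1.1.0/24
ip prefix-list VLAN2-NET seq 5 permit 2.2.2.0/24
!
! Anything not matched below is not advertised to the ISP (implicit deny).
route-map TO-ISP permit 10
 match ip address prefix-list VLAN1-NET
 set metric 50
route-map TO-ISP permit 20
 match ip address prefix-list VLAN2-NET
 set metric 100
!
! Prefer Switch1's copy of the VLAN1 prefix for the return path; pass the rest.
route-map FROM-SW1 permit 10
 match ip address prefix-list VLAN1-NET
 set weight 200
route-map FROM-SW1 permit 20
!
! 198.51.100.1 = ISP router 1 (eBGP), 192.0.2.11 = Switch1 (iBGP)
router bgp 64496
 neighbor 198.51.100.1 remote-as 64500
 neighbor 198.51.100.1 route-map TO-ISP out
 neighbor 192.0.2.11 remote-as 64496
 neighbor 192.0.2.11 route-map FROM-SW1 in
! Router2 mirrors Router1: MED values swapped, weight raised for VLAN2-NET from Switch2.
```

`show standby brief` on the switches and `show ip bgp <prefix>` on each device show which gateway is active and which path was selected, both before and after a link is taken down.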


9 Replies
SOcchiogrosso
Enthusiast

So you want to load share to the ISP routers from your core 6509s. Might want to consider running PfR. It might be a little more complicated at first, but you'll get better load balancing than relying on HSRP. PBR with ACLs might get a little too tedious to upkeep, depending on how in-depth you get with it.


--
CCNP, CCIP, CCDP, CCNA: Security/Wireless
Blog: http://ccie-or-null.net/


You could use IBGP multipath:

http://www.cisco.com/en/US/partner/docs/ios/12_2s/feature/guide/fsbgpls.html

For First-Hop behaviour, GLBP could be considered.

Joseph W. Doherty
Hall of Fame Expert

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

The PBR approach would likely work, although I agree with SOcchiogrosso it can be tedious to maintain, especially when dealing with fail-over.

One concern with the HSRP (or mHSRP?) approach is BGP maintains TCP sessions between routers, so although HSRP will migrate the virtual IP, likely the BGP session will drop.  Might be other possible issues too.  I've used a similar approach when using static routing, but with that, there's no session context between the routers.

Have you considered making your links between the core 6509s and your CE routers p2p?  This would allow you to have different IGP metrics from each 6500 core to each CE router.  Basically each CE router would prefer one of the two CE routers for its next hop but would know of the other as a backup path.  As to how you get the VLAN traffic to start with a particular core 6509, that could be controlled by which of the two 6509 core routers provides the active HSRP gateway, per VLAN.

I have had a very quick read of PFR and although it looks like an interesting technology, I don't think my management would want to add in that much complexity, maybe if it was not a production site or if I had a blank canvas.

The HSRP points are as I suspected that the BGP will not work. The IGP is a nice idea but.... I need to keep iBGP as I have a backup VPN running that links to the core switches as a fail over in the event of the main MPLS circuits failing. The route to this has a longer AS Path

So I am back to PBR

I am sure that the admin of PBR will be a bit of a pain but once in place, I don't think it will change much.

How can I enforce, some kind of fail over for the traffic, so that the other link is used in the event of a failure. Any ideas, some configuration options. Thanks in advance


You did originally post you're running iBGP - but you're doing this without a dynamic IGP? (I guess you're just peering iBGP on the same subnet?)

I wasn't thinking of replacing your iBGP with an IGP, but just to use the latter to influence the former for "equal cost" BGP paths.  Basically the IGP would, for equal BGP, go to the "nearest" IGP exit.  If BGP saw one path better, i.e. your VPN, it should send to the correct BGP next hop.

PS:

BTW, I haven't thought this fully out - i.e. it might not be able to work as I'm suggesting.


I like it!  Basically same concept as what I proposed, but using BGP metrics rather than IGP metrics for outbound route preference from a particular gateway router.  Local HSRP active gateway still used to select "starting" BGP router per VLAN.

One thing to take care of, though, as weight and local preference have priority over AS path length, the VPN with the longer AS path isn't overridden.

Milan

Thanks so much, I knew I was staring at it. I have the HSRP set up already and the MED for the ISP traffic

All the vlans where Core 1 is priority send to router 1 (neighbor x.x.x.x weight x), and the reverse for the other Core.

This matches the MED.

So core 1 has vlans 1-5 all sent to router 1. The MED advertises these subnets/prefixes to the eBGP peer.

Core 2 has 6-10 all to router 2. MED advertises these to its ebgp peer

Again, thanks Joseph and everyone for their contributions.

arushgandotra
Beginner

Check for configuring IP SLA and modify your PBR accordingly to take the respective ISP.
