02-29-2016 09:48 PM - edited 03-05-2019 03:27 AM
Hello All,
We have two links from two different ISPs on BGP. Both links are connected to different CE routers at our end. Network diagram attached for reference.
We are advertising two pools on these links, 192.168.10.0/24 from one ISP and 192.168.30.0/24 from the other ISP.
A couple of days back we experienced a problem during an outage of the ISP-1 link. We were not able to access the pool advertised on ISP-1. Failover to the second ISP also did not happen.
Requesting help to validate the BGP configuration and suggest where the problem might be, so that we can fix it and failover to either of the ISPs can happen smoothly.
Also, please, if anyone can help me understand the BGP configuration, as I am a bit confused about what exactly happened at the time of failover such that the IPs were not reachable from outside.
Configuration is below.
ISP-1
router bgp 200
no bgp log-neighbor-changes
network 192.168.10.0 mask 255.255.255.0
network 192.168.30.0 mask 255.255.255.0
neighbor 172.16.1.1 remote-as 100
neighbor 172.16.1.1 next-hop-self
neighbor 172.16.1.1 soft-reconfiguration inbound
neighbor 172.16.1.1 route-map AS_PREP out
neighbor 172.16.1.1 maximum-prefix 50000 50
neighbor 172.16.1.1 filter-list 10 out
neighbor 192.168.10.3 remote-as 200
neighbor 192.168.10.3 version 4
neighbor 192.168.10.3 next-hop-self
neighbor 192.168.10.3 soft-reconfiguration inbound
neighbor 192.168.10.3 prefix-list default out
neighbor 192.168.10.3 maximum-prefix 25000 50
ip as-path access-list 1 permit ^100$
ip as-path access-list 10 permit ^$
ip prefix-list LAN1 seq 5 permit 192.168.30.0/24
!
ip prefix-list LAN2 seq 5 permit 192.168.10.0/24
!
ip prefix-list block seq 5 deny 0.0.0.0/0 ge 1
!
ip prefix-list default seq 5 permit 0.0.0.0/0
route-map WAN_OUT permit 10
match as-path 10
!
route-map AS_PREP permit 10
match ip address prefix-list LAN1
set as-path prepend 200 200 200 200 200
!
route-map AS_PREP permit 20
ip route 0.0.0.0 0.0.0.0 172.16.1.1 name ISP-1
interface GigabitEthernet0/0
description ISP-1 Link
ip address 172.16.1.1 255.255.255.252
ip access-group 100 in
ip access-group 100 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip flow ingress
ip flow egress
duplex auto
speed auto
no cdp enable
interface GigabitEthernet0/1
description *** Conected to LAN **
ip address 192.168.30.2 255.255.255.0 secondary
ip address 192.168.10.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
standby 1 ip 192.168.10.1
standby 1 timers 5 15
standby 1 priority 110
standby 1 preempt
duplex auto
speed auto
no cdp enable
+++++++++++
ISP-2 :-
router bgp 200
no bgp log-neighbor-changes
network 192.168.10.0 mask 255.255.255.0
network 192.168.30.0 mask 255.255.255.0
neighbor 192.168.10.2 remote-as 200
neighbor 192.168.10.2 version 4
neighbor 192.168.10.2 next-hop-self
neighbor 192.168.10.2 soft-reconfiguration inbound
neighbor 192.168.10.2 prefix-list default out
neighbor 192.168.10.2 maximum-prefix 25000 50
neighbor 172.16.100.1 remote-as 300
neighbor 172.16.100.1 next-hop-self
neighbor 172.16.100.1 soft-reconfiguration inbound
neighbor 172.16.100.1 route-map AS_PREP out
neighbor 172.16.100.1 maximum-prefix 50000 50
neighbor 172.16.100.1 filter-list 10 out
ip as-path access-list 1 permit ^300$
ip as-path access-list 10 permit ^$
ip prefix-list LAN1 seq 5 permit 192.168.30.0/24
!
ip prefix-list LAN2 seq 5 permit 192.168.10.0/24
!
ip prefix-list block seq 5 deny 0.0.0.0/0 ge 1
!
ip prefix-list default seq 5 permit 0.0.0.0/0
route-map WAN_OUT permit 10
match as-path 10
!
route-map AS_PREP permit 10
match ip address prefix-list LAN2
set as-path prepend 200 200 200 200 200
!
route-map AS_PREP permit 20
ip route 0.0.0.0 0.0.0.0 172.16.1.1 name Default
interface GigabitEthernet0/0
description ISP-2 Link
ip address 192.168.30.3 255.255.255.0 secondary
ip address 192.168.10.3 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
standby 1 ip 192.168.10.1
standby 1 timers 5 15
standby 1 preempt
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0/1
description *** Connected to LAN ***
ip address 172.16.100.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
duplex auto
speed auto
no cdp enable
Regards
JN
03-01-2016 05:42 AM
Hello JN,
>>
We are advertising two pools on these links, 192.168.10.0/24 from one ISP and 192.168.30.0/24 from the other ISP.
A couple of days back we experienced a problem during an outage of the ISP-1 link. We were not able to access the pool advertised on ISP-1. Failover to the second ISP also did not happen.
>>
The first and most important question is the following:
Are the IP prefixes 192.168.10.0/24 owned by ISP1 and 192.168.30.0/24 owned by ISP2?
I mean has your company received two address blocks that belong to respective ISPs?
If so, ISP1 and ISP2 need to make a special agreement to cover the fault cases, because normally an ISP does not expect or accept that one address block it owns is advertised by another ISP.
Things are different if your company owns its own address space and this address space is made of 192.168.10.0/24 and 192.168.30.0/24. (I'm considering these two private IP addresses as placeholders for the real public IP addresses.)
Hope to help
Giuseppe
03-01-2016 06:29 AM
Hi Giuseppe
I have never worked for an ISP, so just for my own information: do they usually agree to do this sort of thing, i.e. advertise out a block that is not owned by them?
Obviously it breaks their summarisation further upstream, so are they reluctant to do it, is there a cost involved, and will they only consider it for /24's or greater?
Jon
03-01-2016 07:12 AM
ISPs will advertise blocks owned by another ISP. You just have to ask them to do it and submit documents confirming you are using a block from another ISP.
Also, ISPs will only accept /24 or larger blocks.
03-01-2016 07:14 AM
Thanks.
Jon
03-02-2016 08:49 PM
Hi Friends,
You are right! Both the IP pools 192.168.10.0 and 192.168.30.0 are owned by our company only and not provided by any of the ISPs.
Anyway, it seems we deviated from the issue here. Please suggest as requested.
Rgds
JN
03-03-2016 02:32 AM
It's not clear what all your configuration is doing.
At the moment each router sends a default route to the other router via BGP, but on both routers you also have static default routes configured which will override the BGP ones.
The next hop IP of those static routes is 172.16.1.1 on both routers, which is the CE outside interface to ISP1. Is that a typo?
Note also ISP2 does not have the full BGP routing table so it may be that if you were trying to access from a client on the internet that ISP2 did not have a route for it would then use its static default route pointing to the other CE.
In which case you have a routing loop.
Difficult to say what happened without more details, but there are certainly some things in the configuration that are confusing, especially the static default routes.
What does a "sh ip bgp neigh <ISP IP > advertised-routes" show on each CE device?
What does a "sh ip route 0.0.0.0 0.0.0.0" show on each CE device?
Jon
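An added example (not part of any post in this thread): a small Python check over the interface and static-route lines of the two posted configurations, flagging a static default route whose next hop is the router's own address or lies outside every connected subnet. The router labels CE-ISP1 and CE-ISP2 and the function names are assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed sample: only the interface-address and static-route lines
# from the two CE configurations posted in this thread.
# The labels CE-ISP1 / CE-ISP2 are assumed names, not from the posts.
CE_CONFIGS = {
    "CE-ISP1": """
interface GigabitEthernet0/0
 ip address 172.16.1.1 255.255.255.252
interface GigabitEthernet0/1
 ip address 192.168.30.2 255.255.255.0 secondary
 ip address 192.168.10.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 172.16.1.1 name ISP-1
""",
    "CE-ISP2": """
interface GigabitEthernet0/0
 ip address 192.168.30.3 255.255.255.0 secondary
 ip address 192.168.10.3 255.255.255.0
interface GigabitEthernet0/1
 ip address 172.16.100.2 255.255.255.252
ip route 0.0.0.0 0.0.0.0 172.16.1.1 name Default
""",
}

ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)", re.M)
DEFAULT_RE = re.compile(r"^\s*ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", re.M)


def check_static_defaults(config):
    """Return one (next_hop, verdict) pair per static default route."""
    ifaces = [ipaddress.ip_interface(f"{a}/{m}") for a, m in ADDR_RE.findall(config)]
    findings = []
    for hop in DEFAULT_RE.findall(config):
        nh = ipaddress.ip_address(hop)
        if any(nh == i.ip for i in ifaces):
            findings.append((hop, "next hop is this router's own interface address"))
        elif any(nh in i.network for i in ifaces):
            findings.append((hop, "ok: next hop is on a connected subnet"))
        else:
            findings.append((hop, "next hop is not on any connected subnet"))
    return findings


def audit(configs):
    """Run the static-default check over every router's configuration."""
    return {name: check_static_defaults(cfg) for name, cfg in configs.items()}


if __name__ == "__main__":
    for router, findings in audit(CE_CONFIGS).items():
        for hop, verdict in findings:
            print(f"{router}: default via {hop}: {verdict}")
```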
03-01-2016 08:02 AM
Hello Jon,
I agree with Pashtet13, it is the multi-homed customer that makes agreements with the two ISPs to have them accept each other's /24 address blocks.
You can expect the two ISPs to have a peering session between them, and in case of fault the missing address block starts to be received over the peering session with the other ISP.
For this reason agreements are needed.
Hope to help
Giuseppe
03-01-2016 08:13 AM
Giuseppe
Thanks for that. Like I say, I was just wondering how easy it was to get ISPs to agree to this, and it sounds like it is not actually that much of a problem.
Jon