
BGP Failover Setup

AA26
Level 1

Networkers, I need your help.

2921 - Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(4)M4, RELEASE SOFTWARE (fc2)

 

IP Addressing Details:

Primary P2P: 10.93.206.116/30
Backup P2P: 10.93.249.68/30
Static IP Pool : 10.93.249.72/29

 

Below is the topology we are using. We have 2 links coming from the ISP, primary and backup. From the MC they terminate on a switch, and from the switch they go to the router. In the current scenario we are not using anything for auto-failover; we use only 1 link at a time. So if the primary goes down we remove that cable from fa1/0/3 and plug the backup link cable, which is also from the same ISP, into the same switch port. Then we have to call the ISP to map our primary link IPs and static IPs to the backup link. We don't have to change anything on our side, neither in the router nor in the switch, other than swapping cables, but the ISP takes time to do the switching from their side.

 

So we have planned to configure BGP to set up auto-failover between our primary and backup links. After contacting the ISP they provided us with a BGP configuration. So I have plugged both the primary and backup links into the switch and used that BGP configuration on the router, but auto-failover is still not working. I am sharing the current router config.

 

I need your help to set up this auto-failover. Please guide me on what other changes I have to make.

 

I hope I have explained it properly. Please let me know if anything is unclear and I'll do my best to clear it up. Thank you.

 

 

[Topology diagram]

6 Replies

Hello,

 

a simple failover config would look like below (additions marked with -->):

 

interface GigabitEthernet0/0
description *** INSIDE INTERFACE ***
ip address 172.25.17.10 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description *** Broadband Internet ***
no ip address
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1.100
description **** CNET OUTSIDE INTERFACE (PRI) ***
encapsulation dot1Q 100
ip address 10.93.206.118 255.255.255.252
ip access-group anti-spoof in
ip flow egress
ip nat outside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.200
description **** OUTSIDE INTERFACE (BACKUP) ***
encapsulation dot1Q 200
ip address 10.93.249.70 255.255.255.252
ip access-group anti-spoof in
ip flow egress
ip nat outside
ip virtual-reassembly in
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
! ===================== NEWLY ADDED BGP CONFIG ============================
router bgp 12345
bgp log-neighbor-changes
neighbor 10.93.206.117 remote-as 56789
neighbor 10.93.206.117 description "eBGP-Primary"
neighbor 10.93.206.117 version 4
neighbor 10.93.206.117 timers 10 30
! fall-over is a per-session neighbor command, so it goes here rather than under the address-family
--> neighbor 10.93.206.117 fall-over route-map eBGP-PRIMARY-FAILOVER-RM
neighbor 10.93.249.69 remote-as 38193
neighbor 10.93.249.69 description "eBGP-Backup"
neighbor 10.93.249.69 version 4
neighbor 10.93.249.69 timers 10 30
--> neighbor 10.93.249.69 fall-over route-map eBGP-BACKUP-FAILOVER-RM
!
address-family ipv4
network 10.93.249.72 mask 255.255.255.248
neighbor 10.93.206.117 activate
neighbor 10.93.206.117 soft-reconfiguration inbound
neighbor 10.93.206.117 route-map in-peer-DO in
neighbor 10.93.206.117 route-map out-peer-DO out
neighbor 10.93.249.69 activate
neighbor 10.93.249.69 soft-reconfiguration inbound
neighbor 10.93.249.69 route-map in-peer-DO-bkp in
neighbor 10.93.249.69 route-map out-peer-DO out
exit-address-family
! =========================================================================
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
ip flow-top-talkers
top 50
sort-by bytes
cache-timeout 60000
!
--> ip prefix-list PRIMARY-ISP-PL seq 5 permit 10.93.206.117/32
--> ip prefix-list BACKUP-ISP-PL seq 5 permit 10.93.249.69/32
!
--> route-map eBGP-PRIMARY-FAILOVER-RM permit 10
--> match ip address prefix-list PRIMARY-ISP-PL
!
--> route-map eBGP-BACKUP-FAILOVER-RM permit 10
--> match ip address prefix-list BACKUP-ISP-PL
!
ip nat inside source list NAT-Overload interface GigabitEthernet0/1.100 overload
ip nat inside source static 172.25.18.18 10.93.249.74
ip nat inside source static 172.25.18.50 10.93.249.75
ip nat inside source static 172.25.18.15 10.93.249.76
ip route 0.0.0.0 0.0.0.0 10.93.206.117
ip route 172.25.0.0 255.255.0.0 172.25.17.1
!
ip access-list standard NAT-Overload
permit 172.25.16.0 0.0.0.255
permit 172.25.17.0 0.0.0.255
permit 172.25.18.0 0.0.0.255
permit 172.25.20.0 0.0.0.255
permit 172.25.21.0 0.0.0.255
!
ip access-list extended anti-spoof
permit tcp any host 10.93.206.118 eq 22
deny udp any any eq netbios-ns
deny udp any any eq netbios-dgm
deny tcp any any eq 22
deny tcp any any eq 137
deny tcp any any eq 139
deny udp any any eq ntp
permit ip host 1.1.1.1 any
permit ip host 2.2.2.2 any
permit udp any any range 10000 20000
deny ip any host 10.93.249.74
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
permit udp any any
permit ip any any
!
!
! ===================== NEWLY ADDED BGP CONFIG ============================
ip prefix-list in-peer-DO seq 10 permit 0.0.0.0/0
!
ip prefix-list out-peer-DO seq 10 permit 10.93.249.72/29
access-list 100 permit ip any any
!
route-map out-peer-DO-bkup permit 10
match ip address prefix-list out-peer-DO
set metric 100
!
route-map in-peer-DO-bkp permit 10
match ip address prefix-list in-peer-DO
set local-preference 150
!
route-map out-peer-DO permit 10
match ip address prefix-list out-peer-DO
!
! the primary neighbor applies in-peer-DO inbound; the listing defined this map as in-peer-TWA
route-map in-peer-DO permit 10
match ip address prefix-list in-peer-DO
set local-preference 200

AA26
Level 1

Thank you, Pauwen, for replying.

 

So what will happen with the static routes and NAT that are configured? Will there be no change in those?

ip nat inside source list NAT-Overload interface GigabitEthernet0/1.100 overload
ip nat inside source static 172.25.18.18 10.93.249.74
ip nat inside source static 172.25.18.50 10.93.249.75
ip nat inside source static 172.25.18.15 10.93.249.76
ip route 0.0.0.0 0.0.0.0 10.93.206.117

Hello,

 

What are the static NAT entries referring to? Will they change when the backup link is active? Also, where does the default route point to, and does that change when the failover occurs?

 

ip nat inside source list NAT-Overload interface GigabitEthernet0/1.100 overload
ip nat inside source static 172.25.18.18 10.93.249.74
ip nat inside source static 172.25.18.50 10.93.249.75
ip nat inside source static 172.25.18.15 10.93.249.76
ip route 0.0.0.0 0.0.0.0 10.93.206.117

AA26
Level 1

Hi,

1) What are the static NAT entries referring to? They refer to servers in the LAN, where the servers have local IPs, e.g. 172.25.18.18.

2) Will they change when the backup link is active? No, they do not change.

3) Also, where does the default route point to, and does that change when the failover occurs? The default route points to the primary link ISP-side interface IP address (p2p). We were using this before BGP. Do we really need this static route entry when configuring BGP fail-over? Because if the primary is down then this static route would be of no use, right?

 

ip nat inside source list NAT-Overload interface GigabitEthernet0/1.100 overload
! the next three entries point to servers in the LAN
ip nat inside source static 172.25.18.18 10.93.249.74
ip nat inside source static 172.25.18.50 10.93.249.75
ip nat inside source static 172.25.18.15 10.93.249.76
! 10.93.206.117 is the primary link ISP-side interface IP address
ip route 0.0.0.0 0.0.0.0 10.93.206.117

 

ISP Primary Link P2P
ISP side 10.93.206.117 <----------------> Our Router WAN Interface 10.93.206.118

ISP Backup Link P2P
ISP side 10.93.249.69 <----------------> Our Router WAN Interface 10.93.249.70

 

So what do you suggest? Do we need to make any changes in NAT? And I think the static route entry should be removed as BGP will take over, isn't it?

 

Thank you.

Hello,

 

if the static NAT entries do not change, regardless of which ISP is active, then leave them as is.

 

Whether or not you need the static route entry depends on what you get from your ISPs. If they send a default route, you can remove the static route. If not, leave it in there and add a second one with a higher administrative distance.

 

So the entire configuration would look like this (additions marked with -->):

 

--> track 1 ip sla 1
!
interface GigabitEthernet0/0
description *** INSIDE INTERFACE ***
ip address 172.25.17.10 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description *** Broadband Internet ***
no ip address
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1.100
description **** CNET OUTSIDE INTERFACE (PRI) ***
encapsulation dot1Q 100
ip address 10.93.206.118 255.255.255.252
ip access-group anti-spoof in
ip flow egress
ip nat outside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.200
description **** OUTSIDE INTERFACE (BACKUP) ***
encapsulation dot1Q 200
ip address 10.93.249.70 255.255.255.252
ip access-group anti-spoof in
ip flow egress
ip nat outside
ip virtual-reassembly in
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
! ===================== NEWLY ADDED BGP CONFIG ============================
router bgp 12345
bgp log-neighbor-changes
neighbor 10.93.206.117 remote-as 56789
neighbor 10.93.206.117 description "eBGP-Primary"
neighbor 10.93.206.117 version 4
neighbor 10.93.206.117 timers 10 30
! fall-over is a per-session neighbor command, so it goes here rather than under the address-family
--> neighbor 10.93.206.117 fall-over route-map eBGP-PRIMARY-FAILOVER-RM
neighbor 10.93.249.69 remote-as 38193
neighbor 10.93.249.69 description "eBGP-Backup"
neighbor 10.93.249.69 version 4
neighbor 10.93.249.69 timers 10 30
--> neighbor 10.93.249.69 fall-over route-map eBGP-BACKUP-FAILOVER-RM
!
address-family ipv4
network 10.93.249.72 mask 255.255.255.248
neighbor 10.93.206.117 activate
neighbor 10.93.206.117 soft-reconfiguration inbound
neighbor 10.93.206.117 route-map in-peer-DO in
neighbor 10.93.206.117 route-map out-peer-DO out
neighbor 10.93.249.69 activate
neighbor 10.93.249.69 soft-reconfiguration inbound
neighbor 10.93.249.69 route-map in-peer-DO-bkp in
neighbor 10.93.249.69 route-map out-peer-DO out
exit-address-family
! =========================================================================
!
--> ip sla 1
--> icmp-echo 10.93.206.117 source-ip 10.93.206.118
--> frequency 3
!
--> ip sla schedule 1 start-time now life forever
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
ip flow-top-talkers
top 50
sort-by bytes
cache-timeout 60000
!
--> ip prefix-list PRIMARY-ISP-PL seq 5 permit 10.93.206.117/32
--> ip prefix-list BACKUP-ISP-PL seq 5 permit 10.93.249.69/32
!
--> route-map eBGP-PRIMARY-FAILOVER-RM permit 10
--> match ip address prefix-list PRIMARY-ISP-PL
!
--> route-map eBGP-BACKUP-FAILOVER-RM permit 10
--> match ip address prefix-list BACKUP-ISP-PL
!
ip nat inside source list NAT-Overload interface GigabitEthernet0/1.100 overload
ip nat inside source static 172.25.18.18 10.93.249.74
ip nat inside source static 172.25.18.50 10.93.249.75
ip nat inside source static 172.25.18.15 10.93.249.76
--> ip route 0.0.0.0 0.0.0.0 10.93.206.117 track 1
--> ip route 0.0.0.0 0.0.0.0 10.93.249.69 200
ip route 172.25.0.0 255.255.0.0 172.25.17.1
!
ip access-list standard NAT-Overload
permit 172.25.16.0 0.0.0.255
permit 172.25.17.0 0.0.0.255
permit 172.25.18.0 0.0.0.255
permit 172.25.20.0 0.0.0.255
permit 172.25.21.0 0.0.0.255
!
ip access-list extended anti-spoof
permit tcp any host 10.93.206.118 eq 22
deny udp any any eq netbios-ns
deny udp any any eq netbios-dgm
deny tcp any any eq 22
deny tcp any any eq 137
deny tcp any any eq 139
deny udp any any eq ntp
permit ip host 1.1.1.1 any
permit ip host 2.2.2.2 any
permit udp any any range 10000 20000
deny ip any host 10.93.249.74
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
permit udp any any
permit ip any any
!
!
! ===================== NEWLY ADDED BGP CONFIG ============================
ip prefix-list in-peer-DO seq 10 permit 0.0.0.0/0
!
ip prefix-list out-peer-DO seq 10 permit 10.93.249.72/29
access-list 100 permit ip any any
!
route-map out-peer-DO-bkup permit 10
match ip address prefix-list out-peer-DO
set metric 100
!
route-map in-peer-DO-bkp permit 10
match ip address prefix-list in-peer-DO
set local-preference 150
!
route-map out-peer-DO permit 10
match ip address prefix-list out-peer-DO
!
! the primary neighbor applies in-peer-DO inbound; the listing defined this map as in-peer-TWA
route-map in-peer-DO permit 10
match ip address prefix-list in-peer-DO
set local-preference 200
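As an added check (example code written for this page, not from the thread or from Cisco): a small Python lint pass over an IOS config excerpt that catches the kind of slips visible in the listings above, a route-map applied to a neighbor but never defined, a route-map defined but applied nowhere, and a neighbor address that is the network or broadcast address of the interface's /30. The sample config embedded in it is constructed from the thread's listing and keeps those slips on purpose.

```python
import ipaddress
import re

# Constructed sample modelled on the thread's listing (not the router's full config).
# It keeps the slips seen there: in-peer-DO referenced but only in-peer-TWA defined,
# out-peer-DO-bkup defined but never applied, backup neighbor typed as .68 (the /30's network address).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1.100
 ip address 10.93.206.118 255.255.255.252
interface GigabitEthernet0/1.200
 ip address 10.93.249.70 255.255.255.252
router bgp 12345
 neighbor 10.93.249.68 fall-over route-map eBGP-BACKUP-FAILOVER-RM
 address-family ipv4
  neighbor 10.93.206.117 route-map in-peer-DO in
  neighbor 10.93.206.117 route-map out-peer-DO out
  neighbor 10.93.249.69 route-map in-peer-DO-bkp in
  neighbor 10.93.249.69 route-map out-peer-DO out
route-map out-peer-DO-bkup permit 10
route-map in-peer-DO-bkp permit 10
route-map out-peer-DO permit 10
route-map in-peer-TWA permit 10
route-map eBGP-BACKUP-FAILOVER-RM permit 10
"""

ADDR_RE = re.compile(r"ip address (\S+) (\S+)$")
NEIGHBOR_RE = re.compile(r"neighbor (\S+) (?:fall-over )?route-map (\S+)")
DEFINE_RE = re.compile(r"route-map (\S+) (?:permit|deny)")

def lint_bgp_config(cfg):
    """Return a list of findings (strings) for an IOS config excerpt."""
    referenced, defined, neighbors, nets = set(), set(), set(), []
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := ADDR_RE.match(line):
            nets.append(ipaddress.ip_interface(f"{m[1]}/{m[2]}").network)
        elif m := NEIGHBOR_RE.match(line):
            neighbors.add(m[1])
            referenced.add(m[2])
        elif m := DEFINE_RE.match(line):
            defined.add(m[1])
    findings = []
    for name in sorted(referenced - defined):
        findings.append(f"route-map {name} is applied to a neighbor but never defined")
    for name in sorted(defined - referenced):
        findings.append(f"route-map {name} is defined but applied to no neighbor")
    for addr in sorted(neighbors, key=ipaddress.ip_address):
        ip = ipaddress.ip_address(addr)
        if any(ip in (n.network_address, n.broadcast_address) for n in nets):
            findings.append(f"neighbor {addr} is the network/broadcast address of its /30, no host can own it")
    return findings
```

Run it against the real running-config (the regexes only look at `ip address`, `neighbor ... route-map` and `route-map` lines) to get the same three classes of finding before the next change window.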

 

 

Hello
Your BGP configuration looks very convoluted for a single rtr with dual peering. I see you're using MED/local preference attributes, which really aren't applicable; weight and AS-path prepending would be more beneficial in this instance.

Can you elaborate on why you are using a static default route when you have BGP enabled, and also advertising certain prefixes to either ISP instead of advertising them all to both ISP rtrs and using the BGP attributes to traffic engineer the egress/ingress paths?

Lastly, I would suspect that all rtrs now are route-refresh capable, which assists greatly in saving rtr resources for BGP prefix advertising, so you wouldn't need to use the soft-inbound command, which is high on rtr resources such as CPU/memory.

The example below will prefer neighbour 10.93.206.117 as the egress/ingress for BGP traffic. This can obviously be tweaked to accommodate additional preferences you require, and lastly it will stop your WAN rtr from being a transit path between the two ISPs by only advertising locally originated routes:

! ^$ matches an empty AS path, i.e. only prefixes this router originated itself
ip as-path access-list 10 permit ^$
!
route-map prepend permit 10
set as-path prepend 12345 12345 12345
!
router bgp 12345
no neighbor 10.93.206.117 fall-over route-map eBGP-PRIMARY-FAILOVER-RM
no neighbor 10.93.249.69 fall-over route-map eBGP-BACKUP-FAILOVER-RM
address-family ipv4
no neighbor 10.93.206.117 soft-reconfiguration inbound
no neighbor 10.93.206.117 route-map in-peer-DO in
no neighbor 10.93.206.117 route-map out-peer-DO out
no neighbor 10.93.249.69 soft-reconfiguration inbound
no neighbor 10.93.249.69 route-map in-peer-DO-bkp in
no neighbor 10.93.249.69 route-map out-peer-DO out
! weight is local to this router and is the first step of the best-path decision
neighbor 10.93.206.117 weight 50000
neighbor 10.93.206.117 filter-list 10 out
neighbor 10.93.249.69 weight 20000
neighbor 10.93.249.69 filter-list 10 out
! prepending toward the backup ISP makes our prefix look longer from that side
neighbor 10.93.249.69 route-map prepend out
exit-address-family



Kind Regards
Paul
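As an added illustration (constructed example, not the thread's configuration or Cisco code): a simplified model of the IOS BGP best-path comparison for the two-peer case above. It shows that weight alone decides the egress peer, that the backup is used once the primary path disappears, that a prepended AS path loses when the earlier steps tie, and that MED is ignored between paths from two different neighbor ASes unless always-compare-med is on. Path attributes and MED values are constructed.

```python
from dataclasses import dataclass

# Constructed model, not a router's RIB: the eBGP-relevant subset of the IOS
# best-path decision order (weight, local-pref, AS-path length, MED, tie-break).

@dataclass
class Path:
    neighbor: str          # peer address the route was learned from
    neighbor_as: int       # peer's AS number
    weight: int = 0        # Cisco-local, highest wins, never leaves this router
    local_pref: int = 100  # highest wins
    as_path: tuple = ()    # shortest wins
    med: int = 0           # lowest wins, but only against the same neighbor AS

def better(a, b, always_compare_med=False):
    """True if path a beats path b under the simplified IOS ordering."""
    if a.weight != b.weight:
        return a.weight > b.weight
    if a.local_pref != b.local_pref:
        return a.local_pref > b.local_pref
    if len(a.as_path) != len(b.as_path):
        return len(a.as_path) < len(b.as_path)
    # IOS compares MED only between paths from the same neighboring AS unless
    # "bgp always-compare-med" is set; the two ISPs in the thread are different ASes.
    if (a.neighbor_as == b.neighbor_as or always_compare_med) and a.med != b.med:
        return a.med < b.med
    # remaining IOS steps (oldest path, router-id, ...) collapsed to lowest neighbor address
    return tuple(map(int, a.neighbor.split("."))) < tuple(map(int, b.neighbor.split(".")))

def best_path(paths, always_compare_med=False):
    """Pick the winner among candidate paths for one prefix; None if there are none."""
    best = None
    for p in paths:
        if best is None or better(p, best, always_compare_med):
            best = p
    return best

def chosen_neighbor(paths, **kw):
    b = best_path(paths, **kw)
    return None if b is None else b.neighbor

# Default route as received from the two peers in the thread, with the weights
# from the reply above applied (constructed values).
PRIMARY = Path("10.93.206.117", 56789, weight=50000, as_path=(56789,))
BACKUP = Path("10.93.249.69", 38193, weight=20000, as_path=(38193,))
# The same two paths with no weight set and only constructed MED values.
PRIMARY_MED = Path("10.93.206.117", 56789, as_path=(56789,), med=200)
BACKUP_MED = Path("10.93.249.69", 38193, as_path=(38193,), med=100)
```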