06-24-2005 01:13 PM - edited 03-03-2019 09:54 AM
I am running a multi-homed BGP setup with 2 different ISPs each a full T1.
One is connected via serial, the other is connected to the Fast Ethernet.
The problem I am experiencing is when I lose my Fast Ethernet Connection through my ISP (ISPA) the BGP failover takes a long time and I lose access to the Internet, or if I connect it is very slow.
Here is my config. Any suggestions?
!
interface FastEthernet0/0
description connected to ISPA
ip address 65.x.x.x.255.255.248
ip access-group 150 out
no ip route-cache
duplex auto
speed auto
ntp disable
no cdp enable
no mop enabled
!
interface Serial0/0
description connected to ISPB
ip address 75.1.x.x.255.255.252
ip access-group 150 out
ntp disable
fair-queue
service-module t1 timeslots 1-24
service-module t1 remote-alarm-enable
no cdp enable
!
interface FastEthernet0/1
description connected to Firewall
ip address 201.x.x.x.255.255.0
ip access-group 112 in
no ip route-cache
duplex auto
speed auto
ntp disable
no cdp enable
no mop enabled
!
router rip
version 2
network 206.x.x.0
no auto-summary
!
router bgp 11111
no synchronization
bgp log-neighbor-changes
bgp dampening
network 201.x.x.0
neighbor 85.x.x.9 remote-as 22222
neighbor 85.x.x.9 ebgp-multihop 3
neighbor 85.x.x.9 password xxx
neighbor 85.x.x.9 filter-list 2 in
neighbor 85.x.x.9 filter-list 3 out
neighbor 75.x.x.237 remote-as 33333
neighbor 75.x.x.237 filter-list 1 in
neighbor 75.x.x.237 filter-list 3 out
no auto-summary
!
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 0.0.0.0 0.0.0.0 65.1.1.41
ip route 85.1.x.x.x.255.255 65.1.1.41
!
ip as-path access-list 1 permit ^1239_[0-9]*$
ip as-path access-list 2 permit ^32654_[0-9]*$
ip as-path access-list 3 permit ^$
!
access-list 112 permit ip 201.1.1.0 0.0.0.255 any
access-list 112 deny ip any any log
access-list 150 permit ip 201.1.1.0 0.0.0.255 any
access-list 150 deny ip any any log
no cdp run
06-24-2005 01:48 PM
The question is how does your firewall know how to change the NAT pool (from provider A to provider B address space) when the Fast E goes out.
06-25-2005 06:55 AM
You are getting full BGP-tables from both ISPs? If so, you shouldn't use the "ip route 0.0.0.0 0.0.0.0" statements...
Depending on how your upstream providers are connected there *will* be a slight delay for some connectivity to be restored..
What you could do is lower the BGP-timers to make the BGP-process pick up any connectivity-trouble faster... this is especially important in EBGP multihop peerings...
do like this:
!
router bgp 11111
neighbor 85.1.1.9 timers 10 30
neighbor 75.1.1.237 timers 10 30
!
This will make the BGP-process do hellos every 10 seconds and have a hold-time of 30 seconds (instead of 60 and 180 seconds as default..). Many use 30 and 90 seconds...
You will have to reset the BGP-peering to make these parameters take effect (they are negotiated).
I see you are using BGP dampening.. you do know this could make some prefixes get shut out of the routing for some time.. Unless you are experiencing a lot of flapping on the routes and you are running as a transit provider, you should not have to run BGP dampening.. but if it's a matter of CPU on the router, then it could have some relevance..
And.. as this is an Internet-peering router.. you should absolutely check out this page:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_white_paper0900aecd802b8f21.shtml
Pay special attention to applying incoming ACLs etc.
If you get full BGP-tables from your ISPs, it could be advisable to set the 0.0.0.0/0 route to the Null0 interface... then any unusual scanning (on non-existing addresses) from your internal network would get Null0-routed (typically from worms/viruses). Or you could send it to a sinkhole server to see exactly what this traffic is.. :)
06-26-2005 04:04 AM
It is pretty clear that the original poster is not receiving full BGP routes. The inbound prefix lists appear to be set up to receive prefixes originated at the ISP and one hop beyond the ISP and no others.
I very much agree with your comments questioning the configuration of dampening on the customer BGP router. Unless there is some specific reason to use this feature which the original poster may clarify, I would agree with you to suggest removing this from the configuration.
I believe that you are on the right track in commenting on the use of two static default routes. I believe this is the cause of his problems. In particular, with a static default route pointed to the ISP over the FastEthernet interface, that static route will only be removed from the routing table if the line protocol on the interface goes up/down, which is very unlikely to happen. So if there is a problem with the ISP over the FastEthernet, the default route will remain in the routing table and the router will continue to forward packets to it. The fact that the BGP routes learned from this provider will be withdrawn when the BGP timers expire does not change the fact that there will still be a default route in the routing table sending packets to the ISP which can not receive them.
The most important thing the original poster can do is to change the static default routes. If they are learning default routes from both providers then the simple thing to do is to remove both static default routes. If for some reason they need the static default routes then they should look into using the new feature in IOS of Object Tracking. This link has some good material to start looking at this alternative:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5413/products_feature_guide09186a00801d862d.html
HTH
Rick
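The object-tracking alternative mentioned in the post above, sketched against the original poster's configuration. This is an added example, not part of the thread or of Cisco's feature guide: the SLA/track number 1 and the timer values are assumptions, it assumes 85.x.x.9 answers ICMP echo, and it uses current `ip sla` syntax (2005-era releases spell these `ip sla monitor` and `track 1 rtr 1 reachability`).

```cisco
! Added example. SLA/track number 1 and all timer values are assumptions.
! Probe the ISPA BGP peer. The page's existing host route for that peer
! via 65.1.1.41 keeps the probe on the ISPA path even after the default
! through ISPA has been withdrawn, so the track cannot recover through ISPB.
ip sla 1
 icmp-echo 85.x.x.9 source-interface FastEthernet0/0
 frequency 5
ip sla schedule 1 life forever start-time now
!
! Track object follows probe reachability; the delays damp brief flaps.
track 1 ip sla 1 reachability
 delay down 10 up 30
!
! Replace the untracked static default toward ISPA with a tracked one.
! It is installed only while track 1 is up.
no ip route 0.0.0.0 0.0.0.0 65.1.1.41
ip route 0.0.0.0 0.0.0.0 65.1.1.41 track 1
!
! Unchanged: the Serial0/0 default, which already leaves the table when
! the T1 line protocol goes down.
ip route 0.0.0.0 0.0.0.0 Serial0/0
```

`show track 1` and `show ip route 0.0.0.0` confirm whether the tracked default is currently installed.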
07-11-2005 03:43 AM
Removing the default route on FastEthernet solved the problem.
Thanks
George