BGP Failover

gjohnson1963
Level 1

I am running a multi-homed BGP setup with 2 different ISPs, each a full T1.

One is connected via serial, the other via Fast Ethernet.

The problem I am experiencing is that when I lose my Fast Ethernet connection through my ISP (ISPA), the BGP failover takes a long time and I lose access to the Internet, or if I connect it is very slow.

Here is my config; any suggestions?

!
interface FastEthernet0/0
 description connected to ISPA
 ip address 65.x.x.x.255.255.248
 ip access-group 150 out
 no ip route-cache
 duplex auto
 speed auto
 ntp disable
 no cdp enable
 no mop enabled
!
interface Serial0/0
 description connected to ISPB
 ip address 75.1.x.x.255.255.252
 ip access-group 150 out
 ntp disable
 fair-queue
 service-module t1 timeslots 1-24
 service-module t1 remote-alarm-enable
 no cdp enable
!
interface FastEthernet0/1
 description connected to Firewall
 ip address 201.x.x.x.255.255.0
 ip access-group 112 in
 no ip route-cache
 duplex auto
 speed auto
 ntp disable
 no cdp enable
 no mop enabled
!
router rip
 version 2
 network 206.x.x.0
 no auto-summary
!
router bgp 11111
 no synchronization
 bgp log-neighbor-changes
 bgp dampening
 network 201.x.x.0
 neighbor 85.x.x.9 remote-as 22222
 neighbor 85.x.x.9 ebgp-multihop 3
 neighbor 85.x.x.9 password xxx
 neighbor 85.x.x.9 filter-list 2 in
 neighbor 85.x.x.9 filter-list 3 out
 neighbor 75.x.x.237 remote-as 33333
 neighbor 75.x.x.237 filter-list 1 in
 neighbor 75.x.x.237 filter-list 3 out
 no auto-summary
!
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 0.0.0.0 0.0.0.0 65.1.1.41
ip route 85.1.x.x.x.255.255 65.1.1.41
!
ip as-path access-list 1 permit ^1239_[0-9]*$
ip as-path access-list 2 permit ^32654_[0-9]*$
ip as-path access-list 3 permit ^$
!
access-list 112 permit ip 201.1.1.0 0.0.0.255 any
access-list 112 deny ip any any log
access-list 150 permit ip 201.1.1.0 0.0.0.255 any
access-list 150 deny ip any any log
no cdp run

4 Replies

thisisshanky
Level 11

The question is how does your firewall know how to change the NAT pool (from provider A to provider B address space) when the Fast E goes out.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

johansens
Level 4

You are getting full BGP-tables from both ISPs? If so, you shouldn't use the "ip route 0.0.0.0 0.0.0.0" statements...

Depending on how your upstream providers are connected, there *will* be a slight delay for some connectivity to be restored..

What you could do is lower the BGP timers to make the BGP process pick up any connectivity trouble faster... this is especially important in EBGP multihop peerings...

Do like this:

!
router bgp 11111
 neighbor 85.1.1.9 timers 10 30
 neighbor 75.1.1.237 timers 10 30
!

This will make the BGP process send hellos every 10 seconds and have a hold-time of 30 seconds (instead of 60 and 180 seconds as default..). Many use 30 and 90 seconds...

You will have to reset the BGP-peering to make these parameters take effect (they are negotiated).

I see you are using BGP dampening.. you do know this could make some prefixes get shut out of the routing for some time.. Unless you are experiencing a lot of flapping on the routes and you are running as a transit provider, you should not have to run BGP dampening.. but if it's a matter of CPU on the router, then it could have some relevance..

And.. as this is an Internet-peering router.. you should absolutely check out this page:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_white_paper0900aecd802b8f21.shtml

Pay special attention to applying incoming ACLs etc.

If you get full BGP-tables from your ISPs, it could be advisable to set the 0.0.0.0/0 route to the Null0 interface... then any unusual scanning (on non-existing addresses) from your internal network would get Null0-routed (typically from worms/virii). Or you could send it to a sinkhole server to see exactly what this traffic is.. :)

It is pretty clear that the original poster is not receiving full BGP routes. The inbound prefix lists appear to be set up to receive prefixes originated at the ISP and one hop beyond the ISP and no others.

I very much agree with your comments questioning the configuration of dampening on the customer BGP router. Unless there is some specific reason to use this feature which the original poster may clarify, I would agree with you to suggest removing this from the configuration.

I believe that you are on the right track in commenting on the use of two static default routes. I believe this is the cause of his problems. In particular, with a static default route pointed to the ISP over the FastEthernet interface, that static route will only be removed from the routing table if the line protocol on the interface goes up/down, which is very unlikely to happen. So if there is a problem with the ISP over the FastEthernet, the default route will remain in the routing table and the router will continue to forward packets to it. The fact that the BGP routes learned from this provider will be withdrawn when the BGP timers expire does not change the fact that there will still be a default route in the routing table sending packets to the ISP which cannot receive them.

The most important thing the original poster can do is to change the static default routes. If they are learning default routes from both providers then the simple thing to do is to remove both static default routes. If for some reason they need the static default routes then they should look into using the new feature in IOS of Object Tracking. This link has some good material to start looking at this alternative:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5413/products_feature_guide09186a00801d862d.html

HTH

Rick

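The object-tracking alternative Rick mentions, written out as an added example (not configuration from this thread, from the original poster, or from the Cisco document linked above). It assumes an IOS release that accepts the "ip sla" and "track ... ip sla ... reachability" syntax (older releases use "ip sla monitor" and "track 1 rtr 1 reachability"); the probe target 65.1.1.41 is the ISPA next hop from the original config, and the probe frequency, timeout and track delays are assumed values to be tuned. The point it shows is the one in Rick's post: the FastEthernet default route is withdrawn when the probe through ISPA fails, not only when the interface line protocol drops, so the remaining default via Serial0/0 carries traffic until ISPA answers again.

```cisco
! Added example: conditional static default route via IP SLA object tracking.
! Assumes "ip sla" / "track ... ip sla" syntax (older IOS: "ip sla monitor",
! "track 1 rtr 1 reachability"). Timer values are assumptions, not from the thread.
!
! Probe the ISPA next hop every 10 seconds, sourced from the ISPA interface
! so the echo cannot leak out via Serial0/0. The target must answer ICMP.
ip sla 1
 icmp-echo 65.1.1.41 source-interface FastEthernet0/0
 frequency 10
 timeout 2000
!
ip sla schedule 1 life forever start-time now
!
! Track reachability of the probe. The delays hold the track state for a
! few probe cycles so a single lost echo does not flap the default route.
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! The ISPA default stays in the routing table only while track 1 is up;
! when the probe fails, the route is removed and only the Serial0/0
! default remains, so packets stop being forwarded toward a dead ISPA.
ip route 0.0.0.0 0.0.0.0 65.1.1.41 track 1
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
! To make ISPB backup-only rather than an equal-cost default, give its
! route a higher administrative distance instead, e.g.:
!   ip route 0.0.0.0 0.0.0.0 Serial0/0 10
```

Verify with "show track 1" and "show ip sla statistics 1", and watch "show ip route 0.0.0.0" while the probe target is unreachable: the 65.1.1.41 entry should disappear after the down delay and return after the up delay. Pinging the directly connected next hop only detects failures of the link and the adjacent ISP router; probing an address further into the provider (for example the multihop BGP peer, which already has a static host route via 65.1.1.41 in the original config) also catches an ISP that is up on the link but has lost its own upstream connectivity.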

Removing the default route on FastEthernet solved the problem.

Thanks

George
