02-02-2024 10:03 AM
Hello guys.
I have more experience in switching than in routing, so I have some doubts regarding BGP manipulation.
In the image attached, there is a diagram for any reference.
What I basically want to know is whether there is a way to force all Internet traffic that wants to reach the public subnet we are going to distribute in BGP to both ISPs to enter only through the first ISP (via router R1).
So let's say that currently, because of HSRP, all outbound traffic goes to R1 and uses ISP 1. But what about the reply traffic? If it enters via ISP 2, may that lead to asymmetric traffic? But even if it doesn't generate conflicts, how can we ensure that traffic always enters via ISP 1 and uses ISP 2 only as a backup / redundancy?
02-02-2024 10:10 AM
Hi @Fernando Hernández ,
Asymmetric traffic would not be an issue in this scenario, but if you want to make sure that traffic returns via ISP1, you can use BGP conditional advertisement to advertise your public subnet through ISP2 only if there is an ISP1 failure.
Please refer to the following document for more information on this feature.
https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/16137-cond-adv.html
Regards,
02-02-2024 02:10 PM
I read the document, and it seems to be a good fit to solve the scenario, because I have read that other options are usually not really ideal or useful.
02-02-2024 03:59 PM
@Harold Ritter's recommendation is probably the best. You really cannot guarantee what ISPs may do regarding how they choose to route to your network if they are allowed a CHOICE. What Harold suggests eliminates the ISPs having a choice.
02-02-2024 12:11 PM
If we are talking about the same prefixes advertised through both ISPs, it is just a matter of having an iBGP session between your two routers to make sure that you traverse the preferred ISP based on your LOCAL_PREF, and to make sure that traffic returns via the same ISP, you do AS-path prepending (2x your ASN) towards your ISP2.
02-02-2024 01:42 PM
Hi @Ruben Cocheno ,
Bear in mind that using AS path prepending might not be ideal in some scenarios, as some service providers will set a higher local preference on their customer routes than on their peering and transit routes. This will cause them to prefer the customer routes over any other routes even though they have a longer AS path.
The best way to make sure that all ingress traffic comes through the primary provider under normal conditions is to advertise to the secondary provider only if there is a failure with the primary provider. This is what BGP conditional advertisement is all about.
Regards,
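As an added illustration of the conditional advertisement approach recommended above (this is example configuration written for this thread, not a config posted by any participant or taken from the Cisco document), here is what R2's side could look like on IOS. All values are assumed: our AS 65000, ISP1 AS 65001, ISP2 AS 65002, our public prefix 198.51.100.0/24, ISP2 peer 203.0.113.2, R1 loopback 10.0.0.1, and 192.0.2.0/24 as a "witness" prefix that we learn only from ISP1.

```ios
! R2 (the router facing ISP2). Constructed example; all addresses and
! AS numbers are placeholders from the documentation ranges.
ip route 198.51.100.0 255.255.255.0 Null0
!
router bgp 65000
 bgp log-neighbor-changes
 network 198.51.100.0 mask 255.255.255.0
 ! iBGP to R1: R2 must learn the witness prefix 192.0.2.0/24 from R1
 ! over this session, because that is how R2 knows whether ISP1 is up.
 neighbor 10.0.0.1 remote-as 65000
 neighbor 10.0.0.1 update-source Loopback0
 ! eBGP to ISP2
 neighbor 203.0.113.2 remote-as 65002
 ! Advertise our public prefix to ISP2 ONLY while 192.0.2.0/24 is
 ! absent from the BGP table, i.e. only while ISP1 has failed.
 neighbor 203.0.113.2 advertise-map ADV-PUBLIC non-exist-map ISP1-WITNESS
 ! Egress: lower LOCAL_PREF on everything learned from ISP2 so both
 ! routers (via iBGP) prefer ISP1 under normal conditions.
 neighbor 203.0.113.2 route-map FROM-ISP2 in
!
ip prefix-list PUBLIC seq 5 permit 198.51.100.0/24
ip prefix-list ISP1-WITNESS seq 5 permit 192.0.2.0/24
!
route-map ADV-PUBLIC permit 10
 match ip address prefix-list PUBLIC
!
! The tracked prefix must be one that disappears when ISP1 fails:
! something learned only via ISP1 (e.g. a prefix ISP1 originates),
! never a default route or any prefix also reachable through ISP2.
route-map ISP1-WITNESS permit 10
 match ip address prefix-list ISP1-WITNESS
!
route-map FROM-ISP2 permit 10
 set local-preference 50
```

To confirm the current state, `show ip bgp neighbors 203.0.113.2 | include Condition-map` reports whether the advertise-map status is Withdraw (ISP1 up) or Advertise (ISP1 down); test it by actually shutting the ISP1 session in a maintenance window, since the page's last reply is right that convergence time on the ISP side is outside your control.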
02-24-2024 03:40 PM - edited 02-24-2024 03:47 PM
Traffic manipulation inside provider networks is a black box in general, and it is better to have it advertised, even "manipulated", as your backup plan, since you can validate/monitor it through ThousandEyes or other looking glass tooling; otherwise, with BGP conditional advertisement you can only validate when you need it, not to mention the propagation time required (depending on the ISP tier).
If you can accept downtime (?) during the transition (advertise + convergence) and want to use ISP1 without any doubt, then I agree with you that BGP conditional advertisement is likely the best option, with the caveats mentioned before.