04-07-2020 08:52 AM
We are attempting to peer with two ISPs between two local routers and need to know how to prefer a single connection for both inbound and outbound traffic over the backup ISP. Based on my research it appears this is done through local preference and as-path manipulation, but I need to confirm.
04-07-2020 08:55 AM
As long as you have an IBGP connection between your local routers then yes that is exactly how you do it.
Jon
04-07-2020 09:05 AM
What would be the configuration for the backup router? This is what I have so far.
neighbor 1.1.1.1 route-map AS-11-INCOMING in
neighbor 1.1.1.1 route-map AS-11-OUTGOING out
ip as-path access-list 1 permit ^11$
access-list 10 permit 2.2.2.0 0.0.0.255
route-map AS-11-INCOMING permit 10
 match as-path 1
 set local-preference 150
route-map AS-11-OUTGOING permit 10
 set as-path prepend 12 12 12
route-map AS-11-OUTGOING permit 20
 match ip address 10
04-07-2020 12:09 PM - edited 04-07-2020 01:33 PM
Also, does the subnet used for the iBGP connection need to be able to route across the Internet, or can it be 1918 address space? Does the /24 we have need a /30 carved out for that connection?
04-08-2020 01:50 AM
You can use private addressing for the IBGP peering.
It's not clear from your posted configuration how this is set up, but basically on the backup router you would use local preference and apply it to the routes received from the primary router so they are preferred rather than the routes received from the ISP.
And also on the backup router you would do the AS path prepending.
Jon
04-08-2020 01:04 AM
If I understood correctly, your eBGP neighbor is in AS 11, so the route-map could look like:
route-map AS-11-INCOMING permit 10
 set local-preference 150
So that all prefixes coming from your primary ISP will have a LOCAL-PREF value of 150, which will be the preferable path over your backup ISP with the default LOCAL-PREF value of 100.
On the backup router the route-map would be:
route-map AS-11-OUTGOING permit 10
 match ip address 10
 set as-path prepend 12 12 12
no route-map AS-11-OUTGOING permit 20
effectively making the path longer (less preferable) than the primary, which is sending prefixes without prepend. The above route-map will prepend only subnet 2.2.2.0/24 towards the backup ISP.
04-08-2020 02:02 AM - edited 04-08-2020 02:06 AM
Hello
In your example you don't have any iBGP peering; you are only allowing the local-preference path attribute to be set for prefixes originating from ASN 11.
As stated by Jon, when you have two WAN rtrs peering with two ISPs, you need an internal BGP peering between the two WAN rtrs to provide resiliency towards either ISP. However, you also need to make sure you don't become a transit path for these ISPs, so you can use various path attributes such as local-preference, as-path filtering and prepending for path manipulation and filtering.
Below is a basic example that only advertises locally originated routes to either ISP from both of your sites' WAN rtrs, and makes your primary WAN rtr the preferred path for all ingress/egress traffic.
no neighbor 1.1.1.1 route-map AS-11-INCOMING in
no neighbor 1.1.1.1 route-map AS-11-OUTGOING out
no route-map AS-11-INCOMING
no ip as-path access-list 1 permit ^11$
no route-map AS-11-OUTGOING permit 20
no access-list 10 permit 2.2.2.0 0.0.0.255
Primary router
ip as-path access-list 1 permit ^$
router bgp 12
 bgp default local-preference 50000
 neighbor (ISP1) remote-as XX
 neighbor (ISP1) filter-list 1 out
 neighbor (Backup router) remote-as 12
Backup router
ip as-path access-list 1 permit ^$
route-map AS-11-OUTGOING permit
 set as-path prepend 12 12 12
router bgp 12
 bgp default local-preference 10000
 neighbor (ISP2) remote-as XX
 neighbor (ISP2) filter-list 1 out
 neighbor (ISP2) route-map AS-11-OUTGOING out
 neighbor (primary router) remote-as 12
04-08-2020 02:49 AM
Hi,
If I understood correctly, you have two ISPs, and you want to have both ingress/egress traffic over the backup ISP, correct? What is your current BGP configuration, can you post it, and what is your PI public space? Are both BGP peerings with the ISPs on the same router of yours, or on multiple routers?
Regards,
Cristian Matei.
04-08-2020 06:44 AM - edited 04-08-2020 06:45 AM
That's correct. We have two local routers connected to two different ISPs, and we want to prefer one over the other for all traffic. Here is the current configuration:
PRIMARY ROUTER
router bgp 1111
 bgp log-neighbor-changes
 network 192.168.1.0 mask 255.255.255.0
 neighbor 1.1.1.2 remote-as 1111
 neighbor 1.1.1.2 description Router 2
 neighbor 1.1.1.2 next-hop-self
 neighbor 1.1.1.2 soft-reconfiguration inbound
 neighbor 3.3.3.3 remote-as 2222
 neighbor 3.3.3.3 description ISP 1
 neighbor 3.3.3.3 soft-reconfiguration inbound
 neighbor 3.3.3.3 route-map AS-2222-INCOMING in
 neighbor 3.3.3.3 route-map AS-2222-OUTGOING out
!
ip as-path access-list 1 permit ^$
!
access-list 10 permit 192.168.1.0 0.0.0.255
!
route-map AS-2222-INCOMING permit 10
 match as-path 1
 set local-preference 200
!
route-map AS-2222-OUTGOING permit 10
 match ip address 10
SECONDARY
router bgp 1111
 bgp log-neighbor-changes
 network 192.168.1.0 mask 255.255.255.0
 neighbor 1.1.1.1 remote-as 1111
 neighbor 1.1.1.1 description Router 1
 neighbor 1.1.1.1 next-hop-self
 neighbor 1.1.1.1 soft-reconfiguration inbound
 neighbor 4.4.4.4 remote-as 3333
 neighbor 4.4.4.4 description ISP 2
 neighbor 4.4.4.4 soft-reconfiguration inbound
 neighbor 4.4.4.4 route-map AS-3333-INCOMING in
 neighbor 4.4.4.4 route-map AS-3333-OUTGOING out
!
ip as-path access-list 1 permit ^$
!
access-list 10 permit 192.168.1.0 0.0.0.255
!
!
route-map AS-3333-INCOMING permit 10
 match as-path 1
 set local-preference 150
!
route-map AS-3333-OUTGOING permit 10
 match ip address 10
 set as-path prepend 1111 1111 1111
04-08-2020 11:24 AM
Hi,
That's the best thing you can do, config good.
Regards,
Cristian Matei.
04-08-2020 12:16 PM - edited 04-14-2020 06:39 AM
Hello
Two things to point out with your latest configuration:
router bgp xx
 neighbor 1.1.1.2 soft-reconfiguration inbound <--- I would suggest, if your rtr has the capability, removing this and utilizing route refresh instead; it would save the router processing the adj-rib-in table for ingress prefixes, especially if you're expecting a full internet table
ip as-path access-list 1 permit ^$
route-map AS-2222-INCOMING permit 10
 match as-path 1 <--- this regex value matches any prefixes that don't have an ASN value attached to them; it's usually used to only advertise locally originated routes towards your ISP, but you have it filtering ingress on routes advertised from your ISP. I would suggest again removing this as-path filter and either just having a catch-all statement for local preference on all incoming routes from your ISP, or amending it to allow just specific route(s)
04-09-2020 06:32 AM
We are only receiving a default route from our providers, instead of the full bgp table. As for the as path access list, is this what you're saying the config should be:
route-map AS-3333-INCOMING permit 10
 match as-path 1 <remove>
 set local-preference 150
route-map AS-3333-INCOMING permit 10
 set local-preference 150
04-09-2020 06:43 AM - edited 04-10-2020 02:08 AM
Hello
Yes, that is correct: remove it or change it to allow the default.
04-09-2020 09:28 AM
Hi,
If you want to allow only the default route and create a filter in case the ISP screws up:
ip as-path access-list 10 permit ^3333$
ip prefix-list DEFAULT_ROUTE permit 0.0.0.0/0
!
route-map AS-3333-INCOMING permit 10
 match ip address prefix-list DEFAULT_ROUTE
 match as-path 10
 set local-preference 150
Regards,
Cristian Matei.
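Added example, not part of the thread or any poster's configuration: a simplified Python model of route-map evaluation showing why `match as-path 1` with `^$` drops everything received from the ISP, what the final default-route filter accepts, and how `^$` outbound keeps the site from becoming transit. The sample routes, AS 64500 and the 203.0.113.0/24 prefix are constructed; only exact-match prefix-lists and plain regexes are modelled.

```python
import re
from ipaddress import ip_network

def apply_policy(clauses, route):
    """Simplified IOS route-map model: the first clause whose match lines ALL
    match wins; a route that matches no clause hits the implicit deny (None)."""
    for clause in clauses:
        prefix_ok = ("prefixes" not in clause
                     or ip_network(route["prefix"]) in clause["prefixes"])
        path_ok = ("as_path" not in clause
                   or re.search(clause["as_path"], route["as_path"]) is not None)
        if prefix_ok and path_ok:
            return {**route, **clause.get("set", {})}
    return None

def evaluate(clauses, routes):
    return [apply_policy(clauses, r) for r in routes]

# Inbound policy as first posted for ISP 2: as-path list 1 is ^$ (empty AS path).
INBOUND_ORIGINAL = [{"as_path": r"^$", "set": {"local_pref": 150}}]
# Inbound policy from the last reply: exact 0.0.0.0/0 AND AS path exactly 3333.
INBOUND_FILTERED = [{"prefixes": {ip_network("0.0.0.0/0")},
                     "as_path": r"^3333$", "set": {"local_pref": 150}}]
# Outbound ^$ filter: advertise only routes with an empty AS path (our own).
OUTBOUND_LOCAL_ONLY = [{"as_path": r"^$"}]

# Constructed sample routes as received from ISP 2 (AS 3333).
ISP2_ROUTES = [
    {"prefix": "0.0.0.0/0", "as_path": "3333"},          # expected default
    {"prefix": "203.0.113.0/24", "as_path": "3333"},     # unexpected more-specific
    {"prefix": "0.0.0.0/0", "as_path": "3333 64500"},    # default from beyond the ISP
]
# Constructed candidates for advertisement to an ISP.
OUTBOUND_CANDIDATES = [
    {"prefix": "192.168.1.0/24", "as_path": ""},         # locally originated
    {"prefix": "0.0.0.0/0", "as_path": "3333"},          # learned from the other ISP
]

if __name__ == "__main__":
    for name, policy, routes in [("original inbound", INBOUND_ORIGINAL, ISP2_ROUTES),
                                 ("filtered inbound", INBOUND_FILTERED, ISP2_ROUTES),
                                 ("outbound ^$", OUTBOUND_LOCAL_ONLY, OUTBOUND_CANDIDATES)]:
        for route, result in zip(routes, evaluate(policy, routes)):
            print(name, route["prefix"], repr(route["as_path"]), "->", result or "denied")
```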