
BGP Multihomed to Two ISPs Through Multiple Local Routers Question

Scott_22
Level 1

We are attempting to peer with two ISPs between two local routers and need to know how to prefer a single connection for both inbound and outbound traffic over the backup ISP. Based on my research it appears this is done through local preference and as-path manipulation, but I need to confirm.


Jon Marshall
Hall of Fame

 

As long as you have an IBGP connection between your local routers then yes that is exactly how you do it. 

 

Jon

What would be the configuration for the backup router? This is what I have so far.

 

neighbor 1.1.1.1 route-map AS-11-INCOMING in
neighbor 1.1.1.1 route-map AS-11-OUTGOING out

 

ip as-path access-list 1 permit ^11$

 

access-list 10 permit 2.2.2.0 0.0.0.255

 

route-map AS-11-INCOMING permit 10
match as-path 1
set local-preference 150

 

route-map AS-11-OUTGOING permit 10
set as-path prepend 12 12 12

route-map AS-11-OUTGOING permit 20
match ip address 10

Also, does the subnet used for the iBGP connection need to be able to route across the Internet, or can it be 1918 address space? Does the /24 we have need a /30 carved out for that connection?

 

You can use private addressing for the IBGP peering. 

 

It's not clear from your posted configuration how this is set up, but basically on the backup router you would use local preference and apply it to the routes received from the primary router so they are preferred rather than the routes received from the ISP.

 

And also on the backup router you would do the AS path prepending. 

 

Jon

If I understood correctly your eBGP neighbor is in AS 11 then route-map could look like:

 

route-map AS-11-INCOMING permit 10
set local-preference 150

So that all prefixes coming from your primary ISP will have a LOCAL-PREF value of 150, which will be the preferable path over your backup ISP with the default LOCAL-PREF value of 100.

 

On backup router route-map would be:

 

route-map AS-11-OUTGOING permit 10
match ip address 10
set as-path prepend 12 12 12
no route-map AS-11-OUTGOING permit 20

effectively making the path longer (less preferable) than the primary, which is sending prefixes without prepend. The above route-map will prepend only subnet 2.2.2.0/24 towards the backup ISP.

 

Best regards,
Abzal

Hello

In your example you don’t have any iBGP peering; you are only setting the local-preference path attribute for prefixes originating from ASN 11.

 

As stated by Jon, when you have two WAN rtrs peering between two ISPs then you need an internal BGP peering between the two WAN rtrs so as to provide resiliency towards either ISP. However, you also need to make sure you don’t become a transit path for these ISPs, so you can use various path attributes such as local-preference, as-path filtering and prepending for path manipulation and filtering.

 

Below is a basic example only advertising locally originated routes to either ISP for both your sites' WAN rtrs, and making the primary WAN rtr the preferred path for all ingress/egress traffic.

 

no neighbor 1.1.1.1 route-map AS-11-INCOMING in
no neighbor 1.1.1.1 route-map AS-11-OUTGOING out
no route-map AS-11-INCOMING
no ip as-path access-list 1 permit ^11$
no route-map AS-11-OUTGOING permit 20
no access-list 10 permit 2.2.2.0 0.0.0.255

 

Primary router

ip as-path access-list 1 permit ^$

 

router bgp 12
bgp default local-preference 50000
neighbor (ISP1) remote-as XX
neighbor (ISP1) filter-list 1 out
neighbor (Backup router) remote-as 12

 


Backup router

ip as-path access-list 1 permit ^$

route-map AS-11-OUTGOING permit
set as-path prepend 12 12 12


router bgp 12
bgp default local-preference 10000
neighbor (ISP2) remote-as XX
neighbor (ISP2) filter-list 1 out
neighbor (ISP2) route-map AS-11-OUTGOING out
neighbor (primary router) remote-as 12

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Cristian Matei
VIP Alumni

Hi,

   

If I understood correctly, you have two ISPs, and you want to have both ingress/egress traffic over the backup ISP, correct? What is your current BGP configuration, can you post it, and what is your PI public space? Are both BGP peerings with the ISPs on the same router of yours, or on multiple routers?

 

Regards,

Cristian Matei.

That's correct. We have two local routers connected to two different ISPs, and we want to prefer one over the other for all traffic. Here is the current configuration:

 

PRIMARY ROUTER

router bgp 1111
bgp log-neighbor-changes
network 192.168.1.0 mask 255.255.255.0
neighbor 1.1.1.2 remote-as 1111
neighbor 1.1.1.2 description Router 2
neighbor 1.1.1.2 next-hop-self
neighbor 1.1.1.2 soft-reconfiguration inbound
neighbor 3.3.3.3 remote-as 2222
neighbor 3.3.3.3 description ISP 1
neighbor 3.3.3.3 soft-reconfiguration inbound
neighbor 3.3.3.3 route-map AS-2222-INCOMING in
neighbor 3.3.3.3 route-map AS-2222-OUTGOING out
!
ip as-path access-list 1 permit ^$
!
access-list 10 permit 192.168.1.0 0.0.0.255

!
route-map AS-2222-INCOMING permit 10
match as-path 1
set local-preference 200
!
route-map AS-2222-OUTGOING permit 10
match ip address 10

 

 

 

SECONDARY

router bgp 1111
bgp log-neighbor-changes
network 192.168.1.0 mask 255.255.255.0
neighbor 1.1.1.1 remote-as 1111
neighbor 1.1.1.1 description Router 1
neighbor 1.1.1.1 next-hop-self
neighbor 1.1.1.1 soft-reconfiguration inbound
neighbor 4.4.4.4 remote-as 3333
neighbor 4.4.4.4 description ISP 2
neighbor 4.4.4.4 soft-reconfiguration inbound
neighbor 4.4.4.4 route-map AS-3333-INCOMING in
neighbor 4.4.4.4 route-map AS-3333-OUTGOING out
!
ip as-path access-list 1 permit ^$
!
access-list 10 permit 192.168.1.0 0.0.0.255
!
!
route-map AS-3333-INCOMING permit 10
match as-path 1
set local-preference 150
!
route-map AS-3333-OUTGOING permit 10
match ip address 10
set as-path prepend 1111 1111 1111

 

Hi,

 

    That's the best thing you can do, config good.

 

Regards,

Cristian Matei.

Hello

Two things to point out with your latest configuration:

router bgp xx
neighbor 1.1.1.2 soft-reconfiguration inbound <--- I would suggest, if your rtr has the capability, remove this and utilize route refresh instead; it would save on router processing of the adj-rib-in table for ingress prefixes, especially if you're expecting a full internet table


ip as-path access-list 1 permit ^$


route-map AS-2222-INCOMING permit 10
match as-path 1 <--- this regex value is matching on any prefixes that don’t have an ASN value attached to them; it’s usually used to only advertise locally originated routes towards your ISP, but you have it to filter ingress on routes advertised from your ISP. Would suggest again to remove this as-path filter and just either have a catch-all statement for local preference on all incoming routes from your ISP or amend it to just allow specific route(s)



Kind Regards
Paul

We are only receiving a default route from our providers, instead of the full bgp table. As for the as path access list, is this what you're saying the config should be:

 

route-map AS-3333-INCOMING permit 10
match as-path 1 <remove>
set local-preference 150

 

route-map AS-3333-INCOMING permit 10
set local-preference 150

Hello

Yes, that is correct: remove it or change it to allow the default.



Kind Regards
Paul

Hi,

 

    If you want to allow only the default route and create a filter in case the ISP screws up:

 

ip as-path access-list 10 permit ^3333$

ip prefix-list DEFAULT_ROUTE permit 0.0.0.0/0

!

route-map AS-3333-INCOMING permit 10

 match ip address prefix-list DEFAULT_ROUTE

 match as-path 10

 set local-preference 150

 

Regards,

Cristian Matei.
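
An added example, not part of any post in this thread: a small Python model of route-map evaluation (first matching permit clause wins, implicit deny at the end) run over the inbound policies discussed above and the `^$` outbound filter that keeps the site from becoming transit. The sample routes, the 203.0.113.0/24 prefix, AS 64500 and all function and variable names are constructed for illustration, and only the two AS-path patterns used in the thread are modelled.

```python
import re
from ipaddress import ip_network

# Constructed sample routes: (prefix, AS path as seen by the secondary router).
DEFAULT_FROM_ISP2 = ("0.0.0.0/0", "3333")            # default route sent by ISP 2
EXTRA_FROM_ISP2 = ("203.0.113.0/24", "3333 64500")   # hypothetical unexpected prefix
LOCAL_NETWORK = ("192.168.1.0/24", "")               # locally originated, empty AS path
DEFAULT_VIA_ISP1 = ("0.0.0.0/0", "2222")             # ISP 1 default learned over iBGP

# Each policy is a list of permit clauses; a route matching none is denied.
INBOUND_POSTED = [{"as_path": r"^$", "set": {"local_pref": 150}}]
INBOUND_CATCH_ALL = [{"set": {"local_pref": 150}}]
INBOUND_DEFAULT_ONLY = [{"as_path": r"^3333$", "prefixes": ["0.0.0.0/0"],
                         "set": {"local_pref": 150}}]
OUTBOUND_LOCAL_ONLY = [{"as_path": r"^$", "set": {}}]  # filter-list 1 out


def clause_matches(route, clause):
    """Every match condition present in a clause must hold (logical AND)."""
    prefix, as_path = route
    if "as_path" in clause and not re.search(clause["as_path"], as_path):
        return False
    if "prefixes" in clause:
        allowed = [ip_network(p) for p in clause["prefixes"]]
        if ip_network(prefix) not in allowed:
            return False
    return True


def apply_policy(route, policy):
    """Return the first matching clause's set actions, or None for implicit deny."""
    for clause in policy:
        if clause_matches(route, clause):
            return clause["set"]
    return None


if __name__ == "__main__":
    inbound = {"posted (^$)": INBOUND_POSTED, "catch-all": INBOUND_CATCH_ALL,
               "default-only (^3333$)": INBOUND_DEFAULT_ONLY}
    for name, policy in inbound.items():
        for route in (DEFAULT_FROM_ISP2, EXTRA_FROM_ISP2):
            print(f"in  {name:22} {route[0]:15} -> {apply_policy(route, policy)}")
    for route in (LOCAL_NETWORK, DEFAULT_VIA_ISP1):
        print(f"out local-only (^$)       {route[0]:15} -> "
              f"{apply_policy(route, OUTBOUND_LOCAL_ONLY)}")
```

A result of `None` means the route is dropped by the implicit deny, which is what happens to the ISP's default route under the `^$` inbound match.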
