05-01-2014 01:52 PM - edited 03-04-2019 10:53 PM
We are in the midst of finishing our BGP setup.
We are wanting to basically force all traffic to come in and go out on our Primary ISP unless it goes down.
What we have in place:
1 router (though we have a cold spare ready to swap to), BGP set up with 2 different ISPs
a Fiber pipeline 200meg up/down from ISP1 (primary)
and
2 x T1's from ISP 2 (Backup)
I haven't found a clear-cut or best-practice way to achieve this, which is why I am here looking for some help.
Any information on the best way to go about this is appreciated. If you could provide examples, that would be fantastic.
Thanks all,
Configuration:
redundancy
!
!
controller T1 0/0/0
cablelength long 0db
channel-group 0 timeslots 1-24
!
controller T1 0/0/1
cablelength long 0db
channel-group 0 timeslots 1-24
!
ip ssh version 2
!
!
!
!
interface Multilink1
description T1 Backup
bandwidth inherit
ip address xxx.xxx.xxx.xxx 255.255.255.252
ppp multilink
ppp multilink group 1
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Primary
ip address yyy.yyy.yyy.yyy 255.255.255.252
duplex full
speed 1000
!
interface GigabitEthernet0/1
description WAN Switch
ip address xxx.xxx.xxx.xxx 255.255.255.192 secondary
ip address xxx.xxx.xxx.xxx 255.255.255.128
duplex full
speed 1000
!
interface GigabitEthernet0/2
ip address xxx.xxx.xxx.xxx 255.255.255.192
duplex full
speed auto
!
interface Serial0/0/0:0
description T1-1
bandwidth 1544
no ip address
encapsulation ppp
ppp multilink
ppp multilink group 1
!
interface Serial0/0/1:0
description T1-2
bandwidth 1544
no ip address
encapsulation ppp
ppp multilink
ppp multilink group 1
!
router bgp #####
bgp log-neighbor-changes
network XXX.XXX.XXX.XXX
neighbor xxx.xxx.xxx.xxx remote-as 111111
neighbor xxx.xxx.xxx.xxx description PRIMARY BGP
neighbor xxx.xxx.xxx.xxx password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
neighbor xxx.xxx.xxx.xxx soft-reconfiguration inbound
neighbor xxx.xxx.xxx.xxx route-map Corp-BGP-Mid-in in
neighbor xxx.xxx.xxx.xxx route-map Corp-BGP-Mid-out out
neighbor xxx.xxx.xxx.xxx maximum-prefix 200
neighbor yyy.yyy.yyy.yyy remote-as 222222
neighbor yyy.yyy.yyy.yyy description BACKUP BGP
neighbor yyy.yyy.yyy.yyy password 7 xxxxxxxxxxxxxxx
neighbor yyy.yyy.yyy.yyy update-source Multilink1
neighbor yyy.yyy.yyy.yyy soft-reconfiguration inbound
neighbor yyy.yyy.yyy.yyy route-map Corp-BGP-Mid-in in
neighbor yyy.yyy.yyy.yyy route-map Corp-BGP-Mid-out out
neighbor yyy.yyy.yyy.yyy maximum-prefix 200
!
ip default-gateway xxx.xxx.xxx.xxx
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
no ip nat service sip udp port 5060
ip route xxx.xxx.xxx.xxx 255.255.255.0 xxx.xxx.xxx.xxx *(Primary)*
!
!
ip prefix-list Corp-BGP-Mid-in seq 10 deny xxx.xxx.xxx.xxx/24
ip prefix-list Corp-BGP-Mid-in seq 20 permit 0.0.0.0/0
ip prefix-list Corp-BGP-Mid-in seq 30 permit 0.0.0.0/0 le 32
!
ip prefix-list Corp-BGP-Mid-out seq 10 permit xxx.xxx.xxx.xxx/24
!
route-map Corp-BGP-Mid-in permit 10
match ip address prefix-list Corp-BGP-Mid-in
!
!
route-map Corp-BGP-Mid-out permit 10
match ip address prefix-list Corp-BGP-Mid-out
!
!
!
!
05-01-2014 02:46 PM
Accept only the default route from each ISP. Set the received default on ISP1 to a higher local-preference than ISP2.
route-map Corp-BGP-Mid-ISP1-in permit 10
match ip address prefix-list Corp-BGP-Mid-in
set local-preference 110
Prepend your AS number a few times to the advertised prefixes out ISP2. This will generally make the path through ISP2 less preferred. But any inbound traffic that originates within ISP2's network will take their path as well as possibly direct peers with that ISP.
route-map Corp-BGP-Mid-ISP2-out permit 10
match ip address prefix-list Corp-BGP-Mid-out
set as-path prepend xxxxx xxxxx xxxxx
Why do you have a static default?
Be careful with the 200 prefix max. If you end up receiving more than 200, you'll end up with the BGP session to that neighbor going up and down. Your inbound prefix list is permitting the entire routing table so there's a chance you'll end up with more than 200 in your configuration.
I'm a little surprised that you are backing up a 200Mb link with a 3Mb link. That sounds like a problem waiting to happen. What is your business expectation if the primary link fails?
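Added example (not part of the thread and not any poster's code): a small Python audit that flags, in an IOS-style configuration, the pitfalls raised in the reply above: a maximum-prefix limit behind a permit-everything inbound prefix list, one route-map shared by both ISPs (so local-preference or prepending cannot differ per ISP), and a static default. The sample configuration, its addresses and AS number, the static default line and the finding names are constructed for illustration.

```python
# Constructed sample (documentation addresses, private AS number), shaped like
# the configuration in the question; the static default line is hypothetical.
SAMPLE = """\
router bgp 64512
 neighbor 192.0.2.1 route-map Corp-BGP-Mid-in in
 neighbor 192.0.2.1 route-map Corp-BGP-Mid-out out
 neighbor 192.0.2.1 maximum-prefix 200
 neighbor 198.51.100.1 route-map Corp-BGP-Mid-in in
 neighbor 198.51.100.1 route-map Corp-BGP-Mid-out out
 neighbor 198.51.100.1 maximum-prefix 200
ip route 0.0.0.0 0.0.0.0 192.0.2.1
ip prefix-list Corp-BGP-Mid-in seq 20 permit 0.0.0.0/0
ip prefix-list Corp-BGP-Mid-in seq 30 permit 0.0.0.0/0 le 32
route-map Corp-BGP-Mid-in permit 10
 match ip address prefix-list Corp-BGP-Mid-in
route-map Corp-BGP-Mid-out permit 10
 match ip address prefix-list Corp-BGP-Mid-out
"""

def audit(cfg):
    """Return sorted finding codes (names are this example's own) for a config."""
    nbrs, open_lists, rmap_list, found, cur = {}, set(), {}, set(), None
    for w in (line.split() for line in cfg.splitlines()):
        if w[:1] == ["neighbor"] and len(w) == 5 and w[2] == "route-map":
            nbrs.setdefault(w[1], {})[w[4]] = w[3]      # direction -> map name
        elif w[:1] == ["neighbor"] and len(w) >= 4 and w[2] == "maximum-prefix":
            nbrs.setdefault(w[1], {})["max"] = int(w[3])
        elif w[:2] == ["ip", "prefix-list"] and w[5:] == ["permit", "0.0.0.0/0", "le", "32"]:
            open_lists.add(w[2])                        # list permits every prefix
        elif w[:1] == ["route-map"]:
            cur = w[1]                                  # entering a route-map block
        elif w[:4] == ["match", "ip", "address", "prefix-list"] and cur:
            rmap_list[cur] = w[4]
        elif w[:4] == ["ip", "route", "0.0.0.0", "0.0.0.0"]:
            found.add("STATIC_DEFAULT")  # distance 1 beats the eBGP default (20)
    for n in nbrs.values():
        if "max" in n and rmap_list.get(n.get("in")) in open_lists:
            found.add("MAXPREFIX_WITH_PERMIT_ALL")      # full table exceeds the limit
    for d, code in (("in", "SHARED_INBOUND_MAP"), ("out", "SHARED_OUTBOUND_MAP")):
        maps = [n[d] for n in nbrs.values() if d in n]
        if len(maps) > 1 and len(set(maps)) == 1:
            found.add(code)              # same policy for both ISPs in this direction
    return sorted(found)

if __name__ == "__main__":
    print(audit(SAMPLE))
```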
05-01-2014 05:02 PM
Thanks for the reply,
Yes the backup ISP is somewhat of a problem, if the primary goes down we would shut most of our hosting services down besides our VoIP service that has multiple tenants. The reason it is like it is now is that we needed multihoming for ARIN requirements. This will change in the future for sure.
05-03-2014 10:37 AM
Hello,
Here is the thing.
When talking about BGP and using the BGP attributes to affect the inbound traffic path you have basically the following options:
With the MED you will basically configure it with a route-map as follows:
Taken from Cisco
router bgp 65000
 neighbor 10.1.1.1 route-map FINANCE out
!
ip as-path access-list 1 permit ^690_
ip as-path access-list 2 permit .*
!
route-map FINANCE permit 10
 match as-path 1
 set metric 127
!
route-map FINANCE permit 20
 match as-path 2
Remembering that the lowest MED will be preferred.
Regards,
Jcarvaja
CCIE 42930
05-03-2014 02:24 PM
MED will be taken into account only if both links are towards the same ISP. Otherwise, it is useless.
05-03-2014 06:37 PM
Totally agree with you.
At least now you know all of the options and where to use each one.
Now is your time to choose which tool to use :)
Regards
04-19-2016 01:01 PM
What would a configuration look like when two ISPs are connected to two different routers to come to your network and you still want to keep one as a backup?
Regards,
akbntc
05-03-2014 09:47 AM
In addition to all the right things rmf.newport said, you could send aggregate routes from both ISPs and send more specific routes from the primary one. In this way, all incoming traffic will flow from the primary link.
12-18-2014 08:52 PM
I finally got around to doing this tonight, then went to test failover to the T1s and nothing can get out.
Not sure why, I have tried adding a static route for my T1 gateway but no luck.
12-24-2014 09:05 AM
Can you post your current BGP configuration, including route-maps and associated ACLs?
Also, can you include sh ip bgp 0.0.0.0?
Do you still have a static default route?