
BGP/Multihoming: How do I go about having everything come inbound through my primary ISP and the backup only be used if the primary is down?

shaank257
Level 1

We are in the midst of finishing our BGP setup.

We are wanting to basically force all traffic to come in and go out on our Primary ISP unless it goes down.

What we have in place:

1 router (though we have a cold spare ready to swap to), BGP set up with 2 different ISPs

a Fiber pipeline 200meg up/down from ISP1 (primary)

and

2 x T1's from ISP 2 (Backup)

I haven't found a clear-cut or best-practice way to achieve this, which is why I am here looking for some help.

Any information on the best way to go about this is appreciated. If you could provide examples, that would be fantastic.

Thanks all,

Configuration:


redundancy
!
!
controller T1 0/0/0
 cablelength long 0db
 channel-group 0 timeslots 1-24
!
controller T1 0/0/1
 cablelength long 0db
 channel-group 0 timeslots 1-24
!
ip ssh version 2
!
!
!
!         
interface Multilink1
 description T1 Backup
 bandwidth inherit
 ip address xxx.xxx.xxx.xxx 255.255.255.252

 ppp multilink
 ppp multilink group 1
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description Primary
 ip address yyy.yyy.yyy.yyy 255.255.255.252
 duplex full
 speed 1000
!
interface GigabitEthernet0/1
 description WAN Switch
 ip address xxx.xxx.xxx.xxx 255.255.255.192 secondary
 ip address xxx.xxx.xxx.xxx 255.255.255.128
 duplex full
 speed 1000

!
interface GigabitEthernet0/2
 ip address xxx.xxx.xxx.xxx 255.255.255.192
 duplex full
 speed auto
!
interface Serial0/0/0:0
 description T1-1
 bandwidth 1544
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 1
!
interface Serial0/0/1:0
 description T1-2
 bandwidth 1544
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 1
!
router bgp #####
 bgp log-neighbor-changes
 network XXX.XXX.XXX.XXX
 neighbor xxx.xxx.xxx.xxx remote-as 111111
 neighbor xxx.xxx.xxx.xxx description PRIMARY BGP
 neighbor xxx.xxx.xxx.xxx password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 neighbor xxx.xxx.xxx.xxx soft-reconfiguration inbound
 neighbor xxx.xxx.xxx.xxx route-map Corp-BGP-Mid-in in
 neighbor xxx.xxx.xxx.xxx route-map Corp-BGP-Mid-out out
 neighbor xxx.xxx.xxx.xxx maximum-prefix 200
 neighbor yyy.yyy.yyy.yyy remote-as 222222
 neighbor yyy.yyy.yyy.yyy description BACKUP BGP
 neighbor yyy.yyy.yyy.yyy password 7 xxxxxxxxxxxxxxx
 neighbor yyy.yyy.yyy.yyy update-source Multilink1
 neighbor yyy.yyy.yyy.yyy soft-reconfiguration inbound
 neighbor yyy.yyy.yyy.yyy route-map Corp-BGP-Mid-in in
 neighbor yyy.yyy.yyy.yyy route-map Corp-BGP-Mid-out out
 neighbor yyy.yyy.yyy.yyy maximum-prefix 200
!
ip default-gateway xxx.xxx.xxx.xxx
ip forward-protocol nd
!
no ip http server
no ip http secure-server

!
no ip nat service sip udp port 5060

ip route xxx.xxx.xxx.xxx 255.255.255.0 xxx.xxx.xxx.xxx  *(Primary)*
!
!
ip prefix-list Corp-BGP-Mid-in seq 10 deny xxx.xxx.xxx.xxx/24
ip prefix-list Corp-BGP-Mid-in seq 20 permit 0.0.0.0/0
ip prefix-list Corp-BGP-Mid-in seq 30 permit 0.0.0.0/0 le 32
!
ip prefix-list Corp-BGP-Mid-out seq 10 permit xxx.xxx.xxx.xxx/24
!
route-map Corp-BGP-Mid-in permit 10
 match ip address prefix-list Corp-BGP-Mid-in
!
!         
route-map Corp-BGP-Mid-out permit 10
 match ip address prefix-list Corp-BGP-Mid-out
!
!
!
!

 

9 Replies

Robert Falconer
Level 1

Accept only the default route from each ISP. Set the received default on ISP1 to a higher local-preference than ISP2.

route-map Corp-BGP-Mid-ISP1-in permit 10
 match ip address prefix-list Corp-BGP-Mid-in
 set local-preference 110

Prepend your AS number a few times to the advertised prefixes out ISP2. This will generally make the path through ISP2 less preferred. But any inbound traffic that originates within ISP2's network will take their path as well as possibly direct peers with that ISP.

route-map Corp-BGP-Mid-ISP2-out permit 10
 match ip address prefix-list Corp-BGP-Mid-out
 set as-path prepend xxxxx xxxxx xxxxx

Why do you have a static default?

Be careful with the 200 prefix max. If you end up receiving more than 200, you'll end up with the BGP session to that neighbor going up and down. Your inbound prefix list is permitting the entire routing table so there's a chance you'll end up with more than 200 in your configuration.

I'm a little surprised that you are backing up a 200Mb link with a 3Mb link. That sounds like a problem waiting to happen. What is your business expectation if the primary link fails?
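
An added example, not part of the original posts: a small Python evaluator for IOS prefix-list matching (first match wins, `ge`/`le` length ranges, implicit deny), run over a constructed route feed to show why the posted Corp-BGP-Mid-in list can exceed `maximum-prefix 200` while a default-only list cannot. The prefix 192.0.2.0/24 stands in for the redacted /24, the 300 routes under 198.18.0.0/15 are constructed, and the limit is assumed to be compared against the routes the filter permits.

```python
import ipaddress

def entry(action, prefix, ge=None, le=None):
    """One prefix-list line as (action, network, min_len, max_len)."""
    net = ipaddress.ip_network(prefix)
    if ge is None and le is None:
        lo = hi = net.prefixlen              # no ge/le: exact length only
    else:
        lo = net.prefixlen if ge is None else ge
        hi = 32 if le is None else le
    return action, net, lo, hi

def permits(prefix_list, route):
    """First matching entry decides; no match is an implicit deny."""
    r = ipaddress.ip_network(route)
    for action, net, lo, hi in prefix_list:
        if lo <= r.prefixlen <= hi and r.subnet_of(net):
            return action == "permit"
    return False

def accepted(prefix_list, routes):
    """Routes from the feed that survive the inbound prefix-list."""
    return [r for r in routes if permits(prefix_list, r)]

def exceeds_limit(prefix_list, routes, limit):
    """True when the permitted routes outnumber the maximum-prefix value."""
    return len(accepted(prefix_list, routes)) > limit

OWN_PREFIX = "192.0.2.0/24"   # constructed stand-in for the redacted /24
MAX_PREFIX = 200              # from "maximum-prefix 200" in the posted config

# Corp-BGP-Mid-in as posted: seq 10 deny own /24, seq 20 default, seq 30 everything
POSTED = [
    entry("deny", OWN_PREFIX),
    entry("permit", "0.0.0.0/0"),
    entry("permit", "0.0.0.0/0", le=32),
]
# Default-only variant, as suggested in the reply above
DEFAULT_ONLY = [entry("permit", "0.0.0.0/0")]

# Constructed feed: default route, our own prefix echoed back, 300 other /24s
ROUTES = (["0.0.0.0/0", OWN_PREFIX]
          + [f"198.18.{i}.0/24" for i in range(256)]
          + [f"198.19.{i}.0/24" for i in range(44)])

if __name__ == "__main__":
    for name, plist in (("posted", POSTED), ("default-only", DEFAULT_ONLY)):
        count = len(accepted(plist, ROUTES))
        print(f"{name}: {count} accepted, over limit: {count > MAX_PREFIX}")
```
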

Thanks for the reply,

Yes, the backup ISP is somewhat of a problem. If the primary goes down we would shut most of our hosting services down besides our VoIP service that has multiple tenants. The reason it is like it is now is that we needed multihoming for ARIN requirements. This will change in the future for sure.

Hello,

 

Here is the thing.

 

When talking about BGP and using the BGP attributes to affect the inbound traffic path you have basically the following options:

  • Using the AS-PATH as shown before on this post
  • Filtering the traffic inbound on one link (will not do redundancy)
  • Using the Multi-Exit Discriminator (MED) attribute.       

With the MED you will basically configure it with a route-map as follows:

Taken from Cisco 

router bgp 65000
 neighbor 10.1.1.1 route-map FINANCE out
!
ip as-path access-list 1 permit ^690_
ip as-path access-list 2 permit .*
!
route-map FINANCE permit 10
 match as-path 1
 set metric 127
!
route-map FINANCE permit 20
 match as-path 2

 

Remembering that the lowest MED will be preferred.

 

Regards,

 

Jcarvaja

CCIE 42930

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

MED will be taken in account only if both links are towards the same ISP. Otherwise, it is useless.

Totally agree with you.

At least now you know all of the options and where to use each one.

 

Now is your time to choose which tool to use :)

 

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

What would a configuration look like when two ISPs are connected to two different routers to come to your network and you still want to keep one as a backup?

Regards,

akbntc

In addition to all the right things rmf.newport said, you could send aggregate routes from both ISPs and send more specific routes from the primary one. In this way, all incoming traffic will flow from the primary link.

I finally got around to do this tonight, then went to test failover to the T1's and nothing can get out.

Not sure why, I have tried adding a static route for my T1 gateway but no luck.

Can you post your current BGP configuration, including route-maps and associated ACLs?

Also, can you include sh ip bgp 0.0.0.0?

Do you still have a static default route?
