BGP Path Preference between two ISP

Saeed Siddiqui
Level 1

Hello Wonderful People, would you please help me with this? The IPs and hostnames are fictitious but the design is real. Please see the attached Visio.

I have two internet circuits coming in from two different providers, ISP 1 and ISP 2. We are peering with each provider via EBGP. Both circuits are terminated on two different Cisco 3850 switches, DCSW1 and DCSW2 respectively. Both switches are also doing HSRP and IBGP peering.

Both circuits are advertising default routes.

Question: how can I make ISP1 primary for all incoming and outgoing traffic, so that ISP2 only becomes active when ISP1 is down?

Currently, HSRP is active on DCSW1, therefore we see incoming and outgoing traffic on DCSW1, but we also see incoming traffic via ISP2 coming into DCSW2.

Please help.

17 Replies

As a suggestion, you can do iBGP peering between the two switches and do weighted routing towards the ISPs.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Hello @Kasun Bandara 
If you have ibgp peering then you would want to use next-hop and local-preference attributes which are not just locally significant like weight is?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

If you want to control traffic with 2 ISPs you have one set of tools to control outbound traffic and another set of tools to control inbound traffic. Controlling outbound traffic is easier because you are in control of the routing logic, but controlling inbound traffic is difficult because you can make suggestions to the ISPs about how to route to you but you do not control that traffic.

If both ISPs advertise only a default route to you then control of outbound traffic is pretty simple. You would configure local preference to make advertisements from one ISP more attractive than advertisements from the other ISP. IBGP between your devices will make sure that both devices see the same preference.

Control of inbound traffic is more complicated. It may be helpful to think in terms of separate treatment of traffic from outside that is a response to something initiated from inside and traffic that is originated from outside. Assuming that you are doing NAT on your outbound traffic, response traffic will use the same ISP that you sent the outbound packet to. The tricky part is traffic originated from outside. Your tool for this is AS prepending, which can make one path to your address space less attractive than the other path.

HTH

Rick

In my response I used the assumption that you were doing NAT for traffic initiated inside your network. But perhaps you are not doing NAT for traffic initiated inside your network. Perhaps you have your own Public IP address block. In that case I would suggest that you configure normal advertisement of your Public IP address block to the primary ISP and configure conditional advertisement of your Public IP address block to the second ISP. Normally all inbound traffic would be routed through the primary ISP and if there was a problem with the primary then traffic would be routed through the backup.

HTH

Rick

Hello,

based on what you say about your topology, you could use AS PATH prepending and local preference on the backup switch. The configs would look something like below (assuming you announce the same aggregate, and accept only the default route, from both ISPs):

DCSW1

router bgp 65531
address-family ipv4
network 111.64.0.0 mask 255.255.224.0
neighbor 111.65.10.1 remote-as 1
! announce only the aggregate, accept only the default route
neighbor 111.65.10.1 prefix-list AGGREGATE_PFX out
neighbor 111.65.10.1 prefix-list DEFAULT_PFX in
neighbor 111.65.10.1 activate
!
ip prefix-list AGGREGATE_PFX permit 111.64.0.0/19
ip prefix-list DEFAULT_PFX permit 0.0.0.0/0
!
! static route to Null0 so the network statement has a matching route
ip route 111.64.0.0 255.255.224.0 null0

DCSW2

router bgp 65532
address-family ipv4
network 111.64.0.0 mask 255.255.224.0
neighbor 111.66.10.1 remote-as 2
neighbor 111.66.10.1 prefix-list AGGREGATE_PFX out
neighbor 111.66.10.1 route-map AS_PREP_RM out
neighbor 111.66.10.1 prefix-list DEFAULT_PFX in
! local preference is set on routes received from the ISP, so this map is applied inbound
neighbor 111.66.10.1 route-map LOC_PREF_RM in
neighbor 111.66.10.1 activate
!
ip prefix-list AGGREGATE_PFX permit 111.64.0.0/19
ip prefix-list DEFAULT_PFX permit 0.0.0.0/0
!
! lengthen the AS path announced to the backup ISP
route-map AS_PREP_RM permit 10
set as-path prepend 65532 65532 65532
!
! below the default of 100, so the default route from this ISP is less preferred
route-map LOC_PREF_RM permit 10
set local-preference 80
!
ip route 111.64.0.0 255.255.224.0 null0
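
The attribute behaviour discussed in the replies above (weight stays on one router, local preference is shared over iBGP, AS-path prepending only changes what remote networks see), as an added Python model that is not part of any poster's reply. It covers only the first best-path steps, reuses the AS numbers from the configuration above, and its function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Path:
    via: str                # exit/entry point label
    as_path: tuple = ()     # AS numbers, nearest first
    local_pref: int = 100   # IOS default; carried to iBGP peers
    weight: int = 0         # Cisco-local, never sent to any peer
    ebgp: bool = True       # learned from an eBGP neighbor?

def best_path(paths):
    """First steps of Cisco best-path: weight, local-pref, AS-path length, eBGP over iBGP."""
    key = lambda p: (p.weight, p.local_pref, -len(p.as_path), p.ebgp)
    return max(paths, key=key) if paths else None

def over_ibgp(path, sender):
    """Copy of an eBGP path as the iBGP peer receives it: local-pref kept, weight reset."""
    return Path(f"{path.via} via {sender}", path.as_path, path.local_pref, 0, False)

def outbound_exits(sw1_weight=0, sw2_local_pref=100, isp1_up=True):
    """Exit chosen for 0.0.0.0/0 on (DCSW1, DCSW2). Simplification: each switch
    always passes its eBGP default to the other over iBGP."""
    sw1 = [Path("ISP1", (1,), weight=sw1_weight)] if isp1_up else []
    sw2 = [Path("ISP2", (2,), local_pref=sw2_local_pref)]
    sw1_rib = sw1 + [over_ibgp(p, "DCSW2") for p in sw2]
    sw2_rib = sw2 + [over_ibgp(p, "DCSW1") for p in sw1]
    return best_path(sw1_rib).via, best_path(sw2_rib).via

def inbound_entry(prepend=0, isp1_up=True):
    """Entry a remote AS picks for the aggregate, assuming it sets no policy of its own."""
    heard = [Path("ISP2", (2,) + (65532,) * (1 + prepend))]
    if isp1_up:
        heard.append(Path("ISP1", (1, 65531)))
    return best_path(heard).via

if __name__ == "__main__":
    print(outbound_exits())                    # no policy: each switch uses its own ISP
    print(outbound_exits(sw1_weight=200))      # weight on DCSW1 does not move DCSW2
    print(outbound_exits(sw2_local_pref=80))   # local-pref 80 on DCSW2 inbound
    print(outbound_exits(sw2_local_pref=80, isp1_up=False))
    print(inbound_entry(prepend=3), inbound_entry(prepend=3, isp1_up=False))
```

The inbound result holds only while remote networks compare AS-path length; an upstream that sets its own local preference can still send traffic through the prepended path.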

 

Hello
Can you confirm if you have iBGP peering and what IGP you are using for your internal network?

In the interim, to traffic engineer with BGP that is running on dual WAN rtrs and ISPs, as-path prepending and local preference would be applicable, but also, I would suggest making sure that you are indeed only advertising your local prefixes, thus preventing your site from becoming a transit path for either ISP.

Example (assuming you have iBGP peering)

WAN1

! neighbor remote-as statements are not shown in this example
route-map RM-LOCAL-PREF
description *Local Pref 110 making received routes preferred in the AS*
set local-preference 110

! ^$ matches an empty AS path, i.e. only locally originated prefixes
ip as-path access-list 10 permit ^$

router bgp 1
neighbor 1.1.1.1 description ISP1
neighbor 1.1.1.1 route-map RM-LOCAL-PREF in
neighbor 1.1.1.1 filter-list 10 out
neighbor 10.10.10.2 description IBGP to WAN2
neighbor 10.10.10.2 next-hop-self

WAN2

ip as-path access-list 10 permit ^$

route-map RM-PREPEND
description "as-prepend towards ISP2 to be seen as less preferred "
set as-path prepend 1 1 1

router bgp 1
neighbor 2.2.2.2 description ISP2
neighbor 2.2.2.2 route-map RM-PREPEND out
neighbor 2.2.2.2 filter-list 10 out
neighbor 10.10.10.1 description IBGP to WAN1
neighbor 10.10.10.1 next-hop-self



Kind Regards
Paul
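
One way to check the point above about advertising only local prefixes, as an added example (not the poster's code): a Python audit that lists eBGP neighbors with no restricting outbound policy. The sample configuration is constructed, and treating a route-map as restricting only when every permit entry has a match clause is a heuristic assumed here.

```python
import re

# Constructed sample in the style of the configs posted in this thread.
SAMPLE = """\
router bgp 65531
 neighbor 111.65.10.1 remote-as 1
 neighbor 111.65.10.1 prefix-list AGGREGATE_PFX out
 neighbor 111.66.10.1 remote-as 2
 neighbor 111.66.10.1 route-map AS_PREP_RM out
 neighbor 10.10.10.2 remote-as 65531
!
route-map AS_PREP_RM permit 10
 set as-path prepend 65531 65531 65531
!
route-map OWN_ONLY_RM permit 10
 match as-path 10
"""

def permissive_route_maps(config):
    """Route-maps with a permit entry that has no match clause, so it passes every route."""
    permissive, entry = set(), None
    for line in map(str.strip, config.splitlines() + ["!"]):
        m = re.match(r"route-map (\S+)(?: (permit|deny)\b.*)?$", line)
        if m or not line.startswith(("set ", "match ", "description ")):
            if entry:
                permissive.add(entry)          # entry ended without a match clause
            entry = m.group(1) if m and m.group(2) != "deny" else None
        elif line.startswith("match "):
            entry = None                       # this entry is conditional
    return permissive

def unfiltered_ebgp_neighbors(config):
    """eBGP neighbors whose outbound policy cannot stop learned routes from leaking."""
    local_as = re.search(r"^router bgp (\d+)", config, re.M).group(1)
    remote_as = dict(re.findall(r"^\s*neighbor (\S+) remote-as (\d+)", config, re.M))
    policies = re.findall(
        r"^\s*neighbor (\S+) (prefix-list|filter-list|route-map) (\S+) out", config, re.M)
    permissive = permissive_route_maps(config)
    filtered = {n for n, kind, name in policies
                if kind != "route-map" or name not in permissive}
    return sorted(n for n, asn in remote_as.items()
                  if asn != local_as and n not in filtered)

if __name__ == "__main__":
    print(unfiltered_ebgp_neighbors(SAMPLE))
```

A route-map that only prepends, like `AS_PREP_RM` in the sample, changes the AS path but filters nothing, which is why that neighbor is reported.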

check below comments 
 

Hello


@MHM Cisco World wrote:
according to CCIE and for Me I think the issue solve by 

not by AS-prepend because this make one ISP always prefer than other ISP, 



Isn't this what the OP has requested?
What you are suggesting is conditional advertisement, so one of the ISPs would not even be aware of the site routes unless there is a failure on the condition, at which point they are readvertised via the secondary ISP. That would not help if there is a failure within the ISP that the local site isn't aware of. Also, when BGP path selection within the ISP cloud has completed, there will be only the one ISP chosen for those NLRIs that will be used to find its way back into the site for the local site's networks.

I would say advertising local prefixes to both ISPs is most preferable, using a well-known mandatory attribute such as aspath/nexthop


@MHM Cisco World wrote:

I will talk about the Inbound only because the outbound is simple done by the active HSRP 


Not necessarily. What if a failure occurs on the LAN interface of wan rtr1 only? I assume you wouldn't want to drop a perfectly good EBGP peer just to re-route traffic via wan rtr 2, because traffic could go via the second FHRP LAN interface towards wan rtr2 and then over the iBGP connection and out via wan rtr 1 (local-pref/next-hop-self)?



Kind Regards
Paul

"I would say advertising local prefixes to both ISPs is most preferable using a well-known mandatory attribute such as aspath/nexthop"
The standby HSRP is now the new active HSRP peer, and we configured AS-path prepend to prefer the path through the OLD active router!! Is that right??
The standby, which is the new active HSRP peer, will be used for outbound, and inbound will be via the OLD HSRP peer.
How can we solve this??
By conditional advertisement: when the new active HSRP peer is elected it starts advertising the route to the ISP, and hence both IN and OUT will be via the same path.

Hello


@MHM Cisco World wrote:

the standby HSRP now be the new active HSRP peer, and we config AS-path prepend to prefer the path through the OLD active router!! is that right ??


If the wan rtr fails it will not be advertising any eBGP route anyway, so even if wan rtr2 is STILL advertising routes with prepend, this is the ONLY way back into the site. It doesn't matter if those NLRIs have a longer as-seq; it is the only way back in.



@MHM Cisco World wrote:

the standby which is new active HSRP peer will use for Outbound and Inbound will be via the OLD HSRP Peer.
how can we solve this ??


I am not sure what you mean by this, but as I said, BOTH wan rtrs will be advertising/receiving routes. With any failure downstream, a default will be advertised from both wan rtrs, and if wan rtr 1 is advertising that default with a better preference then the LAN network will see this default (wan rtr1 <> wan rtr2 <> lan) and should still route externally via wan rtr1. Now if no iBGP exists then failover would mean wan rtr would stop advertising externally and internally, so the path would be via wan rtr 2.



Kind Regards
Paul

@paul driver You are fully right: if the router is not active anymore it will not advertise the LAN prefix, except in the case of aggregation with Null0.
And @Georg Pauwen suggests using AS-PATH prepend.
Let's wait for his reply.
Thanks

Saeed Siddiqui
Level 1

Hello All, first and foremost, I would like to thank everyone who participated in this discussion and provided valuable insight.

Based on the information provided, I have decided that multihoming is being done for a purpose, so we can keep things as they are.

I have one more question:

I am planning to replace ISP 2, which is connected to DCSW2 on Te1/0/1 and is advertising a default route to us:

B* 0.0.0.0/0 [20/0] via 12.12.12.12, 7w0d

I already have another ISP connection called ISP 3, which will go into DCSW2 Te1/0/3 and will do BGP peering first, before we remove the ISP 2 connection.

My question is, can one switch have two default routes from two ISPs? One will eventually go away.

Please share your thoughts.