
BGP question about choosing one ISP over another when sending packets

StefanStefanR
Level 1

Hello, this is the network that I'm using:

Network123.PNG

I'm using NAT (PAT to be exact) on Edge-A and Edge-B routers. I put static routes on ISP_1 and ISP_2 for address 198.133.219.5/32 (ISP_1) and 198.133.220.5/32 (ISP_2) respectively, so they can return the packets when the address is translated. ISP_1 has a static NAT for a server. Also I had to type it twice for static routes, for example on ISP_1:

ip route 198.133.219.5 255.255.255.255 203.200.200.202
ip route 198.133.219.5 255.255.255.255 Null0

The reason for this is that if ISP_1 tries to ping this IP address, it won't loop forever. It will bounce once and then ISP_1 will discard the packet. If any PC wants to ping 17.17.17.1 loopback 1, ISP_1 will know how to respond. I know I could have put a default static route to the company's network but I didn't want to do it here.

Same is done on ISP_2;

Edge-B has a default static route of: ip route 0.0.0.0 0.0.0.0 203.200.200.204 80 (Metric is 80 to make it not preferable).

Now here's the issue with default static routes. Edge-A has configured a default route of 0.0.0.0 0.0.0.0 towards ISP_1 for any network that he doesn't know about. Edge-B has configured a default route of 0.0.0.0 0.0.0.0 towards ISP_2 but my plan is to make sure that Edge-B sends all routes to Edge-A instead and only use his ISP_2's default route if Edge-A network fails.

So on Edge-B, the default static route to ISP_2 will appear only when Edge-A connection is lost towards ISP_1. If I cut the connection with the ISP_1, Edge-B gets his route in the routing table instead and advertises it. But he will never return to the default route of Edge-A when ISP_1 comes back to life.

network1.PNG

My suggestion here is that I add a weight material for all routes coming from AS 200. I tested this and it turns out that this method works albeit I'm not sure how efficient this is.

22.PNG

Now Edge-B shows that he prefers the static default route of Edge-A because it has a weight of 50000. Is this acceptable? Or is this not a very good solution?

2) I also have a second question that boggles my mind. Please help me understand this scenario:

When I did these commands on Edge-A: default-information originate and redistribute static route-map STATIC_1 (route-map here is used so that static ip address of D1 is not propagated to the others).

Every router in the network has gotten its default static route BUT ISP_1 and ISP_2 did not receive this route at all.

To my understanding, correct me if I'm wrong, this is because ISP_1 sees this network and he knows that it is propagated by his next-hop address so he immediately discards the update to not create a loop right? The same is done on ISP_2 when Edge-B redistributes his static default route.

-------------------------------------------

So in conclusion, when the network has to pick which route is best to use for internet, they should always pick ISP_1. I did this with the static default route, advertising it from Edge-A to others and making sure that when Edge-B receives it, it should have a higher weight so when Edge-B redistributes it to the others --> they will choose Edge-A as intended.

Also I did test a ping on a server 89.203.12.47 and the ping passes without issues. All PCs in the network can ping the server and vice versa.

Also is it correct to make sure ISP routers cannot ping 198.133.219.5 and 198.133.220.5 because no host exists, but they can return the packet because of next-hop + have Null0 interface to prevent loop? I hope this is the correct configuration. 

Here is a test to see if Confederation routers will pick Edge-B or Edge-A (they are much closer to Edge-B):

asdsadas.PNG
In the end, he did choose Edge-A instead, so I think my configuration works? (the traceroute was done on a non-existent network to see which default static route sends it).

Edge-B:

route-map Edge-A permit 10
match as-path 49
set weight 50000
!
ip as-path access-list 49 permit ^200$

router bgp 300
bgp router-id 5.5.5.5
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 170.255.255.254 remote-as 100
neighbor 202.0.0.2 remote-as 200
neighbor 202.1.0.1 remote-as 150
neighbor 203.200.200.205 remote-as 62100
!
address-family ipv4
network 13.13.13.0 mask 255.255.255.128
aggregate-address 192.168.0.0 255.255.192.0 as-set summary-only
aggregate-address 160.0.0.0 224.0.0.0 as-set summary-only
redistribute static
neighbor 170.255.255.254 activate
neighbor 170.255.255.254 unsuppress-map AS_PATH
neighbor 202.0.0.2 activate
neighbor 202.0.0.2 route-map Edge-A in
neighbor 202.0.0.2 unsuppress-map AS_PATH
neighbor 202.1.0.1 activate
neighbor 202.1.0.1 unsuppress-map AS_PATH
neighbor 203.200.200.205 activate
neighbor 203.200.200.205 remove-private-as all
default-information originate
exit-address-family
!
ip prefix-list NO-SUP seq 5 permit 0.0.0.0/0 le 32

Edge-A:

router bgp 200
bgp log-neighbor-changes
neighbor 1.2.3.4 remote-as 64530
neighbor 1.2.3.4 disable-connected-check
neighbor 1.2.3.4 update-source Loopback0
neighbor 180.120.120.1 remote-as 100
neighbor 202.0.0.1 remote-as 300
neighbor 203.200.200.201 remote-as 63100
!
address-family ipv4
network 12.12.12.0 mask 255.255.255.128
aggregate-address 192.168.0.0 255.255.192.0 as-set summary-only
aggregate-address 160.0.0.0 224.0.0.0 as-set summary-only
redistribute static route-map STATIC_1
neighbor 1.2.3.4 activate
neighbor 1.2.3.4 route-map ACCEPT in
neighbor 1.2.3.4 unsuppress-map AS_PATH
neighbor 180.120.120.1 activate
neighbor 180.120.120.1 unsuppress-map AS_PATH
neighbor 202.0.0.1 activate
neighbor 202.0.0.1 unsuppress-map AS_PATH
neighbor 203.200.200.201 activate
neighbor 203.200.200.201 remove-private-as all
default-information originate
exit-address-family
!
ip as-path access-list 50 permit ^300$
!
ip nat pool public-addrs 198.133.219.5 198.133.219.30 netmask 255.255.255.224
ip nat inside source list 1 pool public-addrs overload
ip route 0.0.0.0 0.0.0.0 203.200.200.201
ip route 1.2.3.4 255.255.255.255 180.200.200.2
!
ip access-list extended ALLOW
permit ip 10.255.255.0 0.0.0.63 any
permit ip 192.168.100.0 0.0.0.255 any
permit ip 192.168.150.0 0.0.0.255 any
permit ip 10.0.0.0 0.31.255.255 any
deny ip any any
ip access-list extended STATIC
deny ip host 1.2.3.4 any
permit ip any any
!
!
ip prefix-list NO-SUP seq 5 permit 192.168.20.0/24
ip prefix-list NO-SUP seq 10 permit 192.168.30.0/24
ip prefix-list NO-SUP seq 15 permit 192.168.31.0/24
ip prefix-list NO-SUP seq 20 permit 192.168.32.0/24
ip prefix-list NO-SUP seq 25 permit 192.168.33.0/24
ip prefix-list NO-SUP seq 30 permit 192.168.34.0/24
ip prefix-list NO-SUP seq 35 permit 192.168.40.0/24
ip prefix-list NO-SUP seq 40 permit 172.16.0.0/16
ip prefix-list NO-SUP seq 45 permit 172.18.0.0/16
ip prefix-list NO-SUP seq 50 permit 172.19.0.0/16
ip prefix-list NO-SUP seq 55 permit 172.20.0.0/19
ip prefix-list NO-SUP seq 60 permit 172.24.49.0/24
ip prefix-list NO-SUP seq 65 permit 172.24.50.0/24
ip prefix-list NO-SUP seq 70 permit 172.30.0.0/22
ip prefix-list NO-SUP seq 75 permit 172.31.192.0/19
ip prefix-list NO-SUP seq 80 permit 172.31.255.248/29
ip prefix-list NO-SUP seq 85 permit 176.28.0.0/16
!
route-map ACCEPT permit 10
match ip address ALLOW
set community none
!
route-map AS_PATH permit 10
match ip address prefix-list NO-SUP
!
route-map STATIC_1 permit 10
match ip address STATIC
!

ISP_1:

!
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 10.0.0.0 0.31.255.255
access-list 1 permit 160.0.0.0 31.255.255.255
!
router bgp 63100
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 203.200.200.202 remote-as 200
!
address-family ipv4
network 17.17.17.0 mask 255.255.255.128
neighbor 203.200.200.202 activate
exit-address-family
!
!
ip nat inside source static 192.168.179.100 89.203.12.47
ip route 198.133.219.5 255.255.255.255 203.200.200.202
ip route 198.133.219.5 255.255.255.255 Null0
!
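
The fail-back behaviour described in the post, as an added Python model (not part of the original post and not Cisco code). It assumes the `80` on Edge-B's static default is its administrative distance, that eBGP routes have distance 20, and that locally originated BGP paths carry the Cisco default weight of 32768; `Path`, `bgp_best` and `settle` are hypothetical names, and only the first best-path steps are modelled.

```python
from dataclasses import dataclass

LOCAL_WEIGHT = 32768  # assumed: Cisco default weight for locally originated paths
AD_EBGP = 20          # assumed: administrative distance of eBGP-learned routes

@dataclass(frozen=True)
class Path:
    source: str       # "ebgp" = default learned from Edge-A (AS 200), "local" = redistributed static
    weight: int
    as_path_len: int

def bgp_best(paths):
    # Simplified best path: highest weight, then locally originated, then shortest AS path.
    return max(paths, key=lambda p: (p.weight, p.source == "local", -p.as_path_len))

def settle(edge_a_default_up, inbound_weight, rib, static_ad=80):
    """Return which source ends up owning 0.0.0.0/0 in Edge-B's routing table."""
    for _ in range(4):  # RIB and BGP feed each other; iterate until stable
        paths = []
        if edge_a_default_up:
            paths.append(Path("ebgp", inbound_weight, 1))  # AS path "200"
        if rib == "static":
            # A static default that is installed gets sourced into BGP on Edge-B
            # (redistribute static + default-information originate).
            paths.append(Path("local", LOCAL_WEIGHT, 0))
        best = bgp_best(paths) if paths else None
        # BGP only offers its best path to the RIB, and only if it was learned.
        candidates = {"static": static_ad}
        if best is not None and best.source == "ebgp":
            candidates["ebgp"] = AD_EBGP
        new_rib = min(candidates, key=candidates.get)
        if new_rib == rib:
            break
        rib = new_rib
    return rib

if __name__ == "__main__":
    print("normal          :", settle(True, 0, rib="ebgp"))
    print("ISP_1 link cut  :", settle(False, 0, rib="ebgp"))
    print("back, weight 0  :", settle(True, 0, rib="static"))
    print("back, w=50000   :", settle(True, 50000, rib="static"))
```

In this model the inbound weight only changes the outcome once it exceeds 32768, because that is the value the returning eBGP path has to beat.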

1 Reply

Can you summarize your Q?

Thanks 

MHM
