BGP Route Manipulation/load balancing

Junaid Shah (Level 1)

Hello,

We have run into a situation where we need to load balance internet traffic outbound, i.e. for wired subnets we want to send traffic via ISP A and for wireless users we want to send traffic via ISP B.

I am pasting a high-level branch infra picture below.

Both of our ISPs are connected on two different firewalls, and we are doing BGP manipulation on the core switches, where we are preferring one ISP over the other using local preference. We have two core switches, and the core switches are connected to each other via OSPF. Core switch 2 is primary and has a local preference of 700 for incoming traffic, and core switch 1 has a local preference of 500. The interfaces between the core switches and the firewalls are L3, but we do not advertise those L3 interfaces. Our user access switches are connected to the core switches via L3 as OSPF. The requirement is to send the wired networks, i.e. 10.0.0.0/8, via ISP A, that is FW1, and the wireless networks, which are 172.16.0.0, via FW2 and ISP B.

Please suggest how we can do that via PBR or any other option. Thanks

[image: high-level branch infrastructure diagram]

Accepted Solution

Giuseppe Larosa (Hall of Fame)

Hello @Junaid Shah,

from what you describe:

>> Core switch 2 is primary and it has local pref for incoming traffic as 700 and for Core switch has local-pref of 500

>> Our user access switches are connected to core switches via L3 as an OSPF.

you have a routed access layer and your access layer switches use OSPF to reach the two core routers.

The two core routers have to inject a default route into OSPF; using O E1 is recommended. The primary, core switch 2, should send out a lower seed metric like 50 and the other core router a higher seed metric like 500.

On core switch 2, PBR can be applied inbound on all L3 interfaces toward the access layer switches.

Only traffic directed to the internet has to be diverted.

access-list 110 remark wired
! wired-to-wireless traffic is internal: leave it to the routing table
access-list 110 deny ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.255.255
! everything else sourced from the wired range is internet-bound and gets diverted
access-list 110 permit ip 10.0.0.0 0.255.255.255 any
!
route-map PBR-ACCESS permit 10
 match ip address 110
 set ip next-hop <core-switch-1-link-between-core-switches>

then it needs to be applied to all ports toward the access layer with

interface type x/y
 ip policy route-map PBR-ACCESS

Hope to help

Giuseppe
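An added example, not part of Giuseppe's post or Junaid's own configuration, showing the two pieces above (O E1 default origination on both cores and the PBR on core switch 2) together in IOS syntax for the routed access layer. Router IDs, interface names, the inter-core link addressing (10.255.255.0/30) and the access-switch uplink addresses are assumptions. It also adds a second deny line so that wired-to-wired traffic that happens to transit core switch 2 is not detoured through core switch 1, which the ACL in the post as written would do because 10/8 to 10/8 matches its permit statement.

```cisco
! Added example, not from the original post; all addresses and interface names are assumptions.
!
! ---- Core switch 2 (primary): originate the default as O E1 with the lower seed metric ----
router ospf 1
 router-id 10.255.0.2
 default-information originate metric 50 metric-type 1
!
! ---- Core switch 1 (secondary): same default, higher seed metric ----
router ospf 1
 router-id 10.255.0.1
 default-information originate metric 500 metric-type 1
!
! ---- Core switch 2: divert only internet-bound wired traffic toward core switch 1 / FW1 ----
ip access-list extended WIRED-TO-INTERNET
 remark internal destinations follow the routing table; only the remainder is policy-routed
 deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 deny   ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.255.255
 permit ip 10.0.0.0 0.255.255.255 any
!
route-map PBR-ACCESS permit 10
 match ip address WIRED-TO-INTERNET
 set ip next-hop 10.255.255.1
!
! core switch 1's address on the inter-core link; this must be a connected or routed next hop on core switch 2
interface TenGigabitEthernet1/0/48
 description inter-core link to core switch 1 (OSPF)
 ip address 10.255.255.2 255.255.255.252
!
! one routed uplink per access switch; PBR is evaluated on ingress, so it goes on every uplink
interface TenGigabitEthernet1/0/1
 description routed uplink to access switch A (OSPF)
 ip address 10.254.1.2 255.255.255.252
 ip policy route-map PBR-ACCESS
!
interface TenGigabitEthernet1/0/2
 description routed uplink to access switch B (OSPF)
 ip address 10.254.2.2 255.255.255.252
 ip policy route-map PBR-ACCESS
```

Two points worth checking once this is in place. `default-information originate` without the `always` keyword only advertises while a default route exists in that core's own RIB (here the one learned from its firewall over BGP), so a core whose firewall withdraws the default also stops advertising it and the access switches converge on the other core's O E1 default. And PBR with a plain `set ip next-hop` only falls back to normal routing when the next hop's interface is down; confirm the policy is actually matching with `show route-map PBR-ACCESS` (it shows per-sequence match counters) and `show ip policy`.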

 


10 Replies


Thanks for responding.

So what if the access layer is layer 2, meaning that we have the default gateway set up on the access layer switches pointing to the core switches?

All the VLANs are created on both core switches with HSRP. What would you suggest in this scenario to send some traffic via one ISP and some through the other ISP?

Hello @Junaid Shah,

if user VLANs are served at OSI layer 3 by the core switches, it is enough to have HSRP primary for the wired VLANs on core switch 1 and HSRP primary for the WiFi VLANs on core switch 2, assuming each core switch will use the directly attached FW for the default route 0.0.0.0/0.

You are setting local preference to 700 on core switch 2 and to 500 on core switch 1. If an iBGP session exists between the two core switches, and it is recommended in your scenario, core switch 1 would send traffic to core switch 2 on the link between them.

In this case you can use a route-map like the one I had suggested, setting the next-hop to FW01 on core switch 1, to be used only for the wired VLANs.

Hope to help

Giuseppe
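An added example, not from the original thread, of how the layer-2 access variant Giuseppe describes can be built on both cores in IOS syntax. VLAN numbers, addresses, interface names, IP SLA and track object numbers are all assumptions. PBR is evaluated before the routing table lookup, so whichever default route (from BGP or from the other core via OSPF) a core has installed does not matter for packets that match the route-map. The `verify-availability ... track` clause matters operationally: without it, PBR only falls back to normal routing when the next hop's interface goes down, so a firewall that is up at layer 2 but not forwarding would black-hole the policy-routed traffic; with it, the switch reverts to its RIB default while the same track object also lowers the HSRP priority so the VLAN moves to the other core.

```cisco
! Added example, not from the original thread; all names, addresses and object numbers are assumptions.
!
! ============ Core switch 1: HSRP active for wired VLANs, FW1 directly attached ============
interface Vlan901
 description L3 link to FW1 inside (assumed 192.0.2.0/30, FW1 = 192.0.2.1)
 ip address 192.0.2.2 255.255.255.252
!
! probe FW1's inside address; the track object goes down when FW1 stops answering
ip sla 10
 icmp-echo 192.0.2.1 source-interface Vlan901
 frequency 5
ip sla schedule 10 life forever start-time now
track 10 ip sla 10 reachability
!
ip access-list extended WIRED-INTERNET
 remark only internet-bound traffic is policy-routed; internal destinations follow the RIB
 deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 deny   ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.255.255
 permit ip 10.0.0.0 0.255.255.255 any
!
route-map WIRED-VIA-FW1 permit 10
 match ip address WIRED-INTERNET
 set ip next-hop verify-availability 192.0.2.1 10 track 10
!
interface Vlan10
 description wired users 10.10.0.0/16, HSRP active on this core
 ip address 10.10.0.2 255.255.0.0
 ip policy route-map WIRED-VIA-FW1
 standby 10 ip 10.10.0.1
 standby 10 priority 110
 standby 10 preempt
 standby 10 track 10 decrement 30
!
interface Vlan20
 description wireless users 172.16.20.0/24, HSRP standby on this core
 ip address 172.16.20.2 255.255.255.0
 standby 20 ip 172.16.20.1
 standby 20 priority 90
 standby 20 preempt
!
! ============ Core switch 2: HSRP active for wireless VLANs, FW2 directly attached ============
interface Vlan902
 description L3 link to FW2 inside (assumed 198.51.100.0/30, FW2 = 198.51.100.1)
 ip address 198.51.100.2 255.255.255.252
!
ip sla 20
 icmp-echo 198.51.100.1 source-interface Vlan902
 frequency 5
ip sla schedule 20 life forever start-time now
track 20 ip sla 20 reachability
!
ip access-list extended WIFI-INTERNET
 deny   ip 172.16.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
 permit ip 172.16.0.0 0.0.255.255 any
!
route-map WIFI-VIA-FW2 permit 10
 match ip address WIFI-INTERNET
 set ip next-hop verify-availability 198.51.100.1 10 track 20
!
interface Vlan20
 description wireless users, HSRP active on this core
 ip address 172.16.20.3 255.255.255.0
 ip policy route-map WIFI-VIA-FW2
 standby 20 ip 172.16.20.1
 standby 20 priority 110
 standby 20 preempt
 standby 20 track 20 decrement 30
!
interface Vlan10
 description wired users, HSRP standby on this core
 ip address 10.10.0.3 255.255.0.0
 standby 10 ip 10.10.0.1
 standby 10 priority 90
 standby 10 preempt
```

The decrement of 30 takes the active core from 110 to 80, below the peer's 90, so the failover is decided by priority rather than by the HSRP tie-break on highest IP address. Note that this only steers the outbound direction: as Paul points out in the thread, return traffic enters through whichever ISP the internet prefers, and a stateful firewall that never saw the outbound packet will drop the reply. The usual way to keep the two directions on the same firewall is to have each firewall source-NAT its outbound sessions to addresses from its own ISP's range, so replies can only come back through that ISP and that firewall.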

 

Hello

@Junaid Shah wrote:

    Both of our ISP's are connected on two different firewalls and we are doing BGP manipulation on core switches where we are preferring one ISP over the other using local-preference

Can you elaborate a little:
Is it eBGP peering to either ISP, and if so, is it from the cores or the FWs?
Are the core switches/FWs running iBGP between them, or just an IGP (OSPF)?
Are you performing any redistribution, and if so, is it mutual or just from OSPF into BGP?
What routes are you receiving from the ISPs: full, partial or default?

EDITED: implementing policy-based routing will NOT have any influence on ingress traffic from the ISPs as such; you could possibly create asymmetric routing by applying PBR without also focusing on the inbound traffic path, which may or may not be detrimental to the services/applications you are running.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community's global network.

Kind Regards
Paul

It is eBGP with the ISPs, and it is from the FWs.

The cores are running just OSPF and not iBGP.

No redistribution.

We are receiving the full routing table from the ISPs, but we then filter it and only send a default to the cores from the firewalls.

So what if the access layer is layer 2, meaning that we have the default gateway set up on the access layer switches pointing to the core switches?

All the VLANs are created on both core switches with HSRP. What would you suggest in this scenario to send some traffic via one ISP and some through the other ISP?

MHM


MHM

But even if I make one switch active from an HSRP perspective, the default route is preferred via one switch. So let's assume I make core switch 1 active for wired and switch 2 primary for wireless, and switch 1 has the default route; then switch 1 will advertise the default route to core switch 2 via OSPF, so the HSRP-primary VLANs on switch 2 will again go to switch 1 and go out via FW1 and ISP1. So sorry, but I don't think this will work.

MHM
