HSRP inbound and out bound bandwidth traffic

spivy6666
Level 1

I have a concern about the traffic flow on my HSRP setup. I have two Cisco 2900s doing HSRP and it seems to be working, but all outbound traffic is going to the active VIP, while all incoming traffic is coming back through the standby router. Both of these routers have a separate 100 Mbps service to my ISP. From my MRTG app it shows my total bandwidth through my firewall is over 100 Mbps at times. Why is traffic coming back on the standby router, and if I shut down my standby will I exceed the bandwidth service I have with my ISP? I thought HSRP was strictly for hardware HA reasons?

Thank You

CCNA
32 Replies

If you have a different block per circuit, then why are you advertising both blocks from each router?

What do you mean by circuit ?

Do you use a different IP subnet for connectivity to the ISP routers?

Sorry for all the questions but just don't want to break your network :-)

Independent addressing is just that, i.e. it is not part of the ISP block; you purchase it yourself and you have your own AS number that is unique on the internet.

You are then totally responsible for advertising it and how it is routed.

I only asked because if it is part of the ISP block any changes we make should be fairly immediate because they don't have to propagate through the internet routing tables as they are part of the summary block advertised by your ISP.

Jon 

Ahh, OK, so now I understand. To answer your questions:

Yes, the IPs are the ISP's, because AS 4567 was provided by the ISP. I don't have my own public AS; it was given to me by them.

"If you have a different block per circuit then why are you advertising both blocks from each router?" (I have this for routing redundancy: if I lose one circuit or ISP drop, the other one picks up. I also configured HSRP for hardware redundancy.)

"What do you mean by circuit?" (I mean service line, so I have 2 separate 100 Mbps pipes; the first drop or circuit goes to R1 and the second to R2. That's why I set up iBGP (AS 12345, a private AS I made up for internal iBGP) for the redundancy.)

* I appreciate you taking the time and not wanting to break my network :)

"Do you use a different IP subnet for connectivity to the ISP routers?"

CCNA

Right, so the public blocks are on the inside of your routers, i.e. between the routers and the firewalls, and the outside of your routers uses different IP addressing, i.e. not part of the blocks?

Just want to be absolutely sure I follow.

If you want to use MED then you would either need to configure both routers and explicitly set the MED so that your backup router had a higher metric (lower metric is better) or you can work out the current metric being advertised by looking at the routing table.

To be honest it would be better to set it explicitly on both routers just in case the metric changes for the internal route

With AS prepending you just need to modify the backup router.

Happy to go with whichever you want, can you just clarify about the addressing and then I promise we'll get to the config :-)

Jon

Yes, the public blocks are on the LAN side of the routers, and the WAN side interfaces are not part of the block given to me :)

Before I go any further, I do have one concern. Haha, I have a lot of tunnels set up. Will this cause an issue with traffic coming back a different path? I know IPsec is funny. Right now it seems to be working, but the inbound traffic takes a different path; maybe it doesn't matter because it's all terminated at the VIP...

Anyway, from what the ISP told me, they said AS prepending would make more sense. Which one would you go with based on my environment?

What is the main difference between MED and AS prepending? Thanks again for your help, it's greatly appreciated.

CCNA

If your IPSEC tunnels are terminating on the firewall(s) then it should make no difference to them.

If you were terminating on the routers obviously that would completely break them :-)

MED is a weaker attribute than AS path in the BGP best path selection algorithm. If your ISP said prepending would make more sense we'll go with that as you only need to configure the backup router.

Because you want both blocks to go via the HSRP active router you don't need an acl to match which networks you want to prepend ie. you just want to prepend all networks (both blocks) on your backup router.

So add this to your backup router -

route-map <name> permit 10   <-- <name> can be anything you want; with no match clause it matches all prefixes
 set as-path prepend 12345 12345   <-- this must be your AS

router bgp 12345
 neighbor 4.4.4.4 route-map <name> out

then after you have done this -

R2#clear ip bgp 4.4.4.4 soft out

make sure you include the "soft out" bit otherwise it tears down the BGP session and has to restart it.

Once you've done this it should be pretty quick.

Log onto the looking glass server you used before and do a few traceroutes to some IPs from those blocks and they should all go via the WAN IP of your active router.

Probably worth doing a few traceroutes before you add the config just to verify it isn't working that way currently unless you already saw that when you tested last time.

Any problems let me know.

Jon

Before I do this (and unfortunately I won't be able to do this until tomorrow), I just want to understand: I need to use MY AS that I made up for iBGP, right?

Not the AS that the ISP provided?

When this all works, if you don't mind, could you explain what these commands do?

set as-path prepend
neighbor 4.4.4.4 route-map <name> out

R2#clear ip bgp 4.4.4.4 soft out

I just want to understand the steps, what happens when the packets head back to my routers. How do those commands control inbound traffic if it has no control of the path? Again, I can't thank you enough for your help and the learning experience on this topic.

CCNA

Not sure i understand about the AS number.

You use the AS number in your "router bgp <AS no>" command.

That is the AS the ISP sees in the route advertisements.

If you made it up they will be removing it from your advertisements but I'm assuming they won't remove it before they make the routing choice otherwise i am completely lost as to why they suggested using AS prepending.

It will only work if they use the AS number in your route advertisements to select the best path.

I can't really be more specific as I'm not your ISP so maybe worth another quick chat but i really don't think they would have suggested it unless they don't know what your setup is.

In terms of the additional configuration BGP has a complicated selection process as to which route it uses if it receives multiple routes for the same network. Each BGP route has a set of attributes and there is an order to these attributes that BGP uses to select the best route advertisement.

One of the attributes is the length of the AS path: the shorter, i.e. the fewer ASes in the path, the better.

So if the attributes that are more important than the AS path length in selecting the best path are equal then the length of the AS path is considered.

What you are doing is making sure that the path length is longer for the backup router so the other route advertisement is chosen because the ISP will be running IBGP within their network as well.

The clear command is used when you make a change and you need to tell your BGP process to use those changes.

Like i say i assume it will work as the ISP suggested it.

Jon
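As an added illustration that is not part of the thread, here is a small Python model of the best-path decision Jon describes, which also shows the earlier point that AS-path length is evaluated before MED. The addresses, BGP router-ids and the assumed public block 203.0.113.0/24 are constructed for the example; AS 12345 is the AS number used in the route-map above. With no policy, an arbitrary tie-break (not HSRP) decides which customer router receives inbound traffic, which is the symptom in the original question; prepending on the backup router changes that.

```python
# Added example (not from the thread): a simplified model of the BGP best-path
# decision the ISP makes when it receives the same customer prefix from both
# customer routers. Attribute order follows the Cisco algorithm from LOCAL_PREF
# down to the router-id tie-break; weight, the eBGP/iBGP step, the IGP metric to
# the next hop and the "oldest path" step are left out because both paths here
# are eBGP from the same customer. All addresses and router-ids are constructed.
from dataclasses import dataclass, replace
from functools import cmp_to_key
from ipaddress import IPv4Address
from typing import Iterable, Tuple

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}  # lower is preferred
CUSTOMER_AS = 12345          # the AS number used in the route-map in the thread
PREFIX = "203.0.113.0/24"    # assumed public block advertised by both routers


@dataclass(frozen=True)
class Route:
    """One advertisement of PREFIX as received by the ISP."""
    next_hop: str             # WAN IP of the customer router that sent it
    as_path: Tuple[int, ...]  # leftmost ASN is the advertising neighbour
    router_id: str            # BGP router-id of that neighbour (final tie-break)
    local_pref: int = 100
    origin: str = "igp"
    med: int = 0


def prepend(route: Route, asn: int, count: int) -> Route:
    """Model 'set as-path prepend <asn> [<asn> ...]' applied on the sender."""
    return replace(route, as_path=(asn,) * count + route.as_path)


def compare(a: Route, b: Route) -> int:
    """Negative if a is preferred over b, positive if b wins, 0 if identical."""
    if a.local_pref != b.local_pref:
        return b.local_pref - a.local_pref               # higher LOCAL_PREF wins
    if len(a.as_path) != len(b.as_path):
        return len(a.as_path) - len(b.as_path)           # shorter AS_PATH wins
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:
        return ORIGIN_RANK[a.origin] - ORIGIN_RANK[b.origin]
    # MED is only compared between paths learned from the same neighbouring AS.
    if a.as_path[0] == b.as_path[0] and a.med != b.med:
        return a.med - b.med                             # lower MED wins
    ra, rb = int(IPv4Address(a.router_id)), int(IPv4Address(b.router_id))
    return (ra > rb) - (ra < rb)                         # lower router-id wins


def best_path(routes: Iterable[Route]) -> Route:
    """Pick the advertisement the ISP installs and forwards on."""
    return min(routes, key=cmp_to_key(compare))


# Constructed scenario: R1 is the HSRP active router, R2 the standby. R2 happens
# to have the lower BGP router-id, so with identical attributes it wins the
# tie-break and inbound traffic lands on the standby, as in the question.
R1 = Route(next_hop="192.0.2.1", as_path=(CUSTOMER_AS,), router_id="10.1.1.2")
R2 = Route(next_hop="192.0.2.5", as_path=(CUSTOMER_AS,), router_id="10.1.1.1")


def inbound_router(prepend_on_backup: int = 0, backup_med: int = 0) -> str:
    """WAN IP the ISP sends PREFIX traffic to, given a policy on the backup."""
    backup = replace(R2, med=backup_med)
    if prepend_on_backup:
        backup = prepend(backup, CUSTOMER_AS, prepend_on_backup)
    return best_path([R1, backup]).next_hop


def as_path_beats_med() -> str:
    """R1 with one prepend versus R2 with a worse MED: R2 still wins, because
    AS_PATH length is evaluated before MED."""
    return best_path([prepend(R1, CUSTOMER_AS, 1), replace(R2, med=50)]).next_hop


if __name__ == "__main__":
    print("no policy                  ->", inbound_router())                     # 192.0.2.5
    print("prepend x2 on backup       ->", inbound_router(prepend_on_backup=2))  # 192.0.2.1
    print("worse MED on backup        ->", inbound_router(backup_med=50))        # 192.0.2.1
    print("R1 prepended, R2 worse MED ->", as_path_beats_med())                  # 192.0.2.5
```

The model assumes the ISP does not override the decision with its own LOCAL_PREF policy, which sits above AS-path length in the order; that is the same caveat Jon raises about the ISP having to actually use your AS number when it selects the path.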

 

OK, I'll touch base after I make the change. Thanks for your help.

CCNA

Things just got a little tricky here. Looking at my bandwidth, if the change we spoke about works then all my traffic will come back the same way it went out (great). However, if management does not want to spend the money to upgrade both lines to accommodate the HA and routing redundancy environment, would it be possible to have all outbound and inbound traffic route the way we were talking about, but have a certain tunnel's traffic flow through the other path (R2)? The reason I ask is that most of my bandwidth is being chewed up by data replication to my co-location. Bear in mind I still need my HSRP setup to work the way it is, but this tunnel will not point to the VIP. I would set up another firewall/VPN concentrator and point the GW to the R2 gig0/1 (LAN); this way it won't use the VIP. I guess we would need a route-map just for that traffic?

Is this possible? Just thinking outside the box..

CCNA

No it wouldn't.

The issue is that the VPN tunnel is terminated on the VIP of the firewalls.

With the BGP configuration you are telling the ISP to send all traffic for that VIP to your HSRP active router.

The routing protocol has no way of knowing that for a particular IPSEC tunnel the traffic should be sent the other way. In fact the routers don't even know it is IPSEC.

PBR would allow you to send some traffic one way and some another, but it won't work here because the inside IPs, i.e. the internal IPs within the tunnel, are not visible to the routers, and even if they were they aren't routable on the internet.

The only way you could make this work is if you either -

1) had a separate firewall with a public IP you advertised with preference for the backup router to your ISP for that tunnel

or

2) you terminated the specific IPSEC tunnel on the backup router and then used the WAN interface IP of the backup router as the VPN termination point.

Then it would have to route via the backup router.

Jon

I must remember to read all of your post :-)

If you do have a separate firewall then yes you could do it.

You would need a specific host route for firewall outside IP and you would also need to check with your ISP that they are happy for you to advertise a host route to them.

Just to them obviously ie. it doesn't need to go beyond the ISP but they may not be happy with that.

Jon

OK, but once I set up the host route it should work; the ISP will only notify me if they have a problem, right? The rule will kick in right away; they don't have to configure anything on their end, right?

- And if this all works, I could still have prepend working like we discussed?

- Plus I can still use PBR if I wanted, say for port 80 traffic, even though HSRP is enabled active/passive?

Sorry if I'm being repetitive.

CCNA

No problem with the questions, it's your network so you need to be sure.

I would check with the ISP personally as host routes are not something a lot of them like.

Yes you can still use the BGP configuration.

You can use PBR but I'm not sure where you are talking about using it.

PBR will allow you to send non encrypted traffic down either link but the return traffic will come back depending on your route advertisements.

It helps to think of traffic flow in two directions and just because you influence the path one way doesn't necessarily mean it will come back that way.

There are ways of trying to make it follow the same path for both ways, using NAT is an example, but I don't really know what you are trying to do.

Jon

I'm just thinking of a way I can balance the load on the routers to put the most important traffic through R1, but you're saying even if we send it out that path (even though we have a route-map set up) that does not mean it will come back the same way.

I'll let you know my outcome on setting up prepend. Thanks again for all your help, and if I have any more questions, I'll ask :)

CCNA

If you send traffic out via one router with a source IP of x then when the return traffic gets back to the ISP they will do a route lookup for x and send it to the next hop IP address for x which may be the router you used to send the traffic out or it may not.

If you wanted to ensure the traffic came back via the same router then what you can do is NAT all the source IPs to the WAN interface of the router it goes out of then traffic has to come back via that router.

Don't do that for any of your VPN tunnels though.

You are already looking to influence traffic inbound with BGP and also maybe use the backup link for a specific VPN tunnel. If you also want to use the backup link for other traffic it may be worth stepping back for a bit and working out exactly what you want to do for everything.

Otherwise you could end up with a mess of configuration for different things where a more simple setup could also have worked.

Jon
