
iBGP path manipulation

Arshad Safrulla
VIP Alumni

Hi Networkers,

One of my clients requires Internet connectivity for two sites which are interconnected using an L2 link. The client is very specific about the requirements. I have attached a diagram for a better understanding of the current infrastructure.

Each site has 3 Internet lines, where the 1st Internet line at each site will be receiving a default route from the ISP, and the other 2 links will be configured with static routes in the Edge Routers.
Diagram.jpg

The requirement is as below.

1. Both sites must always use the Internet 1 link in Site 1. In case of link failure it should use the Internet 2 link in Site 2.

2. In case both Internet 1 links have failed, Site 1 should use its Internet 2 link only, and Site 2 should use the Internet 2 link in the same site.

3. Same as point 2 for the 3rd Internet link.

 

My plan is to achieve this using iBGP and extending it up to the Core Switches. The core switches are Cat9k and come with Network Advantage licenses, so they should support advanced routing. Kindly provide your valuable suggestions and recommendations for the best design using iBGP or any other routing protocol.

 


4 Replies (the two answers from Giuseppe Larosa are the accepted solutions)

Giuseppe Larosa
Hall of Fame

Hello Arshadsaf,

You can use local preference to make the Internet 1 default route of Site 1 the preferred one when it is alive.

However, you need to take care of how you inject the default route into BGP on Site 1.

The perimeter switch should be the only one to inject the default route into BGP, and only when the Internet 1 dynamic default route is received.

What you can do is use a route-map with multiple blocks to advertise the default route in BGP with a higher local preference when a default route exists with next-hop the Internet 1 router.

ip prefix-list ONLY-DEFAULT permit 0.0.0.0/0
!
access-list 11 remark check next-hop
! 11.11.11.11 = address of the Internet 1 router (placeholder)
access-list 11 permit 11.11.11.11
!
! block 10: default route whose next-hop is the Internet 1 router -> local-pref 500
route-map GEN-DEF-CHECK-EBGP permit 10
 match ip address prefix-list ONLY-DEFAULT
 match ip next-hop 11
 set local-preference 500
! block 20: any other default route in the RIB -> default local-pref (100)
route-map GEN-DEF-CHECK-EBGP permit 20
 match ip address prefix-list ONLY-DEFAULT
!
! we use a private BGP AS number 65000
router bgp 65000
 network 0.0.0.0 route-map GEN-DEF-CHECK-EBGP

Please note that network 0.0.0.0 without the route-map would generate a default route if one is present in the IP routing table by any means (eBGP or floating static routes with AD > 20).

iBGP should be deployed also on the edge switches and core switches to allow the default route to reach the core switches.

The iBGP sessions have to be permitted by the firewalls.

The configuration proposed above, with increased local-pref for the eBGP-received route, is only for the perimeter switch on Site 1.

On Site 2 a simple network 0.0.0.0 can be used in the BGP configuration section of the Site 2 perimeter switch.

Normally you would run iBGP sessions over loopbacks and use an IGP like OSPF to allow the iBGP sessions to be established.

Here you have firewalls in the path, so you need to verify the routing capabilities of the FWs: they should have a default route pointing to the edge switches and knowledge of the internal routes of both sites via the core switches downstream.

Hope to help

Giuseppe

 

Thank you @Giuseppe Larosa for the detailed reply. Just wanted to let you know that the WAN perimeter switch will be pure L2, which will be used only as a WAN breakout switch for the routers. But I think your logic is still valid, as we will redistribute the default routes into BGP in both routers with cost or local preference manipulation.

I was initially focused on redistributing the default route using information originate. That's why I reached out to the community. Thanks for enlightening me.

Just a quick addition regarding my 2nd requirement: if the Internet 1 link at both sites is down there shouldn't be any inter-site routing for Internet. I believe in this case we can use IP SLA to achieve this. Please correct me if I'm wrong.

Hello Arshadsaf,

Thanks for your kind remarks.

If the perimeter switches are L2 only, the duty of generating a default route in iBGP moves to the edge switches, and the same logic can be applied.

>> Just a quick addition regarding my 2nd requirement: if the Internet 1 link at both sites is down there shouldn't be any inter-site routing for Internet. I believe in this case we can use IP SLA to achieve this. Please correct me if I'm wrong.

OK, so on the Site 2 edge routers we should generate a default route with local-pref 200 when the Internet 1 link is up.

When both sites' Internet 1 links are down, all four edge routers will generate a default route with the default local preference of 100.

Here an IGP would be very handy, so that the core switches of Site 1 would prefer the route generated by the local edge routers for their lower IGP metric to the next-hop (preferring the local edge switch with the lowest BGP router-id).

If using an IGP with a high metric on the inter-site link, the IP SLAs should not be necessary.

However, to be able to use an IGP the firewalls should be able to take part in it. Example: OSPF can be a good candidate for this.

If the IGP can be used there shouldn't be a need for IP SLAs.

Hope to help

Giuseppe
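The design from both of Giuseppe's answers (conditional default origination with local preference 500 / 200 / 100, and an IGP so that the local-pref 100 fallback stays site-local) written out for all four edge routers and the cores, as an added example that is not configuration from the original thread. Two edge routers per site, the address plan, the ISP AS number, interface names and the password are assumptions; only AS 65000 and the route-map name come from the posts.

```cisco
! Added example, not configuration from the original thread. It extends
! Giuseppe's route-map idea to all four edge routers and to the cores.
! Assumptions: two edge routers per site; Edge-1 terminates Internet 1
! (eBGP default from the ISP) and Internet 2 (static), Edge-2 terminates
! Internet 3 (static). AS 65000 is from the thread; every address,
! interface name, ISP AS number and password below is made up.
!
! ===== Site 1 / Edge-1 : Internet 1 (eBGP) + Internet 2 (floating static) =====
ip prefix-list ONLY-DEFAULT seq 5 permit 0.0.0.0/0
!
! 198.51.100.1 is the ISP1 gateway, the role 11.11.11.11 plays in the thread
ip access-list standard ISP1-NEXTHOP
 permit 198.51.100.1
!
! Floating static for Internet 2. AD 150 loses to the eBGP default (AD 20)
! while Internet 1 is up, but beats the iBGP default (AD 200) learned from
! the other site, so it installs as soon as the ISP1 default disappears.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 150
!
! Block 10: default learned from ISP1 -> local-pref 500, preferred everywhere.
! Block 20: any other default in the RIB (the Internet 2 static) -> local-pref 100.
! If neither block matches, no default is originated at all.
route-map GEN-DEF-CHECK-EBGP permit 10
 match ip address prefix-list ONLY-DEFAULT
 match ip next-hop ISP1-NEXTHOP
 set local-preference 500
route-map GEN-DEF-CHECK-EBGP permit 20
 match ip address prefix-list ONLY-DEFAULT
 set local-preference 100
!
! Accept only a default route from the ISP and announce nothing back to it.
route-map ISP1-IN permit 10
 match ip address prefix-list ONLY-DEFAULT
route-map ISP1-OUT deny 10
!
router bgp 65000
! Lower router-id than Edge-2: when both sites' Internet 1 links are down,
! Internet 2 and Internet 3 tie at local-pref 100 and equal IGP metric,
! and the cores fall through to the lowest router-id.
 bgp router-id 10.255.1.1
 bgp log-neighbor-changes
 neighbor 198.51.100.1 remote-as 64501
 neighbor 198.51.100.1 route-map ISP1-IN in
 neighbor 198.51.100.1 route-map ISP1-OUT out
! Full iBGP mesh over loopbacks. The sessions cross the firewalls, so
! authenticate them and permit TCP/179 between the loopbacks on the FWs.
 neighbor IBGP peer-group
 neighbor IBGP remote-as 65000
 neighbor IBGP update-source Loopback0
 neighbor IBGP next-hop-self
 neighbor IBGP password CHANGE-ME
 neighbor 10.255.1.2 peer-group IBGP
 neighbor 10.255.1.11 peer-group IBGP
 neighbor 10.255.1.12 peer-group IBGP
 neighbor 10.255.2.1 peer-group IBGP
 neighbor 10.255.2.2 peer-group IBGP
 neighbor 10.255.2.11 peer-group IBGP
 neighbor 10.255.2.12 peer-group IBGP
 network 0.0.0.0 route-map GEN-DEF-CHECK-EBGP
!
! ===== Site 2 / Edge-1 : identical, except the ISP default gets local-pref 200 =====
route-map GEN-DEF-CHECK-EBGP permit 10
 match ip address prefix-list ONLY-DEFAULT
 match ip next-hop ISP1-NEXTHOP
 set local-preference 200
!
! ===== Edge-2 at either site : Internet 3 over a plain static =====
! AD 1 keeps the static installed whenever the ISP-facing link is up, so the
! router always offers a local-pref 100 default; the cores pick it only after
! every higher local-pref default is gone. If the link can stay up while the
! provider fails, attach a track object to the static instead.
ip route 0.0.0.0 0.0.0.0 192.0.2.1
route-map GEN-DEF-STATIC permit 10
 match ip address prefix-list ONLY-DEFAULT
 set local-preference 100
router bgp 65000
! same IBGP peer-group and neighbors as Edge-1 (10.255.2.2 at Site 2)
 bgp router-id 10.255.1.2
 network 0.0.0.0 route-map GEN-DEF-STATIC
!
! ===== Core switches (both sites) : OSPF underlay, iBGP receiver only =====
! No network statement: the cores just pick the best default. A high OSPF
! cost on the inter-site link makes the local edge routers win the IGP
! metric tie-break among equal local-pref 100 defaults, so no IP SLA is needed.
router ospf 1
 router-id 10.255.1.11
interface TenGigabitEthernet1/0/48
 description Inter-site L2 link
 ip ospf cost 1000
```

Check it on a core with show ip bgp 0.0.0.0: with everything up the single best path should carry LOCAL_PREF 500 from Site 1 Edge-1; after shutting the ISP1 session at Site 1 it should move to the 200 path from Site 2, and with both Internet 1 links down to a local 100 path. Setting local-pref 500 inbound on the ISP1 session and letting the eBGP default propagate with next-hop-self would achieve the same as the network statement; the route-map form is kept because block 20 also covers the floating static. With eight iBGP speakers a full mesh is 28 sessions; making the cores route reflectors cuts that down.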

 

Hi Sir @g
This answers all my concerns. Thanks for the support.