3243 Views, 12 Helpful, 12 Replies

Migrating BGP private ASN to Public ASN

jagdev.dhaliwal
Level 1

Hello All,

I have two links on two edge routers from the same ISP for Active/Standby. I am using a private AS and ISP-provided IPs; now I have got my own public IPs and AS number. I want to publish my IPs and migrate the AS number from private to public. But currently I do not want to migrate my device IPs; I just want to publish the network and the ASN.

Current config is:

Router 1

router bgp 64530
 no synchronization
 bgp log-neighbor-changes
 redistribute connected
 redistribute static
 neighbor 4.4.4.4 remote-as 100
 neighbor 4.4.4.4 timers 10 30
 no auto-summary

Router 2

router bgp 64530
 no synchronization
 bgp log-neighbor-changes
 redistribute connected
 redistribute static
 neighbor 4.4.4.6 remote-as 9583
 neighbor 4.4.4.6 timers 10 30
 no auto-summary

Thanks

Jagdev


12 Replies

milan.kulik
Level 10

Hi,

IMHO, the easiest way would be:

Make an agreement with your ISP for some maintenance window out of business hours.

Reconfigure your private ASN to the public one on your secondary router and ask the ISP to modify the remote-as number for your secondary router in his configs at the same time.

Start advertising your public IP network from your secondary router.

Check through some Internet looking glass if your public IP network is advertised correctly.

Finally repeat the same steps on your primary router.

You just need to think about the current prefixes: Will the ISP accept them when received from the new ASN?

And advertise them to the Internet with your ASN originated?

Or is he not advertising them currently (as provided by him) and advertising only some less specific summary routes?

HTH,

Milan

Hi Milan,

Thanks. After this I am planning for ISP-level redundancy; for that I planned the config below:

----------------------------------------------------------------------------------------------------------------------------------------------

Router 1

autonomous-system 100
!
ip route 1.1.1.0 255.255.254.0 Null0 200
!
ip prefix-list MY_IP_OUT seq 10 permit 1.1.1.0/23 le 24
!
ip prefix-list SECOND-ROUTE seq 10 permit 1.1.2.0/24
!
route-map MY_TO_ISP1 permit 10
 match ip address prefix-list SECOND-ROUTE
 set as-path prepend 100 100 100
!
route-map MY_TO_ISP1 permit 20
 match ip address prefix-list MY_IP_OUT
!
ip prefix-list DEFAULT&HQ_ROUTE_IN seq 10 permit 0.0.0.0/0
ip prefix-list DEFAULT&HQ_ROUTE_IN seq 20 permit 6.6.6.0/24
!
route-map ISP1_TO_ME permit 10
 match ip address prefix-list DEFAULT&HQ_ROUTE_IN
!
router bgp 100
 no synchronization
 bgp log-neighbor-changes
 bgp dampening
 network 1.1.1.0 mask 255.255.255.0
 network 1.1.2.0 mask 255.255.255.0
 aggregate-address 1.1.1.0 255.255.254.0
 ! define BGP session with ISP-1 (the peer-group must exist before its attributes are set)
 neighbor ISP1 peer-group
 neighbor ISP1 remote-as 200
 neighbor ISP1 description BGP Transit to ISP1
 neighbor ISP1 timers 10 30
 neighbor ISP1 version 4
 neighbor ISP1 password
 neighbor ISP1 soft-reconfiguration inbound
 neighbor ISP1 route-map ISP1_TO_ME in
 neighbor ISP1 route-map MY_TO_ISP1 out
 neighbor ISP1 maximum-prefix 10
 neighbor ISP1 next-hop-self
 !
 ! define iBGP session
 neighbor IBGP peer-group
 neighbor IBGP remote-as 100
 neighbor IBGP description iBGP to Router2
 neighbor IBGP version 4
 neighbor IBGP soft-reconfiguration inbound
 neighbor IBGP update-source Loopback0
 !
 neighbor 4.4.4.4 peer-group ISP1
 !
 neighbor 1.1.1.2 peer-group IBGP
!
end

+++++++++++++++++++++++++++++++++++++++++++++++++++++++

Router 2

!
autonomous-system 100
!
ip route 1.1.1.0 255.255.254.0 Null0 200
!
ip prefix-list MY_IP_OUT seq 10 permit 1.1.1.0/23 le 24
!
ip prefix-list FIRST-ROUTE seq 10 permit 1.1.1.0/24
!
route-map MY_TO_ISP2 permit 10
 match ip address prefix-list FIRST-ROUTE
 set as-path prepend 100 100 100
!
route-map MY_TO_ISP2 permit 20
 match ip address prefix-list MY_IP_OUT
!
ip prefix-list DEFAULT_ROUTE_IN seq 10 permit 0.0.0.0/0
!
route-map ISP2_TO_ME permit 10
 match ip address prefix-list DEFAULT_ROUTE_IN
!
router bgp 100
 no synchronization
 bgp log-neighbor-changes
 bgp dampening
 network 1.1.1.0 mask 255.255.255.0
 network 1.1.2.0 mask 255.255.255.0
 aggregate-address 1.1.1.0 255.255.254.0
 ! define BGP session with ISP-2 (the peer-group must exist before its attributes are set)
 neighbor ISP2 peer-group
 neighbor ISP2 remote-as 300
 neighbor ISP2 description BGP Transit to ISP2
 neighbor ISP2 timers 10 30
 neighbor ISP2 version 4
 neighbor ISP2 password
 neighbor ISP2 soft-reconfiguration inbound
 neighbor ISP2 route-map ISP2_TO_ME in
 neighbor ISP2 route-map MY_TO_ISP2 out
 neighbor ISP2 maximum-prefix 10
 neighbor ISP2 next-hop-self
 !
 ! define iBGP session
 neighbor IBGP peer-group
 neighbor IBGP remote-as 100
 neighbor IBGP description iBGP to Router1
 neighbor IBGP version 4
 neighbor IBGP soft-reconfiguration inbound
 neighbor IBGP update-source Loopback0
 !
 neighbor 3.3.3.3 peer-group ISP2
 !
 neighbor 1.1.1.1 peer-group IBGP
!
end

-------------------------------------------------------------------------------------------------------------------------------------------------------------

Now I want all my Internet traffic to primarily go out via ISP2 and HQ (6.6.6.0/24) to go out via ISP1. I am using Cisco routers so I can use the weight attribute; if I use weight on ISP2's default route, will it also affect the HQ route (6.6.6.0/24), as it is more specific? If yes, then how can I achieve this?

Thanks

Jagdev

Hi,

I'm not sure if I'm following your configs completely.

So generally:

If you want to influence the way the traffic is outgoing from your site, you might need to manipulate BGP attributes of prefixes received from your neighbours.

And vice versa:

If you want to influence the way the traffic is sent to your site, you might need to manipulate BGP attributes of prefixes sent to your neighbours.

So if you want the traffic sent to 6.6.6.0/24 to choose Router1 as the outgoing gateway from your site, you need to make the BGP attributes of the 6.6.6.0/24 prefix received on your Router1 better than the attributes of the same prefix received on your Router2.

The easiest way is to increase the Local Preference value (set it to 200, e.g., as the default value is 100).

Using the Weight attribute is not practical in your case, as this attribute has a local meaning only (i.e., it is not sent to other BGP neighbours) and Router2 could still prefer the prefix received from ISP2.

I'd also use

neighbor ... next-hop-self

command in the iBGP section, not in the eBGP section.

HTH,

Milan
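To see why Local Preference rather than Weight is the tool here, the following Python model, added as an illustration and not code from the thread, runs a cut-down Cisco best-path comparison (highest weight, then highest local-pref, then eBGP over iBGP) for the 0.0.0.0/0 default as each router sees it. Router names, ASNs and the goal (all Internet traffic out via ISP2) follow the thread; the path objects and attribute values are constructed for the example.

```python
"""Mini BGP best-path model: Weight versus Local Preference.

Added illustration, not code from the thread.  Router1 peers with ISP1,
Router2 with ISP2, and the two run iBGP, as in Jagdev's design.  Goal:
all Internet-bound (0.0.0.0/0) traffic should leave via ISP2.
"""
from dataclasses import dataclass


@dataclass
class Path:
    prefix: str
    from_peer: str      # "ISP1", "ISP2" or "iBGP"
    ebgp: bool
    local_pref: int = 100
    weight: int = 0     # Cisco-local attribute, never sent to any neighbor


def best_path(paths):
    """Cut-down Cisco order: highest weight, highest local-pref, eBGP over iBGP."""
    return max(paths, key=lambda p: (p.weight, p.local_pref, p.ebgp))


def router1_paths(use_weight):
    """Default-route paths on Router1: its own ISP1 path plus Router2's via iBGP."""
    # LOCAL_PREF set on Router2 is carried in the iBGP UPDATE; WEIGHT is not,
    # so with the weight design the iBGP copy arrives with the default LP 100.
    return [
        Path("0.0.0.0/0", "ISP1", ebgp=True),
        Path("0.0.0.0/0", "iBGP", ebgp=False,
             local_pref=100 if use_weight else 200),
    ]


def router2_paths(use_weight):
    """Default-route paths on Router2: its own ISP2 path plus Router1's via iBGP."""
    return [
        Path("0.0.0.0/0", "ISP2", ebgp=True,
             local_pref=100 if use_weight else 200,
             weight=1000 if use_weight else 0),
        Path("0.0.0.0/0", "iBGP", ebgp=False),
    ]


def default_exits(use_weight):
    """(Router1 choice, Router2 choice) for Internet-bound traffic."""
    return (best_path(router1_paths(use_weight)).from_peer,
            best_path(router2_paths(use_weight)).from_peer)


if __name__ == "__main__":
    # Weight on Router2 only: Router1 keeps sending to ISP1 (eBGP beats iBGP).
    print("weight    :", default_exits(use_weight=True))    # ('ISP1', 'ISP2')
    # Local-pref 200 on Router2: Router1 now hands off to Router2 -> ISP2.
    print("local-pref:", default_exits(use_weight=False))   # ('iBGP', 'ISP2')
```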

Hi Milan,

Let me explain more on the config so that you can help me. I got new public IPs, e.g. 1.1.1.0/23; now I want to publish the /24 1.1.1.0/24 from ISP1 and 1.1.2.0/24 from ISP2, and 1.1.1.0/23 from both ISPs for redundancy.

I have created a prefix-list and using a route-map I am prepending the ASN to subnet 1.1.2.0/24.

Router 1:

ip route 1.1.1.0 255.255.254.0 Null0 200
!
ip prefix-list SECOND-ROUTE seq 10 permit 1.1.2.0/24
!
route-map MY_TO_ISP1 permit 10
 match ip address prefix-list SECOND-ROUTE
 set as-path prepend 100 100 100
!
route-map MY_TO_ISP1 permit 20
 match ip address prefix-list MY_IP_OUT
!
router bgp 100
 network 1.1.1.0 mask 255.255.255.0
 network 1.1.2.0 mask 255.255.255.0
 aggregate-address 1.1.1.0 255.255.254.0
 neighbor ISP1 route-map MY_TO_ISP1 out

--------------------------------------------------------------------------------------

The same I am doing for the other route 1.1.1.0/24 on Router 2:

Router 2:

ip route 1.1.1.0 255.255.254.0 Null0 200
!
ip prefix-list MY_IP_OUT seq 10 permit 1.1.1.0/23 le 24
!
ip prefix-list FIRST-ROUTE seq 10 permit 1.1.1.0/24
!
route-map MY_TO_ISP2 permit 10
 match ip address prefix-list FIRST-ROUTE
 set as-path prepend 100 100 100
!
route-map MY_TO_ISP2 permit 20
 match ip address prefix-list MY_IP_OUT
!
router bgp 100
 network 1.1.1.0 mask 255.255.255.0
 network 1.1.2.0 mask 255.255.255.0
 aggregate-address 1.1.1.0 255.255.254.0
 neighbor ISP2 route-map MY_TO_ISP2 out

######################################################################################

For inbound routes I just want to learn the default route, but I want my traffic to HQ to go out via ISP1 and the rest of the Internet traffic via ISP2.

For that I learned the HQ-specific route from ISP1 and feel that, since it will be the more specific route, it should be used for outbound traffic to HQ.

Router 1:

ip prefix-list DEFAULT&HQ_ROUTE_IN seq 10 permit 0.0.0.0/0
ip prefix-list DEFAULT&HQ_ROUTE_IN seq 20 permit 6.6.6.0/24
!
route-map ISP1_TO_ME permit 10
 match ip address prefix-list DEFAULT&HQ_ROUTE_IN
!
router bgp 100
 neighbor ISP1 route-map ISP1_TO_ME in

----------------------------------------------------------------------------------------------------------------------------

And just learning the default route from ISP2:

Router 2:

ip prefix-list DEFAULT_ROUTE_IN seq 10 permit 0.0.0.0/0
!
route-map ISP2_TO_ME permit 10
 match ip address prefix-list DEFAULT_ROUTE_IN
!
router bgp 100
 neighbor ISP2 route-map ISP2_TO_ME in

======================================

Please let me know if this makes it clear, or I will try to explain more.

Thanks

Jagdev

Hi Jagdev,

for advertised subnets:

IMHO, you've got a typo in your configs, there should be:

Router 1:

ip route 1.1.1.0 255.255.255.0 Null0

Router 2:

ip route 1.1.2.0 255.255.255.0 Null0

shouldn't it?

This way you will get the routes for those subnets into your RIB to be able to advertise them to the ISPs and create the /23 aggregated route.

And you will advertise both

1.1.1.0/24 and 1.1.2.0/24 together with 1.1.1.0/23 from both your routers to the ISPs.

The route received from the other iBGP router will be advertised with 100 100 100 prepended though.

Is that what you want?

######################################################################################

For inbound routes:

If you permit the 6.6.6.0/24 prefix to be received only on Router 1, it will work.

But you also need to be sure the default route received on Router 2 would be preferred if you want the rest of the traffic to leave your site through Router 2. So increasing the Local Preference for the default route received from ISP2 would be a solution.

And again

neighbor ... next-hop-self

command should be used in the iBGP section, not in the eBGP section.

BR,

Milan

Thanks Once again Milan,

I will add "next-hop-self" in IBGP session.

Router 1:

ip route 1.1.1.0 255.255.255.0 Null0

Router 2:

ip route 1.1.2.0 255.255.255.0 Null0

Router 1:

ip prefix-list MY_IP_OUT seq 10 permit 1.1.1.0/23 le 24
!
ip prefix-list SECOND-ROUTE seq 10 permit 1.1.2.0/24
!
route-map MY_TO_ISP1 permit 10
 match ip address prefix-list SECOND-ROUTE
 set as-path prepend 100 100 100
!
route-map MY_TO_ISP1 permit 20
 match ip address prefix-list MY_IP_OUT
!
ip prefix-list HQ_ROUTE_IN seq 10 permit 6.6.6.0/24
!
ip prefix-list DEFAULT_IN seq 10 permit 0.0.0.0/0
!
route-map ISP1_TO_ME permit 10
 match ip address prefix-list HQ_ROUTE_IN
 set local-preference 200
!
route-map ISP1_TO_ME permit 20
 match ip address prefix-list DEFAULT_IN

Router 2:

ip prefix-list MY_IP_OUT seq 10 permit 1.1.1.0/23 le 24
!
ip prefix-list FIRST-ROUTE seq 10 permit 1.1.1.0/24
!
route-map MY_TO_ISP2 permit 10
 match ip address prefix-list FIRST-ROUTE
 set as-path prepend 100 100 100
!
route-map MY_TO_ISP2 permit 20
 match ip address prefix-list MY_IP_OUT
!
ip prefix-list DEFAULT_ROUTE_IN seq 10 permit 0.0.0.0/0
!
route-map ISP2_TO_ME permit 10
 match ip address prefix-list DEFAULT_ROUTE_IN
 set local-preference 200
!

Thanks

Jagdev

Hi,

yes, this should work I hope.

BR,

Milan

Thanks for your support Milan

Regards

Jagdev

Hello Jagdev,

just a note:

From a previous thread I had understood that your border routers learn the component routes 1.1.1.0/24 and 1.1.2.0/24 via an IGP (OSPF or other), or are directly connected to them. If so, you don't need the static route to Null0; just the BGP network command would work well.

Everything else is fine in the proposed configuration.

Hope to help

Giuseppe

Hi Giuseppe,

I understood those subnets were not used yet?

Doesn't really matter how to get them to the RIB in that case.

Another possibility would be creating Loopback interfaces with addresses assigned to those subnets, e.g.

BR,

Milan

Thanks Giuseppe

Currently they are not learned from an IGP or from a directly connected interface. I will use HSRP on the LAN interface, and in front of them there would be ASA firewalls. Now I want to configure some tracking for HSRP on the BGP session instead of the WAN interface.

HQ's traffic goes to the ISP1 router's LAN interface and the rest of the traffic goes to the ISP2 router's LAN interface. They will work in failover. Please go through the config below and suggest.

Router ISP1:

interface FastEthernet0/1
 description Connect to ASA1
 ip address 1.1.1.2 255.255.254.0
 duplex auto
 speed 100
 standby 1 ip 1.1.1.1
 standby 1 priority 90
 standby 1 preempt

Router ISP2:

interface FastEthernet0/1
 description Connect to ASA2
 ip address 1.1.1.3 255.255.254.0
 duplex auto
 speed 100
 standby 1 ip 1.1.1.1
 standby 1 priority 110
 standby 1 preempt

ASA are in Active failover mode.

I can use route Outside 0.0.0.0 0.0.0.0 1.1.1.1 for Internet traffic, but for HQ traffic should I use another standby group, or is there any other way to achieve this?

interface FastEthernet0/1
 description Connect to ASA1
 ip address 1.1.1.2 255.255.254.0
 duplex auto
 speed 100
 standby 1 ip 1.1.1.1
 standby 1 priority 90
 standby 1 preempt
 standby 2 ip 1.1.1.4
 standby 2 priority 90
 standby 2 preempt

interface FastEthernet0/1
 description Connect to ASA2
 ip address 1.1.1.3 255.255.254.0
 duplex auto
 speed 100
 standby 2 ip 1.1.1.4
 standby 2 priority 110
 standby 2 preempt

And for HQ: route Outside 6.6.6.0 255.255.255.0 1.1.1.4

Thanks

Jagdev

Hello Jagdev,

The first note is that you are using the /23 directly on the interfaces to the ASA pair.

This can cause great problems with the static ip route to Null0 for the /24 component routes.

Going this way, the risk is that traffic is black-holed, sent to Null0, as those static routes are more specific than the connected route!!!

In order to advertise the component routes and to have traffic that can successfully be received, you need to use a /24 IP subnet mask on the link to the ASA.

The second /24 IP subnet may be associated with a DMZ defined on the ASA.

Alternatively, the two /24s could become two different DMZs connected to the ASA, and a private IP subnet is used between the ASA pair and the border routers.

Let's suppose you use a /24 on the IP subnet between the border routers and the ASA pair:

change all subnet masks to 255.255.255.0 (/24)

on the routers add a static route for the other /24 pointing to the ASA active address

ip route 1.1.2.0 255.255.255.0 1.1.1.5

remove the static routes to Null0 for the component routes.

I suppose that 1.1.1.5 is the ASA active and 1.1.1.6 the ASA standby.

All the rest of what you are suggesting is fine, with the use of two HSRP groups to provide IP next-hops for the static routes (default and route to HQ) to be defined on the ASA pair.

Again, details are very important to build a working solution.

Hope to help

Giuseppe
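To make the black-hole risk concrete, here is a small longest-prefix-match model in Python, added here and not code from the thread: it replays Router 1's RIB as posted (the /23 on the ASA link plus the /24 static to Null0) against the fix proposed above, using the thread's addresses and the ASA active address 1.1.1.5; the RIB model and the sample host addresses are constructed for the example.

```python
"""Longest-prefix-match check for the Null0 black hole described above.

Added illustration, not code from the thread.  Addresses follow the
thread: 1.1.1.0/23 on the ASA-facing link, a /24 component route to Null0,
ASA active at 1.1.1.5.  The RIB model itself is constructed for the example.
"""
import ipaddress


def route(prefix, next_hop):
    # strict=False: "1.1.1.0/23" as written in the thread has host bits set;
    # it normalizes to 1.1.0.0/23, which does NOT cover 1.1.2.0/24 at all.
    return (ipaddress.ip_network(prefix, strict=False), next_hop)


def lookup(rib, dst):
    """Next hop of the most specific route covering dst (None if no route).

    Only prefix length decides here: administrative distance (the '200' on
    the posted Null0 statics) breaks ties between routes to the SAME prefix,
    so it cannot make the connected /23 win over a /24 static.
    """
    addr = ipaddress.ip_address(dst)
    covering = [(net, nh) for net, nh in rib if addr in net]
    if not covering:
        return None
    return max(covering, key=lambda r: r[0].prefixlen)[1]


# Router 1 as posted: /23 on FastEthernet0/1, its /24 component route to Null0.
RIB_R1_POSTED = [
    route("1.1.1.0/23", "connected Fa0/1"),
    route("1.1.1.0/24", "Null0"),
]

# Router 1 with the fix: /24 on the link, the other /24 statically routed to
# the ASA active address, and no Null0 static for the component route.
RIB_R1_FIXED = [
    route("1.1.1.0/24", "connected Fa0/1"),
    route("1.1.2.0/24", "1.1.1.5"),
]


def forwarding_check(rib, hosts=("1.1.1.50", "1.1.2.50")):
    """Map one sample host in each /24 to the next hop the RIB would use."""
    return {h: lookup(rib, h) for h in hosts}


if __name__ == "__main__":
    print(forwarding_check(RIB_R1_POSTED))  # {'1.1.1.50': 'Null0', '1.1.2.50': None}
    print(forwarding_check(RIB_R1_FIXED))   # {'1.1.1.50': 'connected Fa0/1', '1.1.2.50': '1.1.1.5'}
```

In the posted design the /24 static wins longest-prefix match over the connected /23 and drops local traffic, while the second /24 is not covered by the normalized /23 at all; with the fix both /24s resolve to a real next hop.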
