Multihomed BGP Routing Load-Sharing

AS789
Level 1

Hi there,

I am struggling a bit with our BGP configuration, and hopefully someone can give me a hint in the right direction.

We have 3 routers in iBGP; each of them has a WAN connection to an external AS (eBGP).

Currently all traffic is routed to only 1 external AS. Failover between the iBGP routers is working, but I want to share the traffic between them.

 

Here are the configurations:

R1: 172.16.1.15

R2: 172.16.1.16

R3: 172.16.1.17

(all are in AS 100)

ROUTER 1

router bgp 100
bgp log-neighbor-changes
neighbor 10.1.1.1 remote-as 300
neighbor 10.1.1.1 version 4
neighbor 172.16.1.16 remote-as 100
neighbor 172.16.1.17 remote-as 100
!
address-family ipv4
bgp dampening
network 172.16.1.0
neighbor 10.1.1.1 activate
neighbor 10.1.1.1 send-community
neighbor 10.1.1.1 advertise-map ADVERTISE non-exist-map NON-EXIST
neighbor 10.1.1.1 next-hop-self
neighbor 10.1.1.1 soft-reconfiguration inbound
neighbor 10.1.1.1 filter-list 1 out
neighbor 172.16.1.16 activate
neighbor 172.16.1.16 send-community
neighbor 172.16.1.16 next-hop-self
neighbor 172.16.1.16 soft-reconfiguration inbound
neighbor 172.16.1.17 activate
neighbor 172.16.1.17 send-community
neighbor 172.16.1.17 next-hop-self
neighbor 172.16.1.17 soft-reconfiguration inbound
maximum-paths ibgp 3
exit-address-family

access-list 60 permit 172.16.1.0 0.0.0.255
access-list 65 permit 10.1.1.0 0.0.0.255

route-map ADVERTISE permit 10
match ip address 60

route-map NON-EXISTS permit 10
match ip address 65

 


ROUTER 2

router bgp 100
bgp router-id 172.16.1.16
bgp log-neighbor-changes
neighbor 172.16.1.15 remote-as 100
neighbor 172.16.1.17 remote-as 100
neighbor 20.1.1.1 remote-as 400
neighbor 20.1.1.1 version 4
!
address-family ipv4
bgp dampening
network 172.16.1.0
neighbor 172.16.1.15 activate
neighbor 172.16.1.15 send-community
neighbor 172.16.1.15 next-hop-self
neighbor 172.16.1.15 soft-reconfiguration inbound
neighbor 172.16.1.17 activate
neighbor 172.16.1.17 send-community
neighbor 172.16.1.17 next-hop-self
neighbor 172.16.1.17 soft-reconfiguration inbound
neighbor 20.1.1.1 activate
neighbor 20.1.1.1 send-community
neighbor 20.1.1.1 advertise-map ADVERTISE non-exist-map NON-EXIST
neighbor 20.1.1.1 next-hop-self
neighbor 20.1.1.1 soft-reconfiguration inbound
neighbor 20.1.1.1 filter-list 1 out
maximum-paths ibgp 3
exit-address-family

access-list 60 permit 172.16.1.0 0.0.0.15
access-list 65 permit 20.1.1.0 0.0.0.255

route-map ADVERTISE permit 10
match ip address 60

route-map NON-EXISTS permit 10
match ip address 65

 

Router 3


router bgp 100
bgp router-id 172.16.1.16
bgp log-neighbor-changes
neighbor 172.16.1.15 remote-as 100
neighbor 172.16.1.17 remote-as 100
neighbor 30.1.1.1 remote-as 400
neighbor 30.1.1.1 version 4
!
address-family ipv4
bgp dampening
network 172.16.1.0
neighbor 172.16.1.15 activate
neighbor 172.16.1.15 send-community
neighbor 172.16.1.15 next-hop-self
neighbor 172.16.1.15 soft-reconfiguration inbound
neighbor 172.16.1.16 activate
neighbor 172.16.1.16 send-community
neighbor 172.16.1.16 next-hop-self
neighbor 172.16.1.16 soft-reconfiguration inbound
neighbor 30.1.1.1 activate
neighbor 30.1.1.1 send-community
neighbor 30.1.1.1 advertise-map ADVERTISE non-exist-map NON-EXIST
neighbor 30.1.1.1 next-hop-self
neighbor 30.1.1.1 soft-reconfiguration inbound
neighbor 30.1.1.1 filter-list 1 out
maximum-paths ibgp 3
exit-address-family

access-list 60 permit 172.16.1.0 0.0.0.15
access-list 65 permit 30.1.1.0 0.0.0.255

route-map ADVERTISE permit 10
match ip address 60

route-map NON-EXISTS permit 10
match ip address 65

---------------

Currently all traffic is routed through 10.1.1.1 (AS300).

I was considering using the "maximum-path eigp" command, but am unsure if it is the right thing to do.

Appreciate any kind of help.

 

Thanks,
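An added check, not part of the original post: before tuning path selection, confirm that every name the BGP section references is defined. The excerpt is copied from the ROUTER 3 configuration above; `lint` and its messages are this example's own names, and `filter-list 1` may simply have been left out of what was posted.

```python
import re

# Constructed excerpt: only the lines of the ROUTER 3 config above that
# define or reference a named object, copied from the post.
R3_CONFIG = """\
router bgp 100
neighbor 172.16.1.15 remote-as 100
neighbor 172.16.1.17 remote-as 100
neighbor 30.1.1.1 remote-as 400
neighbor 172.16.1.16 activate
neighbor 30.1.1.1 advertise-map ADVERTISE non-exist-map NON-EXIST
neighbor 30.1.1.1 filter-list 1 out
access-list 60 permit 172.16.1.0 0.0.0.15
access-list 65 permit 30.1.1.0 0.0.0.255
route-map ADVERTISE permit 10
match ip address 60
route-map NON-EXISTS permit 10
match ip address 65
"""

MAP_KEYWORDS = {"advertise-map", "non-exist-map", "exist-map", "route-map"}

def lint(config):
    """Return sorted findings for names that are referenced but never defined."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    text = "\n".join(lines)
    route_maps = set(re.findall(r"^route-map (\S+)", text, re.M))
    acls = set(re.findall(r"^access-list (\d+)", text, re.M))
    as_path_acls = set(re.findall(r"^ip as-path access-list (\d+)", text, re.M))
    peers = set(re.findall(r"^neighbor (\S+) remote-as", text, re.M))
    findings = set()
    for ln in lines:
        words = ln.split()
        if words[0] == "neighbor":
            if words[1] not in peers:
                findings.add(f"neighbor {words[1]}: no remote-as statement")
            for kw, name in zip(words[2:], words[3:]):
                if kw in MAP_KEYWORDS and name not in route_maps:
                    findings.add(f"{kw} {name}: route-map not defined")
                if kw == "filter-list" and name not in as_path_acls:
                    findings.add(f"filter-list {name}: as-path access-list not defined")
        elif words[:3] == ["match", "ip", "address"]:
            for name in words[3:]:
                if name not in acls:
                    findings.add(f"match ip address {name}: access-list not defined")
    return sorted(findings)

if __name__ == "__main__":
    for finding in lint(R3_CONFIG):
        print(finding)
```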

 

 


Do you receive a default route via the ISP?

MHM

Hello
Egress

  • utilise default Local preference/acl/route-maps

Ingress (options)

  • amend your existing conditional route advertisements to include more specific route prefixes
  • apply longer more specific network statements for the preferred ingress path and summarise on the least preferred ingress path
  • use egress route-maps with as-path prepending

Please see attached file.



Kind Regards
Paul

Hi,

I have already tried as-path prepending, but it did not really help. Specifying routes for advertisements is a way to achieve this, but I was wondering if there is a more automatic way.

Thanks for the configuration. I will test and come back to you.

Best Regards,

Attiq 

Joseph W. Doherty
Hall of Fame

How does the rest of your network route to R1, R2 and R3?

Are the posted external ASs correct?  I.e. R1 connects to AS300 while R2 and R3 connect to AS400.

Destinations via the external ASs are all equal cost?

You're asking about egress LB or egress and ingress LB?  Any potential issues with possible asymmetric routing if you use multiple external ASs concurrently?

Also, just BTW, your external AS routers don't support BGP "route refresh"?  I.e. the reason for "soft-reconfiguration inbound"?

Are you familiar with the Cisco hidden command "bgp bestpath as-path multipath-relax"?

If not, https://ipwithease.com/bgp-multipath-as-path-relax/ .

But you also have the problem that eBGP-learned routes on different routers take precedence over the same routes learned via iBGP.  (Reason for my first question.)

Lastly, PfR can (dynamically) load balance across your 3 routers.
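Added illustration, not part of the reply above or of anyone's posted configuration: a simplified model of the two points raised there, using the neighbor addresses from the original post. The destination AS 65010, the three-step ranking (local preference, AS-path length, eBGP over iBGP), the next-hop tie-break and the dual-homed router are assumptions of this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Path:
    next_hop: str
    ebgp: bool
    as_path: tuple
    local_pref: int = 100

def rank(p):
    # Lower tuple wins: higher local preference, shorter AS path, eBGP over iBGP.
    return (-p.local_pref, len(p.as_path), 0 if p.ebgp else 1)

def installed(paths, max_ebgp=1, max_ibgp=1, relax=False):
    """Return the next hops installed for one prefix on one router."""
    # The lowest next-hop address stands in for the remaining tie-breakers.
    best = min(paths, key=lambda p: (rank(p), tuple(map(int, p.next_hop.split(".")))))
    limit = max_ebgp if best.ebgp else max_ibgp
    chosen = [best]
    for p in paths:
        if p is best or len(chosen) >= limit:
            continue
        # Multipath candidates must tie with the best path; without "relax"
        # the AS path must be identical, with it only the length must match.
        if rank(p) == rank(best) and (relax or p.as_path == best.as_path):
            chosen.append(p)
    return [p.next_hop for p in chosen]

DEST = 65010  # constructed destination AS
VIA_300, VIA_400 = (300, DEST), (400, DEST)

# What each router in the thread sees: its own eBGP path plus two iBGP paths.
R1 = [Path("10.1.1.1", True, VIA_300), Path("172.16.1.16", False, VIA_400),
      Path("172.16.1.17", False, VIA_400)]
R2 = [Path("20.1.1.1", True, VIA_400), Path("172.16.1.15", False, VIA_300),
      Path("172.16.1.17", False, VIA_400)]
R3 = [Path("30.1.1.1", True, VIA_400), Path("172.16.1.15", False, VIA_300),
      Path("172.16.1.16", False, VIA_400)]
# Hypothetical router with eBGP sessions to both AS300 and AS400.
DUAL = [Path("10.1.1.1", True, VIA_300), Path("20.1.1.1", True, VIA_400)]

if __name__ == "__main__":
    for name, table in (("R1", R1), ("R2", R2), ("R3", R3)):
        print(name, installed(table, max_ibgp=3))  # the iBGP limit is never reached
    print("dual", installed(DUAL, max_ebgp=2))
    print("dual relax", installed(DUAL, max_ebgp=2, relax=True))
```

Each of the three routers installs only its own eBGP exit, so which ISP carries the traffic is decided by which router the firewall forwards to.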

Hi,

The rest of our network is behind the Cisco ASA firewall. The ASA's default route is the standby IP configured on the internal interface of the routers.
The ASs are correct. R2 and R3 are at 2 different physical locations with the same ISP. Destinations are all equal.

The main goal is to balance the traffic across the 3 locations, whatever the best way is, ingress or egress.

The "soft-configuration inbound" setting was already there before I started to manage the network, so I don't really know about this.

Thanks for the command "bgp bestpath as-path multipath-relax". I didn't know about this. I will test and let you know.

Best Regards,
Attiq

If your ISPs only see the same public IP, ingress LB can be difficult.  This is because the Internet routers determine how they best reach you.  Of course there are things to do to influence Internet routers, but again, for ingress LB, it's a bit hit or miss.

If you're using a single virtual IP from your FW to your CE routers, you might achieve egress LB using mHSRP or GLBP.  (Unknown if VRRP has similar capability.)

The relax command would, I believe, only be useful for multiple ASs connected to the same router.

AS789
Level 1

Thanks guys, for all your support in leading me in the right direction.

Unfortunately I cannot make any tests right now. I need to do a complete review of our topology first and then implement the right redundancy protocol.

Best Regards!
