Multihomed ISP with 2 default routes.

abhishekpal
Level 1

Hello

We are a multihomed ISP receiving just 2 default routes from upstream ISP-1 and ISP-2. I have two LANs which are advertised towards the upstream ISPs in the following manner -

1] network 11.11.11.0/24 is advertised towards ISP-1 ( preferred ) and also ISP-2 ( not preferred )

2] network 12.12.12.0/24 is advertised towards ISP-2 ( preferred ) and also ISP-1 ( not preferred )

 

Inbound traffic is well managed by using as-path prepending.

 

But how do I control outgoing traffic? Two default routes are installed in the routing table and I have changed the Local-preference of the default routes (the default route coming from ISP-1 is 150 and the default route coming from ISP-2 is 170 ), but in this manner, all forward traffic is going through ISP-2 ( quite natural ).

How should I change my BGP in a way so that network 11.11.11.0/24 traffic ( in+ out ) goes through ISP-1 and network 12.12.12.0/24 traffic ( in + out )  goes through ISP-2?  To be precise outbound traffic.

 

Requesting to help me out. Please do inform me if any part is unclear.

Thanks in advance.

 

Abhishek

 

   

11 Replies

pman
Spotlight

Hi,

 

How should I change my BGP in a way so that network 11.11.11.0/24 traffic ( in+ out ) goes through ISP-1 and network 12.12.12.0/24 traffic ( in + out )  goes through ISP-2?  To be precise outbound traffic.

 


in - MED, AS-PATH

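Here is an example with AS-PATH prepend:

ip prefix-list prepend permit 11.11.11.0/24

! clause 10: prepend only the prefix that should be less preferred via ISP-2
route-map prepend permit 10
match ip address prefix-list prepend
set as-path prepend 100 100
! clause 20: advertise all other prefixes unchanged (the implicit deny would otherwise filter them)
route-map prepend permit 20
router bgp 100
neighbor <ISP-2 IP> route-map prepend out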

 

out - 

If you want to manipulate in such a way that network 11.11.11.0/24 will go through ISP1 and network 12.12.12.0/24 will go through ISP 2 then you can use PBR.
It is important to note that if you have decided to use PBR to perform the manipulation then you will also need to make sure that the next-hop (BGP peer / ISP p2p address) is available.

 

About BGP control of outbound and inbound traffic:

Local Preference

Used to manipulate traffic going out of your ASN. This attribute is only exchanged with IBGP peers.

Weight

Used to manipulate traffic going out of your ASN, but this attribute is local to the router.

MED, AS-PATH

Used to influence the inbound traffic path.

 

about multihomed to Two ISPs Through a Single router:

https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13762-40.html?referring_site=bodynav#anc21

 

https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/23675-27.html

Hi

Thanks for your feedback.

Applying PBR is of course a way out in this case ( next-hop of ISP-1 & ISP-2 is available with me ). But by applying PBR, will it be possible to achieve failover in case one ISP goes down?

If this can be done by using BGP, then BGP itself can take care if one path goes out of production.

Abhishek

 

Hi,



@abhishekpal wrote:

But by applying PBR, will it be possible to achieve failover in case one ISP goes down?

 


About failover:
When you configure PBR and the set next-hop command, the router will use the policy routing as long as the next hop is reachable.

If the next hop is not reachable, I believe in this case the router will use its normal routing table.

 

If you decide to use PBR then I suggest you check out the ip next-hop verify-availability feature:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_pi/command/iri-cr-book/iri-cr-s1.html#wp8093935770

https://www.networkbulls.com/ask/what-is-the-meaning-of-this-command-in-pbr-set-ip-next-hot-availability

 

OK, if this is the case ( if next-hop goes down, default routing behavior kicks in ), then PBR can be applied. 

 

Abhishek

You can use PBR to control the traffic.

Hello

Do you have single or dual WAN rtrs? I assume the latter as you mention local-preference; if so, PBR probably wouldn't be viable.
If you do have dual WAN rtrs, do you have an IGP between them?
Are you receiving defaults by choice (meaning are you filtering other prefixes) or is it an SLA between you and the ISPs?

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi

I have a single router connected to two different ISPs. We have actually instructed the upstreams to send us only the default route, as the router can't take the full routing table.

 

Abhishek

Hello

Okay then PBR would be viable.

FYI local preference wouldn't be applicable in your design; you would use weight to manipulate egress traffic.

 

Depending on what you monitor/track you may need to negate it from being seen via ISP2 connection

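Possible example:
WAN RTR
ip sla 1
! probe the monitored address; source-ip is the alternative keyword to source-interface
icmp-echo x.x.x.x source-interface xxxx
frequency 5
ip sla schedule 1 life forever start-time now

! track object 10 follows the reachability result of SLA probe 1
track 10 ip sla 1 reachability

access-list 100 permit ip any 11.11.11.0 0.0.0.255

route-map PBR permit 10
match ip address 100
! a sequence number (here 10) is required between the next-hop address and the track keyword
set ip next-hop verify-availability (ISP 2) 10 track 10

interface x/x
description LAN FACING
ip policy route-map PBR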



Kind Regards
Paul

Hi

Thanks for your feedback. I will apply PBR.

 

But I am just curious - you have mentioned PBR like this -

access-list 100 permit ip any 11.11.11.0 0.0.0.255

 

Will it be like the above or as below -

access-list 100 permit ip 11.11.11.0 0.0.0.255 any

 

Abhishek

 

Hello
The extended ACL is based on a source/destination ACE, so in this instance any traffic originating from that particular interface to that particular destination network (11.11.11.0/24).

 

So the ACL reads

“any traffic for network 11.11.11.0/24”

 

 



Kind Regards
Paul

One note about using PBR and achieving failover. It is true that if the route to the next hop is removed from the routing table that PBR would use normal routing and failover would be successful. Since the next hop is usually on a connected interface this means that the route would be removed if the outbound interface goes down (line protocol down). There are situations where the next hop is not reachable but the outbound interface does not go down, the route is not removed and failover would not be successful. To achieve successful failover you should include the verify-availability parameter in your PBR config. This link has helpful information about this feature:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_pi/command/iri-cr-book/iri-cr-s1.html#wp8093935770

HTH

Rick
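
The tracked-next-hop failover discussed in this thread, written out for both subnets as an added example; it is not part of the original thread or any poster's configuration. The next-hop addresses 192.0.2.1 (ISP-1) and 198.51.100.1 (ISP-2), the interface names, and the ACL names are constructed placeholders, and the example assumes both LANs reach the router through one LAN-facing interface.

```cisco
! Constructed placeholders: 192.0.2.1 = ISP-1 next hop, 198.51.100.1 = ISP-2 next hop.
! One ICMP probe per upstream next hop, so a dead peer is detected even when
! the outbound interface stays up (line protocol up).
ip sla 1
 icmp-echo 192.0.2.1 source-interface GigabitEthernet0/1
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/2
 frequency 5
ip sla schedule 2 life forever start-time now
!
track 10 ip sla 1 reachability
track 20 ip sla 2 reachability
!
! Outbound traffic is classified by SOURCE subnet, because the policy is applied
! to packets arriving on the LAN-facing interface. Traffic between the two LANs
! is excluded so it is not pushed towards an ISP.
ip access-list extended FROM-NET11
 deny   ip 11.11.11.0 0.0.0.255 12.12.12.0 0.0.0.255
 permit ip 11.11.11.0 0.0.0.255 any
ip access-list extended FROM-NET12
 deny   ip 12.12.12.0 0.0.0.255 11.11.11.0 0.0.0.255
 permit ip 12.12.12.0 0.0.0.255 any
!
! Sequence 10 is the preferred next hop, sequence 20 the backup. A next hop is
! used only while its track object is up; if both are down, the packet follows
! the normal routing table (the BGP default routes).
route-map PBR permit 10
 match ip address FROM-NET11
 set ip next-hop verify-availability 192.0.2.1 10 track 10
 set ip next-hop verify-availability 198.51.100.1 20 track 20
route-map PBR permit 20
 match ip address FROM-NET12
 set ip next-hop verify-availability 198.51.100.1 10 track 20
 set ip next-hop verify-availability 192.0.2.1 20 track 10
!
interface GigabitEthernet0/0
 description LAN FACING
 ip policy route-map PBR
```

`show track brief` and `show route-map PBR` show whether each track object is up and how many packets each clause has matched.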