
Multihoming BGP and static route

gasparmenendez
Level 3

Hi friends,

I'm using 2 ISPs (ISP-A and ISP-B), have my own block of public IP addresses (170.X.X.0/22) and my ASN (26XX25). I'm using a Cisco ASR1001-X Router. Besides, I have a BGP session established with ISP-B and ISP-A is using default route (in a few days I should have BGP with this ISP too). I need to make ISP-B my primary provider and pass all my traffic through it, but right now all my traffic is through ISP-A, even when I have in my ASR a static route to ISP-B: ip route 0.0.0.0 0.0.0.0 187.X.X.112, where 187.X.X.112 is the gateway for ISP-B. A couple of days ago ISP-A went down and I lost internet access, even when my ISP-B was up. Is what I want to do possible? Can anybody help me please? Thanks in advance.

Accepted Solutions

Gaspar

We are making progress. Now we see that you are advertising your network to ISP B. Now there is a question about whether ISP B is advertising your network to the Internet. Can you ask them about that?

At this point your BGP appears to be doing what it should. An output shown in an earlier part of this thread shows that you are learning 1 route from ISP B. I assume that this would be a default route. Now you are advertising your network to ISP B. Learning a default route from ISP B and advertising your network to them is what you want BGP to do.

And at some point you want BGP to do the same things with ISP A. When that happens we can be fairly confident that you will have failover (and failback) working so that if one ISP goes down your network will continue to operate using the surviving ISP.

You have asked this question a few times: "can I access to internet (obviously through ISP-B) if my ISP-A goes down???" That will be easy to answer when both ISPs are using BGP. But it is complicated when one ISP uses BGP and the other ISP is using static routes. There are at least two things that make this complicated:

1) ISP A seems to be advertising your network to the Internet. What happens to that advertisement if ISP A stops working? If the link from you to ISP A stops working would ISP A stop advertising your network? If ISP A continues to advertise your network to the Internet but can not forward traffic to you then your failover will not work. (Note that this issue is resolved when both ISPs are using BGP.)

2) You have a static route for outbound traffic (which currently sends traffic through ISP B). What would happen if that link stopped working (or if the router at ISP B stopped working)? The usual way to handle this is to implement IP SLA to track the static route and to remove it from the routing table if the next hop is no longer reachable. Note that you have a similar issue if you have a backup static route to the other ISP. Note that this issue is resolved when both ISPs are using BGP.

So perhaps there is a question about how quickly you are likely to get BGP running with ISP A. And perhaps a question about whether it is worth much effort to fix failover in the current environment (with ISP A using static) if you will soon be able to use BGP for both ISPs.

HTH

Rick

42 Replies

Hello,

Post the config of your router. With static routes, you could use an IP SLA. If we see your configuration, we can make suggestions...

here you go:

Contencion1001-X#sh running-config
Building configuration...

Current configuration : 6569 bytes
!
! Last configuration change at 07:12:22 MX Tue Oct 3 2017 by gaspar
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no platform punt-keepalive disable-kernel-core
!
hostname Contencion1001-X
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 $1$fNDH$l6BXIQvSDmlm/
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
!
!
aaa session-id common
clock summer-time MX recurring
!
!
!
!
!
!         
!
!
!
!
!



ip domain name algo.com
!
!
!
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
!
license udi pid ASR1001-X sn ********
!
!
username gaspar privilege 15 password 7 151552291C3B
username fermin privilege 15 password 7 11271817161C
username francesco privilege 15 password 7 01420911B06
!
redundancy
 mode none
!
!
!
!
!
!
!
!
interface TenGigabitEthernet0/0/0
 description *** ISP A ***
 ip address 208.X.X.182 255.255.255.252
!
interface TenGigabitEthernet0/0/1
 description *** ISP B ***
 ip address 187.X.X.113 255.255.255.254
!
interface GigabitEthernet0/0/0
 no ip address
 negotiation auto
!
interface GigabitEthernet0/0/1
 description *** Servidor 815 ***
 ip address 170.X.X.33 255.255.255.248
 negotiation auto
!
interface GigabitEthernet0/0/2
 description *** Conecta servidor SpeedTest ***
 ip address 170.X.X.41 255.255.255.248
 negotiation auto
!
interface GigabitEthernet0/0/3
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/4
 description *** Switch 2960 Sub Int. ***
 no ip address
 negotiation auto
!
interface GigabitEthernet0/0/4.20
 description *** COMAPO ***
 encapsulation dot1Q 20
 ip address 170.X.X.97 255.255.255.252
!
interface GigabitEthernet0/0/4.24
 description *** Refac. Venegas ***
 encapsulation dot1Q 24
 ip address 10.147.24.1 255.255.255.252
!
interface GigabitEthernet0/0/4.25
 description *** HOSP. VILLA UNION ***
 encapsulation dot1Q 25
 ip address 10.147.25.1 255.255.255.252
!
interface GigabitEthernet0/0/4.26
 description *** HOSP. NUEVO IDEAL ***
 encapsulation dot1Q 26
 ip address 10.147.26.1 255.255.255.252
!
interface GigabitEthernet0/0/4.27
 description *** HOSP. CANATLAN ***
 encapsulation dot1Q 27
 ip address 10.147.27.1 255.255.255.252
!
interface GigabitEthernet0/0/4.28
 description *** HOSP. SANTIAGO ***
 encapsulation dot1Q 28
 ip address 10.147.28.1 255.255.255.252
!
interface GigabitEthernet0/0/4.29
 description *** HOSP. MADERO ***
 encapsulation dot1Q 29
 ip address 10.147.29.1 255.255.255.252
!
interface GigabitEthernet0/0/4.31
 description *** Mina del Castillo ***
 encapsulation dot1Q 31
 ip address 10.147.31.1 255.255.255.248
!
interface GigabitEthernet0/0/4.32
 description *** TECNO ***
 encapsulation dot1Q 32
 ip address 10.147.22.1 255.255.255.252
!
interface GigabitEthernet0/0/4.44
 description *** Monitoreo Telcel ***
 encapsulation dot1Q 44
 ip address 170.X.X.73 255.255.255.252
!
interface GigabitEthernet0/0/4.47
 description *** First Majestic ***
 encapsulation dot1Q 47
 ip address 10.170.18.1 255.255.255.252
!
interface GigabitEthernet0/0/4.65
 description *** Sec. Salud Dgo. ***
 encapsulation dot1Q 165
 ip address 170.X.X.65 255.255.255.252
!
interface GigabitEthernet0/0/4.69
 description *** Sec. Salud Stgo. ***
 encapsulation dot1Q 169
 ip address 170.X.X.69 255.255.255.252
!
interface GigabitEthernet0/0/4.75
 description *** MI MERCADO ***
 encapsulation dot1Q 75
 ip address 170.X.X.141 255.255.255.252
!
interface GigabitEthernet0/0/4.89
 description *** D-LATEM ***
 encapsulation dot1Q 89
 ip address 10.147.89.1 255.255.255.252
!
interface GigabitEthernet0/0/4.97
 description *** GEN. ELECTRIC ***
 encapsulation dot1Q 97
 ip address 10.147.197.1 255.255.255.248
!
interface GigabitEthernet0/0/4.148
 description *** Mina La Colorada ***
 encapsulation dot1Q 148
 ip address 10.147.20.1 255.255.255.252
!
interface GigabitEthernet0/0/4.156
 description *** DELPHI ***
 encapsulation dot1Q 156
 ip address 10.147.21.1 255.255.255.252
!
interface GigabitEthernet0/0/5
 no ip address
 negotiation auto
!
interface TenGigabitEthernet0/1/0
 description *** ASA 5580 ***
 ip address 170.X.X.1 255.255.255.240
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 192.168.20.15 255.255.255.0
 negotiation auto
!
router bgp 26XX25
 bgp router-id 187.X.X.113
 bgp log-neighbor-changes
 neighbor 187.X.X.112 remote-as 13XX9
 neighbor 187.X.X.112 password 7 045C5D0449
 neighbor 187.X.X.112 soft-reconfiguration inbound
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 187.X.X.112
ip route 170.X.X.16 255.255.255.240 170.X.X.2
ip route 170.X.X.48 255.255.255.240 10.170.18.2
ip route 170.X.X.80 255.255.255.240 170.X.X.2
ip route 170.X.X.100 255.255.255.252 10.147.24.2
ip route 170.X.X.108 255.255.255.252 10.147.89.2
ip route 170.X.X.112 255.255.255.252 10.147.21.2
ip route 170.X.X.116 255.255.255.252 10.147.197.2
ip route 170.X.X.120 255.255.255.252 10.147.27.2
ip route 170.X.X.124 255.255.255.252 10.147.29.2
ip route 170.X.X.128 255.255.255.252 10.147.26.2
ip route 170.X.X.132 255.255.255.252 10.147.28.2
ip route 170.X.X.136 255.255.255.252 10.147.25.2
ip route 170.X.X.140 255.255.255.252 10.147.75.2
ip route 170.X.X.144 255.255.255.252 10.147.20.2
ip route 170.X.X.148 255.255.255.252 10.147.31.2
ip route 170.X.X.152 255.255.255.248 10.147.22.2
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 192.168.20.254
ip ssh version 2
!
ip access-list standard ELCACTI
 permit 200.X.X.9
 deny   any
!
!
snmp-server community aSr-****1 RO ELCACTI
snmp-server location BLACKSITE
snmp-server contact yo@redgl.com
!
!
!
!
control-plane
!
banner login ^C

========================================================================
========================================================================

                    Acceso Restringido

                 Solo Personal Autorizado

========================================================================
========================================================================
^C
!
line con 0
 password 7 144344C7E
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 password 7 014755352
 logging synchronous
 transport input ssh
!
!
end

thanks!

Hi,

Did you learn any route from ISP-B? Or, are you getting default route from ISP-B?
Generally speaking, you need to check your route entries by running 'sh ip route'. If you do not learn and/or use any route from ISP-B, then that will explain why you were having an outage when ISP-A was down.

Also, do not forget how routers route traffic. Routes with the longest match are preferred even if different protocols are used. If the prefix lengths are the same, then you will need to look at the AD of the route. Static route's AD is 1, and eBGP's AD is 20 while iBGP AD is 200.

HTH,
Meheretab

hi, already posted my config, and besides there is this:

Contencion1001-X#sh ip bGp summary
BGP router identifier 187.X.X.113, local AS number 26XX25
BGP table version is 2, main routing table version 2
1 network entries using 248 bytes of memory
1 path entries using 120 bytes of memory
1/1 BGP path/bestpath attribute entries using 248 bytes of memory
1 BGP AS-PATH entries using 40 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 656 total bytes of memory
BGP activity 1/0 prefixes, 1/0 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
187.X.X.112 4             13XX9    1590    1747        2    0    0 1d02h           1
Contencion1001-X#

and:

Contencion1001-X#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 187.X.X.112 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 187.X.X.112
      10.0.0.0/8 is variably subnetted, 26 subnets, 3 masks
C        10.147.20.0/30 is directly connected, GigabitEthernet0/0/4.148
L        10.147.20.1/32 is directly connected, GigabitEthernet0/0/4.148
C        10.147.21.0/30 is directly connected, GigabitEthernet0/0/4.156
L        10.147.21.1/32 is directly connected, GigabitEthernet0/0/4.156
C        10.147.22.0/30 is directly connected, GigabitEthernet0/0/4.32
L        10.147.22.1/32 is directly connected, GigabitEthernet0/0/4.32
C        10.147.24.0/30 is directly connected, GigabitEthernet0/0/4.24
L        10.147.24.1/32 is directly connected, GigabitEthernet0/0/4.24
C        10.147.25.0/30 is directly connected, GigabitEthernet0/0/4.25
L        10.147.25.1/32 is directly connected, GigabitEthernet0/0/4.25
C        10.147.26.0/30 is directly connected, GigabitEthernet0/0/4.26
L        10.147.26.1/32 is directly connected, GigabitEthernet0/0/4.26
C        10.147.27.0/30 is directly connected, GigabitEthernet0/0/4.27
L        10.147.27.1/32 is directly connected, GigabitEthernet0/0/4.27
C        10.147.28.0/30 is directly connected, GigabitEthernet0/0/4.28
L        10.147.28.1/32 is directly connected, GigabitEthernet0/0/4.28
C        10.147.29.0/30 is directly connected, GigabitEthernet0/0/4.29
L        10.147.29.1/32 is directly connected, GigabitEthernet0/0/4.29
C        10.147.31.0/29 is directly connected, GigabitEthernet0/0/4.31
L        10.147.31.1/32 is directly connected, GigabitEthernet0/0/4.31
C        10.147.89.0/30 is directly connected, GigabitEthernet0/0/4.89
L        10.147.89.1/32 is directly connected, GigabitEthernet0/0/4.89
C        10.147.197.0/29 is directly connected, GigabitEthernet0/0/4.97
L        10.147.197.1/32 is directly connected, GigabitEthernet0/0/4.97
C        10.170.18.0/30 is directly connected, GigabitEthernet0/0/4.47
L        10.170.18.1/32 is directly connected, GigabitEthernet0/0/4.47
      170.X.0.0/16 is variably subnetted, 31 subnets, 4 masks
C        170.X.X.0/28 is directly connected, TenGigabitEthernet0/1/0
L        170.X.X.1/32 is directly connected, TenGigabitEthernet0/1/0
S        170.X.X.16/28 [1/0] via 170.X.X.2
C        170.X.X.32/29 is directly connected, GigabitEthernet0/0/1
L        170.X.X.33/32 is directly connected, GigabitEthernet0/0/1
C        170.X.X.40/29 is directly connected, GigabitEthernet0/0/2
L        170.X.X.41/32 is directly connected, GigabitEthernet0/0/2
S        170.X.X.48/28 [1/0] via 10.170.18.2
C        170.X.X.64/30 is directly connected, GigabitEthernet0/0/4.65
L        170.X.X.65/32 is directly connected, GigabitEthernet0/0/4.65
C        170.X.X.68/30 is directly connected, GigabitEthernet0/0/4.69
L        170.X.X.69/32 is directly connected, GigabitEthernet0/0/4.69
C        170.X.X.72/30 is directly connected, GigabitEthernet0/0/4.44
L        170.X.X.73/32 is directly connected, GigabitEthernet0/0/4.44
S        170.X.X.80/28 [1/0] via 170.X.X.2
C        170.X.X.96/30 is directly connected, GigabitEthernet0/0/4.20
L        170.X.X.97/32 is directly connected, GigabitEthernet0/0/4.20
S        170.X.X.100/30 [1/0] via 10.147.24.2
S        170.X.X.108/30 [1/0] via 10.147.89.2
S        170.X.X.112/30 [1/0] via 10.147.21.2
S        170.X.X.116/30 [1/0] via 10.147.197.2
S        170.X.X.120/30 [1/0] via 10.147.27.2
S        170.X.X.124/30 [1/0] via 10.147.29.2
S        170.X.X.128/30 [1/0] via 10.147.26.2
S        170.X.X.132/30 [1/0] via 10.147.28.2
S        170.X.X.136/30 [1/0] via 10.147.25.2
C        170.X.X.140/30 is directly connected, GigabitEthernet0/0/4.75
L        170.X.X.141/32 is directly connected, GigabitEthernet0/0/4.75
S        170.X.X.144/30 [1/0] via 10.147.20.2
S        170.X.X.148/30 [1/0] via 10.147.31.2
S        170.X.X.152/29 [1/0] via 10.147.22.2
      187.X.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        187.X.X.112/31 is directly connected, TenGigabitEthernet0/0/1
L        187.X.X.113/32 is directly connected, TenGigabitEthernet0/0/1
      208.X.X.0/24 is variably subnetted, 2 subnets, 2 masks
C        208.X.X.180/30 is directly connected, TenGigabitEthernet0/0/0
L        208.X.X.182/32 is directly connected, TenGigabitEthernet0/0/0
Contencion1001-X#

thanks!

Hi

A default route will be preferred for any unknown destination. If you are going to use BGP peering with both ISPs, you can use the BGP attributes to manipulate the traffic and prefer one path over the other. You can use Weight, Local Preference and MED for example.

This is just an example:

*Imagine you are receiving the same traffic from both devices:

! Prefixes accepted from the ISPs and the local prefix advertised to them
ip prefix-list FROM-ISP seq 5 permit 0.0.0.0/0
ip prefix-list FROM-ISP seq 10 permit 10.0.0.0/24
ip prefix-list TO-ISP seq 5 permit 192.168.0.0/24
!
! ISP-A: lower weight inbound, longer AS path outbound (backup)
route-map ISP-A-IN permit 5
 match ip address prefix-list FROM-ISP
 set weight 1000
!
route-map ISP-A-OUT permit 5
 match ip address prefix-list TO-ISP
 set as-path prepend 65001 65001 65001 65001
!
! ISP-B: higher weight inbound, shorter AS path outbound (primary)
route-map ISP-B-IN permit 5
 match ip address prefix-list FROM-ISP
 set weight 2000
!
route-map ISP-B-OUT permit 5
 match ip address prefix-list TO-ISP
 set as-path prepend 65001
!
router bgp 65001
 neighbor 1.1.1.2 remote-as 65002
 neighbor 1.1.1.2 route-map ISP-A-IN in
 neighbor 1.1.1.2 route-map ISP-A-OUT out
 neighbor 2.2.2.2 remote-as 65003
 neighbor 2.2.2.2 route-map ISP-B-IN in
 neighbor 2.2.2.2 route-map ISP-B-OUT out

*With this configuration your router will prefer the path through the ISP-B because it will have a higher Weight, also you will have symmetric traffic because you are advertising the local network with the lowest AS-Path prepend.

Also you could be receiving a default route and redistribute it into an IGP. Now if your router is connected to Internet you can avoid your router becoming a "transit"; this link can explain that behavior: http://www.burningnode.com/2013/07/20/bgp-prevent-being-a-transit-as/

Hope it is useful

:-)

>> Mark as helpful or answered if the reply resolved your question; this helps other community members with their future queries. <<

hi Julio, I understand perfectly what you're saying, but all that's in case I use BGP with both providers, which should be working in a few days from now. But right now, when I'm using BGP with ISP-B and static routes with ISP-A, is it possible for me to pass all my traffic through ISP-B? That's my main concern right now because ISP-A is a little bit unstable... Thanks!!

Hi,

If you are configuring default static routes, you can configure ISP-A with lower AD and configure IP SLA. It will force all of your traffic to be sent to ISP-B, and when the connection is down (which you will monitor using "track" objects), the backup default route through ISP-A will be active.

HTH,
Meheretab
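
The IP SLA tracking mentioned in this reply and in the accepted solution, written out as an added example (not configuration posted by anyone in the thread). It uses the redacted ISP-B gateway 187.X.X.112 and ISP-A gateway 208.X.X.181 that appear in the thread; the SLA and track numbers, timers and delays are assumed values.

```ios
! Added example: tracked primary default route to ISP-B, floating backup to ISP-A.
! Probe the ISP-B gateway from the ISP-B-facing interface every 5 seconds.
ip sla 1
 icmp-echo 187.X.X.112 source-interface TenGigabitEthernet0/0/1
 threshold 500
 timeout 1000
 frequency 5
ip sla schedule 1 life forever start-time now
!
! Track object 1 follows the probe's reachability; the delays damp flapping.
track 1 ip sla 1 reachability
 delay down 10 up 30
!
! Replace the untracked default so the route exists only while track 1 is up.
no ip route 0.0.0.0 0.0.0.0 187.X.X.112
ip route 0.0.0.0 0.0.0.0 187.X.X.112 track 1
! Floating backup via ISP-A (administrative distance 10), used once the
! tracked route has been withdrawn from the routing table.
ip route 0.0.0.0 0.0.0.0 208.X.X.181 10
!
! Verification (exec mode):
!  show ip sla statistics 1
!  show track 1
!  show ip route 0.0.0.0
```

Probing the directly connected gateway only detects loss of the link or of the ISP-B router itself, and it affects outbound traffic only; inbound failover still depends on which ISP advertises the 170.X.X.0/22 block to the Internet.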

I'm going to try what you suggest, to see how it goes!!

sorry my friend but your solution didn't work... I configured default routes like this:

ip route 0.0.0.0 0.0.0.0 187.X.X.112
ip route 0.0.0.0 0.0.0.0 208.X.X.181 10

where the first one is to ISP-B (the one with BGP) and second one to ISP-A (the one with static route). When I check my traffic I get this:

Contencion1001-X#sh interface TenGigabitEthernet0/0/0 | i rate   
  Queueing strategy: fifo
  5 minute input rate 1084125000 bits/sec, 107880 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec

Contencion1001-X#sh interface TenGigabitEthernet0/0/1 | i rate
  Queueing strategy: fifo
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 87629000 bits/sec, 60325 packets/sec

so all my outgoing traffic is passing through ISP-B but the incoming traffic is through ISP-A, and that's my problem. Besides, when I shut down the interface connected to ISP-A I lost connection to the internet. Any ideas on how to solve this??

Gaspar

 

Thank you for the additional information. I believe that I now understand at least part of what is causing your issue. You are running BGP with ISP B and forming the BGP neighbor relationship. But you are not advertising your network to ISP B (there is no network statement or any redistribution in your BGP configuration). If you are not advertising your network to ISP B then they can not advertise your network to the Internet. Obviously ISP A knows about your network (based on static routes) and seems to be advertising your network to the Internet. That explains why all Internet traffic to you is coming through ISP A and why you lose connectivity to the Internet if ISP A goes down. This could be resolved if you advertise your network to ISP B.

 

HTH

 

Rick


ok thanks Rick, and please can you tell me how I can advertise my network to ISP B?

Thanks!

There are two parts of getting BGP to advertise your network. First you need to add a network statement in your router bgp config which would look like

network 170.x.x.0 mask 255.255.252.0

This will advertise your 170.x.x.0 network as long as BGP sees a matching entry in your routing table. So the second part would be to configure a static route for your network which might look something like this

ip route 170.x.x.0 255.255.252.0 null0

If you do these two things then BGP should advertise your network.

 

HTH

 

Rick


sorry my friend but it didn't work....

I have this on my ASR:

router bgp 26XX25
 bgp router-id 187.X.X.113
 bgp log-neighbor-changes
 network 170.X.X.0 mask 255.255.252.0
 neighbor 187.X.X.112 remote-as 13XX9
 neighbor 187.X.X.112 password 7 104352154
 neighbor 187.X.X.112 soft-reconfiguration inbound

and:

ip route 0.0.0.0 0.0.0.0 187.X.X.112
ip route 0.0.0.0 0.0.0.0 208.X.X.181 10
ip route 170.X.X.0 255.255.252.0 Null0

but same-o same-o

??

 

network 170.X.X.0 mask 255.255.252.0
and:
ip route 170.X.X.0 255.255.252.0 Null0

When you advertise the network to your ISP-B, you need to advertise only your network. Is your network 172.X.X.0/22? If not, please replace the above two networks with the correct mask.

Also, you can use one of the free servers (in https://www.netdigix.com/servers.html or any other route servers) to check how the rest of the world reaches your network. What factors can you change to affect the route? Or, you can provide us your network block and we can help look.

HTH,
Meheretab
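
One way to enforce "advertise only your network" on the ISP-B session, and to avoid the transit behaviour raised earlier in the thread, shown as an added example (not configuration posted by anyone in the thread). OWN-PREFIX is a hypothetical prefix-list name; the addresses and AS number are the redacted values from the thread.

```ios
! Added example: originate only the local /22 toward ISP-B and filter everything else.
! OWN-PREFIX is a hypothetical name; 170.X.X.0/22 is the redacted block from the thread.
ip prefix-list OWN-PREFIX seq 5 permit 170.X.X.0/22
!
! Anchor route so the network statement has an exact match in the routing table.
ip route 170.X.X.0 255.255.252.0 Null0
!
router bgp 26XX25
 network 170.X.X.0 mask 255.255.252.0
 neighbor 187.X.X.112 prefix-list OWN-PREFIX out
!
! After changing outbound policy, resend updates without resetting the session (exec mode):
!  clear ip bgp 187.X.X.112 soft out
! Confirm the /22 is in the BGP table and is what is actually sent to ISP-B:
!  show ip bgp 170.X.X.0 255.255.252.0
!  show ip bgp neighbors 187.X.X.112 advertised-routes
```

Applying the same outbound filter to the ISP-A neighbor once that session exists keeps routes learned from one ISP from being re-advertised to the other.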