10-03-2017 11:02 AM - edited 03-05-2019 09:14 AM
Hi friends,
I'm using 2 ISPs (ISP-A and ISP-B), have my own block of public IP addresses (170.X.X.0/22) and my ASN (26XX25). I'm using a Cisco ASR1001-X Router. Besides, I have a BGP session established with ISP-B and ISP-A is using default route (in a few days I should have BGP with this ISP too). I need to make ISP-B my primary provider and pass all my traffic through it, but right now all my traffic is through ISP-A, even when I have in my ASR a static route to ISP-B: ip route 0.0.0.0 0.0.0.0 187.X.X.112, where 187.X.X.112 is the gateway for ISP-B. A couple of days ago ISP-A went down and I lost internet access, even when my ISP-B was up. Is it possible what I want to do?? Can anybody help me please?? Thanks in advance.
10-05-2017 02:17 PM
Gaspar
We are making progress. Now we see that you are advertising your network to ISP B. Now there is a question about whether ISP B is advertising your network to the Internet. Can you ask them about that?
At this point your BGP appears to be doing what it should. An output shown in an earlier part of this thread shows that you are learning 1 route from ISP B. I assume that this would be a default route. Now you are advertising your network to ISP B. Learning a default route from ISP B and advertising your network to them is what you want BGP to do.
And at some point you want BGP to do the same things with ISP A. When that happens we can be fairly confident that you will have failover (and failback) working so that if one ISP goes down that your network will continue to operate using the surviving ISP.
You have asked this question a few times "can I access to internet (obviously through ISP-B) if my ISP-A goes down??? " That will be easy to answer when both ISP are using BGP. But it is complicated when one ISP uses BGP and the other ISP is using static routes. There are at least two things that make this complicated:
1) ISP A seems to be advertising your network to the Internet. What happens to that advertisement if ISP A stops working? If the link from you to ISP A stops working would ISP A stop advertising your network? If ISP continues to advertise your network to the Internet but can not forward traffic to you then your failover will not work. (note that this issue is resolved when both ISP are using BGP)
2) You have a static route for outbound traffic (which currently sends traffic through ISP B). What would happen if that link stopped working (or if the router at ISP B stopped working)? The usual way to handle this is to implement IP SLA to track the static route and to remove it from the routing table if the next hop is no longer reachable. Note that you have a similar issue if you have a backup static route to the other ISP. Note that this issue is resolved when both ISP are using BGP.
So perhaps there is a question about how quickly you are likely to get BGP running with ISP A. And perhaps a question about whether it is worth much effort to fix failover in the current environment (with ISP A using static) if you will soon be able to use BGP for both ISP.
HTH
Rick
10-03-2017 01:08 PM
Hello,
post the config of your router. With static routes, you could use an IP SLA. If we see your configuration, we can make suggestions...
10-03-2017 01:32 PM
here you go:
Contencion1001-X#sh running-config
Building configuration...
Current configuration : 6569 bytes
!
! Last configuration change at 07:12:22 MX Tue Oct 3 2017 by gaspar
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no platform punt-keepalive disable-kernel-core
!
hostname Contencion1001-X
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 $1$fNDH$l6BXIQvSDmlm/
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
!
!
aaa session-id common
clock summer-time MX recurring
!
!
!
!
!
!
!
!
!
!
!
ip domain name algo.com
!
!
!
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
!
license udi pid ASR1001-X sn ********
!
!
username gaspar privilege 15 password 7 151552291C3B
username fermin privilege 15 password 7 11271817161C
username francesco privilege 15 password 7 01420911B06
!
redundancy
mode none
!
!
!
!
!
!
!
!
interface TenGigabitEthernet0/0/0
description *** ISP A ***
ip address 208.X.X.182 255.255.255.252
!
interface TenGigabitEthernet0/0/1
description *** ISP B ***
ip address 187.X.X.113 255.255.255.254
!
interface GigabitEthernet0/0/0
no ip address
negotiation auto
!
interface GigabitEthernet0/0/1
description *** Servidor 815 ***
ip address 170.X.X.33 255.255.255.248
negotiation auto
!
interface GigabitEthernet0/0/2
description *** Conecta servidor SpeedTest ***
ip address 170.X.X.41 255.255.255.248
negotiation auto
!
interface GigabitEthernet0/0/3
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/4
description *** Switch 2960 Sub Int. ***
no ip address
negotiation auto
!
interface GigabitEthernet0/0/4.20
description *** COMAPO ***
encapsulation dot1Q 20
ip address 170.X.X.97 255.255.255.252
!
interface GigabitEthernet0/0/4.24
description *** Refac. Venegas ***
encapsulation dot1Q 24
ip address 10.147.24.1 255.255.255.252
!
interface GigabitEthernet0/0/4.25
description *** HOSP. VILLA UNION ***
encapsulation dot1Q 25
ip address 10.147.25.1 255.255.255.252
!
interface GigabitEthernet0/0/4.26
description *** HOSP. NUEVO IDEAL ***
encapsulation dot1Q 26
ip address 10.147.26.1 255.255.255.252
!
interface GigabitEthernet0/0/4.27
description *** HOSP. CANATLAN ***
encapsulation dot1Q 27
ip address 10.147.27.1 255.255.255.252
!
interface GigabitEthernet0/0/4.28
description *** HOSP. SANTIAGO ***
encapsulation dot1Q 28
ip address 10.147.28.1 255.255.255.252
!
interface GigabitEthernet0/0/4.29
description *** HOSP. MADERO ***
encapsulation dot1Q 29
ip address 10.147.29.1 255.255.255.252
!
interface GigabitEthernet0/0/4.31
description *** Mina del Castillo ***
encapsulation dot1Q 31
ip address 10.147.31.1 255.255.255.248
!
interface GigabitEthernet0/0/4.32
description *** TECNO ***
encapsulation dot1Q 32
ip address 10.147.22.1 255.255.255.252
!
interface GigabitEthernet0/0/4.44
description *** Monitoreo Telcel ***
encapsulation dot1Q 44
ip address 170.X.X.73 255.255.255.252
!
interface GigabitEthernet0/0/4.47
description *** First Majestic ***
encapsulation dot1Q 47
ip address 10.170.18.1 255.255.255.252
!
interface GigabitEthernet0/0/4.65
description *** Sec. Salud Dgo. ***
encapsulation dot1Q 165
ip address 170.X.X.65 255.255.255.252
!
interface GigabitEthernet0/0/4.69
description *** Sec. Salud Stgo. ***
encapsulation dot1Q 169
ip address 170.X.X.69 255.255.255.252
!
interface GigabitEthernet0/0/4.75
description *** MI MERCADO ***
encapsulation dot1Q 75
ip address 170.X.X.141 255.255.255.252
!
interface GigabitEthernet0/0/4.89
description *** D-LATEM ***
encapsulation dot1Q 89
ip address 10.147.89.1 255.255.255.252
!
interface GigabitEthernet0/0/4.97
description *** GEN. ELECTRIC ***
encapsulation dot1Q 97
ip address 10.147.197.1 255.255.255.248
!
interface GigabitEthernet0/0/4.148
description *** Mina La Colorada ***
encapsulation dot1Q 148
ip address 10.147.20.1 255.255.255.252
!
interface GigabitEthernet0/0/4.156
description *** DELPHI ***
encapsulation dot1Q 156
ip address 10.147.21.1 255.255.255.252
!
interface GigabitEthernet0/0/5
no ip address
negotiation auto
!
interface TenGigabitEthernet0/1/0
description *** ASA 5580 ***
ip address 170.X.X.1 255.255.255.240
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 192.168.20.15 255.255.255.0
negotiation auto
!
router bgp 26XX25
bgp router-id 187.X.X.113
bgp log-neighbor-changes
neighbor 187.X.X.112 remote-as 13XX9
neighbor 187.X.X.112 password 7 045C5D0449
neighbor 187.X.X.112 soft-reconfiguration inbound
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 187.X.X.112
ip route 170.X.X.16 255.255.255.240 170.X.X.2
ip route 170.X.X.48 255.255.255.240 10.170.18.2
ip route 170.X.X.80 255.255.255.240 170.X.X.2
ip route 170.X.X.100 255.255.255.252 10.147.24.2
ip route 170.X.X.108 255.255.255.252 10.147.89.2
ip route 170.X.X.112 255.255.255.252 10.147.21.2
ip route 170.X.X.116 255.255.255.252 10.147.197.2
ip route 170.X.X.120 255.255.255.252 10.147.27.2
ip route 170.X.X.124 255.255.255.252 10.147.29.2
ip route 170.X.X.128 255.255.255.252 10.147.26.2
ip route 170.X.X.132 255.255.255.252 10.147.28.2
ip route 170.X.X.136 255.255.255.252 10.147.25.2
ip route 170.X.X.140 255.255.255.252 10.147.75.2
ip route 170.X.X.144 255.255.255.252 10.147.20.2
ip route 170.X.X.148 255.255.255.252 10.147.31.2
ip route 170.X.X.152 255.255.255.248 10.147.22.2
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 192.168.20.254
ip ssh version 2
!
ip access-list standard ELCACTI
permit 200.X.X.9
deny any
!
!
snmp-server community aSr-****1 RO ELCACTI
snmp-server location BLACKSITE
snmp-server contact yo@redgl.com
!
!
!
!
control-plane
!
banner login ^C
========================================================================
========================================================================
Acceso Restringido
Solo Personal Autorizado
========================================================================
========================================================================
^C
!
line con 0
password 7 144344C7E
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password 7 014755352
logging synchronous
transport input ssh
!
!
end
thanks!
10-03-2017 01:12 PM
10-03-2017 01:40 PM
hi, already posted my config, and besides there is this:
Contencion1001-X#sh ip bGp summary
BGP router identifier 187.X.X.113, local AS number 26XX25
BGP table version is 2, main routing table version 2
1 network entries using 248 bytes of memory
1 path entries using 120 bytes of memory
1/1 BGP path/bestpath attribute entries using 248 bytes of memory
1 BGP AS-PATH entries using 40 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 656 total bytes of memory
BGP activity 1/0 prefixes, 1/0 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
187.X.X.112 4 13XX9 1590 1747 2 0 0 1d02h 1
Contencion1001-X#
and:
Contencion1001-X#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 187.X.X.112 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 187.X.X.112
10.0.0.0/8 is variably subnetted, 26 subnets, 3 masks
C 10.147.20.0/30 is directly connected, GigabitEthernet0/0/4.148
L 10.147.20.1/32 is directly connected, GigabitEthernet0/0/4.148
C 10.147.21.0/30 is directly connected, GigabitEthernet0/0/4.156
L 10.147.21.1/32 is directly connected, GigabitEthernet0/0/4.156
C 10.147.22.0/30 is directly connected, GigabitEthernet0/0/4.32
L 10.147.22.1/32 is directly connected, GigabitEthernet0/0/4.32
C 10.147.24.0/30 is directly connected, GigabitEthernet0/0/4.24
L 10.147.24.1/32 is directly connected, GigabitEthernet0/0/4.24
C 10.147.25.0/30 is directly connected, GigabitEthernet0/0/4.25
L 10.147.25.1/32 is directly connected, GigabitEthernet0/0/4.25
C 10.147.26.0/30 is directly connected, GigabitEthernet0/0/4.26
L 10.147.26.1/32 is directly connected, GigabitEthernet0/0/4.26
C 10.147.27.0/30 is directly connected, GigabitEthernet0/0/4.27
L 10.147.27.1/32 is directly connected, GigabitEthernet0/0/4.27
C 10.147.28.0/30 is directly connected, GigabitEthernet0/0/4.28
L 10.147.28.1/32 is directly connected, GigabitEthernet0/0/4.28
C 10.147.29.0/30 is directly connected, GigabitEthernet0/0/4.29
L 10.147.29.1/32 is directly connected, GigabitEthernet0/0/4.29
C 10.147.31.0/29 is directly connected, GigabitEthernet0/0/4.31
L 10.147.31.1/32 is directly connected, GigabitEthernet0/0/4.31
C 10.147.89.0/30 is directly connected, GigabitEthernet0/0/4.89
L 10.147.89.1/32 is directly connected, GigabitEthernet0/0/4.89
C 10.147.197.0/29 is directly connected, GigabitEthernet0/0/4.97
L 10.147.197.1/32 is directly connected, GigabitEthernet0/0/4.97
C 10.170.18.0/30 is directly connected, GigabitEthernet0/0/4.47
L 10.170.18.1/32 is directly connected, GigabitEthernet0/0/4.47
170.X.0.0/16 is variably subnetted, 31 subnets, 4 masks
C 170.X.X.0/28 is directly connected, TenGigabitEthernet0/1/0
L 170.X.X.1/32 is directly connected, TenGigabitEthernet0/1/0
S 170.X.X.16/28 [1/0] via 170.X.X.2
C 170.X.X.32/29 is directly connected, GigabitEthernet0/0/1
L 170.X.X.33/32 is directly connected, GigabitEthernet0/0/1
C 170.X.X.40/29 is directly connected, GigabitEthernet0/0/2
L 170.X.X.41/32 is directly connected, GigabitEthernet0/0/2
S 170.X.X.48/28 [1/0] via 10.170.18.2
C 170.X.X.64/30 is directly connected, GigabitEthernet0/0/4.65
L 170.X.X.65/32 is directly connected, GigabitEthernet0/0/4.65
C 170.X.X.68/30 is directly connected, GigabitEthernet0/0/4.69
L 170.X.X.69/32 is directly connected, GigabitEthernet0/0/4.69
C 170.X.X.72/30 is directly connected, GigabitEthernet0/0/4.44
L 170.X.X.73/32 is directly connected, GigabitEthernet0/0/4.44
S 170.X.X.80/28 [1/0] via 170.X.X.2
C 170.X.X.96/30 is directly connected, GigabitEthernet0/0/4.20
L 170.X.X.97/32 is directly connected, GigabitEthernet0/0/4.20
S 170.X.X.100/30 [1/0] via 10.147.24.2
S 170.X.X.108/30 [1/0] via 10.147.89.2
S 170.X.X.112/30 [1/0] via 10.147.21.2
S 170.X.X.116/30 [1/0] via 10.147.197.2
S 170.X.X.120/30 [1/0] via 10.147.27.2
S 170.X.X.124/30 [1/0] via 10.147.29.2
S 170.X.X.128/30 [1/0] via 10.147.26.2
S 170.X.X.132/30 [1/0] via 10.147.28.2
S 170.X.X.136/30 [1/0] via 10.147.25.2
C 170.X.X.140/30 is directly connected, GigabitEthernet0/0/4.75
L 170.X.X.141/32 is directly connected, GigabitEthernet0/0/4.75
S 170.X.X.144/30 [1/0] via 10.147.20.2
S 170.X.X.148/30 [1/0] via 10.147.31.2
S 170.X.X.152/29 [1/0] via 10.147.22.2
187.X.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 187.X.X.112/31 is directly connected, TenGigabitEthernet0/0/1
L 187.X.X.113/32 is directly connected, TenGigabitEthernet0/0/1
208.X.X.0/24 is variably subnetted, 2 subnets, 2 masks
C 208.X.X.180/30 is directly connected, TenGigabitEthernet0/0/0
L 208.X.X.182/32 is directly connected, TenGigabitEthernet0/0/0
Contencion1001-X#
thanks!
10-03-2017 01:25 PM - edited 10-03-2017 01:28 PM
Hi
A default route will be preferred for any unknown destination. If you are going to use BGP peering with both ISPs, you can use the BGP attributes to manipulate the traffic and prefer one path over another. You can use Weight, Local Preference and MED for example.
This is just an example:
*Imagine you are receiving the same traffic from both devices:
ip prefix-list FROM-ISP seq 5 permit 0.0.0.0/0
ip prefix-list FROM-ISP seq 10 permit 10.0.0.0/24
ip prefix-list TO-ISP seq 5 permit 192.168.0.0/24
!
! Inbound from ISP-A: lower weight, so the less preferred exit
route-map ISP-A-IN permit 5
 match ip address prefix-list FROM-ISP
 set weight 1000
! Outbound to ISP-A: longer AS path on the local network
route-map ISP-A-OUT permit 5
 match ip address prefix-list TO-ISP
 set as-path prepend 65001 65001 65001 65001
! Inbound from ISP-B: higher weight, so the preferred exit
route-map ISP-B-IN permit 5
 match ip address prefix-list FROM-ISP
 set weight 2000
! Outbound to ISP-B: shortest prepend on the local network
route-map ISP-B-OUT permit 5
 match ip address prefix-list TO-ISP
 set as-path prepend 65001
!
router bgp 65001
 neighbor 1.1.1.2 remote-as 65002
 neighbor 1.1.1.2 route-map ISP-A-IN in
 neighbor 1.1.1.2 route-map ISP-A-OUT out
 neighbor 2.2.2.2 remote-as 65003
 neighbor 2.2.2.2 route-map ISP-B-IN in
 neighbor 2.2.2.2 route-map ISP-B-OUT out
*With this configuration your router will prefer the path through ISP-B because it will have a higher Weight; you will also have symmetric traffic because you are advertising the local network with the lowest AS-Path prepend.
Also you could be receiving a default route and redistribute it into an IGP. Now if your router is connected to the Internet you can avoid your router becoming a "transit" router; this link explains that behavior: http://www.burningnode.com/2013/07/20/bgp-prevent-being-a-transit-as/
Hope it is useful
:-)
10-03-2017 07:59 PM
10-03-2017 10:22 PM
10-04-2017 08:00 AM
I'm going to try what you suggest, to see how it goes!!
10-04-2017 11:44 AM
sorry my friend but your solution didn't work... I configured default routes like this:
ip route 0.0.0.0 0.0.0.0 187.X.X.112
ip route 0.0.0.0 0.0.0.0 208.X.X.181 10
where the first one is to ISP-B (the one with BGP) and second one to ISP-A (the one with static route). When I check my traffic I get this:
Contencion1001-X#sh interface TenGigabitEthernet0/0/0 | i rate
Queueing strategy: fifo
5 minute input rate 1084125000 bits/sec, 107880 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
Contencion1001-X#sh interface TenGigabitEthernet0/0/1 | i rate
Queueing strategy: fifo
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 87629000 bits/sec, 60325 packets/sec
so all my outgoing traffic is passing through ISP-B but the incoming traffic is through ISP-A, and that's my problem. Besides, when I shut down the interface connected to ISP-A I lost connection to internet. Any ideas on how to solve this??
10-04-2017 12:21 PM
Gaspar
Thank you for the additional information. I believe that I now understand at least part of what is causing your issue. You are running BGP with ISP B and forming the BGP neighbor relationship. But you are not advertising your network to ISP B (there is no network statement or any redistribution in your BGP configuration). If you are not advertising your network to ISP B then they can not advertise your network to the Internet. Obviously ISP A knows about your network (based on static routes) and seems to be advertising your network to the Internet. That explains why all Internet traffic to you is coming through ISP A and why you lose connectivity to the Internet if ISP A goes down. This could be resolved if you advertise your network to ISP B.
HTH
Rick
10-04-2017 01:44 PM
ok thanks Rick, and please can you tell me how can I advertise my network to ISP B????
Thanks!
10-04-2017 02:01 PM
There are two parts of getting BGP to advertise your network. First you need to add a network statement in your router bgp config which would look like
network 170.x.x.0 mask 255.255.252.0
This will advertise your 170.x.x.0 network as long as BGP sees a matching entry in your routing table. So the second part would be to configure a static route for your network which might look something like this
ip route 170.x.x.0 255.255.252.0 null0
If you do these two things then BGP should advertise your network.
HTH
Rick
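An added example, not part of the original posts: a small Python check of two conditions raised in this thread, that a BGP `network` statement is only advertised when an exact-match route exists in the routing table, and that a static default route without a track object is not removed when the ISP stops forwarding. The sample configuration, its addresses and AS numbers are constructed, the function names are hypothetical, and VRFs and interface state are ignored.

```python
import ipaddress
import re

# Constructed sample modelled on the thread's router. Addresses and AS numbers
# are documentation values, not the ones from the original post.
SAMPLE_CONFIG = """\
interface TenGigabitEthernet0/0/1
 ip address 192.0.2.113 255.255.255.254
!
router bgp 64500
 network 198.51.100.0 mask 255.255.255.0
 network 203.0.113.0 mask 255.255.255.0
 neighbor 192.0.2.112 remote-as 64501
!
ip route 0.0.0.0 0.0.0.0 192.0.2.112
ip route 0.0.0.0 0.0.0.0 192.0.2.181 10 track 2
ip route 198.51.100.0 255.255.255.0 Null0
ip route 203.0.113.16 255.255.255.240 198.51.100.2
"""

NETWORK_RE = re.compile(r"^[ \t]*network (\d\S*) mask (\d\S*)", re.M)
ROUTE_RE = re.compile(r"^ip route (\d\S*) (\d\S*) (.+)$", re.M)
ADDRESS_RE = re.compile(r"^[ \t]*ip address (\d\S*) (\d\S*)", re.M)


def local_prefixes(config):
    """Prefixes the global table would hold from connected and static routes."""
    prefixes = set()
    for addr, mask in ADDRESS_RE.findall(config):
        prefixes.add(ipaddress.ip_interface(f"{addr}/{mask}").network)
    for prefix, mask, _ in ROUTE_RE.findall(config):
        prefixes.add(ipaddress.ip_network(f"{prefix}/{mask}", strict=False))
    return prefixes


def unbacked_networks(config):
    """BGP network statements with no exact-match route, so never advertised."""
    table = local_prefixes(config)
    wanted = [ipaddress.ip_network(f"{p}/{m}", strict=False)
              for p, m in NETWORK_RE.findall(config)]
    # A more-specific route (the /28 above) does not satisfy a /24 statement.
    return [str(n) for n in wanted if n not in table]


def untracked_defaults(config):
    """Next hops of static defaults that have no 'track' object attached."""
    hops = []
    for prefix, mask, rest in ROUTE_RE.findall(config):
        words = rest.split()
        if (prefix, mask) == ("0.0.0.0", "0.0.0.0") and "track" not in words:
            hops.append(words[0])
    return hops


if __name__ == "__main__":
    print("not advertised:", unbacked_networks(SAMPLE_CONFIG))
    print("untracked default via:", untracked_defaults(SAMPLE_CONFIG))
```

Adding a Null0 static route for the second prefix clears the first finding, which is the second step described in the post above.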
10-04-2017 02:56 PM
sorry my friend but it didn't work....
I have this on my ASR:
router bgp 26XX25
bgp router-id 187.X.X.113
bgp log-neighbor-changes
network 170.X.X.0 mask 255.255.252.0
neighbor 187.X.X.112 remote-as 13XX9
neighbor 187.X.X.112 password 7 104352154
neighbor 187.X.X.112 soft-reconfiguration inbound
and:
ip route 0.0.0.0 0.0.0.0 187.X.X.112
ip route 0.0.0.0 0.0.0.0 208.X.X.181 10
ip route 170.X.X.0 255.255.252.0 Null0
but same-o same-o
??
10-04-2017 04:43 PM