WAN issue

anitachoi3
Level 1

Dear Expert,

There is one potential issue with the network service: the normal traffic flow would stop at once if the WAN link failed. Please refer to the attached diagram. Below is the relevant config on both Internet gateway routers, which are interconnected to ISP-A. How can I automate the config on both Internet gateway routers to announce the proper route for 192.168.40.0/24 so that the traffic flow would go to the "backup traffic path" if the WAN link was down?

rdgs

! TW IGR
!
router bgp 192
 ....
 network 192.168.40.0
 network 192.168.50.0
 neighbor 172.16.110.1 route-map Set_ASN_TW out
!
ip route 192.168.40.0 255.255.255.0 null0
ip route 192.168.50.0 255.255.255.0 null0
!
access-list 40 permit 192.168.40.0 0.0.0.255
access-list 50 permit 192.168.50.0 0.0.0.255
!
ip as-path access-list 200 permit ^$
!
route-map Set_ASN_TW permit 10
 match ip address 40
 set as-path prepend 192
!
route-map Set_ASN_TW permit 20
 match ip address 50
!
route-map Set_ASN_TW permit 30
 match as-path 200
!
! HK IGR
!
router bgp 192
 ....
 network 192.168.40.0
 network 192.168.50.0
 neighbor 172.16.10.1 route-map Set_ASN_TW out
!
ip route 192.168.40.0 255.255.255.0 null0
ip route 192.168.50.0 255.255.255.0 null0
!
access-list 40 permit 192.168.40.0 0.0.0.255
access-list 50 permit 192.168.50.0 0.0.0.255
!
ip as-path access-list 200 permit ^$
!
route-map Set_ASN_TW permit 10
 match ip address 40
 set as-path prepend 192 192
!
route-map Set_ASN_TW permit 20
 match ip address 50
!
route-map Set_ASN_TW permit 30
 match as-path 200


Kasiraman S
Level 1

Hi,

Could you please let me know the actual location of the 192.168.40.0/24 network.

If all of the .40 network is in the HK location and TW learns the network via OSPF, the option below would help.

If the .40.0/24 network/subnets are in the HK location and you advertise the .40 network in both locations via the network command, it does not help the ISP to identify the failure of reachability to the .40 network/subnets over the WAN circuit. Instead of adding a network statement, you can redistribute the .40 network from OSPF to BGP at the TW site (if you would like, you can summarize all the .40 subnets into the .40.0/24 network and send it to the ISP). If the TW site loses access to the .40 network due to a WAN failure, OSPF would lose all the .40 networks from the HK site, and in turn it will not redistribute the .40 network to BGP. So all the traffic for .40 goes through HK's ISP.

Experts: Please forgive if the above option does not work and also let me know the best option.

Thanks,

Kasi

Giuseppe Larosa
Hall of Fame

Hello Anita,

>> How to automate the config on both internet gateway routers to announce proper route of 192.168.40.0/24 so that the traffic flow would go to "backup traffic path" if the WAN link was down.

As Kasi noted, you shouldn't use a static route to null0 to advertise 192.168.40.0/24 in BGP.

A static route to null0 is always alive.

Rather, you should put some network commands in the router bgp process matching a component route within 192.168.40.0/24 that is learned via OSPF or another IGP over the WAN link.

An aggregate-address command is a more modern way to create an aggregate route, and it works if and only if a component route is in the BGP table.

Example:

router bgp 192
 ! route coming from OSPF or other IGP; exact match is required here
 network 192.168.40.0 mask 255.255.255.240
 ! aggregate route
 aggregate-address 192.168.40.0 255.255.255.0 summary-only

BGP conditional advertising could be used if you wish to advertise networks from the backup site only when the primary site is down ( = BGP session), but here you are focusing on the WAN link between sites.

An iBGP session between the two gateways may be of help in preparing the path to the use of BGP conditional advertising.

Hope to help

Giuseppe

Giuseppe,

Awesome feature. I have a small question.

Can we use the BGP session status (UP/DOWN) for conditional advertisement? If not, what is the specific use of having the BGP session over the WAN?

Thanks,

Kasi

Kasi

There is no such thing as conditional advertising in BGP. If your BGP session is down, the prefixes will be removed from the routing table [although not quickly], through that peer. The only other way to get into your AS is through another router.

So, as Larosa stated, the best way is to run iBGP between the Internet edge routers and configure Local_pref to the received routes from ISP-A so your traffic leaves appropriately when there is a failure.

For incoming traffic though, nothing else is required as AS-Prepend is already in place.

Regards,

And to specifically answer your question, "iBGP is needed so that it can carry BGP attributes  from between your border routers"

Hi,

Thanks a lot for the reply. Are we going to advertise the BGP prefix over iBGP? This is really extra work, right (creating the iBGP relation and advertising routes)? Instead of that, what happens if we have the neighbor command? It would definitely show the route in the BGP table (not RIB), and we can utilize that for conditional advertisement, right?

Thanks,

Kasi

Hello Rama,

>> There is no such thing as conditional advertising in BGP

I was referring to

http://www.cisco.com/en/US/docs/ios/12_1/iproute/configuration/guide/1cdbgp.html#wp1023342

but as I have already written it is not useful in this scenario

>> the best way is to run iBGP between the Internet edge routers and configure Local_pref to the received routes from ISP-A so your traffic leaves appropriately when there is a failure.

I agree but the point, for the original poster,  is that the main site should not advertise one aggregate (i.e. 192.168.40.0/24 ) when the WAN link between the two sites fail because it is actually on the secondary site, so the suggestion to use network + aggregate-address command instead of network + static route to null0

Hope to help

Giuseppe

I completely agree and to be honest did not read the original question properly since I thought you already answered it.

I was actually answering Kasi in this regard since he asked why we want to use BGP

"Can we use the BGP session status(UP/DOWN) for conditional advertisement".... I was not referring to that feature at all. And now that I've read the history, I couldn't agree more!

Dear Giuseppe,

It seems that the solution is to build iBGP between the two IGRs located in HK and TW. Please see the attached diagram for your reference. Below is the relevant config for your further comments.

! TW IGR
!
interface FastE 0/2
 description Connect to IGR in HK, 172.16.20.1
 ip address 172.16.20.2 255.255.255.252
!
router bgp 192
 ! network in TW
 network 192.168.40.128 mask 255.255.255.128
 ! aggregate route
 aggregate-address 192.168.40.0 255.255.255.0 summary-only
 neighbor 172.16.20.1 remote-as 192
 ...
!
! 192.168.40.0/25 in HK
! 192.168.40.128/25 in TW
!
ip route 192.168.40.0 255.255.255.128 172.16.20.1
ip route 192.168.40.128 255.255.255.128
!
! do I keep this route?
ip route 192.168.40.0 255.255.255.0 null0
!
!
! HK IGR
!
interface FastE 0/2
 description Connect to TW IGR, 172.16.20.2
 ip address 172.16.20.1 255.255.255.252
!
router bgp 192
 ! network in HK
 network 192.168.40.0 mask 255.255.255.128
 ! aggregate route
 aggregate-address 192.168.40.0 255.255.255.0 summary-only
 neighbor 172.16.20.2 remote-as 192
 ...
!
! 192.168.40.0/25 in HK
! 192.168.40.128/25 in TW
!
ip route 192.168.40.0 255.255.255.128
ip route 192.168.40.128 255.255.255.128 172.16.20.2
!
! do I keep this route?
ip route 192.168.40.0 255.255.255.0 null0
!

Grateful if you would advise on the following issues.

1. Does it support a GRE tunnel between the two IGRs via the Internet for the iBGP connection? It would save the extra cost. If yes, grateful if you would comment on the following config.

! TW IGR
!
interface Faste 0/0
 description connected to ISP-A in TW
 ip address 172.16.110.2 255.255.255.252
!
interface Faste 0/1
 description connected to TW internal network
 ip address 192.168.120.2 255.255.255.0
!
interface Tunnel20
 description connect to HK IGR 172.16.20.1
 ip address 172.16.20.2 255.255.255.252
 !
 tunnel source 172.16.110.2
 tunnel destination 192.168.20.2
!
! ---
! HK IGR
!
interface Faste 0/0
 description connected to ISP-A in HK
 ip address 172.16.10.2 255.255.255.252
!
interface Faste 0/1
 description connected to HK internal network
 ip address 192.168.20.2 255.255.255.0
!
interface Tunnel20
 description connect to TW IGR 172.16.20.2
 ip address 172.16.20.1 255.255.255.252
 !
 tunnel source 172.16.10.2
 tunnel destination 192.168.120.2
!

2. When the WAN circuit between HK and TW is down,

- the traffic of 192.168.40.0/25 (HK) would go outside via ISP-A located in HK. The return traffic would come back to ISP-A located in TW --> TW IGR --> HK IGR --> HK internal

- the in/out traffic of 192.168.40.128/25 (TW) would go via ISP-A located in TW

Please correct me if I am wrong.

rdgs

Our objective is to send the traffic for 192.168.40.0/25 via the local RTR (HK) from the ISP if the WAN between the sites is down. Whether the WAN is down or not, we should send the traffic for 192.168.40.128/25 via the local RTR (TW). If the WAN is up, all the traffic for 192.168.40.0/24 should go and come back via the TW RTR.

I believe both site routers know the remote site's network via OSPF. Instead of creating iBGP, we can use the config below. Also, instead of sending the summary route, we can advertise both subnets to the ISP via TW, so the preferred path for both networks is via TW, and we can advertise the /24 prefix via HK, which would be less preferred because of the network mask.

----------------------------------------------------------------------------------------

TW: --> This is more preferred based on prefix length /25, if we apply the config below.

neighbor ISP_A remote-as XY
network 192.168.40.0 mask 255.255.255.128
! The above entry won't be advertised if we lose the WAN connection, and the ISP prefers the HK path for the network (192.168.40.0/24).
network 192.168.40.128 mask 255.255.255.128
no aggregate-address 192.168.40.0 255.255.255.0 summary-only
...
!
!
no access-list 40 permit 192.168.40.0 0.0.0.255
access-list 40 permit 192.168.40.0 0.0.0.127
access-list 40 permit 192.168.40.128 0.0.0.127
!
route-map Set_ASN_TW permit 10
 match ip address 40
 set as-path prepend 192
!
! Remove the "ip route 192.168.40.0 255.255.255.0 null0" from the TW RTR.

----------------------------------------------------------------------------------------------------

HK: --> This one is less preferred because of high prefix length /24 compared to the TW site.

neighbor ISP_A remote-as YZ
network 192.168.40.0 mask 255.255.255.0
...

! You may need the command "ip route 192.168.40.0 255.255.255.0 null0" if the network 192.168.40.0/24 is not in the RIB.

Let me know if you have any questions.

Please rate the helpful post.

Thanks,

Kasi

Dear Kasi,

I apprehend the objective of both IGR configurations. The /25 would be the more preferred route. The return traffic (or inbound traffic) of 192.168.40.128/25 would go to TW. The /24 would be the less preferred route. The return traffic (or inbound traffic) of 192.168.40.0/25 would go to HK.

It seems that the ISP supports routes of at least /24 for BGP config. How can I advertise the /25 routes to an ISP which would be willing to receive them?

It may require an operator to change the above config when the WAN circuit is down. This solution is good. Any idea how to automate it?

Thanks.

rdgs

Hi,

The solution I provided is automatic. I believe you have a small misunderstanding about advertising the /25 prefixes. Let me explain once again.

Both /25 prefixes are advertised via TW, and that is more preferred for both prefixes.

The /24 prefix will be advertised via HK, and this is less preferred by the ISP because of the prefix length.

How is it automated?

If TW does not know about 192.168.40.0/25 via OSPF (WAN circuit down), TW will not advertise it (40.0/25) to the ISP, so the ISP prefers HK, as the /24 prefix covers the IP range (40.0/25).

If the WAN circuit is up, TW advertises both /25 prefixes and all the traffic goes fine via TW.

The configuration I provided in the previous post would work fine. If you need further assistance, please post the complete routing configuration you currently have on both TW and HK, so that I can analyse the complete flow.

Do rate helpful post.

Thanks,

Kasi
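
Added example (not part of any post in this thread): a small Python model of how ISP-A picks the entry site for hosts in 192.168.40.0/24 under the original null0 configuration and under the /25-plus-/24 design described above, with the WAN link up and down. Function names, the design labels and the max_len parameter (the longest prefix ISP-A accepts, the /24 concern raised earlier in the thread) are assumptions, and ISP-A is modelled as a single longest-prefix-match lookup.

```python
import ipaddress

# Prefixes and site names are from the thread; function names, the "design"
# labels and the max_len filter parameter are assumptions made for this model.
HK_LAN = ipaddress.ip_network("192.168.40.0/25")
TW_LAN = ipaddress.ip_network("192.168.40.128/25")
AGG = ipaddress.ip_network("192.168.40.0/24")


def advertisements(design, wan_up):
    """Return (prefix, site, as_path_len) tuples each gateway sends to ISP-A."""
    if design == "null0":
        # Original config: both sites pin the /24 with a static route to null0,
        # so it is announced regardless of WAN state. TW prepends once, HK twice.
        return [(AGG, "TW", 2), (AGG, "HK", 3)]
    # "split" design: TW announces each /25 only while the exact route is in
    # its RIB; HK announces the covering /24.
    ads = [(TW_LAN, "TW", 1), (AGG, "HK", 1)]
    if wan_up:  # HK's /25 reaches TW through OSPF across the WAN link
        ads.append((HK_LAN, "TW", 1))
    return ads


def isp_entry_site(dst, design, wan_up, max_len=25):
    """Site through which ISP-A forwards traffic for dst, or None."""
    addr = ipaddress.ip_address(dst)
    usable = [(net, site, hops)
              for net, site, hops in advertisements(design, wan_up)
              if net.prefixlen <= max_len and addr in net]
    if not usable:
        return None
    # Longest prefix wins at forwarding time; shorter AS path breaks ties.
    best = max(usable, key=lambda r: (r[0].prefixlen, -r[2]))
    return best[1]


def delivered(dst, design, wan_up, max_len=25):
    """True if traffic for dst can reach its home site."""
    entry = isp_entry_site(dst, design, wan_up, max_len)
    home = "HK" if ipaddress.ip_address(dst) in HK_LAN else "TW"
    # Traffic entering at the wrong site needs the WAN link to cross over.
    return entry == home or (entry is not None and wan_up)


if __name__ == "__main__":
    for design in ("null0", "split"):
        for wan_up in (True, False):
            for host in ("192.168.40.10", "192.168.40.200"):
                print(design, "WAN up" if wan_up else "WAN down", host,
                      isp_entry_site(host, design, wan_up),
                      delivered(host, design, wan_up))
```

With max_len=24 the /25 announcements are filtered, so all traffic enters via HK and TW hosts become unreachable when the WAN is down.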

Dear Kasi,

Thank you for your advice; the information is very useful. Here is a slight amendment to the config. Grateful if you would comment on it and rectify any wrong settings.

rdgs

Anita

! TW IGR
!
router bgp 192
 ....
 ! Whether redistribution is the better approach or not
 network 192.168.40.0 mask 255.255.255.128
 redistribute ospf 192 match internal route-map FROM-HKNW
 !
 network 192.168.40.128 mask 255.255.255.128
 network 192.168.50.0
 !
 neighbor 172.16.110.1 route-map Set_ASN_TW out
!
router ospf 192
 network 192.168.40.128 0.0.0.127 area 0
!
ip route 192.168.40.0 255.255.255.0 null0
ip route 192.168.50.0 255.255.255.0 null0
!
access-list 40 remark === Announce /24 routes to ISP-A ===
access-list 40 permit 192.168.40.0 0.0.0.255
!
access-list 45 remark === Announce /25 routes to ISP-A ===
access-list 45 permit 192.168.40.0 0.0.0.127
access-list 45 permit 192.168.40.128 0.0.0.127
!
access-list 50 remark === Announce /24 routes to ISP-A ===
access-list 50 permit 192.168.50.0 0.0.0.255
!
ip as-path access-list 200 permit ^$
!
route-map Set_ASN_TW permit 10
 !
 ! advertising both /25 routes; only one /25 will be announced when WAN circuit down
 match ip address 45
 set as-path prepend 192
!
route-map Set_ASN_TW permit 20
 match ip address 50
!
route-map Set_ASN_TW permit 30
 match as-path 200
!
route-map FROM-HKNW permit 10
 match ip address CrossSiteNetwork
!
ip access-list standard CrossSiteNetwork
 permit 192.168.40.0 0.0.0.127
 deny 192.168.0.0 0.0.255.255
 deny 172.16.0.0 0.0.255.255
 deny 10.0.0.0 0.255.255.255
!
!
! HK IGR
!
router bgp 192
 ....
 network 192.168.40.0
 network 192.168.50.0
 neighbor 172.16.10.1 route-map Set_ASN_TW out
!
router ospf 192
 network 192.168.40.0 0.0.0.127 area 0
!
ip route 192.168.40.0 255.255.255.0 null0
ip route 192.168.50.0 255.255.255.0 null0
!
access-list 40 permit 192.168.40.0 0.0.0.255
access-list 50 permit 192.168.50.0 0.0.0.255
!
ip as-path access-list 200 permit ^$
!
route-map Set_ASN_TW permit 10
 match ip address 40
 set as-path prepend 192 192
!
route-map Set_ASN_TW permit 20
 match ip address 50
!
route-map Set_ASN_TW permit 30
 match as-path 200

Hi Anita,

TW IGR

router bgp 192
 neighbor 172.16.110.1 remote-as XYZ
 neighbor 172.16.110.1 route-map Set_ASN_TW out
 ! More preferred because of prefix length
 network 192.168.40.128 mask 255.255.255.128
 ! More preferred because of prefix length
 network 192.168.40.0 mask 255.255.255.128
 ! More preferred because of AS path count
 network 192.168.50.0 mask 255.255.255.0
!
router ospf 192
 network 192.168.40.128 0.0.0.127 area 0
!
! To advertise 50.0/24 to BGP peer
ip route 192.168.50.0 255.255.255.0 null0
!
access-list 50 permit 192.168.50.0 0.0.0.255
! If you have any other subnet to advertise, not .40.0
access-list 50 permit 192.168.x.y 0.0.0.255
!
! Allow anything else
ip as-path access-list 200 permit ^$
!
route-map Set_ASN_TW permit 10
 match ip address 50
 set as-path prepend 192
!
route-map Set_ASN_TW permit 20
 match as-path 200

If you compare the above configuration with the one you provided, there is a change in sequence 10 of the route-map. Yes, I'm not prepending the AS path for the .40.0/25 and .40.128/25 prefixes. I believe it is not necessary because, by prefix length, it is already the more preferred route.

Also, if you are advertising anything other than .40.0/24 & .50.0/24 via TW, please include the subnet in ACL 50 so that traffic for those subnets will be more preferred via TW.

-------------------------------------------------------------------------------------------------
HK IGR

router bgp 192
 neighbor 172.16.10.1 remote-as ZYX
 neighbor 172.16.10.1 route-map Set_ASN_TW out
 network 192.168.40.0 mask 255.255.255.0
 network 192.168.50.0 mask 255.255.255.0
!
router ospf 192
 network 192.168.40.0 0.0.0.127 area 0
!
ip route 192.168.40.0 255.255.255.0 null0
ip route 192.168.50.0 255.255.255.0 null0
!
access-list 50 permit 192.168.50.0 0.0.0.255
! If you have any other subnet to advertise, not .40.0
access-list 50 permit 192.168.x.y 0.0.0.255
!
ip as-path access-list 200 permit ^$
!
route-map Set_ASN_TW permit 10
 match ip address 50
 set as-path prepend 192 192
!
route-map Set_ASN_TW permit 20
 match as-path 200

If you compare the above configuration with the one you provided, there is a change in sequence 10 of the route-map. Yes, I'm not prepending the AS path for the .40.0/24 prefix. I believe it is not necessary because, by prefix length, it is already the less preferred route.

Also, in sequence 10 I have prepended the AS path to make it less preferred through the HK IGR, because as per the traffic pattern the path via HK is acting as a backup path for all traffic. If you are advertising anything other than .40.0/24 & .50.0/24 via HK, please include the subnet in ACL 50 so that traffic for those subnets will be less preferred via HK.

Do rate helpful post and let me know if you have any question.

Thanks,

Kasi
