Solved

BGP Failover between two ISP routers

Posted on 2004-07-30
Last Modified: 2008-02-01
Can anyone help with a BGP failover configuration? There are five routers and all of them are full-mesh. First there are two ISP routers, we will call them ISP1 and ISP2. Then I have my routers I control, router1, router2, router3. Router1 connects to ISP1 (EBGP), router2 connects to ISP2 (EBGP), router3 connects to router2 (EBGP) and router1 (IBGP).

So basically if the route for ISP1 fails, traffic should route through ISP2.
I have a sample configuration for router1 but I am a bit confused about the configuration for router2 and router3. Does anyone have a better BGP configuration for BGP failover between these routers?



Router 1:
Int fastethernet 0/0
description connection to Router 2
Ip address 214.4.105.1 255.255.255.252 secondary
Ip address 214.4.106.2 255.255.255.252

Int fastethernet 0/1
description connection to ISP1
Ip address 10.10.24.1 255.255.255.0

Router BGP 50
No sync
Bgp log-neighbor-changes
Network 214.4.105.0
Network 214.4.106.0
Neighbor 10.10.24.4 remote-as 721  
Neighbor 10.10.24.4 route-map ISP-2 out
Neighbor 214.4.106.1 remote-as 50
Neighbor 214.4.106.1 next-hop-self
No auto-summary

Access-list 1 permit 214.4.106.0
Access-list 2 permit 214.4.105.0
Access-list 2 permit 214.4.108.0
Access-list 2 permit 214.4.110.0
Access-list 2 permit 214.4.111.0


Route-map PENT-NIPR permit 10
  Match ip address 1
   Set as-path prepend 721 721 721  

Route-map PENT-NIPR permit 20
 Match ip address 2            




Router2:

Current configuration : 1465 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname router3

!
syscon address 1.1.1.1 password
syscon shelf-id 0
ip subnet-zero
ip cef
!
!
!
!
!
!

!
interface FastEthernet0/0
 description to router2
 ip address 199.57.22.34 255.255.255.252
 duplex half
 speed 10
!
interface FastEthernet0/1
 description connection to ISP2
 ip address 198.26.74.176 255.255.255.0
 duplex full
 speed 100
!
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 redistribute connected
 neighbor 198.26.74.177 remote-as 500
 neighbor 199.57.22.33 remote-as 50
 no auto-summary
!
ip classless
no ip http server

!
line con 0
 stopbits 1
line aux 0
line vty 0 4
 password dos
 login
line vty 5 15
 password dos
 login
!
end


Router3:

Int fastethernet 0/0
description connection to router 1
Ip address 214.4.105.2 255.255.255.252 secondary
Ip address 214.4.106.1 255.255.255.252

Int fastethernet 0/1
description connection to router 3
Ip address 10.10.13.1 255.255.255.0

Router BGP 50
No sync
Bgp log-neighbor-changes
Network 214.4.105.0
Network 214.4.106.0
Neighbor 10.10.13.3 remote-as 65000  
Neighbor 10.10.13.3 route-map router-3 out
Neighbor 214.4.106.2 remote-as 50
Neighbor 214.4.106.2 next-hop-self
Maximum-paths 2
No auto-summary

Access-list 2 permit 214.4.105.0
Access-list 1 permit 214.4.106.0
Access-list 1 permit 214.4.108.0
Access-list 1 permit 214.4.110.0
Access-list 1 permit 214.4.111.0

Route-map JPO-NIPR permit 10
  Match ip address 1
   Set as-path prepend 500 500 500  

Route-map JPO-NIPR permit 20
 Match ip address 2















Question by:ritru
11 Comments
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 11679345
So, I can help you. But first, your configs don't make sense. You have route maps defined that aren't applied anywhere and route-maps applied that aren't defined. You are pointing to neighbors that don't exist in the configs you've posted, and the configs can't be from the routers you say (i.e. router 2: hostname router3). So, please repost accurate configs and I'll help you.

A few general comments though:
1. I don't know what IGP you're using. But in BGP on both ISP-connected routers, you should add the line "default-information originate" and redistribute BGP into your IGP. Make sure that both ISPs are sending you a default route. This will ensure that you have a default route in your IGP.
2. You can set local preference on the inbound default route. BGP will direct outbound traffic to the higher local preference. That is an easy way to set your failover between the 2 routers for outbound traffic.
3. From what I can see, you don't have a full mesh in IBGP. All 3 routers need to be IBGP neighbors.
4. Not sure why you have 3 routers in the mix when there's only 2 ISP-connected routers. If they aren't directly connected you can tell BGP how many hops to allow for the IBGP connection. If they are connected via an IGP it will work.
5. Unless you want to load balance between them, I would recommend that you ask your ISP to send you only the default route. You don't need the whole internet.
6. AS-prepend is to make the inbound route through one ISP preferable to another. But you have little control over that anyway since you don't control the hops from some remote location to you. It certainly does nothing if you add the same number of AS hops on both links. And you must prepend with your own AS #, not the ISP's.
7. If you have 2 ISPs, the usual procedure is to get your own registered AS # and it will be the same for both ISPs. If you don't, you need to get the 2 ISPs to give you the same private AS #.
8. You don't need a route-map out if you're using network statements instead of redistributing your IGP into BGP. But I guess it doesn't hurt either.

Whew! That's enough for now. I'm leaving at noon California time so if you don't get back to me before then I'll respond on Monday.
0
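The mismatch called out in the comment above (route-maps applied but never defined, and defined but never applied) can be checked mechanically. The following is an added example, not part of the original thread: a small audit over the BGP and route-map lines of Router 1 as first posted. The function name `audit` is hypothetical, and only `neighbor ... route-map` and `redistribute ... route-map` references are recognised.

```python
import re

# Router 1's BGP and route-map lines as first posted in the question (sample input).
ROUTER1_CONFIG = """\
Router BGP 50
Neighbor 10.10.24.4 remote-as 721
Neighbor 10.10.24.4 route-map ISP-2 out
Neighbor 214.4.106.1 remote-as 50
Neighbor 214.4.106.1 next-hop-self
Access-list 1 permit 214.4.106.0
Access-list 2 permit 214.4.105.0
Route-map PENT-NIPR permit 10
  Match ip address 1
   Set as-path prepend 721 721 721
Route-map PENT-NIPR permit 20
 Match ip address 2
"""

# IOS keywords are case-insensitive; route-map names are compared exactly as written.
APPLIED = re.compile(r"(?:neighbor\s+\S+|redistribute\s+.+?)\s+route-map\s+(\S+)", re.I)
DEFINED = re.compile(r"route-map\s+(\S+)\s+(?:permit|deny)\b", re.I)
MATCH_ACL = re.compile(r"match\s+ip\s+address\s+(.+)", re.I)
ACL = re.compile(r"access-list\s+(\S+)\s+(?:permit|deny)\b", re.I)

def audit(config):
    """Report route-maps and ACLs that are referenced but missing, or defined but unused."""
    applied, defined, acl_refs, acl_defs = set(), set(), set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := DEFINED.match(line):
            defined.add(m.group(1))
        elif m := APPLIED.match(line):
            applied.add(m.group(1))
        elif m := MATCH_ACL.match(line):
            tokens = m.group(1).split()
            if tokens[0].lower() != "prefix-list":  # prefix-lists are out of scope here
                acl_refs.update(tokens)
        elif m := ACL.match(line):
            acl_defs.add(m.group(1))
    return {
        "applied_but_undefined": sorted(applied - defined),
        "defined_but_unapplied": sorted(defined - applied),
        "acl_referenced_but_undefined": sorted(acl_refs - acl_defs),
    }

if __name__ == "__main__":
    for finding, names in audit(ROUTER1_CONFIG).items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```

A route-map used only by a statement this sketch does not parse (for example policy routing on an interface) would be reported as unapplied, so treat findings as prompts for a manual check.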
 

Author Comment

by:ritru
ID: 11690856
Sorry for the confusion about the sample config, I'll reprint the correct version below. Do you mean install default-originate in router 2? Now router 2 and router 3 are not directly connected... They are connected through an ATM cloud. Do I need another statement in the BGP configuration for router 2 and/or router 3? Because router 3 doesn't show the BGP connection in the router's IP routing table (show ip route), it only shows the connected subnets. Although when I do a show ip bgp neighbors on router 3, I can see the TCP connection between router 2 and 3.

Keep in mind the networks (.108, 110, 111) are really intended for the LAN network on router 2. So there is an IBGP connection between router 1 and router 3. It's a little backwards but that's how they want.. So the networks above come from the internet cloud and they come in through router 1 and router 1 sends the traffic across the IBGP link to router 3. If they originate from a mail server from the router 3 network that's intended to go to the .108 network, the traffic will go through router 3 to router 1 and then out to the internet... I know it's a little confusing, but hopefully you can follow the proposed configurations below. Any suggestions or modifications to the configs below...





Router 1:
Int fastethernet 0/0
description connection to Router 2
Ip address 214.4.105.1 255.255.255.252 secondary
Ip address 214.4.106.2 255.255.255.252

Int fastethernet 0/1
description connection to ISP1
Ip address 10.10.24.1 255.255.255.0

Router BGP 50
No sync
Bgp log-neighbor-changes
Network 214.4.105.0
Network 214.4.106.0
Neighbor 10.10.24.4 remote-as 721  
Neighbor 10.10.24.4 route-map ISP-1 out
neighbor 10.10.24.4 route-map ISP-1in in
Neighbor 214.4.106.1 remote-as 50
neighbor 214.4.106.1 route-map router-2 out
Neighbor 214.4.106.1 next-hop-self
No auto-summary

Access-list 1 permit 214.4.106.0
access-list 1 deny any
Access-list 2 permit 214.4.105.0
access-list 2 deny any
Access-list 3 permit 214.4.108.0
Access-list 3 permit 214.4.110.0
Access-list 3 permit 214.4.111.0
access-list 3 deny any


Route-map ISP-1 permit 10
  Match ip address 1
   Set as-path prepend 721 721 721  

Route-map ISP-1 permit 20
 Match ip address 2  

route-map ISP-1in permit 10
match ip address 3      

route-map router-2 permit 10
match ip address 3


Router2:

Current configuration : 1465 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname router3

!
syscon address 1.1.1.1 password
syscon shelf-id 0
ip subnet-zero
ip cef
!
!
!
!
!
!

!
interface FastEthernet0/0
 description to router2
 ip address 199.57.22.34 255.255.255.252
 duplex half
 speed 10
!
interface FastEthernet0/1
 description connection to ISP2
 ip address 198.26.74.176 255.255.255.0
 duplex full
 speed 100
!
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 redistribute connected
 neighbor 198.26.74.177 remote-as 500
 neighbor 199.57.22.33 remote-as 50
 no auto-summary
!
ip classless
no ip http server

!
line con 0
 stopbits 1
line aux 0
line vty 0 4
 password dos
 login
line vty 5 15
 password dos
 login
!
end


Router3:

Int fastethernet 0/0
description connection to router 1
Ip address 214.4.105.2 255.255.255.252 secondary
Ip address 214.4.106.1 255.255.255.252

Int fastethernet 0/1
description connection to router 3
Ip address 10.10.13.1 255.255.255.0

Router BGP 50
No sync
Bgp log-neighbor-changes
Network 214.4.105.0
Network 214.4.106.0
Neighbor 10.10.13.3 remote-as 65000  
Neighbor 10.10.13.3 route-map router-3 out
Neighbor 214.4.106.2 remote-as 50
neighbor 214.4.106.2 route-map router-3in in
Neighbor 214.4.106.2 next-hop-self
Maximum-paths 2
No auto-summary

Access-list 1 permit 214.4.105.0
access-list 1 deny any
Access-list 2 permit 214.4.106.0
access-list 2 deny any
Access-list 3 permit 214.4.108.0
Access-list 3 permit 214.4.110.0
Access-list 3 permit 214.4.111.0
access-list 3 deny any

Route-map router-3 permit 10
  Match ip address 2
   Set as-path prepend 500 500 500  

Route-map router-3 permit 20
 Match ip address 1

route-map router-3in permit 10
match ip address 3
set metric 10000
0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 11695563
IBGP has an administrative distance of 200, so you won't see any BGP routes on router3 in show ip route unless there is no other route to that network. If you type sho ip bgp route, you should see some routes though.

Router 2 still has "hostname router3" and an interface description that says "to router 2" and Router 3 has an interface description that says "connection to router 3." Are they backwards?

So, is your goal to make Router2 take over if the primary path through Router1 fails? If so, it needs to be part of your IBGP also. You are using a BGP AS of 50 with ISP1. Do you own that AS# or did they assign it to you? You need to make your AS # with both ISPs the same. If you own 50, use that everywhere.

AS prepend is to make the path to you look worse through one ISP than the other. If you use it with both ISPs you defeat the purpose.

Do I make sense so far?
0
 

Author Comment

by:ritru
ID: 11696256
Now I understand so far... But my goal is to have router 3 take over if the route through router 1 fails... Remember router 2 and 3 are connected via an ATM cloud. And router 2 is connected to ISP 2. I had to use the multihop command because router 2 and 3 are not directly connected. Now I own AS 50, but that's only for router 1 and router 3 for IBGP... ISP1 and ISP 2 have set AS #'s.


Now for router 3 I'm unable to see any BGP in the routing table. I don't think IGP is running or router 3 is not advertising to router 2. What do you think... what sample configs or modifications do you recommend?
0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 11696455
I need clarification on which is router 2 and which is router 3 as mentioned in my last post. The one you called router 2 seems to be the one connected to ISP2 but you're saying router 3 is connected to ISP2. I don't understand.

Where did AS 65000 come from? Is AS 50 an ARIN-registered AS #? If so, all 3 of your BGP routers should be in AS 50.
Here are the basic steps:
1. All 3 of your BGP routers should be in the same AS (50). They all need to be neighbors.
2. Both ISP-connected routers should have the statement default-information originate. This gives you a default route for internet access.
3. On the router connected to ISP 1, have your inbound route map set a local pref of 110 for the routes you accept.
4. On the router connected to ISP 1, remove the AS-prepend statement.
5. On the router connected to ISP 2, have your inbound route map set a local pref of 90 for the routes you accept.
6. On the router connected to ISP 2,  you can keep the AS-prepend statement. But you need to prepend with YOUR AS, not the ISP's.
0

 

Author Comment

by:ritru
ID: 11700285
Sorry, you are right, router 2 is connected to ISP 2. And the only AS I own is AS 50... The AS on router 3 is not mine to manipulate. Both ISP routers do have the default-information originate already configured. So what you're saying is set the local pref to 110 on router 1 (ISP 1) inbound route-map with the networks attached and set the local pref to 90 on router 2 (ISP 2 connected). And this will propagate that router 1 is the preferred route and router 2 is the second option if router 1 fails.
0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 11706162
Exactly. But local pref doesn't leave the AS. So the 2 routers that connect to your ISPs must have the same AS number (IBGP between them) or it won't work. If ISP 2 has assigned you AS 6500, work with them to change it to 50. Since you own it that should not be a problem at all.
0
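The local-preference steps and the "local pref doesn't leave the AS" point from the two expert comments above, worked through as a small model. This is an added example, not part of the original thread: it implements only the first two best-path steps (highest local preference, then shortest AS path), and the function names are hypothetical. AS numbers 50, 721, 500 and 65000 and the 110/90 values are the ones used in the thread.

```python
from dataclasses import dataclass, replace

DEFAULT_LOCAL_PREF = 100  # value assumed when no local preference is set
MY_AS, ISP1_AS, ISP2_AS = 50, 721, 500  # AS numbers used in the thread

@dataclass(frozen=True)
class Path:
    prefix: str
    as_path: tuple
    local_pref: int = DEFAULT_LOCAL_PREF
    exit_router: str = ""

def best(paths):
    """First two best-path steps only: highest local-pref, then shortest AS path."""
    return max(paths, key=lambda p: (p.local_pref, -len(p.as_path)), default=None)

def ebgp_send(path, sender_as, prepend=0):
    """EBGP update: sender puts its AS in front (plus prepends); LOCAL_PREF is not sent."""
    return replace(path, as_path=(sender_as,) * (1 + prepend) + path.as_path,
                   local_pref=DEFAULT_LOCAL_PREF)

def inbound_map(path, router, local_pref):
    """Inbound route-map on an edge router: tag the accepted route with a local-pref."""
    return replace(path, exit_router=router, local_pref=local_pref)

def outbound_exit(isp1_up=True, isp2_up=True):
    """Exit router chosen inside AS 50 for the default route (IBGP keeps LOCAL_PREF)."""
    default = Path("0.0.0.0/0", ())
    learned = []
    if isp1_up:
        learned.append(inbound_map(ebgp_send(default, ISP1_AS), "router1", 110))
    if isp2_up:
        learned.append(inbound_map(ebgp_send(default, ISP2_AS), "router2", 90))
    winner = best(learned)
    return winner.exit_router if winner else None

def across_as_boundary():
    """Router 2 left in AS 65000: its local-pref 90 is gone after the EBGP hop to AS 50."""
    at_router2 = inbound_map(ebgp_send(Path("0.0.0.0/0", ()), ISP2_AS), "router2", 90)
    return ebgp_send(at_router2, 65000)

def internet_view(prepend_isp1=0, prepend_isp2=3):
    """AS paths a remote network sees for 214.4.105.0/24 through each ISP."""
    lan = Path("214.4.105.0/24", ())
    via_isp1 = ebgp_send(ebgp_send(lan, MY_AS, prepend_isp1), ISP1_AS)
    via_isp2 = ebgp_send(ebgp_send(lan, MY_AS, prepend_isp2), ISP2_AS)
    return via_isp1.as_path, via_isp2.as_path

if __name__ == "__main__":
    print(outbound_exit(), outbound_exit(isp1_up=False))
    print(across_as_boundary())
    print(internet_view(), internet_view(3, 3))
```

Prepending on both links, as in the first configs posted, yields equal-length paths, so AS-path length no longer separates the two ISPs; remote networks may also apply their own policy ahead of path length.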
 

Author Comment

by:ritru
ID: 11736931
mike, I got the route to default to router 2 when I disconnected the primary router 1 route. But when I do a traceroute it gets to the router 2 WAN interface and it times out instead of sending the traffic to router 3 and out to the LAN. I have a network statement in the BGP for router 3 so it should advertise the network to router 2, but it times out???
Do I need to advertise it through an aggregate-address on router 3?

example:
traceroute 214.4.106.1

1. 10.10.24.4 [ AS 721] 120 msec 90msec
2. Someother router 120 msec 90msec
3. 198.26.74.177 [AS 500] 120 msec 90msec
4. 199.57.22.34 120 msec 90msec
5. * * *
6 * * *
4.
0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 11737458
Where are you tracerouting from? Based on your first hop, shouldn't 214.4.106.1 be directly connected across the fast ethernet? BGP shouldn't even be involved. Or did you shut that interface on router1?

I would get rid of the next-hop-self commands.

Are all 3 using the same AS# now? Are you only using BGP between these routers or do you have an IGP also? You should only use BGP between routers that are involved with your internet connectivity, which if I understand correctly are only routers 1 and 2. You should run something else like EIGRP between all 3 routers. BGP is not intended as an internal routing protocol and some of your problems may be stemming from that.

Please post the output of the following commands from all 3 routers:
sho ip route
sho ip bgp neighbor
sho ip bgp

I am still confused about your topology. It would really help if you'd just post the actual configs.

Do you still think this is only a 300 point question?
0
 

Author Comment

by:ritru
ID: 11814619
Alright, let's make this simpler... How about a sample config for failover between four routers using BGP...


O(router 1)------O(router 2)
|                       |
|                       |
|                       |
O(router 4)------O(router 3)

Where router 4 is the primary router and router 3 is the back-up route in case the route to router 4 fails.....:>
0
 
LVL 28

Accepted Solution

by:
mikebernhardt earned 300 total points
ID: 11816150
I don't get your IP addressing completely so I'm going to assume the following subnets for simplicity. Although I'm using a lot of 10 network, for this purpose they are legal addresses that can be routed to the internet. This might need some tweaking but it gives you the basic idea. The main things that happen are:
1. Both routers run BGP to your ISPs. They receive the default route only. You can save a lot of CPU by requesting that the ISP only send you the default route. But the inbound route map is your safety net.
2. Router 3 applies AS-prepend so it should, in general, be less preferred than Router 4 for inbound traffic from the internet.
3. Both routers redistribute BGP into EIGRP. Router 3 applies a higher EIGRP metric than Router 4, so Router 4 will be your preferred router for outbound traffic. If it loses BGP, it will not advertise the default into EIGRP so Router 3 will become your preferred outbound router.
4. Both routers redistribute EIGRP into BGP instead of using network statements in BGP. That way if one loses its link to the LAN, it will not advertise LAN network to the internet.
5. Routers 3 and 4 do not talk EIGRP to each other, so they will not route traffic to each other if a problem arises.
6. Note that I did not use "no sync" because I only want BGP to advertise what it can get to via EIGRP.


router 4-ISP 4.0.0.0/30
router 3-ISP 3.0.0.0/30
router 4-router 3 10.4.3.0/30
router 4-router 1 10.4.1.0/30
router 3-router 1 10.3.1.0/30
router 1-router 2 10.1.2.0/30
LANs behind router 1 and router 2: 214.4.105.0 and 214.4.106.0

router 4:
router eigrp 100
 network 10.0.0.0
 network 4.0.0.0
 redistribute bgp 50
 default-metric 1000 100 255 1 1500
 default-information originate
 passive-interface [interface to router 3]

router bgp 50
 neighbor 4.0.0.1 remote-as 721
 neighbor 4.0.0.1 route-map default-route in
 neighbor 10.4.3.2 remote-as 50
 redistribute eigrp 100 route-map outbound-routes

access-list 10 permit 214.4.105.0
access-list 10 permit 214.4.106.0
access-list 11 permit 0.0.0.0

route-map outbound-routes permit 10
 match ip address 10

route-map default-route permit 10
 match ip address 11


router 3:
router eigrp 100
 network 10.0.0.0
 network 3.0.0.0
 redistribute bgp 50
 default-metric 2000 100 255 1 1500
 default-information originate
 passive-interface [interface to router 4]

router bgp 50
 neighbor 3.0.0.1 remote-as 500
 neighbor 3.0.0.1 route-map default-route in
 neighbor 10.4.3.1 remote-as 50
 redistribute eigrp 100 route-map outbound-routes

access-list 10 permit 214.4.105.0
access-list 10 permit 214.4.106.0
access-list 11 permit 0.0.0.0

route-map outbound-routes permit 10
 match ip address 10
 set as-path prepend 50 50 50 50

route-map default-route permit 10
 match ip address 11


router 1:
router eigrp 100
 network 10.0.0.0
 network 214.4.105.0
 network 214.4.106.0

router 2:
router eigrp 100
 network 10.0.0.0
 network 214.4.105.0
 network 214.4.106.0
0
