hermanazefor

BGP Failover issues

Hello,

I am having some BGP issues within my network and was wondering if anyone can suggest a better design for this. I currently have dual paths to the internet. Very basic BGP and iBGP configuration to always prefer the router with the highest weight. One link is 100 Mbps and the other is 10 Mbps. I am running HSRP on the LAN interfaces on these routers, and the 100 Mbps router is the primary HSRP router.

However, I keep having a problem with failover: any time there is an outage on the primary internet connection it takes almost 10 minutes to fail over. I will try to VPN in to check what is going on; by the time I do, it has already failed over. How can I tune this for better failover?

Thank you,

rfc1180

A network diagram and configs would be nice; this will allow us to assist you much better. Please remove any usernames and passwords from the configs.

Billy
hermanazefor

ASKER

version 12.4
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
service compress-config
service sequence-numbers
no service dhcp
!
hostname router-primary
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 64000 notifications
logging rate-limit 4 except errors

!
aaa new-model
!
!
aaa authentication login default group tacacs+ line enable
aaa authentication login CONSOLE enable
aaa authentication enable default group tacacs+ enable
aaa accounting exec default
 action-type start-stop
 group tacacs+
!
!
!
aaa session-id common
clock timezone PST -8
clock summer-time PST recurring
!
dot11 syslog
no ip source-route
ip icmp rate-limit unreachable 750
ip cef
!
!
!
!
no ip domain lookup
ip domain name fnbm.corp
no ipv6 cef
ntp server 71.110.4.4
!
multilink bundle-name authenticated
!
!
!
!
!
voice-card 0
!
object-group network HOST-ALLOWING-VTY-ACCESS
 71.110.4.0 255.255.255.0
!
object-group network VTY-AUTHORIZED-USERS
 192.168.2.0 255.255.255.0
 192.168.6.0 255.255.255.0

!
archive
 log config
  hidekeys

ip ssh logging events
ip ssh version 2
buffers small permanent 239
buffers small max-free 342
buffers small min-free 71
buffers middle permanent 192
buffers middle max-free 275
buffers middle min-free 57
buffers big permanent 111
buffers big max-free 159
buffers big min-free 33
buffers verybig permanent 19
buffers verybig max-free 27
buffers verybig min-free 5
buffers large permanent 7
buffers large max-free 11
buffers large min-free 2
buffers huge permanent 5
buffers huge max-free 7
buffers huge min-free 1
!
!
!
!
interface Loopback0
 ip address 127.61.122.67 255.255.255.255
!
interface Loopback10
 description Loopback for NAT pool
 ip address 62.105.19.21 255.255.255.224
!
interface GigabitEthernet0/0
 description Internet Segment (71.110.4.0/24 - HSRP .2)
 ip address 192.168.250.3 255.255.255.0 secondary
 ip address 71.110.4.0 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 no ip virtual-reassembly
 ip tcp adjust-mss 1360
 ip ospf authentication message-digest
 ip ospf message-digest-key
 ip ospf cost 100
 duplex full
 speed 100
 media-type rj45
 standby 1 ip 71.110.2
 standby 1 priority 115
 standby 1 preempt
 standby 2 ip 192.168.241.2
 standby 2 priority 115
 standby 2 preempt
 hold-queue 300 in
 hold-queue 300 out
!
interface GigabitEthernet0/1
 description  100MBPS INTERNET
 ip address 61.46.x.21 255.255.255.252
 ip access-group ACL-FROM-XO-V2008-09-22 in
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 no ip virtual-reassembly
 duplex full
 speed 100
 media-type rj45
 ntp disable
 standby 1 preempt
 hold-queue 300 in
 hold-queue 300 out
!
interface FastEthernet0/0/0
 switchport access vlan 10
 duplex full
 speed 100
!
interface FastEthernet0/0/1
 switchport access vlan 10
 duplex full
 speed 100
!
interface FastEthernet0/0/2
 switchport access vlan 10
 duplex full
 speed 100
!
interface FastEthernet0/0/3
 switchport access vlan 10
 duplex full
 speed 100
!
interface Serial0/1/0
 description IBGP Connection
 bandwidth 1536
 no ip address
 no ip proxy-arp
 ip flow ingress
 shutdown
!
interface Vlan1
 no ip address
!
interface Vlan10
 description IBGP Connection
 ip address 10.1.21.1 255.255.255.252
 no ip proxy-arp
 ip flow ingress
!
router ospf 100
 router-id 64
 no compatible rfc1583
 log-adjacency-changes
 redistribute bgp 40202 metric 100 metric-type 1 subnets route-map BGP2OSPF
 passive-interface default
 no passive-interface GigabitEthernet0/0
 no passive-interface Vlan10
 no passive-interface Loopback0
 network 10.1.21.0 0.0.0.255 area 0
 network 71.110.4.0 0.0.0.255 area 0
 network 127.x.12.0 0.0.0.255 area 0
 default-information originate
!
router bgp 40202
 synchronization
 bgp log-neighbor-changes
 network 71.110.4.0 mask 255.255.255.0
 neighbor 61.46.x.21 remote-as 1021
 neighbor 61.46.x.21 filter-list 10 out
 neighbor 127.x.12.69 remote-as 40202
 neighbor 127.x.12.69 update-source Loopback0
 neighbor 127.x.12.69 next-hop-self
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 61.46.x.21
ip route 167.x.x.0 255.255.255.0 65.46.24.221
ip route 172.x.x.0 255.255.255.0 10.1.1.2
ip route 192.x.x.0 255.255.255.0 71.110.4.1
ip route 192.x.x.0 255.255.255.0 71.110.4.1
ip route 192.5.33.0 255.255.255.0 71.110.4.1
ip route 192.5.34.0 255.255.255.0 71.110.4.1
ip route 192.168.0.0 255.255.0.0 71.110.4.1

no ip http server
no ip http secure-server
!
ip as-path access-list 10 permit ^$
ip flow-cache timeout active 1
ip flow-export source GigabitEthernet1/4
ip flow-export version 5
ip flow-export destination 192.168.x.x 2055
ip flow-top-talkers
 top 20
 sort-by bytes
 cache-timeout 600000

!
ip access-list standard AUTHORIZED-VTY-FROM

 deny   any log
ip access-list standard
 permit 192.x.x.0 0.0.255.255
ip access-list standard

!

!
!
!
r
!
route-map BGP2OSPF permit 10
 match ip address prefix-list DEFAULT-ONLY
!
!
s
!
!
!
!
!


!
line con 0
 exec-timeout 30 0
 logging synchronous
 login authentication CONSOLE
line aux 0
line vty 0 4
 access-class AUTHORIZED-VTY-FROM in
 exec-timeout 30 0
 logging synchronous
 transport input ssh
line vty 5 15
 access-class AUTHORIZED-VTY-FROM in
 exec-timeout 30 0
 logging synchronous
 transport input ssh
!
scheduler allocate 20000 1000
end

For a solid solution to be provided for "BGP Failover issues" and BGP tuning, all configurations and network diagrams should be provided. What you are asking for is not just a simple answer; this could be a very complex issue/config, etc. So please provide a network diagram so that we can visualize your network, the connections that exist and the configurations that have been applied.

Billy
Hello Billy,

I just added a diagram.

Thank you
Great, so tell me a bit about what is going on. You state "However i keep having a problem of failover anytime there is an outage on the primary internet connection it takes almost 10minutes to failover." But what type of troubleshooting have you completed thus far? Are you able to send the configs of all devices in the network (minus the ASAs for now), just the switches and routers?

Billy
The switches are just layer-two devices that handle VLAN traffic. The configuration you see is identical to the other router except for IP addresses. Any time this has happened I have had to log in remotely, and before I do, the problem is already resolved.

I guess my problem is seeking a bgp failover solution which is more efficient and quick.

Thank you
I am sure it is identical, but having both configs will allow us to look for misconfigurations.

Billy
ASKER CERTIFIED SOLUTION
Marius Gunnerud

This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
That is assuming the link upstream is down; no doubt I agree that adding a track will benefit. However, at that point, if the link is down, OSPF should reconverge (the default route would not be available and would no longer be redistributed into OSPF) and routing via OSPF should occur, meaning the default would not be via the upstream gi0/1 interface, but rather the OSPF neighbor via the 10 Mbps upstream link. So basically, traffic would ingress gi0/0, a route table lookup would be performed and traffic would egress back out gi0/0, then via vlan 50 to the other router (ideally). If convergence is taking 10 minutes, there are other issues. I see that you are not filtering inbound, so you are either taking a full route or your upstream is filtering outbound to you (default only); is this the case? If there is an issue with the RIB/FIB upstream, routing would ultimately be non-existent; as the BGP session is directly connected, the session ultimately remains up (traffic would be black-holed). IP SLA would be of benefit in this scenario.

What do you think, MAG?

Billy
Ok Billy, how do I perform IP SLA in this situation?
Thanks for your help.
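An added example (not part of the thread and not the members-only answer) of the IP SLA tracking Billy refers to, written against the primary router's config posted above. It assumes a probe target beyond the provider edge (192.0.2.1 is a placeholder), that the backup router runs the mirror configuration with its own default route and the default HSRP priority of 100, and that the IOS 12.4 train in use accepts the "track ... ip sla" form (older 12.4 images use "track 1 rtr 1 reachability").

```cisco
! Probe a target beyond the provider edge so that an upstream black-hole
! (link up, BGP session up, no forwarding) is detected, not just link loss.
! 192.0.2.1 is a placeholder; use an address the provider keeps reachable.
ip sla 1
 icmp-echo 192.0.2.1 source-interface GigabitEthernet0/1
 frequency 10
 timeout 2000
ip sla schedule 1 life forever start-time now
!
! Tracked object follows probe reachability. The delays dampen flaps:
! one lost probe does not fail over, and recovery waits for a stable path.
track 1 ip sla 1 reachability
 delay down 5 up 30
!
! 1) The static default stays in the RIB only while the probe succeeds.
!    When it is withdrawn, "default-information originate" under
!    "router ospf 100" stops advertising the default, and the backup
!    router's default takes over in OSPF.
ip route 0.0.0.0 0.0.0.0 61.46.x.21 track 1
!
! 2) Drop both HSRP groups on the LAN segment below the backup's assumed
!    priority of 100 (115 - 20 = 95) so the backup becomes active and
!    forwards LAN traffic over its own 10 Mbps uplink.
interface GigabitEthernet0/0
 standby 1 track 1 decrement 20
 standby 2 track 1 decrement 20
!
! Verification from exec mode:
!   show ip sla statistics 1
!   show track 1
!   show standby brief
```

If the upstream also hands down a BGP default, that route enters the RIB once the static is withdrawn and OSPF keeps originating the default, so in that case the HSRP decrement is what actually moves LAN traffic to the backup router.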