biggynet

bgp inbound traffic multi-homed failover

I have a multi-homed failover scenario. I advertise my public subnet to ISP1 with normal AS path and prepend the AS path going to ISP2 so that ISP2 will act as the backup. I would expect that for the inbound traffic, everything will go to ISP1. But after inspecting the traffic through the firewall/router, I see inbound traffic going through ISP2 as well. How do I fix that? I only want inbound traffic via ISP2 if ISP1 would go down. Is this something that ISP2 has to do on their end? Thx
ASKER CERTIFIED SOLUTION
Jan Bacher

biggynet

ASKER

"ISP2 is not going to prefer exiting its network if it knows about your prefixes and traffic originates from its network."

Not sure I understand what you meant.
The block of public IP addresses is from ISP1. So I advertise it to ISP1 and ISP2 (with AS prepending). ISP2 will advertise my block with AS prepending to the Internet. So the route will be propagated to other BGP peers, which will prefer the route of ISP1 over ISP2 for my inbound traffic. It should not see the route through ISP2 as the preferred route. Correct?
If your traffic is destined to ISP2's network, ISP2 is going to send the data back through the directly connected path.  In other words, they most likely have configured their routers to change the preference of the routes of the destination if it is directly connected.

You get to decide how you want to route your packets but, when they hit another provider's network, that provider may decide to do something different.
In a normal situation, my outbound traffic will only go to ISP1 because I set up the weight to have ISP1 as the preferred path. But for the outbound traffic, it should see ISP1 as the only preferred route because the traffic from my network coming out of ISP2 has the AS_path prepending. So all traffic should go only to ISP1 and not ISP2. I don't think ISP2 will change anything in the routes coming from my network.
router bgp my_AS_#
 network ISP1_block_of_IP_address mask 255.255.255.0
 !
 neighbor ISP2_ip_address remote-as ISP2_AS
 ! advertise only our /24 to ISP2, with the AS path prepended by MY-OUT
 neighbor ISP2_ip_address prefix-list OUTBOUND out
 neighbor ISP2_ip_address route-map MY-OUT out
 ! accept only a default route from ISP2
 neighbor ISP2_ip_address prefix-list DEFAULT in
!
ip prefix-list OUTBOUND permit ISP1_block_of_IP_address/24
ip prefix-list DEFAULT permit 0.0.0.0/0
!
! prepend our own AS three times on everything sent to ISP2
route-map MY-OUT permit 10
 set as-path prepend my_AS_# my_AS_# my_AS_#
Your route-map does not affect your traffic leaving the router.  It tells other routers the path that you prefer for traffic coming into your network.
Correct. Traffic coming into my network is inbound traffic. That's what I was trying to explain. I use the weight, which is not shown here, for my outbound traffic. So in a normal situation, all traffic will go to ISP1 and I SHOULD NOT SEE ANY OUTBOUND TRAFFIC COMING THROUGH MY ISP2 because I am prepending my advertisement through my ISP2.
Are the IP addresses you are seeing coming inbound via ISP2's link in blocks that are owned by ISP2?

pergr is 100% correct. Typically ISPs will route traffic from addresses they own directly over links that they provide.

Using the diagram (hopefully it comes through) below, the flow would be:

1) Any traffic coming from "Other ISPs and their customers" will get to you over ISP1's link until that link fails.
2) Any traffic coming from "Other ISP1 Customers" will get to you over ISP1's link until that link fails.
3) Any traffic coming from "Other ISP2 Customers" will get to you over ISP2's link until that link fails.

       Other ISP2 Customers
                /\
                |
                \/
        /----> ISP2 <----\
YOU <--|                  |--> "Internet" <-- Other ISPs and their customers
        \----> ISP1 <----/
                /\
                |
                \/
       Other ISP1 Customers
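
An added example, not part of the original thread: a simplified Python model of the best-path choice each network makes, reproducing the three flows listed above and the failover case. The AS numbers are constructed, and the LOCAL_PREF policy (customer-learned routes preferred over peer-learned routes) is an assumption about how the ISPs are configured.

```python
from dataclasses import dataclass

# Constructed private-use AS numbers; not values from the thread.
YOU, ISP1, ISP2, OTHER = 64512, 64601, 64602, 64700
PREPENDS = 3  # the posted route-map prepends the local AS three times
# Assumed (common, not universal) provider policy: routes learned from a
# customer get a higher LOCAL_PREF than routes learned from a peer.
LOCAL_PREF = {"customer": 200, "peer": 100}

@dataclass(frozen=True)
class Route:
    learned_from: int   # neighbor AS that sent the route
    relationship: str   # "customer" or "peer", from the receiver's view
    as_path: tuple      # AS_PATH as received

def candidates(viewer, isp1_up=True):
    """Routes to your prefix as seen at `viewer` (ISP1, ISP2 or OTHER)."""
    heard = {ISP2: (YOU,) * (1 + PREPENDS)}   # prepended towards ISP2
    if isp1_up:
        heard[ISP1] = (YOU,)                  # normal path towards ISP1
    routes = []
    for isp, path in heard.items():
        if isp == viewer:   # learned directly from you, the customer
            routes.append(Route(YOU, "customer", path))
        else:               # re-advertised by that ISP with its AS in front
            routes.append(Route(isp, "peer", (isp,) + path))
    return routes

def best_path(routes):
    """Simplified decision: highest LOCAL_PREF first, then shortest AS_PATH."""
    return min(routes, key=lambda r: (-LOCAL_PREF[r.relationship], len(r.as_path)))

def ingress_link(viewer, isp1_up=True):
    """Which of your two links traffic sourced in `viewer`'s network uses."""
    best = best_path(candidates(viewer, isp1_up))
    first_isp = viewer if best.relationship == "customer" else best.learned_from
    return "ISP1" if first_isp == ISP1 else "ISP2"

if __name__ == "__main__":
    for name, asn in (("Other ISPs", OTHER), ("ISP1", ISP1), ("ISP2", ISP2)):
        print(f"{name:10} -> {ingress_link(asn)} "
              f"(ISP1 down: {ingress_link(asn, isp1_up=False)})")
```

LOCAL_PREF is compared before AS_PATH length, so in this model the prepend only decides the outcome in networks that hold both routes at the same preference.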
For the record, since biggynet mentioned they have their own AS number (and so are not using a private AS or the AS of one of the ISPs), it does not really matter from where they got their IP addresses.

I even suspect that since they have their own AS number, they probably have their own IP range. Possibly one of the ISPs just helped out with the application and process.
One thing I don't understand is when I advertise my prepending AS_path routes to ISP2. ISP2 will add its AS_path and send it to the peers. Therefore, my routes advertised by ISP2 should not be the preferred one over ISP1. Thus, all traffic destined for my AS, should go through ISP1 and not ISP2.
Well, what we don't know which you are implying is that the IP addresses that are coming in via ISP2 are not from ISP2, but from their peers.

Is that what you are saying?
Yes. The peers learned my block of IP addresses from ISP2's advertisement, which has my route as prepending. What I am saying is my route advertised by ISP2 to the Internet is not the preferred one. My route advertised by ISP1 is the preferred one. Therefore, all the traffic destined for my network will all go through ISP1. Correct?
Oh, just to make sure, I am NOT recommending that you stop advertising across ISP2 until ISP1 goes down.

I would continue to advertise over ISP2 and just live with the fact that you can't fully control which path the traffic comes in on.