The purpose of using BGP

jskfan (asker)

Other than Service Providers, I would like to know in which scenarios a company can use BGP.
Reading online, they state that the only case where you need to use BGP is when you have 2 or more Active links to Service Providers, meaning not one Active and the other Backup, but both Active/Active.

Well, is BGP used to advertise your inside Networks or to reach outside Networks? Reaching outside Networks, I believe, does not require BGP configured in your LAN.

Any clarification will be very much appreciated.
Ken Boone

BGP is used for large scale routing. That is why you see it in providers' networks. Unless you have a large corporate network - worldwide large - as in Donald Trump "HUUUGEE" - you probably won't use BGP except in the following cases:

#1) As you mentioned, when you have two active links to an ISP and you want redundancy.

#2) Connecting to an MPLS backbone where the provider makes the connection via BGP.

BGP is broken up into two things: EBGP, which is External BGP, and IBGP, which is Internal BGP. As the BGP name implies (Border Gateway Protocol), BGP is primarily used to exchange routes between different networks. Not two subnets talking through a router kind of thing, but two networks, as in your company's network and the ISP's network.

In both of the cases I mentioned above you would be running EBGP. So BGP is used to advertise your routes to the ISP's network, so your public address space gets advertised to the world, and it is used to learn either a default route from your provider, or a default route plus the routes in the provider's backbone, or a default route plus all of the available Internet routes. - You need a big router and a lot of memory for the last one.

In the case of #1 above there are multiple ways you could set that up as well. You can connect to two ISPs with a single router, and run eBGP on both links, learning routes from both providers and sharing your route with them. You could also use two routers, with one going to each ISP. In this case you might run iBGP between your two routers to exchange the routes learned from the providers, depending on how you want to set it up.

In the case of an MPLS connection, it is usually where you contract service with an MPLS provider to connect all of your corporate locations together on a private backbone. In this case it is usually a single router at each site, except maybe at the HQ site, and then each router runs eBGP with the next-hop provider's router. In this scenario, you are injecting routes from each of your locations into your MPLS cloud, and also learning the routes from your other locations across the cloud. This gives you the freedom to add a new network at site A, and have sites B, C, and D learn the route back to site A, without having to contact the provider to have them update routes, and it keeps you from having to configure static routes.

It is not typically run in the LAN environment. Internal routing is usually done via what we would call an interior routing protocol, which would be OSPF, RIPv2, or Cisco's proprietary EIGRP.

Hope that helps.
A routing protocol allows the network to move past static routing.

A "simple" network with just one link between each site (or network) can be managed with static routes; as soon as the network becomes "complex" or too large to manually manage with static routes, using a routing protocol enables the network to scale and remain manageable.
The size of the network does not matter.

If you have two external circuits with either the same provider or two different providers, then you want BGP to control both your inbound and your outbound traffic.
jskfan (asker)

Outbound:
If I am connected to the outside world through 2 ISPs (Comcast and ATT), both Active, do I need BGP?
If so, how can I split the traffic between both ISPs?

Inbound:
Let's say I need outside customers to reach my web servers inside my company. Do I need BGP? Or just register my public DNS IP address?
Well, you have alternatives. With BGP you either have your own public class C address, or one of the providers would provide you with a public /24 network for your use. The other provider would agree to provide routing for that /24. Then you run BGP with both providers, advertising that single /24 (or larger) out to the ISPs, which announce it out to the greater Internet.

So outbound you have full control over via many ways. If you want to have something close to a 50/50 load distribution, then you could have two routers (one to each provider) and then run EIGRP from each router to a layer 3 core switch. You would receive a default route from each provider via BGP and would redistribute that into EIGRP. You would NOT run iBGP between the routers. Then, since the core will receive two default routes, you can set EIGRP to load balance across the two equal cost paths. So the core router will attempt to split the traffic between the two routers; each router has a single default route out. That is ONE way to do it. If you have a single router it is a little harder to accomplish, because routing is done on a per hop basis. So at that point the router would choose a single route out. You can use policy based routing to direct some of your traffic to the other gateway. But then it doesn't have a good failover mechanism if one of the links fails. Generally, depending on your business, the outbound traffic is not the big issue - if you are hosting something that is bandwidth intensive, i.e. lots of video, constant software downloads, etc., then it would be a big deal.

Inbound is the bigger issue. So if you have a public IP address and a single provider you don't need BGP; everything can be done with static routes. The provider puts a static route to you, and you put a static default route to the provider. Now the provider will then advertise your network to the rest of the world. All works good. When you go to two providers, if you run BGP and have at least a /24 to work with for your public IP address, then you can set up BGP with each provider as mentioned before. If you DON'T do this, then you have to deal with two different IP address spaces. Then we have to deal with other issues, such as how fast will DNS get updated when you have a provider switch, do you have a single firewall that both providers come through? If so, will the firewall support two different NAT entries for the same inside IP address? You will need some type of policy routing to switch traffic if one provider fails, etc.

So BGP is used to advertise the public IP address space out.  If you use statics, then the provider will use BGP to advertise your route out to the rest of the world.  In either case, if you want customers to reach you via a DNS name, you will need to have a public DNS host entry for your website and whatever other hosts customers need to reach.  You will need this regardless.

Hope that helps.
jskfan (asker)

So even if you have your domain DNS registered, you still need to have BGP configured? Assuming you have 2 ISPs.
So BGP and DNS are two totally separate functions.  BGP is for routing... learning and sharing your routes.  DNS is for IP address resolution of hostnames.
To be able to use connections from two ISPs for load failover to an address, you would need to run BGP with each ISP and also have PI address space.

Most ISPs will only run BGP on "business" connections, and the smallest address range that can be advertised is a /24, acquiring a /24 these days may prove difficult...

For inbound load failover, you might also look at "Dynamic" DNS, publishing an A record with a short TTL and automatically changing it to a secondary address as/when required.
jskfan (asker)

ArneLovius

Can you elaborate on the comments below:
To be able to use connections from two ISPs for load failover to an address, you would need to run BGP with each ISP and also have PI address space.

For inbound load failover, you might also look at "Dynamic" DNS, publishing an A record with a short TTL and automatically changing it to a secondary address as/when required.
If you have two or more connections/providers, you run BGP to control your inbound and outbound traffic.

In the networking world, we drop any incoming prefixes from our eBGP neighbors that are smaller than a /24.

What is the size of your subnet(s) that you would announce?
PI is "Provider Independent": an IP address block that you get directly from your RIR (Regional Internet Registry, which, as you mentioned ATT and Comcast, would be ARIN), rather than getting it from an ISP.

BGP allows for this address block to be "advertised" to the rest of the Internet over more than one Internet connection, but it requires cooperation from each serving ISP to do this, as it is the ISP that advertises the PI space to its peers rather than you directly. Running BGP is not just configuring BGP on your routers; it requires the serving ISP to configure their routers to run BGP with your routers.

One reason to run BGP is to increase availability, so if one connection goes down (digger going through a copper/fibre bundle, ISP routing failure, line termination card failing etc), inbound traffic will automatically go over the other connection. Outbound traffic is much simpler to control, as it can be directly controlled by you; you have no direct control over inbound traffic.

DNS provides a layer of abstraction to IP addresses. Dynamic DNS simply means having an automated method of updating DNS records.

To pick a specific use case, an on site web server. A web server that would be accessed by a hostname; I'm going to use file.domain.com (used for transferring large image files to/from clients that are then worked on by people in the company, so no point in moving to external hosting) as the hostname. A hostname would usually have a single DNS A record (there can be more than one, but that would be for a different use case than the one I am describing).

Let's say that this A record resolves in DNS to an address on a Comcast connection, but you want to be able to also use an ATT connection if the Comcast connection is down. To do this:

First you need a NAT device that can failover traffic between the Comcast and ATT connections based on reachability of an address outside the Comcast and ATT networks. Cisco ASA and SonicWALL can do this, as can open source appliances such as pfSense.

Second you would either use a DNS hosting provider that checks to see if the web server is available on the address on the Comcast connection, and if it is not, changes the A record to the address on the ATT connection; or use a DNS provider where you run an application/script that keeps updating the A record based on the address that the connection is from: if the Comcast connection is up, the address will be the Comcast address, and if it fails over, the address will be from the ATT connection.

Now you have a hostname that is usually available on the Comcast connection, but if the Comcast connection is down, the A record will be automatically updated to be on the ATT connection; when the Comcast connection comes back up, the DNS A record would be updated, making the hostname available on the Comcast connection again.

Dynamic DNS can improve availability, not to the level of having two connections, PI space and BGP, but at much lower outlay, as there is no requirement for PI space or BGP.

ARIN charges for PI space are detailed here https://www.arin.net/fees/fee_schedule.html

For a single /24 and single AS, you would be $450 per annum, plus $550 initial cost for the AS and an undocumented initial fee for the /24.

To go with your PI address space you then need ISP connections with BGP, which from Comcast and ATT would be in their Enterprise level of connections (not xfinity or u-verse).

Then finally you need router(s) capable of running BGP and to configure them.

It all depends on what you are trying to achieve and what your budget is...
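The Dynamic DNS failover described in the post above, as an added example rather than code from the thread or from any named product: a small monitor that flips a short-TTL A record between a Comcast-side and an ATT-side address (constructed values) after a run of failed probes, bumps the zone serial on each change, and fails back only after a longer run of good probes so a flapping link does not cause constant record changes. It assumes the reachability probe runs from outside both ISP networks and that the push to the DNS provider would happen in `_publish`.

```python
from dataclasses import dataclass, field

@dataclass
class FailoverRecord:
    """Published A record for one hostname with a primary and a secondary address."""
    name: str
    primary: str                # address on the primary (Comcast-side) connection
    secondary: str              # address on the backup (ATT-side) connection
    ttl: int = 60               # short TTL so resolvers notice a change quickly
    fail_threshold: int = 3     # consecutive failed probes before failing over
    recover_threshold: int = 5  # consecutive good probes before failing back
    serial: int = 2024010100    # SOA serial, bumped on every zone change (constructed)
    active: str = field(init=False)
    _fails: int = field(default=0, init=False)
    _oks: int = field(default=0, init=False)

    def __post_init__(self):
        self.active = self.primary

    def observe(self, primary_reachable):
        """Feed one probe result for the primary address, taken from outside both
        ISP networks. Returns True if the published record changed."""
        if primary_reachable:
            self._fails, self._oks = 0, self._oks + 1
        else:
            self._oks, self._fails = 0, self._fails + 1
        if self.active == self.primary and self._fails >= self.fail_threshold:
            return self._publish(self.secondary)
        if self.active == self.secondary and self._oks >= self.recover_threshold:
            return self._publish(self.primary)
        return False

    def _publish(self, address):
        # A real implementation would push the update to the DNS provider here.
        self.active, self.serial = address, self.serial + 1
        self._fails = self._oks = 0
        return True

    def zone_line(self):
        return f"{self.name}. {self.ttl} IN A {self.active}"

def run_monitor(record, probe_results):
    """Replay probe results in order; return the address published at each change."""
    return [record.active for ok in probe_results if record.observe(ok)]

# Constructed probe sequence: two good, four failed, then six good probes.
PROBES = [True, True, False, False, False, False, True, True, True, True, True, True]

if __name__ == "__main__":
    rec = FailoverRecord("file.domain.com", "203.0.113.10", "198.51.100.10")
    print(run_monitor(rec, PROBES))  # ['198.51.100.10', '203.0.113.10']
    print(rec.zone_line(), "serial", rec.serial)
```

Clients that cached the old record keep using it until the TTL expires, so the TTL bounds how long the switch takes to be visible.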
It doesn't have to be provider independent. As long as the provider that has assigned the /24 or larger to you provides an LOA and has also SWIPed the space, you should be able to announce that space out another provider once it and its upstreams have adjusted their filters.
@Jan Springer GPWM

There is a third option: use a third party to provide address space that is then tunnelled (a VPN) with primary and secondary routes to on site equipment. This could be done with an ASA/SonicWALL at a colo facility and on site. It has the disadvantage that, because the traffic is encapsulated, the effective MTU will be smaller, but it can provide a faster failover than Dynamic DNS.

As I said previously, it all depends on what you are trying to achieve, and what your budget is...
That's just ugly.  If the author has a /24 or larger from ARIN, he can announce that to his providers.

If the author has a /24 or larger from another company (provider or otherwise), he can get an LOA and announce it to his providers.
I'm not saying that it's not an ugly solution, but sometimes, the ugly solution is the one that works for the client.

Not everyone can justify the expense of a /24 and ISP BGP connections.

I saw it used by a client over a decade ago that had rather "dumb" devices that connected with (mostly) always on mobile data connections and sent a small amount of data every ~minute (to add extra spice, the devices didn't do DNS, so the connection had to be to an IP address...). For "other" reasons, this data had to get back to their office rather than just a colo facility, and they had baulked at the cost of a /24 and BGP, so this Rube Goldberg "network" had been created; you could "see" the gaffer tape holding it together, but it worked...
If you can't justify the expense of a /24 then you don't need to worry about BGP.  Get your redundancy through a single provider.
@Jan Springer, While a single provider can supply two or more connections to provide basic redundancy, if both lines follow the same route, they are highly likely to be taken out by the same digger going through a duct/van driving into a pole/node fault/DSLAM fault. While some providers can provide diverse feeds, this is frequently significantly more expensive as the provider may have to build out in a different direction to that which they currently have. I have many clients with a cable and an xDSL connection using Dynamic DNS to provide basic failover using diverse routing and different providers. Perhaps you have more experience with Enterprise level network implementations where some priorities and budgets may be different to small businesses.
If you need redundancy and cannot get a /24, then get an assignment from each provider and use SLA to monitor the connection and failover appropriately.  There is no need for dynamic DNS or VPNs.

Add in DNS failover like Route53 with AWS and you're set.
DNS Failover _is_ Dynamic DNS
No, it's not.  It's DNS failover.  Dynamic DNS is a different methodology completely.
DNS failover provides high availability by changing zone data, incrementing the serial number and reloading the zone when the monitor detects that the IP address being monitored is not reachable.

Dynamic DNS is a mechanism that pushes a DNS update to a DNS server to create an A or PTR record on the fly.
You are agreeing that the Address is updated Dynamically with Failover DNS?
I am not.
jskfan (asker)

Thank you for the Expertise and Insights, Guys.

A company, when they register their DNS publicly: DomainName = 222.222.222.222
Customers can reach them by typing the DomainName and will be able to get to the company site.
No need for BGP.

If you have your DomainName with 2 different ISPs, then when outside customers type in the DomainName, which ISP will render the response to the customer?

In this case, I do not know how BGP will resolve this issue?

Regarding outbound, I believe you can just put a load balancer (inside the company LAN) in front of your Edge Routers (DSL),
and the requests from inside to outside will be load balanced between the DSL routers (one going to ATT and the other to Comcast).
If you have two providers and you have a /24 or larger, you will announce that via BGP.  Then people can reach your website through each provider.

If you have something smaller than a /24, then you either need DNS failover or Dynamic DNS to change the IP to something from the other provider if the path for the primary IP goes down.
jskfan (asker)

So it is based:
- on the number of Active/Active connections to the providers you have.
If you have one provider as Active and the other as Backup, then you do not need to use BGP.

- also on the subnet size: /24 or larger, we need BGP.

Correct?
No, you can configure BGP to prefer one path in and out and use an alternate path only if the primary is down.

If you have two different providers, use BGP.  You just cannot expect an announcement smaller than a /24 to not be dropped by the rest of the world.
jskfan (asker)

Not smaller than /24:
you mean the company public IP addresses should be /25 and above?
Yes, the public IPs used to route to the Internet.  And not /25 but /24 or larger.  If they aren't at least a /24, then you can't expect them to be reachable to the general Internet -- it will have to be summarized in the provider's subnet that provided that to you to use.
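Jan Springer's point that announcements smaller than a /24 are dropped by the rest of the world, and that such space is then only reachable through the provider's aggregate, as an added example (not code from the thread): a toy eBGP ingress filter plus a longest-prefix-match lookup run over constructed announcements. ISP-A, ISP-B, the documentation prefixes and the trimmed bogon list are all assumptions made for the illustration.

```python
import ipaddress

MIN_PREFIX_LEN = 24  # longest IPv4 prefix most networks accept from an eBGP neighbor
# Trimmed bogon list, constructed for this example; real filters use a maintained list.
BOGONS = [ipaddress.ip_network(p) for p in
          ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def accept_prefix(prefix):
    """Ingress filter for one IPv4 prefix learned from an eBGP neighbor:
    drop bogons and anything more specific than MIN_PREFIX_LEN."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 4 or any(net.subnet_of(b) for b in BOGONS):
        return False
    return net.prefixlen <= MIN_PREFIX_LEN

def build_rib(announcements):
    """announcements: iterable of (prefix, via), `via` naming the eBGP neighbor
    the route came from. Returns {network: [via, ...]} after filtering."""
    rib = {}
    for prefix, via in announcements:
        if accept_prefix(prefix):
            rib.setdefault(ipaddress.ip_network(prefix), []).append(via)
    return rib

def lookup(rib, address):
    """Longest-prefix match: (network, [via, ...]) for `address`, or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for net, paths in rib.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, paths)
    return best

# Constructed announcements as seen by a third-party network on the Internet.
# ISP-A owns the aggregate 203.0.113.0/24 and carved 203.0.113.0/25 out of it
# for the company; ISP-B is the company's second upstream.
ANNOUNCEMENTS = [
    ("203.0.113.0/24", "ISP-A"),   # ISP-A's aggregate, announced regardless
    ("203.0.113.0/25", "ISP-B"),   # company's /25 sent via ISP-B: filtered out
    ("198.51.100.0/24", "ISP-A"),  # a full /24 the company announces via both
    ("198.51.100.0/24", "ISP-B"),
    ("10.20.0.0/16", "ISP-B"),     # leaked RFC1918 space: filtered out
]

def paths_for(address, announcements=ANNOUNCEMENTS):
    """Which eBGP neighbors can deliver traffic for `address` after filtering?"""
    hit = lookup(build_rib(announcements), address)
    return sorted(hit[1]) if hit else []

if __name__ == "__main__":
    print(paths_for("203.0.113.10"))   # ['ISP-A']: the /25 never made it in
    print(paths_for("198.51.100.10"))  # ['ISP-A', 'ISP-B']: the /24 is reachable both ways
    print(paths_for("10.20.1.1"))      # []
```

With the /25 filtered, traffic for 203.0.113.10 still follows ISP-A's aggregate even while the company's ISP-A link is down; only the /24 gains a second path.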
jskfan (asker)

Thank you Jan,

Just wanted to know what a larger Network means.. is it a large number of hosts or subnets?

Example:
/8: larger number of hosts but smaller number of subnets
jskfan (asker)

Thank you Guys