odd BGP Problem

Discussion in 'Cisco' started by Gary, Feb 20, 2008.

  1. Gary

    Gary Guest

    We have a router connected to 2 x tier1 provider routers over a single
    x-connect and we run BGP to them no problems. We have taken on a new client
    that wants their own dedicated cable and BGP session to the same 2 routers
    and a second x-connect is now in and 2 new BGP sessions are up to what are
    actually the same tier1 routers.

    The client wants his address space routed over his cable to the tier1
    provider unless that cable fails in which case the traffic should failover
    to our x-connect to the tier1 provider.

    The question is how do I get the customer's traffic to ONLY leave via his
    x-connect cable/BGP sessions while it is up but failover to ours if his
    fails. Also how do I get the inbound traffic to ONLY come down one set of
    BGP sessions (the client's) as opposed to our BGP sessions while his are up.

    An ASCII diagram would look like


    Our Router A x------------our x-connect------------------------x Tier1 Router A & B
      - This carries two BGP sessions on a small subnet which we use for
        clients to transit generally
    Our Router A x------------client x-connect----------------------x Tier 1 Router A & B
      - This should only carry client subnet in and out while up, otherwise
        failover to our cable and BGP sessions

    Both cables carry 2 BGP peering sessions receiving full routing tables with
    both Tier1 Router A and B so in total we now have 4 full routing tables from
    the same Tier1 provider on Our Router A.


    Hope this makes sense.
    Thanks
    Gary
     
    Gary, Feb 20, 2008
    #1

  2. In article <%6Luj.3489$>,
    "Gary" <> wrote:

    > We have a router connected to 2 x tier1 provider routers over a single
    > x-connect and we run BGP to them no problems. We have taken on a new client
    > that wants their own dedicated cable and BGP session to the same 2 routers
    > and a second x-connect is now in and 2 new BGP sessions are up to what are
    > actually the same tier1 routers.
    >
    > The client wants his address space routed over his cable to the tier1
    > provider unless that cable fails in which case the traffic should failover
    > to our x-connect to the tier1 provider.
    >
    > The question is how do I get the customer's traffic to ONLY leave via his
    > x-connect cable/BGP sessions while it is up but failover to ours if his
    > fails. Also how do I get the inbound traffic to ONLY come down one set of
    > BGP sessions (the client's) as opposed to our BGP sessions while his are up.


    This should happen automatically. The routes through your x-connect
    should have your ASN in the AS path, which will make it longer than the
    routes directly to the tier1 providers.



    --
    Barry Margolin,
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    *** PLEASE don't copy me on replies, I'll read them in the group ***
     
    Barry Margolin, Feb 20, 2008
    #2

  3. Well, having the customer with a separate x-connect and BGP sessions directly
    to the transit providers should automatically have a shorter AS path from
    cust-to-provider. But the customer can set a higher local-pref on the routes
    received from those two neighbors and a lower local-pref to the prefixes
    received from you.

    Now controlling inbound traffic is a bit trickier. You can try AS-PREPEND
    (even though technically it should route automatically to his direct
    connection) but that's beyond your control as the providers can set
    LOCAL-PREF on their side and there goes that idea. So what you can really do
    is:

    1) BGP conditional advertisement (where you track a certain prefix), maybe a
    loopback on the customer routers (2 in this case), and only advertise the
    customer's prefixes to the providers through your link if and only if both
    loopbacks go down. That way the provider will really only see the customer's
    prefixes through their link unless it goes down, then you start advertising
    the customer's prefixes through your connection.

    cya


     
    Yandy Ramirez, Feb 20, 2008
    #3
  4. Gary

    Gary Guest

    "Yandy Ramirez" <> wrote in message
    news:C3E12033.6CCE%...
    > Well, having the customer with a separate x-connect and BGP sessions
    > directly to the transit providers should automatically have a shorter
    > AS path from cust-to-provider. But the customer can set a higher
    > local-pref on the routes received from those two neighbors and a lower
    > local-pref to the prefixes received from you.
    >
    > Now controlling inbound traffic is a bit trickier. You can try AS-PREPEND
    > (even though technically it should route automatically to his direct
    > connection) but that's beyond your control as the providers can set
    > LOCAL-PREF on their side and there goes that idea. So what you can really
    > do is:
    >
    > 1) BGP conditional advertisement (where you track a certain prefix), maybe
    > a loopback on the customer routers (2 in this case), and only advertise the
    > customer's prefixes to the providers through your link if and only if both
    > loopbacks go down. That way the provider will really only see the
    > customer's prefixes through their link unless it goes down, then you start
    > advertising the customer's prefixes through your connection.
    >
    > cya


    Maybe I explained this badly. We have 6 full BGP peering sessions to the
    same TIER1 Provider to different routers. We announce a /19 on all sessions
    and all works well. Now we want a particular /24 within that /19 to only
    come down 2 of the BGP Peering sessions. Should these 2 fail for any reason
    (cable break) we want the /24 to come in any of the remaining 4 BGP
    sessions.

    Hope that clarifies?
    Gary
     
    Gary, Feb 21, 2008
    #4
  5. That makes it a lot easier.
    Is the /24 connected on one of those interfaces on the two routers you want?
    Or is it being subnetted below that point?

    1) If it is connected to an interface (like an ethernet interface on both
    routers) then on both routers you can do something like:

    ! match only the /24 that should follow the two preferred sessions
    ip prefix-list CONN-TO-BGP permit x.x.x.x/24
    !
    route-map CONN-TO-BGP permit 150
     match ip address prefix-list CONN-TO-BGP
     set origin igp
     set community "your community values here"
    !
    ! inject the connected /24 into BGP on these two routers only
    router bgp xxxx
     redistribute connected route-map CONN-TO-BGP
    !
    Now since your /19 and /24 are separate networks, closest match always wins;
    since you're only advertising /24 from two routers, that will always be the
    path. And if that goes down you stop advertising /24 but still have the /19
    from other sessions.

    Now if the /24 is not directly connected but subnetted below that, then the
    config is pretty much the same except change it around for redistributing
    static to BGP and have a static route....

    ip route x.x.x.x 255.255.255.0 "next-hop-here"

    And that's it. If you don't know how to redistribute statics let me know,
    it's pretty much the same except for the redistribution command.

    Hope that helps.



     
    Yandy Ramirez, Feb 21, 2008
    #5
  6. One more thing, just make sure your transit provider opens up its filter
    and allows that /24 through. Should not be a big concern for them to do so.


     
    Yandy Ramirez, Feb 21, 2008
    #6
  7. Gary

    Gary Guest

    "Yandy Ramirez" <> wrote in message
    news:C3E24B4A.792A%...
    > One more thing, just make sure your transit provider opens up its filter
    > and allows that /24 through. Should not be a big concern for them to do
    > so.


    Thanks. I will test that. I did try MEDs and that seems to have worked.
    When we check the advertised routes on the upstream provider the /24 has a
    Metric of zero for the preferred BGP session and all other sessions on the
    upstream are 50 which is the MED we applied and inbound routing looks good.
    It does come through the correct upstream router AND BGP session to us.

    Is your method superior - Why?

    Also how do I ensure that the locally connected /24 (A Cisco ASA5500 will
    arp the whole /24) only routes out through the same BGP session. 99.99% of
    traffic will be inbound and I assume will depart the way it came, but what
    about sessions initiated inside the firewall within the /24. I need to force
    that traffic to only go out one of the BGP sessions but failover should that
    BGP session fail.

    Thanks
    Gary
     
    Gary, Feb 21, 2008
    #7
  8. One method is not really superior over the other.
    First I will say ( the network command under bgp is for wusses.. Lol j/k )
    The only reason that advertising a /24 out of your 2 sessions that you want
    and only advertising a /19 out of all of them including the 2 that advertise
    the /24, the only reason this is considered best practice is because you
    cannot count on your providers trusting your MED values, maybe someone
    complains and they change their local-pref higher out one of the other 4
    sessions, oops there goes your MED.

    MED is useful in certain situations but my recommendation stays as it was.


    With both /24 and /19 you have full routing and high availability should
    something fail.

    Now as far as the arp goes, as long as your internal routing is properly
    configured the incoming traffic should not affect your firewall from arping
    for the correct subnet (The internet is hardly symmetrical to begin with).

    Hope that helps.


     
    Yandy Ramirez, Feb 21, 2008
    #8
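
Added example (not part of any post in this thread): a small Python model of the provider's side of the argument in post #8, comparing the MED approach with announcing the /24 on only the two dedicated sessions. The prefixes, session names and attribute values are constructed, and the decision order is reduced to longest-prefix match, LOCAL_PREF, then MED.

```python
"""Provider-side route choice for the two inbound-steering options in this thread.

Constructed example: the prefixes, session names and attribute values are
illustrative assumptions, and the decision order is simplified to the steps
the thread argues about (longest match, then LOCAL_PREF, then MED).
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

DEDICATED = ("dedicated-1", "dedicated-2")   # the 2 sessions the /24 should use
SHARED = ("shared-1", "shared-2", "shared-3", "shared-4")
AGGREGATE = "198.18.0.0/19"                  # constructed stand-in for the /19
CUSTOMER = "198.18.5.0/24"                   # constructed /24 inside the /19


@dataclass(frozen=True)
class Route:
    prefix: str
    session: str           # session the provider learned the route on
    med: int = 0           # sent by the announcer; lower is preferred
    local_pref: int = 100  # set by the provider; higher is preferred


def med_plan():
    """/19 and /24 on all six sessions; MED 0 on the preferred pair, 50 elsewhere."""
    routes = [Route(AGGREGATE, s) for s in DEDICATED + SHARED]
    routes += [Route(CUSTOMER, s, med=0) for s in DEDICATED]
    routes += [Route(CUSTOMER, s, med=50) for s in SHARED]
    return routes


def more_specific_plan():
    """/19 on all six sessions; the /24 only on the preferred pair."""
    routes = [Route(AGGREGATE, s) for s in DEDICATED + SHARED]
    routes += [Route(CUSTOMER, s) for s in DEDICATED]
    return routes


def provider_raises_local_pref(routes, session, value=200):
    """Model the provider preferring one session, which the announcer cannot veto."""
    return [replace(r, local_pref=value) if r.session == session else r
            for r in routes]


def inbound_session(routes, dst, down=()):
    """Return the session the provider sends traffic for dst over, or None."""
    addr = ip_address(dst)
    live = [r for r in routes
            if r.session not in down and addr in ip_network(r.prefix)]
    if not live:
        return None
    # Forwarding picks the longest matching prefix before any BGP attribute
    # is compared; attributes only rank routes for that same prefix.
    longest = max(ip_network(r.prefix).prefixlen for r in live)
    same_prefix = [r for r in live if ip_network(r.prefix).prefixlen == longest]
    # LOCAL_PREF outranks MED. AS-path length is equal here (one origin AS),
    # and the session name stands in for the final router-id tie-break.
    best = min(same_prefix, key=lambda r: (-r.local_pref, r.med, r.session))
    return best.session


if __name__ == "__main__":
    host = "198.18.5.10"  # constructed address inside the /24
    for name, plan in (("MED", med_plan()), ("more-specific", more_specific_plan())):
        skewed = provider_raises_local_pref(plan, "shared-3")
        print(name, "normal:", inbound_session(plan, host))
        print(name, "provider local-pref on shared-3:", inbound_session(skewed, host))
        print(name, "dedicated pair down:", inbound_session(plan, host, down=DEDICATED))
```

With the MED plan a LOCAL_PREF change on one shared session pulls the /24 onto it; with the more-specific plan the /24 stays on the dedicated pair and only falls back to the /19 when both dedicated sessions are down.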
  9. Gary

    Gary Guest

    "Yandy Ramirez" <> wrote in message
    news:C3E27CEB.84F4%...
    > One method is not really superior over the other.
    > First I will say ( the network command under bgp is for wusses.. Lol j/k )
    > The only reason that advertising a /24 out of your 2 sessions that you
    > want
    > and only advertising a /19 out of all of them including the 2 that
    > advertise
    > the /24, the only reason this is considered best practice is because you
    > cannot count on your providers trusting your MED values, maybe someone
    > complains and they change their local-pref higher out one of the other 4
    > sessions, oops there goes your MED.
    >
    > MED is useful in certain situations but my recommendation stays as it was.
    >
    >
    > With both /24 and /19 you have full routing and high availability should
    > something fail.
    >
    > Now as far as the arp goes, as long as your internal routing is properly
    > configured the incoming traffic should not affect your firewall from
    > arping
    > for the correct subnet (The internet is hardly symmetrical to begin with).
    >
    > Hope that helps.

    I have confused this again. Only the /24 should use this dedicated peering
    to the upstream. That includes inbound and outbound traffic. I think now all
    sessions initiated externally will come down the right connection so it can
    be easily metered and charged, but what about outbound connections from the
    /24. How do I force them to ONLY use a particular peering while it is up.

    It is almost like I want to VLAN them to a BGP session.
    Gary
     
    Gary, Feb 21, 2008
    #9
  10. Simple,

    Policy based routing. Set ip next-hop.
    This is done in conjunction with standard or extended acls and route-maps.

    Sample.

    Access-list 3 permit 200.1.1.0 0.0.0.255

    Route-map POLICY-ROUTE permit 100
    match ip address 3
    set Ip next-hop 200.1.2.2

    Interface f0/0
    desc outside
    ip add 200.1.2.1 255.255.255.0
    !
    Interface f0/1
    desc inside
    ip add 200.1.1.1 255.255.255.0
    ip policy route-map POLICY-ROUTE
    !


    On 2/21/08 10:21 AM, in article 2Ggvj.529$, "Gary"
    <> wrote:

    > I have confused this again. Only the /24 should use this dedicated peering
    > to the upstream. That includes inbound and outbound traffic. I think now all
    > sessions initiated externally will come down the right connection so it can
    > be easily metered and charged, but what about outbound connections from the
    > /24. How do I force them to ONLY use a particular peering while it is up.
    >
    > It is almost like I want to VLAN them to a BGP session.
    > Gary
    >
    >
     
    Yandy Ramirez, Feb 21, 2008
    #10
  11. Gary

    Gary Guest

    "Yandy Ramirez" <> wrote in message
    news:C3E30B8C.8587%...
    > Simple,
    >
    > Policy based routing. Set ip next-hop.
    > This is done in conjunction with standard or extended acls and route-maps.
    >
    > Sample.
    >
    > Access-list 3 permit 200.1.1.0 0.0.0.255
    >
    > Route-map POLICY-ROUTE permit 100
    > match ip address 3
    > set Ip next-hop 200.1.2.2
    >
    > Interface f0/0
    > desc outside
    > ip add 200.1.2.1 255.255.255.0
    > !
    > Interface f0/1
    > desc inside
    > ip add 200.1.1.1 255.255.255.0
    > ip policy route-map POLICY-ROUTE
    > !

    Thanks. Would it simply be the same as setting the D/Gateway of the firewall
    protecting the /24 to the upstream's BGP session and a lower D/Gateway to the
    standby routers?

    Maybe I made this too complex. Would this do the same as the Policy Based
    Routing and leave less for the router to do?

    Gary
     
    Gary, Feb 21, 2008
    #11
  12. If your firewall lets you do that, then yes!
    That's simpler

    cya


    On 2/21/08 6:58 PM, in article Qeovj.2682$, "Gary"
    <> wrote:

    >
    > "Yandy Ramirez" <> wrote in message
    > news:C3E30B8C.8587%...
    >> Simple,
    >>
    >> Policy based routing. Set ip next-hop.
    >> This is done in conjunction with standard or extended acls and route-maps.
    >>
    >> Sample.
    >>
    >> Access-list 3 permit 200.1.1.0 0.0.0.255
    >>
    >> Route-map POLICY-ROUTE permit 100
    >> match ip address 3
    >> set Ip next-hop 200.1.2.2
    >>
    >> Interface f0/0
    >> desc outside
    >> ip add 200.1.2.1 255.255.255.0
    >> !
    >> Interface f0/1
    >> desc inside
    >> ip add 200.1.1.1 255.255.255.0
    >> ip policy route-map POLICY-ROUTE
    >> !
    >>
    >>
    >> On 2/21/08 10:21 AM, in article 2Ggvj.529$, "Gary"
    >> <> wrote:
    >>
    >>>
    >>> "Yandy Ramirez" <> wrote in message
    >>> news:C3E27CEB.84F4%...
    >>>> One method is not really superior over the other.
    >>>> First I will say ( the network command under bgp is for wusses.. Lol
    >>>> j/k )
    >>>> The only reason that advertising a /24 out of your 2 sessions that you
    >>>> want
    >>>> and only advertising a /19 out of all of them including the 2 that
    >>>> advertise
    >>>> the /24, the only reason this is considered best practice is because you
    >>>> cannot count on your providers trusting your MED values, maybe someone
    >>>> complains and they change their local-pref higher out one of the other 4
    >>>> sessions, oops there goes your MED.
    >>>>
    >>>> MED is useful in certain situations but my recommendation stays as it
    >>>> was.
    >>>>
    >>>>
    >>>> With both /24 and /19 you have full routing and high availability should
    >>>> something fail.
    >>>>
    >>>> Now as far as the arp goes, as long as your internal routing is properly
    >>>> configured the incoming traffic should not affect your firewall from
    >>>> arping
    >>>> for the correct subnet (The internet is hardly symmetrical to begin
    >>>> with).
    >>>>
    >>>> Hope that helps.
    >>>>
    >>>>
    >>>> On 2/21/08 12:32 AM, in article I18vj.3626$, "Gary"
    >>>> <> wrote:
    >>>>
    >>>>>
    >>>>> "Yandy Ramirez" <> wrote in message
    >>>>> news:C3E24B4A.792A%...
    >>>>>> One more thing, just make sure your transit provider opens up its
    >>>>>> filter
    >>>>>> and allows that /24 through. Should not be a big concern for them to
    >>>>>> do
    >>>>>> so.
    >>>>>>
    >>>>>>
    >>>>>> On 2/20/08 8:41 PM, in article VE4vj.5556$,
    >>>>>> "Gary"
    >>>>>> <> wrote:
    >>>>>>
    >>>>>>>
    >>>>>>> "Yandy Ramirez" <> wrote in message
    >>>>>>> news:C3E12033.6CCE%...
    >>>>>>>> Well having the customer with a separate x-connect and bgp sessions
    >>>>>>>> directly
    >>>>>>>> to the Transit providers should automatically have a shorter as-path
    >>>>>>>> from
    >>>>>>>> cust-to-provider. But the customer can set a higher local-pref on
    >>>>>>>> the
    >>>>>>>> routes
    >>>>>>>> received from those two neighbors and a lower local-pref to the
    >>>>>>>> prefixes
    >>>>>>>> received from you.
    >>>>>>>>
    >>>>>>>> Now controlling inbound traffic is a bit trickier you can try
    >>>>>>>> AS-PREPEND
    >>>>>>>> (even though technically it should route automatically to his direct
    >>>>>>>> connection) but that's beyond your control as the providers can set
    >>>>>>>> LOCAL-PREF on their side and there goes that idea. So what you can
    >>>>>>>> really
    >>>>>>>> do
    >>>>>>>> is.
    >>>>>>>>
    >>>>>>>> 1) BGP conditional advertisement (where you track a certain prefix)
    >>>>>>>> maybe
    >>>>>>>> a
    >>>>>>>> loopback on the customer routers (2 in this case) and only advertise
    >>>>>>>> the
    >>>>>>>> customers prefixes to the providers through your link if and only if
    >>>>>>>> both
    >>>>>>>> loopbacks go down. That way the provider will really only see the
    >>>>>>>> customers
    >>>>>>>> prefixes through their link unless it goes down, then you start
    >>>>>>>> advertising
    >>>>>>>> The customers prefixes through your connection.
    >>>>>>>>
    >>>>>>>> cya
    >>>>>>>>
    >>>>>>>>
    >>>>>>>> On 2/19/08 11:51 PM, in article
    >>>>>>>> , "Barry
    >>>>>>>> Margolin"
    >>>>>>>> <> wrote:
    >>>>>>>>
    >>>>>>>>> In article <%6Luj.3489$>,
    >>>>>>>>> "Gary" <> wrote:
    >>>>>>>>>
    >>>>>>>>>> We have a router connected to 2 x tier1 provider routers over a
    >>>>>>>>>> single x-connect and we run BGP to them no problems. We have taken
    >>>>>>>>>> on a new client that wants their own dedicated cable and BGP session
    >>>>>>>>>> to the same 2 routers and a second x-connect is now in and 2 new BGP
    >>>>>>>>>> sessions are up to what are actually the same tier1 routers.
    >>>>>>>>>>
    >>>>>>>>>> The client wants his address space routed over his cable to the
    >>>>>>>>>> tier1 provider unless that cable fails in which case the traffic
    >>>>>>>>>> should failover to our x-connect to the tier1 provider.
    >>>>>>>>>>
    >>>>>>>>>> The question is how do I get the customers traffic to ONLY leave via
    >>>>>>>>>> his x-connect cable/BGP sessions while it is up but failover to ours
    >>>>>>>>>> if his fails. Also how do I get the inbound traffic to ONLY come down
    >>>>>>>>>> one set of BGP sessions (the clients) as opposed to our BGP sessions
    >>>>>>>>>> while his are up.
    >>>>>>>>>
    >>>>>>>>> This should happen automatically. The routes through your x-connect
    >>>>>>>>> should have your ASN in the AS path, which will make it longer than
    >>>>>>>>> the routes directly to the tier1 providers.
    >>>>>>>>>
    >>>>>>>>>>
    >>>>>>>>>> An ASCII Diagram would look like
    >>>>>>>>>>
    >>>>>>>>>>
    >>>>>>>>>> Our Router A x------------our x-connect------------------------x Tier1
    >>>>>>>>>> Router A & B - This carries two BGP sessions on a small subnet which
    >>>>>>>>>> we use for clients to transit generally
    >>>>>>>>>> Our Router A x------------client x-connect----------------------x Tier 1
    >>>>>>>>>> Router A & B - This should only carry client subnet in and out while
    >>>>>>>>>> up otherwise failover to our cable and BGP sessions
    >>>>>>>>>>
    >>>>>>>>>> Both cables carry 2 BGP peering sessions receiving full routing tables
    >>>>>>>>>> with both Tier1 Router A and B so in total we now have 4 full routing
    >>>>>>>>>> tables from the same Tier1 provider on Our Router A.
    >>>>>>>>>>
    >>>>>>>>>>
    >>>>>>>>>> Hope this makes sense.
    >>>>>>>>>> Thanks
    >>>>>>>>>> Gary
    >>>>>>>>
    >>>>>>>>
    >>>>>>>
    >>>>>>> Maybe I explained this badly. We have 6 full BGP peering sessions to
    >>>>>>> the same TIER1 Provider to different routers. We announce a /19 on all
    >>>>>>> sessions and all works well. Now we want a particular /24 within that
    >>>>>>> /19 to only come down 2 of the BGP Peering sessions. Should these 2
    >>>>>>> fail for any reason (cable break) we want the /24 to come in any of
    >>>>>>> the remaining 4 BGP sessions.
    >>>>>>>
    >>>>>>> Hope that clarifies?
    >>>>>>> Gary
    >>>>>>>
    >>>>>>>
    >>>>>>
    >>>>>>
    >>>>>
    >>>>> Thanks. I will test that. I did try MED's and that seems to have
    >>>>> worked. When we check the advertised routes on the upstream provider
    >>>>> the /24 has a Metric of zero for the preferred BGP session and all
    >>>>> other sessions on the upstream are 50 which is the MED we applied and
    >>>>> inbound routing looks good. It does come through the correct upstream
    >>>>> router AND BGP session to us.
    >>>>>
    >>>>> Is your method superior - Why?
    >>>>>
    >>>>> Also how do I ensure that the locally connected /24 (A Cisco ASA5500
    >>>>> will arp the whole /24) only routes out through the same BGP session.
    >>>>> 99.99% of traffic will be inbound and I assume will depart the way it
    >>>>> came, but what about sessions initiated inside the firewall within the
    >>>>> /24. I need to force that traffic to only go out one of the BGP
    >>>>> sessions but failover should that BGP session fail.
    >>>>>
    >>>>> Thanks
    >>>>> Gary
    >>>>>
    >>>>>
    >>>>
    >>>>
    >>> I have confused this again. Only the /24 should use this dedicated
    >>> peering to the upstream. That includes inbound and outbound traffic. I
    >>> think now all sessions initiated externally will come down the right
    >>> connection so it can be easily metered and charged, but what about
    >>> outbound connections from the /24. How do I force them to ONLY use a
    >>> particular peering while it is up.
    >>>
    >>> It is almost like I want to VLAN them to a BGP session.
    >>> Gary
    >>>
    >>>

    >>

    >
    > Thanks. Would it simply be the same as setting the D/Gateway of the firewall
    > protecting the /24 to the upstreams BGP session and a lower D/Gateway to the
    > standby routers?
    >
    > Maybe I made this too complex. Would this do the same as the Policy Based
    > Routing and leave less for the router to do?
    >
    > Gary
    >
    >
     
    Yandy Ramirez, Feb 22, 2008
    #12
  13. I guess I understood you wrong, I thought you wanted to route traffic to
    that one specific session from a /24 not to a /24.


    On 2/21/08 6:58 PM, in article Qeovj.2682$, "Gary"
    <> wrote:

    >
    > "Yandy Ramirez" <> wrote in message
    > news:C3E30B8C.8587%...
    >> Simple,
    >>
    >> Policy based routing. Set ip next-hop.
    >> This is done in conjunction with standard or extended acls and route-maps.
    >>
    >> Sample.
    >>
    >> ! Match traffic sourced from the inside /24
    >> access-list 3 permit 200.1.1.0 0.0.0.255
    >>
    >> ! Send matching traffic to the chosen next hop
    >> route-map POLICY-ROUTE permit 100
    >>  match ip address 3
    >>  set ip next-hop 200.1.2.2
    >>
    >> interface f0/0
    >>  desc outside
    >>  ip add 200.1.2.1 255.255.255.0
    >> !
    >> ! The policy is applied on the interface where the traffic enters
    >> interface f0/1
    >>  desc inside
    >>  ip add 200.1.1.1 255.255.255.0
    >>  ip policy route-map POLICY-ROUTE
    >> !
    >>
    >>
    >
    > Thanks. Would it simply be the same as setting the D/Gateway of the firewall
    > protecting the /24 to the upstreams BGP session and a lower D/Gateway to the
    > standby routers?
    >
    > Maybe I made this too complex. Would this do the same as the Policy Based
    > Routing and leave less for the router to do?
    >
    > Gary
    >
    >
     
    Yandy Ramirez, Feb 22, 2008
    #13
  14. Gary

    Gary Guest

    I want inbound traffic to one /24 to only come down one BGP session and
    MED's seem to do that plus I want traffic outbound from the /24 to use the
    same BGP session. Almost like a /24 on a stick with the upstream.

    Thx
    Gary


    "Yandy Ramirez" <> wrote in message
    news:C3E38C6A.85D9%...
    >I guess I understood you wrong, I thought you wanted to route traffic to
    > that one specific session from a /24 not to a /24.
     
    Gary, Feb 22, 2008
    #14
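The trade-off argued in this thread (steering the /24 with MED versus announcing the more-specific /24 only on the dedicated sessions), as an added example that is not part of any poster's message: a small Python model of which session the upstream would pick. The session names, the /19, the host address and the simplified decision order (longest prefix match, then local-pref, then MED) are assumptions of this example.

```python
"""Model of how the upstream picks a session for traffic toward us.

Simplified decision order (an assumption of this example): longest prefix
match, then highest local-pref, then lowest MED. Later BGP tie-breakers are
left out, so every session that is still tied is returned.
"""
import ipaddress
from dataclasses import dataclass

AGGREGATE = "200.1.0.0/19"   # constructed /19 that contains the /24
SPECIFIC = "200.1.1.0/24"    # customer /24 (address taken from the PBR sample)
DEDICATED = ("ded1", "ded2")                 # hypothetical session names
SHARED = ("shr1", "shr2", "shr3", "shr4")    # hypothetical session names


@dataclass(frozen=True)
class Route:
    prefix: str            # prefix as announced to the upstream
    session: str           # session the upstream learned it on
    med: int = 0           # set by us; lower wins
    local_pref: int = 100  # set by the upstream; higher wins


def prefix_len(route):
    return ipaddress.ip_network(route.prefix).prefixlen


def best_sessions(routes, dst, down=()):
    """Sessions the upstream would forward traffic for dst onto."""
    addr = ipaddress.ip_address(dst)
    live = [r for r in routes
            if r.session not in down
            and addr in ipaddress.ip_network(r.prefix)]
    if not live:
        return []
    # Forwarding always follows the most specific prefix first.
    longest = max(prefix_len(r) for r in live)
    cands = [r for r in live if prefix_len(r) == longest]
    # Among routes for that prefix, local-pref is compared before MED.
    top = max(r.local_pref for r in cands)
    cands = [r for r in cands if r.local_pref == top]
    low = min(r.med for r in cands)
    return sorted(r.session for r in cands if r.med == low)


def med_design(shared_local_pref=100):
    """/19 and /24 on every session; MED 0 on dedicated, 50 elsewhere."""
    routes = [Route(AGGREGATE, s) for s in DEDICATED]
    routes += [Route(AGGREGATE, s, local_pref=shared_local_pref)
               for s in SHARED]
    routes += [Route(SPECIFIC, s, med=0) for s in DEDICATED]
    routes += [Route(SPECIFIC, s, med=50, local_pref=shared_local_pref)
               for s in SHARED]
    return routes


def more_specific_design(shared_local_pref=100):
    """/19 on every session; /24 announced only on the dedicated pair."""
    routes = [Route(AGGREGATE, s) for s in DEDICATED]
    routes += [Route(AGGREGATE, s, local_pref=shared_local_pref)
               for s in SHARED]
    routes += [Route(SPECIFIC, s) for s in DEDICATED]
    return routes


if __name__ == "__main__":
    host = "200.1.1.10"  # constructed host inside the /24
    for name, design in (("MED", med_design),
                         ("more-specific", more_specific_design)):
        print(name, "normal:", best_sessions(design(), host))
        print(name, "upstream raises local-pref on shared sessions:",
              best_sessions(design(200), host))
        print(name, "dedicated pair down:",
              best_sessions(design(200), host, down=DEDICATED))
```

In the model, both designs fail over to the four shared sessions when the dedicated pair is down, but only the more-specific design keeps the /24 on the dedicated pair after the upstream changes its local-pref.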