[HELP] Prepending AS path in Multihomed setup

pdk @captiveaire.com:
Currently I work for a company that owns its own Class C. We have an AS number, two routers and two ISPs. Router 1 has a fiber connection with bandwidth up to 10Mb/s. Router 2 has 2 T1s bonded for bandwidth around 3Mb/s. I have prepended the AS path on Router 2 so as to appear to have a longer AS path, so that Router 1 is the preferred path for incoming traffic. This is indeed working. In the event my fiber connection goes down on Router 1, traffic is then forwarded to the next and only other advertised route, Router 2. However, when Router 1's fiber connection comes back to life, all traffic still remains flowing via our backup route on Router 2. Am I missing something in my config? Or perhaps, should I be configuring my routers completely differently in order to accomplish this?
Router 1 Config (10.10.10.3):

  router bgp 300
   no synchronization
   bgp log-neighbor-changes
   network 10.10.10.0
   neighbor 1.2.2.101 remote-as 500
   neighbor 1.2.2.101 password *****************
   neighbor 1.2.2.101 prefix-list default in
   neighbor 1.2.2.101 prefix-list aggregate out
   neighbor 10.10.10.1 remote-as 300
   neighbor 10.10.10.1 next-hop-self
   no auto-summary
  !
  !
  ip as-path access-list 15 permit ^$
  !
  !
  ip prefix-list aggregate seq 5 permit 10.10.10.0/24
  !
  ip prefix-list default seq 5 permit 0.0.0.0/0
  logging trap debugging
  logging 10.10.10.16
  access-list 1 permit 10.10.10.0 0.0.0.255
  snmp-server community cas-snmp-secure RO
  snmp-server enable traps tty
  !
  route-map localonly permit 10
   match as-path 10

Router 2 Config (10.10.10.1):

  !
  router bgp 300
   no synchronization
   bgp log-neighbor-changes
   network 10.10.10.0
   neighbor 3.3.3.4 remote-as 400
   neighbor 3.3.3.4 version 4
   neighbor 3.3.3.4 prefix-list sprintin in
   neighbor 3.3.3.4 route-map localonly out
   neighbor 10.10.10.3 remote-as 32913
   neighbor 10.10.10.3 next-hop-self
   no auto-summary
  !
  ip classless
  !
  ip as-path access-list 10 permit ^$
  !
  no ip http server
  ip http authentication local
  no ip http secure-server
  !
  !
  ip prefix-list sprintin seq 5 permit 0.0.0.0/0
  !
  route-map localonly permit 10
   match as-path 10
   set as-path prepend 300 300 300
aryoba:
If this is Internet traffic, then you need to use a BGP looking glass to check the BGP table from the transit provider's perspective. You can use the following link to find the most suitable looking glass site.
»Cisco Forum FAQ »How your ISP annouce your subnet via BGP to the Internet: BGP Looking Glass
You also need to work with your ISPs (the AS 400 and AS 500 administrators) to check their BGP tables.
These are preliminary steps to verify each other's BGP table.
You may also need to use the ISP's BGP community list to set your and the ISP's Local Preferences and AS Path Prepend.
pdk @captiveaire.com:
So far, our ISP has been ZERO help when contacting them regarding issues such as this. I basically have to nail down the exact problem and tell them what they need to change before they will do anything; that's why I ask. I'm not sure I follow where you are going with this... can you be more specific?
sporkme (drop the crantini and move it, sister):
Pick a looking glass and see what your routes look like there. Do you see two paths? Do you see the prepends on one of them?
rolande:
Most routers will use route caching for existing traffic flows, especially providers' large Internet aggregation routers. If you have a reconvergence event with multiple paths for the same route, even though BGP updates properly, existing traffic flows may continue to flow down the backup path until they age out, unless the route cache is cleared. That is completely out of your control. ISPs do not do this, as any BGP route flap event may cause major route cache instability, which usually triggers high CPU utilization on routers.
If your AS path prepend works under normal circumstances, then it will work once you reconverge. But it will take time for you to start seeing traffic fall back over to the primary path. Fast failover and fallback can be deadly to your network. When you get trapped in a circuit flapping situation that you can't recover from, both your routers and the ISP's pay the price. ISPs frown severely on this when one customer's issue can bring down many other customers.
Remember that BGP is still a Distance Vector protocol underneath it all, just with advanced metrics. It still takes time for reconvergence to fully occur throughout the network.
-- Ignorance is temporary...stupidity lasts forever!
»www.thewaystation.com/ »blog.thewaystation.com/
carp:
You can try and get around/alleviate this with DNS or an advanced device like a Radware Linkproof (if still around) or devices from F5. I know for sure that Radware would use DNS to properly get the traffic where you want it. You may need to ask for an additional IP allocation so that you have enough addresses. There are also many other advantages to using the advanced devices.
sporkme:
said by carp: "You can try and get around/alleviate this with DNS or an advanced device like a Radware Linkproof (if still around) or devices from F5."
While BGP may be damped to prevent harm, DNS is downright unpredictable. BGP is the proper solution.
pdk @rr.com:
Thanks for all the replies everyone.
BGP is definitely the right solution for what I'm doing; I do not question that. This however is my first implementation of it in a production environment, so I'm still learning. I think I found the problem. Neither of our ISPs has our routes configured properly; neither one knows about the other, and right now whoever comes up first is the preferred route regardless of how many prepends I have on the AS path.
sporkme:
Can you clarify this part?
said by pdk: "Neither of our ISP's have our routes configured properly"
Are you announcing your routes via BGP or are your ISPs handling this? Can you explain your setup in a bit more detail?
rolande:
Depending on the original provider who allocated the netblock in question, one ISP may be aggregating the route as part of a larger block. The second ISP is advertising the more specific prefix and thus ends up getting all the traffic. Does that sound close?
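Both the prepend setup in the original post and the aggregation scenario rolande describes above come down to how a remote router chooses between candidate routes. The following is an added Python model of that choice, written for this thread and not code from the poster or either ISP: it does longest-prefix match first and compares AS-path length only among routes for the same prefix, which is why a prepended /24 still beats an un-prepended /16 aggregate. The prefixes and AS numbers are the thread's masked values (customer AS 300 originating 10.10.10.0/24, upstreams AS 500 and AS 400); the /16 aggregate, the 192.0.2.x labels and the reduced set of tie-breakers (local preference, path length, a label in place of router-ID) are assumptions for illustration.

```python
"""Added example (not from the thread): minimal model of remote route
selection, showing that AS-path prepending only steers traffic when both
upstreams advertise the *same* prefix.

Assumptions: only LOCAL_PREF, AS_PATH length and a label tie-break are
modelled; prefixes/ASNs are the thread's masked values (AS 300 originates
10.10.10.0/24, upstreams AS 500 and AS 400); the /16 aggregate is made up.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str            # e.g. "10.10.10.0/24"
    as_path: tuple         # left = nearest neighbour AS, right = origin AS
    learned_from: str      # label for the upstream that sent the route
    local_pref: int = 100  # IOS default LOCAL_PREF


# Normal state: both upstreams carry the /24; AS 400 prepends the origin
# three extra times (as in the original poster's route-map), so its path
# is longer and loses.
SCENARIO_BOTH_ADVERTISE = [
    Route("10.10.10.0/24", (500, 300), "AS500"),
    Route("10.10.10.0/24", (400, 300, 300, 300, 300), "AS400"),
]

# Failure mode rolande describes: AS 500 folds the /24 into its own larger
# aggregate, so only AS 400 still announces the exact /24.
SCENARIO_AGGREGATED = [
    Route("10.10.0.0/16", (500,), "AS500"),
    Route("10.10.10.0/24", (400, 300, 300, 300, 300), "AS400"),
]


def best_route(destination: str, table: list) -> Route:
    """Longest-prefix match first; BGP attributes are only compared among
    the routes that share that longest prefix."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in table if dst in ipaddress.ip_network(r.prefix)]
    if not candidates:
        raise LookupError(f"no route to {destination}")
    longest = max(ipaddress.ip_network(r.prefix).prefixlen for r in candidates)
    same_len = [r for r in candidates
                if ipaddress.ip_network(r.prefix).prefixlen == longest]
    # Highest LOCAL_PREF wins, then shortest AS_PATH (this is where the
    # prepends bite), then a stable label tie-break standing in for router-ID.
    return min(same_len,
               key=lambda r: (-r.local_pref, len(r.as_path), r.learned_from))


if __name__ == "__main__":
    for name, table in (("both advertise the /24", SCENARIO_BOTH_ADVERTISE),
                        ("AS500 aggregates to /16", SCENARIO_AGGREGATED)):
        chosen = best_route("10.10.10.50", table)
        print(f"{name}: 10.10.10.50 -> via {chosen.learned_from} "
              f"({chosen.prefix}, AS_PATH length {len(chosen.as_path)})")
```

Run it and the first scenario picks AS500 as intended, while the second picks AS400 despite the three prepends, because the path-length comparison never happens between a /24 and a /16. The check that matters in practice is therefore whether both upstreams are exporting the identical prefix, not how many prepends are on the backup.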
sporkme:
said by rolande: "Depending on the original provider who allocated the netblock in question, one ISP may be aggregating the route as part of a larger block. The second ISP is advertising the more specific prefix and thus ends up getting all the traffic. Does that sound close?"
That sure works... There's not much info in the original post. I was assuming he had his own AS and netblock, but who knows...
jwhitecs:
Well, if class C 204.120.207.0 is the prefix in question, then as shown below it's only being announced by one of your providers (Road Runner/TWCable, AS11426).

  route-server>show ip bgp regexp _32913$
  BGP table version is 2321232, local router ID is 12.0.1.28
  Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, S Stale
  Origin codes: i - IGP, e - EGP, ? - incomplete

     Network          Next Hop            Metric LocPrf Weight Path
  *  204.120.207.0    12.123.13.241                          0 7018 3356 11426 32913 i
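To answer sporkme's looking-glass questions earlier in the thread (do you see two paths, is one of them prepended?) without eyeballing the table, here is an added Python script that parses IOS-style "show ip bgp" output as a route-server prints it and reports, per prefix, which upstream AS each path enters through, how many prepends it carries, and which expected upstream is missing. It is example code written for this thread, not the route-server's or the poster's. The sample tables are constructed with the thread's masked numbers (origin AS 300, upstreams AS 400 and AS 500, documentation next-hops) rather than the real output above, and the parser assumes the header line containing "Path" is present so it can derive column offsets from it and each path fits on one line.

```python
"""Added example (not from the thread): audit a looking-glass / route-server
'show ip bgp' table for a multihomed prefix.

Assumptions: IOS-style column layout with the header line present; sample
output is constructed with the thread's masked numbers (origin AS 300,
upstreams AS 400 and AS 500) and 192.0.2.x next-hops, not real data.
"""
from dataclasses import dataclass

HEADER = "   Network          Next Hop            Metric LocPrf Weight Path"


def _row(status, network, nexthop, weight, path):
    """Build one IOS-style table row with blank Metric/LocPrf (sample data)."""
    return f"{status:<3}{network:<17}{nexthop:<20}{'':>6} {'':>6} {weight:>6} {path}"


# Constructed output for the healthy state: both upstreams carry the /24,
# AS 400 with three prepends, AS 500 chosen as best.
SAMPLE_BOTH = "\n".join([
    "BGP table version is 100, local router ID is 192.0.2.254",
    "Status codes: s suppressed, d damped, h history, * valid, > best, i - internal",
    "Origin codes: i - IGP, e - EGP, ? - incomplete",
    "",
    HEADER,
    _row("*>", "10.10.10.0", "192.0.2.1", 0, "7018 500 300 i"),
    _row("* ", "", "192.0.2.2", 0, "7018 400 300 300 300 300 i"),
])

# Constructed output mirroring the thread: only one upstream announces it.
SAMPLE_ONE = "\n".join([
    HEADER,
    _row("*>", "10.10.10.0", "192.0.2.2", 0, "7018 400 300 300 300 300 i"),
])


@dataclass
class BgpPath:
    prefix: str
    best: bool          # True when the status column carries '>'
    as_path: tuple
    origin_code: str    # 'i', 'e' or '?'


def parse_bgp_table(text: str) -> list:
    """Parse rows after the header. Column offsets come from the header so
    blank Metric/LocPrf cells cannot shift the parse; a blank Network cell
    means 'same prefix as the previous row', as IOS prints it."""
    paths, current_prefix = [], None
    net_col = nh_col = path_col = None
    for line in text.splitlines():
        if path_col is None:
            if "Network" in line and "Path" in line:
                net_col, nh_col = line.index("Network"), line.index("Next Hop")
                path_col = line.index("Path")
            continue
        if len(line) <= path_col:
            continue
        network = line[net_col:nh_col].strip()
        if network:
            current_prefix = network
        tokens = line[path_col:].split()
        if not tokens or current_prefix is None:
            continue
        as_path = tuple(int(t) for t in tokens[:-1] if t.isdigit())
        paths.append(BgpPath(current_prefix, ">" in line[:net_col], as_path, tokens[-1]))
    return paths


def classify(path: BgpPath, origin_asn: int):
    """Return (upstream_asn, prepends): the AS just before the trailing run
    of origin ASes, and how many extra copies of the origin were prepended."""
    trailing = 0
    for asn in reversed(path.as_path):
        if asn != origin_asn:
            break
        trailing += 1
    if trailing == 0:
        return None, 0                      # not originated by origin_asn
    rest = path.as_path[:-trailing]
    return (rest[-1] if rest else None), trailing - 1


def audit(text: str, origin_asn: int, expected_upstreams) -> dict:
    """Per prefix: which expected upstreams are seen (with prepend count and
    best flag) and which are missing from the table entirely."""
    report = {}
    for p in parse_bgp_table(text):
        upstream, prepends = classify(p, origin_asn)
        if upstream is None:
            continue
        entry = report.setdefault(p.prefix, {"seen": {}, "missing": []})
        entry["seen"][upstream] = {"prepends": prepends, "best": p.best}
    for entry in report.values():
        entry["missing"] = sorted(set(expected_upstreams) - set(entry["seen"]))
    return report


if __name__ == "__main__":
    for label, sample in (("healthy", SAMPLE_BOTH), ("one upstream", SAMPLE_ONE)):
        print(label, audit(sample, 300, [400, 500]))
```

Point it at real looking-glass output by pasting the text into `audit()` with your own origin AS and the two upstream ASes; an entry in `missing` is the same finding jwhitecs made by hand above, and a `prepends` of 0 on the backup upstream means the outbound route-map is not doing what you think it is.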
jwhitecs:
Which would mean your second provider, Sprint, is not announcing your class C at all.
jwhitecs:
Do a "show ip bgp neighbor x.x.x.x advertised-routes" and verify that the class C is being announced, specifically to your second provider, Sprint.
Nubiatech (soy capitan):
said by jwhitecs: "well, if class C x.x.x.x is the prefix in question then as shown below it's only being announced by one of your providers (road runner/twcable AS11426)."
Nice detective work there! So much for "anonymous" @somedomain.tld
--- Edit: removed actual subnet.
pdk @captiveaire.com:
We have our own AS and Class C, as stated in the original post.
Due to a router crash on Monday night, our Sprintlink connection is down and our fiber connection is the only advertised route as of now. That is probably why you are only seeing one route advertised.
And so much for masking my real IP and AS #.....
Anyhoo, back to the topic... I'm going to wait until my Sprint connection is back up and check out what routes are being advertised when both links are active, then post what I find.
jwhitecs:
Sorry about the anonymous stuff, pdk. But you left your public AS in the masked config above, so I went from there.
sporkme:
said by pdk: "We have our own AS and Class C as stated in the original post."
It actually looks like you don't have your own class C; it's reassigned from Sprint:

  [spork@devel2] $ whois -h whois.arin.net NET-204-120-207-0-1

  OrgName:    Captive-Aire Systems
  OrgID:      CAPTI-2
  Address:    117 Franklin Park Ave
  City:       Youngsville
  StateProv:  NC
  PostalCode: 27596
  Country:    US

  NetRange:   204.120.207.0 - 204.120.207.255
  CIDR:       204.120.207.0/24
  NetName:    SPRINTLINK
  NetHandle:  NET-204-120-207-0-1
  Parent:     NET-204-117-0-0-1
  NetType:    Reassigned   <<<----

Which is interesting, since they are the ones NOT announcing the route.
carp:
You sound uninformed about solving it with DNS, Radware, etc. It works like a charm in many situations.
pdk @captiveaire.com:
Sure, it's assigned to us from Sprint, but we have the whole block. Now that you've announced our location, physical address, domain info, router IPs, AS#, how about I just give everyone my enable password! Sure, it can be found if you search enough, but it clearly states when posting to MASK the real IP addresses, AS#s etc...