Saturday, April 23, 2011

How to set up a BGP multihomed network without your own public AS number and IP prefix list

One of the best ways to get traffic load-balancing and fail-over together is BGP multi-homing: BGP always holds the best path to a particular destination, and when one link fails traffic automatically moves to the other link.

But the main blocker to implementing BGP in small companies is that they cannot obtain their own AS number and IP address block. To get your own AS number and IP prefix list you have to go through a Regional Internet Registry that allocates IP addresses and AS numbers, as APNIC does in the Asia Pacific region.

Below I explain how to set up a BGP multihomed network without your own public AS or IP prefix list. The setup is simple: you establish two BGP peerings with two ISPs (ISP1 and ISP2), peering from your private AS number (eBGP). You don't advertise any prefixes (you obviously don't have any), and you ask both ISPs to advertise their full BGP routing tables to your end.

Once you have both BGP routing tables on your router, you have the best paths in the routing table itself. One limitation of this setup is that you cannot load-balance inbound traffic to things like web or mail servers that DNS points at, since you don't have your own IP addresses; in such cases you have to use an address from one of the two ISPs. This setup works best where you have multiple links from multiple ISPs and want to make optimal use of the bandwidth.

Following is the configuration as per Diagram 1.

Client config

router bgp 65550
 bgp log-neighbor-changes
 neighbor 1.1.1.2 remote-as 100
 neighbor 1.1.1.2 ebgp-multihop 10
 neighbor 1.1.1.2 update-source f0/0
 neighbor 1.1.1.2 soft-reconfiguration inbound
 neighbor 2.2.2.2 remote-as 200
 neighbor 2.2.2.2 ebgp-multihop 10
 neighbor 2.2.2.2 update-source f0/1
 neighbor 2.2.2.2 soft-reconfiguration inbound

ISP1 config

router bgp 100
 bgp log-neighbor-changes
 neighbor 1.1.1.1 remote-as 65550
 neighbor 1.1.1.1 ebgp-multihop 10
 neighbor 1.1.1.1 update-source f0/0
 neighbor 1.1.1.1 soft-reconfiguration inbound
 neighbor 1.1.1.1 default-originate

ISP2 config

router bgp 200
 bgp log-neighbor-changes
 neighbor 2.2.2.1 remote-as 65550
 neighbor 2.2.2.1 ebgp-multihop 10
 neighbor 2.2.2.1 update-source f0/1
 neighbor 2.2.2.1 soft-reconfiguration inbound
 neighbor 2.2.2.1 default-originate

The F0/0 IP address is a public IP given by ISP1, and likewise F0/1 carries a public IP from ISP2. Once you have done this configuration your peers should be up and running; this is the same as setting up normal BGP peers. Make sure ISP1 and ISP2 advertise the default routes as well. At this point verify that the peers are up and that you are receiving BGP updates, including the default routes, from both ISPs.

You can check that the peers are running with the following command on the client; the output will look like this.

show ip bgp summary

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
1.1.1.2         4   100    1370    1373      174    0    0 21:51:15   150543
2.2.2.2         4   200    1355    1355      174    0    0 22:27:24   110435

The following commands also help to check the BGP routes and updates:

show ip bgp
show ip route bgp
sh ip bgp neighbors 1.1.1.2 received-routes
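A small check for the peer verification step above, as an added example that is not part of the original post: it parses the `show ip bgp summary` table and reports any peer that is missing, peered with the wrong AS, not Established, or receiving too few prefixes. The sample output is constructed here; only its first two rows mirror the peers configured above.

```python
import re

# Constructed sample of "show ip bgp summary" output, not captured from the post's router;
# the first two rows mirror the peers configured above, the third is a peer that never came up.
SAMPLE_SUMMARY = """\
BGP router identifier 1.1.1.1, local AS number 65550
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
1.1.1.2         4   100    1370    1373      174    0    0 21:51:15   150543
2.2.2.2         4   200    1355    1355      174    0    0 22:27:24   110435
3.3.3.2         4   300      12      15        0    0    0 never     Active
"""

# Columns: Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s*$")

def parse_summary(text):
    """Return {neighbor: {"as", "established", "prefixes", "state"}} from IOS summary output."""
    peers = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        remote_as, last = int(m.group(3)), m.group(10)
        # IOS prints a prefix count in the last column only once the session is
        # Established; otherwise it prints the FSM state (Idle, Active, Connect, ...).
        established = last.isdigit()
        peers[m.group(1)] = {
            "as": remote_as,
            "established": established,
            "prefixes": int(last) if established else None,
            "state": "Established" if established else last,
        }
    return peers

def check_multihome(peers, expected, min_prefixes=1):
    """expected maps neighbor -> remote AS. Returns a list of problems (empty means healthy)."""
    problems = []
    for neighbor, remote_as in expected.items():
        p = peers.get(neighbor)
        if p is None:
            problems.append(f"{neighbor}: not present in BGP summary")
        elif p["as"] != remote_as:
            problems.append(f"{neighbor}: remote AS {p['as']} != expected {remote_as}")
        elif not p["established"]:
            problems.append(f"{neighbor}: session in state {p['state']}")
        elif p["prefixes"] < min_prefixes:
            problems.append(f"{neighbor}: only {p['prefixes']} prefixes received")
    return problems
```

The summary cannot tell you whether the default route itself arrived; use `show ip bgp 0.0.0.0/0` for that.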

There is a possibility that you re-advertise the updates coming from one ISP to the other, which would make your router a transit path between them. You can prevent it by configuring a filter list on the client side that permits only routes with an empty AS path (locally originated) outbound:

ip as-path access-list 1 permit ^$
router bgp 65550
 neighbor 1.1.1.2 filter-list 1 out
 neighbor 2.2.2.2 filter-list 1 out


You can also use a prefix list to filter unwanted BGP prefixes coming from ISP1 and ISP2.


The second phase is how to send the upload traffic. Most of the time the client LAN is on a private IP range, therefore you have to NAT the LAN traffic to access the Internet. Upload traffic that goes to ISP1 has to be NATed to the F0/0 IP (1.1.1.1) and ISP2 traffic has to be NATed to the F0/1 IP (2.2.2.1). If you have done static NAT and ISP1 unknowingly receives packets with ISP2's IP as the source address, ISP1 will drop the traffic.
To overcome this problem you have to NAT based on the outgoing interface. For example, traffic going to ISP1 has to be NATed to the F0/0 IP address dynamically.

Following is the configuration:

ip nat pool isp1natpool 1.1.1.1 1.1.1.1 netmask 255.255.255.252
ip nat inside source route-map NAT2ISP1 pool isp1natpool overload

route-map NAT2ISP1 permit 10
 match ip address 180
 match interface f0/0

access-list 180 permit ip 192.168.0.0 0.0.0.255 any

int f0/0
 ip nat outside

int f1/0
 ip nat inside


Likewise you need to do the NAT for ISP2 as well.

ip nat pool isp2natpool 2.2.2.1 2.2.2.1 netmask 255.255.255.252
ip nat inside source route-map NAT2ISP2 pool isp2natpool overload

route-map NAT2ISP2 permit 10
 match ip address 185
 match interface f0/1

access-list 185 permit ip 192.168.0.0 0.0.0.255 any

int f0/1
 ip nat outside



Now your primary setup is done: you have a multihomed network with failover and load-balancing. If one link goes down, all BGP routes learned over it are removed from the routing table and all traffic goes through the other path. The best path to a particular destination is selected from the BGP table.

Assume you need a particular destination to always go through ISP1. This can be done by setting a higher local preference on the routes for that prefix learned from ISP1.

router bgp 65550
 neighbor 1.1.1.2 route-map set-isp1-local-pref in

route-map set-isp1-local-pref permit 10
 match ip address prefix-list ISP1_IN_LOCAL_PREF
 set local-preference 120

ip prefix-list ISP1_IN_LOCAL_PREF seq 5 permit 140.10.0.0/24
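To see what the local-preference route-map above and the earlier `^$` filter-list actually do to the client's table, here is an added model of both policies (example code, not part of the original post or any router software). The learned routes and their AS paths are constructed; the prefix-list name, peer addresses and AS numbers are taken from the post, and the tie-break on peer address is a simplification of the real BGP decision process.

```python
import re

# Constructed sample Adj-RIB-In (prefix, learned-from peer, AS_PATH) as the client in
# AS 65550 might see it from ISP1 (AS 100) and ISP2 (AS 200); not real routing data.
LEARNED = [
    ("0.0.0.0/0",     "1.1.1.2", [100]),
    ("0.0.0.0/0",     "2.2.2.2", [200]),
    ("140.10.0.0/24", "1.1.1.2", [100, 4000, 5000]),
    ("140.10.0.0/24", "2.2.2.2", [200, 5000]),
    ("10.20.0.0/16",  "1.1.1.2", [100, 6000]),
    ("10.20.0.0/16",  "2.2.2.2", [200, 7000, 6000]),
]
# Mirrors the post's policy: ip prefix-list ISP1_IN_LOCAL_PREF permit 140.10.0.0/24,
# applied inbound from 1.1.1.2 with "set local-preference 120".
ISP1_IN_LOCAL_PREF = {"140.10.0.0/24"}
AS_PATH_ACL_1 = re.compile(r"^$")  # ip as-path access-list 1 permit ^$

def apply_inbound_policy(routes):
    """Attach LOCAL_PREF: default 100, or 120 for listed prefixes learned from ISP1."""
    rib = []
    for prefix, peer, path in routes:
        lp = 120 if (peer == "1.1.1.2" and prefix in ISP1_IN_LOCAL_PREF) else 100
        rib.append({"prefix": prefix, "peer": peer, "as_path": path, "local_pref": lp})
    return rib

def best_paths(rib):
    """Best path per prefix: highest LOCAL_PREF, then shortest AS_PATH.
    Tie-break on lowest peer address is a simplification of the real BGP decision process."""
    best = {}
    for r in rib:
        key = (-r["local_pref"], len(r["as_path"]), r["peer"])
        cur = best.get(r["prefix"])
        if cur is None or key < (-cur["local_pref"], len(cur["as_path"]), cur["peer"]):
            best[r["prefix"]] = r
    return best

def advertised_to(peer, best, filter_list=None):
    """Prefixes this router would announce to `peer`: best paths not learned from that
    peer, optionally restricted by an outbound as-path filter-list (neighbor ... filter-list out)."""
    out = []
    for prefix, r in best.items():
        if r["peer"] == peer:
            continue
        path_str = " ".join(str(a) for a in r["as_path"])
        if filter_list is None or filter_list.search(path_str):
            out.append(prefix)
    return sorted(out)
```

Without the filter-list every best path learned from ISP1 is announced to ISP2 (a route leak); with it nothing leaves, because no learned route has an empty AS path.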


This setup was successfully tested with IOS version c1841-ipbase-mz.124-15.T12.bin. If you encounter any problem while configuring, please let me know.

Thanks

9 comments:

  1. Hello.
    Nice post.
    Where have I to apply the second NAT (traslating to 2.2.2.1), just in F0/1?, or also in F1/0? There are no problem if F1/0 (NAT inside) is traslating LAN network 192.168.0.0/24 to both Public IPs (1.1.1.1 and 2.2.2.1) ??
    Thanks

  2. yes you have to apply to F0/1. I added the configuration now.
    There is no problem, because the NAT will happen based on the path that the traffic takes. Eg: If it chooses ISP1 to access google it will NAT to f0/0 (1.1.1.1). If it chooses ISP2 it will NAT to F0/1 (2.2.2.1).
    This is done through the route map used in natting matches the outgoing interface.
    check.
    route-map NAT2ISP2 permit 10
    match ip address 185
    match interface f0/1

  3. hi can you provide similar configuration if on the client side you have 2 routers instead of just one. Both router connected through a single gigabit connection

    RTR1->iSP1 and RTR2->ISP2

  4. Hi,
    you wrote
    "One limitation of this setup is you can't load-balance traffic like web server, mail server traffic that DNS pointed to since you don't have your own IP addresses. In such cases you have to use one of both ISPs IP addresses"
    If, For example, additionally to that scheme, i will have two public IP blocks from ISPs - 1.1.x.x/27 (ISP1) and 2.2.x.x/27 (ISP2). I will have two DNS servers, on one of them will be IP from ISP1, on other - IP from ISP2. If I will advertise the subnet of 1.x.x/27 to ISP1 and the subnet of 2.2.x.x/27 to ISP2, can this scheme provide the availability of my DNS server if other ISP had fallen? On the client's router will be configured the static NAT...

  5. What if you don't want to NAT and want to route the Public IP's assigned to you instead?

  6. Hi,

    I have the same situation and I need to advertise a whole IP range. I have a range of servers that need access to the internet.

    Here is the situation: the IP range has already been purchased but I want to avoid purchasing an AS number.


    I have one router on my side and two ISPs. If I advertise the IP segment, how could I set preference for ISP1 and make ISP2 the backup for the same subnet?

    Please advise.

    Thanks.

  7. What if I have Public AS and range of ip addresses that I want to advertise through three different ISP, with 2 different ISPs as active and third one to backup first two. Could you please explain.

  8. Make sets of three from your public IP range e.g. SET-A = 1.1.1.0/24, SET-B = 1.1.2.0/24, SET-C = 1.1.3.0/24. Advertise all these sets over each ISP link, but prepend such that SET-A is most preferred over ISP1, first backup for SET-A is ISP2, second backup for SET-A is ISP3... you know what I mean?

  9. What if we just use static default routes to both ISPs? Will it give the same result?
