
IP SLA with BGP Peering on ISP Router

Status
Not open for further replies.

peterlyttle

Technical User
Nov 6, 2006
139
GB
Hello,

I was hoping someone has some advice on this. I was thinking of using IP SLA to advertise our default route via BGP to automate internet failover. However I have a few security concerns with peering with our ISP router.

I can use a route map to filter what gets advertised out/in, but I was hoping for some advice from other people's experience?

Thanks,
Peter
 
Give some more info on your topology. BGP conditional advertisement may be what you are after, but do you need to run BGP? Are you truly multi-homed to different ISPs? Like I said, a little more info would be good.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Currently we have 2 sites that run iBGP internally and eBGP for all WAN connections.

Each site has one internet connection and has a default route to exit via the ISP router should there be no more specific route available.

I was hoping that I could have two 0.0.0.0 0.0.0.0 routes with different AS paths depending on the site. That way, if the local ISP router/connection had a problem, the local 0.0.0.0 route wouldn't be available and traffic would therefore take the alternate route (with the longer AS path).
 
So your ISP advertises a default route to both of your BGP edge routers? If this is the case, then what should be happening is each edge router will prefer the default route that is closest to them (all things being equal, the BGP decision process will drop down to eBGP > iBGP). Are you redistributing this default route into an IGP on each side as well? If the downstream ISP router is no longer reachable due to a circuit outage, then all of the routes should be withdrawn. The CE that has the outage will then flip over to its default route learned via iBGP. You shouldn't need any kind of IP SLA or any other path monitoring tool to get this failover working properly.

Can you talk about your security concerns?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Currently it's just a static route, with no peering or advertising of the route.

But yes, I agree that is what happens if the ISP router goes down, but if the ISP has an outage a few hops away, wouldn't the default route still be advertised (hence the IP SLA aspect)?

Security-wise, it was just the risk of private addresses being advertised out, though I guess I could stop that with a route-map denying anything outbound and only allowing 0.0.0.0 inbound and blocking the rest?
 
Hi

I was just thinking, how are you going to do that: "using IP SLA to advertise our default route via BGP to automate internet fail-over"? So you are to set IP SLA pointing to the ISP router (which is your eBGP peer)? Or you are to point IP SLA to one of your edge routers or your hub router, perhaps? For the fail-over, you can use HSRP, in which if your IP SLA is not reaching whatever device you pointed your edge router to, then it will automatically fail over to the secondary edge router. Will an asymmetric pattern affect your applications? Because you can configure BGP on both ISPs to be active.
 
I was hoping to configure the IP SLA on the ISP router to track google.com, the next hop from the ISP router, etc. I would then peer with the ISP router and have a route-map filtering only the 0.0.0.0 inbound and nothing outbound.

The internet connections are on two different sites / subnets and the local connection would be primary for that site and remote site would be a backup connection.
 
I don't think you need to run BGP in this configuration. It sounds like all you need to use is floating static routes with the track option. Are you running an IGP?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
We're running iBGP internally. The only reason I suggested the BGP peering was that we've been trying to keep it all dynamic, as static routes have been the bane of our lives, especially when failover to a VPN happens and stuff stops working. Hence the suggestion to have everything under BGP (i or e), which would be easier from an admin point of view, especially for people who are not so proficient with routing.
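
The filtering policy discussed in this thread (accept only 0.0.0.0 inbound from the ISP router, advertise nothing outbound), written out as a Cisco IOS configuration. This is an added example, not configuration posted by anyone in the thread; the AS numbers, the neighbor address and the prefix-list and route-map names are assumptions that use documentation ranges.

```cisco
! Constructed example. Assumed values, not from the thread:
!   AS 64500 = local site, AS 64511 = ISP, 192.0.2.1 = ISP router.
!
! Matches exactly 0.0.0.0/0 and nothing else.
! Caution: "permit 0.0.0.0/0 le 32" would instead match EVERY prefix.
ip prefix-list PL-DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
! Matches every IPv4 prefix of any length (used below to deny all).
ip prefix-list PL-ANY seq 5 permit 0.0.0.0/0 le 32
!
! Inbound: accept the default route only. Anything that does not
! match falls through to the route-map's implicit deny.
route-map RM-ISP-IN permit 10
 match ip address prefix-list PL-DEFAULT-ONLY
!
! Outbound: explicitly deny all prefixes, so internal or private
! address space cannot be advertised to the ISP.
route-map RM-ISP-OUT deny 10
 match ip address prefix-list PL-ANY
!
router bgp 64500
 neighbor 192.0.2.1 remote-as 64511
 neighbor 192.0.2.1 description ISP router (eBGP)
 address-family ipv4
  neighbor 192.0.2.1 activate
  neighbor 192.0.2.1 route-map RM-ISP-IN in
  neighbor 192.0.2.1 route-map RM-ISP-OUT out
 exit-address-family
```

Once the session is up, `show ip bgp neighbors 192.0.2.1 advertised-routes` should list no prefixes and `show ip bgp neighbors 192.0.2.1 routes` should list only 0.0.0.0.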
 