Visitor
mpgioia
Posts: 5
Registered: ‎06-07-2010
0

BGP - Single CPE, Dual ISP, Single remote AS, Load Balancing based on prefix matching

Hi peoples,

 

I have the following scenario (attached BGP topology.jpg).

 

I'm just throwing some ideas out there, so bear with me.

 

I'd love to do some prefix based route preferencing.  I have a few public prefixes used for public facing services.

A particular /29 public routed segment given to me by my ISP is preferenced to be fired down the link between PE2 and my CPE.  This ingress manipulation can work, no problems.  SP confirmed.

 

The other prefixes take the path of the link between PE1 and my CPE.  Including a default route, is shot down here.  Again, no issues, for ingress.

 

SP has yet to come back to me, but they will most likely tell me to use MEDs or AS-Path prepending to achieve this, right?

 

It's the return traffic that needs to be facilitated from this special /29 prefix range.  The destination IP address is theoretically anywhere (0.0.0.0/0), aka out on the net.  I want to force the return traffic that originally hit this /29 range back via the link to the PE1, to maintain symmetry of flow.  If this were WAN connectivity, then it would be OK, aka known destination dotted decimals being targeted, but with the Internet, it's a lot harder.  Or am I looking into this too deeply?

 

Is this at all possible? Some snippets of configs would be great, if anyone can share.

Visitor
mpgioia
Posts: 5
Registered: ‎06-07-2010
0

Re: BGP - Single CPE, Dual ISP, Single remote AS, Load Balancing based on prefix matching


Just to be clear.

 

I'll run through my scenario....

- WWW (80) TCP packet is sourced from a client out there in the Internet, destined to our server in this special /29 prefix range

- SP knows to preference the packet down the PE1 to CPE link

- It gets NAT'd on our firewall (cursory step, but I'll put it in for completeness) to an internal address (DMZ subnet)

- TCP+SYN packet is generated from WWW server

- Goes through reverse translation, source address of this packet is once again in the /29 range

- Now..... our firewall, running the BGP process to each PE, he needs to maintain symmetry, and route this TCP+SYN back down the PE1 to CPE link.

 

All other traffic is meant to go down the CPE to PE2 link.  So the default route is preferenced higher that way.

 

How am I going to influence this return packet down the other way ?

 

Match on source address and manipulate local preference on this match ?

Trusted Contributor
kurapati
Posts: 32
Registered: ‎01-23-2011
0

Re: BGP - Single CPE, Dual ISP, Single remote AS, Load Balancing based on prefix matching

You can use Filter Based Forwarding in this case.

 

Very preliminary config below:

 

Assuming 151.1.1.2 is PE1 and 151.1.2.2 is PE2:

 

Create 2 routing-instances:

PE1 {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 151.1.1.2;
        }
    }
}
PE2 {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 151.1.2.2;
        }
    }
}

 

Import interface routes to both the routing-instances:

Pavan@CE# show routing-options
interface-routes {
    rib-group inet interfaces;
}
rib-groups {
    interfaces {
        import-rib [ inet.0 PE1.inet.0 PE2.inet.0 ];
    }
}

 

Configure a firewall filter which matches on source IP address and diverts traffic to one of these routing-instances based on your preferred source IP address.

Here, I have considered 201.201/16 to go to PE1 and 204.204/16 to go to PE2 (I can make all the rest go to PE2 as well).

 

Pavan@CE# show firewall
family inet {
    filter SOURCE-FILTER {
        term term2 {
            from {
                source-address {
                    204.204.0.0/16;
                }
                destination-address {
                    101.101.0.0/16;
                }
            }
            then {
                routing-instance PE2;
            }
        }
        term term1 {
            from {
                source-address {
                    201.201.0.0/16;
                }
                destination-address {
                    101.101.0.0/16;
                }
            }
            then {
                routing-instance PE1;
            }
        }
        term term3 {
            then accept;
        }
    }
}

Apply this to your ingress interfaces as input filter

so-4/2/0 {
    encapsulation ppp;
    unit 0 {
        family inet {
            filter {
                input SOURCE-FILTER;
            }
            address 151.1.2.1/30;
        }
    }
}

 

I just tried it on my setup: traceroute from a router behind CE, and this is how it shows:

 

Pavan@C2# run traceroute 101.101.0.1 source 204.204.0.1   
traceroute to 101.101.0.1 (101.101.0.1) from 204.204.0.1, 30 hops max, 40 byte packets
 1  141.1.1.2 (141.1.1.2)  0.551 ms  0.423 ms  0.332 ms
 2  10.1.0.2 (10.1.0.2)  0.514 ms  0.501 ms  0.440 ms
 3  151.1.2.2 (151.1.2.2)  0.592 ms  0.555 ms  0.478 ms <------------ Going to PE2
 4  101.101.0.1 (101.101.0.1)  0.725 ms  0.580 ms  0.553 ms

[edit]
Pavan@C2#

[edit]
Pavan@C2# run traceroute 101.101.0.1 source 201.201.0.1   
traceroute to 101.101.0.1 (101.101.0.1) from 201.201.0.1, 30 hops max, 40 byte packets
 1  141.1.1.2 (141.1.1.2)  0.516 ms  0.373 ms  0.329 ms
 2  10.1.0.2 (10.1.0.2)  0.511 ms  0.472 ms  0.444 ms
 3  whatsup01.IT.net (151.1.1.2)  0.465 ms  0.434 ms  0.456 ms <------------- Going to PE1
 4  101.101.0.1 (101.101.0.1)  0.671 ms  0.592 ms  0.571 ms

[edit]
Pavan@C2#

 

Please accept solution if it works & Kudos if you feel it helped solve your problem

Pavan Kurapati
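
Added example (not part of the post above and not Juniper code): a simplified Python model of the lookup path that the posted filter, forwarding instances and rib-group set up, showing first-match term order, why a non-matching destination falls through to inet.0, and why the instance default is unusable without the imported interface routes. Assumptions: the inet.0 default via 151.1.2.2, the 151.1.1.0/30 subnet for the PE1 link, and the 192.0.2.8/29 placeholder standing in for the /29 from the original question.

```python
import ipaddress as ip

# Filter terms from the post, evaluated top-down; the first match wins.
TERMS = [
    ("term2", "204.204.0.0/16", "101.101.0.0/16", "PE2"),
    ("term1", "201.201.0.0/16", "101.101.0.0/16", "PE1"),
    ("term3", "0.0.0.0/0", "0.0.0.0/0", "inet.0"),  # "then accept": normal lookup
]
# Static default next hop per table; the inet.0 entry is an assumption.
STATICS = {"PE1": "151.1.1.2", "PE2": "151.1.2.2", "inet.0": "151.1.2.2"}
# Interface (direct) routes: 151.1.2.0/30 is from so-4/2/0, 151.1.1.0/30 is assumed.
DIRECT = ["151.1.1.0/30", "151.1.2.0/30"]

# Variant for Internet return traffic: match on source only (constructed /29).
SRC_ONLY = [("svc29", "192.0.2.8/29", "0.0.0.0/0", "PE1"), TERMS[2]]


def build_rib(table, rib_group=True):
    """Routes in one table: imported interface routes plus the static default."""
    rib = {}
    if rib_group or table == "inet.0":
        rib = {ip.ip_network(p): "direct" for p in DIRECT}
    nh = ip.ip_address(STATICS[table])
    # The static default is only usable if its next hop sits on a direct route.
    if any(nh in net for net in rib):
        rib[ip.ip_network("0.0.0.0/0")] = str(nh)
    return rib


def classify(src, dst, terms=TERMS):
    """Return (term name, routing table) for the first term that matches."""
    for name, s, d, table in terms:
        if (ip.ip_address(src) in ip.ip_network(s)
                and ip.ip_address(dst) in ip.ip_network(d)):
            return name, table


def forward(src, dst, terms=TERMS, rib_group=True):
    """Return (term, table, next hop); a next hop of None means discarded."""
    name, table = classify(src, dst, terms)
    rib = build_rib(table, rib_group)
    hits = [net for net in rib if ip.ip_address(dst) in net]
    best = max(hits, key=lambda net: net.prefixlen, default=None)
    return name, table, rib.get(best)


if __name__ == "__main__":
    for src, dst in [("204.204.0.1", "101.101.0.1"), ("201.201.0.1", "8.8.8.8")]:
        print(src, "->", dst, forward(src, dst))
    print(forward("192.0.2.10", "8.8.8.8", SRC_ONLY))
```

With the posted terms, a packet from 201.201.0.1 to a destination outside 101.101.0.0/16 lands in term3 and follows inet.0; the source-only variant is what keeps the /29's replies on one link regardless of destination.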
Visitor
areefhxc
Posts: 1
Registered: ‎04-17-2012
0

Re: BGP - Single CPE, Dual ISP, Single remote AS, Load Balancing based on prefix matching

Hi Pavan,

Does your explanation also cover redundancy?

 

 

Sincerely,

 

Arif
