BGP Single Site Multi Homing

Single Site Multi Homing
March, 2004

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
http://www.cisco.com
Tel: 408 526-4000
     800 553-NETS (6387)
Fax: 408 526-4100




THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Single Site Multi HomingCopyright © 2004 Cisco Systems, Inc. All rights reserved.

CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, MGX, MICA, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, ScriptShare, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.

All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0304R)


Version 1.0

Contents

Single Site Multi Homing 1

Internet Edge Design Guidance 1

High Availability 1

Scalability 3

Intelligent Network Services 3

HSRP 3

Internal Routing 4

Edge Routing 4

Design Caveats 6

Design Recommendations 7

Internet Edge Design Fundamentals 7

Border Routers 8

Layer 2 Switching Layer 9

Firewall Layer 9

Layer 3 Switching Layer 9

Implementation Details 9

Single Site Multi-Homing Topology 9

Internet Cloud Router BGP 10

Primary Customer Configurations 11

Secondary Customer Configurations 11

BGP Attributes 11

Controlling Outbound Routes 12

Controlling Inbound Routes 13

Security Considerations 14

Index


Single Site Multi Homing

This document clarifies and identifies typical single site Internet edge designs. It encompasses the core design principles associated with all network infrastructure designs, together with the unique requirements that are relevant to Internet edge topologies. Like any infrastructure design, these solutions must be highly scalable while maintaining the key aspects of redundancy and security. Last but not least, the solution as a whole must not be too complex to manage. The key redundancy function associated with this type of design is the resiliency of having ISP connections to two or more providers, depending on the bandwidth requirements of the server farm architecture or of any other Internet services. Connecting to two or more Internet providers is referred to as multi-homing.

Internet Edge Design Guidance

As mentioned above, Internet edge solutions touch many different types of enterprise networks and therefore may have many different topologies. They can range from a remote office connection to a major ISP peering point. Therefore, maintaining common design principles allows you to apply these recommendations to almost all Internet edge topologies.

High Availability

In the single ISP topology, redundancy at the edge is a moot point because if the primary edge router fails, the Internet connection goes down. Therefore defining redundancy at the edge of the network has no beneficial effect. However, when the provider supplies two terrestrial circuits, as depicted below, you can take advantage of the redundancy offered by multi-homing. Figure 1 displays a multi-homed topology.


Figure 1 Single Site Multi-Homing

Internet edge topologies consist of multiple layers. There must be no single point of failure within the network architecture. Therefore, complete device redundancy in this architecture is a necessity. These redundant devices, coupled with specific Layer 2 and Layer 3 technologies, help achieve redundancy. To meet this requirement, the Internet edge topologies use some of the key functions of the IOS software. The Layer 2 features used include:

• Port fast

• Bridge Protocol Data Unit (BPDU) Guard and Root Guard

• Broadcast Suppression

• Uplinkfast

• Etherchannel

• Unidirectional Link Detection (UDLD)

[Figure 1 labels: Edge connectivity, Edge routing, Edge security, Server farms architectures, SP 1, SP 2, Internet]


The above technologies improve convergence and reduce operational downtime. They also offer basic security functions to protect against rogue devices on the network that become malicious in the event of a network attack.

The Layer 3 features used for high availability offer redundant default gateways for networked hosts and provide a predictable traffic flow both in normal operating conditions and under the adverse conditions surrounding a network link or device failure. The Layer 3 features include:

• Hot Standby Router Protocol (HSRP)

• Multi-group Hot Standby Router Protocol (MHSRP)

• Dynamic routing protocol metric tuning (EIGRP and OSPF)

HSRP and Multigroup HSRP offer Layer 3 gateway redundancy while the dynamic routing protocols offer a look into network availability from a higher level.

Scalability

The network architecture must be scalable to accommodate growth in the number of users supported, as well as unforeseen bursts in network traffic. While feature availability and processing power of network devices are important design considerations, physical capacity attributes, like port density, can limit architecture scalability. Within the border layer of this topology, the termination of circuits can become a burden on device scalability. Improper memory provisioning on a device can cause performance to degrade and hence cause the device to process traffic at a slower rate. These principles apply equally to the capacities of the firewall layer and the Layer 3 switching layer. Port density scalability is important at the Layer 3 switching layer because it provides additional connections for host devices, in this case, servers.

Intelligent Network Services

In all network topologies, the intelligent network services present in IOS software releases, such as QoS, and high availability technologies, such as HSRP, are used to ensure network availability. For instance, with QoS, the priority bits in the IP header of a packet can be set to give that packet a higher priority on the network than other packets.

HSRP

HSRP enables a set of routers to work together to present the appearance of a single virtual router or default gateway to the hosts on a LAN. HSRP is particularly useful in fault tolerant network environments running critical applications. By sharing an IP and MAC address, two or more routers acting as one virtual router are able to transparently assume the routing responsibility in the event of a defined outage or an unexpected failure. This allows hosts on a LAN to continue to forward IP packets to a consistent IP and MAC address enabling the transparent changeover of routing devices during a failure.

HSRP allows administrators to configure Hot Standby Groups to share responsibility for an IP address. Administrators give each router a priority, which weights that router's standing in the active router election. One router in each group is the active forwarder and one is the standby; this determination is made according to the routers' configured priorities. The router with the highest priority wins and, in the event of a priority tie, the higher configured IP address breaks the tie. Other routers in the group monitor the active and standby routers' status to enable further fault tolerance. All HSRP routers participating in a standby group watch for hello packets from the active and the standby routers. All routers in the group learn the hello and dead timers from the active router, as well as the IP address of the standby router, if these parameters are not explicitly configured on each individual router. Although this process is dynamic, it is recommended that the network administrator define the HSRP dead timers. If the active router becomes unavailable due to scheduled maintenance, power failure, or other reasons, the standby router transparently assumes the role of the active router within a few seconds. This changeover occurs when the dead timer is reached or when three successive hello packets are missed. The standby router promptly takes over the virtual address and the identity of the active router during its failure. When the secondary interface assumes mastership, the new master sends a gratuitous ARP, which updates the CAM (Content Addressable Memory) table on the Layer 2 switch. This then becomes the primary path for the devices using this gateway. Configure these HSRP timers on a per-HSRP-instance basis.

Internal Routing

Before discussing the basic ways you can connect autonomous systems (AS) to ISPs, some basic routing terminology and concepts must be discussed. There are three basic routing approaches: static routing, default routing and dynamic routing.

• Static routing refers to route destinations manually configured in the router. Network reachability in this case is not dependent on the existence and state of the network itself. Whether a destination is up or down, the static routes remain in the routing table, and traffic is still sent toward that destination.

• Default routing refers to a “last resort” outlet. Traffic to destinations that are unknown to the router are sent to that default outlet. Default routing is the easiest form of routing for a domain connected to a single exit point.

• Dynamic routing refers to routes learned via an internal or external routing protocol. Network reachability is dependent on the existence and state of the network. If a destination is down, the route disappears from the routing table and traffic is not sent toward that destination.

These three routing approaches are possibilities for all the AS configurations considered in upcoming sections, but there is an optimal approach. Thus, in illustrating different ASs, this document considers whether static, dynamic, default, or some combination of these routing methods is optimal. This document also considers whether interior or exterior routing protocols are appropriate. You can use Interior Gateway Protocols (IGPs) to advertise your network internally. Use an IGP between your network and your ISP's network to redistribute routes internally. This has all the benefits of dynamic routing, where network information and changes are dynamically sent to the ISP. Also, the IGP distributes the network routes upstream to the BGP function.

Edge Routing

BGP performs interdomain routing in TCP/IP networks. BGP is an exterior gateway protocol (EGP), which means that it performs routing between multiple ASs or domains and exchanges routing and reachability information with other BGP systems.

BGP replaces its predecessor, the now obsolete Exterior Gateway Protocol (EGP), as the standard exterior gateway routing protocol used in the global Internet. It solves serious problems found in EGP and scales to Internet growth more efficiently. As with any routing protocol, BGP maintains routing tables, transmits routing updates, and bases routing decisions on routing metrics. The primary function of a BGP system is to exchange network reachability information, including information about the list of AS paths, with other BGP systems. This information is used to construct a graph of AS connectivity from which routing loops can be pruned and AS-level policy decisions enforced. Each BGP router maintains a routing table that lists all feasible paths to a particular network. The router does not periodically refresh the routing table; instead, routing information received from peer routers is retained until the router receives an incremental update.


BGP devices exchange routing information upon initial data exchange and during incremental updates. When a router first connects to the network, BGP routers exchange their entire BGP routing tables. However, when the routing table changes, routers send only the changed portion of their routing table. BGP routers do not send regularly scheduled routing updates and BGP routing updates advertise only the optimal path to a network.

BGP uses a single routing metric to determine the best path to a given network. This metric consists of an arbitrary unit number that specifies the degree of preference of a particular link. The BGP metric is typically assigned to each link by the network administrator. The value assigned to a link is based on any number of criteria, including the number of ASs through which the path passes, stability, speed, delay, or cost.

BGP performs three types of routing:

• Interautonomous system routing

• Intra-autonomous system routing

• Pass-through autonomous system routing

Interautonomous system routing occurs between two or more BGP routers in different ASs. Peer routers in these systems use BGP to maintain a consistent view of the internetwork topology. BGP neighbors communicating between ASs must reside on the same physical network. The Internet serves as an example of an entity that uses this type of routing because it contains ASs or administrative domains. Many of these domains represent the various institutions, corporations, and entities that make up the Internet. BGP is frequently used to provide path determination that creates optimal routing within the Internet.

Intra-autonomous system routing occurs between two or more BGP routers located within the same AS. Peer routers within the same AS use BGP to maintain a consistent view of the system topology. BGP is also used to determine which router serves as the connection point for specific external ASs. Once again, the Internet provides an example of interautonomous system routing. An organization, such as a university, can make use of BGP to provide optimal routing within its own administrative domain or AS. The BGP protocol provides both inter- and intra-autonomous system routing services.

Pass-through autonomous system routing occurs between two or more BGP peer routers that exchange traffic across an AS that does not run BGP. In a pass-through AS environment, the BGP traffic does not originate within the AS in question and is not destined for a node in that AS. BGP must interact with the intra-autonomous system routing protocol available in that AS to successfully transport BGP traffic through it.


Figure 2 E-BGP and I-BGP

[Figure 2 labels: E-BGP Instance, I-BGP Instance, SP 1, SP 2, Internet]

Design Caveats

When implementing an Internet edge topology, you cannot take certain common design principles for granted. For example, the addressing of an Internet edge topology requires careful consideration. More specifically, if you have not received a registered address space for your entire network infrastructure from the American Registry for Internet Numbers (ARIN), then you must get your addresses from the upstream providers. This assumes that each provider gives you a contiguous block within that ISP's address range, which makes it impossible for you to advertise each of these blocks to the other upstream ISP's routers. If you are peering with multiple ISPs and using the addresses of one of the two networks, it is difficult for the other ISP to advertise the routes of your address space, because the network address is most likely summarized at a different peering point within the ISP network. Therefore, the addressing remains limited to the ISP block supplied by the respective ISP. If you were to advertise these address ranges, you would run the risk of becoming a transit network in the Internet backbone, which means that some of the peers on one ISP backbone could perceive your network topology as a closer route to the other ISP backbone.

This issue is also apparent in instances where you use the same network addressing as the I-BGP instance and advertise yourself as a more attractive route to each of the ISPs.

Another issue associated with this type of design is the DNS (Domain Name Service) resolution of the associated address schemes. For instance, if you were to address the server farm with the address block from ISP A and advertise this address via DNS, that A record might not be reachable for many users on the Internet, because the advertisement is tied to a specific ISP route. In the event of a failure in which the primary ISP that holds that address range is no longer reachable, you would blackhole the entire web site.

Therefore, the workaround is to have multiple DNS A records associated with the same Virtual IP Address (VIP). The DNS server returns two different A records for the same server farm, using an address from each of the two address blocks supplied by the upstream ISPs. Build this redundancy into your DNS implementation by defining a DNS round robin between the two A records associated with this site.

Design Recommendations

Internet Edge Design Fundamentals

As mentioned above, Internet edge topologies are present in every Internet-facing network; however, the scale of these topologies may differ. These topologies are increasingly important to business functions, and their scalability must not be overlooked. Below are the details of the functional layers of the Internet edge topology and how they interact with one another. Complete redundancy is imperative in this type of architecture.


Figure 3 Physical Layer Topology

Border Routers

The border routers, typically deployed in pairs, are the edge-facing devices of the network. The quantity of border routers is a provisioning decision based on memory requirements and physical circuit termination. The border routers are the point at which ISP termination and initial security parameters are provisioned. The border router layer serves as the gateway of the network and utilizes an externally facing Layer 3 routing protocol like BGP integrated with an internally facing routing protocol, such as EIGRP or OSPF, to intelligently route traffic throughout the external and internal networks, respectively. The internet edge in an enterprise environment may provide internet connectivity to an ISP through the use of single-homed core routers, or to several ISPs using multi-homed core routers.

[Figure 3 labels: Border router, Layer 2 switching, Firewall security, Layer 3 switching; border routers R1 and R2 running HSRP (E0 .253/.254, E1 .253/.254, VLAN 6 F3/1 .2/.3, VLAN 10 F3/3 .254); upstream BGP AS 1 and BGP AS 2, customer BGP AS 100; subnets 172.16.10.X, 172.16.11.X, 172.16.20.X, 172.18.21.X, 172.16.100.X (laptop 172.16.100.1, DG 172.16.100.254); CE1 F1/0 172.16.25.5/24 and 172.16.25.6/24]


Layer 2 Switching Layer

Beneath the border layer is the Layer 2 switching layer. This layer functions as a security gateway by offering physical separation between the border routers, firewalls and internal Layer 3 switching platforms. This layer also offers HA (high availability) services such as HSRP and stateful firewall failover. You must consider the aggregate throughput of the external links when engineering this platform.

Firewall Layer

The firewall layer is a security layer that provides stateful packet inspection for traffic into the network infrastructure and to the services and applications offered in the server farm and database layers. This layer acts as the network address translation (NAT) device in most design topologies. NAT at the Internet edge is common because of the ever-depleting IPv4 address pool available to ISPs: many ISPs provide only a limited address range, which requires you to define NAT pools at the egress point of the topology on the firewall layer.

Layer 3 Switching Layer

The Layer 3 switching layer is the final layer in the Internet edge topology and is also a functional layer of the server farm design. It may act as either a core layer or an aggregation layer in some design topologies. Yet its primary function, from the standpoint of the Internet edge design, is to advertise the IGP routing protocol internally to the infrastructure, as well as the static routes defined upstream toward the firewall layer. This layer is the termination point for the IGP internal to the infrastructure. This is a necessity because, in the Internet edge design, the PIX firewall layer is the default route from the internal network; this route is redistributed internally as the gateway of last resort, the 0.0.0.0 route.

Implementation Details

Single Site Multi-Homing Topology

Below are the configuration details associated with the single site multi-homing design. In this section, the router configurations were taken from the primary router, R1, as depicted in Figure 4.


Figure 4 Internet Edge Test Topology

[Figure 4 labels: the same test topology as Figure 3 (border routers R1 and R2 running HSRP, upstream BGP AS 1 and BGP AS 2, customer BGP AS 100, subnets 172.16.10.X, 172.16.11.X, 172.16.20.X, 172.16.100.X, CE1 F1/0 172.16.25.5/24 and 172.16.25.6/24)]

Internet Cloud Router BGP

router bgp 1
 no synchronization
 bgp log-neighbor-changes
 network 1.0.0.0
 network 2.0.0.0
 network 3.0.0.0
 network 4.0.0.0
 network 5.0.0.0
 network 6.0.0.0
 network 7.0.0.0
 network 8.0.0.0
 network 9.0.0.0
 network 100.0.0.0
 redistribute connected
 neighbor 172.16.10.254 remote-as 100
 neighbor 172.16.11.254 remote-as 100
 no auto-summary

router bgp 2
 no synchronization
 bgp log-neighbor-changes
 network 1.0.0.0
 network 2.0.0.0
 network 3.0.0.0
 network 4.0.0.0
 network 5.0.0.0
 network 6.0.0.0
 network 7.0.0.0
 network 8.0.0.0
 network 9.0.0.0
 network 100.0.0.0
 redistribute connected
 neighbor 172.16.10.254 remote-as 100
 neighbor 172.16.11.254 remote-as 100
 no auto-summary

Primary Customer Configurations

router bgp 100
 bgp log-neighbor-changes
 network 172.16.10.0
 network 172.16.21.0
 redistribute connected
 neighbor 172.16.10.1 remote-as 1
 neighbor 172.16.21.254 remote-as 100
 neighbor 172.16.21.254 next-hop-self

Secondary Customer Configurations

router bgp 100
 bgp log-neighbor-changes
 network 172.16.11.0
 network 172.16.20.0
 redistribute connected
 neighbor 172.16.11.1 remote-as 2
 neighbor 172.16.21.1 remote-as 100
 neighbor 172.16.21.1 next-hop-self

BGP Attributes

BGP attributes control both inbound and outbound network routes. These attributes can be adjusted to control the decision making process of BGP itself. The BGP attributes are a set of parameters that describe the characteristics of a prefix (route). The BGP decision process uses these attributes to select the best routes. The next few sections cover these attributes and how they can be manipulated to affect the routing behavior.


Controlling Outbound Routes

Weight Attribute

The weight attribute is a proprietary Cisco attribute used for path selection when there are multiple routes to the same destination. This occurs when you want to use both outbound links in conjunction. The weight attribute is local to the router on which it is assigned and is not propagated in routing updates. By default, the weight attribute is 32768 for paths that the router originates and zero for other paths. Routes with a higher weight are preferred when there are multiple routes to the same destination.

Below are sample configurations for the weight attribute, which is a default attribute in Cisco IOS.

Define a weight statement as follows to control route updates from a specific ISP AS on the primary router:

Router R1

router bgp 100
 neighbor 172.16.10.1 remote-as 1
 neighbor 172.16.10.1 filter-list 5 weight 2000
 neighbor 172.16.21.254 remote-as 100
 neighbor 172.16.21.254 next-hop-self
 neighbor 172.16.21.254 filter-list 6 weight 1000
!
ip as-path access-list 5 permit ^1$
ip as-path access-list 6 permit ^100$

In the above example, a weight of 2000 is assigned to updates from the neighbor router at IP address 172.16.10.1 that are permitted by access list 5. Access list 5 permits updates whose AS_path attribute starts with 1 (as specified by ^) and ends with 1 (as specified by $).

Note: The ^ and $ symbols are used to form regular expressions. For a complete explanation of regular expressions, see the appendix on regular expressions in the Cisco Internetwork Operating System (Cisco IOS) software configuration guides and command references.

This example also assigns 1000 to the weight attribute of updates from the neighbor at IP address 172.16.21.254 that are permitted by access list 6. Access list 6 permits updates whose AS_path attribute starts with 100 and ends with 100.

In effect, this configuration assigns 2000 to the weight attribute of all route updates received from AS 1 and assigns 1000 to the weight attribute of all route updates from AS 100. This implies that the majority of the traffic would be routed to the upstream E-BGP instance rather than the I-BGP instance. This assumes that the ISP connection associated with each border router is the primary route for this router. This type of design topology is most beneficial when the I-BGP routes can be re-distributed internally to the network topology.

Below is the R2 configuration of the weight attribute as well. In this design, the primary route is the ISP link terminated on the border router itself.

Local Preference

Setting the local preference also affects the BGP decision process. If multiple paths for the same prefix are available, the path with the larger local preference is preferred. Local preference is at the highest level of the BGP decision process (it comes after the Cisco proprietary weight parameter) and is considered before the path length. A longer path with a higher local preference is preferred over a shorter path with a lower local preference. The following configuration depicts the commands needed to set up local preference routing. The configurations below are from the primary border router R1.

This is the routing configuration to define the BGP parameter:

router bgp 100
 no synchronization
 network 172.16.10.0 mask 255.255.255.0
 network 172.16.20.0 mask 255.255.255.0
 neighbor 172.16.21.254 remote-as 100
 neighbor 172.16.21.254 next-hop-self
 neighbor 172.16.10.1 remote-as 1
 neighbor 172.16.10.1 filter-list 10 out
 neighbor 172.16.10.1 route-map SETLOCAL in
 no auto-summary

The configurations below are defined to associate a route map with the incoming routes. Apply this access list to the router that you want to define as the primary router.

ip as-path access-list 10 permit ^$
route-map SETLOCAL permit 10
 set local-preference 150

The route-map SETLOCAL assigns a local preference of 150 for all routes coming from the upstream router in the ISP cloud (note the keyword in). With this configuration, the local preference attribute of any update coming from AS 1 is set to 150.

Also, define a local preference on the secondary border router with the following configuration.

router bgp 100
 no synchronization
 network 172.16.10.0 mask 255.255.255.0
 network 172.16.20.0 mask 255.255.255.0
 neighbor 172.16.21.1 remote-as 100
 neighbor 172.16.21.1 next-hop-self
 neighbor 172.16.11.1 remote-as 2
 neighbor 172.16.11.1 filter-list 10 out
 neighbor 172.16.11.1 route-map SETLOCAL in
 no auto-summary

This configuration defines the route map configured for the ISP AS 2.

ip as-path access-list 10 permit ^$
route-map SETLOCAL permit 10
 set local-preference 200

The route-map SETLOCAL assigns a local preference of 200 to all routes coming from the upstream router in the ISP cloud (note the keyword in). With this configuration, the local preference attribute of any update coming from AS 2 is set to 200.

Controlling Inbound Routes

In Internet edge topologies, controlling the routes you advertise outbound is first and foremost: those advertisements are how your address space is seen by the world, and by default they also determine how traffic returns to your site. Shaping what each ISP hears therefore lets you influence how much traffic arrives over each ISP link. More specifically, if you want all traffic to leave your topology over one ISP link while all traffic destined to the topology arrives over the other ISP link, implement AS prepending on the advertisements sent over the link that should carry less inbound traffic. This is the most common deployment where a network administrator does not want to leave a link idle.


AS Path Attribute

Whenever an update passes through an AS, BGP prepends that AS number to the update. The AS_PATH attribute is the list of AS numbers an update has traversed to reach a destination. (An AS_SET is an unordered set of AS numbers, used when several paths are summarized into one aggregate route.) This becomes relevant when a network administrator wants to add extra copies of the local AS number to updates sent to an upstream provider, in order to make that path less attractive to the upstream ISP's routers. After weight and local preference, which are local to each AS, BGP prefers the path with the shortest AS_PATH, so the longer the AS_PATH associated with a specific link, the less attractive that link is to routers elsewhere in the topology. Prepending only influences the choice: a provider that assigns a higher local preference to the longer path will still use it, so verify the effect from outside your network rather than assuming it.

AS Prepend Configuration

The following configuration was taken from router R1 as depicted in Figure 4 above.

R1 was previously defined as the router with the higher local preference, so outbound traffic leaves through R1. To balance that, the inbound side is controlled on R1 as well: R1 prepends its AS number to the prefixes it advertises to AS 1, which makes the path through R2 and AS 2 the more attractive route to our advertised address space. The result is that egress favors R1 and ingress favors R2, distributing the load across both routers and both links.

router bgp 100
 network 172.16.10.0 mask 255.255.255.0
 network 172.16.20.0 mask 255.255.255.0
 neighbor 172.16.21.254 remote-as 100
 neighbor 172.16.21.254 next-hop-self
 neighbor 172.16.10.1 remote-as 1
 neighbor 172.16.10.1 route-map AddASnumbers out
 no auto-summary

route-map AddASnumbers permit 10
 set as-path prepend 100 100

In the above configuration, the route map prepends two additional copies of AS 100 to every prefix advertised to the ISP in AS 1. Because the router also prepends its own AS number when it sends the update across the eBGP session, AS 1 sees an AS_PATH of 100 100 100, while AS 2 receives the same prefixes from R2 with an AS_PATH of 100. Prepend only your own AS number: inserting another AS's number into the path causes that AS to reject the route through BGP loop detection. This excerpt shows only the outbound route map; keep the filter-list 10 out and the SETLOCAL route map from the earlier R1 configuration in place alongside it, so that only the site's own prefixes are advertised, prepended, to AS 1.
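The three mechanisms described above (the SETLOCAL route map applied inbound on R1 and R2, the ^$ AS-path filter list applied outbound, and the AddASnumbers prepend on R1) can be checked together in a small model. The following Python is an added example, not code from this guide or from Cisco: it keeps the guide's AS numbers, prefixes and neighbor addresses, makes up the ISP-side routes (a destination 203.0.113.0/24 reached through an assumed AS 3), the router IDs and a remote AS 3 observer, and implements only the weight, local-preference, AS_PATH-length and router-ID steps of the Cisco best-path algorithm.

```python
"""Model of the R1/R2 policy: inbound local preference, the ^$ AS-path filter
and outbound AS prepending, evaluated with a simplified best-path comparison.
Constructed example; ISP-side routes, router IDs and AS 3 are assumptions."""
import re
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple           # leftmost entry is the AS that most recently sent it
    next_hop: str
    local_pref: int = 100    # IOS default local preference
    weight: int = 0          # Cisco-specific, never leaves the router
    router_id: str = "0.0.0.0"

    def as_path_str(self):
        return " ".join(str(a) for a in self.as_path)


def route_map_setlocal(route, local_pref):
    """'route-map SETLOCAL permit 10 / set local-preference N', applied inbound."""
    return replace(route, local_pref=local_pref)


def route_map_prepend(route, *asns):
    """'set as-path prepend 100 100', applied outbound before the eBGP export."""
    return replace(route, as_path=tuple(asns) + route.as_path)


def filter_list(route, regex):
    """'filter-list 10 out' with 'ip as-path access-list 10 permit ^$': IOS matches
    the regex against the space-joined AS_PATH of the route as it sits in the local
    table, so '^$' permits only prefixes originated by this AS."""
    return re.search(regex, route.as_path_str()) is not None


def export_ebgp(route, own_as):
    """On an eBGP session the sender prepends its own AS number once."""
    return replace(route, as_path=(own_as,) + route.as_path)


def best_path(candidates):
    """First steps of the Cisco best-path algorithm: highest weight, highest local
    preference, shortest AS_PATH, then lowest router ID as the tie-breaker (origin,
    MED, eBGP-over-iBGP and IGP metric are left out of this model)."""
    def key(r):
        rid = tuple(int(octet) for octet in r.router_id.split("."))
        return (-r.weight, -r.local_pref, len(r.as_path), rid)
    return min(candidates, key=key)


def egress_next_hop(r1_local_pref, r2_local_pref):
    """One destination learned by R1 from AS 1 and by R2 from AS 2, each tagged by
    its SETLOCAL route map, then compared across the iBGP session between them."""
    via_as1 = Route("203.0.113.0/24", (1, 3), "172.16.10.1", router_id="172.16.21.1")
    via_as2 = Route("203.0.113.0/24", (2, 3), "172.16.11.1", router_id="172.16.21.254")
    candidates = [route_map_setlocal(via_as1, r1_local_pref),
                  route_map_setlocal(via_as2, r2_local_pref)]
    return best_path(candidates).next_hop


def site_advertisements():
    """AS_PATH each ISP receives for the site's prefixes. R1 applies filter-list 10
    and route-map AddASnumbers; R2 applies filter-list 10 only. The 203.0.113.0/24
    route learned from AS 2 sits in the same table and must not leak to AS 1."""
    table = [Route("172.16.10.0/24", (), "0.0.0.0"),
             Route("172.16.20.0/24", (), "0.0.0.0"),
             Route("203.0.113.0/24", (2, 3), "172.16.11.1", local_pref=150)]
    permitted = [r for r in table if filter_list(r, "^$")]
    to_as1 = {r.prefix: export_ebgp(route_map_prepend(r, 100, 100), 100).as_path_str()
              for r in permitted}
    to_as2 = {r.prefix: export_ebgp(r, 100).as_path_str() for r in permitted}
    return {"AS1": to_as1, "AS2": to_as2}


def remote_ingress_choice(isp1_local_pref=100, isp2_local_pref=100):
    """A distant AS 3 hearing 172.16.10.0/24 from both ISPs picks the shorter
    AS_PATH unless its own local preference has already decided; returns the
    neighbor AS it will send traffic through."""
    via_as1 = Route("172.16.10.0/24", (1, 100, 100, 100), "isp1",
                    local_pref=isp1_local_pref, router_id="1.1.1.1")
    via_as2 = Route("172.16.10.0/24", (2, 100), "isp2",
                    local_pref=isp2_local_pref, router_id="2.2.2.2")
    return best_path([via_as1, via_as2]).as_path[0]


if __name__ == "__main__":
    print("egress next hop (R1=200, R2=150):", egress_next_hop(200, 150))
    print("egress next hop with the values reversed:", egress_next_hop(150, 200))
    print("advertised AS_PATHs:", site_advertisements())
    print("AS 3 enters via AS", remote_ingress_choice())
    print("AS 3 enters via AS", remote_ingress_choice(isp1_local_pref=200), "when its ISP pins local preference")
```

Running it shows that the local-preference values decide egress only in the direction the higher value points (swap them and egress moves to R2), that nothing learned from AS 2 passes the ^$ filter toward AS 1, and that a remote AS sees 100 100 100 through AS 1 against 100 through AS 2 and therefore enters through R2 unless its provider has pinned a local preference of its own.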

Security Considerations

Security is a necessity in all network architectures today, regardless of your Internet connectivity. You must ensure that the network architecture and the network devices are securely provisioned and managed.

Internet Edge security is discussed in “Internet Edge Security Design Principles” and “Internet Edge Security Implementation.” This section provides a brief summary from that guide of the security functions supported within Internet Edge designs. These functions include:

• Element Security – The secure configuration and management of the devices that collectively define the Internet Edge.

• Identity Services – The inspection of IP traffic across the Internet Edge requires the ability to identify the communicating endpoints. Although this can be accomplished with explicit user/host session authentication mechanisms, usually IP identity across the Internet Edge is based on header information carried within the IP packet itself. Therefore, IP addressing schemas, address translation mechanisms, and application definition (IP protocol/port identity) play key roles in identity services.

• IP Anti-Spoofing – This includes support for RFC 2827 (BCP 38), which calls for filtering on source address so that packets leaving the enterprise carry only source addresses from its assigned public address space and packets arriving from the Internet never claim a source inside that space, and for filtering of the RFC 1918 private address ranges, which may be used inside the enterprise but must never appear as source or destination addresses on the Internet link.


• Demilitarized Zones (DMZ) – A basic security policy for enterprise networks is that internal network hosts must not be directly accessible from hosts on the Internet (as opposed to replies from Internet hosts to internally initiated sessions, which are statefully permitted). For those hosts, such as web servers, mail servers, VPN devices, etc., that must be directly accessible from the Internet, it is necessary to establish quasi-trusted network areas between, or adjacent to both, the Internet and the internal enterprise network. Such DMZs allow internal hosts and Internet hosts to communicate with DMZ hosts, while the separate security policies between each area prevent communication originating from Internet hosts from reaching internal hosts directly.

• Basic Filtering and Application Definition – Derived from enterprise security policies, implement ACLs to provide explicitly permitted and/or denied IP traffic that may traverse between areas (Inside, Outside, DMZ, etc.) defined to exist within the Internet Edge.

• Stateful Inspection – Provides the ability to establish and monitor session states of traffic permitted to flow across the Internet Edge, and deny that traffic which fails to match the expected state of an existing or allowed session.

• Intrusion Detection – The ability to promiscuously monitor network traffic across a discrete point within the Internet Edge, and alarm and/or take action upon detecting suspect behavior that may threaten the enterprise network.

Please refer to the above-mentioned chapters for detailed insight into security parameters and the measures taken within Internet edge topologies.
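The IP anti-spoofing item in the list above can be made concrete. The following Python is an added example, not code from this guide or the referenced Internet Edge security documents: it encodes the RFC 2827 ingress and egress rules and the RFC 1918 filter as checks on a few constructed flow records, and generates the equivalent IOS extended access lists. The guide's figure numbers the site out of 172.16.0.0/12, which is itself RFC 1918 space, so the documentation prefix 192.0.2.0/24 is assumed here as the site's public allocation; the flow records are constructed.

```python
"""RFC 2827 / RFC 1918 anti-spoofing checks for an Internet edge.
Constructed example; SITE_PREFIXES and SAMPLE_FLOWS are assumptions."""
import ipaddress

# Assumed public allocation of the site (documentation prefix, RFC 5737).
SITE_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

# RFC 1918 private ranges: usable inside the enterprise, never valid on the Internet link.
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def outbound_allowed(src):
    """Egress side of RFC 2827: a packet leaving the site must carry a source address
    from the site's own assigned space, so a compromised internal host cannot send
    spoofed-source traffic (for example toward a reflector) through this edge."""
    return _in_any(ipaddress.ip_address(src), SITE_PREFIXES)


def inbound_allowed(src):
    """Ingress side at the outside interface: a packet from the Internet cannot
    legitimately claim a source inside the site's own prefixes (classic spoofing of
    'trusted' internal addresses) or inside RFC 1918 space."""
    addr = ipaddress.ip_address(src)
    return not _in_any(addr, SITE_PREFIXES) and not _in_any(addr, RFC1918)


def ingress_acl(number=101):
    """Equivalent IOS extended ACL for 'ip access-group 101 in' on the outside
    interface. IOS wildcard masks are the inverse of the netmask, which the
    ipaddress module exposes as hostmask."""
    lines = [f"access-list {number} deny ip {net.network_address} {net.hostmask} any"
             for net in SITE_PREFIXES + RFC1918]
    lines.append(f"access-list {number} permit ip any any")
    return lines


def egress_acl(number=102):
    """Equivalent IOS extended ACL for 'ip access-group 102 out' on the outside
    interface: permit only the site's own source addresses."""
    lines = [f"access-list {number} permit ip {net.network_address} {net.hostmask} any"
             for net in SITE_PREFIXES]
    lines.append(f"access-list {number} deny ip any any")
    return lines


# Constructed flow records: (direction at the outside interface, source, destination).
SAMPLE_FLOWS = [
    ("in", "198.51.100.7", "192.0.2.10"),    # ordinary Internet client
    ("in", "192.0.2.10", "192.0.2.20"),      # spoofed: claims to be an inside host
    ("in", "10.1.1.1", "192.0.2.10"),        # spoofed: RFC 1918 source from the Internet
    ("out", "192.0.2.10", "198.51.100.7"),   # legitimate egress
    ("out", "203.0.113.9", "198.51.100.7"),  # spoofed egress from a compromised host
]


def evaluate(flows=SAMPLE_FLOWS):
    """Return (direction, source, 'permit' or 'deny') for each flow record."""
    verdicts = []
    for direction, src, _dst in flows:
        ok = inbound_allowed(src) if direction == "in" else outbound_allowed(src)
        verdicts.append((direction, src, "permit" if ok else "deny"))
    return verdicts


if __name__ == "__main__":
    for verdict in evaluate():
        print(*verdict)
    print("\n".join(ingress_acl() + egress_acl()))
```

The two generated access lists are the form in which these rules are usually deployed on the border routers; the inbound list drops the spoofed sources before any stateful device sees them, and the outbound list is what keeps the site from being the origin of spoofed traffic.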


Index

A

American Registry for Internet Numbers 6

ARIN 6

AS paths 4

B

BPDU guard 2

BGP 11

BGP Attributes 11

border routers 8

BPDU 2

bridge protocol data unit 2

broadcast suppression 2

C

controlling inbound routes 13

controlling outbound routes 12

D

DMZ 15

DNS resolution 7

dynamic routing protocol metric tuning 3

E

Edge Routing 4

EGP 4

EIGRP 3, 8

Exterior Gateway Protocol 4

F

Firewall Layer 9

H

hot standby router protocol 3

HSRP 3

I

interautonomous system routing 5

Internal Routing 4

Internet Edge Design Fundamentals 7

Internet Edge Design Recommendations 7

intra-autonomous system routing 5

IPv4 9

L

Layer 2 Switching Layer 9

Layer 3 Switching Layer 9

N

NAT 9

O

OSPF 3, 8

P

pass-through autonomous system routing 5


Port fast 2

Q

QoS 3

R

redundancy 1

rootguard 2

U

UDLD 2

unidirectional link detection 2

uplinkfast 2

V

VIP 7

virtual IP Address 7
