Putting It All Together
Problem
You want to combine all of best the elements in this chapter to create a good redundant ISP connection.
Solution
For simplicity, we will extend the single router dual ISP configuration of Recipe 9.4 rather than the dual router dual ISP example of Recipe 9.5. It should be clear from the discussion in Recipe 9.5 how to extend this example to the two-router case:
Router1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router1(config)#interface Serial0 Router1(config-if)#description connection to ISP #1, ASN 65510 Router1(config-if)#ip address 192.168.1.6 255.255.255.252 Router1(config-if)#exit Router1(config)#interface Serial1 Router1(config-if)#description connection to ISP #2, ASN 65520 Router1(config-if)#ip address 192.168.2.6 255.255.255.252 Router1(config-if)#exit Router1(config)#interface Ethernet0 Router1(config-if)#description connection to internal network, ASN 65500 Router1(config-if)#ip address 172.18.5.2 255.255.255.0 Router1(config-if)#exit Router1(config)#ip as-path access-list 15 permit ^$ Router1(config)#ip route 0.0.0.0 0.0.0.0 192.168.101.0 1 Router1(config)#ip route 0.0.0.0 0.0.0.0 192.168.102.0 2 Router1(config)#ip prefix-list CREATE-DEFAULT seq 10 permit 192.168.101.0/24 Router1(config)#ip prefix-list CREATE-DEFAULT seq 20 permit 192.168.102.0/24 Router1(config)#ip prefix-list BLOCK-DEFAULT seq 10 permit 0.0.0.0/0 ge 1 Router1(config)#route-map PREPEND permit 10 Router1(config-route-map)#set as-path prepend 65500 65500 Router1(config-route-map)#exit Router1(config)#route-map LOCALPREF permit 10 Router1(config-route-map)#set local-preference 75 Router1(config-route-map)#exit Router1(config)#route-map DEFAULT-ROUTE permit 10 Router1(config-route-map)#match ip address prefix-list CREATE-DEFAULT Router1(config-route-map)#exit Router1(config)#router bgp 65500 Router1(config-router)#network 172.18.5.0 mask 255.255.255.0 Router1(config-router)#neighbor 172.18.5.3 remote-as 65500 Router1(config-router)#neighbor 172.18.5.3 password password_number1 Router1(config-router)#neighbor 172.18.5.3 default-origniate route-map DEFAULT-ROUTE Router1(config-router)#neighbor 192.168.1.5 remote-as 65510 Router1(config-router)#neighbor 192.168.1.5 password password_number2 Router1(config-router)#neighbor 192.168.1.5 filter-list 15 out Router1(config-router)#neighbor 192.168.1.5 prefix-list CREATE-DEFAULT in Router1(config-router)#neighbor 192.168.1.5 prefix-list BLOCK-DEFAULT out Router1(config-router)#neighbor 192.168.2.5 remote-as 65520 Router1(config-router)#neighbor 192.168.2.5 password password_number3 Router1(config-router)#neighbor 192.168.2.5 filter-list 15 out Router1(config-router)#neighbor 192.168.2.5 prefix-list CREATE-DEFAULT in Router1(config-router)#neighbor 192.168.2.5 prefix-list BLOCK-DEFAULT out Router1(config-router)#neighbor 192.168.2.5 route-map PREPEND out Router1(config-router)#neighbor 192.168.2.5 route-map LOCALPREF in Router1(config-router)#no synchronization Router1(config-router)#exit Router1(config)#end Router1#
Discussion
In this recipe, we put together several of the concepts discussed throughout the chapter. This router has three BGP peers, two of which are ISPs, and the other is an internal BGP router.
We have disabled synchronization. We aren't using an IGP on this router, so synchronization doesn't serve any purpose. We have used a network statement that covers only part of a classful network:
Router1(config)#router bgp 65500 Router1(config-router)#network 172.18.5.0 mask 255.255.255.0 Router1(config-router)#no synchronization
All of the peer relationships, including the internal peer, use MD5 authentication, which we have configured by using the neighbor password command, as discussed in Recipe 9.16:
Router1(config)#router bgp 65500 Router1(config-router)#neighbor 172.18.5.3 password password_number1 Router1(config-router)#neighbor 192.168.1.5 password password_number2 Router1(config-router)#neighbor 192.168.2.5 password password_number3
Note that we have configured different passwords on each peer, and each password is between 12 and 24 characters long, as we discussed in Recipe 9.16.
We have configured an AS Path filter to each of the ISP peers to prevent them from using our network for transit purposes:
Router1(config)#router bgp 65500 Router1(config)#ip as-path access-list 15 permit ^$ Router1(config-router)#neighbor 192.168.1.5 filter-list 15 out Router1(config-router)#neighbor 192.168.2.5 filter-list 15 out
We have followed Recipe 9.11 to replace the entire Internet routing table with a default route. This router then passes its default route along to the internal BGP router, which forces us to be careful that we don't distribute the default back to the ISP routers:
Router1(config)#ip route 0.0.0.0 0.0.0.0 192.168.101.0 1 Router1(config)#ip route 0.0.0.0 0.0.0.0 192.168.102.0 2 Router1(config)#ip prefix-list CREATE-DEFAULT seq 10 permit 192.168.101.0/24 Router1(config)#ip prefix-list CREATE-DEFAULT seq 20 permit 192.168.102.0/24 Router1(config)#ip prefix-list BLOCK-DEFAULT permit 0.0.0.0/0 ge 1 Router1(config)#route-map DEFAULT-ROUTE permit 10 Router1(config-route-map)#match ip address prefix-list CREATE-DEFAULT Router1(config-route-map)#exit Router1(config)#router bgp 65500 Router1(config-router)#neighbor 172.18.5.3 remote-as 65500 Router1(config-router)#neighbor 172.18.5.3 default-origniate route-map DEFAULT-ROUTE Router1(config-router)#neighbor 192.168.1.5 remote-as 65510 Router1(config-router)#neighbor 192.168.1.5 prefix-list CREATE-DEFAULT in Router1(config-router)#neighbor 192.168.1.5 prefix-list BLOCK-DEFAULT out Router1(config-router)#neighbor 192.168.2.5 remote-as 65520 Router1(config-router)#neighbor 192.168.2.5 prefix-list CREATE-DEFAULT in Router1(config-router)#neighbor 192.168.2.5 prefix-list BLOCK-DEFAULT out
Next, we have used Recipe 9.7 to make ISP #2 less attractive for outbound traffic. This may be because this ISP has higher usage charges, or perhaps it is a lower bandwidth connection. Using Local Preference for this ensures that all of the BGP routers inside the AS can share this information about the best outbound path:
Router1(config)#route-map LOCALPREF permit 10 Router1(config-route-map)#set local-preference 75 Router1(config-route-map)#exit Router1(config)#router bgp 65500 Router1(config-router)#neighbor 192.168.2.5 route-map LOCALPREF in
And, finally, we have followed Recipe 9.13 to make sure that inbound traffic from the public Internet also uses the link through ISP #1 preferentially:
Router1(config)#route-map PREPEND permit 10 Router1(config-route-map)#set as-path prepend 65500 65500 Router1(config-route-map)#exit Router1(config)#router bgp 65500 Router1(config-router)#neighbor 192.168.2.5 route-map PREPEND out
You should feel free to mix and match these types of configuration elements to make your configuration match your requirements.
Many backbone ISPs have looking glass servers that allow you to see how your BGP routes look several hops away from your network. These are generally web pages that allow you to submit show BGP type queries for specific routes. You can find a list of looking glass servers around the world on http://www.traceroute.org. This site also lists a large number of traceroute servers, which will allow you to test which paths inbound connections will use to reach your network.
See Also
Recipe 9.4; Recipe 9.5; Recipe 9.7; Recipe 9.11; Recipe 9.13; Recipe 9.16