BGP Routing Return path

Hi All,

Firstly, thanks for taking the time to read this; I hope you can help!

I have drawn my network topology and would like to know what would be the best way to change the routing so that traffic uses the return path to PE1 instead of PE2?

The easiest way to influence inbound traffic is by advertising the more specific prefixes out PE1 router. You then advertise a summary route out PE2 router to provide redundancy.
There are also two BGP attributes to influence inbound traffic, AS_Path and MED.
AS_Path prepending means making the path to our local prefix less desirable compared to the other.
You accomplish the same with MED by setting a higher MED out one router.

Hello Stamati

Let’s simplify the problem. The fundamental issue is what BGP parameters can you use to influence the traffic between two BGP ASes that have two eBGP peerings between them so that outgoing traffic goes through PE2 and incoming traffic goes through PE1.

From the point of view of BGP ASN 65000, it’s easy to make sure that outgoing traffic will only go through PE2. You can use Local Preference which can specifically indicate via which eBGP router you want your traffic to exit your AS.

For incoming traffic, as @lugg15 has mentioned, you can use either AS_Path Prepending or MED. But there is a catch here. You can only influence incoming traffic, but you don’t have ultimate control over it. Only the administrator of the neighboring AS (which at the edge of your network is usually the ISP) has ultimate control. They can override any of your MED or path prepending attempts. For this reason, it is always best to talk to your ISP, let them know what you want to achieve, and have them work with you to achieve it.

Another note here is that the incoming traffic being influenced is only for inbound traffic to particular IPs that are advertised to the Internet via BGP. For regular Internet traffic that an internal host may generate, such as web browsing, for example, returning traffic will always come back in via the same “pipe” through which it reached the Internet in the first place. But in order to further refine this, we’d need some more info about your topology and how you connect to the ISP.

I hope this has been helpful!

Laz
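As an added illustration (not part of this thread and not any vendor's implementation), here is a small Python model of the first three BGP tie-breakers (LOCAL_PREF, AS_PATH length, MED) applied to the two-link scenario discussed above: prepending or a higher MED from PE2 steers the ISP toward PE1, LOCAL_PREF steers outbound traffic, and a LOCAL_PREF set by the ISP overrides both inbound tricks. AS numbers, peer names and MED values are constructed.

```python
from dataclasses import dataclass

@dataclass
class Path:
    via: str                # eBGP neighbour the path was learned from
    as_path: list           # AS_PATH as received (leftmost = neighbour AS)
    local_pref: int = 100   # LOCAL_PREF, set by the receiving AS's own policy
    med: int = 0            # MED as sent by the neighbour

def best_path(paths):
    """Pick the best path: highest LOCAL_PREF, then shortest AS_PATH, then lowest MED."""
    cands = list(paths)
    top = max(p.local_pref for p in cands)            # step 1: LOCAL_PREF
    cands = [p for p in cands if p.local_pref == top]
    short = min(len(p.as_path) for p in cands)        # step 2: AS_PATH length
    cands = [p for p in cands if len(p.as_path) == short]
    if len({p.as_path[0] for p in cands}) == 1:       # step 3: MED, same neighbour AS only
        low = min(p.med for p in cands)
        cands = [p for p in cands if p.med == low]
    return cands[0]  # later tie-breakers (eBGP>iBGP, IGP cost, router-id) not modelled

def prepend(path, asn, times):
    """Copy of path with its own ASN prepended `times` extra times (what PE2 would send)."""
    return Path(path.via, [asn] * times + path.as_path, path.local_pref, path.med)

# Constructed scenario: customer AS 65000 reaches ISP AS 64512 via PE1 and PE2.
CUST, ISP = 65000, 64512

def inbound_via_prepend():
    """ISP's view when PE2 prepends twice: return traffic chooses PE1."""
    isp_view = [Path("PE1", [CUST]), prepend(Path("PE2", [CUST]), CUST, 2)]
    return best_path(isp_view).via

def inbound_via_med():
    """ISP's view when PE2 sends a higher MED: PE1 wins (if the ISP honours MED)."""
    isp_view = [Path("PE1", [CUST], med=10), Path("PE2", [CUST], med=50)]
    return best_path(isp_view).via

def isp_overrides_prepend():
    """The ISP sets LOCAL_PREF 200 on the PE2 session: prepending no longer matters."""
    isp_view = [Path("PE1", [CUST]), prepend(Path("PE2", [CUST], local_pref=200), CUST, 2)]
    return best_path(isp_view).via

def outbound_via_local_pref():
    """Inside AS 65000, LOCAL_PREF on routes from PE2 beats a shorter AS_PATH via PE1."""
    cust_view = [Path("PE1", [ISP, 64513]), Path("PE2", [ISP, 64520, 64513], local_pref=200)]
    return best_path(cust_view).via
```

The `isp_overrides_prepend` case is the catch Laz describes: whoever runs the neighbouring AS applies LOCAL_PREF before AS_PATH or MED are ever compared.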

Hi,

Thank you for your replies. May I point out that the customer does not have any BGP configuration; the only client devices in the diagram are the FWs, which use 100.1.1.1 as the gateway, with HSRP configured on the adjacent ISP devices. The ISP is then redistributing the customer’s IP range into BGP using connected and static.

Would changing the MED therefore still work? I would assume this would be easiest done by increasing the MED on CORE 2?

Hello Stamati

Thanks for the update! So, we assume that the FWs are customer devices while the rest belong to the ISP. So from the enterprise’s perspective, they can only manipulate routing up to the FW. Everything beyond the FWs is the ISP’s responsibility.

We have to distinguish here between two types of traffic. The first is regular internal hosts accessing services on the internet such as web, email etc… The second is users on the internet attempting to connect to internal servers (such as web servers) via the BGP-advertised addresses.

In the first case, for internal hosts accessing the internet, from the enterprise’s point of view, BGP is not involved at all. For your specific topology, you can direct all such traffic to FW1 out to SW1, but you have no control over return traffic. Return traffic, by default, will enter the network from the exit point. Indeed in this case, since from the switches onward the network belongs to the ISP, only the ISP can provide any configuration that will manipulate the path traffic will take. If you want such traffic to follow the incoming and outgoing pattern indicated on your diagram, you must speak with the ISP.

In the second case, you can direct traffic to function as you describe, but it is the ISP’s responsibility to do so. They can advertise your public IP addresses such that there is a higher metric on Core 2 using MED, as you mention. Core 2 will advertise a higher MED to the downstream AS. If that belongs to the ISP, then they can guarantee this behavior. If it doesn’t, they, in turn, must negotiate with their partners to ensure this kind of routing.

In general, it’s not a good idea to separate such traffic like this for two reasons:

  1. This could affect the synchronization of services such as VoIP, or videoconferencing since such routing can introduce delay in one or both directions.
  2. You are essentially limiting traffic to operate in half-duplex for each connection, thus underutilizing network bandwidth. Full-duplex communication would make better use of bandwidth in both directions on both links.

There may be situations in which you would require this, but I can’t think of one off the top of my head. Can you share with us the reasoning behind configuring such a topology? What do you want to ultimately achieve, or is the question simply academic?

I hope this has been helpful!

Laz