Single/Dual Homed and Multi-homed Designs

Hello Tom

Weight is an attribute that is local to each individual router. There is nothing that prevents you from using weight on both R3 and R4 to direct traffic to the ISP of your choice.

For your new topology now, remember, you have full control of your outbound traffic. Just like you did with your topology with a single router on the company network, you simply configure the same thing on each of the R3 and R4 routers. Set up the prefixes you want to send via ISP1 and those you want to send via ISP2.

Now in order to configure R3 as your primary router and R4 as the backup router for your traffic, you can do this in multiple ways. These include:

  1. Configure HSRP, VRRP, or GLBP which are gateway redundancy protocols, on the enterprise-network-facing interfaces of the routers and make R3 the primary gateway and R4 the secondary/backup.
  2. Configure routing (either IGP or iBGP) between the edge routers and internal routers on the enterprise network to route traffic via R3, and have backup routes go via R4.
  3. You can even configure load balancing/sharing using GLBP, or equal cost load balancing of a routing protocol to send traffic to both R3 and R4, taking advantage of the bandwidth available for both devices to each ISP.

A couple of notes:

  • If internal traffic is sent primarily to R3 using one of the above methods, then BGP routing in R3 will take care of where to send such outbound traffic, ISP1 or ISP2, depending on the destination. The same goes for traffic to R4.
  • The benefit that iBGP between R3 and R4 will provide is if the physical link between R3 and R2 fails, for example, then traffic that hits R3 that should be routed via ISP1, will be sent to R4, and then to ISP1. In case of such a failure, it may take BGP some minutes to reconverge, so you may need to set up BGP Additional Paths in order to allow for R3 to have the additional path added via R3 using iBGP.

I hope this has been helpful!

Laz
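The per-prefix, weight-based outbound selection described above, written out as an added example for R3 (this is not configuration from the original post or from Laz). The addressing, AS numbers and the two destination sets are assumptions: enterprise AS 65000 announcing 203.0.113.0/24, ISP1 peer 198.51.100.1 in AS 65001, ISP2 peer 198.51.100.5 in AS 65002, with 192.0.2.0/25 standing in for the destinations that should leave via ISP1 and 192.0.2.128/25 for those that should leave via ISP2. The iBGP session to R4 is left out here.

```cisco
! R3 - added example, not the original post's configuration.
! Assumed: AS 65000 (enterprise), ISP1 = 198.51.100.1 / AS 65001,
! ISP2 = 198.51.100.5 / AS 65002, 203.0.113.0/24 = our public block.
!
! Destination sets (assumed) that should leave via a specific ISP.
ip prefix-list VIA-ISP1 seq 10 permit 192.0.2.0/25
ip prefix-list VIA-ISP2 seq 10 permit 192.0.2.128/25
!
! Weight is the first attribute compared in best-path selection and is
! never sent to any neighbor, so these route-maps only affect R3's own
! choice. Higher weight wins. Sequence 30 (no match) catches everything
! else, including the default route, and prefers ISP1 for it.
route-map FROM-ISP1 permit 10
 match ip address prefix-list VIA-ISP1
 set weight 300
route-map FROM-ISP1 permit 20
 match ip address prefix-list VIA-ISP2
 set weight 100
route-map FROM-ISP1 permit 30
 set weight 200
!
route-map FROM-ISP2 permit 10
 match ip address prefix-list VIA-ISP2
 set weight 300
route-map FROM-ISP2 permit 20
 match ip address prefix-list VIA-ISP1
 set weight 100
route-map FROM-ISP2 permit 30
 set weight 150
!
! Only our own block is announced. Anything else (ISP1 routes re-advertised
! to ISP2 and vice versa) is implicitly denied, so R3 never becomes a
! transit path between the two ISPs.
ip prefix-list OUR-BLOCK seq 10 permit 203.0.113.0/24
route-map TO-ISP permit 10
 match ip address prefix-list OUR-BLOCK
!
! The network statement needs the prefix in the routing table.
ip route 203.0.113.0 255.255.255.0 Null0
!
router bgp 65000
 bgp log-neighbor-changes
 network 203.0.113.0 mask 255.255.255.0
 neighbor 198.51.100.1 remote-as 65001
 neighbor 198.51.100.1 description ISP1
 neighbor 198.51.100.1 route-map FROM-ISP1 in
 neighbor 198.51.100.1 route-map TO-ISP out
 neighbor 198.51.100.5 remote-as 65002
 neighbor 198.51.100.5 description ISP2
 neighbor 198.51.100.5 route-map FROM-ISP2 in
 neighbor 198.51.100.5 route-map TO-ISP out
```

Inbound route-maps only apply to updates received after they are configured, so trigger a route refresh with `clear ip bgp 198.51.100.1 soft in` (and the same for ISP2) and confirm with `show ip bgp 192.0.2.128/25`, where the path via 198.51.100.5 should carry weight 300 and be marked best. Because weight is never propagated, R4 needs its own copy of this policy; its weights can be identical or different without affecting R3.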

Lazaros,

Thank you for your reply. I wanted to replicate a real scenario as much as possible.

1st. I did Rene’s configuration, and as per your suggestion of an IGP and loopback IPs, it worked, also with the next-hop-self command.
2nd. Went back to the original configuration and just added the next-hop-self command, and it worked as well.
3rd. What’s a suggested or commonly used configuration in real environments?
3.2 - Use an additional pool of IPs from the ISP “public IPs” to configure iBGP and use the next-hop-self command?
3.3 - Do most companies use an IP from the block that they are announcing to make loopbacks and iBGP peers for the configuration you are suggesting?

I’m trying to do configurations that are as close as possible to real scenarios. At work we have two WAN routers, all internet-connected with public IPs, and further down into the environment firewalls, all with public IPs… Not sure how that’s configured, as access to those is through an NRV “console server” that I don’t have access to for some reason.

Hello Diego

For 1 and 2, glad to hear that those worked out for you.

In general it is best to use a loopback for the source of the BGP peering. This is typically best practice, primarily because it eliminates the possibility of losing a peering due to a downed interface. If you are using BGP on the edge of your network with the ISP, then you must use some public IPs to configure BGP on your devices. If you’re using iBGP, then yes, the next hop self configuration is necessary. Most often, however, you will see eBGP peerings between the enterprise edge and the ISP, so the next hop self doesn’t have any meaning there.

There is no single correct scenario, so sometimes you will see several other arrangements. It depends on the specific requirements and network topologies.

I hope this has been helpful!

Laz
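The loopback-sourced iBGP peering with next-hop-self recommended above, written out as an added example for R3 and R4 (not configuration from the original posts). Assumed: both routers are in AS 65000, their loopbacks are 10.255.0.3 and 10.255.0.4 (private addresses are fine for this internal session, unlike the eBGP links to the ISPs, which need the public addresses), they are connected by 10.0.34.0/30, and OSPF area 0 carries the loopbacks. The eBGP sessions to the ISPs are left out.

```cisco
! R3 - added example, not the original post's configuration.
! Assumed: Lo0 10.255.0.3/32, R3-R4 link 10.0.34.1/30, AS 65000.
interface Loopback0
 ip address 10.255.0.3 255.255.255.255
!
interface GigabitEthernet0/2
 description Link to R4
 ip address 10.0.34.1 255.255.255.252
!
! The IGP only has to carry the loopbacks and the internal links; the
! Internet routes learned over eBGP stay in BGP. As long as any IGP path
! between the two loopbacks survives, the iBGP session survives with it,
! which is the reason for sourcing the session from Loopback0.
router ospf 1
 router-id 10.255.0.3
 passive-interface Loopback0
 network 10.255.0.3 0.0.0.0 area 0
 network 10.0.34.0 0.0.0.3 area 0
!
! eBGP-learned routes keep the ISP's link address as next hop when passed
! over iBGP. next-hop-self rewrites it to 10.255.0.3, which R4 can reach
! through OSPF, so R4 does not need the ISP /30 in its routing table.
router bgp 65000
 neighbor 10.255.0.4 remote-as 65000
 neighbor 10.255.0.4 description iBGP to R4
 neighbor 10.255.0.4 update-source Loopback0
 neighbor 10.255.0.4 next-hop-self
!
! ---------------------------------------------------------------
! R4 - mirror image. Assumed: Lo0 10.255.0.4/32, link 10.0.34.2/30.
interface Loopback0
 ip address 10.255.0.4 255.255.255.255
!
interface GigabitEthernet0/2
 description Link to R3
 ip address 10.0.34.2 255.255.255.252
!
router ospf 1
 router-id 10.255.0.4
 passive-interface Loopback0
 network 10.255.0.4 0.0.0.0 area 0
 network 10.0.34.0 0.0.0.3 area 0
!
router bgp 65000
 neighbor 10.255.0.3 remote-as 65000
 neighbor 10.255.0.3 description iBGP to R3
 neighbor 10.255.0.3 update-source Loopback0
 neighbor 10.255.0.3 next-hop-self
```

Check the session with `show ip bgp summary` (state Established, neighbor shown as the loopback address) and a learned prefix with `show ip bgp`; without next-hop-self the paths R4 receives from R3 show the ISP link address as next hop and, if that /30 is not in R4's routing table, are flagged as inaccessible and never installed. That is the symptom behind Diego's observation that adding next-hop-self alone made the original setup work.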

Hi Laz, I have a question about the following.
Single dual-homed: Assuming we have two CE routers (CE1 and CE2), both connected to their respective ISP1 and ISP2. Now we have bought a public IP for our servers and attached it only to the CE1 router. The question is, how can we set up failover so that if ISP1 fails, traffic goes through ISP2?

Hi,

I have a question about this topology:

  • A company with offices on different sites.
  • Each site has its own eBGP peering with a different ISP.
  • An iBGP peering exists between each office.
  • On each site there is a web farm with servers with public IPs.

Is it possible to configure the same VLAN on the access switches between sites, with public IPs, to permit moving a server to a different web farm?

Thanks.

Hello Giovanni

I’ve created the following diagram to help us out:

So you’re saying that the server farms at each site are on the same subnet, correct? Well, there are indeed several ways you can achieve this. Since the two remote offices have iBGP peerings between the routers, this means that they have some sort of WAN between them, that is independent of the ISPs themselves. Without knowing more about the type of WAN, here are a few thoughts:

  1. Create a L2 connection between the two sites, and span the server VLAN across the link, allowing the servers to be in the same VLAN. You could then advertise this subnet out of one or the other or both R1 routers to the Internet. This would require some changes in the WAN and internal topology of the network.
  2. If the WAN only functions at layer 3, then use a tunneling protocol such as L2TPv3 to tunnel layer 2 over a layer 3 link. This would allow the server farm VLAN to span the two sites. You could then advertise the subnet out of the two ISPs as you see fit.
  3. The use of Cisco’s Overlay Transport Virtualization (OTV) technology will allow you to have the same subnet at remote locations, while still maintaining the benefit of having dual redundant ISP connections that can be leveraged by both sites. This is done by allowing R1 and R2 to use first hop redundancy protocols such as HSRP and VRRP across the WAN. You can find out more about this at the following post:

Now notice that all of the options simply speak about the necessary topology to allow for the spanning of the VLAN across the WAN. The mechanism of then advertising these prefixes to both ISPs is the same in all cases. All that is necessary is to make that VLAN/subnet accessible on some interface on both R1 and R2, so that it can then be advertised however you see fit to the ISPs using eBGP peerings.

I hope this has been helpful!

Laz
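Option 2 above, a layer-2 pseudowire over a layer-3 WAN, as an added configuration example (not from the original post). Assumed: R1 at site A and R2 at site B are in AS 65000, their WAN-facing loopbacks 10.255.0.1 and 10.255.0.2 are reachable across the WAN, the server farm VLAN is VLAN 100 arriving tagged on Gi0/1 of each router, the shared server subnet is 203.0.113.0/25, and each router also has a routed port in that VLAN so the subnet is connected on it and can be advertised to its ISP (ISP1 peer 198.51.100.1, AS 65001, at site A).

```cisco
! R1 (site A) - added example, not the original post's configuration.
! Assumed: Lo0 10.255.0.1 (R2 has 10.255.0.2) routed across the WAN,
! server VLAN 100 tagged on Gi0/1, ISP1 peer 198.51.100.1 / AS 65001.
pseudowire-class PW-L2TPV3
 encapsulation l2tpv3
 ip local interface Loopback0
!
! VLAN 100 frames from the access switch are tunneled unchanged to R2.
! The VC ID (100) has to match on both ends. This subinterface is an
! attachment circuit only; R1 does not route it.
interface GigabitEthernet0/1
 description Trunk from access switch
 no ip address
!
interface GigabitEthernet0/1.100
 encapsulation dot1Q 100
 xconnect 10.255.0.2 100 encapsulation l2tpv3 pw-class PW-L2TPV3
!
! A separate routed port is patched into the same VLAN on the switch, so
! 203.0.113.0/25 is a connected route on R1 and the network statement
! below can pick it up. R2 uses 203.0.113.2 at site B; the two gateways
! need an FHRP (HSRP/VRRP) or per-site gateway addressing, not shown.
interface GigabitEthernet0/2
 description Gateway for server farm 203.0.113.0/25
 ip address 203.0.113.1 255.255.255.128
!
router bgp 65000
 bgp log-neighbor-changes
 network 203.0.113.0 mask 255.255.255.128
 neighbor 198.51.100.1 remote-as 65001
 neighbor 198.51.100.1 description ISP1
!
! R2 (site B) mirrors this: xconnect 10.255.0.1 100 ... on its VLAN 100
! subinterface, 203.0.113.2/25 on its routed port, and the same network
! statement towards ISP2, so the /25 is announced from both sites.
```

Verify the pseudowire with `show xconnect all` (state UP on both attachment circuit and segment) and `show l2tun session all`. Two practical caveats: the WAN path has to carry the frame plus the outer IP and L2TPv3 headers, so either raise the WAN MTU or lower the server MTU, and spanning the VLAN also spans its broadcast domain and spanning tree across the WAN, which is the bandwidth cost the OTV option above is designed to avoid.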

Hello Dakshinamurthy

Based on your description, we’re looking at something like this:

Now the first thing I’d say is in such a situation, you wouldn’t have the servers connected just to CE1 but you would find a way to have them connect to both CE1 and CE2 either via internal routing or using some first hop redundancy protocol like HSRP or VRRP.

However, if you want to maintain only a single physical connection from the servers to CE1, then you would at least have a connection between the two CE routers since they are on the same enterprise network. This way, both CE1 and CE2 will learn of the subnet of the servers, and can then be advertised to both ISP1 and ISP2.

Otherwise, if CE1 and CE2 are disconnected from each other, then we don’t have a multihomed network as you suggest but two separate enterprise networks each connected to a single ISP. The multihoming component of such an arrangement is nullified.

There are multiple ways to affect incoming traffic on a BGP enabled edge network with multiple ISPs. You can find out more about these possibilities at the following post:

I hope this has been helpful!

Laz

Thanks, maybe VXLAN can be another solution?

What is the difference between vxlan and OTV?

Hi Laz,

Thanks for the reply. I read the post you shared, and in it it says “assuming you are running EBGP between your equipment and each ISP’s equipment”. Here you are saying we are running eBGP between CE1 and CE2 and also an eBGP peering between CE1-ISP1 and CE2-ISP2, right?

And lets assume we are manipulating our outbound traffic from CE1 and CE2 with routing policies. What kind of attributes can we use to manipulate outbound traffic ? Local preference ? And you mentioned that there are 4 ways to influence incoming traffic. If we want to change either MED value or AS-Path prepending for example in this case, it has to be done from ISP side towards CE ?

Can you provide any examples of influencing inbound and outbound traffic with this topology?

Hello Giovanni

VXLAN would also be a solution in this case, absolutely. You could tunnel your Layer 2 topology over the Layer 3 underlay network and get the same result. If you have a large enough network, it would definitely be more elegant than L2TPv3.

OTV differs from VXLANs in purpose. VXLANs allow you to extend your Layer 2 topology, essentially your VLANs, by tunnelling them over a Layer 3 network. This adds flexibility, ease of deployment, as well as a much larger number of manageable VLANs, which is especially useful for ISPs and datacenter providers.

OTV on the other hand is used to allow for the spanning of Layer 2 topologies across disparate and remote datacenters while at the same time, preventing the waste of precious bandwidth across the WAN, something that VXLANs are not designed to do.

This is a very simplistic view of OTV however, as it is much more involved than this, but for the purposes of this discussion, these are the primary differences, as far as this specific application is concerned.

More info about OTV can be found at this Cisco Documentation.

I hope this has been helpful!

Laz

Hello Dakshinamurthy

Yes, let me clarify. My meaning is that we are assuming that we are creating some sort of peering between the CE and ISP routers. Now this can be eBGP, it may also be iBGP, it depends on the arrangement you have with your ISPs. In any case, internal CE routers will most often have an iBGP peering, but also will be routable via their IGP internal to the enterprise network.

Because inbound traffic is essentially sent to you, you do not have the ultimate control of how traffic enters your AS. Your ISPs may have outbound policies that will always override all of your attempts to influence inbound traffic. However, you do have the option of influencing inbound traffic. There are several ways to do this including:

  • Leaking more specific routes - BGP will prefer more specific routes than summarizations, but some ISPs may consider this to be a “hostile” act, as it causes BGP tables to increase in size.
  • Using the MED attribute
  • AS PATH prepending
  • Community/local pref agreement

All of the above are implemented on the customer side of the connection, because this is the side that you have control over. Remember however, that the ISP has the final word for inbound traffic. For this reason, make sure to discuss your requirements with the ISP before actually implementing any of these. ISPs will usually be more than happy to accommodate your needs, and will provide you with suggested solutions to what you need. To find out more about examples or implementations of these, click on the links in the above list to see the associated lessons.

I hope this has been helpful!

Laz

Many thanks for the detailed explanation. One question remains unanswered. What kind of attributes can we choose to manipulate outbound traffic? Local preference? Or anything else?

Hello Dakshinamurthy

Outgoing traffic is what you have complete control over, so you can use any of the attributes that can directly be manipulated. The most commonly used, and easiest to deploy are weight and local preference. Because these are the first to be examined when selecting a BGP path, any changes to these will take precedence over any other attributes that may affect routing.

I hope this has been helpful!

Laz

Thank you Laz for the clear reply.

Multihomed network
Hi, I have uploaded a multihomed network diagram with multiple routers involving two different ISPs. I am trying to achieve load sharing here. However, my requirements are as below.

AS 100 accepts the local routes from both providers, along with a default for the rest of the Internet routes.

The outbound traffic policy is:
  1. Traffic that is destined to AS 300 goes through the R1-ISP(A) link.
  2. Traffic that is destined to AS 400 goes through the R2-ISP(B) link.
  3. All other traffic should prefer the default route 0.0.0.0 through the R1-ISP(A) link.
  4. If the R1-ISP(A) link fails, all traffic should go through the R2-ISP(B) link.

The inbound traffic policy is:
  1. Traffic that is destined for network 10.10.10.0/24 from the Internet should come via the ISP(A)-R1 link.
  2. Traffic that is destined for network 10.10.20.0/24 from the Internet should come via the ISP(B)-R2 link.
  3. If one ISP fails, the other ISP should route traffic back to AS 100 from the Internet for all the networks.

Please note the above is taken from the Cisco website. They have given configurations for the same, but I could not get the whole of it. Could you please explain how we can achieve the requirements mentioned above?

Hello Dakshinamurthy

Remember that you have full control over traffic that is sent from your AS to other AS’es. You don’t have ultimate control over incoming traffic, however, you can influence it in various ways. For influencing incoming traffic, take a look at this post:

If you do want to adjust incoming traffic, before you inject any BGP attributes into your ISP’s AS’es, have a chat with them and tell them what you want to do. They are often very accommodating in such cases.

Now specifically, for your outbound traffic policy, numbers 1 and 2 will happen automatically simply because of BGP routing. Number 3 can be configured most simply by adjusting the Weight Attribute. You can also adjust other attributes to achieve this. For a link failure (number 4) BGP will (eventually) reconverge, but you may want to use Next Hop Tracking and Additional Paths BGP features to speed up convergence.

For inbound, as mentioned before, talk first with your ISPs. It may be that they will do all the routing for you. They may ask you to configure some things on your end as well. The attributes involved in this are those described in the shared post above.

I hope this has been helpful!

Laz
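The policy quoted in the question above, together with the inbound levers listed in the earlier reply (more specifics, MED, AS-path prepending, communities), written out as one added example. This is not the Cisco document's configuration and not from the posts. Assumed: ISP(A) is AS 300 and ISP(B) is AS 400, which is what makes outbound items 1 and 2 automatic, because each provider's local routes only arrive on one of the two routers; the R1-ISP(A) link is 198.51.100.0/30 and the R2-ISP(B) link 198.51.100.4/30; R1 and R2 peer over loopbacks 10.255.0.1 and 10.255.0.2 (IGP reachability assumed); and 10.10.10.0/24 and 10.10.20.0/24 are present in the routing table of both routers. Local preference is used for item 3 rather than weight, so that R2 inherits the same choice over iBGP instead of needing a separate local policy.

```cisco
! R1 (AS 100), link to ISP(A) in AS 300 - added example, not the Cisco
! document's configuration. AS numbers and addressing are assumptions.
ip prefix-list DEFAULT seq 5 permit 0.0.0.0/0
ip prefix-list NET-A seq 5 permit 10.10.10.0/24
ip prefix-list NET-B seq 5 permit 10.10.20.0/24
!
! Outbound item 3: the default from ISP(A) gets local-preference 200.
! Local preference is carried over iBGP, so R2 prefers R1's default as
! well; ISP(B)'s default keeps the default value of 100 and is used only
! when R1's path is withdrawn (outbound item 4).
route-map FROM-ISPA permit 10
 match ip address prefix-list DEFAULT
 set local-preference 200
route-map FROM-ISPA permit 20
!
! Inbound items 1 and 2: both networks are announced to both ISPs (that is
! what makes inbound item 3, failover, work), but the "wrong" one is made
! less attractive by prepending our own AS. Anything not matched here is
! denied, so ISP(B)'s routes never leak to ISP(A) and AS 100 does not
! become transit between the two providers.
! MED (set metric) would not help here: it is only compared between paths
! from the same neighbor AS, and these two links go to different ASes.
! An ISP-defined community that lowers local preference inside the
! provider (set community ..., plus neighbor ... send-community) is the
! other option, but the value is something the ISP has to tell you.
route-map TO-ISPA permit 10
 match ip address prefix-list NET-A
route-map TO-ISPA permit 20
 match ip address prefix-list NET-B
 set as-path prepend 100 100
!
router bgp 100
 bgp log-neighbor-changes
 network 10.10.10.0 mask 255.255.255.0
 network 10.10.20.0 mask 255.255.255.0
 neighbor 198.51.100.1 remote-as 300
 neighbor 198.51.100.1 description ISP(A)
 neighbor 198.51.100.1 route-map FROM-ISPA in
 neighbor 198.51.100.1 route-map TO-ISPA out
 neighbor 10.255.0.2 remote-as 100
 neighbor 10.255.0.2 update-source Loopback0
 neighbor 10.255.0.2 next-hop-self
!
! ---------------------------------------------------------------
! R2 (AS 100), link to ISP(B) in AS 400. Nothing changes local preference
! on the way in, so ISP(B)'s default is the backup.
ip prefix-list NET-A seq 5 permit 10.10.10.0/24
ip prefix-list NET-B seq 5 permit 10.10.20.0/24
!
route-map TO-ISPB permit 10
 match ip address prefix-list NET-B
route-map TO-ISPB permit 20
 match ip address prefix-list NET-A
 set as-path prepend 100 100
!
router bgp 100
 bgp log-neighbor-changes
 network 10.10.10.0 mask 255.255.255.0
 network 10.10.20.0 mask 255.255.255.0
 neighbor 198.51.100.5 remote-as 400
 neighbor 198.51.100.5 description ISP(B)
 neighbor 198.51.100.5 route-map TO-ISPB out
 neighbor 10.255.0.1 remote-as 100
 neighbor 10.255.0.1 update-source Loopback0
 neighbor 10.255.0.1 next-hop-self
```

On either router `show ip bgp 0.0.0.0` should show the path via R1 with LocPrf 200 as best, and `show ip bgp neighbors 198.51.100.5 advertised-routes` on R2 should list 10.10.10.0/24 with the path 100 100 100. Whether the Internet actually honours the prepend is up to the providers, since a local-preference policy inside ISP(B) for customer routes beats any AS-path length; that is the reason for Laz's advice to agree the inbound policy with both ISPs before configuring it.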

Thank you Laz for the clear explanation.

I’m trying to create a network which connects to the Internet as indicated in the image below.

I have a single multihomed setup with each router also connected to multilayer switches. I’d like the routers to load-balance by setting two default routes: one to the ISP and one to the other router.

How can I prevent the routers from looping traffic and have failover to the other router if one ISP fails?

Hello Au

There are several issues to be dealt with here and several solutions for them. These include:

Connectivity of Routers to the ISPs - This is achieved using BGP. Typically, you have a BGP AS on your own routers, and then each ISP provides you with an AS of its own, and you create eBGP peerings. You can then adjust your BGP Attributes and parameters in the routers so that if connectivity is lost, one router will take over from the other.

Connectivity between routers and internal MLS’es - Here you can use a first-hop redundancy protocol (FHRP) such as HSRP in order to allow the MLS’es to reach either router. Typically however, in such a situation, you would use some form of equal cost or unequal cost routing so that you can direct traffic to whichever edge router you want. This way, if a router is lost, routing protocols will dynamically detect this and send traffic in the appropriate direction.

Connectivity between MLS’es and internal network - Here in most cases you will use an FHRP such as HSRP so that internal devices will have a redundant gateway. If one of the switches fails, internal hosts will not lose connectivity, but will continue to have access using the other switch as the gateway.

In all three cases, avoiding loops on the routers simply involves employing routing protocols and configurations appropriately.

I hope this has been helpful!

Laz

Hi Rene,
In the example of dual homed (connected to a single ISP router using dual links), one way to load share is by configuring loopbacks on both routers, configuring reachability between the loopbacks (via a static route or IGP), and using the update-source and ebgp-multihop 2 commands to get BGP up and load share across the 2 links.

Is there another way? like configure 2 neighbor statements to the same ISP router and use maximum-paths 2?

Thanks,
Amar
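The loopback-to-loopback, multihop eBGP arrangement Amar describes, with two parallel links to one ISP router, as an added example of the customer side (not from the post). Assumed: customer AS 65000 with Loopback0 10.255.0.1, the ISP router in AS 65001 with Loopback0 10.255.0.9, links 198.51.100.0/30 and 198.51.100.4/30, and 203.0.113.0/24 as the customer block. The ISP side has to mirror the static routes, update-source and ebgp-multihop, otherwise the session never comes up.

```cisco
! Customer edge - added example, not from the post. Addressing assumed.
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
interface GigabitEthernet0/0
 description Link 1 to ISP (198.51.100.1)
 ip address 198.51.100.2 255.255.255.252
!
interface GigabitEthernet0/1
 description Link 2 to ISP (198.51.100.5)
 ip address 198.51.100.6 255.255.255.252
!
! Two equal-cost static routes to the ISP's loopback. Every prefix learned
! over the session has next hop 10.255.0.9, which resolves recursively to
! both links, so CEF load-shares (per destination by default) across them.
! If one link goes down its static route is removed with the interface
! and the session stays up over the other link.
ip route 10.255.0.9 255.255.255.255 198.51.100.1
ip route 10.255.0.9 255.255.255.255 198.51.100.5
!
! The network statement needs the block in the routing table.
ip route 203.0.113.0 255.255.255.0 Null0
!
! The session is sourced from Loopback0 and the peer is one hop beyond
! the directly connected link, so the eBGP TTL has to allow 2 hops.
router bgp 65000
 bgp log-neighbor-changes
 network 203.0.113.0 mask 255.255.255.0
 neighbor 10.255.0.9 remote-as 65001
 neighbor 10.255.0.9 description ISP router, loopback peering
 neighbor 10.255.0.9 ebgp-multihop 2
 neighbor 10.255.0.9 update-source Loopback0
```

`show ip route 10.255.0.9` should list both next hops and `show ip bgp summary` one Established session. This shares outbound load only; how the ISP router splits traffic towards 203.0.113.0/24 over the two links is decided by the same kind of configuration on its side.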