BGP and Routing....


paradoxwd (Programmer, joined May 25, 2002, messages: 24, location: US)

Hey,

I'd just like to say thank you to everyone who commented in my last post. Everyone was extremely helpful and I hope you all can help me with my latest questions.

After doing some reading on BGP and testing many of the configuration examples I've been able to find, I have come to several conclusions.

BGP's purpose is not only to be a fail-safe, it also controls how people get to your router. My local router really doesn't have any control of how they get there, only how they leave. Because of this it is nearly impossible to make servers behind the router use the two lines as if they were one pipe. However, one could load-balance the lines by setting the router so that one block of IP addresses used one line and the other used the other line.

My question is, what if I only wanted 1 single IP to always use one line and then have all other IPs use the other line and still fail over if either of the lines went down. How would I set this up?




 
Policy routing is probably the easiest and will let you take one IP or block of IPs (or by protocol) and send it to a specific interface.

Understanding Policy Routing

Configuring Policy Based Routing

You can script the policy so if the first choice of the policy is down, it defaults to the other interface.

A short example
This is for a router with two serial interfaces to two ISPs.

router(config)#access-list 1 permit 192.168.1.0 0.0.0.255
router(config)#access-list 2 permit 172.16.1.0 0.0.0.255
! This starts the configuration. You set up a route map with the name of ISP1 and starting seq # is 10 (you can have more using seq #)
router(config)#route-map ISP1 permit 10
! Matching the IP addresses based on access-list 1
router(config-route-map)#match ip address 1
! This is where you tell the policy where to send the packets, S0 in this case
router(config-route-map)#set interface s0
! This starts the 2nd route map for ISP2
router(config)#route-map ISP2 permit 10
router(config-route-map)#match ip address 2
router(config-route-map)#set interface s1

To apply the new policy(s)

router(config)#interface e0
router(config-if)#ip policy route-map ISP1
router(config-if)#interface e1
router(config-if)#ip policy route-map ISP2



MikeS


Find me at
"The trouble with giving up civil rights is that you never get them back"
 
Will that work with BGP? Wouldn't I want to use prefix-lists and add route-maps to the bgp settings, to control how the packets left?

By specifying in access-lists which serial interface packets should go to, does that specify that those packets will then travel out that interface too?

Is this an example of the phrase, "there is more than one way to skin a cat?"
 
What if the one IP you want to go to a specific interface is inside a block of IPs that you want to go to the other interface?
 
BGP is a routing protocol.. in other words, it's designed to be able to provide routing information and routes to other routers (or anything else that talks BGP). It's designed for large networks.. i.e. the internet core or very large corporate WANs. What you want to do is have the router make a choice about where to send the packets from the LAN to the internet.. i.e. what interface/gateway does it use. Will BGP do this? Sort of.. Is it the best choice? I don't think so in this case.. BGP is complex, definitely not user friendly to the average router geek. When I suggested policy routing, it was with two thoughts in mind.

1: It's far easier to get support for policy routing than BGP
2: It can provide a decent control system (access-lists) to manage the flow.

Yes, the two can live well together as BGP works just like any other routing protocol. Policy routing does not *route* per se, well.. I guess you might say it does, but it does not provide routing information to any other router. It's strictly local to the router at hand.

A nice effect from this is once BGP works, you leave it alone. Even when you want to make changes, you will change the access-lists or route maps. You do not need to mess with BGP which is a real plus.

Yes, this an example of different ways to get from A to B. Others certainly will have different ideas on how to accomplish this.

You do not specify in the access list what port to use.. only what packets need to be manipulated. The route-map is what steers the packets to a certain destination. If the route map says to take all packets that match a certain access list to serial 0, then that is what port the packets will leave from. Unless the port is unavailable.


MikeS

 
Ok, let me further explain my specific scenario.

I have a server at 65.212.126.253 and I have the block 65.212.126.* as well as the 66.115.51.* block.

I want the 1 ip of 65.212.126.253 to send packets out the one line (s0/1) and all the other ips to go out the other line.

Would this be how I set up the ACLs?

ip access-list 1 deny 65.212.126.253 255.255.255.255
ip access-list 1 permit 65.212.126.0 0.0.0.255
ip access-list 1 permit 66.115.51.0 0.0.0.255

ip access-list 2 permit 65.212.126.253 255.255.255.255

Thank you for all of your help.

 

Apply either well-designed inbound or outbound access lists, or both.

Their usefulness comes from the fact that they do look at everything coming into a specific interface.

For example:
needs HTTP (TCP port 80)
be able to ping
HTTP (web) access
SSL access
permit udp
Return packets of HTTP connections and responses to pings

Remember this: outbound access lists do not differentiate between the interfaces where packets originate.
BGP uses TCP, and we have to allow it explicitly on the inbound access lists.
Access to the TCP must be bidirectional for BGP Route once; switch many
 
Well, I believe what I am trying to do is create a well-designed outbound access-list. But, then again, I really don't know what I am doing. ;) Routers and configuring routers is just not my area of expertise, so I require a bit more guidance in creating these well-designed ACLs. I am not asking for people to write them for me, just to let me know if I am hot, cold, or somewhere in the middle. I appreciate everyone's replies, they have all been very helpful. Thank you all for your time and patience.
 
::snip::
Would this be how I set up the ACLs?

ip access-list 1 deny 65.212.126.253 255.255.255.255
ip access-list 1 permit 65.212.126.0 0.0.0.255
ip access-list 1 permit 66.115.51.0 0.0.0.255

::snip::

Not exactly..try this way

!
access-list 1 permit 65.212.126.0 0.0.0.255
access-list 1 permit 66.115.51.0 0.0.0.255
!

Now.. where is the deny? Well.. at the end of an access list is an implied *deny all*, so you do not need to put it there. Anything that doesn't match the first two lines will be denied. You should always put the highest level of matches in the first few lines of an access list to keep the response time up.

Also, you can filter a range of IPs out of a subnet by using the wildcard mask. This is the inverse mask you put after the IP address. 0 means this must match the bits and 1 means I don't care. So the 0.0.0.255 says I will match everything in the first octets and I do not care after that for the fourth octet. The mask could also be 0.0.0.3, which filters that last octet even tighter.. (matches to a 255.255.255.252) so you could specify only two IPs would be matched.

MikeS
 
I noticed in your original example you applied the policies to the two ethernets. I only have 1 fast ethernet that goes to the network. So where do I apply the two policies?
 
Yeah, uhm, my last question there.. is where I am still stuck. Someone want to help me with that?

P.S. Anyone want to recommend a good Cisco Router book, that doesn't read like a manual?
 
Ha Great.. I got it. Wow and it works.

I set it up like so:

access-list 1 permit 66.115.51.0 0.0.0.255
access-list 1 permit 216.242.60.0 0.0.0.255
access-list 2 permit 65.212.126.0 0.0.0.255
!
route-map LINES permit 10
match ip address 2
set interface Serial0/0.1
!
route-map LINES permit 20
match ip address 1
set interface Serial0/1

and on my fast ethernet I added this line:

ip policy route-map LINES

And it works. Thanks so much. You do not know how giddy I am right now. I'm giggling like a girl.
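
An added example (not code from any poster in this thread) that models the wildcard-mask rule and the first-match evaluation discussed above, and uses them to answer the earlier question about steering one IP that sits inside a block. The function names and the interface assignment in `ROUTE_MAP` are assumptions made for illustration; the addresses are the ones quoted in the thread.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: 0 bits must match, 1 bits are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_permits(acl, addr):
    """Standard ACL: first matching entry wins; implicit deny at the end."""
    for action, base, wildcard in acl:
        if wildcard_match(addr, base, wildcard):
            return action == "permit"
    return False

def policy_route(route_map, acls, src, default="routing table"):
    """Walk route-map sequences in order; the first ACL that permits src sets the interface."""
    for _seq, acl_id, interface in sorted(route_map):
        if acl_permits(acls[acl_id], src):
            return interface
    return default  # no sequence matched: the packet is routed normally

# Constructed ACLs built from the addresses in the thread.
ACLS = {
    # Mask as written in the question: an all-ones wildcard ignores every bit.
    "asked": [("permit", "65.212.126.253", "255.255.255.255")],
    # Host entry: an all-zero wildcard means every bit must match.
    2: [("permit", "65.212.126.253", "0.0.0.0")],
    1: [("permit", "65.212.126.0", "0.0.0.255"),
        ("permit", "66.115.51.0", "0.0.0.255")],
}
# Hypothetical route-map: the host sequence comes before the enclosing blocks.
ROUTE_MAP = [(10, 2, "Serial0/1"), (20, 1, "Serial0/0.1")]

if __name__ == "__main__":
    for src in ("65.212.126.253", "65.212.126.10", "66.115.51.7", "10.0.0.1"):
        print(src, "->", policy_route(ROUTE_MAP, ACLS, src))
    print("all-ones wildcard matches 10.0.0.1:",
          acl_permits(ACLS["asked"], "10.0.0.1"))
```

Because evaluation stops at the first match, the more specific host entry has to sit in the lower-numbered sequence; placed after the /24 it would never be reached.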
 
Outstanding!!!! I was caught up in some other stuff and was not able to get back here for a lengthy response. I'm glad to hear it's working out for you.

As far as books go, there are a few books that come to mind.

Cisco Routers for IP routing (Little Black Book Series)
Cisco Routers for IP Networking (Little Black Book Series); this is a thicker version of the above book

A very handy book is:
Cisco Router Troubleshooting Handbook
Peter Rybaczyk

There are others but these come to mind first.

MikeS
 