
Single Site Multi Homing

March, 2004

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public
domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.;
Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA,
CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo,
Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net
Readiness Scorecard, LightStream, MGX, MICA, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar,
ScriptShare, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient, TransPath, and VCO are registered
trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.

All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship
between Cisco and any other company. (0304R)

Single Site Multi Homing


Copyright © 2004 Cisco Systems, Inc. All rights reserved.
CONTENTS

Single Site Multi Homing 1

Internet Edge Design Guidance 1


High Availability 1
Scalability 3
Intelligent Network Services 3
HSRP 3
Internal Routing 4
Edge Routing 4
Design Caveats 6

Design Recommendations 7
Internet Edge Design Fundamentals 7
Border Routers 8
Layer 2 Switching Layer 9
Firewall Layer 9
Layer 3 Switching Layer 9
Implementation Details 9
Single Site Multi-Homing Topology 9
Internet Cloud Router BGP 10
Primary Customer Configurations 11
Secondary Customer Configurations 11
BGP Attributes 11
Controlling Outbound Routes 12
Controlling Inbound Routes 13
Security Considerations 14

INDEX

Single Site Multi Homing


Version 1.0 iii
Single Site Multi Homing

This document identifies and clarifies typical single site Internet edge designs. It covers the core
design principles that apply to all network infrastructure designs, together with the requirements that
are unique to Internet Edge topologies. Like any infrastructure design, these solutions must be highly
scalable while maintaining the key aspects of redundancy and security. Last but not least, the solution
as a whole must not be too complex to manage. The key redundancy function in this type of design is the
resiliency gained from connecting to two or more providers, the number depending on the bandwidth
requirements of the server farm architecture or any other Internet services. Connecting to two or more
Internet providers is referred to as multi-homing.

Internet Edge Design Guidance


As mentioned above, Internet Edge solutions touch many different types of enterprise networks and
therefore may potentially have many different topologies. They can range from any remote office
connection to a major ISP peering point. Therefore, maintaining common design principles allows you
to apply these recommendations to almost all Internet Edge topologies.

High Availability
In a single-ISP topology, redundancy at the edge is a moot point: if the primary edge router fails, the
Internet connection goes down with it, so adding redundancy at the edge of the network has no beneficial
effect. However, when the providers supply two terrestrial circuits, as depicted below, you can take
advantage of the redundancy offered by multi-homing. Figure 1 displays a multi-homed topology.

Figure 1 Single Site Multi-Homing
(Figure: the Internet with SP 1 and SP 2 at the top, then the layers of the edge from top to bottom:
edge connectivity, edge routing, edge security, and server farm architectures.)

Internet edge topologies consist of multiple layers. There must be no single point of failure within the
network architecture, so complete device redundancy is a necessity. Redundant devices, coupled with
specific Layer 2 and Layer 3 technologies, achieve this. To meet this requirement, Internet edge
topologies use some of the key functions of the IOS software. The Layer 2 features used include:
• PortFast
• Bridge Protocol Data Unit (BPDU) Guard and Root Guard
• Broadcast Suppression
• UplinkFast
• EtherChannel
• Unidirectional Link Detection (UDLD)

The above technologies improve convergence times and reduce operational downtime. They also offer
basic security functions that protect against rogue devices on the network, which can become malicious
in the event of a network attack.
The Layer 3 features used for high availability offer redundant default gateways for networked hosts and
provide predictable traffic flow both in normal operating conditions and under the adverse conditions
surrounding a network link or device failure. The Layer 3 features include:
• Hot Standby Router Protocol (HSRP)
• Multi-group Hot Standby Router Protocol (MHSRP)
• Dynamic routing protocol metric tuning (EIGRP and OSPF)
HSRP and Multigroup HSRP offer Layer 3 gateway redundancy, while the dynamic routing protocols
offer a view of network availability from a higher level.

Scalability
The network architecture must scale to accommodate growing user populations as well as unforeseen
bursts in network traffic. While feature availability and processing power of network devices are
important design considerations, physical capacity attributes such as port density can limit architecture
scalability. Within the border layer of this topology, the termination of circuits can become a burden on
device scalability. Improper memory provisioning on a device can degrade performance and cause the
device to process traffic at a slower rate. The same principles apply to the firewall layer and to the
Layer 3 switching layer. Port density scalability is important at the Layer 3 switching layer because it
provides additional connections for host devices, in this case servers.

Intelligent Network Services


In all network topologies, the intelligent network services present in IOS software revisions, such as
QoS, and high availability technologies, such as HSRP, are used to ensure network availability. For
instance, with QoS, the precedence bits in a packet's IP header can be marked to give that packet higher
priority on the network than other packets.

HSRP
HSRP enables a set of routers to work together to present the appearance of a single virtual router or
default gateway to the hosts on a LAN. HSRP is particularly useful in fault tolerant network
environments running critical applications. By sharing an IP and MAC address, two or more routers
acting as one virtual router are able to transparently assume the routing responsibility in the event of a
defined outage or an unexpected failure. This allows hosts on a LAN to continue to forward IP packets
to a consistent IP and MAC address enabling the transparent changeover of routing devices during a
failure.
HSRP allows administrators to configure Hot Standby Groups that share responsibility for an IP address.
Each router is given a priority, which weights its standing in the active-router election. One router in
each group is the active forwarder and one is the standby. This determination is made according to the
routers' configured priorities: the router with the highest priority wins and, in the event of a priority
tie, the greater configured IP address breaks the tie. Other routers in the group monitor the status of
the active and standby routers to enable further fault tolerance. All HSRP routers participating in a
standby group watch for hello packets from the active and the standby routers. Unless these parameters
are explicitly configured on each individual router, all routers in the group learn the hello and dead
timers from the active router, as well as the IP address of the standby router. Although this process is
dynamic, it is recommended that the network administrator define the HSRP dead timers explicitly. If the
active router becomes unavailable due to scheduled maintenance, power failure, or other reasons, the
standby router transparently assumes the active role within a few seconds. This changeover occurs when
the dead timer is reached or when three successive hello packets are missed. The standby router promptly
takes over the virtual addresses and the responsibilities that go with them. When the standby interface
assumes the active role, the new active router sends a gratuitous ARP, which updates the CAM (Content
Addressable Memory) table on the Layer 2 switch, so that it becomes the forwarding path for the devices
using this gateway. Configure these HSRP timers on a per-HSRP-group basis.
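To make the election and failover rules above concrete, here is an added Python model that is not part of the Cisco guide: routers are ranked by priority and then by the greater interface IP address, and the standby takes over once the active router's hellos have stopped for the hold (dead) timer. The 3-second hello and 10-second hold values and the always-preempt behaviour are assumptions; the router addresses are constructed in the guide's 172.16.20.X range.

```python
"""Added example (not from the Cisco guide): a model of the HSRP active/standby
election and failover rules.  Timer values are assumptions matching IOS defaults
(hello 3 s, hold 10 s); hello packet formats and the actual gratuitous ARP are not
modelled, only the decisions the group makes.  Unlike IOS without 'standby preempt',
this model always lets a higher-ranked live router take the active role."""
import ipaddress
from dataclasses import dataclass

HELLO_SECONDS = 3        # assumed IOS default hello interval
HOLD_SECONDS = 10        # assumed IOS default hold (dead) timer, about three hellos


@dataclass
class HsrpRouter:
    name: str
    ip: str
    priority: int = 100          # IOS default HSRP priority
    last_hello: float = 0.0      # time the group last heard a hello from this router


def election_key(router):
    """Highest priority wins; on a tie the numerically greater interface IP wins."""
    return (router.priority, int(ipaddress.ip_address(router.ip)))


def elect(routers):
    """Return (active, standby) for one HSRP group from the routers offered."""
    ranked = sorted(routers, key=election_key, reverse=True)
    return ranked[0], (ranked[1] if len(ranked) > 1 else None)


def alive(router, now, hold=HOLD_SECONDS):
    """A router is declared dead when no hello has arrived within the hold timer."""
    return now - router.last_hello < hold


class HsrpGroup:
    def __init__(self, routers, virtual_ip):
        self.routers = list(routers)
        self.virtual_ip = virtual_ip
        self.active, self.standby = elect(self.routers)
        self.gratuitous_arps = []   # (time, new active) recorded at each takeover

    def tick(self, now):
        """Re-evaluate the group at time `now`; hand the virtual IP/MAC to the best
        remaining router if the active one has gone silent past the hold timer."""
        live = [r for r in self.routers if alive(r, now)]
        if not live:
            return None
        new_active, new_standby = elect(live)
        if new_active is not self.active:
            # The new active router announces the virtual MAC with a gratuitous
            # ARP so the Layer 2 switch CAM table points at its port.
            self.gratuitous_arps.append((now, new_active.name))
        self.active, self.standby = new_active, new_standby
        return self.active


def failover_scenario():
    """Constructed two-router group on 172.16.20.X with equal priority, so R1 (.3)
    wins the tie on IP.  R1 stops sending hellos after t=30 while R2 keeps sending;
    R2 should take over once the hold timer expires, on the fourth missed hello."""
    r1 = HsrpRouter("R1", "172.16.20.3", last_hello=30.0)
    r2 = HsrpRouter("R2", "172.16.20.2", last_hello=30.0)
    group = HsrpGroup([r1, r2], "172.16.20.1")
    timeline = []
    for now in (33.0, 36.0, 39.0, 42.0):     # one hello interval per step
        r2.last_hello = now                   # R2's hellos keep arriving
        timeline.append((now, group.tick(now).name))
    return group, timeline


if __name__ == "__main__":
    group, timeline = failover_scenario()
    for when, active in timeline:
        print(f"t={when:>4}: active = {active}")
    print("gratuitous ARPs sent:", group.gratuitous_arps)
```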

Internal Routing
Before discussing the basic ways you can connect autonomous systems (AS) to ISPs, some basic routing
terminology and concepts must be discussed. There are three basic routing approaches: static routing,
default routing and dynamic routing.
• Static routing refers to route destinations manually configured in the router. Network reachability in
this case is not dependent on the existence and state of the network itself. Whether a destination is
up or down, the static routes remain in the routing table, and traffic is still sent toward that
destination.
• Default routing refers to a “last resort” outlet. Traffic to destinations that are unknown to the router
are sent to that default outlet. Default routing is the easiest form of routing for a domain connected
to a single exit point.
• Dynamic routing refers to routes learned via an internal or external routing protocol. Network
reachability is dependent on the existence and state of the network. If a destination is down, the route
disappears from the routing table and traffic is not sent toward that destination.
These three routing approaches are possibilities for all the AS configurations considered in upcoming
sections, but there is an optimal approach. Thus, in illustrating different ASs, this document considers
whether static, dynamic, default, or some combination of these routing methods is optimal. This
document also considers whether interior or exterior routing protocols are appropriate. You can use
Interior Gateway Protocols (IGPs) to advertise your network internally. Use an IGP between your
network and your ISP's network to redistribute routes internally. This has all the benefits of dynamic
routing, where network information and changes are sent dynamically to the ISP. The IGP also
distributes the network routes upstream to the BGP process.

Edge Routing
BGP performs interdomain routing in TCP/IP networks. BGP is an exterior gateway protocol (EGP),
which means that it performs routing between multiple ASs or domains and exchanges routing and
reachability information with other BGP systems.
BGP replaces its predecessor, the now obsolete Exterior Gateway Protocol (EGP), as the standard
exterior gateway routing protocol used in the global Internet. It solves serious problems found in EGP
and scales to Internet growth more efficiently. As with any routing protocol, BGP maintains routing
tables, transmits routing updates, and bases routing decisions on routing metrics. The primary function
of a BGP system is to exchange network-reachability information, including the list of AS paths, with
other BGP systems. This information is used to construct a graph of AS connectivity from which routing
loops can be pruned and AS-level policy decisions enforced. Each BGP router maintains a routing table
that lists all feasible paths to a particular network. The router does not periodically refresh this
table; instead, routing information received from peer routers is retained until the router receives an
incremental update.

BGP devices exchange routing information upon initial data exchange and during incremental updates.
When a router first connects to the network, BGP routers exchange their entire BGP routing tables.
However, when the routing table changes, routers send only the changed portion of their routing table.
BGP routers do not send regularly scheduled routing updates and BGP routing updates advertise only
the optimal path to a network.
BGP uses a single routing metric to determine the best path to a given network. This metric consists of
an arbitrary unit number that specifies the degree of preference of a particular link. The BGP metric is
typically assigned to each link by the network administrator. The value assigned to a link is based on any
number of criteria, including the number of ASs through which the path passes, stability, speed, delay,
or cost.
BGP performs three types of routing:
• Interautonomous system routing
• Intra-autonomous system routing
• Pass-through autonomous system routing
Interautonomous system routing occurs between two or more BGP routers in different ASs. Peer routers
in these systems use BGP to maintain a consistent view of the internetwork topology. BGP neighbors
communicating between ASs must reside on the same physical network. The Internet serves as an
example of an entity that uses this type of routing because it contains ASs or administrative domains.
Many of these domains represent the various institutions, corporations, and entities that make up the
Internet. BGP is frequently used to provide path determination that creates optimal routing within the
Internet.
Intra-autonomous system routing occurs between two or more BGP routers located within the same AS.
Peer routers within the same AS use BGP to maintain a consistent view of the system topology. BGP is
also used to determine which router serves as the connection point for specific external ASs. Once again,
the Internet provides an example of interautonomous system routing. An organization, such as a
university, can make use of BGP to provide optimal routing within its own administrative domain or AS.
The BGP protocol provides both inter- and intra-autonomous system routing services.
Pass-through autonomous system routing occurs between two or more BGP peer routers that exchange
traffic across an AS that does not run BGP. In a pass-through AS environment, the BGP traffic did not
originate within the AS in question and is not destined for a node in the AS. BGP must interact with the
intra-autonomous system routing protocol available to successfully transport BGP traffic through that
AS.

Figure 2 E-BGP and I-BGP
(Figure: the Internet with SP 1 and SP 2; an E-BGP instance toward the providers and an I-BGP instance
between the border routers.)

Design Caveats

When implementing an Internet edge topology, certain common design principles deserve explicit attention
rather than being taken for granted. For example, the addressing of an Internet edge topology requires
careful consideration. More specifically, if you have not received a registered address space for your
entire network infrastructure from the American Registry for Internet Numbers (ARIN), then you must get
your addresses from the upstream providers. This assumes that each provider gives you a contiguous block
within that ISP's address range, which makes it impossible for you to advertise each of these blocks to
the other upstream ISP's routers. If you are peering with multiple ISPs and using addresses from one of
the two networks, it is difficult for the other ISP to advertise the routes of your address space, because
that network address is most likely summarized at a different peering point within the ISP network.
Therefore, the addressing remains limited to the ISP block supplied by the respective ISP. If you were
to advertise these address ranges, you run the risk of becoming a transit network in the Internet
backbone: some of the peers on one ISP backbone could perceive your network topology as a closer route
to the other ISP backbone.
This issue also arises where you use the same network addressing as the I-BGP instance and advertise
yourself as a more attractive route to each of the ISPs respectively.
Another issue associated with this type of design is DNS (Domain Name Service) resolution for the
associated address schemes. For instance, if you were to address the server farm from the address block
of ISP A and publish that address in DNS, the A record might not be reachable for many users on the
Internet, because the advertisement is tied to a specific ISP route. If the primary ISP that holds that
address range fails and is no longer reachable, the entire web site is blackholed.
The workaround, therefore, is to associate multiple DNS A records with the same Virtual IP Address
(VIP): the DNS server returns two different A records for the same server farm, one from each of the
address blocks supplied by the upstream ISPs. Build this redundancy into your DNS implementation by
defining DNS round robin between the two A records associated with this site.

Design Recommendations
Internet Edge Design Fundamentals
As mentioned above, Internet Edge topologies are present in every Internet-facing network, although
their scale differs. These topologies are increasingly important to business functions, and their
scalability must not be overlooked. Below are the details of the functional layers of the Internet edge
topologies and how they interact with one another. Complete redundancy is imperative in this type of
architecture.

Figure 3 Physical Layer Topology
(Figure: two ISP routers, BGP AS 1 and AS 2, connect over S2/0 serial links, 172.16.10.X and
172.16.11.X (ISP side .1, border side .254), to border routers R1 and R2 in BGP AS 100. The border
routers interconnect on F0/0 over 172.18.21.X (.254 and .1) and attach on F2/0 to the Layer 2 switching
layer, segment 172.16.20.X, where HSRP uses .1, .2 and .3. The firewall security layer connects to that
segment on E0 (.253 and .254) and on E1 (.253 and .254) to VLAN 6, where the Layer 3 switching layer
(F3/1, G1, G2, HSRP with .1, .2 and .3) terminates; CE1 routers attach on F 1/0 with 172.16.25.5/24 and
172.16.25.6/24. VLAN 10 (F3/3, 172.16.100.X, .254) holds a laptop at 172.16.100.1 with default gateway
172.16.100.254.)

Border Routers
The border routers, typically deployed in pairs, are the edge-facing devices of the network. The quantity
of border routers is a provisioning decision based on memory requirements and physical circuit
termination. The border routers are the point at which ISP termination and initial security parameters are
provisioned. The border router layer serves as the gateway of the network and utilizes an externally
facing Layer 3 routing protocol like BGP integrated with an internally facing routing protocol, such as
EIGRP or OSPF, to intelligently route traffic throughout the external and internal networks, respectively.
The internet edge in an enterprise environment may provide internet connectivity to an ISP through the
use of single-homed core routers, or to several ISPs using multi-homed core routers.

Layer 2 Switching Layer


Beneath the border layer is the Layer 2 switching layer. This layer functions as a security gateway by
offering physical separation between the border routers, firewalls and internal Layer 3 switching
platforms. This layer also offers HA (high availability) services such as HSRP and stateful firewall
failover. You must consider the aggregate throughput of the external links when engineering this
platform.

Firewall Layer
The firewall layer is a security layer that provides stateful packet inspection for traffic into the
network infrastructure and to the services and applications offered in the server farm and database
layers. In most design topologies this layer also acts as the network address translation (NAT) device.
NAT at the Internet edge is common because of the ever-depleting IPv4 address pool available to ISPs:
many ISPs provide only a limited address range, which requires you to define NAT pools at the egress
point of the topology, and the firewall layer is where they are applied.

Layer 3 Switching Layer


The Layer 3 switching layer is the final layer in the Internet edge topology and is also a functional
layer of the server farm design. In some design topologies it acts as either a core layer or an
aggregation layer. Its primary function, from the standpoint of the Internet edge design, is to advertise
the IGP routing protocol internally to the infrastructure as well as the static routes defined upstream
toward the firewall layer. This layer is the termination point for the IGP internal to the
infrastructure. This is a necessity because, in the Internet Edge design, the PIX layer is the default
route from the internal network, and this route is redistributed internally as the gateway of last
resort (the 0.0.0.0 route).

Implementation Details

Single Site Multi-Homing Topology


Below are the configuration details for the single site multi-homing design. In this section, the
router configurations were taken from the primary router, R1, as depicted in Figure 4.

Figure 4 Internet Edge Test Topology
(Figure: the test topology, with the same addressing as the physical layer topology: ISP routers BGP
AS 1 and AS 2 on S2/0 links 172.16.10.X and 172.16.11.X (ISP .1, border .254) to R1 and R2 in BGP
AS 100; R1-R2 F0/0 link 172.18.21.X (.254 and .1); F2/0 to the HSRP segment 172.16.20.X (.1, .2, .3);
firewalls E0 .253/.254 and E1 .253/.254 on VLAN 6; Layer 3 switches F3/1, G1, G2 with HSRP (.1, .2, .3)
and CE1 F 1/0 links 172.16.25.5/24 and 172.16.25.6/24; VLAN 10 on F3/3 (.254, 172.16.100.X) with a
laptop at 172.16.100.1 and DG 172.16.100.254.)

Internet Cloud Router BGP


router bgp 1
no synchronization
bgp log-neighbor-changes
network 1.0.0.0
network 2.0.0.0
network 3.0.0.0
network 4.0.0.0
network 5.0.0.0
network 6.0.0.0
network 7.0.0.0
network 8.0.0.0
network 9.0.0.0
network 100.0.0.0
redistribute connected
neighbor 172.16.10.254 remote-as 100
neighbor 172.16.11.254 remote-as 100
no auto-summary

router bgp 2
no synchronization
bgp log-neighbor-changes
network 1.0.0.0
network 2.0.0.0
network 3.0.0.0
network 4.0.0.0
network 5.0.0.0
network 6.0.0.0
network 7.0.0.0
network 8.0.0.0
network 9.0.0.0
network 100.0.0.0
redistribute connected
neighbor 172.16.10.254 remote-as 100
neighbor 172.16.11.254 remote-as 100
no auto-summary

Primary Customer Configurations


router bgp 100
bgp log-neighbor-changes
network 172.16.10.0
network 172.16.21.0
redistribute connected
neighbor 172.16.10.1 remote-as 1
neighbor 172.16.21.254 remote-as 100
neighbor 172.16.21.254 next-hop-self

Secondary Customer Configurations


router bgp 100
bgp log-neighbor-changes
network 172.16.11.0
network 172.16.20.0
redistribute connected
neighbor 172.16.11.1 remote-as 2
neighbor 172.16.21.1 remote-as 100
neighbor 172.16.21.1 next-hop-self

BGP Attributes
BGP attributes control both inbound and outbound network routes. These attributes can be adjusted to
control the decision making process of BGP itself. The BGP attributes are a set of parameters that
describe the characteristics of a prefix (route). The BGP decision process uses these attributes to select
the best routes. The next few sections cover these attributes and how they can be manipulated to affect
the routing behavior.

Controlling Outbound Routes

Weight Attribute

The weight attribute is a Cisco-proprietary attribute used for path selection when there are multiple
routes to the same destination, which is the case when you want to use both outbound links together.
The weight attribute is local to the router on which it is assigned and is not propagated in routing
updates. By default, the weight is 32768 for paths that the router originates and zero for other paths.
Routes with a higher weight are preferred when there are multiple routes to the same destination.
Below are sample configurations for the weight attribute, which is available by default in Cisco IOS.
Define weight statements as follows to control route updates from a specific ISP AS on the primary
router:
Router R1
router bgp 100
neighbor 172.16.10.1 remote-as 1
neighbor 172.16.10.1 filter-list 5 weight 2000
neighbor 172.16.21.254 remote-as 100
neighbor 172.16.21.254 next-hop-self
neighbor 172.16.21.254 filter-list 6 weight 1000
!
ip as-path access-list 5 permit ^1$
ip as-path access-list 6 permit ^100$

In the above example, a weight of 2000 is assigned to updates from the neighbor router at IP address
172.16.10.1 that are permitted by access list 5. Access list 5 permits updates whose AS_path attribute
starts with 1 (as specified by ^) and ends with 1 (as specified by $), that is, an AS_path of exactly 1.

Note The ^ and $ symbols are used to form regular expressions. For a complete explanation of regular
expressions, see the appendix on regular expressions in the Cisco Internetwork Operating System (Cisco
IOS) software configuration guides and command references.

This example also assigns 1000 to the weight attribute of updates from the neighbor at IP address
172.16.21.254 that are permitted by access list 6. Access list 6 permits updates whose AS_path attribute
starts with 100 and ends with 100.
In effect, this configuration assigns 2000 to the weight attribute of all route updates received from AS 1
and 1000 to the weight attribute of all route updates from AS 100. This means that the majority of the
traffic is routed toward the upstream E-BGP neighbor rather than across the I-BGP session. This assumes
that the ISP connection terminated on each border router is that router's primary route. This type of
design topology is most beneficial when the I-BGP routes can be redistributed internally to the network
topology.
The weight attribute is configured on R2 in the same manner. In this design, the primary route is the
ISP link terminated on the border router itself.

Local Preference

Setting the local preference also affects the BGP decision process. If multiple paths for the same prefix
are available, the path with the higher local preference is preferred. Local preference sits near the top
of the BGP decision process (it comes right after the Cisco-proprietary weight parameter) and is
considered before the path length: a longer path with a higher local preference is preferred over a
shorter path with a lower local preference. The following configuration depicts the commands needed to
set up local preference. The configurations below are from the primary border router R1.
This is the routing configuration that defines the BGP parameters:
This is the routing configuration to define the BGP parameter:
router bgp 100
no synchronization
network 172.16.10.0 mask 255.255.255.0
network 172.16.20.0 mask 255.255.255.0
neighbor 172.16.21.254 remote-as 100
neighbor 172.16.21.254 next-hop-self
neighbor 172.16.10.1 remote-as 1
neighbor 172.16.10.1 filter-list 10 out
neighbor 172.16.10.1 route-map SETLOCAL in
no auto-summary

The configurations below associate a route map with the incoming routes and an AS-path filter with the
outgoing ones. Apply them to the router that you want to define as the primary router. AS-path access
list 10 permits only routes with an empty AS_path, that is, routes originated within AS 100, so the
filter-list 10 out statement advertises only your own prefixes to the ISP and keeps AS 100 from acting
as a transit network (see Design Caveats).
ip as-path access-list 10 permit ^$
route-map SETLOCAL permit 10
set local-preference 150

The route-map SETLOCAL assigns a local preference of 150 for all routes coming from the upstream
router in the ISP cloud (note the keyword in). With this configuration, the local preference attribute of
any update coming from AS 1 is set to 150.
Also, define a local preference on the secondary border router with the following configuration.
router bgp 100
no synchronization
network 172.16.10.0 mask 255.255.255.0
network 172.16.20.0 mask 255.255.255.0
neighbor 172.16.21.1 remote-as 100
neighbor 172.16.21.1 next-hop-self
neighbor 172.16.11.1 remote-as 2
neighbor 172.16.11.1 filter-list 10 out
neighbor 172.16.11.1 route-map SETLOCAL in
no auto-summary

This configuration defines the route map applied toward ISP AS 2.
ip as-path access-list 10 permit ^$
route-map SETLOCAL permit 10
set local-preference 200

The route-map SETLOCAL assigns a local preference of 200 to all routes coming from the upstream
router in the ISP cloud (note the keyword in). With this configuration, the local preference attribute of
any update coming from AS 2 is set to 200.

Controlling Inbound Routes


In Internet edge topologies, controlling the routes you advertise outbound is first and foremost, because
this is how your network topology is seen by the world. The routes you advertise also define, by default,
how traffic returns to your site, so controlling them allows you to manipulate how much traffic comes in
from each ISP. More specifically, if you want all traffic to leave your topology over one ISP link and
all traffic destined for the topology to arrive over the other ISP link, implement AS path prepending.
This is the most common deployment where a network administrator does not want to leave a link idle.

AS Path Attribute

Whenever an update passes through an AS, BGP prepends that AS number to the update. The AS_path
attribute is the list of AS numbers that an update has traversed in order to reach a destination. An AS-SET
is a set of all the ASs that have been traversed. This becomes relevant when a network administrator
wants to prepend additional AS numbers to an update sent to upstream providers in order to make that
route less attractive to the upstream ISP routers. Since routing distance in BGP is measured by AS hop
count, the longer the AS path associated with a specific link, the less attractive that link is to
upstream routers in the topology.

AS Prepend Configuration

The following configuration was taken from router R1 as depicted above in Figure 4.
R1 was previously defined as the local preference router; to control the inbound routes of the topology, add the following outbound route map on R1 as well. Prepending on R1's session to AS 1 makes the path through R2 and AS 2 more attractive to the Internet for our advertised address space, so ingress arrives through R2. For the load to be distributed across both routers, the two mechanisms must pull in opposite directions: the routes learned from AS 1 on R1 should carry the higher local preference so that egress leaves through R1 while the prepend on R1 steers ingress toward R2. If the lower local preference sits on the same router that prepends, both ingress and egress end up on R2 and the other link is left idle.
router bgp 100
network 172.16.10.0 mask 255.255.255.0
network 172.16.20.0 mask 255.255.255.0
neighbor 172.16.21.254 remote-as 100
neighbor 172.16.21.254 next-hop-self
neighbor 172.16.10.1 remote-as 1
neighbor 172.16.10.1 route-map AddASnumbers out
no auto-summary

route-map AddASnumbers permit 10
set as-path prepend 100 100

In the above configuration, the route map prepends AS 100 twice to every advertisement sent to ISP AS 1. AS 1, and everyone behind it, therefore sees an AS_PATH of 100 100 100 (length three) for our prefixes on that link, while the same prefixes reach them through AS 2 with the shorter path 2 100, so the AS 2 path wins on AS_PATH length.
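To see how the local preference configuration above and this prepend configuration interact, here is an added example, not code from the original guide, that models the two BGP best-path tie-breakers both sections rely on: higher LOCAL_PREF wins, then shorter AS_PATH. It uses the AS numbers, prefixes and route-map values from the configurations above; the LOCAL_PREF that ISP AS 1 applies on its own sessions is an assumption, since the guide does not show the ISP's policy.

```python
"""Model of the two BGP tie-breakers this section leans on (added example).

Cisco's best-path algorithm compares weight (local to one router), then
LOCAL_PREF (higher wins), then AS_PATH length (shorter wins) before any other
attribute.  The scenario, prefixes and AS numbers are those of the
configurations above; the ISP-side LOCAL_PREF policies are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    via: str                 # label for the neighbor/link the route was learned from
    as_path: tuple           # AS_PATH as received, leftmost = most recently traversed AS
    local_pref: int = 100    # Cisco default LOCAL_PREF


def best_path(paths):
    """Return the preferred Path: highest LOCAL_PREF, then shortest AS_PATH.

    The label is the final key only so that the result is deterministic.
    """
    return min(paths, key=lambda p: (-p.local_pref, len(p.as_path), p.via))


def prepend(as_path, asn, count):
    """What 'set as-path prepend' does: put our ASN in front count extra times.

    The eBGP neighbor already sees our ASN once from the normal eBGP hop, so the
    caller passes that base path in.
    """
    return (asn,) * count + tuple(as_path)


def as1_inbound_choice(prepend_count, customer_local_pref=100, peer_local_pref=100):
    """Which path ISP AS 1 selects toward 172.16.10.0/24 and 172.16.20.0/24.

    AS 1 hears the prefixes twice: directly from R1 (AS_PATH '100', lengthened
    by the AddASnumbers route map) and from its peer AS 2, which learned them
    from R2 (AS_PATH '2 100').  The LOCAL_PREF values are what AS 1 itself
    applies on those two sessions (assumed; the guide shows no ISP policy).
    """
    direct = Path("R1 via AS 1 customer link",
                  prepend((100,), 100, prepend_count), customer_local_pref)
    via_as2 = Path("R2 via AS 2 peering", (2, 100), peer_local_pref)
    return best_path([direct, via_as2]).via


def enterprise_egress(r1_local_pref=150, r2_local_pref=200):
    """Which border router AS 100 uses toward an Internet prefix.

    With the SETLOCAL route maps, R1 tags AS 1's routes 150 and R2 tags AS 2's
    routes 200; iBGP carries both copies to each border router.
    """
    via_r1 = Path("R1 -> AS 1", (1,), r1_local_pref)
    via_r2 = Path("R2 -> AS 2", (2,), r2_local_pref)
    return best_path([via_r1, via_r2]).via


if __name__ == "__main__":
    print("no prepend, AS 1 sends inbound via:", as1_inbound_choice(0))
    print("prepend 100 100, AS 1 sends inbound via:", as1_inbound_choice(2))
    print("prepend 100 100 but AS 1 prefers customers (LOCAL_PREF 200):",
          as1_inbound_choice(2, customer_local_pref=200))
    print("egress with SETLOCAL 150 on R1 / 200 on R2:", enterprise_egress())
    print("egress with 200 on R1 / 150 on R2:", enterprise_egress(200, 150))
```

Running it shows three things the prose alone does not: the prepend by itself flips AS 1's choice from the direct link to the path through AS 2; an upstream that prefers customer-learned routes with a higher LOCAL_PREF ignores the prepend entirely; and with SETLOCAL values of 150 on R1 and 200 on R2, egress also leaves through R2, whereas swapping the two values puts egress on R1 so that the two links share the load.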

Security Considerations
Security is a necessity in all network architectures today, regardless of your Internet connectivity. You
must ensure that the network architecture and the network devices are securely provisioned and
managed.
Internet Edge security is discussed in “Internet Edge Security Design Principles” and “Internet Edge
Security Implementation.” This section provides a brief summary from that guide of the security
functions supported within Internet Edge designs. These functions include:
• Element Security – The secure configuration and management of the devices that collectively define
the Internet Edge.
• Identity Services – The inspection of IP traffic across the Internet Edge requires the ability to
identify the communicating endpoints. Although this can be accomplished with explicit user/host
session authentication mechanisms, usually IP identity across the Internet Edge is based on header
information carried within the IP packet itself. Therefore, IP addressing schemas, address
translation mechanisms, and application definition (IP protocol/port identity) play key roles in
identity services.
• IP Anti-Spoofing – This includes support for RFC-2827 (ingress filtering), under which an enterprise forwards to the Internet only packets whose source address lies within its assigned public IP address space and drops packets arriving from the Internet that claim one of its own addresses as their source, and for RFC-1918, which allows the use of private IP address spaces within enterprise networks and therefore means such addresses must never appear as sources on traffic arriving from the Internet.
• Demilitarized Zones (DMZ) – A basic security policy for enterprise networks is that internal
network hosts must not be directly accessible from hosts on the Internet (as opposed to replies from
Internet hosts for internally initiated session, which are statefully permitted). For those hosts, such
as web servers, mail servers, VPN devices, etc., which are required to be directly accessible from
the Internet, it is necessary to establish quasi-trusted network areas between, or adjacent to both, the
Internet and the internal enterprise network. Such DMZs allow internal hosts and Internet hosts to
communicate with DMZ hosts, but the separate security policies between each area prevent direct
communication originating from Internet hosts from reaching internal hosts.
• Basic Filtering and Application Definition – Derived from enterprise security policies, implement
ACLs to provide explicitly permitted and/or denied IP traffic that may traverse between areas
(Inside, Outside, DMZ, etc.) defined to exist within the Internet Edge.
• Stateful Inspection – Provides the ability to establish and monitor session states of traffic permitted
to flow across the Internet Edge, and deny that traffic which fails to match the expected state of an
existing or allowed session.
• Intrusion Detection – The ability to promiscuously monitor network traffic across a discrete point
within the Internet Edge, and alarm and/or take action upon detecting suspect behavior that may
threaten the enterprise network.
Please refer to the above mentioned chapters for detailed insight into security parameters and the
measures taken within Internet edge topologies.
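As an added example, not code from the original guide, the following models the IP anti-spoofing checks of the RFC 2827 and RFC 1918 bullet above as a border interface would apply them in both directions. The enterprise prefix 198.51.100.0/24 and the sample packets are constructed for the example; the guide's lab uses 172.16.x.x as stand-in address space, which is itself RFC 1918 and would be dropped by such a filter on a real Internet edge.

```python
"""RFC 2827 / RFC 1918 anti-spoofing decision for a border interface (added example).

The enterprise address space is an assumption (RFC 5737 documentation range);
the sample packets below are constructed, not captured from any network.
"""
import ipaddress

# Assumed public address space assigned to the enterprise.
SITE_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]

# RFC 1918 private space: never a valid source on a packet arriving from the Internet.
RFC1918 = [ipaddress.ip_network(p)
           for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def anti_spoof_decision(direction, src):
    """Return 'permit' or 'drop' for a packet with source address src.

    "inbound"  : packet arrives from the ISP on the outside interface.  Drop if the
                 source claims one of our own prefixes (RFC 2827: nobody on the
                 Internet legitimately sources packets from our space) or an
                 RFC 1918 address (which must never be routed across the Internet).
    "outbound" : packet leaves toward the ISP.  Permit only sources inside our
                 assigned space (RFC 2827 egress filtering), so a compromised
                 internal host cannot launder spoofed packets through our edge.
    """
    addr = ipaddress.ip_address(src)
    if direction == "inbound":
        if _in_any(addr, SITE_PREFIXES) or _in_any(addr, RFC1918):
            return "drop"
        return "permit"
    if direction == "outbound":
        return "permit" if _in_any(addr, SITE_PREFIXES) else "drop"
    raise ValueError(f"unknown direction {direction!r}")


def evaluate(packets):
    """Apply the decision to (direction, src) pairs -> list of (direction, src, verdict)."""
    return [(d, s, anti_spoof_decision(d, s)) for d, s in packets]


# Constructed sample traffic for the example.
SAMPLE_PACKETS = [
    ("inbound", "203.0.113.7"),      # ordinary Internet source          -> permit
    ("inbound", "198.51.100.20"),    # our own space arriving from outside -> drop
    ("inbound", "10.1.2.3"),         # RFC 1918 source from the Internet -> drop
    ("outbound", "198.51.100.20"),   # our host talking out              -> permit
    ("outbound", "192.0.2.9"),       # address not ours leaving our net  -> drop
]

if __name__ == "__main__":
    for direction, src, verdict in evaluate(SAMPLE_PACKETS):
        print(f"{direction:8} {src:16} {verdict}")
```

The two directions are deliberately asymmetric: inbound filtering protects the site from traffic forged to look internal, while outbound filtering protects the rest of the Internet from forged traffic originating inside the site, and both are needed for RFC 2827 compliance.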

INDEX

A
American Registry for Internet Numbers 6
ARIN 6
AS paths 4

B
BGP 11
BGP Attributes 11
border routers 8
BPDU 2
BPDU guard 2
bridge protocol data unit 2
broadcast suppression 2

C
controlling inbound routes 13
controlling outbound routes 12

D
DMZ 15
DNS resolution 7
dynamic routing protocol metric tuning 3

E
Edge Routing 4
EGP 4
EIGRP 3, 8
Exterior Gateway Protocol 4

F
Firewall Layer 9

H
hot standby router protocol 3
HSRP 3

I
interautonomous system routing 5
Internal Routing 4
Internet Edge Design Fundamentals 7
Internet Edge Design Recommendations 7
intra-autonomous system routing 5
IPv4 9

L
Layer 2 Switching Layer 9
Layer 3 Switching Layer 9

N
NAT 9

O
OSPF 3, 8

P
pass-through autonomous system routing 5
Port fast 2

Q
QoS 3

R
redundancy 1
rootguard 2

U
UDLD 2
unidirectional link detection 2
uplinkfast 2

V
VIP 7
virtual IP Address 7