From: Jay Hennigan (jay@west.net)
Date: Sat Dec 06 2008 - 03:40:05 ARST
Piyoush Sharma wrote:
> Hi Marko,
>
> First of all, it is a real-life (threatening) scenario. It brought traffic
> down for a few hours (it was done around midnight by one of the
> consultants).
> Your explanation on how the ISP makes those routing decisions confirms the
> suspicions I had about the situation. Thank you for the explanation on the
> ISP routing behaviour.
> In this case, I have decided to go ahead with conditional advertisement in
> BGP. This would make the design complex, but we would still retain control
> over how the networks are routed across the internet.
>
> Here is a brief design of what I am planning, let me know if I am missing
> something...
> iBGP peering between Router 1 and Router 2
> Advertise the IP address of the interface connecting to the respective ISP
> (Router1->ISP1 ; Router2->ISP2) into BGP
> (It's a serial interface - /30 subnet, so if the line protocol goes down, the
> directly connected route would disappear and would also be removed from iBGP
> advertisement)
> Filter that route from the ebgp advertisement.
> Configure BGP conditional advertisement - if Router1's connection to the ISP
> goes down, its directly connected interface would no longer be in the
> routing table, it would also disappear from the iBGP advertisement - this
> would cause Router2 to start advertising the network to its eBGP peer
>
> It might sound a bit confusing... trying my best to not ramble on...
> I am open to suggestions and any holes in my theories/assumptions. One
> possibility is that if the ISP's upstream connection were to die.... but I
> do not know the probability of that happening...
There are two things wrong with this design.

First, relying on the interface status doesn't help you in terms of a
failure within ISP1 or a failure downstream of ISP1 to some other subset
of ISPs. Your networks won't show up on ISP2 unless your local link
itself has failed. This means that depending on the stability of ISP1
and its connections to the rest of the Internet, some networks will be
unreachable from time to time due to many factors unrelated to your
serial link.

Second, convergence will be slow. You won't even begin to announce your
networks until a failure is detected. You'll be unreachable for up to
several minutes as your advertisement ripples across the Internet. If
the link failure is intermittent, you'll flap like crazy on both of your
transit providers and likely wind up damped, in which case you may become
unreachable for a significantly long time, up to hours.

You're not taking full advantage of the benefit of being multi-homed
with BGP with this type of conditional advertisement.

You're far better off doing what Marko suggests. Use communities to
influence how your neighbors propagate your advertisements. You'll
probably want to send communities primarily to ISP2 to have them
de-preference you as opposed to trying to increase your visibility via
ISP1.

Here's a link that may be of value:
http://www.onesc.net/communities/

There's another trick that may be possible depending on the size of your
CIDR block, but I hesitate to recommend it as it isn't 100% reliable and
is considered unfriendly to the Internet as a whole. Communities are a
much better tool for this purpose.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
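
Added example, not part of the original thread: the two designs discussed above, written as alternative Cisco IOS configurations for Router2 (the router facing ISP2). Every AS number, address, prefix, route-map name and the community value 64511:80 is a constructed placeholder; the real de-preference community is whatever ISP2 publishes for its customers.

```cisco
! Constructed example for Router2. Placeholders (documentation ranges):
!   AS 64496 = your AS            AS 64511 = ISP2
!   198.51.100.1 = ISP2 eBGP peer 203.0.113.0/24 = your address block
!   192.0.2.0/30 = Router1's serial link to ISP1, learned via iBGP
ip bgp-community new-format
ip prefix-list OUR-NETS seq 5 permit 203.0.113.0/24
ip prefix-list R1-ISP1-LINK seq 5 permit 192.0.2.0/30
!
! ---- Alternative A: conditional advertisement (design in the quoted post) ----
! OUR-NETS is sent to ISP2 only while the /30 is ABSENT from the BGP table.
! The condition tracks Router1's local link only, so a failure inside or
! beyond ISP1 never triggers it, and nothing is announced through ISP2
! until after the link failure has been detected.
route-map ADVERTISE permit 10
 match ip address prefix-list OUR-NETS
route-map R1-LINK-PRESENT permit 10
 match ip address prefix-list R1-ISP1-LINK
!
router bgp 64496
 network 203.0.113.0 mask 255.255.255.0
 neighbor 198.51.100.1 remote-as 64511
 neighbor 198.51.100.1 advertise-map ADVERTISE non-exist-map R1-LINK-PRESENT
!
! ---- Alternative B: always announce, tag with a community (reply's advice) ----
! The block is announced to ISP2 at all times, so the backup path already
! exists when ISP1 or anything behind it fails. The community asks ISP2 to
! de-preference the route so that inbound traffic normally arrives via ISP1.
route-map TO-ISP2 permit 10
 match ip address prefix-list OUR-NETS
 set community 64511:80
!
router bgp 64496
 network 203.0.113.0 mask 255.255.255.0
 neighbor 198.51.100.1 remote-as 64511
 neighbor 198.51.100.1 send-community
 neighbor 198.51.100.1 route-map TO-ISP2 out
```

Apply one alternative or the other, not both. Without `send-community` on the neighbor, the community set in the route-map is never sent to ISP2.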