Guillaume_Bilic
Explorer

eBGP peering & traffic balancing

Hi all,

We use an R77.30 cluster which is connected to internet through two core routers (configured with static routing and link tracking), using only one vlan, routers and fw vip are on the same subnet (we used to use HSRP initially). We have 2 equal cost static default gw configured toward these 2 routers, which so far is working without problem.

Our core network engineers are asking us to migrate this connection to eBGP, making one peering to each router, using 2 different vlans (so two different fw external interfaces). This way, it will be easier to manage our public subnets and it'll be possible to advertise them from different sites if needed.

I managed to get this working in a lab, using two quagga in place of the cisco core routers.

I ask myself the following questions:

  1. As I plan to advertise public subnets using "as path prepend" to balance bandwidth usage on the two Gbps links and possibly use the two default gateways on the firewall, will it be a problem to have connections possibly flowing through 2 different external interfaces (ingress interface different from egress interface)? Would CoreXL be a problem in this situation?
  2. What is the best way to define IPv4 NAT subnets for them to be redistributed in eBGP (as this is the only way in R77.30 to advertise networks)?

Thanks in advance,

Guillaume

9 Replies
Vladimir
Champion

Have to mention it here: R77.30 is no longer supported, so doing anything with it would automatically render possible TAC involvement null. Other than that, if you have more than one public range larger than /24, in my personal opinion, it is better to handle BGP on a router sandwich between you and ISPs.

You can balance between ISP links advertising single AS with prepends out of a single cluster interface (or bond), but it will be an uneven balancing based on proximity of the destination to one of the ISPs. I suppose you can expand it with second AS and connect it to the cluster using ISP redundancy with load sharing.

Inbound connection balancing or redundancy in this case will depend on the presence of the DNS server on the inside, that will be resolving your public hostnames to the IPs from the proper range, so not optimal.

Perhaps there are better ways to achieve what you are trying to accomplish. Let's see if someone else would chime in.

See this prehistoric diagram of how what I was talking about was once configured:

[Image: Very_old_routing_diagram.jpg]

Guillaume_Bilic
Explorer

Hi Vladimir,

Thank you for your help.

We only deal with 3 little /27 and one /58. I've already thought about adding 2 routers in front of the cluster, and I think I would probably be more comfortable with this configuration. I understand my configuration (using BGP on Check Point) will result in an uneven balancing, but that's not a big deal. My question is regarding the asymmetric flow (ingress <> egress interfaces): will it be a problem?

vinceneil666
Advisor

Hi,

You have an active-backup cluster?

Guillaume_Bilic
Explorer

Hello Vince,

Yes, it's an active-backup cluster (using ClusterXL).

vinceneil666
Advisor

I can't see that there is any real good way of doing load-balancing using BGP here; the best thing would be to utilize local-pref and as-prepend (working with the guys controlling the router), and have it as a redundant setup.

But you want to utilize both links, as a load-balancing setup? I guess you could get it working, but you would need 2 eBGP sessions from each of the nodes in the cluster. So with 2 routers and 2 nodes in the cluster, that totals 4 eBGP sessions.

But I might not understand what you want to do properly? 🙂
Guillaume_Bilic
Explorer

Are you sure about BGP sessions? I thought they were established only on the active node (when using ClusterXL), using the VIP, so resulting in 2 sessions.

I understand bandwidth usage will not be perfectly balanced that way. I know how to prioritize routing using as-prepend and getting some subnets preferably routed on one link (inbound). But what about outbound traffic, using the two default gateways as expected (with the same weight)? It will possibly result in asymmetric flows (I mean ingress fw interface different from egress fw interface). Would it be an issue?

vinceneil666
Advisor

Yeah, but you will need to have the BGP config on both nodes in the cluster of course. So yeah, you won't have 4 that are running at the same time, but if there is a failover the other node of course needs config too... and thus the router/routers on the other 'end' need to have all 4 configured.

With the one node in the cluster active, you want 2 eBGP sessions to two different routers, right? And you wanna 'load balance' these two links, right? I would recommend you don't do this, and rather just have one of them as primary and the other as secondary. Because, as you say, there will be asymmetric routing: it will probably work for a lot of stuff, and then give you issues with other stuff.

A drawing would be nice 🙂
Guillaume_Bilic
Explorer

[Image: massy_bgp.png]

I'm not sure if ECMP splitting is working with BGP, if not I plan to just use static default routes.

But once again, my point was just: is an asymmetric connection an issue for internal mechanisms or optimizations of the FW (SecureXL?)

And my secondary question 😉: what is the best way to define IPv4 NAT subnets to redistribute them in BGP (no Cisco-like 'network' command for BGP)? Alias of an existing interface? Fake static routes?

vinceneil666
Advisor

You could redistribute static/connected, and let's say you have 10.10.10.0/24 and 10.10.11.0/24: just add a Null0 (blackhole) route for 10.10.0.0/16.

set route-redistribution .....  (for redist of routes into BGP)

Regarding the Cisco version of "network":
I would also use route-maps and prefix lists (you set them inbound or outbound on the neighbours) to specify what gets received and distributed. It is pretty much the same syntax as on Cisco.

 

For the question about SecureXL, I don't know... I do not think so in this case. 🙂
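As an added example that was not posted in this thread, here is how the approach described in the reply above (blackhole aggregate, redistribute static, prefix-list filtering, prepend on one peer) fits together in FRR/quagga syntax, the router software the original poster used in the lab. Local AS 65001, the two peers, router-id and the 10.10.0.0/16 range are assumed values chosen for illustration; the Gaia clish commands for the same steps differ and are not shown here.

```text
! Assumed: we are AS 65001; link A peers with 192.0.2.1 (AS 65000),
! link B with 198.51.100.1 (AS 65010). 10.10.0.0/16 stands in for the
! public range, as in the reply above.
!
! Blackhole aggregate: the /16 now exists as a static route, so
! "redistribute static" can export it. The real /24s inside it are still
! forwarded normally because longest-prefix match beats the Null0 route.
ip route 10.10.0.0/16 Null0
!
! Only the aggregate may be announced. The route-maps below end with an
! implicit deny, so no other static, connected or internal prefix leaks.
ip prefix-list PUBLIC-AGG seq 5 permit 10.10.0.0/16
!
! Link A: announce the aggregate unchanged.
route-map TO-ISP-A permit 10
 match ip address prefix-list PUBLIC-AGG
!
! Link B: same prefix with two extra copies of our AS in the path, so
! most of the Internet prefers link A for inbound traffic to this range
! (uneven balancing, as noted earlier in the thread).
route-map TO-ISP-B permit 10
 match ip address prefix-list PUBLIC-AGG
 set as-path prepend 65001 65001
!
router bgp 65001
 bgp router-id 203.0.113.1
 neighbor 192.0.2.1 remote-as 65000
 neighbor 198.51.100.1 remote-as 65010
 !
 address-family ipv4 unicast
  redistribute static
  neighbor 192.0.2.1 route-map TO-ISP-A out
  neighbor 198.51.100.1 route-map TO-ISP-B out
 exit-address-family
```

After applying it, `show ip bgp neighbors 198.51.100.1 advertised-routes` should list only 10.10.0.0/16, with the prepended path; anything else appearing there means the outbound filter is not attached.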
