In this post we will examine the use of BGP on the Cisco ASA to allow failover between two Ethernet-style connections from the same ISP. There is no reason it would not also work with PPPoE-style connections, but the same ISP must still be used. This requirement exists because the prefix we will be announcing is not part of either link's glue (point-to-point) subnet, so the provider on both links has to be the one that routes it.
The test lab setup, as it can be read off the configs below, is: the ASA sits in AS 65000 and has two outside interfaces, 11.11.11.2 towards R1 (11.11.11.1, router ID 1.1.1.1) and 10.10.10.2 towards R2 (10.10.10.1, router ID 2.2.2.2). R1 and R2 are the ISP's routers in AS 111 and run iBGP with each other between their loopbacks. The 11.11.11.x link will become the primary and the 10.10.10.x link the backup.
Stage 1 – Set up the routers
Our two routers will have mirror configs and both of them will advertise a default route to the ASA. This is a config extract from R1 (loopback 1.1.1.1, facing the ASA on 11.11.11.1); R2's is the same with 1.1.1.1 as its iBGP neighbour and 10.10.10.2 as the ASA neighbour…
router bgp 111
bgp log-neighbor-changes
neighbor 2.2.2.2 remote-as 111
neighbor 2.2.2.2 update-source Loopback0
neighbor 2.2.2.2 next-hop-self
neighbor 11.11.11.2 remote-as 65000
neighbor 11.11.11.2 default-originate
Pretty basic, but it will get us running. Note that I used IS-IS to share the loopback addresses between the two routers.
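As an added example (not config from the original post), here are the complete mirrored configs for both ISP routers that Stage 1 describes, including the IS-IS that carries the loopbacks and an inbound prefix filter on the customer session so each router only ever accepts the customer's /32. The addresses, AS numbers and BGP neighbour settings come from the post; the interface names, the R1-R2 link addressing (12.12.12.0/30), the IS-IS NETs and the maximum-prefix value are assumptions.

```cisco
! ===== R1 (loopback 1.1.1.1, ASA-facing address 11.11.11.1) =====
! Interface names, the 12.12.12.0/30 link and the IS-IS NET are assumed.
hostname R1
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet0/0
 description link to R2 (assumed addressing)
 ip address 12.12.12.1 255.255.255.252
 ip router isis
!
interface GigabitEthernet0/1
 description link to ASA (primary)
 ip address 11.11.11.1 255.255.255.0
!
router isis
 net 49.0001.0000.0000.0001.00
 is-type level-2-only
 passive-interface Loopback0
!
! Only accept the customer's own /32; the implicit deny drops anything else.
ip prefix-list CUST-IN seq 5 permit 99.99.99.99/32
!
router bgp 111
 bgp log-neighbor-changes
 neighbor 2.2.2.2 remote-as 111
 neighbor 2.2.2.2 update-source Loopback0
 neighbor 2.2.2.2 next-hop-self
 neighbor 11.11.11.2 remote-as 65000
 neighbor 11.11.11.2 default-originate
 neighbor 11.11.11.2 prefix-list CUST-IN in
 neighbor 11.11.11.2 maximum-prefix 10
!
! ===== R2 (loopback 2.2.2.2, ASA-facing address 10.10.10.1) =====
hostname R2
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface GigabitEthernet0/0
 description link to R1 (assumed addressing)
 ip address 12.12.12.2 255.255.255.252
 ip router isis
!
interface GigabitEthernet0/1
 description link to ASA (backup)
 ip address 10.10.10.1 255.255.255.0
!
router isis
 net 49.0001.0000.0000.0002.00
 is-type level-2-only
 passive-interface Loopback0
!
ip prefix-list CUST-IN seq 5 permit 99.99.99.99/32
!
router bgp 111
 bgp log-neighbor-changes
 neighbor 1.1.1.1 remote-as 111
 neighbor 1.1.1.1 update-source Loopback0
 neighbor 1.1.1.1 next-hop-self
 neighbor 10.10.10.2 remote-as 65000
 neighbor 10.10.10.2 default-originate
 neighbor 10.10.10.2 prefix-list CUST-IN in
 neighbor 10.10.10.2 maximum-prefix 10
```

`default-originate` sends the default to the ASA whether or not a default exists in the router's own table, and `next-hop-self` is what lets each router hand the customer prefix to the other over iBGP with a loopback next hop that IS-IS can resolve.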
Stage 2 – Onto the ASA
First thing is to choose our prefix for announcement. I’m using 99.99.99.99/32, but note that it is not attached to an interface at this point, so the BGP network statement would have nothing to match in the routing table. We can fix that with a static route to Null0:
route Null0 99.99.99.99 255.255.255.255
Now we can set up a prefix list so that only our own prefix is advertised and we do not become a transit provider (without it, the default route learned from one peer could be re-advertised to the other):
prefix-list MYIP seq 5 permit 99.99.99.99/32
Lastly the actual BGP config:
router bgp 65000
bgp log-neighbor-changes
address-family ipv4 unicast
neighbor 10.10.10.1 remote-as 111
neighbor 10.10.10.1 activate
neighbor 10.10.10.1 prefix-list MYIP out
neighbor 11.11.11.1 remote-as 111
neighbor 11.11.11.1 activate
neighbor 11.11.11.1 prefix-list MYIP out
network 99.99.99.99 mask 255.255.255.255
no auto-summary
no synchronization
exit-address-family
It’s a bit odd in the way it’s configured (the neighbour is defined and then separately activated under the address-family), but it works OK.
Stage 3 – Testing
The first test is the usual show ip bgp summary, which in ASA syntax is show bgp summary:
ciscoasa# show bgp summ
BGP router identifier 192.168.192.1, local AS number 65000
BGP table version is 13, main routing table version 13
2 network entries using 400 bytes of memory
3 path entries using 240 bytes of memory
2/2 BGP path/bestpath attribute entries using 416 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1080 total bytes of memory
BGP activity 14/12 prefixes, 57/54 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.10.10.1 4 111 8 6 13 0 0 00:01:35 1
11.11.11.1 4 111 8 6 13 0 0 00:01:35 1
Note we have one prefix received from each peer. This should be the default route, which we can verify:
ciscoasa# sh route bgp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 11.11.11.1 to network 0.0.0.0
B* 0.0.0.0 0.0.0.0 [20/0] via 11.11.11.1, 00:03:44
and for a bit more info…
ciscoasa# show bgp 0.0.0.0/0
BGP routing table entry for 0.0.0.0/0, version 2
Paths: (2 available, best #1, table default)
Not advertised to any peer
111
11.11.11.1 from 11.11.11.1 (1.1.1.1)
Origin IGP, localpref 100, valid, external, best
111
10.10.10.1 from 10.10.10.1 (2.2.2.2)
Origin IGP, localpref 100, valid, external
We should also check that we are announcing the 99.99.99.99/32 prefix to our peers:
ciscoasa# show bgp neighbors 10.10.10.1 advertised-routes
BGP table version is 13, local router ID is 192.168.192.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 99.99.99.99/32 0.0.0.0 0 32768 i
Total number of prefixes 1
Stage 4 – Tuning
The final part is to tune the setup to use a primary and a backup line. Currently nothing controls which link is used: both default routes arrive with identical attributes, so the BGP best-path tie-break falls through to the oldest path, i.e. whichever session came up first, and that can change every time a link flaps.
The first step is to ensure we send our traffic out of the primary connection. We will be using local preference; weight would also work, but weight is local to the box and never leaves it, whereas local preference is carried to iBGP peers, which matters once you have more than one router. This is done with a route-map applied inbound on the primary BGP neighbour, raising the local preference of the default route it sends us:
prefix-list DG seq 5 permit 0.0.0.0/0
route-map OUTMAP permit 10
match ip address prefix-list DG
set local-preference 200
router bgp 65000
bgp log-neighbor-changes
address-family ipv4 unicast
neighbor 11.11.11.1 remote-as 111
neighbor 11.11.11.1 activate
neighbor 11.11.11.1 prefix-list MYIP out
neighbor 11.11.11.1 route-map OUTMAP in
which we can verify is working with the following output:
ciscoasa# show bgp 0.0.0.0/0
BGP routing table entry for 0.0.0.0/0, version 17
Paths: (2 available, best #1, table default)
Not advertised to any peer
111
11.11.11.1 from 11.11.11.1 (1.1.1.1)
Origin IGP, localpref 200, valid, external, best
111
10.10.10.1 from 10.10.10.1 (2.2.2.2)
Origin IGP, localpref 100, valid, external
Next we need to ensure that return traffic reaches us via the same primary link. As we are using a single service provider we could use the MED; however, whether the MED is honoured depends entirely on the provider's configuration, so sometimes it is respected and sometimes it is not. The more reliable method is AS-path prepending on the backup link. We prepend our own AS number (never someone else's, since a router that sees its own AS in the path discards the route as a loop) so that the backup path looks longer. Bear in mind that the ISP can still override this with a local preference of its own, because local preference is compared before AS-path length. This is configured below:
prefix-list MYIP seq 5 permit 99.99.99.99/32
route-map BAKMAP permit 10
match ip address prefix-list MYIP
set as-path prepend 65000 65000
router bgp 65000
bgp log-neighbor-changes
address-family ipv4 unicast
neighbor 10.10.10.1 remote-as 111
neighbor 10.10.10.1 activate
neighbor 10.10.10.1 prefix-list MYIP out
neighbor 10.10.10.1 route-map BAKMAP out
This can be verified on the upstream router R2. It should now prefer the path learned over iBGP from R1 (AS path 65000) to the one it receives directly from the ASA (AS path 65000 65000 65000), because AS-path length is compared before the usual eBGP-over-iBGP preference:
R2#sh ip bgp
BGP table version is 43, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
t secondary path,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
0.0.0.0 0.0.0.0 0 i
*>i 99.99.99.99/32 1.1.1.1 0 100 0 65000 i
* 10.10.10.2 0 0 65000 65000 65000 i
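Putting the four stages together, here is the complete ASA configuration as an added example (assembled for this post, not the author's own listing), with the inbound filters and session hardening a practitioner would normally add: each neighbour is only allowed to send us a default route, prefix counts are capped, and the sessions are authenticated. The addresses, AS numbers and the prefix-list/route-map names come from the post; the interface names and masks, the maximum-prefix value and the MD5 password are assumptions.

```cisco
! Added example: full ASA config for the two-link setup. Interface names,
! link masks, the maximum-prefix value and the password are assumed.
interface GigabitEthernet1/1
 nameif outside1
 security-level 0
 ip address 11.11.11.2 255.255.255.0
!
interface GigabitEthernet1/2
 nameif outside2
 security-level 0
 ip address 10.10.10.2 255.255.255.0
!
! Our announced prefix is on no interface, so anchor it with a Null0 route;
! the network statement only injects a prefix that exists in the routing table.
route Null0 99.99.99.99 255.255.255.255
!
! Outbound filter: only ever announce our own /32 (never re-advertise a
! default route we learned from the other peer).
prefix-list MYIP seq 5 permit 99.99.99.99/32
! Inbound filter: only ever accept a default route; the implicit deny drops
! anything else the ISP might leak to us.
prefix-list DG seq 5 permit 0.0.0.0/0
!
! Outbound traffic: prefer the primary (11.11.11.1) by raising the local
! preference of the default route it sends us.
route-map OUTMAP permit 10
 match ip address prefix-list DG
 set local-preference 200
!
! Return traffic: make the backup (10.10.10.1) path look longer by prepending
! our own AS number twice; prepending a foreign ASN would trip loop detection.
route-map BAKMAP permit 10
 match ip address prefix-list MYIP
 set as-path prepend 65000 65000
!
router bgp 65000
 bgp log-neighbor-changes
 address-family ipv4 unicast
  neighbor 11.11.11.1 remote-as 111
  neighbor 11.11.11.1 password ExamplePSK1
  neighbor 11.11.11.1 activate
  neighbor 11.11.11.1 prefix-list MYIP out
  neighbor 11.11.11.1 prefix-list DG in
  neighbor 11.11.11.1 route-map OUTMAP in
  neighbor 11.11.11.1 maximum-prefix 10
  neighbor 10.10.10.1 remote-as 111
  neighbor 10.10.10.1 password ExamplePSK1
  neighbor 10.10.10.1 activate
  neighbor 10.10.10.1 prefix-list MYIP out
  neighbor 10.10.10.1 prefix-list DG in
  neighbor 10.10.10.1 route-map BAKMAP out
  neighbor 10.10.10.1 maximum-prefix 10
  network 99.99.99.99 mask 255.255.255.255
  no auto-summary
  no synchronization
 exit-address-family
```

The password must be configured identically on the ISP side or the sessions will not come up, and the prefix-list in and route-map in on the same neighbour are both evaluated, so the prefix-list keeps out anything that is not a default while the route-map adjusts the default that gets through. After a failover test, show bgp 0.0.0.0/0 on the ASA and show ip bgp on R2 are the two outputs to re-check.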