In this post we will examine the use of BGP in the Cisco ASA to allow failover between 2 ethernet style connections from the same ISP. There is no reason to doubt that this would not work with a PPPoE style connections but, the same ISP must still be sued. This requirement is because we will be announcing IP addresses which are not part of the glue subnets.
Stage 1 – Set up the routers
Our 2 routers will have mirror configs on them and both of them will advertise a default route to the ASA. This is a config extract…
router bgp 111 bgp log-neighbor-changes neighbor 2.2.2.2 remote-as 111 neighbor 2.2.2.2 update-source Loopback0 neighbor 2.2.2.2 next-hop-self neighbor 11.11.11.2 remote-as 65000 neighbor 11.11.11.2 default-originate
Pretty basic but it will get us running. Note I used IS-IS to share loopback info between the two routers.
Stage 2 – Onto the ASA
First thing is to choose our prefix for announcement. I’m using 99.99.99.99/32, but note that its not attached to an interface at this point. We can fix that by using Null0
route Null0 99.99.99.99 255.255.255.255
Now we can set up a prefix list to stop us becoming a transit provider!
prefix-list MYIP seq 5 permit 99.99.99.99/32
Lastly the actual BGP config:
router bgp 65000 bgp log-neighbor-changes address-family ipv4 unicast neighbor 10.10.10.1 remote-as 111 neighbor 10.10.10.1 activate neighbor 10.10.10.1 prefix-list MYIP out neighbor 11.11.11.1 remote-as 111 neighbor 11.11.11.1 activate neighbor 11.11.11.1 prefix-list MYIP out network 99.99.99.99 mask 255.255.255.255 no auto-summary no synchronization exit-address-family
Its a bit odd in the way its configured but it works ok.
Stage 3 – Testing
The first test is the show ip bap summary which in ASA language is:
ciscoasa# show bgp summ BGP router identifier 192.168.192.1, local AS number 65000 BGP table version is 13, main routing table version 13 2 network entries using 400 bytes of memory 3 path entries using 240 bytes of memory 2/2 BGP path/bestpath attribute entries using 416 bytes of memory 1 BGP AS-PATH entries using 24 bytes of memory 0 BGP route-map cache entries using 0 bytes of memory 0 BGP filter-list cache entries using 0 bytes of memory BGP using 1080 total bytes of memory BGP activity 14/12 prefixes, 57/54 paths, scan interval 60 secs Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd 10.10.10.1 4 111 8 6 13 0 0 00:01:35 1 11.11.11.1 4 111 8 6 13 0 0 00:01:35 1
Note we have 1 route received from each peer. This should be the default route, but we can test that:
ciscoasa# sh route bgp Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, + - replicated route Gateway of last resort is 11.11.11.1 to network 0.0.0.0 B* 0.0.0.0 0.0.0.0 [20/0] via 11.11.11.1, 00:03:44
and for a bit more info…
ciscoasa# show bgp 0.0.0.0/0 BGP routing table entry for 0.0.0.0/0, version 2 Paths: (2 available, best #1, table default) Not advertised to any peer 111 11.11.11.1 from 11.11.11.1 (1.1.1.1) Origin IGP, localpref 100, valid, external, best 111 10.10.10.1 from 10.10.10.1 (2.2.2.2) Origin IGP, localpref 100, valid, external
And we also should check that we are announcing the 99.99.99.99/32 prefix to our peers
ciscoasa# show bgp neighbors 10.10.10.1 advertised-routes BGP table version is 13, local router ID is 192.168.192.1 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path *> 99.99.99.99/32 0.0.0.0 0 32768 i Total number of prefixes 1
Stage 4 – Tuning
The final part is to tune the setup to use a primary and a backup line. Currently the two links are not controlled and the default route is based on the longest uptime!
The first stage is to ensure we send our traffic out of the primary connection. We will be using local preference, but there are other ways such as weight. This is done with a route-map attached to the bap neighbour.
prefix-list DG seq 5 permit 0.0.0.0/0 route-map OUTMAP permit 10 match ip address prefix-list DG set local-preference 200 router bgp 65000 bgp log-neighbor-changes address-family ipv4 unicast neighbor 11.11.11.1 remote-as 111 neighbor 11.11.11.1 activate neighbor 11.11.11.1 prefix-list MYIP out neighbor 11.11.11.1 route-map OUTMAP in
which we can verify is working with the following output:
ciscoasa# show bgp 0.0.0.0/0 BGP routing table entry for 0.0.0.0/0, version 17 Paths: (2 available, best #1, table default) Not advertised to any peer 111 11.11.11.1 from 11.11.11.1 (1.1.1.1) Origin IGP, localpref 200, valid, external, best 111 10.10.10.1 from 10.10.10.1 (2.2.2.2) Origin IGP, localpref 100, valid, external
Next we need to ensure the traffic is sent back to us via the same primary route. As we are using the same service provider we could use the MED, however, sometimes the MED is respected, other times its not. The more reliable method is the as prepend feature. this is configured below:
prefix-list MYIP seq 5 permit 99.99.99.99/32 route-map BAKMAP permit 10 match ip address prefix-list MYIP set as-path prepend 65000 65000 router bgp 65000 bgp log-neighbor-changes address-family ipv4 unicast neighbor 10.10.10.1 remote-as 111 neighbor 10.10.10.1 activate neighbor 10.10.10.1 prefix-list MYIP out neighbor 10.10.10.1 route-map BAKMAP out
this can be verified on the upstream router:
R2#sh ip bgp BGP table version is 43, local router ID is 2.2.2.2 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, x best-external, a additional-path, c RIB-compressed, t secondary path, Origin codes: i - IGP, e - EGP, ? - incomplete RPKI validation codes: V valid, I invalid, N Not found Network Next Hop Metric LocPrf Weight Path 0.0.0.0 0.0.0.0 0 i *>i 99.99.99.99/32 1.1.1.1 0 100 0 65000 i * 10.10.10.2 0 0 65000 65000 65000 i