Cisco ASA BGP configuration

In this post we will examine the use of BGP on the Cisco ASA to allow failover between two Ethernet-style connections from the same ISP. There is no reason to think this would not also work with PPPoE-style connections, but the same ISP must still be used. This requirement exists because we will be announcing IP addresses which are not part of the glue subnets.

The test lab setup is:
[Figure: Cisco ASA BGP lab setup]

Stage 1 – Set up the routers
Our two routers will have mirrored configs, and both will advertise a default route to the ASA. This is a config extract…

router bgp 111
 bgp log-neighbor-changes
 neighbor 2.2.2.2 remote-as 111
 neighbor 2.2.2.2 update-source Loopback0
 neighbor 2.2.2.2 next-hop-self
 neighbor 11.11.11.2 remote-as 65000
 neighbor 11.11.11.2 default-originate

Pretty basic but it will get us running. Note I used IS-IS to share loopback info between the two routers.

Stage 2 – Onto the ASA
First thing is to choose our prefix for announcement. I'm using 99.99.99.99/32, but note that it's not attached to an interface at this point. We can fix that with a static route to Null0:

route Null0 99.99.99.99 255.255.255.255

Now we can set up a prefix list to stop us becoming a transit provider!

prefix-list MYIP seq 5 permit 99.99.99.99/32

Lastly the actual BGP config:

router bgp 65000
 bgp log-neighbor-changes
 address-family ipv4 unicast
  neighbor 10.10.10.1 remote-as 111
  neighbor 10.10.10.1 activate
  neighbor 10.10.10.1 prefix-list MYIP out
  neighbor 11.11.11.1 remote-as 111
  neighbor 11.11.11.1 activate
  neighbor 11.11.11.1 prefix-list MYIP out
  network 99.99.99.99 mask 255.255.255.255
  no auto-summary
  no synchronization
 exit-address-family

It's a bit odd in the way it's configured, but it works OK.

Stage 3 – Testing
The first test is the familiar show ip bgp summary, which in ASA language is:

ciscoasa# show bgp summ
BGP router identifier 192.168.192.1, local AS number 65000
BGP table version is 13, main routing table version 13
2 network entries using 400 bytes of memory
3 path entries using 240 bytes of memory
2/2 BGP path/bestpath attribute entries using 416 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1080 total bytes of memory
BGP activity 14/12 prefixes, 57/54 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.10.10.1      4          111 8       6             13    0    0 00:01:35  1       
11.11.11.1      4          111 8       6             13    0    0 00:01:35  1       

Note we have 1 route received from each peer. This should be the default route, but we can test that:

ciscoasa# sh route bgp 

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 11.11.11.1 to network 0.0.0.0

B*       0.0.0.0 0.0.0.0 [20/0] via 11.11.11.1, 00:03:44

and for a bit more info…

ciscoasa# show bgp 0.0.0.0/0
BGP routing table entry for 0.0.0.0/0, version 2
Paths: (2 available, best #1, table default)
  Not advertised to any peer
  111 
    11.11.11.1 from 11.11.11.1 (1.1.1.1)
      Origin IGP, localpref 100, valid, external, best
  111 
    10.10.10.1 from 10.10.10.1 (2.2.2.2)
      Origin IGP, localpref 100, valid, external

We should also check that we are announcing the 99.99.99.99/32 prefix to our peers:

ciscoasa# show bgp neighbors 10.10.10.1 advertised-routes 

BGP table version is 13, local router ID is 192.168.192.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop        Metric LocPrf Weight  Path
*> 99.99.99.99/32   0.0.0.0              0         32768  i

Total number of prefixes 1 
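A small health check for the summary output above, written for this post as an added example (not code from the original article): it parses the neighbor table from show bgp summ and reports any peer that is not Established or is not sending the expected single default route. The second sample, with 10.10.10.1 in the Active state, is constructed to show what a failed link looks like.

```python
import re
# Constructed sample: the neighbor table from the post's "show bgp summ" output.
SUMMARY_OK = """\
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.10.10.1      4          111 8       6             13    0    0 00:01:35  1
11.11.11.1      4          111 8       6             13    0    0 00:01:35  1
"""
# Constructed sample of the same table after the 10.10.10.1 link has failed:
# the State/PfxRcd column then carries a state name instead of a prefix count.
SUMMARY_DEGRADED = """\
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.10.10.1      4          111 8       6             13    0    0 never     Active
11.11.11.1      4          111 8       6             13    0    0 00:01:35  1
"""
# One neighbor row: peer, version, AS, five counters, uptime, then State/PfxRcd.
NEIGHBOR_RE = re.compile(
    r"^(?P<peer>\d+\.\d+\.\d+\.\d+)\s+\d+\s+(?P<asn>\d+)(?:\s+\d+){5}"
    r"\s+\S+\s+(?P<state>\S+)\s*$",
    re.MULTILINE,
)

def parse_summary(text):
    peers = {}
    for m in NEIGHBOR_RE.finditer(text):
        state = m.group("state")
        up = state.isdigit()  # a number here means Established, and is PfxRcd
        peers[m.group("peer")] = {
            "as": int(m.group("asn")),
            "state": "Established" if up else state,
            "prefixes": int(state) if up else None,
        }
    return peers

def check_peers(text, expected):
    """expected maps peer -> (remote AS, prefixes it should send); returns problems."""
    peers = parse_summary(text)
    problems = []
    for peer, (asn, pfx) in expected.items():
        info = peers.get(peer)
        if info is None:
            problems.append(f"{peer}: not in summary")
        elif info["state"] != "Established":
            problems.append(f"{peer}: session is {info['state']}")
        elif (info["as"], info["prefixes"]) != (asn, pfx):
            problems.append(f"{peer}: AS {info['as']}, {info['prefixes']} prefixes")
    return problems

# Both upstream peers in AS 111 should each be sending us exactly one prefix.
EXPECTED = {"10.10.10.1": (111, 1), "11.11.11.1": (111, 1)}
```

Feeding the live output of show bgp summ into check_peers from a monitoring job gives an early warning that the backup link is down before the primary ever fails.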

Stage 4 – Tuning
The final part is to tune the setup to use a primary and a backup line. Currently the two links are not controlled and the default route is based on the longest uptime!
The first stage is to ensure we send our traffic out of the primary connection. We will be using local preference, but there are other ways, such as weight. This is done with a route-map attached to the BGP neighbour.

prefix-list DG seq 5 permit 0.0.0.0/0
route-map OUTMAP permit 10
 match ip address prefix-list DG
 set local-preference 200

router bgp 65000
 bgp log-neighbor-changes
 address-family ipv4 unicast
  neighbor 11.11.11.1 remote-as 111
  neighbor 11.11.11.1 activate
  neighbor 11.11.11.1 prefix-list MYIP out
  neighbor 11.11.11.1 route-map OUTMAP in

which we can verify is working with the following output:

ciscoasa# show bgp 0.0.0.0/0
BGP routing table entry for 0.0.0.0/0, version 17
Paths: (2 available, best #1, table default)
  Not advertised to any peer
  111 
    11.11.11.1 from 11.11.11.1 (1.1.1.1)
      Origin IGP, localpref 200, valid, external, best
  111 
    10.10.10.1 from 10.10.10.1 (2.2.2.2)
      Origin IGP, localpref 100, valid, external

Next we need to ensure the traffic is sent back to us via the same primary route. As we are using the same service provider we could use the MED; however, sometimes the MED is respected and other times it's not. The more reliable method is the AS-path prepend feature. This is configured below:

prefix-list MYIP seq 5 permit 99.99.99.99/32
route-map BAKMAP permit 10
 match ip address prefix-list MYIP
 set as-path prepend 65000 65000

router bgp 65000
 bgp log-neighbor-changes
 address-family ipv4 unicast
  neighbor 10.10.10.1 remote-as 111
  neighbor 10.10.10.1 activate
  neighbor 10.10.10.1 prefix-list MYIP out
  neighbor 10.10.10.1 route-map BAKMAP out

This can be verified on the upstream router:

R2#sh ip bgp
BGP table version is 43, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
              t secondary path, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
      0.0.0.0          0.0.0.0                                0 i
 *>i  99.99.99.99/32   1.1.1.1                  0    100      0 65000 i
 *                     10.10.10.2               0             0 65000 65000 65000 i
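To tie Stages 3 and 4 together, here is an added example (not from the original post) that parses the path entries of show bgp 0.0.0.0/0 as shown above and applies the two decision-process steps this post tunes: local preference, then AS-path length (the step prepending manipulates). It shows why the untuned setup picks its default route only by path age, and confirms that after OUTMAP the primary wins on attributes alone. The sample text is copied from the post's own outputs; the function names are my own.

```python
import re
# Constructed samples: the path entries from the post's two "show bgp 0.0.0.0/0"
# outputs, before and after OUTMAP raised local preference on the primary peer.
BEFORE_TUNING = """\
  111
    11.11.11.1 from 11.11.11.1 (1.1.1.1)
      Origin IGP, localpref 100, valid, external, best
  111
    10.10.10.1 from 10.10.10.1 (2.2.2.2)
      Origin IGP, localpref 100, valid, external
"""
AFTER_TUNING = BEFORE_TUNING.replace("localpref 100, valid, external, best",
                                     "localpref 200, valid, external, best")

# One path: AS-path line, next-hop/peer line, then the attribute flags line.
PATH_RE = re.compile(
    r"^ {2}(?P<aspath>[\d ]*?) *\n"
    r" {4}(?P<nexthop>\S+) from \S+ \([\d.]+\)\n"
    r" {6}Origin \w+, localpref (?P<lp>\d+), (?P<flags>.*)$",
    re.MULTILINE,
)

def parse_paths(text):
    return [{"as_path": m.group("aspath").split(),
             "next_hop": m.group("nexthop"),
             "local_pref": int(m.group("lp")),
             "best": "best" in m.group("flags").split(", ")}
            for m in PATH_RE.finditer(text)]

def rank_key(p):
    # Higher local preference wins first; then the shorter AS path (prepending
    # lengthens the path the upstream sees, pushing that route down the list).
    return (-p["local_pref"], len(p["as_path"]))

def preferred(paths):
    """Path the attributes alone select, or None when they tie and the
    router falls back to the oldest path, which the output cannot tell us."""
    ranked = sorted(paths, key=rank_key)
    if len(ranked) > 1 and rank_key(ranked[0]) == rank_key(ranked[1]):
        return None
    return ranked[0]

def primary_is_deterministic(text, primary):
    """True when the path marked best uses `primary` and wins on attributes,
    so the choice survives a flap rather than sticking to the older session."""
    paths = parse_paths(text)
    best = [p for p in paths if p["best"]]
    return len(best) == 1 and best[0]["next_hop"] == primary \
        and preferred(paths) is best[0]
```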