BGP source based routing.

I have a number of ideas for this, but jsut curious how others would handle it.

Situation is that I have a fire wall (checkpoint) that is connected to two external routers, I should say the fire wall is a HA load-balanced pair for resilience but as it appears as a single device to the network for the purpose of this post I will image its a single device.

So my two external routers each pair with our ISP via BGP, and the standard advertising of our prefixs to them is achieved while they just pass a default route to us. All straight forward and it currently is set up as active / passive.

Now I would like to do some policy based routing out going, and incoming. So the incoming is simple, the ISP accept me setting priorities on prefexs simply by setting community values which they will honour, it is the out going I haven't decided on yet.

Ideally it would be the firewall that makes the forwarding choice, based on the source address. So if its in subnet A send it to Router A and traffic from subnet B goes out via Router B. I can think of plenty of ways to achieve this, but I don't know of any dynamic way to achieve this, ( the routers tell the firewall what source subnets should be forwarded to them). OR if I set the policies on he firewall when to fail over. Router A and B are sending a Default route to the firewall which have tags and different metrics (#default information originate), so ideal I would like to have a policy that says for traffic from subnet A, and there is a default route being received from Router A then use this as next hope, if there is no default route advertised from Router A use any route available.

So all i want to do is control the outgoing traffic, and insure that should the BGP pairing go down, this will be filtered down to insure routing fails over correctly.

Find more posts tagged with

Comments

networker050184

First I have to ask why you want something like this to happen? Seems more trouble than any kind of gain you'd get out of this.

DevilWAH

It's todo with how our ISP is structured.

The ISP has a data centre and a PoP to a sip provider, by chance one of our links goes in to this same location, while the other although it can reach the data centre goes via a round about route. Now I know that's no real reason to play around with load-balancing, but i would like our server and phone estate to talk directly via the direct link and the, rest of the user traffic to use the second link. we run an archiving service so it would be good to dedicate one link for this traffic out going and leave the other for day to day stuff

But in all honest, no reason to do it at all at the moment apart from the fun of doing it. incoming policing is so stright forward, but outgoing seems far harder to control.

networker050184

Not really a way to do this with BGP, but something like PBR would work. Or logical device separation (VRF lite, firewall context etc.) that has a fall back up route to the a global table at some point.

pevangel

Outgoing is not harder to control than incoming. The issue is that you want to make decisions based on the source address when routing is done using the destination address. If your servers are communicating with the datacenter at specific subnets, then ask your ISP to advertise those subnets to you along with the default route.

DevilWAH

pevangel wrote: »

Outgoing is not harder to control than incoming. The issue is that you want to make decisions based on the source address when routing is done using the destination address. If your servers are communicating with the datacenter at specific subnets, then ask your ISP to advertise those subnets to you along with the default route.

OK so lets say I advertise subnet A out of link 1 and B out of link 2 to the ISP. I then want (so to avoid asynchronous paths) for traffic from Subnet A to go out link 1 and subnet B to go out link 2.

I think Networker has the right idea, logical separate the network, Plus VRF if some thing I have only played with briefly so as this si really just a thought exercise I might as well give it a go

pevangel

You would probably want to advertise both A and B out of both links or you wouldn't have any redundancy.

What I was trying to say is if you have subnet A reaching out to a specific address at the datacenter, let's say 1.1.1.0/24, then why not ask your ISP to advertise that more specific route along with 0.0.0.0/0.

PBR or virtual routers will work, but that's adding complexity that you don't even need. The more complexity you add, the harder it will be to troubleshoot when something breaks.

DevilWAH

pevangel wrote: »

You would probably want to advertise both A and B out of both links or you wouldn't have any redundancy.

Well yes but if I want to control inbound traffic I am advertising them both out of both links but with different communities, (which the ISP then translates to local preferences) This way I can control incoming traffic but still have fail over.