Re: Load balancing incoming trafic with BGP
Hello,

Wow, I didn't think of that solution, but that's very simple and elegant, just the way I like :)
I tested it, it works very well.

Thank you very much for your advice.

--
Regards,
Pierre BARDOU

-----Original Message-----
From: Stuart Henderson [mailto:s...@spacehopper.org]
Sent: Tuesday 29 June 2010 14:47
To: misc@openbsd.org
Subject: Re: Load balancing incoming trafic with BGP

On 2010-06-29, BARDOU Pierre bardo...@mipih.fr wrote:
> Hello,
>
> I tried to follow your advice, and I set:
>
> network 1.1.1.0/24
> network 1.1.1.0/25 set prepend-self 5

hmm, I meant that you should announce the larger network (/24) from both sites, and the more-specific (/25) from each site. e.g. from the main site:

network 1.1.1.0/24
network 1.1.1.0/25

and from the backup site:

network 1.1.1.0/24
network 1.1.1.128/25

No need to mess about with prepends for this.

> The /25 appears on the RIB of router A, but not in ISP A router RIB. Why?
> My only filter rule is allow from any

Are you absolutely certain you have allow from any everywhere that you need it?

> A few details:
> * 1.1.1.0/24 is for testing purposes and used only in my (isolated) lab. I have a true /24, registered with RIPE.

It is still bad practice. What if someone were to use your registered /24 in their test network, and then accidentally announce it to the internet? Sometimes things which shouldn't happen do; the point of this is to avoid breaking other people's networks when things go wrong.

> * I have an MPLS VPN between my two sites, which uses different wires from Internet
> * I didn't know the issue about propagating a /25 to the internet. Thanks for the information, I'll have to think about that before setting this in production...

Yes, something like the allow from any inet prefixlen 8 - 24 in the sample bgpd.conf (i.e. don't allow longer prefixes) is pretty common practice in many networks.

> Many thanks for the help
>
> --
> Regards,
> Pierre BARDOU
>
> -----Original Message-----
> From: Stuart Henderson [mailto:s...@spacehopper.org]
> Sent: Saturday 26 June 2010 12:18
> To: misc@openbsd.org
> Subject: Re: Load balancing incoming trafic with BGP
>
> On 2010-06-25, BARDOU Pierre bardo...@mipih.fr wrote:
>> I have issues trying to set up this:
>>
>>     ISP A           ISP B
>>       |               |
>>    Router A        Router B
>>   Main site  ---  Backup site
>>   1.1.1.0/25     1.1.1.128/25
>
> I think you will have to rethink a bit. Even if your immediate upstreams accept it (which is unlikely without a special arrangement), there is no way that most of the internet will accept a /25 announcement. You would want to use at least a /23 for the whole net, so your site-specific announcements can be /24.
>
> You will also have to ensure connectivity between the two sites under normal conditions (if you don't have a direct link, then you could consider a tunnel between addresses from outside this network; either plain gif/gre and accept the restricted MTU, or you could use a gre+vether+bridge+pf setup which would let you run at the lowest MTU of the physical links between them).
>
>> I'd like that connections to the main site flow through ISP A, to the backup site flow through ISP B, with backup through the other ISP if one fails.
>>
>> So I set up openBGPd like this:
>>
>> Router A:
>> AS 65001
>> network 1.1.1.0/25
>> network 1.1.1.128/25 set prepend-self 5
>
> From one site you would want to announce x.x.x.0/25 and x.x.x.0/24
> From the other you want x.x.x.128/25 and x.x.x.0/24
> (or similar with /24 and /23 if you actually want it to work from the rest of the internet).
>
> Also: note that 1.0.0.0/8 is an allocated network. Please do not use addresses from this block even as a test network unless they are properly allocated to you (which being in Europe, they are not).
Re: Load balancing incoming trafic with BGP
Sorry, it's a typo. The real RIB:

On router A bgpctl sh rib:
Flags destination          gateway          lpref   med aspath origin
AI*   217.109.108.0/24     0.0.0.0            100     0 i
AI*   217.109.108.128/25   0.0.0.0            100     0 i

On ISP router A bgpctl sh rib:
Flags destination          gateway          lpref   med aspath origin
AI*   217.109.108.0/24     0.0.0.0            100     0 65001 i
AI*   217.109.108.128/25   0.0.0.0            100     0 65001 65001 65001 65001 65001 i

--
Regards,
Pierre BARDOU

-----Original Message-----
From: Stuart Henderson [mailto:s...@spacehopper.org]
Sent: Tuesday 29 June 2010 17:13
To: misc@openbsd.org
Subject: Re: Load balancing incoming trafic with BGP

On 2010-06-29, BARDOU Pierre bardo...@mipih.fr wrote:
> Hello,
>
> I did this on router A:
>
> network 217.109.108.0/24
> network 217.109.108.128/25
> neighbor...
> allow from any
> match to any prefix 217.109.108.128/25 set prepend-self 5
>
> On router A bgpctl sh rib:
> Flags destination          gateway          lpref   med aspath origin
> AI*   217.109.108.0/24     0.0.0.0            100     0 i
> AI*   217.109.108.128/24   0.0.0.0            100     0 i
>
> On ISP router A bgpctl sh rib:
> Flags destination          gateway          lpref   med aspath origin
> AI*   217.109.108.0/24     0.0.0.0            100     0 65001 i
> AI*   217.109.108.128/24   0.0.0.0            100     0 65001 65001 65001 65001 65001 i
>
> Everything is fine :)

Hmm, that's weird, the received routes are /24!
Re: Load balancing incoming trafic with BGP
Hello,

I tried to follow your advice, and I set:

network 1.1.1.0/24
network 1.1.1.0/25 set prepend-self 5

The /25 appears on the RIB of router A, but not in ISP A router RIB. Why?
My only filter rule is allow from any

A few details:
* 1.1.1.0/24 is for testing purposes and used only in my (isolated) lab. I have a true /24, registered with RIPE.
* I have an MPLS VPN between my two sites, which uses different wires from Internet
* I didn't know the issue about propagating a /25 to the internet. Thanks for the information, I'll have to think about that before setting this in production...

Many thanks for the help

--
Regards,
Pierre BARDOU

-----Original Message-----
From: Stuart Henderson [mailto:s...@spacehopper.org]
Sent: Saturday 26 June 2010 12:18
To: misc@openbsd.org
Subject: Re: Load balancing incoming trafic with BGP

On 2010-06-25, BARDOU Pierre bardo...@mipih.fr wrote:
> I have issues trying to set up this:
>
>     ISP A           ISP B
>       |               |
>    Router A        Router B
>   Main site  ---  Backup site
>   1.1.1.0/25     1.1.1.128/25

I think you will have to rethink a bit. Even if your immediate upstreams accept it (which is unlikely without a special arrangement), there is no way that most of the internet will accept a /25 announcement. You would want to use at least a /23 for the whole net, so your site-specific announcements can be /24.

You will also have to ensure connectivity between the two sites under normal conditions (if you don't have a direct link, then you could consider a tunnel between addresses from outside this network; either plain gif/gre and accept the restricted MTU, or you could use a gre+vether+bridge+pf setup which would let you run at the lowest MTU of the physical links between them).

> I'd like that connections to the main site flow through ISP A, to the backup site flow through ISP B, with backup through the other ISP if one fails.
>
> So I set up openBGPd like this:
>
> Router A:
> AS 65001
> network 1.1.1.0/25
> network 1.1.1.128/25 set prepend-self 5

From one site you would want to announce x.x.x.0/25 and x.x.x.0/24
From the other you want x.x.x.128/25 and x.x.x.0/24
(or similar with /24 and /23 if you actually want it to work from the rest of the internet).

Also: note that 1.0.0.0/8 is an allocated network. Please do not use addresses from this block even as a test network unless they are properly allocated to you (which being in Europe, they are not).
Re: Load balancing incoming trafic with BGP
Hello, Have you tried a filter based config for your prepends ?
Re: Load balancing incoming trafic with BGP
On 2010-06-29, BARDOU Pierre bardo...@mipih.fr wrote:
> Hello,
>
> I tried to follow your advice, and I set:
>
> network 1.1.1.0/24
> network 1.1.1.0/25 set prepend-self 5

hmm, I meant that you should announce the larger network (/24) from both sites, and the more-specific (/25) from each site. e.g. from the main site:

network 1.1.1.0/24
network 1.1.1.0/25

and from the backup site:

network 1.1.1.0/24
network 1.1.1.128/25

No need to mess about with prepends for this.

> The /25 appears on the RIB of router A, but not in ISP A router RIB. Why?
> My only filter rule is allow from any

Are you absolutely certain you have allow from any everywhere that you need it?

> A few details:
> * 1.1.1.0/24 is for testing purposes and used only in my (isolated) lab. I have a true /24, registered with RIPE.

It is still bad practice. What if someone were to use your registered /24 in their test network, and then accidentally announce it to the internet? Sometimes things which shouldn't happen do; the point of this is to avoid breaking other people's networks when things go wrong.

> * I have an MPLS VPN between my two sites, which uses different wires from Internet
> * I didn't know the issue about propagating a /25 to the internet. Thanks for the information, I'll have to think about that before setting this in production...

Yes, something like the allow from any inet prefixlen 8 - 24 in the sample bgpd.conf (i.e. don't allow longer prefixes) is pretty common practice in many networks.

> Many thanks for the help
>
> --
> Regards,
> Pierre BARDOU
>
> -----Original Message-----
> From: Stuart Henderson [mailto:s...@spacehopper.org]
> Sent: Saturday 26 June 2010 12:18
> To: misc@openbsd.org
> Subject: Re: Load balancing incoming trafic with BGP
>
> On 2010-06-25, BARDOU Pierre bardo...@mipih.fr wrote:
>> I have issues trying to set up this:
>>
>>     ISP A           ISP B
>>       |               |
>>    Router A        Router B
>>   Main site  ---  Backup site
>>   1.1.1.0/25     1.1.1.128/25
>
> I think you will have to rethink a bit. Even if your immediate upstreams accept it (which is unlikely without a special arrangement), there is no way that most of the internet will accept a /25 announcement. You would want to use at least a /23 for the whole net, so your site-specific announcements can be /24.
>
> You will also have to ensure connectivity between the two sites under normal conditions (if you don't have a direct link, then you could consider a tunnel between addresses from outside this network; either plain gif/gre and accept the restricted MTU, or you could use a gre+vether+bridge+pf setup which would let you run at the lowest MTU of the physical links between them).
>
>> I'd like that connections to the main site flow through ISP A, to the backup site flow through ISP B, with backup through the other ISP if one fails.
>>
>> So I set up openBGPd like this:
>>
>> Router A:
>> AS 65001
>> network 1.1.1.0/25
>> network 1.1.1.128/25 set prepend-self 5
>
> From one site you would want to announce x.x.x.0/25 and x.x.x.0/24
> From the other you want x.x.x.128/25 and x.x.x.0/24
> (or similar with /24 and /23 if you actually want it to work from the rest of the internet).
>
> Also: note that 1.0.0.0/8 is an allocated network. Please do not use addresses from this block even as a test network unless they are properly allocated to you (which being in Europe, they are not).
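
[Added example, not part of any poster's message.] The scheme described in the message above (covering prefix from both sites, one more-specific per site) and the prefixlen 8 - 24 filter it mentions, modelled as longest-prefix match in Python. The addresses (RFC 5737 documentation range), the function names and the single "remote network" view are assumptions made for this illustration.

```python
import ipaddress

# Constructed lab data (not from the thread): 203.0.113.0/24 is the RFC 5737
# documentation range, used in place of the poster's addresses. Both sites
# originate the covering /24; each site adds its own more-specific /25.
ANNOUNCEMENTS = {
    "ISP A": ["203.0.113.0/24", "203.0.113.0/25"],    # main site
    "ISP B": ["203.0.113.0/24", "203.0.113.128/25"],  # backup site
}

def accepted(prefix, min_len=8, max_len=24):
    """Model of the 'allow from any inet prefixlen 8 - 24' filter quoted above."""
    return min_len <= ipaddress.ip_network(prefix).prefixlen <= max_len

def build_rib(up, filtered, announcements=ANNOUNCEMENTS):
    """Routes a remote network holds: {prefix: [upstreams it was learned via]}."""
    rib = {}
    for upstream, prefixes in announcements.items():
        if upstream not in up:
            continue  # session down, its routes are withdrawn
        for prefix in prefixes:
            if filtered and not accepted(prefix):
                continue  # dropped by the prefix-length filter
            rib.setdefault(ipaddress.ip_network(prefix), []).append(upstream)
    return rib

def entry_points(rib, dst):
    """Longest-prefix match: upstreams behind the most specific covering route."""
    addr = ipaddress.ip_address(dst)
    covering = [net for net in rib if addr in net]
    if not covering:
        return []
    return sorted(rib[max(covering, key=lambda net: net.prefixlen)])

if __name__ == "__main__":
    main_host, backup_host = "203.0.113.10", "203.0.113.200"
    for up, filtered in [(("ISP A", "ISP B"), False),
                         (("ISP B",), False),
                         (("ISP A", "ISP B"), True)]:
        rib = build_rib(up, filtered)
        print(up, "filtered" if filtered else "unfiltered",
              entry_points(rib, main_host), entry_points(rib, backup_host))
```

Where both upstreams are returned, only the /24 survived the filter, so the remote network's ordinary BGP best-path selection picks the entry point and the per-site steering is lost.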
Re: Load balancing incoming trafic with BGP
Hello,

I did this on router A:

network 217.109.108.0/24
network 217.109.108.128/25
neighbor...
allow from any
match to any prefix 217.109.108.128/25 set prepend-self 5

On router A bgpctl sh rib:
Flags destination          gateway          lpref   med aspath origin
AI*   217.109.108.0/24     0.0.0.0            100     0 i
AI*   217.109.108.128/24   0.0.0.0            100     0 i

On ISP router A bgpctl sh rib:
Flags destination          gateway          lpref   med aspath origin
AI*   217.109.108.0/24     0.0.0.0            100     0 65001 i
AI*   217.109.108.128/24   0.0.0.0            100     0 65001 65001 65001 65001 65001 i

Everything is fine :)

Many, many thanks for your help.

--
Regards,
Pierre BARDOU

-----Original Message-----
From: rh...@hushmail.com [mailto:rh...@hushmail.com]
Sent: Tuesday 29 June 2010 13:30
To: misc@openbsd.org
Cc: BARDOU Pierre
Subject: Re: Load balancing incoming trafic with BGP

Hello,

Have you tried a filter based config for your prepends?
Re: Load balancing incoming trafic with BGP
On 2010-06-29, BARDOU Pierre bardo...@mipih.fr wrote:
> Hello,
>
> I did this on router A:
>
> network 217.109.108.0/24
> network 217.109.108.128/25
> neighbor...
> allow from any
> match to any prefix 217.109.108.128/25 set prepend-self 5
>
> On router A bgpctl sh rib:
> Flags destination          gateway          lpref   med aspath origin
> AI*   217.109.108.0/24     0.0.0.0            100     0 i
> AI*   217.109.108.128/24   0.0.0.0            100     0 i
>
> On ISP router A bgpctl sh rib:
> Flags destination          gateway          lpref   med aspath origin
> AI*   217.109.108.0/24     0.0.0.0            100     0 65001 i
> AI*   217.109.108.128/24   0.0.0.0            100     0 65001 65001 65001 65001 65001 i
>
> Everything is fine :)

Hmm, that's weird, the received routes are /24!
Re: Load balancing incoming trafic with BGP
On 2010-06-25, BARDOU Pierre bardo...@mipih.fr wrote:
> I have issues trying to set up this:
>
>     ISP A           ISP B
>       |               |
>    Router A        Router B
>   Main site  ---  Backup site
>   1.1.1.0/25     1.1.1.128/25

I think you will have to rethink a bit. Even if your immediate upstreams accept it (which is unlikely without a special arrangement), there is no way that most of the internet will accept a /25 announcement. You would want to use at least a /23 for the whole net, so your site-specific announcements can be /24.

You will also have to ensure connectivity between the two sites under normal conditions (if you don't have a direct link, then you could consider a tunnel between addresses from outside this network; either plain gif/gre and accept the restricted MTU, or you could use a gre+vether+bridge+pf setup which would let you run at the lowest MTU of the physical links between them).

> I'd like that connections to the main site flow through ISP A, to the backup site flow through ISP B, with backup through the other ISP if one fails.
>
> So I set up openBGPd like this:
>
> Router A:
> AS 65001
> network 1.1.1.0/25
> network 1.1.1.128/25 set prepend-self 5

From one site you would want to announce x.x.x.0/25 and x.x.x.0/24
From the other you want x.x.x.128/25 and x.x.x.0/24
(or similar with /24 and /23 if you actually want it to work from the rest of the internet).

Also: note that 1.0.0.0/8 is an allocated network. Please do not use addresses from this block even as a test network unless they are properly allocated to you (which being in Europe, they are not).
Load balancing incoming trafic with BGP
Hello,

I have issues trying to set up this:

    ISP A           ISP B
      |               |
   Router A        Router B
  Main site  ---  Backup site
  1.1.1.0/25     1.1.1.128/25

I'd like that connections to the main site flow through ISP A, to the backup site flow through ISP B, with backup through the other ISP if one fails.

So I set up openBGPd like this:

Router A:
AS 65001
network 1.1.1.0/25
network 1.1.1.128/25 set prepend-self 5
neighbor ISP A {
        remote-as 65002
}
neighbor router B {
        remote-as 65001
}
allow from any

Router B:
AS 65001
network 1.1.1.0/25
network 1.1.1.128/25 set prepend-self 5
neighbor ISP B {
        remote-as 65003
}
neighbor router A {
        remote-as 65001
}
allow from any

I'm still during the test phase, so to simulate ISPs routers I've put some other openBSD boxes. Their setup:

Router ISP A:
AS 65002
neighbor Router A {
        remote-as 65001
        announce default-route
}
allow from any

Router ISP B:
AS 65003
neighbor Router B {
        remote-as 65001
        announce default-route
}
allow from any

For now, I only have ISP A and router A set up.

My problem: the set prepend-self 5 on router A prevents the network 1.1.1.128/25 from appearing into router ISP A RIB. If I remove the option, everything is fine.

Bgpctl sh rib on router A:
Flags destination          gateway          lpref   med aspath origin
*     0.0.0.0/0            router ISP A       100     0 65002 i
AI*   1.1.1.0/25           0.0.0.0            100     0 i
AI*   1.1.1.128/25         0.0.0.0            100     0 65001 65001 65001 65001 65001 i

Bgpctl sh rib on router ISP A:
Flags destination          gateway          lpref   med aspath origin
*     1.1.1.0/25           router A           100     0 65001 i

Could someone tell me where is my mistake?

Thank you very much.

--
Regards,
Pierre BARDOU