Re: OpenBGP load balancing between 2 ISP (multihoming)

2008-10-08 Thread BARDOU Pierre
Hello,
 
I can load balance on the firewalls with pf, but the problem with that
solution is that there is no failover AFAIK.
If I lose a link between an ISP and me, half of the packets will be lost.

And not losing packets is more important to me than load balancing...

--
Regards,
Pierre BARDOU
 



From: Frans Haarman [mailto:[EMAIL PROTECTED]
Sent: Tuesday 7 October 2008 18:54
To: BARDOU Pierre
Cc: misc@openbsd.org
Subject: Re: OpenBGP load balancing between 2 ISP (multihoming)


2008/10/7 BARDOU Pierre [EMAIL PROTECTED]


Hello,

I am trying to set up a configuration like this:

+---------+   +---------+
|  ISP1   |   |  ISP2   | Cisco
| ROUTER  |   | ROUTER  |
| AS3215  |   | AS12670 |
+---------+   +---------+
     |             |
     |             |
+---------+   +---------+
|   BGP   |   |   BGP   |
| ROUTER  |   | ROUTER  | OpenBSD 4.3
| AS47818 |   | AS45818 |
+---------+   +---------+
     |             |
     |             |
+-----------------------+
|  217.109.108.240/28   |
+-----------------------+
     |             |
     |             |
+--------+--------+-------+
|   FW   |        |  FW   |   OpenBSD 4.3
| MASTER | pfsync | SLAVE |
+--------+--------+-------+
     |             |
     |             |
+-----------------------+
|   PRIVATE NETWORKS    |
+-----------------------+

I'd like to load balance outgoing connections to the internet,
but I don't know how to configure openBGPd to do this.
I searched a lot on the Internet and I found a lot of information
on how to do this with cisco, but I have never found an openBGP
solution.
Some people speak about it but I have never seen it.

I made a test conf where failover works like a charm (using iBGP on
the FW's with 'set nexthop self' on BGP routers), but when both
connections are active only one is used.

Would it be possible to help me please?
Is setting up iBGP sessions between FW's and BGP routers a good idea?
Should I rather use OSPF for this?
And in that case how to configure it to loadbalance/failover?

Many thanks

PS: loadbalancing incoming connections too would be very nice, but
I understood it was much more difficult.

--
Regards,
Pierre BARDOU




just wondering..

What happens when you load balance your
traffic on your firewalls? So you divide
the traffic over both bgp routers:

http://www.openbsd.org/faq/pf/pools.html

maybe you could even do the route-to 
on the bgp routers ?

something like:

route-to { ($ext_if $ext_ISP1), ($local_if $BGP2 ) } round-robin 
from $lan_net to any keep state 
#and on the other bgp router 
route-to { ($ext_if $ext_ISP2), ($local_if $BGP1 ) } round-robin 
from $lan_net to any keep state 

Beware: I have no idea if any of this is possible.
But that's what I'd try :)

Gr. FH



Re: OpenBGP load balancing between 2 ISP (multihoming)

2008-10-08 Thread BARDOU Pierre
Hello,

So the solution would be to activate multipath on FW's, and to use
ospf between BGP routers and my FW's (I've heard somewhere that
OSPF can announce multiple default routes, contrary to BGP)
to ensure failover, if I understand properly...

Nice idea, I'm trying to set that up on my test config.

--
Regards,
Pierre BARDOU

-----Original Message-----
From: Mariusz Makowski [mailto:[EMAIL PROTECTED]
Sent: Tuesday 7 October 2008 21:38
To: Frans Haarman
Cc: BARDOU Pierre; misc@openbsd.org
Subject: Re: OpenBGP load balancing between 2 ISP (multihoming)


You might want to read about http://www.openbsd.org/faq/faq6.html#Multipath,
although it's not a bgp solution.
I think with the default configuration you should have multipath capability.
Check that there is no localpref chosen, and check your ISP's prepend length.

Regards,
 Mariusz Makowski




Re: OpenBGP load balancing between 2 ISP (multihoming)

2008-10-08 Thread [EMAIL PROTECTED]


If you want to use fail-over capability of bgp, you can use prepend to 
increase length of one path. I have no experience with configuring 
openbgpd but on juniper/cisco it seems to work great.


Regards,
 Marusz



Re: OpenBGP load balancing between 2 ISP (multihoming)

2008-10-08 Thread BARDOU Pierre
 
Hello,

Failover already works with BGP on my test conf, the problem is that BGP
only selects ONE route to a destination, so there is no load balancing.

The easiest for me would be to tell BGP to keep TWO routes to each
destination, and use them in a round-robin way.

That's what Cisco does with BGP multipath
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094431.shtml#bgpmpath

But AFAIK there is no way to set this up with openBGP.

Am I right?

--
Regards,
Pierre BARDOU



Re: OpenBGP load balancing between 2 ISP (multihoming)

2008-10-08 Thread BARDOU Pierre
Hello,

I set net.inet.ip.multipath to 1.
I configured OSPF on the BGP routers to 'redistribute default' to FW's.

'ospfctl show rib' on FW's shows that they have two default routes,
but 'ospfctl show fib' shows that only one is active.

Besides a 'dirty' solution with ifstated which inserts multipath routes,
and withdraws them when one link/router fails, I am running out of ideas...

Does someone have one?

Thanks

--
Regards,
Pierre BARDOU



Re: OpenBGP load balancing between 2 ISP (multihoming)

2008-10-08 Thread Stuart Henderson
On 2008-10-08, BARDOU Pierre [EMAIL PROTECTED] wrote:
 This is a multi-part message in MIME format.

 --=_NextPart_000_00C3_01C92936.6DEF4560
 Content-Type: multipart/mixed;
   boundary==_NextPart_001_00C4_01C92936.6DEF4560


 --=_NextPart_001_00C4_01C92936.6DEF4560
 Content-Type: text/plain;
   charset=iso-8859-1
 Content-Transfer-Encoding: quoted-printable

Ugh, I thought the list server stripped these. Did something change?

 The problem is that if the ISP router fails, my corresponding BGP
 router is still up and running, and so keeps the CARP master,
 which makes him a black hole :(

I don't think I'd do it like this (either preferring OSPF running
on BGP speakers to distribute default routes, or iBGP to avoid
handing traffic to one router only to hand it straight to the other
one). But it can be done, look at demote.



Re: OpenBGP load balancing between 2 ISP (multihoming)

2008-10-08 Thread Stuart Henderson

Oh, in case it wasn't clear, you also need to write the bgpd.conf
parts to handle route selection. As Claudio says, just the standard
traffic engineering methods. Investigate localpref, prepend-neighbor,
weights, etc. There is no magic balance my traffic button.
See http://quigon.bsws.de/papers/epf2006/mgp00012.html.

As you hopefully know, balancing incoming traffic is a different
matter. Return packets do not automatically come in via the ISP
where you sent the associated outbound packets. For this, look
at prepends and whether your upstreams give you any finer
control over traffic-engineering via communities (for an
example of what some providers let you do, see e.g. whois
-r as3356, in the Communities accepted from customers section).

If you are learning this whole area, you have some reading to
do. Plenty of information is available online and in print.
Much of it is aimed at cisco users and you'll need to read
between the lines for any !cisco, but the basic information
and techniques are generally applicable.



Re: OpenBGP load balancing between 2 ISP (multihoming)

2008-10-08 Thread Claudio Jeker
On Wed, Oct 08, 2008 at 09:14:02AM +0200, BARDOU Pierre wrote:
  
 Hello,
 
 Failover already works with BGP on my test conf, the problem is that BGP 
 only selects ONE route to a destination, so there is no load balancing.
 

There is loadbalancing insofar as if you have two independent upstreams
you get two different views of the internet and you should be able to
split the 250k IPv4 routes into two sets that will result in equal use of
both links.  This is the usual traffic engineering done on BGP with the
help of match filters that change the localpref based on communities, AS
paths or whatever you like.

 The easiest for me would be to tell BGP to keep TWO routes to each
 Destination, and use them in a round-robin way.
 
 That's what Cisco does with BGP multipath
 http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094431.shtml#bgpmpath
 

This will not work as you expect. In your setup, with two independent
upstreams, only one upstream will be selected.

From the document:
In order to be candidates for multipath, paths to the same destination
need to have these characteristics equal to the best-path characteristics:
  * Weight
  * Local preference
  * AS-PATH length
  * Origin
  * MED
  * One of these:
      o Neighboring AS or sub-AS (before the addition of the eiBGP
        Multipath feature)
      o AS-PATH (after the addition of the eiBGP Multipath feature)

In your case neither the Neighboring AS nor the AS-PATH will be the same.
This is the main reason why I never spent time to allow multipath
selection in bgpd. It will only work in very few setups.

-- 
:wq Claudio
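
The candidate rules quoted in the message above, applied to this thread's two upstreams, as an added example that is not part of the original message and not OpenBGPD code. The `Path` model, the function names, the origin AS 64500 (a documentation AS number) and the second-link contrast case are assumptions made for illustration.

```python
"""Added example: apply the multipath-candidate rules quoted from the Cisco
document to the two-upstream setup in this thread (simplified model)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Path:
    """Only the BGP attributes that the quoted rules compare."""
    peer: str                  # label of the session the path was learned on
    as_path: Tuple[int, ...]   # leftmost AS is the neighbouring AS
    weight: int = 0
    local_pref: int = 100
    origin: str = "igp"
    med: int = 0

    @property
    def neighbor_as(self) -> Optional[int]:
        return self.as_path[0] if self.as_path else None


def multipath_mismatches(best: Path, other: Path, eibgp: bool = False) -> List[str]:
    """Attributes of `other` that differ from `best`.

    An empty list means `other` is a multipath candidate next to `best`.
    `eibgp=True` applies the later rule (whole AS-PATH must be equal)
    instead of the earlier one (neighbouring AS must be equal).
    """
    reasons = []
    if other.weight != best.weight:
        reasons.append("weight")
    if other.local_pref != best.local_pref:
        reasons.append("local preference")
    if len(other.as_path) != len(best.as_path):
        reasons.append("AS-PATH length")
    if other.origin != best.origin:
        reasons.append("origin")
    if other.med != best.med:
        reasons.append("MED")
    if eibgp:
        if other.as_path != best.as_path:
            reasons.append("AS-PATH")
    elif other.neighbor_as != best.neighbor_as:
        reasons.append("neighboring AS")
    return reasons


def multipath_peers(best: Path, others: List[Path], eibgp: bool = False) -> List[str]:
    """Peers whose paths could be installed alongside the best path."""
    return [best.peer] + [p.peer for p in others
                          if not multipath_mismatches(best, p, eibgp)]


# Constructed sample paths to one destination. AS3215 and AS12670 are the two
# upstreams from the diagram; AS64500 is a made-up origin AS.
VIA_ISP1 = Path(peer="ISP1", as_path=(3215, 64500))
VIA_ISP2 = Path(peer="ISP2", as_path=(12670, 64500))
# Hypothetical contrast case: a second link to the same upstream.
VIA_ISP1_LINK2 = Path(peer="ISP1-link2", as_path=(3215, 64500))

if __name__ == "__main__":
    # Same AS-PATH length, same everything else, but a different neighbour AS:
    # the path via ISP2 is not a candidate under either form of the rule.
    print("ISP2, old rule:  ", multipath_mismatches(VIA_ISP1, VIA_ISP2))
    print("ISP2, eiBGP rule:", multipath_mismatches(VIA_ISP1, VIA_ISP2, eibgp=True))
    # Two links to the same upstream are the kind of setup where it does apply.
    print("ISP1 second link:", multipath_mismatches(VIA_ISP1, VIA_ISP1_LINK2))
    print("usable together: ",
          multipath_peers(VIA_ISP1, [VIA_ISP2, VIA_ISP1_LINK2]))
```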



Re: OpenBGP load balancing between 2 ISP (multihoming)

2008-10-08 Thread Frans Haarman
ospf and bgp are designed to select the best possible route and
add that to the kernel routing table I think ;)

I still think you could run 2 CARPs on both BGP routers and
load balance on your firewalls. It means if one BGP router
fails you will be load balancing your connections to the
same BGP router..






Re: OpenBGP load balancing between 2 ISP (multihoming)

2008-10-08 Thread BARDOU Pierre
The problem is that if the ISP router fails, my corresponding BGP
router is still up and running, and so keeps the CARP master,
which makes it a black hole :(

--
Regards,
Pierre BARDOU
 



Re: OpenBGP load balancing between 2 ISP (multihoming)

2008-10-08 Thread Simon Slaytor

Hi,

First off let's clear up two things:

OSPF is an igp protocol, you would use it to share routes between your
own routers, not a transit provider's.
iBGP is again an igp, this time BGP will automatically talk iBGP when
talking to routers within the same AS. Your BGP sessions will
automatically talk eBGP to your transits.


Ok so let's look at the way it will need to work. BGP works by
propagating the routes you announce to your upstream 'transit' peers,
via eBGP. In turn these transit providers announce your routes to the
larger internet. Remote AS's will choose a path back to you based on
several factors inc. AS path length, local preference, weighting etc.


You can control to some extent the provider your inbound traffic arrives 
on by padding your announcement to one provider over another, outbound 
traffic is much easier as you can use various methods of setting local 
preferences based on inbound communities etc.


Now this is all great in theory however to do this with two providers 
you will need your OWN AS, this is necessary as the transit will simply 
filter out any private AS's (65xxx).


You will also need your own reasonably large IP allocation. From your
diagram I see you are using a /28, how did you come by this? If this was
given to you by a provider, e.g. ISP1, they will already be announcing
this as part of a summarised route to their transits, as such they
probably won't let you re-announce their allocation to ISP2. Even if
this IP space has been allocated to you, e.g. by RIPE, many transit
providers are now filtering out smaller routes such as /24 routes, let
alone /28, in an effort to keep their routing tables to a minimum. See
below, we're now at about 260k routes! So in this case even if ISP1 & 2
re-transmit your routes their upstreams will filter you out so you won't
get connectivity.


Now I'm no BGP expert by any means so please forgive me if any of this 
is wrong or misleading.


Out of pure 'play' factor I do maintain a BGP peering session with one
of my ISP's from an OpenBSD 4.3 box, I usually use Cisco so wanted to
play with OpenBGP.


# bgpctl sh sum
Neighbor                   AS    MsgRcvd    MsgSent  OutQ Up/Down  State/PrfRcvd
MT Peering              13122     183343       3245     0 2d06h03m 263451
#

I would suggest your best bet is to follow the good advice of others and 
look at the multi homed solutions suggested.


Hope that helps

Simon









Re: OpenBGP load balancing between 2 ISP (multihoming)

2008-10-08 Thread Simon Slaytor
One way to do this is to have both client fw/routers running in their 
own right, i.e. no carp failover.


Each router peers with one of the ISP routers via eBGP and then peers
with its partner via iBGP.


On each router use the 'weight' option to make each router believe its
learned routes are the best.


Each router will now install its best route in the kernel routing table
and, believing it has the best route, will also redistribute its routes
to the iBGP partner.


The result: each router will have two routes to any network in its BGP
table, one via its eBGP which it regards as 'best' and another with a
higher weight via its partner router.


It's also important to tune the BGP dead timers as low as you can so
that if a link is lost to an upstream, the BGP session is cleared as soon
as possible, minimizing the amount of black holed traffic. Once the BGP
session is down the alternate route learned from the partner router will
be used to replace the failed route in the actual routing table.


To control which route is used for outbound traffic CARP can be set up on
the 'internal' interfaces. Whichever router is the master will be used
as the egress point for the network. Padding the announcement to the
secondary provider could also help with controlling incoming traffic,
although in my experience the results are mixed.


Now I've never tried it on OpenBGP but on Cisco this works like a charm.

e.g.

[ISP1][ISP2]
 | |
ebgp  ebgp
 | |
[PRIV1]---iBGP---[PRIV2]
 | |
 M S
 | |
 -|-

All traffic would flow out of PRIV1 / ISP1, if PRIV1 or ISP1 failed 
traffic would flow out of PRIV2 / ISP2.






BARDOU Pierre wrote:
 
Hello,

Failover already works with BGP on my test conf, the problem is that BGP
only selects ONE route to a destination, so there is no load balancing.

The easiest for me would be to tell BGP to keep TWO routes to each
destination, and use them in a round-robin way.

That's what Cisco does with BGP multipath
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094431.shtml#bgpmpath

But AFAIK there is no way to set this up with openBGP.

Am I right ?

--
Regards,
Pierre BARDOU


Re: OpenBGP load balancing between 2 ISP (multihoming)

2008-10-08 Thread Stuart Henderson
On 2008-10-08, Simon Slaytor [EMAIL PROTECTED] wrote:

 It's also important to tune the BGP dead timers as low as you can

if you do this, do it with care, it's a double-edged sword.

sure you pick up a dead session sooner, but, it greatly increases
the chance of killing a session when your or more likely your peer's
routers are working ok, forwarding ok, but a bit busy to handle
control plane traffic in a timely fashion.

when that happens, dropping the session and forcing them to feed
you full table is about the last thing you want to do...
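
The trade-off described in this message, as an added example that is not part of the original post: a constructed model in which the peer sends a KEEPALIVE every hold/3 seconds (the ratio RFC 4271 suggests) and the session drops once nothing has arrived for a full hold time. The silent link failure at t=100, the 25-second control-plane stall and the hold values are assumptions chosen for illustration.

```python
# Constructed model of the BGP hold-timer trade-off; not OpenBGPD code.
# Assumption: the peer sends a KEEPALIVE every hold/3 seconds and the
# session is torn down once no message has arrived for `hold` seconds.

def keepalive_times(hold, end, outage):
    """Arrival times of the peer's KEEPALIVEs up to `end` seconds.

    outage=(start, stop) loses every keepalive sent in [start, stop).
    stop=None models a dead link; a finite stop models a peer that still
    forwards traffic but is too busy to service its control plane.
    """
    start, stop = outage
    arrivals = []
    for t in range(0, end + 1, hold // 3):
        lost = t >= start and (stop is None or t < stop)
        if not lost:
            arrivals.append(t)
    return arrivals

def session_drop_time(hold, arrivals, end):
    """First instant the hold timer expires, or None if it never does."""
    last = 0
    for t in arrivals:
        if t - last >= hold:
            return last + hold
        last = t
    return last + hold if end - last >= hold else None

def compare(holds, fail_at=100, stall=(100, 125), end=1000):
    """Per hold time: black-hole seconds after a real link failure, and
    whether a short control-plane stall alone kills a healthy session."""
    rows = {}
    for hold in holds:
        dead = keepalive_times(hold, end, (fail_at, None))
        busy = keepalive_times(hold, end, stall)
        rows[hold] = {
            "blackhole_s": session_drop_time(hold, dead, end) - fail_at,
            "false_drop": session_drop_time(hold, busy, end) is not None,
        }
    return rows

if __name__ == "__main__":
    for hold, row in compare([9, 30, 90, 180]).items():
        print(f"holdtime {hold:>3}s  black hole {row['blackhole_s']:>3}s  "
              f"dropped by 25s stall: {row['false_drop']}")
```

In this model the two short hold times cut the black-hole window to 8 and 20 seconds but also lose the healthy session during the stall, while the two long ones ride out the stall at the cost of 80 and 140 seconds of black-holed traffic.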



Re: OpenBGP load balancing between 2 ISP (multihoming)

2008-10-08 Thread Simon Slaytor

True, although in this scenario would soft reconfig not be an answer?

As each router has two copies of the full table, one via the eBGP peer
and another from the iBGP peer. If the eBGP peer dropped, all the iBGP
learned routes would remain and be used. When the eBGP peer came back up
soft reconfig would allow for a seamless move back to the preferred peer?

Ideally what is needed is BFD to detect the link failure between the
host and the external peer, that way the BGP timers could be set to
something more conservative. Also some means of reliable flap control
would be good to save restoring a session to an unreliable host.

Good point well taken though.


OpenBGP load balancing between 2 ISP (multihoming)

2008-10-07 Thread BARDOU Pierre
Hello,
 
I am trying to set up a configuration like this :

 +---------+   +---------+
 |  ISP1   |   |  ISP2   | Cisco
 | ROUTER  |   | ROUTER  |
 | AS3215  |   | AS12670 |
 +---------+   +---------+
      |             |
      |             |
 +---------+   +---------+
 |   BGP   |   |   BGP   |
 | ROUTER  |   | ROUTER  | OpenBSD 4.3
 | AS47818 |   | AS45818 |
 +---------+   +---------+
      |             |
      |             |
 +-----------------------+
 |  217.109.108.240/28   |
 +-----------------------+
      |             |
      |             |
 +--------+--------+-------+
 |   FW   |        |  FW   |   OpenBSD 4.3
 | MASTER | pfsync | SLAVE |
 +--------+--------+-------+
      |             |
      |             |
 +-----------------------+
 |   PRIVATE NETWORKS    |
 +-----------------------+

I'd like to load balance outgoing connections to the internet,
but I don't know how to configure openBGPd to do this.
I searched a lot on the Internet and I found a lot of information
on how to do this with cisco, but I have never found an openBGP solution.
Some people speak about it but I have never seen it.

I made a test conf where failover works like a charm (using iBGP on the
FW's with 'set nexthop self' on BGP routers), but when both connections
are active only one is used.

Would it be possible to help me please ?
Is setting up iBGP sessions between FW's and BGP routers a good idea ?
Should I rather use OSPF for this ?
And in that case how to configure it to loadbalance/failover ?

Many thanks

PS : loadbalancing incoming connections too would be very nice, but I
understood it was much more difficult.

--
Regards,
Pierre BARDOU

Re: OpenBGP load balancing between 2 ISP (multihoming)

2008-10-07 Thread Frans Haarman

just wondering..

What happens when you load balance your
traffic on your firewalls ? So you divide
the traffic over both bgp routers:

http://www.openbsd.org/faq/pf/pools.html

maybe you could even do the route-to
on the bgp routers ?

something like:

route-to { ($ext_if $ext_ISP1), ($local_if $BGP2 ) } round-robin
from $lan_net to any keep state
#and on the other bgp router
route-to { ($ext_if $ext_ISP2), ($local_if $BGP1 ) } round-robin
from $lan_net to any keep state

Beware: I have no idea if any of this is possible.
But that's what I'd try :)

Gr. FH



Re: OpenBGP load balancing between 2 ISP (multihoming)

2008-10-07 Thread Mariusz Makowski


You might want to read about http://www.openbsd.org/faq/faq6.html#Multipath,
although it's not a bgp solution.
I think with the default configuration you should have multipath capability. Check
if there is no localpref chosen, and check your ISP's prepend length.

Regards,
Mariusz Makowski