Hello,

I am trying to set up a configuration like this:
+---------+       +---------+
|  ISP1   |       |  ISP2   |   Cisco
| ROUTER  |       | ROUTER  |
| AS3215  |       | AS12670 |
+---------+       +---------+
     |                 |
     |                 |
+---------+       +---------+
|   BGP   |       |   BGP   |
| ROUTER  |       | ROUTER  |   OpenBSD 4.3
| AS47818 |       | AS45818 |
+---------+       +---------+
     |                 |
     |                 |
+-------------------------+
|   217.109.108.240/28    |
+-------------------------+
     |                 |
     |                 |
+--------+         +-------+
|   FW   |---------|  FW   |   OpenBSD 4.3
| MASTER | pfsync  | SLAVE |
+--------+         +-------+
     |                 |
     |                 |
+-------------------------+
|    PRIVATE NETWORKS     |
+-------------------------+
I'd like to load balance outgoing connections to the internet,
but I don't know how to configure OpenBGPD to do this.
I searched a lot on the Internet and I found a lot of information
on how to do this with Cisco, but I have never found an OpenBGP solution.
Some people speak about it but I have never seen it.

I made a test conf where failover works like a charm (using iBGP on the
FWs with 'set nexthop self' on the BGP routers), but when both connections
are active only one is used.

Would it be possible to help me please?
Is setting up iBGP sessions between the FWs and the BGP routers a good idea?
Should I rather use ...

You might want to read about http://www.openbsd.org/faq/faq6.html#Multipath,
although it's not a bgp solution. I think with the default configuration you
should have multipath capability. Check that no localpref is chosen, and check
your ISPs' prepend lengths.

Regards,
Mariusz Makowski
Hello,

So the solution would be to activate multipath on the FWs, and to use OSPF
between the BGP routers and my FWs (I've heard somewhere that OSPF can
announce multiple default routes, contrary to BGP) to ensure failover, if I
understand properly...

Nice idea, I'm trying to set that up on my test config.

--
Regards,
Pierre BARDOU

-----Original message-----
From: Mariusz Makowski [mailto:cnav@talamasca.pl]
Sent: Tuesday 7 October 2008 21:38
To: Frans Haarman
Cc: BARDOU Pierre; misc@openbsd.org
Subject: Re: OpenBGP load balancing between 2 ISP (multihoming)
Hello,

I set net.inet.ip.multipath to 1.
I configured OSPF on the BGP routers to 'redistribute default' to the FWs.

'ospfctl show rib' on the FWs shows that they have two default routes,
but 'ospfctl show fib' shows that only one is active.

Besides a 'dirty' solution with ifstated which inserts multipath routes
and withdraws them when one link/router fails, I am running out of ideas...

Does someone have one?

Thanks

--
Regards,
Pierre BARDOU

-----Original message-----
From: Mariusz Makowski [mailto:cnav@talamasca.pl]
Sent: Tuesday 7 October 2008 21:38
To: Frans Haarman
Cc: BARDOU Pierre; misc@openbsd.org
Subject: Re: OpenBGP load balancing between 2 ISP (multihoming)
ospf and bgp are designed to select the best possible route and add that to
the kernel routing table.... I think ;)

I still think you could run 2 CARPs on both BGP routers and load balance on
your firewalls. It means if one BGP router fails you will be load balancing
your connections to the same BGP router..
The problem is that if the ISP router fails, my corresponding BGP router is
still up and running, and so keeps the CARP master, which makes it a black
hole :(

--
Regards,
Pierre BARDOU

________________________________
From: Frans Haarman [mailto:franshaarman@gmail.com]
Sent: Wednesday 8 October 2008 10:56
To: BARDOU Pierre
Cc: misc@openbsd.org
Subject: Re: OpenBGP load balancing between 2 ISP (multihoming)
Hello,

I can load balance on the firewalls with pf, but the problem with that
solution is that there is no failover AFAIK. If I lose a link between an ISP
and me, half of the packets will be lost. And not losing packets is more
important to me than load balancing...

--
Regards,
Pierre BARDOU

________________________________
From: Frans Haarman [mailto:franshaarman@gmail.com]
Sent: Tuesday 7 October 2008 18:54
To: BARDOU Pierre
Cc: misc@openbsd.org
Subject: Re: OpenBGP load balancing between 2 ISP (multihoming)
If you want to use the fail-over capability of bgp, you can use prepend to
increase the length of one path. I have no experience with configuring
openbgpd but on juniper/cisco it seems to work great.

Regards,
Mariusz
Hello,

Failover already works with BGP on my test conf, the problem is that BGP
only selects ONE route to a destination, so there is no load balancing.

The easiest for me would be to tell BGP to keep TWO routes to each
destination, and use them in a round-robin way. That's what Cisco does with
BGP multipath:
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094431.shtml#bgpmpath

But AFAIK there is no way to set this up with openBGP. Am I right?

--
Regards,
Pierre BARDOU

-----Original message-----
From: cnav@talamasca.pl [mailto:cnav@talamasca.pl]
Sent: Wednesday 8 October 2008 09:05
To: BARDOU Pierre
Cc: Frans Haarman; misc@openbsd.org
Subject: Re: OpenBGP load balancing between 2 ISP (multihoming)
There is load balancing insofar as if you have two independent upstreams
you get two different views of the internet and you should be able to
split the 250k IPv4 routes into two sets that will result in equal use of
both links. This is the usual traffic engineering done on BGP with the
help of match filters that change the localpref based on communities, AS

This will not work as you expect. In your setup with two independent
upstreams only one upstream will be selected.
From the document:

  In order to be candidates for multipath, paths to the same destination
  need to have these characteristics equal to the best-path characteristics:

  * Weight
  * Local preference
  * AS-PATH length
  * Origin
  * MED
  * One of these:
    o Neighboring AS or sub-AS (before the addition of the eiBGP Multipath feature)
    o AS-PATH (after the addition of the eiBGP Multipath feature)
In your case neither the Neighboring AS nor the AS-PATH will be the same.
This is the main reason why I never spent time to allow multipath
selection in bgpd. It will only work in very few setups.
One way to do this is to have both client fw/routers running in their own
right, i.e. no carp failover. Each router peers with one of the ISP routers
via eBGP and then peers with its partner via iBGP. On each router use the
'weight' option to make each router believe its learned routes are the best.
Each router will now install its best route in the kernel routing table and,
believing it has the best route, will also redistribute its routes to the iBGP
partner. The result: each router will have two routes to any network in its
BGP table, one via its eBGP which it regards as 'best' and another with a
higher weight via its partner router.

It's also important to tune the BGP dead timers as low as you can so that if
a link is lost to an upstream the BGP session is cleared as soon as possible,
minimizing the amount of black holed traffic. Once the BGP session is down the
alternate route learned from the partner router will be used to replace the
failed route in the actual routing table.

To control which route is used for outbound traffic CARP can be set up on the
'internal' interfaces. Whichever router is the master will be used as the
egress point for the network. Padding the announcement to the secondary
provider could also help with controlling incoming traffic, although in my
experience the results are mixed.

Now I've never tried it on OpenBGP but on Cisco this works like a charm.

e.g.

    [ISP1]           [ISP2]
      |                |
     ebgp             ebgp
      |                |
    [PRIV1]---iBGP---[PRIV2]
      |                |
      M                S
      |                |
    ---------|---------

All traffic would flow out of PRIV1 / ISP1, if PRIV1 or ISP1 failed traffic
would flow out of PRIV2 / ISP2.
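The two design points raised in the last two messages, the multipath eligibility rules quoted from the Cisco document (why two independent upstreams never yield more than one candidate) and the "each router weights its own eBGP-learned route above the iBGP copy from its partner" failover scheme, worked through in a small Python model. This is an added example written for this thread, not code from bgpd, Cisco or any poster. It assumes Cisco-style attribute ordering (weight, localpref, AS-path length, origin, MED, eBGP before iBGP); the prefix 198.51.100.0/24, the nexthops, the destination AS 64500, the weights 200/100 and the use of the nexthop string as the final tie-breaker are all constructed for illustration. Only the upstream AS numbers 3215 and 12670 come from the diagram.

```python
"""Toy model of BGP best-path selection and the Cisco multipath
eligibility rules quoted in the thread.  Constructed example; it is not
bgpd's or Cisco's code, and every address, prefix and attribute value
below is made up for illustration."""
from dataclasses import dataclass
from typing import List, Optional

# Origin codes in order of preference (IGP best, incomplete worst).
ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass
class Path:
    prefix: str
    as_path: List[int]      # as_path[0] is the neighbouring (peer) AS
    nexthop: str
    learned_from: str       # "ebgp" or "ibgp"
    weight: int = 0         # local attribute, never sent to peers
    localpref: int = 100
    origin: str = "igp"
    med: int = 0

    @property
    def neighbor_as(self) -> Optional[int]:
        return self.as_path[0] if self.as_path else None


def sort_key(p: Path):
    """Order paths so that min() returns the best one: highest weight,
    highest localpref, shortest AS path, best origin, lowest MED, eBGP
    over iBGP.  The nexthop string is an assumed stand-in for the
    remaining tie-breakers (IGP cost, router-id) so the result is
    deterministic."""
    return (-p.weight, -p.localpref, len(p.as_path), ORIGIN_RANK[p.origin],
            p.med, 0 if p.learned_from == "ebgp" else 1, p.nexthop)


def best_path(paths: List[Path]) -> Optional[Path]:
    return min(paths, key=sort_key) if paths else None


def multipath_candidates(paths: List[Path], eibgp: bool = False) -> List[Path]:
    """Paths allowed to share load with the best path under the quoted
    rules: weight, localpref, AS-PATH length, origin and MED must equal
    the best path's, plus the same neighbouring AS (classic rule) or, with
    eiBGP multipath, the same full AS-PATH."""
    best = best_path(paths)
    if best is None:
        return []

    def ties_with_best(p: Path) -> bool:
        same_attrs = (p.weight == best.weight
                      and p.localpref == best.localpref
                      and len(p.as_path) == len(best.as_path)
                      and p.origin == best.origin
                      and p.med == best.med)
        same_nbr = (p.as_path == best.as_path if eibgp
                    else p.neighbor_as == best.neighbor_as)
        return same_attrs and same_nbr

    return [p for p in paths if ties_with_best(p)]


# Scenario 1, the thread's topology: one path through each upstream.  The
# upstream AS numbers come from the diagram; the destination AS 64500,
# the prefix and the nexthops are constructed.
VIA_ISP1 = Path("198.51.100.0/24", [3215, 64500], "192.0.2.1", "ebgp")
VIA_ISP2 = Path("198.51.100.0/24", [12670, 64500], "192.0.2.2", "ebgp")


def two_independent_upstreams(eibgp: bool = False) -> List[str]:
    """Nexthops eligible for multipath; only one survives because the
    neighbouring AS (and the AS-PATH) differ."""
    return [p.nexthop for p in multipath_candidates([VIA_ISP1, VIA_ISP2], eibgp)]


def two_sessions_same_upstream() -> List[str]:
    """Two parallel sessions to the same upstream do qualify."""
    a = Path("198.51.100.0/24", [3215, 64500], "192.0.2.1", "ebgp")
    b = Path("198.51.100.0/24", [3215, 64500], "192.0.2.9", "ebgp")
    return [p.nexthop for p in multipath_candidates([a, b])]


def priv1_egress(isp1_session_up: bool) -> str:
    """The 'weight' design: PRIV1 gives its own eBGP-learned route a higher
    weight (200, assumed) than the copy learned from PRIV2 over iBGP (100,
    assumed).  When the eBGP session to ISP1 drops, the iBGP copy is all
    that is left and takes over."""
    own = Path("198.51.100.0/24", [3215, 64500], "192.0.2.1", "ebgp", weight=200)
    partner = Path("198.51.100.0/24", [12670, 64500], "10.0.0.2", "ibgp", weight=100)
    rib = [own, partner] if isp1_session_up else [partner]
    return best_path(rib).nexthop


if __name__ == "__main__":
    print("two upstreams:", two_independent_upstreams())
    print("two upstreams (eiBGP):", two_independent_upstreams(True))
    print("same upstream:", two_sessions_same_upstream())
    print("PRIV1 egress up/down:", priv1_egress(True), priv1_egress(False))
```

Running it shows the point made in the thread: with one session to each of two different upstreams the candidate list never grows beyond the single best path, under either the neighbouring-AS or the full-AS-PATH rule, whereas two sessions to the same upstream would qualify. The failover half only covers the egress choice; the convergence delay the poster warns about (traffic black-holed until the dead eBGP session is torn down) is governed by the hold timer, which this model does not simulate.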
Hi,

First off, let's clear up two things:

OSPF is an igp protocol, you would use it to share routes between your own
routers, not a transit provider's. iBGP is again an igp, this time BGP will
automatically talk iBGP when talking to routers within the same AS. Your BGP
sessions will automatically talk eBGP to your transits.

Ok so let's look at the way it will need to work. BGP works by propagating
the routes you announce to your upstream 'transit' peers, via eBGP. In turn
these transit providers announce your routes to the larger internet. Remote
AS's will choose a path back to you based on several factors inc. AS path
length, local preference, weighting etc. You can control to some extent the
provider your inbound traffic arrives on by padding your announcement to one
provider over another; outbound traffic is much easier as you can use various
methods of setting local preferences based on inbound communities etc.

Now this is all great in theory, however to do this with two providers you
will need your OWN AS; this is necessary as the transit will simply filter out
any private AS's (65xxx). You will also need your own reasonably large IP
allocation. From your diagram I see you are using a /28, how did you come by
this? If this was given to you by a provider e.g. ISP1 they will already be
announcing this as part of a summarised route to their transits, as such they
probably won't let you re-announce their allocation to ISP2. Even if this IP
space has been allocated to you e.g. by ripe, many transit providers are now
filtering out smaller routes such as /24 routes, let alone /28, in an effort
to keep their routing tables to a minimum. See below, we're now at about 260k
routes! So in this case even if ISP1 & 2 re-transmit your routes their
upstreams will filter you out so you won't get connectivity.

Now I'm no BGP expert by any means so please forgive me if any of this is
wrong or misleading. Out of pure 'play' factor I do maintain a BGP peering ...
