odd BGP Problem

We have a router connected to 2 x tier1 provider routers over a single x-connect and we run BGP to them no problems. We have taken on a new client that wants their own dedicated cable and BGP session to the same 2 routers and a second x-connect is now in and 2 new BGP sessions are up to what are actually the same tier1 routers.

The client wants his address space routed over his cable to the tier1 provider unless that cable fails in which case the traffic should failover to our x-connect to the tier1 provider.

The question is how do I get the customers traffic to ONLY leave via his x-connect cable/BGP sessions while it is up but failover to ours if his fails. Also how do I get the inbound traffic to ONLY come down one set of BGP sessions (the clients) as opposed to our BGP sessions while his are up.

An ASCII diagram would look like

Our Router A x------------our x-connect------------------------x Tier1 Router A & B
    - This carries two BGP sessions on a small subnet which we use for clients to transit generally

Our Router A x------------client x-connect----------------------x Tier1 Router A & B
    - This should only carry the client subnet in and out while up, otherwise fail over to our cable and BGP sessions

Both cables carry 2 BGP peering sessions receiving full routing tables with both Tier1 Router A and B, so in total we now have 4 full routing tables from the same Tier1 provider on Our Router A.

Hope this makes sense. Thanks Gary

Reply to
Gary

This should happen automatically. The routes through your x-connect should have your ASN in the AS path, which will make it longer than the routes directly to the tier1 providers.

Reply to
Barry Margolin

Well, having the customer with a separate x-connect and BGP sessions directly to the transit providers should automatically give a shorter AS path from customer to provider. But the customer can set a higher local-pref on the routes received from those two neighbors and a lower local-pref on the prefixes received from you.

Now, controlling inbound traffic is a bit trickier. You can try AS-PREPEND (even though technically it should route automatically to his direct connection), but that's beyond your control, as the providers can set LOCAL-PREF on their side and there goes that idea. So what you can really do is:

1) BGP conditional advertisement (where you track a certain prefix) maybe a loopback on the customer routers (2 in this case) and only advertise the customers prefixes to the providers through your link if and only if both loopbacks go down. That way the provider will really only see the customers prefixes through their link unless it goes down, then you start advertising The customers prefixes through your connection.

cya

Reply to
Yandy Ramirez

Maybe I explained this badly. We have 6 full BGP peering sessions to the same Tier1 provider to different routers. We announce a /19 on all sessions and all works well. Now we want a particular /24 within that /19 to only come down 2 of the BGP peering sessions. Should these 2 fail for any reason (cable break), we want the /24 to come in on any of the remaining 4 BGP sessions.

Hope that clarifies? Gary

Reply to
Gary

That makes it a lot easier. Is the /24 connected on one of the interfaces on the two routers you want? Or is it being subnetted below that point?

1) If it is connected to an interface (like an ethernet interface on both routers) then on both routers you can do something like.

    ip prefix-list CONN-TO-BGP permit x.x.x.x/24
    !
    route-map CONN-TO-BGP permit 150
     match ip address prefix-list CONN-TO-BGP
     set origin igp
     set community "your community values here"
    !
    router bgp xxxx
     redistribute connected route-map CONN-TO-BGP
    !

Now, since your /19 and /24 are separate networks, closest match always wins; since you're only advertising the /24 from two routers, that will always be the path. And if that goes down you stop advertising the /24 but still have the /19 from the other sessions.

Now, if the /24 is not directly connected but subnetted below that, then the config is pretty much the same, except change it around for redistributing static to BGP and have a static route....

    ip route x.x.x.x 255.255.255.0 "next-hop-here"

And that's it. If you don't know how to redistribute statics let me know; it's pretty much the same except for the redistribution command.

Hope that helps.

Reply to
Yandy Ramirez

One more thing: just make sure your transit provider opens up its filter and allows that /24 through. Should not be a big concern for them to do so.

Reply to
Yandy Ramirez

Thanks. I will test that. I did try MEDs and that seems to have worked. When we check the advertised routes on the upstream provider, the /24 has a metric of zero for the preferred BGP session and all other sessions on the upstream are 50, which is the MED we applied, and inbound routing looks good. It does come through the correct upstream router AND BGP session to us.

Is your method superior - Why?

Also, how do I ensure that the locally connected /24 (a Cisco ASA5500 will ARP the whole /24) only routes out through the same BGP session? 99.99% of traffic will be inbound and I assume will depart the way it came, but what about sessions initiated inside the firewall within the /24? I need to force that traffic to only go out one of the BGP sessions, but fail over should that BGP session fail.

Thanks Gary

Reply to
Gary

One method is not really superior over the other. First I will say (the network command under BGP is for wusses.. lol j/k). The only reason that advertising a /24 out of the 2 sessions you want, and advertising only a /19 out of all of them (including the 2 that advertise the /24), is considered best practice is that you cannot count on your providers trusting your MED values; maybe someone complains and they set their local-pref higher on one of the other 4 sessions, and oops, there goes your MED.

MED is useful in certain situations but my recommendation stays as it was.

With both /24 and /19 you have full routing and high availability should something fail.

Now, as far as the ARP goes, as long as your internal routing is properly configured, the incoming traffic should not affect your firewall ARPing for the correct subnet (the Internet is hardly symmetrical to begin with).

Hope that helps.

Reply to
Yandy Ramirez
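As an added illustration of the points made in this thread (it is not code from any poster), the following Python model shows three things at once: Barry's AS-path argument (a route relayed through the host's AS is one hop longer, so the direct session wins), Yandy's longest-match point (a /24 announced on only two sessions beats the /19 announced on all six, and the /19 takes over when the /24 is withdrawn), and why MED is fragile (the provider's own LOCAL_PREF is evaluated before MED, so a provider-side change silently overrides it). The decision process is reduced to LOCAL_PREF, AS_PATH length and MED; the ASNs (64496, 64500), session names and the 198.18.0.0/19 and 198.18.5.0/24 prefixes are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Path:
    """One BGP path for a prefix as seen by the receiving router."""
    session: str            # eBGP session the path was learned on
    as_path: tuple          # AS_PATH attribute as received
    local_pref: int = 100   # set by the RECEIVER (the provider); the advertiser has no say
    med: int = 0            # sent by the advertiser; only a hint the receiver may ignore


def best_path(paths):
    """Simplified BGP decision process: highest LOCAL_PREF, then shortest
    AS_PATH, then lowest MED. Ties keep the first path seen."""
    return min(paths, key=lambda p: (-p.local_pref, len(p.as_path), p.med))


class Rib:
    """Per-prefix path table with longest-prefix-match lookup."""

    def __init__(self):
        self.routes = {}  # ip_network -> list[Path]

    def advertise(self, prefix, path):
        self.routes.setdefault(ipaddress.ip_network(prefix), []).append(path)

    def withdraw(self, prefix, session):
        net = ipaddress.ip_network(prefix)
        remaining = [p for p in self.routes.get(net, []) if p.session != session]
        if remaining:
            self.routes[net] = remaining
        else:
            self.routes.pop(net, None)

    def lookup(self, addr):
        """Longest prefix match first, then best path among that prefix's paths."""
        ip = ipaddress.ip_address(addr)
        matches = [n for n in self.routes if ip in n]
        if not matches:
            return None
        longest = max(matches, key=lambda n: n.prefixlen)
        return longest, best_path(self.routes[longest])


# Constructed scenario from the tier-1 provider's point of view: the /19 arrives on all six
# sessions, the /24 only on sess5 and sess6 (the client's dedicated x-connect).
# AS 64500 is an assumed customer ASN; both prefixes are assumed values.
CUSTOMER_AS = (64500,)
ALL_SESSIONS = ("sess1", "sess2", "sess3", "sess4", "sess5", "sess6")
CLIENT_SESSIONS = ("sess5", "sess6")


def provider_rib():
    rib = Rib()
    for s in ALL_SESSIONS:
        rib.advertise("198.18.0.0/19", Path(s, CUSTOMER_AS))
    for s in CLIENT_SESSIONS:
        rib.advertise("198.18.5.0/24", Path(s, CUSTOMER_AS))
    return rib


def inbound_session(rib, dst):
    """Prefix and session the provider uses to reach dst, i.e. the inbound path."""
    prefix, path = rib.lookup(dst)
    return str(prefix), path.session


def as_path_example():
    """A route relayed through the host's AS (assumed ASN 64496) is one hop longer
    than the direct one, so the direct session wins on AS_PATH length."""
    direct = Path("client-xconnect", (64500,))
    via_host = Path("host-xconnect", (64496, 64500))
    return best_path([via_host, direct]).session


def med_example():
    """The MED approach: /24 advertised everywhere, MED 0 on the preferred session and
    MED 50 elsewhere. It holds until the provider raises LOCAL_PREF on another session."""
    preferred = Path("sess5", CUSTOMER_AS, med=0)
    other = Path("sess1", CUSTOMER_AS, med=50)
    before = best_path([other, preferred]).session
    other.local_pref = 200   # provider-side change; nothing the advertiser sends overrides it
    after = best_path([other, preferred]).session
    return before, after


if __name__ == "__main__":
    rib = provider_rib()
    print(inbound_session(rib, "198.18.5.10"))   # /24 via sess5 while the client link is up
    for s in CLIENT_SESSIONS:                     # client x-connect fails: /24 withdrawn
        rib.withdraw("198.18.5.0/24", s)
    print(inbound_session(rib, "198.18.5.10"))   # falls back to the /19 via sess1
    print(as_path_example(), med_example())
```

Running it shows the /24 being used while either client session carries it, the /19 taking over once both are withdrawn, and `med_example()` flipping from the preferred session to the other one as soon as the provider touches LOCAL_PREF, which is the failure mode Yandy describes. A real router also compares MED only between paths from the same neighbouring AS, which holds here because every path comes from the customer AS.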

I have confused this again. Only the /24 should use this dedicated peering to the upstream. That includes inbound and outbound traffic. I think now all sessions initiated externally will come down the right connection so it can be easily metered and charged, but what about outbound connections from the /24? How do I force them to ONLY use a particular peering while it is up?

It is almost like I want to VLAN them to a BGP session. Gary

Reply to
Gary

Simple,

Policy-based routing. Set ip next-hop. This is done in conjunction with standard or extended ACLs and route-maps.

Sample.

    access-list 3 permit 200.1.1.0 0.0.0.255
    !
    route-map POLICY-ROUTE permit 100
     match ip address 3
     set ip next-hop 200.1.2.2
    !
    interface f0/0
     description outside
     ip address 200.1.2.1 255.255.255.0
    !
    interface f0/1
     description inside
     ip address 200.1.1.1 255.255.255.0
     ip policy route-map POLICY-ROUTE
    !

Reply to
Yandy Ramirez
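To show what the policy route above does per packet, and the two details a practitioner would want that the sample config does not cover, here is an added Python model (not code from the post). It applies the same logic: packets entering the inside interface whose source matches the client /24 are sent to next-hop 200.1.2.2, everything else follows the normal routing table. It adds a reachability check on the policy next-hop, which models next-hop tracking so that a dead client x-connect falls back to normal routing instead of blackholing the /24, and it uses an extended-ACL style entry with a deny for other internal networks, because a source-only ACL would otherwise push internal-to-internal traffic out to the upstream as well. The fallback next-hop 200.1.2.3, the internal network 10.20.0.0/16 and the destination addresses are constructed for the example.

```python
import ipaddress

# Constructed values mirroring the post's sample config: the policy next-hop 200.1.2.2 is
# the tier-1 peer on the client's dedicated x-connect. 200.1.2.3 (fallback upstream) and
# 10.20.0.0/16 (another internal network) are assumptions added for this example.
POLICY_NEXT_HOP = "200.1.2.2"

# Extended-ACL style entries: (action, source, destination), first match wins, implicit deny.
# The deny line keeps traffic to other internal networks on normal routing.
POLICY_ACL = [
    ("deny", "200.1.1.0/24", "10.20.0.0/16"),
    ("permit", "200.1.1.0/24", "0.0.0.0/0"),
]

# Normal forwarding table (what the router uses without PBR); longest prefix wins.
FIB = {
    "0.0.0.0/0": "200.1.2.3",      # default via the other upstream session(s), assumed
    "200.1.1.0/24": "connected",   # the client subnet on the inside interface
    "10.20.0.0/16": "10.0.0.1",    # assumed internal next-hop
}


def fib_lookup(dst):
    """Longest-prefix match against the normal routing table."""
    ip = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(n) for n in FIB]
    best = max((n for n in nets if ip in n), key=lambda n: n.prefixlen)
    return FIB[str(best)]


def acl_action(src, dst):
    """Return 'permit', 'deny', or None when no entry matches (implicit deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in POLICY_ACL:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return None


def forward(src, dst, reachable_next_hops):
    """Next hop for one packet entering the inside interface.

    The packet is policy-routed only when the ACL permits it AND the policy next-hop is
    currently reachable; otherwise it takes the normal route. The reachability set models
    next-hop tracking; without it a dead upstream link would blackhole the client's traffic."""
    if acl_action(src, dst) == "permit" and POLICY_NEXT_HOP in reachable_next_hops:
        return POLICY_NEXT_HOP
    return fib_lookup(dst)


def simulate(packets, reachable_next_hops):
    """Return [(src, dst, next_hop)] for a batch of (src, dst) packets."""
    return [(s, d, forward(s, d, reachable_next_hops)) for s, d in packets]


if __name__ == "__main__":
    sample = [("200.1.1.10", "198.51.100.7"),   # client host to the Internet
              ("200.1.1.10", "10.20.3.4"),      # client host to another internal network
              ("10.20.3.4", "198.51.100.7")]    # non-client host to the Internet
    for row in simulate(sample, {"200.1.2.2"}):
        print("client link up  ", row)
    for row in simulate(sample, set()):
        print("client link down", row)
```

With the client link up, only the client host's Internet-bound packet goes to 200.1.2.2; its packet to the other internal network and the non-client host's packet stay on the normal routes. With the link down, the client host falls back to the default route, which is the failover Gary asked for. On IOS the reachability part corresponds to adding `verify-availability` to the `set ip next-hop` line, which the sample config does not include; without it the policy keeps pointing at the dead next-hop.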

Thanks. Would it simply be the same as setting the default gateway of the firewall protecting the /24 to the upstream's BGP session and a lower-priority default gateway to the standby routers?

Maybe I made this too complex. Would this do the same as the policy-based routing and leave less for the router to do?

Gary

Reply to
Gary

If your firewall lets you do that, then yes! That's simpler.

cya

Reply to
Yandy Ramirez

I guess I understood you wrong, I thought you wanted to route traffic to that one specific session from a /24 not to a /24.

Reply to
Yandy Ramirez

I want inbound traffic to one /24 to only come down one BGP session, and MEDs seem to do that; plus I want traffic outbound from the /24 to use the same BGP session. Almost like a /24 on a stick with the upstream.

Thx Gary

Reply to
Gary
