BGP Multihomed (Single Router)

Good Morning, (here at least)

We are pretty new to BGP. We have two upstream providers, I’ll just call them ISP1 and ISP2. We are receiving the full routing tables from both upstreams. We have 4 /22’s and 1 /24 from ARIN. We are advertising these prefixes to both upstreams. While turning up ISP2, literally after doing so we had a fiber cut on ISP1. Everything worked great and BGP did it’s job.

The goal is to be able to say prefix 1, 2 and 3 go out ISP1 and prefix 4 and 5 go out ISP2. When we do this we appear to be breaking DNS and I it’s because the way the traffic is going out and coming back in.

So right now I am testing our /24 because it has 2 customer’s behind it so far.

Here is how our filters are currently setup: (not using our actual IP’s here, just examples)
add chain=ISP1-out prefix=10.0.0.0/22 action=accept
add chain=ISP1-out prefix=10.100.0.0/22 action=accept
add chain=ISP1-out prefix=10.200.0.0/22 action=accept
add chain=ISP1-out prefix=10.300.0.0/22 action=accept
add chain=ISP1-out prefix=10.400.00/24 action=accept set-bgp-communities=6461:5060 set-bgp-prepend=3

add chain=ISP2-out prefix=10.0.0.0/22 action=accept set-bgp-prepend=3
add chain=ISP2-out prefix=10.100.0.0/22 action=accept set-bgp-prepend=3
add chain=ISP2-out prefix=10.200.0.0/22 action=accept set-bgp-prepend=3
add chain=ISP2-out prefix=10.300.0.0/22 action=accept set-bgp-prepend=3
add chain=ISP2-out prefix=10.400.00/24 action=accept

So on the /24, I am wanting that to go out ISP2 and back into ISP2. Coming in from the outside, that works. However, traffic from our router still wants to go out ISP1 for the /24. So I believe that is where my problem is coming into play. What am I missing here to make traffic from our router from the /24 to go out ISP2 and not ISP1?

Thanks all,

Prepending doesn’t work very well these days so i’d choose another strategy.

If your ISPs support communities and most large ISPs do, then you can set communities on your routes to either prioritize or deprioritize them via a specific peer. You can also split the prefixes up and advertise specific routes and an aggregate out each peer to influence the traffic.

Here is an example from a presentation I did on BGP Traffic engineering

When we do this we appear to be breaking DNS and I it’s because the way the traffic is going out and coming back in.

What do you mean with this?
With such a setup you will invariably have some asymmetric routing so you should not be doing any stateful firewalling that expects answers to come back via the path the queries went out.

I agree with pe1chi , if you’re using your border routers as a stateful firewall for traffic to customers and BGP full tables, you need to redesign the way you are doing things and break out security devices into a separate box - independent of the border router.

We do have separate firewalls independent of our core router. So it would appear as though we are going to have to redesign our border router rules.

Thanks all. More to come!

I would advise to not do any firewalling in the forward path of the border router except for things that you can do stateless and are always valid on both paths.
(like blocking packets with bogon source addresses or with destination pors you never want to allow)