Dual Homing / BGP default route only / Load Sharing Setup

Dear All, I hope you can shed some light on this matter.

Up until now, we have had an ISP providing us transit and some public IPs. Early this month we received our own first allocation (/22) and signed with a second ISP, looking mainly to accomplish “Redundancy” and Load “Sharing” between our two ISPs. We also bought a couple of CCRs (MT-1 & MT-2) to do the peering between the ISPs and us.

Following the guidelines from the wiki and some other posts on this forum, we decided to advertise our IP space as follows, see attached diagram:
FORO.png
ISP2
192.X.40.0/24
192.X.41.0/24
192.X.40.0/22

ISP1
192.X.42.0/24
192.X.43.0/24
192.X.40.0/22

This approach should (I think) give us redundancy at BGP level if one of the links is down and (manually) share the “ingress” load between ISPs.

*One issue to note here is that both ISPs can/will only share one default route with us on the BGP session.

The first BGP session has been established between our ISP2 and one of our routers (MT-2). Everything works fine and our test machine is reachable from the internet using one of our new IPs. Then there’s the iBGP session between our routers (MT-1 ↔ MT-2).

We now want to add the second eBGP session to the mix, but I have some doubts about the results. Hope you can help us predict what would happen:

**- Given that both ISPs send only a default (0.0.0.0) route, how can we effectively share “Egress” load between these two equal cost links?**

**- Given only a default route, do I still need to set routing filters?**

Here’s the configuration on the router connected to our ISP2:

# MT-2 config
/routing bgp instance
set default as=30

# add BGP peers
/routing bgp peer
add name=isp2 remote-address=172.16.0.2 remote-as=20

# advertising our networks
/routing bgp network
add network=192.XXX.40.0/24 synchronize=no
add network=192.XXX.41.0/24 synchronize=no
add network=192.XXX.40.0/22 synchronize=no

And the results:

> ip route print 
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADb  0.0.0.0/0                          172.16.0.2               20
 1 ADC  10.10.1.0/30       10.10.1.1       ether3                    0
 2 ADC  172.16.0.0/29      172.16.0.1      ether1                    0
 3 ADb  192.XXX.40.0/22                    10.10.1.2               200
 4 ADC  192.XXX.40.0/24    192.XXX.40.1    ether2                    0
 5 ADb  192.XXX.42.0/24                    10.10.1.2               200
 6 ADb  192.XXX.43.0/24                    10.10.1.2               200


> ip address print 
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE
 0   ;;; LAN
     192.XXX.40.1/24    192.XXX.40.0    ether2
 1   ;;; toISP2
     172.16.0.1/29      172.16.0.0      ether1
 2   ;;; iBGP
     10.10.1.1/30       10.10.1.0       ether3

Thanks to all in advance.

Hi,

Let’s go by parts.

- Given that both ISPs sends only a default (0.0.0.0) route. How can We effectively share “Egress” load between these two equal cost links?
From the perspective of your edge routers (the ones that terminate the eBGP sessions) there’ll always be two 0.0.0.0/0 routes (eBGP and iBGP learned). Assuming both routes are equal in terms of AS_PATH and that you don’t alter WEIGHT or LOCAL_PREF, each will prefer the one learnt via eBGP (due to the BGP best path selection algorithm).

MikroTik doesn’t support ECMP via BGP, but there are a couple of things you can do to achieve this. The approach here would be to add a third router that learns the routes from both edge routers via an IGP (OSPF), such that this third router can ECMP on both connections.

Currently R1 and R2 are directly connected and then (from your diagram) terminate users’ connections. You’d need to have at least a third device; let’s call it R3.
- R3 will connect to R1 and R2
- R3 will serve as your subnets’ gw
- R1 and R2 will need to redistribute the default route via OSPF as type-2 with exactly the same distance
- R3 will install 0.0.0.0/0 and will point to R1 and R2 as the GW (thus enabling ECMP)
- Traffic from R3 will reach either R1 or R2 and then, since R1 will prefer its eBGP-learned 0.0.0.0/0, it will use it (same with R2, it’ll use 0.0.0.0/0 from the other provider)

As you can see, to fix this you’d need to make changes in your topology.

- Given only a default route, do I still need to set routing filters?
You will always need filters outbound; this is a common best practice that you should follow (there are RFCs that also describe this). You’d also like to filter inbound prefixes from your provider that are considered bogons or RFC1918. Every provider will mess up its routing table at some point; it’s not a matter of “if” but “when”, hence the need to always use inbound and outbound prefixes, to protect yourself and to protect others from yourself, respectively.
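
The filtering advice in the reply above, modelled as an added example (not part of either post and not RouterOS configuration): a per-ISP outbound allow-list built from the announcement split in the question, plus an inbound check that accepts the default and drops bogons. Assumptions: `192.0.40.0/22` is a constructed stand-in for the redacted 192.X.40.0/22, the `/24` length limit is the common convention for globally accepted IPv4 prefixes, the bogon list is illustrative, and `MT2_RIB` is constructed sample data.

```python
import ipaddress as ip

# Constructed stand-in for the redacted 192.X.40.0/22 allocation in the post.
OWN = ip.ip_network("192.0.40.0/22")
# Per-ISP announcements, mirroring the split described in the question.
PLAN = {
    "isp1": ["192.0.42.0/24", "192.0.43.0/24", "192.0.40.0/22"],
    "isp2": ["192.0.40.0/24", "192.0.41.0/24", "192.0.40.0/22"],
}
DEFAULT = ip.ip_network("0.0.0.0/0")
# RFC 1918 plus other never-routable blocks (illustrative, not a complete bogon list).
BOGONS = [ip.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10", "224.0.0.0/3")]

def check_plan(plan):
    """Return problems in the announcement plan; an empty list means it is sane."""
    problems = []
    for isp, prefixes in plan.items():
        nets = [ip.ip_network(p) for p in prefixes]
        for n in nets:
            if not n.subnet_of(OWN):
                problems.append(f"{isp}: {n} is outside our allocation")
            elif n.prefixlen > 24:
                problems.append(f"{isp}: {n} is longer than /24")
        if OWN not in nets:
            problems.append(f"{isp}: aggregate {OWN} missing, no failover path")
    return problems

def export(isp, rib):
    """Outbound filter: announce only prefixes planned for this ISP, drop the rest."""
    allowed = {ip.ip_network(p) for p in PLAN[isp]}
    return [p for p in rib if ip.ip_network(p) in allowed]

def inbound_permit(prefix, default_only=True):
    """Inbound filter: accept the default; optionally other non-bogon routes up to /24."""
    net = ip.ip_network(prefix)
    if net == DEFAULT:
        return True
    if default_only:
        return False
    return net.prefixlen <= 24 and not any(net.subnet_of(b) for b in BOGONS)

# Constructed RIB for MT-2: link subnets, the default learned from ISP1 over iBGP,
# and a stray route (203.0.113.0/24) that must never be re-announced to ISP2.
MT2_RIB = ["0.0.0.0/0", "10.10.1.0/30", "172.16.0.0/29", "203.0.113.0/24",
           "192.0.40.0/22", "192.0.40.0/24", "192.0.41.0/24",
           "192.0.42.0/24", "192.0.43.0/24"]
```

Running `export("isp2", MT2_RIB)` shows that the iBGP-learned default, the link subnets and the stray route stay inside the AS, so the site cannot become accidental transit between its two providers.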