
    Thoughts

    I am sure some of you who have never implemented BGP for an organization have wondered what it’s like to configure BGP with an internet service provider. What are the steps to obtain it and configure it?

    If you have implemented this before, congrats, you’re top tier. But if you haven’t, you shouldn’t worry. I was once in your shoes when I was learning BGP. It can feel a bit challenging at first, but once you get the hang of it, you’ll rock on.


    Before we begin, let me explain the types of peering you will be dealing with and what’s recommended.

    The image below illustrates the three types of BGP peering: single-homed, dual-homed and multi-homed. Since the image is relatively straightforward, I’ll focus on why the multi-homed option is the one I recommend.

    [Image: single-homed, dual-homed and multi-homed BGP peering]

    Why is multi-homed the recommended option?

    In my personal experience, I’ve only encountered two occasions where organizations were using single-homed or dual-homed configurations, and that was because of some special requirements.

    The environment I’ve always observed is multi-homed. This configuration relies on two different internet providers (dual-homed, by contrast, means two links to the same provider, which still leaves that provider as a single point of failure). For instance, Verizon serves as the primary circuit while Cogent functions as the backup. If one link fails, traffic automatically switches to the secondary circuit.

    Now, picture this for a second. Suppose you hold a /24 block of public addresses, 50.0.0.0/24, so your usable public IP addresses run from 50.0.0.1 to 50.0.0.254. That gives you 254 addresses to assign directly or to NAT behind when needed.

    Additionally, imagine having 150 web servers reachable online. If one of your internet connections happens to go down, your backup connection is right there to save the day: your clients can still reach all 150 web servers using the same public addresses, 50.0.0.1 through 50.0.0.254. This works because both providers announce your /24 to the rest of the internet, so when one announcement disappears the other path is already in place. Pretty neat, right?

    Well that, my friends, is the power of BGP: owning your own provider-independent public address space, taking it with you, and using it to peer with any service provider out there under your own public ASN.


    Let’s look at this multi-homed design.

    [Image: multi-homed design with two edge routers, two ISPs (Verizon and Cogent) and an active/passive firewall pair]

    Let me break this configuration down for you.

    The Circuits

    You have two internet service providers, Verizon and Cogent. The Verizon circuit is 1 Gbps and the Cogent circuit is 500 Mbps.

    Verizon has priority over Cogent because it has the larger circuit, and we steer the inbound traffic with AS path prepending. We can talk about this in more detail later, but the idea is that you can influence which link becomes primary for incoming traffic: by prepending your own ASN to the announcement you send the backup provider, the path through that provider looks longer, and the rest of the internet prefers the shorter path through the primary. Prepending is a hint, not a guarantee; a remote network’s own policy can override it, and the backup provider’s direct customers will still come in through the backup. Anything firmer, such as BGP communities that ask the provider to lower the preference of your announcement, depends on what you agree with the service provider.

    The same applies to outbound traffic, and here your ISP is not involved at all. Using the “local preference” attribute you control how traffic exits your network: give the default route learned from Verizon a higher local preference than the one learned from Cogent, and all outbound traffic uses Verizon until that route disappears. If you want load sharing rather than one active and one passive link, set different local preferences per destination prefix; with only a default route from each provider, though, the choice is effectively one exit at a time.

    In the diagram, the Verizon circuit is simulated as being down because of a wiring issue on the ISP side. As you can see, the Cogent line is still functional, allowing the internal and external networks to communicate. By the way, the passive firewall becomes active once it sees the faulty link on the primary.
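    The inbound and outbound policy described above (prepend toward the backup provider, higher local preference on the primary, strict filters in both directions) as an added example in FRRouting syntax, which is Cisco-like; this is not configuration from the original post. It reuses the post’s own values (AS 54555, the 50.0.0.0/24 block, and the placeholder provider ASNs 100 and 200). The ISP link addresses (taken from RFC 5737 documentation space), the loopback addresses and the firewall’s loopback 10.255.0.10 are assumptions. The same prefix-lists also implement the “including filters” item in the preparation checklist further down.

```frr
! ---- edge1: primary edge, eBGP to Verizon (the post's placeholder AS 100) ----
! Assumed values (not from the post): ISP link 203.0.113.0/30 (RFC 5737),
! loopbacks 10.255.0.1 (edge1), 10.255.0.2 (edge2), 10.255.0.10 (firewall).
!
! Outbound policy: announce ONLY our /24. The implicit deny at the end of the
! route-map keeps RFC 1918 space, one provider's routes and anything learned
! from the other provider from leaking out (no accidental transit).
ip prefix-list OUR-PREFIX seq 5 permit 50.0.0.0/24
!
! Inbound policy: a two-provider edge only needs a default route. Permitting
! only 0.0.0.0/0 refuses a full table, our own /24 echoed back, and bogons.
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
route-map TO-VERIZON permit 10
 match ip address prefix-list OUR-PREFIX
!
! Primary exit: local-preference 200 beats edge2's 100 inside the AS.
route-map FROM-VERIZON permit 10
 match ip address prefix-list DEFAULT-ONLY
 set local-preference 200
!
! Anchor route: keeps 50.0.0.0/24 in the RIB so 'network' always advertises
! it, even when no more-specific internal route is present.
ip route 50.0.0.0/24 Null0 250
!
router bgp 54555
 bgp router-id 10.255.0.1
 bgp log-neighbor-changes
 neighbor 203.0.113.1 remote-as 100
 neighbor 203.0.113.1 description Verizon 1 Gbps primary
 neighbor 203.0.113.1 password REPLACE-WITH-ISP-AGREED-SECRET
 ! GTSM: drop BGP packets that did not originate on the directly connected link
 neighbor 203.0.113.1 ttl-security hops 1
 ! iBGP to the other edge and to the firewall, sourced from the loopback
 neighbor 10.255.0.2 remote-as 54555
 neighbor 10.255.0.2 update-source lo
 neighbor 10.255.0.10 remote-as 54555
 neighbor 10.255.0.10 update-source lo
 !
 address-family ipv4 unicast
  network 50.0.0.0/24
  neighbor 203.0.113.1 route-map TO-VERIZON out
  neighbor 203.0.113.1 route-map FROM-VERIZON in
  ! A default plus a few locals is all we expect; if the ISP ever sends a
  ! full table the session is torn down instead of the router running out of memory.
  neighbor 203.0.113.1 maximum-prefix 10
  neighbor 10.255.0.2 next-hop-self
  neighbor 10.255.0.10 next-hop-self
 exit-address-family
!
! ---- edge2: backup edge, eBGP to Cogent (placeholder AS 200) ----
! Assumed ISP link 198.51.100.0/30 (RFC 5737). Same prefix-lists as edge1;
! the only differences are the prepend on the way out and the lower
! local-preference on the way in.
ip prefix-list OUR-PREFIX seq 5 permit 50.0.0.0/24
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
! AS path seen by the internet via Cogent: 200 54555 54555 54555 (length 4)
! versus 100 54555 via Verizon (length 2), so the Verizon path wins.
route-map TO-COGENT permit 10
 match ip address prefix-list OUR-PREFIX
 set as-path prepend 54555 54555
!
route-map FROM-COGENT permit 10
 match ip address prefix-list DEFAULT-ONLY
 set local-preference 100
!
ip route 50.0.0.0/24 Null0 250
!
router bgp 54555
 bgp router-id 10.255.0.2
 bgp log-neighbor-changes
 neighbor 198.51.100.1 remote-as 200
 neighbor 198.51.100.1 description Cogent 500 Mbps backup
 neighbor 198.51.100.1 password REPLACE-WITH-ISP-AGREED-SECRET
 neighbor 198.51.100.1 ttl-security hops 1
 neighbor 10.255.0.1 remote-as 54555
 neighbor 10.255.0.1 update-source lo
 neighbor 10.255.0.10 remote-as 54555
 neighbor 10.255.0.10 update-source lo
 address-family ipv4 unicast
  network 50.0.0.0/24
  neighbor 198.51.100.1 route-map TO-COGENT out
  neighbor 198.51.100.1 route-map FROM-COGENT in
  neighbor 198.51.100.1 maximum-prefix 10
  neighbor 10.255.0.1 next-hop-self
  neighbor 10.255.0.10 next-hop-self
 exit-address-family
```

    Because edge1 tags the Verizon default with local-preference 200 and relays it over iBGP, edge2 and the firewall both prefer it over edge2’s own Cogent default (local-preference 100); when the Verizon session drops, the 200 route is withdrawn and everything falls back to Cogent without any further change. Verify with `show bgp ipv4 unicast summary` and `show bgp ipv4 unicast neighbors 198.51.100.1 advertised-routes`, which should list exactly one prefix with the prepended path. Keep in mind that Cogent’s own customers, and any network that prefers customer routes regardless of path length, will still reach you through Cogent; if that matters, ask the provider which communities it honors.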


    The Edges

    The edge routers belong to your company and are responsible for both eBGP peering (toward the providers) and iBGP peering (with each other and with the firewalls). Each device connects upstream to its provider and downstream to the firewalls. Every provider has its own unique ASN, and so does your organization.

    For example, Verizon and Cogent might be AS 100 and AS 200 (placeholder numbers here; RFC 5398 reserves 64496–64511 for documentation if you want to avoid real ones), while you hold your own public ASN, 54555. Additionally, you own the subnet 50.0.0.0/24, which is advertised externally so users can reach your services and is used internally for NAT, both SNAT and DNAT.


    The Core Network

    Lastly, your firewalls, which form the perimeter of your network, connect upstream to the edges and downstream to the core. Both run two routing protocols, BGP and OSPF.

    The edges forward the BGP routes they hold, including the default route, to the firewall over iBGP. In practice the firewall only needs the default route, so filter the iBGP session down to that rather than pushing a full table into a firewall that has no use for it.

    The firewall redistributes the default route received via iBGP into OSPF toward the downstream core switch.

    NOTE: The firewall, or whatever device functions as the perimeter, runs OSPF toward the core. Originating the default route it learned via iBGP into OSPF is necessary; that is how the switches know where to forward packets whose destination network is not in their forwarding table. Originate it conditionally, only while a default route actually exists in the firewall’s routing table, so that if both upstreams are lost the default is withdrawn from the core instead of silently blackholing traffic at the firewall.
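    The iBGP-to-OSPF handoff described above, as an added example in FRRouting syntax that is not part of the original post. It assumes a firewall whose routing daemon accepts FRR-style configuration (for instance a Linux firewall running FRR), that the edges set next-hop-self on their iBGP sessions toward the firewall, and that the loopbacks (10.255.0.1 and 10.255.0.2 for the edges, 10.255.0.10 for the firewall) are reachable through static routes that are not shown. The inside interface eth1 and the core network 10.10.0.0/24 are assumptions as well.

```frr
! ---- fw1 (active firewall): iBGP to both edges, OSPF toward the core switch ----
! Assumed values (not from the post): loopback 10.255.0.10, edge loopbacks
! 10.255.0.1 / 10.255.0.2, inside interface eth1 on 10.10.0.0/24.
!
! Accept nothing but the default route from the edges. Anything else arriving
! here (a leaked provider route, a mistyped 'network' statement on an edge)
! is dropped instead of being carried toward the core.
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
route-map FROM-EDGES permit 10
 match ip address prefix-list DEFAULT-ONLY
!
router bgp 54555
 bgp router-id 10.255.0.10
 bgp log-neighbor-changes
 ! One peer-group for both edges so the policy cannot diverge between them.
 neighbor EDGES peer-group
 neighbor EDGES remote-as 54555
 neighbor EDGES update-source lo
 neighbor 10.255.0.1 peer-group EDGES
 neighbor 10.255.0.2 peer-group EDGES
 address-family ipv4 unicast
  neighbor EDGES route-map FROM-EDGES in
  ! No 'network' statements: the firewall originates nothing into BGP.
 exit-address-family
!
router ospf
 ospf router-id 10.255.0.10
 network 10.10.0.0/24 area 0
 ! Speak OSPF only on the inside interface; never form adjacencies on the
 ! links toward the edges or the outside.
 passive-interface default
 no passive-interface eth1
 ! Originate 0.0.0.0/0 into OSPF only while a default route is present in the
 ! RIB, i.e. while at least one edge still hands us one over iBGP. Without the
 ! 'always' keyword, losing both upstreams withdraws the default from the core
 ! instead of attracting traffic the firewall cannot forward.
 default-information originate metric 10 metric-type 1
```

    With the edges preferring the Verizon default (local-preference 200 relayed over iBGP), `show bgp ipv4 unicast 0.0.0.0/0` on the firewall shows two paths with the edge1 path selected; `show ip ospf database external` on the core switch should then contain exactly one external LSA, the default, originated by the firewall’s router-id. Shut both eBGP sessions on the edges during testing and confirm that LSA disappears.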


    To summarize what I just shared, BGP multi-homing is the most recommended option because of its fault-tolerant configuration. It prevents a single point of failure by providing a backup circuit if the primary circuit fails. However, the topology you choose should still align with your business requirements.


    Now, how do you acquire BGP for your business?

    Getting the service

    • Request a block of public IPv4 addresses, at minimum a /24, via https://arin.net (or your own regional registry outside North America). This requires a request form and justification. A /24 is the smallest IPv4 prefix most networks will accept over BGP, so anything smaller will not be globally routable. ARIN’s IPv4 free pool has been exhausted since 2015, so expect a waiting list or a transfer from another holder.
    • Obtain a public ASN via https://arin.net. This goes in conjunction with the first line.
    • Once both are assigned, create a Route Origin Authorization (ROA) for your /24 and ASN in ARIN’s RPKI service, plus a matching IRR route object. Providers that validate route origins drop announcements that contradict a ROA, and a ROA is what lets the rest of the internet reject someone else announcing your prefix.
    • Contact your ISP to start the process. The addresses on the link to the ISP will typically change to a /30 point-to-point subnet used for the eBGP session, and the provider-assigned block you were using before (a /28 or smaller) is returned to the provider.
    • Have your environment ready before the ISP migration. They will usually reuse the circuit you already have and replace the public addresses they previously assigned you.

    Prepping the organization

    • Assess your BGP needs and the type of configuration that will be required.
    • Set up network equipment that supports BGP, such as the edge routers.
    • Plan your policy for outbound and inbound traffic, including filters: announce only your own prefix to each provider, and accept from each provider only what you expect (a default route, or a full table if you really need one), rejecting bogons, your own prefix and anything more specific than a /24.
    • Test your environment to ensure everything between you and the ISP works as intended, including a failover test: shut the primary session and confirm your prefix is still reachable through the backup.
    • Monitor your configuration for 24 hours to ensure everything is stable.

    Remember, this is a migration from regular service to BGP service. On rare occasions the provider will install a new circuit on your premises, so that once you are ready they can turn it up and start testing.


    Cheers,
