BGP "Router ID" and multiple peers


L3 Networker

What exactly is the "Router ID" field used for in the BGP tab of Virtual Router configuration?

I ask because I'm planning on announcing a /24 to two different ISPs/peers, and each ISP has its own /30 for the transit segment.  So, if I make the router ID the IP address for one segment, it is incorrect for the other segment... or does "Router ID" not actually get used for anything and it's just an identifier?  The documentation / help file says "Enter the IP address to assign to the virtual router," does this mean I need to use a separate VR for each BGP peer?

If so, how do I get my traffic to fail from one VR to the other?  I currently have all of my interfaces attached to a single VR using a default route to ISP A.  I'm running a BGP session with them to receive routes for an MPLS network, but not announcing anything to them yet.  I now have a publicly routable /24 from ISP B, as well as a public ASN,  but I need to announce that /24 to both providers and (ideally) unevenly weight the two connections as ISP B is a 50Mb link while ISP A is only 25Mb.

I have seen the document that explains setting up BGP with two ISPs, but it is a bit confusing since it was written for 4.0 and I am on 4.1.  Also, it assumes that I want to take the /24 and apply it to an internal interface on the PAN, which I do not.  I want any / all addresses in the /24 to be proxy ARPed by the PAN and I will NAT (1:1 or otherwise) to internal hosts.  This is simply because I don't want to have to put together another switch or VLAN and public IPs on my internal systems - it's easier to just run it all through the PAN.

(I do have an active/passive pair of PANs but that is already functional, the only thing I'm having trouble with is the BGP portion.  The HA pair has appropriate interfaces to each ISP for failover to function correctly.)


All Replies
L5 Sessionator

Hello,

The router ID is used just as an identifier. For example, in the output below you can see that the router IDs are 192.168.1.1 and 192.168.1.2 respectively. However, the PANFW establishes BGP connectivity with peers 10.10.10.4 (local address 10.10.10.1) and 192.168.1.3 (local address 192.168.1.1) on VR1. Similarly, on VR2 the router ID is 192.168.1.2, and it establishes BGP connectivity with peers 10.10.10.3 (local address 10.10.10.2) and 192.168.1.4 (local address 192.168.1.2).

admin@46-PA-4020> show routing protocol bgp summary
  ==========
  router id:                     192.168.1.1
  virtual router:                vr1
  reject default route:          reject
  redist default route:          block
  Install BGP routes:            no
  Graceful Restart:              supported
  AS size:                       2
  Local AS:                      65000
  Local member AS:               0
  Cluster id:                    0.0.0.0
  Default local preference:      100
  Always compare MED:            no
  Aggregate regardless MED:      yes
  Deterministic MED processing:  yes
  Accept ORF:                    no
  Accept CISCO style prefix:     yes
  rib-out entries:               current 0, peak 0
    peer peer1.4.1:              AS 65002, Established, IP 10.10.10.4
      IPv4/unicast pfx:          Accepted pfx: 0, Advertised pfx: 0
    peer peer1.3.1:              AS 65001, Established, IP 192.168.1.3
      IPv4/unicast pfx:          Accepted pfx: 0, Advertised pfx: 0
  ==========
  router id:                     192.168.1.2
  virtual router:                vr2
  reject default route:          reject
  redist default route:          block
  Install BGP routes:            no
  Graceful Restart:              supported
  AS size:                       2
  Local AS:                      65008
  Local member AS:               0
  Cluster id:                    0.0.0.0
  Default local preference:      100
  Always compare MED:            no
  Aggregate regardless MED:      yes
  Deterministic MED processing:  yes
  Accept ORF:                    no
  Accept CISCO style prefix:     yes
  rib-out entries:               current 0, peak 0
    peer peer1.3.1-vr2:          AS 65001, Established, IP 10.10.10.3
      IPv4/unicast pfx:          Accepted pfx: 0, Advertised pfx: 0
    peer peer1.4.1-vr2:          AS 65002, Established, IP 192.168.1.4
      IPv4/unicast pfx:          Accepted pfx: 0, Advertised pfx: 0

Hope that helps,

BR,

Karthik RP

L5 Sessionator

To be more specific:

admin@46-PA-4020> show routing protocol bgp peer
  ==========
  Peer:                          peer1.4.1 (id 2)
  virtual router:                vr1
  Peer router id:                192.168.1.4
  Remote AS:                     65002
  Peer group:                    peer1.4 (id 2)
  Peer status:                   Established, for 2946 seconds
  Password set:                  no
  Passive:                       no
  Multi-hop TTL:                 2
  Remote Address:                10.10.10.4:57911
  Local Address:                 10.10.10.1:179
  (R) reflector client:          not-client
  same confederation:            no
  send aggr confed as-path:      yes
  peering type:                  Unspecified
  Connect-Retry interval:        120
  Open Delay:                    0
  Idle Hold:                     15
  Prefix limit:                  5000
  Holdtime:                      90 (config 90)
  Keep-Alive interval:           30 (config 30)
  Update messages:               in        1, out        1
  Total messages:                in      115, out      115
  Last update age:               3
  Last error:
  Flap counts:                   1, established 1 times
  (R) ORF entries:               0
  Nexthop set to self:           no
  use 3rd party as next-hop:     yes
  override nexthop to peer:      no
  ----------
  remove private AS number:      yes
  ----------
  Capability:                    Multiprotocol Extensions(1)  value: 00010001
  Capability:                    Route Refresh(2)
  Capability:                    Graceful Restart(64)  value: 007800010100
  Capability:                    Route Refresh (Cisco)(128)
  ----------
  Prefix counter for:            IPv4 / unicast
  Incoming Prefix:               Accepted 0, Rejected 0, Total 0
  Outgoing Prefix:               0
  Advertised Prefix:             0
  ==========
  Peer:                          peer1.3.1 (id 1)
  virtual router:                vr1
  Peer router id:                192.168.1.3
  Remote AS:                     65001
  Peer group:                    peer1.3 (id 1)
  Peer status:                   Established, for 3657 seconds
  Password set:                  no
  Passive:                       no
  Multi-hop TTL:                 2
  Remote Address:                192.168.1.3:34865
  Local Address:                 192.168.1.1:179
  (R) reflector client:          not-client
  same confederation:            no
  send aggr confed as-path:      yes
  peering type:                  Unspecified
  Connect-Retry interval:        120
  Open Delay:                    0
  Idle Hold:                     15
  Prefix limit:                  5000
  Holdtime:                      90 (config 90)
  Keep-Alive interval:           30 (config 30)
  Update messages:               in        1, out        1
  Total messages:                in      143, out      143
  Last update age:               27
  Last error:
  Flap counts:                   1, established 1 times
  (R) ORF entries:               0
  Nexthop set to self:           no
  use 3rd party as next-hop:     yes
  override nexthop to peer:      no
  ----------
  remove private AS number:      yes
  ----------
  Capability:                    Multiprotocol Extensions(1)  value: 00010001
  Capability:                    Route Refresh(2)
  Capability:                    Graceful Restart(64)  value: 007800010100
  Capability:                    Route Refresh (Cisco)(128)
  ----------
  Prefix counter for:            IPv4 / unicast
  Incoming Prefix:               Accepted 0, Rejected 0, Total 0
  Outgoing Prefix:               0
  Advertised Prefix:             0
  ==========
  Peer:                          peer1.3.1-vr2 (id 1)
  virtual router:                vr2
  Peer router id:                192.168.1.3
  Remote AS:                     65001
  Peer group:                    peer1.3-vr2 (id 3)
  Peer status:                   Established, for 2191 seconds
  Password set:                  no
  Passive:                       no
  Multi-hop TTL:                 2
  Remote Address:                10.10.10.3:179
  Local Address:                 10.10.10.2:42688
  (R) reflector client:          not-client
  same confederation:            no
  send aggr confed as-path:      yes
  peering type:                  Unspecified
  Connect-Retry interval:        120
  Open Delay:                    0
  Idle Hold:                     15
  Prefix limit:                  5000
  Holdtime:                      90 (config 90)
  Keep-Alive interval:           30 (config 30)
  Update messages:               in        1, out        1
  Total messages:                in       87, out       87
  Last update age:               25
  Last error:
  Flap counts:                   0, established 1 times
  (R) ORF entries:               0
  Nexthop set to self:           no
  use 3rd party as next-hop:     yes
  override nexthop to peer:      no
  ----------
  remove private AS number:      yes
  ----------
  Capability:                    Multiprotocol Extensions(1)  value: 00010001
  Capability:                    Route Refresh(2)
  Capability:                    Graceful Restart(64)  value: 007800010100
  Capability:                    Route Refresh (Cisco)(128)
  ----------
  Prefix counter for:            IPv4 / unicast
  Incoming Prefix:               Accepted 0, Rejected 0, Total 0
  Outgoing Prefix:               0
  Advertised Prefix:             0
  ==========
  Peer:                          peer1.4.1-vr2 (id 2)
  virtual router:                vr2
  Peer router id:                192.168.1.4
  Remote AS:                     65002
  Peer group:                    peer1.3-vr2 (id 3)
  Peer status:                   Established, for 2188 seconds
  Password set:                  no
  Passive:                       no
  Multi-hop TTL:                 2
  Remote Address:                192.168.1.4:179
  Local Address:                 192.168.1.2:40043
  (R) reflector client:          not-client
  same confederation:            no
  send aggr confed as-path:      yes
  peering type:                  Unspecified
  Connect-Retry interval:        120
  Open Delay:                    0
  Idle Hold:                     15
  Prefix limit:                  5000
  Holdtime:                      90 (config 90)
  Keep-Alive interval:           30 (config 30)
  Update messages:               in        1, out        1
  Total messages:                in       86, out       88
  Last update age:               7
  Last error:
  Flap counts:                   0, established 1 times
  (R) ORF entries:               0
  Nexthop set to self:           no
  use 3rd party as next-hop:     yes
  override nexthop to peer:      no
  ----------
  remove private AS number:      yes
  ----------
  Capability:                    Multiprotocol Extensions(1)  value: 00010001
  Capability:                    Route Refresh(2)
  Capability:                    Graceful Restart(64)  value: 007800010100
  Capability:                    Route Refresh (Cisco)(128)
  ----------
  Prefix counter for:            IPv4 / unicast
  Incoming Prefix:               Accepted 0, Rejected 0, Total 0
  Outgoing Prefix:               0
  Advertised Prefix:             0
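The `show routing protocol bgp peer` output above lends itself to a quick audit. The script below is an added example, not part of the original thread or of PAN-OS: it parses that key/value layout, embeds a constructed two-peer sample in the same format, and reports per peer whether the session is Established, whether a TCP MD5 password is set, and whether the peer's router ID differs from the address the session runs over (which is normal, as the thread explains).

```python
"""Audit PAN-OS 'show routing protocol bgp peer' output (added example, not
from the original post): session state, TCP MD5 password, and whether the
peer's router ID matches the session address (it need not, as the thread shows)."""
import ipaddress
import re

# Constructed sample in the thread's output format; addresses are made up.
SAMPLE = """\
  ==========
  Peer:                          peer1.4.1 (id 2)
  virtual router:                vr1
  Peer router id:                192.168.1.4
  Peer status:                   Established, for 2946 seconds
  Password set:                  no
  Remote Address:                10.10.10.4:57911
  Local Address:                 10.10.10.1:179
  ==========
  Peer:                          peer1.3.1 (id 1)
  virtual router:                vr1
  Peer router id:                192.168.1.3
  Peer status:                   Idle
  Password set:                  yes
  Remote Address:                192.168.1.3:179
  Local Address:                 192.168.1.1:34865
"""
# "key:    value", with the run of spaces PAN-OS pads between the columns.
KV = re.compile(r"^\s*(?P<key>[^:]+?):\s{2,}(?P<val>.*?)\s*$")

def parse_peers(text):
    """Split on the '==========' separators and return one dict per peer."""
    peers = []
    for block in text.split("=========="):
        fields = {m["key"].strip(): m["val"]
                  for m in map(KV.match, block.splitlines()) if m}
        if "Peer" in fields:
            peers.append(fields)
    return peers

def audit_peer(p):
    """Return (severity, message) findings for one parsed peer block."""
    name, vr, out = p["Peer"].split()[0], p.get("virtual router", "?"), []
    if not p.get("Peer status", "").startswith("Established"):
        out.append(("warn", f"{vr}/{name}: session is {p.get('Peer status')}"))
    if p.get("Password set") != "yes":
        out.append(("warn", f"{vr}/{name}: no TCP MD5 password on the session"))
    # The router ID is only an identifier; it need not be the session address.
    rid = ipaddress.ip_address(p["Peer router id"])
    remote = ipaddress.ip_address(p["Remote Address"].rsplit(":", 1)[0])
    if rid != remote:
        out.append(("info", f"{vr}/{name}: router ID {rid} differs from "
                            f"session address {remote} (expected, not an error)"))
    return out

def audit(text):
    """Map each peer name to its findings for the whole command output."""
    return {p["Peer"].split()[0]: audit_peer(p) for p in parse_peers(text)}

if __name__ == "__main__":
    for sev, msg in (f for fs in audit(SAMPLE).values() for f in fs):
        print(f"[{sev}] {msg}")
```

Feed it the real command output instead of `SAMPLE` to check every peer on every virtual router at once.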

L3 Networker

OK, that makes sense.  The peers won't really care if the "Router ID" doesn't actually match the interface that is connected to them.  This also explains why the "peer router ID" I'm getting from ISP B doesn't fall inside the /30 that is being used to exchange routes.

This means I should be able to establish a connection with both peers via the same VR once I get my existing setup with ISP A changed to use my public ASN.  (We were using private ASNs for them to hand me MPLS routes prior to me obtaining a public ASN.)

How can I go about weighting the two routes for load-balancing (so more traffic travels via the larger connection), rather than just failover?  I understand that in some cases I can't affect the paths because the ISPs may re-write them when they leave their border, but I'd at least like to try to set it up "correctly."  I apologize for my inexperience here; this is my first real foray into BGP, and while I have the O'Reilly BGP book, it is written with Cisco in mind and PAN behavior seems somewhat different.

L5 Sessionator

You can use just one VR, even if you are multihomed with ISP 1 and ISP 2. All you need is to influence the routes using the BGP attributes (local preference, the AS hops, or origin). I would prefer local preference as the primary factor for influencing the outbound routes. You can continue using the /24 addresses on the external interfaces themselves, and since they are assigned to you by your ISPs (and hence being advertised too), users have a route to reach any IP address in this /24 subnet.  You can write destination NAT rules for any IP address that falls within the /24 range, and the firewall will proxy ARP for these IP addresses.

Please let me know if you have any questions.

For design considerations, you can also talk to your Sales Engineer or get in touch with the Dev Centre team.

BR,

Karthik

L3 Networker

So I can keep the /24 on the PAN and NAT for it...  but what if I need to assign one of those addresses directly to a server ("outside" the firewall)?

Here's a basic diagram of the setup (it omits the second ISP and a bunch of other irrelevant stuff) - is what I want to do in the lower right corner going to work?

[Attached image: PAN-WAN BGP question.png]

L5 Sessionator

I am afraid this may not work.

The loopback IP address on the PANFW has to be a /32 address and cannot have a /24 subnet. With that being said, even if the server 203.0.113.5/24 connects to an access port on the switch, and the segment "VLAN 2000 - Internet" is a trunk port carrying tagged traffic for VLAN 2000, you should have a Layer 2 port on the firewall configured as an access port for VLAN 2000, from where the server can reach any of the hosts behind this port that lie in the /24 range.

I would rather move the server behind the firewall, reachable on the VLAN 2000 access port, and configure a VLAN interface for VLAN 2000 (203.0.113.1/24) to serve as the gateway for the hosts on VLAN 2000. I can then advertise the whole /24.

An advantage of this setup is that you can protect your server against attacks by using a zone protection profile on the firewall. Otherwise the server is left exposed and can be subjected to attacks from the internet (which the switch may not block).

BR,

Karthik RP

L3 Networker

The "server" here is actually a SIP gateway device from our VoIP provider; it is locked down and only accepts traffic from their IP block, so security isn't much of a concern here.  I'm trying to keep it "outside" the PAN because I don't want any added delay in the traffic due to filtering/etc.

If I add 203.0.113.1/24 as a secondary address on the vlan 2000 L3 port, that should work though, correct?  I can put the SIP gateway in the same VLAN, assign it 203.0.113.5/24 and have it use the PAN 203.0.113.1 as default GW, which should then route it through the routing table and out to 198.53.100.1 (the ISP) and from there the internet?

If the packet is entering and leaving the same interface and same security zone, then the firewall rules don't act on it and it should pass through as quick as a normal router would, right?

I realize that I will then have two subnets on the same VLAN but since both subnets are public and "outside" I don't really care...

L3 Networker

My option works (just tested it).  You are correct that the loopback only takes a /32, I forgot about that.

I put .1/24 as a secondary IP on the same VLAN 2000 L3 subinterface.  I was then able to put another device on the same VLAN, use .1 as the gateway, assign an IP, and pass traffic without issue.

L5 Sessionator

Glad that it works! If I have been able to answer your queries, you can mark my answer as the correct answer for the benefit of other people asking the same question in future.

BR,

Karthik
