High-availability BGP with BIRD
Please let me know if bird-users is not the appropriate place for this post; admittedly it is more of a "best practices" question...

I am in the process of trying to develop a plan for deploying BGP in a high-availability configuration, using a pair of FreeBSD hosts running BIRD. A number of questions have come up, leaving me unsure how to proceed. The fact that this is my first experience with BGP doesn't help matters. The following diagram outlines how I envision the [physical] configuration.

                     +----------+
              +------+ router-a +-------+
  xxxxxxxx    |      +----------+       |
xx      xx +--+-----+                   +------------+
xx  LAN  x + switch +-------------------| ISP router |
 x      xx +--+-----+                   +------------+
  xx xxxxx    |      +----------+       |
    xxxxx     +------+ router-b +-------+
                     +----------+

I dumped this in a pastebin, in case my mail client mauls it: http://pastebin.com/rDTDMA7j

In this scenario, router-a and router-b are running FreeBSD, with CARP to provide a virtual IP for failover. The two routers act in a failover manner, with router-b taking over the virtual IP upon failure of router-a. The goal is to maintain the fast failover (seconds) that I get from CARP in non-BGP configurations. I am wondering if the following method is a common/feasible/best solution.

Under normal conditions:
* BOTH router-a and router-b establish BGP sessions to the ISP. This way, each router has a copy of the BGP routing table in memory, ready to go.
* router-a advertises my prefixes to the ISP router.
* all regular traffic is handled by router-a.

If router-a fails:
* Programmatically update the router-b BIRD config to begin advertising prefixes.
* router-b already has the BGP table in memory, so routing can resume immediately.

Is there a better way to achieve this? Will my ISP laugh at me when I ask them to assign me a /29, and allow me to run two BGP sessions?

Thank you!
TJ
Hi Thomas

I'm not a BGP expert but I run a similar configuration. Some notes below.

On 08/21/2013 10:08 PM, Thomas Johnson wrote:
In this scenario, router-a and router-b are running FreeBSD, with CARP to provide a virtual IP for failover. The two routers act in a failover manner, with router-b taking over the virtual IP upon failure of router-a. The goal is to maintain the fast failover (seconds) that I get from CARP in non-BGP configurations. I am wondering if the following method is a common/feasible/best solution.
I do it here exactly like this, but with Linux and keepalived.
If router-a fails:
* Programmatically update the router-b BIRD config to begin advertising prefixes.
* router-b already has the BGP table in memory, so routing can resume immediately.
Not sure if I understood this correctly, but if both routers have BIRD running you shouldn't need to do any manual configuration changes. As long as your machines have the routers' virtual IP as their gateway, routing should resume as soon as the address is transferred to the remaining router.
Is there a better way to achieve this? Will my ISP laugh at me when I ask them to assign me a /29, and allow me to run two BGP sessions?
You should also consider that ISP routers can fail. Imagine that router-a has a BGP session with isp-router-a and router-b with isp-router-b. Now consider what happens if isp-router-a fails.

To keep things working, I configured an iBGP session between router-a and router-b. In the example above, traffic would be routed out of your network through the router-a -> router-b -> isp-router-b path.

I'm also interested to learn about possible alternative architectures to handle these cases.

Cheers,
Andre
Hi

I have an H-A configuration of BIRD routers. It looks like this: http://pastebin.com/SKY4h1Gf - 6x /24 IPv4, and 3x /48 IPv6.

Router 1 and 2 are connected with iBGP (bonding connection). The IPv4 prefixes are divided three per router; two IPv6 prefixes are on router 1 and one on router 2. The routers run Linux with keepalived. Keepalived is running on the interfaces connected to the switches (bonding and a VLAN for each IPv4 prefix). For example, when R01 is down, its prefixes are transferred to R02 (with keepalived). The switches are connected with LAG/LACP. In the future there will be additional (backup) links from ISP 1 to Router 2 and from ISP 2 to Router 1.

--
Miłosz Oller
http://sys-com.pl
Congratulations, now the switch is your single point of failure.

Running two BGP sessions for HA isn't usual, but I have the impression you want to implement several "roles" in one pair of devices without thinking about the roles first.

role 1: BGP edge router
role 2: default gateway
role 3: stateful packet filter (NAT)?

+--------------+ eBGP   +----------+ OSPF  +------+       +-------+
| ISP router a |<------>| router a |<--+-->| fw a |<--+-->| def a |<--+
+--------------+        +----------+   |   +------+   |   +-------+   |
                             ^         |              |               |
                             | iBGP    |              |           LAN |
                             v         |              |               |
+--------------+ eBGP   +----------+   |   +------+   |   +-------+   |
| ISP router b |<------>| router b |<--+-->| fw b |<--+-->| def b |<--+
+--------------+        +----------+       +------+       +-------+

Now you merge router x, fw x, def x into one device each.

+--------------+ eBGP   +----------+ LAN
| ISP router a |<------>| router a |<--+
+--------------+        +----------+   |
                             ^         |
                             | iBGP,CARP,pfsync
                             |         | CARP
                             v         |
+--------------+ eBGP   +----------+   |
| ISP router b |<------>| router b |<--+
+--------------+        +----------+

Use devd to react to CARP state changes on the crossover cable between the routers. It might be a good idea to use cloned loopback interfaces for iBGP to simplify further expansions. You can also use net/ifstated for more complex checks, activate CARP preemption and demote the CARP groups according to the services (e.g. established BGP session, DNS resolver working, etc.).

SEE ALSO: devd.conf(5), devd(8), carp(4), pfsync(4), rc.conf(5)
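Putting Thomas's "begin advertising prefixes when router-b takes over" step together with the devd-on-CARP-state-change approach from the reply above, here is an added example of such a handler for FreeBSD; it is not code from the thread or from the BIRD project. The devd.conf stanza, the file paths, the vhid and the CARP_MASTER define it relies on are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: devd-driven handler that flips a BIRD
# "define" on CARP state changes, so router-b starts exporting the prefixes
# only once it owns the virtual IP, while its eBGP session stays up with the
# full table already learned. Paths, the vhid and the CARP_MASTER symbol are
# assumptions for illustration.
#
# Assumed devd.conf(5) stanza (CARP events carry vhid@ifname and a type):
#   notify 0 {
#       match "system"    "CARP";
#       match "subsystem" "1@em0";
#       match "type"      "(MASTER|BACKUP|INIT)";
#       action "/usr/local/sbin/carp-bgp.sh $subsystem $type";
#   };
#
# Assumed BIRD 1.x side: bird.conf does `include "carp_state.conf";` and the
# export filter towards the ISP starts with `if !CARP_MASTER then reject;`.

STATE_FILE="${STATE_FILE:-/usr/local/etc/bird/carp_state.conf}"

# Map a CARP state to the define line BIRD will read. Only an explicit MASTER
# enables the export; BACKUP, INIT or anything malformed fails closed.
bird_state_define() {
    case "$1" in
        MASTER) echo 'define CARP_MASTER = true;' ;;
        *)      echo 'define CARP_MASTER = false;' ;;
    esac
}

# Write the define via rename so BIRD never reads a half-written file, then
# ask the running daemon to reload. Returns non-zero if the file write fails.
apply_carp_state() {
    state="$1"
    tmp="${STATE_FILE}.tmp.$$"
    bird_state_define "$state" > "$tmp" || return 1
    mv "$tmp" "$STATE_FILE" || return 1
    # birdc is absent when the functions are exercised outside the router
    if command -v birdc >/dev/null 2>&1; then
        birdc configure >/dev/null
    fi
}

# devd invokes this as: carp-bgp.sh <vhid@ifname> <STATE>
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    apply_carp_state "$2" && echo "CARP $1 is now $2; BIRD reconfigured"
fi
```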
Participants (4):
- Andre Nathan
- Jan Bramkamp
- Miłosz Oller
- Thomas Johnson