ISP aggregation

HI Bruce,

One more thing... I sleep much better at night having a separate router for each upstream with the internal addresses in HSRP configuration.  They are actually in two separate buildings, with the fiber coming in on two separate conduit paths and crossing the (East) river with two separate tunnels and ultimately going to separate carrier hotels.  I think it was the bridge collapse in Minneapolis when folks learned that though they had different upstreams, most fiber went over the same bridge.  Oops.
Dennis Bohn
Manager of Network and Systems
Adelphi University
bohn@adelphi.edu
5168773327

Message from mark.duling@biola.edu

I just looked at that quote in google books and it is referring to "load balancing."  If multihoming simply means having multiple paths and/or ISPs, I think the "multihoming is for redundancy" statement is an over generalization.  

Message from peter.charbonneau@williams.edu

I'll "second" this architecture.  We have used this for years and years.

Tim is correct.  Look up IP SLA, and the TRACK feature in Cisco IOS.  That's what I use to manage this issue.

Message from peter.charbonneau@williams.edu

Many thanks!

We have not found AS path prepending to be very deterministic.  You can be very deterministic for outgoing using “local pref” but incoming often does not always respond very well to prepending, and at least in our case, that the vast majority of the traffic is incoming. We have also found that once you get it all set up, something does indeed change, and your well crafted schemes get messed up.  We do not do NAT and are balancing chunks of a Class B and more, so maybe that is part of the issue for us.

 

Thank you for pointing out the fallacy of thinking that load balancing between two links can achieve both more available bandwidth and redundancy. The two are mutually exclusive goals unless you can implement per IP address rate limiting very quickly when you fail the oversubscribed traffic on to the one link.

 

If you simply need more bandwidth it is usually much cheaper to just increase the volume from your current provider as the cost per megabit per month is always going down, and you can get quantity discounts for it just like anything else.

 

What we do now is route all our traffic in and out of one provider, and fail it over to a backup provider who gives us a burstable service. The burst will support our current traffic levels, and if the failure lasts long enough we will have to pay extra which we would be glad to do at that point to keep our link up given the increasing importance.

 

Pete Morrissye

 

From: The EDUCAUSE Network Management Constituent Group Listserv [mailto:NETMAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mark Duling
Sent: Tuesday, November 06, 2012 2:25 PM
To: NETMAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [NETMAN] ISP aggregation

 

I just looked at that quote in google books and it is referring to "load balancing."  If multihoming simply means having multiple paths and/or ISPs, I think the "multihoming is for redundancy" statement is an over generalization.  

 

Load sharing can quite effectively be done over multiple links in a determinate fashion by policy routing outbound (PBR in Cisco-speak), and using AS-PATH prepends to make it so that whatever pipe a packet is routed out, then the return transaction will also use the same pipe inbound unless that pipe is down.  You select which internal networks will use which pipes (I'm assuming NAT is in use) and set your dynamic NAT statements accordingly.  This method is highly determinate and very simple to setup, but still very flexible since it is easy to adjust the dynamic NAT statements to fine tune the traffic loads if adjustments are needed over time.  

 

So if the costs or your budget circumstances don't permit two similarly sized pipes you can still get the benefits of a total bandwidth increase for a reasonable cost by adding a pipe using this method, and using very unequal sized pipes isn't a problem because of the PBR out and AS-PATH prepend in combination of route determinacy I've described.  Now obviously, in this case you wouldn't get redundancy in any effective way if you have pipes of sizes 1X and 3X and are using 80% of the total bandwidth, since you can't lose the larger pipe without a devastating degradation of service.  But after setting up the multihomed infrastructure, and assuming you want at some point to be able to survive an ISP link failure, you can upgrade the smaller pipe quite easily when the money is available or the costs come down.

 

All to say if getting more bandwidth for a decent price is more critical for you or more attainable for some reason at a given point in time than path redundancy there is nothing wrong with that.  We are multihomed exactly this way and are quite happy with the results.  Dennis, we also have ASA's and a Cisco border router so I could share the relevant configuration components with you if you want to contact me offline for details.

 

 

Message from mark.duling@biola.edu

I'm not a routing expert, but it seems to me all routing metrics are merely suggestions strictly speaking.  It all depends on how they are used.  But in the context of the scheme I described with single links to multiple ISPs, it seems to me that appending multiple AS-PATHs onto route advertisements combined with outbound policy routing is very highly deterministic.  We have two pipes of wildly different bandwidths right now (though I hope we'll be able to equalize this soon) and it would be painfully obvious if AS-PATH prepending in this scenario were anything less than highly deterministic.

One useful thing to do in general would be to read the BGP path selection algorithm document from your favorite router vendor. Here's the one from Juniper: https://www.juniper.net/techpubs/en_US/junos11.4/topics/reference/genera... As you can see, localpref trumps as-path length (this is also generally true of other vendors). So if I am a big content provider who happens to peer with both ISPs that you use, it doesn't matter how many times you prepend if I have localpref set to prefer sending my traffic to you via one of your ISPs. Let's say you have ISP 1 and ISP 2, and you want most of your traffic going over ISP 1. You therefore prepend in your announcements to ISP 2 and don't prepend to ISP 1. But I (the Big Content Provider) have a much bigger pipe to ISP 2, so I localpref your routes to ISP 2, and thence shall the traffic flow, despite your AS prepending. Even if ISP 1 and ISP 2 peer with each other, ISPs rarely localpref routes learned from peers higher--or the same--as routes learned from direct customers. So the traffic will get to you directly via ISP 2. So BGP really _is_ deterministic, it is just not deterministic from the standpoint of any one AS that is trying to manage inbound traffic. :) This also affects *which* ISPs to choose as your upstream providers, since they will have different customer and peering relationships with other ISPs and content providers, and these relationships can make traffic engineering easier (or harder). michael On 11/6/12 2:39 PM, Mark Duling wrote: > I'm not a routing expert, but it seems to me all routing metrics are > merely suggestions strictly speaking. It all depends on how they are > used. But in the context of the scheme I described with single links to > multiple ISPs, it seems to me that appending multiple AS-PATHs onto > route advertisements combined with outbound policy routing is very > highly deterministic. We have two pipes of wildly different bandwidths > right now (though I hope we'll be able to equalize this soon) and it > would be painfully obvious if AS-PATH prepending in this scenario were > anything less than highly deterministic. > > If I append my own ASN 4 times into a route advertisement to the > immediate upstream router of one of my ISPs, I think that effectively > tells it that the other link to me is actually four hops away. It > isn't, but I want him to think that so he won't try a supposed 4-hop > route unless the other is down. Ditto for the other ISP with the link > preference reversed. So maybe I'm missing something, but I don't see > what kind of event there could be in the Internet that would make my > immediate upstream peer decide it prefers a 4-hop route to a 1-hop route > unless it goes down, which is the desired behavior in our case. I've > also never seen anything other than this behavior in our deployment. > > > >

On 11/6/2012 5:56 PM, Michael Sinatra wrote: > As you can see, localpref trumps as-path length (this is also generally > true of other vendors). So if I am a big content provider who happens > to peer with both ISPs that you use, it doesn't matter how many times > you prepend if I have localpref set to prefer sending my traffic to you > via one of your ISPs. Yes, and localpref only works (for you) for outbound traffic. Inbound is quite different, you must "effect policy" on your upstreams. Some providers will accept communities on prefixes that they will in turn tag with *their* localpreferences. For others, you can send "more specific" prefixes for traffic than you announce to other providers. Some providers will accept communities that influence to which of their peers they will announce a particular prefix, so you can extend the "more-specific" override beyond the immediate upstream. "More specific" prefixes trump everything :) For all cases, you can often tag with the "no-export" community to keep those advertisements local to your upstream only (will affect their local customers only, if you don't want to fight the whole internet over traffic engineering your prefixes). Prepending is essentially network-wide (and for providers using localpref, can be totally ignored). If you have multiple links to a single provider, these can be reasonably used to load-balance the links. Beyond that, with multiple providers, "it depends". > This also affects *which* ISPs to choose as your upstream providers, > since they will have different customer and peering relationships with > other ISPs and content providers, and these relationships can make > traffic engineering easier (or harder). Yes. If your upstreams support these functions (localpref communities, and honor no-export, and peering communities) it helps greatly. Jeff ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Message from mark.duling@biola.edu

Ok, so I now get that local preference trumps.  I guess the question is how likely is this to actually occur.  It hasn't been a problem for us, but it would be a big problem at the moment if it happened because of the unequal sized pipes we have at the moment.  It sounds like from what I'm hearing that some large service such as Akamai wired in the different way to enhance regional performance could change our inbound routing behavior.

You can trump localpref/weight with BGP conditional advertisement; however, ISP2 can be used only as backup in this case Regards, Adrian -----Original Message----- From: Michael Sinatra [mailto:michael@RANCID.BERKELEY.EDU] Sent: Tuesday, November 06, 2012 4:56 PM Subject: Re: ISP aggregation One useful thing to do in general would be to read the BGP path selection algorithm document from your favorite router vendor. Here's the one from Juniper: https://www.juniper.net/techpubs/en_US/junos11.4/topics/reference/general/ routing-ptotocols-address-representation.html As you can see, localpref trumps as-path length (this is also generally true of other vendors). So if I am a big content provider who happens to peer with both ISPs that you use, it doesn't matter how many times you prepend if I have localpref set to prefer sending my traffic to you via one of your ISPs. Let's say you have ISP 1 and ISP 2, and you want most of your traffic going over ISP 1. You therefore prepend in your announcements to ISP 2 and don't prepend to ISP 1. But I (the Big Content Provider) have a much bigger pipe to ISP 2, so I localpref your routes to ISP 2, and thence shall the traffic flow, despite your AS prepending. Even if ISP 1 and ISP 2 peer with each other, ISPs rarely localpref routes learned from peers higher--or the same--as routes learned from direct customers. So the traffic will get to you directly via ISP 2. So BGP really _is_ deterministic, it is just not deterministic from the standpoint of any one AS that is trying to manage inbound traffic. :) This also affects *which* ISPs to choose as your upstream providers, since they will have different customer and peering relationships with other ISPs and content providers, and these relationships can make traffic engineering easier (or harder). michael On 11/6/12 2:39 PM, Mark Duling wrote: > I'm not a routing expert, but it seems to me all routing metrics are > merely suggestions strictly speaking. It all depends on how they are > used. But in the context of the scheme I described with single links > to multiple ISPs, it seems to me that appending multiple AS-PATHs onto > route advertisements combined with outbound policy routing is very > highly deterministic. We have two pipes of wildly different > bandwidths right now (though I hope we'll be able to equalize this > soon) and it would be painfully obvious if AS-PATH prepending in this > scenario were anything less than highly deterministic. > > If I append my own ASN 4 times into a route advertisement to the > immediate upstream router of one of my ISPs, I think that effectively > tells it that the other link to me is actually four hops away. It > isn't, but I want him to think that so he won't try a supposed 4-hop > route unless the other is down. Ditto for the other ISP with the link > preference reversed. So maybe I'm missing something, but I don't see > what kind of event there could be in the Internet that would make my > immediate upstream peer decide it prefers a 4-hop route to a 1-hop > route unless it goes down, which is the desired behavior in our case. > I've also never seen anything other than this behavior in our deployment. > > > >

Hi All,

Message from mark.duling@biola.edu

Dennis,

Message from mark.duling@biola.edu

Hi Mark,