rockinb4u
Frequent Visitor
Topic Author
Posts: 52
Joined: Thu Aug 06, 2009 8:45 am

BGP Configuration

Fri Dec 11, 2009 1:55 pm

Hello,

I am planning to configure Fail-Over using Multi-Homing (with Single ISP) with BGP in Mikrotik. Please find the requirements below:

1) Peering with 2 Juniper Routers at ISP side
2) We don't have a Public AS
3) ISP will provide 2 physical 10Mbps links from both their BGP Routers which will be terminating on Mikrotik
4) Need to configure Mikrotik in such a way that one of the links will be Primary and the second a Back-Up which comes UP immediately when the primary goes down.
5) ISP will provide 3 Public /27 Networks.


Please suggest the required configuration to be done in Mikrotik and revert if you need any additional information.......


Regards
Rakesh
 
thiele
newbie
Posts: 44
Joined: Mon Jun 01, 2009 5:08 pm
Location: Curitiba - Brasil

Re: BGP Configuration

Fri Dec 11, 2009 2:36 pm

Hi rock!

I have a similar configuration here; I think the major difference is I'm using two boards.

As said before, my setup has two RB1000 and I have one BGP session established with my ISP on each board. Then, to use only one link I'm sending a different, greater metric on my backup session.

At the LAN side I made a VRRP interface to establish default gateway fail-over.

Good tips for that configuration are:
- Keep both BGP sessions up all the time; when the primary goes down your ISP will automatically use the backup one
- Remember to set a bigger metric on BGP outgoing policies at your backup session
- You can keep an extra BGP session between your boards, so if the primary session with your ISP goes down and the local interface of your master board is still up you can get all routes from your backup dynamically. If you don't have memory to do that, just send a default route thru BGP or use a static route with low preference.

Well, if you want to use only one board all you need to do is establish two sessions, and in your backup session policies you will send a higher metric for outgoing prefixes and set a lower local-preference for received prefixes.

/routing filter
add action=passthrough chain=globalx-out comment="" disabled=no invert-match=no set-bgp-med=200
add action=passthrough chain=globalx-in comment="" disabled=no invert-match=no set-bgp-local-pref=80

Good luck
Jorge
 
rockinb4u
Frequent Visitor
Topic Author
Posts: 52
Joined: Thu Aug 06, 2009 8:45 am

Re: BGP Configuration

Fri Dec 11, 2009 3:51 pm

Thanks George for your prompt response... I am running Mikrotik v3.28 on an X-86 Server with RAM-2GB, 4 Processors and 4 NIC cards, so I suppose there won't be any Device level constraints.

Will be great if you can provide me with the detailed IBGP configuration of my setup with the below example parameters as this is the first time I am going for BGP in Mikrotik :

ISP Gateway 1 : 192.168.1.1/30
ISP Gateway 2 : 192.168.2.1/30

Mikrotik Ether 1 : 192.168.1.2/30
Mikrotik Ether 2 : 192.168.2.2/30

LAN Pools provided by ISP : 172.16.1.0/27 & 172.16.1.128/25

AS Number : 65501


Please suggest......


Regards
Rakesh
 
dyrdymal
just joined
Posts: 24
Joined: Thu Nov 26, 2009 9:15 pm
Location: IE/PL

Re: BGP Configuration

Fri Dec 11, 2009 5:21 pm

metric is not the best way to influence incoming traffic (in fact there's no best way at all to do this) - it depends if upstream ISP accepts MED (some don't - they just reset MED to 0 for any external peering and they're allowed to do that - it's their AS and they don't really have to trust other ASes). Another way would be to modify AS-PATH (AS-PATH prepending). I'm pretty sure it can be done with Mikrotik.
In general - there's no best way to control incoming traffic and that's because incoming traffic is something that we don't have full control on...
Another suggestion - if you have two uplinks to two separate routers - use two routers on your side. You'd have much, much better resilience (I'd say you've got much better chance for your RB to go down than their Junipers or links...)
Yet another suggestion - if you don't have BGP experience be very, very careful... Your ISP won't be happy if you start advertising something that you don't own or if you start flapping the link constantly ;-)

Just my 2 cents...
 
sindutzz
just joined
Posts: 22
Joined: Wed Nov 12, 2008 4:53 am

Re: BGP Configuration

Sun Dec 13, 2009 7:04 pm

rockinb4u wrote:
> Thanks George for your prompt response... I am running Mikrotik v3.28 on an X-86 Server with RAM-2GB, 4 Processors and 4 NIC cards, so I suppose there won't be any Device level constraints.
>
> Will be great if you can provide me with the detailed IBGP configuration of my setup with the below example parameters as this is the first time I am going for BGP in Mikrotik :
>
> ISP Gateway 1 : 192.168.1.1/30
> ISP Gateway 2 : 192.168.2.1/30
>
> Mikrotik Ether 1 : 192.168.1.2/30
> Mikrotik Ether 2 : 192.168.2.2/30
>
> LAN Pools provided by ISP : 172.16.1.0/27 & 172.16.1.128/25
>
> AS Number : 65501
>
> Please suggest......
>
> Regards
> Rakesh

I have done it before.
Make sure you create peer setup to 192.168.1.1 & 192.168.2.1

To do FAIL-OVER for the UPSTREAM :

1. You need to receive the full Internet prefixes from your main peer (192.168.1.1). It is about 300k prefixes today.
2. Block any prefix received from the backup peer (192.168.2.1)
3. Set your default gateway to the backup gateway (192.168.2.1)

By doing this, in a normal situation, your routing table will have 300k prefix routes with 192.168.1.1 as the next hop. These routes have higher priority than the default gateway (192.168.2.1). So any packet going to the internet will use 192.168.1.1 as the gateway.
When the main link fails and the peering to the main gateway is terminated, those routes will be removed from the routing table after 180 seconds (the default "hold-time" setting; you can set it smaller), then any packet going to the internet will use the default gateway (192.168.2.1).

To do FAIL-OVER for DOWNSTREAM

OK, we know that a route with a smaller segment has higher priority.
For example, if we have 2 routes on our router like these:
202.46.150.0/24 via 202.0.0.1
202.46.150.0/25 via 202.0.0.2
Any packet directed to 202.46.150.5 will be passed to 202.0.0.2 by our router, right?

So what you need to do is :
1. Advertise 172.16.1.0/27 & 172.16.1.128/25 to your backup peer (192.168.2.1).
2. And advertise 172.16.1.0/28, 172.16.1.16/28, 172.16.1.128/26, 172.16.1.192/26 to your main peer (192.168.1.1).

By doing this, in a normal situation, your isp main router (I believe this router is located above 192.168.1.1 (R1) & 192.168.2.1 (R2) and closer to the internet) will have 6 active routes :
172.16.1.0/28 via (R1)
172.16.1.16/28 via (R1)
172.16.1.128/26 via (R1)
172.16.1.192/26 via (R1)
172.16.1.0/27 via (R2)
172.16.1.128/25 via (R2)
In this situation, the first 4 routes have higher priority, right? The isp main router will always use R1 to reach your network.

When your main link goes down, the first 4 routes will be removed from the isp main router and your isp main router will use R2 to reach your network. How long the router takes to remove the routes depends on the isp main router hold-time setting and you can not do anything. What you have to do is just wait.
If your isp set the hold-time to 30 minutes, you have to wait 30 minutes before your backup works.

I hope you get the idea. It works well for me. What we need to worry about is the ISP hold-time setting. So make sure you ask your ISP about their hold-time setting.

Actually, AS prepending also works to fail-over the downstream, but since I'm using a public AS and not all routers in the internet allow AS prepending, I do not use it. Just make sure you consult your ISP when you want to use AS prepending.

I hope it helps ;)
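
The downstream scheme in the post above, modelled as an added example (not part of the original thread): it checks that the more-specific prefixes sent to the main peer stay inside the ISP-assigned blocks and collapse back to exactly the aggregates, then applies longest-prefix match with the main session up and down. The prefixes and the R1/R2 labels come from the post; the function names are hypothetical.

```python
import ipaddress as ip

# Values from the thread: ISP-assigned blocks and what each peer is sent.
ALLOCATED = [ip.ip_network("172.16.1.0/27"), ip.ip_network("172.16.1.128/25")]
TO_MAIN = ["172.16.1.0/28", "172.16.1.16/28", "172.16.1.128/26", "172.16.1.192/26"]
TO_BACKUP = ["172.16.1.0/27", "172.16.1.128/25"]


def outside_allocation(prefixes, allocated=ALLOCATED):
    """Return advertised prefixes that are not inside any assigned block."""
    nets = [ip.ip_network(p) for p in prefixes]
    return [str(n) for n in nets if not any(n.subnet_of(a) for a in allocated)]


def covers_exactly(specifics, aggregates):
    """True if the more-specifics collapse back to exactly the aggregates."""
    collapsed = ip.collapse_addresses(ip.ip_network(p) for p in specifics)
    return sorted(collapsed) == sorted(ip.ip_network(a) for a in aggregates)


def build_table(main_up=True, backup_up=True):
    """Routes the upstream ISP router holds, as (network, next_hop) pairs."""
    table = []
    if main_up:
        table += [(ip.ip_network(p), "R1") for p in TO_MAIN]
    if backup_up:
        table += [(ip.ip_network(p), "R2") for p in TO_BACKUP]
    return table


def next_hop(dst, table):
    """Longest-prefix match: the most specific covering route wins."""
    addr = ip.ip_address(dst)
    matches = [(net.prefixlen, hop) for net, hop in table if addr in net]
    return max(matches)[1] if matches else None
```

Running `outside_allocation` over the planned announcements before enabling a session catches a prefix that falls outside the assigned blocks, which is the mistake the earlier reply warns about.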
 
thiele
newbie
Posts: 44
Joined: Mon Jun 01, 2009 5:08 pm
Location: Curitiba - Brasil

Re: BGP Configuration

Mon Dec 14, 2009 7:45 pm


rockinb4u wrote:
> ISP Gateway 1 : 192.168.1.1/30
> ISP Gateway 2 : 192.168.2.1/30
>
> Mikrotik Ether 1 : 192.168.1.2/30
> Mikrotik Ether 2 : 192.168.2.2/30
>
> LAN Pools provided by ISP : 172.16.1.0/27 & 172.16.1.128/25
>
> AS Number : 65501
>
> Please suggest......
>
> Rakesh

Hey,

Look at this configuration; it's simple but you can use it as a sample:
CON01: Master
CON02: Backup

==============================================
/ip address
add address=192.168.1.2/30 broadcast=192.168.1.3 comment="" disabled=no interface=ether1 network=192.168.1.0
add address=192.168.2.2/30 broadcast=192.168.2.3 comment="" disabled=no interface=ether2 network=192.168.2.0
add address=<lan address> broadcast=<bcast lan> comment="" disabled=no interface=ether3 network=<lan>

/routing bgp instance
set default as=65501 client-to-client-reflection=no comment="" disabled=no ignore-as-path-len=no name=default out-filter="" redistribute-connected=no \
redistribute-ospf=no redistribute-other-bgp=no redistribute-rip=no redistribute-static=no
/routing bgp network
add disabled=no network=172.16.1.0/27 synchronize=no
add disabled=no network=172.16.1.128/25 synchronize=no
/routing bgp peer
# CON01 = master session. tcp-md5-key is left empty, i.e. no TCP MD5 authentication on the session.
add address-families=ip comment="" default-originate=never disabled=no hold-time=3m in-filter=con01-in instance=default multihop=no name=CON01 \
nexthop-choice=default out-filter=con01-out remote-address=192.168.1.1 remote-as=<ISP ASN> remove-private-as=no route-reflect=no tcp-md5-key="" ttl=\
default
# CON02 = backup session. It uses its own chains (con02-in / con02-out) so the filters below apply to it.
add address-families=ip comment="" default-originate=never disabled=no hold-time=3m in-filter=con02-in instance=default multihop=no name=CON02 \
nexthop-choice=default out-filter=con02-out remote-address=192.168.2.1 remote-as=<ISP ASN> remove-private-as=no route-reflect=no tcp-md5-key="" \
ttl=default

/routing filter
# Backup inbound: set a lower local-pref on received prefixes so routes learned via CON01 win.
add action=passthrough chain=con02-in comment="" disabled=no set-bgp-local-pref=80
# Backup outbound: send a higher MED so the ISP prefers the CON01 session.
add action=passthrough chain=con02-out comment="" disabled=no set-bgp-med=200

===============================================
Don't forget to make the right filters for con01 too!

I'm using MED for one reason: if you have a 3rd connection with any other ISP, the
prepends can force traffic to that ISP when your master connection goes down.
All good ISPs have the following policies for metrics:

Metric FROM customers: Accept changes
Metric TO customers: Send default
Metric FROM peers: Do NOT accept changes
Metric TO peers: Do NOT send changes

but you can always use prepend if you prefer or your ISP doesn't like metrics! :)

regards!
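
The MED-versus-prepend question raised in this thread (an ISP may reset MED to 0; AS-PATH prepending is the alternative), modelled as an added example that is not code from any poster. It uses a deliberately simplified decision order (local-pref, AS-path length, MED); the session names and the values 80 and 200 come from the configuration above, while a MED of 0 and default local-pref of 100 on CON01 are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    session: str           # CON01 (master) or CON02 (backup), as in the post
    local_pref: int = 100  # assumed default when no filter sets it
    as_path_len: int = 1   # 1 = just the customer AS, more = prepended
    med: int = 0           # assumed 0 on CON01


# Simplified decision order; real BGP has further steps around these.
STEPS = (
    ("local-pref", lambda p: -p.local_pref),  # higher wins
    ("as-path", lambda p: p.as_path_len),     # shorter wins
    ("med", lambda p: p.med),                 # lower wins
)


def select(a, b):
    """Return (preferred session, attribute that decided it)."""
    for name, key in STEPS:
        if key(a) != key(b):
            return min(a, b, key=key).session, name
    return None, "later tie-breakers"


def outbound_choice(backup_local_pref=80):
    """Customer router: which session its own traffic leaves on."""
    return select(Path("CON01"), Path("CON02", local_pref=backup_local_pref))


def inbound_choice(backup_med=200, backup_prepends=0, isp_resets_med=False):
    """ISP side: which session it uses to reach the customer prefixes."""
    med = 0 if isp_resets_med else backup_med
    backup = Path("CON02", as_path_len=1 + backup_prepends, med=med)
    return select(Path("CON01"), backup)
```

When the ISP resets MED and no prepend is configured, `inbound_choice` returns `(None, "later tie-breakers")`: the customer no longer controls which link carries incoming traffic.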
 
RK
Long time Member
Posts: 565
Joined: Tue Nov 21, 2006 11:22 am
Location: Winnipeg, Canada and Central America

Re: BGP Configuration

Tue Dec 15, 2009 10:05 am

This doesn't look like something to be used with BGP.
BGP is normally for multiple paths on the Internet, not in the LAN.

You probably just need a basic gateway ping and failover configuration.
 
keefe007
Member Candidate
Posts: 125
Joined: Sun Jun 25, 2006 3:01 am

Re: BGP Configuration

Thu Feb 25, 2010 2:07 am

dyrdymal wrote:
> metric is not the best way to influence incoming traffic (in fact there's no best way at all to do this) - it depends if upstream ISP accepts MED (some don't - they just reset MED to 0 for any external peering and they're allowed to do that - it's their AS and they don't really have to trust other ASes). Another way would be to modify AS-PATH (AS-PATH prepending). I'm pretty sure it can be done with Mikrotik.
> In general - there's no best way to control incoming traffic and that's because incoming traffic is something that we don't have full control on...
> Another suggestion - if you have two uplinks to two separate routers - use two routers on your side. You'd have much, much better resilience (I'd say you've got much better chance for your RB to go down than their Junipers or links...)
> Yet another suggestion - if you don't have BGP experience be very, very careful... Your ISP won't be happy if you start advertising something that you don't own or if you start flapping the link constantly ;-)
>
> Just my 2 cents...

Can you give us an example configuration using two routers?