BGP Question

T-K-O

Hi guys,

Hoping someone can advise on BGP peering with EIR.

I have my neighbour details, remote AS and RIPE allocation but unfortunately no experience with BGP.

How do I configure the WAN interface? I have a /30 peer address and a /30 RIPE addresss. I'm a little confused as to what the WAN IP should be and what network (prefix) I should advertise

ED E

Not a network architect but a bit unusual to use BGP for two address no? Have you got your own AS for that? Calling their NOC and having them drop a static listing in their tables then configure your wan to your first address woulda been my guess at the KISS policy.

rmacm

T-K-O wrote: »

Hi guys,

Hoping someone can advise on BGP peering with EIR.

I have my neighbour details, remote AS and RIPE allocation but unfortunately no experience with BGP.

How do I configure the WAN interface? I have a /30 peer address and a /30 RIPE addresss. I'm a little confused as to what the WAN IP should be and what network (prefix) I should advertise

If you have your neighbor address, then your WAN IP address would be the remaining free address from the /30 transit network between yourself and EIR. The prefix you would advertise is the RIPE (this is probably not from RIPE unless you are an LIR) assigned prefix.

The syntax for interface and BGP configuration is platform dependent but most of the major vendors Cisco, Juniper etc. have extensive documentation online that will guide you through the configuration.

trompele

Hi, It is recently common practice by Eir. They give you BGP based handover for no reason (not for such a small subnets which are advertised as a aggregated subnet outside Eir anyway).
You probably received email with details similar to this:

interface ge1/0
description Interface ge1/0 Circuit ID INT12345678
ip address 159.X.X.YZ 255.255.255.252
duplex auto
speed auto
no shutdown

! Customer Assigned RIPE Allocation =
83.XX.XX.AB/30

router BGP 645MM
neighbor 159.X.X.CD remote-as 5466



159.X.X.YZ is ip address that you use on your WAN interface for BGP peering to Eir BGP router (159.X.X.CD)
83.XX.XX.AB/30 is a subnet allocation for for yourself.
interface ge1/0 is interface on your router that connects to Eir PE device
BGP 645MM is your local private ASN

network layout should look as follows:

(EIR-PE)159.X.X.CD

---

159.X.X.YZ (Customer CE) 83.XX.XX.01/30

---

83.XX.XX.02/30 (Customer Firewall)

Let me know if you need more explanation or help in configuring this. You basically first of all need to get that CE device (Cisco ?). Model depends on bandwidth to be used on that circuit.

T-K-O

Hi guys, Thanks for the info

So this is what I got from EIR [* IP's and AS's]

interface ge1/0
description Interface ge1/0 Circuit ID xxxxx
ip address 10.10.10.1 /30
duplex auto
speed auto
no shutdown

! Customer Assigned RIPE Allocation =
192.168.1.1/30

router BGP 77777
neighbor 10.10.10.2 remote-as 6666

---

The device is a Fortigate:
config router bgp

set as 77777
config neighbor
edit "10.10.10.2"
set remote-as 6666
next
end
config network
edit 1
set prefix 192.168.1.1/30
next
end
config redistribute "connected"
set status enable
end

Now, the 192.168.1.1/30 does not exist in my network(unless I add a static route] So I am not sure how BGP advertises that network. Do I need a router between the EIR demarc and my firewall?

T-K-O

trompele wrote: »

Hi, It is recently common practice by Eir. They give you BGP based handover for no reason (not for such a small subnets which are advertised as a aggregated subnet outside Eir anyway).
You probably received email with details similar to this:

interface ge1/0
description Interface ge1/0 Circuit ID INT12345678
ip address 159.X.X.YZ 255.255.255.252
duplex auto
speed auto
no shutdown

! Customer Assigned RIPE Allocation =
83.XX.XX.AB/30

router BGP 645MM
neighbor 159.X.X.CD remote-as 5466



159.X.X.YZ is ip address that you use on your WAN interface for BGP peering to Eir BGP router (159.X.X.CD)
83.XX.XX.AB/30 is a subnet allocation for for yourself.
interface ge1/0 is interface on your router that connects to Eir PE device
BGP 645MM is your local private ASN

network layout should look as follows:

(EIR-PE)159.X.X.CD

---

159.X.X.YZ (Customer CE) 83.XX.XX.01/30

---

83.XX.XX.02/30 (Customer Firewall)

Let me know if you need more explanation or help in configuring this. You basically first of all need to get that CE device (Cisco ?). Model depends on bandwidth to be used on that circuit.

Beat me to it!

That's great, thanks for confirming.

Cuddlesworth

ED E wrote: »

Not a network architect but a bit unusual to use BGP for two address no? Have you got your own AS for that? Calling their NOC and having them drop a static listing in their tables then configure your wan to your first address woulda been my guess at the KISS policy.

If they would like to go multi-homed, scale up with more IP's or move providers its less work for eircom overall. But it is far more work for the customer if they have never worked with BGP before.

Does anybody know if they advertise their all their internal prefix's or just a default route?

trompele

Just default route.

trompele

T-K-O wrote: »

Now, the 192.168.1.1/30 does not exist in my network(unless I add a static route] So I am not sure how BGP advertises that network. Do I need a router between the EIR demarc and my firewall?

You need router between your firewall and Eir PE. Eir offers additional service when they can provide this device (and charge you monthly for support). Tell me what is your bandwidth I will advise you on device (Cisco only) you need.

T-K-O

trompele wrote: »

You need router between your firewall and Eir PE. Eir offers additional service when they can provide this device (and charge you monthly for support). Tell me what is your bandwidth I will advise you on device (Cisco only) you need.

100Mb circuit, Cisco 3945?

trompele

Cisco 2921 will easily handle that. Since there will be no other services running on it (like NAT, ACL, VPN) but routing that one will be more than enough. I have one of these on 100 Mbps circuit and it CPU never goes beyond 10% (even with complex QoS configuration). 2921 will do around 70 Mbps of real traffic with NAT,QOS,ACL over IPsec. If you want go with 4000 series you need to look at 4331. Both routers will be over 3000€.

Cuddlesworth

If its just a default route, its probable his Fortigate firewall can easily handle it. No need for a edge router.

T-K-O

Cuddlesworth wrote: »

If its just a default route, its probable his Fortigate firewall can easily handle it. No need for a edge router.

How would that work , considering the network?

(EIR-PE)159.X.X.CD

---

159.X.X.YZ (Customer CE) 83.XX.XX.01/30

---

83.XX.XX.02/30 (Customer Firewall)

Cuddlesworth

T-K-O wrote: »

How would that work , considering the network?

(EIR-PE)159.X.X.CD

---

159.X.X.YZ (Customer CE) 83.XX.XX.01/30

---

83.XX.XX.02/30 (Customer Firewall)

Once you have a device connected to 159.x.x.yz(if its a public IP), you can do a lot of things. You could even just not implement the 83 subnet because you have a public IP regardless.

A larger company would have a edge router, into a L2 firewall and back into another internal router. But a smaller setup can get by just fine with a single firewall at the edge if its just a default route.

If you want somebody to do the config for you, go with what trompele says. But I'm really confused as to why you would request this type of circuit with this level of networking knowledge. It seems like a recipe for disaster.

trompele

159 is public but Eir will tell you not to use it for services as its belongs to their internal infrastructure. It might work now but might stop later or be filtered etc. Eir used to provide both PE and CE devices as standard in the past, but now for some reason they decoupled that and selling as separate service. My advice is to get a consultant or company that has knowledge/experience on enterprise grade WAN circuits and pay them to do that job for you. That work should cost you half of your monthly bill for that circuit. Otherwise speak to your Eir account manager about purchasing that add-on.
However if you have knowledge of networking on CCNA level get required CPE device and configure it yourself (10 lines of config on Cisco device).

T-K-O

Cuddlesworth wrote: »

Once you have a device connected to 159.x.x.yz(if its a public IP), you can do a lot of things. You could even just not implement the 83 subnet because you have a public IP regardless.

A larger company would have a edge router, into a L2 firewall and back into another internal router. But a smaller setup can get by just fine with a single firewall at the edge if its just a default route.

If you want somebody to do the config for you, go with what trompele says. But I'm really confused as to why you would request this type of circuit with this level of networking knowledge. It seems like a recipe for disaster.

I thought so too but the 159.x.x.x does not work! I don't want someone to do the config just need some advice.

T-K-O

trompele wrote: »

159 is public but Eir will tell you not to use it for services as its belongs to their internal infrastructure. It might work now but might stop later or be filtered etc. Eir used to provide both PE and CE devices as standard in the past, but now for some reason they decoupled that and selling as separate service. My advice is to get a consultant or company that has knowledge/experience on enterprise grade WAN circuits and pay them to do that job for you. That work should cost you half of your monthly bill for that circuit. Otherwise speak to your Eir account manager about purchasing that add-on.
However if you have knowledge of networking on CCNA level get required CPE device and configure it yourself (10 lines of config on Cisco device).

That is what I expected from Eir and was a little confused when I received the handover doc and no router.
I'm going to purchase the router from EIR and configure myself. Thanks again for the advice, really appreciate it!