This is something you don’t typically see on the Internet. Or perhaps I wasn’t searching hard enough. When I was learning BGP in 2013, everything in my lab was beautiful. I was able to form neighbors, advertise my networks, do some filtering, etc. But I always wondered: what about in the real world? What is the process to obtain BGP for a business and advertise public addresses to the outside world?
I searched the internet countless times for how to acquire and configure BGP for a business, and found nothing. The way I learned was by working for a few companies that wanted me to implement BGP for different sites, including data centers.
Long story short, I had to do a lot of digging to get this going. I had to contact my internet provider, do some research, and contact my regional Internet registry (RIR), in this case ARIN. It took some time, but after filling out some forms and showing justification for why I needed a /24 block, my request was granted.
So, if you have never done this before or don’t know where to start, don’t stress out. I’ve got you covered. I will show you the process for requesting IP addresses and an ASN, followed by the peering process with the ISP.
But first of all, let me emphasize that the BGP peering I will talk about is multihomed, and let me tell you why. In my experience, acquiring BGP with a single point of failure doesn’t make sense: if I lose the circuit, the whole organization is down for God knows how long. However, the scenario may vary for some organizations. There are different types of topologies, such as single-homed, dual-homed, and multi-homed. See the image below.
Now, let me explain why multihoming. I’ve never encountered a single-homed environment unless the budget was tight or there were special requirements. The environments I’ve seen always have two internet providers; for example, Verizon is the primary circuit and Cogent is the backup circuit. If one link goes down, traffic falls back to the backup circuit.
Picture this for a second. Suppose that you’ve purchased a block of /24 public addresses, say 203.0.113.0/24 (an RFC 5737 documentation prefix, used throughout this article as a stand-in for your real assignment). That gives you 203.0.113.1 through 203.0.113.254, 254 usable addresses to NAT to and from as needed.
Now, let’s presume that you have 150 web servers visible to the Internet. If one of your Internet connections goes down, you still have the backup connection to fall back on, and your clients can still reach those 150 web servers via the same public addresses in 203.0.113.0/24, because the /24 is advertised through both providers. That’s awesome, right?
Look at this multi-homed design.
Let me break this configuration down for you.
You have two internet service providers, Verizon and Cogent. The Verizon line runs at 1 Gbps, and Cogent at 500 Mbps. Verizon has priority over Cogent for incoming traffic because of AS-path prepending on the Cogent side: by adding your own ASN to the path you announce to Cogent, that path looks longer to the rest of the Internet, so most networks pick the Verizon path. We can talk about this in more detail later, but the idea is that you can influence which link carries the incoming traffic. It depends on what you agree with the providers, and manipulating incoming traffic can be tricky: prepending is a hint, not a guarantee, since a remote network’s own local preference (for instance, a Cogent customer preferring its Cogent route) wins over AS-path length.
Outbound traffic is the other direction, and here you are in full control; this type of configuration doesn’t involve your ISP at all. By setting the “local preference” attribute on the default routes you receive from each provider, you decide which link your network exits through, whether that is primary/backup or load sharing across both. It works because the two edge routers exchange those routes over iBGP, so every router in your AS agrees on the same exit.
In the figure, the Verizon circuit is simulated as down due to a wiring issue on the ISP side. As you can see, the Cogent line is still functional, allowing internal and external networks to communicate.
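Here is what those two knobs look like on a pair of Cisco IOS-style edge routers, as an added example rather than configuration from this article. The ASNs (Verizon 100, Cogent 200, you 54555) and the /24 follow the article’s examples; the link addresses 192.0.2.0/30 and 198.51.100.0/30, the iBGP addresses 10.0.0.1 and 10.0.0.2, and the route-map names are assumptions taken from the documentation ranges.

```ios
! ===== R1: Verizon edge (primary for both directions) =====
! Assumed addressing: Verizon side 192.0.2.1, our side 192.0.2.2.
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
ip prefix-list OUR-PI seq 5 permit 203.0.113.0/24
!
! "network" only announces a prefix that is in the routing table, so
! anchor the /24 on Null0 (unused addresses are dropped here too).
ip route 203.0.113.0 255.255.255.0 Null0
!
! Outbound steering: the default learned from Verizon gets a higher
! local preference, so every router in AS 54555 exits via Verizon
! for as long as that default is present.
route-map VZ-IN permit 10
 match ip address prefix-list DEFAULT-ONLY
 set local-preference 200
!
! Verizon is the preferred inbound path: announce the /24 as-is.
! A permit-only route-map also drops everything that does not match.
route-map VZ-OUT permit 10
 match ip address prefix-list OUR-PI
!
router bgp 54555
 neighbor 192.0.2.1 remote-as 100
 neighbor 192.0.2.1 description Verizon (AS 100)
 neighbor 192.0.2.1 route-map VZ-IN in
 neighbor 192.0.2.1 route-map VZ-OUT out
 ! iBGP to the Cogent edge so both routers see both defaults
 ! (an iBGP session to the firewall follows the same pattern).
 neighbor 10.0.0.2 remote-as 54555
 neighbor 10.0.0.2 next-hop-self
 network 203.0.113.0 mask 255.255.255.0
!
! ===== R2: Cogent edge (backup for both directions) =====
! Assumed addressing: Cogent side 198.51.100.1, our side 198.51.100.2.
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
ip prefix-list OUR-PI seq 5 permit 203.0.113.0/24
ip route 203.0.113.0 255.255.255.0 Null0
!
! Local preference 100 (the IOS default) is lower than the 200 set
! on R1, so Cogent carries outbound traffic only when Verizon's
! default has been withdrawn.
route-map COGENT-IN permit 10
 match ip address prefix-list DEFAULT-ONLY
 set local-preference 100
!
! Inbound steering: prepend our own ASN twice, so from the Internet
! the path via Cogent (200 54555 54555 54555) is two hops longer
! than the path via Verizon (100 54555).
route-map COGENT-OUT permit 10
 match ip address prefix-list OUR-PI
 set as-path prepend 54555 54555
!
router bgp 54555
 neighbor 198.51.100.1 remote-as 200
 neighbor 198.51.100.1 description Cogent (AS 200)
 neighbor 198.51.100.1 route-map COGENT-IN in
 neighbor 198.51.100.1 route-map COGENT-OUT out
 neighbor 10.0.0.1 remote-as 54555
 neighbor 10.0.0.1 next-hop-self
 network 203.0.113.0 mask 255.255.255.0
```

When Verizon’s default disappears, the Cogent default is the only one left in the BGP table and outbound traffic moves over with no further change; when it comes back, the higher local preference pulls traffic back to Verizon. Inbound, networks that have no policy of their own pick the shorter Verizon path, but a Cogent customer will usually still reach you via Cogent. Verify what you are sending with `show ip bgp neighbors 198.51.100.1 advertised-routes`, which shows the prepended path, and note that because each outbound route-map only permits OUR-PI, a full table learned from one provider can never leak to the other.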
The edge routers. (*By the way, you can use any type of L3 appliance for the edges, for instance, a switch. It doesn’t have to be routers).
These routers are the ones doing eBGP and iBGP, and they belong to your company. Each edge peers over eBGP with its own provider (upstream) and over iBGP with the other edge and with your perimeter device (downstream). Each provider has a different ASN, and so do you.
For example, Verizon has ASN 100 and Cogent ASN 200. Then you have your own public ASN, 54555 as an illustration. After completing the justification and request process, you’d get a similar ASN from ARIN. This is the ASN you peer with your internet providers under, and it is what the rest of the world sees as the origin of your routes. You’ll also get your assigned subnet, 203.0.113.0/24 in this article, to use and advertise to the outside world. Remember, this is the network you are going to use for SNAT and DNAT.
The Core Network
Lastly, your firewalls, which are the perimeter of your network, connect your upstream (edge) and downstream (core) networks. They run two routing protocols, BGP and OSPF. The edges forward the routes they learn, including the default route, to the firewall over iBGP. The firewall then redistributes the default route it received from BGP towards the downstream core switch via OSPF. *You could also redistribute selected BGP routes, such as your public /24, into OSPF if the core needs them.*
NOTE: The firewall (or any device acting as the perimeter) runs OSPF. This is needed to pass the default route you received via iBGP downstream to the switches, so the switch knows where to forward a packet when the destination is not in its forwarding table.
* You don’t necessarily need to use OSPF; there are other ways to propagate a default route, but for the sake of this article I’m using OSPF. *
To summarize what I just shared, BGP multihoming is the most recommended option because of its fault tolerance. It avoids a single point of failure by having another circuit to fall back on if the primary circuit fails. But remember, the topology you choose will depend on your business requirements.
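Below is an added example (not from the original article) of the perimeter piece on a Cisco IOS-style device: iBGP sessions to the two edges and OSPF toward the core. Assumed: the edges are 10.0.0.1 and 10.0.0.2, the firewall’s OSPF router-id is 10.0.0.3, the internal networks live in 10.1.0.0/16, and the public block is 203.0.113.0/24 as used elsewhere in this article.

```ios
! ===== FW: perimeter device running iBGP + OSPF =====
router bgp 54555
 ! iBGP sessions to both edges; each edge sends its provider's default
 ! with next-hop-self, so the firewall sees both and picks the one
 ! with the higher local preference.
 neighbor 10.0.0.1 remote-as 54555
 neighbor 10.0.0.1 description R1 (Verizon edge)
 neighbor 10.0.0.2 remote-as 54555
 neighbor 10.0.0.2 description R2 (Cogent edge)
!
ip prefix-list PUBLIC-PI seq 5 permit 203.0.113.0/24
!
! Only the public /24 may cross from BGP into OSPF. Without this
! route-map a later change to the inbound filters on the edges could
! dump whatever BGP learned straight into the core's OSPF database.
route-map BGP-TO-OSPF permit 10
 match ip address prefix-list PUBLIC-PI
!
router ospf 1
 router-id 10.0.0.3
 network 10.1.0.0 0.0.255.255 area 0
 ! Originate 0.0.0.0/0 into OSPF only while a default route exists in
 ! this device's own routing table (the one learned from BGP). There is
 ! deliberately no "always" keyword: if both upstreams are down, the
 ! default is withdrawn and the core stops sending Internet-bound
 ! traffic toward a dead edge.
 default-information originate
 ! Optional: push the public /24 to the core through the filter above.
 ! "redistribute" never injects a default route into OSPF; that is
 ! what default-information originate is for.
 redistribute bgp 54555 subnets route-map BGP-TO-OSPF
```

Check the result from the core switch: `show ip route 0.0.0.0` should show an OSPF external default pointing at the firewall, and it should disappear within the OSPF LSA timers after both eBGP sessions are shut, which is the failure mode you want to test before going live.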
How do you acquire BGP for your business?
Here is what you need to do
- Request a /24 block of IP addresses via https://arin.net. This requires a request form and a justification.
- Obtain a public ASN via https://arin.net. This goes together with the first item.
- Contact your ISP to kick off the process. The public addresses currently on your circuit will probably be replaced by a small point-to-point subnet (a /30 or similar) for the peering link.
- Optional: have your environment ready before the ISP migration. They will normally use the circuit you already have and replace the public IP addresses you hold today (remember, this is a migration from regular service to BGP service). On rare occasions they install a new circuit at your premises, so that once you are ready they can turn it up and start testing.
Links for Peering
The ISP may replace your current addressing with new link networks. These could be a /29, /30 or /31, and they are only there to form the neighborship. Once the sessions are up, what you advertise to the ISP is the subnet ARIN assigned you, 203.0.113.0/24 in this article; the link networks normally come out of the ISP’s own space and do not need to be announced by you.
Also, you will need to filter the routes coming from your ISP and accept ONLY the default route. Let’s be frank: you don’t want the full Internet table, close to a million IPv4 prefixes, in your routing table, and with one default route from each provider the edge has everything it needs to fail over.
How to obtain the addresses?
Provider-assigned (PA) and provider-independent (PI) are the two ways to obtain addresses.
Let’s start with provider-assigned. Your ISP can allocate addresses to you; for example, if you are looking for a /25 or /26, the ISP can provide such networks. The downside is that you cannot take them to another provider, and, even worse, if you later need more space the ISP may renumber you into a different block.
Let’s imagine your business is growing and you need 62 usable hosts (a /26) for NAT purposes. This type of request requires a justification covering the next 6 to 12 months. You may need to fill out a form, and the ISP may charge a fee.
Provider-independent space (the widely used option) is assigned to you directly by the registry, which means your 203.0.113.0/24 is NOT tied to a particular provider such as Cogent or Verizon. This is what makes it possible to announce the same block through multiple ISPs, and you can take it with you if you leave your current ISP.
To obtain the block, you contact the Regional Internet Registry (RIR) for your part of the world. Here in the USA that is ARIN; Latin America has LACNIC; Europe, the Middle East and Central Asia have RIPE NCC, etc. That implies an annual fee and a justification of how many addresses you will need over the next year or two.
For the justification form, here is the link: https://www.arin.net/resources/guide/request/Internet_Services-Example-Util.ods
Here are the steps to obtain a provider Independent (PI) and start the BGP process.
- Visit https://www.arin.net/
- Create an account if you don’t have one.
- Submit the request with your justification. If you need help, you can give them a call, but the process is simple: https://www.arin.net/contact/
- Contact your ISP, tell them about your request, and find out what they need from you to proceed.
- Once the request is approved, you need to prepare the environment.
Optional – IPv6.
Believe it or not, we have run out of IPv4: ARIN’s free pool was exhausted in 2015, so new IPv4 requests go onto a waiting list or are met through the transfer market. That’s where IPv6 comes in. You can go dual-stack so you route both IPv4 and IPv6, and you request IPv6 space from ARIN the same way. Same concept, but simpler, and the block is larger: the longest IPv6 prefix most networks will accept in the global table is a /48.
How to obtain your public ASN?
Public ASNs are allocated by ARIN or whichever RIR serves your region. Once everything gets approved, you’ll get a public ASN such as “ASN 54555” (this is only an example).
You will need an ASN to peer with your ISP and be known to the world. You can use a private or a public one, but for multihoming you want a public one: a private ASN (64512 to 65534) only works if a single ISP strips it from the path and originates your prefix as its own, which falls apart when two unrelated providers each need to carry your /24, and again when you later want to peer with other service providers.
To request an ASN, click here: https://www.arin.net/resources/guide/asn/. You’ll need to log in to fill out the form.
Okay, so let’s suppose that ARIN got back to you with the request approved. Now you have your BGP ASN and your public block, 203.0.113.0/24 in this article.
The next step is working with the ISP to kick off the process. There will be another application form for you to fill out, one per ISP. This is needed to gather some information about your peering, for instance how you would like to peer with Verizon and Cogent.
This is what the ISPs will ask you.
- The addressing between you and the ISP (the link /30 or similar).
- The ASN you want to use.
- What kind of session authentication you’d like: none or TCP MD5 (RFC 2385). Always choose MD5 (or TCP-AO where both sides support it); an unauthenticated session can be reset or hijacked by anyone able to spoof TCP segments between you and the ISP.
- Routing type and filtering (for example, default route only inbound, your /24 only outbound).
- Perhaps some more.
How do you advertise your routes?
So, I’m sure at this point you’re happy: you have your ASN and your block of addresses, and you are peering with the ISP. Now we need to advertise some routes to your ISP. There’s something to keep in mind, though. Your ISP will filter what you send them, so you need to agree on the routes you will send before the configuration. The reason is to prevent a misconfiguration on your side from leaking routes to them (the classic example is accidentally re-announcing the full table learned from one provider to the other). Providers typically build those filters from IRR route objects, and increasingly from RPKI, so register a route object and a ROA for your /24 and ASN with ARIN as part of the setup; otherwise your announcement may be dropped.
If you want to advertise your provider-independent (PI) address block, you add a network statement for it under the BGP process, and the prefix must exist in your routing table for the statement to take effect. Be aware that a /24 is the longest IPv4 prefix the Internet will generally accept: if you carve your block into /25s and announce those, your ISP and most other networks will drop them.
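Putting the inbound filtering, the session authentication the ISP’s form asks about, and the /24 announcement together, here is a hardened eBGP session on a Cisco IOS-style edge router. This is an added example, not configuration from the article; the Verizon link 192.0.2.0/30 (ISP side .1) and the placeholder <shared-secret> are assumptions, while AS 100, AS 54555 and 203.0.113.0/24 are the article’s examples.

```ios
! ===== R1: hardened eBGP session to Verizon + announcing the /24 =====
!
! "network" only announces a prefix that is present in the routing
! table. The static route to Null0 keeps the aggregate up even when an
! internal link flaps, and it drops packets for unused addresses instead
! of bouncing them between the edge and the firewall's default route.
ip route 203.0.113.0 255.255.255.0 Null0
!
! Only our own /24 may leave; only a default may enter. A prefix-list
! denies everything it does not explicitly permit, so a /25 or an
! internal 10.x route can never be announced by mistake.
ip prefix-list OUR-PI seq 5 permit 203.0.113.0/24
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
router bgp 54555
 bgp log-neighbor-changes
 neighbor 192.0.2.1 remote-as 100
 neighbor 192.0.2.1 description Verizon (AS 100)
 ! TCP MD5 (RFC 2385): the same secret must be configured on the ISP
 ! side; it is exchanged out of band on their peering form.
 neighbor 192.0.2.1 password <shared-secret>
 ! Generalized TTL security (RFC 5082): only accept BGP packets that
 ! arrive from a directly connected hop, so nobody further away can
 ! spoof the session. The ISP must enable it on their side too, or
 ! the session will not come up; leave it out until they agree.
 neighbor 192.0.2.1 ttl-security hops 1
 neighbor 192.0.2.1 prefix-list DEFAULT-ONLY in
 neighbor 192.0.2.1 prefix-list OUR-PI out
 ! Belt and braces: tear the session down if the ISP ever sends more
 ! than a handful of prefixes (a full table is hundreds of thousands).
 neighbor 192.0.2.1 maximum-prefix 10
 network 203.0.113.0 mask 255.255.255.0
```

After the session is Established (`show ip bgp summary`), confirm that `show ip bgp neighbors 192.0.2.1 advertised-routes` lists exactly 203.0.113.0/24 and that `show ip bgp` contains the single 0.0.0.0/0 from 192.0.2.1, then ask the ISP to confirm from their side that they see the same one prefix. The Cogent edge gets the identical configuration with its own link address, ASN 200 and secret.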
My final thoughts:
I hope this article has helped you understand BGP in the real world, such as how to obtain the services, what to do, and how to peer with the ISP. If you want to see the configuration for the real world, subscribe for more updates.