BGP is the de facto routing protocol deployed on the Internet. Large enterprise networks will typically run BGP on the edge of their networks to ensure that routing between the ISP and the enterprise network takes place in the best possible way.
It is possible to use BGP to modify the way that the ISP routes traffic into the enterprise network.
In this article, we’ll discuss the various ways that BGP can be used to influence incoming traffic into an enterprise network, especially for multihoming (i.e. using two ISP connections).
BGP at the network edge
Large enterprises will typically provide various network services that are housed in their own data centers within their own facilities.
In order to make these services available to users on the Internet at large, their IP addresses must be advertised on the Internet.
To do so, an enterprise will typically run BGP on the edge of its network to share those prefixes with the rest of the world.
In the diagram above, this enterprise has some Internet-accessible services running on its premises.
These network services may include things like a web server, a videoconferencing service, mobile app services of any type, or databases that are to be leveraged by hosts that are on the Internet.
Using BGP, the edge router of the enterprise advertises the address of these services so that the Internet can know how to route traffic to these services. The result is that a host on the Internet is able to access them.
However, enterprise networks will rarely have a single point of entry into their network.
For redundancy and high availability, an enterprise will have two or more connections to the Internet, often via multiple ISPs, like so.
This presents a challenge when advertising your internal routable IP addresses, especially if the enterprise network connects to the Internet via two or more links from two or more different ISPs.
When two or more ISPs are involved in this fashion, the connection is said to be “multi-homed.”
As an administrator of the enterprise network, you will want to manage the incoming traffic in such a way that your internal network policies are adhered to.
You may want one ISP link to be preferred over another, or you may want to load balance across the multiple connections you have.
Best and ethical practices
BGP can be used to influence the routing of incoming traffic, and there are various techniques you can use for this.
I’ll be examining those techniques in this article. However, before we look at how this can be achieved, there is an important aspect of these mechanisms that must be emphasized.
These mechanisms can only influence incoming traffic; they cannot dictate it. The ISPs still have ultimate control over how traffic enters your network.
Administrators of the ISPs can override all of your attempts to influence incoming traffic.
Keep in mind that any attempt to do so without prior notification or discussion may be perceived by the ISPs as hostile or unprofessional.
Thus, it is always best to talk with the ISP to let them know what you want to achieve before employing any of these mechanisms.
Using BGP to Influence Incoming Traffic
Incoming traffic can be influenced using BGP by one of the following three techniques:
- AS Path Prepending
- Adjusting the MED
- Leaking more specific routes
We’ll take a look at each one below:
AS Path Prepending
AS Path prepending operates by artificially lengthening the AS Path attribute in BGP announcements, making certain routes appear less desirable than others.
AS Path Prepending involves adding your AS number multiple times in the route-map configuration of your BGP routers, thereby making the path seem longer and less attractive.
You can share the longer AS path via one of your links to one ISP, while advertising the shorter one via the link that you want incoming traffic to prefer.
The above diagram shows how the enterprise edge router is advertising an artificially longer AS Path to the ISP2 router, causing BGP to prefer the path via the ISP1 router.
Keep in mind that overuse of this technique can lead to routing issues, so a balanced approach is advised.
Adjusting the MED
The MED (Multi-Exit Discriminator) is a BGP attribute that can be used to influence the selection of incoming traffic paths in multi-homed network environments.
The MED is a hint to external ASes, managed by the ISPs, about the preferred path into an AS that has multiple entry points.
Essentially, it’s a comparative value, where lower MED values signal a more favorable path, guiding ISPs in their routing decisions.
Configuring the MED involves setting numerical values on BGP advertisements. For instance, in a scenario with two connections to the same ISP, a lower MED can be assigned to the more preferred connection, subtly influencing the ISP’s routing choice towards your network, like so:
Remember, however, that because MED is a value that is shared between eBGP routers, the ISPs must be configured to be in a different BGP Autonomous System (AS) than the enterprise edge router. If they are in the same AS, this technique will not function.
Leaking more specific routes
Another way to influence or steer incoming traffic in BGP-enabled networks is the practice of leaking more specific routes.
This technique hinges on the BGP preference for more specific, or narrower, subnet routes over broader aggregated ones.
By strategically advertising a smaller subnet from a preferred network entry point, alongside or in place of a larger subnet, network administrators can effectively guide the flow of inbound traffic.
For instance, advertising a /28 subnet route from a desired data center will likely attract more traffic to it, compared to a less specific /24 subnet advertised elsewhere.
In the above diagram, the enterprise edge router advertises a /28 network to ISP1, compared to the /24 network advertised to ISP2. Thus, BGP routing will prefer the path via the ISP1 router.
Keep in mind however that this method demands a careful balance as its implications on the global BGP routing table are significant.
More specific routes contribute to routing table expansion, potentially burdening the enterprise’s and the ISPs’ BGP routers with increased processing loads.
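To make the three mechanisms above (AS path prepending, MED, and leaking more specific routes) concrete, here is an added Python model, not part of the original article, of the part of the BGP decision process they act on: longest-prefix match first, then shorter AS_PATH, then lower MED compared only between routes learned from the same neighboring AS. The prefix 203.0.113.0/24 and the ASNs 64496, 64497 and 64500 are constructed placeholders from the documentation ranges, and the link labels are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ENT, ISP1, ISP2 = 64500, 64496, 64497  # constructed ASNs from the documentation range

@dataclass(frozen=True)
class Route:
    prefix: str       # advertised network, e.g. "203.0.113.0/24"
    as_path: tuple    # AS_PATH as seen by the deciding router, nearest AS first
    med: int          # MULTI_EXIT_DISC attribute
    via: str          # assumed label for the link the route was learned on

def better(a: Route, b: Route) -> bool:
    """True if route a beats route b (subset of the BGP decision process)."""
    if len(a.as_path) != len(b.as_path):        # shorter AS_PATH wins
        return len(a.as_path) < len(b.as_path)
    # MED is compared only between routes from the same neighboring AS
    if a.as_path and a.as_path[0] == b.as_path[0] and a.med != b.med:
        return a.med < b.med
    return a.via < b.via                         # deterministic tie-break

def route_to(dest: str, rib: list) -> str:
    # Longest-prefix match comes first; the best path is chosen only among those routes.
    addr = ip_address(dest)
    matching = [r for r in rib if addr in ip_network(r.prefix)]
    longest = max(ip_network(r.prefix).prefixlen for r in matching)
    best = None
    for r in matching:
        if ip_network(r.prefix).prefixlen == longest and (best is None or better(r, best)):
            best = r
    return best.via

def prepending_demo() -> str:
    # Enterprise prepends its own ASN twice on the ISP2 link; a remote AS sees both paths.
    rib = [Route("203.0.113.0/24", (ISP1, ENT), 0, "isp1"),
           Route("203.0.113.0/24", (ISP2, ENT, ENT, ENT), 0, "isp2")]
    return route_to("203.0.113.10", rib)        # "isp1": shorter AS_PATH

def med_demo() -> str:
    # Two links into the same ISP: MED 10 on the preferred link, 50 on the backup.
    rib = [Route("203.0.113.0/24", (ENT,), 50, "link-a"),
           Route("203.0.113.0/24", (ENT,), 10, "link-b")]
    return route_to("203.0.113.10", rib)        # "link-b": lower MED

def more_specific_demo(dest: str) -> str:
    # /28 advertised only via ISP1, beside the /24 advertised via ISP2.
    rib = [Route("203.0.113.0/28", (ISP1, ENT), 0, "isp1"),
           Route("203.0.113.0/24", (ISP2, ENT), 0, "isp2")]
    return route_to(dest, rib)   # "isp1" for 203.0.113.5, "isp2" for 203.0.113.200
```

The last case also shows the scope of a more specific leak: only hosts inside the /28 are pulled toward ISP1, while the rest of the /24 still follows the broader advertisement.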
Conclusion
For enterprises hosting their own network services, influencing incoming traffic is of vital importance.
Using these BGP techniques, incoming traffic can be steered based on the policies and network requirements of the enterprise.
However, it is always best practice to discuss your needs with your ISPs and inform them of your intention before applying any of these methods, to ensure that you are also adhering to the policies and procedures of the ISPs to which you connect.