Posted on August 18, 2020 3:22 am
 |  Asked by Lukasz Gogolin


I’m playing with BGP ECMP to load traffic across our load-balancers, and I’ve hit a problem that I do not know how to solve. Internally everything works fine, but I’m unable to present the Public IP on the uplinks of the Core Edge Routers.

I will mention that I do not have MGMT access to the Core Edge Routers – those are routers of our ISP.
I’ve also attached a diagram of how things look.

WDC02-SC3-03A-C35-AGG-SW01#show ip bgp
BGP routing table information for VRF default
Router identifier, local AS number 65534
Route status codes: s – suppressed, * – valid, > – active, # – not installed, E – ECMP head, e – ECMP
S – Stale, c – Contributing to ECMP, b – backup, L – labeled-unicast
Origin codes: i – IGP, e – EGP, ? – incomplete
AS Path Attributes: Or-ID – Originator ID, C-LST – Cluster List, LL Nexthop – Link Local Nexthop

Network Next Hop Metric LocPref Weight Path
* >Ec 0 100 0 65500 i
* ec 0 100 0 65500 i


The thing is that our Public IPs are provided to us as an Access Port:

WDC02-SW01#show running-config interfaces Port-Channel 999
interface Port-Channel999
switchport access vlan 10
mlag 999
WDC02-SW01#show running-config interfaces Ethernet 48
interface Ethernet48
speed forced 1000full
no ip attached-routes
channel-group 999 mode active


What I was able to do, and this was for testing purposes, is this hacky way to be able to reach the IP from the outside:

WDC02-SW01#conf t
WDC02-SW01(config)#interface Vlan 10
WDC02-SW01(config-if-Vl10)#ip address virtual
WDC02-SW01(config-if-Vl10)#no ip address virtual


After this, once the Core Edge Routers learn the IP, I am able to reach the Public IP for around 20-30 min (I guess it’s the ARP aging time on the edge routers).

I know private BGP between me and the ISP would solve the problem, but the case is that this switch should have its default GW set to our Firewall (NAT).

WDC02-SW01#show ip route

Gateway of last resort:
S [1/0] via, Vlan72
C is directly connected, Vlan72
B E [100/0] via, Vlan101
                                                         via, Vlan101


Is there any way to somehow spoof this IP on the uplink interface so that the Edge Routers would know where to forward traffic for ?

Posted by Alexis Dacquay
Answered on August 18, 2020 10:39 am

Hi Lukasz,

The diagram device names don't match the CLI outputs you provide; can you clarify?
What do you call Core Edge: the and 189 routers, or the Core LAN switches?

Which devices are "WDC02-SC3-03A-C35-AGG-SW01" on your diagram?
Are WDC02-SW01 the ToR LAN switches?

There are some missing pieces: for example, do you advertise the subnet in BGP by redistributing connected, or the specific subnet?
How do you advertise the routing from SW01 to the Core?

Why do you remove the public subnet from the SVI (L3 VLAN interface), if you wish that to remain?

To advertise a BGP prefix, you can either:
- advertise a connected L3 interface like you did, but it has to stay (don't remove the IP address)
- advertise a subnet with a network statement in BGP. In this method the route must exist in the routing table, so you may need to configure a static route for pointing to null0

In either case, you don't know what the ISP router allows out. They might have a prefix-list that only allows other prefixes to be advertised. Can you confirm whether they already advertise your today, or do they not advertise it and you are trying to sneakily(?) make them advertise it?
Or are you just trying to attract one and only one IP specific address?

Advertising a new subnet should be negotiated with your ISP, to make sure they allow it.

Can you clarify what exact subnet you want to advertise: or
If the ISP router accepts it, you can just advertise the /32 (, not the /26 (180/26 isn't a valid route). By advertising a more specific route, the ISP router would naturally follow the longest-prefix-length route, being the /32.
But it relies on the ISP router accepting a more specific route. They might not accept it.

In conclusion,
If you want only to attract traffic to, then you can simply:
1) let your LB advertise these /32 by routing
2) or let your ToR LAN switch advertise the by routing protocol. It will automatically propagate to the Core LAN and then to the Core edge ISP. It seems you might already have BGP there, which is good.
Use static route pointing to the LB's private IP.
3) last option, advertise the from the Core LAN switches (but the ToR LAN needs to continue routing too, so it ends up being more work than option 2)

I would recommend 1) if you can do it on the LB. Some servers and appliances support routing protocols (built-in or by adding agents like ExaBGP, Bird, etc.).
If not, then option 2): it's pure networking, so you can do everything yourself.
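Option 2 from the answer above, written out as an Arista EOS configuration for the ToR switch. This is an added illustration, not configuration from the thread or from either poster; the public host 203.0.113.180/32, the LB private IP 10.72.0.5, the Core LAN peer 10.101.0.1 and the policy names are placeholders that stand in for the addresses elided in the thread.

```eos
! Added example (not from the thread): EOS config implementing option 2.
! Placeholders: 203.0.113.180/32 = public VIP to attract,
!               10.72.0.5        = LB private IP (reached via Vlan72),
!               10.101.0.1       = Core LAN BGP peer (Vlan101), AS 65500.
!
! The host route must exist in the RIB before BGP will originate it.
ip route 203.0.113.180/32 10.72.0.5
!
! If a whole block were to be originated instead, it would be anchored on
! Null0; the /32 above still wins on the ISP side by longest prefix match.
! ip route 203.0.113.128/26 Null0
!
! Only the intended prefix leaves towards the Core; extend the list with
! whatever SW01 already advertises today so existing routing is unchanged.
ip prefix-list PUBLIC-VIPS seq 10 permit 203.0.113.180/32
!
route-map TO-CORE permit 10
   match ip address prefix-list PUBLIC-VIPS
!
router bgp 65534
   neighbor 10.101.0.1 remote-as 65500
   neighbor 10.101.0.1 route-map TO-CORE out
   network 203.0.113.180/32
!
! Verify: the prefix is originated locally and actually sent to the peer.
! show ip bgp 203.0.113.180/32
! show ip bgp neighbors 10.101.0.1 advertised-routes
```

Whether the Core edge routers then accept and re-advertise the /32 upstream is still up to the ISP's inbound policy, as the answer notes.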

