Same BGP public ASN at two datacenters

WILLIAM STEGMAN
Level 4

I'm looking for reasons to use the same public ASN at two distinct datacenters vs. reasons to use unique ASNs at each. We're bringing a new datacenter online that will have a unique public address space of its own but must also advertise a /24 prefix operated primarily out of the active datacenter if that active datacenter fails. There will be a private layer 3 link between the datacenters used for replication, but if that link goes down I'd expect to use the internet as a failover link to support replication until the primary is brought back online. I'm only interested in receiving a default route from both ISPs. I've found posts regarding some specific scenarios and technical details related to them, but not much in the way of architecture and why someone might use either approach. Given that the datacenters are active/passive, I can't see an advantage in using iBGP between my CERs to support connectivity across both links. Plus there's a firewall issue in that the traffic would be asymmetric. And I'm not 100% on the feasibility of both datacenters using their internet link to form a tunnel if they're both using the same ASN. Maybe I could configure allowas-in on both of the CERs. But these are steps to support the use of the same ASN after the decision has been made, and again, I'm looking for the why. What advantages does using the same ASN offer, and at what cost, vs. what advantages does using a different ASN at each site offer, and at what cost?

thank you

10 Replies

Richard Pidcock
Level 1

In our environment we have your scenario (two distinctly different data centers with two different /24 address spaces). We are using the same public ASN at both sites. We worked with our providers so that we could actively advertise both /24 address spaces out of each data center. We are setting community values on the networks being sent to the provider and prepending additional ASes onto the lesser-preferred network on each side respectively. In this scenario we don't see asymmetric routing, as each public space is only allowed to communicate on its primary path unless there is a failure scenario. As for forming a tunnel between the two datacenters, I don't see two different ASNs having any bearing on forming that tunnel. As for cost advantages, you'll pay for a second registered ASN with ARIN to use the two-ASN method. I don't see a cost advantage to using two ASNs; that would actually cost you more. Hope this helps.

 

Richard W. Pidcock

Do both DCs advertise the same prefix or different ones?

Each DC has a unique prefix, but the DR DC should be able to advertise the prefix used by the primary DC if the primary DC goes offline. Similar to Richard's post above.

I think then use a different AS for each DC, since you use a primary/backup design.

The ASN identifies the organization who wants to advertise some networks. If both data centers are part of the same organization it would be reasonable that they use the same ASN.

Another aspect to consider is that BGP uses the ASN in its loop detection/avoidance mechanism. If for some reason there was a loop between the data centers, BGP would not detect the loop if the data centers used different ASNs.

HTH

Rick

Richard, this hits on one aspect I'm concerned with. Each DC will have a unique prefix, but would use the same ASN. Could the DCs communicate with each other using their unique prefixes without issue even though they have the same ASN, or, because they're using the same ASN, will ASN loop detection kick in and communication will not happen? I wasn't sure if ASN loop detection only applied when the same network was used with the same ASN, or if unique IP address spaces on either side bypassed that loop detection mechanism.

The BGP loop detection relies on the ASN. You can circumvent this by using the command:

router bgp 100
 neighbor x.x.x.x allowas-in      <- allows your local AS to be seen in the path and accepts the routes.

I believe this is common in MPLS designs where customers are geographically separated but have the same AS and still need communication. There is another command that kinda does the same thing, enabled on the SP side. But I figured you'd want control over your network. The command is:

router bgp 100
 neighbor x.x.x.x as-override     <- allows the SP to exchange your AS with its AS in the path.

You could also tag these routes with a community string and then filter out that community string on your backend/exit so it doesn't create a loop.

-David
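The AS_PATH mechanics that Rick, David and Richard describe above (loop detection on your own ASN, customer-side allowas-in, provider-side as-override, and AS-path prepending to steer a lesser-preferred path), as an added example that is not code from the original thread. It is a toy model, not a BGP implementation: it tracks only the AS_PATH attribute and picks best path by shortest AS_PATH. All ASNs (64500, 64601, 64602, 64700), the prefix 203.0.113.0/24 and the topology are made-up sample values; private-range ASNs stand in for the public ASN in the question.

```python
"""Toy model of the BGP AS_PATH mechanics discussed in this thread.

Added illustration, not code from the original posts and not a BGP
implementation: it models only AS_PATH loop detection, the effect of
`neighbor ... allowas-in` (customer side) and `neighbor ... as-override`
(provider side), and AS-path prepending as a best-path tie-breaker.
All ASNs, prefixes and the topology are constructed sample values.
"""
from dataclasses import dataclass, replace

# Constructed sample topology: one organisation ASN used at both DCs,
# two ISPs, and a remote AS that hears the prefix from both ISPs.
DC_ASN = 64500          # same ASN at both datacenters (private range as a stand-in)
ISP_A = 64601           # provider at the primary DC
ISP_B = 64602           # provider at the secondary DC
REMOTE_ASN = 64700      # some third party peering with both ISPs
PREFIX_DC1 = "203.0.113.0/24"   # documentation prefix standing in for the primary /24


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple  # leftmost element is the most recently added ASN, as on the wire


def receive(local_asn, route, allowas_in=False):
    """Receiving router's loop check (RFC 4271): drop the route if our own ASN
    already appears in AS_PATH. allowas-in disables that check, which is what
    David's `neighbor x.x.x.x allowas-in` does. Returns the route or None."""
    if route is None:
        return None
    if local_asn in route.as_path and not allowas_in:
        return None
    return route


def advertise(local_asn, route, prepend=0):
    """Send to an eBGP neighbor: prepend our ASN once, plus `prepend` extra
    copies for traffic engineering (the lesser-preferred path in Richard's design)."""
    if route is None:
        return None
    return replace(route, as_path=(local_asn,) * (1 + prepend) + route.as_path)


def as_override(sp_asn, customer_asn, route):
    """Provider-side as-override: rewrite every occurrence of the customer's
    ASN in AS_PATH to the provider's own ASN before sending to that customer."""
    if route is None:
        return None
    new_path = tuple(sp_asn if asn == customer_asn else asn for asn in route.as_path)
    return replace(route, as_path=new_path)


def best_path(candidates):
    """Shortest AS_PATH wins; the only tie-breaker this toy model applies."""
    accepted = [r for r in candidates if r is not None]
    return min(accepted, key=lambda r: len(r.as_path)) if accepted else None


def scenario_loop_check(allowas_in=False, sp_as_override=False):
    """The primary DC originates PREFIX_DC1; the secondary DC (same ASN) hears it
    over the internet via ISP_A -> ISP_B. Returns the AS_PATH as accepted at the
    secondary DC, or None if its loop check dropped the route."""
    origin = Route(PREFIX_DC1, ())
    at_isp_a = receive(ISP_A, advertise(DC_ASN, origin))   # AS_PATH (64500,)
    at_isp_b = receive(ISP_B, advertise(ISP_A, at_isp_a))  # (64601, 64500)
    to_dc2 = advertise(ISP_B, at_isp_b)                     # (64602, 64601, 64500)
    if sp_as_override:
        to_dc2 = as_override(ISP_B, DC_ASN, to_dc2)         # (64602, 64601, 64602)
    at_dc2 = receive(DC_ASN, to_dc2, allowas_in=allowas_in)
    return None if at_dc2 is None else at_dc2.as_path


def scenario_prepend(prepend_dc1=0, prepend_dc2=2):
    """Active/active: both DCs advertise PREFIX_DC1, each with its own prepend
    count. Returns the ISP ASN that REMOTE_ASN will send traffic through."""
    origin = Route(PREFIX_DC1, ())
    via_a = advertise(ISP_A, receive(ISP_A, advertise(DC_ASN, origin, prepend_dc1)))
    via_b = advertise(ISP_B, receive(ISP_B, advertise(DC_ASN, origin, prepend_dc2)))
    best = best_path([receive(REMOTE_ASN, via_a), receive(REMOTE_ASN, via_b)])
    return best.as_path[0]


if __name__ == "__main__":
    print("default loop check:", scenario_loop_check())
    print("with allowas-in:   ", scenario_loop_check(allowas_in=True))
    print("with as-override:  ", scenario_loop_check(sp_as_override=True))
    print("DC2 prepends x2, remote exits via ISP", scenario_prepend())
```

Two things the model makes visible that the thread only states: allowas-in accepts every path containing your ASN, so a genuine loop (your own prefix coming back to you over the internet) is accepted as well, which is why David's suggestion to tag routes with a community and filter on it at the edge still matters; and as-override leaves the secondary DC with a path that no longer contains its ASN at all, so the provider, not you, decides whether that path looks loop-free.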

You ask "Could the DCs communicate with each other using their unique prefixes without issue?" Yes, they would communicate without issue. The loop detection is about which prefix advertisements to accept, but does not impact communication between peers.

HTH

Rick

In my scenario each DC advertises both /24 spaces. This did require coordination with the providers also.

 

Richard W. Pidcock

WILLIAM STEGMAN
Level 4

So using the same ASN at each DC fits better for an active/active design then. That makes sense. Based on Richard's post, though, I suppose there isn't much harm in employing the same ASN if at some point the desire and design changes and we want to use active/active. Or is there some other downside we're missing?
