Earlier this year I got a /24 of PA space, set up our shiny new router,
got BGP working with both my upstreams, and heaved a sigh of relief: "I'll
never have to think about THAT again!" (Okay, quit laughing; I SAID I was
a noob!)
Now, I discover that one of my upstreams quit announcing our route in
November (fortunately the provider who assigned us the /24, so we're still
covered in their /18) and the other upstream apparently started filtering
our announcements last week. I'm working with both of them to get that
fixed, but it's made it clear to me that I need to be monitoring this.
My question for the group is, how? I can and do monitor my own router, and
I can see that I'm receiving full routes from both ISPs. I am capable of
manually accessing route servers and looking glass servers to check if
they're receiving routes to me, but I'd like something more automated.
Free is nice, $$ is not a problem, $$$$ might become a problem.
Manually speaking, you can always telnet to route-views.routeviews.org which is a restricted Cisco interface. Log in with username "rviews" and don't enable. From the prompt you can do all the "show ip bgp" commands you need to see whether or not your /24 is being announced via your upstream providers. As an example 'sho ip bgp x.x.x.x' where x.x.x.x is your /24. You should see the announcement originating from your AS over multiple providers that includes both of yours. If not, you know you have a problem.
Use one of the following services: http://cyclops.cs.ucla.edu/ http://bgpmon.net/
You'll get an email whenever a routing change takes place in regards to the prefix you are monitoring.
Is http://cyclops.cs.ucla.edu/ still working? I don't seem to received emails from them anymore when we stop announcing to one of our upstream providers. On the other hand http://bgpmon.net/ does send me emails when an announcement disappears from an upstream, although it's usually a day later.
Depending on the nature of your redundant connections, your traffic
engineering/bgp settings, and the visibility of the routing through the
lost provider to the internet route servers mentioned, you may/may not be
able to easily monitor this. Some failures are harder to find than others.
Suggestions:
1) On the provider that stopped accepting your prefix, your inbound traffic
would have dropped to 0. Monitor for this if this isn't by design already.
2) Use the bgpmon suggested by Dave below to see events which are visible
to the route server they use.
.-- My secret spy satellite informs me that at 11-12-20 11:16 AM Bret Clark wrote:
Is http://cyclops.cs.ucla.edu/ still working? I don't seem to received
emails from them anymore when we stop announcing to one of our upstream
providers. On the other hand http://bgpmon.net/ does send me emails when
an announcement disappears from an upstream, although it's usually a day
later.
Just to clarify this:
For all alert types below BGPmon.net sends out an alert within minutes:
1) prefix withdrawal (prefix disappeared)
2) new upstream
3) new prefix
4) origin AS changes
5) ASpath regex failure
6) policy violation
7) RPKI validation failure
There's one other feature, the routing-report feature, that runs only once a day. It's similar as the cidr report, but specific to your AS. I like to refer to it as a rancid for your BGP announcements.
It's basically a diff between how your routes were visible today and yesterday. This specific feature will also notify the user if you lost / gained one or more upstreams per prefix.
Also see Blog | BGPmon for more information about that specific feature.
Unless I'm misunderstanding something, I'm concerned regarding the IPv4 bogon list on http://bgpmon.net/showbogons.php?inet=4 . It clearly includes several /8's that should not be there. The data seems to be stale as if some job is no longer pulling the updated data. It states it's being pulled from http://www.cymru.com/Documents/bogon-bn-nonagg.txt , but that clearly does not contain 100/8, 5/8, 181/8, 49/8 and a few others... and hasn't for quite some time.
.-- My secret spy satellite informs me that at 11-12-21 5:17 AM Vinny Abello wrote:
Unless I'm misunderstanding something, I'm concerned regarding the IPv4 bogon list on http://bgpmon.net/showbogons.php?inet=4 . It clearly includes several /8's that should not be there. The data seems to be stale as if some job is no longer pulling the updated data. It states it's being pulled from http://www.cymru.com/Documents/bogon-bn-nonagg.txt , but that clearly does not contain 100/8, 5/8, 181/8, 49/8 and a few others... and hasn't for quite some time.
The http://bgpmon.net/showbogons.php?inet=4 page show a list of bogons that were announced at a certain point in time, so the page show historical announcements as well (check the date).
For example the last 100/8 bogons were detected on 2010-10-29, at that time it was still considered a bogon.
Ahh, that would be the part where I'm misunderstanding something, the date! LOL... Makes sense now. I thought this was a recent snapshot all from 2011. I see of course that I was wrong. Thanks for clearing that up for me. My excuse is lack of coffee when I wrote that.
