SRX


How to prefer BGP route over IPsec VPN generated static route

  • 1.  How to prefer BGP route over IPsec VPN generated static route

    Posted 01-05-2017 13:41

    Hi, all,

     

    I have a unique situation I don't have an obvious answer for. We need to interconnect with a customer using an MPLS-VPN circuit as the primary and an IPsec VPN as backup. Say we advertise subnet A and the customer advertises subnet B to the MPLS VPN provider (via BGP of course); everything is good. Now we want to set up an IPsec VPN as a backup. Unfortunately the customer-side VPN device (Cisco ASA) only supports "policy based" VPN, so I have to explicitly configure a traffic-selector in the SRX VPN configuration listing subnet A as local-ip and subnet B as remote-ip on the SRX. Not a problem ... the problem is that the SRX automatically injects a static route for subnet B into the routing table, and the SRX would prefer the IPsec VPN to reach the customer. How do I get around this dilemma?

     

    Thanks,



  • 2.  RE: How to prefer BGP route over IPsec VPN generated static route
    Best Answer

    Posted 01-05-2017 22:15

    Hi there,

    Easy, as always with JUNOS  🙂

    Under Your BGP group add this line:

    preference <number less than reverse static route preference>

    I can't remember what is the reverse static route preference for IPSec VPN with traffic selectors, but default static route preference in JUNOS is 5, so Your line above should look like "preference 4".

    HTH

    Thx

    Alex



  • 3.  RE: How to prefer BGP route over IPsec VPN generated static route

    Posted 01-06-2017 04:18

    I think in that case you would need to set the default preference for static routes to be higher than BGP, and then for your other static routes you would have to set them to preference 5 or whatever value you chose. So when the SRX generates the VPN static route, its default would be higher.

    Something like this:


    set routing-options static defaults preference 180

    set routing-options static route 0.0.0.0/0 next-hop 172.18.1.1
    set routing-options static route 0.0.0.0/0 preference 5
    set routing-options static route 192.12.0.0/24 next-hop 172.18.1.2
    set routing-options static route 192.12.0.0/24 preference 5



  • 4.  RE: How to prefer BGP route over IPsec VPN generated static route

     
    Posted 06-10-2019 12:03

    This is not true for ARI in traffic-selector; even though we change the preference in static route manually, ARI takes its default value: 5.


    @lyndidon wrote:

    I think in that case you would need to set the default preference for static routes to be higher than BGP, and then for your other static routes you would have to set them to preference 5 or whatever value you chose. So when the SRX generates the VPN static route, its default would be higher.

    Something like this:


    set routing-options static defaults preference 180

    set routing-options static route 0.0.0.0/0 next-hop 172.18.1.1
    set routing-options static route 0.0.0.0/0 preference 5
    set routing-options static route 192.12.0.0/24 next-hop 172.18.1.2
    set routing-options static route 192.12.0.0/24 preference 5