Routing


How to prefer route at remote site rather through BGP neighbor

  • 1.  How to prefer route at remote site rather through BGP neighbor

    Posted 07-20-2021 11:54
    Hello,

    We have a scenario as attached where a particular route is preferred via the default route coming from the other site. But as a more specific route is available, the traffic is forced via the BGP neighbor, which blocks this route.

    The main goal here is to route 172.22.174.144/28 via Site A but at Site B traffic stops working as soon as BGP neighborship to their FW1 is activated.

    ------------------------------
    junos sky
    ------------------------------


  • 2.  RE: How to prefer route at remote site rather through BGP neighbor

    Posted 07-21-2021 11:18
    How do site A and site B communicate with each other? Via the ISP at the top? If I'm understanding your design and what you're trying to accomplish, is there a link between site A and site B that is missing on the drawing?


  • 3.  RE: How to prefer route at remote site rather through BGP neighbor

    Posted 07-21-2021 13:56
    Seems like you need to inject 172.22.174.144/28 into your IGP so the Preference of the IGP wins over the Preference of BGP

    ------------------------------
    Aaron Gould
    Senior Network Engineer
    aaron@gvtc.com
    https://www.linkedin.com/in/agould123/
    ------------------------------



  • 4.  RE: How to prefer route at remote site rather through BGP neighbor

    Posted 07-22-2021 10:14
    Hi bluedove84, I remember you had some questions regarding this topology a while back. I'm curious to know why the same /28 is used in different sites. Are you using anycast or something like that? Is this prefix expected to be received from FW1/2 by design? Some additional info would be helpful.

    If this behavior is not expected, and you simply want to rely on the default route, you can modify the two policies we discussed on the other thread (import/export) to actually reject the route from the customer or the customer's firewall if it's not needed. If this prefix from the downstream firewall (and other sites) is needed for some backup failover mechanism, then one option is to inject the /28 from all sites into BGP and then modify LP for each site to control what site uses what route. For example, for Site-A you will end up receiving the /28 from 3 directions. Site A will have a higher pref for the prefix received from the ISP while a lower pref is assigned to FW routes.

    hope this helps :)


  • 5.  RE: How to prefer route at remote site rather through BGP neighbor

    Posted 07-26-2021 20:05
    This is exactly what I am trying to achieve.

    ------------------------------
    junos sky
    ------------------------------



  • 6.  RE: How to prefer route at remote site rather through BGP neighbor

    Posted 07-26-2021 20:06
    @ali.taheri  Yes this is correct.

    172.22.174.144/28 is advertised by both sites but one route will be preferred, and in case of customer firewall failure Site B will advertise the same route to the ISP, hence why it's preferred on one site while the other will remain inactive until it's not receiving the same route from site A.
    One way would be to advertise default plus this new route 172.22.174.144/28 to Site R 1 router and force it to use this new route coming in. The only problem I have is my config looks like below:


    set policy-options policy-statement default-vpn term default-originate from route-filter 0.0.0.0/0 exact
    set policy-options policy-statement default-vpn term default-originate then accept
    set policy-options policy-statement default-vpn then reject


    The above config is already in place, so if I add the below:

    set policy-options policy-statement LSH-prefixes term allowed from route-filter 172.26.82.128/28 orlonger
    set policy-options policy-statement LSH-prefixes term allowed then accept
    set policy-options policy-statement LSH-prefixes then reject







    set routing-instances vpn128 protocols bgp group vpn neighbor 172.31.255.102 export default-vpn
    set routing-instances vpn128 protocols bgp group vpn neighbor 172.31.255.102 export LSH-prefixes

    edit routing-instances vpn128 protocols bgp group vpn neighbor 172.31.255.102]
    - export default-vpn;
    + export [ default-vpn LSH-prefixes ];
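
    Review bot: the order on the "+ export [ default-vpn LSH-prefixes ];" line puts default-vpn first, and its unconditional "then reject" ends evaluation for every route other than 0.0.0.0/0, so LSH-prefixes is never consulted and 172.26.82.128/28 is not advertised. Listing LSH-prefixes first fixes that only if its own trailing "then reject" is removed; otherwise the default route is rejected there before default-vpn is reached. Keeping the final reject in whichever policy comes last preserves the deny-by-default export toward 172.31.255.102.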


    I cannot touch default-vpn, and due to the reject statement at the end it will never allow 172.26.82.128/28 to be advertised to my BGP neighbor. This is where I am stuck and not sure how to achieve what I am looking for.

    At this stage I only need to allow 172.26.82.128/28 to my BGP neighbor router R1 so as to force it to use this new route and ignore the local BGP from the FW.
    I hope I have clarified everything but please let me know.





    ------------------------------
    junos sky
    ------------------------------



  • 7.  RE: How to prefer route at remote site rather through BGP neighbor

    Posted 07-27-2021 13:51
    In your LSH-prefixes policy, get rid of the reject statement.  Then in the export statement put the LSH-prefixes before the default-vpn.  This should then get you the result you want, announcing the 172.26.82.128/28 and a default(0.0.0.0/0) route only.
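
The export-chain behaviour discussed in this thread, as an added example that is not part of any post and is not Junos code: a small Python model of left-to-right policy evaluation using the two policies quoted above. The route 10.99.0.0/16 and the `protocol_default` fallback are constructed assumptions, included to show that nothing else leaks once the last policy ends in reject.

```python
import ipaddress

def match(route, prefix, mode):
    """The two route-filter match types that appear in the thread."""
    r, p = ipaddress.ip_network(route), ipaddress.ip_network(prefix)
    if mode == "exact":
        return r == p
    if mode == "orlonger":
        return r.subnet_of(p)          # same prefix or any more-specific one
    raise ValueError(mode)

def policy(terms, final=None):
    """terms: (prefix, mode, action); final: the unconditional trailing action."""
    return {"terms": terms, "final": final}

DEFAULT_VPN = policy([("0.0.0.0/0", "exact", "accept")], final="reject")
LSH_WITH_REJECT = policy([("172.26.82.128/28", "orlonger", "accept")], final="reject")
LSH_NO_REJECT = policy([("172.26.82.128/28", "orlonger", "accept")])

def evaluate(chain, route, protocol_default="reject"):
    """Walk the chain in order; the first accept/reject ends evaluation.
    protocol_default is an assumption standing in for the protocol's default
    policy; it is never reached when the last policy ends in reject."""
    for pol in chain:
        for prefix, mode, action in pol["terms"]:
            if match(route, prefix, mode):
                return action
        if pol["final"]:
            return pol["final"]
    return protocol_default

def advertised(chain, rib):
    return [r for r in rib if evaluate(chain, r) == "accept"]

# Constructed table: the two intended routes plus one that must not leak.
RIB = ["0.0.0.0/0", "172.26.82.128/28", "10.99.0.0/16"]

if __name__ == "__main__":
    cases = {
        "[ default-vpn LSH-prefixes ]": [DEFAULT_VPN, LSH_WITH_REJECT],
        "[ LSH-prefixes default-vpn ], reject kept": [LSH_WITH_REJECT, DEFAULT_VPN],
        "[ LSH-prefixes default-vpn ], reject removed": [LSH_NO_REJECT, DEFAULT_VPN],
    }
    for name, chain in cases.items():
        print(name, "->", advertised(chain, RIB))
```

The middle case is the one to watch for: reordering without removing the reject from LSH-prefixes advertises the /28 but silently withdraws the default route.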