[j-nsp] BGP setup question, advertise-peer-as?

Morgan McLean wrx230 at gmail.com
Sat Aug 25 07:26:53 EDT 2012


I sent out an email regarding some iBGP stuff and route aggregate stuff a
few weeks ago, but I'm having a difficult time putting it into practice.

My setup is two border routers, environment A firewall and environment B
firewall. The border routers each have a connection to the firewalls, and a
connection between each other. All of this is iBGP. Each border also has a
couple ISP eBGP sessions accepting full tables.

My goal here is pretty simple, just keep moving the traffic best I can.
Here is how I'm doing things now in my lab before I send it to production:

The firewall A is the primary site, and advertises smaller prefixes (direct
and static discard) via iBGP, and the border routers then generate an
aggregate route that gets advertised to our upstream.

The border routers generate a 0/0 aggregate route based on the presence of
main internet routes (exact ranges not determined yet), indicating BGP
connectivity is good and we should be telling people we have the egress
route. Is this bad practice?
The firewall B is a secondary site, and we need iBGP links to facilitate
the communication between them since they both use the same ASN and I don't
want to accept our own ASN in the as path from our providers.

My main issue is I can't seem to get the advertised routes from firewall A
to be shared between the border routers. I know the nature of iBGP will
block this, so I tried enabling advertise-peer-as for just the border to
border peer relationship, but I still do not see it being advertised or
showing up in the route tables. This would be helpful in a scenario where
the ISP links are functional, but the local connection to firewall A is
not. I would like to continue advertising my public address via the
aggregate route into eBGP which needs the contributing routes from iBGP. I
can also reach the firewall still through the adjacent border router. I do
not want to set the aggregate route to passive, because if the border loses
its link to the firewall and the other border, it will still advertise and
receive traffic it cannot route.

I could of course just ditch the connection between the border routers, and
leave it such that if it has no route to the firewalls, it doesn't
advertise to our providers, and if it doesn't have internet routes, it
doesn't send the default to the firewall and that's it. Is this a more
standard approach? The only problem here is the router could lose its ISP
link, but still have connectivity to the site B firewall, which is why I
would still like to be able to figure out the advertise-peer-as
functionality so I wouldn't have to rely on the default route to know how
to get to site B, which is independent of our ISP links.

I hope that makes sense.

Thanks,
Morgan
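An added, hypothetical Junos configuration for one border router in the topology described in the post (not the poster's lab config and not from Juniper). It uses route reflection in place of advertise-peer-as, since that knob only relaxes the eBGP "don't advertise back to the peer AS" rule and does not lift iBGP split horizon; all addresses, the ASN, the policy names, the ISP peer (198.18.0.1, AS 64496) and the "upstream present" marker prefix are placeholders.

```junos
# Border router 1. Placeholders: loopback 192.0.2.1, border 2 192.0.2.2, firewall A
# 192.0.2.11, firewall B 192.0.2.12, public block 198.51.100.0/24, marker 203.0.113.0/24
set routing-options autonomous-system 64500

# iBGP to both firewalls with this border as route reflector: prefixes learned from
# firewall A are then reflected to the other border, which plain iBGP split horizon
# (and advertise-peer-as, which only affects eBGP re-advertisement) would not do.
set protocols bgp group ibgp-firewalls type internal
set protocols bgp group ibgp-firewalls local-address 192.0.2.1
set protocols bgp group ibgp-firewalls cluster 192.0.2.1
set protocols bgp group ibgp-firewalls export to-firewalls
set protocols bgp group ibgp-firewalls neighbor 192.0.2.11
set protocols bgp group ibgp-firewalls neighbor 192.0.2.12
# iBGP between the two borders (a non-client peer of the reflector)
set protocols bgp group ibgp-border type internal
set protocols bgp group ibgp-border local-address 192.0.2.1
set protocols bgp group ibgp-border neighbor 192.0.2.2

# Public aggregate, active only while a contributing prefix from firewall A
# (learned directly or reflected from the other border) is in the table
set routing-options aggregate route 198.51.100.0/24 policy agg-contributors
set policy-options policy-statement agg-contributors term fw-a from protocol bgp
set policy-options policy-statement agg-contributors term fw-a from route-filter 198.51.100.0/24 longer
set policy-options policy-statement agg-contributors term fw-a then accept
set policy-options policy-statement agg-contributors then reject

# Default toward the firewalls, generated only while the marker prefix is learned
# from an ISP (the "internet routes are present" condition); next hop follows it
set routing-options generate route 0.0.0.0/0 policy default-contributors
set policy-options policy-statement default-contributors term up from protocol bgp
set policy-options policy-statement default-contributors term up from route-filter 203.0.113.0/24 exact
set policy-options policy-statement default-contributors term up then accept
set policy-options policy-statement default-contributors then reject

# To the ISPs: only the aggregate. To the firewalls: the default plus the site's
# own reflected prefixes, never the full tables
set policy-options policy-statement to-upstream term agg from protocol aggregate
set policy-options policy-statement to-upstream term agg from route-filter 198.51.100.0/24 exact
set policy-options policy-statement to-upstream term agg then accept
set policy-options policy-statement to-upstream then reject
set policy-options policy-statement to-firewalls term def from protocol aggregate
set policy-options policy-statement to-firewalls term def from route-filter 0.0.0.0/0 exact
set policy-options policy-statement to-firewalls term def then accept
set policy-options policy-statement to-firewalls term site from protocol bgp
set policy-options policy-statement to-firewalls term site from route-filter 198.51.100.0/24 longer
set policy-options policy-statement to-firewalls term site then accept
set policy-options policy-statement to-firewalls then reject
set protocols bgp group isp-upstream type external
set protocols bgp group isp-upstream export to-upstream
set protocols bgp group isp-upstream neighbor 198.18.0.1 peer-as 64496
```

Border 2 mirrors this with its own loopback as the cluster ID; with the link to firewall A down, `show route 198.51.100.0/24 detail` on that border should still list the reflected contributors and keep the aggregate active, and it withdraws once the other border loses them as well.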