[j-nsp] BGP setup question, advertise-peer-as?

Morgan McLean wrx230 at gmail.com
Sat Aug 25 07:36:06 EDT 2012


Also, I tried setting autonomous-system xxxx loops 2, but I still don't see
the advertised prefixes number increasing under show bgp neighbor, which
means the other border router isn't getting the routes at all, so the
allowing 2 loops flag won't do much since there are no loops to allow.

Thanks,
Morgan

On Sat, Aug 25, 2012 at 4:26 AM, Morgan McLean <wrx230 at gmail.com> wrote:

> I sent out an email regarding some iBGP stuff and route aggregate stuff a
> few weeks ago, but I'm having a difficult time putting it into practice.
>
> My setup is two border routers, environment A firewall and environment B
> firewall. The border routers each have a connection to the firewalls, and a
> connection between each other. All of this is iBGP. Each border also has a
> couple ISP eBGP sessions accepting full tables.
>
> My goal here is pretty simple, just keep moving the traffic best I can.
> Here is how I'm doing things now in my lab before I send it to production:
>
> The firewall A is the primary site, and advertises smaller prefixes
> (direct and static discard) via iBGP, and the border routers then generate
> an aggregate route that gets advertised to our upstream.
>
> The border routers generate a 0/0 aggregate route based on the presence of
> main internet routes (exact ranges not determined yet), indicating BGP
> connectivity is good and we should be telling people we have the egress
> route. Is this bad practice?
>
> The firewall B is a secondary site, and we need iBGP links to facilitate
> the communication between them since they both use the same ASN and I don't
> want to accept our own ASN in the as path from our providers.
>
> My main issue is I can't seem to get the advertised routes from firewall A
> to be shared between the border routers. I know the nature of iBGP will
> block this, so I tried enabling advertise-peer-as for just the border to
> border peer relationship, but I still do not see it being advertised or
> showing up in the route tables. This would be helpful in a scenario where
> the ISP links are functional, but the local connection to firewall A is
> not. I would like to continue advertising my public address via the
> aggregate route into eBGP which needs the contributing routes from iBGP. I
> can also reach the firewall still through the adjacent border router. I do
> not want to set the aggregate route to passive, because if the border loses
> its link to the firewall and the other border, it will still advertise and
> receive traffic it cannot route.
>
> I could of course just ditch the connection between the border routers,
> and leave it such that if it has no route to the firewalls, it doesn't
> advertise to our providers, and if it doesn't have internet routes, it
> doesn't send the default to the firewall and that's it. Is this a more
> standard approach? The only problem here is the router could lose its ISP
> link, but still have connectivity to the site B firewall, which is why I
> would still like to be able to figure out the advertise-peer-as
> functionality so I wouldn't have to rely on the default route to know how
> to get to site B, which is independent of our ISP links.
>
> I hope that makes sense.
>
> Thanks,
> Morgan
>

