I sent out an email regarding some iBGP stuff and route aggregate stuff a few weeks ago, but I'm having a difficult time putting it into practice.
My setup is two border routers, environment A firewall and environment B firewall. The border routers each have a connection to the firewalls, and a connection between each other. All of this is iBGP. Each border also has a couple ISP eBGP sessions accepting full tables. My goal here is pretty simple, just keep moving the traffic best I can. Here is how I'm doing things now in my lab before I send it to production:

Firewall A is the primary site, and advertises smaller prefixes (direct and static discard) via iBGP, and the border routers then generate an aggregate route that gets advertised to our upstream. The border routers generate a 0/0 aggregate route based on the presence of main internet routes (exact ranges not determined yet), indicating BGP connectivity is good and we should be telling people we have the egress route. *Is this bad practice?*

Firewall B is a secondary site, and we need iBGP links to facilitate the communication between them since they both use the same ASN and I don't want to accept our own ASN in the AS path from our providers.

My main issue is I can't seem to get the advertised routes from firewall A to be shared between the border routers. I know the nature of iBGP will block this, so I tried enabling advertise-peer-as for just the border-to-border peer relationship, but I still do not see it being advertised or showing up in the route tables. This would be helpful in a scenario where the ISP links are functional, but the local connection to firewall A is not. I would like to continue advertising my public address via the aggregate route into eBGP, which needs the contributing routes from iBGP. I can also reach the firewall still through the adjacent border router. I do not want to set the aggregate route to passive, because if the border loses its link to the firewall and the other border, it will still advertise and receive traffic it cannot route.
I could of course just ditch the connection between the border routers, and leave it such that if it has no route to the firewalls, it doesn't advertise to our providers, and if it doesn't have internet routes, it doesn't send the default to the firewall, and that's it. Is this a more standard approach? The only problem here is the router could lose its ISP link, but still have connectivity to the site B firewall, which is why I would still like to be able to figure out the advertise-peer-as functionality so I wouldn't have to rely on the default route to know how to get to site B, which is independent of our ISP links.

I hope that makes sense.

Thanks,
Morgan

_______________________________________________
juniper-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
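As an added illustration (not Morgan's configuration and not from the thread), here is a Junos fragment for one border router that sketches the design described above: the public aggregate and the 0/0 aggregate each become active only while their contributing routes exist, and the border-to-border session uses route reflection so firewall A's prefixes reach the other border. All prefixes (RFC 5737 ranges), policy names and peer addresses are placeholders; the cluster id and neighbor address should be mirrored on the other border.

```junos
## Placeholder addressing: public block 203.0.113.0/24, firewall A contributes
## /25s via iBGP; 198.51.100.0/24 stands in for an upstream "anchor" prefix.

## 1. Public aggregate: active only while firewall-originated contributors exist.
set policy-options policy-statement AGG-PUBLIC-CONTRIB term fw-prefixes from protocol bgp
set policy-options policy-statement AGG-PUBLIC-CONTRIB term fw-prefixes from route-filter 203.0.113.0/24 longer
set policy-options policy-statement AGG-PUBLIC-CONTRIB term fw-prefixes then accept
set policy-options policy-statement AGG-PUBLIC-CONTRIB then reject
set routing-options aggregate route 203.0.113.0/24 policy AGG-PUBLIC-CONTRIB
set routing-options aggregate route 203.0.113.0/24 discard

## 2. Default aggregate: active only while selected upstream-learned routes are present.
set policy-options policy-statement AGG-DEFAULT-CONTRIB term isp-anchors from protocol bgp
set policy-options policy-statement AGG-DEFAULT-CONTRIB term isp-anchors from route-filter 198.51.100.0/24 exact
set policy-options policy-statement AGG-DEFAULT-CONTRIB term isp-anchors then accept
set policy-options policy-statement AGG-DEFAULT-CONTRIB then reject
set routing-options aggregate route 0.0.0.0/0 policy AGG-DEFAULT-CONTRIB
set routing-options aggregate route 0.0.0.0/0 discard

## 3. Exports: only the public aggregate goes upstream; only the default goes to the firewalls.
set policy-options policy-statement EXPORT-UPSTREAM term agg from protocol aggregate
set policy-options policy-statement EXPORT-UPSTREAM term agg from route-filter 203.0.113.0/24 exact
set policy-options policy-statement EXPORT-UPSTREAM term agg then accept
set policy-options policy-statement EXPORT-UPSTREAM then reject
set policy-options policy-statement EXPORT-FIREWALL term default from protocol aggregate
set policy-options policy-statement EXPORT-FIREWALL term default from route-filter 0.0.0.0/0 exact
set policy-options policy-statement EXPORT-FIREWALL term default then accept
set policy-options policy-statement EXPORT-FIREWALL then reject
set protocols bgp group UPSTREAM type external export EXPORT-UPSTREAM
set protocols bgp group FIREWALLS type internal export EXPORT-FIREWALL

## 4. Border-to-border: reflect firewall A's prefixes to the other border.
## Routes learned from one iBGP peer are not re-advertised to another iBGP peer
## without a route reflector or full mesh; advertise-peer-as only disables
## AS-path loop suppression, which is not what blocks them on an iBGP session.
set protocols bgp group BORDER-PEER type internal cluster 10.255.0.1
set protocols bgp group BORDER-PEER neighbor 10.255.0.2
```

With this in place, `show route 203.0.113.0/24 detail` lists the contributing routes behind the aggregate, and the aggregate (and its upstream advertisement) drops out on its own when the last contributor disappears.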

