Also, I tried setting autonomous-system xxxx loops 2, but I still don't see the advertised prefixes number increasing under show bgp neighbor, which means the other border router isn't getting the routes at all, so the allowing 2 loops flag won't do much since there are no loops to allow.
Thanks,
Morgan

On Sat, Aug 25, 2012 at 4:26 AM, Morgan McLean <[email protected]> wrote:
> I sent out an email regarding some iBGP stuff and route aggregate stuff a
> few weeks ago, but I'm having a difficult time putting it into practice.
>
> My setup is two border routers, environment A firewall and environment B
> firewall. The border routers each have a connection to the firewalls, and a
> connection between each other. All of this is iBGP. Each border also has a
> couple of ISP eBGP sessions accepting full tables.
>
> My goal here is pretty simple, just keep moving the traffic best I can.
> Here is how I'm doing things now in my lab before I send it to production:
>
> The firewall A is the primary site, and advertises smaller prefixes
> (direct and static discard) via iBGP, and the border routers then generate
> an aggregate route that gets advertised to our upstream.
>
> The border routers generate a 0/0 aggregate route based on the presence of
> main internet routes (exact ranges not determined yet), indicating BGP
> connectivity is good and we should be telling people we have the egress
> route. *Is this bad practice?*
>
> The firewall B is a secondary site, and we need iBGP links to facilitate
> the communication between them since they both use the same ASN and I don't
> want to accept our own ASN in the AS path from our providers.
>
> My main issue is I can't seem to get the advertised routes from firewall A
> to be shared between the border routers. I know the nature of iBGP will
> block this, so I tried enabling advertise-peer-as for just the border to
> border peer relationship, but I still do not see it being advertised or
> showing up in the route tables. This would be helpful in a scenario where
> the ISP links are functional, but the local connection to firewall A is
> not. I would like to continue advertising my public address via the
> aggregate route into eBGP which needs the contributing routes from iBGP. I
> can also reach the firewall still through the adjacent border router. I do
> not want to set the aggregate route to passive, because if the border loses
> its link to the firewall and the other border, it will still advertise and
> receive traffic it cannot route.
>
> I could of course just ditch the connection between the border routers,
> and leave it such that if it has no route to the firewalls, it doesn't
> advertise to our providers, and if it doesn't have internet routes, it
> doesn't send the default to the firewall and that's it. Is this a more
> standard approach? The only problem here is the router could lose its ISP
> link, but still have connectivity to the site B firewall, which is why I
> would still like to be able to figure out the advertise-peer-as
> functionality so I wouldn't have to rely on the default route to know how
> to get to site B, which is independent of our ISP links.
>
> I hope that makes sense.
>
> Thanks,
> Morgan
_______________________________________________
juniper-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
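For reference, the following is an added Junos configuration sketch, not from Morgan's post or from anyone else on the list, showing how the pieces of this design are usually expressed. The border-to-border problem is the iBGP rule that a route learned from one iBGP peer is never readvertised to another iBGP peer; `advertise-peer-as` only relaxes the AS-path check towards eBGP peers, so it does not lift that rule. Route reflection does: each border is configured as a route reflector with the firewalls as clients and the other border as a non-client, so firewall A's prefixes reach border B through border A. The public aggregate selects its contributing routes by policy (so it disappears when no firewall route is present), and the conditional default is a Junos `generate` route that exists only while an upstream anchor prefix is installed. All addresses, AS numbers, prefixes, group and policy names are placeholders.

```junos
/* Border A. Border B mirrors this with its own local-address and cluster ID. */
routing-options {
    autonomous-system 65000;                 /* placeholder ASN */
    aggregate {
        /* Public block advertised upstream. It is only active while a
           contributing route selected by the policy exists, so losing
           firewall A (and the other border) withdraws it automatically. */
        route 203.0.113.0/24 {
            policy AGG-CONTRIBUTORS;
            discard;
        }
    }
    generate {
        /* Conditional default towards the firewalls: present only while
           at least one anchor prefix learned from the upstreams is active. */
        route 0.0.0.0/0 {
            policy DEFAULT-CONTRIBUTORS;
        }
    }
}
policy-options {
    policy-statement AGG-CONTRIBUTORS {
        term site-a-prefixes {
            from {
                protocol bgp;
                route-filter 203.0.113.0/24 longer;   /* what firewall A announces */
            }
            then accept;
        }
        then reject;
    }
    policy-statement DEFAULT-CONTRIBUTORS {
        term upstream-anchors {
            from {
                protocol bgp;
                route-filter 192.0.2.0/24 exact;      /* placeholder anchor prefix */
            }
            then accept;
        }
        then reject;
    }
    policy-statement TO-UPSTREAM {
        /* Only the aggregate leaves the AS; never leak the full tables back. */
        term aggregate-only {
            from protocol aggregate;
            then accept;
        }
        then reject;
    }
    policy-statement TO-FIREWALLS {
        /* Firewalls receive the conditional default and nothing else. */
        term default-only {
            from {
                route-filter 0.0.0.0/0 exact;
            }
            then accept;
        }
        then reject;
    }
}
protocols {
    bgp {
        group IBGP-CLIENTS {
            type internal;
            local-address 10.0.0.1;
            cluster 10.0.0.1;             /* border A acts as a route reflector */
            export TO-FIREWALLS;
            neighbor 10.0.1.1;            /* firewall A (client) */
            neighbor 10.0.2.1;            /* firewall B (client) */
        }
        group IBGP-BORDER {
            type internal;
            local-address 10.0.0.1;
            neighbor 10.0.0.2;            /* border B, non-client: receives reflected client routes */
        }
        group EBGP-UPSTREAM {
            type external;
            export TO-UPSTREAM;
            neighbor 198.51.100.1 {
                peer-as 64496;            /* placeholder provider ASN */
            }
        }
    }
}
```

Giving the two borders different cluster IDs keeps each from discarding the other's reflected routes on a cluster-list check. When the upstream session still shows no advertised prefixes, `show route 203.0.113.0/24 detail` on the border is the place to look: it lists the aggregate's contributing routes, and an empty list means the firewall prefixes never arrived over iBGP rather than that the export policy is wrong.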

