BGP controlling default route advertisement

desromic101
Level 1

I have a router at a datacenter, which we will call MAIN-ROUTER, which is advertising default routes over BGP to remote sites, of which we will only concentrate on one and call REMOTE-ROUTER. Directly connected to the MAIN-ROUTER is an ASA firewall called MAIN-FIREWALL. This firewall is connected to the Internet and is the gateway for the entire network. The router needs to advertise the loopback address of the MAIN-FIREWALL to the REMOTE-ROUTER, but it doesn't. It advertises itself. Here are more details:

MAIN-ROUTER IP is 192.168.101.3

It is directly connected to MAIN-FIREWALL, which is 192.168.101.1

MAIN-FIREWALL has a loopback of 1.1.1.1 that all routers hit in order to reach the Internet

MAIN-ROUTER has these static routes:

ip route 0.0.0.0 0.0.0.0 1.1.1.1

ip route 1.1.1.1 255.255.255.255 192.168.101.1

(so 1.1.1.1 is its default route, and it knows how to get there)

What I want is MAIN-ROUTER to advertise the 1.1.1.1 route exactly as it appears in its own routing table. It should appear like this in REMOTE-ROUTER's table:

B*     0.0.0.0/0   [200/0]  via  1.1.1.1,  00:27:58

But instead it appears like this:

B*     0.0.0.0/0   [200/0]  via  192.168.101.3,  00:27:58

MAIN-ROUTER is electing itself as the default route, and that's bad because all traffic bound for the Internet is passing through MAIN-FIREWALL twice.

The idea behind all this is that there is a second datacenter that is also advertising the default route but with a lower weight, so when the main site goes down, all the remote routers grab the backup site's route and continue operating. It all works just fine, but the load on the firewalls is twice what it should be.

MAIN-ROUTER BGP CONFIG:

I need one of three things:

A way to force BGP to advertise the default route exactly as it appears in the routing table.

A way to force BGP to advertise an arbitrary route of my choice.

If all this is impossible, I need a better solution for failover.
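An operational check for the symptom described in this post, added here as an editor's example (it is not code from the poster or from Cisco): it parses Cisco IOS "show ip route" lines in the format shown above and classifies the BGP default route on a remote router as pointing at the firewall loopback (the desired state), at the advertising router itself (the hairpin through MAIN-FIREWALL the post complains about), somewhere else, or missing. The two routing-table dumps, the 10.20.0.0/24 connected route and the function and variable names are constructed for the example; the addresses 1.1.1.1 and 192.168.101.3 are the ones given in the post.

```python
import re

# Matches one route line of Cisco IOS "show ip route" output, e.g.
#   B*     0.0.0.0/0   [200/0]  via  192.168.101.3,  00:27:58
# Header lines ("Gateway of last resort ...") and "is directly connected"
# entries deliberately do not match and are skipped.
ROUTE_RE = re.compile(
    r"^(?P<proto>[A-Z])(?P<candidate_default>\*?)\s+"
    r"(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s+"
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+"
    r"(?P<next_hop>\d{1,3}(?:\.\d{1,3}){3}),?\s*(?P<age>\S*)"
)


def parse_route(line):
    """Return a dict for a recognised route line, or None for anything else."""
    m = ROUTE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ad"] = int(d["ad"])            # administrative distance (200 = iBGP)
    d["metric"] = int(d["metric"])
    d["candidate_default"] = d["candidate_default"] == "*"
    return d


def audit_default_route(show_output, expected_next_hop, transit_hops=()):
    """Classify the BGP default route found in a routing-table dump.

    Returns one of:
      ("ok", next_hop)          default points at expected_next_hop
      ("hairpin", next_hop)     default points at a router in transit_hops,
                                i.e. the advertising router inserted itself
      ("unexpected", next_hop)  default points somewhere else
      ("missing", None)         no BGP default route present
    """
    for line in show_output.splitlines():
        r = parse_route(line)
        if r is None or r["proto"] != "B" or r["prefix"] != "0.0.0.0/0":
            continue
        if r["next_hop"] == expected_next_hop:
            return ("ok", r["next_hop"])
        if r["next_hop"] in transit_hops:
            return ("hairpin", r["next_hop"])
        return ("unexpected", r["next_hop"])
    return ("missing", None)


# Constructed sample: what the post says REMOTE-ROUTER shows today.
OBSERVED = """\
Gateway of last resort is 192.168.101.3 to network 0.0.0.0

B*     0.0.0.0/0   [200/0]  via  192.168.101.3,  00:27:58
C      10.20.0.0/24 is directly connected, GigabitEthernet0/0
"""

# Constructed sample: the table the post wants to see.
DESIRED = """\
Gateway of last resort is 1.1.1.1 to network 0.0.0.0

B*     0.0.0.0/0   [200/0]  via  1.1.1.1,  00:27:58
"""

FIREWALL_LOOPBACK = "1.1.1.1"      # MAIN-FIREWALL loopback from the post
MAIN_ROUTER = "192.168.101.3"      # MAIN-ROUTER address from the post

if __name__ == "__main__":
    for name, dump in (("observed", OBSERVED), ("desired", DESIRED)):
        verdict = audit_default_route(dump, FIREWALL_LOOPBACK, transit_hops=(MAIN_ROUTER,))
        print(f"{name}: {verdict}")
```

Run periodically against the output of "show ip route" collected from each remote router; a "hairpin" verdict is the condition described in the post (Internet-bound traffic transiting MAIN-ROUTER and then the firewall path twice), while "missing" after a failover indicates the backup datacenter's default was not installed either.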


Jon Marshall
Hall of Fame

MAIN-ROUTER is electing itself as the default route, and that's bad because all traffic bound for the Internet is passing through MAIN-FIREWALL twice.

What do you mean by this?

If the DC router is advertising the default route via BGP across the WAN then surely remote sites must go via the DC router to get to the firewall?

You seem to be expecting the remote sites to be able to go straight to the firewall but if the DC router is connected to the WAN and to the firewall surely traffic coming from remote sites has to go to the DC router first?

Perhaps if you could draw a topology diagram that would help clarify.

Jon
