topic Re: How to assign custom route Tag in ASA in Network Security

How to assign custom route Tag in ASA

munaf shaikh — Thu, 15 Sep 2022 20:21:03 GMT

Dear All,

On our ASA(9.18), we are running OSPF and BGP, and are redistributing BGP routes into OSPF.

We want the redistributed routes to be tagged with a custom route tag. However, on ASA there is no option to tag routes using set command under route-map config. I know this option is available on routers.

Can someone please let me know how I can tag the redistributed routes.

I can see an option of automatic-tag, however I believe this option will assign a random tag to routes. And I am not sure whether this automatic tag is a constant value which will remain same forever or it's a variable which might get change on its own.

We do not want the tag to be changed ever, because it will create a major impact in our environment.

We will be using this custom assigned tags on our WAN router and deny the tagged routes from being redistributed into BGP.

Please also let me know if you can think of any other way to achieve this.

Please note : We do not want to create prefix lists as BGP routes might dynamically change.

Thank you in advance.

Re: How to assign custom route Tag in ASA

MHM Cisco World — Thu, 15 Sep 2022 20:26:59 GMT

the BGP-into-OSPF the prefix is by default tag with value same as BGP AS prefix come from.
for example if BGP AS-100 the prefix is auto tag with tag =100

Re: How to assign custom route Tag in ASA

munaf shaikh — Thu, 15 Sep 2022 20:37:54 GMT

That's correct, but on ASA, we have two BGP neighbors with same AS number - 12076(Azure).

One BGP peer is with Azure Private cloud and another with Azure public cloud, both have same AS number.

We want the routes which are learned from public cloud neighbor to be denied from being redistributed back into the BGP at our WAN router.

Azure--(BGP)-->ASA ---(OSPF)--->Coreswitch---(OSPF)--->WAN Router---(BGP)---->BRANCH Router

Re: How to assign custom route Tag in ASA

MHM Cisco World — Thu, 15 Sep 2022 21:12:10 GMT

BGP-into-OSPF the prefix will tag with BGP AS come from
OSPF-into-BGP with route-map (set as-path tag) the prefix will have as-path same as tag/ AS
now when other router receive prefix with as-path contain it AS number it drop this prefix (loop prevent).

Re: How to assign custom route Tag in ASA

munaf shaikh — Thu, 15 Sep 2022 21:43:06 GMT

Sorry, but I have not understood the solution.

On ASA, BGP-into-OSPF will tag routes with AS number. Ok

On WAN Router, OSPF-into-BGP, add as-path tag, which will do nothing. As as-path and the tag both will be same.

Brach routers will receive this routes from WAN router because AS number of branch routers are different than route tag (as-path tag)

Let me know if i miss anything.

Re: How to assign custom route Tag in ASA

MHM Cisco World — Thu, 15 Sep 2022 21:53:47 GMT

only add AS to your topology and I will explain to you

Re: How to assign custom route Tag in ASA

munaf shaikh — Thu, 15 Sep 2022 22:03:31 GMT

Here it is buddy.

(Azure) =={BGP 12076}==(ASA)--{OSPF 1}--(Coreswitch)--{OSPF 1}--(WAN Router) - -{BGP 65521} - - (Branch Router)

Between azure and ASA, there are 2 peers with same ASN 12076

Re: How to assign custom route Tag in ASA

MHM Cisco World — Thu, 15 Sep 2022 22:37:27 GMT

one Peer Azure send prefix and you config
BGP-into-OSPF
OSPF-into-BGP in ASA
you want the prefix learn from one peer never resend to other peer ? is may topology right ?

Re: How to assign custom route Tag in ASA

munaf shaikh — Fri, 16 Sep 2022 05:47:33 GMT

Hi Buddy,

Below is the our topology with couple of sample routes.

On ASA, 1.1.1.1 is learned from peer 1.

10.0.0.1 is learned from peer 2.

We do not want routes learned from BGP peer 1 on ASA to be advertised to Branch router.

Only the routes learned from peer 2 must be advertised to Branch router

Re: How to assign custom route Tag in ASA

MHM Cisco World — Fri, 16 Sep 2022 11:51:04 GMT

I run small lab, hope this solution for you

Re: How to assign custom route Tag in ASA

munaf shaikh — Sun, 18 Sep 2022 13:04:32 GMT

Won't this deny routes learned from both R1 and R2?

Btw i have gone with same solution to deny routes learned from both R1 and R2 on the basis of Route tag of the AS number. And then allow routes learned from R2 on the basis of prefixes

Re: How to assign custom route Tag in ASA

MHM Cisco World — Sun, 18 Sep 2022 13:25:02 GMT

according to my topology I will assume R1 is public and you want only WAN router to advertise the route from R2 and deny the route from R1?

Re: How to assign custom route Tag in ASA

MHM Cisco World — Sun, 18 Sep 2022 14:00:44 GMT

we use route-map IN and set comm for any prefix learn from R1
and then use the OSPF-into-BGP route-map to modify the tag to be 1000
in WAN we will deny any prefix with tag 1000