
Advice needed in migrating existing BGP from Core router to VTI

fahai8
Level 1

Hello everyone, I am currently working on a solution for one of our customers who wishes to replace the existing BGP connection with our Core router over a leased line. Instead, they are interested in establishing a Virtual Tunnel Interface (VTI) between the Firewalls. We currently advertise several networks over the existing BGP link, and I'm contemplating how to replicate this connectivity within our Firewall while setting up BGP over a VTI between the customer's Firewall and our own. One approach I'm considering is to create an iBGP connection between our Core router and the ASA Firewall. This would allow me to advertise the subnets to the Firewall. I am seeking advice on the best practices for migrating the current BGP setup from the Core router to the ASA Firewall. Specifically, I want to ensure that we can continue to advertise and receive the same routes that were previously managed through the leased line eBGP connection. Thank you for your insights and assistance.


Hello!

I would first check the BGP capabilities of your firewall. Which ASA is it? If you have a large routing table the ASA is maybe not the best place to migrate to. 

Regarding the migration, I would do it the following way:
- Establish iBGP with the current CORE
- Create the VTI from the customer site to your firewall and establish eBGP over it
- Set the local preference inside a route-map inbound on the customer-to-ASA peer so that the routes you receive over the ASA have a lower preference
- And the last step would be to turn off the eBGP from CORE to the customer (this would cause a smaller disruption of services)

BR

****Kindly rate all useful posts*****
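
A sketch of the ASA side of the steps in the reply above, as an added example that is not part of the thread or anyone's production configuration. All AS numbers, addresses, object names and the pre-shared key placeholder are constructed assumptions; the inbound prefix-list filter and `next-hop-self` toward the core are additions the reply does not mention.

```cisco
! Constructed values (assumptions, not from the thread):
!   AS 65001 = our AS, AS 65010 = customer AS, 10.0.0.1 = core router,
!   203.0.113.2 = customer firewall public IP, 169.254.10.0/30 = VTI link,
!   192.0.2.0/24 = the only prefix expected from the customer.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal VTI-PROP
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec profile VTI-PROFILE
 set ikev2 ipsec-proposal VTI-PROP
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK-PLACEHOLDER>
 ikev2 local-authentication pre-shared-key <PSK-PLACEHOLDER>
!
! Step 2: the VTI toward the customer firewall
interface Tunnel1
 nameif vti-customer
 ip address 169.254.10.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
! Step 3: accept only the expected customer prefix and mark it less
! preferred than the default local preference of 100
prefix-list CUSTOMER-IN seq 10 permit 192.0.2.0/24
route-map FROM-CUSTOMER-VTI permit 10
 match ip address prefix-list CUSTOMER-IN
 set local-preference 90
!
router bgp 65001
 address-family ipv4 unicast
  ! Step 1: iBGP to the core; next-hop-self so the core does not need
  ! a route to the VTI link address
  neighbor 10.0.0.1 remote-as 65001
  neighbor 10.0.0.1 next-hop-self
  neighbor 10.0.0.1 activate
  ! Step 2/3: eBGP over the VTI with the inbound route-map applied
  neighbor 169.254.10.2 remote-as 65010
  neighbor 169.254.10.2 route-map FROM-CUSTOMER-VTI in
  neighbor 169.254.10.2 activate
```

With local preference 90 carried over iBGP, the core keeps preferring its existing eBGP routes until that session is turned off; `show crypto ikev2 sa` and `show bgp summary` on the ASA confirm the tunnel and both peerings are up before that last step.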

balaji.bandi
Hall of Fame

What you are thinking of is achievable as long as the tunnel is stable and working as expected.

Check this example, which I used for reference when I was doing a PoC long ago between routers (in your case one side is the firewall and the other side the core router). Check the guidelines of the IOS and ASA code you are using (any limitations).

https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/118977-config-ebgp-00.html

BB

***** Rate All Helpful Responses *****
