01-30-2014 12:36 PM - edited 03-04-2019 10:13 PM
I have a router at a datacenter, we will call MAIN-ROUTER, which is advertising default routes over BGP to remote sites, for which we will only concentrate on one and call REMOTE-ROUTER. Directly connected to the MAIN-ROUTER is an ASA firewall called MAIN-FIREWALL. This firewall is connected to the Internet and is the gateway for the entire network. The router needs to advertise the loopback address of the MAIN-FIREWALL to the REMOTE-ROUTER, but it doesn't. It advertises itself. Here are more details:
MAIN-ROUTER IP is 192.168.101.3
It is directly connected to MAIN-FIREWALL, which is 192.168.101.1
MAIN-FIREWALL has a loopback of 1.1.1.1 that all routers hit in order to reach the Internet
MAIN-ROUTER has these static routes:
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 1.1.1.1 255.255.255.255 192.168.101.1
(so 1.1.1.1 is its default route, and it knows how to get there)
What I want is MAIN-ROUTER to advertise the 1.1.1.1 route exactly as it appears in its own routing table. It should appear like this in REMOTE-ROUTER's table:
B* 0.0.0.0/0 [200/0] via 1.1.1.1, 00:27:58
But instead it appears like this:
B* 0.0.0.0/0 [200/0] via 192.168.101.3, 00:27:58
MAIN-ROUTER is electing itself as the default route, and that's bad because all traffic bound for the Internet is passing through MAIN-FIREWALL twice.
The idea behind all this is that there is a second datacenter that is also advertising the default route but with a lower weight, so when the main site goes down, all the remote routers grab the backup site's route and continue operating. It all works just fine, but the load on the firewalls is twice what it should be.
MAIN-ROUTER BGP CONFIG:
I need one of three things:
A way to force BGP to advertise the default route exactly as it appears in the routing table.
A way to force BGP to advertise an arbitrary route of my choice.
If all this is impossible, I need a better solution for failover.
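One way to do the second option, as an added Cisco IOS illustration that is not part of the original post: an outbound route-map on MAIN-ROUTER that rewrites the next hop of 0.0.0.0/0 to 1.1.1.1 before it is sent to REMOTE-ROUTER. The iBGP neighbor address 10.0.0.2, the AS number 65000 and the prefix-list/route-map names are assumed placeholders.

```cisco
! Added illustration, not configuration from the original post.
! Assumed: neighbor 10.0.0.2 is REMOTE-ROUTER, AS 65000 is the local AS,
! and the names DEFAULT-ONLY / NH-FIREWALL are made up for this example.
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
route-map NH-FIREWALL permit 10
 match ip address prefix-list DEFAULT-ONLY
 set ip next-hop 1.1.1.1
!
route-map NH-FIREWALL permit 20
 ! every other prefix is advertised unchanged
!
router bgp 65000
 neighbor 10.0.0.2 route-map NH-FIREWALL out
!
! Check that "neighbor 10.0.0.2 next-hop-self" is not also configured for this
! peer, since that is the usual reason the default shows up via 192.168.101.3.
! REMOTE-ROUTER must have its own route to 1.1.1.1 (the post says every router
! reaches the firewall loopback); without one BGP marks the default inaccessible.
! Verify on REMOTE-ROUTER:  show ip bgp 0.0.0.0 0.0.0.0
```

Forwarding from REMOTE-ROUTER still resolves 1.1.1.1 recursively through whatever path it already has to the firewall loopback, so this changes the advertised next hop, not the physical path the packets take.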
01-30-2014 05:28 PM
MAIN-ROUTER is electing itself as the default route, and that's bad because all traffic bound for the Internet is passing through MAIN-FIREWALL twice.
What do you mean by this?
If the DC router is advertising the default route via BGP across the WAN then surely remote sites must go via the DC router to get to the firewall?
You seem to be expecting the remote sites to be able to go straight to the firewall, but if the DC router is connected to the WAN and to the firewall surely traffic coming from remote sites has to go to the DC router first?
Perhaps if you could draw a topology diagram that would help clarify.
Jon