Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4080
Views
4
Helpful
29
Replies

BGP path selection issue with AS prepend

Najib Akbari
Level 1
Level 1

‎08-28-2024 02:48 PM

Hi,

I have site ASA 1.1.1.1 and tunneled with static route to two Fortigate FW1 and FW2. each FW linked to LAN via Core SW -> VeloCloud SD-WAN, so both FW 1&2 has BGP neighborship with Core SW and Core SW with VeloCLoud A and B and to make A path less preferable I prepend the ASA subnet 192.168.168.0/24 ( redistributed as static into BGP ) route with FW1 ASN so from C prespective, the route from B path be more preferable but C site Core switch BGP prefers A even though it has longer AS-Path. i have limited knowledge of Velo-Clouds and i checked BGP settings on core switches and fortigate and no other attributes are affecting best-path decision unless something going on on VeloCloud and i do not know how to check. please advise

attached is the topology 

Labels:
Preview file
57 KB
0 Helpful
29 Replies 29

Najib Akbari
Level 1
Level 1
In response to MHM Cisco World

‎08-29-2024 02:20 PM

i agree with summary, but this is bugging me why AS-Path prepend not working.

weight is locally significant to the router so can not use it.

i dnt understand your last part

0 Helpful

MHM Cisco World
VIP
VIP
In response to Najib Akbari

‎08-29-2024 02:35 PM - edited ‎09-02-2024 08:44 AM

MHM

0 Helpful

Najib Akbari
Level 1
Level 1
In response to MHM Cisco World

‎08-29-2024 02:45 PM

yes next hope is reachable otherwise when i disabled Site A, then it would't add site B to the routing table. and for the weight, again it is locally significant so i can not do it one by one on all sites its not scalble, plus the core switch on site C has no record of the route from site B when run "sh ip bgp" until site A is down

0 Helpful

MHM Cisco World
VIP
VIP
In response to Najib Akbari

‎08-29-2024 02:51 PM - edited ‎09-02-2024 08:45 AM

MHM

0 Helpful

Najib Akbari
Level 1
Level 1
In response to MHM Cisco World

‎08-29-2024 03:04 PM

I agree, and I have no knowledge tshoot the SDWAN device

MHM Cisco World
VIP
VIP
In response to Najib Akbari

‎08-29-2024 03:09 PM

Just contact SDWAN team to prefer path you want.

MHM

0 Helpful

Najib Akbari
Level 1
Level 1

‎08-31-2024 04:07 PM

I spoke with our consultant and it is confirmd the SDWAN VC overrides the as-prepend and choose its own path! So that is cleared and I can fix it with aggregate address.

Initially as I described I used route-based VPN S-VTI two tunnels on ASA and uses static route towards FW1 and FW2 and vise versa prefering one tunnel over another with metric. on FW1 and FW2 redistributed static into the BGP for ASA subnets.

now what if I choose BGP end to end, which I can do it, in this case no more static route. the question is, is there any consideration and concerns here? since it is ASA dual TUnnel is there anything to do? do i need to do address aggregation again to prefer certain path or leave it to BGP decision since Im not limitted with static route on ASA? of course to avoid ASA become transit I will use route-map to avoid route advertisement of subnets received from one tunnel BGP link to another BGP link tunnel.

I am going to use one BGP process and establish two neighborship with FW1 and FW2

please advise. Thanks

Najib Akbari
Level 1
Level 1

‎08-31-2024 05:10 PM - edited ‎08-31-2024 05:35 PM

Well after doing some test with end 2 end BGP, apparently I might be dealing with sub-optimal routing  if I leave BGP default behavor in tact ? like there might be a scenario ASA choose FW1 link as its outgoing link and other BGP nodes in the topology chooses FW2 for traffic towards ASA ?!   ( of course considering the SDWAN override is not in the picture )

and if thats the case what do I do to mitigate this potential risk ?

0 Helpful

MHM Cisco World
VIP
VIP
In response to Najib Akbari

‎09-01-2024 12:21 AM - edited ‎09-02-2024 08:46 AM

MHM

Najib Akbari
Level 1
Level 1
In response to MHM Cisco World

‎09-01-2024 09:40 AM

Thank you! Im aware of this config. As i stated before, i want to use end to end BGP which is supported by ASA route based vpn and looking for advise if this might be an issue of sub-optimal routing or any other thing to be considered if i leave it with default BGP config? I can do the aggregate so it prefers one path over other, but wondering if any other advise regarding this scenario to be considered? Since we are dealing with two physical path here 

0 Helpful

MHM Cisco World
VIP
VIP
In response to Najib Akbari

‎09-01-2024 10:12 AM - edited ‎09-02-2024 08:46 AM

MHM

0 Helpful

Najib Akbari
Level 1
Level 1
In response to MHM Cisco World

‎09-01-2024 09:25 PM

i want to use BGP

MHM Cisco World
VIP
VIP
In response to Najib Akbari

‎09-02-2024 01:33 AM - edited ‎09-02-2024 08:47 AM

MHM

0 Helpful

Najib Akbari
Level 1
Level 1
In response to MHM Cisco World

‎09-02-2024 08:37 AM

Thanks for the effort! but this is not my scenario and I did not ask for its solution and in my opinion what you have described is not going to work. if C adv same subnet as ASA with same specs then the middle nodes will divide traffic between ASA and C.

In my scenario ONLY ASA advertise a subnet but to both FW1 and FW2 and since it has two links which basically its physical loop then I simply asked if anyone in the community can advise me on anything to be considered. other that that I have implemented like this:

- ASA adv aggregated to FW1 and adv specific to FW2 to control incoming traffic

- with LP or wight it control outgoing traffic

- ran BGP end to end with VTI

0 Helpful

MHM Cisco World
VIP
VIP
In response to Najib Akbari

‎09-02-2024 08:47 AM

I make review  check  my suggestion in your previous post.

Goodluck 

MHM

0 Helpful
Customers Also Viewed These Support Documents