6075 Views | 0 Helpful | 5 Replies

Cisco to Azure via expressroute

networkops3 (Level 1)

Does anyone have any real-world experience of implementing Azure MS ExpressRoute using multiple dedicated circuits, routing private address space over eBGP (private peering) and connecting to public services over eBGP (public peering)?

I have a few ideas regarding private peering, e.g. as your Azure environment is seen as an extension of your own network, I would probably advertise my internal subnets within a VRF on my external routers and then redistribute into a separate address-family in BGP, separating this from the global RT. I'd be interested in hearing other ways this can be achieved. Or are there any performance impacts with redistribution of routes?

The public peering seems more of a problem. Does anyone have any practical examples/scenarios of how this would be configured?

Thanks

5 Replies

Hello,

just to be clear: you want private and public peering on the same device?

Either way, with the Cisco virtual router functionality (which is supported on the XR platform as far as I know), you wouldn't even need a VRF, but could simply run two separate BGP processes on the same device.

If you don't have the virtual router, VRF sounds like a good option.

With regard to public peering, the Cisco side is pretty straightforward. The link below (section 2) has a sample config for setting up eBGP peering with Microsoft.

https://docs.microsoft.com/en-us/azure/expressroute/expressroute-config-samples-routing

Not sure if this is in any way useful, but I have also included a link to a document that describes how to set up private and public peering using the Azure portal and the Resource Manager:

https://docs.microsoft.com/nl-nl/azure/expressroute/expressroute-howto-routing-portal-resource-manager

Hi Georg,

Thank you for your reply. Unfortunately I don't have access to the XR code, only XE. I do not believe I can have multiple BGP sessions using XE? (Correct me if I'm wrong.)

I have seen the Microsoft docs previously and they do appear straightforward at first glance; however, their approach does not factor in security from the customer-premises viewpoint and is rather simplified.

From what I gather, the public peering allows users to access MS public services/addresses using the dedicated ExpressRoute. The relevant subnets from MS would be advertised through eBGP.

As a hypothetical: if I had a firewall in multiple-context mode with all internal traffic having a default route to the primary context, and I wanted to create a new context for cloud services (public peering), how would I be able to direct all traffic to Azure public services without using specific static routes?

MS public <---expressroute--->edge router <---FW (multiple contexts)--->L3 switch<---INTERNAL users

networkops

Hello,

as far as I remember, the ASA in multiple context mode supports only one global AS, similar to one AS for all address families in IOS.

Either way, what Cisco router do you have on your edge?

Currently have the ASR1001-X series.

What you're describing is exactly what I'm in the middle of configuring with exactly the same devices. Our ISP is presenting our ExpressRoute connection as a VLAN down our connection to them, so I'm having to peer with our perimeter routers or introduce some layer 2 between our routers and theirs. What I've settled on is our internet traffic will route via the global table on our ASRs and I'm pulling the Azure private routes into a VRF, ultimately presenting it at our perimeter firewalls.

Theoretically the "Azure Public" peering could be implemented the same way, within a VRF or just hit the global table. We have no plans to implement the public peering down ExpressRoute because of the amount of bandwidth we have to our ISP.
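The VRF approach the original poster sketches and the last reply describes (Azure private routes in a VRF, Internet in the global table), as an added example configuration that is not from any post in this thread. It assumes an IOS XE router such as the ASR1001-X, placeholder addresses, VLAN IDs and customer ASN 65010, Microsoft's ExpressRoute ASN 12076, and that the Azure VNet space is RFC 1918; the single IOS XE BGP process carries the Microsoft neighbor inside a VRF address family (many sessions, one process), so Azure routes never enter the global RIB, and the prefix lists keep the exchange to the subnets you intend to expose.

```cisco
! Added example (not from any post in this thread): IOS XE edge router,
! ExpressRoute private peering terminated in VRF AZURE_PRIV, Internet in
! the global table. Addresses, VLAN IDs and ASN 65010 are placeholders;
! ASN 12076 is Microsoft's ExpressRoute ASN (assumed from Microsoft docs).
vrf definition AZURE_PRIV
 rd 65010:100
 address-family ipv4
 exit-address-family
!
! The provider hands the circuit over as a VLAN on the uplink
interface TenGigabitEthernet0/0/0.100
 description ExpressRoute private peering (primary circuit)
 encapsulation dot1Q 100
 vrf forwarding AZURE_PRIV
 ip address 192.0.2.1 255.255.255.252
!
! VRF-side leg toward the perimeter firewall context for cloud traffic
interface TenGigabitEthernet0/0/1.200
 description To firewall (Azure context)
 encapsulation dot1Q 200
 vrf forwarding AZURE_PRIV
 ip address 192.0.2.9 255.255.255.252
!
! Only the intended on-premises summary leaves; only RFC 1918 space
! no more specific than /24 is accepted back. Everything else is dropped.
ip prefix-list TO-AZURE seq 10 permit 10.10.0.0/16
ip prefix-list FROM-AZURE seq 10 permit 10.0.0.0/8 le 24
ip prefix-list FROM-AZURE seq 20 permit 172.16.0.0/12 le 24
route-map TO-AZURE permit 10
 match ip address prefix-list TO-AZURE
route-map FROM-AZURE permit 10
 match ip address prefix-list FROM-AZURE
!
router bgp 65010
 bgp log-neighbor-changes
 ! One IOS XE BGP process, but the Azure neighbor lives in the VRF
 ! address family, so its routes stay out of the global RIB.
 address-family ipv4 vrf AZURE_PRIV
  neighbor 192.0.2.2 remote-as 12076
  neighbor 192.0.2.2 description Microsoft private peering
  neighbor 192.0.2.2 activate
  neighbor 192.0.2.2 route-map FROM-AZURE in
  neighbor 192.0.2.2 route-map TO-AZURE out
  neighbor 192.0.2.2 maximum-prefix 200
  network 10.10.0.0 mask 255.255.0.0
 exit-address-family
!
! The summary must exist in the VRF RIB for the network statement to fire
ip route vrf AZURE_PRIV 10.10.0.0 255.255.0.0 192.0.2.10
```

Verify with `show bgp vpnv4 unicast vrf AZURE_PRIV summary` and `show ip route vrf AZURE_PRIV`; the global `show ip route` should contain no Azure prefixes. A second circuit repeats the subinterface and neighbor lines with its own /30.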
