12-15-2014 05:55 AM - edited 03-05-2019 12:22 AM
Hello,
I am working with a group of engineers who have decided that terminating BGP to our core switch is better than re-distributing into OSPF at the edge. The reason behind this is that it would be easier to have BGP run through our Palo Alto firewall than redistribute at the edge and pass OSPF through the firewall. At the core switch, they would then redistribute into OSPF. I personally wouldn't run BGP internally to my core switch, I like the separation at the edge. They are trying to have two default gateways, so that if the primary internet link runs out that traffic will traverse the MPLS cloud to a secondary site with an internet connection.
So, my two questions are: can we not just inject a static default route into OSPF at the MPLS router? Or learn the secondary route from the other site, which would have a higher metric because it is being learned from a separate area?
My other question is, why would we not want to run BGP into the core switch? It doesn't seem like a good design practice but I can't find any documentation that says you shouldn't do it. Also, are there any different security/performance risks by running BGP to the core?
Thanks for your help!
02-20-2015 09:44 AM
So, my two questions are can we not just inject a static default route into OSPF at the MPLS router? Or, learn the secondary route from the other site and it would be a higher metric because it is being learned from a separate area?
Yes. Since each side is a different area, you should end up with two E1 routes. From the perspective of the primary site, the E1 learned from the secondary should have a higher cost, and the intra-area route should be preferred over the inter-area E1 learned from the secondary side.
The drawback is that now you have to redistribute at least 4 places (1 for each edge router, 1 for each MPLS router). With the BGP plan, redistribution happens only at the core.
My other question is, why would we not want to run BGP into the core switch?
If we're talking about just a default route that is advertised from edge to core, not really a problem. If your edge is taking full routes and wants to pass that to the core, then you could have a limitation on the number of routes your core can take (this really only applies to the dual multi-homed internet edge).
It doesn't seem like a good design practice but I can't find any documentation that says you shouldn't do it. Also, are there any different security/performance risks by running BGP to the core?
If you're only concerned with a default route and you control the Internet Edge router, then the security implications of BGP to the core are minimal. For example, since you control the Internet Edge router, the core doesn't have to worry about bad things like the edge spoofing routes, TCP issues, etc. In your case, the firewall would handle the majority of TCP-related anomalies for the edge-core BGP session (SYN floods, session hijacking, etc.). Performance impact for enabling BGP in the core should be nominal, especially if you're not dealing with full routes. You would need to ensure that the BGP TCP session gets priority on the firewall, however, as sometimes improperly sized firewalls cause packet loss.
Hope that helps
Joe
**Rate if helpful **
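To make the two guards in the accepted answer concrete, here is an added simulation (not from the thread or from any vendor) of the inbound policy a core switch would apply to its edge BGP peer: a permit list that accepts only the default route, and a hypothetical maximum-prefix ceiling that tears the session down when an edge passing full routes exceeds what the core's table can hold. All prefixes, limits and the audit log are constructed for the example.

```python
# Added example: inbound BGP policy for an edge-to-core session, simulated.
# Guard 1: a permit list (default route only, the design discussed above).
# Guard 2: a maximum-prefix ceiling for the "edge passes full routes" case.
from ipaddress import ip_network


class InboundPolicy:
    def __init__(self, permit=("0.0.0.0/0",), max_prefix=None, warn_pct=75):
        # permit=None accepts any prefix; this models an edge sending full routes
        self.permit = None if permit is None else {ip_network(p) for p in permit}
        self.max_prefix = max_prefix      # hypothetical ceiling for the core table
        self.warn_pct = warn_pct          # log a warning at this percentage of the ceiling
        self.table = set()                # prefixes accepted from this peer
        self.log = []                     # constructed audit trail for the operator
        self.session_up = True

    def accepted(self):
        """Sorted list of accepted prefixes as strings (handy for checks)."""
        return sorted(str(n) for n in self.table)

    def process(self, kind, prefix):
        """Apply one UPDATE ('announce' or 'withdraw') for one prefix.
        Returns True if the update was accepted into the table."""
        net = ip_network(prefix)
        if not self.session_up:
            self.log.append(f"drop {net}: session torn down")
            return False
        if kind == "withdraw":
            self.table.discard(net)
            return True
        if self.permit is not None and net not in self.permit:
            # The edge advertised something the core never asked for
            self.log.append(f"reject {net}: not in permit list")
            return False
        self.table.add(net)
        if self.max_prefix is not None:
            if len(self.table) > self.max_prefix:
                # Ceiling exceeded: tear down the session and flush what it sent
                self.log.append(f"teardown: {len(self.table)} > {self.max_prefix}")
                self.session_up = False
                self.table.clear()
                return False
            pct = 100 * len(self.table) / self.max_prefix
            if pct >= self.warn_pct:
                self.log.append(f"warn: {pct:.0f}% of maximum-prefix reached")
        return True
```

With the default-only policy a stray /8 from the edge is rejected and logged, while the full-routes policy survives until the fourth prefix and then drops the session, which is the failure mode to watch for on a core switch with a small table.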