This seems exactly to be an issue of asymmetric routing. As Tushar mentioned, stateful firewalls don't like this. Looking at your configs roughly, it seems you are using Local Pref to control egress traffic. You would keep local pref for the primary BGP session higher than the secondary connection on the received routes. But I also noticed there is no route map to influence traffic from AWS to ASA. You would need to either advertise AS_PATH prepend or BGP Communities to influence the path from AWS to ASA and ensure it is the same as egress. https://docs.aws.amazon.com/directconnect/latest/UserGuide/routing-and-bgp.html#bgp-communities-private-transit
This AWS article discusses how to use AS_PATH prepend or Communities. https://repost.aws/knowledge-center/active-passive-direct-connect
This Cisco article shows you an example of how to use communities and create route-maps. https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/28784-bgp-community.html
Here are some good reads from Cisco on working with BGP. https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13762-40.html
Hi Azeem, thank you for the reply. So basically you're saying that, due to the firewall being stateful and not being able to do asymmetric routing, you recommend doing just active/passive?
If so, could you please help me with how to apply the local preference and community for this? I'm unsure if this is the right way or if I should reverse the in/out statements.
route-map LOCAL-PREF-AWS permit 10
 set local-preference 200
route-map LOCAL-PREF-AWS-300 permit 10
 set local-preference 300
route-map COMMUNITY-HIGH-PREF permit 10
 set community 7224:7300
route-map COMMUNITY-LOW-PREF permit 10
 set community 7224:7100
router bgp 65532
 bgp log-neighbor-changes
 bgp graceful-restart
 address-family ipv4 unicast
  neighbor 169.254.96.1 remote-as 64520
  neighbor 169.254.96.1 password *****
  neighbor 169.254.96.1 fall-over bfd
  neighbor 169.254.96.1 activate
  neighbor 169.254.96.1 weight 500
  neighbor 169.254.96.1 route-map LOCAL-PREF-AWS in
  neighbor 169.254.96.1 route-map COMMUNITY-LOW-PREF out
  neighbor 169.254.96.9 remote-as 64520
  neighbor 169.254.96.9 password *****
  neighbor 169.254.96.9 fall-over bfd
  neighbor 169.254.96.9 activate
  neighbor 169.254.96.9 weight 550
  neighbor 169.254.96.9 route-map COMMUNITY-HIGH-PREF in
  neighbor 169.254.96.9 route-map LOCAL-PREF-AWS-300 out
  network 10.1.0.0 mask 255.255.0.0
Many thanks.
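The rule from the answer above (local preference applied inbound to steer egress, AWS communities applied outbound to steer ingress, and both pointing at the same link) can be checked mechanically before a change is pushed. The Python lint below is an added example, not code from this thread or from AWS/Cisco; it re-types the configuration in the question as constructed sample input, assumes the AWS Direct Connect community 7224:7300 means "prefer this link" (as in the doc linked in the answer), and uses the Cisco best-path order in which weight is compared before local-preference.

```python
# Active/passive Direct Connect lint: the neighbor that wins egress (weight, then inbound
# local-preference) must be the one told to AWS as preferred via the 7224:7300 community.
import re
# Constructed sample: the configuration posted in the question above, re-typed.
SAMPLE_CONFIG = """
route-map LOCAL-PREF-AWS permit 10
 set local-preference 200
route-map LOCAL-PREF-AWS-300 permit 10
 set local-preference 300
route-map COMMUNITY-HIGH-PREF permit 10
 set community 7224:7300
route-map COMMUNITY-LOW-PREF permit 10
 set community 7224:7100
router bgp 65532
 neighbor 169.254.96.1 weight 500
 neighbor 169.254.96.1 route-map LOCAL-PREF-AWS in
 neighbor 169.254.96.1 route-map COMMUNITY-LOW-PREF out
 neighbor 169.254.96.9 weight 550
 neighbor 169.254.96.9 route-map COMMUNITY-HIGH-PREF in
 neighbor 169.254.96.9 route-map LOCAL-PREF-AWS-300 out
"""
def parse(cfg):
    """Return (route_maps, neighbors); a neighbor stores route-map names per direction."""
    maps, nbrs, cur = {}, {}, None
    for line in cfg.splitlines():
        if m := re.match(r"route-map (\S+) permit", line):
            cur = maps.setdefault(m[1], {})
        elif cur is not None and (m := re.match(r"\s*set (local-preference|community) (\S+)", line)):
            cur[m[1]] = m[2]
        elif m := re.match(r"\s*neighbor (\S+) weight (\d+)", line):
            nbrs.setdefault(m[1], {})["weight"] = int(m[2])
        elif m := re.match(r"\s*neighbor (\S+) route-map (\S+) (in|out)", line):
            nbrs.setdefault(m[1], {})[m[3]] = m[2]
    return maps, nbrs

def lint(cfg):
    """Return findings; an empty list means ingress and egress pick the same neighbor."""
    maps, nbrs = parse(cfg)
    findings, egress, ingress = [], {}, {}
    for ip, n in nbrs.items():
        rin, rout = maps.get(n.get("in"), {}), maps.get(n.get("out"), {})
        if "community" in rin or "local-preference" in rout:
            findings.append(f"{ip}: route-map in wrong direction (local-pref goes inbound, community outbound)")
        # Cisco best-path order: weight is compared before local-preference (default 100).
        egress[ip] = (n.get("weight", 0), int(rin.get("local-preference", 100)))
        ingress[ip] = rout.get("community")
    egress_pick = max(egress, key=egress.get)
    aws_pick = [ip for ip, c in ingress.items() if c == "7224:7300"]
    if aws_pick != [egress_pick]:
        findings.append(f"asymmetric: egress via {egress_pick}, AWS told to prefer {', '.join(aws_pick) or 'no link'}")
    return findings
```

Run `lint(SAMPLE_CONFIG)` to see the two findings for the posted config; swapping the in/out route-maps on 169.254.96.9 clears them, while lowering that neighbor's weight below 500 makes egress move to 169.254.96.1 and the asymmetry finding return.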
Most firewalls are stateful in nature and do not like asymmetric routing. Some of the Next Gen firewalls do support asymmetric routing; you can enable it. You would need to check if the firewall supports asymmetric routing; if not, you can set up Active/Passive paths.
https://docs.aws.amazon.com/directconnect/latest/UserGuide/routing-and-bgp.html
I was able to find the following potential fix for the asymmetric routing in Cisco ASA: implementing zones. Will try it out and see if it fixes my issue: https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/interface-zones.html