Stop receiving default route via BGP

Author
gradius85
2019/10/28 11:50:59 (permalink)


I currently do not have a default IPv6 static route installed; however, it appears BGP is installing a default route out to my ISP. If I were to apply a default static IPv6 route out, would I stop receiving this auto populated route?
 
I ask, because I am getting route to install another ISP and I do not want two equal default paths. I do not want to perform load-balancing.
 
I am looking for suggestions.
#1


    emnoc
    Re: Stop receiving default route via BGP 2019/10/28 12:35:08 (permalink)
    Build a prefix-list and set it on inbound for that peer.
     
    E.g.
     

    config router prefix-list6
        edit "dropit"
            config rule
                edit 1
                    set prefix6 ::/0
                next
            end
        next
    end

    config router route-map
        edit "dropinfromISP1"
            config rule
                edit 1
                    set match-ip6-address "dropit"
                next
            end
        next
    end

    config router bgp
        set as 5706
        config neighbor
            edit 1.x.x.x
                set remote-as 174
                set route-map-in6 "dropinfromISP1"
            next
        end
    end
     
    The above would allow just that prefix in the bgp6 table; if you wanted to drop it, change to deny and maybe add a permit for anything else. Test the match statements and give it a try.
     
    Ken Felix

    PCNSE, NSE, Forcepoint, StrongSwan Specialist
    #2
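A variant of the filter above that keeps every IPv6 prefix from the peer except the default route, added here as an example and not part of emnoc's post. The neighbor address 2001:db8::1 and the AS numbers 64496/64500 are documentation placeholders, and the route-map rule assumes FortiOS accepts match-ip6-address for IPv6 prefix lists.

```text
config router prefix-list6
    edit "no-default-v6"
        config rule
            edit 1
                set action deny
                set prefix6 ::/0
            next
            edit 2
                set action permit
                set prefix6 any
            next
        end
    next
end

config router route-map
    edit "in-from-isp1-v6"
        config rule
            edit 1
                set action permit
                set match-ip6-address "no-default-v6"
            next
        end
    next
end

config router bgp
    set as 64496
    config neighbor
        edit "2001:db8::1"
            set remote-as 64500
            set route-map-in6 "in-from-isp1-v6"
        next
    end
end
```

The ::/0 advertisement is denied by prefix-list rule 1, so it fails the route-map match and falls to the route-map's implicit deny, while every other prefix matches rule 2 and is accepted. After the session is refreshed, `get router info6 routing-table` should show the BGP routes from that peer but no ::/0 learned via BGP.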
    gradius85
    Re: Stop receiving default route via BGP 2019/10/29 07:53:50 (permalink)
    Just to make sure I fully understand - you are suggesting to create an Access Control List (ACL) to block the inbound route. Then I would apply a default static route out, which would have an AD of 1 or 0 and a metric/priority of 0?
     
    The end idea - after the second ISP is installed, I want to put a policy route for some of my Class C blocks being advertised by my ISP via BGP to route out via a specific ISP link. I can run with asymmetric routing with no problem, or so I think. I noticed in some documentation that you can turn on 'set asymmetric enable', but how can you tell in the logs if your firewall is dropping traffic due to asymmetric routing?
    #3
    emnoc
    Re: Stop receiving default route via BGP 2019/10/29 09:40:27 (permalink)
    Not sure what you are trying to do, but back to 2x ISP: your firewall is not going to load-balance unless you enable ECMP.
     
    As far as policy-based routing, yes you can try that, but I suspect asymmetrical routing will become an issue if you're advertising the NETWORK via 2x ISP BGP peers.
     
    Also, heed the FortiOS warning, especially with UDP datagrams. You're traveling into territory that is dangerous.
     
    https://kb.fortinet.com/kb/documentLink.do?externalID=FD39943
     
    Suggestion:
     
    Can you not just use SDWAN and apply specific SDWAN rules for those destinations that you want to route?
     
    https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/22371/sd-wan-rules-best-quality
     
    I never used BGP SDWAN interfaces, but I do not see why this would not work.
     
    Ken Felix

    PCNSE, NSE, Forcepoint, StrongSwan Specialist
    #4
    gradius85
    Re: Stop receiving default route via BGP 2019/10/29 10:16:58 (permalink)
    I am worried that traffic will: (1) leave ISP A (2) move around via the Internet (3) reach destination (4) return path to me is different (5) come back down ISP B.
     
    Not being a firewall guy, and having a set of ASRs replaced with 510Es to support 10Gbps, is making me think things over, so I appreciate your help. I will dig around into the BGP SDWAN interfaces as you described. I am not educated enough on the matter and would like to learn about them as well.
     
    Thank you
     
    #5
    emnoc
    Re: Stop receiving default route via BGP 2019/10/29 10:26:00 (permalink)
    Nothing you can do can control egress routing on return traffic; yes, prepending and communities can be used to "influence" route selection, but the ultimate determination rides in the BGP-path operator's arena.
     
    SDWAN sounds like the way you want to go; you could accept 2 defaults and set SDWAN rules and have automatic failover if so desired.
     
    Ken Felix

    PCNSE, NSE, Forcepoint, StrongSwan Specialist
    #6
    gradius85
    Re: Stop receiving default route via BGP 2019/11/05 09:11:25 (permalink)
    emnoc
    Nothing you can do can control egress routing on return traffic; yes, prepending and communities can be used to "influence" route selection, but the ultimate determination rides in the BGP-path operator's arena.
     
    SDWAN sounds like the way you want to go; you could accept 2 defaults and set SDWAN rules and have automatic failover if so desired.
     
    Ken Felix


    I know nothing of SDWAN - do I need to have a SDWAN link to take advantage of what you describe? I currently just have two 10Gbps Ethernet links from my service providers.
    #7