We have recently invested in an SD-WAN solution called CloudGenix. CloudGenix uses edge devices called IONs. These devices can act as routers and/or firewalls depending on your deployment design. We are currently using them just as routers. Due to security requirements and compliance, we have to run standard firewalls behind these edge ION devices to maintain a consistent security standard across the enterprise. Recently we have brought in some new ISPs with DIAs specifically for these CloudGenix devices. One thing to note: to get the actual best path outbound across multiple providers, you must allow the ION to perform your internet edge NAT.
We needed to peer BGP at our main datacenter just due to the complexity of the internet edge as we try to migrate away from some legacy ISP services. I was amazed at how easy this process was, with a few things learned along the way.
Even though we only need to take in the default route from the ISP, it's definitely a good idea to put some things in place like prefix-lists and route-maps. I personally am a CLI guy, so doing this whole process in the UI gave me the jitters since I feel like I am selling out to the “easy road”.
The first step is to make some prefix-lists like we would in the Cisco world:
Here we will create two prefix-list entries, one for our ARIN-registered public IP block and the other to allow the default route inbound from the ISP. This ensures we are only taking in the default route, so that in the event of an oops where the ISP sends us too many routes, we don't crash the device.
**CloudGenix does advise that their devices will not be able to handle taking on the entire internet BGP table.
So because I know the future, I am going to have to apply an AS-prepend to my ASN, due to the need to influence inbound preference toward my other ISP currently. So let's build that into the outbound route-map and build the inbound route-map for the ISP default route:
Two route-maps built, one for inbound and one for outbound. The inbound route-map will deny everything except the route 0.0.0.0/0, which is what we want. The outbound route-map will allow us to advertise our registered ARIN IP block with an AS-path prepend of three times. This will tell the rest of the internet that this path is less preferable, since I have NATs tied to another router that is also advertising the ARIN IP block. Wouldn’t want to cause asymmetric routing now, would we?!
So now that we have prefix-lists and have associated them with route-maps, it's time to create a BGP peering with my provider. When doing this you fill out the peer IP and the remote AS, choose the route-map that allows only the default route as the inbound route-map, and choose the route-map that advertises the ARIN IP block with the AS-prepend as the outbound route-map.
When you have completed the peering options, you can check the status of your peering with the “status” option and see that we have an Established BGP peering state. Let's also check that we are only receiving the default route from our provider. Normally the provider has mechanisms on their end to only send the default, but like I said, just in case someone makes a mistake, we are covered.
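As an added illustration (not CloudGenix's code and not the post's own configuration), here is a small Python model of the two prefix-lists and route-maps described above, run against constructed sample routes: the inbound policy keeps only an exact 0.0.0.0/0, and the outbound policy announces only our block with the three-times prepend. The ARIN block and the ASNs are placeholders.

```python
import ipaddress

# Constructed placeholders (not the post's real values): swap in your ARIN block and ASNs.
OUR_BLOCK = ipaddress.ip_network("203.0.113.0/24")  # documentation range standing in for the ARIN block
OUR_ASN = 65001                                     # private ASN placeholder for us
ISP_ASN = 64500                                     # private ASN placeholder for the provider
PREPEND = 3                                         # the post prepends three times
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

def prefix_list_match(entries, prefix):
    """IOS-style prefix-list: first matching entry decides, implicit deny at the end.
    Entry is (action, network, le); with le=None only the exact prefix length matches."""
    for action, net, le in entries:
        upper = net.prefixlen if le is None else le
        if prefix.subnet_of(net) and net.prefixlen <= prefix.prefixlen <= upper:
            return action == "permit"
    return False

# The two prefix-lists from the post, and the route-maps that reference them.
PL_DEFAULT_ONLY = [("permit", DEFAULT, None)]
PL_OUR_BLOCK = [("permit", OUR_BLOCK, None)]
RM_ISP_IN = [("permit", PL_DEFAULT_ONLY, 0)]        # (action, prefix-list, prepend count)
RM_ISP_OUT = [("permit", PL_OUR_BLOCK, PREPEND)]    # implicit deny if nothing matches

def apply_route_map(route_map, route):
    """Return the (possibly modified) route if permitted, None if dropped."""
    for action, plist, prepend in route_map:
        if prefix_list_match(plist, route["prefix"]):
            if action != "permit":
                return None
            return {"prefix": route["prefix"], "as_path": [OUR_ASN] * prepend + route["as_path"]}
    return None

def inbound_from_isp(received):
    """Only an exact 0.0.0.0/0 survives, whatever else the ISP leaks by mistake."""
    return [r for r in (apply_route_map(RM_ISP_IN, r) for r in received) if r]

def outbound_to_isp(local):
    """Only our block goes out, prepended; eBGP adds our ASN once more, so the peer sees it PREPEND + 1 times."""
    announced = [apply_route_map(RM_ISP_OUT, r) for r in local]
    return [{"prefix": r["prefix"], "as_path": [OUR_ASN] + r["as_path"]} for r in announced if r]

# Constructed sample routes: the default plus two prefixes a provider should never send us.
RECEIVED = [
    {"prefix": DEFAULT, "as_path": [ISP_ASN]},
    {"prefix": ipaddress.ip_network("0.0.0.0/1"), "as_path": [ISP_ASN]},  # not an exact default
    {"prefix": ipaddress.ip_network("198.51.100.0/24"), "as_path": [ISP_ASN, 64501]},
]
# Our registered block plus an internal range that must never be advertised.
LOCAL = [{"prefix": OUR_BLOCK, "as_path": []}, {"prefix": ipaddress.ip_network("10.0.0.0/8"), "as_path": []}]
```

Running `inbound_from_isp(RECEIVED)` returns just the default route, and `outbound_to_isp(LOCAL)` returns only the ARIN block with the ASN repeated four times in the path, which is what the peer will see.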
And there we go, the default route only. Pretty easy, right? I agree.
So while I love the CLI and I feel like I am betraying it when I use a nice UI like the one CloudGenix has built, I am OK with it when it works. To add to their nicely polished UI, CloudGenix also has a pretty nice API you can work with as well. I am just now diving into that, so maybe that's something I can write about later on.
Well, that's it for me. Thanks for reading!