I have an interesting problem that I haven't found a satisfying solution for.
I have various remote sites connected via private circuit with OSPF, and then IPSec VPN with eBGP learned routes. The administrative distance of eBGP is 20, and the administrative distance of OSPF is 30. I believe these are the defaults.
Right now, if there are two paths to a site, my firewall will always chose the eBGP route. I have sites where I want the eBGP route to be the backup to the OSPF. I haven't been able to get that to work. Is there anything I can do in OSPF or BGP to make a route learned by that protocol more or less desirable than a path learned by the other protocol?
I have been able to get this to "sort of" work by using static routing with path monitoring to "force" the OSPF path to be taken when it is available. This works, but takes significantly more configuration than what I would like, and is essentially replacing OSPF with static routing in that case.
Anyone have any better ideas?
I am thinking of building my IPSec tunnel to a different VR, and then the route can be shared between the new VR and the default VR via OSPF. I can then have a higher OSPF cost between the VR.
Solved! Go to Solution.
You should be able to make that route less likeable. In PAN BGP i think its called the MED value. But that is sent prior to the PAN, in Cisco you can prepend the route.
BGP > Conditional Adv > Advertise Filters
Hope that helps.
Is there any way you can make the OSPF routes more specific than the BGP routes? Do some summarization with BGP when you export the prefixes to a peer? If the routes are the same, then administrative distance is used to determine which to use and will take the lower value.
You can change the administrative distance of the routing protocols but that would affect the entire virtual router.
You could change the Administrative Distances on the firewall virtual routerr.
Network -> Virtual Router -> Router Setting -> Administrative distances.
Yeah, but that would be a global change, instead of allowing me to be more selective, and I would end up with other routes not being what I want, so that isn't really a solution.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!