04-14-2021 11:54 PM
Hi @tamilvanan ,
I would disagree with @OtakarKlier - you don't need PBF if you already running BGP. Why would you put additional complexity if you already have dynamic routing which you can control in so many ways
I don't understand what ECMP have to do in this question... I understand you use ECMP for Internet access (your default route), but on top of that we are talking about IPsec tunnels, so the routing to AWS private range as nothing to do with the ECMP (as long as you have any tunnel up 🙂 ). So I will abstract from this.
Now I understand that you are receiving the AWS prefix via BGP from all four tunnels. So all you have to do is to create import policy under the BGP. As I said with BGP you have lots of options to controll what you receive, how you receive it and what you advertise, probably the straight forward would be:
- Create one import policy for BGP peer over tunnel1
- Since you receive only one prefix, you can leave "match" tab as it is (meaning match any route received from that peer
- On "action" tab put 100 as local preference (for example)
- Create one more import below the previous one for BGP peer over tunnel2, 3 and 4
- Leave match tab as it is
- On "action" tab put 200 for local preference
This way your firewall will receive same prefix over all four tunnel, but it will prefer the route over tunnel1. If this tunnel fail, BGP peering will also fail and fw will stop receiving the prefix from tunnel1, so it will switch to the other tunnels.
Now depending what you actually try to accomplish you may want to split the second import policy and have four different policy for each bgp peer with different local pref for each.
