08-06-2009 02:31 AM
Is it possible in ScreenOS to receive BGP routes that have the local AS in the path? The peering is an eBGP session to a provider's MPLS core. I have a number of sites that are all attached to this MPLS core, which must share the same AS.
The problem is that 'sitea' sends routes with an AS path that contains the AS of 'siteb'. Ordinarily BGP sees this as a routing loop and the route will not be installed in the RIB or the routing table.
In Junos I'd use the as-override. Quoting from the Junos doco:
"Enabling the AS override feature allows routes originating from an AS to be accepted by a router residing in the same AS. Without AS override enabled, the router refuses the route advertisement once the AS path shows that the route originated from its own AS. This is done by default to prevent route loops. The as-override statement overrides this default behavior."
Is there an equivalent in ScreenOS?
08-06-2009 03:47 AM
Not that I know ...
But maybe your provider is willing to set it on his PEs? That's actually also the place to have it (and not on the CPE). This will replace <youras> with <hisas>.
If not, maybe he's willing to accept a different AS on every location.
You could also ask the provider to announce a default route at every site. This would allow you any-2-any connection again, but gives you no view on "active routes". Makes it also a bit more complicated, if you have e.g. redundant "exits" (e.g. FWs) into the internet or even the MPLS cloud.
08-06-2009 01:44 PM
Thanks for your reply. Given that the MPLS cloud is actually 'my' MPLS cloud and I have control of it, I possibly could do some path mangling on the PE. The default route idea is a good one, but won't work in my case, as I have to load balance the traffic leaving the NetScreen.
If I can override the AS at the NetScreen it will make things much easier.
08-07-2009 03:12 AM
Sounds like multiple links, maybe from different PEs as well? The cleanest -I think- is in this scenario as-override on the PE and setting site-of-origin/extcommunity:sso to avoid any routing loops. Doing it on the CE (your NetScreen box) might not be the right place.
11-20-2009 02:10 PM
Anyone else run into this? For various reasons, I can't do this on the PE. All I want to do is the equivalent of Cisco's allowas-in.
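
Added example, not part of any post in this thread: a small Python model of the eBGP AS_PATH loop check discussed above, showing the same route rejected by default, accepted when as-override is applied on the PE, and accepted when the CE tolerates its own AS in the style of allowas-in. The AS numbers, prefix and function names are constructed for illustration, and the core is assumed to carry the route between PEs without changing the AS_PATH.

```python
# Added illustration: AS numbers and function names are constructed, not from the thread.
CUSTOMER_AS = 65001  # private AS shared by every customer site (constructed)
PROVIDER_AS = 65000  # private AS of the MPLS core (constructed)


def ce_to_pe(prefix):
    """Site CE originates a prefix and advertises it to its PE over eBGP."""
    return {"prefix": prefix, "as_path": [CUSTOMER_AS]}


def pe_to_ce(route, peer_as, as_override=False):
    """Remote PE advertises the route to its CE over eBGP.

    Assumption: the core carried the route PE-to-PE over iBGP, so the
    AS_PATH arrives here unchanged.
    """
    path = list(route["as_path"])
    if as_override:
        # as-override: occurrences of the peer's AS become the PE's own AS
        path = [PROVIDER_AS if asn == peer_as else asn for asn in path]
    # Normal eBGP behaviour: prepend the local AS on export
    return {"prefix": route["prefix"], "as_path": [PROVIDER_AS] + path}


def ce_accepts(route, local_as, allowas_in=0):
    """Inbound loop check on the CE.

    By default any occurrence of the local AS marks a loop. allowas_in
    tolerates up to that many occurrences (Cisco allowas-in semantics).
    """
    return route["as_path"].count(local_as) <= allowas_in


def site_b_view(as_override=False, allowas_in=0):
    """Return (AS_PATH seen by site B, whether site B installs the route)."""
    route = pe_to_ce(ce_to_pe("10.1.0.0/16"), CUSTOMER_AS, as_override)
    return route["as_path"], ce_accepts(route, CUSTOMER_AS, allowas_in)


if __name__ == "__main__":
    for label, kwargs in [("default", {}),
                          ("as-override on PE", {"as_override": True}),
                          ("allowas-in 1 on CE", {"allowas_in": 1})]:
        path, ok = site_b_view(**kwargs)
        print(f"{label:20} AS_PATH={path} accepted={ok}")
```

With as-override the CE's loop check stays at its default and the rewrite happens on the PE, whereas the allowas-in style setting relaxes the check on the CE itself.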