Screen OS

  • 1.  More BGP Questions

    Posted 10-10-2013 19:35

    I am continuing to configure BGP on an SSG550M and would like to add a second peer.

     

    I do not know how to get this to work properly. My topology is a single AS number and /24 prefix, which I am wanting to advertise to two different ISPs (ASNs) connected to ethernet0/2 and 0/3 on my SSG550. I can get the advertisement to work just fine on one, but when I add the second one to the neighbours, routing stops working. I am using MIPs on the interface with the primary ISP and DIPs as well.

     

    The remote AS routers are configured to give me only next hop, not full table, if that matters.

     

    I have done some reading and see some discussion of loopback interfaces etc., but I do not really understand what I need to do. Ideally I'd like the one ISP (the one I have now) to receive most of the traffic, and maybe just accept traffic on the other ISP from their AS numbers (if such a thing is possible). I have no idea how to weight it or use routes to do so, but would appreciate any ideas or explanations anyone can point me to. It may of course not be possible to control it with that level of granularity, but I wondered if there are any experts out there who know.

     

    Thanks for any pointers / articles etc you can suggest.



  • 2.  RE: More BGP Questions

    Posted 10-13-2013 22:38

    Hi,

     

    As per me, the described scenario is possible. I am attaching a sample config, please check:

     

    set interface ethernet3/1 ip 1.1.1.1/24
    set interface ethernet3/2 ip 2.2.2.1/24

    set vrouter "trust-vr"
    set protocol bgp 11001
    set enable
    set neighbor 1.1.1.2 remote-as 11002
    set neighbor 2.2.2.2 remote-as 11003
    set ipv4 neighbor 1.1.1.2 activate
    set ipv4 neighbor 2.2.2.2 activate
    set ipv4 network 99.99.99.0/24 no-check

    Let me know if you have any queries. If the issue still persists, please attach the BGP config and network diagram.

     

     

    Thanks & regards,

    Venkat

    [If it helped please mark it as "Accepted Solution". Kudos will be appreciated too.]



  • 3.  RE: More BGP Questions

    Posted 10-17-2013 20:23

    Yes, this is exactly what I have done, and the BGP sessions exist, but where do I put the MIP to use the BGP injected subnet?

     

    So BGP is working as per your instructions (which is how I set it up) but I don't understand how to do the MIP.  I can do it on one or the other interface, but what do I do so it will use either interface in the event of a failure for example?



  • 4.  RE: More BGP Questions

    Posted 10-18-2013 14:27

    I would try the MIP on the server-facing interface and not on the ISP interfaces in this scenario.



  • 5.  RE: More BGP Questions

    Posted 10-20-2013 10:13

    @spuluka wrote:

    I would try the mip on the server facing interface and not on the isp interfaces in this scenario.


     

    I have never done it that way; so you can MIP on the trusted bgroup0 interfaces then, from the public to the private IPs?



  • 6.  RE: More BGP Questions

    Posted 10-18-2013 16:01

    This should be a straightforward configuration. Could you please post your BGP configuration? What do you mean by use MIPs? Is the BGP speaker behind the firewall?



  • 7.  RE: More BGP Questions

    Posted 10-20-2013 10:15

    jgu@dorado.com wrote:

    This should be a straightforward configuration. Could you please post your BGP configuration? What do you mean by use MIPs? Is the BGP speaker behind the firewall?


     

    I will do that, but basically it is exactly what you wrote above.

    BGP is enabled on ethernet0/2 and 0/3, which are two interfaces, one to one ISP and the other to another.

    Right now I have the MIPs on ethernet0/2, which are working fine, but when I enable the secondary ISP peer, routing to the BGP injected subnet stops.

     

    I also need to DIP to a pool in the BGP subnet from the trusted private subnet.



  • 8.  RE: More BGP Questions
    Best Answer

    Posted 02-26-2014 08:58

    So the end result of this, in case anyone else needs to know, is that you need to create a loopback interface, add it and the two ISP interfaces to the BGP group, then do the MIPs on the loopback interface.
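
The loopback-group approach described in this answer, sketched as an added example that is not part of the original post or of Juniper's documentation. The interface names ethernet0/2 and ethernet0/3 and the 99.99.99.0/24 prefix come from the thread; loopback.1, the Untrust/Trust zone names, the server address 10.1.1.10, the MIP and DIP addresses and DIP id 5 are assumptions, and the syntax should be checked against the ScreenOS release in use.

```screenos
# Lines starting with "#" are annotations for the reader, not CLI input.

# 1. Loopback interface in the same zone as the ISP-facing interfaces
#    (assumed: Untrust), addressed from the BGP-advertised prefix so the
#    MIP and DIP addresses belong to it and not to either ISP link.
set interface loopback.1 zone Untrust
set interface loopback.1 ip 99.99.99.1/24

# 2. Both ISP-facing interfaces join the loopback group, so traffic
#    arriving on either one can use the loopback's MIPs and DIPs.
set interface ethernet0/2 loopback-group loopback.1
set interface ethernet0/3 loopback-group loopback.1

# 3. MIP defined once, on the loopback, instead of on ethernet0/2.
#    10.1.1.10 is a constructed internal server address.
set interface loopback.1 mip 99.99.99.10 host 10.1.1.10 netmask 255.255.255.255 vrouter trust-vr

# 4. DIP pool for outbound source NAT, also taken from the advertised
#    prefix (id 5 and the address range are constructed values).
set interface loopback.1 dip 5 99.99.99.100 99.99.99.110

# 5. Policies reference the MIP and the DIP id, not an egress interface.
#    The inbound rule is limited to one service and logged rather than
#    permitting "Any" to the mapped host.
set policy from Untrust to Trust Any MIP(99.99.99.10) HTTPS permit log
set policy from Trust to Untrust Any Any Any nat src dip-id 5 permit log
```

The BGP neighbor and network statements stay as in the sample config earlier in the thread; only the MIP and DIP definitions move from the ISP interface to the loopback.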



  • 9.  RE: More BGP Questions

    Posted 02-26-2014 14:26

    Thanks for posting the final answer. 

     

    The loopback group to keep the mip working on both ISPs is a nice solution.