Dynamic Routing Using BGP

You add network tunnel groups to Secure Access to enable secure network connections to the internet and private resources. When setting up a network tunnel group, choose dynamic routing when you have a BGP peer on your on-premises router.

Dynamic routing using BGP enables the advertisement of customer-specific routes, ensuring the Secure Access tunnels can route return traffic. Without these routes, the Secure Access tunnels cannot properly route return traffic to the customer networks.

BGP Guidelines and Best Practices for Secure Access

Follow these guidelines when configuring dynamic routing for Secure Access network tunnel groups.

Secure Access BGP Configuration

BGP Peer IPs

  • SSE Side: Use an IP address within the 169.254.0.0/24 range; for example, 169.254.0.5 for the primary data center and 169.254.0.9 for the secondary data center.
  • Customer Side: Use matching IPs within the 169.254.0.0/24 range; for example, 169.254.0.6 (paired with 169.254.0.5) and 169.254.0.10 (paired with 169.254.0.9).

BGP Identifier (Router ID)

  • Do not use 169.254.0.1 as the BGP identifier.
  • Use the local router gateway address (typically in the RFC1918 space, e.g., 192.168.x.x) as the customer-side BGP identifier. Avoid using addresses in the 169.254.0.0/24 range.
    Note: Some devices refer to the BGP identifier as the Router ID.

Key Considerations for Dynamic Routing

Advantages of Using BGP Dynamic Routing

  • Automatic Route Updates: When route changes occur on the customer side, they are automatically communicated to the Secure Access side without requiring manual updates in the dashboard settings.
  • Dynamic Failover: If a tunnel on the Secure Access side goes down, the routes sent to the customer dynamically adjust, allowing seamless failover to a secondary tunnel.

Customer AS Number

  • Use any private BGP AS number in the range 64513–65534.
  • Avoid conflicts: 64512 is reserved for the SSE side.

Tunnel Redundancy and High Availability

Tunnel Group Configuration

  • A single network tunnel group can support multiple IPsec tunnels for redundancy and high availability.
  • Example: Configure five IPsec tunnels to the primary data center for ECMP and one IPsec tunnel to the secondary data center. This setup requires six BGP connections, one per IPsec tunnel.

ECMP Support

  • Secure Access supports Equal-Cost Multi-Path (ECMP) across multiple IPsec tunnels in the same network tunnel group.
  • To enable ECMP, create multiple IPsec tunnels in the same data center and advertise the same prefix on all BGP connections associated with that network tunnel group.

Device Aggregation

  • Do not aggregate multiple IPsec tunnels from different devices in the same network tunnel group. All tunnels must originate from the same network device.

Route Advertisement by Secure Access

  • Routes advertised by Secure Access carry an AS path length of 1 for primary tunnels and 2 for secondary tunnels.
  • This allows customers to install all received routes in their Forwarding Information Base (FIB) and switch between primary and secondary routes based on the routing decision.

Connecting Multiple Devices in HA to Secure Access

  • Secure Access allows you to connect multiple HA routers from the same branch to Secure Access, either in Active/Active mode or Active/Standby mode.
  • The two devices should advertise the same set of routes to Secure Access and use the AS path length to define the device priority; prepend to the AS path on Standby devices so that their routes carry a longer path.
  • All IPsec tunnels from all HA routers should belong to the same Network Tunnel Group.
    • For example, if you want to connect two devices to Secure Access in Active/Active mode, use the same AS path length for all routes advertised by the two devices.
    • If you want the devices to be in Active/Standby mode, advertise routes from your Active device with a shorter AS path length (e.g. length of 1 for routes coming from the Active device and 2 for routes coming from the Standby device).
  • You can connect as many HA routers as you want to Secure Access but you are limited to 10 IPsec tunnels overall for a Network Tunnel Group.
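The two preference mechanisms described above (Secure Access advertising an AS path length of 1 on primary and 2 on secondary tunnels, and HA branch routers prepending the AS path on the Standby device) both come down to the same BGP rule: install every received route, forward over the shortest AS path, and fall back to the next-shortest when that route is withdrawn. The simulation below is an added example, not code from this page or from Cisco Secure Access; the prefixes, tunnel names and the customer AS 65001 are constructed, and the AS_PATH tuples are built only so that their lengths match the text.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Route:
    prefix: str       # destination prefix
    as_path: tuple    # AS_PATH as received; its length decides preference here
    tunnel: str       # IPsec tunnel / BGP session the route was learned over
    up: bool = True   # False once the tunnel is down and the route withdrawn


def install_fib(routes):
    """Install every received route and return, per prefix, the candidates
    ordered best-first (shortest AS path first). Backup routes stay in the
    table so that failover needs no re-learning."""
    fib = {}
    for r in routes:
        if r.up:
            fib.setdefault(r.prefix, []).append(r)
    for cands in fib.values():
        cands.sort(key=lambda r: len(r.as_path))
    return fib


def active_tunnels(fib, prefix):
    """Tunnels that currently forward traffic for `prefix`: every candidate
    sharing the shortest AS path length (ECMP across primary tunnels), or an
    empty set if no route is left for the prefix."""
    cands = fib.get(prefix, [])
    if not cands:
        return set()
    shortest = len(cands[0].as_path)
    return {r.tunnel for r in cands if len(r.as_path) == shortest}


def tunnel_down(routes, tunnel):
    """Simulate a tunnel failure: routes learned over it are withdrawn."""
    return [replace(r, up=False) if r.tunnel == tunnel else r for r in routes]


def prepend(as_path, asn, count=1):
    """AS_PATH prepend, as a Standby HA device applies before advertising."""
    return (asn,) * count + as_path


# --- Constructed scenario 1: routes received from Secure Access -------------
SSE_AS = 64512                 # Secure Access side AS (from the page)
SSE_PREFIX = "10.200.0.0/16"   # constructed prefix advertised by Secure Access
SSE_ROUTES = [
    Route(SSE_PREFIX, (SSE_AS,), "primary-tunnel-1"),           # path length 1
    Route(SSE_PREFIX, (SSE_AS,), "primary-tunnel-2"),           # path length 1
    Route(SSE_PREFIX, (SSE_AS, SSE_AS), "secondary-tunnel-1"),  # path length 2
]

# --- Constructed scenario 2: two HA branch routers in Active/Standby ---------
CUSTOMER_AS = 65001            # constructed private AS from the allowed range
BRANCH_PREFIX = "192.168.10.0/24"
HA_ROUTES = [
    Route(BRANCH_PREFIX, (CUSTOMER_AS,), "active-router"),
    Route(BRANCH_PREFIX, prepend((CUSTOMER_AS,), CUSTOMER_AS), "standby-router"),
]

if __name__ == "__main__":
    fib = install_fib(SSE_ROUTES)
    print("SSE routes, all tunnels up:", sorted(active_tunnels(fib, SSE_PREFIX)))
    both_down = tunnel_down(tunnel_down(SSE_ROUTES, "primary-tunnel-1"), "primary-tunnel-2")
    print("SSE routes, primaries down:", sorted(active_tunnels(install_fib(both_down), SSE_PREFIX)))
    print("HA, active up:", sorted(active_tunnels(install_fib(HA_ROUTES), BRANCH_PREFIX)))
    standby_only = install_fib(tunnel_down(HA_ROUTES, "active-router"))
    print("HA, active down:", sorted(active_tunnels(standby_only, BRANCH_PREFIX)))
```

Note that with both primary tunnels up the two length-1 routes are used together (the ECMP case from the tunnel group section), and that the Standby router becomes active the moment the Active router's route is withdrawn, without any dashboard change.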

View BGP Routes

Monitoring Client Routes

  • To view BGP routes received from the customer side, go to the Network Group page in the Secure Access dashboard.
  • Click on a network tunnel to open the details pane on the right-hand side of the page. The Client Routes section shows received routes.
  • Routes are shown on the primary tunnels. If multiple primary tunnels advertise the same route, the route is shown on each of them.
  • All other routes for an organization (not coming from the primary tunnel) are shown in the Cloud routes section of the Secure Access dashboard.

Important Restrictions

Default Route Advertising

  • Advertising default routes via BGP from the customer to Secure Access is not supported and can lead to traffic disruptions.
  • You can block default route advertisements in the Advanced Settings of the network tunnel group configuration.

Avoid IP and Identifier Conflicts

  • Network tunnel groups using the same Secure Access region should use different BGP peer IPs and BGP identifier IPs (Router IDs) to prevent conflicts.
  • However, an organization can use the same BGP peer IPs (not Router IDs) for all of its network tunnel groups in the same region.
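The guidelines on this page (peer IPs inside 169.254.0.0/24, a router ID that is neither 169.254.0.1 nor in that range, a customer AS in 64513–65534 and never 64512, at most 10 IPsec tunnels per network tunnel group, no default route advertised, and no router ID reused across tunnel groups in the same region) are easy to get wrong in a dashboard form, so a pre-deployment check is worth having. The linter below is an added example and not code from this page or from Cisco Secure Access; the TunnelGroup and TunnelBgp structures, group names, region name and sample addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constants taken from the guidelines on this page
PEER_RANGE = ipaddress.ip_network("169.254.0.0/24")      # BGP peer IPs live here
FORBIDDEN_ROUTER_ID = ipaddress.ip_address("169.254.0.1")
SSE_AS = 64512                                            # reserved for the SSE side
CUSTOMER_AS_MIN, CUSTOMER_AS_MAX = 64513, 65534
MAX_TUNNELS_PER_GROUP = 10
DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class TunnelBgp:                # one BGP session, one per IPsec tunnel
    name: str
    sse_peer_ip: str            # Secure Access side peer address
    customer_peer_ip: str       # on-premises side peer address


@dataclass
class TunnelGroup:              # constructed model of one network tunnel group
    name: str
    region: str                 # Secure Access region the group connects to
    router_id: str              # customer-side BGP identifier
    customer_as: int
    tunnels: list = field(default_factory=list)
    advertised: list = field(default_factory=list)   # prefixes sent to Secure Access


def check_group(g):
    """Return the list of guideline violations for one network tunnel group."""
    errors = []
    rid = ipaddress.ip_address(g.router_id)
    if rid == FORBIDDEN_ROUTER_ID:
        errors.append(f"{g.name}: router ID 169.254.0.1 is not allowed")
    elif rid in PEER_RANGE:
        errors.append(f"{g.name}: router ID {rid} must not be inside {PEER_RANGE}")
    if g.customer_as == SSE_AS:
        errors.append(f"{g.name}: AS {SSE_AS} is reserved for the SSE side")
    elif not CUSTOMER_AS_MIN <= g.customer_as <= CUSTOMER_AS_MAX:
        errors.append(f"{g.name}: AS {g.customer_as} is outside "
                      f"{CUSTOMER_AS_MIN}-{CUSTOMER_AS_MAX}")
    if len(g.tunnels) > MAX_TUNNELS_PER_GROUP:
        errors.append(f"{g.name}: {len(g.tunnels)} tunnels exceeds the limit "
                      f"of {MAX_TUNNELS_PER_GROUP} per group")
    for t in g.tunnels:
        for side, ip in (("SSE", t.sse_peer_ip), ("customer", t.customer_peer_ip)):
            if ipaddress.ip_address(ip) not in PEER_RANGE:
                errors.append(f"{g.name}/{t.name}: {side} peer IP {ip} "
                              f"is not inside {PEER_RANGE}")
    for p in g.advertised:
        if ipaddress.ip_network(p, strict=False) == DEFAULT_ROUTE:
            errors.append(f"{g.name}: default route {p} must not be "
                          f"advertised to Secure Access")
    return errors


def check_region_conflicts(groups):
    """Tunnel groups in the same Secure Access region must not share a router ID."""
    seen, errors = {}, []
    for g in groups:
        key = (g.region, g.router_id)
        if key in seen:
            errors.append(f"{g.name}: router ID {g.router_id} already used by "
                          f"{seen[key]} in region {g.region}")
        else:
            seen[key] = g.name
    return errors


# Constructed sample groups: one that follows the guidelines, two that do not
GOOD = TunnelGroup("branch-east", "region-a", "192.168.1.1", 65001,
                   tunnels=[TunnelBgp("t1", "169.254.0.5", "169.254.0.6"),
                            TunnelBgp("t2", "169.254.0.9", "169.254.0.10")],
                   advertised=["192.168.10.0/24", "10.10.0.0/16"])
BAD = TunnelGroup("branch-west", "region-a", "169.254.0.1", 64512,
                  tunnels=[TunnelBgp("t1", "169.254.0.5", "10.0.0.6")],
                  advertised=["0.0.0.0/0"])
DUP = TunnelGroup("branch-north", "region-a", "192.168.1.1", 65002,
                  tunnels=[TunnelBgp("t1", "169.254.0.13", "169.254.0.14")])

if __name__ == "__main__":
    for g in (GOOD, BAD, DUP):
        for e in check_group(g):
            print("ERROR", e)
    for e in check_region_conflicts([GOOD, BAD, DUP]):
        print("ERROR", e)
```

The region check only flags reused router IDs, because the page allows an organization to reuse BGP peer IPs across its tunnel groups in one region while still requiring distinct router IDs.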
