Routing Options and Guidelines
This topic describes the routing choices available when you configure Secure Access network tunnel groups.
Secure Access network tunnel groups provide a framework for establishing tunnel redundancy and high availability. When you configure a network tunnel group, you must define how the hosts or networks behind the tunnel are reached, using either static or dynamic routing.
Static Routing
Use this option to manually add IP address ranges for a network tunnel group. You might want to use static routes in the following cases:
- Your network uses a routing protocol that is not supported for network tunnel groups.
- Your network is small and you can easily manage static routes.
- You do not want the traffic or CPU overhead associated with routing protocols.
- In some cases, a default route is not enough. The default gateway might not be able to reach the destination network, so you must also configure more specific static routes. For example, if the default gateway is outside, then the default route cannot direct traffic to any inside networks that are not directly connected to the network device.
- You are using a feature that does not support dynamic routing protocols.
- Do not add a default route (0.0.0.0/0) as a static route. Advertising a default route is not supported and can lead to traffic disruptions.
Dynamic Routing
Use this option for a network tunnel group when your on-premises network device can peer with Secure Access using BGP.
About BGP
BGP (Border Gateway Protocol) is an inter- and intra-autonomous-system routing protocol. An autonomous system is a network or group of networks under a common administration and with common routing policies. BGP is used to exchange routing information for the Internet and is the protocol used between Internet service providers (ISPs).
Customer networks, such as universities and corporations, usually employ an Interior Gateway Protocol (IGP) such as OSPF to exchange routing information within their networks. Customers connect to ISPs, and ISPs use BGP to exchange customer and ISP routes. When BGP is used between autonomous systems (AS), the protocol is referred to as external BGP (eBGP). When a service provider uses BGP to exchange routes within a single AS, the protocol is referred to as internal BGP (iBGP).
Note: The core functionality of BGP is the same across devices, but configuration options and implementation details vary by vendor. BGP therefore looks slightly different on different routers, particularly in command syntax and in the attributes available to influence routing decisions.
BGP Guidelines and Best Practices
Refer to the following guidelines when you choose dynamic routing for network tunnel groups.
- Secure Access BGP servers listen on 169.254.0.0/24, TCP port 179, and require the client's source IP address to reside within that same prefix. Clients can use any address in this range. We suggest 169.254.0.5 for the primary data center and 169.254.0.9 for the secondary data center, with corresponding client source addresses such as 169.254.0.6 and 169.254.0.10.
- Peers should be configured in eBGP mode.
- The Secure Access BGP AS is 64512. This AS is reserved for Secure Access and should not be used in any other configurations.
- A single network tunnel group can support multiple IPsec tunnels, which provides the framework for establishing tunnel redundancy and high availability. For example, you could configure five IPsec tunnels to the primary data center for ECMP and only one IPsec tunnel to the secondary data center. That requires six BGP sessions, one per IPsec tunnel.
- Secure Access supports ECMP across multiple IPsec tunnels belonging to the same network tunnel group in one data center. To enable ECMP on a given prefix with BGP, you need to create multiple IPsec tunnels for the same network tunnel group in the data center in question, and you need to advertise the prefix in all the BGP connections associated with this tunnel group.
- You cannot aggregate multiple IPsec tunnels from different devices in the same network tunnel group. Multiple tunnels in one network tunnel group must originate from the same network device.
- Routes advertised by Secure Access to the network device carry an AS path length of 1 if the tunnel is connected to the primary data center and an AS path length of 2 if the tunnel is connected to the secondary data center. Because BGP best-path selection prefers the shorter AS path (provided no local policy overrides it), the device can install all received routes in its FIB and fail over from primary to secondary purely through routing decisions, with no separate failover policy.
- Advertising default routes via BGP is not supported and can lead to traffic disruptions. You can block the advertisement of the default route when you configure the network tunnel group routing options, under Advanced Settings.
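The guidelines above, brought together in one added configuration example that is not part of the Secure Access documentation: a Cisco IOS-XE router in (assumed) AS 65001 peering over two IPsec tunnels to the primary data center, for ECMP, and one to the secondary. The tunnel interface names, the inside prefix 10.10.0.0/16, the second primary-DC pair 169.254.0.13/.14, and the assumption that the IPsec tunnels themselves are already configured are all mine; 169.254.0.5/.6 and 169.254.0.9/.10 follow the page's suggested addressing, with the Secure Access peer taken as the lower address of each pair.

```cisco
! Added example (not from the Secure Access documentation).
! Assumes Tunnel1-3 already exist as IPsec VTIs and that 10.10.0.0/16
! is present in the routing table (required for the network statement).
! Each IPsec tunnel gets its own pair of addresses inside 169.254.0.0/24:
! the router's BGP source on this side, the Secure Access peer on the other.
interface Tunnel1
 description Secure Access primary DC, tunnel 1 (peer 169.254.0.5)
 ip address 169.254.0.6 255.255.255.252
interface Tunnel2
 description Secure Access primary DC, tunnel 2 (peer 169.254.0.13, assumed)
 ip address 169.254.0.14 255.255.255.252
interface Tunnel3
 description Secure Access secondary DC (peer 169.254.0.9)
 ip address 169.254.0.10 255.255.255.252
!
! Outbound filter: never advertise a default route to Secure Access
! (unsupported, causes traffic disruption); send only the inside prefix.
ip prefix-list TO-SECURE-ACCESS seq 5 deny 0.0.0.0/0
ip prefix-list TO-SECURE-ACCESS seq 10 permit 10.10.0.0/16
!
router bgp 65001
 bgp log-neighbor-changes
 ! One eBGP session per IPsec tunnel, all to the Secure Access AS 64512.
 neighbor 169.254.0.5 remote-as 64512
 neighbor 169.254.0.5 description Secure Access primary DC, tunnel 1
 neighbor 169.254.0.13 remote-as 64512
 neighbor 169.254.0.13 description Secure Access primary DC, tunnel 2
 neighbor 169.254.0.9 remote-as 64512
 neighbor 169.254.0.9 description Secure Access secondary DC
 !
 address-family ipv4
  ! Advertise the same prefix on every session of the tunnel group so that
  ! Secure Access can load-share (ECMP) across both primary-DC tunnels.
  network 10.10.0.0 mask 255.255.0.0
  neighbor 169.254.0.5 activate
  neighbor 169.254.0.5 prefix-list TO-SECURE-ACCESS out
  neighbor 169.254.0.13 activate
  neighbor 169.254.0.13 prefix-list TO-SECURE-ACCESS out
  neighbor 169.254.0.9 activate
  neighbor 169.254.0.9 prefix-list TO-SECURE-ACCESS out
  ! Install both equal-cost paths learned over the primary-DC tunnels.
  ! Routes learned over the secondary-DC tunnel arrive with a longer AS path
  ! (2 instead of 1), so best-path selection keeps them as backup and promotes
  ! them only when the primary paths are withdrawn; no failover policy needed.
  maximum-paths 2
 exit-address-family
```

Vendor syntax differs (see the note above), but the points that carry over to any platform are a distinct BGP session per IPsec tunnel, an outbound filter that drops 0.0.0.0/0 before it reaches Secure Access (in addition to the Advanced Settings option on the Secure Access side), and relying on the shorter AS path from the primary data center rather than a hand-written failover policy. Verify with `show ip bgp summary` that all three sessions are Established and with `show ip route` that both primary-DC paths are installed for the prefixes learned from Secure Access.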