
Filter subnets from using BGP

Hello,

I have set up a public virtual interface for a direct connect with AWS using BGP.

I am wondering if anyone can guide me on the below question.

If you have two subnets, say 192.168.100.0/24 and 192.168.200.0/24, and a public IP is being advertised by a BGP peer, is it possible to have the 100 subnet use the route from BGP and have the 200 subnet ignore it and use the standard WAN route?  

Would this be accomplished as part of the BGP configuration, such as with some sort of filtering or route map, or can this be done using NAT in some way?  Have been playing with this for a while and have not had any success.

Thanks for any insight.

  • You might be able to achieve this using an SD-WAN policy route for the 200 subnet. For the 100 subnet, you can leave it as it is and it will be routed according to the routing table.

    If you could provide a diagram, I would be able to give you further advice.

  • This is an interesting idea, but unfortunately one problem in this particular case might be that the neighbor is advertising all public prefixes for anything hosted in AWS, which is a large portion of the internet itself.  It would be therefore challenging to define the "destination networks" section of the SD-WAN policy, as there are thousands of advertised prefixes and they change dynamically.  Also, I'm not sure that the SSL VPN subnet would be able to use this policy, so anyone connected to our company's full tunnel VPN would also be unlikely to access any AWS-hosted website from their local browser.  Ideally, I would like to filter all subnets from using the BGP route by default and be able to specifically create a policy allowing the 100 subnet to use the BGP route.  But not sure if this is possible.
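An added illustration, not from the thread or from Sophos: a small Python model of the source-based selection the last reply asks for. BGP-learned routes are skipped by default and only the 100 subnet is allowed to use them, so the policy needs no list of destination prefixes at all, however many the Direct Connect peer advertises. The route table, next-hop names and prefixes are constructed for the example.

```python
import ipaddress

# Constructed routing table: (prefix, next hop, protocol that installed it).
# The "bgp" entries stand in for the thousands of dynamic AWS prefixes the
# thread mentions; the static default is the standard WAN route.
RIB = [
    ("0.0.0.0/0",       "wan", "static"),  # standard WAN default route
    ("203.0.113.0/24",  "dx",  "bgp"),     # learned from the Direct Connect peer
    ("198.51.100.0/22", "dx",  "bgp"),     # learned from the Direct Connect peer
]

# Source-based policy: default deny for BGP-learned routes, with the
# 192.168.100.0/24 subnet explicitly allowed, as the poster wanted.
BGP_ALLOWED_SOURCES = [ipaddress.ip_network("192.168.100.0/24")]


def source_may_use_bgp(src):
    """True if the source address falls in a subnet permitted to use BGP routes."""
    src_ip = ipaddress.ip_address(src)
    return any(src_ip in net for net in BGP_ALLOWED_SOURCES)


def select_route(src, dst):
    """Longest-prefix match over RIB, ignoring BGP entries for sources that
    are not permitted to use them. Returns (prefix, next_hop, protocol)."""
    dst_ip = ipaddress.ip_address(dst)
    allow_bgp = source_may_use_bgp(src)
    best = None
    for prefix, next_hop, proto in RIB:
        net = ipaddress.ip_network(prefix)
        if dst_ip not in net:
            continue
        if proto == "bgp" and not allow_bgp:
            continue  # the 200 subnet (and any other) never sees these routes
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, next_hop, proto)
    return (str(best[0]), best[1], best[2]) if best else None


if __name__ == "__main__":
    for src, dst in [("192.168.100.10", "203.0.113.5"),
                     ("192.168.200.10", "203.0.113.5")]:
        print(src, "->", dst, ":", select_route(src, dst))
```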
