Understand BGP Underlay Routing and Provider Edge (PE) Resiliency
In Contrail Service Orchestration (CSO), when you add an enterprise hub site or an SD-WAN on-premise spoke site and enable local breakout on a WAN link, you can enable BGP routing on the underlay network. In addition, you can enable provider edge (PE) resiliency on the underlay network, by specifying primary and secondary PE nodes for a WAN link.
When PE resiliency is enabled for a WAN link, CSO uses the BGP path attribute (local-preference) to give preference to the routes learned from the primary PE node over the routes learned from the secondary PE node. For the PEs to decide the path preference, the as-path-prepend parameter is configured and advertised to the secondary PE to decrement the preference for the secondary BGP route. If the CPE detects that the primary PE node is down, the secondary PE node is used as the route next hop. When the primary node comes back up, the route next hops are changed back to the primary node.
To enable BGP underlay routing, you must enable local breakout on the WAN link. However, for traffic to break out locally on the WAN link, you must configure a breakout profile, reference the breakout profile in an SD-WAN policy intent, and deploy the SD-WAN policy.
When you enable BGP underlay routing, CSO installs the routes advertised by the PE nodes on the customer premises equipment (CPE) device. However, CSO does not generate the static default route. Route advertisements to the primary PE node and, if configured, the secondary PE node occur as follows:
CSO advertises the WAN interface subnet.
If pool-based translation is configured, CSO advertises the NAT address pool.
Figure 1 shows an example of BGP PE resiliency. The CPE device has two WAN links (WAN0 and WAN1); each WAN link is connected to two PE nodes. CSO establishes a BGP peering relationship between the CPE device and the PE nodes connected to the WAN links. CSO allocates BGP attributes in such a way that one PE node acts as the primary node and the other PE node acts as the secondary node.
BGP Underlay Routing and Route Advertisements
CSO also allows you to advertise public LAN prefixes to the BGP underlay.
If a tenant has a public IP address pool configured (in the Tenant-Owned Public IP Pool field during tenant addition) and you enable the advertisement of public LAN prefixes, then for LAN segments that are created with a subnet that falls under the tenant public IP address pool, CSO advertises the LAN subnet to the BGP underlay.
When you enable BGP underlay routing, you can specify the autonomous system (AS) number for the external (EBGP) peer. If the peer AS number is not specified, or if the AS number that is specified is same as the AS number for the site, then the BGP type is assumed to be internal BGP (IBGP). If the specified peer AS number is different from AS number of the site, then the BGP type is assumed to be EBGP.
CSO also provides an option to authenticate BGP routes by using
MD5 authentication. When you enable authentication, which is disabled
by default, you must specify an authentication key, which is used
to verify the authenticity of BGP packets. You must ensure that the
BGP peers are also configured with the same MD5 authentication key.
Benefits of BGP Underlay Routing and PE Resiliency
Public LAN routes can now be advertised to legacy sites, which provides connectivity from SD-WAN sites to legacy sites.
Previously, there was no capability to exchange underlay prefixes, which meant that users had to configure static routes. With BGP underlay routing, routes are learned dynamically.