Forum Discussion
NSX-T and F5 HA using BGP
- May 25, 2022
Hello,
This configuration is entirely supported and used at many service provider accounts, including my own.
For the BGP peers you will want to peer with the self-IP, not with the floating self-IP. This will indeed allow for two active peers and they will receive routes from both BIP-IP's. The way you control traffic is indeed with the floating self-IP, you just need to set the outbound (or inbound on the routers) next-hop as the floating self-IP using a quick route-map. Here is a quick example config:
router bgp xxxx
bgp log-neighbor-changes
bgp graceful-restart restart-time 120
neighbor x.x.x.x remote-as xxxxx
neighbor x.x.x.x description xxxxx
neighbor x.x.x.x route-map blue-to-bgp outroute-map blue-to-bgp permit 100
set metric 100
set ip next-hop x.x.x.x primary <--Floating Self-IP
I haven't done any production design/implementation of BGP on BIG-IP, so I'd defer to someone who has, but my understanding is that your neighbor relationships should be active to both active and standby devices, and only the active device should be publishing routes.
Hi JRahm,
I appreciate your time to give a reply. The problem, or better said the behaivor, I have noticed is that the Active/Standby F5 units both advertise the BGP routes while connected to the Active/Active Edge routers of NSX-T. I don't know if this is a behavior of F5 by default when in HA pair.
In contrast, and I know these systems aren't 1 to 1, when configuring another system such as a Cisco firewall in HA, the passive firewall will suppress the advertisements until a failover occurs, and the downstream and upstream routers will not see a route being installed, in fact the BGP neighborship will remain idle until after the failover.
Is there any reason why the F5 in HA does not behave similarly?
Regards
- JRahmMay 25, 2022Admin
I'm out on PTO the rest of the week, but if you want to email me your BGP configuration (sanitized is fine as long as the integrity of the config doesn't change) I'll mock it up in the lab and take a look early next week, and reach out to some peers who work actively with BGP on the BIG-IP
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com