Cisco SD-WAN 800v BGP peering with VWAN hub

Imroz Khan 0

Hi,

I have 2 regions of Azure connected to each other via Azure VWAN hub. Also we have Azure express route from each Azure region landing into the on-prem DC.

We intend to manually deploy 2 x Cisco SD-WAN 8000v routers in each region and setup BGP peering with respective vhubs.

I wanted to know as part of BGP advertisement the 8000v routers will send BGP extended community Site-of-orignal (SOO) to the vhub. Will the vHub accept the extended community as part of BGP advertisement and send it to the on-prem routers within the BGP updates over the Express route links. We intend to use these community to enable routing loop prevention mechanism in the on-prem DC.

KapilAnanth-MSFT 39,366 Reputation points Microsoft Employee

2023-10-04T07:06:52.47+00:00

@Imroz Khan

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

vWAN deployments can preserve BGP communities generated by on-premises

For extended communities from a NVA, I shall check internally and update this thread.

Cheers,

Kapil
Imroz Khan 0 Reputation points

2023-10-04T23:50:20.69+00:00

Thanks, I will wait for your response
KapilAnanth-MSFT 39,366 Reputation points Microsoft Employee

2023-10-09T06:08:38.53+00:00

@Imroz Khan

I have looped our Product Team on this and they are currently looking into this.

Should there be an update , I shall make sure I shall add them here.

Cheers,

Kapil
Imroz Khan 0 Reputation points

2023-10-11T05:39:37.38+00:00

It will be helpful if you could please provide an update on this.
KapilAnanth-MSFT 39,366 Reputation points Microsoft Employee

2023-10-11T14:37:59.03+00:00
@Imroz Khan

Our Product Team is working on it and I am afraid it may take some time to get the details.

Should there be a deadline or production requirement,

I would request you to file a support ticket if you have a Support plan

Else please do let us know, we will try and help you get a one-time free technical support.

You can refer this thread so I can track the case internally as well.

Hope this helps.

Cheers,

Kapil
Imroz Khan 0 Reputation points

2023-10-14T10:27:48.84+00:00
Hi Kapil,

I have requested the customer to file a support ticket with your team.

I also needed some information regarding the 2 NVA's being setup in the Transit VNET and have BGP peering configured with the vHuB. I have looked at the following document and came across following point in "Benefits & Considerations" section.

https://video2.skills-academy.com/en-us/azure/virtual-wan/scenario-bgp-peering-hub

You can peer multiple instances of your NVA with a virtual hub router. You can configure BGP attributes in your NVA and, depending on your design (active-active or active-passive), let the virtual hub router know which NVA instance is active or passive.

Inline to this, can you advise if I configure my NVA's as Active-Active, how will the vhub understand that, and in case if it receives traffic from NVA-1, how to make sure the vhub will only forward the traffic to the required destination vnet and not send it back to NVA-2, which could be a routing issue.
KapilAnanth-MSFT 39,366 Reputation points Microsoft Employee

2023-10-17T18:14:26.68+00:00

@Imroz Khan

Thanks for your question.

I shall check this internally and get back to you shortly

Cheers,

Kapil
KapilAnanth-MSFT 39,366 Reputation points Microsoft Employee

2023-10-26T08:32:11.7466667+00:00

@Imroz Khan

Greetings.

Reaching out to check if there are further questions on this.

Please let us know if we can be of any further assistance here.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
KapilAnanth-MSFT 39,366 Reputation points Microsoft Employee

2023-10-31T05:08:40.7466667+00:00

@Imroz Khan

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Thanks,

Kapil

1 answer

KapilAnanth-MSFT 39,366 Reputation points Microsoft Employee

2023-10-25T06:06:58.9533333+00:00
@Imroz Khan

Greetings.

Wrt, "can you advise if I configure my NVA's as Active-Active, how will the vhub understand that, and in case if it receives traffic from NVA-1, how to make sure the vhub will only forward the traffic to the required destination vnet and not send it back to NVA-2, which could be a routing issue."

Azure platform doesn’t guarantee symmetry - a single flow can have inbound come on instance0 and outbound return on instance1.

For scenarios where the two NVA instances are advertising the same route with the same priority,

Make sure stateful inspection on the NVA or related firewalls is turned off or

Asymmetric forwarding is turned on.

If stateful firewall is required consider active-passive set ups or having one nva instance advertise a route of higher priority for active-active purposes.

i.e., you still get high availability but one NVA instance is preferred over the other unless this instance becomes unavailable.

Hope this helps.

Cheers,

Kapil

Please Accept an answer if correct.

Original posters help the community find answers faster by identifying the correct answer.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Share via

Cisco SD-WAN 800v BGP peering with VWAN hub

1 answer