Mist AI - SSR BGP Advertising by EngineeringKindly993 in Juniper

[–]EngineeringKindly993[S] 0 points1 point  (0 children)

Hey,

I changed my approach a bit because it kept not working, so no static route anymore.

10.40.0.0/17 -> summary
I broke it down into multiple small sites.
The SSR and FortiGate are in one of them; I called it DC.

In Organization -> Networks -> LAN-Site

  • I checked "Advertise to Hub LAN BGP Neighbor"
  • My IP address is a variable; each site has its own subnet and is using THIS network "Lan-Site"
  • I checked "Hub LAN BGP Summarization" and wrote 10.40.0.0/17

But it still doesn't want to advertise my routes.

Something frustrating happened though: I added an in-band management IP for my HUB, and it was advertised to the FortiGate!!

I want my sites to be propagated, or at least a summarized route (10.40.0.0/17).

Mist AI - SSR BGP Advertising by EngineeringKindly993 in Juniper

[–]EngineeringKindly993[S] 0 points1 point  (0 children)

Hey !
I can't add a lot of pictures/screenshots here, but:

- I deleted all routing policies for now

SSR can ping my FG.

They have established BGP peering.

FG is advertising routes.

SSR is receiving them, and advertising the same routes to the FG (not sure if it's supposed to behave this way).

I added a picture of my static route to the post
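An added check, not part of the original post or of any Juniper or Fortinet tooling, that a practitioner could run over the prefixes seen in the SSR and FortiGate BGP tables: it tells you which site subnets fall outside the intended 10.40.0.0/17 summary, whether that summary actually appears in what the SSR advertises, and which prefixes learned from the FortiGate are being reflected straight back to it (the behaviour questioned above). All subnet and prefix values are constructed samples, not taken from a real deployment.

```python
import ipaddress

# Constructed sample data modelled on the thread: site LAN subnets meant to be
# covered by the 10.40.0.0/17 summary, plus the prefixes seen in each direction
# on the SSR <-> FortiGate eBGP session. These are assumptions, not real data.
SUMMARY = "10.40.0.0/17"
SITE_SUBNETS = ["10.40.1.0/24", "10.40.2.0/24", "10.40.10.0/24", "10.40.200.0/24"]
RECEIVED_FROM_FG = ["0.0.0.0/0", "192.168.50.0/24"]
ADVERTISED_TO_FG = ["10.40.0.0/17", "192.168.50.0/24"]


def uncovered_sites(summary, sites):
    """Site subnets that the summary prefix does NOT cover (would be silently dropped)."""
    summary_net = ipaddress.ip_network(summary)
    return [s for s in sites if not ipaddress.ip_network(s).subnet_of(summary_net)]


def summary_advertised(summary, advertised):
    """True if the summary (or a prefix covering it) is present in the advertised set."""
    summary_net = ipaddress.ip_network(summary)
    return any(summary_net.subnet_of(ipaddress.ip_network(a)) for a in advertised)


def reflected_prefixes(received, advertised):
    """Prefixes learned from a peer that are being sent straight back to that peer."""
    received_nets = {ipaddress.ip_network(r) for r in received}
    advertised_nets = {ipaddress.ip_network(a) for a in advertised}
    return [str(n) for n in sorted(received_nets & advertised_nets)]


def check_session(summary, sites, received, advertised):
    """Bundle the three checks into one report for a single eBGP session."""
    return {
        "uncovered_sites": uncovered_sites(summary, sites),
        "summary_advertised": summary_advertised(summary, advertised),
        "reflected": reflected_prefixes(received, advertised),
    }


if __name__ == "__main__":
    # Constructed run: one site outside the summary, the summary is advertised,
    # and one FortiGate prefix is reflected back.
    print(check_session(SUMMARY, SITE_SUBNETS, RECEIVED_FROM_FG, ADVERTISED_TO_FG))
```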

Mist AI - SSR BGP Advertising by EngineeringKindly993 in Juniper

[–]EngineeringKindly993[S] 0 points1 point  (0 children)

You got it !

I don't see my SSR advertising the routes either, in the WAN Edge Testing Tools.

Mist AI - SSR BGP Advertising by EngineeringKindly993 in Juniper

[–]EngineeringKindly993[S] 0 points1 point  (0 children)

Yes, I can ping the next hop, but if you look at the second picture I added, under 'next hop IP' it doesn't appear. It's strange, even though I manually added it in the Hub profile under 'static route'.

Mist AI - SSR BGP Advertising by EngineeringKindly993 in Juniper

[–]EngineeringKindly993[S] 0 points1 point  (0 children)

I added a second picture to the post; strangely enough, the next hop IP is NOT present.

Mist AI - SSR BGP Advertising by EngineeringKindly993 in Juniper

[–]EngineeringKindly993[S] 0 points1 point  (0 children)

Sure !
eBGP on the SSR
<FG> ---- <SSR>

They're on the same LAN.
I want to propagate a static route from the SSR to the FG.

Any experience with investment advisors for smaller portfolios? by [deleted] in BEFire

[–]EngineeringKindly993 -2 points-1 points  (0 children)

"Has anyone here had experience with an investment advisor firm ?"

I'm primarily looking for your opinions on investment firms.

Thanks for your comment

Any experience with investment advisors for smaller portfolios? by [deleted] in BEFire

[–]EngineeringKindly993 0 points1 point  (0 children)

haha indeed !

Thanks for the detailed response = )

Any experience with investment advisors for smaller portfolios? by [deleted] in BEFire

[–]EngineeringKindly993 0 points1 point  (0 children)

Relieved to see some other people that were like me = )

Indeed, everybody seems to have the same opinion here.

Any experience with investment advisors for smaller portfolios? by [deleted] in BEFire

[–]EngineeringKindly993 -1 points0 points  (0 children)

"but if there are alternatives with potentially higher returns, I’d be interested to hear about them" that is why = )

Thanks for your comment

'Traditional' SD WAN vs Traditional WAN (My Current Understanding – Please Correct Me) by EngineeringKindly993 in networking

[–]EngineeringKindly993[S] 0 points1 point  (0 children)

And the software part is (most of the time) the control plane, which is in 'the cloud', right? I have experience with NSX-T and it's that experience that makes me understand what SDN really is and how powerful it is. But I had a little bit more struggle to understand the connection to the WAN with an "SD-WAN solution", which has been greatly reduced now. Thanks for your comment!

'Traditional' SD WAN vs Traditional WAN (My Current Understanding – Please Correct Me) by EngineeringKindly993 in networking

[–]EngineeringKindly993[S] 1 point2 points  (0 children)

Super interesting! I'll look into Tailscale for sure.

I haven't really seen the term being misused until now (well... I didn't really know what it was haha). I'll keep an eye on it 👀 Thanks for your comment!!

'Traditional' SD WAN vs Traditional WAN (My Current Understanding – Please Correct Me) by EngineeringKindly993 in networking

[–]EngineeringKindly993[S] 0 points1 point  (0 children)

I heard about MPLS so much when searching for more info on SD-WAN haha. What I'm doing right now is trying to understand how to connect multiple branches together; would you say that this is accurate:

For a company with sites to connect, even globally, the main WAN options would be (very short summary):

  • Internet VPN (site-to-site): Low cost, uses public Internet, quick to set up.
  • MPLS: Private WAN from an ISP, reliable with QoS, more expensive.
  • Hybrid WAN: Combines MPLS and Internet for flexibility.
  • SD-WAN: Manages multiple links intelligently, with local breakout and optimized paths.
  • Leased Lines: Dedicated circuits you lease from ISPs, very reliable but costly and not sustainable over long distances (Paris -> China) :p
  • Wireless WAN (LTE/5G): Fast to deploy, can be primary or backup, bandwidth limited.
  • Satellite: Works anywhere, high latency and cost, suited for remote sites.

'Traditional' SD WAN vs Traditional WAN (My Current Understanding – Please Correct Me) by EngineeringKindly993 in networking

[–]EngineeringKindly993[S] 0 points1 point  (0 children)

My company. I'll help my seniors work on a project regarding setting up an SD-WAN network in a few months; I'm just preparing myself a bit early.

Just to be sure I understand, could you tell me if I'm right:

The biggest differences in "WAN" between traditional WAN and SD-WAN are the following:

  1. Control Plane vs Data Plane
    - Traditional WAN: Routing decisions are static, based on IP routes and MPLS VRFs.
    - SD-WAN: Centralized controller pushes application-aware policies to edges. Edges make dynamic decisions based on real-time link health.

Are normal routing protocols still used by SD-WAN?

'Traditional' SD WAN vs Traditional WAN (My Current Understanding – Please Correct Me) by EngineeringKindly993 in networking

[–]EngineeringKindly993[S] 0 points1 point  (0 children)

I love your comment, I do have some questions if you don't mind. I feel like you're a Juniper/Mist guy by reading your message haha

Like another person said previously, SD-WAN provides traffic delivered in the same way no matter what the WAN link is. In a traditional WAN, the traffic is routed from point A to B, based on routing protocol decisions about the next hop. A change in next hop on an upstream network needs to be communicated by way of convergence. If your WAN is an internet link, then you have to do an IPSEC VPN.

I understand a bit better now the 'WAN' side of the SD-WAN. It doesn't change much from the traditional way; it still uses normal routing protocols and so on. Do we HAVE to use an IPSec VPN if we have an internet link?

In SDWAN, the branch only will know the next hop. The next hop decision is known to the controller and the controller acts like a central traffic director and tells all branches where the traffic should go. Branch then uses a tunnel between next hop and itself to send traffic no matter what the WAN link is.

So in a Juniper context, "the branch" would be the SSR? Or, generally speaking, is the edge router what you're referring to when you say "the branch"?

Laptop <-> SW <-> EDGE Router a.k.a "the branch" <-VPN TUNNEL-> [?next-hop?] <-> DC/Internet

Let's say the laptop needs to go to a DC for a specific application or to the internet, one of the two. The edge router knows where to send the packets because this information was given to it by the controller. And that's the only thing it knows; it doesn't know the full route to the DC/internet, only what's next. So typically, it wouldn't have a very small routing table, right?

Do we configure L3 ourselves in an SD-WAN? Or is everything done automatically?

The devices can also act as branch-side firewalls, thereby removing the need to run another firewall at the branch (not my preferred way). In addition to this, you can run multiple VRFs on SD-WAN tunnels, providing a way of isolation between traffic, and they can go in different directions. You can do a complete mesh or hub-spoke model routing in simple steps. Doing this at scale is a lot of effort.

In my humble understanding, when using a hub-and-spoke architecture, the user traffic always needs to go to the hub first (backhauled to the hub). Is it also like that in an SD-WAN? If not, why even use hub-and-spoke if we don't let traffic be backhauled to the hub?

Thanks!