I am in the process of building an IPsec transit network connecting my various AWS cloud-based data centers to various private (on-premises) data centers. This is a completely private network.
The design is hub-and-spoke, and routing is handled by BGP. All data center locations connect to the various hub routers, and the hub routers advertise routes between data centers. Some BGP route manipulation is performed on the hub routers to prefer specific paths, etc. The reason for the hub-and-spoke design is to simplify the configuration when an additional data center is added to the existing network (it just needs to connect to the hub).
I have some BGP experience, but I am not an expert. The AS numbers provided by AWS for IPsec connectivity (between my hub network and the AWS regions) are obviously controlled by them, thus making the connection eBGP (because the AS number will be different from the private AS number I use on my routers). My question is specifically about the suggested numbering of private AS numbers on my own routers. Although I know that within an organization usually the same private AS number is used, I was wondering if it would be an acceptable design to use different private AS numbers for different routers. I use multiple ISPs within my network to run IPsec across multiple paths to the hub routers. When looking at the BGP routes, I find it easier to associate an AS number with a specific router than with the BGP peer IP, so for me it is easier to understand the preferred path. Is there an issue with this design? I would appreciate your input.
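The numbering question above comes down to what the AS_PATH looks like at each site under the two choices. What follows is an added example, not part of the original post or anyone's answer to it: a small Python model of BGP route propagation over the hub-and-spoke topology described (two hubs, two on-premises data centers and one AWS region, every site connected to both hubs). Router names, prefixes and ASNs are made up for the example, and the Amazon-side ASN 64512 is an assumed value. The model covers only the pieces the question turns on: eBGP versus iBGP session type, AS_PATH accumulation, eBGP loop prevention, AS_PATH prepending on a hub as the "route manipulation", and the iBGP re-advertisement rule (route reflection).

```python
"""Toy BGP propagation model for a hub-and-spoke IPsec transit network.

Added example, not code from the original post. ASNs, prefixes and router
names are constructed. Private ASN ranges (RFC 6996): 64512-65534 and
4200000000-4294967294.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple      # ASNs, nearest router first, like a real AS_PATH
    learned_from: str   # peer name, or "local" for a prefix this router originates


class Router:
    def __init__(self, name, asn, route_reflector=False):
        self.name, self.asn, self.route_reflector = name, asn, route_reflector
        self.peers = {}        # peer name -> Router
        self.prepend = {}      # peer name -> extra copies of own ASN on egress (eBGP sessions only)
        self.adj_rib_in = {}   # (prefix, peer name) -> Route as received
        self.loc_rib = {}      # prefix -> selected best Route

    def peer_with(self, other):
        self.peers[other.name] = other
        other.peers[self.name] = self

    def originate(self, prefix):
        self.adj_rib_in[(prefix, "local")] = Route(prefix, (), "local")

    def is_ebgp(self, peer):
        return peer.asn != self.asn

    def receive(self, sender, route):
        key = (route.prefix, sender.name)
        # eBGP loop prevention: a route already carrying our own ASN is dropped,
        # and it replaces (withdraws) whatever that peer sent for the prefix before.
        if self.asn in route.as_path:
            self.adj_rib_in.pop(key, None)
            return
        self.adj_rib_in[key] = replace(route, learned_from=sender.name)

    def select_best(self):
        cands = {}
        for route in self.adj_rib_in.values():
            cands.setdefault(route.prefix, []).append(route)
        # Abbreviated decision process: shortest AS_PATH, then peer name as a
        # deterministic stand-in for the remaining tie-breakers.
        best = {p: min(rs, key=lambda r: (len(r.as_path), r.learned_from)) for p, rs in cands.items()}
        changed = best != self.loc_rib
        self.loc_rib = best
        return changed

    def advertise(self):
        for peer in self.peers.values():
            for route in self.loc_rib.values():
                if route.learned_from == peer.name:
                    continue  # never echo a route back to the peer it came from
                if self.is_ebgp(peer):
                    copies = 1 + self.prepend.get(peer.name, 0)
                    peer.receive(self, replace(route, as_path=(self.asn,) * copies + route.as_path))
                    continue
                # iBGP: a route learned from another iBGP peer is only passed on by a route reflector.
                from_ibgp = route.learned_from != "local" and not self.is_ebgp(self.peers[route.learned_from])
                if from_ibgp and not self.route_reflector:
                    continue
                peer.receive(self, route)  # iBGP does not prepend the local ASN


def converge(routers, max_rounds=50):
    """Run select/advertise rounds until no router's best paths change."""
    for rounds in range(1, max_rounds + 1):
        changed = False
        for r in routers:
            changed = r.select_best() or changed
        if not changed:
            return rounds
        for r in routers:
            r.advertise()
    raise RuntimeError("did not converge")


def build(per_router_asn, hubs_reflect):
    """Two hubs, two on-prem DCs, one AWS region; every site is dual-homed to both hubs."""
    hub_asn = (65001, 65002) if per_router_asn else (65000, 65000)
    dc_asn = (65010, 65011) if per_router_asn else (65000, 65000)
    aws = Router("aws-use1", 64512)  # Amazon-side ASN: assumed value for the example
    hub1 = Router("hub1", hub_asn[0], hubs_reflect)
    hub2 = Router("hub2", hub_asn[1], hubs_reflect)
    dc_a, dc_b = Router("dc-a", dc_asn[0]), Router("dc-b", dc_asn[1])
    for site in (aws, dc_a, dc_b):
        site.peer_with(hub1)
        site.peer_with(hub2)
    hub1.peer_with(hub2)
    aws.originate("10.1.0.0/16")
    dc_a.originate("192.168.10.0/24")
    dc_b.originate("192.168.20.0/24")
    # Hub-side path manipulation: hub2 prepends itself twice toward every site so hub1 is preferred.
    hub2.prepend = {"aws-use1": 2, "dc-a": 2, "dc-b": 2}
    routers = [aws, hub1, hub2, dc_a, dc_b]
    converge(routers)
    return {r.name: {p: (rt.learned_from, rt.as_path) for p, rt in r.loc_rib.items()} for r in routers}


if __name__ == "__main__":
    scenarios = [("distinct private ASN per router", True, False),
                 ("one private ASN, hubs as route reflectors", False, True),
                 ("one private ASN, no route reflection", False, False)]
    for label, distinct, reflect in scenarios:
        print(f"== {label}")
        for prefix, (via, path) in sorted(build(distinct, reflect)["dc-a"].items()):
            print(f"  dc-a  {prefix:18} via {via:9} AS_PATH {path}")
```

With a distinct private ASN per router every session is eBGP, and the AWS prefix at dc-a reads (65001, 64512) via hub1 against (65002, 65002, 65002, 64512) via the prepending hub2, so the preferred hub is readable from the path. With one private ASN everywhere the hub-to-site sessions are iBGP: the path at dc-a is just (64512,) from either hub, and the hubs must be route reflectors (or the sites fully meshed) for one data center to learn another's prefix at all, which the third scenario shows by dropping 192.168.20.0/24 from dc-a's table. The caveat the model makes explicit is loop prevention: any router drops a route whose AS_PATH already contains its own ASN, so each per-router ASN must be unique within the transit network and different from the ASN AWS uses on its side of the tunnel.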