Re: OpenBGP announce customer routes

2019-04-11 Thread Tom Smyth
Morning Michal,

sorry for the very late reply ... it is probably not useful to you
but I'm writing this to help anyone searching the mailing list archives for an answer

As Stuart mentioned you can use filters in bgpd.conf to do this
check out /etc/examples/bgpd.conf

also check man bgpd.conf and it has lots of functionality that will
help you do that through filtering

also just note there was a change in behavior from 6.4 where
it won't announce by default and you have to specifically accept what
routes you wish to announce to an ebgp neighbour

also in 6.4 and onwards Claudio@ and others have improved the
filtering syntax to make things easier (grouping multiple prefixes so that
they can be referenced in a single filter, which is handy)

Cheers



On Mon, 26 Nov 2018 at 12:11, Michail Iordanidis  wrote:
>
> Dear all,
>
> is there a way to advertise IP prefixes generated from a customer AS &
> prefixes to an EBGP neighbor in Openbgpd?
>
> Can I somehow create an outgoing prefix list or something like a
> route-map for outgoing filtering?
>
> Please help
>
>


-- 
Kindest regards,
Tom Smyth
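
The filtering approach discussed in this thread, as an added example that is not part of any message here and is not OpenBGPD project code: a shell function that turns a customer's prearranged prefix list into a bgpd.conf prefix-set with the matching inbound and outbound rules. The customer name, peer addresses, sample prefixes and the /8 to /24 length policy are assumptions of the example.

```shell
#!/bin/sh
# Added example: build a bgpd.conf filter fragment for one customer from a
# prearranged prefix list. Names, addresses and prefixes are constructed
# (RFC 5737 documentation ranges); the /8../24 policy is an assumption.

# valid_prefix PREFIX: accept only IPv4 a.b.c.d/len with octets 0-255 and a
# length of 8..24, so a default route or a stray /32 never reaches the filter.
valid_prefix() {
	echo "$1" | awk -F'[./]' '
		NF != 5 { exit 1 }
		{
			for (i = 1; i <= 5; i++)
				if ($i !~ /^[0-9]+$/) exit 1
			for (i = 1; i <= 4; i++)
				if ($i > 255) exit 1
			if ($5 < 8 || $5 > 24) exit 1
		}'
}

# gen_customer_filter NAME CUSTOMER_IP UPSTREAM_IP < prefix-list
# Prints the prefix-set and the rules that use it. Returns 1 and prints
# nothing on stdout if any line of the list is not an acceptable prefix.
gen_customer_filter() {
	name=$1 customer=$2 upstream=$3
	set_body=""
	while read -r pfx; do
		case $pfx in ''|'#'*) continue ;; esac
		if ! valid_prefix "$pfx"; then
			echo "rejected prefix: $pfx" >&2
			return 1
		fi
		set_body="$set_body	$pfx
"
	done
	[ -n "$set_body" ] || return 1
	printf 'prefix-set %s {\n%s}\n' "$name" "$set_body"
	# inbound: drop everything from the customer, then allow only the list
	# (the last matching rule decides)
	printf 'deny from %s\n' "$customer"
	printf 'allow from %s prefix-set %s\n' "$customer" "$name"
	# outbound: from 6.4 on nothing is announced to an eBGP neighbour
	# unless a rule allows it
	printf 'allow to %s prefix-set %s\n' "$upstream" "$name"
}

# Constructed input: the second list carries a default route and is refused.
GOOD_LIST='# acme prefixes
192.0.2.0/24
203.0.113.0/24'
BAD_LIST='192.0.2.0/24
0.0.0.0/0'

printf '%s\n' "$GOOD_LIST" | gen_customer_filter acme 198.51.100.2 198.51.100.129
printf '%s\n' "$BAD_LIST" | gen_customer_filter acme 198.51.100.2 198.51.100.129 ||
	echo "no filter written for the bad list" >&2
```

Check the generated fragment with `bgpd -n -f <file>` before loading it.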




Re: OpenBGP announce customer routes

2018-11-26 Thread Stuart Henderson
On 2018-11-26, Michail Iordanidis  wrote:
> Dear all,
>
> is there a way to advertise IP prefixes generated from a customer AS & 
> prefixes to an EBGP neighbor in Openbgpd?
>
> Can I somehow create an outgoing prefix list or something like a 
> route-map for outgoing filtering?
>
> Please help
>
>
>

Normally you talk BGP with the customer and use filter rules to allow
them to send announcements for their prefixes (and no others), either
from a prearranged list, or from their IRR database entries (maybe
using bgpq3 or similar to generate it).

Does that match what you're trying to do? Or are they asking you to
announce for them?



OpenBGP announce customer routes

2018-11-26 Thread Michail Iordanidis

Dear all,

is there a way to advertise IP prefixes generated from a customer AS & 
prefixes to an EBGP neighbor in Openbgpd?


Can I somehow create an outgoing prefix list or something like a 
route-map for outgoing filtering?


Please help




Re: OpenBGP Issues. :-(

2013-03-04 Thread Alex Mathiasen
Alex Mathiasen(a...@mira.dk) on 2013.02.28 14:51:25 +0100:
 Dear recipients,
 
 I have been using OpenBGP for a while with OpenBSD - And I am very 
 satisfied with the performance and amazed by the ease of configuration.
 
 My BGPD is configured against a Danish ISP called TDC - And we were 
 previously configured to receive a full routing table.
 
 However a few months ago I ran into an issue where my BGPD stopped 
 working properly.

Was this in November by any chance?
[ Alex Mathiasen ] Yes, it was at 29.11.2012. Happened in the middle of 
the night.. :-(

 It appeared the BGPD kept receiving the routing tables, and then start 
 all over.
 
 Looking into the log files, it appeared BGPD received a certain route 
 in the routing table, and then grumbled about the prefix, apparently 
 for some reason the result was BGPD kept reloading when it reached 
 this route. The result was of course my network was down.
 
 As TDC (My ISP) couldn't resolve which route that caused this issue 
 (They told
 me: That's what happened when you use third party software, so no 
 help there...), we agreed that my connection would be set to Default 
 candidate, instead of receiving a full routing table.
 
 So now I have configured a static route to forward all my traffic to 
 this route. However this is not the result I wanted, as I am about to 
 have one more connection, so I have 2 connections outbound.
 
 But the automatic failover switch / load balancing won't work, as long 
 as I have my static route.
 
 This is why I want to go back to receiving a full routing table.
 
 Is there any way of configuring BGPD to ignore a specific route in 
 case of corrupted prefix, so this won't happened again?

No there is not such a feature, and the bgp protocol mandates session teardown 
in certain cases anyway.

Your report lacks a few details, please send with dmesg next time. And your 
bgpd.conf is not valid.
[ Alex Mathiasen ] I do apologize for the lack of information, I was 
unable to find my logfile from that date, and was unable to provide with more 
information. 

My guess is that your problem is fixed by the patch available on 
http://www.openbsd.org/errata52.html
[ Alex Mathiasen ] It would appear this is the patch I need to resolve 
this issue. So I will try to apply this patch, thank you! 

You could also update to -current.

/Benno



OpenBGP Issues. :-(

2013-02-28 Thread Alex Mathiasen
Dear recipients,

I have been using OpenBGP for a while with OpenBSD - And I am very satisfied
with the performance and amazed by the ease of configuration.

My BGPD is configured against a Danish ISP called TDC - And we were previously
configured to receive a full routing table.

However a few months ago I ran into an issue where my BGPD stopped working
properly.

It appeared the BGPD kept receiving the routing tables, and then start all
over.

Looking into the log files, it appeared BGPD received a certain route in the
routing table, and then grumbled about the prefix, apparently for some reason
the result was BGPD kept reloading when it reached this route. The result was
of course my network was down.

As TDC (My ISP) couldn't resolve which route that caused this issue (They told
me: That's what happened when you use third party software, so no help
there...), we agreed that my connection would be set to Default candidate,
instead of receiving a full routing table.

So now I have configured a static route to forward all my traffic to this
route. However this is not the result I wanted, as I am about to have one more
connection, so I have 2 connections outbound.

But the automatic failover switch / load balancing won't work, as long as I
have my static route.

This is why I want to go back to receiving a full routing table.

Is there any way of configuring BGPD to ignore a specific route in case of
corrupted prefix, so this won't happen again?

I hope that some of you have an answer for this...

Here you can see my bgpd.conf:

AS 
router-id 000.000.000.000
network 000.000.000.00/00

neighbor 000.000.000.000 {
        remote-as   
        descr   TDC
        local-address   000.000.000.000
        passive
        holdtime 180
        holdtime min 3
        tcp md5sig password 00
}

log updates



Re: OpenBGP Issues. :-(

2013-02-28 Thread Chris Cappuccio
Alex Mathiasen [a...@mira.dk] wrote:
 
 It appeared the BGPD kept receiving the routing tables, and then start all
 over.
 

You don't mention which version of openbsd you are using. 

There are some problems like this in older versions of bgpd which are
now fixed. You may want to try a new snapshot.



Re: OpenBGP Issues. :-(

2013-02-28 Thread Sebastian Benoit
Alex Mathiasen(a...@mira.dk) on 2013.02.28 14:51:25 +0100:
 Dear recipients,
 
 I have been using OpenBGP for a while with OpenBSD - And I am very satisfied
 with the performance and amazed by the ease of configuration.
 
 My BGPD is configured against a Danish ISP called TDC - And we were previously
 configured to receive a full routing table.
 
 However a few months ago I ran into an issue where my BGPD stopped working
 properly.

Was this in November by any chance?

 It appeared the BGPD kept receiving the routing tables, and then start all
 over.
 
 Looking into the log files, it appeared BGPD received a certain route in the
 routing table, and then grumbled about the prefix, apparently for some reason
 the result was BGPD kept reloading when it reached this route. The result was
 of course my network was down.
 
 As TDC (My ISP) couldn't resolve which route that caused this issue (They told
 me: That's what happened when you use third party software, so no help
 there...), we agreed that my connection would be set to Default candidate,
 instead of receiving a full routing table.
 
 So now I have configured a static route to forward all my traffic to this
 route. However this is not the result I wanted, as I am about to have one more
 connection, so I have 2 connections outbound.
 
 But the automatic failover switch / load balancing won't work, as long as I
 have my static route.
 
 This is why I want to go back to receiving a full routing table.
 
 Is there any way of configuring BGPD to ignore a specific route in case of
 corrupted prefix, so this won't happened again?

No there is not such a feature, and the bgp protocol mandates session
teardown in certain cases anyway.

Your report lacks a few details, please send with dmesg next time. And your
bgpd.conf is not valid.

My guess is that your problem is fixed by the patch available on 
http://www.openbsd.org/errata52.html

You could also update to -current.

/Benno



Re: OpenBGP Issues. :-(

2013-02-28 Thread Stuart Henderson
On 2013-02-28, Alex Mathiasen a...@mira.dk wrote:
 Looking into the log files, it appeared BGPD received a certain route in the
 routing table, and then grumbled about the prefix

grumbled about is not very exact, actual log entries would be a lot
more helpful. It would be even better if you could capture the actual
update messages causing the problem (tcpdump -i em0 -w bgp.pcap -s 1500
port 179 and host $foo)

 As TDC (My ISP) couldn't resolve which route that caused this issue (They told
 me: That's what happened when you use third party software, so no help
 there...),

Every BGP implementation has problems from time to time, IMHO anyone
running this really needs to keep track of development of their chosen
implementation/s (at least keep an eye on changelogs / cvs commits
/ mailing lists etc) and general network problems (nanog, local network
operator groups, etc), and when they do have problems provide good
information to the (vendor | developers | 3rd party support org).

Also see everything that Benno wrote. :)



Re: OpenBGP Issues. :-(

2013-02-28 Thread Laurent Caron (Mobile)
Alex Mathiasen a...@mira.dk wrote:

Dear recipients,

I have been using OpenBGP for a while with OpenBSD - And I am very
satisfied
with the performance and amazed by the ease of configuration.

My BGPD is configured against a Danish ISP called TDC - And we were
previously
configured to receive a full routing table.

However a few months ago I ran into an issue where my BGPD stopped
working
properly.

It appeared the BGPD kept receiving the routing tables, and then start
all
over.

Looking into the log files, it appeared BGPD received a certain route
in the
routing table, and then grumbled about the prefix, apparently for some
reason
the result was BGPD kept reloading when it reached this route. The
result was
of course my network was down.

As TDC (My ISP) couldn't resolve which route that caused this issue
(They told
me: That's what happened when you use third party software, so no
help
there...), we agreed that my connection would be set to Default
candidate,
instead of receiving a full routing table.

So now I have configured a static route to forward all my traffic to
this
route. However this is not the result I wanted, as I am about to have
one more
connection, so I have 2 connections outbound.

But the automatic failover switch / load balancing won't work, as long
as I
have my static route.

This is why I want to go back to receiving a full routing table.

Is there any way of configuring BGPD to ignore a specific route in case
of
corrupted prefix, so this won't happened again?

I hope that some of you have an answer for this...

Here you can see my bgpd.conf:

AS 
router-id 000.000.000.000
network 000.000.000.00/00

neighbor 000.000.000.000 {
remote-as   
descr   TDC
local-address   000.000.000.000
passive
holdtime180
holdtime min3
tcp md5sig password 00
}

log updates

Hi,
Please have a look in archives for a similar thread i did initiate.



Re: OpenBGP - iBGP peers not announcing after 3 hops

2013-02-05 Thread Stuart Henderson
On 2013-02-04, Eduardo Meyer dudu.me...@gmail.com wrote:
 On 02/04/2013 03:59 PM, Eduardo Meyer wrote:
  Hello,
 
  I am facing a strange behavior,
 
  I have the following scenario
 
  eBGP1-iBGP1-iBGP2-iBGP3-eBGP2

 iBGP must be fully meshed, a session between iBGP1 and iBGP3 is
 missing.

 Really? It's difficult for me in this environment, do I have another option?

This doesn't mean that they need to be directly connected; iBGP sessions
can be run over multiple hops by default. It just means you need neighbour
configs for 12, 13, 23.

You could use a route reflector as others suggested but it's a bit
much for this setup imo; it will be a critical part of the network so
you'll probably want a redundant pair. These come into their own when the
number of routers goes up.



Re: OpenBGP - iBGP peers not announcing after 3 hops

2013-02-05 Thread Claudio Jeker
On Tue, Feb 05, 2013 at 10:34:02AM +, Stuart Henderson wrote:
 On 2013-02-04, Eduardo Meyer dudu.me...@gmail.com wrote:
  On 02/04/2013 03:59 PM, Eduardo Meyer wrote:
   Hello,
  
   I am facing a strange behavior,
  
   I have the following scenario
  
   eBGP1-iBGP1-iBGP2-iBGP3-eBGP2
 
  iBGP must be fully meshed, a session between iBGP1 and iBGP3 is
  missing.
 
  Really? It's difficult for me in this environment, do I have another option?
 
 This doesn't mean that they need to be directly connected; iBGP sessions
 can be run over multiple hops by default. It just means you need neighbour
 configs for 12, 13, 23.
 
 You could use a route reflector as others suggested but it's a bit
 much for this setup imo; it will be a critical part of the network so
 you'll probably want a redundant pair. These come into their own when the
 number of routers goes up.

It should be possible to make all routers route-reflectors and not do a full
mesh but route-reflector setups are not inherently stable. In some
setups they can result in an unstable network. Especially when adding
redundancies to setups (by additional RRs or additional iBGP links) it is
possible to end up with a not converging network which is fun fun fun...

In general if you have less than a handful of bgp routers use a full mesh.
The pain of fiddling with RR is not worth the few sessions you save.
-- 
:wq Claudio



OpenBGP - iBGP peers not announcing after 3 hops

2013-02-04 Thread Eduardo Meyer
Hello,

I am facing a strange behavior,

I have the following scenario

eBGP1-iBGP1-iBGP2-iBGP3-eBGP2

The very first eBGP (eBGP1) is my customer, the later (eBGP2) is my carrier
(WAN).

eBGP1 announces its network successfully to iBGP1, which announces
everything successfully to iBGP2, but iBGP2 never announces it to iBGP3.

I have announce all and absolutely no filter.

If I set up eBGP using reserved ASN in substitution to iBGP2 and iBGP3, the
announcement just happens fine.

All received/announced networks up to iBGP2 are considered valid using
bgpctl sh rib det nei iBGP1.

Any suggestions on what might be going wrong?




-- 
===
Eduardo Meyer
pessoal: dudu.me...@gmail.com
profissional: ddm.farmac...@saude.gov.br



Re: OpenBGP - iBGP peers not announcing after 3 hops

2013-02-04 Thread Florian Obser
On 02/04/2013 03:59 PM, Eduardo Meyer wrote:
 Hello,
 
 I am facing a strange behavior,
 
 I have the following scenario
 
 eBGP1-iBGP1-iBGP2-iBGP3-eBGP2

iBGP must be fully meshed, a session between iBGP1 and iBGP3 is
missing.



Re: OpenBGP - iBGP peers not announcing after 3 hops

2013-02-04 Thread Eduardo Meyer
Really? It's difficult for me in this environment, do I have another option?


On Mon, Feb 4, 2013 at 1:30 PM, Florian Obser flor...@narrans.de wrote:



 On 02/04/2013 03:59 PM, Eduardo Meyer wrote:
  Hello,
 
  I am facing a strange behavior,
 
  I have the following scenario
 
  eBGP1-iBGP1-iBGP2-iBGP3-eBGP2

 iBGP must be fully meshed, a session between iBGP1 and iBGP3 is
 missing.




-- 
===
Eduardo Meyer
pessoal: dudu.me...@gmail.com
profissional: ddm.farmac...@saude.gov.br



Re: OpenBGP - iBGP peers not announcing after 3 hops

2013-02-04 Thread Peter Hessler
make iBGP2 a route server.

On 2013 Feb 04 (Mon) at 13:32:43 -0200 (-0200), Eduardo Meyer wrote:
:Really? It's difficult for me in this environment, do I have another option?
:
:
:On Mon, Feb 4, 2013 at 1:30 PM, Florian Obser flor...@narrans.de wrote:
:
:
:
: On 02/04/2013 03:59 PM, Eduardo Meyer wrote:
:  Hello,
: 
:  I am facing a strange behavior,
: 
:  I have the following scenario
: 
:  eBGP1-iBGP1-iBGP2-iBGP3-eBGP2
:
: iBGP must be fully meshed, a session between iBGP1 and iBGP3 is
: missing.
:
:
:
:
:-- 
:===
:Eduardo Meyer
:pessoal: dudu.me...@gmail.com
:profissional: ddm.farmac...@saude.gov.br
:

-- 
I don't care who does the electing as long as I get to do the nominating
-- Boss Tweed



Re: OpenBGP - iBGP peers not announcing after 3 hops

2013-02-04 Thread Eduardo Meyer
On Mon, Feb 4, 2013 at 1:36 PM, Peter Hessler phess...@theapt.org wrote:

 make iBGP2 a route server.


Sounds promising, what are the key configurations in bgpd.conf to do so? So
I can look further.

Are we talking 'bout reflector/collector?



 On 2013 Feb 04 (Mon) at 13:32:43 -0200 (-0200), Eduardo Meyer wrote:
 :Really? It's difficult for me in this environment, do I have another
 option?
 :
 :
 :On Mon, Feb 4, 2013 at 1:30 PM, Florian Obser flor...@narrans.de wrote:
 :
 :
 :
 : On 02/04/2013 03:59 PM, Eduardo Meyer wrote:
 :  Hello,
 : 
 :  I am facing a strange behavior,
 : 
 :  I have the following scenario
 : 
 :  eBGP1-iBGP1-iBGP2-iBGP3-eBGP2
 :
 : iBGP must be fully meshed, a session between iBGP1 and iBGP3 is
 : missing.
 :
 :
 :
 :
 :--
 :===
 :Eduardo Meyer
 :pessoal: dudu.me...@gmail.com
 :profissional: ddm.farmac...@saude.gov.br
 :

 --
 I don't care who does the electing as long as I get to do the nominating
 -- Boss Tweed




-- 
===
Eduardo Meyer
pessoal: dudu.me...@gmail.com
profissional: ddm.farmac...@saude.gov.br



Re: OpenBGP - iBGP peers not announcing after 3 hops

2013-02-04 Thread Michael Lambert
On 4 Feb 2013, at 10:36, Peter Hessler wrote:

 make iBGP2 a route server.

I think this would be a route reflector since you're dealing with iBGP.

Michael



Re: OpenBGP - iBGP peers not announcing after 3 hops

2013-02-04 Thread Andre Keller
On 04.02.2013 16:32, Eduardo Meyer wrote:
 Really? It's difficult for me in this environment, do I have another option?

add a route collector that peers with all ibgp neighbors...



Re: OpenBGP - iBGP peers not announcing after 3 hops

2013-02-04 Thread Sebastian Benoit
Eduardo Meyer(dudu.me...@gmail.com) on 2013.02.04 13:51:25 -0200:
 On Mon, Feb 4, 2013 at 1:36 PM, Peter Hessler phess...@theapt.org wrote:
 
  make iBGP2 a route server.
 
 
 Sounds promising, what are the key configurations in bgpd.conf to do so? So
 I can look further.
 
 Are we talking 'bout reflector/collector?

A reflector, you need to use route-reflector id on your sessions on
iBGP2.

You might want to pick up a book on BGP.

Stuart recently recommended BGP by Iljitsch van Beijnum (O'Reilly), and
BGP Design and Implementation from Cisco will also help you along.



Re: OpenBGP lost session

2012-09-21 Thread Bernd

On 2012-09-18 16:34, Stuart Henderson wrote:
> On 2012-09-18, Bernd be...@kroenchenstadt.de wrote:
> > Hi list,
> >
> > I've got two OpenBSD (5.1-STABLE, amd64) machines running OpenBGPd.
> >
> > Both of them are connected to two upstream providers each, furthermore
> > there are (older) Ciscos, also connected to the same (!) upstream
> > routers.
> >
> > Recently, both OpenBSD machines lost their BGP session to one of the
> > upstream providers. On both machines the same upstream router was
> > affected.
> >
> > Logs show this:
> >
> > Sep 17 17:25:35 hostname bgpd[1638]: neighbor 12.23.34.45 (Upstream1): sending notification: HoldTimer expired, unknown subcode 0
> > Sep 17 17:25:35 hostname bgpd[1638]: neighbor 12.23.34.45 (Upstream1): state change Established -> Idle, reason: HoldTimer expired
> > Sep 17 17:25:43 hostname ospfd[5366]: desync; scheduling fib reload
> > Sep 17 17:25:43 hostname ospfd[5366]: reloading interface list and routing table
> > Sep 17 17:25:48 hostname bgpd[15513]: nexthop 12.23.34.45 now valid: directly connected
> > Sep 17 17:26:05 hostname bgpd[1638]: neighbor 12.23.34.45 (Upstream1): state change Idle -> Connect, reason: Start
> > Sep 17 17:26:05 hostname bgpd[1638]: neighbor 12.23.34.45 (Upstream1): state change Connect -> OpenSent, reason: Connection opened
> > Sep 17 17:26:05 hostname bgpd[1638]: neighbor 12.23.34.45 (Upstream1): state change OpenSent -> OpenConfirm, reason: OPEN message received
> > Sep 17 17:26:05 hostname bgpd[1638]: neighbor 12.23.34.45 (Upstream1): state change OpenConfirm -> Established, reason: KEEPALIVE message received
> > Sep 17 17:26:20 hostname bgpd[15513]: nexthop 12.23.34.45 now valid: directly connected
> >
> > The Ciscos didn't see anything like this, their sessions didn't drop.
> >
> > Any clue what was going on?
> >
> > Thanks,
> >
> > Bernd
>
> Can't tell from this. Are you running the same hold times on your openbgp
> boxes as your ciscos?

Hi, yes, it's 90 sec on the Ciscos as well as for BGPd (default is 90 sec).

Best,

Bernd



OpenBGP lost session

2012-09-18 Thread Bernd

Hi list,

I've got two OpenBSD (5.1-STABLE, amd64) machines running OpenBGPd.

Both of them are connected to two upstream providers each, furthermore 
there are (older) Ciscos, also connected to the same (!) upstream 
routers.


Recently, both OpenBSD machines lost their BGP session to one of the 
upstream providers. On both machines the same upstream router was 
affected.


Logs show this:

Sep 17 17:25:35 hostname bgpd[1638]: neighbor 12.23.34.45 (Upstream1): sending notification: HoldTimer expired, unknown subcode 0
Sep 17 17:25:35 hostname bgpd[1638]: neighbor 12.23.34.45 (Upstream1): state change Established -> Idle, reason: HoldTimer expired
Sep 17 17:25:43 hostname ospfd[5366]: desync; scheduling fib reload
Sep 17 17:25:43 hostname ospfd[5366]: reloading interface list and routing table
Sep 17 17:25:48 hostname bgpd[15513]: nexthop 12.23.34.45 now valid: directly connected
Sep 17 17:26:05 hostname bgpd[1638]: neighbor 12.23.34.45 (Upstream1): state change Idle -> Connect, reason: Start
Sep 17 17:26:05 hostname bgpd[1638]: neighbor 12.23.34.45 (Upstream1): state change Connect -> OpenSent, reason: Connection opened
Sep 17 17:26:05 hostname bgpd[1638]: neighbor 12.23.34.45 (Upstream1): state change OpenSent -> OpenConfirm, reason: OPEN message received
Sep 17 17:26:05 hostname bgpd[1638]: neighbor 12.23.34.45 (Upstream1): state change OpenConfirm -> Established, reason: KEEPALIVE message received
Sep 17 17:26:20 hostname bgpd[15513]: nexthop 12.23.34.45 now valid: directly connected


The Ciscos didn't see anything like this, their sessions didn't drop.

Any clue what was going on?

Thanks,

Bernd



Re: OpenBGP lost session

2012-09-18 Thread Stuart Henderson
On 2012-09-18, Bernd be...@kroenchenstadt.de wrote:
> Hi list,
>
> I've got two OpenBSD (5.1-STABLE, amd64) machines running OpenBGPd.
>
> Both of them are connected to two upstream providers each, furthermore
> there are (older) Ciscos, also connected to the same (!) upstream
> routers.
>
> Recently, both OpenBSD machines lost their BGP session to one of the
> upstream providers. On both machines the same upstream router was
> affected.
>
> Logs show this:
>
> Sep 17 17:25:35 hostname bgpd[1638]: neighbor 12.23.34.45 (Upstream1): sending notification: HoldTimer expired, unknown subcode 0
> Sep 17 17:25:35 hostname bgpd[1638]: neighbor 12.23.34.45 (Upstream1): state change Established -> Idle, reason: HoldTimer expired
> Sep 17 17:25:43 hostname ospfd[5366]: desync; scheduling fib reload
> Sep 17 17:25:43 hostname ospfd[5366]: reloading interface list and routing table
> Sep 17 17:25:48 hostname bgpd[15513]: nexthop 12.23.34.45 now valid: directly connected
> Sep 17 17:26:05 hostname bgpd[1638]: neighbor 12.23.34.45 (Upstream1): state change Idle -> Connect, reason: Start
> Sep 17 17:26:05 hostname bgpd[1638]: neighbor 12.23.34.45 (Upstream1): state change Connect -> OpenSent, reason: Connection opened
> Sep 17 17:26:05 hostname bgpd[1638]: neighbor 12.23.34.45 (Upstream1): state change OpenSent -> OpenConfirm, reason: OPEN message received
> Sep 17 17:26:05 hostname bgpd[1638]: neighbor 12.23.34.45 (Upstream1): state change OpenConfirm -> Established, reason: KEEPALIVE message received
> Sep 17 17:26:20 hostname bgpd[15513]: nexthop 12.23.34.45 now valid: directly connected
>
> The Ciscos didn't see anything like this, their sessions didn't drop.
>
> Any clue what was going on?
>
> Thanks,
>
> Bernd



Can't tell from this. Are you running the same hold times on your openbgp
boxes as your ciscos?
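
An added example, not written by anyone in this thread: a shell function that reads bgpd syslog lines like the ones posted above and reports, per neighbor, each drop out of Established with its logged reason and the time until the session was Established again. The sample log, host name and addresses are constructed; only the line layout follows the log excerpt in the thread.

```shell
#!/bin/sh
# Added example: summarise BGP session drops from bgpd syslog lines.

# Constructed sample in the same layout as the log excerpt in the thread
# (documentation addresses, made-up host name and PIDs).
SAMPLE_LOG='Sep 17 17:25:35 rtr1 bgpd[1638]: neighbor 192.0.2.1 (Upstream1): sending notification: HoldTimer expired
Sep 17 17:25:35 rtr1 bgpd[1638]: neighbor 192.0.2.1 (Upstream1): state change Established -> Idle, reason: HoldTimer expired
Sep 17 17:25:43 rtr1 ospfd[5366]: desync; scheduling fib reload
Sep 17 17:26:05 rtr1 bgpd[1638]: neighbor 192.0.2.1 (Upstream1): state change Idle -> Connect, reason: Start
Sep 17 17:26:05 rtr1 bgpd[1638]: neighbor 192.0.2.1 (Upstream1): state change Connect -> OpenSent, reason: Connection opened
Sep 17 17:26:05 rtr1 bgpd[1638]: neighbor 192.0.2.1 (Upstream1): state change OpenSent -> OpenConfirm, reason: OPEN message received
Sep 17 17:26:05 rtr1 bgpd[1638]: neighbor 192.0.2.1 (Upstream1): state change OpenConfirm -> Established, reason: KEEPALIVE message received
Sep 17 18:02:10 rtr1 bgpd[1638]: neighbor 192.0.2.9 (Upstream2): state change Established -> Idle, reason: Connection closed'

# flap_report < syslog
# One line per drop: "<peer> reason="<why>" down=<n>s", or "still-down" when
# the log ends before the session returns to Established.
flap_report() {
	awk '
	# seconds since midnight from HH:MM:SS
	function secs(t,    p) { split(t, p, ":"); return p[1] * 3600 + p[2] * 60 + p[3] }

	$5 ~ /^bgpd\[/ && $6 == "neighbor" && /state change / {
		peer = $7
		chg = $0
		sub(/^.*state change /, "", chg)   # "<from> -> <to>, reason: <why>"
		split(chg, part, ", reason: ")
		# accept "->" and also the bare "-" seen in archived copies of logs
		split(part[1], st, " ->? ")
		if (st[1] == "Established") {
			down[peer] = secs($3)
			why[peer] = part[2]
		} else if (st[2] == "Established" && (peer in down)) {
			gap = secs($3) - down[peer]
			if (gap < 0) gap += 86400      # outage crossed midnight
			printf "%s reason=\"%s\" down=%ds\n", peer, why[peer], gap
			delete down[peer]
		}
	}
	END {
		for (peer in down)
			printf "%s reason=\"%s\" still-down\n", peer, why[peer]
	}'
}

printf '%s\n' "$SAMPLE_LOG" | flap_report
```

Running the same report on every router that shares an upstream shows whether drops line up in time across boxes, which is the comparison the original post makes by hand.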



OpenBGP bgpctl(8) asdot / 4byte-asn

2011-05-27 Thread Eduardo Meyer
Is there a way bgpctl will produce run-time information not using
asdot format? I am trying to convert my OpenBGP conf to RPSL but the
latter is old enough that it won't accept as-dot format, therefore I need
it in 4-byte ASN notation.

Thanks.

-- 
===
Eduardo Meyer
pessoal: dudu.me...@gmail.com
profissional: ddm.farmac...@saude.gov.br



Re: OpenBGP bgpctl(8) asdot / 4byte-asn

2011-05-27 Thread Stuart Henderson
On 2011-05-27, Eduardo Meyer dudu.me...@gmail.com wrote:
 Is there a way bgpctl will produce run-time information not using
 asdot format?

Not at present, OpenBGP only accepts as-plain for input, it always
outputs as-dot.

I think we should probably change this, rfc5396 came out a couple
of years ago and pretty much everyone is using as-plain now. (Even
though 3.10 looks far nicer than 196618 ;)



Re: OpenBGP bgpctl(8) asdot / 4byte-asn

2011-05-27 Thread Eduardo Meyer
On Fri, May 27, 2011 at 3:28 PM, Stuart Henderson s...@spacehopper.org wrote:
 On 2011-05-27, Eduardo Meyer dudu.me...@gmail.com wrote:
 Is there a way bgpctl will produce run-time information not using
 asdot format?

 Not at present, OpenBGP only accepts as-plain for input, it always
 outputs as-dot.

 I think we should probably change this, rfc5396 came out a couple
 of years ago and pretty much everyone is using as-plain now. (Even
 though 3.10 looks far nicer than 196618 ;)

Yeah, I agree, but the world seems to prefer plain 4byte (maybe they can read).

BTW I have read in many Cisco[1] documents that asdot is made up of

(PART1 * 65535) + PART2

However OpenBGP does the math as ((PART1 * 65535) + PART2)  + PART1.

How can Cisco be wrong again? lol

[1]http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6554/ps6599/white_paper_c11_516829.html

Thanks, I'll do some shell scripting to convert.





-- 
===
Eduardo Meyer
pessoal: dudu.me...@gmail.com
profissional: ddm.farmac...@saude.gov.br



Re: OpenBGP bgpctl(8) asdot / 4byte-asn

2011-05-27 Thread Stuart Henderson
On 2011-05-27, Eduardo Meyer dudu.me...@gmail.com wrote:
 On Fri, May 27, 2011 at 3:28 PM, Stuart Henderson s...@spacehopper.org 
 wrote:
 On 2011-05-27, Eduardo Meyer dudu.me...@gmail.com wrote:
 Is there a way bgpctl will produce run-time information not using
 asdot format?

 Not at present, OpenBGP only accepts as-plain for input, it always
 outputs as-dot.

Re-reading this sentence I see it's badly written; I meant it as
the only place OpenBGP accepts as-plain is for input but I'll
rephrase to make it totally clear:

Currently OpenBGP accepts either format for input, but it always
outputs as-dot.

 I think we should probably change this, rfc5396 came out a couple
 of years ago and pretty much everyone is using as-plain now. (Even
 though 3.10 looks far nicer than 196618 ;)

 Yeah, I agree, but the world seems to prefer plain 4byte (maybe they can 
 read).

I think it's largely because a lot of people are using regular
expressions over AS paths to set routing policy and the .'s are
going to mess things up there.

 BTW I have read in many Cisco[1] documents that asdot is made up of
 [1]http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6554/ps6599/white_paper_c11_516829.html

 (PART1 * 65535) + PART2

[1 * 65535] + 10 = 65546

err...wow.

 However OpenBGP does the math as ((PART1 * 65535) + PART2)  + PART1.

Or, put another way, part1*65536 + part2 (though it's actually written
as the more efficient `$$ = uval | (uvalh << 16)' in the parser).



Re: OpenBGP bgpctl(8) asdot / 4byte-asn

2011-05-27 Thread Claudio Jeker
On Fri, May 27, 2011 at 08:54:25PM +, Stuart Henderson wrote:
 On 2011-05-27, Eduardo Meyer dudu.me...@gmail.com wrote:
  On Fri, May 27, 2011 at 3:28 PM, Stuart Henderson s...@spacehopper.org 
  wrote:
  On 2011-05-27, Eduardo Meyer dudu.me...@gmail.com wrote:
  Is there a way bgpctl will produce run-time information not using
  asdot format?
 
  Not at present, OpenBGP only accepts as-plain for input, it always
  outputs as-dot.
 
 Re-reading this sentence I see it's badly written; I meant it as
 the only place OpenBGP accepts as-plain is for input but I'll
 rephrase to make it totally clear:
 
 Currently OpenBGP accepts either format for input, but it always
 outputs as-dot.
 
  I think we should probably change this, rfc5396 came out a couple
  of years ago and pretty much everyone is using as-plain now. (Even
  though 3.10 looks far nicer than 196618 ;)

I still prefer 3.10. At least it tells me quickly from which RIR the AS is
from. And it looks nicer.

 
  Yeah, I agree, but the world seems to prefer plain 4byte (maybe they can 
  read).
 
 I think it's largely because a lot of people are using regular
 expressions over AS paths to set routing policy and the .'s are
 going to mess things up there.

Yes, network admins seem to be unable to write correct regular
expressions.
No T-Shirt from them. Or maybe we should make one: move out of the way, I
don't know regular expressions
 
  BTW I have read in many Cisco[1] documents that asdot is made up of
  [1]http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6554/ps6599/white_paper_c11_516829.html
 
  (PART1 * 65535) + PART2
 
 [1 * 65535] + 10 = 65546
 
 err...wow.
 
  However OpenBGP does the math as ((PART1 * 65535) + PART2)  + PART1.
 
 Or, put another way, part1*65536 + part2 (though it's actually written
 as the more efficient `$$ = uval | (uvalh << 16)' in the parser).

Yep. All the multiplication is way too complex. 

-- 
:wq Claudio
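
The as-dot to as-plain conversion discussed in this thread, as an added example that is not taken from any message here or from OpenBGPD: shell functions that convert in both directions using the 65536 multiplier (high 16 bits shifted left by 16, plus the low 16 bits) and reject malformed input. The function names are hypothetical and the AS paths are constructed.

```shell
#!/bin/sh
# Added example: convert AS numbers between as-dot and as-plain (RFC 5396).
# asplain = HIGH * 65536 + LOW. Multiplying by 65535 instead comes out
# short by HIGH, which is the difference noticed in the thread.

# is_uint STR: digits only, no leading zero (so $(( )) never reads the
# value as octal), at most 10 digits (so arithmetic cannot overflow).
is_uint() {
	case $1 in
	''|*[!0-9]*) return 1 ;;
	0) return 0 ;;
	0*) return 1 ;;
	esac
	[ "${#1}" -le 10 ]
}

# asdot_to_asplain ASN: "3.10" -> 196618; an as-plain value passes through.
asdot_to_asplain() {
	case $1 in
	*.*)
		hi=${1%%.*} lo=${1#*.}
		is_uint "$hi" && is_uint "$lo" || return 1
		[ "$hi" -le 65535 ] && [ "$lo" -le 65535 ] || return 1
		echo $((hi * 65536 + lo))
		;;
	*)
		is_uint "$1" && [ "$1" -le 4294967295 ] || return 1
		echo "$1"
		;;
	esac
}

# asplain_to_asdot ASN: 196618 -> "3.10"; 2-byte ASNs stay as they are.
asplain_to_asdot() {
	is_uint "$1" && [ "$1" -le 4294967295 ] || return 1
	if [ "$1" -le 65535 ]; then
		echo "$1"
	else
		echo "$(($1 / 65536)).$(($1 % 65536))"
	fi
}

# aspath_to_asplain "ASN ASN ...": convert every element of an AS path.
# Fails as a whole if any element is malformed, so a bad token is never
# silently copied into generated RPSL.
aspath_to_asplain() {
	out=""
	for tok in $1; do
		n=$(asdot_to_asplain "$tok") || return 1
		out="$out${out:+ }$n"
	done
	echo "$out"
}

# Constructed inputs.
asdot_to_asplain 3.10
asplain_to_asdot 196618
aspath_to_asplain "64500 3.10 1.10"
echo "with 65535 as multiplier 3.10 would come out as $((3 * 65535 + 10))"
```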



OpenBGP

2011-02-28 Thread fredrik danerklint
Hi!

I need some help with a configuration of OpenBGP. 

I have four routers that are connected with p-2-p links between each other:

R1 - R2 - R3 - R4

I've only seen networks announced to the nearest router that it is connected 
to.

For example: R1 see R2 but R1 cannot see R3 etc..

There is no other router daemon running on the servers (ie no ospfd).

I think this must be some basic error that I have made.

The configuration files are very basic ie: no filter rules at all and there is 
an allow from any.

All the routers have a unique router id. All routers announce a unique network 
that the others don't have.

-- 
//fredan



Re: OpenBGP

2011-02-28 Thread dug
Hi,

 R1 - R2 - R3 - R4

 I've only seen networks announced to the nearest router that it is connected
 to.

 For example: R1 see R2 but R1 cannot see R3 etc..



Do you mean R2 is neighbor to R1 but not R3 or you mean R3 doesn't distribute
to R1 ?



Re: OpenBGP

2011-02-28 Thread Claudio Jeker
On Mon, Feb 28, 2011 at 03:08:05PM +0100, fredrik danerklint wrote:
 Hi!
 
 I need some help with an configuration of OpenBGP. 
 
 I have four routers that is connected with p-2-p links between each other:
 
 R1 - R2 - R3 - R4
 
 I've only seen networks announced to the nearest router that it is connected 
 to.
 
 For example: R1 see R2 but R1 cannot see R3 etc..
 
 There is no other router deamon running on the servers (ie no ospfd).
 
 I think this must be some basic error that I have made.
 
 The configuration files is very basic ie: no filter rules at all and there is 
 an allow from any.
 
 All the routers have an uniq router id. All routers announce an uniq network 
 that the others don't have.
 

If you use the same AS on all 4 routers then you need to full mesh the
four routers (iBGP sessions). Another option would be to use the
route-reflector support. This is how BGP works.

-- 
:wq Claudio



Re: OpenBGP

2011-02-28 Thread Henning Brauer
* fredrik danerklint fredan-open...@fredan.se [2011-02-28 15:11]:
 Hi!
 
 I need some help with an configuration of OpenBGP. 
 
 I have four routers that is connected with p-2-p links between each other:
 
 R1 - R2 - R3 - R4
 
 I've only seen networks announced to the nearest router that it is connected 
 to.
 
 For example: R1 see R2 but R1 cannot see R3 etc..

that's how BGP works. inside your own AS, the assumptions are
1) every bgp speaker talks to every bgp speaker, or there's a route reflector
2) routing inside the AS is handled by an IGP (e. g. ospf)

 There is no other router deamon running on the servers (ie no ospfd).

well, you'll need one.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
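
The iBGP rule both replies refer to, as an added example that is not part of the original thread: a small model (not bgpd code) in which a route learned from one iBGP peer is not passed on to another iBGP peer unless the router is a route reflector. Router names follow the post; the `net-Rn` prefixes and the function name are constructed for the illustration.

```python
from itertools import combinations

ROUTERS = ["R1", "R2", "R3", "R4"]
ALL_NETS = ["net-R1", "net-R2", "net-R3", "net-R4"]

# Sessions only between directly connected neighbours, as in the post.
CHAIN = [("R1", "R2"), ("R2", "R3"), ("R3", "R4")]
# Every speaker talks to every speaker. The sessions between routers that are
# not directly connected need an IGP (or static routes) to reach each other.
FULL_MESH = list(combinations(ROUTERS, 2))
# Route reflectors on the chain: R2 reflects for R1 and R3, R3 reflects for R4.
REFLECTORS = {"R2": {"R1", "R3"}, "R3": {"R4"}}


def ibgp_view(routers, sessions, reflectors=None):
    """Return {router: sorted prefixes it knows} once advertisements settle.

    All routers share one AS and each originates one prefix, net-<name>.
    """
    reflectors = reflectors or {}
    peers = {r: set() for r in routers}
    for a, b in sessions:
        peers[a].add(b)
        peers[b].add(a)
    # rib[r][prefix] = neighbour the route was learned from (None = originated)
    rib = {r: {"net-" + r: None} for r in routers}
    changed = True
    while changed:
        changed = False
        for sender in routers:
            clients = reflectors.get(sender, set())
            for prefix, learned_from in list(rib[sender].items()):
                for receiver in peers[sender]:
                    if receiver == learned_from or prefix in rib[receiver]:
                        continue
                    # A reflector passes client routes to everyone and
                    # non-client routes to its clients only.
                    reflect = learned_from in clients or receiver in clients
                    # Plain iBGP: only locally originated routes go out.
                    if learned_from is None or reflect:
                        rib[receiver][prefix] = sender
                        changed = True
    return {r: sorted(rib[r]) for r in routers}


if __name__ == "__main__":
    for label, sessions, rr in (("chain", CHAIN, None),
                                ("full mesh", FULL_MESH, None),
                                ("chain + reflectors", CHAIN, REFLECTORS)):
        print(label)
        for router, nets in ibgp_view(ROUTERS, sessions, rr).items():
            print("  ", router, nets)
```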



Re: OpenBGP

2011-02-28 Thread fredrik danerklint
On Monday, 28 February 2011 at 15.15.21, Claudio Jeker wrote:
 On Mon, Feb 28, 2011 at 03:08:05PM +0100, fredrik danerklint wrote:
  Hi!
  
  I need some help with an configuration of OpenBGP.
  
  I have four routers that is connected with p-2-p links between each
  other:
  
  R1 - R2 - R3 - R4
  
  I've only seen networks announced to the nearest router that it is
  connected to.
  
  For example: R1 see R2 but R1 cannot see R3 etc..
  
  There is no other router deamon running on the servers (ie no ospfd).
  
  I think this must be some basic error that I have made.
  
  The configuration files is very basic ie: no filter rules at all and
  there is an allow from any.
  
  All the routers have an uniq router id. All routers announce an uniq
  network that the others don't have.
 
 If you use the same AS on all 4 routers then you need to full mesh the
 four routers (iBGP sessions). Another option would be to use the
 route-reflector support. This is how BGP works.

Fair enough.

I have now tested using three different AS numbers on the routers so they all 
act like eBGP in between them (I have in this test skipped router R4).

Only router R2 sees everything. R1 sees what R2 announces but not R3, and the 
same is true for router R3: it can't see what R1 announces.

Still, it must be something obvious that I have missed with this 
configuration for OpenBGP shall work in a configuration like this?

-- 
//fredan



Re: OpenBGP

2011-02-28 Thread fredrik danerklint
On Monday, 28 February 2011 at 16.22.10, Henning Brauer wrote:
 * fredrik danerklint fredan-open...@fredan.se [2011-02-28 15:11]:
  Hi!
  
  I need some help with an configuration of OpenBGP.
  
  I have four routers that is connected with p-2-p links between each
  other:
  
  R1 - R2 - R3 - R4
  
  I've only seen networks announced to the nearest router that it is
  connected to.
  
  For example: R1 see R2 but R1 cannot see R3 etc..
 
 that's how BGP works. inside your own AS, the assumptions are
 1) every bgp speaker talks to every bgp speaker, or there's a route
 reflector 2) routing inside the AS is handled by an IGP (e. g. ospf)

I seem to have missed this with BGP, but have now dived into presentations about 
BGP to learn more about this (that I need some type of a mesh network inside 
my AS to achieve what I would like to do).

 
  There is no other router deamon running on the servers (ie no ospfd).
 
 well, you'll need one.

Well, ospf6d is so broken that it can't be used in a production environment.

Since IPv6 is so important for me as an Internet Service Provider I have to 
come up with something to solve my needs.

-- 
//fredan



Re: OpenBGP

2011-02-28 Thread fredrik danerklint
On Monday, 28 February 2011 at 19.27.28, fredrik danerklint wrote:
 On Monday, 28 February 2011 at 15.15.21, Claudio Jeker wrote:
  On Mon, Feb 28, 2011 at 03:08:05PM +0100, fredrik danerklint wrote:
   Hi!
   
   I need some help with an configuration of OpenBGP.
   
   I have four routers that is connected with p-2-p links between each
   other:
   
   R1 - R2 - R3 - R4
   
   I've only seen networks announced to the nearest router that it is
   connected to.
   
   For example: R1 see R2 but R1 cannot see R3 etc..
   
   There is no other router deamon running on the servers (ie no ospfd).
   
   I think this must be some basic error that I have made.
   
   The configuration files is very basic ie: no filter rules at all and
   there is an allow from any.
   
   All the routers have an uniq router id. All routers announce an uniq
   network that the others don't have.
  
  If you use the same AS on all 4 routers then you need to full mesh the
  four routers (iBGP sessions). Another option would be to use the
  route-reflector support. This is how BGP works.
 
 Fair enough.
 
 I have now tested to use three different AS number on the routers so they
 all act like eBGP in between them (I have in this test skipped router R4).
 
 Only router R2 sees everything. R1 see what R2 announce but not R3 and the
 same is true for router R3 that it can't see what R1 announce.
 
 Still, it must be something obviously that I have missed with this
 configuration for OpenBGP shall work in a configuration like this?

I did miss the announce all in the neighbour. Now it does work as eBGP in 
between.

-- 
//fredan



Re: OpenBGP

2011-02-28 Thread Andre Keller
On 28.02.2011 19:36, fredrik danerklint wrote:
 Well, ospf6d is so broken that it can't be used in a production environment.

 Since IPv6 is so important for me as a Internet Service Provider I have to 
 come up with something to solve my needs...

Well, I use ospf6d in production (for a small setup); when you know what
issues you have to deal with, it's OK.

To sum up:
 - No LSAs sent for passive interfaces. Patch available on misc/tech
 - ospf6d crashes when ip addresses are added to interfaces or when
interfaces are removed. Patch available on misc/tech
 - ospf6d crashes on ospf6ctl reload. (Not that big a deal...)
 - ospf6d does not support stub routes (Would be nice for carp
interfaces - like ospfd does announce the backup routes...)
 - ospf6d does not support multiple areas (AFAIK)

But having these points in mind, it does work okay. (It sure works better
than static routing or stuff like ripng. You might even use quagga, I
don't know if it's more stable though...)



OpenBGP Filter - Selectively Announcing by Peer.

2010-10-04 Thread Eduardo Meyer
Hello,

I want to selectively announce what I get from my peers (whom I am
transit for) for a certain upstream peer. I decided to use community
to do so, like that:

# Add what I get from my transit peers to community $myasn:1010
match from $peer_t1 set community $myasn:1010
match from $peer_t2 set community $myasn:1010

# Selectively announce it to my upstream peer number 2
deny to $peer_up2
allow to $peer_up2 community $myasn:1010

But it did not work.

I don't want to manually declare the networks I get, and my upstream
won't allow me to announce all.

What is wrong with the above OpenBGP rules?

-- 
===
Eduardo Meyer
pessoal: dudu.me...@gmail.com
profissional: ddm.farmac...@saude.gov.br



Re: OpenBGP Filter - Selectively Announcing by Peer.

2010-10-04 Thread Claudio Jeker
On Mon, Oct 04, 2010 at 02:20:55PM -0300, Eduardo Meyer wrote:
 Hello,
 
 I want to selectively announce what I get from my peers (whom I am
 transit for) for a certain upstream peer. I decided to use community
 to do so, like that:
 
 # Add what I get from my transit peers to communyt $myasn:1010
 match from $peer_t1 set community $myasn:1010
 match from $peer_t2 set community $myasn:1010
 
 # Selectively announce it to by upstream peer number 2
 deny to $peer_up2
 allow to $peer_up2 community $myasn:1010
 
 But it did not work.
 
 I dont want to manually declare the networks I get, and my upstream
 wont allow me to announce all.
 
 What is wrong with the above OpenBGP rules?
 

You need to set the announce type to all which means process all entries
in the RIB with the outbound filterset. Announce self which is the
default for eBGP sessions will block all non-empty AS paths before
passing the prefix to the outbound filtering. As soon as you do transit
you need announce all plus correct filters.

-- 
:wq Claudio
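
The outbound processing described in this reply, as an added example that is not part of the original thread: a simplified model (not bgpd code) of the announce gate followed by the filter rules from the question. The ASNs, prefixes and function names are constructed; that every rule is evaluated in order with the last matching allow or deny deciding, and that an unmatched route is allowed, are assumptions of the model.

```python
from dataclasses import dataclass

MYASN = 64500                 # constructed; stands in for $myasn
TAG = (MYASN, 1010)           # the community $myasn:1010 from the post


@dataclass
class Route:
    prefix: str
    as_path: tuple            # () means originated by this router
    communities: frozenset = frozenset()


@dataclass
class Rule:
    action: str               # "allow", "deny" or "match"
    direction: str            # "from" or "to"
    peer: str
    community: tuple = None   # if set, only routes carrying it match
    set_community: tuple = None


def apply_rules(rules, route, direction, peer, default="allow"):
    """Return the (possibly re-tagged) route if allowed, else None."""
    verdict, communities = default, set(route.communities)
    for rule in rules:
        if rule.direction != direction or rule.peer != peer:
            continue
        if rule.community is not None and rule.community not in communities:
            continue
        if rule.set_community is not None:
            communities.add(rule.set_community)
        if rule.action != "match":
            verdict = rule.action          # last matching allow/deny wins
    if verdict != "allow":
        return None
    return Route(route.prefix, route.as_path, frozenset(communities))


def build_rib(received, rules):
    """Run the inbound rules; peer None marks a locally originated network."""
    rib = []
    for peer, route in received:
        kept = route if peer is None else apply_rules(rules, route, "from", peer)
        if kept is not None:
            rib.append(kept)
    return rib


def rib_out(rib, rules, peer, announce):
    """Prefixes that would be sent to `peer` under the given announce type."""
    out = []
    for route in rib:
        if announce == "self" and route.as_path:
            continue          # non-empty AS path never reaches the filters
        if apply_rules(rules, route, "to", peer) is not None:
            out.append(route.prefix)
    return out


# Constructed sample routes: one own network, two customers, one upstream.
RECEIVED = [
    (None, Route("192.0.2.0/24", ())),
    ("peer_t1", Route("198.51.100.0/24", (64501,))),
    ("peer_t2", Route("203.0.113.0/24", (64502,))),
    ("peer_up1", Route("2001:db8:1::/48", (64510, 64511))),
]
RULES = [
    Rule("match", "from", "peer_t1", set_community=TAG),
    Rule("match", "from", "peer_t2", set_community=TAG),
    Rule("deny", "to", "peer_up2"),
    Rule("allow", "to", "peer_up2", community=TAG),
]

if __name__ == "__main__":
    rib = build_rib(RECEIVED, RULES)
    print("self + rules:", rib_out(rib, RULES, "peer_up2", "self"))
    print("all  + rules:", rib_out(rib, RULES, "peer_up2", "all"))
    print("all, no rules:", rib_out(rib, [], "peer_up2", "all"))
```

In this model the rules as posted also keep the router's own untagged network away from `peer_up2`, and `announce all` without rules hands the route learned from `peer_up1` to the other upstream.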



Re: OpenBGP Filter - Selectively Announcing by Peer.

2010-10-04 Thread Eduardo Meyer
On Mon, Oct 4, 2010 at 6:12 PM, Claudio Jeker cje...@diehard.n-r-g.com wrote:
 On Mon, Oct 04, 2010 at 02:20:55PM -0300, Eduardo Meyer wrote:
 Hello,

 I want to selectively announce what I get from my peers (whom I am
 transit for) for a certain upstream peer. I decided to use community
 to do so, like that:

 # Add what I get from my transit peers to communyt $myasn:1010
 match from $peer_t1 set community $myasn:1010
 match from $peer_t2 set community $myasn:1010

 # Selectively announce it to by upstream peer number 2
 deny to $peer_up2
 allow to $peer_up2 community $myasn:1010

 But it did not work.

 I dont want to manually declare the networks I get, and my upstream
 wont allow me to announce all.

 What is wrong with the above OpenBGP rules?


 You need to set the announce type to all which means process all entries
 in the RIB with the outbound filterset. Announce self which is the
 default for eBGP sessions will block all non empty as pathes before
 passing the prefix to the outbound filtering. As soon as you do tranist
 you need announce all plus correct filters.

Hello Jeker,

I am announcing all already.

Please enlighten me, when I do a

bgpctl sh rib out nei description

The prefixes I see are the ones the peer *accepted* from me or the
ones I am actually announcing, no matter if the peer accepts or not?

Because I announce all and later, filter by community, and the
above sh rib out nei d shows empty.

Thanks again.


 --
 :wq Claudio





-- 
===
Eduardo Meyer
pessoal: dudu.me...@gmail.com
profissional: ddm.farmac...@saude.gov.br



Re: OpenBGP: 3 doubts regarding localpref, rib out and announcement

2010-05-24 Thread Eduardo Meyer
On Sun, May 23, 2010 at 3:10 PM, Henning Brauer lists-open...@bsws.de wrote:
 match to $peer_2 prefix X.Y.Z.0/23 set localpref +50

 But it wont work as I need. Please remember X.Y.Z.0/23 is announced by me.

 localpref for outgoing? that is useless. localpref is, well, local,
 and not transmitted to the peer. and since you're setting it outbound
 (after all route decisions) it is a noop.

I believe I was not clear. I need to set a certain prefix of mine with
a higher localpref. It's not expected to be transmitted to the peer,
it's a local router policy decision to set localpref for a local /23.

Today I do this with pf route-to.

pass route-to peer2_ip from x.y.z.0/23 to any

 sounds like you're after sh ri out nei foo

That's exactly what I wanted, thank you a lot Brauer.


 Finally, my last doubt. I want to re-announce the bogon prefix I get
 from cymru projet to by internal BGP servers. I do announce all but
 the bogon list prefixes I get from cymru don't get announced. I
 managed to  set community delete NO_EXPORT since I believed the
 NO_EXPORT community cymru sends me is the cause of non-reannouncement
 on announce all desired behavior.
 However its still dont get announced to my peers.

 i bet this is an invalid nexthop case. set nexthop-self might be
 required.

That's why I like talking to whom knows. You are absolutely right,
thank you again :) I could export it setting it to a reachable
nexthop.

But now I tried something else which did not work.

My scenario:

group cymru {
 ...
 set community $myasn:6
 ...
 peer $cymru1 {
   ...
   ...
 }
 peer $cymru2 {
   ...
 }
}

#match from any community $myasn:6 set community delete NO_EXPORT # [1] works great
match to $transit_peer1 community $myasn:6 set community delete NO_EXPORT # [2] won't work, never gets deleted

My intention: export selectively what I get from group cymru, by
selectively removing the NO_EXPORT community.

If I comment [1] and uncomment [2] the rule won't match. [1] always matches fine...

In fact I tested a number of rules and none with match to .. set X
worked, when I am dealing with a prefix I got from someone else (not
announced by me).

What am I missing?


-- 
===
Eduardo Meyer
pessoal: dudu.me...@gmail.com
profissional: ddm.farmac...@saude.gov.br



OpenBGP: 3 doubts regarding localpref, rib out and announcement

2010-05-23 Thread Eduardo Meyer
Hello,

I have 3 simple but yet annoying doubts. First, it's about localpref.
Today I have a /23 prefix which I announce only to one peer and which
I also go upstream to this very only peer. However the upstream policy
I had to use pf route-to to achieve the desired behavior. I could
not arrange to sort a match filter which would allow me to set
localpref to any destination for a prefix of mine (outgoing). I can,
for sure, arrange to set destination based localpref. Say, I can raise
or lower localpref for a given destination, but not for all
destinations from a /23 source of mine. Tried things like:

match to $peer_2 prefix X.Y.Z.0/23 set localpref +50

But it won't work as I need. Please remember X.Y.Z.0/23 is announced by me.

My second doubt is regarding bgpctl show rib out. This command
shows what I announce in one OpenBGP router but does not show on any
other one. I have read the man pages, I have softreconfig set to yes
for both in and out (which is the default, btw, as mentioned on man
page and as bgpd -nv shows me). Sometimes I use bgpctl net show but
that's not as nice as sh rib out.

Finally, my last doubt. I want to re-announce the bogon prefix I get
from cymru project to my internal BGP servers. I do announce all but
the bogon list prefixes I get from cymru don't get announced. I
managed to  set community delete NO_EXPORT since I believed the
NO_EXPORT community cymru sends me is the cause of non-reannouncement
on announce all desired behavior.

However it still doesn't get announced to my peers.

I tried things like:

allow to $my_inner_peer community $cymruas:888

But they did not work. Any other suggestions?

Thank you.

-- 
===
Eduardo Meyer
pessoal: dudu.me...@gmail.com
profissional: ddm.farmac...@saude.gov.br



Re: OpenBGP: 3 doubts regarding localpref, rib out and announcement

2010-05-23 Thread Henning Brauer
* Eduardo Meyer dudu.me...@gmail.com [2010-05-23 13:51]:
 Hello,
 
 I have 3 simple but yet annoying doubts. First, it's about localpref.
 Today I have a /23 prefix which I announce only to one peer and which
 I also go upstream to this very only peer. However the upstream policy
 I had to use pf route-to to achieve the desired behavior. I could
 not arrange to sort a match filter which would allow me to set
 localpref to any destionation for a prefix of mine (outgoing). I cam,
 for sure, arrange to set destination based localpref. Say, I can raise
 or lower localpref for a given destination, but not for all
 destionations from a /23 source of mine. Tried things like:
 
 match to $peer_2 prefix X.Y.Z.0/23 set localpref +50
 
 But it wont work as I need. Please remember X.Y.Z.0/23 is announced by me.

localpref for outgoing? that is useless. localpref is, well, local,
and not transmitted to the peer. and since you're setting it outbound
(after all route decisions) it is a noop.
 
 By second doubts is regarding bgpctl show rib out. This command
 shows what I announce in one OpenBGP router but does not shows on any
 other one. I have read the man pages, I have softreconfig set o yes
 for both in and out (which is the default, btw, as mentioned on man
 page and as bgpd -nv shows me). Sometimes I use bgpctl net show but
 thats not as nice as sh rib out.

sounds like you're after sh ri out nei foo

 Finally, my last doubt. I want to re-announce the bogon prefix I get
 from cymru projet to by internal BGP servers. I do announce all but
 the bogon list prefixes I get from cymru don't get announced. I
 managed to  set community delete NO_EXPORT since I believed the
 NO_EXPORT community cymru sends me is the cause of non-reannouncement
 on announce all desired behavior.
 However its still dont get announced to my peers.

i bet this is an invalid nexthop case. set nexthop-self might be
required.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting



Re: OpenBGP tcp md5 woes...

2010-05-16 Thread Claudio Jeker
On Sat, May 15, 2010 at 05:15:21PM +0200, Xavier Beaudouin wrote:
 Hi Stuart,
 
 On 15 May 2010 at 13:47, Stuart Henderson wrote:
 
  On 2010-05-15, Xavier Beaudouin k...@oav.net wrote:
  Hello,
 
  I am running OpenBSD 4.7-current, and it seems I have some problems to
  negociate tcp md5 bgp session... They doesn't seems at all to wake up, I
 have
  connection timeout... or what ever.
 
  Please show ipsecctl -sa and netstat -rnfencap
 
 # netstat -rnfencap
 Routing tables
 (empty)
 
 # ipsecctl -sa
 FLOWS:
 No flows
 
 SAD:
 tcpmd5 from 194.68.129.120 to 194.68.129.151 spi 0x18ca8716
 tcpmd5 from 194.68.129.120 to 194.68.129.150 spi 0x38c985dd
 tcpmd5 from 194.68.129.114 to 194.68.129.120 spi 0x4f5d8833
 tcpmd5 from 194.68.129.103 to 194.68.129.120 spi 0x5351ca6b
 tcpmd5 from 194.68.129.120 to 194.68.129.115 spi 0x7a989c0e
 tcpmd5 from 194.68.129.120 to 194.68.129.121 spi 0x8c8c5051
 tcpmd5 from 194.68.129.129 to 194.68.129.120 spi 0xaece6b67
 tcpmd5 from 194.68.129.121 to 194.68.129.120 spi 0xbb6260f1
 tcpmd5 from 194.68.129.115 to 194.68.129.120 spi 0xbc589b6f
 tcpmd5 from 194.68.129.120 to 194.68.129.129 spi 0xc16133b3
 tcpmd5 from 194.68.129.120 to 194.68.129.114 spi 0xc36216e4
 tcpmd5 from 194.68.129.120 to 194.68.129.103 spi 0xc39e4d97
 tcpmd5 from 194.68.129.150 to 194.68.129.120 spi 0xc8bf11ca
 tcpmd5 from 194.68.129.120 to 194.68.129.102 spi 0xcc6b7756
 tcpmd5 from 194.68.129.102 to 194.68.129.120 spi 0xd9097ad1
 tcpmd5 from 194.68.129.197 to 194.68.129.120 spi 0xdb53b930
 tcpmd5 from 194.68.129.151 to 194.68.129.120 spi 0xde1e91da
 tcpmd5 from 194.68.129.120 to 194.68.129.197 spi 0xe630b27a
 
 
 The .120 is my IP :p
 
  I have md5 working with a kernel from April 28th and an absolutely
  -current bgpd, and also with the version from the Apr 28th snapshot,
  so I don't think there is a general problem with the code you're
  running.
 
 I'm allmost sure there is no problems... I still try to find where is it the
 problem :(
 
 If you have any hints.. I'm be happy to apply them...

Did it work before the update with that peer?
Most of the time the problem is different passwords or some other
misconfiguration. TCP MD5 is an ugly hack that has some nasty
ramifications (it breaks some basic behaviour of TCP e.g. RST signaling).

Normally the best is to turn off md5 and check that the session works. Then
enable md5 or use ttl-security.
-- 
:wq Claudio
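
Why a password mismatch shows up only as a connection timeout, and why TCP MD5 interferes with RST signalling, as an added example that is not part of the original thread. It computes the RFC 2385 signature (pseudo-header, TCP header without options and with a zero checksum, segment data, then the key) and models the receiver's check; addresses, ports, keys and function names are constructed, and it is not OpenBSD's implementation.

```python
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
SYN, RST = 0x02, 0x04


def md5_signature(seg, password):
    """RFC 2385 digest for one segment described by the dict `seg`."""
    header_len = 20 + seg["opt_len"]          # options count toward the length
    pseudo = (socket.inet_aton(seg["src"]) + socket.inet_aton(seg["dst"])
              + struct.pack("!BBH", 0, TCP_PROTO, header_len + len(seg["data"])))
    # Fixed 20-byte header only: the options themselves are not hashed and
    # the checksum field is taken as zero.
    header = struct.pack("!HHIIHHHH", seg["sport"], seg["dport"],
                         seg["seq"], seg["ack"],
                         ((header_len // 4) << 12) | seg["flags"],
                         seg["window"], 0, 0)
    return hashlib.md5(pseudo + header + seg["data"] + password).digest()


def sign(seg, password):
    """Sender side: attach the 16-byte digest carried in TCP option 19."""
    return dict(seg, sig=md5_signature(seg, password))


def receive(seg, password):
    """Receiver side: a missing or wrong signature is dropped without reply."""
    sig = seg.get("sig")
    if sig is None or not hmac.compare_digest(sig, md5_signature(seg, password)):
        return "drop"                         # no RST, no ICMP: sender times out
    return "accept"


# Constructed segments between two documentation addresses on the BGP port.
SYN_SEG = {"src": "192.0.2.1", "dst": "192.0.2.2", "sport": 40000, "dport": 179,
           "seq": 1000, "ack": 0, "flags": SYN, "window": 16384,
           "opt_len": 20, "data": b""}
# A reset sent by something that does not know the key carries no signature.
RST_SEG = {"src": "192.0.2.2", "dst": "192.0.2.1", "sport": 179, "dport": 40000,
           "seq": 0, "ack": 1001, "flags": RST, "window": 0,
           "opt_len": 0, "data": b""}

if __name__ == "__main__":
    syn = sign(SYN_SEG, b"constructed-key-A")
    print("same password:     ", receive(syn, b"constructed-key-A"))
    print("different password:", receive(syn, b"constructed-key-B"))
    print("unsigned RST:      ", receive(RST_SEG, b"constructed-key-A"))
```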



Re: OpenBGP tcp md5 woes...

2010-05-16 Thread Xavier Beaudouin
Hi there,

On 16 May 2010 at 14:26, Claudio Jeker wrote:

 On Sat, May 15, 2010 at 05:15:21PM +0200, Xavier Beaudouin wrote:
 Hi Stuart,

 On 15 May 2010 at 13:47, Stuart Henderson wrote:

 On 2010-05-15, Xavier Beaudouin k...@oav.net wrote:
 Hello,

 I am running OpenBSD 4.7-current, and it seems I have some problems to
 negociate tcp md5 bgp session... They doesn't seems at all to wake up, I
 have
 connection timeout... or what ever.

 Please show ipsecctl -sa and netstat -rnfencap

 # netstat -rnfencap
 Routing tables
 (empty)

 # ipsecctl -sa
 FLOWS:
 No flows

 SAD:
 tcpmd5 from 194.68.129.120 to 194.68.129.151 spi 0x18ca8716
 tcpmd5 from 194.68.129.120 to 194.68.129.150 spi 0x38c985dd
 tcpmd5 from 194.68.129.114 to 194.68.129.120 spi 0x4f5d8833
 tcpmd5 from 194.68.129.103 to 194.68.129.120 spi 0x5351ca6b
 tcpmd5 from 194.68.129.120 to 194.68.129.115 spi 0x7a989c0e
 tcpmd5 from 194.68.129.120 to 194.68.129.121 spi 0x8c8c5051
 tcpmd5 from 194.68.129.129 to 194.68.129.120 spi 0xaece6b67
 tcpmd5 from 194.68.129.121 to 194.68.129.120 spi 0xbb6260f1
 tcpmd5 from 194.68.129.115 to 194.68.129.120 spi 0xbc589b6f
 tcpmd5 from 194.68.129.120 to 194.68.129.129 spi 0xc16133b3
 tcpmd5 from 194.68.129.120 to 194.68.129.114 spi 0xc36216e4
 tcpmd5 from 194.68.129.120 to 194.68.129.103 spi 0xc39e4d97
 tcpmd5 from 194.68.129.150 to 194.68.129.120 spi 0xc8bf11ca
 tcpmd5 from 194.68.129.120 to 194.68.129.102 spi 0xcc6b7756
 tcpmd5 from 194.68.129.102 to 194.68.129.120 spi 0xd9097ad1
 tcpmd5 from 194.68.129.197 to 194.68.129.120 spi 0xdb53b930
 tcpmd5 from 194.68.129.151 to 194.68.129.120 spi 0xde1e91da
 tcpmd5 from 194.68.129.120 to 194.68.129.197 spi 0xe630b27a


 The .120 is my IP :p

 I have md5 working with a kernel from April 28th and an absolutely
 -current bgpd, and also with the version from the Apr 28th snapshot,
 so I don't think there is a general problem with the code you're
 running.

 I'm allmost sure there is no problems... I still try to find where is it
the
 problem :(

 If you have any hints.. I'm be happy to apply them...

 Did it work before the update with that peer?
 Most of the time the problem is different passwords or some other
 misconfiguration. TCP MD5 is an ugly hack that has some nasty
 ramifications (it breaks some basic behaviour of TCP e.g. RST signaling).

Hum, this is strange, in fact all tcp md5 sessions don't work at all.

I can give you access to this router if you like Claudio... :)

Xavier

 Normaly the best is to turn of md5 and check that the session works. Then
 enabling md5 or use ttl-security.
 --
 :wq Claudio



OpenBGP tcp md5 woes...

2010-05-15 Thread Xavier Beaudouin
Hello,

I am running OpenBSD 4.7-current, and it seems I have some problems
negotiating tcp md5 bgp sessions... They don't seem to wake up at all, I have
connection timeout... or whatever.

dmesg :

OpenBSD 4.7-current (GENERIC.MP) #560: Wed Apr 28 11:55:01 MDT 2010
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Pentium(R) 4 CPU 3.00GHz (GenuineIntel 686-class) 3 GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,D
S,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID,xTPR
real mem  = 1072132096 (1022MB)
avail mem = 1028767744 (981MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 06/12/06, BIOS32 rev. 0 @ 0xfb6d0,
SMBIOS rev. 2
.3 @ 0xf0800 (41 entries)
bios0: vendor Phoenix Technologies, LTD version 6.00 PG date 06/12/2006
bios0: Supermicro P4SC8
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP APIC
acpi0: wakeup devices CSAD(S5) HUB0(S5) HRB_(S5) UAR1(S5) UAR2(S5) USB0(S3)
USB1(S3) U
SBE(S3) MODM(S5) PCI0(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 199MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Pentium(R) 4 CPU 3.00GHz (GenuineIntel 686-class) 3 GHz
cpu1:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,D
S,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID,xTPR
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 2
ioapic1 at mainbus0: apid 3 pa 0xfec1, version 20, 24 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (CSAB)
acpiprt2 at acpi0: bus 4 (HUB0)
acpiprt3 at acpi0: bus 2 (HRB_)
acpicpu0 at acpi0
acpicpu1 at acpi0
acpitz0 at acpi0acpitz0: THRM: failed to read _TMP
acpibtn0 at acpi0: PWRB
bios0: ROM list: 0xc/0x8000 0xc8000/0x4000!
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel 82875P Host rev 0x02
ppb0 at pci0 dev 3 function 0 Intel 82875P CSA rev 0x02
pci1 at ppb0 bus 1
em0 at pci1 dev 1 function 0 Intel PRO/1000CT (82547GI) rev 0x00: apic 2 int
18 (irq
 10), address 00:30:48:81:18:0a
ppb1 at pci0 dev 28 function 0 Intel 6300ESB PCIX rev 0x02
pci2 at ppb1 bus 2
ppb2 at pci2 dev 1 function 0 Pericom PI7C21P100 PCIX-PCIX rev 0x01
pci3 at ppb2 bus 3
em1 at pci3 dev 4 function 0 Intel PRO/1000MT QP (82546GB) rev 0x03: apic 3
int 0 (i
rq 9), address 00:1b:21:30:85:d4
em2 at pci3 dev 4 function 1 Intel PRO/1000MT QP (82546GB) rev 0x03: apic 3
int 1 (i
rq 9), address 00:1b:21:30:85:d5
em3 at pci3 dev 6 function 0 Intel PRO/1000MT QP (82546GB) rev 0x03: apic 3
int 2 (i
rq 9), address 00:1b:21:30:85:d6
em4 at pci3 dev 6 function 1 Intel PRO/1000MT QP (82546GB) rev 0x03: apic 3
int 3 (i
rq 9), address 00:1b:21:30:85:d7
uhci0 at pci0 dev 29 function 0 Intel 6300ESB USB rev 0x02: apic 2 int 16
(irq 11)
uhci1 at pci0 dev 29 function 1 Intel 6300ESB USB rev 0x02: apic 2 int 19
(irq 12)
Intel 6300ESB WDT rev 0x02 at pci0 dev 29 function 4 not configured
Intel 6300ESB APIC rev 0x02 at pci0 dev 29 function 5 not configured
ehci0 at pci0 dev 29 function 7 Intel 6300ESB USB rev 0x02: apic 2 int 23
(irq 7)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb3 at pci0 dev 30 function 0 Intel 82801BA Hub-to-PCI rev 0x0a
pci4 at ppb3 bus 4
vga1 at pci4 dev 9 function 0 ATI Rage XL rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
em5 at pci4 dev 10 function 0 Intel PRO/1000MT (82541GI) rev 0x00: apic 2
int 19 (ir
q 12), address 00:30:48:81:18:0b
ichpcib0 at pci0 dev 31 function 0 Intel 6300ESB LPC rev 0x02
pciide0 at pci0 dev 31 function 1 Intel 6300ESB IDE rev 0x02: DMA, channel 0
configu
red to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: DMV340H4-004-M
wd0: 1-sector PIO, LBA, 3679MB, 7535808 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5


ifconfig em5 :

ifconfig em5
em5: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:30:48:81:18:0b
description: Sfinx
priority: 0
media: Ethernet 100baseTX full-duplex
status: active
inet 194.68.129.xxx netmask 0xff00 broadcast 194.68.129.255
inet6 fe80::230:48ff:fe81:180b%em5 prefixlen 64 scopeid 0x6
inet6 2001:7f8:4e:2::xxx prefixlen 64

Extract of /etc/bgpd.conf :

group Sfinx {
        local-address   194.68.129.xxx
        announce all
        softreconfig in  yes
        softreconfig out yes
        set med 50
        set localpref 5000

        # SFinx
        neighbor 194.68.129.102 {
                remote-as 2200
                max-prefix 200 restart 60
                tcp md5sig password ZeUnecryptedPass
                set { med +5 }
                set community delete 2200:*
        }
}

Re: OpenBGP tcp md5 woes...

2010-05-15 Thread Stuart Henderson
On 2010-05-15, Xavier Beaudouin k...@oav.net wrote:
 Hello,

 I am running OpenBSD 4.7-current, and it seems I have some problems to
 negociate tcp md5 bgp session... They doesn't seems at all to wake up, I have
 connection timeout... or what ever.

Please show ipsecctl -sa and netstat -rnfencap.

I have md5 working with a kernel from April 28th and an absolutely 
-current bgpd, and also with the version from the Apr 28th snapshot,
so I don't think there is a general problem with the code you're
running.


Re: OpenBGP tcp md5 woes...

2010-05-15 Thread Xavier Beaudouin
Hi Stuart,

On 15 May 2010 at 13:47, Stuart Henderson wrote:

 On 2010-05-15, Xavier Beaudouin k...@oav.net wrote:
 Hello,

 I am running OpenBSD 4.7-current, and it seems I have some problems to
 negotiate tcp md5 bgp session... They don't seem at all to wake up, I have
 connection timeout... or whatever.

 Please show ipsecctl -sa and netstat -rnfencap

# netstat -rnfencap
Routing tables
(empty)

# ipsecctl -sa
FLOWS:
No flows

SAD:
tcpmd5 from 194.68.129.120 to 194.68.129.151 spi 0x18ca8716
tcpmd5 from 194.68.129.120 to 194.68.129.150 spi 0x38c985dd
tcpmd5 from 194.68.129.114 to 194.68.129.120 spi 0x4f5d8833
tcpmd5 from 194.68.129.103 to 194.68.129.120 spi 0x5351ca6b
tcpmd5 from 194.68.129.120 to 194.68.129.115 spi 0x7a989c0e
tcpmd5 from 194.68.129.120 to 194.68.129.121 spi 0x8c8c5051
tcpmd5 from 194.68.129.129 to 194.68.129.120 spi 0xaece6b67
tcpmd5 from 194.68.129.121 to 194.68.129.120 spi 0xbb6260f1
tcpmd5 from 194.68.129.115 to 194.68.129.120 spi 0xbc589b6f
tcpmd5 from 194.68.129.120 to 194.68.129.129 spi 0xc16133b3
tcpmd5 from 194.68.129.120 to 194.68.129.114 spi 0xc36216e4
tcpmd5 from 194.68.129.120 to 194.68.129.103 spi 0xc39e4d97
tcpmd5 from 194.68.129.150 to 194.68.129.120 spi 0xc8bf11ca
tcpmd5 from 194.68.129.120 to 194.68.129.102 spi 0xcc6b7756
tcpmd5 from 194.68.129.102 to 194.68.129.120 spi 0xd9097ad1
tcpmd5 from 194.68.129.197 to 194.68.129.120 spi 0xdb53b930
tcpmd5 from 194.68.129.151 to 194.68.129.120 spi 0xde1e91da
tcpmd5 from 194.68.129.120 to 194.68.129.197 spi 0xe630b27a


The .120 is my IP :p

 I have md5 working with a kernel from April 28th and an absolutely
 -current bgpd, and also with the version from the Apr 28th snapshot,
 so I don't think there is a general problem with the code you're
 running.

I'm almost sure there are no problems... I'm still trying to find where the
problem is :(

If you have any hints.. I'd be happy to apply them...

Xavier



OpenBGP compare prefix from other peer

2010-05-14 Thread leonardo fabian
Hi all,

i have following configuration:

Upstream A  [RA]  [RC]  [RB] --- Upstream B

EBGP:
RA - Upstream A
RB - Upstream B

Upstream A has 100% full internet routing table
Upstream B has 70% internet routing table.

on RA and RB: fib-update no
and  have default route to their respective EBGP peering

RC has default route to RB,

I want to keep kernel routing table as minimal as possible.

How do i distribute routes from RA to RC and update kernel routing table
if there is no route from RB?

on RC i want to something like this:

deny from RA
deny from RB
allow from RA if there's no route from RB

So RC only contain 30% internet routing table.
(RA and RB has 30% differences)
Is it possible?

Nowadays 30% of full internet routing table are 90K prefixes.
Is there any significant differences looking up 300K than 90K routing table?

Thanks,
Leo



Re: OpenBGP filter question

2010-02-17 Thread Ivo Chutkin

On 12.2.2010 11:10, Stuart Henderson wrote:

On 2010-02-11, Ivo Chutkin open...@bgone.net wrote:

match to $my_upstream_1 source-as {some_as} set prepend-self 4

I would like to prepend my as to make as path longer for some_as
trough my_upstream_1 and make it to prefer path trough my_upstream_2.
It does not produce error with bgpd-n but there is no effect as well.


Are you certain it has no effect (and how?) - you can't rely on
AS path prepending to change how traffic flows, if someone gives you
a higher localpref they'll use that path irrespective of the path length.



Hi Stuart,
I am certain as I don't see my prepend on some_as looking glass.

The actual filter looks like this without the comment:

match to $spnet_bg #(AS8717) sourse_as 9070 set prepend-seff 4

and this is what I see on 9070 looking glass:


This filter affects prefixes you send to the peer, and only those
with source_as 9070. Unless you are providing transit for 9070
you won't be sending anything to 34224 that matches this (and if
you are, it wouldn't be a useful thing to do, as 9070 won't
accept routes with their own AS in the path).

If I understand correctly, you'd like 9070 to see a longer path
to you via 34224, but not affect things for other AS that see you
via 34224.

I think there are just two ways you can do this via prepending

1. ask 34224 to prepend their announcements to 9070.
Some providers let you set communities on your prefixes to
do this, see e.g. whois -r as3356|more +/ties.acc
but many do not.

2. ask 9070 to prepend the paths they receive from 34224.




Hi Stuart, hi list,

Sorry for being away for so long.

You get me correct, that is what I wanted to achieve. The as 9070 is 
just an example. Obviously it is not the correct way to do it.

Thank you for clarifying it for me.

Regards,
Ivo



Re: OpenBGP filter question

2010-02-12 Thread Stuart Henderson
On 2010-02-11, Ivo Chutkin open...@bgone.net wrote:
 match to $my_upstream_1 source-as {some_as} set prepend-self 4

 I would like to prepend my as to make as path longer for some_as
 trough my_upstream_1 and make it to prefer path trough my_upstream_2.
 It does not produce error with bgpd-n but there is no effect as well.

 Are you certain it has no effect (and how?) - you can't rely on
 AS path prepending to change how traffic flows, if someone gives you
 a higher localpref they'll use that path irrespective of the path length.


 Hi Stuart,
 I am certain as I don't see my prepend on some_as looking glass.

 The actual filter looks like this without the comment:

 match to $spnet_bg #(AS8717) sourse_as 9070 set prepend-seff 4

 and this is what I see on 9070 looking glass:

This filter affects prefixes you send to the peer, and only those
with source_as 9070. Unless you are providing transit for 9070
you won't be sending anything to 34224 that matches this (and if
you are, it wouldn't be a useful thing to do, as 9070 won't
accept routes with their own AS in the path).

If I understand correctly, you'd like 9070 to see a longer path
to you via 34224, but not affect things for other AS that see you
via 34224.

I think there are just two ways you can do this via prepending

1. ask 34224 to prepend their announcements to 9070.
Some providers let you set communities on your prefixes to
do this, see e.g. whois -r as3356|more +/ties.acc
but many do not.

2. ask 9070 to prepend the paths they receive from 34224.
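
The matching behaviour described in the reply above, as an added example that is not part of the original post and not OpenBGPD code. It is a simplified model: the `Route` class, the helper names and the 192.0.2.0/24 transit prefix are assumptions made for illustration; 20682, 9070 and 87.120.100.0/24 come from the thread.

```python
"""Toy model of an outbound 'match to <peer> source-as N set prepend-self K' rule."""
from dataclasses import dataclass

MY_AS = 20682      # "20682 is my as" (from the thread)
TARGET_AS = 9070   # AS named in the poster's filter


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple = ()   # path as received; empty tuple = originated locally

    @property
    def source_as(self):
        # The source (origin) AS is the rightmost AS in the path.
        # A locally originated route is sourced from our own AS.
        return self.as_path[-1] if self.as_path else MY_AS


def export_path(route, match_source_as, prepend_self):
    """Apply the rule, then the normal eBGP export step (add our AS once)."""
    path = route.as_path
    matched = route.source_as == match_source_as
    if matched:
        path = (MY_AS,) * prepend_self + path
    return matched, (MY_AS,) + path


def accepts(receiver_as, announced_path):
    """BGP loop prevention: drop any path that already contains our own AS."""
    return receiver_as not in announced_path


def run_filter(routes, match_source_as=TARGET_AS, prepend_self=4):
    """Evaluate the rule for every route sent to the upstream."""
    results = {}
    for route in routes:
        matched, path = export_path(route, match_source_as, prepend_self)
        results[route.prefix] = {
            "matched": matched,
            "announced": path,
            "accepted_by_target": accepts(match_source_as, path),
        }
    return results


# The poster's own prefix (seen on the looking glass with origin 20682).
OWN = Route("87.120.100.0/24")
# Constructed case: a prefix originated by 9070 that we would carry as transit.
TRANSIT = Route("192.0.2.0/24", (TARGET_AS,))

if __name__ == "__main__":
    for prefix, outcome in run_filter([OWN, TRANSIT]).items():
        print(prefix, outcome)
```

The poster's own prefix never matches, so it leaves with a single 20682 and no prepend; the only route that does match carries 9070 in its path and is dropped by 9070 itself.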



Re: OpenBGP filter question

2010-02-12 Thread Andre Keller
On 11.02.2010 11:31, Ivo Chutkin wrote:
 The actual filter looks like this without the comment:

 match to $spnet_bg #(AS8717) sourse_as 9070 set prepend-seff 4

These are typos, right?

match to neighborip source-as as to prepend set { prepend-self 3 }

works in our setup



Re: OpenBGP filter question

2010-02-11 Thread Ivo Chutkin

On 10.2.2010 21:32, Stuart Henderson wrote:

On 2010-02-10, Ivo Chutkin open...@bgone.net wrote:

Hello misc,

Would the following filter work?

match to $my_upstream_1 source-as {some_as} set prepend-self 4

I would like to prepend my as to make as path longer for some_as
trough my_upstream_1 and make it to prefer path trough my_upstream_2.
It does not produce error with bgpd-n but there is no effect as well.


Are you certain it has no effect (and how?) - you can't rely on
AS path prepending to change how traffic flows, if someone gives you
a higher localpref they'll use that path irrespective of the path length.



Hi Stuart,
I am certain as I don't see my prepend on some_as looking glass.

The actual filter looks like this without the comment:

match to $spnet_bg #(AS8717) sourse_as 9070 set prepend-seff 4

and this is what I see on 9070 looking glass:

inet.0: 5185 destinations, 8315 routes (5184 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

A Destination        P Prf   Metric 1   Metric 2  Next hop         AS path
* 87.120.100.0/24    B 170        115             212.116.129.38   34224 20682 I
                     B 170        115         99  212.116.129.66   34224 20682 I
                     B 170        115             212.116.135.81   8717 20682 I


{master:0}

where 20682 is my as.

Filter like:

match to $spnet_gl prefix {$net3 $net4 $net5 $net6} set prepend-self 2

works perfect but it prepends all as paths from this neighbor and it 
changes the routes to me.


I am aware of local preference.

Thanks for the help,
Ivo



OpenBGP filter question

2010-02-10 Thread Ivo Chutkin

Hello misc,

Would the following filter work?

match to $my_upstream_1 source-as {some_as} set prepend-self 4

I would like to prepend my AS to make the AS path longer for some_as
through my_upstream_1 and make it prefer the path through my_upstream_2.

It does not produce an error with bgpd -n but there is no effect as well.

Thanks for the help,
Ivo



Re: OpenBGP filter question

2010-02-10 Thread Stuart Henderson
On 2010-02-10, Ivo Chutkin open...@bgone.net wrote:
 Hello misc,

 Would the following filter work?

 match to $my_upstream_1 source-as {some_as} set prepend-self 4

 I would like to prepend my as to make as path longer for some_as 
 trough my_upstream_1 and make it to prefer path trough my_upstream_2.
 It does not produce error with bgpd-n but there is no effect as well.

Are you certain it has no effect (and how?) - you can't rely on
AS path prepending to change how traffic flows, if someone gives you
a higher localpref they'll use that path irrespective of the path length.



ASN Flow Exporter for OpenBGP device

2009-12-04 Thread Eduardo Meyer
Hello,

I have an OpenBGP device and I need to find out which ASN demands more
bandwidth to do some sort of traffic policy engineering. Therefore I
need to know if there is any software that is able to export netflow
data including SRC/DST AS on an OpenBGP system. I have used pfflow and
softflowd but on the second AS is always '0' and pfflow will depend on
the ability to have pf data per ASN.

I know I can set up some rtlabel or pftable to allow OBGP interaction
with PF. However, I would need to manually set the whole scenario and
the reliability of my information would depend on my observation of
potential ASN to be tracked. Its OK but this way I miss the behavior
deviations, if a certain quiet ASN suddenly raises traffic and later
lowers it back again.

So, how options we have?

Thank you in advance.

-- 
===
Eduardo Meyer
pessoal: dudu.me...@gmail.com
profissional: ddm.farmac...@saude.gov.br



Re: ASN Flow Exporter for OpenBGP device

2009-12-04 Thread Henning Brauer
* Eduardo Meyer dudu.me...@gmail.com [2009-12-04 17:29]:
 Hello,
 
 I have an OpenBGP device and I need to find out which ASN demands more
 bandwidth to do some sort of traffic policy engineering. Therefore I
 need to know if there is any software that is able to export netflow
 data including SRC/DST AS on an OpenBGP system. I have used pfflow and
 softflowd but on the second AS is always '0' and pfflow will depend on
 the ability to have pf data per ASN.
 
 I know I can set up some rtlabel or pftable to allow OBGP interaction
 with PF. However, I would need to manually set the whole scenario and
 the reliability of my information would depend on my observation of
 potential ASN to be tracked. Its OK but this way I miss the behavior
 deviations, if a certain quiet ASN suddenly raises traffic and later
 lowers it back again.
 
 So, how options we have?

we'd really like that functionality (with pflow(4), of course) but no
good idea on how to do that yet.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting



Re: ASN Flow Exporter for OpenBGP device

2009-12-04 Thread Eduardo Meyer
On Fri, Dec 4, 2009 at 3:08 PM, Henning Brauer lists-open...@bsws.de wrote:
 * Eduardo Meyer dudu.me...@gmail.com [2009-12-04 17:29]:
 Hello,

 I have an OpenBGP device and I need to find out which ASN demands more
 bandwidth to do some sort of traffic policy engineering. Therefore I
 need to know if there is any software that is able to export netflow
 data including SRC/DST AS on an OpenBGP system. I have used pfflow and
 softflowd but on the second AS is always '0' and pfflow will depend on
 the ability to have pf data per ASN.

 I know I can set up some rtlabel or pftable to allow OBGP interaction
 with PF. However, I would need to manually set the whole scenario and
 the reliability of my information would depend on my observation of
 potential ASN to be tracked. Its OK but this way I miss the behavior
 deviations, if a certain quiet ASN suddenly raises traffic and later
 lowers it back again.

 So, how options we have?

 we'd really like that functionality (with pflow(4), of course) but no
 good idea on how to do that yet.

I can see how hard it gets to be, specially to make it lightweight.
One approach would be auto labeling routing entries by AS (basic
support for it already exists) and later, pflow would check for it on
exporting time, or maybe check from openbgp directly. I hope its
possible somehow.

Thank you for your time, we really appreciate.


 --
 Henning Brauer, h...@bsws.de, henn...@openbsd.org
 BS Web Services, http://bsws.de
 Full-Service ISP - Secure Hosting, Mail and DNS Services
 Dedicated Servers, Rootservers, Application Hosting





-- 
===
Eduardo Meyer
pessoal: dudu.me...@gmail.com
profissional: ddm.farmac...@saude.gov.br



Re: ASN Flow Exporter for OpenBGP device

2009-12-04 Thread Stuart Henderson
On 2009-12-04, Eduardo Meyer dudu.me...@gmail.com wrote:
 I have an OpenBGP device and I need to find out which ASN demands more
 bandwidth to do some sort of traffic policy engineering. Therefore I
 need to know if there is any software that is able to export netflow
 data including SRC/DST AS on an OpenBGP system.

take a look at pmacct, it's in ports/packages. it can collect netflow
data and peer bgp (quagga-based code) to add ASN information, but as
far as I know the bgp code hasn't been tested on OpenBSD yet.



OpenBGP on CARP

2009-09-29 Thread peter dunaskin
Hello,

I'm trying to implement CARP on our edge BGP OpenBSD routers. CARP
itself seems to be working perfectly but I'm having problems figuring
out how to properly configure BGP.

I have couple of external IP's on my network, so limited number of them
is not an issue (as it's often with internet exchange points).

From claudio's presentation it seems to me doing it by depend on carp0
is wrong [1].

My setup is like this:

  [ upstream ]
   10.1.1.254
|
10.1.1.1
10.1.1.2  carp0  10.1.1.3
  [ router#1 ] [ router#2 ]

Should I peer both routers using their external IP's to my upstream ISP
and keep IBGP session between both of them? Or should I use depend on
carp0 and local-address 10.1.1.1 on both of them? In this case, what
am I supposed to announce between both of my routers?

Thanks,
Peter

1. http://www.openbsd.org/papers/linuxtag06-network/mgp00028.html



Re: OpenBGP on CARP

2009-09-29 Thread Soeren Aurehoej

Hello Peter

On 29/09/2009 at 14.33, peter dunaskin wrote:


Hello,

I'm trying to implement CARP on our edge BGP OpenBSD routers. CARP
itself seems to be working perfectly but I'm having problems figuring
out how to propertly configure BGP.

I have couple of external IP's on my network, so limited number of
them
is not an issue (as it's often with internet exchange points)

Could you get one BGP session  to each router from your provider.
That way you only need the carp on the inside.
It makes the setup a little simpler, and allows you to have 2 full BGP
views, making failover faster.


From claudio's presentation it seems to me doing it by depend on
carp0
is wrong [1].

My setup is like this:

[ upstream ]
 10.1.1.254
  |
  10.1.1.1
  10.1.1.2  carp0  10.1.1.3
[ router#1 ] [ router#2 ]

Should I peer both routers using their external IP's to my upstream
ISP
and keep IBGP session between both of them?

That's what I do, with OSPF on top.


Or should I use depend on
carp0 and local-address 10.1.1.1 on both of them? In this case,
what
am I supposed to announce between both of my routers?

Thanks,
Peter

1. http://www.openbsd.org/papers/linuxtag06-network/mgp00028.html




/Søren



Re: OpenBGP on CARP

2009-09-29 Thread Soeren Aurehoej

On 29/09/2009 at 18.24, peter dunaskin wrote:


Hello Soeren,


I'm trying to implement CARP on our edge BGP OpenBSD routers. CARP
itself seems to be working perfectly but I'm having problems  
figuring

out how to propertly configure BGP.

I have couple of external IP's on my network, so limited number of
them
is not an issue (as it's often with internet exchange points)

Could you get one BGP session  to each router from your provider.
That way you only need the carp on the inside.
It makes the setup a little simpler, and allows you to have 2 full  
BGP

views, making failover faster.

Thanks for your reply!
Yes, I could probably ask my provider to give me two BGP sessions.


From claudio's presentation it seems to me doing it by depend on
carp0
is wrong [1].

My setup is like this:

  [ upstream ]
   10.1.1.254
|
10.1.1.1
10.1.1.2  carp0  10.1.1.3
[ router#1 ] [ router#2 ]

Should I peer both routers using their external IP's to my upstream
ISP
and keep IBGP session between both of them?

That's what I do, with OSPF on top.


Could you please tell me what benefit does OSPF in this case give?
It seems to me like this makes things bit more complicated.
I need it due to having 4 upstream in 2 different PoP's to 2  
providers, with a fiber between.

OSPF does  make things more complicated/interesting though.



Could you please send your configuration?

I am not sure they are ready for public consumption... :-)
This is my first production BGP setup, and I could be absolutely wrong.
Beware, all advice from this end should be taken with absolute caution.
:-)



At this point my configuration is like this:

group peering AS3 {
   remote-as 2
   neighbor $upstream {
   descr   AS 3 peer 1
   announce self
   tcp md5sig password somepassword
   depend on carp0
   local-address 10.1.1.1 [this is carp address]
   }
}

group IBGP {
   remote-as 3
   neighbor $core1b {
   descr   core1b
   tcp md5sig password somepassword
   }
}

It's not really clear to me what I should announce between my iBGP
peers.

Upstream I announce self
iBGP I announce all

All according to the manpage of bgpd.conf:

The default value for EBGP peers is self,
 which limits the sent UPDATE messages to announcements  
of the lo-

 cal AS.  The default for IBGP peers is all.



And it's bit complicated to test it, this system currently is in
production and I don't want to mess things up.

Make a testenvironment of old junk pc's ??


/Soeren



Re: OpenBGP default route selection process

2009-05-24 Thread Justin Credible
On Sat, May 23, 2009 at 8:55 PM, Justin Credible
mista.justin.credi...@gmail.com wrote:
 On Sat, May 23, 2009 at 6:35 PM, Justin Credible
 mista.justin.credi...@gmail.com wrote:

 Hi there,

 I am running OpenBSD 4.4 with OpenBGPD and multiple peers.

 For some reason the device is selecting Level3 as the default route for
absolutely everything which is not statically set.

 On Level3 config i have set:

 set localpref 100
 softreconfig in yes
 max-prefix 100 restart 300

 For the others I have not set max-prefix.

 Also set

 nexthop qualify via bgp
 rde route-age evaluate

 and then stopped the session for Level 3 and started it again so it would
seem less stable to the decision engine since it is a newer session, it is
still the default for every single route. I even did a route flush and flushed
them all, and did a refresh from another peer, at which point all routes came
back, defaulting to Level3!

 How do i stop this from being my default route?

 The reason why is because it is not the best route most of the time. E.g.
to some parts of the US it takes 16 hops through Level3, whereas Global
Crossing will do it in 1 hop, Abovenet in 3, etc.

 Thanks!

 Ken

 If you need more examples here you go:

 # bgpctl show rib 199.185.137.3
 flags: * = Valid, > = Selected, I = via IBGP, A = Announced
 origin: i = IGP, e = EGP, ? = Incomplete
 flags destination      gateway    lpref   med aspath origin
 *>    199.185.136.0/23 64.x.x.x     200     1 3549 812 812 812 812 3602 22512 i
 *     199.185.136.0/23 212.x.x.x    100   500 3356 6453 812 3602 22512 i
 # route -n show | grep 199.185.136.0/23
 # route -n show | grep 199.185.136
 199.185.136/23 212.x.x.x UG100 -48 vlan400
 # route delete 199.185.136/23
 delete net 199.185.136/23
 # ping 199.185.137.3
 PING 199.185.137.3 (199.185.137.3): 56 data bytes
 64 bytes from 199.185.137.3: icmp_seq=0 ttl=245 time=150.000 ms
 64 bytes from 199.185.137.3: icmp_seq=1 ttl=245 time=155.865 ms
 --- 199.185.137.3 ping statistics ---
 2 packets transmitted, 2 packets received, 0.0% packet loss
 round-trip min/avg/max/std-dev = 150.000/152.932/155.865/2.958 ms
 # route -n show | grep 199.185.136
 199.185.136/23 212.x.x.x UG100 -48 vlan400
 # bgpctl show rib 199.185.137.3
 flags: * = Valid, > = Selected, I = via IBGP, A = Announced
 origin: i = IGP, e = EGP, ? = Incomplete
 flags destination      gateway    lpref   med aspath origin
 *>    199.185.136.0/23 64.x.x.x     200     1 3549 812 812 812 812 3602 22512 i
 *     199.185.136.0/23 212.x.x.x    100   500 3356 6453 812 3602 22512 i


 I've even set my config to be EXTREMELY biased against Level3 but it
 (the 212 address) still populates my routing tables:


 BGP routing table entry for 199.185.136.0/23
3549 812 812 812 812 3602 22512
Nexthop 64.x.x.x (via 212.x.x.x) from gblx-p1 (208.48.250.230)
Origin IGP, metric 1, localpref 200, external, valid, best
Last update: 00:26:45 ago
Communities: 3549:4356 3549:8013 3549:8023 3549:8043 3549:8073
 3549:8090 3549:8163 3549:8173 3549:8223 3549:8233 3549:30840
 BGP routing table entry for 199.185.136.0/23
3356 6453 812 3602 22512
Nexthop 212.x.x.x (via 212.x.x.x) from level3-p2 (4.69.187.4)
Origin IGP, metric 500, localpref 100, external, valid
Last update: 00:26:45 ago


 # traceroute -n 199.185.137.3
 traceroute to 199.185.137.3 (199.185.137.3), 64 hops max, 40 byte packets
  1  212.x.x.x  0.550 ms  0.555 ms  0.448 ms
  2  4.69.136.93  0.529 ms  0.445 ms  0.575 ms
  3  4.69.136.90  11.273 ms  17.935 ms  11.317 ms
  4  4.69.139.73  11.396 ms  11.439 ms  11.317 ms
  5  4.68.63.106  16.769 ms  17.935 ms  17.939 ms
  6  195.219.195.37  11.772 ms 195.219.83.2  11.687 ms 195.219.195.89  11.562
ms
  7  195.219.243.14  12.17 ms 195.219.195.22  164.349 ms  164.471 ms
  8  195.219.144.10  83.354 ms 195.219.144.1  12.184 ms  12.62 ms
  9  195.219.144.10  83.355 ms  83.270 ms 216.6.98.1  109.634 ms
 10  216.6.98.1  109.835 ms  109.880 ms 216.6.98.30  163.602 ms
 11  216.6.98.30  163.552 ms  163.741 ms 64.86.115.38  178.523 ms
 12  64.86.115.38  178.788 ms  179.88 ms 24.153.7.137  203.204 ms
 13  24.153.7.137  180.416 ms  210.443 ms  238.549 ms
 14  24.153.4.77  177.923 ms  178.712 ms 24.153.3.38  173.844 ms
 15  24.153.3.38  173.921 ms  174.215 ms  173.595 ms
 16  204.50.251.202  196.411 ms 207.107.204.178  177.465 ms  176.209 ms
 17  207.107.204.178  177.542 ms  177.960 ms  176.719 ms
 18  199.185.230.2  177.924 ms 199.185.137.3  177.712 ms 199.185.230.2
 176.215 ms
 # route add 199.185.137.3 64.x.x.x
 add host 199.185.137.3: gateway 64.x.x.x
 # traceroute -n 199.185.137.3
 traceroute to 199.185.137.3 (199.185.137.3), 64 hops max, 40 byte packets
  1  64.x.x.x  10.505 ms  10.427 ms  10.316 ms
  2  64.208.169.150  98.472 ms  98.635 ms  98.513 ms
  3  69.63.248.98  97.96 ms  102.9 ms  97.141 ms
  4  66.185.80.186  138.946 ms  107.131 ms  107.136 ms
  5  24.153.4.74  

Re: OpenBGP default route selection process

2009-05-24 Thread Claudio Jeker
On Sun, May 24, 2009 at 11:54:37AM -0600, Justin Credible wrote:

snip snip

 I figured this one out. This particular problem was caused because i had set:
 
 nexthop qualify via bgp
 

Why did you set this? Just for fun or was there a reason behind it.

 I don't know why that setting in particular set all of my routes to
 point at Level 3 regardless of the preferential settings against it,
 but how i got around it is simple.
 
 route add -mpath default gw1
 route add -mpath default gw2
 etc...
 
 Then change that setting to
 
 nexthop qualify via default
 

Why did you set this? Just for fun or was there a reason behind it.
If you need to use nexthop qualify via default or nexthop qualify via
bgp then you have an error in your network setup. Either you should use
an IGP (like ospfd) or have a static route to the bgp router.

 Also make sure that the metric, localpref, etc are equal on all of the
 peers (unless you want one taking up all of the routing tables). then
 do a bgpctl reload
 
 The routing tables seem to have evened out now and become more
 realistic and unbiased. There are now more routes through GBLX than
 Level3 but only a few thousand, as opposed to the previous problem of
 no dynamic routes pointing to GBLX.
 

-- 
:wq Claudio



Re: OpenBGP default route selection process

2009-05-24 Thread Justin Credible
On Sun, May 24, 2009 at 12:22 PM, Claudio Jeker
cje...@diehard.n-r-g.com wrote:
 On Sun, May 24, 2009 at 11:54:37AM -0600, Justin Credible wrote:

 snip snip

 I figured this one out. This particular problem was caused because i had set:

 nexthop qualify via bgp


 Why did you set this? Just for fun or was there a reason behind it.

It was a last resort to another problem which I was having (see thread
titled "BGP responding with wrong IP address."). I thought that if I
set this, that the correct interface would respond at the router since
it seems as though random interfaces were responding.


 I don't know why that setting in particular set all of my routes to
 point at Level 3 regardless of the preferential settings against it,
 but how i got around it is simple.

 route add -mpath default gw1
 route add -mpath default gw2
 etc...

 Then change that setting to

 nexthop qualify via default


 Why did you set this? Just for fun or was there a reason behind it.
 If you need to use nexthop qualify via default or nexthop qualify via
 bgp then you have an error in your network setup. Either you should use
 an IGP (like ospfd) or have a static route to the bgp router.

I toggled this setting to see if it would make a difference on the
routing tables. My main reason for setting preferred routes is because
BGP was selecting Level3 as default for our route to Latin America. We
implemented GBLX since there are only two or three hops to Latin
America through them, but BGP wasn't selecting them by default,
therefore i had to manually intervene. This setting seems to have
fixed that particular problem but the problem in thread BGP
responding with wrong IP address. still exists somewhat. In a way
they are related, in more ways they are not, that's why I have them as
separate threads.

I don't use OSPFD yet since I am very new to BGP. Once I master BGP I
will move on to learning about the other things which plug in to it,
rather than screwing everything up all at once (especially in a live
production environment).

Thanks!



Re: OpenBGP default route selection process

2009-05-24 Thread Stuart Henderson
On 2009-05-24, Justin Credible mista.justin.credi...@gmail.com wrote:
 On Sat, May 23, 2009 at 6:35 PM, Justin Credible
 *>    199.185.136.0/23 64.x.x.x     200     1 3549 812 812 812 812 3602 22512 i
 *     199.185.136.0/23 212.x.x.x    100   500 3356 6453 812 3602 22512 i
 # route -n show | grep 199.185.136
 199.185.136/23 212.x.x.x UG100 -48 vlan400

this is pretty weird, bgpd thinks it has installed a route to the
kernel (*) but it isn't actually there.

I've seen something a bit like this once, when I botched a router
upgrade and managed to upgrade /etc/rc.conf but not /etc/rc, which
resulted in an old copy of routed being accidentally run and
messing with the routes from the other routing daemons. (I noticed
the problems but didn't find what was causing them until I happened
to do 'route -n monitor' and noticed route changes were coming from
separate process ids, which made me look at which daemons were
running).

...


 I don't know why that setting in particular set all of my routes to
 point at Level 3 regardless of the preferential settings against it,
 but how i got around it is simple.

 route add -mpath default gw1
 route add -mpath default gw2
 etc...

 Then change that setting to

 nexthop qualify via default


 Why did you set this? Just for fun or was there a reason behind it.
 If you need to use nexthop qualify via default or nexthop qualify via
 bgp then you have an error in your network setup. Either you should use
 an IGP (like ospfd) or have a static route to the bgp router.

 I toggled this setting to see if it would make a difference on the
 routing tables. My main reason for setting preferred routes is because
 BGP was selecting Level3 as default for our route to Latin America. We
 implemented GBLX since there are only two or three hops to Latin
 America through them, but BGP wasn't selecting them by default,

BGP doesn't know about hops, only AS paths. (And in reality you can't
tell much from hops, fewer IP hops might just mean they have longer
and more complex tunnels of one sort or another).

One tool for dealing with sending certain geographic regions via a
particular transit is to have your providers tag their routes with
communities denoting the geographic origin (some do this, others don't.
see as3356 whois entry for examples of what level3 do). You can use
this, or alternatively hand-selected AS, in match rules in bgpd.conf
and adjust localpref/weight/prepend to influence outbound traffic.
Note that localpref is a sledgehammer approach; a hugely long AS path
with localpref 101 beats a very short path with localpref 100.

Influencing the route traffic takes to reach you is trickier and a
lot less direct.

 therefore i had to manually intervene. This setting seems to have
 fixed that particular problem but the problem in thread BGP
 responding with wrong IP address. still exists somewhat. In a way
 they are related, in more ways they are not, that's why I have them as
 separate threads.

Host X traceroutes through your router. If your kernel route _to_ host X
is via level3, it doesn't matter how their packets reach you, your level3-
facing interface is the one that will show up. And with the problem
you've got where kernel routes don't match the routes bgpd is trying to
use, this obviously causes the problem much of the time.
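
The point above about AS paths and localpref, as an added example that is not part of the original post and not bgpd's code. It models only the first steps of the usual BGP best-path comparison (localpref, AS path length, origin, MED between paths from the same neighbour AS); the two real paths are the ones shown for 199.185.136.0/23 in this thread, and the "constructed" paths and all names are assumptions.

```python
"""First steps of BGP best-path selection, applied to the paths from this thread."""
from dataclasses import dataclass, replace
from functools import reduce

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}   # IGP beats EGP beats incomplete


@dataclass(frozen=True)
class Path:
    peer: str
    localpref: int
    med: int
    as_path: tuple
    origin: str = "i"


def compare(a, b):
    """Return (winner, deciding_step) for two paths to the same prefix."""
    if a.localpref != b.localpref:                    # 1. highest localpref
        return (a if a.localpref > b.localpref else b), "localpref"
    if len(a.as_path) != len(b.as_path):              # 2. shortest AS path
        return (a if len(a.as_path) < len(b.as_path) else b), "as-path length"
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:  # 3. lowest origin
        return (a if ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin] else b), "origin"
    # 4. lowest MED, compared only when both paths come from the same neighbour AS
    if a.as_path[:1] == b.as_path[:1] and a.med != b.med:
        return (a if a.med < b.med else b), "med"
    return a, "tie (later steps not modelled)"


def best(paths):
    """Best path among any number of candidates."""
    return reduce(lambda x, y: compare(x, y)[0], paths)


# Paths for 199.185.136.0/23 as shown by 'bgpctl show rib' in the thread.
GBLX = Path("gblx-p1", 200, 1, (3549, 812, 812, 812, 812, 3602, 22512))
LEVEL3 = Path("level3-p2", 100, 500, (3356, 6453, 812, 3602, 22512))


def scenarios():
    """Return {scenario: (winning peer, step that decided it)}."""
    # Constructed paths for the "sledgehammer" remark: 20 hops vs 1 hop.
    long_path = Path("constructed-long", 101, 0, (64500,) * 20)
    short_path = Path("constructed-short", 100, 0, (64501,))
    cases = {
        "as configured": compare(GBLX, LEVEL3),
        "equal localpref": compare(replace(GBLX, localpref=100), LEVEL3),
        "localpref 101 vs 100": compare(long_path, short_path),
    }
    return {name: (winner.peer, step) for name, (winner, step) in cases.items()}


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome[0]} wins on {outcome[1]}")
```

With equal localpref the shorter Level3 path (5 ASes against 7) wins regardless of IP hop count, which is why the comparison never looks at traceroute-style hops.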



OpenBGP default route selection process

2009-05-23 Thread Justin Credible
Hi there,

I am running OpenBSD 4.4 with OpenBGPD and multiple peers.

For some reason the device is selecting Level3 as the default route for
absolutely everything which is not statically set.

On Level3 config i have set:

set localpref 100
softreconfig in yes
max-prefix 100 restart 300

For the others I have not set max-prefix.

Also set

nexthop qualify via bgp
rde route-age evaluate

and then stopped the session for Level 3 and started it again so it would
seem less stable to the decision engine since it is a newer session, it is
still the default for every single route. I even did a route flush and
flushed them all, and did a refresh from another peer, at which point all
routes came back, defaulting to Level3!

How do i stop this from being my default route?

The reason why is because it is not the best route most of the time. E.g. to
some parts of the US it takes 16 hops through Level3, whereas Global
Crossing will do it in 1 hop, Abovenet in 3, etc.

Thanks!

Ken



Re: OpenBGP default route selection process

2009-05-23 Thread Justin Credible
On Sat, May 23, 2009 at 6:35 PM, Justin Credible
mista.justin.credi...@gmail.com wrote:

 Hi there,

 I am running OpenBSD 4.4 with OpenBGPD and multiple peers.

 For some reason the device is selecting Level3 as the default route for
absolutely everything which is not statically set.

 On Level3 config i have set:

 set localpref 100
 softreconfig in yes
 max-prefix 100 restart 300

 For the others I have not set max-prefix.

 Also set

 nexthop qualify via bgp
 rde route-age evaluate

 and then stopped the session for Level 3 and started it again so it would
seem less stable to the decision engine since it is a newer session, it is
still the default for every single route. I even did a route flush and flushed
them all, and did a refresh from another peer, at which point all routes came
back, defaulting to Level3!

 How do I stop this from being my default route?

 The reason why is because it is not the best route most of the time. E.g. to
some parts of the US it takes 16 hops through Level3, whereas Global Crossing
will do it in 1 hop, Abovenet in 3, etc.

 Thanks!

 Ken

If you need more examples here you go:

# bgpctl show rib 199.185.137.3
flags: * = Valid, > = Selected, I = via IBGP, A = Announced
origin: i = IGP, e = EGP, ? = Incomplete
flags destination         gateway    lpref   med aspath origin
*>    199.185.136.0/23    64.x.x.x     200     1 3549 812 812 812 812 3602 22512 i
*     199.185.136.0/23    212.x.x.x    100   500 3356 6453 812 3602 22512 i
# route -n show | grep 199.185.136.0/23
# route -n show | grep 199.185.136
199.185.136/23 212.x.x.x UG100 -48 vlan400
# route delete 199.185.136/23
delete net 199.185.136/23
# ping 199.185.137.3
PING 199.185.137.3 (199.185.137.3): 56 data bytes
64 bytes from 199.185.137.3: icmp_seq=0 ttl=245 time=150.000 ms
64 bytes from 199.185.137.3: icmp_seq=1 ttl=245 time=155.865 ms
--- 199.185.137.3 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 150.000/152.932/155.865/2.958 ms
# route -n show | grep 199.185.136
199.185.136/23 212.x.x.x UG100 -48 vlan400
# bgpctl show rib 199.185.137.3
flags: * = Valid, > = Selected, I = via IBGP, A = Announced
origin: i = IGP, e = EGP, ? = Incomplete
flags destination         gateway    lpref   med aspath origin
*>    199.185.136.0/23    64.x.x.x     200     1 3549 812 812 812 812 3602 22512 i
*     199.185.136.0/23    212.x.x.x    100   500 3356 6453 812 3602 22512 i


I've even set my config to be EXTREMELY biased against Level3 but it
(the 212 address) still populates my routing tables:


BGP routing table entry for 199.185.136.0/23
3549 812 812 812 812 3602 22512
Nexthop 64.x.x.x (via 212.x.x.x) from gblx-p1 (208.48.250.230)
Origin IGP, metric 1, localpref 200, external, valid, best
Last update: 00:26:45 ago
Communities: 3549:4356 3549:8013 3549:8023 3549:8043 3549:8073
3549:8090 3549:8163 3549:8173 3549:8223 3549:8233 3549:30840
BGP routing table entry for 199.185.136.0/23
3356 6453 812 3602 22512
Nexthop 212.x.x.x (via 212.x.x.x) from level3-p2 (4.69.187.4)
Origin IGP, metric 500, localpref 100, external, valid
Last update: 00:26:45 ago


# traceroute -n 199.185.137.3
traceroute to 199.185.137.3 (199.185.137.3), 64 hops max, 40 byte packets
 1  212.x.x.x  0.550 ms  0.555 ms  0.448 ms
 2  4.69.136.93  0.529 ms  0.445 ms  0.575 ms
 3  4.69.136.90  11.273 ms  17.935 ms  11.317 ms
 4  4.69.139.73  11.396 ms  11.439 ms  11.317 ms
 5  4.68.63.106  16.769 ms  17.935 ms  17.939 ms
 6  195.219.195.37  11.772 ms 195.219.83.2  11.687 ms 195.219.195.89  11.562 ms
 7  195.219.243.14  12.17 ms 195.219.195.22  164.349 ms  164.471 ms
 8  195.219.144.10  83.354 ms 195.219.144.1  12.184 ms  12.62 ms
 9  195.219.144.10  83.355 ms  83.270 ms 216.6.98.1  109.634 ms
10  216.6.98.1  109.835 ms  109.880 ms 216.6.98.30  163.602 ms
11  216.6.98.30  163.552 ms  163.741 ms 64.86.115.38  178.523 ms
12  64.86.115.38  178.788 ms  179.88 ms 24.153.7.137  203.204 ms
13  24.153.7.137  180.416 ms  210.443 ms  238.549 ms
14  24.153.4.77  177.923 ms  178.712 ms 24.153.3.38  173.844 ms
15  24.153.3.38  173.921 ms  174.215 ms  173.595 ms
16  204.50.251.202  196.411 ms 207.107.204.178  177.465 ms  176.209 ms
17  207.107.204.178  177.542 ms  177.960 ms  176.719 ms
18  199.185.230.2  177.924 ms 199.185.137.3  177.712 ms 199.185.230.2  176.215 ms
# route add 199.185.137.3 64.x.x.x
add host 199.185.137.3: gateway 64.x.x.x
# traceroute -n 199.185.137.3
traceroute to 199.185.137.3 (199.185.137.3), 64 hops max, 40 byte packets
 1  64.x.x.x  10.505 ms  10.427 ms  10.316 ms
 2  64.208.169.150  98.472 ms  98.635 ms  98.513 ms
 3  69.63.248.98  97.96 ms  102.9 ms  97.141 ms
 4  66.185.80.186  138.946 ms  107.131 ms  107.136 ms
 5  24.153.4.74  149.191 ms  152.977 ms  159.354 ms
 6  24.153.3.34  146.816 ms  146.733 ms  146.861 ms
 7  204.50.251.141  146.942 ms  146.975 ms  146.860 ms
 8  
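
Added example (not part of the original post, and not code from OpenBGPD): a small Python parser for the detailed RIB listing pasted above, which flags a best path whose BGP nexthop is reached through a different gateway, as in the "Nexthop 64.x.x.x (via 212.x.x.x)" line. The function names are made up for this illustration; the sample text is the listing from the message, masked addresses included.

```python
import re

# Detailed RIB listing exactly as pasted in the message above; the poster
# masked the addresses, so they are handled as opaque strings here.
SAMPLE = """\
BGP routing table entry for 199.185.136.0/23
3549 812 812 812 812 3602 22512
Nexthop 64.x.x.x (via 212.x.x.x) from gblx-p1 (208.48.250.230)
Origin IGP, metric 1, localpref 200, external, valid, best
Last update: 00:26:45 ago
Communities: 3549:4356 3549:8013 3549:8023 3549:8043 3549:8073
3549:8090 3549:8163 3549:8173 3549:8223 3549:8233 3549:30840
BGP routing table entry for 199.185.136.0/23
3356 6453 812 3602 22512
Nexthop 212.x.x.x (via 212.x.x.x) from level3-p2 (4.69.187.4)
Origin IGP, metric 500, localpref 100, external, valid
Last update: 00:26:45 ago
"""

ENTRY_RE = re.compile(r"^BGP routing table entry for (\S+)$")
NEXTHOP_RE = re.compile(
    r"^Nexthop (\S+) \(via ([^)\s]+)\) from (\S+) \(([^)\s]+)\)$")
ATTR_RE = re.compile(
    r"^Origin (\w+), metric (\d+), localpref (\d+)(?:, (.*))?$")
ASPATH_RE = re.compile(r"^\d+( \d+)*$")


def parse_rib_detail(text):
    """Split the listing into one dict per path (hypothetical helper)."""
    entries, cur, want_aspath = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            cur = {"prefix": m.group(1), "aspath": [], "nexthop": None,
                   "via": None, "peer": None, "localpref": None,
                   "med": None, "flags": set()}
            entries.append(cur)
            want_aspath = True
            continue
        if cur is None or not line:
            continue
        if want_aspath:
            # The AS path is the line right after the entry header; it is
            # missing for locally originated prefixes.
            want_aspath = False
            if ASPATH_RE.match(line):
                cur["aspath"] = [int(a) for a in line.split()]
                continue
        m = NEXTHOP_RE.match(line)
        if m:
            cur["nexthop"], cur["via"], cur["peer"] = m.group(1, 2, 3)
            continue
        m = ATTR_RE.match(line)
        if m:
            cur["med"], cur["localpref"] = int(m.group(2)), int(m.group(3))
            cur["flags"] = {f.strip() for f in (m.group(4) or "").split(",")
                            if f.strip()}
    return entries


def indirect_best_paths(entries):
    """Best paths whose nexthop is resolved through a different gateway."""
    return [(e["prefix"], e["peer"], e["nexthop"], e["via"])
            for e in entries
            if "best" in e["flags"] and e["nexthop"] != e["via"]]


def forwarding_gateway(entries, prefix):
    """The 'via' address of the best path for prefix, or None.

    In the message above the kernel route for the prefix carries this
    address as its gateway, not the nexthop of the best path.
    """
    for e in entries:
        if e["prefix"] == prefix and "best" in e["flags"]:
            return e["via"]
    return None


if __name__ == "__main__":
    rib = parse_rib_detail(SAMPLE)
    for prefix, peer, nexthop, via in indirect_best_paths(rib):
        print(f"{prefix}: best path from {peer} has nexthop {nexthop} "
              f"but is forwarded via {via}")
```

For the listing in the message it reports the gblx-p1 path: the decision process prefers nexthop 64.x.x.x, while the gateway actually used is 212.x.x.x, the same one shown by route -n show.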

Re: OpenBGP: announcing network to different peers

2009-03-13 Thread Eduardo Meyer
On Fri, Mar 13, 2009 at 12:29 AM, Claudio Jeker
cje...@diehard.n-r-g.com wrote:
 On Thu, Mar 12, 2009 at 10:27:42PM -0300, Eduardo Meyer wrote:
 Hello,

 I have a /20 and I want to announce half of it to peer21 and the other
 half to peer2 only. How am  I expected to do so? Using filters?

 Can anyone please mention a working example?


 network a.b.c.d/21
 network a.b.c.e/21

 deny to peer21 prefix a.b.c.e/21
 deny to peer2 prefix a.b.c.d/21

 Something like this may work.

Very good. I believed I had to deal with some complex stuff.

I will try that right now.
Tks Claudio and Pierre.



 --
 :wq Claudio





-- 
===
Eduardo Meyer
personal: dudu.me...@gmail.com
professional: ddm.farmac...@saude.gov.br



OpenBGP: announcing network to different peers

2009-03-12 Thread Eduardo Meyer
Hello,

I have a /20 and I want to announce half of it to peer21 and the other
half to peer2 only. How am  I expected to do so? Using filters?

Can anyone please mention a working example?

-- 
===
Eduardo Meyer
personal: dudu.me...@gmail.com
professional: ddm.farmac...@saude.gov.br



Re: OpenBGP: announcing network to different peers

2009-03-12 Thread Pierre Lamy
It's really easy, you can send some of the 1's and 0s to peer 21, and 
some 1's and 0's to peer2.


Assuming the halves are contiguous, you would probably announce 2x /21's.

You could also really try and be very specific and announce them as a 
bunch of /32's, this would give you the granularity you are perhaps 
looking for.


In the end, which of the above options you select is based on your 
experience and mad skillz.


Pierre

Eduardo Meyer wrote:

Hello,

I have a /20 and I want to announce half of it to peer21 and the other
half to peer2 only. How am  I expected to do so? Using filters?

Can anyone please mention a working example?




Re: OpenBGP: announcing network to different peers

2009-03-12 Thread Claudio Jeker
On Thu, Mar 12, 2009 at 10:27:42PM -0300, Eduardo Meyer wrote:
 Hello,
 
 I have a /20 and I want to announce half of it to peer21 and the other
 half to peer2 only. How am  I expected to do so? Using filters?
 
 Can anyone please mention a working example?
 

network a.b.c.d/21
network a.b.c.e/21

deny to peer21 prefix a.b.c.e/21
deny to peer2 prefix a.b.c.d/21

Something like this may work.

-- 
:wq Claudio



Re: OpenBGP 4.3/4.4 Gotchas

2009-03-11 Thread Henning Brauer
* Dan Carley dan.car...@gmail.com [2009-02-20 14:47]:
 This behaviour was thankfully not replicated with 4.4 in the lab, so we'll
 be upgrading promptly. But we were having issues with our 4.4 peers keeping
 sessions open to each other. This was resolved with r1.13 of bgpd/timer.c.
 I'm curious though whether this will make it into the 4.4 errata as a
 reliability fix?

it is in 4.4-stable

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg  Amsterdam



OpenBGP 4.3/4.4 Gotchas

2009-02-20 Thread Dan Carley
Hi,

I've run into a couple of gotchas in the past week. This isn't so much a bug
report, because everything is fine in -current. But I hope it might serve to
save somebody some time if they stumble across it in the archives.

The first was experienced on a pair of 4.3 machines. Unlike any of our other
transit feeds, we have one provider which appears to re-advertise our own
prefixes back to our alternate routers. The routes are of course considered
invalid because they are not loop free and it hasn't caused us problems
previously. Except this week when applying an inbound filter with
softreconfig in yes and bgpctl reload. We observed all announcements
matching these re-advertised prefixes to be withdrawn from all transit peers
and not reannounced until the filter was removed.

This behaviour was thankfully not replicated with 4.4 in the lab, so we'll
be upgrading promptly. But we were having issues with our 4.4 peers keeping
sessions open to each other. This was resolved with r1.13 of bgpd/timer.c.
I'm curious though whether this will make it into the 4.4 errata as a
reliability fix?

Regards,
Dan



Re: Openbsd 4.4 and openbgp current problems

2009-02-10 Thread Insan Praja SW
On Tue, 10 Feb 2009 17:39:50 +0700, Esa Kuusisto esa.kuusi...@gmail.com  
wrote:



Hi

I have same kind of panic problems with two different openbgp routers.
All I get panic: rtfree 2 before dump. I was searching if someone else
have same kind of problem via google and you're only one. My only
question is that did you get any solution for the problem?

Best Regards
-Esa Kuusisto

Hi,
I already sent my PR, I haven't found any solution for this problem. On
S3200 it panicked, on S3000AH it froze.

Thanks,


--
insandotpraja(at)gmaildotcom



Need help with OpenBGP 4.4

2009-01-20 Thread Marc Runkel
Hello,

We've recently begun testing using OpenBSD 4.4 with OpenBGP in our datacenter.
Our initial tests have uncovered an odd issue we hope you all can help us
with.  I've included our configs and relevant information below.

The summary of our issue is this:

1.) Upon starting bgpd the session between the two routers goes to established
and updates are passed.
2.) Keepalives aren't passed beyond the first exchange.
3.) After some time, the session goes to IDLE on both routers.
4.) The session tears down if we either issue a bgpctl command (like show
summary or show neighbors) or wait 240 seconds after the initial connect.
5.) The routers then reestablish connections but they drop again.
6.) The exact same setup works fine with OpenBGP 4.3.

Here's what we've found.  If we modify session.c at line 405 (timeout = 240;
/* loop every 240s at least */) to some number lower than our holdtime, it
works.   Adding debugging code to the code after that line shows us that the
code doesn't get processed again after the initial setup unless the timeout
value is reached or some bgpctl statement is executed.

We've replicated this error in two different test environments.  The error
causes sessions to be torn down anytime a 4.4 bgpd is used. (ie 4.4 - 4.4 and
4.4 - 4.3).

Please let me know if you need any additional information from me.

Thanks so much,

Marc Runkel
Technical Operations Manager
Untangle, Inc.


The two machines in question are dcrouter1 and bgptest2:

dcrouter1:/etc/bgpd.conf

#macros
# XO Peer
XOpeer="65.46.252.33"

# global configuration
AS 21634
router-id 65.46.252.34
log updates
network 64.2.3.0/24
holdtime min 3
holdtime 90

# neighbors and peers
neighbor $XOpeer {
        remote-as       2828
        descr           "XO Upstream"
        local-address   65.46.252.34
        multihop        2
}


# filter out prefixes longer than 24 or shorter than 8 bits
deny from any
allow from any inet prefixlen 8 - 24

# do not accept a default route
deny from any prefix 0.0.0.0/0


# We're in test mode, so we gotta let the test networks in (192.168.0.0/16).

# filter bogus networks
deny from any prefix 10.0.0.0/8 prefixlen >= 8
deny from any prefix 172.16.0.0/12 prefixlen >= 12
#deny from any prefix 192.168.0.0/16 prefixlen >= 16
deny from any prefix 169.254.0.0/16 prefixlen >= 16
deny from any prefix 192.0.2.0/24 prefixlen >= 24
deny from any prefix 224.0.0.0/4 prefixlen >= 4
deny from any prefix 240.0.0.0/4 prefixlen >= 4

-- END --
dcrouter1:/etc/hostname.em0

inet 65.46.252.34 255.255.255.252 65.46.252.35 description XO WAN

-- END --
dcrouter1:/var/log/daemon.log (bgpd only)

Jan 20 11:19:51 dcrouter1 bgpd[24217]: startup
Jan 20 11:19:51 dcrouter1 bgpd[14770]: route decision engine ready
Jan 20 11:19:52 dcrouter1 bgpd[5962]: listening on 0.0.0.0
Jan 20 11:19:52 dcrouter1 bgpd[5962]: listening on ::
Jan 20 11:19:52 dcrouter1 bgpd[5962]: session engine ready
Jan 20 11:19:52 dcrouter1 bgpd[5962]: neighbor 65.46.252.33 (XO Upstream): state change None -> Idle, reason: None
Jan 20 11:19:52 dcrouter1 bgpd[5962]: neighbor 65.46.252.33 (XO Upstream): state change Idle -> Connect, reason: Start
Jan 20 11:19:52 dcrouter1 bgpd[5962]: neighbor 65.46.252.33 (XO Upstream): socket error: Connection refused
Jan 20 11:19:52 dcrouter1 bgpd[5962]: neighbor 65.46.252.33 (XO Upstream): state change Connect -> Active, reason: Connection open failed
Jan 20 11:19:56 dcrouter1 bgpd[5962]: neighbor 65.46.252.33 (XO Upstream): state change Active -> OpenSent, reason: Connection opened
Jan 20 11:19:56 dcrouter1 bgpd[5962]: neighbor 65.46.252.33 (XO Upstream): state change OpenSent -> OpenConfirm, reason: OPEN message received
Jan 20 11:19:56 dcrouter1 bgpd[5962]: neighbor 65.46.252.33 (XO Upstream): state change OpenConfirm -> Established, reason: KEEPALIVE message received
Jan 20 11:19:56 dcrouter1 bgpd[14770]: neighbor 65.46.252.33 (XO Upstream) AS2828: update 192.168.42.0/24 via 65.46.252.33
Jan 20 11:19:56 dcrouter1 bgpd[24217]: nexthop 65.46.252.33 now valid: directly connected
Jan 20 11:20:44 dcrouter1 bgpd[5962]: neighbor 65.46.252.33 (XO Upstream): received notification: HoldTimer expired, unknown subcode 0
Jan 20 11:20:44 dcrouter1 bgpd[5962]: neighbor 65.46.252.33 (XO Upstream): state change Established -> Idle, reason: NOTIFICATION received

-- END --
dcrouter1:tcpdump -vvns1500 -i em0 port 179

tcpdump: listening on em0, link-type EN10MB
11:19:52.537633 65.46.252.34.48310 > 65.46.252.33.179: S [tcp sum ok] 164215:164215(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 2322120143 0> (DF) [tos 0xc0] (ttl 2, id 23223, len 64)
11:19:52.537747 65.46.252.33.179 > 65.46.252.34.48310: R [tcp sum ok] 0:0(0) ack 164216 win 0 (DF) (ttl 64, id 40395, len 40)
11:19:56.759172 65.46.252.33.1985 > 65.46.252.34.179: S [tcp sum ok] 2516427034:2516427034(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1931362699 0> (DF) [tos 0xc0] (ttl 2
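
Added example (not part of the original post and not bgpd's session.c): a toy Python model of the behaviour described in the message above, where timers are only serviced when the poll loop wakes up. It assumes a keepalive interval of one third of the hold time and a peer that drops the session when no KEEPALIVE arrives within the hold time; the deadline-aware variant is a general event-loop technique, not a statement of what the fix in bgpd was.

```python
def first_hold_expiry(holdtime, poll_cap, deadline_aware, duration=600):
    """Simulate one session; return the second at which the peer's hold
    timer expires, or None if the session survives `duration` seconds.

    holdtime       -- negotiated hold time in seconds (the config above uses 90)
    poll_cap       -- upper bound on how long the loop sleeps (240 in the post)
    deadline_aware -- False: always sleep poll_cap, the behaviour the post
                      describes; True: sleep until the next timer is due
    """
    if holdtime < 3 or poll_cap <= 0:
        raise ValueError("holdtime must be >= 3 and poll_cap > 0")

    keepalive_every = holdtime // 3      # assumption: one third of hold time
    now = 0
    next_keepalive = keepalive_every     # when we owe the peer a KEEPALIVE
    peer_deadline = holdtime             # peer gives up if nothing arrives by then

    while now < duration:
        if deadline_aware:
            # Never sleep past the nearest pending timer.
            sleep = min(poll_cap, next_keepalive - now)
        else:
            # Timers are looked at only after the full timeout has passed
            # (no socket activity and no bgpctl request in this model).
            sleep = poll_cap
        wake = now + sleep

        if wake >= peer_deadline:
            # The peer's hold timer fired while we were still asleep.
            return peer_deadline

        now = wake
        if now >= next_keepalive:
            # KEEPALIVE goes out; the peer restarts its hold timer.
            peer_deadline = now + holdtime
            next_keepalive = now + keepalive_every
    return None


def compare(holdtime=90):
    """The cases from the post, as a dict of label -> expiry second or None."""
    return {
        "fixed 240s timeout": first_hold_expiry(holdtime, 240, False),
        "fixed timeout below holdtime": first_hold_expiry(holdtime, 80, False),
        "240s cap, deadline aware": first_hold_expiry(holdtime, 240, True),
    }


if __name__ == "__main__":
    for label, expiry in compare().items():
        state = "stays up" if expiry is None else f"hold timer expires at t={expiry}s"
        print(f"{label:30s} {state}")
```

With a fixed 240 second sleep the modelled peer times out at the hold time, a fixed sleep shorter than the hold time keeps the session up (matching the workaround in the post), and so does a loop that sleeps only until its next timer is due.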

Re: OpenBGP load balancing between 2 ISP (multihoming)

2008-10-08 Thread BARDOU Pierre
Hello,
 
I can load balance on the firewalls with pf, but the problem of that
solution is that there is no failover AFAIK.
If I lose a link between an ISP and me half of the packets will be lost.

And not losing packets is more important to me than load balancing...

--
Regards,
Pierre BARDOU
 



From: Frans Haarman [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 7 October 2008 18:54
To: BARDOU Pierre
Cc: misc@openbsd.org
Subject: Re: OpenBGP load balancing between 2 ISP (multihoming)


2008/10/7 BARDOU Pierre [EMAIL PROTECTED]


Hello,

I am trying to set up a configuration like this :

+---------+   +---------+
|  ISP1   |   |  ISP2   | Cisco
| ROUTER  |   | ROUTER  |
| AS3215  |   | AS12670 |
+---------+   +---------+
     |             |
     |             |
+---------+   +---------+
|   BGP   |   |   BGP   |
| ROUTER  |   | ROUTER  | OpenBSD 4.3
| AS47818 |   | AS45818 |
+---------+   +---------+
     |             |
     |             |
+-----------------------+
|  217.109.108.240/28   |
+-----------------------+
     |             |
     |             |
+--------+--------+-------+
|   FW   |        |  FW   |   OpenBSD 4.3
| MASTER | pfsync | SLAVE |
+--------+--------+-------+
     |             |
     |             |
+-----------------------+
|   PRIVATE NETWORKS    |
+-----------------------+

I'd like to load balance outgoing connections to the internet,
but I don't know how to configure openBGPd to do this.
I searched a lot on the Internet and I found a lot of information
on how to do this with cisco, but I have never found an openBGP
solution.
Some people speak about it but I have never seen it.

I made a test conf where failover works like a charm (using iBGP on
the FW's with 'set nexthop self' on BGP routers), but when both
connections are active only one is used.

Would it be possible to help me please ?
Is setting up iBGP sessions between FW's and BGP routers a good idea ?
Should I rather use OSPF for this ?
And in that case how to configure it to loadbalance/failover ?

Many thanks

PS : loadbalancing incoming connections too would be very nice, but
I understood it was much more difficult.

--
Regards,
Pierre BARDOU




just wondering..

What happens when you load balance your
traffic on your firewalls ? So you divide
the traffic over both bgp routers:

http://www.openbsd.org/faq/pf/pools.html

maybe you could even do the route-to 
on the bgp routers ?

something like:

route-to { ($ext_if $ext_ISP1), ($local_if $BGP2 ) } round-robin 
from $lan_net to any keep state 
#and on the other bgp router 
route-to { ($ext_if $ext_ISP2), ($local_if $BGP1 ) } round-robin 
from $lan_net to any keep state 

Beware: I have no idea if any of this is possible.
But thats what I'd try :)

Gr. FH



Re: OpenBGP load balancing between 2 ISP (multihoming)

2008-10-08 Thread BARDOU Pierre
Hello,

So the solution would be to activate multipath on FW's, and to use
ospf between BGP routers and my FW's ( I've heard somewhere that
OSPF can announce multiple defaults routes, contrary to BGP )
to ensure failover if I understand properly...

Nice idea, I'm trying to setup that on my test config.

--
Regards,
Pierre BARDOU

-----Original Message-----
From: Mariusz Makowski [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 7 October 2008 21:38
To: Frans Haarman
Cc: BARDOU Pierre; misc@openbsd.org
Subject: Re: OpenBGP load balancing between 2 ISP (multihoming)

Frans Haarman wrote:
 2008/10/7 BARDOU Pierre [EMAIL PROTECTED]

 Hello,

 I am trying to set up a configuration like this :

 +---------+   +---------+
 |  ISP1   |   |  ISP2   | Cisco
 | ROUTER  |   | ROUTER  |
 | AS3215  |   | AS12670 |
 +---------+   +---------+
      |             |
      |             |
 +---------+   +---------+
 |   BGP   |   |   BGP   |
 | ROUTER  |   | ROUTER  | OpenBSD 4.3
 | AS47818 |   | AS45818 |
 +---------+   +---------+
      |             |
      |             |
 +-----------------------+
 |  217.109.108.240/28   |
 +-----------------------+
      |             |
      |             |
 +--------+--------+-------+
 |   FW   |        |  FW   |   OpenBSD 4.3
 | MASTER | pfsync | SLAVE |
 +--------+--------+-------+
      |             |
      |             |
 +-----------------------+
 |   PRIVATE NETWORKS    |
 +-----------------------+

 I'd like to load balance outgoing connections to the internet, but I
 don't know how to configure openBGPd to do this.
 I searched a lot on the Internet and I found a lot of information on
 how to do this with cisco, but I have never found an openBGP solution.
 Some people speak about it but I have never seen it.

 I made a test conf where failover works like a charm (using iBGP on
 the FW's with 'set nexthop self' on BGP routers), but when both
 connections are active only one is used.

 Would it be possible to help me please ?
 Is setting up iBGP sessions between FW's and BGP routers a good idea ?
 Should I rather use OSPF for this ?
 And in that case how to configure it to loadbalance/failover ?

 Many thanks

 PS : loadbalancing incoming connections too would be very nice, but I
 understood it was much more difficult.

 --
 Regards,
 Pierre BARDOU



 just wondering..

 What happens when you load balance your traffic on your firewalls ? So
 you divide the traffic over both bgp routers:

 http://www.openbsd.org/faq/pf/pools.html

 maybe you could even do the route-to
 on the bgp routers ?

 something like:

 route-to { ($ext_if $ext_ISP1), ($local_if $BGP2 ) } round-robin
 from $lan_net to any keep state
 #and on the other bgp router
 route-to { ($ext_if $ext_ISP2), ($local_if $BGP1 ) } round-robin
 from $lan_net to any keep state

 Beware: I have no idea if any of this is possible.
 But thats what I'd try :)

 Gr. FH



You might want to read about http://www.openbsd.org/faq/faq6.html#Multipath,
although it's not bgp solution.
I think with default configuration you should have multipath capability.
Check if there is not localpref chosen, and check yours ISP prepends length.

Regards,
 Mariusz Makowski




Re: OpenBGP load balancing between 2 ISP (multihoming)

2008-10-08 Thread [EMAIL PROTECTED]

BARDOU Pierre wrote:

Hello,
 
I can load balance on the firewalls with pf, but the problem of that
solution is that there is no failover AFAIK.

If I lose a link between an ISP and me half of the packets will be lost.

And not losing packets is more important to me than load balancing...

--
Regards,
Pierre BARDOU


From: Frans Haarman [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 7 October 2008 18:54
To: BARDOU Pierre
Cc: misc@openbsd.org
Subject: Re: OpenBGP load balancing between 2 ISP (multihoming)


2008/10/7 BARDOU Pierre [EMAIL PROTECTED]


Hello,

I am trying to set up a configuration like this :

+---------+   +---------+
|  ISP1   |   |  ISP2   | Cisco
| ROUTER  |   | ROUTER  |
| AS3215  |   | AS12670 |
+---------+   +---------+
     |             |
     |             |
+---------+   +---------+
|   BGP   |   |   BGP   |
| ROUTER  |   | ROUTER  | OpenBSD 4.3
| AS47818 |   | AS45818 |
+---------+   +---------+
     |             |
     |             |
+-----------------------+
|  217.109.108.240/28   |
+-----------------------+
     |             |
     |             |
+--------+--------+-------+
|   FW   |        |  FW   |   OpenBSD 4.3
| MASTER | pfsync | SLAVE |
+--------+--------+-------+
     |             |
     |             |
+-----------------------+
|   PRIVATE NETWORKS    |
+-----------------------+

I'd like to load balance outgoing connections to the internet,
but I don't know how to configure openBGPd to do this.
I searched a lot on the Internet and I found a lot of information
on how to do this with cisco, but I have never found an openBGP
solution.
Some people speak about it but I have never seen it.

I made a test conf where failover works like a charm (using iBGP on
the FW's with 'set nexthop self' on BGP routers), but when both
connections are active only one is used.

Would it be possible to help me please ?
Is setting up iBGP sessions between FW's and BGP routers a good idea ?
Should I rather use OSPF for this ?
And in that case how to configure it to loadbalance/failover ?

Many thanks

PS : loadbalancing incoming connections too would be very nice, but
I understood it was much more difficult.

--
Regards,
Pierre BARDOU




just wondering..

What happens when you load balance your
traffic on your firewalls ? So you divide
the traffic over both bgp routers:

http://www.openbsd.org/faq/pf/pools.html

maybe you could even do the route-to 
on the bgp routers ?


something like:

route-to { ($ext_if $ext_ISP1), ($local_if $BGP2 ) } round-robin 
from $lan_net to any keep state 
#and on the other bgp router 
route-to { ($ext_if $ext_ISP2), ($local_if $BGP1 ) } round-robin 
from $lan_net to any keep state 


Beware: I have no idea if any of this is possible.
But thats what I'd try :)

Gr. FH



If you want to use fail-over capability of bgp, you can use prepend to 
increase length of one path. I have no experience with configuring 
openbgpd but on juniper/cisco it seems to work great.


Regards,
 Marusz



Re: OpenBGP load balancing between 2 ISP (multihoming)

2008-10-08 Thread BARDOU Pierre
 
Hello,

Failover already works with BGP on my test conf, the problem is that BGP 
only selects ONE route to a destination, so there is no load balancing.

The easiest for me would be to tell BGP to keep TWO routes to each
Destination, and use them in a round-robin way.

That's what Cisco does with BGP multipath
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094431.shtml#bgpmpath

But AFAIK there is no way to setup this with openBGP.

Am I right ?

--
Regards,
Pierre BARDOU

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 8 October 2008 09:05
To: BARDOU Pierre
Cc: Frans Haarman; misc@openbsd.org
Subject: Re: OpenBGP load balancing between 2 ISP (multihoming)

BARDOU Pierre wrote:
 Hello,
  
 I can load balance on the firewalls with pf, but the problem of that
 solution is that there is no failover AFAIK.
 If I lose a link between an ISP and me half of the packets will be lost.

 And not losing packets is more important to me than load balancing...

 --
 Regards,
 Pierre BARDOU

 From: Frans Haarman [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, 7 October 2008 18:54
 To: BARDOU Pierre
 Cc: misc@openbsd.org
 Subject: Re: OpenBGP load balancing between 2 ISP (multihoming)
 
 
 2008/10/7 BARDOU Pierre [EMAIL PROTECTED]
 
 
   Hello,
   
   I am trying to set up a configuration like this :

   +---------+   +---------+
   |  ISP1   |   |  ISP2   | Cisco
   | ROUTER  |   | ROUTER  |
   | AS3215  |   | AS12670 |
   +---------+   +---------+
        |             |
        |             |
   +---------+   +---------+
   |   BGP   |   |   BGP   |
   | ROUTER  |   | ROUTER  | OpenBSD 4.3
   | AS47818 |   | AS45818 |
   +---------+   +---------+
        |             |
        |             |
   +-----------------------+
   |  217.109.108.240/28   |
   +-----------------------+
        |             |
        |             |
   +--------+--------+-------+
   |   FW   |        |  FW   |   OpenBSD 4.3
   | MASTER | pfsync | SLAVE |
   +--------+--------+-------+
        |             |
        |             |
   +-----------------------+
   |   PRIVATE NETWORKS    |
   +-----------------------+

   I'd like to load balance outgoing connections to the internet,
   but I don't know how to configure openBGPd to do this.
   I searched a lot on the Internet and I found a lot of information
   on how to do this with cisco, but I have never found an openBGP
   solution.
   Some people speak about it but I have never seen it.

   I made a test conf where failover works like a charm (using iBGP on
   the FW's with 'set nexthop self' on BGP routers), but when both
   connections are active only one is used.

   Would it be possible to help me please ?
   Is setting up iBGP sessions between FW's and BGP routers a good idea ?
   Should I rather use OSPF for this ?
   And in that case how to configure it to loadbalance/failover ?

   Many thanks

   PS : loadbalancing incoming connections too would be very nice, but
   I understood it was much more difficult.

   --
   Regards,
   Pierre BARDOU
   
 
 
 
 just wondering..
 
 What happens when you load balance your
 traffic on your firewalls ? So you divide
 the traffic over both bgp routers:
 
 http://www.openbsd.org/faq/pf/pools.html
 
 maybe you could even do the route-to 
 on the bgp routers ?
 
 something like:
 
 route-to { ($ext_if $ext_ISP1), ($local_if $BGP2 ) } round-robin 
 from $lan_net to any keep state 
 #and on the other bgp router 
 route-to { ($ext_if $ext_ISP2), ($local_if $BGP1 ) } round-robin 
 from $lan_net to any keep state 
 
 Beware: I have no idea if any of this is possible.
 But thats what I'd try :)
 
 Gr. FH
 

If you want to use fail-over capability of bgp, you can use prepend to 
increase length of one path. I have no experience with configuring 
openbgpd but on juniper/cisco it seems to work great.

Regards,
  Marusz


Re: OpenBGP load balancing between 2 ISP (multihoming)

2008-10-08 Thread BARDOU Pierre
Hello,

I set up net.inet.ip.multipath to 1
I configured OSPF on the BGP routers to 'redistribute default' to FW's.

'ospfctl show rib' on FW's shows that they have two defaults routes,
But 'ospfctl show fib' shows that only one is active.

Besides a 'dirty' solution with ifstated which inserts multipath routes,
and withdraw them when one link/router fails, I am running out of ideas...

Someone has one ?

Thanks

--
Regards,
Pierre BARDOU

-----Original Message-----
From: Mariusz Makowski [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 7 October 2008 21:38
To: Frans Haarman
Cc: BARDOU Pierre; misc@openbsd.org
Subject: Re: OpenBGP load balancing between 2 ISP (multihoming)

Frans Haarman wrote:
 2008/10/7 BARDOU Pierre [EMAIL PROTECTED]
 
 Hello,

 I am trying to set up a configuration like this :

 +---------+   +---------+
 |  ISP1   |   |  ISP2   | Cisco
 | ROUTER  |   | ROUTER  |
 | AS3215  |   | AS12670 |
 +---------+   +---------+
      |             |
      |             |
 +---------+   +---------+
 |   BGP   |   |   BGP   |
 | ROUTER  |   | ROUTER  | OpenBSD 4.3
 | AS47818 |   | AS45818 |
 +---------+   +---------+
      |             |
      |             |
 +-----------------------+
 |  217.109.108.240/28   |
 +-----------------------+
      |             |
      |             |
 +--------+--------+-------+
 |   FW   |        |  FW   |   OpenBSD 4.3
 | MASTER | pfsync | SLAVE |
 +--------+--------+-------+
      |             |
      |             |
 +-----------------------+
 |   PRIVATE NETWORKS    |
 +-----------------------+

 I'd like to load balance outgoing connections to the internet, but I
 don't know how to configure openBGPd to do this.
 I searched a lot on the Internet and I found a lot of information on
 how to do this with cisco, but I have never found an openBGP solution.
 Some people speak about it but I have never seen it.

 I made a test conf where failover works like a charm (using iBGP on
 the FW's with 'set nexthop self' on BGP routers), but when both
 connections are active only one is used.

 Would it be possible to help me please ?
 Is setting up iBGP sessions between FW's and BGP routers a good idea ?
 Should I rather use OSPF for this ?
 And in that case how to configure it to loadbalance/failover ?

 Many thanks

 PS : loadbalancing incoming connections too would be very nice, but I
 understood it was much more difficult.

 --
 Regards,
 Pierre BARDOU

 
 
 just wondering..
 
 What happens when you load balance your traffic on your firewalls ? So 
 you divide the traffic over both bgp routers:
 
 http://www.openbsd.org/faq/pf/pools.html
 
 maybe you could even do the route-to
 on the bgp routers ?
 
 something like:
 
 route-to { ($ext_if $ext_ISP1), ($local_if $BGP2 ) } round-robin
 from $lan_net to any keep state
 #and on the other bgp router
 route-to { ($ext_if $ext_ISP2), ($local_if $BGP1 ) } round-robin
 from $lan_net to any keep state
 
 Beware: I have no idea if any of this is possible.
 But thats what I'd try :)
 
 Gr. FH
 
 

You might want to read about http://www.openbsd.org/faq/faq6.html#Multipath,
although it's not bgp solution.
I think with default configuration you should have multipath capability.
Check if there is not localpref chosen, and check yours ISP prepends length.

Regards,
 Mariusz Makowski


Re: OpenBGP load balancing between 2 ISP (multihoming)

2008-10-08 Thread Stuart Henderson
On 2008-10-08, BARDOU Pierre [EMAIL PROTECTED] wrote:
 This is a multi-part message in MIME format.

 --=_NextPart_000_00C3_01C92936.6DEF4560
 Content-Type: multipart/mixed;
   boundary==_NextPart_001_00C4_01C92936.6DEF4560


 --=_NextPart_001_00C4_01C92936.6DEF4560
 Content-Type: text/plain;
   charset=iso-8859-1
 Content-Transfer-Encoding: quoted-printable

Ugh, I thought the list server stripped these. Did something change?

 The problem is that if the ISP router fails, my corresponding BGP=20
 router is still up and running, and so keeps the CARP master,=20
 which makes him a black hole :(

I don't think I'd do it like this (either preferring OSPF running
on BGP speakers to distribute default routes, or iBGP to avoid
handing traffic to one router only to hand it straight to the other
one). But it can be done, look at demote.



Re: OpenBGP load balancing between 2 ISP (multihoming)

2008-10-08 Thread Stuart Henderson
On 2008-10-08, Stuart Henderson [EMAIL PROTECTED] wrote:
 On 2008-10-08, BARDOU Pierre [EMAIL PROTECTED] wrote:
 This is a multi-part message in MIME format.

 --=_NextPart_000_00C3_01C92936.6DEF4560
 Content-Type: multipart/mixed;
  boundary==_NextPart_001_00C4_01C92936.6DEF4560


 --=_NextPart_001_00C4_01C92936.6DEF4560
 Content-Type: text/plain;
  charset=iso-8859-1
 Content-Transfer-Encoding: quoted-printable

 Ugh, I thought the list server stripped these. Did something change?

 The problem is that if the ISP router fails, my corresponding BGP=20
 router is still up and running, and so keeps the CARP master,=20
 which makes him a black hole :(

 I don't think I'd do it like this (either preferring OSPF running
 on BGP speakers to distribute default routes, or iBGP to avoid
 handing traffic to one router only to hand it straight to the other
 one). But it can be done, look at demote.



Oh, in case it wasn't clear, you also need to write the bgpd.conf
parts to handle route selection. As Claudio says, just the standard
traffic engineering methods. Investigate localpref, prepend-neighbor,
weights, etc. There is no magic balance my traffic button.
See http://quigon.bsws.de/papers/epf2006/mgp00012.html.

As you hopefully know, balancing incoming traffic is a different
matter. Return packets do not automatically come in via the ISP
where you sent the associated outbound packets. For this, look
at prepends and whether your upstreams give you any finer
control over traffic-engineering via communities (for an
example of what some providers let you do, see e.g. whois
-r as3356, in the Communities accepted from customers section).

If you are learning this whole area, you have some reading to
do. Plenty of information is available online and in print.
Much of it is aimed at cisco users and you'll need to read
between the lines for any !cisco, but the basic information
and techniques are generally applicable.



Re: OpenBGP load balancing between 2 ISP (multihoming)

2008-10-08 Thread Claudio Jeker
On Wed, Oct 08, 2008 at 09:14:02AM +0200, BARDOU Pierre wrote:
  
 Hello,
 
 Failover already works with BGP on my test conf, the problem is that BGP 
 only selects ONE route to a destination, so there is no load balancing.
 

There is loadbalancing insofar that if you have two independent upstreams
you get two different views of the internet and you should be able to
split the 250k IPv4 routes into two sets that will result in equal use of
both links.  This is the usual traffic engineering done on BGP with the
help of match filters that change the localpref based on communities, AS
paths or whatever you like.

 The easiest for me would be to tell BGP to keep TWO routes to each
 Destination, and use them in a round-robin way.
 
 That's what Cisco does with BGP multipath
 http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094431.shtml#bgpmpath
 

This will not work as you expect. In your setup case with two independent
upstreams only one upstream will be selected.

From the document:
In order to be candidates for multipath, paths to the same destination
need to have these characteristics equal to the best-path characteristics:
  * Weight
  * Local preference
  * AS-PATH length
  * Origin
  * MED
  * One of these:
      o Neighboring AS or sub-AS (before the addition of the eiBGP
        Multipath feature)
      o AS-PATH (after the addition of the eiBGP Multipath feature)

In your case neither the Neighboring AS nor the AS-PATH will be the same.
This is the main reason why I never spent time to allow multipath
selection in bgpd. It will only work in very few setups.

-- 
:wq Claudio
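
The eligibility list quoted in the message above and the localpref approach it describes, as an added Python model (not code from the thread, from Cisco or from OpenBGPD). AS 3215 and AS 12670 are the two upstreams from the thread's diagram; the prefixes, the 645xx AS numbers and all function names are constructed for illustration, and only the attributes named in the quoted list are compared.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}  # lower is preferred


@dataclass(frozen=True)
class Path:
    """One path to a prefix, reduced to the attributes in the quoted list."""
    as_path: Tuple[int, ...]   # leftmost entry is the neighboring AS
    weight: int = 0
    local_pref: int = 100
    origin: str = "igp"
    med: int = 0

    @property
    def neighbor_as(self) -> int:
        return self.as_path[0]


def multipath_blockers(best: Path, other: Path,
                       eibgp_multipath: bool = False) -> List[str]:
    """Attributes that stop `other` from sharing load with `best`.

    An empty list means `other` is a multipath candidate.
    """
    blockers = []
    if other.weight != best.weight:
        blockers.append("weight")
    if other.local_pref != best.local_pref:
        blockers.append("local-preference")
    if len(other.as_path) != len(best.as_path):
        blockers.append("as-path-length")
    if other.origin != best.origin:
        blockers.append("origin")
    if other.med != best.med:
        blockers.append("med")
    # Last list item: the rule depends on whether eiBGP multipath is present.
    if eibgp_multipath:
        if other.as_path != best.as_path:
            blockers.append("as-path")
    elif other.neighbor_as != best.neighbor_as:
        blockers.append("neighboring-as")
    return blockers


def best_path(paths: List[Path]) -> Path:
    """Pick one path using only the attributes above (a real decision
    process has further tie-breakers that this model leaves out)."""
    return min(paths, key=lambda p: (-p.weight, -p.local_pref,
                                     len(p.as_path), ORIGIN_RANK[p.origin],
                                     p.med))


def raise_localpref(rib: Dict[str, List[Path]], neighbor_as: int,
                    transit_as: int, local_pref: int = 200):
    """Model of a match filter: paths learned from `neighbor_as` whose
    AS path contains `transit_as` get a higher local-preference."""
    return {
        prefix: [replace(p, local_pref=local_pref)
                 if p.neighbor_as == neighbor_as and transit_as in p.as_path
                 else p
                 for p in paths]
        for prefix, paths in rib.items()
    }


def egress_by_prefix(rib: Dict[str, List[Path]]) -> Dict[str, int]:
    """Neighboring AS that each prefix's single best path leaves through."""
    return {prefix: best_path(paths).neighbor_as
            for prefix, paths in rib.items()}


# Constructed sample data: same destination AS seen through each upstream,
# and through a second link to the same upstream.
VIA_ISP1 = Path(as_path=(3215, 64500))
VIA_ISP2 = Path(as_path=(12670, 64500))
VIA_ISP1_SECOND_LINK = Path(as_path=(3215, 64500))

# Constructed table of three documentation prefixes, two paths each.
RIB = {
    "192.0.2.0/24": [Path((3215, 64500)), Path((12670, 64496, 64500))],
    "198.51.100.0/24": [Path((3215, 64501)), Path((12670, 64497, 64501))],
    "203.0.113.0/24": [Path((3215, 64498, 64502)), Path((12670, 64502))],
}

if __name__ == "__main__":
    print("two upstreams:", multipath_blockers(VIA_ISP1, VIA_ISP2))
    print("same upstream:", multipath_blockers(VIA_ISP1, VIA_ISP1_SECOND_LINK))
    print("before:", egress_by_prefix(RIB))
    print("after: ", egress_by_prefix(raise_localpref(RIB, 12670, 64497)))
```

With two different upstreams the last list item always blocks multipath, while raising local-preference on a subset of paths moves those prefixes to the other link.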



Re: OpenBGP load balancing between 2 ISP (multihoming)

2008-10-08 Thread Frans Haarman
ospf and bgp are designed to select the best possible route and
add that to the kernel routing table I think ;)

I still think you could run 2 CARPs on both BGP routers and
load balance on your firewalls. It means if one BGP router
fails you will be load balancing your connections to the
same BGP router..




2008/10/8 BARDOU Pierre [EMAIL PROTECTED]

 Hello,

 I set up net.inet.ip.multipath to 1
 I configured OSPF on the BGP routers to 'redistribute default' to FW's.

 'ospfctl show rib' on FW's shows that they have two default routes,
 But 'ospfctl show fib' shows that only one is active.

 Besides a 'dirty' solution with ifstated which inserts multipath routes,
 and withdraw them when one link/router fails, I am running out of ideas...

 Someone has one ?

 Thanks

 --
 Regards,
 Pierre BARDOU

 -----Original Message-----
 From: Mariusz Makowski [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, 7 October 2008 21:38
 To: Frans Haarman
 Cc: BARDOU Pierre; misc@openbsd.org
 Subject: Re: OpenBGP load balancing between 2 ISP (multihoming)

 Frans Haarman wrote:
  2008/10/7 BARDOU Pierre [EMAIL PROTECTED]
 
  Hello,
 
  I am trying to set up a configuration like this :

  +---------+   +---------+
  |  ISP1   |   |  ISP2   | Cisco
  | ROUTER  |   | ROUTER  |
  | AS3215  |   | AS12670 |
  +---------+   +---------+
       |             |
       |             |
  +---------+   +---------+
  |   BGP   |   |   BGP   |
  | ROUTER  |   | ROUTER  | OpenBSD 4.3
  | AS47818 |   | AS45818 |
  +---------+   +---------+
       |             |
       |             |
  +-------------------------+
  |   217.109.108.240/28    |
  +-------------------------+
       |             |
       |             |
  +--------+--------+-------+
  |   FW   |--------|  FW   |   OpenBSD 4.3
  | MASTER | pfsync | SLAVE |
  +--------+--------+-------+
       |             |
       |             |
  +-------------------------+
  |    PRIVATE NETWORKS     |
  +-------------------------+

  I'd like to load balance outgoing connections to the internet, but I
  don't know how to configure openBGPd to do this.
  I searched a lot on the Internet and I found a lot of information on
  how to do this with cisco, but I have never found an openBGP solution.
  Some people speak about it but I have never seen it.

  I made a test conf where failover works like a charm (using iBGP on
  the FW's with 'set nexthop self' on BGP routers), but when both
  connections are active only one is used.

  Would it be possible to help me please ?
  Is setting up iBGP sessions between FW's and BGP routers a good idea ?
  Should I rather use OSPF for this ?
  And in that case how to configure it to loadbalance/failover ?
 
  Many thanks
 
  PS : loadbalancing incoming connections too would be very nice, but I
  understood it was much more difficult.
 
  --
  Regards,
  Pierre BARDOU
 
 
 
  just wondering..
 
  What happens when you load balance your traffic on your firewalls ? So
  you divide the traffic over both bgp routers:

  http://www.openbsd.org/faq/pf/pools.html

  maybe you could even do the route-to
  on the bgp routers ?

  something like:

  route-to { ($ext_if $ext_ISP1), ($local_if $BGP2 ) } round-robin
  from $lan_net to any keep state
  #and on the other bgp router
  route-to { ($ext_if $ext_ISP2), ($local_if $BGP1 ) } round-robin
  from $lan_net to any keep state

  Beware: I have no idea if any of this is possible.
  But that's what I'd try :)
 
  Gr. FH
 
 

 You might want to read about
 http://www.openbsd.org/faq/faq6.html#Multipath,
 although it's not bgp solution.
 I think with default configuration you should have multipath capability.
 Check if there is not localpref chosen, and check your ISP's prepend
 length.

 Regards,
  Mariusz Makowski



Re: OpenBGP load balancing between 2 ISP (multihoming)

2008-10-08 Thread BARDOU Pierre
The problem is that if the ISP router fails, my corresponding BGP 
router is still up and running, and so keeps the CARP master, 
which makes him a black hole :(
 
--
Regards,
Pierre BARDOU
 



From: Frans Haarman [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 8 October 2008 10:56
To: BARDOU Pierre
Cc: misc@openbsd.org
Subject: Re: OpenBGP load balancing between 2 ISP (multihoming)


ospf and bgp are designed to select the best possible route and
add that to the kernel routing table I think ;)

I still think you could run 2 CARPs on both BGP routers and
load balance on your firewalls. It means if one BGP router
fails you will be load balancing your connections to the
same BGP router..




2008/10/8 BARDOU Pierre [EMAIL PROTECTED]


Hello,

I set up net.inet.ip.multipath to 1
I configured OSPF on the BGP routers to 'redistribute default' to FW's.

'ospfctl show rib' on FW's shows that they have two default routes,
But 'ospfctl show fib' shows that only one is active.

Besides a 'dirty' solution with ifstated which inserts multipath routes,
and withdraw them when one link/router fails, I am running out of ideas...

Someone has one ?

Thanks


--
Regards,
Pierre BARDOU

-----Original Message-----
From: Mariusz Makowski [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 7 October 2008 21:38
To: Frans Haarman
Cc: BARDOU Pierre; misc@openbsd.org
Subject: Re: OpenBGP load balancing between 2 ISP (multihoming)


Frans Haarman wrote:
 2008/10/7 BARDOU Pierre [EMAIL PROTECTED]

 Hello,

 I am trying to set up a configuration like this :

 +---------+   +---------+
 |  ISP1   |   |  ISP2   | Cisco
 | ROUTER  |   | ROUTER  |
 | AS3215  |   | AS12670 |
 +---------+   +---------+
      |             |
      |             |
 +---------+   +---------+
 |   BGP   |   |   BGP   |
 | ROUTER  |   | ROUTER  | OpenBSD 4.3
 | AS47818 |   | AS45818 |
 +---------+   +---------+
      |             |
      |             |
 +-------------------------+
 |   217.109.108.240/28    |
 +-------------------------+
      |             |
      |             |
 +--------+--------+-------+
 |   FW   |--------|  FW   |   OpenBSD 4.3
 | MASTER | pfsync | SLAVE |
 +--------+--------+-------+
      |             |
      |             |
 +-------------------------+
 |    PRIVATE NETWORKS     |
 +-------------------------+

 I'd like to load balance outgoing connections to the internet, but I
 don't know how to configure openBGPd to do this.
 I searched a lot on the Internet and I found a lot of information on
 how to do this with cisco, but I have never found an openBGP solution.
 Some people speak about it but I have never seen it.

 I made a test conf where failover works like a charm (using iBGP on
 the FW's with 'set nexthop self' on BGP routers), but when both
 connections are active only one is used.

 Would it be possible to help me please ?
 Is setting up iBGP sessions between FW's and BGP routers a good idea ?
 Should I rather use OSPF for this ?
 And in that case how to configure it to loadbalance/failover ?

 Many thanks

 PS : loadbalancing incoming connections too would be very nice, but I
 understood it was much more difficult.

 --
 Regards,
 Pierre BARDOU



 just wondering..

 What happens when you load balance your traffic on your firewalls ? So
 you divide the traffic over both bgp routers:

 http://www.openbsd.org/faq/pf/pools.html

 maybe you could even do the route-to
 on the bgp routers ?

 something like:

 route-to { ($ext_if $ext_ISP1), ($local_if $BGP2 ) } round-robin
 from $lan_net to any keep state
 #and on the other bgp router
 route-to { ($ext_if $ext_ISP2), ($local_if $BGP1 ) } round-robin
 from $lan_net to any keep

Re: OpenBGP load balancing between 2 ISP (multihoming)

2008-10-08 Thread Simon Slaytor

Hi,

First off let's clear up two things:

OSPF is an igp protocol, you would use it to share routes between your 
own routers, not a transit provider's.
iBGP is again an igp, this time BGP will automatically talk iBGP when 
talking to routers within the same AS. Your BGP sessions will 
automatically talk eBGP to your transits.


Ok so let's look at the way it will need to work, BGP works by 
propagating the routes you announce to your upstream 'transit' peers, 
via eBGP. In turn these transit providers announce your routes to the 
larger internet. Remote AS's will choose a path back to you based on 
several factors inc. AS path length,  local preference, weighting etc.


You can control to some extent the provider your inbound traffic arrives 
on by padding your announcement to one provider over another, outbound 
traffic is much easier as you can use various methods of setting local 
preferences based on inbound communities etc.


Now this is all great in theory however to do this with two providers 
you will need your OWN AS, this is necessary as the transit will simply 
filter out any private AS's (65xxx).


You will also need your own reasonably large IP allocation. From your 
diagram I see you are using a /28 how did you come by this? If this was 
given to you by a provider e.g. ISP1 they will already be announcing 
this as part of a summarised route to their transits, as such they 
probably won't let you re-announce their allocation to ISP2. Even if 
this IP space has been allocated to you, e.g. by RIPE, many transit 
providers are now filtering out smaller routes such as /24 routes, let 
alone /28, in an effort to keep their routing tables to a minimum. See 
below, we're now at about 260k routes! So in this case even if ISP1 & 2 
retransmit your routes their upstreams will filter you out so you won't 
get connectivity.


Now I'm no BGP expert by any means so please forgive me if any of this 
is wrong or misleading.


Out of pure 'play' factor I do maintain a BGP peering session with one 
of my ISP's from a OpenBSD 4.3 box, I usually use Cisco so wanted to 
play OpenBGP.


# bgpctl sh sum
Neighbor       AS    MsgRcvd    MsgSent  OutQ  Up/Down   State/PrfRcvd
MT Peering  13122     183343       3245     0  2d06h03m  263451
#

I would suggest your best bet is to follow the good advice of others and 
look at the multi homed solutions suggested.


Hope that helps

Simon





BARDOU Pierre wrote:

Hello,
 
I am trying to set up a configuration like this :

 +---------+   +---------+
 |  ISP1   |   |  ISP2   | Cisco
 | ROUTER  |   | ROUTER  |
 | AS3215  |   | AS12670 |
 +---------+   +---------+
      |             |
      |             |
 +---------+   +---------+
 |   BGP   |   |   BGP   |
 | ROUTER  |   | ROUTER  | OpenBSD 4.3
 | AS47818 |   | AS45818 |
 +---------+   +---------+
      |             |
      |             |
 +-------------------------+
 |   217.109.108.240/28    |
 +-------------------------+
      |             |
      |             |
 +--------+--------+-------+
 |   FW   |--------|  FW   |   OpenBSD 4.3
 | MASTER | pfsync | SLAVE |
 +--------+--------+-------+
      |             |
      |             |
 +-------------------------+
 |    PRIVATE NETWORKS     |
 +-------------------------+

I'd like to load balance outgoing connections to the internet,
but I don't know how to configure openBGPd to do this.
I searched a lot on the Internet and I found a lot of information
on how to do this with cisco, but I have never found an openBGP solution.
Some people speak about it but I have never seen it.

I made a test conf where failover works like a charm (using iBGP on the
FW's with 'set nexthop self' on BGP routers), but when both connections
are active only one is used.

Would it be possible to help me please ?
Is setting up iBGP sessions between FW's and BGP routers a good idea ?
Should I rather use OSPF for this ?
And in that case how to configure it to loadbalance/failover ?

Many thanks

PS : loadbalancing incoming connections too would be very nice, but I 
understood it was much more difficult.


--
Regards,
Pierre BARDOU




Re: OpenBGP load balancing between 2 ISP (multihoming)

2008-10-08 Thread Simon Slaytor
One way to do this is to have both client fw/routers running in their 
own right, i.e. no carp failover.


Each router peers with one of the ISP routers via eBGP and then peers 
with its partner via iBGP.

On each router use the 'weight' option to make each router believe its 
learned routes are the best.

Each router will now install its best route in the kernel routing table 
and believing it has the best route will also redistribute its routes 
to the iBGP partner.

The result each router will have two routes to any network in its BGP 
table, one via its eBGP which it regards as 'best' and another with a 
higher weight via its partner router.


It's also important to tune the BGP dead timers as low as you can so 
that if a link is lost to an upstream BGP session is cleared as soon as 
possible minimizing the amount of black holed traffic. Once the BGP 
session is down the alternate route learned from the partner router will 
be used to replace the failed route in the actual routing table.


To control which route is used for outbound traffic CARP can be setup on 
the 'internal' interfaces. Whichever router is the master will be used 
as the egress point for the network. Padding the announcement to the 
secondary provider could also help with controlling incoming traffic, 
although in my experience the results are mixed.


Now I've never tried it on OpenBGP but on Cisco this works like a charm.

e.g.

[ISP1]           [ISP2]
   |                |
 ebgp             ebgp
   |                |
[PRIV1]---iBGP---[PRIV2]
   |                |
   M                S
   |                |
   --------|---------

All traffic would flow out of PRIV1 / ISP1, if PRIV1 or ISP1 failed 
traffic would flow out of PRIV2 / ISP2.






BARDOU Pierre wrote:
 
Hello,


Failover already works with BGP on my test conf, the problem is that BGP 
only selects ONE route to a destination, so there is no load balancing.


The easiest for me would be to tell BGP to keep TWO routes to each
Destination, and use them in a round-robin way.

That's what Cisco does with BGP multipath
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094431.shtml#bgpmpath

But AFAIK there is no way to setup this with openBGP.

Am I right ?

--
Regards,
Pierre BARDOU

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 8 October 2008 09:05
To: BARDOU Pierre
Cc: Frans Haarman; misc@openbsd.org
Subject: Re: OpenBGP load balancing between 2 ISP (multihoming)

BARDOU Pierre wrote:
  

Hello,
 
I can load balance on the firewalls with pf , but the problem of that 
Solution is that there is no failover AFAIK.

If I lose a link between an ISP and me half of the packets will be lost.

And not losing packets is more important to me than load balancing...
 
--

Regards,
Pierre BARDOU
 




From: Frans Haarman [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 7 October 2008 18:54
To: BARDOU Pierre
Cc: misc@openbsd.org
Subject: Re: OpenBGP load balancing between 2 ISP (multihoming)



2008/10/7 BARDOU Pierre [EMAIL PROTECTED]


Hello,

I am trying to set up a configuration like this :

+---------+   +---------+
|  ISP1   |   |  ISP2   | Cisco
| ROUTER  |   | ROUTER  |
| AS3215  |   | AS12670 |
+---------+   +---------+
     |             |
     |             |
+---------+   +---------+
|   BGP   |   |   BGP   |
| ROUTER  |   | ROUTER  | OpenBSD 4.3
| AS47818 |   | AS45818 |
+---------+   +---------+
     |             |
     |             |
+-------------------------+
|   217.109.108.240/28    |
+-------------------------+
     |             |
     |             |
+--------+--------+-------+
|   FW   |--------|  FW   |   OpenBSD 4.3
| MASTER | pfsync | SLAVE |
+--------+--------+-------+
     |             |
     |             |
+-------------------------+
|    PRIVATE NETWORKS     |
+-------------------------+

I'd like to load balance outgoing connections to the internet,
but I don't know how to configure openBGPd to do this.
I searched a lot on the Internet and I found a lot of information
on how to do this with cisco, but I have never found an openBGP
solution.
Some people speak about it but I have never seen it.

I made a test conf where

Re: OpenBGP load balancing between 2 ISP (multihoming)

2008-10-08 Thread Stuart Henderson
On 2008-10-08, Simon Slaytor [EMAIL PROTECTED] wrote:

 It's also important to tune the BGP dead timers as low as you can

if you do this, do it with care, it's a double-edged sword.

sure you pick up a dead session sooner, but, it greatly increases
the chance of killing a session when your or more likely your peer's
routers are working ok, forwarding ok, but a bit busy to handle
control plane traffic in a timely fashion.

when that happens, dropping the session and forcing them to feed
you full table is about the last thing you want to do...



Re: ham,Re: OpenBGP load balancing between 2 ISP (multihoming)

2008-10-08 Thread Simon Slaytor

True, although in this scenario would soft reconfig not be an answer?

As each router has two copies of the full table, one via the eBGP peer 
and another from the iBGP peer. If the eBGP peer dropped all the iBGP 
learned routes would remain and be used. When the eBGP peer came back up 
soft reconfig would allow for a seamless move back to the preferred peer?


Ideally what is needed is BFD to detect the link failure between the 
host and the external peer, that way the BGP timers could be set to 
something more conservative. Also some means of reliable flap control 
would be good to save restoring a session to an unreliable host.


Good point well taken though.

Stuart Henderson wrote:

On 2008-10-08, Simon Slaytor [EMAIL PROTECTED] wrote:
  

It's also important to tune the BGP dead timers as low as you can



if you do this, do it with care, it's a double-edged sword.

sure you pick up a dead session sooner, but, it greatly increases
the chance of killing a session when your or more likely your peer's
routers are working ok, forwarding ok, but a bit busy to handle
control plane traffic in a timely fashion.

when that happens, dropping the session and forcing them to feed
you full table is about the last thing you want to do...


.




OpenBGP load balancing between 2 ISP (multihoming)

2008-10-07 Thread BARDOU Pierre
Hello,
 
I am trying to set up a configuration like this :

 +---------+   +---------+
 |  ISP1   |   |  ISP2   | Cisco
 | ROUTER  |   | ROUTER  |
 | AS3215  |   | AS12670 |
 +---------+   +---------+
      |             |
      |             |
 +---------+   +---------+
 |   BGP   |   |   BGP   |
 | ROUTER  |   | ROUTER  | OpenBSD 4.3
 | AS47818 |   | AS45818 |
 +---------+   +---------+
      |             |
      |             |
 +-------------------------+
 |   217.109.108.240/28    |
 +-------------------------+
      |             |
      |             |
 +--------+--------+-------+
 |   FW   |--------|  FW   |   OpenBSD 4.3
 | MASTER | pfsync | SLAVE |
 +--------+--------+-------+
      |             |
      |             |
 +-------------------------+
 |    PRIVATE NETWORKS     |
 +-------------------------+

I'd like to load balance outgoing connections to the internet,
but I don't know how to configure openBGPd to do this.
I searched a lot on the Internet and I found a lot of information
on how to do this with cisco, but I have never found an openBGP solution.
Some people speak about it but I have never seen it.

I made a test conf where failover works like a charm (using iBGP on the
FW's with 'set nexthop self' on BGP routers), but when both connections
are active only one is used.

Would it be possible to help me please ?
Is setting up iBGP sessions between FW's and BGP routers a good idea ?
Should I rather use OSPF for this ?
And in that case how to configure it to loadbalance/failover ?

Many thanks

PS : loadbalancing incoming connections too would be very nice, but I 
understood it was much more difficult.

--
Regards,
Pierre BARDOU


Re: OpenBGP load balancing between 2 ISP (multihoming)

2008-10-07 Thread Frans Haarman
2008/10/7 BARDOU Pierre [EMAIL PROTECTED]

 Hello,

 I am trying to set up a configuration like this :

 +---------+   +---------+
 |  ISP1   |   |  ISP2   | Cisco
 | ROUTER  |   | ROUTER  |
 | AS3215  |   | AS12670 |
 +---------+   +---------+
      |             |
      |             |
 +---------+   +---------+
 |   BGP   |   |   BGP   |
 | ROUTER  |   | ROUTER  | OpenBSD 4.3
 | AS47818 |   | AS45818 |
 +---------+   +---------+
      |             |
      |             |
 +-------------------------+
 |   217.109.108.240/28    |
 +-------------------------+
      |             |
      |             |
 +--------+--------+-------+
 |   FW   |--------|  FW   |   OpenBSD 4.3
 | MASTER | pfsync | SLAVE |
 +--------+--------+-------+
      |             |
      |             |
 +-------------------------+
 |    PRIVATE NETWORKS     |
 +-------------------------+

 I'd like to load balance outgoing connections to the internet,
 but I don't know how to configure openBGPd to do this.
 I searched a lot on the Internet and I found a lot of information
 on how to do this with cisco, but I have never found an openBGP solution.
 Some people speak about it but I have never seen it.

 I made a test conf where failover works like a charm (using iBGP on the
 FW's with 'set nexthop self' on BGP routers), but when both connections
 are active only one is used.

 Would it be possible to help me please ?
 Is setting up iBGP sessions between FW's and BGP routers a good idea ?
 Should I rather use OSPF for this ?
 And in that case how to configure it to loadbalance/failover ?

 Many thanks

 PS : loadbalancing incoming connections too would be very nice, but I
 understood it was much more difficult.

 --
 Regards,
 Pierre BARDOU



just wondering..

What happens when you load balance your
traffic on your firewalls ? So you divide
the traffic over both bgp routers:

http://www.openbsd.org/faq/pf/pools.html

maybe you could even do the route-to
on the bgp routers ?

something like:

route-to { ($ext_if $ext_ISP1), ($local_if $BGP2 ) } round-robin
from $lan_net to any keep state
#and on the other bgp router
route-to { ($ext_if $ext_ISP2), ($local_if $BGP1 ) } round-robin
from $lan_net to any keep state

Beware: I have no idea if any of this is possible.
But that's what I'd try :)

Gr. FH



Re: OpenBGP load balancing between 2 ISP (multihoming)

2008-10-07 Thread Mariusz Makowski

Frans Haarman wrote:

2008/10/7 BARDOU Pierre [EMAIL PROTECTED]


Hello,

I am trying to set up a configuration like this :

+---------+   +---------+
|  ISP1   |   |  ISP2   | Cisco
| ROUTER  |   | ROUTER  |
| AS3215  |   | AS12670 |
+---------+   +---------+
     |             |
     |             |
+---------+   +---------+
|   BGP   |   |   BGP   |
| ROUTER  |   | ROUTER  | OpenBSD 4.3
| AS47818 |   | AS45818 |
+---------+   +---------+
     |             |
     |             |
+-------------------------+
|   217.109.108.240/28    |
+-------------------------+
     |             |
     |             |
+--------+--------+-------+
|   FW   |--------|  FW   |   OpenBSD 4.3
| MASTER | pfsync | SLAVE |
+--------+--------+-------+
     |             |
     |             |
+-------------------------+
|    PRIVATE NETWORKS     |
+-------------------------+

I'd like to load balance outgoing connections to the internet,
but I don't know how to configure openBGPd to do this.
I searched a lot on the Internet and I found a lot of information
on how to do this with cisco, but I have never found an openBGP solution.
Some people speak about it but I have never seen it.

I made a test conf where failover works like a charm (using iBGP on the
FW's with 'set nexthop self' on BGP routers), but when both connections
are active only one is used.

Would it be possible to help me please ?
Is setting up iBGP sessions between FW's and BGP routers a good idea ?
Should I rather use OSPF for this ?
And in that case how to configure it to loadbalance/failover ?

Many thanks

PS : loadbalancing incoming connections too would be very nice, but I
understood it was much more difficult.

--
Regards,
Pierre BARDOU




just wondering..

What happens when you load balance your
traffic on your firewalls ? So you divide
the traffic over both bgp routers:

http://www.openbsd.org/faq/pf/pools.html

maybe you could even do the route-to
on the bgp routers ?

something like:

route-to { ($ext_if $ext_ISP1), ($local_if $BGP2 ) } round-robin
from $lan_net to any keep state
#and on the other bgp router
route-to { ($ext_if $ext_ISP2), ($local_if $BGP1 ) } round-robin
from $lan_net to any keep state

Beware: I have no idea if any of this is possible.
But that's what I'd try :)

Gr. FH




You might want to read about http://www.openbsd.org/faq/faq6.html#Multipath, 
although it's not bgp solution.
I think with default configuration you should have multipath capability. Check 
if there is not localpref chosen, and check your ISP's prepend length.

Regards,
Mariusz Makowski



Re: MPLS On OpenBGP

2008-08-08 Thread Claudio Jeker
On Fri, Aug 08, 2008 at 12:09:06PM +0800, Zamri Besar wrote:
 On Wed, Aug 6, 2008 at 11:07 PM, Claudio Jeker [EMAIL PROTECTED] wrote:
 
  On Wed, Aug 06, 2008 at 03:17:41PM +0100, [EMAIL PROTECTED] wrote:
   Will it be likely possible and feasible to add MPLS feature on OpenBGPd?
  
 
  Yes.  It is neither impossible nor unfeasible.
  But don't ask when it will happen unless you like to do the work.
 
  --
  :wq Claudio
 
 
 
 Or is it possible to port ayame to OpenBSD? Or is it in progress / done?
 http://www.ayame.org/
 

You sure are living under a rock. cd /sys/netmpls and have a look. But
there is still tons of stuff missing but we're working on it.

-- 
:wq Claudio



Re: MPLS On OpenBGP

2008-08-07 Thread David Newman

On 8/6/08 11:29 AM, Łukasz Bromirski wrote:

[EMAIL PROTECTED] wrote:

I'll be looking for that day wherein those Cisco guys can boost no more
that they are the only ones in the planet that has the MPLS skills. Whew,
maybe somebody knows where to start on how to add this MPLS feature so as
to answer the question like where do I begin?


You're top-posting.

For the MPLS, you have basically two parts - data plane, which is
encapsulation of the frames or cells, and the control plane, which
is exchanging VPNv4/VPNv6 information between multiprotocol speaking
BGP routers (usually - PEs/LERs in MPLS nomenclature).

Quick look at google shows a lot of places where existing MPLS code
can be found[1]. But as usual - maybe it's not the best of breed, or
even not complete.

The MPLS as itself is not Cisco domain, but it was invented by Cisco
as tag switching[2] back in the days where nobody believed it will be
needed. It was back in 1997.


A historical nit: MPLS/tag switching/frame-relay-with-found-objects [1] 
predates Cisco. Ipsilon Networks, which Nokia bought in 1997, was doing 
label switching around 6-12 months earlier, but I wouldn't describe 
their stuff as production grade.


Yes, there are many commercial suppliers of MPLS other than Cisco. 
Whether that will stop sales guys from boasting they're unique is 
altogether another matter.


dn

[1] Mike O'Dell's apt description.



So, as Claudio said - go for it, if You think you can do better.

[1]. http://www.mplsrc.com/vendor.shtml being one of them, with
 old ayame project as well for NetBSD

[2]. http://tools.ietf.org/html/rfc2105




Re: MPLS On OpenBGP

2008-08-07 Thread Zamri Besar
On Wed, Aug 6, 2008 at 11:07 PM, Claudio Jeker [EMAIL PROTECTED] wrote:

 On Wed, Aug 06, 2008 at 03:17:41PM +0100, [EMAIL PROTECTED] wrote:
  Will it be likely possible and feasible to add MPLS feature on OpenBGPd?
 

 Yes.  It is neither impossible nor unfeasible.
 But don't ask when it will happen unless you like to do the work.

 --
 :wq Claudio



Or is it possible to port ayame to OpenBSD? Or is it in progress / done?
http://www.ayame.org/


-zamri-



Re: MPLS On OpenBGP

2008-08-06 Thread demuel
Will it be likely possible and feasible to add MPLS feature on OpenBGPd?



Re: MPLS On OpenBGP

2008-08-06 Thread Claudio Jeker
On Wed, Aug 06, 2008 at 03:17:41PM +0100, [EMAIL PROTECTED] wrote:
 Will it be likely possible and feasible to add MPLS feature on OpenBGPd?
 

Yes.  It is neither impossible nor unfeasible.
But don't ask when it will happen unless you like to do the work.

-- 
:wq Claudio



Re: MPLS On OpenBGP

2008-08-06 Thread demuel
I'll be looking for that day wherein those Cisco guys can boost no more
that they are the only ones in the planet that has the MPLS skills. Whew,
maybe somebody knows where to start on how to add this MPLS feature so as
to answer the question like where do I begin?

 On Wed, Aug 06, 2008 at 03:17:41PM +0100, [EMAIL PROTECTED] wrote:
 Will it be likely possible and feasible to add MPLS feature on OpenBGPd?


 Yes.  It is neither impossible nor unfeasible.
 But don't ask when it will happen unless you like to do the work.

 --
 :wq Claudio



Re: MPLS On OpenBGP

2008-08-06 Thread Łukasz Bromirski

[EMAIL PROTECTED] wrote:

I'll be looking for that day wherein those Cisco guys can boost no more
that they are the only ones in the planet that has the MPLS skills. Whew,
maybe somebody knows where to start on how to add this MPLS feature so as
to answer the question like where do I begin?


You're top-posting.

For the MPLS, you have basically two parts - data plane, which is
encapsulation of the frames or cells, and the control plane, which
is exchanging VPNv4/VPNv6 information between multiprotocol speaking
BGP routers (usually - PEs/LERs in MPLS nomenclature).

Quick look at google shows a lot of places where existing MPLS code
can be found[1]. But as usual - maybe it's not the best of breed, or
even not complete.

The MPLS as itself is not Cisco domain, but it was invented by Cisco
as tag switching[2] back in the days where nobody believed it will be
needed. It was back in 1997.

So, as Claudio said - go for it, if You think you can do better.

[1]. http://www.mplsrc.com/vendor.shtml being one of them, with
 old ayame project as well for NetBSD

[2]. http://tools.ietf.org/html/rfc2105

--
Don't expect me to cry for all the     |   Łukasz Bromirski
reasons you had to die -- Kurt Cobain  |   http://lukasz.bromirski.net



Re: openbgp: operation not permitted

2008-06-14 Thread Lu Vo
2008/6/13 Claudio Jeker [EMAIL PROTECTED]:

 On Fri, Jun 13, 2008 at 12:47:26PM -0700, Lu Vo wrote:
  Greetings,
 
  I set up 2 routers running openbgpd.  The first one is working well.  The
  2nd one is not.
 
  I am  seeing these errors in the syslog
 
  Jun 13 14:18:13 router2 bgpd[9453]: neighbor xxx.191.188.137: write error: Operation not permitted
  Jun 13 14:22:23 router2 bgpd[9453]: neighbor xxx.191.188.137: connect: Operation not permitted
 

 Smells like a pf block rule hitting you.


First thing I checked.  Also disabled it just to make sure.  It is not pf
Thanks



openbgp: operation not permitted

2008-06-13 Thread Lu Vo
Greetings,

I set up 2 routers running openbgpd.  The first one is working well.  The
2nd one is not.

I am  seeing these errors in the syslog

Jun 13 14:18:13 router2 bgpd[9453]: neighbor xxx.191.188.137: write error: Operation not permitted
Jun 13 14:22:23 router2 bgpd[9453]: neighbor xxx.191.188.137: connect: Operation not permitted

I am not yet sure whether the problem is with the peer or with my server.
Because I set both servers up in the same manner, I am stumped as to why it
is complaining about permission issue:

# ps -ax | grep bgp
24233 ??  I       0:03.75 bgpd: route decision engine (bgpd)
 9453 ??  I       0:00.25 bgpd: session engine (bgpd)
14094 ??  Is      0:04.78 bgpd: parent (bgpd)
 1255 p0  R+/0    0:00.00 grep bgp

# bgpctl show neighbor
BGP neighbor is xxx.191.188.137, remote AS 15290
  BGP version 4, remote router-id xxx.191.66.21
  BGP state = Active, down for 00:26:13
  Last read 00:30:13, holdtime 240s, keepalive interval 80s

  Message statistics:
                        Sent   Received
  Opens                    1          1
  Notifications            0          0
  Updates                  1      45502
  Keepalives              16         17
  Route Refresh            0          0
  Total                   18      45520

  Update statistics:
                        Sent   Received
  Updates                  0          0
  Withdraws                0          0

  Local host:   xxx.191.188.139, Local port:  16342
  Remote host:  xxx.191.188.137, Remote port:   179


If you have seen this, please share your experience.

thanks.
Lu


