X Y wrote:
I'm having a bit of trouble with the finer details of my OpenBGPD
config, and would appreciate some tips on getting it right and advice
on the right way of doing things.

I have two routers, two independent BGP connections, and a block of
provider independent address space. The routers are arranged in a
redundant pair. The public network and some private subnets have
gateway addresses provided with CARP. The two routers use pfsync.

The BGP connections are actually completely independent (I'll be
adding two more in due course for a total of four). They have
different network addresses, cables and route to the rest of the
world. The cables are plugged directly into the routers, and there's
no CARP on those interfaces. Packets will arrive via either of those
routes.

I have got a basic configuration working. This maintains the BGP
sessions, packets go in and out, and the firewalls will fail over as
they should. I use depend on carp0 ... carp3 on the master router
(chosen via advskew) to drop that session if it fails, and demote on
the backup to make sure it doesn't like being master if it doesn't
have a BGP session.

I have been recommended by our ISPs that I should also advertise
routes between the routers, so that if one's BGP session fails, it can
route packets to the other for a cleaner failover. I have not managed
to get this configuration working.

Some configuration information, with the real details removed to
protect the guilty.

AS: 99999
PI subnet: A.A.A.0/23
PI gateway: A.A.A.1
Master: A.A.A.2
Backup: A.A.A.3
BGP connection 1: X.X.X.4 -> X.X.X.200 on X.X.X.0/24, AS 88888
BGP connection 2: Y.Y.Y.4 -> Y.Y.Y.200 on Y.Y.Y.0/24, AS 88888
        (Y.Y.Y != X.X.X)

/etc/bgpd.conf

AS 99999
network A.A.A.0/23

# eBGP session to the provider, connection 1 (connection 2 not shown)
neighbor X.X.X.200 {
  remote-as 88888
  local-address X.X.X.4
  announce self                 # send only our own prefixes upstream
  tcp md5sig password PASSWORD1
  depend on carp1               # drop the session when not CARP master
  depend on carp2
  depend on carp3
  # demote on backup
}

# iBGP session to the partner router
neighbor A.A.A.3 {
  remote-as 99999
  descr "backup"
  local-address A.A.A.2
  announce all                  # send everything learned, transit routes included
  tcp md5sig password PASSWORD2
  set nexthop A.A.A.3           # A.A.A.2 didn't help
  set localpref -10             # relative to the default localpref of 100
}

Then...

Stuart Henderson <[EMAIL PROTECTED]> wrote:

On 2006/10/13 11:24, Ronnie Garcia wrote:

I have been recommended by our ISPs that I should also advertise
routes between the routers, so that if one's BGP session fails, it can
route packets to the other for a cleaner failover. I have not managed
to get this configuration working.


Yes you should, this is called iBGP. All of your BGP routers should have
an iBGP session with all of the others, in a full mesh (unless you are
using a route reflector).


OP has already done that in the config file, the problem is how to
add a route so the other provider's router can be reached. Normally the
provider's router is listed in the IBGP announcement so unless this is
overwritten in the IBGP announcements (by 'set nexthop') you need to have
a route to the provider's router (static or OSPF).

I think this is the critical bit of information. I need to add a
static route to the other router for the X.X.X/24 or Y.Y.Y/24
network. The IBGP session from the other router will give its
neighbour's address, not its own address which I had expected. I
can't override this with nexthop, I just have to make sure there are
routes provided via something other than BGP.

A couple of follow-up questions:

1) Will the "set localpref -10" on the session with the other router
be sufficient to make sure that when the main BGP session is up,
that's actually used?

2) When I get to use multiple locations, should I use ospfd rather
than BGP to manage which route to take internally to the network?

Thanks for the help,

Ben
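The following bgpd.conf is an added example for the master router in the
setup described in the original post and in Ben's follow-up; it is not
the poster's configuration and uses current OpenBGPD filter syntax
(match/allow/deny rules and a group block) rather than the "announce"
keywords of the 2006 version. It addresses the next-hop problem Stuart
points out: the iBGP partner normally learns the provider's router
(X.X.X.200 or Y.Y.Y.200) as next hop and needs a route to it, unless the
next hop is rewritten on the iBGP session. Here the rewrite is done with
"set nexthop self" on the outbound iBGP rule, which makes the next hop the
local address A.A.A.2 on the shared, CARP-backed A.A.A.0/23 subnet, so no
static route toward the partner's upstream subnet is needed. The second
transit neighbor, the group name "transit", the descriptions, the second
MD5 secret PASSWORD3 and the router-id are assumptions; the addresses, AS
numbers and PASSWORD1/PASSWORD2 are the placeholders from the thread.

```conf
# /etc/bgpd.conf on the master router (A.A.A.2). The backup (A.A.A.3) runs
# the mirror image: local addresses swapped, iBGP neighbor A.A.A.2, and
# "demote carp" in place of the "depend on" lines, as the poster describes.
# Added example, not the poster's configuration; placeholders as in the
# thread, everything else assumed.

AS 99999
router-id A.A.A.2          # assumed: pick the router's own address
network A.A.A.0/23         # the PI block, announced unconditionally

# eBGP transit sessions. One group so a single filter rule covers both.
group "transit" {
    remote-as 88888

    neighbor X.X.X.200 {
        descr "transit-1"
        local-address X.X.X.4
        tcp md5sig password PASSWORD1
        # Tear the session down when this box stops being CARP master, so
        # the provider stops sending traffic this router can no longer forward.
        depend on carp1
        depend on carp2
        depend on carp3
    }

    neighbor Y.Y.Y.200 {
        descr "transit-2"
        local-address Y.Y.Y.4
        tcp md5sig password PASSWORD3   # assumed: a separate secret per session
        depend on carp1
        depend on carp2
        depend on carp3
    }
}

# iBGP full mesh: with two routers that is exactly one session.
neighbor A.A.A.3 {
    remote-as 99999
    descr "ibgp-backup"
    local-address A.A.A.2
    tcp md5sig password PASSWORD2
}

# Filters. Last matching rule wins, so start by refusing everything.
deny from any
deny to any

# Take whatever the providers send (full table, partial table or a
# default route); the poster's ISPs decide what that is.
allow from group "transit"

# Only the PI block ever goes upstream. Transit routes are never re-exported,
# so this AS cannot accidentally offer transit between the two providers.
allow to group "transit" prefix A.A.A.0/23

# iBGP: hand the partner every route, with the next hop rewritten to A.A.A.2.
# A.A.A.0/23 is directly connected on the CARP-backed interface, so the
# partner resolves this next hop without a static route toward X.X.X.0/24.
# Without "nexthop self" the partner would see X.X.X.200 as next hop and
# would need such a route (static or OSPF) to use the path at all.
allow to A.A.A.3 set nexthop self
allow from A.A.A.3

# On the localpref question: OpenBGPD's decision process already prefers an
# eBGP-learned path over an iBGP-learned one when localpref, AS path length,
# origin and MED tie, so the poster's "set localpref -10" on the iBGP session
# is not required for the direct session to win while it is up. Lowering it
# explicitly does no harm and makes the preference visible in the RIB.
```

If the next hop is left unmodified instead, each router needs a route to
the partner's upstream subnet via the partner, for example on the master
`route add -inet Y.Y.Y.0/24 A.A.A.3` (and the X.X.X.0/24 equivalent via
A.A.A.2 on the backup), made persistent with a `!route add` line in the
relevant /etc/hostname.if. Either way, `bgpctl show nexthop` shows whether
the next hop learned over iBGP is valid, and `bgpctl show rib neighbor
A.A.A.3` shows what the partner is sending and with which next hop.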
