<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On 4 August 2014 09:53, Sergey Popovich <span dir="ltr"><<a href="mailto:popovich_sergei@mail.ru" target="_blank">popovich_sergei@mail.ru</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
> Hi,<br>
<br>
Hello.<br>
<div class=""><br>
> The problem I am facing is that when I adjust a filter in order to<br>
> withdraw the route, all routes are withdrawn and the remaining are<br>
> announced again. According to the doc if a reload on bird brings a new<br>
> configuration for a protocol, that protocol will be restarted. So, it is<br>
> expected behavior.<br>
><br>
<br>
</div>You have changed the import filter of the direct1 protocol, thus direct1 gets<br>
reconfigured (on HUP or birdc configure). However, this protocol does not<br>
perform "soft" reconfiguration on filter changes, thus direct1 restarts<br>
unconditionally to apply your filter changes (IP removal/addition).<br>
<br>
All routes are flushed out of the table (causing a BGP withdrawal) and<br>
fetched from the protocol (direct) again into the table (causing a BGP update).<br>
<br>
This seems to be normal behavior.<br>
<br>
<br></blockquote><div><br>Sergey, thank you very much for this very detailed explanation.<br><br><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
You could simply attach your loopback_ACL filter to the BGP_PEERS template<br>
export (with any needed adjustments, or just make loopback_ACL work as a<br>
function returning false/true and use it in anycast_range) to solve your case.<br>
<br>
I also suggest using a global prefix set definition, as a local variable<br>
(in a filter/function) is created/assigned each time the function is called.<br>
<br>
For example:<br>
------------<br>
<br>
# It is probably a good idea to have such a protocol configured in most cases.<br>
# It fetches the list of interfaces in the system and provides them to the other<br>
# protocols (except OSPF, which has its own mechanisms).<br>
<div class="">#<br>
protocol device {<br>
scan time 10;<br>
}<br>
<br>
</div># This set should be modified only when a new frontend subnet is added.<br>
# direct1 would restart on a protocol filter change.<br>
#<br>
define ACAST_PS_DIRECT1 =<br>
[<br>
<a href="http://192.168.200.0/24{32,32}" target="_blank">192.168.200.0/24{32,32}</a><br>
];<br>
<br>
protocol direct {<br>
# Import directly connected routes from "lo" interface.<br>
interface "lo";<br>
<br>
# This may be needed to properly resolve next hops from upstream routes.<br>
interface "<interface_to_your_routers>";<br>
<br></blockquote><div><br></div><div>What do you mean by this?<br><br></div><div>Since I only want to export routes for IPs on the loopback interface, I thought I could safely skip other interfaces for<br></div><div>protocol direct. Well, with the filters in place, I don't worry about accidentally announcing routes that I shouldn't.<br>
</div><div>Furthermore, as a safeguard I have set the upstream routers to allow announcements only for the specific prefix (<a href="http://192.168.200.0/24">192.168.200.0/24</a>). Oh yes, I play very safe here :-)<br></div>
<div><br> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
# Do not import from other sources.<br>
interface "-*";<br>
<br>
# Import only allowed IPs from "lo" and routes from the upstream<br>
# interface.<br>
import where net ~ ACAST_PS_DIRECT1 || ifname = "<interface_to_your_routers>";<br>
<br></blockquote><div><br></div><div>I don't need to import anything. Bird is used only as an advertisement system.<br><br> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
# No export to the protocol, not necessary<br>
export none;<br>
}<br>
<br>
# This is a global constant for your prefix set (PS) <a href="http://192.168.200.0/24" target="_blank">192.168.200.0/24</a>.<br>
#<br>
# Place this definition into an external file and source it with the include<br>
# directive from the global configuration file if you wish to modify<br>
# this PS from the outside (e.g. by some HA script).<br>
#<br>
define ACAST_PS_ADVERTISE =<br>
[<br>
<a href="http://192.168.200.1/32" target="_blank">192.168.200.1/32</a>, # Frontend 1<br>
<a href="http://192.168.200.2/32" target="_blank">192.168.200.2/32</a> # Frontend 2<br>
];<br>
<br>
function acast_advertise()<br>
{<br>
return net ~ ACAST_PS_ADVERTISE;<br>
}<br>
<br>
filter anycast_range<br>
{<br>
if acast_advertise() then<br>
accept;<br>
reject;<br>
}<br>
<br>
Tested a similar config with BIRD 1.3.11 and spotted no unwanted<br>
withdrawals.<br>
<div class=""><div class="h5"><br></div></div></blockquote><div><br></div><div><br><br></div><div>I configured bird as you suggested[1] and after a restart I removed <a href="http://192.168.200.1/32">192.168.200.1/32</a> from the prefix set[2]<br>
<br></div><div>See below the log<br></div><div><br>13:29:18 <INFO> Reconfiguration requested by SIGHUP<br>13:29:18 <INFO> Reconfiguring<br>13:29:18 <TRACE> direct1: Reconfigured<br>13:29:18 <TRACE> bgp_peer1: Reconfigured<br>
13:29:18 <INFO> Reloading protocol bgp_peer1<br>13:29:18 <TRACE> bgp_peer1: State changed to feed<br>13:29:18 <TRACE> bgp_peer2: Reconfigured<br>13:29:18 <INFO> Reloading protocol bgp_peer2<br>13:29:18 <TRACE> bgp_peer2: State changed to feed<br>
13:29:18 <INFO> Reconfigured<br>13:29:18 <TRACE> bgp_peer1 < filtered out <a href="http://192.168.200.1/32">192.168.200.1/32</a> dev lo<br>13:29:18 <TRACE> bgp_peer1 < removed <a href="http://192.168.200.1/32">192.168.200.1/32</a> dev lo<br>
13:29:18 <TRACE> bgp_peer1 < replaced <a href="http://192.168.200.2/32">192.168.200.2/32</a> dev lo<br>13:29:18 <TRACE> bgp_peer1: State changed to up<br>13:29:18 <TRACE> bgp_peer2 < filtered out <a href="http://192.168.200.1/32">192.168.200.1/32</a> dev lo<br>
13:29:18 <TRACE> bgp_peer2 < removed <a href="http://192.168.200.1/32">192.168.200.1/32</a> dev lo<br>13:29:18 <TRACE> bgp_peer2 < replaced <a href="http://192.168.200.2/32">192.168.200.2/32</a> dev lo<br>
13:29:18 <TRACE> bgp_peer2: State changed to up<br><br><br></div><div>What is the meaning of 'replaced' here?<br> <br></div><div>And the output of birdcl show protocols all "bgp*" in a loop:<br>
</div><div><br>### Mon Aug 4 13:29:11 CEST 2014 ###<br> Routes: 0 imported, 2 exported, 0 preferred<br> Import updates: 0 0 0 0 0<br> Import withdraws: 0 0 --- 0 0<br>
Export updates: 2 0 0 --- 2<br> Export withdraws: 0 --- --- --- 0<br> Routes: 0 imported, 2 exported, 0 preferred<br>
Import updates: 0 0 0 0 0<br> Import withdraws: 0 0 --- 0 0<br> Export updates: 2 0 0 --- 2<br>
Export withdraws: 0 --- --- --- 0<br>### Mon Aug 4 13:29:16 CEST 2014 ###<br> Routes: 0 imported, 1 exported, 0 preferred<br> Import updates: 0 0 0 0 0<br>
Import withdraws: 0 0 --- 0 0<br> Export updates: 4 0 1 --- 3<br> Export withdraws: 0 --- --- --- 1<br>
Routes: 0 imported, 1 exported, 0 preferred<br> Import updates: 0 0 0 0 0<br> Import withdraws: 0 0 --- 0 0<br>
Export updates: 4 0 1 --- 3<br> Export withdraws: 0 --- --- --- 1<br>### Mon Aug 4 13:29:21 CEST 2014 ###<br><br><br>Thank you very much for taking the time to provide a complete solution for me. It is very much appreciated.<br>
<br></div><div>Cheers,<br></div><div>Pavlos<br></div><div><br></div><div>[1] bird.conf<br></div><div><br>include "/etc/bird.d/anycast_prefixes.conf";<br><br>define ACAST_PS_DIRECT1 = [ <a href="http://192.168.200.0/24{32,32}">192.168.200.0/24{32,32}</a> ];<br>
<br>function anycast_advertise()<br>{<br> return net ~ ACAST_PS_ADVERTISE;<br>}<br><br>filter anycast_range {<br> if anycast_advertise() then<br> accept;<br><br> reject;<br>}<br><br>router id 192.168.88.194;<br>
listen bgp address 192.168.88.194;<br><br>protocol direct {<br> interface "lo";<br> debug all;<br> import where net ~ ACAST_PS_DIRECT1;<br> export none;<br>}<br><br>protocol kernel kernel1 {<br>
disabled yes;<br>}<br><br>protocol device {<br> scan time 10;<br>}<br><br>protocol static {<br> disabled yes;<br>}<br><br>protocol bfd {<br> interface "eth0" {<br> min rx interval 500 ms;<br>
min tx interval 500 ms;<br> idle tx interval 1000 ms;<br> multiplier 3;<br> };<br>}<br><br>template bgp BGP_PEERS {<br> bfd on;<br> debug all;<br> import none;<br> export filter anycast_range;<br>
direct;<br> hold time 30;<br> startup hold time 240;<br> connect retry time 120;<br> keepalive time 10;<br> start delay time 5;<br> error wait time 60, 300;<br> error forget time 300;<br> disable after error off;<br>
next hop self;<br> path metric 1;<br> default bgp_med 0;<br> default bgp_local_pref 0;<br>}<br><br>protocol bgp bgp_peer1 from BGP_PEERS {<br> disabled no;<br> description "My-BGP-Peer1";<br> local as 46111;<br>
neighbor 192.168.95.252 as 46111;<br> source address 192.168.88.194;<br>}<br><br>protocol bgp bgp_peer2 from BGP_PEERS {<br> disabled no;<br> description "My-BGP-Peer2";<br> local as 46111;<br> neighbor 192.168.95.253 as 46111;<br>
source address 192.168.88.194;<br>}<br></div></div><br><br>[2] /etc/bird.d/anycast_prefixes.conf <br>define ACAST_PS_ADVERTISE =<br> [<br> <a href="http://192.168.200.1/32">192.168.200.1/32</a>, # Frontend 1<br>
<a href="http://192.168.200.2/32">192.168.200.2/32</a> # Frontend 2<br> ];<br><br></div></div>