BGP community not being set on outbound BGP updates
Hi All,

I'm building a s/RTBH setup based on bird 1.3.7. I'm using a single route injector which has iBGP peerings with my route-reflector cluster. The setup looks like this (with the injector running on OpenBSD-4.9/Alpha and router* running on Debian Squeeze amd64 if that matters):

            [injector]
             /      \
            /        \
           /          \
    [router 1]    [router 2]

On the injector, I configure static routes, which I export over BGP. I want to tag these prefixes with a BGP community, so I can nullroute the IPs on my route-reflectors and all routers that are connected to this cluster. For this, I'm using the following configuration (only the relevant portions included):

[injector]

    protocol static blacklist {
        route 1.2.3.4/32 via 192.0.2.1;
    }

    protocol bgp router_1 {
        local 172.16.0.1 as 65000;
        neighbor 172.16.0.2 as 65000;
        export filter {
            bgp_community = -empty-;
            bgp_community.add((65000,666));
            accept;
        };
        import none;
    }

[router 1]

    protocol bgp injector {
        local 172.16.0.2 as 65000;
        neighbor 172.16.0.1 as 65000;
        export none;
        import filter {
            gw = 192.0.2.1;
            bgp_community = -empty-;
            bgp_community.add((65000,666));
            accept;
        };
    }

The configuration for router 2 is identical apart from the IPs, so I haven't included this configuration.

This setup works, however, the BGP community only gets set when the prefix enters BGP on router 1:

    user@injector# birdc show route 1.2.3.4/32 all
    BIRD 1.3.7 ready.
    1.2.3.4/32 via 192.0.2.1 on lo1 [blacklist 12:01] * (200)
        Type: static unicast univ

    user@injector# birdc show route export router_1 all
    BIRD 1.3.7 ready.
    1.2.3.4/32 via 192.0.2.1 on lo1 [blacklist 12:01] * (200)
        Type: static unicast univ
        BGP.origin: IGP
        BGP.as_path:
        BGP.next_hop: 192.0.2.1
        BGP.local_pref: 100

    user@router_1# birdc show route 1.2.3.4/32
    BIRD 1.3.7 ready.
    1.2.3.4/32 unreachable [injector 12:01 from 172.16.0.1] * (100) [i]

    user@router_1# birdc show route 1.2.3.4/32 all
    BIRD 1.3.7 ready.
    1.2.3.4/32 unreachable [injector 12:01 from 172.16.0.1] * (100) [i]
        Type: BGP unicast univ
        BGP.origin: IGP
        BGP.as_path:
        BGP.next_hop: 192.0.2.1
        BGP.local_pref: 100
        BGP.community: (65000,666)

My questions:

1) First, are these configuration snippets and command output enough to assist in these questions?
2) Is it possible to set a BGP community on a static route which is being exported over BGP? The example in the docs(*) says I should be able to do this.
3) Am I doing something wrong in this setup that is causing the BGP community not being set?
4) Is there a more intelligent way to get this to work? Imho, using a BGP community is the cleanest and most generic way to implement this, but I want this to be set on the injector, and not on my RR cluster.

Kind Regards,
Lex van Roon

*) http://bird.network.cz/?get_doc&f=bird-6.html#ss6.1

-- 
LRO-RIPE | 11FCBF2A | 756E 845C 0A88 75FF C750 1E7E 9723 E0DF 11FC BF2A
On Thu, Apr 05, 2012 at 03:21:52PM +0200, Lex van Roon wrote:
Hi All,
I'm building a s/RTBH setup based on bird 1.3.7. I'm using a single route injector which has iBGP peerings with my route-reflector cluster. The setup looks like this (with the injector running on OpenBSD-4.9/Alpha and router* running on Debian Squeeze amd64 if that matters):
            [injector]
             /      \
            /        \
           /          \
    [router 1]    [router 2]

On the injector, I configure static routes, which I export over BGP. I want to tag these prefixes with a BGP community, so I can nullroute the IPs on my route-reflectors and all routers that are connected to this cluster.
...
My questions:
1) First, are these configuration snippets and command output enough to assist in these questions?
2) Is it possible to set a BGP community on a static route which is being exported over BGP? The example in the docs(*) says I should be able to do this.
3) Am I doing something wrong in this setup that is causing the BGP community not being set?
4) Is there a more intelligent way to get this to work? Imho, using a BGP community is the cleanest and most generic way to implement this, but I want this to be set on the injector, and not on my RR cluster.
Yes, this is a proper way to do this, setting bgp_community in this way should work and in my test setup that config and those commands work as expected.

There are some steps you could try to find the problem:

1) check the log to see if there is no filter error report.
2) restart the injector to see if the config is really used.
3) remove import filter on router_* (use import all) to see whether the problem is only in 'birdc show route export router_1 all' command or also in the real export (it is independently computed).
4) you could try to move setting bgp_community to the import filter of static protocol 'blacklist', in that case community should be seen even with 'birdc show route 1.2.3.4/32 all'. But the position in export filter of bgp should work too.
5) send me full config, I will check if there isn't some other problem that might be related.
6) you could try another architecture for injector, perhaps there is some obscure problem in BIRD on Alphas.

BTW, resetting BGP community with 'bgp_community = -empty-;' is not necessary, it is implicitly handled as empty, but should not harm anyway.

-- 
Elen sila lumenn' omentielvo

Ondrej 'SanTiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
On 07/04/12 13:14, Ondrej Zajicek wrote:
On Thu, Apr 05, 2012 at 03:21:52PM +0200, Lex van Roon wrote:
Hi All,
I'm building a s/RTBH setup based on bird 1.3.7. I'm using a single route injector which has iBGP peerings with my route-reflector cluster. The setup looks like this (with the injector running on OpenBSD-4.9/Alpha and router* running on Debian Squeeze amd64 if that matters):
            [injector]
             /      \
            /        \
           /          \
    [router 1]    [router 2]

On the injector, I configure static routes, which I export over BGP. I want to tag these prefixes with a BGP community, so I can nullroute the IPs on my route-reflectors and all routers that are connected to this cluster.
...
My questions:
1) First, are these configuration snippets and command output enough to assist in these questions?
2) Is it possible to set a BGP community on a static route which is being exported over BGP? The example in the docs(*) says I should be able to do this.
3) Am I doing something wrong in this setup that is causing the BGP community not being set?
4) Is there a more intelligent way to get this to work? Imho, using a BGP community is the cleanest and most generic way to implement this, but I want this to be set on the injector, and not on my RR cluster.

Yes, this is a proper way to do this, setting bgp_community in this way should work and in my test setup that config and those commands work as expected.
There are some steps you could try to find the problem:
1) check the log to see if there is no filter error report.
2) restart the injector to see if the config is really used.
3) remove import filter on router_* (use import all) to see whether the problem is only in 'birdc show route export router_1 all' command or also in the real export (it is independently computed).
4) you could try to move setting bgp_community to the import filter of static protocol 'blacklist', in that case community should be seen even with 'birdc show route 1.2.3.4/32 all'. But the position in export filter of bgp should work too.
This was the actual solution:

    protocol static injector {
        route 1.2.3.4/32 via 192.0.2.1;
        import filter {
            bgp_community.add((65342,666));
            accept;
        };
    }

5) send me full config, I will check if there isn't some other problem that might be related.
6) you could try another architecture for injector, perhaps there is some obscure problem in BIRD on Alphas.
I'm currently porting my software towards debian-squeeze-amd64, to see if I can replicate this issue.
BTW, resetting BGP community with 'bgp_community = -empty-;' is not necessary, it is implicitly handled as empty, but should not harm anyway.
-- LRO-RIPE | 11FCBF2A | 756E 845C 0A88 75FF C750 1E7E 9723 E0DF 11FC BF2A
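
The fix reported in this thread, written out as a complete injector/router pair. This is an added example, not configuration from either poster; it assumes the addresses, AS number, community value and protocol names of the original post. It goes one step beyond the thread by having both BGP filters match on the community instead of adding it, so a route that arrives untagged is rejected and the problem becomes visible rather than being masked by re-tagging on the router.

```conf
# --- injector (added example; values taken from the original post) ---
protocol static blacklist {
    route 1.2.3.4/32 via 192.0.2.1;
    # Tag the route as it enters the routing table, so the community is
    # already visible in 'birdc show route 1.2.3.4/32 all'.
    import filter {
        bgp_community.add((65000,666));
        accept;
    };
}

protocol bgp router_1 {
    local 172.16.0.1 as 65000;
    neighbor 172.16.0.2 as 65000;
    import none;
    # Announce only routes that carry the blackhole tag; anything else
    # in the table never leaves the injector.
    export filter {
        if (65000,666) ~ bgp_community then accept;
        reject;
    };
}

# --- router 1 (router 2 is the same apart from the addresses) ---
protocol bgp injector {
    local 172.16.0.2 as 65000;
    neighbor 172.16.0.1 as 65000;
    export none;
    # Accept a route from the injector only if it already carries the tag.
    # The community is not added here, so a missing tag shows up as a
    # missing route instead of being hidden.
    import filter {
        if (65000,666) ~ bgp_community then {
            gw = 192.0.2.1;
            accept;
        }
        reject;
    };
}
```

With this pair, 'birdc show route export router_1 all' on the injector is the place to confirm that BGP.community is present before the update is sent.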
participants (2)
- Lex van Roon
- Ondrej Zajicek