Inject default route via OSPF, but only to specific OSPF peer and contingent on BGP session established
Hi,

I have two "border gateways"; each establishes a BGP session to the outside world. An internal router connects to each of the border gateways and uses OSPF to exchange routes. (Note, other OSPF links may exist as well).

Both border gateways act as default gateways for the internal router. In order to create redundancy, each border gateway should send the default route via OSPF to the internal router. However, the default route should not be sent to any other device (otherwise it would mess up everything, incl tunnels).

Additionally, injecting the default route should be contingent on having the BGP session established successfully (only then I can assume the route to the internet is good).

This is my current bird.conf (most relevant parts):

    protocol bgp vultr {
        local as xxx;
        source address xxx;
        import none;
        export filter {
            if (proto = "static_bgp") then { accept; };
        };
        graceful restart on;
        multihop 2;
        neighbor xx yy;
        password "xxxx";
    };

    protocol static static_bgp {
        route 192.0.2.0/24 via xxxx;
    };

    protocol ospf internal {
        import all;
        export none;
        area 0.0.0.0 {
            interface "wg-introuter" {
                cost 100; hello 10; retransmit 5; wait 5; dead 40;
                type broadcast;
                authentication cryptographic;
                password "xxx" { id 1; };
            };
        };
    };

Thanks,
Luke
Hello!

TL;DR: That's currently not possible. But there are other options.

On 2024-01-10 00:28, Lukas Haase via Bird-users wrote:
> Hi,
>
> I have two "border gateways"; each establishes a BGP session to the outside world. An internal router connects to each of the border gateways and uses OSPF to exchange routes. (Note, other OSPF links may exist as well).
>
> Both border gateways act as default gateways for the internal router. In order to create redundancy, each border gateway should send the default route via OSPF to the internal router. However, the default route should not be sent to any other device (otherwise it would mess up everything, incl tunnels).
First, if sending a default route through OSPF breaks stuff, you should probably filter that route out on these devices where it's unwanted. Just to be safe if somebody misconfigures something. And with that, you can then just send the default route to the whole OSPF. Another approach would be filtering between areas in OSPF, which is quite fragile and not supported by BIRD anyway, but you can theoretically run two OSPF instances, one for the "with-default" network, and another one for the other network. This is very much a crazy setup which I do not recommend to go with unless you are sure that no better approach is available. And finally, what may be even better, if your two uplinks are two different AS's … you can link the internal router to iBGP as well, balancing the traffic between the uplinks and failing to send all data over one uplink if the other fails.
> Additionally, injecting the default route should be contingent on having the BGP session established successfully (only then I can assume the route to the internet is good).
In BIRD v2, there will be a possibility to do prefix aggregation added this year, and it looks like the configuration can be bent enough to actually generate "just the default route" from it. Not supported for now.

In BIRD v3, there will be more possible methods to generate default route, anyway, no one of them is merged even into thread-next yet.

I hope that I have at least pointed you the right way.

Have a nice day!
Maria

-- 
Maria Matejka (she/her) | BIRD Team Leader | CZ.NIC, z.s.p.o.
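The first option Maria describes (announce the default route into the whole OSPF domain and reject it on the devices where it must not land) can be written down as two BIRD 2 configuration fragments. This is an added example, not configuration from the thread or from the BIRD project; it uses the BIRD 2 channel syntax (`ipv4 { ... }`) rather than the BIRD 1 syntax of the original bird.conf, and the next-hop address, the interface name "eth0" and the OSPF password are placeholders. The "contingent on the BGP session" part is deliberately absent, because, as stated above, BIRD cannot currently express it.

```bird
# Added example (not from the thread): BIRD 2 fragments for
# "announce the default everywhere, reject it where it is unwanted".

# --- On each border gateway ---

# The default route is a plain static route. Its export into OSPF
# does NOT depend on the BGP session state; BIRD has no construct
# for that (see the reply above).
protocol static static_default {
    ipv4;
    route 0.0.0.0/0 via 198.51.100.1;   # assumed next hop (placeholder)
}

filter ospf_export {
    # Only the static default leaves via OSPF. Routes learned from BGP
    # or from other OSPF neighbours are never redistributed.
    if proto = "static_default" && net = 0.0.0.0/0 then accept;
    reject;
}

protocol ospf v2 internal {
    ipv4 {
        import all;
        export filter ospf_export;
    };
    area 0 {
        interface "wg-introuter" {
            cost 100; hello 10; retransmit 5; wait 5; dead 40;
            type broadcast;
            authentication cryptographic;
            password "xxx" { id 1; };
        };
    };
}

# --- On every OSPF router that must NOT use a default route ---
# (e.g. the tunnel endpoints mentioned in the thread)

filter ospf_import {
    # Drop 0.0.0.0/0 before it reaches this router's routing table,
    # whichever neighbour announces it; everything else is accepted.
    if net = 0.0.0.0/0 then reject;
    accept;
}

protocol ospf v2 other {
    ipv4 {
        import filter ospf_import;
        export none;
    };
    area 0 {
        interface "eth0";   # assumed interface name (placeholder)
    };
}
```

Caveat: OSPF is link-state, so an import filter only keeps the default route out of the filtered router's own routing table. The AS-external LSA carrying 0.0.0.0/0 is still held in that router's LSDB and still floods to its neighbours, so every device that must not use the default needs the import filter itself; it cannot be "shielded" by an upstream BIRD router. After reloading, `birdc show route for 0.0.0.0/0` on a filtered router should return no route, while `birdc show ospf lsa` will still list the external LSA.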
Hi Maria,

Thank you for responding. First of all, sorry for my duplicate message. (My browser crashed and I did not realize the email was sent)
Sent: Wednesday, 10 January 2024 at 08:52
From: "Maria Matejka via Bird-users" <bird-users@network.cz>
To: bird-users@network.cz
Subject: Re: Inject default route via OSPF, but only to specific OSPF peer and contingent on BGP session established
> Hello!
>
> TL;DR: That's currently not possible. But there are other options.
To me, my setup sounds like the most common, most normal configuration one could imagine. The fact that this sounds so troubling makes me think: Am I doing something conceptually wrong? How would one implement my scenario?
> On 2024-01-10 00:28, Lukas Haase via Bird-users wrote:
>> Hi,
>>
>> I have two "border gateways"; each establishes a BGP session to the outside world. An internal router connects to each of the border gateways and uses OSPF to exchange routes. (Note, other OSPF links may exist as well).
>>
>> Both border gateways act as default gateways for the internal router. In order to create redundancy, each border gateway should send the default route via OSPF to the internal router. However, the default route should not be sent to any other device (otherwise it would mess up everything, incl tunnels).
>
> First, if sending a default route through OSPF breaks stuff, you should probably filter that route out on these devices where it's unwanted.
Fair but not many devices support such sophisticated filters as bird.
> Just to be safe if somebody misconfigures something. And with that, you can then just send the default route to the whole OSPF.
>
> Another approach would be filtering between areas in OSPF, which is quite fragile and not supported by BIRD anyway, but you can theoretically run two OSPF instances, one for the "with-default" network, and another one for the other network. This is very much a crazy setup which I do not recommend to go with unless you are sure that no better approach is available.
Hmm, this might actually be an option to explore. Am I understanding correctly that I'd have two "protocol ospf" instances in bird.conf, each with a different area? Could I just define two area instances in one "protocol ospf" block instead?
> And finally, what may be even better, if your two uplinks are two different AS's … you can link the internal router to iBGP as well, balancing the traffic between the uplinks and failing to send all data over one uplink if the other fails.
No, the uplinks are both connected to the same AS. Why would separate AS be required? In general, is it better to use iBGP in place of OSPF for my case?
>> Additionally, injecting the default route should be contingent on having the BGP session established successfully (only then I can assume the route to the internet is good).
>
> In BIRD v2, there will be a possibility to do prefix aggregation added this year, and it looks like the configuration can be bent enough to actually generate "just the default route" from it. Not supported for now.
Hmm, even then I am unclear how this would be configured because a default gateway does not exist from BGP (I think). It would be a "protocol static" route, no?

Thanks!!
Luke
On Wed, Jan 10, 2024 at 10:02:49AM +0100, Lukas Haase via Bird-users wrote:
> Hi Maria,
>
> Thank you for responding. First of all, sorry for my duplicate message. (My browser crashed and I did not realize the email was sent)
>
> Sent: Wednesday, 10 January 2024 at 08:52
> From: "Maria Matejka via Bird-users" <bird-users@network.cz>
> To: bird-users@network.cz
> Subject: Re: Inject default route via OSPF, but only to specific OSPF peer and contingent on BGP session established
>
>> Hello!
>>
>> TL;DR: That's currently not possible. But there are other options.
>
> To me, my setup sounds like the most common, most normal configuration one could imagine. The fact that this sounds so troubling makes me think: Am I doing something conceptually wrong?
>
> How would one implement my scenario?
In general, OSPF supposes that all routers in one area have the same set of routes / network destinations, they are not announced to some specific router, but to everybody in the area. You wrote:
> Both border gateways act as default gateways for the internal router. In order to create redundancy, each border gateway should send the default route via OSPF to the internal router. However, the default route should not be sent to any other device (otherwise it would mess up everything, incl tunnels).
The other devices do not have a default route? Or use one from the internal router?

You could probably have separate area for gateways and internal router, and another area (perhaps stub / NSSA) for one with other devices, or just use IBGP as you suggested.

-- 
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
"To err is human -- to blame it on a computer is even more so."