
have I set up bgp correctly? packet capture included

singsing Member
edited September 2015 in General

I have Quagga bgpd running and it seems to establish a bgp session, but the announce is not going out to the Internet yet.

The network topology, as I understand it, is Quagga bgpd in VPS <--> VPS provider router <--> BGP router. But the VPS provider router does not run BGP. So I have enabled multi-hop. Something about a "static route to the BGP router" was mentioned but I assume it is not needed since I understand that's a Cisco requirement that doesn't apply to Quagga bgpd?

Anyways a BGP session connection is formed and the following UPDATE goes out from my VPS to the BGP router:

http://i.imgsafe.org/677f19c.png

But it doesn't get to the public Internet.

Is there anything obviously wrong with my config, or should I just ask them again to make sure they've unfiltered it?

My config is:

    hostname localhost
    password password
    log stdout
    !
    router bgp my-asn
     bgp router-id my-ipv4
     neighbor bgp-peer-ipv6 remote-as their-asn
     neighbor bgp-peer-ipv6 ebgp-multihop
     no auto-summary
     no neighbor bgp-peer-ipv6 activate
    !
     address-family ipv6
     network my-ipv6-space
     neighbor bgp-peer-ipv6 activate
     neighbor bgp-peer-ipv6 prefix-list pl-block-all-6 in
     neighbor bgp-peer-ipv6 route-map rm-out-6 out
     exit-address-family
    !
    route-map rm-out-6 permit 10
     set ipv6 next-hop global bgp-peer-ipv6
    !
    ipv6 prefix-list pl-block-all-6 deny 0::/0

I also tried without "set ipv6 next-hop global bgp-peer-ipv6" initially, actually I think that should not be used. Changed it back, still doesn't work.

Thanks
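
Added example (not part of the original post, and not Quagga code): the thread turns on which next hop the UPDATE in the capture actually carries, so this Python decoder reads the MP_REACH_NLRI attribute of a raw BGP UPDATE and reports the advertised IPv6 prefix and next hop. The addresses and AS number are constructed documentation values, and `parse_update`, `peer_as_next_hop` and `sample_update` are hypothetical names.

```python
import ipaddress
import struct

MP_REACH_NLRI = 14  # path attribute type code (RFC 4760)

def parse_update(msg: bytes) -> dict:
    """Extract IPv6 unicast next hops and prefixes from one BGP UPDATE."""
    length, msg_type = struct.unpack("!HB", msg[16:19])
    if msg[:16] != b"\xff" * 16 or msg_type != 2 or length != len(msg):
        raise ValueError("not a complete BGP UPDATE message")
    body = msg[19:]
    (wd_len,) = struct.unpack("!H", body[:2])            # withdrawn routes
    (attr_len,) = struct.unpack("!H", body[2 + wd_len:4 + wd_len])
    attrs = body[4 + wd_len:4 + wd_len + attr_len]
    out = {"next_hops": [], "prefixes": []}
    pos = 0
    while pos < len(attrs):
        hdr = 4 if attrs[pos] & 0x10 else 3              # extended-length bit set?
        alen = int.from_bytes(attrs[pos + 2:pos + hdr], "big")
        code, value = attrs[pos + 1], attrs[pos + hdr:pos + hdr + alen]
        pos += hdr + alen
        # Only MP_REACH_NLRI for AFI 2 (IPv6), SAFI 1 (unicast) is decoded.
        if code != MP_REACH_NLRI or value[:3] != b"\x00\x02\x01":
            continue
        nh_len = value[3]
        # 16 bytes = global next hop; 32 = global followed by link-local
        for i in range(4, 4 + nh_len, 16):
            out["next_hops"].append(ipaddress.IPv6Address(value[i:i + 16]))
        p = 4 + nh_len + 1                               # skip reserved byte
        while p < len(value):
            bits, nbytes = value[p], (value[p] + 7) // 8
            raw = value[p + 1:p + 1 + nbytes].ljust(16, b"\x00")
            out["prefixes"].append(ipaddress.IPv6Network((raw, bits), strict=False))
            p += 1 + nbytes
    return out

def peer_as_next_hop(parsed: dict, peer: str) -> bool:
    """True if the peer is handed its own address as next hop (the RFC 4271
    section 5.1.3 NEXT_HOP rule, applied here to the MP_REACH next hop)."""
    return ipaddress.IPv6Address(peer) in parsed["next_hops"]

def sample_update(next_hop: str) -> bytes:
    """Constructed UPDATE: 2001:db8:1234::/48, origin IGP, AS path 64512."""
    mp = (struct.pack("!HBB", 2, 1, 16) + ipaddress.IPv6Address(next_hop).packed
          + b"\x00\x30" + bytes.fromhex("20010db81234"))
    attrs = (bytes.fromhex("40010100" "40020602010000fc00")  # ORIGIN, AS_PATH
             + bytes([0x80, MP_REACH_NLRI, len(mp)]) + mp)
    body = struct.pack("!HH", 0, len(attrs)) + attrs
    return b"\xff" * 16 + struct.pack("!HB", 19 + len(body), 2) + body
```

Feeding it the UPDATE bytes exported from a capture and the peer's address shows at a glance whether the announcement matches what `advertised-routes` reports.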

Comments

  • What does the output of this show?

    show ip bgp neighbors [neighbor IP] advertised-routes

    PM me the output

    Also why are you using eBGP Multihop? Is the peer not local?

  • singsing Member
    edited September 2015

    MarkTurner said: What does the output of this show?

    show ip bgp neighbors [neighbor IP] advertised-routes

    It shows

    Network: my-ipv6-space, Next-Hop: the-BGP-peer-address, LocPrf 0, Weight 32768, Path i

    MarkTurner said: Also why are you using eBGP Multihop? Is the peer not local?

    There is (at least one) router (or switch? update: actually probably not just switch since it has an address) between the VPS and BGP peer. Otherwise bgpd uses TTL=1 for security and nothing gets through (though actually I've noticed that if you wait a long time a TCP connection seems to materialize somehow anyways, but I didn't experiment more with that and just set multi-hop as I was instructed).

    By the way, in the image I posted, the thing labeled "router IPv6" is the BGP router ipv6 address, not the address of the VPS provider router.

  • What's your AS number? It would be easier to check if route objects have been setup properly for your AS.

  • singsing Member
    edited September 2015

    pechspilz said: What's your AS number? It would be easier to check if route objects have been setup properly for your AS.

    Just tell me how this is done and I can check it. What I use currently to check if the announce is going out is https://www.dan.me.uk/bgplookup (and also ping6 attempt from another VPS).

    Anyways if nobody can spot anything wrong with my config I'll just ask the VPS provider support to look into this tomorrow.

  • gbshouse Member, Host Rep

    Try to set "ebgp-multihop 10", also add "soft-reconfiguration inbound"

  • gbshouse Member, Host Rep

    Beside that in route map the next global should be your address

  • singsing Member
    edited September 2015

    @gbshouse said:
    Try to set "ebgp-multihop 10", also add "soft-reconfiguration inbound"

    Done.

    @gbshouse said:
    Beside that in route map the next global should be your address

    Ok, reintroduced the line with "set ipv6 next-hop global" into the config, but put own ipv6 address in there. output of "show ipv6 bgp neighbors router-ipv6 advertised-routes" correctly reflects this change.

    Waiting to see if anything will happen ... (any idea how long it usually takes? 15min?)

    Update: when I ping6 it now says "hop limit", but I am not sure if this is due to the most recent change or something that happened earlier. But it is no longer saying "no route", so that is an improvement I guess.

    Update2: traceroute from another VPS shows it going to the BGP router, so something is making it to the Internet (woo!) but still not working properly yet.

  • patrick7 Member, LIR
    edited September 2015

    To announce it will take some seconds. How long your upstream has to update the filter, nobody can tell you.

    I think hop limit is like ttl exceeded in transit. Means there's a layer3 loop.

  • gbshouse said: Beside that in route map the next global should be your address

    Wait, are you sure about this? Maybe next-hop should be the VPS provider router?

  • patrick7 said: How long your upstream has to update the filter, nobody can tell you.

    Pretty sure it's unfiltered right now (I realize you probably posted when I was updating my post).

  • patrick7 Member, LIR

    If you announce a /48, don't use the route map. Also make sure to add an IGP route for this network, sometimes quagga will not announce it if there is no route.

    I don't think you're unfiltered.

  • patrick7 said: I don't think you're unfiltered.

    I mean that they have added a filter rule, and something is being announced to the Internet. I am running traceroute on a VPS hosted at a different provider, which wouldn't know to go to the BGP router if there wasn't any announce out there (before, I was getting "no route" ping6, now I get "hop limit" back from something on the same network as the BGP router).

  • patrick7 Member, LIR

    Can you pm me the network? Do you have an IGP route? (If you announce it and don't have a route, you will probably route the traffic back to your upstream (in case you have a default route))

  • rds100 Member
    edited September 2015

    You should have chosen a server from a provider that can do a direct BGP session with you, not multihop. Multihop is harder to configure and get right so if you got a provider that doesn't know how to do it properly and how to troubleshoot it - you are going to waste a lot of time and brain cells.

  • gbshouse Member, Host Rep

    Yop, I'm sure about global next. You may shut down the session ("neighbor IP shutdown" and "no neighbor IP shutdown") with upstream, as sometimes IPv6 routers are picky (with IPv4 "clear ip bgp IP soft out" usually does the trick). Usually you don't need next-hop config. Instead of filtering incoming with prefix-list, ask your peer to send you default route only.

  • rds100 said: Multihop is harder to configure and get right so if you got a provider that doesn't know how to do it properly and how to troubleshoot it - you are going to waste a lot of time and brain cells.

    Well, too early to judge if they can or can't troubleshoot, as I haven't asked them yet. Will do tomorrow. At least all the obvious problems at my end have been fixed now I take it.

  • patrick7 said: If you announce it and don't have a route, you will probably route the traffic back to your upstream (in case you have a default route)

    Well right now no traffic is reaching me at all (I was watching all ICMP6 in tcpdump when I tried to ping). And I don't have ip forwarding enabled or anything.

  • The quickest way to get your ipv6 block online is via he.net tunnel - they will even BGP with you and it's all free. Once you've done that you can move on to setting up and troubleshooting BGP with other providers.

  • rds100 said: The quickest way to get your ipv6 block online is via he.net tunnel - they will even BGP with you and it's all free. Once you've done that you can move on to setting up and troubleshooting BGP with other providers.

    It's OK I'm not in a hurry ;) This is a side project for now.
