@Gregory: the configuration is just an example; it is not a LAB, but I changed the IP information for privacy.
@Claudio: Yes, there are lots of ways to achieve this, for example the "depends on" option that announces a route via BGP only if the interface link is up (in terms of carp MASTER).
Let me be more clear. I have this scenario: two firewalls with the shared IP 10.10.10.100/32 between two hosts, fw-01 (MASTER) and fw-02 (SLAVE).
The provider routers are set to forward traffic to fw-01 and fall back on fw-02.
If bgpd crashes on fw-01 but the network still stays up, fw-01 will still be the carp MASTER, but the ISP routers will forward traffic to fw-02 (SLAVE) because they detect the bgpd session down.
Even though fw-02 is SLAVE, it is taking charge of the traffic and forwarding it to the network below without any issue.
So, my question is: is this unexpected carp behavior?
Thank you for your time
Luca
> On 2 Apr 2020, at 15:12, Claudio Jeker <cjeker@diehard.n-r-g.com> wrote:
>
> On Thu, Apr 02, 2020 at 11:34:21AM +0200, Luca Bodini wrote:
>> Hi folks,
>>
>> I'm just having a strange issue using OpenBSD 6.6 and BGP.
>> I have two OpenBSD firewalls with a carp configuration. Let's suppose the shared IP is 10.10.10.100, and I am able to announce 10.10.10.100/32 via BGP.
>> Now, here is my /etc/bgpd.conf configuration:
>>
>> # define our own ASN as a macro
>> ASN="65000"
>> rde med compare always
>>
>> # global configuration
>> AS $ASN
>> router-id 172.10.10.3
>>
>> # list of networks that may be originated by our ASN
>> prefix-set mynetworks { \
>> 10.10.10.100/32 \
>> }
>>
>> # Generate routes for the networks our ASN will originate.
>> # The communities (read 'tags') are later used to match on what
>> # is announced to EBGP neighbors
>> network prefix-set mynetworks set { community $ASN:1 med 10 }
>>
>> # upstream providers
>> group "upstreams" {
>> remote-as 20746
>> neighbor 172.10.10.1 {
>> descr "provider router 01"
>> }
>> neighbor 172.10.10.2 {
>> descr "provider router 02"
>> }
>> }
>>
>> ## rules section
>> allow from group upstreams prefix 0.0.0.0/0
>>
>> # IBGP: allow all updates to and from our IBGP neighbors
>> allow from ibgp
>> allow to ibgp
>> allow to ebgp prefix-set mynetworks
>>
>> The problem I'm facing is due to (I guess) a provider router misconfiguration: in fact, the routers are forwarding traffic to the carp slave and, unexpectedly, everything is working fine: the firewall is accepting connections and forwarding traffic. For example, if I try to SSH:
>> ~# ssh -l root 10.10.10.100
>> [root@fw-02 root]# ifconfig | grep vhid
>> carp: BACKUP carpdev vlan100 vhid 10 advbase 1 advskew 10
>>
>> I've asked the provider to change the BGP configuration and everything is now set up correctly. Now, the question is:
>> Is the carp slave accepting and forwarding connections by design, or is it an "unintended" feature?
>>
>
> By default bgpd will just announce mynetworks without checking if
> something is up or not.
> You may have more luck with 'network inet connected' or even better use an
> rtlabel. In that case bgpd should respect the status of the route.
>
> I normally use carp on both sides and use 'network X/Y set nexthop $CARPIP'
> Where $CARPIP is the external carp IP shared between the two routers. In
> this case both systems announce the same network with the same nexthop
> (the carp IP) to the next routers and so no rerouting happens if the
> master dies. This only works if the systems share a lan segment for ebgp
> sessions.
>
> --
> :wq Claudio
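The options raised in this thread, written out as an added bgpd.conf(5) example (this is not configuration from the thread or from OpenBSD's sample config). It keeps Luca's ASN, router-id and upstream neighbors, and shows the posted `network prefix-set` statement beside the alternatives Claudio and Luca mention: announcing only connected or route-labelled routes, announcing with the carp address as next hop, and tying the session to the carp interface with `depend on`. The carp interface name `carp0` and the route label `carp-net` are assumptions. One caveat worth keeping in mind when reading the thread: the BACKUP forwards traffic in Luca's scenario because the provider routes to fw-02's own next-hop address, not to the carp address, and 10.10.10.100 is configured locally on both hosts, so bgpd's announcement, not carp, is what has to follow the MASTER state.

```conf
# Added example, not the configuration posted in the thread.
# Assumed names: carp0 (the carp interface), carp-net (a route label).

ASN="65000"
CARPIP="10.10.10.100"            # the shared carp address from the thread

AS $ASN
router-id 172.10.10.3
rde med compare always

prefix-set mynetworks { \
    10.10.10.100/32 \
}

# 1. As posted: announced unconditionally, whether or not this host is carp
#    MASTER.  The upstream has no reason to stop routing to a BACKUP.
# network prefix-set mynetworks set { community $ASN:1 med 10 }

# 2. Claudio's first suggestion: announce only routes the kernel actually has,
#    either every connected route or only those carrying a route label.  The
#    announcement then tracks the route, not a static list.
#    (Label example, assumed: route add -label carp-net -inet 10.10.10.100/32 ...)
network inet connected set { community $ASN:1 med 10 }
# network inet rtlabel carp-net set { community $ASN:1 med 10 }

# 3. Claudio's own setup: both firewalls announce the prefix with the carp
#    address as next hop.  The upstream resolves the next hop through carp, so
#    traffic follows the MASTER with no BGP reconvergence.  Requires that both
#    firewalls and the ebgp neighbors share one LAN segment.
# network prefix-set mynetworks set { nexthop $CARPIP community $ASN:1 med 10 }

# 4. Luca's "depends on": the session itself is only brought up while carp0
#    is MASTER, so a BACKUP never announces anything at all.
group "upstreams" {
    remote-as 20746
    depend on carp0                    # assumed interface name
    neighbor 172.10.10.1 {
        descr "provider router 01"
    }
    neighbor 172.10.10.2 {
        descr "provider router 02"
    }
}

allow from group upstreams prefix 0.0.0.0/0
allow from ibgp
allow to ibgp
allow to ebgp prefix-set mynetworks
```

Options 2 and 3 are shown one active and two commented out because they are alternatives for the same `network` statement; pick one. Option 4 combines with any of them. After changing the file, `bgpd -n` checks the syntax and `bgpctl show rib out` confirms what is actually being announced on each firewall.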