Table of Contents:
* <a href="#upandrunning">Am I up and Running?</a>
* <a href="#run_serve"> What am I serving out?</a>
* <a href="#run_connectwho"> Who is connected to me (neighbours)?</a>
* <a href="#run_tellme"> What are my neighbours telling me?</a>
* Configuration Samples
* <a href="#config_primary">Primary</a>
* <a href="#config_satellite_1">Satellite #1</a>
* <a href="#config_satellite_2">Satellite #2</a>
These notes are a direct RIP from the above notes, and others aggregated here to help my depleting memory cells.
OpenBSD supports the Border Gateway Protocol through bgpd(8)
BGPD(8) bgpd is a Border Gateway Protocol (BGP) daemon which manages the network routing tables. Its main purpose is to exchange information concerning "network reachability" with other BGP systems. bgpd uses the Border Gateway Protocol, Version 4, as described in RFC 1771. Please refer to that document for more information about BGP.
Monitoring and managing active bgpd sessions is through bgpctl(8)
BGPCTL(8) The bgpctl program controls the bgpd(8) daemon.
The sample network we use to discuss BGPD is shown in the below diagram.
A simple check of whether our BGPD server is up and running is to confirm the daemon (/usr/sbin/bgpd) is running, using the standard 'process status' command ps(1) or using bgpctl.
Basic confirmation of the daemon running can be performed using
ps auxwww | grep bgpd
The next step is to get information from the bgpd daemon.
bgpctl show summary
If BGPD is running, then it will display status information such as the connected BGPD peers (neighbors).
Neighbor                   AS    MsgRcvd    MsgSent  OutQ Up/Down  State/PrfRcvd
CLOUD Supplier           6666      19587      19046     0 3d18h16m     4
If BGPD is not running you may get an error similar to the below:
bgpctl: connect: /var/run/bgpd.sock: No such file or directory
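As an added example (not from the original notes): a small Python script that parses the output of "bgpctl show summary" and flags any session that is not Established, or that is Established but delivers fewer prefixes than expected. The neighbour column is the peer's description and may contain spaces (as "CLOUD Supplier" does), so the line is split from the right. The sample output is constructed for this example; only its first line mirrors the notes.

```python
"""Check 'bgpctl show summary' output for sessions that need attention.
Added example, not code from the original notes."""

# Constructed sample: the first line mirrors the notes; the other two are
# invented to show a session stuck in a non-Established FSM state and one
# that is up but has received no prefixes.
SAMPLE_SUMMARY = """\
Neighbor                   AS    MsgRcvd    MsgSent  OutQ Up/Down  State/PrfRcvd
CLOUD Supplier           6666      19587      19046     0 3d18h16m     4
Satellite backup        65003          0          0     0 Never    Active
172.20.10.30            65004        120        118     0 00:05:12     0
"""


def parse_summary(text):
    """Return one dict per neighbour row.

    The last six columns are single tokens; whatever is left on the left is
    the neighbour name/description, which may itself contain spaces."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Neighbor"):
            continue
        parts = line.rsplit(None, 6)
        if len(parts) != 7:
            continue  # not a neighbour row
        name, asn, rcvd, sent, outq, updown, state = parts
        row = {
            "neighbor": name.strip(),
            "as": int(asn),
            "msg_rcvd": int(rcvd),
            "msg_sent": int(sent),
            "out_q": int(outq),
            "up_down": updown,
        }
        # bgpctl prints the received-prefix count once the session is
        # Established; otherwise the column carries the FSM state name.
        if state.isdigit():
            row["state"] = "Established"
            row["prefixes"] = int(state)
        else:
            row["state"] = state
            row["prefixes"] = None
        rows.append(row)
    return rows


def check_sessions(rows, expected_min_prefixes=1):
    """Return a list of (neighbour, reason) for sessions needing attention."""
    problems = []
    for r in rows:
        if r["state"] != "Established":
            problems.append((r["neighbor"],
                             f"state {r['state']}, last up/down {r['up_down']}"))
        elif r["prefixes"] < expected_min_prefixes:
            problems.append((r["neighbor"],
                             f"Established but only {r['prefixes']} prefixes received"))
    return problems


if __name__ == "__main__":
    for neighbor, reason in check_sessions(parse_summary(SAMPLE_SUMMARY)):
        print(f"ALERT {neighbor}: {reason}")
```

On a live router, feed the script the real output (for example via subprocess.run(["bgpctl", "show", "summary"], capture_output=True, text=True).stdout) and run it from cron or a monitoring agent; a neighbour that drops out of Established, or whose prefix count falls to zero while the session stays up, is exactly the condition the summary is meant to reveal.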
When your BGP server has failed and is not running, review its start-up failure by running the daemon in the foreground:
/usr/sbin/bgpd -d
The screen output gives directions for the investigation. For example:
/usr/sbin/bgpd -d
/etc/bgpd.conf:19: could not parse address "10.0.323.0/24"
route decision engine ready
config file /etc/bgpd.conf has errors, not reloading
fatal in RDE: rde_dispatch_imsg_ession: pipe closed
kernel routing table decoupled
Terminating
The above error directs us to review the config file "/etc/bgpd.conf" at line 19, and specifically the address "10.0.323.0/24" (323 is not a valid octet).
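As an added example (not code from the original notes, and not bgpd's own parser): a pre-flight check for bgpd.conf that validates the address-carrying statements used in these notes (AS-independent keywords network, prefix, router-id, neighbor and local-address) and reports problems with the same file:line prefix bgpd prints, so a typo like "10.0.323.0/24" is caught before a reload. The sample config is constructed for the example; the keyword list and the bogus lines at 7 and 9 are assumptions made here.

```python
"""Pre-flight syntax check for the address values in a bgpd.conf.
Added example, not code from the original notes."""
import ipaddress

# Constructed sample config; lines 7 and 9 carry the kind of typo shown in
# the notes (an octet of 323).
SAMPLE_CONF = """\
AS 65001
router-id 172.20.10.2
network 192.168.18.0/24
network 192.168.20.0/24
neighbor 172.20.10.1 {
    remote-as 6666
    local-address 10.0.323.0
}
network 10.0.323.0/24
deny from any prefix 224.0.0.0/4 prefixlen >= 4
"""

# keyword -> True if the value must be a prefix, False if a host address
# (assumed set of keywords; only those used in the notes are covered)
ADDRESS_KEYWORDS = {
    "network": True,
    "prefix": True,
    "router-id": False,
    "neighbor": False,
    "local-address": False,
}


def check_conf(text, filename="/etc/bgpd.conf"):
    """Return a list of error strings in bgpd's 'file:line: message' style."""
    errors = []
    depth = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        depth += line.count("{") - line.count("}")
        tokens = line.replace("{", " ").replace("}", " ").split()
        for i, tok in enumerate(tokens[:-1]):
            if tok not in ADDRESS_KEYWORDS:
                continue
            value = tokens[i + 1]
            try:
                if ADDRESS_KEYWORDS[tok]:
                    # strict=False: host bits set in a network statement are
                    # masked, not rejected, to avoid false positives
                    ipaddress.ip_network(value, strict=False)
                else:
                    ipaddress.ip_address(value)
            except ValueError:
                errors.append(f'{filename}:{lineno}: could not parse address "{value}"')
        if depth < 0:
            errors.append(f"{filename}:{lineno}: unbalanced '}}'")
            depth = 0
    if depth != 0:
        errors.append(f"{filename}: unbalanced '{{' ({depth} unclosed block(s))")
    return errors


if __name__ == "__main__":
    for err in check_conf(SAMPLE_CONF):
        print(err)
```

Run it against the real file (check_conf(open("/etc/bgpd.conf").read())) before "bgpctl reload". Macros ($name) are not expanded, so a configuration that uses them for addresses would need the values substituted first; bgpd's own parser remains the authority, this only catches the common typo class early.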
What network interfaces am I seeing?
Confirm that "bgpd" correctly sees your active network interfaces.
bgpctl show interfaces
Interface         Nexthop state  Flags   Link state
tun0              ok             UP      link state 2
pflog0            ok             UP      unknown
pfsync0           ok             UP      unknown
carp2             ok             UP      CARP, master
carp1             ok             UP      CARP, master
carp0             ok             UP      CARP, master
lo0               ok             UP      unknown
enc0              invalid                unknown
em2               ok             UP      Ethernet, active, 1000 MBit/s
em1               ok             UP      Ethernet, active, 1000 MBit/s
nfe0              ok             UP      Ethernet, active, 1000 MBit/s
em0               ok             UP      Ethernet, active, 10 MBit/s
If you are using IPsec or TCP MD5 signatures then you may also need to review:
ipsecctl -sa
netstat -rnfencap
More information about the active bgpd session, relevant to the questions above, includes:
The following command should reflect the values specified in your “network” statements in /etc/bgpd.conf
bgpctl show network
flags: S = Static
flags destination
*   0 192.168.18.0/24
*   0 192.168.20.0/24
*   0 192.168.21.0/24
*   0 192.168.22.0/24
*   0 192.168.23.0/24
*   0 192.168.60.0/24
The following command should reflect connection information related to the “neighbor” statements in your /etc/bgpd.conf
bgpctl show neighbor
BGP neighbor is 172.20.10.1, remote AS 6666
 Description: CLOUD Supplier
  BGP version 4, remote router-id 172.20.10.1
  BGP state = Established, up for 3d18h17m
  Last read 00:00:10, holdtime 90s, keepalive interval 30s
  Neighbor capabilities:
    Multiprotocol extensions: IPv4 Unicast
    Route Refresh

  Message statistics:
                  Sent       Received
  Opens                6              6
  Notifications        1              4
  Updates              2             50
  Keepalives       19039          19530
  Route Refresh        0              0
  Total            19048          19590

  Update statistics:
                  Sent       Received
  Updates              6             24
  Withdraws            0             20

  Local host:   172.20.10.2, Local  port: 12650
  Remote host:  172.20.10.1, Remote port:   179
Things to look out for include:
bgpctl show ip bgp
The above command gives us the following information:
* *> - valid, selected routes learned from external sources (the gateway is the neighbour's address)
* origin - where the route came from (i = IGP, e = EGP, ? = incomplete)
* AI*> - the networks we announce ourselves (gateway 0.0.0.0), i.e. what we are pushing out
bgpctl show ip bgp
flags: * = Valid, > = Selected, I = via IBGP, A = Announced
origin: i = IGP, e = EGP, ? = Incomplete

flags destination          gateway          lpref   med aspath origin
*>    192.168.14.0/24      172.20.10.1        100     0 6666 65002 i
AI*>  192.168.18.0/24      0.0.0.0            100     0 i
AI*>  192.168.20.0/24      0.0.0.0            100     0 i
AI*>  192.168.21.0/24      0.0.0.0            100     0 i
AI*>  192.168.22.0/24      0.0.0.0            100     0 i
AI*>  192.168.23.0/24      0.0.0.0            100     0 i
*>    192.168.24.0/24      172.20.10.1        100     0 6666 65003 i
AI*>  192.168.60.0/24      0.0.0.0            100     0 i
Some sample configuration files that reflect the output shown above (where all sites are linked through an intermediary "CLOUD Supplier"):
* <a href="#config_primary">Primary</a>
* <a href="#config_satellite_1">Satellite #1</a>
* <a href="#config_satellite_2">Satellite #2</a>
The scenario is three sites connecting through a 3rd party.
This 3rd party could have been the primary site if desired.
#
# SITE - PRIMARY
#
AS 65001
router-id 172.20.10.2

network 192.168.18.0/24
network 192.168.20.0/24
network 192.168.21.0/24
network 192.168.22.0/24
network 192.168.23.0/24
network 192.168.60.0/24

neighbor 172.20.10.1 {
	announce IPv4 unicast
	remote-as 6666
	depend on carp0
	descr "CLOUD Supplier"
	local-address 172.20.10.2
}

deny from any
allow from any inet prefixlen 8 - 24
deny from any prefix 0.0.0.0/0
deny from any prefix 10.0.0.0/8 prefixlen >= 8
deny from any prefix 169.254.0.0/16 prefixlen >= 16
deny from any prefix 192.0.2.0/24 prefixlen >= 24
deny from any prefix 224.0.0.0/4 prefixlen >= 4
#
# SITE - Satellite #1
#
AS 65002
router-id 172.20.10.14

network 192.168.14.0/24

neighbor 172.20.10.13 {
	announce IPv4 unicast
	remote-as 6666
	descr "CLOUD Supplier"
	local-address 172.20.10.14
}

deny from any
allow from any inet prefixlen 8 - 24
deny from any prefix 0.0.0.0/0
deny from any prefix 10.0.0.0/8 prefixlen >= 8
deny from any prefix 169.254.0.0/16 prefixlen >= 16
deny from any prefix 192.0.2.0/24 prefixlen >= 24
deny from any prefix 224.0.0.0/4 prefixlen >= 4
deny from any prefix 240.0.0.0/4 prefixlen >= 4
#
# SITE - Satellite #2
#
AS 65003
router-id 172.20.10.14

network 192.168.24.0/24

neighbor 172.20.10.9 {
	announce IPv4 unicast
	remote-as 6666
	descr "CLOUD Supplier"
	depend on carp0
	local-address 172.20.10.10
}

deny from any
allow from any inet prefixlen 8 - 24
deny from any prefix 0.0.0.0/0
deny from any prefix 10.0.0.0/8 prefixlen >= 8
deny from any prefix 169.254.0.0/16 prefixlen >= 16
deny from any prefix 192.0.2.0/24 prefixlen >= 24
deny from any prefix 224.0.0.0/4 prefixlen >= 4
deny from any prefix 240.0.0.0/4 prefixlen >= 4
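The deny/allow lines at the end of each sample config are evaluated in order and, as with pf, the last matching rule decides. As an added example (not code from the original notes and not bgpd's own filter engine), here is a small Python evaluator that understands only the rule forms used above (from any, inet, prefixlen A - B, prefix P with an optional prefixlen >= N) and applies the policy to the prefixes from the "bgpctl show ip bgp" output plus a few constructed bogus ones. It is a model for reasoning about the policy, written here as an assumption about bgpd's matching semantics, not a substitute for bgpd's parser.

```python
"""Evaluate the sample bgpd.conf filter rules against candidate prefixes.
Added example, not code from the original notes."""
import ipaddress

# Filter block from the sample configs (including the 240.0.0.0/4 line that
# the satellite configs add).
FILTER_RULES = """\
deny from any
allow from any inet prefixlen 8 - 24
deny from any prefix 0.0.0.0/0
deny from any prefix 10.0.0.0/8 prefixlen >= 8
deny from any prefix 169.254.0.0/16 prefixlen >= 16
deny from any prefix 192.0.2.0/24 prefixlen >= 24
deny from any prefix 224.0.0.0/4 prefixlen >= 4
deny from any prefix 240.0.0.0/4 prefixlen >= 4
"""

# Prefixes from the 'bgpctl show ip bgp' output above, plus constructed bogus
# ones: a default route, RFC 1918 10/8 space, a too-specific /25, multicast.
SAMPLE_PREFIXES = ["192.168.14.0/24", "192.168.18.0/24", "192.168.24.0/24",
                   "0.0.0.0/0", "10.1.0.0/16", "192.168.14.0/25", "224.0.0.0/8"]


def parse_rule(line):
    """Turn one rule line into (action, matcher, text); matcher(net) -> bool."""
    tok = line.split()
    action = tok[0]
    if action not in ("allow", "deny"):
        raise ValueError(f"unsupported rule: {line}")
    conds = []
    i = 1
    while i < len(tok):
        if tok[i] in ("from", "to"):        # 'from any': the peer is not modelled
            i += 2
        elif tok[i] == "inet":
            conds.append(lambda n: n.version == 4)
            i += 1
        elif tok[i] == "prefix":
            base = ipaddress.ip_network(tok[i + 1])
            i += 2
            if i + 2 < len(tok) and tok[i] == "prefixlen" and tok[i + 1] == ">=":
                minlen = int(tok[i + 2])
                i += 3
                # prefix P prefixlen >= N: any route inside P at least N long
                conds.append(lambda n, b=base, m=minlen: n.version == b.version
                             and n.subnet_of(b) and n.prefixlen >= m)
            else:                           # bare 'prefix P' is an exact match
                conds.append(lambda n, b=base: n == b)
        elif tok[i] == "prefixlen" and i + 3 < len(tok) and tok[i + 2] == "-":
            lo, hi = int(tok[i + 1]), int(tok[i + 3])
            i += 4
            conds.append(lambda n, lo=lo, hi=hi: lo <= n.prefixlen <= hi)
        else:
            raise ValueError(f"unsupported token {tok[i]!r} in: {line}")
    # a rule with no conditions (plain 'deny from any') matches everything
    return action, (lambda n: all(c(n) for c in conds)), line


def load_rules(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip()]


def evaluate(rules, prefix):
    """Return (decision, index of the deciding rule); the last match wins.
    decision is None only if nothing matched, which the sample's leading
    'deny from any' makes impossible."""
    net = ipaddress.ip_network(prefix)
    decision, which = None, None
    for idx, (action, match, _) in enumerate(rules):
        if match(net):
            decision, which = action, idx
    return decision, which


if __name__ == "__main__":
    rules = load_rules(FILTER_RULES)
    for p in SAMPLE_PREFIXES:
        decision, idx = evaluate(rules, p)
        print(f"{p:<18} {decision:<5} by rule {idx}: {rules[idx][2]}")
```

Reading the decisions shows why the order matters: the leading "deny from any" makes the policy default-deny, the "allow ... prefixlen 8 - 24" re-admits sanely sized IPv4 prefixes (so a /25 or a default route never gets in), and the trailing bogon denies override the allow for 10/8, link-local, TEST-NET and multicast space. 192.168.0.0/16 is deliberately absent from the deny list because the three sites announce networks from it.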