Ernesto Gonzalez Navarro | 1 Aug 2007 02:17

[quagga-users 8760] Problem with VPN

Hello, this is the first time I use this mailing list, so first of all, 
Hi Everybody!

Now, back to business, I've been making tests of quagga in simple and 
controlled environments, and so far so good, it has worked great.

The thing I've been testing is the use of route changes between VPN 
links between our offices, using alternate static routes with higher 
costs, so that when one goes down, the other takes its place. The 
diagram explains it a bit, as much as in a text diagram is possible. The 
3 machines have quagga configured with 4 static routes (2 main routes 
and 2 alternate with a cost of 100)
                                   ________
                                  |  PC_0  |
                            * * * |        | 172.16.0.0/24
          openvpn       *         |________|
            ppp      *                 :
                  *                    :
               *                       : openvpn
            *                          :   ppp
         *  172.16.1.0/24              : 172.16.2.0/24
     ________                       ___:____
    |  PC_1  |         ppp         |  PC_2  |
    |        | ******************* |        |
    |________|       openvpn       |________|

The problem is that the switching of routes works when you remove 
logically the link (i.e. [root]# ifconfig tun0 down), but when you either 
physically remove one link to the VPN, or simply remove the route to 
reach the 

Emmanuel Muncal | 2 Aug 2007 12:01

[quagga-users 8761] Re: Welcome to the "Quagga-users" mailing list (Digest mode)

Good Day to the list!

I am trying to run OSPF over a network with a router with an Alias IP. For example: Router 1 has a PUBLIC IP 2.2.2.2/24 and an alias PRIVATE IP 1.1.1.2/24. The other OSPF peer has PUB IP 2.2.2.3/24 and PRIV IP 1.1.1.3/24.

I got no problems in  OSPF advertisements.  Only that I am learning the routes via the 2 IP. For example: 2.2.2.3   via  2.2.2.3  and via 1.1.1.3. Which is right.

What I want to do is that the PUBLIC IP will learn via PUBLIC IP Interface. While PRIVATE IP  from PRIVATE IP Interface.

Is there such a way to do this?

Sorry for the newbie question.


Thanks in Advance.


Cheers!

Emmanuel



_______________________________________________
Quagga-users mailing list
Quagga-users@...
http://lists.quagga.net/mailman/listinfo/quagga-users
emmanuel vize | 2 Aug 2007 12:49

[quagga-users 8762] Re: Welcome to the "Quagga-users" mailing list (Digest mode)

Hi,
Would separate areas solve the problem ?
I mean have public interfaces in area 0 and private interfaces in area 1.
This way, you will have separate neighboring on private and public 
interfaces.
If area 1 is a stub area, the routes learned on public interfaces won't 
be announced via the private interfaces.

Emmanuel Muncal wrote:
> Good Day to the list!
>
> I am trying to run OSPF over a network with a router with an Alias IP.
> For example: Router 1 has a PUBLIC IP 2.2.2.2/24
> and an alias PRIVATE IP 1.1.1.2/24. The other OSPF
> peer has PUB IP 2.2.2.3/24 and PRIV IP 1.1.1.3/24.
>
> I got no problems in OSPF advertisements. Only that I am learning
> the routes via the 2 IP. For example: 2.2.2.3 via
> 2.2.2.3 and via 1.1.1.3. Which is
> right.
>
> What I want to do is that the PUBLIC IP will learn via PUBLIC IP
> Interface. While PRIVATE IP from PRIVATE IP Interface.
>
> Is there such a way to do this?
>
> Sorry for the newbie question.
>
>
> Thanks in Advance.
>
>
> Cheers!
>
> Emmanuel
Emmanuel Muncal | 2 Aug 2007 14:53

[quagga-users 8763] Re: Welcome to the "Quagga-users" mailing list (Digest mode)

Hello:

Thanks for the prompt reply.

This is just defining the following right?:

router ospf
 router-id 2.2.2.2
 network 2.2.2.0/24 area 0.0.0.0
 network 1.1.1.0/24 area 0.0.0.1

It seems they have the same result. Maybe an additional configuration that I haven't encountered would resolve this.


Thanks Again for the reply.


Anyone, tried the same set up? How did you go about it?

 

On 8/2/07, emmanuel vize < emmanuel.vize-pdR9zngts4EAvxtiuMwx3w@public.gmane.org> wrote:
Hi,
Would separate areas solve the problem ?
I mean have public interfaces in area 0 and private interfaces in area 1.
This way, you will have separate neighboring on private and public
interfaces.
If area 1 is a stub area, the routes learned on public interfaces won't
be announced via the private interfaces.







--
Regards,

Emmanuel Muncal, ECE

"Why geeks like computers: unzip, strip, touch, finger, grep, mount, fsck, more, yes,fsck,fsck,fsck,umount, sleep." --unknown


[quagga-users 8764] Integrating bgpd and iptables

Hello list,

has anyone made any kind of integration between quagga's BGP daemon and 
iptables?
I need to do something like CISCO ACLs to restrict traffic from some 
clients to specific blocks
received from a few ASNs.

For example, say that I receive full feeds from an uplink, and a 
client buys traffic for only certain ASN, say 65530 and 65520.
My BGP configuration will announce only those two ASN to my client, but 
how can I make sure that the client isn't going to set his default 
gateway to my router and use my access to other ASNs?

My idea was to use something integrated between bgpd and iptables to 
only accept traffic from his networks to the blocks from those two ASNs, 
and deny any other kind of connection.

Any suggestions? Any idea will be appreciated.

-- 
Yours,

Felipe Grazziotin
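
One way to build the filter asked about above, as an added example that is not from the thread or the Quagga project: select the prefixes whose origin ASN the client has bought, collapse them, and emit ipset and iptables commands that forward the client's traffic only to those blocks. The route list, set name and client network are constructed placeholders, and the example assumes a kernel with ipset support.

```python
import ipaddress

# Constructed sample input: (prefix, AS_PATH) pairs using documentation
# prefixes and private ASNs. How they are exported from bgpd is out of scope.
SAMPLE_ROUTES = [
    ("198.51.100.0/25", [64512, 65530]),
    ("198.51.100.128/25", [64512, 65530]),
    ("203.0.113.0/24", [64512, 64513, 65520]),
    ("192.0.2.0/24", [64512, 65510]),  # origin ASN the client did not buy
    ("0.0.0.0/0", [64512]),            # default route must never be allowed
]


def allowed_prefixes(routes, purchased_asns):
    """Collapsed networks whose origin ASN (last AS in the path) was purchased."""
    nets = []
    for prefix, as_path in routes:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 or not as_path:
            continue  # skip default and locally originated routes
        if as_path[-1] in purchased_asns:
            nets.append(net)
    return list(ipaddress.collapse_addresses(nets))


def render_rules(set_name, client_net, nets):
    """Return (ipset commands, iptables commands) for one client."""
    client = ipaddress.ip_network(client_net)  # rejects malformed input
    ipset_cmds = [f"ipset create {set_name} hash:net"]
    ipset_cmds += [f"ipset add {set_name} {n}" for n in nets]
    iptables_cmds = [
        # Forward client traffic only when the destination is in the set ...
        f"iptables -A FORWARD -s {client} -m set --match-set {set_name} dst -j ACCEPT",
        # ... and drop everything else the client tries to send through us.
        f"iptables -A FORWARD -s {client} -j DROP",
    ]
    return ipset_cmds, iptables_cmds


if __name__ == "__main__":
    nets = allowed_prefixes(SAMPLE_ROUTES, {65530, 65520})
    for cmd in sum(render_rules("client_a_dst", "10.10.0.0/24", nets), []):
        print(cmd)
```

The set has to be regenerated whenever the BGP table changes, otherwise the filter drifts from what is actually announced to the client.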
Beavis | 4 Aug 2007 14:57

[quagga-users 8765] Re: Quagga-users Digest, Vol 49, Issue 4

Have you tried the ACL feature that quagga has? Might want to check out this link.

http://harrychanputra.wordpress.com/2007/07/08/bgp-routing-setup-with-bgp-communities/

regards,
beavis

On 8/4/07, quagga-users-request-UOy77sIEA+cAd7ICUelF/Q@public.gmane.org < quagga-users-request-UOy77sIEA+cAd7ICUelF/Q@public.gmane.org> wrote:
Message: 1
Date: Fri, 03 Aug 2007 12:19:44 -0300
From: Felipe Grazziotin - SouthTech SuperDatacenter
        < fgrazziotin-+kFIu4fVGTY4j/f6Vo8NEw@public.gmane.org>
Subject: [quagga-users 8764] Integrating bgpd and iptables
To: quagga-users-UOy77sIEA+cAd7ICUelF/Q@public.gmane.org
Message-ID: < 46B34790.5080506-+kFIu4fVGTY4j/f6Vo8NEw@public.gmane.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hello list,

has anyone made any kind of integration between quagga's BGP daemon and
iptables?
I need to do something like CISCO ACLs to restrict traffic from some
clients to specific blocks
received from a few ASNs.

For example, say that I receive full feeds from an uplink, and a
client buys traffic for only certain ASN, say 65530 and 65520.
My BGP configuration will announce only those two ASN to my client, but
how can I make sure that the client isn't going to set his default
gateway to my router and use my access to other ASNs?

My idea was to use something integrated between bgpd and iptables to
only accept traffic from his networks to the blocks from those two ASNs,
and deny any other kind of connection.

Any suggestions? Any idea will be appreciated.

--
Yours,

Felipe Grazziotin



Josh Nertrino | 4 Aug 2007 18:38

[quagga-users 8766] announcing /24 prefix to our upstream without our own ASN

Hello folks. Looking forward to use quagga for announcing our own /24 prefix to our upstream provider that will broadcast our ip allocation under their own ASN. We do not have our own ASN.
 
How do I run this prefix announcement to our upstream provider without our own ASN? Can I just use a fake ASN number that our upstream will replace with their own? We do not want to run pre-defined route, but prefer using a BGP session - in case our quagga box goes down - the route disappears from that particular location.
 
Thank you in advance.
Jeff

Paul Cupis | 4 Aug 2007 19:13

[quagga-users 8767] Re: announcing /24 prefix to our upstream without our own ASN

Josh Nertrino wrote:
> Hello folks. Looking forward to use quagga for announcing our own /24 
> prefix to our upstream provider that will broadcast our ip allocation 
> under their own ASN. We do not have our own ASN.

What is your prefix? Why don't you get an ASN?

> How do I run this prefix announcement to our upstream provider without 
> our own ASN?

Private ASN.

> Can I just use a fake ASN number that our upstream will 
> replace with their own?

No.

Regards,
Arnold Nipper | 4 Aug 2007 19:38

[quagga-users 8768] Re: announcing /24 prefix to our upstream without our own ASN

On 04.08.2007 18:38 Josh Nertrino wrote

> Hello folks. Looking forward to use quagga for announcing our own /24
> prefix to our upstream provider that will broadcast our ip allocation
> under their own ASN. We do not have our own ASN.
>  
> How do I run this prefix announcement to our upstream provider without
> our own ASN? Can I just use a fake ASN number that our upstream will
> replace with their own? We do not want to run pre-defined route,
> but prefer using a BGP session - in case our quagga box goes down - the
> route disappears from that particular location.
>  

First hit when googling for "private AS numbers" is what you want ;-)

http://www.cisco.com/warp/public/459/36.html

Easy, wasn't it?

Arnold
-- 
Arnold Nipper, AN45
John Payne | 5 Aug 2007 21:38

[quagga-users 8769] Re: BGP inbound session requests


On Jul 13, 2007, at 8:08 PM, Bill Fowler wrote:

> Hello,
>
> I just activated BGP with XO and had a problem where session was  
> stuck in "Connect" state.  We found that XO ACL did not accept  
> inbound session requests from us and once the ACL was removed it  
> worked.  As a result XO is telling me that Quagga needs to accept  
> inbound BGP session requests from XO for things to work.  I tried  
> to find such a config setting but need help on how to do this, or  
> confirmation that it can't be done with Quagga.   Not sure why XO  
> insist on this policy, I have BGP connections with other providers  
> without this issue.

quagga's bgp might be getting "confused" by the lack of response to  
its outbound connect and blocking the inbound one from XO.

Try making the XO neighbor passive.

if that doesn't do the trick, are you perchance using an old MD5  
patch to bgpd?
