For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

aj1's avatar
aj1
Icon for Nimbostratus rankNimbostratus
Jul 14, 2015

BGP and Route-Domains

We recently licensed the CGNAT module for NAT44. I'm trying to setup two route-domains (rd0 - the default and rd1 - child of rd0), each having one vlan, and advertise routes (LSN pool and a default virtual server 0.0.0.0/0) from these RDs. (Default RD) RD0 will advertise the LSN pool and RD1 will advertise the default virtual server. The advertisements are done using BGP with an upstream router. In CGNAT both pools and virtual servers need to be advertised and both are kernel routes.

So far I've successfully been able to configure BGP in the default RD0 and advertise the LSN pool. I can see the pool prefix being advertised by BGP. Although, I cannot seem to advertise a 0.0.0.0/0 virtual server from RD1. RD1 has the exactly the same BGP config as RD0. And "Route Advertisement" is enabled under "Virtual Server Addresses". This can be something obvious that I'm clearly missing. Would really appreciate any inputs, if anyone has configured their environment in a similar fashion (even if they aren't using the CGNAT module).

LSN Pool:

ltm lsn-pool cgnat_pool {
    egress-interfaces {
        VLAN_709
    }
    egress-interfaces-enabled
    members {
        10.10.64.0/18
    }
    route-advertisement enabled
}


Virtual Servers:

ltm virtual vs_rd1 {
    destination 0.0.0.0%1:any
    ip-protocol tcp
    mask any
    profiles {
        fastL4 { }
    }
    source 0.0.0.0%1/0
    source-address-translation {
        pool cgnat_pool
        type lsn
    }
    translate-port disabled
    vlans {
        VLAN_701
    }
    vlans-enabled
}


Route Domains:

net route-domain 0 {
    id 0
    routing-protocol {
        BFD
        OSPFv2
        BGP
    }
    vlans {
        http-tunnel
        socks-tunnel
        VLAN_709
    }
}

net route-domain rd1 {
    id 1
    parent 0
    routing-protocol {
        OSPFv2
        BFD
        BGP
    }
    vlans {
        VLAN_701
    }
}


BGP Config:

**RD0**
f5CGNAT[0]show run
!
router bgp 64998
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 bgp graceful-restart restart-time 120
 redistribute kernel
 neighbor 198.82.148.116 remote-as 1111
 neighbor 192.168.148.116 capability graceful-restart
!

f5CGNAT[0]show ip route 
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

C       127.0.0.1/32 is directly connected, lo
C       127.1.1.0/24 is directly connected, tmm0
K       10.10.64.0/18 is directly connected, tmm0
C       192.168.148.116/30 is directly connected, VLAN_709

Gateway of last resort is not set

f5CGNAT[0]show ip bgp ==> nat pool getting advertised
BGP table version is 1, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, l - labeled
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric     LocPrf     Weight Path
*> 10.10.64.0/18   0.0.0.0                                    32768 ?

Total number of prefixes 1
f5CGNAT[0]

**RD1**
f5CGNAT[1]show run
!
router bgp 64998
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 bgp graceful-restart restart-time 120
 redistribute kernel
 neighbor 172.14.0.4 remote-as 1111
 neighbor 172.14.0.4 capability graceful-restart
!

f5CGNAT[1]show ip route 
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

K*      0.0.0.0/0 is directly connected, tmm0
C       127.0.0.1/32 is directly connected, lo
C       127.1.1.0/24 is directly connected, tmm0
C       172.14.0.4/30 is directly connected, VLAN_701

f5CGNAT[1]show ip bgp ==> virtual server not getting advertised, neighbor relationship is good.

f5CGNAT[1]
application delivery
deployment
design
LTM
TMSH

9 Replies

  • Ronald_van_der3's avatar
    Ronald_van_der3
    Icon for Nimbostratus rankNimbostratus
    Jul 16, 2015

    Did you enable the 'Route Advertisement' checkbox under Virtual Address configuration (and if so, is the VS up)?

     

    • aj1's avatar
      aj1
      Icon for Nimbostratus rankNimbostratus
      Jul 16, 2015
      Yes, the output of "show ip route" in RD1 indicates that, the route indicated as "K*". ltm virtual-address 0.0.0.0%1 { address any%1 arp disabled icmp-echo disabled mask any route-advertisement enabled traffic-group traffic-group-1 }
  • Ronald_van_der_'s avatar
    Ronald_van_der_
    Icon for Nimbostratus rankNimbostratus
    Jul 16, 2015

    Did you enable the 'Route Advertisement' checkbox under Virtual Address configuration (and if so, is the VS up)?

     

    • aj1's avatar
      aj1
      Icon for Nimbostratus rankNimbostratus
      Jul 16, 2015
      Yes, the output of "show ip route" in RD1 indicates that, the route indicated as "K*". ltm virtual-address 0.0.0.0%1 { address any%1 arp disabled icmp-echo disabled mask any route-advertisement enabled traffic-group traffic-group-1 }
  • What_Lies_Bene1's avatar
    What_Lies_Bene1
    Icon for Cirrostratus rankCirrostratus
    Jul 17, 2015

    Hey Ajinkya

    It's Steve (from the Quagga mailing list). I wonder, can you add 

    /0
    to your 
    vs_rd1
    virtual server destination address please?

    Also, could you also provide the output of the 

    ip r
    command, run from within the HMS (the standard bash command line) please?

    Also, perhaps you could turn on debug logging as described here: https://support.f5.com/kb/en-us/solutions/public/14000/400/sol14490.html

    Also note Michael's note about adding a network statement for 0.0.0.0 in your BGP configuration.

  • aj1's avatar
    aj1
    Icon for Nimbostratus rankNimbostratus
    Jul 17, 2015

    Hey Steve!

    Yes, I did add 

    /0
    to the virtual server. Lets me do that on the GUI, not very clear in tmsh.

    ltm virtual vs_rd1 {
    destination 0.0.0.0%1:any
    mask any
    profiles {
        fastL4 { }
    }
    source 0.0.0.0%1/0
    source-address-translation {
        pool cgnat_pool
        type lsn
    }
    translate-port disabled
    vlans {
        VLAN_701
    }
    vlans-enabled
}


    ip r
    for RD0 and RD1:

    [admin@f5CGNAT:/S1-green-P:Eval:Active:Standalone] ~  ip r
192.168.148.116/30 dev VLAN_709  proto kernel  scope link  src 192.168.148.117 
127.1.1.0/24 dev tmm0  proto kernel  scope link  src 127.1.1.1 
127.3.0.0/24 dev mgmt_bp  proto kernel  scope link  src 127.3.0.1 
198.82.245.0/24 dev mgmt  proto kernel  scope link  src 198.82.245.112 
198.82.245.0/24 dev mgmt  scope link  src 198.82.245.112  metric 9 
127.2.0.0/24 dev mgmt.1  proto kernel  scope link  src 127.2.0.2 
127.7.0.0/16 via 127.1.1.254 dev tmm0 
127.20.0.0/16 dev tmm_bp  proto kernel  scope link  src 127.20.1.254 
default via 198.82.245.1 dev mgmt  metric 9  mtu 1500

[admin@f5CGNAT:/S1-green-P:Eval:Active:Standalone] ~  rdexec 1 ip r
172.14.0.4/30 dev VLAN_701  proto kernel  scope link  src 172.14.0.5 
127.1.1.0/24 dev tmm0  proto kernel  scope link  src 127.1.1.1

    Turned on logging. Pretty much seeing keepalives for neighbor relationships. I'm using "neighbor x.x.x.x default-originate" instead of "network 0.0.0.0/0", and I can now see the default getting advertised by BGP.

    f5CGNAT[1]show ip bgp neighbors 172.14.0.4 advertised-routes 
BGP table version is 6, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric     LocPrf     Weight Path
*> 0.0.0.0/0        172.14.0.5                        100      32768 i
*> 172.24.0.0       172.14.0.5                                 32768 ?

    But my question again, the default above is not a virtual server route that references an LSN pool. It was introduced because of "default-originate". How do clients get NAT'd if the are not connecting to the virtual server? "show ip route" shows the default virtual server route. How can I advertise that using BGP.

    f5CGNAT[1]show ip route 
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

K*      0.0.0.0/0 is directly connected, tmm0
C       127.0.0.1/32 is directly connected, lo
C       127.1.1.0/24 is directly connected, tmm0
K       172.24.0.0/16 is directly connected, tmm0
C       172.14.0.4/30 is directly connected, VLAN_701

    Thanks.

  • What_Lies_Bene1's avatar
    What_Lies_Bene1
    Icon for Cirrostratus rankCirrostratus
    Jul 20, 2015

    Sounds like this might be one for F5 support - do you have a contract in place?

     

    Regardless, surely as long as the default route is advertised (however that's done) then the traffic will arrive on the correct F5 interface and be dealt with correctly?

     

  • aj1's avatar
    aj1
    Icon for Nimbostratus rankNimbostratus
    Jul 20, 2015

    Yes, we do, C1877628. Do you mean that the default route will take care of traffic arrival on the correct (RD1) interface and the listener 

    0.0.0.0%1/0.any
    on that interface will take care of the translations (since it will match everything).