topic Re: Best method to advertise BGP from ClusterXL VIP? in Firewall and Security Management

Best method to advertise BGP from ClusterXL VIP?

Rob_Shears — Wed, 27 Apr 2022 02:29:30 GMT

I have a clusterxl interface setup between 2 gateways.

I have a /30 to advertise (yes, I know. Small for BGP but this is the ISPs requirement).

After arguing with a vendor and doing a bunch of reading, the docs lead me to believe ClusterXL will support BGP just fine.

What is my best option to advertise the /30 from the cluster?

Since it's a /30 (only allowing 2 ips), I established an interface VIP with 72.131.248.249/30 between members on a private subnet - 172.17.1.5 and 172.17.1.6.

Redistribute interface seems to work perfectly, but I'm unable to filter out the 172.17.x.x on the CP side.

Should I be setting up a static route for 72.131.248.249/30 with an interface gateway only and redistribute that?

Or a NAT pool?

Both of the last two options seemingly don't work for me. BGP is established but the route is not pushed.

cp-gw-1> show bgp peer 172.17.0.1 adj-rib-out

... shows routes when "Interface" is selected, but not when a static route or NAT pool is used for redistribution in Gaia.

Re: Best method to advertise BGP from ClusterXL VIP?

Sundeep_Mudgal — Wed, 27 Apr 2022 02:51:57 GMT

You have few options:

1) Using NAT-Pools.

2) Using static routes.

3) Using routemaps and match on an exact prefix and protocol direct. Check sk100501.

Last option is the most standard way of redistributing routes.

Re: Best method to advertise BGP from ClusterXL VIP?

Rob_Shears — Wed, 27 Apr 2022 14:26:09 GMT

For some reason I can't get NAT Pools or static routes to work.

Using "interfaces" works. If I use the same route that "interfaces" pushed but via NAT-Pools or static routes, the bgp session is established but no route is advertised by the CP. Will continue to play.

Re: Best method to advertise BGP from ClusterXL VIP?

Sundeep_Mudgal — Wed, 27 Apr 2022 15:53:11 GMT

You will have to explicitly redistribute NAT pools to the destination AS. If you are using routemaps then route-redistribution commands will not work.

Re: Best method to advertise BGP from ClusterXL VIP?

Rob_Shears — Wed, 27 Apr 2022 21:31:36 GMT

No routemap commands issued, so they shouldn't be overriding my attempts.

Using "interfaces" redistribution, the routes 72.131.248.249/30 and 172.17.1.4/30 are redistributed as seen with "show bgp peers adj-rib-out". I would like to use Gaia web ui and find a way to only push 72.131.248.249/30.

I've tried creating a static route blackhole for 72.131.248.249/30 and using the "static" option. "show bgp peers adj-rib-out" says "no route advertised".

I've tried creating a NAT Pool with 72.131.248.249/30 and using the NAT Pool redistribution option. Same. "show bgp peers adj-rib-out" says "no route advertised".

I also tried the "Kernel" option, and it is the same.

Nothing stands out in /var/log/routed* to signify a problem and a bgp session IS established, just no routes advertised.

Re: Best method to advertise BGP from ClusterXL VIP?

Sundeep_Mudgal — Wed, 27 Apr 2022 22:01:33 GMT

I think I know whats happening. The C route is the only active route and therefore static and NAT pools do not become active. You can check in "show route". Only active routes get redistributed.

I don;t think there is any other way besides routemaps to achieve the granularity that you are aiming form. We will try to get this in next maintrain. Would it be possible for you to open a RFE request?

Re: Best method to advertise BGP from ClusterXL VIP?

Rob_Shears — Thu, 28 Apr 2022 13:17:15 GMT

I actually only created the interface (which is actually in the same vmware portgroup) just to have an IP in that range to work with.

So, I think what you're saying is - I can potentially remove the interface all together and use something like NAT Pool - and that will probably work.

I should then be able to create NAT rules for this subset of IPs;

and probably enable automatic proxy arp --> since this is ClusterXL - static arps for the same IP on 2 members probably won't work?

Re: Best method to advertise BGP from ClusterXL VIP?

Sundeep_Mudgal — Thu, 28 Apr 2022 14:27:42 GMT

You can try but this is not what I was suggesting. I was trying to reason out why the relevant prefix is not being redistributed. It would just be simpler if you use routemaps. You can open a configuration task so TAC can help you.

Re: Best method to advertise BGP from ClusterXL VIP?

Rob_Shears — Fri, 29 Apr 2022 09:55:11 GMT

If I removed the interface, it would no longer be a Connected route is what I was getting at.

Would route-maps display on GUI and are they supported on ClusterXL?

Edit: based on your analysis, I removed the interface and the NAT pool instantly started working! Thanks!

Re: Best method to advertise BGP from ClusterXL VIP?

Sundeep_Mudgal — Fri, 29 Apr 2022 15:43:18 GMT

I am glad that it works for you. Regarding your questions:

- Routemaps are not on Web-UI. They are only CLI commands.

- Routemaps work with clustering.