Border Gateway Protocol
Alexander, 2014-08-03 17:37:39

How to filter IPv6 prefixes in Quagga BGP?

Good afternoon!

There is the following task: there is a central network (AS65000, networks 192.168.1.0/24 and 2001:470:xxxx::/64) and several additional ones (AS651yy, networks 172.16.yy.0/24 and 2001:470:yyyy::/64). Each network has exactly one gateway, under Linux or FreeBSD, running the Quagga package. The gateways of the additional networks are connected to the central network over OpenVPN (subnet topology; the networks 172.18.65.0/24 and 2001:470:tttt::/64 are used for the tunnels; the central network has the tunnel addresses 172.18.65.1 and 2001:470:tttt::1, the additional ones 172.18.65.yy and 2001:470:tttt::yy).

You need to configure BGP so that:
* routes to all additional networks are available to the central network
* routes to the central network are available to the additional networks
* routes between the additional networks are NOT available to them

Some networks are reachable only over IPv4, some over both IPv4 and IPv6, and some only over IPv6.

At the moment, the bgpd configuration on the central gateway looks like this:

bgpd.conf

!
router bgp 65000
  bgp router-id 172.0.0.1
  !
  neighbor 172.18.65.10 remote-as 65110
  neighbor 172.18.65.10 prefix-list c10-filter-in in
  neighbor 172.18.65.10 prefix-list clients-filter-out out
  !
  neighbor 172.18.65.11 remote-as 65111
  neighbor 172.18.65.11 prefix-list c11-filter-in in
  neighbor 172.18.65.11 prefix-list clients-filter-out out
  !
  neighbor 172.18.65.12 remote-as 65112
  neighbor 172.18.65.12 prefix-list c12-filter-in in
  neighbor 172.18.65.12 prefix-list clients-filter-out out
  !
  neighbor 172.18.65.27 remote-as 65127
  neighbor 172.18.65.27 prefix-list c27-filter-in in
  neighbor 172.18.65.27 prefix-list clients-filter-out out
  !
  neighbor 2001:470:tttt::27 remote-as 65127
  neighbor 2001:470:tttt::27 prefix-list c27-filter6-in in
  neighbor 2001:470:tttt::27 prefix-list c27-filter6-out out
  !
  neighbor 2001:470:tttt::30 remote-as 65130
  neighbor 2001:470:tttt::30 prefix-list c30-filter6-in in
  neighbor 2001:470:tttt::30 prefix-list c30-filter6-out out
  !
  neighbor 2001:470:tttt::40 remote-as 65140
  neighbor 2001:470:tttt::40 prefix-list c40-filter6-in in
  neighbor 2001:470:tttt::40 prefix-list c40-filter6-out out
  !
  address-family ipv4
    network 192.168.1.0/24
    neighbor 172.18.16.2 activate
    neighbor 172.18.65.10 activate
    neighbor 172.18.65.11 activate
    neighbor 172.18.65.12 activate
    neighbor 172.18.65.27 activate
  exit-address-family
  !
  address-family ipv6
    network 2001:470:dc8b:c000::/64
    neighbor 2001:470:tttt::27 activate
    neighbor 2001:470:tttt::30 activate
    neighbor 2001:470:tttt::40 activate
  exit-address-family
  !
  timers bgp 10 30
!
ip prefix-list clients-filter-out seq 20 permit 192.168.1.0/24
ip prefix-list clients-filter-out seq 25 deny any
!
ip prefix-list c10-filter-in seq 20 permit 172.16.10.0/24
ip prefix-list c10-filter-in seq 25 deny any
!
ip prefix-list c11-filter-in seq 20 permit 172.16.11.0/24
ip prefix-list c11-filter-in seq 25 deny any
!
ip prefix-list c12-filter-in seq 20 permit 172.16.12.0/24
ip prefix-list c12-filter-in seq 25 deny any
!
ip prefix-list c27-filter-in seq 20 permit 172.16.27.0/24
ip prefix-list c27-filter-in seq 25 deny any
!
ipv6 prefix-list c27-filter6-in seq 20 permit 2001:470:yy27::/64
ipv6 prefix-list c27-filter6-in seq 25 deny any
ipv6 prefix-list c27-filter6-out seq 20 permit 2001:470:xxxx::/64
ipv6 prefix-list c27-filter6-out seq 25 deny any
!
ipv6 prefix-list c30-filter6-in seq 20 permit 2001:470:yy30::/64
ipv6 prefix-list c30-filter6-in seq 25 deny any
ipv6 prefix-list c30-filter6-out seq 20 permit 2001:470:xxxx::/64
ipv6 prefix-list c30-filter6-out seq 25 deny any
!
ipv6 prefix-list c40-filter6-in seq 20 permit 2001:470:yy40::/48
ipv6 prefix-list c40-filter6-in seq 30 deny any
ipv6 prefix-list c40-filter6-out seq 20 permit 2001:470:xxxx::/64
ipv6 prefix-list c40-filter6-out seq 25 deny any
!
line vty
!



On an additional c27 network gateway (available over IPv4 and IPv6):

bgpd.conf

!
router bgp 65127
  bgp router-id 172.16.27.1
  !
  neighbor 172.18.65.1 remote-as 65000
  neighbor 2001:470:tttt::1 remote-as 65000
  !
  address-family ipv4
    network 172.16.27.0/24
    neighbor 172.18.65.1 activate
  exit-address-family
  !
  address-family ipv6
    network 2001:470:yy27::/64
    neighbor 2001:470:tttt::1 activate
  exit-address-family
  !
  timers bgp 10 30
!



For IPv4 the task is completely solved: every gateway of an additional network receives via BGP a single route through the tunnel to the network 192.168.1.0/24 and does not see the other additional networks.

For IPv6 it seems that the ipv6 prefix-lists do not work at all: all gateways see all networks.
What is required is that each gateway in the additional networks receive only one route, to the network 2001:470:xxxx::/64.
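The behaviour described above follows from where the filters are attached, not from the prefix-lists themselves. In Quagga a `neighbor X prefix-list NAME in|out` statement given at `router bgp` level is bound to the IPv4 unicast address family only. For the IPv6 sessions it therefore binds nothing useful, and the routes exchanged under `address-family ipv6` are never filtered. The IPv4 statements happen to work because `bgp default ipv4-unicast` (on by default) activates that family for every neighbor. IPv6 filters have to be attached inside `address-family ipv6`. The corrected central-gateway fragment below is an added example and not part of the original post. It keeps the posted prefix-list names and placeholder prefixes (xxxx, tttt, yy27 and so on, with the central IPv6 network written as 2001:470:xxxx::/64 throughout), shows only one of the IPv4 peers because the others follow the same pattern, merges the three identical outbound IPv6 lists into a single `clients-filter6-out` (a new name, mirroring `clients-filter-out`), and adds `no bgp default ipv4-unicast`, an assumption about the intended setup: it stops IPv4 unicast from being negotiated on the IPv6-addressed sessions, so each session carries exactly one address family and the explicit `activate` lines decide what is exchanged.

```text
!
router bgp 65000
  bgp router-id 172.0.0.1
  ! Assumption: one address family per session. Without this, every
  ! IPv6-addressed peer also gets IPv4 unicast negotiated implicitly.
  no bgp default ipv4-unicast
  !
  neighbor 172.18.65.27 remote-as 65127
  neighbor 2001:470:tttt::27 remote-as 65127
  neighbor 2001:470:tttt::30 remote-as 65130
  neighbor 2001:470:tttt::40 remote-as 65140
  !
  address-family ipv4
    network 192.168.1.0/24
    neighbor 172.18.65.27 activate
    ! Per-neighbor filters belong to the address family they should act on.
    neighbor 172.18.65.27 prefix-list c27-filter-in in
    neighbor 172.18.65.27 prefix-list clients-filter-out out
  exit-address-family
  !
  address-family ipv6
    network 2001:470:xxxx::/64
    neighbor 2001:470:tttt::27 activate
    neighbor 2001:470:tttt::27 prefix-list c27-filter6-in in
    neighbor 2001:470:tttt::27 prefix-list clients-filter6-out out
    neighbor 2001:470:tttt::30 activate
    neighbor 2001:470:tttt::30 prefix-list c30-filter6-in in
    neighbor 2001:470:tttt::30 prefix-list clients-filter6-out out
    neighbor 2001:470:tttt::40 activate
    neighbor 2001:470:tttt::40 prefix-list c40-filter6-in in
    neighbor 2001:470:tttt::40 prefix-list clients-filter6-out out
  exit-address-family
  !
  timers bgp 10 30
!
ip prefix-list clients-filter-out seq 20 permit 192.168.1.0/24
ip prefix-list clients-filter-out seq 25 deny any
!
ip prefix-list c27-filter-in seq 20 permit 172.16.27.0/24
ip prefix-list c27-filter-in seq 25 deny any
!
! One shared outbound list for IPv6, as for IPv4: every client is sent
! the central /64 and nothing else, so clients never learn each other.
ipv6 prefix-list clients-filter6-out seq 20 permit 2001:470:xxxx::/64
ipv6 prefix-list clients-filter6-out seq 25 deny any
!
! Inbound: accept exactly the prefix each client is supposed to own.
ipv6 prefix-list c27-filter6-in seq 20 permit 2001:470:yy27::/64
ipv6 prefix-list c27-filter6-in seq 25 deny any
ipv6 prefix-list c30-filter6-in seq 20 permit 2001:470:yy30::/64
ipv6 prefix-list c30-filter6-in seq 25 deny any
ipv6 prefix-list c40-filter6-in seq 20 permit 2001:470:yy40::/48
ipv6 prefix-list c40-filter6-in seq 30 deny any
!
```

After reloading bgpd, `show bgp ipv6 neighbors 2001:470:tttt::27 advertised-routes` in vtysh should list only 2001:470:xxxx::/64 for each client session, and `show bgp ipv6` on the central gateway should contain one client prefix per session. The hub is the only place that enforces the isolation in this design, so an inbound `ipv6 prefix-list` on each additional gateway that permits only the central /64 is a cheap second line of defence against a future mistake in the central configuration; the same consideration applies to the IPv4 side.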
