Sunday, January 27, 2019

Is this routing behavior likely upstream filtering? (BGP)

So, I have a pair of software routers running FRR (a Quagga fork): OSPF between them and to the layer 3 core switches, BGP (on a public AS) to the upstream, and iBGP between the two routers with next-hop-self. I am seeing two bits of odd behavior. The ISP says there's no filtering (beyond a prefix list on the BGP sessions) on their side, but I can't see how it's misconfiguration on my side, and I'm hoping for a second opinion!

The ISP and the 2 routers on the WAN are in a /29 of the ISP's address space; the routers and my L3 switches are in a /29 of my IP space. At all times I can ping the routers on their IPs in the ISP's /29 from externally (the ISP isn't running multipath). On my /29 I can at all times ping the switches or anything behind the switches (from externally). However, if router 1 is 10.0.0.1/29 (in reality, it is from our owned IP space) and router 2 is 10.0.0.2/29, then when router 1 is currently handling the traffic I can ping 10.0.0.1 but I can't ping 10.0.0.2, and if I clear the BGP session to get them to install the route to router 2, I can briefly ping both. After 30 seconds or so, router 1 stops pinging. (At all times, I can ping both routers from any device on my network, they can ping each other, and I can ping the routers using the ISP's /29.)

The other oddity I am seeing is this: I have an L2TP VPN to a different provider (which I know is pointless for redundancy, throughput, etc.), and if I advertise the prefix to that ISP over the VPN, then I can see traffic coming in over the L2TP tunnel (using tcpdump) but the outbound traffic seems to get blackholed (the L2TP VPN only advertises a default route, vs. a full table from the ISP, so outbound traffic is flowing over the ISP).

Does this sound like uRPF / similar filtering, or is it likely mis-configuration on my side?

Thanks :-)
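Added example (not part of the original post): a small model of the strict-versus-loose reverse-path check (RFC 3704) applied to the ISP's FIB in the scenario above, to show how the symptom of "only the router currently holding the BGP best path answers pings, and they swap when the session is cleared" falls out of a strict check. It assumes the two routers sit on separate ISP-side interfaces (`link-router1`, `link-router2`) and that the ISP applies uRPF, which the post only suspects; the addresses are placeholders.

```python
import ipaddress
from typing import Optional

# Constructed model of the ISP edge router's FIB. The customer /29 is reached
# via whichever router the ISP's single (non-multipath) BGP best path selects.
def build_fib(active_router: str) -> list:
    """FIB entries as (prefix, egress_interface)."""
    return [
        (ipaddress.ip_network("10.0.0.0/29"), active_router),
        (ipaddress.ip_network("0.0.0.0/0"), "upstream"),
    ]

def best_route(fib, address) -> Optional[str]:
    """Longest-prefix match; returns the egress interface or None."""
    addr = ipaddress.ip_address(address)
    matches = [(net, iface) for net, iface in fib if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def urpf_check(fib, src, ingress_iface, mode="strict") -> bool:
    """Reverse-path check on a packet's source address.
    strict: the best route back to the source must leave via the interface
            the packet arrived on.
    loose:  any route to the source other than the default is enough
            (the default is ignored here, as many implementations do by default)."""
    fib_no_default = [(n, i) for n, i in fib if n.prefixlen > 0]
    egress = best_route(fib_no_default, src)
    if mode == "loose":
        return egress is not None
    return egress == ingress_iface

def ping_reply_results(active_router: str, mode="strict") -> dict:
    """Would an ICMP echo reply sourced from each router's own /29 address,
    sent out that router's own ISP link, survive the ISP's check?"""
    fib = build_fib(active_router)
    return {
        "10.0.0.1": urpf_check(fib, "10.0.0.1", "link-router1", mode),
        "10.0.0.2": urpf_check(fib, "10.0.0.2", "link-router2", mode),
    }

if __name__ == "__main__":
    for active in ("link-router1", "link-router2"):
        print(active, "strict:", ping_reply_results(active),
              "loose:", ping_reply_results(active, "loose"))
```

If both routers instead share one ISP-facing interface, the strict check passes for both in this model, since uRPF compares the ingress interface rather than the next-hop; loose mode passes either way, so a loose check would not explain the symptom.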
