Is it possible to deploy FRR BGP processes on the same Linux server, establish BGP neighbors with three other servers, and then segment by business application scenarios? #16448
Closed
maojianyou
started this conversation in
General
Replies: 1 comment
-
I'm confused. Do you have VRFs configured? How is this related (communication issues) to BGP (not advertising something)?
Description
As shown in the network topology diagram, A, B, and C are three different services. A, B, C, and D’s eth1 are on the same subnet, and eth0 is the default gateway for accessing the internet. I now want to announce AD, BD, and CD, all of which announce FRRouting’s BGP to establish BGP processes. Then, on D, I want to announce target routes. For example, for A to announce its subnet on D, it only needs to announce the network 11.11.11.0/24; for B to announce its subnet on D, it only needs to announce the network 11.11.12.0/24; for C to announce its subnet on D, it only needs to announce the network 11.11.13.0/24. If a BGP process is enabled on D, then ABC will receive 11.11.11.0/24, 11.11.12.0/24, and 11.11.13.0/24. I want to achieve subnet isolation on D.
Version
How to reproduce
reference file:
router bgp 1
 neighbor 10.0.0.1 remote-as 20
 neighbor 10.0.0.2 remote-as 30
!
router bgp 2 vrf blue
 neighbor 10.0.0.3 remote-as 40
 neighbor 10.0.0.4 remote-as 50
!
router bgp 3 vrf red
 neighbor 10.0.0.5 remote-as 60
 neighbor 10.0.0.6 remote-as 70
Expected behavior
D:
router bgp 65002 vrf AD
 bgp router-id 192.168.32.1
 no bgp ebgp-requires-policy
 no bgp network import-check
 neighbor A peer-group
 neighbor A remote-as 65012
 neighbor A update-source 192.168.32.1
 neighbor 192.168.32.2 peer-group A
 no neighbor 192.168.32.2 enforce-first-as
 !
 address-family ipv4 unicast
  network 11.11.11.0/24
router bgp 65003 vrf BD
 bgp router-id 192.168.32.1
 no bgp ebgp-requires-policy
 no bgp network import-check
 neighbor B peer-group
 neighbor B remote-as 65012
 neighbor B update-source 192.168.32.1
 neighbor 192.168.32.3 peer-group B
 no neighbor 192.168.32.3 enforce-first-as
 !
 address-family ipv4 unicast
  network 11.11.12.0/24
!
router bgp 65004 vrf CD
 bgp router-id 192.168.32.1
 no bgp ebgp-requires-policy
 no bgp network import-check
 neighbor C peer-group
 neighbor C remote-as 65014
 neighbor C update-source 192.168.32.1
 neighbor 192.168.32.4 peer-group C
 no neighbor 192.168.32.4 enforce-first-as
 !
 address-family ipv4 unicast
  network 11.11.13.0/24
Actual behavior
However, in practice, they cannot establish neighbor communication through port 179. Only the default router bgp 65000 process can communicate, while the other VRFs cannot communicate.
Could you provide a specific configuration document or example? If this method cannot be implemented, is it possible to achieve business isolation by using policy routing along with a single BGP process (65000) to differentiate and announce the network subnets?
Additional context
No response
Checklist
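The single-instance alternative asked about at the end of the post, sketched as an added example that is not part of the original discussion or of FRR's documentation: one `router bgp 65000` on D with a per-neighbor outbound route-map, so each peer is sent only its own prefix. The prefix-list and route-map names and the deny-all inbound policy are assumptions; the addresses, AS numbers and prefixes are the ones posted above.

```frr
! Added example. PL-*/RM-* names are hypothetical.
! One prefix-list per service, matching exactly the prefix D should send it.
ip prefix-list PL-A seq 5 permit 11.11.11.0/24
ip prefix-list PL-B seq 5 permit 11.11.12.0/24
ip prefix-list PL-C seq 5 permit 11.11.13.0/24
!
! Outbound policy: anything not matched falls to the implicit deny.
route-map RM-A-OUT permit 10
 match ip address prefix-list PL-A
!
route-map RM-B-OUT permit 10
 match ip address prefix-list PL-B
!
route-map RM-C-OUT permit 10
 match ip address prefix-list PL-C
!
! Inbound policy (assumption: D accepts nothing from A, B or C).
route-map RM-DENY-IN deny 10
!
router bgp 65000
 bgp router-id 192.168.32.1
 ! "bgp ebgp-requires-policy" is left at its default (enabled): every eBGP
 ! neighbor below has an explicit in and out policy, so a peer added later
 ! without a policy sends and receives no routes.
 no bgp network import-check
 ! remote-as values as posted in the question
 neighbor 192.168.32.2 remote-as 65012
 neighbor 192.168.32.3 remote-as 65012
 neighbor 192.168.32.4 remote-as 65014
 !
 address-family ipv4 unicast
  network 11.11.11.0/24
  network 11.11.12.0/24
  network 11.11.13.0/24
  neighbor 192.168.32.2 route-map RM-A-OUT out
  neighbor 192.168.32.2 route-map RM-DENY-IN in
  neighbor 192.168.32.3 route-map RM-B-OUT out
  neighbor 192.168.32.3 route-map RM-DENY-IN in
  neighbor 192.168.32.4 route-map RM-C-OUT out
  neighbor 192.168.32.4 route-map RM-DENY-IN in
 exit-address-family
!
```

Check each peer with `show ip bgp neighbors 192.168.32.2 advertised-routes` in vtysh. This controls only which routes each peer learns; A, B and C still share the eth1 subnet, so it does not by itself block traffic between them.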