On 2/20/20 7:18 PM, Arturo Borrero Gonzalez wrote:
> Shall we just establish the BGP session using these 2 addresses? Honestly on the
> neutron side I don't have any more addresses, so at least the CR should be
> configured to peer with 208.80.153.190 only (unless in future tests I discover
> there are other ways of doing this).

My assumptions were wrong. Apparently neutron ignores the software defined
transport network and uses the physical network for doing the BGP stuff.

This is the neutron BGP agent trying to contact the core router:

11:05:18.615101 IP 10.192.20.10.34716 > 208.80.153.185.179: Flags [S], seq 2498112052, win 29200, options [mss 1460,sackOK,TS val 1130299297 ecr 0,nop,wscale 9], length 0

For tests, I configured the BGP peer to contact 208.80.153.185 which is
vrrp-gw-2120.wikimedia.org (i.e., the core router VIP in the cloud transport
network).

Note how the source address is 10.192.20.10 (cloudnet2002-dev.codfw.wmnet).

So I'm discarding my approach and creating the BGP session using the physical
network. You should allow BGP from the following addresses:

* cloudnet2002-dev.codfw.wmnet: 10.192.20.10
* cloudnet2003-dev.codfw.wmnet: 10.192.20.12

And I will contact:

* cr1-codfw IP: 208.80.153.186
* cr2-codfw IP: 208.80.153.187

as you originally suggested.

regards.

--
Arturo Borrero Gonzalez
SRE / Wikimedia Cloud Services
Wikimedia Foundation
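
The check described in the message above, as an added example that is not part of the original e-mail: it parses `tcpdump -n` lines, picks out initial SYNs to tcp/179, and compares the source and destination with the addresses listed in the message. The function names and all sample lines except the first are constructed for illustration.

```python
import ipaddress
import re

# Addresses taken from the message above.
ALLOWED_SOURCES = {
    ipaddress.ip_address("10.192.20.10"),  # cloudnet2002-dev.codfw.wmnet
    ipaddress.ip_address("10.192.20.12"),  # cloudnet2003-dev.codfw.wmnet
}
EXPECTED_PEERS = {
    ipaddress.ip_address("208.80.153.186"),  # cr1-codfw
    ipaddress.ip_address("208.80.153.187"),  # cr2-codfw
}
BGP_PORT = 179
# tcpdump -n IPv4 TCP line: "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def classify(line):
    """Return (src, dst, verdict) for a BGP connection attempt, else None."""
    m = LINE_RE.match(line)
    if not m or int(m["dport"]) != BGP_PORT or m["flags"] != "S":
        return None  # not an initial SYN towards tcp/179
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    if src not in ALLOWED_SOURCES:
        verdict = "source-not-allowed"
    elif dst not in EXPECTED_PEERS:
        verdict = "unexpected-peer"
    else:
        verdict = "ok"
    return str(src), str(dst), verdict

def audit(lines):
    """Classify every BGP connection attempt found in the capture lines."""
    return [r for r in map(classify, lines) if r is not None]

# First line is the capture quoted in the message (joined onto one line);
# the other three are constructed sample input.
SAMPLE = [
    "11:05:18.615101 IP 10.192.20.10.34716 > 208.80.153.185.179: Flags [S], seq 2498112052, win 29200, options [mss 1460,sackOK,TS val 1130299297 ecr 0,nop,wscale 9], length 0",
    "11:07:02.000001 IP 10.192.20.12.40112 > 208.80.153.187.179: Flags [S], seq 1, win 29200, length 0",
    "11:07:03.000001 IP 208.80.153.190.40113 > 208.80.153.186.179: Flags [S], seq 1, win 29200, length 0",
    "11:07:04.000001 IP 10.192.20.10.40114 > 208.80.153.186.443: Flags [S], seq 1, win 29200, length 0",
]

if __name__ == "__main__":
    for src, dst, verdict in audit(SAMPLE):
        print(f"{src} -> {dst}: {verdict}")
```

The quoted capture is reported as `unexpected-peer` because it targets the test VIP 208.80.153.185 rather than cr1-codfw or cr2-codfw.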