BGP question... (SOT)

Rich Sena ras at thick.net
Sat Jul 27 18:29:06 UTC 2002


On Jul 26, 2002 Gerardo A. Gregory spake:

> 
> On a serious note...I imagine the Nokia is in front of one of the
> Cisco's....(my assumption since the poster is as vague as a capitol hill
> politician)

Yeah sorry - vagueness is an art... it's pretty much a DMZ set up we have 
an outside border (CISCO 7206VXR) and an inside border/distribution border 
(CISCO 6513 MSFC)  The NOKIA is running a flavor of GateD that I have seen 
this problem with before - I did find a work around.  The problem is that 
the CISCO is sending a version identifier (4) that GateD is identifying as 
an authentication string.  The error that the 7206vxr is receiving is a 
'BGP-3 Authentification failure'  I kludged it by setting a MD5 auth 
string on the NOKIA as "4" - that solved the prob on that side - but I 
think I am still having an issue with the 6513.  It was an upgrade that 
our firewall group had rolled into production - to replace a 
Solaris/Checkpoint setup that was running iBGP with Zebra.  All we are 
really passing is default in and accepting some routes from a secure 
server farm connected to the 6513. The Farm will be dual homed to 2 of our 
campuses in the near future (otherwise since it is now stub we could 
static it.)

Anyway - thanks...

> If this is the case, then take the stinking firewall and place it behind the
> router, let the routers do their Peering, and even place some Bogon-lists on
> the router, and some basic bogon filtering for your ingress traffic.  (take
> as much illegitimate traffic off the firewall).

Yeah it is see above..
 
> But hey, does this belong in the NANOG anyway.......?

Prolly not - I asked for replies to me directly and did get quite a few 
helpful ones - I'm replying back to the nog cuz I got spanked a little by 
Sue for the beer off-shoot to this and to provide the little bit more 
detail that you were asking for...  Anyway I took a mulligan on the beer 
thread and am now playing through... thanks...

> 
> my 2 cashings!!!

Kaching - thanks again...

> 
> ----- Original Message -----
> From: "Manolo Hernandez" <manolo at dialtoneinternet.com>
> To: "Rich Sena" <ras at thick.net>
> Cc: "Martin Hannigan" <hannigan at fugawi.net>; "NANOG" <nanog at merit.edu>
> Sent: Friday, July 26, 2002 8:53 AM
> Subject: Re: BGP question... (SOT)
> 
> 
> >
> > This has got to be the strangest setup of BGP I have seen yet. A
> > firewall running an inherently insecure protocol all I can say is have
> > fun.
> >
> > On Fri, 2002-07-26 at 09:31, Rich Sena wrote:
> > >
> > > Noice...
> > >
> > > There has got to be some sort of health code against you and I at the
> > > same bug pulling off the same tap - the laws of gravity etc...
> > >
> > > On Jul 26, 2002 Martin Hannigan spake:
> > >
> > > >
> > > >
> > > >
> > > > On Thu, 25 Jul 2002, Rich Sena wrote:
> > > >
> > > > >
> > > > > OK trying to get a BGP session up between a pair of CISCO routers
> > > > > and a NOKIA running Checkpoint.  Coming across an issue I had with
> > > > > GateD where the NOKIA is choking on a version identifier sent by
> > > > > the CISCO and reporting back a BGP-3 authentification failure for
> > > > > the OPEN message (it's interpreting the version ID as an
> > > > > authentification attempt...
> > > > >
> > > > > Any ideas?
> > > > >
> > > > > Please respond off list...
> > > >
> > > >
> > > > Yeah, ok Sena.
> > > >
> > > > Uh, how about calling me back about beers you slacker ass?
> > > >
> > > >
> > > >
> > >
> > > --
> > > Rich Sena - ras at thick.net
> > > ThickNET Consulting
> > > "On the way to understanding; you understand, and forget."
> > >
> > >
> > >
> >
> >
> 

-- 
Rich Sena - ras at thick.net
ThickNET Consulting
"On the way to understanding; you understand, and forget."

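Added example, not part of the original thread or of any vendor's code: a small decoder for the two BGP messages discussed above, the OPEN (which carries the version number) and the NOTIFICATION reporting an OPEN error, so a capture from either peer can be checked field by field. The field layout and subcode names follow the BGP-4 specification (RFC 1771); the sample messages, AS number and router ID are constructed, and `frame` and `decode` are hypothetical helper names.

```python
import struct

MARKER = b"\xff" * 16  # all-ones marker: no authentication negotiated
TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}
OPEN_ERR = {1: "Unsupported Version Number", 2: "Bad Peer AS",
            3: "Bad BGP Identifier", 4: "Unsupported Optional Parameter",
            5: "Authentication Failure", 6: "Unacceptable Hold Time"}

def frame(mtype: int, body: bytes) -> bytes:
    """Wrap a body in the 19-byte BGP header (used for the constructed samples)."""
    return MARKER + struct.pack("!HB", 19 + len(body), mtype) + body

def decode(msg: bytes) -> dict:
    if len(msg) < 19:
        raise ValueError("shorter than the BGP header")
    marker, length, mtype = struct.unpack("!16sHB", msg[:19])
    if length != len(msg):
        raise ValueError("length field does not match message size")
    out = {"type": TYPES.get(mtype, str(mtype)), "marker_all_ones": marker == MARKER}
    body = msg[19:]
    if mtype == 1:  # OPEN: version, AS, hold time, identifier, optional parameters
        if len(body) < 10:
            raise ValueError("truncated OPEN")
        version, my_as, hold, ident, optlen = struct.unpack("!BHH4sB", body[:10])
        opts = body[10:]
        if optlen != len(opts):
            raise ValueError("optional parameter length mismatch")
        params, i = [], 0
        while i < len(opts):  # each parameter is type, length, value
            if i + 2 > len(opts) or i + 2 + opts[i + 1] > len(opts):
                raise ValueError("truncated optional parameter")
            params.append((opts[i], opts[i + 2:i + 2 + opts[i + 1]]))
            i += 2 + opts[i + 1]
        out.update(version=version, my_as=my_as, hold_time=hold,
                   bgp_id=".".join(str(b) for b in ident),
                   auth_param=any(t == 1 for t, _ in params))  # type 1 = Authentication Information
    elif mtype == 3:  # NOTIFICATION: error code, subcode
        if len(body) < 2:
            raise ValueError("truncated NOTIFICATION")
        out.update(code=body[0], subcode=body[1],
                   meaning=OPEN_ERR.get(body[1]) if body[0] == 2 else None)
    return out

# Constructed samples: AS 65001, hold time 180, router ID 192.0.2.1, no optional parameters.
SAMPLE_OPEN = frame(1, struct.pack("!BHH4sB", 4, 65001, 180, bytes([192, 0, 2, 1]), 0))
SAMPLE_NOTIFY = frame(3, bytes([2, 5]))  # OPEN Message Error / Authentication Failure

if __name__ == "__main__":
    print(decode(SAMPLE_OPEN))
    print(decode(SAMPLE_NOTIFY))
```
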




