BGP Error at VCF Deployment

You just downloaded the latest version of the VMware Cloud Foundation Lab Constructor (VLC) so you can deploy a nested version of VMware Cloud Foundation in your lab. You've read all the articles and followed the directions. You kick off the deployment and then it fails with a BGP error.

Now what? Today I’ll show you something that might help…

It has happened to a lot of us. You’re watching a VCF deployment when you get an error like this:

Previously, I’ve covered some steps on how to troubleshoot BGP. One thing that I didn’t cover there was the checking for incoming and outgoing filters.

RFC 8212 defines the default behavior when no inbound or outbound policy is applied to an eBGP session. In short, its purpose is to prevent route leaks. A route leak is when a peer advertises routes to a provider that are outside the intended scope or simply incorrect. If the provider accepts these routes, it can lead to issues. Most of the time this happens by accident; however, it can also be done maliciously.

To prevent route leaks, the default behavior is therefore to discard updates on any eBGP session that does not have an inbound and an outbound filter explicitly defined.

How can you identify whether this is the issue for you? The easiest way is to look at the neighbor details. If you're using pfSense (as I covered here, here, and here), go to Status -> FRR -> BGP and look at the BGP Neighbor information. At the bottom of the output for a neighbor, check for a message saying that updates were discarded due to a missing policy, like this:

If you see this, you need to define the inbound and outbound filters so that routes can be advertised and accepted. You will also see the same condition in the BGP summary, where the neighbor shows (Policy) instead of a prefix count.

To configure a policy, first go to Services -> FRR -> Global Settings -> Prefix Lists. Add a prefix list and define the attributes as desired. In my case, this is for a lab environment that is not connected to anything else. As a result, I’m just going to configure one prefix list that allows any traffic:

Now go to Services -> FRR -> BGP -> Neighbors. Edit each neighbor definition and specify the appropriate filter for the inbound and outbound messages. Again, as we are in a lab environment, I’ll just specify the same filter for both. This will allow any messages to be sent and received:

Now go back and check the status of the BGP neighbors. You should see that the prefix filter list has been applied:
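For reference, this is the FRR configuration that the GUI steps above end up producing, shown here as an added example rather than anything copied from the post or from pfSense. The ASNs, the neighbor address and the prefix ranges in the tighter lists are constructed placeholders for a lab.

```conf
! Prefix list as used in the post: permit everything in and out.
! Fine for an isolated lab, nothing else.
ip prefix-list LAB-ANY seq 10 permit any
!
! Tighter alternative for a lab that touches anything real: only the
! prefixes this peer is expected to send and receive (constructed ranges).
ip prefix-list VCF-PEER-IN seq 10 permit 10.60.0.0/16 le 24
ip prefix-list VCF-PEER-IN seq 20 deny any
ip prefix-list VCF-PEER-OUT seq 10 permit 192.168.110.0/24
ip prefix-list VCF-PEER-OUT seq 20 deny any
!
router bgp 65001
 ! Leave the RFC 8212 default enabled; attaching filters is the fix,
 ! not "no bgp ebgp-requires-policy".
 bgp ebgp-requires-policy
 neighbor 10.60.0.2 remote-as 65002
 neighbor 10.60.0.2 description vcf-lab-peer
 !
 address-family ipv4 unicast
  ! Without a prefix-list in BOTH directions FRR keeps the neighbor in
  ! the "(Policy)" state and discards its updates.
  ! Swap LAB-ANY for VCF-PEER-IN / VCF-PEER-OUT to use the tighter lists.
  neighbor 10.60.0.2 prefix-list LAB-ANY in
  neighbor 10.60.0.2 prefix-list LAB-ANY out
 exit-address-family
```

Once this is applied, `show bgp neighbors 10.60.0.2` in vtysh should no longer report discarded updates, and `show bgp summary` should show a prefix count for the neighbor instead of (Policy).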

And that’s it! If you are still having issues, then you may need to do some more troubleshooting. Otherwise, you should be able to go back to the Cloud Builder appliance and just click retry to continue your deployment!