I have two sites connected at L3 by WireGuard, with AllowedIPs containing only the WireGuard subnet 172.30.100.0/24.
There is also a VXLAN device vx0 attached to bridge br0 along with ens18.
The VXLAN tunnel establishes provided I install a static route 10.X.0.0/24 dev br0 at each site. I'm now trying to make use of iBGP to provide control plane learning, but since BGP shares routes I am wondering if I am able to have it install this route to the neighbors.
A vtysh -c 'show ip route' indicates that BGP has learned the route is...
B>* 10.X.0.0/24 [200/0] via 172.30.100.X, wg0, weight 1, 00:08:17
... which doesn't work, because that network isn't in the AllowedIPs:
ping: sendmsg: Required key not available
If I add the 10. network to the AllowedIPs, traffic just routes directly via WireGuard and is not VXLAN encapsulated.
I figure this is probably down to the IPs being used in the bgpd.conf (which is most likely going to be a bit of a dog's breakfast given I've scraped it together from various sources). Hoping someone can assist me in cleaning it up. Some of the lines I picked up are for setups with route reflectors, which may be redundant, as I'm currently only running one BGP instance at each site. If I can still make use of peer-groups without route reflectors that'll be handy for adding additional sites (possibly need to add a listen range?)
!
router bgp 65000
bgp router-id 172.30.100.A
no bgp default ipv4-unicast
neighbor fabric peer-group
neighbor fabric remote-as 65000
neighbor fabric capability extended-nexthop
neighbor fabric update-source 172.30.100.A
neighbor 172.30.100.B peer-group fabric
!
address-family ipv4 unicast
neighbor fabric activate
neighbor fabric next-hop-self
redistribute connected
exit-address-family
!
address-family l2vpn evpn
neighbor fabric activate
neighbor fabric next-hop-self
advertise-all-vni
exit-address-family
!
!
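The "Required key not available" error comes from WireGuard's cryptokey routing: it matches each packet's destination address against the peer's AllowedIPs, so a route whose next-hop is inside the tunnel subnet still fails when the destination prefix is not. The following script is an added example, not code from the original post, that parses FRR `show ip route` lines of the form shown above and reports, for every selected route leaving via a WireGuard interface, whether the prefix is covered by AllowedIPs (carried natively over WireGuard) or not (dropped). The sample route lines, the AllowedIPs list and the concrete third octets (10.1.x, 172.30.100.2) are constructed placeholders, not values from the post.

```python
import ipaddress
import re

# Constructed sample: the peer's AllowedIPs as in the question (tunnel subnet only).
ALLOWED_IPS = ["172.30.100.0/24"]

# Constructed sample FRR "show ip route" output, modelled on the line in the post.
FRR_ROUTES = """\
B>* 10.1.0.0/24 [200/0] via 172.30.100.2, wg0, weight 1, 00:08:17
C>* 172.30.100.0/24 is directly connected, wg0, 01:00:00
K>* 0.0.0.0/0 [0/0] via 192.0.2.1, ens18, 00:20:00
"""

# proto letter, selection flags (">" best, "*" installed in FIB), prefix,
# optional [distance/metric], then either "via <nexthop>," or "is directly connected,",
# followed by the egress interface.
ROUTE_RE = re.compile(
    r"^(?P<proto>[A-Z])(?P<flags>[>*\s]*)\s*(?P<prefix>\S+)"
    r"(?:\s+\[(?P<ad>\d+)/(?P<metric>\d+)\])?"
    r"\s+(?:via\s+(?P<nexthop>[^\s,]+),|is directly connected,)"
    r"\s+(?P<iface>[^\s,]+)"
)


def parse_route(line):
    """Parse one FRR route line; return None for lines that are not routes."""
    m = ROUTE_RE.match(line)
    if not m:
        return None
    return {
        "proto": m["proto"],
        "selected": ">" in m["flags"] and "*" in m["flags"],
        "prefix": ipaddress.ip_network(m["prefix"]),
        "distance": int(m["ad"]) if m["ad"] else 0,
        "nexthop": ipaddress.ip_address(m["nexthop"]) if m["nexthop"] else None,
        "iface": m["iface"],
    }


def allowed_ips_cover(prefix, allowed):
    """True if the whole prefix lies inside some AllowedIPs entry.

    Cryptokey routing checks the packet's *destination*, so whether the
    next-hop is inside AllowedIPs does not matter here.
    """
    return any(prefix.subnet_of(ipaddress.ip_network(a)) for a in allowed)


def check_route(route, allowed, wg_ifaces=("wg0",)):
    """Classify a route by what WireGuard will do with traffic following it.

    'ok'            - egress is not a WireGuard interface, nothing to check
    'dropped-by-wg' - destination outside AllowedIPs: "Required key not available"
    'native-over-wg'- destination inside AllowedIPs: sent directly through the
                      tunnel, i.e. not via the VXLAN bridge
    """
    if route["iface"] not in wg_ifaces:
        return "ok"
    if not allowed_ips_cover(route["prefix"], allowed):
        return "dropped-by-wg"
    return "native-over-wg"


def audit(frr_output, allowed, wg_ifaces=("wg0",)):
    """Return {(proto, prefix): verdict} for every selected route in the output."""
    results = {}
    for line in frr_output.splitlines():
        r = parse_route(line)
        if r is None or not r["selected"]:
            continue
        results[(r["proto"], str(r["prefix"]))] = check_route(r, allowed, wg_ifaces)
    return results


if __name__ == "__main__":
    print("AllowedIPs = tunnel subnet only:")
    for key, verdict in audit(FRR_ROUTES, ALLOWED_IPS).items():
        print(f"  {key[0]} {key[1]:<18} {verdict}")
    # The second case from the post: adding the 10. network to AllowedIPs makes
    # the BGP route usable, but the traffic then bypasses the VXLAN bridge.
    print("AllowedIPs including 10.1.0.0/24:")
    for key, verdict in audit(FRR_ROUTES, ALLOWED_IPS + ["10.1.0.0/24"]).items():
        print(f"  {key[0]} {key[1]:<18} {verdict}")
```

Run it against real output with `vtysh -c 'show ip route' | python3 audit.py` after replacing `FRR_ROUTES` with `sys.stdin.read()`, and the wg0 AllowedIPs with the output of `wg show wg0 allowed-ips`; any `dropped-by-wg` line is a route BGP installed that the tunnel will refuse, which is exactly the BGP route shown in the post.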