BGP-NFX

From Czela.net

General settings

!
! general configuration
!
hostname NejakyNazevRouteru
password HesloProKoukani
enable password HesloProKonfigurace
log file /var/log/quagga/bgpd.log
log trap errors
log record-priority
service advanced-vty
service password-encryption
service terminal-length 23
!
!
! Definition of the access list for the bgpd console
! access from the NFX segment 10.253.32.0/24 is mandatory
!
access-list login remark Administrator access to zebra
access-list login permit 127.0.0.1/32
access-list login permit 10.253.32.0/24
! access-list login permit 10.X.X.X/X
! ...etc...
access-list login deny any
!
! virtual terminal configuration (telnet <ip> 2605)
line vty
  access-class login
  exec-timeout 60 0
!

BGP for CZFree peering

  • for routers with CZF peering only
! needed for send-community both to work
bgp config-type cisco
!
! Replace 6XXXX with the assigned AS number; it should be documented at ripe.czfree.net
router bgp 6XXXX
 ! unique router identification (e.g. the IP of the loopback interface)
 bgp router-id 10.X.Y.Z
 bgp dampening
 ! the assigned (aggregated) prefix to be advertised
 network 10.X.0.0 mask 255.255.0.0
 ! peer group definitions
 ! - EXTERNAL for peers in neighbouring AS/networks (EBGP)
 neighbor EXTERNAL peer-group
 neighbor EXTERNAL description External cloud peerings
 neighbor EXTERNAL next-hop-self
 neighbor EXTERNAL send-community both
 neighbor EXTERNAL soft-reconfiguration inbound
 neighbor EXTERNAL prefix-list cloudtransin in
 neighbor EXTERNAL prefix-list cloudtransout out
 ! - INTERNAL for internal peers within the AS (IBGP)
 !   - the AS is the same as in the router bgp definition
 !   - update-source is the router's dummy interface (similar to router-id)
 neighbor INTERNAL peer-group
 neighbor INTERNAL description Internal peerings
 neighbor INTERNAL remote-as 6XXXX
 neighbor INTERNAL update-source 10.X.Y.Z
 neighbor INTERNAL next-hop-self
 neighbor INTERNAL send-community both
 neighbor INTERNAL soft-reconfiguration inbound
 ! - NFX-RSERV for peering with the NFX route servers; do not change the remote AS
 neighbor NFX-RSERV peer-group
 neighbor NFX-RSERV description NFX route-servers
 neighbor NFX-RSERV remote-as 65532
 neighbor NFX-RSERV next-hop-self
 neighbor NFX-RSERV prefix-list cloudtransin in
 neighbor NFX-RSERV prefix-list cloudtransout out
 neighbor NFX-RSERV soft-reconfiguration inbound
 neighbor NFX-RSERV send-community both
 !
 ! the peer definitions themselves
 ! - with the NFX route servers
 neighbor 10.253.32.250 peer-group NFX-RSERV 
 neighbor 10.253.32.250 description NFX RouteServer 1
 neighbor 10.253.32.251 peer-group NFX-RSERV 
 neighbor 10.253.32.251 description NFX RouteServer 2
 ! - within your own AS (e.g. with another border router)
 neighbor 10.X.A.B peer-group INTERNAL
 neighbor 10.X.A.B description NejakyPopisek
 ! ...etc...
 ! - with any other CZF peer AS
 neighbor 10.X.C.D remote-as 6ABCD
 neighbor 10.X.C.D peer-group EXTERNAL
 neighbor 10.X.C.D description NejakyPopisek
 neighbor 10.X.C.D update-source 10.X.C.C
 ! ...etc...
!
! prefix-list definitions passing prefixes according to CZF-RFC-ROUTING
! 15-20 is the permitted length range of received and advertised prefixes, i.e. the smallest is /20, the largest /15
ip prefix-list cloudtransin description CZFree.NET inter-cloud filter IN
ip prefix-list cloudtransin seq 10 permit 10.0.0.0/8 ge 15 le 20
ip prefix-list cloudtransin seq 20 deny any
ip prefix-list cloudtransout description CZFree.NET inter-cloud filter OUT
ip prefix-list cloudtransout seq 10 permit 10.0.0.0/8 ge 15 le 20
ip prefix-list cloudtransout seq 20 deny any
!
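As an added illustration (not part of the Czela.net page or of Quagga), the following Python evaluator reproduces the ge/le matching of the cloudtransin/cloudtransout lists above (the same rule as the CZF list in the combined configuration further down) and runs constructed sample announcements through it, showing which ones the inbound filter admits; the entry tuple layout and the sample prefixes are assumptions of this example.

```python
import ipaddress

# Constructed model of the page's filter: permit anything inside 10.0.0.0/8
# whose length is /15../20, then "deny any" (Quagga's 0.0.0.0/0 le 32).
# Entry layout (an assumption of this example): (seq, action, prefix, ge, le)
CZF_PREFIX_LIST = [
    (10, "permit", "10.0.0.0/8", 15, 20),
    (20, "deny", "0.0.0.0/0", None, 32),
]


def entry_matches(candidate, entry):
    """Cisco/Quagga prefix-list entry semantics: the candidate must lie inside
    the entry's network and its length must fall in the ge/le window
    (no ge/le at all means only an exact-length match counts)."""
    _seq, _action, net_s, ge, le = entry
    net = ipaddress.ip_network(net_s, strict=False)
    if candidate.version != net.version or not candidate.subnet_of(net):
        return False
    lo = ge if ge is not None else net.prefixlen
    if le is not None:
        hi = le
    elif ge is not None:
        hi = net.max_prefixlen
    else:
        hi = net.prefixlen
    return lo <= candidate.prefixlen <= hi


def evaluate(prefix, plist):
    """Return (action, seq) of the first matching entry in seq order, or
    ("deny", None) for the implicit deny at the end of every prefix-list."""
    candidate = ipaddress.ip_network(prefix, strict=False)
    for entry in sorted(plist, key=lambda e: e[0]):
        if entry_matches(candidate, entry):
            return entry[1], entry[0]
    return "deny", None


def filter_announcements(prefixes, plist=CZF_PREFIX_LIST):
    """Apply the list the way 'neighbor X prefix-list ... in' does: keep only
    the permitted prefixes, drop everything else."""
    return [p for p in prefixes if evaluate(p, plist)[0] == "permit"]


# Constructed sample announcements as a CZF neighbour might send them.
SAMPLE = ["10.1.0.0/16", "10.0.0.0/8", "10.1.2.0/24", "10.0.0.0/15",
          "10.64.0.0/10", "192.168.0.0/16", "10.253.32.0/24"]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p, evaluate(p, CZF_PREFIX_LIST))
    print("accepted:", filter_announcements(SAMPLE))
```

Note that 10.0.0.0/8 itself and the NFX segment 10.253.32.0/24 are both rejected: the first is shorter than /15, the second longer than /20.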

BGP for transit Internet connectivity

  • the original NFX configuration - DO NOT USE!!
router bgp 8251
!  the assigned prefix within NFX
  network 78.108.X.0 mask 255.255.255.0
  ! ...etc...
  !  peer-group definition
  neighbor INTERNAL peer-group
  neighbor INTERNAL remote-as 8251
  neighbor INTERNAL description Interier BGP
  neighbor INTERNAL prefix-list internal in
  neighbor INTERNAL prefix-list internal out
  ! the actual peering with the individual NFX devices
  neighbor 81.201.48.193 peer-group INTERNAL
  neighbor 81.201.48.193 description L3-switch-NIX
  neighbor 81.201.48.194 peer-group INTERNAL
  neighbor 81.201.48.194 description HranicniRouter-Telia
  neighbor 81.201.48.195 peer-group INTERNAL
  neighbor 81.201.48.195 description HranicniRouter-CDT

BGP view

  • does not affect the local routing table, but does announce prefixes outward
  • can be useful on a machine that combines CZF and public peering.
router bgp 8251 view NFXPUBLIC
  no synchronization
  ! unique router identification, e.g. the IP used for public peering in NFX
  bgp router-id 81.201.48.X
  bgp log-neighbor-changes
  ! the member's assigned prefixes
  network 78.108.103.X mask 255.255.255.X
  ! ...etc...
  !
  ! peer group definition
  neighbor NFX-tranzit peer-group
  neighbor NFX-tranzit remote-as 8251
  neighbor NFX-tranzit description NFX transit routers
  neighbor NFX-tranzit update-source X.X.X.X
  neighbor NFX-tranzit next-hop-self
  neighbor NFX-tranzit send-community both
  neighbor NFX-tranzit soft-reconfiguration inbound
  ! the actual peering with the individual NFX devices
  neighbor 81.201.48.193 peer-group NFX-tranzit
  neighbor 81.201.48.193 description NFX - switch NIX
  neighbor 81.201.48.194 peer-group NFX-tranzit
  neighbor 81.201.48.194 description NFX - router Telia
  neighbor 81.201.48.195 peer-group NFX-tranzit
  neighbor 81.201.48.195 description NFX - router CDT
  no auto-summary

Combined BGP for CZFree and for transit Internet connectivity

  • for sites where the border router serves both CZF and INET
  • the local routing table holds both public and CZF IPs (! beware of redistribution into OSPF)
  • only CZF addresses are propagated to CZF (NFX, EXTERNAL) + iBGP (INTERNAL)
  • only public prefixes are advertised to the public peering (NFXPUB); everything is accepted inbound (roughly 5 thousand NIX prefixes)
bgp config-type cisco
!
router bgp 6XXXX
   no synchronization
   bgp router-id 10.X.X.X
   ! czfree prefix
   network 10.X.0.0 mask 255.255.0.0
   ! prefixes for public peering
   network 78.X.X.X mask 255.255.255.Z
   neighbor EXTERNAL peer-group
   neighbor EXTERNAL description Direct external peerings 
   neighbor EXTERNAL next-hop-self
   neighbor EXTERNAL send-community both
   neighbor EXTERNAL soft-reconfiguration inbound
   neighbor EXTERNAL prefix-list CZF in
   neighbor EXTERNAL prefix-list CZF out
   neighbor INTERNAL peer-group
   neighbor INTERNAL remote-as 6XXXX
   neighbor INTERNAL description Internal peerings 
   neighbor INTERNAL next-hop-self
   neighbor INTERNAL send-community both
   neighbor INTERNAL soft-reconfiguration inbound
   neighbor INTERNAL prefix-list CZF in
   neighbor INTERNAL prefix-list CZF out
   neighbor NFX peer-group
   neighbor NFX remote-as 65532
   neighbor NFX description NFX-route-servers 
   neighbor NFX next-hop-self
   neighbor NFX send-community both
   neighbor NFX soft-reconfiguration inbound
   neighbor NFX prefix-list CZF in
   neighbor NFX prefix-list CZF out
   neighbor NFXPUB peer-group
   neighbor NFXPUB remote-as 8251
   neighbor NFXPUB description NFX public route-servers 
   neighbor NFXPUB next-hop-self
   neighbor NFXPUB send-community both
   neighbor NFXPUB soft-reconfiguration inbound
   neighbor NFXPUB prefix-list PUB out
   neighbor 10.253.32.250 peer-group NFX
   neighbor 10.253.32.251 peer-group NFX
   neighbor 81.201.48.194 peer-group NFXPUB
   neighbor 81.201.48.195 peer-group NFXPUB
   no auto-summary
!
! prefix list for filtering CZF prefixes (in/out)
ip prefix-list CZF description CZfree.Net prefixes 
ip prefix-list CZF seq 10 permit 10.0.0.0/8 ge 15 le 20
ip prefix-list CZF seq 99 deny any
! prefix list passing the assigned public IPs
ip prefix-list PUB description Public IP 
ip prefix-list PUB seq 10 permit 78.X.X.X/Y
ip prefix-list PUB seq 99 deny any

IPv6 peering

It is simply added to the existing configuration... no magic :-)

router bgp XXXXX
  neighbor 2a01:490:0:1::1 remote-as 8251
  no neighbor 2a01:490:0:1::1 activate
  neighbor 2a01:490:0:1::b:1 remote-as 8251
  no neighbor 2a01:490:0:1::b:1 activate
  address-family ipv6
    ! the assigned IPv6 prefix
    network 2a01:490:XXXX::/48
    neighbor 2a01:490:0:1::1 activate
    neighbor 2a01:490:0:1::1 send-community both
    neighbor 2a01:490:0:1::1 soft-reconfiguration inbound
    neighbor 2a01:490:0:1::b:1 activate
    neighbor 2a01:490:0:1::b:1 send-community both
    neighbor 2a01:490:0:1::b:1 soft-reconfiguration inbound

Additional tricks

These are possible extensions of the configurations above. Use them only if you know what you are doing :-) For more theory, see BGP best path selection.

local preference

If several paths to a given prefix exist within the whole AS, the one with the highest local preference is chosen. The default value of this parameter (unless changed via a route-map) is 100. Local preference takes precedence over AS-path (it is evaluated earlier). The parameter applies only within your own AS.

route-map ChangeLocPref permit 10
  set local-preference 50
router bgp 6XXXX
  neighbor 10.X.Y.Z route-map ChangeLocPref in

multi-exit discriminator

If a prefix is announced to a neighbouring AS over several alternative paths with an AS-path of the same length, this parameter can be used to influence which of the paths the neighbouring AS prefers. The default value of this parameter (unless changed via a route-map) is 0. The parameter applies only in the neighbouring AS.

route-map ChangeMetric permit 10
  set metric 10
router bgp 6XXXX
  neighbor 10.X.Y.Z route-map ChangeMetric out
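To make the two rules above concrete, here is an added Python model (not from the page or from Quagga) of just the local-preference, AS-path-length and MED steps of best-path selection, using the page's defaults of 100 and 0; the Path class, the AS numbers and the addresses are constructed for this example, and the later tie-breakers are deliberately left out.

```python
from dataclasses import dataclass


@dataclass
class Path:
    """One candidate route for a prefix as seen by the local router (constructed)."""
    via: str                # neighbour the path was learned from
    neighbor_as: int        # AS of that neighbour
    as_path: tuple          # AS_PATH attribute
    local_pref: int = 100   # default when no route-map changes it (page: 100)
    med: int = 0            # default when no route-map changes it (page: 0)


def best_path(paths):
    """Simplified best-path selection covering only what the page discusses:
    highest LOCAL_PREF wins first, then the shortest AS_PATH, then the lowest
    MED, and MED is compared only between paths from the same neighbouring AS.
    Origin, eBGP vs iBGP, IGP metric and router-id tie-breakers are not
    modelled; on a full tie the first path is kept."""
    best = paths[0]
    for p in paths[1:]:
        if p.local_pref != best.local_pref:
            if p.local_pref > best.local_pref:
                best = p
        elif len(p.as_path) != len(best.as_path):
            if len(p.as_path) < len(best.as_path):
                best = p
        elif p.neighbor_as == best.neighbor_as and p.med < best.med:
            best = p
    return best


# Constructed scenario 1: a ChangeLocPref-style route-map lowered the local
# preference of the path via 10.1.0.1 to 50; the longer path still wins,
# because local preference is evaluated before AS-path length.
LOCPREF_PATHS = [
    Path("10.1.0.1", 65001, (65001,), local_pref=50),
    Path("10.1.0.2", 65002, (65002, 65003)),
]

# Constructed scenario 2: the same neighbouring AS sends the prefix over two
# links with equal AS-path; the link on which "set metric 10" was applied
# loses to the one announcing the default MED of 0.
MED_PATHS = [
    Path("10.2.0.1", 65004, (65004,), med=10),
    Path("10.2.0.2", 65004, (65004,)),
]

if __name__ == "__main__":
    print("local-pref winner:", best_path(LOCPREF_PATHS).via)
    print("MED winner:", best_path(MED_PATHS).via)
```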

quagga

Versions 0.99.8 and 0.99.9 contain a bug that blocks multi-protocol prefix advertisements, i.e. the configured "network" is then not advertised for IPv6 (if you use only IPv4, this does not affect you). The patch is integrated in 0.99.10 (it comes from that version).

--- bgpd/bgp_open.c
+++ bgpd/bgp_open.c
@@ -177,7 +177,7 @@ bgp_capability_mp (struct peer *peer, struct capability_header *hdr)
  peer->afc_recv[mpc.afi][mpc.safi] = 1;
  
  if (peer->afc[mpc.afi][mpc.safi])
-    peer->afc_nego[mpc.safi][mpc.safi] = 1;
+    peer->afc_nego[mpc.afi][mpc.safi] = 1;
  else 
    return -1;
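Review bot: the one-line fix is correct as far as the hunk shows; the removed line indexes afc_nego with mpc.safi in the AFI position, so for IPv6 unicast (afi 2, safi 1) the negotiated flag was written to [1][1] instead of [2][1], which matches the symptom of IPv6 networks never being advertised, and the context line "peer->afc_recv[mpc.afi][mpc.safi] = 1;" two lines above shows the intended indexing. One thing to confirm outside this hunk: mpc.afi and mpc.safi come from the peer's capability and are used as array indices on both the afc_recv and afc_nego lines, so they must be range-checked earlier in bgp_capability_mp; if that check is not already there, it belongs before the afc_recv assignment.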

Linux kernel

A broken IPv6 default route has been confirmed on kernels in the range 2.6.20.5 - 2.6.21.x, see the kernel.org bugzilla. On 2.6.20.4-1 it is still fine, on 2.6.21.1 it does not work, on 2.6.22.1 it works again.

slow IPv6 forwarding

I don't know where else to put this :-) But if anyone is struggling with it (speeds of ~1Mbit on a gigabit Intel 82576), I wrote it up on the khnet wiki

kernel routing table for IPv6

The kernel IPv6 routing table is limited to 4096 routes by default (!) - learned routes above this limit do not appear in the kernel table ... The resulting counts are oddly lower - between 3200 and 3700.

  • it can be changed at runtime with
 sysctl -w net.ipv6.route.max_size=16384
  • or better - put it into /etc/sysctl.conf
 net.ipv6.route.max_size=16384