OpenBGPD Quick

From Devpit

There aren't many examples of OpenBGPD/OpenOSPFD configurations out there yet. Here's a configuration for one of the simplest cases: connecting one end-user site to two ISPs.


Topology

Our site, which is Aatrix, connects to two ISPs, Midco and Invisimax. Invisimax has two upstream providers, Midco and Halstad Telephone Company (HTC). I want to advertise our network only through Invisimax's link to HTC, because it balances the incoming traffic more evenly between our links. To support this, Invisimax declared two BGP communities. When we advertise without a community attribute, the advertisement goes out both of their links; when we advertise with community 16739:501, Invisimax blocks our advertisement to HTC; and when we advertise with community 16739:502, Invisimax blocks our advertisement to Midco. When we advertise to Midco, we never add a community attribute.

We have two routers. Each has an interface connected to our edge network, which is 96.3.203.240/28 on vlan1750. Router0 has an interface connected to Midco, and Router1 has an interface connected to Invisimax. These routers use CARP to present a virtual IP for other hosts on 96.3.205.240/28 to use as their default route. Firewalls protecting our other networks have IPs on our edge network and simply use .241 for the default route. Alternatively, they could join OSPF, but a CARP IP seems to work just as well.

Note that bgpd and ospfd communicate with each other to populate the routing table. Using bgpd without ospfd will not work. But ospfd has an extremely simple configuration, so just go with it.


Notes

  • Filtering out reserved prefixes is good practice. For example, 127.0.0.1/8, 169.254/16, 10/8, and 192.168/16 are filtered out below. They should never appear, but if they do, filtering avoids unexpected behavior with possible security implications.
  • It seems you can "set community" inside the "neighbor" block. In our tests, this does not work. Or perhaps it doesn't mean what we thought it means. It appears the community attribute must be set with filtering rules.
  • Although CARP is usually paired with pfsync, pfsync is unnecessary here and probably adds too much latency to work well. If you use PF to protect the router itself, you'll need to explicitly accept in-progress connections without tracking sequence numbers or scrubbing. The default behavior of PF (flags S/SA and modulate state) will break connections when routes change if you merely use "pass all". Using the state table with "sloppy" still helps performance, though. Try:
pass log quick flags any keep state (sloppy)
  • The order of precedence for selecting routes is: higher local_pref, local aggregates, shortest as_path, lowest origin type (IGP, then EGP, then incomplete).
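The precedence in the last note, as an added example that is not part of the original page: a sort key that orders candidate paths for one prefix by higher localpref, local aggregates, shortest AS path, then origin type. The candidate routes are constructed; 11232 and 16739 are the ISP ASNs the page names, while 64496/64497 are documentation ASNs standing in for upstream networks the page does not identify.

```python
# Added example, not OpenBGPD code: a best-path comparator in the page's order.
ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}

def path_key(route):
    """Sort key: the smallest tuple wins, so attributes where larger is
    better are negated. Order follows the precedence note above."""
    return (
        -route["localpref"],           # 1. higher local preference
        0 if route["local"] else 1,    # 2. local aggregates beat learned paths
        len(route["as_path"]),         # 3. shortest AS path
        ORIGIN_RANK[route["origin"]],  # 4. IGP, then EGP, then incomplete
    )

def rank(routes):
    """Neighbor names ordered best first for one prefix."""
    return [r["neighbor"] for r in sorted(routes, key=path_key)]

# Constructed candidates for one prefix, carrying the attributes the page's
# filter rules would leave them with.
CANDIDATES = [
    # Learned from Midco; the Router0 rule sets localpref 90 on 0.0.0.0/1 or-longer.
    {"neighbor": "MIDCO-NETv4", "localpref": 90, "local": False,
     "as_path": [11232, 64496], "origin": "igp"},
    # Learned from Invisimax via Halstad; community 16739:22001 raises
    # localpref to 110 on Router1, so it wins despite the longer AS path.
    {"neighbor": "INVISIMAX-AS-GFv4", "localpref": 110, "local": False,
     "as_path": [16739, 64497, 64496], "origin": "igp"},
    # A locally originated aggregate at OpenBGPD's default localpref of 100
    # only beats learned paths whose localpref is 100 or lower.
    {"neighbor": "local", "localpref": 100, "local": True,
     "as_path": [], "origin": "igp"},
]

if __name__ == "__main__":
    print(rank(CANDIDATES))  # ['INVISIMAX-AS-GFv4', 'local', 'MIDCO-NETv4']
```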


Operation

  • To restart bgpd and ospfd:
/etc/rc.d/bgpd stop
/etc/rc.d/ospfd stop
/etc/rc.d/bgpd start
/etc/rc.d/ospfd start
  • Typical summary:
# bgpctl show summary 
Neighbor                   AS    MsgRcvd    MsgSent  OutQ Up/Down  State/PrfRcvd
AATRIXv4               394490     462291     720036     0 00:35:14 576184
MIDCO-NETv4             11232     296002       2315     0 19:16:39 568487
  • To show all learned routes:
bgpctl show rib | less
  • To show just routes for Midco's /16 or longer:
bgpctl show rib 96.3.0.0/16 all
  • To show routes with detail such as communities:
bgpctl show rib detail | less


Router0

hostname.vlan1750

inet 96.3.205.242 255.255.255.240 NONE vlan 1750 vlandev trunk0
!route add -net 96.3.205.0/24 -gateway 127.0.0.1 -blackhole


hostname.carp1750

inet 96.3.205.241 255.255.255.240 NONE vhid 241 pass xxx carpdev vlan1750 advskew 50


ospfd.conf

router-id 96.3.203.122
redistribute connected
area 0.0.0.0 {
        interface vlan1750
}


bgpd.conf

AS 394490
router-id 96.3.203.122
connect-retry 10
#log updates

network 96.3.205.0/24
#network inet static

neighbor 96.3.203.121 {
        remote-as 11232
        descr MIDCO-NETv4
        local-address 96.3.203.122
        announce self
}

neighbor 96.3.205.243 {
        remote-as 394490
        descr AATRIXv4
        local-address 96.3.205.242
        announce all
}

# Last match wins.
allow from any
allow to any
deny from any prefix 0.0.0.0/0
deny from any prefix 0.0.0.0/8 or-longer
deny from any prefix 10.0.0.0/8 or-longer
deny from any prefix 127.0.0.0/8 or-longer
deny from any prefix 169.254.0.0/16 or-longer
deny from any prefix 172.16.0.0/12 or-longer
deny from any prefix 192.0.2.0/24 or-longer
deny from any prefix 192.168.0.0/16 or-longer
deny from any prefix 224.0.0.0/4 or-longer
deny from any prefix 240.0.0.0/4 or-longer

match to 96.3.203.121 set {prepend-self 1}

# Nudge some networks to route away from Midco, since otherwise nearly all go this way.
match from 96.3.203.121 prefix 0.0.0.0/1 or-longer set {localpref 90}


Router1

hostname.vlan1750

inet 96.3.205.243 255.255.255.240 NONE vlan 1750 vlandev trunk0
!route add -net 96.3.205.0/24 -gateway 127.0.0.1 -blackhole


hostname.carp1750

inet 96.3.205.241 255.255.255.240 NONE vhid 241 pass xxx carpdev vlan1750 advskew 100


ospfd.conf

router-id 208.72.151.165
redistribute connected
area 0.0.0.0 {
        interface vlan1750
}


bgpd.conf

AS 394490
router-id 208.72.151.165
connect-retry 10
#log updates

network 96.3.205.0/24
#network inet static

neighbor 208.72.151.166 {
        remote-as 16739
        descr INVISIMAX-AS-GFv4
        local-address 208.72.151.165
        announce self
}

neighbor 96.3.205.242 {
        remote-as 394490
        descr AATRIXv4
        local-address 96.3.205.243
        announce all
}

# Last match wins.
allow from any
allow to any
deny from any prefix 0.0.0.0/0
deny from any prefix 0.0.0.0/8 or-longer
deny from any prefix 10.0.0.0/8 or-longer
deny from any prefix 127.0.0.0/8 or-longer
deny from any prefix 169.254.0.0/16 or-longer
deny from any prefix 172.16.0.0/12 or-longer
deny from any prefix 192.0.2.0/24 or-longer
deny from any prefix 192.168.0.0/16 or-longer
deny from any prefix 224.0.0.0/4 or-longer
deny from any prefix 240.0.0.0/4 or-longer

# Invisimax defines the following communities:
# 16739:501 -- We assign this to advertise only to Midco
# 16739:502 -- We assign this to advertise only to Halstad
# 16739:22001 -- They assign this to routes that go to Halstad
# 16739:22002 -- They assign this to routes that go to Midco

match to 208.72.151.166 set {community 16739:502}
match from 208.72.151.166 community 16739:22001 set {localpref 110}
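To check what the filter blocks above actually do (both routers' reserved-prefix denies and Router1's community rules, plus the "last match wins" note), here is an added example that is not OpenBGPD code: a small evaluator that applies Router1's rule list with last-match-wins semantics and "or-longer" prefix matching to constructed updates. The default verdict when no rule matches is assumed to be deny.

```python
# Added example, not OpenBGPD code: evaluate the Router1 filter block.
from ipaddress import ip_network

INVISIMAX = "208.72.151.166"  # the eBGP neighbor from the config above

# Each rule: (direction, peer or "any", prefix or None, or_longer,
#             required community or None, action). The action is "allow",
#             "deny", or a dict of attributes for a "match ... set" rule.
RULES = [
    ("from", "any", None, False, None, "allow"),
    ("to", "any", None, False, None, "allow"),
    ("from", "any", "0.0.0.0/0", False, None, "deny"),   # exact match only
] + [
    ("from", "any", p, True, None, "deny")
    for p in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
              "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
              "224.0.0.0/4", "240.0.0.0/4")
] + [
    ("to", INVISIMAX, None, False, None, {"community": "16739:502"}),
    ("from", INVISIMAX, None, False, "16739:22001", {"localpref": 110}),
]

def prefix_matches(rule_prefix, or_longer, prefix):
    """No prefix in the rule matches anything; or-longer matches the prefix
    itself and every more-specific; otherwise the prefix must be equal."""
    if rule_prefix is None:
        return True
    want, got = ip_network(rule_prefix), ip_network(prefix)
    return got.subnet_of(want) if or_longer else got == want

def evaluate(direction, peer, prefix, communities=()):
    """Return (verdict, attrs). The verdict comes from the last allow/deny
    rule that matched; attrs collects what every matching set rule applied."""
    verdict, attrs = "deny", {}   # assumed default when nothing matches
    for r_dir, r_peer, r_prefix, or_longer, r_comm, action in RULES:
        if r_dir != direction or r_peer not in ("any", peer):
            continue
        if not prefix_matches(r_prefix, or_longer, prefix):
            continue
        if r_comm is not None and r_comm not in communities:
            continue
        if isinstance(action, dict):
            attrs.update(action)  # match rules set attributes and keep going
        else:
            verdict = action      # allow/deny: last match wins
    return verdict, attrs

if __name__ == "__main__":   # constructed updates; 203.0.113.0/24 is a documentation net
    print(evaluate("from", INVISIMAX, "10.1.0.0/16"))                     # ('deny', {})
    print(evaluate("from", INVISIMAX, "203.0.113.0/24", ("16739:22001",)))  # ('allow', {'localpref': 110})
    print(evaluate("to", INVISIMAX, "96.3.205.0/24"))                     # ('allow', {'community': '16739:502'})
```

The community attribute is set only on the "to" direction, matching the note above that it must be set with filter rules rather than inside the neighbor block.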