OpenBGPD Quick
There aren't many examples of OpenBGPD/OpenOSPFD configurations out there yet. Here's a configuration for one of the simplest configurations, connecting one end-user site to two ISPs.
Topology
Our site, which is Aatrix, connects to two ISPs, Midco and Invisimax. Invisimax has two upstream providers, Midco and Halstad Telephone Company (HTC). I want to advertise our network only through Invisimax's link to HTC, because that balances the incoming traffic more evenly between our links. To support this, Invisimax declared two BGP communities. When we advertise without a community attribute, the advertisement goes out both of their links; when we advertise with community 16739:501, Invisimax blocks our advertisement to HTC; and when we advertise with community 16739:502, Invisimax blocks our advertisement to Midco. When we advertise to Midco, we never add a community attribute.
We have two routers. Each has an interface connected to our edge network, which is 96.3.203.240/28 on vlan1750. Router0 has an interface connected to Midco, and Router1 has an interface connected to Invisimax. These routers use CARP to present a virtual IP for other hosts on 96.3.205.240/28 to use as their default route. Firewalls protecting our other networks have IPs on our edge network and simply use .241 as their default route. Alternatively, they could join OSPF, but a CARP IP seems to work just as well.
Note that bgpd and ospfd communicate with each other to populate the routing table. Using bgpd without ospfd will not work. But ospfd has an extremely simple configuration, so just go with it.
Notes
- Filtering out reserved prefixes that matter to you is good practice. For example, 127.0.0.1/8, 169.254/16, 10/8, and 192.168/16 are filtered out below. They should never appear, but if they do, filtering them avoids unexpected behavior that could have security implications.
- It seems you can "set community" inside the "neighbor" block. In our tests, this does not work. Or perhaps it doesn't mean what we thought it means. It appears the community attribute must be set with filtering rules.
- Although CARP is usually paired with pfsync, pfsync is unnecessary here and probably adds too much latency to work well. If you use PF to protect the router itself, you'll need to explicitly accept in-progress connections without tracking sequence numbers or scrubbing. The default behavior of PF (flags S/SA and modulate state) will break connections when routes change if you merely use "pass all". Using the state table with "sloppy" still helps performance, though. Try:
pass log quick flags any keep state (sloppy)
- The order of precedence for selecting routes is: higher local_pref, local aggregates, shortest as_path, lowest origin type (IGP, then EGP, then incomplete).
Operation
- To restart bgpd and ospfd:
/etc/rc.d/bgpd stop
/etc/rc.d/ospfd stop
/etc/rc.d/bgpd start
/etc/rc.d/ospfd start
- Typical summary:
# bgpctl show summary
Neighbor                   AS    MsgRcvd    MsgSent  OutQ Up/Down  State/PrfRcvd
AATRIXv4               394490     462291     720036     0 00:35:14     576184
MIDCO-NETv4             11232     296002       2315     0 19:16:39     568487
- To show all learned routes:
bgpctl show rib | less
- To show just routes for Midco's /16 or longer:
bgpctl show rib 96.3.0.0/16 all
- To show routes with detail such as communities:
bgpctl show rib detail | less
Router0
hostname.vlan1750
inet 96.3.205.242 255.255.255.240 NONE vlan 1750 vlandev trunk0
!route add -net 96.3.205.0/24 -gateway 127.0.0.1 -blackhole
hostname.carp1750
inet 96.3.205.241 255.255.255.240 NONE vhid 241 pass xxx carpdev vlan1750 advskew 50
ospfd.conf
router-id 96.3.203.122
redistribute connected
area 0.0.0.0 {
interface vlan1750
}
bgpd.conf
AS 394490
router-id 96.3.203.122
connect-retry 10
#log updates
network 96.3.205.0/24
#network inet static
neighbor 96.3.203.121 {
remote-as 11232
descr MIDCO-NETv4
local-address 96.3.203.122
announce self
}
neighbor 96.3.205.243 {
remote-as 394490
descr AATRIXv4
local-address 96.3.205.242
announce all
}
# Last match wins.
allow from any
allow to any
deny from any prefix 0.0.0.0/0
deny from any prefix 0.0.0.0/8 or-longer
deny from any prefix 10.0.0.0/8 or-longer
deny from any prefix 127.0.0.0/8 or-longer
deny from any prefix 169.254.0.0/16 or-longer
deny from any prefix 172.16.0.0/12 or-longer
deny from any prefix 192.0.2.0/24 or-longer
deny from any prefix 192.168.0.0/16 or-longer
deny from any prefix 224.0.0.0/4 or-longer
deny from any prefix 240.0.0.0/4 or-longer
match to 96.3.203.121 set {prepend-self 1}
# Nudge some networks to route away from Midco, since otherwise nearly all go this way.
match from 96.3.203.121 prefix 0.0.0.0/1 or-longer set {localpref 90}
Router1
hostname.vlan1750
inet 96.3.205.243 255.255.255.240 NONE vlan 1750 vlandev trunk0
!route add -net 96.3.205.0/24 -gateway 127.0.0.1 -blackhole
hostname.carp1750
inet 96.3.205.241 255.255.255.240 NONE vhid 241 pass xxx carpdev vlan1750 advskew 100
ospfd.conf
router-id 208.72.151.165
redistribute connected
area 0.0.0.0 {
interface vlan1750
}
bgpd.conf
AS 394490
router-id 208.72.151.165
connect-retry 10
#log updates
network 96.3.205.0/24
#network inet static
neighbor 208.72.151.166 {
remote-as 16739
descr INVISIMAX-AS-GFv4
local-address 208.72.151.165
announce self
}
neighbor 96.3.205.242 {
remote-as 394490
descr AATRIXv4
local-address 96.3.205.243
announce all
}
# Last match wins.
allow from any
allow to any
deny from any prefix 0.0.0.0/0
deny from any prefix 0.0.0.0/8 or-longer
deny from any prefix 10.0.0.0/8 or-longer
deny from any prefix 127.0.0.0/8 or-longer
deny from any prefix 169.254.0.0/16 or-longer
deny from any prefix 172.16.0.0/12 or-longer
deny from any prefix 192.0.2.0/24 or-longer
deny from any prefix 192.168.0.0/16 or-longer
deny from any prefix 224.0.0.0/4 or-longer
deny from any prefix 240.0.0.0/4 or-longer
# Invisimax defines the following communities:
# 16739:501 -- We assign this to advertise only to Midco
# 16739:502 -- We assign this to advertise only to Halstad
# 16739:22001 -- They assign this to routes that go to Halstad
# 16739:22002 -- They assign this to routes that go to Midco
match to 208.72.151.166 set {community 16739:502}
match from 208.72.151.166 community 16739:22001 set {localpref 110}
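As an added illustration (not code from this page or from OpenBGPD), here is a small Python model of how the Router1 filter above behaves under last-match-wins evaluation: the bogon deny rules only reject inbound updates, the "to" match rule tags updates sent to Invisimax with 16739:502, and the "from" match rule raises localpref on routes carrying 16739:22001. The rule table is a constructed subset of the Router1 rules, and the "deny if nothing matches" default is a modelling assumption that the leading allow rules make moot.

```python
from ipaddress import ip_network

# Constructed subset of the Router1 bgpd.conf filter rules, in file order.
# Tuple layout is our own: (action, direction, peer, prefix, or_longer,
# required_community, set_actions). peer/prefix None means "any".
RULES = [
    ("allow", "from", None, None,             False, None, {}),
    ("allow", "to",   None, None,             False, None, {}),
    ("deny",  "from", None, "0.0.0.0/0",      False, None, {}),
    ("deny",  "from", None, "0.0.0.0/8",      True,  None, {}),
    ("deny",  "from", None, "10.0.0.0/8",     True,  None, {}),
    ("deny",  "from", None, "127.0.0.0/8",    True,  None, {}),
    ("deny",  "from", None, "169.254.0.0/16", True,  None, {}),
    ("deny",  "from", None, "192.168.0.0/16", True,  None, {}),
    ("match", "to",   "208.72.151.166", None, False, None, {"community": "16739:502"}),
    ("match", "from", "208.72.151.166", None, False, "16739:22001", {"localpref": 110}),
]

def prefix_matches(rule_prefix, or_longer, prefix):
    """'prefix X' matches X exactly; 'prefix X or-longer' also matches any more-specific."""
    if rule_prefix is None:
        return True                      # no prefix constraint on this rule
    rule_net, net = ip_network(rule_prefix), ip_network(prefix)
    return net.subnet_of(rule_net) if or_longer else net == rule_net

def evaluate(direction, peer, prefix, communities=()):
    """Run one update through RULES. direction is 'from' (received from peer)
    or 'to' (sent to peer). Returns (decision, attrs)."""
    decision = "deny"                    # modelling assumption if nothing matches
    attrs = {"localpref": 100, "communities": set(communities)}
    for action, rdir, rpeer, rprefix, longer, rcomm, sets in RULES:
        if rdir != direction or (rpeer is not None and rpeer != peer):
            continue
        if not prefix_matches(rprefix, longer, prefix):
            continue
        if rcomm is not None and rcomm not in attrs["communities"]:
            continue
        if action != "match":            # allow/deny: the last matching rule wins
            decision = action
        if "community" in sets:          # set actions of every matching rule apply
            attrs["communities"].add(sets["community"])
        if "localpref" in sets:
            attrs["localpref"] = sets["localpref"]
    return decision, attrs

if __name__ == "__main__":
    print(evaluate("from", "208.72.151.166", "10.1.0.0/16"))                   # bogon: deny
    print(evaluate("from", "208.72.151.166", "8.8.8.0/24", ["16739:22001"]))   # via HTC: localpref 110
    print(evaluate("to", "208.72.151.166", "96.3.205.0/24"))                   # tagged 16739:502
```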