mirror of
https://github.com/knorrie/network-examples
synced 2025-08-29 05:29:21 +00:00
BGP Intro: WIP
This commit is contained in:
Hans van Kranenburg
parent
ce24461687
commit
9d54d06927
@ -41,7 +41,7 @@ In the second half of this tutorial we'll configure a network, using OSPF, BGP a
|
||||
|
||||
|
||||
|
||||
It's starting to look serious now! Thankfully, most of the configuration is provided already, so we can quickly set up this whole network using our LXC environment. Just like in the previous tutorial, the birdbase container can be cloned, after which the lxc network information and configuration inside the containers can be copied into them.
|
||||
Our networks start to look serious now! Thankfully, most of the configuration is provided already, so we can quickly set up this whole network using our LXC environment. Just like in the previous tutorial, the birdbase container can be cloned, after which the lxc network information and configuration inside the containers can be copied into them.
|
||||
|
||||
1. Clone this git repository somewhere to be able to use some files from the bgp-intro/lxc/ directory inside.
|
||||
2. lxc-clone the birdbase container several times:
|
||||
@ -146,10 +146,10 @@ It's starting to look serious now! Thankfully, most of the configuration is prov
|
||||
2001:db8:40::3/128 via fe80::aff:fe28:d801 on vlan216 [ospf1 22:58:08] * I (150/20) [10.40.217.3]
|
||||
2001:db8:40:d910::/120 via fe80::aff:fe28:d801 on vlan216 [ospf1 22:58:08] * I (150/20) [10.40.217.3]
|
||||
|
||||
As you can see, OSPF is running for IPv4 and IPv6, and has discovered the complete internal network of AS64080.
|
||||
As you can see, OSPF is running for IPv4 and IPv6, and has discovered the complete internal network of `AS64080`.
|
||||
|
||||
Now make sure you can do the following, and answer the following questions:
|
||||
* From H6, `traceroute -n` and `traceroute6 -n` to a few destinations in AS64080 to get acquainted with the network topology.
|
||||
* From H6, `traceroute -n` and `traceroute6 -n` to a few destinations in `AS64080` to get acquainted with the network topology.
|
||||
* Look at the BIRD logging. A fun way to follow the logging is to do `tail -F R*/rootfs/var/log/bird/*.log` from outside the containers, and then start all of them.
|
||||
* Find out why `10.40.217.18` or `2001:db8:40:d910::2` on `R10` cannot be pinged from `R1`, while the route to `10.40.217.16/30` and `2001:db8:40:d910::/120` are actually present in the routing table of `R1` and `R3`.
|
||||
|
||||
@ -214,15 +214,50 @@ Now, add the following configuration to `bird.conf` of `R3`:
|
||||
export none;
|
||||
}
|
||||
|
||||
### A closer look
|
||||
|
||||
Let me explain a bit about what's going on here. So far, we've used the BIRD protocol types `kernel`, `device` and `ospf`. This configuration snippet introduces three other ones: `static`, `bgp` and `pipe`. Besides that, there's also a table definition on top.
|
||||
|
||||
* By issuing `table t_r10`, we tell BIRD that we'd like to use an extra internal routing table with the name `t_r10`. By default, BIRD always has a routing table named `master`, and now we added a second one. Routing tables in BIRD are just a collection of routes, having some attributes.
|
||||
* The static protocol is used to generate a collection of static routes. In this case, we define a protocol static with name `originate_to_r10`, and connect it to table `t_r10`. The import statement causes the routes that are generated by this static route protocol to be imported into the `t_r10` table. Static routes usually have a target of a neighbor router, using a via statement, but in this case, we don't care about a next hop, since it's just a collection of some prefixes that will be exported via BGP. The blackhole won't be actually used for anything here.
|
||||
* The bgp protocol is named after the router which it's talking to, `R10`, and is also connected to the `t_r10` routing table inside BIRD. It has a local and remote IP address and AS number. The import rules are a bit more complex than a simple `import all`, which also would have been sufficient here. I'll explain more about that later, although I doubt you wouldn't already understand what they do. The export rule contains a simple filter that tells BIRD to push all routes from table `t_r10` that originate from a static protocol to the outside, to `R10`.
|
||||
* The pipe protocol is a simple protocol that is able to move around routes between internal BIRD routing tables. In this case, the pipe protocol `p_master_to_r10` is connected to the central `master` routing table and is looking at table `t_r10`. From table `t_r10`, all routes that originate from an external BGP peer are imported into the master table. Doing so will make sure that the routes that will be learned from the remote network end up in the routing table of the Linux kernel (via the kernel protocol that exports them from the BIRD master table to the outside, to the Linux kernel), while the routes that only were meant to be used to export to the BGP peer (generated by the static protocol) stay in `t_r10`.
|
||||
table t_r10;
|
||||
|
||||
By issuing `table t_r10`, we tell BIRD that we'd like to use an extra internal routing table with the name `t_r10`. By default, BIRD always has a routing table named `master`, and now we added a second one. Routing tables in BIRD are just a collection of routes, having some attributes.
|
||||
|
||||
protocol static originate_to_r10 {
|
||||
table t_r10;
|
||||
import all; # originate here
|
||||
route 10.40.0.0/22 blackhole;
|
||||
route 10.40.216.0/21 blackhole;
|
||||
}
|
||||
|
||||
The static protocol is used to generate a collection of static routes. In this case, we define a protocol static with name `originate_to_r10`, and connect it to table `t_r10`. The import statement causes the routes that are generated by this static route protocol to be imported into the `t_r10` table. Static routes usually have a target of a neighbor router, using a via statement, but in this case, we don't care about a next hop, since it's just a collection of some prefixes that will be exported via BGP. The blackhole won't be actually used for anything here.
|
||||
|
||||
protocol bgp ebgp_r10 {
|
||||
table t_r10;
|
||||
local 10.40.217.17 as 64080;
|
||||
neighbor 10.40.217.18 as 65033;
|
||||
import filter {
|
||||
if net ~ [ 10.0.0.0/8{19,24} ] then accept;
|
||||
reject;
|
||||
};
|
||||
import keep filtered on;
|
||||
export where source = RTS_STATIC;
|
||||
}
|
||||
|
||||
The bgp protocol is named after the router which it's talking to, `R10`, and is also connected to the `t_r10` routing table inside BIRD. It has a local and remote IP address and AS number. The import rules are a bit more complex than a simple `import all`, which also would have been sufficient here to get it working. The filter shown here just makes sure only RFC1918 prefixes from `10/8` are accepted, which are allowed to be from a `/19` to `/24` in size each. The export rule contains a simple filter that tells BIRD to push all routes from table `t_r10` that originate from a static protocol to the outside, to `R10`.
|
||||
|
||||
protocol pipe p_master_to_r10 {
|
||||
table master;
|
||||
peer table t_r10;
|
||||
import where source = RTS_BGP;
|
||||
export none;
|
||||
}
|
||||
|
||||
The pipe protocol is a simple protocol that is able to move around routes between internal BIRD routing tables. In this case, the pipe protocol `p_master_to_r10` is connected to the central `master` routing table and is looking at table `t_r10`. From table `t_r10`, all routes that originate from an external BGP peer are imported into the master table. Doing so will cause the routes that will be learned from the remote network to end up in the routing table of the Linux kernel (via the kernel protocol that exports them from the BIRD master table outside BIRD), while the routes that only were meant to be used to export to the BGP peer (generated by the static protocol) stay in `t_r10`.
|
||||
|
||||
Remember, the internal BIRD routing tables are not used to actually do packet forwarding. During the OSPF tutorial, we already discussed this difference between the "Control Plane" and "Forwarding Plane". Actually, the routing table inside the control plane is usually called the "RIB" (Routing Information Base), while the routing table that is used in the forwarding plane is called the "FIB" (Forwarding Information Base). Just look up all those terms on the internet to see what everyone is saying about them.
|
||||
|
||||
### Seeing it in action!
|
||||
|
||||
After adding the configuration, fire up the interactive BIRD console, using `birdc`:
|
||||
|
||||
root@R3:/# birdc
|
||||
@ -290,7 +325,7 @@ Since there is no explicit name given for the kernel protocol in the configurati
|
||||
10.40.216.0/21 via 10.40.217.17 dev vlan217 proto bird
|
||||
10.40.217.16/30 dev vlan217 proto kernel scope link src 10.40.217.18
|
||||
|
||||
And there was much rejoicing! Yayyyy! Well, let's have a look what we can do with this result. Since both networks are now aware of each other's routes, I'd expect I can do some tracerouting into a remote network now!
|
||||
Well, let's have a look what we can do with this result. Since both networks are now aware of each other's routes, I'd expect I can do some tracerouting into a remote network now!
|
||||
|
||||
root@R10:/# traceroute -n 10.40.2.6
|
||||
traceroute to 10.40.2.6 (10.40.2.6), 30 hops max, 60 byte packets
|
||||
@ -298,7 +333,7 @@ And there was much rejoicing! Yayyyy! Well, let's have a look what we can do wit
|
||||
2 10.40.216.2 0.430 ms 0.427 ms 0.378 ms
|
||||
3 10.40.2.6 0.781 ms 0.724 ms 0.716 ms
|
||||
|
||||
W00t!. `R10` now knows the route to IPv4 ranges used in `AS64080`, and it seems `H6` also knows a route back to `R10`.
|
||||
`R10` now knows the route to IPv4 ranges used in `AS64080`, and it seems `H6` also knows a route back to `R10`.
|
||||
|
||||
Let's try it from `H34`!
|
||||
|
||||
@ -308,12 +343,12 @@ Let's try it from `H34`!
|
||||
|
||||
Meh, that doesn't look to good. Apparently there's more work to do.
|
||||
|
||||
## Some assignments
|
||||
### Some assignments
|
||||
|
||||
Now make sure you can do the following, and answer the following questions:
|
||||
|
||||
* Configure the IPv6 BGP connection between `R3` and `R10`. IPv4 and IPv6 is handled separately by BIRD now, but the configuration for IPv6 is very similar to the configuration I showed here. Just use import all for bgp if you don't want to learn more about filtering now.
|
||||
* Explain why `10.40.217.18` or `2001:db8:40:d910::2` on `R10` can be pinged from `R1` now:
|
||||
* Explain why `10.40.217.18` or `2001:db8:40:d910::2` on `R10` can be pinged from `R1` now, while this was not the case before:
|
||||
|
||||
root@R1:/# ping6 2001:db8:40:d910::2
|
||||
PING 2001:db8:40:d910::2(2001:db8:40:d910::2) 56 data bytes
|
||||
@ -323,7 +358,8 @@ Now make sure you can do the following, and answer the following questions:
|
||||
--- 2001:db8:40:d910::2 ping statistics ---
|
||||
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
|
||||
rtt min/avg/max/mdev = 0.099/0.249/0.399/0.150 ms
|
||||
* Try to export a route outside of `10.0.0.0/8` over BGP and notice that the filter will actually stop that route from being propagated, while accepting the other routes. Using the `show route filtered protocol ebgp_r3` command the route should be visible, if it was pushed from `R3`.
|
||||
|
||||
* Try to export a route outside of `10.0.0.0/8` over BGP, from `R3` to `R10` and notice that the filter will actually stop that route from being propagated, while accepting the other routes. Using the `show route filtered protocol ebgp_r3` command the route should be visible, thanks to the `import keep filtered on` option that is set.
|
||||
|
||||
------------
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user