Friday, 4 June 2010

Basic BGP - Path Selection with Vyatta

There is actually very little BGP documentation out there on Vyatta, which is strange as if there is one real strength of Vyatta it is BGP.
This set of videos is all about BGP and if it proves popular I will do some more with some more advanced features.

Here is the Picture:




Basic BGP - Path Selection with Vyatta -Part 1
General Setup

Basic BGP - Path Selection with Vyatta -Part 1 from Roggy on Vimeo.




Basic BGP - Path Selection with Vyatta -Part 2

Checking BGP peering
Adding Next-hop-self


Basic BGP - Path Selection with Vyatta -Part 2 from Roggy on Vimeo.



Basic BGP - Path Selection with Vyatta -Part 3
Creating ACLs
Creating Prefix Lists
Creating Route-maps
Setting Local Pref
Setting Med
Clearing a Peer


Basic BGP - Path Selection with Vyatta -Part 3 from Roggy on Vimeo.




Although it can seem a little boring, I always like to include the full configs:
R1

firewall {
all-ping enable
broadcast-ping disable
conntrack-table-size 32768
conntrack-tcp-loose enable
ip-src-route disable
ipv6-receive-redirects disable
ipv6-src-route disable
log-martians enable
name ALLOW_ESTABLISHED {
default-action drop
rule 10 {
action accept
state {
established enable
}
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
address 172.12.123.1/24
description R1-R2-R3
duplex auto
hw-id 00:0c:29:fe:17:2d
smp_affinity auto
speed auto
}
ethernet eth1 {
duplex auto
hw-id 00:0c:29:fe:17:37
smp_affinity auto
speed auto
}
ethernet eth2 {
address dhcp
duplex auto
hw-id 00:0c:29:fe:17:41
smp_affinity auto
speed auto
}
loopback lo {
address 5.5.5.5/24
address 6.6.6.6/24
address 7.7.7.7/24
address 8.8.8.8/24
}
}
policy {
}
protocols {
bgp 1 {
neighbor 172.12.123.2 {
remote-as 234
}
neighbor 172.12.123.3 {
remote-as 234
}
redistribute {
connected {
}
}
}
}
service {
dns {
forwarding {
cache-size 150
listen-on eth1
name-server 208.67.222.222
name-server 208.67.220.220
}
}
nat {
rule 10 {
outbound-interface eth0
source {
address 192.168.10.0/24
}
type masquerade
}
}
ssh {
allow-root
port 22
protocol-version v2
}
}
system {
host-name R1
login {
user root {
authentication {
encrypted-password $1$ORKO400D$9GoL/vifapZLo3p.sLkUs/
plaintext-password ""
}
level admin
}
user vyatta {
authentication {
encrypted-password $1$Z9oMjC/m$r.T2vNILnVuZnIwkKhg58.
}
level admin
}
}
ntp-server 0.vyatta.pool.ntp.org
package {
auto-sync 1
repository community {
components main
distribution stable
password ""
url http://packages.vyatta.com/vyatta
username ""
}
repository lenny {
components main
distribution lenny
password ""
url http://packages.vyatta.com/debian/
username ""
}
repository VC6 {
components main
distribution VC6.0
password ""
url http://packages.vyatta.com/vyatta/
username ""
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone GMT
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "cluster@1:dhcp-relay@1:dhcp-server@4:firewall@3:ipsec@2:nat@3:quagga@1:system@3:vrrp@1:wanloadbalance@2:webgui@1:webproxy@1" === */
/* Release version: VC6.0-2010.03.22 */



R2

firewall {
all-ping enable
broadcast-ping disable
conntrack-table-size 32768
conntrack-tcp-loose enable
ip-src-route disable
ipv6-receive-redirects disable
ipv6-src-route disable
log-martians enable
name ALLOW_ESTABLISHED {
default-action drop
rule 10 {
action accept
state {
established enable
}
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
address 172.12.123.2/24
description R1-R2-R3
duplex auto
hw-id 00:0c:29:fa:84:8d
smp_affinity auto
speed auto
}
ethernet eth1 {
address 172.12.234.2/24
description Inside
duplex auto
hw-id 00:0c:29:fa:84:97
smp_affinity auto
speed auto
}
ethernet eth2 {
address dhcp
description DMZ
duplex auto
hw-id 00:0c:29:fa:84:a1
smp_affinity auto
speed auto
}
loopback lo {
}
}
policy {
access-list 100 {
rule 10 {
action permit
destination {
any
}
source {
any
}
}
}
access-list 150 {
rule 10 {
action permit
destination {
any
}
source {
inverse-mask 0.0.0.255
network 172.12.234.0
}
}
}
route-map SET-LOCAL-PREF {
rule 10 {
action permit
match {
ip {
address {
access-list 100
}
}
}
set {
local-preference 301
}
}
}
route-map SET-MED {
rule 10 {
action permit
match {
ip {
address {
access-list 150
}
}
}
set {
metric 201
}
}
rule 20 {
action permit
match {
ip {
address {
access-list 100
}
}
}
}
}
}
protocols {
bgp 234 {
neighbor 172.12.123.1 {
remote-as 1
route-map {
export SET-MED
}
}
neighbor 172.12.234.4 {
nexthop-self
remote-as 234
route-map {
export SET-LOCAL-PREF
}
}
redistribute {
connected {
}
}
}
}
service {
dns {
forwarding {
cache-size 150
listen-on eth1
name-server 208.67.222.222
name-server 208.67.220.220
}
}
ssh {
allow-root
port 22
protocol-version v2
}
}
system {
host-name R2
login {
user root {
authentication {
encrypted-password $1$ORKO400D$9GoL/vifapZLo3p.sLkUs/
plaintext-password ""
}
level admin
}
user vyatta {
authentication {
encrypted-password $1$Z9oMjC/m$r.T2vNILnVuZnIwkKhg58.
}
level admin
}
}
ntp-server 0.vyatta.pool.ntp.org
package {
auto-sync 1
repository community {
components main
distribution stable
password ""
url http://packages.vyatta.com/vyatta
username ""
}
repository lenny {
components main
distribution lenny
password ""
url http://packages.vyatta.com/debian/
username ""
}
repository VC6 {
components main
distribution VC6.0
password ""
url http://packages.vyatta.com/vyatta/
username ""
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone GMT
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "cluster@1:dhcp-relay@1:dhcp-server@4:firewall@3:ipsec@2:nat@3:quagga@1:system@3:vrrp@1:wanloadbalance@2:webgui@1:webproxy@1" === */
/* Release version: VC6.0-2010.03.22 */



R3

firewall {
all-ping enable
broadcast-ping disable
conntrack-table-size 32768
conntrack-tcp-loose enable
ip-src-route disable
ipv6-receive-redirects disable
ipv6-src-route disable
log-martians enable
name ALLOW_ESTABLISHED {
default-action drop
rule 10 {
action accept
state {
established enable
}
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
address 172.12.123.3/24
description R1-R2-R3
duplex auto
hw-id 00:0c:29:21:bd:6f
smp_affinity auto
speed auto
}
ethernet eth1 {
address 172.12.234.3/24
description R2-R3-R4
duplex auto
hw-id 00:0c:29:21:bd:79
smp_affinity auto
speed auto
}
ethernet eth2 {
address dhcp
description DMZ
duplex auto
hw-id 00:0c:29:21:bd:83
smp_affinity auto
speed auto
}
loopback lo {
}
}
policy {
access-list 150 {
rule 10 {
action permit
destination {
any
}
source {
inverse-mask 0.0.0.255
network 172.12.234.0
}
}
}
prefix-list ALL-ROUTES {
rule 10 {
action permit
le 32
prefix 0.0.0.0/0
}
}
route-map SET-LOCAL-PREF {
rule 10 {
action permit
match {
ip {
address {
prefix-list ALL-ROUTES
}
}
}
set {
local-preference 201
}
}
}
route-map SET-MED {
rule 10 {
action permit
match {
ip {
address {
access-list 150
}
}
}
set {
metric 101
}
}
rule 20 {
action permit
match {
ip {
address {
prefix-list ALL-ROUTES
}
}
}
}
}
}
protocols {
bgp 234 {
neighbor 172.12.123.1 {
remote-as 1
route-map {
export SET-MED
}
}
neighbor 172.12.234.4 {
nexthop-self
remote-as 234
route-map {
export SET-LOCAL-PREF
}
}
redistribute {
connected {
}
}
}
}
service {
dns {
forwarding {
cache-size 150
listen-on eth1
name-server 208.67.222.222
name-server 208.67.220.220
}
}
ssh {
allow-root
port 22
protocol-version v2
}
}
system {
host-name R3
login {
user root {
authentication {
encrypted-password $1$ORKO400D$9GoL/vifapZLo3p.sLkUs/
plaintext-password ""
}
level admin
}
user vyatta {
authentication {
encrypted-password $1$Z9oMjC/m$r.T2vNILnVuZnIwkKhg58.
}
level admin
}
}
ntp-server 0.vyatta.pool.ntp.org
package {
auto-sync 1
repository community {
components main
distribution stable
password ""
url http://packages.vyatta.com/vyatta
username ""
}
repository lenny {
components main
distribution lenny
password ""
url http://packages.vyatta.com/debian/
username ""
}
repository VC6 {
components main
distribution VC6.0
password ""
url http://packages.vyatta.com/vyatta/
username ""
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone GMT
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "cluster@1:dhcp-relay@1:dhcp-server@4:firewall@3:ipsec@2:nat@3:quagga@1:system@3:vrrp@1:wanloadbalance@2:webgui@1:webproxy@1" === */
/* Release version: VC6.0-2010.03.22 */



R4

firewall {
all-ping enable
broadcast-ping disable
conntrack-table-size 32768
conntrack-tcp-loose enable
ip-src-route disable
ipv6-receive-redirects disable
ipv6-src-route disable
log-martians enable
name ALLOW_ESTABLISHED {
default-action drop
rule 10 {
action accept
state {
established enable
}
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
address 172.12.234.4/24
duplex auto
smp_affinity auto
speed auto
}
ethernet eth2 {
address dhcp
duplex auto
smp_affinity auto
speed auto
}
loopback lo {
}
}
protocols {
bgp 234 {
neighbor 172.12.234.2 {
remote-as 234
}
neighbor 172.12.234.3 {
remote-as 234
}
redistribute {
connected {
}
}
}
}
service {
dhcp-server {
disabled false
shared-network-name POOL1 {
authoritative disable
subnet 192.168.10.0/24 {
default-router 192.168.10.1
dns-server 192.168.10.1
domain-name Vyatta.local
lease 86400
start 192.168.10.10 {
stop 192.168.10.200
}
}
}
}
dns {
forwarding {
cache-size 150
listen-on eth1
name-server 208.67.222.222
name-server 208.67.220.220
}
}
nat {
rule 10 {
outbound-interface eth0
source {
address 192.168.10.0/24
}
type masquerade
}
}
ssh {
allow-root
port 22
protocol-version v2
}
}
system {
host-name R4
login {
user root {
authentication {
encrypted-password $1$ORKO400D$9GoL/vifapZLo3p.sLkUs/
plaintext-password ""
}
level admin
}
user vyatta {
authentication {
encrypted-password $1$Z9oMjC/m$r.T2vNILnVuZnIwkKhg58.
}
level admin
}
}
ntp-server 0.vyatta.pool.ntp.org
package {
auto-sync 1
repository community {
components main
distribution stable
password ""
url http://packages.vyatta.com/vyatta
username ""
}
repository lenny {
components main
distribution lenny
password ""
url http://packages.vyatta.com/debian/
username ""
}
repository VC6 {
components main
distribution VC6.0
password ""
url http://packages.vyatta.com/vyatta/
username ""
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone GMT
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "cluster@1:dhcp-relay@1:dhcp-server@4:firewall@3:ipsec@2:nat@3:quagga@1:system@3:vrrp@1:wanloadbalance@2:webgui@1:webproxy@1" === */
/* Release version: VC6.0-2010.03.22 */

3 comments:

Stig said...

Very informative Roggy. I've added a link on Vyatta's User Submitted Tutorials page: http://www.vyatta.org/documentation/tips-tricks

Zellius said...

Roggy;

Thanks for this fee example for simple BGP setup. We need support on 2 isp bgp setup how can we contact you for consulting. Thanks

liridonq said...

Very good post, can you explain to us is there a way to apply route-maps to an interface kinda like cisco configuration. I cannot find a way to manipulate source based routing. Thank you.