blob: 96de1de51256aa83d9a3a7e751c23d001bfebd53 [file] [log] [blame]
paul0c3368a2004-11-07 19:00:16 +00001@c -*-texinfo-*-
2@c @value{COPYRIGHT_STR}
3@c See file quagga.texi for copying conditions.
4@c
5@c This file is a modified version of Jose Luis Rubio's TeX sources
6@c of his RS-Manual document
7
8@node Configuring Quagga as a Route Server
9@chapter Configuring Quagga as a Route Server
10
11The purpose of a Route Server is to centralize the peerings between BGP
12speakers. For example if we have an exchange point scenario with four BGP
13speakers, each of which maintaining a BGP peering with the other three
14(@pxref{fig:full-mesh}), we can convert it into a centralized scenario where
15each of the four establishes a single BGP peering against the Route Server
16(@pxref{fig:route-server}).
17
18We will first describe briefly the Route Server model implemented by Quagga.
19We will explain the commands that have been added for configuring that
20model. And finally we will show a full example of Quagga configured as Route
21Server.
22
23@menu
24* Description of the Route Server model::
25* Commands for configuring a Route Server::
26* Example of Route Server Configuration::
27@end menu
28
29@node Description of the Route Server model
30@section Description of the Route Server model
31
32First we are going to describe the normal processing that BGP announcements
33suffer inside a standard BGP speaker, as shown in @ref{fig:normal-processing},
34it consists of three steps:
35
36@itemize
37@item When an announcement is received from some peer, the `In' filters
38configured for that peer are applied to the announcement. These filters can
39reject the announcement, accept it unmodified, or accept it with some of its
40attributes modified.
41
42@item The announcements that pass the `In' filters go into the
43Best Path Selection process, where they are compared to other
44announcements referred to the same destination that have been
45received from different peers (in case such other
46announcements exist). For each different destination, the announcement
47which is selected as the best is inserted into the BGP speaker's Loc-RIB.
48
49@item The routes which are inserted in the Loc-RIB are
50considered for announcement to all the peers (except the one
51from which the route came). This is done by passing the routes
52in the Loc-RIB through the `Out' filters corresponding to each
53peer. These filters can reject the route,
54accept it unmodified, or accept it with some of its attributes
55modified. Those routes which are accepted by the `Out' filters
56of a peer are announced to that peer.
57@end itemize
58
59@float Figure,fig:normal-processing
60@image{fig-normal-processing,500pt,,Normal announcement processing,eps}
61@caption{Announcement processing inside a ``normal'' BGP speaker}
62@end float
63
64@float Figure,fig:full-mesh
65@image{fig_topologies_full,,,Full Mesh BGP Topology,eps}
66@caption{Full Mesh}
67@end float
68
69@float Figure,fig:route-server
70@image{fig_topologies_rs,,,Route Server BGP Topology,eps}
71@caption{Route Server and clients}
72@end float
73
74Of course we want that the routing tables obtained in each of the routers
75are the same when using the route server than when not. But as a consequence
76of having a single BGP peering (against the route server), the BGP speakers
77can no longer distinguish from/to which peer each announce comes/goes.
78@anchor{filter-delegation}This means that the routers connected to the route
79server are not able to apply by themselves the same input/output filters
80as in the full mesh scenario, so they have to delegate those functions to
81the route server.
82
83Even more, the ``best path'' selection must be also performed inside the route
84server on behalf of its clients. The reason is that if, after applying the
85filters of the announcer and the (potential) receiver, the route server
86decides to send to some client two or more different announcements referred
87to the same destination, the client will only retain the last one,
88considering it as an implicit withdrawal of the previous announcements for
89the same destination. This is the expected behavior of a BGP speaker as
90defined in @cite{RFC1771}, and even though there are some proposals of
91mechanisms that permit multiple paths for the same destination to be sent
92through a single BGP peering, none of them are currently supported by most
93of the existing BGP implementations.
94
95As a consequence a route server must maintain additional information and
96perform additional tasks for a RS-client that those necessary for common BGP
97peerings. Essentially a route server must:
98
99@anchor{Route Server tasks}
100@itemize
101@item Maintain a separated Routing Information Base (Loc-RIB)
102for each peer configured as RS-client, containing the routes
103selected as a result of the ``Best Path Selection'' process
104that is performed on behalf of that RS-client.
105
106@item Whenever it receives an announcement from a RS-client,
107it must consider it for the Loc-RIBs of the other RS-clients.
108
109@anchor{Route-server path filter process}
110@itemize
111@item
112This means that for each of them the route server must pass the
113announcement through the appropriate `Out' filter of the
114announcer.
115
116@item
117Then through the appropriate `In' filter of
118the potential receiver.
119
120@item
121Only if the announcement is accepted by both filters it will be passed
122to the ``Best Path Selection'' process.
123
124@item
125Finally, it might go into the Loc-RIB of the receiver.
126@end itemize
127@c end of route-server best path process list
128@end itemize
129@c end of route-server tasks list
130
131When we talk about the ``appropriate'' filter, both the announcer and the
132receiver of the route must be taken into account. Suppose that the route
133server receives an announcement from client A, and the route server is
134considering it for the Loc-RIB of client B. The filters that should be
135applied are the same that would be used in the full mesh scenario, i.e.,
136first the `Out' filter of router A for announcements going to router B, and
137then the `In' filter of router B for announcements coming from router A.
138
139We call ``Export Policy'' of a RS-client to the set of `Out' filters that
140the client would use if there was no route server. The same applies for the
141``Import Policy'' of a RS-client and the set of `In' filters of the client
142if there was no route server.
143
144It is also common to demand from a route server that it does not
145modify some BGP attributes (next-hop, as-path and MED) that are usually
146modified by standard BGP speakers before announcing a route.
147
148The announcement processing model implemented by Quagga is shown in
149@ref{fig:rs-processing}. The figure shows a mixture of RS-clients (B, C and D)
150with normal BGP peers (A). There are some details that worth additional
151comments:
152
153@itemize
154@item Announcements coming from a normal BGP peer are also
155considered for the Loc-RIBs of all the RS-clients. But
156logically they do not pass through any export policy.
157
158@item Those peers that are configured as RS-clients do not
159receive any announce from the `Main' Loc-RIB.
160
161@item Apart from import and export policies,
162`In' and `Out' filters can also be set for RS-clients. `In'
163filters might be useful when the route server has also normal
164BGP peers. On the other hand, `Out' filters for RS-clients are
165probably unnecessary, but we decided not to remove them as
166they do not hurt anybody (they can always be left empty).
167@end itemize
168
169@float Figure,fig:rs-processing
170@image{fig-rs-processing,500pt,,,eps}
171@caption{Announcement processing model implemented by the Route Server}
172@end float
173
174@node Commands for configuring a Route Server
175@section Commands for configuring a Route Server
176
177Now we will describe the commands that have been added to quagga
178in order to support the route server features.
179
180@deffn {Route-Server} {neighbor @var{peer-group} route-server-client} {}
181@deffnx {Route-Server} {neighbor @var{A.B.C.D} route-server-client} {}
182@deffnx {Route-Server} {neighbor @var{X:X::X:X} route-server-client} {}
183This command configures the peer given by @var{peer}, @var{A.B.C.D} or
184@var{X:X::X:X} as an RS-client.
185
186Actually this command is not new, it already existed in standard Quagga. It
187enables the transparent mode for the specified peer. This means that some
188BGP attributes (as-path, next-hop and MED) of the routes announced to that
189peer are not modified.
190
191With the route server patch, this command, apart from setting the
192transparent mode, creates a new Loc-RIB dedicated to the specified peer
193(those named `Loc-RIB for X' in @ref{fig:rs-processing}.). Starting from
194that moment, every announcement received by the route server will be also
195considered for the new Loc-RIB.
196@end deffn
197
198@deffn {Route-Server} {neigbor @{A.B.C.D|X.X::X.X|peer-group@} route-map WORD @{import|export@}} {}
199This set of commands can be used to specify the route-map that
200represents the Import or Export policy of a peer which is
201configured as a RS-client (with the previous command).
202@end deffn
203
204@deffn {Route-Server} {match peer @{A.B.C.D|X:X::X:X@}} {}
205This is a new @emph{match} statement for use in route-maps, enabling them to
206describe import/export policies. As we said before, an import/export policy
207represents a set of input/output filters of the RS-client. This statement
208makes possible that a single route-map represents the full set of filters
209that a BGP speaker would use for its different peers in a non-RS scenario.
210
211The @emph{match peer} statement has different semantics whether it is used
212inside an import or an export route-map. In the first case the statement
213matches if the address of the peer who sends the announce is the same that
214the address specified by @{A.B.C.D|X:X::X:X@}. For export route-maps it
215matches when @{A.B.C.D|X:X::X:X@} is the address of the RS-Client into whose
216Loc-RIB the announce is going to be inserted (how the same export policy is
217applied before different Loc-RIBs is shown in @ref{fig:rs-processing}.).
218@end deffn
219
220@deffn {Route-map Command} {call @var{WORD}} {}
221This command (also used inside a route-map) jumps into a different
222route-map, whose name is specified by @var{WORD}. When the called
223route-map finishes, depending on its result the original route-map
224continues or not. Apart from being useful for making import/export
225route-maps easier to write, this command can also be used inside
226any normal (in or out) route-map.
227@end deffn
228
229@node Example of Route Server Configuration
230@section Example of Route Server Configuration
231
232Finally we are going to show how to configure a Quagga daemon to act as a
233Route Server. For this purpose we are going to present a scenario without
234route server, and then we will show how to use the configurations of the BGP
235routers to generate the configuration of the route server.
236
237All the configuration files shown in this section have been taken
238from scenarios which were tested using the VNUML tool
239@uref{http://www.dit.upm.es/vnuml,VNUML}.
240
241@menu
242* Configuration of the BGP routers without Route Server::
243* Configuration of the BGP routers with Route Server::
244* Configuration of the Route Server itself::
245* Further considerations about Import and Export route-maps::
246@end menu
247
248@node Configuration of the BGP routers without Route Server
249@subsection Configuration of the BGP routers without Route Server
250
251We will suppose that our initial scenario is an exchange point with three
252BGP capable routers, named RA, RB and RC. Each of the BGP speakers generates
253some routes (with the @var{network} command), and establishes BGP peerings
254against the other two routers. These peerings have In and Out route-maps
255configured, named like ``PEER-X-IN'' or ``PEER-X-OUT''. For example the
256configuration file for router RA could be the following:
257
258@example
259#Configuration for router 'RA'
260!
261hostname RA
262password ****
263!
264router bgp 65001
265 no bgp default ipv4-unicast
266 neighbor 2001:0DB8::B remote-as 65002
267 neighbor 2001:0DB8::C remote-as 65003
268!
269 address-family ipv6
270 network 2001:0DB8:AAAA:1::/64
271 network 2001:0DB8:AAAA:2::/64
272 network 2001:0DB8:0000:1::/64
273 network 2001:0DB8:0000:2::/64
274
275 neighbor 2001:0DB8::B activate
276 neighbor 2001:0DB8::B soft-reconfiguration inbound
277 neighbor 2001:0DB8::B route-map PEER-B-IN in
278 neighbor 2001:0DB8::B route-map PEER-B-OUT out
279
280 neighbor 2001:0DB8::C activate
281 neighbor 2001:0DB8::C soft-reconfiguration inbound
282 neighbor 2001:0DB8::C route-map PEER-C-IN in
283 neighbor 2001:0DB8::C route-map PEER-C-OUT out
284 exit-address-family
285!
286ipv6 prefix-list COMMON-PREFIXES seq 5 permit 2001:0DB8:0000::/48 ge 64 le 64
287ipv6 prefix-list COMMON-PREFIXES seq 10 deny any
288!
289ipv6 prefix-list PEER-A-PREFIXES seq 5 permit 2001:0DB8:AAAA::/48 ge 64 le 64
290ipv6 prefix-list PEER-A-PREFIXES seq 10 deny any
291!
292ipv6 prefix-list PEER-B-PREFIXES seq 5 permit 2001:0DB8:BBBB::/48 ge 64 le 64
293ipv6 prefix-list PEER-B-PREFIXES seq 10 deny any
294!
295ipv6 prefix-list PEER-C-PREFIXES seq 5 permit 2001:0DB8:CCCC::/48 ge 64 le 64
296ipv6 prefix-list PEER-C-PREFIXES seq 10 deny any
297!
298route-map PEER-B-IN permit 10
299 match ipv6 address prefix-list COMMON-PREFIXES
300 set metric 100
301route-map PEER-B-IN permit 20
302 match ipv6 address prefix-list PEER-B-PREFIXES
303 set community 65001:11111
304!
305route-map PEER-C-IN permit 10
306 match ipv6 address prefix-list COMMON-PREFIXES
307 set metric 200
308route-map PEER-C-IN permit 20
309 match ipv6 address prefix-list PEER-C-PREFIXES
310 set community 65001:22222
311!
312route-map PEER-B-OUT permit 10
313 match ipv6 address prefix-list PEER-A-PREFIXES
314!
315route-map PEER-C-OUT permit 10
316 match ipv6 address prefix-list PEER-A-PREFIXES
317!
318line vty
319!
320@end example
321
322@node Configuration of the BGP routers with Route Server
323@subsection Configuration of the BGP routers with Route Server
324
325To convert the initial scenario into one with route server, first we must
326modify the configuration of routers RA, RB and RC. Now they must not peer
327between them, but only with the route server. For example, RA's
328configuration would turn into:
329
330@example
331# Configuration for router 'RA'
332!
333hostname RA
334password ****
335!
336router bgp 65001
337 no bgp default ipv4-unicast
338 neighbor 2001:0DB8::FFFF remote-as 65000
339!
340 address-family ipv6
341 network 2001:0DB8:AAAA:1::/64
342 network 2001:0DB8:AAAA:2::/64
343 network 2001:0DB8:0000:1::/64
344 network 2001:0DB8:0000:2::/64
345
346 neighbor 2001:0DB8::FFFF activate
347 neighbor 2001:0DB8::FFFF soft-reconfiguration inbound
348 exit-address-family
349!
350line vty
351!
352@end example
353
354Which is logically much simpler than its initial configuration, as it now
355maintains only one BGP peering and all the filters (route-maps) have
356disappeared.
357
358@node Configuration of the Route Server itself
359@subsection Configuration of the Route Server itself
360
361As we said when we described the functions of a route server
362(@pxref{Description of the Route Server model}), it is in charge of all the
363route filtering. To achieve that, the In and Out filters from the RA, RB and
364RC configurations must be converted into Import and Export policies in the
365route server.
366
367This is a fragment of the route server configuration (we only show
368the policies for client RA):
369
370@example
371# Configuration for Route Server ('RS')
372!
373hostname RS
374password ix
375!
376bgp multiple-instance
377!
378router bgp 65000 view RS
379 no bgp default ipv4-unicast
380 neighbor 2001:0DB8::A remote-as 65001
381 neighbor 2001:0DB8::B remote-as 65002
382 neighbor 2001:0DB8::C remote-as 65003
383!
384 address-family ipv6
385 neighbor 2001:0DB8::A activate
386 neighbor 2001:0DB8::A route-server-client
387 neighbor 2001:0DB8::A route-map RSCLIENT-A-IMPORT import
388 neighbor 2001:0DB8::A route-map RSCLIENT-A-EXPORT export
389 neighbor 2001:0DB8::A soft-reconfiguration inbound
390
391 neighbor 2001:0DB8::B activate
392 neighbor 2001:0DB8::B route-server-client
393 neighbor 2001:0DB8::B route-map RSCLIENT-B-IMPORT import
394 neighbor 2001:0DB8::B route-map RSCLIENT-B-EXPORT export
395 neighbor 2001:0DB8::B soft-reconfiguration inbound
396
397 neighbor 2001:0DB8::C activate
398 neighbor 2001:0DB8::C route-server-client
399 neighbor 2001:0DB8::C route-map RSCLIENT-C-IMPORT import
400 neighbor 2001:0DB8::C route-map RSCLIENT-C-EXPORT export
401 neighbor 2001:0DB8::C soft-reconfiguration inbound
402 exit-address-family
403!
404ipv6 prefix-list COMMON-PREFIXES seq 5 permit 2001:0DB8:0000::/48 ge 64 le 64
405ipv6 prefix-list COMMON-PREFIXES seq 10 deny any
406!
407ipv6 prefix-list PEER-A-PREFIXES seq 5 permit 2001:0DB8:AAAA::/48 ge 64 le 64
408ipv6 prefix-list PEER-A-PREFIXES seq 10 deny any
409!
410ipv6 prefix-list PEER-B-PREFIXES seq 5 permit 2001:0DB8:BBBB::/48 ge 64 le 64
411ipv6 prefix-list PEER-B-PREFIXES seq 10 deny any
412!
413ipv6 prefix-list PEER-C-PREFIXES seq 5 permit 2001:0DB8:CCCC::/48 ge 64 le 64
414ipv6 prefix-list PEER-C-PREFIXES seq 10 deny any
415!
416route-map RSCLIENT-A-IMPORT permit 10
417 match peer 2001:0DB8::B
418 call A-IMPORT-FROM-B
419route-map RSCLIENT-A-IMPORT permit 20
420 match peer 2001:0DB8::C
421 call A-IMPORT-FROM-C
422!
423route-map A-IMPORT-FROM-B permit 10
424 match ipv6 address prefix-list COMMON-PREFIXES
425 set metric 100
426route-map A-IMPORT-FROM-B permit 20
427 match ipv6 address prefix-list PEER-B-PREFIXES
428 set community 65001:11111
429!
430route-map A-IMPORT-FROM-C permit 10
431 match ipv6 address prefix-list COMMON-PREFIXES
432 set metric 200
433route-map A-IMPORT-FROM-C permit 20
434 match ipv6 address prefix-list PEER-C-PREFIXES
435 set community 65001:22222
436!
437route-map RSCLIENT-A-EXPORT permit 10
438 match peer 2001:0DB8::B
439 match ipv6 address prefix-list PEER-A-PREFIXES
440route-map RSCLIENT-A-EXPORT permit 20
441 match peer 2001:0DB8::C
442 match ipv6 address prefix-list PEER-A-PREFIXES
443!
444...
445...
446...
447@end example
448
449If you compare the initial configuration of RA with the route server
450configuration above, you can see how easy it is to generate the Import and
451Export policies for RA from the In and Out route-maps of RA's original
452configuration.
453
454When there was no route server, RA maintained two peerings, one with RB and
455another with RC. Each of this peerings had an In route-map configured. To
456build the Import route-map for client RA in the route server, simply add
457route-map entries following this scheme:
458
459@example
460route-map <NAME> permit 10
461 match peer <Peer Address>
462 call <In Route-Map for this Peer>
463route-map <NAME> permit 20
464 match peer <Another Peer Address>
465 call <In Route-Map for this Peer>
466@end example
467
468This is exactly the process that has been followed to generate the route-map
469RSCLIENT-A-IMPORT. The route-maps that are called inside it (A-IMPORT-FROM-B
470and A-IMPORT-FROM-C) are exactly the same than the In route-maps from the
471original configuration of RA (PEER-B-IN and PEER-C-IN), only the name is
472different.
473
474The same could have been done to create the Export policy for RA (route-map
475RSCLIENT-A-EXPORT), but in this case the original Out route-maps where so
476simple that we decided not to use the @var{call WORD} commands, and we
477integrated all in a single route-map (RSCLIENT-A-EXPORT).
478
479The Import and Export policies for RB and RC are not shown, but
480the process would be identical.
481
482@node Further considerations about Import and Export route-maps
483@subsection Further considerations about Import and Export route-maps
484
485The current version of the route server patch only allows to specify a
486route-map for import and export policies, while in a standard BGP speaker
487apart from route-maps there are other tools for performing input and output
488filtering (access-lists, community-lists, ...). But this does not represent
489any limitation, as all kinds of filters can be included in import/export
490route-maps. For example suppose that in the non-route-server scenario peer
491RA had the following filters configured for input from peer B:
492
493@example
494 neighbor 2001:0DB8::B prefix-list LIST-1 in
495 neighbor 2001:0DB8::B filter-list LIST-2 in
496 neighbor 2001:0DB8::B route-map PEER-B-IN in
497 ...
498 ...
499route-map PEER-B-IN permit 10
500 match ipv6 address prefix-list COMMON-PREFIXES
501 set local-preference 100
502route-map PEER-B-IN permit 20
503 match ipv6 address prefix-list PEER-B-PREFIXES
504 set community 65001:11111
505@end example
506
507It is posible to write a single route-map which is equivalent to
508the three filters (the community-list, the prefix-list and the
509route-map). That route-map can then be used inside the Import
510policy in the route server. Lets see how to do it:
511
512@example
513 neighbor 2001:0DB8::A route-map RSCLIENT-A-IMPORT import
514 ...
515!
516...
517route-map RSCLIENT-A-IMPORT permit 10
518 match peer 2001:0DB8::B
519 call A-IMPORT-FROM-B
520...
521...
522!
523route-map A-IMPORT-FROM-B permit 1
524 match ipv6 address prefix-list LIST-1
525 match as-path LIST-2
526 on-match goto 10
527route-map A-IMPORT-FROM-B deny 2
528route-map A-IMPORT-FROM-B permit 10
529 match ipv6 address prefix-list COMMON-PREFIXES
530 set local-preference 100
531route-map A-IMPORT-FROM-B permit 20
532 match ipv6 address prefix-list PEER-B-PREFIXES
533 set community 65001:11111
534!
535...
536...
537@end example
538
539The route-map A-IMPORT-FROM-B is equivalent to the three filters
540(LIST-1, LIST-2 and PEER-B-IN). The first entry of route-map
541A-IMPORT-FROM-B (sequence number 1) matches if and only if both
542the prefix-list LIST-1 and the filter-list LIST-2 match. If that
543happens, due to the ``on-match goto 10'' statement the next
544route-map entry to be processed will be number 10, and as of that
545point route-map A-IMPORT-FROM-B is identical to PEER-B-IN. If
546the first entry does not match, `on-match goto 10'' will be
547ignored and the next processed entry will be number 2, which will
548deny the route.
549
550Thus, the result is the same that with the three original filters,
551i.e., if either LIST-1 or LIST-2 rejects the route, it does not
552reach the route-map PEER-B-IN. In case both LIST-1 and LIST-2
553accept the route, it passes to PEER-B-IN, which can reject, accept
554or modify the route.