blob: afbbd8f0c2537c36f1e824c6a38407f9c4046d0e [file] [log] [blame]
paulfbaf39e2004-11-15 00:45:44 +00001@c -*-texinfo-*-
2@c @value{COPYRIGHT_STR}
3@c See file quagga.texi for copying conditions.
4@c
5@c This file is a modified version of Jose Luis Rubio's TeX sources
6@c of his RS-Manual document
7
8@node Configuring Quagga as a Route Server
9@chapter Configuring Quagga as a Route Server
10
11The purpose of a Route Server is to centralize the peerings between BGP
12speakers. For example if we have an exchange point scenario with four BGP
13speakers, each of which maintaining a BGP peering with the other three
14(@pxref{fig:full-mesh}), we can convert it into a centralized scenario where
15each of the four establishes a single BGP peering against the Route Server
16(@pxref{fig:route-server}).
17
18We will first describe briefly the Route Server model implemented by Quagga.
19We will explain the commands that have been added for configuring that
20model. And finally we will show a full example of Quagga configured as Route
21Server.
22
23@menu
24* Description of the Route Server model::
25* Commands for configuring a Route Server::
26* Example of Route Server Configuration::
27@end menu
28
29@node Description of the Route Server model
30@section Description of the Route Server model
31
32First we are going to describe the normal processing that BGP announcements
33suffer inside a standard BGP speaker, as shown in @ref{fig:normal-processing},
34it consists of three steps:
35
Paul Jakmaab2416a2006-04-03 21:24:27 +000036@itemize @bullet
37@item
38When an announcement is received from some peer, the `In' filters
paulfbaf39e2004-11-15 00:45:44 +000039configured for that peer are applied to the announcement. These filters can
40reject the announcement, accept it unmodified, or accept it with some of its
41attributes modified.
42
Paul Jakmaab2416a2006-04-03 21:24:27 +000043@item
44The announcements that pass the `In' filters go into the
paulfbaf39e2004-11-15 00:45:44 +000045Best Path Selection process, where they are compared to other
46announcements referred to the same destination that have been
47received from different peers (in case such other
48announcements exist). For each different destination, the announcement
49which is selected as the best is inserted into the BGP speaker's Loc-RIB.
50
Paul Jakmaab2416a2006-04-03 21:24:27 +000051@item
52The routes which are inserted in the Loc-RIB are
paulfbaf39e2004-11-15 00:45:44 +000053considered for announcement to all the peers (except the one
54from which the route came). This is done by passing the routes
55in the Loc-RIB through the `Out' filters corresponding to each
56peer. These filters can reject the route,
57accept it unmodified, or accept it with some of its attributes
58modified. Those routes which are accepted by the `Out' filters
59of a peer are announced to that peer.
60@end itemize
61
62@float Figure,fig:normal-processing
Paul Jakmaab2416a2006-04-03 21:24:27 +000063@image{fig-normal-processing,400pt,,Normal announcement processing}
paulfbaf39e2004-11-15 00:45:44 +000064@caption{Announcement processing inside a ``normal'' BGP speaker}
65@end float
66
67@float Figure,fig:full-mesh
Paul Jakmaab2416a2006-04-03 21:24:27 +000068@image{fig_topologies_full,120pt,,Full Mesh BGP Topology}
paulfbaf39e2004-11-15 00:45:44 +000069@caption{Full Mesh}
70@end float
71
72@float Figure,fig:route-server
Paul Jakmaab2416a2006-04-03 21:24:27 +000073@image{fig_topologies_rs,120pt,,Route Server BGP Topology}
paulfbaf39e2004-11-15 00:45:44 +000074@caption{Route Server and clients}
75@end float
76
77Of course we want that the routing tables obtained in each of the routers
78are the same when using the route server than when not. But as a consequence
79of having a single BGP peering (against the route server), the BGP speakers
80can no longer distinguish from/to which peer each announce comes/goes.
81@anchor{filter-delegation}This means that the routers connected to the route
82server are not able to apply by themselves the same input/output filters
83as in the full mesh scenario, so they have to delegate those functions to
84the route server.
85
Paul Jakmaab2416a2006-04-03 21:24:27 +000086Even more, the ``best path'' selection must be also performed inside
87the route server on behalf of its clients. The reason is that if, after
88applying the filters of the announcer and the (potential) receiver, the
89route server decides to send to some client two or more different
90announcements referred to the same destination, the client will only
91retain the last one, considering it as an implicit withdrawal of the
92previous announcements for the same destination. This is the expected
93behavior of a BGP speaker as defined in @cite{RFC1771}, and even though
94there are some proposals of mechanisms that permit multiple paths for
95the same destination to be sent through a single BGP peering, none are
96currently supported by most existing BGP implementations.
paulfbaf39e2004-11-15 00:45:44 +000097
98As a consequence a route server must maintain additional information and
99perform additional tasks for a RS-client that those necessary for common BGP
100peerings. Essentially a route server must:
101
102@anchor{Route Server tasks}
Paul Jakmaab2416a2006-04-03 21:24:27 +0000103@itemize @bullet
104@item
105Maintain a separated Routing Information Base (Loc-RIB)
paulfbaf39e2004-11-15 00:45:44 +0000106for each peer configured as RS-client, containing the routes
107selected as a result of the ``Best Path Selection'' process
108that is performed on behalf of that RS-client.
109
Paul Jakmaab2416a2006-04-03 21:24:27 +0000110@item
111Whenever it receives an announcement from a RS-client,
paulfbaf39e2004-11-15 00:45:44 +0000112it must consider it for the Loc-RIBs of the other RS-clients.
113
114@anchor{Route-server path filter process}
Paul Jakmaab2416a2006-04-03 21:24:27 +0000115@itemize @bullet
paulfbaf39e2004-11-15 00:45:44 +0000116@item
117This means that for each of them the route server must pass the
118announcement through the appropriate `Out' filter of the
119announcer.
120
121@item
122Then through the appropriate `In' filter of
123the potential receiver.
124
125@item
126Only if the announcement is accepted by both filters it will be passed
127to the ``Best Path Selection'' process.
128
129@item
130Finally, it might go into the Loc-RIB of the receiver.
131@end itemize
paulfbaf39e2004-11-15 00:45:44 +0000132@end itemize
paulfbaf39e2004-11-15 00:45:44 +0000133
134When we talk about the ``appropriate'' filter, both the announcer and the
135receiver of the route must be taken into account. Suppose that the route
136server receives an announcement from client A, and the route server is
137considering it for the Loc-RIB of client B. The filters that should be
138applied are the same that would be used in the full mesh scenario, i.e.,
139first the `Out' filter of router A for announcements going to router B, and
140then the `In' filter of router B for announcements coming from router A.
141
142We call ``Export Policy'' of a RS-client to the set of `Out' filters that
143the client would use if there was no route server. The same applies for the
144``Import Policy'' of a RS-client and the set of `In' filters of the client
145if there was no route server.
146
147It is also common to demand from a route server that it does not
148modify some BGP attributes (next-hop, as-path and MED) that are usually
149modified by standard BGP speakers before announcing a route.
150
151The announcement processing model implemented by Quagga is shown in
152@ref{fig:rs-processing}. The figure shows a mixture of RS-clients (B, C and D)
153with normal BGP peers (A). There are some details that worth additional
154comments:
155
Paul Jakmaab2416a2006-04-03 21:24:27 +0000156@itemize @bullet
157@item
158Announcements coming from a normal BGP peer are also
paulfbaf39e2004-11-15 00:45:44 +0000159considered for the Loc-RIBs of all the RS-clients. But
160logically they do not pass through any export policy.
161
Paul Jakmaab2416a2006-04-03 21:24:27 +0000162@item
163Those peers that are configured as RS-clients do not
paulfbaf39e2004-11-15 00:45:44 +0000164receive any announce from the `Main' Loc-RIB.
165
Paul Jakmaab2416a2006-04-03 21:24:27 +0000166@item
167Apart from import and export policies,
paulfbaf39e2004-11-15 00:45:44 +0000168`In' and `Out' filters can also be set for RS-clients. `In'
169filters might be useful when the route server has also normal
170BGP peers. On the other hand, `Out' filters for RS-clients are
171probably unnecessary, but we decided not to remove them as
172they do not hurt anybody (they can always be left empty).
173@end itemize
174
175@float Figure,fig:rs-processing
Paul Jakmaab2416a2006-04-03 21:24:27 +0000176@image{fig-rs-processing,450pt,,Route Server Processing Model}
paulfbaf39e2004-11-15 00:45:44 +0000177@caption{Announcement processing model implemented by the Route Server}
178@end float
179
180@node Commands for configuring a Route Server
181@section Commands for configuring a Route Server
182
183Now we will describe the commands that have been added to quagga
184in order to support the route server features.
185
186@deffn {Route-Server} {neighbor @var{peer-group} route-server-client} {}
187@deffnx {Route-Server} {neighbor @var{A.B.C.D} route-server-client} {}
188@deffnx {Route-Server} {neighbor @var{X:X::X:X} route-server-client} {}
189This command configures the peer given by @var{peer}, @var{A.B.C.D} or
190@var{X:X::X:X} as an RS-client.
191
192Actually this command is not new, it already existed in standard Quagga. It
193enables the transparent mode for the specified peer. This means that some
194BGP attributes (as-path, next-hop and MED) of the routes announced to that
195peer are not modified.
196
197With the route server patch, this command, apart from setting the
198transparent mode, creates a new Loc-RIB dedicated to the specified peer
199(those named `Loc-RIB for X' in @ref{fig:rs-processing}.). Starting from
200that moment, every announcement received by the route server will be also
201considered for the new Loc-RIB.
202@end deffn
203
204@deffn {Route-Server} {neigbor @{A.B.C.D|X.X::X.X|peer-group@} route-map WORD @{import|export@}} {}
205This set of commands can be used to specify the route-map that
206represents the Import or Export policy of a peer which is
207configured as a RS-client (with the previous command).
208@end deffn
209
210@deffn {Route-Server} {match peer @{A.B.C.D|X:X::X:X@}} {}
211This is a new @emph{match} statement for use in route-maps, enabling them to
212describe import/export policies. As we said before, an import/export policy
213represents a set of input/output filters of the RS-client. This statement
214makes possible that a single route-map represents the full set of filters
215that a BGP speaker would use for its different peers in a non-RS scenario.
216
217The @emph{match peer} statement has different semantics whether it is used
218inside an import or an export route-map. In the first case the statement
219matches if the address of the peer who sends the announce is the same that
220the address specified by @{A.B.C.D|X:X::X:X@}. For export route-maps it
221matches when @{A.B.C.D|X:X::X:X@} is the address of the RS-Client into whose
222Loc-RIB the announce is going to be inserted (how the same export policy is
223applied before different Loc-RIBs is shown in @ref{fig:rs-processing}.).
224@end deffn
225
226@deffn {Route-map Command} {call @var{WORD}} {}
227This command (also used inside a route-map) jumps into a different
228route-map, whose name is specified by @var{WORD}. When the called
229route-map finishes, depending on its result the original route-map
230continues or not. Apart from being useful for making import/export
231route-maps easier to write, this command can also be used inside
232any normal (in or out) route-map.
233@end deffn
234
235@node Example of Route Server Configuration
236@section Example of Route Server Configuration
237
238Finally we are going to show how to configure a Quagga daemon to act as a
239Route Server. For this purpose we are going to present a scenario without
240route server, and then we will show how to use the configurations of the BGP
241routers to generate the configuration of the route server.
242
243All the configuration files shown in this section have been taken
244from scenarios which were tested using the VNUML tool
245@uref{http://www.dit.upm.es/vnuml,VNUML}.
246
247@menu
248* Configuration of the BGP routers without Route Server::
249* Configuration of the BGP routers with Route Server::
250* Configuration of the Route Server itself::
251* Further considerations about Import and Export route-maps::
252@end menu
253
254@node Configuration of the BGP routers without Route Server
255@subsection Configuration of the BGP routers without Route Server
256
257We will suppose that our initial scenario is an exchange point with three
258BGP capable routers, named RA, RB and RC. Each of the BGP speakers generates
259some routes (with the @var{network} command), and establishes BGP peerings
260against the other two routers. These peerings have In and Out route-maps
261configured, named like ``PEER-X-IN'' or ``PEER-X-OUT''. For example the
262configuration file for router RA could be the following:
263
264@example
265#Configuration for router 'RA'
266!
267hostname RA
268password ****
269!
270router bgp 65001
271 no bgp default ipv4-unicast
272 neighbor 2001:0DB8::B remote-as 65002
273 neighbor 2001:0DB8::C remote-as 65003
274!
275 address-family ipv6
276 network 2001:0DB8:AAAA:1::/64
277 network 2001:0DB8:AAAA:2::/64
278 network 2001:0DB8:0000:1::/64
279 network 2001:0DB8:0000:2::/64
280
281 neighbor 2001:0DB8::B activate
282 neighbor 2001:0DB8::B soft-reconfiguration inbound
283 neighbor 2001:0DB8::B route-map PEER-B-IN in
284 neighbor 2001:0DB8::B route-map PEER-B-OUT out
285
286 neighbor 2001:0DB8::C activate
287 neighbor 2001:0DB8::C soft-reconfiguration inbound
288 neighbor 2001:0DB8::C route-map PEER-C-IN in
289 neighbor 2001:0DB8::C route-map PEER-C-OUT out
290 exit-address-family
291!
292ipv6 prefix-list COMMON-PREFIXES seq 5 permit 2001:0DB8:0000::/48 ge 64 le 64
293ipv6 prefix-list COMMON-PREFIXES seq 10 deny any
294!
295ipv6 prefix-list PEER-A-PREFIXES seq 5 permit 2001:0DB8:AAAA::/48 ge 64 le 64
296ipv6 prefix-list PEER-A-PREFIXES seq 10 deny any
297!
298ipv6 prefix-list PEER-B-PREFIXES seq 5 permit 2001:0DB8:BBBB::/48 ge 64 le 64
299ipv6 prefix-list PEER-B-PREFIXES seq 10 deny any
300!
301ipv6 prefix-list PEER-C-PREFIXES seq 5 permit 2001:0DB8:CCCC::/48 ge 64 le 64
302ipv6 prefix-list PEER-C-PREFIXES seq 10 deny any
303!
304route-map PEER-B-IN permit 10
305 match ipv6 address prefix-list COMMON-PREFIXES
306 set metric 100
307route-map PEER-B-IN permit 20
308 match ipv6 address prefix-list PEER-B-PREFIXES
309 set community 65001:11111
310!
311route-map PEER-C-IN permit 10
312 match ipv6 address prefix-list COMMON-PREFIXES
313 set metric 200
314route-map PEER-C-IN permit 20
315 match ipv6 address prefix-list PEER-C-PREFIXES
316 set community 65001:22222
317!
318route-map PEER-B-OUT permit 10
319 match ipv6 address prefix-list PEER-A-PREFIXES
320!
321route-map PEER-C-OUT permit 10
322 match ipv6 address prefix-list PEER-A-PREFIXES
323!
324line vty
325!
326@end example
327
328@node Configuration of the BGP routers with Route Server
329@subsection Configuration of the BGP routers with Route Server
330
331To convert the initial scenario into one with route server, first we must
332modify the configuration of routers RA, RB and RC. Now they must not peer
333between them, but only with the route server. For example, RA's
334configuration would turn into:
335
336@example
337# Configuration for router 'RA'
338!
339hostname RA
340password ****
341!
342router bgp 65001
343 no bgp default ipv4-unicast
344 neighbor 2001:0DB8::FFFF remote-as 65000
345!
346 address-family ipv6
347 network 2001:0DB8:AAAA:1::/64
348 network 2001:0DB8:AAAA:2::/64
349 network 2001:0DB8:0000:1::/64
350 network 2001:0DB8:0000:2::/64
351
352 neighbor 2001:0DB8::FFFF activate
353 neighbor 2001:0DB8::FFFF soft-reconfiguration inbound
354 exit-address-family
355!
356line vty
357!
358@end example
359
360Which is logically much simpler than its initial configuration, as it now
361maintains only one BGP peering and all the filters (route-maps) have
362disappeared.
363
364@node Configuration of the Route Server itself
365@subsection Configuration of the Route Server itself
366
367As we said when we described the functions of a route server
368(@pxref{Description of the Route Server model}), it is in charge of all the
369route filtering. To achieve that, the In and Out filters from the RA, RB and
370RC configurations must be converted into Import and Export policies in the
371route server.
372
373This is a fragment of the route server configuration (we only show
374the policies for client RA):
375
376@example
377# Configuration for Route Server ('RS')
378!
379hostname RS
380password ix
381!
382bgp multiple-instance
383!
384router bgp 65000 view RS
385 no bgp default ipv4-unicast
386 neighbor 2001:0DB8::A remote-as 65001
387 neighbor 2001:0DB8::B remote-as 65002
388 neighbor 2001:0DB8::C remote-as 65003
389!
390 address-family ipv6
391 neighbor 2001:0DB8::A activate
392 neighbor 2001:0DB8::A route-server-client
393 neighbor 2001:0DB8::A route-map RSCLIENT-A-IMPORT import
394 neighbor 2001:0DB8::A route-map RSCLIENT-A-EXPORT export
395 neighbor 2001:0DB8::A soft-reconfiguration inbound
396
397 neighbor 2001:0DB8::B activate
398 neighbor 2001:0DB8::B route-server-client
399 neighbor 2001:0DB8::B route-map RSCLIENT-B-IMPORT import
400 neighbor 2001:0DB8::B route-map RSCLIENT-B-EXPORT export
401 neighbor 2001:0DB8::B soft-reconfiguration inbound
402
403 neighbor 2001:0DB8::C activate
404 neighbor 2001:0DB8::C route-server-client
405 neighbor 2001:0DB8::C route-map RSCLIENT-C-IMPORT import
406 neighbor 2001:0DB8::C route-map RSCLIENT-C-EXPORT export
407 neighbor 2001:0DB8::C soft-reconfiguration inbound
408 exit-address-family
409!
410ipv6 prefix-list COMMON-PREFIXES seq 5 permit 2001:0DB8:0000::/48 ge 64 le 64
411ipv6 prefix-list COMMON-PREFIXES seq 10 deny any
412!
413ipv6 prefix-list PEER-A-PREFIXES seq 5 permit 2001:0DB8:AAAA::/48 ge 64 le 64
414ipv6 prefix-list PEER-A-PREFIXES seq 10 deny any
415!
416ipv6 prefix-list PEER-B-PREFIXES seq 5 permit 2001:0DB8:BBBB::/48 ge 64 le 64
417ipv6 prefix-list PEER-B-PREFIXES seq 10 deny any
418!
419ipv6 prefix-list PEER-C-PREFIXES seq 5 permit 2001:0DB8:CCCC::/48 ge 64 le 64
420ipv6 prefix-list PEER-C-PREFIXES seq 10 deny any
421!
422route-map RSCLIENT-A-IMPORT permit 10
423 match peer 2001:0DB8::B
424 call A-IMPORT-FROM-B
425route-map RSCLIENT-A-IMPORT permit 20
426 match peer 2001:0DB8::C
427 call A-IMPORT-FROM-C
428!
429route-map A-IMPORT-FROM-B permit 10
430 match ipv6 address prefix-list COMMON-PREFIXES
431 set metric 100
432route-map A-IMPORT-FROM-B permit 20
433 match ipv6 address prefix-list PEER-B-PREFIXES
434 set community 65001:11111
435!
436route-map A-IMPORT-FROM-C permit 10
437 match ipv6 address prefix-list COMMON-PREFIXES
438 set metric 200
439route-map A-IMPORT-FROM-C permit 20
440 match ipv6 address prefix-list PEER-C-PREFIXES
441 set community 65001:22222
442!
443route-map RSCLIENT-A-EXPORT permit 10
444 match peer 2001:0DB8::B
445 match ipv6 address prefix-list PEER-A-PREFIXES
446route-map RSCLIENT-A-EXPORT permit 20
447 match peer 2001:0DB8::C
448 match ipv6 address prefix-list PEER-A-PREFIXES
449!
450...
451...
452...
453@end example
454
455If you compare the initial configuration of RA with the route server
456configuration above, you can see how easy it is to generate the Import and
457Export policies for RA from the In and Out route-maps of RA's original
458configuration.
459
460When there was no route server, RA maintained two peerings, one with RB and
461another with RC. Each of this peerings had an In route-map configured. To
462build the Import route-map for client RA in the route server, simply add
463route-map entries following this scheme:
464
465@example
466route-map <NAME> permit 10
467 match peer <Peer Address>
468 call <In Route-Map for this Peer>
469route-map <NAME> permit 20
470 match peer <Another Peer Address>
471 call <In Route-Map for this Peer>
472@end example
473
474This is exactly the process that has been followed to generate the route-map
475RSCLIENT-A-IMPORT. The route-maps that are called inside it (A-IMPORT-FROM-B
476and A-IMPORT-FROM-C) are exactly the same than the In route-maps from the
477original configuration of RA (PEER-B-IN and PEER-C-IN), only the name is
478different.
479
480The same could have been done to create the Export policy for RA (route-map
481RSCLIENT-A-EXPORT), but in this case the original Out route-maps where so
482simple that we decided not to use the @var{call WORD} commands, and we
483integrated all in a single route-map (RSCLIENT-A-EXPORT).
484
485The Import and Export policies for RB and RC are not shown, but
486the process would be identical.
487
488@node Further considerations about Import and Export route-maps
489@subsection Further considerations about Import and Export route-maps
490
491The current version of the route server patch only allows to specify a
492route-map for import and export policies, while in a standard BGP speaker
493apart from route-maps there are other tools for performing input and output
494filtering (access-lists, community-lists, ...). But this does not represent
495any limitation, as all kinds of filters can be included in import/export
496route-maps. For example suppose that in the non-route-server scenario peer
497RA had the following filters configured for input from peer B:
498
499@example
500 neighbor 2001:0DB8::B prefix-list LIST-1 in
501 neighbor 2001:0DB8::B filter-list LIST-2 in
502 neighbor 2001:0DB8::B route-map PEER-B-IN in
503 ...
504 ...
505route-map PEER-B-IN permit 10
506 match ipv6 address prefix-list COMMON-PREFIXES
507 set local-preference 100
508route-map PEER-B-IN permit 20
509 match ipv6 address prefix-list PEER-B-PREFIXES
510 set community 65001:11111
511@end example
512
513It is posible to write a single route-map which is equivalent to
514the three filters (the community-list, the prefix-list and the
515route-map). That route-map can then be used inside the Import
516policy in the route server. Lets see how to do it:
517
518@example
519 neighbor 2001:0DB8::A route-map RSCLIENT-A-IMPORT import
520 ...
521!
522...
523route-map RSCLIENT-A-IMPORT permit 10
524 match peer 2001:0DB8::B
525 call A-IMPORT-FROM-B
526...
527...
528!
529route-map A-IMPORT-FROM-B permit 1
530 match ipv6 address prefix-list LIST-1
531 match as-path LIST-2
532 on-match goto 10
533route-map A-IMPORT-FROM-B deny 2
534route-map A-IMPORT-FROM-B permit 10
535 match ipv6 address prefix-list COMMON-PREFIXES
536 set local-preference 100
537route-map A-IMPORT-FROM-B permit 20
538 match ipv6 address prefix-list PEER-B-PREFIXES
539 set community 65001:11111
540!
541...
542...
543@end example
544
545The route-map A-IMPORT-FROM-B is equivalent to the three filters
546(LIST-1, LIST-2 and PEER-B-IN). The first entry of route-map
547A-IMPORT-FROM-B (sequence number 1) matches if and only if both
548the prefix-list LIST-1 and the filter-list LIST-2 match. If that
549happens, due to the ``on-match goto 10'' statement the next
550route-map entry to be processed will be number 10, and as of that
551point route-map A-IMPORT-FROM-B is identical to PEER-B-IN. If
552the first entry does not match, `on-match goto 10'' will be
553ignored and the next processed entry will be number 2, which will
554deny the route.
555
556Thus, the result is the same that with the three original filters,
557i.e., if either LIST-1 or LIST-2 rejects the route, it does not
558reach the route-map PEER-B-IN. In case both LIST-1 and LIST-2
559accept the route, it passes to PEER-B-IN, which can reject, accept
560or modify the route.