How to configure BGP on Vyatta Routers connecting to two different Internet Service Providers?

Question
This document provides the configuration of two Vyatta routers that peer with each other through iBGP, with each router also connecting to ISP1 and ISP2.

In this scenario, eth1 carries the iBGP connection between the two Vyatta routers R1 and R2, and each Vyatta router connects to both ISP1 and ISP2 for redundancy.
Answer
vyatta@R1:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth1             10.10.10.1/24                     u/u  iBGP Connection
eth2             192.0.2.1/29                      u/u  eBGP Connection to ISP2
eth3             203.0.113.1/29                    u/u  eBGP Connection to ISP1
lo               127.0.0.1/8                       u/u
                 10.10.0.253/32


Note that the loopback is configured with the IP address 10.10.0.253/32, which is used for the BGP session within AS 100. This ensures that the BGP session stays up without interruption as long as the router itself is up and running. If the BGP router ID is taken from a physical interface and for some reason that link goes down or is unstable, all BGP sessions go down and have to reconnect to every peer and rebuild the BGP routing table.

An AS-path list is one of the BGP filter options; it uses regular expressions to match information in the BGP AS path. As-path-list LocalPref-AS200 will only accept routes from AS200 that have an AS-path length of 2 or less.

vyatta@R1# show policy
as-path-list LocalPref-AS200 {
    rule 100 {
        action permit
        regex "^200(_[0-9]+){0,1}$"
    }
}


As-path-list LocalPref-AS300 uses the same form of expression as above: it matches routes whose AS path begins with AS300 and has an AS-path length of 2 or less.

as-path-list LocalPref-AS300 {
    rule 100 {
        action permit
        regex "^300(_[0-9]+){0,1}$"
    }
}


Policy as-path-list My-AS uses the regular expression "^$": it matches the beginning of the string ("^") and then immediately the end of the string ("$"), so the string must be empty. In BGP the only time the AS path is empty is when you are looking at a route that your own AS originated. Hence this matches locally originated routes.

as-path-list My-AS {
    rule 10 {
        action permit
        regex ^$
    }
}


To prevent transit traffic (routes learned from ISP1 being advertised to ISP2, and vice versa), we explicitly advertise only the prefixes owned by Vyatta; all other prefixes are rejected by the route-map's implicit default deny.

route-map ebgp {
    rule 10 {
        action permit
        match {
            as-path My-AS
        }
    }
}


Prefix list eBGP-MARTIAN-NETWORKS defines a set of IP address ranges that should not appear on the Internet. Several ranges are reserved or not allocated by the RIRs (Regional Internet Registries), yet they sometimes appear as source addresses during DDoS attacks. To minimize the effect of such attacks, make sure these subnets are filtered where they would enter your network.

NOTE: Martian networks are also known as eBGP bogons; keep this list updated, as IP address ranges keep being added to it.

prefix-list eBGP-MARTIAN-NETWORKS {
    rule 10 {
        action permit
        le 32
        prefix 0.0.0.0/8
    }
    rule 20 {
        action permit
        le 32
        prefix 10.0.0.0/8
    }
    rule 30 {
        action permit
        le 32
        prefix 127.0.0.0/8
    }
    rule 40 {
        action permit
        le 32
        prefix 169.254.0.0/26
    }
    rule 50 {
        action permit
        le 32
        prefix 172.16.0.0/12
    }
    rule 60 {
        action permit
        le 32
        prefix 192.0.0.0/24
    }
    rule 70 {
        action permit
        le 32
        prefix 192.0.2.0/24
    }
    rule 80 {
        action permit
        le 32
        prefix 224.0.0.0/7
    }
}


We want ISP1 to be preferred over ISP2. This is accomplished by setting local-preference in a route-map and then applying that route-map to the BGP neighbor.

route-map ISP1 {
    rule 1 {
        action permit
        match {
            as-path LocalPref-AS200
        }
        set {
            local-preference 100
        }
    }
    rule 10 {
        action deny
        match {
            ip {
                address {
                    prefix-list eBGP-MARTIAN-NETWORKS
                }
            }
        }
    }
    rule 20 {
        action permit
    }
}
route-map ISP2 {
    rule 1 {
        action permit
        match {
            as-path LocalPref-AS300
        }
        set {
            local-preference 200
        }
    }
    rule 10 {
        action deny
        match {
            ip {
                address {
                    prefix-list eBGP-MARTIAN-NETWORKS
                }
            }
        }
    }
    rule 20 {
        action permit
    }
}


set policy as-path-list LocalPref-AS200 rule 100 action 'permit'
set policy as-path-list LocalPref-AS200 rule 100 regex '^200(_[0-9]+){0,1}$'
set policy as-path-list LocalPref-AS300 rule 100 action 'permit'
set policy as-path-list LocalPref-AS300 rule 100 regex '^300(_[0-9]+){0,1}$'
set policy as-path-list My-AS rule 10 action 'permit'
set policy as-path-list My-AS rule 10 regex '^$'
set policy prefix-list eBGP-MARTIAN-NETWORKS rule 10 action 'permit'
set policy prefix-list eBGP-MARTIAN-NETWORKS rule 10 le '32'
set policy prefix-list eBGP-MARTIAN-NETWORKS rule 10 prefix '0.0.0.0/8'
set policy prefix-list eBGP-MARTIAN-NETWORKS rule 20 action 'permit'
set policy prefix-list eBGP-MARTIAN-NETWORKS rule 20 le '32'
set policy prefix-list eBGP-MARTIAN-NETWORKS rule 20 prefix '10.0.0.0/8'
set policy prefix-list eBGP-MARTIAN-NETWORKS rule 30 action 'permit'
set policy prefix-list eBGP-MARTIAN-NETWORKS rule 30 le '32'
set policy prefix-list eBGP-MARTIAN-NETWORKS rule 30 prefix '127.0.0.0/8'
set policy prefix-list eBGP-MARTIAN-NETWORKS rule 40 action 'permit'
set policy prefix-list eBGP-MARTIAN-NETWORKS rule 40 le '32'
set policy prefix-list eBGP-MARTIAN-NETWORKS rule 40 prefix '169.254.0.0/26'
set policy prefix-list eBGP-MARTIAN-NETWORKS rule 50 action 'permit'
set policy prefix-list eBGP-MARTIAN-NETWORKS rule 50 le '32'
set policy prefix-list eBGP-MARTIAN-NETWORKS rule 50 prefix '172.16.0.0/12'
set policy prefix-list eBGP-MARTIAN-NETWORKS rule 60 action 'permit'
set policy prefix-list eBGP-MARTIAN-NETWORKS rule 60 le '32'
set policy prefix-list eBGP-MARTIAN-NETWORKS rule 60 prefix '192.0.0.0/24'
set policy prefix-list eBGP-MARTIAN-NETWORKS rule 70 action 'permit'
set policy prefix-list eBGP-MARTIAN-NETWORKS rule 70 le '32'
set policy prefix-list eBGP-MARTIAN-NETWORKS rule 70 prefix '192.0.2.0/24'
set policy prefix-list eBGP-MARTIAN-NETWORKS rule 80 action 'permit'
set policy prefix-list eBGP-MARTIAN-NETWORKS rule 80 le '32'
set policy prefix-list eBGP-MARTIAN-NETWORKS rule 80 prefix '224.0.0.0/7'
set policy route-map ISP1 rule 1 action 'permit'
set policy route-map ISP1 rule 1 match as-path 'LocalPref-AS200'
set policy route-map ISP1 rule 1 set local-preference '100'
set policy route-map ISP1 rule 10 action 'deny'
set policy route-map ISP1 rule 10 match ip address prefix-list 'eBGP-MARTIAN-NETWORKS'
set policy route-map ISP1 rule 20 action 'permit'
set policy route-map ISP2 rule 1 action 'permit'
set policy route-map ISP2 rule 1 match as-path 'LocalPref-AS300'
set policy route-map ISP2 rule 1 set local-preference '200'
set policy route-map ISP2 rule 10 action 'deny'
set policy route-map ISP2 rule 10 match ip address prefix-list 'eBGP-MARTIAN-NETWORKS'
set policy route-map ISP2 rule 20 action 'permit'
set policy route-map ebgp rule 10 action 'permit'
set policy route-map ebgp rule 10 match as-path 'My-AS'
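To check what these import policies do to a received route before applying them to a live peer, here is an added Python model of the AS-path lists, the martian prefix-list and the ISP1/ISP2 route-maps above. It is written for this article, not Vyatta code; it assumes AS paths are given as space-separated strings and approximates Quagga's AS-path regex by treating `_` as an AS boundary.

```python
import ipaddress
import re

# AS-path lists and martian prefix-list transcribed from the article.
AS_PATH_LISTS = {"LocalPref-AS200": r"^200(_[0-9]+){0,1}$",
                 "LocalPref-AS300": r"^300(_[0-9]+){0,1}$",
                 "My-AS": r"^$"}
MARTIANS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/26",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "224.0.0.0/7")]
# Import route-maps: (rule, action, match, local-preference to set).
ROUTE_MAPS = {
    "ISP1": [(1, "permit", ("as-path", "LocalPref-AS200"), 100),
             (10, "deny", ("prefix-list", "eBGP-MARTIAN-NETWORKS"), None),
             (20, "permit", None, None)],
    "ISP2": [(1, "permit", ("as-path", "LocalPref-AS300"), 200),
             (10, "deny", ("prefix-list", "eBGP-MARTIAN-NETWORKS"), None),
             (20, "permit", None, None)]}

def as_path_matches(regex, as_path):
    """Quagga-style AS-path regex: '_' is an AS boundary (start, end,
    space or a set/sequence delimiter). as_path is space-separated."""
    pattern = regex.replace("_", r"(?:^|$|[ ,{}()])")
    return re.search(pattern, as_path) is not None

def is_martian(prefix):
    """'prefix X/n le 32' matches X/n itself and anything more specific."""
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(m) and net.prefixlen <= 32 for m in MARTIANS)

def apply_import(route_map, prefix, as_path, default_local_pref=100):
    """Evaluate one received route against an import route-map.
    First matching rule wins; no match is an implicit deny.
    Returns the local-preference the route is installed with, or None."""
    for _rule, action, match, local_pref in ROUTE_MAPS[route_map]:
        if match is None:
            hit = True
        elif match[0] == "as-path":
            hit = as_path_matches(AS_PATH_LISTS[match[1]], as_path)
        else:
            hit = is_martian(prefix)
        if not hit:
            continue
        if action == "deny":
            return None
        return default_local_pref if local_pref is None else local_pref
    return None

def best_exit(candidates):
    """For one prefix, among (peer, local_pref, as_path) tuples:
    highest local-preference wins, then the shortest AS path."""
    return max(candidates, key=lambda c: (c[1], -len(c[2].split())))[0]
```

Two things the model makes visible: rule order matters (rule 1 is evaluated before the martian deny, so a martian prefix whose AS path matches rule 1 is still accepted; move the deny rule first to make the filter unconditional), and higher local-preference wins in best-path selection, so with 100 on AS200 paths and 200 on AS300 paths a prefix heard from both peers exits via ISP2; swap the two values to prefer ISP1 as the text intends.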


The above policies are not effective until they are applied to the respective BGP neighbors.

vyatta@R1# show protocols bgp
bgp 100 {
    neighbor 10.10.0.254 {
        description "iBGP connection between Vyatta routers"
        remote-as 100
        update-source 10.10.0.253
    }
    neighbor 192.0.2.2 {
        description "eBGP connection to ISP2"
        password Vyatta!
        remote-as 300
        route-map {
            export ebgp
            import ISP2
        }
        soft-reconfiguration {
            inbound
        }
    }
    neighbor 203.0.113.2 {
        description "eBGP connection to ISP1"
        password Vyatta!
        remote-as 200
        route-map {
            export ebgp
            import ISP1
        }
        soft-reconfiguration {
            inbound
        }
    }
    network 10.10.10.0/24 {
    }
    parameters {
        router-id 10.10.0.253
    }
}

set protocols bgp 100 neighbor 10.10.0.254 description 'iBGP connection between Vyatta routers'
set protocols bgp 100 neighbor 10.10.0.254 remote-as '100'
set protocols bgp 100 neighbor 10.10.0.254 update-source '10.10.0.253'
set protocols bgp 100 neighbor 192.0.2.2 description 'eBGP connection to ISP2'
set protocols bgp 100 neighbor 192.0.2.2 password 'Vyatta!'
set protocols bgp 100 neighbor 192.0.2.2 remote-as '300'
set protocols bgp 100 neighbor 192.0.2.2 route-map export 'ebgp'
set protocols bgp 100 neighbor 192.0.2.2 route-map import 'ISP2'
set protocols bgp 100 neighbor 192.0.2.2 soft-reconfiguration 'inbound'
set protocols bgp 100 neighbor 203.0.113.2 description 'eBGP connection to ISP1'
set protocols bgp 100 neighbor 203.0.113.2 password 'Vyatta!'
set protocols bgp 100 neighbor 203.0.113.2 remote-as '200'
set protocols bgp 100 neighbor 203.0.113.2 route-map export 'ebgp'
set protocols bgp 100 neighbor 203.0.113.2 route-map import 'ISP1'
set protocols bgp 100 neighbor 203.0.113.2 soft-reconfiguration 'inbound'
set protocols bgp 100 network '10.10.10.0/24'
set protocols bgp 100 parameters router-id '10.10.0.253'


Verification of the BGP configuration:

vyatta@R1# run show ip bgp summary
BGP router identifier 10.10.0.253, local AS number 100
RIB entries 5, using 320 bytes of memory
Peers 3, using 7572 bytes of memory

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.10.0.254     4   100     302     307        0    0    0 00:02:47        2
192.0.2.2       4   300     237     241        0    0    0 00:02:45        1
203.0.113.2     4   200     249     263        0    0    0 00:02:39        1


vyatta@R1:~$ show ip bgp neighbors 203.0.113.2 routes
BGP table version is 0, local router ID is 10.10.0.253
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 11.11.11.0/24    203.0.113.2              1    100      0 200 i

Total number of prefixes 1

vyatta@R1:~$ show ip bgp neighbors 192.0.2.2 routes
BGP table version is 0, local router ID is 10.10.0.253
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 22.22.22.0/24    192.0.2.2                1    200      0 300 i