| 0c3368a8 |
1 | @c -*-texinfo-*-\r |
| 2 | @c @value{COPYRIGHT_STR}\r |
| 3 | @c See file quagga.texi for copying conditions.\r |
| 4 | @c\r |
| 5 | @c This file is a modified version of Jose Luis Rubio's TeX sources \r |
| 6 | @c of his RS-Manual document\r |
| 7 | \r |
| 8 | @node Configuring Quagga as a Route Server\r |
| 9 | @chapter Configuring Quagga as a Route Server\r |
| 10 | \r |
| 11 | The purpose of a Route Server is to centralize the peerings between BGP\r |
| 12 | speakers. For example if we have an exchange point scenario with four BGP\r |
| 13 | speakers, each of which maintaining a BGP peering with the other three\r |
| 14 | (@pxref{fig:full-mesh}), we can convert it into a centralized scenario where\r |
| 15 | each of the four establishes a single BGP peering against the Route Server\r |
| 16 | (@pxref{fig:route-server}).\r |
| 17 | \r |
| 18 | We will first describe briefly the Route Server model implemented by Quagga.\r |
| 19 | We will explain the commands that have been added for configuring that\r |
| 20 | model. And finally we will show a full example of Quagga configured as Route\r |
| 21 | Server.\r |
| 22 | \r |
| 23 | @menu\r |
| 24 | * Description of the Route Server model::\r |
| 25 | * Commands for configuring a Route Server::\r |
| 26 | * Example of Route Server Configuration::\r |
| 27 | @end menu\r |
| 28 | \r |
| 29 | @node Description of the Route Server model\r |
| 30 | @section Description of the Route Server model\r |
| 31 | \r |
| 32 | First we are going to describe the normal processing that BGP announcements\r |
| 33 | suffer inside a standard BGP speaker, as shown in @ref{fig:normal-processing},\r |
| 34 | it consists of three steps:\r |
| 35 | \r |
| 36 | @itemize\r |
| 37 | @item When an announcement is received from some peer, the `In' filters\r |
| 38 | configured for that peer are applied to the announcement. These filters can\r |
| 39 | reject the announcement, accept it unmodified, or accept it with some of its\r |
| 40 | attributes modified.\r |
| 41 | \r |
| 42 | @item The announcements that pass the `In' filters go into the\r |
| 43 | Best Path Selection process, where they are compared to other\r |
| 44 | announcements referred to the same destination that have been\r |
| 45 | received from different peers (in case such other\r |
| 46 | announcements exist). For each different destination, the announcement\r |
| 47 | which is selected as the best is inserted into the BGP speaker's Loc-RIB.\r |
| 48 | \r |
| 49 | @item The routes which are inserted in the Loc-RIB are\r |
| 50 | considered for announcement to all the peers (except the one\r |
| 51 | from which the route came). This is done by passing the routes\r |
| 52 | in the Loc-RIB through the `Out' filters corresponding to each\r |
| 53 | peer. These filters can reject the route,\r |
| 54 | accept it unmodified, or accept it with some of its attributes\r |
| 55 | modified. Those routes which are accepted by the `Out' filters\r |
| 56 | of a peer are announced to that peer.\r |
| 57 | @end itemize\r |
| 58 | \r |
| 59 | @float Figure,fig:normal-processing\r |
| 60 | @image{fig-normal-processing,500pt,,Normal announcement processing,eps}\r |
| 61 | @caption{Announcement processing inside a ``normal'' BGP speaker}\r |
| 62 | @end float\r |
| 63 | \r |
| 64 | @float Figure,fig:full-mesh\r |
| 65 | @image{fig_topologies_full,,,Full Mesh BGP Topology,eps}\r |
| 66 | @caption{Full Mesh}\r |
| 67 | @end float\r |
| 68 | \r |
| 69 | @float Figure,fig:route-server\r |
| 70 | @image{fig_topologies_rs,,,Route Server BGP Topology,eps}\r |
| 71 | @caption{Route Server and clients} \r |
| 72 | @end float\r |
| 73 | \r |
| 74 | Of course we want that the routing tables obtained in each of the routers\r |
| 75 | are the same when using the route server than when not. But as a consequence\r |
| 76 | of having a single BGP peering (against the route server), the BGP speakers\r |
| 77 | can no longer distinguish from/to which peer each announce comes/goes.\r |
| 78 | @anchor{filter-delegation}This means that the routers connected to the route\r |
| 79 | server are not able to apply by themselves the same input/output filters\r |
| 80 | as in the full mesh scenario, so they have to delegate those functions to\r |
| 81 | the route server.\r |
| 82 | \r |
| 83 | Even more, the ``best path'' selection must be also performed inside the route\r |
| 84 | server on behalf of its clients. The reason is that if, after applying the\r |
| 85 | filters of the announcer and the (potential) receiver, the route server\r |
| 86 | decides to send to some client two or more different announcements referred\r |
| 87 | to the same destination, the client will only retain the last one,\r |
| 88 | considering it as an implicit withdrawal of the previous announcements for\r |
| 89 | the same destination. This is the expected behavior of a BGP speaker as\r |
| 90 | defined in @cite{RFC1771}, and even though there are some proposals of\r |
| 91 | mechanisms that permit multiple paths for the same destination to be sent\r |
| 92 | through a single BGP peering, none of them are currently supported by most\r |
| 93 | of the existing BGP implementations.\r |
| 94 | \r |
| 95 | As a consequence a route server must maintain additional information and\r |
| 96 | perform additional tasks for a RS-client that those necessary for common BGP\r |
| 97 | peerings. Essentially a route server must:\r |
| 98 | \r |
| 99 | @anchor{Route Server tasks}\r |
| 100 | @itemize\r |
| 101 | @item Maintain a separated Routing Information Base (Loc-RIB)\r |
| 102 | for each peer configured as RS-client, containing the routes\r |
| 103 | selected as a result of the ``Best Path Selection'' process\r |
| 104 | that is performed on behalf of that RS-client.\r |
| 105 | \r |
| 106 | @item Whenever it receives an announcement from a RS-client,\r |
| 107 | it must consider it for the Loc-RIBs of the other RS-clients.\r |
| 108 | \r |
| 109 | @anchor{Route-server path filter process}\r |
| 110 | @itemize\r |
| 111 | @item\r |
| 112 | This means that for each of them the route server must pass the\r |
| 113 | announcement through the appropriate `Out' filter of the\r |
| 114 | announcer.\r |
| 115 | \r |
| 116 | @item\r |
| 117 | Then through the appropriate `In' filter of\r |
| 118 | the potential receiver. \r |
| 119 | \r |
| 120 | @item\r |
| 121 | Only if the announcement is accepted by both filters it will be passed\r |
| 122 | to the ``Best Path Selection'' process.\r |
| 123 | \r |
| 124 | @item\r |
| 125 | Finally, it might go into the Loc-RIB of the receiver.\r |
| 126 | @end itemize\r |
| 127 | @c end of route-server best path process list\r |
| 128 | @end itemize\r |
| 129 | @c end of route-server tasks list\r |
| 130 | \r |
| 131 | When we talk about the ``appropriate'' filter, both the announcer and the\r |
| 132 | receiver of the route must be taken into account. Suppose that the route\r |
| 133 | server receives an announcement from client A, and the route server is\r |
| 134 | considering it for the Loc-RIB of client B. The filters that should be\r |
| 135 | applied are the same that would be used in the full mesh scenario, i.e.,\r |
| 136 | first the `Out' filter of router A for announcements going to router B, and\r |
| 137 | then the `In' filter of router B for announcements coming from router A.\r |
| 138 | \r |
| 139 | We call ``Export Policy'' of a RS-client to the set of `Out' filters that\r |
| 140 | the client would use if there was no route server. The same applies for the\r |
| 141 | ``Import Policy'' of a RS-client and the set of `In' filters of the client\r |
| 142 | if there was no route server.\r |
| 143 | \r |
| 144 | It is also common to demand from a route server that it does not\r |
| 145 | modify some BGP attributes (next-hop, as-path and MED) that are usually\r |
| 146 | modified by standard BGP speakers before announcing a route.\r |
| 147 | \r |
| 148 | The announcement processing model implemented by Quagga is shown in\r |
| 149 | @ref{fig:rs-processing}. The figure shows a mixture of RS-clients (B, C and D)\r |
| 150 | with normal BGP peers (A). There are some details that worth additional\r |
| 151 | comments:\r |
| 152 | \r |
| 153 | @itemize\r |
| 154 | @item Announcements coming from a normal BGP peer are also\r |
| 155 | considered for the Loc-RIBs of all the RS-clients. But\r |
| 156 | logically they do not pass through any export policy.\r |
| 157 | \r |
| 158 | @item Those peers that are configured as RS-clients do not\r |
| 159 | receive any announce from the `Main' Loc-RIB.\r |
| 160 | \r |
| 161 | @item Apart from import and export policies,\r |
| 162 | `In' and `Out' filters can also be set for RS-clients. `In'\r |
| 163 | filters might be useful when the route server has also normal\r |
| 164 | BGP peers. On the other hand, `Out' filters for RS-clients are\r |
| 165 | probably unnecessary, but we decided not to remove them as\r |
| 166 | they do not hurt anybody (they can always be left empty).\r |
| 167 | @end itemize\r |
| 168 | \r |
| 169 | @float Figure,fig:rs-processing\r |
| 170 | @image{fig-rs-processing,500pt,,,eps}\r |
| 171 | @caption{Announcement processing model implemented by the Route Server}\r |
| 172 | @end float\r |
| 173 | \r |
| 174 | @node Commands for configuring a Route Server\r |
| 175 | @section Commands for configuring a Route Server\r |
| 176 | \r |
| 177 | Now we will describe the commands that have been added to quagga\r |
| 178 | in order to support the route server features.\r |
| 179 | \r |
| 180 | @deffn {Route-Server} {neighbor @var{peer-group} route-server-client} {}\r |
| 181 | @deffnx {Route-Server} {neighbor @var{A.B.C.D} route-server-client} {}\r |
| 182 | @deffnx {Route-Server} {neighbor @var{X:X::X:X} route-server-client} {}\r |
| 183 | This command configures the peer given by @var{peer}, @var{A.B.C.D} or\r |
| 184 | @var{X:X::X:X} as an RS-client.\r |
| 185 | \r |
| 186 | Actually this command is not new, it already existed in standard Quagga. It\r |
| 187 | enables the transparent mode for the specified peer. This means that some\r |
| 188 | BGP attributes (as-path, next-hop and MED) of the routes announced to that\r |
| 189 | peer are not modified.\r |
| 190 | \r |
| 191 | With the route server patch, this command, apart from setting the\r |
| 192 | transparent mode, creates a new Loc-RIB dedicated to the specified peer\r |
| 193 | (those named `Loc-RIB for X' in @ref{fig:rs-processing}.). Starting from\r |
| 194 | that moment, every announcement received by the route server will be also\r |
| 195 | considered for the new Loc-RIB.\r |
| 196 | @end deffn\r |
| 197 | \r |
| 198 | @deffn {Route-Server} {neigbor @{A.B.C.D|X.X::X.X|peer-group@} route-map WORD @{import|export@}} {}\r |
| 199 | This set of commands can be used to specify the route-map that\r |
| 200 | represents the Import or Export policy of a peer which is\r |
| 201 | configured as a RS-client (with the previous command).\r |
| 202 | @end deffn\r |
| 203 | \r |
| 204 | @deffn {Route-Server} {match peer @{A.B.C.D|X:X::X:X@}} {}\r |
| 205 | This is a new @emph{match} statement for use in route-maps, enabling them to\r |
| 206 | describe import/export policies. As we said before, an import/export policy\r |
| 207 | represents a set of input/output filters of the RS-client. This statement\r |
| 208 | makes possible that a single route-map represents the full set of filters\r |
| 209 | that a BGP speaker would use for its different peers in a non-RS scenario.\r |
| 210 | \r |
| 211 | The @emph{match peer} statement has different semantics whether it is used\r |
| 212 | inside an import or an export route-map. In the first case the statement\r |
| 213 | matches if the address of the peer who sends the announce is the same that\r |
| 214 | the address specified by @{A.B.C.D|X:X::X:X@}. For export route-maps it\r |
| 215 | matches when @{A.B.C.D|X:X::X:X@} is the address of the RS-Client into whose\r |
| 216 | Loc-RIB the announce is going to be inserted (how the same export policy is\r |
| 217 | applied before different Loc-RIBs is shown in @ref{fig:rs-processing}.).\r |
| 218 | @end deffn\r |
| 219 | \r |
| 220 | @deffn {Route-map Command} {call @var{WORD}} {}\r |
| 221 | This command (also used inside a route-map) jumps into a different\r |
| 222 | route-map, whose name is specified by @var{WORD}. When the called\r |
| 223 | route-map finishes, depending on its result the original route-map\r |
| 224 | continues or not. Apart from being useful for making import/export\r |
| 225 | route-maps easier to write, this command can also be used inside\r |
| 226 | any normal (in or out) route-map.\r |
| 227 | @end deffn\r |
| 228 | \r |
| 229 | @node Example of Route Server Configuration\r |
| 230 | @section Example of Route Server Configuration\r |
| 231 | \r |
| 232 | Finally we are going to show how to configure a Quagga daemon to act as a\r |
| 233 | Route Server. For this purpose we are going to present a scenario without\r |
| 234 | route server, and then we will show how to use the configurations of the BGP\r |
| 235 | routers to generate the configuration of the route server.\r |
| 236 | \r |
| 237 | All the configuration files shown in this section have been taken\r |
| 238 | from scenarios which were tested using the VNUML tool\r |
| 239 | @uref{http://www.dit.upm.es/vnuml,VNUML}. \r |
| 240 | \r |
| 241 | @menu\r |
| 242 | * Configuration of the BGP routers without Route Server::\r |
| 243 | * Configuration of the BGP routers with Route Server::\r |
| 244 | * Configuration of the Route Server itself::\r |
| 245 | * Further considerations about Import and Export route-maps::\r |
| 246 | @end menu\r |
| 247 | \r |
| 248 | @node Configuration of the BGP routers without Route Server\r |
| 249 | @subsection Configuration of the BGP routers without Route Server\r |
| 250 | \r |
| 251 | We will suppose that our initial scenario is an exchange point with three\r |
| 252 | BGP capable routers, named RA, RB and RC. Each of the BGP speakers generates\r |
| 253 | some routes (with the @var{network} command), and establishes BGP peerings\r |
| 254 | against the other two routers. These peerings have In and Out route-maps\r |
| 255 | configured, named like ``PEER-X-IN'' or ``PEER-X-OUT''. For example the\r |
| 256 | configuration file for router RA could be the following:\r |
| 257 | \r |
| 258 | @example\r |
| 259 | #Configuration for router 'RA'\r |
| 260 | !\r |
| 261 | hostname RA\r |
| 262 | password ****\r |
| 263 | !\r |
| 264 | router bgp 65001\r |
| 265 | no bgp default ipv4-unicast\r |
| 266 | neighbor 2001:0DB8::B remote-as 65002\r |
| 267 | neighbor 2001:0DB8::C remote-as 65003\r |
| 268 | !\r |
| 269 | address-family ipv6\r |
| 270 | network 2001:0DB8:AAAA:1::/64\r |
| 271 | network 2001:0DB8:AAAA:2::/64\r |
| 272 | network 2001:0DB8:0000:1::/64\r |
| 273 | network 2001:0DB8:0000:2::/64\r |
| 274 | \r |
| 275 | neighbor 2001:0DB8::B activate\r |
| 276 | neighbor 2001:0DB8::B soft-reconfiguration inbound\r |
| 277 | neighbor 2001:0DB8::B route-map PEER-B-IN in\r |
| 278 | neighbor 2001:0DB8::B route-map PEER-B-OUT out\r |
| 279 | \r |
| 280 | neighbor 2001:0DB8::C activate\r |
| 281 | neighbor 2001:0DB8::C soft-reconfiguration inbound\r |
| 282 | neighbor 2001:0DB8::C route-map PEER-C-IN in\r |
| 283 | neighbor 2001:0DB8::C route-map PEER-C-OUT out\r |
| 284 | exit-address-family\r |
| 285 | !\r |
| 286 | ipv6 prefix-list COMMON-PREFIXES seq 5 permit 2001:0DB8:0000::/48 ge 64 le 64\r |
| 287 | ipv6 prefix-list COMMON-PREFIXES seq 10 deny any\r |
| 288 | !\r |
| 289 | ipv6 prefix-list PEER-A-PREFIXES seq 5 permit 2001:0DB8:AAAA::/48 ge 64 le 64\r |
| 290 | ipv6 prefix-list PEER-A-PREFIXES seq 10 deny any\r |
| 291 | !\r |
| 292 | ipv6 prefix-list PEER-B-PREFIXES seq 5 permit 2001:0DB8:BBBB::/48 ge 64 le 64\r |
| 293 | ipv6 prefix-list PEER-B-PREFIXES seq 10 deny any\r |
| 294 | !\r |
| 295 | ipv6 prefix-list PEER-C-PREFIXES seq 5 permit 2001:0DB8:CCCC::/48 ge 64 le 64\r |
| 296 | ipv6 prefix-list PEER-C-PREFIXES seq 10 deny any\r |
| 297 | !\r |
| 298 | route-map PEER-B-IN permit 10\r |
| 299 | match ipv6 address prefix-list COMMON-PREFIXES\r |
| 300 | set metric 100\r |
| 301 | route-map PEER-B-IN permit 20\r |
| 302 | match ipv6 address prefix-list PEER-B-PREFIXES\r |
| 303 | set community 65001:11111\r |
| 304 | !\r |
| 305 | route-map PEER-C-IN permit 10\r |
| 306 | match ipv6 address prefix-list COMMON-PREFIXES\r |
| 307 | set metric 200\r |
| 308 | route-map PEER-C-IN permit 20\r |
| 309 | match ipv6 address prefix-list PEER-C-PREFIXES\r |
| 310 | set community 65001:22222\r |
| 311 | !\r |
| 312 | route-map PEER-B-OUT permit 10\r |
| 313 | match ipv6 address prefix-list PEER-A-PREFIXES\r |
| 314 | !\r |
| 315 | route-map PEER-C-OUT permit 10\r |
| 316 | match ipv6 address prefix-list PEER-A-PREFIXES\r |
| 317 | !\r |
| 318 | line vty\r |
| 319 | !\r |
| 320 | @end example\r |
| 321 | \r |
| 322 | @node Configuration of the BGP routers with Route Server\r |
| 323 | @subsection Configuration of the BGP routers with Route Server\r |
| 324 | \r |
| 325 | To convert the initial scenario into one with route server, first we must\r |
| 326 | modify the configuration of routers RA, RB and RC. Now they must not peer\r |
| 327 | between them, but only with the route server. For example, RA's\r |
| 328 | configuration would turn into:\r |
| 329 | \r |
| 330 | @example\r |
| 331 | # Configuration for router 'RA'\r |
| 332 | !\r |
| 333 | hostname RA\r |
| 334 | password ****\r |
| 335 | !\r |
| 336 | router bgp 65001\r |
| 337 | no bgp default ipv4-unicast\r |
| 338 | neighbor 2001:0DB8::FFFF remote-as 65000\r |
| 339 | !\r |
| 340 | address-family ipv6\r |
| 341 | network 2001:0DB8:AAAA:1::/64\r |
| 342 | network 2001:0DB8:AAAA:2::/64\r |
| 343 | network 2001:0DB8:0000:1::/64\r |
| 344 | network 2001:0DB8:0000:2::/64\r |
| 345 | \r |
| 346 | neighbor 2001:0DB8::FFFF activate\r |
| 347 | neighbor 2001:0DB8::FFFF soft-reconfiguration inbound\r |
| 348 | exit-address-family\r |
| 349 | !\r |
| 350 | line vty\r |
| 351 | !\r |
| 352 | @end example\r |
| 353 | \r |
| 354 | Which is logically much simpler than its initial configuration, as it now\r |
| 355 | maintains only one BGP peering and all the filters (route-maps) have\r |
| 356 | disappeared.\r |
| 357 | \r |
| 358 | @node Configuration of the Route Server itself\r |
| 359 | @subsection Configuration of the Route Server itself\r |
| 360 | \r |
| 361 | As we said when we described the functions of a route server\r |
| 362 | (@pxref{Description of the Route Server model}), it is in charge of all the\r |
| 363 | route filtering. To achieve that, the In and Out filters from the RA, RB and\r |
| 364 | RC configurations must be converted into Import and Export policies in the\r |
| 365 | route server.\r |
| 366 | \r |
| 367 | This is a fragment of the route server configuration (we only show\r |
| 368 | the policies for client RA):\r |
| 369 | \r |
| 370 | @example\r |
| 371 | # Configuration for Route Server ('RS')\r |
| 372 | !\r |
| 373 | hostname RS\r |
| 374 | password ix\r |
| 375 | !\r |
| 376 | bgp multiple-instance\r |
| 377 | !\r |
| 378 | router bgp 65000 view RS\r |
| 379 | no bgp default ipv4-unicast\r |
| 380 | neighbor 2001:0DB8::A remote-as 65001\r |
| 381 | neighbor 2001:0DB8::B remote-as 65002\r |
| 382 | neighbor 2001:0DB8::C remote-as 65003\r |
| 383 | !\r |
| 384 | address-family ipv6\r |
| 385 | neighbor 2001:0DB8::A activate\r |
| 386 | neighbor 2001:0DB8::A route-server-client\r |
| 387 | neighbor 2001:0DB8::A route-map RSCLIENT-A-IMPORT import\r |
| 388 | neighbor 2001:0DB8::A route-map RSCLIENT-A-EXPORT export\r |
| 389 | neighbor 2001:0DB8::A soft-reconfiguration inbound\r |
| 390 | \r |
| 391 | neighbor 2001:0DB8::B activate\r |
| 392 | neighbor 2001:0DB8::B route-server-client\r |
| 393 | neighbor 2001:0DB8::B route-map RSCLIENT-B-IMPORT import\r |
| 394 | neighbor 2001:0DB8::B route-map RSCLIENT-B-EXPORT export\r |
| 395 | neighbor 2001:0DB8::B soft-reconfiguration inbound\r |
| 396 | \r |
| 397 | neighbor 2001:0DB8::C activate\r |
| 398 | neighbor 2001:0DB8::C route-server-client\r |
| 399 | neighbor 2001:0DB8::C route-map RSCLIENT-C-IMPORT import\r |
| 400 | neighbor 2001:0DB8::C route-map RSCLIENT-C-EXPORT export\r |
| 401 | neighbor 2001:0DB8::C soft-reconfiguration inbound\r |
| 402 | exit-address-family\r |
| 403 | !\r |
| 404 | ipv6 prefix-list COMMON-PREFIXES seq 5 permit 2001:0DB8:0000::/48 ge 64 le 64\r |
| 405 | ipv6 prefix-list COMMON-PREFIXES seq 10 deny any\r |
| 406 | !\r |
| 407 | ipv6 prefix-list PEER-A-PREFIXES seq 5 permit 2001:0DB8:AAAA::/48 ge 64 le 64\r |
| 408 | ipv6 prefix-list PEER-A-PREFIXES seq 10 deny any\r |
| 409 | !\r |
| 410 | ipv6 prefix-list PEER-B-PREFIXES seq 5 permit 2001:0DB8:BBBB::/48 ge 64 le 64\r |
| 411 | ipv6 prefix-list PEER-B-PREFIXES seq 10 deny any\r |
| 412 | !\r |
| 413 | ipv6 prefix-list PEER-C-PREFIXES seq 5 permit 2001:0DB8:CCCC::/48 ge 64 le 64\r |
| 414 | ipv6 prefix-list PEER-C-PREFIXES seq 10 deny any\r |
| 415 | !\r |
| 416 | route-map RSCLIENT-A-IMPORT permit 10\r |
| 417 | match peer 2001:0DB8::B\r |
| 418 | call A-IMPORT-FROM-B\r |
| 419 | route-map RSCLIENT-A-IMPORT permit 20\r |
| 420 | match peer 2001:0DB8::C\r |
| 421 | call A-IMPORT-FROM-C\r |
| 422 | !\r |
| 423 | route-map A-IMPORT-FROM-B permit 10\r |
| 424 | match ipv6 address prefix-list COMMON-PREFIXES\r |
| 425 | set metric 100\r |
| 426 | route-map A-IMPORT-FROM-B permit 20\r |
| 427 | match ipv6 address prefix-list PEER-B-PREFIXES\r |
| 428 | set community 65001:11111\r |
| 429 | !\r |
| 430 | route-map A-IMPORT-FROM-C permit 10\r |
| 431 | match ipv6 address prefix-list COMMON-PREFIXES\r |
| 432 | set metric 200\r |
| 433 | route-map A-IMPORT-FROM-C permit 20\r |
| 434 | match ipv6 address prefix-list PEER-C-PREFIXES\r |
| 435 | set community 65001:22222\r |
| 436 | !\r |
| 437 | route-map RSCLIENT-A-EXPORT permit 10\r |
| 438 | match peer 2001:0DB8::B\r |
| 439 | match ipv6 address prefix-list PEER-A-PREFIXES\r |
| 440 | route-map RSCLIENT-A-EXPORT permit 20\r |
| 441 | match peer 2001:0DB8::C\r |
| 442 | match ipv6 address prefix-list PEER-A-PREFIXES\r |
| 443 | !\r |
| 444 | ...\r |
| 445 | ...\r |
| 446 | ...\r |
| 447 | @end example\r |
| 448 | \r |
| 449 | If you compare the initial configuration of RA with the route server\r |
| 450 | configuration above, you can see how easy it is to generate the Import and\r |
| 451 | Export policies for RA from the In and Out route-maps of RA's original\r |
| 452 | configuration.\r |
| 453 | \r |
| 454 | When there was no route server, RA maintained two peerings, one with RB and\r |
| 455 | another with RC. Each of this peerings had an In route-map configured. To\r |
| 456 | build the Import route-map for client RA in the route server, simply add\r |
| 457 | route-map entries following this scheme:\r |
| 458 | \r |
| 459 | @example\r |
| 460 | route-map <NAME> permit 10\r |
| 461 | match peer <Peer Address>\r |
| 462 | call <In Route-Map for this Peer>\r |
| 463 | route-map <NAME> permit 20\r |
| 464 | match peer <Another Peer Address>\r |
| 465 | call <In Route-Map for this Peer>\r |
| 466 | @end example\r |
| 467 | \r |
| 468 | This is exactly the process that has been followed to generate the route-map\r |
| 469 | RSCLIENT-A-IMPORT. The route-maps that are called inside it (A-IMPORT-FROM-B\r |
| 470 | and A-IMPORT-FROM-C) are exactly the same than the In route-maps from the\r |
| 471 | original configuration of RA (PEER-B-IN and PEER-C-IN), only the name is\r |
| 472 | different.\r |
| 473 | \r |
| 474 | The same could have been done to create the Export policy for RA (route-map\r |
| 475 | RSCLIENT-A-EXPORT), but in this case the original Out route-maps where so\r |
| 476 | simple that we decided not to use the @var{call WORD} commands, and we\r |
| 477 | integrated all in a single route-map (RSCLIENT-A-EXPORT).\r |
| 478 | \r |
| 479 | The Import and Export policies for RB and RC are not shown, but\r |
| 480 | the process would be identical.\r |
| 481 | \r |
| 482 | @node Further considerations about Import and Export route-maps\r |
| 483 | @subsection Further considerations about Import and Export route-maps\r |
| 484 | \r |
| 485 | The current version of the route server patch only allows to specify a\r |
| 486 | route-map for import and export policies, while in a standard BGP speaker\r |
| 487 | apart from route-maps there are other tools for performing input and output\r |
| 488 | filtering (access-lists, community-lists, ...). But this does not represent\r |
| 489 | any limitation, as all kinds of filters can be included in import/export\r |
| 490 | route-maps. For example suppose that in the non-route-server scenario peer\r |
| 491 | RA had the following filters configured for input from peer B:\r |
| 492 | \r |
| 493 | @example\r |
| 494 | neighbor 2001:0DB8::B prefix-list LIST-1 in\r |
| 495 | neighbor 2001:0DB8::B filter-list LIST-2 in\r |
| 496 | neighbor 2001:0DB8::B route-map PEER-B-IN in\r |
| 497 | ...\r |
| 498 | ...\r |
| 499 | route-map PEER-B-IN permit 10\r |
| 500 | match ipv6 address prefix-list COMMON-PREFIXES\r |
| 501 | set local-preference 100\r |
| 502 | route-map PEER-B-IN permit 20\r |
| 503 | match ipv6 address prefix-list PEER-B-PREFIXES\r |
| 504 | set community 65001:11111\r |
| 505 | @end example\r |
| 506 | \r |
| 507 | It is posible to write a single route-map which is equivalent to\r |
| 508 | the three filters (the community-list, the prefix-list and the\r |
| 509 | route-map). That route-map can then be used inside the Import\r |
| 510 | policy in the route server. Lets see how to do it:\r |
| 511 | \r |
| 512 | @example\r |
| 513 | neighbor 2001:0DB8::A route-map RSCLIENT-A-IMPORT import\r |
| 514 | ...\r |
| 515 | !\r |
| 516 | ...\r |
| 517 | route-map RSCLIENT-A-IMPORT permit 10\r |
| 518 | match peer 2001:0DB8::B\r |
| 519 | call A-IMPORT-FROM-B\r |
| 520 | ...\r |
| 521 | ...\r |
| 522 | !\r |
| 523 | route-map A-IMPORT-FROM-B permit 1\r |
| 524 | match ipv6 address prefix-list LIST-1\r |
| 525 | match as-path LIST-2\r |
| 526 | on-match goto 10\r |
| 527 | route-map A-IMPORT-FROM-B deny 2\r |
| 528 | route-map A-IMPORT-FROM-B permit 10\r |
| 529 | match ipv6 address prefix-list COMMON-PREFIXES\r |
| 530 | set local-preference 100\r |
| 531 | route-map A-IMPORT-FROM-B permit 20\r |
| 532 | match ipv6 address prefix-list PEER-B-PREFIXES\r |
| 533 | set community 65001:11111\r |
| 534 | !\r |
| 535 | ...\r |
| 536 | ...\r |
| 537 | @end example\r |
| 538 | \r |
| 539 | The route-map A-IMPORT-FROM-B is equivalent to the three filters\r |
| 540 | (LIST-1, LIST-2 and PEER-B-IN). The first entry of route-map\r |
| 541 | A-IMPORT-FROM-B (sequence number 1) matches if and only if both\r |
| 542 | the prefix-list LIST-1 and the filter-list LIST-2 match. If that\r |
| 543 | happens, due to the ``on-match goto 10'' statement the next\r |
| 544 | route-map entry to be processed will be number 10, and as of that\r |
| 545 | point route-map A-IMPORT-FROM-B is identical to PEER-B-IN. If\r |
| 546 | the first entry does not match, `on-match goto 10'' will be\r |
| 547 | ignored and the next processed entry will be number 2, which will\r |
| 548 | deny the route.\r |
| 549 | \r |
| 550 | Thus, the result is the same that with the three original filters,\r |
| 551 | i.e., if either LIST-1 or LIST-2 rejects the route, it does not\r |
| 552 | reach the route-map PEER-B-IN. In case both LIST-1 and LIST-2\r |
| 553 | accept the route, it passes to PEER-B-IN, which can reject, accept\r |
| 554 | or modify the route.\r |
projects / mirror_frr.git / blame