Merge pull request #1690 from dslicenc/bgpd-vrf-show-cm17377

[mirror_frr.git] / doc / routeserver.texi

@c -*-texinfo-*-
@c @value{COPYRIGHT_STR}
@c See file frr.texi for copying conditions.
@c
@c This file is a modified version of Jose Luis Rubio's TeX sources 
@c of his RS-Manual document

@node Configuring Frr as a Route Server
@chapter Configuring Frr as a Route Server

The purpose of a Route Server is to centralize the peerings between BGP
speakers. For example if we have an exchange point scenario with four BGP
speakers, each of which maintaining a BGP peering with the other three
(@pxref{fig:full-mesh}), we can convert it into a centralized scenario where
each of the four establishes a single BGP peering against the Route Server
(@pxref{fig:route-server}).

We will first describe briefly the Route Server model implemented by Frr.
We will explain the commands that have been added for configuring that
model. And finally we will show a full example of Frr configured as Route
Server.

@menu
* Description of the Route Server model::
* Commands for configuring a Route Server::
* Example of Route Server Configuration::
@end menu

@node Description of the Route Server model
@section Description of the Route Server model

First we are going to describe the normal processing that BGP announcements
suffer inside a standard BGP speaker, as shown in @ref{fig:normal-processing},
it consists of three steps:

@itemize @bullet
@item
When an announcement is received from some peer, the `In' filters
configured for that peer are applied to the announcement. These filters can
reject the announcement, accept it unmodified, or accept it with some of its
attributes modified.

@item
The announcements that pass the `In' filters go into the
Best Path Selection process, where they are compared to other
announcements referred to the same destination that have been
received from different peers (in case such other
announcements exist). For each different destination, the announcement
which is selected as the best is inserted into the BGP speaker's Loc-RIB.

@item
The routes which are inserted in the Loc-RIB are
considered for announcement to all the peers (except the one
from which the route came). This is done by passing the routes
in the Loc-RIB through the `Out' filters corresponding to each
peer. These filters can reject the route,
accept it unmodified, or accept it with some of its attributes
modified. Those routes which are accepted by the `Out' filters
of a peer are announced to that peer.
@end itemize

@float Figure,fig:normal-processing
@image{fig-normal-processing,400pt,,Normal announcement processing}
@caption{Announcement processing inside a ``normal'' BGP speaker}
@end float

@float Figure,fig:full-mesh
@image{fig_topologies_full,120pt,,Full Mesh BGP Topology}
@caption{Full Mesh}
@end float

@float Figure,fig:route-server
@image{fig_topologies_rs,120pt,,Route Server BGP Topology}
@caption{Route Server and clients} 
@end float

Of course we want that the routing tables obtained in each of the routers
are the same when using the route server than when not. But as a consequence
of having a single BGP peering (against the route server), the BGP speakers
can no longer distinguish from/to which peer each announce comes/goes.
@anchor{filter-delegation}This means that the routers connected to the route
server are not able to apply by themselves the same input/output filters
as in the full mesh scenario, so they have to delegate those functions to
the route server.

Even more, the ``best path'' selection must be also performed inside
the route server on behalf of its clients. The reason is that if, after
applying the filters of the announcer and the (potential) receiver, the
route server decides to send to some client two or more different
announcements referred to the same destination, the client will only
retain the last one, considering it as an implicit withdrawal of the
previous announcements for the same destination. This is the expected
behavior of a BGP speaker as defined in @cite{RFC1771}, and even though
there are some proposals of mechanisms that permit multiple paths for
the same destination to be sent through a single BGP peering, none are
currently supported by most existing BGP implementations.

As a consequence a route server must maintain additional information and
perform additional tasks for a RS-client that those necessary for common BGP
peerings. Essentially a route server must:

@anchor{Route Server tasks}
@itemize @bullet
@item
Maintain a separated Routing Information Base (Loc-RIB)
for each peer configured as RS-client, containing the routes
selected as a result of the ``Best Path Selection'' process
that is performed on behalf of that RS-client.

@item
Whenever it receives an announcement from a RS-client,
it must consider it for the Loc-RIBs of the other RS-clients.

@anchor{Route-server path filter process}
@itemize @bullet
@item
This means that for each of them the route server must pass the
announcement through the appropriate `Out' filter of the
announcer.

@item
Then through the  appropriate `In' filter of
the potential  receiver. 

@item
Only if the announcement is accepted by both filters it will be passed
to the ``Best Path Selection'' process.

@item
Finally, it might go into the Loc-RIB of the receiver.
@end itemize
@end itemize

When we talk about the ``appropriate'' filter, both the announcer and the
receiver of the route must be taken into account. Suppose that the route
server receives an announcement from client A, and the route server is
considering it for the Loc-RIB of client B. The filters that should be
applied are the same that would be used in the full mesh scenario, i.e.,
first the `Out' filter of router A for announcements going to router B, and
then the `In' filter of router B for announcements coming from router A.

We call ``Export Policy'' of a RS-client to the set of `Out' filters that
the client would use if there was no route server. The same applies for the
``Import Policy'' of a RS-client and the set of `In' filters of the client
if there was no route server.

It is also common to demand from a route server that it does not
modify some BGP attributes (next-hop, as-path and MED) that are usually
modified by standard BGP speakers before announcing a route.

The announcement processing model implemented by Frr is shown in
@ref{fig:rs-processing}. The figure shows a mixture of RS-clients (B, C and D)
with normal BGP peers (A). There are some details that worth additional
comments:

@itemize @bullet
@item
Announcements coming from a normal BGP peer are also
considered for the Loc-RIBs of all the RS-clients. But
logically they do not pass through any export policy.

@item
Those peers that are configured as RS-clients do not
receive any announce from the `Main' Loc-RIB.

@item
Apart from import and export policies,
`In' and `Out' filters can also be set for RS-clients. `In'
filters might be useful when the route server has also normal
BGP peers. On the other hand, `Out' filters for RS-clients are
probably unnecessary, but we decided not to remove them as
they do not hurt anybody (they can always be left empty).
@end itemize

@float Figure,fig:rs-processing
@image{fig-rs-processing,450pt,,Route Server Processing Model}
@caption{Announcement processing model implemented by the Route Server}
@end float

@node Commands for configuring a Route Server
@section Commands for configuring a Route Server

Now we will describe the commands that have been added to frr
in order to support the route server features.

@deffn {Route-Server} {neighbor @var{peer-group} route-server-client} {}
@deffnx {Route-Server} {neighbor @var{A.B.C.D} route-server-client} {}
@deffnx {Route-Server} {neighbor @var{X:X::X:X} route-server-client} {}
This command configures the peer given by @var{peer}, @var{A.B.C.D} or
@var{X:X::X:X} as an RS-client.

Actually this command is not new, it already existed in standard Frr. It
enables the transparent mode for the specified peer. This means that some
BGP attributes (as-path, next-hop and MED) of the routes announced to that
peer are not modified.

With the route server patch, this command, apart from setting the
transparent mode, creates a new Loc-RIB dedicated to the specified peer
(those named `Loc-RIB for X' in @ref{fig:rs-processing}.). Starting from
that moment, every announcement received by the route server will be also
considered for the new Loc-RIB.
@end deffn

@deffn {Route-Server} {neigbor @{A.B.C.D|X.X::X.X|peer-group@} route-map WORD @{import|export@}} {}
This set of commands can be used to specify the route-map that
represents the Import or Export policy of a peer which is
configured as a RS-client (with the previous command).
@end deffn

@deffn {Route-Server} {match peer @{A.B.C.D|X:X::X:X@}} {}
This is a new @emph{match} statement for use in route-maps, enabling them to
describe import/export policies. As we said before, an import/export policy
represents a set of input/output filters of the RS-client. This statement
makes possible that a single route-map represents the full set of filters
that a BGP speaker would use for its different peers in a non-RS scenario.

The @emph{match peer} statement has different semantics whether it is used
inside an import or an export route-map. In the first case the statement
matches if the address of the peer who sends the announce is the same that
the address specified by @{A.B.C.D|X:X::X:X@}. For export route-maps it
matches when @{A.B.C.D|X:X::X:X@} is the address of the RS-Client into whose
Loc-RIB the announce is going to be inserted (how the same export policy is
applied before different Loc-RIBs is shown in @ref{fig:rs-processing}.).
@end deffn

@deffn {Route-map Command} {call @var{WORD}} {}
This command (also used inside a route-map) jumps into a different
route-map, whose name is specified by @var{WORD}. When the called
route-map finishes, depending on its result the original route-map
continues or not. Apart from being useful for making import/export
route-maps easier to write, this command can also be used inside
any normal (in or out) route-map.
@end deffn

@node Example of Route Server Configuration
@section Example of Route Server Configuration

Finally we are going to show how to configure a Frr daemon to act as a
Route Server. For this purpose we are going to present a scenario without
route server, and then we will show how to use the configurations of the BGP
routers to generate the configuration of the route server.

All the configuration files shown in this section have been taken
from scenarios which were tested using the VNUML tool
@uref{http://www.dit.upm.es/vnuml,VNUML}. 

@menu
* Configuration of the BGP routers without Route Server::
* Configuration of the BGP routers with Route Server::
* Configuration of the Route Server itself::
* Further considerations about Import and Export route-maps::
@end menu

@node Configuration of the BGP routers without Route Server
@subsection Configuration of the BGP routers without Route Server

We will suppose that our initial scenario is an exchange point with three
BGP capable routers, named RA, RB and RC. Each of the BGP speakers generates
some routes (with the @var{network} command), and establishes BGP peerings
against the other two routers. These peerings have In and Out route-maps
configured, named like ``PEER-X-IN'' or ``PEER-X-OUT''. For example the
configuration file for router RA could be the following:

@exampleindent 0
@example
#Configuration for router 'RA'
!
hostname RA
password ****
!
router bgp 65001
  no bgp default ipv4-unicast
  neighbor 2001:0DB8::B remote-as 65002
  neighbor 2001:0DB8::C remote-as 65003
!
  address-family ipv6
    network 2001:0DB8:AAAA:1::/64
    network 2001:0DB8:AAAA:2::/64
    network 2001:0DB8:0000:1::/64
    network 2001:0DB8:0000:2::/64

    neighbor 2001:0DB8::B activate
    neighbor 2001:0DB8::B soft-reconfiguration inbound
    neighbor 2001:0DB8::B route-map PEER-B-IN in
    neighbor 2001:0DB8::B route-map PEER-B-OUT out

    neighbor 2001:0DB8::C activate
    neighbor 2001:0DB8::C soft-reconfiguration inbound
    neighbor 2001:0DB8::C route-map PEER-C-IN in
    neighbor 2001:0DB8::C route-map PEER-C-OUT out
  exit-address-family
!
ipv6 prefix-list COMMON-PREFIXES seq  5 permit 2001:0DB8:0000::/48 ge 64 le 64
ipv6 prefix-list COMMON-PREFIXES seq 10 deny any
!
ipv6 prefix-list PEER-A-PREFIXES seq  5 permit 2001:0DB8:AAAA::/48 ge 64 le 64
ipv6 prefix-list PEER-A-PREFIXES seq 10 deny any
!
ipv6 prefix-list PEER-B-PREFIXES seq  5 permit 2001:0DB8:BBBB::/48 ge 64 le 64
ipv6 prefix-list PEER-B-PREFIXES seq 10 deny any
!
ipv6 prefix-list PEER-C-PREFIXES seq  5 permit 2001:0DB8:CCCC::/48 ge 64 le 64
ipv6 prefix-list PEER-C-PREFIXES seq 10 deny any
!
route-map PEER-B-IN permit 10
  match ipv6 address prefix-list COMMON-PREFIXES
  set metric 100
route-map PEER-B-IN permit 20
  match ipv6 address prefix-list PEER-B-PREFIXES
  set community 65001:11111
!
route-map PEER-C-IN permit 10
  match ipv6 address prefix-list COMMON-PREFIXES
  set metric 200
route-map PEER-C-IN permit 20
  match ipv6 address prefix-list PEER-C-PREFIXES
  set community 65001:22222
!
route-map PEER-B-OUT permit 10
  match ipv6 address prefix-list PEER-A-PREFIXES
!
route-map PEER-C-OUT permit 10
  match ipv6 address prefix-list PEER-A-PREFIXES
!
line vty
!
@end example

@node Configuration of the BGP routers with Route Server
@subsection Configuration of the BGP routers with Route Server

To convert the initial scenario into one with route server, first we must
modify the configuration of routers RA, RB and RC. Now they must not peer
between them, but only with the route server. For example, RA's
configuration would turn into:

@example
# Configuration for router 'RA'
!
hostname RA
password ****
!
router bgp 65001
  no bgp default ipv4-unicast
  neighbor 2001:0DB8::FFFF remote-as 65000
!
  address-family ipv6
    network 2001:0DB8:AAAA:1::/64
    network 2001:0DB8:AAAA:2::/64
    network 2001:0DB8:0000:1::/64
    network 2001:0DB8:0000:2::/64

    neighbor 2001:0DB8::FFFF activate
    neighbor 2001:0DB8::FFFF soft-reconfiguration inbound
  exit-address-family
!
line vty
!
@end example

Which is logically much simpler than its initial configuration, as it now
maintains only one BGP peering and all the filters (route-maps) have
disappeared.

@node Configuration of the Route Server itself
@subsection Configuration of the Route Server itself

As we said when we described the functions of a route server
(@pxref{Description of the Route Server model}), it is in charge of all the
route filtering. To achieve that, the In and Out filters from the RA, RB and
RC configurations must be converted into Import and Export policies in the
route server.

This is a fragment of the route server configuration (we only show
the policies for client RA):

@example
# Configuration for Route Server ('RS')
!
hostname RS
password ix
!
bgp multiple-instance
!
router bgp 65000 view RS
  no bgp default ipv4-unicast
  neighbor 2001:0DB8::A  remote-as 65001
  neighbor 2001:0DB8::B  remote-as 65002
  neighbor 2001:0DB8::C  remote-as 65003
!
  address-family ipv6
    neighbor 2001:0DB8::A activate
    neighbor 2001:0DB8::A route-server-client
    neighbor 2001:0DB8::A route-map RSCLIENT-A-IMPORT import
    neighbor 2001:0DB8::A route-map RSCLIENT-A-EXPORT export
    neighbor 2001:0DB8::A soft-reconfiguration inbound

    neighbor 2001:0DB8::B activate
    neighbor 2001:0DB8::B route-server-client
    neighbor 2001:0DB8::B route-map RSCLIENT-B-IMPORT import
    neighbor 2001:0DB8::B route-map RSCLIENT-B-EXPORT export
    neighbor 2001:0DB8::B soft-reconfiguration inbound

    neighbor 2001:0DB8::C activate
    neighbor 2001:0DB8::C route-server-client
    neighbor 2001:0DB8::C route-map RSCLIENT-C-IMPORT import
    neighbor 2001:0DB8::C route-map RSCLIENT-C-EXPORT export
    neighbor 2001:0DB8::C soft-reconfiguration inbound
  exit-address-family
!
ipv6 prefix-list COMMON-PREFIXES seq  5 permit 2001:0DB8:0000::/48 ge 64 le 64
ipv6 prefix-list COMMON-PREFIXES seq 10 deny any
!
ipv6 prefix-list PEER-A-PREFIXES seq  5 permit 2001:0DB8:AAAA::/48 ge 64 le 64
ipv6 prefix-list PEER-A-PREFIXES seq 10 deny any
!
ipv6 prefix-list PEER-B-PREFIXES seq  5 permit 2001:0DB8:BBBB::/48 ge 64 le 64
ipv6 prefix-list PEER-B-PREFIXES seq 10 deny any
!
ipv6 prefix-list PEER-C-PREFIXES seq  5 permit 2001:0DB8:CCCC::/48 ge 64 le 64
ipv6 prefix-list PEER-C-PREFIXES seq 10 deny any
!
route-map RSCLIENT-A-IMPORT permit 10
  match peer 2001:0DB8::B
  call A-IMPORT-FROM-B
route-map RSCLIENT-A-IMPORT permit 20
  match peer 2001:0DB8::C
  call A-IMPORT-FROM-C
!
route-map A-IMPORT-FROM-B permit 10
  match ipv6 address prefix-list COMMON-PREFIXES
  set metric 100
route-map A-IMPORT-FROM-B permit 20
  match ipv6 address prefix-list PEER-B-PREFIXES
  set community 65001:11111
!
route-map A-IMPORT-FROM-C permit 10
  match ipv6 address prefix-list COMMON-PREFIXES
  set metric 200
route-map A-IMPORT-FROM-C permit 20
  match ipv6 address prefix-list PEER-C-PREFIXES
  set community 65001:22222
!
route-map RSCLIENT-A-EXPORT permit 10
  match peer 2001:0DB8::B
  match ipv6 address prefix-list PEER-A-PREFIXES
route-map RSCLIENT-A-EXPORT permit 20
  match peer 2001:0DB8::C
  match ipv6 address prefix-list PEER-A-PREFIXES
!
...
...
...
@end example

If you compare the initial configuration of RA with the route server
configuration above, you can see how easy it is to generate the Import and
Export policies for RA from the In and Out route-maps of RA's original
configuration.

When there was no route server, RA maintained two peerings, one with RB and
another with RC. Each of this peerings had an In route-map configured. To
build the Import route-map for client RA in the route server, simply add
route-map entries following this scheme:

@example
route-map <NAME> permit 10
    match peer <Peer Address>
    call <In Route-Map for this Peer>
route-map <NAME> permit 20
    match peer <Another Peer Address>
    call <In Route-Map for this Peer>
@end example

This is exactly the process that has been followed to generate the route-map
RSCLIENT-A-IMPORT. The route-maps that are called inside it (A-IMPORT-FROM-B
and A-IMPORT-FROM-C) are exactly the same than the In route-maps from the
original configuration of RA (PEER-B-IN and PEER-C-IN), only the name is
different.

The same could have been done to create the Export policy for RA (route-map
RSCLIENT-A-EXPORT), but in this case the original Out route-maps where so
simple that we decided not to use the @var{call WORD} commands, and we
integrated all in a single route-map (RSCLIENT-A-EXPORT).

The Import and Export policies for RB and RC are not shown, but
the process would be identical.

@node Further considerations about Import and Export route-maps
@subsection Further considerations about Import and Export route-maps

The current version of the route server patch only allows to specify a
route-map for import and export policies, while in a standard BGP speaker
apart from route-maps there are other tools for performing input and output
filtering (access-lists, community-lists, ...). But this does not represent
any limitation, as all kinds of filters can be included in import/export
route-maps. For example suppose that in the non-route-server scenario peer
RA had the following filters configured for input from peer B:

@example
    neighbor 2001:0DB8::B prefix-list LIST-1 in
    neighbor 2001:0DB8::B filter-list LIST-2 in
    neighbor 2001:0DB8::B route-map PEER-B-IN in
    ...
    ...
route-map PEER-B-IN permit 10
  match ipv6 address prefix-list COMMON-PREFIXES
  set local-preference 100
route-map PEER-B-IN permit 20
  match ipv6 address prefix-list PEER-B-PREFIXES
  set community 65001:11111
@end example

It is posible to write a single route-map which is equivalent to
the three filters (the community-list, the prefix-list and the
route-map). That route-map can then be used inside the Import
policy in the route server. Lets see how to do it:

@example
    neighbor 2001:0DB8::A route-map RSCLIENT-A-IMPORT import
    ...
!
...
route-map RSCLIENT-A-IMPORT permit 10
  match peer 2001:0DB8::B
  call A-IMPORT-FROM-B
...
...
!
route-map A-IMPORT-FROM-B permit 1
  match ipv6 address prefix-list LIST-1
  match as-path LIST-2
  on-match goto 10
route-map A-IMPORT-FROM-B deny 2
route-map A-IMPORT-FROM-B permit 10
  match ipv6 address prefix-list COMMON-PREFIXES
  set local-preference 100
route-map A-IMPORT-FROM-B permit 20
  match ipv6 address prefix-list PEER-B-PREFIXES
  set community 65001:11111
!
...
...
@end example

The route-map A-IMPORT-FROM-B is equivalent to the three filters
(LIST-1, LIST-2 and PEER-B-IN). The first entry of route-map
A-IMPORT-FROM-B (sequence number 1) matches if and only if both
the prefix-list LIST-1 and the filter-list LIST-2 match. If that
happens, due to the ``on-match goto 10'' statement the next
route-map entry to be processed will be number 10, and as of that
point route-map A-IMPORT-FROM-B is identical to PEER-B-IN. If
the first entry does not match, `on-match goto 10'' will be
ignored and the next processed entry will be number 2, which will
deny the route.

Thus, the result is the same that with the three original filters,
i.e., if either LIST-1 or LIST-2 rejects the route, it does not
reach the route-map PEER-B-IN. In case both LIST-1 and LIST-2
accept the route, it passes to PEER-B-IN, which can reject, accept
or modify the route.