{"id":700,"date":"2018-07-08T00:10:41","date_gmt":"2018-07-07T17:10:41","guid":{"rendered":"https:\/\/lagonet.vn\/?p=700"},"modified":"2018-07-08T00:10:41","modified_gmt":"2018-07-07T17:10:41","slug":"goi-y-ve-route-reflector","status":"publish","type":"post","link":"https:\/\/kb.lagonet.vn\/?p=700","title":{"rendered":"SUGGESTIONS ON ROUTE REFLECTORS"},"content":{"rendered":"<h2 id=\"Main\">Main<\/h2>\n<blockquote><p>Basically two KVM VMs with Debian 9 and FRR software are used for the RR role &#8211; rr{1,2}v.itim.vn<\/p><\/blockquote>\n<ul>\n<li>packages with configs\n<ul>\n<li>coccoc-net-config-rr1v<\/li>\n<li>coccoc-net-frr-config-rr1v<\/li>\n<li>coccoc-net-config-rr2v<\/li>\n<li>coccoc-net-frr-config-rr2v<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<blockquote><p>The RRs are grouped inside subnet\u00a0<em>10.196.112.0\/24<\/em>\u00a0to keep the RR cluster config simple. <strong>FRRouting software is used for the following reasons:<\/strong><\/p><\/blockquote>\n<ul>\n<li>Support of BGP peer-groups<\/li>\n<li>Support of BGP dynamic neighbors (with different ranges per group)<\/li>\n<li>Future support of BFD<\/li>\n<li>frr 3.0.2-1~debian9+1 (Deb9) &#8211; fork of Quagga\n<ul>\n<li>FRR has its roots in the Quagga project. In fact, it was started by many long-time Quagga developers who combined their efforts to improve on Quagga&#8217;s well-established foundation in order to create the best routing protocol stack available.<\/li>\n<li>Sources: <a class=\"ext-link\" href=\"https:\/\/github.com\/FRRouting\/frr\/\">https:\/\/github.com\/FRRouting\/frr\/<\/a><\/li>\n<li>Packages: <a class=\"ext-link\" href=\"https:\/\/github.com\/FRRouting\/frr\/releases\">https:\/\/github.com\/FRRouting\/frr\/releases<\/a><\/li>\n<li>The latest stable release at the time of writing is 3.0.2: <a class=\"ext-link\" href=\"https:\/\/github.com\/FRRouting\/frr\/releases\/download\/frr-3.0.2\/frr_3.0.2-1-debian9.1_amd64.deb\">https:\/\/github.com\/FRRouting\/frr\/releases\/download\/frr-3.0.2\/frr_3.0.2-1-debian9.1_amd64.deb<\/a><\/li>\n<li>Install the dependencies and the frr package (manual bootstrap; the .deb comes straight from GitHub, so prefer our Deb9 repo below once the package is there)\n<pre class=\"wiki\">    apt-get install libc-ares2 libjson-c3\n    wget https:\/\/github.com\/FRRouting\/frr\/releases\/download\/frr-3.0.2\/frr_3.0.2-1-debian9.1_amd64.deb\n    dpkg -i frr_3.0.2-1-debian9.1_amd64.deb\n<\/pre>\n<\/li>\n<li><strong>Bug:<\/strong>\u00a0BGP third-party next-hop resolution via the kernel default route doesn&#8217;t work: <a class=\"ext-link\" href=\"https:\/\/github.com\/FRRouting\/frr\/issues\/1578\">https:\/\/github.com\/FRRouting\/frr\/issues\/1578<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<blockquote><p>The frr package has been added to our Deb9 repo, so it can be installed with apt-get. Typical BGP config:<\/p>\n<pre class=\"wiki\">    conf t\n        router bgp 100000\n            bgp router-id 10.196.112.N\n            bgp cluster-id 10.196.112.0\n            neighbor PG-BGP-RRs peer-group\n            neighbor PG-BGP-RRs remote-as 100000\n            neighbor PG-Calico peer-group\n            neighbor PG-Calico remote-as 100000\n            neighbor PG-Core 
peer-group\n            neighbor PG-Core remote-as 100000\n            bgp listen range 10.196.112.0\/24 peer-group PG-BGP-RRs\n            bgp listen range 10.3.0.0\/22 peer-group PG-Calico\n            bgp listen range 10.10.0.0\/23 peer-group PG-Calico\n            bgp listen range 10.10.64.0\/23 peer-group PG-Calico\n            bgp listen range 10.101.0.0\/22 peer-group PG-Calico\n            bgp listen range 10.196.126.0\/24 peer-group PG-Core\n            neighbor aaa.bbb.ccc.ddd peer-group PG-BGP-RRs\n            neighbor PG-Core route-reflector-client\n            neighbor PG-Calico route-reflector-client\n            bgp client-to-client reflection\n        ip route 10.0.0.0\/8 10.196.112.1\n<\/pre>\n<blockquote><p>The static route is a workaround for the bug described above. <em>aaa.bbb.ccc.ddd<\/em> stands for each other RR, configured as a static neighbor (see the installation section). Every <em>bgp listen range<\/em> makes the RR accept a session from any host inside that range, with no authentication; the Security section below deals with the consequences.<\/p><\/blockquote>\n<\/blockquote>\n<h3 id=\"Installationofnewnode\">Installation of new node<\/h3>\n<blockquote><p>To add an additional RR node:<\/p><\/blockquote>\n<ul>\n<li>create 2 more packages\n<ul>\n<li><em>coccoc-net-config-rrNv<\/em>\u00a0&#8211; network interface config<\/li>\n<li><em>coccoc-net-frr-config-rrNv<\/em>\u00a0&#8211; frr configs<\/li>\n<\/ul>\n<\/li>\n<li>add all RRs as neighbors (excluding the node itself)\n<pre class=\"wiki\">    neighbor 10.196.112.16 peer-group PG-BGP-RRs\n    neighbor 10.196.112.17 peer-group PG-BGP-RRs\n    neighbor 10.196.112.N peer-group PG-BGP-RRs\n<\/pre>\n<\/li>\n<li>bgp\u00a0<em>router-id<\/em>\u00a0is the IP of the eth0\/ens3\/&#8230; interface (we don&#8217;t need a dummy\/lo interface here, because we have just a single interface per RR)<\/li>\n<li>install the packages on the VM\/bare metal node<\/li>\n<li>in the vtysh CLI make sure that your RRs have peers:\n<pre class=\"wiki\">    sh ip bgp summary\n<\/pre>\n<\/li>\n<\/ul>\n<blockquote><p>The output should show the static peers (RRs) and the dynamic peers (Calico nodes and core\/border routers). A number in the State\/PfxRcd column means the session is Established and gives the count of prefixes received; otherwise the column shows the session state. The limit printed on the last line is FRR&#8217;s default <em>bgp listen limit<\/em> for dynamic neighbors.<\/p>\n<pre class=\"wiki\">rr1v# sh ip bgp summary\n\nIPv4 Unicast Summary:\nBGP router identifier 10.196.112.16, local AS number 100000 vrf-id 0\nBGP table version 49\nRIB entries 1, using 136 bytes of memory\nPeers 4, using 84 KiB of memory\nPeer groups 3, using 216 bytes of memory\n\nNeighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ  Up\/Down State\/PfxRcd\n10.196.112.17   4     100000   10121   10159        0    0    0 01w0d00h            0\n*10.3.4.149     4     100000     214     188        0    0    0 03:04:08            1\n*10.196.126.1   4     100000   10120   10156        0    0    0 01w0d00h            0\n*10.196.126.2   4     100000   10120   10156        0    0    0 01w0d00h            0\n\nTotal number of neighbors 4\n* - dynamic neighbor\n3 dynamic neighbor(s), limit 100\n\n<\/pre>\n<p>Note that 10.3.4.149 lies outside the <em>10.3.0.0\/22<\/em> listen range of the config excerpt above (that range ends at 10.3.3.255), so the excerpt and this output were not taken from the same running config; compare against the listen ranges actually configured on the RR.<\/p>\n<\/blockquote>\n<h3 id=\"Security\">Security<\/h3>\n<blockquote><p>The following things can be done for BGP security.<\/p><\/blockquote>\n<h4 id=\"MD5basedpasswordsforBGPsessionsbetweenpeers\">MD5 based passwords for BGP sessions between peers<\/h4>\n<ul>\n<li>It seems that neither Quagga nor FRR (at the time of writing, FRR 3.0.2) supports MD5 auth for peer groups with dynamic peers (MD5 auth is supported only for static peers)\n<ul>\n<li><strong>ISSUE request<\/strong>\u00a0to FRR developers: <a class=\"ext-link\" href=\"https:\/\/github.com\/FRRouting\/frr\/issues\/1631\">https:\/\/github.com\/FRRouting\/frr\/issues\/1631<\/a><\/li>\n<\/ul>\n<\/li>\n<li>MD5 auth for dynamic neighbors 
doesn&#8217;t work in FRR 3.0.2 due to a limitation in the Linux kernel (patched in kernel version 4.14; <a class=\"ext-link\" href=\"https:\/\/github.com\/FRRouting\/frr\/issues\/1631#issuecomment-357342471\">the feature should be implemented in future versions of FRR<\/a>). It means that on dev BareMetal nodes a non-privileged user can run BGP-speaking software to establish a rogue BGP session with the RR (opening an outbound TCP connection to port 179 needs no privileges, and the RR accepts any source address inside its listen ranges) and advertise prefixes that may already be advertised from another BareMetal node. This can cause the installation of 2 ECMP routes into the routing tables of nodes and routers, and can be used for:\n<ul>\n<li>traffic capture<\/li>\n<li>service outages (blackhole routes)<\/li>\n<\/ul>\n<\/li>\n<li>All of the above means that we should control connections to TCP port 179 of the RRs from BareMetal nodes. It may be implemented using\u00a0<strong>cgroups + iptables<\/strong>, to allow outbound connections to TCP port 179 only for processes in a specific cgroup (the legitimate BGP speaker), at least until the MD5SIG feature is implemented in FRR.<\/li>\n<\/ul>\n<h4 id=\"FilterinboundupdatesfromCalicopeers-allowonlyroutestotheprefixesinsideofallocatedbigprefixesforprojects\">Filter inbound updates from Calico peers &#8211; allow only routes to prefixes inside the big prefixes allocated for projects<\/h4>\n<ul>\n<li>We should use filters for inbound route updates to avoid announcements of prefixes that we did not define in the IP plan. Such prefixes can be installed with the same technique described above. Note that the filter only rejects prefixes outside the plan: a rogue speaker announcing an already allocated prefix still passes, which is why the control of TCP port 179 above is still needed.<\/li>\n<li>We can use the BGP ORF (Outbound Route Filtering) technique: with the following config the Calico node will announce only the prefixes that our RR allows in its prefix-list. ORF is cooperative, so the inbound <em>prefix-list calico-in in<\/em> on the RR remains the real enforcement point; a peer that ignores the ORF still has its updates filtered on the RR.\n<ul>\n<li>Let&#8217;s say that the RR is our CE (it sends the ORF)\n<pre class=\"wiki\">    conf t\n        ip prefix-list calico-in description \"Allow only allocated prefixes in updates\"\n        ip prefix-list calico-in seq 10 permit 10.196.160.0\/21 le 32\n        ip prefix-list calico-in seq 1000 deny any\n        router bgp 100000\n            neighbor PG-Calico capability orf prefix-list send\n            neighbor PG-Calico prefix-list calico-in in\n<\/pre>\n<\/li>\n<li>Let&#8217;s say that the Calico node is our PE (it receives the ORF; here is an example for FRR software)\n<pre class=\"wiki\">    conf t\n        router bgp 100000\n            neighbor 10.196.112.16 capability orf prefix-list receive\n<\/pre>\n<\/li>\n<\/ul>\n<\/li>\n<li><strong>NOTE:<\/strong>\u00a0If BGP ORF is not supported on the Calico node side, I will implement a usual inbound prefix-list based filter on the RR instead. 
It requires more CPU on the RR when the number of routes is large, because every update is received and processed before it is dropped, whereas with ORF the Calico node does not send the filtered prefixes at all.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Main Basically 2 KVM VM with Debian9 and FRR software used for RR roles &#8211; rr{1,2}v.itim.vn packages with configs coccoc-net-config-rr1v [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[6],"tags":[],"class_list":["post-700","post","type-post","status-publish","format-standard","hentry","category-networking"],"_links":{"self":[{"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=\/wp\/v2\/posts\/700","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=700"}],"version-history":[{"count":0,"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=\/wp\/v2\/posts\/700\/revisions"}],"wp:attachment":[{"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=700"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=700"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=700"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
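The following is an added example written for this page (it is not code from the original post, from FRR or from Calico) covering two points made in the post above: the `sh ip bgp summary` check after adding an RR node, and the `calico-in` prefix-list from the Security section. `audit_summary` parses the rr1v summary output quoted in the post (embedded below with the memory-usage lines trimmed) and classifies each peer by the listen ranges of the post's config, flagging a missing or non-Established static RR peer and any session from outside the ranges; `prefix_list_match` implements FRR prefix-list semantics (lowest matching seq decides, `le 32` admits every more-specific, no match denies) and `simulate_rib` runs announcements through it. The second announcing node 10.3.4.150 and all four announcements are constructed for the example. Run on the post's own output, the audit reports 10.3.4.149 as outside every listen range, because 10.3.0.0/22 ends at 10.3.3.255; the filter run shows the out-of-plan prefixes denied and the in-plan duplicate accepted as a second ECMP path, which is the gap the port 179 control is meant to close.

```python
import ipaddress
import re

# Peer groups and listen ranges from the page's RR config.
LISTEN_RANGES = {
    "PG-BGP-RRs": ["10.196.112.0/24"],
    "PG-Calico": ["10.3.0.0/22", "10.10.0.0/23", "10.10.64.0/23", "10.101.0.0/22"],
    "PG-Core": ["10.196.126.0/24"],
}
EXPECTED_RRS = {"10.196.112.16", "10.196.112.17"}  # static RR neighbors

# Sample input: the rr1v output shown on the page (memory lines trimmed).
SUMMARY = """\
rr1v# sh ip bgp summary

IPv4 Unicast Summary:
BGP router identifier 10.196.112.16, local AS number 100000 vrf-id 0

Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd
10.196.112.17   4     100000   10121   10159        0    0    0 01w0d00h            0
*10.3.4.149     4     100000     214     188        0    0    0 03:04:08            1
*10.196.126.1   4     100000   10120   10156        0    0    0 01w0d00h            0
*10.196.126.2   4     100000   10120   10156        0    0    0 01w0d00h            0

Total number of neighbors 4
* - dynamic neighbor
3 dynamic neighbor(s), limit 100
"""
# Columns: Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
# (the state is taken as "rest of line" so that "Idle (Admin)" is not skipped)
PEER_RE = re.compile(r"^(\*?)(\d+\.\d+\.\d+\.\d+)\s+4\s+(\d+)(?:\s+\d+){5}\s+\S+\s+(.+?)\s*$")


def peer_group_for(ip):
    """Peer-group whose listen range contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for group, ranges in LISTEN_RANGES.items():
        if any(addr in ipaddress.ip_network(r) for r in ranges):
            return group
    return None


def audit_summary(text):
    """Parse `sh ip bgp summary`; return (router_id, peers, problems)."""
    router_id, peers, problems = None, {}, []
    for line in text.splitlines():
        m = re.search(r"BGP router identifier (\S+),", line)
        if m:
            router_id = m.group(1)
        m = PEER_RE.match(line)
        if not m:
            continue
        star, ip, asn, state = m.groups()
        # FRR prints the received-prefix count only when Established;
        # otherwise the column carries the FSM state (Idle, Active, ...).
        peers[ip] = {"dynamic": star == "*", "as": int(asn),
                     "group": peer_group_for(ip), "established": state.isdigit(),
                     "pfx_rcvd": int(state) if state.isdigit() else None}
    for rr in sorted(EXPECTED_RRS - {router_id}):  # every other RR must be up
        if not peers.get(rr, {}).get("established"):
            problems.append(f"static RR peer {rr} missing or not Established")
    for ip, p in peers.items():
        if p["group"] is None:
            problems.append(f"peer {ip} is outside every listen range")
        elif p["dynamic"] and p["group"] == "PG-BGP-RRs":
            problems.append(f"dynamic session from {ip} in the RR subnet (RRs are static)")
    return router_id, peers, problems


# The page's calico-in list as (seq, action, prefix, ge, le); `deny any` is 0.0.0.0/0 ge 0 le 32.
CALICO_IN = [(10, "permit", "10.196.160.0/21", None, 32),
             (1000, "deny", "0.0.0.0/0", 0, 32)]


def prefix_list_match(plist, prefix):
    """FRR prefix-list semantics: lowest matching seq decides; no match = deny."""
    net = ipaddress.ip_network(prefix)
    for _seq, action, entry, ge, le in sorted(plist, key=lambda e: e[0]):
        base = ipaddress.ip_network(entry)
        lo = base.prefixlen if ge is None else ge
        hi = base.prefixlen if le is None else le  # no ge/le: exact length only
        if net.subnet_of(base) and lo <= net.prefixlen <= hi:
            return action == "permit"
    return False


def simulate_rib(announcements, plist=CALICO_IN):
    """Apply the inbound list; return {prefix: [peers whose announcement passed]}."""
    rib = {}
    for peer, prefix in announcements:
        if prefix_list_match(plist, prefix):
            rib.setdefault(prefix, []).append(peer)
    return rib


# Constructed announcements; 10.3.4.150 is a hypothetical second node in the
# PG-Calico range where an unprivileged user runs a rogue BGP speaker.
ANNOUNCEMENTS = [
    ("10.3.4.149", "10.196.160.5/32"),  # legitimate pod route
    ("10.3.4.150", "10.196.160.5/32"),  # rogue duplicate inside the plan: passes, 2nd ECMP path
    ("10.3.4.150", "10.196.126.0/24"),  # rogue: core subnet, outside the plan
    ("10.3.4.150", "10.196.160.0/20"),  # rogue: covers the allocation instead of lying inside it
]

if __name__ == "__main__":  # stand-alone run on the embedded sample
    print(audit_summary(SUMMARY)[2], simulate_rib(ANNOUNCEMENTS))
```

Python 3.7 or newer is needed for `subnet_of`. For live use, feed `audit_summary` the output of `vtysh -c "show ip bgp summary"` and set `LISTEN_RANGES` and `EXPECTED_RRS` from the running config rather than from the excerpt, otherwise the audit reports drift between the two, as it does with the sample.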