summaryrefslogtreecommitdiffstats
path: root/doc/user/routeserver.rst
diff options
context:
space:
mode:
Diffstat (limited to 'doc/user/routeserver.rst')
-rw-r--r--doc/user/routeserver.rst542
1 files changed, 542 insertions, 0 deletions
diff --git a/doc/user/routeserver.rst b/doc/user/routeserver.rst
new file mode 100644
index 0000000..969cd17
--- /dev/null
+++ b/doc/user/routeserver.rst
@@ -0,0 +1,542 @@
+.. _configuring-frr-as-a-route-server:
+
+Configuring FRR as a Route Server
+=================================
+
+The purpose of a Route Server is to centralize the peerings between BGP
+speakers. For example if we have an exchange point scenario with four BGP
+speakers, each of which maintaining a BGP peering with the other three
+(:ref:`fig-topologies-full`), we can convert it into a centralized scenario where
+each of the four establishes a single BGP peering against the Route Server
+(:ref:`fig-topologies-rs`).
+
+We will first describe briefly the Route Server model implemented by FRR.
+We will explain the commands that have been added for configuring that
+model. And finally we will show a full example of FRR configured as Route
+Server.
+
+.. _description-of-the-route-server-model:
+
+Description of the Route Server model
+-------------------------------------
+
+First we are going to describe the normal processing that BGP announcements
+suffer inside a standard BGP speaker, as shown in :ref:`fig-normal-processing`,
+it consists of three steps:
+
+- When an announcement is received from some peer, the `In` filters configured
+ for that peer are applied to the announcement. These filters can reject the
+ announcement, accept it unmodified, or accept it with some of its attributes
+ modified.
+
+- The announcements that pass the `In` filters go into the Best Path Selection
+ process, where they are compared to other announcements referred to the same
+ destination that have been received from different peers (in case such other
+ announcements exist). For each different destination, the announcement which
+ is selected as the best is inserted into the BGP speaker's Loc-RIB.
+
+- The routes which are inserted in the Loc-RIB are considered for announcement
+ to all the peers (except the one from which the route came). This is done by
+ passing the routes in the Loc-RIB through the `Out` filters corresponding to
+ each peer. These filters can reject the route, accept it unmodified, or
+ accept it with some of its attributes modified. Those routes which are
+ accepted by the `Out` filters of a peer are announced to that peer.
+
+.. _fig-normal-processing:
+
+.. figure:: ../figures/fig-normal-processing.png
+ :alt: Normal announcement processing
+ :align: center
+
+ Announcement processing inside a 'normal' BGP speaker
+
+.. _fig-topologies-full:
+
+.. figure:: ../figures/fig_topologies_full.png
+ :alt: Full Mesh BGP Topology
+ :align: center
+
+ Full Mesh
+
+.. _fig-topologies-rs:
+
+.. figure:: ../figures/fig_topologies_rs.png
+ :alt: Route Server BGP Topology
+ :align: center
+
+ Route server and clients
+
+Of course we want that the routing tables obtained in each of the routers are
+the same when using the route server than when not. But as a consequence of
+having a single BGP peering (against the route server), the BGP speakers can no
+longer distinguish from/to which peer each announce comes/goes.
+
+.. _filter-delegation:
+
+This means that the routers connected to the route server are not able to apply
+by themselves the same input/output filters as in the full mesh scenario, so
+they have to delegate those functions to the route server.
+
+Even more, the 'best path' selection must be also performed inside the route
+server on behalf of its clients. The reason is that if, after applying the
+filters of the announcer and the (potential) receiver, the route server decides
+to send to some client two or more different announcements referred to the same
+destination, the client will only retain the last one, considering it as an
+implicit withdrawal of the previous announcements for the same destination.
+This is the expected behavior of a BGP speaker as defined in :rfc:`1771`,
+and even though there are some proposals of mechanisms that permit multiple
+paths for the same destination to be sent through a single BGP peering, none
+are currently supported by most existing BGP implementations.
+
+As a consequence a route server must maintain additional information and
+perform additional tasks for a RS-client that those necessary for common BGP
+peerings. Essentially a route server must:
+
+.. _route-server-tasks:
+
+- Maintain a separated Routing Information Base (Loc-RIB)
+ for each peer configured as RS-client, containing the routes
+ selected as a result of the 'Best Path Selection' process
+ that is performed on behalf of that RS-client.
+
+- Whenever it receives an announcement from a RS-client,
+ it must consider it for the Loc-RIBs of the other RS-clients.
+
+ - This means that for each of them the route server must pass the
+ announcement through the appropriate `Out` filter of the
+ announcer.
+
+ - Then through the appropriate `In` filter of the potential receiver.
+
+ - Only if the announcement is accepted by both filters it will be passed
+ to the 'Best Path Selection' process.
+
+ - Finally, it might go into the Loc-RIB of the receiver.
+
+When we talk about the 'appropriate' filter, both the announcer and the
+receiver of the route must be taken into account. Suppose that the route server
+receives an announcement from client A, and the route server is considering it
+for the Loc-RIB of client B. The filters that should be applied are the same
+that would be used in the full mesh scenario, i.e., first the `Out` filter of
+router A for announcements going to router B, and then the `In` filter of
+router B for announcements coming from router A.
+
+We call 'Export Policy' of a RS-client to the set of `Out` filters that the
+client would use if there was no route server. The same applies for the 'Import
+Policy' of a RS-client and the set of `In` filters of the client if there was
+no route server.
+
+It is also common to demand from a route server that it does not modify some
+BGP attributes (next-hop, as-path and MED) that are usually modified by
+standard BGP speakers before announcing a route.
+
+The announcement processing model implemented by FRR is shown in
+:ref:`fig-rs-processing`. The figure shows a mixture of RS-clients (B, C and D)
+with normal BGP peers (A). There are some details that worth additional
+comments:
+
+- Announcements coming from a normal BGP peer are also considered for the
+ Loc-RIBs of all the RS-clients. But logically they do not pass through any
+ export policy.
+
+- Those peers that are configured as RS-clients do not receive any announce
+ from the `Main` Loc-RIB.
+
+- Apart from import and export policies, `In` and `Out` filters can also be set
+ for RS-clients. `In` filters might be useful when the route server has also
+ normal BGP peers. On the other hand, `Out` filters for RS-clients are
+ probably unnecessary, but we decided not to remove them as they do not hurt
+ anybody (they can always be left empty).
+
+.. _fig-rs-processing:
+.. figure:: ../figures/fig-rs-processing.png
+ :align: center
+ :alt: Route Server Processing Model
+
+ Announcement processing model implemented by the Route Server
+
+.. _commands-for-configuring-a-route-server:
+
+Commands for configuring a Route Server
+---------------------------------------
+
+Now we will describe the commands that have been added to frr
+in order to support the route server features.
+
+.. clicmd:: neighbor PEER-GROUP route-server-client
+
+.. clicmd:: neighbor A.B.C.D route-server-client
+
+.. clicmd:: neighbor X:X::X:X route-server-client
+
+ This command configures the peer given by `peer`, `A.B.C.D` or `X:X::X:X` as
+ an RS-client.
+
+ Actually this command is not new, it already existed in standard FRR. It
+ enables the transparent mode for the specified peer. This means that some
+ BGP attributes (as-path, next-hop and MED) of the routes announced to that
+ peer are not modified.
+
+ With the route server patch, this command, apart from setting the
+ transparent mode, creates a new Loc-RIB dedicated to the specified peer
+ (those named `Loc-RIB for X` in :ref:`fig-rs-processing`.). Starting from
+ that moment, every announcement received by the route server will be also
+ considered for the new Loc-RIB.
+
+.. clicmd:: neigbor A.B.C.D|X.X::X.X|peer-group route-map WORD in|out
+
+ This set of commands can be used to specify the route-map that represents
+ the Import or Export policy of a peer which is configured as a RS-client
+ (with the previous command).
+
+.. clicmd:: match peer A.B.C.D|X:X::X:X
+
+ This is a new *match* statement for use in route-maps, enabling them to
+ describe import/export policies. As we said before, an import/export policy
+ represents a set of input/output filters of the RS-client. This statement
+ makes possible that a single route-map represents the full set of filters
+ that a BGP speaker would use for its different peers in a non-RS scenario.
+
+ The *match peer* statement has different semantics whether it is used inside
+ an import or an export route-map. In the first case the statement matches if
+ the address of the peer who sends the announce is the same that the address
+ specified by {A.B.C.D|X:X::X:X}. For export route-maps it matches when
+ {A.B.C.D|X:X::X:X} is the address of the RS-Client into whose Loc-RIB the
+ announce is going to be inserted (how the same export policy is applied
+ before different Loc-RIBs is shown in :ref:`fig-rs-processing`.).
+
+.. clicmd:: call WORD
+
+ This command (also used inside a route-map) jumps into a different
+ route-map, whose name is specified by `WORD`. When the called
+ route-map finishes, depending on its result the original route-map
+ continues or not. Apart from being useful for making import/export
+ route-maps easier to write, this command can also be used inside
+ any normal (in or out) route-map.
+
+.. _example-of-route-server-configuration:
+
+Example of Route Server Configuration
+-------------------------------------
+
+Finally we are going to show how to configure a FRR daemon to act as a
+Route Server. For this purpose we are going to present a scenario without
+route server, and then we will show how to use the configurations of the BGP
+routers to generate the configuration of the route server.
+
+All the configuration files shown in this section have been taken
+from scenarios which were tested using the VNUML tool
+`http://www.dit.upm.es/vnuml,VNUML <http://www.dit.upm.es/vnuml,VNUML>`_.
+
+.. _configuration-of-the-bgp-routers-without-route-server:
+
+Configuration of the BGP routers without Route Server
+-----------------------------------------------------
+
+We will suppose that our initial scenario is an exchange point with three
+BGP capable routers, named RA, RB and RC. Each of the BGP speakers generates
+some routes (with the `network` command), and establishes BGP peerings
+against the other two routers. These peerings have In and Out route-maps
+configured, named like 'PEER-X-IN' or 'PEER-X-OUT'. For example the
+configuration file for router RA could be the following:
+
+.. code-block:: frr
+
+ #Configuration for router 'RA'
+ !
+ hostname RA
+ password ****
+ !
+ router bgp 65001
+ no bgp default ipv4-unicast
+ neighbor 2001:0DB8::B remote-as 65002
+ neighbor 2001:0DB8::C remote-as 65003
+ !
+ address-family ipv6
+ network 2001:0DB8:AAAA:1::/64
+ network 2001:0DB8:AAAA:2::/64
+ network 2001:0DB8:0000:1::/64
+ network 2001:0DB8:0000:2::/64
+ neighbor 2001:0DB8::B activate
+ neighbor 2001:0DB8::B soft-reconfiguration inbound
+ neighbor 2001:0DB8::B route-map PEER-B-IN in
+ neighbor 2001:0DB8::B route-map PEER-B-OUT out
+ neighbor 2001:0DB8::C activate
+ neighbor 2001:0DB8::C soft-reconfiguration inbound
+ neighbor 2001:0DB8::C route-map PEER-C-IN in
+ neighbor 2001:0DB8::C route-map PEER-C-OUT out
+ exit-address-family
+ !
+ ipv6 prefix-list COMMON-PREFIXES seq 5 permit 2001:0DB8:0000::/48 ge 64 le 64
+ ipv6 prefix-list COMMON-PREFIXES seq 10 deny any
+ !
+ ipv6 prefix-list PEER-A-PREFIXES seq 5 permit 2001:0DB8:AAAA::/48 ge 64 le 64
+ ipv6 prefix-list PEER-A-PREFIXES seq 10 deny any
+ !
+ ipv6 prefix-list PEER-B-PREFIXES seq 5 permit 2001:0DB8:BBBB::/48 ge 64 le 64
+ ipv6 prefix-list PEER-B-PREFIXES seq 10 deny any
+ !
+ ipv6 prefix-list PEER-C-PREFIXES seq 5 permit 2001:0DB8:CCCC::/48 ge 64 le 64
+ ipv6 prefix-list PEER-C-PREFIXES seq 10 deny any
+ !
+ route-map PEER-B-IN permit 10
+ match ipv6 address prefix-list COMMON-PREFIXES
+ set metric 100
+ route-map PEER-B-IN permit 20
+ match ipv6 address prefix-list PEER-B-PREFIXES
+ set community 65001:11111
+ !
+ route-map PEER-C-IN permit 10
+ match ipv6 address prefix-list COMMON-PREFIXES
+ set metric 200
+ route-map PEER-C-IN permit 20
+ match ipv6 address prefix-list PEER-C-PREFIXES
+ set community 65001:22222
+ !
+ route-map PEER-B-OUT permit 10
+ match ipv6 address prefix-list PEER-A-PREFIXES
+ !
+ route-map PEER-C-OUT permit 10
+ match ipv6 address prefix-list PEER-A-PREFIXES
+ !
+ line vty
+ !
+
+
+.. _configuration-of-the-bgp-routers-with-route-server:
+
+Configuration of the BGP routers with Route Server
+--------------------------------------------------
+
+To convert the initial scenario into one with route server, first we must
+modify the configuration of routers RA, RB and RC. Now they must not peer
+between them, but only with the route server. For example, RA's
+configuration would turn into:
+
+.. code-block:: frr
+
+ # Configuration for router 'RA'
+ !
+ hostname RA
+ password ****
+ !
+ router bgp 65001
+ no bgp default ipv4-unicast
+ neighbor 2001:0DB8::FFFF remote-as 65000
+ !
+ address-family ipv6
+ network 2001:0DB8:AAAA:1::/64
+ network 2001:0DB8:AAAA:2::/64
+ network 2001:0DB8:0000:1::/64
+ network 2001:0DB8:0000:2::/64
+
+ neighbor 2001:0DB8::FFFF activate
+ neighbor 2001:0DB8::FFFF soft-reconfiguration inbound
+ exit-address-family
+ !
+ line vty
+ !
+
+
+Which is logically much simpler than its initial configuration, as it now
+maintains only one BGP peering and all the filters (route-maps) have
+disappeared.
+
+.. _configuration-of-the-route-server-itself:
+
+Configuration of the Route Server itself
+----------------------------------------
+
+As we said when we described the functions of a route server
+(:ref:`description-of-the-route-server-model`), it is in charge of all the
+route filtering. To achieve that, the In and Out filters from the RA, RB and RC
+configurations must be converted into Import and Export policies in the route
+server.
+
+This is a fragment of the route server configuration (we only show
+the policies for client RA):
+
+.. code-block:: frr
+
+ # Configuration for Route Server ('RS')
+ !
+ hostname RS
+ password ix
+ !
+ router bgp 65000 view RS
+ no bgp default ipv4-unicast
+ neighbor 2001:0DB8::A remote-as 65001
+ neighbor 2001:0DB8::B remote-as 65002
+ neighbor 2001:0DB8::C remote-as 65003
+ !
+ address-family ipv6
+ neighbor 2001:0DB8::A activate
+ neighbor 2001:0DB8::A route-server-client
+ neighbor 2001:0DB8::A route-map RSCLIENT-A-IMPORT in
+ neighbor 2001:0DB8::A route-map RSCLIENT-A-EXPORT out
+ neighbor 2001:0DB8::A soft-reconfiguration inbound
+
+ neighbor 2001:0DB8::B activate
+ neighbor 2001:0DB8::B route-server-client
+ neighbor 2001:0DB8::B route-map RSCLIENT-B-IMPORT in
+ neighbor 2001:0DB8::B route-map RSCLIENT-B-EXPORT out
+ neighbor 2001:0DB8::B soft-reconfiguration inbound
+
+ neighbor 2001:0DB8::C activate
+ neighbor 2001:0DB8::C route-server-client
+ neighbor 2001:0DB8::C route-map RSCLIENT-C-IMPORT in
+ neighbor 2001:0DB8::C route-map RSCLIENT-C-EXPORT out
+ neighbor 2001:0DB8::C soft-reconfiguration inbound
+ exit-address-family
+ !
+ ipv6 prefix-list COMMON-PREFIXES seq 5 permit 2001:0DB8:0000::/48 ge 64 le 64
+ ipv6 prefix-list COMMON-PREFIXES seq 10 deny any
+ !
+ ipv6 prefix-list PEER-A-PREFIXES seq 5 permit 2001:0DB8:AAAA::/48 ge 64 le 64
+ ipv6 prefix-list PEER-A-PREFIXES seq 10 deny any
+ !
+ ipv6 prefix-list PEER-B-PREFIXES seq 5 permit 2001:0DB8:BBBB::/48 ge 64 le 64
+ ipv6 prefix-list PEER-B-PREFIXES seq 10 deny any
+ !
+ ipv6 prefix-list PEER-C-PREFIXES seq 5 permit 2001:0DB8:CCCC::/48 ge 64 le 64
+ ipv6 prefix-list PEER-C-PREFIXES seq 10 deny any
+ !
+ route-map RSCLIENT-A-IMPORT permit 10
+ match peer 2001:0DB8::B
+ call A-IMPORT-FROM-B
+ route-map RSCLIENT-A-IMPORT permit 20
+ match peer 2001:0DB8::C
+ call A-IMPORT-FROM-C
+ !
+ route-map A-IMPORT-FROM-B permit 10
+ match ipv6 address prefix-list COMMON-PREFIXES
+ set metric 100
+ route-map A-IMPORT-FROM-B permit 20
+ match ipv6 address prefix-list PEER-B-PREFIXES
+ set community 65001:11111
+ !
+ route-map A-IMPORT-FROM-C permit 10
+ match ipv6 address prefix-list COMMON-PREFIXES
+ set metric 200
+ route-map A-IMPORT-FROM-C permit 20
+ match ipv6 address prefix-list PEER-C-PREFIXES
+ set community 65001:22222
+ !
+ route-map RSCLIENT-A-EXPORT permit 10
+ match peer 2001:0DB8::B
+ match ipv6 address prefix-list PEER-A-PREFIXES
+ route-map RSCLIENT-A-EXPORT permit 20
+ match peer 2001:0DB8::C
+ match ipv6 address prefix-list PEER-A-PREFIXES
+ !
+ ...
+ ...
+ ...
+
+
+If you compare the initial configuration of RA with the route server
+configuration above, you can see how easy it is to generate the Import and
+Export policies for RA from the In and Out route-maps of RA's original
+configuration.
+
+When there was no route server, RA maintained two peerings, one with RB and
+another with RC. Each of this peerings had an In route-map configured. To
+build the Import route-map for client RA in the route server, simply add
+route-map entries following this scheme:
+
+::
+
+ route-map <NAME> permit 10
+ match peer <Peer Address>
+ call <In Route-Map for this Peer>
+ route-map <NAME> permit 20
+ match peer <Another Peer Address>
+ call <In Route-Map for this Peer>
+
+
+This is exactly the process that has been followed to generate the route-map
+RSCLIENT-A-IMPORT. The route-maps that are called inside it (A-IMPORT-FROM-B
+and A-IMPORT-FROM-C) are exactly the same than the In route-maps from the
+original configuration of RA (PEER-B-IN and PEER-C-IN), only the name is
+different.
+
+The same could have been done to create the Export policy for RA (route-map
+RSCLIENT-A-EXPORT), but in this case the original Out route-maps where so
+simple that we decided not to use the `call WORD` commands, and we
+integrated all in a single route-map (RSCLIENT-A-EXPORT).
+
+The Import and Export policies for RB and RC are not shown, but
+the process would be identical.
+
+Further considerations about Import and Export route-maps
+---------------------------------------------------------
+
+The current version of the route server patch only allows to specify a
+route-map for import and export policies, while in a standard BGP speaker
+apart from route-maps there are other tools for performing input and output
+filtering (access-lists, community-lists, ...). But this does not represent
+any limitation, as all kinds of filters can be included in import/export
+route-maps. For example suppose that in the non-route-server scenario peer
+RA had the following filters configured for input from peer B:
+
+.. code-block:: frr
+
+ neighbor 2001:0DB8::B prefix-list LIST-1 in
+ neighbor 2001:0DB8::B filter-list LIST-2 in
+ neighbor 2001:0DB8::B route-map PEER-B-IN in
+ ...
+ ...
+ route-map PEER-B-IN permit 10
+ match ipv6 address prefix-list COMMON-PREFIXES
+ set local-preference 100
+ route-map PEER-B-IN permit 20
+ match ipv6 address prefix-list PEER-B-PREFIXES
+ set community 65001:11111
+
+
+It is possible to write a single route-map which is equivalent to the three
+filters (the community-list, the prefix-list and the route-map). That route-map
+can then be used inside the Import policy in the route server. Lets see how to
+do it:
+
+.. code-block:: frr
+
+ neighbor 2001:0DB8::A route-map RSCLIENT-A-IMPORT in
+ ...
+ !
+ ...
+ route-map RSCLIENT-A-IMPORT permit 10
+ match peer 2001:0DB8::B
+ call A-IMPORT-FROM-B
+ ...
+ ...
+ !
+ route-map A-IMPORT-FROM-B permit 1
+ match ipv6 address prefix-list LIST-1
+ match as-path LIST-2
+ on-match goto 10
+ route-map A-IMPORT-FROM-B deny 2
+ route-map A-IMPORT-FROM-B permit 10
+ match ipv6 address prefix-list COMMON-PREFIXES
+ set local-preference 100
+ route-map A-IMPORT-FROM-B permit 20
+ match ipv6 address prefix-list PEER-B-PREFIXES
+ set community 65001:11111
+ !
+ ...
+ ...
+
+
+The route-map A-IMPORT-FROM-B is equivalent to the three filters (LIST-1,
+LIST-2 and PEER-B-IN). The first entry of route-map A-IMPORT-FROM-B (sequence
+number 1) matches if and only if both the prefix-list LIST-1 and the
+filter-list LIST-2 match. If that happens, due to the 'on-match goto 10'
+statement the next route-map entry to be processed will be number 10, and as of
+that point route-map A-IMPORT-FROM-B is identical to PEER-B-IN. If the first
+entry does not match, `on-match goto 10`' will be ignored and the next
+processed entry will be number 2, which will deny the route.
+
+Thus, the result is the same that with the three original filters, i.e., if
+either LIST-1 or LIST-2 rejects the route, it does not reach the route-map
+PEER-B-IN. In case both LIST-1 and LIST-2 accept the route, it passes to
+PEER-B-IN, which can reject, accept or modify the route.
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-16 20:59:56 +0000