katorea memo


bgp flowspec part 2

This time I check the redirect action of BGP FlowSpec.

The network topology is the same as last time.
[figure f:id:gemunopedy:20170714142624p:plain: network diagram]
The diagram in the previous post was way too big. Hard to read...

The goal is to change the path from r3 to csr4 using FlowSpec.
First, the path before any FlowSpec route is injected.

r3#traceroute 4.4.4.4 so 3.3.3.3
Type escape sequence to abort.
Tracing the route to 4.4.4.4
VRF info: (vrf in name/id, vrf out name/id)
  1 10.2.3.2 2 msec 2 msec 1 msec
  2 10.2.4.4 5 msec 7 msec *

[figure f:id:gemunopedy:20170714143254p:plain: path before redirect]
Change the path r3→mx2→csr4
to r3→mx2→xrv1→gobgp5→csr4.

For that, mx2 needs the following configuration. The lines that matter are the ones on the gobgp5 peer (10.2.5.5): `family inet flow no-validate ps-accept` enables the FlowSpec address family and skips the RFC 5575 flow-route validation (normally a FlowSpec route is only installed if its originator also originates the best-match unicast route for the destination prefix; gobgp5 does not originate 4.4.4.4/32, so without no-validate the route would be dropped), with `ps-accept` accepting everything instead. The redirect community 10:10 is matched against the vrf-target of routing instance VPN-A, and the static route for 4.4.4.4/32 inside VPN-A pointing at 10.1.2.1 (xrv1) is what actually sends the redirected traffic the long way round.
mx2

set version 14.1R1.10
set system root-authentication encrypted-password "$1$LX76abow$JcRkn5rfGl0fE6QyThdrc0"
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set interfaces ge-0/0/0 unit 0 family inet address 10.1.2.2/24
set interfaces ge-0/0/1 unit 0 family inet address 10.2.3.2/24
set interfaces ge-0/0/2 unit 0 family inet address 10.2.5.2/24
set interfaces ge-0/0/3 unit 0 family inet address 10.2.4.2/24
set interfaces lo0 unit 0 family inet address 2.2.2.2/32
set routing-options router-id 2.2.2.2
set routing-options autonomous-system 2
set routing-options flow term-order standard
set protocols bgp group ebgp type external
set protocols bgp group ebgp export lo0
set protocols bgp group ebgp neighbor 10.2.3.3 peer-as 3
set protocols bgp group ebgp neighbor 10.2.5.5 family inet flow no-validate ps-accept
set protocols bgp group ebgp neighbor 10.2.5.5 peer-as 5
set protocols bgp group ebgp neighbor 10.2.4.4 peer-as 4
set policy-options prefix-list lo0 1.1.1.1/32
set policy-options prefix-list lo0 2.2.2.2/32
set policy-options prefix-list lo0 3.3.3.3/32
set policy-options prefix-list lo0 4.4.4.4/32
set policy-options policy-statement lo0 term 1 from prefix-list lo0
set policy-options policy-statement lo0 term 1 then accept
set policy-options policy-statement ps-accept term 1 then accept
set routing-instances VPN-A instance-type vrf
set routing-instances VPN-A interface ge-0/0/0.0
set routing-instances VPN-A route-distinguisher 10:10
set routing-instances VPN-A vrf-target target:10:10
set routing-instances VPN-A routing-options static route 4.4.4.4/32 next-hop 10.1.2.1
set routing-instances VPN-A protocols bgp group VPN-A type external
set routing-instances VPN-A protocols bgp group VPN-A peer-as 1
set routing-instances VPN-A protocols bgp group VPN-A neighbor 10.1.2.1

From gobgp5, inject a FlowSpec route that redirects to mx2's VRF (VPN-A).

root@ubuntu:~# gobgp global rib -a ipv4-flowspec add match destination 4.4.4.4/32 source 3.3.3.3/32 then redirect 10:10
root@ubuntu:~# gobgp global rib -a ipv4-flowspec
   Network                                     Next Hop             AS_PATH              Age        Attrs
*> [destination:4.4.4.4/32][source:3.3.3.3/32] fictitious                                00:00:11   [{Origin: ?} {Extcomms: [redirect: 10:10]}]

Confirm that mx2 has received it as well.

root> show route table inetflow.0 detail

inetflow.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
4.4.4.4,3.3.3.3/term:1 (1 entry, 1 announced)
        *BGP    Preference: 170/-101
                Next hop type: Fictitious
                Address: 0x9297b44
                Next-hop reference count: 1
                State: 
                Local AS:     2 Peer AS:     5
                Age: 1:22
                Validation State: unverified
                Task: BGP_5.10.2.5.5+42497
                Announcement bits (1): 0-Flow
                AS path: 5 ?
                Communities: redirect:10:10
                Accepted
                Localpref: 100
                Router ID: 10.2.5.5
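To make the gobgp command above and the route mx2 shows concrete, here is an added Python example (my own code, not part of the original post and not GoBGP's or Junos's implementation). It builds the wire form of the FlowSpec NLRI for `destination 4.4.4.4/32 source 3.3.3.3/32` and of the `redirect 10:10` traffic-redirect extended community per RFC 5575, and implements the RFC 5575 section 6 validation check that `no-validate` on mx2 switches off (which is why the route detail says `Validation State: unverified`). The unicast RIB in `MX2_UNICAST_RIB` is constructed from the topology in the post (4.4.4.4/32 learned from csr4, 3.3.3.3/32 from r3), and "originator" is modelled simply as the peer address the route was learned from; both are assumptions for illustration.

```python
"""Added worked example: encode a FlowSpec NLRI + redirect community and run
the RFC 5575 validation that mx2's 'no-validate' disables.
Not code from the original post, GoBGP or Junos."""
import ipaddress
from typing import Dict, Optional, Tuple

# RFC 5575 section 4 component types used here.
DEST_PREFIX = 1
SRC_PREFIX = 2


def _prefix_component(comp_type: int, prefix: str) -> bytes:
    """<type><prefix length in bits><only as many prefix octets as needed>."""
    net = ipaddress.IPv4Network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([comp_type, net.prefixlen]) + net.network_address.packed[:nbytes]


def encode_flowspec_nlri(destination: str, source: str) -> bytes:
    """One FlowSpec NLRI matching destination+source prefix.

    Components are in ascending type order (1 before 2); the NLRI is prefixed
    with its length: 1 octet if < 240, else 2 octets with the top nibble 0xF."""
    body = _prefix_component(DEST_PREFIX, destination) + _prefix_component(SRC_PREFIX, source)
    if len(body) < 240:
        return bytes([len(body)]) + body
    return (0xF000 | len(body)).to_bytes(2, "big") + body


def encode_redirect_community(asn: int, value: int) -> bytes:
    """Traffic-redirect extended community, 2-octet-AS form (type 0x80, sub-type 0x08),
    i.e. what 'then redirect 10:10' / 'Communities: redirect:10:10' carry."""
    return bytes([0x80, 0x08]) + asn.to_bytes(2, "big") + value.to_bytes(4, "big")


# Unicast route as mx2 would see it: (originator = peer address, neighboring AS).
UnicastRoute = Tuple[str, int]

# Constructed from the post's topology; assumption, not captured from mx2.
MX2_UNICAST_RIB: Dict[str, UnicastRoute] = {
    "4.4.4.4/32": ("10.2.4.4", 4),  # csr4
    "3.3.3.3/32": ("10.2.3.3", 3),  # r3
}


def best_match(rib: Dict[str, UnicastRoute], prefix: str) -> Optional[Tuple[str, UnicastRoute]]:
    """Longest-prefix match of `prefix` against the unicast RIB."""
    target = ipaddress.IPv4Network(prefix)
    candidates = [(ipaddress.IPv4Network(p), r) for p, r in rib.items()
                  if target.subnet_of(ipaddress.IPv4Network(p))]
    if not candidates:
        return None
    net, route = max(candidates, key=lambda c: c[0].prefixlen)
    return str(net), route


def validate_flowspec(rib: Dict[str, UnicastRoute], dest_prefix: str, originator: str) -> bool:
    """RFC 5575 section 6: the FlowSpec route is valid only if
    (a) its originator equals the originator of the best-match unicast route
        for the destination prefix, and
    (b) no more-specific unicast route under that prefix was learned from a
        different neighboring AS than the best-match route."""
    match = best_match(rib, dest_prefix)
    if match is None:
        return False
    best_net, (best_orig, best_as) = match
    if best_orig != originator:
        return False  # a third party may not steer traffic for prefixes it does not originate
    flow = ipaddress.IPv4Network(dest_prefix)
    for p, (_, nas) in rib.items():
        net = ipaddress.IPv4Network(p)
        if net.prefixlen > flow.prefixlen and net.subnet_of(flow) and nas != best_as:
            return False
    return True


if __name__ == "__main__":
    print("NLRI     :", encode_flowspec_nlri("4.4.4.4/32", "3.3.3.3/32").hex())
    print("redirect :", encode_redirect_community(10, 10).hex())
    # gobgp5 (10.2.5.5) is not the originator of 4.4.4.4/32, so with validation on
    # this route would be rejected; mx2 only installs it because of no-validate.
    print("from gobgp5 valid:", validate_flowspec(MX2_UNICAST_RIB, "4.4.4.4/32", "10.2.5.5"))
    print("from csr4   valid:", validate_flowspec(MX2_UNICAST_RIB, "4.4.4.4/32", "10.2.4.4"))
```

Running it shows the NLRI as `0c 01 20 04040404 02 20 03030303` (length, dest /32, src /32) and the community as `8008 000a 0000000a`; the validation check returns False for the route from gobgp5, which is exactly the case the `no-validate ps-accept` line on mx2 papers over. In a lab that is fine, but on a production edge an accept-all policy with no-validate lets any peer on that session redirect traffic for any prefix, so the policy should at least restrict destination prefixes to ones the peer is entitled to steer.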

With this in place, pings to csr4 are now forwarded to xrv1.
GoBGP does not forward packets by itself, so in this setup gobgp5 needs the FIB manipulation configuration, otherwise the redirected traffic would stop there.
Set it up exactly as described here and it can be used like Quagga.
github.com

Check with traceroute in this state.

r3#traceroute 4.4.4.4 so 3.3.3.3
Type escape sequence to abort.
Tracing the route to 4.4.4.4
VRF info: (vrf in name/id, vrf out name/id)
  1 10.2.3.2 2 msec 2 msec 2 msec
  2 10.1.2.1 3 msec 4 msec 2 msec
  3 10.1.5.5 4 msec 5 msec 5 msec
  4 10.4.5.4 5 msec 52 msec *

[figure f:id:gemunopedy:20170714150336p:plain: path after redirect]
The path is now the one I intended.
I couldn't figure out how to tilt shapes in Paint. Didn't have the energy to look it up either, so I did it the rough way.

Next time I'd like to try something like RPKI.