bgp flowspec part 2
This time I'll verify the BGP FlowSpec redirect action.
The network setup is the same as last time, shown here.
The diagram in the previous post was a bit too big. Hard to read...
The goal is to change the r3→csr4 path using FlowSpec.
First, the path before the FlowSpec route is injected.
r3#traceroute 4.4.4.4 so 3.3.3.3
Type escape sequence to abort.
Tracing the route to 4.4.4.4
VRF info: (vrf in name/id, vrf out name/id)
  1 10.2.3.2 2 msec 2 msec 1 msec
  2 10.2.4.4 5 msec 7 msec *
Change the path r3→mx2→csr4
to r3→mx2→xrv1→gobgp5→csr4.
For that, mx2 needs the following configuration.
mx2
set version 14.1R1.10
set system root-authentication encrypted-password "$1$LX76abow$JcRkn5rfGl0fE6QyThdrc0"
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set interfaces ge-0/0/0 unit 0 family inet address 10.1.2.2/24
set interfaces ge-0/0/1 unit 0 family inet address 10.2.3.2/24
set interfaces ge-0/0/2 unit 0 family inet address 10.2.5.2/24
set interfaces ge-0/0/3 unit 0 family inet address 10.2.4.2/24
set interfaces lo0 unit 0 family inet address 2.2.2.2/32
set routing-options router-id 2.2.2.2
set routing-options autonomous-system 2
set routing-options flow term-order standard
set protocols bgp group ebgp type external
set protocols bgp group ebgp export lo0
set protocols bgp group ebgp neighbor 10.2.3.3 peer-as 3
set protocols bgp group ebgp neighbor 10.2.5.5 family inet flow no-validate ps-accept
set protocols bgp group ebgp neighbor 10.2.5.5 peer-as 5
set protocols bgp group ebgp neighbor 10.2.4.4 peer-as 4
set policy-options prefix-list lo0 1.1.1.1/32
set policy-options prefix-list lo0 2.2.2.2/32
set policy-options prefix-list lo0 3.3.3.3/32
set policy-options prefix-list lo0 4.4.4.4/32
set policy-options policy-statement lo0 term 1 from prefix-list lo0
set policy-options policy-statement lo0 term 1 then accept
set policy-options policy-statement ps-accept term 1 then accept
set routing-instances VPN-A instance-type vrf
set routing-instances VPN-A interface ge-0/0/0.0
set routing-instances VPN-A route-distinguisher 10:10
set routing-instances VPN-A vrf-target target:10:10
set routing-instances VPN-A routing-options static route 4.4.4.4/32 next-hop 10.1.2.1
set routing-instances VPN-A protocols bgp group VPN-A type external
set routing-instances VPN-A protocols bgp group VPN-A peer-as 1
set routing-instances VPN-A protocols bgp group VPN-A neighbor 10.1.2.1
From gobgp5, inject a FlowSpec rule that redirects into mx2's VRF (VPN-A).
root@ubuntu:~# gobgp global rib -a ipv4-flowspec add match destination 4.4.4.4/32 source 3.3.3.3/32 then redirect 10:10
root@ubuntu:~# gobgp global rib -a ipv4-flowspec
   Network                                     Next Hop     AS_PATH   Age        Attrs
*> [destination:4.4.4.4/32][source:3.3.3.3/32] fictitious             00:00:11   [{Origin: ?} {Extcomms: [redirect: 10:10]}]
Confirm that mx2 receives it as well.
root> show route table inetflow.0 detail

inetflow.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
4.4.4.4,3.3.3.3/term:1 (1 entry, 1 announced)
        *BGP    Preference: 170/-101
                Next hop type: Fictitious
                Address: 0x9297b44
                Next-hop reference count: 1
                State:
                Local AS:     2 Peer AS:     5
                Age: 1:22
                Validation State: unverified
                Task: BGP_5.10.2.5.5+42497
                Announcement bits (1): 0-Flow
                AS path: 5 ?
                Communities: redirect:10:10
                Accepted
                Localpref: 100
                Router ID: 10.2.5.5
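To make the gobgp command and the Junos output above concrete, here is an added example (not code from the post, gobgp or Junos) that builds and parses the wire encoding of exactly this FlowSpec route: the RFC 5575 NLRI with the destination-prefix and source-prefix components, and the `redirect:10:10` extended community (type 0x80, subtype 0x08, 2-octet AS form). It also implements a simplified version of the RFC 5575 section 6 validation that mx2 skips because of `family inet flow no-validate`: the peer that sends a flow route must be the same peer that sent the best-match unicast route for the destination prefix. The unicast RIB in the example is constructed from the topology on this page (4.4.4.4/32 learned from csr4 in AS 4, 3.3.3.3/32 from r3 in AS 3), and "originator" is simplified to "peer AS", which is an assumption of this example. Under that check, a flow route for 4.4.4.4/32 arriving from gobgp5 (AS 5) is rejected, which is presumably why the configuration needs `no-validate`; once validation is off and the import policy is `ps-accept` (accept everything), the flow peer can redirect traffic for any prefix, so that peer has to be trusted and its routes filtered.

```python
import ipaddress
import struct

# Component types from RFC 5575 section 4 (only the two used by the rule on this page)
DEST_PREFIX = 1
SRC_PREFIX = 2


def encode_prefix_component(ctype, prefix):
    """Type byte, prefix length in bits, then only as many address bytes as the length needs."""
    net = ipaddress.IPv4Network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def encode_flowspec_nlri(destination=None, source=None):
    """One RFC 5575 NLRI: 1-byte length below 240 (else 2 bytes, 0xFnnn) followed by components."""
    body = b""
    if destination is not None:
        body += encode_prefix_component(DEST_PREFIX, destination)
    if source is not None:
        body += encode_prefix_component(SRC_PREFIX, source)
    if len(body) < 240:
        return bytes([len(body)]) + body
    return struct.pack("!H", 0xF000 | len(body)) + body


def decode_flowspec_nlri(data):
    """Parse one NLRI; returns ({'destination': ..., 'source': ...}, remaining bytes)."""
    if data[0] >= 0xF0:
        length, pos = struct.unpack("!H", data[:2])[0] & 0x0FFF, 2
    else:
        length, pos = data[0], 1
    end = pos + length
    if end > len(data):
        raise ValueError("NLRI length exceeds buffer")
    comps = {}
    while pos < end:
        ctype = data[pos]
        pos += 1
        if ctype not in (DEST_PREFIX, SRC_PREFIX):
            raise ValueError(f"component type {ctype} not handled by this example")
        plen = data[pos]
        pos += 1
        if plen > 32:
            raise ValueError("bad prefix length")
        nbytes = (plen + 7) // 8
        raw = data[pos:pos + nbytes]
        if len(raw) != nbytes:
            raise ValueError("truncated prefix component")
        pos += nbytes
        net = ipaddress.IPv4Network((raw + b"\x00" * (4 - nbytes), plen), strict=False)
        comps["destination" if ctype == DEST_PREFIX else "source"] = str(net)
    return comps, data[end:]


def encode_redirect_vrf(asn, local_admin):
    """Redirect extended community (RFC 5575 section 7): type 0x80, subtype 0x08, 2-byte AS + 4-byte value."""
    return struct.pack("!BBHI", 0x80, 0x08, asn, local_admin)


def decode_redirect_vrf(ext):
    etype, subtype, asn, local_admin = struct.unpack("!BBHI", ext)
    if (etype, subtype) != (0x80, 0x08):
        raise ValueError("not a 2-octet-AS redirect extended community")
    return f"redirect:{asn}:{local_admin}"


def validate_flowspec(comps, flowspec_peer_as, unicast_rib):
    """Simplified RFC 5575 section 6 check (assumption: originator == peer AS):
    the flow route is accepted only if the best-match unicast route for its
    destination prefix was learned from the same peer AS. unicast_rib maps
    prefix -> peer AS the unicast route came from."""
    dest = ipaddress.IPv4Network(comps["destination"])
    best = None
    for prefix, origin_as in unicast_rib.items():
        net = ipaddress.IPv4Network(prefix)
        if dest.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, origin_as)
    return best is not None and best[1] == flowspec_peer_as


if __name__ == "__main__":
    nlri = encode_flowspec_nlri("4.4.4.4/32", "3.3.3.3/32")
    comps, _ = decode_flowspec_nlri(nlri)
    # Constructed unicast RIB for mx2: 4.4.4.4/32 from csr4 (AS 4), 3.3.3.3/32 from r3 (AS 3)
    rib = {"3.3.3.3/32": 3, "4.4.4.4/32": 4}
    print(nlri.hex(), comps, decode_redirect_vrf(encode_redirect_vrf(10, 10)))
    print("flow route from AS 5 passes validation:", validate_flowspec(comps, 5, rib))
    print("flow route from AS 4 passes validation:", validate_flowspec(comps, 4, rib))
```

Running the module prints the NLRI as `0c012004040404022003030303` (length 12, then `01 20 04.04.04.04` and `02 20 03.03.03.03`) and the community as `8008000a0000000a`; the validation call returns False for AS 5 and True for AS 4, which is the behaviour `no-validate` switches off on mx2.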
With this, pings destined for csr4 are forwarded to xrv1.
gobgp does not do forwarding on its own, so in this setup gobgp needs the FIB manipulation configuration.
If you configure it exactly as described there, it can be used like quagga.
github.com
Check with traceroute in this state.
r3#traceroute 4.4.4.4 so 3.3.3.3
Type escape sequence to abort.
Tracing the route to 4.4.4.4
VRF info: (vrf in name/id, vrf out name/id)
  1 10.2.3.2 2 msec 2 msec 2 msec
  2 10.1.2.1 3 msec 4 msec 2 msec
  3 10.1.5.5 4 msec 5 msec 5 msec
  4 10.4.5.4 5 msec 52 msec *
I was able to get the path I expected.
I couldn't figure out how to tilt shapes in Paint. I didn't have the energy to look it up either, so I did it the rough way.
Next time I'd like to try something like RPKI.