GoBGP Route Server 101

This presentation was given at the 34th Euro-IX Forum.

Nasato Goto

April 02, 2019

Transcript

  11. 12.

    ```
    ### download binaries
    rs $ wget https://github.com/osrg/gobgp/releases/download/v2.2.0/gobgp_2.2.0_linux_amd64.tar.gz
    rs $ tar zxf gobgp_2.2.0_linux_amd64.tar.gz
    ### copy them to somewhere under $PATH
    rs $ cp gobgp gobgpd /usr/local/sbin/
    ```
  12. 13.

    ```
    ### build binaries
    rs $ export GO111MODULE=on
    rs $ git clone https://github.com/osrg/gobgp
    rs $ cd gobgp && go mod download
    rs $ cd cmd && go install ./...
    ### copy them to somewhere under $PATH
    rs $ cp $GOPATH/bin/gobgp* /usr/local/sbin/
    ### optional: install shell completion for gobgp command
    rs $ cp $GOPATH/src/github.com/osrg/gobgp/tools/completion/*.bash /etc/bash_completion.d/
    ```
  14. 15.

    ```
    ### create a unit file for gobgpd
    ### (the heredoc delimiter is quoted so the shell does not expand $MAINPID)
    rs $ cat << 'EOF' > /etc/systemd/system/gobgpd.service
    [Unit]
    Description=gobgpd
    After=network.target syslog.target

    [Service]
    Type=simple
    PermissionsStartOnly=yes
    User=gobgpd
    SyslogIdentifier=gobgpd
    ExecStartPre=/sbin/setcap 'cap_net_bind_service=+ep' /usr/local/sbin/gobgpd
    ExecStart=/usr/local/sbin/gobgpd -f /etc/gobgp/gobgpd.yaml -t yaml --cpus=2
    ExecReload=/bin/kill -s HUP $MAINPID
    ExecStop=/bin/kill -s TERM $MAINPID

    [Install]
    WantedBy=multi-user.target
    EOF
    rs $ systemctl daemon-reload
    ```
  15. 16.

    ```
    Application Options:
      -f, --config-file=      specifying a config file
      -t, --config-type=      specifying config type (toml, yaml, json) (default: toml)
      -l, --log-level=        specifying log level
      -p, --log-plain         use plain format for logging (json by default)
      -s, --syslog=           use syslogd
          --syslog-facility=  specify syslog facility
          --disable-stdlog    disable standard logging
          --cpus=             specify the number of CPUs to be used
          --api-hosts=        specify the hosts that gobgpd listens on (default: :50051)
      -r, --graceful-restart  flag restart-state in graceful-restart capability
      -d, --dry-run           check configuration
          --pprof-host=       specify the host that gobgpd listens on for pprof (default: localhost:6060)
          --pprof-disable     disable pprof profiling
          --sdnotify          use sd_notify protocol
          --tls               enable TLS authentication for gRPC API
          --tls-cert-file=    The TLS cert file
          --tls-key-file=     The TLS key file
          --version           show version number
    ```
  17. 18.

    ```
    ### copy fill-in-the-blank config file
    rs $ cp /vagrant/configs/rs/gobgpd.yaml /etc/gobgp/gobgpd.yaml
    ### edit to fill it according to instructions
    rs $ vim /etc/gobgp/gobgpd.yaml
    ```

    ```yaml
    ### global setting: from
    global:
      config:
        as: 64686
        router-id: 10.173.176.211
    ### global setting: to
    ```
  18. 19.

    ```
    ### copy source is here!
    rs $ less /vagrant/configs/rs/step-by-step.yaml
    ### answer is here!
    rs $ less /vagrant/configs/rs/gobgpd.yaml.complete
    ```
  19. 20.

    ```yaml
    ### global setting: from
    global:
      config:
        as: 64686
        router-id: 10.173.176.211
    ### global setting: to
    ```
  20. 21.

    ```
    rs $ systemctl start gobgpd
    rs $ systemctl status gobgpd
    • gobgpd.service - gobgpd
       Loaded: loaded (/etc/systemd/system/gobgpd.service; disabled; vendor preset: enabled)
       Active: active (running) since Sun 2019-03-24 07:25:59 UTC; 3s ago
      Process: 594 ExecStartPre=/sbin/setcap cap_net_bind_service=+ep /usr/local/sbin/gobgpd (code=exited, status=0/SUCCESS)
     Main PID: 596 (gobgpd)
        Tasks: 9 (limit: 4915)
       CGroup: /system.slice/gobgpd.service
               └─596 /usr/local/sbin/gobgpd -f /etc/gobgp/gobgpd.conf -t yaml --cpus=2

    Mar 24 07:25:59 rs systemd[1]: Starting gobgpd...
    Mar 24 07:25:59 rs systemd[1]: Started gobgpd.
    Mar 24 07:25:59 rs gobgpd[596]: {"level":"info","msg":"gobgpd started","time":"2019-03-24T07:25:59Z"}
    Mar 24 07:25:59 rs gobgpd[596]: {"Topic":"Config","level":"info","msg":"Finished reading the config file","time":"2019-03-24T07:25:59Z"}
    ```
  22. 23.

    ```
    ### check log via journald
    rs $ journalctl -f -u gobgpd
    -- Logs begin at Sat 2019-03-23 13:11:23 UTC. --
    Mar 24 07:25:59 rs systemd[1]: Starting gobgpd...
    Mar 24 07:25:59 rs systemd[1]: Started gobgpd.
    Mar 24 07:25:59 rs gobgpd[596]: {"level":"info","msg":"gobgpd started","time":"2019-03-24T07:25:59Z"}
    Mar 24 07:25:59 rs gobgpd[596]: {"Topic":"Config","level":"info","msg":"Finished reading the config file","time":"2019-03-24T07:25:59Z"}
    ### check log via file (via rsyslog through systemd/journald)
    rs $ tailf /var/log/gobgpd.log
    Mar 24 07:25:59 rs systemd[1]: Starting gobgpd...
    Mar 24 07:25:59 rs systemd[1]: Started gobgpd.
    Mar 24 07:25:59 rs gobgpd[596]: {"level":"info","msg":"gobgpd started","time":"2019-03-24T07:25:59Z"}
    Mar 24 07:25:59 rs gobgpd[596]: {"Topic":"Config","level":"info","msg":"Finished reading the config file","time":"2019-03-24T07:25:59Z"}
    ```
  24. 25.

    ```yaml
    neighbors:
      ### neighbor 10.173.176.101 setting: from
      - config:
          neighbor-address: 10.173.176.101
          peer-as: 65001
          auth-password: pass65001
          admin-down: false
        timers:
          config:
            hold-time: 90
            keepalive-interval: 30
        transport:
          config:
            passive-mode: true
        route-server:
          config:
            route-server-client: true
            secondary-route: true
        afi-safis:
          - config:
              afi-safi-name: ipv4-unicast
            prefix-limit:
              config:
                max-prefixes: 2000
        apply-policy:
          config:
            default-import-policy: reject-route
            default-export-policy: reject-route
      ### neighbor 10.173.176.101 setting: to
    ```
  25. 26.

    ```
    rs $ systemctl reload gobgpd
    ```
  26. 27.

    ```
    rs $ gobgp neighbor
    Peer               AS  Up/Down State       |#Received  Accepted
    10.173.176.101  65001    never Active      |        0         0
    10.173.176.102  65002 00:00:45 Establ      |        2         2
    10.173.176.103  65003 00:00:49 Establ      |        1         1
    ### wait for a while
    rs $ gobgp neighbor
    Peer               AS  Up/Down State       |#Received  Accepted
    10.173.176.101  65001 00:00:05 Establ      |        4         4
    10.173.176.102  65002 00:00:03 Establ      |        2         2
    10.173.176.103  65003 00:00:01 Establ      |        1         1
    ```
  27. 28.

    ```
    rs $ gobgp neighbor 10.173.176.101
    BGP neighbor is 10.173.176.101, remote AS 65001, route-server-client
      BGP version 4, remote router ID 10.1.0.101
      BGP state = ESTABLISHED, up for 00:01:53
      BGP OutQ = 0, Flops = 0
      Hold time is 90, keepalive interval is 30 seconds
      Configured hold time is 90, keepalive interval is 30 seconds

      Neighbor capabilities:
        multiprotocol:
            ipv4-unicast:            advertised and received
        route-refresh:               advertised and received
        graceful-restart:            received
            Remote: notification flag set
        4-octet-as:                  advertised and received
        long-lived-graceful-restart: received
        cisco-route-refresh:         received
      Message statistics:
                             Sent       Rcvd
        Opens:                  1          1
        Notifications:          0          0
        Updates:                3          1
        Keepalives:             4          5
      : (snip)
    ```
  28. 29.

    ```
    ### check received routes
    rs $ gobgp neighbor 10.173.176.101 adj-in
       ID  Network      Next Hop        AS_PATH                              Age       Attrs
    N  0   10.1.0.0/16  10.173.176.101  65001                                00:32:26  [{Origin: i}]
    N  0   10.1.1.0/24  10.173.176.101  65001 65001 65001 65001 65001 65001  00:32:26  [{Origin: i}]
    N  0   10.1.2.0/24  10.173.176.101  65111 65001                          00:32:26  [{Origin: i}]
    N  0   10.1.3.0/24  10.173.176.101  65001                                00:32:26  [{Origin: i}]
    ### check received routes with `-j` to see JSON format
    rs $ gobgp -j neighbor 10.173.176.101 adj-in | python -mjson.tool
    {
        "10.1.0.0/16": [
            {
                "age": 1553413176,
                "attrs": [
                    {
                        "type": 1,
                        "value": 0
                    },
    : (snip)
    ```
  30. 31.

    `gobgp neighbor <A's IP> adj-in`

    `gobgp neighbor <A's IP> local`

    `gobgp neighbor <A's IP> adj-out`
  31. 32.

    • gobgp neighbor xxxx adj-in
    • gobgp neighbor xxxx adj-out
    • gobgp neighbor xxxx local
  32. 33.

    • gobgp neighbor xxxx {accepted|rejected}
  35. 37.

    ```yaml
    ### example
    policy-definitions:
      - name: MY-IMPORT-POLICY1
        statements:
          - actions: ...
          - conditions: ...
    ```

    ```yaml
    ### example
    neighbors:
      - config:
          neighbor-address: x.x.x.x
        ...
        apply-policy:
          config:
            import-policy-list:
              - MY-IMPORT-POLICY1
    ```
  37. 39.

    ```yaml
    defined-sets:
      prefix-sets:
        ### prefix list for AS65001 setting: from
        - prefix-set-name: AS65001-PREFIX
          prefix-list:
            - ip-prefix: 10.1.0.0/16
        ### prefix list for AS65001 setting: to
        : (snip)
      bgp-defined-sets:
        as-path-sets:
          ### as path list for AS65001 setting: from
          - as-path-set-name: AS65001-PEER
            as-path-list:
              - ^65001_
          - as-path-set-name: AS65001-ORIGIN
            as-path-list:
              - _65001$
          ### as path list for AS65001 setting: to
    ```
  38. 40.

    (continued from previous page)

    ```yaml
        community-sets:
          ### community list for AS65001 setting: from
          - community-set-name: NOT-EXPORT-TO-AS65001
            community-list:
              - 0:65001
          - community-set-name: EXPORT-TO-AS65001
            community-list:
              - 64686:65001
          ### community list for AS65001 setting: to
          : (snip)
        large-community-sets:
          ### large community list for AS65001 setting: from
          - large-community-set-name: NOT-EXPORT-TO-AS65001
            large-community-list:
              - 64686:0:65001
          - large-community-set-name: EXPORT-TO-AS65001
            large-community-list:
              - 64686:1:65001
          ### large community list for AS65001 setting: to
    ```
  39. 41.

    ```
    rs $ systemctl reload gobgpd
    ### check loaded defined-sets
    rs $ gobgp policy prefix AS65001-PREFIX
    NAME            PREFIX
    AS65001-PREFIX  10.1.0.0/16  16..16
    rs $ gobgp policy as-path | egrep 'NAME|AS65001'
    NAME            AS-PATH
    AS65001-ORIGIN  _65001$
    AS65001-PEER    ^65001(^|[,{}() ]|$)
    rs $ gobgp policy community | egrep 'NAME|AS65001'
    NAME                   COMMUNITY
    EXPORT-TO-AS65001      ^64686:65001$
    NOT-EXPORT-TO-AS65001  ^0:65001$
    rs $ gobgp policy large-community | egrep 'NAME|AS65001'
    NAME                   LARGE-COMMUNITY
    EXPORT-TO-AS65001      ^64686:1:65001$
    NOT-EXPORT-TO-AS65001  ^64686:0:65001$
    ```
  41. 43.

    ```yaml
    policy-definitions:
      ### import policy for AS65001 setting: from
      - name: AS65001-IMPORT
        statements:
          - actions:
              bgp-actions:
                set-large-community:
                  options: remove
                  set-large-community-method:
                    communities-list:
                      - ^64686:1[0-9]{3}:[0-9]*$
          - conditions:
              bgp-conditions:
                as-path-length:
                  operator: ge
                  value: 5
            actions:
              bgp-actions:
                set-large-community:
                  options: add
                  set-large-community-method:
                    communities-list:
                      - 64686:1101:5
              route-disposition: reject-route
    ```
  42. 44.

    ```yaml
          - conditions:
              bgp-conditions:
                match-as-path-set:
                  as-path-set: AS65001-PEER
                  match-set-options: invert
            actions:
              bgp-actions:
                set-large-community:
                  options: add
                  set-large-community-method:
                    communities-list:
                      - 64686:1101:7
              route-disposition: reject-route
          - conditions:
              match-prefix-set:
                prefix-set: BOGON
            actions:
              bgp-actions:
                set-large-community:
                  options: add
                  set-large-community-method:
                    communities-list:
                      - 64686:1101:3
              route-disposition: reject-route
    ```
  43. 45.

    ```yaml
          - conditions:
              bgp-conditions:
                match-as-path-set:
                  as-path-set: AS65001-ORIGIN
                  match-set-options: invert
            actions:
              bgp-actions:
                set-large-community:
                  options: add
                  set-large-community-method:
                    communities-list:
                      - 64686:1101:10
              route-disposition: reject-route
          - conditions:
              match-prefix-set:
                prefix-set: AS65001-PREFIX
                match-set-options: invert
            actions:
              bgp-actions:
                set-large-community:
                  options: add
                  set-large-community-method:
                    communities-list:
                      - 64686:1101:9
              route-disposition: reject-route
    ```
  44. 46.

    ```yaml
          - actions:
              bgp-actions:
                set-large-community:
                  options: add
                  set-large-community-method:
                    communities-list:
                      - 64686:1001:1
          - conditions:
              bgp-conditions:
                rpki-validation-result: invalid
            actions:
              bgp-actions:
                set-large-community:
                  options: add
                  set-large-community-method:
                    communities-list:
                      - 64686:1101:13
              route-disposition: reject-route
      ### import policy for AS65001 setting: to
    ```
  46. 48.

    ```yaml
      ### export policy for AS65001 setting: from
      - name: AS65001-EXPORT
        statements:
          - conditions:
              bgp-conditions:
                match-community-set:
                  community-set: NOT-EXPORT-TO-AS65001
            actions:
              route-disposition: reject-route
          - conditions:
              bgp-conditions:
                match-large-community-set:
                  large-community-set: NOT-EXPORT-TO-AS65001
            actions:
              route-disposition: reject-route
    ```
  47. 49.

    ```yaml
          - conditions:
              bgp-conditions:
                match-community-set:
                  community-set: EXPORT-TO-AS65001
            actions:
              bgp-actions:
                set-community:
                  options: remove
                  set-community-method:
                    communities-list:
                      - ^(0|64686):[0-9]+$
                set-large-community:
                  options: remove
                  set-large-community-method:
                    communities-list:
                      - ^64686:[0-9]{1}:[0-9]*$
                      - ^64686:[0-9]{3}:[0-9]*$
              route-disposition: accept-route
    ```
  48. 50.

    ```yaml
          - conditions:
              bgp-conditions:
                match-large-community-set:
                  large-community-set: EXPORT-TO-AS65001
            actions:
              bgp-actions:
                set-large-community:
                  options: remove
                  set-large-community-method:
                    communities-list:
                      - ^64686:[0-9]{1}:[0-9]*$
                      - ^64686:[0-9]{3}:[0-9]*$
              route-disposition: accept-route
          - conditions:
              bgp-conditions:
                match-community-set:
                  community-set: NOT-EXPORT-TO-ALL
            actions:
              route-disposition: reject-route
          - conditions:
              bgp-conditions:
                match-large-community-set:
                  large-community-set: NOT-EXPORT-TO-ALL
            actions:
              route-disposition: reject-route
    ```
  49. 51.

    ```yaml
          - actions:
              bgp-actions:
                set-community:
                  options: remove
                  set-community-method:
                    communities-list:
                      - ^(0|64686):[0-9]+$
                set-large-community:
                  options: remove
                  set-large-community-method:
                    communities-list:
                      - ^64686:[0-9]{1}:[0-9]*$
                      - ^64686:[0-9]{3}:[0-9]*$
      ### export policy for AS65001 setting: to
    ```
  50. 52.

    ```yaml
    neighbors:
      - config:
          neighbor-address: 10.173.176.101
        : (snip)
        apply-policy:
          config:
            default-import-policy: reject-route
            default-export-policy: reject-route
      ### neighbor 10.173.176.101 setting: to
    ```

    ```yaml
    neighbors:
      - config:
          neighbor-address: 10.173.176.101
        : (snip)
        apply-policy:
          config:
            default-import-policy: accept-route
            import-policy-list:
              - AS65001-IMPORT
            default-export-policy: accept-route
            export-policy-list:
              - AS65001-EXPORT
      ### neighbor 10.173.176.101 setting: to
    ```
  51. 53.

    ```
    ### check received routes from AS65001
    rs $ gobgp neighbor 10.173.176.101 adj-in
       ID  Network      Next Hop        AS_PATH                              Age       Attrs
    N  0   10.1.0.0/16  10.173.176.101  65001                                00:32:26  [{Origin: i}]
    N  0   10.1.1.0/24  10.173.176.101  65001 65001 65001 65001 65001 65001  00:32:26  [{Origin: i}]
    N  0   10.1.2.0/24  10.173.176.101  65111 65001                          00:32:26  [{Origin: i}]
    N  0   10.1.3.0/24  10.173.176.101  65001                                00:32:26  [{Origin: i}]
    ### check advertised routes to AS65001
    rs $ gobgp neighbor 10.173.176.101 adj-out
    Network not in table
    ### check advertised routes to AS65002, from AS65001
    rs $ gobgp neighbor 10.173.176.102 adj-out | grep 10.173.176.101
    rs $
    ```
  52. 54.

    ```
    rs $ systemctl reload gobgpd
    ### check advertised routes to AS65001
    rs $ gobgp neighbor 10.173.176.101 adj-out
       ID  Network      Next Hop        AS_PATH  Attrs
    N  1   10.2.0.0/16  10.173.176.102  65002    [{Origin: i} {LargeCommunity: [ 64686:1001:1]}]
    N  1   10.3.0.0/16  10.173.176.103  65003    [{Origin: i} {LargeCommunity: [ 64686:1001:1]}]
    ```
  53. 55.

    ```
    ### check advertised routes to AS65002, from AS65001
    rs $ gobgp neighbor 10.173.176.102 adj-out
       ID  Network      Next Hop        AS_PATH  Attrs
    N  1   10.1.0.0/16  10.173.176.101  65001    [{Origin: i} {LargeCommunity: [ 64686:1001:1]}]
    N  1   10.3.0.0/16  10.173.176.103  65003    [{Origin: i} {LargeCommunity: [ 64686:1001:1]}]
    ```
  54. 56.

    ```
    ### check received routes from AS65002
    rs $ gobgp neighbor 10.173.176.102 adj-in
       ID  Network       Next Hop        AS_PATH  Age       Attrs
    N  0   10.2.0.0/16   10.173.176.102  65002    09:15:55  [{Origin: i}]
    N  0   10.23.0.0/16  10.173.176.102  65002    09:15:55  [{Origin: i} {LargeCommunity: [ 64686:0:65001]}]
    ### check advertised routes to AS65001
    rs $ gobgp neighbor 10.173.176.101 adj-out
       ID  Network      Next Hop        AS_PATH  Attrs
    N  1   10.2.0.0/16  10.173.176.102  65002    [{Origin: i} {LargeCommunity: [ 64686:1001:1]}]
    N  1   10.3.0.0/16  10.173.176.103  65003    [{Origin: i} {LargeCommunity: [ 64686:1001:1]}]
    ```
  55. 57.

    ```
    ### check advertised routes to AS65003
    rs $ gobgp neighbor 10.173.176.103 adj-out
       ID  Network       Next Hop        AS_PATH  Attrs
    N  1   10.1.0.0/16   10.173.176.101  65001    [{Origin: i} {LargeCommunity: [ 64686:1001:1]}]
    N  1   10.2.0.0/16   10.173.176.102  65002    [{Origin: i} {LargeCommunity: [ 64686:1001:1]}]
    N  1   10.23.0.0/16  10.173.176.102  65002    [{Origin: i} {LargeCommunity: [ 64686:1001:1]}]
    ```
  56. 58.

    ```
    ### login to r3 and advertise route
    r3> configure
    r3# set policy-options prefix-list my-prefixes 10.23.0.0/16
    r3# show | compare
    r3# commit check
    r3# commit
    ### advertised routes from AS65003
    rs $ gobgp neighbor 10.173.176.103 adj-in
       ID  Network       Next Hop        AS_PATH  Age       Attrs
    N  0   10.3.0.0/16   10.173.176.103  65003    09:28:29  [{Origin: i}]
    N  0   10.23.0.0/16  10.173.176.103  65003    00:00:02  [{Origin: i}]
    ```
  57. 59.

    ```
    ### check local RIB for AS65001
    rs $ gobgp neighbor 10.173.176.101 local
       Network       Next Hop        AS_PATH  Age       Attrs
    N*>10.2.0.0/16   10.173.176.102  65002    06:17:49  [{Origin: i} {LargeCommunity: [ 64686:1001:1]}]
    N*>10.3.0.0/16   10.173.176.103  65003    06:18:38  [{Origin: i} {LargeCommunity: [ 64686:1001:1]}]
    N*>10.23.0.0/16  10.173.176.102  65002    06:17:49  [{Origin: i} {LargeCommunity: [ 64686:0:65001, 64686:1001:1]}]
    N* 10.23.0.0/16  10.173.176.103  65003    00:00:40  [{Origin: i} {LargeCommunity: [ 64686:1001:1]}]
    ```
  58. 60.

    ```
    ### check advertised routes to AS65001
    rs $ gobgp neighbor 10.173.176.101 adj-out
       ID  Network       Next Hop        AS_PATH  Attrs
    N  1   10.2.0.0/16   10.173.176.102  65002    [{Origin: i} {LargeCommunity: [ 64686:1001:1]}]
    N  1   10.3.0.0/16   10.173.176.103  65003    [{Origin: i} {LargeCommunity: [ 64686:1001:1]}]
    N  1   10.23.0.0/16  10.173.176.103  65003    [{Origin: i} {LargeCommunity: [ 64686:1001:1]}]
    ```
  59. 61.

    ```yaml
    ### rpki setting: from
    rpki-servers:
      - config:
          address: 210.173.170.254
          port: 323
    ### rpki setting: to
    ```

    ```
    rs $ systemctl restart gobgpd
    ```
  60. 62.

    ```
    ### check RTR session
    rs $ gobgp rpki server
    Session              State  Uptime    #IPv4/IPv6 records
    210.173.170.254:323  Up     00:00:10  62964/11136
    ### check IPv4 ROA table
    rs $ gobgp rpki table | head -n5
    Network   Maxlen  AS     Server
    1.0.0.0   24      13335  210.173.170.254:323
    1.1.1.0   24      13335  210.173.170.254:323
    1.9.0.0   24      4788   210.173.170.254:323
    1.9.12.0  24      65037  210.173.170.254:323
    ### check IPv6 ROA table
    rs $ gobgp rpki table -a v6 | head -n5
    Network          Maxlen  AS    Server
    2001:200::       32      2500  210.173.170.254:323
    2001:200:136::   48      9367  210.173.170.254:323
    2001:200:900::   40      7660  210.173.170.254:323
    2001:200:8000::  35      4690  210.173.170.254:323
    ```
  61. 63.

    ```
    ### check RPKI validation result
    rs $ gobgp neighbor 10.173.176.101 adj-in
       ID  Network           Next Hop        AS_PATH  Age       Attrs
    I  0   1.0.0.0/24        10.173.176.101  7521     00:02:04  [{Origin: i}]
    N  0   10.1.0.0/16       10.173.176.101  7521     00:14:22  [{Origin: i}]
    V  0   210.173.160.0/24  10.173.176.101  7521     00:14:22  [{Origin: i}]
    ```
  62. 64.

    ```
    rs $ cp /vagrant/configs/rs/gobgpd.yaml.ipv6 /etc/gobgp/gobgpd.yaml
    rs $ systemctl reload gobgpd
    ```
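Added example (not from the slides or the GoBGP project): a small Python model of the AS65001-IMPORT and AS65001-EXPORT statements shown above, run over the adj-in routes listed for 10.173.176.101, to show why only 10.1.0.0/16 reaches the other peers and why a route tagged 64686:0:65001 is withheld from AS65001. The function names and the BOGON set contents are assumptions, and the NOT-EXPORT-TO-ALL statements are left out because their set contents are not shown.

```python
import ipaddress
import re

# Defined sets for AS65001, as configured on the slides.
PREFIX_SET = [(ipaddress.ip_network("10.1.0.0/16"), 16, 16)]  # AS65001-PREFIX 16..16
PEER_RE = re.compile(r"^65001( |$)")        # AS65001-PEER:   ^65001_
ORIGIN_RE = re.compile(r"(^| )65001$")      # AS65001-ORIGIN: _65001$
INFO_RE = re.compile(r"^64686:1[0-9]{3}:[0-9]*$")
# Assumption: the BOGON prefix-set is not shown on the slides (constructed value).
BOGONS = [ipaddress.ip_network("192.0.2.0/24")]
# Strip patterns from AS65001-EXPORT.
STD_STRIP = re.compile(r"^(0|64686):[0-9]+$")
LARGE_STRIP = [re.compile(r"^64686:[0-9]{1}:[0-9]*$"),
               re.compile(r"^64686:[0-9]{3}:[0-9]*$")]


def in_prefix_set(net):
    return any(net.subnet_of(p) and lo <= net.prefixlen <= hi
               for p, lo, hi in PREFIX_SET)


def import_as65001(prefix, as_path, large=(), rpki="not-found"):
    """Walk AS65001-IMPORT in statement order; return (disposition, large communities)."""
    net = ipaddress.ip_network(prefix)
    path = " ".join(str(asn) for asn in as_path)
    # Statement 1: remove any 64686:1xxx:* value that arrived with the route.
    lc = [c for c in large if not INFO_RE.match(c)]
    rejects = [
        (len(as_path) >= 5, "64686:1101:5"),                      # as-path-length ge 5
        (not PEER_RE.search(path), "64686:1101:7"),               # AS65001-PEER, invert
        (any(net.subnet_of(b) for b in BOGONS), "64686:1101:3"),  # BOGON
        (not ORIGIN_RE.search(path), "64686:1101:10"),            # AS65001-ORIGIN, invert
        (not in_prefix_set(net), "64686:1101:9"),                 # AS65001-PREFIX, invert
    ]
    for matched, reason in rejects:
        if matched:
            return "reject", lc + [reason]
    lc.append("64686:1001:1")          # no route-disposition: evaluation continues
    if rpki == "invalid":
        return "reject", lc + ["64686:1101:13"]
    return "accept", lc                # default-import-policy: accept-route


def export_to_as65001(std=(), large=()):
    """AS65001-EXPORT without the NOT-EXPORT-TO-ALL statements (sets not shown)."""
    if "0:65001" in std or "64686:0:65001" in large:   # NOT-EXPORT-TO-AS65001
        return "reject", list(std), list(large)
    # The EXPORT-TO-AS65001 statements and the final statement all strip the
    # route server's control communities before the route is sent.
    return ("accept",
            [c for c in std if not STD_STRIP.match(c)],
            [c for c in large if not any(r.match(c) for r in LARGE_STRIP)])


# adj-in from 10.173.176.101 as shown on the slides: (prefix, AS_PATH).
ADJ_IN_AS65001 = [
    ("10.1.0.0/16", [65001]),
    ("10.1.1.0/24", [65001] * 6),
    ("10.1.2.0/24", [65111, 65001]),
    ("10.1.3.0/24", [65001]),
]


def evaluate(routes):
    return {prefix: import_as65001(prefix, path) for prefix, path in routes}


if __name__ == "__main__":
    for prefix, (disposition, communities) in evaluate(ADJ_IN_AS65001).items():
        print(f"{prefix:14} {disposition:7} {communities}")
```

The 64686:1101:N value attached to a rejected route records which statement rejected it, so rejected routes can be grouped by cause.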