Jump to: navigation, search

OpenBGPD configuration notes


Notes below on experimentation with OpenBGPD

Peers

  • Neighbor with password that will work with Cisco, Juniper, etc. Also setting attributes using methodology here. Even though this is an EBGP peer we're still going to announce all instead of announce self because self will only announce originating prefixes. All will allow you to pass your customer or peer prefxies as well.
AS 65000
router-id 4.1.1.2

neighbor 4.1.1.1 {
	remote-as 65001
	announce all

	descr "ebgp1"
	local-address   4.1.1.2
	tcp md5sig password secret

	set med 10
	set localpref 80
	set community 65000:180
}


Filters

Specific examples for OpenBGPD's filter syntax seem hard to come by, here's some documentation from my experimentation based on the bgpd.conf man page.

  • Apply community, med, localpref to a prefix
match from any prefix 4.0.0.0/8 set med 10
match from any prefix 4.0.0.0/8 set localpref 120
match from any prefix 4.0.0.0/8 set community 65000:220


  • Same as above but with macros matching multiple prefix
PREFIXES_TEST = "{ 4.0.0.0/8, 12.0.0.0/8, 66.1.2.0/24 }"
match from any prefix $PREFIXES_TEST set med 10
match from any prefix $PREFIXES_TEST set localpref 120
match from any prefix $PREFIXES_TEST set community 65000:220


  • Same again but condensed
PREFIXES_TEST = "{ 4.0.0.0/8, 12.0.0.0/8, 66.1.2.0/24 }"
match from any prefix $PREFIXES_TEST set { med 10, localpref 120, community 65000:220 }


  • Previous examples are for exact matches. Below will match anything in 4.0.0.0/8 (/9 is what's actually currently being advertised)
PREFIXES_TEST = "{ 4.0.0.0/8, 12.0.0.0/8 }"
match from any prefix $PREFIXES_TEST prefixlen >= 8 set { med 10, localpref 120, community 65000:220 }


  • And with AS numbers (AS must be uppercase!). This will match anywhere in the AS PATH.
AS_TEST = "{ 3356, 7018 }"
match from any AS $AS_TEST  set { med 99, localpref 199, community 65000:299 }


  • You can specify where the AS number is in the path as well, but not from a macro. Valid keywords that you can mix and match:
    • peer-as: leftmost AS number
    • source-as: rightmost AS number
    • transit-as: all but the rightmost AS number
match from any AS { source-as 3356, 7018 } set { med 99, localpref 199, community 65000:299 }


  • Only send prefixes to neighbor 10.170.7.203 with communities matching 65000:220
deny  to 10.170.7.203
allow to 10.170.7.203 community 65000:220


  • Same as above but with a macro for community:
COMMUNITY_TEST = "65000:220"
deny  to 10.170.7.203
allow to 10.170.7.203 community $COMMUNITY_TEST


  • Same again but to a group named IBGP that contains 10.170.7.203
COMMUNITY_TEST = "65000:220"
deny  to group IBGP
allow to group IBGP community $COMMUNITY_TEST


  • Apply attributes from a neighbor
COMMUNITY_TRANSIT       = "65000:180"
match from group GROUP-EBGP set community $COMMUNITY_TRANSIT
match from group GROUP-EBGP set med 10
match from group GROUP-EBGP set localpref 80


Originating networks

  • Use the network statement in the global config of bgpd.conf:
network 200.0.0.0/24


  • Set an attribute:
network 200.0.0.0/24 set localpref 140


  • Set multiple attributes:
network 200.0.0.0/24 set { localpref 140 med 10 community 65000:666 }


  • Or set multiple attributes and communities:
network 200.0.0.0/24 set { localpref 140 med 10 community 65000:666  community 65000:777 }


IPv6

  • Configuration is the same.
  • Use the inet6 keyword for your show commands.
  • The default config is ipv6 equivalents of the ipv4 filters. If you don't add any filters the deny from any will do just that- deny all ipv6. These seem to be sane default filters including an adaptation of these relaxed filters:
# filter out ipv6 prefixes longer than 48 bits
allow from any inet6 prefixlen <= 48 

# filter out ipv6 default route
deny from any inet6 prefix ::/0 prefixlen = 0

# bogons 
deny  from any inet6 prefix 3ffe::/16		prefixlen <= 128
deny  from any inet6 prefix 2001:db8::/32	prefixlen <= 128
deny  from any inet6 prefix 2001::/32		prefixlen <= 128
deny  from any inet6 prefix 2002::/16		prefixlen <= 128
deny  from any inet6 prefix 0000::/8		prefixlen <= 128
deny  from any inet6 prefix fe00::/9		prefixlen <= 128
deny  from any inet6 prefix ff00::/8		prefixlen <= 128
deny  from any inet6 prefix 0::/0		prefixlen <= 128
allow from any inet6 prefix 2000::/3		prefixlen <= 48 
allow from any inet6 prefix 2001::/32
allow from any inet6 prefix 2002::/16


Performance

Approximate BGP convergence times. Full feeds in these tests comes from a lowly 7200VXR NPE-400. OpenBSD 4.8 i386 running as VMs each with 1 CPU, 512MB ram on a Dell 1950 with dual Xeons and no CPU limit per VM, no VMWare tools installed. OpenBSD runnnig BGP between loopback interfaces reachable via OSPF.

Scenario 1

Tests are with full feeds (~350k prefixes), no filters on OpenBGPD. C1 is OpenBSD Client. Diagram:

[NPE-400] --- [OpenBSD C1]
  • No filters, RIB only: ~12 seconds
  • Full feed, no filters, RIB+FIB: ~17 seconds

Scenario 2

RR = Route Reflector, C is RR Client. Tests are when manually shuting down the BGP peer between NPE and RR 1. RR1 is feeding C1 by matching 5 communities each with their own allow rule totaling full feeds:

[NPE-400] --- [OpenBSD RR1] --- [OpenBSD C1]
  • 5 rules matching 5 communities: ~30 seconds

Scenario 3

RR1/RR2 = Route Reflectors, C1/2/3 are clients. Tests are when manually shuting down both BGP feeds peer between NPE and RR's. Same filters as above

            +--- [OpenBSD RR1] --- [OpenBSD C1]
            |                   \ /
[NPE-400] --|                    x [OpenBSD C2]
            |                   / \
            +--- [OpenBSD RR2] --- [OpenBSD C3]
  • Full convergence through to all clients ~1 minute


System Resources

CPU

Memory

Memory usage is stellar, this is with a full ipv4 and ipv6 view:

rr1# bgpctl show ip bgp memory
RDE memory statistics
   348715 IPv4 unicast network entries using 13.3M of memory
     4426 IPv6 unicast network entries using 242K of memory
   706282 rib entries using 43.1M of memory
   706339 prefix entries using 43.1M of memory
   124463 BGP path attribute entries using 14.2M of memory
    56191 BGP AS-PATH attribute entries using 2.7M of memory,
          and holding 124463 references
     7445 BGP attributes entries using 291K of memory
          and holding 89707 references
     7444 BGP attributes using 104K of memory
RIB using 117M of memory


Gotchas

  • DO NOT accidentally start a 2nd instance of bgpd or ospfd. Doing so will happily launch without warning and destroy your sessions from the first instance.


  • Most bgpd.conf settings take when you issue bgpctl reload. Some things such as tcp md5 passwords are not. If you add or remove a tcp md5sig password from a neighbor you must:
bgpctl reload
bgpctl neighbor <name> clear


  • Changing the announce setting on a neighbor such as from announce self to announce all will not take affect with a bgpctl reload / neighbor refresh. You must also clear as above.


  • If you are making changes to networks you're originating, editing the 'network' statement in the conf and ussuing bgpctl reload will not suffice without this patch. You must set attributes with bgpctl network syntax as follows:
bgpctl network add 200.0.0.0/24 localpref 140


  • Be sure to not set attributes as follows. Doing so will set ONLY that attribute and reset the others. If you were to issue these statements you'd end up with just community 65000:777 set, med 0, localpref 100.
bgpctl network add 200.0.0.0/24 localpref 140
bgpctl network add 200.0.0.0/24 med 10
bgpctl network add 200.0.0.0/24 community 65000:666 
bgpctl network add 200.0.0.0/24 community 65000:777


  • Instead you want something like this:
bgpctl network add 200.0.0.0/24 localpref 140 med 10 community 65000:666  community 65000:777