dbd3ff8826e6f222f5ab92c6f2a9758ba6fb30e1
howto/frr.md
... | ... | @@ -0,0 +1,176 @@ |
1 | +To quote from <https://frrouting.org/>: |
|
2 | + |
|
3 | +"FRRouting (FRR) is a free and open source Internet routing protocol suite for Linux and Unix platforms. It implements BGP, OSPF, RIP, IS-IS, PIM, LDP, BFD, Babel, PBR, OpenFabric and VRRP, with alpha support for EIGRP and NHRP." |
|
4 | + |
|
5 | +It features a similar configuration style to Cisco IOS. |
|
6 | + |
|
7 | +### Installation |
|
8 | +Install the `frr` and `frr-pythontools` package on your favourite Linux/BSD distribution. For BGP RPKI support, also install `frr-rpki`. _Make sure you are using frr version 8.5 or greater for IPv6 link local peerings._ |
|
9 | + |
|
10 | +- More installation options: <https://docs.frrouting.org/en/latest/installation.html> |
|
11 | +- Releases: <https://frrouting.org/release/> |
|
12 | + |
|
13 | +## Configuration |
|
14 | + |
|
15 | +Important cofiguration files: |
|
16 | +- `/etc/frr/daemons`: daemons that will be started |
|
17 | +- `/etc/frr/vtysh.conf`: configuration for the VTY shell |
|
18 | +- `/etc/frr/frr.conf`: configuration for the daemons |
|
19 | +- `/etc/frr/${DAEMON}.conf`: configuration for a single daemon (deprecated) |
|
20 | + |
|
21 | +It this guide, only BGP will be set up using the shared `/etc/frr/frr.conf`. |
|
22 | + |
|
23 | +### Daemons |
|
24 | + |
|
25 | +First, setup `/etc/frr/daemons`. As stated previously. this file specifies which daemons will be started. |
|
26 | + |
|
27 | +```diff |
|
28 | +--- /etc/frr/daemons |
|
29 | ++++ /etc/frr/daemons |
|
30 | +@@ -14,7 +14,7 @@ |
|
31 | + # |
|
32 | + # The watchfrr, zebra and staticd daemons are always started. |
|
33 | + # |
|
34 | +-bgpd=no |
|
35 | ++bgpd=yes |
|
36 | + ospfd=no |
|
37 | + ospf6d=no |
|
38 | + ripd=no |
|
39 | +``` |
|
40 | + |
|
41 | +### VTY shell |
|
42 | + |
|
43 | +To use the VTY shell, `/etc/frr/vtysh.conf` needs to be set up. _The `hostname` and `banner motd` also need to be entered there manually to be persistant._ |
|
44 | + |
|
45 | +``` |
|
46 | +service integrated-vtysh-config |
|
47 | +``` |
|
48 | + |
|
49 | +Unprivileged users need to be in the `frrvty` group to use `vtysh`. |
|
50 | + |
|
51 | +The VTY shell can be used to interact with running daemons and configure them. Changes made in the VTY shell can be written to `/etc/frr/frr.conf` using the `write` command. To enter configuration mode use the `configure` command. To get information about the available commands, press `?`. |
|
52 | + |
|
53 | +### Zebra |
|
54 | + |
|
55 | +Before configuring BGP, a few other things need to be set up. First, create a [prefix-list](https://docs.frrouting.org/en/latest/filter.html#ip-prefix-list) for the dn42 prefixes. That will be used to filter out non-dn42 routes to be announced to BGP. For that, open `/etc/frr/frr.conf` or `vtysh` in configuration mode and add: |
|
56 | + |
|
57 | +``` |
|
58 | +ip prefix-list dn42 seq 1 deny 172.22.166.0/24 le 32 |
|
59 | +ip prefix-list dn42 seq 1001 permit 172.20.0.0/24 ge 28 le 32 |
|
60 | +ip prefix-list dn42 seq 1002 permit 172.21.0.0/24 ge 28 le 32 |
|
61 | +ip prefix-list dn42 seq 1003 permit 172.22.0.0/24 ge 28 le 32 |
|
62 | +ip prefix-list dn42 seq 1004 permit 172.23.0.0/24 ge 28 le 32 |
|
63 | +ip prefix-list dn42 seq 1100 permit 172.20.0.0/14 ge 21 le 29 |
|
64 | +ip prefix-list dn42 seq 2001 permit 10.100.0.0/14 le 32 |
|
65 | +ip prefix-list dn42 seq 2002 permit 10.127.0.0/16 le 32 |
|
66 | +ip prefix-list dn42 seq 2003 permit 10.0.0.0/8 ge 15 le 24 |
|
67 | +ip prefix-list dn42 seq 3001 permit 172.31.0.0/16 le 32 |
|
68 | +ip prefix-list dn42 seq 9999 deny 0.0.0.0/0 le 32 |
|
69 | +! |
|
70 | +ipv6 prefix-list dn42v6 seq 1001 permit fd00::/8 ge 44 le 64 |
|
71 | +ipv6 prefix-list dn42v6 seq 9999 deny ::/0 le 128 |
|
72 | +``` |
|
73 | + |
|
74 | +This prefix list can be created yourself by following the instructions for Quagga in the `data/filter.txt` and `data/filter6.txt` files from the registry. |
|
75 | + |
|
76 | +Next create a [route-map](https://docs.frrouting.org/en/latest/routemap.html), which will be used for doing the actual filtering later. |
|
77 | + |
|
78 | +``` |
|
79 | +route-map dn42 permit 5 |
|
80 | + match ip address prefix-list dn42 |
|
81 | + set src <IPv4 address of the node> |
|
82 | +exit |
|
83 | +! |
|
84 | +route-map dn42v6 permit 5 |
|
85 | + match ipv6 address prefix-list dn42v6 |
|
86 | + set src <IPv6 address of the node> |
|
87 | +exit |
|
88 | +``` |
|
89 | + |
|
90 | +### BGP |
|
91 | + |
|
92 | +With the configuration of the daemons file and Zebra done, BGP can now be configured. |
|
93 | + |
|
94 | +``` |
|
95 | +router bgp <AS of the network> |
|
96 | + neighbor <IPv4 peer address> remote-as <Peer AS> |
|
97 | + neighbor <IPv6 peer address> remote-as <Peer AS> |
|
98 | + ! In case an IPv6 link local address is used to peer |
|
99 | + neighbor <IPv6 peer address> interface <Peer interface> |
|
100 | + ! |
|
101 | + address-family ipv4 unicast |
|
102 | + neighbor <IPv4 peer address> activate |
|
103 | + neighbor <IPv4 peer address> route-map dn42 in |
|
104 | + neighbor <IPv4 peer address> route-map dn42 out |
|
105 | + exit |
|
106 | + ! |
|
107 | + address-family ipv6 unicast |
|
108 | + neighbor <IPv6 peer address> activate |
|
109 | + neighbor <IPv6 peer address> route-map dn42v6 in |
|
110 | + neighbor <IPv6 peer address> route-map dn42v6 out |
|
111 | + exit |
|
112 | +exit |
|
113 | +``` |
|
114 | + |
|
115 | +With everything configured, the BGP session should come up. In the normal VTY shell mode the status of BGP peerings can be checked using the `show bgp summary` command. |
|
116 | + |
|
117 | +### Complete configuration example |
|
118 | + |
|
119 | +``` |
|
120 | +router bgp <Your AS here> |
|
121 | + neighbor <Peer IPv4> remote-as <Peer AS> |
|
122 | + neighbor <Peer IPv6> remote-as <Peer AS> |
|
123 | + ! In case an IPv6 link local address is used to peer |
|
124 | + neighbor <Peer IPv6> interface <Peer interface> |
|
125 | + ! |
|
126 | + address-family ipv4 unicast |
|
127 | + neighbor <IPv4 peer address> activate |
|
128 | + neighbor <IPv4 peer address> route-map dn42 in |
|
129 | + neighbor <IPv4 peer address> route-map dn42 out |
|
130 | + exit |
|
131 | + ! |
|
132 | + address-family ipv6 unicast |
|
133 | + neighbor <IPv6 peer address> activate |
|
134 | + neighbor <IPv6 peer address> route-map dn42v6 in |
|
135 | + neighbor <IPv6 peer address> route-map dn42v6 out |
|
136 | + exit |
|
137 | +exit |
|
138 | +! |
|
139 | +ip prefix-list dn42 seq 1 deny 172.22.166.0/24 le 32 |
|
140 | +ip prefix-list dn42 seq 1001 permit 172.20.0.0/24 ge 28 le 32 |
|
141 | +ip prefix-list dn42 seq 1002 permit 172.21.0.0/24 ge 28 le 32 |
|
142 | +ip prefix-list dn42 seq 1003 permit 172.22.0.0/24 ge 28 le 32 |
|
143 | +ip prefix-list dn42 seq 1004 permit 172.23.0.0/24 ge 28 le 32 |
|
144 | +ip prefix-list dn42 seq 1100 permit 172.20.0.0/14 ge 21 le 29 |
|
145 | +ip prefix-list dn42 seq 2001 permit 10.100.0.0/14 le 32 |
|
146 | +ip prefix-list dn42 seq 2002 permit 10.127.0.0/16 le 32 |
|
147 | +ip prefix-list dn42 seq 2003 permit 10.0.0.0/8 ge 15 le 24 |
|
148 | +ip prefix-list dn42 seq 3001 permit 172.31.0.0/16 le 32 |
|
149 | +ip prefix-list dn42 seq 9999 deny 0.0.0.0/0 le 32 |
|
150 | +! |
|
151 | +ipv6 prefix-list dn42v6 seq 1001 permit fd00::/8 ge 44 le 64 |
|
152 | +ipv6 prefix-list dn42v6 seq 9999 deny ::/0 le 128 |
|
153 | +! |
|
154 | +route-map dn42 permit 5 |
|
155 | + match ip address prefix-list dn42 |
|
156 | + set src <IPv4 address of the node> |
|
157 | +exit |
|
158 | +! |
|
159 | +route-map dn42v6 permit 5 |
|
160 | + match ipv6 address prefix-list dn42v6 |
|
161 | + set src <IPv6 address of the node> |
|
162 | +exit |
|
163 | +``` |
|
164 | + |
|
165 | +## Further reading |
|
166 | + |
|
167 | +### General things |
|
168 | + |
|
169 | +- FRR documentation: <https://docs.frrouting.org/en/latest> |
|
170 | +- FRR source code: <https://github.com/frrouting/frr> |
|
171 | + |
|
172 | +### Configuration tipps |
|
173 | + |
|
174 | +- Use [peer groups](https://docs.frrouting.org/en/latest/bgp.html#peer-groups) (_Strongly reccomended to limit the work neede to add new peers or change general configuration for may peers._) |
|
175 | +- `tab` and `?` are your best friends in the VTY shell |
|
176 | +- Use `find REGEX` in the VTY shell to find certain commands |
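Review bot: The Installation paragraph (diff line 8) tells readers to install `frr-rpki` for BGP RPKI support, but neither the BGP section (lines 94-113) nor the complete example (lines 119-163) configures an RPKI cache or a route-map clause that uses the validation result, so the import policy as documented rests on the static prefix lists alone. Either add a short RPKI subsection or state that RPKI validation is out of scope here and link to the FRR documentation for it. Two smaller points on the same sections: the complete example mixes placeholders for the same peer (`neighbor <Peer IPv4> remote-as <Peer AS>` at line 121 but `neighbor <IPv4 peer address> activate` at line 127), which should be unified so a reader substitutes one value consistently. The `dn42` and `dn42v6` route-maps containing `set src` are attached both `in` and `out`; if the source address is only meant for received routes, separate import and export maps would make that explicit. Please also fix the typos "cofiguration" (15), "It this guide" (21), "previously. this" (25), "persistant" (43), "tipps" (172), and "reccomended", "neede" and "may peers" (174). The `### Installation` heading (7) also sits above the first `##` heading and should be raised to `##`.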