Saudações. Nesse artigo vou ensinar como o FRR funciona, como instalar no Debian e as principais configurações de roteamento.
1 – O que é o FRR e como funciona
FRR é um software de administração de protocolos de rede. Sua função e prover um framework de gestão de informações que serão usadas para provisionar configuração de rede no kernel Linux.
Nos termos de rede de computadores ele é um sistema de control-plane.
O FRR não roteia pacotes IP. Essa tarefa é realizada pelo Kernel Linux e os drivers de rede. O FRR é responsável apenas pela adição/remoção de rotas na camada de rede. Observe:
Conforme diagrama acima, os pacotes IP que entram nas interfaces de rede vão até o kernel para serem roteados no “kernel space”, lugar onde o kernel (drivers, módulos do kernel, protocolos de rede) rodam na CPU. Esses pacotes não interagem com os programas “user space”. Quando o FRR aprende uma rota por meio de um protocolo, ele injeta essas rotas na tabela do Kernel (ip route show).
O principal programa do pacote FRR é o “zebra”. Ele recebe esse nome herdando dos programas “Zebra” e “Quagga” que antecederam o FRR.
O Zebra é um sistema RIB – Router Information Base. Ele em si não provê nenhum protocolo de roteamento, mas coleta e reune informações de programas chamados “Clientes Zebra”. A rota que for informado com menor custo geral é tida como “melhor rota” e enviada ao Kernel para ser inserida na tabela (FIB – Forwarding Information Base – tabela de rotas do Kernel). Se o programa cliente responsável pela rota retirá-la da RIB o Zebra irá solicitar ao kernel que a remova da tabela FIB.
A RIB, FIB, Zebra e Kernel rodam todos na CPU, não existe FIB DE HARDWARE como em roteadores com separação de CPU entre RIB (Control-Plane) e FIB (ASIC/FPGA Data-Plane) como Cisco, Juniper, Huawei, etc…
Esse ambiente onde um roteador faz tudo na CPU é chamado de Soft-Router. Se a CPU parar de processar pacotes para processar um arquivo, a rede fica mais lenta esperando a CPU voltar a trabalhar nos pacotes!
Sistemas de Soft-Router são pobres em capacidades pois sofrem com interrupções de CPU provenientes do barramento PCI-Express, cada mensagem de interrupção (IRQ) empilha trabalho ao ser processada, essa pilha de processos esperando a vez de serem processados por gerar a uma crise de falta de tempo de CPU.
Por isso sistemas Soft-Routers são muito sensíveis a loops, broadcasts e ataques DDoS.
O Zebra – processo principal do pacote FRR – possui os seguintes clientes:
- vtysh: programa que provê um shell estilo Cisco para configurar o Zebra e os clientes;
- bgpd: implementa o protocolo MP-BGP;
- ospfd e ospf6d: implementa o protocolo OSPF;
- ripd e ripngd: implementa o protocolo RIP (RFC 2453 e RFC 2080);
- babeld: implementa o protocolo BABEL (RFC 8966);
- bfdd: implementa o protocolo BFD (RFC 5880 e RFC 5881);
- Demais protocolos: IS-IS (isisd), PIM-SM/MSDP (pimd), LDP/MPLS (ldpd), PBR, OpenFabric, VRRP, EIGRP, NHRP.
A execução do Zebra é critica para os sistemas clientes (zclients), quando um processo cliente (bgpd por exemplo) morrer, ele pode ser reiniciado separadamente mas se o zebra morrer todos os clientes caem, por isso o serviço FRR é gerido por um processo chamado watchfrr que monitora o zebra e os clientes para reiniciar o cliente ou a pilha inteira em caso de falhas:
A configuração do Zebra e dos clientes é concentrada no arquivo /etc/frr/frr.conf
2 – Instalando FRR
Execute os comandos para instalar o pacote FRR:
Bash
# Atualizar:
apt -y update; apt -y upgrade; apt -y dist-upgrade; apt -y autoremove;
# Instalar FRR:
apt -y install frr frr-pythontools frr-rpki-rtrlib frr-snmp;
# Instalar comandos de rede:
apt -y install install iproute2;
# Instalar comando jq de analise de JSON:
apt -y install install jq;
# Ativar FRR durante o boot do Debian:
# - Arquivo de UNIT SystemD: /lib/systemd/system/frr.service
systemctl enable frr;
Na forma acima o FRR será instalado, mas somente o Zebra puro com suporta a rotas estáticas estará disponível (sem BGP, OSPF, BFD, etc…).
Para fazer uso dos protocolos é necessário ATIVAR O CLIENTE DESEJADO no arquivo /etc/frr/daemons e REINICIAR O FRR.
Ativando todos os clientes (rode as linhas dos protocolos desejados ou todos) alternado de “=no” para “=yes” nas linhas de declaração do /etc/frr/daemons, script facilitador:
Bash
# Ativar todos:
sed -i 's/bgpd=no/bgpd=yes/' /etc/frr/daemons;
sed -i 's/ospfd=no/ospfd=yes/' /etc/frr/daemons;
sed -i 's/ospf6d=no/ospf6d=yes/' /etc/frr/daemons;
sed -i 's/ripd=no/ripd=yes/' /etc/frr/daemons;
sed -i 's/ripngd=no/ripngd=yes/' /etc/frr/daemons;
sed -i 's/isisd=no/isisd=yes/' /etc/frr/daemons;
sed -i 's/pimd=no/pimd=yes/' /etc/frr/daemons;
sed -i 's/pim6d=no/pim6d=yes/' /etc/frr/daemons;
sed -i 's/ldpd=no/ldpd=yes/' /etc/frr/daemons;
sed -i 's/nhrpd=no/nhrpd=yes/' /etc/frr/daemons;
sed -i 's/eigrpd=no/eigrpd=yes/' /etc/frr/daemons;
sed -i 's/babeld=no/babeld=yes/' /etc/frr/daemons;
sed -i 's/sharpd=no/sharpd=yes/' /etc/frr/daemons;
sed -i 's/pbrd=no/pbrd=yes/' /etc/frr/daemons;
sed -i 's/bfdd=no/bfdd=yes/' /etc/frr/daemons;
sed -i 's/fabricd=no/fabricd=yes/' /etc/frr/daemons;
sed -i 's/vrrpd=no/vrrpd=yes/' /etc/frr/daemons;
sed -i 's/pathd=no/pathd=yes/' /etc/frr/daemons;
# Ativar pontualmente os mais usados (escolha do autor) - RECOMENDADO:
sed -i 's/bgpd=no/bgpd=yes/' /etc/frr/daemons;
sed -i 's/ospfd=no/ospfd=yes/' /etc/frr/daemons;
sed -i 's/ospf6d=no/ospf6d=yes/' /etc/frr/daemons;
sed -i 's/babeld=no/babeld=yes/' /etc/frr/daemons;
sed -i 's/pbrd=no/pbrd=yes/' /etc/frr/daemons;
sed -i 's/bfdd=no/bfdd=yes/' /etc/frr/daemons;
# Reiniciar apos alterar:
systemctl restart frr;
Preparando arquivos de logs:
Bash
# Diretorio de logs:
mkdir -p /var/log/frr;
# Arquivo de debug, caso necessario no futuro:
touch /var/log/frr/debug.log;
# Ajustar permissoes:
chown frr:frr /var/log/frr/debug.log;
Opcional – script para o comando “show” no terminal:
Bash
# - Comando: show
# Repassar para FRR VTYSH
(
echo '#!/bin/sh';
echo;
echo '[ "x$1" = "x" ] && exit 1';
echo 'cmd="show $@"';
echo 'vtysh -c "$cmd"';
echo;
) > /usr/bin/show;
chmod +x /usr/bin/show;
# Teste direto no shell bash:
show run;
Opcionalmente, altere a UNIT do SystemD para incluir:
- Subir o FRR apenas quando a rede (/etc/network/interfaces) estiver previamente configurada;
- Coletar informações do sistema antes de iniciar o FRR;
Bash
# Ajustes na UNIT Systemd
FRRUNIT=/lib/systemd/system/frr.service
# 1 - Coletar informacoes pre-execucao
egrep -q ExecStartPre $FRRUNIT || \
sed -i '/PIDFile/a ExecStartPre=-/usr/lib/frr/sysinfo.sh' $FRRUNIT;
# 1 - Subir apos o /etc/network/interfaces
#sed -i '/^After=/s/=.*/=network-pre.target systemd-sysctl.service network-online.target/' $FRRUNIT;
#sed -i '/OnFailure/a Requires=network-online.target' $FRRUNIT;
# Script script de informacoes do sistema que precede a execucao do FRR
(
echo '#!/bin/sh';
echo '';
echo '[ -d /run/frr ] || { mkdir /run/frr; chown frr:frr /run/frr; };';
echo 'SYSINF="/run/frr/sysinfo.inf";';
echo '[ -f "$SYSINF" ] && SYSINF="/run/frr/sysinfo.run";';
echo '(';
echo ' echo "# ip link show";';
echo ' ip link show;';
echo ' echo;';
echo ' echo "# ip -4 addr show";';
echo ' ip -4 addr show;';
echo ' echo;';
echo ' echo "# ip -6 addr show";';
echo ' ip -6 addr show;';
echo ' echo;';
echo ' echo "# ip -4 rule show";';
echo ' ip -4 rule show;';
echo ' echo;';
echo ' echo "# ip -6 rule show";';
echo ' ip -6 rule show;';
echo ' echo;';
echo ' echo "# ip -4 route show";';
echo ' ip -4 route show;';
echo ' echo;';
echo ' echo "# ip -6 route show";';
echo ' ip -6 route show;';
echo ' echo;';
echo ' echo "# ps aux";';
echo ' ps aux;';
echo ' echo;';
echo ') > $SYSINF;';
echo '';
) > /usr/lib/frr/sysinfo.sh;
chmod +x /usr/lib/frr/sysinfo.sh;
3 – Configurando serviços
Você pode executar comandos de visualização a partir do shell Linux usando o comando vtysh no seguinte formato: vtysh -c “comando do zebra aqui”
Exemplos:
Bash
# Extraindo resultados do Zebra:
vtysh -c "show run";
vtysh -c "show ip route";
vtysh -c "show ipv6 route";
vtysh -c "show interface";
vtysh -c "show interface brief";
# Saidas no formato JSON:
vtysh -c "show ip route json";
vtysh -c "show ipv6 route json";
vtysh -c "show interface json";
vtysh -c "show interface brief json";
A primeira forma de configurar o Zebra é iniciando o vtysh e rodar os comandos padrão Cisco:
Bash
# Entrar no Shell do Zebra:
vtysh;
Uma vez dentro do Zebra pelo vtysh, o terminal/shell só aceitará os comandos registrados e compatíveis com esse ambiente:
FRR VTYSH
Hello, this is FRRouting (version 10.3).
Copyright 1996-2005 Kunihiro Ishiguro, et al.
debian#
debian# show run
Building configuration...
Current configuration:
!
frr version 10.3
frr defaults traditional
hostname srv-w01
log syslog informational
service integrated-vtysh-config
!
end
debian# Principais comandos:
- Para exibir a configuração: show run
- Para entrar no modo configuração: configure terminal
- Sair do modo configuração e voltar na raiz do vtysh: end
- Para salvar a configuração: write
- Para sair do vtysh e voltar ao shell do linux: exit ou quit
- Ajuda – tecle interrogação ?
- Ajuda de um comando – digite o comando e tecle ? ou aperte TAB
- Limpar a tela – tecle as duas teclas: CONTROL L
- Interromper um comando (ping por exemplo): CONTROL C
A segunda forma de configurar é criando scripts e passam para o vtysh a sequência “configure” + “parâmetros” + “end” + “write” via pipeline.
No shell (terminal, bash) execute da seguinte maneira:
Bash
# Criar bloco de texto com os comandos e enviar via STDIN ao vtysh:
# - Ativar debug do FRR:
(
echo "configure terminal";
echo " log file /var/log/frr/debug.log";
echo " log syslog debugging ";
echo " end";
echo "write";
) | vtysh;
4 – Exemplos diversos
Vou deixar abaixo muitos exemplos de configurações para ajudar na escolha dos parâmetros. Só tem serventia se você entende o que está fazendo (pre-requisito: saber como os protocolos funcionam).
Geral:
Bash
# Suporte MPLS - opcional, somente para laboratórios, tome cuidado
# - Subir modulos manualmente:
#-modprobe mpls_router;
#-modprobe mpls_gso;
#-modprobe mpls_iptunnel;
# - Ativar modulo MPLS no boot
#-egrep -q mpls_router /etc/modules || echo mpls_router >> /etc/modules
#-egrep -q mpls_gso /etc/modules || echo mpls_gso >> /etc/modules
#-egrep -q mpls_iptunnel /etc/modules || echo mpls_iptunnel >> /etc/modules
# Exibir config atual:
vtysh -c 'show run';
# BOOT router-id padrão de todos os protocolos
(
echo "configure terminal";
echo " router-id 10.111.255.1";
echo " end";
echo "write";
) | vtysh;
# Prefix-Lists
(
echo "configure terminal";
echo " ip prefix-list PRIVATE-IPV4 seq 11 permit 10.0.0.0/8 le 32";
echo " ip prefix-list PRIVATE-IPV4 seq 12 permit 172.16.0.0/12 le 32";
echo " ip prefix-list PRIVATE-IPV4 seq 13 permit 192.168.0.0/16 le 32";
echo " ip prefix-list PRIVATE-IPV4 seq 14 permit 169.254.0.0/16 le 32";
echo " ip prefix-list PRIVATE-IPV4 seq 15 permit 100.64.0.0/10 le 32";
echo;
echo " ipv6 prefix-list ALLV6GLOBAL seq 10 deny 2001:db8::/32 le 128";
echo " ipv6 prefix-list ALLV6GLOBAL seq 99 permit 2000::/3 ge 4 le 48";
echo;
echo " ipv6 prefix-list GATEWAY-IPV6 seq 99 permit ::/0";
echo " ip prefix-list GATEWAY-IPV4 seq 10 permit 0.0.0.0/0";
echo;
echo " end";
echo "write";
) | vtysh;
# AS-Path
(
echo "configure terminal";
echo;
echo " bgp as-path access-list ASPATH-BLACKLIST permit _3549_";
echo " bgp as-path access-list ASPATH-BLACKLIST permit _3356_";
echo " bgp as-path access-list ASPATH-BLACKLIST permit _2639_";
echo " bgp as-path access-list ASPATH-BLACKLIST permit 61480$";
echo " bgp as-path access-list ASPATH-BLACKLIST permit 61480_[0-9]+$";
echo;
echo " bgp as-path access-list ASPATH-EMPTY permit ^$";
echo;
echo " bgp as-path access-list ASPATH-ALGAR permit _16735$";
echo;
echo " end";
echo "write";
) | vtysh;
# Community-List e uso em Route-Map
(
echo "configure terminal";
echo;
echo " bgp community-list standard C01-EXPORT-BLK seq 1 permit 65001:50167";
echo " bgp community-list standard C01-EXPORT-P1 seq 1 permit 65001:50101";
echo " bgp community-list standard C01-EXPORT-P2 seq 1 permit 65001:50102";
echo " bgp community-list standard C01-EXPORT-P3 seq 1 permit 65001:50103";
echo;
echo " route-map C01-EXPORT deny 1000";
echo " match community C01-EXPORT-BLK";
echo;
echo " route-map C01-EXPORT permit 1011";
echo " match community C01-EXPORT-P1";
echo;
echo " route-map C01-EXPORT permit 1012";
echo " match community C01-EXPORT-P2";
echo " set as-path prepend 65001";
echo;
echo " route-map C01-EXPORT permit 1013";
echo " match community C01-EXPORT-P3";
echo " set as-path prepend 65001 65001";
echo " end";
echo;
echo "write";
) | vtysh;
BFD:
Bash
# BOOT BFD
(
echo "configure terminal";
echo " bfd";
echo " profile OSPF-CLOUD";
echo " echo receive-interval 400";
echo " echo transmit-interval 400";
echo " receive-interval 400";
echo " transmit-interval 400";
echo " detect-multiplier 5";
echo " end";
echo "write";
) | vtysh;
# Analise BFD:
vtysh -c 'show bfd peer';
vtysh -c 'show bfd peer 192.168.10.1 counters';
vtysh -c 'show bfd peers brief';
vtysh -c 'show bfd peers counters';
vtysh -c 'show bfd vrf VRFNAME peers ';
OSPF:
Bash
# BOOT OSPFv2
(
echo "configure terminal";
echo " router ospf";
echo " router-id 10.111.255.1";
echo " log-adjacency-changes detail";
echo " graceful-restart";
echo " capability opaque";
echo " distance 110";
echo " end";
echo "write";
) | vtysh;
# BOOT OSPFv3
(
echo "configure terminal";
echo " router ospf6";
echo " ospf6 router-id 10.111.255.1";
echo " log-adjacency-changes detail";
echo " graceful-restart";
echo " distance 110";
echo " end";
echo "write";
) | vtysh;
# REDISTRIBUICAO SEGURA DE ROTAS CONECTADAS
(
echo "configure terminal";
echo;
echo " ip prefix-list OSPFV2-ROUTES seq 101 permit 10.0.0.0/8 ge 8 le 32";
echo " ip prefix-list OSPFV2-ROUTES seq 111 permit 10.201.0.0/16 ge 16 le 32";
echo;
echo " ip prefix-list OSPFV3-ROUTES seq 101 permit 2001:db8::/32 ge 32 le 128";
echo;
echo " route-map OSPF-IMPORT-CONN-IPV4 permit 10101";
echo " match ip address prefix-list OSPFV2-ROUTES";
echo " route-map OSPF-IMPORT-CONN-IPV4 deny 65535";
echo;
echo " route-map OSPF-IMPORT-CONN-IPV6 permit 10101";
echo " match ipv6 address prefix-list OSPFV3-ROUTES";
echo " route-map OSPF-IMPORT-CONN-IPV6 deny 65535";
echo;
echo " router ospf";
echo " redistribute connected route-map OSPF-IMPORT-CONN-IPV4";
echo;
echo " router ospf6";
echo " redistribute connected route-map OSPF-IMPORT-CONN-IPV6";
echo " end";
echo "write";
) | vtysh;
# Ativar OSPF nas interfaces ethernet
(
RTDEVS="eth0 eth1";
echo "configure terminal";
echo;
for dev in $RTDEVS; do
echo "interface $dev";
echo " ip ospf area 0.0.0.0";
echo " ip ospf network point-to-point";
echo " ip ospf cost 8800";
echo " ip ospf bfd";
echo " ip ospf bfd profile OSPF-CLOUD";
echo;
done
echo " end";
echo "write";
) | vtysh;
# OSPF com padrao passive
(
echo "configure terminal";
echo " router ospf";
echo " passive-interface default";
echo " no passive-interface eth0";
echo " no passive-interface eth1";
echo " end";
echo "write";
) | vtysh;
# OSPF - Interface personalizada
(
echo "configure terminal";
echo " interface eth9";
echo " ip ospf network broadcast";
echo " ip ospf area 0.0.0.0";
echo " ip ospf mtu-ignore";
echo " ip ospf bfd";
echo " ip ospf bfd profile OSPF-CLOUD";
echo " ip ospf hello-interval 10";
echo " ip ospf dead-interval 40";
echo " ip ospf cost 1";
echo " ip ospf priority 1";
echo " end";
echo "write";
) | vtysh;
# OSPF - Injetando rota parao
(
echo "configure terminal";
echo " router ospf";
echo " default-information originate";
echo " end";
echo "write";
) | vtysh;
# Analise OSPFv2 - IPv4:
vtysh -c 'show ip ospf';
vtysh -c 'show ip ospf neighbors';
vtysh -c 'show ip ospf neighbor eth0';
vtysh -c 'show ip ospf neighbor eth0 detail';
vtysh -c 'show ip ospf neighbor detail';
vtysh -c 'show ip ospf neighbor detail all';
vtysh -c 'show ip ospf neighbor detail all json';
vtysh -c 'show ip ospf database';
vtysh -c 'show ip ospf interface';
vtysh -c 'show ip ospf interface json';
vtysh -c 'show ip ospf interface traffic';
vtysh -c 'show ip ospf interface traffic eth0';
vtysh -c 'show ip ospf interface traffic eth0 json';
vtysh -c 'show ip ospf mpls-te interface';
vtysh -c 'show ip ospf mpls-te router';
vtysh -c 'show ip ospf route';
vtysh -c 'show ip ospf vrf';
# Analise OSPFv3 - IPv6:
vtysh -c 'show ipv6 ospf6';
vtysh -c 'show ipv6 ospf6 neighbor';
vtysh -c 'show ipv6 ospf6 neighbor detail';
vtysh -c 'show ipv6 ospf6 database';
vtysh -c 'show ipv6 ospf6 interface';
vtysh -c 'show ipv6 ospf6 interface traffic';
vtysh -c 'show ipv6 ospf6 interface traffic eth0';
vtysh -c 'show ipv6 ospf6 route';
BGP:
Bash
# BOOT BGP
(
echo "configure terminal";
echo " router bgp 65001";
echo " bgp log-neighbor-changes";
echo " bgp always-compare-med";
echo " no bgp ebgp-requires-policy";
echo " no bgp default ipv4-unicast";
echo " bgp deterministic-med";
echo " bgp graceful-shutdown";
echo " bgp bestpath as-path multipath-relax";
echo " bgp bestpath med confed missing-as-worst";
echo " no bgp network import-check";
echo " end";
echo "write";
) | vtysh;
# BGP - Router-Reflector fazendo peering para roteadores da rede
(
echo "configure terminal";
echo " router bgp 65001 ";
echo " neighbor 10.111.255.2 remote-as 65001";
echo " neighbor 10.111.255.2 update-source 10.111.255.1";
echo " neighbor 10.111.255.3 remote-as 65001";
echo " neighbor 10.111.255.3 update-source 10.111.255.1";
echo " neighbor 10.111.255.4 remote-as 65001";
echo " neighbor 10.111.255.4 update-source 10.111.255.1";
echo " address-family ipv4 unicast";
echo " neighbor 10.111.255.2 activate";
echo " neighbor 10.111.255.2 soft-reconfiguration inbound";
echo " neighbor 10.111.255.3 activate";
echo " neighbor 10.111.255.3 soft-reconfiguration inbound";
echo " neighbor 10.111.255.4 activate";
echo " neighbor 10.111.255.4 soft-reconfiguration inbound";
echo " end";
echo "write";
) | vtysh;
# BGP - Peering eBGP com cliente de transito (sem politica)
(
echo "configure terminal";
echo " router bgp 65001";
echo " neighbor 192.168.77.2 remote-as 61077";
echo " neighbor 192.168.77.2 solo";
echo " neighbor 192.168.77.2 timers connect 1";
echo " neighbor 192.168.77.2 timers 5 15";
echo;
echo " neighbor 2001:db8::2 remote-as 61077";
echo " neighbor 2001:db8::2 solo";
echo " neighbor 2001:db8::2 timers connect 1";
echo " neighbor 2001:db8::2 timers 5 15";
echo;
echo " address-family ipv4 unicast";
echo " neighbor 192.168.77.2 activate";
echo " neighbor 192.168.77.2 next-hop-self";
echo " neighbor 192.168.77.2 default-originate";
echo " neighbor 192.168.77.2 send-community all";
echo " neighbor 192.168.77.2 remove-private-AS all";
echo " neighbor 192.168.77.2 soft-reconfiguration inbound";
echo;
echo " address-family ipv6 unicast";
echo " neighbor 2001:db8::2 activate";
echo " neighbor 2001:db8::2 next-hop-self";
echo " neighbor 2001:db8::2 default-originate";
echo " neighbor 2001:db8::2 send-community all";
echo " neighbor 2001:db8::2 remove-private-AS all";
echo " neighbor 2001:db8::2 soft-reconfiguration inbound";
echo;
echo " end";
echo "write";
) | vtysh;
# BGP - Peering eBGP com cliente de transito com BFD de alta-frequencia
(
echo "configure terminal";
echo;
echo " bfd";
echo " profile BGP-FLASH";
echo " transmit-interval 100";
echo " receive-interval 100";
echo " echo-interval 100";
echo " detect-multiplier 4";
echo;
echo " router bgp 65001";
echo " neighbor 192.168.88.2 remote-as 61088";
echo " neighbor 192.168.88.2 password TULIPA77";
echo " neighbor 192.168.88.2 solo";
echo " neighbor 192.168.88.2 timers connect 1";
echo " neighbor 192.168.88.2 timers 5 15";
echo " neighbor 192.168.88.2 bfd profile BGP-FLASH";
echo;
echo " neighbor 2001:db8:88::2 remote-as 61088";
echo " neighbor 2001:db8:88::2 password TULIPA77";
echo " neighbor 2001:db8:88::2 solo";
echo " neighbor 2001:db8:88::2 timers connect 1";
echo " neighbor 2001:db8:88::2 timers 5 15";
echo " neighbor 2001:db8:88::2 bfd profile BGP-FLASH";
echo;
echo " address-family ipv4 unicast";
echo " neighbor 192.168.88.2 activate";
echo " neighbor 192.168.88.2 next-hop-self";
echo " neighbor 192.168.88.2 default-originate";
echo " neighbor 192.168.88.2 send-community all";
echo " neighbor 192.168.88.2 remove-private-AS all";
echo " neighbor 192.168.88.2 soft-reconfiguration inbound";
echo;
echo " address-family ipv6 unicast";
echo " neighbor 2001:db8:88::2 activate";
echo " neighbor 2001:db8:88::2 next-hop-self";
echo " neighbor 2001:db8:88::2 default-originate";
echo " neighbor 2001:db8:88::2 send-community all";
echo " neighbor 2001:db8:88::2 remove-private-AS all";
echo " neighbor 2001:db8:88::2 soft-reconfiguration inbound";
echo;
echo " end";
echo "write";
) | vtysh;
# BGP - Desativando peering do cliente
(
echo "configure terminal";
echo " router bgp 65001";
echo " neighbor 192.168.88.2 shutdown";
echo " neighbor 2001:db8:88::2 shutdown";
echo " end";
echo "write";
) | vtysh;
# BGP - Reativando peering do cliente
(
echo "configure terminal";
echo " router bgp 65001";
echo " no neighbor 192.168.88.2 shutdown";
echo " no neighbor 2001:db8:88::2 shutdown";
echo " end";
echo "write";
) | vtysh;
# BGP - DELETANDO peering do cliente (apagar config)
(
echo "configure terminal";
echo " router bgp 65001";
echo " no neighbor 192.168.88.2";
echo " no neighbor 2001:db8:88::2";
echo " end";
echo "write";
) | vtysh;
# BGP - Origem de prefixo (sem atributos)
(
echo "configure terminal";
echo " ip route 198.18.77.0/24 blackhole";
echo " ipv6 route 4001:fada::/32 blackhole";
echo " router bgp 65001";
echo " address-family ipv4 unicast";
echo " network 198.18.77.0/24";
echo " address-family ipv4 unicast";
echo " network 4001:fada::/32";
echo " end";
echo "write";
) | vtysh;
# BGP - Origem de prefixo (com atributos de origem, AS do prefixo alugado)
(
echo "configure terminal";
echo " ip route 198.19.128.0/22 blackhole";
echo " ipv6 route 4001:cafe::/32 blackhole";
echo;
echo " route-map ORIGIN-198-19-128-0M22 permit 65535";
echo " set as-path replace 65123";
echo " set community 65001:10090 65001:10092 65001:60071";
echo " set extcommunity rt 65001:10090 65001:10092 65001:60071";
echo " set local-preference 900";
echo " set metric 20";
echo;
echo " route-map ORIGIN-4001-CAFEM32 permit 65535";
echo " set as-path replace 65123";
echo " set community 65001:10090 65001:10092 65001:60071";
echo " set extcommunity rt 65001:10090 65001:10092 65001:60071";
echo " set local-preference 900";
echo " set metric 20";
echo;
echo " router bgp 65001";
echo " address-family ipv4 unicast";
echo " network 198.19.128.0/22 route-map ORIGIN-198-19-128-0M22";
echo " address-family ipv6 unicast";
echo " network 4001:cafe::/32 route-map ORIGIN-4001-CAFEM32";
echo " end";
echo "write";
) | vtysh;
# BGP - Peering por escuta passiva aberta
(
echo "configure terminal";
echo;
echo " route-map INTRANET-EXPORT-IPV4 permit 65535";
echo;
echo " route-map INTRANET-IMPORT-IPV4 permit 65535";
echo;
echo " route-map INTRANET-EXPORT-IPV6 permit 65535";
echo;
echo " route-map INTRANET-IMPORT-IPV6 permit 65535";
echo;
echo " route-map ORIGIN-GW permit 65535";
echo " set community 65001:10090 65001:10097";
echo " set extcommunity rt 65001:10090 65001:10097";
echo " set metric 1";
echo;
echo " router bgp 65001";
echo " neighbor INTRANETV4 peer-group";
echo " neighbor INTRANETV4 graceful-restart";
echo " neighbor INTRANETV4 remote-as external";
echo " neighbor INTRANETV4 description INTRANET_AUTOBGP_IPv4";
echo " neighbor INTRANETV4 passive";
echo " neighbor INTRANETV4 enforce-first-as";
echo " neighbor INTRANETV4 timers 10 40";
echo;
echo " neighbor INTRANETV6 peer-group";
echo " neighbor INTRANETV6 graceful-restart";
echo " neighbor INTRANETV6 remote-as external";
echo " neighbor INTRANETV6 description INTRANET_AUTOBGP_IPv6";
echo " neighbor INTRANETV6 passive";
echo " neighbor INTRANETV6 enforce-first-as";
echo " neighbor INTRANETV6 timers 10 40";
echo;
echo " bgp listen range 192.168.0.0/24 peer-group INTRANETV4";
echo " bgp listen range 2001:db8:192:168::/64 peer-group INTRANETV6";
echo;
echo " address-family ipv4 unicast";
echo " neighbor INTRANETV4 activate";
echo " neighbor INTRANETV4 next-hop-self force";
echo " neighbor INTRANETV4 send-community all";
echo " neighbor INTRANETV4 soft-reconfiguration inbound";
echo " neighbor INTRANETV4 route-map INTRANET-EXPORT-IPV4 out";
echo " neighbor INTRANETV4 route-map INTRANET-IMPORT-IPV4 in";
echo " neighbor INTRANETV4 default-originate route-map ORIGIN-GW";
echo " exit-address-family";
echo;
echo " address-family ipv6 unicast";
echo " neighbor INTRANETV6 activate";
echo " neighbor INTRANETV6 next-hop-self force";
echo " neighbor INTRANETV6 send-community all";
echo " neighbor INTRANETV6 soft-reconfiguration inbound";
echo " neighbor INTRANETV6 route-map INTRANET-EXPORT-IPV6 out";
echo " neighbor INTRANETV6 route-map INTRANET-IMPORT-IPV6 in";
echo " neighbor INTRANETV6 default-originate route-map ORIGIN-GW";
echo " exit-address-family";
echo;
echo " end";
echo "write";
) | vtysh;
# BGP - Peering eBGP multihop (requer rota estatic/igp para o ip remoto)
(
echo "configure terminal";
echo;
echo " interface eth0.1720";
echo " ip address 10.7.7.2/30";
echo " ipv6 address fcda:a:7:7::2/126";
echo;
echo " ip route 172.16.0.1/32 10.7.7.1";
echo " ipv6 route fbc1:172:16::1/128 fcda:a:7:7::1";
echo;
echo " router bgp 65001";
echo " neighbor 172.16.0.1 remote-as external";
echo " neighbor 172.16.0.1 ebgp-multihop 16";
echo " neighbor fbc1:172:16::1 remote-as external";
echo " neighbor fbc1:172:16::1 ebgp-multihop 16";
echo;
echo " address-family ipv4 unicast";
echo " neighbor 172.16.0.1 activate";
echo " exit-address-family";
echo;
echo " address-family ipv4 unicast";
echo " neighbor fbc1:172:16::1 activate";
echo " exit-address-family";
echo;
echo " end";
echo "write";
) | vtysh;
# Analise de BGP:
vtysh -c 'show bgp ipv4';
vtysh -c 'show bgp ipv6';
vtysh -c 'show bgp summary';
vtysh -c 'show bgp ipv4 summary';
vtysh -c 'show bgp ipv6 summary';
vtysh -c 'show bgp ipv4 unicast summary';
vtysh -c 'show bgp ipv6 unicast summary';
# Analise de peering BGP:
vtysh -c 'show bgp ipv4 neighbors 10.7.7.1';
vtysh -c 'show bgp ipv4 neighbors 10.7.7.1 flap-statistics';
vtysh -c 'show bgp ipv4 neighbors 10.7.7.1 prefix-counts';
vtysh -c 'show bgp ipv4 neighbors 10.7.7.1 advertised-routes';
vtysh -c 'show bgp ipv4 neighbors 10.7.7.1 received-routes';
vtysh -c 'show bgp ipv4 neighbors 10.7.7.1 routes';
# Reset/refresh de peering BGP:
vtysh -c 'clear bgp 10.7.7.1';
vtysh -c 'clear bgp 10.7.7.1 in';
vtysh -c 'clear bgp 10.7.7.1 out';
vtysh -c 'clear bgp 10.7.7.1 soft';
vtysh -c 'clear bgp 10.7.7.1 soft in';
vtysh -c 'clear bgp 10.7.7.1 soft out';
# Reset/refresh geral de peerings BGP:
vtysh -c 'clear bgp *';
BGP+EVPN:
Bash
# eVPN Router-Reflector
(
echo "configure terminal";
echo;
echo " router bgp 65001";
echo " bgp cluster-id 10.111.254.1";
echo;
echo " neighbor EBACKBONE peer-group";
echo " neighbor EBACKBONE ebgp-multihop 5";
echo " neighbor EBACKBONE remote-as 65001";
echo " neighbor EBACKBONE disable-connected-check";
echo " neighbor EBACKBONE capability extended-nexthop";
echo " neighbor EBACKBONE update-source 10.111.255.1";
echo;
echo " bgp listen range 10.111.0.0/16 peer-group EBACKBONE";
echo;
echo " address-family ipv4 unicast";
echo " neighbor EBACKBONE activate";
echo " exit-address-family";
echo;
echo " address-family ipv6 unicast";
echo " neighbor EBACKBONE activate";
echo " exit-address-family";
echo;
echo " address-family l2vpn evpn";
echo " neighbor EBACKBONE activate";
echo " neighbor EBACKBONE route-reflector-client";
echo " advertise-all-vni";
echo " advertise-svi-ip";
echo " exit-address-family";
echo;
echo " end";
echo "write";
) | vtysh;
# eVPN VTEP
(
echo "configure terminal";
echo;
echo " router bgp 65001";
echo " neighbor EBACKBONE peer-group";
echo " neighbor EBACKBONE ebgp-multihop 3";
echo " neighbor EBACKBONE remote-as 65000";
echo " neighbor EBACKBONE disable-connected-check";
echo " neighbor EBACKBONE capability extended-nexthop";
echo " neighbor EBACKBONE update-source 10.111.255.14";
echo;
echo " neighbor 10.111.255.1 peer-group EBACKBONE";
echo;
echo " address-family l2vpn evpn";
echo " neighbor EBACKBONE activate";
echo " advertise-all-vni";
echo " advertise-svi-ip";
echo " exit-address-family";
echo;
echo " end";
echo "write";
) | vtysh;
# Script para configurar VXLAN no linux:
for VNI in 100 200; do
# Criar interface VXLAN
ip link add vxlan${VNI} type vxlan
id ${VNI} \
dstport 4789 \
local 203.0.113.2 \
nolearning;
# Criar bridge para a VNI
brctl addbr br${VNI};
# - Adicionar interface vxlan na bridge da VNI
brctl addif br${VNI} vxlan${VNI};
# - Desativar STP
brctl stp br${VNI} off;
# - Ativar interfaces bridge e vxlan
ip link set up dev br${VNI};
ip link set up dev vxlan${VNI};
done;
# Anexe a TAP da maquina virtual ou
# interface L2 a transprotar na VNI na
# mesma bridge de VNI desejada:
brctl addif br100 vnet10;
brctl addif br100 vnet11;
brctl addif br200 vnet12;
# Analise de BGP-EBPN:
vtysh -c 'show bgp ipv4 unicast summary';
vtysh -c 'show bgp l2vpn evpn summary';
vtysh -c 'show bgp l2vpn evpn';
vtysh -c 'show evpn';
vtysh -c 'show evpn vni detail';
vtysh -c 'show evpn vni 100';
vtysh -c 'show evpn mac vni 100';
Babel:
Bash
# Boot BABEL
(
echo "configure terminal";
echo;
echo " router babel";
echo " babel smoothing-half-life 0";
echo " redistribute ipv4 connected";
echo " redistribute ipv4 static";
echo " redistribute ipv6 connected";
echo " redistribute ipv6 static";
echo;
echo " end";
echo "write";
) | vtysh;
# Interface BABEL:
(
echo "configure terminal";
echo;
echo " router babel";
echo " network eth0";
echo;
echo " interface eth8";
echo " babel enable-timestamps";
echo " babel hello-interval 202";
echo " babel max-rtt-penalty 0";
echo " babel rtt-decay 3";
echo " babel rxcost 101";
echo " babel update-interval 22";
echo " babel wired";
echo;
echo " end";
echo "write";
) | vtysh;
Proponha mais exemplos para mim, contatos no menu principal.
Conclusão
O FRR é hoje a pilha de roteamento mais completa para Linux, recomendo que estudem mais sobre ele e montem muitos laboratórios.
Até mais,
Patrick Brandão