[technique] Mise en place tunnel gw <-> chiwawa
Jérôme Nicolle
jerome at ceriz.fr
Dim 11 Déc 19:08:46 CET 2011
Plop,
Ca commence à prendre forme ! Pour l'instant la selection primaire /
secondaire se fait par localprefs. De mon coté elles sont dans la
centaine (parce que j'ai que ça), coté ttn elles sont largement
supérieures aux peers et upstream (toujours favoriser le trafic client)
Voici ma conf (policies et bgp) prête à tester :
vyatta at heavengate# show policy
prefix-list eBGP-IN {
description "*** filter incoming prefixes ***"
rule 10 {
action deny
ge 9
le 32
prefix 10.0.0.0/8
}
rule 12 {
action deny
ge 17
le 32
prefix 192.168.0.0/16
}
rule 14 {
action deny
ge 13
le 32
prefix 172.16.0.0/12
}
rule 20 {
action permit
ge 8
le 24
prefix 0.0.0.0/0
}
}
prefix-list eBGP-OUT {
rule 1 {
action permit
prefix 91.224.148.32/29
}
}
prefix-list6 eBGP-IN6 {
rule 10 {
action permit
ge 10
le 48
prefix 2000::/3
}
}
prefix-list6 eBGP-OUT6 {
rule 1 {
action permit
prefix 2a01:6600:8040::/48
}
}
route-map eBGP-EXPORT-ttn-pri {
rule 10 {
action permit
match {
ip {
address {
prefix-list eBGP-OUT
}
}
ipv6 {
address {
prefix-list eBGP-OUT6
}
}
}
set {
ipv6-next-hop {
global 2a01:6600:8081:af00::1
local fe80::203:1dff:fe07:61e
}
ip-next-hop 91.224.149.175
}
}
}
route-map eBGP-EXPORT-ttn-sec {
rule 10 {
action permit
match {
ip {
address {
prefix-list eBGP-OUT
}
}
ipv6 {
address {
prefix-list eBGP-OUT6
}
}
}
set {
ipv6-next-hop {
global 2a01:6600:8000::202
local fe80::6404:9fff:fed7:adba
}
ip-next-hop 91.224.148.19
}
}
}
route-map eBGP-IMPORT-ttn-pri {
rule 10 {
action permit
match {
ip {
address {
prefix-list eBGP-IN
}
}
ipv6 {
address {
prefix-list eBGP-IN6
}
}
}
set {
ipv6-next-hop {
global 2a01:6600:8000::131
}
ip-next-hop 91.224.149.254
local-preference 300
}
}
}
route-map eBGP-IMPORT-ttn-sec {
rule 10 {
action permit
match {
ip {
address {
prefix-list eBGP-IN
}
}
ipv6 {
address {
prefix-list eBGP-IN6
}
}
}
set {
ipv6-next-hop {
global 2a01:6600:8000::201
}
ip-next-hop 91.224.148.18
local-preference 200
}
}
}
vyatta at heavengate# show protocols bgp
bgp 64600 {
address-family {
ipv6-unicast {
network 2a01:6600:8040::/48 {
}
}
}
neighbor 91.224.148.18 {
description "*** BGP session to gw.tetaneutral.net through
backup link ***"
password plopik
remote-as 197422
route-map {
export eBGP-EXPORT-ttn-sec
}
shutdown
weight 100
}
neighbor 91.224.149.254 {
description "*** BGP session to h3.tetaneutral.net through
radio link ***"
password plopijk
remote-as 197422
route-map {
export eBGP-EXPORT-ttn-pri
}
shutdown
weight 200
}
network 91.224.148.32/29 {
}
parameters {
router-id 91.224.148.32
}
}
Coté ttn, ça implique les ajouts suivants :
sur gw
bird.conf
filter bgp_IN_chiwawa {
if (net ~ [91.224.148.32/29]) then accept;
else reject;
}
protocol bgp chiwawa_sec {
local as myas;
neighbor 91.224.148.19 as 64600;
import filter bgp_IN_chiwawa;
export where avoid_martians();
preference 2000;
}
bird6.conf
filter bgp_IN_6_chiwawa {
if (net ~ [2a01:6600:8040::/48]) then accept;
else reject;
}
protocol bgp chiwawa_6_sec {
local as myas;
neighbor 2a01:6600:8800::202 as 64600;
import filter bgp_IN_6_chiwawa;
export where avoid_martians();
preference 2000;
}
sur h3
bird.conf
filter bgp_IN_chiwawa {
if (net ~ [91.224.148.32/29]) then accept;
else reject;
}
protocol bgp chiwawa_sec {
local as myas;
neighbor 91.224.149.175 as 64600;
import filter bgp_IN_chiwawa;
export where avoid_martians();
preference 3000;
}
bird6.conf
filter bgp_IN_6_chiwawa {
if (net ~ [2a01:6600:8040::/48]) then accept;
else reject;
}
protocol bgp chiwawa_6_sec {
local as myas;
neighbor 2a01:6600:88af::1 as 64600;
import filter bgp_IN_6_chiwawa;
export where avoid_martians();
preference 3000;
}
J'attends un GO pour allumer !
@+
--
Jérôme Nicolle
06 19 31 27 14
Plus d'informations sur la liste de diffusion technique