Routing with BGP on BIG-IP


This article explains how to configure BGP on BIG-IP.

Test setup

Diagram

The verification uses the configuration as it stood at the end of the "BIG-IP: splitting by partitions" walkthrough. On this topology we work out the settings needed for Server10 and Server30 to reach each other.

                    +-----------------+
                .50 |     (Vyatta)    | .50
         +----------+     Router50    +----------+
         |     eth0 |                 | eth1     |
         |          +-----------------+          |
         |                                       |
         | 192.168.20.0/24       192.168.40.0/24 |
         | (vlan 20)                   (vlan 40) |
         |                                       |
         | .1                                    | .1
+--------+--------+                     +--------+--------+
|     bigip01     |                     |     bigip01     |
| RouteDomain 12  |                     | RouteDomain 34  |
|                 |                     |                 |
+--------+--------+                     +--------+--------+
         | .1                                    | .1
         |                                       |
         | 192.168.10.0/24       192.168.30.0/24 |
         | (vlan 10)                   (vlan 30) |
         |                                       |
         | .10                                   | .30
+--------+--------+                     +--------+--------+
|                 |                     |                 |
|     Server10    |                     |     Server30    |
|  (RockyLinux84) |                     |  (RockyLinux84) |
+-----------------+                     +-----------------+

Initial configuration

The initial BIG-IP configuration is shown below. Router50 already has BGP configured; iBGP neighbor sessions are established between bigip (RD12) and Router50 and between bigip (RD34) and Router50. Router50 is configured with route-reflector-client for both peers and advertises 192.168.20.0/24 and 192.168.40.0/24 so that next-hop reachability is guaranteed.

bigip01 : BIG-IP 16.1.0
net vlan VLAN0010 {
    interfaces {
        1.1 {
            tagged
        }
    }
    tag 10
}
net vlan VLAN0020 {
    interfaces {
        1.1 {
            tagged
        }
    }
    tag 20
}
net vlan VLAN0030 {
    interfaces {
        1.1 {
            tagged
        }
    }
    tag 30
}
net vlan VLAN0040 {
    interfaces {
        1.1 {
            tagged
        }
    }
    tag 40
}
net route-domain RD_0012 {
    id 12
    vlans {
        VLAN0010
        VLAN0020
    }
}
net route-domain RD_0034 {
    id 34
    vlans {
        VLAN0040
        VLAN0030
    }
}
net self SelfIP_VLAN0010 {
    address 192.168.10.1%12/24
    traffic-group traffic-group-local-only
    vlan VLAN0010
}
net self SelfIP_VLAN0020 {
    address 192.168.20.1%12/24
    traffic-group traffic-group-local-only
    vlan VLAN0020
}
net self SelfIP_VLAN0030 {
    address 192.168.30.1%34/24
    traffic-group traffic-group-local-only
    vlan VLAN0030
}
net self SelfIP_VLAN0040 {
    address 192.168.40.1%34/24
    traffic-group traffic-group-local-only
    vlan VLAN0040
}
ltm virtual RD0012_VS_FORWARD_ALL {
    destination 0.0.0.0%12:any
    ip-forward
    mask any
    profiles {
        fastL4 { }
    }
    serverssl-use-sni disabled
    source 0.0.0.0%12/0
    translate-address disabled
    translate-port disabled
}
ltm virtual RD0034_VS_FORWARD_ALL {
    destination 0.0.0.0%34:any
    ip-forward
    mask any
    profiles {
        fastL4 { }
    }
    serverssl-use-sni disabled
    source 0.0.0.0%34/0
    translate-address disabled
    translate-port disabled
}
Router50 : VyOS 1.4
set interfaces ethernet eth0 address '192.168.20.50/24'
set interfaces ethernet eth0 hw-id '00:50:56:90:32:c5'
set interfaces ethernet eth1 address '192.168.40.50/24'
set interfaces ethernet eth1 hw-id '00:50:56:90:11:0b'
set interfaces loopback lo
set protocols bgp address-family ipv4-unicast network 192.168.20.0/24
set protocols bgp address-family ipv4-unicast network 192.168.40.0/24
set protocols bgp local-as '65000'
set protocols bgp neighbor 192.168.20.1 address-family ipv4-unicast route-reflector-client
set protocols bgp neighbor 192.168.20.1 remote-as '65000'
set protocols bgp neighbor 192.168.40.1 address-family ipv4-unicast route-reflector-client
set protocols bgp neighbor 192.168.40.1 remote-as '65000'
set protocols bgp timers holdtime '30'
set protocols bgp timers keepalive '10'
set service ssh disable-host-validation
set system config-management commit-revisions '100'
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed '115200'
set system host-name 'vy050'
set system login user vyos authentication encrypted-password '$6$BLBE.ChYBI4ynui8$u2B.sTlyz1d.5GEjLyQKQmNRPN3kDHb3ynAzolORLLGOYe3up4u3vNg93QWk1DkOBbRNgkJJyYYVkrMofOFgw1'
set system login user vyos authentication plaintext-password ''
set system ntp server time1.vyos.net
set system ntp server time2.vyos.net
set system ntp server time3.vyos.net
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'

Verification

Starting ZebOS

BIG-IP implements BGP with a routing software component called ZebOS. ZebOS is not running by default, so the first step is to start it.

Navigate to "Network" > "Route Domains" and click the name of the route domain.

[Figure: Enabling ZebOS 01]

In the "Dynamic Routing Protocols" field, enable "BGP".

[Figure: Enabling ZebOS 02]

The equivalent from the command line is:

modify net route-domain RD_0012 routing-protocol replace-all-with { BGP }
modify net route-domain RD_0034 routing-protocol replace-all-with { BGP }

If you are unsure whether ZebOS is enabled, the zebos command shows whether its daemons are running for each route domain:

[bigip01:BIG-IP 16.1.0]
[root@bigip01:Active:Standalone] config # zebos -a check
=== route domain: 0 ===

=== route domain: 12 ===
nsm is running [14396]
imi is running [14395]
bgpd    is running [14398]

=== route domain: 34 ===
nsm is running [14479]
imi is running [14478]
bgpd    is running [14480]

[root@bigip01:Active:Standalone] config # 

BGP configuration

ZebOS is operated through a command-line tool called imish. The syntax is:

imish -r <route domain ID>

An example session follows. The feel is almost identical to Cisco IOS.

[root@bigip01:Active:Standalone] config # imish -r 12
bigip01.gokatei.go[12]>en
bigip01.gokatei.go[12]#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
bigip01.gokatei.go[12](config)#router bgp 65000
bigip01.gokatei.go[12](config-router)# timers bgp 10 30
bigip01.gokatei.go[12](config-router)# neighbor 192.168.20.50 remote-as 65000
bigip01.gokatei.go[12](config-router)# network 192.168.10.0/24
bigip01.gokatei.go[12](config-router)#end
bigip01.gokatei.go[12]#exit
[root@bigip01:Active:Standalone] config # 
[root@bigip01:Active:Standalone] config # 
[root@bigip01:Active:Standalone] config # 
[root@bigip01:Active:Standalone] config # imish -r 34
bigip01.gokatei.go[34]>en
bigip01.gokatei.go[34]#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
bigip01.gokatei.go[34](config)#router bgp 65000
bigip01.gokatei.go[34](config-router)# timers bgp 10 30
bigip01.gokatei.go[34](config-router)# neighbor 192.168.40.50 remote-as 65000
bigip01.gokatei.go[34](config-router)# network 192.168.30.0/24
bigip01.gokatei.go[34](config-router)#end
bigip01.gokatei.go[34]#exit
[root@bigip01:Active:Standalone] config # 

Verifying BGP

With imish you can check BGP state the same way as on Cisco IOS.

[bigip01:BIG-IP 16.1.0]
[root@bigip01:Active:Standalone] config # imish -r 12
bigip01.gokatei.go[12]>show ip bgp summary 
BGP router identifier 192.168.20.1, local AS number 65000
BGP table version is 4
1 BGP AS-PATH entries
0 BGP community entries

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.20.50   4 65000      59      52        4    0    0 00:08:15        3

Total number of neighbors 1
bigip01.gokatei.go[12]>
bigip01.gokatei.go[12]>
bigip01.gokatei.go[12]>show ip bgp 192.168.30.0
BGP routing table entry for 192.168.30.0/24
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Not advertised to any peer
  Local
    192.168.40.1 from 192.168.20.50 (192.168.40.1)
      Origin IGP metric 0, localpref 100, valid, internal, best
      Originator: 192.168.40.1, Cluster list: 192.168.40.50 
      Last update: Sat Sep  4 13:51:48 2021

bigip01.gokatei.go[12]>
bigip01.gokatei.go[12]>
bigip01.gokatei.go[12]>show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

C       127.0.0.1/32 is directly connected, lo
C       127.1.1.254/32 is directly connected, tmm
C       192.168.10.0/24 is directly connected, VLAN0010
C       192.168.20.0/24 is directly connected, VLAN0020
B       192.168.30.0/24 [200/0] via 192.168.40.1 (recursive via 192.168.20.50 ),
 00:01:14
B       192.168.40.0/24 [200/0] via 192.168.20.50, VLAN0020, 00:01:18

Gateway of last resort is not set
bigip01.gokatei.go[12]>
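As an added example (not code from the article or from F5), the following Python parses the `show ip bgp summary` table shown above and reports any neighbor that is not Established, has the wrong remote AS, or is missing from or unexpected in the route domain. The sample output is constructed to mirror the RD 12 peering, with one made-up neighbor added in the Active state.

```python
import re
from dataclasses import dataclass

# Constructed sample (not the article's verbatim output): the article's RD 12 peer plus a made-up neighbor stuck in Active.
SAMPLE_SUMMARY = """BGP router identifier 192.168.20.1, local AS number 65000
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.20.50   4 65000      59      52        4    0    0 00:08:15        3
192.168.20.51   4 65000       0       0        0    0    0 never    Active
Total number of neighbors 2
"""

@dataclass
class Peer:
    address: str
    remote_as: int
    up_down: str
    state: str      # "Established", or the FSM state ZebOS prints (Idle, Active, ...)
    prefixes: int   # prefixes received when Established, otherwise 0

# One neighbor row: address, version, AS, five counters, Up/Down, State/PfxRcd.
ROW_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)(?:\s+\d+){5}\s+(\S+)\s+(\S+)\s*$")

def parse_summary(text: str) -> list[Peer]:
    """One Peer per row; a numeric State/PfxRcd column means Established."""
    peers = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            addr, _ver, asn, up_down, last = m.groups()
            up = last.isdigit()
            peers.append(Peer(addr, int(asn), up_down,
                              "Established" if up else last, int(last) if up else 0))
    return peers

def check_peers(text: str, expected: dict[str, int]) -> list[str]:
    """Return problem strings for the expected {address: remote-as}; empty means healthy."""
    seen = {p.address: p for p in parse_summary(text)}
    problems = []
    for addr, asn in expected.items():
        p = seen.get(addr)
        if p is None:
            problems.append(f"{addr}: neighbor missing from this route domain")
        elif p.remote_as != asn:
            problems.append(f"{addr}: remote AS {p.remote_as}, expected {asn}")
        elif p.state != "Established":
            problems.append(f"{addr}: session {p.state} (Up/Down {p.up_down})")
        elif p.prefixes == 0:
            problems.append(f"{addr}: Established but 0 prefixes received")
    for addr in sorted(seen.keys() - expected.keys()):
        problems.append(f"{addr}: unexpected neighbor (AS {seen[addr].remote_as})")
    return problems
```

On the device, feed it the output of `show ip bgp summary` from `imish -r <RD>` for each route domain, with the neighbor list that route domain is supposed to have.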

After entering the route domain shell with rdsh, the routes can also be checked with commands such as ip route.

[bigip01:BIG-IP 16.1.0]
[root@bigip01:Active:Standalone] config # rdsh 12
[root@bigip01:Active:Standalone] config # ip route
127.1.1.0/24 dev if3  proto kernel  scope link  src 127.1.1.254 
192.168.10.0/24 dev if5  proto kernel  scope link  src 192.168.10.1 
192.168.20.0/24 dev if7  proto kernel  scope link  src 192.168.20.1 
192.168.30.0/24 via 192.168.20.50 dev if7  proto zebra 
192.168.40.0/24 via 192.168.20.50 dev if7  proto zebra 
[root@bigip01:Active:Standalone] config # 

Connectivity check

Confirm that server10 can reach server30.

[server10:RockyLinux8.4]
[root@server010 ~]# traceroute -n 192.168.30.30
traceroute to 192.168.30.30 (192.168.30.30), 30 hops max, 60 byte packets
 1  192.168.10.1  0.609 ms  0.567 ms  0.548 ms
 2  192.168.20.50  1.108 ms  0.755 ms  1.039 ms
 3  192.168.40.1  0.984 ms  1.246 ms  1.226 ms
 4  192.168.30.30  1.455 ms  2.990 ms  3.632 ms
[root@server010 ~]# 
[root@server010 ~]# 
[root@server010 ~]# ping -c 3 192.168.30.30
PING 192.168.30.30 (192.168.30.30) 56(84) bytes of data.
64 bytes from 192.168.30.30: icmp_seq=1 ttl=61 time=1.92 ms
64 bytes from 192.168.30.30: icmp_seq=2 ttl=61 time=1.61 ms
64 bytes from 192.168.30.30: icmp_seq=3 ttl=61 time=1.69 ms

--- 192.168.30.30 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 1.614/1.739/1.917/0.129 ms
[root@server010 ~]# 