Zebra/Quagga Routing Suite
Anura Abayaratne
MTT Network - Sri Lanka
anuraa@iee.org
APRICOT 2006, 22nd Feb – 3rd Mar 2006, Perth, Western Australia

Agenda
• Overview
• Installation
• Basic commands
• Setting up BGP
• Filtering
APRICOT 2006 - Perth Western Australia
Daemon + Server
What is a routing daemon?
• Software running on a server
• It maintains routing information; the server it runs on becomes the router

Daemons vs. commercial routers
• Routing daemons
  – Low-cost solution
  – Expertise required for set-up
  – Lack of vendor support
• Commercial routers
  – Pricy
  – Better performance
  – Fully supported

Routing daemons
• Zebra http://www.zebra.org
  – The original project (Quagga is a fork of it)
  – Wide support: RIP, OSPF, BGP
  – Several published vulnerabilities; development has largely stalled
• Quagga http://www.quagga.net
  – Based on Zebra
  – Wide support: RIP, OSPF, BGP, IS-IS
  – Development libraries
Overview
• Distributed under the GNU General Public License
• Zebra is a routing software package that provides TCP/IP based routing services, with support for the routing protocols RIPv1, RIPv2, RIPng, OSPFv2, OSPFv3, BGP-4 and BGP-4+
• Supports BGP route reflectors and route server behaviour
• IPv6 routing protocols
• Zebra has an interactive user interface for each routing protocol and supports common client commands

About Zebra
• Acts as a dedicated server
• Exchanges routing information with other routers using routing protocols
• Uses this information to update the kernel routing table so that the right data goes to the right place
• The configuration can be changed dynamically, and the routing table viewed, from the Zebra terminal interface
• If the network is small, configuring Zebra is very easy: set up interfaces, add static routes and/or default routes
• If the network is rather large or its structure changes frequently, you may need to set up a Zebra dynamic routing protocol: RIP, OSPF or BGP
• Supports unicast routing protocols
• Zebra has two system administration modes: normal (view) mode and enable mode
• VTY logins are independent of Unix accounts (each daemon has its own VTY and enable passwords), which is a great help to the router administrator
System Architecture Diagram
[diagram: ospfd, ripd and bgpd talk to the zebra daemon, which updates the Unix kernel routing table]

How Zebra/Quagga works
• A collection of several daemons that work together to build the routing table: protocol-specific routing daemons (ripd, ospfd, bgpd, ...) plus the kernel routing manager (the zebra daemon)
• The zebra daemon is the IP routing manager. It provides kernel routing table updates, interface lookups, and redistribution of routes between different routing protocols
• Each daemon has its own configuration file, for example:
  – static routes go in the zebra daemon's configuration file (zebra.conf)
  – BGP configuration goes in bgpd's configuration file (bgpd.conf)
Supported Platforms
• Linux 2.2.x and higher
• FreeBSD 4.x and higher
• NetBSD 1.6 and higher
• OpenBSD 2.5 and higher
• Solaris 2.6 and higher

How to get Zebra/Quagga
• http://www.zebra.org/
• http://www.quagga.net/
Steps
• There are three steps to installing the software: configuration, compilation, installation
• First unpack the source archive:
  gzip -d zebra-0.95a.tar.gz
  tar -xvf zebra-0.95a.tar
  cd zebra-0.95a

Configure the software
• Zebra can detect most of the host configuration automatically. The additional configuration options are listed by:
  % ./configure --help
• e.g.
  % ./configure
  % ./configure --prefix=/home/zebra
  % ./configure --disable-ripd

Build the software
• After configuring the software, you need to compile it for your system
• Issue the command make in the root of the source directory:
  % make
• Configure and build as an unprivileged user; only the install step needs root

Install the software
• Copies the compiled programs and supporting files to a standard location
• Issue the following command at your shell prompt:
  % make install
• Default locations (prefix /usr/local): the daemons go under /usr/local/sbin, the configuration files under /usr/local/etc
Install the software contd…
• Zebra daemons each have their own terminal interface, or VTY. After installation, set up each daemon's port number so that you can connect to it. Add the following entries to /etc/services:
  zebrasrv  2600/tcp  # zebra service
  zebra     2601/tcp  # zebra vty
  ripd      2602/tcp  # RIPd vty
  ripngd    2603/tcp  # RIPngd vty
  ospfd     2604/tcp  # OSPFd vty
  bgpd      2605/tcp  # BGPd vty
  ospf6d    2606/tcp  # OSPF6d vty
• Additionally for Quagga:
  ospfapi   2607/tcp  # ospfapi
  isisd     2608/tcp  # ISISd vty
Access the router
• Telnet to the port:
  telnet <ipaddress> 2601
• VTY ports on Zebra:
  2601  # zebra vty
  2602  # RIPd vty
  2603  # RIPngd vty
  2604  # OSPFd vty
  2605  # BGPd vty
  2606  # OSPF6d vty
• Additionally supported by Quagga:
  2607  # ospfapi
  2608  # ISISd vty
• The VTY is plain telnet: passwords and commands cross the network in clear text. Bind the VTYs to the loopback address (the daemons' -A option) or restrict them with an access-class, and reach the box itself over SSH
• Use the VTY shell
  – To use vtysh, pass --enable-vtysh to the configure script
  – Usernames are stored in the vtysh.conf file, e.g.:
    username testuser nopassword
  – nopassword means that Unix user enters vtysh without any further authentication, so grant it only to accounts that are meant to administer the router
Config commands
• Commands common to all routing daemons
• Config files are generally found in /usr/local/etc/*.conf, or under the path given with the --prefix option (e.g. /home/zebra/etc/*.conf)
• The daemon name + `.conf` is the default config file name (e.g. /home/zebra/etc/zebra.conf)
• A config file can be specified with the -f or --config_file option when starting the daemon (e.g. /home/zebra/sbin/zebra -d -f /home/zebra/etc/zebratest.conf)
Basic config commands
• hostname hostname - Set the hostname of the router
• password password - Set the password for the vty interface. If there is no password, a vty won't accept connections
• enable password password - Set the enable password. If no enable password is set, the enable command switches to enable mode without prompting, so always set one
• log stdout - Set logging output to stdout
• no log stdout - Stop logging to stdout

Basic config commands…
• log file filename - To log to a file, specify the filename as follows (e.g. log file /usr/local/etc/bgpd.log)
• log syslog - Set logging output to syslog
• no log syslog - Stop logging to syslog

Basic config commands…
• write terminal - Display the current configuration on the vty interface
• show running-config - Same as write terminal
• write file - Write the current configuration to the configuration file
• copy running-config startup-config - Same as write file
• configure terminal - Change to configuration mode. This command is the first step of configuration

Basic config commands…
• who - List the vty sessions currently connected
• list - List the available commands
• service password-encryption - Store the vty and enable passwords in the config file as crypt(3) hashes (written as `password 8 <hash>`) instead of clear text
• show version - Show the current version of Zebra and its build host information
• line vty - Enter vty configuration mode
• banner motd default - Set the default motd string
• no banner motd - No motd banner string will be printed

Basic config commands…
• exec-timeout minute
• exec-timeout minute second
  Set the VTY connection timeout value. When only one argument is specified it is used as the timeout value in minutes. The optional second argument is the timeout value in seconds. The default timeout is 10 minutes. A timeout value of zero means no timeout
• no exec-timeout - Do not perform a timeout at all. This command is the same as exec-timeout 0 0 and leaves an unattended session open indefinitely

Basic config commands…
• access-class access-list - Restrict vty connections with an access list. Anything the list does not permit is denied. Example:
  access-list log-in permit 192.168.1.0/24
  line vty
   access-class log-in
Sample config file
• For the zebra daemon:
  hostname Router
  password zebra
  enable password zebra
  !
  interface lo
  !
  interface eth0
   ip address 172.16.1.2/24
  !
  line vty

Sample config file
• '!' and '#' are comment characters. If the first character of a word is one of the comment characters, the rest of the line is ignored as a comment
• password zebra!password
• If a comment character is not the first character of a word, it is a normal character. So in the example above '!' is not treated as a comment and the password is set to 'zebra!password'
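The comment rule above and the vty hardening commands from the previous slides can be checked mechanically. The following Python script is an added example written for this page; it is not part of the slides or of the Zebra/Quagga projects. It tokenises a config file the way the daemons do (a word that begins with '!' or '#' starts a comment, a '!' inside a word does not) and then reports weak VTY settings. The two sample configs are constructed; the `password 8 ...` hashes in the hardened one are placeholders rather than real crypt(3) output, and the finding names are this script's own.

```python
"""Audit zebra/quagga-style config files for weak VTY settings.

Added example for this page; not part of the APRICOT slides or of the
Zebra/Quagga projects. Sample configs are constructed.
"""
from typing import Iterator, List, Optional

COMMENT_CHARS = ("!", "#")


def config_words(text: str) -> Iterator[List[str]]:
    """Yield each non-comment line as a list of words.

    Applies the daemons' comment rule: a word whose *first* character is
    '!' or '#' starts a comment that runs to end of line, while a '!' or
    '#' inside a word is an ordinary character ('zebra!password').
    """
    for raw in text.splitlines():
        words: List[str] = []
        for word in raw.split():
            if word[0] in COMMENT_CHARS:
                break
            words.append(word)
        if words:
            yield words


def _is_hashed(args: List[str]) -> bool:
    # 'password 8 <hash>' is the form the daemons write out once
    # 'service password-encryption' is in effect.
    return len(args) == 2 and args[0] == "8"


def audit_vty(text: str) -> List[str]:
    """Return finding tags for one daemon config (empty when it looks hardened)."""
    vty_password: Optional[List[str]] = None
    enable_password: Optional[List[str]] = None
    encrypt = False
    access_class: Optional[str] = None
    exec_timeout = (10, 0)  # the daemons' default: 10 minutes

    for words in config_words(text):
        cmd, args = words[0], words[1:]
        if cmd == "service" and args == ["password-encryption"]:
            encrypt = True
        elif cmd == "password" and args:
            vty_password = args
        elif cmd == "enable" and len(args) >= 2 and args[0] == "password":
            enable_password = args[1:]
        elif cmd == "access-class" and args:  # only valid under 'line vty'
            access_class = args[0]
        elif cmd == "exec-timeout" and args:
            minutes = int(args[0])
            seconds = int(args[1]) if len(args) > 1 else 0
            exec_timeout = (minutes, seconds)
        elif cmd == "no" and args == ["exec-timeout"]:
            exec_timeout = (0, 0)

    findings: List[str] = []
    if vty_password is None:
        findings.append("no-vty-password")          # vty refuses every login
    elif not _is_hashed(vty_password):
        findings.append("vty-password-plaintext")
    if enable_password is None:
        findings.append("no-enable-password")       # 'enable' succeeds without a prompt
    elif not _is_hashed(enable_password):
        findings.append("enable-password-plaintext")
    if vty_password is not None and vty_password == enable_password:
        findings.append("same-vty-and-enable-password")
    if not encrypt:
        findings.append("password-encryption-off")  # next 'write file' stores clear text
    if access_class is None:
        findings.append("no-access-class")          # any host reaching the port may try
    if exec_timeout == (0, 0):
        findings.append("exec-timeout-disabled")    # idle sessions never close
    return findings


# Constructed sample: the slide's zebra.conf with the idle timeout switched off.
WEAK_CONF = """\
hostname Router
password zebra
enable password zebra
!
interface eth0
 ip address 172.16.1.2/24
!
line vty
 no exec-timeout
"""

# Constructed sample: what 'write file' produces after hardening.
# The hashes are placeholders, not real crypt(3) output.
HARDENED_CONF = """\
hostname Router
password 8 $1$saltsalt$placeholderhashA
enable password 8 $1$saltsalt$placeholderhashB
service password-encryption
!
access-list log-in permit 192.168.1.0/24
access-list log-in deny any
!
line vty
 access-class log-in
 exec-timeout 5 0
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_vty(conf) or "ok")
```

Run it against each daemon's config file (zebra.conf, bgpd.conf and so on), since every daemon has its own vty and its own passwords; a hardened zebra.conf says nothing about bgpd on port 2605.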
Common invocation options
• Usage: zebra [OPTION...]
• Daemon which manages the kernel routing table and redistribution between different routing protocols
  -b, --batch        Run in batch mode
  -d, --daemon       Run in daemon mode
  -f, --config_file  Set configuration file name
  -i, --pid_file     Set process identifier file name
  -k, --keep_kernel  Don't delete old routes which were installed by zebra
  -l, --log_mode     Set verbose log mode flag
  -A, --vty_addr     Set the vty's bind address
  -P, --vty_port     Set the vty's port number
  -r, --retain       When the program terminates, retain the routes added by zebra
  -v, --version      Print program version
  -h, --help         Display this help and exit
• Example: /home/zebra/sbin/zebra -d
• Without -A the vty listens on every interface. On a router that faces untrusted networks start each daemon with -A 127.0.0.1 (or an internal management address) so the telnet vty is not reachable from outside
Virtual terminal interfaces
• VTY (Virtual Terminal Interface) is a command line interface (CLI) for user interaction with the routing daemon
• To enable a VTY interface you have to set up a VTY password. If there is no VTY password, nobody can connect to the VTY interface at all

VTY overview
  % telnet 192.168.8.9 2601
  Hello, this is zebra (version 0.95a).
  Copyright 1996-2004 Kunihiro Ishiguro.

  User Access Verification

  Password:
  Router> enable
  Password: XXXXX
  Router# configure terminal
  Router(config)# password zzzzzzz
  Router(config)# enable password yyyyyyy
  Router(config)# interface eth0
  Router(config-if)# ip address 10.1.0.1/24
  Router(config-if)# exit
  Router(config)# access-list log-in permit 192.168.1.0/24
  Router(config)# line vty
  Router(config-line)# access-class log-in
  Router(config-line)# end
  Router# disable
  Router>

VTY modes
Three VTY modes:
• VTY view mode: read-only access to the CLI
• VTY enable mode: read-write access to the CLI
• VTY other modes: the configuration modes entered from enable mode
Interface commands
• interface ifname
• shutdown, no shutdown - Bring the current interface down or up
• ip address address (e.g. 10.0.0.1/8)
• description description …
• multicast, no multicast - Enable or disable the multicast flag on the interface
• bandwidth <1-10000000> - Bandwidth in kilobits
• no bandwidth <1-10000000>

Example
  Router> enable
  Password: XXXXX
  Router# configure terminal
  Router(config)# interface eth0
  Router(config-if)# ip address 10.0.1.2/24
  Router(config-if)# no ip address 10.0.2.2/24
  Router(config-if)# end
  Router# exit
Static route commands
• Define a static prefix and its gateway:
• ip route network gateway
• ip route network netmask gateway
  ip route 10.0.0.0/8 10.0.0.2
  ip route 10.0.0.0/8 ppp0
  ip route 10.0.0.0 255.255.255.0 10.0.0.2
• ip route network gateway distance
  ip route 10.0.0.0 255.255.255.0 10.0.0.3 50

Static route commands…
  Router# show ip route
  Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
         B - BGP, > - selected route, * - FIB route

  K>* 0.0.0.0/0 via 192.168.8.1, eth0
  S   10.0.0.0/24 [1/0] via 10.0.0.3 inactive
  S>* 10.1.0.0/24 [100/0] via 192.168.8.3, eth0
  S>* 10.2.3.0/24 [10/0] via 192.168.8.1, eth0
  K * 127.0.0.0/8 is directly connected, lo
  C>* 127.0.0.0/8 is directly connected, lo
  K * 192.168.8.0/24 is directly connected, eth0
  C>* 192.168.8.0/24 is directly connected, eth0
• [distance/metric] follows the prefix; "inactive" marks a route whose gateway is not reachable, so it is neither selected (>) nor installed in the kernel FIB (*)
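The flag columns above are what an operator reads to see whether zebra's idea of the routing table matches the kernel's. The following Python script, an added example written for this page and not code from the slides or from the Zebra/Quagga projects, parses the `show ip route` output shown above (embedded as a string) and picks out the two things worth a second look: static routes whose gateway is inactive, and kernel routes that no zebra protocol or connected interface accounts for, i.e. routes installed behind zebra's back. The function and field names are this script's own.

```python
"""Parse zebra's 'show ip route' output and flag routes worth a second look.

Added example for this page; not part of the APRICOT slides or of the
Zebra/Quagga projects. SAMPLE_OUTPUT is the table shown on the slide.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Route-source codes from the 'Codes:' legend of the command output.
ROUTE_CODES = {"K": "kernel", "C": "connected", "S": "static",
               "R": "RIP", "O": "OSPF", "B": "BGP"}


@dataclass
class Route:
    code: str                 # one of ROUTE_CODES
    selected: bool            # '>' : best route for the prefix in zebra's RIB
    fib: bool                 # '*' : installed in the kernel forwarding table
    prefix: str
    distance: Optional[int]   # the [distance/metric] pair, absent on K and C routes
    metric: Optional[int]
    gateway: Optional[str]    # None when the prefix is directly connected
    interface: Optional[str]
    inactive: bool            # gateway not reachable; route is not used


# Everything after the three-character flag column:
#   PREFIX [DIST/METRIC] via GATEWAY, IFACE [inactive]
#   PREFIX is directly connected, IFACE
_ROUTE_RE = re.compile(
    r"^(?P<prefix>\S+/\d+)"
    r"(?:\s+\[(?P<dist>\d+)/(?P<metric>\d+)\])?"
    r"\s+(?:via\s+(?P<gw>[0-9.]+)|is directly connected)"
    r"(?:,\s*(?P<iface>\S+))?"
    r"(?P<inactive>\s+inactive)?\s*$"
)


def parse_show_ip_route(text: str) -> List[Route]:
    """Turn the text of 'show ip route' into Route records, skipping the legend."""
    routes: List[Route] = []
    for line in text.splitlines():
        # Route lines start with a code letter, then '>' or ' ', then '*' or ' '.
        if len(line) < 4 or line[0] not in ROUTE_CODES:
            continue
        if line[1] not in "> " or line[2] not in "* ":
            continue  # the 'Codes:' legend line also starts with 'C'
        m = _ROUTE_RE.match(line[3:].strip())
        if m is None:
            raise ValueError(f"unrecognised route line: {line!r}")
        routes.append(Route(
            code=line[0],
            selected=line[1] == ">",
            fib=line[2] == "*",
            prefix=m.group("prefix"),
            distance=int(m.group("dist")) if m.group("dist") else None,
            metric=int(m.group("metric")) if m.group("metric") else None,
            gateway=m.group("gw"),
            interface=m.group("iface"),
            inactive=m.group("inactive") is not None,
        ))
    return routes


def inactive_static(routes: List[Route]) -> List[str]:
    """Static routes whose gateway is unreachable: configured but doing nothing."""
    return [r.prefix for r in routes if r.code == "S" and r.inactive]


def kernel_only(routes: List[Route]) -> List[str]:
    """Prefixes the kernel holds that no zebra protocol or interface explains,
    i.e. routes added behind zebra's back (a 'route add' by hand, or worse)."""
    explained = {r.prefix for r in routes if r.code != "K"}
    return [r.prefix for r in routes if r.code == "K" and r.prefix not in explained]


def forwarding_table(routes: List[Route]) -> Dict[str, Optional[str]]:
    """prefix -> gateway (or interface, when directly connected) for FIB routes."""
    return {r.prefix: (r.gateway or r.interface) for r in routes if r.fib}


# The 'show ip route' output shown on the slide, embedded as a string.
SAMPLE_OUTPUT = """\
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       B - BGP, > - selected route, * - FIB route

K>* 0.0.0.0/0 via 192.168.8.1, eth0
S   10.0.0.0/24 [1/0] via 10.0.0.3 inactive
S>* 10.1.0.0/24 [100/0] via 192.168.8.3, eth0
S>* 10.2.3.0/24 [10/0] via 192.168.8.1, eth0
K * 127.0.0.0/8 is directly connected, lo
C>* 127.0.0.0/8 is directly connected, lo
K * 192.168.8.0/24 is directly connected, eth0
C>* 192.168.8.0/24 is directly connected, eth0
"""

if __name__ == "__main__":
    rib = parse_show_ip_route(SAMPLE_OUTPUT)
    print("inactive static :", inactive_static(rib))
    print("kernel only     :", kernel_only(rib))
    print("FIB             :", forwarding_table(rib))
```

On the slide's table the only kernel-only prefix is the default route 0.0.0.0/0, which is normal on a box whose default gateway was set by the OS rather than by zebra; a kernel-only route to a more specific prefix would be the thing to investigate.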
Zebra terminal mode commands
• show interface
• show ip forward - Display whether the host's IP forwarding function is enabled or not. Almost any UNIX kernel can be configured with IP forwarding disabled; if so, the box can't work as a router
• On Linux, check it with:
  cat /proc/sys/net/ipv4/ip_forward
• To enable IP forwarding on a Linux box:
  sysctl -w net.ipv4.ip_forward=1
  (this does not survive a reboot; add net.ipv4.ip_forward = 1 to /etc/sysctl.conf to make it persistent)
BGP
Border Gateway Protocol

Introduction to BGP
• Routing protocol used to exchange routing information between networks - an exterior gateway protocol
• Path vector protocol
• Incremental updates
• Many options for policy enforcement
• Classless Inter-Domain Routing (CIDR)
• Widely used for the Internet backbone
• BGP is used internally (iBGP) and externally (eBGP)

Autonomous System
[diagram: a network labelled AS100]
• Used to uniquely identify networks with a common routing policy
• Usually under single ownership, trust and administrative control

Autonomous System Number
• An AS number identifies an autonomous system
• BGP uses the AS number to decide whether a BGP session is internal (same AS) or external (different AS)
• An ASN was a 16-bit number at the time of this talk (32-bit AS numbers were introduced later, by RFC 4893)
• Public AS numbers 1 - 64511
• Private AS numbers 64512 - 65534
• 0 and 65535 are reserved
• ASNs are distributed by the Regional Internet Registries
Starting BGP
• The default configuration file of bgpd is 'bgpd.conf' (e.g. /home/zebra/etc/bgpd.conf)
• /home/zebra/sbin/bgpd -d

Configuring the router
• Enable BGP
• Add the addresses to be announced
• Add the addresses and AS numbers of the neighbouring routers (peers)
• Apply policy with BGP
  – Allow only the routes that originate here to be announced to the neighbouring AS
  – Announced routes
  – Received routes

BGP router
• Configure the BGP router with the router bgp command. To configure a BGP router you need an AS number
• router bgp asn - Enable a BGP protocol process with the specified asn. After this statement you can enter any BGP command. You cannot create a second BGP process under a different asn without specifying multiple-instance
• no router bgp asn - Destroy the BGP protocol process with the specified asn
Configuration example
[diagram: bgpd A in AS100 peers with bgpd B in AS200]
  % telnet 192.168.8.139 2605
  Connected to 192.168.8.139.
  Escape character is '^]'.
  Hello, this is zebra (version 0.95a)

  User Access Verification

  Password: XXXXX
  RouterA>
  RouterA> enable
  RouterA# configure terminal
  RouterA(config)# router bgp 100
  RouterA(config-router)#
  RouterA(config-router)# exit
  RouterA# exit

bgp router-id A.B.C.D
• This command specifies the router ID. If bgpd connects to zebra it gets interface and address information, and the default router ID is then the largest IP address among the interfaces. When zebra is not running bgpd can't get interface information, so the router ID stays 0.0.0.0. Set the router ID by hand:
  RouterA# configure terminal
  RouterA(config)# router bgp 100
  RouterA(config-router)# bgp router-id 172.16.1.1
Configuring the router
• Enable BGP
• Add the addresses to be announced
• Add the addresses and AS numbers of the neighbouring routers (peers)
• Apply policy with BGP
  – Allow only the routes that originate here to be announced to the neighbouring AS
  – Announced routes
  – Received routes

Inserting prefixes into BGP
• To add an address prefix to be announced, there are two ways:
  – redistributing an internal routing protocol
  – the network command
• network A.B.C.D/M
  router bgp 100
   network 10.1.0.0/16
   no network 172.16.0.0/16
• Announce only prefixes that are assigned to you: everything listed in network statements is advertised to every neighbour unless a filter stops it, and announcing somebody else's address space is a route hijack
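Putting the pieces of this section together, the following bgpd.conf is an added example written for this page, not a file from the slides or from the Zebra/Quagga projects. It carries RouterA (AS100, router ID 172.16.1.1, announcing 10.1.0.0/16 as on the slides) one step further than the slides go: the neighbor and prefix-list commands that peer it with RouterB and enforce the "announce only what originates here" policy are standard Zebra/Quagga bgpd commands, but they are not shown on these slides. RouterB's address 192.168.8.140, the prefix-list name, the access-list and the password hashes (placeholders, not real crypt(3) output) are assumed.

```text
! bgpd.conf for RouterA (AS100) - added example, not from the slides.
! RouterB's address 192.168.8.140, the list names and the hashes are assumed.
hostname RouterA
password 8 $1$saltsalt$placeholderhashA
enable password 8 $1$saltsalt$placeholderhashB
service password-encryption
!
router bgp 100
 bgp router-id 172.16.1.1
 network 10.1.0.0/16
 neighbor 192.168.8.140 remote-as 200
 neighbor 192.168.8.140 description RouterB in AS200
 neighbor 192.168.8.140 prefix-list ours-only out
!
! Only prefixes that originate here may leave; everything else is dropped
ip prefix-list ours-only seq 5 permit 10.1.0.0/16
ip prefix-list ours-only seq 10 deny 0.0.0.0/0 le 32
!
access-list log-in permit 192.168.1.0/24
!
line vty
 access-class log-in
 exec-timeout 5 0
```

Start bgpd with the zebra daemon already running (otherwise the router ID would default to 0.0.0.0, as described above) and, as with zebra itself, bind its vty to a management address with -A. An inbound prefix-list on the same neighbour is the matching check on what RouterB is allowed to send.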