Linux / GRE / Netplan - Using Path IP Addresses
This setup applies to a Linux distribution configured with Netplan. It creates the GRE tunnel, the bridge, and the policy-based route that ensures traffic from Path-provided IP addresses is routed symmetrically back over the tunnel.
network:
  version: 2
  renderer: networkd
  ethernets:
    enp33s0:
      addresses:
        - {gre_endpoint}/32
      routes:
        - on-link: true
          to: 0.0.0.0/0
          via: {carrier_next_hop}
      nameservers:
        addresses:
          - 1.1.1.1
          - 8.8.8.8
          - 1.0.0.1
          - 8.8.4.4
  bridges:
    br0:
      addresses:
        - {path_subnet}/{path_subnet_size}
      routing-policy:
        - from: {path_subnet}/{path_subnet_size}
          table: 100
  tunnels:
    path0:
      mode: gre
      local: {gre_endpoint}
      remote: {path_gre_endpoint}
      addresses:
        - {customer_inner_addr}/30
      routes:
        - to: 0.0.0.0/0
          via: {path_inner_addr}
          table: 100
Linux / GRE / Networkd - Using Path IP Addresses
auto path
iface path inet tunnel
    address {inner_address}
    netmask 255.255.255.252
    mode gre
    mtu 1440
    endpoint {path_outer_address}
    local {customer_endpoint}
    ttl 255
    post-up ip route add 0.0.0.0/0 via {path_inner_address} table 123
    post-up ip rule add from {protected_ip}/32 table 123
    post-up ip address add {protected_ip}/32 dev path
    pre-down ip route del 0.0.0.0/0 via {path_inner_address} table 123
    pre-down ip rule del from {protected_ip}/32 table 123
Linux / IP6TNL - Using Path IP Addresses
This example creates an IP6TNL tunnel and a bridge so that you can use the Path-provided public network and route traffic symmetrically. NOTE: this setup does not persist across reboots; create a startup script that applies the configuration at boot.
# IPv4-in-IPv6 tunnel to Path, with the inner /30 address
ip link add name path-tunnel type ip6tnl local {{ client_gre_endpoint_v6 }} remote {{ path_gre_endpoint_v6 }} mode any
ip addr add {{ customer_inner_addr_v4 }}/30 dev path-tunnel
ip link set path-tunnel up
# Name routing table 123 (the table used by the route and rule below)
echo "123 custom" >> /etc/iproute2/rt_tables
# Bridge that carries the Path-provided public prefix towards your hosts
ip link add name br0 type bridge
ip link set br0 up
ip link set mtu 1452 dev path-tunnel
# Policy routing: traffic sourced from the Path prefix returns via the tunnel
ip route add 0.0.0.0/0 via {{ path_inner_addr_v4 }} dev path-tunnel table 123
ip rule add from {{ path_public_network_v4 }}/{{ subnet_length }} table 123
ip route add {{ path_public_network_v4 }}/{{ subnet_length }} dev br0 table 123
ip addr add {{ path_public_network_firstip_v4 }}/{{ subnet_length }} dev br0
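Both the Netplan and the IP6TNL setups depend on two things being present: a source-based rule that selects the custom table for the Path prefix, and a default route in that table via the tunnel. If either is missing, the kernel silently falls through to the main table and replies leave over the carrier, so the return path is no longer symmetric. The following check is an added example, not part of the original article: it parses `ip -4 rule show` and `ip -4 route show table N` output and reports those failure modes. The prefix 203.0.113.0/24, table 123, device path0 and next hop 10.255.0.1 used in the test are constructed values.

```python
"""Check that a Path-protected prefix is policy-routed back over the tunnel.

Parses `ip -4 rule show` and `ip -4 route show table <N>` output and reports
anything that would let return traffic leave via the carrier default route
instead of the GRE/IP6TNL tunnel. Sample values in tests are constructed.
"""
import re
import subprocess
from typing import List, Optional

RULE_RE = re.compile(r"^(\d+):\s+from (\S+) lookup (\S+)", re.M)
DEFAULT_RE = re.compile(r"^default via (\S+) dev (\S+)", re.M)


def check_symmetric_routing(rule_out: str, table_out: str, prefix: str,
                            table: str, tunnel_dev: str, next_hop: str,
                            table_name: Optional[str] = None) -> List[str]:
    """Return a list of problems; an empty list means the PBR setup is complete."""
    problems: List[str] = []
    names = {table, table_name} if table_name else {table}
    rules = [(int(pri), src, tbl) for pri, src, tbl in RULE_RE.findall(rule_out)]
    main_pri = next((p for p, _, t in rules if t == "main"), 32766)
    # 1. A rule must send traffic *sourced* from the prefix to our table, and
    #    it must sit before the main-table rule or it is never consulted.
    hits = [p for p, src, t in rules if src == prefix and t in names]
    if not hits:
        problems.append(f"no 'ip rule from {prefix} lookup {table}'")
    elif min(hits) >= main_pri:
        problems.append(f"rule for {prefix} is ordered after the main table")
    # 2. The table must hold a default route via the tunnel; without one the
    #    lookup silently falls through to main and replies exit via the carrier.
    defaults = DEFAULT_RE.findall(table_out)
    if not defaults:
        problems.append(f"table {table} has no default route; lookup falls through to main")
    elif (next_hop, tunnel_dev) not in defaults:
        problems.append(f"table {table} default goes via {defaults[0][0]} dev {defaults[0][1]}, "
                        f"expected via {next_hop} dev {tunnel_dev}")
    return problems


def live_check(prefix: str, table: str, tunnel_dev: str, next_hop: str,
               table_name: Optional[str] = None) -> List[str]:
    """Run the real ip(8) commands on this host and check their output."""
    def run(*args: str) -> str:
        return subprocess.run(["ip", "-4", *args], capture_output=True, text=True, check=True).stdout
    return check_symmetric_routing(run("rule", "show"), run("route", "show", "table", table),
                                   prefix, table, tunnel_dev, next_hop, table_name)
```

Run `live_check("{path_subnet}/{path_subnet_size}", "123", "path-tunnel", "{path_inner_addr}")` on the host after applying the commands above; an empty list means return traffic for the Path prefix is pinned to the tunnel.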
Cisco ASRs with PBR
 neighbor {path_inner_addr} soft-reconfiguration inbound
 neighbor {path_inner_addr} route-map PATH_NETWORK in
 neighbor {path_inner_addr} route-map Path-Network-396998 out
interface Tunnel2
 description Path Network
 ip address {customer_inner_addr} 255.255.255.252
 ip mtu 1476
 ip tcp adjust-mss 1360
 tunnel source {customer_gre_endpoint}
 tunnel destination {path_gre_endpoint}
 tunnel path-mtu-discovery
ip access-list extended acl-path
 permit ip {customer_prefix} 0.0.0.255 any
route-map rmap-path
 match ip address acl-path
 set ip next-hop {path_inner_addr}
interface FortyGigabitEthernet0/2/0
 ip policy route-map rmap-path
Arista EOS
interface Tunnel0
   mtu 1436
   ip address {customer_inner}/30
   tunnel mode gre
   tunnel source {customer_gre_endpoint}
   tunnel destination {path_gre_endpoint}
   tunnel ttl 255
Juniper MX
set chassis fpc 1 pic 1 tunnel-services
set interfaces gr-1/3/0 description "GRE :: PATH :: Remote Anti-DDoS"
set interfaces gr-1/3/0 unit 11 tunnel source {carrier_ip}
set interfaces gr-1/3/0 unit 11 tunnel destination {path_gre_endpoint}
set interfaces gr-1/3/0 unit 11 family inet address {customer_gre_inner}
set protocols bgp group PATHNETWORK type external
set protocols bgp group PATHNETWORK import POL-REJECT-ALL
set protocols bgp group PATHNETWORK export POL-PATHNETWORK-EXPORT
set protocols bgp group PATHNETWORK peer-as 396998
set protocols bgp group PATHNETWORK neighbor {path_inner_addr}
set policy-options policy-statement POL-PATHNETWORK-EXPORT term 5-T-TEMP from protocol aggregate
set policy-options policy-statement POL-PATHNETWORK-EXPORT term 5-T-TEMP then next term
set policy-options policy-statement POL-PATHNETWORK-EXPORT term 10-T-LAUNDRY from prefix-list PL-UNDERATTACK
set policy-options policy-statement POL-PATHNETWORK-EXPORT term 10-T-LAUNDRY then accept
set policy-options policy-statement POL-PATHNETWORK-EXPORT term LAST then reject
VYOS
set interfaces tunnel tun0 address {customer_inner}
set interfaces tunnel tun0 description 'Path.net tunnel'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 mode gre
set interfaces tunnel tun0 source-address {wan_addr}
set interfaces tunnel tun0 remote {customer_anycast_ip}
set interfaces tunnel tun0 mtu 1460
set interfaces {wan interface} address {wan_addr}
set protocols static route 0.0.0.0/0 next-hop {path_inner}
set protocols static route {customer_anycast_ip}/32 next-hop {carrier_gateway}
set protocols bgp local-as {customer_asn}
set protocols bgp neighbor {provider_inner_32} ebgp-multihop '2'
set protocols bgp neighbor {provider_inner_32} remote-as '396998'
set protocols bgp neighbor {provider_inner_32} update-source '{customer_inner_32}'
set protocols bgp address-family ipv4-unicast network '{customer_provided_network}'
set protocols bgp parameters router-id '{customer_inner_32}'
set policy prefix-list {customer_asn}-IN rule 10 action 'deny'
set policy prefix-list {customer_asn}-IN rule 10 prefix '{provider_learned_networks}'
set policy prefix-list {customer_asn}-OUT rule 10 action 'permit'
set policy prefix-list {customer_asn}-OUT rule 10 prefix '{customer_advertised_networks}'
set policy route-map {customer_asn}-IN rule 10 action 'deny'
set policy route-map {customer_asn}-IN rule 10 match ip address prefix-list '{customer_asn}-IN'
set policy route-map {customer_asn}-OUT rule 10 action 'permit'
set policy route-map {customer_asn}-OUT rule 10 match ip address prefix-list '{customer_asn}-OUT'
set protocols bgp local-as {customer_asn}
set protocols bgp neighbor {provider_inner_32} address-family ipv4-unicast route-map export '{customer_asn}-OUT'
set protocols bgp neighbor {provider_inner_32} address-family ipv4-unicast route-map import '{customer_asn}-IN'
set protocols static route {customer_advertised_networks} blackhole distance '254'
commit
save
Bird
log syslog all;
router id {customer_inner};

protocol static {
    ipv4;
    route {customer_prefix} blackhole;
}

protocol bgp pathtunnel {
    local {customer_inner} as {customer_asn};
    neighbor {path_inner} as 396998;
    multihop;
    ipv4 {
        import all;
        export all;
    };
}
Netgate / pfSense
The first thing to check when working with a Netgate router running pfSense is the Package Manager. To run BGP you need to install the FRR package (FRR Routing Daemon for BGP, OSPF and OSPF6).
NOTE: this package conflicts with the following:
- Quagga OSPF
- OpenBGPD
1. After the package is installed, go to Interfaces and create a new GRE tunnel. The Parent Interface should be the WAN interface. Remote Address is the public IP of the Path interface the GRE tunnel is configured on. Under IPv4, set the local and remote internal tunnel addresses and their subnet. Set the Description to "Path Tunnel".
2. Then navigate to Services / FRR / BGP.
3. Under BGP: enable BGP, set the local AS, then specify the networks to distribute at the bottom and any route maps that need to be set. Then hit Save.
4. Navigate to Services / FRR / Global Settings / Prefix Lists and add a new one. IP Type is IPv4, Name is PathOutACL, and the Prefix List Entries are: Sequence 10, Action Permit, Network the prefix being announced, if applicable. Then hit Save.
5. Now select and configure Route Maps. Create the first as follows: Name PathInRmap, Action Deny, Sequence 10, and save the route map. Add the next route map as follows: Name PathOutRmap, Action Permit, Sequence 10, Match Prefix List IPv4 PathOutACL, and save. The BGP session will reset as the changes are written to memory.
6. Next navigate to Neighbors and add a new neighbor entry. In General Options set the Name/Address to the Path tunnel endpoint (this should be an RFC 1918 address), set the description to "Path Tunnel", and set the peer group if needed. Under Basic Options set the Remote AS (Path ASN 396998), set the Update Source to IPv4 and the Local Source of BGP Updates to the "Path Tunnel" GRE interface. Enable Send Community if there is one, and enable Next Hop Self. Set the Route Map Filters to Inbound PathInRmap and Outbound PathOutRmap. Lastly, check "Enforce EBGP neighbors perform multihop". Click Save; the BGP session will reset after the changes are written to memory.
7. The last thing to do before testing and troubleshooting is to set up several rules on the firewall for the Path tunnel interface. The first: Action Pass, Interface PATH, Address Family IPv4, Protocol TCP, Source Single host or alias with the IP of the internal Path GRE tunnel endpoint, Destination Single host or alias with the internal client-side IP of the GRE tunnel, port 179 (BGP) for both source and destination. The Description can be set to "Overlay BGP". Click Save and move on to the next rule. The next rule allows ICMP over the tunnel for testing: Action Pass, Interface PATH, Address Family IPv4, Protocol ICMP with subtype Echo Request. Source is the Path internal GRE tunnel IP and Destination is the customer internal GRE tunnel IP. Set the Description to "Overlay Ping" and save. You may need to add rules for whatever endpoints are needed on the Path GRE tunnel if the customer is behind a NAT.
8. Once the configuration is complete you can troubleshoot by choosing Status and viewing the BGP logs. You can also go to Diagnostics / Ping and try to ping the other side of the GRE tunnel.