3. Network configuration

3.1. License

For each vRouter node of this setup, follow the Getting Started guide to provide a minimal Day-1 configuration and install a valid and relevant license.

A valid Turbo Router Network License is required. Use show license to confirm that one is active.

vrouter> show license
Active perpetual license for Turbo Router
Current activations 1/8
Connected to license server
Serial number is XXXXXXXXXXXXXXXX
Computer ID is OoBA4IqJDHTA7eQmwbRv
License was activated online
Support is valid until 2020-04-30 05:00:00 (standard mode)
Max throughput 20.0G (currently used 0.0G)
vrouter>

3.2. Hostname

Using the vRouter CLI, let us start with setting the hostname and then getting the interfaces configured.

To set the vRouter hostname, proceed as follows:

vrouter> edit running
vrouter running config# system hostname border1
vrouter running config# commit
border1 running config#

3.3. Interfaces

Allocate the ports that will be involved in data plane processing into the fast path:

border1> edit running
border1 running config# / system fast-path
border1 running fast-path#! port pci-b0s4
border1 running fast-path# port pci-b0s5
border1 running fast-path# port pci-b0s6

All physical and logical interfaces are configured under the ‘main’ VRF in this example.

border1 running fast-path# / vrf main

Create Ethernet interfaces and attach them to a port of a NIC:

border1 running vrf main# interface physical ntfp1
border1 running physical ntfp1#! port pci-b0s4
border1 running physical ntfp1# description "Border1_internal"
border1 running physical ntfp1# ipv4 address 172.16.100.1/24
border1 running physical ntfp1# ..

border1 running interface# physical ntfp2
border1 running physical ntfp2#! port pci-b0s5
border1 running physical ntfp2# ..

border1 running interface# physical ntfp3
border1 running physical ntfp3#! port pci-b0s6
border1 running physical ntfp3# ..

Add VLANs towards the ISP networks:

border1 running interface# vlan vlan1
border1 running vlan vlan1# description "Transit_1"
border1 running vlan vlan1# ipv4 address 1.1.1.2/24
border1 running vlan vlan1# vlan-id 1
border1 running vlan vlan1# link-interface ntfp3
border1 running vlan vlan1# ..

border1 running interface# vlan vlan2
border1 running vlan vlan2# description "Transit_2"
border1 running vlan vlan2# ipv4 address 2.2.2.2/24
border1 running vlan vlan2# vlan-id 2
border1 running vlan vlan2# link-interface ntfp3
border1 running vlan vlan2# ..

border1 running interface# vlan vlan3
border1 running vlan vlan3# description "Transit_3"
border1 running vlan vlan3# ipv4 address 3.3.3.2/24
border1 running vlan vlan3# vlan-id 3
border1 running vlan vlan3# link-interface ntfp2
border1 running vlan vlan3# ..

Add a loopback interface for OSPF to use as a BGP update-source:

border1 running interface# loopback loopback0
border1 running loopback loopback0# ipv4 address 172.16.200.1/32
border1 running loopback loopback0# ..

Add VRRP interfaces on top of each VLAN towards the ISP networks and on top of the internal network interface, and enable the VRRP service:

border1 running interface# vrrp vrrp1
border1 running vrrp vrrp1#! vrid 1
border1 running vrrp vrrp1#! link-interface vlan1
border1 running vrrp vrrp1# virtual-address 1.1.1.4/24
border1 running vrrp vrrp1# priority 150
border1 running vrrp vrrp1# track-fast-path true
border1 running vrrp vrrp1# preempt-delay 60
border1 running vrrp vrrp1# ..

border1 running interface# vrrp vrrp2
border1 running vrrp vrrp2#! vrid 2
border1 running vrrp vrrp2#! link-interface vlan2
border1 running vrrp vrrp2# virtual-address 2.2.2.4/24
border1 running vrrp vrrp2# priority 150
border1 running vrrp vrrp2# track-fast-path true
border1 running vrrp vrrp2# preempt-delay 60
border1 running vrrp vrrp2# ..

border1 running interface# vrrp vrrp3
border1 running vrrp vrrp3#! vrid 3
border1 running vrrp vrrp3#! link-interface vlan3
border1 running vrrp vrrp3# virtual-address 3.3.3.4/24
border1 running vrrp vrrp3# priority 150
border1 running vrrp vrrp3# track-fast-path true
border1 running vrrp vrrp3# preempt-delay 60
border1 running vrrp vrrp3# ..

border1 running interface# vrrp vrrp_internal
border1 running vrrp vrrp_internal#! vrid 200
border1 running vrrp vrrp_internal#! link-interface ntfp1
border1 running vrrp vrrp_internal# virtual-address 172.16.100.5/24
border1 running vrrp vrrp_internal# priority 150
border1 running vrrp vrrp_internal# track-fast-path true
border1 running vrrp vrrp_internal# preempt-delay 60
border1 running vrrp vrrp_internal# ..

border1 running interface# ..
border1 running vrf main# vrrp router-id border1
border1 running vrf main# vrrp group vrrp_group
border1 running group vrrp_group# instance vrrp1
border1 running group vrrp_group# instance vrrp2
border1 running group vrrp_group# instance vrrp3
border1 running group vrrp_group# instance vrrp_internal
border1 running group vrrp_group# /

Note

In order to direct traffic across a specific border router, we increase the priority of the VRRP interface on this router while leaving the default priority on border2, so that border1 holds the virtual addresses. The preemption delay ensures that border1 will have time to learn all routes after a reboot before performing a failback.

Review the configuration and commit it:

border1 running config# show config nodefault
interface
    physical ntfp1
        port pci-b0s4
[...]
border1 running config# commit
Configuration committed.

Be sure other routers of the setup (PE1, PE2) are configured correctly, then check connectivity using the ping command. Here we will simply ping 172.16.100.4 (PE1) as an example:

border1 running config# cmd ping 172.16.100.4

PING 172.16.100.4 (172.16.100.4) 56(84) bytes of data:
64 bytes from 172.16.100.4: icmp_seq=1 ttl=64 time=0.396 ms
64 bytes from 172.16.100.4: icmp_seq=2 ttl=64 time=0.326 ms
64 bytes from 172.16.100.4: icmp_seq=3 ttl=64 time=0.346 ms
^C
--- 172.16.100.4 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 3136 ms
rtt min/avg/max/mdev = 0.326/0.356/0.396/0.0.036ms

3.4. OSPF

Next, we configure an interior routing protocol. This will be a very simple OSPF configuration with only neighbors on the 172.16.100.0 private network. We redistribute the loopback address configured earlier and make it a passive OSPF interface. The router-id will simply be set to the same IPv4 loopback address for ease of reading.

border1 running config# / routing
border1 running routing# ipv4-prefix-list BGP-endpoints
border1 running ipv4-prefix-list BGP-endpoints#! seq 1 address 172.16.200.0/24 policy permit le 32
border1 running ipv4-prefix-list BGP-endpoints# ..
border1 running routing# route-map FILTER-OSPF
border1 running route-map FILTER-OSPF#! seq 10
border1 running seq 10#! policy permit
border1 running seq 10# match ip address prefix-list BGP-endpoints
border1 running seq 10# / vrf main routing ospf
border1 running ospf# router-id 172.16.200.1
border1 running ospf# abr-type standard
border1 running ospf# log-adjacency-changes detail
border1 running ospf# network 172.16.100.0/24 area 0
border1 running ospf# passive-interface loopback0
border1 running ospf# redistribute connected route-map FILTER-OSPF
border1 running ospf# commit

At this time, it would be a good idea to check the OSPF adjacencies and routes. See the Troubleshooting section below.

3.5. BGP

The key configuration item of this and most border routers is the exterior routing protocol BGP.

This configuration example will have iBGP/eBGP ipv4-unicast neighbors. Route-reflectors could easily have been used, but in this example we choose to create a full internal mesh using OSPF.

We will anchor the update-sources using the loopback addresses that were redistributed via OSPF in section 3.2.2.

3.5.1. iBGP

First we will peer with the internal network, i.e. the other border router and PEs. We start out by defining our own AS and router-id.

Configuring the local AS and router-id:

border1 running vrf main# routing bgp
border1 running bgp#! as 65200
border1 running bgp# router-id 172.16.200.1
border1 running bgp# address-family ipv4-unicast redistribute connected

Next, we configure BGP peering with the second Border Router:

border1 running bgp# neighbor 172.16.200.2
border1 running neighbor 172.16.200.2#! remote-as 65200
border1 running neighbor 172.16.200.2# neighbor-description border2
border1 running neighbor 172.16.200.2# update-source loopback0
border1 running neighbor 172.16.200.2# address-family ipv4-unicast soft-reconfiguration-inbound true
border1 running neighbor 172.16.200.2# ..
border1 running bgp# commit

Then finally, as part of our iBGP configuration, we configure BGP peering with the internal routers PE1 & PE2:

border1 running bgp# neighbor 172.16.200.3
border1 running neighbor 172.16.200.3#! remote-as 65200
border1 running neighbor 172.16.200.3# neighbor-description PE1
border1 running neighbor 172.16.200.3# update-source loopback0
border1 running neighbor 172.16.200.3# address-family ipv4-unicast nexthop-self force true
border1 running neighbor 172.16.200.3# address-family ipv4-unicast soft-reconfiguration-inbound true
border1 running neighbor 172.16.200.3# ..
border1 running bgp# neighbor 172.16.200.4
border1 running neighbor 172.16.200.4#! remote-as 65200
border1 running neighbor 172.16.200.4# neighbor-description PE2
border1 running neighbor 172.16.200.4# update-source loopback0
border1 running neighbor 172.16.200.4# address-family ipv4-unicast nexthop-self force true
border1 running neighbor 172.16.200.4# address-family ipv4-unicast soft-reconfiguration-inbound true
border1 running neighbor 172.16.200.4# ..

In order to improve the global failover and failback duration, we then declare and apply a route-map that sets the next-hop of the routes we redistribute to PE1 and PE2 to the virtual IP address of the internal VRRP interface:

border1 running bgp# / routing
border1 running routing# route-map BGP-REDISTRIBUTE-INTERNAL
border1 running route-map BGP-REDISTRIBUTE-INTERNAL#! seq 10
border1 running seq 10#! policy deny
border1 running seq 10# match ip address prefix-list BGP-endpoints
border1 running seq 10# .. seq 20
border1 running seq 20#! policy permit
border1 running seq 20# set ip next-hop 172.16.100.5
border1 running seq 20# / vrf main routing bgp
border1 running bgp# neighbor 172.16.200.3 address-family ipv4-unicast route-map out route-map-name BGP-REDISTRIBUTE-INTERNAL
border1 running bgp# neighbor 172.16.200.4 address-family ipv4-unicast route-map out route-map-name BGP-REDISTRIBUTE-INTERNAL
border1 running bgp# commit

3.5.2. eBGP

Configure peering with ISPs:

border1 running bgp# neighbor 1.1.1.1
border1 running neighbor 1.1.1.1#! remote-as 100
border1 running neighbor 1.1.1.1# neighbor-description Transit1-IPv4
border1 running neighbor 1.1.1.1# address-family ipv4-unicast soft-reconfiguration-inbound true
border1 running neighbor 1.1.1.1# ..

border1 running bgp# neighbor 2.2.2.1
border1 running neighbor 2.2.2.1#! remote-as 200
border1 running neighbor 2.2.2.1# neighbor-description Transit2-IPv4
border1 running neighbor 2.2.2.1# address-family ipv4-unicast soft-reconfiguration-inbound true
border1 running neighbor 2.2.2.1# ..

border1 running bgp# neighbor 3.3.3.1
border1 running neighbor 3.3.3.1#! remote-as 300
border1 running neighbor 3.3.3.1# neighbor-description Transit3-IPv4
border1 running neighbor 3.3.3.1# address-family ipv4-unicast soft-reconfiguration-inbound true
border1 running neighbor 3.3.3.1# ..

In order to direct traffic across a specific border router, we set the next-hop of the locally originated prefixes to the virtual addresses of the external VRRP interfaces by way of a route-map:

border1 running config# / routing
border1 running routing# ipv4-prefix-list prefix-local-origin
border1 running ipv4-prefix-list prefix-local-origin#! seq 10 address 200.200.208.0/20 policy permit le 32
border1 running ipv4-prefix-list prefix-local-origin# / routing route-map TRANSIT-1-OUT
border1 running route-map TRANSIT-1-OUT#! seq 1 match ip address prefix-list prefix-local-origin
border1 running route-map TRANSIT-1-OUT#! seq 1 policy permit
border1 running route-map TRANSIT-1-OUT# seq 1 set ip next-hop 1.1.1.4
border1 running route-map TRANSIT-1-OUT# ..
border1 running routing# route-map TRANSIT-2-OUT
border1 running route-map TRANSIT-2-OUT#! seq 1 match ip address prefix-list prefix-local-origin
border1 running route-map TRANSIT-2-OUT#! seq 1 policy permit
border1 running route-map TRANSIT-2-OUT# seq 1 set ip next-hop 2.2.2.4
border1 running route-map TRANSIT-2-OUT# ..
border1 running routing# route-map TRANSIT-3-OUT
border1 running route-map TRANSIT-3-OUT#! seq 1 match ip address prefix-list prefix-local-origin
border1 running route-map TRANSIT-3-OUT#! seq 1 policy permit
border1 running route-map TRANSIT-3-OUT# seq 1 set ip next-hop 3.3.3.4
border1 running route-map TRANSIT-3-OUT# ..
border1 running routing# / vrf main routing bgp
border1 running bgp# neighbor 1.1.1.1 address-family ipv4-unicast route-map out route-map-name TRANSIT-1-OUT
border1 running bgp# neighbor 2.2.2.1 address-family ipv4-unicast route-map out route-map-name TRANSIT-2-OUT
border1 running bgp# neighbor 3.3.3.1 address-family ipv4-unicast route-map out route-map-name TRANSIT-3-OUT
border1 running bgp# commit

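We can optimize the configuration further by filtering what we accept from the transit peers: the prefix-list below denies reserved, private, loopback, link-local and multicast ranges, denies any prefix longer than /24, and permits everything else: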

border1 running config# / routing ipv4-prefix-list filter-bogons
border1 running ipv4-prefix-list filter-bogons#! seq 5 address 0.0.0.0/8 policy deny le 32
border1 running ipv4-prefix-list filter-bogons# seq 10 address 10.0.0.0/8 policy deny le 32
border1 running ipv4-prefix-list filter-bogons# seq 15 address 127.0.0.0/8 policy deny le 32
border1 running ipv4-prefix-list filter-bogons# seq 20 address 169.254.0.0/16 policy deny le 32
border1 running ipv4-prefix-list filter-bogons# seq 25 address 172.16.0.0/12 policy deny le 32
border1 running ipv4-prefix-list filter-bogons# seq 30 address 192.168.0.0/16 policy deny le 32
border1 running ipv4-prefix-list filter-bogons# seq 35 address 224.0.0.0/3 policy deny le 32
border1 running ipv4-prefix-list filter-bogons# seq 40 address 0.0.0.0/0 policy deny ge 25
border1 running ipv4-prefix-list filter-bogons# seq 45 address 0.0.0.0/0 policy permit le 32

border1 running ipv4-prefix-list filter-bogons# / vrf main routing bgp
border1 running bgp# neighbor 1.1.1.1 address-family ipv4-unicast prefix-list in prefix-list-name filter-bogons
border1 running bgp# neighbor 2.2.2.1 address-family ipv4-unicast prefix-list in prefix-list-name filter-bogons
border1 running bgp# neighbor 3.3.3.1 address-family ipv4-unicast prefix-list in prefix-list-name filter-bogons
border1 running bgp# commit
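
The following Python sketch is an added example, not part of the original guide: it replays the filter-bogons entries above against a few constructed announcements to show which sequence number decides each one. It assumes conventional first-match prefix-list semantics (ge/le bound the announced prefix length, implicit deny at the end); the function names and sample prefixes are illustrative.

```python
import ipaddress

# filter-bogons as configured above: (seq, prefix, policy, ge, le)
FILTER_BOGONS = [
    (5,  "0.0.0.0/8",      "deny",   None, 32),
    (10, "10.0.0.0/8",     "deny",   None, 32),
    (15, "127.0.0.0/8",    "deny",   None, 32),
    (20, "169.254.0.0/16", "deny",   None, 32),
    (25, "172.16.0.0/12",  "deny",   None, 32),
    (30, "192.168.0.0/16", "deny",   None, 32),
    (35, "224.0.0.0/3",    "deny",   None, 32),
    (40, "0.0.0.0/0",      "deny",   25,   None),
    (45, "0.0.0.0/0",      "permit", None, 32),
]

# Constructed sample announcements (not taken from a real BGP feed).
SAMPLES = ["10.1.0.0/16", "172.20.0.0/16", "240.0.0.0/4", "203.0.113.0/25",
           "198.51.100.0/24", "0.0.0.0/0", "100.64.0.0/10", "200.200.208.0/20"]


def entry_matches(route, prefix, ge, le):
    """True if route lies inside prefix and its length is within [ge, le]."""
    net = ipaddress.ip_network(prefix)
    if not route.subnet_of(net):
        return False
    if ge is None and le is None:
        # Without ge/le an entry matches the exact prefix length only.
        return route.prefixlen == net.prefixlen
    low = ge if ge is not None else net.prefixlen
    high = le if le is not None else route.max_prefixlen
    return low <= route.prefixlen <= high


def evaluate(prefix_list, announced):
    """Return (policy, seq) of the first matching entry, in seq order."""
    route = ipaddress.ip_network(announced)
    for seq, prefix, policy, ge, le in sorted(prefix_list, key=lambda e: e[0]):
        if entry_matches(route, prefix, ge, le):
            return policy, seq
    return "deny", None  # assumed implicit deny when nothing matches


def audit(prefix_list, announcements):
    """Map each announced prefix to the decision the list takes on it."""
    return {a: evaluate(prefix_list, a) for a in announcements}


if __name__ == "__main__":
    for prefix, (policy, seq) in audit(FILTER_BOGONS, SAMPLES).items():
        print(f"{prefix:18} {policy:6} seq {seq}")
```

Under these assumptions the private, reserved, multicast and longer-than-/24 samples are denied, while the default route, 100.64.0.0/10 and the locally originated 200.200.208.0/20 fall through to seq 45 and are accepted from the transit peers.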

3.6. Route optimization through BGP FlowSpec and sFlow

The IRP monitoring station runs route optimization software that relies on sFlow to collect traffic statistics from the border router and on BGP FlowSpec to inject Policy-Based Routing rules that redirect specific traffic through one transit router or another.

This section details the sFlow and BGP configuration on the border router for this purpose.

Configure sFlow on the loopback interface, reporting information from the VLAN interfaces connected to the transit routers:

border1 running config# / vrf main sflow
border1 running sflow#! agent-interface loopback0
border1 running sflow#! sflow-collector 172.16.100.253
border1 running sflow#! sflow-collector 172.16.100.254
border1 running sflow#! sflow-interface vlan1
border1 running sflow# sflow-interface vlan2
border1 running sflow# sflow-interface vlan3
border1 running sflow# sflow-sampling speed 40G
border1 running sflow# sflow-sampling speed 10G rate 10000
border1 running sflow# /
border1 running config# commit

Add the IRP monitoring station as a BGP FlowSpec peer:

border1 running config# / vrf main routing bgp
border1 running bgp# neighbor 172.16.100.253
border1 running neighbor 172.16.100.253#! remote-as 65200
border1 running neighbor 172.16.100.253# neighbor-description IRP
border1 running neighbor 172.16.100.253# address-family ipv4-unicast soft-reconfiguration-inbound true
border1 running neighbor 172.16.100.253# address-family ipv4-unicast route-reflector-client true
border1 running neighbor 172.16.100.253# address-family ipv4-flowspec soft-reconfiguration-inbound true
border1 running neighbor 172.16.100.253# address-family ipv4-flowspec route-reflector-client true
border1 running neighbor 172.16.100.253# commit

3.7. Securing NETCONF server

By default, the NETCONF server listens on all interfaces of the main VRF, on port 830. In order to secure your Turbo Router, the default behaviour can be changed by binding the NETCONF server to a particular interface on a separate VRF, and on a particular port.

Let’s configure the NETCONF server so it starts in the mgmt VRF, on address 10.0.2.15, port 8030:

border1-vm running config# vrf mgmt netconf-server
border1-vm running netconf-server# enabled true
border1-vm running netconf-server# address 10.0.2.15 port 8030
border1-vm running netconf-server# commit
Configuration committed.

Let’s check its state:

border1-vm running config# show state / vrf mgmt netconf-server
netconf-server
    enabled true
    address 10.0.2.15 port 8030
    ..
