author | Eugene Bogomazov <eb@qrator.net> | 2022-06-17 12:14:46 +0200 |
---|---|---|
committer | Eugene Bogomazov <eb@qrator.net> | 2022-06-17 12:14:46 +0200 |
commit | d864dd9eb182eefaa4d08717bd2837f9182956a6 (patch) | |
tree | c60b9a1f8d0d4d8a9630d0a218b265cb743e8869 /doc/user/bgp.rst | |
parent | Merge pull request #11422 from opensourcerouting/feature/autoclose_stale_issu... (diff) | |
bgpd: Add RFC9234 implementation
RFC9234 is a way to establish correct connection roles (Customer/
Provider, Peer or with RS) between bgp speakers. This patch:
- Add a new configuration/terminal option to set the appropriate local
role;
- Add a mechanism for checking used roles, implemented by exchanging
the corresponding capabilities in OPEN messages;
- Add strict mode to force other party to use this feature;
- Add basic support for a new transitive optional bgp attribute - OTC
(Only to Customer);
- Add logic for default setting OTC attribute and filtering routes with
this attribute by the edge speakers, if the appropriate conditions are
met;
- Add two test stands to check role negotiation and route filtering
during role usage.
Signed-off-by: Eugene Bogomazov <eb@qrator.net>
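The mechanism the commit message lists (role check in the OPEN exchange, strict mode, OTC marking and filtering), as an added example that is not FRR's bgpd code. The capability code 9, the OTC attribute type 35 and the OPEN Message Error subcode 11 ("Role Mismatch") are the values RFC 9234 assigns; the AS numbers, prefixes and the `Route` type are constructed for the scenario and the helper names are this example's own.

```python
"""Model of the RFC 9234 role check and Only-to-Customer (OTC) rules.

Illustrative code for this page, not FRR's implementation.  Constants come
from RFC 9234; the topology in walk_scenario() is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from enum import IntEnum
from typing import Optional

ROLE_CAPABILITY_CODE = 9      # BGP Role capability (RFC 9234 section 4.1)
OTC_ATTR_TYPE = 35            # Only to Customer path attribute (section 4.3)
OPEN_MESSAGE_ERROR = 2        # NOTIFICATION error code
ROLE_MISMATCH_SUBCODE = 11    # OPEN Message Error subcode "Role Mismatch"


class Role(IntEnum):
    """Role values as carried in the capability byte."""
    PROVIDER = 0
    RS = 1          # route server ("rs-server" in the FRR CLI)
    RS_CLIENT = 2
    CUSTOMER = 3
    PEER = 4


# The only (local, remote) combinations the role check accepts.
VALID_PAIRS = {
    (Role.PROVIDER, Role.CUSTOMER), (Role.CUSTOMER, Role.PROVIDER),
    (Role.RS, Role.RS_CLIENT), (Role.RS_CLIENT, Role.RS),
    (Role.PEER, Role.PEER),
}


def encode_role_capability(role: Role) -> bytes:
    """Capability TLV: code 9, length 1, one byte of role value."""
    return bytes([ROLE_CAPABILITY_CODE, 1, int(role)])


def decode_role_capability(caps: bytes) -> Optional[int]:
    """Walk a list of capability TLVs; return the role byte or None if absent."""
    i = 0
    while i + 2 <= len(caps):
        code, length = caps[i], caps[i + 1]
        if code == ROLE_CAPABILITY_CODE and length == 1:
            return caps[i + 2]
        i += 2 + length
    return None


def check_open(local_role: Role, strict: bool, peer_caps: bytes) -> Optional[tuple]:
    """Return (code, subcode) of the NOTIFICATION to send, or None to accept."""
    remote = decode_role_capability(peer_caps)
    if remote is None:
        # Without strict mode a neighbor that sends no role is tolerated.
        return (OPEN_MESSAGE_ERROR, ROLE_MISMATCH_SUBCODE) if strict else None
    if (local_role, remote) not in VALID_PAIRS:   # also rejects unknown values
        return (OPEN_MESSAGE_ERROR, ROLE_MISMATCH_SUBCODE)
    return None


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple
    otc: Optional[int] = None   # OTC attribute value (an ASN), None if absent


def on_receive(route: Route, local_role: Role, remote_as: int) -> Optional[Route]:
    """Ingress rules (RFC 9234 section 5); None means the route is a leak."""
    if route.otc is not None:
        if local_role in (Role.PROVIDER, Role.RS):      # came from customer/RS client
            return None
        if local_role == Role.PEER and route.otc != remote_as:
            return None
        return route
    if local_role in (Role.CUSTOMER, Role.PEER, Role.RS_CLIENT):
        return replace(route, otc=remote_as)        # tag with the sender's ASN
    return route


def on_send(route: Route, local_role: Role, local_as: int) -> Optional[Route]:
    """Egress rules; None means the route is withheld from this neighbor."""
    if route.otc is not None:
        if local_role in (Role.CUSTOMER, Role.PEER, Role.RS_CLIENT):
            return None                             # never up or sideways
        return route
    if local_role in (Role.PROVIDER, Role.PEER, Role.RS):
        return replace(route, otc=local_as)         # tag with our own ASN
    return route


def walk_scenario() -> dict:
    """Constructed topology: provider 64496 -> 64500 -> peer 64510, customer 64520."""
    r = {}
    r["open_ok"] = check_open(Role.PROVIDER, True, encode_role_capability(Role.CUSTOMER))
    r["open_no_cap"] = check_open(Role.PROVIDER, True, b"")
    r["open_bad_pair"] = check_open(Role.PROVIDER, False, encode_role_capability(Role.PEER))
    # Provider 64496 advertises to its customer 64500: OTC is stamped on egress.
    sent = on_send(Route("192.0.2.0/24", (64496,)), Role.PROVIDER, local_as=64496)
    learned = on_receive(sent, Role.CUSTOMER, remote_as=64496)
    r["learned_otc"] = learned.otc
    r["to_peer"] = on_send(learned, Role.PEER, local_as=64500)        # the classic leak
    r["to_customer"] = on_send(learned, Role.PROVIDER, local_as=64500)  # allowed
    # Detection: peer 64510 re-exports something tagged by its own provider.
    leaked = Route("198.51.100.0/24", (64510, 64496), otc=64496)
    r["leak_from_peer"] = on_receive(leaked, Role.PEER, remote_as=64510)
    return r


if __name__ == "__main__":
    for key, value in walk_scenario().items():
        print(f"{key}: {value}")
```

The scenario shows both halves of the feature: the OPEN check refuses a missing capability only when strict mode is on, and the OTC stamp placed by the provider on egress is what later stops AS 64500 from re-exporting the prefix to its lateral peer, while the same stamp lets 64500 detect a route that peer 64510 should never have sent.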
Diffstat (limited to 'doc/user/bgp.rst')
-rw-r--r-- | doc/user/bgp.rst | 59 |
1 files changed, 59 insertions, 0 deletions
diff --git a/doc/user/bgp.rst b/doc/user/bgp.rst index d4abf2c34..76af844b3 100644 --- a/doc/user/bgp.rst +++ b/doc/user/bgp.rst 
@@ -2643,6 +2643,65 @@ Large Communities in Route Map Note that the large expanded community is only used for `match` rule, not for `set` actions. +.. _bgp-roles-and-only-to-customers: + +BGP Roles and Only to Customers +------------------------------- + +BGP roles are defined in :rfc:`9234` and provide an easy way to route leaks +prevention, detection and mitigation. + +To enable its mechanics, you must set your local role to reflect your type of +peering relationship with your neighbor. Possible values of ``LOCAL-ROLE`` are: +<provider|rs-server|rs-client|customer|peer>. + +The local Role value is negotiated with the new BGP Role capability with a +built-in check of the corresponding value. In case of mismatch the new OPEN +Roles Mismatch Notification <2, 11> would be sent. + +The correct Role pairs are: + +* Provider - Customer +* Peer - Peer +* RS-Server - RS-Client + +.. code-block:: shell + + ~# vtysh -c 'show bgp neighbor' | grep 'Role' + Local Role: customer + Neighbor Role: provider + Role: advertised and received + +If strict-mode is set BGP session won't become established until BGP neighbor +set local Role on its side. This configuratoin parameter is defined in +:rfc:`9234` and used to enforce corresponding configuration at your +conter-part side. Default value - disabled. + +Routes that sent from provider, rs-server, or peer local-role (or if received +by customer, rs-clinet, or peer local-role) will be marked with a new +Only to Customer (OTC) attribute. + +Routes with this attribute can only be sent to your neighbor if your +local-role is provider or rs-server. Routes with this attribute can be +received only if your local-role is customer or rs-client. + +In case of peer-peer relaitonship routes can be received only if +OTC value is equal to your neighbor AS number. + +All these rules with OTC help to detect and mitigate route leaks and +happened automatically if local-role is set. + +.. 
clicmd:: neighbor PEER local-role LOCAL-ROLE [strict-mode] + + This command set your local-role to ``LOCAL-ROLE``: + <provider|rs-server|rs-client|customer|peer>. + + This role help to detect and prevent route leaks. + + If ``strict-mode`` is set, your neighbor must send you Capability with the + value of his role (by setting local-role on his side). Otherwise, a Role + Mismatch Notification will be sent. + .. _bgp-l3vpn-vrfs: L3VPN VRFs |
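Review bot: the new "BGP Roles and Only to Customers" section has several spelling and grammar slips that will ship in the user manual: "configuratoin" and "conter-part" in the strict-mode paragraph, "rs-clinet" in the OTC marking paragraph, "relaitonship" in the peer paragraph, "Routes that sent from" (should be "Routes that are sent from"), and in the clicmd text "This command set your local-role" and "This role help to detect" (should be "sets" and "helps"). Two wording points beyond typos: "The local Role value is negotiated with the new BGP Role capability" overstates it, since the text itself describes a fixed pair check that ends in a Role Mismatch Notification rather than any negotiation, so "is exchanged in the new BGP Role capability and checked against the neighbor's value" would be accurate; and "Routes with this attribute can be received only if your local-role is customer or rs-client" is contradicted by the next paragraph about peer sessions, so merging them as "customer, rs-client, or peer (for peer, only when the OTC value equals the neighbor's AS number)" would keep the three ingress cases together. Finally, since the commit message says the role is carried in the OPEN message, the clicmd entry should state whether adding, changing or removing `neighbor PEER local-role` resets an established session, and should document the `no` form of the command.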