In this post we’ll have a look at how to automate a typical BGP setup. This is where configuration may get particularly messy, especially in the presence of backdoor links and complex routing failover policies. However, as I will show, it is still possible to create a standard set of routing manipulation policies and selectively apply them to the required adjacencies to achieve the desired effect.
Requirements and assumptions
The new office network is designed with several layers of WAN redundancy. The primary WAN link is the preferred option to reach all other WAN destinations except for the Main office, which is connected via a dedicated high-throughput link. The secondary WAN link should only be used if both the primary and backdoor links are unavailable.
All routed devices within Branch-2 will be running iBGP AS#3, with BR2-CORE acting as the route reflector for the two WAN routers. iBGP convergence timers should rely on the IGP’s timers (OSPF default timers of 10 and 40 seconds). The site’s core switch should originate a site summary prefix as well as any other non-standard prefixes falling outside of the standard site summary (e.g. links to 3rd parties, DMZ etc.). All prefixes originated by the site should be tagged with specific community values so that they are easily identifiable at the remote end.
eBGP configuration automation
Each site will have a unique set of eBGP peers, hence it is logical to put all eBGP-related variables into a site-specific directory, group_vars/branch-2/. To configure each eBGP neighbor, the following values need to be defined:
- IP addresses
- AS number
- (optional) Routing manipulation policies
The above values correspond to the following Ansible variables:
The ebgp_peers variable contains a mapping between network devices and their eBGP neighbors, identified by their IP addresses. BGP path manipulation policies should ideally belong to global variables and are defined under the company-wide
All information defined above will be reused by the bgp template of the routing Ansible role:
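The per-neighbor data described above can be checked before it is rendered, so that a malformed address or a policy name with no global definition fails the build instead of reaching a router. The following Python is an added example, not the post's template or variables; the data layout, the device names BR2-WAN1 and BR2-WAN2, the policy and route-map names, the peer AS numbers and the addresses are all assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample data (assumed layout, not the post's own variables):
# device -> neighbor IP -> {"as": int, "policies": [policy names]}
EBGP_PEERS = {
    "BR2-WAN1": {"198.51.100.1": {"as": 65001, "policies": ["PREPEND_OUT"]}},
    "BR2-WAN2": {"198.51.100.5": {"as": 65002}},
}
# Hypothetical company-wide policies: name -> (route-map name, direction)
BGP_POLICIES = {
    "PREPEND_OUT": ("RM-PREPEND-OUT", "out"),
    "LOWER_LOCALPREF_IN": ("RM-LOWER-LP-IN", "in"),
}
LOCAL_AS = 3  # the site AS given in the requirements


def render_ebgp(device, peers=EBGP_PEERS, policies=BGP_POLICIES, local_as=LOCAL_AS):
    """Return IOS-style BGP lines for one device; raise ValueError on bad data."""
    lines = [f"router bgp {local_as}"]
    for ip, peer in sorted(peers.get(device, {}).items()):
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        asn = peer.get("as")
        if not isinstance(asn, int) or not 1 <= asn <= 4294967295:
            raise ValueError(f"{device}/{ip}: invalid AS number {asn!r}")
        if asn == local_as:
            raise ValueError(f"{device}/{ip}: eBGP peer uses the local AS")
        lines.append(f" neighbor {ip} remote-as {asn}")
        # Policies are optional; every referenced name must exist globally.
        for name in peer.get("policies", []):
            if name not in policies:
                raise ValueError(f"{device}/{ip}: undefined policy {name!r}")
            route_map, direction = policies[name]
            lines.append(f" neighbor {ip} route-map {route_map} {direction}")
    return lines


if __name__ == "__main__":
    for dev in EBGP_PEERS:
        print("\n".join(render_ebgp(dev)))
```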
iBGP configuration automation
Each site will be running a simple iBGP topology with a single route reflector and two clients. Each routed device within the new branch will need to have its iBGP role defined (server or client).
Special variables that start with bgp_originate_ define which subnets should be originated by which router. The RR-server will originate the site-wide summary and any 3rd party subnets, while the WAN routers will inject their own loopbacks in order to be remotely accessible even if BR2-CORE goes down. Specific route maps responsible for prefix origination should be defined in the global scope:
The resulting configuration for BR2-CORE will look like this:
This post concludes the series of articles describing how to automate enterprise network configuration. We first looked at how to automate legacy network configuration, then interface and OSPF configuration for the new network build and, finally, BGP configuration. The full versions of the files and scripts can be found in my GitHub repository.