Description
- How to control which BGP routes your BIG-IP customer premises equipment (CPE) advertises to the F5 Silverline scrubbing centers over the GRE tunnel
- If the GRE tunnel endpoint on your side is not a BIG-IP, see this article for the standard setup instead: GRE Tunnel Set-up Guide
Environment
- Silverline DDoS
- Routed
- BIG-IP
Procedure
Definitions
- Route Domain - A route domain is a configuration object that isolates network traffic for a particular application on the network. Because route domains segment network traffic, you can assign the same IP address or subnet to multiple nodes on a network, provided that each instance of the IP address resides in a separate route domain.
- Route Domain IDs - A route domain ID is a unique numerical identifier for a route domain. You can assign objects with IP addresses (such as self IP addresses, virtual addresses, pool members, and gateway addresses) to a route domain by appending %ID to the IP address (for example, 10.10.10.2%1 for route domain 1; route domain 0 is the default and needs no suffix).
- VLANs & Tunnels for RD - You can assign one or more VLANs, VLAN groups, or tunnels to a route domain. The VLANs, VLAN groups, or tunnels that you assign to a route domain are those carrying the particular traffic that you want to isolate in that route domain. Each VLAN, VLAN group, or tunnel can be a member of one route domain only.
- Dynamic Routing for RD - For each route domain that you configure, you can enable one or more dynamic routing protocols; BGP in our case.
Sample Tunnel Details (placeholder private and ULA addresses; substitute the values from your Silverline tunnel provisioning details)
F5Silverline GRE SRC IP: 192.168.100.100/24
F5Silverline GRE DST IP: 192.168.200.200/24
F5Silverline GRE SRC IP: fd70:b364:3528:2b30::1/64
F5Silverline GRE DST IP: fd70:b364:3528:2b40::1/64
F5Silverline GRE IPV4: 10.10.10.1/30
F5Silverline GRE IPV6: fd70:b364:3528:2b51::1/64
Customer GRE SRC IP: 192.168.200.200/24
Customer GRE DST IP: 192.168.100.100/24
Customer GRE SRC IP: fd70:b364:3528:2b40::1/64
Customer GRE DST IP: fd70:b364:3528:2b30::1/64
Customer GRE IPV4: 10.10.10.2/30
Customer GRE IPV6: fd70:b364:3528:2b51::2/64
Customer IPV4 Prefix: 192.168.0.0/24
Customer IPV6 Prefix: fdbf:97bd:efd3:c087::/48
Stand Alone Setup on RD 0 (default)
1. Open the tmsh Shell
[root@localhost:Active:Standalone] config # tmsh
root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)#
2. Set Outer Self IP (the tunnel endpoint addresses on the external VLAN; only ICMP and GRE are allowed, which is all the outer leg needs)
root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# create net self f5silverline-self traffic-group traffic-group-local-only vlan external allow-service add { icmp:any gre:any } address 192.168.200.200/24
root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# create net self f5silverline6-self traffic-group traffic-group-local-only vlan external allow-service add { icmp:any gre:any } address fd70:b364:3528:2b40::1/64
3. Create GRE Tunnel (local-address is the outer self IP from step 2, remote-address is the Silverline endpoint)
root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# create net tunnels tunnel f5silverline-sjc1-tunnel { local-address 192.168.200.200 profile gre remote-address 192.168.100.100 }
root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# create net tunnels tunnel f5silverline6-sjc1-tunnel { local-address fd70:b364:3528:2b40::1 profile gre remote-address fd70:b364:3528:2b30::1 }
4. Set Inner Self IP (bound to the tunnel object from step 3 by name; only the BGP port, tcp:179, is opened because BGP is the only service expected on the inner addresses)
root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# create net self f5silverline-internal-self traffic-group traffic-group-local-only vlan f5silverline-sjc1-tunnel allow-service add { tcp:179 } address 10.10.10.2/30
root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# create net self f5silverline6-internal-self traffic-group traffic-group-local-only vlan f5silverline6-sjc1-tunnel allow-service add { tcp:179 } address fd70:b364:3528:2b51::2/64
5. Confirm / Enable the Dynamic Routing Protocol (BGP) on the Route Domain
Dynamic routing requires the Advanced Routing license. If the routing-protocol option is not available on the route domain, contact F5 Sales.
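The article does not show the tmsh commands behind step 5, nor a check that the tunnel works before BGP is configured. The session below is an added example and is not part of the original article: it enables BGP on route domain 0 (use the route domain ID from the Definitions section if you are not on the default), lists the objects created in steps 2 to 4, and pings the Silverline side of the inner /30 and /64 through the tunnel. The string matched by grep is an assumption (the license feature name varies by BIG-IP version), and the pings only succeed if the Silverline side answers ICMP.

```console
# Look for the routing feature in the license before enabling anything (feature string varies; assumption)
[root@localhost:Active:Standalone] config # tmsh show sys license | grep -i routing
# Which routing protocols are currently enabled on route domain 0
[root@localhost:Active:Standalone] config # tmsh list net route-domain 0 routing-protocol
# Enable BGP on route domain 0 (the route domain this guide uses; substitute the ID for another RD)
[root@localhost:Active:Standalone] config # tmsh modify net route-domain 0 routing-protocol add { BGP }
# Confirm the tunnel objects and the inner self IPs that reference them by name
[root@localhost:Active:Standalone] config # tmsh list net tunnels tunnel f5silverline-sjc1-tunnel f5silverline6-sjc1-tunnel
[root@localhost:Active:Standalone] config # tmsh list net self f5silverline-internal-self f5silverline6-internal-self
# Tunnel counters; packets in/out should grow once the remote endpoint answers
[root@localhost:Active:Standalone] config # tmsh show net tunnels tunnel f5silverline-sjc1-tunnel
# Reachability of the Silverline addresses on the inner /30 and /64 through the GRE tunnel
[root@localhost:Active:Standalone] config # ping -c 3 10.10.10.1
[root@localhost:Active:Standalone] config # ping6 -c 3 fd70:b364:3528:2b51::1
# Persist the tmsh side of the configuration (the imish side is saved separately)
[root@localhost:Active:Standalone] config # tmsh save sys config
```

If the pings fail, check that the outer self IPs allow gre:any and icmp:any, that the outer endpoint 192.168.100.100 is reachable from the external VLAN, and that the inner self IPs reference the exact tunnel names created in step 3; do not continue to the BGP configuration until the inner addresses answer.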
Configure BGP in RD
1. Open the IMI Shell for the route domain (here route domain 0; use -r <ID> for another route domain)
[root@localhost:Active:Standalone] config # tmsh run /util imish -r 0
localhost.localdomain[0]>
2. Enter Privileged Mode
localhost.localdomain[0]>enable
localhost.localdomain[0]#
3. Enter Configuration Mode and enter the configuration below
localhost.localdomain[0]#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
localhost.localdomain[0](config)#
! Customer AS number (65431 is a sample private ASN; use the ASN agreed with F5 Silverline)
router bgp 65431
 no synchronization
 bgp log-neighbor-changes
 no auto-summary
 ! Router ID set to the outer self IP so it is unique and stable
 bgp router-id 192.168.200.200
 bgp graceful-restart restart-time 120
 ! Export kernel-sourced routes that pass the route-map, i.e. only the customer prefix
 redistribute kernel route-map route-to-f5-ipv4
 ! Peer-group holding the settings shared by all Silverline neighbors
 neighbor f5 peer-group
 neighbor f5 remote-as 55002
 neighbor f5 description f5silverline-peer-group
 ! TCP MD5 session password; must match the one F5 Silverline provides (placeholder shown)
 neighbor f5 password yerfavpwhere
 neighbor f5 soft-reconfiguration inbound
 neighbor f5 version 4
 neighbor f5 capability graceful-restart
 neighbor f5 send-community
 ! Accept nothing from Silverline: the peer cannot install routes into this route domain
 neighbor f5 prefix-list deny-all in
 ! Advertise nothing while deny-all is applied outbound; no traffic is pulled through the scrubbing center
 neighbor f5 prefix-list deny-all out
 neighbor 10.10.10.1 peer-group f5
 neighbor 10.10.10.1 description f5-neighbor-1
 address-family ipv6
 redistribute kernel route-map route-to-f5-ipv6
 neighbor f5 activate
 neighbor f5 soft-reconfiguration inbound
 neighbor f5 capability graceful-restart
 neighbor f5 prefix-list deny-all6 in
 neighbor f5 prefix-list deny-all6 out
 neighbor fd70:b364:3528:2b51::1 peer-group f5
 neighbor fd70:b364:3528:2b51::1 description f5-neighbor6-1
 exit-address-family
! deny-all matches every IPv4 prefix (0.0.0.0/0 with le 32); deny-all6 does the same for IPv6
ip prefix-list deny-all deny 0.0.0.0/0 le 32
! No le/ge: only the exact /24 matches, so a more-specific prefix is never exported
ip prefix-list route-to-f5-ipv4 permit 192.168.0.0/24
ipv6 prefix-list deny-all6 deny ::/0 le 128
ipv6 prefix-list route-to-f5-ipv6 permit fdbf:97bd:efd3:c087::/48
! Discard routes for the customer prefixes with a high administrative distance (201),
! so the prefix always exists locally but a real route to it is always preferred
ip route 192.168.0.0 255.255.255.0 null0 201
ipv6 route fdbf:97bd:efd3:c087::/48 null0 201
route-map route-to-f5-ipv4 permit 10
 match ip address prefix-list route-to-f5-ipv4
 set origin igp
route-map route-to-f5-ipv6 permit 10
 match ipv6 address prefix-list route-to-f5-ipv6
 set origin igp
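With the configuration above the sessions come up but nothing is advertised, because deny-all is applied outbound. The session below is an added example and is not part of the original article: it verifies the peering, then swaps the outbound prefix-lists to route-to-f5-ipv4 and route-to-f5-ipv6 so that only the customer prefixes are announced to Silverline, and shows how to withdraw them again. The article does not state the cut-over procedure; swapping the outbound prefix-list is this example's assumption, and the imish commands follow ZebOS/Quagga conventions, so confirm the syntax on your BIG-IP version.

```console
localhost.localdomain[0]#show ip bgp summary
localhost.localdomain[0]#show bgp ipv6 summary
localhost.localdomain[0]#show ip route
localhost.localdomain[0]#show ip bgp
localhost.localdomain[0]#show ip bgp neighbors 10.10.10.1 advertised-routes
localhost.localdomain[0]#show ip bgp neighbors 10.10.10.1 received-routes
localhost.localdomain[0]#configure terminal
localhost.localdomain[0](config)#router bgp 65431
localhost.localdomain[0](config-router)#neighbor f5 prefix-list route-to-f5-ipv4 out
localhost.localdomain[0](config-router)#address-family ipv6
localhost.localdomain[0](config-router-af)#neighbor f5 prefix-list route-to-f5-ipv6 out
localhost.localdomain[0](config-router-af)#end
localhost.localdomain[0]#clear ip bgp * soft out
localhost.localdomain[0]#clear bgp ipv6 * soft out
localhost.localdomain[0]#show ip bgp neighbors 10.10.10.1 advertised-routes
localhost.localdomain[0]#write memory
localhost.localdomain[0]#configure terminal
localhost.localdomain[0](config)#router bgp 65431
localhost.localdomain[0](config-router)#neighbor f5 prefix-list deny-all out
localhost.localdomain[0](config-router)#address-family ipv6
localhost.localdomain[0](config-router-af)#neighbor f5 prefix-list deny-all6 out
localhost.localdomain[0](config-router-af)#end
localhost.localdomain[0]#clear ip bgp * soft out
localhost.localdomain[0]#clear bgp ipv6 * soft out
localhost.localdomain[0]#write memory
```

What to look for: show ip bgp summary must show both neighbors in Established state with the MD5 password accepted; show ip bgp must list 192.168.0.0/24 as a local candidate before the swap, and advertised-routes must show exactly that prefix afterwards and nothing else. received-routes works because soft-reconfiguration inbound is enabled and should show that anything Silverline sends is filtered by deny-all. In show ip route, check which source carries the customer prefix: redistribute kernel exports only kernel-sourced (K) routes, while an ip route ... null0 entered in imish is a static (S) route; if the prefix appears only as S, add redistribute static route-map route-to-f5-ipv4 (and the IPv6 equivalent) under router bgp. The first clear ... soft out pushes the new outbound policy without tearing down the session, so the cut-over does not drop the BGP session itself.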