How to Configure GRE / BGP Peering from BIG-IP

Description

  • How to manipulate the advertisement of BGP routes to F5 Silverline scrubbing centers from your BIG-IP CPE
  • If you are not using your BIG-IP for GRE tunnels, then see this article for standard setup: GRE Tunnel Set-up Guide

Environment

  • Silverline DDoS
    • Routed
  • BIG-IP

Procedure

Definitions

  • Route Domain - A route domain is a configuration object that isolates network traffic for a particular application on the network. Because route domains segment network traffic, you can assign the same IP address or subnet to multiple nodes on a network, provided that each instance of the IP address resides in a separate routing domain.

  • Route Domain IDs - A route domain ID is a unique numerical identifier for a route domain. You can assign objects with IP addresses (such as self IP addresses, virtual addresses, pool members, and gateway addresses) to a route domain by appending %ID to the IP address.

  • VLANs & Tunnels for RD - You can assign one or more VLANs, VLAN groups, or tunnels to a route domain. The VLANs, VLAN groups, or tunnels that you assign to a route domain are those pertaining to the particular traffic that you want to isolate in that route domain. Each VLAN, VLAN group, or tunnel can be a member of one route domain only.

  • Dynamic Routing for RD - For each route domain that you configure, you can enable one or more dynamic routing protocols, BGP in our case.

Sample Tunnel Details

F5 Silverline GRE SRC IPv4: 192.168.100.100/24
F5 Silverline GRE DST IPv4: 192.168.200.200/24
F5 Silverline GRE SRC IPv6: fd70:b364:3528:2b30::1/64
F5 Silverline GRE DST IPv6: fd70:b364:3528:2b40::1/64
F5 Silverline GRE inner IPv4 (tunnel self IP): 10.10.10.1/30
F5 Silverline GRE inner IPv6 (tunnel self IP): fd70:b364:3528:2b51::1/64

Customer GRE SRC IPv4: 192.168.200.200/24
Customer GRE DST IPv4: 192.168.100.100/24
Customer GRE SRC IPv6: fd70:b364:3528:2b40::1/64
Customer GRE DST IPv6: fd70:b364:3528:2b30::1/64
Customer GRE inner IPv4 (tunnel self IP): 10.10.10.2/30
Customer GRE inner IPv6 (tunnel self IP): fd70:b364:3528:2b51::2/64
Customer IPv4 Prefix: 192.168.0.0/24
Customer IPv6 Prefix: fdbf:97bd:efd3:c087::/48

Standalone Setup on RD 0 (default)

1. Open Shell

[root@localhost:Active:Standalone] config # tmsh
root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)#

2. Set Outer Self IP

root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)#
root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# create net self f5silverline-self traffic-group traffic-group-local-only vlan external allow-service add { icmp:any gre:any } address 192.168.200.200/24

root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)#
root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# create net self f5silverline6-self traffic-group traffic-group-local-only vlan external allow-service add { icmp:any gre:any } address fd70:b364:3528:2b40::1/64

3. Create GRE Tunnel

root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)#
root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# create net tunnels tunnel f5silverline-sjc1-tunnel { local-address 192.168.200.200 profile gre remote-address 192.168.100.100 }

root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)#
root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# create net tunnels tunnel f5silverline6-sjc1-tunnel { local-address fd70:b364:3528:2b40::1 profile gre remote-address fd70:b364:3528:2b30::1 }

4. Set Inner Self IP

root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)#
root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# create net self f5silverline-internal-self traffic-group traffic-group-local-only vlan f5silverline-sjc1-tunnel allow-service add { tcp:179 } address 10.10.10.2/30

root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)#
root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# create net self f5silverline6-internal-self traffic-group traffic-group-local-only vlan f5silverline6-sjc1-tunnel allow-service add { tcp:179 } address fd70:b364:3528:2b51::2/64

5. Confirm / Enable Dynamic Routing Protocol in RD

You MUST have a license for this feature. If the dynamic routing option is not available on your BIG-IP, contact F5 Sales.

Configure BGP in RD

1. Open IMI Shell

[root@localhost:Active:Standalone] config #
[root@localhost:Active:Standalone] config # tmsh run /util imish -r 0
localhost.localdomain[0]>

Enter privileged mode and then global configuration mode:
localhost.localdomain[0]>enable
localhost.localdomain[0]#
localhost.localdomain[0]#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
localhost.localdomain[0](config)#

router bgp 65431
no synchronization
bgp log-neighbor-changes
no auto-summary
bgp router-id 192.168.200.200
bgp graceful-restart restart-time 120
redistribute kernel route-map route-to-f5-ipv4

neighbor f5 peer-group
neighbor f5 remote-as 55002
neighbor f5 description f5silverline-peer-group
neighbor f5 password yerfavpwhere
neighbor f5 soft-reconfiguration inbound
neighbor f5 version 4
neighbor f5 capability graceful-restart
neighbor f5 send-community
neighbor f5 prefix-list deny-all in
neighbor f5 prefix-list deny-all out
neighbor 10.10.10.1 peer-group f5
neighbor 10.10.10.1 description f5-neighbor-1

address-family ipv6
redistribute kernel route-map route-to-f5-ipv6
neighbor f5 activate
neighbor f5 soft-reconfiguration inbound
neighbor f5 capability graceful-restart
neighbor f5 prefix-list deny-all6 in
neighbor f5 prefix-list deny-all6 out
neighbor fd70:b364:3528:2b51::1 peer-group f5
neighbor fd70:b364:3528:2b51::1 description f5-neighbor6-1
exit-address-family

ip prefix-list deny-all deny 0.0.0.0/0 le 32
ip prefix-list route-to-f5-ipv4 permit 192.168.0.0/24
ipv6 prefix-list deny-all6 deny ::/0 le 128
ipv6 prefix-list route-to-f5-ipv6 permit fdbf:97bd:efd3:c087::/48

ip route 192.168.0.0 255.255.255.0 null0 201
ipv6 route fdbf:97bd:efd3:c087::/48 null0 201

route-map route-to-f5-ipv4 permit 10
 match ip address prefix-list route-to-f5-ipv4
 set origin igp

route-map route-to-f5-ipv6 permit 10
 match ipv6 address prefix-list route-to-f5-ipv6
 set origin igp
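The peer-group above filters everything outbound (`prefix-list deny-all out`), so 192.168.0.0/24 and the IPv6 prefix are not announced to Silverline until that filter is replaced. The transcript below is an added example, not part of the article: it covers step 5 of the standalone setup (enabling BGP in route domain 0 with tmsh) and then swaps the outbound filters to the route-to-f5 lists and verifies the IPv4 advertisement in imish. Prompts are those used in the article; the `#` and `!` comment lines state what the configuration implies you should see, not captured output.

```console
# --- tmsh (step 5): confirm the routing add-on is licensed, then enable BGP in route domain 0 ---
[root@localhost:Active:Standalone] config # tmsh show sys license detail | grep -i routing
[root@localhost:Active:Standalone] config # tmsh modify net route-domain 0 routing-protocol add { BGP }
[root@localhost:Active:Standalone] config # tmsh list net route-domain 0 routing-protocol
[root@localhost:Active:Standalone] config # tmsh save sys config
# --- imish: check the session, then swap the outbound filter from deny-all to the route-to-f5 lists ---
[root@localhost:Active:Standalone] config # tmsh run /util imish -r 0
localhost.localdomain[0]>enable
! 10.10.10.1 should show a prefix count (Established); Idle/Active means the tunnel,
! the inner self IP (tcp:179 allow-service) or the neighbor password does not match the far side
localhost.localdomain[0]#show ip bgp summary
! while deny-all is applied outbound this list is empty
localhost.localdomain[0]#show ip bgp neighbors 10.10.10.1 advertised-routes
localhost.localdomain[0]#configure terminal
localhost.localdomain[0](config)#router bgp 65431
localhost.localdomain[0](config-router)#neighbor f5 prefix-list route-to-f5-ipv4 out
localhost.localdomain[0](config-router)#address-family ipv6
localhost.localdomain[0](config-router-af)#neighbor f5 prefix-list route-to-f5-ipv6 out
localhost.localdomain[0](config-router-af)#exit-address-family
localhost.localdomain[0](config-router)#end
! re-send the outbound update without tearing the session down
localhost.localdomain[0]#clear ip bgp 10.10.10.1 soft out
! 192.168.0.0/24 (origin IGP, sourced from the null0 route through the route-map) is now listed
localhost.localdomain[0]#show ip bgp neighbors 10.10.10.1 advertised-routes
localhost.localdomain[0]#write
! repeat the soft clear and the advertised-routes check for fd70:b364:3528:2b51::1 with the IPv6 forms
! to withdraw the prefixes again, re-apply "neighbor f5 prefix-list deny-all out" and soft clear once more
```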
