BGP Overview¶
Overview¶
To scale the Cloud-Native Network Functions (CNFs) Traffic Management Microkernel (TMM), learn and announce routing prefixes between networks, and to advertise subscriber NAT IP addresses to downstream routers, Border Gateway Protocol (BGP) sessions must be established on TMM’s upstream and downstream interfaces. The TMM Proxy Pod’s f5-tmm-routing container can be enabled and configured when installing the BIG-IP Controller. By default, the f5-tmm-routing container is disabled.
Review the sections below for BGP configuration assistance:
- Enabling ECMP for Load Balancing Traffic
- Advertising IP addresses
- Filtering IP addresses
- Enabling BFD
- Troubleshooting
Note: Review CNF BGP topology for a high-level overview.
ZebOS ConfigMaps¶
The CNFs f5-tmm-routing container can reference native ZebOS.conf files as ConfigMaps using the BIG-IP Controller Helm values. One of the benefits of referencing the ZebOS.conf file as a ConfigMap is the ability to modify BGP configurations while the CNFs F5ingress and TMM Proxy Pods are running. The CNFs Controller detects modifications made to the ConfigMap file, and applies the updates the running f5-tmm-routing container. Refer to the ZebOS ConfigMaps overview.
BGP Parameters¶
The tables below describe the BIG-IP Controller’s tmm.dynamicRouting.tmmRouting.config
Helm parameters.
tmm.dynamicRouting¶
Parameter | Description |
---|---|
enabled |
Enables the f5-tmm-routing container: true or false (default). |
exportZebosLogs |
Enables sending f5-tmm-routing logs to Fluentd Logging: true (default) or false. |
tmm.dynamicRouting.tmmRouting.config.bgp¶
Configure and establish BGP peering relationships.
Parameter | Description |
---|---|
asn |
The AS number of the f5-tmm-routing container. |
hostname |
The hostname of the f5-tmm-routing container. |
logFile |
Specifies a file used to capture BGP logging events: /var/log/zebos.log. |
debugs |
Sets the BGP logging level to debug for troublshooting purposes: ["bgp"]. It is not recommended to run in debug level for extended periods. |
secret |
Set the name of the Kubernetes secret containing the BGP neighbor password. See the BGP Secret section below. |
neighbors.ip |
The IPv4 or IPv6 address of the BGP peer. |
neighbors.asn |
The AS number of the BGP peer. |
neighbors.nodeLookup |
Reference the ConfigMap holding the IP addresses. For more infor, refer to Top of Rack BGP. |
neighbors.password |
The BGP peer MD5 authentication password. Note: The password is stored in the f5-tmm-dynamic-routing configmap unencrypted. |
neighbors.ebgpMultihop |
Enables connectivity between external peers that do not have a direct connection (1-255). |
neighbors.acceptsIPv4 |
Enables advertising IPv4 virtual server addresses to the peer (true / false). The default is false. |
neighbors.acceptsIPv6 |
Enables advertising IPv6 virtual server addresses to the peer (true / false). The default is false. |
neighbors.softReconf |
Enables BGP4 policies to be activated without clearing the BGP session. |
neighbors.maxPathsEbgp |
The number of parallel application (downstream) eBGP neighbours installed as Gateways or Next hops. The configurable range is 2 to 64. |
neighbors.maxPathsIbgp |
The number of parallel subscriber (upstream) iBGP neighbours installed as Gateways or Next hops. The configurable range is 2 to 64. |
neighbors.fallover |
Enables bidrectional forwarding detection (BFD) between neighbors (true / false). The default is false. |
neighbors.routeMap |
References the routeMaps.name parameter, and applies the filter to the BGP neighbor. |
tmm.dynamicRouting.tmmRouting.config.prefixList¶
Create prefix lists to filter specified IP address subnets.
Parameter | Description |
---|---|
name |
The name of the prefixList entry. |
seq |
The order of the prefixList entry. |
deny |
Allow or deny the prefixList entry. |
prefix |
The IP address subnet to filter. |
tmm.dynamicRouting.tmmRouting.config.routeMaps¶
Create route maps that apply to BGP neighbors, referencing specified prefix lists.
Parameter | Description |
---|---|
name |
The name of the routeMaps object applied to the BGP neighbor. |
seq |
The order of the routeMaps entry. |
deny |
Allow or deny routeMaps entry. |
match |
The name of the referenced prefixList . |
tmm.dynamicRouting.tmmRouting.config.bfd¶
Enable BFD and configure the control packet intervals.
Parameter | Description |
---|---|
interface |
Selects the BFD peering interface if specified. |
interval |
Sets the minimum transmission interval in milliseconds: 50 (default) - 999. |
minrx |
Sets the minimum receive interval in milliseconds: 50 (default) - 999. |
multiplier |
Sets the Hello multiplier value 3 - 50. The default is 10. |
multihop_peer |
Enables multi-hop BFD to BGP neighbor: true or false (default). |
BGP Secrets¶
BGP neighbor passwords can be stored as Kubernetes secrets using the bgpSecret
parameter described in the BGP Parameters section above. When using Secrets, the value must be the neighbor.ip
, and the data must be the base64 encoded password. When using IPv6, replace any colon : characters, with dash *- characters. For example:
apiVersion: v1
kind: Secret
metadata:
name: bgp-secret
namespace: cnf-gateway
data:
10.1.2.3: c3dvcmRmaXNo
2002--10-1-2-3: cGFzc3dvcmQK
Enabling ECMP for Load Balancing Traffic¶
Currently, tmrouted only selects the first route configured before sending it to TMM/ZebOS. With this setup, it will accept multiple routes (instead of just one) and enable ECMP across upstream or downstream paths. Since ECMP is a round-robin load balancing method, traffic will load balance across all available ECMP routes.
When installing the BIG-IP Contoller, set the
maxPathsEbgp
parameter to the maxiumum number of ECMP paths you intend to use:Note: In this example, set the
maxpathsEbgp
ormaxpathsIbgp
parameter to number of paths for load balancing traffic.f5-tmm: tmm: dynamicRouting: enabled: true tmmRouting: config: bgp: asn: 100 maxPathsEbgp: 2 maxPathsIbgp: 2 hostname: cnf-bgp neighbors: - ip: 10.10.10.200 asn: 200 ebgpMultihop: 10 - ip: 192.168.10.200 asn: 400 ebgpMultihop: 10
Advertising IP addresses¶
To ensure upstream routers use TMM as a gatway, and to ensure downstream routers correclty route back through TMM, BGP peering relationships should be established on TMM’s upstream and downstream interfaces. With BGP relationships, TMM can advertise routes learned from the downstream router, and any destination IP addresses defined in the Traffic Management CNF CRs to the upstream router. TMM will also advertise IP addresses defined in the F5BigNatPolicy CR, to ensure the downstream router sends connections back through TMM.
When installing the BIG-IP Contoller, set the
acceptsIPv4
and theacceptsIPv6
parameters to advertise IPv4 and IPv6 destination addresses:Note: In this example, the
acceptsIPv4
andacceptsIPv6
parameters are set on the upstream BGP peer:f5-tmm: tmm dynamicRouting: enabled: true tmmRouting: config: bgp: asn: 100 maxPathsEbgp: 4 maxPathsIbgp: 'null' hostname: cnf-bgp neighbors: - ip: 10.10.10.200 asn: 200 ebgpMultihop: 10 acceptsIPv4: true acceptsIPv6: true - ip: 192.168.10.200 asn: 400 ebgpMultihop: 10
Once the BIG-IP Controller is installed, log in to the peer router and verify the advertised routing prefixes are being advertised with the TMM self-IPs as next hops:
show ip bgp
In this example, the TMM replicas with self IP addresses 10.10.10.250 and 10.10.10.251 are advertising the CR destination address 192.168.10.100:
show ip bgp
Network Next Hop Metric Path 192.168.10.100/32 10.10.10.250 0 200 10.10.10.251 0 200
Filtering IP addresses¶
By default, all F5BigNatPolicy IP addresses are advertised (redistributed) to BGP neighbors. To advertise specific NAT IP addresses, configure a prefixList
defining the IP addresses to advertise, and apply a routeMap
to the BGP neighbor configuration referencing the prefexList
. In the example below, only the 10.244.10.0/24 and 10.244.20.0/24 IP address subnets will be advertised to the BGP neighbor:
f5-tmm:
tmm:
dynamicRouting:
enabled: true
tmmRouting:
config:
prefixList:
- name: 10pod
seq: 10
deny: false
prefix: 10.244.10.0/24 le 32
- name: 20pod
seq: 10
deny: false
prefix: 10.244.20.0/24 le 32
routeMaps:
- name: snatpoolroutemap
seq: 10
deny: false
match: 10pod
- name: snatpoolroutemap
seq: 11
deny: false
match: 20pod
bgp:
asn: 100
hostname: cnf-bgp
neighbors:
- ip: 10.10.10.200
asn: 200
routeMap: snatpoolroutemap
Once the BIG-IP Controller is installed, verify the expected SNAT pool IP addresses are being advertised.
Install the F5BigNatPolicy Custom Resource (CR).
Log in to the f5-tmm-routing container:
oc exec -it deploy/f5-tmm -c f5-tmm-routing -n <project> -- bash
In this example, the f5-tmm-routing container is in the cnf-gateway Project:
oc exec -it deploy/f5-tmm -c f5-tmm-routing -n cnf-gateway -- bash
Log in IMI shell and turn on privileged mode:
imish en
(A). Verify the SNAT pool IP addresses are being advertised:
show bgp ipv4 neighbors <ip address> advertised-routes
In this example, the NAT pool IP addresse lists are being advertised, and TMM’s external interface is the next hop:
show bgp ipv4 neighbors 10.10.10.200 advertised-routes Network Next Hop Metric LocPrf Weight *> 10.244.10.1/32 10.20.2.207 0 100 32768 *> 10.244.10.2/32 10.20.2.207 0 100 32768 *> 10.244.20.1/32 10.20.2.207 0 100 32768 *> 10.244.20.2/32 10.20.2.207 0 100 32768 Total number of prefixes 4
(B). Verify the ECMP running configuration:
show running-config bgp router bgp 65201 bgp router-id 1.2.3.4 no bgp default ipv4-unicast bgp log-neighbor-changes bgp graceful-restart restart-time 380 max-paths ebgp 2 max-paths ibgp 2 redistribute kernel
Enabling BFD¶
Bidirectional Forwarding Detection (BFD) rapidly detects loss of connectivity between BGP neighbors by exchanging periodic BFD control packets on the network link. After a specified interval, if a control packet is not received, the connection is considered down, enabling fast network convergence. The BFD configuration requires the interface name of the external BGP peer. Use the following command to obtain the external interface name:
oc get ingressroutevlan <external vlan> -o "custom-columns=VLAN Name:.spec.name"
When installing the BIG-IP Contoller, configure the
bfd
for the interface to monitor:Note: In this example, BFD is enabled on TMM’s external interface:
f5-tmm tmm: dynamicRouting: enabled: true tmmRouting: config: bgp: asn: 100 maxPathsEbgp: 4 maxPathsIbgp: 'null' hostname: cnf-bgp neighbors: - ip: 10.10.10.200 asn: 200 ebgpMultihop: 10 acceptsIPv4: true acceptsIPv6: true - ip: 192.168.10.200 asn: 400 ebgpMultihop: 10 bfd: interface: external interval: 100 minrx: 100 multiplier: 3
Once the BIG-IP Controller is installed, verify the BFD configuration is working.
In this example, the f5-tmm-routing container is in the cnf-gateway Namespace:
oc exec -it deploy/f5-tmm -c f5-tmm-routing -n cnf-gateway -- bash
Log in IMI shell and turn on privileged mode:
imish en
View the bfd session status:
Note: You can append the detail argument for verbose session information.
show bfd session
In this example, the Sess-State is Up:
BFD process for VRF: (DEFAULT VRF) ===================================================================================== Sess-Idx Remote-Disc Lower-Layer Sess-Type Sess-State UP-Time Remote-Addr 2 1 IPv4 Single-Hop Up 00:03:16 10.10.10.200/32 Number of Sessions: 1
BGP should now quickly detect link failures between neighbors.
Troubleshooting¶
When BGP neighbor relationships fail to establish, begin troubleshooting by reviewing BGP log events to gather useful diagnostic data. If you installed the Fluentd logging collector, review the Log file locations and Viewing logs sections of the FLuentd Logging guide before proceeding to the steps below. If the Fluentd logging collector is not installed, use the steps below to verify the current BGP state, and enable and review log events to resolve a simple connectivity issue.
Note: BGP connectivity is established over TCP port 179.
Run the following command to verify the BGP state:
oc exec -it deploy/f5-tmm -c f5-tmm-routing -n cnf-gateway \ -- imish -e 'show bgp neighbors' | grep state
In this example, the BGP state is Active, indicating neighbor relationships are not currently established:
BGP state = Active BGP state = Active
To enable BGP logging, log in to the f5-tmm-routing container:
oc exec -it deploy/f5-tmm -c f5-tmm-routing -n cnf-gateway \ -- bash
Run the following commands to enter configuration mode:
imish en config t
Enable BGP logging:
log file /var/log/zebos.log
Exit configuration mode, and return to the shell:
exit exit exit
View the BGP log file events as they occur:
tail -f /var/log/zebos.log
In this example, the log messages indicate the peers (neighbors), are not reachable:
Jan 01 12:00:00 : BGP : ERROR [SOCK CB] Could not find peer for FD - 11 (error:107) Jan 01 12:00:01 : BGP : INFO 10.20.2.206-Outgoing [FSM] bpf_timer_conn_retry: Peer down, Jan 01 12:00:02 : BGP : ERROR [SOCK CB] Could not find peer for FD - 11 (error:107) Jan 01 12:00:01 : BGP : INFO 10.30.2.206-Outgoing [FSM] bpf_timer_conn_retry: Peer down,
Fix: The tag ID on the F5BigNetVlan was set to the correct ID value:
The messages indicate the neighbors are now Up. It can take up to two minutes for the relationships to establish:
Jan 01 12:00:05 : BGP : ERROR [SOCK CB] Could not find peer for FD - 13 (error:107) Jan 01 12:00:06 : BGP : INFO %BGP-5-ADJCHANGE: neighbor 10.20.2.206 Up Jan 01 12:00:07 : BGP : ERROR [SOCK CB] Could not find peer for FD - 11 (error:107) Jan 01 12:00:08 : BGP : INFO %BGP-5-ADJCHANGE: neighbor 10.30.2.206 Up
The BGP state should now be Established:
imish -e 'show bgp neighbors' | grep state
BGP state = Established, up for 00:00:36 BGP state = Established, up for 00:00:19
If the BGP state is still not established, and there are issues other than connectivity, set BGP logging to debug, and continue reviewing the lower-level log events:
debug bgp all
Once the BGP troubleshooting is complete, remove the BGP log and debug configurations:
no log file
no debug bgp
Feedback¶
Provide feedback to improve this document by emailing cnfdocs@f5.com.
Supplemental¶
- Top of Rack BGP enables TMM Pods to peer with neighbors based on the cluster node they run on.