BGP on Huawei

  • Introduction
  • Enable IPv6 on your equipment
  • Define the IP addresses of your interfaces for IP transit, Perú IX (PIT Peru sac) (pitperu.net) and your internal network
  • Define the ASN of your company (the ASN granted by LACNIC)
  • Create the Routing Filters for the OUT filters and IN filters
  • Create the BGP Peer with your IP transit Provider
  • Create the BGP Peers with the Route Servers of the Perú IX (PIT Peru sac) (pitperu.net)
  • Define the prefixes that you are going to announce
  • Check operation

Introduction

At Perú IX (PIT Peru sac) we promote the use of IPv6, and our first advice is to lose your fear of it. At first it may seem somewhat difficult, since the addresses are long and contain not only numbers but also letters and colons, but once you understand it, it is very simple because it has great similarities with IPv4. If you have not yet had any contact with IPv6, I recommend this explanatory video about the basic concepts of IPv6: https://www.youtube.com/watch?v=43VBLzwWwxU

In this example we are going to configure both IPv4 and IPv6 addresses, as well as BGP sessions for IPv4 and IPv6.

In order to exemplify the configurations, we will make use of some assumptions, which should be replaced with the IP addresses assigned by the IP transit provider, Perú IX (PIT Peru sac) and LACNIC.

Disclaimer: I am not an expert in Huawei equipment but I thank José de Liber for his help with the commands for Huawei equipment.

Enable IPv6 on your equipment

The first thing we will do is enable IPv6 on our Huawei equipment:

<HUAWEI> system-view
[~HUAWEI] ipv6

Define the IPv4 and IPv6 addresses of your interfaces for IP transit, Perú IX (PIT Peru sac) (pitperu.net) and your internal network

Assumptions for the example:

  • The ASN granted by LACNIC to our organization is the AS123456
  • IPv4 block assigned by LACNIC is 100.100.100.0/22
  • IPv6 block assigned by LACNIC is 2803:cd10::/32
  • IPv4 address for the point-to-point link with the IP transit provider is 198.51.100.2/30 (where the equipment on the IP transit Provider side against which we will do the BGP is 198.51.100.1)
  • IPv6 address for the point-to-point link with the IP transit provider is 2803:dd99:1111::2/126 (where the equipment on the IP transit Provider side against which we will do the BGP is 2803:dd99:1111::1)
  • IPv4 address assigned by Perú IX (PIT Peru sac) (pitperu.net) is 45.183.47.254/24
  • IPv6 address assigned by Perú IX (PIT Peru sac) (pitperu.net) is 2803:cd60:6411:5::ff/64
  • Configure the IPv4 and IPv6 addresses granted by LACNIC on a loopback interface

    This is a fairly simple way to get the new segment running, as I can then sub-assign smaller prefixes to the other routers or computers on my network.

    The first thing will be to create a loopback interface and assign it the IPv4 and IPv6 addresses granted by LACNIC.

    If you prefer to configure the addresses directly on a physical interface, for example 10ge 0/0/2, replace loopback with that interface.

    <HUAWEI> system-view
    [~HUAWEI] interface loopback 0
    [~HUAWEI-LoopBack0] ip address 100.100.100.1 255.255.252.0
    [~HUAWEI-LoopBack0] ipv6 enable
    [~HUAWEI-LoopBack0] ipv6 address 2803:cd10::/32

    Then we are going to define the IPv4 and IPv6 addresses of the IP transit provider, which gives us the connection via the interface 10ge 0/0/0

    <HUAWEI> system-view
    [~HUAWEI] interface 10ge 0/0/0
    [~HUAWEI-10GE0/0/0] ip address 198.51.100.2 255.255.255.252
    [~HUAWEI-10GE0/0/0] ipv6 enable
    [~HUAWEI-10GE0/0/0] ipv6 address 2803:dd99:1111::2/126

    Finally, we are going to configure the IP addresses granted by Perú IX (PIT Peru sac) that we connect on port 10ge 0/0/1

    <HUAWEI> system-view
    [~HUAWEI] interface 10ge 0/0/1
    [~HUAWEI-10GE0/0/1] ip address 45.183.47.254 255.255.255.0
    [~HUAWEI-10GE0/0/1] ipv6 enable
    [~HUAWEI-10GE0/0/1] ipv6 address 2803:cd60:6411:5::ff/64

    Define the ASN of your company (the ASN granted by LACNIC)

    In our example, we assume that LACNIC granted us ASN 123456. As router-id we use our first public IPv4 address.

    [~HUAWEI] bgp 123456
    [~HUAWEI-bgp] router-id 45.183.47.254
    [~HUAWEI-bgp] undo check-first-as

    It is important to set undo check-first-as: although the BGP session is established with AS 64115, the routes will NOT have 64115 as the first AS in the path, because the Route Server acts only in the route control plane, not in the routing per se, which occurs directly between member routers.

    A good practice, although not mandatory, is to configure a loopback interface with a private IP range and use it as the router-id in the BGP configuration, in order to avoid the route flapping that occurs when the IP address of an interface changes.

    Create the Routing Filters for the OUT and IN chains

    Before starting the BGP sessions, it is VERY IMPORTANT to create the security filters, both inbound and outbound.

    Important: in the filters the order of the entries matters. Entries are evaluated from the lowest index upward, so the lines that must match first need the lowest index (this applies when the same chain has multiple ip-prefix lines).

    IPv4 output filters (OUT)

    #In this case, the chain for the outbound filter to the IP transit provider is IP_TRANSIT_AS1200_OUT; it allows sending our IPv4 prefix as a /22 and nothing else #
    [~HUAWEI] ip ip-prefix IP_TRANSIT_AS1200_OUT permit 100.100.100.0 22 le 22
    [~HUAWEI] ip ip-prefix IP_TRANSIT_AS1200_OUT deny 0.0.0.0 0 le 32
     
    # In this case the chain for the output filter to the PIT Peru sac provider is PIT_PERU_sac_RS_OUT; it allows sending our IPv4 prefix as a /22 and as /24s and nothing else #
    [~HUAWEI] ip ip-prefix PIT_PERU_sac_RS_OUT permit 100.100.100.0 22 le 24
    [~HUAWEI] ip ip-prefix PIT_PERU_sac_RS_OUT deny 0.0.0.0 0 le 32

    IPv6 output filters (OUT)

     #In this case we will use the chain IP_TRANSIT_AS1200_IPv6_OUT for our IP transit provider in IPv6 prefixes #
    [~HUAWEI] ip ipv6-prefix IP_TRANSIT_AS1200_IPv6_OUT permit 2803:cd10:: 32 le 64
    [~HUAWEI] ip ipv6-prefix IP_TRANSIT_AS1200_IPv6_OUT deny :: 0 le 128
     
    #In this case we will use the chain PIT_PERU_sac_RS_IPv6_OUT for our filters to the PIT Peru sac (pitperu.net) for IPv6 prefixes #
    [~HUAWEI] ip ipv6-prefix PIT_PERU_sac_RS_IPv6_OUT permit 2803:cd10:: 32 le 64
    [~HUAWEI] ip ipv6-prefix PIT_PERU_sac_RS_IPv6_OUT deny :: 0 le 128

    Why do we advertise a /22 (a less specific prefix) to the IP transit Provider and multiple /24s (more specific) to Perú IX (PIT Peru sac)?

    This is important to ensure that the path via the Perú IX (PIT Peru sac) is preferred over the IP transit: routers forward along the most specific matching prefix, so the /24s learned via the IX win over the /22 learned via transit. This prevents traffic that could be served via Perú IX (PIT Peru sac) from being served via IP transit instead.

    IPv4 input (IN) filters

    In this case, because of the limited number of IPv4 routes that Huawei’s upper-mid-range switches can handle, we will allow the IP transit Provider to announce only the default route to us. If we have a switch model that supports 1,000,000 IPv4 routes, we can accept the complete routing table.

    #filters that only allow receiving default route from IP transit provider #
    [~HUAWEI] ip ip-prefix IP_TRANSIT_AS1200_IN permit 0.0.0.0 0
    [~HUAWEI] ip ip-prefix IP_TRANSIT_AS1200_IN deny 0.0.0.0 0 le 32
     
    #filters that allow you to filter default routes, bogons and martians and allow everything else #
    [~HUAWEI] ip ip-prefix PIT_PERU_sac_RS_IN deny 0.0.0.0 0             // that is, we do not accept the default route
    [~HUAWEI] ip ip-prefix PIT_PERU_sac_RS_IN deny 45.183.47.0 24 le 32  // that is, we do not accept the LAN route of the PIT Peru sac, since it must only be reachable through the assigned interface and not through another path
    [~HUAWEI] ip ip-prefix PIT_PERU_sac_RS_IN deny 10.0.0.0 8 le 32      // rfc1918
    [~HUAWEI] ip ip-prefix PIT_PERU_sac_RS_IN deny 100.64.0.0 10 le 32   // rfc6598
    [~HUAWEI] ip ip-prefix PIT_PERU_sac_RS_IN deny 127.0.0.0 8 le 32     // rfc1122
    [~HUAWEI] ip ip-prefix PIT_PERU_sac_RS_IN deny 169.254.0.0 16 le 32  // rfc3927
    [~HUAWEI] ip ip-prefix PIT_PERU_sac_RS_IN deny 172.16.0.0 12 le 32   // rfc1918
    [~HUAWEI] ip ip-prefix PIT_PERU_sac_RS_IN deny 192.0.2.0 24 le 32    // rfc5737
    [~HUAWEI] ip ip-prefix PIT_PERU_sac_RS_IN deny 192.88.99.0 24 le 32  // rfc7526
    [~HUAWEI] ip ip-prefix PIT_PERU_sac_RS_IN deny 192.168.0.0 16 le 32  // rfc1918
    [~HUAWEI] ip ip-prefix PIT_PERU_sac_RS_IN deny 198.18.0.0 15 le 32   // rfc2544
    [~HUAWEI] ip ip-prefix PIT_PERU_sac_RS_IN deny 198.51.100.0 24 le 32 // rfc5737
    [~HUAWEI] ip ip-prefix PIT_PERU_sac_RS_IN deny 203.0.113.0 24 le 32  // rfc5737
    [~HUAWEI] ip ip-prefix PIT_PERU_sac_RS_IN deny 224.0.0.0 4 le 32     // multicast
    [~HUAWEI] ip ip-prefix PIT_PERU_sac_RS_IN deny 240.0.0.0 4 le 32     // reserved
    [~HUAWEI] ip ip-prefix PIT_PERU_sac_RS_IN deny 0.0.0.0 0 greater-equal 25 // rejects prefixes more specific than /24
    [~HUAWEI] ip ip-prefix PIT_PERU_sac_RS_IN permit 0.0.0.0 0 le 32     // allow all the rest

    Ingress Filters (IN) IPv6

    Here we must accept all the prefixes that the Perú IX (PIT Peru sac) sends us, except those that filtering best practices recommend rejecting.

    #filters that only allow receiving the IPv6 default route from the IP transit provider #
    [~HUAWEI] ip ipv6-prefix IP_TRANSIT_AS1200_IPv6_IN permit :: 0
    [~HUAWEI] ip ipv6-prefix IP_TRANSIT_AS1200_IPv6_IN deny :: 0 le 128
     
     
    [~HUAWEI] ip ipv6-prefix PIT_PERU_sac_RS_IPv6_IN deny 0100:: 64 le 128        // RFC6666
    [~HUAWEI] ip ipv6-prefix PIT_PERU_sac_RS_IPv6_IN deny 2001:2:: 48 le 128      // RFC5180
    [~HUAWEI] ip ipv6-prefix PIT_PERU_sac_RS_IPv6_IN deny 2001:10:: 28 le 128     // RFC4843
    [~HUAWEI] ip ipv6-prefix PIT_PERU_sac_RS_IPv6_IN deny 2001:db8:: 32 le 128    // RFC3849
    [~HUAWEI] ip ipv6-prefix PIT_PERU_sac_RS_IPv6_IN deny 2002:: 16 le 128        // RFC7526
    [~HUAWEI] ip ipv6-prefix PIT_PERU_sac_RS_IPv6_IN deny 3ffe:: 16 le 128        // RFC3701
    [~HUAWEI] ip ipv6-prefix PIT_PERU_sac_RS_IPv6_IN deny fc00:: 7 le 128         // RFC4193
    [~HUAWEI] ip ipv6-prefix PIT_PERU_sac_RS_IPv6_IN deny fe80:: 10 le 128        // RFC4291
    [~HUAWEI] ip ipv6-prefix PIT_PERU_sac_RS_IPv6_IN deny fec0:: 10 le 128        // RFC3879
    [~HUAWEI] ip ipv6-prefix PIT_PERU_sac_RS_IPv6_IN deny ff00:: 8 le 128         // RFC4291
    [~HUAWEI] ip ipv6-prefix PIT_PERU_sac_RS_IPv6_IN deny :: 0 greater-equal 65  // Reject prefixes longer than /64
    [~HUAWEI] ip ipv6-prefix PIT_PERU_sac_RS_IPv6_IN permit :: 0 le 64            // Allow all the rest
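
The inbound lists above, and the earlier remark that entry order matters, can be checked offline before any session comes up. This is an added example, not part of the original page or of any Huawei tooling: a small Python model of first-match ip-prefix evaluation over a constructed subset of the PIT_PERU_sac_RS_IN and PIT_PERU_sac_RS_IPv6_IN entries. The test routes (200.10.0.0/24, 2800:200::/32 and so on) are constructed, and the matching rules are assumed to be the usual ones: exact length without ge/le, a length range with them, and an implicit deny when nothing matches.

```python
import ipaddress
import re

# Matches "ip ip-prefix" / "ip ipv6-prefix" lines; the prompt and // notes are ignored.
ENTRY = re.compile(r"ip (?:ip|ipv6)-prefix (\S+) (permit|deny) (\S+) (\d+)"
                   r"(?: (?:greater-equal|ge) (\d+))?(?: (?:less-equal|le) (\d+))?")

# Constructed subset of the page's two IX inbound lists, in the page's order.
CONFIG = """
[~HUAWEI] ip ip-prefix PIT_PERU_sac_RS_IN deny 0.0.0.0 0             // no default route
[~HUAWEI] ip ip-prefix PIT_PERU_sac_RS_IN deny 45.183.47.0 24 le 32  // IX LAN
[~HUAWEI] ip ip-prefix PIT_PERU_sac_RS_IN deny 10.0.0.0 8 le 32      // rfc1918
[~HUAWEI] ip ip-prefix PIT_PERU_sac_RS_IN deny 0.0.0.0 0 greater-equal 25
[~HUAWEI] ip ip-prefix PIT_PERU_sac_RS_IN permit 0.0.0.0 0 le 32
[~HUAWEI] ip ipv6-prefix PIT_PERU_sac_RS_IPv6_IN deny 2001:db8:: 32 le 128
[~HUAWEI] ip ipv6-prefix PIT_PERU_sac_RS_IPv6_IN deny :: 0 greater-equal 65
[~HUAWEI] ip ipv6-prefix PIT_PERU_sac_RS_IPv6_IN permit :: 0 le 64
"""

def parse(config):
    """Return {list name: [(action, network, min_len, max_len), ...]} in entry order."""
    lists = {}
    for m in ENTRY.finditer(config):
        name, action, addr, length, ge, le = m.groups()
        net = ipaddress.ip_network(f"{addr}/{length}")
        lo = int(ge) if ge else net.prefixlen
        hi = int(le) if le else (net.max_prefixlen if ge else net.prefixlen)
        lists.setdefault(name, []).append((action, net, lo, hi))
    return lists

def evaluate(entries, route):
    """First matching entry decides; a route matching no entry is denied."""
    r = ipaddress.ip_network(route)
    for action, net, lo, hi in entries:
        if r.version == net.version and lo <= r.prefixlen <= hi and r.subnet_of(net):
            return action
    return "deny"

LISTS = parse(CONFIG)
V4, V6 = LISTS["PIT_PERU_sac_RS_IN"], LISTS["PIT_PERU_sac_RS_IPv6_IN"]

if __name__ == "__main__":
    for route in ("0.0.0.0/0", "10.20.0.0/16", "200.10.0.0/24", "200.10.0.128/25"):
        print(f"{route:18} {evaluate(V4, route)}")
    for route in ("::/0", "2001:db8:1::/48", "2800:200::/32", "2800:200::/96"):
        print(f"{route:18} {evaluate(V6, route)}")
    # Same entries in reverse order: the catch-all permit now shadows every deny.
    print("reversed:", evaluate(V4[::-1], "10.20.0.0/16"))
```

With the lists as written, the IPv6 list accepts ::/0, because `permit :: 0 le 64` covers length 0 and there is no IPv6 counterpart of the IPv4 `deny 0.0.0.0 0` entry. Reversing the entry order lets the catch-all permit shadow every deny, which is why the deny lines must carry the lower indexes.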

    Create the BGP Peers with your IP transit Provider

    In our example our IP transit Provider has ASN 1200 and uses:

    • the IP 198.51.100.1 for the IPv4 Peer. Replace 1200 with the ASN of your IP transit provider and 198.51.100.1 with the IPv4 address of the BGP gateway that your IP transit provider gives you.
    • the IP 2803:dd99:1111::1 for the IPv6 Peer. Replace 1200 with the ASN of your IP transit provider and 2803:dd99:1111::1 with the IPv6 address of the BGP gateway that your IP transit provider gives you.

    #Define the IPv4 BGP session to the IP transit provider #
    [~HUAWEI] bgp 123456
    [~HUAWEI-bgp] peer 198.51.100.1 as-number 1200 
    [~HUAWEI-bgp] peer 198.51.100.1 description BGP_IP_TRANSIT_IPv4_AS1200
    [~HUAWEI-bgp] peer 198.51.100.1 connect-interface 10ge 0/0/0
    [~HUAWEI-bgp] peer 198.51.100.1 ip-prefix IP_TRANSIT_AS1200_OUT export
    [~HUAWEI-bgp] peer 198.51.100.1 ip-prefix IP_TRANSIT_AS1200_IN import
     
    #Define the IPv6 BGP session to the IP transit provider #
    [~HUAWEI-bgp] peer 2803:dd99:1111::1 as-number 1200
    [~HUAWEI-bgp] peer 2803:dd99:1111::1 description BGP_IP_TRANSIT_IPv6_AS1200
    [~HUAWEI-bgp] peer 2803:dd99:1111::1 connect-interface 10ge 0/0/0
    [~HUAWEI-bgp] peer 2803:dd99:1111::1 ipv6-prefix IP_TRANSIT_AS1200_IPv6_OUT export
    [~HUAWEI-bgp] peer 2803:dd99:1111::1 ipv6-prefix IP_TRANSIT_AS1200_IPv6_IN import

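    If the BGP sessions have a password, add this command as well; in our example the password is “my_IP_transit_password”. Note that the simple keyword stores the password in plain text in the configuration file, while the cipher keyword stores it encrypted.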

    [~HUAWEI-bgp] peer 198.51.100.1 password simple my_IP_transit_password
    [~HUAWEI-bgp] peer 2803:dd99:1111::1 password simple my_IP_transit_password

    Create the BGP Peers with the Route Servers of the Perú IX (PIT Peru sac) (pitperu.net)

    In this example we are going to configure both Route Servers of Perú IX (PIT Peru sac), that is, RS1 and RS2, for IPv4 and IPv6. In our example we were assigned the BGP password “peeringinperu”.

    #Define the BGP session to the two Route Servers of PIT Peru sac #
    [~HUAWEI] bgp 123456
    [~HUAWEI-bgp] peer 45.183.47.1 as-number 64115
    [~HUAWEI-bgp] peer 45.183.47.1 description PIT_PERU_sac_RS1_IPv4
    [~HUAWEI-bgp] peer 45.183.47.1 password simple peeringinperu
    [~HUAWEI-bgp] peer 45.183.47.1 connect-interface 10ge 0/0/1
    [~HUAWEI-bgp] peer 45.183.47.1 ip-prefix PIT_PERU_sac_RS_OUT export
    [~HUAWEI-bgp] peer 45.183.47.1 ip-prefix PIT_PERU_sac_RS_IN import
     
    [~HUAWEI-bgp] peer 45.183.47.2 as-number 64115 
    [~HUAWEI-bgp] peer 45.183.47.2 description PIT_PERU_sac_RS2_IPv4
    [~HUAWEI-bgp] peer 45.183.47.2 password simple peeringinperu
    [~HUAWEI-bgp] peer 45.183.47.2 connect-interface 10ge 0/0/1
    [~HUAWEI-bgp] peer 45.183.47.2 ip-prefix PIT_PERU_sac_RS_OUT export
    [~HUAWEI-bgp] peer 45.183.47.2 ip-prefix PIT_PERU_sac_RS_IN import
     
     
    [~HUAWEI-bgp] peer 2803:cd60:6411:5::1 as-number 64115
    [~HUAWEI-bgp] peer 2803:cd60:6411:5::1 description PIT_PERU_sac_RS1_IPv6
    [~HUAWEI-bgp] peer 2803:cd60:6411:5::1 password simple peeringinperu
    [~HUAWEI-bgp] peer 2803:cd60:6411:5::1 connect-interface 10ge 0/0/1
    [~HUAWEI-bgp] peer 2803:cd60:6411:5::1 ipv6-prefix PIT_PERU_sac_RS_IPv6_OUT export
    [~HUAWEI-bgp] peer 2803:cd60:6411:5::1 ipv6-prefix PIT_PERU_sac_RS_IPv6_IN import
     
    [~HUAWEI-bgp] peer 2803:cd60:6411:5::2 as-number 64115
    [~HUAWEI-bgp] peer 2803:cd60:6411:5::2 description PIT_PERU_sac_RS2_IPv6
    [~HUAWEI-bgp] peer 2803:cd60:6411:5::2 password simple peeringinperu
    [~HUAWEI-bgp] peer 2803:cd60:6411:5::2 connect-interface 10ge 0/0/1
    [~HUAWEI-bgp] peer 2803:cd60:6411:5::2 ipv6-prefix PIT_PERU_sac_RS_IPv6_OUT export
    [~HUAWEI-bgp] peer 2803:cd60:6411:5::2 ipv6-prefix PIT_PERU_sac_RS_IPv6_IN import

    Define the prefixes that you are going to announce

    [~HUAWEI] bgp 123456
    [~HUAWEI-bgp] ipv4-family unicast
    [~HUAWEI-bgp-af-ipv4] network 100.100.100.0 22
    [~HUAWEI-bgp-af-ipv4] network 100.100.100.0 24
    [~HUAWEI-bgp-af-ipv4] network 100.100.101.0 24
    [~HUAWEI-bgp-af-ipv4] network 100.100.102.0 24
    [~HUAWEI-bgp-af-ipv4] network 100.100.103.0 24
    [~HUAWEI-bgp-af-ipv4] quit
     
    [~HUAWEI-bgp] ipv6-family unicast
    [~HUAWEI-bgp-af-ipv6] network 2803:cd10:: 32
    [~HUAWEI-bgp-af-ipv6] quit
    

    Check operation

    Check the status of the BGP Peers: if they are operational, the state should be Established; if it says Connect or Idle, something is not configured correctly on your side or on the provider's side. The PrefRcv column shows the number of routes that we are receiving from each BGP Peer.

    View BGP Peers at IPv4 level

    [~HUAWEI] display bgp peer
    

    View BGP Peers at IPv6 level

    [~HUAWEI] display bgp ipv6 peer
    

    See IPv4 Prefixes that we advertise to a Peer

    This shows the prefixes that we are currently advertising to a particular BGP Peer, which helps us ensure that we are only advertising our own prefixes.

    [~HUAWEI] display bgp routing-table peer 45.183.47.1 advertised-routes

    See IPv6 Prefixes that we advertise to a Peer

    This shows the prefixes that we are currently advertising to a particular BGP Peer, which helps us ensure that we are only advertising our own prefixes.

    [~HUAWEI] display bgp ipv6 routing-table peer 2803:CD60:6411:5::1 advertised-routes