Hi Misc,
I am trying to make OpenBGPD work as a route-server for a little hobby
project I am working on.
As it's very hard to find configuration examples for this usage on the web, I
have to turn here.
What I am trying to achieve:
- A route-server acting as a transparent route distributor.
- Control by neighbours over who their prefixes are announced to, based on
communities.
Making OpenBGPD work as a transparent AS was the easy part. However, I'm stuck
on the community control part.
How it is supposed to work: my route-server has AS1234 in my test
environment.
If a neighbour announces:
1. { community 1234:1234 } -- Their prefixes will be announced to EVERY
other neighbour.
2. { community 1234:<AS> } -- Their prefixes will ONLY be announced to <AS>,
i.e. 1234:8943 will only send the prefixes to AS8943.
3. { community 1234:1234 1234:<AS> } -- Their prefixes will be announced to
every other neighbour EXCEPT <AS>.
I have been able to achieve the first two ways the prefix control should work,
but I can't manage to get the third to work. Before moving to OpenBGPD I
managed to produce the behaviour I want in Quagga, but I simply do not
want to use that.
Would anyone have an idea of how to make OpenBGPD not announce prefixes to
specific neighbours if they appear in the 1234:1234 1234:<AS> list?
My configuration:
--
AS 1234
router-id 10.0.0.60
fib-update no                   # route server: keep learned routes out of the kernel FIB
log updates
listen on 10.0.0.60
nexthop qualify via bgp
transparent-as yes              # do not prepend AS1234 when re-announcing

group "peers-rs-v4" {
        announce IPv4 unicast
        softreconfig in yes
        enforce neighbor-as yes
        neighbor 10.0.0.61 {
                descr "juniperm5"
                remote-as 65501
                announce all
                passive
        }
        neighbor 10.0.0.64 {
                descr "foundryxmr"
                remote-as 65502
                announce all
                passive
        }
        neighbor 10.0.0.63 {
                descr "cisco7200"
                remote-as 65503
                announce all
                passive
        }
}

# Filter rules are evaluated top to bottom and the last matching rule wins.
# The bogon denies carry "quick" so that a later "allow from any community"
# rule cannot re-admit a private or link-local prefix that happens to be
# tagged with one of the control communities.
deny from any
deny quick from any prefix 0.0.0.0/0
deny quick from any prefix 10.0.0.0/8 prefixlen >= 8
deny quick from any prefix 172.16.0.0/12 prefixlen >= 12
deny quick from any prefix { 192.168.0.0/16 169.254.0.0/16 } prefixlen >= 16
deny quick from any prefix 169.254.0.0/16 prefixlen <= 32   # redundant with the rule above
deny from any community *:*
deny to any community *:*
# Community 1234:65502 goes to AS65502
allow from any community 1234:65502
allow to 10.0.0.64 community 1234:65502
# Community 1234:1234 goes to everyone
allow from any community 1234:1234
allow to any community 1234:1234
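An added example, not the poster's configuration, of how all three community semantics from the post can be expressed in one export policy for a route server in AS1234. It relies on two OpenBGPD filter features: the neighbor-as keyword in a community match, which expands to the remote AS of the neighbour a rule is evaluated for, and the ability to give more than one community keyword in a single rule so that all of them must match. The second feature is an assumption about the OpenBGPD release in use; check bgpd.conf(5) on the version you run, because without it the conjunction needed for case 3 cannot be written with separate single-community rules, as last-match-wins ordering alone only yields "1234:1234 or 1234:<AS>".

```conf
# Added example, not the poster's bgpd.conf. Filter rules are evaluated top
# to bottom within each direction and the last matching rule wins.

# Ingress: accept only prefixes that carry one of our control communities.
deny from any
allow from any community 1234:*

# Egress: deny everything by default, then open up per case.
deny to any

# Case 1: 1234:1234 alone means "announce to every other neighbour".
allow to any community 1234:1234

# Case 2: 1234:<AS> alone means "announce only to <AS>".
# neighbor-as expands to the remote AS of the neighbour this update is being
# sent to, so this one rule replaces a per-neighbour
# "allow to 10.0.0.64 community 1234:65502".
allow to any community 1234:neighbor-as

# Case 3: 1234:1234 together with 1234:<AS> means "everyone except <AS>".
# Both communities must be present for the rule to match (assumption: the
# OpenBGPD version in use accepts several community keywords in one rule).
# Being the last matching rule, it overrides the two allows above, but only
# when evaluated for the neighbour whose AS is named in the community.
deny to any community 1234:1234 community 1234:neighbor-as
```

Check the syntax with `bgpd -n -f <file>` before reloading, then verify per neighbour with `bgpctl show rib neighbor 10.0.0.64 out`: a prefix tagged 1234:1234 1234:65502 should be absent from that neighbour's Adj-RIB-Out and present for the other two peers, while a prefix tagged 1234:65502 alone should appear only there. The rules above are deliberately limited to the community logic; the bogon denies from the poster's configuration still belong in front of them.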