Re: rdomain, mpe, ldpd, OpenBGPD and PF

2010-05-24 Thread Insan Praja SW

Hi Claudio,
Thanks, I'll report back to you after I'm done with my first test.

On Mon, 24 May 2010 20:11:46 +0700, Claudio Jeker wrote:



On Mon, May 24, 2010 at 05:23:00PM +0700, Insan Praja SW wrote:

Hi Misc@,
Before I begin to test OpenBGPD mpls VPN support on current, is
there any hints on route-leaking, and an example/hints to make a
complete setup MPLS cloud and MPLS/VPN on a network.

In my later experiences using OpenBSD, I use pf with rtable to make
a VPN-like network without isolation on the network. Now I need to
know if there are ways to have a semi-isolated network when using
rdomain or anything like it.


Passing traffic between VPNs is either done in pf(4) by setting the rtable
on a rule or by importing routes in BGP (import/export-target).
The first method is much more flexible but more static.

First of all you need the attached diff to play with the kernel MPLS part.
With that in you can start playing with the various parts.
1. You need to MPLS enable the interfaces that do MPLS
   In my test I use a vlan for this:
# more /etc/hostname.vlan2003
vlan 2003 vlandev sis0
inet 10.83.128.26 255.255.255.248 NONE
mpls

2. Then it is best to have a loopback interface:
# more /etc/hostname.lo1
inet 10.83.66.23 255.255.255.255 NONE

3. LDP config:
router-id 10.83.66.23
distribution independent
retention liberal
advertisement unsolicited
interface lo1 {
}
interface vlan2003 {
}

4. I use ospfd as IGP, there is nothing special needed here.

5. create a rdomain 1:
# more /etc/hostname.vlan2017
rdomain 1
vlan 2017 vlandev sis0
inet 192.168.220.1 255.255.255.0

6. create a mpe(4) in rdomain 1:
# more /etc/hostname.mpe0
rdomain 1 mplslabel 543
inet 10.83.66.129 255.255.255.255

Note: it is necessary to have an IP on mpe(4) but it does not matter which
one you pick. I normally use the loopback IP but maybe using the vlan2017
IP would be smarter.

7. BGP config:
AS 65003
router-id 10.83.66.23
listen on 10.83.66.23
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:1
export-target rt 65003:1
depend on mpe0
network 192.168.220/24
}
group ibgp {
announce IPv4 unicast
announce IPv4 vpn
remote-as 65003
local-address 10.83.66.23
neighbor 10.83.66.2 {
descr c2
}
}

Start ospfd, bgpd, and ldpd and hope for the best (check that all sessions
come up). Set up something similar on a second system.
Use e.g. ping -V1 -I 192.168.220.1 192.168.221.1 to test the VPN.

It is possible to use gif/gre instead of LDP -- just use a gre interface
in point 1 and skip everything that needs LDP.


Thanks,


--
insandotpraja(at)gmaildotcom



Re: rdomain, mpe, ldpd, OpenBGPD and PF

2010-05-24 Thread Claudio Jeker
On Mon, May 24, 2010 at 05:23:00PM +0700, Insan Praja SW wrote:
> Hi Misc@,
> Before I begin to test OpenBGPD mpls VPN support on current, is
> there any hints on route-leaking, and an example/hints to make a
> complete setup MPLS cloud and MPLS/VPN on a network.
> 
> In my later experiences using OpenBSD, I use pf with rtable to make
> a VPN-like network without isolation on the network. Now I need to
> know if there are ways to have a semi-isolated network when using
> rdomain or anything like it.

Passing traffic between VPNs is either done in pf(4) by setting the rtable
on a rule or by importing routes in BGP (import/export-target).
The first method is much more flexible but more static.

First of all you need the attached diff to play with the kernel MPLS part.
With that in you can start playing with the various parts.
1. You need to MPLS enable the interfaces that do MPLS
   In my test I use a vlan for this:
# more /etc/hostname.vlan2003 
vlan 2003 vlandev sis0
inet 10.83.128.26 255.255.255.248 NONE
mpls

2. Then it is best to have a loopback interface:
# more /etc/hostname.lo1
inet 10.83.66.23 255.255.255.255 NONE

3. LDP config:
router-id 10.83.66.23
distribution independent
retention liberal
advertisement unsolicited
interface lo1 {
}
interface vlan2003 {
}

4. I use ospfd as IGP, there is nothing special needed here.

5. create a rdomain 1:
# more /etc/hostname.vlan2017
rdomain 1
vlan 2017 vlandev sis0
inet 192.168.220.1 255.255.255.0

6. create a mpe(4) in rdomain 1:
# more /etc/hostname.mpe0
rdomain 1 mplslabel 543
inet 10.83.66.129 255.255.255.255

Note: it is necessary to have an IP on mpe(4) but it does not matter which
one you pick. I normally use the loopback IP but maybe using the vlan2017
IP would be smarter.

7. BGP config:
AS 65003
router-id 10.83.66.23
listen on 10.83.66.23
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:1
export-target rt 65003:1
depend on mpe0
network 192.168.220/24
}
group ibgp {
announce IPv4 unicast
announce IPv4 vpn
remote-as 65003
local-address 10.83.66.23
neighbor 10.83.66.2 {
descr c2
}
}

Start ospfd, bgpd, and ldpd and hope for the best (check that all sessions
come up). Set up something similar on a second system.
Use e.g. ping -V1 -I 192.168.220.1 192.168.221.1 to test the VPN.

It is possible to use gif/gre instead of LDP -- just use a gre interface
in point 1 and skip everything that needs LDP.

-- 
:wq Claudio

Index: sbin/ifconfig/ifconfig.8
===
RCS file: /cvs/src/sbin/ifconfig/ifconfig.8,v
retrieving revision 1.200
diff -u -p -r1.200 ifconfig.8
--- sbin/ifconfig/ifconfig.87 May 2010 06:17:34 -   1.200
+++ sbin/ifconfig/ifconfig.824 May 2010 12:48:34 -
@@ -347,6 +347,11 @@ this directive is used to select between
 and 802.11g
 .Pq Dq 11g
 operating modes.
+.It Cm mpls
+Enable Multiprotocol Label Switching (MPLS) on the interface. It will be
+able to send and receive MPLS traffic.
+.It Fl mpls
+Disable MPLS on the interface.
 .It Cm mtu Ar value
 Set the MTU for this device to the given
 .Ar value .
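Review bot: mdoc style in the new `.It Cm mpls` entry: keep one sentence per source line, so split "Enable Multiprotocol Label Switching (MPLS) on the interface. It will be able to send and receive MPLS traffic." into two lines, and consider the plainer "The interface then sends and receives MPLS traffic." for the second sentence. The `.It Fl mpls` entry is fine as written.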
Index: sbin/ifconfig/ifconfig.c
===
RCS file: /cvs/src/sbin/ifconfig/ifconfig.c,v
retrieving revision 1.232
diff -u -p -r1.232 ifconfig.c
--- sbin/ifconfig/ifconfig.c6 May 2010 12:58:40 -   1.232
+++ sbin/ifconfig/ifconfig.c6 May 2010 20:34:51 -
@@ -191,6 +191,7 @@ voidunsetmediaopt(const char *, int);
 void   setmediainst(const char *, int);
 void   settimeslot(const char *, int);
 void   timeslot_status(void);
+void   setifmpls(const char *, int);
 void   setmpelabel(const char *, int);
 void   setvlantag(const char *, int);
 void   setvlanprio(const char *, int);
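Review bot: the added prototype `void   setifmpls(const char *, int);` is dead: the command table in the next hunk wires "mpls" and "-mpls" to setifxflags, and no setifmpls definition appears anywhere in the diff. Drop the declaration, or add the function if it was meant to replace the setifxflags entries.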
@@ -346,6 +347,8 @@ const structcmd {
{ "-rtlabel",   -1, 0,  setifrtlabel },
{ "range",  NEXTARG,0,  setatrange },
{ "phase",  NEXTARG,0,  setatphase },
+   { "mpls",   IFXF_MPLS,  0,  setifxflags },
+   { "-mpls",  -IFXF_MPLS, 0,  setifxflags },
{ "mplslabel",  NEXTARG,0,  setmpelabel },
{ "advbase",NEXTARG,0,  setcarp_advbase },
{ "advskew",NEXTARG,0,  setcarp_advskew },
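Review bot: IFXF_MPLS is referenced in the two new table entries but is not defined in any hunk shown here; it has to come from the kernel side of this diff (net/if.h). Commit that header change together with, or before, this ifconfig change, otherwise ifconfig stops building. The "-mpls" entry relies on setifxflags treating a negative value as "clear the flag"; worth a quick check that the existing setifxflags callers use the same convention.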
@@ -3252,6 +3255,7 @@ mpe_status(void)
printf("\tmpls label: %d\n", shim.shim_label);
 }
 
+/* ARGSUSED */
 void
 setmpelabel(const char *val, int d)
 {
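Review bot: the `/* ARGSUSED */` lint annotation on setmpelabel has nothing to do with the MPLS interface flag. It is harmless, but it belongs in a separate cleanup commit so the functional change stays reviewable on its own.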
Index: 
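The second way Claudio names above, importing routes via route targets, leaks by configuration rather than per packet: any rdomain that imports a target another rdomain exports sees that other customer's routes, and a copy-pasted RT quietly merges two VPNs. The script below is an added example, not OpenBSD or OpenBGPD code. It parses only the rdomain-block subset of bgpd.conf syntax shown in the thread and runs over a constructed two-customer config (rdomain 2, mpe1, rt 65003:2 and 192.168.230/24 are made up for the example), reporting every cross-rdomain import and every block missing the rd that VPN-IPv4 prefixes need.

```python
"""Check bgpd.conf-style rdomain blocks for route-target leaks between customers.

Added example for the rdomain/mpe/bgpd thread; not OpenBSD or OpenBGPD code.
Only the rdomain-block keywords shown in the thread are understood:
descr, rd, import-target rt, export-target rt, depend on, network.
"""
import re
from collections import defaultdict

# Constructed sample: rdomain 2, mpe1, 65003:2 and 192.168.230/24 are made up.
# rdomain 2 imports 65003:1 by mistake, so it learns CUSTOMER1's routes.
SAMPLE_CONF = """\
AS 65003
router-id 10.83.66.23
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:1
export-target rt 65003:1
depend on mpe0
network 192.168.220/24
}
rdomain 2 {
descr "CUSTOMER2"
rd 65003:2
import-target rt 65003:1
export-target rt 65003:2
depend on mpe1
network 192.168.230/24
}
"""

RDOMAIN_OPEN = re.compile(r'^rdomain\s+(\d+)\s*\{$')


def parse_rdomains(text):
    """Return {rdomain_id: {'descr', 'rd', 'imports', 'exports', 'depend'}}.

    Lines outside an rdomain block (AS, router-id, group, neighbor) are ignored.
    """
    doms = {}
    cur = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()       # drop comments and whitespace
        if not line:
            continue
        m = RDOMAIN_OPEN.match(line)
        if m:
            cur = {'descr': '', 'rd': None, 'imports': set(),
                   'exports': set(), 'depend': set()}
            doms[int(m.group(1))] = cur
            continue
        if line == '}':
            cur = None                            # closes the rdomain (or any other) block
            continue
        if cur is None:
            continue
        tok = line.split()
        if tok[0] == 'descr':
            cur['descr'] = line[len('descr'):].strip().strip('"')
        elif tok[0] == 'rd' and len(tok) == 2:
            cur['rd'] = tok[1]
        elif tok[0] in ('import-target', 'export-target') and len(tok) == 3 and tok[1] == 'rt':
            cur['imports' if tok[0] == 'import-target' else 'exports'].add(tok[2])
        elif tok[:2] == ['depend', 'on'] and len(tok) == 3:
            cur['depend'].add(tok[2])
    return doms


def find_leaks(doms):
    """List (importer, exporter, rt) for every rdomain that imports a target
    some *other* rdomain exports. Importing your own export is the normal case."""
    exporters = defaultdict(set)
    for rid, d in doms.items():
        for rt in d['exports']:
            exporters[rt].add(rid)
    leaks = []
    for rid, d in sorted(doms.items()):
        for rt in sorted(d['imports']):
            for src in sorted(exporters.get(rt, ())):
                if src != rid:
                    leaks.append((rid, src, rt))
    return leaks


def find_missing(doms):
    """List (rdomain, reason) for blocks that cannot form a usable VPN:
    no rd (VPN-IPv4 NLRI carries one) or no route target at all."""
    problems = []
    for rid, d in sorted(doms.items()):
        if not d['rd']:
            problems.append((rid, 'no rd'))
        if not d['imports'] and not d['exports']:
            problems.append((rid, 'no import-target/export-target'))
    return problems


if __name__ == '__main__':
    doms = parse_rdomains(SAMPLE_CONF)
    for imp, exp, rt in find_leaks(doms):
        print(f"LEAK: rdomain {imp} ({doms[imp]['descr']}) imports rt {rt}, "
              f"which rdomain {exp} ({doms[exp]['descr']}) exports")
    for rid, why in find_missing(doms):
        print(f"rdomain {rid}: {why}")
```

Run it against a real /etc/bgpd.conf after adding a customer; the only expected output on a clean config is nothing. A reported leak is not necessarily a mistake (a shared services VPN imports several customers' targets on purpose), but every one should be intentional, which is exactly the review this script forces.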

rdomain, mpe, ldpd, OpenBGPD and PF

2010-05-24 Thread Insan Praja SW

Hi Misc@,
Before I begin to test OpenBGPD mpls VPN support on current, is there any  
hints on route-leaking, and an example/hints to make a complete setup MPLS  
cloud and MPLS/VPN on a network.


In my later experiences using OpenBSD, I use pf with rtable to make a  
VPN-like network without isolation on the network. Now I need to know if  
there are ways to have a semi-isolated network when using rdomain or  
anything like it.


Thanks,



Insan Praja
--
insandotpraja(at)gmaildotcom