Hi Wido,

Thanks for the feedback, comments below:

> I would suggest that the upstream router (Juniper, Frr, etc) should then use 
> Dynamic BGP neighbors.

That's the plan.

> I do suggest we add BGP passwords/encryption from the start for safety 
> reasons.

That's very likely to be there from day one.

> On the VR you just need to make sure you properly configure the BGP daemon 
> and it points to the right upstream routers.

Indeed, and we plan to use FRR for that.


Thanks for the link to the doc, I'll review it.

Cheers
Alex



-----Original Message-----
From: Wido den Hollander <w...@widodh.nl> 
Sent: Friday, May 17, 2024 5:24 PM
To: d...@cloudstack.apache.org; Alex Mattioli <alex.matti...@shapeblue.com>; 
users@cloudstack.apache.org
Subject: Re: Dynamic routing for routed mode IPv6 and IPv4 Isolated and VPC 
networks

My apologies! I totally missed this one. Comments inline.

On 15/05/2024 at 14:55, Alex Mattioli wrote:
> Hi all,
> 
> Does anyone have an opinion on the implementation of dynamic routing in 
> Isolated networks and VPCs?
> 
> So far the design is:
> 
> 1 - Operator configures one or more BGP peers for a given Zone (with 
> different metrics)
> 2 - Operator presents a pool of Private AS numbers to the Zone (just 
> like we do for VLANs)
> 3 - When a network is created with an offering which has dynamic 
> routing enabled an AS number is allocated to the network
> 4 - ACS configures the BGP session on the VR (using FRR), advertising 
> all its connected networks
> 

I would suggest that the upstream router (Juniper, Frr, etc) should then use 
Dynamic BGP neighbors.

On JunOS this is the "allow" statement [0]. The VR would indeed get an AS 
assigned by ACS and the network should know the 1, 2 or X upstream routers it 
can peer with. I do suggest we add BGP passwords/encryption from the start for 
safety reasons.

"allow 192.168.1.0/24"

On JunOS this allows any router within that subnet to establish a BGP session 
(and when the BGP password matches).

On the VR you just need to make sure you properly configure the BGP daemon and 
it points to the right upstream routers.

[0]: 
https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/statement/allow-edit-protocols-bgp.html

> Any and all input will be very welcome.
> 
> Cheers,
> Alex
> 
> 
>   
> 
> From: Alex Mattioli
> Sent: Wednesday, April 17, 2024 3:25 AM
> To: users@cloudstack.apache.org; d...@cloudstack.apache.org
> Subject: Dynamic routing for routed mode IPv6 and IPv4 Isolated and 
> VPC networks
> 
> Hi all,
> 
> I'd like to brainstorm dynamic routing in ACS (yes, again... for the 
> newcomers to this mailing list - this has been discussed multiple 
> times in the past 10+ years)
> 
> ACS 4.17 has introduced routed mode for IPv6 in Isolated networks and VPCs, 
> we are currently working on extending that to IPv4 as well, which will 
> support the current NAT'ed mode and also a routed mode (inspired by the NSX 
> integration https://www.youtube.com/watch?v=f7ao-vv7Ahk).
> 
> With stock ACS (i.e. without NSX or OpenSDN) this routing is purely static, 
> with the operator being responsible to add static routes to the Isolated 
> network or VPC tiers via the "public" (outside) IP of the virtual router.
> 
> The next step on this journey is to add some kind of dynamic routing. One way 
> that I have in mind is using dynamic BGP:
> 
> 1 - Operator configures one or more BGP peers for a given Zone (with 
> different metrics)
> 2 - Operator presents a pool of Private AS numbers to the Zone (just 
> like we do for VLANs)
> 3 - When a network is created with an offering which has dynamic 
> routing enabled an AS number is allocated
> 4 - ACS configures the BGP session on the VR, advertising all its 
> connected networks
> 
> This way there's no need to reconfigure the upstream router for each 
> new ACS network (it just needs to allow dynamic BGP peering from the 
> pool of AS numbers presented to the zone)
> 
> This implementation could also be used for Shared Networks, in which case the 
> destination advertised via BGP is to the gateway of the shared network.
> 
> There could also be an offering where we allow for end users to setup the BGP 
> parameters for their Isolated or VPC networks, which can then peer with 
> upstream VNF(s).
> 
> Any and all input is very welcome...
> 
> Taking the liberty to tag some of you: @Wei 
> Zhou<mailto:wei.z...@shapeblue.com> @Wido den 
> Hollander<mailto:w...@widodh.nl> @Kristaps 
> Čudars<mailto:kristaps.cud...@telia.lv>
> 
> Cheers,
> Alex
> 
