Welcome back to my little tech blog. It’s been a few years since I last posted here.. :)
I’ve been playing around a lot with several DDoS mitigation techniques, be it in-house or as a service, and have used many BGP implementations such as classic Cisco IOS, Cisco IOS-XR(v), Bird and ExaBGP.
ExaBGP is a nice little BGP injector for things like s/dRTBH and injection of FlowSpec rules.
As I’ve had some issues getting started with ExaBGP, I thought I’d share a very basic config to save others some time; I will probably share some more complex examples later.
I switched from 3.4 to 4.0 (tracking -master) already, so this post will get you started with ExaBGP 4.0 only. 4.0 is still under heavy development and still has some issues as of the time of writing this post, but all in all it does what I need. Syntax might still change though.
Examples are available at https://github.com/Exa-Networks/exabgp/wiki but these are just snippets and I did not find them to be very well updated when syntax changes occurred.
To get ExaBGP running I just used a basic CentOS 7 installation:
    git clone https://github.com/Exa-Networks/exabgp.git
    git -C exabgp checkout master
My basic config looks like (place it in ./exabgp/etc/exabgp/exabgp.conf):
    # Control pipe: socat relays lines written to the named pipe to ExaBGP's API
    process announce-routes {
        run /usr/bin/socat stdout pipe:/var/run/exabgp.cmd;
        encoder json;
    }

    # IPv4 template
    template INTERNET_EDGE_v4 {
        local-as 64496;
        peer-as 64496;
        hold-time 180;
        router-id 192.0.2.0;
        group-updates false;
        local-address 192.0.2.0;
        capability {
            graceful-restart 120;
        }
        family {
            ipv4 unicast;
            ipv4 flow;
        }
        api {
            processes [ announce-routes ];
        }
    }

    # IPv6 template
    template INTERNET_EDGE_v6 {
        local-as 64496;
        peer-as 64496;
        hold-time 180;
        router-id 192.0.2.0;
        group-updates false;
        local-address 2001:DB8::;
        capability {
            graceful-restart 120;
        }
        family {
            ipv6 unicast;
            ipv6 flow;
        }
        api {
            processes [ announce-routes ];
        }
    }

    # Neighbours
    neighbor 192.0.2.101 {
        inherit INTERNET_EDGE_v4;
        description "r1";
    }
    neighbor 192.0.2.102 {
        inherit INTERNET_EDGE_v4;
        description "r2";
    }
    neighbor 192.0.2.103 {
        inherit INTERNET_EDGE_v4;
        description "r3";
    }
    neighbor 2001:DB8::101 {
        inherit INTERNET_EDGE_v6;
        description "r1";
    }
    neighbor 2001:DB8::102 {
        inherit INTERNET_EDGE_v6;
        description "r2";
    }
    neighbor 2001:DB8::103 {
        inherit INTERNET_EDGE_v6;
        description "r3";
    }
To get ExaBGP started just run
    ./exabgp/sbin/exabgp ./exabgp/etc/exabgp/exabgp.conf
or in case you want to see debug output:
    sudo env exabgp.daemon.daemonize=false ./exabgp/sbin/exabgp ./exabgp/etc/exabgp/exabgp.conf
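Because the announce-routes process in the config relays whatever is written to /var/run/exabgp.cmd straight into ExaBGP, it helps to validate blackhole requests before they reach the pipe. The following is an added example, not code from the original post or from the ExaBGP project: the protected prefixes, the discard next-hops, the helper names and the use of the RFC 7999 BLACKHOLE community are assumptions, and the command line follows ExaBGP's text API, which should be checked against the version you run.

```python
#!/usr/bin/env python3
"""Guarded RTBH announcements through the ExaBGP control pipe (added example)."""
import ipaddress
import os

PIPE = "/var/run/exabgp.cmd"  # pipe path taken from the config in this post
# Assumptions (not from the post): protected ranges, discard next-hops,
# and tagging with the RFC 7999 BLACKHOLE community.
OWN_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("2001:db8::/32")]
DISCARD_NEXT_HOP = {4: "192.0.2.1", 6: "2001:db8::1"}
BLACKHOLE = "65535:666"


def rtbh_command(target: str, withdraw: bool = False) -> str:
    """Return one ExaBGP text-API line for a host route, or raise ValueError."""
    net = ipaddress.ip_network(target, strict=True)  # rejects garbage and newlines
    if net.prefixlen != net.max_prefixlen:
        raise ValueError(f"{net}: only host routes (/32 or /128) may be blackholed")
    if not any(net.version == own.version and net.subnet_of(own)
               for own in OWN_PREFIXES):
        raise ValueError(f"{net}: outside our own address space")
    verb = "withdraw" if withdraw else "announce"
    return (f"{verb} route {net} next-hop {DISCARD_NEXT_HOP[net.version]} "
            f"community [{BLACKHOLE}]")


def send(command: str, pipe: str = PIPE) -> None:
    """Write one command line to the pipe; fail fast if nothing is reading it."""
    if "\n" in command or "\r" in command:
        raise ValueError("refusing multi-line command")
    # O_NONBLOCK makes open() raise ENXIO instead of hanging when socat is down.
    fd = os.open(pipe, os.O_WRONLY | os.O_NONBLOCK)
    try:
        os.write(fd, (command + "\n").encode("ascii"))
    finally:
        os.close(fd)


if __name__ == "__main__":
    import sys
    send(rtbh_command(sys.argv[1], withdraw="--withdraw" in sys.argv[2:]))
```

Any account that can write to the pipe can inject routes into every configured neighbor, so restrict its permissions to the user that runs this script.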
Thomas Mangin (the author of ExaBGP) provides great support via Google Groups, the GitHub issue tracker and Gitter. So in case you encounter any issues, you will find support! Also, there's a FAQ.