Vyos with BGP and vrf

Gert-JanAugust 15, 2024Tech

I’ve setup a vyos instance to communicate BGP to the upstream routers and using vrf’s to isolate the BGP from the management part.

Config

VRF

set vrf name BGP description 'BGP upstreams'
set vrf name BGP table '200'
set vrf name MGT description 'Management'
set vrf name MGT table '100'

This just creates 2 vrf’s. One for the BGP sessions and one for Management. This way from the Internet side only BGP is exposed and nothing else. All the management services like snmp, ntp, ssh etc will only be accessable from the MGT vrf.

Interfaces

set interfaces ethernet eth0 address '<IP eth0>/30'
set interfaces ethernet eth0 description 'ROUTER1'
set interfaces ethernet eth0 hw-id '<mac eth0>'
set interfaces ethernet eth0 vrf 'BGP'
set interfaces ethernet eth1 address '<IP eth1>/24'
set interfaces ethernet eth1 description 'MANAGEMENT'
set interfaces ethernet eth1 hw-id '<mac eth1>'
set interfaces ethernet eth1 vrf 'MGT'
set interfaces ethernet eth2 address '<IP eth2>/30'
set interfaces ethernet eth2 description 'ROUTER2'
set interfaces ethernet eth2 hw-id '<mac eth2>'
set interfaces ethernet eth2 vrf 'BGP'
set interfaces ethernet eth3 address '<IP eth3>/30'
set interfaces ethernet eth3 description 'PFSENSE'
set interfaces ethernet eth3 hw-id '<mac eth3>'
set interfaces ethernet eth3 vrf 'BGP'

This just defines all IP’s on all interfaces with descriptions. The mac address statements are there automaticly.

MGT

set protocols static
set service ntp allow-client address '0.0.0.0/0'
set service ntp allow-client address '::/0'
set service ntp listen-address '<IP eth1>'
set service ntp server time1.vyos.net
set service ntp server time2.vyos.net
set service ntp server time3.vyos.net
set service ntp vrf 'MGT'
set service snmp community <community>
set service snmp community <community> authorization 'ro'
set service snmp community <community> client '<snmp client>'
set service snmp contact '<snmp email>'
set service snmp listen-address <IP eth1> port '161'
set service snmp location '<snmp location>'
set service snmp vrf 'MGT'
set service ssh listen-address '<IP eth1>'
set service ssh vrf 'MGT'
set system config-management commit-archive location 'git+https://<gituser>:<gitpwd>@<gitlab host>/<git path>.git'
set system config-management commit-revisions '100'
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed '115200'
set system host-name '<hostname>'
set system login user <user> authentication encrypted-password '<encrypted pw>'
set system login user <user> authentication otp
set system login user <user> full-name '<username>'
set system name-server '<nameserver>'
set system static-host-mapping host-name <gitlab host> inet '<gitlab ip>'
set system syslog global facility all level 'info'
set system syslog global facility local7 level 'debug'
set system syslog vrf 'MGT'

This sets all the management services like snmp, smtp, ssh syslog and user management. An extra note regarding the git statement. This automatically uploads the committed config to gitlab. I use this to keep track of my changes. These “config-management” are optional statements and can be ommitted. More details about this can be found in this post.

Routing

set vrf name MGT protocols static route 0.0.0.0/0 next-hop <MGT gateway>

Setting a default router for the management vrf to the default gateway of the management lan. This enables updates and such.

BGP

set policy prefix-list DEFAULT-IN rule 10 action 'permit'
set policy prefix-list DEFAULT-IN rule 10 prefix '0.0.0.0/0'
set policy prefix-list NOTHING-OUT
set policy prefix-list UPLINK-OUT rule 10 action 'permit'
set policy prefix-list UPLINK-OUT rule 10 prefix '<announce prefix1>'
set policy prefix-list UPLINK-OUT rule 20 action 'permit'
set policy prefix-list UPLINK-OUT rule 20 prefix '<announce prefix2>'
set policy route-map DEFAULT-IN rule 10 action 'permit'
set policy route-map DEFAULT-IN rule 10 match ip address prefix-list 'DEFAULT-IN'
set policy route-map NOTHING-OUT rule 10 action 'permit'
set policy route-map NOTHING-OUT rule 10 match ip address prefix-list 'NOTHING-OUT'
set policy route-map UPLINK-OUT rule 10 action 'permit'
set policy route-map UPLINK-OUT rule 10 match ip address prefix-list 'UPLINK-OUT'
set vrf name BGP description 'BGP upstreams'
set vrf name BGP protocols bgp address-family ipv4-unicast network <prefix pfsense-vyos>
set vrf name BGP protocols bgp address-family ipv4-unicast network <prefix hosted subnet>
set vrf name BGP protocols bgp address-family ipv4-unicast redistribute connected
set vrf name BGP protocols bgp address-family ipv4-unicast redistribute static
set vrf name BGP protocols bgp neighbor <IP R1> address-family ipv4-unicast maximum-prefix '10'
set vrf name BGP protocols bgp neighbor <IP R1> address-family ipv4-unicast route-map export 'UPLINK-OUT'
set vrf name BGP protocols bgp neighbor <IP R1> address-family ipv4-unicast route-map import 'DEFAULT-IN'
set vrf name BGP protocols bgp neighbor <IP R1> address-family ipv4-unicast soft-reconfiguration inbound
set vrf name BGP protocols bgp neighbor <IP R1> description 'ROUTER1'
set vrf name BGP protocols bgp neighbor <IP R1> graceful-restart 'enable'
set vrf name BGP protocols bgp neighbor <IP R1> remote-as 'external'
set vrf name BGP protocols bgp neighbor <IP R1> timers holdtime '30'
set vrf name BGP protocols bgp neighbor <IP R1> timers keepalive '10'
set vrf name BGP protocols bgp neighbor <IP R1> update-source '<IP eth0>'
set vrf name BGP protocols bgp neighbor <IP R2> address-family ipv4-unicast maximum-prefix '10'
set vrf name BGP protocols bgp neighbor <IP R2> address-family ipv4-unicast route-map export 'NOTHING-OUT'
set vrf name BGP protocols bgp neighbor <IP R2> address-family ipv4-unicast route-map import 'DEFAULT-IN'
set vrf name BGP protocols bgp neighbor <IP R2> address-family ipv4-unicast soft-reconfiguration inbound
set vrf name BGP protocols bgp neighbor <IP R2> description 'ROUTER2'
set vrf name BGP protocols bgp neighbor <IP R2> graceful-restart 'enable'
set vrf name BGP protocols bgp neighbor <IP R2> remote-as 'external'
set vrf name BGP protocols bgp neighbor <IP R2> timers holdtime '30'
set vrf name BGP protocols bgp neighbor <IP R2> timers keepalive '10'
set vrf name BGP protocols bgp neighbor <IP R2> update-source '<IP eth2>'
set vrf name BGP protocols bgp system-as '<AS NUMBER>'
set vrf name BGP protocols static route <prefix hosted subnet> interface eth3
set vrf name BGP table '200'
set vrf name MGT protocols static route 0.0.0.0/0 next-hop <MGT gateway>

This is the BGP configuration with all the prefix lists and such. No MD5 hashes are defined here (yet), that is an option to add.

Handy commands

show bgp vrf BGP sum
This shows your bgp sum from the BGP vrf.
sudo ip vrf exec BGP ping X.X.X.X
This enables you to execute a ping from the BGP vrf.