Quagga is an open source routing package for TCP/IP networks. It has evolved out of the Zebra routing code formally Kunishiro Ishiguro’s zebra routing package. You can implement IP routing protocols such as RIP, RIPng, OSPF and ISIS and uses the standard Linux kernel for forwarding.
Add user and group quagga
groupadd quagga useradd -g quagga -s /bin/false quagga
Before installing quagga, it is necessary to prepare the quagga directories and files; and change ownership:
mkdir /etc/quagga mkdir /var/state/quagga touch /var/log/zebra.log touch /var/log/ospfd.log touch /var/log/bgpd.log chown quagga:quagga /etc/quagga chown quagga:quagga /var/state/quagga
Install quagga :
./configure --enable-user=quagga --enable-group=quagga --enable-vty-group=quagga \ --prefix=/usr --sysconfdir=/etc/quagga -localstatedir=/var/state/quagga make make install ldconfig
2) Configuring and running Zebra
Run Zebra daemon. Flags: -d – run as daemon, -A listen to 127.0.0.1, –retain – if quagga crashes don’t remove routes learned form it(can be dangerous).
zebra -d -A 127.0.0.1 --retain
Login to zebra VTY. Default password is zebra
telnet 127.0.0.1 2601
After logging in change to read-write mode. Password is also zebra
Configure the basics. Remove comments before pasting
conf t #enter configuration mode hostname Quagga-zebra #change hostname enable password your_enable_password #enable password, 8 alphanums MAX! password your_vty_password #VTY(ro) password is 8 alphanums MAX! service password-encryption #encrypts password (weak encryption - protect anyway!) access list 1 permit 127.0.0.1 #create ACL allowing only localhost log file /var/log/zebra.log debugging #configure logging log record-priority #includes severity to log messages line vty #configure terminal lines login #enforrce loging access-class 1 #allow only ACL 1 to login end #exit configuration wr mem #write configuration
3) Configuring and running Ospfd
Allow other OSPF routers’s to pass data to ospfd daemon. Since OSPF doesn’t use TCP nor UDP only working ruleset I could think of is(add to the end of the INPUT chain):
iptables -A INPUT -i ethX -s PEER_IP -p tcp -j DROP iptables -A INPUT -i ethX -s PEER_IP -p udp -j DROP iptables -A INPUT -i ethX -s PEER_IP -j ACCEPT
Where ethX is the interface connecting to the OSPF speaker and PEER_IP is its IP address.
Start the ospfd daemonand login to read-write mode. Password is zebra.
ospfd -d -A 127.0.0.1 telnet 127.0.0.1 2604 enable
Configure the basics, copy/paste from zebra config. Remember to change hostname and log file form zebra to ospfd!
Configure OSPF related settings. Remove comments and replace keywords before pasting.
conf t router ospf #configure ospf process passive-interface default #disable OSPF on all interfaces no passive-interface ethX #enable OSPF on int ethX log-adjacency-changes detail #log some fancy stuff network X.X.X.X/prefix area 0 #announce network X.X.X.X/prefix and enable ospf on that interface area 0 authentication message-digest #configure md5 authentication between peers exit int ethX #configure interface ethX ip ospf message-digest-key 1 md5 ospf_peer_password #configure peer password, max 16 alphanums
Remember that every interface you wan’t to use must have it’s primary network configured with network statement or secondary IPs won’t be announced.
3) Configuring and running Bgpd
BGP listens on port 179, but like FTP it must also listen to other ports for connections from port 179. First, we must allow that packet through. Repeat for every BGP peer:
iptables -A INPUT -p tcp -s neighbor_ip --dport 179 -i neighbor_interface -j ACCEPT iptables -A INPUT -p tcp -s neighbor_ip --sport 179 -i neighbor_interface -j ACCEPT
bgpd -d -A 127.0.0.1
Configure the basics, copy/paste from zebra config. Remember to change hostname and log file form zebra to bgpd!
Configure your AS(remove comments):
configure terminal router bgp your_as_number bgp log-neighbor-changes //usefull for debuging bgp always-compare-med //compares MED from different peers bgp graceful-restart //makes reseting bgp sessions less invasive network x.x.x.x/prefix //announces our network over BGP end
NOTE: Quagga doesn’t care if network specified in network statement in BGP is present in routing table. It announces it anyway, unlike other routers like Cisco.
Next we need to prepare inbound and outbound filters because we don’t want to be transit AS or recive crappy routes.
We announce only our AS:
ip as-path access-list 1 permit ^$
Now, lets filter crappy and bogous routes. We will also create simple MED based route selector(Remember bgp always-compare-med?):
First create matches to use with a route-map:
! matches any local routes - we don't want that! ip prefix-list no_local seq 5 permit 10.0.0.0/8 le 32 ip prefix-list no_local seq 10 permit 192.168.0.0/16 le 32 ip prefix-list no_local seq 15 permit 172.16.0.0/12 le 32 ip prefix-list no_local seq 20 permit 169.254.0.0/16 le 32 ip prefix-list no_local seq 25 permit your_prefix le 32
! matches multicast and reserved address space ip prefix-list no_multi seq 5 permit 18.104.22.168/4 le 32 ip prefix-list no_multi seq 10 permit 240.0.0.0/4 le 32
!matches a route going through our AS - bad ip as-path access-list with_our_as permit _yourASnumber_
And the route-map itself
route-map peer_1_in deny 10 match ip address prefix-list no_local
route-map peer_1_in deny 20 match ip address prefix-list no_multi
route-map peer_1_in deny 30 match as-path with_our_as
route-map peer_1_in permit 65535 set metric 50
Numbers on the end of lines above are sequence numbers – lower numbers gets processed first. Exception is the last line, it sets MED to 50. If we have multiple peers, and routes to same destinations are of same length, routes with lower MED will be used .
And now for peers themselves:
neighbor neighbor_ip remote-as neighbor_as neighbor neighbor_ip description neighbor_name neighbor neighbor_ip capability dynamic neighbor neighbor_ip soft-reconfiguration inbound neighbor neighbor_ip maximum-prefix 1000000 neighbor neighbor_ip route-map peer_1_in in neighbor neighbor_ip filter-list 1 out
You should be set by now. Verify by checking: sh ip bgp neighbors(look for established status)