Help with BGP


greg
04-21-2006, 06:01 PM
I just got a new circuit (fract DS3) and I need some help with BGP. The new circuit is from a new provider so I'm now multihomed, at least for a while. My current connections are 3 T1's coming through a Cisco 3640 router which immediately connects to a PC running Star-os. The PC does most of our routing and fw. I got an ASN (36159) and the ASN of the new connection is 10835. Eventually, I will get rid of the current connections (3 T1's) but my current IP's are attached to them (ASN 209). I don't really care whether I run anything over the T1's as long as I can route all traffic over to the new circuit. Can I use the Star-os pc and configure BGP on it and route out that way? Or do I have to put some entries in the Cisco. I have plenty of free ethernet ports but it has nowhere near the HP that the PC does.

I started setting this up 6 months ago but the old DS3 provider discontinued service in our area. I think I have most of the necessary entries in the Cisco but I'd prefer to just bypass it if possible and eventually get rid of it.

bairdc
04-22-2006, 12:34 AM
If you're multihomed, you're going to have to run BGP on whichever device connects to your ISPs, which I would assume would be the Cisco(s). You *could* run EBGP multihop if your ISPs will let you, and then run BGP on StarOS, but really, I don't know how you'll ever replace the Ciscos with StarOS, since StarOS doesn't have any drivers for T1 cards or for DS3.

Craig

greg
05-01-2006, 05:01 PM
My connection to the new connection is via ethernet. I have it connected to a StarOS PC server now running masq on some of my subnets. I have the commands for a Cisco but the tech guy upstream isn't familiar with StarOS. I assume the command structure is similar?

bminish
05-01-2006, 06:37 PM
I have only used internal BGP to date with staros.
Your best starting point would be the quagga manual (http://www.quagga.net/docs/quagga.html)
BGP is fairly easy to set up
.brendan

greg
05-01-2006, 08:54 PM
Thanks for the help. So far, I have pretty much figured and input all the lines except for the password. Here is the line he wanted input:

neighbor x.x.x.x pass T68iRF99bdgI8106

I can't get the command editor to accept it. The phrase has been changed to protect the innocent. I tried send-community, pass, password, etc to no avail.

bairdc
05-02-2006, 12:26 PM
It appears you can't use an MD5 password in Quagga BGP. See the following for details:

http://bgphints.ruud.org/articles/bgp-md5.html

At the bottom of that page, it says there is a patch for Quagga to support it, but I'm sure that patch hasn't been included in the StarOS implementation.

If you want to use StarOS to talk BGP with your provider, you're probably going to have to ask them to configure it without a password.

Craig

lonnie
05-02-2006, 05:14 PM
The link is broken.

tony
05-02-2006, 05:28 PM
The link in the article, to the patch that is.

timo
05-10-2006, 04:54 PM
Are there plans to patch the StarOS BGP implementation to support RFC 2385 soon? I could use it yesterday, and so could a client of mine! Having RFC 2385 support would mean that StarOS would be a viable alternative to any base Cisco/Foundry/Riverstone/Extreme router.

Most of the service providers are requesting TCP MD5 header encryption on all BGP sessions since the vulnerability of non-encrypted sessions was announced by Cisco a while back.

A StarOS BGP implementation with 512MB-1GB of RAM and a 1GHz+ processor running good Ethernet cards will outperform most base Cisco routers by a long margin.

My latest build was an Intel 2.8GHz, 1GB RAM, Intel PRO/100 copper and PRO/1000 GigE optical NICs, running FreeBSD 5.X with Quagga. Traffic over the aggregated 1G interface ran as high as 170Mbps, routed out to three different providers on the 100Mbps interfaces. Around the 200Mbps threshold I upgraded to a Foundry box because the small packet routing performance of the box was reaching the limit, but I ran 6000+ customers basically for two years on "free" boxes.

lonnie
05-10-2006, 08:17 PM
We use Quagga and we do not dig into it for extension or repair. We work on the driver and User Interface.

greg
05-26-2006, 11:18 AM
An update and couple of questions. I have a PC running Star-OS 4693 with an AMD 2800+ processor and 512meg of ram. Says it does 4140 bogomips in the test. Other than the standard items, I am running BGP, NAT, NTP and FW. My connection to the Internet is through 100meg ethernet and my pipe is 10 meg. I have 5 class C's announced. Static routing with 50 defined routes. Lots of FW rules but no level7 ones. So far, the highest throughput I've seen has been 720kB. The CPU load seems to stay in single digits. Overall, the box seems pretty stable. This is my first endeavor into the world of BGP. I have a Cisco 3640 that I could put into the loop but I think this setup works better. I run Pingplotter from a couple different locations and ping times stay below 200 with occasional (3-4 per hr) spikes up to 3-500ms.

Is this enough PC to run what I am asking? Anything I can beef up?

Will this setup outperform a Cisco 3640?

I can't run BGP with a pw but don't know what impact that has or how significant? How would I know if the system was under attack?

I believe the occasional spike is due to outbound traffic but haven't confirmed that absolutely yet. I don't have any idea how many resources are required for NAT, FW or BGP. I could offload the FW duties to another PC though it didn't seem to have much impact when I pulled them all out for 15 mins to test.

lonnie
05-26-2006, 12:01 PM
What are you pinging that is 200 msec? Are you saying this system cannot exceed 720 kbps?

bairdc
05-26-2006, 12:35 PM
Is this enough PC to run what I am asking? Anything I can beef up?

Will this setup outperform a Cisco 3640?
I'm guessing it would.

I can't run BGP with a pw but don't know what impact that has or how significant? How would I know if the system was under attack?
Here is the vulnerability in question:

http://www.kb.cert.org/vuls/id/415294

Basically, an attacker can inject packets into the BGP session between you and your upstream. If they sent a certain type of packet, at just the right time, with just the right sequence number, they could cause your BGP session to reset, causing a short DoS (probably one minute or less). Your BGP session would have to re-establish, and your router would have to rebuild its BGP routing table, and then everything would be fine again. Of course, if an attacker did it once, they could probably do it twice. The big risk would be from repeated attacks. If it happened several times during a short interval, your route would likely get dampened which would make you unavailable to the Internet for a while.

The risk could probably be mitigated, even without MD5 if your upstream provider has measures in place to prevent spoofing, since an attacker would have to spoof the IP of your BGP peer. By the same token, to protect your upstream's router from getting hit with this same thing, you could make sure that you don't allow machines on your network to spoof the IP of your BGP router (or to spoof anything at all, for that matter).


I believe the occasional spike is due to outbound traffic but haven't confirmed that absolutely yet. I don't have any idea how many resources are required for NAT, FW or BGP. I could offload the FW duties to another PC though it didn't seem to have much impact when I pulled them all out for 15 mins to test.
What is it you're trying to ping? If you just ping your upstream's router, what do you get?

Craig
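Greg's question above ("How would I know if the system was under attack?") and Craig's point about repeated resets leading to dampening both come down to watching session state changes. The following is an added example, not code from the thread, from StarOS or from Quagga: it scans bgpd-style log lines for neighbor Up/Down transitions, counts how many resets a peer suffered inside a sliding window, and estimates the route-flap dampening penalty the upstream would accumulate. The log lines are constructed to resemble Quagga's "%ADJCHANGE" messages, and the dampening figures (1000 per flap, 15 minute half-life, suppress at 2000, reuse at 750) are the commonly used RFC 2439 defaults applied as a simplified model, not a measurement from Greg's network.

```python
"""Spot repeated BGP session resets in bgpd logs and estimate dampening.

Added example (not from the thread, StarOS or Quagga). The sample log is
constructed to look like Quagga bgpd's %ADJCHANGE lines; the dampening
constants are the usual RFC 2439 defaults, used here as a simplified model.
"""
import math
import re
from datetime import datetime
from typing import Dict, List

# Constructed sample log: one peer reset three times in ten minutes,
# another peer dropped once because of an interface problem.
SAMPLE_LOG = """\
2006/05/26 13:00:00 BGP: %ADJCHANGE: neighbor 10.0.0.1 Down BGP Notification received
2006/05/26 13:00:30 BGP: %ADJCHANGE: neighbor 10.0.0.1 Up
2006/05/26 13:05:00 BGP: %ADJCHANGE: neighbor 10.0.0.1 Down BGP Notification received
2006/05/26 13:05:25 BGP: %ADJCHANGE: neighbor 10.0.0.1 Up
2006/05/26 13:10:00 BGP: %ADJCHANGE: neighbor 10.0.0.1 Down BGP Notification received
2006/05/26 13:10:40 BGP: %ADJCHANGE: neighbor 10.0.0.1 Up
2006/05/26 13:30:00 BGP: %ADJCHANGE: neighbor 10.0.0.2 Down Interface down
2006/05/26 13:31:00 BGP: %ADJCHANGE: neighbor 10.0.0.2 Up
"""

ADJ_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) BGP: %ADJCHANGE: neighbor (\S+) (Up|Down)"
)


def parse_adjchange(line: str):
    """Return (timestamp, peer, state) for an ADJCHANGE line, else None."""
    m = ADJ_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
    return ts, m.group(2), m.group(3)


def session_downs(log: str) -> Dict[str, List[datetime]]:
    """Collect, per peer, the times the session went Down (a reset)."""
    downs: Dict[str, List[datetime]] = {}
    for line in log.splitlines():
        parsed = parse_adjchange(line)
        if parsed and parsed[2] == "Down":
            downs.setdefault(parsed[1], []).append(parsed[0])
    return downs


def max_resets_in_window(times: List[datetime], window_s: int) -> int:
    """Largest number of resets that fall within any window_s-second span."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def dampening_penalty(flap_offsets_s, now_s, penalty=1000.0, half_life_s=900.0):
    """Sum of per-flap penalties, each halved every half_life_s since its flap."""
    return sum(penalty * 0.5 ** ((now_s - t) / half_life_s)
               for t in flap_offsets_s if t <= now_s)


def is_suppressed(penalty_value, suppress=2000.0):
    """A route is suppressed once its penalty reaches the suppress limit."""
    return penalty_value >= suppress


def seconds_until_reuse(penalty_value, reuse=750.0, half_life_s=900.0):
    """Time for the penalty to decay below the reuse limit (0 if already below)."""
    if penalty_value <= reuse:
        return 0.0
    return half_life_s * math.log2(penalty_value / reuse)


def analyse(log: str, window_s: int = 600, alert_threshold: int = 3):
    """Per-peer summary: reset burst size, alert flag and dampening estimate."""
    report = {}
    for peer, times in session_downs(log).items():
        times = sorted(times)
        burst = max_resets_in_window(times, window_s)
        offsets = [(t - times[0]).total_seconds() for t in times]
        pen = dampening_penalty(offsets, offsets[-1])  # penalty right after the last reset
        report[peer] = {
            "resets": len(times),
            "max_in_window": burst,
            "alert": burst >= alert_threshold,
            "penalty": round(pen, 1),
            "suppressed": is_suppressed(pen),
            "reuse_in_s": round(seconds_until_reuse(pen)),
        }
    return report


if __name__ == "__main__":
    for peer, summary in analyse(SAMPLE_LOG).items():
        print(peer, summary)
```

Run against the sample, peer 10.0.0.1 trips the alert (three resets inside ten minutes) and its estimated penalty is already above the suppress limit, which is the "unavailable to the Internet for a while" case described above; the single drop of 10.0.0.2 stays well below it. On a real box the same logic would read bgpd's log file, and a reset that arrives as a TCP RST rather than a BGP Notification would show up as a different reason string, which is worth alerting on separately.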

greg
05-26-2006, 01:56 PM
I'm running a tool/program called Pingplotter. Pretty slick, it pings and graphs each hop to the destination. I ping google.com or download.com but focus primarily on my BGP router and the next hop to my upstream.

I believe it's capable of much more than 720mB, just haven't had the demand yet. I've been graphing the connection for about 3 days. Also, tweaking and trying to plug some of the holes. It looks like the p2p traffic is the problem. *sigh*