Eve-ng lab with Frys-IX and Peering Manager

Lately I have been busy preparing and testing router configurations in my lab. Managing all your BGP peers or in particular Internet Exchange peers can be quite a job. A LACNIC video on youtube from Tomas Lynch got me into Peering Manager. Developed by network engineers and with help from DE-CIX it is a pretty impressive tool. So, let's try it in the lab!

I use EVE-NG as my network lab tool and some virtual Cisco and Juniper routers to create networks. I have created a reasonable large lab simulating an IP Transit network connected to other transits, peers and Internet Exchanges.

In Eve-ng it is quite easy to insert a Linux machine in your lab, check the link. So I installed a Ubuntu machine and followed the instructions to install Peering Manager. I have hooked up Peering Manager to my lab router and am able to reach my BR33 vMX Junos router.

The next thing is to enable NetConf on the BR33 router, so Peering Manager can send configurations to the router. This Juniper link will help you with that.

In Peering Manager, we now can add a router. Or better, add your ASN first. If you have a PeeringDB account you can create a API link, Peering Manager can already collect information about your ASN. The connected IX'es for example:

Let do this test with Frys-IX , because they are cool and Arend Brouwer is a top bloke! And he is always in the Fusix Networks BV podcast haha. (And I might be from Friesland as well ;)

For the home ASN I used Eurofiber 39686 because I did so many cool things there :D

Let's add the router. You can link it to a preconfigured platform type, so Peering Manager understands how to connect to the router, in this case Junos. Use the NAPALM username / password from the earlier created NetConf user.

We can now test the connectivity with the "ping" tool, success hurray!!

Verification, indeed something happened!

Now comes the most difficult part, creating the templates. These templates can be used to create configuration to send to the router. Luckily there are already some Cisco and Juniper examples. The templates are based on Jinja2, I never used Jinja so I had to take a good look. But if you know your Junos or Cisco config and you see the examples, for sure you will get there. Basically, I first created a target Junos config and templated that with Jinja variables.

For my target setup I used the Junos Day One Book, BGP security written by Melchior Aelmans as an inspiration. Be aware, it has some typos ;) The configuration uses chained policies. I wanted to do prefix filtering per neighbor so the policies could not be applied on BGP group level. The generic policy and the final reject-all can be applied to every neighbor. Only the peer-x policy needs to be created per peer. The generic policy filers bogan prefixes and ASN's. In my lab I yet don't have a RPKI validator but you should do this in production! The lab routes can not be validated by the RPKI validator, they will get the default Unknow status, which is accepted for now. The final generic term sets my wanted BGP community attributes as well the local-pref. The peer specific policy checks the peer prefix and uses some cool subroutine policies.

The BGP group, peer specific policy and prefix-list need to be templated. The generic policy is quite static so not needed. Here a small part of the template:

Now we can start building some new peers! If you check your IX you see all the connected peers, this info is all collected from PeeringDB, great stuff! Hey, I see Dirk Pol from i4Networks AS39637, let's peer with them, they do cool stuff all the time!

First I created a quick and dirty router for AS39637 in my lab, connected to Frys-IX and ready to connect with me.

Now AS39637 is ready and the peering is added in Peering Manager we can deploy the configuration. Head over to the router and hit Configuration. Peering Manager now generates the configuration, ready for deployment.

Configuration with the correct Junos markup, hit commit to send it to the router:

We cannot always have luck! But Junos/Peering Manager is giving good feedback to fix the issue.

BTW, Peering Manager is using BGPQ3 to generate prefix-lists. It automatically uses the AS-SET of a ASN, so customer prefixes of ASN-x are also in the list.

This time the commit worked! We now have our first Peering Manager deployed peering session on the Frys-IX!

The BGP session is established and the policies accepted the prefix. The prefix even has the correct community and local-pref attributes!

I think a only used the top of the iceberg functions of Peering Manager and I still have to learn a lot. But I already know it is a awesome tool! Thanks to the creators of Peering Manager!

If you have any questions do not hesitate to contact me!