
Establishing a BGP peer with Azure Route Server using a Cisco CSR 1000v

Published 2023/05/17

So far I have done a great deal of verification with Azure Route Server and an NVA (which was really FRRouting on Ubuntu).
In real enterprises, however, products from Cisco, Juniper, Fortinet and the like are probably used far more often.
So this time I will establish a BGP peer with Azure Route Server using a Cisco CSR 1000v.

Deploying the Cisco CSR 1000v

First, prepare a Bicep file for the deployment.
I went through the Azure Portal flow right up to the point of deploying it as an Azure VM and displayed the ARM template.
Its contents are as follows.

It is long, so it is folded away here.
{
    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "location": {
            "type": "string"
        },
        "networkInterfaceName": {
            "type": "string"
        },
        "enableAcceleratedNetworking": {
            "type": "bool"
        },
        "networkSecurityGroupName": {
            "type": "string"
        },
        "networkSecurityGroupRules": {
            "type": "array"
        },
        "subnetName": {
            "type": "string"
        },
        "virtualNetworkId": {
            "type": "string"
        },
        "publicIpAddressName": {
            "type": "string"
        },
        "publicIpAddressType": {
            "type": "string"
        },
        "publicIpAddressSku": {
            "type": "string"
        },
        "pipDeleteOption": {
            "type": "string"
        },
        "virtualMachineName": {
            "type": "string"
        },
        "virtualMachineComputerName": {
            "type": "string"
        },
        "virtualMachineRG": {
            "type": "string"
        },
        "osDiskType": {
            "type": "string"
        },
        "osDiskDeleteOption": {
            "type": "string"
        },
        "virtualMachineSize": {
            "type": "string"
        },
        "nicDeleteOption": {
            "type": "string"
        },
        "adminUsername": {
            "type": "string"
        },
        "adminPublicKey": {
            "type": "secureString"
        },
        "autoShutdownStatus": {
            "type": "string"
        },
        "autoShutdownTime": {
            "type": "string"
        },
        "autoShutdownTimeZone": {
            "type": "string"
        },
        "autoShutdownNotificationStatus": {
            "type": "string"
        },
        "autoShutdownNotificationLocale": {
            "type": "string"
        }
    },
    "variables": {
        "nsgId": "[resourceId(resourceGroup().name, 'Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroupName'))]",
        "vnetId": "[parameters('virtualNetworkId')]",
        "vnetName": "[last(split(variables('vnetId'), '/'))]",
        "subnetRef": "[concat(variables('vnetId'), '/subnets/', parameters('subnetName'))]"
    },
    "resources": [
        {
            "name": "[parameters('networkInterfaceName')]",
            "type": "Microsoft.Network/networkInterfaces",
            "apiVersion": "2021-08-01",
            "location": "[parameters('location')]",
            "dependsOn": [
                "[concat('Microsoft.Network/networkSecurityGroups/', parameters('networkSecurityGroupName'))]",
                "[concat('Microsoft.Network/publicIpAddresses/', parameters('publicIpAddressName'))]"
            ],
            "properties": {
                "ipConfigurations": [
                    {
                        "name": "ipconfig1",
                        "properties": {
                            "subnet": {
                                "id": "[variables('subnetRef')]"
                            },
                            "privateIPAllocationMethod": "Dynamic",
                            "publicIpAddress": {
                                "id": "[resourceId(resourceGroup().name, 'Microsoft.Network/publicIpAddresses', parameters('publicIpAddressName'))]",
                                "properties": {
                                    "deleteOption": "[parameters('pipDeleteOption')]"
                                }
                            }
                        }
                    }
                ],
                "enableAcceleratedNetworking": "[parameters('enableAcceleratedNetworking')]",
                "networkSecurityGroup": {
                    "id": "[variables('nsgId')]"
                }
            }
        },
        {
            "name": "[parameters('networkSecurityGroupName')]",
            "type": "Microsoft.Network/networkSecurityGroups",
            "apiVersion": "2019-02-01",
            "location": "[parameters('location')]",
            "properties": {
                "securityRules": "[parameters('networkSecurityGroupRules')]"
            }
        },
        {
            "name": "[parameters('publicIpAddressName')]",
            "type": "Microsoft.Network/publicIpAddresses",
            "apiVersion": "2020-08-01",
            "location": "[parameters('location')]",
            "properties": {
                "publicIpAllocationMethod": "[parameters('publicIpAddressType')]"
            },
            "sku": {
                "name": "[parameters('publicIpAddressSku')]"
            }
        },
        {
            "name": "[parameters('virtualMachineName')]",
            "type": "Microsoft.Compute/virtualMachines",
            "apiVersion": "2022-03-01",
            "location": "[parameters('location')]",
            "dependsOn": [
                "[concat('Microsoft.Network/networkInterfaces/', parameters('networkInterfaceName'))]"
            ],
            "properties": {
                "hardwareProfile": {
                    "vmSize": "[parameters('virtualMachineSize')]"
                },
                "storageProfile": {
                    "osDisk": {
                        "createOption": "fromImage",
                        "managedDisk": {
                            "storageAccountType": "[parameters('osDiskType')]"
                        },
                        "deleteOption": "[parameters('osDiskDeleteOption')]"
                    },
                    "imageReference": {
                        "publisher": "cisco",
                        "offer": "cisco-csr-1000v",
                        "sku": "17_2_1-byol",
                        "version": "latest"
                    }
                },
                "networkProfile": {
                    "networkInterfaces": [
                        {
                            "id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaceName'))]",
                            "properties": {
                                "deleteOption": "[parameters('nicDeleteOption')]"
                            }
                        }
                    ]
                },
                "osProfile": {
                    "computerName": "[parameters('virtualMachineComputerName')]",
                    "adminUsername": "[parameters('adminUsername')]",
                    "linuxConfiguration": {
                        "disablePasswordAuthentication": true,
                        "ssh": {
                            "publicKeys": [
                                {
                                    "path": "[concat('/home/', parameters('adminUsername'), '/.ssh/authorized_keys')]",
                                    "keyData": "[parameters('adminPublicKey')]"
                                }
                            ]
                        }
                    }
                },
                "diagnosticsProfile": {
                    "bootDiagnostics": {
                        "enabled": true
                    }
                }
            },
            "plan": {
                "name": "17_2_1-byol",
                "publisher": "cisco",
                "product": "cisco-csr-1000v"
            }
        },
        {
            "name": "[concat('shutdown-computevm-', parameters('virtualMachineName'))]",
            "type": "Microsoft.DevTestLab/schedules",
            "apiVersion": "2018-09-15",
            "location": "[parameters('location')]",
            "dependsOn": [
                "[concat('Microsoft.Compute/virtualMachines/', parameters('virtualMachineName'))]"
            ],
            "properties": {
                "status": "[parameters('autoShutdownStatus')]",
                "taskType": "ComputeVmShutdownTask",
                "dailyRecurrence": {
                    "time": "[parameters('autoShutdownTime')]"
                },
                "timeZoneId": "[parameters('autoShutdownTimeZone')]",
                "targetResourceId": "[resourceId('Microsoft.Compute/virtualMachines', parameters('virtualMachineName'))]",
                "notificationSettings": {
                    "status": "[parameters('autoShutdownNotificationStatus')]",
                    "notificationLocale": "[parameters('autoShutdownNotificationLocale')]",
                    "timeInMinutes": "30"
                }
            }
        }
    ],
    "outputs": {
        "adminUsername": {
            "type": "string",
            "value": "[parameters('adminUsername')]"
        }
    }
}

Broadly, it felt no different from creating a Linux Azure VM, so I used it as a reference to write a Bicep file that serves as a library module.
Compared with the file for Ubuntu Server, the distinctive points are that properties > storageProfile > imageReference is changed to the corresponding values, and that there is a plan element sitting alongside properties.

As for what to write in imageReference, one option is to pick it up from the displayed ARM template; another is to run az vm image list --publisher cisco --offer cisco-csr-1000v --all --output table with the Azure CLI and choose from the resulting list.

https://learn.microsoft.com/cli/azure/vm/image#az-vm-image-list

The Bicep file I created is on GitHub.

https://github.com/skmkzyk/bicep-templates/blob/main/lib/cisco1000v_17_2_1.bicep

Time to deploy, I thought, but since this was my first time creating one, I got an error saying that the legal terms had not been accepted.

You have not accepted the legal terms on this subscription: 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' for this plan. Before the subscription can be used, you need to accept the legal terms of the image. To read and accept legal terms, use the Azure CLI commands described at https://go.microsoft.com/fwlink/?linkid=2110637 or the PowerShell commands available at https://go.microsoft.com/fwlink/?linkid=862451. Alternatively, deploying via the Azure portal provides a UI experience for reading and accepting the legal terms. Offer details: publisher='cisco' offer = 'cisco-csr-1000v', sku = '17_2_1-byol', Correlation Id: 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'.

I could accept them from the Azure Portal, but while I'm at it I'll do it with the Azure CLI.

az vm image terms accept --publisher cisco --offer cisco-csr-1000v --plan 17_2_1-byol

The result comes back looking like this.
There is a lot in it, but it says "accepted": true, so I take it the terms were accepted and move on.

{
  "accepted": true,
  "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/Microsoft.MarketplaceOrdering/offerTypes/Microsoft.MarketplaceOrdering/offertypes/publishers/cisco/offers/cisco-csr-1000v/plans/17_2_1-byol/agreements/current",
  "licenseTextLink": "https://mpcprodsa.blob.core.windows.net/legalterms/3E5ED_legalterms_CISCO%253a24CISCO%253a2DCSR%253a2D1000V%253a2417%253a5F2%253a5F1%253a2DBYOL%253a2477U6PNHCGQDDCTQQH4O5ORD4JNNMDI4KUNCXIWWEOQNAAWCLDHMSJ5TLU3M3P4OSOTTPRU2XUSYWPQJ3YQ5BIQKGDSJSI5AQTNYK55Q.txt",
  "marketplaceTermsLink": "https://mpcprodsa.blob.core.windows.net/marketplaceterms/3EDEF_marketplaceterms_VIRTUALMACHINE%253a24AAK2OAIZEAWW5H4MSP5KSTVB6NDKKRTUBAU23BRFTWN4YC2MQLJUB5ZEYUOUJBVF3YK34CIVPZL2HWYASPGDUY5O2FWEGRBYOXWZE5Y.txt",
  "name": "17_2_1-byol",
  "plan": "17_2_1-byol",
  "privacyPolicyLink": "http://www.cisco.com/web/siteassets/legal/privacy.html",
  "product": "cisco-csr-1000v",
  "publisher": "cisco",
  "retrieveDatetime": "2023-05-16T13:27:13.6256702Z",
  "signature": "<snip>",
  "systemData": {
    "createdAt": "2023-05-16T13:27:18.181496+00:00",
    "createdBy": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "createdByType": "ManagedIdentity",
    "lastModifiedAt": "2023-05-16T13:27:18.181496+00:00",
    "lastModifiedBy": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "lastModifiedByType": "ManagedIdentity"
  },
  "type": "Microsoft.MarketplaceOrdering/offertypes"
}

And now it can finally be deployed.
This time I want to establish a BGP peer with Azure Route Server, so please deploy that as well.

Checking the Cisco CSR 1000v

First, with nothing more than a fresh deployment, log in over SSH and take a look.
Omitting some parts, sh run and sh ip route look like this.
The interface VirtualPortGroup0 is intriguing; I'll look into it some day.

sh run
vm-nva100#show run
Building configuration...

Current configuration : 4814 bytes
!
! Last configuration change at 13:34:51 UTC Tue May 16 2023
!
version 17.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
! Call-home is enabled by Smart-Licensing.
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform console serial
!
hostname vm-nva100
!
boot-start-marker
boot-end-marker
!
!
vrf definition GS
 rd 100:100
 !
 address-family ipv4
 exit-address-family
!
logging persistent size 1000000 filesize 8192 immediate
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local none
!
!
!
!
!
!
aaa session-id common
!
!
!
!
!
!
!
ip domain name vm-nva100.cloudapp.net
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint SLA-TrustPoint
 enrollment pkcs12
 revocation-check crl
!
!
crypto pki certificate chain SLA-TrustPoint
 certificate ca 01
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XX
        quit
!
license udi pid CSR1000V sn XXXXXXXXXXX
diagnostic bootup level minimal
memory free low-watermark processor 71873
!
!
spanning-tree extend system-id
!
username ikko privilege 15
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface VirtualPortGroup0
 vrf forwarding GS
 ip address 192.168.x.x 255.255.255.0
 ip nat inside
 no mop enabled
 no mop sysid
!
interface GigabitEthernet1
 ip address dhcp
 ip nat outside
 negotiation auto
 no mop enabled
 no mop sysid
!
iox
ip forward-protocol nd
ip tcp window-size 8192
ip http server
ip http secure-server
!
ip nat inside source list GS_NAT_ACL interface GigabitEthernet1 vrf GS overload
ip route 0.0.0.0 0.0.0.0 10.100.0.1
ip route vrf GS 0.0.0.0 0.0.0.0 GigabitEthernet1 10.100.0.1 global
ip ssh rsa keypair-name sshkeys
ip ssh pubkey-chain
  username ikko
   key-hash ssh-rsa XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
ip ssh server algorithm publickey ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-rsa x509v3-ecdsa-sha2-nistp256 x509v3-ecdsa-sha2-nistp384 x509v3-ecdsa-sha2-nistp521
ip scp server enable
!
ip access-list standard GS_NAT_ACL
 10 permit 192.168.x.0 0.0.0.255
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 transport input ssh
line vty 5 20
 transport input ssh
!
call-home
 ! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
 ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
 contact-email-addr sch-smart-licensing@cisco.com
 profile "CiscoTAC-1"
  active
  destination transport-method http
!
!
!
!
!
app-hosting appid guestshell
 app-vnic gateway1 virtualportgroup 0 guest-interface 0
  guest-ipaddress 192.168.x.x netmask 255.255.255.0
 app-default-gateway 192.168.x.x guest-interface 0
 name-server0 8.8.8.8
end
sh ip route
vm-nva100#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
       n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       H - NHRP, G - NHRP registered, g - NHRP registration summary
       o - ODR, P - periodic downloaded static route, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 10.100.0.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.100.0.1
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.100.0.0/24 is directly connected, GigabitEthernet1
L        10.100.0.10/32 is directly connected, GigabitEthernet1
      168.63.0.0/32 is subnetted, 1 subnets
S        168.63.129.16 [254/0] via 10.100.0.1
      169.254.0.0/32 is subnetted, 1 subnets
S        169.254.169.254 [254/0] via 10.100.0.1

Configuring the Cisco CSR 1000v

So let's put in the BGP configuration.
It basically follows the article below, but there are small differences between FRRouting and Cisco.

https://zenn.dev/skmkzyk/articles/azure-route-server-frrouting

The additional config to enter is as follows.
It is probably better to define the ip as-path access-lists first, then the route-maps, and only then add the neighbors, in that order.

!
router bgp 65001
 bgp log-neighbor-changes
 neighbor 10.100.210.4 remote-as 65515
 neighbor 10.100.210.4 ebgp-multihop 255
 neighbor 10.100.210.5 remote-as 65515
 neighbor 10.100.210.5 ebgp-multihop 255
 !
 address-family ipv4
  neighbor 10.100.210.4 activate
  neighbor 10.100.210.4 soft-reconfiguration inbound
  neighbor 10.100.210.4 route-map rmap-bogon-asns in
  neighbor 10.100.210.4 route-map rmap-azure-asns out
  neighbor 10.100.210.5 activate
  neighbor 10.100.210.5 soft-reconfiguration inbound
  neighbor 10.100.210.5 route-map rmap-bogon-asns in
  neighbor 10.100.210.5 route-map rmap-azure-asns out
 exit-address-family
!
ip as-path access-list 1 permit _65515_
ip as-path access-list 2 permit _0_
ip as-path access-list 2 permit _23456_
ip as-path access-list 2 permit _1310[0-6][0-9]_|_13107[0-1]_
ip as-path access-list 2 deny _65515_
ip as-path access-list 2 permit ^65
ip route 10.100.210.0 255.255.255.0 10.100.0.1
!
route-map rmap-bogon-asns deny 5
 match as-path 2
!
route-map rmap-bogon-asns permit 10
!
route-map rmap-azure-asns deny 5
 match as-path 1
!
route-map rmap-azure-asns permit 10
!
end
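As an added illustration (not from the original post), the following Python models how IOS evaluates the two as-path access-lists and route-maps above, expanding the IOS-specific `_` delimiter into a regular Python regex; the AS paths it is run against are constructed samples, not output from the router.

```python
import re

# Cisco IOS as-path access-lists, copied from the config above.
# Each list is evaluated top-down; the first entry whose regex matches decides,
# and a list with no matching entry is an implicit deny.
AS_PATH_ACCESS_LISTS = {
    1: [("permit", "_65515_")],
    2: [
        ("permit", "_0_"),
        ("permit", "_23456_"),
        ("permit", "_1310[0-6][0-9]_|_13107[0-1]_"),
        ("deny", "_65515_"),   # paths via Route Server must not be caught by ^65 below
        ("permit", "^65"),     # anchored only on the left: AS 6500 also matches
    ],
}

# Route-maps from the config: (sequence, action, access-lists named in
# "match as-path"). An empty list means the sequence matches every route.
ROUTE_MAPS = {
    "rmap-bogon-asns": [(5, "deny", [2]), (10, "permit", [])],  # applied inbound
    "rmap-azure-asns": [(5, "deny", [1]), (10, "permit", [])],  # applied outbound
}

# In IOS as-path regexes "_" is a delimiter: start or end of the path, a space,
# a comma, or a brace/parenthesis (AS_SET, confederation). Python's re has no
# such token, so expand it before compiling.
_DELIM = r"(?:^|$|[ ,{}()])"


def ios_regex(pattern: str):
    return re.compile(pattern.replace("_", _DELIM))


def as_path_list_permits(list_id: int, as_path: str) -> bool:
    """True when the access-list permits this AS path (first match wins)."""
    for action, pattern in AS_PATH_ACCESS_LISTS[list_id]:
        if ios_regex(pattern).search(as_path):
            return action == "permit"
    return False  # implicit deny at the end of every list


def route_map_accepts(name: str, as_path: str) -> bool:
    """Walk the route-map sequences in order. Several lists in one
    'match as-path' clause are an OR; a sequence without a match clause
    matches everything; no matching sequence at all is an implicit deny."""
    for _seq, action, lists in ROUTE_MAPS[name]:
        if not lists or any(as_path_list_permits(l, as_path) for l in lists):
            return action == "permit"
    return False


if __name__ == "__main__":
    # Constructed AS paths, written as "show ip bgp" prints them.
    for p in ["65515", "65515 65000", "65001 23456", "131070 64496", "3356 15169", "6500 1234"]:
        verdict = "accept" if route_map_accepts("rmap-bogon-asns", p) else "deny"
        print(f"inbound  {p!r:>16}: {verdict}")
    for p in ["", "64496 64497", "65515"]:
        verdict = "advertise" if route_map_accepts("rmap-azure-asns", p) else "filter"
        print(f"outbound {p!r:>16}: {verdict}")
```

Note that a path such as "65515 65000" is accepted only because the deny _65515_ entry precedes permit ^65; without it every prefix learned from Route Server would be dropped.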

Taking a diff gives this.

diff
$ diff -u before.txt after.txt
--- before.txt  2023-05-16 23:47:29.571995712 +0900
+++ after.txt   2023-05-16 23:47:47.468653373 +0900
@@ -1,9 +1,9 @@
 vm-nva100#show run
 Building configuration...

-Current configuration : 4814 bytes
+Current configuration : 5941 bytes
 !
-! Last configuration change at 13:34:51 UTC Tue May 16 2023
+! Last configuration change at 13:55:12 UTC Tue May 16 2023 by ikko
 !
 version 17.2
 service timestamps debug datetime msec
@@ -167,14 +167,39 @@
  no mop enabled
  no mop sysid
 !
+router bgp 65001
+ bgp log-neighbor-changes
+ neighbor 10.100.210.4 remote-as 65515
+ neighbor 10.100.210.4 ebgp-multihop 255
+ neighbor 10.100.210.5 remote-as 65515
+ neighbor 10.100.210.5 ebgp-multihop 255
+ !
+ address-family ipv4
+  neighbor 10.100.210.4 activate
+  neighbor 10.100.210.4 soft-reconfiguration inbound
+  neighbor 10.100.210.4 route-map rmap-bogon-asns in
+  neighbor 10.100.210.4 route-map rmap-azure-asns out
+  neighbor 10.100.210.5 activate
+  neighbor 10.100.210.5 soft-reconfiguration inbound
+  neighbor 10.100.210.5 route-map rmap-bogon-asns in
+  neighbor 10.100.210.5 route-map rmap-azure-asns out
+ exit-address-family
+!
 iox
 ip forward-protocol nd
 ip tcp window-size 8192
 ip http server
 ip http secure-server
 !
+ip as-path access-list 1 permit _65515_
+ip as-path access-list 2 permit _0_
+ip as-path access-list 2 permit _23456_
+ip as-path access-list 2 permit _1310[0-6][0-9]_|_13107[0-1]_
+ip as-path access-list 2 deny _65515_
+ip as-path access-list 2 permit ^65
 ip nat inside source list GS_NAT_ACL interface GigabitEthernet1 vrf GS overload
 ip route 0.0.0.0 0.0.0.0 10.100.0.1
+ip route 10.100.210.0 255.255.255.0 10.100.0.1
 ip route vrf GS 0.0.0.0 0.0.0.0 GigabitEthernet1 10.100.0.1 global
 ip ssh rsa keypair-name sshkeys
 ip ssh pubkey-chain
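Review bot: the `+  neighbor 10.100.210.4 route-map rmap-bogon-asns in` and `+  neighbor 10.100.210.4 route-map rmap-azure-asns out` lines in this hunk reference route-maps that are only added in the next hunk, and the `ip as-path access-list` entries those route-maps depend on come after the `router bgp 65001` block here; when pasting this in, enter the as-path lists and route-maps before the neighbor lines so the filters apply from the first UPDATE rather than relying on whatever the router does with a not-yet-defined route-map in the meantime. Separately, `+ip as-path access-list 2 permit ^65` is anchored only at the start of the path, so it also matches paths that begin with public ASNs such as 6500 through 6599 (or 65 itself), not just the private 65xxx block; if the private range is what is meant, terminate the match with `_` as the other entries do.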
@@ -189,6 +214,16 @@
 !
 !
 !
+route-map rmap-bogon-asns deny 5
+ match as-path 2
+!
+route-map rmap-bogon-asns permit 10
+!
+route-map rmap-azure-asns deny 5
+ match as-path 1
+!
+route-map rmap-azure-asns permit 10
+!
 !
 !
 !
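Review bot: `+route-map rmap-azure-asns deny 5` with `+ match as-path 1` stops any path containing 65515 from being advertised back toward Route Server, and `+route-map rmap-azure-asns permit 10` has no match clause, so every other prefix in the BGP table would be sent; nothing in the diff adds a `network` or `redistribute` statement, which is why the advertised-routes output later shows zero prefixes, but as soon as routes are injected this permit-all sequence sends all of them. A `description` under each `route-map` stanza stating the direction and purpose would make that intent explicit, since the names alone do not say which way they apply.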

Checking BGP operation

I assume the peer configuration on the Azure Route Server side has already been done.
If so, the neighbors should come up as soon as the config above is entered, so let's check a few things.

show ip bgp sum

If a time is shown in the Up/Down column, everything is fine.

vm-nva100#show ip bgp sum
BGP router identifier 10.100.0.10, local AS number 65001
BGP table version is 2, main routing table version 2
1 network entries using 248 bytes of memory
2 path entries using 272 bytes of memory
1/1 BGP path/bestpath attribute entries using 288 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 832 total bytes of memory
BGP activity 1/0 prefixes, 2/0 paths, scan interval 60 secs
1 networks peaked at 13:48:30 May 16 2023 UTC (01:08:35.683 ago)

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.100.210.4    4        65515      81      80        2    0    0 01:08:35        1
10.100.210.5    4        65515      80      80        2    0    0 01:08:29        1
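The check described above, as an added Python example rather than anything from the post: it parses `show ip bgp summary` into peer records and reports any Route Server peer (AS 65515) that is not Established or has received no prefixes. The embedded sample repeats the two neighbor lines above and adds a constructed third neighbor to show the failing case.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the "show ip bgp sum" output above. The first
# two neighbor lines mirror the page; the third is made up to show a peer that
# has not reached Established (IOS then prints the FSM state, here "Active",
# in the State/PfxRcd column and "never" in Up/Down).
SAMPLE_SUMMARY = """\
vm-nva100#show ip bgp sum
BGP router identifier 10.100.0.10, local AS number 65001
BGP table version is 2, main routing table version 2

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.100.210.4    4        65515      81      80        2    0    0 01:08:35        1
10.100.210.5    4        65515      80      80        2    0    0 01:08:29        1
10.100.210.6    4        65515       0       0        1    0    0 never    Active
"""


@dataclass
class BgpPeer:
    neighbor: str
    remote_as: int
    up_down: str
    state_or_pfx: str

    @property
    def established(self) -> bool:
        # Only an Established session shows a prefix count in this column;
        # anything else (Idle, Active, Connect, OpenSent, "Idle (Admin)") is a state.
        return self.state_or_pfx.isdigit()

    @property
    def prefixes_received(self) -> Optional[int]:
        return int(self.state_or_pfx) if self.established else None


def parse_bgp_summary(text: str) -> List[BgpPeer]:
    """Extract neighbor rows: the table starts at the 'Neighbor' header and
    each row has at least ten whitespace-separated fields with version 4 second."""
    peers: List[BgpPeer] = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("Neighbor"):
            in_table = True
            continue
        parts = line.split()
        if in_table and len(parts) >= 10 and parts[1] == "4":
            peers.append(BgpPeer(parts[0], int(parts[2]), parts[8], " ".join(parts[9:])))
    return peers


def check_route_server_peers(text: str, ars_as: int = 65515, expected: int = 2) -> List[str]:
    """Findings for the Route Server peers: both instances should be Established
    and each should have sent at least the VNet prefix. Empty list means healthy."""
    findings: List[str] = []
    ars_peers = [p for p in parse_bgp_summary(text) if p.remote_as == ars_as]
    if len(ars_peers) != expected:
        findings.append(f"expected {expected} peers to AS {ars_as}, found {len(ars_peers)}")
    for p in ars_peers:
        if not p.established:
            findings.append(f"{p.neighbor}: not Established (state {p.state_or_pfx}, up/down {p.up_down})")
        elif p.prefixes_received == 0:
            findings.append(f"{p.neighbor}: Established but 0 prefixes received")
    return findings


if __name__ == "__main__":
    for finding in check_route_server_peers(SAMPLE_SUMMARY) or ["all Route Server peers healthy"]:
        print(finding)
```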

show ip bgp nei 10.100.210.4 received-routes

The VNet's entire address space should be advertised to us.

vm-nva100#show ip bgp nei 10.100.210.4 received-routes
BGP table version is 2, local router ID is 10.100.0.10
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
              t secondary path, L long-lived-stale,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>   10.100.0.0/16    10.100.210.4                           0 65515 i

Total number of prefixes 1

show ip bgp nei 10.100.210.4 advertised-routes

Without a route-map specified, something might be getting advertised.

vm-nva100#show ip bgp nei 10.100.210.4 advertised-routes

Total number of prefixes 0

show ip route

Any route shown with a B at the start of the line was received via BGP, so that is as expected.

vm-nva100#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
       n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       H - NHRP, G - NHRP registered, g - NHRP registration summary
       o - ODR, P - periodic downloaded static route, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 10.100.0.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.100.0.1
      10.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
B        10.100.0.0/16 [20/0] via 10.100.210.4, 01:09:08
C        10.100.0.0/24 is directly connected, GigabitEthernet1
L        10.100.0.10/32 is directly connected, GigabitEthernet1
S        10.100.210.0/24 [1/0] via 10.100.0.1
      168.63.0.0/32 is subnetted, 1 subnets
S        168.63.129.16 [254/0] via 10.100.0.1
      169.254.0.0/32 is subnetted, 1 subnets
S        169.254.169.254 [254/0] via 10.100.0.1

show ip bgp

For now, the only route handled by BGP should be the VNet's entire address space.

vm-nva100#show ip bgp
BGP table version is 2, local router ID is 10.100.0.10
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
              t secondary path, L long-lived-stale,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *    10.100.0.0/16    10.100.210.5                           0 65515 i
 *>                    10.100.210.4                           0 65515 i

Summary

So I was able to establish a BGP peer with Azure Route Server using a Cisco CSR 1000v.
From now on I'm thinking of replacing some of what I verified with FRRouting with setups that use the Cisco CSR 1000v.

References

  • BGP - ip as-path access-list and regular expressions explained

https://www.infraexpert.com/study/bgpz31.html

  • Establishing a BGP peer between Azure Route Server and FRRouting

https://zenn.dev/skmkzyk/articles/azure-route-server-frrouting

  • I tried running Cisco CSR 1000V on Microsoft Azure!

https://www.softbank.jp/biz/blog/cloud-technology/articles/201910/azure-cisco-csr/

  • Cisco CSR 1000v Deployment Guide for Microsoft Azure

https://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/azu/b_csr1000config-azure.html

  • Cisco Cloud Services Router 1000v Data Sheet

https://www.cisco.com/c/en/us/products/collateral/routers/cloud-services-router-1000v-series/data_sheet-c78-733443.html

Microsoft (volunteer)
