Leveraging Hyperglass and NSX-T!

For this example deployment, I'll be using my NSX-T Lab as the fabric, VyOS for the Overloaded Router role, and trying out hyperglass:

Looking Glass Concept

Installation (VyOS)

I already have a base image for VyOS with its management VRF set up - and updating the base image prior to deployment is a breeze due to the vSphere 7 VM Template Check Out Feature.

In this case, I'll deploy to an NSX-T External Port and peer up, with fully implemented ingress filtering:

Interfaces

Export Filters - Permit all prefixes:

Export Filters - Prefix List

Import Filters - don't trust any prefixes from this router:

Import Filters - Prefix List

Set in the correct directions:

Route Filters

Configure the BGP Neighbors:

BGP Neighbors

From here, we build the VNF, by adding the following configuration:

protocols {
    bgp 64932 {
        address-family {
            ipv4-unicast {
                maximum-paths {
                    ebgp 4
                }
            }
            ipv6-unicast {
                maximum-paths {
                    ebgp 4
                }
            }
        }
        neighbor 10.7.2.1 {
            remote-as 64902
        }
        neighbor 10.7.2.2 {
            remote-as 64902
        }
        neighbor x:x:x:dea::1 {
            address-family {
                ipv6-unicast {
                }
            }
            remote-as 64902
        }
        neighbor x:x:x:dea::2 {
            address-family {
                ipv6-unicast {
                }
            }
            remote-as 64902
        }
        timers {
            holdtime 12
            keepalive 4
        }
    }
}

Then, let's verify that BGP is working:

vyos@vyos-lg-01:~$ show ip bgp summary

IPv4 Unicast Summary:
BGP router identifier 10.7.2.254, local AS number 64932 vrf-id 0
BGP table version 156
RIB entries 75, using 14 KiB of memory
Peers 4, using 85 KiB of memory

Neighbor             V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd   PfxSnt
10.7.2.1             4      64902       278       272        0    0    0 00:11:31           40       42
10.7.2.2             4      64902        16        13        0    0    0 00:00:16           39       42
x:x:x:dea::1         4      64902       234       264        0    0    0 00:11:43 NoNeg
x:x:x:dea::2         4      64902       283       368        0    0    0 00:11:43 NoNeg

Total number of neighbors 4
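
One way to script this check, as an added example that is not from the original post or the hyperglass project: it parses the summary above and flags sessions that are down, address families that were not negotiated, and neighbors the looking glass advertises prefixes to, since those stay out of the fabric only because of the NSX-T import filter. The names parse_summary, audit and fabric_as are assumptions made for illustration.

```python
# Rows copied from the summary above (IPv6 peer addresses stay masked as on the page).
SAMPLE = """\
Neighbor             V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd   PfxSnt
10.7.2.1             4      64902       278       272        0    0    0 00:11:31           40       42
10.7.2.2             4      64902        16        13        0    0    0 00:00:16           39       42
x:x:x:dea::1         4      64902       234       264        0    0    0 00:11:43 NoNeg
x:x:x:dea::2         4      64902       283       368        0    0    0 00:11:43 NoNeg

Total number of neighbors 4
"""

def parse_summary(text):
    """Return one dict per neighbor row of a 'show ip bgp summary' table."""
    peers, in_table = [], False
    for line in text.splitlines():
        cols = line.split()
        if not cols:                       # a blank line ends the neighbor table
            in_table = False
        elif cols[0] == "Neighbor":        # the header row starts it
            in_table = True
        elif in_table and len(cols) >= 10:
            up = cols[9].isdigit()         # a number here means Established + PfxRcd
            peers.append({
                "neighbor": cols[0],
                "remote_as": int(cols[2]),
                "state": "Established" if up else cols[9],
                "pfx_rcd": int(cols[9]) if up else None,
                "pfx_snt": int(cols[10]) if len(cols) > 10 and cols[10].isdigit() else None,
            })
    return peers

def audit(peers, fabric_as=64902):
    """Return (neighbor, finding) tuples; fabric_as is the expected peer AS (assumed name)."""
    out = []
    for p in peers:
        if p["remote_as"] != fabric_as:
            out.append((p["neighbor"], f"unexpected remote AS {p['remote_as']}"))
        if p["state"] == "NoNeg":
            out.append((p["neighbor"], "address family not negotiated in this view"))
        elif p["state"] != "Established":
            out.append((p["neighbor"], f"session not established ({p['state']})"))
        if p["pfx_snt"]:
            out.append((p["neighbor"], f"advertises {p['pfx_snt']} prefixes; "
                        "only the peer's import filter keeps them out"))
    return out

if __name__ == "__main__":
    for neighbor, finding in audit(parse_summary(SAMPLE)):
        print(f"{neighbor}: {finding}")
```

The NoNeg findings for the two IPv6 neighbors are expected in the IPv4 view, because those neighbors are configured for ipv6-unicast only.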

The VNF is configured! Now, we'll follow the application maintainer's instructions for installation: https://hyperglass.io/docs/getting-started

The installation documentation is pretty good, but some customization is still required. I built the following configuration files out. hyperglass uses YAML as its configuration file format; examples are here. I did make some changes:

  • Some combination of VyOS 1.4, MP-BGP, and/or VRF-lite changed the syntax of the BGP views. Setting a commands file fixes this.
  • The VyOS driver appends a host mask (/32, /128) to routes with no prefix specified.
      • NB: I reached out to the maintainer (Matt Love), and he informed me that this was configurable per-VRF using the force-cidr option.

This particular tool has been extremely useful to me, as NSX-T still lacks comprehensive BGP visibility without CLI access - and even if it didn't, this will provide consumers an easy way to validate that prefixes have propagated, and where.