Route Servers

What's a route server and what's it good for?

A route server is a device collecting BGP routes from everybody who peers with it and redistributing those routes to all other peers on the route server.  Thus by peering with a route server you can avoid having to track and configure individual sessions with each peer at SwissIX. Furthermore, you'll get a lot of routes and traffic from day one.

Route Servers at SwissIX

SwissIX runs two OpenBSD/OpenBGPd-based route servers on the peering LAN. All SwissIX participants are strongly encouraged to peer with both route servers. We operate two independent route servers to allow for uninterrupted traffic flow even during maintenance.

Our route servers work transparently, meaning they don't insert their ASN into the AS path of the redistributed routes. At least on some Cisco IOS versions you have to allow this explicitly.

To peer with our route servers just set up BGP sessions with them as you would for any other peering. Please peer with both of them from all your connections. If you use IPv6, please don't forget to also setup IPv6 sessions. The route servers are both using ASN 42476

 

rs1.swissix.ch IPv4 91.206.52.251
IPv6 2001:7f8:24::fb
rs2.swissix.ch IPv4 91.206.52.252
IPv6 2001:7f8:24::fc

Route Security

SwissIX Route Servers provide route security by filtering announcements. Please find below a list of filters and features available on our route servers.

  • Filters:
    • NEXT_HOP enforcement (strict / same AS - RFC7948 section 4.8)
    • minimum and maximum IPv4/IPv6 prefix length
    • maximum AS_PATH length
    • reject invalid AS_PATHs (containing private/invalid ASNs)
    • reject AS_PATHs containing transit-free ASNs
    • reject bogons
    • max-prefix limit
  • Prefixes and origin ASNs validation:
  • Graceful shutdown support
    • honor the GRACEFUL_SHUTDOWN BGP community received from clients (draft-ietf-grow-bgp-gshut-11)
    • allow to perform a graceful shutdown of the route server itself

 

Configuration Updates

The configuration of the Route Servers is rebuilt at 02:00h (LT/CE(S)T) and 16:00h (LT/CE(S)T) daily. If you announce new prefixes or change your IRRDB objects please take a possible delay into account.

BGP Communities

The SwissIX Route Server accepts the following communities:

Function Standard Large
Do not announce to any client 0:42476 42476:0:0
Announce to peer, even if tagged with the previous community 42476:peer_as 42476:1:peer_as
Do not announce to peer 0:peer_as 42476:0:peer_as
Prepend the announcing ASN once to peer 65511:peer_as 42476:101:peer_as
Prepend the announcing ASN twice to peer 65512:peer_as 42476:102:peer_as
Prepend the announcing ASN thrice to peer 65513:peer_as 42476:103:peer_as
Prepend the announcing ASN once to any 65501:42476 42476:101:0
Prepend the announcing ASN twice to any 65502:42476 42476:102:0
Prepend the announcing ASN thrice to any 65502:42476 42476:103:0
Add NO_EXPORT to peer 65281:peer_as 42476:65281_peer_as
Add NO_ADVERTISE to peer 65282:peer_as 42476:65282_peer_as

 

BGP Reject Community 65520.*

Prefixes that are rejected by the filers will be tagged with the community 65520 and the below listed ID to document the reject reason. You can use the Looking Glass (rs1.swissix.ch / rs2.swissix.ch) to lookup these communities and understand why some of your prefixes have been rejected.

ID Reason
0 Special meaning: the route must be treated as rejected. *
1 Invalid AS_PATH length
2 Prefix is bogon
3 Prefix is in global blacklist
4 Invalid AFI
5 Invalid NEXT_HOP
6 Invalid left-most ASN
7 Invalid ASN in AS_PATH
8 Transit-free ASN in AS_PATH
9 Origin ASN not in IRRDB AS-SETs
10 IPv6 prefix not in global unicast space
11 Prefix is in client blacklist
12 Prefix not in IRRDB AS-SETs
13 Invalid prefix length
14 RPKI INVALID route
65535 Unknown

 

max-prefix recommendations

We recommend you set a max-prefix limit on your side of the route server BGP session. At the moment we suggest to allow 100'000 IPv4 prefixes and 40'000 IPv6 prefixes.

On our side we have also implemented a max-prefix limits on each peer. We use PeeringDB to calculate this max-prefix limit.

Configuration Examples

Here are some cookbook examples for configuring your Route Server sessions. (Parts in italics need to be adapted by you. Bear in mind, these are just basic examples.)

 

First, an example for Cisco:

! router bgp yourASNumber no bgp enforce-first-as neighbor 2001:7F8:24::FB remote-as 42476 neighbor 2001:7F8:24::FB description Peer Route Server 2 neighbor 2001:7F8:24::FC remote-as 42476 neighbor 2001:7F8:24::FC description Peer Route Server 1 neighbor 91.206.52.251 remote-as 42476 neighbor 91.206.52.251 description Peer Route Server 2 neighbor 91.206.52.252 remote-as 42476 neighbor 91.206.52.252 description Peer Route Server 1 ! address-family ipv4 no neighbor 2001:7F8:24::FB activate no neighbor 2001:7F8:24::FC activate neighbor 91.206.52.251 activate neighbor 91.206.52.251 prefix-list limit_my_outbound_v4_prefixes out neighbor 91.206.52.251 maximum-prefix 100000 restart 60 neighbor 91.206.52.252 activate neighbor 91.206.52.252 prefix-list limit_my_outbound_v4_prefixes out neighbor 91.206.52.252 maximum-prefix 100000 restart 60 exit-address-family ! address-family ipv6 neighbor 2001:7F8:24::FB activate neighbor 2001:7F8:24::FB prefix-list limit_my_outbound_v6_prefixes out neighbor 2001:7F8:24::FB maximum-prefix 40000 restart 60 neighbor 2001:7F8:24::FC activate neighbor 2001:7F8:24::FC prefix-list limit_my_outbound_v6_prefixes out neighbor 2001:7F8:24::FC maximum-prefix 40000 restart 60 exit-address-family !


And here a Juniper example:

protocols { bgp { group swissix-v4-peers { type external; local-address mySwissIXv4IP; export limit_my_outbound_v4_prefixes; remove-private; neighbor 91.206.52.251 { description "Peer Route Server 2"; family inet { unicast { prefix-limit { maximum 100000; teardown 75 idle-timeout 60; } } } peer-as 42476; } neighbor 91.206.52.252 { description "Peer Route Server 1"; family inet { unicast { prefix-limit { maximum 100000; teardown 75 idle-timeout 60; } } } peer-as 42476; } } group swissix-v6-peers { type external; local-address mySwissIXv6IP; export limit_my_outbound_v6_prefixes; remove-private; neighbor 2001:7f8:24::fb { description "Peer Route Server 2"; family inet6 { unicast { prefix-limit { maximum 40000; teardown 75 idle-timeout 60; } } } peer-as 42476; } neighbor 2001:7f8:24::fc { description "Peer Route Server 1"; family inet6 { unicast { prefix-limit { maximum 40000; teardown 75 idle-timeout 60; } } } peer-as 42476; } } } }