
A basic BGP lab

2024-12-20 Source: 化拓教育网

1. First, a quick review of the BGP route selection rules:

2. The lab topology is shown in the figure below:

Inter-device links use xy.1.1.x <---> xy.1.1.y/24, e.g. ar1--ar2: 12.1.1.1 <----> 12.1.1.2
Each device's loopback interface loop0 is x.x.x.x/32
Inside an AS, IBGP runs over OSPF or IS-IS and the sessions are built between loopbacks; EBGP sessions use the directly connected link addresses. (Here AS 100 uses OSPF and AS 400 uses IS-IS.)

3. Basic device configuration:

AR1 (three devices are listed below; the remaining devices are configured in the same way)

#
interface GigabitEthernet0/0/0
 ip address 12.1.1.1 255.255.255.0 
#
interface GigabitEthernet0/0/1
 ip address 13.1.1.1 255.255.255.0 
#
interface GigabitEthernet0/0/2
 ip address 10.0.0.1 255.255.255.0 
#
interface NULL0
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255 
#
bgp 100
 peer 2.2.2.2 as-number 100 
 peer 2.2.2.2 connect-interface LoopBack0
 peer 3.3.3.3 as-number 100 
 peer 3.3.3.3 connect-interface LoopBack0
 #                                        
 ipv4-family unicast
  undo synchronization
  network 10.0.0.0 255.255.255.0 
  peer 2.2.2.2 enable
  peer 3.3.3.3 enable
#
ospf 1 router-id 1.1.1.1 
 area 0.0.0.0 
  network 1.1.1.1 0.0.0.0 
  network 12.1.1.1 0.0.0.0 
  network 13.1.1.1 0.0.0.0 
#

AR3

#
interface GigabitEthernet0/0/0
 ip address 34.1.1.3 255.255.255.0 
#
interface GigabitEthernet0/0/1
 ip address 13.1.1.3 255.255.255.0 
#
interface GigabitEthernet0/0/2
 ip address 23.1.1.3 255.255.255.128 
#
interface NULL0
#
interface LoopBack0
 ip address 3.3.3.3 255.255.255.255 
#
bgp 100
 peer 1.1.1.1 as-number 100 
 peer 1.1.1.1 connect-interface LoopBack0
 peer 2.2.2.2 as-number 100 
 peer 2.2.2.2 connect-interface LoopBack0
 peer 34.1.1.4 as-number 200              
 #
 ipv4-family unicast
  undo synchronization
  peer 1.1.1.1 enable
  peer 2.2.2.2 enable
  peer 34.1.1.4 enable
#
ospf 1 router-id 3.3.3.3 
 area 0.0.0.0 
  network 3.3.3.3 0.0.0.0 
  network 13.1.1.3 0.0.0.0 
  network 23.1.1.3 0.0.0.0 
#

AR7

#
isis 1
 network-entity 49.0000.0000.0007.00
#
interface GigabitEthernet0/0/0
 ip address 67.1.1.7 255.255.255.0 
 isis enable 1
#
interface GigabitEthernet0/0/1
 ip address 10.0.1.1 255.255.255.0 
#
interface GigabitEthernet0/0/2
 ip address 47.1.1.7 255.255.255.0 
#
interface GigabitEthernet1/0/0
#
interface NULL0
#
interface LoopBack0
 ip address 7.7.7.7 255.255.255.255 
 isis enable 1                            
#
bgp 400
 peer 6.6.6.6 as-number 400 
 peer 6.6.6.6 connect-interface LoopBack0
 peer 47.1.1.4 as-number 200 
 #
 ipv4-family unicast
  undo synchronization
  network 10.0.1.0 255.255.255.0 
  peer 6.6.6.6 enable
  peer 47.1.1.4 enable
#

3.1 Using next-hop-local

After all devices are configured, R1's BGP table shows the service prefixes behind R7 and R8 (10.0.1.0/24 and 10.0.2.0/24) being learned, but their NextHop is the EBGP link address on 34.1.1.0/24 or 24.1.1.0/24. Those link subnets are not advertised into the AS 100 IGP, so the next hop is unreachable from R1 and, by selection rule 1, the route is not valid and never enters the IP routing table (note the missing `*` in the output below). The fix is to add `peer 1.1.1.1 next-hop-local` on R2 and R3 so that each border router rewrites the next hop to its own loopback, an address R1 can reach through OSPF. In practice configure next-hop-local toward every IBGP peer (or a peer group) on each border router, not only toward R1; the alternative of advertising the EBGP link subnets into the IGP also works, but leaks the external link addresses into the IGP.

<R1>dis bgp routing-table   

 BGP Local router ID is 12.1.1.1 
 Status codes: * - valid, > - best, d - damped,
               h - history,  i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete


 Total Number of Routes: 5
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn

 *>   10.0.0.0/24        0.0.0.0         0                     0      i
   i  10.0.1.0/24        34.1.1.4                   100        0      200 400i
   i                     24.1.1.4                   100        0      200 400i
   i  10.0.2.0/24        34.1.1.4                   100        0      200 400 500i
   i                     24.1.1.4                   100        0      200 400 500i

After the change the routes become valid. All the earlier selection rules tie (same AS_Path, Local_Pref, Origin and MED, both IBGP, equal IGP cost to the next hop), so the tie-break falls to the router ID, and R2, which has the lower one, is preferred.

<R1>dis bgp routing-table

 BGP Local router ID is 12.1.1.1 
 Status codes: * - valid, > - best, d - damped,
               h - history,  i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete


 Total Number of Routes: 5
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn

 *>   10.0.0.0/24        0.0.0.0         0                     0      i
 *>i  10.0.1.0/24        2.2.2.2                    100        0      200 400i
 * i                     3.3.3.3                    100        0      200 400i
 *>i  10.0.2.0/24        2.2.2.2                    100        0      200 400 500i
 * i                     3.3.3.3                    100        0      200 400 500i
<R1>

3.2 Next, use the Local_Pref attribute to influence the path out of the AS: make R1 use R3 as the exit for 10.0.2.0/24. Configure this on R2.

#Add a route policy that matches 10.0.2.0/24 and lowers local-preference (default 100; a higher value is preferred)
route-policy 10 permit node 10 
 if-match ip-prefix 10 
 apply local-preference 50 
#
route-policy 10 permit node 20 
#
ip ip-prefix 10 index 10 permit 10.0.2.0 24
#
Apply it inbound on neighbour 24.1.1.4
bgp 100
 peer 24.1.1.4 route-policy 10 import

In R1's BGP table the route received from R2 now carries LocPrf 50, so the path via R3 is preferred. Local_Pref is only carried between IBGP peers, so this decision is confined to AS 100; R2 itself also prefers the path through R3.

<R1>dis bgp routing-table

 BGP Local router ID is 12.1.1.1 
 Status codes: * - valid, > - best, d - damped,
               h - history,  i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete


 Total Number of Routes: 5
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn

 *>   10.0.0.0/24        0.0.0.0         0                     0      i
 *>i  10.0.1.0/24        2.2.2.2                    100        0      200 400i
 * i                     3.3.3.3                    100        0      200 400i
 *>i  10.0.2.0/24        3.3.3.3                    100        0      200 400 500i
 * i                     2.2.2.2                    50         0      200 400 500i

3.3 Use MED to influence the path into the AS. The forward and return paths between R1 and R7 differ: R1 reaches R7 via R2, R4 and R6 (R4 selected R6's advertisement of 10.0.1.0/24 even though R7 is directly connected to it), while R7 returns via R4 and R2. The forward path is not optimal, and the fix is made on R6 so that AS 400 tells AS 200 which entry point it prefers.

<R1>tracert -a 10.0.0.1 10.0.1.1
 traceroute to  10.0.1.1(10.0.1.1), max hops: 30 ,packet length: 40,press CTRL_C to break 
 1 12.1.1.2 30 ms  30 ms  20 ms 
 2 24.1.1.4 30 ms  30 ms  10 ms 
 3 46.1.1.6 30 ms  30 ms  20 ms 
 4 67.1.1.7 30 ms  30 ms  50 ms 
<R7>tracert -a 10.0.1.1 10.0.0.1
 traceroute to  10.0.0.1(10.0.0.1), max hops: 30 ,packet length: 40,press CTRL_C to break 
 1 47.1.1.4 40 ms  20 ms  20 ms 
 2 24.1.1.2 30 ms  30 ms  40 ms 
 3 12.1.1.1 40 ms  40 ms  30 ms

Configuration

#Configure the route policy (apply cost sets the MED) and apply it outbound toward R4
route-policy MED permit node 10 
 if-match ip-prefix 10 
 apply cost 100 
#
route-policy MED permit node 20 
#
ip ip-prefix 10 index 10 permit 10.0.1.0 24

bgp 400
  peer 46.1.1.4 route-policy MED export

#Check R4's BGP table: both advertisements of 10.0.1.0/24 come from AS 400, so their MEDs are compared and the lower one (R7's, 0) wins. MED is compared only between routes from the same neighbouring AS unless compare-different-as-med is configured.
<R4>dis bgp routing-table

 BGP Local router ID is 34.1.1.4 
 Status codes: * - valid, > - best, d - damped,
               h - history,  i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete


 Total Number of Routes: 5
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn

 *>   10.0.0.0/24        24.1.1.2                              0      100i
 *                       34.1.1.3                              0      100i
 *>   10.0.1.0/24        47.1.1.7        0                     0      400i
 *                       46.1.1.6        100                   0      400i
 *>   10.0.2.0/24        46.1.1.6                              0      400 500i

#Test from R1: the forward path now goes straight from R4 to R7
<R1>tracert -a 10.0.0.1 10.0.1.1
 traceroute to  10.0.1.1(10.0.1.1), max hops: 30 ,packet length: 40,press CTRL_C to break 
 1 12.1.1.2 30 ms  10 ms  10 ms 
 2 24.1.1.4 20 ms  20 ms  20 ms 
 3 47.1.1.7 30 ms  40 ms  10 ms 
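The behaviour of sections 3.1 to 3.3 (and the load-balancing step that 3.7 turns on) can be checked against a small model of the VRP best-path selection order. This Python example is added here and is not part of the original lab: the Route class, the select function and the router IDs assumed for R2 and R3 (2.2.2.2 and 3.3.3.3; the lab output only shows that R2's is the smaller) are constructed for illustration, and the candidate lists mirror the dis bgp routing-table output above.

```python
"""Added example, not part of the original lab write-up: a minimal model of
the BGP best-path selection order used on Huawei VRP, run over candidate
routes constructed to match the 'dis bgp routing-table' output in sections
3.1 to 3.3.  Router IDs for R2/R3 (2.2.2.2 / 3.3.3.3) are an assumption."""
from dataclasses import dataclass

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}          # IGP < EGP < incomplete


@dataclass
class Route:
    prefix: str
    next_hop: str
    as_path: tuple               # e.g. (200, 400); () for locally originated
    origin: str = "i"
    pref_val: int = 0            # VRP-specific, highest wins
    local_pref: int = 100        # highest wins, IBGP only
    med: int = 0                 # lowest wins; absent MED counts as 0
    local: bool = False          # originated by 'network' on this router
    ebgp: bool = False           # learned from an EBGP peer
    igp_cost: int = 0            # IGP metric to next_hop
    router_id: str = "0.0.0.0"   # router ID of the advertising peer
    peer_addr: str = "0.0.0.0"


def ip_key(addr):
    return tuple(int(o) for o in addr.split("."))


def narrow(cands, key, highest=False):
    """Keep only the candidates whose key is the best (lowest by default)."""
    best = (max if highest else min)(key(r) for r in cands)
    return [r for r in cands if key(r) == best]


def select(routes, reachable, load_balancing=1):
    """Return the selected next hop(s) as a list.

    VRP ordering: unreachable next hop discarded, PrefVal, Local_Pref,
    locally originated, AS_Path length, Origin, MED, EBGP over IBGP, IGP
    metric, (optional load balancing), router ID, peer address.  AIGP and
    Cluster_List are omitted because the lab never sets them."""
    # Rule 1: a route whose next hop is not in the IP routing table is not
    # a candidate at all (this is why 3.1 needs next-hop-local).
    cands = [r for r in routes if r.next_hop in reachable]
    if not cands:
        return []
    cands = narrow(cands, lambda r: r.pref_val, highest=True)
    cands = narrow(cands, lambda r: r.local_pref, highest=True)
    cands = narrow(cands, lambda r: 0 if r.local else 1)
    cands = narrow(cands, lambda r: len(r.as_path))
    cands = narrow(cands, lambda r: ORIGIN_RANK[r.origin])
    # MED is compared only between routes from the same neighbouring AS
    # unless 'compare-different-as-med' is configured.
    if len({r.as_path[:1] for r in cands}) == 1:
        cands = narrow(cands, lambda r: r.med)
    cands = narrow(cands, lambda r: 0 if r.ebgp else 1)
    cands = narrow(cands, lambda r: r.igp_cost)
    if len(cands) > 1 and load_balancing > 1:
        # 'maximum load-balancing' (3.7) installs up to N of the tied routes.
        return [r.next_hop for r in cands[:load_balancing]]
    cands = narrow(cands, lambda r: ip_key(r.router_id))
    cands = narrow(cands, lambda r: ip_key(r.peer_addr))
    return [cands[0].next_hop]


def lab_cases():
    """Candidate sets constructed from the lab's routing-table output."""
    r1_igp = {"0.0.0.0", "2.2.2.2", "3.3.3.3"}   # what R1's OSPF can reach
    via_r2 = dict(as_path=(200, 400), router_id="2.2.2.2", peer_addr="2.2.2.2")
    via_r3 = dict(as_path=(200, 400), router_id="3.3.3.3", peer_addr="3.3.3.3")
    return {
        # 3.1 before next-hop-local: the EBGP link addresses are not in OSPF
        "3.1 before": select([Route("10.0.1.0/24", "34.1.1.4", (200, 400)),
                              Route("10.0.1.0/24", "24.1.1.4", (200, 400))], r1_igp),
        # 3.1 after: everything ties, the lower router ID (R2) wins
        "3.1 after": select([Route("10.0.1.0/24", "3.3.3.3", **via_r3),
                             Route("10.0.1.0/24", "2.2.2.2", **via_r2)], r1_igp),
        # 3.2: R2 lowers Local_Pref to 50, so the R3 path wins
        "3.2": select([Route("10.0.2.0/24", "2.2.2.2", (200, 400, 500), local_pref=50,
                             router_id="2.2.2.2", peer_addr="2.2.2.2"),
                       Route("10.0.2.0/24", "3.3.3.3", (200, 400, 500),
                             router_id="3.3.3.3", peer_addr="3.3.3.3")], r1_igp),
        # 3.3 on R4: both paths are EBGP from AS 400, the lower MED (R7) wins
        "3.3": select([Route("10.0.1.0/24", "46.1.1.6", (400,), med=100, ebgp=True),
                       Route("10.0.1.0/24", "47.1.1.7", (400,), med=0, ebgp=True)],
                      {"46.1.1.6", "47.1.1.7"}),
        # 3.7: with 'maximum load-balancing ibgp 2' the tie is kept
        "3.7": select([Route("10.0.4.0/24", "2.2.2.2", **via_r2),
                       Route("10.0.4.0/24", "3.3.3.3", **via_r3)], r1_igp,
                      load_balancing=2),
    }


if __name__ == "__main__":
    for name, hops in lab_cases().items():
        print(f"{name:12s} -> {hops or 'no valid route'}")
```

Running it prints the next hops the lab output shows for each case; changing a local_pref, med or router_id value shows which rule decides.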

3.4 Using community attributes. Two prefixes, 10.0.3.0/24 and 10.0.4.0/24, are added on R8; the requirement is that 10.0.3.0/24 must not be reachable from AS 100, AS 200 or AS 300. Configure this on R8.

Add two Loopback interfaces and advertise them with network under bgp 500
LoopBack1                         10.0.3.1/24          up         up(s)     
LoopBack2                         10.0.4.1/24          up         up(s)    

bgp 500
  network 10.0.3.0 255.255.255.0 
  network 10.0.4.0 255.255.255.0
#Check the routes on R1
 *>   10.0.0.0/24        0.0.0.0         0                     0      i
 *>i  10.0.1.0/24        2.2.2.2                    100        0      200 400i
 * i                     3.3.3.3                    100        0      200 400i
 *>i  10.0.2.0/24        3.3.3.3                    100        0      200 400 500i
 * i                     2.2.2.2                    50         0      200 400 500i
 *>i  10.0.3.0/24        2.2.2.2                    100        0      200 400 500i
 * i                     3.3.3.3                    100        0      200 400 500i
 *>i  10.0.4.0/24        2.2.2.2                    100        0      200 400 500i
 * i                     3.3.3.3                    100        0      200 400 500i

On R8, attach the community no-advertise to 10.0.3.0/24 and apply the policy outbound toward 68.1.1.6. Remember `peer 68.1.1.6 advertise-community`: VRP does not send community attributes to a peer unless this is configured, and without it the policy has no effect. Once configured, only R6 receives 10.0.3.0/24; no other router does, because no-advertise stops R6 from advertising the route to any peer at all, including its IBGP peer R7 inside AS 400. If AS 400 itself should still see the prefix, use no-export instead: it lets R6 pass the route to R7 but not to any EBGP peer.

#
route-policy COMM permit node 10 
 if-match ip-prefix 10 
 apply community no-advertise 
#
route-policy COMM permit node 20 
#
ip ip-prefix 10 index 10 permit 10.0.3.0 24
bgp 500 
  peer 68.1.1.6 route-policy COMM export
  peer 68.1.1.6 advertise-community
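To make the difference between no-advertise and no-export concrete, here is an added Python example (not part of the original lab) of the decision a speaker such as R6 makes for each of its peers when a received route carries well-known communities. The peer table and the helper names (may_advertise, r6_forwarding) are constructed for this illustration; the community values are the standard ones from RFC 1997.

```python
"""Added example, not from the original lab: how a BGP speaker decides
whether a route carrying well-known communities may be advertised to a
given peer, applied to what R6 does with 10.0.3.0/24 received from R8."""

NO_EXPORT, NO_ADVERTISE, NO_EXPORT_SUBCONFED = 0xFFFFFF01, 0xFFFFFF02, 0xFFFFFF03
NAMES = {"no-export": NO_EXPORT, "no-advertise": NO_ADVERTISE,
         "no-export-subconfed": NO_EXPORT_SUBCONFED}


def parse_community(text):
    """Return the 32-bit value for a VRP community spelling: a well-known
    name, 'AA:NN', or a plain integer as printed by the router."""
    if text in NAMES:
        return NAMES[text]
    if ":" in text:
        aa, nn = (int(p) for p in text.split(":", 1))
        if not (0 <= aa <= 0xFFFF and 0 <= nn <= 0xFFFF):
            raise ValueError(f"community out of range: {text}")
        return (aa << 16) | nn
    value = int(text)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"community out of range: {text}")
    return value


def may_advertise(communities, peer_kind):
    """Well-known community semantics (RFC 1997) for one peer.

    peer_kind is 'ibgp', 'ebgp' or 'confed-ebgp' (EBGP to another member
    AS of the same confederation)."""
    comms = {parse_community(c) for c in communities}
    if NO_ADVERTISE in comms:
        return False                     # to nobody, IBGP peers included
    if NO_EXPORT_SUBCONFED in comms and peer_kind != "ibgp":
        return False                     # not even to other member ASes
    if NO_EXPORT in comms and peer_kind == "ebgp":
        return False                     # stays inside the AS/confederation
    return True


# R6's peers other than R8, which originated the route (constructed from the
# lab: 7.7.7.7 is the IBGP peer in AS 400, 46.1.1.4 the EBGP peer in AS 200).
R6_PEERS = {"7.7.7.7": "ibgp", "46.1.1.4": "ebgp"}


def r6_forwarding(r8_community=None, r8_sends_community=True):
    """Which of R6's peers receive 10.0.3.0/24, given the community R8
    attached and whether R8 has 'peer 68.1.1.6 advertise-community'."""
    received = [r8_community] if (r8_community and r8_sends_community) else []
    return {peer: may_advertise(received, kind) for peer, kind in R6_PEERS.items()}


if __name__ == "__main__":
    for comm, sent in [("no-advertise", True), ("no-export", True),
                       ("no-advertise", False), (None, True)]:
        print(comm, "sent" if sent else "stripped", r6_forwarding(comm, sent))
```

The third case is the mistake the text warns about: without advertise-community the attribute never leaves R8, so R6 forwards the prefix everywhere.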

3.5 AS_Path filter: on R5, filter out the routes that come from AS 100 and AS 400. Configure this on R5.

#
bgp 300
peer 45.1.1.4 as-path-filter 10 import 
#
ip as-path-filter 10 deny _100|400$
ip as-path-filter 10 permit .*

#Check R5's routing table: the routes with AS 100 in the path and those ending in AS 400 are gone. Note what the regex actually matches: `_100` matches 100 anywhere in the path (and also the start of 1000, 1001, ...), while `400$` matches any path ending in 400 (including 1400 or 2400); `_100_|_400$` is the precise form. An as-path-filter denies anything that matches no rule, so the final `permit .*` is required.
 *>   10.0.2.0/24        45.1.1.4                              0      200 400 500i
 *>   10.0.4.0/24        45.1.1.4                              0      200 400 500i
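The following added Python example (not from the original page) evaluates VRP-style as-path-filter rules against AS_PATH strings, translating the VRP `_` metacharacter into a Python regex, and compares the lab's pattern with the tighter `_100_|_400$`. The sample paths are constructed: the first four are what R5 receives from R4, the last two assume hypothetical neighbours of R4 in AS 1000 and AS 1400.

```python
"""Added example, not from the original lab: evaluate a VRP-style
'ip as-path-filter' against AS_PATH strings and show where the lab's loose
pattern and a tightened pattern disagree."""
import re

# In VRP as-path regexes '_' matches the start or end of the string, a
# space, a comma, or a brace/parenthesis (AS_SET / confederation delimiters).
_UNDERSCORE = r"(?:^|$|[ ,{}()])"


def vrp_regex(pattern):
    """Compile a VRP as-path regex as a Python regex."""
    return re.compile(pattern.replace("_", _UNDERSCORE))


def as_path_filter(rules, as_path):
    """rules: ordered list of (action, pattern) as in 'ip as-path-filter N'.
    Returns 'permit' or 'deny'; an AS_PATH matching no rule is denied,
    which is why the lab ends the filter with 'permit .*'."""
    for action, pattern in rules:
        if vrp_regex(pattern).search(as_path):
            return action
    return "deny"


# The lab's filter and a tightened version of it.
LOOSE = [("deny", "_100|400$"), ("permit", ".*")]
TIGHT = [("deny", "_100_|_400$"), ("permit", ".*")]

# Constructed AS_PATH strings as R5 sees them from R4 (AS 200); the last
# two assume hypothetical neighbours of R4 in AS 1000 and AS 1400.
SAMPLE_PATHS = ["200 100", "200 400", "200 400 500", "200", "200 1000", "200 1400"]


def compare(paths=SAMPLE_PATHS):
    """Map each path to (loose verdict, tight verdict)."""
    return {p: (as_path_filter(LOOSE, p), as_path_filter(TIGHT, p)) for p in paths}


if __name__ == "__main__":
    for path, (loose, tight) in compare().items():
        flag = "" if loose == tight else "   <- differs"
        print(f"{path:14s} loose={loose:6s} tight={tight:6s}{flag}")
```

On the lab's four real paths both filters agree, which is why the loose pattern looked correct; the two hypothetical paths show it also drops prefixes from AS 1000 and AS 1400.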

3.6 Advertise a default route to R5; configure this on R4. `peer x.x.x.x default-route-advertise` sends a default route to the peer (or peer group). The route is generated for that peer with R4 as next hop and is sent whether or not R4 has a default route in its own routing table, so R5 will forward R4 anything it has no more specific route for.

peer 45.1.1.5 default-route-advertise
Check R5's BGP table: a default route has appeared


 *>   0.0.0.0            45.1.1.4        0                     0      200i
 *>   10.0.2.0/24        45.1.1.4                              0      200 400 500i
 *>   10.0.4.0/24        45.1.1.4                              0      200 400 500i

3.7 Load balancing: enable it on R1. Only routes that tie on every attribute up to the IGP metric are balanced, so 10.0.4.0/24 qualifies while 10.0.2.0/24 (different Local_Pref after 3.2) does not.

#Before enabling: the routing-table entry for 10.0.4.1
 [R1-bgp]dis ip routing-table 10.0.4.1     
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : Public
Summary Count : 1
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

       10.0.4.0/24  IBGP    255  0          RD   2.2.2.2         GigabitEthernet0/0/0
#Enable
bgp 100
maximum load-balancing ibgp 2
#Routing table after enabling: both IBGP next hops are installed
10.0.4.0/24  IBGP    255  0          RD   2.2.2.2         GigabitEthernet0/0/0
                    IBGP    255  0          RD   3.3.3.3         GigabitEthernet0/0/1

3.8 Authentication: add MD5 authentication within AS 100.

R1, R2 and R3 must each configure it toward the other two; the password must be identical at both ends of a session, and changing it tears the session down and re-establishes it. R1's configuration is shown below (cipher only controls how the password is stored in the configuration; on the wire this is the TCP MD5 signature option of RFC 2385):
peer 3.3.3.3 password cipher huawei
peer 2.2.2.2 password cipher huawei

3.9 GTSM: enable GTSM on R6 and R8 (to defend against spoofed BGP packets from hosts that are not directly connected).

#Both ends must be configured at the same time. If only R6 has GTSM, R8 keeps sending with the default EBGP TTL of 1, R6 discards those packets as failing the TTL check, and the session drops with Hold Timer Expired:
Apr 13 2018 23:08:40-08:00 R6 %%01BGP/3/STATE_CHG_UPDOWN(l)[0]:The status of the peer 68.1.1.8 changed from ESTABLISHED to IDLE. (InstanceName=Public, StateChangeReason=Hold Timer Expired)
#R6
bgp 400
peer 68.1.1.8 valid-ttl-hops 1 
#R8
bgp 500 
peer 68.1.1.6 valid-ttl-hops 1
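The one-sided failure above follows directly from how GTSM works, and the added Python example below (not part of the original lab) models both ends of the R6-R8 session. It assumes the RFC 5082 behaviour that VRP implements: a GTSM-enabled speaker sends with TTL 255, a speaker without GTSM sends with the default EBGP TTL of 1, and `valid-ttl-hops N` accepts only TTL values in [255 - N + 1, 255]. The function names are constructed for this illustration.

```python
"""Added example, not from the original lab: a model of the GTSM check
('peer ... valid-ttl-hops') on both ends of the R6-R8 session, showing why
one-sided configuration ends in 'Hold Timer Expired' and what a remote
spoofer can and cannot do.  TTL behaviour per RFC 5082."""


def sent_ttl(gtsm_enabled):
    """TTL a directly connected EBGP speaker puts in its packets:
    255 with GTSM, otherwise the default EBGP TTL of 1."""
    return 255 if gtsm_enabled else 1


def gtsm_accepts(received_ttl, valid_hops):
    """TTL must lie in [255 - hops + 1, 255].  With valid-ttl-hops 1 only
    TTL 255 passes, i.e. a packet that was never forwarded by a router."""
    return 255 - valid_hops + 1 <= received_ttl <= 255


def session_outcome(r6_gtsm, r8_gtsm, hops=1):
    """A side with GTSM discards packets that fail the check; a side
    without GTSM accepts any TTL that still arrives.  If either side stops
    accepting the other's KEEPALIVEs its hold timer expires."""
    r6_accepts_r8 = gtsm_accepts(sent_ttl(r8_gtsm), hops) if r6_gtsm else True
    r8_accepts_r6 = gtsm_accepts(sent_ttl(r6_gtsm), hops) if r8_gtsm else True
    return "established" if r6_accepts_r8 and r8_accepts_r6 else "hold timer expired"


def spoof_attempt(attacker_distance_hops, valid_hops=1):
    """An attacker can send TTL 255 at most; every router on the way
    decrements it, so the packet arrives with 255 - distance.  Returns
    whether the GTSM-enabled peer would accept it."""
    return gtsm_accepts(255 - attacker_distance_hops, valid_hops)


if __name__ == "__main__":
    for r6, r8 in [(False, False), (True, True), (True, False), (False, True)]:
        print(f"R6 gtsm={r6!s:5s} R8 gtsm={r8!s:5s} -> {session_outcome(r6, r8)}")
    for d in (0, 1, 3):
        print(f"spoofed packet from {d} router(s) away accepted: {spoof_attempt(d)}")
```

GTSM rejects only packets that have been forwarded: an attacker on the same link as the peer can still send TTL 255, which is why it is combined with the MD5 authentication from 3.8 rather than used on its own.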