CCIE学习笔记——BGP

Transcription

1 CCIE 学习笔记 BGP( 文档 + 实验 ) Editor:Edison shilianwang@sohu.com QQ: 如有疏漏之处请不吝赐教如有转载请注明作者及出处 耗时一个多礼拜, 终于 BGP 整理完毕,BGP 之庞大, 查了很多资料, 才完成这个笔记 实力有限, 包涵 BGP 还有很多更细的内容, 需要大家自己去研究, 还是多看书, 多实验, 多问, 多想 感谢 56CTO, 让我们这些学 cisco 的有了藏身之地, 感谢尾巴, 感谢小孩子 ( 及时指正我的错误 ) 还有,blog 地址更改为 易么我 ^_^ 金融这么危机, 我还跑去银行代款注册域名, 我容 参考资料 : <<IP 路由协议疑难解析 >> << 房智勇 CCIE-BGP 学习笔记 >> <<TCP/IP 路由技术 卷二 >> <<IEWB 实验手册 >> <<BGP 命令与配置手册 >>

2 一. 什么是 BGP 路由协议按照内部和外部, 可以分为内部网关协议 (IGP) 和外部网关协议 (EGP) 内部网关协议 : 用于在 AS 内部交换路由信息, 典型的有 RIP EIGRP OSPF ISIS( 目前 R&S 已不考 ) 外部网关协议 : 用于连接不同 AS 的路由选择协议, 典型的是 BGP-4( 版本 4, 以下简称为 BGP) BGP 是一种路径矢量协议, 用于传输自治系统之间的路由信息,BGP 在启动的时候传播整张路由表, 以后只传播网络变化的部分, 触发更新 采用 TCP 连接传送信息, 端口号为 179 BGP 因为使用 TCP, 所以显然就会具有可靠的传送机制,TCP 可以提供滑动窗口机制, 使得 BGP 可以不断发送分组, 不用像 OSPF 或 EIGRP 那样停止发送等待确认 当 BGP 运行在一个 AS 内的时候, 被称为内部 BGP(IBGP), 当 BGP 运行在 AS 之间的时候, 称为外部 BGP(EBGP) BGP 支持 :VLSM 和 CIDR AS 的经典定义 : 一组被统一管理的路由器, 它们使用相同的内部网关协议和统一的度量值来决定如何在 AS 内部路由分组, 并使用 AS 间路由协议来决定如何分组路由到其他 AS AS 号码的范围 :1~65535 其中 64512~65535 为私有 AS, 后面的联邦配置将会用到这些私有 AS, 私有的概念与私有 IP 地址类似 BGP 是一种 policy-based routing, 它让 AS 能够根据多种 BGP 属性来控制数据流的传输 使用 BGP 一般有如下情况 : 1. 一个 AS 允许包穿越, 到达其它 AS 2. 一个 AS 连接多个 AS 3. 必须对数据流进入和离开 AS 进行控制 不使用 BGP 的情况 : 1. AS 只有一个出口 2. 路由器性能不高, 内存小,CPU 较慢, 带宽不大 3. 对路由过滤和 BGP 路径选择过程的了解有限 (cisco 又说了句废话 ) BGP 看不到 AS 域内的拓扑结构,BGP 只能看到 AS 树, 而 IGP 只能看到 AS 内拓扑结构 二.BGP 的消息类型 BGP 定义了四中消息类型 : 1. Open 路由器之间建立 TCP 连接之后, 双方开始发 open( 这里包含自己的信息以及运行 BGP 的参数 ), 若收到的 open 没问题, 则发送 keepalive, 用来确认 open

3 版本 :8 位, 指明发送者所使用的 BGP 版本号, 缺省为 4, 可通过 nei ver 修改, 若双方版本号不同, 路由器将自动降低版本号并重新发送 open 消息, 直到版本号一致 AS 号 :16 位, 用来确认 EBGP 还是 IBGP 保持时间 :16 位,cisco 默认 180 秒, 表示自己必须收到一个 keepalive 或者更新之前所允许等待的最大时间 BGP ID:32 位, 概念同 OSPF Router-id, 选最大环回口, 若无, 选择最大活动物理接口 ; 可手工配置 可选参数 : 比如会话身份验证, 多协议支持 2. Keepalive 用来确认 OPEN 消息及维持链路状态, 默认 60 秒一次或为保持时间的 1/3 3. Update Update 消息只包含一条路径的信息, 也就是说, 多条路径需要多个 update 撤消路径 (withdrawn routes): 描述已经变成不可达并要撤消的路由 路径属性 (path attributes): 为 BGP 提供了选择最短路径, 检查到路由环路以及决定路由策略的信息 NLRI: 公布可以通过该路径到达的 IP 地址前缀 4. Notification 一旦检测到错误, 就会发送 notification, 通常导致 BGP 连接终止, 列如使用 notification 进行 BGP 版本协商 三.BGP 的邻居关系运行 BGP 的路由器, 被称为 BGP 发言者 (speaker) BGP 对等体 =BGP 邻居 ( 通过 TCP 建立邻接关系, 并开始交换路由信息的两个 speaker) 邻居关系 ( 内部 ) 不要求必须直连, 只要 TCP 可达就行

4 1. 外部 BGP 邻居 运行在不同 AS 之间的 EBGP 邻居关系, 必须要求直连 2. 内部 BGP 邻居 运行在同一 AS 内部的 IBGP 邻居关系, 不要求直连, 只要可建立 TCP 连接 四.BGP 的有限状态机 IE 描述 1 BGP 开始 2 BGP 结束

5 3 BGP 传输连接打开 4 BGP 传输连接终止 5 BGP 传输连接打开失败 6 BGP 传输致命差错 7 重试连接计时器超时 8 持续时间终止 9 Keepalive 计时器终止 10 收到 Open 消息 11 收到 Keepalive 消息 12 收到 Update 消息 13 收到 Notification 消息 Idle State 1. BGP 通常以 Idle State 开始 ( 此时拒绝接收所有入连接 ) 当一个开始事件出现,BGP 过程初始化所有 BGP 资源打开重试连接 (ConnectRetry) 计时器, 初始化到邻居的 TCP 连接, 接听来自邻居的 TCP 初始化消息并将它的状态转到 Connect 状态 2. 开始事件是由一个操作者配置一个 BGP 过程, 或者重置一个已经存在的过程或者路由器软件重置 BGP 过程引起 3. 一个差错的出现会将 BGP 过程的状态转为 Idle. 路由器可能会试图发起另外一个开始事件. 为了防止在持续差错条件下导致的摆动, 在第一次转回到空闲状态后, 路由器会自动开启重试连接计时器, 当计时器终止后, 路由器就会放弃重新开始 BGP. 重试计时器第一次的时间为 60s, 下一次为前一次的 2 倍 120s, 成指数形式增加 Connect State 此状态下 BGP 过程会等到 TCP 连接完成以后再决定后续的动作 1. 如果 TCP 连接建立成功,BGP 连接将 ConnectRetry 清零, 完成初始化并给邻居发送一个 Open 消息, 转移到 Open 状态 2. 如果 TCP 连接建立失败,BGP 继续监听由邻居发起的连接, 重置 ConnectRetry 计时器并转移到 Active 状态 3. 如果在连接状态下,ConnectRetry 超时, 计时器将重新开始, 并再一次试图与邻居建立 TCP 连接,BGP 保持 Connect 状态, 此时如果有任何其他输入事件, 转入 Idle 状态 Active State 在此状态,BGP 过程试图与邻居建立一个 TCP 连接 1. 如果连接成功,BGP 过程将 ConnectRetry 计时器清零, 完成初始化, 给邻居发送一个 Open 消息并转移到发送 Open 消息状态,Hold 计时器设置为 4mins 2. 如果在激活状态,ConnectRelay 计时器超时, 将回到 ConnectState 并且重置 ConnectRelay 计时器. 也发起一个到对等的 TCP 连接并继续监听来自对等体的连接 3. 如果邻居试图与一个未知 IP 建立 TCP 会话, 同时 ConnectRelay 计时器重置, 连接被拒绝并保持在 Active 状态 4. 任何一个事件 ( 除开始事件 ) 都回导致状态转向 idle Open send State 在此状态下, 已经发送了 Open 消息,BGP 等待邻居发来的 Open 消息 1. 当收到一个 Open 消息, 如果发现差错, 将给邻居发一个 Notification 消息并转入 Idle 状态

6 2. 如果收到的 Open 消息没有差错, 将给邻居发送一个 Keepalive 消息并将 Keepalive 计时器清零, 此时协商一个较短的 holdtime, 如果为 0, 则没有启动 Hold 和 keepalive 计时器, 根据 AS 号选择 IBGP 或者 EBGP, 同时将状态转移到 OpenConfirm 状态 3. 如果收到一个 TCP 断开消息, 本地断开 BGP 连接, 重置 ConnectRetry 计时器, 并转入 Active 状态 Open Confirm State 此状态下 BGP 会等待一个 Keepalive 消息或者 Notification 消息 1. 如果收到一个 Keepalive 消息, 转移到 Establish 状态 2. 如果收到一个 Notification 消息, 转入 Idle 状态, 并断开 TCP 连接 3. 如果 Hold 计时器超时, 检测到一个差错或出现 stop 事件,BGP 将给邻居发送一个 Notification 并断开连接转入 Idle 状态 Establish State 此状态下,BGP 对等体间的连接已经完全建立, 可以交换 Update Keepalive 和 Notification 消息, 如果收到 Notification 自动转入 Idle, 并中断连接 五.BGP 的属性 BGP 路径属性分为 4 类 : 1. 公认强制 所有的 BGP 路由器必须识别 2. 公认可遵 所有 BGP 路由器都能识别, 但不一定需要 3. 可选传递 不是所有 BGP 路由器都能识别, 但所有 BGP 路由器都能传递 4. 可选非传递 不是所有 BGP 路由器都能识别, 不能识别的 BGP 路由器则丢弃 常用 BGP 属性 : 1. Local_pref 属性 : 本地优先级属性是 BGP 更新分组中的一个 32 位非负整数值, 表示在一个 AS 内部, 选择哪个路由器出本 AS, 越大越优先, 该属性仅在本地 AS 有用, 在本 AS 之外没有任何意义, 仅影响来自一个 AS 的出站流量, 它只向 IBGP 邻居传播 ( 默认 100) 上图中, 将选择 A 路由器为出口 2. MED 属性 :

7 定义了一个在同一 AS 的多个出口点之间做出选择的方法,MED 是 BGP 的非传递属性, 即如果 MED 是从 EBGP 邻居收到, 那么它将发往 IBGP 邻居, 而不传播给其他的 EBGP 邻居 选择较低的 MED,cisco 默认只比较来自同一 AS 的 MED, 为了在来自不同 AS 的更新之间比较 MED, 可以加上命令 bgp always-compare-med 3. AS_PATH 属性 : BGP 更新必须携带的一个强制属性, 而且只有当 BGP 更新被送到 EBGP 邻居时它才会被改变, 它描述了一个路由传递过程中经过哪些 AS( 不算自己, 从离自己最近的 AS 开始, 以目的网段的 AS 结束 ), 为了避免 AS 环路, 如果从外部收到一条包含自己 AS 的路由, 就说明有了环路, 此时 BGP 将丢弃该路由 一般 AS_PATH 用来做策略路由, 如上图, 可以增长从 AS100 到 AS300 的 AS_PATH, 让路由走 AS200-AS NEXT_HOP 属性 : 该属性描述了到公布目的地址的路径的下一跳路由器的 IP 地址 A. 如果正在进行路由通告的路由器和接收的路由器在不同的 AS 中,Next_Hop 为正在宣告的路由器接口的 ip B. 如果正在宣告的路由器和接收的路由器在同一个 AS 内, 并且更新消息中 NLRI 目的地也在同一个 AS 中, 则 next_hop 为一宣告的路由的邻居的 ip

8 C. 如果正在宣告的路由器和接收的路由器是内部对等体, 并且更新消息的 NLRI 指向不同 AS, 则 Next_hop 为学习到路由的外部对等实体的 ip 5. Origin 属性 : BGP 更新分组的产生者生成 origin 属性, 并定义原始属性是如何被生成的 每个前缀都有一个 origin 属性 接受含有 origin 属性的更新分组的路由器应该向所有 BGP 邻居原样转发 origin 属性 IGP--- 从 AS 内部学到,ORIGIN 为 0 EGP---NLRI 从 EGP 学到,ORIGIN 为 1 Incomplete---NLRI 通过其他手段获得,ORIGIN 为 3 一般来说具有较低 ORIGIN 值的前缀被优先选取, IGP>BGP> 重分布例如通过重分布进入 BGP,ORIGIN 属性为 3, 通过 Network 命令注入其 ORIGIN 为 0 6. Weight 属性 :

9 它是 cisco 的专有属性, 所以自然高于一切其他 BGP 属性 ( 可想而知 ), 只在本地路由器有作用, 不向 邻居传递, 缺省情况下, 从对等体学到的所有路由器的 weight=0, 由本地路由器产生的等于 选路时, 选择 weight 最高的路径 7. Community 属性 : 使可以向一组源路由使用相同的策略, 即一个目的地作为一些目的地团体中的一个成员, 这些目的地共享一个或多个共同特性 它有 4 个字节 前面两个字节的 AS 号, 后面两个字节的管理上定义表示符, 而 Cisco 正好反过来, 用 ip bgpcommuity new-format 改过来当对团体路由进行聚合时, 聚合路由继承了所有路由的全部团体属性 NO_EXPORT 携带该属性的路由允许在邻居 AS 内公布但不允许邻居 AS 把路由公布其他 AS NONE 删除现存的团体属性 NO_ADVERTISE 指不在 IBGP 邻居间传递带有该属性的路由 DELETE 用于只删除匹配特定团体列表的属性 8.ORIGINATOR_ID 属性 : 由路由反射器 (RR) 使用, 它是有路由发起者产生的一个 32 比特的值, 该值是本地 AS 里路由发起者的 RID, 如果路由器发起者从该属性值中看到了自己的 RID, 就说明有环路, 该路由忽略 9.Cluster_LIST 属性 : 由路由反射器使用, 它是路由经过反射器簇 ID 的一个序号 如果路由反射器在该属性值中发现自己的本地簇 ID, 就说明有环路, 忽略掉 如果一个簇里不止一个 RR, 要在进程下用 bgp cluster-id 手工指定簇 ID, 因为默认 RR 将自己的 RID 当成 cluster-id 六.BGP 最优路径抉择顺序 : Consider only (synchronized) routes with no AS loops and a valid next hop, and then: 1. Prefer highest weight (local to router). 2. Prefer highest local preference (global within AS). 3. Prefer route originated by the local router (next hop = ). 4. Prefer shortest AS path. 5. Prefer lowest origin code (IGP < EGP < incomplete). 6. Prefer lowest MED (exchanged between autonomous systems). 7. Prefer EBGP path over IBGP path. 8. Prefer the path through the closest IGP neighbor. 9. Prefer oldest route for EBGP paths. 10. Prefer the path with the lowest neighbor BGP router ID.

10 11. Prefer the path with the lowest neighbor IP address. 七.BGP 同步同步指的是, 我要是想用 IBGP 学来的路由或是将它通告给其他邻居, 必须满足一个条件, 就是我已经通过 IGP 或者本地获得 以前的做法是将 BGP 路由重发布到自主系统内的 IGP, 这样就不用在中转 AS 内的每台路由器上运行 BGP, 但是现在由于 internet 的增大,IGP 已经无法处理 BGP 表中的路由, 所以现在的做法是, 在中转 AS 内的所有路由器上运行 IBGP, 这样的话, 就可以关闭同步 当一个中转 AS 内部的所有路由器都运行 IBGP 的时候, 会产生一个问题, 就是每一个路由器都要与其他所有路由器建立对等关系, 这样会使得网络十分复杂并且十分耗时, 于是变有了联盟和路由反射器, 他们可以减少路由器两两之间的连接数量, 做到不用物理上的全互连 ( 路由反射器, 我觉得就有点类似 OSPF 的 DR 概念 ) 当然, 也会碰到并不是所有路由器都互连且没有使用联盟和路由反射器的情况 ( 后面实验会介绍 ), 这时如果关闭同步, 就会产生路由黑洞的问题 所以当一个 AS 中 如果存在没有运行 BGP 的路由器, 而且它还处在 BGP 邻居的传输路径上, 同步就不能关闭, 此时 BGP 就必须在 IGP 中进行重发布 ( 或者可以起 Tunel, 跨过没有运行 BGP 的路由器 ) 八.BGP 表运行 BGP 的路由器有一个独立的表, 用于存储从其他路由器那里收到的信息, 并将这些信息发送给其他路由器 BGP 还保存了一个邻居表, 其中包含与之建立了 BGP 连接的邻居 要让 BGP 建立邻接关系, 必须显示地配置每个邻居 BGP 同每个指定的邻居连接 TCP 关系, 并通过定期地发送 BGP/TCP 存活消息来跟踪这些关系的状态 ( 默认 60 秒发一次 ) 建立了邻接关系后, 便开始交换 IP 路由选择表中的 BGP 信息, 每个路由器接收之后先放到 BGP 转发数据库中, 而不是直接加表, 然后再通过 BGP 路由选择进程从转发数据库中选出前往目的地的最优路径并提供给 IP 路由表 ( 选择过程见第六点 ) 路由器将提供的 BGP 路由同路由选择表中前往同一个网络的其他路径进行比较, 并根据管理距离确定它是否是最佳路由, 如果是, 则将其加入到 IP 路由选择表中 EBGP 的管理距离为 20,IBGP 为 200 九.BGP 的抖动 BGP 的路由抖动是 BGP 的一个 feature, 它是为了减少不稳定路由的公布, 每条路由都会被分配一个度量数字来反映稳定程度, 一但出现抖动, 就会被惩罚, 当超过惩罚临界值时, 此条路由被抑制, 一段时间不抖动, 惩罚值会自动降低, 当降到一个可以重新使用的临界点时, 才会被重新使用 缺省下 : 惩罚值 每次摆动 1000 抑制界限 2000 重新使用界限 750 半衰期 15 分钟最大抑制时间 60 分钟, 或者半衰期的 4 倍 BGP Route Dampening Terms: Flap A route whose availability alternates repeatedly History state After a route flaps once, it is assigned a penalty and put into history state, meaning the router does not have the best path, based on historical information.

11 Penalty Each time a route flaps, the router configured for route dampening in another autonomous system assigns the route a penalty of Penalties are cumulative. The penalty for the route is stored in the BGP routing table until the penalty exceeds the suppress limit. At that point, the route state changes from history to damp. Damp state In this state, the route has flapped so often that the router will not advertise this route to BGP neighbors Suppress limit A route is suppressed when its penalty exceeds this limit. The default value is 2000 Half-life Once the route has been assigned a penalty, the penalty is decreased by half after the half-life period (which is 15 minutes by default). The process of reducing the penalty happens every 5 seconds. Reuse limit As the penalty for a flapping route decreases and falls below this reuse limit, the route is unsuppressed. That is, the route is added back to the BGP table and once again used for forwarding. The default reuse limit is 750. The process of unsuppressing routes occurs at 10-second increments. Every 10 seconds, the router finds out which routes are now unsuppressed and advertises them to the world Maximum suppress limit This value is the maximum amount of time a route can be suppressed. The default value is four times the half-life. 十. RR 和 Confederations 在大型网络中, 要想 IBGP 全互连必然是一个庞大的任务, 也不可能, 也没必要, 有两种解决方法可以解决 1.Route reflectors 在大型的 AS 中, 全互连带来极大的工作量, 通过路由反射器 (RR) 可以建立一种 C/S 结构, 如一个含有 N 个路由器的 AS 内, 全互连将使用对等会话数目为 (N-2)N/2, 如果选取一个 RR, 则对等会话数目将降为 N-1 对一个 C/S 结构称其为一个 RR-Cluster RR 公布路由的规则 : 1, 如果路由是从非客户的 IBGP 对等学习到的, 只将它反射给客户 2, 如果路由是从客户处学习到的, 将它反射给除了发起该路由的客户外所有的客户以及非客户 3, 如果路由是从 EBGP 邻居学来的, 将它反射给所有的客户和非客户将一个路由器配置成路由反射器 (RR), 用 neigbhor route-reflect-client 把自己配成反射器, 由该命令所定

12 义的 IBGP 邻居路由器当成客户机, 这些客户机只与 RR 建立对等关系 RR 不能改动它从客户处收到的路由的属性 在一个 AS 内可以做 RR 冗余, 因为客户并不知道自己是客户, 所有一个 RR 可以是另一个路由反射器的客户 只需要 RR 支持路由反射, 客户不需要支持 RR 使用了 2 个 BGP 路径属性 : ORIGINATOR_ID: 由路由反射器 (RR) 使用, 它是有路由发起者产生的一个 32 比特的值, 该值是本地 AS 里路由发起者的 RID, 如果路由器发起者从该属性值中看到了自己的 RID, 就说明有环路, 该路由忽略 Cluster_LIST: 由路由反射器使用, 它是路由经过反射器簇 ID 的一个序号 如果路由反射器在该属性值中发现自己的本地簇 ID, 就说明有环路, 忽略掉 如果一个簇里不止一个 RR, 要在进程下用 bgp cluster-id 手工指定簇 ID, 因为默认 RR 将自己的 RID 当成 cluster-id 3. Confedarations 联盟 (confederations) 是一组分成子自治系统组的 AS, 如上图 1. 每一个联盟分配一个联盟 ID, 对于外端而言, 此联盟 ID 代表的是整个联盟的 AS 号. 联盟其实质是对自治系统的再次细分 2. AS_PATH 中加入了 AS_CONFED_SEQUENCE 和 AS_CONFED_SET 用法和 AS_SEQUENCE 及 AS_SET 完全相同, 3. 在联盟环境下, 所有路由器必须支持联盟 4. 用预留 AS(64512~65535) 作为联盟中的 AS 编号 5. 选路优先级 : 联盟的外部 EBGP>AS 成员的 EBGP>IBGP 6. 联盟相对于标准的 AS,Next_hops MED 可以不加修改的公布给联盟中的其他 AS 成员的 EBGP 对端, 而且可以发送 Local_Pref 属性 7. 大型系统中, 联盟和 RR 同时使用可以更好的控制 IBGP 对等关系 我想, 大概的理论就这些了吧, 再多的, 我也写不出来拉, 其他的内容, 以后再补充吧, 呵呵 blog 中, 有 房智勇 CCIE-BGP 学习笔记 的精华部分, 可以参阅 下面开始解释 IEWB 的实验, 所有的实验, 我都一一敲过, 由于自己的 PC 是个老古董,CPU 散热不好, 每次开到第 5 台路由器, 都要自动关机 能把敲完, 不容易 ^_^ 实验中, 碰到不会的知识点, 如果上面没有解释, 那么最好的方法当然是上 cisco 查文档

13 实验都较容易, 覆盖了 BGP 大部分的点 实验中需要注意的地方, 已用红色标出, 若有任何疑问, 联系我 实验一. BGP Update Source Mismatch Objective: Configure a BGP peering relationship between R1 and R3. R1 should peer with R3's Ethernet interface, while R3 should peer with R1'sSerial interface Directions Configure the IP addressing per the diagram Configure R1 and R3 in BGP AS 1 Configure R1 to peer with R3's interface Ethernet0/0 Configure R3 to peer with R1's interface Serial1/2 Ask Yourself What source IP address does a BGP speaker use for peering? How does this affect the establishment of a peering relationship? Can this address be modified? Is so, how? What are the advantages of modifying this address? Final Configuration R1: interface Ethernet0/0 ip address

14 interface Serial0/1 ip address clockrate router bgp 1 neighbor remote-as 1 R3: interface Ethernet0/0 ip address interface Serial1/2 ip address router bgp 1 neighbor remote-as 1 Verification R1#debug ip packet detail IP packet debugging is on (detailed) R1#debug ip bgp BGP debugging is on R3 sends R1 a TCP SYN to start a BGP session IP: s= (Serial1/2/1), d= (Serial1/2/1), len 44, rcvd 3 TCP src=11009, dst=179, seq= , ack=0, win=16384 SYN R1 rejects the connection with ACK RST, it has no peering to IP: tableid=0, s= (local), d= (Serial1/2/1), routed via RIB IP: s= (local), d= (Serial1/2/1), len 40, sending TCP src=179, dst=11009, seq=0, ack= , win=0 ACK RST R1 tries to start a BGP session with R3 BGP: went from Idle to Active BGP: open active, delay 6880ms BGP: open active, local address IP: tableid=0, s= (local), d= (Ethernet0/0), routed via RIB R3 rejects the connection with ACK RST, it has no peering to

15 IP: tableid=0, s= (Ethernet0/0), d= (Ethernet0/0), routed via RIB IP: s= (Ethernet0/0), d= (Ethernet0/0), len 40, rcvd 3 TCP src=179, dst=11020, seq=0, ack= , win=0 ACK RST BGP: open failed: Connection refused by remote host R3#debug ip packet detail IP packet debugging is on (detailed) R3#debug ip bgp BGP debugging is on R3 tries to start a BGP session with R1 BGP: went from Idle to Active BGP: open active, delay 8928ms BGP: open active, local address IP: tableid=0, s= (local), d= (Serial1/2), routed via RIB R1 rejects the connection with ACK RST, it has no peering to IP: tableid=0, s= (Serial1/2), d= (Serial1/2), routed via RIB IP: s= (Serial1/2), d= (Serial1/2), len 40, rcvd 3 TCP src=179, dst=11009, seq=0, ack= , win=0 ACK RST BGP: open failed: Connection refused by remote host 注释 : 在建立 BGP 对等关系的时候, 源 IP 地址默认是那个用于到达目的地的出接口 IP, 在此例中, 当 R1 准备发送一个 BGP 包给 R3 的时候, 使用的源 IP 是 , 而 R3 本地配置的 neighbor 指的是 这个地址, 所以当 R1 初始化一个 TCP 会话的时候, 被 R3 拒绝, 反过来也一样 解决方法 : 可以在 R1 上加上这么一条命令 neighbor update-source Serial0/1, 这样你就会看见我们最喜欢的 UP 了 实验二. ibgp Synchronization Objective: Configure BGP per the diagram to obtain connectivity from AS 1 to R4 and R5's loopback interfaces. R4 and R5 should have static default routes pointing towards R1 and R2 respectively. BGP synchronization should be enabled on R1 and R2

16 Directions Configure the IP addressing on R1, R2, R3, R4, and R5 per the diagram Configure OSPF area 0 on the Serial links between R1 and R3 & R2 and R3 Advertise VLAN A and VLAN B into OSPF on R1 and R2 respectively Configure static default routes on R4 and R5 pointing to R1 and R2 respectively Configure R1 and R2 in BGP AS 1 Configure R4 in BGP AS 4 Configure R5 in BGP AS 5 Configure an ibgp peering between R1 and R2 Configure an EBGP peering R1 and R4 Configure an EBGP peering between R2 and R5 Advertise R4's Loopback0 into BGP Advertise R5's Loopback0 into BGP Disable synchronization on R1 and R2, what happens? Redistribute R4 and R5's loopback interfaces into OSPF on R1 and R2 respectively, what happens? Ask Yourself What is BGP synchronization? What problem is it designed to prevent? How does meeting the synchronization rule prevent this problem? When can you safely disable synchronization? Why would you want to disable synchronization? Final Configuration R1: interface Ethernet0/0 ip address interface Serial0/1

17 ip address router ospf 1 network area 0 network area 0 router bgp 1 synchronization neighbor remote-as 4 neighbor remote-as 1 R2: interface Ethernet0/0 ip address interface Serial0/1 ip address router ospf 1 network area 0 network area 0 router bgp 1 synchronization neighbor remote-as 1 neighbor remote-as 5 R3: interface Serial1/2 ip address clock rate interface Serial1/3 ip address clock rate router ospf 1 network area 0 network area 0 R4: interface Loopback0 ip address interface Ethernet0/0 ip address

18 router bgp 4 network mask 宣告自己的环回 neighbor remote-as 1 ip route 用于回包的路由 R5: interface Loopback0 ip address interface Ethernet0/0 ip address router bgp 5 network mask 一样宣告环回 neighbor remote-as 1 ip route 用于回包的路由 Verification Synchronization On, Before Redistribution R1#show ip bgp BGP table version is 4, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale Origin codes: i - IGP, e - EGP,? - incomplete *> / 可以直接优化, 因为是通过 EBGP 学到的 0 4 i * i / BGP 表中没优化, 因为 IGP 中没有关于 /32 的路由 0 5 i R1#show ip bgp BGP routing table entry for /32, version 4 Paths: (1 available, no best path) Flag: 0x820 Not advertised to any peer (metric 855) from ( ) Origin IGP, metric 0, localpref 100, valid, internal, not synchronized---- 没有同步 R2#show ip bgp BGP table version is 4, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale

19 Origin codes: i - IGP, e - EGP,? - incomplete * i / i *> / i R2#show ip bgp BGP routing table entry for /32, version 4 Paths: (1 available, no best path) Not advertised to any peer (metric 855) from ( ) Origin IGP, metric 0, localpref 100, valid, internal, not synchronized Synchronization Off, Before Redistribution R1#conf t Enter configuration commands, one per line. End with CNTL/Z. R1(config)#router bgp 1 R1(config-router)#no synchronization 手动关闭同步,IOS12.2(8)T 之后已经是默认配置了 R1(config-router)#end R1#show ip bgp BGP table version is 5, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale Origin codes: i - IGP, e - EGP,? - incomplete *> / i *>i / 关闭同步之后, 发现 /32 优化了 0 5 i R1#show ip bgp neighbors advertised-routes 显示向 R4 发送的 BGP 路由信息 BGP table version is 5, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale Origin codes: i - IGP, e - EGP,? - incomplete *>i /

20 0 5 i R4#show ip route Routing entry for /32 Known via "bgp 4", distance 20, metric 0 (distance 20 表示从 EBGP 学到 ) Tag 1, type external Last update from :02:16 ago Routing Descriptor Blocks: * , from , 00:02:16 ago Route metric is 0, traffic share count is 1 AS Hops 2 这时,ping 一下看看, 会有什么现象 R4#debug ip icmp ICMP packet debugging is on R4#ping Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds: U.U.U 收到了不可达 Success rate is 0 percent (0/5) ICMP: dst ( ) host unreachable rcv from 从 R3 收到了不可达信息, 因为此时的 R3 并不知道如何到达 R2#conf t Enter configuration commands, one per line. End with CNTL/Z. R2(config)#router bgp 1 R2(config-router)#no synchronization R2#show ip bgp BGP table version is 5, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale Origin codes: i - IGP, e - EGP,? incomplete *>i / i *> / i R2#show ip bgp neighbors advertised-routes BGP table version is 5, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale

21 Origin codes: i - IGP, e - EGP,? - incomplete *>i / i R5#show ip route Routing entry for /32 Known via "bgp 5", distance 20, metric 0 Tag 1, type external Last update from :03:47 ago Routing Descriptor Blocks: * , from , 00:03:47 ago Route metric is 0, traffic share count is 1 AS Hops 2 R5#debug ip icmp ICMP packet debugging is on R5#ping Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds: U.U.U Success rate is 0 percent (0/5) ICMP: dst ( ) host unreachable rcv from Synchronization On, After Redistribution 再次开启同步, 并进行重发布 R1#conf t Enter configuration commands, one per line. End with CNTL/Z. R1(config)#ip prefix-list R4_LOOPBACK permit /32 匹配住 R4 的环回 R1(config)#route-map R4_LOOPBACK permit 10 R1(config-route-map)#match ip address prefix-list R4_LOOPBACK R1(config-route-map)#router ospf 1 R1(config-router)#redistribute bgp 1 subnets route-map R4_LOOPBACK OSPF 进程下, 将 R4 的环回重发布进来 R1(config-router)#router bgp 1 R1(config-router)#synchronization R1(config-router)#end R1# R2#conf t Enter configuration commands, one per line. End with CNTL/Z. R2(config)#ip prefix-list R5_LOOPBACK permit /32 R2(config)#route-map R5_LOOPBACK permit 10

22 R2(config-route-map)#match ip address prefix-list R5_LOOPBACK R2(config-route-map)#router ospf 1 R2(config-router)#redistribute bgp 1 subnets route-map R5_LOOPBACK R2(config-router)#router bgp 1 R2(config-router)#synchronization R2(config-router)#end R2# R1#show ip route Routing entry for /32 Known via "ospf 1", distance 110, metric 1 ( 红色字体表明,R1 已经通过 OSPF 学到 R5 的环回 ) Tag 5, type extern 2, forward metric 855 Last update from on Serial0/1, 00:01:43 ago Routing Descriptor Blocks: * , from , 00:01:43 ago, via Serial0/1 Route metric is 1, traffic share count is 1 R1#show ip bgp BGP table version is 8, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale Origin codes: i - IGP, e - EGP,? - incomplete *> / i r>i / i (R1 已经将 /32 优化了, 但是发现前面有个一 r, 这是因为 /32 通过 OSPF 学到的管理距离是 110, 比从 R2 学到的 IBGP 管理距离 200 小, 所以显示为 r, 通过 sh ip bgp rib 可以查看原因, 将会看到 high ad ) R1#show ip bgp BGP routing table entry for /32, version 8 Paths: (1 available, best #1, table Default-IP-Routing- Table, RIB-failure(17)) Advertised to non peer-group peers: (metric 855) from ( ) Origin IGP, metric 0, localpref 100, valid, internal,

23 synchronized, best R4#show ip route Routing entry for /32 Known via "bgp 4", distance 20, metric 0 Tag 1, type external Last update from :00:57 ago Routing Descriptor Blocks: * , from , 00:00:57 ago Route metric is 0, traffic share count is 1 AS Hops 2 R4#ping Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds: Success rate is 100 percent (5/5), round-trip min/avg/max = 60/61/69 ms R2#show ip route Routing entry for /32 Known via "ospf 1", distance 110, metric 1 Tag 4, type extern 2, forward metric 855 Last update from on Serial0/1, 00:03:23 ago Routing Descriptor Blocks: * , from , 00:03:23 ago, via Serial0/1 Route metric is 1, traffic share count is 1 R2#show ip bgp BGP table version is 7, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale Origin codes: i - IGP, e - EGP,? - incomplete r>i / i *> / i R2#show ip bgp BGP routing table entry for /32, version 7 Paths: (1 available, best #1, table Default-IP-Routing- Table, RIB-failure(17)) Advertised to non peer-group peers: 自己优化了之后, 才会传给 R5

24 (metric 855) from ( ) Origin IGP, metric 0, localpref 100, valid, internal, synchronized, best R5#show ip route Routing entry for /32 Known via "bgp 5", distance 20, metric 0 Tag 1, type external Last update from :12:21 ago Routing Descriptor Blocks: * , from , 00:12:21 ago Route metric is 0, traffic share count is 1 AS Hops 2 R5#ping Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds: Success rate is 100 percent (5/5), round-trip min/avg/max = 60/61/68 ms 注释 : 当一个 AS 内部, 如果有路由器没有 BGP 的话, 重发布是一种方法, 但显然如今的网络, 这种方法已经行不通, 下面这个实验, 我个人至少要比重发布好 实验三. Transiting Non-BGP Speaking Devices Tunneling Objective: Configure the network so that hosts on VLAN 5 can reach hosts on VLAN 43. R3 will not participate in BGP routing. Configure a GRE tunnel between R1 and R2 to accomplish this

25 Directions Configure the topology per the diagram Configure EIGRP AS 2 on the links between R1 & R3 and R2 & R3 Configure a tunnel between R1 and R2 using the subnet 155.X.12.0/24 Configure BGP on R1, R2, R4, and R5 per the diagram R1 and R2 should peer with each other over the tunnel interface R1 should peer with R4 R2 should peer with R5 Advertise VLAN 5 into BGP on R5 Advertise VLAN 43 into BGP on R4 Final Configuration R1: interface Tunnel0 起 tunnel 口 (tunnel 就是一个隧道 ) ip address 给 tunnel 口一个 IP tunnel source 配置 tunnel 口的源 IP tunnel destination 配置 tunnel 口的目的 IP interface FastEthernet0/0 ip address interface Serial0/1 ip address router eigrp 2 network no auto-summary router bgp 2 neighbor remote-as 2 直接在 tunnel 上指邻居 neighbor next-hop-self 这个不用多说了吧? neighbor remote-as 3 R2: interface Tunnel0 ip address tunnel source tunnel destination interface FastEthernet0/0 ip address interface Serial0/0 encapsulation frame-relay interface Serial0/0.1 point-to-point

26 ip address frame-relay interface-dlci 205 interface Serial0/1 ip address router eigrp 2 network no auto-summary router bgp 2 neighbor remote-as 1 neighbor remote-as 2 neighbor next-hop-self R3: interface Serial1/2 ip address clockrate interface Serial1/3 ip address clockrate router eigrp 2 network network no auto-summary R4: interface Ethernet0/0 ip address interface Ethernet0/1 ip address router bgp 3 network mask neighbor remote-as 2 R5: interface Serial0/0 ip address encapsulation frame-relay frame-relay map ip broadcast interface Ethernet0/1

27 ip address router bgp 1 network mask neighbor remote-as 2 Verification R4#ping source Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds: Packet sent with a source address of Success rate is 100 percent (5/5), round-trip min/avg/max = 88/88/92 ms R4#traceroute source Type escape sequence to abort. Tracing the route to msec 4 msec 4 msec msec 40 msec 44 msec 直接跨过了 R3, 通过隧道 tunnel 传给了 R msec * 56 msec R1#show ip bgp <output omitted> *>i / i *> i R2#show ip bgp <output omitted> *> / i *>i i R4#show ip bgp <output omitted> *> / i *>

28 32768 i R5#show ip bgp <output omitted> *> / i *> i R1#show ip route <output omitted> B /24 [20/0] via , 00:05: /24 is subnetted, 4 subnets C is directly connected, FastEthernet0/0 D [90/ ] via , 00:45:07, Serial0/1 C is directly connected, Serial0/1 D EX [170/ ] via , 00:16:11, Serial0/1 R2#show ip route <output omitted> D EX /24 [170/ ] via , 00:04:57, Serial0/ /24 is subnetted, 4 subnets C is directly connected, Serial0/1 D [90/ ] via , 00:45:11, Serial0/1 C is directly connected, Serial0/0.1 B [20/0] via , 00:20:59 R3#show ip route <output omitted> D EX /24 [170/ ] via , 00:05:09, Serial1/ /24 is subnetted, 3 subnets C is directly connected, Serial1/3 C is directly connected, Serial1/2 D EX [170/ ] via , 00:16:35, Serial1/3 R4#show ip route <output omitted> C /24 is directly connected, Ethernet0/ /24 is subnetted, 2 subnets

29 C is directly connected, Ethernet0/1 B [20/0] via , 00:03:34 R5#show ip route <output omitted> B /24 [20/0] via , 00:04: /24 is subnetted, 2 subnets C is directly connected, Serial0/0 C is directly connected, Ethernet0/1 注释 : 好象也没什么注释的, 都能看懂 实验四. BGP Bestpath Selection Weight Objective: Configure the BGP Weight attribute on R3 so that traffic from R3 s Ethernet segment going to VLAN 5 is first sent to R1 Directions Configure the topology per the diagram Configure BGP on R1, R3, R4, and R5 per the diagram R1 should peer with R3 and R4 R5 should peer with R3 and R5 Advertise R3 s Ethernet segment into BGP Advertise R5 s Ethernet segment into BGP Configure BGP weight on R3 so that routes coming from R1 are preferred over those coming from R5 Final Configuration R1: interface FastEthernet0/0 ip address interface Serial0/1

30 ip address router bgp 2 neighbor remote-as 2 neighbor next-hop-self neighbor remote-as 1 R3: interface Serial1/2 ip address clockrate router bgp 2 network mask neighbor remote-as 1 neighbor remote-as 2 neighbor next-hop-self neighbor route-map WEIGHT in route-map 用来做策略, 默认从对等体学来的路由的 weight 为 0, 此时将 R1 的 weight 改为 100, 当然会优选 R1 route-map WEIGHT permit 10 set weight 100 R4: interface Ethernet0/1 ip address half-duplex interface Serial0/1 ip address router bgp 1 neighbor remote-as 1 neighbor next-hop-self neighbor remote-as 2 R5: interface Serial0/0 ip address encapsulation frame-relay frame-relay map ip broadcast no frame-relay inverse-arp interface Ethernet0/1 ip address interface Serial0/1

31 ip address clockrate router bgp 1 network mask neighbor remote-as 2 neighbor remote-as 1 neighbor next-hop-self Verification Rack1R3#traceroute source Type escape sequence to abort. Tracing the route to msec 16 msec 16 msec 走 R msec 16 msec 16 msec msec * 28 msec Rack1R3#show ip bgp BGP routing table entry for /24, version 6 Paths: (2 available, best #1, table Default-IP-Routing- Table) Flag: 0x800 Advertised to update-groups: from ( ) Origin IGP, metric 0, localpref 100, weight 100, valid, internal, best from ( ) Origin IGP, metric 0, localpref 100, valid, external Rack1R1#show ip bgp <output omitted> *> / i *>i / i Rack1R3#show ip bgp *>i / i *

32 0 1 i *> / i Rack1R4#show ip bgp <output omitted> *>i / i *> / i * i i Rack1R5#show ip bgp <output omitted> *> / i * i / i *> i Rack1R1#show ip route <output omitted> /24 is subnetted, 4 subnets C is directly connected, FastEthernet0/0 C is directly connected, Serial0/1 B [20/0] via , 00:02:39 B [200/0] via , 00:02:39 Rack1R3#show ip route <output omitted> /24 is subnetted, 4 subnets C is directly connected, Serial1/2 C is directly connected, Serial1/0.1 B [200/0] via , 00:02:16 C is directly connected, Ethernet0/0 Rack1R4#show ip route <output omitted> /24 is subnetted, 4 subnets C is directly connected, Ethernet0/1 B [200/0] via , 00:09:03 C is directly connected, Serial0/1 B [20/0] via , 00:08:44

33 Rack1R5#show ip route <output omitted> /24 is subnetted, 4 subnets C is directly connected, Serial0/0 C is directly connected, Ethernet0/1 C is directly connected, Serial0/1 B [20/0] via , 00:04:47 为了减少篇幅, 以下一些实验, 会只写关键配置, 基础配置同前面一样 实验五. BGP Bestpath Selection Local Preference Objective: Configure the BGP Local Preference attribute in AS 2 so that traffic from R3 s Ethernet segment going to VLAN 5 is first sent to R1 Directions Configure the topology per the diagram Configure BGP on R1, R3, R4, and R5 per the diagram R1 should peer with R3 and R4 R5 should peer with R3 and R5 Advertise R3 s Ethernet segment into BGP Advertise R5 s Ethernet segment into BGP Configure BGP Local Preference on R3 so that routes coming from R1 are preferred over those coming from R5 R3: router bgp 2 network mask neighbor remote-as 1 neighbor remote-as 2 neighbor next-hop-self neighbor route-map LOCAL_PREFERENCE in route-map LOCAL_PREFERENCE permit 10 set local-preference 200 默认为 100

34 Verification Rack1R3#traceroute source Type escape sequence to abort. Tracing the route to msec 16 msec 16 msec msec 16 msec 16 msec msec * 28 msec Rack1R3#show ip bgp BGP routing table entry for /24, version 5 Paths: (2 available, best #1, table Default-IP-Routing- Table) Advertised to update-groups: from ( ) Origin IGP, metric 0, localpref 200, valid, internal, best from ( ) Origin IGP, metric 0, localpref 100, valid, external Rack1R3#show ip bgp <output omitted> *>i / i * i *> / i 实验六. BGP Bestpath Selection MED Objective: Configure the BGP MED in AS 1 so that traffic from R3 s Ethernet segment going to VLAN 5 is first sent to R1

35 Directions Configure the topology per the diagram Configure BGP on R1, R3, R4, and R5 per the diagram R1 should peer with R3 and R4 R5 should peer with R3 and R5 Advertise R3 s Ethernet segment into BGP Advertise R5 s Ethernet segment into BGP Configure BGP MED outbound on R4 and R5 towards AS 2 当路由器收到两个来自同一 AS 的具有不同 MED 值的相同路由条目时, 在高优先级属性值相等的情况下它将选择 MED 值小的路由作为最优路径 只需在 R4 和 R5 上配置 : R4: interface Ethernet0/1 ip address half-duplex interface Serial0/1 ip address router bgp 1 neighbor remote-as 1 neighbor next-hop-self neighbor remote-as 2 neighbor route-map MED out route-map MED permit 10 set metric 100 R5: interface Serial0/0 ip address encapsulation frame-relay frame-relay map ip broadcast no frame-relay inverse-arp interface Ethernet0/1 ip address interface Serial0/1 ip address clockrate router bgp 1 network mask neighbor remote-as 2

36 neighbor route-map MED out neighbor remote-as 1 neighbor next-hop-self route-map MED permit 10 set metric 200 Verification Rack1R3#traceroute source Type escape sequence to abort. Tracing the route to msec 16 msec 16 msec 走 R msec 16 msec 16 msec msec * 28 msec Rack1R3#show ip bgp BGP routing table entry for /24, version 8 Paths: (2 available, best #1, table Default-IP-Routing- Table) Flag: 0x800 Advertised to update-groups: from ( ) Origin IGP, metric 100, localpref 100, valid,internal, best from ( ) Origin IGP, metric 200, localpref 100, valid, external Rack1R3#show ip bgp <output omitted> *>i / i * i *> / i Rack1R3#show ip route <output omitted> /24 is subnetted, 4 subnets C is directly connected, Serial1/2 C is directly connected, Serial1/0.1 B [200/100] via , 00:05:53 C is directly connected, Ethernet0/0

37 实验七. BGP Bestpath Selection Origin Objective: Modify the BGP Origin code in AS 2 so that traffic from R3 s Ethernet segment going to VLAN 5 is first sent to R1 Directions Configure the topology per the diagram Configure BGP on R1, R3, R4, and R5 per the diagram R1 should peer with R3 and R4 R5 should peer with R3 and R5 Advertise R3 s Ethernet segment into BGP Advertise R5 s Ethernet segment into BGP Configure R3 so that the Origin of the route learned from R1 is preferred over the one learned from R5 IGP--- 从 AS 内部学到,ORIGIN 为 0 EGP---NLRI 从 EGP 学到,ORIGIN 为 1 Incomplete---NLRI 通过其他手段获得,ORIGIN 为 3 具有较低 ORIGIN 值的前缀被优先选取, IGP>BGP> 重分布 R3: interface Serial1/2 ip address clockrate router bgp 2 network mask neighbor remote-as 1 neighbor route-map ORIGIN in neighbor remote-as 2 neighbor next-hop-self route-map ORIGIN permit 10 set origin incomplete * 注释 *: 这个要说一下,R5 发送来的 BGP 分组, 也就是关于 VLAN5 的信息, 会包含一个 origin 属性,R5

38 会向 R3 转发, 也会向 R4 转发,R4 收到之后, 依然会向 R1 转发, 其中依然包含这个 origin 属性, 这时改变从 R5 学来的路由的 origin 为 incomplete, 也就意味着会优先选择从 R1 去 R5 的 vlan5 Verification Rack1R3#traceroute source Type escape sequence to abort. Tracing the route to msec 16 msec 16 msec 走 R msec 16 msec 16 msec msec * 28 msec Rack1R3#show ip bgp BGP routing table entry for /24, version 9 Paths: (2 available, best #1, table Default-IP-Routing- Table) Advertised to update-groups: from ( ) Origin IGP, metric 0, localpref 100, valid, internal,best from ( ) Origin incomplete, metric 0, localpref 100, valid,external Rack1R3#show ip bgp <output omitted> Origin codes: i - IGP, e - EGP,? incomplete *>i / i * ? *> / ( 本地 ) i Rack1R3#show ip route <output omitted> /24 is subnetted, 4 subnets C is directly connected, Serial1/2 C is directly connected, Serial1/0.1 B [200/0] via , 00:05:53 C is directly connected, Ethernet0/0 介绍几个常用的 BGP community 属性 : 实验八. BGP Communites No-Export Objective: Configure AS 2 using the community No-Export so that hosts on R3 s Ethernet have access to VLANs 5 and 43 but AS 1 and AS 3 cannot reach VLANs 43 and 5 respectively

39 Directions Configure the topology per the diagram Configure EIGRP AS 2 on the links between R1 & R3 and R2 & R3 Configure BGP on R1, R2, R3, R4, and R5 per the diagram R1 should peer with R4 R2 should peer with R5 R1, R2, and R3 should all peer with each other Advertise R3 s Ethernet into BGP on R3 Advertise VLAN 5 into BGP on R5 Advertise VLAN 43 into BGP on R4 Configure the community No-Export on R1 and R2 so that routes coming from AS 1 are not passed to AS 3 and vice-versa R1: router bgp 2 neighbor remote-as 2 neighbor next-hop-self neighbor remote-as 2 neighbor next-hop-self neighbor send-community 默认情况下, 并不把 BGP 的 community 属性广播给对等体, 所以需要使用 neighbor send-community 命令启动这项功能, 即发送 BGP 的 community 属性给它的对等体 ( 如果配置的是 no-advertise 属性, 则不需要这条命令 ) neighbor remote-as 3 neighbor route-map NO_EXPORT in route-map NO_EXPORT permit 10 set community no-export R2: router bgp 2 neighbor remote-as 1 neighbor route-map NO_EXPORT in neighbor remote-as 2

40 neighbor next-hop-self neighbor send-community neighbor remote-as 2 neighbor next-hop-self route-map NO_EXPORT permit 10 set community no-export 当 R1 和 R2 收到带有 no-export 属性的路由时, 允许在邻居 AS 内公布但不允许邻居 AS 把路由公布其他 AS, 即 R2 不会将 VLAN43 的路由转发给 R5,R1 不会将 VLAN5 的路由转发给 R4, 我们需要达到的效果是, 只有 R3 的以太口可以 ping 通 VLAN43 和 VLAN5, 而 VLAN43 和 VLAN5 不能互通 Verification Rack1R3#ping source Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds: Packet sent with a source address of Success rate is 100 percent (5/5), round-trip min/avg/max = 84/86/88 ms Rack1R3#ping source Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds: Packet sent with a source address of Success rate is 100 percent (5/5), round-trip min/avg/max = 28/31/32 ms Rack1R4#show ip bgp BGP table version is 3, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale Origin codes: i - IGP, e - EGP,? - incomplete *> / i *> i *R4 学不到 R5 的 VLAN5

41 Rack1R5#show ip bgp BGP table version is 3, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale Origin codes: i - IGP, e - EGP,? - incomplete *> / i *> / i *R5 学不到 R4 的 VLAN43 Rack1R1#show ip bgp BGP routing table entry for /24, version 3 Paths: (1 available, best #1, table Default-IP-Routing- Table, not advertised to EBGP peer) Not advertised to any peer (metric ) from ( ) Origin IGP, metric 0, localpref 100, valid, internal, best Community: no-export Rack1R2#show ip bgp BGP routing table entry for /24, version 2 Paths: (1 available, best #1, table Default-IP-Routing- Table, not advertised to EBGP peer) Not advertised to any peer (metric ) from ( ) Origin IGP, metric 0, localpref 100, valid, internal, best Community: no-export 实验九. BGP Communites No-Advertise Objective: Configure R2 using the community No-Advertise so that hosts on R3 s Ethernet, VLAN 5, and VLAN 43 all have access to each other but only R2 has access to VLAN 58

42 Directions Configure the topology per the diagram Configure EIGRP AS 2 on the links between R1 & R3 and R2 & R3 Configure BGP on R1, R2, R3, R4, and R5 per the diagram R1 should peer with R4 R2 should peer with R5 R1, R2, and R3 should all peer with each other Advertise R3 s Ethernet into BGP on R3 Advertise VLANs 5 and 58 into BGP on R5 Advertise VLAN 43 into BGP on R4 Configure the community No-Advertise on R2 so that VLAN 58 is not advertised to any neighbor R2: router bgp 2 neighbor remote-as 1 neighbor route-map NO_ADVERTISE in 不需要 neighbor send-community neighbor remote-as 2 neighbor next-hop-self neighbor remote-as 2 neighbor next-hop-self ip prefix-list VLAN58 permit /24 匹配住 R5 的 VLAN58, 目的是只有 R2 可以到达 R5 的 VLAN58 route-map NO_ADVERTISE permit 10 match ip address prefix-list VLAN58 set community no-advertise 设置 community 属性 route-map NO_ADVERTISE permit 20

43 Verification Rack1R2#show ip bgp BGP routing table entry for /24, version 4 Paths: (1 available, best #1, table Default-IP-Routing- Table, not advertised to any peer) Not advertised to any peer from ( ) Origin IGP, metric 0, localpref 100, valid, external, best Community: no-advertise Rack1R2#ping Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds: Success rate is 100 percent (5/5), round-trip min/avg/max = 56/59/60 ms * 其他路由器全 ping 不通 Rack1R2#show ip bgp BGP table version is 5, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale Origin codes: i - IGP, e - EGP,? - incomplete *> / i *>i / i *> / i *>i i * 其他路由器没有关于 /24 的路由 * 还有一个 community 属性, 叫做 local-as, 介绍完 confederation 之后再介绍 为了避免 IBGP 全互连, 我们可以通过 RR 和 confedaration 来管理 实验十. BGP Route Reflection Objective: Configure R3 as a route reflector for R1 and R2 so that hosts on R3 s Ethernet, VLAN 5, and VLAN 43 all have access to each other

44 Directions Configure the topology per the diagram Configure EIGRP AS 2 on the links between R1 & R3 and R2 & R3 Configure BGP on R1, R2, R3, R4, and R5 per the diagram R1 should peer with R4 R2 should peer with R5 R3 should peer with and be a route reflector for R1 and R2 Advertise R3 s Ethernet into BGP on R3 Advertise VLAN 5 into BGP on R5 Advertise VLAN 43 into BGP on R4 配置 R3 为路由反射器 : R3: router bgp 2 network mask neighbor remote-as 2 neighbor route-reflector-client neighbor remote-as 2 neighbor route-reflector-client 注释 : 一个路由反射器由一个或多个路由器担当, 可以使用一个或多个路由器作为路由反射器, 并把其他路由器作为这个路由反射器的客户 路由反射器把从一个路由反射器客户得到的路由反射给另一个客户 当使用多个路由反射器时, 必须给同一个集群中的路由反射器配置相同的 ID, 叫做集群 ID 集群由路由反射器和他们的客户组成 当使用集群路由反射器时, 把包含在集群列表中的集群 ID 用于本地 AS 的循环检测 配置命令 :bgp cluster-id 32-bit_id 实验十一. BGP Confederation Objective: Configure R1, R2, and R3 in confederation so that AS 1 and AS 3 see them as all belonging to AS 2

45 Directions Configure the topology per the diagram Configure BGP on R1, R2, R3, R4, and R5 per the diagram R1 and R3 should use the private AS and the public AS 2 R2 should use the private AS and the public AS 2 R1 should peer with R3 and R4 R2 should peer with R3 and R5 Advertise R3 s Ethernet into BGP on R3 Advertise VLAN 5 into BGP on R5 Advertise VLAN 43 into BGP on R4 R1: interface FastEthernet0/0 ip address interface Serial0/1 ip address router eigrp 2 network no auto-summary router bgp 配置子 AS 号码 (64512~65535) bgp confederation identifier 2 表明, 我对于 EBGP 邻居来说, 我还是 AS2 neighbor remote-as neighbor next-hop-self neighbor remote-as 3 R2: interface FastEthernet0/0 ip address

46 interface Serial0/0 encapsulation frame-relay interface Serial0/0.1 point-to-point ip address frame-relay interface-dlci 205 interface Serial0/1 ip address router eigrp 2 network no auto-summary router bgp bgp confederation identifier 2 bgp confederation peers 不同的子 AS 中, 也相当与 EBGP 的关系, 这里要配置子 AS 的对等关系 neighbor remote-as 1 neighbor remote-as R3: interface Ethernet0/0 ip address interface Serial1/2 ip address clockrate interface Serial1/3 ip address clockrate router eigrp 2 network network no auto-summary router bgp bgp confederation identifier 2 bgp confederation peers network mask neighbor remote-as neighbor next-hop-self

47 neighbor remote-as R4: interface Ethernet0/0 ip address interface Ethernet0/1 ip address router bgp 3 network neighbor remote-as 2 这里 neighbor 不指子 AS 号, 注意 R5: interface Serial0/0 ip address encapsulation frame-relay frame-relay map ip broadcast interface Ethernet0/0 ip address interface Ethernet0/1 ip address router bgp 1 network mask neighbor remote-as 2 Verification Rack1R1#show ip bgp BGP table version is 4, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale Origin codes: i - IGP, e - EGP,? - incomplete *>i / (65002) 1 i *>i / i *> i Rack1R2#show ip bgp BGP table version is 4, local router ID is

48 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale Origin codes: i - IGP, e - EGP,? - incomplete *> / i *> / (65013) i *> (65013) 3 i Rack1R3#show ip bgp BGP table version is 4, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale Origin codes: i - IGP, e - EGP,? - incomplete *> / (65002) 1 i *> / i *>i i Rack1R4#show ip bgp BGP table version is 14, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale Origin codes: i - IGP, e - EGP,? - incomplete *> / i *> / i *> i 实验十二. BGP Communities Local AS Objective: Configure the community Local-AS on R1 so that only R3 s Ethernet segment has reachability to VLAN 43

49 Directions Configure the topology per the diagram Configure BGP on R1, R2, R3, R4, and R5 per the diagram R1 and R3 should use the private AS and the public AS 2 R2 should use the private AS and the public AS 2 R1 should peer with R3 and R4 R2 should peer with R3 and R5 Advertise R3 s Ethernet into BGP on R3 Advertise VLAN 5 into BGP on R5 Advertise VLAN 43 into BGP on R4 Configure R1 to set VLAN 43 to the community Local-AS as it is received from R4 Final Configuration R1: router bgp bgp confederation identifier 2 neighbor remote-as neighbor next-hop-self neighbor send-community neighbor remote-as 3 neighbor route-map LOCAL_AS in route-map LOCAL_AS permit 10 set community local-as 携带该属性的路由, 只在子 AS 内传递, 所以 R3 收到之后不会传递给 R2 Verification Rack1R1#show ip bgp BGP routing table entry for /24, version 5 Paths: (1 available, best #1, table Default-IP-Routing- Table, not advertised outside local AS) Advertised to non peer-group peers:

50 from ( ) Origin IGP, metric 0, localpref 100, valid, external, best Community: local-as Rack1R3#show ip bgp BGP routing table entry for /24, version 5 Paths: (1 available, best #1, table Default-IP-Routing- Table, not advertised outside local AS) Not advertised to any peer from ( ) Origin IGP, metric 0, localpref 100, valid, confedinternal, best Community: local-as 通过 sh ip bgp, 发现只有 R1 和 R3 学到了 /24 的路由,R2 和 R5 并没有学到 原因是携带了 local-as 属性的路由在 R3 处被停止 实验十三. BGP Regular Expressions Objective: Configure AS-Path access-list filtering on R1 and R2 in such a way that hosts on R3 s Ethernet have access to VLAN 5 and VLAN 43 but hosts on VLANs 5 and 43 do not have access to each other Directions Configure the topology per the diagram Configure EIGRP AS 2 on the links between R1 & R3 and R2 & R3 Configure BGP on R1, R2, R3, R4, and R5 per the diagram R1 should peer with R4 R2 should peer with R5

51 R1, R2, and R3 should all peer with each other Advertise R3 s Ethernet into BGP on R3 Advertise VLAN 5 into BGP on R5 Advertise VLAN 43 into BGP on R4 Configure an AS-Path access-list on R1 and R2 to only advertise routes originated in AS 2 out to AS 1 and AS 3 实验目的 : 通过在 R1 和 R2 上配置路径过滤列表, 使得只有 AS2 的路由器可以 ping 通 VLAN43 和 VLAN5, 而 R4 和 R5 分别 ping 不通 VLAN5 和 VLAN43 Final Configuration R1: router bgp 2 neighbor remote-as 2 neighbor next-hop-self neighbor remote-as 2 neighbor next-hop-self neighbor remote-as 3 neighbor filter-list 1 out ip as-path access-list 1 permit ^$ R2: router bgp 2 neighbor remote-as 1 neighbor filter-list 1 out neighbor remote-as 2 neighbor next-hop-self neighbor remote-as 2 neighbor next-hop-self ip as-path access-list 1 permit ^$ Verification 表明 AS2 内部的 R3 可以 ping 通 VLAN43 和 VLAN5: Rack1R3#ping source Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds: Packet sent with a source address of Success rate is 100 percent (5/5), round-trip min/avg/max = 84/86/88 ms Rack1R3#ping source Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:

52 Packet sent with a source address of 而 R4 和 R5 却 ping 不通对方的地址 : Rack1R4#ping source Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds: Packet sent with a source address of Success rate is 0 percent (0/5) R1 并没有向 R4 通告 VLAN5: Rack1R1#show ip bgp neighbors advertised-routes BGP table version is 4, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale Origin codes: i - IGP, e - EGP,? - incomplete *>i / i R2 也没有向 R5 通告 VLAN43: Rack1R2#show ip bgp neighbors advertised-routes BGP table version is 4, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale Origin codes: i - IGP, e - EGP,? - incomplete *>i / i R4 只学到 R3 的以太口地址, 本该收到的 VLAN5 被路径过滤掉了 : Rack1R4#show ip bgp BGP table version is 17, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale Origin codes: i - IGP, e - EGP,? - incomplete *> / i *>

53 32768 i 同样 R5 的结果一样 : Rack1R5#show ip bgp BGP table version is 11, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale Origin codes: i - IGP, e - EGP,? - incomplete *> / i *> / i AS-PATH 过滤采用正则表达式, 正则表达式解释如下 : 元字符特殊字符匹配内容. 任何单一字符, 包括空格 [] 在方括号中罗列的任何字符 [^] 除了在方括号中所罗列字符外的任何字符 (^ 必须放在字符列表之前 ) - ( 连字符 ) 在由连字符所分配的两个字符之间的任意字符? 字符或模式出现 0 次或 1 次 * 字符或模式出现 0 次或多次 + 字符或模式出现 1 次或多次 ^ 一行的开始 $ 一行的结束 由元字符特殊字符分隔的字之一 _ ( 下划线 ) 一个逗号, 行的开始, 行的结束或空格 实验十四. BGP Aggregation Objective: Configure AS 2 so that AS 1 sees an aggregate route representing the /16, /16, /16, and /16 networks

54 Directions Configure the topology per the diagram Configure BGP on R1, R3, R4, and R5 per the diagram R1 should peer with R3 and R4 R5 should peer with R3 and R4 Advertise VLAN 5 and 43 into BGP on R5 and R4 respectively Create the Loopback networks /16 and /16 on R1 and advertise them into BGP Create the Loopback networks /16 and /16 on R3 and advertise them into BGP Configure BGP aggregation on R1 for all four of these networks Final Configuration R1: interface Loopback0 ip address interface Loopback1 ip address interface FastEthernet0/0 ip address interface Serial0/1 ip address router bgp 2 network mask network mask aggregate-address neighbor remote-as 2 neighbor next-hop-self neighbor remote-as 1 R3: interface Loopback0 ip address interface Loopback1 ip address interface Serial1/0 encapsulation frame-relay interface Serial1/0.1 point-to-point ip address frame-relay interface-dlci 305

55 interface Serial1/2 ip address clockrate router bgp 2 network mask network mask neighbor remote-as 2 neighbor next-hop-self neighbor remote-as 1 Verification Rack1R1#show ip bgp BGP table version is 8, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale Origin codes: i - IGP, e - EGP,? - incomplete *> / i *> / ( 汇总了路由,R3 上也一样结果 ) i *> / i *>i / i *>i / i * i / i *> i * i i *> i Rack1R5#show ip bgp BGP table version is 13, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale Origin codes: i - IGP, e - EGP,? - incomplete

56 *> / i * i i *> / (R5 上不仅收到了汇总路由, 还收到了明细路由,R4 也一样 ) 0 2 i * i i *> / i * i i *> / i * i i *> / i * i i *> / i *>i i 注释 : 只有在 BGP 表中, 存在一条明细路由的时候,aggregate-address 才起作用, 还可以在此命令后加上 as-set, 保留 AS 路径信息 另外, 可以在该条命令后面加上 summary-only, 用来抑制明细路由的传递,EBGP 邻居只能收到汇总路由 若加上 advertise-map 则可以决定在这个聚合路由中保留哪个 AS 路径信息 实验十五. BGP Aggregation Suppress Map Objective: Configure AS 2 so that AS 1 sees an aggregate route representing /16, /16, /16, and /16 networks along with the subnets /16 and /16

57 Directions Configure the topology per the diagram Configure BGP on R1, R3, R4, and R5 per the diagram R1 should peer with R3 and R4 R5 should peer with R3 and R4 Advertise VLAN 5 and 43 into BGP on R5 and R4 respectively Create the Loopback networks /16 and /16 on R1 and advertise them into BGP Create the Loopback networks /16 and /16 on R3 and advertise them into BGP Configure BGP aggregation on R1 and R3 for all four of these networks R1 should suppress only the /16 network R3 should suppress only the /16 network Final Configuration R1: router bgp 2 network mask network mask aggregate-address suppress-map SUPPRESS neighbor remote-as 2 neighbor next-hop-self neighbor remote-as 1 ip prefix-list seq 5 permit /16 定义想要抑制的明细路由 route-map SUPPRESS permit 10 match ip address prefix-list R3: router bgp 2 network mask network mask aggregate-address suppress-map SUPPRESS neighbor remote-as 2

58 neighbor next-hop-self neighbor remote-as 1 ip prefix-list seq 5 permit /16 定义想要抑制的明确路由 route-map SUPPRESS permit 10 match ip address prefix-list Verification Rack1R1#show ip bgp BGP table version is 9, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale Origin codes: i - IGP, e - EGP,? - incomplete *> / i * i / i *> i s> / /16 被抑制 i *>i / i * i / i *> i * i i *> i Rack1R3#show ip bgp BGP table version is 9, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale Origin codes: i - IGP, e - EGP,? - incomplete *>i / i

59 *> / i * i i s> / /16 被抑制 i *> / i * i / i *> i * i i *> i Rack1R4#show ip route bgp /24 is subnetted, 3 subnets B [200/0] via , 01:01: /8 is variably subnetted, 3 subnets, 2 masks B /16 [20/0] via , 00:03:51 B /16 [20/0] via , 00:05:04 B /14 [20/0] via , 00:05:04 Rack1R5#show ip route bgp B /24 [200/0] via , 01:01: /8 is variably subnetted, 3 subnets, 2 masks B /16 [20/0] via , 00:03:57 B /16 [20/0] via , 00:03:57 B /14 [20/0] via , 00:03:57 Sh ip rou bgp 已经看不见被抑制的那两条路由了 注释 :aggregate-address suppress-map 命令, 是用来抑制形成汇总路由的某个明细路由, 而与之相对的还有一条命令,unsuppress-map, 但是这条命令的用法有点不一样,upsuppress-map 需要敲在 neighbor 后面, 并且需要 aggregate-address summary-only 实验十六. BGP Allow AS In Objective: Configure R5 to advertise the aggregate 150.X.0.0/21 without any specific subnet information. Devices receiving the aggregate should know that it is comprised of prefixes that passed through ASs 1, 2, 3, and 5. Ensure that R1, R2, and R3 are able to install this aggregate in their BGP tables

60 Directions Configure the topology per the diagram Configure BGP on R1, R2, R3, and R5 per the diagram R5 should peer with R1, R2, and R3 Create the Loopback 150.X.1.1/24 on R1 and advertise it into BGP Create the Loopback 150.X.2.2/24 on R2 and advertise it into BGP Create the Loopback 150.X.3.3/24 on R3 and advertise it into BGP Create the Loopback 150.X.5.5/24 on R5 and advertise it into BGP Configure the BGP aggregate 150.X.0.0/21 on R5 Include the originating AS-Path information with this aggregate Configure R1, R2, and R3 to accept prefixes with their own AS in the path in order to receive the aggregate Final Configuration R1: interface Loopback0 ip address interface Serial0/0 encapsulation frame-relay interface Serial0/0.1 point-to-point ip address frame-relay interface-dlci 105 router bgp 1 network mask neighbor remote-as 5 neighbor allowas-in 1 R2: