CCIE Study Notes: BGP (document + labs)
Editor: Edison   E-mail: shilianwang@sohu.com   QQ: 21478604
If there are mistakes or omissions, please do not hesitate to point them out; if you repost this, please credit the author and the source.
It took more than a week, but BGP is finally written up. BGP is enormous; I consulted a lot of material to finish these notes. My ability is limited, so please bear with me. BGP has much more fine detail that you will have to research yourselves: read more books, do more labs, ask more, think more.
Thanks to 56CTO for giving those of us studying Cisco a place to hide; thanks to Weiba, and thanks to Xiaohaizi (for correcting my mistakes promptly).
Also, the blog address has changed to www.ciscoer.com. With the financial crisis this bad, I still ran to the bank for a loan to register the domain; it was not easy for me ^_^
References: <<Troubleshooting IP Routing Protocols>>, <<Fang Zhiyong's CCIE-BGP Study Notes>>, <<Routing TCP/IP, Volume II>>, <<IEWB Lab Workbook>>, <<BGP Command and Configuration Handbook>>
I. What is BGP
Routing protocols, divided into internal and external, fall into interior gateway protocols (IGP) and exterior gateway protocols (EGP).
Interior gateway protocol: exchanges routing information inside an AS; typical ones are RIP, EIGRP, OSPF and IS-IS (IS-IS is currently not tested in R&S).
Exterior gateway protocol: a routing protocol that connects different ASes; the typical one is BGP-4 (version 4, hereafter simply BGP).
BGP is a path-vector protocol used to carry routing information between autonomous systems. At startup BGP sends the entire routing table; afterwards it sends only the part of the network that changed, as triggered updates. It carries its messages over a TCP connection, port number 179.
Because BGP uses TCP, it naturally has a reliable transport mechanism: TCP's sliding window lets BGP keep sending packets without having to stop and wait for acknowledgements the way OSPF or EIGRP do.
When BGP runs inside one AS it is called internal BGP (IBGP); when it runs between ASes it is called external BGP (EBGP).
BGP supports VLSM and CIDR.
Classic definition of an AS: a group of routers under a single administration that use the same interior gateway protocol and a uniform metric to decide how to route packets inside the AS, and use an inter-AS routing protocol to decide how to route packets to other ASes.
AS number range: 1~65535, of which 64512~65535 are private ASes; the confederation configuration later on uses these private ASes. The notion of "private" is the same as for private IP addresses.
BGP is policy-based routing: it lets an AS control the flow of traffic according to a variety of BGP attributes.
BGP is generally used in the following situations:
1. An AS allows packets to transit it to reach other ASes
2. An AS connects to multiple ASes
3. Traffic entering and leaving the AS must be controlled
Situations where BGP is not used:
1. The AS has only one exit
2. The routers are not powerful: little memory, slow CPU, limited bandwidth
3. Limited understanding of route filtering and the BGP path-selection process (another piece of Cisco filler)
BGP cannot see the topology inside an AS; BGP only sees the tree of ASes, while an IGP only sees the topology inside the AS.
II. BGP message types
BGP defines four message types:
1. Open
After two routers establish a TCP connection, both sides send an Open (carrying their own information and the parameters BGP runs with). If the received Open is acceptable, a Keepalive is sent to confirm the Open.
Version: 8 bits, the BGP version used by the sender; default 4, changeable with neighbor ... version. If the two versions differ, the router automatically lowers its version and resends the Open message until the versions agree.
AS number: 16 bits, used to determine whether the session is EBGP or IBGP.
Hold time: 16 bits, Cisco default 180 seconds; the maximum time this router will wait before it must have received a Keepalive or an Update.
BGP ID: 32 bits, same idea as the OSPF Router-id: the highest loopback address, or if there is none, the highest active physical interface address; it can be configured manually.
Optional parameters: for example session authentication and multiprotocol support.
2. Keepalive
Used to confirm the OPEN message and to keep the session up; by default once every 60 seconds, or 1/3 of the hold time.
3. Update
An Update message carries information for only one path, i.e. several paths require several Updates.
Withdrawn routes: describes routes that have become unreachable and are being withdrawn
Path attributes: give BGP the information to choose the shortest path, detect routing loops and decide routing policy
NLRI: advertises the IP prefixes reachable over this path
4. Notification
As soon as an error is detected a Notification is sent, which usually causes the BGP connection to be torn down; for example, Notification is used for BGP version negotiation.
III. BGP neighbor relationships
A router running BGP is called a BGP speaker.
BGP peer = BGP neighbor (two speakers that have established an adjacency over TCP and begun exchanging routing information).
An (internal) neighbor relationship does not require a direct connection; TCP reachability is enough.
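As an added example (not code from the notes or from Cisco) of the Open message fields listed in section II, the following Python builds and parses an OPEN message and applies the receiver-side decisions the notes describe: a version mismatch produces a Notification, the hold time is negotiated down to the shorter of the two, and the AS number decides whether the session is IBGP or EBGP. The 16-byte marker / 2-byte length / 1-byte type header and the "hold time must be 0 or at least 3 seconds" rule come from RFC 4271; the function names and the sample values are assumptions made for this example.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

# Fixed BGP message header (RFC 4271): 16-byte all-ones marker, 2-byte length, 1-byte type.
MARKER = b"\xff" * 16
HEADER_LEN = 19
OPEN, UPDATE, NOTIFICATION, KEEPALIVE = 1, 2, 3, 4


@dataclass
class OpenMessage:
    version: int                      # 8 bits
    my_as: int                        # 16 bits
    hold_time: int                    # 16 bits, seconds
    bgp_id: str                       # 32 bits, shown as a dotted quad like a router-id
    opt_params: List[Tuple[int, bytes]] = field(default_factory=list)


def parse_open(data: bytes) -> OpenMessage:
    """Parse a raw OPEN (header + body); every length is checked before it is trusted."""
    if len(data) < HEADER_LEN:
        raise ValueError("short header")
    marker, length, msg_type = data[:16], struct.unpack("!H", data[16:18])[0], data[18]
    if marker != MARKER:
        raise ValueError("bad marker")
    if length != len(data) or length < HEADER_LEN + 10:
        raise ValueError("bad length")
    if msg_type != OPEN:
        raise ValueError("not an OPEN message")
    version, my_as, hold_time, bgp_id_raw, opt_len = struct.unpack("!BHHIB", data[19:29])
    body = data[29:]
    if opt_len != len(body):
        raise ValueError("optional parameter length mismatch")
    params, pos = [], 0
    while pos < len(body):                      # each parameter is type, length, value
        if pos + 2 > len(body):
            raise ValueError("truncated optional parameter")
        ptype, plen = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + plen]
        if len(value) != plen:
            raise ValueError("truncated optional parameter")
        params.append((ptype, value))
        pos += 2 + plen
    bgp_id = ".".join(str(b) for b in struct.pack("!I", bgp_id_raw))
    return OpenMessage(version, my_as, hold_time, bgp_id, params)


def build_open(version: int, my_as: int, hold_time: int, bgp_id: str,
               opt_params=()) -> bytes:
    """Encode an OPEN message; the inverse of parse_open (used to construct test input)."""
    body = b"".join(bytes([t, len(v)]) + v for t, v in opt_params)
    bgp_id_raw = struct.unpack("!I", bytes(int(x) for x in bgp_id.split(".")))[0]
    payload = struct.pack("!BHHIB", version, my_as, hold_time, bgp_id_raw, len(body)) + body
    return MARKER + struct.pack("!H", HEADER_LEN + len(payload)) + bytes([OPEN]) + payload


def check_open(local_as: int, local_version: int, local_hold: int, msg: OpenMessage):
    """Receiver's decision on a peer's OPEN, as described in section II of the notes.
    Returns (reply, session_type, negotiated_hold, keepalive_interval)."""
    if msg.version != local_version:
        return ("NOTIFICATION", "unsupported version", None, None)
    if msg.hold_time in (1, 2):                 # RFC 4271: hold time must be 0 or >= 3
        return ("NOTIFICATION", "unacceptable hold time", None, None)
    session = "IBGP" if msg.my_as == local_as else "EBGP"
    negotiated = min(local_hold, msg.hold_time) # the shorter hold time wins
    keepalive = 0 if negotiated == 0 else negotiated // 3   # 0 disables both timers
    return ("KEEPALIVE", session, negotiated, keepalive)
```

The parser refuses a message whose header length disagrees with the bytes actually received, or whose optional parameters overrun the body; those are the checks a listener on port 179 must make before it uses any field.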
1. External BGP neighbors: an EBGP neighbor relationship runs between different ASes and must be directly connected.
2. Internal BGP neighbors: an IBGP neighbor relationship runs inside the same AS; no direct connection is required, only the ability to establish a TCP connection.
IV. The BGP finite state machine
Input events (IE) and their meaning:
1 BGP start
2 BGP stop
3 BGP transport connection open
4 BGP transport connection closed
5 BGP transport connection open failed
6 BGP transport fatal error
7 ConnectRetry timer expired
8 Hold timer expired
9 Keepalive timer expired
10 Open message received
11 Keepalive message received
12 Update message received
13 Notification message received
Idle state
1. BGP normally begins in the Idle state (in which it refuses all incoming connections). When a start event occurs, the BGP process initializes all BGP resources, starts the ConnectRetry timer, initiates the TCP connection to the neighbor, listens for a TCP initialization from the neighbor, and moves to the Connect state.
2. A start event is caused by an operator configuring a BGP process or resetting an existing one, or by the router software resetting the BGP process.
3. An error moves the BGP process back to Idle. The router may try another start event. To prevent flapping under a persistent error condition, after the first return to Idle the router automatically starts the ConnectRetry timer and does not attempt to restart BGP until the timer expires. The first retry interval is 60 s, the next is double that, 120 s, and it keeps growing exponentially.
Connect state
In this state the BGP process waits for the TCP connection to complete before deciding what to do next.
1. If the TCP connection succeeds, BGP clears the ConnectRetry timer, completes initialization, sends an Open message to the neighbor and moves to the OpenSent state.
2. If the TCP connection fails, BGP keeps listening for a connection initiated by the neighbor, resets the ConnectRetry timer and moves to the Active state.
3. If the ConnectRetry timer expires while in Connect, the timer is restarted and another TCP connection attempt is made to the neighbor; BGP stays in Connect. Any other input event moves it to Idle.
Active state
In this state the BGP process tries to establish a TCP connection with the neighbor.
1. If the connection succeeds, the BGP process clears the ConnectRetry timer, completes initialization, sends an Open message to the neighbor and moves to the OpenSent state; the Hold timer is set to 4 mins.
2. If the ConnectRetry timer expires while in Active, BGP goes back to the Connect state and resets the ConnectRetry timer; it also initiates a TCP connection to the peer and keeps listening for connections from the peer.
3. If the neighbor tries to establish a TCP session from an unknown IP address, the ConnectRetry timer is reset, the connection is refused and BGP stays in Active.
4. Any other event (except a start event) moves the state to Idle.
OpenSent state
In this state an Open message has been sent and BGP waits for the Open message from the neighbor.
1. When an Open message is received and an error is found in it, a Notification is sent to the neighbor and BGP moves to Idle.
2. If the received Open has no error, a Keepalive is sent to the neighbor and the Keepalive timer is cleared; the shorter hold time is negotiated here (if it is 0, the Hold and Keepalive timers are not started); IBGP or EBGP is chosen according to the AS number; the state moves to OpenConfirm.
3. If a TCP disconnect is received, the local BGP connection is closed, the ConnectRetry timer is reset and BGP moves to Active.
OpenConfirm state
In this state BGP waits for a Keepalive or a Notification message.
1. If a Keepalive is received, move to Established.
2. If a Notification is received, move to Idle and close the TCP connection.
3. If the Hold timer expires, an error is detected or a stop event occurs, BGP sends a Notification to the neighbor, closes the connection and moves to Idle.
Established state
In this state the connection between the BGP peers is fully established and Update, Keepalive and Notification messages can be exchanged. If a Notification is received, BGP automatically moves to Idle and closes the connection.
V. BGP attributes
BGP path attributes fall into 4 classes:
1. Well-known mandatory: every BGP router must recognize it
2. Well-known discretionary: every BGP router recognizes it, but it need not be present
3. Optional transitive: not every BGP router recognizes it, but every BGP router passes it on
4. Optional non-transitive: not every BGP router recognizes it, and a BGP router that does not recognize it discards it
Common BGP attributes:
1. Local_pref attribute: local preference is a 32-bit non-negative integer in the BGP update that indicates which router inside an AS is chosen to leave the AS; the higher the better. The attribute is meaningful only inside the local AS and means nothing outside it; it only affects traffic leaving the AS, and it is only propagated to IBGP neighbors (default 100). In the figure above, router A is chosen as the exit.
2. MED attribute:
Defines a way to choose among several entry points into the same AS. MED is a non-transitive BGP attribute: a MED received from an EBGP neighbor is passed to IBGP neighbors but not propagated to other EBGP neighbors.
The lower MED is chosen. By default Cisco only compares MEDs from the same AS; to compare MEDs between updates from different ASes, add the command bgp always-compare-med.
3. AS_PATH attribute:
A mandatory attribute that every BGP update must carry; it is only changed when the update is sent to an EBGP neighbor. It describes which ASes the route passed through (not counting our own; starting with the AS nearest to us and ending with the AS of the destination network). To avoid AS loops, if a route received from outside contains our own AS there is a loop, and BGP discards that route.
AS_PATH is commonly used for policy routing; as in the figure above, the AS_PATH from AS100 to AS300 can be lengthened so that the route goes via AS200-AS500.
4. NEXT_HOP attribute:
The IP address of the next-hop router on the path to the advertised destination.
A. If the advertising router and the receiving router are in different ASes, Next_Hop is the IP of the advertising router's interface.
B. If the advertising router and the receiving router are in the same AS, and the NLRI destination in the update is also in that AS, next_hop is the IP of the neighbor that advertised the route.
C. If the advertising router and the receiving router are internal peers, and the NLRI in the update points to a different AS, Next_hop is the IP of the external peer from which the route was learned.
5. Origin attribute:
The originator of the BGP update generates the origin attribute, which records how the original information was obtained. Every prefix has an origin attribute; a router that receives an update carrying an origin attribute should forward it unchanged to all BGP neighbors.
IGP: learned from inside the AS, ORIGIN is 0
EGP: NLRI learned from EGP, ORIGIN is 1
Incomplete: NLRI obtained by other means, ORIGIN is 3
In general the prefix with the lower ORIGIN value is preferred: IGP > EGP > redistributed. For example, a route that enters BGP through redistribution has ORIGIN 3, while one injected with the network command has ORIGIN 0.
6. Weight attribute:
A Cisco proprietary attribute, so naturally it outranks every other BGP attribute (as you would expect). It only has effect on the local router and is not passed to neighbors. By default every route learned from a peer has weight=0 and routes originated by the local router have 32768. The path with the highest weight is chosen.
7. Community attribute:
Lets the same policy be applied to a group of source routes: a destination becomes one member of a community of destinations that share one or more common properties.
It is 4 bytes: the first two bytes are the AS number and the last two are an administratively defined identifier. Cisco has it the other way round; use ip bgp-community new-format to switch it back. When community routes are aggregated, the aggregate inherits all the community attributes of all the routes.
NO_EXPORT: a route carrying it may be advertised inside the neighbor AS, but the neighbor AS may not advertise it to other ASes
NONE: removes the existing community attributes
NO_ADVERTISE: a route carrying it is not passed between IBGP neighbors
DELETE: deletes only the attributes matching a specific community list
8. ORIGINATOR_ID attribute:
Used by route reflectors (RR); a 32-bit value generated by the originator of the route, the RID of the originator within the local AS. If the originator sees its own RID in this attribute, there is a loop and the route is ignored.
9. CLUSTER_LIST attribute:
Used by route reflectors; a sequence of the cluster IDs of the reflectors the route has passed through. If a route reflector finds its own local cluster ID in this attribute, there is a loop and the route is ignored. If a cluster contains more than one RR, set the cluster ID by hand under the process with bgp cluster-id, because by default an RR uses its own RID as the cluster-id.
VI. BGP best path selection order:
Consider only (synchronized) routes with no AS loops and a valid next hop, and then:
1. Prefer highest weight (local to router).
2. Prefer highest local preference (global within AS).
3. Prefer route originated by the local router (next hop = 0.0.0.0).
4. Prefer shortest AS path.
5. Prefer lowest origin code (IGP < EGP < incomplete).
6. Prefer lowest MED (exchanged between autonomous systems).
7. Prefer EBGP path over IBGP path.
8. Prefer the path through the closest IGP neighbor.
9. Prefer oldest route for EBGP paths.
10. Prefer the path with the lowest neighbor BGP router ID.
11. Prefer the path with the lowest neighbor IP address.
VII. BGP synchronization
Synchronization means: if I want to use a route learned via IBGP, or advertise it to other neighbors, one condition must hold: I must already have it through an IGP or locally.
The old practice was to redistribute BGP routes into the IGP inside the autonomous system, so that BGP did not have to run on every router of the transit AS. But now that the Internet has grown, the IGP can no longer handle the routes in the BGP table, so the current practice is to run IBGP on every router in the transit AS, in which case synchronization can be turned off.
When every router inside a transit AS runs IBGP, a problem appears: every router must peer with every other router, which makes the network very complex and very time-consuming. Hence confederations and route reflectors, which reduce the number of router-to-router sessions so that a physical full mesh is not needed (a route reflector, I think, is a bit like the DR concept in OSPF).
Of course you will also meet the case where not all routers are meshed and neither confederations nor route reflectors are used (a lab later shows this); if synchronization is turned off then, a routing black hole results. So if an AS contains a router that does not run BGP and that router sits on the transit path between BGP neighbors, synchronization cannot be turned off, and BGP must be redistributed into the IGP (or a tunnel can be built across the router that does not run BGP).
VIII. The BGP table
A router running BGP keeps a separate table that stores the information received from other routers and that it sends on to other routers. BGP also keeps a neighbor table containing the neighbors with which BGP connections have been established. For BGP to form an adjacency, every neighbor must be configured explicitly. BGP opens a TCP connection to every specified neighbor and tracks the state of that relationship by sending BGP/TCP keepalive messages periodically (every 60 seconds by default).
Once the adjacency is up, the BGP information in the IP routing tables is exchanged. Each router first puts what it receives into the BGP forwarding database rather than installing it directly; the BGP route selection process then picks the best path to each destination from the forwarding database and offers it to the IP routing table (the selection process is in section VI). The router compares the offered BGP route with the other paths to the same network in the routing table and decides by administrative distance whether it is the best route; if it is, it goes into the IP routing table. The administrative distance of EBGP is 20, that of IBGP is 200.
IX. BGP dampening
BGP route dampening is a BGP feature that reduces the advertisement of unstable routes. Every route is assigned a figure of merit that reflects its stability; each flap is penalized, and once the penalty exceeds the suppress threshold the route is suppressed. If the route stops flapping for a while the penalty decays automatically, and when it falls to a threshold at which the route may be reused, the route is used again.
Defaults: penalty 1000 per flap; suppress limit 2000; reuse limit 750; half-life 15 minutes; maximum suppress time 60 minutes, or 4 times the half-life.
BGP Route Dampening Terms:
Flap: A route whose availability alternates repeatedly
History state: After a route flaps once, it is assigned a penalty and put into history state, meaning the router does not have the best path, based on historical information.
Penalty: Each time a route flaps, the router configured for route dampening in another autonomous system assigns the route a penalty of 1000. Penalties are cumulative. The penalty for the route is stored in the BGP routing table until the penalty exceeds the suppress limit. At that point, the route state changes from history to damp.
Damp state: In this state, the route has flapped so often that the router will not advertise this route to BGP neighbors
Suppress limit: A route is suppressed when its penalty exceeds this limit. The default value is 2000
Half-life: Once the route has been assigned a penalty, the penalty is decreased by half after the half-life period (which is 15 minutes by default). The process of reducing the penalty happens every 5 seconds.
Reuse limit: As the penalty for a flapping route decreases and falls below this reuse limit, the route is unsuppressed. That is, the route is added back to the BGP table and once again used for forwarding. The default reuse limit is 750. The process of unsuppressing routes occurs at 10-second increments. Every 10 seconds, the router finds out which routes are now unsuppressed and advertises them to the world
Maximum suppress limit: This value is the maximum amount of time a route can be suppressed. The default value is four times the half-life.
X. RR and Confederations
In a large network an IBGP full mesh is bound to be a huge task, impossible and unnecessary; there are two ways to solve it.
1. Route reflectors
In a large AS the full mesh creates an enormous workload. With a route reflector (RR) a client/server structure can be built: in an AS with N routers the full mesh needs (N-2)N/2 peering sessions, whereas picking one RR drops the number of sessions to N-1. One such C/S structure is called an RR cluster.
Rules by which an RR advertises routes:
1. If the route was learned from a non-client IBGP peer, reflect it only to clients
2. If the route was learned from a client, reflect it to all clients except the one that originated it, and to all non-clients
3. If the route was learned from an EBGP neighbor, reflect it to all clients and non-clients
To configure a router as a route reflector (RR), use neighbor route-reflector-client: the command makes the router itself the reflector and treats the IBGP neighbor routers it names as clients. Those clients only peer with the RR.
The RR must not change the attributes of routes received from clients.
RR redundancy is possible inside an AS; because a client does not know it is a client, one RR can be a client of another route reflector.
Only the RR needs to support route reflection; the clients do not.
RR uses 2 BGP path attributes:
ORIGINATOR_ID: used by route reflectors (RR); a 32-bit value generated by the originator of the route, the RID of the originator within the local AS. If the originator sees its own RID in this attribute, there is a loop and the route is ignored.
Cluster_LIST: used by route reflectors; a sequence of the cluster IDs of the reflectors the route has passed through. If a route reflector finds its own local cluster ID in this attribute, there is a loop and the route is ignored. If a cluster contains more than one RR, set the cluster ID by hand under the process with bgp cluster-id, because by default an RR uses its own RID as the cluster-id.
2. Confederations
A confederation is an AS divided into a group of sub-autonomous systems, as in the figure above.
1. Each confederation is assigned a confederation ID; to the outside, the confederation ID is the AS number of the whole confederation. A confederation is essentially a further subdivision of an autonomous system.
2. AS_CONFED_SEQUENCE and AS_CONFED_SET are added to AS_PATH; they are used exactly like AS_SEQUENCE and AS_SET.
3. In a confederation environment every router must support confederations.
4. Reserved AS numbers (64512~65535) are used as the AS numbers inside the confederation.
5. Path-selection preference: EBGP external to the confederation > EBGP between member ASes > IBGP.
6. Unlike in a standard AS, inside a confederation Next_hop and MED can be advertised unchanged to the EBGP peers of other member ASes, and Local_Pref can be sent as well.
7. In large systems, confederations and RRs can be used together for better control of IBGP peering.
I think that is about all of the theory; I cannot write any more than this, the rest I will add later, heh. My blog has the best parts of Fang Zhiyong's CCIE-BGP study notes for reference.
Now the explanation of the IEWB labs. I typed through every lab myself; since my PC is an antique with poor CPU cooling, it shut itself down every time I brought up the fifth router. Getting them all typed was not easy ^_^
If you run into something in a lab that you do not know and it is not explained above, the best approach of course is to look it up in the documentation on Cisco's site.
The labs are fairly easy and cover most of the points of BGP. The places to watch out for have been marked in red; if you have any questions, contact me.
Lab 1. BGP Update Source Mismatch
Objective: Configure a BGP peering relationship between R1 and R3. R1 should peer with R3's Ethernet interface, while R3 should peer with R1's Serial interface
Directions
Configure the IP addressing per the diagram
Configure R1 and R3 in BGP AS 1
Configure R1 to peer with R3's interface Ethernet0/0
Configure R3 to peer with R1's interface Serial1/2
Ask Yourself
What source IP address does a BGP speaker use for peering?
How does this affect the establishment of a peering relationship?
Can this address be modified? If so, how?
What are the advantages of modifying this address?
Final Configuration
R1:
interface Ethernet0/0
 ip address 13.0.0.1 255.0.0.0
interface Serial0/1
 ip address 31.0.0.1 255.0.0.0
 clockrate 64000
router bgp 1
 neighbor 13.0.0.3 remote-as 1
R3:
interface Ethernet0/0
 ip address 13.0.0.3 255.0.0.0
interface Serial1/2
 ip address 31.0.0.3 255.0.0.0
router bgp 1
 neighbor 31.0.0.1 remote-as 1
Verification
R1#debug ip packet detail
IP packet debugging is on (detailed)
R1#debug ip bgp
BGP debugging is on
R3 sends R1 a TCP SYN to start a BGP session
IP: s=31.0.0.3 (Serial1/2/1), d=31.0.0.1 (Serial1/2/1), len 44, rcvd 3
    TCP src=11009, dst=179, seq=3354450520, ack=0, win=16384 SYN
R1 rejects the connection with ACK RST, it has no peering to 31.0.0.3
IP: tableid=0, s=31.0.0.1 (local), d=31.0.0.3 (Serial1/2/1), routed via RIB
IP: s=31.0.0.1 (local), d=31.0.0.3 (Serial1/2/1), len 40, sending
    TCP src=179, dst=11009, seq=0, ack=3354450521, win=0 ACK RST
R1 tries to start a BGP session with R3
BGP: 13.0.0.3 went from Idle to Active
BGP: 13.0.0.3 open active, delay 6880ms
BGP: 13.0.0.3 open active, local address 13.0.0.1
IP: tableid=0, s=13.0.0.1 (local), d=13.0.0.3 (Ethernet0/0), routed via RIB
R3 rejects the connection with ACK RST, it has no peering to 13.0.0.1
IP: tableid=0, s=13.0.0.3 (Ethernet0/0), d=13.0.0.1 (Ethernet0/0), routed via RIB
IP: s=13.0.0.3 (Ethernet0/0), d=13.0.0.1 (Ethernet0/0), len 40, rcvd 3
    TCP src=179, dst=11020, seq=0, ack=123733113, win=0 ACK RST
BGP: 13.0.0.3 open failed: Connection refused by remote host
R3#debug ip packet detail
IP packet debugging is on (detailed)
R3#debug ip bgp
BGP debugging is on
R3 tries to start a BGP session with R1
BGP: 31.0.0.1 went from Idle to Active
BGP: 31.0.0.1 open active, delay 8928ms
BGP: 31.0.0.1 open active, local address 31.0.0.3
IP: tableid=0, s=31.0.0.3 (local), d=31.0.0.1 (Serial1/2), routed via RIB
R1 rejects the connection with ACK RST, it has no peering to 31.0.0.3
IP: tableid=0, s=31.0.0.1 (Serial1/2), d=31.0.0.3 (Serial1/2), routed via RIB
IP: s=31.0.0.1 (Serial1/2), d=31.0.0.3 (Serial1/2), len 40, rcvd 3
    TCP src=179, dst=11009, seq=0, ack=3354450521, win=0 ACK RST
BGP: 31.0.0.1 open failed: Connection refused by remote host
Note: when a BGP peering is established, the source IP address defaults to the IP of the outgoing interface used to reach the destination. In this example, when R1 prepares to send a BGP packet to R3, the source IP it uses is 13.0.0.1, while the neighbor configured locally on R3 refers to the address 31.0.0.1, so when R1 initiates a TCP session it is rejected by R3; the same happens in the other direction.
Solution: add this command on R1: neighbor 13.0.0.3 update-source Serial0/1, and then you will see our favourite UP.
Lab 2. IBGP Synchronization
Objective: Configure BGP per the diagram to obtain connectivity from AS 1 to R4 and R5's loopback interfaces. R4 and R5 should have static default routes pointing towards R1 and R2 respectively. BGP synchronization should be enabled on R1 and R2
Directions
Configure the IP addressing on R1, R2, R3, R4, and R5 per the diagram
Configure OSPF area 0 on the Serial links between R1 and R3 & R2 and R3
Advertise VLAN A and VLAN B into OSPF on R1 and R2 respectively
Configure static default routes on R4 and R5 pointing to R1 and R2 respectively
Configure R1 and R2 in BGP AS 1
Configure R4 in BGP AS 4
Configure R5 in BGP AS 5
Configure an IBGP peering between R1 and R2
Configure an EBGP peering between R1 and R4
Configure an EBGP peering between R2 and R5
Advertise R4's Loopback0 into BGP
Advertise R5's Loopback0 into BGP
Disable synchronization on R1 and R2, what happens?
Redistribute R4 and R5's loopback interfaces into OSPF on R1 and R2 respectively, what happens?
Ask Yourself
What is BGP synchronization?
What problem is it designed to prevent?
How does meeting the synchronization rule prevent this problem?
When can you safely disable synchronization?
Why would you want to disable synchronization?
Final Configuration
R1:
interface Ethernet0/0
 ip address 14.0.0.1 255.0.0.0
interface Serial0/1
 ip address 13.0.0.1 255.0.0.0
router ospf 1
 network 13.0.0.1 0.0.0.0 area 0
 network 14.0.0.1 0.0.0.0 area 0
router bgp 1
 synchronization
 neighbor 14.0.0.4 remote-as 4
 neighbor 23.0.0.2 remote-as 1
R2:
interface Ethernet0/0
 ip address 25.0.0.2 255.0.0.0
interface Serial0/1
 ip address 23.0.0.2 255.0.0.0
router ospf 1
 network 23.0.0.2 0.0.0.0 area 0
 network 25.0.0.2 0.0.0.0 area 0
router bgp 1
 synchronization
 neighbor 13.0.0.1 remote-as 1
 neighbor 25.0.0.5 remote-as 5
R3:
interface Serial1/2
 ip address 13.0.0.3 255.0.0.0
 clock rate 64000
interface Serial1/3
 ip address 23.0.0.3 255.0.0.0
 clock rate 64000
router ospf 1
 network 13.0.0.3 0.0.0.0 area 0
 network 23.0.0.3 0.0.0.0 area 0
R4:
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
interface Ethernet0/0
 ip address 14.0.0.4 255.0.0.0
router bgp 4
 network 4.4.4.4 mask 255.255.255.255
 (advertise its own loopback)
 neighbor 14.0.0.1 remote-as 1
ip route 0.0.0.0 0.0.0.0 14.0.0.1
(route for the return packets)
R5:
interface Loopback0
 ip address 5.5.5.5 255.255.255.255
interface Ethernet0/0
 ip address 25.0.0.5 255.0.0.0
router bgp 5
 network 5.5.5.5 mask 255.255.255.255
 (advertise the loopback in the same way)
 neighbor 25.0.0.2 remote-as 1
ip route 0.0.0.0 0.0.0.0 25.0.0.2
(route for the return packets)
Verification
Synchronization On, Before Redistribution
R1#show ip bgp
BGP table version is 4, local router ID is 14.0.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
*> 4.4.4.4/32       14.0.0.4         0             0 4 i
   (4.4.4.4 is best right away, because it was learned via EBGP)
* i5.5.5.5/32       25.0.0.5         0    100      0 5 i
   (not best in the BGP table, because the IGP has no route for 5.5.5.5/32)
R1#show ip bgp 5.5.5.5
BGP routing table entry for 5.5.5.5/32, version 4
Paths: (1 available, no best path)
Flag: 0x820
  Not advertised to any peer
  5
    25.0.0.5 (metric 855) from 23.0.0.2 (25.0.0.2)
      Origin IGP, metric 0, localpref 100, valid, internal, not synchronized
      (not synchronized)
R2#show ip bgp
BGP table version is 4, local router ID is 25.0.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
* i4.4.4.4/32       14.0.0.4         0    100      0 4 i
*> 5.5.5.5/32       25.0.0.5         0             0 5 i
R2#show ip bgp 4.4.4.4
BGP routing table entry for 4.4.4.4/32, version 4
Paths: (1 available, no best path)
  Not advertised to any peer
  4
    14.0.0.4 (metric 855) from 13.0.0.1 (14.0.0.1)
      Origin IGP, metric 0, localpref 100, valid, internal, not synchronized
Synchronization Off, Before Redistribution
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#router bgp 1
R1(config-router)#no synchronization
(turn synchronization off by hand; since IOS 12.2(8)T this is already the default)
R1(config-router)#end
R1#show ip bgp
BGP table version is 5, local router ID is 14.0.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
*> 4.4.4.4/32       14.0.0.4         0             0 4 i
*>i5.5.5.5/32       25.0.0.5         0    100      0 5 i
   (with synchronization off, 5.5.5.5/32 is now best)
R1#show ip bgp neighbors 14.0.0.4 advertised-routes
(shows the BGP routes sent to R4)
BGP table version is 5, local router ID is 14.0.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
*>i5.5.5.5/32       25.0.0.5         0    100      0 5 i
R4#show ip route 5.5.5.5
Routing entry for 5.5.5.5/32
  Known via "bgp 4", distance 20, metric 0
  (distance 20 means it was learned via EBGP)
  Tag 1, type external
  Last update from 14.0.0.1 00:02:16 ago
  Routing Descriptor Blocks:
  * 14.0.0.1, from 14.0.0.1, 00:02:16 ago
      Route metric is 0, traffic share count is 1
      AS Hops 2
Now ping and see what happens:
R4#debug ip icmp
ICMP packet debugging is on
R4#ping 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
U.U.U
(unreachables received)
Success rate is 0 percent (0/5)
ICMP: dst (14.0.0.4) host unreachable rcv from 13.0.0.3
(the unreachable comes from R3, because at this point R3 has no idea how to reach 5.5.5.5)
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#router bgp 1
R2(config-router)#no synchronization
R2#show ip bgp
BGP table version is 5, local router ID is 25.0.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
*>i4.4.4.4/32       14.0.0.4         0    100      0 4 i
*> 5.5.5.5/32       25.0.0.5         0             0 5 i
R2#show ip bgp neighbors 25.0.0.5 advertised-routes
BGP table version is 5, local router ID is 25.0.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
*>i4.4.4.4/32       14.0.0.4         0    100      0 4 i
R5#show ip route 4.4.4.4
Routing entry for 4.4.4.4/32
  Known via "bgp 5", distance 20, metric 0
  Tag 1, type external
  Last update from 25.0.0.2 00:03:47 ago
  Routing Descriptor Blocks:
  * 25.0.0.2, from 25.0.0.2, 00:03:47 ago
      Route metric is 0, traffic share count is 1
      AS Hops 2
R5#debug ip icmp
ICMP packet debugging is on
R5#ping 4.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
ICMP: dst (25.0.0.5) host unreachable rcv from 23.0.0.3
Synchronization On, After Redistribution
(turn synchronization back on and redistribute)
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip prefix-list R4_LOOPBACK permit 4.4.4.4/32
(match R4's loopback)
R1(config)#route-map R4_LOOPBACK permit 10
R1(config-route-map)#match ip address prefix-list R4_LOOPBACK
R1(config-route-map)#router ospf 1
R1(config-router)#redistribute bgp 1 subnets route-map R4_LOOPBACK
(under the OSPF process, redistribute R4's loopback in)
R1(config-router)#router bgp 1
R1(config-router)#synchronization
R1(config-router)#end
R1#
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#ip prefix-list R5_LOOPBACK permit 5.5.5.5/32
R2(config)#route-map R5_LOOPBACK permit 10
R2(config-route-map)#match ip address prefix-list R5_LOOPBACK
R2(config-route-map)#router ospf 1
R2(config-router)#redistribute bgp 1 subnets route-map R5_LOOPBACK
R2(config-router)#router bgp 1
R2(config-router)#synchronization
R2(config-router)#end
R2#
R1#show ip route 5.5.5.5
Routing entry for 5.5.5.5/32
  Known via "ospf 1", distance 110, metric 1
  (the red text shows that R1 has now learned R5's loopback through OSPF)
  Tag 5, type extern 2, forward metric 855
  Last update from 13.0.0.3 on Serial0/1, 00:01:43 ago
  Routing Descriptor Blocks:
  * 13.0.0.3, from 25.0.0.2, 00:01:43 ago, via Serial0/1
      Route metric is 1, traffic share count is 1
R1#show ip bgp
BGP table version is 8, local router ID is 14.0.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
*> 4.4.4.4/32       14.0.0.4         0             0 4 i
r>i5.5.5.5/32       25.0.0.5         0    100      0 5 i
(R1 has now made 5.5.5.5/32 best, but notice the r in front of it: 5.5.5.5/32 learned via OSPF has administrative distance 110, lower than the IBGP distance 200 of the route learned from R2, so it is shown as r. The reason can be seen with sh ip bgp rib, which will show high AD.)
R1#show ip bgp 5.5.5.5
BGP routing table entry for 5.5.5.5/32, version 8
Paths: (1 available, best #1, table Default-IP-Routing-Table, RIB-failure(17))
  Advertised to non peer-group peers:
  14.0.0.4
  5
    25.0.0.5 (metric 855) from 23.0.0.2 (25.0.0.2)
      Origin IGP, metric 0, localpref 100, valid, internal, synchronized, best
R4#show ip route 5.5.5.5
Routing entry for 5.5.5.5/32
  Known via "bgp 4", distance 20, metric 0
  Tag 1, type external
  Last update from 14.0.0.1 00:00:57 ago
  Routing Descriptor Blocks:
  * 14.0.0.1, from 14.0.0.1, 00:00:57 ago
      Route metric is 0, traffic share count is 1
      AS Hops 2
R4#ping 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/61/69 ms
R2#show ip route 4.4.4.4
Routing entry for 4.4.4.4/32
  Known via "ospf 1", distance 110, metric 1
  Tag 4, type extern 2, forward metric 855
  Last update from 23.0.0.3 on Serial0/1, 00:03:23 ago
  Routing Descriptor Blocks:
  * 23.0.0.3, from 14.0.0.1, 00:03:23 ago, via Serial0/1
      Route metric is 1, traffic share count is 1
R2#show ip bgp
BGP table version is 7, local router ID is 25.0.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
r>i4.4.4.4/32       14.0.0.4         0    100      0 4 i
*> 5.5.5.5/32       25.0.0.5         0             0 5 i
R2#show ip bgp 4.4.4.4
BGP routing table entry for 4.4.4.4/32, version 7
Paths: (1 available, best #1, table Default-IP-Routing-Table, RIB-failure(17))
  Advertised to non peer-group peers:
  25.0.0.5
  (only once R2 itself has made it best is it passed on to R5)
  4
    14.0.0.4 (metric 855) from 13.0.0.1 (14.0.0.1)
      Origin IGP, metric 0, localpref 100, valid, internal, synchronized, best
R5#show ip route 4.4.4.4
Routing entry for 4.4.4.4/32
  Known via "bgp 5", distance 20, metric 0
  Tag 1, type external
  Last update from 25.0.0.2 00:12:21 ago
  Routing Descriptor Blocks:
  * 25.0.0.2, from 25.0.0.2, 00:12:21 ago
      Route metric is 0, traffic share count is 1
      AS Hops 2
R5#ping 4.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/61/68 ms
Note: when an AS contains routers that do not run BGP, redistribution is one method, but in today's networks this method obviously no longer works; the next lab is, in my personal opinion, at least better than redistribution.
Lab 3. Transiting Non-BGP Speaking Devices: Tunneling
Objective: Configure the network so that hosts on VLAN 5 can reach hosts on VLAN 43. R3 will not participate in BGP routing. Configure a GRE tunnel between R1 and R2 to accomplish this
Directions
Configure the topology per the diagram
Configure EIGRP AS 2 on the links between R1 & R3 and R2 & R3
Configure a tunnel between R1 and R2 using the subnet 155.X.12.0/24
Configure BGP on R1, R2, R4, and R5 per the diagram
R1 and R2 should peer with each other over the tunnel interface
R1 should peer with R4
R2 should peer with R5
Advertise VLAN 5 into BGP on R5
Advertise VLAN 43 into BGP on R4
Final Configuration
R1:
interface Tunnel0
 (bring up the tunnel interface; a tunnel is simply a tunnel)
 ip address 155.1.12.1 255.255.255.0
 (give the tunnel interface an IP)
 tunnel source 155.1.13.1
 (source IP of the tunnel)
 tunnel destination 155.1.23.2
 (destination IP of the tunnel)
interface FastEthernet0/0
 ip address 155.1.146.1 255.255.255.0
interface Serial0/1
 ip address 155.1.13.1 255.255.255.0
router eigrp 2
 network 155.1.13.1 0.0.0.0
 no auto-summary
router bgp 2
 neighbor 155.1.12.2 remote-as 2
 (point the neighbor straight at the tunnel address)
 neighbor 155.1.12.2 next-hop-self
 (no need to explain this one, right?)
 neighbor 155.1.146.4 remote-as 3
R2:
interface Tunnel0
 ip address 155.1.12.2 255.255.255.0
 tunnel source 155.1.23.2
 tunnel destination 155.1.13.1
interface FastEthernet0/0
 ip address 192.10.1.2 255.255.255.0
interface Serial0/0
 encapsulation frame-relay
interface Serial0/0.1 point-to-point
 ip address 155.1.0.2 255.255.255.0
 frame-relay interface-dlci 205
interface Serial0/1
 ip address 155.1.23.2 255.255.255.0
router eigrp 2
 network 155.1.23.2 0.0.0.0
 no auto-summary
router bgp 2
 neighbor 155.1.0.5 remote-as 1
 neighbor 155.1.12.1 remote-as 2
 neighbor 155.1.12.1 next-hop-self
R3:
interface Serial1/2
 ip address 155.1.13.3 255.255.255.0
 clockrate 64000
interface Serial1/3
 ip address 155.1.23.3 255.255.255.0
 clockrate 64000
router eigrp 2
 network 155.1.13.3 0.0.0.0
 network 155.1.23.3 0.0.0.0
 no auto-summary
R4:
interface Ethernet0/0
 ip address 204.12.1.4 255.255.255.0
interface Ethernet0/1
 ip address 155.1.146.4 255.255.255.0
router bgp 3
 network 204.12.1.0 mask 255.255.255.0
 neighbor 155.1.146.1 remote-as 2
R5:
interface Serial0/0
 ip address 155.1.0.5 255.255.255.0
 encapsulation frame-relay
 frame-relay map ip 155.1.0.2 502 broadcast
interface Ethernet0/1
 ip address 155.1.5.5 255.255.255.0
router bgp 1
 network 155.1.5.0 mask 255.255.255.0
 neighbor 155.1.0.2 remote-as 2
Verification
R4#ping 155.1.5.5 source 204.12.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 155.1.5.5, timeout is 2 seconds:
Packet sent with a source address of 204.12.1.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 88/88/92 ms
R4#traceroute 155.1.5.5 source 204.12.1.4
Type escape sequence to abort.
Tracing the route to 155.1.5.5
  1 155.1.146.1 0 msec 4 msec 4 msec
  2 155.1.12.2 44 msec 40 msec 44 msec
    (skips R3 entirely; delivered to R2 through the tunnel)
  3 155.1.0.5 56 msec * 56 msec
R1#show ip bgp
<output omitted>
*>i155.1.5.0/24     155.1.12.2       0    100      0 1 i
*> 204.12.1.0       155.1.146.4      0             0 3 i
R2#show ip bgp
<output omitted>
*> 155.1.5.0/24     155.1.0.5        0             0 1 i
*>i204.12.1.0       155.1.12.1       0    100      0 3 i
R4#show ip bgp
<output omitted>
*> 155.1.5.0/24     155.1.146.1                    0 2 1 i
*> 204.12.1.0       0.0.0.0          0         32768 i
R5#show ip bgp
<output omitted>
*> 155.1.5.0/24     0.0.0.0          0         32768 i
*> 204.12.1.0       155.1.0.2                      0 2 3 i
R1#show ip route
<output omitted>
B    204.12.1.0/24 [20/0] via 155.1.146.4, 00:05:09
     155.1.0.0/24 is subnetted, 4 subnets
C       155.1.146.0 is directly connected, FastEthernet0/0
D       155.1.23.0 [90/21024000] via 155.1.13.3, 00:45:07, Serial0/1
C       155.1.13.0 is directly connected, Serial0/1
D EX    155.1.5.0 [170/2561024256] via 155.1.13.3, 00:16:11, Serial0/1
R2#show ip route
<output omitted>
D EX 204.12.1.0/24 [170/2561024256] via 155.1.23.3, 00:04:57, Serial0/1
     155.1.0.0/24 is subnetted, 4 subnets
C       155.1.23.0 is directly connected, Serial0/1
D       155.1.13.0 [90/21024000] via 155.1.23.3, 00:45:11, Serial0/1
C       155.1.0.0 is directly connected, Serial0/0.1
B       155.1.5.0 [20/0] via 155.1.0.5, 00:20:59
R3#show ip route
<output omitted>
D EX 204.12.1.0/24 [170/2560512256] via 155.1.13.1, 00:05:09, Serial1/2
     155.1.0.0/24 is subnetted, 3 subnets
C       155.1.23.0 is directly connected, Serial1/3
C       155.1.13.0 is directly connected, Serial1/2
D EX    155.1.5.0 [170/2560512256] via 155.1.23.2, 00:16:35, Serial1/3
R4#show ip route
<output omitted>
C    204.12.1.0/24 is directly connected, Ethernet0/0
     155.1.0.0/24 is subnetted, 2 subnets
C       155.1.146.0 is directly connected, Ethernet0/1
B       155.1.5.0 [20/0] via 155.1.146.1, 00:03:34
R5#show ip route
<output omitted>
B    204.12.1.0/24 [20/0] via 155.1.0.2, 00:04:12
     155.1.0.0/24 is subnetted, 2 subnets
C       155.1.0.0 is directly connected, Serial0/0
C       155.1.5.0 is directly connected, Ethernet0/1
Note: there does not seem to be much to note here; it is all readable.
Lab 4. BGP Bestpath Selection: Weight
Objective: Configure the BGP Weight attribute on R3 so that traffic from R3's Ethernet segment going to VLAN 5 is first sent to R1
Directions
Configure the topology per the diagram
Configure BGP on R1, R3, R4, and R5 per the diagram
R1 should peer with R3 and R4
R5 should peer with R3 and R5
Advertise R3's Ethernet segment into BGP
Advertise R5's Ethernet segment into BGP
Configure BGP weight on R3 so that routes coming from R1 are preferred over those coming from R5
Final Configuration
R1:
interface FastEthernet0/0
 ip address 155.1.146.1 255.255.255.0
interface Serial0/1
 ip address 155.1.13.1 255.255.255.0
router bgp 2
 neighbor 155.1.13.3 remote-as 2
 neighbor 155.1.13.3 next-hop-self
 neighbor 155.1.146.4 remote-as 1
R3:
interface Serial1/2
 ip address 155.1.13.3 255.255.255.0
 clockrate 64000
router bgp 2
 network 155.1.37.0 mask 255.255.255.0
 neighbor 155.1.0.5 remote-as 1
 neighbor 155.1.13.1 remote-as 2
 neighbor 155.1.13.1 next-hop-self
 neighbor 155.1.13.1 route-map WEIGHT in
 (the route-map applies the policy: by default routes learned from a peer have weight 0; setting the weight of routes from R1 to 100 naturally makes R1 preferred)
route-map WEIGHT permit 10
 set weight 100
R4:
interface Ethernet0/1
 ip address 155.1.146.4 255.255.255.0
 half-duplex
interface Serial0/1
 ip address 155.1.45.4 255.255.255.0
router bgp 1
 neighbor 155.1.45.5 remote-as 1
 neighbor 155.1.45.5 next-hop-self
 neighbor 155.1.146.1 remote-as 2
R5:
interface Serial0/0
 ip address 155.1.0.5 255.255.255.0
 encapsulation frame-relay
 frame-relay map ip 155.1.0.3 503 broadcast
 no frame-relay inverse-arp
interface Ethernet0/1
 ip address 155.1.5.5 255.255.255.0
interface Serial0/1
 ip address 155.1.45.5 255.255.255.0
 clockrate 64000
router bgp 1
 network 155.1.5.0 mask 255.255.255.0
 neighbor 155.1.0.3 remote-as 2
 neighbor 155.1.45.4 remote-as 1
 neighbor 155.1.45.4 next-hop-self
Verification
Rack1R3#traceroute 155.1.5.5 source 155.1.37.3
Type escape sequence to abort.
Tracing the route to 155.1.5.5
  1 155.1.13.1 16 msec 16 msec 16 msec
    (goes via R1)
  2 155.1.146.4 16 msec 16 msec 16 msec
  3 155.1.45.5 32 msec * 28 msec
Rack1R3#show ip bgp 155.1.5.0 255.255.255.0
BGP routing table entry for 155.1.5.0/24, version 6
Paths: (2 available, best #1, table Default-IP-Routing-Table)
Flag: 0x800
  Advertised to update-groups:
     2
  1
    155.1.13.1 from 155.1.13.1 (155.1.146.1)
      Origin IGP, metric 0, localpref 100, weight 100, valid, internal, best
  1
    155.1.0.5 from 155.1.0.5 (155.1.45.5)
      Origin IGP, metric 0, localpref 100, valid, external
Rack1R1#show ip bgp
<output omitted>
*> 155.1.5.0/24     155.1.146.4                    0 1 i
*>i155.1.37.0/24    155.1.13.3       0    100      0 i
Rack1R3#show ip bgp
*>i155.1.5.0/24     155.1.13.1       0    100    100 1 i
*                   155.1.0.5        0             0 1 i
*> 155.1.37.0/24    0.0.0.0          0         32768 i
Rack1R4#show ip bgp
<output omitted>
*>i155.1.5.0/24     155.1.45.5       0    100      0 i
*> 155.1.37.0/24    155.1.146.1                    0 2 i
* i                 155.1.45.5       0    100      0 2 i
Rack1R5#show ip bgp
<output omitted>
*> 155.1.5.0/24     0.0.0.0          0         32768 i
* i155.1.37.0/24    155.1.45.4       0    100      0 2 i
*>                  155.1.0.3        0             0 2 i
Rack1R1#show ip route
<output omitted>
     155.1.0.0/24 is subnetted, 4 subnets
C       155.1.146.0 is directly connected, FastEthernet0/0
C       155.1.13.0 is directly connected, Serial0/1
B       155.1.5.0 [20/0] via 155.1.146.4, 00:02:39
B       155.1.37.0 [200/0] via 155.1.13.3, 00:02:39
Rack1R3#show ip route
<output omitted>
     155.1.0.0/24 is subnetted, 4 subnets
C       155.1.13.0 is directly connected, Serial1/2
C       155.1.0.0 is directly connected, Serial1/0.1
B       155.1.5.0 [200/0] via 155.1.13.1, 00:02:16
C       155.1.37.0 is directly connected, Ethernet0/0
Rack1R4#show ip route
<output omitted>
     155.1.0.0/24 is subnetted, 4 subnets
C       155.1.146.0 is directly connected, Ethernet0/1
B       155.1.5.0 [200/0] via 155.1.45.5, 00:09:03
C       155.1.45.0 is directly connected, Serial0/1
B       155.1.37.0 [20/0] via 155.1.146.1, 00:08:44
Rack1R5#show ip route <output omitted> 155.1.0.0/24 is subnetted, 4 subnets C 155.1.0.0 is directly connected, Serial0/0 C 155.1.5.0 is directly connected, Ethernet0/1 C 155.1.45.0 is directly connected, Serial0/1 B 155.1.37.0 [20/0] via 155.1.0.3, 00:04:47 为了减少篇幅, 以下一些实验, 会只写关键配置, 基础配置同前面一样 实验五. BGP Bestpath Selection Local Preference Objective: Configure the BGP Local Preference attribute in AS 2 so that traffic from R3 s Ethernet segment going to VLAN 5 is first sent to R1 Directions Configure the topology per the diagram Configure BGP on R1, R3, R4, and R5 per the diagram R1 should peer with R3 and R4 R5 should peer with R3 and R5 Advertise R3 s Ethernet segment into BGP Advertise R5 s Ethernet segment into BGP Configure BGP Local Preference on R3 so that routes coming from R1 are preferred over those coming from R5 R3: router bgp 2 network 155.1.37.0 mask 255.255.255.0 neighbor 155.1.0.5 remote-as 1 neighbor 155.1.13.1 remote-as 2 neighbor 155.1.13.1 next-hop-self neighbor 155.1.13.1 route-map LOCAL_PREFERENCE in route-map LOCAL_PREFERENCE permit 10 set local-preference 200 默认为 100
Verification
Rack1R3#traceroute 155.1.5.5 source 155.1.37.3
Type escape sequence to abort.
Tracing the route to 155.1.5.5
  1 155.1.13.1 16 msec 16 msec 16 msec
  2 155.1.146.4 16 msec 16 msec 16 msec
  3 155.1.45.5 32 msec * 28 msec

Rack1R3#show ip bgp 155.1.5.0
BGP routing table entry for 155.1.5.0/24, version 5
Paths: (2 available, best #1, table Default-IP-Routing-Table)
  Advertised to update-groups:
     2
  1
    155.1.13.1 from 155.1.13.1 (155.1.146.1)
      Origin IGP, metric 0, localpref 200, valid, internal, best
  1
    155.1.0.5 from 155.1.0.5 (155.1.45.5)
      Origin IGP, metric 0, localpref 100, valid, external

Rack1R3#show ip bgp
<output omitted>
*>i155.1.5.0/24 155.1.13.1 0 200 0 1 i
* 155.1.0.5 0 100 1 i
*> 155.1.37.0/24 0.0.0.0 0 32768 i

Experiment 6. BGP Bestpath Selection MED

Objective: Configure the BGP MED in AS 1 so that traffic from R3's Ethernet segment going to VLAN 5 is first sent to R1

Directions
  Configure the topology per the diagram
  Configure BGP on R1, R3, R4, and R5 per the diagram
  R1 should peer with R3 and R4
  R5 should peer with R3 and R5
  Advertise R3's Ethernet segment into BGP
  Advertise R5's Ethernet segment into BGP
  Configure BGP MED outbound on R4 and R5 towards AS 2

When a router receives the same prefix from the same AS with different MED values, and all higher-priority attributes are equal, it selects the path with the lower MED as best. Only R4 and R5 need configuration:

R4:
interface Ethernet0/1
 ip address 155.1.146.4 255.255.255.0
 half-duplex
interface Serial0/1
 ip address 155.1.45.4 255.255.255.0
router bgp 1
 neighbor 155.1.45.5 remote-as 1
 neighbor 155.1.45.5 next-hop-self
 neighbor 155.1.146.1 remote-as 2
 neighbor 155.1.146.1 route-map MED out
route-map MED permit 10
 set metric 100

R5:
interface Serial0/0
 ip address 155.1.0.5 255.255.255.0
 encapsulation frame-relay
 frame-relay map ip 155.1.0.3 503 broadcast
 no frame-relay inverse-arp
interface Ethernet0/1
 ip address 155.1.5.5 255.255.255.0
interface Serial0/1
 ip address 155.1.45.5 255.255.255.0
 clockrate 64000
router bgp 1
 network 155.1.5.0 mask 255.255.255.0
 neighbor 155.1.0.3 remote-as 2
 neighbor 155.1.0.3 route-map MED out
 neighbor 155.1.45.4 remote-as 1
 neighbor 155.1.45.4 next-hop-self
route-map MED permit 10
 set metric 200

Verification
Rack1R3#traceroute 155.1.5.5 source 155.1.37.3
Type escape sequence to abort.
Tracing the route to 155.1.5.5
  1 155.1.13.1 16 msec 16 msec 16 msec    (via R1)
  2 155.1.146.4 16 msec 16 msec 16 msec
  3 155.1.45.5 32 msec * 28 msec

Rack1R3#show ip bgp 155.1.5.0 255.255.255.0
BGP routing table entry for 155.1.5.0/24, version 8
Paths: (2 available, best #1, table Default-IP-Routing-Table)
Flag: 0x800
  Advertised to update-groups:
     2
  1
    155.1.13.1 from 155.1.13.1 (155.1.146.1)
      Origin IGP, metric 100, localpref 100, valid, internal, best
  1
    155.1.0.5 from 155.1.0.5 (155.1.45.5)
      Origin IGP, metric 200, localpref 100, valid, external

Rack1R3#show ip bgp
<output omitted>
*>i155.1.5.0/24 155.1.13.1 100 100 0 1 i
* 155.1.0.5 200 0 1 i
*> 155.1.37.0/24 0.0.0.0 0 32768 i

Rack1R3#show ip route
<output omitted>
     155.1.0.0/24 is subnetted, 4 subnets
C       155.1.13.0 is directly connected, Serial1/2
C       155.1.0.0 is directly connected, Serial1/0.1
B       155.1.5.0 [200/100] via 155.1.13.1, 00:05:53
C       155.1.37.0 is directly connected, Ethernet0/0
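The weight, local preference and MED experiments above (and the origin experiment that follows) all drive the same best-path decision process on R3. The Python model below is an added example, not part of these notes: the Path fields and step names are my own, and the two route entries are constructed to mirror R3's "show ip bgp 155.1.5.0" output above. It also shows why any manipulation is needed at all: with default attributes the eBGP path from R5 wins at the eBGP-over-iBGP step, so R3 would go directly to R5 rather than via R1.

```python
"""Model of the first steps of the Cisco BGP best-path decision process.

Added example (not from the notes). Route entries are constructed to mirror the
'show ip bgp 155.1.5.0' output on R3 in the weight, local-preference, MED and
origin experiments. Later steps of the real algorithm (oldest path, cluster
list length, neighbour address) are not modelled.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Origin codes as ranked by the decision process: lower is preferred.
ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass
class Path:
    next_hop: str
    as_path: List[int] = field(default_factory=list)
    weight: int = 0             # Cisco-local attribute; 32768 for locally originated routes
    local_pref: int = 100       # default LOCAL_PREF
    origin: str = "igp"
    med: int = 0
    ebgp: bool = True           # learned from an eBGP peer (False = iBGP)
    igp_metric: int = 0         # IGP cost to reach the next hop
    router_id: str = "0.0.0.0"  # BGP router ID of the advertising peer


def _rid(router_id: str) -> Tuple[int, ...]:
    return tuple(int(octet) for octet in router_id.split("."))


def prefer(a: Path, b: Path) -> Tuple[Path, str]:
    """Return (winner, name of the step that decided) for two paths to one prefix."""
    if a.weight != b.weight:
        return (a if a.weight > b.weight else b), "weight"
    if a.local_pref != b.local_pref:
        return (a if a.local_pref > b.local_pref else b), "local-preference"
    if len(a.as_path) != len(b.as_path):
        return (a if len(a.as_path) < len(b.as_path) else b), "as-path length"
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:
        return (a if ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin] else b), "origin"
    # MED is only compared between paths received from the same neighbouring AS
    # (first AS in the path) unless 'bgp always-compare-med' is configured.
    if a.as_path[:1] == b.as_path[:1] and a.med != b.med:
        return (a if a.med < b.med else b), "med"
    if a.ebgp != b.ebgp:
        return (a if a.ebgp else b), "ebgp over ibgp"
    if a.igp_metric != b.igp_metric:
        return (a if a.igp_metric < b.igp_metric else b), "igp metric"
    return (a if _rid(a.router_id) <= _rid(b.router_id) else b), "router-id"


def best_path(paths: List[Path]) -> Tuple[Path, str]:
    """Reduce a list of paths to the best one, reporting the last deciding step."""
    best, why = paths[0], "only path"
    for candidate in paths[1:]:
        best, why = prefer(best, candidate)
    return best, why


# --- Constructed entries mirroring R3's table for 155.1.5.0/24 -----------------
def via_r1(**attrs) -> Path:
    """iBGP path through R1 (next hop 155.1.13.1, advertised by R1, RID 155.1.146.1)."""
    return Path("155.1.13.1", [1], ebgp=False, router_id="155.1.146.1", **attrs)


def via_r5(**attrs) -> Path:
    """eBGP path straight from R5 (next hop 155.1.0.5, RID 155.1.45.5)."""
    return Path("155.1.0.5", [1], ebgp=True, router_id="155.1.45.5", **attrs)


def scenarios():
    """Which next hop R3 picks in each experiment, and the step that decided it."""
    return {
        "default":    best_path([via_r5(), via_r1()]),
        "weight":     best_path([via_r5(), via_r1(weight=100)]),
        "local-pref": best_path([via_r5(), via_r1(local_pref=200)]),
        "med":        best_path([via_r5(med=200), via_r1(med=100)]),
        "origin":     best_path([via_r5(origin="incomplete"), via_r1()]),
    }


if __name__ == "__main__":
    for name, (path, step) in scenarios().items():
        print(f"{name:11s} -> {path.next_hop:12s} decided by {step}")
```

Running it prints one line per experiment; the "default" case resolves at the eBGP-over-iBGP step in favour of 155.1.0.5, while the other four resolve at the attribute each experiment sets, in favour of 155.1.13.1.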
Experiment 7. BGP Bestpath Selection Origin

Objective: Modify the BGP Origin code in AS 2 so that traffic from R3's Ethernet segment going to VLAN 5 is first sent to R1

Directions
  Configure the topology per the diagram
  Configure BGP on R1, R3, R4, and R5 per the diagram
  R1 should peer with R3 and R4
  R5 should peer with R3 and R5
  Advertise R3's Ethernet segment into BGP
  Advertise R5's Ethernet segment into BGP
  Configure R3 so that the Origin of the route learned from R1 is preferred over the one learned from R5

IGP: learned from inside the AS, ORIGIN value 0
EGP: NLRI learned via EGP, ORIGIN value 1
Incomplete: NLRI obtained by other means, ORIGIN value 3
The prefix with the lower ORIGIN value is preferred: IGP > EGP > redistributed

R3:
interface Serial1/2
 ip address 155.1.13.3 255.255.255.0
 clockrate 64000
router bgp 2
 network 155.1.37.0 mask 255.255.255.0
 neighbor 155.1.0.5 remote-as 1
 neighbor 155.1.0.5 route-map ORIGIN in
 neighbor 155.1.13.1 remote-as 2
 neighbor 155.1.13.1 next-hop-self
route-map ORIGIN permit 10
 set origin incomplete

Note: this deserves a word. The BGP update R5 sends for VLAN 5 carries an origin attribute. R5 sends it to R3 and also to R4, and R4 forwards it on to R1 with the same origin attribute. Changing the origin of the route learned directly from R5 to incomplete therefore makes R3 prefer the path through R1 to reach VLAN 5 on R5.

Verification
Rack1R3#traceroute 155.1.5.5 source 155.1.37.3
Type escape sequence to abort.
Tracing the route to 155.1.5.5
  1 155.1.13.1 16 msec 16 msec 16 msec    (via R1)
  2 155.1.146.4 16 msec 16 msec 16 msec
  3 155.1.45.5 32 msec * 28 msec

Rack1R3#show ip bgp 155.1.5.0 255.255.255.0
BGP routing table entry for 155.1.5.0/24, version 9
Paths: (2 available, best #1, table Default-IP-Routing-Table)
  Advertised to update-groups:
     2
  1
    155.1.13.1 from 155.1.13.1 (155.1.146.1)
      Origin IGP, metric 0, localpref 100, valid, internal, best
  1
    155.1.0.5 from 155.1.0.5 (155.1.45.5)
      Origin incomplete, metric 0, localpref 100, valid, external

Rack1R3#show ip bgp
<output omitted>
Origin codes: i - IGP, e - EGP, ? - incomplete
*>i155.1.5.0/24 155.1.13.1 0 100 0 1 i
* 155.1.0.5 0 0 1 ?
*> 155.1.37.0/24 0.0.0.0 0 32768 i    (locally originated)

Rack1R3#show ip route
<output omitted>
     155.1.0.0/24 is subnetted, 4 subnets
C       155.1.13.0 is directly connected, Serial1/2
C       155.1.0.0 is directly connected, Serial1/0.1
B       155.1.5.0 [200/0] via 155.1.13.1, 00:05:53
C       155.1.37.0 is directly connected, Ethernet0/0

Next, a few commonly used BGP community attributes:

Experiment 8. BGP Communities No-Export

Objective: Configure AS 2 using the community No-Export so that hosts on R3's Ethernet have access to VLANs 5 and 43 but AS 1 and AS 3 cannot reach VLANs 43 and 5 respectively
Directions
  Configure the topology per the diagram
  Configure EIGRP AS 2 on the links between R1 & R3 and R2 & R3
  Configure BGP on R1, R2, R3, R4, and R5 per the diagram
  R1 should peer with R4
  R2 should peer with R5
  R1, R2, and R3 should all peer with each other
  Advertise R3's Ethernet into BGP on R3
  Advertise VLAN 5 into BGP on R5
  Advertise VLAN 43 into BGP on R4
  Configure the community No-Export on R1 and R2 so that routes coming from AS 1 are not passed to AS 3 and vice-versa

R1:
router bgp 2
 neighbor 155.1.13.3 remote-as 2
 neighbor 155.1.13.3 next-hop-self
 neighbor 155.1.23.2 remote-as 2
 neighbor 155.1.23.2 next-hop-self
 neighbor 155.1.23.2 send-community
! By default the BGP community attribute is not sent to peers, so neighbor
! send-community is needed to enable it, i.e. to pass the community on to the
! peer (if the community is no-advertise this command is not needed).
 neighbor 155.1.146.4 remote-as 3
 neighbor 155.1.146.4 route-map NO_EXPORT in
route-map NO_EXPORT permit 10
 set community no-export

R2:
router bgp 2
 neighbor 155.1.0.5 remote-as 1
 neighbor 155.1.0.5 route-map NO_EXPORT in
 neighbor 155.1.13.1 remote-as 2
 neighbor 155.1.13.1 next-hop-self
 neighbor 155.1.13.1 send-community
 neighbor 155.1.23.3 remote-as 2
 neighbor 155.1.23.3 next-hop-self
route-map NO_EXPORT permit 10
 set community no-export

When R1 and R2 receive routes carrying the no-export community, the routes may be advertised within the AS but the AS must not advertise them to other ASes: R2 will not forward the VLAN 43 route to R5, and R1 will not forward the VLAN 5 route to R4. The desired result is that only R3's Ethernet can ping VLAN 43 and VLAN 5, while VLAN 43 and VLAN 5 cannot reach each other.

Verification
Rack1R3#ping 155.1.5.5 source 155.1.37.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 155.1.5.5, timeout is 2 seconds:
Packet sent with a source address of 155.1.37.3
Success rate is 100 percent (5/5), round-trip min/avg/max = 84/86/88 ms

Rack1R3#ping 204.12.1.4 source 155.1.37.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 204.12.1.4, timeout is 2 seconds:
Packet sent with a source address of 155.1.37.3
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/31/32 ms

Rack1R4#show ip bgp
BGP table version is 3, local router ID is 150.1.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
*> 155.1.37.0/24 155.1.146.1 0 2 i
*> 204.12.1.0 0.0.0.0 0 32768 i
(R4 does not learn R5's VLAN 5)

Rack1R5#show ip bgp
BGP table version is 3, local router ID is 150.1.5.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
*> 155.1.5.0/24 0.0.0.0 0 32768 i
*> 155.1.37.0/24 155.1.0.2 0 2 i
(R5 does not learn R4's VLAN 43)

Rack1R1#show ip bgp 155.1.5.0
BGP routing table entry for 155.1.5.0/24, version 3
Paths: (1 available, best #1, table Default-IP-Routing-Table, not advertised to EBGP peer)
  Not advertised to any peer
  1
    155.1.23.2 (metric 21024000) from 155.1.23.2 (150.1.2.2)
      Origin IGP, metric 0, localpref 100, valid, internal, best
      Community: no-export

Rack1R2#show ip bgp 204.12.1.0
BGP routing table entry for 204.12.1.0/24, version 2
Paths: (1 available, best #1, table Default-IP-Routing-Table, not advertised to EBGP peer)
  Not advertised to any peer
  3
    155.1.13.1 (metric 21024000) from 155.1.13.1 (150.1.1.1)
      Origin IGP, metric 0, localpref 100, valid, internal, best
      Community: no-export

Experiment 9. BGP Communities No-Advertise

Objective: Configure R2 using the community No-Advertise so that hosts on R3's Ethernet, VLAN 5, and VLAN 43 all have access to each other but only R2 has access to VLAN 58

Directions
  Configure the topology per the diagram
  Configure EIGRP AS 2 on the links between R1 & R3 and R2 & R3
  Configure BGP on R1, R2, R3, R4, and R5 per the diagram
  R1 should peer with R4
  R2 should peer with R5
  R1, R2, and R3 should all peer with each other
  Advertise R3's Ethernet into BGP on R3
  Advertise VLANs 5 and 58 into BGP on R5
  Advertise VLAN 43 into BGP on R4
  Configure the community No-Advertise on R2 so that VLAN 58 is not advertised to any neighbor

R2:
router bgp 2
 neighbor 155.1.0.5 remote-as 1
 neighbor 155.1.0.5 route-map NO_ADVERTISE in
! neighbor send-community is not needed here
 neighbor 155.1.13.1 remote-as 2
 neighbor 155.1.13.1 next-hop-self
 neighbor 155.1.23.3 remote-as 2
 neighbor 155.1.23.3 next-hop-self
ip prefix-list VLAN58 permit 155.1.58.0/24
! matches R5's VLAN 58; the goal is that only R2 can reach VLAN 58 on R5
route-map NO_ADVERTISE permit 10
 match ip address prefix-list VLAN58
 set community no-advertise
! set the community attribute
route-map NO_ADVERTISE permit 20
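The no-export and no-advertise experiments above, the route-reflector experiment that follows, and the local-as community introduced later with confederations all come down to one outbound decision per peer: does this route go to this neighbour, and does the community travel with it. The Python model below is an added example, not part of these notes; the Route and Peer classes and the peer kinds "ibgp", "confed" and "ebgp" are my own naming. It carries communities across a session only when send-community is set, so it reproduces the failure mode the comment in R1's configuration warns about: if R2 tags the VLAN 5 route no-export but does not send the community to R1, R1 has nothing to honour and exports the route to R4.

```python
"""Outbound handling of BGP communities (no-export, no-advertise, local-as),
'neighbor send-community', and the iBGP / route-reflector readvertisement rule.

Added example (not from the notes). Class names and peer kinds are my own;
the walkthrough functions use the prefixes from the community experiments.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

NO_EXPORT = "no-export"        # stay inside the AS (or the whole confederation)
NO_ADVERTISE = "no-advertise"  # do not pass to any peer at all
LOCAL_AS = "local-as"          # IOS name for no-export-subconfed: stay inside the sub-AS


@dataclass(frozen=True)
class Route:
    prefix: str
    learned_from: str                          # "local", "ibgp", "confed" or "ebgp"
    communities: FrozenSet[str] = frozenset()
    from_rr_client: bool = False               # received from one of our RR clients


@dataclass(frozen=True)
class Peer:
    kind: str                  # "ibgp" (same AS / sub-AS), "confed" (other sub-AS), "ebgp"
    send_community: bool = False
    rr_client: bool = False    # this peer is a route-reflector client of ours


def set_community(route: Route, *communities: str) -> Route:
    """'set community ...' in an inbound route-map (replaces, not additive)."""
    return Route(route.prefix, route.learned_from, frozenset(communities), route.from_rr_client)


def should_advertise(route: Route, peer: Peer, i_am_rr: bool = False) -> bool:
    if NO_ADVERTISE in route.communities:
        return False
    if NO_EXPORT in route.communities and peer.kind == "ebgp":
        return False
    if LOCAL_AS in route.communities and peer.kind in ("ebgp", "confed"):
        return False
    # A route learned from an iBGP peer is not passed to another iBGP peer unless
    # we are a route reflector and either side of the exchange is a client.
    if route.learned_from == "ibgp" and peer.kind == "ibgp":
        return i_am_rr and (route.from_rr_client or peer.rr_client)
    return True


def advertise(route: Route, peer: Peer, i_am_rr: bool = False) -> Optional[Route]:
    """The route as the peer receives it, or None if withheld. Communities travel
    only when 'neighbor ... send-community' is configured towards that peer."""
    if not should_advertise(route, peer, i_am_rr):
        return None
    comms = route.communities if peer.send_community else frozenset()
    return Route(route.prefix, peer.kind, comms)


def vlan5_reaches_as3(r2_sends_community: bool) -> bool:
    """Experiment 8: R5 (AS 1) -> R2 -> R1 -> R4 (AS 3) for 155.1.5.0/24.
    R2 tags the route no-export inbound from R5; R1 decides whether to export it."""
    at_r2 = set_community(Route("155.1.5.0/24", "ebgp"), NO_EXPORT)
    at_r1 = advertise(at_r2, Peer("ibgp", send_community=r2_sends_community))
    if at_r1 is None:
        return False
    return advertise(at_r1, Peer("ebgp")) is not None


def vlan43_reaches_r2(r3_is_rr: bool) -> bool:
    """Experiment 10: R4 (AS 3) -> R1 -> R3 -> R2 for 204.12.1.0/24. R1 and R2 peer
    only with R3, so R2 sees the route only if R3 reflects it."""
    at_r3 = advertise(Route("204.12.1.0/24", "ebgp"), Peer("ibgp"))
    at_r3 = Route(at_r3.prefix, at_r3.learned_from, at_r3.communities, from_rr_client=r3_is_rr)
    return advertise(at_r3, Peer("ibgp", rr_client=r3_is_rr), i_am_rr=r3_is_rr) is not None


def vlan43_reaches_r2_in_confederation() -> bool:
    """Experiment 12: inside confederation AS 2, R1 tags the route local-as and sends
    it (with the community) to R3 in sub-AS 65013; R3 may not pass it to R2 in 65002."""
    at_r1 = set_community(Route("204.12.1.0/24", "ebgp"), LOCAL_AS)
    at_r3 = advertise(at_r1, Peer("ibgp", send_community=True))
    return advertise(at_r3, Peer("confed")) is not None
```

The no-advertise case needs no send-community because the tagged route is never sent in the first place; no-export and local-as, by contrast, only work if the router that tags the route also forwards the community to the iBGP peers that will later face an external or sub-AS neighbour.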
Verification
Rack1R2#show ip bgp 155.1.58.0
BGP routing table entry for 155.1.58.0/24, version 4
Paths: (1 available, best #1, table Default-IP-Routing-Table, not advertised to any peer)
  Not advertised to any peer
  1
    155.1.0.5 from 155.1.0.5 (150.1.5.5)
      Origin IGP, metric 0, localpref 100, valid, external, best
      Community: no-advertise

Rack1R2#ping 155.1.58.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 155.1.58.5, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/59/60 ms
(No other router can ping it)

Rack1R2#show ip bgp
BGP table version is 5, local router ID is 150.1.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
*> 155.1.5.0/24 155.1.0.5 0 0 1 i
*>i155.1.37.0/24 155.1.23.3 0 100 0 i
*> 155.1.58.0/24 155.1.0.5 0 0 1 i
*>i204.12.1.0 155.1.13.1 0 100 0 3 i
(No other router has a route to 155.1.58.0/24)

There is one more community attribute, local-as; it is covered after confederation.

To avoid a full mesh of IBGP sessions, we can use route reflectors (RR) and confederations.

Experiment 10. BGP Route Reflection

Objective: Configure R3 as a route reflector for R1 and R2 so that hosts on R3's Ethernet, VLAN 5, and VLAN 43 all have access to each other

Directions
  Configure the topology per the diagram
  Configure EIGRP AS 2 on the links between R1 & R3 and R2 & R3
  Configure BGP on R1, R2, R3, R4, and R5 per the diagram
  R1 should peer with R4
  R2 should peer with R5
  R3 should peer with and be a route reflector for R1 and R2
  Advertise R3's Ethernet into BGP on R3
  Advertise VLAN 5 into BGP on R5
  Advertise VLAN 43 into BGP on R4

Configure R3 as the route reflector:

R3:
router bgp 2
 network 155.1.37.0 mask 255.255.255.0
 neighbor 155.1.13.1 remote-as 2
 neighbor 155.1.13.1 route-reflector-client
 neighbor 155.1.23.2 remote-as 2
 neighbor 155.1.23.2 route-reflector-client

Note: one or more routers can act as route reflectors, with the other routers configured as clients of that route reflector. A route reflector reflects the routes it learns from one client to the other clients. When several route reflectors are used, those in the same cluster must be configured with the same ID, the cluster ID. A cluster consists of the route reflectors and their clients. When clustered route reflectors are used, the cluster IDs carried in the cluster list are used for loop detection within the local AS. Command: bgp cluster-id 32-bit_id

Experiment 11. BGP Confederation

Objective: Configure R1, R2, and R3 in confederation so that AS 1 and AS 3 see them as all belonging to AS 2
Directions
  Configure the topology per the diagram
  Configure BGP on R1, R2, R3, R4, and R5 per the diagram
  R1 and R3 should use the private AS 65013 and the public AS 2
  R2 should use the private AS 65002 and the public AS 2
  R1 should peer with R3 and R4
  R2 should peer with R3 and R5
  Advertise R3's Ethernet into BGP on R3
  Advertise VLAN 5 into BGP on R5
  Advertise VLAN 43 into BGP on R4

R1:
interface FastEthernet0/0
 ip address 155.1.146.1 255.255.255.0
interface Serial0/1
 ip address 155.1.13.1 255.255.255.0
router eigrp 2
 network 155.1.13.1 0.0.0.0
 no auto-summary
router bgp 65013
! the sub-AS number (64512-65535)
 bgp confederation identifier 2
! to EBGP neighbours this router still appears as AS 2
 neighbor 155.1.13.3 remote-as 65013
 neighbor 155.1.13.3 next-hop-self
 neighbor 155.1.146.4 remote-as 3

R2:
interface FastEthernet0/0
 ip address 192.10.1.2 255.255.255.0
interface Serial0/0
 encapsulation frame-relay
interface Serial0/0.1 point-to-point
 ip address 155.1.0.2 255.255.255.0
 frame-relay interface-dlci 205
interface Serial0/1
 ip address 155.1.23.2 255.255.255.0
router eigrp 2
 network 155.1.23.2 0.0.0.0
 no auto-summary
router bgp 65002
 bgp confederation identifier 2
 bgp confederation peers 65013
! peers in different sub-ASes are effectively in an EBGP relationship,
! so the sub-AS peering must be declared here
 neighbor 155.1.0.5 remote-as 1
 neighbor 155.1.23.3 remote-as 65013

R3:
interface Ethernet0/0
 ip address 155.1.37.3 255.255.255.0
interface Serial1/2
 ip address 155.1.13.3 255.255.255.0
 clockrate 64000
interface Serial1/3
 ip address 155.1.23.3 255.255.255.0
 clockrate 64000
router eigrp 2
 network 155.1.13.3 0.0.0.0
 network 155.1.23.3 0.0.0.0
 no auto-summary
router bgp 65013
 bgp confederation identifier 2
 bgp confederation peers 65002
 network 155.1.37.0 mask 255.255.255.0
 neighbor 155.1.13.1 remote-as 65013
 neighbor 155.1.13.1 next-hop-self
 neighbor 155.1.23.2 remote-as 65002

R4:
interface Ethernet0/0
 ip address 204.12.1.4 255.255.255.0
interface Ethernet0/1
 ip address 155.1.146.4 255.255.255.0
router bgp 3
 network 204.12.1.0
 neighbor 155.1.146.1 remote-as 2
! note: the neighbor statement uses the public AS here, not the sub-AS number

R5:
interface Serial0/0
 ip address 155.1.0.5 255.255.255.0
 encapsulation frame-relay
 frame-relay map ip 155.1.0.2 502 broadcast
interface Ethernet0/0
 ip address 155.1.58.5 255.255.255.0
interface Ethernet0/1
 ip address 155.1.5.5 255.255.255.0
router bgp 1
 network 155.1.5.0 mask 255.255.255.0
 neighbor 155.1.0.2 remote-as 2

Verification
Rack1R1#show ip bgp
BGP table version is 4, local router ID is 150.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
*>i155.1.5.0/24 155.1.13.3 0 100 0 (65002) 1 i
*>i155.1.37.0/24 155.1.13.3 0 100 0 i
*> 204.12.1.0 155.1.146.4 0 0 3 i

Rack1R2#show ip bgp
BGP table version is 4, local router ID is 150.1.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
*> 155.1.5.0/24 155.1.0.5 0 0 1 i
*> 155.1.37.0/24 155.1.23.3 0 100 0 (65013) i
*> 204.12.1.0 155.1.13.1 0 100 0 (65013) 3 i

Rack1R3#show ip bgp
BGP table version is 4, local router ID is 150.1.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
*> 155.1.5.0/24 155.1.0.5 0 100 0 (65002) 1 i
*> 155.1.37.0/24 0.0.0.0 0 32768 i
*>i204.12.1.0 155.1.13.1 0 100 0 3 i

Rack1R4#show ip bgp
BGP table version is 14, local router ID is 150.1.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
*> 155.1.5.0/24 155.1.146.1 0 2 1 i
*> 155.1.37.0/24 155.1.146.1 0 2 i
*> 204.12.1.0 0.0.0.0 0 32768 i

Experiment 12. BGP Communities Local AS

Objective: Configure the community Local-AS on R1 so that only R3's Ethernet segment has reachability to VLAN 43
Directions
  Configure the topology per the diagram
  Configure BGP on R1, R2, R3, R4, and R5 per the diagram
  R1 and R3 should use the private AS 65013 and the public AS 2
  R2 should use the private AS 65002 and the public AS 2
  R1 should peer with R3 and R4
  R2 should peer with R3 and R5
  Advertise R3's Ethernet into BGP on R3
  Advertise VLAN 5 into BGP on R5
  Advertise VLAN 43 into BGP on R4
  Configure R1 to set VLAN 43 to the community Local-AS as it is received from R4

Final Configuration
R1:
router bgp 65013
 bgp confederation identifier 2
 neighbor 155.1.13.3 remote-as 65013
 neighbor 155.1.13.3 next-hop-self
 neighbor 155.1.13.3 send-community
 neighbor 155.1.146.4 remote-as 3
 neighbor 155.1.146.4 route-map LOCAL_AS in
route-map LOCAL_AS permit 10
 set community local-as
! routes carrying this community are only passed within the sub-AS,
! so R3 will not pass the route on to R2

Verification
Rack1R1#show ip bgp 204.12.1.0
BGP routing table entry for 204.12.1.0/24, version 5
Paths: (1 available, best #1, table Default-IP-Routing-Table, not advertised outside local AS)
  Advertised to non peer-group peers:
  155.1.13.3
  3
    155.1.146.4 from 155.1.146.4 (150.1.4.4)
      Origin IGP, metric 0, localpref 100, valid, external, best
      Community: local-as

Rack1R3#show ip bgp 204.12.1.0
BGP routing table entry for 204.12.1.0/24, version 5
Paths: (1 available, best #1, table Default-IP-Routing-Table, not advertised outside local AS)
  Not advertised to any peer
  3
    155.1.13.1 from 155.1.13.1 (150.1.1.1)
      Origin IGP, metric 0, localpref 100, valid, confed-internal, best
      Community: local-as

show ip bgp confirms that only R1 and R3 have learned the route to 204.12.1.0/24; R2 and R5 have not, because the route carrying the local-as community stops at R3.

Experiment 13. BGP Regular Expressions

Objective: Configure AS-Path access-list filtering on R1 and R2 in such a way that hosts on R3's Ethernet have access to VLAN 5 and VLAN 43 but hosts on VLANs 5 and 43 do not have access to each other

Directions
  Configure the topology per the diagram
  Configure EIGRP AS 2 on the links between R1 & R3 and R2 & R3
  Configure BGP on R1, R2, R3, R4, and R5 per the diagram
  R1 should peer with R4
  R2 should peer with R5
  R1, R2, and R3 should all peer with each other
  Advertise R3's Ethernet into BGP on R3
  Advertise VLAN 5 into BGP on R5
  Advertise VLAN 43 into BGP on R4
  Configure an AS-Path access-list on R1 and R2 to only advertise routes originated in AS 2 out to AS 1 and AS 3

Purpose: by configuring AS-path filter lists on R1 and R2, only the routers in AS 2 can ping VLAN 43 and VLAN 5, while R4 and R5 cannot ping VLAN 5 and VLAN 43 respectively.

Final Configuration
R1:
router bgp 2
 neighbor 155.1.13.3 remote-as 2
 neighbor 155.1.13.3 next-hop-self
 neighbor 155.1.23.2 remote-as 2
 neighbor 155.1.23.2 next-hop-self
 neighbor 155.1.146.4 remote-as 3
 neighbor 155.1.146.4 filter-list 1 out
ip as-path access-list 1 permit ^$

R2:
router bgp 2
 neighbor 155.1.0.5 remote-as 1
 neighbor 155.1.0.5 filter-list 1 out
 neighbor 155.1.13.1 remote-as 2
 neighbor 155.1.13.1 next-hop-self
 neighbor 155.1.23.3 remote-as 2
 neighbor 155.1.23.3 next-hop-self
ip as-path access-list 1 permit ^$

Verification
This shows that R3, inside AS 2, can ping VLAN 43 and VLAN 5:
Rack1R3#ping 155.1.5.5 source 155.1.37.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 155.1.5.5, timeout is 2 seconds:
Packet sent with a source address of 155.1.37.3
Success rate is 100 percent (5/5), round-trip min/avg/max = 84/86/88 ms

Rack1R3#ping 204.12.1.4 source 155.1.37.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 204.12.1.4, timeout is 2 seconds:
Packet sent with a source address of 155.1.37.3

But R4 and R5 cannot ping each other's addresses:
Rack1R4#ping 155.1.5.5 source 204.12.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 155.1.5.5, timeout is 2 seconds:
Packet sent with a source address of 204.12.1.4
.....
Success rate is 0 percent (0/5)

R1 does not advertise VLAN 5 to R4:
Rack1R1#show ip bgp neighbors 155.1.146.4 advertised-routes
BGP table version is 4, local router ID is 150.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
*>i155.1.37.0/24 155.1.13.3 0 100 0 i

Nor does R2 advertise VLAN 43 to R5:
Rack1R2#show ip bgp neighbors 155.1.0.5 advertised-routes
BGP table version is 4, local router ID is 150.1.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
*>i155.1.37.0/24 155.1.23.3 0 100 0 i

R4 learns only R3's Ethernet segment; VLAN 5, which it would otherwise receive, has been filtered out by the AS-path list:
Rack1R4#show ip bgp
BGP table version is 17, local router ID is 150.1.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
*> 155.1.37.0/24 155.1.146.1 0 2 i
*> 204.12.1.0 0.0.0.0 0 32768 i

R5 shows the same result:
Rack1R5#show ip bgp
BGP table version is 11, local router ID is 150.1.5.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
*> 155.1.5.0/24 0.0.0.0 0 32768 i
*> 155.1.37.0/24 155.1.0.2 0 2 i

AS-PATH filtering uses regular expressions. The metacharacters are as follows:

Metacharacter      Matches
.                  Any single character, including a space
[]                 Any one of the characters listed inside the brackets
[^]                Any character except those listed inside the brackets (the ^ must come first in the list)
-  (hyphen)        Any character in the range between the two characters it joins
?                  The preceding character or pattern, zero or one time
*                  The preceding character or pattern, zero or more times
+                  The preceding character or pattern, one or more times
^                  The start of the line
$                  The end of the line
|                  One of the alternatives separated by the bar
_  (underscore)    A comma, the start of the line, the end of the line, or a space

Experiment 14. BGP Aggregation

Objective: Configure AS 2 so that AS 1 sees an aggregate route representing the 10.0.0.0/16, 10.1.0.0/16, 10.2.0.0/16, and 10.3.0.0/16 networks
Directions
  Configure the topology per the diagram
  Configure BGP on R1, R3, R4, and R5 per the diagram
  R1 should peer with R3 and R4
  R5 should peer with R3 and R4
  Advertise VLAN 5 and 43 into BGP on R5 and R4 respectively
  Create the Loopback networks 10.0.0.1/16 and 10.1.0.1/16 on R1 and advertise them into BGP
  Create the Loopback networks 10.2.0.1/16 and 10.3.0.1/16 on R3 and advertise them into BGP
  Configure BGP aggregation on R1 for all four of these networks

Final Configuration
R1:
interface Loopback0
 ip address 10.0.0.1 255.255.0.0
interface Loopback1
 ip address 10.1.0.1 255.255.0.0
interface FastEthernet0/0
 ip address 155.1.146.1 255.255.255.0
interface Serial0/1
 ip address 155.1.13.1 255.255.255.0
router bgp 2
 network 10.0.0.0 mask 255.255.0.0
 network 10.1.0.0 mask 255.255.0.0
 aggregate-address 10.0.0.0 255.252.0.0
 neighbor 155.1.13.3 remote-as 2
 neighbor 155.1.13.3 next-hop-self
 neighbor 155.1.146.4 remote-as 1

R3:
interface Loopback0
 ip address 10.2.0.1 255.255.0.0
interface Loopback1
 ip address 10.3.0.1 255.255.0.0
interface Serial1/0
 encapsulation frame-relay
interface Serial1/0.1 point-to-point
 ip address 155.1.0.3 255.255.255.0
 frame-relay interface-dlci 305
interface Serial1/2
 ip address 155.1.13.3 255.255.255.0
 clockrate 64000
router bgp 2
 network 10.2.0.0 mask 255.255.0.0
 network 10.3.0.0 mask 255.255.0.0
 neighbor 155.1.13.1 remote-as 2
 neighbor 155.1.13.1 next-hop-self
 neighbor 155.1.0.5 remote-as 1

Verification
Rack1R1#show ip bgp
BGP table version is 8, local router ID is 10.1.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
*> 10.0.0.0/16 0.0.0.0 0 32768 i
*> 10.0.0.0/14 0.0.0.0 32768 i    (the aggregate route; R3 shows the same result)
*> 10.1.0.0/16 0.0.0.0 0 32768 i
*>i10.2.0.0/16 155.1.13.3 0 100 0 i
*>i10.3.0.0/16 155.1.13.3 0 100 0 i
* i155.1.5.0/24 155.1.13.3 0 100 0 1 i
*> 155.1.146.4 0 1 i
* i204.12.1.0 155.1.13.3 0 100 0 1 i
*> 155.1.146.4 0 0 1 i

Rack1R5#show ip bgp
BGP table version is 13, local router ID is 150.1.5.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
*> 10.0.0.0/16 155.1.0.3 0 2 i
* i 155.1.45.4 0 100 0 2 i
*> 10.0.0.0/14 155.1.0.3 0 2 i    (R5 receives the specific routes as well as the aggregate; R4 likewise)
* i 155.1.45.4 0 100 0 2 i
*> 10.1.0.0/16 155.1.0.3 0 2 i
* i 155.1.45.4 0 100 0 2 i
*> 10.2.0.0/16 155.1.0.3 0 0 2 i
* i 155.1.45.4 0 100 0 2 i
*> 10.3.0.0/16 155.1.0.3 0 0 2 i
* i 155.1.45.4 0 100 0 2 i
*> 155.1.5.0/24 0.0.0.0 0 32768 i
*>i204.12.1.0 155.1.45.4 0 100 0 i

Note: aggregate-address only takes effect when at least one more-specific route exists in the BGP table. Adding as-set to the command preserves the AS path information. Adding summary-only suppresses the more-specific routes so that EBGP neighbours receive only the aggregate. Adding advertise-map lets you choose which AS path information the aggregate retains.

Experiment 15. BGP Aggregation Suppress Map

Objective: Configure AS 2 so that AS 1 sees an aggregate route representing 10.0.0.0/16, 10.1.0.0/16, 10.2.0.0/16, and 10.3.0.0/16 networks along with the subnets 10.0.0.0/16 and 10.3.0.0/16
Directions
  Configure the topology per the diagram
  Configure BGP on R1, R3, R4, and R5 per the diagram
  R1 should peer with R3 and R4
  R5 should peer with R3 and R4
  Advertise VLAN 5 and 43 into BGP on R5 and R4 respectively
  Create the Loopback networks 10.0.0.1/16 and 10.1.0.1/16 on R1 and advertise them into BGP
  Create the Loopback networks 10.2.0.1/16 and 10.3.0.1/16 on R3 and advertise them into BGP
  Configure BGP aggregation on R1 and R3 for all four of these networks
  R1 should suppress only the 10.1.0.0/16 network
  R3 should suppress only the 10.2.0.0/16 network

Final Configuration
R1:
router bgp 2
 network 10.0.0.0 mask 255.255.0.0
 network 10.1.0.0 mask 255.255.0.0
 aggregate-address 10.0.0.0 255.252.0.0 suppress-map SUPPRESS
 neighbor 155.1.13.3 remote-as 2
 neighbor 155.1.13.3 next-hop-self
 neighbor 155.1.146.4 remote-as 1
ip prefix-list 10.1.0.0 seq 5 permit 10.1.0.0/16
! defines the specific route to be suppressed
route-map SUPPRESS permit 10
 match ip address prefix-list 10.1.0.0

R3:
router bgp 2
 network 10.2.0.0 mask 255.255.0.0
 network 10.3.0.0 mask 255.255.0.0
 aggregate-address 10.0.0.0 255.252.0.0 suppress-map SUPPRESS
 neighbor 155.1.13.1 remote-as 2
 neighbor 155.1.13.1 next-hop-self
 neighbor 155.1.0.5 remote-as 1
ip prefix-list 10.2.0.0 seq 5 permit 10.2.0.0/16
! defines the specific route to be suppressed
route-map SUPPRESS permit 10
 match ip address prefix-list 10.2.0.0

Verification
Rack1R1#show ip bgp
BGP table version is 9, local router ID is 10.1.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
*> 10.0.0.0/16 0.0.0.0 0 32768 i
* i10.0.0.0/14 155.1.13.3 0 100 0 i
*> 0.0.0.0 32768 i
s> 10.1.0.0/16 0.0.0.0 0 32768 i    (10.1.0.0/16 is suppressed)
*>i10.3.0.0/16 155.1.13.3 0 100 0 i
* i155.1.5.0/24 155.1.13.3 0 100 0 1 i
*> 155.1.146.4 0 1 i
* i204.12.1.0 155.1.13.3 0 100 0 1 i
*> 155.1.146.4 0 0 1 i

Rack1R3#show ip bgp
BGP table version is 9, local router ID is 10.3.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
*>i10.0.0.0/16 155.1.13.1 0 100 0 i
*> 10.0.0.0/14 0.0.0.0 32768 i
* i 155.1.13.1 0 100 0 i
s> 10.2.0.0/16 0.0.0.0 0 32768 i    (10.2.0.0/16 is suppressed)
*> 10.3.0.0/16 0.0.0.0 0 32768 i
* i155.1.5.0/24 155.1.13.1 0 100 0 1 i
*> 155.1.0.5 0 0 1 i
* i204.12.1.0 155.1.13.1 0 100 0 1 i
*> 155.1.0.5 0 1 i

Rack1R4#show ip route bgp
     155.1.0.0/24 is subnetted, 3 subnets
B       155.1.5.0 [200/0] via 155.1.45.5, 01:01:24
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
B       10.3.0.0/16 [20/0] via 155.1.146.1, 00:03:51
B       10.0.0.0/16 [20/0] via 155.1.146.1, 00:05:04
B       10.0.0.0/14 [20/0] via 155.1.146.1, 00:05:04

Rack1R5#show ip route bgp
B    204.12.1.0/24 [200/0] via 155.1.45.4, 01:01:30
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
B       10.3.0.0/16 [20/0] via 155.1.0.3, 00:03:57
B       10.0.0.0/16 [20/0] via 155.1.0.3, 00:03:57
B       10.0.0.0/14 [20/0] via 155.1.0.3, 00:03:57

show ip route bgp no longer shows the two suppressed routes.

Note: aggregate-address ... suppress-map suppresses selected more-specific routes that contribute to the aggregate. Its counterpart, unsuppress-map, is used differently: it is configured under neighbor (neighbor ... unsuppress-map) and requires aggregate-address ... summary-only.

Experiment 16. BGP Allow AS In

Objective: Configure R5 to advertise the aggregate 150.X.0.0/21 without any specific subnet information. Devices receiving the aggregate should know that it is comprised of prefixes that passed through ASs 1, 2, 3, and 5. Ensure that R1, R2, and R3 are able to install this aggregate in their BGP tables
Directions Configure the topology per the diagram Configure BGP on R1, R2, R3, and R5 per the diagram R5 should peer with R1, R2, and R3 Create the Loopback 150.X.1.1/24 on R1 and advertise it into BGP Create the Loopback 150.X.2.2/24 on R2 and advertise it into BGP Create the Loopback 150.X.3.3/24 on R3 and advertise it into BGP Create the Loopback 150.X.5.5/24 on R5 and advertise it into BGP Configure the BGP aggregate 150.X.0.0/21 on R5 Include the originating AS-Path information with this aggregate Configure R1, R2, and R3 to accept prefixes with their own AS in the path in order to receive the aggregate Final Configuration R1: interface Loopback0 ip address 150.1.1.1 255.255.0.0 interface Serial0/0 encapsulation frame-relay interface Serial0/0.1 point-to-point ip address 155.1.0.1 255.255.255.0 frame-relay interface-dlci 105 router bgp 1 network 150.1.1.0 mask 255.255.255.0 neighbor 155.1.0.5 remote-as 5 neighbor 155.1.0.5 allowas-in 1 R2:
interface Loopback0 ip address 150.1.2.2 255.255.0.0 interface Serial0/0 encapsulation frame-relay interface Serial0/0.1 point-to-point ip address 155.1.0.2 255.255.255.0 frame-relay interface-dlci 205 router bgp 2 network 150.1.2.0 mask 255.255.255.0 neighbor 155.1.0.5 remote-as 5 neighbor 155.1.0.5 allowas-in 1 R3: interface Loopback0 ip address 150.1.3.3 255.255.255.0 interface Serial1/0 encapsulation frame-relay interface Serial1/0.1 point-to-point ip address 155.1.0.3 255.255.255.0 frame-relay interface-dlci 305 router bgp 3 network 150.1.3.0 mask 255.255.255.0 neighbor 155.1.0.5 remote-as 5 neighbor 155.1.0.5 allowas-in 1 R5: interface Loopback0 ip address 150.1.5.5 255.255.0.0 interface Serial0/0 ip address 155.1.0.5 255.255.255.0 encapsulation frame-relay frame-relay map ip 155.1.0.1 501 broadcast frame-relay map ip 155.1.0.2 502 broadcast frame-relay map ip 155.1.0.3 503 broadcast router bgp 5 network 150.1.5.0 mask 255.255.255.0 aggregate-address 150.1.0.0 255.255.248.0 as-set summary-only neighbor 155.1.0.1 remote-as 1
 neighbor 155.1.0.2 remote-as 2
 neighbor 155.1.0.3 remote-as 3

Verification

Rack1R1#show ip bgp
BGP table version is 8, local router ID is 150.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 150.1.0.0/21     155.1.0.5                0             0 5 {1,2,3} i
*> 150.1.1.0/24     0.0.0.0                  0         32768 i

Rack1R2#show ip bgp
BGP table version is 7, local router ID is 150.1.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 150.1.0.0/21     155.1.0.5                0             0 5 {1,2,3} i
*> 150.1.2.0/24     0.0.0.0                  0         32768 i

Rack1R3#show ip bgp
BGP table version is 11, local router ID is 10.3.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 150.1.0.0/21     155.1.0.5                0             0 5 {1,2,3} i
*> 150.1.3.0/24     0.0.0.0                  0         32768 i

Rack1R5#show ip bgp
BGP table version is 22, local router ID is 150.1.5.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 150.1.0.0/21     0.0.0.0                        100  32768 {1,2,3} i
s> 150.1.1.0/24     155.1.0.1                0             0 1 i
s> 150.1.2.0/24     155.1.0.2                0             0 2 i
s> 150.1.3.0/24     155.1.0.3                0             0 3 i
s> 150.1.5.0/24     0.0.0.0                  0         32768 i

Note: this lab mainly demonstrates the effect of one command, neighbor ip-addr allowas-in [num-of-occurrences]. It does not rewrite the AS_PATH attribute; it relaxes the inbound loop check so that IOS accepts a route whose AS_PATH already contains the local AS number up to the given number of times (at most 10; if no number is given IOS uses 3).

Normally BGP detects loops with the AS_PATH attribute: if an incoming update's AS_PATH contains the router's own AS number, the route is treated as a loop and discarded. Here the aggregate 150.1.0.0/21 carries the AS_SET {1,2,3} because of the as-set keyword, so R1, R2 and R3 each see their own AS in the path and would drop the aggregate without allowas-in 1 (the s> entries on R5 are the component routes suppressed by summary-only). The command deliberately breaks this loop-detection mechanism, so apply it only on the specific neighbor that needs it, with the smallest count that works, and with inbound prefix filtering in place, because a route that already carries your AS number is by default taken as evidence of a loop or of your own prefixes being leaked back to you. Its main use is in the MPLS L3VPN area (customer sites that reuse the same AS number); consult the relevant documents if interested.

neighbor allowas-in

Description: Specifies the number of times that the AS path of a received route may contain the recipient BGP speaker's AS number and still be accepted. The no version restores the default state, which is to reject as a loop any route whose path contains the speaker's AS number. IBGP peers in the VPNv4 address family always accept these routes, regardless of the command configuration.

Syntax: [no] neighbor { ipaddress | peergroupname } allowas-in number

ipaddress       Neighbor's IP address
peergroupname   Name of a BGP peer group. If you specify a BGP peer group by using the peergroupname argument, all the members of the peer group inherit the characteristic configured with this command, unless it is overridden for a specific peer.
number          Number in the range 1-10
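The following is an added example, not part of the original lab and not IOS code: a small model of the AS_PATH handling this task exercises, so that the verification output above can be replayed step by step (the as-set aggregate on R5, the AS prepend toward R1, and R1's loop check with and without allowas-in 1). The component paths fed to it are constructed from the R5 show ip bgp output; segment order and the sorted AS_SET are modelling assumptions, and IOS may display set members in a different order.

```python
"""Model of as-set aggregation, eBGP AS prepending and the allowas-in loop
check (added example; not the lab's or IOS's own code)."""
import re


def parse_as_path(text):
    """Parse the Path column of `show ip bgp` (e.g. '5 {1,2,3}') into a list of
    (segment_type, asns). Braces mark an AS_SET, bare numbers an AS_SEQUENCE."""
    segments = []
    for tok in re.findall(r"\{[^}]*\}|\d+", text):
        if tok.startswith("{"):
            members = sorted({int(a) for a in tok.strip("{}").split(",") if a.strip()})
            segments.append(("AS_SET", members))
        elif segments and segments[-1][0] == "AS_SEQUENCE":
            segments[-1][1].append(int(tok))
        else:
            segments.append(("AS_SEQUENCE", [int(tok)]))
    return segments


def format_as_path(segments):
    """Render segments back into the `show ip bgp` Path notation."""
    parts = []
    for kind, asns in segments:
        if kind == "AS_SET":
            parts.append("{" + ",".join(str(a) for a in asns) + "}")
        else:
            parts.extend(str(a) for a in asns)
    return " ".join(parts)


def aggregate_path(component_paths, as_set=True):
    """AS_PATH the aggregating router attaches to `aggregate-address`.
    With `as-set`, every AS from every component path goes into one AS_SET so
    downstream loop detection still works; without it the path starts empty
    and the origin information is lost (assumed sorted order for display)."""
    if not as_set:
        return []
    members = sorted({asn for path in component_paths
                      for _, asns in parse_as_path(path) for asn in asns})
    return [("AS_SET", members)] if members else []


def advertise_ebgp(segments, local_as):
    """What a speaker sends to an eBGP peer: its own AS prepended in an
    AS_SEQUENCE (a new one if the path is empty or starts with an AS_SET)."""
    segs = [(kind, list(asns)) for kind, asns in segments]
    if segs and segs[0][0] == "AS_SEQUENCE":
        segs[0][1].insert(0, local_as)
    else:
        segs.insert(0, ("AS_SEQUENCE", [local_as]))
    return segs


def accept_update(segments, local_as, allowas_in=0):
    """Inbound loop check at the receiver. Default (allowas_in=0): drop the
    route if our own AS appears anywhere in AS_PATH, AS_SET members included.
    `neighbor ... allowas-in N` accepts it while the count is at most N
    (IOS allows N = 1..10)."""
    if not 0 <= allowas_in <= 10:
        raise ValueError("allowas-in count must be between 1 and 10")
    occurrences = sum(asns.count(local_as) for _, asns in segments)
    return occurrences <= allowas_in


def lab_walkthrough():
    """Replay the task: R5 aggregates the four /24s, sends the /21 to R1
    (AS 1), and R1 evaluates it with and without `allowas-in 1`."""
    # Constructed from the R5 `show ip bgp` output in the lab: the AS_PATH of
    # each component route as R5 holds it (the local 150.1.5.0/24 is empty).
    components = {"150.1.1.0/24": "1", "150.1.2.0/24": "2",
                  "150.1.3.0/24": "3", "150.1.5.0/24": ""}
    with_set = aggregate_path(components.values(), as_set=True)
    without_set = aggregate_path(components.values(), as_set=False)
    r1_sees = advertise_ebgp(with_set, local_as=5)
    r1_sees_plain = advertise_ebgp(without_set, local_as=5)
    return {
        "r5_aggregate_path": format_as_path(with_set),
        "r1_receives": format_as_path(r1_sees),
        "r1_accepts_by_default": accept_update(r1_sees, local_as=1),
        "r1_accepts_with_allowas_in_1": accept_update(r1_sees, local_as=1, allowas_in=1),
        "r1_receives_without_as_set": format_as_path(r1_sees_plain),
        "r1_accepts_without_as_set": accept_update(r1_sees_plain, local_as=1),
    }


if __name__ == "__main__":
    for key, value in lab_walkthrough().items():
        print(f"{key}: {value}")
```

Running it shows why the task needs allowas-in: R1 receives the path 5 {1,2,3}, the default check counts AS 1 once and rejects, and allowas-in 1 lets it through. It also shows the trade-off the as-set keyword buys: without it R1 would receive just 5 and accept by default, but the {1,2,3} origin information would be gone. The count still matters, since a path such as 5 1 1 carries AS 1 twice and is rejected by allowas-in 1.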
