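Chapter 3 BGP Features and Configuration
Lab 3-4 BGP Attributes and Path Selection 2 (Optional)
Learning Objectives
·Learn how to influence path selection by modifying the community attribute
·Learn how to filter BGP routing information with a Route-policy
Topology
Figure 3-4 BGP Attributes and Path Selection 2
Scenario
You are the network administrator of a company. The company network is interconnected with BGP, and the BGP AS numbers are planned as shown in the topology. For security reasons, not every department in every branch office is allowed to reach every other one. To control how routing information is propagated, you need to filter BGP routes using the BGP community attribute.
Tasks
Step 1. Basic configuration and IP addressing
Configure the IP address and mask of the physical interfaces and the Loopback 0 interface on all routers. Note that every Loopback 0 address uses a 32-bit mask.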
<R1>system-view
Enter system view, return user view with Ctrl+Z.
[R1]interface Serial 1/0/0
[R1-Serial1/0/0]ip address 10.0.12.1 255.255.255.0
[R1-Serial1/0/0]quit
[R1]interface Serial 3/0/0
[R1-Serial3/0/0]ip address 10.0.14.1 255.255.255.0
[R1-Serial3/0/0]quit
[R1]interface loopback 0
[R1-LoopBack0]ip address 10.0.1.1 255.255.255.255
[R1-LoopBack0]quit
<R2>system-view
Enter system view, return user view with Ctrl+Z.
[R2]interface Serial 1/0/0
[R2-Serial1/0/0]ip address 10.0.12.2 255.255.255.0
[R2-Serial1/0/0]quit
[R2]interface Serial 2/0/0
[R2-Serial2/0/0]ip address 10.0.23.2 255.255.255.0
[R2-Serial2/0/0]quit
[R2]interface GigabitEthernet 0/0/0
[R2-GigabitEthernet0/0/0]ip address 10.0.25.2 255.255.255.0
[R2-GigabitEthernet0/0/0]quit
[R2]interface loopback 0
[R2-LoopBack0]ip address 10.0.2.2 255.255.255.255
[R2-LoopBack0]quit
<R3>system-view
Enter system view, return user view with Ctrl+Z.
[R3]interface Serial 2/0/0
[R3-Serial2/0/0]ip address 10.0.23.3 255.255.255.0
[R3-Serial2/0/0]quit
[R3]interface loopback 0
[R3-LoopBack0]ip address 10.0.3.3 255.255.255.255
[R3-LoopBack0]quit
<R4>system-view
Enter system view, return user view with Ctrl+Z.
[R4]interface Serial 1/0/0
[R4-Serial1/0/0]ip address 10.0.14.4 255.255.255.0
[R4-Serial1/0/0]quit
[R4]interface loopback 0
[R4-LoopBack0]ip address 10.0.4.4 255.255.255.255
[R4-LoopBack0]quit
<R5>system-view
Enter system view, return user view with Ctrl+Z.
[R5]interface GigabitEthernet 0/0/0
[R5-GigabitEthernet0/0/0]ip address 10.0.25.5 255.255.255.0
[R5-GigabitEthernet0/0/0]quit
[R5]interface loopback 0
[R5-LoopBack0]ip address 10.0.5.5 255.255.255.255
[R5-LoopBack0]quit
After the configuration is complete, test connectivity on the directly connected links.
<R1>ping -c 1 10.0.12.2
PING 10.0.12.2: 56 data bytes, press CTRL_C to break
Reply from 10.0.12.2: bytes=56 Sequence=1 ttl=255 time=40 ms
--- 10.0.12.2 ping statistics ---
1 packet(s) transmitted
1 packet(s) received
0.00% packet loss
round-trip min/avg/max = 40/40/40 ms
<R1>ping -c 1 10.0.14.4
PING 10.0.14.4: 56 data bytes, press CTRL_C to break
Reply from 10.0.14.4: bytes=56 Sequence=1 ttl=255 time=61 ms
--- 10.0.14.4 ping statistics ---
1 packet(s) transmitted
1 packet(s) received
0.00% packet loss
round-trip min/avg/max = 61/61/61 ms
<R2>ping -c 1 10.0.25.5
PING 10.0.25.5: 56 data bytes, press CTRL_C to break
Reply from 10.0.25.5: bytes=56 Sequence=1 ttl=255 time=14 ms
--- 10.0.25.5 ping statistics ---
1 packet(s) transmitted
1 packet(s) received
0.00% packet loss
round-trip min/avg/max = 14/14/14 ms
<R2>ping -c 1 10.0.23.3
PING 10.0.23.3: 56 data bytes, press CTRL_C to break
Reply from 10.0.23.3: bytes=56 Sequence=1 ttl=255 time=2 ms
--- 10.0.23.3 ping statistics ---
1 packet(s) transmitted
1 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/2/2 ms
Step 2. Configure BGP
R1 and R2 are IBGP peers; all other router pairs are EBGP peers.
[R1]router id 10.0.1.1
[R1]bgp 64513
[R1-bgp]peer 10.0.12.2 as-number 64513
[R1-bgp]peer 10.0.14.4 as-number 64512
[R1-bgp]quit
[R2]router id 10.0.2.2
[R2]bgp 64513
[R2-bgp]peer 10.0.12.1 as-number 64513
[R2-bgp]peer 10.0.23.3 as-number 64514
[R2-bgp]peer 10.0.25.5 as-number 64515
[R2-bgp]quit
[R3]router id 10.0.3.3
[R3]bgp 64514
[R3-bgp]peer 10.0.23.2 as-number 64513
[R3-bgp]quit
[R4]router id 10.0.4.4
[R4]bgp 64512
[R4-bgp]peer 10.0.14.1 as-number 64513
[R4-bgp]quit
[R5]router id 10.0.5.5
[R5]bgp 64515
[R5-bgp]peer 10.0.25.2 as-number 64513
[R5-bgp]quit
After configuring BGP, check that the peer relationships between the routers have been established.
[R1]display bgp peer
BGP local router ID : 10.0.1.1
Local AS number : 64513
Total number of peers : 2 Peers in established state : 2
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.0.12.2 4 64513 5 6 0 00:03:28 Established 0
10.0.14.4 4 64512 2 3 0 00:00:39 Established 0
[R2]display bgp peer
BGP local router ID : 10.0.2.2
Local AS number : 64513
Total number of peers : 3 Peers in established state : 3
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.0.12.1 4 64513 6 5 0 00:04:00 Established 0
10.0.23.3 4 64514 4 6 0 00:02:44 Established 0
10.0.25.5 4 64515 2 3 0 00:00:41 Established 0
[R3]display bgp peer
BGP local router ID : 10.0.3.3
Local AS number : 64514
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.0.23.2 4 64513 4 4 0 00:02:59 Established 0
[R4]display bgp peer
BGP local router ID : 10.0.4.4
Local AS number : 64512
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.0.14.1 4 64513 3 3 0 00:01:40 Established 0
[R5]display bgp peer
BGP local router ID : 10.0.5.5
Local AS number : 64515
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.0.25.2 4 64513 3 3 0 00:01:23 Established 0
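All BGP peers are now in the Established state.
Step 3. Configure an ordinary community attribute
On R5, create Loopback1, Loopback2 and Loopback3 with the addresses 10.1.5.5/24, 10.2.5.5/24 and 10.3.5.5/24, and advertise them into BGP with the network command.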
[R5]interface loopback 1
[R5-LoopBack1]ip address 10.1.5.5 255.255.255.0
[R5-LoopBack1]quit
[R5]interface loopback 2
[R5-LoopBack2]ip address 10.2.5.5 255.255.255.0
[R5-LoopBack2]quit
[R5]interface loopback 3
[R5-LoopBack3]ip address 10.3.5.5 255.255.255.0
[R5-LoopBack3]quit
[R5]bgp 64515
[R5-bgp]network 10.1.5.5 255.255.255.0
[R5-bgp]network 10.2.5.5 255.255.255.0
[R5-bgp]network 10.3.5.5 255.255.255.0
[R5-bgp]quit
[R2]bgp 64513
[R2-bgp]peer 10.0.12.1 next-hop-local
[R2-bgp]quit
On R2 and R4, check that the routes have been propagated correctly.
[R2]display bgp routing-table
BGP Local router ID is 10.0.2.2
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 3
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 10.1.5.0/24 10.0.25.5 0 0 64515i
*> 10.2.5.0/24 10.0.25.5 0 0 64515i
*> 10.3.5.0/24 10.0.25.5 0 0 64515i
[R4]display bgp routing-table
BGP Local router ID is 10.0.4.4
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 3
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 10.1.5.0/24 10.0.14.1 0 64513 64515i
*> 10.2.5.0/24 10.0.14.1 0 64513 64515i
*> 10.3.5.0/24 10.0.14.1 0 64513 64515i
On R5, create the route-policy comm_r5, which adds community 100 to the route 10.1.5.0/24.
[R5]acl number 2000
[R5-acl-basic-2000]rule 0 permit source 10.1.5.0 0.0.0.255
[R5-acl-basic-2000]quit
[R5]route-policy comm_r5 permit node 10
[R5-route-policy]if-match acl 2000
[R5-route-policy]apply community 100
[R5-route-policy]quit
[R5]bgp 64515
[R5-bgp]peer 10.0.25.2 route-policy comm_r5 export
[R5-bgp]quit
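The following steps require the routers to advertise community attributes to each other, so configure every BGP peer session to advertise the Community attribute.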
[R1]bgp 64513
[R1-bgp]peer 10.0.14.4 advertise-community
[R1-bgp]peer 10.0.12.2 advertise-community
[R1-bgp]quit
[R2]bgp 64513
[R2-bgp]peer 10.0.12.1 advertise-community
[R2-bgp]peer 10.0.23.3 advertise-community
[R2-bgp]peer 10.0.25.5 advertise-community
[R2-bgp]quit
[R3]bgp 64514
[R3-bgp]peer 10.0.23.2 advertise-community
[R3-bgp]quit
[R4]bgp 64512
[R4-bgp]peer 10.0.14.1 advertise-community
[R4-bgp]quit
[R5]bgp 64515
[R5-bgp]peer 10.0.25.2 advertise-community
[R5-bgp]quit
On R2 and R4, check that the attribute is propagated correctly.
<R2>display bgp routing-table community
BGP Local router ID is 10.0.2.2
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 5
Network NextHop MED LocPrf PrefVal Community
*> 10.1.5.0/24 10.0.25.5 0 0 <0:100>
<R4>display bgp routing-table community
BGP Local router ID is 10.0.4.4
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 5
Network NextHop MED LocPrf PrefVal Community
*> 10.1.5.0/24 10.0.25.5 0 0 <0:100>
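Step 4. Configure well-known community values
On R5, use the route-policy to add the well-known community no-export to the route 10.2.5.0/24 and the well-known community no-advertise to the route 10.3.5.0/24.
This only requires adding two new nodes to the existing route-policy comm_r5 on R5.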
[R5]acl 2001
[R5-acl-basic-2001]rule 0 permit source 10.2.5.0 0.0.0.255
[R5-acl-basic-2001]quit
[R5]route-policy comm_r5 permit node 20
[R5-route-policy]if-match acl 2001
[R5-route-policy]apply community no-export
[R5-route-policy]quit
[R5]acl number 2002
[R5-acl-basic-2002]rule 0 permit source 10.3.5.0 0.0.0.255
[R5-acl-basic-2002]quit
[R5]route-policy comm_r5 permit node 30
[R5-route-policy]if-match acl 2002
[R5-route-policy]apply community no-advertise
[R5-route-policy]quit
On R2, view the community attributes of the learned routes.
<R2>dis bgp routing-table community
BGP Local router ID is 10.0.2.2
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 4
Network NextHop MED LocPrf PrefVal Community
*> 10.1.5.0/24 10.0.25.5 0 0 <0:100>
*> 10.2.5.0/24 10.0.25.5 0 0 no-export
*> 10.3.5.0/24 10.0.25.5 0 0 no-advertise
On R2, R1 and R4, check the BGP routing table on each to see how these routes are propagated.
<R2>display bgp routing-table
BGP Local router ID is 10.0.2.2
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 3
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 10.1.5.0/24 10.0.25.5 0 0 64515i
*> 10.2.5.0/24 10.0.25.5 0 0 64515i
*> 10.3.5.0/24 10.0.25.5 0 0 64515i
<R1>display bgp routing-table
BGP Local router ID is 10.0.1.1
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 2
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 10.1.5.0/24 10.0.12.2 0 100 0 64515i
*>i 10.2.5.0/24 10.0.12.2 0 100 0 64515i
[R4]display bgp routing-table
BGP Local router ID is 10.0.4.4
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 1
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 10.1.5.0/24 10.0.14.1 0 64513 64515i
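The BGP route 10.2.5.0/24, which carries the well-known community no-export, is not sent by R2 outside its AS but is still advertised to R1 inside the AS. The BGP route 10.3.5.0/24, which carries no-advertise, is not sent by R2 to any peer.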
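The propagation rules observed in step 4, modelled over this lab's topology as an added example (not part of the original lab guide). The function names and the first-path-wins simplification are assumptions of the sketch; it also models the IBGP rule that an IBGP-learned route is not passed to another IBGP peer.

```python
from collections import deque

NO_EXPORT, NO_ADVERTISE = "no-export", "no-advertise"
# Lab topology from the page: AS number per router and the BGP sessions.
AS_OF = {"R1": 64513, "R2": 64513, "R3": 64514, "R4": 64512, "R5": 64515}
PEERS = {"R1": ["R2", "R4"], "R2": ["R1", "R3", "R5"],
         "R3": ["R2"], "R4": ["R1"], "R5": ["R2"]}
# Communities that R5's export policy comm_r5 attaches (step 3 and step 4).
R5_ROUTES = {"10.1.5.0/24": {"0:100"},
             "10.2.5.0/24": {NO_EXPORT},
             "10.3.5.0/24": {NO_ADVERTISE}}

def may_readvertise(communities, from_ibgp, to_ibgp):
    """Decide whether a received route may be passed on to one peer."""
    if NO_ADVERTISE in communities:
        return False                      # never sent to any peer
    if NO_EXPORT in communities and not to_ibgp:
        return False                      # never sent outside the local AS
    return not (from_ibgp and to_ibgp)    # IBGP-learned routes stay off IBGP

def propagate(origin, routes):
    """Return {router: sorted prefixes} once the routes have spread (hypothetical helper)."""
    tables = {r: {} for r in AS_OF}       # router -> prefix -> (communities, via IBGP)
    queue = deque()
    for prefix, comms in routes.items():
        tables[origin][prefix] = (set(comms), False)
        queue.append((origin, prefix, None))
    while queue:
        sender, prefix, source = queue.popleft()
        comms, from_ibgp = tables[sender][prefix]
        for peer in PEERS[sender]:
            if peer == source or prefix in tables[peer]:
                continue                  # first path wins; the lab topology is a tree
            to_ibgp = AS_OF[peer] == AS_OF[sender]
            # The originator tags routes on export, so it always sends them itself.
            if sender != origin and not may_readvertise(comms, from_ibgp, to_ibgp):
                continue
            tables[peer][prefix] = (comms, to_ibgp)
            queue.append((peer, prefix, sender))
    return {r: sorted(t) for r, t in tables.items()}

if __name__ == "__main__":
    for router, prefixes in propagate("R5", R5_ROUTES).items():
        print(router, prefixes)
```

Passing a modified copy of R5_ROUTES to propagate() shows how a different tagging would change each router's table before the policy is touched on a device.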
Step 5. Use the community attribute in route aggregation
On R3, create Loopback 1 and Loopback2 with the addresses 10.1.3.3/24 and 10.2.3.3/24, and advertise them into BGP with the network command.
[R3]interface LoopBack 1
[R3-LoopBack1]ip address 10.1.3.3 255.255.255.0
[R3-LoopBack1]quit
[R3]interface loopback 2
[R3-LoopBack2]ip address 10.2.3.3 255.255.255.0
[R3-LoopBack2]quit
[R3]bgp 64514
[R3-bgp]network 10.1.3.3 255.255.255.0
[R3-bgp]network 10.2.3.3 255.255.255.0
[R3-bgp]quit
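The requirement is now as follows: summarize 10.1.5.0/24, advertised by R5, and 10.2.3.0/24, advertised by R3, into the single Class A network 10.0.0.0/8. The specific routes are suppressed when the summary is advertised, and the summary route carries community 200 when it is finally advertised to R4. The route 10.1.3.0/24 is still advertised to R4 as a specific route.
To meet this requirement, create a route-policy named comm_r3 on R3 that adds community 100 to the route 10.2.3.0/24 advertised by R3.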
[R3]acl number 2001
[R3-acl-basic-2001]rule 0 permit source 10.2.3.0 0.0.0.255
[R3-acl-basic-2001]quit
[R3]route-policy comm_r3 permit node 10
[R3-route-policy]if-match acl 2001
[R3-route-policy]apply community 100
[R3-route-policy]quit
[R3]route-policy comm_r3 permit node 20
[R3-route-policy]quit
[R3]bgp 64514
[R3-bgp]peer 10.0.23.2 route-policy comm_r3 export
[R3-bgp]quit
On R1, check that the learned routes 10.1.5.0/24 and 10.2.3.0/24 both carry community 100.
<R1>display bgp routing-table community
BGP Local router ID is 10.0.1.1
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 3
Network NextHop MED LocPrf PrefVal Community
*>i 10.1.5.0/24 10.0.12.2 0 100 0 <0:100>
*>i 10.2.3.0/24 10.0.12.2 0 100 0 <0:100>
*>i 10.2.5.0/24 10.0.12.2 0 100 0 no-export
Create a community filter that selects routes with community 100.
[R1]ip community-filter 1 permit 100
Create a route-policy named match_comm that matches routes with community 100.
[R1]route-policy match_comm permit node 10
[R1-route-policy]if-match community-filter 1
[R1-route-policy]quit
Create a route-policy named add_comm that adds community 200:1 to the summary route.
[R1]route-policy add_comm permit node 10
[R1-route-policy]apply community 200:1 additive
[R1-route-policy]quit
Configure the aggregation on R1: summarize the routes that match the policy match_comm, and use the policy add_comm to add the community attribute.
[R1]bgp 64513
[R1-bgp]aggregate 10.0.0.0 255.0.0.0 detail-suppressed origin-policy match_comm attribute-policy add_comm
[R1-bgp]quit
View the BGP routing table on R4.
<R4>display bgp routing-table
BGP Local router ID is 10.0.4.4
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 2
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 10.0.0.0 10.0.14.1 0 64513i
*> 10.1.3.0/24 10.0.14.1 0 64513 64514i
On R4, check the community attribute of the summary route.
<R4>display bgp routing-table community
BGP Local router ID is 10.0.4.4
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 1
Network NextHop MED LocPrf PrefVal Community
*> 10.0.0.0 10.0.14.1 0 <200:1>
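How R1's aggregate command selects and suppresses routes in step 5, as an added example that is not part of the original lab guide. The function names are hypothetical; the table is R1's view from the step 5 output, and the aggregate is modelled as starting with no communities because R4's output shows only 200:1.

```python
import ipaddress

# R1's BGP table before aggregation (prefix -> communities), taken from the
# step 5 output on this page; 10.1.3.0/24 carries no community.
R1_TABLE = {
    "10.1.3.0/24": set(),
    "10.1.5.0/24": {"0:100"},
    "10.2.3.0/24": {"0:100"},
    "10.2.5.0/24": {"no-export"},
}

def aggregate(table, summary, origin_match, attribute_add):
    """Model aggregate ... detail-suppressed origin-policy ... attribute-policy ...

    origin_match stands in for match_comm (community-filter 1 permit 100);
    attribute_add stands in for add_comm (apply community 200:1 additive).
    Returns (table after aggregation, list of suppressed contributors).
    """
    net = ipaddress.ip_network(summary)
    contributors = [p for p, comms in table.items()
                    if ipaddress.ip_network(p).subnet_of(net) and origin_match in comms]
    # Only routes selected by the origin policy are suppressed; the rest stay specific.
    out = {p: set(c) for p, c in table.items() if p not in contributors}
    if contributors:
        # The aggregate exists only while at least one selected route exists.
        out[summary] = set(attribute_add)
    return out, contributors

def advertised_to_ebgp(table):
    """Routes R1 may send to its EBGP peer R4 (well-known communities honoured)."""
    blocked = {"no-export", "no-advertise"}
    return {p: c for p, c in table.items() if not (blocked & c)}

if __name__ == "__main__":
    after, suppressed = aggregate(R1_TABLE, "10.0.0.0/8", "0:100", {"200:1"})
    print("suppressed:", sorted(suppressed))
    print("sent to R4:", advertised_to_ebgp(after))
```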
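Additional exercise: think and verify
In step 4, if the community of the route 10.2.5.0/24 were also changed to no-advertise, consider how these routes would be propagated when you view the BGP routing tables on R2, R1 and R4 again.
Consider how to keep both specific routes 10.1.3.0/24 and 10.2.3.0/24 on R4 while suppressing only the specific route 10.1.5.0/24.
Final device configuration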
<R1>display current-configuration
[V200R007C00SPC600]
#
sysname R1
#
router id 10.0.1.1
#
interface Serial1/0/0
link-protocol ppp
ip address 10.0.12.1 255.255.255.0
#
interface Serial3/0/0
link-protocol ppp
ip address 10.0.14.1 255.255.255.0
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.255
#
bgp 64513
peer 10.0.12.2 as-number 64513
peer 10.0.14.4 as-number 64512
#
ipv4-family unicast
undo synchronization
aggregate 10.0.0.0 255.0.0.0 detail-suppressed origin-policy match_comm attribute-policy add_comm
peer 10.0.12.2 enable
peer 10.0.12.2 advertise-community
peer 10.0.14.4 enable
peer 10.0.14.4 advertise-community
#
route-policy match_comm permit node 10
if-match community-filter 1
#
route-policy add_comm permit node 10
apply community 200:1 additive
#
ip community-filter 1 permit 100
#
return
<R2>display current-configuration
[V200R007C00SPC600]
#
sysname R2
#
router id 10.0.2.2
#
interface Serial1/0/0
link-protocol ppp
ip address 10.0.12.2 255.255.255.0
#
interface Serial2/0/0
link-protocol ppp
ip address 10.0.23.2 255.255.255.0
#
interface GigabitEthernet0/0/0
ip address 10.0.25.2 255.255.255.0
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.255
#
bgp 64513
peer 10.0.12.1 as-number 64513
peer 10.0.23.3 as-number 64514
peer 10.0.25.5 as-number 64515
#
ipv4-family unicast
undo synchronization
peer 10.0.12.1 enable
peer 10.0.12.1 next-hop-local
peer 10.0.12.1 advertise-community
peer 10.0.23.3 enable
peer 10.0.23.3 advertise-community
peer 10.0.25.5 enable
peer 10.0.25.5 advertise-community
#
return
<R3>display current-configuration
[V200R007C00SPC600]
#
sysname R3
#
router id 10.0.3.3
#
acl number 2001
rule 0 permit source 10.2.3.0 0.0.0.255
#
interface Serial2/0/0
link-protocol ppp
ip address 10.0.23.3 255.255.255.0
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.255
#
interface LoopBack1
ip address 10.1.3.3 255.255.255.0
#
interface LoopBack2
ip address 10.2.3.3 255.255.255.0
#
bgp 64514
peer 10.0.23.2 as-number 64513
#
ipv4-family unicast
undo synchronization
network 10.1.3.0 255.255.255.0
network 10.2.3.0 255.255.255.0
peer 10.0.23.2 enable
peer 10.0.23.2 route-policy comm_r3 export
peer 10.0.23.2 advertise-community
#
route-policy comm_r3 permit node 10
if-match acl 2001
apply community 100
#
route-policy comm_r3 permit node 20
#
return
<R4>display current-configuration
[V200R007C00SPC600]
#
sysname R4
#
router id 10.0.4.4
#
interface Serial1/0/0
link-protocol ppp
ip address 10.0.14.4 255.255.255.0
#
interface LoopBack0
ip address 10.0.4.4 255.255.255.255
#
bgp 64512
peer 10.0.14.1 as-number 64513
#
ipv4-family unicast
undo synchronization
peer 10.0.14.1 enable
peer 10.0.14.1 advertise-community
#
return
<R5>display current-configuration
[V200R007C00SPC600]
#
sysname R5
#
router id 10.0.5.5
#
interface GigabitEthernet0/0/0
ip address 10.0.25.5 255.255.255.0
#
interface LoopBack0
ip address 10.0.5.5 255.255.255.255
#
interface LoopBack1
ip address 10.1.5.5 255.255.255.0
#
interface LoopBack2
ip address 10.2.5.5 255.255.255.0
#
interface LoopBack3
ip address 10.3.5.5 255.255.255.0
#
bgp 64515
peer 10.0.25.2 as-number 64513
#
ipv4-family unicast
undo synchronization
network 10.1.5.0 255.255.255.0
network 10.2.5.0 255.255.255.0
network 10.3.5.0 255.255.255.0
peer 10.0.25.2 enable
peer 10.0.25.2 route-policy comm_r5 export
peer 10.0.25.2 advertise-community
#
route-policy comm_r5 permit node 10
if-match acl 2000
apply community 100
#
route-policy comm_r5 permit node 20
if-match acl 2001
apply community no-export
#
route-policy comm_r5 permit node 30
if-match acl 2002
apply community no-advertise
#
return