As shown in the enterprise network topology for this experiment, R4, R5, R6 and R7 are the corporate headquarters routers, R1 and R3 are the routers of two different branch offices, and R2 is the carrier's network device. R1 and R3 each carry different service network segments: 192.168.10.0/24 and 172.16.10.0/24 are used by service A, and 192.168.20.0/24 and 172.16.20.0/24 are used by service B. Each branch also has a dedicated line to headquarters, so the service segments at the two branches can reach each other either through the carrier's equipment or over the dedicated lines via the headquarters devices. Deploy the network according to the following requirements:
1. Build the network according to the topology, and use the directly connected interfaces to establish EBGP neighbor relationships between all ASes.
Add two more loopback interfaces on R1:
interface LoopBack2
ip address 192.168.10.1 255.255.255.0
#
interface LoopBack3
ip address 192.168.20.1 255.255.255.0
Add two more loopback interfaces on R3:
interface LoopBack1
ip address 172.16.10.3 255.255.255.0
#
interface LoopBack2
ip address 172.16.20.3 255.255.255.0
R1<=>R2 / R1<=>R4 / R2<=>R3 / R3<=>R6 (configure all of them)
Taking R1 <=> R2 as an example:
R1:
bgp 100
peer 10.0.12.2 as-number 200
R2:
bgp 200
peer 10.0.12.1 as-number 100
2. In the company headquarters AS 400, R4 and R5, R5 and R7, R7 and R6, and R6 and R4 establish IBGP neighbor relationships in a ring using their loopback interfaces; the IGP is OSPF.
Note that establishing neighbors over loopback interfaces requires additional configuration commands.
R4<=>R5 / R5<=>R7 / R7<=>R6 / R6<=>R4 (configure all of them)
Taking R4 <=> R5 as an example:
R4:
ospf 1 router-id 10.0.4.4
area 0
network 10.0.4.4 0.0.0.0
network 10.0.45.4 0.0.0.0
network 10.0.46.4 0.0.0.0
bgp 400
peer 10.0.5.5 as-number 400
peer 10.0.5.5 connect-interface loopback 0
peer 10.0.6.6 as-number 400
peer 10.0.6.6 connect-interface loopback 0
peer 10.0.14.1 as-number 100
R5:
ospf 1 router-id 10.0.5.5
area 0.0.0.0
network 10.0.5.5 0.0.0.0
network 10.0.45.5 0.0.0.0
network 10.0.57.5 0.0.0.0
bgp 400
peer 10.0.4.4 as-number 400
peer 10.0.4.4 connect-interface LoopBack0
peer 10.0.7.7 as-number 400
peer 10.0.7.7 connect-interface LoopBack0
3. All service segments and the Loopback 0 segment on each device must be able to reach one another, with all routes delivered via BGP.
Configure static routes between R1 and R4 and between R3 and R6 so that EBGP and IBGP can interwork.
Taking R1 and R4 as an example:
R1:
ip route-static 10.0.4.4 255.255.255.255 10.0.14.4
R4:
ip route-static 10.0.1.1 255.255.255.255 10.0.14.1
Advertise only each router's own loopback interface segments:
R1: (likewise on R2 / R3)
bgp 100
network 10.0.1.1 255.255.255.255
network 192.168.10.0
network 192.168.20.0
Import OSPF into BGP:
R4:
bgp 400
import-route ospf 1
R6:
bgp 400
import-route ospf 1
Modify the next hop on R4 / R5 / R6 / R7:
R4:
bgp 400
peer 10.0.5.5 next-hop-local
peer 10.0.6.6 next-hop-local
R5:
bgp 400
peer 10.0.4.4 next-hop-local
peer 10.0.7.7 next-hop-local
4. To make full use of network resources, service A segment traffic is required to be forwarded through the carrier's equipment, and service B segment traffic over the dedicated line.
Understand the principle of the BGP AS-path attribute and make the appropriate changes.
BGP MED is used to control the direction of incoming traffic when connecting to an external AS. By default MED is compared only among routes from the same AS, but a command can enable MED comparison between different ASes. The smaller the MED, the higher the priority; it can be modified on the routes BGP sends to or receives from a neighbor.
Understand the principles of the BGP MED attribute, master the related configuration, and make the appropriate changes.
R2:
acl number 2002
rule 5 permit source 172.16.20.0 0.0.0.255
route-policy as permit node 5
if-match acl 2002
apply as-path 300 additive (modifies the AS-path)
route-policy as permit node 20
bgp 200
peer 10.0.12.1 route-policy as export
acl number 2004
rule 5 permit source 192.168.20.0 0.0.0.255
route-policy med permit node 10
if-match acl 2004
apply cost 300 (modifies the MED value)
route-policy med permit node 20
bgp 200
peer 10.0.23.3 route-policy med export
Note:
The MED value is modified on R2.
It takes effect only when the comparison is forced (written on R3 it suppresses 192.168.20.0; to suppress 172.16.20.0, force it on R1 instead):
[R3-bgp] compare-different-as-med
Check the modified MED value on R3.
View the AS-path on R1.
Trace:
5. The network administrator periodically inspects the lines; adjust the IGP link costs appropriately so that all traffic through the headquarters AS is currently forwarded along the R4-R5-R7-R6 path.
Because of IBGP split horizon, R5 cannot learn the service segment 172.16.20.0 and R7 cannot learn the service segment 192.168.20.0, so BGP routes can be imported into OSPF to let R5 and R7 learn the service segments through the IGP.
When BGP routes are imported into OSPF as external routes, the other OSPF routers by default choose the link with the shortest distance to the ASBR; the path can then be changed by modifying the interface cost. Each interface has a default cost.
Note: when importing, do not import OSPF into BGP; it affects step 6.
Make 192.168.20.0/24 and 172.16.20.0/24 forward along the R4-R5-R7-R6 path.
They originally went over R4-R6.
Modify the cost value on R4 and R6; no ACL is needed, just configure it in the interface view.
On R4:
interface GigabitEthernet0/0/1
ospf cost 100
On R6:
interface GigabitEthernet0/0/1
ospf cost 100
In R1:
6. During inspection the network administrator found that service B segment traffic is very large; forward service B segment traffic separately along the R4-R6 path (the BGP route selection is required to be consistent with the actual forwarding path).
Because of IBGP split horizon, routes are not passed on normally between IBGP neighbors; a full mesh or a route reflector can be used here, and route reflectors are the common choice.
Since the default BGP route preference is 255 and OSPF's is 150, the preference value of the BGP route must be forcibly lowered at this point so that it is selected.
Gain a deep understanding of BGP route selection rules and the characteristics of route reflectors, analyze the routing table behavior, and configure with routing policies.
Reflectors:
R5:
bgp 400
reflector cluster-id 1
peer 10.0.4.4 reflect-client
peer 10.0.7.7 reflect-client
R7:
bgp 400
reflector cluster-id 2
peer 10.0.5.5 reflect-client
peer 10.0.6.6 reflect-client
Method 1:
R4:
acl number 2000
rule 5 permit source 192.168.20.0 0.0.0.255
route-policy local permit node 10
if-match acl 2000
apply ip-address next-hop 10.0.46.4
#
route-policy local permit node 20
bgp 400
peer 10.0.6.6 route-policy local export
R6:
acl number 2000
rule 5 permit source 172.16.20.0 0.0.0.255
route-policy local permit node 10
if-match acl 2000
apply ip-address next-hop 10.0.46.6
route-policy local permit node 20
bgp 400
peer 10.0.4.4 route-policy local export
Method 2 (this method may not be very feasible):
Do this on both R4 and R6:
bgp 400
preference 100 100 100
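7. The headquarters network is to be reworked; without changing the existing configuration, add a small amount of configuration so that R5 and R7 do not take part in BGP path selection.
When a BGP neighbor session needs to be interrupted briefly and that neighbor has a large amount of configuration, running the peer ignore command avoids the work of reconfiguring it. For example, when the peer is being upgraded or a link is being adjusted and the neighbor keeps re-establishing the connection for a period of time, the BGP neighbor needs to be interrupted temporarily to avoid frequent flapping of routes or of the neighbor relationship; the command can then be used on the more stable end.
BGP is a routing protocol that establishes neighbors over TCP's three-way handshake. During establishment one side actively initiates the TCP connection; if neither side initiates a request, the TCP connection fails and the neighbor cannot be established.
The peer listen-only command sets the peer's connection mode so that it only listens for connection requests and does not actively send them; it takes effect only when enabled on both ends at the same time.
R4:
bgp 400
peer 10.0.5.5 ignore
R6:
bgp 400
peer 10.0.7.7 ignore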
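8. Configure the community attribute so that AS 200 does not receive the route for the 192.168.20.0/24 service segment.
Here route propagation can be limited by setting BGP's well-known community attributes, including Internet, No-advertise, No-export, No-export-subconfed, and so on.
9. Assume the 172.16.10.0/24 service segment is unstable and the network is interrupted from time to time; reduce its impact on the whole network through appropriate configuration.
BGP's Dampening attribute can be configured to reduce route flapping.
Analyze the requirement and add a reasonable configuration; the effect can be verified through actual testing.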
R3:
bgp 300
dampening route-policy damp
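How dampening limits the effect of a flapping prefix such as 172.16.10.0/24, as an added example that is not part of the original lab: a simplified RFC 2439-style penalty model in Python. The thresholds (half-life 15 min, reuse 750, suppress 2000, ceiling 16000, 1000 per flap) and the flap timelines are assumed values, since the page does not show the contents of the damp policy.

```python
import math

# Assumed dampening parameters (not taken from the page's "damp" policy).
HALF_LIFE_MIN = 15.0    # minutes for the penalty to halve
REUSE = 750.0           # below this a suppressed route is advertised again
SUPPRESS = 2000.0       # above this the route is suppressed
CEILING = 16000.0       # the penalty never grows past this
FLAP_PENALTY = 1000.0   # added on every flap

def decayed(penalty, minutes):
    """Exponential decay of the penalty over the given number of minutes."""
    return penalty * 0.5 ** (minutes / HALF_LIFE_MIN)

def simulate(flap_minutes):
    """Return (suppressed_at, reusable_at) in minutes, or (None, None)
    if the flaps never push the penalty over the suppress threshold."""
    penalty, last, suppressed_at = 0.0, None, None
    for t in sorted(flap_minutes):
        if last is not None:
            penalty = decayed(penalty, t - last)
            if suppressed_at is not None and penalty < REUSE:
                suppressed_at = None      # released before this flap
        penalty = min(penalty + FLAP_PENALTY, CEILING)
        last = t
        if suppressed_at is None and penalty > SUPPRESS:
            suppressed_at = t
    if suppressed_at is None:
        return None, None
    # Time after the last flap for the penalty to decay down to REUSE.
    wait = HALF_LIFE_MIN * math.log2(penalty / REUSE)
    return suppressed_at, last + wait

# Constructed flap timelines (minutes since the first flap).
BURST = [0, 1, 2]        # three flaps in quick succession
SPARSE = [0, 30, 60]     # one flap every half hour

if __name__ == "__main__":
    print("burst :", simulate(BURST))
    print("sparse:", simulate(SPARSE))
```

The burst is suppressed at the third flap and stays suppressed for roughly half an hour of stability, while the sparse timeline is never suppressed.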
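10. To improve BGP network security, configure authentication between EBGP neighbors.
Configure authentication on each of the two EBGP neighbors; the key can be huawei.
Note:
simple is plaintext authentication
cipher is MD5 authentication
R1<=>R2 / R1<=>R4 / R2<=>R3 / R3<=>R6
Taking R1<=>R2 as an example (MD5 authentication):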
R1:
bgp 100
peer 10.0.12.2 password cipher huawei
peer 10.0.14.4 password cipher huawei
R2:
bgp 200
peer 10.0.12.1 password cipher huawei
peer 10.0.23.3 password cipher huawei
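One way to check that step 10 was applied to every EBGP session, as an added example that is not part of the original lab: a small Python audit over a VRP-style BGP configuration. The function name and the sample text are assumptions; the sample is constructed from the R4 configuration in step 2, which has an EBGP peer toward R1 but no password line yet.

```python
import re

# Constructed sample: R4's BGP section as shown in step 2 (no password lines).
SAMPLE_R4 = """\
bgp 400
 peer 10.0.5.5 as-number 400
 peer 10.0.5.5 connect-interface loopback 0
 peer 10.0.6.6 as-number 400
 peer 10.0.6.6 connect-interface loopback 0
 peer 10.0.14.1 as-number 100
"""

def audit_bgp_auth(config):
    """Return {peer_ip: finding} for EBGP peers without 'password cipher'."""
    local_as, remote_as, auth = None, {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"bgp (\d+)", line)
        if m:
            local_as = m.group(1)
            continue
        m = re.fullmatch(r"peer (\S+) as-number (\d+)", line)
        if m:
            remote_as[m.group(1)] = m.group(2)
            continue
        m = re.fullmatch(r"peer (\S+) password (simple|cipher) \S+", line)
        if m:
            auth[m.group(1)] = m.group(2)
    findings = {}
    for peer, asn in remote_as.items():
        if asn == local_as:
            continue  # IBGP peer: outside the step 10 requirement
        mode = auth.get(peer)
        if mode is None:
            findings[peer] = "no password configured"
        elif mode == "simple":
            findings[peer] = "uses 'simple' instead of 'cipher'"
    return findings

if __name__ == "__main__":
    for peer, finding in audit_bgp_auth(SAMPLE_R4).items():
        print(f"EBGP peer {peer}: {finding}")
```

Because R1 already sets a password toward 10.0.14.4, the finding on R4 means the R1<=>R4 session cannot establish until R4 is given the matching peer 10.0.14.1 password line.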
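11. Change the BGP keepalive time on R2 to 30s, and adjust the hold time accordingly.
Understand how BGP timers work and master how to modify them.
The BGP Keepalive is sent once every 60s by default, and the Holdtime is 3 times the keepalive time.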
R2:
bgp 200
timer keepalive 30 hold 90