|
|
<h1><center>BGP (Border Gateway Protocol)</center></h1>
|
|
|
|
|
|
> Author: 行癫
|
|
|
|
|
|
------
|
|
|
|
|
|
<h3>Section 1: BGP</h3>

<h4>Part 1: BGP Fundamentals</h4>

To make ever-larger networks manageable, the network was divided into Autonomous Systems (AS). Early on, EGP (Exterior Gateway Protocol) was used to exchange routing information dynamically between ASes. EGP, however, was designed very simply: it only advertised reachability, did not select among routes, and had no loop avoidance, so it soon failed to meet network management requirements.

BGP was designed as another exterior gateway protocol to replace the original EGP. Unlike EGP, BGP can select the best route, avoid routing loops, transmit routes more efficiently, and maintain very large numbers of routes.
|
|
|
|
|
|
<h5>1. BGP Overview</h5>

**AS**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220211145759270.png" alt="image-20220211145759270" style="zoom:50%;" />

IGP routing protocols such as OSPF and IS-IS are widely used inside an organization's network. As networks grew and the number of routes kept increasing, IGPs could no longer manage networks at that scale, which gave rise to the concept of the AS.

An AS is a set of devices under a single administration that uses a unified routing policy.

Different ASes are distinguished by AS number, which has two representations, 16-bit and 32-bit. IANA is responsible for allocating AS numbers.
|
|
|
|
|
|
**Carrying routes between ASes with an IGP**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220211150023971.png" alt="image-20220211150023971" style="zoom:50%;" />

ASes would need directly connected links, or a logical direct connection built with a VPN protocol (for example a GRE tunnel), to form neighbor relationships.

Different ASes may belong to different organizations or companies that do not fully trust one another; running an IGP between them risks exposing the internal network information of each AS.

As the whole network grows, the number of routes increases further, routing tables get larger, convergence slows down, and device resource consumption rises.

Note:

VPN (virtual private network): VPN technology can be used to build, at the logical level, a directly connected network.
|
|
|
|
|
|
**Carrying routes between ASes with BGP**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220211150201640.png" alt="image-20220211150201640" style="zoom:50%;" />

For this reason BGP (Border Gateway Protocol) is used specifically for passing routes between ASes. Compared with a traditional IGP:

BGP runs over TCP; wherever a TCP connection can be established, a BGP session can be established.

Only routing information is exchanged; the topology inside the AS is not exposed.

Updates are triggered rather than periodic.
|
|
|
|
|
|
**History of BGP**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220211150259656.png" alt="image-20220211150259656" style="zoom:50%;" />

The latest RFC for BGP-4 is currently RFC 4271. Compared with RFC 1771 it spells out a number of details further, such as events, the state machine and the BGP route decision process.
|
|
|
|
|
|
**BGP in the enterprise**
|
|
|
|
|
|
<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220211150326672.png" alt="image-20220211150326672" style="zoom:50%;" />
|
|
|
|
|
|
<h5>2. Basic BGP Concepts</h5>

BGP is a path-vector protocol that provides routing reachability between autonomous systems and selects the best route. The three early versions were BGP-1 (RFC 1105), BGP-2 (RFC 1163) and BGP-3 (RFC 1267); BGP-4 (RFC 1771) came into use in 1994, and since 2006 unicast IPv4 networks use BGP-4 as specified in RFC 4271, while other networks (such as IPv6) use MP-BGP (RFC 4760).

**Characteristics of BGP:**

BGP uses TCP as its transport protocol (port 179) and uses triggered rather than periodic route updates.

BGP can carry very large volumes of routing information and therefore supports large-scale networks.

BGP offers rich routing policy, allowing flexible path selection and instructing peers to advertise routes according to policy.

BGP supports MPLS/VPN applications, carrying customer VPN routes.

BGP provides route aggregation and route dampening to suppress route flapping; together these two features significantly improve network stability.
|
|
|
|
|
|
**BGP features**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220211150507695.png" alt="image-20220211150507695" style="zoom:50%;" />

BGP uses TCP as its transport protocol, on TCP port 179. BGP sessions between routers are built on top of TCP connections.

A router running BGP is called a BGP speaker, or a BGP router.

Two routers that have established a BGP session are peers of each other; BGP peers exchange their BGP routing tables.

A BGP router sends only incremental BGP route updates, or triggered updates (never periodic updates).

BGP can carry a very large number of route prefixes and can be used in large-scale networks.

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220211150541964.png" alt="image-20220211150541964" style="zoom:50%;" />

BGP is usually described as a path-vector routing protocol.

Every BGP route carries a number of path attributes, through which BGP can control path selection. IS-IS and OSPF can only steer path selection through cost; BGP therefore has far more flexibility in path selection and can pick the most suitable control method for each scenario.
|
|
|
|
|
|
**BGP peer relationships**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220211150614495.png" alt="image-20220211150614495" style="zoom:50%;" />

Unlike OSPF, IS-IS and similar protocols, BGP sessions are built on TCP, so the two routers forming a BGP peer relationship do not have to be directly connected.

**There are two types of BGP peer relationship, EBGP and IBGP:**

EBGP (External BGP): a BGP peer relationship between BGP routers in different autonomous systems. Two routers must meet two conditions to form an EBGP peer relationship:

The two routers belong to different ASes (that is, their AS numbers differ).

When EBGP is configured, the peer IP address specified in the peer command must be reachable by routing, and the TCP connection must be able to be set up correctly.

IBGP (Internal BGP): a BGP adjacency between BGP routers in the same autonomous system.
|
|
|
|
|
|
**Establishing a BGP peer relationship**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220211150914518.png" alt="image-20220211150914518" style="zoom:50%;" />

The side that starts BGP first initiates the TCP connection. In the figure on the left, R1 starts BGP first, so R1 opens a TCP connection from a random source port to port 179 on R2 and completes the TCP connection setup.

After the three-way handshake, R1 and R2 exchange Open messages carrying the parameters used to set up the peer relationship. If parameter negotiation succeeds, both sides send Keepalive messages; once a Keepalive from the other side is received, the peer relationship is established. Both sides then send Keepalives periodically to keep the session up.

**The Open message carries:**

My Autonomous System: the local AS number

Hold Time: used to negotiate the interval for the subsequent Keepalive messages

BGP Identifier: the local Router ID

**Note:**

Both peers attempt a TCP three-way handshake, so two TCP connections are created, but BGP keeps only one of them. After obtaining the remote BGP Identifier from the Open message, each BGP peer compares its own Router ID with the peer's. If the local Router ID is smaller than the remote one, the locally initiated TCP connection is closed and the connection initiated by the remote side is used for all subsequent BGP message exchange.

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220211151102726.png" alt="image-20220211151102726" style="zoom:50%;" />

Once the BGP peer relationship is established, the BGP router sends BGP Update messages to advertise routes to the peer.
|
|
|
|
|
|
**TCP connection source address**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220211151142472.png" alt="image-20220211151142472" style="zoom:50%;" />

Inside an AS the network generally has some redundancy. If R1 and R3 built their IBGP neighbor relationship on directly connected interfaces, the BGP session would drop as soon as that interface or link failed, even though, thanks to the redundant link, IP connectivity between R1 and R3 is not actually down (they can still reach each other through R4).

By default, BGP uses the outgoing interface of its messages as the local interface for the TCP connection.

When deploying IBGP peer relationships it is recommended to use a Loopback address as the update source. Loopback interfaces are very stable and can rely on the IGP and the redundant topology inside the AS for reliability.

When deploying EBGP peer relationships the IP address of the directly connected interface is usually used as the source address. If Loopback interfaces are used for an EBGP peer relationship, the EBGP multi-hop issue must be taken into account.
|
|
|
|
|
|
**BGP message types**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220211151257115.png" alt="image-20220211151257115" style="zoom:50%;" />

BGP has five message types, all of which share the same header.

Unlike the common IGPs, BGP uses TCP (port 179) as its transport protocol, which allows BGP peer relationships to be established between routers that are not directly connected.

| **Message** | **Purpose** | **When sent** |
| ------------- | ------------------------------------------------------------ | ------------------------------------------------------------ |
| Open | Negotiate BGP peer parameters and establish the peer relationship | After the BGP TCP connection has been set up |
| Update | Send BGP route updates | After the peer relationship is established, whenever there are routes to send or routes change, an Update is sent to the peer |
| Notification | Report an error and terminate the peer relationship | When BGP detects an error during operation, it sends a Notification to tell the peer about the error |
| Keepalive | Mark the peer relationship as established and keep it alive | When a BGP router receives a Keepalive from the peer it sets the peer state to Established, and thereafter sends Keepalives periodically to maintain the connection |
| Route-refresh | Request that the peer re-send its routes after a routing policy change. Only BGP devices that support the route-refresh capability send and respond to this message | When the routing policy changes, triggering a request for the peer to re-advertise its routes |
|
|
|
|
|
|
**BGP message format - message header**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220211151344723.png" alt="image-20220211151344723" style="zoom:50%;" />

All five BGP message types share the same header, shown on the left. The main fields are:

Marker: 16 bytes, marks the boundary of a BGP message; all bits are set to 1

Length: 2 bytes, the total length of the BGP message including the header, in bytes

Type: 1 byte, the BGP message type. Values 1 to 5 denote Open, Update, Notification, Keepalive and Route-refresh respectively
|
|
|
|
|
|
**BGP message format - Open**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220211151445276.png" alt="image-20220211151445276" style="zoom:50%;" />

The Open message is the first message sent after the TCP connection is established and is used to set up the connection between BGP peers. Its main fields are:

Version: the BGP version number; 4 for BGP-4

My AS (autonomous system): the local AS number. Comparing the two sides' AS numbers shows whether the peer is in the same AS as the local router

Hold Time: the hold time. When the peer relationship is established the two sides negotiate the Hold Time and agree on a common value. If no Keepalive or Update is received from the peer within this time, the BGP connection is considered broken

BGP Identifier: the BGP identifier, expressed in the form of an IP address, used to identify the BGP router
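As an added example (not part of the original article), the following Python parses the common header and the Open fields just listed, rejecting messages that violate the layout, and builds an Open and a Keepalive to run it against. The message bytes, AS number and Router ID are constructed from the article's topology, not captured from a device.

```python
"""Parse the BGP common header and the fixed fields of an Open message.

Added example, not from the original article. Field layout follows the
header and Open fields described above (RFC 4271). Sample messages are
constructed below, not captured from a live session.
"""
import ipaddress
import struct

HEADER_LEN = 19                 # Marker (16) + Length (2) + Type (1)
MARKER = b"\xff" * 16           # all bits set to 1
TYPE_NAMES = {1: "Open", 2: "Update", 3: "Notification",
              4: "Keepalive", 5: "Route-refresh"}


class BgpFormatError(ValueError):
    """Raised when a message violates the header or Open layout."""


def parse_header(data: bytes) -> tuple:
    """Validate the 19-byte header and return (length, type)."""
    if len(data) < HEADER_LEN:
        raise BgpFormatError("short header")
    marker, length, msg_type = struct.unpack("!16sHB", data[:HEADER_LEN])
    if marker != MARKER:
        raise BgpFormatError("marker is not all ones")
    # Length includes the header; RFC 4271 bounds it to 19..4096 bytes.
    if not HEADER_LEN <= length <= 4096 or length != len(data):
        raise BgpFormatError(f"bad length {length} for {len(data)} bytes")
    if msg_type not in TYPE_NAMES:
        raise BgpFormatError(f"unknown type {msg_type}")
    return length, msg_type


def is_well_formed(data: bytes) -> bool:
    """True if the header validates, False otherwise."""
    try:
        parse_header(data)
    except BgpFormatError:
        return False
    return True


def parse_open(data: bytes) -> dict:
    """Decode Version, My AS, Hold Time and BGP Identifier from an Open."""
    _, msg_type = parse_header(data)
    if msg_type != 1:
        raise BgpFormatError(f"expected Open, got {TYPE_NAMES[msg_type]}")
    body = data[HEADER_LEN:]
    # Version(1) My AS(2) Hold Time(2) BGP Identifier(4) Opt Parm Len(1)
    if len(body) < 10:
        raise BgpFormatError("Open body too short")
    version, my_as, hold_time, bgp_id, opt_len = struct.unpack("!BHHIB", body[:10])
    if version != 4:
        raise BgpFormatError(f"unsupported version {version}")
    # Hold Time is either 0 (no keepalives) or at least 3 seconds.
    if hold_time in (1, 2):
        raise BgpFormatError(f"unacceptable hold time {hold_time}")
    if len(body) != 10 + opt_len:
        raise BgpFormatError("optional parameter length mismatch")
    return {
        "version": version,
        "my_as": my_as,
        "hold_time": hold_time,
        "bgp_identifier": str(ipaddress.IPv4Address(bgp_id)),
        "opt_params": body[10:],
    }


def build_open(my_as: int, hold_time: int, bgp_id: str) -> bytes:
    """Build an Open with no optional parameters (enough for the demo)."""
    body = struct.pack("!BHHIB", 4, my_as, hold_time,
                       int(ipaddress.IPv4Address(bgp_id)), 0)
    return MARKER + struct.pack("!HB", HEADER_LEN + len(body), 1) + body


def build_keepalive() -> bytes:
    """A Keepalive is the header alone, type 4."""
    return MARKER + struct.pack("!HB", HEADER_LEN, 4)


def negotiated_hold_time(local: int, remote: int) -> int:
    """Both sides settle on the smaller of the two offered Hold Times."""
    return min(local, remote)


if __name__ == "__main__":
    # Constructed sample: R1 in AS 100 with Router ID 10.0.1.1 (values taken
    # from the article's topology) offering a 180-second Hold Time.
    open_msg = build_open(100, 180, "10.0.1.1")
    print(parse_open(open_msg))
    print(TYPE_NAMES[parse_header(build_keepalive())[1]])
```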
|
|
|
|
|
|
**BGP message format - Update**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220211151544930.png" alt="image-20220211151544930" style="zoom:50%;" />

The Update message carries routing information between peers and can be used both to advertise and to withdraw routes.

A single Update can advertise multiple routes that share the same path attributes; these are carried in the NLRI (Network Layer Reachability Information). The same Update can also carry multiple unreachable routes, telling the peer to withdraw them; these are carried in the Withdrawn Routes field.

The main fields are:

Withdrawn routes: the list of unreachable routes

Path attributes: the list of all path attributes associated with the NLRI, each attribute encoded as a TLV (Type-Length-Value) triple

NLRI: the (prefix, prefix length) pairs of the reachable routes
|
|
|
|
|
|
**BGP message format - Notification**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220211151735003.png" alt="image-20220211151735003" style="zoom:50%;" />

When BGP detects an error condition (which can happen while the peer relationship is being established or after it is up), it sends a Notification to the peer stating the cause of the error. The BGP connection is then torn down immediately.

Error Code, Error subcode: the error code and error subcode, telling the peer the specific type of error

Data: supplementary detail describing the error; its length is not fixed
|
|
|
|
|
|
**BGP message format - Keepalive**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220211151810415.png" alt="image-20220211151810415" style="zoom:50%;" />

When a BGP router receives a Keepalive from its peer it sets the peer state to Established, and afterwards sends Keepalives periodically to keep the connection alive.

A Keepalive consists of the message header only, with no further fields.
|
|
|
|
|
|
**BGP message format - Route-refresh**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220211151958751.png" alt="image-20220211151958751" style="zoom:50%;" />

The Route-refresh message asks the peer to re-send the routes of a specified address family. It is generally used after the local routing policy has changed: the peer re-sends its Updates and the local router re-evaluates the BGP routes under the new policy.

AFI: Address Family Identifier, such as IPv4

Res.: reserved, 8 bits that must be set to 0

SAFI: Subsequent Address Family Identifier
|
|
|
|
|
|
**BGP state machine**

| **Peer state** | **Meaning** |
| ---------------- | ------------------------------------------------------------ |
| Idle | Preparing to start the TCP connection and watching the remote peer; when BGP is enabled, sufficient resources have to be allocated |
| Connect | A TCP connection is in progress and being waited for; authentication is done during TCP setup. If the TCP connection fails the state moves to Active and the connection is retried repeatedly |
| Active | The TCP connection did not succeed; TCP connection attempts are repeated |
| OpenSent | The TCP connection is up and an Open message has been sent, carrying the parameters for negotiating the peer relationship |
| OpenConfirm | Parameters and capabilities negotiated successfully; the local router has sent a Keepalive and is waiting for the peer's Keepalive |
| Established | The peer's Keepalive has been received and the capabilities of both sides have been found to match; Updates are now used to advertise routes |
|
|
|
|
|
|
<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220211152137691.png" alt="image-20220211152137691" style="zoom:50%;" />
|
|
|
|
|
|
1. Idle is the initial BGP state. In Idle, BGP refuses connection requests from peers. Only after receiving a local Start event does BGP try to open a TCP connection to another BGP peer and move to Connect.

A Start event is caused by an operator configuring a BGP process, resetting an existing one, or the router software resetting the BGP process.

In any state, on an Error event such as receiving a Notification or a TCP teardown notice, BGP moves to Idle.

2. In Connect, BGP starts the ConnectRetry timer and waits for the TCP connection to complete.

If the TCP connection succeeds, BGP sends an Open message to the peer and moves to OpenSent.

If the TCP connection fails, BGP moves to Active.

If the ConnectRetry timer expires and BGP has still not received a response from the peer, BGP keeps trying to open a TCP connection to the peer and stays in Connect.

3. In Active, BGP keeps trying to establish the TCP connection.

If the TCP connection succeeds, BGP sends an Open message to the peer, stops the ConnectRetry timer, and moves to OpenSent.

If the TCP connection fails, BGP stays in Active.

If the ConnectRetry timer expires and BGP has still not received a response from the peer, BGP moves to Connect.

4. In OpenSent, BGP waits for the peer's Open message and checks the AS number, version number, authentication data and so on in the Open it receives.

If the received Open is correct, BGP sends a Keepalive and moves to OpenConfirm.

If the received Open contains an error, BGP sends a Notification to the peer and moves to Idle.

5. In OpenConfirm, BGP waits for a Keepalive or a Notification. On a Keepalive it moves to Established; on a Notification it moves to Idle.

6. In Established, BGP can exchange Update, Keepalive, Route-refresh and Notification messages with the peer.

If a correct Update or Keepalive is received, BGP treats the peer as operating normally and keeps the BGP connection.

If an erroneous Update or Keepalive is received, BGP sends a Notification to the peer and moves to Idle.

A Route-refresh message does not change the BGP state.

If a Notification is received, BGP moves to Idle.

If a TCP teardown notice is received, BGP closes the connection and moves to Idle.
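The six states and the transitions listed above, as an added example that is not part of the original article: a small Python model of the peer state machine. It encodes only the events the text names (RFC 4271's full FSM has more events and timers), and records the message it would send at each step.

```python
"""Minimal model of the BGP peer state machine described above.

Added example, not from the original article. Only the transitions given
in the text are modelled; `actions` records what the model would send.
"""
from enum import Enum, auto


class State(Enum):
    IDLE = auto()
    CONNECT = auto()
    ACTIVE = auto()
    OPEN_SENT = auto()
    OPEN_CONFIRM = auto()
    ESTABLISHED = auto()


class Event(Enum):
    START = auto()                  # operator configures or resets BGP
    TCP_CONNECTED = auto()
    TCP_FAILED = auto()
    CONNECT_RETRY_EXPIRED = auto()
    OPEN_OK = auto()                # Open received, AS/version/auth checks passed
    OPEN_BAD = auto()               # Open received but a check failed
    KEEPALIVE = auto()
    UPDATE_OK = auto()
    UPDATE_BAD = auto()
    ROUTE_REFRESH = auto()
    NOTIFICATION = auto()
    TCP_CLOSED = auto()


class BgpPeerFsm:
    def __init__(self) -> None:
        self.state = State.IDLE
        self.actions = []           # messages/actions the model emits

    def _to_idle(self, reason: str) -> State:
        self.actions.append(f"close connection ({reason})")
        return State.IDLE

    def handle(self, event: Event) -> State:
        s = self.state
        # Error events return the FSM to Idle from any state.
        if event in (Event.NOTIFICATION, Event.TCP_CLOSED):
            self.state = self._to_idle(event.name.lower())
            return self.state
        if s is State.IDLE:
            if event is Event.START:
                self.actions.append("initiate TCP connection")
                s = State.CONNECT
            # anything else is refused while Idle
        elif s is State.CONNECT:
            if event is Event.TCP_CONNECTED:
                self.actions.append("send Open")
                s = State.OPEN_SENT
            elif event is Event.TCP_FAILED:
                s = State.ACTIVE
            elif event is Event.CONNECT_RETRY_EXPIRED:
                self.actions.append("retry TCP connection")   # stays in Connect
        elif s is State.ACTIVE:
            if event is Event.TCP_CONNECTED:
                self.actions.append("stop ConnectRetry timer; send Open")
                s = State.OPEN_SENT
            elif event is Event.CONNECT_RETRY_EXPIRED:
                s = State.CONNECT
            # TCP_FAILED: keep trying, stay in Active
        elif s is State.OPEN_SENT:
            if event is Event.OPEN_OK:
                self.actions.append("send Keepalive")
                s = State.OPEN_CONFIRM
            elif event is Event.OPEN_BAD:
                self.actions.append("send Notification")
                s = self._to_idle("bad Open")
        elif s is State.OPEN_CONFIRM:
            if event is Event.KEEPALIVE:
                s = State.ESTABLISHED
        elif s is State.ESTABLISHED:
            if event in (Event.KEEPALIVE, Event.UPDATE_OK, Event.ROUTE_REFRESH):
                pass                    # peer is healthy; session stays up
            elif event is Event.UPDATE_BAD:
                self.actions.append("send Notification")
                s = self._to_idle("bad Update")
        self.state = s
        return s


def run(events) -> list:
    """Feed events to a fresh FSM and return the state after each one."""
    fsm = BgpPeerFsm()
    return [fsm.handle(e) for e in events]


if __name__ == "__main__":
    # Constructed event sequence: R1 brings the session with R2 up cleanly.
    print(run([Event.START, Event.TCP_CONNECTED, Event.OPEN_OK, Event.KEEPALIVE]))
```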
|
|
|
|
|
|
**BGP state machine in detail**
|
|
|
|
|
|
![image-20220211152605702](https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220211152605702.png)
|
|
|
|
|
|
![image-20220211152617184](https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220211152617184.png)
|
|
|
|
|
|
**BGP peer table**

```shell
<R1>display bgp peer
BGP local router ID : 10.0.1.1
Local AS number : 100
Total number of peers : 1 Peers in established state : 1

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv

10.0.12.2 4 100 25719 25714 0 0428h32m Established 1
```

The display bgp peer command shows the BGP peer table on the device. The main columns mean:

Peer: the peer's address

V: version, the BGP version number

AS: the peer's AS number

Up/Down: how long the peer has been up or down

State: the peer state, shown as a BGP state machine state

PrefRcv: prefixes received, the number of route prefixes received from this peer
|
|
|
|
|
|
**BGP routing table**

```shell
<R1>display bgp routing-table
BGP Local router ID is 10.0.1.1
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 2
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 10.0.45.0/24 10.0.4.4 0 100 0 ?
* i 10.0.4.4 0 100 0 ?
```

The display bgp routing-table command shows the BGP routing table on the device:

Network: the destination network address and mask of the route

NextHop: the next-hop address

To see more detail on a particular route, use the following command, which shows the matching BGP route in full:

```shell
display bgp routing-table ipv4-address { mask | mask-length }
```

```shell
<R1>display bgp routing-table 10.0.45.0 24
BGP local router ID : 10.0.1.1
Local AS number : 100
Paths: 2 available, 1 best, 1 select
BGP routing table entry information of 10.0.45.0/24:
From: 10.0.2.2 (10.0.2.2) # source of the route
Route Duration: 06h19m44s
Relay IP Nexthop: 10.0.12.2
Relay IP Out-Interface: GigabitEthernet0/0/0
Original nexthop: 10.0.4.4 # next-hop address of the route
Qos information : 0x0
AS-path Nil, origin incomplete, MED 0, localpref 100, pref-val 0, valid, internal, best, select, active, pre 255, IGP cost 2 # path attributes and whether the route is preferred
Originator: 10.0.4.4
Cluster list: 10.0.2.2
Not advertised to any peer yet
```
|
|
|
|
|
|
**Generating BGP routes**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220211153357320.png" alt="image-20220211153357320" style="zoom:50%;" />

Unlike IGPs, BGP itself does not discover or compute routes. BGP injects routes from the IGP routing table into the BGP routing table and passes them to its BGP peers in Update messages.

**There are two ways to inject routes into BGP:**

Network

import-route
|
|
|
|
|
|
**Injecting routes with network**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220211153111518.png" alt="image-20220211153111518" style="zoom:50%;" />

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220211153732346.png" alt="image-20220211153732346" style="zoom:50%;" />

The BGP router in AS 200 has already learned two routes, 10.1.0.0/24 and 10.2.0.0/24, through the IGP (OSPF). Injecting these two routes with the network command in the BGP process makes them appear in the local BGP routing table.

The BGP router in AS 200 passes the routes to the BGP router in AS 300 in an Update message.

When the BGP router in AS 300 receives the routes it adds them to its local BGP routing table.

Note:

A route injected with network must already exist in the IP routing table; otherwise it is not injected into the BGP routing table.
|
|
|
|
|
|
**Injecting routes with import-route**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220211153810479.png" alt="image-20220211153810479" style="zoom:50%;" />

Injecting with network is precise, but each route in the IP routing table has to be configured one by one, and with many routes the configuration becomes very cumbersome. import-route can be used instead to inject into the BGP routing table the routes of:

direct routes

static routes

OSPF routes

IS-IS routes, and the routes of other protocols
|
|
|
|
|
|
**BGP route aggregation**

Like most IGPs, BGP supports manual route aggregation. The aggregate command in the BGP view performs manual aggregation of BGP routes: as long as BGP has already learned the corresponding specific routes, the device injects the specified aggregate route into BGP.

![image-20220211153918170](https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220211153918170.png)

After aggregation, the local BGP routing table contains, in addition to the original specific routes, one extra aggregate route entry.

If detail-suppressed is specified when aggregating, BGP advertises only the aggregate route to its peers and not the specific routes it was built from.

With the parameter that suppresses specific routes configured on the aggregate, the routing table on R3 shows only the BGP route 10.1.0.0/22; the specific routes that were aggregated are not visible.
|
|
|
|
|
|
**Advertisement rules**

After BGP routes have been generated through network, import-route or aggregate, BGP passes them to its peers in Update messages.

BGP advertisement follows these rules:

Only the best routes are advertised

Routes learned from an EBGP peer are advertised to all peers

IBGP split horizon: routes learned from an IBGP peer are not advertised to IBGP peers
|
|
|
|
|
|
**BGP advertisement rule one**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220211154204358.png" alt="image-20220211154204358" style="zoom:50%;" />

Rule one: only the best and valid routes (that is, routes whose next-hop address is reachable) are advertised.

The display bgp routing-table command shows the BGP routing table:

```shell
Total Number of Routes: 2
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 10.1.0.0/24 11.1.0.1 0 100 0 ?
*i 11.1.0.2 0 100 0 ?
```

A route carrying both of the following flags in the BGP routing table is best and valid:

`*` : valid

`>` : best
|
|
|
|
|
|
**BGP advertisement rule two**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220211154307855.png" alt="image-20220211154307855" style="zoom:50%;" />

Rule two: routes learned from an EBGP peer are advertised to all peers. R2 advertises the BGP routes it learned from its EBGP peer to all of its EBGP and IBGP peers.
|
|
|
|
|
|
**BGP advertisement rule three**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220211154349426.png" alt="image-20220211154349426" style="zoom:50%;" />

Rule three: BGP routes learned from an IBGP peer are not passed on to other IBGP peers.

This rule is also known as "IBGP split horizon".

If routes learned from an IBGP peer were passed on to other IBGP peers, a loop would form: R2 passes a route to its IBGP peer R3, R3 passes it to its IBGP peer R1, and R1 passes it on to its IBGP peer R2.

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220211154454686.png" alt="image-20220211154454686" style="zoom:50%;" />

Rule three can create a new problem. As shown on the left, when R2 passes a route to R1, rule three prevents R1 from passing it on to R3, so R3 never learns the route.

This can be solved with an IBGP full mesh inside the AS: R2 and R3 establish a non-directly-connected IBGP peer relationship, so that R2 passes the route to R3 directly.
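The three advertisement rules and the R1/R2/R3 problem above, as an added example that is not from the original article: a Python simulation that floods one prefix through a constructed copy of the figure's topology (R1, R2, R3 in AS 100; R4 in AS 200 as R2's EBGP peer) with and without the R2-R3 IBGP session. The prefix 10.0.4.0/24 is reused from the article's rule-four figure.

```python
"""Propagate one prefix through a small topology under the three BGP
advertisement rules above.

Added example, not part of the original article. Routers, sessions and
the prefix are constructed to match the figure: R2 learns a route from
its EBGP peer R4 in AS 200 and R1 sits between R2 and R3.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Route:
    prefix: str
    learned_from: Optional[str]   # peer the route came from; None = local
    via_ebgp: bool                # True if that peer is an EBGP peer
    valid: bool = True            # next hop reachable (rule one)


@dataclass
class Router:
    name: str
    asn: int
    peers: Dict[str, int] = field(default_factory=dict)   # peer name -> peer AS
    rib: Dict[str, Route] = field(default_factory=dict)   # prefix -> best route


def may_advertise(router: Router, route: Route, to_peer: str) -> bool:
    """Apply the announcement rules for one (route, peer) pair."""
    if not route.valid:                       # rule 1: only valid & best routes
        return False
    if to_peer == route.learned_from:         # never echo a route to its source
        return False
    to_ibgp = router.peers[to_peer] == router.asn
    if route.learned_from is not None and not route.via_ebgp and to_ibgp:
        return False                          # rule 3: IBGP split horizon
    return True                               # rule 2: EBGP-learned -> everyone


def propagate(routers: Dict[str, Router], origin: str, prefix: str) -> Set[str]:
    """Inject prefix at `origin`, flood it, and return the routers that learn it."""
    routers[origin].rib[prefix] = Route(prefix, None, False)
    pending = deque([origin])
    while pending:
        name = pending.popleft()
        r = routers[name]
        route = r.rib[prefix]
        for peer, peer_as in r.peers.items():
            if not may_advertise(r, route, peer) or prefix in routers[peer].rib:
                continue    # first copy wins here; a real speaker runs best-path
            routers[peer].rib[prefix] = Route(prefix, name, via_ebgp=(peer_as != r.asn))
            pending.append(peer)
    return {n for n, r in routers.items() if prefix in r.rib}


def build(full_mesh: bool) -> Dict[str, Router]:
    """AS 100 = R1, R2, R3; R4 in AS 200 peers with R2 over EBGP."""
    r = {n: Router(n, 100) for n in ("R1", "R2", "R3")}
    r["R4"] = Router("R4", 200)
    sessions = [("R2", "R4"), ("R1", "R2"), ("R1", "R3")]
    if full_mesh:
        sessions.append(("R2", "R3"))   # the non-directly-connected IBGP session
    for a, b in sessions:
        r[a].peers[b] = r[b].asn
        r[b].peers[a] = r[a].asn
    return r


if __name__ == "__main__":
    print(sorted(propagate(build(full_mesh=False), "R4", "10.0.4.0/24")))  # R3 missing
    print(sorted(propagate(build(full_mesh=True), "R4", "10.0.4.0/24")))   # all four
```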
|
|
|
|
|
|
**BGP advertisement rule four**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220211154528589.png" alt="image-20220211154528589" style="zoom:50%;" />

Rule four: when a router learns a BGP route from an IBGP peer (an IBGP route), it may neither use that route nor advertise it to its EBGP peers unless it has also learned the same route through an IGP (OSPF and the like, including static routes here). This rule is also known as BGP synchronization.

BGP router R4 has a route 10.0.4.0/24 and passes it to R2.

R2 passes the route to its non-directly-connected IBGP peer R3.

R3 passes the route to R5.

R5 then tries to reach 10.0.4.4.

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220211160636858.png" alt="image-20220211160636858" style="zoom:50%;" />

R5 reaching 10.0.4.4:

R5 looks up its routing table and forwards the packet to R3.

R3 receives the packet and looks up its routing table, matching a BGP route whose next hop is R2. R2 is not a directly connected next hop, so route recursion is needed; the route learned via the IGP resolves the next hop to R1, and R3 forwards the packet to R1.

R1 receives the packet and looks up its routing table. R1 is not a BGP router and has no IBGP peer relationship with R2, so it has no BGP route for 10.0.4.0/24. The lookup fails and R1 drops the packet.
|
|
|
|
|
|
<h5>3. Basic BGP Configuration</h5>
|
|
|
|
|
|
![image-20220211163108702](https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220211163108702.png)
|
|
|
|
|
|
<h5>4. Configuration Example</h5>

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213132301393.png" alt="image-20220213132301393" style="zoom:50%;" />

The BGP peer relationships, AS numbers and interconnection addresses are shown in the figure.

Every device has a Loopback1 address 10.0.x.x/32, where x is the device number, and every device uses its Loopback1 address as its Router ID.

OSPF runs between R1, R2 and R3 so that R1 and R3 can set up the TCP connection between their loopbacks.

R1 and R3 use their Loopback1 addresses as the update source to form an IBGP peer relationship; R3 and R4 use their interconnection interface addresses as the update source to form an EBGP peer relationship.
|
|
|
|
|
|
**Configuration of R1:**

```shell
[R1] bgp 100
[R1-bgp] router-id 10.0.1.1
[R1-bgp] peer 10.0.3.3 as-number 100
[R1-bgp] peer 10.0.3.3 connect-interface LoopBack1
```

**Configuration of R3:**

```shell
[R3] bgp 100
[R3-bgp] router-id 10.0.3.3
[R3-bgp] peer 10.0.1.1 as-number 100
[R3-bgp] peer 10.0.1.1 connect-interface LoopBack1
[R3-bgp] peer 10.0.34.4 as-number 200
```

**Configuration of R4:**

```shell
[R4] bgp 200
[R4-bgp] router-id 10.0.4.4
[R4-bgp] peer 10.0.34.3 as-number 100
```

**Checking the BGP peer state on R3:**

```shell
<R3> display bgp peer
BGP Local router ID : 10.0.3.3
local AS number : 100
Total number of peers : 2
Peers in established state : 2

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv

10.0.1.1 4 100 0 0 0 00:00:07 Established 0
10.0.34.4 4 200 32 35 0 00:17:49 Established 0
```
|
|
|
|
|
|
<h3>Section 2: BGP Path Attributes and Route Reflectors</h3>

<h4>Part 1: BGP Path Attributes</h4>

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213134050784.png" alt="image-20220213134050784" style="zoom:50%;" />

Every BGP route carries a number of path attributes.

When a router advertises a BGP route to its peers, the path attributes the route carries are advertised along with it.

BGP path attributes influence route selection.
|
|
|
|
|
|
<h5>1. Classification of Path Attributes</h5>

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213134145268.png" alt="image-20220213134145268" style="zoom:50%;" />

Well-known attributes are attributes that every BGP router must be able to recognize. They fall into two classes:

Well-known Mandatory: must be included in every Update message

Well-known Discretionary: may be included in some Update messages

Optional attributes do not have to be recognized by every BGP router. They also fall into two classes:

Optional Transitive: a BGP device that does not recognize such an attribute still accepts it and advertises it on to other peers

Optional Non-transitive: a BGP device that does not recognize such an attribute ignores it and does not advertise it to other peers
|
|
|
|
|
|
**BGP Update message example**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213134331807.png" alt="image-20220213134331807" style="zoom:50%;" />

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213134425890.png" alt="image-20220213134425890" style="zoom:50%;" />

AS_Path is a well-known mandatory attribute: the list of AS numbers a route has passed through on its way to the destination network.

Purpose: it ensures that routes passed between EBGP peers are loop-free, and it also serves as one of the criteria for route selection.

When a route is advertised to an EBGP peer, the router adds its local AS number to the route's AS_Path; when a route is advertised to an IBGP peer, the AS_Path does not change.
|
|
|
|
|
|
**AS_Path loop prevention**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213134537954.png" alt="image-20220213134537954" style="zoom:50%;" />

In the BGP route update R1 receives from R4, the AS_Path attribute is 400 300 200 100. It contains R1's own AS number, so R1 does not accept the route, which prevents a routing loop.
|
|
|
|
|
|
**AS_Path influences route selection**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213134625579.png" al t="image-20220213134625579" style="zoom:50%;" />

One of the important functions of AS_Path is to influence BGP route selection. In the figure above, R5 learns BGP routes to 10.0.1.0/24 from both R2 and R4. All else being equal, R5 prefers the route advertised by R2 because its AS_Path attribute is shorter, that is, it contains fewer AS numbers.
|
|
|
|
|
|
**AS_Path types**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213134920074.png" alt="image-20220213134920074" style="zoom:50%;" />

Route aggregation solves two problems: it lightens the load on devices, and it hides the specific routes, reducing the impact of route flapping. After aggregation, however, the AS_Path information is lost and loops become possible. An AS_Path of type AS_SET can carry the pre-aggregation AS path information to address this.

If, after aggregation, the aggregate route needs to carry every AS number from the AS_Path attributes of the specific routes in order to prevent loops, add the as-set parameter to the aggregation command.

In the AS_SET example, aggregation took place within AS 300 with the as-set parameter configured, so the aggregate route represents the AS_Path information of the specific routes as one AS-Set (the AS numbers inside braces {}, with no ordering among them) and carries it to prevent loops.

Besides AS_SET and AS_SEQUENCE, AS_Path has two further types, AS_Confed_Sequence and AS_Confed_Set, which are used with BGP confederations.
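The AS_Path behaviour described in the last four subsections (prepending on EBGP export, rejecting a path that already contains the local AS, preferring the shorter path, and aggregation with and without as-set), as an added Python example that is not from the original article. The AS numbers 100 to 400 are reused from the figures; the attribute is modelled as a list of segments, each an ordered AS_SEQUENCE or an unordered AS_SET.

```python
"""AS_Path handling: prepend on EBGP export, loop rejection on import,
shortest-path preference and AS_SET aggregation.

Added example, not from the original article. A path is a list of
segments: ('AS_SEQUENCE', [ordered ASes]) or ('AS_SET', {ASes}).
"""
from typing import List, Set, Tuple, Union

Segment = Tuple[str, Union[List[int], Set[int]]]
AsPath = List[Segment]


def ases_in(path: AsPath) -> Set[int]:
    """Every AS number mentioned anywhere in the path."""
    return {asn for _, body in path for asn in body}


def export(path: AsPath, local_as: int, to_ebgp: bool) -> AsPath:
    """Prepend local AS when sending to an EBGP peer; unchanged for IBGP."""
    if not to_ebgp:
        return path
    if path and path[0][0] == "AS_SEQUENCE":
        return [("AS_SEQUENCE", [local_as] + list(path[0][1]))] + path[1:]
    return [("AS_SEQUENCE", [local_as])] + path


def accept(path: AsPath, local_as: int) -> bool:
    """Reject a route whose AS_Path already contains our own AS (a loop)."""
    return local_as not in ases_in(path)


def path_length(path: AsPath) -> int:
    """Length used for comparison: each AS in a sequence counts 1 and an
    AS_SET counts as a single hop whatever its size (RFC 4271 rule)."""
    return sum(len(body) if kind == "AS_SEQUENCE" else 1 for kind, body in path)


def prefer_shorter(candidates: List[Tuple[str, AsPath]]) -> str:
    """Return the peer whose route carries the shortest AS_Path."""
    return min(candidates, key=lambda c: path_length(c[1]))[0]


def aggregate(detail_paths: List[AsPath], as_set: bool) -> AsPath:
    """Summarise detail routes. Without as-set the detail paths are dropped
    and the aggregate starts with an empty path (the aggregating AS is
    prepended on export). With as-set every AS seen in any detail route is
    kept in one unordered AS_SET, as the article describes."""
    if not as_set:
        return []
    merged: Set[int] = set()
    for p in detail_paths:
        merged |= ases_in(p)
    return [("AS_SET", merged)]


if __name__ == "__main__":
    # Constructed: R4 in AS 400 offers R1 (AS 100) a path 300 200 100.
    looped = export([("AS_SEQUENCE", [300, 200, 100])], 400, to_ebgp=True)
    print(looped, accept(looped, 100))                   # False: loop rejected
    # AS 300 aggregates routes that came from AS 100 and AS 200 with as-set.
    agg = export(aggregate([[("AS_SEQUENCE", [100])], [("AS_SEQUENCE", [200])]],
                           as_set=True), 300, to_ebgp=True)
    print(agg, accept(agg, 100), path_length(agg))
```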
|
|
|
|
|
|
**Modifying AS_Path**

When a Route-Policy is used to modify a BGP route's AS_Path attribute, the following three methods are available:
|
|
|
|
|
|
<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213135117825.png" alt="image-20220213135117825" style="zoom:50%;" />
|
|
|
|
|
|
<h5>2. Origin</h5>

| **Origin** | **Code** | **Description** |
| ------------ | -------- | ------------------------------------------------------------ |
| IGP | i | If the originating BGP router injected the route into BGP with the network command, the BGP route's Origin attribute is IGP |
| EGP | e | If the route was learned through EGP, the BGP route's Origin attribute is EGP |
| Incomplete | ? | If the route was learned in any other way, the Origin attribute is Incomplete, for example for routes imported into BGP with the import-route command |

Origin is a well-known mandatory attribute that identifies how a BGP route originated. As the table shows, there are three Origin values, depending on how the route was brought into BGP.

When there are several routes to the same destination with different Origin attributes, all else being equal BGP prefers them in the following order of Origin: IGP > EGP > Incomplete.
|
|
|
|
|
|
**Origin as shown in the BGP table**

```shell
[R2] display bgp routing-table
BGP Local router ID is 10.0.2.2
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

Total Number of Routes: 4
Network NextHop MED LocPrf PrefVal Path/Ogn

*>i 10.0.1.0/24 10.0.12.1 0 200 0 i
* i 10.0.23.3 0 100 0 i
```
|
|
|
|
|
|
<h5>3. Next_Hop</h5>

Next_Hop is a well-known mandatory attribute that specifies the next-hop address toward the destination network.

When a router learns a BGP route it checks the Next_Hop attribute value: that IP address must be reachable in the local routing table. If it is not, the BGP route is unusable.

The default rules a device uses to set a BGP route's Next_Hop attribute in the various situations are:

When a BGP router advertises a route to an EBGP peer, it sets the route's next-hop attribute to the address of the local interface on which the BGP neighbor relationship with that peer is built.

When a BGP router advertises a locally originated route to an IBGP peer, it sets the route's next-hop attribute to the address of the local interface on which the BGP neighbor relationship with that peer is built.

When a router receives a BGP route from an EBGP peer and passes it to its IBGP peers, it leaves the route's Next_Hop attribute unchanged.

If a router receives a BGP route whose Next_Hop attribute is on the same network segment as the EBGP peer it is updating, the route's Next_Hop address is kept unchanged when the route is passed to that BGP peer.
|
|
|
|
|
|
**Default Next_Hop behavior**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213135740114.png" alt="image-20220213135740114" style="zoom:50%;" />

When a router advertises a BGP route to its EBGP peer, it sets the route's Next_Hop to its own TCP connection source address.

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213135834341.png" alt="image-20220213135834341" style="zoom:50%;" />

When a router receives a BGP route from an EBGP peer and passes it to its IBGP peers, it leaves the route's Next_Hop attribute unchanged.

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213135850400.png" alt="image-20220213135850400" style="zoom:50%;" />

If a router receives a BGP route whose Next_Hop attribute is on the same network segment as the EBGP peer it is updating, the route's Next_Hop address is kept unchanged when the route is passed to that BGP peer.

**Modifying the Next_Hop attribute**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213140152334.png" alt="image-20220213140152334" style="zoom:50%;" />

The peer next-hop-local command makes the router set the next-hop attribute to its own TCP connection source address when advertising routes to an IBGP peer (or peer group).

By default, the BGP route 10.0.1.0/24 that R2 advertises to R3 has a NextHop of 10.0.12.1. If R2 has not advertised a route to 10.0.12.0/24 into the IGP of AS 200, R3 has no way to reach 10.0.12.1, so the NextHop of the BGP route 10.0.1.0/24 is unreachable and the route is treated as invalid.
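The default Next_Hop rules above, the next-hop-local fix, and the reachability check on import, as an added Python example that is not from the original article. The addresses follow the figure (R1 in AS 100 at 10.0.12.1; R2 and R3 in AS 200 on 10.0.23.0/24); R3's IGP routing table is constructed and deliberately lacks 10.0.12.0/24.

```python
"""Default Next_Hop handling on export, and the reachability check on
import, following the rules described above.

Added example, not from the original article. Peers and the local
routing table are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Peer:
    name: str
    asn: int
    address: str        # the peer's address for the BGP session
    local_source: str   # our TCP connection source address toward it
    link: str           # subnet shared with the peer, e.g. 10.0.23.0/24


def next_hop_on_export(route_nh: Optional[str], local_as: int, peer: Peer,
                       next_hop_local: bool = False) -> str:
    """Return the Next_Hop written into the Update sent to `peer`.

    route_nh is the Next_Hop the route currently carries, or None for a
    locally originated route.
    """
    to_ebgp = peer.asn != local_as
    if route_nh is None:
        # Locally originated: our session source address, EBGP and IBGP alike.
        return peer.local_source
    if to_ebgp:
        if ipaddress.ip_address(route_nh) in ipaddress.ip_network(peer.link):
            return route_nh             # Next_Hop on the shared segment: keep it
        return peer.local_source        # otherwise EBGP export rewrites Next_Hop
    if next_hop_local:
        return peer.local_source        # peer ... next-hop-local configured
    return route_nh                     # EBGP-learned route to an IBGP peer: unchanged


def route_usable(route_nh: str, local_routes: List[str]) -> bool:
    """On import the Next_Hop must be reachable via the local routing table."""
    nh = ipaddress.ip_address(route_nh)
    return any(nh in ipaddress.ip_network(p) for p in local_routes)


if __name__ == "__main__":
    r1_to_r2 = Peer("R2", 200, "10.0.12.2", "10.0.12.1", "10.0.12.0/24")
    r2_to_r3 = Peer("R3", 200, "10.0.23.3", "10.0.23.2", "10.0.23.0/24")
    nh = next_hop_on_export(None, 100, r1_to_r2)        # R1 -> R2 (EBGP)
    nh = next_hop_on_export(nh, 200, r2_to_r3)          # R2 -> R3 (IBGP), unchanged
    r3_igp = ["10.0.23.0/24", "10.0.2.2/32", "10.0.3.3/32"]   # constructed
    print(nh, route_usable(nh, r3_igp))                 # 10.0.12.1 False
    nh = next_hop_on_export("10.0.12.1", 200, r2_to_r3, next_hop_local=True)
    print(nh, route_usable(nh, r3_igp))                 # 10.0.23.2 True
```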
|
|
|
|
|
|
<h5>4. Local_Preference</h5>

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213140245592.png" alt="image-20220213140245592" style="zoom:50%;" />

Routing policies toward R2 are deployed on R1 and R3 so that the 10.0.45.0/24 route R1 sends to R2 has a Local_Preference of 200 while R3 keeps the default. R2 therefore prefers the 10.0.45.0/24 route received from R1.

Local_Preference, the local preference attribute, is a well-known discretionary attribute. It tells the routers within an AS which path is the preferred exit from the AS.

The higher the Local_Preference value, the more preferred the BGP route. The default Local_Preference is 100.

This attribute is only passed to IBGP peers, never to EBGP peers.
|
|
|
|
|
|
**Viewing Local_Preference in the BGP routing table**

```shell
[R2] display bgp routing-table
BGP Local router ID is 10.0.2.2
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

Total Number of Routes: 4
Network NextHop MED LocPrf PrefVal Path/Ogn

*>i 10.0.45.0/24 10.0.12.1 0 200 0 i
* i 10.0.23.3 0 100 0 i
```

A BGP route with Local_Preference 200 is preferred over one with Local_Preference 100; in the BGP routing table the route from 10.0.12.1 is the best route.
|
|
|
|
|
|
**Notes on Local_Preference**

The Local_Preference attribute is only passed between IBGP peers (unless a policy changes it, the Local_Preference value is not lost as a route is passed between IBGP peers) and never between EBGP peers. If a route received from an EBGP peer carries Local_Preference in its path attributes, it is treated as an error.

The Local_Preference value can, however, be modified with an import-direction policy on the AS border router: after the route is received, it is assigned a Local_Preference locally.

The bgp default local-preference command changes the default Local_Preference value, which is 100.

When a router sends a route update to an EBGP peer it must not carry the Local_Preference attribute, but the receiving side assigns the route the default Local_Preference (100) locally before passing it on to its own IBGP peers.

Routes brought in locally with the network and import-route commands have the default Local_Preference of 100 and can be passed to other IBGP peers in the AS; unless a routing policy changes it, the Local_Preference stays the same along the way.
|
|
|
|
|
|
<h5>5. Community</h5>

**Background to Community**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213141342499.png" alt="image-20220213141342499" style="zoom:50%;" />

AS 100 imports a large number of routes into BGP, some for the production network and some for the office network. The BGP routers in AS 200 now need to apply different policies to these two kinds of routes; doing this with tools like ACLs or IP prefix lists is very inefficient.

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213141427003.png" alt="image-20220213141427003" style="zoom:50%;" />

With the Community attribute, different kinds of routes can be tagged with different Community values. These values travel with the BGP routes to AS 200, where the BGP routers only need to apply differentiated policy based on the Community value, without caring about the specific route prefixes.
|
|
|
|
|
|
**The Community attribute**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213141545848.png" alt="image-20220213141545848" style="zoom:50%;" />

Community is an optional transitive attribute: a route tag used to simplify the application of routing policy.

Certain routes can be assigned a specific Community value, after which routes can be matched and policy applied based on the Community value rather than on prefix/mask information.

**Community attribute format**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213141614306.png" alt="image-20220213141614306" style="zoom:50%;" />

A Community value is 32 bits, that is 4 bytes, long and can be written in two forms:

as a decimal integer

in AA:NN form, where AA is an AS number and NN is a locally defined number
|
|
|
|
|
|
**Well-known Community attributes**

| **Community** | **Value** | **Description** |
| ------------------- | ------------------------ | ------------------------------------------------------------ |
| Internet | 0 (0x00000000) | A device that receives a route with this attribute may send it to any BGP peer. By default all routes belong to the Internet community |
| No_Advertise | 4294967042 (0xFFFFFF02) | A device that receives a route with this attribute does not send it to any BGP peer |
| No_Export | 4294967041 (0xFFFFFF01) | A device that receives a route with this attribute does not send it outside the AS |
| No_Export_Subconfed | 4294967043 (0xFFFFFF03) | A device that receives a route with this attribute does not send it outside the AS, nor to other sub-ASes within the AS |
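The Community format (32 bits, AA:NN) and the well-known values in the table above, as an added Python example that is not from the original article: it converts between the two representations and applies the well-known communities when deciding whether a route may be sent to a given peer. The local and peer AS numbers are constructed from the AS 100/AS 200 figure.

```python
"""Encode and decode BGP Community values and apply the well-known
communities from the table above.

Added example, not from the original article. Peers and communities
are constructed.
"""
INTERNET = 0x00000000
NO_EXPORT = 0xFFFFFF01
NO_ADVERTISE = 0xFFFFFF02
NO_EXPORT_SUBCONFED = 0xFFFFFF03


def encode(aa: int, nn: int) -> int:
    """AA:NN -> 32-bit community value (AA in the high 16 bits)."""
    if not (0 <= aa <= 0xFFFF and 0 <= nn <= 0xFFFF):
        raise ValueError("AA and NN must each fit in 16 bits")
    return (aa << 16) | nn


def decode(value: int) -> str:
    """32-bit community value -> 'AA:NN' text form."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("a community value must fit in 32 bits")
    return f"{value >> 16}:{value & 0xFFFF}"


def may_send(communities, local_as: int, peer_as: int,
             same_member_as: bool = True) -> bool:
    """Apply the well-known communities carried by a route.

    Returns False if any of them forbids sending the route to this peer.
    same_member_as only matters inside a confederation (sub-AS check).
    """
    cset = set(communities)
    if NO_ADVERTISE in cset:
        return False                            # not to any peer
    leaving_as = peer_as != local_as
    if NO_EXPORT in cset and leaving_as:
        return False                            # not outside the AS
    if NO_EXPORT_SUBCONFED in cset and (leaving_as or not same_member_as):
        return False                            # nor to another sub-AS
    return True                                 # Internet (default): anyone


if __name__ == "__main__":
    office = encode(100, 20)                    # constructed tag for office routes
    print(office, decode(office), decode(NO_EXPORT))
    # AS 200 border router: tag from AS 100 plus NO_EXPORT stays inside AS 200.
    print(may_send([office, NO_EXPORT], 200, 200), may_send([office, NO_EXPORT], 200, 300))
```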
|
|
|
|
|
|
<h5>6. MED</h5>

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213141734160.png" alt="image-20220213141734160" style="zoom:50%;" />

Routing policies are deployed on R2 and R3 so that the BGP routes R2 advertises to R4 carry MED 10 while those from R3 carry MED 20. All else being equal, R4 prefers the BGP routes received from R2.

MED (Multi-Exit Discriminator) is an optional non-transitive attribute. It is a metric that tells external peers the preferred path into the local AS: when there are several entry points into the AS, the AS can use MED to dynamically influence which entry other ASes choose.

The lower the MED value, the more preferred the BGP route.

MED is mainly used to influence BGP path selection between ASes. Once MED has been passed to an EBGP peer, that peer carries the MED value as it passes the route within its own AS, but by default it does not carry MED when it passes the route on to its own EBGP peers.
|
|
|
|
|
|
**Notes on MED**

By default a router only compares the MED values of BGP routes that come from the same neighboring AS; if two routes to the same destination come from different neighboring ASes, their MED values are not compared.

Whether a BGP router includes the MED attribute when advertising a route to an EBGP peer depends on the following conditions:

If the BGP route originated locally (brought in with the network or import-route command), it is sent to EBGP peers with the MED attribute by default.

If the BGP route was learned from a BGP peer, it is passed to EBGP peers without the MED attribute by default.

When routes are passed between IBGP peers the MED value is kept and passed on; unless a policy is applied, the MED value neither changes nor is lost along the way.
|
|
|
|
|
|
**Default MED behavior**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213141855655.png" alt="image-20220213141855655" style="zoom:50%;" />

If a router learns a route through an IGP and brings it into BGP with network or import-route, the resulting BGP route's MED inherits the route's IGP metric. In the figure above, for example, if R2 learns 10.0.1.0/24 through OSPF and that route has OSPF cost 100 in R2's global routing table, the BGP route produced when R2 injects it with network has MED 100.

If a router brings a local direct or static route into BGP with network or import-route, the BGP route's MED is 0, because direct and static routes have cost 0.

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213141917565.png" alt="image-20220213141917565" style="zoom:50%;" />

If a router learns a route through BGP from another peer, it does not carry MED by default when it updates its own EBGP peers with that route. This is what is meant by "MED is not passed across ASes". In the figure above, for example, if R3 learns a BGP route carrying MED from R2, it does not carry the MED attribute by default when it advertises that route to R4.

The default med command changes the default MED value; it only takes effect for routes imported with import-route on the local device and for BGP aggregate routes. For example, with default med 999 configured on R2, routes R2 produces with import-route and aggregate carry MED 999 when passed to R3.
|
|
|
|
|
|
<h5>7. Atomic_Aggregate and Aggregator</h5>

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213142001062.png" alt="image-20220213142001062" style="zoom:50%;" />

Atomic_Aggregate is a well-known discretionary attribute; Aggregator is an optional transitive attribute.

On R3 the aggregate command summarizes the BGP routes 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24 and 10.0.4.0/24 into 10.0.0.0/16, and detail-suppressed stops the specific routes from being advertised. R3 passes only the aggregate BGP route to R4, not the specific routes it was formed from.

Atomic_Aggregate is a well-known discretionary attribute that serves only as a warning flag and carries no information of its own. When a router receives a BGP route update and finds the Atomic_Aggregate attribute on it, it knows that path attributes may have been lost from that route; when it advertises the route on to other peers it must keep the Atomic_Aggregate attribute. A router that receives such an update must also not de-aggregate the route into more specific routes.

The other important attribute is Aggregator, an optional transitive attribute. When aggregation is performed, the router performing it can add the Aggregator attribute to the aggregate route, recording its local AS number and its own Router ID. Aggregator therefore identifies the AS and the BGP router where the aggregation took place.
|
|
|
|
|
|
**Viewing the aggregated route**

```shell
[R4]display bgp routing-table 10.0.0.0 16
BGP local router ID : 10.0.4.4
Local AS number : 400
Paths: 1 available, 1 best, 1 select
BGP routing table entry information of 10.0.0.0/16:
From: 10.0.34.3 (10.0.3.3)
Route Duration: 00h00m21s
Direct Out-interface: GigabitEthernet0/0/0
Original nexthop: 10.0.34.3
Qos information : 0x0
AS-path 300, origin igp, pref-val 0, valid, external, best, select, active, pre 255
Aggregator: AS 300, Aggregator ID 10.0.3.3, Atomic-aggregate
Not advertised to any peer yet
```

In the detailed BGP route information, the Aggregator attribute records the AS number and Router ID of the aggregating device, while the Atomic-Aggregate attribute marks the route as an aggregate.
|
|
|
|
|
|
<h5>8. Preferred-Value</h5>

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213142127556.png" alt="image-20220213142127556" style="zoom:50%;" />

An import route policy is deployed on R2 that sets the Preferred-Value of the 10.0.13.0/24 route received from R1 to 300 and the Preferred-Value of the route received from R3 to 200. As a result, for 10.0.13.0/24 R2 prefers the route received from R1.

Preferred-Value (protocol preferred value) is a Huawei-specific attribute that is significant only locally. When the BGP routing table holds several routes to the same destination, the one with the higher Preferred-Value is preferred.

Value range: 0 to 65535; the larger the value, the more preferred the route.

Preferred-Value can only be configured locally on the router and only affects route selection on that device. The attribute is never passed to any BGP peer.

**Viewing Preferred-Value in the BGP routing table**

```shell
[R2] display bgp routing-table
BGP Local router ID is 10.0.2.2
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

Total Number of Routes: 4
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 10.0.13.0/24 10.0.12.1 0 300 100 i
* 10.0.23.3 0 200 100 i
```

The BGP route with Preferred-Value 300 is preferred over the route with Preferred-Value 0, so in the BGP routing table the route from 10.0.12.1 is the best route.

Preferred-Value is abbreviated PrefVal in the routing table.

<h4>II: BGP Route Reflectors</h4>

<h5>1. The IBGP problem in a transit AS</h5>

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213142428093.png" alt="image-20220213142428093" style="zoom:50%;" />

Because of split horizon, for every BGP router in the transit AS 200 to learn the complete set of BGP routes, IBGP must be fully meshed inside the AS. A full IBGP mesh, however, has several drawbacks:

Routers must maintain a large number of TCP and BGP sessions, especially when there are many routers.

The BGP network inside the AS scales poorly.

Route reflector technology addresses this.

<h5>2. Route reflector roles</h5>

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213142531294.png" alt="image-20220213142531294" style="zoom:50%;" />

Once a route reflector is introduced there are two roles:

RR (Route Reflector): the route reflector

Client: an RR client

The RR reflects the routes it learns, so IBGP routes can propagate within the AS without a full IBGP mesh.

When a BGP router is designated as an RR, its clients must be specified as well. The clients themselves need no configuration at all; they are unaware that an RR exists in the network.

<h5>3. Route reflection rules</h5>

**When an RR receives a BGP route:**

If the route reflector learns an IBGP route from a non-client peer, it reflects the route to all clients.

If the route reflector learns an IBGP route from one of its clients, it reflects the route to all non-clients and to all other clients except the one it came from.

If the route was learned from an EBGP peer, it is sent to all clients and all non-client IBGP peers.

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213142705169.png" alt="image-20220213142705169" style="zoom:50%;" />

If the route reflector learns an IBGP route from a non-client peer, it reflects the route to all clients.

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213142721076.png" alt="image-20220213142721076" style="zoom:50%;" />

If the route reflector learns an IBGP route from one of its clients, it reflects the route to all non-clients and to all other clients except the one it came from.

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213142739927.png" alt="image-20220213142739927" style="zoom:50%;" />

If the route was learned from an EBGP peer, it is sent to all clients and all non-client IBGP peers.

**Note:**

When reflecting a route, the RR does not modify the following BGP path attributes: Next_Hop, AS_Path, Local_Preference and MED. If a reflector changed the values of these attributes, routing loops could result.

<h5>4. Loop prevention in RR scenarios</h5>

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213142834508.png" alt="image-20220213142834508" style="zoom:50%;" />

Introducing an RR defeats the IBGP split-horizon rule, which can lead to routing loops. To avoid them, the RR adds two special path attributes to BGP routes: Originator_ID and Cluster_List.

Both the Originator_ID and the Cluster_List attribute are of the optional transitive type.

**Originator ID**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213142922701.png" alt="image-20220213142922701" style="zoom:50%;" />

R3 receives the BGP route 10.0.2.0/24 from R2 and, when reflecting it to R1, adds Originator_ID: 10.0.2.2. R1 in turn reflects it to its client R2 with the Originator_ID attribute attached; R2 finds its own Router ID in the Originator_ID attribute and ignores the route update.

When an RR reflects a BGP route, it adds an Originator_ID to the reflected route whose value is the Router ID of the BGP router in the local AS that advertised the route.

If there are several RRs in the AS, the Originator_ID attribute is created by the first RR and is not changed by any subsequent RR.

When a BGP router receives an IBGP route carrying an Originator_ID attribute whose value equals its own Router ID, it ignores the update for that route.

**Route reflection cluster (Cluster)**

A route reflection cluster consists of the RR and its clients. An AS may contain several route reflection clusters.

Each cluster has a unique cluster ID (Cluster_ID; by default the RR's BGP Router ID).

When a route is reflected by a reflector, the Cluster_ID of that RR (that cluster) is added to the route's Cluster_List attribute.

When an RR receives a BGP route carrying a Cluster_List attribute that already contains its own cluster's Cluster_ID, the RR concludes that the route is looping and ignores the update for that route.

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213143028180.png" alt="image-20220213143028180" style="zoom:50%;" />

**Cluster_List**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213143043437.png" alt="image-20220213143043437" style="zoom:80%;" />

For the route R2 sends to R1, when R1 reflects it to R3 it adds Cluster_List: 10.0.1.1 in addition to the Originator_ID. When R3 reflects it on to R4, the Cluster_List becomes 10.0.3.3 10.0.1.1, and when R4 reflects it back to R1 the Cluster_List becomes 10.0.4.4 10.0.3.3 10.0.1.1.

When R4 reflects the route to R1, R1 finds its own Cluster_ID in the Cluster_List, concludes that there is a loop, and ignores the route update.
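The reflection rules and the Originator_ID / Cluster_List checks above, as a small Python simulation of the four-router figure. This is an added example and not the page's or any vendor's code; router IDs, cluster IDs and the sample prefix are constructed.

```python
"""Route-reflector forwarding rules plus Originator_ID / Cluster_List loop
prevention as a simulation (added example, not the page's own code).
Router IDs reproduce the page's figure: R2 -> R1 -> R3 -> R4 -> back to R1."""
from dataclasses import dataclass, field, replace
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    originator_id: Optional[str] = None  # Router ID of the IBGP router that originated it
    cluster_list: tuple = ()             # Cluster_IDs of every RR crossed, newest first


@dataclass
class Router:
    router_id: str
    clients: set = field(default_factory=set)     # RR clients, keyed by peer router ID
    nonclients: set = field(default_factory=set)  # ordinary IBGP peers
    ebgp_peers: set = field(default_factory=set)
    cluster_id: Optional[str] = None              # Cluster_ID defaults to the RR's router ID

    @property
    def is_rr(self) -> bool:
        return bool(self.clients)

    def effective_cluster_id(self) -> str:
        return self.cluster_id or self.router_id

    def accept(self, route: Route) -> bool:
        """Loop checks on a received IBGP route; False means 'ignore this update'."""
        if route.originator_id == self.router_id:
            return False  # the route came back to the router that originated it
        if self.is_rr and self.effective_cluster_id() in route.cluster_list:
            return False  # this cluster has already reflected the route
        return True

    def forward(self, route: Route, from_peer: str) -> dict:
        """Return {peer_router_id: route} for every peer the route is sent to."""
        if from_peer in self.ebgp_peers:
            # EBGP-learned route: to all IBGP peers, RR attributes untouched
            return {p: route for p in self.clients | self.nonclients}
        if not self.is_rr:
            return {}  # ordinary IBGP router: split horizon, no re-advertising
        if from_peer in self.clients:
            targets = (self.clients - {from_peer}) | self.nonclients
        else:
            targets = set(self.clients)  # from a non-client: only to clients
        reflected = replace(
            route,
            # the first RR creates Originator_ID; later RRs leave it unchanged
            originator_id=route.originator_id or from_peer,
            # every RR prepends its own Cluster_ID
            cluster_list=(self.effective_cluster_id(),) + route.cluster_list,
        )
        return {p: reflected for p in targets}


def run_page_chain() -> dict:
    """Walk a constructed route along R2 -> R1 (RR) -> R3 (RR) -> R4 (RR) -> R1."""
    r1 = Router("10.0.1.1", clients={"10.0.2.2"}, nonclients={"10.0.3.3"})
    r2 = Router("10.0.2.2", nonclients={"10.0.1.1"})
    r3 = Router("10.0.3.3", clients={"10.0.4.4"}, nonclients={"10.0.1.1"})
    r4 = Router("10.0.4.4", clients={"10.0.3.3"}, nonclients={"10.0.1.1"})
    route = Route(prefix="10.0.2.0/24", next_hop="10.0.2.2")  # constructed sample
    hop1 = r1.forward(route, from_peer="10.0.2.2")["10.0.3.3"]
    assert r3.accept(hop1)
    hop2 = r3.forward(hop1, from_peer="10.0.1.1")["10.0.4.4"]
    assert r4.accept(hop2)
    hop3 = r4.forward(hop2, from_peer="10.0.3.3")["10.0.1.1"]
    return {
        "hop1_cluster_list": hop1.cluster_list,
        "hop3_cluster_list": hop3.cluster_list,
        "originator": hop3.originator_id,
        "r1_accepts_loop": r1.accept(hop3),   # False: own Cluster_ID in the list
        "r2_accepts_own": r2.accept(hop1),    # False: Originator_ID is R2 itself
    }


if __name__ == "__main__":
    for key, value in run_page_chain().items():
        print(f"{key}: {value}")
```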

<h5>5. RR application example</h5>

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213143135049.png" alt="image-20220213143135049" style="zoom:50%;" />

R1 advertises 10.0.1.0/24 into BGP. R2 learns the route from R1 and advertises it to R3, but because of split horizon R3 cannot pass this IBGP route learned from R2 on to R4 and R5. R3 can therefore be configured as an RR with R4 and R5 as its clients, after which R4 and R5 learn the BGP route 10.0.1.0/24 normally.

**Configuration**

![image-20220213143200131](https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213143200131.png)

<h5>6. Configuration case</h5>

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213143243308.png" alt="image-20220213143243308" style="zoom:50%;" />

Every device's Loopback0 address is 10.0.x.x/32, where x is the device number, and every device uses its Loopback0 address as its BGP Router ID.

R1, R2 and R3 belong to AS 100. OSPF runs inside AS 100 and all directly connected interfaces are advertised into OSPF.

Inside AS 100 the loopback interfaces are used as the source interface for IBGP packets; R2 is the route reflector and R3 is its client.

R4 belongs to AS 200, establishes an EBGP peering with R3 using the interconnect interface addresses, and advertises 10.4.4.0/24 into BGP.

**R1 configuration:**

```shell
[R1] bgp 100
[R1-bgp] router-id 10.0.1.1
[R1-bgp] peer 10.0.2.2 as-number 100
[R1-bgp] peer 10.0.2.2 connect-interface LoopBack0
```

**R2 configuration:**

```shell
[R2] bgp 100
[R2-bgp] router-id 10.0.2.2
[R2-bgp] peer 10.0.1.1 as-number 100
[R2-bgp] peer 10.0.1.1 connect-interface LoopBack0
[R2-bgp] peer 10.0.3.3 as-number 100
[R2-bgp] peer 10.0.3.3 connect-interface LoopBack0
[R2-bgp] peer 10.0.3.3 reflect-client
```

**R3 configuration:**

```shell
[R3] bgp 100
[R3-bgp] router-id 10.0.3.3
[R3-bgp] peer 10.0.2.2 as-number 100
[R3-bgp] peer 10.0.2.2 connect-interface LoopBack0
[R3-bgp] peer 10.0.34.4 as-number 200
```

**R4 configuration:**

```shell
[R4] bgp 200
[R4-bgp] router-id 10.0.4.4
[R4-bgp] peer 10.0.34.3 as-number 100
[R4-bgp] network 10.4.4.0 24
```

**Check the BGP route 10.4.4.0/24 on R3 and on R1**

```shell
[R3-bgp]display bgp routing-table 10.4.4.0 24
BGP local router ID : 10.0.3.3
Local AS number : 100
Paths: 1 available, 1 best, 1 select
BGP routing table entry information of 10.4.4.0/24:
From: 10.0.34.4 (10.0.4.4)
Route Duration: 00h04m36s
Direct Out-interface: GigabitEthernet0/0/1
Original nexthop: 10.0.34.4
Qos information : 0x0
AS-path 200, origin igp, MED 0, pref-val 0, valid, external, best, select, active, pre 255
Advertised to such 1 peers:
10.0.2.2
```

```shell
[R1]display bgp routing-table 10.4.4.0 24
……….
BGP routing table entry information of 10.4.4.0/24:
From: 10.0.2.2 (10.0.2.2) # from R2
Route Duration: 00h00m19s
Relay IP Nexthop: 10.0.12.2
Relay IP Out-Interface: GigabitEthernet0/0/0
Original nexthop: 10.0.34.4 # next-hop address unchanged
Qos information : 0x0
AS-path 200, origin igp, MED 0, localpref 100, pref-val 0, valid, internal, best, select, active, pre 255, IGP cost 3
Originator: 10.0.3.3 # route originated by 10.0.3.3
Cluster list: 10.0.2.2 # Cluster_ID is R2's Router ID
Not advertised to any peer yet
```

<h3>Section 3: BGP Route Selection</h3>

<h4>I: Route Preference</h4>

<h5>1. BGP route selection rules</h5>

**When there are several routes to the same destination network, BGP selects among them in the following order:**

Discard routes whose next hop is unreachable.

Prefer the route with the largest Preferred-Value.

Prefer the route with the largest Local_Preference.

Locally originated BGP routes are preferred over routes learned from other peers; among locally originated routes the order is: manual aggregate > automatic aggregate > network > import > learned from a peer.

Prefer the route with the shortest AS_Path.

Prefer the route with the best Origin. Origin values ranked from best to worst are IGP, EGP and Incomplete.

Prefer the route with the smallest MED.

Prefer routes learned from EBGP peers (EBGP routes take precedence over IBGP routes).

Prefer the route with the smallest IGP metric to the Next_Hop.

Prefer the route with the shortest Cluster_List.

Prefer the route advertised by the device with the smallest Router ID (Originator_ID).

Prefer the route advertised by the peer with the smallest IP address.

**Note:**

For the first two rules the larger value wins; for all the remaining rules the smaller value wins.

The rules above are applied in order: BGP starts with the first rule, and if it cannot decide (for example because the routes have the same Preferred-Value) it moves on to the next rule; as soon as the current rule yields a best route, no further rules are evaluated.
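The ordered decision process above, implemented as an added Python example (not the page's or any vendor's code). Each comparison returns the rule that decided it, in the spirit of the "not preferred for ..." text seen in display bgp routing-table output later on this page; the MED step honours the same-AS restriction unless compare-different-as-med is modelled as enabled, and all attribute values are constructed.

```python
"""BGP best-path selection in the order this page lists the rules, returning
the rule that decided each comparison. Added example, not the page's code;
route attributes below are constructed to mirror the page's scenarios."""
from dataclasses import dataclass
from typing import Optional

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}        # smaller is better
SOURCE_RANK = {"manual-aggregate": 0, "auto-aggregate": 1,   # local routes, best first
               "network": 2, "import": 3, None: 4}           # None = learned from a peer


@dataclass
class BgpRoute:
    peer: str                      # advertising peer address ("127.0.0.1" for local routes)
    next_hop: str
    reachable: bool = True         # outcome of next-hop recursion on this router
    pref_val: int = 0              # Preferred-Value (local only), larger wins
    local_pref: int = 100          # Local_Preference, larger wins
    source: Optional[str] = None   # how a local route entered BGP, see SOURCE_RANK
    as_path: tuple = ()
    origin: str = "igp"
    med: int = 0                   # absent MED is treated as 0
    ebgp: bool = False             # learned from an EBGP peer
    igp_cost: int = 0              # IGP metric to next_hop
    cluster_list: tuple = ()
    router_id: str = "0.0.0.0"     # Originator_ID if present, else the peer's Router ID


def ip_key(addr: str) -> tuple:
    """Dotted-quad to a tuple so 10.0.2.2 < 10.0.3.3 compares numerically."""
    return tuple(int(octet) for octet in addr.split("."))


def compare(a: BgpRoute, b: BgpRoute, compare_different_as_med: bool = False):
    """Return (winner, deciding rule) for two reachable routes to the same prefix."""
    if a.pref_val != b.pref_val:
        return (a if a.pref_val > b.pref_val else b), "Preferred-Value"
    if a.local_pref != b.local_pref:
        return (a if a.local_pref > b.local_pref else b), "Local_Preference"
    if SOURCE_RANK[a.source] != SOURCE_RANK[b.source]:
        return (a if SOURCE_RANK[a.source] < SOURCE_RANK[b.source] else b), "route source"
    if len(a.as_path) != len(b.as_path):
        return (a if len(a.as_path) < len(b.as_path) else b), "AS_Path length"
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:
        return (a if ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin] else b), "Origin"
    # MED is only compared between routes from the same neighbouring AS
    # (first AS in AS_Path) unless compare-different-as-med is configured
    same_neighbour_as = a.as_path[:1] == b.as_path[:1]
    if (same_neighbour_as or compare_different_as_med) and a.med != b.med:
        return (a if a.med < b.med else b), "MED"
    if a.ebgp != b.ebgp:
        return (a if a.ebgp else b), "peer type"
    if a.igp_cost != b.igp_cost:
        return (a if a.igp_cost < b.igp_cost else b), "IGP cost"
    if len(a.cluster_list) != len(b.cluster_list):
        return (a if len(a.cluster_list) < len(b.cluster_list) else b), "Cluster List"
    if a.router_id != b.router_id:
        return (a if ip_key(a.router_id) < ip_key(b.router_id) else b), "router ID"
    if a.peer != b.peer:
        return (a if ip_key(a.peer) < ip_key(b.peer) else b), "peer address"
    return a, "tie"


def select_best(routes, compare_different_as_med: bool = False):
    """Drop routes whose next hop is unreachable, then apply the rules pairwise."""
    candidates = [r for r in routes if r.reachable]
    if not candidates:
        return None, "no reachable next hop"
    best, rule = candidates[0], "only candidate"
    for other in candidates[1:]:
        best, rule = compare(best, other, compare_different_as_med)
    return best, rule


if __name__ == "__main__":
    # constructed: the page's R1 seeing 10.0.45.0/24 from R2 (AS 100) and R3 (AS 300)
    via_r2 = BgpRoute("10.0.2.2", "10.0.2.2", as_path=("100",), origin="incomplete",
                      igp_cost=1, router_id="10.0.2.2")
    via_r3 = BgpRoute("10.0.3.3", "10.0.3.3", as_path=("300",), origin="incomplete",
                      igp_cost=1, router_id="10.0.3.3")
    best, rule = select_best([via_r2, via_r3])
    print(f"best via {best.peer}, decided by {rule}")   # best via 10.0.2.2, decided by router ID
```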

<h5>2. Topology description</h5>

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213165945577.png" alt="image-20220213165945577" style="zoom:50%;" />

The ASs and device interconnect addresses are as shown in the figure. Every device has a Loopback0 interface with address 10.0.x.x (x being the device number), and every device uses its loopback address as Router ID.

OSPF runs inside AS 200 and is enabled on the internal interconnect interfaces (not on the interfaces facing external ASs) and on the Loopback interfaces.

**Note:**

Routes imported into the BGP routing table with the import-route command have the ORIGIN attribute Incomplete.

Network routes advertised into the BGP routing table with the network command have the ORIGIN attribute IGP.

```shell
[Huawei]ip ip-prefix 1 permit 10.0.45.0 24
[Huawei]route-policy 1 permit node 10
[Huawei-route-policy]if-match ip-prefix 1
[Huawei-bgp]import-route direct route-policy 1
```

**Discard routes whose next hop is unreachable**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213180106425.png" alt="image-20220213180106425" style="zoom:50%;" />

```shell
Total Number of Routes: 2
Network NextHop MED LocPrf PrefVal Path/Ogn

i 10.0.45.0/24 10.0.24.4 0 100 0 100?
i 10.0.35.5 0 100 0 300?
```

When R4 and R5 advertise the BGP route 10.0.45.0/24 to AS 200, the Next_Hop attribute values are 10.0.24.4 and 10.0.35.5.

R2 and R3 do not modify the Next_Hop attribute when advertising the route to R1, so the two BGP routes for 10.0.45.0/24 that R1 learns have next hops 10.0.24.4 and 10.0.35.5.

When R1 performs next-hop recursion for the BGP routes, the lookup fails because R2 and R3 have not enabled OSPF on the interfaces facing the external ASs, so on R1 the next hops of the BGP routes 10.0.45.0/24 are unreachable.

Viewing the BGP routing table on R1 with display bgp routing-table, the BGP route 10.0.45.0/24 is not a valid entry at this point.

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213180630621.png" alt="image-20220213180630621" style="zoom:50%;" />

Unless stated otherwise, the initial configuration for all later cases is the basic configuration plus next-hop-local enabled on R2 and R3.

On R2 and R3 the next-hop-local command changes the Next_Hop attribute to the local update source address.

When R2 and R3 advertise the BGP route to R1, the Next_Hop attribute values become 10.0.2.2 and 10.0.3.3.

Both next-hop addresses can be resolved successfully on R1, so the next hops of the BGP routes become reachable.

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213181019884.png" alt="image-20220213181019884" style="zoom:50%;" />

With the next hops of both BGP routes reachable, why is the BGP route with next hop 10.0.2.2 the best?

**Changing Preferred-Value**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213181202095.png" alt="image-20220213181202095" style="zoom:50%;" />

The preferred-value command sets the Preferred-Value of the BGP route advertised by R3 to 100, which beats the default Preferred-Value of the BGP route advertised by R2, so R1 prefers the BGP route 10.0.45.0/24 advertised by R3.

```shell
bgp 200
peer 10.0.3.3 preferred-value 100
```

R1's BGP routing table:

```shell
[R1] display bgp routing-table
BGP Local router ID is 10.0.1.1
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

Total Number of Routes: 4
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 10.0.45.0/24 10.0.3.3 0 100 300 i
* i 10.0.2.2 0 0 100 i
```

The BGP route advertised by R3 (10.0.3.3) has the higher Preferred-Value (100), so R1 prefers the BGP route 10.0.45.0/24 advertised by R3.

**Changing Local_Preference**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213181540309.png" alt="image-20220213181540309" style="zoom:50%;" />

On R3:

```shell
ip ip-prefix local_pref index 10 permit 10.0.45.0 24
#
route-policy local_pref permit node 10
if-match ip-prefix local_pref
apply local-preference 200
route-policy local_pref permit node 20
#
bgp 200
peer 10.0.1.1 route-policy local_pref export
```

R3 uses a route policy to change the Local_Preference attribute of the BGP route 10.0.45.0/24 it advertises to R1.

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213182323822.png" alt="image-20220213182323822" style="zoom:50%;" />

```shell
Total Number of Routes: 2
Network NextHop MED LocPrf PrefVal Path/Ogn

*>i 10.0.45.0/24 10.0.3.3 0 200 0 300?
* i 10.0.2.2 0 100 0 100?
```

With reachable next hops and equal Preferred-Value, Local_Preference is compared next: the BGP route advertised by R3 has Local_Preference 200, higher than that of the route advertised by R2, so R1 prefers the BGP route advertised by R3.

**Local routes first**

This rule can be summarised as: all else being equal, locally generated routes are preferred, and routes learned from peers come second.

A route can also be generated locally in several ways; when the same route is obtained locally through more than one of them, the priority from highest to lowest is:

Manual aggregation: aggregate routes generated manually with the aggregate command in the BGP view

Automatic aggregation: aggregate routes generated by the summary automatic command

Routes injected with network

Routes injected with import-route

**Manual aggregation**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213182811975.png" alt="image-20220213182811975" style="zoom:50%;" />

On R3:

```shell
ip route-static 10.0.45.0 255.255.255.128 null0
ip route-static 10.0.45.128 255.255.255.128 null0
bgp 200
aggregate 10.0.45.0 255.255.255.0 detail-suppressed
import-route static
```

To perform manual aggregation on R3, two static routes pointing to null0 are configured on R3 for injection into BGP.

R3 is configured with two static routes, injects them into BGP with import-route, and aggregates them manually with the aggregate command; the detail-suppressed keyword suppresses advertisement of the specific routes.

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213183308268.png" alt="image-20220213183308268" style="zoom:50%;" />

R3's BGP routing table holds two BGP routes for 10.0.45.0/24:

Locally generated: static routes injected into BGP and summarised by manual aggregation

Advertised by a peer: advertised by peer R5 (10.0.35.5)

On R3 neither route carries a Local_Preference or Preferred-Value that separates them, so the route source is compared: manual aggregation ranks highest, and R3 prefers the locally generated, manually aggregated BGP route.

The "s" flag in the BGP routing table means the entry is suppressed.

```shell
Network NextHop MED LocPrf PrefVal Path/Ogn

*> 10.0.45.0/24 127.0.0.1 0 ?
* 10.0.35.5 0 0 300?
s> 10.0.45.0/25 0.0.0.0 0 0 ?
s> 10.0.45.128/25 0.0.0.0 0 0 ?
```

```shell
[R3]display bgp routing-table 10.0.45.0 24
BGP local router ID : 10.0.3.3
Local AS number : 200
Paths: 2 available, 1 best, 1 select
BGP routing table entry information of 10.0.45.0/24:
Aggregated route.
Route Duration: 00h00m14s
Direct Out-interface: NULL0
Original nexthop: 127.0.0.1
Qos information : 0x0
AS-path Nil, origin incomplete, pref-val 0, valid, local, best, select, active,
pre 255
Aggregator: AS 200, Aggregator ID 10.0.3.3, Atomic-aggregate
Advertised to such 2 peers:
10.0.35.5
10.0.1.1
```

Viewing the details of the BGP route 10.0.45.0/24 on R3 with display bgp routing-table 10.0.45.0 24 shows two valid routes, of which the best is the one produced by manual aggregation.

**Automatic aggregation**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213183709182.png" alt="image-20220213183709182" style="zoom:50%;" />

On R3:

```shell
ip route-static 10.0.45.0 255.255.255.128 null0
ip route-static 10.0.45.128 255.255.255.128 null0

bgp 200
summary automatic
import-route static
```

R3 is configured with two static routes, injects them into BGP with import-route, and enables automatic aggregation. BGP then aggregates routes to their classful network boundary (for example, the non-classful class A addresses 10.1.1.1/24 and 10.2.1.1/24 are aggregated into the classful class A network 10.0.0.0/8) and advertises only the aggregated route to its peers.

On R3 the routes can be seen aggregated into 10.0.0.0/8.

R5 also injects the route 10.0.0.0/8 and advertises it to R3.

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213184150988.png" alt="image-20220213184150988" style="zoom:50%;" />

```shell
Network NextHop MED LocPrf PrefVal Path/Ogn

*> 10.0.0.0 127.0.0.1 0 ?
* 10.0.35.5 0 0 300?
```

R3's BGP routing table holds two BGP routes for 10.0.0.0:

Locally generated: static routes injected into BGP and summarised by automatic aggregation

Advertised by a peer: advertised by peer R5 (10.0.35.5)

On R3 neither route carries a Local_Preference or Preferred-Value that separates them, so the route source is compared: locally generated beats learned from a peer, and R3 prefers the locally generated, automatically aggregated BGP route.

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213184530008.png" alt="image-20220213184530008" style="zoom:50%;" />

Perform manual aggregation on R3:

```shell
bgp 200
aggregate 10.0.0.0 255.0.0.0 detail-suppressed
```

R3's BGP routing table:

```shell
Network NextHop MED LocPrf PrefVal Path/Ogn

*> 10.0.0.0 127.0.0.1 0 ?
* 127.0.0.1 0 ?
* 10.0.35.5 0 0 300?
```

The best route is still a locally generated BGP route, but there are now two locally generated BGP routes, and this table does not show whether the preferred one was produced by manual or by automatic aggregation.

```shell
BGP local router ID : 10.0.3.3
Local AS number : 200
Paths: 3 available, 1 best, 1 select
BGP routing table entry information of 10.0.0.0/8:
Aggregated route.
Route Duration: 00h08m17s
Direct Out-interface: NULL0
Original nexthop: 127.0.0.1
Qos information : 0x0
AS-path Nil, origin incomplete, pref-val 0, valid, local, best, select, active,
pre 255
Aggregator: AS 200, Aggregator ID 10.0.3.3, Atomic-aggregate
Advertised to such 2 peers:
10.0.35.5
10.0.1.1
```

Viewing the details of the BGP route 10.0.0.0/8 on R3 with display bgp routing-table 10.0.0.0 shows three valid routes; the best entry was produced by aggregation and carries the Atomic-aggregate attribute, which identifies it as the manually aggregated entry.

For identical BGP aggregate routes on R3: manual aggregation > automatic aggregation.

This case verifies that a BGP route produced by manual aggregation is preferred over one produced by automatic aggregation.

**Prefer the shortest AS_Path**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213184802632.png" alt="image-20220213184802632" style="zoom:50%;" />

R2 uses a route policy to change the AS_Path attribute of the BGP route it advertises to R1.

```shell
ip ip-prefix as_path index 10 permit 10.0.45.0 24
#
route-policy as_path permit node 10
if-match ip-prefix as_path
apply as-path 400 additive
route-policy as_path permit node 20
#
bgp 200
peer 10.0.1.1 route-policy as_path export
```

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213185639293.png" alt="image-20220213185639293" style="zoom:50%;" />

```shell
Total Number of Routes: 2
Network NextHop MED LocPrf PrefVal Path/Ogn

*>i 10.0.45.0/24 10.0.3.3 0 100 0 300?
* i 10.0.2.2 0 100 0 400 100?
```

The BGP route advertised by R3 has the shorter AS_Path, so with the earlier selection rules tied, R1 prefers the BGP route advertised by R3.

**Verifying the Origin attribute**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213185757569.png" alt="image-20220213185757569" style="zoom:50%;" />

```shell
Total Number of Routes: 2
Network NextHop MED LocPrf PrefVal Path/Ogn

*>i 10.0.45.0/24 10.0.2.2 0 100 0 100?
* i 10.0.3.3 0 100 0 300?
```

By default R4 and R5 inject the route 10.0.45.0/24 into BGP with import-route, so both BGP routes for 10.0.45.0/24 in R1's BGP routing table have Origin "?", and R1 prefers the BGP route injected by R4.

On R5 the injection method is changed to network, and R1's BGP routing table is checked again.

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213190023969.png" alt="image-20220213190023969" style="zoom:50%;" />

Now the BGP route 10.0.45.0/24 injected by R5 has Origin "i"; with the earlier selection rules tied, the BGP route with origin type "i" becomes the best route.

```shell
Total Number of Routes: 2
Network NextHop MED LocPrf PrefVal Path/Ogn

*>i 10.0.45.0/24 10.0.3.3 0 100 0 300i
* i 10.0.2.2 0 100 0 100?
```

**Prefer the smallest MED**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213190359185.png" alt="image-20220213190359185" style="zoom:50%;" />

R2 uses a route policy to change the MED attribute of the BGP route it advertises to R1.

```shell
ip ip-prefix med index 10 permit 10.0.45.0 24
#
route-policy med permit node 10
if-match ip-prefix med
apply cost 20
route-policy med permit node 20
#
bgp 200
peer 10.0.1.1 route-policy med export
compare-different-as-med
```

By default BGP compares MED only between routes to the same destination that come from the same AS; the command above enables MED comparison between routes to the same destination that come from different ASs as well.

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213190826909.png" alt="image-20220213190826909" style="zoom:50%;" />

The BGP route advertised by R4 has MED 20, while the BGP route advertised by R5 carries no MED (an absent MED counts as 0); the BGP route from R5 has the smaller MED, so R1 prefers the BGP route advertised by R5.

```shell
Total Number of Routes: 2
Network NextHop MED LocPrf PrefVal Path/Ogn

*>i 10.0.45.0/24 10.0.3.3 0 100 0 300?
* i 10.0.2.2 20 100 0 100?
```

**Prefer routes learned from EBGP peers**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213191121948.png" alt="image-20220213191121948" style="zoom:50%;" />

**On R1:**

```shell
ip route-static 10.0.45.0 255.255.255.0 null0
ip ip-prefix ebgp index 10 permit 10.0.45.0 24
#
route-policy ebgp permit node 10
if-match ip-prefix ebgp
apply as-path 500 additive
route-policy ebgp permit node 20
#
bgp 200
import-route static
peer 10.0.3.3 route-policy ebgp export
```

On R1 a static route for 10.0.45.0/24 (pointing to null0) is created and advertised into BGP. To make the AS_Path length of the BGP routes that R1 and R5 advertise to R3 equal, a route policy adds an AS_Path entry with the value 500 to the route R1 advertises to R3.

R3 receives the BGP route 10.0.45.0/24 from both R1 and R5, and the earlier selection rules cannot separate them.

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213191209692.png" alt="image-20220213191209692" style="zoom:50%;" />

```shell
Network NextHop MED LocPrf PrefVal Path/Ogn

*> 10.0.45.0/24 10.0.35.5 0 0 300?
* i 10.0.1.1 0 100 0 500?
```

The type of the advertising peer is then compared: R5 is an EBGP peer and R1 an IBGP peer; a BGP route advertised by an EBGP peer beats one advertised by an IBGP peer, so R3 prefers the BGP route advertised by R5.

```shell
BGP routing table entry information of 10.0.45.0/24:
From: 10.0.1.1 (10.0.1.1)
Route Duration: 00h06m43s
Relay IP Nexthop: 10.0.13.1
Relay IP Out-Interface: GigabitEthernet0/0/0
Original nexthop: 10.0.1.1
Qos information : 0x0
AS-path 500, origin incomplete, MED 0, localpref 100, pref-val 0, valid, internal, pre 255, IGP cost 1, not preferred for peer type
Not advertised to any peer yet
```

Viewing the details of the BGP route on R3 with display bgp routing-table 10.0.45.0 24 shows the following:

not preferred for peer type: the route was not selected because of the peer type.

**IGP Cost**

```shell
BGP local router ID : 10.0.1.1
Local AS number : 200
Paths: 2 available, 1 best, 1 select
BGP routing table entry information of 10.0.45.0/24:
From: 10.0.3.3 (10.0.3.3)
Route Duration: 00h22m35s
Relay IP Nexthop: 10.0.13.3
Relay IP Out-Interface: GigabitEthernet0/0/1
Original nexthop: 10.0.3.3
Qos information : 0x0
AS-path 300, origin incomplete, MED 0, localpref 100, pref-val 0, valid, internal, best, select, active, pre 255, IGP cost 1
Not advertised to any peer yet
```

The detailed BGP route information contains an IGP cost value: the Cost of the route in the local IP routing table towards the Original nexthop address.

```shell
Destination/Mask Proto Pre Cost NextHop Interface
10.0.3.3/32 OSPF 10 1 10.0.13.3 GigabitEthernet0/0/1
```

When the previous seven selection rules cannot pick a best BGP route, the IGP cost to the next-hop address is compared.

Prefer the smallest IGP Cost:

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213191516950.png" alt="image-20220213191516950" style="zoom:50%;" />

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220213191539842.png" alt="image-20220213191539842" style="zoom:50%;" />

```shell
BGP routing table entry information of 10.0.45.0/24:
From: 10.0.2.2 (10.0.2.2)
Route Duration: 00h24m07s
Relay IP Nexthop: 10.0.12.2
Relay IP Out-Interface: GigabitEthernet0/0/0
Original nexthop: 10.0.2.2
Qos information : 0x0
AS-path 100, origin incomplete, MED 0, localpref 100, pref-val 0, valid, internal, pre 255, IGP cost 10, not preferred for IGP cost
Not advertised to any peer yet
```

Viewing the details of the BGP route on R1 with display bgp routing-table 10.0.45.0 24, the IGP cost of the BGP route with next hop 10.0.2.2 has become 10, while the BGP route with next hop 10.0.3.3 keeps the default IGP cost of 1, so R1 prefers the route with next hop 10.0.3.3.

The detailed route information on R1 shows: not preferred for IGP cost, meaning the route was not selected because of its IGP cost.

<h5>BGP equal-cost load sharing</h5>

In large networks there are usually several valid BGP routes to the same destination, but a device selects only one best BGP route and installs only that route in its routing table, which often leaves traffic load unevenly distributed.

With BGP load sharing configured, the device can install several equal-cost BGP routes into the routing table at the same time, balancing traffic and reducing network congestion.

Note that even with BGP load sharing configured, the device still selects only one best route among the BGP routes to the same destination, and advertises only that route to its other peers.

Once BGP load sharing is enabled on a device, only BGP routes that meet the conditions become equal-cost routes and share the load.

Note:

By default a device shares load only among routes whose AS_Path is identical; load-balancing as-path-ignore makes it ignore AS_Path differences.

When routes to the same destination in the public network form a load-sharing group, the system first checks the type of the best route. If the best route is an IBGP route, only IBGP routes take part in load sharing; if the best route is an EBGP route, only EBGP routes take part. In other words, IBGP and EBGP routes to the same destination in the public network cannot share load with each other.

**Conditions for BGP equal-cost load sharing**

Same Preferred-Value

Same Local_Preference

All aggregate routes or all non-aggregate routes

Same AS_Path length

Same Origin type (IGP, EGP, Incomplete)

Same MED

All EBGP routes or all IBGP routes

Same IGP metric inside the AS

Identical AS_Path
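The load-sharing conditions above, including the as-path-ignore relaxation and the rule that only routes of the best route's own type (IBGP or EBGP) may join, as an added Python example (not the page's or any vendor's code). The maximum number of paths is passed in as a parameter, and the sample routes are constructed.

```python
"""Which valid BGP routes to one prefix may share load with the best route,
following the equal-cost conditions this page lists. Added example, not the
page's code; all sample routes are constructed."""
from dataclasses import dataclass


@dataclass
class Candidate:
    peer: str
    pref_val: int = 0
    local_pref: int = 100
    aggregate: bool = False    # locally aggregated route or not
    as_path: tuple = ()
    origin: str = "incomplete"
    med: int = 0
    ebgp: bool = False         # IBGP and EBGP routes never share load with each other
    igp_cost: int = 0          # IGP metric to the next hop inside the AS


def ecmp_signature(r: Candidate, as_path_ignore: bool) -> tuple:
    """Everything that must match the best route for r to join the ECMP group."""
    return (r.pref_val, r.local_pref, r.aggregate, len(r.as_path), r.origin,
            r.med, r.ebgp, r.igp_cost,
            None if as_path_ignore else r.as_path)   # exact AS_Path unless as-path-ignore


def load_sharing_group(best: Candidate, routes, max_paths: int,
                       as_path_ignore: bool = False) -> list:
    """Return best plus every other route that forms an equal-cost path with it,
    capped at the configured maximum number of paths."""
    want = ecmp_signature(best, as_path_ignore)
    group = [best] + [r for r in routes
                      if r is not best and ecmp_signature(r, as_path_ignore) == want]
    return group[:max_paths]


if __name__ == "__main__":
    # constructed: R1's two IBGP routes from the page's left-hand topology
    via_r2 = Candidate("10.0.2.2", as_path=("45",), igp_cost=1)
    via_r3 = Candidate("10.0.3.3", as_path=("45",), igp_cost=1)
    print([r.peer for r in load_sharing_group(via_r2, [via_r2, via_r3], max_paths=2)])
```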

**Configuring BGP load sharing**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220214095414614.png" alt="image-20220214095414614" style="zoom:50%;" />

Taking the left-hand topology as an example: with no route policy or other configuration applied, the first eight selection rules cannot separate the two BGP routes on R1, so IBGP load sharing can be configured.

**After configuring BGP load sharing**

Equal-cost routes to 10.0.45.0/24 appear in the IP routing table:

```shell
[R1]display ip routing-table 10.0.45.0 24
Route Flags: R - relay, D - download to fib
-------------------------------------------------------------------------------------------------------------------
Routing Table : Public
Summary Count : 2
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.0.45.0/24 IBGP 255 0 RD 10.0.2.2 GigabitEthernet0/0/0
IBGP 255 0 RD 10.0.3.3 GigabitEthernet0/0/1
```

The BGP routing table still has only one best route:

```shell
[R1]display bgp routing-table

BGP Local router ID is 10.0.1.1
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 2
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 10.0.45.0/24 10.0.2.2 0 100 0 45?
* i 10.0.3.3 0 100 0 45?
```

**Shortest Cluster_List case**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220214100405685.png" alt="image-20220214100405685" style="zoom:50%;" />

The topology is modified as follows:

Only R5 advertises 10.0.45.0/24 into BGP.

R1 is configured as an RR with R3 as its client.

R2 and R3 establish an IBGP peering between their loopback interfaces.

R2 receives the BGP route 10.0.45.0/24 advertised by R3 and the BGP route 10.0.45.0/24 reflected by R1.

With the default configuration the rules introduced so far cannot separate them, so the selection is made on the Cluster_List.

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220214100507749.png" alt="image-20220214100507749" style="zoom:50%;" />

The BGP routing table does not show whether the route reflected by R1 or the route advertised by R3 was selected; the command display bgp routing-table 10.0.45.0 24 shows the detailed BGP route information.

```shell
BGP routing table entry information of 10.0.45.0/24:
From: 10.0.1.1 (10.0.1.1)
Route Duration: 00h03m10s
Relay IP Nexthop: 10.0.12.1
Relay IP Out-Interface: GigabitE0/0/0
Original nexthop: 10.0.3.3
Qos information : 0x0
AS-path 300, origin incomplete, MED 0, localpref 100, pref-val 0, valid, internal, pre 255, IGP cost 2, not preferred for Cluster List
Originator: 10.0.3.3
Cluster list: 10.0.1.1
Not advertised to any peer yet
```

The route reflected by R1 is not the best route, and the reason is shown: not preferred for Cluster List.

The BGP route R3 advertises directly to R2 never passed through a route reflector and has no Cluster_List attribute, so its Cluster_List length counts as 0, shorter than the Cluster_List length (1) of the BGP route reflected by R1; the BGP route advertised by R3 is therefore the best route.

**Prefer the smallest Router ID**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220214100610262.png" alt="image-20220214100610262" style="zoom:50%;" />

In our teaching topology, with the default configuration R1 receives the BGP route 10.0.45.0/24 from both R2 and R3, and the earlier selection rules cannot separate them. This rule finally decides: the BGP route advertised by the peer with the smallest Router ID is preferred, which in this case is the BGP route advertised by R2.

```shell
BGP routing table entry information of 10.0.45.0/24:
From: 10.0.3.3 (10.0.3.3)
Route Duration: 00h40m15s
Relay IP Nexthop: 10.0.13.3
Relay IP Out-Interface: GigabitEthernet0/0/1
Original nexthop: 10.0.3.3
Qos information : 0x0
AS-path 300, origin incomplete, MED 0, localpref 100, pref-val 0, valid, internal, pre 255, IGP cost 1, not preferred for router ID
Not advertised to any peer yet
```

In R1's detailed BGP route information, the BGP route from 10.0.3.3 was not selected because of its Router ID: not preferred for router ID.

**Prefer the smallest Originator_ID**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220214100712555.png" alt="image-20220214100712555" style="zoom:50%;" />

If the BGP routes carry the Originator_ID attribute, this rule compares the Originator_ID values instead and prefers the BGP route with the smallest Originator_ID.

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220214100729453.png" alt="image-20220214100729453" style="zoom:50%;" />

```shell
BGP routing table entry information of 10.0.45.0/24:
From: 10.0.3.3 (10.0.3.3)
Route Duration: 00h33m15s
Relay IP Nexthop: 10.0.13.3
Relay IP Out-Interface: GigabitEthernet0/0/1
Original nexthop: 10.0.5.5
Qos information : 0x0
AS-path Nil, origin incomplete, MED 0, localpref 100, pref-val 0, valid, internal, pre 255, IGP cost 2, not preferred for router ID
Originator: 10.0.5.5
Cluster list: 10.0.3.3
Not advertised to any peer yet
```

The BGP route reflected by R3 was not selected, and the reason is again given as Router ID; here the Router ID actually refers to the Originator ID (which carries the Router ID of the router that originally advertised the route).

**Prefer the peer with the smallest IP address**

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220214100814562.png" alt="image-20220214100814562" style="zoom:50%;" />

When none of the preceding rules can pick a best route, the selection is made on the peer address: the route sent by the peer with the smaller address is preferred.

The verification topology of the previous rule is modified: R2 and R3 both connect to R4, R4 is an RR client, and only R4 advertises the route into BGP, so the BGP routes reflected by R2 and R3 carry the same Originator ID: 10.0.4.4.

<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220214100839883.png" alt="image-20220214100839883" style="zoom:50%;" />

```shell
BGP routing table entry information of 10.0.45.0/24:
From: 10.0.3.3 (10.0.3.3)
Route Duration: 00h01m07s
Relay IP Nexthop: 10.0.12.2
Relay IP Out-Interface: GigabitEthernet0/0/0
Original nexthop: 10.0.4.4
Qos information : 0x0
AS-path Nil, origin incomplete, MED 0, localpref 100, pref-val 0, valid, internal, pre 255, IGP cost 2, not preferred for peer address
Originator: 10.0.4.4
Cluster list: 10.0.3.3
Not advertised to any peer yet
```

The BGP route reflected by R3 was not selected because its peer address is larger: the route reflected by R2 comes from peer address 10.0.2.2, while the route reflected by R3 comes from peer address 10.0.3.3, so the latter was not selected.

<h3>第四节:BGP EVPN基础</h3>
|
|
|
|
|
|
<h4>一:MP-BGP</h4>
|
|
|
|
|
|
MP-BGP(Multiprotocol Extensions for BGP-4)在RFC4760中被定义,用于实现BGP-4的扩展以允许BGP携带多种网络层协议(例如IPv6、L3VPN、EVPN等)。这种扩展有很好的后向兼容性,即一个支持MP-BGP的路由器可以和一个仅支持BGP-4的路由器交互
|
|
|
|
|
|
<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220214101250549.png" alt="image-20220214101250549" style="zoom:50%;" />
|
|
|
|
|
|
<h5>1. BGP-4 Extensions</h5>
|
|
|
|
|
|
BGP-4 carries three pieces of IPv4-specific information: the NEXT_HOP attribute, the AGGREGATOR attribute and the IPv4 NLRI. To support other network-layer protocols, BGP-4 therefore needs two additional capabilities: associating next-hop information for other network-layer protocols, and associating NLRI for other network-layer protocols.
|
|
|
|
|
|
These two capabilities are collectively referred to by the Internet Assigned Numbers Authority (IANA) as an address family (Address Family, AF).
|
|
|
|
|
|
To preserve backward compatibility, MP-BGP adds two new attributes, MP_REACH_NLRI and MP_UNREACH_NLRI, which carry reachable and unreachable destination information respectively. Both are optional non-transitive attributes.
|
|
|
|
|
|
<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220214101358995.png" alt="image-20220214101358995" style="zoom:50%;" />
|
|
|
|
|
|
In BGP-4, the IPv4 NEXT_HOP and AGGREGATOR belong to the Path Attributes field, and the IPv4 NLRI carries the IPv4 route entries.
|
|
|
|
|
|
MP-BGP adds a new Path Attributes field, MP_REACH_NLRI, which holds the NEXT_HOP and the NLRI of the corresponding network-layer protocol.
|
|
|
|
|
|
**MP_REACH_NLRI**
|
|
|
|
|
|
MP_REACH_NLRI is carried in BGP Update messages and serves to:
|
|
|
|
|
|
Advertise reachable routes to BGP neighbors
|
|
|
|
|
|
Advertise the next hop of reachable routes to BGP neighbors
|
|
|
|
|
|
Its fields are shown below:
|
|
|
|
|
|
<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220214101546653.png" alt="image-20220214101546653" style="zoom:50%;" />
|
|
|
|
|
|
**MP_UNREACH_NLRI**
|
|
|
|
|
|
MP_UNREACH_NLRI is carried in BGP Update messages and is used to withdraw unreachable routes
|
|
|
|
|
|
Its fields are shown below:
|
|
|
|
|
|
<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220214101617706.png" alt="image-20220214101617706" style="zoom:50%;" />
|
|
|
|
|
|
<h4>II: EVPN</h4>
|
|
|
|
|
|
<h5>1. EVPN Overview</h5>
|
|
|
|
|
|
**MPLS Overview**
|
|
|
|
|
|
MPLS (Multiprotocol Label Switching) sits between the data link layer and the network layer of the TCP/IP stack, inserting an additional MPLS header between the two. Packet forwarding is based directly on this header, which is also called the MPLS label. MPLS replaces IP forwarding with label switching, enabling fast label-based forwarding.
|
|
|
|
|
|
<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220214101731111.png" alt="image-20220214101731111" style="zoom:50%;" />
|
|
|
|
|
|
MPLS originated with IPv4 (Internet Protocol version 4), but its core technology extends to many network protocols, including IPv6 (Internet Protocol version 6), IPX (Internet Packet Exchange), AppleTalk, DECnet and CLNP (Connectionless Network Protocol). The "Multiprotocol" in MPLS refers to this support for multiple network protocols.
|
|
|
|
|
|
MPLS replaces IP forwarding with label switching. A label is a short, fixed-length connection identifier with only local significance, similar to the VPI/VCI of ATM or the DLCI of Frame Relay.
|
|
|
|
|
|
MPLS Domain: a set of contiguous network devices running MPLS forms an MPLS domain.
|
|
|
|
|
|
**VPLS Overview**
|
|
|
|
|
|
VPLS (Virtual Private LAN Service) is an Ethernet-based Layer 2 VPN technology that provides LAN-like service over an MPLS network, allowing users at multiple geographic locations to access the network and reach one another.
|
|
|
|
|
|
<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220214101833140.png" alt="image-20220214101833140" style="zoom:50%;" />
|
|
|
|
|
|
**Traditional L2VPN**
|
|
|
|
|
|
Traditional L2VPN services such as VPLS (Virtual Private LAN Service) provide Layer 2 connectivity between a customer's remote sites. They build a Layer 2 switched network that transparently forwards Ethernet frames like a Layer 2 switch. In this example, the VPLS network formed by PE1 and PE2 transparently carries the VLAN traffic between CE1 and CE2.
|
|
|
|
|
|
In traditional L2VPN, remote MAC addresses are therefore learned through ARP broadcast flooding, and the PE devices have to carry that broadcast traffic. Broadcast consumes a large share of interface bandwidth, which is a typical problem of traditional L2VPN.
|
|
|
|
|
|
<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220214101914378.png" alt="image-20220214101914378" style="zoom:50%;" />
|
|
|
|
|
|
**The Birth of EVPN**
|
|
|
|
|
|
As new technologies and scenarios placed new demands on networks, more problems of VPLS were exposed and it could no longer meet the requirements of Layer 2 VPN. The industry re-examined the requirements for Ethernet VPN (RFC 7209) and proposed a new solution, EVPN (Ethernet VPN).
|
|
|
|
|
|
EVPN was first defined in RFC 7432. It introduces a control plane to better control the MAC address learning process.
|
|
|
|
|
|
The EVPN control plane uses MP-BGP; the data plane supports MPLS LSPs or IP/GRE tunneling.
|
|
|
|
|
|
<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220214101947745.png" alt="image-20220214101947745" style="zoom:50%;" />
|
|
|
|
|
|
**Advantages of EVPN**
|
|
|
|
|
|
EVPN departs from the data-plane learning of traditional L2 VPN: it introduces control-plane learning of MAC and IP addresses to guide data forwarding, separating the control plane from the forwarding plane.
|
|
|
|
|
|
EVPN solves the typical problems of traditional L2 VPN and adds value such as active-active access, fast convergence and simplified operation and maintenance.
|
|
|
|
|
|
<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220214102025087.png" alt="image-20220214102025087" style="zoom:50%;" />
|
|
|
|
|
|
Other advantages of EVPN:
|
|
|
|
|
|
Supports multi-active CE access to PEs
|
|
|
|
|
|
Supports automatic discovery of PE members
|
|
|
|
|
|
Loop avoidance
|
|
|
|
|
|
Broadcast traffic optimization
|
|
|
|
|
|
Supports ECMP
|
|
|
|
|
|
<h5>2. Common EVPN Routes</h5>
|
|
|
|
|
|
**EVPN NLRI**
|
|
|
|
|
|
EVPN defines a new BGP NLRI (Network Layer Reachability Information) to carry all EVPN routes, called the EVPN NLRI.
|
|
|
|
|
|
EVPN NLRI is a new MP-BGP extension: it is carried inside MP_REACH_NLRI and defines a new NLRI. The EVPN AFI (Address Family Identifier) is 25 and its SAFI (Subsequent Address Family Identifier) is 70.
|
|
|
|
|
|
<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220214102215683.png" alt="image-20220214102215683" style="zoom:50%;" />
|
|
|
|
|
|
**EVPN Routes**
|
|
|
|
|
|
The EVPN NLRI uses a TLV (Type-Length-Value) structure, which gives the message great flexibility and extensibility:
|
|
|
|
|
|
Route Type identifies the different EVPN routes. RFC 7432 initially defined four route types
|
|
|
|
|
|
Length gives the length of the field
|
|
|
|
|
|
Route Type Specific carries the fields that differ per route type
|
|
|
|
|
|
<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220214102256990.png" alt="image-20220214102256990" style="zoom:50%;" />
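The MP_REACH_NLRI layout and the EVPN NLRI TLV described above, as an added Python encoder and parser that is not part of the original notes or of any vendor implementation: it builds the attribute with the optional non-transitive flags, AFI 25 / SAFI 70, and a list of Route Type / Length / Route Type Specific TLVs, and the parser rejects wrong flags or inconsistent lengths instead of guessing. The route-type-specific payloads are constructed opaque byte strings of the correct size.

```python
import struct
from typing import List, Tuple

FLAG_OPTIONAL, FLAG_TRANSITIVE, FLAG_EXT_LEN = 0x80, 0x40, 0x10   # path attribute flags
MP_REACH_NLRI, AFI_L2VPN, SAFI_EVPN = 14, 25, 70                  # RFC 4760 / RFC 7432 values
EvpnRoute = Tuple[int, bytes]        # (Route Type, Route Type Specific octets)


def encode_evpn_nlri(routes: List[EvpnRoute]) -> bytes:
    """Each EVPN route is a Route Type (1 octet) / Length (1 octet) / Route Type Specific TLV."""
    out = b""
    for rtype, value in routes:
        if len(value) > 255:
            raise ValueError("EVPN NLRI Length is a single octet")
        out += struct.pack("!BB", rtype, len(value)) + value
    return out


def encode_mp_reach(nexthop: bytes, nlri: bytes) -> bytes:
    """MP_REACH_NLRI body: AFI, SAFI, next-hop length, next hop, one reserved octet, NLRI."""
    body = struct.pack("!HBB", AFI_L2VPN, SAFI_EVPN, len(nexthop)) + nexthop + b"\x00" + nlri
    flags = FLAG_OPTIONAL            # optional and NON-transitive, as the text states
    if len(body) > 255:              # extended length: set the 0x10 flag, use a 2-octet length
        return struct.pack("!BBH", flags | FLAG_EXT_LEN, MP_REACH_NLRI, len(body)) + body
    return struct.pack("!BBB", flags, MP_REACH_NLRI, len(body)) + body


def parse_mp_reach(attr: bytes):
    """Return (afi, safi, nexthop, routes). Anything that is not a well-formed optional
    non-transitive MP_REACH_NLRI is rejected rather than parsed on a best-effort basis."""
    if len(attr) < 3 or attr[1] != MP_REACH_NLRI or not attr[0] & FLAG_OPTIONAL or attr[0] & FLAG_TRANSITIVE:
        raise ValueError("not an optional non-transitive MP_REACH_NLRI attribute")
    if attr[0] & FLAG_EXT_LEN:
        length, body = struct.unpack("!H", attr[2:4])[0], attr[4:]
    else:
        length, body = attr[2], attr[3:]
    if len(body) != length or length < 5:
        raise ValueError("attribute length mismatch")
    afi, safi, nh_len = struct.unpack("!HBB", body[:4])
    nexthop, pos = body[4:4 + nh_len], 4 + nh_len + 1   # +1 skips the reserved octet
    if len(nexthop) != nh_len or pos > len(body):
        raise ValueError("next hop or reserved octet truncated")
    routes: List[EvpnRoute] = []
    while pos < len(body):
        rtype, rlen = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + rlen]
        if len(value) != rlen:
            raise ValueError("truncated EVPN NLRI TLV")
        routes.append((rtype, value))
        pos += 2 + rlen
    return afi, safi, nexthop, routes


# Constructed sample payloads (left opaque): Type 2 MAC/IP without IP = 33 octets, Type 5 IPv4 prefix = 34 octets.
SAMPLE_ROUTES: List[EvpnRoute] = [(2, bytes(range(33))), (5, bytes(range(34)))]
```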
|
|
|
|
|
|
**More EVPN Route Types and Their Functions**
|
|
|
|
|
|
EVPN is not limited to Layer 2 VPN: as more EVPN route types have been added, it supports further applications such as L3 VPN.
|
|
|
|
|
|
| **Route Type** | **Function** | **RFC** |
| --- | --- | --- |
| (Type 1) Ethernet A-D Route | Aliasing; mass MAC address withdrawal; multi-active indication; ESI label advertisement | RFC 7432 |
| (Type 2) MAC/IP Advertisement Route | MAC address learning advertisement; MAC/IP binding; MAC mobility | RFC 7432 |
| (Type 3) Inclusive Multicast Route | Automatic discovery of multicast tunnel endpoints and multicast type | RFC 7432 |
| (Type 4) Ethernet Segment Route | ES member automatic discovery; DF election | RFC 7432 |
| (Type 5) IP Prefix Route | IP prefix advertisement (supports L3 VPN) | draft-ietf-bess-evpn-prefix-advertisement |
|
|
|
|
|
|
**EVPN Protocol Standards**
|
|
|
|
|
|
<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220214102438115.png" alt="image-20220214102438115" style="zoom:50%;" />
|
|
|
|
|
|
<h5>3. Typical EVPN Application Scenarios</h5>
|
|
|
|
|
|
**EVPN in Wide-Area IP Bearer Networks**
|
|
|
|
|
|
<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220214102541931.png" alt="image-20220214102541931" style="zoom:50%;" />
|
|
|
|
|
|
**EVPN in Data Center Networks**
|
|
|
|
|
|
Cloud data centers use the EVPN-based NVO (Network Virtualization Overlay) solution (RFC 8365).
|
|
|
|
|
|
VXLAN encapsulation in the data plane combined with EVPN in the control plane is recommended to build a flexible data center Overlay network.
|
|
|
|
|
|
<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220214102613347.png" alt="image-20220214102613347" style="zoom:50%;" />
|
|
|
|
|
|
**EVPN in Campus Networks**
|
|
|
|
|
|
The virtualized campus solution is the same as in cloud data centers: it uses the EVPN-based NVO solution (RFC 8365).
|
|
|
|
|
|
On different underlay networks, VXLAN encapsulation combined with EVPN in the control plane builds a flexible Overlay network.
|
|
|
|
|
|
<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220214102642985.png" alt="image-20220214102642985" style="zoom:50%;" />
|
|
|
|
|
|
**EVPN in SD-WAN**
|
|
|
|
|
|
SD-WAN is a new-generation solution for interconnecting enterprise branches, supporting features such as intelligent dynamic path selection, ZTP and visualization.
|
|
|
|
|
|
In the SD-WAN solution, EVPN is deployed between the RR and the CPEs to propagate the SD-WAN Overlay VPN routes in the control plane, while the data plane uses IPSec VPN to build secure forwarding tunnels.
|
|
|
|
|
|
<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220214102721347.png" alt="image-20220214102721347" style="zoom:50%;" />
|
|
|
|
|
|
<h4>III: Enterprise Deployment of BGP/MPLS IP VPN for Interconnection</h4>
|
|
|
|
|
|
<h5>1. MPLS VPN Principles and Configuration</h5>
|
|
|
|
|
|
The edge devices that connect to customers are called PE devices
|
|
|
|
|
|
In the carrier network, every device other than a PE is a P device
|
|
|
|
|
|
The customer devices that connect to the carrier are called CE devices
|
|
|
|
|
|
BGP runs between the PE and CE devices
|
|
|
|
|
|
A VRF, also called a VPN instance table, solves the problem of overlapping addresses
|
|
|
|
|
|
**VPN Configuration Explained**
|
|
|
|
|
|
**Route Propagation**
|
|
|
|
|
|
```
1. Ensure the PE learns the routes of its local CE.
* Create the VRF table
  ip vpn-instance 1             Create a VPN instance. The PE creates one routing table per CE, holding that CE's routes.
  ipv4-family                   Enable the IPv4 address family.
  route-distinguisher 100:100   The RD is an identifier bound to the IPv4 prefix; it keeps addresses from overlapping while
                                the routes are carried across the backbone.
  vpn-target 100:100            export target = outbound, import target = inbound; marks which routes should be accepted,
                                i.e. tells the remote device which instance table a received route belongs in.
* Add the interface to the VRF
  Enter the interface view and run ip binding vpn-instance 1 to bind the interface to the VPN instance.
  (Why is the interface configuration cleared afterwards? The interface's routes were in the global routing
  table and are now moved to the VRF table, so the existing configuration has to be cleared.)
  display ip routing-table vpn-instance 1    Verify the VRF routing table and compare it with display ip routing-table
  ping -vpn-instance 1 <ip-address>
* Run an IGP between the PE and the CE.
  ospf 1 vpn-instance 1
  isis 1 vpn-instance 2
  display ospf peer brief
  display isis peer vpn-instance 2
2. Ensure the PE learns routes from the remote PE
Configure the IGP
  display ospf peer             Check OSPF neighbors
  display ip routing-table      Check the IP routing table
Configure MPLS
  display mpls ldp session      Check LDP neighbors
  display mpls lsp              Verify the LSPs
Configure BGP VPNv4
  bgp 100
  peer 4.4.4.4 as-number 100               IBGP peer reached through the IGP
  peer 4.4.4.4 connect-interface LoopBack0
  peer 4.4.4.4 next-hop-local
  ipv4-family vpnv4
  peer 4.4.4.4 enable
  Verify: display bgp vpnv4 all peer       Check BGP VPNv4 peers
Configure the RD
  ip vpn-instance 1
  route-distinguisher 100:100
  vpn-target 100:100
Import the IGP routes inside the VRF into BGP
  ipv4-family vpn-instance 1
  peer 12.1.1.1 as-number 200
  import-route ospf 2
Configure the RT
  ip vpn-instance 1
  vpn-target 100:100
Check whether the PE has received the CE's routes: display bgp vpnv4 vpn-instance 3 routing-table
Check the IP routing table: display ip routing-table vpn-instance 3
Ensure the CE learns the routes of the remote CE
  import-route bgp
```
|
|
|
|
|
|
<img src="https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/image-20220214104236177.png" alt="image-20220214104236177" style="zoom:50%;" />
|
|
|
|
|
|
**Networking Requirements:**
|
|
|
|
|
|
CE1 and CE3 belong to vpna
|
|
|
|
|
|
CE2 and CE4 belong to vpnb
|
|
|
|
|
|
vpna uses VPN-target 111:1 and vpnb uses 222:2
|
|
|
|
|
|
Users in different VPNs must not be able to reach each other
|
|
|
|
|
|
The PEs must establish the MP-IBGP peer relationship using 32-bit-mask Loopback interface addresses so that routes can be recursed to the tunnel
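The RD and RT roles from the configuration explanation and the requirements above, as an added Python model that is not part of the original notes: the RD keeps overlapping prefixes distinct in the VPNv4 table, while each VRF's import RT decides what lands in vpna or vpnb, so the isolation between VPN users rests entirely on that RT policy. Class and function names are assumptions; the RD and RT values are those of the example network.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Set


def encode_rd(rd: str) -> bytes:
    """Type 0 Route Distinguisher (2-octet AS : 4-octet number), e.g. '100:1' -> 8 octets."""
    asn, num = (int(x) for x in rd.split(":"))
    return struct.pack("!HHI", 0, asn, num)


def encode_rt(rt: str) -> bytes:
    """Route Target extended community, type 0x00 sub-type 0x02 (2-octet AS form)."""
    asn, num = (int(x) for x in rt.split(":"))
    return struct.pack("!BBHI", 0x00, 0x02, asn, num)


@dataclass
class VpnV4Route:
    rd: str
    prefix: str
    nexthop: str
    rts: Set[str]                      # export RTs attached by the advertising PE

    def key(self) -> bytes:
        """RD + prefix is the VPNv4 NLRI key, so 10.3.1.0/24 can exist in more than one VPN."""
        return encode_rd(self.rd) + self.prefix.encode()


@dataclass
class Vrf:
    name: str
    import_rts: Set[str]
    table: Dict[str, str] = field(default_factory=dict)   # prefix -> next hop


def import_routes(vrfs: List[Vrf], routes: List[VpnV4Route]) -> Dict[str, Dict[str, str]]:
    """Model of 'policy vpn-target': a route enters a VRF only if one of its RTs is imported there."""
    for vrf in vrfs:
        for r in routes:
            if vrf.import_rts & r.rts:
                vrf.table[r.prefix] = r.nexthop
    return {v.name: dict(v.table) for v in vrfs}


# Constructed scenario: PE1 receives CE3's and CE4's routes from PE2 (3.3.3.9), plus an
# overlapping 10.3.1.0/24 inside vpnb that only the different RD keeps distinct in transit.
PE2_ROUTES = [
    VpnV4Route("200:1", "10.3.1.0/24", "3.3.3.9", {"111:1"}),
    VpnV4Route("200:2", "10.4.1.0/24", "3.3.3.9", {"222:2"}),
    VpnV4Route("200:2", "10.3.1.0/24", "3.3.3.9", {"222:2"}),
]


def pe1_tables(vpna_import: Set[str] = frozenset({"111:1"})) -> Dict[str, Dict[str, str]]:
    """PE1's VRF tables; vpna_import can be varied to show how a wrong import RT leaks routes."""
    vrfs = [Vrf("vpna", set(vpna_import)), Vrf("vpnb", {"222:2"})]
    return import_routes(vrfs, PE2_ROUTES)
```

Calling `pe1_tables({"111:1", "222:2"})` makes vpnb's prefixes appear in vpna, which is the misconfiguration to look for when auditing the import RTs of PE VPN instances.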
|
|
|
|
|
|
**Configure PE1**
|
|
|
|
|
|
```
sysname PE1
#
ip vpn-instance vpna                       //create VPN instance vpna
 ipv4-family
  route-distinguisher 100:1                //route distinguisher
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb                       //create VPN instance vpnb
 ipv4-family                               //enable the IPv4 address family
  route-distinguisher 100:2
  vpn-target 222:2 export-extcommunity
  vpn-target 222:2 import-extcommunity
#
mpls lsr-id 1.1.1.9                        //configure MPLS
mpls
#
mpls ldp                                   //enable LDP
#
interface GE0/0/0                          //bind the VPN instance
 ip binding vpn-instance vpna
 ip address 10.1.1.2 255.255.255.0
#
interface GE0/0/1
 ip binding vpn-instance vpnb              //bind the VPN instance
 ip address 10.2.1.2 255.255.255.0
#
interface GE0/0/2                          //enable MPLS on the interface
 ip address 172.1.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 1.1.1.9 255.255.255.255
#
bgp 100                                    //configure the MP-IBGP peer
 peer 3.3.3.9 as-number 100
 peer 3.3.3.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 3.3.3.9 enable
 #
 ipv4-family vpnv4                         //enable the peer to exchange VPNv4 routes
  policy vpn-target
  peer 3.3.3.9 enable
 #
 ipv4-family vpn-instance vpna             //establish an EBGP peer with the CE and import VPN routes
  peer 10.1.1.1 as-number 65410
  import-route direct
 #
 ipv4-family vpn-instance vpnb             //establish an EBGP peer with the CE and import VPN routes
  peer 10.2.1.1 as-number 65420
  import-route direct
#
ospf 1                                     //configure public network routes
 area 0.0.0.0
  network 172.1.1.0 0.0.0.255
  network 1.1.1.9 0.0.0.0
```
|
|
|
|
|
|
**Configure P**
|
|
|
|
|
|
```
sysname P
#
mpls lsr-id 2.2.2.9                        //configure MPLS
mpls
#
mpls ldp
#
interface GE0/0/0
 ip address 172.1.1.2 255.255.255.0
 mpls
 mpls ldp
#
interface GE0/0/1
 ip address 172.2.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 2.2.2.9 255.255.255.255
#
ospf 1                                     //configure public network routes
 area 0.0.0.0
  network 172.1.1.0 0.0.0.255
  network 172.2.1.0 0.0.0.255
  network 2.2.2.9 0.0.0.0
#
```
|
|
|
|
|
|
**Configure PE2**
|
|
|
|
|
|
```
sysname PE2
#
ip vpn-instance vpna                       //create VPN instance vpna
 ipv4-family
  route-distinguisher 200:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb                       //create VPN instance vpnb
 ipv4-family
  route-distinguisher 200:2
  vpn-target 222:2 export-extcommunity
  vpn-target 222:2 import-extcommunity
#
mpls lsr-id 3.3.3.9                        //configure the MPLS LSR ID
mpls
#
mpls ldp
#
interface Ethernet1/0/0                    //bind the VPN instance
 ip binding vpn-instance vpna
 ip address 10.3.1.2 255.255.255.0
#
interface Ethernet2/0/0                    //bind the VPN instance
 ip binding vpn-instance vpnb
 ip address 10.4.1.2 255.255.255.0
#
interface Ethernet2/0/1                    //enable MPLS on the interface
 ip address 172.2.1.2 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 3.3.3.9 255.255.255.255
#
bgp 100                                    //configure the MP-IBGP peer
 peer 1.1.1.9 as-number 100
 peer 1.1.1.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 1.1.1.9 enable
 #
 ipv4-family vpnv4                         //enable the peer to exchange VPNv4 routes
  policy vpn-target
  peer 1.1.1.9 enable
 #
 ipv4-family vpn-instance vpna             //establish an EBGP peer with the CE and import VPN routes
  peer 10.3.1.1 as-number 65430
  import-route direct
 #
 ipv4-family vpn-instance vpnb             //establish an EBGP peer with the CE and import VPN routes
  peer 10.4.1.1 as-number 65440
  import-route direct
#
ospf 1                                     //configure public network routes
 area 0.0.0.0
  network 172.2.1.0 0.0.0.255
  network 3.3.3.9 0.0.0.0
#
```
|
|
|
|
|
|
**Configure CE1**
|
|
|
|
|
|
```
sysname CE1
#
interface GE0/0/0
 ip address 10.1.1.1 255.255.255.0
#
bgp 65410                                  //establish an EBGP peer relationship between PE and CE
 peer 10.1.1.2 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct                      //import directly connected routes
  peer 10.1.1.2 enable
#
```
|
|
|
|
|
|
**Configure CE2**
|
|
|
|
|
|
```
sysname CE2
#
interface GE0/0/0
 ip address 10.2.1.1 255.255.255.0
#
bgp 65420                                  //establish an EBGP peer relationship between PE and CE
 peer 10.2.1.2 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct                      //import directly connected routes
  peer 10.2.1.2 enable
```
|
|
|
|
|
|
**Configure CE3**
|
|
|
|
|
|
```
sysname CE3
#
interface GE0/0/0
 ip address 10.3.1.1 255.255.255.0
#
bgp 65430                                  //establish an EBGP peer relationship between PE and CE
 peer 10.3.1.2 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct                      //import directly connected routes
  peer 10.3.1.2 enable
#
```
|
|
|
|
|
|
**Configure CE4**
|
|
|
|
|
|
```
sysname CE4
#
interface GE0/0/0
 ip address 10.4.1.1 255.255.255.0
#
bgp 65440                                  //establish an EBGP peer relationship between PE and CE
 peer 10.4.1.2 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct                      //import directly connected routes
  peer 10.4.1.2 enable
```
|
|
|
|
|
|
**Testing**
|
|
|
|
|
|
Routers belonging to the same VPN instance can communicate with each other
|
|
|
|
|
|
Ensure the PE learns routes from the remote PE
|
|
|
|
|
|
display ospf peer: check OSPF neighbors
|
|
|
|
|
|
```
|
|
|
OSPF Process 1 with Router ID 1.1.1.9
|
|
|
Neighbors
|
|
|
Area 0.0.0.0 interface 172.1.1.1(GigabitEthernet0/0/2)'s neighbors
|
|
|
Router ID: 172.1.1.2 Address: 172.1.1.2
|
|
|
State: Full Mode:Nbr is Master Priority: 1
|
|
|
DR: 172.1.1.1 BDR: 172.1.1.2 MTU: 0
|
|
|
Dead timer due in 40 sec
|
|
|
Retrans timer interval: 5
|
|
|
Neighbor is up for 01:24:54
|
|
|
Authentication Sequence: [ 0 ]
|
|
|
```
|
|
|
|
|
|
display ip routing-table: check the IP routing table
|
|
|
|
|
|
display mpls ldp session: check LDP neighbors
|
|
|
|
|
|
display mpls lsp: verify the LSPs
|
|
|
|
|
|
```
LSP Information: BGP LSP
-------------------------------------------------------------------------------
FEC                In/Out Label    In/Out IF                      Vrf Name
10.1.1.0/24        1026/NULL       -/-                            vpna
10.2.1.0/24        1027/NULL       -/-                            vpnb
-------------------------------------------------------------------------------
LSP Information: LDP LSP
-------------------------------------------------------------------------------
FEC                In/Out Label    In/Out IF                      Vrf Name
2.2.2.9/32         NULL/3          -/GE0/0/2
2.2.2.9/32         1024/3          -/GE0/0/2
1.1.1.9/32         3/NULL          -/-
3.3.3.9/32         NULL/1025       -/GE0/0/2
3.3.3.9/32         1025/1025       -/GE0/0/2
```
|
|
|
|
|
|
A VRF, also called a VPN instance table, solves the problem of overlapping addresses
|
|
|
|
|
|
A Forwarding Equivalence Class (FEC) is a term used in Multiprotocol Label Switching (MPLS)
|
|
|
|
|
|
display bgp vpnv4 vpn-instance vpnb routing-table
|
|
|
|
|
|
display ip routing-table vpn-instance vpnb
|