By ITAA zmjjtu
Configuring and Verifying BGP Conditional Advertisement
The BGP conditional advertisement feature provides additional control over the routes that are advertised, based on whether other prefixes exist in the BGP table.
Normally, whether a route is advertised has no necessary relationship to the presence of other paths. The BGP conditional advertisement feature uses the command neighbor advertise-map non-exist-map: the two route-maps named by these keywords track routes by prefix. If the prefix specified in the non-exist-map is not present in the BGP table, the routes specified in the advertise-map are advertised. This feature is useful in multihomed networks: if certain information is not received from one service provider (for example because the peering session has failed or only partial reachability exists), specified prefixes are advertised to the other service provider.
Topology diagram:
In the topology above, R103's loopback interface is used to advertise 192.168.50.0/24 to R102. By default, R102 advertises network 128.16.16.0/24 to both of its eBGP peers, R101 and R103.
With the BGP conditional advertisement feature, the following two tasks are accomplished on R102:
    If 192.168.50.0/24 exists in R102's BGP table, do not advertise 128.16.16.0/24 to R101.
    If 192.168.50.0/24 does not exist in R102's BGP table, advertise 128.16.16.0/24 to R101.
The configuration is as follows:
R101
R101(config)#int s1/2
R101(config-if)#ip add 10.10.10.1 255.255.255.0
R101(config-if)#no sh
R101(config-if)#int lo0
R101(config-if)#ip add 200.200.200.1 255.255.255.0
R101(config-if)#router bgp 1
R101(config-router)#bgp log-neighbor-changes
R101(config-router)#network 200.200.200.0
R101(config-router)#neighbor 10.10.10.2 remote-as 2
R101(config-router)#end
 
R102
R102(config)#int s1/0
R102(config-if)#ip add 10.10.10.2 255.255.255.0
R102(config-if)#no sh
R102(config-if)#int s1/2
R102(config-if)#ip add 10.10.20.2 255.255.255.0
R102(config-if)#no sh
R102(config)#int lo0
R102(config-if)#ip add 128.16.16.1 255.255.255.0
R102(config)#router bgp 2
R102(config-router)#bgp log-neighbor-changes
R102(config-router)#network 128.16.16.0 mask 255.255.255.0
R102(config-router)#network 130.130.0.0
R102(config-router)#neighbor 10.10.10.1 remote-as 1
R102(config-router)#neighbor 10.10.10.1 advertise-map ADVERTISE non-exist-map NON-EXIST
If the route specified by route-map NON-EXIST (192.168.50.0/24) is not present in the BGP table, advertise the route specified by route-map ADVERTISE (128.16.16.0/24).
R102(config-router)#neighbor 10.10.20.3 remote-as 3
R102(config-router)#exit
R102(config)#ip route 130.130.0.0 255.255.0.0 null 0
R102(config)#access-list 60 permit 128.16.16.0 0.0.0.255
R102(config)#access-list 65 permit 192.168.50.0 0.0.0.255
R102(config)#route-map NON-EXIST permit 10
R102(config-route-map)#match ip address 65
R102(config-route-map)#route-map ADVERTISE permit 10
R102(config-route-map)#match ip address 60
R102(config-route-map)#end
R103
R103(config)#int s1/2
R103(config-if)#ip add 10.10.20.3 255.255.255.0
R103(config-if)#no sh
R103(config-if)#int lo0
R103(config-if)#ip add 192.168.50.1 255.255.255.0
R103(config-if)#router bgp 3
R103(config-router)#bgp log-neighbor-changes
R103(config-router)#network 192.168.50.0
R103(config-router)#neighbor 10.10.20.2 remote-as 2
 
 
1. Verify the behaviour when 192.168.50.0/24 is present in R102's BGP table:

Check R102's BGP table:
R102#  sh ip bgp
BGP table version is 6, local router ID is 128.16.16.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
 
   Network          Next Hop            Metric LocPrf Weight Path
*> 128.16.16.0/24   0.0.0.0                  0         32768 i
*> 130.130.0.0      0.0.0.0                  0         32768 i
*> 192.168.50.0     10.10.20.3               0             0 3 i
*> 200.200.200.0    10.10.10.1               0             0 1 i
 
As long as 192.168.50.0/24 is present in R102's BGP table, R102 will not advertise 128.16.16.0/24 to R101:
R102#sh ip bgp neighbors 10.10.10.1 advertised-routes
BGP table version is 6, local router ID is 128.16.16.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
 
   Network          Next Hop            Metric LocPrf Weight Path
*> 130.130.0.0      0.0.0.0                  0         32768 i
*> 192.168.50.0     10.10.20.3               0             0 3 i
Note that 128.16.16.0/24 is not advertised to neighbor 10.10.10.1.
R102#sh ip bgp 128.16.16.0
BGP routing table entry for 128.16.16.0/24, version 5
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Advertised to non peer-group peers:
  10.10.20.3
  Local
    0.0.0.0 from 0.0.0.0 (128.16.16.1)
      Origin IGP, metric 0, localpref 100, weight 32768, valid, sourced, local, best
Not advertised to R101.

Check the conditional advertisement state on R102:
R102#sh ip bgp neighbors 10.10.10.1
BGP neighbor is 10.10.10.1,  remote AS 1, external link
  BGP version 4, remote router ID 200.200.200.1
  BGP state = Established, up for 00:29:26
  Last read 00:00:26, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received(old & new)
    Address family IPv4 Unicast: advertised and received
  Message statistics:
    InQ depth is 0
    OutQ depth is 0
                         Sent       Rcvd
    Opens:                  1          1
    Notifications:          0          0
    Updates:                2          1
    Keepalives:            32         32
    Route Refresh:          0          0
    Total:                 35         34
  Default minimum time between advertisement runs is 30 seconds
 
 For address family: IPv4 Unicast
  BGP table version 6, neighbor version 6
  Index 1, Offset 0, Mask 0x2
  Condition-map NON-EXIST, Advertise-map ADVERTISE, status: Withdraw
                                 Sent       Rcvd
  Prefix activity:               ----       ----
    Prefixes Current:               2          1 (Consumes 36 bytes)
    Prefixes Total:                 2          1
    Implicit Withdraw:              0          0
    Explicit Withdraw:              0          0
    Used as bestpath:             n/a          1
    Used as multipath:            n/a          0
 
                                   Outbound    Inbound
  Local Policy Denied Prefixes:    --------    -------
    advertise-map:                        1        n/a
    Bestpath from this peer:              1        n/a
    Total:                                2          0
  Number of NLRIs in the update sent: max 1, min 0
  (remaining output omitted)
The output above shows the conditional advertisement status as "Withdraw": the network matched by route-map ADVERTISE is not advertised to peer 10.10.10.1.

To confirm that the routes matching route-map ADVERTISE were not advertised to R101, check R101's BGP table:
R101#sh ip bgp 128.16.16.0
% Network not in table

2. Next, verify the behaviour when 192.168.50.0/24 is not present in R102's BGP table:
 
First shut down loopback0 on R103 so that it no longer advertises 192.168.50.0/24 to R102:
R103(config)#int lo0
R103(config-if)#sh
R103(config-if)#
01:05:13: %LINK-5-CHANGED: Interface Loopback0, changed state to administratively down

Check R102's BGP table to verify that it no longer has 192.168.50.0/24:
R102# sh ip bgp
BGP table version is 8, local router ID is 128.16.16.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
 
   Network          Next Hop            Metric LocPrf Weight Path
*> 128.16.16.0/24   0.0.0.0                  0         32768 i
*> 130.130.0.0      0.0.0.0                  0         32768 i
*> 200.200.200.0    10.10.10.1               0             0 1 i
192.168.50.0/24 is not in the BGP table.

Check how long it takes for the conditional advertisement to take effect:
R102#debug ip bgp updates
BGP updates debugging is on
01:19:49: BGP(0): 10.10.20.3 rcv UPDATE about 192.168.50.0/24 -- withdrawn
01:19:49: BGP(0): no valid path for 192.168.50.0/24
R102#
01:19:49: BGP(0): nettable_walker 192.168.50.0/24 no best path
R102#
01:20:15: BGP(0): 10.10.20.3 computing updates, afi 0, neighbor version 12, table version 13, starting at 0.0.0.0
01:20:15: BGP(0): 10.10.20.3 update run completed, afi 0, ran for 4ms, neighbor version 12, start version 13, throttled to 13
R102#
01:20:18: BGP(0): 10.10.10.1 computing updates, afi 0, neighbor version 12, table version 13, starting at 0.0.0.0
01:20:18: BGP(0): 10.10.10.1 send unreachable 192.168.50.0/24
01:20:18: BGP(0): 10.10.10.1 send UPDATE 192.168.50.0/24 -- unreachable
01:20:18: BGP(0): 10.10.10.1 1 updates enqueued (average=27, maximum=27)
01:20:18: BGP(0): 10.10.10.1 update run completed, afi 0, ran for 0ms, neighbor version 12, start version 13, throttled to 13
R102#
01:20:28: BPG(0): Condition NON-EXIST changes to Advertise
01:20:28: BGP(0): net 128.16.16.0/24 matches ADV MAP ADVERTISE: bump version to 14
01:20:29: BGP(0): nettable_walker 128.16.16.0/24 route sourced locally
R102#
01:20:42: BGP(0): 10.10.20.3 computing updates, afi 0, neighbor version 13, table version 14, starting at 0.0.0.0
01:20:42: BGP(0): 10.10.20.3 skip UPDATE 128.16.16.0/24 (chgflags: 0x0), next 0.0.0.0, path
01:20:42: BGP(0): 10.10.20.3 update run completed, afi 0, ran for 0ms, neighbor version 13, start version 14, throttled to 14
R102#
01:20:47: BGP(0): 10.10.10.1 computing updates, afi 0, neighbor version 13, table version 14, starting at 0.0.0.0
01:20:47: BGP(0): 10.10.10.1 128.16.16.0/24 matches advertise map ADVERTISE, state: Advertise
01:20:47: BGP(0): 10.10.10.1 send UPDATE (format) 128.16.16.0/24, next 10.10.10.2, metric 0, path
01:20:47: BGP(0): 10.10.10.1 1 updates enqueued (average=52, maximum=52)
01:20:47: BGP(0): 10.10.10.1 update run completed, afi 0, ran for 8ms, neighbor version 13, start version 14, throttled to 14
 
Conditional advertisement is triggered by the BGP scanner process, which runs every 60 seconds. This means the condition can take up to 60 seconds to take effect. Whether conditional advertisement reacts quickly therefore depends on whether the tracked route has been removed from the BGP table.

Now verify R102's conditional advertisement state for neighbor 10.10.10.1:
R102#sh ip bgp neighbors 10.10.10.1
BGP neighbor is 10.10.10.1,  remote AS 1, external link
  BGP version 4, remote router ID 200.200.200.1
  BGP state = Established, up for 01:00:43
  Last read 00:00:43, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received(old & new)
    Address family IPv4 Unicast: advertised and received
  Message statistics:
    InQ depth is 0
    OutQ depth is 0
                         Sent       Rcvd
    Opens:                  1          1
    Notifications:          0          0
    Updates:                6          1
    Keepalives:            63         63
    Route Refresh:          0          0
    Total:                 70         65
  Default minimum time between advertisement runs is 30 seconds
 
 For address family: IPv4 Unicast
  BGP table version 10, neighbor version 10
  Index 1, Offset 0, Mask 0x2
  Condition-map NON-EXIST, Advertise-map ADVERTISE, status: Advertise
                                 Sent       Rcvd
  Prefix activity:               ----       ----
    Prefixes Current:               2          1 (Consumes 36 bytes)
    Prefixes Total:                 4          1
    Implicit Withdraw:              0          0
    Explicit Withdraw:              2          0
    Used as bestpath:             n/a          1
    Used as multipath:            n/a          0
 
                                   Outbound    Inbound
  Local Policy Denied Prefixes:    --------    -------
    advertise-map:                        1        n/a
    Bestpath from this peer:              1        n/a
    Total:                                2          0
  Number of NLRIs in the update sent: max 1, min 0
  (remaining output omitted)
 
R101's BGP table now contains 128.16.16.0/24:
R101#sh ip bgp
BGP table version is 18, local router ID is 200.200.200.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
 
   Network          Next Hop            Metric LocPrf Weight Path
*> 128.16.16.0/24   10.10.10.2               0             0 2 i
*> 130.130.0.0      10.10.10.2               0             0 2 i
*> 200.200.200.0    0.0.0.0                  0         32768 i
R101#sh ip rout bgp
     128.16.0.0/24 is subnetted, 1 subnets
B       128.16.16.0 [20/0] via 10.10.10.2, 00:20:40
B    130.130.0.0/16 [20/0] via 10.10.10.2, 01:30:32

3. Re-install 192.168.50.0/24 on R102 and observe how the route in BGP changes from "Advertise" back to "Withdraw"
 
Bring R103's loopback0 back up:
R103(config)#int lo0
R103(config-if)#no sh
R103(config-if)#
01:55:46: %LINK-3-UPDOWN: Interface Loopback0, changed state to up
01:55:47: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up

Check the BGP update messages on R102:
R102#debug ip bgp updates
BGP updates debugging is on
R102#
01:55:42: BGP(0): 10.10.20.3 rcvd UPDATE w/ attr: nexthop 10.10.20.3, origin i, metric 0, path 3
01:55:42: BGP(0): 10.10.20.3 rcvd 192.168.50.0/24
01:55:42: BGP(0): Revise route installing 192.168.50.0/24 -> 10.10.20.3 to main IP table
01:55:42: BGP(0): 10.10.10.1 computing updates, afi 0, neighbor version 20, table version 21, starting at 0.0.0.0
01:55:42: BGP(0): 10.10.10.1 send UPDATE (format) 192.168.50.0/24, next 10.10.10.2, metric 0, path 3
01:55:42: BGP(0): 10.10.10.1 1 updates enqueued (average=47, maximum=47)
01:55:42: BGP(0): 10.10.10.1 update run completed, afi 0, ran for 8ms, neighbor version 20, start version 21, throttled to 21
R102#
01:55:42: BGP(0): 10.10.20.3 computing updates, afi 0, neighbor version 20, table version 21, starting at 0.0.0.0
01:55:42: BGP(0): 10.10.20.3 update run completed, afi 0, ran for 0ms, neighbor version 20, start version 21, throttled to 21
R102#
01:56:29: BPG(0): Condition NON-EXIST changes to Withdraw
01:56:29: BGP(0): net 128.16.16.0/24 matches ADV MAP ADVERTISE: bump version to 22
01:56:29: BGP(0): nettable_walker 128.16.16.0/24 route sourced locally
01:56:29: BGP(0): 10.10.10.1 computing updates, afi 0, neighbor version 21, table version 22, starting at 0.0.0.0
01:56:29: BGP(0): 10.10.10.1 128.16.16.0/24 matches advertise map ADVERTISE, state: Withdraw
01:56:29: BGP(0): 10.10.10.1 send unreachable 128.16.16.0/24
01:56:29: BGP(0): 10.10.10.1 send UPDATE 128.16.16.0/24 -- unreachable
01:56:29: BGP(0): 10.10.10.1 1 updates enqueued (average=27, maximum=27)
R102#
01:56:29: BGP(0): 10.10.10.1 update run completed, afi 0, ran for 12ms, neighbor version 21, start version 22, throttled to 22
01:56:29: BGP(0): 10.10.20.3 computing updates, afi 0, neighbor version 21, table version 22, starting at 0.0.0.0
01:56:29: BGP(0): 10.10.20.3 skip UPDATE 128.16.16.0/24 (chgflags: 0x0), next 0.0.0.0, path
01:56:29: BGP(0): 10.10.20.3 update run completed, afi 0, ran for 4ms, neighbor version 21, start version 22, throttled to 22

R102 no longer advertises 128.16.16.0/24 to R101:
R102#sh ip bgp nei 10.10.10.1 advertised-routes
BGP table version is 22, local router ID is 128.16.16.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
 
   Network          Next Hop            Metric LocPrf Weight Path
*> 130.130.0.0      0.0.0.0                  0         32768 i
*> 192.168.50.0     10.10.20.3               0             0 3 i
 
R102#sh ip bgp nei 10.10.10.1                  
BGP neighbor is 10.10.10.1,  remote AS 1, external link
  BGP version 4, remote router ID 200.200.200.1
  BGP state = Established, up for 02:00:03
  Last read 00:00:52, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received(old & new)
    Address family IPv4 Unicast: advertised and received
  Message statistics:
    InQ depth is 0
    OutQ depth is 0
                         Sent       Rcvd
    Opens:                  1          1
    Notifications:          0          0
    Updates:               18          1
    Keepalives:           123        122
    Route Refresh:          0          0
    Total:                142        124
  Default minimum time between advertisement runs is 30 seconds
 
 For address family: IPv4 Unicast
  BGP table version 22, neighbor version 22
  Index 1, Offset 0, Mask 0x2
  Condition-map NON-EXIST, Advertise-map ADVERTISE, status: Withdraw
                                 Sent       Rcvd
  Prefix activity:               ----       ----
    Prefixes Current:               2          1 (Consumes 36 bytes)
    Prefixes Total:                10          1
    Implicit Withdraw:              0          0
    Explicit Withdraw:              8          0
    Used as bestpath:             n/a          1
    Used as multipath:            n/a          0
 
                                   Outbound    Inbound
  Local Policy Denied Prefixes:    --------    -------
    advertise-map:                        4        n/a
    Bestpath from this peer:              1        n/a
    Total:                                5          0
  Number of NLRIs in the update sent: max 1, min 0
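The three verification steps above all rely on reading the same two pieces of CLI output by eye: the "Condition-map ..., status:" line of show ip bgp neighbors and the advertised-routes listing. As an added example (not part of the original post), here is a small Python checker that parses constructed excerpts of that output in the format shown on this page and confirms the observed state matches the rule the article states; function and constant names are my own.

```python
import re

# Constructed excerpts in the format of the "show ip bgp neighbors 10.10.10.1"
# and "... advertised-routes" output shown in this article (trimmed).
NEIGHBOR_OUTPUT = """\
BGP neighbor is 10.10.10.1,  remote AS 1, external link
  BGP state = Established, up for 00:29:26
 For address family: IPv4 Unicast
  Condition-map NON-EXIST, Advertise-map ADVERTISE, status: Withdraw
"""
ADVERTISED_OUTPUT = """\
   Network          Next Hop            Metric LocPrf Weight Path
*> 130.130.0.0      0.0.0.0                  0         32768 i
*> 192.168.50.0     10.10.20.3               0             0 3 i
"""

STATUS_RE = re.compile(
    r"Condition-map (?P<cond>\S+), Advertise-map (?P<adv>\S+), status: (?P<status>\w+)")
PEER_RE = re.compile(r"BGP neighbor is (?P<peer>[\d.]+),\s+remote AS (?P<asn>\d+)")
ROUTE_RE = re.compile(r"^\*>\s+(?P<net>[\d.]+(?:/\d+)?)\s", re.M)

def parse_conditional_status(text):
    """Extract peer, remote AS, both route-map names and the condition state."""
    peer = PEER_RE.search(text)
    status = STATUS_RE.search(text)
    if not peer or not status:
        return None  # no conditional advertisement configured for this peer
    return {"peer": peer["peer"], "remote_as": int(peer["asn"]),
            "condition_map": status["cond"], "advertise_map": status["adv"],
            "status": status["status"]}

def advertised_networks(text):
    """Best-path networks listed in 'advertised-routes' output."""
    return [m["net"] for m in ROUTE_RE.finditer(text)]

def verify_conditional(neighbor_text, advertised_text, tracked_in_table, adv_prefix):
    """Observed state must follow the rule: tracked prefix present -> status
    Withdraw and adv_prefix absent from the peer's advertised routes;
    tracked prefix absent -> status Advertise and adv_prefix advertised."""
    info = parse_conditional_status(neighbor_text)
    if info is None:
        return False
    expected = "Withdraw" if tracked_in_table else "Advertise"
    # IOS omits the mask on classful networks (130.130.0.0) but prints it on
    # 128.16.16.0/24, so compare on the network address only.
    adv_net = adv_prefix.split("/")[0]
    sent = any(n.split("/")[0] == adv_net for n in advertised_networks(advertised_text))
    return info["status"] == expected and sent == (expected == "Advertise")
```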

Note that in a real environment both AS1 and AS3 are connected to the Internet (the global BGP mesh). The network 192.168.50.0/24 learned from AS3 may therefore be advertised through the global BGP mesh to AS1 (R101), and AS1 may in turn advertise it to R102. In that case, unless an additional check is added to the non-exist map, conditional advertisement will fail. Consider the following scenario. AS1 learns 192.168.50.0/24 through the global BGP mesh and advertises it to AS2 (R102). R102 also learns the prefix 192.168.50.0/24 from its directly connected peer R103. When the link between R102 and R103 goes down, you might expect 192.168.50.0/24 to disappear from R102's BGP table, the condition to take effect, and the prefix 128.16.16.0/24 to be advertised to R101. But the prefix 192.168.50.0/24 is still present in R102's BGP table (learned from R101), so conditional advertisement fails. For conditional advertisement to work correctly, the prefix 192.168.50.0/24 must be required to have been learned from the directly connected AS3. Add a match as-path statement under the non-exist map that matches the prefix 192.168.50.0/24 coming from AS3, so that both the prefix and its AS path must match.
The configuration is as follows:
R102
ip as-path access-list 1 permit ^3$
!
access-list 60 permit 128.16.16.0 0.0.0.255
access-list 65 permit 192.168.50.0 0.0.0.255
route-map NON-EXIST permit 10
 match ip address 65
 match as-path 1
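To make the failure scenario concrete, here is an added Python model (not part of the original post) of how the NON-EXIST route-map is evaluated against R102's BGP table with and without the match as-path 1 clause. The table entries and the AS path "1 3" (192.168.50.0/24 reaching R102 via AS1) are constructed for illustration.

```python
import re

# Constructed R102 BGP table contents as (prefix, AS path) pairs. An empty
# AS path means a locally sourced route. "1 3" models 192.168.50.0/24
# arriving via AS1 after the R102-R103 link has gone down.
TABLE_DIRECT_FROM_AS3 = [("192.168.50.0/24", "3"), ("128.16.16.0/24", "")]
TABLE_VIA_AS1 = [("192.168.50.0/24", "1 3"), ("128.16.16.0/24", "")]
TABLE_ABSENT = [("128.16.16.0/24", "")]

# The two match clauses of route-map NON-EXIST permit 10 in this article:
# access-list 65 (the tracked prefix) and as-path access-list 1 (^3$).
TRACKED_PREFIX = "192.168.50.0/24"          # access-list 65
AS_PATH_ACL_1 = re.compile(r"^3$")          # ip as-path access-list 1 permit ^3$

def non_exist_map_matches(entry, require_as_path):
    """Evaluate one route-map sequence: all match clauses must succeed.
    require_as_path=False models the original map (prefix only),
    require_as_path=True models the map with 'match as-path 1' added."""
    prefix, as_path = entry
    if prefix != TRACKED_PREFIX:                        # match ip address 65
        return False
    if require_as_path and not AS_PATH_ACL_1.search(as_path):  # match as-path 1
        return False
    return True

def condition_status(bgp_table, require_as_path):
    """State the BGP scanner sets for the peer: Withdraw while any table
    entry satisfies NON-EXIST, Advertise once none does."""
    if any(non_exist_map_matches(e, require_as_path) for e in bgp_table):
        return "Withdraw"
    return "Advertise"

def sends_advertise_map_prefix(bgp_table, require_as_path):
    """Whether 128.16.16.0/24 (access-list 60, route-map ADVERTISE) is sent
    to R101 given the current table and map definition."""
    return condition_status(bgp_table, require_as_path) == "Advertise"
```

With the prefix-only map the "1 3" path still matches, so 128.16.16.0/24 stays withdrawn even though the direct path from AS3 is gone; requiring ^3$ restores the intended behaviour.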
 