What is a route black hole? Simply put, a router silently discards the packets: they go out and never come back. Here is a case:
As shown in the figure:
R1 and R2 form an EBGP neighbor relationship
R2 and R5 form an IBGP neighbor relationship
R5 and R7 form an EBGP neighbor relationship
R2, R3 and R5 run RIPv2 between them
First, the configurations:
hostname r1
interface Loopback0
ip address 1.1.1.1 255.255.255.0
interface Serial1/0
ip address 192.168.12.1 255.255.255.0
serial restart-delay 0
router bgp 100
no synchronization
bgp router-id 1.1.1.1
bgp log-neighbor-changes
network 1.1.1.0 mask 255.255.255.0
network 192.168.12.0
neighbor 2.2.2.2 remote-as 200
neighbor 2.2.2.2 ebgp-multihop 255
neighbor 2.2.2.2 update-source Loopback0
no auto-summary
!
ip route 2.2.2.0 255.255.255.0 192.168.12.2
hostname r2
interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
interface Serial1/0
ip address 192.168.23.2 255.255.255.0
serial restart-delay 0
!
interface Serial1/1
ip address 192.168.12.2 255.255.255.0
serial restart-delay 0
!
interface Serial1/2
ip address 192.168.24.2 255.255.255.0
serial restart-delay 0
!
router rip
version 2
network 2.0.0.0
network 192.168.23.0
no auto-summary
!
router bgp 200
no synchronization
bgp log-neighbor-changes
network 192.168.12.0
network 192.168.23.0
neighbor 1.1.1.1 remote-as 100
neighbor 1.1.1.1 ebgp-multihop 255
neighbor 1.1.1.1 update-source Loopback0
neighbor 5.5.5.5 remote-as 200
neighbor 5.5.5.5 update-source Loopback0
neighbor 5.5.5.5 next-hop-self
no auto-summary
!
ip route 1.1.1.0 255.255.255.0 192.168.12.1
hostname r3
interface Loopback0
ip address 3.3.3.3 255.255.255.0
!
interface Serial1/0
ip address 192.168.35.3 255.255.255.0
serial restart-delay 0
!
interface Serial1/1
ip address 192.168.23.3 255.255.255.0
serial restart-delay 0
router rip
version 2
network 3.0.0.0
network 192.168.23.0
network 192.168.35.0
no auto-summary
hostname r5
interface Loopback0
ip address 5.5.5.5 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface Serial1/0
ip address 192.168.57.5 255.255.255.0
serial restart-delay 0
!
interface Serial1/1
ip address 192.168.35.5 255.255.255.0
serial restart-delay 0
!
interface Serial1/2
ip address 192.168.45.5 255.255.255.0
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router rip
version 2
network 5.0.0.0
network 192.168.35.0
no auto-summary
!
router bgp 200
no synchronization
bgp log-neighbor-changes
bgp confederation identifier 200
neighbor 3.3.3.3 remote-as 200
neighbor 7.7.7.7 remote-as 300
neighbor 7.7.7.7 ebgp-multihop 255
neighbor 7.7.7.7 update-source Loopback0
no auto-summary
!
ip route 7.7.7.0 255.255.255.0 192.168.57.7
hostname r7
interface Serial1/1
ip address 192.168.57.7 255.255.255.0
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router bgp 300
no synchronization
bgp log-neighbor-changes
neighbor 5.5.5.5 remote-as 200
neighbor 5.5.5.5 ebgp-multihop 255
no auto-summary
!
ip route 5.5.5.0 255.255.255.0 192.168.57.5
Now look at R7's routing table:
r7#sh ip route
B 1.1.1.0 [20/0] via 5.5.5.5, 00:02:54 // output truncated to save space
R7 has learned R1's route. On the surface the experiment is perfect and the goal is reached. But now a problem shows up. As a test, ping R1 from R7:
r7#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
.....
What is going on here? We disabled synchronization on R5. R5 therefore treats the route to R1 that it learned over IBGP from R2 as usable and advertises it to R7, even though its IGP knows nothing about 1.1.1.0/24. When R7 sends a packet to R1 it sees R5 as the next hop and forwards the packet to R5. R5 looks up its routing table, finds that the next hop for R1 is R2 (2.2.2.2), continues the lookup and finds that R2 is reached through R3, so it hands the packet to R3. Now the problem appears: R3 does not run BGP, has no idea how to reach R1, and discards the packet. That is the route black hole. This is why synchronization between BGP and the IGP matters; what synchronization is was covered in the previous article and is not repeated here. (By the same reasoning R1 cannot reach R7, although it does hold a route entry for R7.)
(The conditions for a BGP route to be usable: 1. the next hop is reachable, which holds here; 2. synchronization, which does not hold here.)
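To make the forwarding failure concrete, here is an added Python model of this topology (illustrative code written for this article, not output from the lab). The routing tables are constructed from the configurations above and reduced to the entries the trace needs; the recursive next-hop lookup and the advertisement check are simplified models of what IOS does, not its exact algorithm. It traces a packet from R7 to 1.1.1.1, shows it being dropped on R3, shows that the synchronization check would have stopped R5 from advertising the route, and shows the trace succeeding once R3 has a route for 1.1.1.0/24.

```python
import copy
import ipaddress

# Constructed routing tables: prefix -> (next hop, source).
# next hop None = directly connected. Sources: C connected, S static, R RIP, B BGP.
RIBS = {
    "R7": {
        "192.168.57.0/24": (None, "C"),
        "5.5.5.0/24": ("192.168.57.5", "S"),
        "1.1.1.0/24": ("5.5.5.5", "B"),          # EBGP from R5
    },
    "R5": {
        "192.168.57.0/24": (None, "C"),
        "192.168.35.0/24": (None, "C"),
        "2.2.2.0/24": ("192.168.35.3", "R"),     # RIP, via R3
        "1.1.1.0/24": ("2.2.2.2", "B"),          # IBGP from R2 (next-hop-self)
    },
    "R3": {
        "192.168.35.0/24": (None, "C"),
        "192.168.23.0/24": (None, "C"),
        "2.2.2.0/24": ("192.168.23.2", "R"),
        "5.5.5.0/24": ("192.168.35.5", "R"),
        # no 1.1.1.0/24: R3 only runs RIP and nobody redistributes BGP into it
    },
    "R2": {
        "192.168.23.0/24": (None, "C"),
        "192.168.12.0/24": (None, "C"),
        "1.1.1.0/24": ("192.168.12.1", "S"),
    },
    "R1": {"192.168.12.0/24": (None, "C"), "1.1.1.0/24": (None, "C")},
}

# Interface and loopback addresses from the configs, mapped to their owner.
OWNER = {
    "7.7.7.7": "R7", "192.168.57.7": "R7",
    "5.5.5.5": "R5", "192.168.57.5": "R5", "192.168.35.5": "R5",
    "3.3.3.3": "R3", "192.168.35.3": "R3", "192.168.23.3": "R3",
    "2.2.2.2": "R2", "192.168.23.2": "R2", "192.168.12.2": "R2",
    "1.1.1.1": "R1", "192.168.12.1": "R1",
}


def longest_match(rib, dst):
    """Longest-prefix match; returns (next hop, source) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, entry in rib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry)
    return best[1] if best else None


def resolve(rib, dst, depth=0):
    """Recursive next-hop lookup: follow next hops until a connected route is hit.
    Returns the on-link address the packet is handed to, or None (no route)."""
    entry = longest_match(rib, dst)
    if entry is None or depth > 8:
        return None
    next_hop, _source = entry
    return dst if next_hop is None else resolve(rib, next_hop, depth + 1)


def trace(ribs, src, dst):
    """Forward a packet hop by hop. Returns (routers visited, delivered?)."""
    path, router = [src], src
    for _ in range(len(ribs) + 1):
        hop = resolve(ribs[router], dst)
        if hop is None:
            return path, False            # dropped here: the black hole
        nxt = OWNER[hop]
        if nxt == router:                 # dst is one of this router's own addresses
            return path, True
        path.append(nxt)
        router = nxt
    return path, False


def bgp_route_usable(prefix, bgp_next_hop, rib, synchronization):
    """The two conditions the text gives: the BGP next hop must resolve, and with
    synchronization on the same prefix must also exist from a non-BGP source
    (a simplified model of the IOS synchronization rule)."""
    if resolve(rib, bgp_next_hop) is None:
        return False
    if synchronization:
        entry = rib.get(prefix)
        return entry is not None and entry[1] != "B"
    return True


def with_route(ribs, router, prefix, entry):
    """Copy of the tables with one route added, e.g. what R3 gets from a reflector."""
    new = copy.deepcopy(ribs)
    new[router][prefix] = entry
    return new


if __name__ == "__main__":
    print(trace(RIBS, "R7", "1.1.1.1"))
    print(bgp_route_usable("1.1.1.0/24", "2.2.2.2", RIBS["R5"], synchronization=True))
    print(trace(with_route(RIBS, "R3", "1.1.1.0/24", ("2.2.2.2", "B")), "R7", "1.1.1.1"))
```

The first trace stops at R3 with delivered = False; with synchronization on, bgp_route_usable returns False for 1.1.1.0/24 on R5, which is exactly why R5 would then withhold the route from R7. Once R3 holds a BGP route for 1.1.1.0/24 via 2.2.2.2 (what the route reflector solution below gives it), the trace reaches R1.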
Now that the problem is clear, how do we solve it?
First, if we enable synchronization on R5 this situation cannot occur: when R5 receives the route for R1 from R2 it checks its IGP routing table for a route to R1, and if there is none it does not pass the route on to R7, which avoids the black hole. But getting R7 to learn R1's route is the real goal, so what then? We could redistribute the BGP routes into RIP, so that the IGP and BGP become synchronized. That is not a good idea, though. In a lab we can certainly do it, but the Internet today carries more than 200,000 routes, and if those were redistributed into our IGP routers most of them obviously could not cope.
Solution 1: Full Mesh
Run BGP between R2 and R3 and between R3 and R5 as well, so that R3 learns the route to R1. This means building IBGP neighbor relationships between each pair of R2, R3 and R5. With many routers, a full mesh needs n*(n-1)/2 neighbor relationships, which is clearly a lot of work. (Omitted.)
Solution 2: Route Reflector
We can make R3 a route reflector so that it reflects the route it learns from R2 (R1's prefix) on to R5. Normally, to prevent loops, a route learned from an IBGP neighbor is not passed on to other IBGP neighbors. With a route reflector only the reflector and its clients need neighbor relationships, which brings the count down to n-1.
Route reflector (RR) rules:
1. A route learned from a non-client IBGP peer is reflected only to clients.
2. A route learned from a client is reflected to all non-clients and to all clients other than the one that sent it.
3. A route learned from an EBGP peer is reflected to all clients and non-clients.
Procedure: remove the neighbor relationship between R2 and R5 and build IBGP sessions only between R2 and R3 and between R3 and R5.
Then, in router configuration mode on R3:
neighbor 2.2.2.2 route-reflector-client
neighbor 5.5.5.5 route-reflector-client // make R2 and R5 clients of the RR
R5 now receives the route for R1 and passes it on to R7.
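The three reflection rules above, plus the loop check a reflector applies, as an added Python model (written for this article; not IOS code and not part of the original lab). Peer names, the CLUSTER_LIST handling and the R3/R2/R5 setup are taken from the text; the `Peer`/`Update` types and function names are my own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Peer:
    name: str
    kind: str          # "ebgp", "client" (IBGP RR client) or "nonclient" (plain IBGP)


@dataclass(frozen=True)
class Update:
    prefix: str
    received_from: Peer
    cluster_list: tuple = ()     # CLUSTER_LIST attribute carried by reflected routes


def accept(update, cluster_id):
    """Loop check on a reflector: a route whose CLUSTER_LIST already contains
    our own cluster ID has passed through us before and is dropped."""
    return cluster_id not in update.cluster_list


def targets(update, peers, route_reflector):
    """Peers a best route is advertised to, following the three RR rules."""
    src = update.received_from
    out = set()
    for p in peers:
        if p == src:
            continue                 # never send a route back to its sender
        if p.kind == "ebgp":
            out.add(p.name)          # best routes always go to EBGP peers
        elif src.kind == "ebgp":
            out.add(p.name)          # rule 3: from EBGP -> all clients and non-clients
        elif not route_reflector:
            continue                 # plain IBGP: IBGP-learned routes go no further
        elif src.kind == "client":
            out.add(p.name)          # rule 2: from a client -> all other clients and non-clients
        elif p.kind == "client":
            out.add(p.name)          # rule 1: from a non-client -> clients only
    return out


def reflect(update, peers, cluster_id):
    """Process one update on a reflector: drop looped routes, otherwise return the
    outgoing update (our cluster ID prepended to CLUSTER_LIST) per target peer."""
    if not accept(update, cluster_id):
        return {}
    out = Update(update.prefix, update.received_from,
                 (cluster_id,) + update.cluster_list)
    return {name: out for name in targets(update, peers, route_reflector=True)}


# R3 as reflector with R2 and R5 as its clients, as configured above.
R2, R5 = Peer("R2", "client"), Peer("R5", "client")
R3_PEERS = (R2, R5)
R3_CLUSTER_ID = "3.3.3.3"     # without bgp cluster-id the router ID is used


def demo():
    """Same update from R2, before and after R3 becomes a reflector."""
    from_r2 = Update("1.1.1.0/24", received_from=R2)
    return {
        "plain_ibgp": targets(from_r2, R3_PEERS, route_reflector=False),
        "reflector": sorted(reflect(from_r2, R3_PEERS, R3_CLUSTER_ID)),
        "looped_back": reflect(Update("1.1.1.0/24", R2, ("3.3.3.3",)),
                               R3_PEERS, R3_CLUSTER_ID),
    }


if __name__ == "__main__":
    print(demo())
```

Without the reflector role R3 advertises R2's route to nobody (the plain IBGP rule that caused the black hole); as a reflector it sends it to R5 with CLUSTER_LIST (3.3.3.3), and a copy that comes back carrying 3.3.3.3 is rejected.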
Solution 3: Confederation
A confederation splits one large AS into several smaller ASes. Think of AS200 as China, which can obviously be divided into provinces: AS65012 and AS65003 are the "small ASes" carved out of it. These AS numbers are private (64512 to 65535 are available) and are stripped automatically when a route leaves AS200. After this split R3 and R5 are confederation EBGP neighbors, so R3's route entry for R1 can be passed on to R5.
R2:
router bgp 65012 // the confederation member AS number
no synchronization
bgp log-neighbor-changes
bgp confederation identifier 200 // R2 presents itself as AS 200 to the outside: it tells R1 its AS is 200, since 65012 is private
network 192.168.12.0
network 192.168.23.0
neighbor 1.1.1.1 remote-as 100
neighbor 1.1.1.1 ebgp-multihop 255
neighbor 1.1.1.1 update-source Loopback0
neighbor 3.3.3.3 remote-as 65012
neighbor 3.3.3.3 update-source Loopback0
neighbor 3.3.3.3 next-hop-self
no auto-summary
R3:
r3#sh run | b r b
router bgp 65012
no synchronization
bgp log-neighbor-changes
bgp confederation identifier 200 // R3 presents itself as AS 200 to R5; not to R2, since they belong to the same member AS
neighbor 2.2.2.2 remote-as 65012
neighbor 2.2.2.2 update-source Loopback0
neighbor 5.5.5.5 remote-as 65003
neighbor 5.5.5.5 ebgp-multihop 255
neighbor 5.5.5.5 update-source Loopback0
no auto-summary
!
R5:
router bgp 65003
no synchronization
bgp log-neighbor-changes
bgp confederation identifier 200 // R5 presents itself as AS 200 to R3 and R7
neighbor 3.3.3.3 remote-as 65012
neighbor 3.3.3.3 ebgp-multihop 255
neighbor 7.7.7.7 remote-as 300
neighbor 7.7.7.7 ebgp-multihop 255
neighbor 7.7.7.7 update-source Loopback0
no auto-summary
!
Now check the neighbor relationship between R3 and R5:
r3#sh ip bgp su
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
2.2.2.2         4 65012      10       9        1    0    0 00:06:26        2
5.5.5.5         4 65003       1       1        0    0    0 never    Active
The session stays in the Active state and never comes up. Why?
Analysis:
Both R5 and R3 have the command bgp confederation identifier 200.
Because they are in different member ASes, each presents itself to the other as AS 200, yet that is not what the neighbor statements expect:
On R3: neighbor 5.5.5.5 remote-as 65003
On R5: neighbor 3.3.3.3 remote-as 65012
So an error is reported: wrong AS number, as follows:
r5#
*Oct 19 12:20:10.311: %SYS-5-CONFIG_I: Configured from console by console
r5#
*Oct 19 12:20:19.155: %BGP-3-NOTIFICATION: sent to neighbor 3.3.3.3 2/2 (peer in wrong AS) 2 bytes 00C8
r5# FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 002D 0104 00C8 00B4 0303 0303 1002 0601 0400 0100 0102 0280 0002 0202 00
Solution:
On R3: bgp confederation peers 65003 // do not present AS 200 to 65003
On R5: bgp confederation peers 65012 // do not present AS 200 to 65012
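The hex dump in the log is the OPEN message R3 sent to R5, so the analysis above can be checked byte by byte. The following Python is an added example written for this article, not part of the original lab: it parses that OPEN (RFC 4271 format, capabilities per RFC 5492), reproduces the peer-AS check that made R5 send NOTIFICATION 2/2 with data 00C8, and models the rule the text gives for which AS number a confederation router announces. Function and constant names are my own.

```python
import ipaddress
import struct

# The OPEN message R3 sent to R5, copied from the debug output above.
OPEN_HEX = ("FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 002D 0104 00C8 00B4 0303 0303 "
            "1002 0601 0400 0100 0102 0280 0002 0202 00")
MARKER = b"\xff" * 16
OPEN = 1
OPEN_MESSAGE_ERROR, BAD_PEER_AS = 2, 2        # NOTIFICATION code 2 / subcode 2


def r3_open_bytes():
    return bytes.fromhex(OPEN_HEX.replace(" ", ""))


def parse_open(raw):
    """Parse a BGP OPEN: 16-byte marker, length, type, then version, My AS
    (16 bits; 4-byte ASNs would send AS_TRANS 23456 plus capability 65),
    hold time, BGP identifier and the optional parameters."""
    if len(raw) < 29 or raw[:16] != MARKER:
        raise ValueError("bad marker or truncated header")
    length, msg_type = struct.unpack("!HB", raw[16:19])
    if msg_type != OPEN or length != len(raw):
        raise ValueError("not a complete OPEN message")
    version, my_as, hold_time, bgp_id, opt_len = struct.unpack("!BHHIB", raw[19:29])
    if 29 + opt_len != length:
        raise ValueError("optional parameter length does not match message length")
    caps = []
    pos = 29
    while pos < length:
        ptype, plen = raw[pos], raw[pos + 1]
        body = raw[pos + 2:pos + 2 + plen]
        if ptype == 2:                          # Capabilities optional parameter
            i = 0
            while i < len(body):
                code, clen = body[i], body[i + 1]
                caps.append((code, body[i + 2:i + 2 + clen].hex()))
                i += 2 + clen
        pos += 2 + plen
    return {"version": version, "my_as": my_as, "hold_time": hold_time,
            "bgp_id": str(ipaddress.IPv4Address(bgp_id)), "capabilities": caps}


def my_as_for_open(member_as, confed_id, peer_as, confed_peers):
    """AS number a confederation router puts in My AS, as the text describes:
    the member AS toward its own member AS and toward ASes listed under
    'bgp confederation peers', the confederation identifier toward everyone else."""
    if peer_as == member_as or peer_as in confed_peers:
        return member_as
    return confed_id


def check_peer_as(open_msg, configured_remote_as):
    """The receiver's side: None when My AS matches the configured remote-as,
    otherwise the NOTIFICATION (code, subcode, data) it sends back."""
    if open_msg["my_as"] == configured_remote_as:
        return None
    return (OPEN_MESSAGE_ERROR, BAD_PEER_AS, struct.pack("!H", open_msg["my_as"]))


if __name__ == "__main__":
    msg = parse_open(r3_open_bytes())
    print(msg)                                      # my_as is 200, bgp_id 3.3.3.3
    print(check_peer_as(msg, 65012))                # (2, 2, b'\x00\xc8'), as in the log
    print(my_as_for_open(65012, 200, 65003, {65003}))   # 65012 after 'bgp confederation peers 65003'
```

Parsing gives My AS = 200 from a router whose BGP identifier is 3.3.3.3, while R5 is configured with remote-as 65012; the check returns code 2, subcode 2 and the two data bytes 00C8 (200 in hex), matching the "peer in wrong AS" line above. With 65003 added under bgp confederation peers on R3, my_as_for_open yields 65012 and the session can come up.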
Verification:
r5#sh ip bgp
BGP table version is 13, local router ID is 5.5.5.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.0/24       2.2.2.2                  0    100      0 (65012) 100 i
r> 7.7.7.0/24       7.7.7.7                  0             0 300 i
*> 192.168.12.0     2.2.2.2                  0    100      0 (65012) i
r> 192.168.23.0     3.3.3.3                  0    100      0 (65012) i
*> 192.168.35.0     0.0.0.0                  0         32768 i
*                   3.3.3.3                  0    100      0 (65012) i // the AS in parentheses is the private member AS; it is stripped when the route leaves R5, as R7's table shows
*> 192.168.57.0     0.0.0.0                  0         32768 i
*                   7.7.7.7                  0             0 300 i
r7#sh ip bgp
BGP table version is 12, local router ID is 7.7.7.7
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.0/24       5.5.5.5                                0 200 100 i
*> 7.7.7.0/24       0.0.0.0                  0         32768 i
*> 192.168.12.0     5.5.5.5                                0 200 i
*> 192.168.23.0     5.5.5.5                                0 200 i
*> 192.168.35.0     5.5.5.5                  0             0 200 i
*  192.168.57.0     5.5.5.5                  0             0 200 i
*>                  0.0.0.0                  0         32768 i
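The two tables show the AS_PATH changing from "(65012) 100" on R5 to "200 100" on R7. As an added example (written for this article, not the lab's own output), here is a Python model of the AS_PATH handling that produces exactly those paths: AS_CONFED_SEQUENCE segments are prepended between member ASes, and at the confederation border they are removed and replaced by the confederation identifier. The segment-type values are the standard ones from RFC 4271 and RFC 5065; the function names and the `peer_kind` labels are my own. For a router that is not in a confederation, pass its own AS as both member AS and confederation identifier.

```python
# AS_PATH segment types
AS_SET, AS_SEQUENCE, AS_CONFED_SEQUENCE, AS_CONFED_SET = 1, 2, 3, 4


def advertise_path(as_path, member_as, confed_id, peer_kind):
    """AS_PATH sent to a peer. as_path is a list of (segment type, [asn, ...]).
    peer_kind: 'ibgp' (same member AS), 'confed' (another member AS of the same
    confederation), 'ebgp' (outside the confederation)."""
    if peer_kind == "ibgp":
        return list(as_path)                  # IBGP leaves AS_PATH untouched
    if peer_kind == "confed":
        # prepend our member AS inside an AS_CONFED_SEQUENCE
        if as_path and as_path[0][0] == AS_CONFED_SEQUENCE:
            return [(AS_CONFED_SEQUENCE, [member_as] + as_path[0][1])] + as_path[1:]
        return [(AS_CONFED_SEQUENCE, [member_as])] + list(as_path)
    # external peer: drop every confederation segment, prepend the confederation ID
    public = [seg for seg in as_path if seg[0] in (AS_SET, AS_SEQUENCE)]
    if public and public[0][0] == AS_SEQUENCE:
        return [(AS_SEQUENCE, [confed_id] + public[0][1])] + public[1:]
    return [(AS_SEQUENCE, [confed_id])] + public


def show_path(as_path):
    """Render the path the way 'show ip bgp' does: confederation sequences in
    parentheses, AS sets in braces (confederation sets shown in brackets here)."""
    parts = []
    for seg_type, asns in as_path:
        text = " ".join(str(a) for a in asns)
        if seg_type == AS_SEQUENCE:
            parts.append(text)
        elif seg_type == AS_SET:
            parts.append("{" + text + "}")
        elif seg_type == AS_CONFED_SEQUENCE:
            parts.append("(" + text + ")")
        else:
            parts.append("[" + text + "]")
    return " ".join(parts)


def walk_1_1_1_0():
    """1.1.1.0/24 from R1 (AS100) through R2, R3, R5 (AS200 confederation) to R7."""
    steps = []
    path = advertise_path([], 100, 100, "ebgp")         # R1 -> R2
    steps.append(show_path(path))
    path = advertise_path(path, 65012, 200, "ibgp")     # R2 -> R3, same member AS
    steps.append(show_path(path))
    path = advertise_path(path, 65012, 200, "confed")   # R3 -> R5, confederation EBGP
    steps.append(show_path(path))
    path = advertise_path(path, 65003, 200, "ebgp")     # R5 -> R7, leaves AS200
    steps.append(show_path(path))
    return steps


if __name__ == "__main__":
    print(walk_1_1_1_0())      # ['100', '100', '(65012) 100', '200 100']
```

The third step is the "(65012) 100 i" line in R5's table and the fourth is the "200 100 i" line in R7's; a locally originated prefix such as 192.168.35.0 follows the same rule with an empty starting path and arrives at R7 as "200".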
End of experiment!
Note: with so many devices running, the CPU really could not keep up, so I could not capture the whole configuration process and have only given a summary explanation; apologies. If you need more, we can discuss further.