gobgp policy

When a route is added with gobgp it is advertised to every peer. How can a given route be advertised only to a chosen peer?
GoBGP's policy feature does this; this post walks through an experiment that shows how to set up such a policy.

Environment

The lab environment is shown in the figure below.
[Figure 1: lab topology]
A gobgpd process runs on each of two servers. 10.10.10.56 and 10.10.10.57 form one peering, and 10.10.20.56 and 10.10.20.57 form another.

Route information with no policy configured

server1 configuration

[global.config]
 as = 65501
 router-id = "192.168.56.2"
 # no policy yet: policy1 and policy2 are only defined in the next section,
 # so the export-policy-list stays commented out for this first run
 #[global.apply-policy.config]
  #export-policy-list = ["policy1", "policy2"]

[[neighbors]]
  [neighbors.config]
    neighbor-address = "10.10.10.57"
    local-as = 65501
    peer-as = 65101
[[neighbors]]
  [neighbors.config]
    neighbor-address = "10.10.20.57"
    local-as = 65501
    peer-as = 65101

server2 configuration

[global.config]
 as = 65101
 router-id = "192.168.56.3"
 #[global.apply-policy.config]
  #export-policy-list = ["policy1"]

[[neighbors]]
  [neighbors.config]
    neighbor-address = "10.10.10.56"
    local-as = 65101
    peer-as = 65501
[[neighbors]]
  [neighbors.config]
    neighbor-address = "10.10.20.56"
    local-as = 65101
    peer-as = 65501

Start gobgpd on both servers with the following command

./gobgpd -f ./gobgpd.conf -l debug -p

Check neighbor state on server1

[root@localhost gobgp]# ./gobgp neigh
Peer           AS  Up/Down State       |#Received  Accepted
10.10.10.57 65101 00:00:01 Establ      |        0         0
10.10.20.57 65101 00:00:02 Establ      |        0         0

Check neighbor state on server2

root@test:~/gobgp# ./gobgp neigh
Peer           AS  Up/Down State       |#Received  Accepted
10.10.10.56 65501 00:16:38 Establ      |        0         0
10.10.20.56 65501 00:16:34 Establ      |        2         2

Advertise the following two routes on server1

./gobgp global rib add 10.208.13.20/32 -a ipv4 origin egp
./gobgp global rib add 10.208.13.21/32 -a ipv4 origin egp

Check the routes on server2: both routes arrived over both peerings, so without a policy every route goes to every peer

root@test:~/gobgp# ./gobgp g r
   Network              Next Hop             AS_PATH              Age        Attrs
*> 10.208.13.20/32      10.10.10.56          65501                00:00:16   [{Origin: e}]
*  10.208.13.20/32      10.10.20.56          65501                00:00:16   [{Origin: e}]
*> 10.208.13.21/32      10.10.10.56          65501                00:00:15   [{Origin: e}]
*  10.208.13.21/32      10.10.20.56          65501                00:00:15   [{Origin: e}]

Configuring the policy

The policy configured on server1 below has this goal:
10.208.13.20/32 may be advertised only to peer 10.10.10.57, while 10.208.13.21/32 must not be advertised to peer 10.10.10.57 (so it reaches only 10.10.20.57).
a. Configure the policy through the configuration file
server1 configuration

[global.config]
 as = 65501
 router-id = "192.168.56.2"
 [global.apply-policy.config]
  # export-policy-list: policies applied to every route this gobgpd advertises.
  # They are evaluated in list order; the first statement whose conditions match
  # and whose action sets a route-disposition decides the route. A route that no
  # statement claims gets the default disposition (ACCEPT, as "gobgp global
  # policy export" shows below).
  export-policy-list = ["policy1", "policy2"]

[[neighbors]]
  [neighbors.config]
    neighbor-address = "10.10.10.57"
    local-as = 65501
    peer-as = 65101
[[neighbors]]
  [neighbors.config]
    neighbor-address = "10.10.20.57"
    local-as = 65501
    peer-as = 65101

[[defined-sets.prefix-sets]]
 prefix-set-name = "ps1"
 [[defined-sets.prefix-sets.prefix-list]]
   ip-prefix = "10.208.13.20/32"

[[defined-sets.prefix-sets]]
 prefix-set-name = "ps2"
 [[defined-sets.prefix-sets.prefix-list]]
   ip-prefix = "10.208.13.21/32"

[[defined-sets.neighbor-sets]]
 neighbor-set-name = "ns1"
 neighbor-info-list = ["10.10.10.57"]

[[policy-definitions]]
  # policy1: do not advertise ps1 routes to any neighbor other than ns1
  name = "policy1"
  [[policy-definitions.statements]]
    name = "statement1"
    [policy-definitions.statements.conditions.match-prefix-set]
      prefix-set = "ps1"
    [policy-definitions.statements.conditions.match-neighbor-set]
      neighbor-set = "ns1"
      # invert: the condition holds when the neighbor is NOT in ns1. In an export
      # policy the neighbor is the peer the route is about to be advertised to.
      match-set-options = "invert"
    [policy-definitions.statements.actions]
      route-disposition = "reject-route"

[[policy-definitions]]
  name = "policy2"
  [[policy-definitions.statements]]
    name = "statement2"
    [policy-definitions.statements.conditions.match-prefix-set]
      prefix-set = "ps2"
    [policy-definitions.statements.conditions.match-neighbor-set]
      neighbor-set = "ns1"
    [policy-definitions.statements.actions]
      route-disposition = "reject-route"

server2 configuration: unchanged from the previous section.

Restart gobgpd on server1 so the new configuration is loaded. A restart empties its RIB, so the two routes have to be added again

./gobgp global rib add 10.208.13.20/32 -a ipv4 origin egp
./gobgp global rib add 10.208.13.21/32 -a ipv4 origin egp

Check the policy configuration on server1

[root@localhost gobgp]# ./gobgp global policy export
Export policy:
Default: ACCEPT
Name policy1:
    StatementName statement1:
      Conditions:
        PrefixSet: any ps1
        NeighborSet: invert ns1
      Actions:
         reject
Name policy2:
    StatementName statement2:
      Conditions:
        PrefixSet: any ps2
        NeighborSet: any ns1
      Actions:
         reject

Check the routes on server2: 10.208.13.20/32 now arrives only over the 10.10.10.x peering (it was sent to 10.10.10.57) and 10.208.13.21/32 only over the 10.10.20.x peering (it was sent to 10.10.20.57)

root@test:~/gobgp# ./gobgp g r
   Network              Next Hop             AS_PATH              Age        Attrs
*> 10.208.13.20/32      10.10.10.56          65501                00:00:03   [{Origin: e}]
*> 10.208.13.21/32      10.10.20.56          65501                00:00:03   [{Origin: e}]

b. Configure the policy through the command line
Running the following commands on server1 builds the same policy at runtime. Note that changes made through the gobgp CLI live only in the running gobgpd: they are not written back to gobgpd.conf and are lost on restart, so a policy that must survive a restart belongs in the configuration file as in a.

./gobgp policy neighbor add neigh-test 10.10.10.57
./gobgp policy prefix add prefix-test1 10.208.13.20/32
./gobgp policy prefix add prefix-test2 10.208.13.21/32

./gobgp policy statement state-test1 add condition prefix prefix-test1 any
./gobgp policy statement state-test1 add condition neighbor neigh-test invert
./gobgp policy statement state-test1 add action reject

./gobgp policy statement state-test2 add condition prefix prefix-test2 any
./gobgp policy statement state-test2 add condition neighbor neigh-test any
./gobgp policy statement state-test2 add action reject

./gobgp policy add pl-test1 state-test1
./gobgp policy add pl-test2 state-test2

./gobgp global policy export add pl-test1
./gobgp global policy export add pl-test2

Check the policy configuration

[root@localhost gobgp]# ./gobgp global policy export
Export policy:
Default: ACCEPT
Name pl-test1:
    StatementName state-test1:
      Conditions:
        PrefixSet: any prefix-test1
        NeighborSet: invert neigh-test
      Actions:
         reject
Name pl-test2:
    StatementName state-test2:
      Conditions:
        PrefixSet: any prefix-test2
        NeighborSet: any neigh-test
      Actions:
         reject
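To make the evaluation rules behind both versions of the policy concrete (the configuration-file policy in a and the CLI policy in b define the same two statements under different names), here is a small model of GoBGP's export-policy evaluation written for this post. It is an added example, not GoBGP's own code: prefix-set, neighbor-set, any/invert, route-disposition and the default disposition are modelled with the page's values; the type and function names (Statement, Policy, Exported, ExportMatrix, Server1Export) are this example's own, and prefix matching is simplified to exact string comparison, which is what a prefix-set entry without masklength-range means. It goes one step beyond the page's case by making the first-match rule explicit: policies are tried in export-policy-list order and the first matching statement that sets a disposition decides, so an accept-route statement placed before policy1 would make policy1 irrelevant.

```go
package main

import "fmt"

// Disposition mirrors GoBGP's route-disposition values.
type Disposition int

const (
	None   Disposition = iota // no disposition set: evaluation continues
	Accept                    // accept-route
	Reject                    // reject-route
)

// Statement models one policy-definitions.statements entry: a match-prefix-set,
// a match-neighbor-set with match-set-options any|invert, and an action. Entries
// without masklength-range match the exact prefix, so this model compares strings.
type Statement struct {
	PrefixSet      []string // ip-prefix entries of the referenced prefix-set
	NeighborSet    []string // neighbor-info-list of the referenced neighbor-set
	InvertNeighbor bool     // match-set-options = "invert"
	Action         Disposition
}

type Policy struct {
	Name       string
	Statements []Statement
}

func contains(set []string, v string) bool {
	for _, s := range set {
		if s == v {
			return true
		}
	}
	return false
}

// matches applies the statement's conditions: an empty set imposes no condition,
// "invert" negates the neighbor-set test, and in an export policy the neighbor is
// the peer the route is about to be advertised to.
func (s Statement) matches(route, peer string) bool {
	if len(s.PrefixSet) > 0 && !contains(s.PrefixSet, route) {
		return false
	}
	if len(s.NeighborSet) == 0 {
		return true
	}
	hit := contains(s.NeighborSet, peer)
	if s.InvertNeighbor {
		hit = !hit
	}
	return hit
}

// Exported reports whether route is advertised to peer. Policies are evaluated in
// export-policy-list order; the first matching statement that sets a disposition
// decides, and a route no statement claims gets the default (ACCEPT on the page).
func Exported(policies []Policy, def Disposition, route, peer string) bool {
	for _, pol := range policies {
		for _, st := range pol.Statements {
			if st.Action != None && st.matches(route, peer) {
				return st.Action == Accept
			}
		}
	}
	return def == Accept
}

// ExportMatrix returns, per route, the peers it is sent to (in peers order).
func ExportMatrix(policies []Policy, def Disposition, routes, peers []string) map[string][]string {
	out := make(map[string][]string, len(routes))
	for _, r := range routes {
		sent := []string{}
		for _, p := range peers {
			if Exported(policies, def, r, p) {
				sent = append(sent, p)
			}
		}
		out[r] = sent
	}
	return out
}

// Server1Export is server1's export-policy-list from the page's configuration
// file; the CLI version (pl-test1/pl-test2) defines the same two statements.
var Server1Export = []Policy{
	{Name: "policy1", Statements: []Statement{{PrefixSet: []string{"10.208.13.20/32"},
		NeighborSet: []string{"10.10.10.57"}, InvertNeighbor: true, Action: Reject}}},
	{Name: "policy2", Statements: []Statement{{PrefixSet: []string{"10.208.13.21/32"},
		NeighborSet: []string{"10.10.10.57"}, Action: Reject}}},
}

var Routes = []string{"10.208.13.20/32", "10.208.13.21/32"} // routes added on server1
var Peers = []string{"10.10.10.57", "10.10.20.57"}          // server1's two peers

func main() {
	for route, sentTo := range ExportMatrix(Server1Export, Accept, Routes, Peers) {
		fmt.Printf("%s -> %v\n", route, sentTo)
	}
}
```

The matrix it computes is the split server2's RIB shows above (10.208.13.20/32 only via 10.10.10.57, 10.208.13.21/32 only via 10.10.20.57). Changing the default disposition to Reject, or prepending a policy with an accept-route statement, changes the matrix in the way the comments describe, which is a quick way to reason about a policy before applying it to a production peer.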

References

https://github.com/osrg/gobgp/blob/master/docs/sources/cli-command-syntax.md
https://github.com/osrg/gobgp/blob/master/docs/sources/policy.md
