Chapter 7: EIGRP
7.1. Configuring EIGRP
Problem: Configure the network to use the EIGRP routing protocol.
Solution:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#interface Ethernet0
Router1(config-if)#ip address 192.168.20.1 255.255.255.0
Router1(config-if)#exit
Router1(config)#interface Serial0.1 point-to-point
Router1(config-subif)#ip address 172.25.2.2 255.255.255.252
Router1(config-subif)#exit
Router1(config)#router eigrp 55
Router1(config-router)#network 172.25.0.0
Router1(config-router)#network 192.168.20.0
Router1(config-router)#exit
Router1(config)#end
Router1#
Discussion: Every router that runs this protocol must use the same autonomous-system (process) number after router eigrp; verify the adjacencies with show ip eigrp neighbors. The network statement also accepts a wildcard mask, for example network 192.168.20.0 0.0.0.255, which limits exactly which interfaces are enabled for EIGRP instead of the whole classful network.
7.2. Route filtering
Problem: Filter the routes that EIGRP learns or advertises.
Solution:
Inbound filtering
Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#access-list 34 deny 192.168.30.0
Router2(config)#access-list 34 permit any
Router2(config)#router eigrp 55
Router2(config-router)#distribute-list 34 in Serial0.1
Router2(config-router)#exit
Router2(config)#end
Router2#
Outbound filtering
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 57 permit 172.25.1.0
Router1(config)#access-list 57 deny any
Router1(config)#router eigrp 55
Router1(config-router)#distribute-list 57 out Serial0/0.2
Router1(config-router)#exit
Router1(config)#end
Router1#
Filtering with a prefix list, which also supports the gateway option
Router9#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router9(config)#ip prefix-list ALLOWED-PREFIXES permit 10.0.0.0/8 le 32
Router9(config)#ip prefix-list ALLOWED-PREFIXES deny 0.0.0.0/0 le 32
Router9(config)#ip prefix-list ALLOWED-NEIGHBORS permit 172.18.19.1/32
Router9(config)#ip prefix-list ALLOWED-NEIGHBORS permit 172.18.19.4/32
Router9(config)#ip prefix-list ALLOWED-NEIGHBORS deny 0.0.0.0/0 le 32
Router9(config)#router eigrp 55
Router9(config-router)#distribute-list prefix ALLOWED-PREFIXES gateway ALLOWED-NEIGHBORS in
Router9(config-router)#exit
Router9(config)#end
Router9#
Discussion: Prefer prefix lists over ACLs for route filtering. The gateway option (which matches the neighbor a route was received from, here ALLOWED-NEIGHBORS) is only available for inbound filtering, and it is best not to combine it with an interface argument on the same distribute-list. Note also that a standard ACL used in a distribute-list matches the network address only and ignores the prefix length, so access-list 34 deny 192.168.30.0 blocks 192.168.30.0 with any mask; a prefix list lets you state exactly which lengths you mean.
7.3. Redistributing routes into EIGRP
Problem: Redistribute routes learned by other means into the EIGRP process.
Solution:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#router eigrp 55
Router1(config-router)#redistribute rip
Router1(config-router)#default-metric 1000 100 250 100 1500
Router1(config-router)#exit
Router1(config)#end
Router1#
Discussion: When redistributing static (or connected) routes, or routes from another EIGRP process, the default-metric command can be omitted; for any other protocol the metric must be supplied, either with default-metric or with the metric keyword on the redistribute command, otherwise nothing is redistributed. A distribute list can also be applied to the redistribution so that only selected routes are redistributed, as in the following fragment (access-list 7 is assumed to exist):
Router1(config)#router eigrp 55
Router1(config-router)#redistribute ospf 99
Router1(config-router)#distribute-list 7 out ospf 99
7.4. Redistribution controlled by a route map
Problem: Use a route map, which gives finer-grained control, to configure redistribution.
Solution:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip route 192.168.10.0 255.255.255.0 172.22.1.4
Router1(config)#ip route 192.168.11.0 255.255.255.0 172.22.1.4
Router1(config)#ip route 192.168.12.0 255.255.255.0 172.22.1.4
Router1(config)#access-list 20 permit 192.168.10.0
Router1(config)#access-list 21 permit 192.168.11.0
Router1(config)#route-map STATIC permit 10
Router1(config-route-map)#match ip address 20
Router1(config-route-map)#set metric 56 100 255 1 1500
Router1(config-route-map)#set tag 2
Router1(config-route-map)#exit
Router1(config)#route-map STATIC permit 20
Router1(config-route-map)#match ip address 21
Router1(config-route-map)#set metric 128 200 255 1 1500
Router1(config-route-map)#exit
Router1(config)#route-map STATIC deny 30
Router1(config-route-map)#exit
Router1(config)#router eigrp 55
Router1(config-router)#redistribute static route-map STATIC
Router1(config-router)#exit
Router1(config)#end
Router1#
Discussion: This is nearly identical to the RIP configuration in recipe 6.3; the one thing to note is that, as mentioned above, the metric must be set (here with set metric in each route-map clause). The final deny 30 clause makes the implicit deny explicit, so the third static route, 192.168.12.0/24, matches neither ACL and is not redistributed.
7.5. Disabling EIGRP on a specific interface
Problem: Prevent an interface from participating in EIGRP.
Solution:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#router eigrp 55
Router1(config-router)#passive-interface Serial0/1
Router1(config-router)#exit
Router1(config)#end
Router1#
Discussion: A passive interface behaves differently here than under RIP: EIGRP stops sending hellos on the interface, so no neighbor can form on it, and as a result the interface neither sends nor receives routing information. The interface's own network is still advertised to neighbors on other interfaces.
7.6. Adjusting EIGRP metrics
Problem: Modify the metric of routes learned or advertised by EIGRP.
Solution:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 22 permit 192.168.30.0
Router1(config)#access-list 33 permit 192.168.30.0
Router1(config)#router eigrp 55
Router1(config-router)#offset-list 33 out 10000 Serial0.1
Router1(config-router)#offset-list 22 in 10000 Serial0.1
Router1(config-router)#exit
Router1(config)#end
Router1#
Discussion: An offset list adds the given value (10000 here) to the metric of the routes matching the ACL, inbound or outbound, optionally restricted to a single interface as in this example.
7.7. Adjusting timers
Problem: Tune the timers to improve convergence.
Solution:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#interface Serial0.1
Router1(config-subif)#ip hello-interval eigrp 55 3
Router1(config-subif)#ip hold-time eigrp 55 9
Router1(config-subif)#exit
Router1(config)#end
Router1#
Discussion: One EIGRP characteristic is that timers are set per interface and do not need to match across the network; each router's hello and hold timers are independent. The hold time a router advertises tells its neighbor how long to wait before declaring it down, so keep the hold time at roughly three times the hello interval, as here.
7.8. Enabling EIGRP authentication
Problem: Protect the integrity of the routing information exchanged with neighbors.
Solution:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#key chain ORA
Router1(config-keychain)#key 1
Router1(config-keychain-key)#key-string oreilly
Router1(config-keychain-key)#exit
Router1(config-keychain)#exit
Router1(config)#interface Serial0/1
Router1(config-if)#ip authentication mode eigrp 55 md5
Router1(config-if)#ip authentication key-chain eigrp 55 ORA
Router1(config-if)#exit
Router1(config)#end
Router1#
Discussion: Note that this only authenticates the routing packets (with a keyed MD5 hash); it does not encrypt them, so anyone on the link can still read the routes. The key string is stored in the configuration, and service password-encryption only obfuscates it reversibly, so protect configuration backups accordingly. Below is a way to change keys that lets the network move smoothly to the new key: the accept-lifetime of the old key overlaps the send-lifetime of the new one, so routers whose clocks differ slightly still authenticate each other during the transition. Lifetimes are evaluated against each router's own clock, so this only works if the clocks are synchronized (NTP).
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#key chain Mars
Router1(config-keychain)#key 1
Router1(config-keychain-key)#key-string rocket
Router1(config-keychain-key)#accept-lifetime 00:00:00 Jan 1 1993 00:15:00 Nov 1 2006
Router1(config-keychain-key)#send-lifetime 00:00:00 Jan 1 1993 00:00:00 Nov 1 2006
Router1(config-keychain-key)#key 2
Router1(config-keychain-key)#key-string martian
Router1(config-keychain-key)#accept-lifetime 23:45:00 Oct 31 2006 infinite
Router1(config-keychain-key)#send-lifetime 00:00:00 Nov 1 2006 infinite
Router1(config-keychain-key)#end
Router1#
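Added example (Python, not code from the original page): a model of the two-key rollover above that checks whether two routers with this key chain still authenticate each other during the changeover even when their clocks disagree. The send-key rule (lowest-numbered key whose send-lifetime is valid), the interval end times treated as exclusive, and the 15- and 20-minute skews used below are assumptions of this example, not statements from the page.

```python
# Added example (not from the original page): model the key chain "Mars" above
# and verify the rollover is safe against clock skew between two routers.
from datetime import datetime, timedelta

INFINITE = None  # "infinite" end of a lifetime


def _in_window(t, start, end):
    """Start inclusive, end exclusive (assumption for the boundary minute)."""
    return start <= t and (end is INFINITE or t < end)


class Key:
    def __init__(self, key_id, key_string, accept, send):
        self.key_id = key_id
        self.key_string = key_string
        self.accept = accept  # (start, end) accept-lifetime
        self.send = send      # (start, end) send-lifetime


# The page's chain: key 1 "rocket", key 2 "martian".
PAGE_CHAIN = [
    Key(1, "rocket",
        accept=(datetime(1993, 1, 1), datetime(2006, 11, 1, 0, 15)),
        send=(datetime(1993, 1, 1), datetime(2006, 11, 1, 0, 0))),
    Key(2, "martian",
        accept=(datetime(2006, 10, 31, 23, 45), INFINITE),
        send=(datetime(2006, 11, 1, 0, 0), INFINITE)),
]


def send_key(chain, t):
    """IOS sends with the lowest-numbered key whose send-lifetime is valid (assumed)."""
    for k in sorted(chain, key=lambda k: k.key_id):
        if _in_window(t, *k.send):
            return k
    return None


def accepted_keys(chain, t):
    """Keys (id -> string) the receiver will accept at its local time t."""
    return {k.key_id: k.key_string for k in chain if _in_window(t, *k.accept)}


def peer_accepts(sender_chain, receiver_chain, t_sender, t_receiver):
    """EIGRP MD5 packets carry the key id; the receiver needs the same id and
    string within its accept-lifetime."""
    k = send_key(sender_chain, t_sender)
    if k is None:
        return False
    return accepted_keys(receiver_chain, t_receiver).get(k.key_id) == k.key_string


def rollover_is_safe(chain, start, end, max_skew, step=timedelta(minutes=1)):
    """Walk the interval and verify two routers with identical chains whose
    clocks differ by up to max_skew either way always authenticate each other.
    Returns (ok, first_failing_time, skew)."""
    t = start
    while t <= end:
        for skew in (-max_skew, timedelta(0), max_skew):
            if not peer_accepts(chain, chain, t, t + skew):
                return False, t, skew
        t += step
    return True, None, None


def check_page_rollover(skew_minutes):
    """Is the page's rollover safe for peers whose clocks differ by skew_minutes?"""
    ok, _, _ = rollover_is_safe(PAGE_CHAIN, datetime(2006, 10, 31, 23, 0),
                                datetime(2006, 11, 1, 1, 0),
                                timedelta(minutes=skew_minutes))
    return ok


def key_sent_at(year, month, day, hour, minute):
    """Key id the page's chain sends with at the given local time, or None."""
    k = send_key(PAGE_CHAIN, datetime(year, month, day, hour, minute))
    return k.key_id if k else None


if __name__ == "__main__":
    print("15 min skew safe:", check_page_rollover(15))
    print("20 min skew safe:", check_page_rollover(20))
```

The 15-minute overlap between key 1's accept-lifetime and key 2's send-lifetime is exactly the clock-skew budget: with peers more than 15 minutes apart, one side sends key 1 while the other already refuses it. Widen the accept windows, or fix NTP, rather than shrinking the send windows.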
7.9. Configuring EIGRP route summarization
Problem: Summarize routes to shrink routing tables and improve stability.
Solution:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#interface Serial0/0.2
Router1(config-subif)#ip summary-address eigrp 55 172.25.0.0 255.255.0.0
Router1(config-subif)#exit
Router1(config)#end
Router1#
Automatic summarization at classful boundaries was on by default in older IOS releases; disable it with no auto-summary (from 15.0(1)M and 12.2(33)SRE onward it is off by default).
You can also advertise a summary while still announcing selected more-specific subnets:
Router9# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router9(config)#ip prefix-list 10.5.5/24 permit 10.5.5.0/24
Router9(config)#route-map LEAK10-5-5 permit 10
Router9(config-route-map)#match ip address prefix-list 10.5.5/24
Router9(config-route-map)#exit
Router9(config)#interface Serial0/0
Router9(config-if)#ip summary-address eigrp 55 10.5.0.0 255.255.0.0 leak-map LEAK10-5-5
Router9(config-if)#exit
Router9(config)#end
Router9#
Discussion: Summarization is another EIGRP feature that can be configured on any router's interface, unlike OSPF, where summaries can only be configured on an ABR. The summary's metric equals the metric of the best (lowest-metric) component route, and a discard route to Null0 is installed locally for the summary. The leak-map feature, introduced in 12.3(14)T, lets you advertise specific longer-prefix routes alongside the summary.
7.10. Logging neighbor state changes
Problem: Log changes in neighbor state.
Solution:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#router eigrp 55
Router1(config-router)#eigrp log-neighbor-changes
Router1(config-router)#exit
Router1(config)#end
Router1#
Discussion: Enabled by default; the syslog messages it produces are the first place to look when adjacencies flap.
7.11. Limiting the bandwidth used by EIGRP updates
Problem: Limit the percentage of interface bandwidth that EIGRP updates may consume.
Solution:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#interface Serial0.1
Router1(config-subif)#ip bandwidth-percent eigrp 55 40
Router1(config-subif)#exit
Router1(config)#end
Router1#
Discussion: The percentage may exceed 100% when the interface's bandwidth value has been set artificially low for metric purposes, because the limit (50% by default) is computed from the configured bandwidth, not from the physical link speed.
7.12. EIGRP stub routing
Problem: Advertise a smaller routing table to an edge network.
Solution:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#router eigrp 55
Router1(config-router)#eigrp stub
Router1(config-router)#exit
Router1(config)#end
Router1#
Discussion: eigrp stub with no keywords is equivalent to eigrp stub connected summary: the router advertises only its connected and summary routes, and hub routers do not send queries to it, which bounds the scope of queries and reduces the risk of stuck-in-active routes.
7.13. Route tagging
Problem: Tag specific routes so that mutual redistribution does not create routing loops.
Solution:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip route 0.0.0.0 0.0.0.0 172.25.1.1
Router1(config)#access-list 7 permit 0.0.0.0
Router1(config)#route-map TAGGING permit 10
Router1(config-route-map)#match ip address 7
Router1(config-route-map)#set tag 5
Router1(config-route-map)#exit
Router1(config)#router eigrp 55
Router1(config-router)#redistribute static route-map TAGGING
Router1(config-router)#exit
Router1(config)#end
Router1#
Discussion: The tag is carried with the EIGRP external route and can be matched (match tag) when redistributing back into the other protocol, so the route is not re-injected where it came from; the tag 5 set here is visible in the show ip eigrp topology output in recipe 7.14.
7.14. Viewing EIGRP status
Problem: Commands for viewing EIGRP status.
Solution:
Router1#show ip protocols
Router1#show ip route eigrp
Router1#show ip eigrp neighbors
Router1#show ip eigrp interfaces
Router9#show ip eigrp accounting
Router1#show ip eigrp topology
Discussion: show ip eigrp accounting was introduced in 12.3(14)T; it shows the prefix count per neighbor, which is useful for spotting a neighbor that suddenly advertises far more prefixes than expected.
Router9#show ip eigrp accounting
IP-EIGRP accounting for AS(55)/ID(172.18.5.9)
Total Prefix Count: 50 States: A-Adjacency, P-Pending, D-Down
State Address/Source Interface Prefix Restart Restart/
Count Count Reset(s)
A 172.20.10.1 Se0/0 1 0 0
A 172.18.19.1 Fa0/0 39 0 0
A 172.18.19.4 Fa0/0 1 0 0
A 172.18.19.6 Fa0/0 6 0 0
Router9#
Router1#show ip eigrp topology
IP-EIGRP Topology Table for AS(55)/ID(172.25.25.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 0.0.0.0/0, 1 successors, FD is 28160, tag is 5
via Rstatic (28160/0)
via Summary (28160/0), Null0
P 10.2.2.0/24, 1 successors, FD is 156160
via 172.22.1.4 (156160/128256), FastEthernet0/1
P 10.1.1.0/30, 1 successors, FD is 3845120
via Connected, Serial0/1
P 192.168.10.0/24, 1 successors, FD is 28160, tag is 5
via Rstatic (28160/0)
P 192.168.30.0/24, 1 successors, FD is 156160
via 172.22.1.4 (156160/128256), FastEthernet0/1
P 192.168.20.0/24, 1 successors, FD is 2195456
via 172.25.2.2 (2195456/281600), Serial0/0.2
P 172.25.25.6/32, 1 successors, FD is 156160
via 172.25.1.7 (156160/128256), FastEthernet0/0.1
P 172.25.25.1/32, 1 successors, FD is 128256
via Connected, Loopback0
P 172.25.25.2/32, 1 successors, FD is 2297856
via 172.25.2.2 (2297856/128256), Serial0/0.2
P 172.25.1.0/24, 1 successors, FD is 28160
via Connected, FastEthernet0/0.1
P 172.25.2.0/30, 1 successors, FD is 2169856
via Connected, Serial0/0.2
P 172.22.1.0/24, 1 successors, FD is 28160
via Connected, FastEthernet0/1
Router1#
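Added example (Python, not code from the original page): the FD and RD values in the topology table above can be reproduced from the classic EIGRP metric formula, which makes the default-metric and set metric tuples in recipes 7.3 and 7.4 and the offset of recipe 7.6 concrete. The interface bandwidth and delay values are the IOS defaults for those interface types; the assumption that each path consists of those default links (a T1 serial link toward Router2's Ethernet, for instance) is made here and is not stated on the page.

```python
# Added example (not from the original page): classic EIGRP composite metric
# with the default K values (K1=K3=1, K2=K4=K5=0):
#   metric = 256 * (10^7 / min_bandwidth_kbps + total_delay_usec / 10)
# with each term truncated to an integer, as IOS computes it.
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    name: str
    bandwidth_kbps: int  # "BW" in show interfaces
    delay_usec: int      # "DLY" in show interfaces, microseconds


# IOS default bandwidth/delay for the interface types in the topology table.
LOOPBACK = Link("Loopback", 8_000_000, 5_000)
FASTETHERNET = Link("FastEthernet", 100_000, 100)
ETHERNET = Link("Ethernet", 10_000, 1_000)
SERIAL_T1 = Link("Serial (T1)", 1_544, 20_000)


def eigrp_metric(path, k1=1, k2=0, k3=1, k4=0, k5=0, load=1, reliability=255):
    """Composite metric of a path (list of Links from this router toward the
    destination): bandwidth term from the slowest link, delay term from the
    sum of all link delays. Returns the 32-bit classic metric."""
    bw = 10_000_000 // min(link.bandwidth_kbps for link in path)
    dly = sum(link.delay_usec for link in path) // 10
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * dly
    if k5 != 0:
        metric = metric * k5 // (reliability + k4)
    return metric * 256


def reported_distance(neighbor_path):
    """RD: the metric the neighbor itself has to the destination."""
    return eigrp_metric(neighbor_path)


def feasible_distance(local_link, neighbor_path):
    """FD via a neighbor: the local link toward the neighbor plus its path."""
    return eigrp_metric([local_link] + list(neighbor_path))


def is_feasible_successor(rd, current_fd):
    """Feasibility condition: a neighbor is a loop-free backup only if its
    reported distance is strictly less than the current feasible distance."""
    return rd < current_fd


def apply_offset(metric, offset):
    """offset-list adds a fixed value to matching routes' metric, inbound or
    outbound, on top of the normal calculation (recipe 7.6 uses 10000)."""
    return metric + offset


if __name__ == "__main__":
    # 192.168.20.0/24 via 172.25.2.2 (2195456/281600), Serial0/0.2
    print(feasible_distance(SERIAL_T1, [ETHERNET]), reported_distance([ETHERNET]))
```

Bandwidth is the slowest link and delay is additive, which is why set metric 56 100 255 1 1500 in recipe 7.4 (56 kbps) yields a far worse metric than the default-metric in recipe 7.3 even though only the first number differs.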
Chapter 8: OSPF
8.1. Configuring OSPF
Problem: Enable OSPF in the network.
Solution:
Router5#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router5(config)#router ospf 87
Router5(config-router)#network 0.0.0.0 255.255.255.255 area 0
Router5(config-router)#exit
Router5(config)#end
Router5#
Discussion: The OSPF process ID is local to the router and, unlike the EIGRP AS number, need not match across the network. Note that network 0.0.0.0 255.255.255.255 area 0 enables OSPF on every interface, including any facing untrusted networks; pair it with passive-interface default (recipe 8.13) or use more specific network statements. Since 12.3(11)T there is an interface command that puts an interface into an OSPF area directly, with no network statement:
Router9#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router9(config)#router ospf 87
Router9(config-router)#exit
Router9(config)#interface FastEthernet0/0
Router9(config-if)#ip address 172.18.5.9 255.255.255.0
Router9(config-if)#ip ospf 87 area 10
Router9(config-if)#exit
Router9(config)#end
Router9#
8.2. Route filtering
Problem: Filter routes so that only specific OSPF routes enter the routing table.
Solution:
Inbound
Router5#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router5(config)#access-list 1 deny 172.20.10.0
Router5(config)#access-list 1 permit any
Router5(config)#router ospf 87
Router5(config-router)#distribute-list 1 in Ethernet0/0
Router5(config-router)#exit
Router5(config)#end
Router5#
Discussion: Because every router in an area must hold an identical link-state database, OSPF cannot normally filter in the outbound direction; an inbound distribute-list only keeps the route out of the local routing table, while the LSA stays in the local database and is still flooded onward. If you really must filter outbound you have to filter all LSAs toward that neighbor, which leaves the downstream router's database incomplete; this is generally not recommended.
Outbound filtering on point-to-multipoint links
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#router ospf 87
Router1(config-router)#neighbor 192.168.1.3 database-filter all out
Router1(config-router)#exit
Router1(config)#end
Router1#
Outbound filtering on broadcast and point-to-point links
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#interface Serial0/0
Router1(config-if)#encapsulation frame-relay
Router1(config-if)#exit
Router1(config)#interface Serial0/0.10 multipoint
Router1(config-subif)#ip address 192.168.1.1 255.255.255.0
Router1(config-subif)#ip ospf network broadcast
Router1(config-subif)#ip ospf database-filter all out
Router1(config-subif)#frame-relay map ip 192.168.1.3 101 broadcast
Router1(config-subif)#frame-relay map ip 192.168.1.5 109 broadcast
Router1(config-subif)#exit
Router1(config)#router ospf 1
Router1(config-router)#network 0.0.0.0 255.255.255.255 area 10
Router1(config-router)#exit
Router1(config)#end
Router1#
8.3. Adjusting the OSPF cost
Problem: Adjust the cost of an OSPF link.
Solution:
Global adjustment
Router5#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router5(config)#router ospf 87
Router5(config-router)#auto-cost reference-bandwidth 1000
Router5(config-router)#exit
Router5(config)#end
Router5#
Per-interface adjustment
Router5#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router5(config)#interface Ethernet0
Router5(config-if)#ip ospf cost 31
Router5(config-if)# exit
Router5(config)#end
Router5#
Discussion: The cost is the reference bandwidth divided by the interface bandwidth (integer, minimum 1). With the default reference of 100 Mbps, FastEthernet and everything faster all get cost 1, which is why the reference is raised to 1000 Mbps here; the reference bandwidth must be the same on every router, whereas ip ospf cost overrides the calculation on one interface only.
8.4. Advertising a default route into OSPF
Problem: Advertise a default route into the OSPF network.
Solution:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip route 0.0.0.0 0.0.0.0 172.25.1.1
Router1(config)#router ospf 55
Router1(config-router)#default-information originate metric 30 metric-type 1
Router1(config-router)#exit
Router1(config)#end
Router1#
Discussion: Redistributing the static route does not work for the default route in OSPF; default-information originate is required (add the always keyword if the router should advertise the default even when it has no default route of its own).
8.5. Redistributing static routes into OSPF
Problem: Advertise one or more static routes into OSPF.
Solution:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip route 192.168.10.0 255.255.255.0 172.22.1.4
Router1(config)#ip route 172.24.1.0 255.255.255.0 172.22.1.4
Router1(config)#ip route 10.100.1.0 255.255.255.0 172.22.1.4
Router1(config)#router ospf 55
Router1(config-router)#redistribute static
% Only classful networks will be redistributed
Router1(config-router)#exit
Router1(config)#end
Router1#
Discussion: As the warning in the output shows, by default OSPF only redistributes classful networks, so of the three static routes only 192.168.10.0/24, a classful class C network, is advertised; the other two are subnets of their classful networks and are silently dropped. Use redistribute static subnets to redistribute subnets; metric and other options can be added as well.
8.6. Redistributing external routes into OSPF
Problem: Redistribute routes from another routing protocol into OSPF.
Solution:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#router ospf 55
Router1(config-router)#redistribute eigrp 11 subnets
Router1(config-router)#exit
Router1(config)#end
Router1#
Since 12.3(2)T the following command limits the number of prefixes accepted through redistribution:
Router1(config-router)#redistribute maximum-prefix 1000 80
Discussion: Again note the subnets keyword. In the maximum-prefix command, 1000 is the maximum number of redistributed prefixes and 80 is the percentage of that limit at which a warning is logged. This is a worthwhile safeguard against a misconfigured or compromised neighbor dumping a full table into OSPF.
8.7. DR election
Problem: Control the DR election manually.
Solution:
Router5#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router5(config)#interface Ethernet0
Router5(config-if)#ip ospf priority 10
Router5(config-if)#exit
Router5(config)#end
Router5#
Discussion: The two most important cases for controlling DR election are MOSPF and NBMA networks. In a MOSPF network the MOSPF DR is the same as the normal OSPF DR, and if the DR is not a MOSPF router no multicast routes can be forwarded; Cisco routers do not support MOSPF, so in that situation they must be configured with ip ospf priority 0 so they can never become DR or BDR. On NBMA networks the DR must be the hub router. Another important point is that DR election is not preemptive: once a DR exists, a newly added router with a higher priority does not become DR; it must wait until the current DR fails and a new election takes place.
8.8. Setting the OSPF router ID
Problem: Set the router ID manually.
Solution:
Using a loopback address
Router5#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router5(config)#interface Loopback0
Router5(config-if)#ip address 172.25.25.6 255.255.255.255
Router5(config-if)#exit
Router5(config)#end
Router5#
Using the router-id command
Router5#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router5(config)#router ospf 87
Router5(config-router)#router-id 172.25.1.7
Router5(config-router)#exit
Router5(config)#end
Router5#
Discussion: By default the router ID is the highest IP address on a loopback interface or, if there is no loopback, the highest IP address on an active interface. The address given to router-id is arbitrary and does not need to exist on the router. Once the router ID has been chosen it does not change even if the addresses change; it is only re-evaluated after clear ip ospf process or a reload.
8.9. Enabling OSPF authentication
Problem: Authenticate neighbor adjacencies to protect the routing infrastructure.
Solution:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#interface Serial0/1
Router1(config-if)#ip ospf message-digest-key 1 md5 oreilly
Router1(config-if)#exit
Router1(config)#router ospf 55
Router1(config-router)#area 2 authentication message-digest
Router1(config-router)#exit
Router1(config)#end
Router1#
Discussion: OSPF cryptographic (MD5) authentication is specified in RFC 2328 Appendix D, but vendors differ in details such as key rollover, so test it before relying on it between different vendors' routers. As with EIGRP, it authenticates packets but does not encrypt them; still, prefer it over simple authentication, which sends the password in clear text. To change passwords, configure both the old and the new key (with different key IDs) on the interface: the router sends a copy of each packet authenticated with every configured key until the old key is removed, so neighbors can be updated one at a time without losing adjacency.
8.10. Choosing the right area type
Problem: Different area types hold different link-state databases; choose the area type to save router resources and converge faster.
Solution:
Stub area
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#router ospf 55
Router1(config-router)#area 100 stub
Router1(config-router)#exit
Router1(config)#end
Router1#
Totally stubby area
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#router ospf 55
Router1(config-router)#area 100 stub no-summary
Router1(config-router)#exit
Router1(config)#end
Router1#
Not-so-stubby area (NSSA), also originating a default route into it
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#router ospf 55
Router1(config-router)#area 100 nssa default-information-originate
Router1(config-router)#exit
Router1(config)#end
Router1#
Totally stubby NSSA
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#router ospf 55
Router1(config-router)#area 100 nssa no-summary
Router1(config-router)#exit
Router1(config)#end
Router1#
Discussion: These are all ABR configurations. The other routers in the area only need the stub or nssa keyword; whether the area is totally stubby (no-summary) is decided on the ABR alone. Every router in the area must agree on stub versus NSSA, or adjacencies will not form.
8.11. Configuring OSPF on a dial-on-demand interface
Problem: Run OSPF over a dial-up interface without OSPF protocol traffic keeping the link up permanently.
Solution:
In this example Router4 can only dial Router1.
Router4#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router4(config)#username Router1 password 0 cisco
Router4(config)#interface BRI0
Router4(config-if)#ip address 192.168.15.4 255.255.255.0
Router4(config-if)#encapsulation ppp
Router4(config-if)#ip ospf demand-circuit
Router4(config-if)#dialer map ip 192.168.15.1 broadcast 4165550000
Router4(config-if)#dialer-group 1
Router4(config-if)#isdn switch-type basic-ni
Router4(config-if)#isdn spid1 416555001000 4165550010
Router4(config-if)#isdn spid2 416555001100 4165550011
Router4(config-if)#ppp authentication chap
Router4(config-if)#ppp multilink
Router4(config-if)#exit
Router4(config)#dialer-list 1 protocol ip permit
Router4(config)#router ospf 87
Router4(config-router)#network 192.168.15.0 0.0.0.255 area 10
Router4(config-router)#exit
Router4(config)#end
Router4#
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#username Router4 password 0 cisco
Router1(config)#interface BRI0/0
Router1(config-if)#ip address 192.168.15.1 255.255.255.0
Router1(config-if)#encapsulation ppp
Router1(config-if)#dialer-group 1
Router1(config-if)#isdn switch-type basic-ni
Router1(config-if)#isdn spid1 416555000000 4165550000
Router1(config-if)#isdn spid2 416555000100 4165550001
Router1(config-if)#ppp authentication chap
Router1(config-if)#ppp multilink
Router1(config-if)#exit
Router1(config)#dialer-list 1 protocol ip permit
Router1(config)#router ospf 87
Router1(config-router)#network 192.168.15.0 0.0.0.255 area 10
Router1(config-router)#exit
Router1(config)#end
Router1#
Discussion: With ip ospf demand-circuit the adjacency stays FULL whether or not the link is up: hellos are suppressed and LSAs are flooded with the DoNotAge bit set, so only real topology changes bring the line up. The command is needed on only one end of the link (Router4 here).
8.12. Route summarization
Problem: Reduce the size of the routing table.
Solution:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#router ospf 55
Router1(config-router)#area 100 range 172.20.0.0 255.255.0.0
Router1(config-router)#area 0 range 172.25.0.0 255.255.0.0
Router1(config-router)#area 2 range 10.0.0.0 255.0.0.0
Router1(config-router)#exit
Router1(config)#end
Router1#
Discussion: OSPF inter-area summarization can only be configured on an ABR. By default the summary's cost equals the smallest cost among the component routes, so the summary's stability depends on the lowest-cost component; that is the RFC 1583 definition. The newer RFC 2328 uses the largest component cost instead. All routers must use the same method: Cisco defaults to RFC 1583 behaviour, which no compatible rfc1583 turns off. When summarization is enabled the ABR automatically installs a discard route (Null0) for the summary (since 12.1(6)) to prevent routing loops.
8.13. Disabling OSPF on a specific interface
Problem: Prevent an interface from participating in OSPF.
Solution:
Router3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router3(config)#router ospf 44
Router3(config-router)#network 0.0.0.0 255.255.255.255 area 100
Router3(config-router)#passive-interface Ethernet0
Router3(config-router)#exit
Router3(config)#end
Router3#
Discussion: As with EIGRP, a passive interface forms no adjacency and so does not participate in OSPF, although its network is still advertised. You can also simply leave the interface out of the network statements. A better pattern, shown below, is to cover all interfaces with the network statement, make every interface passive by default, and then un-passive only the interfaces that need to run OSPF; this fails safe when new interfaces are added:
Router3(config)#router ospf 44
Router3(config-router)#network 0.0.0.0 255.255.255.255 area 100
Router3(config-router)#passive-interface default
Router3(config-router)#no passive-interface Ethernet0
Router3(config-router)#exit
Router3(config)#end
Router3#
8.14. Changing an interface's network type
Problem: Change the default OSPF network type of an interface.
Solution:
Router9#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router9(config)#interface FastEthernet0/0
Router9(config-if)#ip ospf network ?
broadcast Specify OSPF broadcast multi-access network
non-broadcast Specify OSPF NBMA network
point-to-multipoint Specify OSPF point-to-multipoint network
point-to-point Specify OSPF point-to-point network
Router9(config-if)#
Discussion: The four keywords above define whether the medium supports broadcast or multicast packets and whether a DR is elected. A broadcast network supports multicast; the DR is elected automatically and needs no configuration. A non-broadcast network does not support multicast, so neighbors must be configured manually with the neighbor command. A point-to-multipoint network needs neither a DR election nor neighbor statements, but note that the Frame Relay maps must then allow broadcast:
Router9(config)#interface Serial0/0
Router9(config-if)#ip address 192.168.10.9 255.255.255.0
Router9(config-if)#encapsulation frame-relay
Router9(config-if)#frame-relay map ip 192.168.10.2 123 broadcast
Router9(config-if)#ip ospf network point-to-multipoint
Router9(config-if)#exit
Router9(config)#router ospf 1
Router9(config-router)#network 192.168.10.0 0.0.0.255 area 0
Router9(config-router)#exit
Otherwise the neighbors must be configured manually:
Router9(config)#interface Serial0/0
Router9(config-if)#ip address 192.168.10.9 255.255.255.0
Router9(config-if)#encapsulation frame-relay
Router9(config-if)#frame-relay map ip 192.168.10.2 123
Router9(config-if)#ip ospf network point-to-multipoint non-broadcast
Router9(config-if)#exit
Router9(config)#router ospf 1
Router9(config-router)#network 192.168.10.0 0.0.0.255 area 0
Router9(config-router)#neighbor 192.168.10.2
Router9(config-router)#exit
The last type, point-to-point, needs no DR, but the link must support multicast for the adjacency to form; otherwise configure neighbor statements.
Loopback interfaces are a special case: by default OSPF advertises a loopback as a /32 host route, but configuring ip ospf network point-to-point on the loopback forces it to advertise the interface's real mask.
8.15. Route tagging
Problem: Tag specific routes to avoid routing loops under mutual redistribution.
Solution:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#router ospf 55
Router1(config-router)#redistribute eigrp 11 metric-type 1 subnets tag 67
Router1(config-router)#exit
Router1(config)#end
Router1#
Discussion: The tag travels in the external LSA; on the router that redistributes OSPF back into EIGRP, a route map with match tag 67 can deny these routes so they are not sent back to their source.
8.16. Logging OSPF neighbor state changes
Problem: Log OSPF neighbor state transitions.
Solution:
Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#router ospf 12
Router2(config-router)#log-adjacency-changes
Router2(config-router)#exit
Router2(config)#end
Router2#
Discussion: Since 12.1 the command accepts a detail keyword, which logs every state transition rather than only the changes to and from FULL.
8.17. OSPF timers
Problem: Tune the timers for faster convergence.
Solution:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#interface Serial0/1
Router1(config-if)#ip ospf hello-interval 5
Router1(config-if)#ip ospf dead-interval 20
Router1(config-if)#exit
Router1(config)#end
Router1#
Discussion: The device on the other end of the link must use identical hello and dead intervals, otherwise the adjacency will not form, because the values are carried in hellos and checked. Changing the hello interval on IOS automatically resets the dead interval to four times the hello, so set the hello interval first, as above.
8.18. Reducing OSPF protocol traffic
Problem: Avoid unnecessary LSA refresh traffic in a stable network.
Solution:
Router9#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router9(config)#interface Serial0/0
Router9(config-if)#ip address 192.168.10.9 255.255.255.0
Router9(config-if)#ip ospf flood-reduction
Router9(config-if)#exit
Router9(config)#end
Router9#
Discussion: Normally every LSA is re-flooded when it reaches its refresh time, every 30 minutes (LSRefreshTime in RFC 2328). In a stable network this is unnecessary, so flood reduction sets the DoNotAge bit on the LSAs sent over the interface, which suppresses the periodic refreshes.
8.19. OSPF virtual links
Problem: Connect two routers that are not directly attached, typically to join an area that has no physical link to area 0, using a virtual link.
Solution:
Router9#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router9(config)#router ospf 1
Router9(config-router)#area 10 virtual-link 10.54.0.1
Router9(config-router)#exit
Router9(config)#end
Router9#
Discussion: Verify with show ip ospf virtual-links. Both routers must be configured; the address given is the other router's router ID (it does not need to be a reachable IP address, since the virtual link is established through the transit area's link-state database), and the area number is the transit area the link crosses, which cannot be a stub area.
8.20. Showing OSPF status with names
Problem: Display device names instead of addresses in OSPF show commands.
Solution:
Router3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router3(config)#ip ospf name-lookup
Router3(config)#end
Router3#
Discussion: None.
8.21. Troubleshooting OSPF
Problem: Troubleshoot OSPF.
Solution:
Router3#debug ip ospf adj
OSPF adjacency events debugging is on
Router3#
Discussion: There are many OSPF debug commands; only the adjacency debug is shown here, because adjacencies are the foundation of OSPF: if neighbors do not reach FULL nothing else works. Remember to turn debugging off afterwards (undebug all).
Chapter 9: BGP
9.1. Configuring BGP
Problem: Enable BGP in the network.
Solution:
Router1 is in AS 65500
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#interface Serial0
Router1(config-if)#ip address 192.168.55.6 255.255.255.252
Router1(config-if)#exit
Router1(config)#router bgp 65500
Router1(config-router)#network 192.168.1.0
Router1(config-router)#neighbor 192.168.55.5 remote-as 65501
Router1(config-router)#no synchronization
Router1(config-router)#exit
Router1(config)#end
Router1#
Router2 is in AS 65501
Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#interface Serial0
Router2(config-if)#ip address 192.168.55.5 255.255.255.252
Router2(config-if)#exit
Router2(config)#router bgp 65501
Router2(config-router)#network 172.25.17.0 mask 255.255.255.0
Router2(config-router)#neighbor 192.168.55.6 remote-as 65500
Router2(config-router)#no synchronization
Router2(config-router)#exit
Router2(config)#end
Router2#
Discussion: The most useful command for verifying BGP is
Router1#show ip bgp summary
BGP router identifier 192.168.99.5, local AS number 65500
BGP table version is 7, main routing table version 7
4 network entries and 4 paths using 484 bytes of memory
2 BGP path attribute entries using 196 bytes of memory
BGP activity 11/7 prefixes, 11/7 paths
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
192.168.55.5 4 65501 17 18 7 0 0 00:12:38 2
172.25.2.2 4 65531 527 526 0 0 0 21:05:23 Active
Router1#
Ideally the State/PfxRcd column shows a number, the count of prefixes received. Active does not mean the session is fine; on the contrary, it means the router is still trying to connect and usually points to a configuration error or an unreachable peer. The command neighbor 172.20.1.2 update-source Loopback0 makes the router source its BGP packets from the loopback address, which keeps an iBGP session up as long as any path to the peer exists; make sure the peer can reach that address and is configured to peer with it.
9.2. Using eBGP multihop
Problem: Configure an eBGP session with a router that is not directly connected.
Solution:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip route 172.20.1.2 255.255.255.255 192.168.1.5 2
Router1(config)#router bgp 65500
Router1(config-router)#neighbor 172.20.1.2 remote-as 65530
Router1(config-router)#neighbor 172.20.1.2 update-source Loopback0
Router1(config-router)#neighbor 172.20.1.2 ebgp-multihop 3
Router1(config-router)#exit
Router1(config)#end
Router1#
Discussion: By default eBGP peers must be directly connected, because the packets are sent with an IP TTL of 1; for any other peer ebgp-multihop is required. One school of thought says the hop count should be kept as small as possible. RFC 3682 (GTSM, now RFC 5082) takes the opposite approach for security: send with TTL 255 and discard anything that arrives with a TTL lower than 255 minus the expected hop count, since a remote attacker cannot make a packet arrive with a higher TTL than a legitimate peer's. Cisco adopted this in 12.3(7)T as neighbor 192.168.55.5 ttl-security hops 1, which drops BGP packets whose TTL is below 255-1=254. ttl-security and ebgp-multihop cannot both be configured for the same neighbor, and if the peer does not support the feature it must be configured with neighbor 192.168.55.6 ebgp-multihop 255 so that its packets leave with TTL 255.
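Added example (Python, not code from the original page): the TTL arithmetic behind ttl-security and ebgp-multihop, checked against the interop situations the discussion above describes and against a spoofed packet from several hops away. The topologies (numbers of intermediate routers) are constructed scenarios, and the rule that only forwarding routers, not the final receiver, decrement TTL is assumed here.

```python
# Added example (not from the original page): GTSM (RFC 3682 / RFC 5082) as
# implemented by "neighbor ... ttl-security hops N", beside plain ebgp-multihop.
MAX_TTL = 255


def sent_ttl(ebgp_multihop=None, ttl_security=False):
    """TTL a router puts on BGP packets to an eBGP neighbor: 1 by default,
    N with ebgp-multihop N, always 255 with ttl-security."""
    if ttl_security:
        return MAX_TTL
    if ebgp_multihop is not None:
        return ebgp_multihop
    return 1


def arriving_ttl(initial_ttl, intermediate_routers):
    """Each forwarding router decrements TTL by one; the final receiver does
    not (assumption). Returns None if the packet expires in transit."""
    ttl = initial_ttl - intermediate_routers
    return ttl if ttl >= 1 else None


def receiver_accepts(ttl, ttl_security_hops=None):
    """Without ttl-security any packet that got here is accepted.
    With ttl-security hops N the TTL must be at least 255 - N."""
    if ttl is None:
        return False
    if ttl_security_hops is None:
        return True
    return ttl >= MAX_TTL - ttl_security_hops


def session_works(peer_multihop=None, peer_ttl_security=False,
                  intermediate_routers=0, local_ttl_security_hops=None):
    """Does a packet from the peer, sent with the peer's settings, pass the
    local router's TTL check after crossing intermediate_routers routers?"""
    ttl = arriving_ttl(sent_ttl(peer_multihop, peer_ttl_security),
                       intermediate_routers)
    return receiver_accepts(ttl, local_ttl_security_hops)


if __name__ == "__main__":
    # Spoofed packet from three routers away, sent with TTL 255.
    print("multihop-only accepts spoof:",
          session_works(peer_multihop=255, intermediate_routers=3))
    print("ttl-security hops 1 accepts spoof:",
          session_works(peer_multihop=255, intermediate_routers=3,
                        local_ttl_security_hops=1))
```

A receiver with only ebgp-multihop accepts the spoofed packet, since any TTL that reaches it is fine; with ttl-security hops 1 the same packet arrives with TTL 252, below the 254 floor, and is dropped before BGP ever parses it.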
9.3. Adjusting the next-hop attribute
Problem: Rewrite the next-hop attribute on routes advertised to iBGP peers so that it points to an address inside the AS.
Solution:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#router bgp 65500
Router1(config-router)#neighbor 192.168.1.6 remote-as 65500
Router1(config-router)#neighbor 192.168.1.6 next-hop-self
Router1(config-router)#exit
Router1(config)#end
Router1#
Discussion: Normally the next-hop attribute is left unchanged between iBGP peers and is only rewritten over eBGP sessions, so it points to the eBGP neighbor's address, and routers inside the AS often have no route to that address; next-hop-self substitutes the local peering address instead.
9.4. Connecting to two ISPs
Problem: One router connected to two ISPs for redundancy.
Solution:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#interface Serial0
Router1(config-if)#description connection to ISP #1, ASN 65510
Router1(config-if)#ip address 192.168.1.6 255.255.255.252
Router1(config-if)#exit
Router1(config)#interface Serial1
Router1(config-if)#description connection to ISP #2, ASN 65520
Router1(config-if)#ip address 192.168.2.6 255.255.255.252
Router1(config-if)#exit
Router1(config)#interface Ethernet0
Router1(config-if)#description connection to internal network, ASN 65500
Router1(config-if)#ip address 172.18.5.2 255.255.255.0
Router1(config-if)#exit
Router1(config)#router bgp 65500
Router1(config-router)#network 172.18.5.0 mask 255.255.255.0
Router1(config-router)#neighbor 192.168.1.5 remote-as 65510
Router1(config-router)#neighbor 192.168.2.5 remote-as 65520
Router1(config-router)#no synchronization
Router1(config-router)#exit
Router1(config)#end
Router1#
Discussion: This is not the best configuration: without outbound filtering the internal AS may become a transit AS between the two ISPs, and the router accepts full tables from both, which can exhaust its memory. Recipe 9.5 adds the AS-path filter that prevents transit.
9.5. Two routers, each connected to a different ISP
Problem: The internal AS has two routers, each connected to one ISP, for redundancy.
Solution:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#interface Serial0
Router1(config-if)#description connection to ISP #1, ASN 65510
Router1(config-if)#ip address 192.168.1.6 255.255.255.252
Router1(config-if)#exit
Router1(config)#interface Ethernet0
Router1(config-if)#description connection to internal network, ASN 65500
Router1(config-if)#ip address 172.18.5.2 255.255.255.0
Router1(config-if)#exit
Router1(config)#ip as-path access-list 15 permit ^$
Router1(config)#router bgp 65500
Router1(config-router)#network 172.18.5.0 mask 255.255.255.0
Router1(config-router)#neighbor 172.18.5.3 remote-as 65500
Router1(config-router)#neighbor 172.18.5.3 next-hop-self
Router1(config-router)#neighbor 192.168.1.5 remote-as 65510
Router1(config-router)#neighbor 192.168.1.5 filter-list 15 out
Router1(config-router)#no synchronization
Router1(config-router)#exit
Router1(config)#end
Router1#
Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#interface Serial1
Router2(config-if)#description connection to ISP #2, ASN 65520
Router2(config-if)#ip address 192.168.2.6 255.255.255.252
Router2(config-if)#exit
Router2(config)#interface Ethernet0
Router2(config-if)#description connection to internal network, ASN 65500
Router2(config-if)#ip address 172.18.5.3 255.255.255.0
Router2(config-if)#exit
Router2(config)#ip as-path access-list 15 permit ^$
Router2(config)#router bgp 65500
Router2(config-router)#network 172.18.5.0 mask 255.255.255.0
Router2(config-router)#neighbor 192.168.2.5 remote-as 65520
Router2(config-router)#neighbor 192.168.2.5 filter-list 15 out
Router2(config-router)#neighbor 172.18.5.2 remote-as 65500
Router2(config-router)#neighbor 172.18.5.2 next-hop-self
Router2(config-router)#no synchronization
Router2(config-router)#exit
Router2(config)#end
Router2#
Discussion: The filter-list built on ip as-path access-list 15 permit ^$ matches only routes with an empty AS path, that is, routes originated in AS 65500, so neither router re-advertises one ISP's routes to the other. next-hop-self on the iBGP session makes the ISP-learned routes usable by the other internal router.
9.6. Restricting which networks are exchanged with a BGP peer
Problem: Restrict the routes exchanged with the peer AS.
Solution:
There are three methods. The first uses an extended ACL in a route map:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 105 deny ip host 172.25.0.0 host 255.255.0.0
Router1(config)#access-list 105 permit ip any any
Router1(config)#route-map ACL-RT-FILTER permit 10
Router1(config-route-map)#match ip address 105
Router1(config-route-map)#exit
Router1(config)#route-map ACL-RT-FILTER deny 20
Router1(config-route-map)#exit
Router1(config)#router bgp 65500
Router1(config-router)#neighbor 192.168.1.5 remote-as 65510
Router1(config-router)#neighbor 192.168.1.5 route-map ACL-RT-FILTER in
Router1(config-router)#exit
Router1(config)#end
Router1#
The second uses a distribute-list:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 106 deny ip host 172.25.0.0 host 255.255.0.0
Router1(config)#access-list 106 permit ip any any
Router1(config)#router bgp 65500
Router1(config-router)#neighbor 192.168.1.5 remote-as 65510
Router1(config-router)#neighbor 192.168.1.5 distribute-list 106 in
Router1(config-router)#exit
Router1(config)#end
Router1#
The third, and most common, uses a prefix list:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip prefix-list PREFIX-FILTER seq 10 deny 172.25.0.0/16
Router1(config)#ip prefix-list PREFIX-FILTER seq 20 permit 0.0.0.0/0 le 32
Router1(config)#router bgp 65500
Router1(config-router)#neighbor 192.168.1.5 remote-as 65510
Router1(config-router)#neighbor 192.168.1.5 prefix-list PREFIX-FILTER in
Router1(config-router)#exit
Router1(config)#end
Router1#
Discussion: The extended ACLs in the first two methods are used in an unusual way: the first host argument is the network and the second is the subnet mask, rather than source and destination addresses, so host 172.25.0.0 host 255.255.0.0 matches the route 172.25.0.0/16 exactly; an ordinary ACL cannot match on prefix length and so cannot control classless routes. That is why the third method, the prefix list, is recommended: entries carry sequence numbers, so you can modify them or insert new ones later; ge and le set a lower bound (greater-than-or-equal) and an upper bound (less-than-or-equal) on the prefix length, and permit 0.0.0.0/0 le 32 is effectively permit any. Note that deny 172.25.0.0/16 without le matches only that exact prefix, not its subnets; write deny 172.25.0.0/16 le 32 to block those as well. The examples apply the filters inbound (in); use out on the same commands to restrict what is advertised to the peer.
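Added example (Python, not code from the original page): an implementation of the prefix-list matching rules, applied to the two lists that appear on this page, ALLOWED-PREFIXES from recipe 7.2 and PREFIX-FILTER from the third method above. The routes used in the tests are constructed, and the automatic sequence numbering in steps of 5 for entries without seq is assumed to mirror IOS.

```python
# Added example (not from the original page): Cisco ip prefix-list semantics.
# Entries are evaluated in sequence order; an entry matches a route when the
# route lies inside the entry's prefix and the route's length satisfies ge/le
# (default: exactly the entry's length). First match wins; no match = deny.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str  # "permit" or "deny"
    prefix: ipaddress.IPv4Network
    ge: Optional[int] = None
    le: Optional[int] = None


def parse_prefix_list(lines):
    """Parse 'ip prefix-list NAME [seq N] permit|deny A.B.C.D/L [ge X] [le Y]'
    lines. Missing sequence numbers are assigned in steps of 5 (assumed)."""
    entries, next_seq = [], 5
    for line in lines:
        tok = line.split()
        if tok[:2] != ["ip", "prefix-list"]:
            raise ValueError(line)
        i = 3
        if tok[i] == "seq":
            seq, i = int(tok[i + 1]), i + 2
        else:
            seq = next_seq
        action = tok[i]
        net = ipaddress.ip_network(tok[i + 1], strict=False)
        ge = le = None
        rest = tok[i + 2:]
        while rest:
            key, val, rest = rest[0], int(rest[1]), rest[2:]
            if key == "ge":
                ge = val
            elif key == "le":
                le = val
            else:
                raise ValueError(line)
        entries.append(Entry(seq, action, net, ge, le))
        next_seq = seq + 5
    return sorted(entries, key=lambda e: e.seq)


def matches(entry, route):
    """Route must be inside entry.prefix; then apply the length bounds:
    no ge/le -> exact length; only ge -> [ge, 32]; only le -> [len, le]."""
    if not route.subnet_of(entry.prefix):
        return False
    lo = entry.ge if entry.ge is not None else entry.prefix.prefixlen
    if entry.le is not None:
        hi = entry.le
    elif entry.ge is not None:
        hi = 32
    else:
        hi = entry.prefix.prefixlen
    return lo <= route.prefixlen <= hi


def evaluate(entries, route):
    """(action, seq) of the first matching entry, or ('deny', None)."""
    for e in entries:
        if matches(e, route):
            return e.action, e.seq
    return "deny", None


def permitted(entries, route_str):
    route = ipaddress.ip_network(route_str, strict=False)
    return evaluate(entries, route)[0] == "permit"


# The two prefix lists from this page.
ALLOWED_PREFIXES = parse_prefix_list([
    "ip prefix-list ALLOWED-PREFIXES permit 10.0.0.0/8 le 32",
    "ip prefix-list ALLOWED-PREFIXES deny 0.0.0.0/0 le 32",
])
PREFIX_FILTER = parse_prefix_list([
    "ip prefix-list PREFIX-FILTER seq 10 deny 172.25.0.0/16",
    "ip prefix-list PREFIX-FILTER seq 20 permit 0.0.0.0/0 le 32",
])

if __name__ == "__main__":
    for r in ("172.25.0.0/16", "172.25.1.0/24"):
        print(r, evaluate(PREFIX_FILTER, ipaddress.ip_network(r)))
```

Running it shows the caveat from the discussion: 172.25.0.0/16 hits the deny at seq 10, but 172.25.1.0/24 falls through to seq 20 and is permitted, because a deny without le matches only the exact length.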
9.7. Adjusting the local preference attribute
Problem: Adjust the local preference attribute to influence path selection.
Solution:
Globally
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#router bgp 65500
Router1(config-router)#bgp default local-preference 200
Router1(config-router)#exit
Router1(config)#end
Router1#
With a route map
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip prefix-list LOW_LP_PREFIXES seq 10 permit 172.22.0.0/16
Router1(config)#route-map LOCALPREF permit 10
Router1(config-route-map)#match ip address prefix-list LOW_LP_PREFIXES
Router1(config-route-map)#set local-preference 50
Router1(config-route-map)#exit
Router1(config)#route-map LOCALPREF permit 20
Router1(config-route-map)#exit
Router1(config)#router bgp 65500
Router1(config-router)#neighbor 192.168.1.5 remote-as 65510
Router1(config-router)#neighbor 192.168.1.5 route-map LOCALPREF in
Router1(config-router)#exit
Router1(config)#end
Router1#
Note: The local preference attribute is only significant within the AS and ranks above AS Path in path selection. A higher value is preferred; the default is 100. The show ip bgp command shows the local preference of each route.
9.8. Load balancing
Question: Load-balance traffic across multiple links between BGP neighbors
Answer
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#router bgp 65500
Router1(config-router)#maximum-paths 4
Router1(config-router)#exit
Router1(config)#end
Router1#
Note: Normally BGP path selection leaves only one path; this command raises the limit to 4, provided all attributes are identical, including MED. Note also that this load balancing applies only to outbound traffic, not to inbound traffic.
9.9. Removing private ASNs from the AS Path attribute
Question: Prevent private ASNs used in the internal network from propagating to the Internet
Answer
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#interface Serial0
Router1(config-if)#description connection to ISP #1, ASN 1
Router1(config-if)#ip address 192.168.1.6 255.255.255.252
Router1(config-if)#exit
Router1(config)#interface Serial1
Router1(config-if)#description connection to private network, ASN 65500
Router1(config-if)#ip address 192.168.5.1 255.255.255.252
Router1(config-if)#exit
Router1(config)#router bgp 2
Router1(config-router)#neighbor 192.168.5.2 remote-as 65500
Router1(config-router)#neighbor 192.168.1.5 remote-as 1
Router1(config-router)#neighbor 192.168.1.5 remove-private-AS
Router1(config-router)#no synchronization
Router1(config-router)#exit
Router1(config)#end
Router1#
Note: Note that this command cannot remove private ASNs that sit between public ASNs in the path.
9.10. Filtering routes by the AS Path attribute
Question: Filter received or advertised routes based on their AS Path attribute
Answer
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip as-path access-list 15 permit ^65501$
Router1(config)#ip as-path access-list 25 permit _65530_
Router1(config)#ip as-path access-list 25 deny _65531$
Router1(config)#ip as-path access-list 25 permit .*
Router1(config)#router bgp 65500
Router1(config-router)#neighbor 192.168.1.5 remote-as 65510
Router1(config-router)#neighbor 192.168.1.5 filter-list 15 in
Router1(config-router)#neighbor 192.168.2.5 remote-as 65520
Router1(config-router)#neighbor 192.168.2.5 filter-list 25 out
Router1(config-router)#exit
Router1(config)#end
Router1#
Note: Filtering is done with regular expressions matched against the AS path. In Cisco's syntax ^ and $ anchor the beginning and end of the path, _ matches a boundary between ASNs (including the start or end of the path), and .* matches any path.
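As an added example (not from the book), this Python evaluates as-path access-lists 15 and 25 above, plus the ^$ list used in recipe 9.13, against sample AS paths; the translation of Cisco's _ boundary into a Python regular expression is my own.

```python
import re

# Added example (not from the book): evaluating "ip as-path access-list"
# entries against an AS_PATH, as the filter-lists above do. Cisco regexes use
# the usual ^ $ . * and a special "_", which matches a boundary: the start or
# end of the path, a space between ASNs, or the , { } ( ) around an AS_SET.
# Entries are tried in configured order, the first match wins, and a list
# with no matching entry denies the route.

def to_python_regex(cisco_pattern):
    """Translate the Cisco "_" boundary into an equivalent Python regex."""
    return cisco_pattern.replace("_", r"(?:^|$|[ ,{}()])")

def as_path_action(as_path_list, as_path):
    """as_path_list: [(action, cisco_regex), ...]; as_path: ASNs separated by
    single spaces, as "show ip bgp" prints them, or '' for a local route."""
    for action, pattern in as_path_list:
        if re.search(to_python_regex(pattern), as_path):
            return action
    return "deny"   # implicit deny at the end of every as-path access-list

# The lists configured on this page.
AS_PATH_LIST_15 = [("permit", "^65501$")]        # only routes originated in 65501
AS_PATH_LIST_25 = [("permit", "_65530_"),        # anything that passed through 65530
                   ("deny", "_65531$"),          # otherwise nothing originated by 65531
                   ("permit", ".*")]             # and everything else
AS_PATH_LIST_LOCAL = [("permit", "^$")]          # empty path: our own routes (recipe 9.13)

if __name__ == "__main__":
    # Constructed sample paths; note that "65510 65530 65531" is permitted by
    # list 25 because its first entry matches before the deny is reached.
    for path in ("65501", "65510 65501", "65510 65530 65531", "65510 65531", ""):
        print(repr(path), as_path_action(AS_PATH_LIST_15, path),
              as_path_action(AS_PATH_LIST_25, path), as_path_action(AS_PATH_LIST_LOCAL, path))
```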
9.11. Reducing the size of the received routing table
Question: Reduce the size of the received routing table by summarizing the routes received
Answer
Filter out the excess external routes by relying on a default route:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip route 0.0.0.0 0.0.0.0 192.168.101.0 1
Router1(config)#ip route 0.0.0.0 0.0.0.0 192.168.102.0 2
Router1(config)#ip prefix-list CREATE-DEFAULT seq 10 permit 192.168.101.0/24
Router1(config)#ip prefix-list CREATE-DEFAULT seq 20 permit 192.168.102.0/24
Router1(config)#router bgp 65500
Router1(config-router)#neighbor 192.168.1.5 remote-as 65520
Router1(config-router)#neighbor 192.168.1.5 prefix-list CREATE-DEFAULT in
Router1(config-router)#exit
Router1(config)#end
Router1#
Note
9.12. Summarizing outbound route information
Question: Summarize routes before sending the routing table to downstream routers
Answer
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#router bgp 65500
Router1(config-router)#neighbor 192.168.1.5 remote-as 65520
Router1(config-router)#auto-summary
Router1(config-router)#exit
Router1(config)#end
Router1#
Note: This is the default behaviour, but it is classful summarization and applies only to redistributed routes, not to routes configured with the network command. Cisco uses the following command to summarize outbound routes:
Router3(config)#router bgp 65530
Router3(config-router)#aggregate-address 172.20.0.0 255.252.0.0 summary-only
The summary-only option advertises only the summary route; without it both the summary and the component subnet routes are sent. To avoid routing loops, adding the as-set option is recommended.
9.13. Adding more ASNs to the AS Path attribute
Question: Influence BGP path selection by increasing the number of ASNs in the AS Path attribute
Answer
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip as-path access-list 15 permit ^$
Router1(config)#route-map PREPEND permit 10
Router1(config-route-map)#match as-path 15
Router1(config-route-map)#set as-path prepend 65500 65500 65500
Router1(config-route-map)#exit
Router1(config)#route-map PREPEND permit 20
Router1(config-route-map)#exit
Router1(config)#router bgp 65500
Router1(config-router)#neighbor 192.168.1.5 remote-as 65510
Router1(config-router)#neighbor 192.168.1.5 route-map PREPEND out
Router1(config-router)#exit
Router1(config)#end
Router1#
Note: This method is used to influence inbound traffic.
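As an added example (not from the book), this Python models the best-path steps that recipes 9.7, 9.8 and 9.13 rely on (weight, local preference, AS-path length, MED) using the values from those recipes; the peer 10.0.0.1 is constructed for the example.

```python
from dataclasses import dataclass

# Added example (not from the book): the first steps of the BGP best-path
# algorithm as the recipes above exercise them. Weight is Cisco-local, then a
# higher LOCAL_PREF wins (recipe 9.7), then a shorter AS_PATH (which prepending
# in 9.13 lengthens), then a lower MED. Paths tying with the best on every
# step can be installed together under "maximum-paths" (recipe 9.8).
# Simplification, labelled as such: MED is compared across all paths here,
# whereas IOS only compares it between paths from the same neighbouring AS
# unless "bgp always-compare-med" is set.

@dataclass
class Path:
    peer: str
    as_path: list
    local_pref: int = 100   # IOS default; "bgp default local-preference" changes it
    weight: int = 0
    med: int = 0

def rank_key(p):
    return (-p.weight, -p.local_pref, len(p.as_path), p.med)

def select(paths, maximum_paths=1):
    """Return (best, installed): the best path and the equal paths that
    would be installed given "maximum-paths N"."""
    ranked = sorted(paths, key=rank_key)
    best = ranked[0]
    ties = [p for p in ranked if rank_key(p) == rank_key(best)]
    return best, ties[:maximum_paths]

def local_pref_beats_path_length():
    """Route-map LOCALPREF from 9.7: the shorter path from 192.168.1.5 gets
    local-preference 50 and loses to a longer path with the default 100."""
    short = Path("192.168.1.5", [65510, 65530], local_pref=50)
    long_ = Path("192.168.2.5", [65520, 65521, 65530])
    return select([short, long_])[0].peer

def prepend_lengthens_path():
    """Seen from the neighbour in 9.13: our prepended announcement loses to a
    route with the same local-preference but a shorter path."""
    prepended = Path("192.168.1.6", [65500, 65500, 65500, 65500])
    other = Path("10.0.0.1", [65530, 65500])   # constructed alternative path
    return select([prepended, other])[0].peer

def multipath_needs_equal_attributes():
    """maximum-paths 4 from 9.8 installs only paths identical on every step."""
    a = Path("192.168.1.5", [65510, 65530])
    b = Path("192.168.1.9", [65510, 65530])
    c = Path("192.168.2.5", [65510, 65530], med=10)   # MED differs: excluded
    return [p.peer for p in select([a, b, c], maximum_paths=4)[1]]
```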
9.14. Redistributing routes into BGP
Question: Redistribution between an IGP and BGP
Answer
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#router ospf 100
Router1(config-router)#network 172.26.0.0 0.0.255.255 area 0
Router1(config-router)#redistribute bgp 65500 metric 500 subnets
Router1(config-router)#exit
Router1(config)#router bgp 65500
Router1(config-router)#neighbor 192.168.1.5 remote-as 65520
Router1(config-router)#network 172.26.0.0
Router1(config-router)#exit
Router1(config)#end
Router1#
Router2(config)#route-map REDIST permit 5
Router2(config-route-map)#match tag 123
Router2(config-route-map)#exit
Router2(config)#route-map REDIST deny 10
Router2(config-route-map)#match route-type external
Router2(config-route-map)#exit
Router2(config)#route-map REDIST permit 20
Router2(config-route-map)#exit
Router2(config)#router bgp 65520
Router2(config-router)#redistribute eigrp 99 route-map REDIST metric 500
Note
9.15. Using peer groups
Question: Use groups to simplify the configuration of multiple neighbors that share the same attributes
Answer
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#router bgp 65500
Router1(config-router)#neighbor EBGP-PEERS peer-group
Router1(config-router)#neighbor EBGP-PEERS prefix-list PRE-RTFILTER in
Router1(config-router)#neighbor EBGP-PEERS filter-list 15 out
Router1(config-router)#neighbor 192.168.1.5 remote-as 65520
Router1(config-router)#neighbor 192.168.1.5 peer-group EBGP-PEERS
Router1(config-router)#neighbor 192.168.1.9 remote-as 65521
Router1(config-router)#neighbor 192.168.1.9 peer-group EBGP-PEERS
Router1(config-router)#neighbor 192.168.1.13 remote-as 65522
Router1(config-router)#neighbor 192.168.1.13 peer-group EBGP-PEERS
Router1(config-router)#neighbor 192.168.1.17 remote-as 65523
Router1(config-router)#neighbor 192.168.1.17 peer-group EBGP-PEERS
Router1(config-router)#exit
Router1(config)#end
Router1#
Note: The same can of course be done for iBGP neighbors:
Router1(config)#router bgp 65500
Router1(config-router)#neighbor IBGP-PEERS peer-group
Router1(config-router)#neighbor IBGP-PEERS update-source Loopback0
Router1(config-router)#neighbor IBGP-PEERS route-reflector-client
Router1(config-router)#neighbor 192.168.101.5 remote-as 65500
Router1(config-router)#neighbor 192.168.101.5 peer-group IBGP-PEERS
Router1(config-router)#neighbor 192.168.101.9 remote-as 65500
Router1(config-router)#neighbor 192.168.101.9 peer-group IBGP-PEERS
9.16. BGP neighbor authentication
Question: Add security with authentication
Answer
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#router bgp 65500
Router1(config-router)#neighbor 192.168.55.5 remote-as 65501
Router1(config-router)#neighbor 192.168.55.5 password password-1234
Router1(config-router)#exit
Router1(config)#end
Router1#
Note
9.17. Using BGP Communities
Question: Use BGP communities to control routes
Answer
First, use a route map to set the desired community values for the neighbor:
Router3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router3(config)#ip prefix-list 10.101/16 seq 5 permit 10.101.0.0/16
Router3(config)#ip prefix-list 10.102/16 seq 5 permit 10.102.0.0/16
Router3(config)#ip prefix-list 10.103/16 seq 5 permit 10.103.0.0/16
Router3(config)#ip prefix-list 10.104/16 seq 5 permit 10.104.0.0/16
Router3(config)#ip prefix-list 10.105/16 seq 5 permit 10.105.0.0/16
Router3(config)#route-map APPLY_COMMUNITY_A permit 10
Router3(config-route-map)#match ip address prefix-list 10.101/16
Router3(config-route-map)#set community no-advertise
Router3(config-route-map)#exit
Router3(config)#route-map APPLY_COMMUNITY_A permit 20
Router3(config-route-map)#match ip address prefix-list 10.102/16
Router3(config-route-map)#set community no-export
Router3(config-route-map)#exit
Router3(config)#route-map APPLY_COMMUNITY_A permit 30
Router3(config-route-map)#match ip address prefix-list 10.103/16
Router3(config-route-map)#set community local-AS
Router3(config-route-map)#exit
Router3(config)#route-map APPLY_COMMUNITY_A permit 40
Router3(config-route-map)#match ip address prefix-list 10.104/16
Router3(config-route-map)#set community internet
Router3(config-route-map)#exit
Router3(config)#route-map APPLY_COMMUNITY_A permit 50
Router3(config-route-map)#match ip address prefix-list 10.105/16
Router3(config-route-map)#set community 4293328976
Router3(config-route-map)#exit
Router3(config)#route-map APPLY_COMMUNITY_A permit 100
Router3(config-route-map)#exit
Router3(config)#router bgp 65500
Router3(config-router)#no synchronization
Router3(config-router)#neighbor 172.18.5.3 remote-as 65500
Router3(config-router)#neighbor 172.18.5.3 next-hop-self
Router3(config-router)#neighbor 172.18.5.3 send-community both
Router3(config-router)#neighbor 172.18.5.10 remote-as 65500
Router3(config-router)#neighbor 172.18.5.10 next-hop-self
Router3(config-router)#neighbor 172.18.5.10 send-community both
Router3(config-router)#neighbor 192.168.1.9 remote-as 65520
Router3(config-router)#neighbor 192.168.1.9 send-community both
Router3(config-router)#neighbor 192.168.1.9 route-map APPLY_COMMUNITY_A in
Router3(config-router)#exit
Router3(config)#end
Router3#
On the downstream router, configure the commands that allow it to propagate the community values:
Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#router bgp 65500
Router2(config-router)#no synchronization
Router2(config-router)#neighbor 172.18.5.4 remote-as 65500
Router2(config-router)#neighbor 172.18.5.4 send-community both
Router2(config-router)#neighbor 172.18.5.10 remote-as 65500
Router2(config-router)#neighbor 172.18.5.10 send-community both
Router2(config-router)#no auto-summary
Router2(config-router)#exit
Router2(config)#end
Router2#
Note: The four community values local-AS, no-advertise, no-export and internet are used to limit how far a route is advertised.
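As an added example (not from the book), this Python decodes the community values the route map above sets (the numeric 4293328976 is 65511:80 in ASN:NN form) and models which kinds of peer a route carrying each well-known community may be advertised to; the peer-kind names are assumptions made for the example.

```python
# Added example (not from the book): decoding the community values that
# route-map APPLY_COMMUNITY_A sets, and the advertisement scope each
# well-known value implies. Values are the RFC 1997 ones; "internet" is
# Cisco's name for community 0, which imposes no restriction.

WELL_KNOWN = {
    0x00000000: "internet",
    0xFFFFFF01: "no-export",      # do not advertise outside the AS/confederation
    0xFFFFFF02: "no-advertise",   # do not advertise to any peer at all
    0xFFFFFF03: "local-AS",       # do not advertise outside the local (sub-)AS
}

def decode_community(value):
    """Well-known name, or 'ASN:NN' (the "ip bgp-community new-format" display)."""
    if value in WELL_KNOWN:
        return WELL_KNOWN[value]
    return f"{value >> 16}:{value & 0xFFFF}"

def encode_community(text):
    """Inverse of decode_community: name or 'ASN:NN' -> 32-bit value."""
    for value, name in WELL_KNOWN.items():
        if name.lower() == text.lower():
            return value
    asn, nn = (int(x) for x in text.split(":"))
    if not (0 <= asn <= 0xFFFF and 0 <= nn <= 0xFFFF):
        raise ValueError(f"{text}: both halves must fit in 16 bits")
    return (asn << 16) | nn

def may_advertise(communities, peer_kind):
    """peer_kind (names assumed for this example): 'ibgp' (same AS), 'confed'
    (another member AS of our confederation) or 'ebgp'. Returns False if a
    well-known community forbids sending the route to that kind of peer."""
    names = {decode_community(c) for c in communities}
    if "no-advertise" in names:
        return False
    if "no-export" in names and peer_kind == "ebgp":
        return False
    if "local-AS" in names and peer_kind != "ibgp":
        return False
    return True

if __name__ == "__main__":
    # The numeric community the route map sets for 10.105.0.0/16.
    print(decode_community(4293328976))
    for c in (0xFFFFFF01, 0xFFFFFF02, 0xFFFFFF03, 0):
        print(decode_community(c), [may_advertise([c], k) for k in ("ibgp", "confed", "ebgp")])
```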
9.18. Using BGP Route Reflectors
Question: Simplify iBGP neighbor relationships with route reflectors
Answer
Only the three router roles need to be configured:
Router1 is a client peer:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#interface Ethernet0/0
Router1(config-if)#ip address 172.18.5.2 255.255.255.0
Router1(config-if)#exit
Router1(config)#interface Serial0/0
Router1(config-if)#ip address 192.168.1.6 255.255.255.252
Router1(config-if)#exit
Router1(config)#interface Loopback0
Router1(config-if)#ip address 172.18.6.1 255.255.255.255
Router1(config-if)#exit
Router1(config)#router bgp 65500
Router1(config-router)#no synchronization
Router1(config-router)#neighbor 172.18.6.2 remote-as 65500
Router1(config-router)#neighbor 172.18.6.2 next-hop-self
Router1(config-router)#neighbor 172.18.6.2 update-source Loopback0
Router1(config-router)#neighbor 192.168.1.5 remote-as 65510
Router1(config-router)#exit
Router1(config)#ip route 172.18.6.2 255.255.255.255 172.18.5.3
Router1(config)#ip route 172.18.6.3 255.255.255.255 172.18.5.4
Router1(config)#ip route 172.18.6.4 255.255.255.255 172.18.5.10
Router1(config)#end
Router1#
Router4 is a nonclient peer:
Router4#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router4(config)#interface Ethernet0
Router4(config-if)#ip address 172.18.5.10 255.255.255.0
Router4(config-if)#exit
Router4(config)#interface Loopback0
Router4(config-if)#ip address 172.18.6.4 255.255.255.255
Router4(config-if)#exit
Router4(config)#router bgp 65500
Router4(config-router)#no synchronization
Router4(config-router)#neighbor 172.18.6.2 remote-as 65500
Router4(config-router)#neighbor 172.18.6.2 update-source Loopback0
Router4(config-router)#exit
Router4(config)#ip route 172.18.6.1 255.255.255.255 172.18.5.2
Router4(config)#ip route 172.18.6.2 255.255.255.255 172.18.5.3
Router4(config)#ip route 172.18.6.3 255.255.255.255 172.18.5.4
Router4(config)#end
Router4#
Router2 is the route reflector:
Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#interface FastEthernet0/0
Router2(config-if)#ip address 172.18.5.3 255.255.255.0
Router2(config-if)#exit
Router2(config)#interface Loopback0
Router2(config-if)#ip address 172.18.6.2 255.255.255.255
Router2(config-if)#exit
Router2(config)#router bgp 65500
Router2(config-router)#no synchronization
Router2(config-router)#neighbor 172.18.6.1 remote-as 65500
Router2(config-router)#neighbor 172.18.6.1 route-reflector-client
Router2(config-router)#neighbor 172.18.6.1 update-source Loopback0
Router2(config-router)#neighbor 172.18.6.3 remote-as 65500
Router2(config-router)#neighbor 172.18.6.3 route-reflector-client
Router2(config-router)#neighbor 172.18.6.3 update-source Loopback0
Router2(config-router)#neighbor 172.18.6.4 remote-as 65500
Router2(config-router)#neighbor 172.18.6.4 update-source Loopback0
Router2(config-router)#no auto-summary
Router2(config-router)#exit
Router2(config)#ip route 172.18.6.1 255.255.255.255 172.18.5.2
Router2(config)#ip route 172.18.6.3 255.255.255.255 172.18.5.4
Router2(config)#ip route 172.18.6.4 255.255.255.255 172.18.5.10
Router2(config)#end
Router2#
Note: Route reflectors remove the requirement for an iBGP full mesh. For redundancy, however, several route reflectors should still be configured; use the bgp cluster-id 1234 command to define the cluster.
9.19. Summary lab
Question: Combine the preceding methods to reconfigure a router that has two redundant links
Answer
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#interface Serial0
Router1(config-if)#description connection to ISP #1, ASN 65510
Router1(config-if)#ip address 192.168.1.6 255.255.255.252
Router1(config-if)#exit
Router1(config)#interface Serial1
Router1(config-if)#description connection to ISP #2, ASN 65520
Router1(config-if)#ip address 192.168.2.6 255.255.255.252
Router1(config-if)#exit
Router1(config)#interface Ethernet0
Router1(config-if)#description connection to internal network, ASN 65500
Router1(config-if)#ip address 172.18.5.2 255.255.255.0
Router1(config-if)#exit
Router1(config)#ip as-path access-list 15 permit ^$
Router1(config)#ip route 0.0.0.0 0.0.0.0 192.168.101.0 1
Router1(config)#ip route 0.0.0.0 0.0.0.0 192.168.102.0 2
Router1(config)#ip prefix-list CREATE-DEFAULT seq 10 permit 192.168.101.0/24
Router1(config)#ip prefix-list CREATE-DEFAULT seq 20 permit 192.168.102.0/24
Router1(config)#ip prefix-list BLOCK-DEFAULT seq 10 permit 0.0.0.0/0 ge 1
Router1(config)#route-map PREPEND permit 10
Router1(config-route-map)#set as-path prepend 65500 65500
Router1(config-route-map)#exit
Router1(config)#route-map LOCALPREF permit 10
Router1(config-route-map)#set local-preference 75
Router1(config-route-map)#exit
Router1(config)#route-map DEFAULT-ROUTE permit 10
Router1(config-route-map)#match ip address prefix-list CREATE-DEFAULT
Router1(config-route-map)#exit
Router1(config)#router bgp 65500
Router1(config-router)#network 172.18.5.0 mask 255.255.255.0
Router1(config-router)#neighbor 172.18.5.3 remote-as 65500
Router1(config-router)#neighbor 172.18.5.3 password password_number1
Router1(config-router)#neighbor 172.18.5.3 default-originate route-map DEFAULT-ROUTE
Router1(config-router)#neighbor 192.168.1.5 remote-as 65510
Router1(config-router)#neighbor 192.168.1.5 password password_number2
Router1(config-router)#neighbor 192.168.1.5 filter-list 15 out
Router1(config-router)#neighbor 192.168.1.5 prefix-list CREATE-DEFAULT in
Router1(config-router)#neighbor 192.168.1.5 prefix-list BLOCK-DEFAULT out
Router1(config-router)#neighbor 192.168.2.5 remote-as 65520
Router1(config-router)#neighbor 192.168.2.5 password password_number3
Router1(config-router)#neighbor 192.168.2.5 filter-list 15 out
Router1(config-router)#neighbor 192.168.2.5 prefix-list CREATE-DEFAULT in
Router1(config-router)#neighbor 192.168.2.5 prefix-list BLOCK-DEFAULT out
Router1(config-router)#neighbor 192.168.2.5 route-map PREPEND out
Router1(config-router)#neighbor 192.168.2.5 route-map LOCALPREF in
Router1(config-router)#no synchronization
Router1(config-router)#exit
Router1(config)#end
Router1#