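I watched a video uploaded by a Bilibili creator (155和150), found it quite interesting, and built the topology to play with it. The video is no longer available. It used the eNSP simulator; I built mine with PNET, and the choice of simulator does not matter. I have trimmed some content and added some lab requirements.
The lab mainly covers the use of BGP techniques, including BGP neighbor establishment, route injection, route propagation, BGP confederations, route aggregation, route deaggregation, community attributes, path selection, regular expressions, route filtering, BGP features, and route dampening.
The topology is shown in the figure: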
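Lab requirements
BGP neighbor establishment
- eBGP sessions are established using interface addresses (except eBGP between confederation sub-ASes); iBGP sessions are established using loopback interface Lo0
- R2, R7 and R9 are configured using peer groups
- R4, R7 and R9 are route reflectors
BGP route injection
R5 redistributes IS-IS into BGP; R6, R7 and R8 redistribute IS-IS into BGP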
R5
```
router bgp 64100
 redistribute isis level-1
```
R6, R7, R8
```
router bgp 64200
 redistribute isis level-2
```
R5 must receive the 100.1.1.X routes normally; R4 may not use next-hop-self
R4
```
route-map SET_NH permit 10
 set ip next-hop 120.1.4.4
router bgp 64100
 neighbor iBGP route-map SET_NH out
```
BGP route propagation
The 100.1.1.x addresses can reach one another
R3
```
neighbor 200.1.103.10 as-override
```
R6
```
neighbor 200.1.116.11 as-override
```
R7
```
neighbor 200.1.127.12 as-override
```
R3, R6 and R7 remove private AS numbers for AS 64520
R3
```
router bgp 64100
 neighbor 200.1.103.10 remove-private-as all replace-as
```
R6
```
router bgp 64200
 neighbor 200.1.116.11 remove-private-as all replace-as
```
R7
```
router bgp 64200
 neighbor 200.1.127.12 remove-private-as all replace-as
```
Confederation configuration inside AS 64540
R11
```
router bgp 64530
 bgp log-neighbor-changes
 bgp confederation identifier 64540
 bgp confederation peers 64531
 neighbor 100.1.1.12 remote-as 64531
 neighbor 100.1.1.12 disable-connected-check
 neighbor 100.1.1.12 update-source Loopback0
 neighbor 100.1.1.12 next-hop-self
 neighbor 200.1.116.6 remote-as 64200
```
R12
```
router bgp 64531
 bgp log-neighbor-changes
 bgp confederation identifier 64540
 bgp confederation peers 64530
 redistribute eigrp 90
 neighbor 100.1.1.11 remote-as 64530
 neighbor 100.1.1.11 disable-connected-check
 neighbor 100.1.1.11 update-source Loopback0
 neighbor 100.1.1.11 next-hop-self
 neighbor 100.1.1.13 remote-as 64531
 neighbor 100.1.1.13 update-source Loopback0
 neighbor 100.1.1.13 next-hop-self
 neighbor 200.1.127.7 remote-as 64200
```
R13
```
router bgp 64531
 bgp log-neighbor-changes
 bgp confederation identifier 64540
 network 111.1.2.0 mask 255.255.255.0
 network 111.1.3.0 mask 255.255.255.0
 aggregate-address 111.1.0.0 255.255.0.0 as-set summary-only
 neighbor 100.1.1.12 remote-as 64531
 neighbor 100.1.1.12 update-source Loopback0
```
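BGP route aggregation and route deaggregation
R5, R6, R7 and R8 summarize the interconnect addresses and host routes inside the AS into aggregate routes with a 16-bit mask (for example, 120.1.0.0/16) and prevent route feedback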
R5
```
router bgp 64100
 aggregate-address 123.1.0.0 255.255.0.0 as-set summary-only
 aggregate-address 120.1.0.0 255.255.0.0 as-set summary-only
```
R6, R7, R8
```
router bgp 64200
 aggregate-address 145.1.0.0 255.255.0.0 as-set summary-only
 aggregate-address 140.1.0.0 255.255.0.0 as-set summary-only
```
For R5's host-route aggregate, 120.1.4.4/32 and 120.1.5.5/32 are not suppressed
R5
```
ip prefix-list UNSUPPRESS seq 5 permit 120.1.4.4/32
ip prefix-list UNSUPPRESS seq 10 permit 120.1.5.5/32
route-map UNSUPPRESS permit 10
 match ip address prefix-list UNSUPPRESS
router bgp 64100
 neighbor 120.1.4.4 unsuppress-map UNSUPPRESS
```
For the host-route aggregate on R6, R7 and R8, only 145.1.9.9/32 is suppressed, and the origin attribute of the aggregate is set to igp
R6, R7, R8
```
ip prefix-list SUPPRESS seq 5 permit 140.1.9.9/32
route-map SUPPRESS permit 10
 match ip address prefix-list SUPPRESS
route-map SET_IGP permit 10
 set origin igp
router bgp 64200
 aggregate-address 140.1.0.0 255.255.0.0 as-set summary-only attribute-map SET_IGP suppress-map SUPPRESS
```
R1 reaches 111.1.0.0/24 and 111.1.1.0/24 with R5 as the next hop; R2 reaches 111.1.2.0/24 and 111.1.3.0/24 with R8 as the next hop
R1
```
! huizong = aggregate (summary), mingxi = specifics
ip prefix-list SOURCE_AS64100 seq 5 permit 200.1.15.5/32
ip prefix-list huizong seq 5 permit 111.1.0.0/16
ip prefix-list mingxi seq 5 permit 111.1.0.0/24
ip prefix-list mingxi seq 10 permit 111.1.1.0/24
route-map mingxi permit 10
 set ip address prefix-list mingxi
 set community no-export
route-map huizong permit 10
 match ip address prefix-list huizong
 match ip route-source prefix-list SOURCE_AS64100
router bgp 64520
 bgp inject-map mingxi exist-map huizong copy-attributes
```
R2
```
ip prefix-list SOURCE_AS64200 seq 5 permit 200.1.28.8/32
ip prefix-list huizong seq 5 permit 111.1.0.0/16
ip prefix-list mingxi seq 5 permit 111.1.2.0/24
ip prefix-list mingxi seq 10 permit 111.1.3.0/24
route-map mingxi permit 10
 set ip address prefix-list mingxi
 set community no-export
route-map huizong permit 10
 match ip address prefix-list huizong
 match ip route-source prefix-list SOURCE_AS64200
router bgp 64520
 bgp inject-map mingxi exist-map huizong copy-attributes
```
BGP path selection (MED, AS-Path, Local-Pref)
Configure on R8 so that AS 64200 reaches 120.1.X.X over the R4-R8 link when X is even, and over the R3-R6 link when X is odd
R8
```
access-list 10 permit 120.1.0.0 0.0.254.254
access-list 20 permit 120.1.1.1 0.0.254.254
route-map SET_LP permit 10
 match ip address 10
 set local-preference 120
route-map SET_LP permit 20
 match ip address 20
 set local-preference 99
route-map SET_LP permit 30
router bgp 64200
 neighbor 200.1.48.4 route-map SET_LP in
```
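How the wildcard mask 0.0.254.254 in the R8 configuration above separates even from odd octets, as an added Python example (not part of the original lab). It assumes the route-map tests the prefix's network address against the ACL and that an unmatched route keeps the IOS default local preference of 100; 120.1.4.5 and 123.1.34.0 are constructed samples.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS standard-ACL test: bits set to 1 in the wildcard are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

# (ACL number, base, wildcard, local-preference), in route-map SET_LP order
SET_LP = [
    (10, "120.1.0.0", "0.0.254.254", 120),  # 3rd and 4th octets both even
    (20, "120.1.1.1", "0.0.254.254", 99),   # 3rd and 4th octets both odd
]
DEFAULT_LP = 100  # assumption: "permit 30" sets nothing, IOS default applies

def local_pref(prefix_addr):
    """Local preference R8 assigns to a route received from 200.1.48.4."""
    for _acl, base, wildcard, lp in SET_LP:
        if wildcard_match(prefix_addr, base, wildcard):
            return lp
    return DEFAULT_LP

# 120.1.4.4 and 120.1.5.5 appear on the page; the rest are constructed
SAMPLES = ["120.1.4.4", "120.1.5.5", "120.1.4.5", "120.1.0.0", "123.1.34.0"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:12} local-preference {local_pref(s)}")
```

A prefix whose third and fourth octets differ in parity, such as 120.1.4.5, matches neither ACL and falls through to the empty permit 30 clause.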
Configure on R6 and R8 so that AS 64100 reaches 140.1.X.X/32 over the R4-R8 link when X is even, and over the R3-R6 link when X is odd
R6
```
access-list 30 permit 140.1.0.0 0.0.254.254
access-list 40 permit 140.1.1.1 0.0.254.254
route-map SET_MED permit 10
 match ip address 30
 set metric 200
route-map SET_MED permit 20
 match ip address 40
 set metric 100
route-map SET_MED permit 30
router bgp 64200
 neighbor 200.1.36.3 route-map SET_MED out
```
R8
```
access-list 30 permit 140.1.0.0 0.0.254.254
access-list 40 permit 140.1.1.1 0.0.254.254
route-map SET_MED permit 10
 match ip address 30
 set metric 100
route-map SET_MED permit 20
 match ip address 40
 set metric 200
route-map SET_MED permit 30
router bgp 64200
 neighbor 200.1.48.4 route-map SET_MED out
```
On R1, for any prefix originating in AS 64540, AS 64520 always forwards via R2 (except the specific entries created by route deaggregation)
Configure an ip as-path list that matches routes whose path begins at AS 64540, and use a route-map to prepend AS numbers so that the path becomes longer
R1
```
ip as-path access-list 100 permit _64540$
route-map AS_PREPEND permit 10
 match as-path 100
 set as-path prepend last-as 3
router bgp 64520
 neighbor 200.1.15.5 route-map AS_PREPEND in
```
BGP route filtering
R6 and R7 advertise only the 200.1.XY.0/24 and 100.1.1.X/32 routes to R11 and R12
Set up a matching route-map to filter the routes advertised to R11 and R12
R6
```
ip prefix-list ADV_TO_64540 seq 5 permit 200.1.0.0/16 le 24
ip prefix-list ADV_TO_64540 seq 10 permit 100.1.1.0/24 le 32
route-map ADV_TO_64540 permit 10
 match ip address prefix-list ADV_TO_64540
router bgp 64200
 neighbor 200.1.116.11 route-map ADV_TO_64540 out
```
R7
```
ip prefix-list ADV_TO_64540 seq 5 permit 200.1.0.0/16 le 24
ip prefix-list ADV_TO_64540 seq 10 permit 100.1.1.0/24 le 32
route-map ADV_TO_64540 permit 10
 match ip address prefix-list ADV_TO_64540
router bgp 64200
 neighbor 200.1.127.12 route-map ADV_TO_64540 out
```
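What the ADV_TO_64540 prefix list above actually admits, as an added Python example (not from the original post). It models the IOS ge/le length rules and compares the page's entries with a hypothetical exact-length variant named TIGHT; the sample routes other than 100.1.1.10/32 are constructed.

```python
import ipaddress

def entry_matches(route, net, ge=None, le=None):
    """IOS prefix-list entry test: the leading bits must equal `net` and the
    route's length must fall inside the window defined by ge/le."""
    r = ipaddress.ip_network(route)
    n = ipaddress.ip_network(net)
    if ge is None and le is None:
        lo = hi = n.prefixlen              # no ge/le: exact length only
    else:
        lo = ge if ge is not None else n.prefixlen
        hi = le if le is not None else 32
    return lo <= r.prefixlen <= hi and r.network_address in n

def permitted(route, plist):
    """All entries here are permits; no match means the implicit deny."""
    return any(entry_matches(route, *entry) for entry in plist)

# Entries as (network, ge, le). PAGE copies ADV_TO_64540 from R6/R7.
PAGE = [("200.1.0.0/16", None, 24), ("100.1.1.0/24", None, 32)]
# Hypothetical exact-length variant: only /24 links and /32 host routes.
TIGHT = [("200.1.0.0/16", 24, 24), ("100.1.1.0/24", 32, 32)]

# Sample routes (constructed, except 100.1.1.10/32 which is on the page)
SAMPLES = ["200.1.36.0/24", "100.1.1.10/32", "200.1.0.0/16",
           "200.1.32.0/20", "100.1.1.0/24", "140.1.9.9/32"]

def compare():
    """Map each sample route to (permitted by PAGE, permitted by TIGHT)."""
    return {r: (permitted(r, PAGE), permitted(r, TIGHT)) for r in SAMPLES}

if __name__ == "__main__":
    for route, (page, tight) in compare().items():
        print(f"{route:16} page={page!s:5} tight={tight}")
```

With `le 24` and `le 32` alone, shorter covering prefixes such as 200.1.0.0/16 or 100.1.1.0/24 would also pass the filter if they ever appeared in the BGP table.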
Configure ORF on R3 and R10 so that AS 64100 advertises only the 200.1.XY.0/24 and 100.1.1.X/32 prefixes to R10
This feature is activated by advertising the ORF capability to the peer. It means accepting a prefix list from the peer and applying that prefix list in the outbound direction toward that peer.
R10
```
ip prefix-list FROM_64100 seq 5 permit 200.1.0.0/16 le 24
ip prefix-list FROM_64100 seq 10 permit 100.1.1.0/24 le 32
router bgp 64540
 neighbor 200.1.103.3 capability orf prefix-list send
 neighbor 200.1.103.3 prefix-list FROM_64100 in
```
R3
```
router bgp 64100
 neighbor 200.1.103.10 capability orf prefix-list receive
```
BGP features
AS 64520 must not act as a transit AS, and BGP route filtering may not be used
Use the no-export community attribute
R1
```
route-map SET_COMM permit 10
 set community no-export
router bgp 64520
 neighbor 10.1.2.2 send-community
 neighbor 10.1.2.2 route-map SET_COMM out
```
R2
```
route-map SET_COMM permit 10
 set community no-export
router bgp 64520
 neighbor 10.1.1.1 send-community
 neighbor 10.1.1.1 route-map SET_COMM out
```
Enable MD5 authentication on the iBGP session between R1 and R2, with the password cisco
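R1
```
router bgp 64520
 ! peer address as used in R1's other neighbor statements
 neighbor 10.1.2.2 password cisco
```
R2
```
router bgp 64520
 ! peer address as used in R2's other neighbor statements
 neighbor 10.1.1.1 password cisco
```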
Configure on R3 so that if 100.1.1.10/32 is unstable, it is suppressed after flapping 2 times and automatically restored after 5 min
Configure BGP route dampening
R3
```
ip prefix-list DAMPENING seq 5 permit 100.1.1.10/32
route-map DAMPENING permit 10
 match ip address prefix-list DAMPENING
 set dampening 4 750 2000 16
router bgp 64100
 bgp dampening route-map DAMPENING
```
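The arithmetic behind `set dampening 4 750 2000 16`, as an added Python example (not from the original post). It assumes exponential decay by half-life and a penalty of 1000 per flap, the value commonly documented for Cisco IOS; the function names are hypothetical.

```python
import math

# Values from "set dampening 4 750 2000 16" on R3
HALF_LIFE_MIN = 4       # penalty halves every 4 minutes
REUSE = 750             # route is advertised again below this penalty
SUPPRESS = 2000         # suppress limit
MAX_SUPPRESS_MIN = 16   # longest time a route may stay suppressed
FLAP_PENALTY = 1000     # assumption: per-flap penalty documented for IOS

def decay(penalty, minutes):
    """Exponential decay: the penalty halves every HALF_LIFE_MIN minutes."""
    return penalty * 2 ** (-minutes / HALF_LIFE_MIN)

def max_penalty():
    """Ceiling implied by the maximum suppress time."""
    return REUSE * 2 ** (MAX_SUPPRESS_MIN / HALF_LIFE_MIN)

def penalty_after_flaps(gaps_min):
    """Penalty right after the last flap; gaps_min = minutes between flaps."""
    penalty = FLAP_PENALTY
    for gap in gaps_min:
        penalty = decay(penalty, gap) + FLAP_PENALTY
    return min(penalty, max_penalty())

def minutes_until_reuse(penalty):
    """Time for a penalty to decay down to the reuse limit."""
    if penalty <= REUSE:
        return 0.0
    return HALF_LIFE_MIN * math.log2(penalty / REUSE)

if __name__ == "__main__":
    print("suppress limit down to reuse: %.2f min" % minutes_until_reuse(SUPPRESS))
    print("two flaps 30 s apart: penalty %.0f" % penalty_after_flaps([0.5]))
    print("penalty ceiling: %.0f" % max_penalty())
```

A penalty sitting at the suppress limit needs about 5.7 minutes to decay to the reuse limit, close to the 5 min in the requirement.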
Configure on R1 so that if the 100.1.1.10 route exists, a default route is advertised to R2
R1
```
ip prefix-list EXIST_10 seq 5 permit 100.1.1.10/32
route-map DEFAULT_CONDITION permit 10
 match ip address prefix-list EXIST_10
 set community no-export
router bgp 64520
 neighbor 10.1.2.2 default-originate route-map DEFAULT_CONDITION
```
Ending
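- Some configuration may not be mentioned in this post, and some terminology may be imprecise; please bear with me.
- The configurations are stored on Aliyun Drive; here is the link: [shared files]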
- You are welcome to "call" or write to discuss.