I came across a video on Bilibili from the creator 155和150 that looked interesting, so I built the topology to play with it. The video has since been taken down. It was built in the eNSP simulator; I built mine in PNET, and the choice of simulator does not matter. I have trimmed some of the content and added a few lab requirements of my own.
The lab mainly exercises BGP: neighbor establishment, route injection, route propagation, BGP confederations, route aggregation, route splitting (injecting specifics from an aggregate), community attributes, path selection, regular expressions, route filtering, BGP features, and route dampening.
The topology is shown in the figure:
Lab requirements
BGP neighbor establishment
- eBGP sessions are established on the directly connected interfaces (except the eBGP sessions between sub-ASes inside the confederation); iBGP sessions use Loopback0
- R2, R7 and R9 are configured with peer groups
- R4, R7 and R9 are route reflectors
BGP route injection
R5 redistributes IS-IS into BGP; R6, R7 and R8 redistribute IS-IS into BGP
```
! R5
router bgp 64100
 redistribute isis level-1
! R6, R7, R8
router bgp 64200
 redistribute isis level-2
```
R5 must still receive the 100.1.1.X routes, but R4 may not use next-hop-self
```
! R4 ("iBGP" is the peer-group name used for the iBGP clients)
route-map SET_NH permit 10
 set ip next-hop 120.1.4.4
router bgp 64100
 neighbor iBGP route-map SET_NH out
```
BGP route propagation
The 100.1.1.x loopbacks must be able to reach each other
```
! R3
router bgp 64100
 neighbor 200.1.103.10 as-override
! R6
router bgp 64200
 neighbor 200.1.116.11 as-override
! R7
router bgp 64200
 neighbor 200.1.127.12 as-override
```
R3, R6 and R7 strip the private AS number (AS 64520) from the AS path advertised toward AS 64540
```
! R3
router bgp 64100
 neighbor 200.1.103.10 remove-private-as all replace-as
! R6
router bgp 64200
 neighbor 200.1.116.11 remove-private-as all replace-as
! R7
router bgp 64200
 neighbor 200.1.127.12 remove-private-as all replace-as
```
Confederation configuration inside AS 64540
```
! R11 (sub-AS 64530 of confederation 64540)
router bgp 64530
 bgp log-neighbor-changes
 bgp confederation identifier 64540
 bgp confederation peers 64531
 ! confederation eBGP to R12 between loopbacks on a directly connected link
 neighbor 100.1.1.12 remote-as 64531
 neighbor 100.1.1.12 disable-connected-check
 neighbor 100.1.1.12 update-source Loopback0
 neighbor 100.1.1.12 next-hop-self
 neighbor 200.1.116.6 remote-as 64200
! R12 (sub-AS 64531)
router bgp 64531
 bgp log-neighbor-changes
 bgp confederation identifier 64540
 bgp confederation peers 64530
 redistribute eigrp 90
 neighbor 100.1.1.11 remote-as 64530
 neighbor 100.1.1.11 disable-connected-check
 neighbor 100.1.1.11 update-source Loopback0
 neighbor 100.1.1.11 next-hop-self
 neighbor 100.1.1.13 remote-as 64531
 neighbor 100.1.1.13 update-source Loopback0
 neighbor 100.1.1.13 next-hop-self
 neighbor 200.1.127.7 remote-as 64200
! R13 (sub-AS 64531)
router bgp 64531
 bgp log-neighbor-changes
 bgp confederation identifier 64540
 network 111.1.2.0 mask 255.255.255.0
 network 111.1.3.0 mask 255.255.255.0
 aggregate-address 111.1.0.0 255.255.0.0 as-set summary-only
 neighbor 100.1.1.12 remote-as 64531
 neighbor 100.1.1.12 update-source Loopback0
```
BGP route aggregation and route splitting
R5, R6, R7 and R8 summarize the AS-internal interconnect and host routes into /16 aggregates (for example 120.1.0.0/16) and prevent route feedback (loops) with as-set
```
! R5
router bgp 64100
 aggregate-address 123.1.0.0 255.255.0.0 as-set summary-only
 aggregate-address 120.1.0.0 255.255.0.0 as-set summary-only
! R6, R7, R8
router bgp 64200
 aggregate-address 145.1.0.0 255.255.0.0 as-set summary-only
 aggregate-address 140.1.0.0 255.255.0.0 as-set summary-only
```
On R5, do not suppress the host routes 120.1.4.4/32 and 120.1.5.5/32 from the summary
```
! R5
ip prefix-list UNSUPPRESS seq 5 permit 120.1.4.4/32
ip prefix-list UNSUPPRESS seq 10 permit 120.1.5.5/32
route-map UNSUPPRESS permit 10
 match ip address prefix-list UNSUPPRESS
router bgp 64100
 neighbor 120.1.4.4 unsuppress-map UNSUPPRESS
```
On R6, R7 and R8, suppress only 145.1.9.9/32 from the summary, and set the aggregate's origin attribute to igp
```
! R6, R7, R8
ip prefix-list SUPPRESS seq 5 permit 140.1.9.9/32
route-map SUPPRESS permit 10
 match ip address prefix-list SUPPRESS
route-map SET_IGP permit 10
 set origin igp
router bgp 64200
 aggregate-address 140.1.0.0 255.255.0.0 as-set summary-only attribute-map SET_IGP suppress-map SUPPRESS
```
R1 reaches 111.1.0.0/24 and 111.1.1.0/24 with next hop R5; R2 reaches 111.1.2.0/24 and 111.1.3.0/24 with next hop R8
```
! R1
! huizong (summary): the aggregate that must exist, learned from R5 (200.1.15.5)
! mingxi (specifics): the more-specific prefixes injected when it does
ip prefix-list SOURCE_AS64100 seq 5 permit 200.1.15.5/32
ip prefix-list huizong seq 5 permit 111.1.0.0/16
ip prefix-list mingxi seq 5 permit 111.1.0.0/24
ip prefix-list mingxi seq 10 permit 111.1.1.0/24
route-map mingxi permit 10
 set ip address prefix-list mingxi
 set community no-export
route-map huizong permit 10
 match ip address prefix-list huizong
 match ip route-source prefix-list SOURCE_AS64100
router bgp 64520
 bgp inject-map mingxi exist-map huizong copy-attributes
! R2
ip prefix-list SOURCE_AS64200 seq 5 permit 200.1.28.8/32
ip prefix-list huizong seq 5 permit 111.1.0.0/16
ip prefix-list mingxi seq 5 permit 111.1.2.0/24
ip prefix-list mingxi seq 10 permit 111.1.3.0/24
route-map mingxi permit 10
 set ip address prefix-list mingxi
 set community no-export
route-map huizong permit 10
 match ip address prefix-list huizong
 match ip route-source prefix-list SOURCE_AS64200
router bgp 64520
 bgp inject-map mingxi exist-map huizong copy-attributes
```
BGP path selection (MED, AS-Path, Local-Pref)
Configure R8 so that AS 64200 reaches 120.1.X.X via the R4-R8 link when X is even and via the R3-R6 link when X is odd
```
! R8
! wildcard 0.0.254.254: only the low bit of the 3rd and 4th octets is checked
access-list 10 permit 120.1.0.0 0.0.254.254
access-list 20 permit 120.1.1.1 0.0.254.254
route-map SET_LP permit 10
 match ip address 10
 set local-preference 120
route-map SET_LP permit 20
 match ip address 20
 set local-preference 99
route-map SET_LP permit 30
router bgp 64200
 neighbor 200.1.48.4 route-map SET_LP in
```
Configure R6 and R8 so that AS 64100 reaches 140.1.X.X/32 via the R4-R8 link when X is even and via the R3-R6 link when X is odd
```
! R6
access-list 30 permit 140.1.0.0 0.0.254.254
access-list 40 permit 140.1.1.1 0.0.254.254
route-map SET_MED permit 10
 match ip address 30
 set metric 200
route-map SET_MED permit 20
 match ip address 40
 set metric 100
route-map SET_MED permit 30
router bgp 64200
 neighbor 200.1.36.3 route-map SET_MED out
! R8
access-list 30 permit 140.1.0.0 0.0.254.254
access-list 40 permit 140.1.1.1 0.0.254.254
route-map SET_MED permit 10
 match ip address 30
 set metric 100
route-map SET_MED permit 20
 match ip address 40
 set metric 200
route-map SET_MED permit 30
router bgp 64200
 neighbor 200.1.48.4 route-map SET_MED out
```
On R1: for any prefix originated by AS 64540, AS 64520 always forwards through R2 (except the specific routes created by route splitting)
Configure an ip as-path access-list that matches routes originated by AS 64540 (the AS path ends in 64540), and a route-map that prepends AS numbers so that the path through R5 becomes longer
```
! R1
ip as-path access-list 100 permit _64540$
route-map AS_PREPEND permit 10
 match as-path 100
 set as-path prepend last-as 3
router bgp 64520
 neighbor 200.1.15.5 route-map AS_PREPEND in
```
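To check the three policies in this section without a simulator, here is a small route-map evaluator. It is an added example, not part of the original lab or a Cisco tool: it models IOS wildcard masks, the `_` delimiter in IOS AS-path regular expressions, and `set as-path prepend last-as`, then replays SET_LP, SET_MED and AS_PREPEND on constructed sample routes (the prefixes and AS paths below are made up to match the topology; deny clauses and the remaining best-path steps are not modelled).

```python
"""Added example (not from the original lab): a small route-map evaluator that
reproduces the three policies in this section, so the even/odd wildcard masks,
the `_64540$` AS-path regex and `prepend last-as 3` can be checked offline.
Routes are modelled as dicts; all sample routes below are constructed."""
import ipaddress
import re


def wildcard_match(addr, base, wildcard):
    """IOS wildcard: a 1 bit in the mask is 'don't care', a 0 bit must match."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def cisco_aspath_regex(pattern):
    """IOS '_' matches a delimiter: space, comma, braces, parens, start or end."""
    return re.compile(pattern.replace("_", r"(?:^|$|[ ,{}()])"))


ACL = {  # access-list number -> (base, wildcard), as on the page
    10: ("120.1.0.0", "0.0.254.254"), 20: ("120.1.1.1", "0.0.254.254"),
    30: ("140.1.0.0", "0.0.254.254"), 40: ("140.1.1.1", "0.0.254.254"),
}
AS_PATH_ACL = {100: "_64540$"}  # ip as-path access-list 100 permit _64540$


def clause_matches(clause, route):
    """Every match statement of a clause must succeed; a clause without any
    match statement matches everything (like `route-map X permit 30`)."""
    if "acl" in clause:
        net = ipaddress.ip_network(route["prefix"], strict=False)
        if not wildcard_match(str(net.network_address), *ACL[clause["acl"]]):
            return False
    if "as_path_acl" in clause:
        path_str = " ".join(str(a) for a in route["as_path"])
        if not cisco_aspath_regex(AS_PATH_ACL[clause["as_path_acl"]]).search(path_str):
            return False
    return True


def apply_route_map(route_map, route):
    """First matching (permit) clause wins and its set statements are applied
    to a copy of the route; no matching clause means the route is dropped."""
    for clause in route_map:
        if clause_matches(clause, route):
            r = dict(route)
            if "local_pref" in clause:
                r["local_pref"] = clause["local_pref"]
            if "med" in clause:
                r["med"] = clause["med"]
            if "prepend_last_as" in clause:
                last = r["as_path"][0]  # the neighbor's AS is first in the path
                r["as_path"] = [last] * clause["prepend_last_as"] + r["as_path"]
            return r
    return None


SET_LP = [{"acl": 10, "local_pref": 120}, {"acl": 20, "local_pref": 99}, {}]
SET_MED_R6 = [{"acl": 30, "med": 200}, {"acl": 40, "med": 100}, {}]
SET_MED_R8 = [{"acl": 30, "med": 100}, {"acl": 40, "med": 200}, {}]
AS_PREPEND = [{"as_path_acl": 100, "prepend_last_as": 3}, {}]


def as64200_exit(prefix):
    """Which copy AS 64200 prefers for a 120.1.x.x prefix after R8 runs SET_LP
    inbound from R4; R6's copy keeps the default local-pref of 100."""
    r8 = apply_route_map(SET_LP, {"prefix": prefix, "as_path": [64100], "local_pref": 100})
    if r8["local_pref"] > 100:
        return "R4-R8"
    return "R3-R6" if r8["local_pref"] < 100 else "tie"


def as64100_entry(prefix):
    """Which entry AS 64100 prefers for a 140.1.x.x/32 after R6 and R8 set MED
    outbound; IOS treats a missing MED as 0 unless missing-as-worst is set."""
    route = {"prefix": prefix, "as_path": [64200]}
    via_r6 = apply_route_map(SET_MED_R6, route).get("med", 0)
    via_r8 = apply_route_map(SET_MED_R8, route).get("med", 0)
    if via_r8 < via_r6:
        return "R4-R8"
    return "R3-R6" if via_r6 < via_r8 else "tie"


def r1_path_length(as_path):
    """AS-path length R1 sees on the copy from R5 after AS_PREPEND inbound."""
    return len(apply_route_map(AS_PREPEND, {"prefix": "111.1.0.0/16", "as_path": as_path})["as_path"])
```

A prefix such as 120.1.4.5/32 (mixed parity) matches neither ACL 10 nor ACL 20, falls into the empty `permit 30` clause and keeps local-preference 100 on both copies, so the later best-path steps decide; the same happens with MED for 140.1.x.y where x and y differ in parity. For AS_PREPEND, the received path `64100 64540` becomes `64100 64100 64100 64100 64540` (length 5) and loses to R2's `64200 64540`; a path that does not end in 64540 passes through unchanged.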
BGP route filtering
R6 and R7 advertise only the 200.1.XY.0/24 and 100.1.1.X/32 routes to R11 and R12
Match the prefixes with a route-map and filter what is advertised to R11 and R12
```
! R6
ip prefix-list ADV_TO_64540 seq 5 permit 200.1.0.0/16 le 24
ip prefix-list ADV_TO_64540 seq 10 permit 100.1.1.0/24 le 32
route-map ADV_TO_64540 permit 10
 match ip address prefix-list ADV_TO_64540
router bgp 64200
 neighbor 200.1.116.11 route-map ADV_TO_64540 out
! R7
ip prefix-list ADV_TO_64540 seq 5 permit 200.1.0.0/16 le 24
ip prefix-list ADV_TO_64540 seq 10 permit 100.1.1.0/24 le 32
route-map ADV_TO_64540 permit 10
 match ip address prefix-list ADV_TO_64540
router bgp 64200
 neighbor 200.1.127.12 route-map ADV_TO_64540 out
```
Configure ORF on R3 and R10 so that AS 64100 advertises only the 200.1.XY.0/24 and 100.1.1.X/32 prefixes to R10
The feature is activated by advertising the ORF capability to the peer. `send` on R10 pushes its inbound prefix-list FROM_64100 to R3; `receive` on R3 means R3 accepts the prefix list from the peer and applies it in the outbound direction toward that peer, so the filtered prefixes are never sent over the link.
```
! R10
ip prefix-list FROM_64100 seq 5 permit 200.1.0.0/16 le 24
ip prefix-list FROM_64100 seq 10 permit 100.1.1.0/24 le 32
router bgp 64540
 neighbor 200.1.103.3 capability orf prefix-list send
 neighbor 200.1.103.3 prefix-list FROM_64100 in
! R3
router bgp 64100
 neighbor 200.1.103.10 capability orf prefix-list receive
```
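The same prefix-list entries appear in ADV_TO_64540 on R6/R7 and in FROM_64100 on R10 (which ORF hands to R3 to apply outbound). The evaluator below is an added example, not IOS code or part of the lab: it implements the `ge`/`le` semantics of `ip prefix-list` and the implicit deny at the end, and runs the page's list over constructed sample prefixes. It also shows a caveat worth knowing: `200.1.0.0/16 le 24` admits every length from /16 to /24, so the 200.1.0.0/16 summary itself would pass, whereas `ge 24 le 24` restricts the match to /24s as the requirement text literally asks.

```python
"""Added example (not from the original lab): evaluate Cisco ip prefix-list
entries such as `permit 200.1.0.0/16 le 24`. Sample prefixes are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Entry:
    seq: int
    action: str            # "permit" or "deny"
    prefix: str            # e.g. "200.1.0.0/16"
    ge: Optional[int] = None
    le: Optional[int] = None


def entry_matches(e: Entry, candidate: str) -> bool:
    """IOS semantics: A/n alone is an exact match; `ge g` means lengths g..32,
    `le l` means lengths n..l, `ge g le l` means g..l. In every case the first
    n bits of the candidate must equal the entry's prefix."""
    base = ipaddress.ip_network(e.prefix, strict=False)
    cand = ipaddress.ip_network(candidate, strict=False)
    lo = e.ge if e.ge is not None else base.prefixlen
    if e.le is not None:
        hi = e.le
    else:
        hi = 32 if e.ge is not None else base.prefixlen
    if not lo <= cand.prefixlen <= hi:
        return False
    return cand.network_address in base


def evaluate(plist, candidate: str) -> bool:
    """Walk entries in seq order; first match decides. No match = implicit deny."""
    for e in sorted(plist, key=lambda x: x.seq):
        if entry_matches(e, candidate):
            return e.action == "permit"
    return False


def filtered(plist, candidates):
    """What would survive the outbound filter (R6/R7 route-map, or R3's ORF)."""
    return [c for c in candidates if evaluate(plist, c)]


# The list as written on the page (ADV_TO_64540 on R6/R7, FROM_64100 on R10)
ADV_TO_64540 = [
    Entry(5, "permit", "200.1.0.0/16", le=24),
    Entry(10, "permit", "100.1.1.0/24", le=32),
]
# Stricter variant: only /24s inside 200.1.0.0/16, plus the /32 loopbacks
STRICT = [
    Entry(5, "permit", "200.1.0.0/16", ge=24, le=24),
    Entry(10, "permit", "100.1.1.0/24", ge=32),
]

# Constructed candidates: interconnect /24s, loopback /32s, and things that
# should not leak toward AS 64540 (the 120.1.0.0/16 aggregate, odd lengths)
SAMPLE = ["200.1.36.0/24", "200.1.48.0/24", "100.1.1.10/32", "100.1.1.0/24",
          "200.1.0.0/16", "200.1.48.0/25", "120.1.0.0/16", "140.1.9.9/32"]
```

Running `filtered(ADV_TO_64540, SAMPLE)` keeps the two /24s, both 100.1.1.x entries and, because of `le 24`, the 200.1.0.0/16 summary; `filtered(STRICT, SAMPLE)` drops that summary and the 100.1.1.0/24. Since ORF only transports the list, R3's outbound result is whatever `evaluate` returns for each prefix in its Adj-RIB-Out.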
BGP features
AS 64520 must not become a transit AS, and BGP route filtering may not be used to achieve this
Use the no-export community attribute
```
! R1
route-map SET_COMM permit 10
 set community no-export
router bgp 64520
 neighbor 10.1.2.2 send-community
 neighbor 10.1.2.2 route-map SET_COMM out
! R2
route-map SET_COMM permit 10
 set community no-export
router bgp 64520
 neighbor 10.1.1.1 send-community
 neighbor 10.1.1.1 route-map SET_COMM out
```
Enable MD5 authentication on the iBGP session between R1 and R2, with password cisco
```
! R1
router bgp 64520
 neighbor 10.1.1.1 password cisco
! R2
router bgp 64520
 neighbor 10.1.2.2 password cisco
```
On R3, if 100.1.1.10/32 is unstable, suppress it after 2 flaps and let it recover automatically after 5 minutes
Configure BGP route dampening (half-life 4 min, reuse 750, suppress 2000, max-suppress 16 min)
```
! R3
ip prefix-list DAMPENING seq 5 permit 100.1.1.10/32
route-map DAMPENING permit 10
 match ip address prefix-list DAMPENING
 set dampening 4 750 2000 16
router bgp 64100
 bgp dampening route-map DAMPENING
```
On R1, advertise a default route to R2 only while the route 100.1.1.10 exists
```
! R1
ip prefix-list EXIST_10 seq 5 permit 100.1.1.10/32
route-map DEFAULT_CONDITION permit 10
 match ip address prefix-list EXIST_10
 set community no-export
router bgp 64520
 neighbor 10.1.2.2 default-originate route-map DEFAULT_CONDITION
```
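Two more added examples for this section, neither taken from the lab. The first shows what `neighbor ... password cisco` on R1 and R2 actually does on the wire: RFC 2385 adds a TCP option carrying an MD5 digest computed over the IPv4 pseudo-header, the TCP header (options excluded, checksum zeroed), the payload and the shared key, and a receiver silently drops any segment whose digest does not verify. The segment, ports, sequence numbers and KEEPALIVE payload below are constructed values.

```python
"""Added example (not from the original lab): the RFC 2385 TCP MD5 signature
that `neighbor ... password` enables. The sample segment is constructed."""
import hashlib
import hmac
import socket
import struct


def tcp_md5_digest(src_ip, dst_ip, src_port, dst_port, seq, ack, flags,
                   window, urgent, options_len, payload, key):
    """16-byte RFC 2385 digest for one TCP segment. options_len is the total
    length of the options in the real segment (the 18-byte MD5 option is
    padded to 20); it affects data offset and segment length, but the option
    bytes themselves are not covered by the digest."""
    tcp_hdr_len = 20 + options_len
    seg_len = tcp_hdr_len + len(payload)
    # 1. IPv4 pseudo-header: src, dst, zero, protocol 6 (TCP), TCP length
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, seg_len))
    # 2. the 20-byte TCP header with the checksum field set to zero
    offset_flags = ((tcp_hdr_len // 4) << 12) | (flags & 0x1FF)
    tcp = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                      offset_flags, window, 0, urgent)
    # 3. segment data, 4. the shared key
    return hashlib.md5(pseudo + tcp + payload + key).digest()


# Constructed segment: R2 (10.1.2.2) sends a BGP KEEPALIVE to R1 (10.1.1.1)
KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)   # marker, length, type
SEGMENT = dict(src_ip="10.1.2.2", dst_ip="10.1.1.1", src_port=49152,
               dst_port=179, seq=0x1000, ack=0x2000, flags=0x018,
               window=16384, urgent=0, options_len=20)


def sign(payload=KEEPALIVE, key=b"cisco", **overrides):
    """Sender side: digest for the sample segment (fields may be overridden)."""
    return tcp_md5_digest(**{**SEGMENT, **overrides}, payload=payload, key=key)


def verify(received, payload=KEEPALIVE, key=b"cisco", **overrides):
    """Receiver side: recompute and compare in constant time. A mismatch means
    the segment is dropped, which is why a wrong password shows up as a
    session that never leaves Active/Connect rather than as an error."""
    return hmac.compare_digest(received, sign(payload, key, **overrides))
```

The digest authenticates and integrity-protects each segment (including the sequence numbers, which is what defeats blind RST and data injection) but encrypts nothing, so the UPDATEs remain readable to anyone on the path. RFC 2385 has been obsoleted by TCP-AO (RFC 5925), and `cisco` is a lab password; on a real peering use a long per-session secret.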
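The second added example simulates the dampening parameters configured on R3 (`set dampening 4 750 2000 16`), with constructed flap times; it is not IOS code. It makes two numbers visible that the requirement only hints at: the penalty ceiling implied by max-suppress-time is 750 × 2^(16/4) = 12000, and a penalty of 2000 needs 4 × log2(2000/750) ≈ 5.66 minutes to decay to the reuse limit, which is the "5 min" recovery. One caveat for the "2 flaps" part: the IOS command reference says a route is suppressed when its penalty exceeds the suppress limit, and the penalty decays between flaps, so two 1000-point flaps land at or just below 2000 and it is the next flap that actually suppresses; `show ip bgp dampening flap-statistics` on R3 shows the live penalty. The simulator decays continuously, while IOS decays in discrete ticks, so real values differ slightly.

```python
"""Added example (not from the original lab): simulate IOS route-flap dampening
with the page's values `dampening 4 750 2000 16`. Flap times are constructed."""
import math

HALF_LIFE_MIN = 4        # penalty halves every 4 minutes
REUSE = 750              # route is readvertised once the penalty decays below this
SUPPRESS = 2000          # route is suppressed once the penalty exceeds this
MAX_SUPPRESS_MIN = 16    # no route stays suppressed longer than this
FLAP_PENALTY = 1000      # IOS adds 1000 to the penalty per flap (withdrawal)


def decay(penalty, minutes):
    """Exponential decay of the penalty over `minutes` (continuous model)."""
    return penalty * 2 ** (-minutes / HALF_LIFE_MIN)


def max_penalty():
    """Ceiling implied by max-suppress-time: a penalty above this would stay
    suppressed longer than MAX_SUPPRESS_MIN, so IOS caps the penalty here."""
    return REUSE * 2 ** (MAX_SUPPRESS_MIN / HALF_LIFE_MIN)


def simulate(flap_times):
    """Apply flaps at the given minutes (ascending). Returns the penalty right
    after the last flap and whether the route is suppressed at that moment."""
    penalty, last_t = 0.0, None
    for t in flap_times:
        if last_t is not None:
            penalty = decay(penalty, t - last_t)
        penalty = min(penalty + FLAP_PENALTY, max_penalty())
        last_t = t
    return penalty, penalty > SUPPRESS


def minutes_until_reuse(penalty):
    """Minutes until a suppressed route's penalty decays to the reuse limit."""
    if penalty <= REUSE:
        return 0.0
    return HALF_LIFE_MIN * math.log2(penalty / REUSE)


def summary(flap_times):
    """Human-readable result for a flap pattern, e.g. summary([0, 0.5, 1.0])."""
    penalty, suppressed = simulate(flap_times)
    return {"penalty": round(penalty), "suppressed": suppressed,
            "reuse_in_min": round(minutes_until_reuse(penalty), 2)}
```

`simulate([0, 0])` (two flaps in the same instant) returns exactly 2000 and not suppressed; `simulate([0, 0.5, 1.0])` returns roughly 2758 and suppressed, after which `minutes_until_reuse` gives about 7.5 minutes. Twenty flaps in a row saturate at 12000, the longest suppression the configuration allows.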
Ending
- Some configuration may be missing from the text and some terminology may be non-standard; please bear with me.
- The configurations are saved on Aliyun Drive; here is the link: [分享的文件]
- Comments and messages are welcome.