Cisco BGP

Specify the router ID
(config-router)# bgp router-id <rid>

Neighbor configuration
(config)# router bgp <as>
(config-router)# neighbor <neighbor-ip> remote-as <neighbor-as>
If as and neighbor-as are the same, the neighbor is an iBGP neighbor; if they differ, it is an eBGP neighbor.
ps:
Neighbors must be reachable from each other; if necessary, use a static route or an IGP to provide the route to the neighbor.

Using a loopback for the neighbor relationship
(config-router)# neighbor <neighbor-ip> update-source <interface>

Mainly used to improve the fault tolerance of the neighbor session (the session survives the loss of a single physical link).

Setting the TTL for eBGP multihop
(config-router)# neighbor <neighbor-ip> ebgp-multihop <ttl>
The eBGP TTL defaults to 1. If the eBGP peer is more than one hop away, set an appropriate TTL so that the packets reach it and the neighbor relationship can be established.
ex: if the eBGP peer uses a loopback interface, then even when the peer is directly connected, the TTL must be at least 2 for packets to reach that loopback interface.
ps: the iBGP TTL default is not 1 (it is 255).

ex:
Use a loopback as the update source and add the eBGP neighbor on each side: r2 (2.2.2.2, AS 2) and r1 (1.1.1.1, AS 1)
r2(config)# router bgp 2
r2(config-router)# neighbor 1.1.1.1 remote-as 1
r2(config-router)# neighbor 1.1.1.1 ebgp-multihop 2
r2(config-router)# neighbor 1.1.1.1 update-source loopback1
r2(config-router)# interface loopback1
r2(config-if)# ip address 2.2.2.2 255.255.255.255
r1(config)# router bgp 1
r1(config-router)# neighbor 2.2.2.2 remote-as 2
r1(config-router)# neighbor 2.2.2.2 ebgp-multihop 2
r1(config-router)# neighbor 2.2.2.2 update-source loopback1
r1(config-router)# interface loopback1
r1(config-if)# ip address 1.1.1.1 255.255.255.255
(each router also needs a route to the other side's loopback, e.g. a static route, as noted in the ps above)


MD5 neighbor authentication
(config-router)# neighbor <neighbor-ip> password <key>
Both sides must be configured with the same key; the session then uses the TCP MD5 signature option, so segments without a valid digest (including forged RSTs) are dropped by TCP before BGP ever sees them.

Disabling a BGP neighbor
(config-router)# neighbor <neighbor-ip> shutdown
Forces the neighbor into the Idle state.

Routes whose BGP next hop is not reachable
When passing a route to an iBGP neighbor, rewrite the route's next hop to this router (not done by default), so that the neighbor can reach the destination through this router.
(config-router)# neighbor <neighbor-ip> next-hop-self
neighbor-ip is the IP of the iBGP neighbor that receives the rewritten routes.
For example, in a hub-and-spoke topology where a route from one spoke cannot reach another spoke, configuring this command on the hub router solves the problem.
ex:
Suppose show ip bgp shows the path's source as 1.1.1.1 from 10.1.2.1 (2.2.2.2).
Then the command neighbor 10.1.2.1 next-hop-self is needed to resolve the unreachable next hop 1.1.1.1.

Using BGP synchronization to avoid routing loops
(config-router)# synchronization
If the IGP cannot learn the route (it has not been redistributed into the IGP), it is advisable to disable synchronization, otherwise no route will be usable.
Disabled by default.
ps: in early releases it was enabled by default.

...

Route advertisement
Writes multiple routes into the BGP table.
There are two methods:
advertise a prefix with the network command, giving the ISP all matching routes
use redistribute, giving the ISP all matching routes

Advertising a prefix with the network command
(config)# router bgp <as>
(config-router)# network <prefix> [mask <mask>]

If no mask is given, the default classful mask is used.
ps:
If no mask is given and only part of the classless network exists in the routing table, nothing is added to the BGP table.
ex:
The following route is not advertised, because the network statement specifies 192.168.0.0/24, which does not match the route 192.168.0.0/16.
(config-router)# network 192.168.0.0
(config)# ip route 192.168.0.0 255.255.0.0 null0

If no mask is given and auto-summary is also enabled, then even when only part of the classless network exists, the classful network is added to the BGP table.

Using redistribute to give all matching routes to the ISP
ex:
Give the routes learned from OSPF to the ISP by redistribution.
(config)# ip prefix-list p1 permit 128.107.0.0/19 le 32
(config)# route-map m1 permit 10
(config-route-map)# match ip address prefix-list p1
(config)# router bgp 11
(config-router)# redistribute ospf 1 route-map m1

ps:
In this example, if OSPF learns several subnets, several subnets are given to the ISP.


Route summarization
Combines multiple routes into one entry written to the BGP table.
There are three methods:
 summarize in the IGP
 use the discard-route (null route) principle
 use BGP aggregation

Using the discard-route principle
(config)# router bgp <as>
(config-router)# network <prefix> [mask <mask>]
(config)# ip route <prefix> <mask> null0
ex:
Let the router summarize 200.52.1.192/27 and 200.52.1.0/24 into one entry before advertising.
(config-router)# network 200.52.1.0 mask 255.255.255.0
(config)# ip route 200.52.1.0 255.255.255.0 null0

Using BGP aggregation
(config)# router bgp <as>
(config-router)# aggregate-address <prefix> <mask> [summary-only]
If the BGP table contains the prefix or a more-specific route inside it, the prefix is advertised.
summary-only: suppresses advertisement of the more-specific routes; suppressed routes are marked with s in the BGP table.
ex:
Aggregate the specified routes into one entry before advertising to the ISP.
(config-router)# network 128.107.0.0 mask 255.255.224.0
(config-router)# aggregate-address 128.107.0.0 255.255.224.0 summary-only

ex:
Let the router summarize 200.52.1.192/27 and 200.52.1.0/24 into one entry before advertising.
(config-router)# network 200.52.1.192 mask 255.255.255.224
(config-router)# aggregate-address 200.52.1.0 255.255.255.0

 

...

 

Clearing neighbor sessions
#clear ip bgp <neighbor-ip|*> [soft] [in|out]
The default reset type is hard: it tears down the neighbor session and clears the entries learned from that neighbor.
* means all neighbors
[soft] resets both the advertised (outbound) and received (inbound) updates, using a soft reset
[out] resets only the advertised updates, as a soft reset
[in] resets only the received updates, as a soft reset
ps:
clear ip bgp <neighbor-ip> soft in consumes more processing resources
clear ip bgp <neighbor-ip> in consumes fewer processing resources
ps:
Normally clearing BGP re-learns all routes, which consumes a lot of resources.
There are two common solutions:
1. soft-reconfiguration: needs extra memory to store the received routes
2. the BGP Route Refresh capability: the better option, but the device must support it

 

Route filtering
(config-router)# neighbor <neighbor-ip> <filter-option> out
Prevents the organization's AS from becoming a transit AS.
filter-option supports prefix-list, distribute-list and route-map.

ps: the neighbor session must be cleared (or the device reloaded) before the filter takes effect.
ex:
Allow only the advertisement of 128.107.0.0/19 to be sent to neighbor 1.1.1.1.
prefix-list method:
(config)# ip prefix-list only-public permit 128.107.0.0/19
(config)# router bgp 11
(config-router)# neighbor 1.1.1.1 prefix-list only-public out
distribute-list method:
(config)# access-list 101 permit ip host 128.107.0.0 host 255.255.224.0
(config)# router bgp 11
(config-router)# neighbor 1.1.1.1 distribute-list 101 out
route-map method:
(config)# ip prefix-list only-public seq 5 permit 128.107.0.0/19
(config)# route-map only-public-rmap permit 10
(config-route-map)# match ip address prefix-list only-public
(config)# router bgp 11
(config-router)# neighbor 1.1.1.1 route-map only-public-rmap out
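As an added example (not part of the original post), the following Python models how IOS evaluates a prefix list, including the ge/le length bounds used by the "le 32" entry in the redistribute example above, and applies it as an outbound filter to a constructed BGP table built from prefixes shown on this page; the BGP_TABLE contents and the transit_leaks helper are assumptions made for illustration.

```python
import ipaddress

# IOS "ip prefix-list" entries as (action, prefix, ge, le), evaluated in
# sequence order with an implicit deny at the end. Constructed sample lists:
ONLY_PUBLIC = [("permit", "128.107.0.0/19", None, None)]      # exact /19 only
PUBLIC_AND_SUBNETS = [("permit", "128.107.0.0/19", None, 32)]  # "le 32": /19../32


def prefix_list_permits(plist, prefix_str):
    """Return True if the first matching entry permits prefix_str.

    An entry matches when the prefix lies inside the entry's network and its
    length is within [ge, le]; with neither ge nor le the length must equal
    the entry's own length, and "ge" alone means ge..32 (IOS semantics)."""
    prefix = ipaddress.ip_network(prefix_str)
    for action, net, ge, le in plist:
        net = ipaddress.ip_network(net)
        lo = ge if ge is not None else net.prefixlen
        hi = le if le is not None else (32 if ge is not None else net.prefixlen)
        if prefix.subnet_of(net) and lo <= prefix.prefixlen <= hi:
            return action == "permit"
    return False  # implicit deny, as on IOS


# Constructed BGP table for AS 11: the locally originated public block, one of
# its subnets, and routes learned from the eBGP peers shown on this page.
BGP_TABLE = [
    ("128.107.0.0/19", "local"),
    ("128.107.8.0/24", "local"),
    ("181.0.0.0/8", "1.1.1.1 (AS 1)"),
    ("192.135.250.0/28", "192.168.1.2 (AS 3)"),
]


def outbound_advertisements(plist, table):
    """Apply the prefix list as an outbound filter and return what is sent."""
    return [p for p, _src in table if prefix_list_permits(plist, p)]


def transit_leaks(plist, table):
    """Routes learned from another AS that the filter would still re-advertise:
    any entry here means this AS is acting as a transit AS for that route."""
    return [p for p, src in table
            if src != "local" and prefix_list_permits(plist, p)]


if __name__ == "__main__":
    print(outbound_advertisements(ONLY_PUBLIC, BGP_TABLE))         # ['128.107.0.0/19']
    print(outbound_advertisements(PUBLIC_AND_SUBNETS, BGP_TABLE))  # adds 128.107.8.0/24
    print(transit_leaks([("permit", "0.0.0.0/0", None, 32)], BGP_TABLE))  # permit-all leaks both
```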

...

Influencing the path to external destinations
Three path attributes can be adjusted:
weight
local_pref
as path

Set the weight of all routes learned from a neighbor
(config-router)# neighbor <neighbor-ip> weight <value>

This feature also supports route-maps.
weight only applies in the inbound direction, that is, it only adjusts learned routes.
ps: weight is a Cisco-proprietary attribute, so it is not carried in BGP updates (it never leaves the router).
ex:
Set the weight of all routes learned from neighbor 1.1.1.1 to 60
(config-router)# neighbor 1.1.1.1 weight 60

Set local_pref on routes learned from a neighbor
Supports route-maps, using set local-preference <value>

Set it for all learned routes
(config-router)# bgp default local-preference <value>

Prepend ASes to the as path of routes learned from a neighbor
Supports route-maps, using set as-path prepend <as1 [as2 ...]>
The prepended value should be the nearest AS.

ex:
For routes learned from neighbor 192.168.1.1, if the route is 180.0.0.0/8, then
set weight to 50,
set local_pref to 200 when advertising the route,
and prepend the nearest AS three times to the as path (e.g. AS 2)
1.
E1(config)# ip prefix-list p permit 180.0.0.0/8
2.1
E1(config)# route-map m permit 10
E1(config-route-map)# match ip address prefix-list p
E1(config-route-map)# set weight 50
E1(config-route-map)# set local-preference 200
E1(config-route-map)# set as-path prepend 2 2 2
2.2 permit all other routes
E1(config)# route-map m permit 20
3.
E1(config)# router bgp 11
E1(config-router)# neighbor 192.168.1.1 route-map m in

ps:
For the commands above to take effect, the neighbor session must be cleared first.

 

Influencing the path into the local AS
Use MED (multi-exit discriminator) to tell the neighboring AS the best path for entering the local AS.
Supports route-maps, using set metric <value>; metric defaults to 0, and a lower MED is preferred.

ex: tell the neighbors that to reach 128.100.0.0/16 they should prefer 1.1.1.1, with 192.168.1.2 as the second choice
1
(config)# route-map med1 permit 10
(config-route-map)# match ip address prefix-list p
(config-route-map)# set metric 10
(config)# route-map med2 permit 10
(config-route-map)# match ip address prefix-list p
(config-route-map)# set metric 20
2
(config)# ip prefix-list p permit 128.100.0.0/16
3
(config)# router bgp 11
(config-router)# neighbor 1.1.1.1 route-map med1 out
(config-router)# neighbor 192.168.1.2 route-map med2 out

ps:
The command bgp always-compare-med
forces the router to compare the MED of routes received from different ASes.
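As an added example (not the page's own code), this Python implements the first steps of the Cisco best-path order that the weight, local_pref, as-path and MED sections above adjust, and applies route-map m from the E1 example to show that a higher weight beats a shorter AS path; the Path class, the sample next hops and the neighbor ASes are constructed for illustration.

```python
from dataclasses import dataclass

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}  # IGP beats EGP beats incomplete

@dataclass
class Path:
    prefix: str
    next_hop: str
    neighbor_as: int       # AS of the peer the path came from; 0 = local origin
    as_path: list
    origin: str = "i"
    med: int = 0
    local_pref: int = 100
    weight: int = 0
    external: bool = True  # learned via eBGP; False for iBGP

def better(a, b, always_compare_med=False):
    """True if a beats b under the Cisco best-path order up to eBGP-over-iBGP;
    later tie-breakers (IGP metric, age, router ID) are omitted."""
    if a.weight != b.weight:
        return a.weight > b.weight
    if a.local_pref != b.local_pref:
        return a.local_pref > b.local_pref
    if (a.neighbor_as == 0) != (b.neighbor_as == 0):
        return a.neighbor_as == 0
    if len(a.as_path) != len(b.as_path):
        return len(a.as_path) < len(b.as_path)
    if a.origin != b.origin:
        return ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin]
    # MED (lower wins) is only compared between paths from the same neighbor
    # AS, unless "bgp always-compare-med" is configured.
    if a.med != b.med and (a.neighbor_as == b.neighbor_as or always_compare_med):
        return a.med < b.med
    if a.external != b.external:
        return a.external
    return False  # tie: the existing best path is kept

def best_path(paths, always_compare_med=False):
    best = paths[0]
    for p in paths[1:]:
        if better(p, best, always_compare_med):
            best = p
    return best

def apply_route_map_m(path):
    """Route-map m from the page: 180.0.0.0/8 gets weight 50, local_pref 200 and prepend 2 2 2."""
    if path.prefix == "180.0.0.0/8":
        path.weight, path.local_pref = 50, 200
        path.as_path = [2, 2, 2] + path.as_path
    return path
```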

........................................................................................ 


#show ip route
[omit...]
Gateway of last resort is 192.168.1.6 to network 0.0.0.0
O 185.0.0.0/8 [20/2] via 10.1.1.77, 00:15:44, FastEthernet0/0 //learned via eBGP (AD=20), metric manually set to 2

# show ip route 192.13.25.0 255.255.255.240
Routing entry for 192.13.25.0/28
 Known via "bgp 11", distance 20, metric 0  //route source is bgp 11, i.e. the router's own AS is 11
 Tag 3, type external             //this is an external route
 Last update from 192.168.1.2 00:10:27 ago
 Routing Descriptor Blocks:
 * 192.168.1.2, from 192.168.1.2, 00:10:27 ago //next hop is 192.168.1.2
  Route metric is 0, traffic share count is 1
  AS Hops 2                  //the AS path length is 2
  Route tag 3

... 

Showing why a path is not installed in the routing table
#show ip bgp rib-failure
Network Next Hop RIB-failure RIB-NH Matches
180.0.0.0/8 1.1.1.1 Higher admin distance n/a //because the AD is too high

Showing the BGP table
# show ip bgp

BGP table version is 78, local router ID is 11.11.11.11
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network NextHop Metric LocPrf Weight Path //the Network column is the NLRI, Metric is the MED, Path is the AS_PATH
* 0.0.0.0 192.168.1.2 0 0 3 i
*> 128.100.0.0/19 0.0.0.0  0 i     //next hop 0.0.0.0 means the route is an aggregate originated locally
*>     1.1.1.1 0 0 1 i
*> 181.0.0.0/8 1.1.1.1  0  1 2 111 i   //to reach 181.0.0.0/8, traffic passes through AS 1, 2 and 111
*> 182.0.0.0/8 1.1.1.1  0  1 2 222 i  //the ASes were added in the order 222, 2, 1, so the neighbor's AS is 1
*> 183.0.0.0/8 1.1.1.1  0  1 2 i
*> 184.0.0.0/8 1.1.1.1  0  1 2 i  //no i (internal) right after *> means the route was learned via eBGP
*> 185.0.0.0/8 1.1.1.1  0  1 2 i  // the ">" symbol marks the best path to this destination
* 192.135.250.0/28 1.1.1.1 0  1 2 3 4 i //there are two routes to 192.135.250.0/28; older paths are listed lower
*>     192.168.1.2  0  3 4 i    // no NLRI listed means the destination is the same as the previous line, 192.135.250.0/28

Showing a specific prefix in the BGP table
#show ip bgp <prefix> [mask]
The output looks roughly like this:
# show ip bgp 192.135.250.0
BGP routing table entry for 192.135.250.0/28, version 78
Paths: (2 available, best #2, table Default-IP-Routing-Table)
Advertised to update-groups:
  1
 1 2 3 4 //as path
  1.1.1.1 from 10.1.2.1 (2.2.2.2) //next hop is 1.1.1.1; the path was learned from neighbor 10.1.2.1, whose RID is 2.2.2.2
  Origin IGP, localpref 100, valid, internal     //internal means learned via iBGP; origin IGP means the route was originated from an IGP
 3 4
  192.168.1.2 from 192.168.1.2 (3.3.3.3)
  Origin IGP, localpref 100, valid, external, best //this is the best path, and external means it was learned via eBGP
ps:
If the prefix and mask are given as 0.0.0.0 0.0.0.0, the candidate default routes are listed.


Listing the number of prefixes learned from each neighbor
# show ip bgp summary

BGP router identifier 11.11.11.11, local AS number 11 //bgp rid=11.11.11.11, asn=11
BGP table version is 26, main routing table version 26
6 network entries using 792 bytes of memory //memory usage
7 path entries using 364 bytes of memory
6/4 BGP path/bestpath attribute entries using 888 bytes of memory
5 BGP AS-PATH entries using 120 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 1 (at peak 2) using 32 bytes of memory
BGP using 2196 total bytes of memory
BGP activity 12/6 prefixes, 38/31 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
1.1.1.1 4 1 60 61 26 0 0 00:45:01 6 //a numeric State/PfxRcd means the neighbor is Established; 6 prefixes have been received so far
192.168.1.2 4 3 153 159 26 0 0 00:38:13 Idle(Admin) //the neighbor was manually put into the Idle state

 

... 

Viewing BGP route filtering information and route maps, as well as notifications, updates, etc.
#show ip bgp neighbors <neighbor-ip> [received-routes|routes|advertised-routes]
where
received-routes: routes learned from neighbor-ip before the inbound filter is applied (this needs neighbor <neighbor-ip> soft-reconfiguration inbound, which keeps an unfiltered copy)
routes: routes currently in the BGP table, i.e. after the inbound filter
advertised-routes: routes advertised to neighbor-ip, after the outbound filter has been applied

ps:
Routes received in a BGP update pass through the inbound filter before entering the BGP table,
and routes about to be sent in a BGP update pass through the outbound filter before being advertised.

#show ip bgp neighbors 1.1.1.1 routes
BGP table version is 78, local router ID is 11.11.11.11
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
 Network Next Hop Metric LocPrf Weight Path
*> 0.0.0.0 1.1.1.1 0 0 1 i
*> 181.0.0.0/8 1.1.1.1 0 1 2 111 111 i
*> 182.0.0.0/8 1.1.1.1 0 1 2 222 i
*> 183.0.0.0/8 1.1.1.1 0 1 2 i
* 192.135.250.0/28 1.1.1.1 0 1 2 3 4 i

 

# show ip bgp neighbors 1.1.1.1
BGP neighbor is 1.1.1.1, remote AS 1, external link  //neighbor RID is 1.1.1.1, and it is an external link (eBGP)
 BGP version 4, remote router ID 1.1.1.1
 BGP state = Established, up for 00:45:08  //current state is Established
 Last read 00:00:02, last write 00:00:38, hold time is 180, keepalive interval is 60 seconds
 Neighbor capabilities:
  Route refresh: advertised and received(new) //route refresh is enabled
  Address family IPv4 Unicast: advertised and received
 Message statistics:
  InQ depth is 0
  OutQ depth is 0
          Sent Rcvd
  Opens: 2 2
  Notifications: 0 0
  Updates: 16 12
  Keepalives: 43 47
  Route Refresh: 0 0
  Total: 61 61
 Default minimum time between advertisement runs is 30 seconds
For address family: IPv4 Unicast
 BGP table version 26, neighbor version 26/0
 Output queue size : 0
 Index 1, Offset 0, Mask 0x2
 1 update-group member
          Sent Rcvd
 Prefix activity: -- --
  Prefixes Current: 6 6 (Consumes 312 bytes)
  Prefixes Total: 19 7
  Implicit Withdraw: 11 0
  Explicit Withdraw: 2 1
  Used as bestpath: n/a 5
  Used as multipath: n/a 0
          Outbound Inbound
 Local Policy Denied Prefixes: ---- ----
  AS_PATH loop: n/a 2
  Total: 0 2
 Number of NLRIs in the update sent: max 3, min 1
 Address tracking is enabled, the RIB does have a route to 1.1.1.1
 Connections established 2; dropped 1             //number of TCP connections this router has established
 Last reset 00:45:10, due to Peer closed the session
 External BGP neighbor may be up to 2 hops away.
 Transport(tcp) path-mtu-discovery is enabled
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Connection is ECN Disabled, Minimum incoming TTL 0, Outgoing TTL 2  //the ebgp-multihop TTL is set to 2
Local host: 11.11.11.11, Local port: 179              //the router's own TCP socket
Foreign host: 1.1.1.1, Foreign port: 28995             //the remote router's TCP socket
Connection tableid (VRF): 0

Enqueued packets for retransmit: 0, input: 0 mis-ordered: 0 (0 bytes)
Event Timers (current time is 0x8217A0):
Timer Starts Wakeups Next
Retrans 49 0 0x0
TimeWait 0 0 0x0
AckHold 49 46 0x0
SendWnd 0 0 0x0
KeepAlive 0 0 0x0
GiveUp 0 0 0x0
PmtuAger 0 0 0x0
DeadWait 0 0 0x0
Linger 0 0 0x0
ProcessQ 0 0 0x0
iss: 2070882650 snduna: 2070884280 sndnxt: 2070884280 sndwnd: 15890
irs: 3327995414 rcvnxt: 3327996693 rcvwnd: 16156 delrcvwnd: 228

SRTT: 300 ms, RTTO: 306 ms, RTV: 6 ms, KRTT: 0 ms
minRTT: 0 ms, maxRTT: 300 ms, ACK hold: 200 ms
Status Flags: passive open, gen tcbs
Option Flags: nagle, path mtu capable, md5  //md5 shows that the TCP MD5 option (neighbor password) is active on this session
IP Precedence value : 6

Datagrams (max data segment is 516 bytes):
Rcvd: 98 (out of order: 0), with data: 50, total data bytes: 1278
Sent: 99 (retransmit: 0, fastretransmit: 0, partialack: 0, Second Congestion: 0),
with data: 50, total data bytes: 1629
 Packets received in fast path: 0, fast processed: 0, slow path: 0
 fast lock acquisition failures: 0, slow path: 0

 

... 

#debug ip bgp
When a neighbor is manually shut down (neighbor <neighbor-ip> shutdown),
the following messages are produced:
*Aug 11 20:23:01.335: BGPNSF state: 1.1.1.1 went from nsf_not_active to nsf_not_active
*Aug 11 20:23:01.335: BGP: 1.1.1.1 went from Established to Idle //from the Established state to the Idle state
*Aug 11 20:23:01.335: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Down Admin. Shutdown

When the neighbor is manually brought out of the Idle state (no neighbor <neighbor-ip> shutdown),
the following messages are produced:
*Aug 11 20:23:26.571: BGP: 1.1.1.1 went from Idle to Active  //from the Idle state to the Active state
*Aug 11 20:23:26.571: BGP: 1.1.1.1 open active, local address 11.11.11.11
*Aug 11 20:23:26.575: BGP: 1.1.1.1 read request no-op
*Aug 11 20:23:26.575: BGP: 1.1.1.1 went from Active to OpenSent //from the Active state to the OpenSent state
*Aug 11 20:23:26.575: BGP: 1.1.1.1 sending OPEN, version 4, my as: 11, holdtime 180 seconds
*Aug 11 20:23:26.579: BGP: 1.1.1.1 send message type 1, length (incl. header) 45
*Aug 11 20:23:26.583: BGP: 1.1.1.1 rcv message type 1, length (excl. header) 26
*Aug 11 20:23:26.587: BGP: 1.1.1.1 rcv OPEN, version 4, holdtime 180 seconds
*Aug 11 20:23:26.587: BGP: 1.1.1.1 rcv OPEN w/ OPTION parameter len: 16
*Aug 11 20:23:26.587: BGP: 1.1.1.1 rcvd OPEN w/ optional parameter type 2 (Capability) len 6
*Aug 11 20:23:26.587: BGP: 1.1.1.1 OPEN has CAPABILITY code: 1, length 4
*Aug 11 20:23:26.587: BGP: 1.1.1.1 OPEN has MP_EXT CAP for afi/safi: 1/1
*Aug 11 20:23:26.587: BGP: 1.1.1.1 rcvd OPEN w/ optional parameter type 2 (Capability) len 2
*Aug 11 20:23:26.587: BGP: 1.1.1.1 OPEN has CAPABILITY code: 128, length 0
*Aug 11 20:23:26.587: BGP: 1.1.1.1 OPEN has ROUTE-REFRESH capability(old) for all address-families
*Aug 11 20:23:26.587: BGP: 1.1.1.1 rcvd OPEN w/ optional parameter type 2 (Capability) len 2
*Aug 11 20:23:26.587: BGP: 1.1.1.1 OPEN has CAPABILITY code: 2, length 0
*Aug 11 20:23:26.587: BGP: 1.1.1.1 OPEN has ROUTE-REFRESH capability(new) for all address-families BGP: 1.1.1.1 rcvd OPEN w/ remote AS 1
*Aug 11 20:23:26.587: BGP: 1.1.1.1 went from OpenSent to OpenConfirm //from the OpenSent state to the OpenConfirm state
*Aug 11 20:23:26.591: BGP: 1.1.1.1 went from OpenConfirm to Established //from the OpenConfirm state to the Established state
*Aug 11 20:23:26.591: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Up
*Aug 11 20:23:26.603: BGP_Router: unhandled major event code 128, minor 0

BGP neighbor 10.0.0.2 has no password configured;
the following message is produced:
*Mar 1 05:29:00.821 %TCP-6-BADAUTH:No MD5 digest from 10.0.0.2:179 to 10.0.0.1:11031

BGP neighbor 10.0.0.7 has a password configured, but it does not match;
the following message is produced:
*Mar 1 05:30:00.831 %TCP-6-BADAUTH:Invalid MD5 digest from 10.0.0.7:179 to 10.0.0.6:11037
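As an added example (not from the original post), a small Python check that turns the neighbor rows of show ip bgp summary shown above and the %BGP-5-ADJCHANGE and %TCP-6-BADAUTH syslog lines from this section into findings a monitoring job could act on; the sample rows and lines are constructed from the page's output, and the max_prefix ceiling is an assumed value.

```python
import re

# Constructed samples in the shapes shown on this page: "show ip bgp summary"
# neighbor rows, and syslog lines for an adjacency change and TCP MD5 failures.
SUMMARY_ROWS = """\
1.1.1.1 4 1 60 61 26 0 0 00:45:01 6
192.168.1.2 4 3 153 159 26 0 0 00:38:13 Idle(Admin)
"""
SYSLOG = """\
*Aug 11 20:23:01.335: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Down Admin. Shutdown
*Mar 1 05:29:00.821 %TCP-6-BADAUTH:No MD5 digest from 10.0.0.2:179 to 10.0.0.1:11031
*Mar 1 05:30:00.831 %TCP-6-BADAUTH:Invalid MD5 digest from 10.0.0.7:179 to 10.0.0.6:11037
"""

def parse_summary(text):
    """Columns: Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd.
    A numeric last column means Established and is the prefix count received."""
    peers = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 10:
            peers[f[0]] = {"as": int(f[2]), "state": f[-1]}
    return peers

def check_peers(peers, max_prefix=10):
    """Flag peers that are not Established or that exceed a prefix ceiling (assumed value)."""
    findings = []
    for ip, p in peers.items():
        if not p["state"].isdigit():
            findings.append((ip, "not established: " + p["state"]))
        elif int(p["state"]) > max_prefix:
            findings.append((ip, f"{p['state']} prefixes exceeds {max_prefix}"))
    return findings

ADJ = re.compile(r"%BGP-5-ADJCHANGE: neighbor (\S+) (Up|Down)(?: (.*))?$")
BADAUTH = re.compile(r"%TCP-6-BADAUTH:(No|Invalid) MD5 digest from ([\d.]+):(\d+) to ([\d.]+):(\d+)")

def alerts_from_syslog(text):
    """'No MD5 digest' = the remote side sent no password; 'Invalid' = key mismatch."""
    alerts = []
    for line in text.splitlines():
        m = ADJ.search(line)
        if m and m.group(2) == "Down":
            alerts.append(("adjacency_down", m.group(1), (m.group(3) or "").strip()))
        m = BADAUTH.search(line)
        if m:
            kind = "missing_md5" if m.group(1) == "No" else "invalid_md5"
            alerts.append((kind, m.group(2), f"to {m.group(4)}:{m.group(5)}"))
    return alerts
```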

 

Published 2012-08-21 23:20:21, last modified 2012-10-23 22:21:18
