Thread starter: wade2007

Cisco IOS Cookbook, Condensed Chinese Edition

#21, posted 2008-09-30 15:33
9.1.  Configuring BGP

Problem: Enable BGP on the network.

Solution

Router1 is in AS 65500:

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#interface Serial0

Router1(config-if)#ip address 192.168.55.6 255.255.255.252

Router1(config-if)#exit

Router1(config)#router bgp 65500

Router1(config-router)#network 192.168.1.0

Router1(config-router)#neighbor 192.168.55.5 remote-as 65501

Router1(config-router)#no synchronization

Router1(config-router)#exit

Router1(config)#end

Router1#

Router2 is in AS 65501:

Router2#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router2(config)#interface Serial0

Router2(config-if)#ip address 192.168.55.5 255.255.255.252

Router2(config-if)#exit

Router2(config)#router bgp 65501

Router2(config-router)#network 172.25.17.0 mask 255.255.255.0

Router2(config-router)#neighbor 192.168.55.6 remote-as 65500

Router2(config-router)#no synchronization

Router2(config-router)#exit

Router2(config)#end

Router2#

Discussion: A useful command when verifying BGP is:

Router1#show ip bgp summary

BGP router identifier 192.168.99.5, local AS number 65500

BGP table version is 7, main routing table version 7

4 network entries and 4 paths using 484 bytes of memory

2 BGP path attribute entries using 196 bytes of memory

BGP activity 11/7 prefixes, 11/7 paths



Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd

192.168.55.5    4 65501      17      18        7    0    0 00:12:38        2

172.25.2.2      4 65531     527     526        0    0    0 21:05:23 Active

Router1#

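Note that ideally the State column shows a number. Active does not mean the configuration is working; on the contrary, it means something is misconfigured. The neighbor 172.20.1.2 update-source Loopback0 command restricts the source address of BGP packets to the loopback address, but you must make sure that address is reachable.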

9.2.  Using eBGP Multihop

Problem: Configure external BGP with a router that is not directly connected.

Solution

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#ip route 172.20.1.2 255.255.255.255 192.168.1.5 2

Router1(config)#router bgp 65500

Router1(config-router)#neighbor 172.20.1.2 remote-as 65530

Router1(config-router)#neighbor 172.20.1.2 update-source Loopback0

Router1(config-router)#neighbor 172.20.1.2 ebgp-multihop 3

Router1(config-router)#exit

Router1(config)#end

Router1#

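Discussion: By default eBGP routers must be directly connected; if they are not, this command is required. One view is that the hop count should be as small as possible, but RFC 3682 says that for security it is better to make it as large as possible. Cisco adopted this recommendation from 12.3(7)T onward with the neighbor 192.168.55.5 ttl-security hops 1 command, which drops all BGP packets whose TTL is less than 255-1=254. If the remote eBGP neighbor does not support this feature, it must be configured with the following command: neighbor 192.168.55.6 ebgp-multihop 255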



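9.3.  Adjusting the Next-Hop Attribute

Problem: Change the next-hop attribute when advertising routes between iBGP peers so that it points to an address inside the local AS.

Solution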

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#router bgp 65500

Router1(config-router)#neighbor 192.168.1.6 remote-as 65500

Router1(config-router)#neighbor 192.168.1.6 next-hop-self

Router1(config-router)#exit

Router1(config)#end

Router1#

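Discussion: Normally the next-hop attribute is not changed between iBGP peers; it is only changed over eBGP. The address therefore points to the eBGP neighbor, and routers inside the AS often have no route to that address.

9.4.  Connecting to Two ISPs

Problem: Connect one router to two ISPs for network redundancy.

Solution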

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#interface Serial0

Router1(config-if)#description connection to ISP #1, ASN 65510

Router1(config-if)#ip address 192.168.1.6 255.255.255.252

Router1(config-if)#exit

Router1(config)#interface Serial1

Router1(config-if)#description connection to ISP #2, ASN 65520

Router1(config-if)#ip address 192.168.2.6 255.255.255.252

Router1(config-if)#exit

Router1(config)#interface Ethernet0

Router1(config-if)#description connection to internal network, ASN 65500

Router1(config-if)#ip address 172.18.5.2 255.255.255.0

Router1(config-if)#exit

Router1(config)#router bgp 65500

Router1(config-router)#network 172.18.5.0 mask 255.255.255.0

Router1(config-router)#neighbor 192.168.1.5 remote-as 65510

Router1(config-router)#neighbor 192.168.2.5 remote-as 65520

Router1(config-router)#no synchronization

Router1(config-router)#exit

Router1(config)#end

Router1#

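Discussion: Note that this is not the best configuration. It can cause the internal AS to become a transit AS for the two ISPs, and it also causes your router to receive too many routes.

9.5.  Two Routers, Each Connected to a Different ISP

Problem: The internal AS has two routers, each connected to a different ISP, for network redundancy.

Solution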

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#interface Serial0

Router1(config-if)#description connection to ISP #1, ASN 65510

Router1(config-if)#ip address 192.168.1.6 255.255.255.252

Router1(config-if)#exit

Router1(config)#interface Ethernet0

Router1(config-if)#description connection to internal network, ASN 65500

Router1(config-if)#ip address 172.18.5.2 255.255.255.0

Router1(config-if)#exit

Router1(config)#ip as-path access-list 15 permit ^$

Router1(config)#router bgp 65500

Router1(config-router)#network 172.18.5.0 mask 255.255.255.0

Router1(config-router)#neighbor 172.18.5.3 remote-as 65500

Router1(config-router)#neighbor 172.18.5.3 next-hop-self

Router1(config-router)#neighbor 192.168.1.5 remote-as 65510

Router1(config-router)#neighbor 192.168.1.5 filter-list 15 out

Router1(config-router)#no synchronization

Router1(config-router)#exit

Router1(config)#end

Router1#

Router2#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router2(config)#interface Serial1

Router2(config-if)#description connection to ISP #2, ASN 65520

Router2(config-if)#ip address 192.168.2.6 255.255.255.252

Router2(config-if)#exit

Router2(config)#interface Ethernet0

Router2(config-if)#description connection to internal network, ASN 65500

Router2(config-if)#ip address 172.18.5.3 255.255.255.0

Router2(config-if)#exit

Router2(config)#ip as-path access-list 15 permit ^$

Router2(config)#router bgp 65500

Router2(config-router)#network 172.18.5.0 mask 255.255.255.0

Router2(config-router)#neighbor 192.168.2.5 remote-as 65520

Router2(config-router)#neighbor 192.168.2.5 filter-list 15 out

Router2(config-router)#neighbor 172.18.5.2 remote-as 65500

Router2(config-router)#neighbor 172.18.5.2 next-hop-self

Router2(config-router)#no synchronization

Router2(config-router)#exit

Router2(config)#end

Router2#

Discussion
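Added example, not part of the original post: a Python model of the receive-side TTL check that section 9.2 describes for ttl-security hops 1 (accept only TTL >= 255-1=254), compared with a receiver that performs no TTL check. The scenarios are constructed, and the default eBGP TTL of 1 for a directly connected peer is an assumption of the model.

```python
"""Model of the receive-side TTL check behind `neighbor ... ttl-security hops N`."""

MAX_TTL = 255          # largest value the 8-bit IP TTL field can hold
DEFAULT_EBGP_TTL = 1   # assumption: TTL a directly connected eBGP speaker sends by default


def ttl_on_arrival(initial_ttl, router_hops):
    """TTL the receiver sees after `router_hops` routers forwarded the packet.

    Every forwarding router decrements TTL by one and drops the packet when
    it reaches zero, so None means the packet never arrived.
    """
    remaining = initial_ttl - router_hops
    return remaining if remaining > 0 else None


def accepted(arrival_ttl, ttl_security_hops=None):
    """Receiver decision: with ttl-security, require TTL >= 255 - hops."""
    if arrival_ttl is None:
        return False
    if ttl_security_hops is None:
        # No TTL check configured: any packet that arrives is processed.
        return True
    return arrival_ttl >= MAX_TTL - ttl_security_hops


def evaluate(scenarios, ttl_security_hops):
    """Return {label: (arrival_ttl, accepted_without_check, accepted_with_check)}."""
    results = {}
    for label, initial_ttl, router_hops in scenarios:
        ttl = ttl_on_arrival(initial_ttl, router_hops)
        results[label] = (ttl, accepted(ttl), accepted(ttl, ttl_security_hops))
    return results


# Constructed scenarios: (label, TTL set by the sender, routers between sender and us)
SCENARIOS = [
    ("adjacent peer sending TTL 255", MAX_TTL, 0),         # ttl-security or ebgp-multihop 255
    ("adjacent peer, default eBGP TTL", DEFAULT_EBGP_TTL, 0),
    ("off-path sender 5 routers away", MAX_TTL, 5),        # cannot arrive above 250
]

if __name__ == "__main__":
    for label, row in evaluate(SCENARIOS, ttl_security_hops=1).items():
        print(f"{label:35} arrival_ttl={row[0]} no_check={row[1]} hops_1={row[2]}")
```

The second scenario is the case the post mentions: a peer that still sends the default TTL is rejected by the checking side until it is configured to send 255.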

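#22, posted 2008-09-30 15:34

9.6.  Restricting Networks Advertised to a BGP Peer

Problem: Prevent specific routes from being advertised to the peer AS.

Solution

There are three methods. The first is an extended ACL: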

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#access-list 105 deny ip host 172.25.0.0 host 255.255.0.0

Router1(config)#access-list 105 permit ip any any

Router1(config)#route-map ACL-RT-FILTER permit 10

Router1(config-route-map)#match ip address 105

Router1(config-route-map)#exit

Router1(config)#route-map ACL-RT-FILTER deny 20

Router1(config-route-map)#exit

Router1(config)#router bgp 65500

Router1(config-router)#neighbor 192.168.1.5 remote-as 65510

Router1(config-router)#neighbor 192.168.1.5 route-map ACL-RT-FILTER in

Router1(config-router)#exit

Router1(config)#end

Router1#

The second is a distribute-list:

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#access-list 106 deny ip host 172.25.0.0 host 255.255.0.0

Router1(config)#access-list 106 permit ip any any

Router1(config)#router bgp 65500

Router1(config-router)#neighbor 192.168.1.5 remote-as 65510

Router1(config-router)#neighbor 192.168.1.5 distribute-list 106 in

Router1(config-router)#exit

Router1(config)#end

Router1#

The third, and the most commonly used, is prefix lists:

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#ip prefix-list PREFIX-FILTER seq 10 deny 172.25.0.0/16

Router1(config)#ip prefix-list PREFIX-FILTER seq 20 permit 0.0.0.0/0 le 32

Router1(config)#router bgp 65500

Router1(config-router)#neighbor 192.168.1.5 remote-as 65510

Router1(config-router)#neighbor 192.168.1.5 prefix-list PREFIX-FILTER in

Router1(config-router)#exit

Router1(config)#end

Router1#



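Discussion: The extended ACL used in the first two methods is rather unusual: the first host is the subnet and the second host is the subnet mask, not the usual destination address, so host 172.25.0.0 host 255.255.0.0 stands for the network 172.25.0.0/16. A normal ACL cannot control classless networks. The third method, the prefix list, is therefore recommended; it supports sequence numbers, which help you modify and insert entries. ge means greater than and le means less than, and they control the subnet mask; permit 0.0.0.0/0 le 32 is permit any in disguise.

9.7.  Adjusting the Local Preference Attribute

Problem: Adjust the local preference attribute to control route selection.

Solution

The first method is global: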

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#router bgp 65500

Router1(config-router)#bgp default local-preference 200

Router1(config-router)#exit

Router1(config)#end

Router1#

The second method uses a route map:

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#ip prefix-list LOW_LP_PREFIXES seq 10 permit 172.22.0.0/16

Router1(config)#route-map LOCALPREF permit 10

Router1(config-route-map)#match ip address prefix-list LOW_LP_PREFIXES

Router1(config-route-map)#set local-preference 50

Router1(config-route-map)#exit

Router1(config)#route-map LOCALPREF permit 20

Router1(config-route-map)#exit

Router1(config)#router bgp 65500

Router1(config-router)#neighbor 192.168.1.5 remote-as 65510

Router1(config-router)#neighbor 192.168.1.5 route-map LOCALPREF in

Router1(config-router)#exit

Router1(config)#end

Router1#

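Discussion: The local preference attribute is only meaningful inside the local AS, and it ranks above AS path in route selection. The higher the value, the higher the priority; the default is 100. The show ip bgp command shows the local preference of each route.

9.8.  Load Balancing

Problem: Load-balance traffic over multiple links between BGP neighbors.

Solution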

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#router bgp 65500

Router1(config-router)#maximum-paths 4

Router1(config-router)#exit

Router1(config)#end

Router1#

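Discussion: Normally BGP route selection ensures there is only one path; this command raises that to four, but all attribute values must be identical, including MED. Note also that this load balancing applies only to outbound traffic, not inbound traffic.

9.9.  Removing Private ASNs from the AS Path

Problem: Keep private ASNs used in the internal network from propagating to the Internet.

Solution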

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#interface Serial0

Router1(config-if)#description connection to ISP #1, ASN 1

Router1(config-if)#ip address 192.168.1.6 255.255.255.252

Router1(config-if)#exit

Router1(config)#interface Serial1

Router1(config-if)#description connection to private network, ASN 65500

Router1(config-if)#ip address 192.168.5.1 255.255.255.252

Router1(config-if)#exit

Router1(config)#router bgp 2

Router1(config-router)#neighbor 192.168.5.2 remote-as 65500

Router1(config-router)#neighbor 192.168.1.5 remote-as 1

Router1(config-router)#neighbor 192.168.1.5 remove-private-AS

Router1(config-router)#no synchronization

Router1(config-router)#exit

Router1(config)#end

Router1#

Discussion: Note that this command cannot remove private ASNs that sit between public ASNs.
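Added example, not part of the original post: a small Python evaluator for the PREFIX-FILTER prefix list from section 9.6, showing which received routes it permits or denies. It models first-match evaluation with an implicit deny, treats ge as a minimum and le as a maximum prefix length, and includes a second list (PREFIX-FILTER-LE, a constructed name that is not on the page) to show what adding le 32 to the deny entry changes.

```python
import ipaddress
import re

ENTRY_RE = re.compile(
    r"ip prefix-list (?P<name>\S+) seq (?P<seq>\d+) (?P<action>permit|deny) "
    r"(?P<prefix>\S+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$"
)

# The list from section 9.6 of the post.
PAGE_LIST = """
ip prefix-list PREFIX-FILTER seq 10 deny 172.25.0.0/16
ip prefix-list PREFIX-FILTER seq 20 permit 0.0.0.0/0 le 32
"""

# Constructed variant (hypothetical name): le 32 extends the deny to more-specifics.
COVERING_LIST = """
ip prefix-list PREFIX-FILTER-LE seq 10 deny 172.25.0.0/16 le 32
ip prefix-list PREFIX-FILTER-LE seq 20 permit 0.0.0.0/0 le 32
"""


def parse_prefix_list(config_text):
    """Parse `ip prefix-list` lines into (seq, action, network, ge, le), ordered by seq."""
    entries = []
    for line in config_text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        ge = int(m["ge"]) if m["ge"] else None
        le = int(m["le"]) if m["le"] else None
        entries.append((int(m["seq"]), m["action"], ipaddress.ip_network(m["prefix"]), ge, le))
    return sorted(entries, key=lambda e: e[0])


def length_range(network, ge, le):
    """Prefix lengths an entry matches: exact length unless ge and/or le widen it."""
    if ge is None and le is None:
        return network.prefixlen, network.prefixlen
    low = ge if ge is not None else network.prefixlen
    high = le if le is not None else network.max_prefixlen
    return low, high


def evaluate(entries, route):
    """Return (action, seq) of the first matching entry, or the implicit deny."""
    route = ipaddress.ip_network(route)
    for seq, action, network, ge, le in entries:
        low, high = length_range(network, ge, le)
        if route.subnet_of(network) and low <= route.prefixlen <= high:
            return action, seq
    return "deny", None  # implicit deny at the end of every prefix list


if __name__ == "__main__":
    # Constructed sample routes received from the neighbor.
    routes = ["172.25.0.0/16", "172.25.1.0/24", "10.0.0.0/8", "0.0.0.0/0"]
    for title, text in (("page list", PAGE_LIST), ("with le 32", COVERING_LIST)):
        entries = parse_prefix_list(text)
        for r in routes:
            print(f"{title:11} {r:16} -> {evaluate(entries, r)}")
```

Without ge or le an entry matches only the exact prefix length, so the page's seq 10 denies 172.25.0.0/16 itself while 172.25.1.0/24 falls through to seq 20 and is permitted.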

#23, posted 2008-09-30 15:34

9.10.  Filtering Routes Based on the AS Path

Problem: Filter routes based on the AS path of received or sent routes.

Solution

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#ip as-path access-list 15 permit ^65501$

Router1(config)#ip as-path access-list 25 permit _65530_

Router1(config)#ip as-path access-list 25 deny _65531$

Router1(config)#ip as-path access-list 25 permit .*

Router1(config)#router bgp 65500

Router1(config-router)#neighbor 192.168.1.5 remote-as 65510

Router1(config-router)#neighbor 192.168.1.5 filter-list 15 in

Router1(config-router)#neighbor 192.168.2.5 remote-as 65520

Router1(config-router)#neighbor 192.168.2.5 filter-list 25 out

Router1(config-router)#exit

Router1(config)#end

Router1#

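Discussion: Filtering by regular expression.

9.11.  Reducing the Size of the Received Routing Table

Problem: Reduce the size of the received routing table by summarizing the routes received.

Solution

Use default routes to filter out the excess external routes: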

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#ip route 0.0.0.0 0.0.0.0 192.168.101.0 1

Router1(config)#ip route 0.0.0.0 0.0.0.0 192.168.102.0 2

Router1(config)#ip prefix-list CREATE-DEFAULT seq 10 permit 192.168.101.0/24

Router1(config)#ip prefix-list CREATE-DEFAULT seq 20 permit 192.168.102.0/24

Router1(config)#router bgp 65500

Router1(config-router)#neighbor 192.168.1.5 remote-as 65520

Router1(config-router)#neighbor 192.168.1.5 prefix-list CREATE-DEFAULT in

Router1(config-router)#exit

Router1(config)#end

Router1#

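Discussion

9.12.  Summarizing Outbound Routing Information

Problem: Summarize routes before sending the routing table to downstream routers.

Solution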

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#router bgp 65500

Router1(config-router)#neighbor 192.168.1.5 remote-as 65520

Router1(config-router)#auto-summary

Router1(config-router)#exit

Router1(config)#end

Router1#

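Discussion: This is the default behavior, but the summarization is classful and applies only to redistributed routes, not to routes configured with the network command. Cisco uses the following command to summarize outbound routes: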

Router3(config)#router bgp 65530

Router3(config-router)#aggregate-address 172.20.0.0 255.252.0.0 summary-only

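The summary-only option advertises only the summary route; without it, both the summary route and the subnet routes are sent. To avoid loops, adding the as-set option is recommended.

9.13.  Prepending ASNs to the AS Path

Problem: Influence BGP route selection by increasing the number of ASNs in the AS path.

Solution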

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#ip as-path access-list 15 permit ^$

Router1(config)#route-map PREPEND permit 10

Router1(config-route-map)#match as-path 15

Router1(config-route-map)#set as-path prepend 65500 65500 65500

Router1(config-route-map)#exit

Router1(config)#route-map PREPEND permit 20

Router1(config-route-map)#exit

Router1(config)#router bgp 65500

Router1(config-router)#neighbor 192.168.1.5 remote-as 65510

Router1(config-router)#neighbor 192.168.1.5 route-map PREPEND out

Router1(config-router)#exit

Router1(config)#end

Router1#

Discussion: This is a way to influence inbound traffic.

9.14.  Redistributing Routes into BGP

Problem: Redistribute between an IGP and BGP.

Solution

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#router ospf 100

Router1(config-router)#network 172.26.0.0 0.0.255.255 area 0

Router1(config-router)#redistribute bgp 65500 metric 500 subnets

Router1(config-router)#exit

Router1(config)#router bgp 65500

Router1(config-router)#neighbor 192.168.1.5 remote-as 65520

Router1(config-router)#network 172.26.0.0

Router1(config-router)#exit

Router1(config)#end

Router1#



Router2(config)#route-map REDIST permit 5

Router2(config-route-map)#match tag 123

Router2(config-route-map)#exit

Router2(config)#route-map REDIST deny 10

Router2(config-route-map)#match route-type external

Router2(config-route-map)#exit

Router2(config)#route-map REDIST permit 20

Router2(config-route-map)#exit

Router2(config)#router bgp 65520

Router2(config-router)#redistribute eigrp 99 route-map REDIST metric 500

Discussion

9.15.  Using Peer Groups

Problem: Use groups to simplify the configuration of multiple neighbors that share the same attributes.

Solution

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#router bgp 65500

Router1(config-router)#neighbor EBGP-PEERS peer-group

Router1(config-router)#neighbor EBGP-PEERS prefix-list PRE-RTFILTER in

Router1(config-router)#neighbor EBGP-PEERS filter-list 15 out

Router1(config-router)#neighbor 192.168.1.5 remote-as 65520

Router1(config-router)#neighbor 192.168.1.5 peer-group EBGP-PEERS

Router1(config-router)#neighbor 192.168.1.9 remote-as 65521

Router1(config-router)#neighbor 192.168.1.9 peer-group EBGP-PEERS

Router1(config-router)#neighbor 192.168.1.13 remote-as 65522

Router1(config-router)#neighbor 192.168.1.13 peer-group EBGP-PEERS

Router1(config-router)#neighbor 192.168.1.17 remote-as 65523

Router1(config-router)#neighbor 192.168.1.17 peer-group EBGP-PEERS

Router1(config-router)#exit

Router1(config)#end

Router1#

Discussion: This can of course also be applied to iBGP neighbors:

Router1(config)#router bgp 65500

Router1(config-router)#neighbor IBGP-PEERS peer-group

Router1(config-router)#neighbor IBGP-PEERS update-source Loopback0

Router1(config-router)#neighbor IBGP-PEERS route-reflector-client

Router1(config-router)#neighbor 192.168.101.5 remote-as 65500

Router1(config-router)#neighbor 192.168.101.5 peer-group IBGP-PEERS

Router1(config-router)#neighbor 192.168.101.9 remote-as 65500

Router1(config-router)#neighbor 192.168.101.9 peer-group IBGP-PEERS



9.16.  BGP Neighbor Authentication

Problem: Use authentication to improve security.

Solution

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#router bgp 65500

Router1(config-router)#neighbor 192.168.55.5 remote-as 65501

Router1(config-router)#neighbor 192.168.55.5 password password-1234

Router1(config-router)#exit

Router1(config)#end

Router1#

Discussion

9.17.  Using BGP Communities

Problem: Use BGP communities to control routes.

Solution

First, use a route map to set the desired community values for the neighbor:

Router3#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router3(config)#ip prefix-list 10.101/16 seq 5 permit 10.101.0.0/16

Router3(config)#ip prefix-list 10.102/16 seq 5 permit 10.102.0.0/16

Router3(config)#ip prefix-list 10.103/16 seq 5 permit 10.103.0.0/16

Router3(config)#ip prefix-list 10.104/16 seq 5 permit 10.104.0.0/16

Router3(config)#ip prefix-list 10.105/16 seq 5 permit 10.105.0.0/16

Router3(config)#route-map APPLY_COMMUNITY_A permit 10

Router3(config-route-map)#match ip address prefix-list 10.101/16

Router3(config-route-map)#set community no-advertise

Router3(config-route-map)#exit

Router3(config)#route-map APPLY_COMMUNITY_A permit 20

Router3(config-route-map)#match ip address prefix-list 10.102/16

Router3(config-route-map)#set community no-export

Router3(config-route-map)#exit

Router3(config)#route-map APPLY_COMMUNITY_A permit 30

Router3(config-route-map)#match ip address prefix-list 10.103/16

Router3(config-route-map)#set community local-AS

Router3(config-route-map)#exit

Router3(config)#route-map APPLY_COMMUNITY_A permit 40

Router3(config-route-map)#match ip address prefix-list 10.104/16

Router3(config-route-map)#set community internet

Router3(config-route-map)#exit

Router3(config)#route-map APPLY_COMMUNITY_A permit 50

Router3(config-route-map)#match ip address prefix-list 10.105/16

Router3(config-route-map)#set community 4293328976

Router3(config-route-map)#exit

Router3(config)#route-map APPLY_COMMUNITY_A permit 100

Router3(config-route-map)#exit

Router3(config)#router bgp 65500

Router3(config-router)#no synchronization

Router3(config-router)#neighbor 172.18.5.3 remote-as 65500

Router3(config-router)#neighbor 172.18.5.3 next-hop-self

Router3(config-router)#neighbor 172.18.5.3 send-community both

Router3(config-router)#neighbor 172.18.5.10 remote-as 65500

Router3(config-router)#neighbor 172.18.5.10 next-hop-self

Router3(config-router)#neighbor 172.18.5.10 send-community both

Router3(config-router)#neighbor 192.168.1.9 remote-as 65520

Router3(config-router)#neighbor 192.168.1.9 send-community both

Router3(config-router)#neighbor 192.168.1.9 route-map APPLY_COMMUNITY_A in

Router3(config-router)#exit

Router3(config)#end

Router3#

On the downstream router, configure it so that it can propagate the community values:

Router2#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router2(config)#router bgp 65500

Router2(config-router)#no synchronization

Router2(config-router)#neighbor 172.18.5.4 remote-as 65500

Router2(config-router)#neighbor 172.18.5.4 send-community both

Router2(config-router)#neighbor 172.18.5.10 remote-as 65500

Router2(config-router)#neighbor 172.18.5.10 send-community both

Router2(config-router)#no auto-summary

Router2(config-router)#exit

Router2(config)#end

Router2#

Discussion: The scope of route advertisement is limited by defining four different community values: local-as, no-advertise, no-export and internet.
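Added example, not part of the original post: a Python evaluator for the AS-path access lists used above, namely the ^$ list from sections 9.5 and 9.13 and list 25 from section 9.10, run over constructed AS paths. It assumes the AS path is written as space-separated ASNs (an empty string for locally originated routes) and translates only the IOS "_" delimiter token into Python regex syntax.

```python
import re

# IOS "_" matches a delimiter: start or end of the path, space, comma, brace or parenthesis.
IOS_UNDERSCORE = r"(?:^|$|[ ,{}()])"

# Lines taken from the post: list 15 as in 9.5/9.13, list 25 as in 9.10.
CONFIG = """
ip as-path access-list 15 permit ^$
ip as-path access-list 25 permit _65530_
ip as-path access-list 25 deny _65531$
ip as-path access-list 25 permit .*
"""

LINE_RE = re.compile(r"ip as-path access-list (\d+) (permit|deny) (\S+)$")


def parse(config_text):
    """Return {list_number: [(action, ios_pattern, compiled_regex), ...]} in config order."""
    acls = {}
    for line in config_text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        number, action, pattern = m.groups()
        compiled = re.compile(pattern.replace("_", IOS_UNDERSCORE))
        acls.setdefault(int(number), []).append((action, pattern, compiled))
    return acls


def evaluate(acl, as_path):
    """First matching entry wins; a path that matches nothing hits the implicit deny."""
    for action, pattern, compiled in acl:
        if compiled.search(as_path):
            return action, pattern
    return "deny", None


# Constructed AS paths ("" is a route originated in the local AS).
SAMPLE_PATHS = [
    "",
    "65530",
    "65510 65531",
    "65510 65530 65531",
    "65510 165530 65520",
]

if __name__ == "__main__":
    acls = parse(CONFIG)
    for number in (15, 25):
        for path in SAMPLE_PATHS:
            print(f"list {number}  {path!r:24} -> {evaluate(acls[number], path)}")
```

List 15 permits only the empty path, which is what keeps routes learned from one ISP from being re-advertised to the other. In list 25 the order matters: a path that crosses 65530 and ends in 65531 is permitted by the first entry before the deny is reached.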

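#24, posted 2008-09-30 15:36

9.18.  Using BGP Route Reflectors

Problem: Use route reflectors to simplify iBGP neighbor relationships.

Solution

Only the configurations for the three different router roles are needed.

Router1 is a client peer: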

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#interface Ethernet0/0

Router1(config-if)#ip address 172.18.5.2 255.255.255.0

Router1(config-if)#exit

Router1(config)#interface Serial0/0

Router1(config-if)#ip address 192.168.1.6 255.255.255.252

Router1(config-if)#exit

Router1(config)#interface Loopback0

Router1(config-if)#ip address 172.18.6.1 255.255.255.255

Router1(config-if)#exit

Router1(config)#router bgp 65500

Router1(config-router)#no synchronization

Router1(config-router)#neighbor 172.18.6.2 remote-as 65500

Router1(config-router)#neighbor 172.18.6.2 next-hop-self

Router1(config-router)#neighbor 172.18.6.2 update-source Loopback0

Router1(config-router)#neighbor 192.168.1.5 remote-as 65510

Router1(config-router)#exit

Router1(config)#ip route 172.18.6.2 255.255.255.255 172.18.5.3

Router1(config)#ip route 172.18.6.3 255.255.255.255 172.18.5.4

Router1(config)#ip route 172.18.6.4 255.255.255.255 172.18.5.10

Router1(config)#end

Router1#

Router4 is a nonclient peer:

Router4#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router4(config)#interface Ethernet0

Router4(config-if)#ip address 172.18.5.10 255.255.255.0

Router4(config-if)#exit

Router4(config)#interface Loopback0

Router4(config-if)#ip address 172.18.6.4 255.255.255.255

Router4(config-if)#exit

Router4(config)#router bgp 65500

Router4(config-router)#no synchronization

Router4(config-router)#neighbor 172.18.6.2 remote-as 65500

Router4(config-router)#neighbor 172.18.6.2 update-source Loopback0

Router4(config-router)#exit

Router4(config)#ip route 172.18.6.1 255.255.255.255 172.18.5.2

Router4(config)#ip route 172.18.6.2 255.255.255.255 172.18.5.3

Router4(config)#ip route 172.18.6.3 255.255.255.255 172.18.5.4

Router4(config)#end

Router4#

R2 is the route reflector:

Router2#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router2(config)#interface FastEthernet0/0

Router2(config-if)#ip address 172.18.5.3 255.255.255.0

Router2(config-if)#exit

Router2(config)#interface Loopback0

Router2(config-if)#ip address 172.18.6.2 255.255.255.255

Router2(config-if)#exit

Router2(config)#router bgp 65500

Router2(config-router)#no synchronization

Router2(config-router)#neighbor 172.18.6.1 remote-as 65500

Router2(config-router)#neighbor 172.18.6.1 route-reflector-client

Router2(config-router)#neighbor 172.18.6.1 update-source Loopback0

Router2(config-router)#neighbor 172.18.6.3 remote-as 65500

Router2(config-router)#neighbor 172.18.6.3 route-reflector-client

Router2(config-router)#neighbor 172.18.6.3 update-source Loopback0

Router2(config-router)#neighbor 172.18.6.4 remote-as 65500

Router2(config-router)#neighbor 172.18.6.4 update-source Loopback0

Router2(config-router)#no auto-summary

Router2(config-router)#exit

Router2(config)#ip route 172.18.6.1 255.255.255.255 172.18.5.2

Router2(config)#ip route 172.18.6.3 255.255.255.255 172.18.5.4

Router2(config)#ip route 172.18.6.4 255.255.255.255 172.18.5.10

Router2(config)#end

Router2#



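Discussion: Route reflectors solve the problem of iBGP requiring a full mesh. For redundancy, however, you should still configure multiple route reflectors, and use the bgp cluster-id 1234 command to define the cluster.

9.19.  Combined Lab

Problem: Combining the earlier methods, reconfigure the case of one router with two redundant links.

Solution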

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#interface Serial0

Router1(config-if)#description connection to ISP #1, ASN 65510

Router1(config-if)#ip address 192.168.1.6 255.255.255.252

Router1(config-if)#exit

Router1(config)#interface Serial1

Router1(config-if)#description connection to ISP #2, ASN 65520

Router1(config-if)#ip address 192.168.2.6 255.255.255.252

Router1(config-if)#exit

Router1(config)#interface Ethernet0

Router1(config-if)#description connection to internal network, ASN 65500

Router1(config-if)#ip address 172.18.5.2 255.255.255.0

Router1(config-if)#exit

Router1(config)#ip as-path access-list 15 permit ^$

Router1(config)#ip route 0.0.0.0 0.0.0.0 192.168.101.0 1

Router1(config)#ip route 0.0.0.0 0.0.0.0 192.168.102.0 2

Router1(config)#ip prefix-list CREATE-DEFAULT seq 10 permit 192.168.101.0/24

Router1(config)#ip prefix-list CREATE-DEFAULT seq 20 permit 192.168.102.0/24

Router1(config)#ip prefix-list BLOCK-DEFAULT seq 10 permit 0.0.0.0/0 ge 1

Router1(config)#route-map PREPEND permit 10

Router1(config-route-map)#set as-path prepend 65500 65500

Router1(config-route-map)#exit

Router1(config)#route-map LOCALPREF permit 10

Router1(config-route-map)#set local-preference 75

Router1(config-route-map)#exit

Router1(config)#route-map DEFAULT-ROUTE permit 10

Router1(config-route-map)#match ip address prefix-list CREATE-DEFAULT

Router1(config-route-map)#exit

Router1(config)#router bgp 65500

Router1(config-router)#network 172.18.5.0 mask 255.255.255.0

Router1(config-router)#neighbor 172.18.5.3 remote-as 65500

Router1(config-router)#neighbor 172.18.5.3 password password_number1

Router1(config-router)#neighbor 172.18.5.3 default-originate route-map DEFAULT-ROUTE

Router1(config-router)#neighbor 192.168.1.5 remote-as 65510

Router1(config-router)#neighbor 192.168.1.5 password password_number2

Router1(config-router)#neighbor 192.168.1.5 filter-list 15 out

Router1(config-router)#neighbor 192.168.1.5 prefix-list CREATE-DEFAULT in

Router1(config-router)#neighbor 192.168.1.5 prefix-list BLOCK-DEFAULT out

Router1(config-router)#neighbor 192.168.2.5 remote-as 65520

Router1(config-router)#neighbor 192.168.2.5 password password_number3

Router1(config-router)#neighbor 192.168.2.5 filter-list 15 out

Router1(config-router)#neighbor 192.168.2.5 prefix-list CREATE-DEFAULT in

Router1(config-router)#neighbor 192.168.2.5 prefix-list BLOCK-DEFAULT out

Router1(config-router)#neighbor 192.168.2.5 route-map PREPEND out

Router1(config-router)#neighbor 192.168.2.5 route-map LOCALPREF in

Router1(config-router)#no synchronization

Router1(config-router)#exit

Router1(config)#end

Router1#

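#25, posted 2008-09-30 15:36

10.1.  Configuring Frame Relay with Point-to-Point Subinterfaces

Problem: Configure Frame Relay so that each PVC belongs to its own subinterface.

Solution

Central site configuration: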

Central#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Central(config)#interface Serial0

Central(config-if)#description Frame-Relay host circuit

Central(config-if)#no ip address

Central(config-if)#encapsulation frame-relay

Central(config-if)#exit

Central(config)#interface Serial0.1 point-to-point

Central(config-subif)#description PVC to first branch - DLCI 101

Central(config-subif)#ip address 192.168.1.5 255.255.255.252

Central(config-subif)#frame-relay interface-dlci 101

Central(config-fr-dlci)#exit

Central(config-subif)#exit

Central(config)#interface Serial0.2 point-to-point

Central(config-subif)#description PVC to second branch - DLCI 102

Central(config-subif)#ip address 192.168.1.9 255.255.255.252

Central(config-subif)#frame-relay interface-dlci 102

Central(config-fr-dlci)#exit

Central(config-subif)#exit

Central(config)#end

Central#

Branch configuration:

Branch1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Branch1(config)#interface Serial0

Branch1(config-if)#description Frame-Relay circuit

Branch1(config-if)#no ip address

Branch1(config-if)#encapsulation frame-relay

Branch1(config-if)#exit

Branch1(config)#interface Serial0.1 point-to-point

Branch1(config-subif)#description PVC to Central host - DLCI 50

Branch1(config-subif)#ip address 192.168.1.6 255.255.255.252

Branch1(config-subif)#frame-relay interface-dlci 50

Branch1(config-fr-dlci)#exit

Branch1(config-subif)#exit

Branch1(config)#end

Branch1#

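Discussion: Point-to-point subinterfaces are probably the simplest way to configure Frame Relay. When connecting to non-Cisco equipment you may need to set the packet encapsulation manually to the standard IETF format (RFC1490), either with encapsulation frame-relay ietf on the interface or with frame-relay interface-dlci 101 ietf on the subinterface. When you enable Frame Relay the router automatically activates Inverse ARP, and the mappings are usually configured automatically, so we generally do not need no frame-relay inverse-arp. Also note that in interface Serial0.1 point-to-point the subinterface mode at the end must not be mistyped; otherwise you have to delete the wrong one and then reboot before it can be changed.



10.2.  Adjusting LMI Options

Problem: Configure a different LMI type on a Frame Relay circuit.

Solution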

Branch1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Branch1(config)#interface Serial0

Branch1(config-if)#encapsulation frame-relay

Branch1(config-if)#frame-relay lmi-type ansi  (cisco,q933a)

Branch1(config-if)#exit

Branch1(config)#end

Branch1#

By default LMI keepalive packets are sent every ten seconds; this interval can also be adjusted:

Branch1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Branch1(config)#interface Serial0

Branch1(config-if)#encapsulation frame-relay

Branch1(config-if)#keepalive 5

Branch1(config-if)#exit

Branch1(config)#end

Branch1#

For networks that do not support LMI, the router must be configured to announce its own DLCI:

Branch1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Branch1(config)#interface Serial0

Branch1(config-if)#encapsulation frame-relay

Branch1(config-if)#frame-relay local-dlci 50

Branch1(config-if)#exit

Branch1(config)#end

Branch1#

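Discussion: In the last example, where LMI is not supported, using no keepalive to turn off LMI polling is recommended.

#26, posted 2008-09-30 15:37

10.3.  Configuring with the map Command

Problem: Have all PVCs share the same interface.

Solution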

Central#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Central(config)#interface Serial0

Central(config-if)#description Frame Relay to branches

Central(config-if)#ip address 192.168.1.1 255.255.255.0

Central(config-if)#encapsulation frame-relay

Central(config-if)#frame-relay map ip 192.168.1.10 101

Central(config-if)#frame-relay map ip 192.168.1.11 102

Central(config-if)#frame-relay map ip 192.168.1.12 103

Central(config-if)#exit

Central(config)#end

Central#

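Discussion: Section 10.1 used point-to-point subinterfaces. The map method in this section and the multipoint subinterfaces in the next section are similar implementations, but for network management point-to-point can generate a trap for each PVC, whereas the latter two cannot raise an alarm for each individual link. Also, because Frame Relay is an NBMA network, the form frame-relay map ip 192.168.1.10 101 broadcast is recommended so that broadcast packets can pass.

10.4.  Using Multipoint Subinterfaces

Problem: Have all PVCs share the same interface.

Solution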

Central#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Central(config)#interface Serial0.1 multipoint

Central(config-subif)#description Frame Relay to branches

Central(config-subif)#ip address 192.168.1.1 255.255.255.0

Central(config-subif)#frame-relay interface-dlci 101

Central(config-subif)#frame-relay interface-dlci 102

Central(config-subif)#frame-relay interface-dlci 103

Central(config-subif)#frame-relay interface-dlci 104

Central(config-subif)#exit

Central(config)#end

Central#

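Discussion: The biggest difference with this configuration is that no mappings need to be configured; it uses Inverse ARP, so Inverse ARP cannot be disabled in this mode. You can verify with the show frame-relay map command.

10.5.  Configuring Frame Relay SVCs

Problem: Configure the router to support Frame Relay SVCs.

Solution

SVC with subinterfaces: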

Central#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Central(config)#interface Serial0

Central(config-if)#encapsulation frame-relay

Central(config-if)#frame-relay lmi-type q933a

Central(config-if)#frame-relay svc

Central(config-if)#exit

Central(config)#interface Serial0.10 point-to-point

Central(config-subif)#ip address 192.168.1.129 255.255.255.252

Central(config-subif)#frame-relay interface-dlci 100

Central(config-subif)#map-group SVCMAP

Central(config-fr-dlci)#class SVCclass

Central(config-fr-dlci)#exit

Central(config-subif)# exit

Central(config)#map-list SVCMAP source-addr X121 1234 dest-addr X121 4321

Central(config-map-list)#ip 192.168.55.6 class SVCclass ietf

Central(config-map-list)#exit

Central(config)#map-class frame-relay SVCclass

Central(config-map-class)#frame-relay traffic-rate 56000 128000

Central(config-map-class)#exit

Central(config)#end

Central#

SVC without subinterfaces:

Central#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Central(config)#interface Serial0

Central(config-if)#ip address 192.168.55.1 255.255.255.0

Central(config-if)#encapsulation frame-relay

Central(config-if)#frame-relay lmi-type q933a

Central(config-if)#frame-relay svc

Central(config-if)#map-group SVCMAP

Central(config-if)#frame-relay interface-dlci 50

Central(config-fr-dlci)#class SVCclass

Central(config-fr-dlci)#exit

Central(config-if)#exit

Central(config)#map-list SVCMAP source-addr X121 1234 dest-addr X121 4321

Central(config-map-list)#ip 192.168.55.6 class SVCclass ietf

Central(config-map-list)#exit

Central(config)#map-class frame-relay SVCclass

Central(config-map-class)#frame-relay traffic-rate 56000 128000

Central(config-map-class)#exit

Central(config)#end

Central#

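Discussion: By default the SVC is torn down after 120 seconds of idle time; this can be changed with the frame-relay idle-timer command. Verify with show frame-relay svc maplist SVCMAP. Networks generally use PVCs; SVCs are used to save cost but add complexity and management difficulty, and the router can add or remove links automatically.

#27, posted 2008-09-30 15:37

10.6.  Simulating a Frame Relay Cloud

Problem: Use a router to simulate a Frame Relay switch.

Solution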

Cloud#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Cloud(config)#frame-relay switching

Cloud(config)#interface Serial0

Cloud(config-if)#description Frame-relay connection to Central - DLCI 50

Cloud(config-if)#encapsulation frame-relay

Cloud(config-if)#clock rate 125000

Cloud(config-if)#frame-relay lmi-type cisco

Cloud(config-if)#frame-relay intf-type dce

Cloud(config-if)#frame-relay route 101 interface Serial1 50

Cloud(config-if)#frame-relay route 102 interface Serial2 50

Cloud(config-if)#exit

Cloud(config)#interface Serial1

Cloud(config-if)#description Frame-relay connection to Branch1 - DLCI 101

Cloud(config-if)#encapsulation frame-relay

Cloud(config-if)#clock rate 125000

Cloud(config-if)#frame-relay lmi-type cisco

Cloud(config-if)#frame-relay intf-type dce

Cloud(config-if)#frame-relay route 50 interface Serial0 101

Cloud(config-if)#exit

Cloud(config)#interface Serial2

Cloud(config-if)#description Frame-relay connection to Branch2 - DLCI 102

Cloud(config-if)#encapsulation frame-relay

Cloud(config-if)#clock rate 125000

Cloud(config-if)#frame-relay lmi-type cisco

Cloud(config-if)#frame-relay intf-type dce

Cloud(config-if)#frame-relay route 50 interface Serial0 102

Cloud(config-if)#exit

Cloud(config)#end

Cloud#

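Discussion: This kind of simulation does not support SVCs, and its support for traffic shaping and BECN-related features is not very good. Use the show frame-relay route command to view the current circuit-switching configuration.

10.7.  Frame Relay Compression with Subinterface Configuration

Problem: Configure Frame Relay compression on an interface

Solution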

Central#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Central(config)#interface Serial0

Central(config-if)#encapsulation frame-relay

Central(config-if)#frame-relay ip tcp header-compression passive

Central(config-if)#frame-relay payload-compression frf9 stac (packet-by-packet)

Central(config-if)#exit

Central(config)#end

Central#



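Discussion: The passive parameter means compression is used only after compressed packets have been received. For the compression mode, the open standard FRF.9 is recommended. The show frame-relay ip tcp header-compression command shows the compression statistics.

10.8.  Frame Relay Compression with the map Command

Problem: Configure Frame Relay compression with the map command

Solution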

Central#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Central(config)#interface Serial0

Central(config-if)#description Frame Relay to branches

Central(config-if)#ip address 192.168.1.1 255.255.255.0

Central(config-if)#encapsulation frame-relay

Central(config-if)#frame-relay map ip 192.168.1.10 101 payload-compression frf9 stac

Central(config-if)#exit

Central(config)#end

Central#

Discussion

10.9.  PPP over Frame Relay

Problem: Configure PPP encapsulation on a Frame Relay link

Solution

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#interface Loopback1

Router1(config-if)#ip address 10.1.200.5 255.255.255.252

Router1(config-if)#exit

Router1(config)#interface Virtual-Template1

Router1(config-if)#ip unnumbered Loopback1

Router1(config-if)#encapsulation ppp

Router1(config-if)#exit

Router1(config)#interface Serial0

Router1(config-if)#no ip address

Router1(config-if)#encapsulation frame-relay

Router1(config-if)#exit

Router1(config)#interface Serial0.1 point-to-point

Router1(config-subif)#frame-relay interface-dlci 104 ppp Virtual-Template1

Router1(config-fr-dlci)#exit

Router1(config-subif)#exit

Router1(config)#end

Router1#

Discussion: A bit odd…

10.10.  Viewing Frame Relay Status

Problem: View the Frame Relay status

Solution

Central#show interfaces Serial0

Central#show frame-relay pvc

Central#show frame-relay lmi
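A consistency check for the switching table in recipe 10.6, as an added example that is not part of the original post: it parses the `frame-relay route` statements and reports any entry whose return path is missing. The config text is a constructed copy of the route lines above, and the function names are hypothetical.

```python
import re

# Constructed copy of the route statements from the Cloud router in recipe 10.6.
CLOUD_CONFIG = """
interface Serial0
 frame-relay route 101 interface Serial1 50
 frame-relay route 102 interface Serial2 50
interface Serial1
 frame-relay route 50 interface Serial0 101
interface Serial2
 frame-relay route 50 interface Serial0 102
"""

ROUTE_RE = re.compile(r"frame-relay route (\d+) interface (\S+) (\d+)")

def parse_routes(config):
    """Return {(in_interface, in_dlci): (out_interface, out_dlci)}."""
    routes, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            current = line.split()[1]
        else:
            m = ROUTE_RE.fullmatch(line)
            if m and current:
                routes[(current, int(m.group(1)))] = (m.group(2), int(m.group(3)))
    return routes

def one_way_routes(routes):
    """List entries whose reverse mapping is missing or points elsewhere."""
    return sorted(src for src, dst in routes.items() if routes.get(dst) != src)

def switch(routes, interface, dlci):
    """Forward one frame: (out_interface, out_dlci), or None if no route exists."""
    return routes.get((interface, dlci))

if __name__ == "__main__":
    table = parse_routes(CLOUD_CONFIG)
    print("one-way routes:", one_way_routes(table))
    print("Serial0 DLCI 101 ->", switch(table, "Serial0", 101))
```

A PVC configured in only one direction carries frames one way and drops the replies, so a non-empty result points at the interface to fix.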

Post 28, posted 2008-09-30 15:38
11.1.  Fast Switching and CEF

Problem: Configure the router to use the most efficient packet-switching algorithm

Solution

Fast Switching is enabled by default

Router#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)#interface FastEthernet0/0

Router(config-if)#ip route-cache

Router(config-if)#exit

Router(config)#end

Router#

If policies are used, the following command is needed

Router#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)#interface FastEthernet0/0

Router(config-if)#ip route-cache policy

Router(config-if)#exit

Router(config)#end

Router#

CEF is not enabled by default; enable it globally and on the interface

Router#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)#ip cef

Router(config)#interface FastEthernet0/0

Router(config-if)#ip route-cache cef

Router(config-if)#exit

Router(config)#end

Router#

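Discussion: Besides the policy parameter above, there is also the following parameter, which ensures that ingress and egress are on the same physical interface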

Router(config)#interface Serial0/0

Router(config-if)#ip route-cache same-interface

The following commands can be used to verify: show cef interface, show cef drop, show cef not-cef-switched, and show ip cef

Post 29, posted 2008-09-30 15:39
11.2.  Setting the DSCP or TOS Bits

Problem: Have the router mark the DSCP or TOS bits of specific packets

Solution

Router#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)#access-list 101 permit tcp any eq ftp any

Router(config)#access-list 101 permit tcp any any eq ftp

Router(config)#access-list 102 permit tcp any eq ftp-data any

Router(config)#access-list 102 permit tcp any any eq ftp-data

Router(config)#class-map match-all ser00-ftpcontrol

Router(config-cmap)#description branch ftp control traffic

Router(config-cmap)#match input-interface serial0/0

Router(config-cmap)#match access-group 101

Router(config-cmap)#exit

Router(config)#class-map match-all ser00-ftpdata

Router(config-cmap)#description branch ftp data traffic

Router(config-cmap)#match input-interface serial0/0

Router(config-cmap)#match access-group 102

Router(config-cmap)#exit

Router(config)#policy-map serialftppolicy

Router(config-pmap)#description branch ftp traffic policy

Router(config-pmap)#class ser00-ftpcontrol

Router(config-pmap-c)#set ip precedence immediate

Router(config-pmap-c)#exit

Router(config-pmap)#class ser00-ftpdata

Router(config-pmap-c)#set ip precedence priority

Router(config-pmap-c)#exit

Router(config-pmap)#exit

Router(config)#interface serial0/0

Router(config-if)#ip route-cache policy

Router(config-if)#service-policy input serialftppolicy

Router(config-if)#exit

Router(config)#end

Router#

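Discussion: First use a class map to define the specific traffic flows, then use a policy map to mark the TOS bits

Post 30, posted 2008-09-30 15:40
11.3.  Using Priority Queuing

Problem: Use priority queuing, a strict scheme, to ensure that high-priority data is processed first

Solution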

Router#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)#access-list 101 permit ip any any precedence 5 tos 12

Router(config)#access-list 102 permit ip any any precedence 4

Router(config)#access-list 103 permit ip any any precedence 3

Router(config)#priority-list 1 protocol ip high list 101

Router(config)#priority-list 1 protocol ip medium list 102

Router(config)#priority-list 1 protocol ip normal list 103

Router(config)#priority-list 1 default low

Router(config)#interface Ethernet0

Router(config-if)#priority-group 1

Router(config-if)#exit

Router(config)#end

Router#

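Discussion: Using priority queuing alone can let high-priority data take up all of the bandwidth. precedence 5 tos 12 is equivalent to dscp ef. By default, packets that match nothing are placed in the normal priority queue; this example explicitly configures them to go to the low priority queue. The show interface command shows the default size of each queue (20 for high, 40 for medium, increasing in the same steps)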

Output queue (queue priority: size/max/drops):

     high: 0/20/0, medium: 0/40/0, normal 0/60/0, low 0/80/0

These can be changed with the Router(config)#priority-list 1 queue-limit 10 15 25 35 command. It is recommended to use LLQ or CBWFQ instead of priority queuing alone
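The starvation effect described in recipe 11.3, as an added example that is not part of the original post: a small model of priority-list 1 with the default queue limits from the show interface output. It assumes a link that sends one packet per tick; the function names and the traffic mix are constructed for illustration.

```python
from collections import deque

QUEUES = ["high", "medium", "normal", "low"]
# Default queue limits as reported by show interface in the recipe.
LIMITS = {"high": 20, "medium": 40, "normal": 60, "low": 80}

def tos_byte(precedence, tos=0):
    """Build the IPv4 ToS byte: 3 precedence bits, 4 ToS bits, 1 unused bit."""
    return (precedence << 5) | (tos << 1)

def classify(tos):
    """Mirror priority-list 1: ACL 101 -> high, 102 -> medium, 103 -> normal, else low."""
    precedence, tos_bits = tos >> 5, (tos >> 1) & 0xF
    if precedence == 5 and tos_bits == 12:
        return "high"
    if precedence == 4:
        return "medium"
    if precedence == 3:
        return "normal"
    return "low"

def simulate(arrivals_per_tick, ticks, limits=LIMITS):
    """Strict priority: each tick, enqueue the arrivals (tail drop when full), then
    send ONE packet from the highest-priority non-empty queue.
    Returns (sent, dropped) counters per queue."""
    queues = {q: deque() for q in QUEUES}
    sent = dict.fromkeys(QUEUES, 0)
    dropped = dict.fromkeys(QUEUES, 0)
    for _ in range(ticks):
        for tos in arrivals_per_tick:
            q = classify(tos)
            if len(queues[q]) < limits[q]:
                queues[q].append(tos)
            else:
                dropped[q] += 1
        for q in QUEUES:
            if queues[q]:
                queues[q].popleft()
                sent[q] += 1
                break
    return sent, dropped

if __name__ == "__main__":
    ef = tos_byte(5, 12)            # 0xB8; the top six bits are DSCP 46 (EF)
    print(simulate([ef, tos_byte(0)], ticks=200))
```

With one EF packet and one best-effort packet arriving every tick, the high queue uses every transmit slot: the low queue fills to its limit of 80 and every later best-effort packet is tail-dropped.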