论坛徽章:: 0

电梯直达

1楼 [收藏(0)] [报告]

发表于 2008-01-10 09:41 |只看该作者 |倒序浏览

Configuring BGP
提问在网络中启用BGP
回答
Route1在AS 65500中
Router1#configure terminal
Enter configuration commands, one per line.    End with CNTL/Z.
Router1(config)#interface Serial0
Router1(config-if)#ip address 192.168.55.6 255.255.255.252
Router1(config-if)#exit
Router1(config)#router bgp 65500
Router1(config-router)#network 192.168.1.0
Router1(config-router)#neighbor 192.168.55.5 remote-as 65501
Router1(config-router)#no synchronization
Router1(config-router)#exit
Router1(config)#end
Router1#
Router2在AS 65501中
Router2#configure terminal
Enter configuration commands, one per line.    End with CNTL/Z.
Router2(config)#interface Serial0
Router2(config-if)#ip address 192.168.55.5 255.255.255.252
Router2(config-if)#exit
Router2(config)#router bgp 65501
Router2(config-router)#network 172.25.17.0 mask 255.255.255.0
Router2(config-router)#neighbor 192.168.55.6 remote-as 65500
Router2(config-router)#no synchronization
Router2(config-router)#exit
Router2(config)#end
Router2#
注释在对BGP验证的时候比较有用的命令是
Router1#show ip bgp summary
BGP router identifier 192.168.99.5, local AS number 65500
BGP table version is 7, main routing table version 7
4 network entries and 4 paths using 484 bytes of memory
2 BGP path attribute entries using 196 bytes of memory
BGP activity 11/7 prefixes, 11/7 paths
Neighbor          V    AS MsgRcvd MsgSent    TblVer    InQ OutQ Up/Down    State/PfxRcd
192.168.55.5    4 65501       17       18          7    0    0 00:12:38          2
172.25.2.2       4 65531       527       526          0    0    0 21:05:23 Active
Router1#
需要注意的是理想状态是State里面是数字，尽管是Active也不代表是配置正常，反而是配置出现错误。通过neighbor 172.20.1.2 update-source Loopback0 命令来限制BGP数据包源地址为回环地址，但要确保此地址的连通性
9.2.    使用eBGP Multihop
提问配置外部BGP，但是不是直连的路由器
回答
Router1#configure terminal
Enter configuration commands, one per line.    End with CNTL/Z.
Router1(config)#ip route 172.20.1.2 255.255.255.255 192.168.1.5 2
Router1(config)#router bgp 65500
Router1(config-router)#neighbor 172.20.1.2 remote-as 65530
Router1(config-router)#neighbor 172.20.1.2 update-source Loopback0
Router1(config-router)#neighbor 172.20.1.2 ebgp-multihop 3
Router1(config-router)#exit
Router1(config)#end
Router1#
注释缺省情况下eBGP的路由器必须是直连的，如果不是直连的就需要使用此命令。一种说法是此跳数越小越好，但是RFC 3682说为了安全还是越大越好，思科在12.3(7)T后也采用了这个建议，使用了neighbor 192.168.55.5 ttl-security hops 1 命令，此命令会丢弃所有TTL小于255-1＝254的BGP数据包，这时候如果对端eBGP邻居不支持此特性就必须使用下面的命令来配置neighbor 192.168.55.6 ebgp-multihop 255
9.3.    调整Next-Hop属性值
提问在iBGP之间宣告路由时候修改下一跳属性值，使其指向内部AS的地址
回答
Router1#configure terminal
Enter configuration commands, one per line.    End with CNTL/Z.
Router1(config)#router bgp 65500
Router1(config-router)#neighbor 192.168.1.6 remote-as 65500
Router1(config-router)#neighbor 192.168.1.6 next-hop-self
Router1(config-router)#exit
Router1(config)#end
Router1#
注释正常情况下iBGP之间下一跳属性值是不会修改的，只会在eBGP时会进行修改，而此地址会指向eBGP邻居的地址，而往往内部AS的路由器没有到达此地址的路由。
9.4.    连接两个ISPs
提问一台路由器连接两个ISP，保证网络冗余
回答
Router1#configure terminal
Enter configuration commands, one per line.    End with CNTL/Z.
Router1(config)#interface Serial0
Router1(config-if)#description connection to ISP #1, ASN 65510
Router1(config-if)#ip address 192.168.1.6 255.255.255.252
Router1(config-if)#exit
Router1(config)#interface Serial1
Router1(config-if)#description connection to ISP #2, ASN 65520
Router1(config-if)#ip address 192.168.2.6 255.255.255.252
Router1(config-if)#exit
Router1(config)#interface Ethernet0
Router1(config-if)#description connection to internal network, ASN 65500
Router1(config-if)#ip address 172.18.5.2 255.255.255.0
Router1(config-if)#exit
Router1(config)#router bgp 65500
Router1(config-router)#network 172.18.5.0 mask 255.255.255.0
Router1(config-router)#neighbor 192.168.1.5 remote-as 65510
Router1(config-router)#neighbor 192.168.2.5 remote-as 65520
Router1(config-router)#no synchronization
Router1(config-router)#exit
Router1(config)#end
Router1#
注释注意此配置不是最佳配置，可能导致内部AS称为两个ISP的transit AS，同时导致自己路由器接收过多路由
9.5.    两台路由器分别连接两个ISP
提问内部AS有两台路由器，分别连两个ISP保证网络冗余
回答
Router1#configure terminal
Enter configuration commands, one per line.    End with CNTL/Z.
Router1(config)#interface Serial0
Router1(config-if)#description connection to ISP #1, ASN 65510
Router1(config-if)#ip address 192.168.1.6 255.255.255.252
Router1(config-if)#exit
Router1(config)#interface Ethernet0
Router1(config-if)#description connection to internal network, ASN 65500
Router1(config-if)#ip address 172.18.5.2 255.255.255.0
Router1(config-if)#exit
Router1(config)#ip as-path access-list 15 permit ^$
Router1(config)#router bgp 65500
Router1(config-router)#network 172.18.5.0 mask 255.255.255.0
Router1(config-router)#neighbor 172.18.5.3 remote-as 65500
Router1(config-router)#neighbor 172.18.5.3 next-hop-self
Router1(config-router)#neighbor 192.168.1.5 remote-as 65510
Router1(config-router)#neighbor 192.168.1.5 filter-list 15 out
Router1(config-router)#no synchronization
Router1(config-router)#exit
Router1(config)#end
Router1#
Router2#configure terminal
Enter configuration commands, one per line.    End with CNTL/Z.
Router2(config)#interface Serial1
Router2(config-if)#description connection to ISP #2, ASN 65520
Router2(config-if)#ip address 192.168.2.6 255.255.255.252
Router2(config-if)#exit
Router2(config)#interface Ethernet0
Router2(config-if)#description connection to internal network, ASN 65500
Router2(config-if)#ip address 172.18.5.3 255.255.255.0
Router2(config-if)#exit
Router2(config)#ip as-path access-list 15 permit ^$
Router2(config)#router bgp 65500
Router2(config-router)#network 172.18.5.0 mask 255.255.255.0
Router2(config-router)#neighbor 192.168.2.5 remote-as 65520
Router2(config-router)#neighbor 192.168.2.5 filter-list 15 out
Router2(config-router)#neighbor 172.18.5.2 remote-as 65500
Router2(config-router)#neighbor 172.18.5.2 next-hop-self
Router2(config-router)#no synchronization
Router2(config-router)#exit
Router2(config)#end
Router2#
9.6.    限制向BGP 对端的网络宣告
提问限制特定的路由公告给对端的AS
回答
有三种方法，第一种是扩展ACL
Router1#configure terminal
Enter configuration commands, one per line.    End with CNTL/Z.
Router1(config)#access-list 105 deny ip host 172.25.0.0 host 255.255.0.0
Router1(config)#access-list 105 permit ip any any
Router1(config)#route-map ACL-RT-FILTER permit 10
Router1(config-route-map)#match ip address 105
Router1(config-route-map)#exit
Router1(config)#route-map ACL-RT-FILTER deny 20
Router1(config-route-map)#exit
Router1(config)#router bgp 65500
Router1(config-router)#neighbor 192.168.1.5 remote-as 65510
Router1(config-router)#neighbor 192.168.1.5 route-map ACL-RT-FILTER in
Router1(config-router)#exit
Router1(config)#end
Router1#
第二种是使用distribute-list:
Router1#configure terminal
Enter configuration commands, one per line.    End with CNTL/Z.
Router1(config)#access-list 106 deny ip host 172.25.0.0 host 255.255.0.0
Router1(config)#access-list 106 permit ip any any
Router1(config)#router bgp 65500
Router1(config-router)#neighbor 192.168.1.5 remote-as 65510
Router1(config-router)#neighbor 192.168.1.5 distribute-list 106 in
Router1(config-router)#exit
Router1(config)#end
Router1#
第三种也是最常用的是使用prefix lists
Router1#configure terminal
Enter configuration commands, one per line.    End with CNTL/Z.
Router1(config)#ip prefix-list PREFIX-FILTER seq 10 deny 172.25.0.0/16
Router1(config)#ip prefix-list PREFIX-FILTER seq 20 permit 0.0.0.0/0 le 32
Router1(config)#router bgp 65500
Router1(config-router)#neighbor 192.168.1.5 remote-as 65510
Router1(config-router)#neighbor 192.168.1.5 prefix-list PREFIX-FILTER in
Router1(config-router)#exit
Router1(config)#end
Router1#
注释前两种使用的扩展ACL比较奇特，第一个host是子网，第二个host是子网掩码，而不是传统目的地址，所以host 172.25.0.0 host 255.255.0.0 就代表网络172.25.0.0/16，如果用正常的ACL就实现不了对无类网络的控制。所以推荐使用第三种方式prefixlist，此列表支持序列号，可以帮助你修改和插入新的条目 ge是大于，le是小于，控制子网掩码permit 0.0.0.0/0 le 32就是变相的permit any
9.7.    调整Local Preference属性值
提问调整Local Preference属性值来控制路由选择
回答
第一种全局
Router1#configure terminal
Enter configuration commands, one per line.    End with CNTL/Z.
Router1(config)#router bgp 65500
Router1(config-router)#bgp default local-preference 200
Router1(config-router)#exit
Router1(config)#end
Router1#
第二种使用route map控制
Router1#configure terminal
Enter configuration commands, one per line.    End with CNTL/Z.
Router1(config)#ip prefix-list LOW_LP_PREFIXES seq 10 permit 172.22.0.0/16
Router1(config)#route-map LOCALPREF permit 10
Router1(config-route-map)#match ip address prefix-list LOW_LP_PREFIXES
Router1(config-route-map)#set local-preference 50
Router1(config-route-map)#exit
Router1(config)#route-map LOCALPREF permit 20
Router1(config-route-map)#exit
Router1(config)#router bgp 65500
Router1(config-router)#neighbor 192.168.1.5 remote-as 65510
Router1(config-router)#neighbor 192.168.1.5 route-map LOCALPREF in
Router1(config-router)#exit
Router1(config)#end
Router1#
注释此local preference属性值只在内部AS有用，选路级别高于AS Path。此值越大优先级越高，缺省值为100。Show ip bgp命令可以看到各个路由的local preference属性值
9.8.    负载均衡
提问在BGP邻居之间的多链路上负载均衡流量
回答
Router1#configure terminal
Enter configuration commands, one per line.    End with CNTL/Z.
Router1(config)#router bgp 65500
Router1(config-router)#maximum-paths 4
Router1(config-router)#exit
Router1(config)#end
Router1#
注释正常情况下BGP选路策略会保证只有一条路径，通过此命令可以增加到4条，不过要确保所有属性值相同，包括MED属性。同时注意此负载均衡只针对出流量而不适合入流量
9.9.    在AS Path属性值中清除私有ASNs
提问避免内网中的私有ASN传播到互联网
回答
Router1#configure terminal
Enter configuration commands, one per line.    End with CNTL/Z.
Router1(config)#interface Serial0
Router1(config-if)#description connection to ISP #1, ASN 1
Router1(config-if)#ip address 192.168.1.6 255.255.255.252
Router1(config-if)#exit
Router1(config)#interface Serial1
Router1(config-if)#description connection to private network, ASN 65500
Router1(config-if)#ip address 192.168.5.1 255.255.255.252
Router1(config-if)#exit
Router1(config)#router bgp 2
Router1(config-router)#neighbor 192.168.5.2 remote-as 65500
Router1(config-router)#neighbor 192.168.1.5 remote-as 1
Router1(config-router)#neighbor 192.168.1.5 remove-private-AS
Router1(config-router)#no synchronization
Router1(config-router)#exit
Router1(config)#end
Router1#
注释注意此命令是不能删除那些在公共ASN之间的私有ASN
9.10.    基于AS Path属性值的路由过滤
提问基于接收或者发送路由的AS Path属性值进行路由过滤
回答
Router1#configure terminal
Enter configuration commands, one per line.    End with CNTL/Z.
Router1(config)#ip as-path access-list 15 permit ^65501$
Router1(config)#ip as-path access-list 25 permit _65530_
Router1(config)#ip as-path access-list 25 deny _65531$
Router1(config)#ip as-path access-list 25 permit .*
Router1(config)#router bgp 65500
Router1(config-router)#neighbor 192.168.1.5 remote-as 65510
Router1(config-router)#neighbor 192.168.1.5 filter-list 15 in
Router1(config-router)#neighbor 192.168.2.5 remote-as 65520
Router1(config-router)#neighbor 192.168.2.5 filter-list 25 out
Router1(config-router)#exit
Router1(config)#end
Router1#
注释正则表达式过滤
9.11.    减少接收到的路由表大小
提问通过汇总接收到路由的方式来减少所接收的路由表大小
回答
通过缺省路由的方式来过滤到过多的外部路由
Router1#configure terminal
Enter configuration commands, one per line.    End with CNTL/Z.
Router1(config)#ip route 0.0.0.0 0.0.0.0 192.168.101.0 1
Router1(config)#ip route 0.0.0.0 0.0.0.0 192.168.102.0 2
Router1(config)#ip prefix-list CREATE-DEFAULT seq 10 permit 192.168.101.0/24
Router1(config)#ip prefix-list CREATE-DEFAULT seq 20 permit 192.168.102.0/24
Router1(config)#router bgp 65500
Router1(config-router)#neighbor 192.168.1.5 remote-as 65520
Router1(config-router)#neighbor 192.168.1.5 prefix-list CREATE-DEFAULT in
Router1(config-router)#exit
Router1(config)#end
Router1#
注释
9.12.    出方向路由信息汇总
提问在向下游路由器发送路由表之前进行路由汇总
回答
Router1#configure terminal
Enter configuration commands, one per line.    End with CNTL/Z.
Router1(config)#router bgp 65500
Router1(config-router)#neighbor 192.168.1.5 remote-as 65520
Router1(config-router)#auto-summary
Router1(config-router)#exit
Router1(config)#end

本文来自ChinaUnix博客，如果查看原文请点：http://blog.chinaunix.net/u/20074/showart_460765.html

网络管理, 网络管理

文库|博客

返回列表

Chinaunix › 论坛 › IT运维 › 网络技术 › 网络技术文档中心 › BGP配置

BGP配置 [复制链接]

浏览过的版块