BGP route propagation + breaking the EBGP loop-prevention mechanism + breaking the IBGP loop-prevention mechanism
Theory to verify
BGP route propagation rules
1) Routes received from an EBGP neighbor are propagated to all BGP neighbors
2) Locally originated routes are propagated to all BGP neighbors
3) Routes received from an IBGP neighbor are not propagated to other IBGP neighbors, but can be propagated to EBGP neighbors
Possible problems
1. BGP route black hole
How to resolve an IBGP route black hole
1) IBGP full mesh
Bottlenecks
1.1 Large configuration workload (high maintenance cost)
1.2 High load on the devices (high resource usage)
1.3 Improved schemes
1.3.1 iBGP route reflector (IBGP scenario)
1.3.2 iBGP confederation (IBGP scenario; confederation AS numbers are only valid inside the local IGP domain)
Route reflector principle:
Route reflector roles
A router designates some of its IBGP neighbors as clients; any IBGP neighbor not designated automatically becomes a non-client, and the router itself automatically becomes the reflector
Route reflection rules:
A route learned from a non-client is advertised to all clients and is not reflected to non-clients
A route learned from a client is advertised to all non-clients and all clients (except the client that originated the route)
A route learned from an EBGP peer is advertised to all non-clients and clients
Loops that can arise with multiple route reflectors (large networks or reflector redundancy)
1. Intra-cluster loop:
R1 is a client of both R2 and R3 at the same time.
The Originator ID is generated by the RR; it carries the Router ID of the router that originated the route into the AS and is used to prevent routing loops inside a cluster
2. Inter-cluster loop:
A loop formed between reflectors
R2, R3 and R4 are each other's clients, with R4 a client of R2; a route that enters at R4 is reflected out by AR2 and then reflected back again
cluster-list: the cluster list records the reflectors the route has passed through. If the cluster list of a received route already contains the local cluster ID, the router treats it as a loop and does not accept the route. By default the router-id is recorded; it can also be set manually with reflector cluster-id 3.3.3.3
Summary: IBGP-to-IBGP is not propagated; non-client-to-non-client is not reflected
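As an added illustration (not part of the original notes), a small Python model of the three reflection rules plus the Originator ID and Cluster list loop checks described above. Router IDs and peer roles are constructed sample values; `reflect` and `accept` are hypothetical helper names.

```python
# Added model of route reflection (not the lab's own code). Router IDs below are
# constructed sample values; 'peers' maps a peer's router ID to its role.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Route:
    prefix: str
    from_peer: str                          # router ID of the peer we learned it from
    originator_id: Optional[str] = None     # set only once a route has been reflected
    cluster_list: List[str] = field(default_factory=list)

def accept(route: Route, my_id: str, cluster_id: Optional[str] = None) -> bool:
    """Loop checks a speaker applies to a route from an IBGP peer: reject it if it
    originated here (Originator ID) or if it already crossed our cluster (Cluster list)."""
    if route.originator_id == my_id:
        return False
    return (cluster_id or my_id) not in route.cluster_list

def reflect(route: Route, peers: Dict[str, str], rr_id: str,
            cluster_id: Optional[str] = None) -> Optional[Dict[str, Route]]:
    """Apply the three rules from the notes on a reflector whose router ID is rr_id.
    peers: {router_id: 'client' | 'nonclient' | 'ebgp'}.  Returns {peer: route_sent},
    or None when the incoming route fails the loop checks."""
    if not accept(route, rr_id, cluster_id):
        return None
    src = peers[route.from_peer]
    if src == "ebgp":                       # rule 3: an EBGP route goes to every IBGP peer
        targets = [p for p, r in peers.items() if r != "ebgp"]
        sent = route                        # no reflection attributes are added
    else:
        if src == "client":                 # rule 2: to all clients and non-clients except the source
            targets = [p for p, r in peers.items() if r != "ebgp" and p != route.from_peer]
        else:                               # rule 1: a non-client route only reaches clients
            targets = [p for p, r in peers.items() if r == "client"]
        sent = Route(route.prefix, rr_id,
                     originator_id=route.originator_id or route.from_peer,
                     cluster_list=[cluster_id or rr_id] + route.cluster_list)
    return {p: sent for p in targets}
```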
Lab topology
Initial configuration
Build the base infrastructure; inside AS100 use the IGP IS-IS to provide reachability
Initial result
[AR3]dis ip routing-table protocol isis
150.1.2.2/32 ISIS-L2 15 10 D 155.1.23.2 GigabitEthernet0/0/1
150.1.4.4/32 ISIS-L2 15 10 D 155.1.34.4 GigabitEthernet0/0/2
I.
Lab objective:
Establish an EBGP neighbor relationship over loopback interfaces and break the EBGP loop-prevention mechanism
Lab steps:
Step 1: establish BGP neighbors
Establish an EBGP neighbor relationship between AR1 and AR2 on the interconnect interfaces
[AR1-bgp]peer 155.1.12.2 as-number 100
[AR2-bgp]peer 155.1.12.1 as-number 200
Establish an IBGP neighbor relationship between AR2 and AR4 using loopback interfaces
[AR2-bgp]peer 150.1.4.4 as-number 100
[AR2-bgp]peer 150.1.4.4 connect-interface lo 0
[AR4-bgp]peer 150.1.2.2 as-number 100
[AR4-bgp]peer 150.1.2.2 connect-interface lo 0
Establish an EBGP neighbor relationship between AR4 and AR5 using loopback interfaces
Normally IBGP sessions can be established across intermediate routers, while EBGP sessions can only be established between directly connected routers, because EBGP packets are sent with TTL=1 and cannot cross a router. To build an EBGP session between loopbacks across routers you need an extra multi-hop command, which changes the TTL from 1 to 255. When there are redundant paths between EBGP neighbors, using loopback interfaces is recommended.
First add routes so that the two loopback interfaces can reach each other
[AR4]ip route-static 150.1.5.5 32 155.1.45.5
[AR5]ip route-static 150.1.4.4 32 155.1.45.4
[AR4-bgp]peer 150.1.5.5 as-number 200
[AR4-bgp]peer 150.1.5.5 connect-interface lo 0
[AR4-bgp]peer 150.1.5.5 ebgp-max-hop
[AR5-bgp]peer 150.1.4.4 as-number 100
[AR5-bgp]peer 150.1.4.4 connect-interface lo 1
[AR5-bgp]peer 150.1.4.4 ebgp-max-hop
Result:
[AR4]dis bgp peer
BGP local router ID : 155.1.34.4
Local AS number : 100
Total number of peers : 2 Peers in established state : 2
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
150.1.2.2 4 100 2 2 0 00:00:07 Established 0
150.1.5.5 4 200 3 5 0 00:01:21 Established
[AR2]dis bgp peer
BGP local router ID : 155.1.12.2
Local AS number : 100
Total number of peers : 2 Peers in established state : 2
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
150.1.4.4 4 100 2 3 0 00:00:03 Established 0
155.1.12.1 4 200 30 30 0 00:28:06 Established 0
Step 2: break the EBGP loop-prevention mechanism so that AR1 can receive routing information from AR5
First inject 10.1.5.5 into BGP
[AR5-bgp]network 10.1.5.5 32
[AR5]dis bgp routing-table
BGP Local router ID is 10.1.5.5
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 1
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 10.1.5.5/32 0.0.0.0 0 0 i
Here a nexthop of 0.0.0.0 means the route is locally originated
Now AR4 can pass 10.1.5.5, learned from its EBGP neighbor, to its IBGP neighbor, and AR2, having learned 10.1.5.5 from an IBGP neighbor, should also be able to pass it to its EBGP neighbor AR1. That assumes 10.1.5.5 is marked with > on both AR2 and AR4, because BGP only advertises best routes.
On AR4 the route still carries > and there is no problem
[AR4]dis bgp routing-table
BGP Local router ID is 155.1.34.4
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 1
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 10.1.5.5/32 150.1.5.5 0 0 200i
But on AR2 there is no route to 150.1.5.5, so the route loses its > and cannot be advertised
[AR2]dis bgp routing-table
BGP Local router ID is 155.1.12.2
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 1
Network NextHop MED LocPrf PrefVal Path/Ogn
i 10.1.5.5/32 150.1.5.5 0 100 0 200i
[AR2]dis ip routing-table 150.1.5.5
[AR2]
Fix 1: configure a route to 150.1.5.5 on AR2 so that AR2 considers 150.1.5.5 reachable
[AR2]ip route-static 150.1.5.5 32 null 0
Now 10.1.5.5 becomes the best route again
[AR2]dis bgp routing-table
*>i 10.1.5.5/32 150.1.5.5 0 100 0 200i
Fix 2: import the route to 150.1.5.5 into the IGP on AR4
First delete the static route above
[AR2]dis ip routing-table 150.1.5.5
150.1.5.5/32 ISIS-L2 15 84 D 155.1.23.3 GigabitEthernet0/0/1
[AR2]dis bgp routing-table
*>i 10.1.5.5/32 150.1.5.5 0 100 0 200i
Fix 3: have IBGP change the next hop when propagating the route
First delete the route import above
On AR4, configure next-hop-local towards the IBGP neighbor 150.1.2.2, so that when AR4 passes the route to AR2 it rewrites the next hop to 150.1.4.4
[AR4-bgp]peer 150.1.2.2 next-hop-local
[AR2]dis bgp routing-table
BGP Local router ID is 155.1.12.2
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 1
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 10.1.5.5/32 150.1.4.4 0 100 0 200i
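As an added illustration (not part of the original notes), a Python model of why AR2 dropped the > on 10.1.5.5 and how each of the three fixes restores it: a BGP route is only valid, and therefore eligible to be best, when its next hop resolves in the local routing table. The RIB entries are constructed from the addressing used in the notes; `resolve`, `ibgp_send` and `demo` are hypothetical helper names.

```python
# Added model (not from the lab) of BGP next-hop resolution on AR2. The RIB entries
# are constructed from the lab addressing; protocol names follow the VRP display.
import ipaddress
from typing import Dict, Optional

def resolve(next_hop: str, rib: Dict[str, str]) -> Optional[str]:
    """Longest-prefix match of next_hop against rib {prefix: protocol}; None = unreachable."""
    nh = ipaddress.ip_address(next_hop)
    best = None
    for prefix, proto in rib.items():
        net = ipaddress.ip_network(prefix)
        if nh in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, proto)
    return best[1] if best else None

def ibgp_send(route: Dict[str, str], update_source: str, next_hop_local: bool = False) -> Dict[str, str]:
    """IBGP keeps NEXT_HOP as received; 'peer X next-hop-local' rewrites it to the sender's source."""
    out = dict(route)
    if next_hop_local:
        out["next_hop"] = update_source
    return out

def is_best(route: Dict[str, str], rib: Dict[str, str]) -> bool:
    """A route with an unresolvable next hop is not valid, so it can never be marked '>'."""
    return resolve(route["next_hop"], rib) is not None

# AR2's routing table before any fix: IS-IS provides the AS100 loopbacks, but not 150.1.5.5
AR2_RIB = {"150.1.3.3/32": "ISIS-L2", "150.1.4.4/32": "ISIS-L2",
           "155.1.12.0/24": "Direct", "155.1.23.0/24": "Direct"}
FROM_AR5 = {"prefix": "10.1.5.5/32", "next_hop": "150.1.5.5"}   # as AR4 received it via EBGP

def demo() -> dict:
    unchanged = ibgp_send(FROM_AR5, "150.1.4.4")                       # default IBGP behaviour
    fix1 = {**AR2_RIB, "150.1.5.5/32": "Static(NULL0)"}                # fix 1: static route to null 0
    fix2 = {**AR2_RIB, "150.1.5.5/32": "ISIS-L2"}                      # fix 2: 150.1.5.5 imported into IS-IS on AR4
    fix3 = ibgp_send(FROM_AR5, "150.1.4.4", next_hop_local=True)       # fix 3: next-hop-local on AR4
    return {"before": is_best(unchanged, AR2_RIB), "fix1": is_best(unchanged, fix1),
            "fix2": is_best(unchanged, fix2), "fix3": is_best(fix3, AR2_RIB),
            "fix3_next_hop": fix3["next_hop"]}
```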
This process is a little slow; convergence can be sped up with refresh bgp all import/export
<AR2>refresh bgp all ?
export Trigger outbound soft reconfiguration
import Trigger inbound soft reconfiguration
Now you can see AR2 attempting to advertise the route 10.1.5.5 to AR1
[AR2]dis bgp routing-table peer 155.1.12.1 advertised-routes
BGP Local router ID is 155.1.12.2
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 1
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 10.1.5.5/32 155.1.12.2 0 100 200i
[AR2]
But the AS path of this route contains AS 200, and EBGP loop prevention means AR1 will not accept it
Fix:
[AR1-bgp]peer 155.1.12.2 allow-as-loop
Allow received routes whose AS path contains the local AS, but only once by default. The count can of course be set manually
[AR1-bgp]peer 155.1.12.2 allow-as-loop ?
INTEGER<1-10> Number of repeating times of AS Path
<cr> Please press ENTER to execute command
Now AR1 has 10.1.5.5
[AR1]dis bgp routing-table
*> 10.1.5.5/32 155.1.12.2 0 100 200i
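As an added illustration (not part of the original notes), a Python model of the EBGP AS_PATH loop check and the effect of peer X allow-as-loop [n], following 10.1.5.5 from AR5 (AS 200) to AR1 (also AS 200). The AS numbers are the ones used in the notes; `ebgp_send`, `ebgp_accept` and `trace_allow_as_loop` are hypothetical helper names.

```python
# Added model (not from the lab) of AS_PATH handling on the AR5 -> AR4 -> AR2 -> AR1 path.
from typing import List

def ebgp_send(as_path: List[int], local_as: int) -> List[int]:
    """Advertising to an EBGP peer prepends the local AS; IBGP leaves AS_PATH untouched."""
    return [local_as] + as_path

def ebgp_accept(as_path: List[int], local_as: int, allow_as_loop: int = 0) -> bool:
    """Default check: reject any path that contains local_as. With allow-as-loop n
    (1-10 on VRP; 1 when the command is given without a number) up to n occurrences pass."""
    if not 0 <= allow_as_loop <= 10:
        raise ValueError("allow-as-loop takes a count between 1 and 10")
    return as_path.count(local_as) <= allow_as_loop

def trace_allow_as_loop() -> dict:
    """Follow 10.1.5.5/32 from AR5 (AS 200) to AR1 (AS 200) exactly as in the lab."""
    at_ar4 = ebgp_send([], 200)          # AR5 -> AR4 (EBGP): [200]
    at_ar2 = at_ar4                      # AR4 -> AR2 is IBGP: unchanged
    at_ar1 = ebgp_send(at_ar2, 100)      # AR2 -> AR1 (EBGP): [100, 200], shown as '100 200'
    return {"path_at_ar1": at_ar1,
            "default": ebgp_accept(at_ar1, 200),                      # AR1 sees its own AS: dropped
            "allow_as_loop_1": ebgp_accept(at_ar1, 200, allow_as_loop=1)}
```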
Repeat the same steps for 10.1.1.1/32: first inject it into BGP, then on AR2 set next-hop-local for routes sent to AR4, then break the EBGP loop check on AR5
[AR1-bgp]network 10.1.1.1 32
[AR2-bgp]peer 150.1.4.4 next-hop-local
[AR5-bgp]peer 150.1.4.4 allow-as-loop
[AR5]dis bgp routing-table
BGP Local router ID is 10.1.5.5
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 2
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 10.1.1.1/32 150.1.4.4 0 100 200i
*> 10.1.5.5/32 0.0.0.0 0 0 i
[AR5]
But at this point 10.1.1.1 and 10.1.5.5 still cannot reach each other. AR5 forwards the traffic to AR4 according to its route; AR4 looks up its routing table and finds that the next hop for 10.1.1.1 is 150.1.2.2, learned via BGP; it then performs a route recursion, and to reach 150.1.2.2 the packet is forwarded to AR3. But AR3 has no routes for 10.1.1.1 or 10.1.5.5: BGP is not enabled on AR3, so it never installs those routes. AR3 has become a BGP route black hole
[AR5]ping -a 10.1.5.5 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
II. Solutions to the route black hole
Fix 1: IBGP full mesh
Enable BGP on AR3. Because the same problem of IBGP not changing the next hop exists, AR2 and AR4 must also use next-hop-local towards AR3
[AR3-bgp]peer 150.1.2.2 as-n 100
[AR3-bgp]peer 150.1.2.2 connect-interface lo 0
[AR3-bgp]peer 150.1.4.4 as-n 100
[AR3-bgp]peer 150.1.4.4 connect-interface lo 0
[AR2-bgp]peer 150.1.3.3 as-number 100
[AR2-bgp]peer 150.1.3.3 connect-interface lo 0
[AR2-bgp]peer 150.1.3.3 next-hop-local
[AR4-bgp]peer 150.1.3.3 as-number 100
[AR4-bgp]peer 150.1.3.3 con lo 0
[AR4-bgp]peer 150.1.3.3 next-hop-local
Now AR3, as an IBGP neighbor of AR2 and AR4, can receive the routes that AR2 and AR4 learned via EBGP. But because routes learned from IBGP are not re-advertised to IBGP neighbors, the IBGP session between AR2 and AR4 cannot be removed. If it were removed, AR3 would not pass the 10.1.1.1 route from AR2 on to AR4, and likewise for 10.1.5.5
[AR3]dis bgp routing-table
BGP Local router ID is 155.1.23.3
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 2
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 10.1.1.1/32 150.1.2.2 0 100 0 200i
*>i 10.1.5.5/32 150.1.4.4 0 100 0 200i
[AR1]ping -a 10.1.1.1 10.1.5.5
PING 10.1.5.5: 56 data bytes, press CTRL_C to break
Reply from 10.1.5.5: bytes=56 Sequence=1 ttl=252 time=60 ms
Reply from 10.1.5.5: bytes=56 Sequence=2 ttl=252 time=40 ms
Fix 2: route reflector
First delete the IBGP neighbor relationship between AR2 and AR4 configured earlier
Now AR3 has the routes to both 10.1.1.1 and 10.1.5.5, but the routers behind 10.1.1.1 and 10.1.5.5 no longer have each other's route
[AR3]dis bgp routing-table
*>i 10.1.1.1/32 150.1.2.2 0 100 0 200i
*>i 10.1.5.5/32 150.1.4.4 0 100 0 200i
[AR1]dis bgp routing-table
*> 10.1.1.1/32 0.0.0.0 0 0 i
[AR1]ping -a 10.1.1.1 10.1.5.5
PING 10.1.5.5: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Designate a client:
[AR3-bgp]peer 150.1.4.4 reflect-client
Since routes from a non-client are passed to clients, and routes from a client are passed to both clients and non-clients, designating just one router as a client is enough to achieve reachability.
AR1's route goes to AR2; AR2 passes the EBGP route to IBGP neighbor AR3; AR3 reflects the non-client route to client AR4; AR4 passes the IBGP-learned route to EBGP neighbor AR5
AR5's route goes to AR4; AR4 passes the EBGP route to IBGP neighbor AR3; AR3 reflects the client route to non-client AR2; AR2 passes the IBGP route to EBGP neighbor AR1
[AR3]DIS bgp routing-table peer 150.1.2.2 advertised-routes
BGP Local router ID is 155.1.23.3
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 1
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 10.1.5.5/32 150.1.4.4 0 100 0 200i
[AR3]
[AR1]ping -a 10.1.1.1 10.1.5.5
PING 10.1.5.5: 56 data bytes, press CTRL_C to break
Reply from 10.1.5.5: bytes=56 Sequence=1 ttl=252 time=40 ms
Reply from 10.1.5.5: bytes=56 Sequence=2 ttl=252 time=50 ms
Also make AR2 a client, to verify that client-to-client reflection works
[AR3-bgp]peer 150.1.2.2 reflect-client
[AR3]dis bgp routing-table peer 150.1.4.4 advertised-routes
BGP Local router ID is 155.1.23.3
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 2
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 10.1.1.1/32 150.1.2.2 0 100 0 200i
*>i 10.1.5.5/32 150.1.4.4 0 100 0 200i
[AR1]ping -a 10.1.1.1 10.1.5.5
PING 10.1.5.5: 56 data bytes, press CTRL_C to break
Reply from 10.1.5.5: bytes=56 Sequence=1 ttl=252 time=50 ms
Reply from 10.1.5.5: bytes=56 Sequence=2 ttl=252 time=50 ms
To verify that non-client-to-non-client is not reflected, add a new router AR6 next to AR3, configure addresses, and establish an IBGP neighbor relationship over the direct link
Remove AR2's client designation. Now you can see that AR3 advertises to AR6 the 10.1.5.5 route received from the client, but not the 10.1.1.1 route received from the non-client
[AR6]dis bgp peer
155.1.36.3 4 100 3 2 0 00:00:12 Established 1
[AR3]dis bgp routing-table peer 155.1.36.6 advertised-routes
BGP Local router ID is 155.1.23.3
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 1
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 10.1.5.5/32 150.1.4.4 0 100 0 200i
[AR3]
Verify the Originator
Neither AR4 nor AR3 shows an Originator ID; after the route has passed through AR3, on AR2 the Originator is seen as 155.1.34.4. If one day the 10.1.5.5 route on AR2 were to loop back to AR4, AR4 would not accept it
[AR4]dis bgp routing-table 10.1.5.5
BGP local router ID : 155.1.34.4
Local AS number : 100
Paths: 1 available, 1 best, 1 select
BGP routing table entry information of 10.1.5.5/32:
From: 150.1.5.5 (10.1.5.5)
Route Duration: 04h36m28s
Relay IP Nexthop: 155.1.45.5
Relay IP Out-Interface: GigabitEthernet0/0/0
Original nexthop: 150.1.5.5
Qos information : 0x0
AS-path 200, origin igp, MED 0, pref-val 0, valid, external, best, select, active, pre 255
Advertised to such 1 peers:
150.1.3.3
[AR3]dis bgp routing-table 10.1.5.5
BGP local router ID : 155.1.23.3
Local AS number : 100
Paths: 1 available, 1 best, 1 select
BGP routing table entry information of 10.1.5.5/32:
RR-client route.
From: 150.1.4.4 (155.1.34.4)
Route Duration: 02h15m43s
Relay IP Nexthop: 155.1.34.4
Relay IP Out-Interface: GigabitEthernet0/0/2
Original nexthop: 150.1.4.4
Qos information : 0x0
AS-path 200, origin igp, MED 0, localpref 100, pref-val 0, valid, internal, best, select, active, pre 255, IGP cost 10
Advertised to such 2 peers:
150.1.2.2
155.1.36.6
[AR2]dis bgp routing-table 10.1.5.5
BGP local router ID : 155.1.12.2
Local AS number : 100
Paths: 1 available, 1 best, 1 select
BGP routing table entry information of 10.1.5.5/32:
From: 150.1.3.3 (155.1.23.3)
Route Duration: 00h28m20s
Relay IP Nexthop: 155.1.23.3
Relay IP Out-Interface: GigabitEthernet0/0/1
Original nexthop: 150.1.4.4
Qos information : 0x0
AS-path 200, origin igp, MED 0, localpref 100, pref-val 0, valid, internal, best, select, active, pre 255, IGP cost 20
Originator: 155.1.34.4
Cluster list: 155.1.23.3
Advertised to such 1 peers:
155.1.12.1
Verify the cluster-id
Modify the cluster-id on AR3
[AR3-bgp]reflector cluster-id 3.3.3.3
Now the cluster list seen on AR2 becomes 3.3.3.3
[AR2]dis bgp routing-table 10.1.5.5
BGP local router ID : 155.1.12.2
Local AS number : 100
Paths: 1 available, 1 best, 1 select
BGP routing table entry information of 10.1.5.5/32:
From: 150.1.3.3 (155.1.23.3)
Route Duration: 00h00m23s
Relay IP Nexthop: 155.1.23.3
Relay IP Out-Interface: GigabitEthernet0/0/1
Original nexthop: 150.1.4.4
Qos information : 0x0
AS-path 200, origin igp, MED 0, localpref 100, pref-val 0, valid, internal, best, select, active, pre 255, IGP cost 20
Originator: 155.1.34.4
Cluster list: 3.3.3.3
Advertised to such 1 peers:
155.1.12.1
Fix 3: IBGP confederation
First remove AR6 and clear the BGP configuration on AR2, AR3 and AR4
Sub-ASes should use private AS numbers, 64512 and above. Plan the confederation as in the topology below
[AR2]bgp 65002
[AR2-bgp]confederation id 100 //declares that AS 65002 is only a confederation sub-AS inside the IBGP domain; the real AS is 100
[AR2-bgp]confederation peer-as 65034 //specifies the confederation EBGP neighbor AS. This command is needed only when a confederation EBGP neighbor relationship exists
Then specify the neighbors. Because these are EBGP neighbors, remember to add multi-hop for loopback-to-loopback sessions
[AR2-bgp]peer 150.1.3.3 as-n 65034
[AR2-bgp]peer 150.1.3.3 connect-interface lo 0
[AR2-bgp]peer 150.1.3.3 ebgp-max-hop
[AR3]bgp 65034
[AR3-bgp]confederation id 100
[AR3-bgp]confederation peer-as 65002
[AR3-bgp]peer 150.1.2.2 as-number 65002
[AR3-bgp]peer 150.1.2.2 connect-interface LoopBack 0
[AR3-bgp]peer 150.1.2.2 ebgp-max-hop
[AR3-bgp]peer 150.1.4.4 as-number 65034
[AR3-bgp]peer 150.1.4.4 connect-interface lo0
With only the confederation-internal IBGP neighbor configured, AR3 and AR4 are IBGP neighbors, so the next hop of 10.1.1.1 is not modified when it is propagated. The next hop that AR4 receives for 10.1.1.1 is therefore still 150.1.2.2, but because of the underlying IS-IS, 150.1.2.2 and 150.1.4.4 are already reachable, so there is no need to configure next-hop-local on AR3 towards AR4
When AR1 needs to be reached, AR3 has no route for the 155.1.12.0 segment, so for AR3 to reach the routes on AR1, AR2 must still set next-hop-local towards AR3
Likewise, for 10.1.5.5, AR4 must also set next-hop-local towards AR3
[AR4]bgp 65034
[AR4-bgp]confederation id 100
[AR4-bgp]peer 150.1.3.3 as-number 65034
[AR4-bgp]peer 150.1.3.3 connect-interface LoopBack 0
[AR4-bgp]peer 150.1.5.5 ebgp-max-hop
Test results:
The 10.1.5.5 route received on AR2 has passed through EBGP AS 200 and the confederation AS 65034 inside the local IGP domain, but when AR2 passes 10.1.5.5 out of the local IGP domain it does not carry the confederation AS number, which verifies that confederation AS numbers are only valid inside the local IGP domain
[AR2]dis bgp routing-table
*> 10.1.1.1/32 155.1.12.1 0 0 200i
*>i 10.1.5.5/32 150.1.4.4 0 100 0 (65034) 200i
[AR2]dis bgp routing-table peer 155.1.12.1 advertised-routes
*>i 10.1.5.5/32 155.1.12.2 0 100 200i
[AR1]dis bgp routing-table
*> 10.1.1.1/32 0.0.0.0 0 0 i
*> 10.1.5.5/32 155.1.12.2 0 100 200i
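As an added illustration (not part of the original notes), a Python model of how AS_PATH is built inside the confederation and at its edge, reproducing the (65034) 200 seen on AR2 and the 100 200 seen on AR1. The confederation id 100 and member ASes 65002 and 65034 are from the notes; `send`, `show`, `accept_from_outside` and `trace_confederation` are hypothetical helper names.

```python
# Added model (not from the lab) of confederation AS_PATH segments. Each segment is a
# (type, [asn, ...]) pair; types follow RFC 5065 naming.
from typing import List, Tuple

Segment = Tuple[str, List[int]]
CONFED_ID = 100                 # public AS of the confederation (confederation id 100)
MEMBERS = {65002, 65034}        # member sub-ASes: AR2 in 65002, AR3/AR4 in 65034

def _prepend(segments: List[Segment], seg_type: str, asn: int) -> List[Segment]:
    """Prepend asn to the leading segment when it has seg_type, otherwise open a new one."""
    rest = [(t, list(a)) for t, a in segments]
    if rest and rest[0][0] == seg_type:
        rest[0] = (seg_type, [asn] + rest[0][1])
        return rest
    return [(seg_type, [asn])] + rest

def send(segments: List[Segment], local_member_as: int, peer_as: int) -> List[Segment]:
    """AS_PATH as sent from a router in local_member_as to a peer in peer_as."""
    if peer_as == local_member_as:                        # IBGP inside the member AS: unchanged
        return [(t, list(a)) for t, a in segments]
    if peer_as in MEMBERS:                                # confederation EBGP: member AS goes in a confed segment
        return _prepend(segments, "AS_CONFED_SEQUENCE", local_member_as)
    outside = [(t, list(a)) for t, a in segments if t != "AS_CONFED_SEQUENCE"]  # real EBGP: strip confed segments
    return _prepend(outside, "AS_SEQUENCE", CONFED_ID)    # and present the whole confederation as AS 100

def accept_from_outside(segments: List[Segment]) -> bool:
    """Loop check at the confederation edge: the public id must not already be in the path."""
    return all(CONFED_ID not in a for t, a in segments if t == "AS_SEQUENCE")

def show(segments: List[Segment]) -> str:
    """Render like 'dis bgp routing-table': confed members in parentheses, e.g. '(65034) 200'."""
    return " ".join("(%s)" % " ".join(map(str, a)) if t == "AS_CONFED_SEQUENCE"
                    else " ".join(map(str, a)) for t, a in segments)

def trace_confederation() -> dict:
    """Follow 10.1.5.5/32 from AR5 (AS 200) through the confederation to AR1 (AS 200)."""
    at_ar4 = [("AS_SEQUENCE", [200])]                     # AR5 -> AR4, plain EBGP
    at_ar3 = send(at_ar4, 65034, 65034)                   # AR4 -> AR3, same member AS (IBGP)
    at_ar2 = send(at_ar3, 65034, 65002)                   # AR3 -> AR2, confederation EBGP
    at_ar1 = send(at_ar2, 65002, 200)                     # AR2 -> AR1, leaves the confederation
    return {"ar2": show(at_ar2), "ar1": show(at_ar1),
            "loops_back_rejected": not accept_from_outside(at_ar1)}
```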