BGP (IE level)

active, passive
dynamic neighbors
4-byte AS number
address-family
remove private AS
regexp

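active, passive
In a lab environment, by default the side that opens the BGP TCP connection first is active and the side that responds is passive. This is bad for network security, so a router can be configured to be active only; then even if another party initiates the connection, no neighbor relationship can be established.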
active session
If the TCP session initiated by R1 is the one used between R1 and R2, then R1 "actively" established the session.
passive session
For the same scenario, R2 "passively" established the session.
R1 actively opened the session
R2 passively accepted the session
The mode can be set to active or passive with this command:
neighbor X.X.X.X transport connection-mode {active | passive}

dynamic neighbor
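Dynamic neighbors are mainly used with XXX on the hub-and-spoke side: when a spoke router is added, the hub needs no additional configuration; it automatically establishes and maintains the BGP relationship and trusts the spoke.
Configuration: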
router bgp 100
bgp listen limit 100
bgp listen range 10.0.0.0/8 peer-group GRP1
bgp listen range 11.0.0.0/8 peer-group GRP1
bgp listen range 192.168.0.0/16 peer-group GRP2
neighbor GRP1 peer-group
neighbor GRP1 remote-as 100
neighbor GRP2 peer-group
neighbor GRP2 remote-as 100

address-family ipv4
neighbor GRP1 activate
neighbor GRP2 activate
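
Because the hub trusts every source inside a listen range, the width of those ranges is the trust boundary. The following is an added example (not part of the original post) that parses the listen statements from the configuration above and models, in simplified form, which sources would be admitted; the function names and the min_prefixlen threshold are hypothetical.

```python
import ipaddress
import re

# Constructed input: the hub configuration shown above, as running-config text.
HUB_CONFIG = """\
router bgp 100
 bgp listen limit 100
 bgp listen range 10.0.0.0/8 peer-group GRP1
 bgp listen range 11.0.0.0/8 peer-group GRP1
 bgp listen range 192.168.0.0/16 peer-group GRP2
 neighbor GRP1 peer-group
 neighbor GRP1 remote-as 100
 neighbor GRP2 peer-group
 neighbor GRP2 remote-as 100
"""

RANGE_RE = re.compile(r"^\s*bgp listen range (\S+) peer-group (\S+)\s*$", re.M)
LIMIT_RE = re.compile(r"^\s*bgp listen limit (\d+)\s*$", re.M)

def parse_listen(config):
    """Return (limit, [(network, peer_group), ...]) from running-config text."""
    m = LIMIT_RE.search(config)
    limit = int(m.group(1)) if m else None
    ranges = [(ipaddress.ip_network(p), g) for p, g in RANGE_RE.findall(config)]
    return limit, ranges

def peer_group_for(config, src_ip, sessions_up=0):
    """Peer-group an inbound session from src_ip would join, or None."""
    limit, ranges = parse_listen(config)
    if limit is not None and sessions_up >= limit:
        return None                      # listen limit already reached
    addr = ipaddress.ip_address(src_ip)
    for net, group in ranges:
        if addr.version == net.version and addr in net:
            return group
    return None                          # source is outside every listen range

def broad_ranges(config, min_prefixlen=24):
    """Listen ranges wider than min_prefixlen (hypothetical audit threshold)."""
    _, ranges = parse_listen(config)
    return [(str(n), g, n.num_addresses) for n, g in ranges
            if n.prefixlen < min_prefixlen]
```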

4-byte AS number
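RFC 4271 defines the AS number as 2 bytes.
Private AS numbers = 64512 to 65535
Public AS numbers = 1 to 64511
Once the 2-byte AS numbers had all been allocated there were not enough left, so the AS number was extended to 4 bytes, that is 32 bits (RFC 5396), giving 4294947295 AS numbers.
ASplain: both 2-byte and 4-byte AS numbers are written in decimal.
ASdot: 2-byte AS numbers are written in decimal; 4-byte AS numbers are written with a dot separator.
For example:
65526 is a 2-byte AS number
65536005 = 1000.5 (1000*65536 + 5)
123 = 0.123, 65536 = 1.0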
R1(config)#router bgp 1.1
R1#show ip protocols

Routing Protocol is "bgp 65537"

R1(config)#router bgp 100.1
R1#show ip protocols

Routing Protocol is "bgp 6553601"
The default format is ASplain.
Under the BGP process, use bgp asnotation dot to switch the format, then run clear ip route *
Configuration commands:
R1(config)#router bgp 100.1
R1#show ip protocols

Routing Protocol is "bgp 6553601"

R1(config)#router bgp 100.1
R1(config-router)#bgp asnotation dot
R1#show ip protocols

Routing Protocol is "bgp 100.1"

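Ambiguity:
When an AS that uses old routers is connected to several ASes that use 4-byte AS numbers, it may wrongly conclude that it is connected to only one AS (AS 23456), which leads to incorrect routing policy.
For example: when AS 200 peers with AS 65536, it cannot specify 65536 and must use 23456. One-to-one this can be handled, but what if there are several such neighbors? This is where compatibility between 4-byte and 2-byte AS numbers has to be considered.
Two optional transitive attributes were added:
new_aggregator
new_aspath
An update received from a new device that contains 4-byte AS numbers carries two AS paths, aspath and new_aspath. The old device prepends its own AS number to the aspath it understands; it does not recognise new_aspath and passes it on unchanged. When the update is later passed to a new device, the two paths are merged, replacing the earlier 23456.
Figure: detailed steps (blue routers support 4-byte AS numbers, white routers support only 2-byte AS numbers).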
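
The ASdot conversion and the aspath / new_aspath merge described above, as an added example that is not part of the original post. It models AS paths as plain sequences only (no AS sets or aggregation); the function names are hypothetical.

```python
AS_TRANS = 23456  # 2-byte placeholder an old speaker sees for any 4-byte AS

def to_asdot(asn):
    """ASplain integer -> ASdot string (2-byte values stay plain decimal)."""
    return str(asn) if asn < 65536 else f"{asn >> 16}.{asn & 0xFFFF}"

def from_asdot(text):
    """ASdot or ASplain string -> integer, e.g. '1000.5' -> 65536005."""
    if "." not in text:
        return int(text)
    high, low = (int(part) for part in text.split("."))
    return high * 65536 + low

def send_to_old(path):
    """New speaker -> old speaker: returns (aspath, new_aspath)."""
    aspath = [a if a < 65536 else AS_TRANS for a in path]
    new_aspath = list(path) if any(a >= 65536 for a in path) else None
    return aspath, new_aspath

def old_prepend(own_as, aspath, new_aspath):
    """Old speaker: prepends to aspath, forwards new_aspath untouched."""
    return [own_as] + aspath, new_aspath

def new_receive(aspath, new_aspath):
    """New speaker: rebuild the real path from aspath + new_aspath."""
    if new_aspath is None or len(aspath) < len(new_aspath):
        return list(aspath)                 # nothing usable to merge
    lead = len(aspath) - len(new_aspath)    # hops prepended by old speakers
    return aspath[:lead] + new_aspath
```

With the constructed path 65536 65537 crossing old AS 200, the old speaker holds 200 23456 23456 (the ambiguity described above), while the next new speaker recovers 200 65536 65537.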

Figure: the aggregation case.
So how do you tell whether the peer supports 4-byte AS numbers?
show ip bgp neighbor X.X.X.X

address-family
MP-BGP: an extension of the BGP protocol
It carries multiple network-layer protocols:
1. ipv4 unicast
2. ipv6 unicast
3. multicast (ipv4 and ipv6)
4. MPLS XXX, etc.

1. ipv4 address-family
router bgp 2
bgp router-id 2.2.2.2
! disable BGP's default behaviour of carrying IPv4 unicast routes
no bgp default ipv4-unicast
neighbor 12.1.1.1 remote-as 65500
neighbor 23.1.1.3 remote-as 3
!
address-family ipv4
neighbor 12.1.1.1 activate
neighbor 23.1.1.3 activate
no auto-summary
no synchronization
exit-address-family
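2. ipv6 address-family
MP-BGP extensions specific to IPv6:
The next hop contains a global IPv6 address or a link-local address
The next hop is expressed as an IPv6 address
The NLRI is expressed as an IPv6 prefix plus prefix length
TCP Interaction: either over IPv4 or IPv6
TCP connection over IPv6, carrying IPv6 routes
TCP connection over IPv6, carrying IPv4 routes
TCP connection over IPv4, carrying IPv6 routes

(1) TCP connection over IPv6, carrying IPv6 networks
R2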
router bgp 2
bgp router-id 2.2.2.2
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 2001:23::3 remote-as 3
address-family ipv6
neighbor 2001:23::3 activate
exit-address-family
R3
router bgp 3
bgp router-id 3.3.3.3
no bgp default ipv4-unicast
neighbor 2001:23::2 remote-as 2
!
address-family ipv6
neighbor 2001:23::2 activate
network 2001:3:3::/64
no synchronization
exit-address-family

R2# show bgp ipv6 unicast summary
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
2001:23::3 4 3 14 11 6 0 0 00:01:54 1

R2# show bgp ipv6 unicast
Network Next Hop Metric LocPrf Weight Path
*> 2001:3:3::/64 2001:23::3 0 0 3 I

R2#show ipv6 route bgp
B 2001:3:3::/64 [20/0]
via FE80::CE02:2FF:FE6E:1, FastEthernet0/1

(2) TCP connection over IPv6, carrying IPv4 routes
R2
router bgp 2
bgp router-id 2.2.2.2
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 2001:23::3 remote-as 3
address-family ipv4
neighbor 2001:23::3 activate
exit-address-family
R3
router bgp 3
bgp router-id 3.3.3.3
no bgp default ipv4-unicast
neighbor 2001:23::2 remote-as 2
!
address-family ipv4
neighbor 2001:23::2 activate
network 3.0.0.0 mask 255.0.0.0
no synchronization
exit-address-family
R2# show ip bgp summary
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
2001:23::3 4 3 40 28 1 0 0 00:02:43 1

R2# show ip bgp
Network Next Hop Metric LocPrf Weight Path
3.0.0.0 32.1.0.35 0 0 3 i

R2#show ip bgp 3.0.0.0
BGP routing table entry for 3.0.0.0/8, version 0
Paths: (1 available, no best path)
Not advertised to any peer
3
32.1.0.35 (inaccessible) from 2001:23::3 (3.3.3.3)
Origin IGP, metric 0, localpref 100, valid, external
Problem:
The next-hop address is garbled and unreachable, so a route-map has to be configured.
R2
route-map NEXTHOP permit 10
set ip next-hop 23.1.1.3
router bgp 2
address-family ipv4
neighbor 2001:23::3 route-map NEXTHOP in

R2#show ip bgp
Network Next Hop Metric LocPrf Weight Path
*> 3.0.0.0 23.1.1.3 0 0 3 i

R2#show ip route bgp
B 3.0.0.0/8 [20/0] via 23.1.1.3, 00:02:28

(3) TCP connection over IPv4, carrying IPv6 routes
R2
router bgp 2
bgp router-id 2.2.2.2
no bgp default ipv4-unicast
neighbor 23.1.1.3 remote-as 3
!
address-family ipv6
neighbor 23.1.1.3 activate
exit-address-family
R3
router bgp 3
bgp router-id 3.3.3.3
no bgp default ipv4-unicast
neighbor 23.1.1.2 remote-as 2
!
address-family ipv6
neighbor 23.1.1.2 activate
network 2001:3:3::/128
exit-address-family
Verify:
R2#show bgp ipv6 unicast summary
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
23.1.1.3 4 100 4 3 1 0 0 00:00:52 1

R2#show bgp ipv6 unicast
Network Next Hop Metric LocPrf Weight Path
i2001:3::3/128 ::FFFF:23.1.1.3 0 100 0 I

R2#show bgp ipv6 unicast 2001:3::3/128
BGP routing table entry for 2001:3::3/128, version 0
Paths: (1 available, no best path)
Not advertised to any peer
Local
::FFFF:23.1.1.3 (inaccessible) from 23.1.1.3 (3.3.3.3)
Origin IGP, metric 0, localpref 100, valid, internal
Problem: the next hop is garbled.
R2:
route-map NEXTHOP permit 10
set ipv6 next-hop 2001:23::3
router bgp 100
address-family ipv6
neighbor 23.1.1.3 route-map NEXTHOP in

R2#show bgp ipv6 unicast
Network Next Hop Metric LocPrf Weight Path
*>i2001:3::3/128 2001:23::3 0 100 0 i

R2#show ipv6 route bgp
B 2001:3::3/128 [200/0]
via 2001:23::3
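
The "garbled" next hops in cases (2) and (3) can be reproduced from the peer addresses: 32.1.0.35 is the first four bytes of 2001:23::3 read as an IPv4 address, and ::FFFF:23.1.1.3 is the IPv4-mapped form of 23.1.1.3. The following is an added example, not part of the original post; the connected prefixes and their lengths are assumptions, since the post shows only the host addresses.

```python
import ipaddress

# Assumed directly connected networks on R2 (prefix lengths are not in the post).
R2_CONNECTED = [ipaddress.ip_network("23.1.1.0/24"),
                ipaddress.ip_network("2001:23::/64")]

def derived_next_hop(peer, route_family):
    """Next hop shown for a route of route_family (4 or 6) learned from peer."""
    peer = ipaddress.ip_address(peer)
    if peer.version == route_family:
        return peer                                    # same family: used as is
    if route_family == 4:
        # IPv4 route over an IPv6 session: first 32 bits of the peer address.
        return ipaddress.IPv4Address(peer.packed[:4])
    # IPv6 route over an IPv4 session: IPv4-mapped IPv6 address.
    return ipaddress.IPv6Address("::ffff:" + str(peer))

def reachable(next_hop, connected=R2_CONNECTED):
    """True if next_hop falls inside one of the connected networks."""
    return any(next_hop.version == net.version and next_hop in net
               for net in connected)
```

Neither derived address falls inside a connected network, which is why the route is marked inaccessible until the route-map rewrites the next hop to 23.1.1.3 or 2001:23::3.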

3. XXX address-family
R2:
router bgp 100
neighbor 4.4.4.4 remote-as 100
neighbor 4.4.4.4 update-source Loopback0
address-family XXXv4
neighbor 4.4.4.4 activate
neighbor 4.4.4.4 send-community both
no synchronization
exit-address-family
address-family ipv4 vrf SITE2
no synchronization
exit-address-family

remove private AS
Filters out private AS numbers.

neighbor {ip-address | peer-group-name} remove-private-as
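
regexp
Regular expressions
Service providers match routes directly by AS; filtering per AS is efficient.
^100 matches a string that begins with 100
100$ matches a string that ends with 100
.* matches anything
^123$ matches only AS 123
^$ matches routes that have not passed through any AS, that is, routes of the local AS
^12[0-3]$ matches 120, 121, 122 and 123
^12. matches AS paths that begin with 12 or with 120 to 129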

Path filtering is defined with filters based on the autonomous system path:
ip as-path access-list acl-number [permit|deny] regexp
Additionally, based on BGP autonomous system paths, you can specify an access list filter on incoming updates from and outbound updates to neighbors by using filter lists or route maps.

Examples:
Accept Only Prefixes Originated in Autonomous System 5044
router bgp 65022
no synchronization
neighbor 172.16.0.1 remote-as 4
neighbor 172.16.0.1 filter-list 1 in
no auto-summary
!
ip as-path access-list 1 permit _5044$

Deny All Prefixes Originated in Autonomous System 200
router bgp 100
neighbor 10.1.1.1 remote-as 65535
neighbor 10.1.1.1 route-map map1 in
!
route-map map1 permit 10
match as-path 5
!
ip as-path access-list 5 deny _200$
ip as-path access-list 5 permit .*

Only Announce Routes Originated from Autonomous System 100
(AS 100 here is the router's own AS)
router bgp 100
neighbor 10.1.1.1 remote-as 65535
neighbor 10.1.1.1 route-map map1 out
!
route-map map1 permit 10
match as-path 1
!
ip as-path access-list 1 permit ^$
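
The three filters above, evaluated against sample AS paths. This is an added example, not part of the original post: it emulates the IOS "_" token (start, end, space, comma, braces or parentheses) with Python's re module and applies access-list semantics (first match wins, implicit deny). The AS paths and function names are constructed for illustration.

```python
import re

def ios_to_py(pattern):
    """Translate the IOS '_' token into Python regex syntax; the other
    tokens used on this page (^ $ . * [ ]) mean the same in both."""
    return pattern.replace("_", r"(?:^|$|[ ,{}()])")

def matches(pattern, as_path):
    """True if the IOS as-path regexp matches the AS path string."""
    return re.search(ios_to_py(pattern), as_path) is not None

def acl_permits(acl, as_path):
    """First matching entry decides; no match means implicit deny."""
    for action, pattern in acl:
        if matches(pattern, as_path):
            return action == "permit"
    return False

ACL_ONLY_5044 = [("permit", "_5044$")]
ACL_NOT_200 = [("deny", "_200$"), ("permit", ".*")]
ACL_LOCAL = [("permit", "^$")]

# Constructed AS paths: leftmost = neighbor AS, rightmost = origin AS,
# empty string = locally originated route.
PATHS = ["", "4 5044", "4 15044", "4 5044 7",
         "65535 200", "65535 1200", "200 300"]

def filter_paths(acl, paths=PATHS):
    """Return the paths the as-path access list lets through."""
    return [p for p in paths if acl_permits(acl, p)]
```

The paths "4 15044" and "65535 1200" show why the leading "_" matters: without it, 5044$ and 200$ would also match origin AS 15044 and 1200.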