Case study: BGP route black holes

2008-10-19 15:05:37   Tags: route reflector, route black hole, synchronization, BGP confederation

What is a route black hole? Put simply, a router silently discards the packets: everything sent toward the destination goes out and nothing comes back. Consider the following case (the topology diagram is not reproduced in this copy):

- R1 and R2 are EBGP neighbours
- R2 and R5 are IBGP neighbours
- R5 and R7 are EBGP neighbours
- R2, R3 and R5 run RIPv2

First the configurations.

R1:
    hostname r1
    !
    interface Loopback0
     ip address 1.1.1.1 255.255.255.0
    !
    interface Serial1/0
     ip address 192.168.12.1 255.255.255.0
     serial restart-delay 0
    !
    router bgp 100
     no synchronization
     bgp router-id 1.1.1.1
     bgp log-neighbor-changes
     network 1.1.1.0 mask 255.255.255.0
     network 192.168.12.0
     neighbor 2.2.2.2 remote-as 200
     neighbor 2.2.2.2 ebgp-multihop 255
     neighbor 2.2.2.2 update-source Loopback0
     no auto-summary
    !
    ip route 2.2.2.0 255.255.255.0 192.168.12.2

R2:
    hostname r2
    !
    interface Loopback0
     ip address 2.2.2.2 255.255.255.0
    !
    interface Serial1/0
     ip address 192.168.23.2 255.255.255.0
     serial restart-delay 0
    !
    interface Serial1/1
     ip address 192.168.12.2 255.255.255.0
     serial restart-delay 0
    !
    interface Serial1/2
     ip address 192.168.24.2 255.255.255.0
     serial restart-delay 0
    !
    router rip
     version 2
     network 2.0.0.0
     network 192.168.23.0
     no auto-summary
    !
    router bgp 200
     no synchronization
     bgp log-neighbor-changes
     network 192.168.12.0
     network 192.168.23.0
     neighbor 1.1.1.1 remote-as 100
     neighbor 1.1.1.1 ebgp-multihop 255
     neighbor 1.1.1.1 update-source Loopback0
     neighbor 5.5.5.5 remote-as 200
     neighbor 5.5.5.5 update-source Loopback0
     neighbor 5.5.5.5 next-hop-self
     no auto-summary
    !
    ip route 1.1.1.0 255.255.255.0 192.168.12.1

R3 (RIP only, no BGP):
    hostname r3
    !
    interface Loopback0
     ip address 3.3.3.3 255.255.255.0
    !
    interface Serial1/0
     ip address 192.168.35.3 255.255.255.0
     serial restart-delay 0
    !
    interface Serial1/1
     ip address 192.168.23.3 255.255.255.0
     serial restart-delay 0
    !
    router rip
     version 2
     network 3.0.0.0
     network 192.168.23.0
     network 192.168.35.0
     no auto-summary

R5:
    hostname r5
    !
    interface Loopback0
     ip address 5.5.5.5 255.255.255.0
    !
    interface FastEthernet0/0
     no ip address
     shutdown
     duplex half
    !
    interface Serial1/0
     ip address 192.168.57.5 255.255.255.0
     serial restart-delay 0
    !
    interface Serial1/1
     ip address 192.168.35.5 255.255.255.0
     serial restart-delay 0
    !
    interface Serial1/2
     ip address 192.168.45.5 255.255.255.0
     serial restart-delay 0
    !
    interface Serial1/3
     no ip address
     shutdown
     serial restart-delay 0
    !
    router rip
     version 2
     network 5.0.0.0
     network 192.168.35.0
     no auto-summary
    !
    router bgp 200
     no synchronization
     bgp log-neighbor-changes
     bgp confederation identifier 200
     neighbor 3.3.3.3 remote-as 200
     neighbor 7.7.7.7 remote-as 300
     neighbor 7.7.7.7 ebgp-multihop 255
     neighbor 7.7.7.7 update-source Loopback0
     no auto-summary
    !
    ip route 7.7.7.0 255.255.255.0 192.168.57.7

A check before going further: as posted, R5's BGP stanza names 3.3.3.3 as its AS 200 peer. R3 runs no BGP, and R2's side of the session is configured toward 5.5.5.5 sourced from Loopback0, so the R2-R5 IBGP session that the rest of the case relies on needs neighbor 2.2.2.2 remote-as 200 and neighbor 2.2.2.2 update-source Loopback0 on R5.

R7 (the capture starts mid-configuration; the hostname and Loopback0 lines are missing):
    interface Serial1/1
     ip address 192.168.57.7 255.255.255.0
     serial restart-delay 0
    !
    interface Serial1/2
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial1/3
     no ip address
     shutdown
     serial restart-delay 0
    !
    router bgp 300
     no synchronization
     bgp log-neighbor-changes
     neighbor 5.5.5.5 remote-as 200
     neighbor 5.5.5.5 ebgp-multihop 255
     no auto-summary
    !
    ip route 5.5.5.0 255.255.255.0 192.168.57.5

Now look at R7's routing table:

    r7#sh ip route
    B    1.1.1.0 [20/0] via 5.5.5.5, 00:02:54        (other lines trimmed for space)

R7 has learned R1's prefix, so on the surface the lab has achieved its goal. The problem appears as soon as we test it by pinging R1 from R7:

    r7#ping 1.1.1.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
    .....

What is going on? Synchronization is disabled on R5, so R5 advertises to R7 a prefix that R5's own IGP never learned. When R7 sends to 1.1.1.1 it sees R5 as the next hop and hands the packet to R5. R5 looks up 1.1.1.0/24: the BGP next hop is 2.2.2.2 (R2, because of next-hop-self), and a recursive lookup finds 2.2.2.0/24 reachable through R3 (RIP), so the packet goes to R3. R3 runs only RIP and has no route at all to 1.1.1.0/24, so it silently discards the packet. That is the route black hole: the control plane (R7's BGP table) says the destination is reachable, while a transit router that never learned the BGP prefix drops the traffic on the data plane.

Note that the reverse direction is broken in the same way with these configurations: R7's echo request leaves with source address 192.168.57.7, and nothing in AS 200 advertises 192.168.57.0/24 (or 7.7.7.0/24) toward R1, so even if R3 knew 1.1.1.0/24 the echo reply would be dropped at R1. Checking both directions hop by hop is part of diagnosing any black hole.
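The hop-by-hop check described above, written out as an added example for this page (it is not code from the original post). It models each router's forwarding table as read off the configurations shown, performs the same recursive next-hop resolution a router does, and reports which router discards the packet. The tables, the "links" mapping of adjacent addresses to router names and the patched R3 entry are constructed for the example.

```python
import copy
import ipaddress

# Constructed forwarding tables for the five routers in the case above, read off the
# configurations shown: "connected" marks a local prefix; BGP routes carry the BGP next hop
# (2.2.2.2 on R5 because of next-hop-self on R2); RIP and static routes carry the adjacent
# interface address. R3 runs RIP only, so it has no entry for 1.1.1.0/24.
ROUTERS = {
    "R7": {"rib": {"7.7.7.0/24": "connected", "192.168.57.0/24": "connected",
                   "5.5.5.0/24": "192.168.57.5",            # static
                   "1.1.1.0/24": "5.5.5.5"},                # EBGP from R5
           "links": {"192.168.57.5": "R5"}},
    "R5": {"rib": {"5.5.5.0/24": "connected", "192.168.57.0/24": "connected",
                   "192.168.35.0/24": "connected",
                   "7.7.7.0/24": "192.168.57.7",            # static
                   "2.2.2.0/24": "192.168.35.3",            # RIP, via R3
                   "3.3.3.0/24": "192.168.35.3",
                   "192.168.23.0/24": "192.168.35.3",
                   "1.1.1.0/24": "2.2.2.2"},                # IBGP from R2
           "links": {"192.168.35.3": "R3", "192.168.57.7": "R7"}},
    "R3": {"rib": {"3.3.3.0/24": "connected", "192.168.23.0/24": "connected",
                   "192.168.35.0/24": "connected",
                   "2.2.2.0/24": "192.168.23.2",            # RIP
                   "5.5.5.0/24": "192.168.35.5"},           # RIP; no BGP prefixes at all
           "links": {"192.168.23.2": "R2", "192.168.35.5": "R5"}},
    "R2": {"rib": {"2.2.2.0/24": "connected", "192.168.12.0/24": "connected",
                   "192.168.23.0/24": "connected",
                   "1.1.1.0/24": "192.168.12.1",            # static
                   "3.3.3.0/24": "192.168.23.3",            # RIP
                   "5.5.5.0/24": "192.168.23.3",
                   "192.168.35.0/24": "192.168.23.3"},
           "links": {"192.168.12.1": "R1", "192.168.23.3": "R3"}},
    "R1": {"rib": {"1.1.1.0/24": "connected", "192.168.12.0/24": "connected",
                   "2.2.2.0/24": "192.168.12.2"},           # static; nothing toward R7's addresses
           "links": {"192.168.12.2": "R2"}},
}


def lpm(rib, dst):
    """Longest-prefix match: (network, next_hop), or None when nothing covers dst."""
    best = None
    for prefix, nh in rib.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def resolve(router, dst):
    """Recursive lookup as a router does it: follow a BGP next hop through the RIB until the
    next hop is an adjacent address (or the prefix is connected). None means no route."""
    hit, seen = lpm(router["rib"], dst), set()
    while hit is not None:
        net, nh = hit
        if nh == "connected" or nh in router["links"]:
            return net, nh
        if nh in seen:                       # next hop only resolves to itself: unusable
            return None
        seen.add(nh)
        hit = lpm(router["rib"], ipaddress.ip_address(nh))
    return None


def trace(routers, start, dst_ip, max_hops=16):
    """Data-plane trace. Returns (outcome, path); the last router in the path is the one that
    drops the packet when the outcome is 'dropped'."""
    dst, here, path, visited = ipaddress.ip_address(dst_ip), start, [start], set()
    for _ in range(max_hops):
        if here in visited:
            return "loop", path
        visited.add(here)
        res = resolve(routers[here], dst)
        if res is None:
            return "dropped: no route", path
        _, nh = res
        if nh == "connected":
            return "delivered", path
        here = routers[here]["links"][nh]
        path.append(here)
    return "loop", path


def with_route(routers, router, prefix, next_hop):
    """Copy of the tables with one extra route, e.g. what R3 would hold if it learned 1.1.1.0/24."""
    patched = copy.deepcopy(routers)
    patched[router]["rib"][prefix] = next_hop
    return patched


if __name__ == "__main__":
    print(trace(ROUTERS, "R7", "1.1.1.1"))                   # dropped at R3
    print(trace(with_route(ROUTERS, "R3", "1.1.1.0/24", "192.168.23.2"), "R7", "1.1.1.1"))
    print(trace(ROUTERS, "R1", "192.168.57.7"))              # the reply path: dropped at R1
```

The first trace stops at R3 exactly as the case describes; giving R3 the prefix (what the full-mesh, redistribution and reflector solutions later on this page achieve in different ways) carries the packet through to R1. The third trace shows the reply direction failing at R1, which a ping test alone cannot distinguish from the forward-path failure.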
BGP route black holes: lab

1. Objective: analyse the route black hole and give ways to resolve it.

2. Topology: (diagram not reproduced in this copy). From the configurations: R1 and R2 are the AS 65000 border routers, peering over EBGP with R5 (AS 65001) and R6 (AS 65002) respectively; R3 and R4 sit between them inside AS 65000 and run only OSPF.

3. Configuration

R1:
    router ospf 1
     log-adjacency-changes
     redistribute connected metric 1000 metric-type 1 subnets   ! redistribute connected routes into OSPF
     network 10.0.1.4 0.0.0.3 area 0   ! run OSPF on the 10.0.1.4/30 interface so the adjacency with R3 forms;
                                       ! redistribution alone never forms an adjacency
    ip route 10.0.0.0 255.255.0.0 Null0                          ! static summaries
    ip route 10.3.0.0 255.255.0.0 Null0
    router bgp 65000
     no synchronization                                          ! synchronization off
     bgp log-neighbor-changes
     network 10.0.0.0 mask 255.255.0.0                           ! inject the summaries into BGP
     network 10.3.0.0 mask 255.255.0.0
     neighbor 10.0.0.2 remote-as 65000                           ! IBGP peer R2
     neighbor 10.0.0.2 update-source Loopback0
     neighbor 10.0.0.2 next-hop-self
     neighbor 10.0.15.2 remote-as 65001                          ! EBGP peer R5 in AS 65001
     no auto-summary

R2 (mirrors R1):
    router ospf 1
     log-adjacency-changes
     redistribute connected metric 1000 metric-type 1 subnets
     network 10.0.1.8 0.0.0.3 area 0
    ip route 10.0.0.0 255.255.0.0 Null0
    ip route 10.3.0.0 255.255.0.0 Null0
    router bgp 65000
     no synchronization
     bgp log-neighbor-changes
     network 10.0.0.0 mask 255.255.0.0
     network 10.3.0.0 mask 255.255.0.0
     neighbor 10.0.0.1 remote-as 65000
     neighbor 10.0.0.1 update-source Loopback0
     neighbor 10.0.0.1 next-hop-self
     neighbor 10.0.26.2 remote-as 65002
     no auto-summary

R3 (advertises its user subnet and forms OSPF adjacencies so that the IGP provides reachability):
    router ospf 1
     log-adjacency-changes
     network 10.0.0.3 0.0.0.0 area 0
     network 10.0.1.0 0.0.0.3 area 0
     network 10.0.1.4 0.0.0.3 area 0
     network 10.3.3.0 0.0.0.255 area 0

R4 (same role as R3):
    router ospf 1
     log-adjacency-changes
     network 10.0.0.4 0.0.0.0 area 0
     network 10.0.1.0 0.0.0.3 area 0
     network 10.0.1.8 0.0.0.3 area 0
     network 10.3.4.0 0.0.0.255 area 0

R5:
    ip route 10.5.0.0 255.255.0.0 Null0
    router bgp 65001
     no synchronization                        ! synchronization off
     bgp log-neighbor-changes
     network 10.5.0.0 mask 255.255.0.0         ! inject the summary
     neighbor 10.0.15.1 remote-as 65000        ! peer with R1
     no auto-summary

R6 (mirrors R5):
    ip route 10.6.0.0 255.255.0.0 Null0
    router bgp 65002
     no synchronization
     bgp log-neighbor-changes
     network 10.6.0.0 mask 255.255.0.0
     neighbor 10.0.26.1 remote-as 65000
     no auto-summary

Route black hole analysis

R6 cannot reach R5:

    RT6#ping 10.5.5.1 source 10.6.6.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.5.5.1, timeout is 2 seconds:
    Packet sent with a source address of 10.6.6.1
    .....
    Success rate is 0 percent (0/5)

Look at the routing tables. Because synchronization is off, R5 and R6 do learn routes to each other's prefixes:

    RT5#show ip route
    10.0.0.0/8 is variably subnetted, 7 subnets, 4 masks
    C       10.0.15.0/30 is directly connected, Serial0/0
    B       10.3.0.0/16 [20/0] via 10.0.15.1, 00:14:47
    B       10.0.0.0/16 [20/0] via 10.0.15.1, 00:14:47
    B       10.6.0.0/16 [20/0] via 10.0.15.1, 00:11:44      ! R5 learned R6's prefix from R1

R5 consults its table and hands the packet to R1. R1's BGP entry for 10.6.0.0/16 points at 10.0.0.2 (R2, next-hop-self), and the recursive lookup resolves 10.0.0.2 through OSPF to 10.0.1.5, which is R3:

    RT1#show ip route
    C       10.0.1.4/30 is directly connected, Serial0/0
    O E1    10.0.0.2/32 [110/1300] via 10.0.1.5, 00:25:23, Serial0/0
    B       10.6.0.0/16 [200/0] via 10.0.0.2, 00:11:10
    B       10.5.0.0/16 [20/0] via 10.0.15.2, 00:14:13

    RT3#   (no entry for 10.6.0.0/16)

R3 finds no matching entry and drops the packet. The R6-to-R5 direction fails in the same way, through R2 and R4:

    RT6#show ip route
    10.0.0.0/8 is variably subnetted, 7 subnets, 4 masks
    B       10.3.0.0/16 [20/0] via 10.0.26.1, 00:11:52
    B       10.0.0.0/16 [20/0] via 10.0.26.1, 00:11:52
    B       10.5.0.0/16 [20/0] via 10.0.26.1, 00:11:52      ! R6 learned R5's prefix from R2
    C       10.0.26.0/30 is directly connected, Serial0/0

    RT2#show ip route
    O E1    10.0.0.1/32 [110/1300] via 10.0.1.9, 00:25:30, Serial0/0
    B       10.6.0.0/16 [20/0] via 10.0.26.2, 00:11:16
    B       10.5.0.0/16 [200/0] via 10.0.0.1, 00:12:06
    C       10.0.26.0/30 is directly connected, Serial0/1

    RT4#   (no entry for 10.5.0.0/16)

The prefixes exchanged over BGP are known only to the BGP speakers R1 and R2. The OSPF-only routers in the middle of the path never learn them, so every packet that has to transit R3 or R4 is discarded.

Solutions

1. Keep synchronization off and build a full IBGP mesh

The peer-group command keeps the configuration short:

    RT1(config)#router bgp 65000
    RT1(config-router)#neighbor 65000 peer-group                 ! create the peer-group
    RT1(config-router)#neighbor 65000 remote-as 65000
    RT1(config-router)#neighbor 65000 update-source loopback 0
    RT1(config-router)#neighbor 65000 next-hop-self              ! settings shared by every member
    RT1(config-router)#neighbor 10.0.0.3 peer-group 65000        ! add members
    RT1(config-router)#neighbor 10.0.0.4 peer-group 65000

    RT2(config)#router bgp 65000                                 ! as on R1
    RT2(config-router)#neighbor 65000 peer-group
    RT2(config-router)#neighbor 65000 remote-as 65000
    RT2(config-router)#neighbor 65000 update-source loopback 0
    RT2(config-router)#neighbor 65000 next-hop-self
    RT2(config-router)#neighbor 10.0.0.3 peer-group 65000
    RT2(config-router)#neighbor 10.0.0.4 peer-group 65000

    RT3(config)#router bgp 65000                                 ! R3 now runs BGP and peers with every router in AS 65000
    RT3(config-router)#neighbor 65000 peer-group
    RT3(config-router)#neighbor 65000 remote-as 65000
    RT3(config-router)#neighbor 65000 next-hop-self
    RT3(config-router)#neighbor 65000 update-source lo0
    RT3(config-router)#neighbor 10.0.0.1 peer-group 65000
    RT3(config-router)#neighbor 10.0.0.2 peer-group 65000
    RT3(config-router)#neighbor 10.0.0.4 peer-group 65000

    RT4(config)#router bgp 65000                                 ! likewise R4
    RT4(config-router)#neighbor 65000 peer-group
    RT4(config-router)#neighbor 65000 remote-as 65000
    RT4(config-router)#neighbor 65000 next-hop-self
    RT4(config-router)#neighbor 65000 update-source lo0
    RT4(config-router)#neighbor 10.0.0.1 peer-group 65000
    RT4(config-router)#neighbor 10.0.0.2 peer-group 65000
    RT4(config-router)#neighbor 10.0.0.3 peer-group 65000

The neighbour tables confirm the full mesh:

    RT1#show ip bgp summary
    Neighbor    V  AS     MsgRcvd MsgSent TblVer InQ OutQ Up/Down  State/PfxRcd
    10.0.0.2    4  65000  45      44      5      0   0    00:38:55 3
    10.0.0.3    4  65000  13      15      5      0   0    00:09:13 0
    10.0.0.4    4  65000  10      12      5      0   0    00:06:30 0
    10.0.15.2   4  65001  46      47      5      0   0    00:41:08 1

    RT2#show ip bgp summary
    Neighbor    V  AS     MsgRcvd MsgSent TblVer InQ OutQ Up/Down  State/PfxRcd
    10.0.0.1    4  65000  45      46      5      0   0    00:39:04 3
    10.0.0.3    4  65000  13      15      5      0   0    00:09:21 0
    10.0.0.4    4  65000  10      12      5      0   0    00:06:16 0
    10.0.26.2   4  65002  43      44      5      0   0    00:38:14 1

    RT3#show ip bgp summary
    Neighbor    V  AS     MsgRcvd MsgSent TblVer InQ OutQ Up/Down  State/PfxRcd
    10.0.0.1    4  65000  15      13      5      0   0    00:09:28 3
    10.0.0.2    4  65000  15      13      5      0   0    00:09:27 3
    10.0.0.4    4  65000  10      10      5      0   0    00:06:34 0

    RT4#show ip bgp summary
    Neighbor    V  AS     MsgRcvd MsgSent TblVer InQ OutQ Up/Down  State/PfxRcd
    10.0.0.1    4  65000  12      10      7      0   0    00:06:49 3
    10.0.0.2    4  65000  12      10      7      0   0    00:06:26 3
    10.0.0.3    4  65000  10      10      7      0   0    00:06:38 0

R3 and R4 now hold all the BGP routes:

    RT3#show ip bgp
       Network          Next Hop    Metric LocPrf Weight Path
    * i10.0.0.0/16      10.0.0.2         0    100      0 i
    *>i                 10.0.0.1         0    100      0 i
    * i10.3.0.0/16      10.0.0.2         0    100      0 i
    *>i                 10.0.0.1         0    100      0 i
    *>i10.5.0.0/16      10.0.0.1         0    100      0 65001 i
    *>i10.6.0.0/16      10.0.0.2         0    100      0 65002 i

    RT4#show ip bgp
       Network          Next Hop    Metric LocPrf Weight Path
    *>i10.0.0.0/16      10.0.0.2         0    100      0 i
    * i                 10.0.0.1         0    100      0 i
    *>i10.3.0.0/16      10.0.0.2         0    100      0 i
    * i                 10.0.0.1         0    100      0 i
    *>i10.5.0.0/16      10.0.0.1         0    100      0 65001 i
    *>i10.6.0.0/16      10.0.0.2         0    100      0 65002 i

    RT3#show ip route
    10.0.0.0/8 is variably subnetted, 16 subnets, 4 masks
    O       10.0.1.8/30 [110/200] via 10.0.1.2, 00:15:55, FastEthernet1/0
    O E1    10.0.15.0/30 [110/1100] via 10.0.1.6, 00:15:55, Serial0/0
    O E1    10.0.1.12/30 [110/1100] via 10.0.1.6, 00:15:55, Serial0/0
    O E1    10.0.0.2/32 [110/1200] via 10.0.1.2, 00:15:55, FastEthernet1/0
    B       10.3.0.0/16 [200/0] via 10.0.0.1, 00:13:49
    C       10.0.0.3/32 is directly connected, Loopback0
    C       10.3.3.0/24 is directly connected, Ethernet3/0
    B       10.0.0.0/16 [200/0] via 10.0.0.1, 00:13:49
    C       10.0.1.0/30 is directly connected, FastEthernet1/0
    O E1    10.0.0.1/32 [110/1100] via 10.0.1.6, 00:15:55, Serial0/0
    B       10.6.0.0/16 [200/0] via 10.0.0.2, 00:13:49
    O       10.3.4.0/24 [110/110] via 10.0.1.2, 00:15:55, FastEthernet1/0
    O       10.0.0.4/32 [110/101] via 10.0.1.2, 00:15:56, FastEthernet1/0
    B       10.5.0.0/16 [200/0] via 10.0.0.1, 00:13:49
    C       10.0.1.4/30 is directly connected, Serial0/0
    O E1    10.0.26.0/30 [110/1200] via 10.0.1.2, 00:15:56, FastEthernet1/0

    RT4#show ip route
    10.0.0.0/8 is variably subnetted, 16 subnets, 4 masks
    C       10.0.1.8/30 is directly connected, Serial0/0
    O E1    10.0.15.0/30 [110/1200] via 10.0.1.1, 00:58:11, FastEthernet1/0
    O E1    10.0.1.12/30 [110/1100] via 10.0.1.10, 00:58:11, Serial0/0
    O E1    10.0.0.2/32 [110/1100] via 10.0.1.10, 00:58:11, Serial0/0
    B       10.3.0.0/16 [200/0] via 10.0.0.2, 00:11:59
    O       10.0.0.3/32 [110/101] via 10.0.1.1, 00:58:11, FastEthernet1/0
    O       10.3.3.0/24 [110/110] via 10.0.1.1, 00:58:11, FastEthernet1/0
    B       10.0.0.0/16 [200/0] via 10.0.0.2, 00:11:59
    C       10.0.1.0/30 is directly connected, FastEthernet1/0
    O E1    10.0.0.1/32 [110/1200] via 10.0.1.1, 00:58:11, FastEthernet1/0
    B       10.6.0.0/16 [200/0] via 10.0.0.2, 00:11:59
    C       10.3.4.0/24 is directly connected, Ethernet3/0
    C       10.0.0.4/32 is directly connected, Loopback0
    B       10.5.0.0/16 [200/0] via 10.0.0.1, 00:12:22
    O       10.0.1.4/30 [110/200] via 10.0.1.1, 00:58:11, FastEthernet1/0
    O E1    10.0.26.0/30 [110/1100] via 10.0.1.10, 00:58:11, Serial0/0

    RT5#ping 10.6.6.1 source 10.5.5.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.6.6.1, timeout is 2 seconds:
    Packet sent with a source address of 10.5.5.1
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 128/190/280 ms

For this traffic the session between R3 and R4 is not strictly required: neither of them originates BGP prefixes, so each learns everything it needs from R1 and R2. The full mesh does make R5 and R6 reachable, but every router must peer with every other router, which grows as n(n-1)/2 sessions and loads the routers accordingly.

2. Enable synchronization and redistribute BGP into the IGP

First restore R3 and R4 by removing BGP from them:

    RT4(config)#no router bgp 65000
    RT3(config)#no router bgp 65000

On R1 and R2 the sessions to R3 and R4 now show Active (the TCP connection cannot be established):

    RT1#show ip bgp summary
    Neighbor    V  AS     MsgRcvd MsgSent TblVer InQ OutQ Up/Down  State/PfxRcd
    10.0.0.2    4  65000  54      53      5      0   0    00:47:23 3
    10.0.0.3    4  65000  20      22      0      0   0    00:01:09 Active
    10.0.0.4    4  65000  18      20      0      0   0    00:00:48 Active
    10.0.15.2   4  65001  54      55      5      0   0    00:49:37 1

    RT2#show ip bgp summary
    Neighbor    V  AS     MsgRcvd MsgSent TblVer InQ OutQ Up/Down  State/PfxRcd
    10.0.0.1    4  65000  54      55      5      0   0    00:48:06 3
    10.0.0.3    4  65000  20      22      0      0   0    00:01:52 Active
    10.0.0.4    4  65000  17      19      0      0   0    00:01:30 Active
    10.0.26.2   4  65002  52      53      5      0   0    00:47:16 1

Enable synchronization on R1 and R2:

    RT1(config)#router bgp 65000
    RT1(config-router)#synchronization
    RT2(config)#router bgp 65000
    RT2(config-router)#synchronization

    RT1(config)#do show ip bgp
       Network          Next Hop    Metric LocPrf Weight Path
    * i10.0.0.0/16      10.0.0.2         0    100      0 i          ! not synchronized: not selected
    *>                  0.0.0.0          0           32768 i
    * i10.3.0.0/16      10.0.0.2         0    100      0 i          ! not synchronized: not selected
    *>                  0.0.0.0          0           32768 i
    *> 10.5.0.0/16      10.0.15.2        0               0 65001 i
    * i10.6.0.0/16      10.0.0.2         0    100      0 65002 i    ! not synchronized: not selected

An IBGP-learned path that fails the synchronization check is not selected as best and is therefore never advertised, so R1 does not announce 10.6.0.0/16 to R5.

    RT2(config)#do show ip bgp
       Network          Next Hop    Metric LocPrf Weight Path
    * i10.0.0.0/16      10.0.0.1         0    100      0 i
    *>                  0.0.0.0          0           32768 i
    * i10.3.0.0/16      10.0.0.1         0    100      0 i
    *>                  0.0.0.0          0           32768 i
    * i10.5.0.0/16      10.0.0.1         0    100      0 65001 i    ! not synchronized: not selected
    *> 10.6.0.0/16      10.0.26.2        0               0 65002 i

R5 and R6 no longer learn each other's prefixes:

    RT5#show ip bgp
       Network          Next Hop    Metric LocPrf Weight Path
    *> 10.0.0.0/16      10.0.15.1        0               0 65000 i
    *> 10.3.0.0/16      10.0.15.1        0               0 65000 i
    *> 10.5.0.0/16      0.0.0.0          0           32768 i

    RT6#show ip bgp
       Network          Next Hop    Metric LocPrf Weight Path
    *> 10.0.0.0/16      10.0.26.1        0               0 65000 i
    *> 10.3.0.0/16      10.0.26.1        0               0 65000 i
    *> 10.6.0.0/16      0.0.0.0          0           32768 i

Now redistribute the BGP routes into OSPF so that the IGP carries them and synchronization is satisfied:

    RT1(config)#router ospf 1
    RT1(config-router)#redistribute bgp 65000 subnets
    RT2(config)#router ospf 1
    RT2(config-router)#redistribute bgp 65000 subnets

R1 and R2 each see the other side's prefix through OSPF:

    RT1#show ip route
    O E2    10.6.0.0/16 [110/1] via 10.0.1.5, 00:05:03, Serial0/0
    RT2#show ip route
    O E2    10.5.0.0/16 [110/1] via 10.0.1.9, 00:10:17, Serial0/0

    RT1#show ip bgp
       Network          Next Hop    Metric LocPrf Weight Path
    * i10.0.0.0/16      10.0.0.2         0    100      0 i
    *>                  0.0.0.0          0           32768 i
    * i10.3.0.0/16      10.0.0.2         0    100      0 i
    *>                  0.0.0.0          0           32768 i
    *> 10.5.0.0/16      10.0.15.2        0               0 65001 i
    r>i10.6.0.0/16      10.0.0.2         0    100      0 65002 i

The r flag (RIB-failure) marks a path that BGP has selected as best but could not install in the routing table, because the same prefix is already there from OSPF with a lower administrative distance (110, against 200 for IBGP). BGP still advertises the path; forwarding uses the OSPF copy, which is exactly what lets R3 and R4 forward the traffic.

    RT2#show ip bgp
       Network          Next Hop    Metric LocPrf Weight Path
    * i10.0.0.0/16      10.0.0.1         0    100      0 i
    *>                  0.0.0.0          0           32768 i
    * i10.3.0.0/16      10.0.0.1         0    100      0 i
    *>                  0.0.0.0          0           32768 i
    r>i10.5.0.0/16      10.0.0.1         0    100      0 65001 i
    *> 10.6.0.0/16      10.0.26.2        0               0 65002 i

R5 and R6 learn each other's prefixes over EBGP again:

    RT5#show ip bgp
       Network          Next Hop    Metric LocPrf Weight Path
    *> 10.0.0.0/16      10.0.15.1        0               0 65000 i
    *> 10.3.0.0/16      10.0.15.1        0               0 65000 i
    *> 10.5.0.0/16      0.0.0.0          0           32768 i
    *> 10.6.0.0/16      10.0.15.1                        0 65000 65002 i

    RT6#show ip bgp
       Network          Next Hop    Metric LocPrf Weight Path
    *> 10.0.0.0/16      10.0.26.1        0               0 65000 i
    *> 10.3.0.0/16      10.0.26.1        0               0 65000 i
    *> 10.5.0.0/16      10.0.26.1                        0 65000 65001 i
    *> 10.6.0.0/16      0.0.0.0          0           32768 i

    RT3#show ip route
    10.0.0.0/8 is variably subnetted, 16 subnets, 4 masks
    O       10.0.1.8/30 [110/200] via 10.0.1.2, 00:19:10, FastEthernet1/0
    O E1    10.0.15.0/30 [110/1100] via 10.0.1.6, 00:19:10, Serial0/0
    O E1    10.0.1.12/30 [110/1100] via 10.0.1.6, 00:19:10, Serial0/0
    O E1    10.0.0.2/32 [110/1200] via 10.0.1.2, 00:19:10, FastEthernet1/0
    O E2    10.3.0.0/16 [110/1] via 10.0.1.6, 00:09:52, Serial0/0
    C       10.0.0.3/32 is directly connected, Loopback0
    C       10.3.3.0/24 is directly connected, Ethernet3/0
    O E2    10.0.0.0/16 [110/1] via 10.0.1.6, 00:09:52, Serial0/0
    C       10.0.1.0/30 is directly connected, FastEthernet1/0
    O E1    10.0.0.1/32 [110/1100] via 10.0.1.6, 00:19:10, Serial0/0
    O E2    10.6.0.0/16 [110/1] via 10.0.1.2, 00:09:52, FastEthernet1/0
    O       10.3.4.0/24 [110/110] via 10.0.1.2, 00:19:10, FastEthernet1/0
    O       10.0.0.4/32 [110/101] via 10.0.1.2, 00:19:10, FastEthernet1/0
    O E2    10.5.0.0/16 [110/1] via 10.0.1.6, 00:12:01, Serial0/0
    C       10.0.1.4/30 is directly connected, Serial0/0
    O E1    10.0.26.0/30 [110/1200] via 10.0.1.2, 00:19:10, FastEthernet1/0

    RT4#show ip route
    10.0.0.0/8 is variably subnetted, 16 subnets, 4 masks
    C       10.0.1.8/30 is directly connected, Serial0/0
    O E1    10.0.15.0/30 [110/1200] via 10.0.1.1, 00:18:53, FastEthernet1/0
    O E1    10.0.1.12/30 [110/1100] via 10.0.1.10, 00:18:53, Serial0/0
    O E1    10.0.0.2/32 [110/1100] via 10.0.1.10, 00:18:53, Serial0/0
    O E2    10.3.0.0/16 [110/1] via 10.0.1.10, 00:09:57, Serial0/0
    O       10.0.0.3/32 [110/101] via 10.0.1.1, 00:18:53, FastEthernet1/0
    O       10.3.3.0/24 [110/110] via 10.0.1.1, 00:18:53, FastEthernet1/0
    O E2    10.0.0.0/16 [110/1] via 10.0.1.10, 00:09:57, Serial0/0
    C       10.0.1.0/30 is directly connected, FastEthernet1/0
    O E1    10.0.0.1/32 [110/1200] via 10.0.1.1, 00:18:53, FastEthernet1/0
    O E2    10.6.0.0/16 [110/1] via 10.0.1.10, 00:09:57, Serial0/0
    C       10.3.4.0/24 is directly connected, Ethernet3/0
    C       10.0.0.4/32 is directly connected, Loopback0
    O E2    10.5.0.0/16 [110/1] via 10.0.1.1, 00:12:06, FastEthernet1/0
    O       10.0.1.4/30 [110/200] via 10.0.1.1, 00:18:53, FastEthernet1/0
    O E1    10.0.26.0/30 [110/1100] via 10.0.1.10, 00:18:53, Serial0/0

    RT6#ping 10.5.5.1 source 10.6.6.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.5.5.1, timeout is 2 seconds:
    Packet sent with a source address of 10.6.6.1
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 140/184/236 ms

Redistributing BGP into the IGP does satisfy synchronization, but it is not a workable method: the Internet routing table held well over a hundred thousand routes at the time of writing (far more today), and no IGP is built to carry that.

3. Route reflector

Route reflection replaces the IBGP full mesh. Turn synchronization back off:

    RT1(config-router)#no synchronization
    RT2(config-router)#no synchronization

R1 becomes the route reflector and every other AS 65000 router a client:

    RT1(config)#router bgp 65000
    RT1(config-router)#neighbor 10.0.0.2 route-reflector-client
    RT1(config-router)#neighbor rr peer-group
    RT1(config-router)#neighbor rr update-source lo0
    RT1(config-router)#neighbor rr remote-as 65000
    RT1(config-router)#neighbor rr next-hop-self
    RT1(config-router)#neighbor rr route-reflector-client
    RT1(config-router)#neighbor 10.0.0.3 peer-group rr
    RT1(config-router)#neighbor 10.0.0.4 peer-group rr

    RT3(config)#router bgp 65000
    RT3(config-router)#neighbor 10.0.0.1 remote-as 65000
    RT3(config-router)#neighbor 10.0.0.1 update-source lo0
    RT3(config-router)#neighbor 10.0.0.1 next-hop-self

    RT4(config)#router bgp 65000
    RT4(config-router)#neighbor 10.0.0.1 remote-as 65000
    RT4(config-router)#neighbor 10.0.0.1 update-source lo0
    RT4(config-router)#neighbor 10.0.0.1 next-hop-self

    RT1#show ip bgp
       Network          Next Hop    Metric LocPrf Weight Path
    *> 10.0.0.0/16      0.0.0.0          0           32768 i
    * i                 10.0.0.2         0    100      0 i
    *> 10.3.0.0/16      0.0.0.0          0           32768 i
    * i                 10.0.0.2         0    100      0 i
    *> 10.5.0.0/16      10.0.15.2        0               0 65001 i
    *>i10.6.0.0/16      10.0.0.2         0    100      0 65002 i

    RT2#show ip bgp
       Network          Next Hop    Metric LocPrf Weight Path
    * i10.0.0.0/16      10.0.0.1         0    100      0 i
    *>                  0.0.0.0          0           32768 i
    * i10.3.0.0/16      10.0.0.1         0    100      0 i
    *>                  0.0.0.0          0           32768 i
    *>i10.5.0.0/16      10.0.0.1         0    100      0 65001 i
    *> 10.6.0.0/16      10.0.26.2        0               0 65002 i

    RT3#show ip bgp
       Network          Next Hop    Metric LocPrf Weight Path
    *>i10.0.0.0/16      10.0.0.1         0    100      0 i
    *>i10.3.0.0/16      10.0.0.1         0    100      0 i
    *>i10.5.0.0/16      10.0.0.1         0    100      0 65001 i
    *>i10.6.0.0/16      10.0.0.2         0    100      0 65002 i

    RT4#show ip bgp
       Network          Next Hop    Metric LocPrf Weight Path
    *>i10.0.0.0/16      10.0.0.1         0    100      0 i
    *>i10.3.0.0/16      10.0.0.1         0    100      0 i
    *>i10.5.0.0/16      10.0.0.1         0    100      0 65001 i
    *>i10.6.0.0/16      10.0.0.2         0    100      0 65002 i

R3 and R4 see 10.6.0.0/16 with next hop 10.0.0.2 rather than the reflector's own address, because a reflector passes a reflected route on unchanged: next-hop-self on the RR rewrites the next hop only for routes it learned from EBGP, not for routes reflected between IBGP peers. That is harmless here, since OSPF carries the /32 loopbacks (redistribute connected on R1 and R2) and the next hop resolves on every router in the path. Two caveats a deployment should keep in mind: the reflector removes the full mesh on the control plane only, so every transit router must still run BGP and hold the routes (R3 and R4 are clients precisely for that reason), and a single reflector is a single point of failure for all of its clients.

    RT5#show ip bgp
       Network          Next Hop    Metric LocPrf Weight Path
    *> 10.0.0.0/16      10.0.15.1        0               0 65000 i
    *> 10.3.0.0/16      10.0.15.1        0               0 65000 i
    *> 10.5.0.0/16      0.0.0.0          0           32768 i
    *> 10.6.0.0/16      10.0.15.1                        0 65000 65002 i

    RT6#show ip bgp
       Network          Next Hop    Metric LocPrf Weight Path
    *> 10.0.0.0/16      10.0.26.1        0               0 65000 i
    *> 10.3.0.0/16      10.0.26.1        0               0 65000 i
    *> 10.5.0.0/16      10.0.26.1                        0 65000 65001 i
    *> 10.6.0.0/16      0.0.0.0          0           32768 i

4. Summary: the synchronization rule says that a BGP route learned from an IBGP peer is treated as invalid, and is not advertised to EBGP neighbours, unless the same prefix is also learned through the IGP. With synchronization off, that protection is gone and the operator must make sure every router on the forwarding path knows the BGP prefixes by other means: a full mesh, a route reflector reaching every transit router, or (as later on this page) MPLS label switching.
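The three states R1 passes through in the lab above (synchronization off; synchronization on without redistribution; synchronization on with BGP redistributed into OSPF), modelled as an added example for this page rather than router code. The best-path comparison is deliberately reduced to what matters here (locally originated beats EBGP beats IBGP); the path list and RIB contents are copied from the show outputs, and the function and field names are assumptions of the example.

```python
# Constructed model of the IOS synchronization rule and the RIB-failure ("r") check for R1.
AD = {"connected": 0, "static": 1, "ebgp": 20, "ospf": 110, "ibgp": 200}   # administrative distances
IGP_PROTOCOLS = {"ospf"}     # synchronization wants the prefix from an IGP; a Null0 static does not count
WEIGHT_LOCAL = 32768         # IOS weight given to locally originated prefixes

# R1's BGP paths as printed by show ip bgp: one entry per (prefix, source)
R1_PATHS = [
    {"prefix": "10.0.0.0/16", "next_hop": "0.0.0.0",   "source": "local", "as_path": []},
    {"prefix": "10.0.0.0/16", "next_hop": "10.0.0.2",  "source": "ibgp",  "as_path": []},
    {"prefix": "10.3.0.0/16", "next_hop": "0.0.0.0",   "source": "local", "as_path": []},
    {"prefix": "10.3.0.0/16", "next_hop": "10.0.0.2",  "source": "ibgp",  "as_path": []},
    {"prefix": "10.5.0.0/16", "next_hop": "10.0.15.2", "source": "ebgp",  "as_path": [65001]},
    {"prefix": "10.6.0.0/16", "next_hop": "10.0.0.2",  "source": "ibgp",  "as_path": [65002]},
]
# Non-BGP routes in R1's RIB: the Null0 summaries, plus 10.6.0.0/16 once R2 redistributes BGP into OSPF
R1_RIB = {"10.0.0.0/16": "static", "10.3.0.0/16": "static"}
R1_RIB_AFTER_REDISTRIBUTION = {**R1_RIB, "10.6.0.0/16": "ospf"}


def synchronized(path, rib, synchronization):
    """IOS rule: with synchronization on, an IBGP-learned path is usable (and advertisable to
    EBGP peers) only if the IGP also carries the prefix. EBGP-learned and local paths are exempt."""
    if path["source"] != "ibgp" or not synchronization:
        return True
    return rib.get(path["prefix"]) in IGP_PROTOCOLS


def preference(path):
    """Higher wins: weight (local = 32768), then EBGP over IBGP. Enough for this lab."""
    return (WEIGHT_LOCAL if path["source"] == "local" else 0, 1 if path["source"] == "ebgp" else 0)


def bgp_decisions(paths, rib, synchronization):
    """Per prefix: the best path (or None), the status flag as show ip bgp prints it, and whether
    the prefix is advertised to EBGP peers such as R5."""
    by_prefix = {}
    for p in paths:
        by_prefix.setdefault(p["prefix"], []).append(p)
    decisions = {}
    for prefix, candidates in by_prefix.items():
        usable = [p for p in candidates if synchronized(p, rib, synchronization)]
        if not usable:
            decisions[prefix] = {"best": None, "flag": "* (not synchronized)", "advertise_ebgp": False}
            continue
        best = max(usable, key=preference)
        if best["source"] != "local" and prefix in rib and AD[rib[prefix]] < AD[best["source"]]:
            flag = "r>"   # RIB-failure: the IGP copy (lower AD) owns the routing-table entry; BGP still advertises
        else:
            flag = "*>"
        decisions[prefix] = {"best": best, "flag": flag, "advertise_ebgp": True}
    return decisions


def advertised_to_ebgp(paths, rib, synchronization):
    """Sorted prefixes R1 announces to R5 under the given settings."""
    return sorted(p for p, d in bgp_decisions(paths, rib, synchronization).items() if d["advertise_ebgp"])


if __name__ == "__main__":
    for label, rib, sync in (("sync off", R1_RIB, False),
                             ("sync on, no redistribution", R1_RIB, True),
                             ("sync on, BGP redistributed into OSPF", R1_RIB_AFTER_REDISTRIBUTION, True)):
        d = bgp_decisions(R1_PATHS, rib, sync)
        print(label, "->", d["10.6.0.0/16"]["flag"], "advertised:", advertised_to_ebgp(R1_PATHS, rib, sync))
```

With synchronization off, 10.6.0.0/16 is best and advertised even though no transit router can forward it (the black hole); with synchronization on it is held back until OSPF also carries the prefix, at which point BGP advertises it but marks it r> because the OSPF copy wins the routing table.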
BGP route black holes and route reflectors (part 2)

Key route-reflector concepts:
- Cluster: the set formed by one or more RRs together with their clients (RRCs).
- ORIGINATOR_ID attribute: the router ID of the router that originated the route inside the local AS; the attribute is created by the RR.

蓝狐网络技术培训学校

Route reflector redundancy

A single RR is a single point of failure for the whole system: if it fails, all of its clients lose their only source of NLRI. For redundancy a cluster can contain several RRs. Each client has a physical connection to every RR, and the RRs also peer with one another, so if one RR fails the clients still have a session to another RR and lose no reachability information.

Route reflector redundancy (continued)

An autonomous system may contain several route-reflection clusters.

A route reflector is a BGP router that relaxes the IBGP split-horizon rule (a route learned from one IBGP peer is not passed on to another). To prevent routing loops it therefore has to use two BGP path attributes, ORIGINATOR_ID and CLUSTER_LIST:
1. ORIGINATOR_ID is an optional non-transitive attribute created by the route reflector, carrying the router ID of the route's originator in the local AS. The route reflector does not advertise a route back to its originator; even so, if the originator receives an UPDATE that contains its own router ID, it ignores that UPDATE.
2. CLUSTER_LIST is an optional non-transitive attribute that records cluster IDs, in the same way AS_PATH records AS numbers. When an RR reflects a route it received from a client, it appends its cluster ID to CLUSTER_LIST, creating the list if there is none. On receiving an UPDATE the RR checks CLUSTER_LIST; if it finds its own cluster ID there, it knows a loop has occurred and ignores the UPDATE.

Questions:
1. Why do the provincial nodes need a physical link between them? Without that link, would neighbour establishment be affected?
2. Why not add another physical link between the provincial-node router and the core node as a backup?
3. How should the prefecture-level routers be deployed, and why?
Making good use of black-hole routes

Network edge design: making good use of black-hole routes. OSPF has become the routing protocol of choice for large enterprise campus networks, but its complexity brings many potential problems.

In a healthy enterprise network OSPF should be confined to the uplink ports of the aggregation layer. If access-layer subnets are announced directly into an OSPF area with the network command, instability in the access layer propagates straight into the network core, and from a security standpoint announcing the access layer exposes the core directly: an attacker on an access segment can forge OSPF packets and attack the company network. (Beyond the design below, the usual hardening is to make every access-facing interface passive and to enable OSPF authentication on the uplinks, so that a host on an access segment cannot form an adjacency at all.)

So the key is to advertise the access subnets while keeping the access layer effectively isolated from the core.

OSPF stub areas shrink the area's link-state database and so reduce the load on devices, but flapping inside a stub area still reaches the core. Stub areas therefore do not solve this problem.

Importing a static black-hole route into OSPF achieves exactly the desired effect, and the black-hole route also prevents routing loops. The method is analysed below.

Notes:
1. Route propagation: the static black-hole route is imported into OSPF and advertised into area 0, so the routers in area 0 learn a path to the access subnets.
2. Forwarding of user traffic: the user sends its data to the gateway, which sits at the aggregation layer.
3. The aggregation switch forwards over its static default route to its next hop, the core, and the core forwards toward the destination.
4. Downstream, the type-5 LSA brings the data to the aggregation gateway.
5. The aggregation switch delivers to the access user over the connected route. It never forwards on the black-hole route itself: the connected /24 is more specific than the aggregate, so longest-prefix match prefers it (and a connected route also has a lower administrative distance than a static one).

With this design, flapping of the office access subnets does not affect the static black-hole route and therefore never disturbs OSPF in the core.

Implementation. Import a static black-hole route into OSPF as follows:
(1) Configure a static black-hole route whose mask is widened to cover all the access subnets:

    ip route-static 10.6.0.0 255.255.240.0 null0

The mask is widened so that the aggregate is a different, shorter prefix from the connected subnets: a static route for exactly the same prefix as a connected interface would lose to the connected route's lower administrative distance and never take effect, whereas the aggregate coexists with the connected /24s and the /24s keep winning longest-prefix match for real hosts. The aggregate also prevents loops: a packet for an unused address inside 10.6.0.0/20 is discarded at Null0 instead of following the default route back to the core, which would only return it on the aggregate.
(2) Import this static route into OSPF. Because the black-hole route covers the whole range and points at Null0, it stays valid whatever happens to the individual access interfaces, so the prefix the core sees never flaps.

One consequence to be aware of: everything in the /20 that is not assigned to a live subnet is now silently discarded at the aggregation switch, so that space should really be reserved for this site, and scans or misdirected traffic to it will vanish without any ICMP feedback.
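The aggregate from the implementation steps above, checked the way a practitioner would before committing it. This is an added example for this page (not the author's configuration): it computes the covering prefix for a constructed set of access /24s, verifies that the aggregate is strictly less specific than every connected subnet, lists the address space that the Null0 route will silently discard, and shows the aggregation switch's forwarding decision with and without the discard route. The subnet list and function names are assumptions of the example.

```python
import ipaddress

# Constructed access subnets behind the aggregation switch; their covering prefix is the
# 10.6.0.0/20 that the text points at Null0.
ACCESS_SUBNETS = ["10.6.0.0/24", "10.6.1.0/24", "10.6.2.0/24", "10.6.3.0/24", "10.6.8.0/24"]


def covering_aggregate(subnets):
    """Smallest single prefix that contains every access subnet: the one to point at Null0."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    agg = nets[0]
    while not all(n.subnet_of(agg) for n in nets):
        agg = agg.supernet()
    return agg


def aggregate_is_safe(aggregate, subnets):
    """The Null0 route must be strictly less specific than every connected subnet: for an
    identical prefix the static would lose to the connected route (AD 1 vs 0) and never be
    installed, and a more specific one would steal live traffic from the interface."""
    return all(aggregate.prefixlen < ipaddress.ip_network(s).prefixlen for s in subnets)


def null0_discard_space(aggregate, subnets):
    """Blocks inside the aggregate that no connected subnet covers: packets to them are
    silently discarded at the aggregation switch."""
    remaining = [aggregate]
    for s in subnets:
        n = ipaddress.ip_network(s)
        nxt = []
        for block in remaining:
            if n.subnet_of(block):
                nxt.extend(block.address_exclude(n))   # empty when n == block
            elif not block.subnet_of(n):
                nxt.append(block)
        remaining = nxt
    return sorted(remaining)


def forwarding_decision(dst_ip, subnets, aggregate, null0_installed=True):
    """Longest-prefix match on the aggregation switch for one destination. A connected /24 beats
    the aggregate; the aggregate (Null0) beats the default route. If the aggregate were advertised
    to the core without a local discard route, an unused address inside it would follow the
    default to the core and the core would send it straight back: a loop until TTL expires."""
    dst = ipaddress.ip_address(dst_ip)
    for s in subnets:
        if dst in ipaddress.ip_network(s):
            return f"connected {s}"
    if dst in aggregate:
        return "discard (Null0)" if null0_installed else "default to core, core returns it: loop"
    return "default to core"


if __name__ == "__main__":
    agg = covering_aggregate(ACCESS_SUBNETS)
    print("aggregate:", agg, "safe:", aggregate_is_safe(agg, ACCESS_SUBNETS))
    gaps = null0_discard_space(agg, ACCESS_SUBNETS)
    print("discarded space:", [str(g) for g in gaps], sum(g.num_addresses for g in gaps), "addresses")
    for ip in ("10.6.3.7", "10.6.9.1", "10.7.0.1"):
        print(ip, "->", forwarding_decision(ip, ACCESS_SUBNETS, agg))
    print("10.6.9.1 without Null0 ->", forwarding_decision("10.6.9.1", ACCESS_SUBNETS, agg, False))
```

For these five /24s the aggregate is 10.6.0.0/20 and 2816 of its 4096 addresses fall into the discard space; if that number surprises anyone, the aggregate is probably wider than the site actually owns.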
Solving BGP route black holes with a route reflector (Route Reflector)

Lab environment: C3640-IK9O3S-M, Version 12.4(10)
Objective: use a route reflector (Route Reflector) to solve the BGP route black hole caused by IBGP split horizon.
Topology: (diagram not reproduced in this copy)
Description: R1, R2, R4 and R5 run BGP; R2, R3 and R4 run OSPF. The goal is reachability between 1.1.1.1 and 5.5.5.5. IBGP sessions are built between loopback interfaces; R1-R2 and R4-R5 build EBGP sessions over their directly connected interfaces.

The data-plane black hole: R3 runs no BGP, so neither R2 nor R4 passes BGP routes to it; R3 has no route to 1.1.1.1 or 5.5.5.5 and drops the transit traffic. If R3 simply ran BGP with IBGP sessions to R2 and R4, IBGP split horizon would stop R3 from passing R2's routes to R4 and vice versa, leaving R2 and R4 with incomplete tables.

Solution: use a route reflector. R3 becomes the reflector (RR) and the other IBGP routers its clients (C); the reflector and its clients form a cluster, and a client only needs a session to the reflector rather than to every IBGP router.

Route reflector rules:
1. A route the RR receives from an EBGP peer is reflected to clients and non-clients.
2. A route received from a client is reflected to clients, non-clients and EBGP peers.
3. A route received from a non-client is reflected only to clients and EBGP peers, never to other non-clients.
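The three reflection rules just listed, together with the ORIGINATOR_ID and CLUSTER_LIST loop checks described in the route-reflector notes earlier on this page, as an added example written for this page (not vendor code). R3 is the reflector and R2 and R4 its clients as in the lab; a non-client IBGP peer 6.6.6.6 and an EBGP peer 7.7.7.7 are constructed so that every rule is exercised. Peers are identified by the loopback addresses the lab uses as router IDs; the class and field names are assumptions of the example.

```python
class RouteReflector:
    """Constructed model of RFC 4456 reflection and loop prevention for one RR."""

    def __init__(self, router_id, clients, nonclients=(), ebgp=(), cluster_id=None):
        self.router_id = router_id
        self.cluster_id = cluster_id or router_id           # CLUSTER_ID defaults to the RR's router-id
        self.clients, self.nonclients, self.ebgp = set(clients), set(nonclients), set(ebgp)

    def kind(self, peer):
        for name, group in (("client", self.clients), ("nonclient", self.nonclients), ("ebgp", self.ebgp)):
            if peer in group:
                return name
        raise ValueError(f"unknown peer {peer}")

    def receive(self, update, from_peer):
        """Process one UPDATE (a dict of path attributes). Returns [(peer, update_to_send), ...],
        or [] when the route is rejected as a reflection loop."""
        source = self.kind(from_peer)
        # Loop prevention: a route already carrying our router-id as ORIGINATOR_ID, or our
        # cluster-id anywhere in CLUSTER_LIST, has passed through us before.
        if update.get("originator_id") == self.router_id or self.cluster_id in update.get("cluster_list", []):
            return []
        if source == "ebgp":        # rule 1: to clients and non-clients (and, as any BGP speaker, other EBGP peers)
            targets = self.clients | self.nonclients | (self.ebgp - {from_peer})
        elif source == "client":    # rule 2: to the other clients, the non-clients and the EBGP peers
            targets = (self.clients - {from_peer}) | self.nonclients | self.ebgp
        else:                       # rule 3: to clients and EBGP peers only; non-clients are assumed fully meshed
            targets = self.clients | self.ebgp
        out = []
        for peer in sorted(targets):
            u = dict(update)
            if peer in self.ebgp:
                # ORIGINATOR_ID and CLUSTER_LIST are optional non-transitive: they never leave the AS
                u.pop("originator_id", None)
                u.pop("cluster_list", None)
            elif source != "ebgp":
                # Reflecting an IBGP-learned route: record the originator once, prepend our cluster-id
                u.setdefault("originator_id", from_peer)
                u["cluster_list"] = [self.cluster_id] + list(update.get("cluster_list", []))
            out.append((peer, u))
        return out


if __name__ == "__main__":
    r3 = RouteReflector("3.3.3.3", clients={"2.2.2.2", "4.4.4.4"}, nonclients={"6.6.6.6"}, ebgp={"7.7.7.7"})
    # R4 (client) advertises R5's prefix; R2 receives it with Originator 4.4.4.4, Cluster list 3.3.3.3
    for peer, u in r3.receive({"prefix": "5.5.5.0/24", "next_hop": "4.4.4.4", "as_path": [5]}, from_peer="4.4.4.4"):
        print(peer, u)
    # The same route coming back from R2 with our cluster-id in CLUSTER_LIST is dropped
    print(r3.receive({"prefix": "5.5.5.0/24", "next_hop": "4.4.4.4", "as_path": [5],
                      "originator_id": "4.4.4.4", "cluster_list": ["3.3.3.3"]}, from_peer="2.2.2.2"))
```

The attributes the model attaches for R2 match step 12 of the lab below (Originator: 4.4.4.4, Cluster list: 3.3.3.3), and they are stripped again before the route leaves the AS.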
Lab steps

1. R1 basic configuration (interfaces):
    interface Loopback0
     ip address 1.1.1.1 255.255.255.0
    !
    interface Serial0/0
     ip address 12.0.0.1 255.255.255.0
     clock rate 64000

2. R2 basic configuration (interfaces, OSPF):
    interface Loopback0
     ip address 2.2.2.2 255.255.255.0
    !
    interface Serial0/0
     ip address 12.0.0.2 255.255.255.0
    !
    interface Serial0/1
     ip address 23.0.0.1 255.255.255.0
     clock rate 64000
    !
    router ospf 110
     router-id 2.2.2.2
     network 2.2.2.0 0.0.0.255 area 0
     network 23.0.0.1 0.0.0.0 area 0

3. R3 basic configuration (interfaces, OSPF):
    interface Loopback0
     ip address 3.3.3.3 255.255.255.0
    !
    interface Serial0/0
     ip address 34.0.0.1 255.255.255.0
     clock rate 64000
    !
    interface Serial0/1
     ip address 23.0.0.2 255.255.255.0
    !
    router ospf 110
     router-id 3.3.3.3
     network 3.3.3.0 0.0.0.255 area 0
     network 23.0.0.2 0.0.0.0 area 0
     network 34.0.0.1 0.0.0.0 area 0

4. R4 basic configuration (interfaces, OSPF):
    interface Loopback0
     ip address 4.4.4.4 255.255.255.0
    !
    interface Serial0/0
     ip address 34.0.0.2 255.255.255.0
    !
    interface Serial0/1
     ip address 45.0.0.1 255.255.255.0
     clock rate 64000
    !
    router ospf 110
     router-id 4.4.4.4
     network 4.4.4.0 0.0.0.255 area 0
     network 34.0.0.2 0.0.0.0 area 0

5. R5 basic configuration (interfaces):
    interface Loopback0
     ip address 5.5.5.5 255.255.255.0
    !
    interface Serial0/1
     ip address 45.0.0.2 255.255.255.0

6. EBGP between R1 and R2

R1 (AS 1):
    router bgp 1
     no synchronization
     bgp router-id 1.1.1.1
     network 1.1.1.0 mask 255.255.255.0
     neighbor 12.0.0.2 remote-as 3
     no auto-summary

R2 (AS 3):
    router bgp 3
     no synchronization
     bgp router-id 2.2.2.2
     neighbor 12.0.0.1 remote-as 1
     no auto-summary

7. EBGP between R4 and R5

R4 (AS 3):
    router bgp 3
     no synchronization
     bgp router-id 4.4.4.4
     neighbor 45.0.0.2 remote-as 5
     no auto-summary

R5 (AS 5):
    router bgp 5
     no synchronization
     bgp router-id 5.5.5.5
     network 5.5.5.0 mask 255.255.255.0
     neighbor 45.0.0.1 remote-as 3
     no auto-summary

8. IBGP between R2, R3 and R4 over the loopback interfaces

R3:
    router bgp 3
     no synchronization
     bgp router-id 3.3.3.3
     neighbor 2.2.2.2 remote-as 3
     neighbor 2.2.2.2 update-source Loopback0
     neighbor 4.4.4.4 remote-as 3
     neighbor 4.4.4.4 update-source Loopback0
     no auto-summary

R2:
    router bgp 3
     neighbor 3.3.3.3 remote-as 3
     neighbor 3.3.3.3 update-source Loopback0
     neighbor 3.3.3.3 next-hop-self

R4:
    router bgp 3
     neighbor 3.3.3.3 remote-as 3
     neighbor 3.3.3.3 update-source Loopback0
     neighbor 3.3.3.3 next-hop-self

next-hop-self on R2 and R4 matters here: OSPF carries only the loopbacks and the R2-R3-R4 links, not the EBGP links 12.0.0.0/24 and 45.0.0.0/24, so without it the reflected routes would carry next hops that the other routers in AS 3 cannot resolve.

9. Enable route reflection on R3 and name the clients:
    router bgp 3
     neighbor 2.2.2.2 route-reflector-client
     neighbor 4.4.4.4 route-reflector-client

10. R3's BGP table:
    R3#sh ip bgp
    BGP table version is 3, local router ID is 3.3.3.3
       Network          Next Hop    Metric LocPrf Weight Path
    *>i1.1.1.0/24       2.2.2.2          0    100      0 1 i
    *>i5.5.5.0/24       4.4.4.4          0    100      0 5 i

11. Verify loopback-to-loopback reachability between R1 and R5:
    R1#ping 5.5.5.5 so 1.1.1.1
    Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
    Packet sent with a source address of 1.1.1.1
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 188/325/496 ms

12. The reflected entry for 5.5.5.0/24 on R2:
    R2#sh ip bgp 5.5.5.0/24
    BGP routing table entry for 5.5.5.0/24, version 3
    Paths: (1 available, best #1, table Default-IP-Routing-Table)
      4.4.4.4 (metric 129) from 3.3.3.3 (3.3.3.3)
        Origin IGP, metric 0, localpref 100, valid, internal, best
        Originator: 4.4.4.4, Cluster list: 3.3.3.3

13. The reflected entry for 1.1.1.0/24 on R4:
    R4#sh ip bgp 1.1.1.0/24
    BGP routing table entry for 1.1.1.0/24, version 3
    Paths: (1 available, best #1, table Default-IP-Routing-Table)
      2.2.2.2 (metric 129) from 3.3.3.3 (3.3.3.3)
        Origin IGP, metric 0, localpref 100, valid, internal, best
        Originator: 2.2.2.2, Cluster list: 3.3.3.3

14. Assessment: compared with a full IBGP mesh, the route reflector simplifies the configuration and reduces the number of sessions, since IBGP sessions are needed only between the clients and the RR. Note that this works on the data plane because R3, the only transit router, is the reflector itself and therefore holds the routes; a transit router that is not a BGP speaker at all is the case the MPLS section below addresses.
Solving BGP route black holes with MPLS

In this lab R2 and R3 are the AS 123 edge routers running BGP, and R1 in the middle runs only EIGRP. R1 never learns the BGP prefixes 4.4.4.0/24 and 5.5.5.0/24, so with plain IP forwarding a packet from R5 to 4.4.4.4 goes R3 -> R1 (the IGP path to the BGP next hop 2.2.2.2) and is dropped at R1: the same black hole as in the earlier cases. Enabling MPLS (mpls ip, which runs LDP on the core links) fixes it without giving R1 any BGP: R3 pushes the label that R1 advertised for the BGP next hop's prefix 2.2.2.0/24, R1 switches on that label alone, and the packet only gets an IP lookup again at R2, which has the BGP route.

R1 (P router: EIGRP and LDP, no BGP)
    R1>en
    R1#conf t
    R1(config)#no ip domain-lookup
    R1(config)#line console 0
    R1(config-line)#logg s
    R1(config-line)#no exec-t
    R1(config-line)#exit
    R1(config)#interface s1/0
    R1(config-if)#ip address 12.1.1.1 255.255.255.0
    R1(config-if)#no shutdown
    R1(config-if)#interface s1/1
    R1(config-if)#ip add 13.1.1.1 255.255.255.0
    R1(config-if)#no shutdown
    R1(config-if)#interface lo 0
    R1(config-if)#ip add 1.1.1.1 255.255.255.0
    R1(config-if)#exit
    R1(config)#router eigrp 90
    R1(config-router)#no auto-summary
    R1(config-router)#network 0.0.0.0
    *Mar  1 00:21:40.919: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 90: Neighbor 12.1.1.2 (Serial1/0) is up: new adjacency
    *Mar  1 00:22:19.859: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 90: Neighbor 13.1.1.3 (Serial1/1) is up: new adjacency
    R1(config-router)#do show ip route
         1.0.0.0/24 is subnetted, 1 subnets
    C       1.1.1.0 is directly connected, Loopback0
         2.0.0.0/24 is subnetted, 1 subnets
    D       2.2.2.0 [90/2297856] via 12.1.1.2, 00:00:56, Serial1/0
         3.0.0.0/24 is subnetted, 1 subnets
    D       3.3.3.0 [90/2297856] via 13.1.1.3, 00:00:14, Serial1/1
         12.0.0.0/24 is subnetted, 1 subnets
    C       12.1.1.0 is directly connected, Serial1/0
         13.0.0.0/24 is subnetted, 1 subnets
    C       13.1.1.0 is directly connected, Serial1/1
    R1(config-router)#exit
    R1(config)#interface s1/0
    R1(config-if)#mpls ip
    *Mar  1 01:13:49.207: %LDP-5-NBRCHG: LDP Neighbor 2.2.2.2:0 (1) is UP
    R1(config-if)#interface s1/1
    R1(config-if)#mpls ip
    *Mar  1 01:14:10.571: %LDP-5-NBRCHG: LDP Neighbor 3.3.3.3:0 (2) is UP

Note that R1's routing table contains only the EIGRP prefixes; there is no 4.4.4.0/24 and no 5.5.5.0/24, before or after LDP comes up.

R2 (edge: EIGRP toward R1, EBGP to R4, IBGP to R3)
    R2>en
    R2#conf t
    R2(config)#no ip domain-lookup
    R2(config)#line console 0
    R2(config-line)#logg s
    R2(config-line)#no exec-t
    R2(config-line)#exit
    R2(config)#interface s1/0
    R2(config-if)#ip address 12.1.1.2 255.255.255.0
    R2(config-if)#no shutdown
    R2(config-if)#interface s1/1
    R2(config-if)#ip add 24.1.1.2 255.255.255.0
    R2(config-if)#no shutdown
    R2(config-if)#interface lo 0
    R2(config-if)#ip add 2.2.2.2 255.255.255.0
    R2(config-if)#exit
    R2(config)#router eigrp 90
    R2(config-router)#no auto-summary
    R2(config-router)#network 12.1.1.0 0.0.0.255
    R2(config-router)#network 2.2.2.0 0.0.0.255
    R2(config-router)#exit
    R2(config)#router bgp 123
    R2(config-router)#no auto-summary
    R2(config-router)#no synchronization
    R2(config-router)#bgp router-id 2.2.2.2
    R2(config-router)#neighbor 24.1.1.4 remote-as 4
    R2(config-router)#neighbor 3.3.3.3 remote-as 123
    R2(config-router)#neighbor 3.3.3.3 update-source lo 0
    *Mar  1 00:27:58.535: %BGP-5-ADJCHANGE: neighbor 3.3.3.3 Up
    *Mar  1 00:29:08.071: %BGP-5-ADJCHANGE: neighbor 24.1.1.4 Up
    R2(config-router)#end
    R2#show ip bgp summary
    Neighbor   V  AS   MsgRcvd MsgSent TblVer InQ OutQ Up/Down  State/PfxRcd
    3.3.3.3    4  123  9       9       3      0   0    00:05:45 1
    24.1.1.4   4  4    9       9       3      0   0    00:04:35 1
    R2#show ip route
    Gateway of last resort is not set
         1.0.0.0/24 is subnetted, 1 subnets
    D       1.1.1.0 [90/2297856] via 12.1.1.1, 00:23:59, Serial1/0
         2.0.0.0/24 is subnetted, 1 subnets
    C       2.2.2.0 is directly connected, Loopback0
         3.0.0.0/24 is subnetted, 1 subnets
    D       3.3.3.0 [90/2809856] via 12.1.1.1, 00:23:10, Serial1/0
         4.0.0.0/24 is subnetted, 1 subnets
    B       4.4.4.0 [20/0] via 24.1.1.4, 00:16:37
         5.0.0.0/24 is subnetted, 1 subnets
    B       5.5.5.0 [200/0] via 3.3.3.3, 00:12:09
         24.0.0.0/24 is subnetted, 1 subnets
    C       24.1.1.0 is directly connected, Serial1/1
         12.0.0.0/24 is subnetted, 1 subnets
    C       12.1.1.0 is directly connected, Serial1/0
         13.0.0.0/24 is subnetted, 1 subnets
    D       13.1.1.0 [90/2681856] via 12.1.1.1, 00:24:29, Serial1/0
    R2#show ip bgp
    BGP table version is 3, local router ID is 2.2.2.2
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop    Metric LocPrf Weight Path
    *> 4.4.4.0/24       24.1.1.4         0               0 4 i
    *>i5.5.5.0/24       3.3.3.3          0    100      0 5 i
    R2#conf t
    R2(config)#router bgp 123
    R2(config-router)#neighbor 3.3.3.3 next-hop-self
    R2(config-router)#exit
    R2(config)#interface s1/0
    R2(config-if)#mpls ip

R3 (edge: EIGRP toward R1, EBGP to R5, IBGP to R2)
    R3>en
    R3#conf t
    R3(config)#no ip domain-lookup
    R3(config)#line console 0
    R3(config-line)#logg s
    R3(config-line)#no exec-t
    R3(config-line)#exit
    R3(config)#interface s1/1
    R3(config-if)#ip add 13.1.1.3 255.255.255.0
    R3(config-if)#no shutdown
    R3(config-if)#interface s1/0
    R3(config-if)#ip add 35.1.1.3 255.255.255.0
    R3(config-if)#no shutdown
    R3(config-if)#interface lo 0
    R3(config-if)#ip add 3.3.3.3 255.255.255.0
    R3(config-if)#exit
    R3(config)#router eigrp 90
    R3(config-router)#no auto-summary
    R3(config-router)#network 13.1.1.0 0.0.0.255
    *Mar  1 00:22:28.539: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 90: Neighbor 13.1.1.1 (Serial1/1) is up: new adjacency
    R3(config-router)#network 3.3.3.0 0.0.0.255
    R3(config-router)#exit
    R3(config)#router bgp 123
    R3(config-router)#no auto-summary
    R3(config-router)#no synchronization
    R3(config-router)#bgp router-id 3.3.3.3
    R3(config-router)#neighbor 35.1.1.5 remote-as 5
    R3(config-router)#neighbor 2.2.2.2 remote-as 123
    R3(config-router)#neighbor 2.2.2.2 update-source lo 0
    *Mar  1 00:27:58.267: %BGP-5-ADJCHANGE: neighbor 2.2.2.2 Up
    R3(config-router)#neighbor 2.2.2.2 next-hop-self
    *Mar  1 00:33:39.699: %BGP-5-ADJCHANGE: neighbor 35.1.1.5 Up
    R3(config-router)#end
    R3#show ip route
         1.0.0.0/24 is subnetted, 1 subnets
    D       1.1.1.0 [90/2297856] via 13.1.1.1, 00:23:06, Serial1/1
         35.0.0.0/24 is subnetted, 1 subnets
    C       35.1.1.0 is directly connected, Serial1/0
         2.0.0.0/24 is subnetted, 1 subnets
    D       2.2.2.0 [90/2809856] via 13.1.1.1, 00:23:06, Serial1/1
         3.0.0.0/24 is subnetted, 1 subnets
    C       3.3.3.0 is directly connected, Loopback0
         5.0.0.0/24 is subnetted, 1 subnets
    B       5.5.5.0 [20/0] via 35.1.1.5, 00:11:55
         12.0.0.0/24 is subnetted, 1 subnets
    D       12.1.1.0 [90/2681856] via 13.1.1.1, 00:23:06, Serial1/1
         13.0.0.0/24 is subnetted, 1 subnets
    C       13.1.1.0 is directly connected, Serial1/1
    R3#show ip bgp
    BGP table version is 2, local router ID is 3.3.3.3
       Network          Next Hop    Metric LocPrf Weight Path
    * i4.4.4.0/24       24.1.1.4         0    100      0 4 i
    *> 5.5.5.0/24       35.1.1.5         0               0 5 i

At this point R2 has not yet set next-hop-self toward R3, so 4.4.4.0/24 arrives with next hop 24.1.1.4, an address EIGRP does not carry. The path is valid but not selected (no ">"), and it does not enter the routing table. After next-hop-self on R2:

    R3#show ip bgp
       Network          Next Hop    Metric LocPrf Weight Path
    *>i4.4.4.0/24       2.2.2.2          0    100      0 4 i
    *> 5.5.5.0/24       35.1.1.5         0               0 5 i
    R3#show ip route
         1.0.0.0/24 is subnetted, 1 subnets
    D       1.1.1.0 [90/2297856] via 13.1.1.1, 00:46:09, Serial1/1
         35.0.0.0/24 is subnetted, 1 subnets
    C       35.1.1.0 is directly connected, Serial1/0
         2.0.0.0/24 is subnetted, 1 subnets
    D       2.2.2.0 [90/2809856] via 13.1.1.1, 00:46:09, Serial1/1
         3.0.0.0/24 is subnetted, 1 subnets
    C       3.3.3.0 is directly connected, Loopback0
         4.0.0.0/24 is subnetted, 1 subnets
    B       4.4.4.0 [200/0] via 2.2.2.2, 00:09:09
         5.0.0.0/24 is subnetted, 1 subnets
    B       5.5.5.0 [20/0] via 35.1.1.5, 00:34:58
         12.0.0.0/24 is subnetted, 1 subnets
    D       12.1.1.0 [90/2681856] via 13.1.1.1, 00:46:10, Serial1/1
         13.0.0.0/24 is subnetted, 1 subnets
    C       13.1.1.0 is directly connected, Serial1/1
    R3#conf t
    R3(config)#interface s1/1
    R3(config-if)#mpls ip

R4 (AS 4)
    R4>en
    R4#conf t
    R4(config)#no ip domain-lookup
    R4(config)#line console 0
    R4(config-line)#logg s
    R4(config-line)#exit
    R4(config)#interface s1/1
    R4(config-if)#ip address 24.1.1.4 255.255.255.0
    R4(config-if)#no shutdown
    R4(config-if)#interface lo 0
    R4(config-if)#ip add 4.4.4.4 255.255.255.0
    R4(config-if)#exit
    *Mar  1 00:20:12.531: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
    *Mar  1 00:20:13.339: %LINK-3-UPDOWN: Interface Serial1/1, changed state to up
    *Mar  1 00:20:14.343: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/1, changed state to up
    R4(config)#router bgp 4
    R4(config-router)#no auto-summary
    R4(config-router)#no synchronization
    R4(config-router)#bgp router-id 4.4.4.4
    R4(config-router)#neighbor 24.1.1.2 remote-as 123
    *Mar  1 00:29:07.415: %BGP-5-ADJCHANGE: neighbor 24.1.1.2 Up
    R4(config-router)#network 4.4.4.0 mask 255.255.255.0
    R4(config-router)#exit

R5 (AS 5)
    R5>en
    R5#conf t
    R5(config)#no ip domain-lookup
    R5(config)#line console 0
    R5(config-line)#logg s
    R5(config-line)#no exec-t
    R5(config-line)#exit
    R5(config)#interface s1/0
    R5(config-if)#ip add 35.1.1.5 255.255.255.0
    R5(config-if)#no sh
    R5(config-if)#interface lo 0
    R5(config-if)#ip add 5.5.5.5 255.255.255.0
    R5(config-if)#exit
    *Mar  1 00:20:19.819: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
    *Mar  1 00:20:20.627: %LINK-3-UPDOWN: Interface Serial1/0, changed state to up
    *Mar  1 00:20:21.631: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up
    R5(config)#router bgp 5
    R5(config-router)#no auto-summary
    R5(config-router)#no synchronization
    R5(config-router)#bgp router-id 5.5.5.5
    R5(config-router)#neighbor 35.1.1.3 remote-as 123
    R5(config-router)#network 5.5.5.0 mask 255.255.255.0
    R5(config-router)#exit
    *Mar  1 00:33:38.979: %BGP-5-ADJCHANGE: neighbor 35.1.1.3 Up
    R5(config)#do show ip route
    Gateway of last resort is not set
         35.0.0.0/24 is subnetted, 1 subnets
    C       35.1.1.0 is directly connected, Serial1/0
         4.0.0.0/24 is subnetted, 1 subnets
    B       4.4.4.0 [20/0] via 35.1.1.3, 00:15:50
         5.0.0.0/24 is subnetted, 1 subnets
    C       5.5.5.0 is directly connected, Loopback0
    R5#ping 4.4.4.4 source lo 0
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
    Packet sent with a source address of 5.5.5.5
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 112/134/172 ms

The ping succeeds in both directions: toward 4.4.4.4 R3 labels the packet for R1's binding of 2.2.2.0/24, and the reply from R4 is labelled by R2 for R1's binding of 3.3.3.0/24. In each case R1 pops the label (the edge router advertised implicit-null for its own loopback prefix, so the penultimate hop pops) and hands a plain IP packet to the edge router that holds the BGP route. What stays true is that R1 itself cannot reach 4.4.4.0/24 or 5.5.5.0/24 by IP; only labelled transit traffic crosses it, and any loss of the LDP session (or a filter that blocks LDP on the core links) reopens the black hole immediately.
BGP route black hole problem: synchronization and IBGP full mesh
1. Lab topology (Figure 1)
2. Network requirements
3. Basic connectivity debugging
4. Key lab configuration
RT1:
router ospf 1
 router-id 10.0.0.1
 redistribute connected metric 1000 metric-type 1 subnets
 passive-interface default
 no passive-interface Serial0/0
 network 10.0.0.1 0.0.0.0 area 0
 network 10.0.1.4 0.0.0.3 area 0
 default-information originate always metric 2000 metric-type 1
!
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 network 10.0.0.0 mask 255.255.0.0
 neighbor 10.0.0.2 remote-as 65000
 neighbor 10.0.0.2 update-source Loopback0
 neighbor 10.0.0.2 next-hop-self
 neighbor 10.0.15.2 remote-as 65001
 no auto-summary
!
ip route 10.0.0.0 255.255.0.0 Null0
ip route 10.3.0.0 255.255.0.0 Null0
!
RT2:
router ospf 1
 router-id 10.0.0.2
 redistribute connected metric 1000 metric-type 1 subnets
 passive-interface default
 no passive-interface Serial0/0
 network 10.0.0.2 0.0.0.0 area 0
 network 10.0.1.8 0.0.0.3 area 0
 default-information originate always metric 2000 metric-type 1
!
router bgp 65000
 no synchronization
 network 10.3.0.0 mask 255.255.0.0
 neighbor 10.0.0.1 remote-as 65000
 neighbor 10.0.0.1 update-source Loopback0
 neighbor 10.0.0.1 next-hop-self
 neighbor 10.0.26.2 remote-as 65002
 no auto-summary
!
ip route 10.0.0.0 255.255.0.0 Null0
ip route 10.3.0.0 255.255.0.0 Null0
!
RT3:
router ospf 1
 router-id 10.0.0.3
 passive-interface default
 no passive-interface Serial0/0
 no passive-interface FastEthernet1/0
 network 10.0.0.3 0.0.0.0 area 0
 network 10.0.1.0 0.0.0.3 area 0
 network 10.0.1.4 0.0.0.3 area 0
 network 10.3.3.0 0.0.0.255 area 0
RT4:
router ospf 1
 router-id 10.0.0.4
 log-adjacency-changes
 network 10.0.0.4 0.0.0.0 area 0
 network 10.0.1.0 0.0.0.3 area 0
 network 10.0.1.8 0.0.0.3 area 0
 network 10.3.4.0 0.0.0.255 area 0
!
RT5:
router bgp 65001
 no synchronization
 network 10.5.0.0 mask 255.255.0.0
 neighbor 10.0.15.1 remote-as 65000
 no auto-summary
!
ip route 10.5.0.0 255.255.0.0 Null0
!
RT6:
router bgp 65002
 no synchronization
 network 10.6.0.0 mask 255.255.0.0
 neighbor 10.0.26.1 remote-as 65000
 no auto-summary
!
ip route 10.6.0.0 255.255.0.0 Null0
!
5. Connectivity and debugging. Ping test from 10.6.6.1 to 10.5.5.1 .................. Because RT3 and RT4 do not run BGP, they never learn the routes from outside the AS.
BGP route black holes and their solutions
1. Build an IBGP full mesh of peers (tedious)
2. MPLS VPN with BGP (complex to configure)
3. A GRE tunnel
Generic Routing Encapsulation. As shown in the figure, a GRE tunnel can be built between R2 and R4:
[R2]
#
interface Tunnel0/0/0
 ip address 10.0.2.2 255.255.255.0
 tunnel-protocol gre
 source 10.0.23.2
 destination 10.0.34.4
#
ip route-static 5.5.5.5 255.255.255.255 Tunnel0/0/0
[EBGP: R1-R2; R4-R5 | IBGP: R2-R4]
(1) What is a route black hole
When IBGP peers are not directly connected (R2 and R4 in the figure), a route black hole can result.
Black hole case: R1 passes the route to 1.1.1.1 in turn to R2, R4 and R5. next-hop-local is configured on R2 so that R4's next hop for 1.1.1.1 is reachable. In practice, however, R4 forwards the packets through R3, and R3 has no route to 1.1.1.1, so communication ultimately fails.
<R1>tracert -a 1.1.1.1 5.5.5.5
 1 10.0.12.2 40 ms 50 ms 50 ms
 2 10.0.4.4 80 ms 70 ms 100 ms
 3 10.0.45.5 110 ms 70 ms 110 ms
<R1>
[R4]
interface Tunnel0/0/0
 ip address 10.0.4.4 255.255.255.0
 tunnel-protocol gre
 source 10.0.34.4
 destination 10.0.23.2
#
ip route-static 1.1.1.1 255.255.255.255 Tunnel0/0/0
On BGP route black holes and solution strategies
On BGP Route Black Holes and Solution Strategies. Author: 刘炎火. Source: 《电脑知识与技术》 (Computer Knowledge and Technology), 2020, No. 17. Abstract: In network configuration the route black hole is a fairly common fault, and it appears especially often when BGP is configured at the border. To better resolve route black holes caused by BGP configuration, this paper lists a number of solution strategies.
Keywords: route black hole; BGP; EBGP; IBGP; neighbor relationship. CLC number: TP393. Document code: A. Article ID: 1009-3044(2020)17-0056-03. Abstract: In the network configuration, routing black hole is a common failure. A routing black hole often appears especially in BGP routing. In order to better solve the routing black hole caused by BGP configuration, this paper lists a variety of solutions. Key words: routing black hole; BGP; eBGP; iBGP; neighbor relationship. When configuring BGP, the problem most easily run into is the route black hole. So what is a route black hole? Simply put, it silently discards packets, so that packets go out and never come back.
We know that traditional IP routing looks up routing information hop by hop and forwards packets according to it. In plain terms, when a packet arrives at a routing device, the device first looks up its routing table and then forwards the packet according to that information; the precondition for forwarding is, of course, that a next-hop route exists.
For BGP, the IBGP split-horizon rule, a loop-prevention mechanism, means that in a BGP design some devices do not run BGP at all.
BGP is a TCP connection, or in other words a host-to-host connection that can span intermediate devices, so propagating routes is not a problem; routing the data packets themselves, however, is.
Route black holes and black-hole routes
1.
A black hole is a concept introduced by route summarization. For example, if you hold many class C networks, 192.168.1.0/24 through 192.168.200.0/24, you can choose to summarize them when advertising routes to the outside.
Summarizing them as 192.168.0.0/16 creates a "route black hole" problem, because the summary also covers 192.168.201.0/24 through 192.168.254.0/24, for which there are no hosts.
Traffic destined for 192.168.201.0/24 through 192.168.254.0/24 may therefore be forwarded to your router even though those addresses are unreachable (in theory an ICMP unreachable should be sent back). A workable approach is to write a black-hole route at the same time as the summary, so that this junk traffic is discarded:
ip route 192.168.0.0 255.255.0.0 null 0
2.
Usually, when routes are summarized, some entries that do not really exist get swallowed into the summary. Handling packets for these non-existent entries consumes the router's own resources, and if large numbers of such packets flood the router this can turn into a DoS attack. So a route to the Null0 interface is written automatically, and the junk packets are sent straight to Null0 without any further processing.
The concepts "black-hole route" and "route black hole" are easily confused; to tell them apart, a comparison is made here.
A black-hole route is a route that swallows all unwanted traffic, so that packets go in and never come out.
The biggest advantage of a black-hole route is that it makes full use of the router's packet-forwarding capacity and has very little impact on system load.
If the same function were implemented with an ACL (access control list), CPU utilization would rise noticeably as traffic grows.
That is why it has always been the best way to deal with DoS attacks against a fixed address.
It is like digging a bottomless pit beside the path of a flood and channelling the flood into it.
Of course, that is only a metaphor; if a real flood comes, the right thing to do is: run! Configuring a black hole on a router is done purely for security reasons: a router with a black hole silently discards packets without giving any reason.
A black-hole router is a router that does not support PMTU discovery and is configured not to send "Destination Unreachable" replies.
BGP routing lab 1
BGP lab: verifying a route black hole. Test objective: route black holes come up frequently in day-to-day work; this lab reproduces a black hole caused by BGP to deepen the understanding of it.
Topology overview: 1. R1, R2 and R3 are IBGP routers.
2. R4 is an EBGP router.
Test topology. Test report: AR1 learned the route to 10.1.4.4 but could not ping it, which is the route black hole. Set up an IBGP full mesh. Main device configuration:
[AR1]dis cur
[V200R003C00]
#
 sysname AR1
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent
#
 clock timezone China-Standard-Time minus 08:00:00
#
 portal local-server load portalpage.zip
#
 drop illegal-mac alarm
#
 set cpu-usage threshold 80 restore 75
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
interface GigabitEthernet0/0/0
 ip address 10.1.12.1 255.255.255.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
interface LoopBack0
 ip address 10.1.1.1 255.255.255.255
#
interface LoopBack100
 ip address 100.1.1.1 255.255.255.255
#
bgp 100
 router-id 1.1.1.1
 peer 10.1.2.2 as-number 100
 peer 10.1.2.2 connect-interface LoopBack0
 peer 10.1.3.3 as-number 100
 peer 10.1.3.3 connect-interface LoopBack0
 #
 ipv4-family unicast
  undo synchronization
  network 100.1.1.1 255.255.255.255
  peer 10.1.2.2 enable
  peer 10.1.3.3 enable
#
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 10.1.1.1 0.0.0.0
  network 10.1.12.1 0.0.0.0
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
[AR1]bgp 100
[AR1-bgp]ne
[AR1-bgp]network 10.1.23.0 255.255.255.0
[AR1-bgp]quit
[AR1]bgp 100
[AR1-bgp]net
[AR1-bgp]undo net
[AR1-bgp]undo network 10.1.23.0 255.255.255.0
[AR1-bgp]net
[AR1-bgp]network 10.1.12.0 255.255.255.0
[AR1-bgp]quit
[AR1]dis ip int brief
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 4
The number of interface that is DOWN in Physical is 2
The number of interface that is UP in Protocol is 4
The number of interface that is DOWN in Protocol is 2
Interface                 IP Address/Mask    Physical   Protocol
GigabitEthernet0/0/0      10.1.12.1/24       up         up
GigabitEthernet0/0/1      unassigned         down       down
GigabitEthernet0/0/2      unassigned         down       down
LoopBack0                 10.1.1.1/32        up         up(s)
LoopBack100               100.1.1.1/32       up         up(s)
NULL0                     unassigned         up         up(s)
[AR1]ping -a 10.1.12.1 10.1.4.4
PING 10.1.4.4: 56 data bytes, press CTRL_C to break
Reply from 10.1.4.4: bytes=56 Sequence=1 ttl=253 time=30 ms
Reply from 10.1.4.4: bytes=56 Sequence=2 ttl=253 time=50 ms
Reply from 10.1.4.4: bytes=56 Sequence=3 ttl=253 time=40 ms
Reply from 10.1.4.4: bytes=56 Sequence=4 ttl=253 time=40 ms
Reply from 10.1.4.4: bytes=56 Sequence=5 ttl=253 time=50 ms
--- 10.1.4.4 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 30/42/50 ms
[AR1]quit
<AR1>dis cu
[V200R003C00]
#
 sysname AR1
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent
#
 clock timezone China-Standard-Time minus 08:00:00
#
 portal local-server load portalpage.zip
#
 drop illegal-mac alarm
#
 set cpu-usage threshold 80 restore 75
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
interface GigabitEthernet0/0/0
 ip address 10.1.12.1 255.255.255.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
interface LoopBack0
 ip address 10.1.1.1 255.255.255.255
#
interface LoopBack100
 ip address 100.1.1.1 255.255.255.255
#
bgp 100
 router-id 1.1.1.1
 peer 10.1.2.2 as-number 100
 peer 10.1.2.2 connect-interface LoopBack0
 peer 10.1.3.3 as-number 100
 peer 10.1.3.3 connect-interface LoopBack0
 #
 ipv4-family unicast
  undo synchronization
  network 10.1.12.0 255.255.255.0
  network 100.1.1.1 255.255.255.255
  peer 10.1.2.2 enable
  peer 10.1.3.3 enable
#
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 10.1.1.1 0.0.0.0
  network 10.1.12.1 0.0.0.0
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
<AR1>
<AR2>dis cur
[V200R003C00]
#
 sysname AR2
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent
#
 clock timezone China-Standard-Time minus 08:00:00
#
 portal local-server load portalpage.zip
#
 drop illegal-mac alarm
#
 set cpu-usage threshold 80 restore 75
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
interface GigabitEthernet0/0/0
 ip address 10.1.12.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 10.1.23.2 255.255.255.0
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
interface LoopBack0
 ip address 10.1.2.2 255.255.255.255
#
bgp 100
 router-id 2.2.2.2
 peer 10.1.1.1 as-number 100
 peer 10.1.1.1 connect-interface LoopBack0
 peer 10.1.3.3 as-number 100
 peer 10.1.3.3 connect-interface LoopBack0
 #
 ipv4-family unicast
  undo synchronization
  peer 10.1.1.1 enable
  peer 10.1.3.3 enable
#
ospf 1 router-id 2.2.2.2
 area 0.0.0.0
  network 10.1.2.2 0.0.0.0
  network 10.1.12.2 0.0.0.0
  network 10.1.23.2 0.0.0.0
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
<AR2>
<AR3>dis cur
[V200R003C00]
#
 sysname AR3
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent
#
 clock timezone China-Standard-Time minus 08:00:00
#
 portal local-server load portalpage.zip
#
 drop illegal-mac alarm
#
 set cpu-usage threshold 80 restore 75
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
interface GigabitEthernet0/0/0
 ip address 10.1.34.3 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 10.1.23.3 255.255.255.0
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
interface LoopBack0
 ip address 10.1.3.3 255.255.255.255
#
bgp 100
 router-id 3.3.3.3
 peer 10.1.1.1 as-number 100
 peer 10.1.1.1 connect-interface LoopBack0
 peer 10.1.2.2 as-number 100
 peer 10.1.2.2 connect-interface LoopBack0
 peer 10.1.34.4 as-number 200
 #
 ipv4-family unicast
  undo synchronization
  peer 10.1.1.1 enable
  peer 10.1.1.1 next-hop-local
  peer 10.1.2.2 enable
  peer 10.1.2.2 next-hop-local
  peer 10.1.34.4 enable
#
ospf 1 router-id 3.3.3.3
 area 0.0.0.0
  network 10.1.3.3 0.0.0.0
  network 10.1.23.3 0.0.0.0
#
ospf 100
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
<AR3>
<AR4>dis cur
[V200R003C00]
#
 sysname AR4
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent
#
 clock timezone China-Standard-Time minus 08:00:00
#
 portal local-server load portalpage.zip
#
 drop illegal-mac alarm
#
 set cpu-usage threshold 80 restore 75
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
interface GigabitEthernet0/0/0
 ip address 10.1.34.4 255.255.255.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
interface LoopBack0
 ip address 10.1.4.4 255.255.255.255
#
bgp 200
 router-id 4.4.4.4
 peer 10.1.34.3 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  network 10.1.4.4 255.255.255.255
  peer 10.1.34.3 enable
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
<AR4>
H3C BGP route black hole lab
1. Lab steps
Configure the IP address of each device
Test direct-link connectivity
Configure the OSPF routing protocol
Configure the BGP routing protocol
Advertise the BGP networks
Test network connectivity
2. Configuration commands and results
Configure the physical-interface and loopback IP addresses and test direct-link connectivity -------- omitted
Configure OSPF
wcg-RT2:
ospf 1 router-id 2.2.2.2
 area 0.0.0.0
  network 192.168.23.1 0.0.0.0
  network 2.2.2.2 0.0.0.0
wcg-RT3:
ospf 1 router-id 3.3.3.3
 area 0.0.0.0
  network 192.168.23.2 0.0.0.0
  network 3.3.3.3 0.0.0.0
  network 192.168.34.1 0.0.0.0
wcg-RT4:
ospf 1 router-id 4.4.4.4
 area 0.0.0.0
  network 4.4.4.4 0.0.0.0
  network 192.168.34.2 0.0.0.0
View the IP routing table on wcg-RT2 and wcg-RT4
Configure BGP
wcg-RT1:
bgp 100
 router-id 1.1.1.1
 peer 192.168.12.2 as-number 200
 net 192.168.100.1 32
wcg-RT2:
bgp 200
 router-id 2.2.2.2
 peer 192.168.12.1 as-number 100
 peer 4.4.4.4 as-number 200
 peer 4.4.4.4 connect-interface LoopBack0
wcg-RT4:
bgp 200
 router-id 4.4.4.4
 peer 192.168.45.1 as-number 300
 peer 2.2.2.2 as-number 200
 peer 2.2.2.2 connect-interface LoopBack0
wcg-RT5:
bgp 300
 router-id 5.5.5.5
 peer 192.168.45.2 as-number 200
 network 192.168.200.1 255.255.255.255
View the BGP routing table on wcg-RT2 and wcg-RT4
View the BGP routing table of wcg-RT1 and wcg-RT5
From the results above we can see that a BGP route black hole has formed at wcg-RT2 and wcg-RT4.
The fix: enable BGP synchronization and import the BGP routes into the IGP
wcg-RT2:
bgp 200
 synchronization
 quit
ospf
 import-route bgp
wcg-RT4:
bgp 200
 synchronization
 quit
ospf
 import-route bgp
View the BGP routing table on wcg-RT2 and wcg-RT4
View the IP routing table on wcg-RT2 and wcg-RT4
View the IP routing table on wcg-RT1 and wcg-RT5
On wcg-RT1: ping -a 192.168.100.1 192.168.200.1
BGP route black hole
BGP route black hole: theory and demonstration. 1. Concept of the BGP route black hole and its cause. Traditional IP route lookup is hop by hop: in plain terms, when a packet arrives at a routing device, every device looks up its own routing table and can forward the packet only if it has a route for it. For BGP there is the IBGP split-horizon rule, which passes a route only one hop (in this lab's topology, if all three devices in AS200 ran BGP with R2-R3 and R3-R4 as the BGP neighbor pairs, a route passed from R2 to R3 would not be passed on by R3 to R4; this is a loop-prevention mechanism).
So in BGP designs some devices simply do not run BGP; in this example, to demonstrate the BGP route black hole, every router except R3 runs BGP.
BGP is a TCP connection, or in other words a host-to-host connection (it can span intermediate devices), so passing routes is not a problem; routing the data packets is. 2. Topology description. The topology is shown in the figure below.
As usual, R1's s1/0 address is 12.1.1.1 (following the XY.1.1.X rule, where XY denotes the device pair), and R2's s1/0 is 12.1.1.2.
Each device also has a loopback interface XX.1.1.1; for example R1's loopback is 11.1.1.1/24.
3. Lab steps
A. Complete the IGP inside AS200 (EIGRP in this example). Note: do not advertise R2's s1/0 or R4's s1/0 into the IGP. This is common network design: the border's directly connected networks are not advertised into the IGP.
R2(config-router)#router eigrp 90
R2(config-router)#network 22.1.1.1 0.0.0.0
R2(config-router)# network 23.1.1.2 0.0.0.0
R2(config-router)# no auto-summary
!
R3(config)#router eigrp 90
R3(config-router)# network 0.0.0.0    ----------------- on R3 every interface can be advertised into the IGP
R3(config-router)# no auto-summary
!
R4(config)#router eigrp 90
R4(config-router)#network 34.1.1.4 0.0.0.0
R4(config-router)# network 44.1.1.1 0.0.0.0
R4(config-router)# no auto-summary
Get into the habit of verifying:
R3#sh ip eigrp neighbors
IP-EIGRP neighbors for process 90
H   Address    Interface   Hold  Uptime    SRTT   RTO   Q    Seq
                           (sec)           (ms)         Cnt  Num
1   34.1.1.4   Et0/1       11    03:18:02  62     372   0    9
0   23.1.1.2   Et0/0       11    03:18:17  469    2814  0    9
---- R3 now has two neighbors
The routes on R2 are also normal:
R2#sh ip route eigrp
34.0.0.0/24 is subnetted, 1 subnets
D 34.1.1.0 [90/307200] via 23.1.1.3, 03:18:56, Ethernet0/0
33.0.0.0/24 is subnetted, 1 subnets
D 33.1.1.0 [90/409600] via 23.1.1.3, 03:18:56, Ethernet0/0
44.0.0.0/24 is subnetted, 1 subnets
D 44.1.1.0 [90/435200] via 23.1.1.3, 03:18:37, Ethernet0/0
B. Complete the IBGP inside AS200 (note: R2 and R4 are BGP neighbors; R3 does not run BGP), peering between loopbacks. TCP is a point-to-point connection, so the two devices must be mutually routable; checking the route first is therefore well worth it:
R2#ping 44.1.1.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 44.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 22.1.1.1
!!!!!
R2:
R2(config)#router bgp 200
R2(config-router)# no synchronization
R2(config-router)# bgp router-id 2.2.2.2
R2(config-router)# neighbor 44.1.1.1 remote-as 200
R2(config-router)# neighbor 44.1.1.1 update-source Loopback0
R2(config-router)# no auto-summary
R4:
R4(config)#router bgp 200
R4(config-router)# no synchronization
R4(config-router)# neighbor 22.1.1.1 remote-as 200
R4(config-router)# neighbor 22.1.1.1 update-source Loopback0
R4(config-router)# no auto-summary
Verify the neighbor state:
R4#sh ip bgp summary
BGP router identifier 44.1.1.1, local AS number 200
BGP table version is 8, main routing table version 8
2 network entries using 234 bytes of memory
2 path entries using 104 bytes of memory
3/2 BGP path/bestpath attribute entries using 372 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 758 total bytes of memory
BGP activity 2/0 prefixes, 2/0 paths, scan interval 60 secs
Neighbor   V  AS   MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/PfxRcd
22.1.1.1   4  200  199      200      8       0    0     02:16:57  0
C. Complete the EBGP between R2 and R1 and between R4 and R5, and originate the routes
R1(config)#router bgp 100
R1(config-router)# no synchronization
R1(config-router)# network 11.1.1.0 mask 255.255.255.0    ------------- advertise the route
R1(config-router)# neighbor 12.1.1.2 remote-as 200
R1(config-router)# no auto-summary
!
R2(config)#router bgp 200
R2(config-router)# neighbor 12.1.1.1 remote-as 100
!
R4(config)#router bgp 200
R4(config-router)# neighbor 45.1.1.5 remote-as 300
!
router bgp 300
 no synchronization
 network 55.1.1.0 mask 255.255.255.0    ------------------ advertise the route
 neighbor 45.1.1.4 remote-as 200
 no auto-summary
Verify the neighbors:
R2#sh ip bgp summary
BGP router identifier 2.2.2.2, local AS number 200
BGP table version is 8, main routing table version 8
2 network entries using 234 bytes of memory
2 path entries using 104 bytes of memory
3/2 BGP path/bestpath attribute entries using 372 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 758 total bytes of memory
BGP activity 2/0 prefixes, 2/0 paths, scan interval 60 secs
Neighbor   V  AS   MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/PfxRcd
12.1.1.1   4  100  125      127      8       0    0     01:49:54  1
44.1.1.1   4  200  212      211      8       0    0     02:20:41  1
----- R2 has BGP neighbor relationships with both R1 and R4 and has received one prefix (route) from each. Note that the routing information is not yet complete; take R4 as an example:
R4#sh ip bgp
BGP table version is 8, local router ID is 44.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop    Metric LocPrf Weight Path
* i11.1.1.0/24      12.1.1.1         0    100      0 100 i    ------ note that this route's next hop is 12.1.1.1, but R4's routing table has no route to that next hop, so the route is not best (no > marker), and BGP passes only its best routes to neighbors
*> 55.1.1.0/24      45.1.1.5         0             0 300 i
Let's fix the unreachable next hop in the simplest way: configure next-hop-self on R2 toward R4 and on R4 toward R2 (so that the route's next hop becomes reachable):
R2(config)#router bgp 200
R2(config-router)#neighbor 44.1.1.1 next-hop-self
!
R4(config)#router bgp 200
R4(config-router)#neighbor 22.1.1.1 next-hop-self
Check the routes:
R4#sh ip bgp
BGP table version is 10, local router ID is 44.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop    Metric LocPrf Weight Path
r>i11.1.1.0/24      22.1.1.1         0    100      0 100 i
*> 55.1.1.0/24      45.1.1.5         0             0 300 i
The route 11.1.1.0/24 is now best and will be passed on to R5
R4#show ip bgp neighbors 45.1.1.5 advertised-routes
BGP table version is 10, local router ID is 44.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop    Metric LocPrf Weight Path
r>i11.1.1.0/24      22.1.1.1         0    100      0 100 i
Total number of prefixes 1
Verify the routes on R5 and R1
R5#sh ip bgp
BGP table version is 6, local router ID is 55.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop    Metric LocPrf Weight Path
*> 55.1.1.0/24      0.0.0.0          0         32768 i
R5#sh ip route bgp
11.0.0.0/24 is subnetted, 1 subnets
B 11.1.1.0 [20/0] via 45.1.1.4, 00:01:50
!
R1:
R1#sh ip bgp
BGP table version is 5, local router ID is 11.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop    Metric LocPrf Weight Path
*> 11.1.1.0/24      0.0.0.0          0         32768 i
*> 55.1.1.0/24      12.1.1.2         0             0 200 300 i
R1#sh ip route bgp
55.0.0.0/24 is subnetted, 1 subnets
B 55.1.1.0 [20/0] via 12.1.1.2, 01:42:16
Analysis: R1 and R5 now both hold BGP route entries, so packets can be routed out; R2 and R4 likewise have the routes in their routing tables and can forward.
Using MPLS to avoid BGP route black holes
Using MPLS to Avoid BGP Route Black Holes. 史创明, Department of Computer Science, Anyang Normal University. Abstract: BGP is the only protocol designed to handle networks the size of the Internet, and the only one that properly handles multihomed connections.
But because the technology has widespread security holes, and developing and deploying a more secure BGP is extremely costly, this paper explores a method of using the MPLS protocol to avoid BGP route black holes.
Keywords: MPLS, BGP, network black hole. Avoiding BGP Security Holes by Use of MPLS. Shi Chuangming (Department of Computer and Science, AnYang Teacher's College, Henan 455000). Abstract: The border gateway protocol, a widely used technology for efficiently routing data through the Internet, is rife with security holes. There'll only be an improvement if the majority of routers use a secure protocol, but the high cost of implementing Secure BGP means that few companies will adopt it. This paper puts forward a simple method for avoiding BGP security holes by use of MPLS. Keywords: MPLS, BGP, security holes. [CLC number] TP393.08 [Document code] A [Article ID]. 1. Introduction. BGP routers communicate with their neighbors and tell them which path can carry data efficiently.
But a misconfigured router, or one exploited by a network intruder, can throw the network into chaos merely by falsely claiming to be the most efficient path, thereby diverting data into unrelated networks.
Black-hole route loop prevention
debug ip pa
2. When the ICMP packets of a ping to F10 arrive, the routing-table lookup finds that the packet matches both the black-hole route entry and the default route entry. By the longest-prefix-match rule, the black-hole entry's mask is 255.255.0.0 (16 bits) while the default route's mask is 0.0.0.0 (0 bits, the shortest), so the packet is forwarded according to the black-hole entry, that is, dropped.
5. Show the routing table on R4
6. By extension, when R1 pings F12, R1 looks up its own routing table, matches the static entry 172.16.0.0/16, and sends the packet to R4.
When R4 receives the packet it looks up its routing table and finds that the packet matches the default route 0.0.0.0/0, the black-hole route 172.16.0.0/16 and the static route 172.16.1.0/24; by the longest-prefix-match rule R4 chooses the static route 172.16.1.0/24 as the basis for forwarding.
Black-hole route loop prevention:
1. Continue on R4: add a NULL interface (the "black hole") and then a static black-hole route. A black-hole route is one for which every matching packet is discarded, like a black hole in space swallowing everything that matches it.
ip route 172.16.0.0 255.255.0.0 null 0
debug ip icmp
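The longest-prefix-match behaviour described in this section, and the summary-plus-Null0 case from the "route black holes and black-hole routes" section above, as an added example in plain Python (not code from either original page). It models R1 summarising 172.16.0.0/16 toward R4 while R4 really owns only 172.16.1.0/24 and points its default route back at R1, and shows hop by hop why the Null0 route turns a forwarding loop into a clean drop. Router names, the "ISP" upstream, the "deliver" marker and the host addresses standing in for F10/F12 are all constructed placeholders.

```python
"""Longest-prefix-match forwarding with a Null0 black-hole route.

Added example; this is not code from the original page. It models the R1/R4
loop-prevention case above and the summary-route case from the "route black
holes and black-hole routes" section in plain Python, so the effect of the
Null0 entry can be checked hop by hop. Router names, the "ISP" upstream, the
"deliver" marker and the host addresses standing in for F10/F12 are all
constructed placeholders.
"""
from ipaddress import ip_address, ip_network

NULL0 = "Null0"      # sentinel next hop: the packet is discarded here on purpose
DELIVER = "deliver"  # sentinel next hop: destination is directly connected


def longest_prefix_match(rib, dst):
    """Return (network, next_hop) of the most specific route covering dst, or None.

    rib is a list of (prefix_string, next_hop); a more specific prefix always wins,
    which is why a /16 Null0 route beats the /0 default but loses to a real /24.
    """
    addr = ip_address(dst)
    best = None
    for prefix, next_hop in rib:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def forward(ribs, src, dst, ttl=8):
    """Walk a packet hop by hop through ribs (router name -> rib) and report
    ('delivered' | 'black-holed' | 'no route' | 'ttl expired (loop)', path)."""
    path, router = [src], src
    for _ in range(ttl):
        route = longest_prefix_match(ribs[router], dst)
        if route is None:
            return ("no route", path)
        next_hop = route[1]
        if next_hop == NULL0:
            return ("black-holed", path)
        if next_hop == DELIVER:
            return ("delivered", path)
        path.append(next_hop)
        router = next_hop
    return ("ttl expired (loop)", path)


# Constructed topology matching the text: R1 summarises 172.16.0.0/16 toward R4,
# R4 really owns only 172.16.1.0/24 and points its default route back at R1.
RIB_R1 = [("0.0.0.0/0", "ISP"), ("172.16.0.0/16", "R4")]
RIB_R4_PLAIN = [("0.0.0.0/0", "R1"), ("172.16.1.0/24", DELIVER)]
RIB_R4_BLACKHOLE = RIB_R4_PLAIN + [("172.16.0.0/16", NULL0)]  # ip route 172.16.0.0 255.255.0.0 null 0


def ping_from_r1(dst, blackhole_route=True):
    """Outcome of R1 sending to dst, with or without the Null0 route on R4."""
    ribs = {
        "R1": RIB_R1,
        "R4": RIB_R4_BLACKHOLE if blackhole_route else RIB_R4_PLAIN,
        "ISP": [("0.0.0.0/0", DELIVER)],
    }
    return forward(ribs, "R1", dst)


# Summary-route case: 192.168.0.0/16 is advertised but only 192.168.1.0/24 through
# 192.168.200.0/24 have hosts; the Null0 route absorbs the rest.
RIB_SUMMARY = [("192.168.%d.0/24" % i, DELIVER) for i in range(1, 201)] + [("192.168.0.0/16", NULL0)]


def summary_lookup(dst):
    """Next hop the summarising router picks for dst."""
    return longest_prefix_match(RIB_SUMMARY, dst)[1]


if __name__ == "__main__":
    print(ping_from_r1("172.16.1.12"))          # F12 exists: delivered via R4
    print(ping_from_r1("172.16.10.10"))         # F10 does not exist: black-holed at R4
    print(ping_from_r1("172.16.10.10", False))  # without Null0: bounces R1 <-> R4 until TTL runs out
    print(summary_lookup("192.168.230.7"))      # falls into the summary's hole: Null0
```

Without the Null0 entry the only match on R4 for a non-existent 172.16.x subnet is the default route back to R1, whose /16 sends the packet to R4 again, and the packet ping-pongs until its TTL expires; with the entry the /16 Null0 route is the longest match on R4 for everything except the real 172.16.1.0/24, so the packet is dropped on the first pass.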
Formation and handling of BGP route black holes
Formation and Handling of BGP Route Black Holes. Abstract: BGP is the most widely used inter-AS dynamic routing protocol today. Its split-horizon mechanism effectively prevents routing loops but gives rise to the route black hole problem.
This paper uses an example to show how a BGP route black hole forms, describes three solutions in detail and analyses the advantages and disadvantages of each.
Keywords: BGP; IGP; routing; black hole. Introduction. BGP (Border Gateway Protocol) is the most commonly used protocol today and the only one that properly handles multiple connections between unrelated routing domains.
Internet backbone nodes worldwide rely on BGP to exchange routes between different ASes.
In IPv4 environments BGP version 4 (BGPv4) is the most widely deployed.
According to the IETF website, BGPv4 is described in detail in RFC4271; the document was published in June 1995 and last updated in January 2006.
BGP uses TCP as its transport protocol with destination port 179. Two BGP routers need only IP connectivity and the ability to set up a TCP connection to become peers; in other words, BGP peers do not have to be directly connected.
Being able to carry routes over TCP makes BGP very flexible; however, like the two sides of a coin, this flexibility is also the background against which BGP route black holes arise.
Based on RFC4271 and a practical BGP case, this paper uses Huawei eNSP (version 1.2.00.510) to simulate routers and routing protocols and Wireshark (version 1.4.3) packet captures for comparative analysis, and examines the causes of BGP route black holes and the measures for handling them.
1 Formation of a BGP route black hole. In Figure 1, router interface IP addresses are configured as 10.0.xy.x, where x is the number of the router owning the interface and y is the number of the router at the other end of the link; for example R2's G0/0/0 and G0/0/1 are 10.0.12.2 and 10.0.23.2. Some interface addresses are labelled in the figure.
Every router has a Loopback0 interface with address x.x.x.x/32, and OSPF runs inside AS200.
Over the Loopback0 interfaces, R1 and R2, and R5 and R7, establish EBGP peerings; R2 and R5 establish an IBGP peering.
Troubleshooting case: BGP path-selection oscillation causing route flapping
b) Logging in to 193.168.100.1 (Router_B), the reason these routes flap so often is that BGP's best path keeps switching during path selection (between 195.168.100.1 and 192.168.100.1), so the route is updated over and over.
Community: 1025:32007 1025:32412 1025:32502 1025:60952
Originator:
1025:32412 1025:32502 1025:60952
Path #2: Received by speaker 0
1002 17888 45932 55945
198.168.100.1 from 198.168.100.1 (203.192.169.249)
Origin
Router_B#show bgp 101.101.96.0/22
BGP routing table entry for 101.101.96.0/22
Versions:
  Process           bRIB/RIB    SendTblVer
  Speaker           188363313   188363313
Last Modified: Mar 8 09:04:45.207 for 00:00:00
1. Identify the source of the flapping routes
a) Because refreshing an entry in the RIB also resets that entry's timer, flapping BGP routes are refreshed frequently in the RIB as well, so the flapping routes can be found from the RIB. The command is "show ip route | in _00:00".
How to troubleshoot black-hole router problems
How to troubleshoot black-hole router problems. In a TCP/IP-based wide area network (WAN), if some intermediate segment has a maximum packet size smaller than that of the communicating hosts, and the router is unable to send the appropriate Internet Control Message Protocol (ICMP) response in that situation, communication over some routes may fail.
Such a router is sometimes called a "black hole" router.
You can locate a black-hole router with the Ping utility, a standard tool installed with the Microsoft Windows TCP/IP protocol.
You can then use one of three methods to fix or work around the black-hole router problem.
If a network router receives a packet larger than the maximum transmission unit (MTU) of the next segment, and the packet's IP-layer "don't fragment" bit is set, the router should send an ICMP "destination unreachable" message back to the sending host.
If the router does not send this message, the packet may be dropped, which causes a variety of errors depending on the program communicating across the failing link.
(These errors do not occur if the program connects to a computer on the local subnet.)
The condition may look intermittent, but closer investigation shows it can be reproduced, for example by having a client read a large file from a remote host.
Client errors: the client cannot establish a connection to the remote computer.
The most likely causes of this error are:
- Remote connections are not enabled on the remote computer.
- The maximum number of connections was exceeded on the remote computer.
- A network error occurred while the connection was being established.
Server-side error: Event ID 1004. Source: TermService. Description: "The terminal server cannot issue a client license. It was unable to issue the license due to a changed (mismatched) client license, insufficient memory, or an internal error. Further details for this problem may have been reported at the client's computer."
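The PMTU black-hole mechanism described above, as an added example (not code from the original article): it simulates a path of links with different MTUs where each router either answers an oversized don't-fragment packet with ICMP "fragmentation needed" or drops it silently, and a probe that mimics the "ping with the don't-fragment bit set and a chosen size" technique the article describes. Hop names, MTUs and packet sizes are constructed values.

```python
"""Finding a PMTU black-hole router with DF-bit probes.

Added example; it is not code from the original article. It simulates a path of
links with different MTUs: each router either answers an oversized DF packet with
ICMP "fragmentation needed" (well-behaved) or drops it silently (a black-hole
router), and the probe mimics the "ping with the don't-fragment bit and a chosen
size" technique the article describes. Hop names, MTUs and sizes are constructed.
"""
from dataclasses import dataclass

IP_ICMP_HEADERS = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


@dataclass
class Hop:
    name: str
    mtu: int          # MTU of the link this hop forwards onto
    sends_icmp: bool  # False models a router that discards DF packets silently


def send_df_probe(path, payload):
    """Send one echo with DF set and `payload` data bytes along path.
    Returns (status, hop_name, mtu_reported):
      ("reply", None, None)                    - fits every link
      ("icmp_frag_needed", hop, next_hop_mtu)  - a conforming router answered
      ("timeout", hop, None)                   - dropped by a black-hole router
    """
    size = payload + IP_ICMP_HEADERS
    for hop in path:
        if size > hop.mtu:
            if hop.sends_icmp:
                return ("icmp_frag_needed", hop.name, hop.mtu)
            return ("timeout", hop.name, None)
    return ("reply", None, None)


def probe_path(path, lo=68, hi=1500):
    """Binary-search the largest DF payload that still gets a reply.

    A size that fails with a timeout instead of an ICMP fragmentation-needed
    message is the black-hole symptom: large packets vanish, small ones work.
    Returns {'largest_payload': int|None, 'black_hole_router': str|None}.
    """
    largest_ok, black_hole = None, None
    while lo <= hi:
        mid = (lo + hi) // 2
        status, hop, _ = send_df_probe(path, mid)
        if status == "reply":
            largest_ok, lo = mid, mid + 1
        else:
            if status == "timeout":
                black_hole = hop
            hi = mid - 1
    return {"largest_payload": largest_ok, "black_hole_router": black_hole}


# Constructed paths: the same 1400-byte link, once behind a well-behaved router and
# once behind a router that never sends the ICMP message.
GOOD_PATH = [Hop("R1", 1500, True), Hop("R2", 1400, True), Hop("R3", 1500, True)]
BLACK_HOLE_PATH = [Hop("R1", 1500, True), Hop("R2", 1400, False), Hop("R3", 1500, True)]

if __name__ == "__main__":
    print(send_df_probe(GOOD_PATH, 1472))        # ('icmp_frag_needed', 'R2', 1400)
    print(send_df_probe(BLACK_HOLE_PATH, 1472))  # ('timeout', 'R2', None)
    print(probe_path(BLACK_HOLE_PATH))           # largest payload 1372, black hole at R2
```

On a real Windows host the equivalent probe is ping with the don't-fragment option and an explicit payload size; the tell-tale pattern is the same as in the simulation: replies up to some size, then timeouts rather than "packet needs to be fragmented" messages beyond it.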
Using a tunnel to solve the route black hole problem
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router eigrp 100
 network 2.2.2.2 0.0.0.0
 network 192.168.23.0
 no auto-summary
!
router bgp 200
 no synchronization
 bgp router-id 2.2.2.2
 bgp log-neighbor-changes
 neighbor 1.1.1.1 remote-as 100
 neighbor 1.1.1.1 ebgp-multihop 255
 neighbor 1.1.1.1 update-source Loopback0
 neighbor 4.4.4.4 remote-as 200
 neighbor 4.4.4.4 update-source Loopback0
 neighbor 4.4.4.4 next-hop-self
 no auto-summary
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.12.1
-----R3:
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 192.168.34.3 255.255.255.0
 serial restart-delay 0
!
interface Serial1/1
 ip address 192.168.23.3 255.255.255.0
 serial restart-delay 0
In-depth case study: BGP route black hole. What is a route black hole? Simply put, it silently discards packets, so that every packet goes out and never comes back. Let's look at a case. As shown in the figure: R1 and R2 are EBGP neighbors, R2 and R5 are IBGP neighbors, R5 and R7 are EBGP neighbors, and R2, R3 and R5 run RIPv2. First the configuration:
sysname route-1
#
router id 1.1.1.1
#
interface Ethernet0/0
 ip address 192.168.12.1 255.255.255.252
#
interface Ethernet0/1
 ip address dhcp-alloc
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
#
bgp 100
 undo synchronization
 group 1 external
 peer 192.168.12.2 group 1 as-number 200
#
ip route-static 2.2.2.2 255.255.255.255 192.168.12.2 preference 60
#
sysname route-2
#
router id 2.2.2.2
#
interface Ethernet0/0
 ip address 192.168.12.2 255.255.255.252
#
interface Ethernet0/1
 ip address 192.168.23.1 255.255.255.252
#
interface LoopBack0
 ip address 2.2.2.2 255.255.255.255
#
bgp 200
 undo synchronization
 group 1 external
 peer 192.168.12.1 group 1 as-number 100
 group 2 internal
 peer 192.168.35.2 group 2
#
ospf 1
 import-route direct
 import-route static
 area 0.0.0.0
  network 2.2.2.2 0.0.0.0
  network 192.168.23.0 0.0.0.3
#
ip route-static 1.1.1.1 255.255.255.255 192.168.12.1 preference 60
#
sysname route-3
#
router id 3.3.3.3
#
interface Ethernet0/0
 ip address 192.168.35.1 255.255.255.252
#
interface Ethernet0/1
 ip address 192.168.23.2 255.255.255.252
#
interface LoopBack0
 ip address 3.3.3.3 255.255.255.255
#
ospf 1
 import-route direct
 import-route static
 area 0.0.0.0
  network 3.3.3.3 0.0.0.0
  network 192.168.23.0 0.0.0.3
  network 192.168.35.0 0.0.0.3
#
sysname route-5
#
router id 5.5.5.5
#
interface Ethernet0/0
 ip address 192.168.35.2 255.255.255.252
#
interface Ethernet0/1
 ip address 192.168.57.1 255.255.255.252
#
interface LoopBack0
 ip address 5.5.5.5 255.255.255.255
#
bgp 200
 undo synchronization
 group 2 internal
 peer 192.168.23.1 group 2
 group 1 external
 peer 192.168.57.2 group 1 as-number 300
#
ospf 1
 import-route direct
 import-route static
 area 0.0.0.0
  network 5.5.5.5 0.0.0.0
  network 192.168.35.0 0.0.0.3
#
ip route-static 7.7.7.7 255.255.255.255 192.168.57.2 preference 60
sysname route-7
#
router id 7.7.7.7
#
interface Ethernet0/0
 ip address dhcp-alloc
#
interface Ethernet0/1
 ip address 192.168.57.2 255.255.255.252
#
interface LoopBack0
 ip address 7.7.7.7 255.255.255.255
#
bgp 300
 undo synchronization
 group 1 external
 peer 192.168.57.1 group 1 as-number 200
#
ip route-static 1.1.1.1 255.255.255.255 192.168.57.1 preference 60
ip route-static 5.5.5.5 255.255.255.255 192.168.57.1 preference 60
Now look at R7's routing table:
<route-7>disp ip rou
Routing Table: public net
Destination/Mask    Protocol  Pre  Cost  Nexthop       Interface
1.1.1.1/32          STATIC    60   0     192.168.57.1  Ethernet0/1
5.5.5.5/32          STATIC    60   0     192.168.57.1  Ethernet0/1
7.7.7.7/32          DIRECT    0    0     127.0.0.1     InLoopBack0
127.0.0.0/8         DIRECT    0    0     127.0.0.1     InLoopBack0
127.0.0.1/32        DIRECT    0    0     127.0.0.1     InLoopBack0
192.168.57.0/30     DIRECT    0    0     192.168.57.2  Ethernet0/1
192.168.57.2/32     DIRECT    0    0     127.0.0.1     InLoopBack0
We can see that R7 has learned R1's route. On the surface the lab looks perfect and the goal has been reached, but now the problem appears. As a test, ping R1 from R7:
<route-7> ping 1.1.1.1
PING 1.1.1.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 1.1.1.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
..... So what is going on? We turned synchronization off on R5, so it passes on to R7 a route that would not otherwise have qualified as best. When R7 sends packets toward R1, it sees R5 as its next hop and sends them to R5. R5 then looks in its routing table, finds that the next hop to R1 is R2, continues the lookup, finds that R2 is reached through R3, and hands the data to R3. This is where the problem arises: R3 does not run BGP, has no idea how to reach R1, and drops the packet, creating the route black hole.
This shows the importance of BGP/IGP synchronization. What is synchronization? I covered it in the previous article and will not go over it again.
(Likewise R1 cannot reach R7, although it has R7's route entry.) (Conditions for a route to qualify as best: 1. the next hop is reachable, satisfied here; 2. synchronization, not satisfied here.) Now that the problem has appeared, how do we solve it? First, if synchronization is enabled on R5, this situation does not occur: when R5 receives the route for R1 from R2, it checks its IGP routing table for a route to R1 and, if there is none, does not pass the route on to R7, which avoids the black hole.
But our real goal is for R7 to learn R1's route, so what can we do? We could redistribute the BGP routes into RIP so that the IGP and BGP become synchronized, but that is not a good idea: it is fine in a lab, but the Internet today holds more than 200,000 route entries, and redistributing them into our IGP routers would clearly overwhelm most of them.
Solution 1: Full mesh. Run BGP between R2 and R3 and between R3 and R5 so that R3 learns the route to R1. This requires neighbor relationships to be built between R1, R2 and R3 in turn; with many routers a full mesh requires n*(n-1)/2 neighbor relationships, which is clearly cumbersome.
(omitted) Solution 2: Route reflector. We can make R3 a route reflector so that it reflects the route entries learned from R1 to R5; normally, to prevent loops, routes learned from IBGP are not passed on to other IBGP neighbors.
Now neighbor relationships are needed only between the route-reflector clients and the reflector, reducing them to n-1.
Rules of a route reflector (RR): 1. A route learned from a non-client IBGP peer is reflected only to clients. 2. A route learned from a client is reflected to all non-clients and to all clients other than the client that originated it. 3. A route learned from an EBGP peer is reflected to all clients and non-clients. Procedure: remove the neighbor relationship between R2 and R5 and build IBGP only between R2 and R3 and between R3 and R5. Then, in R3's router configuration mode:
neighbor 2.2.2.2 route-reflector-client
neighbor 5.5.5.5 route-reflector-client    // make R2 and R5 clients of the RR
R5 now receives the route for R1 and passes it on to R7.
Solution 3: Confederation. A confederation divides one large AS into several smaller sub-ASes. If AS200 is China, the whole of China can be divided into provinces; AS65012 and AS65003 are the "small ASes" carved out of it. These AS numbers are private and are removed automatically when a route leaves AS200 (64512-65535 are usable). After this division R3 and R5 become confederation EBGP neighbors, so R3's route entry for R1 can be passed to R5.
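The forwarding failure described in this case study (and the same R2/R3/R4 pattern in the Cisco lab sections above), as an added example in Python that is not code from the original page. It keeps per-prefix IGP, static and BGP tables whose next hops are router names, resolves a BGP next hop recursively through the IGP the way the text walks through it, and shows both why the packet dies on R3 and what the synchronization rule would have done on R5. The tables, the "local" marker, the BGP_FULL_MESH variant and the helper functions are constructed for this example and stand in for the real RIP/BGP/FIB state.

```python
"""BGP route black hole: recursive next-hop lookup through a non-BGP router.

Added example; it is not code from the original article. It models the case above
(R1-R2 EBGP, R2-R5 IBGP over loopbacks, R5-R7 EBGP, R3 running only the IGP,
synchronization off) with per-prefix tables whose next hops are router names,
and shows why the packet dies on R3 and what synchronization would have done.
The tables, the "local" marker and the helper functions are constructed for
this example and stand in for the real RIP/BGP/FIB state.
"""

LOOPBACK = {"R1": "1.1.1.1/32", "R2": "2.2.2.2/32", "R3": "3.3.3.3/32",
            "R5": "5.5.5.5/32", "R7": "7.7.7.7/32"}

# IGP (RIP) routes inside AS200: prefix -> next-hop router; "local" = my own address.
IGP = {
    "R2": {"2.2.2.2/32": "local", "3.3.3.3/32": "R3", "5.5.5.5/32": "R3"},
    "R3": {"3.3.3.3/32": "local", "2.2.2.2/32": "R2", "5.5.5.5/32": "R5"},
    "R5": {"5.5.5.5/32": "local", "3.3.3.3/32": "R3", "2.2.2.2/32": "R3"},
}
# Static/connected routes on the EBGP links R1-R2 and R5-R7.
STATIC = {
    "R1": {"1.1.1.1/32": "local", "2.2.2.2/32": "R2"},
    "R2": {"1.1.1.1/32": "R1"},
    "R5": {"7.7.7.7/32": "R7"},
    "R7": {"7.7.7.7/32": "local", "5.5.5.5/32": "R5"},
}
# BGP tables: prefix -> router whose loopback is the BGP next hop
# (next-hop-self on R2 and R5 makes the IBGP next hop a loopback).
BGP_BLACKHOLE = {
    "R1": {"7.7.7.7/32": "R2"},
    "R2": {"1.1.1.1/32": "R1", "7.7.7.7/32": "R5"},
    "R5": {"1.1.1.1/32": "R2", "7.7.7.7/32": "R7"},
    "R7": {"1.1.1.1/32": "R5"},
}
# Solutions 1/2 (full mesh or route reflector): R3 also learns the routes.
BGP_FULL_MESH = {**BGP_BLACKHOLE, "R3": {"1.1.1.1/32": "R2", "7.7.7.7/32": "R5"}}


def next_hop(router, prefix, bgp):
    """One FIB lookup. IGP/static routes win; otherwise the BGP next hop is
    resolved recursively through the IGP, which is where the black hole forms:
    R5 resolves next hop 2.2.2.2 to 'via R3', and R3 has never heard of the prefix."""
    fib = {**IGP.get(router, {}), **STATIC.get(router, {})}
    if prefix in fib:
        return fib[prefix]
    bgp_next_hop = bgp.get(router, {}).get(prefix)
    if bgp_next_hop is None:
        return None
    return fib.get(LOOPBACK[bgp_next_hop])


def forward(src, prefix, bgp, ttl=10):
    """Carry a packet hop by hop; returns (outcome, list of routers visited)."""
    path, router = [src], src
    for _ in range(ttl):
        hop = next_hop(router, prefix, bgp)
        if hop is None:
            return ("dropped at %s: no route" % router, path)
        if hop == "local":
            return ("delivered", path)
        path.append(hop)
        router = hop
    return ("ttl expired", path)


def r5_advertises_to_r7(prefix, synchronization):
    """Synchronization rule: an IBGP-learned prefix is advertised to an EBGP
    peer only if the IGP also carries it. With 'no synchronization' (the lab
    setting) R5 advertises it regardless, and the black hole becomes reachable."""
    return True if not synchronization else prefix in IGP["R5"]


if __name__ == "__main__":
    print(forward("R7", "1.1.1.1/32", BGP_BLACKHOLE))   # dropped at R3
    print(forward("R1", "7.7.7.7/32", BGP_BLACKHOLE))   # the same thing in reverse
    print(forward("R7", "1.1.1.1/32", BGP_FULL_MESH))   # delivered once R3 speaks BGP
    print(r5_advertises_to_r7("1.1.1.1/32", synchronization=True))   # False: withheld
```

The point the model makes explicit is that R5's BGP route is perfectly valid from R5's own point of view (its next hop 2.2.2.2 resolves through the IGP), and the failure only shows up one hop later on a router that never took part in the BGP exchange; synchronization withholds the advertisement, while a full mesh or route reflector gives R3 the missing entry.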
R2:
router bgp 65012                        // the confederation sub-AS number
 no synchronization
 bgp log-neighbor-changes
 bgp confederation identifier 200       // R2 presents AS 200 to the outside: it tells R1 its AS is 200, because 65012 is private
 network 192.168.12.0
 network 192.168.23.0
 neighbor 1.1.1.1 remote-as 100
 neighbor 1.1.1.1 ebgp-multihop 255
 neighbor 1.1.1.1 update-source Loopback0
 neighbor 3.3.3.3 remote-as 65012
 neighbor 3.3.3.3 update-source Loopback0
 neighbor 3.3.3.3 next-hop-self
 no auto-summary
R3:
r3#sh run | b r b
router bgp 65012
 no synchronization
 bgp log-neighbor-changes
 bgp confederation identifier 200       // claims AS 200 toward R5; it does not claim it toward R1, since they belong to the same confederation sub-AS
 neighbor 2.2.2.2 remote-as 65012
 neighbor 2.2.2.2 update-source Loopback0
 neighbor 5.5.5.5 remote-as 65003
 neighbor 5.5.5.5 ebgp-multihop 255
 neighbor 5.5.5.5 update-source Loopback0
 no auto-summary
!
R5:
router bgp 65003
 no synchronization
 bgp log-neighbor-changes
 bgp confederation identifier 200       // claims AS 200 toward R3 and R7
 neighbor 3.3.3.3 remote-as 65012
 neighbor 3.3.3.3 ebgp-multihop 255
 neighbor 7.7.7.7 remote-as 300
 neighbor 7.7.7.7 ebgp-multihop 255
 neighbor 7.7.7.7 update-source Loopback0
 no auto-summary
!
Now check the neighbor relationship between R3 and R5:
r3#sh ip bgp su
Neighbor   V  AS     MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/PfxRcd
2.2.2.2    4  65012  10       9        1       0    0     00:06:26  2
5.5.5.5    4  65003  1        1        0       0    0     never     Active
They stay in the Active state and never finish establishing the neighbor relationship. Why? Analysis: both R5 and R3 carry the command bgp confederation identifier 200, and because they sit in different confederation sub-ASes, each claims AS 200 to the other; but their neighbor statements say otherwise. On R3: neighbor 5.5.5.5 remote-as 65003. On R5: neighbor 3.3.3.3 remote-as 65012. So an error is reported, wrong AS number, as follows:
r5#
*Oct 19 12:20:10.311: %SYS-5-CONFIG_I: Configured from console by console
r5#
*Oct 19 12:20:19.155: %BGP-3-NOTIFICATION: sent to neighbor 3.3.3.3 2/2 (peer in wrong AS) 2 bytes 00C8
r5# FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 002D 0104 00C8 00B4 0303 0303 1002 0601 0400 0100 0102 0280 0002 0202 00
The fix:
On R3: bgp confederation peers 65003    // do not claim AS 200 toward 65003
On R5: bgp confederation peers 65012    // do not claim AS 200 toward 65012
Verify:
r5#sh ip bgp
BGP table version is 13, local router ID is 5.5.5.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop    Metric LocPrf Weight Path
*> 1.1.1.0/24       2.2.2.2          0    100      0 (65012) 100 i
r> 7.7.7.0/24       7.7.7.7          0             0 300 i
*> 192.168.12.0     2.2.2.2          0    100      0 (65012) i
r> 192.168.23.0     3.3.3.3          0    100      0 (65012) i
*> 192.168.35.0     0.0.0.0          0         32768 i
*                   3.3.3.3          0    100      0 (65012) i    // the AS in parentheses is the private sub-AS; it is stripped when the route leaves R5, as R7's table shows
*> 192.168.57.0     0.0.0.0          0         32768 i
*                   7.7.7.7          0             0 300 i
r7#sh ip bgp
BGP table version is 12, local router ID is 7.7.7.7
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop    Metric LocPrf Weight Path
*> 1.1.1.0/24       5.5.5.5                        0 200 100 i
*> 7.7.7.0/24       0.0.0.0          0         32768 i
*> 192.168.12.0     5.5.5.5                        0 200 i
*> 192.168.23.0     5.5.5.5                        0 200 i
*> 192.168.35.0     5.5.5.5          0             0 200 i
*  192.168.57.0     5.5.5.5          0             0 200 i
*>                  0.0.0.0          0         32768 i
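The route-reflector rules and the two confederation effects shown in this case study (the "peer in wrong AS" NOTIFICATION until bgp confederation peers is configured, and the private sub-AS in parentheses being stripped when the route reaches R7), as an added example in Python that is not code from the original page. The ConfedSpeaker class and the helper functions are constructed for this example and are not IOS internals; the AS numbers and router names follow the case above.

```python
"""Route-reflector and confederation behaviour from the case above.

Added example; it is not code from the original article. It encodes the three
route-reflector rules listed above and the two confederation effects the case
shows: a peer in another sub-AS must be declared with "bgp confederation peers"
or the OPEN message carries the wrong AS ("peer in wrong AS"), and the private
sub-AS segment in parentheses is stripped when the route leaves the
confederation. The ConfedSpeaker class and the helper functions are constructed
for this example and are not IOS internals.
"""


def reflect_targets(source, source_kind, clients, non_clients):
    """Peers to which a route reflector re-advertises a route received from `source`.
    source_kind: 'non_client' (ordinary IBGP peer), 'client', or 'ebgp'."""
    clients, non_clients = set(clients), set(non_clients)
    if source_kind == "non_client":   # rule 1: reflect only to clients
        return clients
    if source_kind == "client":       # rule 2: to all clients and non-clients except the originator
        return (clients | non_clients) - {source}
    if source_kind == "ebgp":         # rule 3: to all clients and non-clients
        return clients | non_clients
    raise ValueError("unknown source kind: %s" % source_kind)


class ConfedSpeaker:
    """A BGP speaker inside a confederation (bgp confederation identifier <confed_id>)."""

    def __init__(self, name, sub_as, confed_id, confed_peers=()):
        self.name, self.sub_as, self.confed_id = name, sub_as, confed_id
        self.confed_peers = set(confed_peers)  # bgp confederation peers ...

    def inside_confederation(self, neighbor_as):
        return neighbor_as == self.sub_as or neighbor_as in self.confed_peers

    def as_in_open(self, neighbor_as):
        """AS number placed in the OPEN toward a neighbor configured with remote-as neighbor_as:
        the real sub-AS inside the confederation, the public id toward everyone else."""
        return self.sub_as if self.inside_confederation(neighbor_as) else self.confed_id

    def export_as_path(self, path, neighbor_as):
        """AS_PATH as the neighbor receives it. path is a list of
        (segment_type, [asn, ...]) with types 'AS_CONFED_SEQUENCE' or 'AS_SEQUENCE'."""
        if neighbor_as == self.sub_as:                # plain IBGP: unchanged
            return list(path)
        if self.inside_confederation(neighbor_as):    # confederation EBGP: prepend sub-AS in a confed segment
            if path and path[0][0] == "AS_CONFED_SEQUENCE":
                return [("AS_CONFED_SEQUENCE", [self.sub_as] + path[0][1])] + path[1:]
            return [("AS_CONFED_SEQUENCE", [self.sub_as])] + list(path)
        public = [seg for seg in path if seg[0] != "AS_CONFED_SEQUENCE"]  # leaving: drop the (65012)-style segments
        if public and public[0][0] == "AS_SEQUENCE":
            return [("AS_SEQUENCE", [self.confed_id] + public[0][1])] + public[1:]
        return [("AS_SEQUENCE", [self.confed_id])] + public


def open_accepted(local, remote, configured_remote_as):
    """Does the AS in `remote`'s OPEN match what `local` configured with 'neighbor X remote-as'?
    A mismatch is what produced the 'peer in wrong AS' NOTIFICATION in the case."""
    return remote.as_in_open(local.sub_as) == configured_remote_as


def show_path(path):
    """Render a path the way 'show ip bgp' does: confed segments in parentheses."""
    return " ".join("(%s)" % " ".join(map(str, a)) if t == "AS_CONFED_SEQUENCE"
                    else " ".join(map(str, a)) for t, a in path)


def confederation_walkthrough():
    """Reproduce the case: R3 (sub-AS 65012) and R5 (sub-AS 65003), confederation id 200,
    route 1.1.1.0/24 learned from AS 100 and finally seen by R7 (AS 300)."""
    r3_missing = ConfedSpeaker("R3", 65012, 200)                 # no 'bgp confederation peers' yet
    r3 = ConfedSpeaker("R3", 65012, 200, confed_peers=[65003])
    r5 = ConfedSpeaker("R5", 65003, 200, confed_peers=[65012])
    from_r1 = [("AS_SEQUENCE", [100])]                           # as received by R2 from R1
    at_r5 = r3.export_as_path(from_r1, r5.sub_as)                # R3 -> R5 (confederation EBGP)
    at_r7 = r5.export_as_path(at_r5, 300)                        # R5 -> R7 (leaves the confederation)
    return {
        "open_ok_before_fix": open_accepted(r5, r3_missing, 65012),  # False: R3 claims AS 200
        "open_ok_after_fix": open_accepted(r5, r3, 65012),           # True
        "path_seen_by_r5": show_path(at_r5),                          # '(65012) 100'
        "path_seen_by_r7": show_path(at_r7),                          # '200 100'
    }


if __name__ == "__main__":
    print(reflect_targets("R2", "client", clients={"R2", "R5"}, non_clients=set()))  # {'R5'}
    print(confederation_walkthrough())
```

The two dictionary entries for the OPEN check reproduce the sequence in the case: with no confederation peers configured R3 answers R5's session with AS 200 while R5 expects 65012, which is exactly the "peer in wrong AS" mismatch, and once both sides list each other's sub-AS the session completes; the path strings match the "(65012) 100 i" on R5 and "200 100 i" on R7 in the verification output.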