CCNP BGP用Route-Map过滤路由--罪恶的温柔
思科CCNP认证BGP的建邻配置与属性详解
思科CCNP认证BGP的建邻配置与属性详解本⽂讲述了思科CCNP认证BGP的建邻配置与属性。
分享给⼤家供⼤家参考,具体如下:BGP建邻配置BGP的宣告是依赖路由表的,宣告需要满⾜:1:被宣告的路由必须在路由表中。
2:被宣告的路由必须和路由表中的前缀掩码⼀致。
⽆论本地路由表中的条⽬是通过何种⽅式获取的,均可宣告到BGP协议中。
BGP协议宣告时必须和本地路由表中的记录完全⼀致。
宣告:r1(config-router)#network 100.1.1.1 mask 255.255.255.255路由表:IBGP默认使⽤回环建邻,EBGP默认使⽤直连建邻。
r2(config)#router bgp 1r2(config-router)#bgp router-id 100.2.2.2r2(config-router)#neighbor 100.5.5.5 remote-as 2r2(config-router)#neighbor 100.5.5.5 ebgp-multihopEBGP⾮直连建邻修改跳数:EBGP建邻没有特殊情况⼀般使⽤直连建邻,如果使⽤⾮直连建邻需要修改跳数,默认情况下跳数为1(不修改跳数直接使⽤⾮直连建邻会失败)。
BGP的路由传递,传递的是BGP路由表中的路由信息。
BGP的路由表在收到路由以后需要检验该路由的下⼀跳是否可达,如果不可达该路由⼀定不优。
使⽤对等体组建邻BGP邻居:(可以减少建邻过程的重复操作步骤)r1(config)#router bgp 1r1(config-router)#bgp router-id 100.1.1.1r1(config-router)#neighbor a peer-groupr1(config-router)#neighbor a remote-as 1r1(config-router)#neighbor a update-source lo0r1(config-router)#neighbor 100.2.2.2 peer-group ar1(config-router)#neighbor 100.3.3.3 peer-group aBGP属性1:weightcisco私有属性,对于离开AS的路由在路由器选择哪⼀条最优,本台路由器产⽣的路由weight值为32768,学习到的路由的weight值为0,不能传递。
Route-map的使用方法详解
Route-mapCCNP学习笔记关于route-map的配置讨论,1.Passive-interface被动接口RIP中的被动接口是只收不发,EIGRP中的被动接口是不收不发。
配置,路由进程中,Passive-interface default 关闭所有接口No passive-interface s1/1 打开s1/1接口2.Distribute-list分发列表配置,利用ACL来抓取路由条目,Access-list 1 permit 4.4.4.0 0.0.0.255(路由条目)在路由进程中应用分发列表,Router eigrp 100Distribute-list 1 in/out 接口这个就代表只允许4.4.4.0的路由条目通过,其他路由条目不允许通过。
In后面不能跟协议,只有out后面可以跟。
Out后面不可以跟接口。
3.Prefix-list前缀列表,设计用于专抓路由,不仅可以抓网络号,还可以抓掩码。
配置,利用prefix-list来抓取路由条目,Ip prefix-list 1 permit 2.2.2.0/24(代表必须严格匹配网络号必须是2.2.2.0,掩码必须是24位的。
)在路由进程中应用prefix-list,Router eigrp 100Distribute-list prefix 1 out 接口Prefix-list的其他写法:Ip prefix-list 1 permit 2.2.2.0/24 (匹配前24位:2.2.2.*,掩码必须为24位)Ip prefix-list 1 permit 2.2.2.0/24 le 32 (匹配前24位:2.2.2.*,掩码必须为24—32位)Ip prefix-list 1 permit 2.2.2.0/24 ge 26 (匹配前24位:2.2.2.*,掩码必须为26---32位)Ip prefix-list 1 permit 2.2.2.0/24 ge 25 le 30 (匹配前24位:2.2.2.*,掩码必须为25---32位)Ip prefix-list 1 permit 0.0.0.0/0 le 32 (匹配所有,不可以写any)Show ip prefix-list可以用查看。
【CCNP】BGP路由汇聚配置案例
【CCNP】BGP路由汇聚配置案例版本V1.0密级☑开放☐内部☐机密类型☐讨论版☐测试版☑正式版1案例配置拓扑2案例配置需求1、如上图所示,IP地址规划方面,R1上有一环回接口loopback 0,地址为172.16.1.1/24,R2上有一环回接口loopback 0,地址为172.16.2.1/24,路由器互连的接口为172.8.AB.X/24(其中AB为路由器编号叠加,X为路由器编号,如R1连接R3的接口S0/0的地址为172.8.13.1/24);2、图中有4个AS,分别是AS 100,AS 200,AS 300,AS 400,R1/R3、R2/R3、R3/R4采用物理接口之间建立eBGP邻居关系;3、将R1/R2的loopback 0接口发布到BGP中,在R3上将这两条BGP路由汇聚给R4,并解析汇SPOTO 全球培训●项目●人才 1SPOTO 全球 培训 ● 项目 ● 人才2 3 案例配置思路1、 R1上的关键配置:router bgp 100no synchronizationbgp log-neighbor-changesnetwork 172.16.1.0 mask 255.255.255.0neighbor 172.8.13.3 remote-as 300no auto-summary2、 R2上的关键配置:router bgp 200no synchronizationbgp log-neighbor-changesnetwork 172.16.2.0 mask 255.255.255.0neighbor 172.8.23.3 remote-as 300no auto-summary3、 R3上的关键配置:router bgp 300no synchronizationbgp log-neighbor-changesaggregate-address 172.16.0.0 255.255.252.0 /BGP 路由汇聚,汇总命令后的参数将在“案例检验结果出分析”/ 雏鹰论坛CCNPneighbor 172.8.13.1 remote-as 100neighbor 172.8.23.2 remote-as 200neighbor 172.8.34.4 remote-as 400no auto-summary4、 R4上的关键配置:router bgp 400no synchronizationbgp log-neighbor-changesneighbor 172.8.34.3 remote-as 300no auto-summarySPOTO 全球 培训 ● 项目 ● 人才3 4 案例检验结果1、 配置汇总命令aggregate-address 172.16.0.0 255.255.252.0后,在R3和R4关于汇总路由和细路由的显示情况:R3#show ip bgpBGP table version is 11, local router ID is 172.8.34.3Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,r RIB-failure, S StaleOrigin codes: i - IGP , e - EGP , ? - incompleteNetwork Next Hop Metric LocPrf Weight Path*> 172.16.0.0/22 0.0.0.0 32768 i*> 172.16.1.0/24 172.8.13.1 0 0 100 i*> 172.16.2.0/24 172.8.23.2 0 0 200 i/从R1/R2学习到的两条BGP 路由汇总为/22的路由/R4#show ip bgpBGP table version is 11, local router ID is 172.8.34.4Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,r RIB-failure, S StaleOrigin codes: i - IGP , e - EGP , ? - incompleteNetwork Next Hop Metric LocPrf Weight Path*> 172.16.0.0/22 172.8.34.3 0 0 300 i*> 172.16.1.0/24 172.8.34.3 0 300 100 i*> 172.16.2.0/24 172.8.34.3 0 300 200 i/从R3学习到了/22的汇总路由,同时也学习了两条细路由,在R3上汇总,所以汇总路由只包含R3所在的AS 300,路由源的AS 丢失/ 雏鹰论坛CCNPR4#show ip bgp 172.16.0.0 255.255.252.0BGP routing table entry for 172.16.0.0/22, version 11Paths: (1 available, best #1, table Default-IP-Routing-Table)Not advertised to any peerSPOTO 全球 培训 ● 项目 ● 人才4 300, (aggregated by 300 172.8.34.3)172.8.34.3 from 172.8.34.3 (172.8.34.3)Origin IGP , metric 0, localpref 100, valid, external, atomic-aggregate , best/atomic-aggregate 属性表明发生了路由属性的丢失,aggregator 属性表明在哪里丢失属性,从上面的show 命令可以看出,R3在AS 300执行了路由汇总/2、 配置汇总命令aggregate-address 172.16.0.0 255.255.252.0 as-set ,加上as-set 参数后,在R3和R4显示的关于汇总路由和细路由的情况:R3#show ip bgpBGP table version is 12, local router ID is 172.8.34.3Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,r RIB-failure, S StaleOrigin codes: i - IGP , e - EGP , ? - incompleteNetwork Next Hop Metric LocPrf Weight Path*> 172.16.0.0/22 0.0.0.0 100 32768 {100,200} i*> 172.16.1.0/24 172.8.13.1 0 0 100 i*> 172.16.2.0/24 172.8.23.2 0 0 200 iR4#show ip bgpBGP table version is 12, local router ID is 172.8.34.4Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,r RIB-failure, S StaleOrigin codes: i - IGP , e - EGP , ? - incompleteNetwork Next Hop Metric LocPrf Weight Path*> 172.16.0.0/22 172.8.34.3 0 0 300 {100,200} i*> 172.16.1.0/24 172.8.34.3 0 300 100 i*> 172.16.2.0/24 172.8.34.3 0 300 200 i/汇总路由的AS PATH 列表中携带上了路由源的AS {100,200},不过在做路径选择时,花括号{}内的AS 只能当一个AS 计算/ 雏鹰论坛CCNPR4#show ip bg 172.16.0.0 255.255.252.0BGP routing table entry for 172.16.0.0/22, version 12Paths: (1 available, best #1, table Default-IP-Routing-Table)SPOTO 全球 培训 ● 项目 ● 人才5 Flag: 0x820Not advertised to any peer300 {100,200}, (aggregated by 300 172.8.34.3)172.8.34.3 from 172.8.34.3 (172.8.34.3)Origin IGP , metric 0, localpref 100, valid, external, best/在R3的汇聚命令后加上了AS-SET 参数,则AS 属性不会出现丢失的情况,那么在这里atomic-aggregate 属性就没有了,由此可以看出,AS-SET 和atomic-aggregate 属性互斥,AS-SET 参数是将所有细路由的属性复制到汇总路由/3、 配置汇总命令aggregate-address 172.16.0.0 255.255.252.0 as-set summar-only ,再加上summary-only 参数后,在R3和R4显示的关于汇总路由和细路由的情况:R3#show ip bgpBGP table version is 14, local router ID is 172.8.34.3Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,r RIB-failure, S StaleOrigin codes: i - IGP , e - EGP , ? - incompleteNetwork Next Hop Metric LocPrf Weight Path*> 172.16.0.0/22 0.0.0.0 100 32768 {100,200} is > 172.16.1.0/24 172.8.13.1 0 0 100 is > 172.16.2.0/24 172.8.23.2 0 0 200 i/添加了summary-only 参数后,细路由前面出现了“s ”标志,表明被抑制掉了,抑制的路由不会发送给它的邻居/R4#show ip bgpBGP table version is 14, local router ID is 172.8.34.4Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,r RIB-failure, S StaleOrigin codes: i - IGP , e - EGP , ? - incompleteNetwork Next Hop Metric LocPrf Weight Path*> 172.16.0.0/22 172.8.34.3 0 0 300 {100,200} i/只存在汇总路由/4、 抑制单条细路由的汇总命令:SPOTO 全球 培训 ● 项目 ● 人才6 ip prefix-list supp seq 5 permit 172.16.1.0/24!route-map supp permit 10match ip address prefix-list supp! aggregate-address 172.16.0.0 255.255.252.0 as-set suppress-map suppR3#show ip bgpBGP table version is 5, local router ID is 172.8.34.3Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,r RIB-failure, S StaleOrigin codes: i - IGP , e - EGP , ? - incompleteNetwork Next Hop Metric LocPrf Weight Path*> 172.16.0.0/22 0.0.0.0 100 32768 {100,200} is > 172.16.1.0/24 172.8.13.1 0 0 100 i*> 172.16.2.0/24 172.8.23.2 0 0 200 i/只有172.16.1.0/24被抑制,此路由不会发送给它的BGP 邻居/R4#show ip bgpBGP table version is 19, local router ID is 172.8.34.4Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,r RIB-failure, S StaleOrigin codes: i - IGP , e - EGP , ? - incompleteNetwork Next Hop Metric LocPrf Weight Path*> 172.16.0.0/22 172.8.34.3 0 0 300 {100,200} i*> 172.16.2.0/24 172.8.34.3 0 300 200 i/没有收到172.16.1.0/24的路由/5、 查看R3的ip 路由表:R3# sh ip routeCodes: C - connected, S - static, R - RIP , M - mobile, B - BGPD - EIGRP , EX - EIGRP external, O - OSPF, IA - OSPF inter areaN1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2SPOTO 全球 培训 ● 项目 ● 人才7 E1 - OSPF external type 1, E2 - OSPF external type 2i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2ia - IS-IS inter area, * - candidate default, U - per-user static routeo - ODR, P - periodic downloaded static routeGateway of last resort is not set172.8.0.0/24 is subnetted, 3 subnetsC 172.8.34.0 is directly connected, Serial0/2C 172.8.13.0 is directly connected, Serial0/0C 172.8.23.0 is directly connected, Serial0/1172.16.0.0/16 is variably subnetted, 3 subnets, 2 masksB 172.16.0.0/22 [200/0] via 0.0.0.0, 00:00:04, Null0 /汇总路由指向Null0/B 172.16.1.0/24 [20/0] via 172.8.13.1, 00:00:36 雏鹰论坛CCNPB 172.16.2.0/24 [20/0] via 172.8.23.2, 00:45:055 案例配置文件6 案例总结及其它1、 BGP 汇总命令aggregate-address 后面的参数比较丰富,大家可以根据需要添加合适的参数;SPOTO 全球 培训 ● 项目 ● 人才8SPOTO 全球 培训 ● 项目 ● 人才9/advertise-map 和as-set 结合,表示路由器根据某些细路由的属性复制到汇总路由,advertise-map 后跟的是route-map/ip prefix-list supp seq 5 permit 172.16.1.0/24!route-map supp permit 10match ip address prefix-list supp!router bgp 300aggregate-address 172.16.0.0 255.255.252.0 as-set advertise-map supp效果:R3#show ip bgpBGP table version is 19, local router ID is 172.8.34.3Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,r RIB-failure, S StaleOrigin codes: i - IGP , e - EGP , ? - incompleteNetwork Next Hop Metric LocPrf Weight Path*> 172.16.0.0/22 0.0.0.0 100 32768 100 i*> 172.16.1.0/24 172.8.13.1 0 0 100 i*> 172.16.2.0/24 172.8.23.2 0 0 200 iR3#show ip bgp 172.16.1.0BGP routing table entry for 172.16.1.0/24, version 2SPOTO 全球 培训 ● 项目 ● 人才10 Paths: (1 available, best #1, table Default-IP-Routing-Table)Advertised to update-groups:1100172.8.13.1 from 172.8.13.1 (172.16.1.1)Origin IGP , metric 0, localpref 100, valid, external, bestR3#show ip bgp 172.16.0.0BGP routing table entry for 172.16.0.0/22, version 18Paths: (1 available, best #1, table Default-IP-Routing-Table)Advertised to update-groups:1100, (aggregated by 300 172.8.34.3)0.0.0.0 from 0.0.0.0 (172.8.34.3)Origin IGP , localpref 100, weight 32768, valid, aggregated, local, atomic-aggregate, best/按照上面的配置,汇总路由复制了细路由172.16.1.0/24的BGP 属性/R4#show ip bgpBGP table version is 31, local router ID is 172.8.34.4Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,r RIB-failure, S StaleOrigin codes: i - IGP , e - EGP , ? - incompleteNetwork Next Hop Metric LocPrf Weight Path*> 172.16.0.0/22 172.8.34.3 0 0 300 100 i*> 172.16.1.0/24 172.8.34.3 0 300 100 i*> 172.16.2.0/24 172.8.34.3 0 300 200 i/attribute-map 和as-set 结合,手动设置汇总路由的属性,attribute-map 后跟的是route-map/ route-map supp permit 10set origin incomplete!router bgp 300aggregate-address 172.16.0.0 255.255.252.0 as-set attribute-map suppCCNP BGP路由汇聚配置案例SPOTO 全球培训●项目●人才WEB: BBS: (网络) ●11效果:R3#show ip bgpBGP table version is 5, local router ID is 172.8.34.3Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,r RIB-failure, S StaleOrigin codes: i - IGP, e - EGP, ? - incompleteNetwork Next Hop Metric LocPrf Weight Path *> 172.16.0.0/22 0.0.0.0 100 32768 {100,200} ?*> 172.16.1.0/24 172.8.13.1 0 0 100 i*> 172.16.2.0/24 172.8.23.2 0 0 200 i/采用attribute-map手动设定汇总路由的属性/R4#show ip bgpBGP table version is 51, local router ID is 172.8.34.4Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,r RIB-failure, S StaleOrigin codes: i - IGP, e - EGP, ? - incompleteNetwork Next Hop Metric LocPrf Weight Path *> 172.16.0.0/22 172.8.34.3 0 0 300 {100,200} ?*> 172.16.1.0/24 172.8.34.3 0 300 100 i*> 172.16.2.0/24 172.8.34.3 0 300 200 i2、参见欢迎来雏鹰论坛参与讨论。
BGP路由的route-map逻辑确认试验
BGP路由的route-map逻辑确认试验BGP路由的route-map逻辑确认试验知识要点:bgp的route-map的几种方式:route-map permit/match permit -〉permit/permit 这里说明一下route-map permit是在acl里面的permitroute-map permit/match deny -〉permit/denyroute-map deny/match permit -〉deny/permitroute-map deny/match deny -〉deny/deny思科对几种方式的逻辑的描述:permit/permitif a match is made, accept the route, set the attribute (if you're using a set clause), and exit the route map. Otherwise, continue to the next route-map statement:如果配对上,接受这条路由,设置属性(如果你有设置的话),然后离开这个route-map。
否则继续下一个route-map条目。
按个人的理解,如果配对成功,应该不会继续其他的route-map 了。
petmit/denyIf a match is made, deny the route and exit the route map.如果配对上,禁用这条路由,离开这个route-map。
否则继续下一个route-map条目。
按个人的理解,如果配对成功,应该不会继续其他的route-map了。
deny/permitIf a match is made, deny the route and exit the route map如果配对上,禁用这条路由,离开这个route-map。
否则继续下一个route-map条目。
路由过滤命令详解route-map,distribute-list, prefix-list, ip as-path access-list
! interfaceSerial1 ipaddress10.34.16.83.255.255.255.252 ip policy route-map sense ! access-list1permit172.16.0.0 0.0.255.255 access-list110permittcp any eq www any ! route-map sense permit10 matchipaddress1 110 set ip precedence critical ! route-mapsensepermit20 setiptos2 //正对所有上面 route-map 语句不匹配的其他流量
<1> Standard ACL interfaceSerial0 ipaddress172.16.5.1255.255.255.0 ippolicyroute-mapsense ! access-list1permit172.16.6.00.0.0.255 access-list2permit172.16.7.00.0.0.255 ! route-mapsensepermit10 matchipaddress1 setipnext-hop172.16.4.2 ! route-mapsensepermit20 matchipaddress2
matchipaddress120 ! route-mapsensepermit20 matchlength10001600 setipnext-hop172.16.2.1 ! route-mapsensepermit30 matchlength0400 setipnext-hop172.16.3.1 注:如果没有第一个 route-map 条目,router 本身的 Packets 及 OSPF 的 Packets 都会由于后两个 route-map 语句被转发到错误的地址。 Case Study: Policy Routing and Quality of Service Routing PolicyRouting 结合 ip 包头的 Precedence 和 Type of Service(TOS)可以实现基 于 QOS 的策略路由。 注:Precedence 和 TOS 的配置既可使用 Number 字段,也可以使用 Keyword. 针对 IP 包头中的 TOS 字段(8bit)(如下图),根据 RFC1349 的规定,第 0,1,2 三 bit 作为 ip precedence 使用,而第 3,4,5,6 四个字段作为 Type of Service(ToS) 使用.
思科CCNP认证PBR策略路由与BGP协议详解
思科CCNP认证PBR策略路由与BGP协议详解本⽂讲述了思科CCNP认证PBR策略路由与BGP协议。
分享给⼤家供⼤家参考,具体如下:PBR——策略路由定义:通过流量策略来执⾏选路的⼀种转发⼿段。
控制层⾯——给路由的转发做指导数据层⾯——在路由表中找到路由的出接⼝或者下⼀跳传统的路由表转发只能通过数据的⽬标地址做策略。
策略路由可以根据源地址、⽬的地址、源端⼝、⽬的端⼝、协议、TOS等流量特征来做决策提供路由——灵活性⾼,但速度慢,需要⼀个⼀个抓,操作相对⿇烦。
路由表与策略路由的关系:策略路由是先于路由表执⾏的,策略路由没有捕获的流量依然会去执⾏路由表。
两种配置:1:接⼝下配置access-list 100 permit ip host 1.1.1.1 any //⽤ACL捕获流量route-map pbr permit 10 //定义route-mapnatch ip address 10 //调⽤被ACL捕获的流量set ip next-hop 10.1.1.1 //设置下⼀跳int f0/1ip policy route-map pbr //接⼝下调⽤只能捕获该接⼝的⼊接⼝流量做策略(不能处理本路由器产⽣的流量)。
2:全局配置access-list 100 permit ip host 1.1.1.1 any //⽤ACL捕获流量route-map pbr permit 10 //定义route-mapmatch ip address 10 //调⽤被ACL捕获的流量set ip next-hop 10.1.1.1 //设置下⼀跳ip local policy route-map pbr能够捕获所有接⼝⼊接⼝流量以及本路由器产⽣的流量(源地址是本路由器地址)3:策略路由的冗余设置route-map pbr permit 10match ip address 1ip next-hop verify-availability 10.1.24.2 1 track 1 //track 成功则本条⽣效,track失败则执⾏下⼀条set语句track ip next-hop 10.1.34.3track 1 ip sla 1 //定义⼀个track监控sla的探测结果ip sla 1 //定义⼀个slaip icmp-echo 10.1.12.1 source-ip 10.4.4.4 //设置其探针ip sla schedule 1 life forever start-time now //设置sla 1的执⾏时间4:default 语句在route-map的set ip default这个位置输⼊,定义被捕获的流量为先查路由表。
【CCNP 4-3】BGP属性
•BGP属性公认属性Well-Known•公认强制属性Well-known mandatory•公认自由属性Well-known discretionary可选属性Optional•可选传递的Optional transitive•可选非传递的Optional non-transitive报文•Origin —公认强制属性•指出了路径信息的源头,有下列3种可能:•IGP:用network通告路由时,用i表示•EGP:路由通过EGP获悉,用e表示•Incomplete:路由的源头未知或是通过其他方法获悉的,用?表示。
例如重发布•路由优选顺序:IGP > EGP > Incomplete•NEXT_HOP —公认强制属性•指出了用于前往目的地的下一跳IP地址。
•对EBGP会话来说,NEXT-HOP就是通告该路径的EBGP邻居的接口IP。
•对IBGP,起源AS内部的路由的NEXT-HOP就是通告该路径的邻居的IP。
(如果有设定更新源,则为更新源地址),而从EBGP学到的路由的NEXT-HOP,在IBGP内传递时不变,始终指向的是下一个AS(本AS对端的EBGP邻居接口IP)。
•COMMUNITY —可选传递属性•用于简化路由策略的执行•可以将某些路由分配一个特定的COMMUNITY属性,之后就可以基于COMMUNITY值而不是每条路由进行BGP属性的设置了route-map bgp permit 10set community ?<1-4294967295> community numberaa:nn community number in aa:nn format // 路由所属as:nn标识additive Add to the existing communityinternet Internet (well-known community) // 默认所有路由都属于该团体local-AS Do not send outside local AS (well-known community)不把这条路由传出本AS(联邦as中的小联邦)。
CCNP路由_课堂笔记以及相关知识点整合
课程安排:D1,路由基础汇总,EIGRP协议介绍及配置D2,OSPF协议介绍及基本配置D3,OSPF协议介绍及高级配置D4,多协议互操作及路由控制(收发过滤)D5,BGP协议介绍及配置资料推荐:模拟器,Packet Tracer、GNS3(调用IOS)远程登录,cmd、putty、secureCRT路由基础:路由,一条路由表示一个网段路由器,运行路由协议、生成路由表、根据路由表转发报文。
路由协议,共享路由信息的方式路由表,收集不同方式获取的路由,组成路由表路由协议:作用范围:自治系统AS(1-65535)IGP,一个AS内传递路由。
RIP EIGRP OSPFEGP,AS间传递路由。
BGP传递路由方式:距离矢量路由协议,路由器间分享路由表RIP EIGRP BGP链路状态路由协议,路由器间分享直连链路信息(确保可达,可靠)OSPF路由传递是否携带掩码:有类,RIPv1 IGRP不携带掩码,自动汇总无类,RIPv2 EIGRP OSPF BGP携带掩码,支持VLSM,支持手动汇总路由注入路由表:管理距离值小,度量值小管理距离值,衡量协议(路由获取方式)优劣直连0,静态1,EIGRP5\90\170,OSPF110,BGP20\200 RIP120 度量值,衡量路径优劣RIP,跳数hop,1-15EIGRP,带宽、延时、可靠性、负载OSPF,开销(与带宽成反比)查找路由表:最长匹配,掩码最长递归查找,找到出接口Show ip route192.168.1.0/24 serial 1/0 //递归查找10.0.0.0/8 serial 1/210.0.0.0/9 serial 1/310.1.0.0/16 serial 1/310.1.1.0/24 192.168.1.1 //最长匹配0.0.0.0/0 172.16.1.1172.16.1.0/24 serial 1/1收到报文的目的IP地址为10.1.1.1,从serial1/0发出路由协议:建立邻居→分析路由信息→算法→生成路由表→维护路由表以太网Dst:0100.5e00.0009 Src:aaaa.aaaa.aaaa type/length:0x0800 IPSrc:1.1.1.1Dst:224.0.0.9Pro:17TTL:1UDPSrc:xDst :520RIPupdate192.168.1.0/24hop:3以太网Dst:bbbb.bbbb.bbbb Src:aaaa.aaaa.aaaa type/length:0x0800 IPSrc:1.1.1.1Dst:2.2.2.2Pro:6TTL:xTCPSrc:xDst:179BGPupdate192.168.1.0/24属性以太网Dst:bbbb.bbbb.bbbbSrc:aaaa.aaaa.aaaatype/length:0x0800IPSrc :1.1.1.1Dst :224.0.0.5|10Pro :89|88TTL :1OSPF|EIGRP hello浮动静态路由:手动修改静态路由的管理距离值,使其不出现在路由表中 RIP 高级配置:手动汇总 R2(config)#interface Ethernet 0/0//连接R1的接口R2(config-if)#ip summary-address rip 10.1.1.2 255.255.255.254R1#show ip route ripR 10.1.1.2/31 [120/1] via 10.1.12.2, 00:00:28, Ethernet0/0 R 10.1.23.0/24 [120/1] via 10.1.12.2, 00:00:28, Ethernet0/0 路由验证验证模式:明文、MD5;KeyIDinterface Xip rip authentication mode text //开启明文验证ip rip authentication mode md5 //开启密文验证ip rip authentication key-chain xx //调用钥匙链(密码库)key chain xx //创建密码库,命名为xxkey 1 //创建第一组密码key-string ccna //密码设置为ccnaaccept-lifetime //开门密码,当前密码key用于解锁接收到的RIP 报文时,时效性是多少send-lifetime //关门密码,用当前密码key加密RIP报文时,时效性key 2key-string ccnpkey 3key-string ccieshow ip route ripdebug ip rip被动接口:设置为被动的接口不向外发送组播(目的IP地址为224.0.0.9)的RIP报文R2(config)#router ripR2(config-router)#passive-interface Ethernet 0/1R3#show ip routeC 10.1.1.3/32 is directly connected, Loopback0C 10.1.23.0/24 is directly connected, Ethernet0/1R1#show ip routeC 10.1.12.0/24 is directly connected, Ethernet0/0R 10.1.1.2/32 [120/1] via 10.1.12.2, 00:00:12, Ethernet0/0 R 10.1.1.3/32 [120/2] via 10.1.12.2, 00:00:12, Ethernet0/0C 10.1.1.1/32 is directly connected, Loopback0R 10.1.23.0/24 [120/1] via 10.1.12.2, 00:00:12, Ethernet0/0 EIGRP,Cisco特点:1、邻居机制,Hello报文,发现、建立、维护邻居2、可靠传输机制a)显式可靠,专用的ACK报文(已收回执)b)隐式可靠,其余报文内包含ACK字段3、扩散更新算法DUAL,防环。
6-5-使用route-map控制基本的BGP路径
Route Maps to Manipulate Basic BGP Paths
使用Route-map控制基 本的BGP路径选择
BGP Is Designed to Implement Policy Routing BGP,设计用来执行策略路由
BGP is designed for manipulating routing paths.
* i
* i192.168.25.0 *>i * i192.168.26.0 *>i
192.168.28.2
172.20.50.2 192.168.28.2 172.20.50.2 192.168.28.2
200
200 100 200 100
100
100 100 100 100
0 65001 i
0 65001 i 0 65001 i 0 65001 i 0 65001 i
路由器A
路由器B 路由器A 路由器B 路由器A
• Examine the networks that have been learned from AS 65001 on Router Z in AS 65004.
• For all networks: Weight is equal (0); local preference is equal (100); routes are not originated in this AS; AS path is equal (65001); origin code is equal (i).
*>i
*>i172.24.0.0 * i *>i172.30.0.0 * i
192.168.28.1
ACL和Route-Map中permit,deny对路由过滤的动作
ACL和Route-Map中permit,deny对路由过滤的动作此实验讨论route-map中acl permit和any动作对路由过滤影响。
拓扑如图:验证一.R2access-list 10 permit 192.168.4.0 0.0.0.255access-list 10 permit 192.168.6.0 0.0.0.255!route-map kk permit 10match ip address 10!router eigrp 90redistribute ospf 110 metric 10000 100 255 1 1500 route-map kknetwork 23.1.1.2 0.0.0.0no auto-summaryeigrp router-id 1.1.1.1R3R3#sh ip routeGateway of last resort is not set23.0.0.0/24 is subnetted, 1 subnetsC 23.1.1.0 is directly connected, FastEthernet0/1192.168.4.0/32 is subnetted, 1 subnetsD EX 192.168.4.1 [170/307200] via 23.1.1.2, 01:24:13, FastEthernet0/1192.168.6.0/32 is subnetted, 1 subnetsD EX 192.168.6.1 [170/307200] via 23.1.1.2, 01:23:50, FastEthernet0/1从R3的路由表可知,Route-map 仅仅重分发了192.168.4.0/24和192.168.6.0/24的路由,过滤了其他的路由。
Route-map 末尾有一条隐含的deny any子句,这个子句拒绝了其他的路由,并不是acl 的隐含deny any 拒绝掉的。
【CCNP 4-4】BGP选路
BGP选路规则前提:路由下一跳不可达或没有解决同步问题,则不能参与路由选择:1.选择Weight值最高的路由——思科私有2.选择Local-Preference较大的路由3.选择network或aggregate或重分布获得的本地路由4.选择AS路径较短的路由5.依次选择Origin属性为IGP、EGP和INCOMPLETE类型的路由6.选择MED较小的路由7.优选EBGP而不是IBGP8.选择下一跳IGP度量值较小的路由9.负载均衡,BGP默认不启用负载均衡。
若配置负载均衡,则不比较后面的参数(maximum-paths n)10.如果都是EBGP路由,则选择先收到的那条(最老的)11.选择BGP Router ID小的BGP对等体通告的路由12.优先选择最短的cluster-list13.优先选择邻居IP地址最小的路由(neighbor指定的地址)BGP属性补充说明:•第3点:本地发起的路由有多种方式,如在BGP进程下用network命令,或将其它路由协议重分布进BGP,或者手工聚合(汇总)。
通过network和重分布的优先于手工聚合。
•第4点:在做聚合路由时,使用as-set后产生的AS-Path列表中{ }里的AS号长度只算一个AS号的长度,在联盟内的AS-Path列表中()的AS号长度不做计算依据。
•第9点:等价负载均衡,当前面8条选路原则都无法优选出最优路由时,并且在BGP进程下面配置了maximum-paths,那么将执行负载均衡。
•第10条,第11条:如果BGP进程下使用bgp bestpath compare-routerid命令,则忽略第10条,进行第11条的比较。
C去往65004优选谁?BGP选路案例默认情况下的BGP表修改BGP默认本地优先级Router A配置route-map调整后的BGP表修改BGP的MED属性使用Route-Map调整MED效果。
CCNP课件2.路由部分(瑞琪教育)101BGP操纵
BGP路由操纵一.权重属性CISCO定义, 当路由器有多个离开AS的出口, 根据权重选择出口.分析:R4访问170.1.1.1 时, 正常选择R3 AS路径最短R5但若R3线路繁忙, 希望走R5,则可以通过权重.默认本地32768 越大越好其它0若将从R5学到的路由权重设为2000,则选择走R5.R4(config)# router bgp 300# neighbors 45.1.1.5 weight 2000但问题是: 对从R5学来的所有信息的权重都将被设为2000, 都走R5, 不合要求. 解决办法:路由映射1.建立路由映射表R4(config)# access-list 50 permit 170.1.0.0 0.0.255.255R(config)# router-map weitht-170 permit 10# match ip add 50# set weitht 2000R(config)# router-map weitht-170 permit 202.将映射与BGP相关联.R4(config)# router bgp 300# neigh 45.1.1.5 router-map weitht-170 in分析:权重影响数据如何离开本AS 访问外部网络. 适用于单R 多出口.二.本地优先级公认自由属性, 是另一种影响数据离开本AS的方式, 适用于多R多出口环境.分析:AS100访问171.1.1.0时, 正常选择R2 AS路径最短R4但若R2 线路繁忙, 希望走R4, 则可以通过本地优先级来影响.本地优先级默认100 越大越好R5(config)# router bgp 100# bgp default local-preference 200但问题是, 前往外部的所有路径都将走R4. 解决办法, 通过路由映射:1. 建立路由映射表R5(config)# access-list 20 permit 171.1.0.0 0.0.255.255R5(config)# router-map local-171 permit 10# match ip add 20# set local-preference 200R5(config)# router-map local-171 permit 202. 将映射与BGP相关联.R5(config)# router bgp 100# neith 45.1.1.4 router-map local-171in三.多出口鉴别器MED本例中, R1和R5都向AS300通告110.0.0.0, 因AS路径相同, 默认R4会选择ID最小的邻居, 则会选择走R5.假设R5线路繁忙,AS希望R4从R1进入. 则R1可以用一个较小的度量值进行通告.默认度量值:用Network 通告时,度量值为0.当OSPF 重分发到BGP时, 直连为0, 非直连为OSPF 度量值。
CCNP实验总结-路由策略
CCNP实验总结(路由策略部分)一.路由重分布1.最佳路由重分布解决方案R1下配置:inter loo 0ip add 1.1.1.1 255.255.255.0inter s0/0ip add 192.168.0.1 255.255.255.0no shurouter ripver 2no aunet 1.1.1.0net 192.168.0.0R2下配置:inter s0/0ip add 192.168.0.2 255.255.255.0no shuinter s0/1ip add 192.168.1.1 255.255.255.0no shuip route 0.0.0.0 0.0.0.0 192.168.1.2router ripver 2no aunet 192.168.0.0redistribute static metric 1router ospf 100net 192.168.1.1 0.0.0.0 a 0redistribute rip subnetsR3下配置:inter s0/1ip add 192.168.1.2 255.255.255.0no shuinter loo 0ip add 3.3.3.3 255.255.255.0ip ospf net point-to-prouter ospf 100net 192.168.1.2 0.0.0.0 a 0net 3.3.3.0 0.0.0.255 a 02.RIP下分布OSPFredistribute ospf 100 metric 1-153.EIGRP下分布OSPFredistribute ospf 100 metric 1544 200 255 1 15004.OSPF下分布RIP/EIGRPreidistribute rip/eigrp 100 subnets5.EIGRP下分布IS-ISredistribute isis level-1/-1-2/-2 metric 1544 200 255 1 15006.IS-IS下分布EIGRPredistribute eigrp 100 level-1/-1-2/-2二.被动接口RIP下只接受更新不发送更新,OSPF/IS-IS/EIGRP下不向外发送hello包,不建立邻居关系router eigrp 100passive-interface s0/0passive-interface default (全部接口)三.控制路由更新1.出向router eigrp 100distribute-list acl out interface/process路由重分布只能用出向列表(能加路由进程)2.入向router eigrp 100distribute-list acl in interface3.prefix-listip prefix-list 1 permit 1.1.1.0/24 ge 25 le 30所有B类地址的子网路由,长度不超过24ip prefix-list 1 permit 128.0.0.0/2 ge 17 le 244.加入网关distribute-list gateway prefix-list…gateway:距离矢量,到达目的网段的下一跳链路状态,通告这条路由的路由器5.基于时间的ACLtime-range aaaabsolute (绝对)/periodicperiodic Monday-Sunday 9:00 to 12:00dailyweekdays (Monday to Friday)weekend (Saturday to Sunday)access-list 100 permit tcp any any eq 80 time-range aaa6.OSPF中的分布列表不允许用出向(同一区域内LSDB要同步),入向数据库中有条目,不加路由表7.双向多点重分布时的路由回馈问题R2先于R3配置好R3会认为1.0-3.0网段是从R4发来的(管理距离问题)解决办法:1.修改R1-R3 RIP的管理距离2.去掉R38.策略路由access-list 1 permit 1.1.1.0 0.0.0.255route-map name permit num(从小往大写)match ip address address/acl num/prefix-list numset (e.g. metric 100)router ospf 100redistribute rip route-map name subnets9.IS-IS的被重分布问题需要重分布直连链路:redistribute connected10.管理距离的修改router eigrp 100distance eigrp num(内部) num(外部)distance 1 1.1.1.0 255.255.255.0/aclrouter ospf 100distance 1 1.1.1.0/acl gateway acl num11.现网不用debug,流量过大,慎用no语句12.DHCP交换信息用broadcast,每到周期的一半,再申请一次,如此循环。
CCNP知识:使用route-map控制路由重分发的方法
CCNP知识:使用route-map控制路由重分发的方法最近在学习CCNP的相关课程和知识要点,总结出来的一些东西未必是正确的,不过先发表出来,共大家参考和讨论。
先说说使用route-map控制路由重分发的方法、组网和配置,以4个路由器组成一个链式网络。
至于这些命令是在什么模式下打出来的,有基础的应该都能看出来的,就不要纠结于这些命令是在全局模式还是在路由模式抑或是在接口模式下打出来的。
废话不多说了,进入正题。
以上是拓扑图,下面上配置以及简单的介绍。
有时候我们想控制路由协议重分发时哪些路由条目应该通告,哪些路由条目不应该通告。
这样做可能是为了保密,也可能是为了别的目地,管他呢,反正有些人就是有一些奇奇怪怪的需求。
而要达到这个目的的有两种工具,通过分发列表控制哪些路由条目应该被重分发,哪些不应该被重分发。
而另一种工具为路由映射表,而我今天讲的就是利用路由映射表来经行路由重分发控制。
简单介绍下什么是路由映射表。
路由映射表是一种逻辑化的语言,就像程序语言中的if-then-else,满足某种条件就执行某项动作。
而路由映射表的功能就太强大了,像我前面做的pbr用到了路由映射表,而做bgp路径控制更要用到路由映射表,而今天讲控制重分发又用到了。
废话不多说了,先讲讲拓扑结构。
4台路由器,其中r1和r4运行ripv2,在r1上有4个环回接口。
r2为asbr路由器,分别运行着ripv2和ospf,r3也为ospf。
r4:in e1/0ip add 192.168.1.1 255.255.255.0no shin loop 1ip add 4.4.4.4 255.0.0.0router ripversion 2net 192.168.1.0net 4.0.0.0r1:in e1/1ip add 192.168.1.2 255.255.255.0 no shin e1/0ip add 192.168.2.1 255.255.255.0 no shin loop 1ip add 172.16.0.1 255.255.255.0 in loop 2ip add 172.16.1.1 255.255.255.0 in loop 3ip add 172.16.2.1 255.255.255.0 in loop 4ip add 172.16.3.1 255.255.255.0 router ripversion 2no aunet 192.168.1.0net 192.168.2.0net 172.16.0.0r2:in e1/1ip add 192.168.2.2 255.255.255.0no shin e1/0ip add 192.168.3.1 255.255.255.0no shrouter ripversion 2net 192.168.2.0redistribute ospf 1 metric 2 重分发ospf路由到riprouter ospf 1net 192.168.3.1 0.0.0.0 a 0redistribute rip route-map test subnets 这条命令引用路由映射表test将rip重分发到ospfaccess-list 1 permit 172.16.1.0 0.0.0.255access-list 1 permit 172.16.2.0 0.0.0.255 这3条acl控制匹配哪些路由条目,允许的将会被重分发access-list 1 permit 192.168.1.0 0.0.0.255route-map test permit 10 定义路由映射表名字为test,采取的行为为允许match ip add 1 匹配的acl为access-list 1set metric-type type-1 行为为将分发类型改为1类r3:in e1/1/14427/ip add 192.168.3.2 255.255.255.0no ship ospf 1 a 0看看效果,在r3上我们只重分发了匹配acl1的3条路由条目,而且把分发类型改为了1类,而默认是2类。
思科CCNP认证OSPF之认证、虚链路及过滤案例分析
思科CCNP认证OSPF之认证、虚链路及过滤案例分析本⽂讲述了思科CCNP认证OSPF之认证、虚链路及过滤。
分享给⼤家供⼤家参考,具体如下:认证1:链路认证 //防⽌链路接⼊⾮法路由器(⽆授权),在链路的所有设备都需要开启1> 明⽂认证 //不安全在IOS15.2的版本中的配置:int e0/0 //进⼊需要做认证的接⼝ip ospf authentication //开启明⽂认证ip ospf authentication key-chain k //k为key-chain的名字,⾃⾏决定key chain kkey 1key-string cisco //输⼊明⽂认证的密钥在IOS15.4版本中的配置:int e0/0 //进⼊需要认证的接⼝ip ospf authentication //开启明⽂认证ip ospf authentication-key cisco //(密钥,可不写)将密钥进⾏⽐对,若⽐对成功则认证成功。
PS:开启明⽂认证后,本地的hello包中认证类型的字段发⽣变化。
未认证时为0,开启认证后将0置位为1。
做认证的邻居间必须保持⼀致。
若仅链路的⼀端开启认证,则整条链路的路由不互通。
同时明⽂认证若仅开启认证,不输⼊密钥,则丧失了认证的安全性,容易被他⼈窃取数据。
2> md5认证 //安全int e0/0 //进⼊需要做md5认证的接⼝ip ospf authentication message-digest //开启认证ip ospf authentication message-digest-key 1 md5 cisco //输⼊密钥PS:与明⽂认证⼀样,邻居间的md5认证密钥必须保持⼀致,否则不能进⾏通信。
2:区域认证 //防⽌区域接⼊⾮法路由器,区域内所有设备都需要开启1> 明⽂认证router ospf 1area 0 authenticationint e0/0ip ospf authentication-key cisco //接⼝写⼊认证密钥2> md5认证router ospf 1area 0 authentication message-digest //区域0开启md5认证int e0/0ip ospf message-digest-key 1 md5 cisco //接⼝写⼊md5认证密钥PS:在路由器上开启关于某个区域的明⽂或密⽂认证,实际上是将该路由上⼯作与此区域的接⼝修改认证类型字段为明⽂或密⽂,密钥需要在各个接⼝逐⼀配置。
CCNP BGP协议配置 (全)
培训Bgp 协议基本bgp配置router bgp 300no synchronization //默认配置bgp router-id 5.5.5.5bgp log-neighbor-changesneighbor 3.3.3.3 remote-as 100neighbor 3.3.3.3 update-source Loopback0如果不指明更新的接口,那么路由更新是从直连的接口出去而对端指的是你的环回接口,那么对端路由器要做一个校验,看看路由更新的源接口和用neighbor命令指的接口是否一致,如果不一致,就扔掉数据包no auto-summaryr2#sh ip bgp sur2#sh ip bgp summaryBGP router identifier 2.2.2.2, local AS number 100 BGP table version is 1, main routing table version 1Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd3.3.3.3 4 100 15 16 1 0 0 00:12:44 04.4.4.4 4 200 0 0 0 0 0 never Idle路由解决了,但是有一个问题,ebgp的多跳问题r2(config)#router bgp 100r2(config-router)#neighbor 4.4.4.4 ebgr2(config-router)#neighbor 4.4.4.4 ebgp-multihop 2r4(config)#router bgp 200r4(config-router)#neighbor 2.2.2.2 ebgpr4(config-router)#neighbor 2.2.2.2 ebgp-multihop 2不用环回口,就不存在整个问题结果Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd3.3.3.3 4 100 19 21 3 0 0 00:16:28 04.4.4.4 4 200 5 4 3 0 0 00:00:09 1r2#sh ip bgpBGP table version is 3, local router ID is 2.2.2.2Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S StaleOrigin codes: i - IGP, e - EGP, ? - incompleteNetwork Next Hop Metric LocPrf Weight Pathr> 4.4.4.0/24 4.4.4.4 0 0 200 i这个r3学来了没有?r3#sh ip bgpBGP table version is 1, local router ID is 3.3.3.3Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S StaleOrigin codes: i - IGP, e - EGP, ? - incompleteNetwork Next Hop Metric LocPrf Weight Path* i4.4.4.0/24 4.4.4.4 0 100 0 200 iR5 ?r5#sh ip bgp空一个路由要向其他的as发送,要满足两个条件1.igp有这条路由(可以用关闭同步解决,现在默认都是no synchronization )2.下一条应该可达可以用 next-hop-self或者加路由如果这两个条件满足,路由条目前面会出现一个>号(路由最优)r2(config-router)#neighbor 3.3.3.3 next-hop-selfr3#clear ip bgp * softr3#sh ip bgpBGP table version is 2, local router ID is 3.3.3.3Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S StaleOrigin codes: i - IGP, e - EGP, ? - incompleteNetwork Next Hop Metric LocPrf Weight Path*>i4.4.4.0/24 2.2.2.2 0 100 0 200 ir5#sh ip bgpBGP table version is 2, local router ID is 5.5.5.5Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S StaleOrigin codes: i - IGP, e - EGP, ? - incompleteNetwork Next Hop Metric LocPrf Weight Path*> 4.4.4.0/24 3.3.3.3 0 100 200 iPing 测试结果?r5#ping 4.4.4.4Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:.....Success rate is 0 percent (0/5)Ping测试1)数据包能否倒台目的地R1 没有运行bgp,所以说出现了路由黑洞问题解决方法把4.4.4.0 发到ospf里面去,或者做静态路由(不可取)1.直接把bgp发到ospf里面去,但是一定要做过滤2.做一条这个路由的静态路由,指向空接口,然后把整个静态路发进去3.2)数据包能否返回r2#sh ip bgpBGP table version is 3, local router ID is 2.2.2.2Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S StaleOrigin codes: i - IGP, e - EGP, ? - incompleteNetwork Next Hop Metric LocPrf Weight Pathr> 4.4.4.0/24 4.4.4.4 0 0 200 ir就代表有更好的igp路由因为4.4.4.0 有一条静态路由,所以不重发bgp了,直接就发静态路由算了router ospf 1log-adjacency-changesredistribute static subnetsredistribute bgp 100 subnets route-map to-igpnetwork 2.2.2.2 0.0.0.0 area 0network 12.1.1.2 0.0.0.0 area 0!router bgp 100no synchronizationbgp router-id 2.2.2.2bgp log-neighbor-changesneighbor 3.3.3.3 remote-as 100neighbor 3.3.3.3 update-source Loopback0neighbor 3.3.3.3 next-hop-selfneighbor 4.4.4.4 remote-as 200neighbor 4.4.4.4 ebgp-multihop 2neighbor 4.4.4.4 update-source Loopback0no auto-summaryip route 4.4.4.0 255.255.255.0 24.1.1.4!!!access-list 10 permit 4.4.4.0!route-map to-igp permit 10match ip address 10r1O E2 4.4.4.0 [110/20] via 12.1.1.2, 00:00:39, Serial1/0还需要做r3(config-router)#redistribute connected subnetsr4(config)#ip route 35.0.0.0 255.0.0.0 24.1.1.2再测试一下r5#ping 4.4.4.4Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 124/135/156 ms1.更新接口问题2.ebgp的多跳问题3.bgp的条目要正常的通告要满足两个条件igp路由可达下一跳可达4.路由黑洞同步/路由黑洞路由反射器R1 运行bgprouter bgp 100no synchronizationbgp router-id 1.1.1.1bgp log-neighbor-changesneighbor 2.2.2.2 remote-as 100neighbor 3.3.3.3 remote-as 100r2router bgp 100no synchronizationbgp router-id 2.2.2.2bgp log-neighbor-changesneighbor 1.1.1.1 remote-as 100neighbor 1.1.1.1 update-source Loopback0neighbor 4.4.4.4 remote-as 200neighbor 4.4.4.4 ebgp-multihop 2neighbor 4.4.4.4 update-source Loopback0r3router bgp 100no synchronizationbgp router-id 3.3.3.3bgp log-neighbor-changesneighbor 1.1.1.1 remote-as 100neighbor 1.1.1.1 update-source Loopback0neighbor 5.5.5.5 remote-as 300neighbor 5.5.5.5 ebgp-multihop 2neighbor 5.5.5.5 update-source Loopback0no auto-summary问题?R3 或者说R5还能学到4.4..4.4 这个路由吗?r2#sh ip bgpBGP table version is 3, local router ID is 2.2.2.2Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,r RIB-failure, S StaleOrigin codes: i - IGP, e - EGP, ? - incompleteNetwork Next Hop Metric LocPrf Weight Path r> 4.4.4.0/24 4.4.4.4 0 0 200 ir1#sh ip bgpBGP table version is 3, local router ID is 1.1.1.1Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,r RIB-failure, S StaleOrigin codes: i - IGP, e - EGP, ? - incompleteNetwork Next Hop Metric LocPrf Weight Path r>i4.4.4.0/24 4.4.4.4 0 100 0 200 ir3#sh ip bgpr3#r3为什么没有路由?Ibgp 路由只能传递一跳一个ibgp路由器不会把从一个ibgp对等体学来的路由再传给其他的对等体叫做ibgp的水平分割注意:防止路由环路(bgp防止环路的机制是靠AS,但是在一个as里面,as就失去了意义)解决方法:1.全互联2.路由反射器3.联盟路由反射器把r1配置成路由反射器从路由反射器的客户端来的路由可以反给客户端和非客户端从路由反射器的非客户端来的路由可以反给客户端router bgp 100no synchronizationbgp router-id 1.1.1.1bgp log-neighbor-changesneighbor 2.2.2.2 remote-as 100neighbor 2.2.2.2 route-reflector-clientneighbor 3.3.3.3 remote-as 100再到R3看一看r3#sh ip bgpBGP table version is 7, local router ID is 3.3.3.3Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,r RIB-failure, S StaleOrigin codes: i - IGP, e - EGP, ? - incompleteNetwork Next Hop Metric LocPrf Weight Pathr>i4.4.4.0/24 4.4.4.4 0 100 0 200 i下一跳Ebgp的下一跳进入as的时候保留Ibgp的下一跳出as的时候改变联盟把一个大的as分成许多小的as对外是大的as,小的as只是在区域内有作用R1router bgp 65001no synchronizationbgp router-id 1.1.1.1bgp log-neighbor-changesbgp confederation identifier 100bgp confederation peers 65002neighbor 2.2.2.2 remote-as 65001 neighbor 3.3.3.3 remote-as 65002 neighbor 3.3.3.3 ebgp-multihop 2 neighbor 3.3.3.3 update-source Loopback0R2router bgp 65001no synchronizationbgp router-id 2.2.2.2bgp log-neighbor-changesbgp confederation identifier 100 neighbor 1.1.1.1 remote-as 65001 neighbor 1.1.1.1 update-source Loopback0 neighbor 4.4.4.4 remote-as 200 neighbor 4.4.4.4 ebgp-multihop 2 neighbor 4.4.4.4 update-source Loopback0 no auto-summaryrouter bgp 65002no synchronizationbgp router-id 3.3.3.3bgp log-neighbor-changesbgp confederation identifier 100bgp confederation peers 65001neighbor 1.1.1.1 remote-as 65001 neighbor 1.1.1.1 ebgp-multihop 2 neighbor 1.1.1.1 update-source Loopback0 neighbor 5.5.5.5 remote-as 300 neighbor 5.5.5.5 ebgp-multihop 2 neighbor 5.5.5.5 update-source Loopback0r4router bgp 200no synchronizationbgp router-id 4.4.4.4bgp log-neighbor-changesnetwork 4.4.4.0 mask 255.255.255.0 neighbor 2.2.2.2 remote-as 100 neighbor 2.2.2.2 ebgp-multihop 2 neighbor 2.2.2.2 update-source Loopback0 no auto-summaryr5no synchronizationbgp router-id 5.5.5.5bgp log-neighbor-changesneighbor 3.3.3.3 remote-as 100neighbor 3.3.3.3 ebgp-multihop 2neighbor 3.3.3.3 update-source Loopback0no auto-summary注意:下一跳这个属性不理会联盟的asr3#sh ip bgpBGP table version is 3, local router ID is 3.3.3.3Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,r RIB-failure, S StaleOrigin codes: i - IGP, e - EGP, ? - incompleteNetwork Next Hop Metric LocPrf Weight Pathr> 4.4.4.0/24 4.4.4.4 0 100 0 (65001) 200 i 对等体组R1router bgp 100no synchronizationbgp router-id 1.1.1.1bgp log-neighbor-changesneighbor aaa peer-group //创建一个对等体组neighbor aaa remote-as 100neighbor aaa update-source Loopback0neighbor aaa route-reflector-clientneighbor 2.2.2.2 peer-group aaaneighbor 3.3.3.3 peer-group aaar2router bgp 100no synchronizationbgp router-id 2.2.2.2bgp log-neighbor-changesneighbor 1.1.1.1 remote-as 100neighbor 1.1.1.1 update-source Loopback0r3no synchronizationbgp router-id 3.3.3.3bgp log-neighbor-changesneighbor 1.1.1.1 remote-as 100neighbor 1.1.1.1 update-source Loopback0no auto-summary联盟社团属性知名的社团属性一种有特殊意义的标记Community一种是知名社团,大家一看到这种标记,就知道他的特殊意义Local-as不传给本as之外的对等体(对联盟中的对等体有作用)route-map com permit 10set community local-ASr2# clear ip bgp * sr2#sh ip bgp commr2#sh ip bgp community lor2#sh ip bgp community local-ASBGP table version is 6, local router ID is 2.2.2.2Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,r RIB-failure, S StaleOrigin codes: i - IGP, e - EGP, ? - incompleteNetwork Next Hop Metric LocPrf Weight Path r> 4.4.4.0/24 4.4.4.4 0 0 200 iNo-Export不传给本as之外的对等体(不会理会联盟的as)R2router bgp 100no synchronizationbgp router-id 2.2.2.2bgp log-neighbor-changesneighbor 1.1.1.1 remote-as 100neighbor 1.1.1.1 update-source Loopback0neighbor 1.1.1.1 send-communityneighbor 4.4.4.4 remote-as 200neighbor 4.4.4.4 ebgp-multihop 2neighbor 4.4.4.4 update-source Loopback0neighbor 4.4.4.4 route-map com inroute-map com permit 10set community no-exportr1r1(config-router)#neighbor aaa send-communityr1#sh ip bgp communityBGP table version is 4, local router ID is 1.1.1.1Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,r RIB-failure, S StaleOrigin codes: i - IGP, e - EGP, ? - incompleteNetwork Next Hop Metric LocPrf Weight Path r>i4.4.4.0/24 4.4.4.4 0 100 0 200 iNo-advertisement不传给任何对等体route-map com permit 10set community no-advertiser2#sh ip bgp community no-adr2#sh ip bgp community no-advertiseBGP table version is 5, local router ID is 2.2.2.2Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,r RIB-failure, S StaleOrigin codes: i - IGP, e - EGP, ? - incompleteNetwork Next Hop Metric LocPrf Weight Path r> 4.4.4.0/24 4.4.4.4 0 0 200 i社团列表自己定义社团有些时候需要没有特殊意义,只是标记而已配置r2(config-route-map)#set community 100:88显示route-map com permit 10set community 6553688r2(config)#ip bgp-community new-format然后route-map com permit 10set community 100:88r1#sh ip bgp community 6553688BGP table version is 8, local router ID is 1.1.1.1Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,r RIB-failure, S StaleOrigin codes: i - IGP, e - EGP, ? - incompleteNetwork Next Hop Metric LocPrf Weight Path r>i4.4.4.0/24 4.4.4.4 0 100 0 200 i在r3对community 进行控制r3#sh ip bgp 4.4.4.0BGP routing table entry for 4.4.4.0/24, version 8Paths: (1 available, best #1, table Default-IP-Routing-Table, RIB-failure(17)) Advertised to update-groups:22004.4.4.4 (metric 20) from 1.1.1.1 (1.1.1.1)Origin IGP, metric 0, localpref 100, valid, internal, bestCommunity: 6553688Originator: 2.2.2.2, Cluster list: 1.1.1.1r3(config)#ip bgp-community new-formatr3#sh ip bgp 4.4.4.0BGP routing table entry for 4.4.4.0/24, version 8Paths: (1 available, best #1, table Default-IP-Routing-Table, RIB-failure(17)) Advertised to update-groups:22004.4.4.4 (metric 20) from 1.1.1.1 (1.1.1.1)Origin IGP, metric 0, localpref 100, valid, internal, bestCommunity: 100:88Originator: 2.2.2.2, Cluster list: 1.1.1.1router bgp 100no synchronizationbgp router-id 3.3.3.3bgp log-neighbor-changesneighbor 1.1.1.1 remote-as 100neighbor 1.1.1.1 update-source Loopback0neighbor 1.1.1.1 route-map addas inneighbor 5.5.5.5 remote-as 300neighbor 5.5.5.5 ebgp-multihop 2neighbor 5.5.5.5 update-source Loopback0neighbor 5.5.5.5 route-map asadd outip bgp-community new-formatip community-list 20 permit 100:88!route-map addas permit 10match community 20set local-preference 666set as-path prepend 88 //进来的时候不起作用!route-map asadd permit 10match community 20set as-path prepend 8888路由过滤Prefix-listrouter bgp 100no synchronizationbgp router-id 2.2.2.2bgp log-neighbor-changesneighbor 1.1.1.1 update-source Loopback0neighbor 1.1.1.1 send-communityneighbor 4.4.4.4 remote-as 200neighbor 4.4.4.4 ebgp-multihop 2neighbor 4.4.4.4 update-source Loopback0neighbor 4.4.4.4 prefix-list to-r2 inneighbor 4.4.4.4 route-map com inip prefix-list to-r2 seq 5 permit 4.4.4.0/24Route-map(as-path的修改)route-map to-r2 permit 10match ip address prefix-list to-r2set tag 1111set local-preference 8888set weight 7777set as-path prepend 6666neighbor 4.4.4.4 route-map to-r2 inr2#sh ip bgpBGP table version is 10, local router ID is 2.2.2.2Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,r RIB-failure, S StaleOrigin codes: i - IGP, e - EGP, ? - incompleteNetwork Next Hop Metric LocPrf Weight Pathr> 4.4.4.0/24 4.4.4.4 0 8888 7777 6666 200 i Distribute-list他还要调用访问控制列表,或者前缀列表Filter-list对as进行一个过滤和控制R2ip as-path access-list 100 permit ^200$正则表达式改天再讲路径控制router bgp 100no synchronizationbgp router-id 1.1.1.1bgp log-neighbor-changesneighbor aaa peer-groupneighbor aaa remote-as 100 neighbor aaa update-source Loopback0 neighbor aaa route-reflector-client neighbor aaa send-community neighbor 2.2.2.2 peer-group aaar2router bgp 100no synchronizationbgp router-id 2.2.2.2bgp log-neighbor-changesnetwork 2.2.2.0 mask 255.255.255.0 neighbor 1.1.1.1 remote-as 100 neighbor 1.1.1.1 update-source Loopback0 neighbor 1.1.1.1 send-community neighbor 4.4.4.4 remote-as 200 neighbor 4.4.4.4 ebgp-multihop 2 neighbor 4.4.4.4 update-source Loopback0 neighbor 4.4.4.4 route-map to-r4 out neighbor 4.4.4.4 filter-list 100 inip prefix-list to-r2 seq 5 permit 4.4.4.0/24 access-list 10 permit 4.4.4.0access-list 30 permit 3.3.3.0!route-map to-igp permit 10match ip address 10!route-map com permit 10set community 100:88!route-map to-r4 permit 10match ip address 30set metric 300!route-map to-r4 permit 20r3router bgp 100no synchronizationbgp router-id 3.3.3.3bgp log-neighbor-changesnetwork 3.3.3.0 mask 255.255.255.0 neighbor 1.1.1.1 remote-as 100 neighbor 1.1.1.1 update-source Loopback0 neighbor 5.5.5.5 remote-as 200 neighbor 5.5.5.5 ebgp-multihop 2neighbor 5.5.5.5 update-source Loopback0 neighbor 5.5.5.5 route-map to-r5 outno auto-summaryaccess-list 20 permit 2.2.2.0!route-map to-r5 permit 10match ip address 20set metric 200!route-map to-r5 permit 20r4router bgp 200no synchronizationbgp router-id 4.4.4.4bgp log-neighbor-changesneighbor 2.2.2.2 remote-as 100 neighbor 2.2.2.2 ebgp-multihop 2 neighbor 2.2.2.2 update-source Loopback0 neighbor 2.2.2.2 route-map from-r2 in neighbor 2.2.2.2 route-map to-r2 out neighbor 8.8.8.8 remote-as 200 neighbor 8.8.8.8 update-source Loopback0access-list 30 permit 3.3.3.0access-list 40 permit 4.4.4.0!route-map to-r2 permit 10match ip address 40set as-path prepend 888!route-map to-r2 permit 20!route-map from-r2 permit 10match ip address 30set local-preference 666!route-map from-r2 permit 20router bgp 200no synchronizationbgp router-id 5.5.5.5bgp log-neighbor-changesneighbor 3.3.3.3 remote-as 100 neighbor 3.3.3.3 ebgp-multihop 2 neighbor 3.3.3.3 update-source Loopback0 neighbor 3.3.3.3 route-map from-r3 in neighbor 8.8.8.8 remote-as 200 neighbor 8.8.8.8 update-source Loopback0 no auto-summaryaccess-list 20 permit 2.2.2.0!route-map from-r3 permit 10match ip address 20set local-preference 666!route-map from-r3 permit 20r6router ospf 1log-adjacency-changesnetwork 0.0.0.0 255.255.255.255 area 0 router ospf 1log-adjacency-changesnetwork 0.0.0.0 255.255.255.255 area 0r7router bgp 200no synchronizationbgp router-id 8.8.8.8bgp log-neighbor-changesneighbor 4.4.4.4 remote-as 200 neighbor 4.4.4.4 update-source Loopback0 neighbor 4.4.4.4 route-reflector-client neighbor 4.4.4.4 route-map wei in neighbor 5.5.5.5 remote-as 200 neighbor 5.5.5.5 update-source Loopback0 neighbor 5.5.5.5 route-reflector-client neighbor 5.5.5.5 route-map wei2 inno auto-summaryaccess-list 20 permit 2.2.2.0access-list 30 permit 3.3.3.0!route-map wei2 permit 10match ip address 30set weight 1000!route-map wei2 permit 20!route-map wei permit 10match ip address 20set weight 1000!route-map wei permit 20 Weight思科私有的优先级是第一位的只能在一个路由器上比较不能传播到其他的路由器上去Med类似于我们说的metric值Multi-exit-descriptorlocal–prefence 可以传播其他as欺骗路由聚合Bgp进程下做的汇总就是igp里面做的WeightLocal-preferenceAs-pathMedRouter-id路由抑制Bgp bestpath as-path ignoreBgp负载均衡Bgp默认路由router bgp 20YYnetwork 0.0.0.0 mask 0.0.0.0ip route 0.0.0.0 0.0.0.0 null0bgp可选路由发布outer bgp 20YYnetwork 0.0.0.0 mask 0.0.0.0nei external advertise-map ADVER exist-map EXIST ip route 0.0.0.0 0.0.0.0 null0R3:access 10 per 0.0.0.0 0.0.0.0route-map DEFAULT deny 10match ip addr 10route-map DEFAULT per 20router bgp 20YYnei internal route-map DEFAULT in。
ccnp route-map
Route-map 重分发路由过滤实验日期:2015.6.2关键字:route-map ospf rip eigrp 过滤实验拓扑:R1:配置interface Loopback0ip address 10.0.1.1 255.255.255.0!interface Loopback1ip address 10.0.10.1 255.255.255.0!interface Loopback2ip address 10.0.11.1 255.255.255.0!interface Loopback3ip address 10.0.9.1 255.255.255.0interface Serial1/0ip address 10.0.12.1 255.255.255.0router ospf 110router-id 1.1.1.1log-adjacency-changesnetwork 10.0.1.1 0.0.0.0 area 0network 10.0.12.1 0.0.0.0 area 0network 10.0.0.0 0.255.255.255 area 0R2配置:interface Loopback0ip address 10.0.2.2 255.255.255.0!interface Serial1/0ip address 10.0.12.2 255.255.255.0serial restart-delay 0no dce-terminal-timing-enable!interface Serial1/1ip address 10.0.23.2 255.255.255.0serial restart-delay 0no dce-terminal-timing-enable!interface Serial1/2ip address 10.0.24.2 255.255.255.0serial restart-delay 0no dce-terminal-timing-enable!router eigrp 90network 10.0.0.0redistribute rip metric 10000 100 10 10 1500redistribute ospf 110 metric 10000 100 10 10 1500 route-map ccnp no auto-summary!router ospf 110router-id 2.2.2.2log-adjacency-changesredistribute rip subnetsredistribute eigrp 90 subnetsnetwork 10.0.2.2 0.0.0.0 area 0network 10.0.12.2 0.0.0.0 area 0!router ripversion 2redistribute eigrp 90 metric 1redistribute ospf 110 metric 1 route-map ccie network 10.0.0.0no auto-summary!router eigrp 90network 10.0.0.0distribute-list 13 out Serial1/2no auto-summary!access-list 1 permit 10.0.1.0 0.0.0.255 access-list 2 permit 10.0.9.0 0.0.0.255 access-list 3 deny 10.0.10.0 0.0.0.255 access-list 4 permit 10.0.11.0 0.0.0.255 access-list 11 permit 10.0.9.0 0.0.0.255 access-list 12 permit 10.0.1.0 0.0.0.255 access-list 13 deny 10.0.11.0 0.0.0.255 access-list 13 permit anyno cdp log mismatch duplex!route-map ccie permit 10match ip address 1!route-map ccie permit 15match ip address 2!route-map ccie permit 20match ip address 3!route-map ccie permit 25match ip address 4!route-map ccnp permit 10match ip address 11!route-map ccnp permit 15match ip address 12!route-map ccnp permit 25R3配置:interface Loopback0ip address 10.0.3.3 255.255.255.0!interface Serial1/1ip address 10.0.23.3 255.255.255.0serial restart-delay 0no dce-terminal-timing-enable!router ripversion 2network 10.0.0.0no auto-summary注意:路由表中没有10.0.10.0网段的路由原因是在R2上通过route-map CCIE过滤点了。
10CCNP第十天 路由策略
路由策略1路由策略1.1匹配路由工具1.1.1ACL(access-list)标准列表:匹配目标网络号,通配符用于精确匹配该网络号例:access-list 1 deny 1.1.1.0 0.0.0.0acl只能匹配网络号,不能匹配掩码长度扩展列表: 源地址匹配网络号,目标地址匹配掩码只限于bgp和重分布使用,同一协议无效例:access-list 100 permit ip host 192.168.1.0 host 255.255.255.0图1-1 ACL匹配路由实验拓扑图1-2 R1路由表R1(config)#access-list 1 deny 192.168.1.0 0.0.0.127R1(config)#access-list 1 permit anyR1(config)#router eigrp 100R1(config-router)#distribute-list 1 in f0/0图1-3 R1路由表说明acl只能匹配网络号,将192.168.1.0/24和192.168.1.0/25的路由都过滤掉了。
1.1.2前缀列表前缀列表只用于匹配路由条目,精确定义网络号,前缀长度。
相关参数:前缀长度:精确匹配网络号ge:大于等于le:小于等于说明:前缀长度<ge<=le例:ip prefix-list 1 permit 192.168.1.0/24 ge 25 le 32表示网络号前24位固定为192.168.1.0,掩码长度为25到32的路由被匹配。
前缀列表举例说明:ip prefix-list 1 permit 192.168.1.0/24表示网络号前24位固定为192.168.1.0,掩码为24位的路由被匹配。
ip prefix-list 1 permit 0.0.0.0/0表示匹配默认路由,网络号为0.0.0.0,掩码为0.0.0.0ip prefix-list 1 permit 0.0.0.0/0 le 32表示匹配任意路由,等于acl中permit any利用前缀列表解决上述实验问题:R1(config)#ip prefix-list 1 deny 192.168.1.0/24 ge 25 le 25R1(config)#ip prefix-list 1 permit 0.0.0.0/0 le 32R1(config)#router eigrp 100R1(config-router)#distribute-list prefix 1 in f0/0图1-4 R1路由表1.2过滤路由工具1.2.1分发列表通过acl或prefix-list定义流量进行路由的过滤1.2.2路由映射(route-map)用于重分发,策略路由,BGP属性。