BGP Routing Policy Tools

1 Matching AS_PATH with Regular Expressions

1.1 Matching Examples

Figure 1: Matching examples [image: as_path_regex_example.png]

1.2 Common Commands

R3#show ip bgp
BGP table version is 4, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
              t secondary path,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
*>   1.1.1.1/32       10.1.13.1                0             0 100 i
*>   2.2.2.2/32       10.1.23.2                0             0 200 i
*>   22.22.22.22/32   10.1.23.2                0             0 200 600 i

R3#show ip as-path-access-list # show the configured as-path access-lists
AS path access list 1
    deny _600$
    permit .*
AS path access list 2
    permit _600$

R3#show ip bgp filter-list 2 # show every route in the table permitted by the given access-list number
BGP table version is 4, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
              t secondary path,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>   22.22.22.22/32   10.1.23.2                0             0 200 600 i

R3#show ip bgp regexp 200.* # handy for testing a regular expression
BGP table version is 4, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
              t secondary path,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
*>   2.2.2.2/32       10.1.23.2                0             0 200 i
*>   22.22.22.22/32   10.1.23.2                0             0 200 600 i
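As an added example (not part of the original notes), the following Python models how IOS evaluates the commands above: the IOS-specific "_" token is translated into a standard regex, and the two as-path access-lists are applied to R3's three paths with first-match and implicit-deny semantics. The table and list contents are taken from the page; the function names and the "_" translation are my own.

```python
import re

def cisco_aspath_regex(pattern):
    """Translate an IOS AS-path regex to Python. The only IOS-specific token is
    '_', which matches the start or end of the AS_PATH string, a space, or the
    AS_SET / confederation delimiters { } ( ) , ."""
    return re.compile(pattern.replace("_", r"(?:^|$|[ {},()])"))

def aspath_matches(pattern, as_path):
    """as_path is the attribute as IOS prints it, e.g. '200 600' ('' when the
    route is locally originated). IOS searches the string, so nothing is
    anchored unless the pattern says so; '_600$' means 'last AS is exactly 600'."""
    return cisco_aspath_regex(pattern).search(as_path) is not None

def aspath_acl_permits(acl, as_path):
    """acl is an ordered list of (action, pattern). First match wins, and a
    path matching no entry is denied (the implicit deny at the end)."""
    for action, pattern in acl:
        if aspath_matches(pattern, as_path):
            return action == "permit"
    return False

# Constructed from the page: list 1 drops routes originated in AS600,
# list 2 selects exactly those routes.
AS_PATH_ACL = {
    1: [("deny", "_600$"), ("permit", ".*")],
    2: [("permit", "_600$")],
}

# R3's BGP table from the page as (prefix, AS_PATH) pairs.
R3_TABLE = [("1.1.1.1/32", "100"), ("2.2.2.2/32", "200"),
            ("22.22.22.22/32", "200 600")]

def filter_list(table, acl_num):
    """What 'show ip bgp filter-list N' lists: the prefixes the list permits."""
    return [p for p, path in table if aspath_acl_permits(AS_PATH_ACL[acl_num], path)]

def show_regexp(table, pattern):
    """What 'show ip bgp regexp PATTERN' lists."""
    return [p for p, path in table if aspath_matches(pattern, path)]
```

The "_" matters: a plain "600$" would also match a path ending in 1600, while "_600$" matches only when the last AS is 600.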

1.3 Lab: Route Filtering with filter-list

Figure 2: Lab requirements [image: aspath_regex_filter_list_experiment_requirements.png]

Figure 3: Lab topology [image: aspath_regex_filter_list_experiment_topo.png]

Configuration on R2:

router bgp 200
 bgp router-id 2.2.2.2
 bgp log-neighbor-changes
 network 2.2.2.2 mask 255.255.255.255
 network 22.22.22.22 mask 255.255.255.255
 neighbor 10.1.23.3 remote-as 300
 neighbor 10.1.23.3 route-map RTMAP_OUT_TO_R3 out # apply the policy in the outbound direction
!
ip prefix-list PFX_L1 seq 5 permit 22.22.22.22/32
!
route-map RTMAP_OUT_TO_R3 permit 10
 match ip address prefix-list PFX_L1
 set as-path prepend 600 # this is how an AS is added to the AS_PATH
!
route-map RTMAP_OUT_TO_R3 permit 20

R3's state at this point:

R3(config-router)#do show ip b
BGP table version is 14, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
              t secondary path,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
*>   1.1.1.1/32       10.1.13.1                0             0 100 i
*>   2.2.2.2/32       10.1.23.2                0             0 200 i
*>   22.22.22.22/32   10.1.23.2                0             0 200 600 i

Configure inbound route filtering on R3:

router bgp 300
 bgp router-id 3.3.3.3
 bgp log-neighbor-changes
 neighbor 10.1.13.1 remote-as 100
 neighbor 10.1.23.2 remote-as 200
 neighbor 10.1.23.2 filter-list 1 in
!
ip as-path access-list 1 deny _600$ # routes originated in AS600
ip as-path access-list 1 permit .*

Observe R3's routes again:

R3#show ip b
BGP table version is 3, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
              t secondary path,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>   1.1.1.1/32       10.1.13.1                0             0 100 i
 *>   2.2.2.2/32       10.1.23.2                0             0 200 i

Figure 4: The packet capture still shows this route being received; it is simply dropped by the inbound policy [image: aspath_regex_wireshark.png]

1.4 Lab: Setting Route Attributes with a route-map

Figure 5: Lab requirements [image: aspath_regex_route_map_experiment_requirements.png]

Configure on R3:

router bgp 300
 bgp router-id 3.3.3.3
 bgp log-neighbor-changes
 neighbor 10.1.13.1 remote-as 100
 neighbor 10.1.23.2 remote-as 200
 neighbor 10.1.23.2 route-map RTMAP_LOCAL_AS in
!
ip as-path access-list 2 permit _600$
!
route-map RTMAP_LOCAL_AS permit 10
 match as-path 2
 set community local-AS
!
route-map RTMAP_LOCAL_AS permit 20

The result:

R3#sh ip b
BGP table version is 4, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
              t secondary path,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
*>   1.1.1.1/32       10.1.13.1                0             0 100 i
*>   2.2.2.2/32       10.1.23.2                0             0 200 i
*>   22.22.22.22/32   10.1.23.2                0             0 200 600 i
R3#sh ip b 22.22.22.22
BGP routing table entry for 22.22.22.22/32, version 4
Paths: (1 available, best #1, table default, not advertised outside local AS)
  Not advertised to any peer
  Refresh Epoch 1
  200 600
    10.1.23.2 from 10.1.23.2 (2.2.2.2)
      Origin IGP, metric 0, localpref 100, valid, external, best
      Community: local-AS
      rx pathid: 0, tx pathid: 0x0
R3#sh ip b 2.2.2.2
BGP routing table entry for 2.2.2.2/32, version 3
Paths: (1 available, best #1, table default)
  Advertised to update-groups:
     4
  Refresh Epoch 1
  200
    10.1.23.2 from 10.1.23.2 (2.2.2.2)
      Origin IGP, metric 0, localpref 100, valid, external, best
      # this route does not carry the local-AS community
      rx pathid: 0, tx pathid: 0x0

2 Route Manipulation Based on Communities

2.1 Lab: Setting Communities

Figure 6: Lab topology [image: community_experiment.png]

2.1.1 Lab Requirements

  • On R1, in the outbound direction, set community 100:11 on the 11.11.11.0/24 route and 100:12 on the 12.12.12.0/24 route
  • On R2, in the outbound direction, add no-export to 11.11.11.0/24 and no-advertise to 12.12.12.0/24
  • On R3, in the inbound direction, delete all community values from 12.12.12.0/24

2.1.2 Device Configuration

  • R1

    router bgp 100
     bgp router-id 1.1.1.1
     bgp log-neighbor-changes
     network 11.11.11.0 mask 255.255.255.0
     network 12.12.12.0 mask 255.255.255.0
     neighbor 10.1.12.2 remote-as 200
     neighbor 10.1.12.2 send-community
     neighbor 10.1.12.2 route-map RM_OUT_SET_COMM out
    ip bgp-community new-format
    !
    ip prefix-list PL_11 seq 5 permit 11.11.11.0/24
    !
    ip prefix-list PL_12 seq 5 permit 12.12.12.0/24
    !
    route-map RM_OUT_SET_COMM permit 10
     match ip address prefix-list PL_11
     set community 100:11
    !
    route-map RM_OUT_SET_COMM permit 20
     match ip address prefix-list PL_12
     set community 100:12
    !
    route-map RM_OUT_SET_COMM permit 30
    
  • R2

    router bgp 200
     bgp router-id 2.2.2.2
     bgp log-neighbor-changes
     neighbor 10.1.12.1 remote-as 100
     neighbor 10.1.23.3 remote-as 300
     neighbor 10.1.23.3 send-community
     neighbor 10.1.23.3 route-map RM_OUT_ADD_COMM out
    !
    ip bgp-community new-format
    ip community-list standard COMM_100_11 permit 100:11
    ip community-list standard COMM_100_12 permit 100:12
    !
    route-map RM_OUT_ADD_COMM permit 10
     match community COMM_100_11
     set community no-export additive
    !
    route-map RM_OUT_ADD_COMM permit 20
     match community COMM_100_12
     set community no-advertise additive
    !
    route-map RM_OUT_ADD_COMM permit 30
    
  • R3

    router bgp 300
     bgp router-id 3.3.3.3
     bgp log-neighbor-changes
     neighbor 10.1.23.2 remote-as 200
     neighbor 10.1.23.2 route-map RM_IN_DEL_COMM_FOR_100_12 in
    !
    ip bgp-community new-format
    ip community-list standard COMM_100_12 permit 100:12
    ip community-list standard COMM_DEL permit 100:12
    ip community-list standard COMM_DEL permit no-advertise
    !
    route-map RM_IN_DEL_COMM_FOR_100_12 permit 10
     match community COMM_100_12
     set comm-list COMM_DEL delete
    !
    route-map RM_IN_DEL_COMM_FOR_100_12 permit 20
    

2.1.3 Lab Results

R2#show ip bgp detail
BGP routing table entry for 11.11.11.0/24, version 2
  Paths: (1 available, best #1, table default)
  Advertised to update-groups:
     7
  Refresh Epoch 1
  100
    10.1.12.1 from 10.1.12.1 (1.1.1.1)
      Origin IGP, metric 0, localpref 100, valid, external, best
      Community: 100:11
      rx pathid: 0, tx pathid: 0x0
BGP routing table entry for 12.12.12.0/24, version 3
  Paths: (1 available, best #1, table default)
  Advertised to update-groups:
     7
  Refresh Epoch 1
  100
    10.1.12.1 from 10.1.12.1 (1.1.1.1)
      Origin IGP, metric 0, localpref 100, valid, external, best
      Community: 100:12
      rx pathid: 0, tx pathid: 0x0


R3#show ip bgp detail
BGP routing table entry for 11.11.11.0/24, version 2
  Paths: (1 available, best #1, table default, not advertised to EBGP peer)
  Not advertised to any peer
  Refresh Epoch 1
  200 100
    10.1.23.2 from 10.1.23.2 (2.2.2.2)
      Origin IGP, localpref 100, valid, external, best
      Community: 100:11 no-export
      rx pathid: 0, tx pathid: 0x0
BGP routing table entry for 12.12.12.0/24, version 3
  Paths: (1 available, best #1, table default)
  Not advertised to any peer
  Refresh Epoch 1
  200 100
    10.1.23.2 from 10.1.23.2 (2.2.2.2)
      Origin IGP, localpref 100, valid, external, best # the communities have been deleted
      rx pathid: 0, tx pathid: 0x0

Figure 7: The packet capture still shows the communities that R2 sent [image: comm_wireshark.png]
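An added example (my own model, not code from the original notes) of the three-hop community pipeline in this lab: R1 sets the value, R2 adds to it with "additive", R3 strips values with "set comm-list ... delete", and a final check shows how the well-known values affect what a router may advertise. Route-map names and list contents are taken from the page; the route is modelled as a plain dict with "prefix" and "community" keys.

```python
NO_EXPORT, NO_ADVERTISE = "no-export", "no-advertise"

def set_community(route, values, additive=False):
    """'set community X' replaces the attribute; 'additive' keeps existing values."""
    route["community"] = (route["community"] | set(values)) if additive else set(values)
    return route

def comm_list_delete(route, comm_list):
    """'set comm-list NAME delete': strip every value the standard list permits."""
    route["community"] -= set(comm_list)
    return route

def clause_matches(route, kind, match):
    if kind is None:                             # bare 'permit N' clause: catch-all
        return True
    if kind == "prefix":                         # match ip address prefix-list
        return route["prefix"] in match
    return bool(route["community"] & match)      # match community (any listed value)

def run_route_map(route, clauses):
    """First matching clause applies; a route matching no clause is dropped."""
    for kind, match, action in clauses:
        if clause_matches(route, kind, match):
            return action(route) if action else route
    return None

def r1_outbound(route):            # RM_OUT_SET_COMM on R1
    return run_route_map(route, [
        ("prefix", {"11.11.11.0/24"}, lambda r: set_community(r, {"100:11"})),
        ("prefix", {"12.12.12.0/24"}, lambda r: set_community(r, {"100:12"})),
        (None, None, None)])

def r2_outbound(route):            # RM_OUT_ADD_COMM on R2
    return run_route_map(route, [
        ("community", {"100:11"}, lambda r: set_community(r, {NO_EXPORT}, additive=True)),
        ("community", {"100:12"}, lambda r: set_community(r, {NO_ADVERTISE}, additive=True)),
        (None, None, None)])
COMM_DEL = {"100:12", NO_ADVERTISE}             # community-list COMM_DEL on R3
def r3_inbound(route):             # RM_IN_DEL_COMM_FOR_100_12 on R3
    return run_route_map(route, [
        ("community", {"100:12"}, lambda r: comm_list_delete(r, COMM_DEL)),
        (None, None, None)])

def may_advertise(route, peer_is_ebgp):
    """Well-known values: no-advertise blocks every peer, no-export blocks eBGP peers."""
    c = route["community"]
    return NO_ADVERTISE not in c and not (NO_EXPORT in c and peer_is_ebgp)

def pipeline(prefix):
    """Community attribute as R3 holds it after all three route-maps have run."""
    route = {"prefix": prefix, "community": set()}
    for stage in (r1_outbound, r2_outbound, r3_inbound):
        route = stage(route)
    return route["community"]
```

Two things the model makes visible: both sending hops on the page configure send-community, and without it IOS strips the attribute before transmission so R2's "match community" would never fire; and R3's inbound delete also discards the no-advertise R2 attached, so 12.12.12.0/24 becomes advertisable again from R3's point of view.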

3 Filtering Tools

Figure 8: Where each filter takes effect [image: hook.png]

3.1 prefix-list

3.1.1 Configuration Example

Figure 9: Configuration topology (requirement: on R2, filter out the 12.12.12.0/24 route and permit everything else) [image: prefix_list_conf.png]

Configuration on R2:

router bgp 120
 bgp router-id 2.2.2.2
 bgp log-neighbor-changes
 neighbor 10.1.12.1 remote-as 120
 neighbor 10.1.23.3 remote-as 300
 neighbor 10.1.23.3 prefix-list PFX_DENY_12 out
!
ip prefix-list PFX_DENY_12 seq 5 deny 12.12.12.0/24
ip prefix-list PFX_DENY_12 seq 10 permit 0.0.0.0/0 le 32 # permit everything else

3.2 distribute-list

3.2.1 Configuration Example

Figure 10: Configuration topology (requirement: on R2, filter out the 12.12.12.0/24 route and permit everything else) [image: prefix_list_conf.png]

Configuration on R2:

router bgp 120
 bgp router-id 2.2.2.2
 bgp log-neighbor-changes
 neighbor 10.1.12.1 remote-as 120
 neighbor 10.1.23.3 remote-as 300
 neighbor 10.1.23.3 distribute-list ACL_DENY_12 out
!
ip access-list standard ACL_DENY_12
 deny   12.12.12.0 # do not use a wildcard mask when an ACL is used to match routes
 permit any
!

3.2.1.1 Configuring Directly in Router Configuration Mode

router bgp 120
 bgp router-id 2.2.2.2
 bgp log-neighbor-changes
 neighbor 10.1.12.1 remote-as 120
 neighbor 10.1.23.3 remote-as 300
 distribute-list prefix PFX_DENY_12 out
!
ip prefix-list PFX_DENY_12 seq 5 deny 12.12.12.0/24
ip prefix-list PFX_DENY_12 seq 10 permit 0.0.0.0/0 le 32

3.3 route-map

3.4 advertise-map (Conditional Advertisement)

R1(config-router)#neighbor 10.1.12.2 advertise-map ?
  WORD  advertise route-map name
R1(config-router)#neighbor 10.1.12.2 advertise-map RM1 ?
  exist-map      advertise prefix only if prefix is in the condition exists
  non-exist-map  advertise prefix only if prefix in the condition does not exist
R1(config-router)#neighbor 10.1.12.2 advertise-map RM1 non-exist-map ?
  WORD  condition route-map name

Figure 11: Configuration topology [image: adv-map.png]

Configuration on R1:

router bgp 100
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 network 1.1.1.10 mask 255.255.255.255
 network 1.1.1.20 mask 255.255.255.255
 network 1.1.1.30 mask 255.255.255.255
 network 1.1.1.40 mask 255.255.255.255
 neighbor 10.1.12.2 remote-as 200
 neighbor 10.1.12.2 advertise-map RM1 non-exist-map RM2
 # non-exist-map: routes matching RM1 are advertised only while no route in the table matches RM2
!
ip prefix-list PFX_10_20 seq 5 permit 1.1.1.10/32
ip prefix-list PFX_10_20 seq 10 permit 1.1.1.20/32
!
ip prefix-list PFX_30_40 seq 5 permit 1.1.1.30/32
ip prefix-list PFX_30_40 seq 10 permit 1.1.1.40/32
!
route-map RM2 permit 10
 match ip address prefix-list PFX_30_40
!
route-map RM1 permit 10
 match ip address prefix-list PFX_10_20

Routes on R2:

R2#sh ip b
BGP table version is 7, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
              t secondary path,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>   1.1.1.30/32      10.1.12.1                0             0 100 i
 *>   1.1.1.40/32      10.1.12.1                0             0 100 i

After shutting down lo3/lo4 on R1, look at R2's routes again:

R2#sh ip b
BGP table version is 11, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
              t secondary path,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>   1.1.1.10/32      10.1.12.1                0             0 100 i
 *>   1.1.1.20/32      10.1.12.1                0             0 100 i

3.5 ORF

Outbound Route Filtering: the downstream router sends the prefix-list it applies in the inbound direction to the upstream router, so the upstream router advertises only the entries the downstream router actually wants, which cuts unnecessary transmission and processing.

3.5.1 Lab

Figure 12: Lab topology [image: org_experiment.png]

3.5.1.1 Initial Configuration

  • R1

    router bgp 120
     bgp router-id 1.1.1.1
     bgp log-neighbor-changes
     network 1.1.1.1 mask 255.255.255.255
     network 11.11.11.11 mask 255.255.255.255
     network 111.111.111.111 mask 255.255.255.255
     neighbor 10.1.12.2 remote-as 120
    
  • R2

    router bgp 120
     bgp router-id 2.2.2.2
     bgp log-neighbor-changes
     neighbor 10.1.12.1 remote-as 120
     neighbor 10.1.12.1 prefix-list PFX_IN in
    !
    ip prefix-list PFX_IN seq 5 deny 11.11.11.11/32
    ip prefix-list PFX_IN seq 10 permit 0.0.0.0/0 le 32
    
3.5.1.2 Initial State

  • R2

    R2#show ip bgp
    BGP table version is 5, local router ID is 2.2.2.2
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
                  x best-external, a additional-path, c RIB-compressed,
                  t secondary path,
    Origin codes: i - IGP, e - EGP, ? - incomplete
    RPKI validation codes: V valid, I invalid, N Not found
    
         Network            Next Hop            Metric LocPrf Weight Path
    *>i  1.1.1.1/32         10.1.12.1                0    100      0 i
    *>i  111.111.111.111/32 10.1.12.1                0    100      0 i
    # the inbound policy filtered out the 11.11.11.11/32 route
    
  • R1

    R1#show ip bgp neighbors 10.1.12.2 advertised-routes # show the routes advertised to R2
    BGP table version is 4, local router ID is 1.1.1.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
                  x best-external, a additional-path, c RIB-compressed,
                  t secondary path,
    Origin codes: i - IGP, e - EGP, ? - incomplete
    RPKI validation codes: V valid, I invalid, N Not found
    
         Network             Next Hop            Metric LocPrf Weight Path
    *>   1.1.1.1/32          0.0.0.0                  0         32768 i
    *>   11.11.11.11/32      0.0.0.0                  0         32768 i # R1 still advertises this route
    *>   111.111.111.111/32  0.0.0.0                  0         32768 i
    
    Total number of prefixes 3
    
3.5.1.3 Configuring ORF

  • R1

    router bgp 120
     bgp router-id 1.1.1.1
     bgp log-neighbor-changes
     neighbor 10.1.12.2 remote-as 120
     !
     address-family ipv4
      network 1.1.1.1 mask 255.255.255.255
      network 11.11.11.11 mask 255.255.255.255
      network 111.111.111.111 mask 255.255.255.255
      neighbor 10.1.12.2 activate
      neighbor 10.1.12.2 capability orf prefix-list receive
     exit-address-family
    !
    
  • R2

    router bgp 120
     bgp router-id 2.2.2.2
     bgp log-neighbor-changes
     neighbor 10.1.12.1 remote-as 120
     !
     address-family ipv4
      neighbor 10.1.12.1 activate
      neighbor 10.1.12.1 capability orf prefix-list send
      neighbor 10.1.12.1 prefix-list PFX_IN in
     exit-address-family
    !
    ip prefix-list PFX_IN seq 5 deny 11.11.11.11/32
    ip prefix-list PFX_IN seq 10 permit 0.0.0.0/0 le 32
    
3.5.1.4 State After Configuring ORF

  • R1

    R1#show ip bgp neighbors | include ORF
        Outbound Route Filter (ORF) type (128) Prefix-list:
      Outbound Route Filter (ORF): received (2 entries)
        ORF prefix-list:                      1        n/a
    R1#show ip b neighbors 10.1.12.2 advertised-routes
    BGP table version is 4, local router ID is 1.1.1.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
                  x best-external, a additional-path, c RIB-compressed,
                  t secondary path,
    Origin codes: i - IGP, e - EGP, ? - incomplete
    RPKI validation codes: V valid, I invalid, N Not found
    
         Network             Next Hop            Metric LocPrf Weight Path
    *>   1.1.1.1/32          0.0.0.0                  0         32768 i
    *>   111.111.111.111/32  0.0.0.0                  0         32768 i
    # after receiving the ORF, 11.11.11.11/32 is no longer advertised
    Total number of prefixes 2
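The prefix-list filter in 3.1, the conditional advertisement in 3.4 and the ORF exchange in 3.5 all rest on prefix-list matching, so one added example (my own Python model, not code from the original notes) covers all three: a small prefix-list evaluator with ge/le semantics, the non-exist-map rule, and the with/without ORF comparison. The prefix-lists and tables are copied from the page; RM1/RM2 are modelled as prefix-lists because on the page they match nothing else, and the function names are my own.

```python
import ipaddress

def parse_prefix_list(lines):
    """Parse Cisco-style entries such as 'seq 10 permit 0.0.0.0/0 le 32'."""
    entries = []
    for line in lines:
        tok = line.split()
        seq, action, net = int(tok[1]), tok[2], ipaddress.ip_network(tok[3])
        opts = dict(zip(tok[4::2], map(int, tok[5::2])))  # optional ge / le
        entries.append((seq, action, net, opts.get("ge"), opts.get("le")))
    return sorted(entries)

def entry_matches(route, net, ge, le):
    """The route must lie inside net and its length must fall in [lo, hi].
    Without ge/le only the exact length matches, so 'deny 12.12.12.0/24'
    does not catch a 12.12.12.0/25; that is why 'any' needs 'le 32'."""
    if not route.subnet_of(net):
        return False
    lo = ge if ge is not None else net.prefixlen
    hi = le if le is not None else (route.max_prefixlen if ge is not None else lo)
    return lo <= route.prefixlen <= hi

def permits(entries, route):
    """First matching entry wins; no match is an implicit deny."""
    for _, action, net, ge, le in entries:
        if entry_matches(route, net, ge, le):
            return action == "permit"
    return False

def apply_filter(routes, entries):
    return [r for r in routes if permits(entries, ipaddress.ip_network(r))]

# 3.1: R2's outbound prefix-list, copied from the page's configuration.
PFX_DENY_12 = parse_prefix_list(["seq 5 deny 12.12.12.0/24",
                                 "seq 10 permit 0.0.0.0/0 le 32"])
# 3.4: non-exist-map: routes matching RM1 are advertised only while nothing
# in the table matches RM2; routes outside RM1 are not touched by the advertise-map.
RM1 = parse_prefix_list(["seq 5 permit 1.1.1.10/32", "seq 10 permit 1.1.1.20/32"])
RM2 = parse_prefix_list(["seq 5 permit 1.1.1.30/32", "seq 10 permit 1.1.1.40/32"])

def conditional_advertise(table, advertise_map, non_exist_map):
    nets = [ipaddress.ip_network(r) for r in table]
    condition_exists = any(permits(non_exist_map, n) for n in nets)
    return [r for r, n in zip(table, nets)
            if not (condition_exists and permits(advertise_map, n))]

# 3.5: ORF. Without it R1 sends everything and R2 drops on receipt; with it
# R1 applies R2's inbound prefix-list before sending (page: 3 prefixes -> 2).
PFX_IN = parse_prefix_list(["seq 5 deny 11.11.11.11/32", "seq 10 permit 0.0.0.0/0 le 32"])

def exchange(r1_routes, downstream_inbound, orf):
    """Return (prefixes R1 puts on the wire, prefixes R2 installs)."""
    sent = apply_filter(r1_routes, downstream_inbound) if orf else list(r1_routes)
    return sent, apply_filter(sent, downstream_inbound)
```

Note the /25 case in the test: an exact-length deny lets a more specific prefix through, which is the usual way a "deny this block" prefix-list is bypassed by accident; add "le 32" (or "ge 25") to the deny entry when the intent is to cover the whole block.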
    

Author: Hao Ruan (ruanhao1116@gmail.com)

Created: 2021-05-15 Sat 09:08

Updated: 2021-08-17 Tue 11:23

Emacs 27.1 (Org mode 9.3)