Lab Guide: BGP Route Filtering
Copyright notice: original work; reproduction is not permitted. Violations will be pursued legally.
Initial configuration
R1
```
conf t
int l 0
 ip ad 1.1.1.1 255.255.255.255
int s2/0
 ip ad 10.1.1.1 255.255.255.0
 encap f
 no arp f
 no frame inver
 frame map ip 10.1.1.2 102 b
 no shut
int s 2/1
 encap f
 no arp f
 no frame inver
 frame map ip 10.1.4.4 114 b
 ip ad 10.1.4.1 255.255.255.0
 no shut
 exit
router rip
 ver 2
 no au
 net 10.0.0.0
 net 1.0.0.0
router bgp 1
 bgp router-id 1.1.1.1
 no au
 no sy
 nei 4.4.4.4 remote-as 654
 nei 4.4.4.4 up l 0
 nei 4.4.4.4 ebgp 255
 nei 2.2.2.2 remote-as 11151
 nei 2.2.2.2 up l 0
 nei 2.2.2.2 ebgp 255
end
```
R2
```
conf t
int l 0
 ip ad 2.2.2.2 255.255.255.255
interface Loopback1
 ip address 20.1.1.1 255.255.255.0
interface Loopback2
 ip address 20.1.2.1 255.255.255.0
interface Loopback3
 ip address 20.1.3.1 255.255.255.0
interface Loopback4
 ip address 20.1.4.1 255.255.255.0
interface Loopback5
 ip address 20.1.5.1 255.255.255.0
int s2/0
 ip ad 10.1.1.2 255.255.255.0
 encap f
 no arp f
 no frame inver
 frame map ip 10.1.1.1 201 b
 no shut
int s2/1
 ip ad 10.1.2.2 255.255.255.0
 encap f
 no arp f
 no frame inver
 frame map ip 10.1.2.3 213 b
 no shut
router rip
 ver 2
 no au
 net 10.0.0.0
 net 2.0.0.0
router bgp 11151
 no au
 no sy
 bgp router-id 2.2.2.2
 nei 1.1.1.1 remote-as 1
 nei 1.1.1.1 up l 0
 nei 1.1.1.1 ebgp 255
 nei 3.3.3.3 remote-as 65001
 nei 3.3.3.3 up l 0
 nei 3.3.3.3 ebgp 255
end
```
R3
```
conf t
int l 0
 ip ad 3.3.3.3 255.255.255.255
int l 1
 ip ad 23.75.18.1 255.255.255.0
int l 2
 ip ad 23.75.19.1 255.255.255.0
int l 3
 ip ad 23.75.20.1 255.255.255.0
int l 4
 ip ad 23.75.21.1 255.255.255.0
int l 5
 ip ad 23.75.22.1 255.255.255.0
int l 6
 ip ad 23.75.23.1 255.255.255.0
int l 7
 ip ad 23.75.24.1 255.255.255.0
int l 8
 ip ad 23.75.25.1 255.255.255.0
int l 9
 ip ad 23.75.26.1 255.255.255.0
int s 2/1
 ip ad 10.1.2.3 255.255.255.0
 encap f
 no arp f
 no frame inver
 frame map ip 10.1.2.2 312 b
 no shut
router rip
 ver 2
 no au
 net 10.0.0.0
 net 3.0.0.0
router bgp 65001
 no au
 no sy
 bgp router-id 3.3.3.3
 nei 2.2.2.2 remote-as 11151
 nei 2.2.2.2 up l 0
 nei 2.2.2.2 e 255
 net 23.75.18.0 mask 255.255.255.0
 net 23.75.19.0 mask 255.255.255.0
 net 23.75.20.0 mask 255.255.255.0
 net 23.75.21.0 mask 255.255.255.0
 net 23.75.22.0 mask 255.255.255.0
 net 23.75.23.0 mask 255.255.255.0
 net 23.75.24.0 mask 255.255.255.0
 net 23.75.25.0 mask 255.255.255.0
 net 23.75.26.0 mask 255.255.255.0
end
```
R4
```
conf t
int l 0
 ip ad 4.4.4.4 255.255.255.255
int l 1
 ip ad 189.168.56.1 255.255.254.0
int l 2
 ip ad 189.168.58.1 255.255.254.0
int l3
 ip ad 189.168.60.1 255.255.254.0
int l4
 ip ad 189.168.62.1 255.255.254.0
int l5
 ip ad 189.168.64.1 255.255.254.0
int l6
 ip ad 189.168.66.1 255.255.254.0
int l7
 ip ad 189.168.68.1 255.255.254.0
int l8
 ip ad 189.168.70.1 255.255.254.0
int l9
 ip ad 189.168.72.1 255.255.254.0
int l10
 ip ad 189.168.74.1 255.255.254.0
int l11
 ip ad 189.168.76.1 255.255.254.0
int l12
 ip ad 189.168.78.1 255.255.254.0
int l13
 ip ad 189.168.80.1 255.255.254.0
int l14
 ip ad 189.168.82.1 255.255.254.0
int l15
 ip ad 189.168.84.1 255.255.254.0
int l16
 ip ad 189.168.86.1 255.255.254.0
int l17
 ip ad 189.168.88.1 255.255.254.0
int s 2/1
 ip ad 10.1.4.4 255.255.255.0
 encap f
 no arp f
 no frame inver
 frame map ip 10.1.4.1 411 b
 no shut
router rip
 ver 2
 no au
 net 10.0.0.0
 net 4.0.0.0
router bgp 654
 no au
 no sy
 bgp router-id 4.4.4.4
 nei 1.1.1.1 remote 1
 nei 1.1.1.1 up l 0
 nei 1.1.1.1 e 255
 net 189.168.56.0 mask 255.255.254.0
 net 189.168.58.0 mask 255.255.254.0
 net 189.168.60.0 mask 255.255.254.0
 net 189.168.62.0 mask 255.255.254.0
 net 189.168.64.0 mask 255.255.254.0
 net 189.168.66.0 mask 255.255.254.0
 net 189.168.68.0 mask 255.255.254.0
 net 189.168.70.0 mask 255.255.254.0
 net 189.168.72.0 mask 255.255.254.0
 net 189.168.74.0 mask 255.255.254.0
 net 189.168.76.0 mask 255.255.254.0
 net 189.168.78.0 mask 255.255.254.0
 net 189.168.80.0 mask 255.255.254.0
 net 189.168.82.0 mask 255.255.254.0
 net 189.168.84.0 mask 255.255.254.0
 net 189.168.86.0 mask 255.255.254.0
 net 189.168.88.0 mask 255.255.254.0
end
```

1. Filtering private AS numbers

State of the BGP table on R1:
```
R1(config-router)#do sh ip bgp
BGP table version is 145, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 20.1.1.0/24      2.2.2.2                  0             0 11151 i
*> 20.1.2.0/24      2.2.2.2                  0             0 11151 i
*> 20.1.3.0/24      2.2.2.2                  0             0 11151 i
*> 20.1.4.0/24      2.2.2.2                  0             0 11151 i
*> 20.1.5.0/24      2.2.2.2                  0             0 11151 i
*> 23.75.18.0/24    2.2.2.2                                0 11151 65001 i
*> 23.75.19.0/24    2.2.2.2                                0 11151 65001 i
*> 23.75.20.0/24    2.2.2.2                                0 11151 65001 i
*> 23.75.21.0/24    2.2.2.2                                0 11151 65001 i
*> 23.75.22.0/24    2.2.2.2                                0 11151 65001 i
*> 23.75.23.0/24    2.2.2.2                                0 11151 65001 i
*> 23.75.24.0/24    2.2.2.2                                0 11151 65001 i
*> 23.75.25.0/24    2.2.2.2                                0 11151 65001 i
*> 23.75.26.0/24    2.2.2.2                                0 11151 65001 i
*> 189.168.56.0/23  4.4.4.4                  0             0 654 i
*> 189.168.58.0/23  4.4.4.4                  0             0 654 i
*> 189.168.60.0/23  4.4.4.4                  0             0 654 i
   Network          Next Hop            Metric LocPrf Weight Path
*> 189.168.62.0/23  4.4.4.4                  0             0 654 i
*> 189.168.64.0/23  4.4.4.4                  0             0 654 i
*> 189.168.66.0/23  4.4.4.4                  0             0 654 i
*> 189.168.68.0/23  4.4.4.4                  0             0 654 i
*> 189.168.70.0/23  4.4.4.4                  0             0 654 i
*> 189.168.72.0/23  4.4.4.4                  0             0 654 i
*> 189.168.74.0/23  4.4.4.4                  0             0 654 i
*> 189.168.76.0/23  4.4.4.4                  0             0 654 i
*> 189.168.78.0/23  4.4.4.4                  0             0 654 i
*> 189.168.80.0/23  4.4.4.4                  0             0 654 i
*> 189.168.82.0/23  4.4.4.4                  0             0 654 i
*> 189.168.84.0/23  4.4.4.4                  0             0 654 i
*> 189.168.86.0/23  4.4.4.4                  0             0 654 i
*> 189.168.88.0/23  4.4.4.4                  0             0 654 i
```
Because 65001 is a private AS (range 64512~65535), and it is sometimes undesirable to advertise a private AS to the peer, configure the following on R2:
```
router bgp 11151
 nei 1.1.1.1 remove-private-AS
```
Then on R1:
```
R1#clear ip bgp * s
R1#sh ip bgp
BGP table version is 45, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 23.75.18.0/24    2.2.2.2                                0 11151 i
*> 23.75.19.0/24    2.2.2.2                                0 11151 i
*> 23.75.20.0/24    2.2.2.2                                0 11151 i
*> 23.75.21.0/24    2.2.2.2                                0 11151 i
*> 23.75.22.0/24    2.2.2.2                                0 11151 i
*> 23.75.23.0/24    2.2.2.2                                0 11151 i
*> 23.75.24.0/24    2.2.2.2                                0 11151 i
*> 23.75.25.0/24    2.2.2.2                                0 11151 i
*> 23.75.26.0/24    2.2.2.2                                0 11151 i
```
(Routes advertised by 4.4.4.4 are omitted.)

AS 65001 has been filtered out of the path.

2. Route filtering with distribute-list

To filter all routes, except for routes to the prefix 23.75.0.0/16, you create an access list specifying the 23.75.0.0/16 network prefix and use that access list with a distribute list to filter all incoming routes.

R1
```
access-list 1 permit 23.75.0.0 0.0.255.255
router bgp 1
 distribute-list 1 in
```
BGP table on R1:
```
R1(config-router)#do clear ip bgp * s
R1(config-router)#do sh ip bgp
BGP table version is 80, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 23.75.18.0/24    2.2.2.2                                0 11151 i
*> 23.75.19.0/24    2.2.2.2                                0 11151 i
*> 23.75.20.0/24    2.2.2.2                                0 11151 i
*> 23.75.21.0/24    2.2.2.2                                0 11151 i
*> 23.75.22.0/24    2.2.2.2                                0 11151 i
*> 23.75.23.0/24    2.2.2.2                                0 11151 i
*> 23.75.24.0/24    2.2.2.2                                0 11151 i
*> 23.75.25.0/24    2.2.2.2                                0 11151 i
*> 23.75.26.0/24    2.2.2.2                                0 11151 i
```
The routes in 189.168.0.0/16 have been filtered out.

Routes can also be filtered per neighbor with the neighbor command:
R1
```
access-list 2 permit 189.168.56.0 0.0.1.255
access-list 2 permit 189.168.58.0 0.0.1.255
router bgp 1
 nei 4.4.4.4 distribute-list 2 in
end
```
State of the BGP table on R1:
```
R1(config-router)#do clear ip bgp * s
R1(config-router)#do sh ip bgp
BGP table version is 82, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 20.1.1.0/24      2.2.2.2                  0             0 11151 i
*> 20.1.2.0/24      2.2.2.2                  0             0 11151 i
*> 20.1.3.0/24      2.2.2.2                  0             0 11151 i
*> 20.1.4.0/24      2.2.2.2                  0             0 11151 i
*> 20.1.5.0/24      2.2.2.2                  0             0 11151 i
*> 23.75.18.0/24    2.2.2.2                                0 11151 i
*> 23.75.19.0/24    2.2.2.2                                0 11151 i
*> 23.75.20.0/24    2.2.2.2                                0 11151 i
*> 23.75.21.0/24    2.2.2.2                                0 11151 i
*> 23.75.22.0/24    2.2.2.2                                0 11151 i
*> 23.75.23.0/24    2.2.2.2                                0 11151 i
*> 23.75.24.0/24    2.2.2.2                                0 11151 i
*> 23.75.25.0/24    2.2.2.2                                0 11151 i
*> 23.75.26.0/24    2.2.2.2                                0 11151 i
*> 189.168.56.0/23  4.4.4.4                  0             0 654 i
*> 189.168.58.0/23  4.4.4.4                  0             0 654 i
```

3. Route filtering with prefix-list

Filter routes on R2 so that the 20.1.1.0/24 network is advertised to R1.

R2
```
ip prefix FILTER seq 10 permit 20.1.0.0/16 le 24
router bgp 11151
 nei 1.1.1.1 prefix-list FILTER out
end
```
State of the BGP table on R1:
```
R1(config)#do clear ip bgp * s
R1(config)#do sh ip bgp
BGP table version is 188, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 20.1.1.0/24      2.2.2.2                  0             0 11151 i
*> 20.1.2.0/24      2.2.2.2                  0             0 11151 i
*> 20.1.3.0/24      2.2.2.2                  0             0 11151 i
*> 20.1.4.0/24      2.2.2.2                  0             0 11151 i
*> 20.1.5.0/24      2.2.2.2                  0             0 11151 i
```
(Routes advertised by 4.4.4.4 are omitted.)

4. Route filtering with route-map

Filter routes on R1 so that only the 189.168.56.0/23, 189.168.68.0/23 and 189.168.86.0/23 networks are advertised to R2.

R1
```
access-list 1 permit 189.168.56.0 0.0.1.255
access-list 1 permit 189.168.68.0 0.0.1.255
access-list 1 permit 189.168.86.0 0.0.1.255
route-map FILTER permit 10
 match ip ad 1
router bgp 1
 nei 2.2.2.2 route-map FILTER out
end
```
State of the BGP table on R2 before route filtering:
```
R2#sh ip bgp
BGP table version is 168, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 20.1.1.0/24      0.0.0.0                  0         32768 i
*> 20.1.2.0/24      0.0.0.0                  0         32768 i
*> 20.1.3.0/24      0.0.0.0                  0         32768 i
*> 20.1.4.0/24      0.0.0.0                  0         32768 i
*> 20.1.5.0/24      0.0.0.0                  0         32768 i
*> 23.75.18.0/24    3.3.3.3                  0             0 65001 i
*> 23.75.19.0/24    3.3.3.3                  0             0 65001 i
*> 23.75.20.0/24    3.3.3.3                  0             0 65001 i
*> 23.75.21.0/24    3.3.3.3                  0             0 65001 i
*> 23.75.22.0/24    3.3.3.3                  0             0 65001 i
*> 23.75.23.0/24    3.3.3.3                  0             0 65001 i
*> 23.75.24.0/24    3.3.3.3                  0             0 65001 i
*> 23.75.25.0/24    3.3.3.3                  0             0 65001 i
*> 23.75.26.0/24    3.3.3.3                  0             0 65001 i
*> 189.168.56.0/23  1.1.1.1                                0 1 654 i
*> 189.168.58.0/23  1.1.1.1                                0 1 654 i
*> 189.168.60.0/23  1.1.1.1                                0 1 654 i
   Network          Next Hop            Metric LocPrf Weight Path
*> 189.168.62.0/23  1.1.1.1                                0 1 654 i
*> 189.168.64.0/23  1.1.1.1                                0 1 654 i
*> 189.168.66.0/23  1.1.1.1                                0 1 654 i
*> 189.168.68.0/23  1.1.1.1                                0 1 654 i
*> 189.168.70.0/23  1.1.1.1                                0 1 654 i
*> 189.168.72.0/23  1.1.1.1                                0 1 654 i
*> 189.168.74.0/23  1.1.1.1                                0 1 654 i
*> 189.168.76.0/23  1.1.1.1                                0 1 654 i
*> 189.168.78.0/23  1.1.1.1                                0 1 654 i
*> 189.168.80.0/23  1.1.1.1                                0 1 654 i
*> 189.168.82.0/23  1.1.1.1                                0 1 654 i
*> 189.168.84.0/23  1.1.1.1                                0 1 654 i
*> 189.168.86.0/23  1.1.1.1                                0 1 654 i
*> 189.168.88.0/23  1.1.1.1                                0 1 654 i
```
State of the BGP table on R2 after route filtering:
```
R2#clear ip bgp * s
R2#sh ip bgp
BGP table version is 182, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 20.1.1.0/24      0.0.0.0                  0         32768 i
*> 20.1.2.0/24      0.0.0.0                  0         32768 i
*> 20.1.3.0/24      0.0.0.0                  0         32768 i
*> 20.1.4.0/24      0.0.0.0                  0         32768 i
*> 20.1.5.0/24      0.0.0.0                  0         32768 i
*> 23.75.18.0/24    3.3.3.3                  0             0 65001 i
*> 23.75.19.0/24    3.3.3.3                  0             0 65001 i
*> 23.75.20.0/24    3.3.3.3                  0             0 65001 i
*> 23.75.21.0/24    3.3.3.3                  0             0 65001 i
*> 23.75.22.0/24    3.3.3.3                  0             0 65001 i
*> 23.75.23.0/24    3.3.3.3                  0             0 65001 i
*> 23.75.24.0/24    3.3.3.3                  0             0 65001 i
*> 23.75.25.0/24    3.3.3.3                  0             0 65001 i
*> 23.75.26.0/24    3.3.3.3                  0             0 65001 i
*> 189.168.56.0/23  1.1.1.1                                0 1 654 i
*> 189.168.68.0/23  1.1.1.1                                0 1 654 i
*> 189.168.86.0/23  1.1.1.1                                0 1 654 i
```
Only the permitted routes are sent to R2.

route-map is very powerful and very flexible to use; it can be used not only for route filtering but also for routing policy. It was also used in the earlier article on BGP route aggregation. Later articles on BGP will cover the use of route-map step by step.

This article comes from the blog “穿过地狱去看海”; reproduction is not permitted. This article is from the 51CTO.COM technical blog.
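The matching rules behind steps 2 and 3, as an added example that is not part of the original post: a simplified Python model (not IOS code) of how the `le` bound on the `20.1.0.0/16` prefix-list entry decides which prefix lengths pass, and of how the standard ACLs used with distribute-list compare only the network address. The function names and the more-specific test prefixes are constructed for illustration.

```python
import ipaddress

def prefix_list_permits(entry, route, ge=None, le=None):
    """Model of one 'ip prefix-list NAME permit <entry> [ge n] [le n]' line."""
    net, rt = ipaddress.ip_network(entry), ipaddress.ip_network(route)
    if ge is None and le is None:
        lo = hi = net.prefixlen                 # no ge/le: exact length only
    else:
        lo = ge if ge is not None else net.prefixlen
        hi = le if le is not None else 32
    # The leading bits must match the entry and the length must fall in [lo, hi].
    return rt.subnet_of(net) and lo <= rt.prefixlen <= hi

def std_acl_permits(addr, wildcard, route):
    """Model of one 'access-list N permit <addr> <wildcard>' line used as a
    route filter: only the network address is compared, never the mask length."""
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    rt = int(ipaddress.ip_network(route).network_address)
    return (rt & care) == (int(ipaddress.ip_address(addr)) & care)

def filter_routes(routes, permits):
    """Keep routes matched by any permit line; the rest hit the implicit deny."""
    return [r for r in routes if any(p(r) for p in permits)]

# Constructed sample: the prefixes R2 holds in this lab.
R2_ROUTES = ([f"20.1.{i}.0/24" for i in range(1, 6)]
             + [f"23.75.{i}.0/24" for i in range(18, 27)])

def demo():
    le23 = filter_routes(R2_ROUTES, [lambda r: prefix_list_permits("20.1.0.0/16", r, le=23)])
    le24 = filter_routes(R2_ROUTES, [lambda r: prefix_list_permits("20.1.0.0/16", r, le=24)])
    # access-list 2 from step 2, tested against constructed more-specific prefixes.
    acl2 = [lambda r: std_acl_permits("189.168.56.0", "0.0.1.255", r),
            lambda r: std_acl_permits("189.168.58.0", "0.0.1.255", r)]
    candidates = ["189.168.56.0/23", "189.168.57.0/24",
                  "189.168.58.128/25", "189.168.60.0/23"]
    return le23, le24, filter_routes(candidates, acl2)

if __name__ == "__main__":
    for name, result in zip(("le 23", "le 24", "access-list 2"), demo()):
        print(f"{name}: {result}")
```

A bound of `le 23` passes none of the /24 routes, while `le 24` passes the five 20.1.x.0/24 prefixes; the ACL accepts any prefix length whose network address falls in the wildcard range, which an exact-length prefix-list entry would reject.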




cj231210

