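Wu Gang
Abstract: The Border Gateway Protocol (BGP) is suited to exchanging routing information among multiple autonomous systems (AS) and plays an important role in integrating and coordinating operations and management systems. Configuring route forwarding between multiple ASes and IBGP route synchronization commonly raises a number of problems. By building a multi-AS lab environment and applying route redistribution, internal neighbor configuration, setting the IBGP next hop, enabling route synchronization and route summarization in the BGP network, this paper presents solutions to these problems and verifies them.
Keywords: BGP; IBGP; autonomous system; route redistribution; route synchronization
CLC number: TP393.2 Document code: A Article ID: 1006-8228(2014)03-14-03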
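0 Introduction
BGP is suited to exchanging routing information between large autonomous systems. It is used in the following situations: an AS allows packets to transit it to reach other ASes; an AS has multiple connections to other ASes; traffic entering and leaving the AS must be controlled. The typical environment is an ISP [1].
The preconditions for BGP route selection are: the route is synchronized, it is loop-free, and its next hop is reachable (optimized).
BGP has many route selection criteria, which are evaluated in the following order of priority:
⑴ Prefer the highest local preference;
⑵ Prefer routes originated by the local router (next hop = 0.0.0.0);
⑶ Prefer the shortest AS path;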
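⑷ Prefer the lowest origin code (IGP
⑸ Prefer the lowest MED;
⑹ Prefer routes learned from an EBGP neighbor;
⑺ Prefer the route with the shortest path to the BGP next hop (as determined by IGP route selection);
⑻ Prefer the oldest route learned from an EBGP neighbor (oldest route: the neighbor's timer value is larger);
⑼ Prefer the lowest neighbor Router ID;
⑽ Prefer the lowest neighbor IP address (the address used in the BGP neighbor configuration) [1].
1 Lab environment
A lab environment is used to verify BGP configuration, synchronization between IBGP and the IGP, and forwarding between and transit through ASes, as shown in Figure 1.
Figure 1 BGP system topology
The lab environment in Figure 1 contains three autonomous systems. AS65100 contains three routers, R2, R3 and R4; R2 and R4 form an IBGP neighbor relationship, and all three routers run OSPF as the interior gateway protocol (IGP). To simplify route summarization and reduce the number of route entries exchanged between ASes, the address ranges planned inside AS65100 can be summarized as 60.100.0.0/16.
R1 and R2 are border gateways of two different autonomous systems and form an EBGP neighbor relationship; R4 and R5 are border gateways of two different autonomous systems and form an EBGP neighbor relationship.
2 Device configuration command sequences and their functions
2.1 R1 configuration
interface Loopback0
ip address 60.202.11.1 255.255.255.0
interface FastEthernet0/0
ip address 60.200.12.1 255.255.255.0
router bgp 65202
synchronization
!! Advertise the network segments inside this AS; do not advertise the inter-AS link segment
network 60.202.11.0 mask 255.255.255.0
neighbor 60.200.12.2 remote-as 65100
no auto-summary
!! [3]
2.2 R2 configuration
interface FastEthernet0/0
ip address 60.100.23.2 255.255.255.0
interface FastEthernet0/1
ip address 60.200.12.2 255.255.255.0
!! AS65100 uses OSPF as its internal routing protocol
router ospf 1
!! To keep the routes propagated by EBGP synchronized with IBGP, the EBGP routes must be redistributed into OSPF.
redistribute bgp 65100 metric 1000 subnets
network 60.100.23.0 0.0.0.255 area 0
!
router bgp 65100
bgp log-neighbor-changes
neighbor 60.100.34.4 remote-as 65100
neighbor 60.200.12.1 remote-as 65202
!! IBGP preserves the next hop of a route entry, so the next hop an IBGP neighbor receives is the external AS gateway, which it cannot reach. The router therefore tells its IBGP neighbor that the next hop of EBGP routes is itself, which makes the route entries reachable.
neighbor 60.100.34.4 next-hop-self
no auto-summary
!! Enable synchronization to prevent routing black holes
synchronization
!! Advertise one summarized network to external ASes
network 60.100.0.0 mask 255.255.0.0
!! A matching summary route must be created in the IGP table; otherwise the network command cannot advertise the summary route [2].
ip route 60.100.0.0 255.255.0.0 Null0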
2.3 R3 configuration
interface FastEthernet0/0
ip address 60.100.34.3 255.255.255.0
interface FastEthernet0/1
ip address 60.100.23.3 255.255.255.0
router ospf 1
network 60.100.23.0 0.0.0.255 area 0
network 60.100.34.0 0.0.0.255 area 0
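R3 does not need to run BGP to form a full mesh of IBGP neighbor relationships. BGP runs over TCP, and its sessions can be carried by IGP routing, so it is sufficient for the border gateways of the AS to form IBGP neighbor relationships with each other.
2.4 R4 configuration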
interface FastEthernet0/0
ip address 60.100.34.4 255.255.255.0
interface FastEthernet0/1
ip address 60.201.45.4 255.255.255.0
router ospf 1
log-adjacency-changes
redistribute bgp 65100 metric 1000 subnets
network 60.100.34.0 0.0.0.255 area 0
router bgp 65100
bgp log-neighbor-changes
neighbor 60.100.23.2 remote-as 65100
neighbor 60.201.45.5 remote-as 65203
neighbor 60.100.23.2 next-hop-self
no auto-summary
synchronization
network 60.100.0.0 mask 255.255.0.0
ip route 60.100.0.0 255.255.0.0 Null0
2.5 R5 configuration
interface Loopback0
ip address 60.203.55.5 255.255.255.0
interface FastEthernet0/0
ip address 60.201.45.5 255.255.255.0
router bgp 65203
synchronization
network 60.203.55.0 mask 255.255.255.0
neighbor 60.201.45.4 remote-as 65100
no auto-summary
3 Output of the experiment
3.1 R4 output
TCP connections shown on R4:
R4#show tcp brief
TCB Local Address Foreign Address (state)
66702968 60.100.34.4.179 60.100.23.2.45640 ESTAB
675625E0 60.201.45.4.46746 60.201.45.5.179 ESTAB
This shows that BGP has established its connections over TCP port 179.
BGP neighbor information shown on R4:
R4#show ip bgp neighbor
BGP neighbor is 60.100.23.2, remote AS 65100, internal link
BGP version 4, remote router ID 60.200.12.2
BGP state=Established, up for 00:41:03
BGP neighbor is 60.201.45.5, remote AS 65203, external link
BGP version 4, remote router ID 60.203.55.5
BGP state=Established, up for 00:41:06
Both the IBGP neighbor and the EBGP neighbor have been established.
Neighbor summary:
R4#show ip bgp summary
BGP router identifier 60.201.45.4, local AS number 65100
BGP table version is 5, main routing table version 5
3 network entries using 360 bytes of memory
4 path entries using 208 bytes of memory
5/3 BGP path/bestpath attribute entries using 620 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
60.100.23.2 4 65100 51 51 5 0 0 00:45:05 2
60.201.45.5 4 65203 49 49 5 0 0 00:44:56 1
The BGP table:
R4#show ip bgp
BGP table version is 5, local router ID is 60.201.45.4
Status codes: s suppressed, d damped, h history,
* valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* i60.100.0.0/16 60.100.23.2 0 100 0 i
*> 0.0.0.0 0 32768 i
r>i60.202.11.0/24 60.100.23.2 0 100 0 65202 i
*> 60.203.55.0/24 60.201.45.5 0 0 65203 i
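In the entry r>i60.202.11.0/24, "r" indicates that the IGP route was selected and the BGP route failed to be installed in the routing table, but ">" indicates that it is the best route and can still be advertised to external EBGP neighbors. The "i" that follows indicates that the route was received over IBGP [4].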
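The selection order listed in the introduction, applied to the two paths R4 holds for 60.100.0.0/16 in the BGP table above. This is an added example, not code from the paper: it follows the ten listed steps literally, so it ignores the Cisco Weight column and compares MED unconditionally, and the Path class, its field names and the default local preference of 100 for a blank LocPrf column are assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

ORIGIN = {"i": 0, "e": 1, "?": 2}   # origin codes from the table legend: IGP < EGP < incomplete
STEPS = ["local preference", "locally originated", "AS-path length", "origin code", "MED",
         "EBGP over IBGP", "IGP metric to next hop", "oldest EBGP route",
         "neighbor router ID", "neighbor address"]

@dataclass
class Path:                          # hypothetical container for one BGP table row
    next_hop: str
    neighbor: str = "0.0.0.0"        # peer address; 0.0.0.0 for a locally originated path
    router_id: str = "0.0.0.0"
    local_pref: int = 100            # assumed default when the LocPrf column is blank
    as_path: tuple = ()
    origin: str = "i"
    med: int = 0
    ebgp: bool = False
    igp_metric: int = 0
    age_s: int = 0

def rank(p):
    """One sort key per listed step; the smaller value wins at each step."""
    return (-p.local_pref,                    # (1) highest local preference
            p.next_hop != "0.0.0.0",          # (2) originated by this router
            len(p.as_path),                   # (3) shortest AS path
            ORIGIN[p.origin],                 # (4) lowest origin code
            p.med,                            # (5) lowest MED
            not p.ebgp,                       # (6) EBGP before IBGP
            p.igp_metric,                     # (7) nearest BGP next hop
            -p.age_s if p.ebgp else 0,        # (8) oldest route, EBGP only
            int(IPv4Address(p.router_id)),    # (9) lowest neighbor Router ID
            int(IPv4Address(p.neighbor)))     # (10) lowest neighbor address

def best_path(a, b):
    """Return (winner, name of the step that decided), or (a, 'tie')."""
    for step, x, y in zip(STEPS, rank(a), rank(b)):
        if x != y:
            return (a if x < y else b), step
    return a, "tie"

# R4's two paths for 60.100.0.0/16, taken from the show ip bgp output above.
via_r2 = Path(next_hop="60.100.23.2", neighbor="60.100.23.2", router_id="60.200.12.2")
local = Path(next_hop="0.0.0.0")
```

For these two paths the decision falls at step 2, which matches the *> marker on the 0.0.0.0 row.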
R4#show ip route
60.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
O 60.100.23.0/24 [110/20] via 60.100.34.3, 00:49:10,
FastEthernet0/0
S 60.100.0.0/16 is directly connected, Null0
C 60.100.34.0/24 is directly connected, FastEthernet0/0
B 60.203.55.0/24 [20/0] via 60.201.45.5, 00:48:29
C 60.201.45.0/24 is directly connected, FastEthernet0/1
O E2 60.202.11.0/24 [110/1000] via 60.100.34.3, 00:49:10,
FastEthernet0/0
R4#
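A cross-check of the two R4 outputs above, confirming for each best path which routing source actually holds the prefix in the routing table, so that an r> entry can be told apart from a prefix that is missing altogether. This is an added example, not code from the paper; the function names and verdict strings are assumptions, and the sample text is the R4 output from this page with its header lines omitted.

```python
import re
# R4 output copied from this page (header lines omitted, spacing as shown there).
SHOW_IP_BGP = """\
* i60.100.0.0/16 60.100.23.2 0 100 0 i
*> 0.0.0.0 0 32768 i
r>i60.202.11.0/24 60.100.23.2 0 100 0 65202 i
*> 60.203.55.0/24 60.201.45.5 0 0 65203 i
"""
SHOW_IP_ROUTE = """\
O 60.100.23.0/24 [110/20] via 60.100.34.3, 00:49:10,
FastEthernet0/0
S 60.100.0.0/16 is directly connected, Null0
C 60.100.34.0/24 is directly connected, FastEthernet0/0
B 60.203.55.0/24 [20/0] via 60.201.45.5, 00:48:29
C 60.201.45.0/24 is directly connected, FastEthernet0/1
O E2 60.202.11.0/24 [110/1000] via 60.100.34.3, 00:49:10,
FastEthernet0/0
"""

def parse_bgp(text):
    """Yield (prefix, flags, next_hop); a row without a prefix continues the previous one."""
    prefix = None
    for flags, rest in re.findall(r"^([^0-9\n]*)(\d.*)$", text, re.M):
        tok = rest.split()
        if "/" in tok[0]:
            prefix, tok = tok[0], tok[1:]
        yield prefix, flags.replace(" ", ""), tok[0]

def parse_rib(text):
    """Map prefix -> route code ('O E2', 'B', 'C', ...); wrapped interface lines are skipped."""
    rows = re.findall(r"^(\S+(?: E\d)?) (\d+\.\d+\.\d+\.\d+/\d+) ", text, re.M)
    return {prefix: code for code, prefix in rows}

def check_best_paths(bgp_text, rib_text):
    """For each best path ('>'), report which source owns the prefix in the routing table."""
    rib, report = parse_rib(rib_text), {}
    for prefix, flags, next_hop in parse_bgp(bgp_text):
        if ">" not in flags:
            continue
        owner = rib.get(prefix, "missing")
        if "r" in flags:      # RIB-failure: another source won the routing-table slot
            report[prefix] = f"RIB-failure: {owner} route used instead"
        elif next_hop == "0.0.0.0":
            report[prefix] = f"locally originated from {owner} route"
        else:
            report[prefix] = "installed as BGP route" if owner == "B" else "inconsistent"
    return report
```

A verdict of "RIB-failure: missing route used instead" or "inconsistent" would mean the two outputs disagree and the redistribution into OSPF should be checked.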
3.2 R1 output
R1#show ip bgp
Network Next Hop Metric LocPrf Weight Path
*>60.100.0.0/16 60.200.12.2 0 0 65100 i
*>60.202.11.0/24 0.0.0.0 0 32768 i
*>60.203.55.0/24 60.200.12.2 0 65100 65203 i
R1#show ip route
60.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
B 60.100.0.0/16 [20/0] via 60.200.12.2, 01:01:53
B 60.203.55.0/24 [20/0] via 60.200.12.2, 01:00:25
C 60.200.12.0/24 is directly connected, FastEthernet0/0
C 60.202.11.0/24 is directly connected, Loopback0
R1#ping 60.203.55.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 60.203.55.5,
timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
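By default, when R1 pings a network in AS65203 it uses the physical interface address 60.200.12.1 as the source. The other two ASes have no route entry for this network, and there is no need to advertise this inter-AS link segment, so the ping fails.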
R1#ping 60.203.55.5 source 60.202.11.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 60.203.55.5,
timeout is 2 seconds:
Packet sent with a source address of 60.202.11.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max
=172/258/332 ms
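The source address specified with source belongs to a network inside AS65202, which BGP advertises externally. The other two ASes have a BGP route for it, so the ping succeeds.
3.3 R2 output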
R2#show ip bgp
Network Next Hop Metric LocPrf Weight Path
* i60.100.0.0/16 60.100.34.4 0 100 0 i
*> 0.0.0.0 0 32768 i
*> 60.202.11.0/24 60.200.12.1 0 0 65202 i
r>i60.203.55.0/24 60.100.34.4 0 100 0 65203 i
Both EBGP routes are obtained.
R2#show ip route
60.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C 60.100.23.0/24 is directly connected, FastEthernet0/0
S 60.100.0.0/16 is directly connected, Null0
O 60.100.34.0/24 [110/20] via 60.100.23.3, 01:02:29,
FastEthernet0/0
O E2 60.203.55.0/24 [110/1000] via 60.100.23.3,
01:01:36, FastEthernet0/0
C 60.200.12.0/24 is directly connected, FastEthernet0/1
B 60.202.11.0/24 [20/0] via 60.200.12.1, 01:03:04
R2#
3.4 R3 output
R3#show ip route
60.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C 60.100.23.0/24 is directly connected, FastEthernet0/1
O E2 60.100.0.0/16 [110/1000] via 60.100.34.4, 01:04:22,
FastEthernet0/0
[110/1000] via 60.100.23.2, 01:04:22, FastEthernet0/1
C 60.100.34.0/24 is directly connected, FastEthernet0/0
O E2 60.203.55.0/24 [110/1000] via 60.100.34.4,
01:03:30, FastEthernet0/0
O E2 60.202.11.0/24 [110/1000] via 60.100.23.2,
01:04:22, FastEthernet0/1
R3#
3.5 R5 output
R5#show ip bgp
Network Next Hop Metric LocPrf Weight Path
*> 60.100.0.0/16 60.201.45.4 0 0 65100 i
*> 60.202.11.0/24 60.201.45.4 0 65100 65202 i
*> 60.203.55.0/24 0.0.0.0 0 32768 i
The route information for AS65202 is received normally and installed in the routing table.
R5#show ip route
B 60.100.0.0/16 [20/0] via 60.201.45.4, 01:04:56
C 60.203.55.0/24 is directly connected, Loopback0
C 60.201.45.0/24 is directly connected, FastEthernet0/0
B 60.202.11.0/24 [20/0] via 60.201.45.4, 01:04:56
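4 Conclusion
The multi-AS BGP routing configuration presented in this paper solves the following problems: synchronization between the IGP and IBGP inside an AS; route forwarding between ASes; and ping reachability of the internal networks of each AS. Because different BGP autonomous systems may belong to different operators, route forwarding needs to be controlled and filtered, and different autonomous systems also need to authenticate each other. Techniques such as flexible path control through the various attributes, and solutions to BGP routing black holes, remain to be studied and verified further.
References:
[1] Cheng Qingmei. Building Advanced Routed Internetworks [M]. China Machine Press, 2012.
[2] Cheng Qingmei. Building Advanced Routed Internetworks: Lab Manual [M]. China Machine Press, 2012.
[3] Si Taozhi. Routing Protocols and Switching Technology [M]. Tsinghua University Press, 2012.
[4] Pang Ling. Vulnerabilities of the BGP protocol on border routers [J]. Computer Systems & Applications, 2013, 22(1): 157-161.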