BGP路由过滤实现原理

·掌握如何使用as-path-acl来过滤BGP路由。

·掌握如何使用ip-prefix来过滤BGP路由。

拓扑图：

过程：

IP地址配置：

[H3C]sys RTA

[RTA]int g0/0

[RTA-GigabitEthernet0/0]ip add 10.10.10.1 30

[RTA-GigabitEthernet0/0]int s1/0

[RTA-Serial1/0]ip add 10.10.20.1 30

[RTA-Serial1/0]int loop 0

[RTA-LoopBack0]ip add 1.1.1.1 32

[RTA-LoopBack0]qu

[H3C]sys RTB

[RTB]INT G0/0

[RTB-GigabitEthernet0/0]ip add 10.10.10.2 30

[RTB-GigabitEthernet0/0]int g0/1

[RTB-GigabitEthernet0/1]ip add 10.10.10.6 30

[RTB-GigabitEthernet0/1]int loop 0

[RTB-LoopBack0]ip add 2.2.2.2 32

[RTB-LoopBack0]qu

[H3C]sys RTC

[RTC]int g0/1

[RTC-GigabitEthernet0/1]ip add 10.10.10.5 30

[RTC-GigabitEthernet0/1]int g0/0

[RTC-GigabitEthernet0/0]ip add 10.10.10.9 30

[RTC-GigabitEthernet0/0]int loop 0

[RTC-LoopBack0]ip add 3.3.3.3 32

[RTC-LoopBack0]qu

[H3C]sys RTD

[RTD]INT G0/0

[RTD-GigabitEthernet0/0]ip add 10.10.10.10 30

[RTD-GigabitEthernet0/0]int s1/0

[RTD-Serial1/0]ip add 10.10.20.2 30

[RTD-Serial1/0]int loop0

[RTD-LoopBack0]ip add 4.4.4.4 32

[RTD-LoopBack0]qu

BGP基本配置：

[RTA]bgp 65000

[RTA-bgp]rou

[RTA-bgp]router-id 1.1.1.1

[RTA-bgp]imp

[RTA-bgp]peer 10.10.10.2 as

[RTA-bgp]peer 10.10.10.2 as-number 65002

[RTA-bgp]peer 10.10.20.2 as-number 65002

[RTA-bgp]add

[RTA-bgp]address-family ip

[RTA-bgp]address-family ipv4 un

[RTA-bgp]address-family ipv4 unicast

[RTA-bgp-ipv4]imp

[RTA-bgp-ipv4]import-route dir

[RTA-bgp-ipv4]import-route direct

[RTA-bgp-ipv4]peer 10.10.10.2 en

[RTA-bgp-ipv4]peer 10.10.20.2 en

[RTB]bgp 65002

[RTB-bgp]rou

[RTB-bgp]router-id 2.2.2.2

[RTB-bgp]peer 10.10.10.1 as

[RTB-bgp]peer 10.10.10.1 as-number 65000

[RTB-bgp]peer 10.10.10.5 as-number 65003

[RTB-bgp]add

[RTB-bgp]address-family ip

[RTB-bgp]address-family ipv4 un

[RTB-bgp]address-family ipv4 unicast

[RTB-bgp-ipv4]imp

[RTB-bgp-ipv4]import-route di

[RTB-bgp-ipv4]import-route direct

[RTB-bgp-ipv4]peer 10.10.10.1 en

[RTB-bgp-ipv4]peer 10.10.10.5 en

[RTC]bgp 65003

[RTC-bgp]rou

[RTC-bgp]router-id 3.3.3.3

[RTC-bgp]peer 10.10.10.6 as

[RTC-bgp]peer 10.10.10.6 as-number 65002

[RTC-bgp]peer 10.10.10.10 as-number 65002

[RTC-bgp-ipv4]address-family ipv4 un

[RTC-bgp-ipv4]imp

[RTC-bgp-ipv4]import-route di

[RTC-bgp-ipv4]import-route direct

[RTC-bgp-ipv4]peer 10.10.10.6 en

[RTC-bgp-ipv4]peer 10.10.10.10 en

[RTD]bgp 65002

[RTD-bgp]ro

[RTD-bgp]router-id 4.4.4.4

[RTD-bgp]peer

[RTD-bgp]peer 10.10.10.9 as

[RTD-bgp]peer 10.10.10.9 as-number 65003

[RTD-bgp]pe 10.10.20.1 as

[RTD-bgp]pe 10.10.20.1 as-number 65000

[RTD-bgp]peer

[RTD-bgp]add ipv4 un

[RTD-bgp-ipv4]imp

[RTD-bgp-ipv4]import-route dis

[RTD-bgp-ipv4]import-route die

[RTD-bgp-ipv4]import-route di

[RTD-bgp-ipv4]import-route direct

[RTD-bgp-ipv4]peer 10.10.10.9 en

[RTD-bgp-ipv4]peer 10.10.20.1 en

静态路由：

[RTA]ip route-static 10.10.10.4 30 10.10.10.2

[RTA]ip route-static 10.10.10.8 30 10.10.10.2

[RTB]ip route-static 10.10.10.8 30 10.10.10.5

[RTC]ip route-static 10.10.10.0 30 10.10.10.6

[RTD]ip route-static 10.10.10.0 30 10.10.10.9

[RTD]ip route-static 10.10.10.4 30 10.10.10.9

配置完成后RTA BGP邻居表：

[RTA]dis bgp peer ipv4

BGP local router ID: 1.1.1.1

Local AS number: 65000

Total number of peers: 2 Peers in established state: 2

* - Dynamically created peer

Peer AS MsgRcvd MsgSent OutQ PrefRcv Up/Down State

10.10.10.2 65002 12 14 0 5 00:04:40 Established

10.10.20.2 65002 11 13 0 6 00:03:11 Established

配置as-path-acl过滤路由：

配置之前RTA上的IP路由表里3.3.3.3/32和10.10.10.4/30的下一跳是10.10.10.2

[RTA]dis ip routing-table

Destinations : 23 Routes : 23

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

1.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

2.2.2.2/32 BGP 255 0 10.10.10.2 GE0/0

3.3.3.3/32 BGP 255 0 10.10.10.2 GE0/0

4.4.4.4/32 BGP 255 0 10.10.20.2 Ser1/0

10.10.10.0/30 Direct 0 0 10.10.10.1 GE0/0

10.10.10.0/32 Direct 0 0 10.10.10.1 GE0/0

10.10.10.1/32 Direct 0 0 127.0.0.1 InLoop0

10.10.10.3/32 Direct 0 0 10.10.10.1 GE0/0

10.10.10.4/30 Static 60 0 10.10.10.2 GE0/0

10.10.10.8/30 Static 60 0 10.10.10.2 GE0/0

10.10.20.0/30 Direct 0 0 10.10.20.1 Ser1/0

10.10.20.0/32 Direct 0 0 10.10.20.1 Ser1/0

10.10.20.1/32 Direct 0 0 127.0.0.1 InLoop0

10.10.20.2/32 Direct 0 0 10.10.20.2 Ser1/0

10.10.20.3/32 Direct 0 0 10.10.20.1 Ser1/0

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

过滤路由：

[RTB-bgp-ipv4]peer 10.10.10.1 as

[RTB-bgp-ipv4]peer 10.10.10.1 as-path-acl 2 imp

[RTB-bgp-ipv4]peer 10.10.10.1 as-path-acl 2 import

[RTB-bgp-ipv4]peer 10.10.10.5 as-path-acl 2 import

[RTB-bgp-ipv4]ip as

[RTB-bgp-ipv4]qu

[RTB-bgp]ip as

[RTB-bgp]qu

[RTB]ip as-path 2 deny 65003$

[RTB]ip as-path 2 permit .*

配置之后的RTA路由表

[RTA]dis ip routing-table

Destinations : 23 Routes : 23

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

1.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

2.2.2.2/32 BGP 255 0 10.10.10.2 GE0/0

3.3.3.3/32 BGP 255 0 10.10.20.2 Ser1/0

4.4.4.4/32 BGP 255 0 10.10.20.2 Ser1/0

10.10.10.0/30 Direct 0 0 10.10.10.1 GE0/0

10.10.10.0/32 Direct 0 0 10.10.10.1 GE0/0

10.10.10.1/32 Direct 0 0 127.0.0.1 InLoop0

10.10.10.3/32 Direct 0 0 10.10.10.1 GE0/0

10.10.10.4/30 Static 60 0 10.10.20.2 GE0/0

10.10.10.8/30 Static 60 0 10.10.10.2 GE0/0

10.10.20.0/30 Direct 0 0 10.10.20.1 Ser1/0

10.10.20.0/32 Direct 0 0 10.10.20.1 Ser1/0

10.10.20.1/32 Direct 0 0 127.0.0.1 InLoop0

10.10.20.2/32 Direct 0 0 10.10.20.2 Ser1/0

10.10.20.3/32 Direct 0 0 10.10.20.1 Ser1/0

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

可以看到3.3.3.3/32和10.10.10.4/30的路由下一跳变为10.10.20.2

配置ip-prefix过滤路由：

在RTA上配置过滤路由使RTD不向RTA发布4.4.4.4/32的路由

[RTA]ip prefix-list abc index 100 deny 4.4.4.4 32

配置完成后RTA的IP路由表和BGP路由表：

[RTA]dis ip routing-table

Destinations : 23 Routes : 23

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

1.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

2.2.2.2/32 BGP 255 0 10.10.10.2 GE0/0

3.3.3.3/32 BGP 255 0 10.10.20.2 Ser1/0

4.4.4.4/32 BGP 255 0 10.10.20.2 Ser1/0

10.10.10.0/30 Direct 0 0 10.10.10.1 GE0/0

10.10.10.0/32 Direct 0 0 10.10.10.1 GE0/0

10.10.10.1/32 Direct 0 0 127.0.0.1 InLoop0

10.10.10.3/32 Direct 0 0 10.10.10.1 GE0/0

10.10.10.4/30 Static 60 0 10.10.10.2 GE0/0

10.10.10.8/30 Static 60 0 10.10.10.2 GE0/0

10.10.20.0/30 Direct 0 0 10.10.20.1 Ser1/0

10.10.20.0/32 Direct 0 0 10.10.20.1 Ser1/0

10.10.20.1/32 Direct 0 0 127.0.0.1 InLoop0

10.10.20.2/32 Direct 0 0 10.10.20.2 Ser1/0

10.10.20.3/32 Direct 0 0 10.10.20.1 Ser1/0

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

[RTA]dis bgp routing-table ipv4

Total number of routes: 15

BGP local router ID is 1.1.1.1

Status codes: * - valid, > - best, d - dampened, h - history,

s - suppressed, S - stale, i - internal, e - external

Origin: i - IGP, e - EGP, ? - incomplete

Network NextHop MED LocPrf PrefVal Path/Ogn

* > 1.1.1.1/32 127.0.0.1 0 32768 ?

* >e 2.2.2.2/32 10.10.10.2 0 0 65002?

* >e 3.3.3.3/32 10.10.20.2 0 65002

65003?

* >e 4.4.4.4/32 10.10.20.2 0 0 65002?

* > 10.10.10.0/30 10.10.10.1 0 32768 ?

* e 10.10.10.2 0 0 65002?

* > 10.10.10.1/32 127.0.0.1 0 32768 ?

* >e 10.10.10.4/30 10.10.10.2 0 0 65002?

* e 10.10.20.2 0 65002

65003?

* >e 10.10.10.8/30 10.10.20.2 0 0 65002?

* > 10.10.20.0/30 10.10.20.1 0 32768 ?

* e 10.10.20.2 0 0 65002?

* > 10.10.20.1/32 127.0.0.1 0 32768 ?

* e 10.10.20.2 0 0 65002?

* > 10.10.20.2/32 10.10.20.2 0 32768 ?

此时RTB的IP路由表里已经没有4.4.4.4/32的路由了

[RTB]dis ip routing-table

Destinations : 21 Routes : 21

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

1.1.1.1/32 BGP 255 0 10.10.10.1 GE0/0

2.2.2.2/32 Direct 0 0 127.0.0.1 InLoop0

10.10.10.0/30 Direct 0 0 10.10.10.2 GE0/0

10.10.10.0/32 Direct 0 0 10.10.10.2 GE0/0

10.10.10.2/32 Direct 0 0 127.0.0.1 InLoop0

10.10.10.3/32 Direct 0 0 10.10.10.2 GE0/0

10.10.10.4/30 Direct 0 0 10.10.10.6 GE0/1

10.10.10.4/32 Direct 0 0 10.10.10.6 GE0/1

10.10.10.6/32 Direct 0 0 127.0.0.1 InLoop0

10.10.10.7/32 Direct 0 0 10.10.10.6 GE0/1

10.10.10.8/30 Static 60 0 10.10.10.5 GE0/1

10.10.20.0/30 BGP 255 0 10.10.10.1 GE0/0

10.10.20.2/32 BGP 255 0 10.10.10.1 GE0/0

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

路由器BGP配置：

RTA:

bgp 65000

router-id 1.1.1.1

peer 10.10.10.2 as-number 65002

peer 10.10.20.2 as-number 65002

address-family ipv4 unicast

import-route direct

peer 10.10.10.2 enable

peer 10.10.20.2 enable

ip prefix-list abc index 100 deny 4.4.4.4 32

ip route-static 10.10.10.4 30 10.10.10.2

ip route-static 10.10.10.8 30 10.10.10.2

RTB：

bgp 65002

router-id 2.2.2.2

peer 10.10.10.1 as-number 65000

peer 10.10.10.5 as-number 65003

address-family ipv4 unicast

import-route direct

peer 10.10.10.1 enable

peer 10.10.10.1 as-path-acl 2 import

peer 10.10.10.5 enable

peer 10.10.10.5 as-path-acl 2 import

ip as-path 2 deny 65003$

ip as-path 2 permit .*

ip route-static 10.10.10.8 30 10.10.10.5

RTC:

bgp 65003

router-id 3.3.3.3

peer 10.10.10.6 as-number 65002

peer 10.10.10.10 as-number 65002

address-family ipv4 unicast

import-route direct

peer 10.10.10.6 enable

peer 10.10.10.10 enable

ip route-static 10.10.10.0 30 10.10.10.6

RTD：

bgp 65002

router-id 4.4.4.4

peer 10.10.10.9 as-number 65003

peer 10.10.20.1 as-number 65000

address-family ipv4 unicast

import-route direct

peer 10.10.10.9 enable

peer 10.10.20.1 enable

ip route-static 10.10.10.0 30 10.10.10.9

ip route-static 10.10.10.4 30 10.10.10.9

BGP路由过滤实现原理

猜你喜欢