BGP
※ Peer State ※
State | Local | Remote |
---|---|---|
IDLE | Look up the neighbor in the routing table -> | |
CONNECT | Complete the 3-way handshake | Complete the 3-way handshake |
OPEN SENT | BGP OPEN -> | |
OPEN CONFIRM | BGP OPEN -> | <- BGP CONFIRM |
ESTABLISHED | Peer | Peer |
ACTIVE | BGP OPEN -> | No response |
※ Using a Loopback as the Peer Address ※
Because a loopback interface never goes down, peering BGP on the loopback address gives a stable session.
R2(config)#router bgp 65000
R2(config-router)#neighbor 1.1.1.1 remote-as 65000
R2(config-router)#neighbor 1.1.1.1 update-source lo0
※ eBGP Multihop ※
R3(config)#router bgp 65000
R3(config-router)# neighbor 5.5.5.5 remote as 65100
R3(config-router)# neighbor 5.5.5.5 ebgp-multihop 2
※ Peer Group ※
Used to simplify the BGP configuration.
Traditional BGP configuration:
router bgp 65000
neighbor 2.2.2.2 remote-as 65000
neighbor 2.2.2.2 password cisco
neighbor 2.2.2.2 update-source Loopback0
neighbor 3.3.3.3 remote-as 65000
neighbor 3.3.3.3 password cisco
neighbor 3.3.3.3 update-source Loopback0
neighbor 4.4.4.4 remote-as 65000
neighbor 4.4.4.4 password cisco
neighbor 4.4.4.4 update-source Loopback0
Peer Group BGP configuration:
router bgp 65000
neighbor iBGPnei peer-group
neighbor iBGPnei remote-as 65000
neighbor iBGPnei password cisco
neighbor iBGPnei update-source Loopback0
neighbor 2.2.2.2 peer-group iBGPnei
neighbor 3.3.3.3 peer-group iBGPnei
neighbor 4.4.4.4 peer-group iBGPnei
※ Advertising a Network ※
R6(config)#router bgp 65300
R6(config-router)#neighbor 5.5.5.5 remote-as 65100
R6(config-router)# network 6.6.6.6 mask 255.255.255.255
※ The next-hop-self Command ※
R3(config)#router bgp 65000
R3(config-router)#neighbor 1.1.1.1 remote-as 65000
R3(config-router)#neighbor 5.5.5.5 remote-as 65100
R3(config-router)#neighbor 1.1.1.1 next-hop-self
※ Synchronisation ※
R3(config)#router bgp 65000
R3(config-router)#neighbor 1.1.1.1 remote-as 65000
R3(config-router)#neighbor 5.5.5.5 remote-as 65100
R3(config)#router ospf 1
R3(config-router)#redistribute bgp 65000 subnets
※ Route Reflector ※
Routes learned from an iBGP peer are not forwarded to other iBGP peers, unless a Route Reflector is used.
R1(config)#router bgp 65000
R1(config-router)#neighbor 3.3.3.3 remote-as 65000
R1(config-router)#neighbor 2.2.2.2 remote-as 65000
R1(config-router)#neighbor 2.2.2.2 route-reflector-client
※ Confederation ※
R3(config)#router bgp 10
R3(config-router)#bgp confederation identifier 65000
R3(config-router)#bgp confederation peers 20
R3(config-router)#neighbor 1.1.1.1 remote-as 10
R3(config-router)#neighbor 2.2.2.2 remote-as 20
R3(config-router)#neighbor 5.5.5.5 remote-as 65100
※ Community ※
R3(config)#access-list 1 permit 1.1.1.0 0.0.0.255
R3(config)#route-map SetComm permit 10
R3(config-route-map)#match ip address 1
R3(config-route-map)#set community 1000
R5(config)#ip community-list 1 permit 1000
R5(config)#route-map SetLocal permit 10
R5(config-route-map)#match community 1
R5(config-route-map)#set local-preference 500
R5(config-router)#neighbor 3.3.3.3 route-map SetLocal in
R3(config)# access-list 1 permit 1.1.1.0 0.0.0.255
R3(config)# access-list 2 permit 2.2.2.0 0.0.0.255
R3(config)# access-list 3 permit 3.3.3.0 0.0.0.255
R3(config)# access-list 4 permit 4.4.4.0 0.0.0.255
R3(config)#route-map TuneComm permit 10
R3(config-route-map)#match ip address 1
R3(config-route-map)#set community no-advertise //no-advertise: not advertised to any peer
R3(config)#route-map TuneComm permit 20
R3(config-route-map)#match ip address 2
R3(config-route-map)#set community local-AS //local-AS: not advertised outside the local AS (confederation sub-AS)
R3(config)#route-map TuneComm permit 30
R3(config-route-map)#match ip address 3
R3(config-route-map)#set community no-export //no-export: not advertised to eBGP peers
R3(config)#route-map TuneComm permit 40
R3(config-route-map)#match ip address 4
R3(config-route-map)#set community internet //internet: advertised to all peers
R3(config-router)#neighbor 1.1.1.1 send-community
R3(config-router)#neighbor 1.1.1.1 route-map TuneComm out
R3(config-router)#neighbor 2.2.2.2 send-community
R3(config-router)#neighbor 2.2.2.2 route-map TuneComm out
※ Best Path Selection ※
0. Basic conditions
- Network (next hop) reachable
- AS Path does not contain the local AS
- Satisfies Synchronisation
1. Higher Weight (local)
R1(config)#router bgp 65000
R1(config-router)#neighbor 192.168.13.3 weight 1000
2. Higher Local Preference
R3(config)#ip access-list extended RouteMatch
R3(config-ext-nacl)#permit ip 6.6.6.0 0.0.0.255 any
R3(config)#route-map TuningLocPrf permit 10
R3(config-route-map)#match ip address RouteMatch
R3(config-route-map)#set local-preference 500
R3(config)#router bgp 65000
R3(config-router)#neighbor 192.168.35.5 route-map TuningLocPrf in
3. Locally Originated preferred
- Network
- Aggregate-address
- IGP Redistribute to BGP
Better than routes learned from elsewhere
4. Shorter AS Path
R4(config)#ip prefix-list MatchNetwork seq 5 permit 6.6.6.0/24
R4(config)#route-map TuningAsPath permit 10
R4(config-route-map)#match ip address prefix-list MatchNetwork
R4(config-route-map)#set as-path prepend 65200
R4(config)#router bgp 65200
R4(config-router)#neighbor 192.168.24.2 route-map TuningAsPath out
R4# clear ip bgp *
5. Origin Type (i > e > ?)
R4(config)#ip route 6.6.6.0 255.255.255.0 null 0
R4(config)#router bgp 65200
R4(config-router)#redistribute static
- i: Network
- i: Aggregate-address
- ?: IGP Redistribute to BGP
6. Lower MED (compared between paths from the same AS)
R4(config)#ip prefix-list MatchNetwork seq 5 permit 6.6.6.0/24
R4(config)#route-map TuningMetric permit 10
R4(config-route-map)#match ip address prefix-list MatchNetwork
R4(config-route-map)#set metric 100
R4(config)#router bgp 65100
R4(config-router)#neighbor 192.168.24.2 route-map TuningMetric out
7. eBGP over iBGP (when 1-6 tie, Multipath is possible)
8. Lower IGP metric to the next hop
9. Multipath
R1(config)#router bgp 65000
R1(config-router)#maximum-paths 3
R1#show ip route 6.6.6.0
192.168.15.5, traffic share count is 1
192.168.17.7, traffic share count is 1
192.168.14.4, traffic share count is 1
R1(config)#router bgp 65000
R1(config-router)#neighbor 192.168.15.5 dmzlink-bw
R1(config-router)#neighbor 192.168.17.7 dmzlink-bw
R1(config-router)#neighbor 192.168.14.4 dmzlink-bw
//share count is derived from the interface bandwidth
R1#show ip route 6.6.6.0
192.168.15.5, traffic share count is 37
192.168.17.7, traffic share count is 240
192.168.14.4, traffic share count is 240
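The tie-break order in steps 0-8 above as a small Python model, added here as an illustration and not part of the original notes. The Path fields, the local AS 65000 and the sample next hops are constructed; synchronisation is ignored and MED is compared across all paths, whereas a router compares MED only between paths from the same neighbouring AS.

```python
from dataclasses import dataclass

# Added example (not Cisco code): the best-path tie-breaks listed above, steps 0 to 8.
# Simplifications: synchronisation is ignored, and MED is compared between all paths.

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}   # i (network/aggregate) beats e beats ? (redistribute)

@dataclass
class Path:
    next_hop: str
    weight: int = 0                    # step 1: higher wins (local to this router)
    local_pref: int = 100              # step 2: higher wins (IOS default 100)
    locally_originated: bool = False   # step 3: network / aggregate / redistribute here
    as_path: tuple = ()                # step 4: shorter wins
    origin: str = "i"                  # step 5: i > e > ?
    med: int = 0                       # step 6: lower wins
    ebgp: bool = False                 # step 7: eBGP beats iBGP
    igp_metric: int = 0                # step 8: lower IGP metric to the next hop wins
    reachable: bool = True             # step 0: next hop must be reachable

def is_valid(path: Path, local_as: int) -> bool:
    """Step 0: drop unreachable next hops and paths that already contain our own AS."""
    return path.reachable and local_as not in path.as_path

def sort_key(path: Path):
    """One tuple element per tie-break, in order; the smallest tuple is the best path."""
    return (-path.weight, -path.local_pref, not path.locally_originated, len(path.as_path),
            ORIGIN_RANK[path.origin], path.med, not path.ebgp, path.igp_metric)

def best_path(paths, local_as=65000):
    """Return (winning Path, deciding step). Step 0: only one valid path; None: full tie (step 9)."""
    valid = [p for p in paths if is_valid(p, local_as)]
    if not valid:
        return None, None
    ranked = sorted(valid, key=sort_key)
    if len(ranked) == 1:
        return ranked[0], 0
    first, second = sort_key(ranked[0]), sort_key(ranked[1])
    step = next((i + 1 for i, (a, b) in enumerate(zip(first, second)) if a != b), None)
    return ranked[0], step

if __name__ == "__main__":
    # Constructed sample: two candidate paths to the same prefix; the weight of 1000 decides.
    via_r3 = Path("192.168.13.3", weight=1000, as_path=(65100, 65300))
    via_r5 = Path("192.168.35.5", local_pref=500, as_path=(65100, 65300))
    print(best_path([via_r3, via_r5]))
```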
※ Aggregate-Address ※
R2(config-router)#aggregate-address 10.0.0.0 255.255.254.0
R2(config-router)#aggregate-address 10.0.0.0 255.255.254.0 summary-only
R2(config)# ip prefix-list P1 seq 5 permit 10.0.1.0/24
R2(config)# route-map SUPP permit 10
R2(config-route-map)# match ip address prefix-list P1
R2(config-router)#aggregate-address 10.0.0.0 255.255.254.0 summary-only suppress-map SUPP
R2(config)# router bgp 65000
R2(config-router)#aggregate-address 10.0.0.0 255.255.254.0 summary-only as-set
R2(config)# ip prefix-list P1 seq 5 permit 10.0.0.0/24 //the specific routes whose attributes are pulled into the summary route
R2(config)# route-map ADV permit 10
R2(config-route-map)# match ip address prefix-list P1
R2(config)# router bgp 65012
R2(config-router)# aggregate-address 10.0.0.0 255.255.254.0 as-set advertise-map ADV
R2(config)# route-map ATTR permit 10
R2(config-route-map)# set metric 9999
R2(config-route-map)# set local-preference 999
R2(config-route-map)# set community internet
R2(config)# router bgp 65012
R2(config-router)# aggregate-address 10.0.0.0 255.255.254.0 as-set attribute-map ATTR
※ Route Injection ※
The opposite of aggregate-address: splits a large route into more specific routes.
R1(config)#ip prefix-list P24 permit 10.0.0.0/24
R1(config)#ip prefix-list P25 permit 10.0.0.0/25
R1(config)#ip prefix-list P25 permit 10.0.0.128/25
R1(config)#ip prefix-list PSOURCE permit 192.168.23.3/32
R1(config)#route-map EXIST permit 10
R1(config-route-map)#match ip address prefix-list P24
R1(config-route-map)#match ip route-source prefix-list PSOURCE
R1(config)#route-map INJECT permit 10
R1(config-route-map)#set ip address prefix-list P25
R1(config)#router bgp 60512
R1(config-router)#bgp inject-map INJECT exist-map EXIST //EXIST verifies that the summary route exists
※ Backdoor ※
Tells the router that this BGP route is only a backup path: do not prefer it, prefer the EIGRP/OSPF route first.
R1(config)# router bgp 65000
R1(config-router)# network 2.2.2.0 mask 255.255.255.0 backdoor
※ Dampening ※
Once dampening is enabled, each route update/withdraw adds 1000 to the penalty and each attribute change adds 500.
R1(config)#router bgp 65001
R1(config-router)#bgp dampening
R1(config-router)#bgp dampening 10 1000 2000 30 //Half-life, Reuse Penalty, Suppress Penalty, Max Suppress Time
R1#show ip bgp dampening parameters
Half-life time : 15mins //time for the penalty to halve
Max suppress penalty : 12000 //upper bound on the penalty
Suppress penalty : 2000 //above this value the route is no longer advertised
Decay Time : 2320 secs
Max suppress time : 60 mins //suppressed for at most 60 mins, after which it must be advertised again
Reuse penalty : 750 //below this value a suppressed route is advertised again
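A Python model of the penalty arithmetic behind the figures above, added as an illustration and not code from the original notes. The parameter values are the ones in the show output; the DampenedRoute class, its minute-based timing and the relation max-suppress-penalty = reuse * 2^(max-suppress-time / half-life) are my additions.

```python
import math

# Added example (not Cisco code): a model of the dampening figures shown above.
# Parameter values come from the 'show ip bgp dampening parameters' output.
HALF_LIFE_MIN, REUSE, SUPPRESS, MAX_SUPPRESS_MIN = 15, 750, 2000, 60
FLAP_PENALTY, ATTR_PENALTY = 1000, 500   # per update/withdraw, per attribute change

def max_suppress_penalty(half_life=HALF_LIFE_MIN, reuse=REUSE, max_suppress=MAX_SUPPRESS_MIN):
    """Penalty ceiling: the value that decays to 'reuse' in exactly max-suppress-time."""
    return reuse * 2 ** (max_suppress / half_life)

def decay(penalty, minutes, half_life=HALF_LIFE_MIN):
    """Exponential decay: the penalty halves once per half-life."""
    return penalty * 0.5 ** (minutes / half_life)

def minutes_until_reuse(penalty, half_life=HALF_LIFE_MIN, reuse=REUSE):
    """How long a route with this penalty stays suppressed, ignoring the max suppress timer."""
    return 0.0 if penalty <= reuse else half_life * math.log2(penalty / reuse)

class DampenedRoute:
    """Penalty bookkeeping for one prefix, in minutes of simulated time (constructed model)."""
    def __init__(self):
        self.penalty = 0.0
        self.suppressed = False
        self.suppressed_for = 0.0

    def flap(self, attribute_change=False):
        """Apply one penalty event; suppress once the penalty exceeds the suppress limit."""
        added = ATTR_PENALTY if attribute_change else FLAP_PENALTY
        self.penalty = min(self.penalty + added, max_suppress_penalty())
        if self.penalty > SUPPRESS:
            self.suppressed = True
        return self.suppressed

    def tick(self, minutes):
        """Let time pass; release the route below the reuse limit or at the max suppress time."""
        self.penalty = decay(self.penalty, minutes)
        if self.suppressed:
            self.suppressed_for += minutes
            if self.penalty < REUSE or self.suppressed_for >= MAX_SUPPRESS_MIN:
                self.suppressed, self.suppressed_for = False, 0.0
        return self.suppressed
```

Three flaps in quick succession reach a penalty of 3000, which takes two half-lives (30 minutes) to fall back to the reuse limit.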
※ Tips ※
neighbor 169.254.20.205 default-originate: gives the neighbour a B* 0.0.0.0 default route pointing at yourself.