
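Huawei BGP Route AS_Path Filter Configuration Example
1. Networking Requirements
Figure 1 Networking diagram for the BGP route AS_Path filter example
As shown in Figure 1 above, EBGP connections are established between SwitchA and SwitchB, and between SwitchB and SwitchC. The user wants devices in AS10 and devices in AS30 to be unable to communicate with each other.
2. Configuration Roadmap
2.1. Configure EBGP connections between SwitchA and SwitchB and between SwitchB and SwitchC, and import direct routes, so that the ASs can communicate with each other over the EBGP connections.
2.2. Configure AS_Path filters on SwitchB and apply the filtering rules, so that AS20 does not advertise AS30's routes to AS10 and does not advertise AS10's routes to AS30.
3. Procedure
3.1. Configure the VLANs to which each interface belongs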
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
[SwitchA-GigabitEthernet1/0/2] quit
SwitchB and SwitchC are configured in the same way as SwitchA (omitted).
3.2. Configure the IP addresses of the VLANIF interfaces
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 10.0.1.1 24
[SwitchA-Vlanif10] quit
[SwitchA] interface vlanif 20
[SwitchA-Vlanif20] ip address 192.168.2.1 24
[SwitchA-Vlanif20] quit
SwitchB and SwitchC are configured in the same way as SwitchA (omitted).
3.3. Configure EBGP
# Configure SwitchA.
[SwitchA] bgp 10
[SwitchA-bgp] router-id 172.16.1.1
[SwitchA-bgp] peer 192.168.2.2 as-number 20
[SwitchA-bgp] import-route direct
[SwitchA-bgp] quit
# Configure SwitchB.
[SwitchB] bgp 20
[SwitchB-bgp] router-id 172.16.2.2
[SwitchB-bgp] peer 192.168.2.1 as-number 10
[SwitchB-bgp] peer 192.168.3.2 as-number 30
[SwitchB-bgp] import-route direct
[SwitchB-bgp] quit
# Configure SwitchC.
[SwitchC] bgp 30
[SwitchC-bgp] router-id 172.16.3.3
[SwitchC-bgp] peer 192.168.3.1 as-number 20
[SwitchC-bgp] import-route direct
[SwitchC-bgp] quit
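# View the routes advertised by SwitchB. Taking the routes that SwitchB advertises to SwitchC as an example, you can see that SwitchB advertises the direct routes imported by AS10: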
[SwitchB] display bgp routing-table peer 192.168.3.2 advertised-routes
BGP Local router ID is 172.16.2.2
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 4
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 10.0.1.0/24 192.168.3.1 0 20 10?
*> 10.1.1.0/24 192.168.3.1 0 20 30?
*> 192.168.2.0 192.168.3.1 0 0 20?
*> 192.168.3.0 192.168.3.1 0 0 20?
Similarly, viewing the routing table of SwitchC shows that SwitchC has also learned this route through SwitchB, as follows:
[SwitchC] display bgp routing-table
BGP Local router ID is 172.16.3.3
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 9
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 10.0.1.0/24 192.168.3.1 0 20 10?
*> 10.1.1.0/24 0.0.0.0 0 0 ?
*> 10.1.1.1/32 0.0.0.0 0 0 ?
*> 127.0.0.0 0.0.0.0 0 0 ?
*> 127.0.0.1/32 0.0.0.0 0 0 ?
*> 192.168.2.0 192.168.3.1 0 0 20?
*> 192.168.3.0 0.0.0.0 0 0 ?
192.168.3.1 0 0 20?
*> 192.168.3.2/32 0.0.0.0 0 0 ?
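3.4. Configure AS_Path filters on SwitchB and apply them in the outbound direction of SwitchB.
# Create AS_Path filter 1 (path-filter1) to deny routes that contain AS number 30 (the regular expression "_30_" denotes any AS list that contains AS30, and ".*" matches any characters).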
[SwitchB] ip as-path-filter path-filter1 deny _30_
[SwitchB] ip as-path-filter path-filter1 permit .*
# Create AS_Path filter 2 (path-filter2) to deny routes that contain AS number 10.
[SwitchB] ip as-path-filter path-filter2 deny _10_
[SwitchB] ip as-path-filter path-filter2 permit .*
# Apply the AS_Path filters in the two outbound directions of SwitchB.
[SwitchB] bgp 20
[SwitchB-bgp] peer 192.168.2.1 as-path-filter path-filter1 export
[SwitchB-bgp] peer 192.168.3.2 as-path-filter path-filter2 export
[SwitchB-bgp] quit
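The rule evaluation behind path-filter1 and path-filter2, as an added Python example that is not part of the original article or of Huawei's software. It assumes that "_" stands for a delimiter (start or end of the string, space, comma, brace or parenthesis), that rules are checked in order with the first match deciding, and that a path matching no rule is denied; the sample AS_Path strings are constructed.

```python
import re

# Assumed meaning of "_" in an AS_Path pattern: a delimiter, i.e. start or
# end of the string, a space, a comma, or a brace/parenthesis.
DELIM = r"(?:^|$|[ ,{}()])"


def to_python_regex(pattern):
    """Translate an AS_Path filter pattern to a Python regex (only "_" differs)."""
    return re.compile(pattern.replace("_", DELIM))


def evaluate(filter_rules, as_path):
    """Return 'permit' or 'deny' for an AS_Path string.

    Rules are checked in order and the first match decides. A path that
    matches no rule is denied, which is why each filter on the page ends
    with "permit .*".
    """
    for action, pattern in filter_rules:
        if to_python_regex(pattern).search(as_path):
            return action
    return "deny"


# The two filters configured on SwitchB, copied from the page.
PATH_FILTER1 = [("deny", "_30_"), ("permit", ".*")]  # export to 192.168.2.1 (AS10)
PATH_FILTER2 = [("deny", "_10_"), ("permit", ".*")]  # export to 192.168.3.2 (AS30)

# Constructed AS_Path strings; "" stands for a locally originated route.
SAMPLE_PATHS = ["", "10", "30", "65001 30 65002", "300", "130", "1030 20"]


def report(filter_rules, paths=SAMPLE_PATHS):
    """Map every sample path to the verdict the filter gives it."""
    return {p: evaluate(filter_rules, p) for p in paths}


if __name__ == "__main__":
    for name, rules in (("path-filter1", PATH_FILTER1), ("path-filter2", PATH_FILTER2)):
        for path, verdict in report(rules).items():
            print(f"{name}  AS_Path={path!r:18} -> {verdict}")
    # Contrast: without the "_" delimiters, "30" also hits AS300 and AS130.
    loose = [("deny", "30"), ("permit", ".*")]
    print("loose '30':", report(loose, ["300", "130"]))
```

The contrast at the end shows why the delimiters matter: a bare `30` would also drop routes whose path contains AS300 or AS130, while `_30_` only matches AS30 as a whole AS number.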
3.5. View the routes advertised by SwitchB.
View the routes that SwitchB advertises to AS30. The table no longer contains the direct routes imported by AS10.
[SwitchB] display bgp routing-table peer 192.168.3.2 advertised-routes
BGP Local router ID is 172.16.2.2
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 2
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 192.168.2.0 192.168.3.1 0 0 20?
*> 192.168.3.0 192.168.3.1 0 0 20?
Similarly, these routes are absent from the BGP routing table of SwitchC.
[SwitchC] display bgp routing-table
BGP Local router ID is 172.16.3.3
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 8
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 10.1.1.0/24 0.0.0.0 0 0 ?
*> 10.1.1.1/32 0.0.0.0 0 0 ?
*> 127.0.0.0 0.0.0.0 0 0 ?
*> 127.0.0.1/32 0.0.0.0 0 0 ?
*> 192.168.2.0 192.168.3.1 0 0 20?
*> 192.168.3.0 0.0.0.0 0 0 ?
192.168.3.1 0 0 20?
*> 192.168.3.2/32 0.0.0.0 0 0 ?
View the routes that SwitchB advertises to AS10. The table no longer contains the direct routes imported by AS30.
[SwitchB] display bgp routing-table peer 192.168.2.1 advertised-routes
BGP Local router ID is 172.16.2.2
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 2
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 192.168.2.0 192.168.2.2 0 0 20?
*> 192.168.3.0 192.168.2.2 0 0 20?
Similarly, these routes are absent from the BGP routing table of SwitchA.
[SwitchA] display bgp routing-table
BGP Local router ID is 172.16.1.1
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 8
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 10.0.1.0/24 0.0.0.0 0 0 ?
*> 10.0.1.1/32 0.0.0.0 0 0 ?
*> 127.0.0.0 0.0.0.0 0 0 ?
*> 127.0.0.1/32 0.0.0.0 0 0 ?
*> 192.168.2.0 0.0.0.0 0 0 ?
192.168.2.2 0 0 20?
*> 192.168.2.1/32 0.0.0.0 0 0 ?
*> 192.168.3.0 192.168.2.2 0 0 20?
4. Configuration Files
4.1. SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 20
#
interface Vlanif10
 ip address 10.0.1.1 255.255.255.0
#
interface Vlanif20
 ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 20
#
bgp 10
 router-id 172.16.1.1
 peer 192.168.2.2 as-number 20
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 192.168.2.2 enable
#
return
4.2. SwitchB configuration file
#
sysname SwitchB
#
vlan batch 20 30
#
interface Vlanif20
 ip address 192.168.2.2 255.255.255.0
#
interface Vlanif30
 ip address 192.168.3.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 30
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 20
#
bgp 20
 router-id 172.16.2.2
 peer 192.168.2.1 as-number 10
 peer 192.168.3.2 as-number 30
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 192.168.2.1 enable
  peer 192.168.2.1 as-path-filter path-filter1 export
  peer 192.168.3.2 enable
  peer 192.168.3.2 as-path-filter path-filter2 export
#
ip as-path-filter path-filter1 deny _30_
ip as-path-filter path-filter1 permit .*
ip as-path-filter path-filter2 deny _10_
ip as-path-filter path-filter2 permit .*
#
return
4.3. SwitchC configuration file
#
sysname SwitchC
#
vlan batch 30 40
#
interface Vlanif30
 ip address 192.168.3.2 255.255.255.0
#
interface Vlanif40
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 40
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 30
#
bgp 30
 router-id 172.16.3.3
 peer 192.168.3.1 as-number 20
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 192.168.3.1 enable
#
return



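Article URL: http://www.023wg.com/lypz/203.html
Copyright notice: Unless otherwise noted, all articles are original works of "Swiers思唯网络博客". Please retain the source of the article when reposting.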

