This example was configured and verified on an F1090 running software version R8660P33.
As shown in the figure below, all devices run BGP. Device A and Device B must establish an EBGP connection, and Device B and Device C must establish an IBGP connection, so that Device C can reach the 8.1.1.0/24 network directly connected to Device A.
Figure 1 Network diagram for basic BGP configuration
Configure IP addresses for the interfaces and IPv4 addresses for the Loopback interfaces. (Details not shown.)
Assign the interfaces of Device B to the security zones planned in the network diagram.
<DeviceB> system-view
[DeviceB] security-zone name untrust
[DeviceB-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceB-security-zone-Untrust] quit
[DeviceB] security-zone name trust
[DeviceB-security-zone-Trust] import interface gigabitethernet 1/0/2
[DeviceB-security-zone-Trust] quit
Configure security policies
Configure security policy rules to permit traffic between the Untrust and Local security zones, so that Device A and Device B can establish the EBGP session. The session terminates on Device B itself, which is why these rules are written against the Local zone rather than Trust. Note that, as written, the rules admit BGP from any address in the Untrust zone to Device B's BGP port; on a production device, restrict the source of the inbound rule to the peer address.
# Configure a security policy rule named ebgplocalin, so that Device B can receive BGP packets from Device A.
[DeviceB] security-policy ip
[DeviceB-security-policy-ip] rule name ebgplocalin
[DeviceB-security-policy-ip-0-ebgplocalin] source-zone untrust
[DeviceB-security-policy-ip-0-ebgplocalin] destination-zone local
[DeviceB-security-policy-ip-0-ebgplocalin] service bgp
[DeviceB-security-policy-ip-0-ebgplocalin] action pass
[DeviceB-security-policy-ip-0-ebgplocalin] quit
# Configure a security policy rule named ebgplocalout, so that Device B can send BGP packets to Device A.
[DeviceB-security-policy-ip] rule name ebgplocalout
[DeviceB-security-policy-ip-1-ebgplocalout] source-zone local
[DeviceB-security-policy-ip-1-ebgplocalout] destination-zone untrust
[DeviceB-security-policy-ip-1-ebgplocalout] service bgp
[DeviceB-security-policy-ip-1-ebgplocalout] action pass
[DeviceB-security-policy-ip-1-ebgplocalout] quit
Configure security policy rules to permit traffic between the Local and Trust security zones, so that Device B and Device C can establish the IBGP session. OSPF must be permitted as well, because the IBGP session is built between Loopback interfaces whose routes are learned through OSPF.
# Configure a security policy rule named bgplocalout, so that Device B can send BGP and OSPF packets to Device C.
[DeviceB-security-policy-ip] rule name bgplocalout
[DeviceB-security-policy-ip-2-bgplocalout] source-zone local
[DeviceB-security-policy-ip-2-bgplocalout] destination-zone trust
[DeviceB-security-policy-ip-2-bgplocalout] service bgp
[DeviceB-security-policy-ip-2-bgplocalout] service ospf
[DeviceB-security-policy-ip-2-bgplocalout] action pass
[DeviceB-security-policy-ip-2-bgplocalout] quit
# Configure a security policy rule named bgplocalin, so that Device B can receive BGP and OSPF packets from Device C.
[DeviceB-security-policy-ip] rule name bgplocalin
[DeviceB-security-policy-ip-3-bgplocalin] source-zone trust
[DeviceB-security-policy-ip-3-bgplocalin] destination-zone local
[DeviceB-security-policy-ip-3-bgplocalin] service bgp
[DeviceB-security-policy-ip-3-bgplocalin] service ospf
[DeviceB-security-policy-ip-3-bgplocalin] action pass
[DeviceB-security-policy-ip-3-bgplocalin] quit
Configure a security policy rule to permit traffic from the Trust security zone to the Untrust security zone, so that Device C can reach the 8.1.1.0/24 network directly connected to Device A. The rule is scoped to source 9.1.1.0/24 and destination 8.1.1.0/24: traffic from other sources (for example Device C's Loopback address 3.3.3.3) or to other destinations is not permitted, and no rule permits connections initiated from Untrust into Trust.
# Configure a security policy rule named trust-untrust, so that traffic from 9.1.1.0/24 in the Trust zone to 8.1.1.0/24 in the Untrust zone is permitted.
[DeviceB-security-policy-ip] rule name trust-untrust
[DeviceB-security-policy-ip-4-trust-untrust] source-zone trust
[DeviceB-security-policy-ip-4-trust-untrust] destination-zone untrust
[DeviceB-security-policy-ip-4-trust-untrust] source-ip-subnet 9.1.1.0 24
[DeviceB-security-policy-ip-4-trust-untrust] destination-ip-subnet 8.1.1.0 24
[DeviceB-security-policy-ip-4-trust-untrust] action pass
[DeviceB-security-policy-ip-4-trust-untrust] quit
[DeviceB-security-policy-ip] quit
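The five rules above form an ordered, default-deny policy. The following Python, added here and not part of the H3C configuration guide, models that evaluation so the intended and the blocked flows can be checked offline before the rules are committed to the firewall. Zone membership follows the network diagram: Device B's own addresses are the Local zone, 3.1.1.0/24 and the BGP-learned 8.1.1.0/24 are reached via GigabitEthernet1/0/1 (Untrust), 9.1.1.0/24 and the OSPF-learned 3.3.3.3/32 via GigabitEthernet1/0/2 (Trust). The stateful session handling of the real firewall, which lets the replies of a permitted flow back through, is deliberately not modelled, and the HARDENED_RULES variant that pins ebgplocalin to the peer address 3.1.1.2 is this example's suggestion, not a rule from the page.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List

# Device B's own addresses form the Local zone (values taken from the configuration above).
LOCAL_ADDRESSES = {"3.1.1.1", "9.1.1.1", "2.2.2.2"}
# Every other address is placed in the zone of the interface its route points out of.
# The prefixes are disjoint, so a first-match lookup is sufficient.
PREFIX_ZONES = {
    "3.1.1.0/24": "untrust",
    "8.1.1.0/24": "untrust",
    "9.1.1.0/24": "trust",
    "3.3.3.3/32": "trust",
}


def _in_any(ip: str, subnets: List[str]) -> bool:
    addr = ip_address(ip)
    return any(addr in ip_network(s) for s in subnets)


def zone_of(ip: str) -> str:
    """Zone of an address as Device B sees it; 'none' if no route points anywhere."""
    if ip in LOCAL_ADDRESSES:
        return "local"
    for prefix, zone in PREFIX_ZONES.items():
        if ip_address(ip) in ip_network(prefix):
            return zone
    return "none"


@dataclass
class Rule:
    name: str
    action: str                      # "pass" or "drop"
    source_zone: str
    destination_zone: str
    services: List[str] = field(default_factory=list)             # empty = any service
    source_subnets: List[str] = field(default_factory=list)       # empty = any source
    destination_subnets: List[str] = field(default_factory=list)  # empty = any destination

    def matches(self, src_ip: str, dst_ip: str, service: str) -> bool:
        if zone_of(src_ip) != self.source_zone or zone_of(dst_ip) != self.destination_zone:
            return False
        if self.services and service not in self.services:
            return False
        if self.source_subnets and not _in_any(src_ip, self.source_subnets):
            return False
        if self.destination_subnets and not _in_any(dst_ip, self.destination_subnets):
            return False
        return True


# The five rules exactly as configured on Device B, in rule-ID order.
DEVICE_B_RULES = [
    Rule("ebgplocalin", "pass", "untrust", "local", ["bgp"]),
    Rule("ebgplocalout", "pass", "local", "untrust", ["bgp"]),
    Rule("bgplocalout", "pass", "local", "trust", ["bgp", "ospf"]),
    Rule("bgplocalin", "pass", "trust", "local", ["bgp", "ospf"]),
    Rule("trust-untrust", "pass", "trust", "untrust", [], ["9.1.1.0/24"], ["8.1.1.0/24"]),
]

# Assumed hardening (not on the page): only the configured EBGP peer may open BGP to Device B.
HARDENED_RULES = [
    Rule("ebgplocalin", "pass", "untrust", "local", ["bgp"], source_subnets=["3.1.1.2/32"]),
] + DEVICE_B_RULES[1:]


def decide(rules: List[Rule], src_ip: str, dst_ip: str, service: str) -> str:
    """Rules are evaluated in order and the first match wins; no match is the implicit deny."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, service):
            return rule.action
    return "drop"


if __name__ == "__main__":
    flows = [
        ("3.1.1.2", "3.1.1.1", "bgp"),    # EBGP open from Device A: pass
        ("3.1.1.2", "3.1.1.1", "ospf"),   # OSPF from Untrust: drop
        ("3.3.3.3", "2.2.2.2", "bgp"),    # IBGP open from Device C's Loopback0: pass
        ("9.1.1.2", "8.1.1.1", "icmp"),   # the ping in this example: pass
        ("3.3.3.3", "8.1.1.1", "icmp"),   # same ping sourced from Loopback0: drop
        ("9.1.1.2", "3.1.1.2", "icmp"),   # Trust to the link address of Device A: drop
        ("8.1.1.1", "9.1.1.2", "icmp"),   # connection initiated from Untrust into Trust: drop
        ("3.1.1.99", "3.1.1.1", "bgp"),   # rogue host in Untrust: pass here, drop when hardened
    ]
    for src, dst, svc in flows:
        print(f"{src:>9} -> {dst:<9} {svc:<5} page:{decide(DEVICE_B_RULES, src, dst, svc):<5}"
              f" hardened:{decide(HARDENED_RULES, src, dst, svc)}")
```

Running the block prints one line per flow. The two checks worth keeping are the last ones: with the page's rules, any host able to inject packets into the Untrust zone can reach Device B's BGP port, whereas the hardened rule admits only the configured EBGP peer, and a ping sourced from Device C's Loopback0 (3.3.3.3) is dropped because trust-untrust matches 9.1.1.0/24 only.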
Configure the IBGP connection
To avoid route flapping caused by unstable physical port states, this example establishes the IBGP peer relationship between Loopback interfaces.
Because a Loopback interface is not the interface that physically connects the two peers, the peer connect-interface command must be used to make the Loopback interface the source interface of the BGP connection.
Within AS 65009, OSPF is used to ensure that Device B and Device C can reach each other's Loopback interface.
# Configure Device B.
[DeviceB] bgp 65009
[DeviceB-bgp-default] router-id 2.2.2.2
[DeviceB-bgp-default] peer 3.3.3.3 as-number 65009
[DeviceB-bgp-default] peer 3.3.3.3 connect-interface loopback 0
[DeviceB-bgp-default] address-family ipv4 unicast
[DeviceB-bgp-default-ipv4] peer 3.3.3.3 enable
[DeviceB-bgp-default-ipv4] quit
[DeviceB-bgp-default] quit
[DeviceB] ospf 1
[DeviceB-ospf-1] area 0
[DeviceB-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[DeviceB-ospf-1-area-0.0.0.0] network 9.1.1.0 0.0.0.255
[DeviceB-ospf-1-area-0.0.0.0] quit
[DeviceB-ospf-1] quit
# Configure Device C.
<DeviceC> system-view
[DeviceC] bgp 65009
[DeviceC-bgp-default] router-id 3.3.3.3
[DeviceC-bgp-default] peer 2.2.2.2 as-number 65009
[DeviceC-bgp-default] peer 2.2.2.2 connect-interface loopback 0
[DeviceC-bgp-default] address-family ipv4 unicast
[DeviceC-bgp-default-ipv4] peer 2.2.2.2 enable
[DeviceC-bgp-default-ipv4] quit
[DeviceC-bgp-default] quit
[DeviceC] ospf 1
[DeviceC-ospf-1] area 0
[DeviceC-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[DeviceC-ospf-1-area-0.0.0.0] network 9.1.1.0 0.0.0.255
[DeviceC-ospf-1-area-0.0.0.0] quit
[DeviceC-ospf-1] quit
# Display the BGP peer status on Device C.
[DeviceC] display bgp peer ipv4
BGP local router ID : 3.3.3.3
Local AS number : 65009
Total number of peers : 1 Peers in established state : 1
* - Dynamically created peer
Peer AS MsgRcvd MsgSent OutQ PrefRcv Up/Down State
2.2.2.2 65009 2 2 0 0 00:00:13 Established
The output shows that the IBGP connection between Device B and Device C has been established.
Configure the EBGP connection
The two devices in an EBGP peer relationship are in different ASs (typically operated by two different carriers), and the peer's Loopback interface is generally not reachable, so EBGP sessions are normally established between the addresses of the directly connected interfaces.
Because Device C must be able to reach the 8.1.1.0/24 network directly connected to Device A, the 8.1.1.0/24 route must be advertised into BGP on Device A once the EBGP connection is established.
# Configure Device A.
<DeviceA> system-view
[DeviceA] bgp 65008
[DeviceA-bgp-default] router-id 1.1.1.1
[DeviceA-bgp-default] peer 3.1.1.1 as-number 65009
[DeviceA-bgp-default] address-family ipv4 unicast
[DeviceA-bgp-default-ipv4] peer 3.1.1.1 enable
[DeviceA-bgp-default-ipv4] network 8.1.1.0 24
[DeviceA-bgp-default-ipv4] quit
[DeviceA-bgp-default] quit
# Configure Device B.
[DeviceB] bgp 65009
[DeviceB-bgp-default] peer 3.1.1.2 as-number 65008
[DeviceB-bgp-default] address-family ipv4 unicast
[DeviceB-bgp-default-ipv4] peer 3.1.1.2 enable
[DeviceB-bgp-default-ipv4] quit
[DeviceB-bgp-default] quit
# Display the BGP peer status on Device B.
[DeviceB] display bgp peer ipv4
BGP local router ID : 2.2.2.2
Local AS number : 65009
Total number of peers : 2 Peers in established state : 2
* - Dynamically created peer
Peer AS MsgRcvd MsgSent OutQ PrefRcv Up/Down State
3.3.3.3 65009 4 4 0 0 00:02:49 Established
3.1.1.2 65008 2 2 0 0 00:00:05 Established
The output shows that the BGP connections between Device B and Device C and between Device B and Device A have both been established.
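A practitioner verifying this on more than one device would script the check. The following Python, added here and not taken from the page, parses the display bgp peer ipv4 output shown above (the Device B capture is reproduced as constructed sample text, together with a constructed variant in which the EBGP session is stuck in Active state) and compares the peer table against the planned peer-to-AS map, reporting peers that are missing, in the wrong AS, not Established, or present without being planned. The column layout and state names follow the captures on this page; the Up/Down column format may differ on other Comware versions.

```python
import re
from typing import Dict, List

# Constructed sample: the 'display bgp peer ipv4' capture from Device B on this page.
DEVICE_B_PEERS = """\
BGP local router ID : 2.2.2.2
Local AS number : 65009
Total number of peers : 2 Peers in established state : 2
* - Dynamically created peer
Peer AS MsgRcvd MsgSent OutQ PrefRcv Up/Down State
3.3.3.3 65009 4 4 0 0 00:02:49 Established
3.1.1.2 65008 2 2 0 0 00:00:05 Established
"""

# Constructed variant: the EBGP session never comes up (for example because the
# ebgplocalin rule is missing and Device A's TCP 179 SYN is dropped by the default deny).
DEVICE_B_PEERS_BROKEN = DEVICE_B_PEERS.replace(
    "3.1.1.2 65008 2 2 0 0 00:00:05 Established",
    "3.1.1.2 65008 0 0 0 0 00:03:10 Active")

# One peer row: optional '*' for dynamic peers, IPv4 address, AS, four counters, uptime, state.
PEER_LINE = re.compile(
    r"^(?P<dyn>\*?)(?P<peer>\d+\.\d+\.\d+\.\d+)\s+(?P<asn>\d+)\s+(?P<rcvd>\d+)\s+(?P<sent>\d+)"
    r"\s+(?P<outq>\d+)\s+(?P<prefrcv>\d+)\s+(?P<updown>\S+)\s+(?P<state>\S+)\s*$")
LOCAL_AS = re.compile(r"^Local AS number\s*:\s*(\d+)")


def parse_bgp_peers(text: str) -> Dict:
    """Return {'local_as': int, 'peers': [{peer, asn, prefrcv, state, dynamic}, ...]}."""
    result = {"local_as": None, "peers": []}
    for line in text.splitlines():
        m = LOCAL_AS.match(line)
        if m:
            result["local_as"] = int(m.group(1))
            continue
        m = PEER_LINE.match(line)
        if m:
            result["peers"].append({
                "peer": m["peer"], "asn": int(m["asn"]), "prefrcv": int(m["prefrcv"]),
                "state": m["state"], "dynamic": m["dyn"] == "*"})
    return result


def check_peers(text: str, expected: Dict[str, int]) -> List[str]:
    """Compare the parsed peer table with the planned {peer_ip: remote_as} map.
    Returns a list of problems; an empty list means the session set is exactly as planned."""
    parsed = parse_bgp_peers(text)
    seen = {p["peer"]: p for p in parsed["peers"]}
    problems = []
    for ip, asn in expected.items():
        p = seen.get(ip)
        if p is None:
            problems.append(f"missing peer {ip}")
        elif p["asn"] != asn:
            problems.append(f"peer {ip} is in AS {p['asn']}, expected {asn}")
        elif p["state"] != "Established":
            problems.append(f"peer {ip} is {p['state']}, not Established")
    for ip, p in seen.items():
        if ip not in expected:
            kind = "IBGP" if p["asn"] == parsed["local_as"] else "EBGP"
            problems.append(f"unexpected {kind} peer {ip} (AS {p['asn']})")
    return problems


if __name__ == "__main__":
    planned = {"3.3.3.3": 65009, "3.1.1.2": 65008}
    print("as captured:", check_peers(DEVICE_B_PEERS, planned) or "OK")
    print("broken EBGP:", check_peers(DEVICE_B_PEERS_BROKEN, planned))
```

An unplanned peer is reported on purpose: BGP peers on Device B are statically configured, so a session the plan does not know about means the configuration has drifted from the design.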
# Display the BGP routing table on Device A.
[DeviceA] display bgp routing-table ipv4
Total number of routes: 1
BGP local router ID is 1.1.1.1
Status codes: * - valid, > - best, d - dampened, h - history,
s - suppressed, S - stale, i - internal, e - external
Origin: i - IGP, e - EGP, ? - incomplete
Network NextHop MED LocPrf PrefVal Path/Ogn
* > 8.1.1.0/24 8.1.1.1 0 32768 i
# Display the BGP routing table on Device B.
[DeviceB] display bgp routing-table ipv4
Total number of routes: 1
BGP local router ID is 2.2.2.2
Status codes: * - valid, > - best, d - dampened, h - history,
s - suppressed, S - stale, i - internal, e - external
Origin: i - IGP, e - EGP, ? - incomplete
Network NextHop MED LocPrf PrefVal Path/Ogn
* >e 8.1.1.0/24 3.1.1.2 0 0 65008i
# Display the BGP routing table on Device C.
[DeviceC] display bgp routing-table ipv4
Total number of routes: 1
BGP local router ID is 3.3.3.3
Status codes: * - valid, > - best, d - dampened, h - history,
s - suppressed, S - stale, i - internal, e - external
Origin: i - IGP, e - EGP, ? - incomplete
Network NextHop MED LocPrf PrefVal Path/Ogn
i 8.1.1.0/24 3.1.1.2 0 100 0 65008i
The routing tables show that Device A has not learned any route inside AS 65009 (Device B advertises nothing yet), and that Device C, although it has learned the 8.1.1.0/24 route from AS 65008, does not hold it as a valid route (no * flag): the next hop 3.1.1.2 is unreachable from Device C, because Device B keeps the EBGP next hop unchanged when it advertises the route to its IBGP peer, and the 3.1.1.0/24 link network is not advertised by OSPF.
Configure BGP to redistribute direct routes
# Configure Device B to redistribute direct routes into BGP, so that Device A obtains a route to 9.1.1.0/24 and Device C obtains a route to 3.1.1.0/24.
[DeviceB] bgp 65009
[DeviceB-bgp-default] address-family ipv4 unicast
[DeviceB-bgp-default-ipv4] import-route direct
[DeviceB-bgp-default-ipv4] quit
[DeviceB-bgp-default] quit
# Display the BGP routing table on Device A.
[DeviceA] display bgp routing-table ipv4
Total number of routes: 4
BGP local router ID is 1.1.1.1
Status codes: * - valid, > - best, d - dampened, h - history,
s - suppressed, S - stale, i - internal, e - external
Origin: i - IGP, e - EGP, ? - incomplete
Network NextHop MED LocPrf PrefVal Path/Ogn
* >e 2.2.2.2/32 3.1.1.1 0 0 65009?
* >e 3.1.1.0/24 3.1.1.1 0 0 65009?
* > 8.1.1.0/24 8.1.1.1 0 32768 i
* >e 9.1.1.0/24 3.1.1.1 0 0 65009?
The output shows that, after Device B redistributes its direct routes, Device A has three new routes, to 2.2.2.2/32, 3.1.1.0/24 and 9.1.1.0/24. The route to 9.1.1.0/24 is the one that lets Device A return traffic to Device C.
# Display the BGP routing table on Device C.
[DeviceC] display bgp routing-table ipv4
Total number of routes: 4
BGP local router ID is 3.3.3.3
Status codes: * - valid, > - best, d - dampened, h - history,
s - suppressed, S - stale, i - internal, e - external
Origin: i - IGP, e - EGP, ? - incomplete
Network NextHop MED LocPrf PrefVal Path/Ogn
* >i 2.2.2.2/32 2.2.2.2 0 100 0 ?
* >i 3.1.1.0/24 2.2.2.2 0 100 0 ?
* >i 8.1.1.0/24 3.1.1.2 0 100 0 65008i
* >i 9.1.1.0/24 2.2.2.2 0 100 0 ?
The output shows that the route to 8.1.1.0/24 has become valid, with Device A's address 3.1.1.2 as the next hop: the next hop now resolves through the 3.1.1.0/24 route that Device B redistributed.
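The change from the invalid route on Device C to the valid one is BGP next-hop resolution: a BGP route is usable only if its next hop resolves through the routing table, recursively through other valid BGP routes if necessary. The Python below, added here and not part of the page, reproduces that check against Device C's routes before and after Device B's import-route direct, using the prefixes from the routing-table displays above. Device C's non-BGP RIB is constructed from the configuration (9.1.1.0/24 and 3.3.3.3/32 direct, 2.2.2.2/32 learned from OSPF), and the best-path selection is not modelled, only validity.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed from the configuration above: what Device C's routing table holds from sources
# other than BGP. The 3.1.1.0/24 link between Device A and Device B is absent, because
# Device B's OSPF only covers 2.2.2.2/32 and 9.1.1.0/24.
DEVICE_C_RIB = {
    "9.1.1.0/24": "direct",
    "3.3.3.3/32": "direct",
    "2.2.2.2/32": "ospf",
}

# BGP routes on Device C as (prefix, next hop), from the two 'display bgp routing-table ipv4'
# captures: before and after Device B redistributes its direct routes. The EBGP route keeps
# its original next hop 3.1.1.2 when Device B passes it on to its IBGP peer.
BGP_BEFORE: List[Tuple[str, str]] = [("8.1.1.0/24", "3.1.1.2")]
BGP_AFTER: List[Tuple[str, str]] = [
    ("8.1.1.0/24", "3.1.1.2"),
    ("2.2.2.2/32", "2.2.2.2"),
    ("3.1.1.0/24", "2.2.2.2"),
    ("9.1.1.0/24", "2.2.2.2"),
]


def lpm(ip: str, prefixes: Iterable[str]) -> Optional[str]:
    """Longest-prefix match of ip against prefixes; None when nothing covers it."""
    addr = ip_address(ip)
    best = None
    for p in prefixes:
        net = ip_network(p)
        if addr in net and (best is None or net.prefixlen > ip_network(best).prefixlen):
            best = p
    return best


def validate_bgp_routes(bgp_routes: List[Tuple[str, str]], rib: Dict[str, str]) -> Dict[str, bool]:
    """Mark each BGP route valid (the '*' flag) if its next hop resolves through the non-BGP
    RIB or, recursively, through another BGP route that is itself valid. A route never
    resolves through itself. Iterates to a fixpoint, so the input order does not matter."""
    valid: Dict[str, bool] = {prefix: False for prefix, _ in bgp_routes}
    changed = True
    while changed:
        changed = False
        for prefix, next_hop in bgp_routes:
            if valid[prefix]:
                continue
            resolved_via = lpm(next_hop, rib)
            if resolved_via is None:
                resolved_via = lpm(next_hop, [p for p, ok in valid.items() if ok and p != prefix])
            if resolved_via is not None:
                valid[prefix] = True
                changed = True
    return valid


if __name__ == "__main__":
    for label, routes in (("before import-route direct", BGP_BEFORE),
                          ("after import-route direct", BGP_AFTER)):
        print(label)
        flags = validate_bgp_routes(routes, DEVICE_C_RIB)
        for prefix, next_hop in routes:
            print(f"  {'*' if flags[prefix] else ' '} {prefix:<12} via {next_hop}")
```

Before redistribution nothing covers 3.1.1.2, so 8.1.1.0/24 stays invalid; afterwards 3.1.1.0/24 (next hop 2.2.2.2, resolved by OSPF) becomes valid in the first pass and 8.1.1.0/24 resolves through it in the second. The alternative fix, not used on this page, is to have Device B rewrite the next hop of routes it sends to its IBGP peer (peer next-hop-local on Comware), which keeps the link prefix out of BGP altogether.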
# Use ping to verify that Device C can reach the 8.1.1.0/24 network directly connected to Device A.
[DeviceC] ping 8.1.1.1
Ping 8.1.1.1 (8.1.1.1): 56 data bytes, press CTRL+C to break
56 bytes from 8.1.1.1: icmp_seq=0 ttl=255 time=2.000 ms
56 bytes from 8.1.1.1: icmp_seq=1 ttl=255 time=0.000 ms
56 bytes from 8.1.1.1: icmp_seq=2 ttl=255 time=0.000 ms
56 bytes from 8.1.1.1: icmp_seq=3 ttl=255 time=0.000 ms
56 bytes from 8.1.1.1: icmp_seq=4 ttl=255 time=1.000 ms
--- Ping statistics for 8.1.1.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/0.600/2.000/0.800 ms
Configuration files
Device A:
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
interface GigabitEthernet1/0/1
port link-mode route
ip address 8.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-mode route
ip address 3.1.1.2 255.255.255.0
#
bgp 65008
router-id 1.1.1.1
peer 3.1.1.1 as-number 65009
#
address-family ipv4 unicast
network 8.1.1.0 255.255.255.0
peer 3.1.1.1 enable
#
Device B:
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 9.1.1.0 0.0.0.255
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
interface GigabitEthernet1/0/1
port link-mode route
ip address 3.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-mode route
ip address 9.1.1.1 255.255.255.0
#
security-zone name Trust
import interface GigabitEthernet1/0/2
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
#
bgp 65009
router-id 2.2.2.2
peer 3.1.1.2 as-number 65008
peer 3.3.3.3 as-number 65009
peer 3.3.3.3 connect-interface LoopBack0
#
address-family ipv4 unicast
import-route direct
peer 3.1.1.2 enable
peer 3.3.3.3 enable
#
security-policy ip
rule 0 name ebgplocalin
action pass
source-zone untrust
destination-zone local
service bgp
rule 1 name ebgplocalout
action pass
source-zone local
destination-zone untrust
service bgp
rule 2 name bgplocalout
action pass
source-zone local
destination-zone trust
service bgp
service ospf
rule 3 name bgplocalin
action pass
source-zone trust
destination-zone local
service bgp
service ospf
rule 4 name trust-untrust
action pass
source-zone trust
destination-zone untrust
source-ip-subnet 9.1.1.0 255.255.255.0
destination-ip-subnet 8.1.1.0 255.255.255.0
#
Device C:
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 9.1.1.0 0.0.0.255
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
interface GigabitEthernet1/0/1
port link-mode route
ip address 9.1.1.2 255.255.255.0
#
bgp 65009
router-id 3.3.3.3
peer 2.2.2.2 as-number 65009
peer 2.2.2.2 connect-interface LoopBack0
#
address-family ipv4 unicast
peer 2.2.2.2 enable