如何应用AS_Path Filter和Community Filter实现BGP路由控制(BGP高级特性|网路学习)
AS_Path Filter
AS_Path Filter是将BGP中的AS_Path属性作为匹配条件的过滤器,利用BGP路由携带的AS_Path列表对路由进行过滤。
在不希望接受某些AS的路由时,可以利用AS_Path Filter对携带这些AS号的路由进行过滤,从而实现拒绝某些路由。
AS_Path属性是BGP的公认必遵属性,所有的BGP路由都必须携带该属性。这个属性记录了BGP路由在传递过程中所经历过的所有AS的号码。AS_Path属性值可以是0个,1个或多个AS号码的集合。
路由选择工具-常用的正则表达式
| 表达式 | 含义 |
|---|---|
| ^$ | 表示本地AS始发 |
| .* | 表示所用 |
| 10 | 表示必须经过AS10 |
| ^10_ | 表示只接受来自AS10的路由 |
| _10$ | 从AS10始发的所有路由 |
组网背景
组网需求
配置各接口的IP地址,配置EBGP
查看AS20区域的路由器发布的路由表,从AS20到AS30的路由表可看出,AS20内的路由发布了AS10引入的真连路由:
[Huawei]display bgp routing-table peer 10.0.13.3 advertised-routes
BGP Local router ID is 2.2.2.2
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 4
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 9.1.1.0/24 10.0.13.2 0 20 10?
*> 10.0.12.0/24 10.0.13.2 0 0 20?
*> 10.0.13.0/24 10.0.13.2 0 0 20?
*> 10.2.2.0/24 10.0.13.2 0 20 30?查看AS30的路由表,AS30的路由器也通过AS20路由器学到了这条路由
[Huawei-bgp]display bgp routing-table
BGP Local router ID is 3.3.3.3
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 9
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 9.1.1.0/24 10.0.13.2 0 20 10?
*> 10.0.12.0/24 10.0.13.2 0 0 20?
*> 10.0.13.0/24 0.0.0.0 0 0 ?
10.0.13.2 0 0 20?
*> 10.0.13.3/32 0.0.0.0 0 0 ?
*> 10.2.2.0/24 0.0.0.0 0 0 ?
*> 10.2.2.2/32 0.0.0.0 0 0 ?
*> 127.0.0.0 0.0.0.0 0 0 ?
*> 127.0.0.1/32 0.0.0.0 0 0 ?在AS20路由器上配置AS_Path过滤器,并在出方向上应用该过滤器。
创建编号为1的AS_Path过滤器,拒绝包含AS号30的路由通过。
ip as-path-filter path-filter1 deny _30_
ip as-path-filter path-filter1 permit .*创建编号为2的AS_Path过滤器,拒绝包含AS号10的路由通过。
ip as-path-filter path-filter2 deny _10_
ip as-path-filter path-filter2 permit .*分别在RouterB的两个出方向上应用AS_Path过滤器。
bgp 20
peer 10.0.12.1 as-path-filter path-filter1 export
peer 10.0.13.3 as-path-filter path-filter2 export到此路由过滤就完成了,现在看看AS10和AS30的路由表。
查看AS20发往AS30的发布路由表,可以看到表中没有AS20发不的AS10引入的直连路由。
[Huawei]dis bgp routing-table peer 10.0.13.3 advertised-routes
BGP Local router ID is 2.2.2.2
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 2
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 10.0.12.0/24 10.0.13.2 0 0 20?
*> 10.0.13.0/24 10.0.13.2 0 0 20?当然,AS30的BGP路由表里也没有这些路由。
<Huawei>dis bgp routing-table
BGP Local router ID is 3.3.3.3
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 8
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 10.0.12.0/24 10.0.13.2 0 0 20?
*> 10.0.13.0/24 0.0.0.0 0 0 ?
10.0.13.2 0 0 20?
*> 10.0.13.3/32 0.0.0.0 0 0 ?
*> 10.2.2.0/24 0.0.0.0 0 0 ?
*> 10.2.2.2/32 0.0.0.0 0 0 ?
*> 127.0.0.0 0.0.0.0 0 0 ?
*> 127.0.0.1/32 0.0.0.0 0 0 ?查看AS20发往AS10的发布路由表,可以看到表中没有AS20发不的AS10引入的直连路由。
<Huawei>dis bgp routing-table peer 10.0.12.1 advertised-routes
BGP Local router ID is 2.2.2.2
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 2
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 10.0.12.0/24 10.0.12.2 0 0 20?
*> 10.0.13.0/24 10.0.12.2 0 0 20?同样,AS10的BGP路由表里也没有这些路由。
<Huawei>display bgp routing-table
BGP Local router ID is 1.1.1.1
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 8
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 9.1.1.0/24 0.0.0.0 0 0 ?
*> 9.1.1.1/32 0.0.0.0 0 0 ?
*> 10.0.12.0/24 0.0.0.0 0 0 ?
10.0.12.2 0 0 20?
*> 10.0.12.1/32 0.0.0.0 0 0 ?
*> 10.0.13.0/24 10.0.12.2 0 0 20?
*> 127.0.0.0 0.0.0.0 0 0 ?
*> 127.0.0.1/32 0.0.0.0 0 0 ?配置文件
AS20
[V200R003C00]
#
interface GigabitEthernet0/0/0
ip address 10.0.12.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 10.0.13.2 255.255.255.0
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
bgp 20
router-id 2.2.2.2
peer 10.0.12.1 as-number 10
peer 10.0.13.2 as-number 30
peer 10.0.13.3 as-number 30
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.0.12.1 enable
peer 10.0.12.1 as-path-filter path-filter1 export
peer 10.0.13.2 enable
peer 10.0.13.3 enable
peer 10.0.13.3 as-path-filter path-filter2 export
#
ip as-path-filter path-filter1 deny _30_
ip as-path-filter path-filter1 permit .*
ip as-path-filter path-filter2 deny _10_
ip as-path-filter path-filter2 permit .*
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
returnAS10
[V200R003C00]
#
interface GigabitEthernet0/0/0
ip address 10.0.12.1 255.255.255.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
interface LoopBack0
ip address 9.1.1.1 255.255.255.0
#
bgp 10
router-id 1.1.1.1
peer 10.0.12.2 as-number 20
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.0.12.2 enable
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
returnAS30
[V200R003C00]
interface GigabitEthernet0/0/0
ip address 200.1.3.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
bgp 30
router-id 3.3.3.3
peer 200.1.3.1 as-number 20
#
ipv4-family unicast
undo synchronization
import-route direct
peer 200.1.3.1 enable
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
returnCommunity Filter
Community Filter与Community属性配合使用,可以在不便使用IP Prefix List和AS_Path Filter时,降低路由管理难度。
团体属性过滤器有两种类型:
基本Community Filter。匹配团体号或公认Community属性。
高级Community Filter。使用正则表达式匹配团体号。
Community属性为可选过渡属性,可以标识具有相同特征的路由,而不用考虑零散路由前缀和繁多的AS号。即可以将某些路由分配特定的Community属性值,之后就可以基于Community值而不是网络号/掩码来匹配路由并执行相应的路由策略。
Community属性
公认Community属性
| 团体属性名称 | 团体属性号 | 说明 |
|---|---|---|
| Internet | 0 (0x00000000) | 设备在收到具有此属性的路由后,可以向任何BGP对等体发送该路由。 |
| No Advertise | 4294967042 (0xFFFFFF02) | 设备收到具有此属性的路由后,将不向任何BGP对等体发送该路由。 |
| No Export | 4294967041 (0xFFFFFF01) | 设备收到具有此属性的路由后,将不向外发送该路由。 |
| No_Export_Subconfed | 4294967043(0xFFFFFF03 | 设备收到具有此属性的路由后,将不向AS外发送该路由。如果使用了联盟,也不向联盟内其他子AS发布此路由。 |
Community属性格式:
一个Community属性值的长度为32 bit,可使用两种形式呈现:
- 十进制整数格式。
- AA:NN格式,其中AA表示AS号,NN是自定义的编号
网络拓扑
网络拓扑
R1上部署路由策略为路由添加Community属性,并允许将Community属性传给EBGP对等体R2。
[R1] ip ip-prefix 1 permit 10.1.1.1 32
[R1] route-policy Community permit node 10
[R1-route-policy] if-match ip-prefix 1
[R1-route-policy] apply community 101:1
[R1-route-policy] quit
[R1] route-policy Community permit node 20
[R1-route-policy] quit
[R1] bgp 101
[R1-bgp] peer 10.0.12.2 as-number 102
[R1-bgp] peer 10.0.12.2 route-policy Community export
[R1-bgp] peer 10.0.12.2 advertise-community
[R1-bgp] network 10.1.1.1 32
[R1-bgp] network 10.1.2.2 32R2配置允许将团体属性传给EBGP对等体R3。
[R2] ip ip-prefix 1 permit 10.1.1.1 32
[R2] route-policy Community permit node 10
[R2-route-policy] if-match ip-prefix 1
[R2-route-policy] apply community no-expert additive
[R2-route-policy] quit
[R2] route-policy Community permit node 20
[R2-route-policy] quit
[R2] bgp 102
[R2-bgp] peer 10.0.12.1 as-number 101
[R2-bgp] peer 10.0.23.3 as-number 102
[R2-bgp] peer 10.0.23.3 advertise-community
[R2-bgp] peer 10.0.23.3 route-policy Community export在R3上查看BGP路由信息。
<Huawei>dis bgp routing-table 10.1.1.1
BGP local router ID : 3.3.3.3
Local AS number : 103
Paths: 1 available, 1 best, 1 select
BGP routing table entry information of 10.1.1.1/32:
From: 10.0.23.2 (2.2.2.2)
Route Duration: 00h00m13s
Direct Out-interface: GigabitEthernet0/0/0
Original nexthop: 10.0.23.2
Qos information : 0x0
Community:<101:1>, no-export
AS-path 102 101, origin igp, pref-val 0, valid, external, best, select, active,
pre 255
Not advertised to any peer yetR2传递路由给EBGP对等体R3,在R2上部署路由策略,过滤掉携带101:1的Community属性值的路由。
配置Community Filter,匹配Community中包含101:1的路由。
[R2] ip community-filter 1 permit 101:1调用Community Filter。
[R2] route-policy Community deny node 10
[R2-route-policy] if-match community-filter 1
[R2-route-policy] quit
[R2] route-policy Community permit node 20
[R2-route-policy] quit
[R2] bgp 102
[R2-bgp] peer 10.0.23.3 route-policy Community export查看R2的Community Filter信息。
[Huawei]dis ip community-filter 1
Community filter Number: 1
permit 101:1查看R2的BGP路由信息。
[Huawei]dis bgp routing-table 10.1.1.1
BGP local router ID : 2.2.2.2
Local AS number : 102
Paths: 1 available, 1 best, 1 select
BGP routing table entry information of 10.1.1.1/32:
From: 10.0.12.1 (1.1.1.1)
Route Duration: 00h22m13s
Direct Out-interface: GigabitEthernet0/0/0
Original nexthop: 10.0.12.1
Qos information : 0x0
Community:<101:1>
AS-path 101, origin igp, MED 0, pref-val 0, valid, external, best, select, acti
ve, pre 255
Not advertised to any peer yet查看R3的路由表项。
<Huawei>dis bgp routing-table
BGP Local router ID is 3.3.3.3
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 6
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 10.0.12.0/24 10.0.23.2 0 0 102?
*> 10.0.23.0/24 0.0.0.0 0 0 ?
10.0.23.2 0 0 102?
*> 10.0.23.3/32 0.0.0.0 0 0 ?
*> 127.0.0.0 0.0.0.0 0 0 ?
*> 127.0.0.1/32 0.0.0.0 0 0 ?R3接收不到10.1.1.1/32的BGP路由信息。
微信
支付宝本作品采用 知识共享署名-相同方式共享 4.0 国际许可协议 进行许可。