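Huawei BGP: multi-level RR, community attributes, and regular-expression use cases

1. Allow the OA and finance network segments of headquarters and the branches to reach each other

2. Allow the OA segments of the branches to reach each other

3. Prevent the finance segments of the branches from reaching each other

The configuration mainly uses custom BGP community attributes, level-1 and level-2 RR configuration, and BGP regular-expression matching rules.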

R1

router id 1.1.1.1 // global router ID, used by both OSPF and BGP

interface GigabitEthernet0/0/0

ip address 10.0.12.1 255.255.255.0

ospf enable 1 area 0.0.0.0

interface GigabitEthernet0/0/1

ip address 10.0.11.1 255.255.255.0

interface GigabitEthernet0/0/2

interface LoopBack0

ip address 1.1.1.1 255.255.255.255

ospf enable 1 area 0.0.0.0

bgp 65100

peer 10.0.11.2 as-number 65001

peer 10.0.11.2 password cipher admin

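peer 10.0.11.2 valid-ttl-hops 255 // enable the GTSM TTL check, for security (accepted TTL range is [255 - hops + 1, 255])

group ibgp internal // there are many IBGP peers, so a peer group saves effort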

peer ibgp connect-interface LoopBack0

peer 2.2.2.2 as-number 65100

peer 2.2.2.2 group ibgp

peer 4.4.4.4 as-number 65100

peer 4.4.4.4 group ibgp

ipv4-family unicast

undo synchronization

peer 10.0.11.2 enable

peer 10.0.11.2 route-policy finance export // apply the policy to routes advertised to the branch

peer 10.0.11.2 advertise-community // enable advertisement of the community attribute

peer ibgp enable

peer ibgp next-hop-local

peer ibgp advertise-community // enable advertisement of the community attribute

peer 2.2.2.2 enable

peer 2.2.2.2 group ibgp

peer 4.4.4.4 enable

peer 4.4.4.4 group ibgp

ospf 1

area 0.0.0.0

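route-policy finance permit node 10 // first match the OA routes by community and permit them

if-match community-filter oa

route-policy finance deny node 20 // then match the finance routes and deny them

if-match as-path-filter finance

route-policy finance permit node 30 // permit everything that did not match

ip as-path-filter finance permit 65002$ // regex: select the routes whose AS_PATH ends with (originates from) AS 65002

ip community-filter basic oa permit 65002:2 // select the OA routes that carry this community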

R2

router id 2.2.2.2

interface GigabitEthernet0/0/0

ip address 10.0.23.2 255.255.255.0

ospf enable 1 area 0.0.0.0

interface GigabitEthernet0/0/1

ip address 10.0.12.2 255.255.255.0

ospf enable 1 area 0.0.0.0

interface LoopBack0

ip address 2.2.2.2 255.255.255.255

ospf enable 1 area 0.0.0.0

bgp 65100

group ibgp internal

peer ibgp connect-interface LoopBack0

peer 1.1.1.1 as-number 65100

peer 1.1.1.1 group ibgp

peer 3.3.3.3 as-number 65100

peer 3.3.3.3 group ibgp

peer 4.4.4.4 as-number 65100

peer 4.4.4.4 group ibgp

peer 5.5.5.5 as-number 65100

peer 5.5.5.5 group ibgp

ipv4-family unicast

undo synchronization

reflector cluster-id 24.24.24.24 // identifies the level-2 RR

peer ibgp enable

peer ibgp reflect-client // reflect learned routes to all peers in the group

peer ibgp advertise-community // enable community advertisement to all IBGP peers

peer 1.1.1.1 enable

peer 1.1.1.1 group ibgp

peer 3.3.3.3 enable

peer 3.3.3.3 group ibgp

peer 4.4.4.4 enable

peer 4.4.4.4 group ibgp

peer 5.5.5.5 enable

peer 5.5.5.5 group ibgp

ospf 1

area 0.0.0.0

R3

router id 3.3.3.3

interface GigabitEthernet0/0/0

ip address 10.0.23.3 255.255.255.0

ospf enable 1 area 0.0.0.0

interface GigabitEthernet0/0/1

ip address 10.0.34.3 255.255.255.0

ospf enable 1 area 0.0.0.0

interface GigabitEthernet0/0/2

ip address 10.0.33.3 255.255.255.0

interface LoopBack0

ip address 3.3.3.3 255.255.255.255

ospf enable 1 area 0.0.0.0

bgp 65100

peer 10.0.33.1 as-number 65003

peer 10.0.33.1 password cipher admin

peer 10.0.33.1 valid-ttl-hops 255

group ibgp internal

peer ibgp connect-interface LoopBack0

peer 2.2.2.2 as-number 65100

peer 2.2.2.2 group ibgp

peer 4.4.4.4 as-number 65100

peer 4.4.4.4 group ibgp

ipv4-family unicast

undo synchronization

peer 10.0.33.1 enable

peer 10.0.33.1 advertise-community // enable advertisement of the BGP community attribute

peer ibgp enable

peer ibgp reflect-client

peer ibgp next-hop-local

peer ibgp advertise-community // enable advertisement of the BGP community attribute

peer 2.2.2.2 enable

peer 2.2.2.2 group ibgp

peer 4.4.4.4 enable

peer 4.4.4.4 group ibgp

ospf 1

area 0.0.0.0

R4

router id 4.4.4.4

interface GigabitEthernet0/0/0

ip address 10.0.34.4 255.255.255.0

ospf enable 1 area 0.0.0.0

interface GigabitEthernet0/0/1

ip address 10.0.45.4 255.255.255.0

ospf enable 1 area 0.0.0.0

interface LoopBack0

ip address 4.4.4.4 255.255.255.255

ospf enable 1 area 0.0.0.0

bgp 65100

group ibgp internal

peer ibgp connect-interface LoopBack0

peer 1.1.1.1 as-number 65100

peer 1.1.1.1 group ibgp

peer 2.2.2.2 as-number 65100

peer 2.2.2.2 group ibgp

peer 3.3.3.3 as-number 65100

peer 3.3.3.3 group ibgp

peer 5.5.5.5 as-number 65100

peer 5.5.5.5 group ibgp

ipv4-family unicast

undo synchronization

reflector cluster-id 24.24.24.24

peer ibgp enable

peer ibgp reflect-client

peer ibgp advertise-community

peer 1.1.1.1 enable

peer 1.1.1.1 group ibgp

peer 2.2.2.2 enable

peer 2.2.2.2 group ibgp

peer 3.3.3.3 enable

peer 3.3.3.3 group ibgp

peer 5.5.5.5 enable

peer 5.5.5.5 group ibgp

ospf 1

area 0.0.0.0

R5

router id 5.5.5.5

interface GigabitEthernet0/0/0

ip address 10.0.45.5 255.255.255.0

ospf enable 1 area 0.0.0.0

interface GigabitEthernet0/0/1

ip address 10.0.52.5 255.255.255.0

interface LoopBack0

ip address 5.5.5.5 255.255.255.255

ospf enable 1 area 0.0.0.0

bgp 65100

peer 10.0.52.2 as-number 65002

peer 10.0.52.2 password cipher % % ;^^:7p'wdXiw4.Pc;G9+<*7i% %

peer 10.0.52.2 valid-ttl-hops 255

group ibgp internal

peer ibgp connect-interface LoopBack0

peer 2.2.2.2 as-number 65100

peer 2.2.2.2 group ibgp

peer 4.4.4.4 as-number 65100

peer 4.4.4.4 group ibgp

ipv4-family unicast

undo synchronization

peer 10.0.52.2 enable

peer 10.0.52.2 route-policy finance export

peer 10.0.52.2 advertise-community

peer ibgp enable

peer ibgp next-hop-local

peer ibgp advertise-community

peer 2.2.2.2 enable

peer 2.2.2.2 group ibgp

peer 4.4.4.4 enable

peer 4.4.4.4 group ibgp

ospf 1

area 0.0.0.0

route-policy finance permit node 10

if-match community-filter oa

route-policy finance deny node 20

if-match as-path-filter finance

route-policy finance permit node 30

ip as-path-filter finance permit 65001$

ip community-filter basic oa permit 65001:1

SW1

interface Vlanif1

ip address 10.0.11.2 255.255.255.0

interface GigabitEthernet0/0/1

port link-type access

interface LoopBack0

ip address 11.1.1.1 255.255.255.0

interface LoopBack1

ip address 21.1.1.1 255.255.255.0

bgp 65001

peer 10.0.11.1 as-number 65100

peer 10.0.11.1 password cipher admin

ipv4-family unicast

undo synchronization

network 11.0.0.0

network 11.1.1.0 255.255.255.0

network 21.1.1.0 255.255.255.0

peer 10.0.11.1 enable

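peer 10.0.11.1 route-policy attr export // apply the policy to routes sent to the peer

peer 10.0.11.1 advertise-community // enable advertisement of the BGP community attribute

route-policy attr permit node 10 // match the OA network segment

if-match ip-prefix com

apply community 65001:1 // tag it with the community

route-policy attr permit node 20 // permit everything else

ip ip-prefix com index 10 permit 11.1.1.0 24 // prefix list that selects the OA network segment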

SW2

interface Vlanif1

ip address 10.0.52.2 255.255.255.0

interface MEth0/0/1

interface GigabitEthernet0/0/1

port link-type access

interface LoopBack0

ip address 22.1.1.1 255.255.255.0

interface LoopBack1

ip address 32.1.1.1 255.255.255.0

bgp 65002

peer 10.0.52.5 as-number 65100

peer 10.0.52.5 password cipher admin

ipv4-family unicast

undo synchronization

network 22.1.1.0 255.255.255.0

network 32.1.1.0 255.255.255.0

peer 10.0.52.5 enable

peer 10.0.52.5 route-policy attr export

peer 10.0.52.5 advertise-community

route-policy attr permit node 10

if-match ip-prefix com

apply community 65002:2

route-policy attr permit node 20

ip ip-prefix com index 10 permit 22.1.1.0 24

SW3

interface Vlanif1

ip address 10.0.33.1 255.255.255.0

interface MEth0/0/1

interface GigabitEthernet0/0/1

port link-type access

interface LoopBack0

ip address 33.1.1.1 255.255.255.0

interface LoopBack1

ip address 43.1.1.1 255.255.255.0

bgp 65003

peer 10.0.33.3 as-number 65100

peer 10.0.33.3 password cipher Q`OT=C0XP2sPddVIN=17t&I#

ipv4-family unicast

undo synchronization

network 33.1.1.0 255.255.255.0

network 43.1.1.0 255.255.255.0

peer 10.0.33.3 enable

peer 10.0.33.3 route-policy attr export

peer 10.0.33.3 advertise-community

route-policy attr permit node 10

if-match ip-prefix com

apply community 65003:3

route-policy attr permit node 20

ip ip-prefix com index 10 permit 33.1.1.0 24
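
The export policies configured on R1 and R5 above, modeled in Python as an added example (not part of the original post): it walks the three `route-policy finance` nodes over the prefixes the switches announce and also checks how the unanchored `65002$` expression treats an unrelated AS number. The route table is constructed from the configurations above; the function names and AS 165002 are assumptions made for illustration.

```python
import re

# Constructed route table as seen inside AS 65100: (prefix, AS_PATH, communities),
# derived from the network / apply community statements on SW1, SW2 and SW3.
ROUTES = [
    ("11.1.1.0/24", "65001", {"65001:1"}),  # branch 1 OA
    ("21.1.1.0/24", "65001", set()),        # branch 1 finance
    ("22.1.1.0/24", "65002", {"65002:2"}),  # branch 2 OA
    ("32.1.1.0/24", "65002", set()),        # branch 2 finance
    ("33.1.1.0/24", "65003", {"65003:3"}),  # HQ OA
    ("43.1.1.0/24", "65003", set()),        # HQ finance
]

def finance_policy(oa_community, aspath_regex):
    """Model of 'route-policy finance': node 10 permit, 20 deny, 30 permit."""
    nodes = [
        ("permit", lambda path, comms: oa_community in comms),
        ("deny", lambda path, comms: re.search(aspath_regex, path) is not None),
        ("permit", lambda path, comms: True),
    ]

    def evaluate(path, comms):
        for action, match in nodes:  # the first matching node decides
            if match(path, comms):
                return action == "permit"
        return False  # no node matched: implicit deny

    return evaluate

def exported(policy, branch_as):
    """Prefixes advertised to a branch (its own routes are left out for brevity)."""
    return [prefix for prefix, path, comms in ROUTES
            if path.split()[-1] != branch_as and policy(path, comms)]

def r1_to_sw1():
    return exported(finance_policy("65002:2", r"65002$"), "65001")

def r5_to_sw2():
    return exported(finance_policy("65001:1", r"65001$"), "65002")

def overmatch(regex, path="165002"):
    """True if the filter regex also hits an unrelated AS ending in the same digits."""
    return re.search(regex, path) is not None

if __name__ == "__main__":
    print("R1 -> SW1:", r1_to_sw1())
    print("R5 -> SW2:", r5_to_sw2())
    print("65002$ hits AS 165002:", overmatch(r"65002$"))
    print("anchored hits AS 165002:", overmatch(r"(^| )65002$"))
```

The Python pattern `(^| )65002$` stands in for the VRP expression `_65002$`, which anchors the match on a whole AS number.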
