Project Background
As company A's network has grown and new business lines demand faster and more stable Internet access, the company has decided to upgrade its network infrastructure. To that end, company A has leased two lines from carrier B for Internet access, aiming to raise the utilisation of network resources and improve security, stability and reliability, so that users get a better service and experience.
Against this background, Xiao Li, an intern at company A, has been asked by the project manager to simulate in a lab environment how the enterprise border devices connect to the carrier network, in order to improve accuracy and efficiency and to build a solid technical foundation before the project is implemented. Xiao Li uses one router to simulate the carrier's network and configures two border routers to connect to carrier B's network. Inside the enterprise, the network is interconnected by running OSPF.
Lab Topology
Project Objectives
Preparation
**Configure IP addresses:** private addresses are used between the company's internal devices and on loopback interfaces; public addresses are used for the company's service network segments and for the links to the ISP device.
**Configure OSPF:** configure OSPF on the internal routers AR1, AR2 and AR3 so that the source addresses used for BGP messages are reachable when the IBGP neighbours are established.
Project Core
**Configure basic BGP functions:** start the BGP process, configure the BGP router ID, create the IBGP and EBGP peers, specify the source address for BGP messages, configure next-hop-local for the IBGP peers, and advertise the networks.
**Configure BGP authentication:** to improve network security, configure BGP MD5 authentication on the link between AR1 and the ISP, and BGP keychain authentication on the link between AR3 and the ISP.
**Configure a route reflector:** the IBGP peers do not need a full mesh; configure router AR2 as the BGP route reflector with AR1 and AR3 as its clients.
**Configure BGP route aggregation:** configure BGP route aggregation on the border routers AR1 and AR3 to reduce the size of the ISP router's routing table.
**Configure the BGP community attribute:** configure the BGP community attribute on the border routers AR1 and AR3 so that the aggregate route carries a community value when it is advertised to the ISP router.
**Configure BGP damping:** configure damping for the 4.4.4.4 route on router AR1 to suppress an unstable route.
| Device | Interface | Interface subnet | Peer device and interface |
|-----|--------|---------------|------------|
| AR1 | G0/0/0 | 10.12.12.0/24 | AR2 G0/0/0 |
| AR1 | G0/0/2 | 201.1.4.0/30 | ISP G0/0/0 |
| AR2 | G0/0/0 | 10.12.12.0/24 | AR1 G0/0/0 |
| AR2 | G0/0/1 | 10.23.23.0/24 | AR3 G0/0/1 |
| AR3 | G0/0/1 | 10.23.23.0/24 | AR2 G0/0/1 |
| AR3 | G0/0/2 | 201.1.4.4/30 | ISP G0/0/1 |
| ISP | G0/0/0 | 201.1.4.0/30 | AR1 G0/0/2 |
| ISP | G0/0/1 | 201.1.4.4/30 | AR3 G0/0/2 |
[Device interface connection plan]
| Device | Interface | IP address | Remarks |
|-----|-------------|---------------|---------------|
| AR1 | G0/0/0 | 10.12.12.1/24 | |
| | G0/0/2 | 201.1.4.1/30 | |
| | Loopback 0 | 10.1.1.1/32 | Update source for IBGP neighbour establishment |
| AR2 | G0/0/0 | 10.12.12.2/24 | |
| | G0/0/1 | 10.23.23.2/24 | |
| | Loopback 0 | 10.2.2.2/32 | Update source for IBGP neighbour establishment |
| | Loopback 10 | 201.1.0.1/24 | Simulates a host on the company's internal network |
| | Loopback 11 | 201.1.1.1/24 | Simulates a host on the company's internal network |
| | Loopback 12 | 201.1.2.1/24 | Simulates a host on the company's internal network |
| | Loopback 13 | 201.1.3.1/24 | Simulates a host on the company's internal network |
| AR3 | G0/0/1 | 10.23.23.3/24 | |
| | G0/0/2 | 201.1.4.5/30 | |
| | Loopback 0 | 10.3.3.3/32 | Update source for IBGP neighbour establishment |
| ISP | G0/0/0 | 201.1.4.2/30 | Update source for IBGP neighbour establishment |
| | G0/0/1 | 201.1.4.6/30 | Update source for IBGP neighbour establishment |
| | Loopback 0 | 4.4.4.4/32 | Simulates an ISP host |
[Device interface IP address plan]
Project Steps
Preparation Work
(1) Configure IP addresses
Private addresses are used between the company's internal network devices and on their loopback interfaces; public addresses are used for the company's service segments and for the links to the ISP device. The service segments are simulated with loopback interfaces on routers AR2 and ISP. Configure the IP addresses on the router interfaces as follows.
# AR1 configuration
[AR1]interface GigabitEthernet 0/0/0
[AR1-GigabitEthernet0/0/0]ip address 10.12.12.1 24
[AR1-GigabitEthernet0/0/0]q
[AR1]interface GigabitEthernet 0/0/2
[AR1-GigabitEthernet0/0/2]ip address 201.1.4.1 30
[AR1-GigabitEthernet0/0/2]q
[AR1]interface LoopBack 0
[AR1-LoopBack0]ip address 10.1.1.1 32
[AR1-LoopBack0]q
[AR1]
# AR2 configuration
[AR2]interface GigabitEthernet 0/0/0
[AR2-GigabitEthernet0/0/0]ip address 10.12.12.2 24
[AR2-GigabitEthernet0/0/0]q
[AR2]interface GigabitEthernet 0/0/1
[AR2-GigabitEthernet0/0/1]ip address 10.23.23.2 24
[AR2-GigabitEthernet0/0/1]q
[AR2]interface LoopBack 0
[AR2-LoopBack0]ip address 10.2.2.2 32
[AR2-LoopBack0]q
[AR2]interface LoopBack 10
[AR2-LoopBack10]ip address 201.1.0.1 24
[AR2-LoopBack10]q
[AR2]interface LoopBack 11
[AR2-LoopBack11]ip address 201.1.1.1 24
[AR2-LoopBack11]q
[AR2]interface LoopBack 12
[AR2-LoopBack12]ip address 201.1.2.1 24
[AR2-LoopBack12]q
[AR2]interface LoopBack 13
[AR2-LoopBack13]ip address 201.1.3.1 24
[AR2-LoopBack13]q
[AR2]
# AR3 configuration
[AR3]interface GigabitEthernet 0/0/1
[AR3-GigabitEthernet0/0/1]ip address 10.23.23.3 24
[AR3-GigabitEthernet0/0/1]q
[AR3]interface GigabitEthernet 0/0/2
[AR3-GigabitEthernet0/0/2]ip address 201.1.4.5 30
[AR3-GigabitEthernet0/0/2]q
[AR3]interface LoopBack 0
[AR3-LoopBack0]ip address 10.3.3.3 32
[AR3-LoopBack0]q
[AR3]
# ISP configuration
[ISP]interface GigabitEthernet 0/0/0
[ISP-GigabitEthernet0/0/0]ip address 201.1.4.2 30
[ISP-GigabitEthernet0/0/0]q
[ISP]interface GigabitEthernet 0/0/1
[ISP-GigabitEthernet0/0/1]ip address 201.1.4.6 30
[ISP-GigabitEthernet0/0/1]q
[ISP]interface LoopBack 0
[ISP-LoopBack0]ip address 4.4.4.4 32
[ISP-LoopBack0]q
[ISP]
Check the result (AR1 as an example)
[AR1]display ip interface brief | exclude unassigned
(2) Configure OSPF
Configure OSPF between the internal routers AR1, AR2 and AR3 so that the source addresses used for BGP messages are reachable when the IBGP neighbours are established.
# AR1 configuration
[AR1]ospf 1 router-id 1.1.1.1
[AR1-ospf-1]bandwidth-reference 1000
Info: Reference bandwidth is changed. Please ensure that the reference bandwidth
that is configured for all the routers are the same.
[AR1-ospf-1]area 0
[AR1-ospf-1-area-0.0.0.0]network 10.1.1.1 0.0.0.0
[AR1-ospf-1-area-0.0.0.0]network 10.12.12.1 0.0.0.0
[AR1-ospf-1-area-0.0.0.0]q
[AR1-ospf-1]q
[AR1]
# AR2 configuration
[AR2]ospf 1 router-id 2.2.2.2
[AR2-ospf-1]bandwidth-reference 1000
Info: Reference bandwidth is changed. Please ensure that the reference bandwidth
that is configured for all the routers are the same.
[AR2-ospf-1]area 0
[AR2-ospf-1-area-0.0.0.0]network 10.2.2.2 0.0.0.0
[AR2-ospf-1-area-0.0.0.0]network 10.12.12.2 0.0.0.0
[AR2-ospf-1-area-0.0.0.0]network 10.23.23.2 0.0.0.0
[AR2-ospf-1-area-0.0.0.0]q
[AR2-ospf-1]q
[AR2]
# AR3 configuration
[AR3]ospf 1 router-id 3.3.3.3
[AR3-ospf-1]bandwidth-reference 1000
Info: Reference bandwidth is changed. Please ensure that the reference bandwidth
that is configured for all the routers are the same.
[AR3-ospf-1]area 0
[AR3-ospf-1-area-0.0.0.0]network 10.3.3.3 0.0.0.0
[AR3-ospf-1-area-0.0.0.0]network 10.23.23.3 0.0.0.0
[AR3-ospf-1-area-0.0.0.0]q
[AR3-ospf-1]q
[AR3]
Verify the OSPF configuration
<AR1>display ip routing-table protocol ospf
Project Core
(1) Configure basic BGP functions
Start the BGP process, configure the BGP router ID, create the IBGP and EBGP peers, specify the source address for BGP messages, configure next-hop-local for the IBGP peers, adjust the keepalive timer, and advertise the networks.
# AR1 configuration
[AR1]bgp 65100
[AR1-bgp]router-id 1.1.1.1
[AR1-bgp]peer 10.2.2.2 as-number 65100
[AR1-bgp]peer 10.2.2.2 connect-interface LoopBack 0
[AR1-bgp]peer 10.2.2.2 enable
[AR1-bgp]peer 10.2.2.2 next-hop-local
[AR1-bgp]peer 201.1.4.2 as-number 65200
[AR1-bgp]peer 201.1.4.2 enable
[AR1-bgp]timer keepalive 60 hold 180
[AR1-bgp]q
[AR1]
# AR2 configuration
[AR2]bgp 65100
[AR2-bgp]router-id 2.2.2.2
[AR2-bgp]peer 10.1.1.1 as-number 65100
[AR2-bgp]peer 10.1.1.1 connect-interface LoopBack 0
[AR2-bgp]peer 10.1.1.1 enable
[AR2-bgp]peer 10.3.3.3 as-number 65100
[AR2-bgp]peer 10.3.3.3 connect-interface LoopBack 0
[AR2-bgp]peer 10.3.3.3 enable
[AR2-bgp]network 201.1.0.0 24
[AR2-bgp]network 201.1.1.0 24
[AR2-bgp]network 201.1.2.0 24
[AR2-bgp]network 201.1.3.0 24
[AR2-bgp]q
# AR3 configuration
[AR3]bgp 65100
[AR3-bgp]router-id 3.3.3.3
[AR3-bgp]peer 10.2.2.2 as-number 65100
[AR3-bgp]peer 10.2.2.2 connect-interface LoopBack 0
[AR3-bgp]peer 10.2.2.2 enable
[AR3-bgp]peer 10.2.2.2 next-hop-local
[AR3-bgp]peer 201.1.4.6 as-number 65200
[AR3-bgp]peer 201.1.4.6 enable
[AR3-bgp]q
[AR3]
# ISP configuration
[ISP]bgp 65200
[ISP-bgp]router-id 4.4.4.4
[ISP-bgp]peer 201.1.4.1 as-number 65100
[ISP-bgp]peer 201.1.4.1 enable
[ISP-bgp]peer 201.1.4.5 as-number 65100
[ISP-bgp]peer 201.1.4.5 enable
[ISP-bgp]network 4.4.4.4 255.255.255.255
[ISP-bgp]q
[ISP]
(2) Configure BGP authentication
To improve network security, configure BGP MD5 authentication on the link between AR1 and the ISP, and BGP keychain authentication on the link between AR3 and the ISP. Both mechanisms authenticate every TCP segment of the BGP session with a shared secret, so a peer that does not know the key cannot establish the session or inject segments into it.
Configure BGP MD5 authentication
# AR1 configuration
[AR1]bgp 65100
[AR1-bgp]peer 201.1.4.2 password cipher ren123456
[AR1-bgp]q
[AR1]
# ISP configuration
[ISP]bgp 65200
[ISP-bgp]peer 201.1.4.1 password cipher ren123456
[ISP-bgp]q
[ISP]
Configure BGP keychain authentication
# AR3 configuration
[AR3]keychain toISP mode periodic daily
[AR3-keychain]key-id 1
[AR3-keychain-keyid-1]algorithm md5
[AR3-keychain-keyid-1]key-string cipher ren123456
[AR3-keychain-keyid-1]send-time daily 00:00 to 23:59
[AR3-keychain-keyid-1]receive-time daily 00:00 to 23:59
[AR3-keychain-keyid-1]q
[AR3-keychain]q
[AR3]bgp 65100
[AR3-bgp]peer 201.1.4.6 keychain toISP
[AR3-bgp]q
[AR3]
# ISP configuration
[ISP]keychain toAR3 mode periodic daily
[ISP-keychain]key-id 1
[ISP-keychain-keyid-1]algorithm md5
[ISP-keychain-keyid-1]key-string cipher ren123456
[ISP-keychain-keyid-1]send-time daily 00:00 to 23:59
[ISP-keychain-keyid-1]receive-time daily 00:00 to 23:59
[ISP-keychain-keyid-1]q
[ISP-keychain]q
[ISP]bgp 65200
[ISP-bgp]peer 201.1.4.5 keychain toAR3
[ISP-bgp]q
[ISP]
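The `peer ... password cipher` command above turns on the TCP MD5 signature option of RFC 2385 for the AR1 to ISP session. The following added example (not part of the lab or of the VRP software) shows in Python what each side computes per segment: an MD5 digest over the IP pseudo-header, the fixed TCP header, the BGP payload and the shared key, which the receiver recomputes and compares before accepting the segment. It assumes the signature option is padded to 20 bytes and uses a constructed KEEPALIVE with made-up sequence numbers.

```python
import hashlib
import hmac
import socket
import struct

# Assumption: the 18-byte MD5 option is padded to 20 bytes, so the TCP header
# length field is 10 words and the segment length counts those 20 option bytes.
OPTION_LEN = 20

def bgp_keepalive():
    # BGP KEEPALIVE: 16-byte all-ones marker, length 19, type 4
    return b"\xff" * 16 + struct.pack("!HB", 19, 4)

def tcp_fixed_header(sport, dport, seq, ack, flags=0x18, window=16384):
    # 20-byte fixed header with checksum zero and no options, as RFC 2385 requires
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 10 << 4, flags, window, 0, 0)

def tcp_md5_digest(src_ip, dst_ip, fixed_header, data, password):
    """16-byte digest over pseudo-header, fixed header, payload and the shared key."""
    seg_len = len(fixed_header) + OPTION_LEN + len(data)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    h = hashlib.md5()
    for part in (pseudo, fixed_header, data, password.encode()):
        h.update(part)
    return h.digest()

def verify_segment(src_ip, dst_ip, fixed_header, data, received_digest, password):
    """Receiver side: recompute the digest and compare in constant time; a mismatch means drop."""
    expected = tcp_md5_digest(src_ip, dst_ip, fixed_header, data, password)
    return hmac.compare_digest(expected, received_digest)

# Constructed sample: AR1 (201.1.4.1) sends a KEEPALIVE to the ISP (201.1.4.2)
AR1, ISP, PASSWORD = "201.1.4.1", "201.1.4.2", "ren123456"
HEADER = tcp_fixed_header(sport=50000, dport=179, seq=1000, ack=2000)
PAYLOAD = bgp_keepalive()
SIGNATURE = tcp_md5_digest(AR1, ISP, HEADER, PAYLOAD, PASSWORD)

if __name__ == "__main__":
    print("ISP accepts :", verify_segment(AR1, ISP, HEADER, PAYLOAD, SIGNATURE, PASSWORD))
    print("wrong key   :", verify_segment(AR1, ISP, HEADER, PAYLOAD, SIGNATURE, "wrong"))
    tampered = PAYLOAD[:-1] + b"\x02"   # message type changed from KEEPALIVE to UPDATE
    print("tampered    :", verify_segment(AR1, ISP, HEADER, tampered, SIGNATURE, PASSWORD))
```

Because the sequence number is part of the signed header, a digest captured from one segment does not verify on another, which is why a mismatched or missing password shows up as a session that never leaves the Idle/Connect state rather than as a data error.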
(3) Configure the route reflector
The IBGP peers do not need a full mesh: configure router AR2 as the BGP route reflector, with AR1 and AR3 as its clients.
[AR2]bgp 65100
[AR2-bgp]undo reflect between-clients
[AR2-bgp]reflector cluster-id 123
[AR2-bgp]peer 10.1.1.1 reflect-client
[AR2-bgp]peer 10.3.3.3 reflect-client
[AR2-bgp]q
[AR2]
(4) Configure BGP route aggregation
Configure BGP route aggregation on the border routers AR1 and AR3 to reduce the size of the ISP router's routing table.
# AR1 configuration
[AR1]bgp 65100
[AR1-bgp]aggregate 201.1.0.0 255.255.252.0 as-set detail-suppressed
[AR1-bgp]q
[AR1]
# AR3 configuration
[AR3]bgp 65100
[AR3-bgp]aggregate 201.1.0.0 255.255.252.0 as-set detail-suppressed
[AR3-bgp]q
[AR3]
(5) Configure the BGP community attribute
Configure the BGP community attribute on the border routers AR1 and AR3 so that the aggregate route carries a community value when it is advertised to the ISP router.
# AR1 configuration
[AR1]ip ip-prefix AR1 index 10 permit 201.1.0.0 22
[AR1]route-policy AR1 permit node 10
Info: New Sequence of this List.
[AR1-route-policy]if-match ip-prefix AR1
[AR1-route-policy]apply community 65100:123
[AR1-route-policy]q
[AR1]route-policy AR1 permit node 20
Info: New Sequence of this List.
[AR1-route-policy]q
[AR1]bgp 65100
[AR1-bgp]peer 201.1.4.2 route-policy AR1 export
[AR1-bgp]peer 201.1.4.2 advertise-community
[AR1-bgp]q
[AR1]
# AR3 configuration
[AR3]ip ip-prefix AR3 index 10 permit 201.1.0.0 22
[AR3]route-policy AR3 permit node 10
Info: New Sequence of this List.
[AR3-route-policy]if-match ip-prefix AR3
[AR3-route-policy]apply community 65100:123
[AR3-route-policy]q
[AR3]route-policy AR3 permit node 20
Info: New Sequence of this List.
[AR3-route-policy]q
[AR3]bgp 65100
[AR3-bgp]peer 201.1.4.6 route-policy AR3 export
[AR3-bgp]peer 201.1.4.6 advertise-community
[AR3-bgp]q
[AR3]
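Steps (4) and (5) together decide what AR1 actually sends to the ISP: `aggregate ... as-set detail-suppressed` replaces the four /24 routes with 201.1.0.0/22, and route-policy AR1 attaches community 65100:123 only to routes matching the exact /22 prefix while node 20 passes everything else unchanged. The added Python model below (not the router's code, not from the lab) walks a constructed Adj-RIB-In through both steps and encodes the community as the 32-bit value carried on the wire; the route entries and their AS paths are constructed for the example.

```python
import ipaddress

# Constructed Adj-RIB-In on AR1: the four /24s originated by AR2 inside AS 65100
# (empty AS_PATH) and the ISP's 4.4.4.4/32 learned over EBGP from AS 65200.
AGGREGATE = ipaddress.ip_network("201.1.0.0/22")
RIB = [
    {"prefix": "201.1.0.0/24", "as_path": [], "community": []},
    {"prefix": "201.1.1.0/24", "as_path": [], "community": []},
    {"prefix": "201.1.2.0/24", "as_path": [], "community": []},
    {"prefix": "201.1.3.0/24", "as_path": [], "community": []},
    {"prefix": "4.4.4.4/32", "as_path": [65200], "community": []},
]

def aggregate_detail_suppressed(rib, aggregate):
    """Model of 'aggregate <net> <mask> as-set detail-suppressed'.
    Returns (aggregate route or None, routes that are still exported).
    as-set: AS_SET collects the ASes of every suppressed specific route.
    detail-suppressed: the specifics covered by the aggregate are not exported."""
    covered = [r for r in rib if ipaddress.ip_network(r["prefix"]).subnet_of(aggregate)]
    rest = [r for r in rib if r not in covered]
    if not covered:
        return None, rest          # no contributing route, no aggregate generated
    as_set = sorted({asn for r in covered for asn in r["as_path"]})
    agg = {"prefix": str(aggregate), "as_path": [], "as_set": as_set, "community": []}
    return agg, rest

def export_policy_ar1(route):
    """route-policy AR1: node 10 matches ip-prefix AR1 (exact 201.1.0.0/22) and
    applies community 65100:123; node 20 permits everything else untouched."""
    if ipaddress.ip_network(route["prefix"]) == AGGREGATE:
        return dict(route, community=route["community"] + ["65100:123"])
    return route

def community_wire(value):
    """Encode 'AS:NN' as the 32-bit COMMUNITIES attribute value (AS in the high 16 bits)."""
    asn, nn = (int(x) for x in value.split(":"))
    return (asn << 16) | nn

def advertise_to_isp(rib):
    """What AR1 exports to the ISP peer after aggregation and the export policy."""
    agg, rest = aggregate_detail_suppressed(rib, AGGREGATE)
    return [export_policy_ar1(r) for r in ([agg] if agg else []) + rest]

if __name__ == "__main__":
    for r in advertise_to_isp(RIB):
        print(r["prefix"], r["community"], [hex(community_wire(c)) for c in r["community"]])
```

Only the aggregate leaves AR1 with the community; the `peer ... advertise-community` line is still required, since without it the attribute is stripped before the UPDATE is sent even though the policy applied it.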
(6) Configure BGP damping
On router AR1, configure damping for the 4.4.4.4 route to suppress an unstable route.
[AR1]ip ip-prefix 4 index 10 permit 4.4.4.4 32
[AR1]route-policy formISP permit node 10
Info: New Sequence of this List.
[AR1-route-policy]if-match ip-prefix 4
[AR1-route-policy]apply dampening 15 750 2000 3000
[AR1-route-policy]q
[AR1]route-policy formISP permit node 20
Info: New Sequence of this List.
[AR1-route-policy]q
[AR1]bgp 65100
[AR1-bgp]dampening route-policy formISP
[AR1-bgp]q
[AR1]
Verification
(1) Check the TCP connection status
<ISP>display tcp status | include 179
<AR2>display tcp status | include 179
(2) Check the BGP peer information on all four devices
<AR1>display bgp peer
[Output captured on AR1, AR2, AR3 and ISP]
(3) Check the detailed BGP peer information
<AR3>display bgp peer 201.1.4.6 verbose
(4) Check the BGP default parameters
[AR2]display default-parameter bgp
(5) Check the BGP routing information on AR1
<AR1>display bgp routing-table
(6) Check the detailed information for a BGP route
[AR2]display bgp routing-table 4.4.4.4 32
(7) Check the routes in the BGP routing table that carry a community attribute
<ISP>display bgp routing-table community