r2(config)#access-list 1 permit 192.168.1.0 0.0.0.255
r2(config)#route-map aaa permit 10
r2(config-route-map)#match ip address 1
r2(config)#router bgp 100
r2(config-router)#neighbor 1.1.1.1 route-map aaa in
Only the 192.168.1.0 route is accepted from 1.1.1.1.
access-list 1 deny 192.168.1.0 0.0.0.255
access-list 1 permit any
route-map aaa permit 10
 match ip address 1
router bgp 200
 aggregate-address 192.168.0.0 255.255.248.0 suppress-map aaa summary-only as-set
Filtering during aggregation: the specifics the ACL permits are suppressed (aggregated); the ones it denies are not suppressed and are still advertised. Even with summary-only, 192.168.1.0 is still let through.
access-list 1 permit 192.168.1.0 0.0.0.255
route-map aaa permit 10
 match ip address 1
router bgp 200
 aggregate-address 192.168.0.0 255.255.248.0 summary-only
 neighbor 4.4.4.4 unsuppress-map aaa
The route suppressed locally is still advertised to neighbor 4.4.4.4, and it is active there.
!
route-map aaa permit 10
 set local-preference 120
router bgp 200
 aggregate-address 192.168.0.0 255.255.248.0 summary-only attribute-map aaa
The attribute-map changes the attributes of the summary route during aggregation; avoid combining it with an ACL match. Note: for aggregate-address, route-map and attribute-map mean the same thing.
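A worked model of the suppress-map / summary-only / unsuppress-map behaviour described above, added here as an example and not code from the notes. It assumes the precedence the notes state (a suppress-map overrides summary-only, an unsuppress-map on a neighbor re-advertises a suppressed specific) and uses the notes' 192.168.0.0/21 aggregate with constructed specifics.

```python
import ipaddress

def acl_permits(acl, prefix):
    """Standard ACL of (action, network, wildcard) entries, evaluated in order
    against the route's network address; implicit deny at the end."""
    addr = int(prefix.network_address)
    for action, network, wildcard in acl:
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF   # bits the wildcard does not ignore
        if (addr & care) == (int(ipaddress.IPv4Address(network)) & care):
            return action == "permit"
    return False

def advertised_to_neighbor(specifics, aggregate, summary_only=False,
                           suppress_acl=None, unsuppress_acl=None):
    """Prefixes sent to one neighbor for a given aggregate-address configuration."""
    components = [p for p in specifics if p.subnet_of(aggregate)]
    sent = set()
    if components:                      # the aggregate exists only while it has components
        sent.add(aggregate)
    for p in specifics:
        suppressed = False
        if p in components:
            if suppress_acl is not None:
                suppressed = acl_permits(suppress_acl, p)   # suppress-map: ACL permit = suppress
            elif summary_only:
                suppressed = True                            # summary-only: all components suppressed
            if suppressed and unsuppress_acl is not None:
                suppressed = not acl_permits(unsuppress_acl, p)   # per-neighbor unsuppress-map
        if not suppressed:
            sent.add(p)
    return sent

N = ipaddress.IPv4Network
# Constructed sample routing table: three components of the aggregate plus one outside it.
SPECIFICS = [N("192.168.1.0/24"), N("192.168.2.0/24"), N("192.168.3.0/24"), N("10.0.0.0/24")]
AGGREGATE = N("192.168.0.0/21")         # 192.168.0.0 255.255.248.0 from the notes
ACL_DENY_1 = [("deny", "192.168.1.0", "0.0.0.255"), ("permit", "0.0.0.0", "255.255.255.255")]
ACL_PERMIT_1 = [("permit", "192.168.1.0", "0.0.0.255")]

if __name__ == "__main__":
    cases = [("summary-only", dict(summary_only=True)),
             ("suppress-map aaa summary-only", dict(summary_only=True, suppress_acl=ACL_DENY_1)),
             ("summary-only + unsuppress-map aaa", dict(summary_only=True, unsuppress_acl=ACL_PERMIT_1))]
    for label, kw in cases:
        print(label, sorted(map(str, advertised_to_neighbor(SPECIFICS, AGGREGATE, **kw))))
```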
access-list 1 deny 192.168.1.0 0.0.0.255
access-list 1 permit any
!
route-map aaa permit 10
 match ip address 1
 set metric 66
router bgp 200
 neighbor 4.4.4.4 route-map aaa out
192.168.1.0 is not advertised to 4.4.4.4; the other routes are advertised with their metric set to 66.
access-list 1 permit 192.168.1.0 0.0.0.255
router bgp 200
 distribute-list 1 in
Only the 192.168.1.0 route is allowed in.
access-list 1 permit 192.168.1.0 0.0.0.255
router bgp 200
 neighbor 4.4.4.4 distribute-list 1 in
Only routes from 4.4.4.4 that match a permit entry of the ACL are accepted.
access-list 1 permit 172.168.1.0 0.0.0.255
access-list 1 permit 172.168.2.0 0.0.0.255
route-map aaa permit 10
 match ip address 1
aggregate-address 172.168.1.0 255.255.255.0 as-set advertise-map aaa
Only the routes the ACL matches are advertised into the aggregate, and their AS numbers are kept (as-set).
Prefix-list filtering:
ip prefix-list aaa seq 5 permit 192.168.1.0/24
(ge = greater than or equal, le = less than or equal: bounds on the prefix length)
router bgp 100
 neighbor 1.1.1.1 prefix-list aaa in (or out)
Filter precedence
Outbound: route-map, then filter-list, then prefix-list
Inbound: prefix-list, then filter-list, then route-map
BGP filter regular expressions
1. Metacharacters (special characters)
A typical AS_PATH filter looks like this:
ip as-path access-list 83 permit ^1_701_(_5646_|_1240).*
The string after the permit keyword is a regular expression.
2. Table 1: regular-expression metacharacters for AS_PATH access lists
    Metacharacter   Matches
    .               any single character, including a space
    [ ]             any one of the characters listed inside the brackets
    [^]             any character except those listed inside the brackets (the ^ must be placed before the character list)
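A worked example of the AS_PATH regular expressions, added here and not part of the original notes: it translates the IOS `_` metacharacter into a Python regex, evaluates an as-path access-list with first-match-wins and implicit deny, and checks the filter above as well as the `_200$` filter used in the R1 configuration further down. Assumption: `_` is treated as an AS-number boundary (a position next to a delimiter or to the start/end of the path, optionally consuming one delimiter).

```python
import re

# Characters IOS treats as AS_PATH delimiters; "_" also matches the start and end of the path.
DELIMS = " ,{}()"

# Assumed reading of "_": an AS-number boundary, optionally consuming one delimiter, so that
# the notes' ^1_701_(_5646_|_1240).* matches "1 701 5646 ..." as intended.
UNDERSCORE = rf"(?:(?<![^{DELIMS}])|(?![^{DELIMS}]))[{DELIMS}]?"

def ios_to_python(expr: str) -> str:
    """Translate an IOS as-path regex into a Python regex. The other metacharacters
    of Table 1 (. [] [^] * + ? ^ $ | ()) mean the same in Python, so only "_" is rewritten."""
    return expr.replace("_", UNDERSCORE)

def as_path_matches(expr: str, as_path: str) -> bool:
    """True when the AS_PATH, written as in 'show ip bgp' (e.g. '1 701 5646'), matches
    the IOS regex; the empty string is the AS_PATH of a locally originated route."""
    return re.search(ios_to_python(expr), as_path) is not None

def as_path_access_list(entries, as_path: str) -> bool:
    """Evaluate an 'ip as-path access-list': (action, regex) entries in configured
    order, first match wins, implicit deny at the end."""
    for action, expr in entries:
        if as_path_matches(expr, as_path):
            return action == "permit"
    return False

if __name__ == "__main__":
    acl_83 = [("permit", r"^1_701_(_5646_|_1240).*")]   # from the notes
    acl_1 = [("permit", r"_200$")]                       # R1: routes originated in AS 200
    for path in ("1 701 5646 2", "1 701 1240", "1 7011 5646", "11 701 5646"):
        print(f"as-path access-list 83, {path!r}: {as_path_access_list(acl_83, path)}")
    for path in ("100 200", "100 1200", "200"):
        print(f"as-path access-list 1,  {path!r}: {as_path_access_list(acl_1, path)}")
```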
... internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 192.168.1.0      13.1.1.1                 0             7777 100 i
*> 192.168.2.0      13.1.1.1                 0             8888 100 i
r3(config)#
* In a normal route-map clause, several match conditions can be combined and then a single set statement is executed.
R1:
ip as-path access-list 1 permit _200$      ! routes originated in AS 200
ip prefix-list aaa permit 0.0.0.0/0        ! I only accept the default route
route-map aaa permit 10
 match as-path 1
 match ip address prefix-list aaa
 set weight 200
route-map aaa permit 20
 match ip address prefix-list aaa
 set weight 100
router bgp 213
 neighbor r2 route-map aaa in
 neighbor r3 route-map aaa in
(r2 and r3 stand for the neighbors' addresses)
Soft reconfiguration
R1:
router bgp 1
 neighbor 1.1.1.1 soft-reconfiguration inbound
The routes learned from 1.1.1.1 are stored in local memory, so make sure there is enough memory; this only takes effect for EBGP neighbors.
clear ip bgp 1.1.1.1 soft in
Now the router does not ask 1.1.1.1 for the routes again; it simply takes them from its own memory.
show ip bgp neighbors 1.1.1.1 then shows type=2 (soft) and type=128 (the old hard clear).
NSF
The control plane restarts while the data plane keeps forwarding. Before restarting I tell the peer that I will not send keepalives for a while and that it should keep the TCP session between us.
router bgp 100
 bgp graceful-restart restart-time <seconds>
restart-time: how long you wait for me; I will finish restarting within that time.
NSR: I create the illusion that my control plane has no problem.
SSO / GRES
Two supervisor engines in hot standby.
BGP optimization
1. Adjusting the BGP keepalive:
router bgp 100
 timers bgp 10 30
2. How to tell that convergence is complete:
r3#show ip bgp neighbors 13.1.1.1
BGP neighbor is 13.1.1.1,  remote AS 100, external link
  BGP version 4, remote router ID 1.1.1.1
  BGP state = Established, up for 00:01:19
  Last read 00:00:19, last write 00:00:19, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received(old & new)
    Address family IPv4 Unicast: advertised and received
  Message statistics:
    InQ depth is 0
    OutQ depth is 0
                         Sent       Rcvd
    Opens:
    Notifications:          0          0
    Updates:                0
    Keepalives:
    Route Refresh:          0          0
    Total:
  Default minimum time between advertisement runs is 30 seconds

 For address family: IPv4 Unicast
  BGP table version 2, neighbor version 2/0   <-- if the two versions are equal, convergence is complete
  Output queue size: 0
  Index 1, Offset 0, Mask 0x2
  1 update-group member
                                 Sent       Rcvd
  Prefix activity:               ----       ----
    Prefixes Current:               0          1 (Consumes 52 bytes)
    Prefixes Total:                 0
    Implicit Withdraw:              0          0
    Explicit Withdraw:              0          0
    Used as bestpath:             n/a
    Used as multipath:            n/a          0

                                   Outbound    Inbound
  Local Policy Denied Prefixes:    --------    -------
    Bestpath from this peer:            n/a
    Total:                                0
  Number of NLRIs in the update sent: max 0, min 0

  Connections established 1; dropped 0
  Last reset never
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Connection is ECN Disabled, Mininum incoming TTL 0, Outgoing TTL 1
Local host: 13.1.1.3, Local port: 59918
Foreign host: 13.1.1.1, Foreign port: 179
Connection tableid (VRF): 0

Enqueued packets for retransmit: 0, input: 0  mis-ordered: 0 (0 bytes)

Event Timers (current time is 0x31D68):
Timer          Starts    Wakeups            Next
Retrans                                      0x0
TimeWait            0          0             0x0
AckHold                                      0x0
SendWnd             0          0             0x0
KeepAlive           0          0             0x0
GiveUp              0          0             0x0
PmtuAger            0          0             0x0
DeadWait            0          0             0x0
Linger              0          0             0x0
ProcessQ            0          0             0x0

iss:  368904907  snduna:  368905010  sndnxt:  368905010     sndwnd:  16282
irs:  257648202  rcvnxt:  257648357  rcvwnd:      16230  delrcvwnd:    154

SRTT: 125 ms, RTTO: 1409 ms, RTV: 1284 ms, KRTT: 0 ms
minRTT: 128 ms, maxRTT: 308 ms, ACK hold: 200 ms
Status Flags: active open
Option Flags: nagle
IP Precedence value : 6

Datagrams (max data segment is 1460 bytes):
Rcvd: 7 (out of order: 0), with data: 4, total data bytes: 154
Sent: 7 (retransmit: 1, fastretransmit: 0, partialack: 0, Second Congestion: 0), with data: 4, total data bytes: 102
Packets received in fast path: 0, fast processed: 0, slow path: 0
fast lock acquisition failures: 0, slow path: 0
r3#show int f0/0
FastEthernet0/0 is up, line protocol is up
Hardware is DEC21140, address is ca00.0c1c.0000 (bia ca00.0c1c.0000)
Internet address is 13.1.1.3/24
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Half-duplex, 100Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:54, output 00:00:05, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)   <-- if these are all 0 there is no update traffic, convergence is complete
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
26 packets input, 3764 bytes
Received 7 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog
0 input packets with dribble condition detected
73 packets output, 7439 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
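The convergence check of step 2, turned into a small parser as an added example (not the notes' own code): it reads the "BGP table version / neighbor version" and "Output queue" lines from constructed excerpts of the two show commands above and applies the notes' rule. Assumption: the output follows the line formats shown in the captures above.

```python
import re

# Constructed excerpts of the two commands, trimmed to the lines the checker reads.
SHOW_BGP_NEIGHBOR = """\
BGP neighbor is 13.1.1.1,  remote AS 100, external link
  BGP state = Established, up for 00:01:19
 For address family: IPv4 Unicast
  BGP table version 2, neighbor version 2/0
  Output queue size: 0
"""
SHOW_INTERFACE = """\
FastEthernet0/0 is up, line protocol is up
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
"""

def neighbor_converged(show_neighbor: str) -> bool:
    """Rule from the notes: session Established, BGP table version equal to the
    neighbor version, and nothing waiting in the per-neighbor output queue."""
    if "BGP state = Established" not in show_neighbor:
        return False
    ver = re.search(r"BGP table version (\d+), neighbor version (\d+)/\d+", show_neighbor)
    outq = re.search(r"Output queue size\s*:\s*(\d+)", show_neighbor)
    if ver is None or outq is None:
        raise ValueError("version/queue lines not found in 'show ip bgp neighbors' output")
    return ver.group(1) == ver.group(2) and int(outq.group(1)) == 0

def interface_idle(show_interface: str) -> bool:
    """Second check from the notes: the interface output queue reads 0/N,
    i.e. no update traffic is queued to leave."""
    q = re.search(r"Output queue: (\d+)/\d+ \(size/max\)", show_interface)
    if q is None:
        raise ValueError("Output queue line not found in 'show interface' output")
    return int(q.group(1)) == 0

def converged(show_neighbor: str, show_interface: str) -> bool:
    return neighbor_converged(show_neighbor) and interface_idle(show_interface)

if __name__ == "__main__":
    print("converged:", converged(SHOW_BGP_NEIGHBOR, SHOW_INTERFACE))
    # A neighbor that is still one table version behind is not converged yet.
    lagging = SHOW_BGP_NEIGHBOR.replace("neighbor version 2/0", "neighbor version 1/0")
    print("lagging neighbor converged:", neighbor_converged(lagging))
```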
3. Set the MSS to 1460; both sides must be configured.
ip tcp path-mtu-discovery age-timer 30
age-timer: how long the discovered value is kept; without this parameter the default is 10 minutes.
5. Interface queue length. Prevents drops when ACKs come back and the interface queue is too small: if an interface drops 5% of packets, TCP performance falls by 50%. Recommended value 1000:
interface f0/0
 hold-queue 1000 in
 hold-queue 1000 out
6. BGP scanner interval. Every 60 seconds the scanner checks next-hop reachability, checks whether advertised routes still satisfy their conditions, and runs the BGP dampening (penalty) mechanism. Changing it is not recommended.
router bgp 100
 bgp scan-time 50
r3(config)#do show ip bgp summary
BGP router identifier 3.3.3.3, local AS number 200
BGP table version is 3, main routing table version 3
2 network entries using 240 bytes of memory
2 path entries using 104 bytes of memory
3/2 BGP path/bestpath attribute entries using 372 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 1 (at peak 1) using 32 bytes of memory
BGP using 772 total bytes of memory
BGP activity 2/0 prefixes, 2/0 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
13.1.1.1             100      34      34        0    0      00:30:14
7. EBGP advertisement interval. If the BGP table is large, avoid changing it: convergence can be faster, but the CPU is exhausted quickly. The default is 0 seconds for iBGP and 30 seconds for EBGP.
r3(config)#router bgp 200
r3(config-router)#neighbor 13.1.1.1 advertisement-interval 30
r3#show ip bgp neighbors 13.1.1.1
BGP neighbor is 13.1.1.1,  remote AS 100, external link
  BGP version 4, remote router ID 1.1.1.1
  BGP state = Established, up for 00:02:31
  Last read 00:00:31, last write 00:00:31, hold time is 180, keepalive inter
  Neighbor capabilities:
    Route refresh: advertised and received(old & new)
    Address family IPv4 Unicast: advertised and received
  Message statistics:
    InQ depth is 0
    OutQ depth is 0
                         Sent       Rcvd
    Opens:
    Notifications:          0          0
    Updates:
    Keepalives:            49         48
    Route Refresh:          0          0
    Total:                 53         52
  Default minimum time between advertisement runs is 30 seconds

 For address family: IPv4 Unicast
  BGP table version 3, neighbor version 3/0
  Output queue size: 0
  Index 1, Offset 0, Mask 0x2
  1 update-group member
                                 Sent       Rcvd
  Prefix activity:               ----       ----
    Prefixes Current:               1 (Consumes 52 bytes)
    Prefixes Total:
    Implicit Withdraw:              0          0
    Explicit Withdraw:              0          0
    Used as bestpath:             n/a
    Used as multipath:            n/a          0

                                   Outbound    Inbound
  Local Policy Denied Prefixes:    --------    -------
    Bestpath from this peer:            n/a
    Total:                                0
  Number of NLRIs in the update sent: max 1, min 1
  Minimum time between advertisement runs is 600 seconds

  Connections established 2; dropped 1
  Last reset 00:02:33, due to User reset
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Connection is ECN Disabled, Mininum incoming TTL 0, Outgoing TTL 1
Local host: 13.1.1.3, Local port: 45132
Foreign host: 13.1.1.1, Foreign port: 179
Connection tableid (VRF): 0

Enqueued packets for retransmit: 0, input: 0  mis-ordered: 0 (0 bytes)

Event Timers (current time is 0x2A3D30):
Timer          Starts    Wakeups            Next
Retrans             0                        0x0
TimeWait            0          0             0x0
AckHold             0                        0x0
SendWnd             0          0             0x0
KeepAlive           0          0             0x0
GiveUp              0          0             0x0
PmtuAger            0          0             0x0
DeadWait            0          0             0x0
Linger              0          0             0x0
ProcessQ            0          0             0x0

iss:  665239953  snduna:  665240146  sndnxt:  665240146     sndwnd:  16192
irs: 3831860571  rcvnxt: 3831860764  rcvwnd:      16192  delrcvwnd:    192

SRTT: 182 ms, RTTO: 1073 ms, RTV: 891 ms, KRTT: 0 ms
minRTT: 48 ms, maxRTT: 300 ms, ACK hold: 200 ms
Status Flags: active open
Option Flags: nagle
IP Precedence value : 6

Datagrams (max data segment is 1460 bytes):
Rcvd: 10 (out of order: 0), with data: 5, total data bytes: 192
Sent: 8 (retransmit: 0, fastretransmit: 0, partialack: 0, Second Congestion: ata bytes: 192
Packets received in fast path: 0, fast processed: 0, slow path: 0
fast lock acquisition failures: 0, slow path: 0
r3#
Limiting the number of routes received from a neighbor:
r1(config-router)#neighbor 1.1.1.1 maximum-prefix 10000 warning-only
Above 10000 prefixes, a warning is logged once.
r1(config-router)#neighbor 1.1.1.1 maximum-prefix 10000 restart 5
Above 10000 prefixes, the neighbor is torn down for 5 minutes.
r1(config-router)#neighbor 1.1.1.1 maximum-prefix 10000 70
A warning is logged once when 70% of the limit is reached (the default threshold is 75%).
Peer groups: faster convergence, simpler configuration
A border router connects to many neighbors that share one policy. Without this feature, IOS builds a separate update for every neighbor; create a group, put several neighbors in it, and one update then serves every neighbor in the peer group.
Restrictions: the outbound updates are identical for all members, and iBGP and EBGP neighbors cannot be mixed in one group.
Configured once for the group and applied to all its neighbors: the advertised attribute values, the update-source IP address, EBGP multihop, MD5 authentication, the neighbor weight, filter-list and prefix-list filtering, and the route-map policy set.
R7:
router bgp 100
 neighbor ebgp peer-group
 neighbor ebgp remote-as 200
 neighbor ebgp route-map aaa out   (or in)
 neighbor 17.1.1.1 peer-group ebgp
 neighbor 27.1.1.2 peer-group ebgp
 neighbor ibgp peer-group
 neighbor ibgp remote-as 100
 neighbor ibgp update-source loopback 1
 neighbor ibgp next-hop-self
 neighbor 88.1.1.1 peer-group ibgp