BGP policy is based on AS path, community or prefix. The purpose of a BGP routing policy is to reject or accept selected routes and, by setting attributes, to influence path selection. The tools commonly used are:
Prefix-list (filters prefixes)
Filter-list (filters ASes)
Route-maps and communities
I. Prefix lists first. A prefix list is written in network (IP address/mask) form and can be applied inbound or outbound; on Cisco a prefix-list ends with an implicit deny. As an aside, the ACL approach (access-list) was deprecated in Cisco IOS long ago.
The syntax is as follows:
[no] ip[v6] prefix-list list-name [seq value] permit|deny
network/len [ge value] [le value]
network/len: The prefix and its length
ge value: “greater than or equal to”
le value: “less than or equal to”
Both “ge” and “le” are optional
--Used to specify the range of prefix lengths to be matched for prefixes that are more specific than network/len
Sequence number is also optional
--[no] ip[v6] prefix-list sequence-number disables the display of sequence numbers
A few examples:
1. Deny the IPv4/IPv6 default route
ip prefix-list EG deny 0.0.0.0/0
ipv6 prefix-list EG-v6 deny ::/0
2. Permit the network 36.0.0.0/8 and the IPv6 network 2001:DD8::/32
ip prefix-list EG permit 36.0.0.0/8
ipv6 prefix-list EG-v6 permit 2001:DD8::/32
3. Deny the network 172.16.0.0/12 and the IPv6 network 3FFE::/16
ip prefix-list EG deny 172.16.0.0/12
ipv6 prefix-list EG-v6 deny 3FFE::/16
4. Permit networks inside 192/8 with masks from /8 down to /24 (every network under 192.0.0.0/8 except those with masks /25, /26, /27, /28, /29, /30, /31 and /32)
Permit IPv6 networks inside 2000::/3 down to /48
ip prefix-list EG permit 192.0.0.0/8 le 24
ipv6 prefix-list EG-v6 permit 2000::/3 le 48
5. Permit networks inside 193/8 with lengths from /12 to /20 (that is, /12, /13, /14, /15, /16, /17, /18, /19, /20)
ip prefix-list EG permit 193.0.0.0/8 ge 12 le 20
6. Permit everything
ip prefix-list EG permit 0.0.0.0/0 le 32
Here is a configuration example:
router bgp 100
address-family ipv4
network 105.7.0.0 mask 255.255.0.0
neighbor 102.10.1.1 remote-as 110
neighbor 102.10.1.1 prefix-list AS110-IN in
neighbor 102.10.1.1 prefix-list AS110-OUT out
!
ip prefix-list AS110-IN deny 218.10.0.0/16
ip prefix-list AS110-IN permit 0.0.0.0/0 le 32
!
ip prefix-list AS110-OUT permit 105.7.0.0/16
ip prefix-list AS110-OUT deny 0.0.0.0/0 le 32
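To make the ge/le rules and the implicit deny concrete, here is a small prefix-list evaluator. It is an added example, not code from the article, and it implements the matching rules described above (candidate inside NET/LEN; length range: neither keyword gives exactly LEN, ge alone gives ge..max, le alone gives LEN..le, both give ge..le; first match in sequence order wins; no match means deny). The configuration text it parses is constructed from the lists in this article, and it also checks a caveat worth knowing: an entry with no ge/le matches only that exact prefix length, so `deny 218.10.0.0/16` in AS110-IN does not stop 218.10.5.0/24.

```python
import ipaddress
import re
from typing import NamedTuple, Optional


class Entry(NamedTuple):
    seq: int
    action: str          # "permit" or "deny"
    network: object      # ipaddress network written on the entry (NET/LEN)
    ge: Optional[int]
    le: Optional[int]


# ip[v6] prefix-list NAME [seq N] permit|deny NET/LEN [ge G] [le L]
LINE = re.compile(
    r"^ip(?:v6)? prefix-list (\S+)(?: seq (\d+))? (permit|deny) (\S+)"
    r"(?: ge (\d+))?(?: le (\d+))?$"
)


def parse_prefix_lists(config: str) -> dict:
    """Parse prefix-list lines into {name: [Entry, ...]}.

    Entries without an explicit sequence number are numbered in steps of 5,
    as IOS does; '!' separator lines and blank lines are skipped."""
    lists: dict = {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised prefix-list line: {line}")
        name, seq, action, net, ge, le = m.groups()
        entries = lists.setdefault(name, [])
        seq_no = int(seq) if seq else (entries[-1].seq + 5 if entries else 5)
        entries.append(Entry(seq_no, action, ipaddress.ip_network(net, strict=False),
                             int(ge) if ge else None, int(le) if le else None))
    return lists


def entry_matches(entry: Entry, prefix) -> bool:
    """True when the candidate lies inside NET/LEN and its length is in the ge/le range."""
    if prefix.version != entry.network.version or not prefix.subnet_of(entry.network):
        return False
    if entry.ge is None and entry.le is None:
        lo = hi = entry.network.prefixlen            # no ge/le: exactly this length
    else:
        lo = entry.ge if entry.ge is not None else entry.network.prefixlen
        hi = entry.le if entry.le is not None else entry.network.max_prefixlen
    return lo <= prefix.prefixlen <= hi


def evaluate(lists: dict, name: str, prefix_str: str) -> str:
    """First matching entry (sequence order) decides; nothing matched -> implicit deny."""
    prefix = ipaddress.ip_network(prefix_str, strict=False)
    for entry in sorted(lists[name], key=lambda e: e.seq):
        if entry_matches(entry, prefix):
            return entry.action
    return "deny"


# Constructed sample configuration: the AS110-IN/AS110-OUT lists and the EG examples above.
SAMPLE_CONFIG = """
ip prefix-list AS110-IN deny 218.10.0.0/16
ip prefix-list AS110-IN permit 0.0.0.0/0 le 32
!
ip prefix-list AS110-OUT permit 105.7.0.0/16
ip prefix-list AS110-OUT deny 0.0.0.0/0 le 32
!
ip prefix-list EG deny 0.0.0.0/0
ip prefix-list EG permit 36.0.0.0/8
ip prefix-list EG deny 172.16.0.0/12
ip prefix-list EG permit 192.0.0.0/8 le 24
ip prefix-list EG permit 193.0.0.0/8 ge 12 le 20
!
ipv6 prefix-list EG-v6 deny ::/0
ipv6 prefix-list EG-v6 permit 2001:DD8::/32
ipv6 prefix-list EG-v6 deny 3FFE::/16
ipv6 prefix-list EG-v6 permit 2000::/3 le 48
"""
LISTS = parse_prefix_lists(SAMPLE_CONFIG)

if __name__ == "__main__":
    for name, pfx in [("AS110-IN", "218.10.0.0/16"), ("AS110-IN", "218.10.5.0/24"),
                      ("AS110-OUT", "105.7.1.0/24"), ("EG", "192.168.1.0/25"),
                      ("EG", "193.0.0.0/8"), ("EG-v6", "3ffe:1::/32")]:
        print(f"{name:10} {pfx:18} -> {evaluate(LISTS, name, pfx)}")
```

Run it and note the two surprises: 218.10.5.0/24 is permitted by AS110-IN, and 3ffe:1::/32 is permitted by EG-v6, because the deny entries carry no le and therefore match only the exact /16. Adding `le 32` (or `le 128`) to those deny lines is what blocks the more specifics as well.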
II. Filter lists
A filter list is based on the AS path and can be applied inbound or outbound. It is configured on the BGP neighbor, with the following syntax:
neighbor <addr> filter-list <N> [in|out]
ip as-path access-list <N> [permit|deny] ...
A Cisco IOS as-path access-list also ends with an implicit deny.
Configuration example:
router bgp 100
address-family ipv4
network 105.7.0.0 mask 255.255.0.0
neighbor 102.10.1.1 filter-list 5 out
neighbor 102.10.1.1 filter-list 6 in
!
ip as-path access-list 5 permit ^200$
!
ip as-path access-list 6 permit ^150$
Here we can see that the syntax resembles Linux-style regular expressions:
. Match one character
* Match any number of preceding expression
+ Match at least one of preceding expression
^ Beginning of line
$ End of line
\ Escape a regular expression character
_ Beginning, end, white-space, brace
| Or
() parentheses to group an expression
[] brackets to contain a range of characters (e.g. digits)
Some examples:
.* match anything
.+ match at least one character
^$ match routes local to this AS
_1800$ originated by AS1800
^1800_ received from AS1800
_1800_ via AS1800
_790_1800_ via AS1800 and AS790
_(1800_)+ multiple AS1800 in sequence
(used to match AS-PATH prepends)
_\(65530\)_ via AS65530 (confederations)
Some more complex ones:
^[0-9]+$ Match AS_PATH length of one
^[0-9]+_[0-9]+$ Match AS_PATH length of two
^[0-9]*_[0-9]+$ Match AS_PATH length of one or two
^[0-9]*_[0-9]*$ Match AS_PATH length of one or two
(will also match zero)
^[0-9]+_[0-9]+_[0-9]+$ Match AS_PATH length of three
_(701|1800)_ Match anything which has gone through AS701 or AS1800
_1849(_.+_)12163$ Match anything of origin AS12163 and passed through AS1849
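The IOS AS-path regex dialect differs from ordinary regex only in the `_` character, so the examples above can be checked offline. The following is an added example, not code from the article: it rewrites an IOS expression into a Python regex over a space-separated AS_PATH string (mapping `_` to "start, end or whitespace", which is what `_` means here; the brace case is covered by writing a confederation segment as `(65530)` in the string), and evaluates an as-path access-list with the implicit deny. All AS paths below are constructed samples.

```python
import re
from typing import List, Tuple


def ios_regex_to_python(expr: str) -> str:
    """Translate an IOS AS-path regex into a Python regex.

    On a space-separated AS_PATH string, IOS '_' is start-of-path, end-of-path or a
    separator, i.e. (^|\\s|$). The remaining metacharacters (^ $ . * + | ( ) [ ] \\)
    already carry the same meaning in Python's re module."""
    return expr.replace("_", r"(?:^|\s|$)")


def aspath_matches(expr: str, as_path: str) -> bool:
    """True when the IOS expression matches anywhere in the AS_PATH string."""
    return re.search(ios_regex_to_python(expr), as_path) is not None


def as_path_filter(acl: List[Tuple[str, str]], as_path: str) -> str:
    """Evaluate an 'ip as-path access-list': entries are (action, regex) in order;
    the first matching entry decides, and no match means the implicit deny."""
    for action, expr in acl:
        if aspath_matches(expr, as_path):
            return action
    return "deny"


# Constructed as-path access-lists 5 and 6 from the filter-list example above.
ACL_5 = [("permit", "^200$")]   # only routes originated by the directly connected AS200
ACL_6 = [("permit", "^150$")]

if __name__ == "__main__":
    samples = [
        ("^$", ""), ("_1800$", "100 1800"), ("_1800$", "11800"),
        ("^1800_", "1800 100"), ("_1800_", "100 1800 200"),
        ("_(1800_)+", "100 1800 1800 1800 200"), (r"_\(65530\)_", "100 (65530) 200"),
        ("^[0-9]+$", "1800"), ("^[0-9]*_[0-9]*$", ""),
        ("_(701|1800)_", "100 701 200"), ("_1849(_.+_)12163$", "1849 65000 12163"),
    ]
    for expr, path in samples:
        print(f"{expr:22} on {path!r:28} -> {aspath_matches(expr, path)}")
    print("acl 5 on '200 300' ->", as_path_filter(ACL_5, "200 300"))
```

The `"11800"` case is why `_1800$` is used rather than `1800$`: without the `_`, AS11800 would match a filter meant for AS1800. Note also that `_1849(_.+_)12163$` needs at least one AS between 1849 and 12163; a path of just `1849 12163` does not match it.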
III. Route maps
A route map is written as a series of clauses; each line states a different condition/action. The logic is roughly:
if match (the condition holds) then do expression (execute the actions) and exit
else
if match (the condition holds) then do expression (execute the actions) and exit
Adding "continue" in between lets several condition clauses be executed within one route-map.
Each clause can perform several actions, for example:
route-map SAMPLE permit 10
set community 300:1
set local-preference 120
!
Both set commands here are executed.
A clause can also carry several conditions, for example:
route-map SAMPLE permit 10
match community 1
match ip address prefix-list MY-LIST
set local-preference 300
!
Here all of the conditions must match before the set command is executed.
Or, written like this:
route-map SAMPLE permit 10
match ip address prefix-list MY-LIST OTHER-LIST
set community 300:10
!
In this form, matching either one of the lists is enough for the set to be executed.
What happens if we write only a single match in the route-map?
route-map SAMPLE permit 10
match ip address prefix-list MY-LIST
!
You will find that only routes matching the condition are let through and everything else is dropped; in other words, following the usual convention, the end of a route-map is also an implicit deny. To avoid this, add an empty permit clause at the end, as in the following example:
route-map SAMPLE permit 10
match ip address prefix-list LIST-ONE
set local-preference 120
!
route-map SAMPLE permit 20
match ip address prefix-list LIST-TWO
set local-preference 80
!
route-map SAMPLE permit 30
remark Don’t forget this
!
A route-map can match on prefixes and it can match on AS numbers.
Matching prefixes first. In the configuration below, 10.0.0.0/8 gets a high local-preference, 20.0.0.0/8 gets a low one, and everything else is dropped.
router bgp 100
address-family ipv4
neighbor 1.1.1.1 route-map INFILTER in
!
route-map INFILTER permit 10
match ip address prefix-list HIGH-PREF
set local-preference 120
!
route-map INFILTER permit 20
match ip address prefix-list LOW-PREF
set local-preference 80
!
ip prefix-list HIGH-PREF permit 10.0.0.0/8
ip prefix-list LOW-PREF permit 20.0.0.0/8
Matching the AS path: in the configuration below, routes originated by AS150 get local-pref 80; the next clause sets local-pref 200 for routes whose AS path transits AS210; everything else is dropped.
router bgp 100
address-family ipv4
neighbor 102.10.1.2 remote-as 200
neighbor 102.10.1.2 route-map FILTER-ON-ASPATH in
!
route-map FILTER-ON-ASPATH permit 10
match as-path 1
set local-preference 80
!
route-map FILTER-ON-ASPATH permit 20
match as-path 2
set local-preference 200
!
ip as-path access-list 1 permit _150$
ip as-path access-list 2 permit _210_
AS-PATH prepending adds extra AS numbers to the AS path and is also called "AS PATH poisoning". Path selection treats a longer AS path (more ASes traversed) as less preferred; the AS path is also used to avoid loops.
router bgp 100
address-family ipv4
network 105.7.0.0 mask 255.255.0.0
neighbor 102.10.1.2 remote-as 300
neighbor 102.10.1.2 route-map SETPATH out
!
route-map SETPATH permit 10
set as-path prepend 100 100
!
Be sure that the AS number you prepend is your own; otherwise the BGP loop-detection mechanism may treat the route as a loop and discard it.
Matching community attributes: the configuration below sets local-pref 50 for prefixes carrying both communities 150:3 and 200:5, local-pref 200 for prefixes carrying community 88:6 and nothing else, and drops everything else.
router bgp 100
address-family ipv4
neighbor 102.10.1.2 remote-as 200
neighbor 102.10.1.2 route-map FILTER-ON-COMMUNITY in
!
route-map FILTER-ON-COMMUNITY permit 10
match community 1
set local-preference 50
!
route-map FILTER-ON-COMMUNITY permit 20
match community 2 exact-match
set local-preference 200
!
ip community-list 1 permit 150:3 200:5
ip community-list 2 permit 88:6
One more point to note: when written on a single line,
ip community-list 1 permit 150:3 200:5
150:3 and 200:5 are AND'ed (the route must carry both), whereas written on two lines they are OR'ed (either one is enough):
ip community-list 1 permit 150:3
ip community-list 1 permit 200:5
A configuration example for setting communities:
router bgp 100
address-family ipv4
network 105.7.0.0 mask 255.255.0.0
neighbor 102.10.1.1 remote-as 200
neighbor 102.10.1.1 send-community
neighbor 102.10.1.1 route-map SET-COMMUNITY out
!
route-map SET-COMMUNITY permit 10
match ip address prefix-list NO-ANNOUNCE
set community no-export
!
route-map SET-COMMUNITY permit 20
match ip address prefix-list AGGREGATE
!
ip prefix-list NO-ANNOUNCE permit 105.7.0.0/16 ge 17
ip prefix-list AGGREGATE permit 105.7.0.0/16
Back to the "continue" mentioned earlier. In the configuration below, a route that matches clause permit 10 would normally have its set applied and leave the route-map there (the if/then/exit logic above), so clause permit 20 is only reached by routes that did not match clause 10; with continue 30 added, after clause 10's set is applied evaluation jumps on to clause permit 30, skipping permit 20.
route-map PEER-FILTER permit 10
match ip address prefix-list GROUP-ONE
continue 30
set metric 2000
!
route-map PEER-FILTER permit 20
match ip address prefix-list GROUP-TWO
set community no-export
!
route-map PEER-FILTER permit 30
match ip address prefix-list GROUP-THREE
set as-path prepend 100 100
!
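The route-map behaviours described in this section (several match statements in one clause are AND'ed, several lists on one match line are OR'ed, the implicit deny at the end and the empty permit clause that avoids it, community-list AND/OR and exact-match semantics, and the continue jump) can all be exercised with a small evaluator. This is an added example, not code from the article; the routes, community lists and prefix lists are constructed samples, prefix-list matching is simplified to exact membership (the ge/le rules are a separate matter), and "what happens when a clause with continue is matched but no later clause matches" is treated as "the route stays permitted with the sets applied so far", which is an assumption about IOS behaviour rather than something the article states.

```python
from dataclasses import dataclass, field, replace
from typing import Optional, Tuple


@dataclass
class Route:
    prefix: str
    communities: frozenset = frozenset()
    as_path: tuple = ()
    local_pref: int = 100
    metric: int = 0


# Community lists from the article. One line with several communities means the route must
# carry all of them (AND); several lines for the same list are tried in turn (OR).
COMMUNITY_LISTS = {
    "1": [("permit", frozenset({"150:3", "200:5"}))],                          # one line: AND
    "2": [("permit", frozenset({"88:6"}))],
    "3": [("permit", frozenset({"150:3"})), ("permit", frozenset({"200:5"}))],  # two lines: OR
}

# Simplified prefix lists (constructed): exact prefix membership only.
PREFIX_LISTS = {
    "GROUP-ONE": {"10.1.0.0/16"},
    "GROUP-TWO": {"10.1.0.0/16", "10.2.0.0/16"},   # overlaps GROUP-ONE to show that continue 30 skips clause 20
    "GROUP-THREE": {"10.1.0.0/16", "10.3.0.0/16"},
}


def community_list_permits(name: str, comms: frozenset, exact: bool = False) -> bool:
    """'match community N': first entry whose communities are all present (or, with
    exact-match, exactly equal to the route's set) decides; no entry -> no match."""
    for action, entry in COMMUNITY_LISTS[name]:
        if (comms == entry) if exact else (entry <= comms):
            return action == "permit"
    return False


@dataclass
class Clause:
    seq: int
    action: str = "permit"
    match_community: Optional[str] = None
    exact_match: bool = False
    match_prefix_lists: Tuple[str, ...] = ()    # several lists on one match line: OR
    sets: dict = field(default_factory=dict)
    continue_to: Optional[int] = None


def clause_matches(c: Clause, r: Route) -> bool:
    """Separate match statements inside one clause are AND'ed."""
    if c.match_community and not community_list_permits(c.match_community, r.communities, c.exact_match):
        return False
    if c.match_prefix_lists and not any(r.prefix in PREFIX_LISTS[n] for n in c.match_prefix_lists):
        return False
    return True


def apply_sets(r: Route, sets: dict) -> Route:
    r = replace(r)  # work on a copy
    for key, value in sets.items():
        if key == "community":
            r.communities = frozenset({value})   # IOS 'set community' replaces unless 'additive'
        elif key == "local-preference":
            r.local_pref = value
        elif key == "metric":
            r.metric = value
        elif key == "as-path-prepend":
            r.as_path = tuple(value) + r.as_path
    return r


def run_route_map(clauses, route: Route) -> Optional[Route]:
    """Return the (modified) route if permitted, None if dropped.

    The first matching clause decides and exits, unless it carries 'continue': then its
    sets are applied, evaluation jumps to the named clause and sets accumulate. Falling off
    the end with nothing matched is the implicit deny."""
    ordered = sorted(clauses, key=lambda c: c.seq)
    permitted = None     # assumption: a matched permit+continue keeps the route permitted
    idx = 0
    while idx < len(ordered):
        c = ordered[idx]
        if not clause_matches(c, route):
            idx += 1
            continue
        if c.action == "deny":
            return None
        route = apply_sets(route, c.sets)
        if c.continue_to is None:
            return route
        permitted = route
        targets = [k for k, cc in enumerate(ordered) if cc.seq == c.continue_to]
        if not targets:
            raise ValueError(f"continue {c.continue_to}: no such clause")
        idx = targets[0]
    return permitted


# The route-maps from this section, as constructed clause lists.
FILTER_ON_COMMUNITY = [
    Clause(10, match_community="1", sets={"local-preference": 50}),
    Clause(20, match_community="2", exact_match=True, sets={"local-preference": 200}),
]
PEER_FILTER = [
    Clause(10, match_prefix_lists=("GROUP-ONE",), continue_to=30, sets={"metric": 2000}),
    Clause(20, match_prefix_lists=("GROUP-TWO",), sets={"community": "no-export"}),
    Clause(30, match_prefix_lists=("GROUP-THREE",), sets={"as-path-prepend": (100, 100)}),
]
SAMPLE_NO_CATCHALL = [Clause(10, match_prefix_lists=("GROUP-ONE",), sets={"local-preference": 120})]
SAMPLE_WITH_CATCHALL = SAMPLE_NO_CATCHALL + [Clause(30)]   # the empty "don't forget this" permit

if __name__ == "__main__":
    print(run_route_map(FILTER_ON_COMMUNITY, Route("10.9.0.0/16", frozenset({"150:3", "200:5"}))))
    print(run_route_map(FILTER_ON_COMMUNITY, Route("10.9.0.0/16", frozenset({"88:6", "1:1"}))))
    print(run_route_map(PEER_FILTER, Route("10.1.0.0/16", as_path=(65001,))))
    print(run_route_map(SAMPLE_NO_CATCHALL, Route("10.4.0.0/16")), run_route_map(SAMPLE_WITH_CATCHALL, Route("10.4.0.0/16")))
```

Running it shows 10.1.0.0/16 leaving PEER-FILTER with metric 2000 and the prepended path but without no-export, even though it is also in GROUP-TWO: continue 30 jumped straight over clause 20. The last line prints None for the route-map without the catch-all clause and the unchanged route for the one with it.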
Finally, a summary. We have covered three mechanisms: route-map, filter-list and prefix-list. How are they prioritised, and which one is applied first?
For inbound traffic the order is
Route-map > Filter-list > Prefix-list
For outbound traffic the order is reversed:
Prefix-list > Filter-list > Route-map
Once the policy is configured, issue a soft clear of BGP for it to take effect:
clear ip bgp <neighbour-addr> in|out
Be sure to add in or out, otherwise the command becomes a hard reset of the BGP session.
This article reviewed BGP policy, covering prefix-lists (network-based filtering), filter-lists (AS-based filtering) and route-maps (condition/action combinations). With these tools one can control which routes are accepted or rejected and influence path selection. The configuration examples above illustrate how each tool is used and the order in which they are applied.