From: hover (羽), Board: TJU
Subject: ISP Network Technology Talk (repost)
Posted from: China Cisco Forum (Fri 3 Oct 2003 15:31:55), on-site mail

In this exciting column we'll actually walk through configuring a Cisco router for BGP. It's very important, however, that you look through June's column (which has 7 pages of background information on BGP), and preferably May's column, which talks about multi-homing without BGP, before you think you're ready to configure a router to speak BGP.

A BASIC REVIEW

BGP4, or Border Gateway Protocol 4, is the routing protocol that providers use to announce routing information to each other. A route is a promise to carry information (IP packets) to a given range of destination IP addresses. BGP4, as we're studying it here, is spoken over peering sessions between routers in different networks, or Autonomous Systems. Each Autonomous System (AS) has a globally unique Autonomous System Number (ASN).

AGAIN, A WARNING

This is dangerous stuff. It's always best if you can test BGP configurations in a "lab" made up of a few Cisco 2501s before implementing them in a live network connected to the Internet, or, if you can, post your network topology and suggested configuration to the inet-access mailing list and get feedback on it. Mistakes in BGP configuration can "blackhole" (deny service to) remote parts of the Internet, not just your own network. It's very important that you understand basic IP routing, how to configure your router properly, and at least the basics of BGP before you set out to configure your router.

Unfortunately, there's no good reference on using BGP to refer people to. Reading the RFCs (the Request For Comments documents that define the protocol at a low-to-mid level), or even Cisco documentation (Cisco did not invent BGP, but Cisco's BGP implementation is definitely the most widely used), does not really tell you enough. Many of the "routing gurus" out there got started by looking at and working on running networks, where the architecture and implementation were already done.
Most of the rest, however, started with the basics, and expanded their knowledge and experience as their networks grew.

Providers should aggressively filter their downstream BGP-speaking customers! The best way they can do this is to filter their customers' announcements so that they will only hear certain specific routes from each customer. You may remember major network problems from late April that could have been avoided if any of a number of routers along the way had had strict filters installed.

BEING "CONNECTED" TO THE INTERNET: YET ANOTHER REVIEW

Throughout this discussion it's critical to think about what it means to be "connected" to the Internet. To be connected to the Internet, for each host that is "on the Internet," you need to be able to:

Send a packet out a path that will ultimately wind up at that host.

That host has to have a path back to you. This means that whoever provides "Internet connectivity" to that host has to have a path to you, which ultimately means that they have to "hear a route" which covers the section of the IP space you're using, or you will not have connectivity to the host in question.

Look at Figure 1. We'll explain more of the details below, but note the "Home Dial-up User." He's connected to AOL, which is served by ANS (AOL owns ANS). We're using 192.204.4.0/24 as an example.

In this example, the reason that an AOL dial-up user can send a packet to 192.204.4.0/24 is that the ISP (AS 64512) advertised that route to its two upstream providers (AS 4969 and AS 701), who in turn advertised that route to AS 1673 (ANS, which provides IP service for AOL).

Every IP address that you can get to on the Internet is reachable because someone, somewhere, has advertised a route that "covers" it. Similarly, if there is no generally advertised route covering an IP address, then no one on the Internet will be able to reach it.
AS-PATHS

Every time a route is advertised via BGP to another AS, it is "stamped" with the ASN of the router doing the advertising. As a route moves from Autonomous System to Autonomous System (network to network), it builds up an "AS-PATH." Each route starts out with a "null AS-PATH," represented by the regular expression ^$. See Figure 1: the blocks that show the routes as they move from hop to hop show you the AS-PATH accumulating as the route moves from network to network.

HOW BGP PEERING SESSIONS WORK

When a peering session is established, each router sends all of its BGP routing information to the other router, unless "filters" are installed to restrict the information that gets passed. Then, once the initial routing information has been sent, "updates" (new routes being advertised, and old advertised routes being withdrawn) flow back and forth until the session dies.

AS-PATH FILTERS

We'll shortly give a complete explanation of "AS-PATH filters." For now, we'll just go over the basics and give you the three fundamental AS-PATH filters for basic BGP.

The purpose of AS-PATH filters is to whack out huge chunks of routing information, so that you send (or accept) exactly the routes that you want and nothing else.

--------------------------------------------------------------------------------
THE FUNDAMENTAL AS-PATH FILTERS

First, the filter that "permits everything."

ip as-path access-list 1 permit .*

Second, the filter that "denies everything."

ip as-path access-list 2 deny .*
--------------------------------------------------------------------------------

Third, the filter that "permits only OUR routes."

ip as-path access-list 3 permit ^$
ip as-path access-list 3 deny .*
--------------------------------------------------------------------------------

A few comments:

Don't play around with filters until you know more.

Entries are evaluated top-down and the first match wins. All filters have an implicit deny .* at the end, but it doesn't hurt to put one in for safety.

.* means "match any route."
^$ means "match every route with a NULL AS-PATH." The only routes with NULL (or "no") AS-PATHs are routes that are locally generated, i.e. originated by your own router, which is why list 3 lets out only your own routes.

BGP METRICS (ATTRIBUTES) AND ROUTE SELECTION: INTRODUCTION

Next month we'll go into BGP metrics and attributes, which are parameters associated with BGP routes that allow you to select, and change the selection of, "the best BGP route" for a certain destination. For now, keep in mind that unless you do tuning of your own:

The most specific route always wins. Whether it's a BGP route or a static internal route, the route with the longest prefix (the most specific one) always wins when the router forwards a packet.

If you have to choose between multiple BGP routes for the same prefix, the one with the shortest AS_PATH wins. (Weight and local preference are consulted before AS_PATH length, but we're not setting those yet.)

If you're multi-homed, then BGP will pick the route with the shortest AS_PATH if both providers offer you what is otherwise the same route to a given destination.

Once BGP picks the best route, it is then eligible to be installed in the IP Routing Table, which is the table that the router consults when making the actual packet-forwarding decisions.

WHAT TO KEEP IN MIND WHEN CONFIGURING BGP

When you're bringing up a new BGP session, or considering how to do BGP in general, the things to keep in mind for each peer are:

What routes do you want them to hear? The most important thing is to ensure that you do not re-advertise routes to networks you are not providing "Internet connectivity" for.

What do you want to do with the routes that you hear via the session? Do you want to "tune them"? Only take some? Take them all?

Do you have the memory and CPU in your router to really do what you want?

For the example in this column we'll explicitly advertise only a few routes, and use AS-PATH filters to deny advertisement of any other BGP routes we may have heard.

For now we'll either deny all incoming BGP routes and use load-balanced default routes, or we'll take the incoming BGP routes, if the BGP-speaking router is capable of it. The latter requires a Cisco with at least 64 MB of RAM.
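The three filters and the default selection rules above, modelled in Python as an added example (this is not code from the original column, and a Cisco router obviously does not run Python). The received prefixes and AS-PATHs are constructed; only the ASNs (64512, 4969, 701, 1673) come from Figure 1. It walks one pass through a border router: apply the inbound filter-list, pick the best path per prefix by shortest AS_PATH, do the longest-prefix lookup for a destination, then apply the outbound filter-list and prepend our ASN:

```python
"""Added example (not code from the original column): the three fundamental
AS-PATH filters plus the default route-selection rules the text describes.
Prefixes and paths below are constructed; only the ASNs come from Figure 1.
"""
import ipaddress
import re

# The column's three lists. IOS evaluates entries top-down, first match wins,
# and an unmatched path hits the implicit "deny .*".
AS_PATH_ACCESS_LISTS = {
    1: [("permit", r".*")],                    # permit everything
    2: [("deny", r".*")],                      # deny everything
    3: [("permit", r"^$"), ("deny", r".*")],   # permit only our (locally originated) routes
}


def as_path_permits(list_number, as_path):
    """Evaluate an ip as-path access-list against an AS-PATH (list of ASNs).

    IOS matches the regex against the path rendered as space-separated ASNs;
    a locally originated route renders as the empty string, which only ^$ matches.
    """
    rendered = " ".join(str(asn) for asn in as_path)
    for action, pattern in AS_PATH_ACCESS_LISTS[list_number]:
        if re.search(pattern, rendered):
            return action == "permit"
    return False  # the implicit "deny .*"


def accept_inbound(received, filter_list):
    """Apply 'neighbor X filter-list N in': drop what the list does not permit."""
    return [r for r in received if as_path_permits(filter_list, r["as_path"])]


def select_best(routes):
    """One best route per prefix. With no weight/local-pref tuning, shortest AS_PATH
    wins; on a tie the first one learned is kept (real routers have more tie-breakers)."""
    best = {}
    for r in routes:
        cur = best.get(r["prefix"])
        if cur is None or len(r["as_path"]) < len(cur["as_path"]):
            best[r["prefix"]] = r
    return best


def forward(rib, destination):
    """Longest-prefix match over the installed table: the most specific route always
    wins, regardless of how short the AS_PATH of a covering route was."""
    dst = ipaddress.ip_address(destination)
    matches = [p for p in rib if dst in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda p: ipaddress.ip_network(p).prefixlen)


def advertise_outbound(bgp_table, filter_list, local_asn):
    """Apply 'neighbor X filter-list N out' and prepend our ASN, which is how the
    AS-PATH accumulates hop by hop in Figure 1."""
    return {p: [local_asn] + r["as_path"]
            for p, r in bgp_table.items()
            if as_path_permits(filter_list, r["as_path"])}


# Constructed sample input: what AS 64512 hears from its two upstreams (AS 4969 and
# AS 701) plus one route it originates itself (empty AS-PATH).
RECEIVED_FROM_UPSTREAMS = [
    {"prefix": "10.0.0.0/8",   "via": "4969", "as_path": [4969, 1673]},
    {"prefix": "10.0.0.0/8",   "via": "701",  "as_path": [701, 4969, 1673]},
    {"prefix": "10.20.0.0/16", "via": "701",  "as_path": [701, 1673]},
    {"prefix": "10.20.0.0/16", "via": "4969", "as_path": [4969, 701, 1673]},
]
LOCAL_ROUTES = [{"prefix": "192.204.4.0/24", "via": "local", "as_path": []}]


def run(inbound_list=1, outbound_list=3):
    """Full pass: filter inbound, pick best paths, look up a destination, decide what goes out."""
    table = select_best(accept_inbound(RECEIVED_FROM_UPSTREAMS, inbound_list) + LOCAL_ROUTES)
    match = forward(table, "10.20.5.1")
    return {
        "table": table,
        "next_hop_for_10_20_5_1": table[match]["via"] if match else None,
        "announced": advertise_outbound(table, outbound_list, 64512),
    }


if __name__ == "__main__":
    for key, value in run().items():
        print(key, value)
```

With the column's defaults (list 1 in, list 3 out) the /8 is chosen via AS 4969 and the /16 via AS 701, a packet for 10.20.5.1 follows the /16 because it is more specific, and only 192.204.4.0/24 goes out, stamped with 64512. With list 2 inbound the table holds nothing but the local route, which is exactly the "announce only, accept nothing" setup the column builds.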
MULTI-HOMING AND LOAD-BALANCING

Generally, the goal of multi-homing is to use both connections in a sane manner and "load-balance" them somehow. Ideally, you'd like roughly half the traffic to go in and out of each connection. You'd also like "fail-over" routing, where if one connection goes down the other one keeps you connected to the Internet. In an ideal network, you'd be able to have any one of your connections to the Net go down and still maintain connectivity and speed.

We'll talk in the next few months about how you load-balance incoming and outgoing traffic to and from your network. Incoming traffic is controlled by how you announce your routes to the world (packets flow into your network because someone heard of, and is using, one of your route announcements). Outgoing traffic is controlled by the routes that you allow to flow into your border router(s), and is thus much easier to control and tune.

HOW TO ANNOUNCE YOUR NETWORKS: THE KEY TO BGP CONFIGURATION

Once you've decided what you want to do with BGP, it's time to translate those decisions into a router configuration.

The safest way to announce your routes with BGP is to configure everything statically. You can think of the process described below as turning internal routing statements into route announcements. To do this:

Identify every route that you "own" (or are "allowed to" announce).

Add a static route for each of them pointing at interface Loopback0, with an administrative distance higher than that of any other static route for that network. (The trailing number on an ip route line is the route's administrative distance, not a BGP "weight": higher numbers mean the route is less preferred, and a static route with no number gets the default distance of 1.)

Configure a router bgp clause like the one below, with static network statements to announce your routes, and "sanity filters" in place to make sure you only announce your routes and only take the routes you want.
For example, let's say you're routing the following networks (also called "netblocks" or "prefixes"):

170.40.0.0/16 (a /16 has a netmask of 255.255.0.0)
192.204.4.0/24 (a /24 has a netmask of 255.255.255.0)
207.106.96.0/22 (a /22 has a netmask of 255.255.252.0)

You'd first configure your router with:

interface Loopback0
 description Loopback interface for routes to be nailed to.
ip route 170.40.0.0 255.255.0.0 Loopback0 10
ip route 192.204.4.0 255.255.255.0 Loopback0 10
ip route 207.106.96.0 255.255.252.0 Loopback0 10

Then, put in your "as-path access-list filters":

ip as-path access-list 1 permit .*
ip as-path access-list 2 deny .*
ip as-path access-list 3 permit ^$
ip as-path access-list 3 deny .*

Then put in the "router bgp" clause. The neighbor lines below are a template: <peer-address> stands for the IP address of the remote router and <remote-asn> for its ASN.

router bgp 64512
 network 170.40.0.0 mask 255.255.0.0
 network 192.204.4.0 mask 255.255.255.0
 network 207.106.96.0 mask 255.255.252.0
 neighbor <peer-address> remote-as <remote-asn>
 neighbor <peer-address> next-hop-self
 neighbor <peer-address> filter-list 3 out
 neighbor <peer-address> filter-list 2 in

WHAT THIS DOES: ANTI-FLAPPING MEASURES

One of our goals is to prevent the route advertisements from "flapping" if parts of your network die temporarily. (If you are the upstream provider for anyone who's multi-homed, you shouldn't statically announce any routes for them unless you really understand what you're doing.) To prevent the route advertisements from flapping, we put in backup routes to the Loopback0 pseudo-interface.

This method "statically nails down" the advertised BGP route announcements made by the network statements. To nail them down, there must be: (1) an underlying route in the routing table with exactly the same prefix and netmask as each route being advertised with a network statement; and (2) those underlying routes must not go away.
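To see why the backup routes matter, here is an added example (not from the original column) that models the routing-table rules the nail-down trick depends on: a static route is only installed while its interface or next hop is usable, the lowest administrative distance wins per prefix, and a network statement is only announced while the table holds an exact-match route. The interface-to-subnet mapping and the failure scenario (Ethernet0 going down) are assumptions made for the illustration; the prefixes and next hops are the column's own:

```python
"""Added example (not from the original column): why a backup static route to
Loopback0 (or Null0) with a higher administrative distance keeps a BGP 'network'
announcement stable when the primary route disappears.

Modelled rules (the IOS behaviour the column relies on):
  - a static route is a candidate only while its outgoing interface is up, or,
    for a next-hop route, while the next hop lies in a connected subnet whose
    interface is up;
  - per prefix, the candidate with the lowest administrative distance is
    installed (an 'ip route' line with no trailing number has distance 1);
  - a 'network A mask M' statement is announced only while the routing table
    holds a route for exactly A/M.
The LAN-on-Ethernet0 layout is an assumption; prefixes are the column's own.
"""
import ipaddress

ALWAYS_UP = ("Loopback0", "Null0")  # pseudo-interfaces with nothing physical to fail


def installed_table(static_routes, interface_state, connected):
    """Return {prefix: winning static route} given which interfaces are up.

    static_routes: dicts with 'prefix', 'distance' and either 'interface' or 'next_hop'.
    interface_state: {interface: bool}.  connected: {interface: directly attached subnet}.
    """
    table = {}
    for route in static_routes:
        if "interface" in route:
            iface = route["interface"]
            usable = iface in ALWAYS_UP or interface_state.get(iface, False)
        else:
            nh = ipaddress.ip_address(route["next_hop"])
            usable = any(interface_state.get(iface, False) and nh in ipaddress.ip_network(subnet)
                         for iface, subnet in connected.items())
        if not usable:
            continue  # the route is withdrawn from the table
        current = table.get(route["prefix"])
        if current is None or route["distance"] < current["distance"]:
            table[route["prefix"]] = route
    return table


def announced_networks(network_statements, table):
    """The 'network' statements that have an exact-match route and are therefore announced."""
    return [n for n in network_statements if n in table]


# Constructed state: a router like the column's, with the LAN 207.106.96.0/24 on Ethernet0
# (assumed) and an internal router at 207.106.96.10 as the primary next hop.
CONNECTED = {"Ethernet0": "207.106.96.0/24"}
NETWORK_STATEMENTS = ["170.40.0.0/16", "192.204.4.0/24", "207.106.96.0/22"]
STATIC_ROUTES = [
    # primary routes via the internal router (default distance 1)
    {"prefix": "170.40.0.0/16", "next_hop": "207.106.96.10", "distance": 1},
    {"prefix": "192.204.4.0/24", "next_hop": "207.106.96.10", "distance": 1},
    # the "nail-down" backups at administrative distance 10
    {"prefix": "170.40.0.0/16", "interface": "Loopback0", "distance": 10},
    {"prefix": "192.204.4.0/24", "interface": "Loopback0", "distance": 10},
    {"prefix": "207.106.96.0/22", "interface": "Loopback0", "distance": 10},
]


def announcements(ethernet0_up, with_backups=True):
    """What AS 64512 announces, and what each prefix resolves to, for a given LAN state."""
    routes = STATIC_ROUTES if with_backups else [r for r in STATIC_ROUTES if "interface" not in r]
    table = installed_table(routes, {"Ethernet0": ethernet0_up}, CONNECTED)
    resolved = {p: r.get("next_hop", r.get("interface")) for p, r in table.items()}
    return announced_networks(NETWORK_STATEMENTS, table), resolved


if __name__ == "__main__":
    for up in (True, False):
        print("Ethernet0 up" if up else "Ethernet0 down", announcements(up))
        print("  ...without backups:", announcements(up, with_backups=False))
```

With the backups in place the same three prefixes are announced whether Ethernet0 is up or down; the only thing that changes is where the router resolves them (the primary at distance 1 while it is there, Loopback0 once it is gone). Without the backups, the announcement for the /22 never happens at all, because nothing in the table matches it exactly, and the other two are withdrawn the moment the LAN fails, which is precisely the flap the column is trying to avoid.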
The purpose of the Loopback0 routes is to ensure that even if an existing primary route which matches the netmask of the route being announced (and there often isn't one) goes away, the Loopback0 route (with an administrative distance of 10, which makes it only a backup to any static route without a distance at the end, since those get distance 1) will kick in and keep the BGP route advertisement stable. Loopback0 routes always stay installed since there's no physical interface to go down and cause the route to be withdrawn: interface Loopback0 will always be up, so the routes pointed at it will always be installed. NOTE: If you are already using Loopback0, then pick another interface (Loopback1, Loopback2, etc.). Pointing the backup routes at Null0 instead does the same job and is the more conventional choice; the complete sample configuration at the end of this column does exactly that.

WHAT THIS DOES: FILTERS

This example uses a "send only our local routes" outbound filter, so it won't accidentally re-advertise one of your upstream providers' routes to the other (which would make you a transit path between them).

Here we also use a "deny everything" incoming filter, so the session will only announce routes and not accept any. If you want to accept all incoming routes, replace filter-list 2 in with filter-list 1 in. Actually, you could just not specify an inbound as-path filter, and the effect would be the same, but it's better by far to be explicit about these things.

ADDING MORE PEERS

To add more peers, just create another similar set of neighbor statements. Cisco routers give you only about 30 seconds after the remote-as line before they try to establish the session, so it is critical that the neighbor somebody filter-list xxx ... statements are entered by then; otherwise the peer can briefly see every route in your table, or you can briefly accept everything the peer sends. The best way, by far, to do it is to either cut and paste or tftp in a complete set of neighbor statements. Safer still is to configure the peer with neighbor <peer-address> shutdown first, enter the filter-list lines, and only then remove the shutdown.

THE COMPLETED EXAMPLE

Here's an example of a completely filled-in BGP clause, based on Figure 1.
router bgp 64512
 network 170.40.0.0 mask 255.255.0.0
 network 192.204.4.0 mask 255.255.255.0
 network 207.106.96.0 mask 255.255.252.0
 neighbor 207.106.127.45 remote-as 4969
 neighbor 207.106.127.45 next-hop-self
 neighbor 207.106.127.45 filter-list 3 out
 neighbor 207.106.127.45 filter-list 2 in
 neighbor 137.10.10.121 remote-as 701
 neighbor 137.10.10.121 next-hop-self
 neighbor 137.10.10.121 filter-list 3 out
 neighbor 137.10.10.121 filter-list 2 in

This says:

Announce the networks 170.40.0.0/16, 192.204.4.0/24, and 207.106.96.0/22.

Talk to Net Access (207.106.127.45, AS 4969) and give them only our routes (filter-list 3 out) and take no BGP routes in (filter-list 2 in).

Talk to UUNET (137.10.10.121, AS 701) and give them only our routes (filter-list 3 out) and take no BGP routes in (filter-list 2 in).

Please, even though it isn't required at all times, put inbound and outbound filters, of some sort, on every BGP neighbor session.

CONTROLLING OUTGOING DATA FLOW: "FULL ROUTING" AND OTHER OPTIONS

Next month we'll go into detail and give you examples of many different ways to use the routes you can hear via BGP to tune your outbound data flow.

Briefly, option one is "take everything." With a big enough router, you can take multiple views of the full routing table, and this should give you somewhat better quality of Internet connectivity than just load-balancing default routes. For each route where there are multiple views, your router will select the best one to use at any time, based on AS_PATH length unless you tune other parameters.

Option two is "take customer routes from each provider." Who can get to SprintLink customers better than SprintLink? No one, if SprintLink's built its network properly. You ask each provider to only send you routes for its customers. Unless your two providers are SprintLink and MCI, you should be able to store those routes and use them even on a Cisco 2501.
These routes are also called "peering routes," because they are the routes that providers with no customer-provider relationship (MCI and Sprint, UUNET and ANS) send to each other via BGP.

--------------------------------------------------------------------------------
A SAMPLE ROUTER CONFIG

!
service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname jacks-router
!
! "enable secret" is the hashed one and takes precedence; the type-7 "enable
! password" below it is only obfuscated (trivially reversible) and adds nothing
! once an enable secret is set.
enable secret 5 $1$h7jsdf$k23jMhJ.u5jads0.otE.
enable password 7 145C1B020D1726
!
interface Ethernet0
 ! corrected: the original listed the network address 207.106.96.0, which is
 ! not a valid host address; .1 is assumed for the router's LAN interface
 ip address 207.106.96.1 255.255.255.0
!
interface Serial0
 description T1 to Net Access
 ip address 207.106.127.46 255.255.255.252
 encapsulation ppp
!
interface Serial1
 description T1 to UUNET
 ip address 137.10.10.122 255.255.255.252
!
router bgp 64512
 network 170.40.0.0 mask 255.255.0.0
 network 192.204.4.0 mask 255.255.255.0
 network 207.106.96.0 mask 255.255.252.0
 neighbor 207.106.127.45 remote-as 4969
 neighbor 207.106.127.45 next-hop-self
 neighbor 207.106.127.45 filter-list 3 out
 neighbor 207.106.127.45 filter-list 2 in
 neighbor 137.10.10.121 remote-as 701
 neighbor 137.10.10.121 next-hop-self
 neighbor 137.10.10.121 filter-list 3 out
 neighbor 137.10.10.121 filter-list 2 in
!
ip name-server 207.8.186.1
ip name-server 137.39.1.3
!
ip subnet-zero
ip classless
!
! Two default routes, one per upstream, load-balanced since no BGP routes are
! taken in.  Corrected: the original pointed the first default at
! 207.106.127.46, which is this router's own Serial0 address; the Net Access
! end of the /30 is .45.
ip route 0.0.0.0 0.0.0.0 207.106.127.45
ip route 0.0.0.0 0.0.0.0 Serial1
! Primary routes to the internal routers, plus Null0 "nail-down" backups at
! administrative distance 10 so the network statements above always have an
! exact-match route (Null0 here plays the role Loopback0 plays in the text).
ip route 170.40.0.0 255.255.0.0 207.106.96.10
ip route 170.40.0.0 255.255.0.0 Null0 10
ip route 192.204.4.0 255.255.255.0 207.106.96.10
ip route 192.204.4.0 255.255.255.0 Null0 10
ip route 207.106.96.0 255.255.252.0 Null0 10
ip route 207.106.96.128 255.255.255.192 207.106.96.7
ip route 207.106.97.0 255.255.255.0 207.106.96.11
ip route 207.106.98.0 255.255.254.0 207.106.96.11
!
ip as-path access-list 1 permit .*
ip as-path access-list 2 deny .*
ip as-path access-list 3 permit ^$
ip as-path access-list 3 deny .*
!
line vty 0 4
 password 7 0AB41A0C034907
 ! exec-timeout 0 0 disables the idle timeout on the vty lines entirely; a
 ! finite value (for example exec-timeout 10 0) and an access-class limiting
 ! who may connect are the usual hardening.
 exec-timeout 0 0

--
Vanilla comes from Madagascar, coffee from Brazil, strawberries from Oregon, chocolate from Belgium, nuts from Hawaii... my ideal... comes from you

※ Origin: China Cisco Forum bbs.ccxx.net [FROM: el océano profundo]
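Since the column insists on a filter in each direction on every session and on a nail-down route behind every network statement, the following added example (not part of the original column) checks both rules against an IOS config text. The config it runs on is constructed from the sample above, with one neighbor and one network deliberately broken so the checker has something to report. It recognises only the handful of line shapes the sample uses and ignores everything else:

```python
"""Added example (not from the original column): a sanity checker for an IOS
config against the column's two rules:
  1. every BGP neighbor has both an inbound and an outbound filter-list, and
     each referenced ip as-path access-list is actually defined;
  2. every 'network A mask M' statement is nailed down by an 'ip route A M'
     pointing at Null0 or a Loopback interface.
Only the line shapes used in the column's sample config are parsed.
"""
import re

NEIGHBOR_RE = re.compile(r"^\s*neighbor\s+(\S+)\s+(remote-as\s+(\d+)|filter-list\s+(\d+)\s+(in|out))")
NETWORK_RE = re.compile(r"^\s*network\s+(\d+\.\d+\.\d+\.\d+)\s+mask\s+(\d+\.\d+\.\d+\.\d+)")
ROUTE_RE = re.compile(r"^\s*ip route\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)(?:\s+(\d+))?")
ASPATH_RE = re.compile(r"^\s*ip as-path access-list\s+(\d+)\s+(permit|deny)\s+(.+)$")


def parse(config_text):
    """Pull neighbors, network statements, static routes and as-path lists out of the config."""
    neighbors, networks, routes, aspath_lists = {}, [], [], {}
    for line in config_text.splitlines():
        if m := NEIGHBOR_RE.match(line):
            peer = neighbors.setdefault(m.group(1), {"remote_as": None, "in": None, "out": None})
            if m.group(3):
                peer["remote_as"] = int(m.group(3))
            else:
                peer[m.group(5)] = int(m.group(4))
        elif m := NETWORK_RE.match(line):
            networks.append((m.group(1), m.group(2)))
        elif m := ROUTE_RE.match(line):
            routes.append({"prefix": m.group(1), "mask": m.group(2), "target": m.group(3),
                           "distance": int(m.group(4)) if m.group(4) else 1})
        elif m := ASPATH_RE.match(line):
            aspath_lists.setdefault(int(m.group(1)), []).append((m.group(2), m.group(3)))
    return neighbors, networks, routes, aspath_lists


def check(config_text):
    """Return a list of human-readable findings; an empty list means the config passes."""
    neighbors, networks, routes, aspath_lists = parse(config_text)
    findings = []
    for peer, info in neighbors.items():
        for direction in ("in", "out"):
            if info[direction] is None:
                findings.append(f"neighbor {peer}: no filter-list {direction}")
            elif info[direction] not in aspath_lists:
                findings.append(f"neighbor {peer}: filter-list {info[direction]} {direction} "
                                "references an undefined as-path access-list")
    for prefix, mask in networks:
        nailed = any(r["prefix"] == prefix and r["mask"] == mask
                     and (r["target"] == "Null0" or r["target"].startswith("Loopback"))
                     for r in routes)
        if not nailed:
            findings.append(f"network {prefix} mask {mask}: no Null0/Loopback static route nails it down")
    return findings


# Constructed from the column's sample config, with the UUNET neighbor missing its
# inbound filter and 192.204.4.0/24 missing its Null0 backup.
SAMPLE_CONFIG = """\
router bgp 64512
 network 170.40.0.0 mask 255.255.0.0
 network 192.204.4.0 mask 255.255.255.0
 network 207.106.96.0 mask 255.255.252.0
 neighbor 207.106.127.45 remote-as 4969
 neighbor 207.106.127.45 next-hop-self
 neighbor 207.106.127.45 filter-list 3 out
 neighbor 207.106.127.45 filter-list 2 in
 neighbor 137.10.10.121 remote-as 701
 neighbor 137.10.10.121 next-hop-self
 neighbor 137.10.10.121 filter-list 3 out
!
ip route 170.40.0.0 255.255.0.0 207.106.96.10
ip route 170.40.0.0 255.255.0.0 Null0 10
ip route 192.204.4.0 255.255.255.0 207.106.96.10
ip route 207.106.96.0 255.255.252.0 Null0 10
!
ip as-path access-list 2 deny .*
ip as-path access-list 3 permit ^$
ip as-path access-list 3 deny .*
"""

if __name__ == "__main__":
    for finding in check(SAMPLE_CONFIG) or ["config passes"]:
        print(finding)
```

Run it before pasting a new neighbor block into a live router: the two findings it reports on the constructed config (the UUNET session with no inbound filter, and the /24 that would flap with the LAN) are exactly the two mistakes the column warns about, and adding the missing filter-list line and Null0 route makes the check come back clean.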