
1. Attributes in BGP configuration
Topology sketch: 19.0.0.0/8 - RTa - (OSPF) - RTb - (eBGP) - 2.2.2.2
!!!!!! Controlling outbound routes !!!!!!
Scenario: a country's government websites should be reachable only by its own citizens, not by foreign traffic. The official websites are concentrated in the 181.194.33.0/24 subnet (inside the AS between RTA and RTB). The prefix is filtered out of the outbound eBGP advertisements so that foreign networks never learn a route to it:
access-list 1 deny 181.194.33.0 0.0.0.255
access-list 1 permit any

router bgp 1
 neighbor 1.1.1.1 remote-as 2
 neighbor 1.1.1.1 route-map deny181 out

route-map deny181 permit 10
 match ip address 1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
local-preference example
Topology sketch: AS1 at the bottom peers with both AS2 and AS3 above it.
When AS1 has two outbound paths, it can prefer one of them with local-preference:
access-list 1 permit any

router bgp 1
 neighbor 2.2.2.2 remote-as 2
 neighbor 2.2.2.2 route-map set_local in
 neighbor 3.3.3.3 remote-as 3

route-map set_local permit 10
 match ip address 1
 set local-preference 200
The default local-preference is 100; the higher the value, the more preferred the route, so routes learned from AS2 win over the same routes learned from AS3.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
MED example
Topology sketch: AS200 (routers A and B) on top, with the two Netcom exit routers below.
Netcom has two international exits; outbound traffic should be load-balanced, but inbound traffic should enter only through the lower-right router. On the other exit, raise the MED on locally originated routes (^$ matches an empty AS path, i.e. routes originated inside this AS) so the neighbor prefers the lower-right exit:
ip as-path access-list 10 permit ^$
ip as-path access-list 10 deny .*
router bgp 1
 neighbor 2.2.2.2 remote-as 2
 neighbor 2.2.2.2 route-map my_med out
route-map my_med permit 20
 match as-path 10
 set metric 2000
The default MED is 0; the lower the value, the more preferred the route.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
AS-path example
A country's government does not want its citizens to reach US sites, and the US AS number is known to be 400. The regex _400$ matches any AS path whose origin AS is 400, so those routes are dropped inbound:
ip as-path access-list 1 deny _400$
ip as-path access-list 1 permit .*

router bgp 1
 ! neighbor configuration for the Afghan AS
 neighbor 2.2.2.2 remote-as 2
 neighbor 2.2.2.2 route-map deny_usa in

route-map deny_usa permit 10
 match as-path 1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Practical use of the community attribute
A community is a group of routes, not a group of routers.
In China Mobile's internet backbone, each province has one router running BGP, and we want to know which province certain prefixes come from. Each provincial router tags the prefixes it originates with a community value that identifies the province:
access-list 1 permit any
! needed on older IOS so the community can be written in AA:NN form
ip bgp-community new-format
router bgp 65000
 network 202.24.0.0 mask 255.255.0.0
 ! international gateway router
 neighbor 2.2.2.2 remote-as 65000
 neighbor 2.2.2.2 send-community
 neighbor 2.2.2.2 route-map set_comm out
route-map set_comm permit 10
 match ip address 1
 set community 65000:24 additive
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
To guard against sabotage, or against the fallout of another engineer's misconfiguration, we use an access list to reject any default route learned via BGP:
access-list 1 deny 0.0.0.0
access-list 1 permit any

router bgp 1
 distribute-list 1 in
A router running eBGP must never hold a default route that points at another eBGP neighbor.
Not steering invalid traffic toward others is an obligation every BGP router should meet.