In this post we look at using BGP on a Cisco ASA to fail over between two Ethernet links from the same ISP.
Test lab topology:
The two ISP routers carry mirror-image configurations, and both advertise a default route to the ASA.
router bgp 111
bgp log-neighbor-changes
neighbor 2.2.2.2 remote-as 111
neighbor 2.2.2.2 update-source Loopback0
neighbor 2.2.2.2 next-hop-self
neighbor 11.11.11.2 remote-as 65000
neighbor 11.11.11.2 default-originate
A very basic configuration (this one is R1's; R2's is the same with the addresses swapped). IS-IS runs between the two routers to share the loopback addresses that the iBGP session between them is sourced from.
The first step is to pick the prefix we will announce. I am using 99.99.99.99/32, but note that at this point it is not attached to any interface, so nothing would put it in the routing table for BGP to pick up. A static route to Null0 solves that:
route Null0 99.99.99.99 255.255.255.255
Now we set up a prefix-list; it will be applied outbound on both peers so that this /32 is the only thing the ASA ever advertises:
prefix-list MYIP seq 5 permit 99.99.99.99/32
And finally the actual BGP configuration:
router bgp 65000
bgp log-neighbor-changes
address-family ipv4 unicast
neighbor 10.10.10.1 remote-as 111
neighbor 10.10.10.1 activate
neighbor 10.10.10.1 prefix-list MYIP out
neighbor 11.11.11.1 remote-as 111
neighbor 11.11.11.1 activate
neighbor 11.11.11.1 prefix-list MYIP out
network 99.99.99.99 mask 255.255.255.255
no auto-summary
no synchronization
exit-address-family
It is a slightly odd way to have to configure it, but it works fine.
The first test is show bgp summ, which in ASA-speak is:
ciscoasa# show bgp summ
BGP router identifier 192.168.192.1, local AS number 65000
BGP table version is 13, main routing table version 13
2 network entries using 400 bytes of memory
3 path entries using 240 bytes of memory
2/2 BGP path/bestpath attribute entries using 416 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1080 total bytes of memory
BGP activity 14/12 prefixes, 57/54 paths, scan interval 60 secs
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.10.10.1      4          111       8       6       13    0    0 00:01:35        1
11.11.11.1      4          111       8       6       13    0    0 00:01:35        1
Note that we receive one route from each peer. That should be the default route, but we can check:
ciscoasa# sh route bgp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 11.11.11.1 to network 0.0.0.0
B* 0.0.0.0 0.0.0.0 [20/0] via 11.11.11.1, 00:03:44
And for more detail on that route:
ciscoasa# show bgp 0.0.0.0/0
BGP routing table entry for 0.0.0.0/0, version 2
Paths: (2 available, best #1, table default)
Not advertised to any peer
111
11.11.11.1 from 11.11.11.1 (1.1.1.1)
Origin IGP, localpref 100, valid, external, best
111
10.10.10.1 from 10.10.10.1 (2.2.2.2)
Origin IGP, localpref 100, valid, external
We should also check that we are advertising the 99.99.99.99/32 prefix to our peers. Note the "Not advertised to any peer" line in the output above: the default route learned from one ISP router is not being re-advertised to the other. The ISP routers would drop such a leak anyway, because the path would already carry their own AS 111, but the outbound prefix-list means we never rely on that.
ciscoasa# show bgp neighbors 10.10.10.1 advertised-routes
BGP table version is 13, local router ID is 192.168.192.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete
     Network          Next Hop            Metric LocPrf Weight Path
 *>  99.99.99.99/32   0.0.0.0                  0         32768 i
Total number of prefixes 1
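The three checks above (both sessions Established, exactly one prefix received from each peer, and only our own /32 going out) are exactly what should be scripted into a post-change check so that a link that silently dropped to Active, or a leaked default route, is caught rather than noticed by the users. The script below is an added example, not part of the original post. The sample outputs are constructed to match the ASA format shown above; the third peer 12.12.12.1 and the leaked 0.0.0.0 entry are invented to show what a failure looks like and do not exist in the lab.

```python
"""Post-change checks for the ASA BGP setup above: parse 'show bgp summary'
and 'show bgp neighbors X advertised-routes' text and flag anything that
deviates from the design. Added example; the sample outputs are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed: the two healthy peers from the page plus an invented third peer
# stuck in Active, to show how a broken neighbour is reported.
SAMPLE_SUMMARY = """\
BGP router identifier 192.168.192.1, local AS number 65000
BGP table version is 13, main routing table version 13
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.10.10.1      4          111       8       6       13    0    0 00:01:35        1
11.11.11.1      4          111       8       6       13    0    0 00:01:35        1
12.12.12.1      4          111       0       0        1    0    0 never    Active
"""

# Constructed: what advertised-routes would look like if the outbound
# prefix-list were missing and the ISP's default route leaked back out.
LEAKY_ADVERTISED = """\
BGP table version is 13, local router ID is 192.168.192.1
     Network          Next Hop            Metric LocPrf Weight Path
 *>  0.0.0.0          11.11.11.1               0    200      0 111 i
 *>  99.99.99.99/32   0.0.0.0                  0         32768 i

Total number of prefixes 2
"""


@dataclass
class Peer:
    address: str
    remote_as: int
    uptime: str
    state: str                         # "Established" or the FSM state printed
    prefixes_received: Optional[int]   # only meaningful when Established


# Neighbor, version, AS, five counters, Up/Down, then State/PfxRcd, which may
# contain spaces (e.g. "Idle (Admin)").
NEIGHBOR_RE = re.compile(
    r"^(?P<addr>\d+(?:\.\d+){3})\s+(?P<ver>\d+)\s+(?P<asn>\d+)(?:\s+\d+){5}"
    r"\s+(?P<updown>\S+)\s+(?P<state>.+?)\s*$")

# A route line: status code(s), a network (with or without /len), then a next
# hop. Requiring the next hop skips continuation lines that have no network.
ROUTE_RE = re.compile(
    r"^\s*[*r]\S*\s+(?P<net>\d+(?:\.\d+){3}(?:/\d+)?)\s+\d+(?:\.\d+){3}\s")


def parse_bgp_summary(text: str) -> List[Peer]:
    peers = []
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line)
        if not m:
            continue
        state = m.group("state")
        established = state.isdigit()   # a count in the last column means Established
        peers.append(Peer(m.group("addr"), int(m.group("asn")), m.group("updown"),
                          "Established" if established else state,
                          int(state) if established else None))
    return peers


def advertised_prefixes(text: str) -> List[str]:
    return [m.group("net") for line in text.splitlines() if (m := ROUTE_RE.match(line))]


def check_peers(peers: List[Peer], expected: Dict[str, int]) -> List[str]:
    """expected maps peer address -> number of prefixes it should send us.
    Returns human-readable findings; an empty list means everything is as designed."""
    findings = []
    seen = {p.address: p for p in peers}
    for addr, want in expected.items():
        p = seen.get(addr)
        if p is None:
            findings.append(f"{addr}: not present in summary")
        elif p.state != "Established":
            findings.append(f"{addr}: session is {p.state}, not Established")
        elif p.prefixes_received != want:
            findings.append(f"{addr}: receiving {p.prefixes_received} prefixes, expected {want}")
    for addr, p in seen.items():
        if addr not in expected:
            findings.append(f"{addr}: unexpected peer in AS {p.remote_as} ({p.state})")
    return findings


def check_advertised(text: str, allowed: set) -> List[str]:
    """Anything we announce that is not in 'allowed' is a route leak."""
    return [f"leaked prefix {net}" for net in advertised_prefixes(text) if net not in allowed]


if __name__ == "__main__":
    for f in check_peers(parse_bgp_summary(SAMPLE_SUMMARY), {"10.10.10.1": 1, "11.11.11.1": 1}):
        print("summary:", f)
    for f in check_advertised(LEAKY_ADVERTISED, {"99.99.99.99/32"}):
        print("advertised:", f)
```

Feed it the real output (for example captured over SSH) and alert on any non-empty findings list; the expected prefix count of 1 per peer is specific to this design, where each ISP router sends only a default route.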
The last part is tuning things so that one line is primary and the other backup. At the moment nothing controls the two links: the default route that wins is simply whichever path has been up the longest!
The first stage is to make sure we send traffic out of the primary link. We will use local preference, though there are other ways, such as weight. This is done with a route-map applied inbound on the BGP neighbor:
prefix-list DG seq 5 permit 0.0.0.0/0
route-map OUTMAP permit 10
match ip address prefix-list DG
set local-preference 200
router bgp 65000
bgp log-neighbor-changes
address-family ipv4 unicast
neighbor 11.11.11.1 remote-as 111
neighbor 11.11.11.1 activate
neighbor 11.11.11.1 prefix-list MYIP out
neighbor 11.11.11.1 route-map OUTMAP in
We can verify it is working with the following output:
ciscoasa# show bgp 0.0.0.0/0
BGP routing table entry for 0.0.0.0/0, version 17
Paths: (2 available, best #1, table default)
Not advertised to any peer
111
11.11.11.1 from 11.11.11.1 (1.1.1.1)
Origin IGP, localpref 200, valid, external, best
111
10.10.10.1 from 10.10.10.1 (2.2.2.2)
Origin IGP, localpref 100, valid, external
Next we need to make sure traffic comes back to us over the same primary link. Since both links go to the same provider we could use MED, but a more reliable method is AS-path prepending, applied outbound on the backup neighbor:
prefix-list MYIP seq 5 permit 99.99.99.99/32
route-map BAKMAP permit 10
match ip address prefix-list MYIP
set as-path prepend 65000 65000
router bgp 65000
bgp log-neighbor-changes
address-family ipv4 unicast
neighbor 10.10.10.1 remote-as 111
neighbor 10.10.10.1 activate
neighbor 10.10.10.1 prefix-list MYIP out
neighbor 10.10.10.1 route-map BAKMAP out
This can be verified on the upstream router. R2 now prefers the iBGP path relayed by R1 (next hop 1.1.1.1, AS path 65000) over its own directly learned eBGP path carrying the prepended 65000 65000 65000, because AS-path length is compared before the eBGP-over-iBGP preference:
R2#sh ip bgp
BGP table version is 43, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
t secondary path,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
     Network          Next Hop            Metric LocPrf Weight Path
     0.0.0.0          0.0.0.0                  0                i
 *>i 99.99.99.99/32   1.1.1.1                  0    100      0 65000 i
 *                    10.10.10.2               0             0 65000 65000 65000 i
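Both policy changes on this page (the inbound local-preference on the primary peer and the outbound prepend on the backup peer) are decided by the same Cisco best-path algorithm, and it is worth seeing in one place why each one works and what happens without it. The model below is an added example, not code from the original post. The path attributes are transcribed from the show outputs above; the age values (which stand in for how long each path has been in the table) and the ASA's router ID as seen by R2 are assumptions, and the step list is simplified (no locally-originated, multipath or IGP-metric steps).

```python
"""Model of the Cisco BGP best-path decision, applied to the paths shown in the
outputs above. Added example; attributes come from the page's outputs, the
'age' values are constructed, and the step list is simplified."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Path:
    next_hop: str
    router_id: str          # originating router ID, shown in parentheses above
    as_path: List[int]
    weight: int = 0
    local_pref: int = 100   # Cisco default when the attribute is absent
    origin: int = 0         # 0 = IGP (i), 1 = EGP (e), 2 = incomplete (?)
    med: int = 0
    external: bool = True   # learned over eBGP (True) or iBGP (False)
    age: int = 0            # seconds the path has been known (constructed)


STEPS = ["weight", "local-pref", "as-path length", "origin", "MED",
         "eBGP over iBGP", "oldest path", "router ID"]


def sort_key(p: Path) -> Tuple:
    """Lower tuple wins; 'highest wins' attributes are negated. MED is compared
    unconditionally here, which is fine for this page because every path comes
    from AS 111 (Cisco only compares MED between paths from the same
    neighbouring AS unless bgp always-compare-med is set)."""
    return (-p.weight, -p.local_pref, len(p.as_path), p.origin, p.med,
            0 if p.external else 1, -p.age,
            tuple(int(o) for o in p.router_id.split(".")))


def best_path(paths: List[Path]) -> Path:
    return min(paths, key=sort_key)


def deciding_step(paths: List[Path]) -> str:
    """Walk the steps in order and report the one that left a single survivor,
    i.e. the attribute that actually chose the best path."""
    survivors = list(paths)
    for i, name in enumerate(STEPS):
        best_val = min(sort_key(p)[i] for p in survivors)
        survivors = [p for p in survivors if sort_key(p)[i] == best_val]
        if len(survivors) == 1:
            return name
    return "tie"


def default_route_before_policy():
    # show bgp 0.0.0.0/0 before OUTMAP: both paths localpref 100, AS path 111,
    # origin IGP, eBGP. R1's path is modelled as the older of the two.
    paths = [Path("11.11.11.1", "1.1.1.1", [111], age=224),
             Path("10.10.10.1", "2.2.2.2", [111], age=200)]
    return best_path(paths).next_hop, deciding_step(paths)


def default_route_after_localpref():
    # The same two paths after route-map OUTMAP set local-preference 200 on R1's.
    paths = [Path("11.11.11.1", "1.1.1.1", [111], local_pref=200, age=224),
             Path("10.10.10.1", "2.2.2.2", [111], local_pref=100, age=200)]
    return best_path(paths).next_hop, deciding_step(paths)


def r2_view_of_our_prefix(prepended: bool):
    # R2's table for 99.99.99.99/32: the iBGP path relayed by R1 (next-hop-self,
    # so next hop 1.1.1.1) and the direct eBGP path from the ASA. prepended=False
    # shows what R2 would pick if BAKMAP were not applied. The ASA router ID as
    # seen by R2 is assumed to be its BGP router identifier from show bgp summ.
    asa_path = [65000, 65000, 65000] if prepended else [65000]
    paths = [Path("1.1.1.1", "1.1.1.1", [65000], external=False, age=300),
             Path("10.10.10.2", "192.168.192.1", asa_path, external=True, age=300)]
    return best_path(paths).next_hop, deciding_step(paths)


if __name__ == "__main__":
    print("default route, no policy:        ", default_route_before_policy())
    print("default route, local-pref 200:   ", default_route_after_localpref())
    print("R2 -> 99.99.99.99/32, prepended: ", r2_view_of_our_prefix(True))
    print("R2 -> 99.99.99.99/32, no prepend:", r2_view_of_our_prefix(False))
```

The last case is the one to note: without the prepend, R2 would keep its direct eBGP path to the ASA purely on the eBGP-over-iBGP step, so return traffic would arrive on the backup link no matter what local-preference the ASA applied on its own side. Prepending moves the decision up to the AS-path-length step, which is evaluated earlier.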