在Cisco Nexus交换机上配置BGP中的disable-peer-as-check
简介
本文档介绍运行NX-OS操作系统的Cisco Nexus系列交换机的边界网关协议(BGP)中的disable-peer-as-check命令。
先决条件
要求
Cisco 建议您了解以下主题:
- Nexus NX-OS 软件。
- BGP路由协议。
使用的组件
本文档中的信息基于以下软件和硬件版本:
- Cisco Nexus 7000
- NXOS版本7.3(0)D1(1)
本文档不限于特定软件和硬件版本。本文档中的信息是从特定实验环境中的设备创建的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您的网络处于活动状态,请确保您了解所有命令的潜在影响。
配置
当网络前缀通告给eBGP对等体时,其自治系统(AS)始终在BGP的AS_PATH属性列表的最后一个前面附加。
默认情况下,基于Cisco Nexus NX-OS的交换机不向eBGP对等体通告网络前缀,其AS在BGP的网络前缀AS_PATH属性中已找到最后一个。
此行为与基于Cisco IOS®(和基于Cisco IOS®-XE)的路由器和交换机不同,即使对等体的AS已在网络前缀AS_PATH属性中,网络前缀仍会通告给eBGP对等体。
在这种情况下,BGP环路预防机制会丢弃接收方对等体上的网络前缀(默认)并触发类似于“由于以下原因而拒绝”的错误消息:AS-PATH仅在启用适当的调试时包含我们自己的AS”。
网络图
配置
| R1 - Cisco IOS® |
|---|
configure terminal ! hostname R1 ! interface Loopback0 ip address 10.255.255.1 255.255.255.255 ! interface GigabitEthernet0/1 ip address 10.1.2.1 255.255.255.0 no shutdown ! router bgp 64512 bgp log-neighbor-changes network 10.255.255.1 mask 255.255.255.255 neighbor 10.1.2.2 remote-as 65535 ! end |
| N7K-2 - Nexus NX-OS |
|---|
configure terminal
!
hostname N7K-2
!
feature bgp
!
interface Ethernet2/1
no switchport
ip address 10.1.2.2/24
no shutdown
interface Ethernet2/2
no switchport
ip address 10.2.3.2/24
no shutdown
!
router bgp 65535
address-family ipv4 unicast
neighbor 10.1.2.1
remote-as 64512
address-family ipv4 unicast
neighbor 10.2.3.3
remote-as 64512
address-family ipv4 unicast |
| R3 - Cisco IOS® |
|---|
configure terminal ! hostname R3 ! interface GigabitEthernet0/1 ip address 10.2.3.3 255.255.255.0 no shutdown ! router bgp 64512 bgp log-neighbor-changes neighbor 10.2.3.2 remote-as 65535 ! end |
验证
使用本部分可确认配置能否正常运行。
由于R3的AS(64512)在AS_PATH属性中最后找到,因此缺少disable-peer-as-check命令会阻止运行NX-OS的N7K-2向路由器R3通告前缀10.255.255.1/32。
当N7K-2将10.255.255.1/32通告给R3时,它在AS_PATH属性中最后包含AS 64512。
此AS 64512与R3中配置的AS相同。
| N7K-2 - Nexus NX-OS |
|---|
N7K-2# show bgp ipv4 unicast BGP routing table information for VRF default, address family IPv4 Unicast BGP table version is 17, local router ID is 10.1.2.2 Status: s-suppressed, x-deleted, S-stale, d-dampened, h-history, *-valid, >-best Path type: i-internal, e-external, c-confed, l-local, a-aggregate, r-redist, I-i njected Origin codes: i - IGP, e - EGP, ? - incomplete, | - multipath, & - backup Network Next Hop Metric LocPrf Weight Path *>e10.255.255.1/32 10.1.2.1 0 0 64512 i N7K-2# |
观察在R3上,debug命令debug bgp ipv4 unicast已启用。
为了进一步确认未收到路由,执行命令clear bgp ipv4 unicast * soft以强制再次交换路由。R3路由不接收该路由。
| R3 - Cisco IOS® |
|---|
R3#debug bgp ipv4 unicast |
必须在N7K-2上启用disable-peer-as-check命令,以便它可以向R3通告网络前缀。
| N7K-2 - Nexus NX-OS |
|---|
N7K-2# conf t Enter configuration commands, one per line. End with CNTL/Z. N7K-2(config)# router bgp 65535 N7K-2(config-router)# neighbor 10.2.3.3 N7K-2(config-router-neighbor)# address-family ipv4 unicast N7K-2(config-router-neighbor-af)# disable-peer-as-check N7K-2(config-router-neighbor-af)# |
在N7K-2上启用disable-peer-as-check后,路由将通告给R3,但被预期的BGP环路预防机制丢弃。
观察“由于以下原因而被拒绝:AS-PATH包含我们自己的AS”,在调试输出中可见。
| R3 - Cisco IOS® |
|---|
R3# *Jul 15 19:29:06.440: BGP(0): 10.2.3.2 rcv UPDATE w/ attr: nexthop 10.2.3.2, origin i, originator 0.0.0.0, merged path 65535 64512, AS_PATH , community , extended community , SSA attribute *Jul 15 19:29:06.442: BGPSSA ssacount is 0 *Jul 15 19:29:06.442: BGP(0): 10.2.3.2 rcv UPDATE about 10.255.255.1/32 -- DENIED due to: AS-PATH contains our own AS; R3# |
在本例中,另一个AS在AS_PATH属性中的最后一个前置,并使用route-map和set as-path prepend命令进行。现在,在R3的AS之前,AS_PATH中还有另一个AS。
AS_PATH列出65300 64512。
| N7K-2 - Nexus NX-OS |
|---|
configure terminal ! route-map TEST permit 10 set as-path prepend 65300 ! N7K-2# conf t Enter configuration commands, one per line. End with CNTL/Z. N7K-2(config)# router bgp 65535 N7K-2(config-router)# neighbor 10.1.2.1 N7K-2(config-router-neighbor)# address-family ipv4 unicast N7K-2(config-router-neighbor-af)# route-map TEST in N7K-2(config-router-neighbor-af)# N7K-2# N7K-2# show bgp ipv4 unicast BGP routing table information for VRF default, address family IPv4 Unicast BGP table version is 18, local router ID is 10.1.2.2 Status: s-suppressed, x-deleted, S-stale, d-dampened, h-history, *-valid, >-best Path type: i-internal, e-external, c-confed, l-local, a-aggregate, r-redist, I-injected Origin codes: i - IGP, e - EGP, ? - incomplete, | - multipath, & - backup Network Next Hop Metric LocPrf Weight Path *>e10.255.255.1/32 10.1.2.1 0 0 65300 64512 i N7K-2# |
观察N7K-2在本例中如何通告路由,而无需禁用对等检查。
| N7K-2 - Nexus NX-OS |
|---|
N7K-2# sh run bgp
!Command: show running-config bgp
!Time: Mon Jul 15 21:28:59 2019
version 7.3(0)D1(1)
feature bgp
router bgp 65535
address-family ipv4 unicast
neighbor 10.1.2.1
remote-as 64512
address-family ipv4 unicast
route-map TEST in
neighbor 10.2.3.3
remote-as 64512
address-family ipv4 unicast
N7K-2# |
请注意“由于以下原因而被拒绝:AS-PATH包含我们自己的AS”,如R3的调试输出所示。
| R3 - Cisco IOS® |
|---|
R3#show debug IP routing: BGP debugging is on for address family: IPv4 Unicast BGP updates debugging is on for address family: IPv4 Unicast R3# R3#clear bgp ipv4 unicast * soft R3# *Jul 15 21:33:11.309: BGP: 10.2.3.2 sending REFRESH_REQ(5) for afi/safi: 1/1, refresh code is 0 *Jul 15 21:33:12.312: BGP(0): 10.2.3.2 rcv UPDATE w/ attr: nexthop 10.2.3.2, origin i, originator 0.0.0.0, merged path 65535 65300 64512, AS_PATH , community , extended community , SSA attribute *Jul 15 21:33:12.313: BGPSSA ssacount is 0 *Jul 15 21:33:12.313: BGP(0): 10.2.3.2 rcv UPDATE about 10.255.255.1/32 -- DENIED due to: AS-PATH contains our own AS; R3# |
故障排除
本部分提供了可用于对配置进行故障排除的信息。
要确认BGP配置需要在NX-OS上使用disable-peer-as-check命令,请打开这些调试。
debug-filter bgp neighbor <eBGP_NEIGHBOR> debug-filter bgp prefix <ROUTE_TO_BE_ADVERTISED> debug bgp updates debug logfile <FILE_NAME>
请注意,类似于“10.2.3.3 10.255.255.1/32 path-id 1”的消息未发送到对等体,原因如下:通告AS”,当有重新发送路由的请求时生成。
| N7K-2 - Nexus NX-OS |
|---|
N7K-2# debug-filter bgp neighbor 10.2.3.3 |
完成后,使用以下命令禁用调试:
undebug all no debug-filter all clear debug logfile <FILE_NAME>
反馈