配置ASA邊界網關協定
目錄
簡介
本檔案介紹啟用邊界閘道通訊協定(BGP)(eBGP/iBGP)路由所需的步驟和其他問題。
必要條件
需求
思科建議您瞭解以下主題:
- 動態路由通訊協定
- Cisco BGP概觀
- BGP 個案研究
採用元件
本文檔基於運行Cisco ASA軟體版本9.16的Cisco Firepower 2100系列防火牆
本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除(預設)的組態來啟動。如果您的網路運作中,請確保您瞭解任何指令可能造成的影響。
背景資訊
本文還將介紹如何建立BGP路由進程、配置常規BGP引數、自適應安全裝置(ASA)上的路由過濾以及解決鄰居關係相關問題。此功能是在ASA軟體版本9.2.1中引入的。
准則和限制
- BGP在IPv4和IPv6地址系列的單模式和多模式中都受支援。
- 多重模式相當於Cisco IOS® BGP VPNv4(VPN路由和轉送(VRF)位址系列)。根據上下文路由器,BGP類似於在Cisco IOS中每個VRF IPv4地址系列。
- 所有情景僅支援一個自治系統(AS)編號,與Cisco IOS中所有地址系列的一個全域性AS相似。
-
不支援透明防火牆模式。僅在路由模式下支援BGP。
-
系統不會在CP路由表中新增通過PPPoE接收的IP地址的路由條目。BGP會始終檢視CP路由表以發起TCP會話,因此BGP不會形成TCP會話。因此,不支援使用PPPoE的BGP。
-
要避免因路由更新大於鏈路上的最小MTU而丟棄的路由更新導致的鄰接擺動,請確保在鏈路兩端的介面上配置相同的MTU。
-
成員單元的BGP表與控制單元表不同步。只有其路由表與控制單元路由表同步。
- 可以使用router bgp <as_num>命令設定AS編號,可使用命令啟用每個內容位址系列。
- BGP有六個進程支援所有情景,詳細資訊可用於show process命令。這些進程包括BGP任務、BGP排程程式、BGP掃描器、BGP路由器、BGP I/O和BGP事件。
ASA-1(config)# show proc | in BGP
Mwe 0x00000000010120d0 0x00007ffecc8ca5c8 0x0000000006136380
0 0x00007ffecc8c27c0 29432/32768 BGP Task
Mwe 0x0000000000fb3acd 0x00007ffecba47b48 0x0000000006136380
11 0x00007ffecba3fd00 31888/32768 BGP Scheduler
Lwe 0x0000000000fd3e40 0x00007ffecd3373e8 0x0000000006136380
26 0x00007ffecd32f5f0 30024/32768 BGP Scanner
Mwe 0x0000000000fd70b9 0x00007ffecd378cd8 0x0000000006136380
10 0x00007ffecd370eb0 28248/32768 BGP Router
Mwe 0x0000000000fc9f84 0x00007ffecd32f3e8 0x0000000006136380
2 0x00007ffecd3275a0 30328/32768 BGP I/O
Mwe 0x000000000100c125 0x00007ffecd33f458 0x0000000006136380
0 0x00007ffecd337640 32032/32768 BGP Event - 系統上下文具有所有上下文的通用全域性配置,類似於具有所有地址系列的全域性配置的Cisco IOS。
- 控制最佳路徑計算、記錄鄰居、TCP路徑最大轉換單元(MTU)發現、保持連線的全域性計時器、保持時間等的配置在路由器BGP命令模式下的系統上下文中可用。
- BGP策略命令支援位於每個使用者的地址系列模式上下文下。
- 支援所有標準社群和路徑屬性。
- 使用靜態null0路由配置支援遠端觸發黑洞(RTBH)。
- 下一跳資訊已新增到網路處理器(NP)中的輸入路由表中。以前,這隻可用於輸出路由表。完成此更改是為了支援將BGP路由新增到NP轉發表中(由於BGP路由在CP中沒有標識的出口介面,因此無法確定使用哪個輸出路由表更新下一跳資訊)。
- 支援遞迴路由查詢。
- 支援使用其他協定(如連線、靜態、路由資訊協定(RIP)、開放最短路徑優先(OSPF)和增強型內部網關路由協定(EIGRP))進行重分發。
- no router bgp <as_no> [with confirmation prompt]命令刪除所有情景中的BGP配置。
- 路由控制資料庫(例如路由對映、訪問清單、字首清單、社群清單和as-path訪問清單)根據環境進行虛擬化並提供。
- 引入了新命令show asp table routing address <addr> resolved,以便在NP轉發表中顯示遞迴解析的BGP路由。
- 為了顯示系統情景BGP配置,在多模式下引入了新命令show bgp system-config。
-
適用於BGP流量的回送介面支援
-
適用於IPv6的BGP支援
-
適用於通告對映的BGP支援
-
適用於ASA集群的BGP支援
-
IPv6支援平穩重啟
BGP和記憶體使用情況
show route summary命令用於獲取各個路由協定的記憶體使用情況。
BGP和容錯移轉
- 主用/備用和主用/主用HA配置支援BGP。
- 只有活動單元在TCP埠179上偵聽來自對等體的BGP連線。
- 備用單元不參與BGP對等,因此不會偵聽TCP埠179,也不會維護BGP表。
- BGP路由新增和刪除操作將從主用裝置複製到備用裝置。
- 故障切換時,新的主用裝置會偵聽TCP埠179並啟動與對等體的BGP鄰接建立。
- 如果不使用無中斷轉發(NSF),則建立鄰接關係需要時間在故障轉移後再次與對等體建立鄰接關係,在此過程中不會從對等體獲取BGP路由。這取決於ASA通過恢復響應的對等裝置的下一個BGP keepalive(預設60秒),這將導致對等裝置端舊連線終止,然後建立下一個新連線。
- 在BGP重新融合期間,新的主用裝置將繼續使用以前複製的路由轉發流量。
- BGP重新收斂計時器週期當前設定為210秒(show route failover命令顯示計時器值),以便給BGP足夠的時間建立鄰接關係並與其對等體交換路由。
- BGP重新收斂計時器到期後,所有過時的BGP路由都會從路由資訊庫(RIB)中清除。
- BGP路由器ID從主用裝置同步到備用裝置。在備用裝置上禁用BGP路由器ID計算。
- 強烈建議不要使用write standby命令,因為在這種情況下不會發生批次同步,這會導致備用上的動態路由丟失。
遞迴路由解析
- BGP路由的出口介面資訊在CP中不可用(這是因為BGP鄰居與其他路由協定不同,可以相隔多跳)。
- 包含下一跳資訊的BGP路由會新增到NP輸入路由表中,但尚未解析這些路由。
- 當與BGP路由字首匹配的流的第一個資料包在慢速路徑中進入ASA時,將解析路由,並且遞迴地查詢NP輸入路由表來確定出口介面。
- 無論何時路由表更改(來自CP),環境特定的路由表時間戳都會遞增。
- 當與BGP路由匹配的流的下一個資料包在快速路徑中進入ASA時,ASA將路由條目的時間戳與情景特定的路由表時間戳進行比較。如果兩個時間戳不匹配,將再次啟動遞迴路由解析過程,並將路由條目時間戳更新為與路由表時間戳相同。您可以使用show asp table routing命令驗證時間戳。show asp table routing address <route>命令顯示特定路由條目的時間戳,show asp table routing命令顯示路由表時間戳。
- 當您輸入show asp table routing address <addr> resolved命令時,可以強制進行目標字首的遞迴路由解析過程。
- 遞迴路由查詢的深度當前限製為四個。需要在4次之後查詢的資料包被丟棄,丟棄原因為「沒有到主機的路由(無路由)」,並且遞迴查詢失敗沒有特殊的丟棄原因。
- 只有BGP路由(不是靜態路由)支援遞迴路由解析。
BGP有限狀態機操作
BGP對等體在成為相鄰鄰居並交換路由資訊之前經過多個狀態轉換。在每種狀態下,對等體必須傳送和接收消息、處理消息資料並初始化資源,才能繼續進入下一個狀態。此程式稱為BGP有限狀態機(FSM)。如果進程在任何時候失敗,會話會被關閉,對等體都會轉換回「空閒」狀態並再次開始進程。每次關閉會話時,都會從表中刪除來自未啟動的對等方的所有路由,從而導致停機。
- IDLE - ASA搜尋路由表,以檢視是否存在到達鄰居的路由。
- CONNECT - ASA找到通往鄰居的路由,並且已完成三向TCP握手。
- ACTIVE - ASA未收到有關建立引數的協定。
- OPEN SENT — 傳送Open消息,其中包含BGP會話的引數。
- OPEN CONFIRM - ASA已收到建立會話的引數協定。
- ESTABLISHED — 建立對等並開始路由。
設定
eBGP組態
BGP在不同的自治系統中的路由器之間運行。預設情況下,在eBGP(兩個不同的自治系統(AS)中的對等點)中,IP TTL設定為1,這表示對等點會假設為直接連線。在這種情況下,當封包經過一個路由器時,TTL會變為0,之後封包會被捨棄。如果兩個鄰居沒有直接連線(例如,與環回介面對等或在裝置有多個躍點距離時進行對等),則需要新增neighbor x.x.x.x ebgp-multihop <TTL>命令。否則,無法建立BGP鄰居關係。此外,eBGP對等體會通告其知道或已從其對等體(無論是eBGP對等體還是iBGP對等體)獲知的所有最佳路由,iBGP的情況並非如此。
網路圖表
ASA-1配置
router bgp 100
bgp log-neighbor-changes
bgp bestpath compare-routerid
address-family ipv4 unicast
neighbor 203.0.113.2 remote-as 200
neighbor 203.0.113.2 activate
network 192.168.10.0 mask 255.255.255.0
network 172.16.20.0 mask 255.255.255.0
network 10.106.44.0 mask 255.255.255.0
no auto-summary
no synchronization
exit-address-family
!
ASA-2配置
router bgp 200
bgp log-neighbor-changes
bgp bestpath compare-routerid
address-family ipv4 unicast
neighbor 203.0.113.1 remote-as 100
neighbor 203.0.113.1 activate
network 10.10.10.0 mask 255.255.255.0
network 10.180.10.0 mask 255.255.255.0
network 172.16.30.0 mask 255.255.255.0
no auto-summary
no synchronization
exit-address-family
!
iBGP組態
在iBGP中,沒有鄰居必須直接連線的限制。但是,iBGP對等體無法將其從iBGP對等體學習的字首通告給另一個iBGP對等體。之所以存在此限制,是為了避免同一AS內的環路。為了澄清這一點,當路由傳遞到eBGP對等體時,本地AS編號將新增到as-path的字首中,因此,如果我們收到相同的資料包返回,表明我們在as-path中的AS,則知道它是循環,該資料包將被丟棄。但是,當路由通告給iBGP對等體時,不會將本地AS編號新增到as-path,因為對等體在同一個AS中。
網路圖表
ASA-1配置
router bgp 100
bgp log-neighbor-changes
bgp bestpath compare-routerid
address-family ipv4 unicast
neighbor 203.0.113.2 remote-as 100
neighbor 203.0.113.2 activate
network 192.168.10.0 mask 255.255.255.0
network 172.16.20.0 mask 255.255.255.0
network 10.106.44.0 mask 255.255.255.0
no auto-summary
no synchronization
exit-address-family
!
ASA-2配置
router bgp 100
bgp log-neighbor-changes
bgp bestpath compare-routerid
address-family ipv4 unicast
neighbor 203.0.113.1 remote-as 100
neighbor 203.0.113.1 activate
network 10.10.10.0 mask 255.255.255.0
network 10.180.10.0 mask 255.255.255.0
network 172.16.30.0 mask 255.255.255.0
no auto-summary
no synchronization
exit-address-family
!
eBGP和iBGP之間的差異
- eBGP在兩個不同的AS之間對等,而iBGP在同一個AS之間。
- 從eBGP對等體獲知的路由會通告給其他對等體(eBGP或iBGP)。但是,從iBGP對等體獲知的路由不會通告給其他iBGP對等體。
- 預設情況下,eBGP對等體設定為TTL = 1,這意味著鄰居被假定為直接連線,而iBGP的情況則不同。若要變更eBGP的此行為,請輸入neighbor x.x.x.x ebgp-multihop <TTL>命令。「多重躍點」是僅用於eBGP中的術語。
- eBGP路由的管理距離為20,而iBGP為200。
- 當路由通告給iBGP對等體時,下一跳保持不變。但是,在預設情況下將其通告到eBGP對等體時,會對其進行更改。
eBGP-Multihop
一個具有BGP鄰居的ASA與另一個相距一跳的ASA相連。對於鄰居關係,您需要確保鄰居之間具有連通性。Ping以確認連線。確保在裝置之間的兩個方向上都允許TCP埠179。
ASA-1配置
router bgp 100
bgp log-neighbor-changes
bgp bestpath compare-routerid
address-family ipv4 unicast
neighbor 198.51.100.1 remote-as 200
neighbor 198.51.100.1 ebgp-multihop 2
neighbor 198.51.100.1 activate
network 192.168.10.0 mask 255.255.255.0
network 10.106.44.0 mask 255.255.255.0
network 172.16.20.0 mask 255.255.255.0
no auto-summary
no synchronization
exit-address-family
!
ASA-2配置
router bgp 200
bgp log-neighbor-changes
bgp bestpath compare-routerid
address-family ipv4 unicast
neighbor 203.0.113.1 remote-as 100
neighbor 203.0.113.1 ebgp-multihop 2
neighbor 203.0.113.1 activate
network 10.10.10.0 mask 255.255.255.0
network 10.180.10.0 mask 255.255.255.0
network 172.16.30.0 mask 255.255.255.0
no auto-summary
no synchronization
exit-address-family
!
BGP路由過濾
透過BGP,您可以控制傳送和接收的路由更新。在本示例中,對於ASA-2之後的網路字首172.16.30.0/24,路由更新被阻止。對於路由過濾,您只能使用標準ACL。
access-list bgp-in line 1 standard deny 172.16.30.0 255.255.255.0
access-list bgp-in line 2 standard permit any4
router bgp 100
bgp log-neighbor-changes
bgp bestpath compare-routerid
address-family ipv4 unicast
neighbor 203.0.113.2 remote-as 200
neighbor 203.0.113.2 activate
network 192.168.10.0 mask 255.255.255.0
network 172.16.20.0 mask 255.255.255.0
network 10.106.44.0 mask 255.255.255.0
distribute-list bgp-in in
no auto-summary
no synchronization
exit-address-family
!
檢驗路由表。
ASA-1(config)# show bgp cidr-only
BGP table version is 6, local router ID is 203.0.113.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 10.10.10.0/24 203.0.113.2 0 0 200 i
*> 10.106.44.0/24 0.0.0.0 0 32768 i
*> 10.180.10.0/24 203.0.113.2 0 0 200 i
*> 172.16.20.0/24 0.0.0.0 0 32768 i
*> 192.168.10.0/16 0.0.0.0 0 32768 i
驗證存取控制清單(ACL)命中次數。
ASA-1(config)# show access-list bgp-in
access-list bgp-in; 2 elements; name hash: 0x3f99de19
access-list bgp-in line 1 standard deny 172.16.30.0 255.255.255.0 (hitcnt=1) 0xb5abad25
access-list bgp-in line 2 standard permit any4 (hitcnt=4) 0x59d08160
同樣地,您可以使用ACL來過濾distribute-list命令中隨外傳送的內容。
多情景中的ASA BGP配置
多情景中支援BGP。在多情景的情況下,您首先需要在系統情景中定義BGP路由器進程。如果您嘗試建立一個BGP進程而不在系統上下文中定義它,您將收到此錯誤。
ASA-1/admin(config)# router bgp 100
%BGP process cannot be created in non-system context
ERROR: Unable to create router process
First we Need to define it in system context.
ASA-1/admin(config)#changeto context system
ASA-1(config)# router bgp 100
ASA-1(config-router)#exit
Now create bgp process in admin context.
ASA-1(config)#changeto context admin
ASA-1/admin(config)# router bgp 100
ASA-1/admin(config-router)#
驗證
驗證eBGP鄰居關係
驗證埠179上的TCP連線。
ASA-1(config)# show asp table socket
Protocol Socket State Local Address Foreign Address
SSL 00001478 LISTEN 172.16.20.1:443 0.0.0.0:*
TCP 000035e8 LISTEN 203.0.113.1:179 0.0.0.0:*
TCP 00005cd8 ESTAB 203.0.113.1:44368 203.0.113.2:179
SSL 00006658 LISTEN 10.106.44.221:443 0.0.0.0:*
顯示BGP鄰居。
ASA-1(config)# show bgp neighbors
BGP neighbor is 203.0.113.2, context single_vf, remote AS 200, external link >> eBGP
BGP version 4, remote router ID 203.0.113.2
BGP state = Established, up for 00:04:42
Last read 00:00:13, last write 00:00:17, hold time is 180, keepalive interval is
60 seconds
Neighbor sessions:
1 active, is not multisession capable (disabled)
Neighbor capabilities:
Route refresh: advertised and received(new)
Four-octets ASN Capability: advertised and received
Address family IPv4 Unicast: advertised and received
Multisession Capability:
Message statistics:
InQ depth is 0
OutQ depth is 0
Sent Rcvd
Opens: 1 1
Notifications: 0 0
Updates: 2 2
Keepalives: 5 5
Route Refresh: 0 0
Total: 8 8
Default minimum time between advertisement runs is 30 seconds
For address family: IPv4 Unicast
Session: 203.0.113.2
BGP table version 7, neighbor version 7/0
Output queue size : 0
Index 1
1 update-group member
Sent Rcvd
Prefix activity: ---- ----
Prefixes Current: 3 3 (Consumes 240 bytes)
Prefixes Total: 3 3
Implicit Withdraw: 0 0
Explicit Withdraw: 0 0
Used as bestpath: n/a 3
Used as multipath: n/a 0
Outbound Inbound
Local Policy Denied Prefixes: -------- -------
Bestpath from this peer: 3 n/a
Total: 3 0
Number of NLRIs in the update sent: max 3, min 0
Address tracking is enabled, the RIB does have a route to 203.0.113.2
Connections established 1; dropped 0
Last reset never
Transport(tcp) path-mtu-discovery is enabled
Graceful-Restart is disabled
BGP路由
ASA-1配置
ASA-1(config)# show route bgp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 10.106.44.1 to network 0.0.0.0
B 10.10.10.0 255.255.255.0 [20/0] via 203.0.113.2, 00:05:48
B 10.180.10.0 255.255.255.0 [20/0] via 203.0.113.2, 00:05:48
B 172.16.30.0 255.255.255.0 [20/0] via 203.0.113.2, 00:05:48
ASA-2配置
ASA-2# show route bgp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set
B 10.106.44.0 255.255.255.0 [20/0] via 203.0.113.1, 00:36:32
B 172.16.20.0 255.255.255.0 [20/0] via 203.0.113.1, 00:36:32
B 192.168.10.0 255.255.255.0 [20/0] via 203.0.113.1, 00:36:32
要檢視特定ASA的路由,請輸入show route bgp <AS-No.>命令。
ASA-1(config)# show route bgp ?
exec mode commands/options:
100 Autonomous system number
| Output modifiers
<cr>
特定eBGP路由詳細資訊
ASA-1(config)# show route 172.16.30.0
Routing entry for 172.16.30.0 255.255.255.0
Known via "bgp 100", distance 20, metric 0
Tag 200, type external
Last update from 203.0.113.2 0:09:43 ago
Routing Descriptor Blocks:
* 203.0.113.2, from 203.0.113.2, 0:09:43 ago
Route metric is 0, traffic share count is 1
AS Hops 1-----------------------------------> ASA HOP is one
Route tag 200
MPLS label: no label string provided
ASA-1(config)# show bgp cidr-only
BGP table version is 7, local router ID is 203.0.113.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 10.10.10.0/24 203.0.113.2 0 0 200 i
*> 10.106.44.0/24 0.0.0.0 0 32768 i
*> 10.180.10.0/24 203.0.113.2 0 0 200 i
*> 172.16.20.0/24 0.0.0.0 0 32768 i
*> 172.16.30.0/24 203.0.113.2 0 0 200 i
BGP摘要
ASA-1(config)# show bgp summary
BGP router identifier 203.0.113.1, local AS number 100
BGP table version is 7, main routing table version 7
6 network entries using 1200 bytes of memory
6 path entries using 480 bytes of memory
2/2 BGP path/bestpath attribute entries using 416 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 2120 total bytes of memory
BGP activity 6/0 prefixes, 6/0 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
203.0.113.2 4 200 16 17 7 0 0 00:14:19 3
ASA-1(config)# show route summary
IP routing table maximum-paths is 3
Route Source Networks Subnets Replicates Overhead Memory (bytes)
connected 0 8 0 704 2304
static 2 5 0 616 2016
ospf 1 0 0 0 0 0
Intra-area: 0 Inter-area: 0 External-1: 0 External-2: 0
NSSA External-1: 0 NSSA External-2: 0
bgp 100 0 3 0 264 864
External: 3 Internal: 0 Local: 0
internal 7 3176
Total 9 16 0 1584 8360
驗證iBGP鄰居關係
ASA-1(config)# show bgp neighbors
BGP neighbor is 203.0.113.2, context single_vf, remote AS 100, internal link >> iBGP
BGP version 4, remote router ID 203.0.113.2
BGP state = Established, up for 00:02:19
Last read 00:00:13, last write 00:00:17, hold time is 180, keepalive interval is
60 seconds
Neighbor sessions:
1 active, is not multisession capable (disabled)
Neighbor capabilities:
Route refresh: advertised and received(new)
Four-octets ASN Capability: advertised and received
Address family IPv4 Unicast: advertised and received
Multisession Capability:
Message statistics:
InQ depth is 0
OutQ depth is 0
Sent Rcvd
Opens: 1 1
Notifications: 0 0
Updates: 2 2
Keepalives: 5 5
Route Refresh: 0 0
Total: 8 8
Default minimum time between advertisement runs is 30 seconds
For address family: IPv4 Unicast
Session: 203.0.113.2
BGP table version 7, neighbor version 7/0
Output queue size : 0
Index 1
1 update-group member
Sent Rcvd
Prefix activity: ---- ----
Prefixes Current: 3 3 (Consumes 240 bytes)
Prefixes Total: 3 3
Implicit Withdraw: 0 0
Explicit Withdraw: 0 0
Used as bestpath: n/a 3
Used as multipath: n/a 0
Outbound Inbound
Local Policy Denied Prefixes: -------- -------
Bestpath from this peer: 3 n/a
Total: 3 0
Number of NLRIs in the update sent: max 3, min 0
Address tracking is enabled, the RIB does have a route to 203.0.113.2
Connections established 1; dropped 0
Last reset never
Transport(tcp) path-mtu-discovery is enabled
Graceful-Restart is disabled
特定iBGP路由詳細資訊
ASA-1(config)# show route 172.16.30.0
Routing entry for 172.16.30.0 255.255.255.0
Known via "bgp 100", distance 20, metric 0, type internal
Last update from 203.0.113.2 0:07:05 ago
Routing Descriptor Blocks:
* 203.0.113.2, from 203.0.113.2, 0:07:05 ago
Route metric is 0, traffic share count is 1
AS Hops 0 -------------------->> ASA HOP is 0 as it's internal route
MPLS label: no label string provided
BGP封包的TTL值
預設情況下,BGP鄰居必須直接連線。這是因為BGP封包的TTL值一律為1(預設值)。因此,如果BGP鄰居沒有直接連線,您需要定義BGP多跳值,該值取決於整個路徑中的跳數。
以下是直連的TTL值案例範例:
ASA-1(config)#show cap bgp detail
5: 06:30:19.789769 6c41.6a1f.25e3 a0cf.5b5c.5060 0x0800 Length: 70
203.0.113.1.44368 > 203.0.113.2.179: S [tcp sum ok] 3733850223:3733850223(0)
win 32768 <mss 1460,nop,nop,timestamp 15488246 0> (DF) [tos 0xc0] [ttl 1] (id 62822)
6: 06:30:19.792286 a0cf.5b5c.5060 6c41.6a1f.25e3 0x0800 Length: 58
203.0.113.22.179 > 203.0.113.1.44368: S [tcp sum ok] 1053711883:1053711883(0)
ack 3733850224 win 16384 <mss 1360> [tos 0xc0] [ttl 1] (id 44962)
7: 06:30:19.792302 6c41.6a1f.25e3 a0cf.5b5c.5060 0x0800 Length: 54
203.0.113.1.44368 > 203.0.113.22.179: . [tcp sum ok] 3733850224:3733850224(0)
ack 1053711884 win 32768 (DF) [tos 0xc0] [ttl 1] (id 52918)
如果鄰居沒有直接連線,則需要輸入bgp multihop命令,以定義鄰居要增加IP報頭中TTL值的HOPS數量。
以下範例顯示多重躍點情況下的TTL值(在此案例中,BGP鄰居是1個躍點以外的):
ASA-1(config)#show cap bgp detail
5: 13:10:04.059963 6c41.6a1f.25e3 a0cf.5b5c.5060 0x0800 Length: 70
203.0.113.1.63136 > 198.51.100.1.179: S [tcp sum ok] 979449598:979449598(0)
win 32768 <mss 1460,nop,nop,timestamp 8799571 0> (DF) [tos 0xc0] (ttl 2, id 62012)
6: 13:10:04.060681 a0cf.5b5c.5060 6c41.6a1f.25e3 0x0800 Length: 70 198.51.100.1.179 >
203.0.113.1.63136: S [tcp sum ok] 0:0(0) ack 979449599 win 32768 <mss 1460,nop,nop,
timestamp 6839704 8799571> (DF) [tos 0xac] [ttl 1] (id 60372)
7: 13:10:04.060696 6c41.6a1f.25e3 a0cf.5b5c.5060 0x0800 Length: 66
203.0.113.1.63136 >198.51.100.1.179: . [tcp sum ok] 979449599:979449599(0) ack 1
win 32768 <nop,nop,timestamp 8799571 6839704> (DF) [tos 0xc0] (ttl 2, id 53699)
遞迴路由解析過程
ASA-1(config)# show asp table routing
route table timestamp: 66
in 255.255.255.255 255.255.255.255 identity
in 203.0.113.1 255.255.255.255 identity
in 203.0.113.254 255.255.255.255 via 10.13.14.4, outside
in 192.0.2.78 255.255.255.255 via 10.16.17.4, DMZ
in 192.168.0.1 255.255.255.255 identity
in 172.16.20.1 255.255.255.255 identity
in 10.106.44.190 255.255.255.255 identity
in 10.10.10.0 255.255.255.0 via 203.0.113.2, outside (resolved, timestamp: 66)
in 172.16.30.0 255.255.255.0 via 203.0.113.2, outside (resolved, timestamp: 64)
in 10.180.10.0 255.255.255.0 via 203.0.113.2, outside (resolved, timestamp: 65)
in 203.0.113.0 255.255.255.0 outside
in 172.16.10.0 255.255.255.0 via 10.13.14.4, outside
in 192.168.10.0 255.255.255.0 via 10.13.14.20, outside
in 192.168.20.0 255.255.255.0 via 10.16.17.4, DMZ
in 172.16.20.0 255.255.255.0 inside
in 10.106.44.0 255.255.255.0 management
in 192.168.0.0 255.255.0.0 DMZ
ASA BGP和平滑重啟功能
BGP support for nonstop forwarding We added support for BGP Nonstop Forwarding. We introduced the following new commands: bgp graceful-restart, neighbor ha-mode graceful-restart
疑難排解
- 進行配置後,您需要確保兩台裝置都有連線。檢驗ICMP和TCP埠179的連線。
- 如果BGP對等點沒有直接連線,請確保您已設定eBGP多重躍點。
- 如果連線正確,在show asp table socket命令輸出中,TCP套接字可以處於ESTAB狀態。
ASA-1(config)# show asp table socket
Protocol Socket State Local Address Foreign Address
SSL 00001478 LISTEN 172.16.20.1:443 0.0.0.0:*
TCP 000035e8 LISTEN 203.0.113.1:179 0.0.0.0:*
TCP 00005cd8 ESTAB 203.0.113.1:44368 203.0.113.2:179
SSL 00006658 LISTEN 10.106.44.221:443 0.0.0.0:* - 進行三次握手後,兩個對等體都會交換BGP OPEN消息並協商引數。
- 引數交換後,兩個對等體都使用BGP UPDATE消息交換路由資訊。
%ASA-7-609001: Built local-host identity:203.0.113.1
%ASA-7-609001: Built local-host outside:203.0.113.2
%ASA-6-302013: Built outbound TCP connection 14 for outside:203.0.113.2/179
(203.0.113.2/179) to identity:203.0.113.1/43790 (203.0.113.1/43790)
%ASA-3-418018: neighbor 203.0.113.2 Up
如果即使在TCP三次成功握手之後仍未形成鄰居關係,則問題出在BGP FSM上。從ASA收集資料包捕獲和系統日誌,並驗證您遇到問題的狀態。
偵錯
輸入debug ip bgp命令以排解與鄰居關係和路由更新相關的問題。
ASA-1(config)# debug ip bgp ?
exec mode commands/options:
A.B.C.D BGP neighbor address
events BGP events
in BGP Inbound information
ipv4 Address family
keepalives BGP keepalives
out BGP Outbound information
range BGP dynamic range
rib-filter Next hop route watch filter events
updates BGP updates
<cr>
輸入debug ip bgp events命令以排解與鄰居關係相關的問題。
BGP: 203.0.113.2 active went from Idle to Active
BGP: 203.0.113.2 open active, local address 203.0.113.1
BGP: ses global 203.0.113.2 (0x00007ffec085c590:0) act Adding topology IPv4 Unicast:base
BGP: ses global 203.0.113.2 (0x00007ffec085c590:0) act Send OPEN
BGP: 203.0.113.2 active went from Active to OpenSent
BGP: 203.0.113.2 active sending OPEN, version 4, my as: 100, holdtime 180 seconds,
ID cb007101
BGP: 203.0.113.2 active rcv message type 1, length (excl. header) 34
BGP: ses global 203.0.113.2 (0x00007ffec085c590:0) act Receive OPEN
BGP: 203.0.113.2 active rcv OPEN, version 4, holdtime 180 seconds
BGP: 203.0.113.2 active rcv OPEN w/ OPTION parameter len: 24
BGP: 203.0.113.2 active rcvd OPEN w/ optional parameter type 2 (Capability) len 6
BGP: 203.0.113.2 active OPEN has CAPABILITY code: 1, length 4
BGP: 203.0.113.2 active OPEN has MP_EXT CAP for afi/safi: 1/1
BGP: 203.0.113.2 active rcvd OPEN w/ optional parameter type 2 (Capability) len 2
BGP: 203.0.113.2 active OPEN has CAPABILITY code: 128, length 0
BGP: 203.0.113.2 active OPEN has ROUTE-REFRESH capability(old) for all address-families
BGP: 203.0.113.2 active rcvd OPEN w/ optional parameter type 2 (Capability) len 2
BGP: 203.0.113.2 active OPEN has CAPABILITY code: 2, length 0
BGP: 203.0.113.2 active OPEN has ROUTE-REFRESH capability(new) for all address-families
BGP: 203.0.113.2 active rcvd OPEN w/ optional parameter type 2 (Capability) len 6
BGP: 203.0.113.2 active OPEN has CAPABILITY code: 65, length 4
BGP: 203.0.113.2 active OPEN has 4-byte ASN CAP for: 200
BGP: 203.0.113.2 active rcvd OPEN w/ remote AS 200, 4-byte remote AS 200
BGP: 203.0.113.2 active went from OpenSent to OpenConfirm
BGP: 203.0.113.2 active went from OpenConfirm to Established
輸入debug ip bgp updates命令以排解路由更新相關的問題。
BGP: TX IPv4 Unicast Mem global 203.0.113.2 Changing state from DOWN to WAIT
(pending advertised bit allocation).
BGP: TX IPv4 Unicast Grp global 4 Created.
BGP: TX IPv4 Unicast Wkr global 4 Cur Blocked (not in list).
BGP: TX IPv4 Unicast Wkr global 4 Ref Blocked (not in list).
BGP: TX IPv4 Unicast Rpl global 4 1 Created.
BGP: TX IPv4 Unicast Rpl global 4 1 Net bitfield index 0 allocated.
BGP: TX IPv4 Unicast Mem global 4 1 203.0.113.2 Added to group (now has 1 members).
BGP: TX IPv4 Unicast Mem global 4 1 203.0.113.2 Staying in WAIT state
(current walker waiting for net prepend).
BGP: TX IPv4 Unicast Top global Start net prepend.
BGP: TX IPv4 Unicast Top global Inserting initial marker.
BGP: TX IPv4 Unicast Top global Done net prepend (0 attrs).
BGP: TX IPv4 Unicast Grp global 4 Starting refresh after prepend completion.
BGP: TX IPv4 Unicast Wkr global 4 Cur Start at marker 1.
BGP: TX IPv4 Unicast Grp global 4 Message limit changed from 100 to 1000 (used 0 + 0).
BGP: TX IPv4 Unicast Wkr global 4 Cur Unblocked
BGP: TX IPv4 Unicast Mem global 4 1 203.0.113.2 Changing state from WAIT to ACTIVE
(ready).
BGP: TX IPv4 Unicast Mem global 4 1 203.0.113.2 No refresh required.
BGP: TX IPv4 Unicast Top global Collection done on marker 1 after 0 net(s).
BGP(0): 203.0.113.2 rcvd UPDATE w/ attr: nexthop 203.0.113.2, origin i, metric 0,
merged path 200, AS_PATH
BGP(0): 203.0.113.2 rcvd 10.10.10.0/24
BGP(0): 203.0.113.2 rcvd 172.16.30.0/24
BGP(0): 203.0.113.2 rcvd 10.180.10.0/24-----------------> Routes rcvd from peer
BGP: TX IPv4 Unicast Net global 10.10.10.1/32 Changed.
BGP: TX IPv4 Unicast Net global 172.16.30.0/24 Changed.
BGP: TX IPv4 Unicast Net global 10.180.10.0/24 Changed.
BGP(0): Revise route installing 1 of 1 routes for 10.10.10.0 255.255.255.0 ->
203.0.113.2(global) to main IP table
BGP: TX IPv4 Unicast Net global 10.10.10.0/24 RIB done.
BGP(0): Revise route installing 1 of 1 routes for 172.16.30.0 255.255.255.0 ->
203.0.113.2(global) to main IP table
BGP: TX IPv4 Unicast Net global 172.16.30.0/24 RIB done.
BGP(0): Revise route installing 1 of 1 routes for 10.180.10.0 255.255.255.0 ->
203.0.113.2(global) to main IP table
BGP: TX IPv4 Unicast Net global 10.180.10.0/24 RIB done.
BGP: TX IPv4 Unicast Tab RIB walk done version 4, added 1 topologies.
BGP: TX IPv4 Unicast Tab Ready in READ-WRITE.
BGP: TX IPv4 Unicast Tab RIB walk done version 4, added 1 topologies.
BGP: TX IPv4 Unicast Tab All topologies are EOR ready.
BGP: TX IPv4 Unicast Tab RIB walk done version 4, added 1 topologies.
BGP: TX IPv4 Unicast Tab Executing.
BGP: TX IPv4 Unicast Wkr global 4 Cur Processing.
BGP: TX IPv4 Unicast Wkr global 4 Cur Reached marker with version 1.
BGP: TX IPv4 Unicast Top global Appending nets from attr 0x00007ffecc9b7b88.
BGP: TX IPv4 Unicast Wkr global 4 Cur Attr change from 0x0000000000000000 to
0x00007ffecc9b7b88.
BGP: TX IPv4 Unicast Wkr global 4 Cur Net 10.10.10.0/24 Skipped.
BGP: TX IPv4 Unicast Wkr global 4 Cur Net 172.16.30.0/24 Skipped.
BGP: TX IPv4 Unicast Wkr global 4 Cur Net 10.180.10.0/24 Skipped.
BGP: TX IPv4 Unicast Top global No attributes with modified nets.
BGP: TX IPv4 Unicast Top global Added tail marker with version 4.
BGP: TX IPv4 Unicast Wkr global 4 Cur Reached marker with version 4.
BGP: TX IPv4 Unicast Top global No attributes with modified nets.
BGP: TX IPv4 Unicast Wkr global 4 Cur Done (end of list), processed 1 attr(s),
0/3 net(s), 0 pos.
BGP: TX IPv4 Unicast Grp global 4 Checking EORs (0/1).
BGP: TX IPv4 Unicast Mem global 4 1 203.0.113.2 Send EOR.
BGP: TX IPv4 Unicast Grp global 4 Converged.
BGP: TX IPv4 Unicast Tab Processed 1 walker(s).
BGP: TX IPv4 Unicast Tab Generation completed.
BGP: TX IPv4 Unicast Top global Deleting first marker with version 1.
BGP: TX IPv4 Unicast Top global Collection reached marker 1 after 0 net(s).
BGP: TX IPv4 Unicast Top global First convergence done.
BGP: TX IPv4 Unicast Top global Deleting first marker with version 1.
BGP: TX IPv4 Unicast Top global Collection reached marker 1 after 0 net(s).
BGP: TX IPv4 Unicast Top global Collection done on marker 4 after 3 net(s).
BGP: TX IPv4 Unicast Top global Collection done on marker 4 after 0 net(s).
BGP: TX IPv4 Unicast Net global 192.168.10.0/24 Changed.
BGP: TX IPv4 Unicast Net global 172.16.20.0/24 Changed.
BGP: TX IPv4 Unicast Net global 10.106.44.0/24 Changed.
BGP(0): nettable_walker 10.106.44.0/24 route sourced locally
BGP: topo global:IPv4 Unicast:base Remove_fwdroute for 10.106.44.0/24
BGP: TX IPv4 Unicast Net global 10.106.44.0/24 RIB done.
BGP(0): nettable_walker 172.16.20.0/24 route sourced locally
BGP: topo global:IPv4 Unicast:base Remove_fwdroute for 172.16.20.0/24
BGP: TX IPv4 Unicast Net global 172.16.20.0/24 RIB done.
BGP(0): nettable_walker 192.168.10.0/24 route sourced locally---------> Routes
advertised
BGP: topo global:IPv4 Unicast:base Remove_fwdroute for 192.168.10.0/24
BGP: TX IPv4 Unicast Net global 192.168.10.0/24 RIB done.
BGP: TX IPv4 Unicast Tab RIB walk done version 8, added 1 topologies.
BGP: TX IPv4 Unicast Tab Executing.
BGP: TX IPv4 Unicast Wkr global 4 Cur Processing.
BGP: TX IPv4 Unicast Top global Appending nets from attr 0x00007ffecc9b7c70.
BGP: TX IPv4 Unicast Wkr global 4 Cur Attr change from 0x0000000000000000 to
0x00007ffecc9b7c70.
BGP: TX IPv4 Unicast Rpl global 4 1 Net 10.106.44.0/24 Set advertised bit (total 1).
BGP: TX IPv4 Unicast Wkr global 4 Cur Net 10.106.44.0/24 Formatted.
BGP: TX IPv4 Unicast Rpl global 4 1 Net 172.16.20.0/24 Set advertised bit (total 2).
BGP: TX IPv4 Unicast Wkr global 4 Cur Net 172.16.20.0/24 Formatted.
BGP: TX IPv4 Unicast Rpl global 4 1 Net 192.168.10.0/24 Set advertised bit (total 4).
BGP: TX IPv4 Unicast Wkr global 4 Cur Net 192.168.10.0/24 Formatted.
BGP: TX IPv4 Unicast Top global No attributes with modified nets.
BGP: TX IPv4 Unicast Top global Added tail marker with version 8.
BGP: TX IPv4 Unicast Wkr global 4 Cur Reached marker with version 8.
BGP: TX IPv4 Unicast Top global No attributes with modified nets.
BGP: TX IPv4 Unicast Wkr global 4 Cur Replicating.
BGP: TX IPv4 Unicast Wkr global 4 Cur Done (end of list), processed 1 attr(s),
4/4 net(s), 0 pos.
BGP: TX IPv4 Unicast Grp global 4 Start minimum advertisement timer (30 secs).
BGP: TX IPv4 Unicast Wkr global 4 Cur Blocked (minimum advertisement interval).
BGP: TX IPv4 Unicast Grp global 4 Converged.
BGP: TX IPv4 Unicast Tab Processed 1 walker(s).
BGP: TX IPv4 Unicast Tab Generation completed.
BGP: TX IPv4 Unicast Top global Deleting first marker with version 4.
BGP: TX IPv4 Unicast Top global Collection reached marker 4 after 0 net(s).
BGP: TX IPv4 Unicast Top global Collection done on marker 8 after 4 net(s).
BGP: TX IPv4 Unicast Top global Collection done on marker 8 after 0 net(s).
BGP: TX Member message pool under period (60 < 600).
BGP: TX IPv4 Unicast Tab RIB walk done version 8, added 1 topologies.
輸入以下命令可對此功能進行疑難排解:
- show asp table socket
- show bgp neighbor
- show bgp Summary
- show route bgp
- show bgp cidr-only
- 顯示路由摘要
修訂記錄
| 修訂 | 發佈日期 | 意見 |
|---|---|---|
3.0 |
29-Feb-2024 |
已更新思科內部資訊的格式和HTML代碼。 |
2.0 |
19-Jan-2023 |
更新技術內容,使其成為最新版本。
已刪除PII。
已新增Alt文本。
更新了簡介、動詞、機器翻譯、樣式要求和格式 |
1.0 |
11-Aug-2014 |
初始版本 |
意見