目次
はじめに
こんにちは。ネットワークエンジニアの「だいまる」です。
今回は、BGPに関するネットワーク設計の罠についてまとめていきたいと思います。
罠と言ってもBGPのベストパス選択を考えると当たり前の話ではあります。
よくあるネットワーク設計
どの通信事業者やコンテンツ事業者等で「Static経路やNetwork文(自己生成)によるインターネット向けの経路広報を行う」設計がよく見られると思います。
では、「なぜわざわざStatic経路やNetwork文(自己生成)でインターネット向けに広報するのか?」
それは、BGPハイジャック等の攻撃を防ぐためです。
このBGPハイジャックとは、悪意のある攻撃者が正規な事業者が広報するPublic IPを乗っ取り、自分のネットワーク等にアクセスさせる攻撃です。
そもそもなぜこの事象が発生するのか?
それは「正規な事業者が広報するPublic IPがインターネットから消えること」や「正規な事業者が広報しているPrefix長よりも長い経路で広報する」等が挙げられます。
このBGPハイジャックを防ぐために意図的に経路広報をしている事業者は多いと思います。
今回は、その自己生成されたBGP経路とAggregateで回ってきた経路のベストパス選択について触れていきたいと思います。
リンク
実際に動作確認してみよう
今回の検証構成
今回の動作確認のために利用した検証構成は以下の図のとおりとなります。
Router3でNetwork文(自己生成)とAggregate等で広報された経路のどちらがベストパスとなっているのか確認しました。
検証構成を説明したので、流れがざっくりわかったかと思います。
それでは、さっそく確認していきましょう。
Network文→Aggregateの順に広報した場合
まず、Network文で広報するルータ側のBGPピアを先にUPし、その後にAggregate側のピアをUPさせます。
事前状態では192.168.1.0/24の経路が存在しないことがわかると思います。
Router3#show ip bgp summary
BGP router identifier 10.1.0.3, local AS number 3
BGP table version is 11, main routing table version 11
2 network entries using 288 bytes of memory
2 path entries using 168 bytes of memory
6/2 BGP path/bestpath attribute entries using 960 bytes of memory
3 BGP AS-PATH entries using 72 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1488 total bytes of memory
BGP activity 6/0 prefixes, 7/5 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.2.0.1 4 1 0 0 1 0 0 00:00:12 Idle
10.3.0.1 4 2 7 15 9 0 0 00:03:25 1
10.4.0.2 4 4 0 0 1 0 0 00:00:15 Idle
Router3#show ip bgp
BGP table version is 11, local router ID is 10.1.0.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
t secondary path,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*> 10.1.0.2/32 10.3.0.1 0 0 2 i
*> 10.1.0.3/32 0.0.0.0 0 32768 i
Router3#
Router3#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
B 10.1.0.2/32 [20/0] via 10.3.0.1, 00:02:38
C 10.1.0.3/32 is directly connected, Loopback0
C 10.3.0.0/30 is directly connected, GigabitEthernet0/0
L 10.3.0.2/32 is directly connected, GigabitEthernet0/0
192.168.11.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.11.0/24 is directly connected, GigabitEthernet0/3
L 192.168.11.202/32 is directly connected, GigabitEthernet0/3それでは、Network文側のルータとのピアをUPします。
Router3#show ip bgp summary
BGP router identifier 10.1.0.3, local AS number 3
BGP table version is 13, main routing table version 13
4 network entries using 576 bytes of memory
4 path entries using 336 bytes of memory
3/3 BGP path/bestpath attribute entries using 480 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1440 total bytes of memory
BGP activity 8/4 prefixes, 9/5 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.2.0.1 4 1 5 9 13 0 0 00:00:09 2
10.3.0.1 4 2 9 19 13 0 0 00:05:00 1
10.4.0.2 4 4 0 0 1 0 0 00:01:50 Idle
Router3#show ip bgp
BGP table version is 13, local router ID is 10.1.0.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
t secondary path,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*> 10.1.0.1/32 10.2.0.1 0 0 1 i
*> 10.1.0.2/32 10.3.0.1 0 0 2 i
*> 10.1.0.3/32 0.0.0.0 0 32768 i
*> 192.168.1.0 10.2.0.1 0 0 1 i
Router3#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
B 10.1.0.1/32 [20/0] via 10.2.0.1, 00:00:14
B 10.1.0.2/32 [20/0] via 10.3.0.1, 00:04:13
C 10.1.0.3/32 is directly connected, Loopback0
C 10.2.0.0/30 is directly connected, GigabitEthernet0/2
L 10.2.0.2/32 is directly connected, GigabitEthernet0/2
C 10.3.0.0/30 is directly connected, GigabitEthernet0/0
L 10.3.0.2/32 is directly connected, GigabitEthernet0/0
B 192.168.1.0/24 [20/0] via 10.2.0.1, 00:00:14
192.168.11.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.11.0/24 is directly connected, GigabitEthernet0/3
L 192.168.11.202/32 is directly connected, GigabitEthernet0/3
Router3#
Router3#show ip bgp 192.168.1.0
BGP routing table entry for 192.168.1.0/24, version 13
Paths: (1 available, best #1, table default)
Advertised to update-groups:
1
Refresh Epoch 1
1
10.2.0.1 from 10.2.0.1 (10.1.0.1)
Origin IGP, metric 0, localpref 100, valid, external, best
rx pathid: 0, tx pathid: 0x0
Router3#192.168.1.0/24の経路が見えました。
この時、nexthopは10.2.0.1(Router1のIF)になっています。
次にAggregate側のピアを上げた状態の確認をしたいと思います。
Router3#show ip bgp su
Router3#show ip bgp summary
BGP router identifier 10.1.0.3, local AS number 3
BGP table version is 15, main routing table version 15
6 network entries using 864 bytes of memory
7 path entries using 588 bytes of memory
6/5 BGP path/bestpath attribute entries using 960 bytes of memory
3 BGP AS-PATH entries using 72 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 2484 total bytes of memory
BGP activity 10/4 prefixes, 12/5 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.2.0.1 4 1 8 13 15 0 0 00:02:51 2
10.3.0.1 4 2 12 23 15 0 0 00:07:41 1
10.4.0.2 4 4 7 11 15 0 0 00:00:28 3
Router3#show ip bgp
BGP table version is 15, local router ID is 10.1.0.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
t secondary path,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*> 10.1.0.1/32 10.2.0.1 0 0 1 i
*> 10.1.0.2/32 10.3.0.1 0 0 2 i
*> 10.1.0.3/32 0.0.0.0 0 32768 i
*> 10.1.0.4/32 10.4.0.2 0 0 4 i
*> 10.1.0.5/32 10.4.0.2 2 0 4 ?
* 192.168.1.0 10.4.0.2 0 0 4 i
*> 10.2.0.1 0 0 1 i
Router3#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 11 subnets, 2 masks
B 10.1.0.1/32 [20/0] via 10.2.0.1, 00:02:53
B 10.1.0.2/32 [20/0] via 10.3.0.1, 00:06:52
C 10.1.0.3/32 is directly connected, Loopback0
B 10.1.0.4/32 [20/0] via 10.4.0.2, 00:00:31
B 10.1.0.5/32 [20/2] via 10.4.0.2, 00:00:31
C 10.2.0.0/30 is directly connected, GigabitEthernet0/2
L 10.2.0.2/32 is directly connected, GigabitEthernet0/2
C 10.3.0.0/30 is directly connected, GigabitEthernet0/0
L 10.3.0.2/32 is directly connected, GigabitEthernet0/0
C 10.4.0.0/30 is directly connected, GigabitEthernet0/1
L 10.4.0.1/32 is directly connected, GigabitEthernet0/1
B 192.168.1.0/24 [20/0] via 10.2.0.1, 00:02:53
192.168.11.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.11.0/24 is directly connected, GigabitEthernet0/3
L 192.168.11.202/32 is directly connected, GigabitEthernet0/3
Router3#show ip bgp 192.168.1.0
BGP routing table entry for 192.168.1.0/24, version 13
Paths: (2 available, best #2, table default)
Advertised to update-groups:
1
Refresh Epoch 1
4, (aggregated by 4 10.1.0.4)
10.4.0.2 from 10.4.0.2 (10.1.0.4)
Origin IGP, metric 0, localpref 100, valid, external, atomic-aggregate
rx pathid: 0, tx pathid: 0
Refresh Epoch 1
1
10.2.0.1 from 10.2.0.1 (10.1.0.1)
Origin IGP, metric 0, localpref 100, valid, external, best
rx pathid: 0, tx pathid: 0x0
Router3#上記の結果からもわかるとおり、NexthopはRouter1側の「10.2.0.1」に向いてることがわかると思います。
この状態で192.168.1.1にPingを送っても到達しません。
Router2#ping 192.168.1.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.0.2
U.U.U
Success rate is 0 percent (0/5)
Router2#traceroute 192.168.1.1 source lo0
Type escape sequence to abort.
Tracing the route to 192.168.1.1
VRF info: (vrf in name/id, vrf out name/id)
1 10.3.0.2 1 msec 1 msec 1 msec
2 10.2.0.1 1 msec 1 msec 1 msec
3 10.2.0.1 !H * !HAggregate→Network文の順に広報した場合
次にAggragate側のピアを先に上げたパターンを確認していきましょう。
Router3#show ip bgp summary
BGP router identifier 10.1.0.3, local AS number 3
BGP table version is 22, main routing table version 22
5 network entries using 720 bytes of memory
5 path entries using 420 bytes of memory
5/5 BGP path/bestpath attribute entries using 800 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1988 total bytes of memory
BGP activity 13/8 prefixes, 15/10 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.2.0.1 4 1 0 0 1 0 0 00:02:23 Idle
10.3.0.1 4 2 22 37 22 0 0 00:16:56 1
10.4.0.2 4 4 7 11 22 0 0 00:00:14 3
Router3#show ip bgp
BGP table version is 22, local router ID is 10.1.0.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
t secondary path,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*> 10.1.0.2/32 10.3.0.1 0 0 2 i
*> 10.1.0.3/32 0.0.0.0 0 32768 i
*> 10.1.0.4/32 10.4.0.2 0 0 4 i
*> 10.1.0.5/32 10.4.0.2 2 0 4 ?
*> 192.168.1.0 10.4.0.2 0 0 4 i
Router3#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
B 10.1.0.2/32 [20/0] via 10.3.0.1, 00:16:19
C 10.1.0.3/32 is directly connected, Loopback0
B 10.1.0.4/32 [20/0] via 10.4.0.2, 00:00:29
B 10.1.0.5/32 [20/2] via 10.4.0.2, 00:00:29
C 10.3.0.0/30 is directly connected, GigabitEthernet0/0
L 10.3.0.2/32 is directly connected, GigabitEthernet0/0
C 10.4.0.0/30 is directly connected, GigabitEthernet0/1
L 10.4.0.1/32 is directly connected, GigabitEthernet0/1
B 192.168.1.0/24 [20/0] via 10.4.0.2, 00:00:29
192.168.11.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.11.0/24 is directly connected, GigabitEthernet0/3
L 192.168.11.202/32 is directly connected, GigabitEthernet0/3上記の状態から192.168.1.0/24のNexthopは先程と異なりRouter4側に向いてることがわかります。
この状態でRouter1側(Network文)のピアをあげていきます。
Router3#show ip bgp summary
BGP router identifier 10.1.0.3, local AS number 3
BGP table version is 23, main routing table version 23
6 network entries using 864 bytes of memory
7 path entries using 588 bytes of memory
6/6 BGP path/bestpath attribute entries using 960 bytes of memory
3 BGP AS-PATH entries using 72 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 2484 total bytes of memory
BGP activity 14/8 prefixes, 17/10 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.2.0.1 4 1 5 12 23 0 0 00:00:07 2
10.3.0.1 4 2 24 39 23 0 0 00:18:35 1
10.4.0.2 4 4 9 13 23 0 0 00:01:53 3
Router3#show ip bgp
BGP table version is 23, local router ID is 10.1.0.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
t secondary path,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*> 10.1.0.1/32 10.2.0.1 0 0 1 i
*> 10.1.0.2/32 10.3.0.1 0 0 2 i
*> 10.1.0.3/32 0.0.0.0 0 32768 i
*> 10.1.0.4/32 10.4.0.2 0 0 4 i
*> 10.1.0.5/32 10.4.0.2 2 0 4 ?
* 192.168.1.0 10.2.0.1 0 0 1 i
*> 10.4.0.2 0 0 4 i
Router3#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 11 subnets, 2 masks
B 10.1.0.1/32 [20/0] via 10.2.0.1, 00:00:14
B 10.1.0.2/32 [20/0] via 10.3.0.1, 00:17:50
C 10.1.0.3/32 is directly connected, Loopback0
B 10.1.0.4/32 [20/0] via 10.4.0.2, 00:02:00
B 10.1.0.5/32 [20/2] via 10.4.0.2, 00:02:00
C 10.2.0.0/30 is directly connected, GigabitEthernet0/2
L 10.2.0.2/32 is directly connected, GigabitEthernet0/2
C 10.3.0.0/30 is directly connected, GigabitEthernet0/0
L 10.3.0.2/32 is directly connected, GigabitEthernet0/0
C 10.4.0.0/30 is directly connected, GigabitEthernet0/1
L 10.4.0.1/32 is directly connected, GigabitEthernet0/1
B 192.168.1.0/24 [20/0] via 10.4.0.2, 00:02:00
192.168.11.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.11.0/24 is directly connected, GigabitEthernet0/3
L 192.168.11.202/32 is directly connected, GigabitEthernet0/3
Router3#先程とは異なり、Router1(Network文)側のピアをあげてもNexthopはRouter4(Aggregate側)になっていることがわかります。
このことから疎通可能な状態になっています。
Router2#ping 192.168.1.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.0.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/3 ms
Router2#traceroute 192.168.1.1 source loopback 0
Type escape sequence to abort.
Tracing the route to 192.168.1.1
VRF info: (vrf in name/id, vrf out name/id)
1 10.3.0.2 [AS 3] 3 msec 3 msec 3 msec
2 10.4.0.2 [AS 3] 1 msec 3 msec 2 msec
3 10.5.0.2 3 msec * 4 msec
Router2#Clear BGPを実施するとどうなるのか?
では上記の状態でClear BGPを実施するとどうなるのか?
Router3#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 11 subnets, 2 masks
B 10.1.0.1/32 [20/0] via 10.2.0.1, 00:30:02
B 10.1.0.2/32 [20/0] via 10.3.0.1, 00:47:38
C 10.1.0.3/32 is directly connected, Loopback0
B 10.1.0.4/32 [20/0] via 10.4.0.2, 00:31:48
B 10.1.0.5/32 [20/2] via 10.4.0.2, 00:31:48
C 10.2.0.0/30 is directly connected, GigabitEthernet0/2
L 10.2.0.2/32 is directly connected, GigabitEthernet0/2
C 10.3.0.0/30 is directly connected, GigabitEthernet0/0
L 10.3.0.2/32 is directly connected, GigabitEthernet0/0
C 10.4.0.0/30 is directly connected, GigabitEthernet0/1
L 10.4.0.1/32 is directly connected, GigabitEthernet0/1
B 192.168.1.0/24 [20/0] via 10.4.0.2, 00:31:48
192.168.11.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.11.0/24 is directly connected, GigabitEthernet0/3
L 192.168.11.202/32 is directly connected, GigabitEthernet0/3
Router3#show ip bgp
BGP table version is 27, local router ID is 10.1.0.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
t secondary path,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*> 10.1.0.1/32 10.2.0.1 0 0 1 i
*> 10.1.0.2/32 10.3.0.1 0 0 2 i
*> 10.1.0.3/32 0.0.0.0 0 32768 i
*> 10.1.0.4/32 10.4.0.2 0 0 4 i
*> 10.1.0.5/32 10.4.0.2 2 0 4 ?
*> 10.2.0.0/30 0.0.0.0 0 32768 ?
*> 10.3.0.0/30 0.0.0.0 0 32768 ?
*> 10.4.0.0/30 0.0.0.0 0 32768 ?
* 192.168.1.0 10.2.0.1 0 0 1 i
*> 10.4.0.2 0 0 4 i
*> 192.168.11.0 0.0.0.0 0 32768 ?
Router3#clear bgp * ipv4 unicast *
Router3#
Router3#show ip bgp summary
BGP router identifier 10.1.0.3, local AS number 3
BGP table version is 11, main routing table version 11
10 network entries using 1440 bytes of memory
11 path entries using 924 bytes of memory
7/6 BGP path/bestpath attribute entries using 1120 bytes of memory
3 BGP AS-PATH entries using 72 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 3556 total bytes of memory
BGP activity 28/18 prefixes, 32/21 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.2.0.1 4 1 5 8 6 0 0 00:00:07 2
10.3.0.1 4 2 5 8 6 0 0 00:00:07 1
10.4.0.2 4 4 7 8 6 0 0 00:00:07 3
Router3#show ip bgp
BGP table version is 11, local router ID is 10.1.0.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
t secondary path,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*> 10.1.0.1/32 10.2.0.1 0 0 1 i
*> 10.1.0.2/32 10.3.0.1 0 0 2 i
*> 10.1.0.3/32 0.0.0.0 0 32768 i
*> 10.1.0.4/32 10.4.0.2 0 0 4 i
*> 10.1.0.5/32 10.4.0.2 2 0 4 ?
*> 10.2.0.0/30 0.0.0.0 0 32768 ?
*> 10.3.0.0/30 0.0.0.0 0 32768 ?
*> 10.4.0.0/30 0.0.0.0 0 32768 ?
* 192.168.1.0 10.4.0.2 0 0 4 i
*> 10.2.0.1 0 0 1 i
*> 192.168.11.0 0.0.0.0 0 32768 ?
Router3#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 11 subnets, 2 masks
B 10.1.0.1/32 [20/0] via 10.2.0.1, 00:00:13
B 10.1.0.2/32 [20/0] via 10.3.0.1, 00:00:13
C 10.1.0.3/32 is directly connected, Loopback0
B 10.1.0.4/32 [20/0] via 10.4.0.2, 00:00:13
B 10.1.0.5/32 [20/2] via 10.4.0.2, 00:00:13
C 10.2.0.0/30 is directly connected, GigabitEthernet0/2
L 10.2.0.2/32 is directly connected, GigabitEthernet0/2
C 10.3.0.0/30 is directly connected, GigabitEthernet0/0
L 10.3.0.2/32 is directly connected, GigabitEthernet0/0
C 10.4.0.0/30 is directly connected, GigabitEthernet0/1
L 10.4.0.1/32 is directly connected, GigabitEthernet0/1
B 192.168.1.0/24 [20/0] via 10.2.0.1, 00:00:13
192.168.11.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.11.0/24 is directly connected, GigabitEthernet0/3
L 192.168.11.202/32 is directly connected, GigabitEthernet0/3
Router3#上記結果より、Network文側の経路がベストパスになることがわかりました。
つまり、BGPフラップが起きると必然的にブラックホールが発生することになります。
この結果からわかること
経路広報のタイミングでNexthopが変わるのはBGPの経路保持の仕組みであることがわかりました。
ここからわかるのは、一度ベストパスとして経路を保持すると安定している経路として認定され、後からベストパスになりうる経路が来た場合でも更新されないのでしょう。
そして、Clear bgp実施時にnetwork文側の経路がベストパスとなるのは、BGP ベストパス選択の仕組みのためだと推察されます。
| 優先度 | 項目 |
| 1 | Weight値が大きい経路(Cisco 独自) |
| 2 | Local Preference値が大きい経路 |
| 3 | 自己生成(Network文)による経路 |
| 4 | AS_PATH長が短い経路 |
| 5 | ORIGINが最も小さい経路(IGP < EGP < uncomplete) |
| 6 | MEDが小さい経路 |
| 7 | eBGP経路(※AD値によるものだが、Junosのルートプリファレンス値は同一) |
| 8 | IGPメトリックが最小な経路 |
| 9 | eBGP経路の中から最も古い経路 |
| 10 | 最小のルータID |
| 11 | 最小のIPアドレス |
Prefix長を変えてNetwork文→Aggregateの順で広報した場合
では、BGPフラップが発生してもブラックホールにならない状態を作るためにどうするか?
それはaggregate側のPrefix長を長くすればよいのです。(色々やり方はありますが)
上記の状態であれば、フラップやclear bgpを実施した場合でも疎通可能となります。
\Router3#show ip bgp summary
BGP router identifier 10.1.0.3, local AS number 3
BGP table version is 12, main routing table version 12
11 network entries using 1584 bytes of memory
11 path entries using 924 bytes of memory
7/7 BGP path/bestpath attribute entries using 1120 bytes of memory
3 BGP AS-PATH entries using 72 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 3700 total bytes of memory
BGP activity 29/18 prefixes, 33/22 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.2.0.1 4 1 11 15 12 0 0 00:05:19 2
10.3.0.1 4 2 10 15 12 0 0 00:05:19 1
10.4.0.2 4 4 17 16 12 0 0 00:05:19 3
Router3#show ip bgp
BGP table version is 12, local router ID is 10.1.0.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
t secondary path,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*> 10.1.0.1/32 10.2.0.1 0 0 1 i
*> 10.1.0.2/32 10.3.0.1 0 0 2 i
*> 10.1.0.3/32 0.0.0.0 0 32768 i
*> 10.1.0.4/32 10.4.0.2 0 0 4 i
*> 10.1.0.5/32 10.4.0.2 2 0 4 ?
*> 10.2.0.0/30 0.0.0.0 0 32768 ?
*> 10.3.0.0/30 0.0.0.0 0 32768 ?
*> 10.4.0.0/30 0.0.0.0 0 32768 ?
*> 192.168.1.0/25 10.4.0.2 0 0 4 i
*> 192.168.1.0 10.2.0.1 0 0 1 i
*> 192.168.11.0 0.0.0.0 0 32768 ?
Router3#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 11 subnets, 2 masks
B 10.1.0.1/32 [20/0] via 10.2.0.1, 00:05:22
B 10.1.0.2/32 [20/0] via 10.3.0.1, 00:05:22
C 10.1.0.3/32 is directly connected, Loopback0
B 10.1.0.4/32 [20/0] via 10.4.0.2, 00:05:22
B 10.1.0.5/32 [20/2] via 10.4.0.2, 00:05:22
C 10.2.0.0/30 is directly connected, GigabitEthernet0/2
L 10.2.0.2/32 is directly connected, GigabitEthernet0/2
C 10.3.0.0/30 is directly connected, GigabitEthernet0/0
L 10.3.0.2/32 is directly connected, GigabitEthernet0/0
C 10.4.0.0/30 is directly connected, GigabitEthernet0/1
L 10.4.0.1/32 is directly connected, GigabitEthernet0/1
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
B 192.168.1.0/24 [20/0] via 10.2.0.1, 00:05:22
B 192.168.1.0/25 [20/0] via 10.4.0.2, 00:00:27
192.168.11.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.11.0/24 is directly connected, GigabitEthernet0/3
L 192.168.11.202/32 is directly connected, GigabitEthernet0/3
Router3#clear bgp * ipv4 unicast *
Router3#show ip bgp summary
BGP router identifier 10.1.0.3, local AS number 3
BGP table version is 7, main routing table version 7
6 network entries using 864 bytes of memory
6 path entries using 504 bytes of memory
7/5 BGP path/bestpath attribute entries using 1120 bytes of memory
3 BGP AS-PATH entries using 72 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 2560 total bytes of memory
BGP activity 35/29 prefixes, 39/33 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.2.0.1 4 1 5 9 7 0 0 00:00:09 2
10.3.0.1 4 2 5 9 7 0 0 00:00:09 1
10.4.0.2 4 4 7 9 7 0 0 00:00:09 3
Router3#show ip bgp
BGP table version is 7, local router ID is 10.1.0.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
t secondary path,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*> 10.1.0.1/32 10.2.0.1 0 0 1 i
*> 10.1.0.2/32 10.3.0.1 0 0 2 i
*> 10.1.0.4/32 10.4.0.2 0 0 4 i
*> 10.1.0.5/32 10.4.0.2 2 0 4 ?
*> 192.168.1.0/25 10.4.0.2 0 0 4 i
*> 192.168.1.0 10.2.0.1 0 0 1 i
Router3#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 11 subnets, 2 masks
B 10.1.0.1/32 [20/0] via 10.2.0.1, 00:00:13
B 10.1.0.2/32 [20/0] via 10.3.0.1, 00:00:13
C 10.1.0.3/32 is directly connected, Loopback0
B 10.1.0.4/32 [20/0] via 10.4.0.2, 00:00:13
B 10.1.0.5/32 [20/2] via 10.4.0.2, 00:00:13
C 10.2.0.0/30 is directly connected, GigabitEthernet0/2
L 10.2.0.2/32 is directly connected, GigabitEthernet0/2
C 10.3.0.0/30 is directly connected, GigabitEthernet0/0
L 10.3.0.2/32 is directly connected, GigabitEthernet0/0
C 10.4.0.0/30 is directly connected, GigabitEthernet0/1
L 10.4.0.1/32 is directly connected, GigabitEthernet0/1
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
B 192.168.1.0/24 [20/0] via 10.2.0.1, 00:00:13
B 192.168.1.0/25 [20/0] via 10.4.0.2, 00:00:13
192.168.11.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.11.0/24 is directly connected, GigabitEthernet0/3
L 192.168.11.202/32 is directly connected, GigabitEthernet0/3
Router3#上記の通り、clear bgpコマンドを実行しましたが、192.168.1.0/25経路が存在すると思います。
この時、Router2からの192.168.1.1へのPing/Tracerouteはどうなるか確認しましょう。
Router2#ping 192.168.1.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.0.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
Router2#traceroute 192.168.1.1 source loopback 0
Type escape sequence to abort.
Tracing the route to 192.168.1.1
VRF info: (vrf in name/id, vrf out name/id)
1 10.3.0.2 [AS 3] 1 msec 1 msec 1 msec
2 10.4.0.2 [AS 3] 3 msec 3 msec 3 msec
3 10.5.0.2 3 msec * 2 msec
Router2#上記のとおり、疎通可能となりました。
この理由はLongest matchにより、nexthopが/25側の経路を選択するためとなります。
リンク
最後に
今回は、BGP経路の設計で意外と引っかかりそうな点について、動作確認を行ってみました。
次回もきまぐれでこういった確認をしていきたいと思います。
