Configuring BGP on a Cisco router and a Juniper SRX.
Introduction.
You have a multihomed network (two or more ISPs) and you need fault-tolerant Internet access together with a fixed IP address space for the services you host.
The solution: the BGP protocol, a PI (Provider Independent) subnet and an AS (Autonomous System).
Preparation.
To obtain a PI network and an AS you must submit a request to a company that holds LIR status (an ISP usually holds LIR status). This process takes 2-3 months.
So, you have been allocated an AS and a PI network. For this example we take AS 47668, PI network 91.208.39.0/24 and two connected ISPs, whose database objects are shown below.
Next, ask the LIR (the one that issued your AS and PI network) and every one of your ISPs to add import/export records to the RIPE or ARIN database. All ISPs build their route filters from the import/export records in the RIPE and ARIN databases.
You can check the RIPE database records by entering your AS (e.g. AS47668) and the AS of each ISP (e.g. AS8359, AS8629) in the RIPE database search.
You should see the following import/export records:
aut-num: AS47668
as-name: SCANEX-AS
descr: LLC "R&D Center ScanEx"
org: ORG-SRaD1-RIPE
import: from AS8359 accept ANY
import: from AS8629 accept ANY
export: to AS8359 announce AS47668
export: to AS8629 announce AS47668
ISP-1:
aut-num: AS8359
as-name: MTS
descr: MTS OJSC
descr: former CJSC COMSTAR-Direct
descr: Smolenskaya-Sennaya Sq., 27 block 2
descr: 119121 Moscow, Russia
org: ORG-ZM1-RIPE
import: from AS47668 action pref=105; accept AS47668
export: to AS47668 announce ANY
ISP-2:
aut-num: AS8629
as-name: MCNTT-AS
descr: MCNTT Autonomous System
descr: Moscow Center of New Telecommunication Technologies
descr: Arbat 46, 121002 Moscow
import: from AS47668 action pref=300; accept AS47668
export: to AS47668 announce ANY
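Before asking an ISP to open a session it is worth checking that the published import/export lines actually agree: every export of your AS to a peer must be matched by an import of your AS on the peer side, and the other way round, otherwise the peer's route filter will drop your announcement. The following checker is an added example, not part of the original article; it parses the three aut-num objects quoted above (copied here as constructed sample text, with only the import/export lines kept) with a deliberately small RPSL subset, and the function names are my own.

```python
"""Check that the RPSL import/export lines of a customer AS and its ISPs agree.

Added example. Only 'aut-num', 'import: from ... accept ...' and
'export: to ... announce ...' lines are understood; an optional
'action pref=N;' clause in an import line is skipped.
"""
import re
from collections import namedtuple

Rule = namedtuple("Rule", "kind peer filt")  # kind is 'import' or 'export'

# Constructed sample: the objects from the article, reduced to the lines that matter.
RPSL_TEXT = """\
aut-num: AS47668
as-name: SCANEX-AS
import: from AS8359 accept ANY
import: from AS8629 accept ANY
export: to AS8359 announce AS47668
export: to AS8629 announce AS47668

aut-num: AS8359
as-name: MTS
import: from AS47668 action pref=105; accept AS47668
export: to AS47668 announce ANY

aut-num: AS8629
as-name: MCNTT-AS
import: from AS47668 action pref=300; accept AS47668
export: to AS47668 announce ANY
"""

IMPORT_RE = re.compile(r"^import:\s+from\s+(AS\d+)\s+(?:action[^;]*;\s*)?accept\s+(\S+)")
EXPORT_RE = re.compile(r"^export:\s+to\s+(AS\d+)\s+announce\s+(\S+)")


def parse_aut_nums(text):
    """Return {asn: [Rule, ...]} for every aut-num object in the text."""
    objects = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("aut-num:"):
            current = line.split(":", 1)[1].strip()
            objects[current] = []
        elif current and (m := IMPORT_RE.match(line)):
            objects[current].append(Rule("import", m.group(1), m.group(2)))
        elif current and (m := EXPORT_RE.match(line)):
            objects[current].append(Rule("export", m.group(1), m.group(2)))
    return objects


def check_peering(objects, my_as):
    """Return a list of problems (empty means consistent).

    For each export of my_as towards a peer, the peer must have an import
    from my_as that accepts what we announce (or ANY); for each import of
    my_as from a peer, the peer must have an export towards my_as.
    """
    problems = []
    for r in objects.get(my_as, []):
        peer_rules = objects.get(r.peer)
        if peer_rules is None:
            problems.append(f"{r.peer}: no aut-num object found")
            continue
        if r.kind == "export":
            ok = any(p.kind == "import" and p.peer == my_as
                     and p.filt in ("ANY", r.filt) for p in peer_rules)
            if not ok:
                problems.append(f"{r.peer} does not import {r.filt} from {my_as}")
        else:
            ok = any(p.kind == "export" and p.peer == my_as for p in peer_rules)
            if not ok:
                problems.append(f"{r.peer} has no export towards {my_as}")
    return problems


if __name__ == "__main__":
    issues = check_peering(parse_aut_nums(RPSL_TEXT), "AS47668")
    print("consistent" if not issues else "\n".join(issues))
```

Run the script against the text pasted from the RIPE database search; an empty result means every announcement you plan to make is covered on the ISP side, and each reported line names the peer whose object still needs to be fixed.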
Now you can proceed to configuring the devices.
Configuration.
This article covers configuring BGP on a Cisco 2911 and a Juniper SRX 220H.
Assume:
EXT_IP_1 - the IP address of your router's interface connected to ISP-1
EXT_IP_2 - the IP address of your router's interface connected to ISP-2
91.208.39.1/24 - the IP address of your router's interface connected to your PI subnet
ISP_IP_1 - the IP address of the ISP-1 router
ISP_IP_2 - the IP address of the ISP-2 router
ISP-1 - primary ISP
ISP-2 - backup ISP
BGP configuration on the Cisco 2911 router
en
conf t
1. Access lists
! Inbound filter on the ISP-1 interface: no RFC1918 sources from the Internet,
! only BGP and established TCP towards the router itself, everything else only to the PI subnet
ip access-list extended SCANEX_IN_ISP1_FILTER
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
permit tcp host ISP_IP_1 host EXT_IP_1 eq 179
permit tcp any host EXT_IP_1 established
permit icmp any any
deny ip any host 91.208.39.1
permit ip any 91.208.39.0 0.0.0.255
deny ip any any
exit
! Same filter for the ISP-2 interface
ip access-list extended SCANEX_IN_ISP2_FILTER
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
permit tcp host ISP_IP_2 host EXT_IP_2 eq 179
permit tcp any host EXT_IP_2 established
permit icmp any any
deny ip any host 91.208.39.1
permit ip any 91.208.39.0 0.0.0.255
deny ip any any
exit
! Inbound filter on the PI-subnet (LAN) interface: only packets sourced from our own
! prefix may leave (anti-spoofing), and nothing new may be opened towards the router
ip access-list extended SCANEX_IN_GL_NET_FILTER
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
permit tcp any host 91.208.39.1 established
permit icmp any any
! don't forget to add ssh access to the Cisco (a permit for your management hosts) before the next deny
deny ip any host 91.208.39.1
permit ip 91.208.39.0 0.0.0.255 any
deny ip any any
exit
! Standard access lists used as BGP distribute-lists: never accept private space or
! our own prefix (including more specifics) from an ISP, and announce nothing but our own prefix
ip access-list standard ISP-in
deny 10.0.0.0 0.255.255.255
deny 172.16.0.0 0.15.255.255
deny 192.168.0.0 0.0.255.255
deny 91.208.39.0 0.0.0.255
permit any
exit
ip access-list standard ISP-out
permit 91.208.39.0 0.0.0.255
exit
2. Interfaces
! EXT_MASK_1 / EXT_MASK_2 are placeholders for the subnet masks of the links provided by each ISP
int gi 0/0
ip address EXT_IP_1 EXT_MASK_1
ip access-group SCANEX_IN_ISP1_FILTER in
no shutdown
exit
int gi 0/1
ip address EXT_IP_2 EXT_MASK_2
ip access-group SCANEX_IN_ISP2_FILTER in
no shutdown
exit
int gi 0/2
ip address 91.208.39.1 255.255.255.0
ip access-group SCANEX_IN_GL_NET_FILTER in
no shutdown
exit
3. Static routes
When BGP starts or is reset, the routing table is empty, and downloading the full table of global routes takes about two minutes. The solution is to set the primary ISP as a static default gateway.
ip route 0.0.0.0 0.0.0.0 ISP_IP_1
4. Route maps
! Prepend our AS five times on announcements to the backup ISP, so the return path
! via ISP-2 looks longer to the rest of the Internet and ISP-1 is preferred
route-map set-as-path permit 10
match ip address ISP-out
set as-path prepend 47668 47668 47668 47668 47668
exit
5. BGP
router bgp 47668
bgp router-id 91.208.39.1
! the prefix must exist in the routing table; here it is the connected network of gi 0/2
network 91.208.39.0 mask 255.255.255.0
neighbor ISP_IP_1 remote-as 8629
! weight is local to this router and decides which ISP outbound traffic uses; the higher value wins
neighbor ISP_IP_1 weight 200
neighbor ISP_IP_1 distribute-list ISP-in in
neighbor ISP_IP_1 distribute-list ISP-out out
neighbor ISP_IP_2 remote-as 8359
neighbor ISP_IP_2 weight 100
neighbor ISP_IP_2 distribute-list ISP-in in
neighbor ISP_IP_2 distribute-list ISP-out out
neighbor ISP_IP_2 route-map set-as-path out
exit
6. Save the configuration
do wr
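The two knobs in the Cisco section above work in opposite directions: the neighbor weight is purely local and decides where our outbound traffic goes, while the AS-path prepend is seen by every other network and decides which ISP they use to reach us. The simulation below is an added example, not code from the article; it models only the best-path steps the configuration relies on (highest weight, then highest local preference, then shortest AS path) with the neighbor-to-AS mapping from the router bgp block, and the candidate paths it builds are constructed for illustration.

```python
"""Simulate the failover behaviour produced by 'neighbor ... weight' and
'set as-path prepend' in the Cisco configuration above.

Added example. The best-path logic is a deliberate simplification of the
Cisco selection process: weight, local-pref and AS-path length only.
"""
from dataclasses import dataclass, field
from typing import List, Optional

MY_AS = 47668
PI_PREFIX = "91.208.39.0/24"
ISP1_AS, ISP2_AS = 8629, 8359          # as in 'neighbor ISP_IP_1/2 remote-as'
PREPEND = [MY_AS] * 5                  # 'set as-path prepend 47668 x5'


@dataclass
class Path:
    prefix: str
    as_path: List[int]
    next_hop: str
    weight: int = 0          # Cisco-local attribute, not carried in updates
    local_pref: int = 100


def best_path(paths: List[Path]) -> Path:
    """Highest weight, then highest local-pref, then shortest AS path."""
    return max(paths, key=lambda p: (p.weight, p.local_pref, -len(p.as_path)))


def outbound_choice(isp1_up: bool = True, isp2_up: bool = True) -> Optional[str]:
    """Next hop chosen for the default route learned from the two ISPs,
    with the weights 200 (ISP-1) and 100 (ISP-2) from the configuration."""
    cand = []
    if isp1_up:
        cand.append(Path("0.0.0.0/0", [ISP1_AS], "ISP_IP_1", weight=200))
    if isp2_up:
        cand.append(Path("0.0.0.0/0", [ISP2_AS], "ISP_IP_2", weight=100))
    return best_path(cand).next_hop if cand else None


def announce(to_neighbor: str) -> Path:
    """Our export towards a neighbor: the PI prefix, with the route-map
    prepend applied only towards ISP_IP_2 (the backup)."""
    as_path = [MY_AS] + (PREPEND if to_neighbor == "ISP_IP_2" else [])
    return Path(PI_PREFIX, as_path, "us")


def remote_view(isp1_up: bool = True, isp2_up: bool = True) -> Optional[int]:
    """A third-party AS peering with both ISPs sees our prefix through each
    of them (each ISP prepends its own ASN); returns the ISP AS it selects."""
    cand = []
    if isp1_up:
        cand.append(Path(PI_PREFIX, [ISP1_AS] + announce("ISP_IP_1").as_path, "via-isp1"))
    if isp2_up:
        cand.append(Path(PI_PREFIX, [ISP2_AS] + announce("ISP_IP_2").as_path, "via-isp2"))
    return best_path(cand).as_path[0] if cand else None


if __name__ == "__main__":
    for up1, up2 in [(True, True), (False, True), (True, False)]:
        print(f"ISP-1 up={up1} ISP-2 up={up2}: outbound via {outbound_choice(up1, up2)}, "
              f"inbound via AS{remote_view(up1, up2)}")
```

With both links up, outbound traffic leaves via ISP_IP_1 and the Internet reaches us through AS8629, so both directions use the primary; when ISP-1 fails, both fall over to the backup without any change to the configuration.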
BGP configuration on the Juniper SRX 220H
1. Interfaces
set interfaces ge-0/0/1
set interfaces ge-0/0/1 unit 0 description ISP-1
set interfaces ge-0/0/1 unit 0 family inet address EXT_IP_1
set interfaces ge-0/0/1 unit 0 family inet filter input SCANEX_IN_ISP1_FILTER
set interfaces ge-0/0/2
set interfaces ge-0/0/2 unit 0 description ISP-2
set interfaces ge-0/0/2 unit 0 family inet address EXT_IP_2
set interfaces ge-0/0/2 unit 0 family inet filter input SCANEX_IN_ISP2_FILTER
set interfaces ge-0/0/3
set interfaces ge-0/0/3 unit 0 description My Global
set interfaces ge-0/0/3 unit 0 family inet address 91.208.39.1/24
set interfaces ge-0/0/3 unit 0 family inet filter input SCANEX_IN_GL_NET_FILTER
2. Static routes
When BGP starts or is reset, the routing table is empty, and downloading the full table of global routes takes about two minutes. The solution is to set the primary ISP as a static default gateway.
set routing-options static route 0.0.0.0/0 next-hop ISP_IP_1
3. Security Zones
set security zones security-zone ISPs host-inbound-traffic system-services ping
set security zones security-zone ISPs host-inbound-traffic protocols bgp
set security zones security-zone ISPs interfaces ge-0/0/1.0
set security zones security-zone ISPs interfaces ge-0/0/2.0
set security zones security-zone SCANEX_GL_NET_LAN host-inbound-traffic system-services ping
set security zones security-zone SCANEX_GL_NET_LAN interfaces ge-0/0/3.0
4. Security Policies
set security policies default-policy permit-all
5. Policy Options
## ASPREPEND lengthens the return path via the backup ISP; term 1 must end in
## accept, otherwise the prefix is rejected by this policy and never advertised
set policy-options policy-statement ASPREPEND term 1 from route-filter 91.208.39.0/24 exact
set policy-options policy-statement ASPREPEND term 1 then as-path-prepend "47668 47668 47668 47668 47668 47668"
set policy-options policy-statement ASPREPEND term 1 then accept
set policy-options policy-statement ASPREPEND term 2 from route-filter 0.0.0.0/0 exact
set policy-options policy-statement ASPREPEND term 2 then reject
set policy-options policy-statement ASPREPEND term 3 then reject
## ISP-in: never accept our own prefix (or a more specific of it) from an ISP
set policy-options policy-statement ISP-in term 1 from route-filter 91.208.39.0/24 orlonger
set policy-options policy-statement ISP-in term 1 then reject
## terms 2-4 defend against possible ISP mistakes; orlonger also catches subnets of these ranges
set policy-options policy-statement ISP-in term 2 from route-filter 192.168.0.0/16 orlonger
set policy-options policy-statement ISP-in term 2 then reject
set policy-options policy-statement ISP-in term 3 from route-filter 172.16.0.0/12 orlonger
set policy-options policy-statement ISP-in term 3 then reject
set policy-options policy-statement ISP-in term 4 from route-filter 10.0.0.0/8 orlonger
set policy-options policy-statement ISP-in term 4 then reject
## everything else (the default route and the full table) is accepted
set policy-options policy-statement ISP-in term 5 then accept
## ISP-out: announce nothing but our own prefix
set policy-options policy-statement ISP-out term 1 from route-filter 91.208.39.0/24 exact
set policy-options policy-statement ISP-out term 1 then accept
set policy-options policy-statement ISP-out term 2 from route-filter 0.0.0.0/0 exact
set policy-options policy-statement ISP-out term 2 then reject
set policy-options policy-statement ISP-out term 3 then reject
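The match type on a route-filter decides how much the ISP-in policy actually protects you: exact matches only the prefix as written, so a leaked 10.20.0.0/16 or a more specific of your own /24 would sail through, whereas orlonger matches the prefix and everything inside it (which is also what the Cisco standard ACL used as a distribute-list does). The evaluator below is an added example, not code from the article or from Juniper; it implements the exact/orlonger/longer semantics as documented for Junos, rebuilds the ISP-in terms for either match type, and runs them over a constructed list of received prefixes so the difference is visible.

```python
"""Evaluate a Junos-style prefix policy against received prefixes.

Added example. The policy is the ISP-in statement from the article with the
match type made a parameter; the list of received prefixes is constructed.
"""
import ipaddress
from typing import List, Optional, Tuple

OWN_PREFIX = "91.208.39.0/24"
# (route-filter, match-type, action); a None filter matches everything.
Term = Tuple[Optional[str], Optional[str], str]


def route_filter_matches(prefix: str, filt: str, match_type: str) -> bool:
    """Junos route-filter match types for the cases this article uses."""
    p = ipaddress.ip_network(prefix)
    f = ipaddress.ip_network(filt)
    if match_type == "exact":
        return p == f
    if match_type == "orlonger":
        return p.subnet_of(f)
    if match_type == "longer":
        return p.subnet_of(f) and p.prefixlen > f.prefixlen
    raise ValueError(f"unsupported match type: {match_type}")


def evaluate(policy: List[Term], prefix: str, default: str = "accept") -> str:
    """First matching term wins. A route that matches no terminating term
    gets the protocol default, which for a BGP import in Junos is accept."""
    for filt, mtype, action in policy:
        if filt is None or route_filter_matches(prefix, filt, mtype):
            return action
    return default


def isp_in(match_type: str) -> List[Term]:
    """The ISP-in policy-statement, terms 1-5, with a chosen match type."""
    return [
        (OWN_PREFIX, match_type, "reject"),
        ("192.168.0.0/16", match_type, "reject"),
        ("172.16.0.0/12", match_type, "reject"),
        ("10.0.0.0/8", match_type, "reject"),
        (None, None, "accept"),
    ]


# Constructed sample of what an upstream might send, including mistakes:
# private subnets and a more specific of our own prefix.
RECEIVED = [
    "0.0.0.0/0",
    "8.8.8.0/24",
    "10.0.0.0/8",
    "10.20.0.0/16",
    "172.20.1.0/24",
    "91.208.39.0/24",
    "91.208.39.128/25",
]


def accepted(match_type: str) -> List[str]:
    """Prefixes that ISP-in lets into the routing table for a match type."""
    return [p for p in RECEIVED if evaluate(isp_in(match_type), p) == "accept"]


if __name__ == "__main__":
    for mt in ("exact", "orlonger"):
        print(f"{mt:9s} accepts: {accepted(mt)}")
```

The 91.208.39.128/25 case is the one to watch: because a more specific route beats the connected /24, accepting it from an upstream would pull traffic for half of your own subnet back out to the ISP, so the own-prefix term needs orlonger just as much as the RFC1918 terms do.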
6. BGP
## the local AS and router ID are required for BGP to come up on the SRX
set routing-options autonomous-system 47668
set routing-options router-id 91.208.39.1
set protocols bgp group MTS_BGP type external
## There is no BGP attribute of Weight in the Junos world, since Weight is Cisco proprietary.
## A higher route preference makes the backup ISP's routes less preferred (BGP default is 170).
set protocols bgp group MTS_BGP preference 180
set protocols bgp group MTS_BGP import ISP-in
## the two export lines build the chain export [ ASPREPEND ISP-out ]
set protocols bgp group MTS_BGP export ASPREPEND
set protocols bgp group MTS_BGP export ISP-out
set protocols bgp group MTS_BGP neighbor ISP_IP_2 peer-as 8359
set protocols bgp group MCNTT_BGP type external
set protocols bgp group MCNTT_BGP import ISP-in
set protocols bgp group MCNTT_BGP export ISP-out
set protocols bgp group MCNTT_BGP neighbor ISP_IP_1 peer-as 8629
7. Firewall
## ISP-1 interface: drop RFC1918 sources, allow BGP from the ISP router and established TCP
## towards us, allow ICMP, drop anything else aimed at the router's own addresses, accept the rest to the PI subnet
set firewall filter SCANEX_IN_ISP1_FILTER term 1 from source-address 10.0.0.0/8
set firewall filter SCANEX_IN_ISP1_FILTER term 1 from source-address 172.16.0.0/12
set firewall filter SCANEX_IN_ISP1_FILTER term 1 from source-address 192.168.0.0/16
set firewall filter SCANEX_IN_ISP1_FILTER term 1 then discard
set firewall filter SCANEX_IN_ISP1_FILTER term 2 from source-address ISP_IP_1
set firewall filter SCANEX_IN_ISP1_FILTER term 2 from destination-address EXT_IP_1
set firewall filter SCANEX_IN_ISP1_FILTER term 2 from protocol tcp
set firewall filter SCANEX_IN_ISP1_FILTER term 2 from destination-port 179
set firewall filter SCANEX_IN_ISP1_FILTER term 2 then accept
set firewall filter SCANEX_IN_ISP1_FILTER term 3 from tcp-established
set firewall filter SCANEX_IN_ISP1_FILTER term 3 then accept
set firewall filter SCANEX_IN_ISP1_FILTER term 4 from protocol icmp
set firewall filter SCANEX_IN_ISP1_FILTER term 4 then accept
set firewall filter SCANEX_IN_ISP1_FILTER term 5 from destination-address EXT_IP_1
set firewall filter SCANEX_IN_ISP1_FILTER term 5 from destination-address EXT_IP_2
set firewall filter SCANEX_IN_ISP1_FILTER term 5 from destination-address 91.208.39.1
set firewall filter SCANEX_IN_ISP1_FILTER term 5 then discard
set firewall filter SCANEX_IN_ISP1_FILTER term 100 from destination-address 91.208.39.0/24
set firewall filter SCANEX_IN_ISP1_FILTER term 100 then accept
set firewall filter SCANEX_IN_ISP1_FILTER term 200 then discard
## ISP-2 interface: same structure
set firewall filter SCANEX_IN_ISP2_FILTER term 1 from source-address 10.0.0.0/8
set firewall filter SCANEX_IN_ISP2_FILTER term 1 from source-address 172.16.0.0/12
set firewall filter SCANEX_IN_ISP2_FILTER term 1 from source-address 192.168.0.0/16
set firewall filter SCANEX_IN_ISP2_FILTER term 1 then discard
set firewall filter SCANEX_IN_ISP2_FILTER term 2 from source-address ISP_IP_2
set firewall filter SCANEX_IN_ISP2_FILTER term 2 from destination-address EXT_IP_2
set firewall filter SCANEX_IN_ISP2_FILTER term 2 from protocol tcp
set firewall filter SCANEX_IN_ISP2_FILTER term 2 from destination-port 179
set firewall filter SCANEX_IN_ISP2_FILTER term 2 then accept
set firewall filter SCANEX_IN_ISP2_FILTER term 3 from tcp-established
set firewall filter SCANEX_IN_ISP2_FILTER term 3 then accept
set firewall filter SCANEX_IN_ISP2_FILTER term 4 from protocol icmp
set firewall filter SCANEX_IN_ISP2_FILTER term 4 then accept
set firewall filter SCANEX_IN_ISP2_FILTER term 5 from destination-address EXT_IP_2
set firewall filter SCANEX_IN_ISP2_FILTER term 5 from destination-address EXT_IP_1
set firewall filter SCANEX_IN_ISP2_FILTER term 5 from destination-address 91.208.39.1
set firewall filter SCANEX_IN_ISP2_FILTER term 5 then discard
set firewall filter SCANEX_IN_ISP2_FILTER term 100 from destination-address 91.208.39.0/24
set firewall filter SCANEX_IN_ISP2_FILTER term 100 then accept
set firewall filter SCANEX_IN_ISP2_FILTER term 200 then discard
## PI-subnet (LAN) interface: only packets sourced from our own prefix may leave (anti-spoofing,
## as in the Cisco SCANEX_IN_GL_NET_FILTER), and nothing new may be opened towards the router
set firewall filter SCANEX_IN_GL_NET_FILTER term 1 from source-address 10.0.0.0/8
set firewall filter SCANEX_IN_GL_NET_FILTER term 1 from source-address 172.16.0.0/12
set firewall filter SCANEX_IN_GL_NET_FILTER term 1 from source-address 192.168.0.0/16
set firewall filter SCANEX_IN_GL_NET_FILTER term 1 then discard
set firewall filter SCANEX_IN_GL_NET_FILTER term 2 from tcp-established
set firewall filter SCANEX_IN_GL_NET_FILTER term 2 then accept
set firewall filter SCANEX_IN_GL_NET_FILTER term 3 from protocol icmp
set firewall filter SCANEX_IN_GL_NET_FILTER term 3 then accept
## don't forget to add ssh access to the SRX (a term accepting your management hosts) before term 4
set firewall filter SCANEX_IN_GL_NET_FILTER term 4 from destination-address 91.208.39.1
set firewall filter SCANEX_IN_GL_NET_FILTER term 4 from destination-address EXT_IP_1
set firewall filter SCANEX_IN_GL_NET_FILTER term 4 from destination-address EXT_IP_2
set firewall filter SCANEX_IN_GL_NET_FILTER term 4 then discard
set firewall filter SCANEX_IN_GL_NET_FILTER term 100 from source-address 91.208.39.0/24
set firewall filter SCANEX_IN_GL_NET_FILTER term 100 then accept
set firewall filter SCANEX_IN_GL_NET_FILTER term 200 then discard
8. Apply the configuration
commit