Case Study: Routes Not Forwarding After Establishing a BGP Peer with Another Vendor's Device

Published: 2015-11-05
Problem description

The schematic topology is as follows.

 

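A new ISP has been connected to the customer's network. It needs to peer over EBGP with the customer's existing network in order to advertise the customer's public IP prefixes and to import Internet routes. The customer side uses an NE40E router and the ISP side uses a Cisco router. The EBGP peer establishes normally and the NE40E learns routes normally, but the customer's public IP addresses cannot reach the Internet.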

 

Troubleshooting process

1. Check the EBGP configuration and the peer state: the session establishes normally and the state is Established.

<*-NE40E-X8-01>display bgp vpnv4 all peer

 BGP local router ID : 10.240.224.1

 Local AS number : *.126

 Total number of peers : 2                Peers in established state : 2

 

  Peer            V          AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv

 

  Peer of IPv4-family for vpn instance :

 

 VPN-Instance vrfisp, Router ID 10.240.224.1:

  *.*.112.245  4       16422     4135     4133     0 0068h50m Established       1

  *.*.254.253  4       *.126   211165     2598     0 0034h14m Established  529574

2. A default route to the Internet has been learned through EBGP.

<* -NE40E-X8-01>display ip routing-table vpn-instance vrfisp

Route Flags: R - relay, D - download to fib

------------------------------------------------------------------------------

Routing Tables: vrfisp

         Destinations : 529485   Routes : 529485  

 

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

 

        0.0.0.0/0   EBGP    255  0          RD   *.*.112.245  GigabitEthernet1/1/5

        1.0.0.0/24  IBGP    255  0          RD   *.*.245.221   GigabitEthernet1/1/7

3. The interconnect subnet assigned by the ISP can reach the Internet, but the public prefix advertised by the customer cannot.

[*-NE40E-X8-01]ping -vpn-instance vrfisp -a *.*.242.134 8.8.8.8

  PING 8.8.8.8: 56  data bytes, press CTRL_C to break

    Reply from 8.8.8.8: bytes=56 Sequence=1 ttl=55 time=605 ms

    Reply from 8.8.8.8: bytes=56 Sequence=2 ttl=55 time=539 ms

    Reply from 8.8.8.8: bytes=56 Sequence=3 ttl=55 time=538 ms

    Reply from 8.8.8.8: bytes=56 Sequence=4 ttl=55 time=570 ms

    Reply from 8.8.8.8: bytes=56 Sequence=5 ttl=55 time=541 ms

 

  --- 8.8.8.8 ping statistics ---

    5 packet(s) transmitted

    5 packet(s) received

    0.00% packet loss

    round-trip min/avg/max = 538/558/605 ms

 

[* -NE40E-X8-01]ping -vpn-instance vrfisp -a *.*.252.128 8.8.8.8

  PING 8.8.8.8: 56  data bytes, press CTRL_C to break

    Request time out

    Request time out

    Request time out

    Request time out

    Request time out

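4. The customer contacted the ISP to confirm how the public routes were being learned and advertised, but did not obtain any clear information. With the customer's approval, port mirroring was configured on the NE40E port that connects to the ISP and the traffic was analyzed. The capture showed many ARP requests for addresses in the customer's public prefix.

5. After ARP proxy was enabled on the NE40E port that connects to the ISP, the problem was resolved and access works.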

#

interface GigabitEthernet1/1/5

 description To WAN ISP

 undo shutdown

 ip binding vpn-instance vrfisp

 ip address *.*.242.134 255.255.255.248

 arp-proxy enable

 undo dcn

#

[*-NE40E-X8-01]ping -vpn-instance vrfisp -a *.*.252.128 8.8.8.8

  PING 8.8.8.8: 56  data bytes, press CTRL_C to break

    Reply from 8.8.8.8: bytes=56 Sequence=1 ttl=55 time=545 ms

    Reply from 8.8.8.8: bytes=56 Sequence=2 ttl=55 time=539 ms

    Reply from 8.8.8.8: bytes=56 Sequence=3 ttl=55 time=542 ms

    Reply from 8.8.8.8: bytes=56 Sequence=4 ttl=55 time=540 ms

    Reply from 8.8.8.8: bytes=56 Sequence=5 ttl=55 time=544 ms

 

  --- 8.8.8.8 ping statistics ---

    5 packet(s) transmitted

    5 packet(s) received

    0.00% packet loss

    round-trip min/avg/max = 539/542/545 ms

 

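Root cause

The ISP router treats the advertised public prefix as a directly connected network. It sends ARP Requests directly for the MAC address of each IP instead of forwarding through the EBGP next hop.

Solution

Enable routed proxy ARP on the interface with arp-proxy enable. On the NE40E, proxy ARP is disabled on interfaces by default. Once routed proxy ARP is enabled, when the router receives such an ARP Request it checks whether a route to the destination host exists. If a route exists, it answers with the MAC address of its own port in the ARP Reply, so the packets continue to be forwarded.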
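
The check performed on the mirrored traffic in step 4, and the route lookup that routed proxy ARP performs, can be sketched as follows. This is an added example, not code from the original case or from the vendor. The function names are hypothetical, the addresses are constructed from documentation ranges because the page masks its own, and the route lookup is a simplified model of the behaviour described above.

```python
import ipaddress
import struct

def build_arp_request(sender_ip, target_ip, mac=b"\x02\x00\x00\x00\x00\x01"):
    """Construct a 42-byte Ethernet/IPv4 ARP request (sample input only)."""
    eth = b"\xff" * 6 + mac + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + mac
    arp += ipaddress.IPv4Address(sender_ip).packed + b"\x00" * 6
    return eth + arp + ipaddress.IPv4Address(target_ip).packed

def parse_arp_request(frame):
    """Return (sender_ip, target_ip) for an IPv4 ARP request, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    if struct.unpack("!HHBBH", frame[14:22]) != (1, 0x0800, 6, 4, 1):
        return None
    return (ipaddress.IPv4Address(frame[28:32]),
            ipaddress.IPv4Address(frame[38:42]))

def classify(frames, iface_net, routed_prefixes):
    """Label each ARP request seen on the interconnect port."""
    out = []
    for frame in frames:
        parsed = parse_arp_request(frame)
        if parsed is None:
            continue  # not an ARP request
        sender, target = parsed
        if target in iface_net:
            verdict = "on-link"            # ordinary ARP inside the /29
        elif any(target in p for p in routed_prefixes):
            verdict = "off-link-routed"    # routed proxy ARP would reply
        else:
            verdict = "off-link-no-route"  # no route: stays unanswered
        out.append((str(sender), str(target), verdict))
    return out

# Constructed values (RFC 5737 documentation ranges), not the page's addresses.
IFACE_NET = ipaddress.ip_network("192.0.2.0/29")        # interconnect /29
ROUTED = [ipaddress.ip_network("198.51.100.0/24")]      # advertised prefix
FRAMES = [
    build_arp_request("192.0.2.5", "192.0.2.6"),
    build_arp_request("192.0.2.5", "198.51.100.128"),
    build_arp_request("192.0.2.5", "203.0.113.9"),
    b"\x00" * 60,                                       # non-ARP filler frame
]

if __name__ == "__main__":
    for row in classify(FRAMES, IFACE_NET, ROUTED):
        print(*row)
```

A steady stream of "off-link-routed" requests from the peer's address is the signature seen in this case: the peer is resolving the advertised prefix by ARP instead of forwarding through the EBGP next hop.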
