
S1720, S2700, S5700, S6720 V200R010C00 Configuration Guide - IP Unicast Routing

This document describes the IP unicast routing configurations supported by the device. It covers an overview of IP routing, the basic principles and configuration procedures of static routes, RIP, RIPng, OSPF, OSPFv3, IS-IS (IPv4), IS-IS (IPv6), BGP, routing policies and policy-based routing, and provides related configuration examples.
Example for Configuring BGP GTSM

Networking Requirements

As shown in Figure 1, SwitchA belongs to AS10, and SwitchB, SwitchC and SwitchD belong to AS20. BGP runs in this network. To prevent an attacker from attacking the devices with forged BGP protocol packets, GTSM can be configured to check the TTL value in the IP header.

Figure 10-31 Networking diagram for configuring BGP GTSM

Configuration Roadmap

The configuration roadmap for BGP GTSM is as follows:

  1. Configure OSPF on SwitchB, SwitchC and SwitchD in AS20 so that AS20 has internal reachability.

  2. Establish an EBGP connection between SwitchA and SwitchB, and establish full-mesh IBGP connections between SwitchB, SwitchC and SwitchD using Loopback interfaces, so that the ASs can communicate with each other.

  3. Configure GTSM on SwitchA, SwitchB, SwitchC and SwitchD to protect SwitchB against CPU-utilization attacks.

Procedure

  1. Configure the VLAN that each interface belongs to

    # Configure SwitchA. The configurations of SwitchB, SwitchC and SwitchD are similar to that of SwitchA.

    <HUAWEI> system-view
    [HUAWEI] sysname SwitchA
    [SwitchA] vlan batch 10
    [SwitchA] interface gigabitethernet 0/0/1
    [SwitchA-GigabitEthernet0/0/1] port link-type trunk
    [SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
    [SwitchA-GigabitEthernet0/0/1] quit

  2. Configure an IP address for each interface

    # Configure SwitchB. The configurations of SwitchA, SwitchC and SwitchD are similar to that of SwitchB.

    [SwitchB] interface vlanif 10
    [SwitchB-Vlanif10] ip address 10.1.1.2 24
    [SwitchB-Vlanif10] quit
    [SwitchB] interface vlanif 20
    [SwitchB-Vlanif20] ip address 10.2.1.1 24
    [SwitchB-Vlanif20] quit
    [SwitchB] interface loopback 0
    [SwitchB-LoopBack0] ip address 172.16.2.9 32
    [SwitchB-LoopBack0] quit

  3. Configure OSPF

    # Configure SwitchB. The configurations of SwitchC and SwitchD are similar to that of SwitchB.

    [SwitchB] ospf
    [SwitchB-ospf-1] area 0.0.0.0
    [SwitchB-ospf-1-area-0.0.0.0] network 10.2.1.0 0.0.0.255
    [SwitchB-ospf-1-area-0.0.0.0] network 172.16.2.9 0.0.0.0
    [SwitchB-ospf-1-area-0.0.0.0] quit
    [SwitchB-ospf-1] quit

  4. Configure full-mesh IBGP connections

    # Configure SwitchB.

    [SwitchB] bgp 20
    [SwitchB-bgp] router-id 172.16.2.9
    [SwitchB-bgp] peer 172.16.3.9 as-number 20
    [SwitchB-bgp] peer 172.16.3.9 connect-interface LoopBack0
    [SwitchB-bgp] peer 172.16.3.9 next-hop-local
    [SwitchB-bgp] peer 172.16.4.9 as-number 20
    [SwitchB-bgp] peer 172.16.4.9 connect-interface LoopBack0
    [SwitchB-bgp] peer 172.16.4.9 next-hop-local

    # Configure SwitchC.

    [SwitchC] bgp 20
    [SwitchC-bgp] router-id 172.16.3.9
    [SwitchC-bgp] peer 172.16.2.9 as-number 20
    [SwitchC-bgp] peer 172.16.2.9 connect-interface LoopBack0
    [SwitchC-bgp] peer 172.16.4.9 as-number 20
    [SwitchC-bgp] peer 172.16.4.9 connect-interface LoopBack0

    # Configure SwitchD.

    [SwitchD] bgp 20
    [SwitchD-bgp] router-id 172.16.4.9
    [SwitchD-bgp] peer 172.16.2.9 as-number 20
    [SwitchD-bgp] peer 172.16.2.9 connect-interface LoopBack0
    [SwitchD-bgp] peer 172.16.3.9 as-number 20
    [SwitchD-bgp] peer 172.16.3.9 connect-interface LoopBack0

  5. Configure an EBGP connection

    # Configure SwitchA.

    [SwitchA] bgp 10
    [SwitchA-bgp] router-id 172.16.1.9
    [SwitchA-bgp] peer 10.1.1.2 as-number 20
    

    # Configure SwitchB.

    [SwitchB-bgp] peer 10.1.1.1 as-number 10
    [SwitchB-bgp] quit

    # Check the connection status of the peers.

    [SwitchB] display bgp peer
    
     BGP local router ID : 172.16.2.9
     Local AS number : 20
     Total number of peers : 3                 Peers in established state : 3
    
      Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv
    
      172.16.3.9      4    20        8        7     0 00:05:06 Established       0
      172.16.4.9      4    20        8       10     0 00:05:33 Established       0
      10.1.1.1        4    10        7        7     0 00:04:09 Established       0

    The output shows that the BGP connections between SwitchB and the other switches have all been established.

  6. Configure GTSM between SwitchA and SwitchB. Because the two switches are directly connected, the valid TTL range of packets reaching the other end is [255, 255], so valid-ttl-hops is set to 1.

    # Configure GTSM on SwitchA.

    [SwitchA-bgp] peer 10.1.1.2 valid-ttl-hops 1

    # Configure GTSM for the EBGP connection on SwitchB.

    [SwitchB-bgp] peer 10.1.1.1 valid-ttl-hops 1

    # Check the GTSM configuration.

    [SwitchB] display bgp peer 10.1.1.1 verbose
    
             BGP Peer is 10.1.1.1,  remote AS 10
             Type: EBGP link
             BGP version 4, Remote router ID 172.16.1.9
             Update-group ID : 0
             BGP current state: Established, Up for 00h49m35s
             BGP current event: RecvKeepalive
             BGP last state: OpenConfirm
             BGP Peer Up count: 1
             Received total routes: 0
             Received active routes total: 0
             Advertised total routes: 0
             Port:  Local - 179      Remote - 52876
             Configured: Connect-retry Time: 32 sec
             Configured: Min Hold Time: 0 sec
             Configured: Active Hold Time: 180 sec   Keepalive Time:60 sec
             Received  : Active Hold Time: 180 sec
             Negotiated: Active Hold Time: 180 sec   Keepalive Time:60 sec
             Peer optional capabilities:
             Peer supports bgp multi-protocol extension
             Peer supports bgp route refresh capability
             Peer supports bgp 4-byte-as capability
             Address family IPv4 Unicast: advertised and received
     Received: Total 59 messages
                      Update messages                0
                      Open messages                  2
                      KeepAlive messages             57
                      Notification messages          0
                      Refresh messages               0
     Sent: Total 79 messages
                      Update messages                5
                      Open messages                  2
                      KeepAlive messages             71
                      Notification messages          1
                      Refresh messages               0
     Authentication type configured: None
     Last keepalive received: 2012/03/06 19:17:37
     Last keepalive sent    : 2012/03/06 19:17:37
     Last update    received: 2012/03/06 19:17:43
     Last update    sent    : 2012/03/06 19:17:37
     Minimum route advertisement interval is 30 seconds
     Optional capabilities:
     Route refresh capability has been enabled
     4-byte-as capability has been enabled
     GTSM has been enabled, valid-ttl-hops: 1
     Peer Preferred Value: 0
     Routing policy configured:
     No routing policy is configured

    The output shows that GTSM has been enabled with a valid TTL hop count of 1, and the BGP connection is in the Established state.

  7. Configure GTSM between SwitchB and SwitchC. Because the two switches are directly connected, the valid TTL range of packets reaching the other end is [255, 255], so valid-ttl-hops is set to 1.

    # Configure GTSM on SwitchB.

    [SwitchB-bgp] peer 172.16.3.9 valid-ttl-hops 1

    # Configure GTSM for the IBGP connection on SwitchC.

    [SwitchC-bgp] peer 172.16.2.9 valid-ttl-hops 1

    # Check the GTSM configuration.

    [SwitchB] display bgp peer 172.16.3.9 verbose
    
             BGP Peer is 172.16.3.9,  remote AS 20
             Type: IBGP link
             BGP version 4, Remote router ID 172.16.3.9
             Update-group ID : 1
             BGP current state: Established, Up for 00h54m36s
             BGP current event: KATimerExpired
             BGP last state: OpenConfirm
             BGP Peer Up count: 2
             Received total routes: 0
             Received active routes total: 0
             Advertised total routes: 0
             Port:  Local - 54998    Remote - 179
             Configured: Connect-retry Time: 32 sec
             Configured: Min Hold Time: 0 sec
             Configured: Active Hold Time: 180 sec   Keepalive Time:60 sec
             Received  : Active Hold Time: 180 sec
             Negotiated: Active Hold Time: 180 sec   Keepalive Time:60 sec
             Peer optional capabilities:
             Peer supports bgp multi-protocol extension
             Peer supports bgp route refresh capability
             Peer supports bgp 4-byte-as capability
             Address family IPv4 Unicast: advertised and received
     Received: Total 63 messages
                      Update messages                0
                      Open messages                  1
                      KeepAlive messages             62
                      Notification messages          0
                      Refresh messages               0
     Sent: Total 69 messages
                      Update messages                10
                      Open messages                  1
                      KeepAlive messages             58
                      Notification messages          0
                      Refresh messages               0
     Authentication type configured: None
     Last keepalive received: 2012/03/06 19:18:37
     Last keepalive sent    : 2012/03/06 19:18:37
     Last update    received: 2012/03/06 19:18:43
     Last update    sent    : 2012/03/06 19:18:37
     Minimum route advertisement interval is 15 seconds
     Optional capabilities:
     Route refresh capability has been enabled
     4-byte-as capability has been enabled
     Nexthop self has been configured
     Connect-interface has been configured
     GTSM has been enabled, valid-ttl-hops: 1
     Peer Preferred Value: 0
     Routing policy configured:
     No routing policy is configured

    The output shows that GTSM has been enabled with a valid TTL hop count of 1, and the BGP connection is in the Established state.

  8. Configure GTSM between SwitchC and SwitchD. Because the two switches are directly connected, the valid TTL range of packets reaching the other end is [255, 255], so valid-ttl-hops is set to 1.

    # Configure GTSM for the IBGP connection on SwitchC.

    [SwitchC-bgp] peer 172.16.4.9 valid-ttl-hops 1

    # Configure GTSM for the IBGP connection on SwitchD.

    [SwitchD-bgp] peer 172.16.3.9 valid-ttl-hops 1

    # Check the GTSM configuration.

    [SwitchC] display bgp peer 172.16.4.9 verbose
    
             BGP Peer is 172.16.4.9,  remote AS 20
             Type: IBGP link
             BGP version 4, Remote router ID 172.16.4.9
             Update-group ID : 1
             BGP current state: Established, Up for 00h56m06s
             BGP current event: KATimerExpired
             BGP last state: OpenConfirm
             BGP Peer Up count: 2
             Received total routes: 0
             Received active routes total: 0
             Advertised total routes: 0
             Port:  Local - 179      Remote - 53758
             Configured: Connect-retry Time: 32 sec
             Configured: Min Hold Time: 0 sec
             Configured: Active Hold Time: 180 sec   Keepalive Time:60 sec
             Received  : Active Hold Time: 180 sec
             Negotiated: Active Hold Time: 180 sec   Keepalive Time:60 sec
             Peer optional capabilities:
             Peer supports bgp multi-protocol extension
             Peer supports bgp route refresh capability
             Peer supports bgp 4-byte-as capability
             Address family IPv4 Unicast: advertised and received
     Received: Total 63 messages
                      Update messages                0
                      Open messages                  1
                      KeepAlive messages             62
                      Notification messages          0
                      Refresh messages               0
     Sent: Total 63 messages
                      Update messages                0
                      Open messages                  2
                      KeepAlive messages             61
                      Notification messages          0
                      Refresh messages               0
     Authentication type configured: None
     Last keepalive received: 2012/03/06 19:19:37
     Last keepalive sent    : 2012/03/06 19:19:37
     Last update    received: 2012/03/06 19:19:43
     Last update    sent    : 2012/03/06 19:19:37
     Minimum route advertisement interval is 15 seconds
     Optional capabilities:
     Route refresh capability has been enabled
     4-byte-as capability has been enabled
     Connect-interface has been configured
     GTSM has been enabled, valid-ttl-hops: 1
     Peer Preferred Value: 0
     Routing policy configured:
     No routing policy is configured

    The output shows that GTSM has been enabled with a valid TTL hop count of 1, and the BGP connection is in the Established state.

  9. Configure GTSM between SwitchB and SwitchD. Because the two switches are connected through SwitchC, after one hop the valid TTL range of packets reaching the other end is [254, 255], so valid-ttl-hops is set to 2.

    # Configure GTSM for the IBGP connection on SwitchB.

    [SwitchB-bgp] peer 172.16.4.9 valid-ttl-hops 2

    # Configure GTSM on SwitchD.

    [SwitchD-bgp] peer 172.16.2.9 valid-ttl-hops 2

    # Check the GTSM configuration.

    [SwitchB] display bgp peer 172.16.4.9 verbose
    
             BGP Peer is 172.16.4.9,  remote AS 20
             Type: IBGP link
             BGP version 4, Remote router ID 172.16.4.9
             Update-group ID : 1
             BGP current state: Established, Up for 00h57m48s
             BGP current event: RecvKeepalive
             BGP last state: OpenConfirm
             BGP Peer Up count: 2
             Received total routes: 0
             Received active routes total: 0
             Advertised total routes: 0
             Port:  Local - 53714    Remote - 179
             Configured: Connect-retry Time: 32 sec
             Configured: Min Hold Time: 0 sec
             Configured: Active Hold Time: 180 sec   Keepalive Time:60 sec
             Received  : Active Hold Time: 180 sec
             Negotiated: Active Hold Time: 180 sec   Keepalive Time:60 sec
             Peer optional capabilities:
             Peer supports bgp multi-protocol extension
             Peer supports bgp route refresh capability
             Peer supports bgp 4-byte-as capability
             Address family IPv4 Unicast: advertised and received
     Received: Total 72 messages
                      Update messages                0
                      Open messages                  1
                      KeepAlive messages             71
                      Notification messages          0
                      Refresh messages               0
     Sent: Total 82 messages
                      Update messages                10
                      Open messages                  1
                      KeepAlive messages             71
                      Notification messages          0
                      Refresh messages               0
     Authentication type configured: None
     Last keepalive received: 2012/03/06 19:20:37
     Last keepalive sent    : 2012/03/06 19:20:37
     Last update    received: 2012/03/06 19:20:43
     Last update    sent    : 2012/03/06 19:20:37
     Minimum route advertisement interval is 15 seconds
     Optional capabilities:
     Route refresh capability has been enabled
     4-byte-as capability has been enabled
     Nexthop self has been configured
     Connect-interface has been configured
     GTSM has been enabled, valid-ttl-hops: 2
     Peer Preferred Value: 0
     Routing policy configured:
     No routing policy is configured

    The output shows that GTSM has been enabled with a valid TTL hop count of 2, and the BGP connection is in the Established state.

    Note:
    • In this example, if the valid-ttl-hops value on either SwitchB or SwitchD is less than 2, this IBGP connection cannot be established.

    • GTSM must be enabled on both ends of a BGP connection.

  10. Verify the configuration

    # Run display gtsm statistics all on SwitchB to view its GTSM statistics. When the default action is pass and no invalid packets have been received, the number of dropped packets is 0.

    [SwitchB] display gtsm statistics all
    GTSM Statistics Table                                                           
    ----------------------------------------------------------------                
    SlotId  Protocol  Total Counters  Drop Counters  Pass Counters                  
    ----------------------------------------------------------------                
     0      BGP       17              0              17                              
     0      BGPv6     0               0              0                              
     0      OSPF      0               0              0                              
     0      LDP       0               0              0                              
     0      OSPFv3    0               0              0                              
     0      RIP       0               0              0       
    ----------------------------------------------------------------                

    If a host PC now attacks SwitchB with packets forged to look like SwitchA's BGP packets, the packets are dropped because their TTL is no longer 255 when they reach SwitchB, and the drop counter in SwitchB's GTSM statistics increases accordingly.
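    As an added example (not code from the Huawei manual), the following Python model reproduces the TTL check that peer valid-ttl-hops configures, together with the Total/Drop/Pass counters of display gtsm statistics all, using SwitchB's three peers from this example. The class names and the packet list are assumptions constructed for illustration.

```python
from dataclasses import dataclass

MAX_TTL = 255  # GTSM-protected protocol packets are sent with TTL 255


@dataclass(frozen=True)
class GtsmPeer:
    address: str
    valid_ttl_hops: int  # the N in "peer <address> valid-ttl-hops N"

    def ttl_range(self):
        """Accepted TTL interval [255 - N + 1, 255]; e.g. N=2 -> (254, 255)."""
        if not 1 <= self.valid_ttl_hops <= MAX_TTL:
            raise ValueError("valid-ttl-hops must be between 1 and 255")
        return (MAX_TTL - self.valid_ttl_hops + 1, MAX_TTL)


@dataclass
class GtsmStats:
    total: int = 0   # Total Counters column
    drop: int = 0    # Drop Counters column
    passed: int = 0  # Pass Counters column


class GtsmChecker:
    """GTSM check for one protocol (BGP here) with per-slot style counters."""

    def __init__(self, peers):
        self.peers = {p.address: p for p in peers}
        self.stats = GtsmStats()

    def check(self, src_ip, ttl):
        """Return True if the packet passes GTSM; count it either way."""
        peer = self.peers.get(src_ip)
        if peer is None:
            return True  # not a GTSM-protected peer: outside this check
        self.stats.total += 1
        lo, hi = peer.ttl_range()
        if lo <= ttl <= hi:
            self.stats.passed += 1
            return True
        self.stats.drop += 1
        return False


def switchb_demo():
    # SwitchB's three BGP peers exactly as configured in this example.
    checker = GtsmChecker([
        GtsmPeer("10.1.1.1", 1),    # EBGP, directly connected to SwitchA
        GtsmPeer("172.16.3.9", 1),  # IBGP, directly connected to SwitchC
        GtsmPeer("172.16.4.9", 2),  # IBGP, reaches SwitchD through SwitchC
    ])
    # Constructed packets: (source IP, TTL on arrival at SwitchB).
    packets = [
        ("10.1.1.1", 255),    # genuine SwitchA packet: pass
        ("172.16.3.9", 255),  # genuine SwitchC packet: pass
        ("172.16.4.9", 254),  # genuine SwitchD packet, one hop away: pass
        ("172.16.4.9", 253),  # one hop too many for valid-ttl-hops 2: drop
        ("10.1.1.1", 250),    # forged from a distant host, TTL decremented: drop
    ]
    results = [checker.check(src, ttl) for src, ttl in packets]
    return results, checker.stats
```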

Configuration Files

  • SwitchA configuration file

    #
    sysname SwitchA
    #
    vlan batch 10
    #
    interface Vlanif10
     ip address 10.1.1.1 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     port link-type trunk
     port trunk allow-pass vlan 10
    #
    bgp 10
     router-id 172.16.1.9
     peer 10.1.1.2 as-number 20
     peer 10.1.1.2 valid-ttl-hops 1
     #
     ipv4-family unicast
      undo synchronization
      peer 10.1.1.2 enable
    #
    return
  • SwitchB configuration file

    #
    sysname SwitchB
    #
    vlan batch 10 20
    #
    interface Vlanif10
     ip address 10.1.1.2 255.255.255.0
    #
    interface Vlanif20
     ip address 10.2.1.1 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     port link-type trunk
     port trunk allow-pass vlan 10
    #
    interface GigabitEthernet0/0/2
     port link-type trunk
     port trunk allow-pass vlan 20 
    #
    interface LoopBack0
     ip address 172.16.2.9 255.255.255.255
    #
    bgp 20
     router-id 172.16.2.9
     peer 172.16.3.9 as-number 20
     peer 172.16.3.9 connect-interface LoopBack0
     peer 172.16.3.9 valid-ttl-hops 1
     peer 172.16.4.9 as-number 20
     peer 172.16.4.9 connect-interface LoopBack0
     peer 172.16.4.9 valid-ttl-hops 2
     peer 10.1.1.1 as-number 10
     peer 10.1.1.1 valid-ttl-hops 1
     #
     ipv4-family unicast
      undo synchronization
      import-route ospf 1
      peer 172.16.3.9 enable
      peer 172.16.3.9 next-hop-local
      peer 172.16.4.9 enable
      peer 172.16.4.9 next-hop-local
      peer 10.1.1.1 enable
    #
    ospf 1
     area 0.0.0.0
      network 172.16.2.9 0.0.0.0
      network 10.2.1.0 0.0.0.255
    #
    return
  • SwitchC configuration file

    #
    sysname SwitchC
    #
    vlan batch 20 30
    #
    interface Vlanif20
     ip address 10.2.1.2 255.255.255.0
    #
    interface Vlanif30
     ip address 10.2.2.1 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     port link-type trunk
     port trunk allow-pass vlan 20
    #
    interface GigabitEthernet0/0/2
     port link-type trunk
     port trunk allow-pass vlan 30 
    #
    interface LoopBack0
     ip address 172.16.3.9 255.255.255.255
    #
    bgp 20
     router-id 172.16.3.9
     peer 172.16.2.9 as-number 20
     peer 172.16.2.9 connect-interface LoopBack0
     peer 172.16.2.9 valid-ttl-hops 1
     peer 172.16.4.9 as-number 20
     peer 172.16.4.9 connect-interface LoopBack0
     peer 172.16.4.9 valid-ttl-hops 1
     #
     ipv4-family unicast
      undo synchronization
      peer 172.16.2.9 enable
      peer 172.16.4.9 enable
    #
    ospf 1
     area 0.0.0.0
      network 172.16.3.9 0.0.0.0
      network 10.2.1.0 0.0.0.255
      network 10.2.2.0 0.0.0.255
    #
    return
  • SwitchD configuration file

    #
    sysname SwitchD
    #
    vlan batch 30
    #
    interface Vlanif30
     ip address 10.2.2.2 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     port link-type trunk
     port trunk allow-pass vlan 30
    #
    interface LoopBack0
     ip address 172.16.4.9 255.255.255.255
    #
    bgp 20
     router-id 172.16.4.9
     peer 172.16.2.9 as-number 20
     peer 172.16.2.9 connect-interface LoopBack0
     peer 172.16.2.9 valid-ttl-hops 2
     peer 172.16.3.9 as-number 20
     peer 172.16.3.9 connect-interface LoopBack0
     peer 172.16.3.9 valid-ttl-hops 1
     #
     ipv4-family unicast
      undo synchronization
      peer 172.16.2.9 enable
      peer 172.16.3.9 enable
    #
    ospf 1
     area 0.0.0.0
      network 172.16.4.9 0.0.0.0
      network 10.2.2.0 0.0.0.255
    #
    return
Updated: 2019-04-17

Document ID: EDOC1000141402