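Introduction
This document describes the EVPN simplified CLI for BGP dynamic neighbors in the EVPN and MVPN address families on Catalyst 9000 series switches.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
Components Used
The information in this document is based on these software and hardware versions: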
- Catalyst 9300
- Catalyst 9400
- Catalyst 9500
- Catalyst 9600
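- Cisco IOS® XE 17.11.1 and later
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
EVPN deployments involve BGP neighbor relationships with many peers, often within the same subnet. Before the BGP Dynamic Neighbor (DN) feature was introduced, at least 255 configuration lines had to be written and maintained to establish BGP sessions with all peers in a /24 subnet. With BGP DN, only 3 lines are needed to achieve this. The only functional difference between static neighbor configuration and dynamic neighbor configuration is that the latter only creates connections with other BGP peers passively. Therefore, this feature can be configured on only one of the peers.
Grouping multiple peers within a subnet range is highly desirable (if not necessary) for a deployment to be feasible, and it is already widely used in the IPv4, IPv6 and VRF address families. The feature is desirable for other address families, especially EVPN, because it helps to avoid writing and maintaining large, complex configurations in spine-leaf topologies where many leaves are in the same subnet.
Note: This feature does not introduce any new CLI. It allows peer groups configured with "bgp listen range" to be activated under address families that did not previously support them.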
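Terminology
DN | Dynamic Neighbor | Passive mode in which BGP listens for connection attempts and forms neighbors |
AF | Address Family | Defines which types of prefixes and routing information BGP handles |
AS | Autonomous System | A set of Internet-routable IP prefixes that belong to a network or a collection of networks, managed, controlled and supervised by a single entity or organization |
EVPN | Ethernet Virtual Private Network | The extension that allows BGP to transport Layer 2 MAC and Layer 3 IP information is EVPN; it uses Multi-Protocol Border Gateway Protocol (MP-BGP) as the protocol to distribute reachability information for the VXLAN overlay network. |
MVPN | Multicast Virtual Private Network | The Multicast VPN (MVPN) feature supports multicast over a Layer 3 Virtual Private Network (VPN) |
VXLAN | Virtual Extensible LAN (Local Area Network) | VXLAN is designed to overcome the inherent limitations of VLANs and STP. It is a proposed IETF standard [RFC 7348] that provides the same Ethernet Layer 2 network services as VLANs, but with greater flexibility. Functionally, it is a MAC-in-UDP encapsulation protocol that runs as a virtual overlay on a Layer 3 underlay network. |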
Configure
Network Diagram
Underlay (OSPF)
Overlay (BGP)
Spine-01
Spine-01#sh run | section r b
router bgp 65001
bgp router-id 172.16.255.1
bgp log-neighbor-changes
bgp listen range 172.16.255.0/29 peer-group DN-GROUP <-- Listen for connections from peers in this subnet
bgp listen block 172.16.255.2 <-- Excluded peer RR from DN subnet range to allow static peer
bgp listen limit 4 <-- Limit the number of peerings allowed
no bgp default ipv4-unicast
neighbor DN-GROUP peer-group
neighbor DN-GROUP remote-as 65001 <-- Peers only allowed in this AS
neighbor DN-GROUP update-source Loopback0
neighbor 172.16.255.2 remote-as 65001 <-- Static Neighbor config
neighbor 172.16.255.2 update-source Loopback0 <-- Static Neighbor config
!
address-family ipv4
exit-address-family
!
address-family ipv4 mvpn
neighbor DN-GROUP activate <--- Dynamic peer group must be activated in MVPN AF
neighbor DN-GROUP send-community both
neighbor DN-GROUP route-reflector-client
neighbor 172.16.255.2 activate <--- Static peering activation in MVPN AF
neighbor 172.16.255.2 send-community extended
exit-address-family
!
address-family l2vpn evpn
neighbor DN-GROUP activate <--- Dynamic peer group must be activated in EVPN AF
neighbor DN-GROUP send-community both
neighbor DN-GROUP route-reflector-client
neighbor 172.16.255.2 activate <-- Static peering activation in EVPN AF
neighbor 172.16.255.2 send-community extended
exit-address-family
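Note: Static and dynamic neighbors can be part of the same peer group, but static neighbors need to be activated individually.
Tip: It is recommended to limit the number of peers to the number of neighbors you expect, so that unintended peers are blocked. Set the subnet range and the listen limit as strictly as possible.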
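The tip above can be checked mechanically. This is an added example, not Cisco code: it audits the listen-range lines of a saved configuration against the number of peers you expect. The function name, the `expected_peers` input, and treating the router-id as the device's own address inside the range are assumptions.

```python
import ipaddress
import re

# Constructed input: the Spine-01 listen lines from this page.
SPINE_CFG = """\
router bgp 65001
 bgp router-id 172.16.255.1
 bgp listen range 172.16.255.0/29 peer-group DN-GROUP
 bgp listen block 172.16.255.2
 bgp listen limit 4
"""

def audit_listen_config(cfg: str, expected_peers: int) -> list[str]:
    """Return findings on how tightly dynamic-neighbor admission is scoped."""
    ranges = [ipaddress.ip_network(r, strict=False) for r in
              re.findall(r"^\s*bgp listen range (\S+) peer-group \S+", cfg, re.M)]
    if not ranges:
        return []
    # Addresses that can never become dynamic peers: blocked ones and
    # (assumption) the router's own address, taken from the router-id.
    excluded = {ipaddress.ip_address(a) for a in re.findall(
        r"^\s*bgp (?:listen block|router-id) (\S+)", cfg, re.M)}
    # Source addresses that still pass the listen-range check.
    admissible = sum(net.num_addresses - sum(1 for a in excluded if a in net)
                     for net in ranges)
    findings = []
    limit = re.search(r"^\s*bgp listen limit (\d+)", cfg, re.M)
    if limit is None:
        findings.append("no 'bgp listen limit' configured")
    else:
        n = int(limit.group(1))
        if n > expected_peers:
            findings.append(f"listen limit {n} exceeds expected peers {expected_peers}")
        if n >= admissible:
            findings.append(f"listen limit {n} does not constrain the range "
                            f"({admissible} admissible addresses)")
    if admissible > expected_peers:
        findings.append(f"range admits {admissible} addresses, "
                        f"{admissible - expected_peers} more than expected")
    return findings

if __name__ == "__main__":
    for finding in audit_listen_config(SPINE_CFG, expected_peers=4):
        print(finding)
```

For the Spine-01 configuration the limit matches the four leaves, but the /29 still admits two addresses that no expected peer owns, so the limit alone decides which sources get a session.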
Leaf-01
Leaf-01#show run | sec r bgp
router bgp 65001
bgp router-id 172.16.255.3
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 172.16.255.1 remote-as 65001
neighbor 172.16.255.1 update-source Loopback0
neighbor 172.16.255.2 remote-as 65001
neighbor 172.16.255.2 update-source Loopback0
!
address-family ipv4
exit-address-family
!
address-family ipv4 mvpn
neighbor 172.16.255.1 activate <-- Route Reflector 1
neighbor 172.16.255.1 send-community both
neighbor 172.16.255.2 activate <-- Route Reflector 2
neighbor 172.16.255.2 send-community both
exit-address-family
!
address-family l2vpn evpn
neighbor 172.16.255.1 activate <-- Route Reflector 1
neighbor 172.16.255.1 send-community both
neighbor 172.16.255.2 activate <-- Route Reflector 2
neighbor 172.16.255.2 send-community both
exit-address-family
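Note: The configuration of the other spine route reflector and of the VTEPs is the same, so it is not repeated in this section.
Note: To peer RRs that use DN with each other, static configuration must be used. They are in passive mode and do not generate OPEN messages toward each other.
Optional Configuration
Alternate AS
Allows BGP sessions to be established with peers in the specified subnet whose AS number is listed (up to five alternate eBGP AS are supported, for a total of 6 AS).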
Spine-01#show run | section r b
router bgp 65001
bgp listen range 172.16.255.0/29 peer-group DN-GROUP
bgp listen limit 20
neighbor DN-GROUP peer-group
neighbor DN-GROUP remote-as 1 alternate-as 2 3 4 5 6 <-- Allow peering with more than one AS
neighbor DN-GROUP update-source Loopback0
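Note: This may not be sufficient for large-scale EVPN use cases (each dynamic neighbor peer group might need up to 1000 remote AS). Future releases should increase this limit to accommodate such deployments.
Verify
Spine (RR)
Verify that the spine, acting as the BGP listener, has formed the dynamic peers
- Spine-02 looks the same, so only Spine-01 is shown in this example output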
Spine-01#show ip bgp all summary
For address family: L2VPN E-VPN <-- Address Family type EVPN
BGP router identifier 172.16.255.1, local AS number 65001
BGP table version is 64, main routing table version 64
19 network entries using 7296 bytes of memory
24 path entries using 5568 bytes of memory
13/10 BGP path/bestpath attribute entries using 3848 bytes of memory
13 BGP extended community entries using 1670 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 18382 total bytes of memory
BGP activity 22/3 prefixes, 56/32 paths, scan interval 60 secs
19 networks peaked at 19:07:48 May 10 2023 UTC (00:48:59.007 ago)
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
*172.16.255.3 4 65001 286 328 64 0 0 04:05:53 9
*172.16.255.4 4 65001 309 340 64 0 0 04:05:53 13
*172.16.255.5 4 65001 276 315 64 0 0 04:05:43 1
*172.16.255.6 4 65001 276 313 64 0 0 04:05:53 1
* Dynamically created based on a listen range command
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
Dynamically created neighbors: 4, Subnet ranges: 1
BGP peergroup DN-GROUP listen range group members:
172.16.255.0/29 <-- Peering subnet configured
For address family: MVPNv4 Unicast <-- Address Family type MVPN
BGP router identifier 172.16.255.1, local AS number 65001
BGP table version is 1, main routing table version 1
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
*172.16.255.3 4 65001 286 328 1 0 0 04:05:53 0
*172.16.255.4 4 65001 309 340 1 0 0 04:05:54 0
*172.16.255.5 4 65001 276 315 1 0 0 04:05:43 0
*172.16.255.6 4 65001 276 313 1 0 0 04:05:53 0
* Dynamically created based on a listen range command
Dynamically created neighbors: 4, Subnet ranges: 1
BGP peergroup DN-GROUP listen range group members:
172.16.255.0/29 <-- Peering subnet configured
Total dynamically created neighbors: 4/(4 max), Subnet ranges: 1 <-- 4 total neighbors from the max of 4
Note: You can use the per-AF BGP commands to view information for a single AF only:
- show bgp l2vpn evpn summary
- show ip bgp ipv4 mvpn all summary
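Observe the Spine-01 (RR) TCP ports:
- Because the spine is passive, its local port is always the well-known BGP port 179, while the VTEPs show ephemeral ports
- 172.16.255.1 > 172.16.255.2 is defined as a static peer, but this RR happened to receive the OPEN as well, so it used port 179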
Spine-01#show tcp brief
TCB Local Address Foreign Address (state)
72632453A5C0 172.16.255.1.179 172.16.255.5.15285 ESTAB <-- Dynamic peer (Leaf-03)
7263245C73C0 172.16.255.1.179 172.16.255.6.52693 ESTAB <-- Dynamic peer (Border Leaf)
7263245B3D30 172.16.255.1.179 172.16.255.4.44091 ESTAB <-- Dynamic peer (Leaf-02)
7263272DE460 172.16.254.1.22430 172.16.254.2.639 ESTAB <-- MSDP peer (Spine-02)
7263246DD3A8 172.16.255.1.179 172.16.255.2.21866 ESTAB <-- Static Peer (Spine-02 RR)
7263245BDAC0 172.16.255.1.179 172.16.255.3.31383 ESTAB <-- Dynamic peer (Leaf-01)
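Troubleshoot
DN Peering
If the peer group is added under the L2VPN EVPN address family while it is already activated under another AF, it does not take effect.
- In this case, the peer group existed under MVPN and was then activated under EVPN.
- The EVPN neighbors do not form until a hard clear is performed.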
Spine-01(config)#router bgp 65001
Spine-01(config-router)#address-family l2vpn evpn
Spine-01(config-router-af)#neighbor DN-GROUP activate
Spine-01(config-router-af)#end
% BGP: Dynamic peergroup DN-GROUP does not reset session by default and requires manual reset if this peer-group is also activated under another address-family
Spine-01#sh bgp l2vpn evpn summary
<--- Neighbor info missing
BGP peergroup DN-GROUP listen range group members:
172.16.255.0/29
Total dynamically created neighbors: 4/(4 max), Subnet ranges: 1
Spine-01#clear ip bgp * <-- Hard clear
%BGP-3-NOTIFICATION_MANY: sent to 5 sessions 6/4 (Administrative Reset) for all peers <-- Resetting all peers
%BGP_SESSION-5-ADJCHANGE: neighbor *172.16.255.3 MVPNv4 Unicast topology base removed from session Neighbor deleted
%BGP-5-ADJCHANGE: neighbor *172.16.255.3 Down User reset
%BGP_SESSION-5-ADJCHANGE: neighbor *172.16.255.4 MVPNv4 Unicast topology base removed from session Neighbor deleted
%BGP-5-ADJCHANGE: neighbor *172.16.255.4 Down User reset
%BGP_SESSION-5-ADJCHANGE: neighbor *172.16.255.5 MVPNv4 Unicast topology base removed from session Neighbor deleted
%BGP-5-ADJCHANGE: neighbor *172.16.255.5 Down User reset
%BGP_SESSION-5-ADJCHANGE: neighbor *172.16.255.6 MVPNv4 Unicast topology base removed from session Neighbor deleted
%BGP-5-ADJCHANGE: neighbor *172.16.255.6 Down User reset
%BGP-5-ADJCHANGE: neighbor 172.16.255.2 Down User reset
%BGP_SESSION-5-ADJCHANGE: neighbor 172.16.255.2 MVPNv4 Unicast topology base removed from session User reset
%BGP-5-ADJCHANGE: neighbor *172.16.255.3 Up <-- Peers coming back up for both MVPN and EVPN
%BGP-5-ADJCHANGE: neighbor *172.16.255.5 Up
%BGP-5-ADJCHANGE: neighbor *172.16.255.4 Up
%BGP-5-ADJCHANGE: neighbor *172.16.255.6 Up
Spine-01#sh bgp l2vpn evpn all summary
BGP router identifier 172.16.255.1, local AS number 65001
BGP table version is 61, main routing table version 61
41 network entries using 15744 bytes of memory
48 path entries using 11136 bytes of memory
25/22 BGP path/bestpath attribute entries using 7400 bytes of memory
20 BGP extended community entries using 2120 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 36400 total bytes of memory
BGP activity 145/104 prefixes, 22148/22100 paths, scan interval 60 secs
41 networks peaked at 21:07:01 May 11 2023 UTC (4d21h ago)
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
*172.16.255.3 4 65001 26 12 61 0 0 00:05:03 16 <-- Dynamic Peers now show up in EVPN (* = dynamically created)
*172.16.255.4 4 65001 27 10 61 0 0 00:05:08 19
*172.16.255.5 4 65001 14 12 61 0 0 00:05:05 6
*172.16.255.6 4 65001 17 10 61 0 0 00:05:10 7
* Dynamically created based on a listen range command
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
Dynamically created neighbors: 4, Subnet ranges: 1
BGP peergroup DN-GROUP listen range group members:
172.16.255.0/29
Total dynamically created neighbors: 4/(4 max), Subnet ranges: 1
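Note: A hard clear of the neighbors is required for the configuration change to take effect. This is consistent with the current behavior of the address families that already support BGP dynamic neighbors.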
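After a hard clear, every dynamic session is torn down and re-admitted from the listen range, so it is worth confirming which peers came back. This is an added example, not Cisco code: it replays ADJCHANGE syslog lines in the format shown above and compares the dynamically created neighbors (marked with `*`) against an expected inventory. The function name, the inventory set and the sample log are assumptions constructed for illustration.

```python
import re

# Constructed sample in the syslog format shown on this page; 172.16.255.7 is
# a made-up address inside the listen range that is not an expected leaf.
SAMPLE_LOG = """\
%BGP-5-ADJCHANGE: neighbor *172.16.255.3 Down User reset
%BGP-5-ADJCHANGE: neighbor *172.16.255.4 Down User reset
%BGP-5-ADJCHANGE: neighbor *172.16.255.5 Down User reset
%BGP-5-ADJCHANGE: neighbor *172.16.255.6 Down User reset
%BGP-5-ADJCHANGE: neighbor 172.16.255.2 Down User reset
%BGP_SESSION-5-ADJCHANGE: neighbor 172.16.255.2 MVPNv4 Unicast topology base removed from session User reset
%BGP-5-ADJCHANGE: neighbor *172.16.255.3 Up
%BGP-5-ADJCHANGE: neighbor *172.16.255.5 Up
%BGP-5-ADJCHANGE: neighbor *172.16.255.7 Up
%BGP-5-ADJCHANGE: neighbor *172.16.255.4 Up
"""

# Hypothetical inventory: the four VTEP loopbacks used in this page's lab.
EXPECTED_DYNAMIC = {"172.16.255.3", "172.16.255.4", "172.16.255.5", "172.16.255.6"}

# Group 1 is "*" for a neighbor created from a listen range, "" for a static one.
ADJCHANGE = re.compile(r"%BGP-5-ADJCHANGE: neighbor (\*?)(\S+) (Up|Down)\b")

def review_dynamic_peers(log: str, expected: set[str]) -> dict[str, list[str]]:
    """Replay Up/Down events and report dynamic peers that differ from inventory."""
    up: set[str] = set()
    for dynamic, addr, state in ADJCHANGE.findall(log):
        if not dynamic:
            continue  # static neighbors are pinned by configuration
        if state == "Up":
            up.add(addr)
        else:
            up.discard(addr)
    return {
        "unexpected": sorted(up - expected),  # admitted but not in inventory
        "missing": sorted(expected - up),     # in inventory but not re-established
    }

if __name__ == "__main__":
    print(review_dynamic_peers(SAMPLE_LOG, EXPECTED_DYNAMIC))
```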
DN Debugs
If there is a problem with dynamic peers, you can use debugs to see more information about the issue
Spine-01#debug bgp all range detail
Spine-01#sh debugging
IP routing:
BGP dynamic range debugging is on with detail (Dynamic neighbor details only) <-- Only debug DN type neighbors
Spine-01(config)#router bgp 65001
Spine-01(config-router)# address-family l2vpn evpn
Spine-01(config-router-af)# neighbor DN-GROUP activate
% BGP: Dynamic peergroup DN-GROUP does not reset session by default and requires manual reset if this peer-group is also activated under another address-family
*May 16 18:29:53.744: BGP:DN: Peergroup DN-GROUP is activated for Dynamic Neighbors for L2VPN E-VPN <-- Debug event
Spine-01#clear ip bgp *
*May 16 18:31:34.806: %BGP-3-NOTIFICATION_MANY: sent to 5 sessions 6/4 (Administrative Reset) for all peers
*May 16 18:31:34.806: BGP:DN: free: *172.16.255.3
*May 16 18:31:34.806: BGP:DN: free: *172.16.255.4
*May 16 18:31:34.806: BGP:DN: free: *172.16.255.5
*May 16 18:31:34.807: BGP:DN: free: *172.16.255.6
*May 16 18:31:43.855: BGP:DN: validating TCP SYN from 172.16.255.5: in range 172.16.255.0/29, val =0, peer-group = DN-GROUP <-- Validate a TCP SYN from peer (in DN Range?)
*May 16 18:31:43.856: BGP: 172.16.255.5 passive open to 172.16.255.1
*May 16 18:31:43.856: BGP:DN: passive open ACCEPT - TCP session : tcb=0x7263248098B8,context 0x726317305E20, ctx_group name 172.16.255.0/29, tcb->foreign=172.16.255.5, magic_cookie=0xFEEDFACE <-- Accept BGP OPEN
*May 16 18:31:43.856: BGP:DN: group->prefix_length=24, group->prefix=172.16.255.0
*May 16 18:31:43.856: BGP:DN: 172.16.255.5 get_rc_shim_transport_group: range group =172.16.255.0/29, group address = 0x726317305E20
*May 16 18:31:43.856: BGP:DN: init dynamic neighbor for peergroup DN-GROUP in L2VPN Evpn
*May 16 18:31:43.856: BGP:DN: Created a new neighbor *172.16.255.5 in range 172.16.255.0/29, peer-group DN-GROUP, count= 0 <-- Create this neighborship
*May 16 18:31:43.856: BGP:DN: accepted: nbr *172.16.255.5/7263245A3508 peer-grp: DN-GROUP/726317306460 <-- Peering is completed
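Note: The other 3 peers have the same debug results, so they are not shown here.
Static Neighbors
If a neighbor was previously created dynamically, it cannot be converted to static.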
Spine-01(config-router)#neighbor 172.16.255.3 remote-as 65001
% Cannot configure for dynamically created neighbor
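You can use this command in router BGP mode to exclude a neighbor from the DN range. This allows a mix of static and dynamic peers within the DN subnet range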
router bgp 65001
bgp listen block 172.16.255.3
Related Information