Security : Cisco ASA 5500 Series Adaptive Security Appliances

ASA Border Gateway Protocol Configuration Example

August 28, 2015 - Machine translation

Introduction

This document describes the steps required to enable Border Gateway Protocol (BGP) routing (eBGP/iBGP), set up the BGP routing process, configure general BGP parameters and route filtering on the Adaptive Security Appliance (ASA), and troubleshoot neighborship-related problems. This feature was introduced in ASA software Version 9.2.1.

Contributed by Mohammed Alhyari, Magnus Mortensen, and Dinkar Sharma, Cisco TAC Engineers.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

Components Used

This document is based on the Cisco ASA 5500-X Series Firewall that runs Cisco ASA Software Version 9.2.1.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Background Information

Guidelines and Limitations

  • The BGP IPv4 address family is supported in single mode and in multiple mode.
  • Multiple mode is equivalent to Cisco IOS BGP VPNv4 (VPN Routing and Forwarding (VRF) address family). Per-context router BGP is similar to the per-VRF IPv4 address family in Cisco IOS.
  • Only one autonomous system (AS) number is supported for all contexts, similar to one global AS for all address families in Cisco IOS.
  • The AS number should be configured with the router bgp <as_num> command, which can be used in order to enable the address family for each context.
  • BGP has six processes that support all contexts, and details are available with the show process command. These processes are BGP Task, BGP Scheduler, BGP Scanner, BGP Router, BGP I/O, and BGP Event.
    ASA-1(config)# show proc | in BGP
    Mwe 0x00000000010120d0 0x00007ffecc8ca5c8 0x0000000006136380 0 0x00007ffecc8c27c0 29432/32768 BGP Task
    Mwe 0x0000000000fb3acd 0x00007ffecba47b48 0x0000000006136380 11 0x00007ffecba3fd00 31888/32768 BGP Scheduler
    Lwe 0x0000000000fd3e40 0x00007ffecd3373e8 0x0000000006136380 26 0x00007ffecd32f5f0 30024/32768 BGP Scanner
    Mwe 0x0000000000fd70b9 0x00007ffecd378cd8 0x0000000006136380 10 0x00007ffecd370eb0 28248/32768 BGP Router
    Mwe 0x0000000000fc9f84 0x00007ffecd32f3e8 0x0000000006136380 2 0x00007ffecd3275a0 30328/32768 BGP I/O
    Mwe 0x000000000100c125 0x00007ffecd33f458 0x0000000006136380 0 0x00007ffecd337640 32032/32768 BGP Event
  • The system context holds the global configuration for all address families, similar to Cisco IOS, where the global configuration is common to all contexts.
  • Configuration that controls best-path computation, neighbor logging, TCP path maximum transmission unit (MTU) discovery, the global keepalive and hold-time timers, and so on, is available in the system context in router bgp command mode.
  • BGP policy commands are supported in address-family mode per user context.
  • All standard community and path attributes are supported.
  • Remotely triggered black hole (RTBH) with a static null0 route configuration is supported.
  • Next-hop information is added to the input routing table in the network processor (NP). Previously this was available only in the output routing table. This change was made in order to support the addition of BGP routes to the NP forwarding table (because BGP routes do not have an egress interface identified in the CP, there is no way to determine which output routing table to update with the next-hop information).
  • Recursive route lookup is supported.
  • Redistribution with other protocols such as connected, static, Routing Information Protocol (RIP), Open Shortest Path First (OSPF), and Enhanced Interior Gateway Routing Protocol (EIGRP) is supported.
  • The no router bgp <as_no> [with confirmation prompt] command removes the BGP configuration in all contexts.
  • Route control databases such as route-map, access-list, prefix-list, attribute-list, and AS-path access-list are virtualized and available per context.
  • A new command, show asp table routing address <addr> resolved, is introduced in order to display recursively resolved BGP routes in the NP forwarding table.
  • A new command, show bgp system-config, is introduced in multiple mode in order to display the system context BGP configuration.
  • The ASA still does not support BGP with IPv6.
  • BGP is not supported with clustering.

BGP and Memory Usage

The show route summary command is used in order to obtain the memory usage of each routing protocol.

BGP and Failover

  • BGP is supported in Active/Standby and Active/Active HA configurations.
  • Only the active unit listens on TCP port 179 for BGP connections from peers.
  • The standby unit does not take part in BGP peering on TCP port 179; it neither listens on that port nor maintains BGP tables.
  • BGP route additions and deletions are replicated from the active unit to the standby unit.
  • On failover, the new active unit listens on TCP port 179 and initiates BGP adjacency establishment with the peers.
  • Without Nonstop Forwarding (NSF), adjacency establishment with the peers takes time after a failover, during which BGP routes are not learned from the peers. The delay depends on the next BGP keepalive (default 60 seconds) from the peer, to which the ASA responds with a reset (RST); this terminates the old connection on the peer end, and a new connection is then established.
  • During the BGP reconvergence period, the new active unit continues to forward traffic with the previously replicated routes.
  • The BGP reconvergence timer is currently set to 210 seconds (the show route failover command displays the timer value) in order to give BGP sufficient time to establish adjacencies and exchange routes with its peers.
  • After the BGP reconvergence timer expires, all stale BGP routes are purged from the routing information base (RIB).
  • The BGP router ID is synchronized from the active unit to the standby unit. BGP router ID computation is disabled on the standby unit.
  • The write standby command is strongly discouraged, because bulk sync does not occur in that case, which results in the loss of dynamic routes on the standby unit.

Recursive Route Resolution

  • Egress interface information for BGP routes is not available in the CP (a direct consequence of the fact that, unlike with other routing protocols, BGP neighbors might be multiple hops away).
  • BGP routes with next-hop information are added to the NP input routing table, but they are not resolved there.
  • When the first packet of a flow enters the ASA in the slow path and matches a BGP route prefix, the route is resolved and the egress interface is determined by a recursive lookup in the NP input routing table.
  • Whenever the routing table changes (from the CP), the context-specific routing table timestamp is incremented.
  • When the next packet of a flow enters the ASA in the fast path and matches a BGP route, the ASA compares the timestamp of the route entry with the context-specific routing table timestamp. If the two timestamps do not match, the recursive route resolution process starts again, and the route entry timestamp is updated to match the routing table timestamp. You can verify the timestamps with the show asp table routing command: the show asp table routing address <route> command displays the timestamp of a specific route entry, and the show asp table routing command displays the routing table timestamp.
  • When you enter the show asp table routing address <addr> resolved command, the recursive route resolution process for the destination prefix might be forced.
  • The depth of the recursive route lookup is currently limited to four. Packets that require lookups beyond four are dropped with the drop reason "No route to host (no-route)", and there is no special drop reason for a recursive lookup failure.
  • Recursive route resolution is supported only for BGP routes (not for static routes).
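To make the resolution rules above concrete, here is an added Python model of the recursive lookup (example code written for this page, not ASA code). It assumes the depth limit of four and the no-route drop reason described above, and that a BGP route carries a next hop but no egress interface. The routing table contents are constructed: the connected 203.0.113.0/24 and BGP 10.10.10.0/24 entries are taken from the show asp table routing output later in this document, and the remaining entries are invented to build a chain that is exactly four lookups deep and one that is five.

```python
"""Model of the ASA's recursive next-hop resolution for BGP routes.
Added example for this page, not Cisco code. Assumptions: a BGP route
carries a next hop but no egress interface, at most four recursive lookups
are allowed, and a table change bumps a timestamp that forces re-resolution."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

MAX_DEPTH = 4  # page: recursive lookup depth is currently limited to four


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    interface: Optional[str] = None          # None: egress unknown (BGP route)
    next_hop: Optional[ipaddress.IPv4Address] = None
    resolved_iface: Optional[str] = None     # result of the last resolution
    timestamp: int = -1                      # table timestamp at that resolution


@dataclass
class RoutingTable:
    routes: List[Route] = field(default_factory=list)
    timestamp: int = 0                       # incremented on every CP change

    def add_connected(self, prefix: str, iface: str) -> None:
        self.routes.append(Route(ipaddress.ip_network(prefix), interface=iface))
        self.timestamp += 1

    def add_bgp(self, prefix: str, next_hop: str) -> None:
        self.routes.append(Route(ipaddress.ip_network(prefix),
                                 next_hop=ipaddress.ip_address(next_hop)))
        self.timestamp += 1

    def lookup(self, addr) -> Optional[Route]:
        """Longest-prefix match."""
        addr = ipaddress.ip_address(addr)
        best = None
        for r in self.routes:
            if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best

    def resolve(self, route: Route):
        """Follow next hops until a route with an interface is found.
        Returns (interface, lookups_used); interface is None on failure."""
        cur, depth = route, 0
        while cur.interface is None:
            if depth == MAX_DEPTH or cur.next_hop is None:
                return None, depth           # beyond the limit: dropped as no-route
            nxt = self.lookup(cur.next_hop)
            if nxt is None or nxt is cur:    # no route, or the route points at itself
                return None, depth
            cur, depth = nxt, depth + 1
        return cur.interface, depth

    def forward(self, dst: str) -> str:
        """Fast-path decision for a packet to dst: interface name or drop reason."""
        route = self.lookup(dst)
        if route is None:
            return "drop: no-route"
        if route.interface is not None:
            return route.interface
        if route.timestamp != self.timestamp:   # stale entry: resolve again
            route.resolved_iface, _ = self.resolve(route)
            route.timestamp = self.timestamp
        return route.resolved_iface or "drop: no-route"


def build_sample_table() -> RoutingTable:
    """Constructed table: two entries from the page's output, the rest invented."""
    t = RoutingTable()
    t.add_connected("203.0.113.0/24", "outside")   # from the page
    t.add_bgp("10.10.10.0/24", "203.0.113.2")      # from the page, resolves in 1 lookup
    t.add_bgp("198.19.0.0/24", "203.0.113.2")      # constructed chain below
    t.add_bgp("198.18.0.0/24", "198.19.0.1")
    t.add_bgp("192.0.2.0/24", "198.18.0.1")
    t.add_bgp("10.20.0.0/16", "192.0.2.1")         # needs exactly four lookups
    t.add_bgp("10.30.0.0/16", "10.20.0.1")         # would need five: dropped
    return t


if __name__ == "__main__":
    table = build_sample_table()
    for dst in ("10.10.10.5", "10.20.1.1", "10.30.1.1"):
        print(dst, "->", table.forward(dst))
```

On a real ASA the same re-resolution can be forced for one prefix with show asp table routing address <addr> resolved; in the model, adding any route bumps the table timestamp, and the next packet for a BGP prefix resolves again rather than trusting the cached egress interface.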

BGP Finite State Machine Operation

BGP peers transition through several states before they become adjacent neighbors and exchange routing information. In each state, before they proceed to the next one, the peers must send and receive messages, process the message data, and initialize resources. This process is called the BGP Finite State Machine (FSM). If the process fails at any point, the session is torn down and the peers transition back to the Idle state and begin the process again. Each time the session is torn down, all routes from the unavailable peer are removed from the table, which causes downtime.

  1. Idle - The ASA searches the routing table in order to find out whether a route exists to reach the neighbor.
  2. Connect - The ASA found a route to the neighbor and completes the three-way handshake.
  3. Active - The ASA did not receive agreement on the parameters of establishment.
  4. Open Sent - An Open message with the parameters for the BGP session is sent.
  5. Open Confirm - The ASA received agreement on the parameters for the established session.
  6. Established - Peering is established and routing begins.
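The six states above, as an added Python model (example code for this page, not ASA code). The event names are assumptions chosen to match the page's description of each state; the rule that a failure at any point returns the session to Idle and removes the peer's routes is the one the page states.

```python
"""Minimal BGP finite state machine following the page's six states.
Added example, not ASA code. Event names are assumptions; the teardown
rule (any failure -> Idle, peer's routes removed) is the one the page states."""

STATES = ("Idle", "Connect", "Active", "OpenSent", "OpenConfirm", "Established")

# (current state, event) -> next state. Anything not listed is a failure.
TRANSITIONS = {
    ("Idle", "start"): "Connect",                  # route to neighbor exists, try TCP
    ("Connect", "tcp_established"): "OpenSent",    # 3-way handshake done, OPEN sent
    ("Connect", "tcp_failed"): "Active",           # no agreement yet, keep trying
    ("Active", "tcp_established"): "OpenSent",
    ("OpenSent", "open_received"): "OpenConfirm",  # peer's OPEN parameters accepted
    ("OpenConfirm", "keepalive_received"): "Established",
    ("Established", "keepalive_received"): "Established",
    ("Established", "update_received"): "Established",
}


class BgpSession:
    def __init__(self, neighbor: str):
        self.neighbor = neighbor
        self.state = "Idle"
        self.routes = set()          # prefixes learned from this peer
        self.history = ["Idle"]      # every state visited, for inspection

    def feed(self, event: str, prefixes=()) -> str:
        """Apply one event; returns the new state."""
        nxt = TRANSITIONS.get((self.state, event))
        if nxt is None:
            # Failure at any point: session torn down, back to Idle, and all
            # routes from this peer are withdrawn (the downtime the page mentions).
            self.routes.clear()
            nxt = "Idle"
        elif event == "update_received":
            self.routes.update(prefixes)
        self.state = nxt
        self.history.append(nxt)
        return nxt

    def replay(self, events) -> str:
        for ev in events:
            self.feed(ev)
        return self.state


def bring_up(neighbor: str) -> BgpSession:
    """Happy path: Idle -> Connect -> OpenSent -> OpenConfirm -> Established."""
    s = BgpSession(neighbor)
    s.replay(["start", "tcp_established", "open_received", "keepalive_received"])
    return s


if __name__ == "__main__":
    s = bring_up("203.0.113.2")
    s.feed("update_received", {"10.10.10.0/24", "172.16.30.0/24"})
    print(s.state, sorted(s.routes))
    s.feed("notification")          # peer sent NOTIFICATION: session torn down
    print(s.state, sorted(s.routes), s.history)
```

The history list is what you would compare against the "went from X to Y" lines of debug ip bgp events when a neighborship stalls: the last state reached tells you which exchange failed.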

Configure

eBGP Configuration

BGP runs between routers in different autonomous systems. By default, when peering in eBGP (between two different autonomous systems (ASes)), the IP TTL is set to 1, which means the peers are assumed to be directly connected. In that case, when the packet crosses a router, the TTL becomes 0 and the packet is dropped there. When the two neighbors are not directly connected (for example, when peering between loopback interfaces, or when the devices are multiple hops away), you need to add the neighbor x.x.x.x ebgp-multihop <TTL> command. Otherwise the BGP neighborship is not established. Also, unlike iBGP, an eBGP peer advertises all the best routes it knows or has learned from its peers (whether eBGP or iBGP peers).

Network Diagram

ASA-1 Configuration

router bgp 100
 bgp log-neighbor-changes
 bgp bestpath compare-routerid
 address-family ipv4 unicast
  neighbor 203.0.113.2 remote-as 200
  neighbor 203.0.113.2 activate
  network 192.168.10.0 mask 255.255.255.0
  network 172.16.20.0 mask 255.255.255.0
  network 10.106.44.0 mask 255.255.255.0
  no auto-summary
  no synchronization
 exit-address-family
!

ASA-2 Configuration

router bgp 200
 bgp log-neighbor-changes
 bgp bestpath compare-routerid
 address-family ipv4 unicast
  neighbor 203.0.113.1 remote-as 100
  neighbor 203.0.113.1 activate
  network 10.10.10.0 mask 255.255.255.0
  network 10.180.10.0 mask 255.255.255.0
  network 172.16.30.0 mask 255.255.255.0
  no auto-summary
  no synchronization
 exit-address-family
!

iBGP Configuration

In iBGP, there is no restriction that the neighbors must be directly connected. However, an iBGP peer does not advertise a prefix that it learned from one iBGP peer to another iBGP peer. This restriction exists in order to avoid loops within the same AS. To clarify: when a route is passed to an eBGP peer, the local AS number is added to the AS path of the prefix, so if we later receive the same update with our own AS in the AS path, we know that it is a loop and the update is discarded. However, when a route is advertised to an iBGP peer, the local AS number is not added to the AS path, because the peer is in the same AS.

Network Diagram

ASA-1 Configuration

router bgp 100
 bgp log-neighbor-changes
 bgp bestpath compare-routerid
 address-family ipv4 unicast
  neighbor 203.0.113.2 remote-as 100
  neighbor 203.0.113.2 activate
  network 192.168.10.0 mask 255.255.255.0
  network 172.16.20.0 mask 255.255.255.0
  network 10.106.44.0 mask 255.255.255.0
  no auto-summary
  no synchronization
 exit-address-family
!

ASA-2 Configuration

router bgp 100
 bgp log-neighbor-changes
 bgp bestpath compare-routerid
 address-family ipv4 unicast
  neighbor 203.0.113.1 remote-as 100
  neighbor 203.0.113.1 activate
  network 10.10.10.0 mask 255.255.255.0
  network 10.180.10.0 mask 255.255.255.0
  network 172.16.30.0 mask 255.255.255.0
  no auto-summary
  no synchronization
 exit-address-family
!

Differences Between eBGP and iBGP

  • eBGP peering is between two different ASes, while iBGP peering is within the same AS.
  • Routes learned from an eBGP peer are advertised to other peers (eBGP or iBGP). However, routes learned from an iBGP peer are not advertised to other iBGP peers.
  • By default, eBGP peers set TTL=1, which means the neighbor is assumed to be directly connected; this is not the case for iBGP. In order to change this behavior for eBGP, enter the neighbor x.x.x.x ebgp-multihop <TTL> command. The multihop term is used only in eBGP.
  • eBGP routes have an administrative distance of 20, while iBGP routes have 200.
  • When a route is advertised to an iBGP peer, the next hop remains unchanged. However, by default it changes when the route is advertised to an eBGP peer.
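The advertisement rules in the iBGP section and the list above, as an added Python simulation (example code for this page, not ASA code). ASA-1 (AS 100) and ASA-2 (AS 200) and their addresses are the page's; the two extra AS 100 routers chained behind ASA-1 are constructed so that the iBGP-to-iBGP restriction, the AS-path loop check, the next-hop behavior and the 20/200 distances can all be observed in one run.

```python
"""Simulation of the eBGP/iBGP advertisement rules listed above.
Added example, not ASA code. The extra AS 100 routers are constructed; the
rules (AS prepend and next-hop change only towards eBGP, no iBGP-to-iBGP
re-advertisement, own AS in AS_PATH = loop, distances 20/200) are the page's."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

EBGP_DISTANCE, IBGP_DISTANCE = 20, 200


@dataclass
class Path:
    prefix: str
    next_hop: str
    as_path: Tuple[int, ...]     # leftmost AS was prepended most recently
    learned_from: str            # "local", "ebgp" or "ibgp"
    distance: int


@dataclass
class Router:
    name: str
    asn: int
    address: str
    rib: Dict[str, Path] = field(default_factory=dict)
    peers: Dict[str, "Router"] = field(default_factory=dict)
    rejected: List[Tuple[str, str]] = field(default_factory=list)  # (sender, prefix)

    def originate(self, prefix: str) -> None:
        self.rib[prefix] = Path(prefix, self.address, (), "local", 0)

    def peer_with(self, other: "Router") -> None:
        self.peers[other.name] = other
        other.peers[self.name] = self

    def is_ebgp(self, peer: "Router") -> bool:
        return peer.asn != self.asn

    def advertise_all(self) -> None:
        for peer in self.peers.values():
            for path in list(self.rib.values()):
                self.send(path, peer)

    def send(self, path: Path, peer: "Router") -> None:
        ebgp = self.is_ebgp(peer)
        if path.learned_from == "ibgp" and not ebgp:
            return                                   # iBGP-learned: not to other iBGP peers
        as_path = (self.asn,) + path.as_path if ebgp else path.as_path   # prepend only to eBGP
        next_hop = self.address if ebgp else path.next_hop               # next hop kept for iBGP
        peer.receive(Path(path.prefix, next_hop, as_path,
                          "ebgp" if ebgp else "ibgp",
                          EBGP_DISTANCE if ebgp else IBGP_DISTANCE), sender=self)

    def receive(self, path: Path, sender: "Router") -> None:
        if self.asn in path.as_path:                 # our own AS in the path: loop, discard
            self.rejected.append((sender.name, path.prefix))
            return
        cur = self.rib.get(path.prefix)
        if cur is None or path.distance < cur.distance:
            self.rib[path.prefix] = path


def run_scenario():
    """ASA-2 (AS 200) originates 10.10.10.0/24 towards ASA-1 (AS 100), which has
    two iBGP peers chained behind it (constructed)."""
    asa1 = Router("ASA-1", 100, "203.0.113.1")
    asa1b = Router("ASA-1b", 100, "203.0.113.3")
    asa1c = Router("ASA-1c", 100, "203.0.113.4")
    asa2 = Router("ASA-2", 200, "203.0.113.2")
    asa2.peer_with(asa1)
    asa1.peer_with(asa1b)
    asa1b.peer_with(asa1c)
    asa2.originate("10.10.10.0/24")
    asa2.advertise_all()   # eBGP: AS 200 prepended, next hop = 203.0.113.2
    asa1.advertise_all()   # iBGP to ASA-1b (path and next hop kept); back to ASA-2 = loop
    asa1b.advertise_all()  # iBGP-learned route is not passed on to ASA-1c
    return asa1, asa1b, asa1c, asa2


if __name__ == "__main__":
    a1, a1b, a1c, a2 = run_scenario()
    for r in (a1, a1b, a1c):
        print(r.name, r.rib.get("10.10.10.0/24"))
    print("rejected as loops at ASA-2:", a2.rejected)
```

The run shows why a full mesh (or route reflectors) is needed inside an AS: ASA-1c never learns the prefix, because ASA-1b received it over iBGP and may not pass it to another iBGP peer.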

ebgp-multihop

The ASA has a BGP neighborship with another ASA that is one hop away. For the neighborship, you need to make sure that there is connectivity between the neighbors. Ping in order to confirm connectivity. Make sure that TCP port 179 is allowed in both directions between the devices.

ASA-1 Configuration

router bgp 100
 bgp log-neighbor-changes
 bgp bestpath compare-routerid
 address-family ipv4 unicast
  neighbor 198.51.100.1 remote-as 200
  neighbor 198.51.100.1 ebgp-multihop 2
  neighbor 198.51.100.1 activate
  network 192.168.10.0 mask 255.255.255.0
  network 10.106.44.0 mask 255.255.255.0
  network 172.16.20.0 mask 255.255.255.0
  no auto-summary
  no synchronization
 exit-address-family
!

ASA-2 Configuration

router bgp 200
 bgp log-neighbor-changes
 bgp bestpath compare-routerid
 address-family ipv4 unicast
  neighbor 203.0.113.1 remote-as 100
  neighbor 203.0.113.1 ebgp-multihop 2
  neighbor 203.0.113.1 activate
  network 10.10.10.0 mask 255.255.255.0
  network 10.180.10.0 mask 255.255.255.0
  network 172.16.30.0 mask 255.255.255.0
  no auto-summary
  no synchronization
 exit-address-family
!

BGP Route Filtering

With BGP you can control the routing updates that are sent and received. In this example, routing updates for the network prefix 172.16.30.0/24, which is behind ASA-2, are blocked. For route filtering, you can use only standard ACLs.

access-list bgp-in line 1 standard deny 172.16.30.0 255.255.255.0
access-list bgp-in line 2 standard permit any4


router bgp 100
 bgp log-neighbor-changes
 bgp bestpath compare-routerid
 address-family ipv4 unicast
  neighbor 203.0.113.2 remote-as 200
  neighbor 203.0.113.2 activate
  network 192.168.10.0 mask 255.255.255.0
  network 172.16.20.0 mask 255.255.255.0
  network 10.106.44.0 mask 255.255.255.0
  distribute-list bgp-in in
  no auto-summary
  no synchronization
 exit-address-family
!

Check the routing table.

ASA-1(config)# show bgp cidr-only

BGP table version is 6, local router ID is 203.0.113.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop        Metric LocPrf Weight  Path
*> 10.10.10.0/24    203.0.113.2          0             0  200 i
*> 10.106.44.0/24   0.0.0.0              0         32768  i
*> 10.180.10.0/24   203.0.113.2          0             0  200 i
*> 172.16.20.0/24   0.0.0.0              0         32768  i
*> 192.168.10.0/16  0.0.0.0              0         32768  i

Verify the access control list (ACL) hit counts.

ASA-1(config)# show access-list bgp-in
access-list bgp-in; 2 elements; name hash: 0x3f99de19
access-list bgp-in line 1 standard deny 172.16.30.0 255.255.255.0 (hitcnt=1) 0xb5abad25
access-list bgp-in line 2 standard permit any4 (hitcnt=4) 0x59d08160

Similarly, you can use an ACL in order to filter what is sent, with the "out" keyword in the distribute-list command.
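To show what the distribute-list above actually does to received updates, here is an added Python model of a standard ACL applied as a BGP distribute-list (example code for this page, not ASA code). The two ACL lines are the page's; the list of received prefixes is constructed. The model uses first-match semantics with an implicit deny at the end, and, as with standard ACLs generally, compares only the network address under the mask, not the prefix length.

```python
"""Model of a standard ACL used as a BGP distribute-list, as on the page.
Added example, not ASA code. The two ACL lines are the page's; the route
list fed through it is constructed. Matching is first-match with an implicit
deny, and only the network address is compared under the mask."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ACL_LINES = [  # from the page
    "access-list bgp-in line 1 standard deny 172.16.30.0 255.255.255.0",
    "access-list bgp-in line 2 standard permit any4",
]


@dataclass
class StandardAce:
    action: str                                  # "permit" or "deny"
    network: Optional[ipaddress.IPv4Address]     # None means any4
    mask: Optional[ipaddress.IPv4Address]
    hitcnt: int = 0                              # mirrors (hitcnt=N) in show access-list

    def matches(self, addr: ipaddress.IPv4Address) -> bool:
        if self.network is None:
            return True
        m = int(self.mask)
        return (int(addr) & m) == (int(self.network) & m)


def parse_acl(lines: List[str]) -> List[StandardAce]:
    """Parse 'access-list NAME [line N] standard ACTION (any4 | NET MASK)'."""
    acl = []
    for line in lines:
        tok = line.split()
        if tok[2] == "line":                     # drop the optional 'line N'
            tok = tok[:2] + tok[4:]
        if tok[2] != "standard":
            raise ValueError("only standard ACLs can be used for BGP route filtering")
        action = tok[3]
        if tok[4] == "any4":
            acl.append(StandardAce(action, None, None))
        else:
            acl.append(StandardAce(action, ipaddress.ip_address(tok[4]),
                                   ipaddress.ip_address(tok[5])))
    return acl


def apply_distribute_list(acl: List[StandardAce], prefixes: List[str]) -> List[str]:
    """Return the prefixes that pass the ACL; update hit counts as the ASA would."""
    accepted = []
    for p in prefixes:
        net = ipaddress.ip_network(p)
        for ace in acl:
            if ace.matches(net.network_address):
                ace.hitcnt += 1
                if ace.action == "permit":
                    accepted.append(p)
                break                            # first match wins; no match = deny
    return accepted


if __name__ == "__main__":
    acl = parse_acl(ACL_LINES)
    received = ["10.10.10.0/24", "10.180.10.0/24", "172.16.30.0/24", "172.16.30.128/25"]
    print("accepted:", apply_distribute_list(acl, received))
    for i, ace in enumerate(acl, 1):
        print(f"line {i} {ace.action} hitcnt={ace.hitcnt}")
```

The constructed 172.16.30.128/25 route is also dropped, because the deny line matches on the network address only; keep that in mind when you write a deny entry for a prefix whose more-specific routes you still want to accept.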

ASA BGP Configuration in Multiple Contexts

BGP is supported in multiple contexts. With multiple contexts, you first need to define the BGP router process in the system context. If you try to create a BGP process in a context without first defining it in the system context, you receive this error.

ASA-1/admin(config)# router bgp 100
%BGP process cannot be created in non-system context
ERROR: Unable to create router process

First we need to define it in the system context.

ASA-1/admin(config)#changeto context system
ASA-1(config)# router bgp 100
ASA-1(config-router)#exit

Now create the BGP process in the admin context.

ASA-1(config)#changeto context admin
ASA-1/admin(config)# router bgp 100
ASA-1/admin(config-router)#

Verify

Verify eBGP Neighborship

Verify the TCP connection on port 179.

ASA-1(config)# show asp table socket

Protocol  Socket    State      Local Address                    Foreign Address
SSL       00001478  LISTEN     172.16.20.1:443                  0.0.0.0:*
TCP       000035e8  LISTEN     203.0.113.1:179                  0.0.0.0:*
TCP       00005cd8  ESTAB      203.0.113.1:44368                203.0.113.2:179
SSL       00006658  LISTEN     10.106.44.221:443                0.0.0.0:*

Show the BGP neighbors.

ASA-1(config)# show bgp neighbors

BGP neighbor is 203.0.113.2,  context single_vf,  remote AS 200, external link >> eBGP
  BGP version 4, remote router ID 203.0.113.2
  BGP state = Established, up for 00:04:42
  Last read 00:00:13, last write 00:00:17, hold time is 180, keepalive interval is
60 seconds

  Neighbor sessions:
    1 active, is not multisession capable (disabled)
  Neighbor capabilities:
    Route refresh: advertised and received(new)
    Four-octets ASN Capability: advertised and received
    Address family IPv4 Unicast: advertised and received
    Multisession Capability:
  Message statistics:
    InQ depth is 0
    OutQ depth is 0

                   Sent       Rcvd
    Opens:         1          1
    Notifications: 0          0
    Updates:       2          2
    Keepalives:    5          5
    Route Refresh: 0          0
    Total:         8          8
  Default minimum time between advertisement runs is 30 seconds

 For address family: IPv4 Unicast
  Session: 203.0.113.2
  BGP table version 7, neighbor version 7/0
  Output queue size : 0
  Index 1
  1 update-group member
                           Sent       Rcvd
  Prefix activity:         ----       ----
    Prefixes Current:      3          3          (Consumes 240 bytes)
    Prefixes Total:        3          3
    Implicit Withdraw:     0          0
    Explicit Withdraw:     0          0
    Used as bestpath:      n/a        3
    Used as multipath:     n/a        0

                                Outbound    Inbound
  Local Policy Denied Prefixes: --------    -------
    Bestpath from this peer:     3          n/a
    Total:                       3          0
  Number of NLRIs in the update sent: max 3, min 0

  Address tracking is enabled, the RIB does have a route to 203.0.113.2
  Connections established 1; dropped 0
  Last reset never
  Transport(tcp) path-mtu-discovery is enabled
  Graceful-Restart is disabled

BGP Routes

ASA-1 Configuration

ASA-1(config)# show route bgp

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 10.106.44.1 to network 0.0.0.0

B        10.10.10.0 255.255.255.0 [20/0] via 203.0.113.2, 00:05:48
B        10.180.10.0 255.255.255.0 [20/0] via 203.0.113.2, 00:05:48
B        172.16.30.0 255.255.255.0 [20/0] via 203.0.113.2, 00:05:48

ASA-2 Configuration

ASA-2# show route bgp

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

B        10.106.44.0 255.255.255.0 [20/0] via 203.0.113.1, 00:36:32
B        172.16.20.0 255.255.255.0 [20/0] via 203.0.113.1, 00:36:32
B        192.168.10.0 255.255.255.0 [20/0] via 203.0.113.1, 00:36:32

In order to see the routes for a specific AS number, enter the show route bgp <AS-No.> command.

ASA-1(config)# show route bgp ?

exec mode commands/options:
  100  Autonomous system number
  |    Output modifiers
  <cr>

Details of a Specific eBGP Route

ASA-1(config)# show route 172.16.30.0

Routing entry for 172.16.30.0 255.255.255.0
  Known via "bgp 100", distance 20, metric 0
  Tag 200, type external
  Last update from 203.0.113.2 0:09:43 ago
  Routing Descriptor Blocks:
  * 203.0.113.2, from 203.0.113.2, 0:09:43 ago
      Route metric is 0, traffic share count is 1
      AS Hops 1-----------------------------------> ASA HOP is one
      Route tag 200
      MPLS label: no label string provided
ASA-1(config)# show bgp cidr-only

BGP table version is 7, local router ID is 203.0.113.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop        Metric LocPrf Weight  Path
*> 10.10.10.0/24    203.0.113.2          0             0  200 i
*> 10.106.44.0/24   0.0.0.0              0         32768  i
*> 10.180.10.0/24   203.0.113.2          0             0  200 i
*> 172.16.20.0/24   0.0.0.0              0         32768  i
*> 172.16.30.0/24   203.0.113.2          0             0  200 i

BGP Summary

ASA-1(config)# show bgp summary
BGP router identifier 203.0.113.1, local AS number 100
BGP table version is 7, main routing table version 7
6 network entries using 1200 bytes of memory
6 path entries using 480 bytes of memory
2/2 BGP path/bestpath attribute entries using 416 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 2120 total bytes of memory
BGP activity 6/0 prefixes, 6/0 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
203.0.113.2     4          200 16      17             7    0    0 00:14:19  3

In Version 9.2, a new command, show route summary, was introduced.

ASA-1(config)# show route summary

IP routing table maximum-paths is 3
Route Source    Networks    Subnets     Replicates  Overhead    Memory (bytes)
connected       0           8           0           704         2304
static          2           5           0           616         2016
ospf 1          0           0           0           0           0
  Intra-area: 0 Inter-area: 0 External-1: 0 External-2: 0
  NSSA External-1: 0 NSSA External-2: 0
bgp 100         0           3           0           264         864
  External: 3 Internal: 0 Local: 0
internal        7                                               3176
Total           9           16          0           1584        8360

Verify iBGP Neighborship

ASA-1(config)# show bgp neighbors

BGP neighbor is 203.0.113.2,  context single_vf,  remote AS 100, internal link >> iBGP
  BGP version 4, remote router ID 203.0.113.2
  BGP state = Established, up for 00:02:19
  Last read 00:00:13, last write 00:00:17, hold time is 180, keepalive interval is
60 seconds
  Neighbor sessions:
    1 active, is not multisession capable (disabled)
  Neighbor capabilities:
    Route refresh: advertised and received(new)
    Four-octets ASN Capability: advertised and received
    Address family IPv4 Unicast: advertised and received
    Multisession Capability:
  Message statistics:
    InQ depth is 0
    OutQ depth is 0

                   Sent       Rcvd
    Opens:         1          1
    Notifications: 0          0
    Updates:       2          2
    Keepalives:    5          5
    Route Refresh: 0          0
    Total:         8          8
  Default minimum time between advertisement runs is 30 seconds

 For address family: IPv4 Unicast
  Session: 203.0.113.2
  BGP table version 7, neighbor version 7/0
  Output queue size : 0
  Index 1
  1 update-group member
                           Sent       Rcvd
  Prefix activity:         ----       ----
    Prefixes Current:      3          3          (Consumes 240 bytes)
    Prefixes Total:        3          3
    Implicit Withdraw:     0          0
    Explicit Withdraw:     0          0
    Used as bestpath:      n/a        3
    Used as multipath:     n/a        0

                                Outbound    Inbound
  Local Policy Denied Prefixes: --------    -------
    Bestpath from this peer:     3          n/a
    Total:                       3          0
  Number of NLRIs in the update sent: max 3, min 0

  Address tracking is enabled, the RIB does have a route to 203.0.113.2
  Connections established 1; dropped 0
  Last reset never
  Transport(tcp) path-mtu-discovery is enabled
  Graceful-Restart is disabled

Details of a Specific iBGP Route

ASA-1(config)# show route 172.16.30.0

Routing entry for 172.16.30.0 255.255.255.0
  Known via "bgp 100", distance 20, metric 0, type internal
  Last update from 203.0.113.2 0:07:05 ago
  Routing Descriptor Blocks:
  * 203.0.113.2, from 203.0.113.2, 0:07:05 ago
      Route metric is 0, traffic share count is 1
      AS Hops 0 -------------------->> ASA HOP is 0 as it's internal route
      MPLS label: no label string provided

TTL Value of BGP Packets

By default, BGP neighbors must be directly connected. That is because the TTL value of BGP packets is always 1 (by default). Hence, if the BGP neighbor is not directly connected, you need to define the BGP multihop value, which depends on how many hops are in the path.

Here is an example of the TTL value in the directly connected case:

ASA-1(config)#show cap bgp detail
 
  5: 06:30:19.789769 6c41.6a1f.25e3 a0cf.5b5c.5060 0x0800 Length: 70
      203.0.113.1.44368 > 203.0.113.2.179: S [tcp sum ok] 3733850223:3733850223(0)
win 32768 <mss 1460,nop,nop,timestamp 15488246 0> (DF) [tos 0xc0]  [ttl 1] (id 62822)

  6: 06:30:19.792286 a0cf.5b5c.5060 6c41.6a1f.25e3 0x0800 Length: 58
      203.0.113.22.179 > 203.0.113.1.44368: S [tcp sum ok] 1053711883:1053711883(0)
ack 3733850224 win 16384 <mss 1360> [tos 0xc0]  [ttl 1] (id 44962)

  7: 06:30:19.792302 6c41.6a1f.25e3 a0cf.5b5c.5060 0x0800 Length: 54
      203.0.113.1.44368 > 203.0.113.22.179: . [tcp sum ok] 3733850224:3733850224(0)
ack 1053711884 win 32768 (DF) [tos 0xc0]  [ttl 1] (id 52918)

If the neighbor is not directly connected, then you need to enter the bgp multihop command in order to define how many hops away the neighbor is; this increases the TTL value in the IP header.

Here is an example of the TTL value in the multihop case (here the BGP neighbor is 1 hop away):

ASA-1(config)#show cap bgp detail

5: 13:10:04.059963 6c41.6a1f.25e3 a0cf.5b5c.5060 0x0800 Length: 70
      203.0.113.1.63136 > 198.51.100.1.179: S [tcp sum ok] 979449598:979449598(0)
win 32768 <mss 1460,nop,nop,timestamp 8799571 0> (DF) [tos 0xc0]  (ttl 2, id 62012)


   6: 13:10:04.060681 a0cf.5b5c.5060 6c41.6a1f.25e3 0x0800 Length: 70 198.51.100.1.179 >
203.0.113.1.63136: S [tcp sum ok] 0:0(0) ack 979449599 win 32768 <mss 1460,nop,nop,
timestamp 6839704 8799571> (DF) [tos 0xac]  [ttl 1] (id 60372)


   7: 13:10:04.060696 6c41.6a1f.25e3 a0cf.5b5c.5060 0x0800 Length: 66
      203.0.113.1.63136 >198.51.100.1.179: . [tcp sum ok] 979449599:979449599(0) ack 1
win 32768 <nop,nop,timestamp 8799571 6839704> (DF) [tos 0xc0]  (ttl 2, id 53699)
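Reading the TTL out of a capture by eye is error-prone when the session is busy, so here is an added Python parser for the show cap <name> detail lines shown above (example code for this page, not ASA code). It accepts both TTL spellings that appear in the captures ('[ttl 1]' and '(ttl 2, id ...)'), joins the wrapped lines of each packet, and flags BGP packets the ASA sent whose TTL is too small for a peer a given number of hops away. The sample captures are the page's own, reproduced as constants; the hop count passed to the check is an assumption.

```python
"""Parser for 'show cap <name> detail' output that extracts the IP TTL of each
BGP packet. Added example, not ASA code. Handles both '[ttl N]' and
'(ttl N, id ...)' as seen on the page. Sample captures are the page's own."""
import re
from typing import Dict, List

SAMPLE_DIRECT = """
  5: 06:30:19.789769 6c41.6a1f.25e3 a0cf.5b5c.5060 0x0800 Length: 70
      203.0.113.1.44368 > 203.0.113.2.179: S [tcp sum ok] 3733850223:3733850223(0)
win 32768 <mss 1460,nop,nop,timestamp 15488246 0> (DF) [tos 0xc0]  [ttl 1] (id 62822)

  6: 06:30:19.792286 a0cf.5b5c.5060 6c41.6a1f.25e3 0x0800 Length: 58
      203.0.113.22.179 > 203.0.113.1.44368: S [tcp sum ok] 1053711883:1053711883(0)
ack 3733850224 win 16384 <mss 1360> [tos 0xc0]  [ttl 1] (id 44962)

  7: 06:30:19.792302 6c41.6a1f.25e3 a0cf.5b5c.5060 0x0800 Length: 54
      203.0.113.1.44368 > 203.0.113.22.179: . [tcp sum ok] 3733850224:3733850224(0)
ack 1053711884 win 32768 (DF) [tos 0xc0]  [ttl 1] (id 52918)
"""

SAMPLE_MULTIHOP = """
5: 13:10:04.059963 6c41.6a1f.25e3 a0cf.5b5c.5060 0x0800 Length: 70
      203.0.113.1.63136 > 198.51.100.1.179: S [tcp sum ok] 979449598:979449598(0)
win 32768 <mss 1460,nop,nop,timestamp 8799571 0> (DF) [tos 0xc0]  (ttl 2, id 62012)

   6: 13:10:04.060681 a0cf.5b5c.5060 6c41.6a1f.25e3 0x0800 Length: 70 198.51.100.1.179 >
203.0.113.1.63136: S [tcp sum ok] 0:0(0) ack 979449599 win 32768 <mss 1460,nop,nop,
timestamp 6839704 8799571> (DF) [tos 0xac]  [ttl 1] (id 60372)

   7: 13:10:04.060696 6c41.6a1f.25e3 a0cf.5b5c.5060 0x0800 Length: 66
      203.0.113.1.63136 >198.51.100.1.179: . [tcp sum ok] 979449599:979449599(0) ack 1
win 32768 <nop,nop,timestamp 8799571 6839704> (DF) [tos 0xc0]  (ttl 2, id 53699)
"""

PKT_HDR = re.compile(r"^\s*\d+: \d\d:\d\d:\d\d\.\d+")
ENDPOINTS = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) >\s*(\d+\.\d+\.\d+\.\d+)\.(\d+):")
TTL = re.compile(r"[\[(]ttl (\d+)")


def parse_capture(text: str) -> List[Dict]:
    """Group the wrapped lines of each packet, then pull out endpoints and TTL."""
    packets, cur = [], []
    for line in text.splitlines():
        if PKT_HDR.match(line):
            if cur:
                packets.append(" ".join(cur))
            cur = [line.strip()]
        elif cur and line.strip():
            cur.append(line.strip())
    if cur:
        packets.append(" ".join(cur))
    out = []
    for pkt in packets:
        ep, ttl = ENDPOINTS.search(pkt), TTL.search(pkt)
        if not ep or not ttl:
            continue                      # not a TCP line in the expected form
        out.append({"src": ep.group(1), "sport": int(ep.group(2)),
                    "dst": ep.group(3), "dport": int(ep.group(4)),
                    "ttl": int(ttl.group(1)), "syn": ": S [" in pkt})
    return out


def check_bgp_ttl(text: str, local_ip: str, hops: int) -> List[Dict]:
    """BGP packets sent by local_ip whose TTL cannot reach a peer `hops` away
    (hops is the value neighbor ... ebgp-multihop would need)."""
    return [p for p in parse_capture(text)
            if p["src"] == local_ip and p["dport"] == 179 and p["ttl"] < hops]


if __name__ == "__main__":
    for name, cap in (("direct", SAMPLE_DIRECT), ("multihop", SAMPLE_MULTIHOP)):
        print(name, [(p["src"], p["dst"], p["ttl"]) for p in parse_capture(cap)])
    print("too low for 2 hops:", check_bgp_ttl(SAMPLE_DIRECT, "203.0.113.1", 2))
```

Note that in the multihop capture the peer's SYN-ACK arrives with TTL 1 while the ASA's own packets leave with TTL 2; only the locally sent packets tell you what the ASA's ebgp-multihop setting produces, which is why the check filters on the source address.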

Recursive Route Resolution Process

ASA-1(config)# show asp table routing
route table timestamp: 66
in 255.255.255.255 255.255.255.255 identity
in 203.0.113.1 255.255.255.255 identity
in 203.47.198.254 255.255.255.255 via 12.13.14.4, outside
in 106.10.199.78 255.255.255.255 via 15.16.17.4, DMZ
in 192.168.0.1 255.255.255.255 identity
in 172.16.20.1 255.255.255.255 identity
in 10.106.44.190 255.255.255.255 identity
in 10.10.10.0 255.255.255.0 via 203.0.113.2, outside (resolved, timestamp: 66)
in 172.16.30.0 255.255.255.0 via 203.0.113.2, outside (resolved, timestamp: 64)
in 10.180.10.0 255.255.255.0 via 203.0.113.2, outside (resolved, timestamp: 65)

in 203.0.113.0 255.255.255.0 outside
in 172.16.10.0 255.255.255.0 via 12.13.14.4, outside
in 192.168.10.0 255.255.255.0 via 12.13.14.20, outside
in 192.168.20.0 255.255.255.0 via 15.16.17.4, DMZ
in 172.16.20.0 255.255.255.0 inside
in 10.106.44.0 255.255.255.0 management
in 192.168.0.0 255.255.0.0 DMZ

ASA BGP and Graceful Restart Capability

The BGP feature in ASA Version 9.2.1 does not support the graceful restart option negotiated in the BGP Open message. When the peer device sends the BGP Open message, the ASA drops the update packet and sends a BGP Notification message. These system messages are seen on the ASA:

%ASA-3-418018: neighbor 192.168.1.10 Down BGP Notification sent
%ASA-3-418019: sent to neighbor 192.168.1.10/11 (invalid or corrupt AS path) 9 bytes
40020602 010 000 fc08
%ASA-3-418040: unsupported or mal-formatted message received from 192.168.1.10:

There is nothing wrong with the AS_PATH attribute. This happens because the ASA does not support the graceful restart capability in Version 9.2.1. By default, this is observed with Nexus devices when they negotiate the graceful restart capability. The workaround for this issue is to disable the graceful restart capability on the peer device. See the example shown here. On a Nexus 5000, enter these commands:

inside-N5K(config)# router bgp 64520
inside-N5K(config-router)# no graceful-restart
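The nine bytes quoted in the %ASA-3-418019 message above decode as a well-formed AS_PATH, which is what the text means by there being nothing wrong with the attribute. Below is an added Python decoder for a BGP path attribute of type AS_PATH (example code for this page, not ASA code). It assumes 4-octet AS numbers, which the show bgp neighbors output earlier shows as negotiated (Four-octets ASN Capability: advertised and received) and which this example assumes for the Nexus session as well; the byte string is the page's, with the spaces removed. Decoded, the single AS_SEQUENCE contains 64520, the AS number configured on the Nexus above.

```python
"""Decoder for a BGP path attribute of type AS_PATH (type code 2).
Added example, not ASA code. Assumes 4-octet AS numbers, as negotiated via the
Four-octets ASN capability; the input bytes are the ones quoted in the
%ASA-3-418019 message above with the spaces removed."""
import struct
from typing import Dict, List, Tuple

AS_PATH_TYPE = 2
SEGMENT_NAMES = {1: "AS_SET", 2: "AS_SEQUENCE"}
NOTIFICATION_BYTES = bytes.fromhex("40020602010000fc08")   # from the syslog above


def decode_as_path(raw: bytes, four_octet: bool = True) -> Dict:
    """Return flags, declared length and the decoded segments, or raise ValueError."""
    if len(raw) < 3:
        raise ValueError("attribute header incomplete")
    flags, attr_type = raw[0], raw[1]
    if attr_type != AS_PATH_TYPE:
        raise ValueError(f"not an AS_PATH attribute (type {attr_type})")
    if flags & 0x10:                         # Extended Length bit: 2-byte length field
        length, body = struct.unpack("!H", raw[2:4])[0], raw[4:]
    else:
        length, body = raw[2], raw[3:]
    if len(body) != length:
        raise ValueError(f"length field {length} does not match {len(body)} value bytes")
    asn_size, fmt_char = (4, "I") if four_octet else (2, "H")
    segments: List[Tuple[str, List[int]]] = []
    pos = 0
    while pos < len(body):
        if len(body) - pos < 2:
            raise ValueError("truncated segment header")
        seg_type, count = body[pos], body[pos + 1]
        pos += 2
        need = count * asn_size
        if pos + need > len(body):
            raise ValueError("segment claims more AS numbers than bytes remain")
        asns = list(struct.unpack("!%d%s" % (count, fmt_char), body[pos:pos + need]))
        segments.append((SEGMENT_NAMES.get(seg_type, f"type{seg_type}"), asns))
        pos += need
    return {
        "optional": bool(flags & 0x80),      # 0x40 alone = well-known transitive
        "transitive": bool(flags & 0x40),
        "length": length,
        "segments": segments,
    }


def is_well_formed(raw: bytes, four_octet: bool = True) -> bool:
    """True when the attribute parses cleanly under the given ASN width."""
    try:
        decode_as_path(raw, four_octet)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(decode_as_path(NOTIFICATION_BYTES))
    print("parses as 2-octet ASNs:", is_well_formed(NOTIFICATION_BYTES, four_octet=False))
```

Decoding the same bytes as 2-octet AS numbers fails, because a one-entry AS_SEQUENCE would then leave four unexplained bytes; that mismatch is a useful sanity check when a peer reports an AS_PATH error and you want to confirm the ASN width both sides agreed on.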

Troubleshoot

The Output Interpreter Tool (registered customers only) supports certain show commands. Use the Output Interpreter Tool in order to view an analysis of show command output.

  • After the configuration, you need to make sure that both devices have connectivity. Verify ICMP and TCP port 179 connectivity.
  • If the BGP peers are not directly connected, then make sure that you have eBGP multihop configured.
  • If connectivity is fine, the TCP socket is in the established state in the show asp table socket command output.
    ASA-1(config)# show asp table socket

    Protocol  Socket    State      Local Address                    Foreign Address
    SSL       00001478  LISTEN     172.16.20.1:443                  0.0.0.0:*
    TCP       000035e8  LISTEN     203.0.113.1:179                  0.0.0.0:*
    TCP       00005cd8  ESTAB      203.0.113.1:44368                203.0.113.2:179
    SSL       00006658  LISTEN     10.106.44.221:443                0.0.0.0:*
  • After the three-way handshake, both peers exchange BGP Open messages and negotiate parameters.
  • After the parameter exchange, both peers exchange routing information with BGP Update messages.

    %ASA-7-609001: Built local-host identity:203.0.113.1
    %ASA-7-609001: Built local-host outside:203.0.113.2
    %ASA-6-302013: Built outbound TCP connection 14 for outside:203.0.113.2/179
    (203.0.113.2/179) to identity:203.0.113.1/43790 (203.0.113.1/43790)
    %ASA-3-418018: neighbor 203.0.113.2 Up

If the neighborship does not form after a successful TCP three-way handshake, then the problem is in the BGP FSM. Collect a packet capture and the syslogs from the ASA and verify which state you have the problem with.

Debug

Note: Refer to Important Information on Debug Commands before you use debug commands.

Enter the debug ip bgp command in order to troubleshoot neighborship and routing update-related problems.

ASA-1(config)# debug ip bgp ?

exec mode commands/options:
  A.B.C.D     BGP neighbor address
  events      BGP events
  in          BGP Inbound information
  ipv4        Address family
  keepalives  BGP keepalives
  out         BGP Outbound information
  range       BGP dynamic range
  rib-filter  Next hop route watch filter events
  updates     BGP updates
  <cr>

Enter the debug ip bgp events command in order to troubleshoot neighborship-related problems.

BGP: 203.0.113.2 active went from Idle to Active
BGP: 203.0.113.2 open active, local address 203.0.113.1

BGP: ses global 203.0.113.2 (0x00007ffec085c590:0) act Adding topology IPv4 Unicast:base
BGP: ses global 203.0.113.2 (0x00007ffec085c590:0) act Send OPEN
BGP: 203.0.113.2 active went from Active to OpenSent
BGP: 203.0.113.2 active sending OPEN, version 4, my as: 100, holdtime 180 seconds,
ID cb007101

BGP: 203.0.113.2 active rcv message type 1, length (excl. header) 34
BGP: ses global 203.0.113.2 (0x00007ffec085c590:0) act Receive OPEN
BGP: 203.0.113.2 active rcv OPEN, version 4, holdtime 180 seconds
BGP: 203.0.113.2 active rcv OPEN w/ OPTION parameter len: 24
BGP: 203.0.113.2 active rcvd OPEN w/ optional parameter type 2 (Capability) len 6
BGP: 203.0.113.2 active OPEN has CAPABILITY code: 1, length 4
BGP: 203.0.113.2 active OPEN has MP_EXT CAP for afi/safi: 1/1
BGP: 203.0.113.2 active rcvd OPEN w/ optional parameter type 2 (Capability) len 2
BGP: 203.0.113.2 active OPEN has CAPABILITY code: 128, length 0
BGP: 203.0.113.2 active OPEN has ROUTE-REFRESH capability(old) for all address-families
BGP: 203.0.113.2 active rcvd OPEN w/ optional parameter type 2 (Capability) len 2
BGP: 203.0.113.2 active OPEN has CAPABILITY code: 2, length 0
BGP: 203.0.113.2 active OPEN has ROUTE-REFRESH capability(new) for all address-families
BGP: 203.0.113.2 active rcvd OPEN w/ optional parameter type 2 (Capability) len 6
BGP: 203.0.113.2 active OPEN has CAPABILITY code: 65, length 4
BGP: 203.0.113.2 active OPEN has 4-byte ASN CAP for: 200
BGP: 203.0.113.2 active rcvd OPEN w/ remote AS 200, 4-byte remote AS 200
BGP: 203.0.113.2 active went from OpenSent to OpenConfirm
BGP: 203.0.113.2 active went from OpenConfirm to Established
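As an added example (not Cisco code), here is a Python triage helper for the messages in this Troubleshoot section: it reads %ASA-3-418018 neighbor Up/Down syslogs together with the %ASA-3-418040 message from the graceful-restart section, and the "went from X to Y" lines of debug ip bgp events, and reports neighbors that flap and the last FSM state each neighbor reached. The sample lines are constructed in the format of the output above; the flap threshold is an assumption.

```python
"""Triage helper for ASA BGP syslogs and 'debug ip bgp events' output.
Added example, not Cisco code. Message formats follow the samples on this
page; the flap threshold and the sample lines are constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

NEIGHBOR_EVT = re.compile(r"%ASA-\d-418018: neighbor (\S+) (Up|Down)\s*(.*)")
UNSUPPORTED = re.compile(r"%ASA-\d-418040: unsupported or mal-formatted message received from ([\d.]+)")
FSM_MOVE = re.compile(r"^BGP: ([\d.]+) \S+ went from (\w+) to (\w+)")

SAMPLE_SYSLOG = """\
%ASA-3-418018: neighbor 203.0.113.2 Up
%ASA-3-418018: neighbor 192.168.1.10 Down BGP Notification sent
%ASA-3-418040: unsupported or mal-formatted message received from 192.168.1.10:
%ASA-3-418018: neighbor 192.168.1.10 Up
%ASA-3-418018: neighbor 192.168.1.10 Down BGP Notification sent
%ASA-3-418040: unsupported or mal-formatted message received from 192.168.1.10:
"""

SAMPLE_DEBUG = """\
BGP: 203.0.113.2 active went from Idle to Active
BGP: 203.0.113.2 active went from Active to OpenSent
BGP: 203.0.113.2 active went from OpenSent to OpenConfirm
BGP: 203.0.113.2 active went from OpenConfirm to Established
BGP: 198.51.100.1 active went from Idle to Active
BGP: 198.51.100.1 active went from Active to Idle
"""


def neighbor_events(text: str) -> List[Tuple[str, str, str]]:
    """(neighbor, 'Up'|'Down', detail) for every 418018 message."""
    out = []
    for line in text.splitlines():
        m = NEIGHBOR_EVT.search(line)
        if m:
            out.append((m.group(1), m.group(2), m.group(3).strip()))
    return out


def flap_report(text: str, threshold: int = 2) -> Dict[str, dict]:
    """Neighbors with at least `threshold` Down events, noting whether the
    418040 message the page ties to graceful-restart negotiation is also present."""
    downs, unsupported = defaultdict(int), set()
    for nbr, state, _ in neighbor_events(text):
        if state == "Down":
            downs[nbr] += 1
    for line in text.splitlines():
        m = UNSUPPORTED.search(line)
        if m:
            unsupported.add(m.group(1))
    report = {}
    for nbr, n in downs.items():
        if n >= threshold:
            report[nbr] = {"downs": n, "unsupported_message_seen": nbr in unsupported}
    return report


def fsm_trace(text: str) -> Dict[str, List[str]]:
    """Per neighbor, the sequence of FSM states from debug ip bgp events."""
    trace = defaultdict(list)
    for line in text.splitlines():
        m = FSM_MOVE.match(line)
        if m:
            nbr, src, dst = m.groups()
            if not trace[nbr]:
                trace[nbr].append(src)
            trace[nbr].append(dst)
    return dict(trace)


def stuck_neighbors(text: str) -> Dict[str, str]:
    """Neighbors whose last observed state is not Established, with that state."""
    return {n: s[-1] for n, s in fsm_trace(text).items() if s[-1] != "Established"}


if __name__ == "__main__":
    print("flapping:", flap_report(SAMPLE_SYSLOG))
    print("traces:", fsm_trace(SAMPLE_DEBUG))
    print("not established:", stuck_neighbors(SAMPLE_DEBUG))
```

A neighbor that repeatedly drops with "BGP Notification sent" and a matching 418040 message is the pattern the graceful-restart section describes; a neighbor that bounces between Idle and Active without ever reaching OpenSent never completed the TCP exchange, so connectivity and port 179 are the first things to check.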

Enter the debug ip bgp updates command in order to troubleshoot routing update-related problems.

BGP: TX IPv4 Unicast Mem global 203.0.113.2 Changing state from DOWN to WAIT
(pending advertised bit allocation).
BGP: TX IPv4 Unicast Grp global 4 Created.
BGP: TX IPv4 Unicast Wkr global 4 Cur Blocked (not in list).
BGP: TX IPv4 Unicast Wkr global 4 Ref Blocked (not in list).
BGP: TX IPv4 Unicast Rpl global 4 1 Created.
BGP: TX IPv4 Unicast Rpl global 4 1 Net bitfield index 0 allocated.
BGP: TX IPv4 Unicast Mem global 4 1 203.0.113.2 Added to group (now has 1 members).
BGP: TX IPv4 Unicast Mem global 4 1 203.0.113.2 Staying in WAIT state
(current walker waiting for net prepend).
BGP: TX IPv4 Unicast Top global Start net prepend.
BGP: TX IPv4 Unicast Top global Inserting initial marker.
BGP: TX IPv4 Unicast Top global Done net prepend (0 attrs).
BGP: TX IPv4 Unicast Grp global 4 Starting refresh after prepend completion.
BGP: TX IPv4 Unicast Wkr global 4 Cur Start at marker 1.
BGP: TX IPv4 Unicast Grp global 4 Message limit changed from 100 to 1000 (used 0 + 0).
BGP: TX IPv4 Unicast Wkr global 4 Cur Unblocked
BGP: TX IPv4 Unicast Mem global 4 1 203.0.113.2 Changing state from WAIT to ACTIVE
(ready).
BGP: TX IPv4 Unicast Mem global 4 1 203.0.113.2 No refresh required.
BGP: TX IPv4 Unicast Top global Collection done on marker 1 after 0 net(s).
BGP(0): 203.0.113.2 rcvd UPDATE w/ attr: nexthop 203.0.113.2, origin i, metric 0,
merged path 200, AS_PATH

BGP(0): 203.0.113.2 rcvd 10.10.10.0/24
BGP(0): 203.0.113.2 rcvd 172.16.30.0/24
BGP(0): 203.0.113.2 rcvd 10.180.10.0/24
-----------------> Routes rcvd from peer
BGP: TX IPv4 Unicast Net global 10.10.10.1/32 Changed.
BGP: TX IPv4 Unicast Net global 172.16.30.0/24 Changed.
BGP: TX IPv4 Unicast Net global 10.180.10.0/24 Changed.
BGP(0): Revise route installing 1 of 1 routes for 10.10.10.0 255.255.255.0 ->
203.0.113.2(global) to main IP table
BGP: TX IPv4 Unicast Net global 10.10.10.0/24 RIB done.
BGP(0): Revise route installing 1 of 1 routes for 172.16.30.0 255.255.255.0 ->
203.0.113.2(global) to main IP table
BGP: TX IPv4 Unicast Net global 172.16.30.0/24 RIB done.
BGP(0): Revise route installing 1 of 1 routes for 10.180.10.0 255.255.255.0 ->
203.0.113.2(global) to main IP table
BGP: TX IPv4 Unicast Net global 10.180.10.0/24 RIB done.

BGP: TX IPv4 Unicast Tab RIB walk done version 4, added 1 topologies.
BGP: TX IPv4 Unicast Tab Ready in READ-WRITE.
BGP: TX IPv4 Unicast Tab RIB walk done version 4, added 1 topologies.
BGP: TX IPv4 Unicast Tab All topologies are EOR ready.
BGP: TX IPv4 Unicast Tab RIB walk done version 4, added 1 topologies.
BGP: TX IPv4 Unicast Tab Executing.
BGP: TX IPv4 Unicast Wkr global 4 Cur Processing.
BGP: TX IPv4 Unicast Wkr global 4 Cur Reached marker with version 1.
BGP: TX IPv4 Unicast Top global Appending nets from attr 0x00007ffecc9b7b88.
BGP: TX IPv4 Unicast Wkr global 4 Cur Attr change from 0x0000000000000000 to
0x00007ffecc9b7b88.
BGP: TX IPv4 Unicast Wkr global 4 Cur Net 10.10.10.0/24 Skipped.
BGP: TX IPv4 Unicast Wkr global 4 Cur Net 172.16.30.0/24 Skipped.
BGP: TX IPv4 Unicast Wkr global 4 Cur Net 10.180.10.0/24 Skipped.
BGP: TX IPv4 Unicast Top global No attributes with modified nets.
BGP: TX IPv4 Unicast Top global Added tail marker with version 4.
BGP: TX IPv4 Unicast Wkr global 4 Cur Reached marker with version 4.
BGP: TX IPv4 Unicast Top global No attributes with modified nets.
BGP: TX IPv4 Unicast Wkr global 4 Cur Done (end of list), processed 1 attr(s),
0/3 net(s), 0 pos.
BGP: TX IPv4 Unicast Grp global 4 Checking EORs (0/1).
BGP: TX IPv4 Unicast Mem global 4 1 203.0.113.2 Send EOR.
BGP: TX IPv4 Unicast Grp global 4 Converged.
BGP: TX IPv4 Unicast Tab Processed 1 walker(s).
BGP: TX IPv4 Unicast Tab Generation completed.
BGP: TX IPv4 Unicast Top global Deleting first marker with version 1.
BGP: TX IPv4 Unicast Top global Collection reached marker 1 after 0 net(s).
BGP: TX IPv4 Unicast Top global First convergence done.
BGP: TX IPv4 Unicast Top global Deleting first marker with version 1.
BGP: TX IPv4 Unicast Top global Collection reached marker 1 after 0 net(s).
BGP: TX IPv4 Unicast Top global Collection done on marker 4 after 3 net(s).
BGP: TX IPv4 Unicast Top global Collection done on marker 4 after 0 net(s).
BGP: TX IPv4 Unicast Net global 192.168.10.0/24 Changed.
BGP: TX IPv4 Unicast Net global 172.16.20.0/24 Changed.
BGP: TX IPv4 Unicast Net global 10.106.44.0/24 Changed.
BGP(0): nettable_walker 10.106.44.0/24 route sourced locally
BGP: topo global:IPv4 Unicast:base Remove_fwdroute for 10.106.44.0/24
BGP: TX IPv4 Unicast Net global 10.106.44.0/24 RIB done.
BGP(0): nettable_walker 172.16.20.0/24 route sourced locally
BGP: topo global:IPv4 Unicast:base Remove_fwdroute for 172.16.20.0/24
BGP: TX IPv4 Unicast Net global 172.16.20.0/24 RIB done.
BGP(0): nettable_walker 192.168.10.0/24 route sourced locally
---------> Routes
advertised

BGP: topo global:IPv4 Unicast:base Remove_fwdroute for 192.168.10.0/24
BGP: TX IPv4 Unicast Net global 192.168.10.0/24 RIB done.
BGP: TX IPv4 Unicast Tab RIB walk done version 8, added 1 topologies.
BGP: TX IPv4 Unicast Tab Executing.
BGP: TX IPv4 Unicast Wkr global 4 Cur Processing.
BGP: TX IPv4 Unicast Top global Appending nets from attr 0x00007ffecc9b7c70.
BGP: TX IPv4 Unicast Wkr global 4 Cur Attr change from 0x0000000000000000 to
0x00007ffecc9b7c70.
BGP: TX IPv4 Unicast Rpl global 4 1 Net 10.106.44.0/24 Set advertised bit (total 1).
BGP: TX IPv4 Unicast Wkr global 4 Cur Net 10.106.44.0/24 Formatted.
BGP: TX IPv4 Unicast Rpl global 4 1 Net 172.16.20.0/24 Set advertised bit (total 2).
BGP: TX IPv4 Unicast Wkr global 4 Cur Net 172.16.20.0/24 Formatted.
BGP: TX IPv4 Unicast Rpl global 4 1 Net 192.168.10.0/24 Set advertised bit (total 4).
BGP: TX IPv4 Unicast Wkr global 4 Cur Net 192.168.10.0/24 Formatted.

BGP: TX IPv4 Unicast Top global No attributes with modified nets.
BGP: TX IPv4 Unicast Top global Added tail marker with version 8.
BGP: TX IPv4 Unicast Wkr global 4 Cur Reached marker with version 8.
BGP: TX IPv4 Unicast Top global No attributes with modified nets.
BGP: TX IPv4 Unicast Wkr global 4 Cur Replicating.
BGP: TX IPv4 Unicast Wkr global 4 Cur Done (end of list), processed 1 attr(s),
4/4 net(s), 0 pos.
BGP: TX IPv4 Unicast Grp global 4 Start minimum advertisement timer (30 secs).
BGP: TX IPv4 Unicast Wkr global 4 Cur Blocked (minimum advertisement interval).
BGP: TX IPv4 Unicast Grp global 4 Converged.
BGP: TX IPv4 Unicast Tab Processed 1 walker(s).
BGP: TX IPv4 Unicast Tab Generation completed.
BGP: TX IPv4 Unicast Top global Deleting first marker with version 4.
BGP: TX IPv4 Unicast Top global Collection reached marker 4 after 0 net(s).
BGP: TX IPv4 Unicast Top global Collection done on marker 8 after 4 net(s).
BGP: TX IPv4 Unicast Top global Collection done on marker 8 after 0 net(s).
BGP: TX Member message pool under period (60 < 600).
BGP: TX IPv4 Unicast Tab RIB walk done version 8, added 1 topologies.

Enter these commands in order to troubleshoot this feature:

  • show asp table socket
  • show bgp neighbors
  • show bgp summary
  • show route bgp
  • show bgp cidr-only
  • show route summary


Document ID: 118050