了解安全防火墙SD-WAN部署中的路由控制并对其进行故障排除
简介
本文档介绍在安全防火墙上使用思科SD-WAN的基于路由的VPN在BGP中的路由控制。
先决条件
要求
Cisco 建议您了解以下主题:
- IKEv2
- 基于路由的VPN
- 虚拟隧道接口(VTI)
- IPsec
- 调试输出中显示“BGP
- BGP属性,如社区标签和路由反射器
- 安全防火墙上的SD-WAN功能
使用的组件
本文档中的信息基于:
- 思科安全防火墙威胁防御7.7.10
- 思科安全防火墙管理中心7.7.10
本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您的网络处于活动状态,请确保您了解所有命令的潜在影响。
功能信息
随着针对站点到站点、基于路由的VPN的新SD-WAN部署为重叠启用BGP,思科专注于关键BGP属性,以实施无环和安全重叠路由,从而确保底层网络和重叠网络在整个拓扑中保持分离。此部署还确保无需手动干预即可调整相关属性。
部署方案
选择在中心点和分支点之间同时包含iBGP和eBGP连接的拓扑。此方法可最大程度地查看作为SD-WAN解决方案一部分在思科安全防火墙上实施的路由控制。
双ISP的双中心辐射型
底层拓扑
重叠拓扑
配置
由于本文档的主要目的是清楚地了解在安全防火墙上部署SD-WAN时实施的路由控制,因此不再重复介绍部署拓扑所需的基础配置步骤。有关初始设置的详细指导,请参阅我们之前发布的文档为通过安全防火墙的站点到站点VPN配置SD-WAN。
CLI部分中的所有配置均通过SD-WAN配置向导进行应用。不会单独对BGP配置或任何路由映射配置进行更改或修改。
验证与故障排除
社区列表负责过滤传入和传出前缀。有关详细说明,请参阅Cisco Secure Firewall Management Center Device Configuration Guide中cisco文档的社区列表部分。
所有设备的通用配置
firepower# show running-config community-list
community-list standard FMC_VPN_COMMUNITY_101010 permit 101010 <<<<<<<<<<
community-list standard FMC_VPN_COMMUNITY_202020 permit 202020 <<<<<<<<<<
请注意,每个拓扑有一对入站和出站路由映射,尽管两个拓扑的配置相同,但每个拓扑的命名约定是唯一的。在我们的方案中,FMC_VPN_RMAP_COMMUNITY_IN_858939614和FMC_VPN_RMAP_COMMUNITY_OUT_858939614用于拓扑1,而FMC_VPN_RMAP_COMMUNITY_IN_85894200和FMC_VPN Rmap_COMMUNITY_OUT_858942200用于拓扑2。
firepower# show running-config route-map
Topology 1
Inbound
route-map FMC_VPN_RMAP_COMMUNITY_IN_8589939614 permit 10
match community FMC_VPN_COMMUNITY_101010 exact-match
set community 202020
route-map FMC_VPN_RMAP_COMMUNITY_IN_8589939614 permit 20
match community FMC_VPN_COMMUNITY_202020 exact-match
Outbound
route-map FMC_VPN_RMAP_COMMUNITY_OUT_8589939614 permit 10
match community FMC_VPN_COMMUNITY_101010 exact-match
set metric 1
route-map FMC_VPN_RMAP_COMMUNITY_OUT_8589939614 permit 20
match community FMC_VPN_COMMUNITY_202020 exact-match
set metric 100
route-map FMC_VPN_RMAP_COMMUNITY_OUT_8589939614 deny 100
Topology 2
Inbound
route-map FMC_VPN_RMAP_COMMUNITY_IN_8589942200 permit 10
match community FMC_VPN_COMMUNITY_101010 exact-match
set community 202020
route-map FMC_VPN_RMAP_COMMUNITY_IN_8589942200 permit 20
match community FMC_VPN_COMMUNITY_202020 exact-match
Outbound
route-map FMC_VPN_RMAP_COMMUNITY_OUT_8589942200 permit 10
match community FMC_VPN_COMMUNITY_101010 exact-match
set metric 1
route-map FMC_VPN_RMAP_COMMUNITY_OUT_8589942200 permit 20
match community FMC_VPN_COMMUNITY_202020 exact-match
set metric 100
route-map FMC_VPN_RMAP_COMMUNITY_OUT_8589942200 deny 100
Common Across All The Hubs & Spokes Wherever Redistribution Of Inside Network Is Present
route-map FMC_VPN_CONNECTED_DIST_RMAP_101010 permit 10
match interface inside
set community 101010
拓扑中设备间的BGP配置如下所示:
Spoke1和2(使用HUB1的IBGP和使用HUB2的EBGP)
firepower# show running-config router bgp
router bgp 65500
bgp log-neighbor-changes
address-family ipv4 unicast
neighbor 198.51.100.1 remote-as 65500 <<<<< tunnel from spokes to HUB 1 via ISP1
neighbor 198.51.100.1 activate
neighbor 198.51.100.1 send-community
neighbor 198.51.100.1 route-map FMC_VPN_RMAP_COMMUNITY_IN_8589939614 in
neighbor 198.51.100.1 route-map FMC_VPN_RMAP_COMMUNITY_OUT_8589939614 out
neighbor 198.51.100.2 remote-as 65510 <<<<< tunnel from spokes to HUB 2 via ISP1
neighbor 198.51.100.2 ebgp-multihop 2
neighbor 198.51.100.2 activate
neighbor 198.51.100.2 send-community
neighbor 198.51.100.2 route-map FMC_VPN_RMAP_COMMUNITY_IN_8589939614 in
neighbor 198.51.100.2 route-map FMC_VPN_RMAP_COMMUNITY_OUT_8589939614 out
neighbor 198.51.100.3 remote-as 65500 <<<<< tunnel from spokes to HUB 1 via ISP2
neighbor 198.51.100.3 activate
neighbor 198.51.100.3 send-community
neighbor 198.51.100.3 route-map FMC_VPN_RMAP_COMMUNITY_IN_8589942200 in
neighbor 198.51.100.3 route-map FMC_VPN_RMAP_COMMUNITY_OUT_8589942200 out
neighbor 198.51.100.4 remote-as 65510 <<<<< tunnel from spokes to HUB 2 via ISP2
neighbor 198.51.100.4 ebgp-multihop 2
neighbor 198.51.100.4 activate
neighbor 198.51.100.4 send-community
neighbor 198.51.100.4 route-map FMC_VPN_RMAP_COMMUNITY_IN_8589942200 in
neighbor 198.51.100.4 route-map FMC_VPN_RMAP_COMMUNITY_OUT_8589942200 out
redistribute connected route-map FMC_VPN_CONNECTED_DIST_RMAP_101010 <<<<<<< route-map to redistribute inside network into BGP
maximum-paths 8
maximum-paths ibgp 8
no auto-summary
no synchronization
exit-address-family
HUB1(与辐射点的IBGP对等)
firepower# show running-config router bgp
router bgp 65500
bgp log-neighbor-changes
address-family ipv4 unicast
neighbor 198.51.100.10 remote-as 65500 <<<<< tunnel from HUB 1 to Spoke 1 via ISP 1
neighbor 198.51.100.10 activate
neighbor 198.51.100.10 send-community
neighbor 198.51.100.10 route-reflector-client
neighbor 198.51.100.10 next-hop-self
neighbor 198.51.100.10 route-map FMC_VPN_RMAP_COMMUNITY_IN_8589939614 in
neighbor 198.51.100.10 route-map FMC_VPN_RMAP_COMMUNITY_OUT_8589939614 out
neighbor 198.51.100.11 remote-as 65500 <<<<< tunnel from HUB 1 to Spoke 2 via ISP 1
neighbor 198.51.100.11 activate
neighbor 198.51.100.11 send-community
neighbor 198.51.100.11 route-reflector-client
neighbor 198.51.100.11 next-hop-self
neighbor 198.51.100.11 route-map FMC_VPN_RMAP_COMMUNITY_IN_8589939614 in
neighbor 198.51.100.11 route-map FMC_VPN_RMAP_COMMUNITY_OUT_8589939614 out
neighbor 198.51.100.70 remote-as 65500 <<<<< tunnel from HUB 1 to Spoke 1 via ISP 2
neighbor 198.51.100.70 activate
neighbor 198.51.100.70 send-community
neighbor 198.51.100.70 route-reflector-client
neighbor 198.51.100.70 next-hop-self
neighbor 198.51.100.70 route-map FMC_VPN_RMAP_COMMUNITY_IN_8589942200 in
neighbor 198.51.100.70 route-map FMC_VPN_RMAP_COMMUNITY_OUT_8589942200 out
neighbor 198.51.100.71 remote-as 65500 <<<<< tunnel from HUB 1 to Spoke 2 via ISP 2
neighbor 198.51.100.71 activate
neighbor 198.51.100.71 send-community
neighbor 198.51.100.71 route-reflector-client
neighbor 198.51.100.71 next-hop-self
neighbor 198.51.100.71 route-map FMC_VPN_RMAP_COMMUNITY_IN_8589942200 in
neighbor 198.51.100.71 route-map FMC_VPN_RMAP_COMMUNITY_OUT_8589942200 out
no auto-summary
no synchronization
exit-address-family
HUB2(与辐条的EBGP对等)
firepower# show running-config router bgp
router bgp 65510
bgp log-neighbor-changes
address-family ipv4 unicast
neighbor 198.51.100.40 remote-as 65500 <<<<< tunnel from HUB 2 to Spoke 1 via ISP 1
neighbor 198.51.100.40 ebgp-multihop 2
neighbor 198.51.100.40 activate
neighbor 198.51.100.40 send-community
neighbor 198.51.100.40 next-hop-self
neighbor 198.51.100.40 as-override
neighbor 198.51.100.40 route-map FMC_VPN_RMAP_COMMUNITY_IN_8589939614 in
neighbor 198.51.100.40 route-map FMC_VPN_RMAP_COMMUNITY_OUT_8589939614 out
neighbor 198.51.100.41 remote-as 65500 <<<<< tunnel from HUB 2 to Spoke 2 via ISP 1
neighbor 198.51.100.41 ebgp-multihop 2
neighbor 198.51.100.41 activate
neighbor 198.51.100.41 send-community
neighbor 198.51.100.41 next-hop-self
neighbor 198.51.100.41 as-override
neighbor 198.51.100.41 route-map FMC_VPN_RMAP_COMMUNITY_IN_8589939614 in
neighbor 198.51.100.41 route-map FMC_VPN_RMAP_COMMUNITY_OUT_8589939614 out
neighbor 198.51.100.100 remote-as 65500 <<<<< tunnel from HUB 2 to Spoke 1 via ISP 2
neighbor 198.51.100.100 ebgp-multihop 2
neighbor 198.51.100.100 activate
neighbor 198.51.100.100 send-community
neighbor 198.51.100.100 next-hop-self
neighbor 198.51.100.100 as-override
neighbor 198.51.100.100 route-map FMC_VPN_RMAP_COMMUNITY_IN_8589942200 in
neighbor 198.51.100.100 route-map FMC_VPN_RMAP_COMMUNITY_OUT_8589942200 out
neighbor 198.51.100.101 remote-as 65500 <<<<< tunnel from HUB 2 to Spoke 2 via ISP 2
neighbor 198.51.100.101 ebgp-multihop 2
neighbor 198.51.100.101 activate
neighbor 198.51.100.101 send-community
neighbor 198.51.100.101 next-hop-self
neighbor 198.51.100.101 as-override
neighbor 198.51.100.101 route-map FMC_VPN_RMAP_COMMUNITY_IN_8589942200 in
neighbor 198.51.100.101 route-map FMC_VPN_RMAP_COMMUNITY_OUT_8589942200 out
no auto-summary
no synchronization
exit-address-family
路由拓扑
-
分支使用其特定社区标记101010将其内部网络192.0.2.8/29通告到BGP,如route-map FMC_VPN_CONNECTED_DIST_RMAP_1010中所配置。
分支1
Spoke1# show bgp community 101010 exact-match <<<< to verify the exact network redistributed into BGP
BGP table version is 4, local router ID is 203.0.113.35
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 192.0.2.8/29 0.0.0.0 0 32768 ? <<<<<<<<<<< local inside network-
辐条会修改其内部网络192.0.2.8/29的度量值,并将其通告到集线器,如路由映射FMC_VPN_RMAP_COMMUNITY_OUT_858939614和FMC_VPN_RMAP_COMMUNITY_OUT_85894200中所配置。
route-map FMC_VPN_RMAP_COMMUNITY_OUT_8589942200 permit 10
match community FMC_VPN_COMMUNITY_101010 exact-match
set metric 1
route-map FMC_VPN_RMAP_COMMUNITY_OUT_8589942200 permit 20
match community FMC_VPN_COMMUNITY_202020 exact-match
set metric 100
route-map FMC_VPN_RMAP_COMMUNITY_OUT_8589942200 deny 100
-
HUB1使用社区标记101010获知分支1网络192.0.2.8/29,并将社区标记更改为202020,同时按照配置的路由映射中的定义保留度量,然后将其转发到其他分支。
集线器1
Route-Map for ISP1 DVTI
Inbound
route-map FMC_VPN_RMAP_COMMUNITY_IN_8589939614 permit 10
match community FMC_VPN_COMMUNITY_101010 exact-match
set community 202020
route-map FMC_VPN_RMAP_COMMUNITY_IN_8589939614 permit 20
match community FMC_VPN_COMMUNITY_202020 exact-match
Outbound
route-map FMC_VPN_RMAP_COMMUNITY_OUT_8589939614 permit 10
match community FMC_VPN_COMMUNITY_101010 exact-match
set metric 1
set ip next-hop 198.51.100.1 <<<<<<<<<< only next-hop is changed in ISP2 tunnel route-map with ISP2 DVTI IP
route-map FMC_VPN_RMAP_COMMUNITY_OUT_8589939614 permit 20
match community FMC_VPN_COMMUNITY_202020 exact-match
set metric 100
set ip next-hop 198.51.100.1 <<<<<<<<<< only next-hop is changed in ISP2 tunnel route-map with ISP2 DVTI IP
route-map FMC_VPN_RMAP_COMMUNITY_OUT_8589939614 deny 100
Route-Map for ISP2 DVTI
Inbound
route-map FMC_VPN_RMAP_COMMUNITY_IN_8589942200 permit 10
match community FMC_VPN_COMMUNITY_101010 exact-match
set community 202020
route-map FMC_VPN_RMAP_COMMUNITY_IN_8589942200 permit 20
match community FMC_VPN_COMMUNITY_202020 exact-match
Outbound
route-map FMC_VPN_RMAP_COMMUNITY_OUT_8589942200 permit 10
match community FMC_VPN_COMMUNITY_101010 exact-match
set metric 1
set ip next-hop 198.51.100.3 <<<<<<<<<< only next-hop is changed in ISP2 tunnel route-map with ISP2 DVTI IP
route-map FMC_VPN_RMAP_COMMUNITY_OUT_8589942200 permit 20
match community FMC_VPN_COMMUNITY_202020 exact-match
set metric 100
set ip next-hop 198.51.100.3 <<<<<<<<<< only next-hop is changed in ISP2 tunnel route-map with ISP2 DVTI IP
route-map FMC_VPN_RMAP_COMMUNITY_OUT_8589942200 deny 100
HUB1# show bgp community 202020 exact-match <<<< this will confirm if received prefixes have community tags flipped
BGP table version is 5, local router ID is 198.51.100.3 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path * i192.0.2.8/29 198.51.100.70 1 100 0 ? *>i 198.51.100.10 1 100 0 ? * i192.0.2.16/29 198.51.100.71 1 100 0 ? *>i 198.51.100.11 1 100 0 ?
HUB1# show bgp 192.0.2.8 <<<< this will display available paths in BGP for the network
BGP routing table entry for 192.0.2.8/29, version 4 Paths: (2 available, best #2, table default) Advertised to update-groups: 1 2 Local, (Received from a RR-client) 198.51.100.70 from 198.51.100.70 (203.0.113.35) <<<<< spoke 1 ISP 2 tunnel to HUB 1 Origin incomplete, metric 1, localpref 100, valid, internal Community: 202020 Local, (Received from a RR-client) 198.51.100.10 from 198.51.100.10 (203.0.113.35) <<<<< spoke 1 ISP 1 tunnel to HUB 1 Origin incomplete, metric 1, localpref 100, valid, internal, best Community: 202020 <<<<< community updated as per the route-map configured on spoke side
HUB1# show route 192.0.2.8
Routing entry for 192.0.2.8 255.255.255.248
Known via "bgp 65500", distance 200, metric 1, type internal
Last update from 198.51.100.10 0:09:18 ago
Routing Descriptor Blocks:
* 198.51.100.10, from 198.51.100.10, 0:09:18 ago
Route metric is 1, traffic share count is 1
AS Hops 0
MPLS label: no label string providedHUB1# show bgp ipv4 unicast neighbors 198.51.100.10 routes <<<<<< to check specific prefixes learnt via ISP1 spoke1 tunnel
BGP table version is 5, local router ID is 198.51.100.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*>i192.0.2.8/29 198.51.100.10 1 100 0 ? <<< preferred route
Total number of prefixes 1 HUB1# show bgp ipv4 unicast neighbors 198.51.100.70 routes <<<<<< to check specific prefixes learnt via ISP2 spoke1 tunnel
BGP table version is 5, local router ID is 198.51.100.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* i192.0.2.8/29 198.51.100.70 1 100 0 ?
Total number of prefixes 1 -
HUB2还使用社区标记101010获取分支1网络192.0.2.8/29,并将社区标记更改为202020,并将度量更新为100,然后将其转发到其他分支,如配置的路由映射中所指定。此指标更改由于eBGP对等而生效。这是因为MED(Multi-Exit Discriminator)是一个可选的非传递BGP属性,用于通过建议一个首选入口点进入AS来影响入站流量。MED通常不会在同一AS内的iBGP对等体之间传播,而是通告给不同自治系统中的外部BGP(eBGP)对等体。
集线器2
HUB2# show bgp community 202020 exact-match <<<< this will confirm if receieved prefixes have community tags flipped
BGP table version is 5, local router ID is 198.51.100.4 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path * 192.0.2.8/29 198.51.100.1 100 0 65500 ? <<<<<< advertised back by spoke 2 ISP1 to HUB2 previously learnt via HUB1 iBGP * 198.51.100.1 100 0 65500 ? <<<<<< advertised back by spoke 2 ISP2 to HUB2 previously learnt via HUB1 iBGP * 198.51.100.100 1 0 65500 ? <<<<<< advertised by spoke 2 ISP tunnel *> 198.51.100.40 1 0 65500 ? <<<<<< advertised and preferred by spoke 1 ISP 1 tunnel * 192.0.2.16/29 198.51.100.1 100 0 65500 ? * 198.51.100.1 100 0 65500 ? * 198.51.100.101 1 0 65500 ? *> 198.51.100.41 1 0 65500 ?
HUB2# show bgp 192.0.2.8 <<<< this will display available paths in BGP for the network
BGP routing table entry for 192.0.2.8/29, version 4 Paths: (4 available, best #4, table default) Advertised to update-groups: 1 2 65500 198.51.100.1 (inaccessible) from 198.51.100.41 (203.0.113.36) <<<<<< advertised back by spoke 2 ISP1 to HUB2 previously learnt via HUB1 iBGP Origin incomplete, metric 100, localpref 100, valid, external Community: 202020 65500 198.51.100.1 (inaccessible) from 198.51.100.101 (203.0.113.36) <<<<<< advertised back by spoke 2 ISP2 to HUB2 previously learnt via HUB1 iBGP Origin incomplete, metric 100, localpref 100, valid, external Community: 202020 65500 198.51.100.100 from 198.51.100.100 (203.0.113.35) <<<<<< advertised by spoke 1 ISP 2 tunnel Origin incomplete, metric 1, localpref 100, valid, external Community: 202020 65500 198.51.100.40 from 198.51.100.40 (203.0.113.35) <<<<<< advertised and preferred by spoke 1 ISP 1 tunnel Origin incomplete, metric 1, localpref 100, valid, external, best Community: 202020
HUB2# show bgp ipv4 unicast neighbors 198.51.100.40 routes <<<<<< to check specific prefixes learnt via ISP1 spoke1 tunnel
BGP table version is 5, local router ID is 198.51.100.4 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path *> 192.0.2.8/29 198.51.100.40 1 0 65500 ? <<<< preferred * 192.0.2.16/29 198.51.100.1 100 0 65500 ? Total number of prefixes 2
HUB2# show bgp ipv4 unicast neighbors 198.51.100.41 routes <<<<<< to check specific prefixes learnt via ISP1 spoke2 tunnel
BGP table version is 5, local router ID is 198.51.100.4 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path * 192.0.2.8/29 198.51.100.1 100 0 65500 ? <<<<<< *> 192.0.2.16/29 198.51.100.41 1 0 65500 ? Total number of prefixes 2
HUB2# show bgp ipv4 unicast neighbors 198.51.100.100 routes <<<<<< to check specific prefixes learnt via ISP2 spoke1 tunnel
BGP table version is 5, local router ID is 198.51.100.4 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path * 192.0.2.8/29 198.51.100.100 1 0 65500 ? <<<<<< * 192.0.2.16/29 198.51.100.1 100 0 65500 ? Total number of prefixes 2
HUB2# show bgp ipv4 unicast neighbors 198.51.100.101 routes <<<<<< to check specific prefixes learnt via ISP2 spoke2 tunnel
BGP table version is 5, local router ID is 198.51.100.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* 192.0.2.8/29 198.51.100.1 100 0 65500 ? <<<<<<
* 192.0.2.16/29 198.51.100.101 1 0 65500 ?
Total number of prefixes 2 -
分支2从HUB1 ISP1和HUB1 ISP2隧道接收分支1网络192.0.2.8/29,度量为1,同时从HUB2 ISP1和HUB2 ISP2隧道接收同一网络,且其下一跳更新为HUB1。
分支2
Spoke2# show bgp community 202020 exact-match <<<< this will confirm if receieved prefixes have community tags flipped
BGP table version is 8, local router ID is 203.0.113.36 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path *mi192.0.2.8/29 198.51.100.3 1 100 0 ? *>i 198.51.100.1 1 100 0 ? <<<< HUB1 ISP1 route preferred * 198.51.100.2 100 0 65510 65510 ? * 198.51.100.4 100 0 65510 65510 ? * 192.0.2.16/29 198.51.100.4 100 0 65510 65510 ? * 198.51.100.2 100 0 65510 65510 ?
route-map FMC_VPN_RMAP_COMMUNITY_IN_8589939614 permit 10
match community FMC_VPN_COMMUNITY_101010 exact-match
set community 202020
route-map FMC_VPN_RMAP_COMMUNITY_IN_8589956263 permit 20
match community FMC_VPN_COMMUNITY_202020 exact-match
-
分支2还会使用更新的度量将从HUB1获知的网络通告回HUB2(如配置的出站路由映射所定义)。
route-map FMC_VPN_RMAP_COMMUNITY_OUT_8589939614 permit 10
match community FMC_VPN_COMMUNITY_101010 exact-match
set metric 1
route-map FMC_VPN_RMAP_COMMUNITY_OUT_8589939614 permit 20
match community FMC_VPN_COMMUNITY_202020 exact-match
set metric 100 <<<<<
route-map FMC_VPN_RMAP_COMMUNITY_OUT_8589939614 deny 100
Spoke2# show bgp ipv4 unicast neighbors 198.51.100.2 advertised-routes <<<<< to check specific prefixes advertised via ISP1 HUB2 tunnel back to HUB2
BGP table version is 8, local router ID is 203.0.113.36
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*>i192.0.2.8/29 198.51.100.1 1 100 0 ? <<<<<<<
*> 192.0.2.16/29 0.0.0.0 0 32768 ?
Total number of prefixes 2 Spoke2# show bgp ipv4 unicast neighbors 198.51.100.4 advertised-routes <<<<< to check specific prefixes advertised via ISP2 HUB2 tunnel back to HUB2
BGP table version is 8, local router ID is 203.0.113.36
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*>i192.0.2.8/29 198.51.100.1 1 100 0 ? <<<<<<<
*> 192.0.2.16/29 0.0.0.0 0 32768 ?
Total number of prefixes 2结论
本文档旨在介绍后端路由部署,重点介绍在BGP内实施的路由控制,以确保应急和冗余。
总之,分支2和拓扑中的任何其他分支在将其网络通告到BGP域时都使用相同的方法。在这种情况下,最重要的路由控制是社区列表过滤,它确保仅将此拓扑中的网络通告给其他对等体,防止意外的网络传播。
此外,MED Multi-exit Discriminator属性用于影响eBGP对等体的路由选择,确保通过配置为主HUB的iBGP对等体获知的路由优先于通过eBGP从辅助HUB获知的前缀。
通过进行拓扑调整(例如为辅助HUB配置iBGP),可以消除在将同一网络通告到其他分支之前对翻转社区标记的MED操作和入站路由映射的需要。
相关信息
- 如需更多帮助,请联系TAC。需要有效的支持合同:思科全球支持联系人。
- 您还可以访问Cisco VPN社区,了解更多见解和趋势讨论。
修订历史记录
| 版本 | 发布日期 | 备注 |
|---|---|---|
1.0 |
01-Oct-2025
|
初始版本 |
反馈