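Introduction
This document describes the disable-peer-as-check command in Border Gateway Protocol (BGP) on Cisco Nexus series switches that run the NX-OS operating system.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
Components Used
The information in this document is based on these software and hardware versions: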
- Cisco Nexus 7000
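- NXOS version 7.3(0)D1(1)
The content of this document is not restricted to specific software and hardware versions. The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Configure
When a network prefix is advertised to an eBGP peer, the advertising router's Autonomous System (AS) is always prepended to the list in the BGP AS_PATH attribute.
By default, Cisco Nexus NX-OS based switches do not advertise a network prefix to an eBGP peer whose AS is the last one found (the one most recently prepended) in the AS_PATH attribute of that prefix.
This behavior differs from Cisco IOS® (and Cisco IOS®-XE) based routers and switches, which advertise the network prefix to the eBGP peer even if the peer's AS is already in the AS_PATH attribute of the prefix.
In that case, the BGP loop-prevention mechanism on the receiving peer router drops the network prefix (by default) and triggers a message similar to "DENIED due to: AS-PATH contains our own AS" (only when the corresponding debug is enabled).
Note: By default, Cisco IOS® XR based routers behave like NX-OS. In Cisco IOS® XR, the as-path-loopcheck out disable command can be used to modify this behavior.
Network Diagram
Configurations
R1 - Cisco IOS®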
configure terminal
!
hostname R1
!
interface Loopback0
ip address 10.255.255.1 255.255.255.255
!
interface GigabitEthernet0/1
ip address 10.1.2.1 255.255.255.0
no shutdown
!
router bgp 64512
bgp log-neighbor-changes
network 10.255.255.1 mask 255.255.255.255
neighbor 10.1.2.2 remote-as 65535
!
end
N7K-2 - Nexus NX-OS
configure terminal
!
hostname N7K-2
!
feature bgp
!
interface Ethernet2/1
no switchport
ip address 10.1.2.2/24
no shutdown
interface Ethernet2/2
no switchport
ip address 10.2.3.2/24
no shutdown
!
router bgp 65535
address-family ipv4 unicast
neighbor 10.1.2.1
remote-as 64512
address-family ipv4 unicast
neighbor 10.2.3.3
remote-as 64512
address-family ipv4 unicast
!
end
R3 - Cisco IOS®
configure terminal
!
hostname R3
!
interface GigabitEthernet0/1
ip address 10.2.3.3 255.255.255.0
no shutdown
!
router bgp 64512
bgp log-neighbor-changes
neighbor 10.2.3.2 remote-as 65535
!
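end
Verify
Use this section in order to confirm that your configuration works properly.
Without the disable-peer-as-check command, N7K-2, which runs NX-OS, does not advertise prefix 10.255.255.1/32 to router R3, because R3's AS (64512) is the last one found in the AS_PATH attribute.
Note: By default, disable-peer-as-check is not enabled in the configuration. You must add the command manually to enable the feature.
When N7K-2 advertises 10.255.255.1/32 to R3, the AS_PATH attribute includes 64512 as its last AS.
This AS, 64512, is the same as the AS configured on R3.
N7K-2 - Nexus NX-OS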
N7K-2# show bgp ipv4 unicast
BGP routing table information for VRF default, address family IPv4 Unicast
BGP table version is 17, local router ID is 10.1.2.2
Status: s-suppressed, x-deleted, S-stale, d-dampened, h-history, *-valid, >-best
Path type: i-internal, e-external, c-confed, l-local, a-aggregate, r-redist, I-injected
Origin codes: i - IGP, e - EGP, ? - incomplete, | - multipath, & - backup
Network Next Hop Metric LocPrf Weight Path
*>e10.255.255.1/32 10.1.2.1 0 0 64512 i
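N7K-2#
Observe that the debug command debug bgp ipv4 unicast is enabled on R3.
To further confirm that the route is not received, the command clear bgp ipv4 unicast * soft is run to force the routes to be exchanged again. R3 does not receive the route.
R3 - Cisco IOS®
R3#debug bgp ipv4 unicast
BGP debugging is on for address family: IPv4 Unicast
R3#
R3#clear bgp ipv4 unicast * soft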
R3#
*Jul 15 19:22:36.427: BGP: 10.2.3.2 sending REFRESH_REQ(5) for afi/safi: 1/1, refresh code is 0
R3#
The disable-peer-as-check command must be enabled on N7K-2 so that it can advertise the network prefix to R3.
N7K-2 - Nexus NX-OS
N7K-2# conf t
Enter configuration commands, one per line. End with CNTL/Z.
N7K-2(config)# router bgp 65535
N7K-2(config-router)# neighbor 10.2.3.3
N7K-2(config-router-neighbor)# address-family ipv4 unicast
N7K-2(config-router-neighbor-af)# disable-peer-as-check
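N7K-2(config-router-neighbor-af)#
After disable-peer-as-check is applied on N7K-2, the route is advertised to R3, but R3 drops it through the BGP loop-prevention mechanism, as expected.
Observe the message "DENIED due to: AS-PATH contains our own AS" in the debug output.
R3 - Cisco IOS®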
R3#
*Jul 15 19:29:06.440: BGP(0): 10.2.3.2 rcv UPDATE w/ attr: nexthop 10.2.3.2, origin i, originator 0.0.0.0, merged path 65535 64512, AS_PATH , community , extended community , SSA attribute
*Jul 15 19:29:06.442: BGPSSA ssacount is 0
*Jul 15 19:29:06.442: BGP(0): 10.2.3.2 rcv UPDATE about 10.255.255.1/32 -- DENIED due to: AS-PATH contains our own AS;
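R3#
Note: If R3's AS is not the last one found in the AS_PATH attribute, N7K-2 does not need the command in order to advertise the route.
In this example, a route-map with the set as-path prepend command is used to prepend another AS last in the AS_PATH attribute. There is now another AS in the AS path toward R3.
The AS_PATH lists 65300 64512.
N7K-2 - Nexus NX-OS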
configure terminal
!
route-map TEST permit 10
set as-path prepend 65300
!
N7K-2# conf t
Enter configuration commands, one per line. End with CNTL/Z.
N7K-2(config)# router bgp 65535
N7K-2(config-router)# neighbor 10.1.2.1
N7K-2(config-router-neighbor)# address-family ipv4 unicast
N7K-2(config-router-neighbor-af)# route-map TEST in
N7K-2(config-router-neighbor-af)#
N7K-2#
N7K-2# show bgp ipv4 unicast
BGP routing table information for VRF default, address family IPv4 Unicast
BGP table version is 18, local router ID is 10.1.2.2
Status: s-suppressed, x-deleted, S-stale, d-dampened, h-history, *-valid, >-best
Path type: i-internal, e-external, c-confed, l-local, a-aggregate, r-redist, I-injected
Origin codes: i - IGP, e - EGP, ? - incomplete, | - multipath, & - backup
Network Next Hop Metric LocPrf Weight Path
*>e10.255.255.1/32 10.1.2.1 0 0 65300 64512 i
N7K-2#
Observe how N7K-2 advertises the route in this case without the need for disable-peer-as-check.
N7K-2 - Nexus NX-OS
N7K-2# sh run bgp
!Command: show running-config bgp
!Time: Mon Jul 15 21:28:59 2019
version 7.3(0)D1(1)
feature bgp
router bgp 65535
address-family ipv4 unicast
neighbor 10.1.2.1
remote-as 64512
address-family ipv4 unicast
route-map TEST in
neighbor 10.2.3.3
remote-as 64512
address-family ipv4 unicast
N7K-2#
The message "DENIED due to: AS-PATH contains our own AS" can be seen in the debug output on R3.
R3 - Cisco IOS®
R3#show debug
IP routing:
BGP debugging is on for address family: IPv4 Unicast
BGP updates debugging is on for address family: IPv4 Unicast
R3#
R3#clear bgp ipv4 unicast * soft
R3#
*Jul 15 21:33:11.309: BGP: 10.2.3.2 sending REFRESH_REQ(5) for afi/safi: 1/1, refresh code is 0
*Jul 15 21:33:12.312: BGP(0): 10.2.3.2 rcv UPDATE w/ attr: nexthop 10.2.3.2, origin i, originator 0.0.0.0, merged path 65535 65300 64512, AS_PATH , community , extended community , SSA attribute
*Jul 15 21:33:12.313: BGPSSA ssacount is 0
*Jul 15 21:33:12.313: BGP(0): 10.2.3.2 rcv UPDATE about 10.255.255.1/32 -- DENIED due to: AS-PATH contains our own AS;
R3#
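The three cases verified above, replayed as a small model. This is an added example, not code from the original document or from Cisco; the function names are hypothetical and the logic is a simplification built only from the behavior this page describes, with the lab's AS numbers.

```python
# Simplified model of the two checks this page describes (illustrative, not vendor code).
# AS paths are lists with the most recently prepended AS first, as in the "Path" column.

def ebgp_send(as_path, local_as, peer_as, platform, disable_peer_as_check=False):
    """Return the AS_PATH the peer would receive, or None if the sender withholds it."""
    # Sender-side peer-AS check (NX-OS default per this page): withhold the prefix
    # when the most recently prepended AS is the peer's own AS.
    if platform == "nxos" and not disable_peer_as_check:
        if as_path and as_path[0] == peer_as:
            return None
    # IOS / IOS-XE per this page: no sender-side check, always advertise.
    return [local_as] + as_path

def ebgp_accepts(as_path, local_as):
    """Receiver-side loop prevention: deny a path that contains our own AS."""
    return local_as not in as_path

def lab_case(inbound_prepend=None, disable_peer_as_check=False):
    """R1 (AS 64512) -> N7K-2 (AS 65535) -> R3 (AS 64512), the lab on this page."""
    path = ebgp_send([], 64512, 65535, "ios")        # R1 originates 10.255.255.1/32
    if inbound_prepend is not None:                  # route-map TEST in on N7K-2
        path = [inbound_prepend] + path
    sent = ebgp_send(path, 65535, 64512, "nxos", disable_peer_as_check)
    if sent is None:
        return "withheld by N7K-2", None
    verdict = "accepted by R3" if ebgp_accepts(sent, 64512) else "denied by R3"
    return verdict, sent

if __name__ == "__main__":
    for label, kwargs in [
        ("default", {}),
        ("disable-peer-as-check", {"disable_peer_as_check": True}),
        ("inbound prepend 65300", {"inbound_prepend": 65300}),
    ]:
        print(f"{label:24} -> {lab_case(**kwargs)}")
```

In all three cases R3 never installs the route: the sender-side check only decides whether the UPDATE is sent, while the receiver-side loop prevention is what rejects a path that contains AS 64512.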
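Troubleshoot
This section provides information you can use in order to troubleshoot your configuration.
To confirm that the BGP configuration requires the disable-peer-as-check command on NX-OS, turn on these debugs.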
debug-filter bgp neighbor <eBGP_NEIGHBOR>
debug-filter bgp prefix <ROUTE_TO_BE_ADVERTISED>
debug bgp updates
debug logfile <FILE_NAME>
Note that a message similar to "10.2.3.3 10.255.255.1/32 path-id 1 not sent to peer due to: advertising AS" is generated when there is a request to resend the routes.
N7K-2 - Nexus NX-OS
N7K-2# debug-filter bgp neighbor 10.2.3.3
N7K-2# debug-filter bgp prefix 10.255.255.1/32
N7K-2# debug bgp updates
N7K-2#
N7K-2# debug logfile bgpdebug.log
N7K-2# show debug logfile bgpdebug.log
2019 Jul 15 21:38:12.586085 bgp: 65535 [7848] (default) UPD: [IPv4 Unicast] Continuing update run for peer 10.2.3.3 (#0)
2019 Jul 15 21:38:12.586129 bgp: 65535 [7848] (default) UPD: [IPv4 Unicast] consider sending 10.255.255.1/32 to peer 10.2.3.3, path-id 1, best-ext is off
2019 Jul 15 21:38:12.586145 bgp: 65535 [7848] (default) UPD: [IPv4 Unicast] 10.2.3.3 10.255.255.1/32 path-id 1 not sent to peer due to: advertising AS
2019 Jul 15 21:38:12.586160 bgp: 65535 [7848] (default) UPD: [IPv4 Unicast] 10.2.3.3: walked 0 nodes and packed 0/0 prefixes
2019 Jul 15 21:38:12.586177 bgp: 65535 [7848] (default) UPD: [IPv4 Unicast] Found marker dest 0xf35349f0 on xmitlist for peer 10.2.3.3 (sent prefixes: 0)
2019 Jul 15 21:38:12.586200 bgp: 65535 [7848] (default) UPD: [IPv4 Unicast] Created EOR marker UPDATE msg (len 23) to peer 10.2.3.3 afer sending 0 routes
2019 Jul 15 21:38:12.586213 bgp: 65535 [7848] (default) UPD: [IPv4 Unicast] (#24) Suspending update run for peer 10.2.3.3 (#24)
N7K-2#
When you are done, disable the debugs with these commands:
undebug all
no debug-filter all
clear debug logfile <FILE_NAME>
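One way to pull the withheld prefixes out of a saved debug logfile, as an added example that is not part of the original document. The function names are hypothetical, the sample lines are copied from the bgpdebug.log output above, and the regular expressions assume that exact line layout.

```python
import re
from collections import defaultdict

# Lines copied from the "show debug logfile bgpdebug.log" output on this page.
SAMPLE_LOG = """\
2019 Jul 15 21:38:12.586129 bgp: 65535 [7848] (default) UPD: [IPv4 Unicast] consider sending 10.255.255.1/32 to peer 10.2.3.3, path-id 1, best-ext is off
2019 Jul 15 21:38:12.586145 bgp: 65535 [7848] (default) UPD: [IPv4 Unicast] 10.2.3.3 10.255.255.1/32 path-id 1 not sent to peer due to: advertising AS
2019 Jul 15 21:38:12.586160 bgp: 65535 [7848] (default) UPD: [IPv4 Unicast] 10.2.3.3: walked 0 nodes and packed 0/0 prefixes
"""

# Common header of a BGP UPD debug line: timestamp, local AS, PID, VRF, address family.
HEADER = re.compile(
    r"^(?P<ts>\d{4} \w{3} +\d+ [\d:.]+) bgp: (?P<asn>\d+) \[\d+\] "
    r"\((?P<vrf>[^)]+)\) UPD: \[(?P<af>[^\]]+)\] (?P<msg>.*)$"
)
# Message body that reports a prefix withheld from a peer, with the stated reason.
NOT_SENT = re.compile(
    r"^(?P<peer>\S+) (?P<prefix>\S+) path-id (?P<path_id>\d+) "
    r"not sent to peer due to: (?P<reason>.+)$"
)

def withheld_prefixes(log_text):
    """Return one dict per 'not sent to peer' event found in the log text."""
    events = []
    for line in log_text.splitlines():
        header = HEADER.match(line.strip())
        if not header:
            continue  # prompts, blank lines, non-UPD output
        body = NOT_SENT.match(header["msg"])
        if body:
            events.append({"time": header["ts"], "vrf": header["vrf"],
                           "af": header["af"], **body.groupdict()})
    return events

def peer_as_check_hits(log_text):
    """Map each peer to the prefixes withheld with reason 'advertising AS'."""
    hits = defaultdict(set)
    for event in withheld_prefixes(log_text):
        if event["reason"].strip() == "advertising AS":
            hits[event["peer"]].add(event["prefix"])
    return {peer: sorted(prefixes) for peer, prefixes in hits.items()}

if __name__ == "__main__":
    print(peer_as_check_hits(SAMPLE_LOG))
```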