I did a basic IBGP configuration and verification between an SRX100 and a Cisco router I bought on impulse, partly as a functional check of the router~
The topology is as follows!
These are the steps I went through.
① Configure an IP address on the Cisco router
② Configure an IP address on the SRX100B and assign the interface to virtual router VR1
③ Ping check from the SRX100
④ Configure SSH on the Cisco router
⑤ Check SSH from the SRX100 (VR1) to the Cisco
⑥ Configure IBGP on the SRX100 (VR1)
⑦ Configure IBGP on the Cisco
⑧ Verify IBGP (Cisco)
⑨ Verify IBGP (Juniper)
⑩ Other
OK, let's get started~ (^^;)
① Configure an IP address on the Cisco router
interface GigabitEthernet1
ip address 172.16.210.1 255.255.255.0
② Configure an IP address on the SRX100B and assign the interface to virtual router VR1
#delete interfaces fe-0/0/5 unit 0 family ethernet-switching
#set interfaces fe-0/0/5 unit 0 family inet address 172.16.210.254/24
#set routing-instances VR1 interface fe-0/0/5.0
③ Ping check from the SRX100
Ping to its own interface
admin@SRX100B> ping 172.16.210.254 routing-instance VR1
PING 172.16.210.254 (172.16.210.254): 56 data bytes
64 bytes from 172.16.210.254: icmp_seq=0 ttl=64 time=3.334 ms
64 bytes from 172.16.210.254: icmp_seq=1 ttl=64 time=0.906 ms
^C
--- 172.16.210.254 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.906/2.120/3.334/1.214 ms
Ping to the Cisco
admin@SRX100B> ping 172.16.210.1 routing-instance VR1
PING 172.16.210.1 (172.16.210.1): 56 data bytes
64 bytes from 172.16.210.1: icmp_seq=0 ttl=255 time=32.140 ms
64 bytes from 172.16.210.1: icmp_seq=1 ttl=255 time=3.309 ms
^C
--- 172.16.210.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.309/17.724/32.140/14.416 ms
admin@SRX100B>
④ Configure SSH on the Cisco router
IBGP-R(config)#enable secret admin
IBGP-R(config)#username admin password root123
IBGP-R(config)#ip domain-name cisco.local
IBGP-R(config)#ip ssh version 2
Please create RSA keys to enable SSH (and of atleast 768 bits for SSH v2).
IBGP-R(config)#crypto key generate rsa
The name for the keys will be: IBGP-R.cisco.local
Choose the size of the key modulus in the range of 360 to 4096 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)
IBGP-R(config)#
*Feb 6 06:45:07.851: %SSH-5-ENABLED: SSH 2.0 has been enabled
IBGP-R(config)#line vty 0 4
IBGP-R(config-line)#login local
IBGP-R(config-line)#transport input ssh
IBGP-R(config-line)#
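The session above works, but three things in it would not survive a security review: `username admin password root123` stores the password reversibly (type 0, or type 7 with service password-encryption), `enable secret admin` is a trivial MD5-hashed secret, and a 1024-bit RSA host key is below current guidance. The block below is an added example, not the configuration from the original post: it keeps the page's hostname, domain and admin user, but switches to scrypt-hashed secrets, a 2048-bit labelled key, and a VTY access-class limited to the SRX's VR1 address. The ACL name MGMT-SSH, the key label SSH-KEY, the timeouts and the placeholder secrets are my choices, and the `ip ssh server algorithm` lines need a reasonably recent IOS 15.5 / IOS-XE 16.x image.

```ios
! Added example: hardened counterpart of step ④ (not the original post's config).
! Replace <strong-enable-secret> / <strong-admin-secret>; MGMT-SSH and SSH-KEY are assumed names.
ip domain-name cisco.local
!
! Type 9 (scrypt) hashes instead of 'enable secret admin' and the reversible
! 'username admin password root123'
enable algorithm-type scrypt secret <strong-enable-secret>
username admin privilege 15 algorithm-type scrypt secret <strong-admin-secret>
!
! 2048-bit host key with an explicit label so SSH does not fall back to the
! 1024-bit general-purpose key generated in the post
crypto key generate rsa label SSH-KEY modulus 2048
ip ssh rsa keypair-name SSH-KEY
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
! Modern ciphers/MACs only (IOS 15.5+ / IOS-XE 16.x; omit on older images)
ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr
ip ssh server algorithm mac hmac-sha2-256 hmac-sha2-512
!
! Throttle password guessing: after 3 failures within 60 s, refuse logins for 120 s
login block-for 120 attempts 3 within 60
login on-failure log
login on-success log
!
! Only the SRX's VR1 address (172.16.210.254 from step ②) may open a VTY session
ip access-list standard MGMT-SSH
 permit 172.16.210.254
 deny   any log
!
! Apply to every VTY range the platform has (check 'show line'), not just 0-4
line vty 0 4
 access-class MGMT-SSH in
 exec-timeout 10 0
 login local
 transport input ssh
```

After committing this, `show ip ssh` should report version 2.0 and the SSH-KEY keypair, and a connection attempt from any address other than 172.16.210.254 is refused before authentication and logged by the `deny any log` entry.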
⑤ Check SSH from the SRX100 (VR1) to the Cisco
The first connection prompts for the router's host-key fingerprint; answering yes pins that key in the SRX's known_hosts (trust on first use), so on a real network compare the fingerprint with the key shown on the router's console before accepting it.
admin@SRX100B> ssh admin@172.16.210.1 routing-instance VR1
The authenticity of host '172.16.210.1 (172.16.210.1)' can't be established.
RSA key fingerprint is 03:7c:7b:63:03:6e:3b:1d:4e:c9:0b:f3:d8:54:9c:9d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.210.1' (RSA) to the list of known hosts.
Password:
IBGP-R>
⑥ Configure IBGP on the SRX100 (VR1)
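The post shows no configuration for this step, so the block below is an added example that I reconstructed to be consistent with the verification output in steps ⑧ and ⑨ (peer 200.200.200.1 in AS 65100, local address 1.1.1.1, only 1.1.1.1/32 advertised with origin I, and the received 200.200.200.0/24 losing to a better-preference route). It is not the original author's configuration: the group and policy names, the lo0 unit number, the static route, the zone name and the authentication key are assumptions, and the `#` lines are annotations for the reader rather than Junos syntax.

```junos
# Added example (not the original post's config): VR1 side of the IBGP session,
# reconstructed from the outputs in steps ⑧ and ⑨. Names, zone and key are assumptions.

# Loopback in VR1 that is the BGP source address (the 1.1.1.1 the Cisco peers with)
set interfaces lo0 unit 1 family inet address 1.1.1.1/32
set routing-instances VR1 instance-type virtual-router
set routing-instances VR1 interface fe-0/0/5.0
set routing-instances VR1 interface lo0.1
set routing-instances VR1 routing-options router-id 1.1.1.1
set routing-instances VR1 routing-options autonomous-system 65100

# The peer's loopback must be reachable before BGP can run. A static /24 (preference 5)
# also explains why the BGP copy of 200.200.200.0/24 shows without '*' in step ⑨.
set routing-instances VR1 routing-options static route 200.200.200.0/24 next-hop 172.16.210.1

# Export only the loopback /32; the final reject keeps everything else off the session
set policy-options policy-statement EXPORT-LO0 term lo0 from protocol direct
set policy-options policy-statement EXPORT-LO0 term lo0 from route-filter 1.1.1.1/32 exact
set policy-options policy-statement EXPORT-LO0 term lo0 then accept
set policy-options policy-statement EXPORT-LO0 term others then reject

# Import guard: never accept a default route or our own transit subnet from the peer
set policy-options policy-statement IMPORT-IBGP term no-default from route-filter 0.0.0.0/0 exact
set policy-options policy-statement IMPORT-IBGP term no-default then reject
set policy-options policy-statement IMPORT-IBGP term own from route-filter 172.16.210.0/24 orlonger
set policy-options policy-statement IMPORT-IBGP term own then reject
set policy-options policy-statement IMPORT-IBGP term rest then accept

set routing-instances VR1 protocols bgp group IBGP type internal
set routing-instances VR1 protocols bgp group IBGP local-address 1.1.1.1
set routing-instances VR1 protocols bgp group IBGP import IMPORT-IBGP
set routing-instances VR1 protocols bgp group IBGP export EXPORT-LO0
# TCP MD5 on the session (assumed key); the Cisco 'neighbor ... password' must be identical,
# and both sides must be changed together or the session drops to Active
set routing-instances VR1 protocols bgp group IBGP authentication-key "ChangeMe-IBGP-Key"
set routing-instances VR1 protocols bgp group IBGP neighbor 200.200.200.1

# The SRX is a firewall: BGP to its own interfaces is dropped unless the zone holding
# the VR1 interfaces allows it (zone name VR1-ZONE is an assumption)
set security zones security-zone VR1-ZONE interfaces fe-0/0/5.0 host-inbound-traffic protocols bgp
set security zones security-zone VR1-ZONE interfaces lo0.1 host-inbound-traffic protocols bgp
```

After `commit`, `show bgp neighbor 200.200.200.1 instance VR1 | match "State|Options"` should show State: Established and AuthKey among the Options; if it stays in Active, the first things to compare are the key and the `local-address` against what the Cisco side expects.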
⑦ Configure IBGP on the Cisco
⑧ Verify IBGP (Cisco)
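Likewise for the Cisco side: the following is an added example, not the original post's configuration, reconstructed so that it yields exactly the routes and ORIGIN codes seen in steps ⑧ and ⑨ (210.210.210.0/24 with origin i via `network`, 200.200.200.0/24 and 220.220.220.0/24 with origin ? via redistribution, 1.1.1.1/32 learned from the peer, a static default toward the SRX). The prefix-list and route-map names, the password, the maximum-prefix value and the address-family layout are assumptions.

```ios
! Added example (not the original post's config): Cisco side of the IBGP session.
! Loopback addresses match the connected routes in step ⑧; names and key are assumptions.
interface Loopback0
 ip address 200.200.200.1 255.255.255.0
interface Loopback1
 ip address 210.210.210.1 255.255.255.0
interface Loopback2
 ip address 220.220.220.1 255.255.255.0
!
! Reachability to the SRX loopback 1.1.1.1 (the S* default route in 'show ip route')
ip route 0.0.0.0 0.0.0.0 172.16.210.254
!
! Only the two loopback subnets may be redistributed; a bare 'redistribute connected'
! would also push 172.16.210.0/24 and anything configured later into BGP
ip prefix-list PL-LOOPBACKS seq 10 permit 200.200.200.0/24
ip prefix-list PL-LOOPBACKS seq 20 permit 220.220.220.0/24
route-map RM-CONNECTED-TO-BGP permit 10
 match ip address prefix-list PL-LOOPBACKS
!
! Inbound guard: reject a default route or the transit /24 if the peer ever sends one
ip prefix-list PL-FROM-SRX seq 10 deny 0.0.0.0/0
ip prefix-list PL-FROM-SRX seq 20 deny 172.16.210.0/24 le 32
ip prefix-list PL-FROM-SRX seq 30 permit 0.0.0.0/0 le 32
!
router bgp 65100
 ! the highest loopback (220.220.220.1) would be chosen anyway; pinning it avoids surprises
 bgp router-id 220.220.220.1
 bgp log-neighbor-changes
 neighbor 1.1.1.1 remote-as 65100
 neighbor 1.1.1.1 description SRX100B-VR1
 neighbor 1.1.1.1 update-source Loopback0
 ! TCP MD5 (assumed key); must equal the Junos authentication-key, change both together
 neighbor 1.1.1.1 password ChangeMe-IBGP-Key
 !
 address-family ipv4
  ! shows as origin 'I' on the SRX
  network 210.210.210.0 mask 255.255.255.0
  ! shows as origin '?' on the SRX
  redistribute connected route-map RM-CONNECTED-TO-BGP
  neighbor 1.1.1.1 activate
  neighbor 1.1.1.1 prefix-list PL-FROM-SRX in
  neighbor 1.1.1.1 maximum-prefix 100
 exit-address-family
```

`show ip bgp neighbors 1.1.1.1 | include BGP state|hold time` confirms the session and the negotiated hold time, and `show ip bgp` should list exactly the three local prefixes plus 1.1.1.1/32, matching the "4 network entries" line in the summary above.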
IBGP-R#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is 172.16.210.254 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 172.16.210.254
1.0.0.0/32 is subnetted, 1 subnets
B 1.1.1.1 [200/0] via 1.1.1.1, 00:00:25
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.210.0/24 is directly connected, GigabitEthernet1
L 172.16.210.1/32 is directly connected, GigabitEthernet1
200.200.200.0/24 is variably subnetted, 2 subnets, 2 masks
C 200.200.200.0/24 is directly connected, Loopback0
L 200.200.200.1/32 is directly connected, Loopback0
210.210.210.0/24 is variably subnetted, 2 subnets, 2 masks
C 210.210.210.0/24 is directly connected, Loopback1
L 210.210.210.1/32 is directly connected, Loopback1
220.220.220.0/24 is variably subnetted, 2 subnets, 2 masks
C 220.220.220.0/24 is directly connected, Loopback2
L 220.220.220.1/32 is directly connected, Loopback2
IBGP-R#
IBGP-R#show ip route bgp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is 172.16.210.254 to network 0.0.0.0
1.0.0.0/32 is subnetted, 1 subnets
B 1.1.1.1 [200/0] via 1.1.1.1, 00:00:48
IBGP-R#
IBGP-R#show ip bgp summary
BGP router identifier 220.220.220.1, local AS number 65100
BGP table version is 5, main routing table version 5
4 network entries using 576 bytes of memory
4 path entries using 320 bytes of memory
3/3 BGP path/bestpath attribute entries using 432 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1328 total bytes of memory
BGP activity 13/9 prefixes, 26/22 paths, scan interval 60 secs
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
1.1.1.1         4        65100       6       8        5    0    0 00:01:06        1
IBGP-R#
⑨ Verify IBGP (Juniper)
admin@SRX100B> show bgp summary
Groups: 1 Peers: 1 Down peers: 0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
200.200.200.1         65100        129        195       0      17           2 Establ
  VR1.inet.0: 2/3/3/0
admin@SRX100B>
admin@SRX100B> show route protocol bgp
inet.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
VR1.inet.0: 10 destinations, 11 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
200.200.200.0/24 [BGP/170] 00:00:43, MED 0, localpref 100, from 200.200.200.1
AS path: ?
> to 172.16.210.1 via fe-0/0/5.0
210.210.210.0/24 *[BGP/170] 00:00:43, MED 0, localpref 100, from 200.200.200.1
AS path: I
> to 172.16.210.1 via fe-0/0/5.0
220.220.220.0/24 *[BGP/170] 00:00:43, MED 0, localpref 100, from 200.200.200.1
AS path: ?
> to 172.16.210.1 via fe-0/0/5.0
VR2.inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
admin@SRX100B>
admin@SRX100B> show route advertising-protocol bgp 200.200.200.1
VR1.inet.0: 10 destinations, 11 routes (10 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 1.1.1.1/32              Self                         100        I
admin@SRX100B>
admin@SRX100B> show route receive-protocol bgp 200.200.200.1
inet.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
VR1.inet.0: 10 destinations, 11 routes (10 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
  200.200.200.0/24        200.200.200.1        0       100        ?
* 210.210.210.0/24        200.200.200.1        0       100        I
* 220.220.220.0/24        200.200.200.1        0       100        ?
VR2.inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
admin@SRX100B>
Note that 200.200.200.0/24 is received but carries no "*", so it is not the active route: VR1.inet.0 already holds a route for the same prefix with a lower (better) preference value than BGP's 170, typically the static route that gives VR1 reachability to the peer's loopback, and that route wins the selection. The "10 destinations, 11 routes" line says the same thing: one prefix with two candidate routes.
〇 What was "AS path: ?" again...
Reference site: https://www.infraexpert.com/study/bgpz09.html
ORIGIN (type code 1: well-known mandatory)
ORIGIN is the attribute that indicates where a BGP route was generated (its origin).
This attribute is always carried in BGP UPDATE messages.
The ORIGIN attribute takes one of the values below; the BGP table shows it in the
"Path" column as "i", "e" or "?".
ORIGIN also takes part in path selection: the smallest value, "i", is preferred.
  0  IGP         i  Route originated inside the AS by an IGP. Produced by the network
                    or aggregate-address command in the BGP configuration.
  1  EGP         e  Route originated outside the AS by EGP, i.e. learned via the legacy
                    EGP protocol. Practically never seen.
  2  Incomplete  ?  Route whose origin is unknown or that was learned some other way.
                    Normally produced by redistributing IGP routes into BGP inside the AS.
→ The routes the Cisco side redistributes from its directly connected interfaces are these two,
  200.200.200.0/24        200.200.200.1        0       100        ?
  220.220.220.0/24        200.200.200.1        0       100        ?
so I think that is why they show "?"~
⑩ Other
〇 Example of a BGP session that has not come up
(as seen on the Juniper)
admin@SRX100B> show bgp summary
Groups: 1 Peers: 1 Down peers: 1
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
200.200.200.1         65100          0          0       0       0        6:15 Idle
admin@SRX100B> show bgp summary
Groups: 1 Peers: 1 Down peers: 1
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
200.200.200.1         65100          0          0       0       0       20:40 Active
admin@SRX100B> show bgp summary
Groups: 1 Peers: 1 Down peers: 1
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
200.200.200.1         65100          0          0       0       0       21:16 Active
admin@SRX100B> show bgp summary
Groups: 1 Peers: 1 Down peers: 1
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
200.200.200.1         65100          0          0       0       0       21:18 Active
admin@SRX100B> show bgp summary
Groups: 1 Peers: 1 Down peers: 1
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
200.200.200.1         65100          0          0       0       0       21:20 Active
admin@SRX100B> show bgp summary
Groups: 1 Peers: 1 Down peers: 1
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
200.200.200.1         65100          0          0       0       0       21:21 Active
********************************************************************************
BGP exchanges OPEN, UPDATE, KEEPALIVE and NOTIFICATION messages, and as it does so
a neighbor is in one of six states. Once it reaches the Established state the BGP
neighbor relationship is fully up. The state can be read from the "BGP state" field
on the third line of the show ip bgp neighbors output.
idle :
The state right after BGP is configured. If the BGP neighbor is IP-reachable, the router
starts a TCP connection and moves to the Connect state.
active :
The router is attempting the TCP connection. If the neighbor's IP address, AS number or
authentication password is misconfigured, the neighbor stays in Active or cycles
idle→Active→idle.
Quoted from: ネットワークエンジニアとして
https://www.infraexpert.com/study/bgpz02.html
〇 Checking BGP-related logs on the Cisco
If bgp log-neighbor-changes is configured you can see logs like these~
Reading this capture: each time the session comes Up it is torn down exactly 90 seconds later by a "4/0 (hold time expired)" NOTIFICATION received from 1.1.1.1. That code is sent by the peer whose hold timer ran out, so the SRX saw no KEEPALIVE or UPDATE from the Cisco for the full negotiated hold time (90 s, the Junos default, which is smaller than the IOS default of 180 s and therefore wins the negotiation). The earlier "Administrative Reset" and "User reset" entries are manual clears on the SRX and Cisco respectively, not faults.
IBGP-R#show logging | include BGP
*Feb 6 09:43:18.575: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Up
*Feb 6 10:01:25.811: %BGP-3-NOTIFICATION: received from neighbor 1.1.1.1 6/4 (Administrative Reset) 0 bytes
*Feb 6 10:01:25.811: %BGP-5-NBR_RESET: Neighbor 1.1.1.1 reset (BGP Notification received)
*Feb 6 10:01:25.811: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Down BGP Notification received
*Feb 6 10:01:25.811: %BGP_SESSION-5-ADJCHANGE: neighbor 1.1.1.1 IPv4 Unicast topology base removed from session BGP Notification received
*Feb 6 10:01:57.859: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Up
*Feb 6 10:02:10.279: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Down User reset
*Feb 6 10:02:10.279: %BGP_SESSION-5-ADJCHANGE: neighbor 1.1.1.1 IPv4 Unicast topology base removed from session User reset
*Feb 6 10:02:42.303: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Up
*Feb 6 10:04:12.371: %BGP-5-NBR_RESET: Neighbor 1.1.1.1 reset (Peer closed the session)
*Feb 6 10:04:12.371: %BGP-3-NOTIFICATION: received from neighbor 1.1.1.1 4/0 (hold time expired) 0 bytes
*Feb 6 10:04:12.375: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Down Peer closed the session
*Feb 6 10:04:12.375: %BGP_SESSION-5-ADJCHANGE: neighbor 1.1.1.1 IPv4 Unicast topology base removed from session Peer closed the session
*Feb 6 10:04:44.403: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Up
*Feb 6 10:06:14.419: %BGP-5-NBR_RESET: Neighbor 1.1.1.1 reset (Peer closed the session)
*Feb 6 10:06:14.419: %BGP-3-NOTIFICATION: received from neighbor 1.1.1.1 4/0 (hold time expired) 0 bytes
*Feb 6 10:06:14.419: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Down Peer closed the session
*Feb 6 10:06:14.419: %BGP_SESSION-5-ADJCHANGE: neighbor 1.1.1.1 IPv4 Unicast topology base removed from session Peer closed the session
*Feb 6 10:06:46.479: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Up
*Feb 6 10:08:16.491: %BGP-5-NBR_RESET: Neighbor 1.1.1.1 reset (Peer closed the session)
*Feb 6 10:08:16.491: %BGP-3-NOTIFICATION: received from neighbor 1.1.1.1 4/0 (hold time expired) 0 bytes
*Feb 6 10:08:16.491: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Down Peer closed the session
*Feb 6 10:08:16.491: %BGP_SESSION-5-ADJCHANGE: neighbor 1.1.1.1 IPv4 Unicast topology base removed from session Peer closed the session
*Feb 6 10:08:48.523: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Up
*Feb 6 10:10:18.543: %BGP-5-NBR_RESET: Neighbor 1.1.1.1 reset (Peer closed the session)
*Feb 6 10:10:18.543: %BGP-3-NOTIFICATION: received from neighbor 1.1.1.1 4/0 (hold time expired) 0 bytes
*Feb 6 10:10:18.547: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Down Peer closed the session
*Feb 6 10:10:18.547: %BGP_SESSION-5-ADJCHANGE: neighbor 1.1.1.1 IPv4 Unicast topology base removed from session Peer closed the session
*Feb 6 10:10:50.567: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Up
IBGP-R#
It's been a while since I touched a real Cisco box.. (^^;)
Next I'm planning to do a packet capture of BGP!~