一、先复习一下BGP选路规则：

二、实验拓扑如下图：

设备互联用xy.1.1.x<--->xy.1.1.y/24 如 ar1--ar2 :12.1.1.1<----->12.1.1.2
各设备环回口loop0 x.x.x.x/32
IBGP内部用ospf或IS-IS,邻居采用环回口建立,EBGP直接用互联地址。（我这边as100 用ospf ,as 400 用IS-IS）

三、设备基本配置：

AR1(列出两个设备,其它配置都差不多)

#
interface GigabitEthernet0/0/0
 ip address 12.1.1.1 255.255.255.0 
#
interface GigabitEthernet0/0/1
 ip address 13.1.1.1 255.255.255.0 
#
interface GigabitEthernet0/0/2
 ip address 10.0.0.1 255.255.255.0 
#
interface NULL0
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255 
#
bgp 100
 peer 2.2.2.2 as-number 100 
 peer 2.2.2.2 connect-interface LoopBack0
 peer 3.3.3.3 as-number 100 
 peer 3.3.3.3 connect-interface LoopBack0
 #                                        
 ipv4-family unicast
  undo synchronization
  network 10.0.0.0 255.255.255.0 
  peer 2.2.2.2 enable
  peer 3.3.3.3 enable
#
ospf 1 router-id 1.1.1.1 
 area 0.0.0.0 
  network 1.1.1.1 0.0.0.0 
  network 12.1.1.1 0.0.0.0 
  network 13.1.1.1 0.0.0.0 
#

AR3

#
interface GigabitEthernet0/0/0
 ip address 34.1.1.3 255.255.255.0 
#
interface GigabitEthernet0/0/1
 ip address 13.1.1.3 255.255.255.0 
#
interface GigabitEthernet0/0/2
 ip address 23.1.1.3 255.255.255.128 
#
interface NULL0
#
interface LoopBack0
 ip address 3.3.3.3 255.255.255.255 
#
bgp 100
 peer 1.1.1.1 as-number 100 
 peer 1.1.1.1 connect-interface LoopBack0
 peer 2.2.2.2 as-number 100 
 peer 2.2.2.2 connect-interface LoopBack0
 peer 34.1.1.4 as-number 200              
 #
 ipv4-family unicast
  undo synchronization
  peer 1.1.1.1 enable
  peer 2.2.2.2 enable
  peer 34.1.1.4 enable
#
ospf 1 router-id 3.3.3.3 
 area 0.0.0.0 
  network 3.3.3.3 0.0.0.0 
  network 13.1.1.3 0.0.0.0 
  network 23.1.1.3 0.0.0.0 
#

AR7

#
isis 1
 network-entity 49.0000.0000.0007.00
#
interface GigabitEthernet0/0/0
 ip address 67.1.1.7 255.255.255.0 
 isis enable 1
#
interface GigabitEthernet0/0/1
 ip address 10.0.1.1 255.255.255.0 
#
interface GigabitEthernet0/0/2
 ip address 47.1.1.7 255.255.255.0 
#
interface GigabitEthernet1/0/0
#
interface NULL0
#
interface LoopBack0
 ip address 7.7.7.7 255.255.255.255 
 isis enable 1                            
#
bgp 400
 peer 6.6.6.6 as-number 400 
 peer 6.6.6.6 connect-interface LoopBack0
 peer 47.1.1.4 as-number 200 
 #
 ipv4-family unicast
  undo synchronization
  network 10.0.1.0 255.255.255.0 
  peer 6.6.6.6 enable
  peer 47.1.1.4 enable
#

3.1 next-hop-local的应用

全部设备配置结束后在R1上查看BGP路由可以学到R7,R8下的业务地址正常。但是 NextHop 是34 与24 这两个网段，因为下一跳不可达（选路规则1）所以该路由不会被放入到路由表中，需要在R2，及R3上增加 peer 1.1.1.1 next-hop-local 命令。让下一跳变成可达的IBGP的邻居地址。

<R1>dis bgp routing-table   

 BGP Local router ID is 12.1.1.1 
 Status codes: * - valid, > - best, d - damped,
               h - history,  i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete


 Total Number of Routes: 5
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn

 *>   10.0.0.0/24        0.0.0.0         0                     0      i
   i  10.0.1.0/24        34.1.1.4                   100        0      200 400i
   i                     24.1.1.4                   100        0      200 400i
   i  10.0.2.0/24        34.1.1.4                   100        0      200 400 500i
   i                     24.1.1.4                   100        0      200 400 500i

修改后路由生效,选路规则前面的都相同，因R2的路由ID小，优选R2.

<R1>dis bgp routing-table

 BGP Local router ID is 12.1.1.1 
 Status codes: * - valid, > - best, d - damped,
               h - history,  i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete


 Total Number of Routes: 5
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn

 *>   10.0.0.0/24        0.0.0.0         0                     0      i
 *>i  10.0.1.0/24        2.2.2.2                    100        0      200 400i
 * i                     3.3.3.3                    100        0      200 400i
 *>i  10.0.2.0/24        2.2.2.2                    100        0      200 400 500i
 * i                     3.3.3.3                    100        0      200 400 500i
<R1>

3.2下面通过local_pref属性来影响出AS选路，让R1去往10.0.2.0/24选择R3作为出AS路径，在R2上配置。

#新增路由策略，匹配10.0.2.0/24 减小local-preference(默认100，值大优先)
route-policy 10 permit node 10 
 if-match ip-prefix 10 
 apply local-preference 50 
#
route-policy 10 permit node 20 
#
ip ip-prefix 10 index 10 permit 10.0.2.0 24
#
应用到24.1.1.4邻居进方向
bgp 100
 peer 24.1.1.4 route-policy 10 import

查看R1上的路由表R2过来的LocPrf变为50所以优选R3

<R1>dis bgp routing-table

 BGP Local router ID is 12.1.1.1 
 Status codes: * - valid, > - best, d - damped,
               h - history,  i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete


 Total Number of Routes: 5
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn

 *>   10.0.0.0/24        0.0.0.0         0                     0      i
 *>i  10.0.1.0/24        2.2.2.2                    100        0      200 400i
 * i                     3.3.3.3                    100        0      200 400i
 *>i  10.0.2.0/24        3.3.3.3                    100        0      200 400 500i
 * i                     2.2.2.2                    50         0      200 400 500i

3.3通过MED影响进入AS的选路。R1到R7的往返路径不一致.并且非最优,需要在R6上配置,解决这个问题.

<R1>tracert -a 10.0.0.1 10.0.1.1
 traceroute to  10.0.1.1(10.0.1.1), max hops: 30 ,packet length: 40,press CTRL_C to break 
 1 12.1.1.2 30 ms  30 ms  20 ms 
 2 24.1.1.4 30 ms  30 ms  10 ms 
 3 46.1.1.6 30 ms  30 ms  20 ms 
 4 67.1.1.7 30 ms  30 ms  50 ms 
<R7>tracert -a 10.0.1.1 10.0.0.1
 traceroute to  10.0.0.1(10.0.0.1), max hops: 30 ,packet length: 40,press CTRL_C to break 
 1 47.1.1.4 40 ms  20 ms  20 ms 
 2 24.1.1.2 30 ms  30 ms  40 ms 
 3 12.1.1.1 40 ms  40 ms  30 ms

具体操作

#配置路由策略并应用
route-policy MED permit node 10 
 if-match ip-prefix 10 
 apply cost 100 
#
route-policy MED permit node 20 
#
ip ip-prefix 10 index 10 permit 10.0.1.0 24

bgp 400
  peer 46.1.1.4 route-policy MED export

#查看R4上的路由表MED 小优先。
<R4>dis bgp routing-table

 BGP Local router ID is 34.1.1.4 
 Status codes: * - valid, > - best, d - damped,
               h - history,  i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete


 Total Number of Routes: 5
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn

 *>   10.0.0.0/24        24.1.1.2                              0      100i
 *                       34.1.1.3                              0      100i
 *>   10.0.1.0/24        47.1.1.7        0                     0      400i
 *                       46.1.1.6        100                   0      400i
 *>   10.0.2.0/24        46.1.1.6                              0      400 500i

#在R1上测试
<R1>tracert -a 10.0.0.1 10.0.1.1
 traceroute to  10.0.1.1(10.0.1.1), max hops: 30 ,packet length: 40,press CTRL_C to break 
 1 12.1.1.2 30 ms  10 ms  10 ms 
 2 24.1.1.4 20 ms  20 ms  20 ms 
 3 47.1.1.7 30 ms  40 ms  10 ms 

3.4 团体属性的应用，在R8上新增了几个网段10.0.3.0/24 10.0.4.0/24,要求新增的10.0.3.0/24 不被AS 100 200 300 访问，在R8上配置。

增加两个Loopback接口，并在bgp500 network
LoopBack1                         10.0.3.1/24          up         up(s)     
LoopBack2                         10.0.4.1/24          up         up(s)    

bgp 500
  network 10.0.3.0 255.255.255.0 
  network 10.0.4.0 255.255.255.0
#查看R1上的路由
 *>   10.0.0.0/24        0.0.0.0         0                     0      i
 *>i  10.0.1.0/24        2.2.2.2                    100        0      200 400i
 * i                     3.3.3.3                    100        0      200 400i
 *>i  10.0.2.0/24        3.3.3.3                    100        0      200 400 500i
 * i                     2.2.2.2                    50         0      200 400 500i
 *>i  10.0.3.0/24        2.2.2.2                    100        0      200 400 500i
 * i                     3.3.3.3                    100        0      200 400 500i
 *>i  10.0.4.0/24        2.2.2.2                    100        0      200 400 500i
 * i                     3.3.3.3                    100        0      200 400 500i

在R8上为10.0.3.0 配置团体属性community no-advertise,并应用在68.1.1.6的出方向。记得peer 68.1.1.6 advertise-community，不然不生效。配置完只有R6上能收到10.0.3.0 其它路由器都收不到。

#
route-policy COMM permit node 10 
 if-match ip-prefix 10 
 apply community no-advertise 
#
route-policy COMM permit node 20 
#
ip ip-prefix 10 index 10 permit 10.0.3.0 24
bgp 500 
  peer 68.1.1.6 route-policy COMM export
  peer 68.1.1.6 advertise-community

3.5 as-path,在R5上过滤来自AS100与AS 400的路由，在R5上操作。

#
bgp 300
peer 45.1.1.4 as-path-filter 10 import 
#
ip as-path-filter 10 deny _100|400$
ip as-path-filter 10 permit .*

#查看R5的路由表成功过滤掉100 及400结尾的路由
 *>   10.0.2.0/24        45.1.1.4                              0      200 400 500i
 *>   10.0.4.0/24        45.1.1.4                              0      200 400 500i

3.6为R5下发默认路由，在R4上操作。peer xxxx default-route-advertise命令用来设置给对等体（组）发布缺省路由

peer 45.1.1.5 default-route-advertise
查看R5路由表，多出默认路由

 *>   0.0.0.0            45.1.1.4        0                     0      200i
 *>   10.0.2.0/24        45.1.1.4                              0      200 400 500i
 *>   10.0.4.0/24        45.1.1.4                              0      200 400 500i

3.7负载分担,在R1上启用负载分担。

#启用前查看10.0.4.1路由表
 [R1-bgp]dis ip routing-table 10.0.4.1     
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : Public
Summary Count : 1
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

       10.0.4.0/24  IBGP    255  0          RD   2.2.2.2         GigabitEthernet0/0/0
#启用
bgp 100
maximum load-balancing ibgp 2
#启用后路由表
10.0.4.0/24  IBGP    255  0          RD   2.2.2.2         GigabitEthernet0/0/0
                    IBGP    255  0          RD   3.3.3.3         GigabitEthernet0/0/1

3.8 认证，为as100 增加MD5 认证。

R1,R2 ,R3 ,相互间都要配置，以下是R1的配置
peer 3.3.3.3 password cipher huawei
peer 2.2.2.2 password cipher huawei

3.9 GTMS,在R6与R8上启用GTMS(防止非法BGP连接攻击)

#需要两边同时配置不然会报HOLD timer expired
Apr 13 2018 23:08:40-08:00 R6 %%01BGP/3/STATE_CHG_UPDOWN(l)[0]:The status of the peer 68.1.1.8 changed from ESTABLISHED to IDLE. (InstanceName=Public, StateChangeReason=Hold Timer Expired)
#R6
bgp 400
peer 68.1.1.8 valid-ttl-hops 1 
#R8
bgp 500 
peer 68.1.1.6 valid-ttl-hops 1