This page summarises how to use SOO (Site of Origin). In routing, advertising a route back to the peer that advertised it to you carries a latent risk of a routing loop; SOO detects that case by tagging routes with a dedicated community.
Overview
This page summarises how to use SOO (Site of Origin) with PE-CE BGP routing. In routing, "advertising a route back to the peer that taught it to you" carries a latent risk of a routing loop. SOO catches this by attaching a dedicated SoO extended community to routes. In the usual deployment the PE tags prefixes advertised from the CE with the SoO community and, when a route's SoO matches the value configured for a neighbor, withholds that prefix from that neighbor instead of handing it back.
Command list
The key commands for this scenario are as follows.
Router(config)# router bgp <local_as>
Router(config-router)# neighbor <addr> allowas-in
Router(config)# router bgp <local_as>
Router(config-router)# address-family ipv4 vrf <vrf>
Router(config-router-af)# neighbor <addr> soo <tag>
Topology
The behaviour is verified on an Internetwork Expert rack. Load the initial configuration for "Vol I MPLS", then configure R4, R5 and R6 as PE routers and BB3, SW1 and SW2 as CE routers. PE-CE routing uses BGP.
      AS 54                    AS 100                          AS 78
<--------------><------------------------------------><------------------>

                               VPN                     VPN
                              f0/0         VL58       Vlan58
                             +--------+.5          .8+--------+
                        ┌----+   R5   +--------------+  SW2   |
                        |    +--------+              +---+----+
                   f0/0 |      155.1.58.0/24             | f0/13  VPN
+--------+    .4+--------+    +------------+             |
|  BB3   +------+   R4   +----+ MPLS cloud |             | 155.1.78.0/24
+--------+      +--------+    +------------+             |
 .254                   |                                | f0/13  VPN
 204.12.X.0/24          |  f0/0.67  VL67    Vlan67       |
 VPN                    |  .6+--------+.6          .7+---+----+
                        └----+   R6   +--------------+  SW1   |
                             +--------+              +--------+
                                  155.1.67.0/24

Loopback0 addresses:
R4  150.1.4.4/32    R5  150.1.5.5/32    R6  150.1.6.6/32
SW1 150.1.7.7/24    SW2 150.1.8.8/24
[R4]
<omitted>
[R6]
router bgp 100
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 150.1.4.4 remote-as 100
neighbor 150.1.4.4 update-source Loopback0
!
address-family vpnv4
neighbor 150.1.4.4 activate
neighbor 150.1.4.4 send-community extended
exit-address-family
!
address-family ipv4 vrf VPN
neighbor 155.1.67.7 remote-as 78
neighbor 155.1.67.7 activate
no synchronization
exit-address-family
[SW1]
router bgp 78
no synchronization
bgp log-neighbor-changes
no auto-summary
!
address-family ipv4 vrf VPN
redistribute connected
neighbor 155.1.67.6 remote-as 100
neighbor 155.1.67.6 transport path-mtu-discovery
neighbor 155.1.67.6 activate
neighbor 155.1.67.6 allowas-in
neighbor 155.1.78.8 remote-as 78
neighbor 155.1.78.8 transport path-mtu-discovery
neighbor 155.1.78.8 activate
no synchronization
exit-address-family
[SW2]
<omitted>
[BB3]
<omitted>
The complete configurations are below; refer to them for the details.
R4
!
! Last configuration change at 03:28:05 UTC Tue Jan 8 2013
! NVRAM config last updated at 03:54:03 UTC Tue Jan 8 2013
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Rack1R4
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable password cisco
!
no aaa new-model
dot11 syslog
ip source-route
!
!
ip vrf VPN
rd 100:1
route-target export 100:1
route-target import 100:1
!
!
!
ip cef
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
!
!
!
interface Loopback0
ip address 150.1.4.4 255.255.255.255
!
interface FastEthernet0/0
ip vrf forwarding VPN
ip address 204.12.1.4 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 155.1.146.4 255.255.255.0
duplex auto
speed auto
mpls ip
!
interface Serial0/0/0
no ip address
encapsulation frame-relay
!
interface Serial0/0/0.1 point-to-point
ip address 155.1.0.4 255.255.255.0
ip ospf network broadcast
mpls ip
frame-relay interface-dlci 405
!
interface Serial0/1/0
ip address 155.1.45.4 255.255.255.0
mpls ip
clock rate 2000000
!
router ospf 1
router-id 150.1.4.4
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
router bgp 100
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 150.1.5.5 remote-as 100
neighbor 150.1.5.5 update-source Loopback0
neighbor 150.1.6.6 remote-as 100
neighbor 150.1.6.6 update-source Loopback0
!
address-family vpnv4
neighbor 150.1.5.5 activate
neighbor 150.1.5.5 send-community extended
neighbor 150.1.5.5 route-reflector-client
neighbor 150.1.6.6 activate
neighbor 150.1.6.6 send-community extended
neighbor 150.1.6.6 route-reflector-client
exit-address-family
!
address-family ipv4 vrf VPN
neighbor 204.12.1.254 remote-as 54
neighbor 204.12.1.254 activate
no synchronization
exit-address-family
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
mpls ldp router-id Loopback0 force
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous level 0 limit 20
line aux 0
exec-timeout 0 0
privilege level 15
line vty 0 4
password cisco
login
!
scheduler allocate 20000 1000
end
R5
!
! Last configuration change at 04:45:58 UTC Tue Jan 8 2013
! NVRAM config last updated at 04:46:01 UTC Tue Jan 8 2013
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Rack1R5
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable password cisco
!
no aaa new-model
dot11 syslog
ip source-route
!
!
ip vrf VPN
rd 100:1
route-target export 100:1
route-target import 100:1
!
!
!
ip cef
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
!
!
!
interface Loopback0
ip address 150.1.5.5 255.255.255.255
!
interface FastEthernet0/0
ip vrf forwarding VPN
ip address 155.1.58.5 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 155.1.5.5 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
ip address 155.1.0.5 255.255.255.0
encapsulation frame-relay
ip ospf network broadcast
mpls ip
frame-relay map ip 155.1.0.1 501 broadcast
frame-relay map ip 155.1.0.2 502 broadcast
frame-relay map ip 155.1.0.3 503 broadcast
frame-relay map ip 155.1.0.4 504 broadcast
!
interface Serial0/1/0
ip address 155.1.45.5 255.255.255.0
mpls ip
!
router ospf 1
router-id 150.1.5.5
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
router bgp 100
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 150.1.4.4 remote-as 100
neighbor 150.1.4.4 update-source Loopback0
!
address-family vpnv4
neighbor 150.1.4.4 activate
neighbor 150.1.4.4 send-community extended
exit-address-family
!
address-family ipv4 vrf VPN
neighbor 155.1.58.8 remote-as 78
neighbor 155.1.58.8 activate
no synchronization
exit-address-family
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
mpls ldp router-id Loopback0 force
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous level 0 limit 20
line aux 0
exec-timeout 0 0
privilege level 15
line vty 0 4
password cisco
login
!
scheduler allocate 20000 1000
end
R6
!
! Last configuration change at 04:46:49 UTC Tue Jan 8 2013
! NVRAM config last updated at 04:46:51 UTC Tue Jan 8 2013
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Rack1R6
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable password cisco
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
ip vrf VPN
rd 100:1
route-target export 100:1
route-target import 100:1
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
!
!
!
interface Loopback0
ip address 150.1.6.6 255.255.255.255
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.67
encapsulation dot1Q 67
ip vrf forwarding VPN
ip address 155.1.67.6 255.255.255.0
!
interface FastEthernet0/0.146
encapsulation dot1Q 146
ip address 155.1.146.6 255.255.255.0
mpls ip
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
ip address 54.1.1.6 255.255.255.0
encapsulation frame-relay
frame-relay map ip 54.1.1.254 101 broadcast
no frame-relay inverse-arp
!
router ospf 1
router-id 150.1.6.6
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
router bgp 100
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 150.1.4.4 remote-as 100
neighbor 150.1.4.4 update-source Loopback0
!
address-family vpnv4
neighbor 150.1.4.4 activate
neighbor 150.1.4.4 send-community extended
exit-address-family
!
address-family ipv4 vrf VPN
neighbor 155.1.67.7 remote-as 78
neighbor 155.1.67.7 activate
no synchronization
exit-address-family
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
mpls ldp router-id Loopback0 force
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous level 0 limit 20
line aux 0
exec-timeout 0 0
privilege level 15
line vty 0 4
password cisco
login
!
scheduler allocate 20000 1000
end
SW1
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Rack1SW1
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
system mtu routing 1500
vtp mode transparent
ip subnet-zero
ip routing
no ip domain-lookup
!
!
ip vrf VPN
rd 100:1
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 7-10,22,43,58,67,79,146
!
!
!
!
interface Loopback0
ip vrf forwarding VPN
ip address 150.1.7.7 255.255.255.0
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
no switchport
ip address 155.1.37.7 255.255.255.0
!
interface FastEthernet0/4
!
interface FastEthernet0/5
switchport access vlan 58
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
no switchport
ip vrf forwarding VPN
ip address 155.1.78.7 255.255.255.0
!
interface FastEthernet0/14
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/15
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/16
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/17
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/18
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/19
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/20
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/21
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
shutdown
!
interface Vlan7
ip address 155.1.7.7 255.255.255.0
!
interface Vlan67
ip vrf forwarding VPN
ip address 155.1.67.7 255.255.255.0
!
interface Vlan79
ip address 155.1.79.7 255.255.255.0
!
router bgp 78
no synchronization
bgp log-neighbor-changes
no auto-summary
!
address-family ipv4 vrf VPN
redistribute connected
neighbor 155.1.67.6 remote-as 100
neighbor 155.1.67.6 transport path-mtu-discovery
neighbor 155.1.67.6 activate
neighbor 155.1.67.6 allowas-in
neighbor 155.1.78.8 remote-as 78
neighbor 155.1.78.8 transport path-mtu-discovery
neighbor 155.1.78.8 activate
no synchronization
exit-address-family
!
ip classless
ip http server
ip http secure-server
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous level 0 limit 20
line vty 0 4
password cisco
login
line vty 5 15
password cisco
login
!
end
SW2
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Rack1SW2
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
system mtu routing 1500
vtp mode transparent
ip subnet-zero
ip routing
no ip domain-lookup
!
!
ip vrf VPN
rd 100:1
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 7-10,22,43,58,67,79,146
!
!
!
!
interface Loopback0
ip vrf forwarding VPN
ip address 150.1.8.8 255.255.255.0
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
no switchport
ip vrf forwarding VPN
ip address 155.1.78.8 255.255.255.0
!
interface FastEthernet0/14
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/15
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/16
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/17
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/18
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/19
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/20
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/21
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
shutdown
!
interface Vlan8
ip address 155.1.8.8 255.255.255.0
!
interface Vlan58
ip vrf forwarding VPN
ip address 155.1.58.8 255.255.255.0
!
router bgp 78
no synchronization
bgp log-neighbor-changes
no auto-summary
!
address-family ipv4 vrf VPN
redistribute connected
neighbor 155.1.58.5 remote-as 100
neighbor 155.1.58.5 transport path-mtu-discovery
neighbor 155.1.58.5 activate
neighbor 155.1.58.5 allowas-in
neighbor 155.1.78.7 remote-as 78
neighbor 155.1.78.7 transport path-mtu-discovery
neighbor 155.1.78.7 activate
no synchronization
exit-address-family
!
ip classless
ip http server
ip http secure-server
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous level 0 limit 20
line vty 0 4
password cisco
login
line vty 5 15
password cisco
login
!
end
Feature description
SOO
The following command attaches the SoO extended community to prefixes received from the specified neighbor:
Router(config)# router bgp <local_as>
Router(config-router)# address-family ipv4 vrf <vrf>
Router(config-router-af)# neighbor <addr> soo <tag>
allowas-in
Default behaviour
allowas-in is sometimes used to keep a customer AS reachable when a link inside it fails. Shut down the Fa0/13 link between SW1 and SW2 as below: AS 78 is now split, and the only remaining path between the two switches runs through AS 100. By default a BGP speaker discards any update whose AS_PATH already contains its own AS number, so SW1 rejects SW2's prefixes arriving from R6 with AS_PATH 100 78, and reachability within AS 78 is lost.
[SW1]
interface FastEthernet0/13
shutdown
Confirm that SW1 and SW2 can no longer reach each other.
[SW1]
Rack1SW1#ping vrf VPN 150.1.8.8 source Loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.8.8, timeout is 2 seconds:
Packet sent with a source address of 150.1.7.7
...
Success rate is 0 percent (0/3)
Rack1SW1#
Configuration
Configure allowas-in on SW1 and SW2.
[SW1]
router bgp 78
address-family ipv4 vrf VPN
neighbor 155.1.67.6 allowas-in
[SW2]
router bgp 78
address-family ipv4 vrf VPN
neighbor 155.1.58.5 allowas-in
Reachability check
Confirm that reachability is restored. In SW1's BGP table, SW2's prefixes 150.1.8.0/24 and 155.1.58.0/24 now appear via 155.1.67.6 with AS_PATH 100 78; the 78 in that path is exactly what the default loop check would have rejected.
[SW1]
Rack1SW1#ping vrf VPN 150.1.8.8 source Loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.8.8, timeout is 2 seconds:
Packet sent with a source address of 150.1.7.7
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 33/33/34 ms
Rack1SW1#
Rack1SW1#show ip bgp vpnv4 vrf VPN
BGP table version is 19, local router ID is 155.1.79.7
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:1 (default for vrf VPN)
*> 28.119.16.0/24   155.1.67.6                             0 100 54 i
*> 28.119.17.0/24   155.1.67.6                             0 100 54 i
*> 112.0.0.0        155.1.67.6                             0 100 54 50 60 i
*> 113.0.0.0        155.1.67.6                             0 100 54 50 60 i
*> 114.0.0.0        155.1.67.6                             0 100 54 i
*> 115.0.0.0        155.1.67.6                             0 100 54 i
*> 116.0.0.0        155.1.67.6                             0 100 54 i
*> 117.0.0.0        155.1.67.6                             0 100 54 i
*> 118.0.0.0        155.1.67.6                             0 100 54 i
*> 119.0.0.0        155.1.67.6                             0 100 54 i
*> 150.1.7.0/24     0.0.0.0                  0         32768 ?
*> 150.1.8.0/24     155.1.67.6                             0 100 78 ?
*> 155.1.58.0/24    155.1.67.6                             0 100 78 ?
*> 155.1.67.0/24    0.0.0.0                  0         32768 ?
Rack1SW1#
SOO
Configuration
allowas-in is convenient, but it switches off the AS_PATH check that normally stops a CE from accepting routes that already carry its own AS, so a prefix originated at one site of AS 78 can be learned back over the provider network and re-advertised: a potential routing loop. Site of Origin lets the provider deliberately refuse to advertise a route back to the site it was learned from. Configure the following so that prefixes received from AS 78 are tagged with SoO 78:1. The PE attaches the SoO extended community to every route learned from that neighbor, and withholds from that neighbor any route whose SoO extended community matches the configured value. The tag travels with the VPNv4 route across the iBGP sessions, which is why the PEs have `send-community extended` configured.
[R5]
router bgp 100
address-family ipv4 vrf VPN
neighbor 155.1.58.8 soo 78:1
[R6]
router bgp 100
address-family ipv4 vrf VPN
neighbor 155.1.67.7 soo 78:1
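As an added example that is not part of the original page or Cisco's code, the following Python model reproduces the three outcomes this lab walks through for 150.1.8.0/24 on SW1 (rejected by the default AS_PATH check, accepted with allowas-in, withheld by R6 once SoO 78:1 is configured) and goes one step further with distinct SoO values per site. Router names, AS numbers, addresses and the SoO value are the lab's; the `Route`/`Neighbor` classes, the function names and the single-hop treatment of the VPNv4 core are this example's own assumptions, not IOS internals.

```python
"""Model of the two BGP loop-prevention decisions exercised on this page:
the CE's AS_PATH check (relaxed by allowas-in) and the PE's Site-of-Origin
filter.  Example code, not from the original page or from Cisco."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Route:
    prefix: str
    as_path: list                       # leftmost = most recently prepended AS
    ext_communities: set = field(default_factory=set)


@dataclass
class Neighbor:
    address: str
    remote_as: int
    soo: Optional[str] = None           # `neighbor <addr> soo <tag>` on a PE
    allowas_in: int = 0                 # 0 = default (own AS in AS_PATH rejects);
                                        # IOS `allowas-in` with no number means 3


def pe_receive_from_ce(route: Route, nbr: Neighbor) -> Route:
    """PE inbound: attach the neighbor's SoO as an extended community.

    This is the effect of `neighbor 155.1.58.8 soo 78:1` on R5 and
    `neighbor 155.1.67.7 soo 78:1` on R6, visible on R6 as
    `Extended Community: SoO:78:1 RT:100:1`.
    """
    comms = set(route.ext_communities)
    if nbr.soo is not None:
        comms.add(f"SoO:{nbr.soo}")
    return Route(route.prefix, list(route.as_path), comms)


def pe_advertise_to_ce(route: Route, local_as: int, nbr: Neighbor) -> Optional[Route]:
    """PE outbound: withhold the route when its SoO equals the neighbor's SoO,
    otherwise prepend the provider AS (eBGP) and send it.

    None means 'not advertised', which is why SW1 ends up with
    `% Network not in table` once both PEs tag with 78:1.
    """
    if nbr.soo is not None and f"SoO:{nbr.soo}" in route.ext_communities:
        return None
    return Route(route.prefix, [local_as] + list(route.as_path), set(route.ext_communities))


def ce_accept(route: Route, local_as: int, nbr: Neighbor) -> bool:
    """CE inbound: the AS_PATH loop check, relaxed by allowas-in.

    By default a single occurrence of the local AS rejects the update;
    `allowas-in N` tolerates up to N occurrences.
    """
    return route.as_path.count(local_as) <= nbr.allowas_in


def sw1_learns(r5_soo: Optional[str], r6_soo: Optional[str],
               sw1_allowas_in: int) -> Optional[Route]:
    """Walk 150.1.8.0/24 from SW2 through R5, the VPNv4 core and R6 to SW1.

    Returns the route as SW1 would install it, or None if it never arrives.
    The iBGP VPNv4 hop R5 -> R4 (RR) -> R6 is modelled as a no-op (assumption):
    iBGP does not prepend, and `send-community extended` carries the SoO unchanged.
    """
    as_sp, as_cust = 100, 78
    # As SW2 sends it over eBGP to R5: SW2 has already prepended its own AS 78.
    from_sw2 = Route("150.1.8.0/24", [as_cust])

    r5_to_sw2 = Neighbor("155.1.58.8", as_cust, soo=r5_soo)
    r6_to_sw1 = Neighbor("155.1.67.7", as_cust, soo=r6_soo)
    sw1_to_r6 = Neighbor("155.1.67.6", as_sp, allowas_in=sw1_allowas_in)

    in_vrf = pe_receive_from_ce(from_sw2, r5_to_sw2)        # R5 tags SoO
    offered = pe_advertise_to_ce(in_vrf, as_sp, r6_to_sw1)  # R6 filters or prepends 100
    if offered is None or not ce_accept(offered, as_cust, sw1_to_r6):
        return None
    return offered


if __name__ == "__main__":
    cases = [
        ("default (no allowas-in, no SoO)", None, None, 0),
        ("allowas-in on SW1, no SoO", None, None, 3),
        ("allowas-in + SoO 78:1 on both PEs", "78:1", "78:1", 3),
        ("allowas-in + distinct SoO per site", "78:2", "78:1", 3),
    ]
    for label, r5, r6, allow in cases:
        got = sw1_learns(r5, r6, allow)
        path = " ".join(map(str, got.as_path)) if got else "(not in table)"
        print(f"{label:40s} -> {path}")
```

The first three cases are the page's own sequence; the fourth shows that the suppression is keyed purely on the SoO value, so giving each switch its own value (78:1 and 78:2) lets routes flow between them over the provider network again, at the cost of no longer treating AS 78 as one site.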
Verification
Use the following show command to confirm that the SoO tag has been attached:
[R6]
Rack1R6#show bgp vpnv4 unicast vrf VPN 150.1.7.0
BGP routing table entry for 100:1:150.1.7.0/24, version 172
Paths: (1 available, best #1, table VPN)
Flag: 0x820
  Advertised to update-groups:
     1
  78
    155.1.67.7 from 155.1.67.7 (155.1.79.7)
      Origin incomplete, metric 0, localpref 100, valid, external, best
      Extended Community: SoO:78:1 RT:100:1
      mpls labels in/out 23/nolabel
Rack1R6#
Confirm that SW1 and SW2 can no longer reach each other (the Fa0/13 backdoor link is still shut down from the earlier step). 150.1.8.0/24 has disappeared from SW1's BGP table: R6 withheld it because the route's SoO 78:1 matches the SoO configured on neighbor 155.1.67.7. Because R5 and R6 tag with the same value, the two switches are treated as one site and the provider path between them is suppressed even while the backdoor is down; that is the intended result when the backdoor is the only legitimate intra-site path, but it also removes the backup path that allowas-in provided. If the switches are meant to be separate sites that may reach each other across the provider network, they need distinct SoO values.
[SW1]
Rack1SW1#ping vrf VPN 150.1.8.8 source Loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.8.8, timeout is 2 seconds:
Packet sent with a source address of 150.1.7.7
...
Success rate is 0 percent (0/3)
Rack1SW1#show ip bgp vpnv4 vrf VPN 150.1.8.0
% Network not in table
Rack1SW1#