Layer-2 plus Layer-3 4G Bypass Cluster Traffic Diversion: Lab Summary

Contents
  Lab topology
  Design idea
  Configuration steps
    - Management and cluster configuration
    - L3 and L2 diversion configuration in the protection system web UI
    - IBGP configuration on the protection system
    - Port-channel configuration on the core
    - Testing IBGP neighbor establishment
    - Testing manual protection and traffic diversion

Requirements:
Build a 4G bypass environment in which L2 and L3 diversion run at the same time. Concretely: when host 192.168.4.64, which is directly attached to the core, or host 192.168.24.36, which sits behind a downstream L3 switch, is attacked, the attack traffic must be diverted to the scrubber, filtered there, and then reinjected into the network.

Lab topology
(diagram not included in this extract)

Design idea:
Because the bypass must divert at L2 and at L3 at the same time, two 2000+ units each form a port-channel with the core switch. The port-channels on the core must be configured in L2 mode as trunks: the same link then carries both the L3 BGP exchange between the 2000+ and the core (over the interconnect VLAN) and the transparent L2 forwarding used to reinject traffic to the directly attached host.

Configuration steps

- Management and cluster configuration
1. Plan and configure the system ID of each 2000+ so the units can be clustered.
2. Configure the management address of each 2000+ so the units can be managed over the network.
3. Connect the heartbeat cable between the two 2000+, open the 2000+ web management UI, set the synchronization peer device and address, and enable synchronization.
4. With synchronization configured, run a synchronization test to confirm that the two units are in sync.

- L3 and L2 diversion configuration in the protection system web UI
1. In the web UI, configure L3 diversion: only the L3 interconnect address and the next-hop route are needed. Both 2000+ are configured the same way (screenshot not included).
2. In the web UI, configure L2 diversion: add the hosts directly attached to the core that need diversion, and fill in the VLAN ID to forward into and the gateway MAC. Note that this works together with the no ip proxy-arp on the core's interconnect VLAN interfaces below. Both 2000+ are configured the same way (screenshot not included).

- IBGP configuration on the protection system
1. IBGP configuration on 192.168.104.1:

    router bgp 7675                                          / enable BGP and set the AS number
     bgp router-id 192.168.104.1                             / BGP router ID
     bgp scan-time 5                                         / scan interval 5 seconds (0-60); controls convergence speed
     neighbor 192.168.107.253 remote-as 7675                 / neighbor and its AS number (same AS, so IBGP)
     neighbor 192.168.107.253 soft-reconfiguration inbound   / keep received routes so inbound policy can be re-applied with a soft reset
     neighbor 192.168.107.253 route-map jdfw-out out         / apply route-map jdfw-out to routes sent to this neighbor
    route-map jdfw-out permit 10                             / jdfw-out permit clause
     set community no-export no-advertise                    / tag the diverted /32s so the core neither re-advertises them to other BGP peers nor lets them leave the AS

2. IBGP configuration on 192.168.104.2:

    router bgp 7675                                          / enable BGP and set the AS number
     bgp router-id 192.168.104.2                             / BGP router ID
     bgp scan-time 5                                         / scan interval 5 seconds (0-60)
     neighbor 192.168.108.253 remote-as 7675                 / neighbor and its AS number
     neighbor 192.168.108.253 soft-reconfiguration inbound   / keep received routes for soft reset
     neighbor 192.168.108.253 route-map jdfw-out out         / apply route-map jdfw-out outbound
    route-map jdfw-out permit 10                             / jdfw-out permit clause
     set community no-export no-advertise                    / same community pair as on the first unit

- Port-channel configuration on the core
1. Add ports G5/21 and G5/22 to port-channel 17:

    C4506(config)#interface range gigabitEthernet 5/21 -22
    C4506(config-if-range)#channel-group 17 mode on

2. Add ports G5/23 and G5/24 to port-channel 18:

    C4506(config)#interface range gigabitEthernet 5/23 -24
    C4506(config-if-range)#channel-group 18 mode on

channel-group mode on bundles the ports statically, without LACP or PAgP, so the 2000+ side must be bundled to match; nothing negotiates or detects a mismatch.

- Make the port-channels on the core trunks with the interconnect VLAN as native VLAN
This is mainly preparation for the BGP exchange that follows: simply allowing all VLANs on the trunk (switchport trunk allowed vlan all) did not let the BGP neighbor come up. Each port-channel's native VLAN is set to its interconnect VLAN (107 for the first 2000+, 108 for the second), so the untagged interconnect traffic from the 2000+ lands in that VLAN.

    C4506(config)#interface port-channel 17
    C4506(config-if)#switchport
    C4506(config-if)#switchport trunk native vlan 107    / note: with L2 diversion the trunk must carry the interconnect as the native VLAN, otherwise the BGP neighbor may never establish
    C4506(config-if)#switchport mode trunk
    C4506(config)#interface port-channel 18
    C4506(config-if)#switchport
    C4506(config-if)#switchport trunk native vlan 108
    C4506(config-if)#switchport mode trunk

- IBGP configuration on the core

    interface Vlan107
     ip address 192.168.107.253 255.255.255.0
     no ip proxy-arp                                         / disable proxy ARP on the interconnect SVI
     ip policy route-map from-jdfw                           / policy-route traffic entering on Vlan107 with from-jdfw
    !
    interface Vlan108
     ip address 192.168.108.253 255.255.255.0
     no ip proxy-arp
     ip policy route-map from-jdfw
    !
    router bgp 7675
     no synchronization                                      / do not wait for the IGP before using a BGP route
     bgp router-id 192.168.100.83
     bgp log-neighbor-changes                                / log neighbor state changes
     bgp scan-time 5
     neighbor 192.168.107.254 remote-as 7675
     neighbor 192.168.107.254 soft-reconfiguration inbound
     neighbor 192.168.107.254 distribute-list router_to_jdfw out   / filter routes advertised to the 2000+ with ACL router_to_jdfw
     neighbor 192.168.107.254 route-map jdfw_in in                 / apply route-map jdfw_in to routes received from the 2000+
     neighbor 192.168.108.254 remote-as 7675
     neighbor 192.168.108.254 soft-reconfiguration inbound
     neighbor 192.168.108.254 distribute-list router_to_jdfw out
     neighbor 192.168.108.254 route-map jdfw_in in
     maximum-paths ibgp 2                                    / install up to two IBGP paths per prefix (load sharing across both 2000+)
     no auto-summary
    !
    ip access-list standard router_to_jdfw
     deny any                                                / the core advertises nothing to the 2000+
    !
    ip access-list extended net24
     permit ip any 192.168.24.0 0.0.0.255                    / traffic destined to the downstream 192.168.24.0/24
    !
    route-map from-jdfw permit 10                            / from-jdfw permit clause
     match ip address net24                                  / match traffic selected by ACL net24
     set ip next-hop 1.1.1.2                                 / force the next hop to 1.1.1.2 (the downstream L3 switch)
    !
    ip bgp-community new-format                              / display communities in the new AA:NN format
    ip community-list expanded jdfw1000 permit no-export no-advertise   / community list jdfw1000: the no-export plus no-advertise pair set by the 2000+
    !
    route-map jdfw_in permit 10
     match community jdfw1000 exact-match                    / accept only routes whose community set exactly matches jdfw1000

- Route policy on the core to prevent an L3 diversion loop
Once a 2000+ announces 192.168.24.36/32, the core's best route to that host points back at the 2000+. Clean traffic that the 2000+ reinjects toward 192.168.24.36 enters the core on Vlan107 or Vlan108, would match that same /32, and would be sent straight back to the scrubber. The policy routing from-jdfw on the two interconnect SVIs breaks this loop: traffic to 192.168.24.0/24 arriving from a 2000+ is forced to next hop 1.1.1.2, the downstream L3 switch (the same next hop as the static route for 192.168.24.0/24), regardless of the BGP /32. On the BGP side, the inbound route-map jdfw_in accepts only routes carrying exactly the no-export plus no-advertise pair that jdfw-out sets, and the outbound distribute-list router_to_jdfw denies everything, so the core never advertises its own table to the scrubbers.

- Disable proxy ARP on the core's L2 VLAN interfaces
For example no ip proxy-arp under int vlan 18; on the interconnect SVIs Vlan107 and Vlan108 it is the no ip proxy-arp shown in the block above.
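To make the interaction between jdfw_in, maximum-paths ibgp 2 and from-jdfw concrete, here is an added Python model of the core's behaviour. It is illustration written for this summary, not code from the C4506 or the 2000+; the addresses, policy names and community values come from the configuration above, while the class and function names and the traffic samples in demo() are my own constructions. It shows upstream traffic to 192.168.24.36 moving from the static route to an ECMP pair pointing at both 2000+ once the /32 is announced, the loop that would form if a reinjected packet from Vlan107 were routed by the RIB alone, the PBR override to 1.1.1.2, and jdfw_in rejecting an announcement that does not carry exactly the no-export plus no-advertise pair. For 192.168.4.64 the /32 likewise beats the connected /24 for upstream traffic; its reinjection happens at L2 inside VLAN 4 and never reaches this lookup, which is consistent with from-jdfw only matching net24.

```python
import ipaddress
from dataclasses import dataclass

NO_EXPORT, NO_ADVERTISE = "no-export", "no-advertise"
JDFW1000 = frozenset({NO_EXPORT, NO_ADVERTISE})      # ip community-list jdfw1000
SCRUBBERS = ("192.168.107.254", "192.168.108.254")  # the two 2000+ interconnect addresses
NET24 = ipaddress.ip_network("192.168.24.0/24")      # ip access-list extended net24
PBR_SVIS = ("Vlan107", "Vlan108")                   # SVIs carrying "ip policy route-map from-jdfw"


@dataclass(frozen=True)
class Announcement:
    """One prefix received from a 2000+ over IBGP (hypothetical model type)."""
    prefix: str
    next_hop: str
    communities: frozenset


def jdfw_in_accepts(ann):
    """route-map jdfw_in permit 10 / match community jdfw1000 exact-match."""
    return ann.communities == JDFW1000


def router_to_jdfw_permits(prefix):
    """distribute-list router_to_jdfw out, whose ACL is 'deny any'."""
    return False


class CoreRib:
    """Longest-prefix-match RIB with IBGP multipath (maximum-paths ibgp 2)."""

    def __init__(self, max_paths=2):
        self.max_paths = max_paths
        self.routes = {}  # ip_network -> list of next hops

    def add(self, prefix, next_hop):
        self.routes.setdefault(ipaddress.ip_network(prefix), []).append(next_hop)

    def import_bgp(self, ann):
        """Apply the inbound policy, then install up to max_paths next hops."""
        if not jdfw_in_accepts(ann):
            return False
        hops = self.routes.setdefault(ipaddress.ip_network(ann.prefix), [])
        if ann.next_hop not in hops and len(hops) < self.max_paths:
            hops.append(ann.next_hop)
        return True

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        best = max((n for n in self.routes if addr in n), key=lambda n: n.prefixlen, default=None)
        return sorted(self.routes[best]) if best is not None else []


def forward(rib, dst, ingress):
    """Next hop(s) the core uses: PBR on the scrubber-facing SVIs wins over the RIB."""
    if ingress in PBR_SVIS and ipaddress.ip_address(dst) in NET24:
        return ["1.1.1.2"]  # route-map from-jdfw: set ip next-hop 1.1.1.2
    return rib.lookup(dst)


def build_core():
    """Static and connected routes as listed in the core's 'sh ip route'."""
    rib = CoreRib()
    rib.add("0.0.0.0/0", "192.168.5.2")
    rib.add("192.168.24.0/24", "1.1.1.2")
    for prefix, iface in (("192.168.4.0/24", "Vlan4"), ("192.168.107.0/24", "Vlan107"),
                          ("192.168.108.0/24", "Vlan108"), ("1.1.1.0/24", "GigabitEthernet5/18")):
        rib.add(prefix, "connected:" + iface)
    return rib


def divert(rib, host):
    """Both 2000+ announce host/32 tagged no-export no-advertise, as jdfw-out does."""
    return [rib.import_bgp(Announcement(host + "/32", nh, JDFW1000)) for nh in SCRUBBERS]


def demo():
    rib = build_core()
    before = forward(rib, "192.168.24.36", "Vlan5")  # upstream traffic, no diversion yet
    divert(rib, "192.168.24.36")
    divert(rib, "192.168.4.64")
    return {
        "before": before,
        "attack_l3_host": forward(rib, "192.168.24.36", "Vlan5"),  # ECMP to both 2000+
        "attack_l2_host": forward(rib, "192.168.4.64", "Vlan5"),   # /32 beats connected /24
        "reinjected_with_pbr": forward(rib, "192.168.24.36", "Vlan107"),
        "reinjected_without_pbr": rib.lookup("192.168.24.36"),     # would loop back to a 2000+
        "rogue_accepted": rib.import_bgp(
            Announcement("192.168.24.0/24", SCRUBBERS[0], frozenset({NO_EXPORT}))),
        "core_exports_anything": any(router_to_jdfw_permits(str(n)) for n in rib.routes),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The rogue case matters in practice: exact-match on jdfw1000 means a /24 covering the whole downstream subnet, or a route tagged with only one of the two communities, is dropped by the core rather than pulling all of 192.168.24.0/24 into the scrubbers.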
- Testing IBGP neighbor establishment
1. Check the BGP neighbor on 192.168.104.1:

    zxprotector-bgp# sh ip bgp neighbors
    BGP neighbor is 192.168.107.253, remote AS 7675, local AS 7675, internal link
      BGP version 4, remote router ID 192.168.100.83
      BGP state = Established, up for 23:29:52
      Last read 00:00:12, hold time is 180, keepalive interval is 60 seconds
      Neighbor capabilities:
        4 Byte AS: advertised
        Route refresh: advertised and received(old & new)
        Address family IPv4 Unicast: advertised and received
      Message statistics:
        Inq depth is 0
        Outq depth is 0
                             Sent       Rcvd
        Opens:                  1          0
        Notifications:          0          0
        Updates:                4          1
        Keepalives:          1411       1400
        Route Refresh:          0          0
        Capability:             0          0
        Total:               1416       1401

2. Check the BGP neighbor on 192.168.104.2:

    zxprotector-bgp# sh ip bgp neighbors
    BGP neighbor is 192.168.108.253, remote AS 7675, local AS 7675, internal link
      BGP version 4, remote router ID 192.168.100.83
      BGP state = Established, up for 23:39:12
      Last read 00:00:25, hold time is 180, keepalive interval is 60 seconds
      Neighbor capabilities:
        4 Byte AS: advertised
        Route refresh: advertised and received(old & new)
        Address family IPv4 Unicast: advertised and received
      Message statistics:
        Inq depth is 0
        Outq depth is 0
                             Sent       Rcvd
        Opens:                 13          9
        Notifications:          3          4
        Updates:               10          1
        Keepalives:          1464       1446
        Route Refresh:          0          0
        Capability:             0          0
        Total:               1490       1460
      Minimum time between advertisement runs is 5 seconds

Both sessions are Established with the core (remote router ID 192.168.100.83). Note the counters on the second session: 13 OPENs sent and 9 received, with 3 NOTIFICATIONs sent and 4 received, mean that session was torn down and re-established several times before reaching its current 23:39 uptime, whereas the first session came up once and stayed up. Check the core's bgp log-neighbor-changes log for the cause before treating the cluster as stable.

- Testing manual protection and traffic diversion
1. In the web UI, open the protected host that needs diversion, tick the protection option, then connect to the BGP configuration console on port 28065 and check whether the BGP table now carries the route to the protected host.

  * BGP table on 192.168.104.1:

    zxprotector-bgp# sh ip bgp
    BGP table version is 0, local router ID is 192.168.104.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale, R Removed
    Origin codes: i - IGP, e - EGP, ? - incomplete

       Network          Next Hop            Metric LocPrf Weight Path
    *  192.168.4.64/32  0.0.0.0                  0         32768 i
    *  192.168.24.36/32 0.0.0.0                  0         32768 i

    Total number of prefixes 2

  * BGP table on 192.168.104.2:

    zxprotector-bgp# sh ip bgp
    BGP table version is 0, local router ID is 192.168.104.2
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale, R Removed
    Origin codes: i - IGP, e - EGP, ? - incomplete

       Network          Next Hop            Metric LocPrf Weight Path
    *  192.168.4.64/32  0.0.0.0                  0         32768 i
    *  192.168.24.36/32 0.0.0.0                  0         32768 i

    Total number of prefixes 2

2. On the core switch, check whether BGP has learned the host routes and whether they are in the routing table:

    C4506#sh ip bgp
    BGP table version is 11, local router ID is 192.168.100.83
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete

       Network          Next Hop            Metric LocPrf Weight Path
    * i192.168.4.64/32  192.168.108.254          0    100      0 i
    * i                 192.168.107.254          0    100      0 i
    * i192.168.24.36/32 192.168.107.254          0    100      0 i
    * i                 192.168.108.254          0    100      0 i

    C4506#sh ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route

    Gateway of last resort is 192.168.5.2 to network 0.0.0.0

         1.0.0.0/24 is subnetted, 1 subnets
    C       1.1.1.0 is directly connected, GigabitEthernet5/18
    C    192.168.107.0/24 is directly connected, Vlan107
         192.168.24.0/24 is variably subnetted, 2 subnets, 2 masks
    B       192.168.24.36/32 [200/0] via 192.168.108.254, 23:33:22
                             [200/0] via 192.168.107.254, 23:33:22
    S       192.168.24.0/24 [1/0] via 1.1.1.2
    C    192.168.108.0/24 is directly connected, Vlan108
         192.168.4.0/24 is variably subnetted, 2 subnets, 2 masks
    B       192.168.4.64/32 [200/0] via 192.168.108.254, 19:46:24
                            [200/0] via 192.168.107.254, 19:46:24
    C       192.168.4.0/24 is directly connected, Vlan4
    C    192.168.20.0/24 is directly connected, Vlan20
    C    192.168.5.0/24 is directly connected, Vlan5
    C    192.168.6.0/24 is directly connected, Loopback0
    C    192.168.18.0/24 is directly connected, Vlan18
    S*   0.0.0.0/0 [1/0] via 192.168.5.2

The output shows that BGP has learned the two host routes to the target hosts, that each has two next hops, and that both next hops have been installed in the routing table (the B entries list 192.168.108.254 and 192.168.107.254). This is the BGP load sharing across the two 2000+ that maximum-paths ibgp 2 was configured for. Because a /32 is more specific than the connected 192.168.4.0/24 and the static 192.168.24.0/24, all traffic to the two protected hosts now goes to the scrubbers; only the from-jdfw policy routing on Vlan107/Vlan108 keeps reinjected traffic to 192.168.24.36 from following the same /32 back.

3. In the web management UI, confirm under attack that the manually diverted L2 and L3 host traffic is load-shared between the 192.168.104.1 and 192.168.104.2 protection systems. (Screenshots of the two protection systems not included in this extract.)
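The neighbor checks in the test section above are done by eye. The following added Python (written for this summary, not part of the 2000+ software) parses sh ip bgp neighbors text and returns the findings an operator should act on: wrong peer or AS, a state other than Established, a hold time that is not three times the keepalive, and, as in the second session above, NOTIFICATION and OPEN counters that show the session flapped before settling. The sample inputs are the two outputs from the neighbor test, re-flowed one field per line; the expected peer set and the thresholds are my assumptions for this lab.

```python
import re

# Constructed sample input: the two "sh ip bgp neighbors" outputs from the
# neighbor test, re-flowed one field per line so they can be embedded here.
NEIGHBOR_1 = """\
BGP neighbor is 192.168.107.253, remote AS 7675, local AS 7675, internal link
  BGP version 4, remote router ID 192.168.100.83
  BGP state = Established, up for 23:29:52
  Last read 00:00:12, hold time is 180, keepalive interval is 60 seconds
  Message statistics:
                         Sent       Rcvd
    Opens:                  1          0
    Notifications:          0          0
    Updates:                4          1
    Keepalives:          1411       1400
    Route Refresh:          0          0
    Capability:             0          0
    Total:               1416       1401
"""

NEIGHBOR_2 = """\
BGP neighbor is 192.168.108.253, remote AS 7675, local AS 7675, internal link
  BGP version 4, remote router ID 192.168.100.83
  BGP state = Established, up for 23:39:12
  Last read 00:00:25, hold time is 180, keepalive interval is 60 seconds
  Message statistics:
                         Sent       Rcvd
    Opens:                 13          9
    Notifications:          3          4
    Updates:               10          1
    Keepalives:          1464       1446
    Route Refresh:          0          0
    Capability:             0          0
    Total:               1490       1460
"""

EXPECTED_AS = 7675                                        # assumption: the lab's single AS
EXPECTED_PEERS = {"192.168.107.253", "192.168.108.253"}  # assumption: the core's interconnect SVIs


def parse_neighbor(text):
    """Pull the fields a health check needs out of Quagga-style neighbor output."""
    m = re.search(r"BGP neighbor is ([\d.]+), remote AS (\d+), local AS (\d+)", text)
    info = {"peer": m.group(1), "remote_as": int(m.group(2)), "local_as": int(m.group(3))}
    m = re.search(r"BGP state = (\w+)(?:, up for (\S+))?", text)
    info["state"], info["uptime"] = m.group(1), m.group(2)
    m = re.search(r"hold time is (\d+), keepalive interval is (\d+)", text)
    info["hold_time"], info["keepalive"] = int(m.group(1)), int(m.group(2))
    for key in ("Opens", "Notifications", "Updates", "Keepalives"):
        m = re.search(key + r":\s+(\d+)\s+(\d+)", text)
        info[key.lower()] = (int(m.group(1)), int(m.group(2)))  # (sent, received)
    return info


def assess(info):
    """Return the problems found; an empty list means the session looks healthy."""
    findings = []
    if info["peer"] not in EXPECTED_PEERS:
        findings.append("unexpected peer " + info["peer"])
    if info["remote_as"] != EXPECTED_AS or info["local_as"] != EXPECTED_AS:
        findings.append("not an IBGP session inside AS %d" % EXPECTED_AS)
    if info["state"] != "Established":
        findings.append("session is %s, not Established" % info["state"])
    sent, rcvd = info["notifications"]
    if sent or rcvd:
        # every NOTIFICATION ends a session, so the sum counts resets
        findings.append("session reset %d time(s): NOTIFICATION sent=%d received=%d"
                        % (sent + rcvd, sent, rcvd))
    opens = max(info["opens"])
    if opens > 1:
        findings.append("%d OPENs exchanged: session flapped before settling" % opens)
    if info["hold_time"] != 3 * info["keepalive"]:
        findings.append("hold time %d is not 3x keepalive %d"
                        % (info["hold_time"], info["keepalive"]))
    return findings


def check_all(outputs):
    """Map each peer address to its list of findings."""
    return {parse_neighbor(t)["peer"]: assess(parse_neighbor(t)) for t in outputs}


if __name__ == "__main__":
    for peer, findings in check_all([NEIGHBOR_1, NEIGHBOR_2]).items():
        print(peer, "OK" if not findings else "; ".join(findings))
```

Run against the two lab outputs, the first peer comes back clean and the second reports seven resets and thirteen OPENs, which is the point: "Established" alone is not a pass when the counters show the session has been bouncing.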