03二层加三层4G旁路集群牵引.docx
Layer 2 plus Layer 3 4G Bypass Cluster Traffic-Diversion Lab Summary
Contents
Lab topology diagram
Configuration approach
Configuration steps
- Management and cluster configuration
- Layer 3 and Layer 2 diversion configuration in the protection system web UI
- IBGP configuration on the protection system
- Aggregation group configuration on the core
- Testing IBGP neighbor establishment
- Testing manual protection and traffic diversion
Configuration requirements:
Build a 4G bypass (out-of-path) environment that performs Layer 2 and Layer 3 traffic diversion at the same time.
Specifically:
When host 192.168.4.64, directly connected to the core, or host 192.168.24.36, behind the downstream Layer 3 switch, is attacked, the attack traffic must be diverted to the scrubber for filtering and then re-injected into the network.
Lab topology diagram
Configuration approach:
Because the goal is a 4G bypass that performs Layer 2 and Layer 3 diversion at the same time, two 2000+ units can each form a link aggregation group with the core switch. Note that the aggregation groups on the core must be configured in Layer 2 mode and as trunks; this makes both the Layer 3 BGP exchange and the Layer 2 pass-through between the 2000+ units and the core straightforward.
Configuration steps
- Management and cluster configuration
1. Plan and configure the system ID of each 2000+ to prepare for clustering;
2. Configure the management address of each 2000+ so the devices can be managed over the network;
3. Connect the heartbeat link between the two 2000+ units, then in the 2000+ web management UI set the synchronization peer and address and enable synchronization;
4. Once synchronization is set up, run a sync test to confirm the devices are in sync.
- Layer 3 and Layer 2 diversion configuration in the protection system web UI
1. In the web UI, complete the Layer 3 diversion settings: only the Layer 3 interconnect address and the next-hop route are needed. Both 2000+ units are configured as follows;
2. In the web UI, complete the Layer 2 diversion settings: add the hosts directly connected to the core switch that need diversion, and fill in the VLAN to forward on and the gateway MAC (note that disabling proxy ARP on the interconnect VLAN interfaces, described below, works together with this setting). Both 2000+ units are configured as follows;
- IBGP configuration on the protection system
1. IBGP configuration on 192.168.104.1:
router bgp 7675                                          // enable BGP and set the AS number
 bgp router-id 192.168.104.1                             // set the BGP router ID
 bgp scan-time 5                                         // BGP scan interval 5 seconds (range 0-60), controls convergence speed
 neighbor 192.168.107.253 remote-as 7675                 // define the neighbor and its AS number
 neighbor 192.168.107.253 soft-reconfiguration inbound   // allow inbound soft reconfiguration when the neighbor's policy changes
 neighbor 192.168.107.253 route-map jdfw-out out         // apply route-map jdfw-out to outbound advertisements
route-map jdfw-out permit 10                             // define the permit entry of jdfw-out
 set community no-export no-advertise                    // tag advertised routes so the peer neither re-advertises nor exports them
2. IBGP configuration on 192.168.104.2:
router bgp 7675                                          // enable BGP and set the AS number
 bgp router-id 192.168.104.2                             // set the BGP router ID
 bgp scan-time 5                                         // BGP scan interval 5 seconds (range 0-60), controls convergence speed
 neighbor 192.168.108.253 remote-as 7675                 // define the neighbor and its AS number
 neighbor 192.168.108.253 soft-reconfiguration inbound   // allow inbound soft reconfiguration when the neighbor's policy changes
 neighbor 192.168.108.253 route-map jdfw-out out         // apply route-map jdfw-out to outbound advertisements
route-map jdfw-out permit 10                             // define the permit entry of jdfw-out
 set community no-export no-advertise                    // tag advertised routes so the peer neither re-advertises nor exports them
- Aggregation group configuration on the core
1. Add ports G5/21 and G5/22 to aggregation group port-channel 17
C4506(config)#interface range gigabitEthernet 5/21 - 22
C4506(config-if-range)#channel-group 17 mode on
2. Add ports G5/23 and G5/24 to aggregation group port-channel 18
C4506(config)#interface range gigabitEthernet 5/23 - 24
C4506(config-if-range)#channel-group 18 mode on
- Enable trunking on the core's aggregation groups and set the local VLAN that is carried on the trunk (mainly to prepare for the BGP exchange later; with allow vlan all alone, the BGP neighbor would not come up)
C4506(config)#interface port-channel 17
C4506(config-if)#switchport
C4506(config-if)#switchport trunk native vlan 107   // when doing Layer 2 diversion, the native VLAN must be used on the trunk so that the BGP neighbor can be established later; otherwise the neighbor may fail to come up.
C4506(config-if)#switchport mode trunk
C4506(config)#interface port-channel 18
C4506(config-if)#switchport
C4506(config-if)#switchport trunk native vlan 108
C4506(config-if)#switchport mode trunk
- IBGP configuration on the core
interface Vlan107
 ip address 192.168.107.253 255.255.255.0
 no ip proxy-arp                                    // disable proxy ARP (Layer 2 ARP relay)
 ip policy route-map from-jdfw                      // apply policy route-map from-jdfw on the VLAN 107 interface
!
interface Vlan108
 ip address 192.168.108.253 255.255.255.0
 no ip proxy-arp
 ip policy route-map from-jdfw
!
router bgp 7675
 no synchronization                                 // no IGP synchronization
 bgp router-id 192.168.100.83
 bgp log-neighbor-changes                           // log neighbor state changes
 bgp scan-time 5
 neighbor 192.168.107.254 remote-as 7675
 neighbor 192.168.107.254 soft-reconfiguration inbound
 neighbor 192.168.107.254 distribute-list router_to_jdfw out
                                                    // filter outbound advertisements with access list router_to_jdfw
 neighbor 192.168.107.254 route-map jdfw_in in      // apply route-map jdfw_in to inbound routes
 neighbor 192.168.108.254 remote-as 7675
 neighbor 192.168.108.254 soft-reconfiguration inbound
 neighbor 192.168.108.254 distribute-list router_to_jdfw out
 neighbor 192.168.108.254 route-map jdfw_in in
 maximum-paths ibgp 2
 no auto-summary
!
ip access-list standard router_to_jdfw
 deny any
!
ip access-list extended net24
 permit ip any 192.168.24.0 0.0.0.255
!
route-map from-jdfw permit 10                       // define from-jdfw as a permit entry
 match ip address net24                             // from-jdfw matches the addresses in access list net24
 set ip next-hop 1.1.1.2                            // force the next hop to 1.1.1.2
!
ip bgp-community new-format                         // display communities in the new (general) format
ip community-list expanded jdfw1000 permit no-export no-advertise   // community list jdfw1000: routes tagged not to be exported or advertised
!
route-map jdfw_in permit 10
 match community jdfw1000 exact-match               // accept only routes whose community set exactly matches list jdfw1000
- Route policy on the core to prevent forwarding loops in Layer 3 diversion;
- Disable proxy ARP on the Layer 2 VLANs on the core, e.g.:
no ip proxy-arp under interface vlan 18
- Testing IBGP neighbor establishment
1. Check the BGP neighbor state on 192.168.104.1:
zxprotector-bgp# sh ip bgp neighbors
BGP neighbor is 192.168.107.253, remote AS 7675, local AS 7675, internal link
  BGP version 4, remote router ID 192.168.100.83
  BGP state = Established, up for 23:29:52
  Last read 00:00:12, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    4 Byte AS: advertised
    Route refresh: advertised and received(old & new)
    Address family IPv4 Unicast: advertised and received
  Message statistics:
    Inq depth is 0
    Outq depth is 0
                         Sent       Rcvd
    Opens:                  1          0
    Notifications:          0          0
    Updates:                4          1
    Keepalives:          1411       1400
    Route Refresh:          0          0
    Capability:             0          0
    Total:               1416       1401
2. Check the BGP neighbor state on 192.168.104.2:
zxprotector-bgp# sh ip bgp neighbors
BGP neighbor is 192.168.108.253, remote AS 7675, local AS 7675, internal link
  BGP version 4, remote router ID 192.168.100.83
  BGP state = Established, up for 23:39:12
  Last read 00:00:25, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    4 Byte AS: advertised
    Route refresh: advertised and received(old & new)
    Address family IPv4 Unicast: advertised and received
  Message statistics:
    Inq depth is 0
    Outq depth is 0
                         Sent       Rcvd
    Opens:                 13          9
    Notifications:          3          4
    Updates:               10          1
    Keepalives:          1464       1446
    Route Refresh:          0          0
    Capability:             0          0
    Total:               1490       1460
  Minimum time between advertisement runs is 5 seconds
- Testing manual protection and traffic diversion
1. In the web UI, open the protected host that needs diversion and tick the protection option, then connect to the BGP configuration port 28065 and check whether the BGP table contains a route advertisement for the protected host.
* BGP table check on 192.168.104.1:
zxprotector-bgp# sh ip bgp
BGP table version is 0, local router ID is 192.168.104.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 192.168.4.64/32  0.0.0.0                  0         32768 i
*> 192.168.24.36/32 0.0.0.0                  0         32768 i

Total number of prefixes 2
* BGP table check on 192.168.104.2:
zxprotector-bgp# sh ip bgp
BGP table version is 0, local router ID is 192.168.104.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 192.168.4.64/32  0.0.0.0                  0         32768 i
*> 192.168.24.36/32 0.0.0.0                  0         32768 i

Total number of prefixes 2
2. On the core switch, check whether BGP has learned the corresponding host routes
* On the core switch, observe the BGP routes and the corresponding entries in the routing table
C4506#sh ip bgp
BGP table version is 11, local router ID is 192.168.100.83
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*i 192.168.4.64/32   192.168.108.254          0    100      0 i
*>i                  192.168.107.254          0    100      0 i
*>i192.168.24.36/32  192.168.107.254          0    100      0 i
*i                   192.168.108.254          0    100      0 i
C4506#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.5.2 to network 0.0.0.0

     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, GigabitEthernet5/18
C    192.168.107.0/24 is directly connected, Vlan107
     192.168.24.0/24 is variably subnetted, 2 subnets, 2 masks
B       192.168.24.36/32 [200/0] via 192.168.108.254, 23:33:22
                         [200/0] via 192.168.107.254, 23:33:22
S       192.168.24.0/24 [1/0] via 1.1.1.2
C    192.168.108.0/24 is directly connected, Vlan108
     192.168.4.0/24 is variably subnetted, 2 subnets, 2 masks
B       192.168.4.64/32 [200/0] via 192.168.108.254, 19:46:24
                        [200/0] via 192.168.107.254, 19:46:24
C       192.168.4.0/24 is directly connected, Vlan4
C    192.168.20.0/24 is directly connected, Vlan20
C    192.168.5.0/24 is directly connected, Vlan5
C    192.168.6.0/24 is directly connected, Loopback0
C    192.168.18.0/24 is directly connected, Vlan18
S*   0.0.0.0/0 [1/0] via 192.168.5.2
From the output above, BGP has learned the two host routes toward the target hosts, each with two next hops, and both next hops have been installed in the routing table; this gives BGP load sharing across the two protection systems.
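As an added example (not part of the original write-up), the following Python script parses a Cisco-style "show ip bgp" table like the core's output above and checks that every diverted prefix is a /32 host route learned from both scrubber next hops, which is the load-sharing condition just described. The scrubber addresses and the sample table come from this write-up; the function names are my own.

```python
"""Added example (not from the lab write-up): check a Cisco-style 'show ip bgp'
table so that every diverted prefix is a /32 host route learned via both
scrubbers, i.e. that iBGP load sharing (maximum-paths ibgp 2) is in effect."""
import re
from collections import defaultdict

# Constructed sample, modelled on the core switch output in the write-up.
SAMPLE = """\
BGP table version is 11, local router ID is 192.168.100.83
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*i 192.168.4.64/32   192.168.108.254          0    100      0 i
*>i                  192.168.107.254          0    100      0 i
*>i192.168.24.36/32  192.168.107.254          0    100      0 i
*i                   192.168.108.254          0    100      0 i
"""
SCRUBBERS = {"192.168.107.254", "192.168.108.254"}  # the two 2000+ units, iBGP peers on VLAN 107/108

# Status flags, optional prefix (absent on continuation rows), then next hop.
ROW = re.compile(r"^\*[> ]?i\s*(?P<prefix>\d+(?:\.\d+){3}/\d+)?\s+(?P<nh>\d+(?:\.\d+){3})")


def parse_bgp_table(text):
    """Return {prefix: set(next_hops)}; a row with no prefix column
    continues the previous prefix, as in 'show ip bgp' output."""
    paths, current = defaultdict(set), None
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, column header or blank line
        if m.group("prefix"):
            current = m.group("prefix")
        if current:
            paths[current].add(m.group("nh"))
    return dict(paths)


def check_diversion(paths, scrubbers=SCRUBBERS):
    """Return a list of problems; an empty list means every diverted route
    is a /32 reachable through every scrubber (load sharing in effect)."""
    problems = []
    for prefix, hops in sorted(paths.items()):
        if not prefix.endswith("/32"):
            problems.append(f"{prefix}: not a /32, diverts more than one host")
        if scrubbers - hops:
            problems.append(f"{prefix}: missing next hop(s) {sorted(scrubbers - hops)}")
        if hops - scrubbers:
            problems.append(f"{prefix}: unexpected next hop(s) {sorted(hops - scrubbers)}")
    return problems
```

Paste the live "show ip bgp" output in place of SAMPLE; any non-empty result from check_diversion means a route is either broader than a single host or reachable through only one of the two units.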
3. In the web management UI, observe whether, while under attack, the manually diverted Layer 2 and Layer 3 host traffic is load-balanced across the two units
Protection system 192.168.104.1
Protection system 192.168.104.2