一般的交换机在 RIB 收到路由表后会直接安装进 FIB,这在通常情况下是非常合理的,可以立即通过收到的路由来转发数据包到对应的路径。但是在某些情况下,我们希望交换机收入 RIB 的路由条目不安装进 FIB,以达到节省硬件容量的目的。
典型的例子就是,客户有收全表的需求,而交换机是没有容纳全表的硬件空间的。而客户和路由器直接做 BGP session 则会引起环路。这时候我们就需要使用 FIB-filter 来控制交换机不要向 FIB 安装路由。
拓扑整图:
需求:
- 交换机 QFX FIB 容量极小,不可以安装上游 CSR 发过来的路由,仅可安装默认路由。
- 交换机需要将路由转发给 Customer Router
- 交换机需要将 Customer Router 发过来的路由安装进 FIB,以避免路由环路。
基本 ASN / IP 配置略过,我们直接先看配置好的结果。
root@vqfx-re> show route protocol bgp
inet.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[BGP/170] 00:00:49, localpref 100
AS path: 65533 I, validation-state: unverified
> to 192.1.2.1 via xe-0/0/2.0
10.10.10.10/32 *[BGP/170] 00:02:58, MED 0, localpref 100
AS path: 65533 I, validation-state: unverified
> to 192.1.2.1 via xe-0/0/2.0
10.11.11.11/32 *[BGP/170] 00:02:29, MED 0, localpref 100
AS path: 65533 I, validation-state: unverified
> to 192.1.2.1 via xe-0/0/2.0
10.12.12.12/32 *[BGP/170] 00:02:29, MED 0, localpref 100
AS path: 65533 I, validation-state: unverified
> to 192.1.2.1 via xe-0/0/2.0
10.13.13.13/32 *[BGP/170] 00:02:29, MED 0, localpref 100
AS path: 65533 I, validation-state: unverified
> to 192.1.2.1 via xe-0/0/2.0
10.14.14.14/32 *[BGP/170] 00:01:58, MED 0, localpref 100
AS path: 65533 I, validation-state: unverified
> to 192.1.2.1 via xe-0/0/2.0
192.168.192.168/32 *[BGP/170] 00:00:17, MED 0, localpref 100
AS path: 65535 I, validation-state: unverified
> to 192.0.1.2 via irb.1
root@vqfx-re> show route forwarding-table table default family inet Routing table: default.inet Internet: Destination Type RtRef Next hop Type Index NhRef Netif default user 0 50:0:0:1:0:1 ucst 1720 9 xe-0/0/2.0 default perm 0 rjct 51 1 0.0.0.0/32 perm 0 dscd 49 1 10.10.10.10/32 user 0 192.1.2.1 ucst 1720 9 xe-0/0/2.0 10.11.11.11/32 user 0 192.1.2.1 ucst 1720 9 xe-0/0/2.0 10.12.12.12/32 user 0 192.1.2.1 ucst 1720 9 xe-0/0/2.0 10.13.13.13/32 user 0 192.1.2.1 ucst 1720 9 xe-0/0/2.0 10.14.14.14/32 user 0 192.1.2.1 ucst 1720 9 xe-0/0/2.0 169.254.0.0/24 intf 0 rslv 323 1 em1.0 169.254.0.0/32 dest 0 169.254.0.0 recv 321 1 em1.0 169.254.0.1/32 dest 1 50:0:0:4:0:1 ucst 336 2 em1.0 169.254.0.2/32 intf 0 169.254.0.2 locl 322 2 169.254.0.2/32 dest 0 169.254.0.2 locl 322 2 169.254.0.255/32 dest 0 169.254.0.255 bcst 320 1 em1.0 192.0.1.0/24 intf 0 rslv 1710 1 irb.1 192.0.1.0/32 dest 0 192.0.1.0 recv 1708 1 irb.1 192.0.1.1/32 intf 0 192.0.1.1 locl 1709 2 192.0.1.1/32 dest 0 192.0.1.1 locl 1709 2 192.0.1.2/32 dest 1 50:0:0:5:0:0 ucst 1719 4 xe-0/0/1.0 192.0.1.255/32 dest 0 192.0.1.255 bcst 1707 1 irb.1 192.1.2.0/24 intf 0 rslv 1715 1 xe-0/0/2.0 192.1.2.0/32 dest 0 192.1.2.0 recv 1713 1 xe-0/0/2.0 192.1.2.1/32 dest 1 50:0:0:1:0:1 ucst 1720 9 xe-0/0/2.0 192.1.2.2/32 intf 0 192.1.2.2 locl 1714 2 192.1.2.2/32 dest 0 192.1.2.2 locl 1714 2 192.1.2.255/32 dest 0 192.1.2.255 bcst 1712 1 xe-0/0/2.0 192.168.192.168/32 user 0 192.0.1.2 ucst 1719 4 xe-0/0/1.0 224.0.0.0/4 perm 0 mdsc 50 1 224.0.0.1/32 perm 0 224.0.0.1 mcst 46 1 255.255.255.255/32 perm 0 bcst 47 1
customer#show ip b
Network Next Hop Metric LocPrf Weight Path
*> 0.0.0.0 192.0.1.1 0 65534 65533 i
*> 10.10.10.10/32 192.0.1.1 0 65534 65533 i
*> 10.11.11.11/32 192.0.1.1 0 65534 65533 i
*> 10.12.12.12/32 192.0.1.1 0 65534 65533 i
*> 10.13.13.13/32 192.0.1.1 0 65534 65533 i
*> 10.14.14.14/32 192.0.1.1 0 65534 65533 i
*> 192.168.192.168/32
0.0.0.0 0 32768 i
upstream#ping 192.168.192.168 source 10.10.10.10 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.192.168, timeout is 2 seconds: Packet sent with a source address of 10.10.10.10 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 24/49/101 ms
可见交换机和客户已经正常收到了上游发过来的路由,上游发过来的路由以及安装进了 FIB,且客户的路由已经通过 BGP 协议转发给了上游。通信测试一切正常。
但是交换机的转发表容量非常的小,安装了这么多路由会导致硬件不稳定等一大堆意外的因素,我们应该阻止这些路由安装进转发表。
于是现在我们开始配置 FIB-filter:
root@vqfx-re> show policy-options policy-statement customer-import
term customer-community-tag {
then {
community add customer;
accept;
}
}
// 定义收到的路由的community,将客户的路由打上 "customer" 社区属性。
root@vqfx-re> show policy-options policy-statement fib-policy
term default {
from {
route-filter 0.0.0.0/0 exact;
}
then accept;
}
term customer {
from {
protocol bgp;
community customer;
}
then accept;
}
term last {
then reject;
}
// 定义 FIB filter 规则,只接受默认路由,以及通过 BGP 发过来的客户路由。将这些路由安装进入转发表,其他路由拒绝。
root@vqfx-re> show configuration protocols bgp group external neighbor 192.0.1.2
import customer-import;
export accept-all;
peer-as 65535;
// 在 session 上应用上面写好的 import policy,为客户的路由打上社区属性。
root@vqfx-re> show configuration routing-options forwarding-table
export fib-policy;
// 为 FIB 配置 export filter
配置完成,我们来检查交换机的 forwarding-table:
root@vqfx-re> show route forwarding-table table default family inet Routing table: default.inet Internet: Destination Type RtRef Next hop Type Index NhRef Netif default user 0 50:0:0:1:0:1 ucst 1720 4 xe-0/0/2.0 default perm 0 rjct 51 1 0.0.0.0/32 perm 0 dscd 49 1 169.254.0.0/24 intf 0 rslv 323 1 em1.0 169.254.0.0/32 dest 0 169.254.0.0 recv 321 1 em1.0 169.254.0.1/32 dest 1 50:0:0:4:0:1 ucst 336 2 em1.0 169.254.0.2/32 intf 0 169.254.0.2 locl 322 2 169.254.0.2/32 dest 0 169.254.0.2 locl 322 2 169.254.0.255/32 dest 0 169.254.0.255 bcst 320 1 em1.0 192.0.1.0/24 intf 0 rslv 1710 1 irb.1 192.0.1.0/32 dest 0 192.0.1.0 recv 1708 1 irb.1 192.0.1.1/32 intf 0 192.0.1.1 locl 1709 2 192.0.1.1/32 dest 0 192.0.1.1 locl 1709 2 192.0.1.2/32 dest 1 50:0:0:5:0:0 ucst 1719 4 xe-0/0/1.0 192.0.1.255/32 dest 0 192.0.1.255 bcst 1707 1 irb.1 192.1.2.0/24 intf 0 rslv 1715 1 xe-0/0/2.0 192.1.2.0/32 dest 0 192.1.2.0 recv 1713 1 xe-0/0/2.0 192.1.2.1/32 dest 1 50:0:0:1:0:1 ucst 1720 4 xe-0/0/2.0 192.1.2.2/32 intf 0 192.1.2.2 locl 1714 2 192.1.2.2/32 dest 0 192.1.2.2 locl 1714 2 192.1.2.255/32 dest 0 192.1.2.255 bcst 1712 1 xe-0/0/2.0 192.168.192.168/32 user 0 192.0.1.2 ucst 1719 4 xe-0/0/1.0 224.0.0.0/4 perm 0 mdsc 50 1 224.0.0.1/32 perm 0 224.0.0.1 mcst 46 1 255.255.255.255/32 perm 0 bcst 47 1
可以见到,FIB 只安装了客户的 BGP 路由,以及从上游接收到的默认路由,大大节省了硬件空间。
测试通信状况以及路由表收发情况:
customer#show ip bgp
Network Next Hop Metric LocPrf Weight Path
*> 0.0.0.0 192.0.1.1 0 65534 65533 i
*> 10.10.10.10/32 192.0.1.1 0 65534 65533 i
*> 10.11.11.11/32 192.0.1.1 0 65534 65533 i
*> 10.12.12.12/32 192.0.1.1 0 65534 65533 i
*> 10.13.13.13/32 192.0.1.1 0 65534 65533 i
*> 10.14.14.14/32 192.0.1.1 0 65534 65533 i
*> 192.168.192.168/32
0.0.0.0 0 32768 i
customer#ping 10.10.10.10 source 192.168.192.168
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
Packet sent with a source address of 192.168.192.168
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 21/32/67 ms
customer#
客户通信正常,且路由收发正常,需求实现完成。
总结如下:
- FIB-filter 不会过滤本地机器产生的路由( 如 直连路由,本地路由 )
- 由于 BGP 的原则是发送 RIB 中的匹配 policy 的最佳路由,因此配置 FIB-filter 不会影响 BGP 路由发送。