
[ Juniper ] Using the Juniper FIB-filter to control which routes are installed in the forwarding table

March 14, 2020 - Juniper

Normally a switch installs every route that lands in the RIB straight into the FIB. In most cases that is exactly what you want: as soon as a route is learned, packets for that destination can be forwarded along the matching path. In some situations, however, we want routes that the switch holds in the RIB to stay out of the FIB, so that hardware table capacity is not consumed by routes the switch does not need to forward on.

The typical case is a customer who needs to receive the full routing table while the switch in the path has nowhere near enough hardware space to hold it, and peering the customer directly with the upstream router would create a routing loop. Here we use the FIB-filter to keep the switch from installing those routes into its FIB while it still carries them in the RIB and re-advertises them over BGP.

Full topology diagram:

Requirements:

Basic ASN / IP configuration is skipped; we start by looking at the state once everything is up.

root@vqfx-re> show route protocol bgp

inet.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[BGP/170] 00:00:49, localpref 100
                      AS path: 65533 I, validation-state: unverified
                    > to 192.1.2.1 via xe-0/0/2.0
10.10.10.10/32     *[BGP/170] 00:02:58, MED 0, localpref 100
                      AS path: 65533 I, validation-state: unverified
                    > to 192.1.2.1 via xe-0/0/2.0
10.11.11.11/32     *[BGP/170] 00:02:29, MED 0, localpref 100
                      AS path: 65533 I, validation-state: unverified
                    > to 192.1.2.1 via xe-0/0/2.0
10.12.12.12/32     *[BGP/170] 00:02:29, MED 0, localpref 100
                      AS path: 65533 I, validation-state: unverified
                    > to 192.1.2.1 via xe-0/0/2.0
10.13.13.13/32     *[BGP/170] 00:02:29, MED 0, localpref 100
                      AS path: 65533 I, validation-state: unverified
                    > to 192.1.2.1 via xe-0/0/2.0
10.14.14.14/32     *[BGP/170] 00:01:58, MED 0, localpref 100
                      AS path: 65533 I, validation-state: unverified
                    > to 192.1.2.1 via xe-0/0/2.0
192.168.192.168/32 *[BGP/170] 00:00:17, MED 0, localpref 100
                      AS path: 65535 I, validation-state: unverified
                    > to 192.0.1.2 via irb.1

root@vqfx-re> show route forwarding-table table default family inet
Routing table: default.inet
Internet:
Destination        Type RtRef Next hop           Type Index    NhRef Netif
default            user     0 50:0:0:1:0:1       ucst     1720     9 xe-0/0/2.0
default            perm     0                    rjct       51     1
0.0.0.0/32         perm     0                    dscd       49     1
10.10.10.10/32     user     0 192.1.2.1          ucst     1720     9 xe-0/0/2.0
10.11.11.11/32     user     0 192.1.2.1          ucst     1720     9 xe-0/0/2.0
10.12.12.12/32     user     0 192.1.2.1          ucst     1720     9 xe-0/0/2.0
10.13.13.13/32     user     0 192.1.2.1          ucst     1720     9 xe-0/0/2.0
10.14.14.14/32     user     0 192.1.2.1          ucst     1720     9 xe-0/0/2.0
169.254.0.0/24     intf     0                    rslv      323     1 em1.0
169.254.0.0/32     dest     0 169.254.0.0        recv      321     1 em1.0
169.254.0.1/32     dest     1 50:0:0:4:0:1       ucst      336     2 em1.0
169.254.0.2/32     intf     0 169.254.0.2        locl      322     2
169.254.0.2/32     dest     0 169.254.0.2        locl      322     2
169.254.0.255/32   dest     0 169.254.0.255      bcst      320     1 em1.0
192.0.1.0/24       intf     0                    rslv     1710     1 irb.1
192.0.1.0/32       dest     0 192.0.1.0          recv     1708     1 irb.1
192.0.1.1/32       intf     0 192.0.1.1          locl     1709     2
192.0.1.1/32       dest     0 192.0.1.1          locl     1709     2
192.0.1.2/32       dest     1 50:0:0:5:0:0       ucst     1719     4 xe-0/0/1.0
192.0.1.255/32     dest     0 192.0.1.255        bcst     1707     1 irb.1
192.1.2.0/24       intf     0                    rslv     1715     1 xe-0/0/2.0
192.1.2.0/32       dest     0 192.1.2.0          recv     1713     1 xe-0/0/2.0
192.1.2.1/32       dest     1 50:0:0:1:0:1       ucst     1720     9 xe-0/0/2.0
192.1.2.2/32       intf     0 192.1.2.2          locl     1714     2
192.1.2.2/32       dest     0 192.1.2.2          locl     1714     2
192.1.2.255/32     dest     0 192.1.2.255        bcst     1712     1 xe-0/0/2.0
192.168.192.168/32 user     0 192.0.1.2          ucst     1719     4 xe-0/0/1.0
224.0.0.0/4        perm     0                    mdsc       50     1
224.0.0.1/32       perm     0 224.0.0.1          mcst       46     1
255.255.255.255/32 perm     0                    bcst       47     1

customer#show ip b


     Network          Next Hop            Metric LocPrf Weight Path
 *>   0.0.0.0          192.0.1.1                              0 65534 65533 i
 *>   10.10.10.10/32   192.0.1.1                              0 65534 65533 i
 *>   10.11.11.11/32   192.0.1.1                              0 65534 65533 i
 *>   10.12.12.12/32   192.0.1.1                              0 65534 65533 i
 *>   10.13.13.13/32   192.0.1.1                              0 65534 65533 i
 *>   10.14.14.14/32   192.0.1.1                              0 65534 65533 i
 *>   192.168.192.168/32
                      0.0.0.0                  0         32768 i

upstream#ping 192.168.192.168 source 10.10.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.192.168, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.10
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/49/101 ms

As the output shows, both the switch and the customer have received the routes sent by the upstream, the upstream routes have been installed into the switch's FIB, and the customer's route has been passed on to the upstream over BGP. The connectivity test is clean.

The problem is that the switch's forwarding-table capacity is very small. Installing this many routes (a full table in the real deployment) can overflow the hardware table and bring hardware instability and a whole set of unexpected failures with it, so we should prevent these routes from being installed into the forwarding table at all.

Now we configure the FIB-filter. Three pieces are needed: an import policy that tags the customer's routes with a community, a policy for the forwarding table that accepts only the default route and those tagged routes, and the forwarding-table export statement that applies it. The community named customer also needs a members definition under policy-options community (not shown in the output below); Junos will not commit a policy that references an undefined community.

root@vqfx-re> show policy-options policy-statement customer-import
term customer-community-tag {
    then {
        community add customer;
        accept;
    }
}
// Tag every route received on the customer session with the "customer" community.

root@vqfx-re> show policy-options policy-statement fib-policy
term default {
    from {
        route-filter 0.0.0.0/0 exact;
    }
    then accept;
}
term customer {
    from {
        protocol bgp;
        community customer;
    }
    then accept;
}
term last {
    then reject;
}
// FIB filter rules, evaluated in order, first match wins: accept only the default route (exact match) and BGP routes carrying the customer community, install those into the forwarding table, and reject everything else.

root@vqfx-re> show configuration protocols bgp group external neighbor 192.0.1.2
import customer-import;
export accept-all;
peer-as 65535;
// Apply the import policy written above on the customer session so its routes get the community.

root@vqfx-re> show configuration routing-options forwarding-table
export fib-policy;
// Apply the policy as the export filter between the RIB and the FIB.

With the configuration committed, check the switch's forwarding table again:

root@vqfx-re> show route forwarding-table table default family inet
Routing table: default.inet
Internet:
Destination        Type RtRef Next hop           Type Index    NhRef Netif
default            user     0 50:0:0:1:0:1       ucst     1720     4 xe-0/0/2.0
default            perm     0                    rjct       51     1
0.0.0.0/32         perm     0                    dscd       49     1
169.254.0.0/24     intf     0                    rslv      323     1 em1.0
169.254.0.0/32     dest     0 169.254.0.0        recv      321     1 em1.0
169.254.0.1/32     dest     1 50:0:0:4:0:1       ucst      336     2 em1.0
169.254.0.2/32     intf     0 169.254.0.2        locl      322     2
169.254.0.2/32     dest     0 169.254.0.2        locl      322     2
169.254.0.255/32   dest     0 169.254.0.255      bcst      320     1 em1.0
192.0.1.0/24       intf     0                    rslv     1710     1 irb.1
192.0.1.0/32       dest     0 192.0.1.0          recv     1708     1 irb.1
192.0.1.1/32       intf     0 192.0.1.1          locl     1709     2
192.0.1.1/32       dest     0 192.0.1.1          locl     1709     2
192.0.1.2/32       dest     1 50:0:0:5:0:0       ucst     1719     4 xe-0/0/1.0
192.0.1.255/32     dest     0 192.0.1.255        bcst     1707     1 irb.1
192.1.2.0/24       intf     0                    rslv     1715     1 xe-0/0/2.0
192.1.2.0/32       dest     0 192.1.2.0          recv     1713     1 xe-0/0/2.0
192.1.2.1/32       dest     1 50:0:0:1:0:1       ucst     1720     4 xe-0/0/2.0
192.1.2.2/32       intf     0 192.1.2.2          locl     1714     2
192.1.2.2/32       dest     0 192.1.2.2          locl     1714     2
192.1.2.255/32     dest     0 192.1.2.255        bcst     1712     1 xe-0/0/2.0
192.168.192.168/32 user     0 192.0.1.2          ucst     1719     4 xe-0/0/1.0
224.0.0.0/4        perm     0                    mdsc       50     1
224.0.0.1/32       perm     0 224.0.0.1          mcst       46     1
255.255.255.255/32 perm     0                    bcst       47     1

The FIB now holds only the customer's BGP route and the default route received from the upstream, which frees up a great deal of hardware table space. The five upstream prefixes are still in the RIB, so BGP keeps re-advertising them to the customer, and traffic the switch itself has to forward to those destinations simply follows the default route toward the upstream. One thing to watch: customer-import adds the community on ingress, so unless the export policy toward the upstream strips it, the tag leaves the AS along with the route.
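To make the policy's behaviour checkable rather than taken on faith, here is an added example (not code from the original post) that models the fib-policy above the way Junos evaluates it, first matching term wins, and compares the prediction against an excerpt of the forwarding-table dump from this page. The RIB contents and the dump lines are copied from the outputs above; the one assumption is that the community named "customer" is present only on routes learned from the customer peer, which is exactly what customer-import produces.

```python
"""Added example, not code from the original post: model the Junos
fib-policy shown above and check its prediction against an excerpt of the
`show route forwarding-table` output from the page."""

# RIB contents taken from `show route protocol bgp` above. The route from
# 192.0.1.2 (customer) was tagged by customer-import; the six routes from
# 192.1.2.1 (upstream) carry no community. (Assumption: no other communities.)
RIB = {
    "0.0.0.0/0":          {"protocol": "bgp", "communities": set()},
    "10.10.10.10/32":     {"protocol": "bgp", "communities": set()},
    "10.11.11.11/32":     {"protocol": "bgp", "communities": set()},
    "10.12.12.12/32":     {"protocol": "bgp", "communities": set()},
    "10.13.13.13/32":     {"protocol": "bgp", "communities": set()},
    "10.14.14.14/32":     {"protocol": "bgp", "communities": set()},
    "192.168.192.168/32": {"protocol": "bgp", "communities": {"customer"}},
}


def term_default(prefix, attrs):
    """term default: route-filter 0.0.0.0/0 exact matches only the default route."""
    return prefix == "0.0.0.0/0"


def term_customer(prefix, attrs):
    """term customer: from-clauses are ANDed, so protocol bgp AND community customer."""
    return attrs["protocol"] == "bgp" and "customer" in attrs["communities"]


def term_last(prefix, attrs):
    """term last has no from-clause, so it matches every route."""
    return True


# (term name, match function, terminating action), in configuration order.
FIB_POLICY = [
    ("default", term_default, "accept"),
    ("customer", term_customer, "accept"),
    ("last", term_last, "reject"),
]


def evaluate(policy, prefix, attrs):
    """Return (term, action) for the first term whose from-clause matches."""
    for name, matches, action in policy:
        if matches(prefix, attrs):
            return name, action
    # Never reached with this policy because term last catches everything;
    # kept so the model is explicit about the fall-through you avoid by
    # writing that final reject.
    return None, "accept"


def predicted_fib(rib, policy):
    """Prefixes the policy lets through from the RIB into the FIB."""
    return {p for p, a in rib.items() if evaluate(policy, p, a)[1] == "accept"}


def suppressed(rib, policy):
    """Prefixes that stay in the RIB (still advertised by BGP) but never reach the FIB."""
    return set(rib) - predicted_fib(rib, policy)


# Excerpts of the two forwarding-table dumps from the page: only the rows the
# check needs. Interface and kernel rows are identical before and after.
FIB_BEFORE = """\
Destination        Type RtRef Next hop           Type Index    NhRef Netif
default            user     0 50:0:0:1:0:1       ucst     1720     9 xe-0/0/2.0
default            perm     0                    rjct       51     1
0.0.0.0/32         perm     0                    dscd       49     1
10.10.10.10/32     user     0 192.1.2.1          ucst     1720     9 xe-0/0/2.0
10.11.11.11/32     user     0 192.1.2.1          ucst     1720     9 xe-0/0/2.0
10.12.12.12/32     user     0 192.1.2.1          ucst     1720     9 xe-0/0/2.0
10.13.13.13/32     user     0 192.1.2.1          ucst     1720     9 xe-0/0/2.0
10.14.14.14/32     user     0 192.1.2.1          ucst     1720     9 xe-0/0/2.0
192.0.1.2/32       dest     1 50:0:0:5:0:0       ucst     1719     4 xe-0/0/1.0
192.168.192.168/32 user     0 192.0.1.2          ucst     1719     4 xe-0/0/1.0
"""

FIB_AFTER = """\
Destination        Type RtRef Next hop           Type Index    NhRef Netif
default            user     0 50:0:0:1:0:1       ucst     1720     4 xe-0/0/2.0
default            perm     0                    rjct       51     1
0.0.0.0/32         perm     0                    dscd       49     1
192.0.1.2/32       dest     1 50:0:0:5:0:0       ucst     1719     4 xe-0/0/1.0
192.168.192.168/32 user     0 192.0.1.2          ucst     1719     4 xe-0/0/1.0
"""


def user_routes(fib_dump):
    """Prefixes installed by the routing daemon: rows whose first Type column is
    'user'. perm/intf/dest rows are kernel or interface entries that the
    forwarding-table export policy never sees."""
    found = set()
    for line in fib_dump.splitlines():
        cols = line.split()
        if len(cols) >= 2 and cols[1] == "user":
            found.add("0.0.0.0/0" if cols[0] == "default" else cols[0])
    return found


if __name__ == "__main__":
    print("installed before filter:", sorted(user_routes(FIB_BEFORE)))
    print("policy predicts:        ", sorted(predicted_fib(RIB, FIB_POLICY)))
    print("installed after filter: ", sorted(user_routes(FIB_AFTER)))
    print("held back from FIB:     ", sorted(suppressed(RIB, FIB_POLICY)))
    assert user_routes(FIB_AFTER) == predicted_fib(RIB, FIB_POLICY)
```

The same parsing of the Type column is the quickest way to audit a live box: count the "user" rows in `show route forwarding-table` before and after the commit, and any prefix that is present in `show route` but absent from the user rows is one the policy held back.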

Now test connectivity and confirm that route exchange is unaffected:

customer#show ip bgp

     Network          Next Hop            Metric LocPrf Weight Path
 *>   0.0.0.0          192.0.1.1                              0 65534 65533 i
 *>   10.10.10.10/32   192.0.1.1                              0 65534 65533 i
 *>   10.11.11.11/32   192.0.1.1                              0 65534 65533 i
 *>   10.12.12.12/32   192.0.1.1                              0 65534 65533 i
 *>   10.13.13.13/32   192.0.1.1                              0 65534 65533 i
 *>   10.14.14.14/32   192.0.1.1                              0 65534 65533 i
 *>   192.168.192.168/32
                      0.0.0.0                  0         32768 i

customer#ping 10.10.10.10 source 192.168.192.168
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
Packet sent with a source address of 192.168.192.168
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 21/32/67 ms
customer#

The customer's traffic flows normally and routes are still exchanged in both directions, so the requirement is met: the switch carries and re-advertises the upstream routes without spending FIB space on them.

Summary:
