# Configuring VRF + BGP on Cisco and permitting routes only between specific VRFs with route leaking

Configuring VRFs lets you logically split a single router's routing table. This is convenient when you want to keep an independent, separate routing table per customer. Put another way, different VRFs cannot communicate with each other. There are cases, however, where you want each customer's routing table kept separate by VRF while a shared service infrastructure remains reachable from every customer. In that case, configuring a route leak permits communication between exactly the VRFs you choose.

In this post I configure VRFs on Cisco routers running in VIRL, exchange routes with BGP, and set up route leaking so that two requirements are both met: "the service infrastructure and the customers can communicate" and "customers cannot communicate with each other".

## Topology

The topology is as follows. All routers are Cisco IOSv 15.4(1)T.

## Configuration

The configuration of each router is shown below.

### R1 configuration

First, define the following VRFs.

| VRF name | RD | Export RT | Import RT 65001:1 | Import RT 65001:2 | Import RT 65001:3 |
|---|---|---|---|---|---|
| VRF-SERVICE | 65001:1 | 65001:1 | ○ Import | × | × |
| VRF-CUSTOMER-A | 65001:2 | 65001:2 | × | ○ Import | × |
| VRF-CUSTOMER-B | 65001:3 | 65001:3 | × | × | ○ Import |

The BGP neighbor statements specify as-override. Without it, the routes exchanged between R4 and R5 inside VRF-CUSTOMER-A (AS65002), for example, would travel R4 (AS65002) → R1 (AS65000) → R5 (AS65002); the receiving router would see its own AS65002 already in the AS_PATH, treat the update as a loop, and the route would not propagate. To avoid this, as-override rewrites the customer's AS number with R1's own AS number.
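To make the as-override behaviour concrete, here is an added Python model (not code from the original post) of how the AS_PATH evolves as a prefix travels CE → R1 → CE between two customer routers in the same AS; the router names and AS numbers are taken from the topology above, and the model itself is an assumption built for illustration:

```python
# Added example (not from the original post): a small model of how
# 'neighbor ... as-override' changes AS_PATH propagation between two CE
# routers in the same AS that both peer with the PE inside one VRF.
# Router names and AS numbers follow the post's topology; the model
# itself is an assumption built for illustration.
from dataclasses import dataclass

PE_AS = 65000  # R1


@dataclass(frozen=True)
class Peer:
    name: str
    asn: int


def ce_advertise(ce: Peer) -> list[int]:
    """A CE originating a prefix prepends its own AS when sending to the PE."""
    return [ce.asn]


def pe_send(path: list[int], to: Peer, as_override: bool) -> list[int]:
    """PE advertises to a CE neighbor. With as-override, every occurrence of
    the neighbor's own AS in the path is rewritten to the PE's AS before the
    PE prepends itself; without it the path is forwarded unchanged."""
    rewritten = [PE_AS if (as_override and asn == to.asn) else asn for asn in path]
    return [PE_AS] + rewritten


def ce_accept(path: list[int], ce: Peer) -> bool:
    """Standard eBGP loop prevention: reject an UPDATE whose AS_PATH
    already contains the receiving router's own AS."""
    return ce.asn not in path


def propagate(sender: Peer, receiver: Peer, as_override: bool) -> dict:
    """Carry a prefix from the sender CE through the PE to the receiver CE
    and report the AS_PATH the receiver sees and whether it installs it."""
    path_sent = pe_send(ce_advertise(sender), receiver, as_override)
    return {
        "as_path": " ".join(str(a) for a in path_sent),
        "accepted": ce_accept(path_sent, receiver),
    }


if __name__ == "__main__":
    r4, r5 = Peer("R4", 65002), Peer("R5", 65002)  # both in VRF-CUSTOMER-A
    for flag in (False, True):
        print(f"as-override={flag}: R4 -> R1 -> R5 {propagate(r4, r5, flag)}")
```

With as-override on, the path R5 receives for R4's loopback is `65000 65000`, which is exactly the Path column shown in the `show ip bgp` output on R5 later in the post; a route from a different AS (for example R2 in AS65001 after the leak) is untouched by the rewrite and arrives as `65000 65001`.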
```
hostname R1
!
ip vrf VRF-SERVICE
 rd 65001:1
 route-target export 65001:1
 route-target import 65001:1
!
ip vrf VRF-CUSTOMER-A
 rd 65001:2
 route-target export 65001:2
 route-target import 65001:2
!
ip vrf VRF-CUSTOMER-B
 rd 65001:3
 route-target export 65001:3
 route-target import 65001:3
!
interface Loopback99
 ip address 10.0.99.1 255.255.255.255
!
interface Ethernet0/0
 ip vrf forwarding VRF-SERVICE
 ip address 10.0.12.1 255.255.255.0
 no shutdown
!
interface Ethernet0/1
 ip vrf forwarding VRF-SERVICE
 ip address 10.0.13.1 255.255.255.0
 no shutdown
!
interface Ethernet0/2
 ip vrf forwarding VRF-CUSTOMER-A
 ip address 10.0.14.1 255.255.255.0
 no shutdown
!
interface Ethernet0/3
 ip vrf forwarding VRF-CUSTOMER-A
 ip address 10.0.15.1 255.255.255.0
 no shutdown
!
interface Ethernet1/0
 ip vrf forwarding VRF-CUSTOMER-B
 ip address 10.0.16.1 255.255.255.0
 no shutdown
!
interface Ethernet1/1
 ip vrf forwarding VRF-CUSTOMER-B
 ip address 10.0.17.1 255.255.255.0
 no shutdown
!
router bgp 65000
 bgp log-neighbor-changes
 !
 address-family ipv4 vrf VRF-CUSTOMER-A
  bgp router-id 10.2.99.1
  neighbor 10.0.14.4 remote-as 65002
  neighbor 10.0.14.4 activate
  neighbor 10.0.14.4 as-override
  neighbor 10.0.15.5 remote-as 65002
  neighbor 10.0.15.5 activate
  neighbor 10.0.15.5 as-override
 exit-address-family
 !
 address-family ipv4 vrf VRF-CUSTOMER-B
  bgp router-id 10.3.99.1
  neighbor 10.0.16.6 remote-as 65003
  neighbor 10.0.16.6 activate
  neighbor 10.0.16.6 as-override
  neighbor 10.0.17.7 remote-as 65003
  neighbor 10.0.17.7 activate
  neighbor 10.0.17.7 as-override
 exit-address-family
 !
 address-family ipv4 vrf VRF-SERVICE
  bgp router-id 10.1.99.1
  neighbor 10.0.12.2 remote-as 65001
  neighbor 10.0.12.2 activate
  neighbor 10.0.12.2 as-override
  neighbor 10.0.13.3 remote-as 65001
  neighbor 10.0.13.3 activate
  neighbor 10.0.13.3 as-override
 exit-address-family
!
end
```
### R2 configuration

R2 through R7 have minimal configurations: just addresses and one BGP neighbor.

```
hostname R2
!
interface Loopback99
 ip address 10.0.99.2 255.255.255.255
!
interface Ethernet0/0
 ip address 10.0.12.2 255.255.255.0
 no shutdown
!
router bgp 65001
 bgp router-id 10.0.99.2
 bgp log-neighbor-changes
 network 10.0.99.2 mask 255.255.255.255
 neighbor 10.0.12.1 remote-as 65000
!
end
```
### R3 configuration

```
hostname R3
!
interface Loopback99
 ip address 10.0.99.3 255.255.255.255
!
interface Ethernet0/0
 ip address 10.0.13.3 255.255.255.0
 no shutdown
!
router bgp 65001
 bgp router-id 10.0.99.3
 bgp log-neighbor-changes
 network 10.0.99.3 mask 255.255.255.255
 neighbor 10.0.13.1 remote-as 65000
!
end
```
### R4 configuration

```
hostname R4
!
interface Loopback99
 ip address 10.0.99.4 255.255.255.255
!
interface Ethernet0/0
 ip address 10.0.14.4 255.255.255.0
 no shutdown
!
router bgp 65002
 bgp router-id 10.0.99.4
 bgp log-neighbor-changes
 network 10.0.99.4 mask 255.255.255.255
 neighbor 10.0.14.1 remote-as 65000
!
end
```
### R5 configuration

```
hostname R5
!
interface Loopback99
 ip address 10.0.99.5 255.255.255.255
!
interface Ethernet0/0
 ip address 10.0.15.5 255.255.255.0
 no shutdown
!
router bgp 65002
 bgp router-id 10.0.99.5
 bgp log-neighbor-changes
 network 10.0.99.5 mask 255.255.255.255
 neighbor 10.0.15.1 remote-as 65000
!
end
```
### R6 configuration

```
hostname R6
!
interface Loopback99
 ip address 10.0.99.6 255.255.255.255
!
interface Ethernet0/0
 ip address 10.0.16.6 255.255.255.0
 no shutdown
!
router bgp 65003
 bgp router-id 10.0.99.6
 bgp log-neighbor-changes
 network 10.0.99.6 mask 255.255.255.255
 neighbor 10.0.16.1 remote-as 65000
!
end
```
### R7 configuration

```
hostname R7
!
interface Loopback99
 ip address 10.0.99.7 255.255.255.255
!
interface Ethernet0/0
 ip address 10.0.17.7 255.255.255.0
 no shutdown
!
router bgp 65003
 bgp router-id 10.0.99.7
 bgp log-neighbor-changes
 network 10.0.99.7 mask 255.255.255.255
 neighbor 10.0.17.1 remote-as 65000
!
end
```
## Checking the state

### Checking on R1

Check the VRF definitions with show ip vrf.

```
R1# show ip vrf
  Name                             Default RD            Interfaces
  VRF-CUSTOMER-A                   65001:2               Et0/2
                                                         Et0/3
  VRF-CUSTOMER-B                   65001:3               Et1/0
                                                         Et1/1
  VRF-SERVICE                      65001:1               Et0/0
                                                         Et0/1
```
Next, check the VRF details with show ip vrf detail.

```
R1# show ip vrf detail
VRF VRF-CUSTOMER-A (VRF Id = 2); default RD 65001:2; default VPNID <not set>
  Old CLI format, supports IPv4 only
  Flags: 0xC
  Interfaces:
    Et0/2                    Et0/3
VRF Table ID = 2
  Flags: 0x0
  Export VPN route-target communities
    RT:65001:2
  Import VPN route-target communities
    RT:65001:2
  No import route-map
  No global export route-map
  No export route-map
  VRF label distribution protocol: not configured
  VRF label allocation mode: per-prefix

VRF VRF-CUSTOMER-B (VRF Id = 3); default RD 65001:3; default VPNID <not set>
  Old CLI format, supports IPv4 only
  Flags: 0xC
  Interfaces:
    Et1/0                    Et1/1
VRF Table ID = 3
  Flags: 0x0
  Export VPN route-target communities
    RT:65001:3
  Import VPN route-target communities
    RT:65001:3
  No import route-map
  No global export route-map
  No export route-map
  VRF label distribution protocol: not configured
  VRF label allocation mode: per-prefix

VRF VRF-SERVICE (VRF Id = 1); default RD 65001:1; default VPNID <not set>
  Old CLI format, supports IPv4 only
  Flags: 0xC
  Interfaces:
    Et0/0                    Et0/1
VRF Table ID = 1
  Flags: 0x0
  Export VPN route-target communities
    RT:65001:1
  Import VPN route-target communities
    RT:65001:1
  No import route-map
  No global export route-map
  No export route-map
  VRF label distribution protocol: not configured
  VRF label allocation mode: per-prefix
```
Check the BGP neighbor state of each VRF with show bgp vpnv4 unicast vrf [VRF-NAME] summary. VRF-SERVICE looks like this.

```
R1# show bgp vpnv4 unicast vrf VRF-SERVICE summary
BGP router identifier 10.1.99.1, local AS number 65000
BGP table version is 7, main routing table version 7
2 network entries using 304 bytes of memory
2 path entries using 160 bytes of memory
6/3 BGP path/bestpath attribute entries using 912 bytes of memory
3 BGP AS-PATH entries using 72 bytes of memory
3 BGP extended community entries using 72 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1520 total bytes of memory
BGP activity 6/0 prefixes, 6/0 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.0.12.2       4        65001      13      13        7    0    0 00:07:25        1
10.0.13.3       4        65001      12      13        7    0    0 00:07:26        1
```
VRF-CUSTOMER-A looks like this.

```
R1# show bgp vpnv4 unicast vrf VRF-CUSTOMER-A summary
BGP router identifier 10.2.99.1, local AS number 65000
BGP table version is 7, main routing table version 7
2 network entries using 304 bytes of memory
2 path entries using 160 bytes of memory
6/3 BGP path/bestpath attribute entries using 912 bytes of memory
3 BGP AS-PATH entries using 72 bytes of memory
3 BGP extended community entries using 72 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1520 total bytes of memory
BGP activity 6/0 prefixes, 6/0 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.0.14.4       4        65002      13      13        7    0    0 00:07:18        1
10.0.15.5       4        65002      12      13        7    0    0 00:07:19        1
```
VRF-CUSTOMER-B looks like this.

```
R1# show bgp vpnv4 unicast vrf VRF-CUSTOMER-B summary
BGP router identifier 10.3.99.1, local AS number 65000
BGP table version is 7, main routing table version 7
2 network entries using 304 bytes of memory
2 path entries using 160 bytes of memory
6/3 BGP path/bestpath attribute entries using 912 bytes of memory
3 BGP AS-PATH entries using 72 bytes of memory
3 BGP extended community entries using 72 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1520 total bytes of memory
BGP activity 6/0 prefixes, 6/0 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.0.16.6       4        65003      13      13        7    0    0 00:07:24        1
10.0.17.7       4        65003      12      12        7    0    0 00:07:24        1
```
### Checking within VRF-SERVICE

#### Checking on R2

Because R1 is configured with VRFs, the customer routes (VRF-CUSTOMER-A / B) are not visible.

```
R2# show ip bgp
BGP table version is 27, local router ID is 10.0.99.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *   10.0.99.2/32     10.0.12.1                              0 65000 65000 i
 *>                   0.0.0.0                  0         32768 i
 *>  10.0.99.3/32     10.0.12.1                              0 65000 65000 i
```
#### Checking on R3

```
R3# show ip bgp
BGP table version is 27, local router ID is 10.0.99.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.0.99.2/32     10.0.13.1                              0 65000 65000 i
 *   10.0.99.3/32     10.0.13.1                              0 65000 65000 i
 *>                   0.0.0.0                  0         32768 i
```
### Checking within VRF-CUSTOMER-A

#### Checking on R4

```
R4# show ip bgp
BGP table version is 19, local router ID is 10.0.99.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *   10.0.99.4/32     10.0.14.1                              0 65000 65000 i
 *>                   0.0.0.0                  0         32768 i
 *>  10.0.99.5/32     10.0.14.1                              0 65000 65000 i
```
#### Checking on R5

```
R5# show ip bgp
BGP table version is 19, local router ID is 10.0.99.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.0.99.4/32     10.0.15.1                              0 65000 65000 i
 *   10.0.99.5/32     10.0.15.1                              0 65000 65000 i
 *>                   0.0.0.0                  0         32768 i
```
### Checking within VRF-CUSTOMER-B

#### Checking on R6

```
R6# show ip bgp
BGP table version is 19, local router ID is 10.0.99.6
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *   10.0.99.6/32     10.0.16.1                              0 65000 65000 i
 *>                   0.0.0.0                  0         32768 i
 *>  10.0.99.7/32     10.0.16.1                              0 65000 65000 i
```
#### Checking on R7

```
R7# show ip bgp
BGP table version is 19, local router ID is 10.0.99.7
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.0.99.6/32     10.0.17.1                              0 65000 65000 i
 *   10.0.99.7/32     10.0.17.1                              0 65000 65000 i
 *>                   0.0.0.0                  0         32768 i
```
## Configuring the route leak

Configure to meet the following requirements.

- The service infrastructure (VRF-SERVICE) and the customers (VRF-CUSTOMER-A / B) may communicate
- Customers may not communicate with each other

To satisfy these requirements, modify the VRF settings as follows. The cells that change are shown in bold.

| VRF name | RD | Export RT | Import RT 65001:1 | Import RT 65001:2 | Import RT 65001:3 |
|---|---|---|---|---|---|
| VRF-SERVICE | 65001:1 | 65001:1 | ○ Import | **○ Import** | **○ Import** |
| VRF-CUSTOMER-A | 65001:2 | 65001:2 | **○ Import** | ○ Import | × |
| VRF-CUSTOMER-B | 65001:3 | 65001:3 | **○ Import** | × | ○ Import |

Apply the following on R1 to implement this.

```
ip vrf VRF-SERVICE
 route-target import 65001:2
 route-target import 65001:3
!
ip vrf VRF-CUSTOMER-A
 route-target import 65001:1
!
ip vrf VRF-CUSTOMER-B
 route-target import 65001:1
!
end
```
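As an added check (not part of the original post), the following Python parses `ip vrf` stanzas in IOS syntax, derives from the route-target pairs alone which VRF's routes are installed in which VRF, and verifies the two requirements above; the embedded configuration is R1's VRF definitions after the change, while the parser and the policy check are illustrative assumptions rather than an IOS feature:

```python
# Added example (not from the original post): parse 'ip vrf' stanzas of an
# IOS config, derive the route-leak matrix from route-target pairs, and
# check the post's two requirements. The parser and check are assumptions.
import re
from itertools import permutations

R1_VRF_CONFIG = """\
ip vrf VRF-SERVICE
 rd 65001:1
 route-target export 65001:1
 route-target import 65001:1
 route-target import 65001:2
 route-target import 65001:3
!
ip vrf VRF-CUSTOMER-A
 rd 65001:2
 route-target export 65001:2
 route-target import 65001:2
 route-target import 65001:1
!
ip vrf VRF-CUSTOMER-B
 rd 65001:3
 route-target export 65001:3
 route-target import 65001:3
 route-target import 65001:1
!
"""


def parse_vrfs(config: str) -> dict[str, dict[str, set[str]]]:
    """Return {vrf: {"export": {...}, "import": {...}}} from 'ip vrf' blocks.
    Repeated stanzas for one VRF are merged and 'route-target both X' counts
    as export and import, matching how IOS accumulates these lines."""
    vrfs: dict[str, dict[str, set[str]]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"ip vrf (\S+)", line)
        if m:
            current = vrfs.setdefault(m.group(1), {"export": set(), "import": set()})
            continue
        m = re.fullmatch(r"route-target (export|import|both) (\S+)", line)
        if m and current is not None:
            kind, rt = m.groups()
            for k in (("export", "import") if kind == "both" else (kind,)):
                current[k].add(rt)
    return vrfs


def leak_matrix(vrfs: dict) -> dict[tuple[str, str], bool]:
    """leaks[(src, dst)] is True when dst imports at least one RT that src
    exports, i.e. src's routes are installed in dst's table."""
    return {(s, d): bool(vrfs[s]["export"] & vrfs[d]["import"])
            for s, d in permutations(vrfs, 2)}


def policy_violations(vrfs: dict, shared: str, customer_prefix: str) -> list[str]:
    """The post's requirement: every customer VRF exchanges routes with the
    shared VRF in both directions, and no customer VRF leaks into another."""
    leaks = leak_matrix(vrfs)
    customers = [v for v in vrfs if v.startswith(customer_prefix)]
    problems = []
    for c in customers:
        if not leaks[(shared, c)]:
            problems.append(f"{c} does not import {shared}")
        if not leaks[(c, shared)]:
            problems.append(f"{shared} does not import {c}")
    for a, b in permutations(customers, 2):
        if leaks[(a, b)]:
            problems.append(f"{b} imports {a} (customer-to-customer leak)")
    return problems


if __name__ == "__main__":
    vrfs = parse_vrfs(R1_VRF_CONFIG)
    for (src, dst), leaks in sorted(leak_matrix(vrfs).items()):
        print(f"{src:15} -> {dst:15} {'leaks' if leaks else 'isolated'}")
    print("violations:", policy_violations(vrfs, "VRF-SERVICE", "VRF-CUSTOMER-") or "none")
```

Feeding the same function the VRF section of a proposed change before it is pushed catches the classic mistake of a customer VRF importing another customer's RT, which `show ip vrf` alone would not reveal.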
## Checking the state after the change

### Checking on R1

As far as show ip vrf shows, nothing appears to have changed.

```
R1# show ip vrf
  Name                             Default RD            Interfaces
  VRF-CUSTOMER-A                   65001:2               Et0/2
                                                         Et0/3
  VRF-CUSTOMER-B                   65001:3               Et1/0
                                                         Et1/1
  VRF-SERVICE                      65001:1               Et0/0
                                                         Et0/1
```
show ip vrf detail, however, shows that the "Import VPN route-target communities" have grown exactly as configured.

```
R1# show ip vrf detail
VRF VRF-CUSTOMER-A (VRF Id = 2); default RD 65001:2; default VPNID <not set>
  Old CLI format, supports IPv4 only
  Flags: 0xC
  Interfaces:
    Et0/2                    Et0/3
VRF Table ID = 2
  Flags: 0x0
  Export VPN route-target communities
    RT:65001:2
  Import VPN route-target communities
    RT:65001:2                RT:65001:1
  No import route-map
  No global export route-map
  No export route-map
  VRF label distribution protocol: not configured
  VRF label allocation mode: per-prefix

VRF VRF-CUSTOMER-B (VRF Id = 3); default RD 65001:3; default VPNID <not set>
  Old CLI format, supports IPv4 only
  Flags: 0xC
  Interfaces:
    Et1/0                    Et1/1
VRF Table ID = 3
  Flags: 0x0
  Export VPN route-target communities
    RT:65001:3
  Import VPN route-target communities
    RT:65001:3                RT:65001:1
  No import route-map
  No global export route-map
  No export route-map
  VRF label distribution protocol: not configured
  VRF label allocation mode: per-prefix

VRF VRF-SERVICE (VRF Id = 1); default RD 65001:1; default VPNID <not set>
  Old CLI format, supports IPv4 only
  Flags: 0xC
  Interfaces:
    Et0/0                    Et0/1
VRF Table ID = 1
  Flags: 0x0
  Export VPN route-target communities
    RT:65001:1
  Import VPN route-target communities
    RT:65001:1                RT:65001:2                RT:65001:3
  No import route-map
  No global export route-map
  No export route-map
  VRF label distribution protocol: not configured
  VRF label allocation mode: per-prefix
```
### Checking within VRF-SERVICE

#### Checking on R2

Because VRF-CUSTOMER-A (RT:65001:2) and VRF-CUSTOMER-B (RT:65001:3) are now imported, R2 has learned the routes of those imported VRFs.

```
R2# show ip bgp
BGP table version is 37, local router ID is 10.0.99.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *   10.0.99.2/32     10.0.12.1                              0 65000 65000 i
 *>                   0.0.0.0                  0         32768 i
 *>  10.0.99.3/32     10.0.12.1                              0 65000 65000 i
 *>  10.0.99.4/32     10.0.12.1                              0 65000 65002 i
 *>  10.0.99.5/32     10.0.12.1                              0 65000 65002 i
 *>  10.0.99.6/32     10.0.12.1                              0 65000 65003 i
 *>  10.0.99.7/32     10.0.12.1                              0 65000 65003 i
```
#### Checking on R3

R3 is the same.

```
R3# show ip bgp
BGP table version is 37, local router ID is 10.0.99.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.0.99.2/32     10.0.13.1                              0 65000 65000 i
 *   10.0.99.3/32     10.0.13.1                              0 65000 65000 i
 *>                   0.0.0.0                  0         32768 i
 *>  10.0.99.4/32     10.0.13.1                              0 65000 65002 i
 *>  10.0.99.5/32     10.0.13.1                              0 65000 65002 i
 *>  10.0.99.6/32     10.0.13.1                              0 65000 65003 i
 *>  10.0.99.7/32     10.0.13.1                              0 65000 65003 i
```
### Checking within VRF-CUSTOMER-A

#### Checking on R4

Only the routes of the imported VRF-SERVICE (RT:65001:1) have been added; nothing from VRF-CUSTOMER-B appears.

```
R4# show ip bgp
BGP table version is 31, local router ID is 10.0.99.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.0.99.2/32     10.0.14.1                              0 65000 65001 i
 *>  10.0.99.3/32     10.0.14.1                              0 65000 65001 i
 *   10.0.99.4/32     10.0.14.1                              0 65000 65000 i
 *>                   0.0.0.0                  0         32768 i
 *>  10.0.99.5/32     10.0.14.1                              0 65000 65000 i
```
#### Checking on R5

Same as R4.

```
R5# show ip bgp
BGP table version is 31, local router ID is 10.0.99.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.0.99.2/32     10.0.15.1                              0 65000 65001 i
 *>  10.0.99.3/32     10.0.15.1                              0 65000 65001 i
 *>  10.0.99.4/32     10.0.15.1                              0 65000 65000 i
 *   10.0.99.5/32     10.0.15.1                              0 65000 65000 i
 *>                   0.0.0.0                  0         32768 i
```
### Checking within VRF-CUSTOMER-B

#### Checking on R6

Only the routes of the imported VRF-SERVICE (RT:65001:1) have been added; nothing from VRF-CUSTOMER-A appears.

```
R6# show ip bgp
BGP table version is 27, local router ID is 10.0.99.6
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.0.99.2/32     10.0.16.1                              0 65000 65001 i
 *>  10.0.99.3/32     10.0.16.1                              0 65000 65001 i
 *   10.0.99.6/32     10.0.16.1                              0 65000 65000 i
 *>                   0.0.0.0                  0         32768 i
 *>  10.0.99.7/32     10.0.16.1                              0 65000 65000 i
```
#### Checking on R7

Same as R6.

```
R7# show ip bgp
BGP table version is 27, local router ID is 10.0.99.7
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.0.99.2/32     10.0.17.1                              0 65000 65001 i
 *>  10.0.99.3/32     10.0.17.1                              0 65000 65001 i
 *>  10.0.99.6/32     10.0.17.1                              0 65000 65000 i
 *   10.0.99.7/32     10.0.17.1                              0 65000 65000 i
 *>                   0.0.0.0                  0         32768 i
```
## Checking connectivity

Let's verify reachability with ping. A sequence of pings to consecutive addresses can be written as a tclsh one-liner. To ping 10.0.0.1 through 10.0.0.10 once each, in order, it looks like this.

```
Router# tclsh
Router(tcl)# for {set i 1} {$i <= 10} {incr i} {ping ip 10.0.0.$i repeat 1}
...
Router(tcl)# tclquit
Router#
```
### Checking within VRF-SERVICE (R2)

Because both VRF-CUSTOMER-A and VRF-CUSTOMER-B are imported, pings reach every router.

| Destination | VRF | OK / NG |
|---|---|---|
| R2 | VRF-SERVICE | OK |
| R3 | VRF-SERVICE | OK |
| R4 | VRF-CUSTOMER-A | OK |
| R5 | VRF-CUSTOMER-A | OK |
| R6 | VRF-CUSTOMER-B | OK |
| R7 | VRF-CUSTOMER-B | OK |

The actual results are as follows.

```
R2# tclsh
R2(tcl)# for {set i 2} {$i <= 7} {incr i} {ping ip 10.0.99.$i repeat 1 source Loopback99}
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.0.99.2, timeout is 2 seconds:
Packet sent with a source address of 10.0.99.2
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 1/1/1 ms
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.0.99.3, timeout is 2 seconds:
Packet sent with a source address of 10.0.99.2
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 2/2/2 ms
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.0.99.4, timeout is 2 seconds:
Packet sent with a source address of 10.0.99.2
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 1/1/1 ms
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.0.99.5, timeout is 2 seconds:
Packet sent with a source address of 10.0.99.2
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 1/1/1 ms
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.0.99.6, timeout is 2 seconds:
Packet sent with a source address of 10.0.99.2
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 2/2/2 ms
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.0.99.7, timeout is 2 seconds:
Packet sent with a source address of 10.0.99.2
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 2/2/2 ms
```
### Checking within VRF-CUSTOMER-A (R4)

Because VRF-SERVICE is imported, pings reach VRF-SERVICE, but they do not reach VRF-CUSTOMER-B.

| Destination | VRF | OK / NG |
|---|---|---|
| R2 | VRF-SERVICE | OK |
| R3 | VRF-SERVICE | OK |
| R4 | VRF-CUSTOMER-A | OK |
| R5 | VRF-CUSTOMER-A | OK |
| R6 | VRF-CUSTOMER-B | NG |
| R7 | VRF-CUSTOMER-B | NG |

The results are as follows.

```
R4# tclsh
R4(tcl)#$ 7} {incr i} {ping ip 10.0.99.$i repeat 1 source Loopback99}
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.0.99.2, timeout is 2 seconds:
Packet sent with a source address of 10.0.99.4
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 2/2/2 ms
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.0.99.3, timeout is 2 seconds:
Packet sent with a source address of 10.0.99.4
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 1/1/1 ms
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.0.99.4, timeout is 2 seconds:
Packet sent with a source address of 10.0.99.4
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 1/1/1 ms
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.0.99.5, timeout is 2 seconds:
Packet sent with a source address of 10.0.99.4
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 1/1/1 ms
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.0.99.6, timeout is 2 seconds:
Packet sent with a source address of 10.0.99.4
.
Success rate is 0 percent (0/1)
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.0.99.7, timeout is 2 seconds:
Packet sent with a source address of 10.0.99.4
.
Success rate is 0 percent (0/1)
```
### Checking within VRF-CUSTOMER-B (R6)

Because VRF-SERVICE is imported, pings reach VRF-SERVICE, but they do not reach VRF-CUSTOMER-A.

| Destination | VRF | OK / NG |
|---|---|---|
| R2 | VRF-SERVICE | OK |
| R3 | VRF-SERVICE | OK |
| R4 | VRF-CUSTOMER-A | NG |
| R5 | VRF-CUSTOMER-A | NG |
| R6 | VRF-CUSTOMER-B | OK |
| R7 | VRF-CUSTOMER-B | OK |

The results are as follows.

```
R6# tclsh
R6(tcl)#$ 7} {incr i} {ping ip 10.0.99.$i repeat 1 source Loopback99}
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.0.99.2, timeout is 2 seconds:
Packet sent with a source address of 10.0.99.6
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 1/1/1 ms
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.0.99.3, timeout is 2 seconds:
Packet sent with a source address of 10.0.99.6
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 1/1/1 ms
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.0.99.4, timeout is 2 seconds:
Packet sent with a source address of 10.0.99.6
.
Success rate is 0 percent (0/1)
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.0.99.5, timeout is 2 seconds:
Packet sent with a source address of 10.0.99.6
.
Success rate is 0 percent (0/1)
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.0.99.6, timeout is 2 seconds:
Packet sent with a source address of 10.0.99.6
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 5/5/5 ms
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.0.99.7, timeout is 2 seconds:
Packet sent with a source address of 10.0.99.6
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 1/1/1 ms
```