JUNIPER: Why does the OSPF adjacency break when FBF is enabled on an OSPF interface?

Network Engineering: ospf, juniper, pbr
2021-07-12 21:10:16

I built a test lab to test filter-based forwarding (FBF), also known as policy-based routing. The question follows below, but first the details:

The topology is as follows:

[topology diagram image]

Goal: any traffic from Site 1 to Staging should be routed to the WAN over Link 2 rather than over Link 1, because Link 1 will be saturated by replication traffic between the two data centers.

  • SW-1 and SW-2 are Juniper EX4200 switches
  • RTR-1 and RTR-2 are Juniper J4350 routers
  • PE-1 and PE-2 are Cisco 1841 routers running IS-IS and MPLS VPN to simulate the provider WAN backbone

SW-1, SW-2, RTR-1 and RTR-2 are all OSPF neighbors in area 0. RTR-1 and RTR-2 are both ASBRs that inject BGP-learned routes into OSPF. Each router advertises its own site's routes into the WAN (as well as the other site's routes, for redundancy).

Routing traffic from Site 1 to Site 2's Staging is easy: the static route to Staging on SW-2 is simply redistributed into OSPF with a higher metric. Since that route is advertised into the WAN by RTR-2, RTR-1 learns it and redistributes it into OSPF with a metric of 0. On SW-1 the OSPF route learned from SW-2 has the higher metric, so the path via the WAN is preferred.

Return traffic from Site 2 also needs to flow this way so that we avoid asymmetric routing. FBF is applied on the inbound interface into SW-2 (Link 4). This filter takes all traffic from Staging (10.100.190.0/24) and sets the next hop to RTR-2. This part of the FBF is working, as I have tested in the lab.

Since RTR-2's preferred route back to Site 1 is via Link 1, we need to apply FBF again on RTR-2's inbound LAN interface (facing SW-2).

And that is where the problem is... when FBF is applied on that router, the OSPF adjacency with SW-2 breaks.

Question: why does the OSPF adjacency between RTR-2 and SW-2 break?

The RTR-2 and SW-2 configurations are attached:

RTR-2 configuration

root@RTR-2> show configuration interfaces | display set    
set interfaces ge-0/0/0 unit 0 family inet filter input FBF-TEST
deactivate interfaces ge-0/0/0 unit 0 family inet filter
set interfaces ge-0/0/0 unit 0 family inet address 10.100.254.2/24
set interfaces ge-0/0/3 description "Uplink to WAN"
set interfaces ge-0/0/3 unit 0 family inet address 200.200.200.2/30
set interfaces lo0 unit 0 family inet address 10.100.199.4/32

root@RTR-2> show configuration routing-options | display set 
set routing-options interface-routes rib-group inet STAGING-RIB
set routing-options rib-groups STAGING-RIB import-rib inet.0
set routing-options rib-groups STAGING-RIB import-rib PATH-1.inet.0
set routing-options rib-groups STAGING-RIB import-rib PATH-2.inet.0
set routing-options router-id 200.200.200.2
set routing-options autonomous-system 1

root@RTR-2> show configuration routing-instances | display set  
set routing-instances PATH-1 instance-type forwarding
set routing-instances PATH-1 routing-options static route 10.100.30.0/24 next-hop 200.200.200.1
set routing-instances PATH-1 routing-options static route 10.100.30.0/24 qualified-next-hop 10.100.254.1 preference 100
set routing-instances PATH-2 instance-type forwarding
set routing-instances PATH-2 routing-options static route 10.100.30.0/24 next-hop 10.100.254.1
set routing-instances PATH-2 routing-options static route 10.100.30.0/24 qualified-next-hop 200.200.200.1 preference 100

root@RTR-2> show configuration firewall | display set             
set firewall family inet filter FBF-TEST term TERM-1 from source-address 10.100.190.0/24
set firewall family inet filter FBF-TEST term TERM-1 from source-address 10.100.191.0/24
set firewall family inet filter FBF-TEST term TERM-1 then routing-instance PATH-1
set firewall family inet filter FBF-TEST term DEFAULT then routing-instance PATH-2

root@RTR-2> show configuration protocols | display set 
set protocols bgp path-selection cisco-non-deterministic
set protocols bgp log-updown
set protocols bgp group TEST type external
set protocols bgp group TEST local-address 200.200.200.2
set protocols bgp group TEST import REJECT
set protocols bgp group TEST export ADVERTISED
set protocols bgp group TEST peer-as 65000
set protocols bgp group TEST neighbor 200.200.200.1 preference 20
set protocols ospf rib-group STAGING-RIB
set protocols ospf export BGP-to-OSPF
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 priority 150
set protocols ospf area 0.0.0.0 interface lo0.0 passive

SW-2 configuration

root@SW-2> show configuration interfaces | display set 
set interfaces ge-0/0/0 unit 0 family inet address 10.10.10.2/30
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members VLAN-254
set interfaces ge-0/0/11 description "Uplink to STAGING"
set interfaces ge-0/0/11 unit 0 family inet filter input FBF-TEST
set interfaces ge-0/0/11 unit 0 family inet address 10.100.100.1/30
set interfaces lo0 unit 0 family inet address 10.100.199.2/32
set interfaces vlan unit 2 family inet address 10.100.2.1/24
set interfaces vlan unit 251 family inet address 10.100.251.1/24
set interfaces vlan unit 254 family inet address 10.100.254.1/24

root@SW-2> show configuration routing-options | display set 
set routing-options nonstop-routing
set routing-options interface-routes rib-group inet STAGING-RIB
set routing-options static route 172.22.128.0/21 next-hop 10.22.76.1
set routing-options static route 10.22.20.0/24 next-hop 10.22.76.1
set routing-options static route 10.100.190.0/24 next-hop 10.100.100.2
set routing-options static route 10.100.191.0/24 next-hop 10.100.100.2
set routing-options rib-groups STAGING-RIB import-rib inet.0
set routing-options rib-groups STAGING-RIB import-rib PATH-1.inet.0
set routing-options rib-groups STAGING-RIB import-rib PATH-2.inet.0
set routing-options router-id 10.100.254.1

root@SW-2> show configuration routing-instances | display set  
set routing-instances PATH-1 instance-type forwarding
set routing-instances PATH-1 routing-options static route 10.100.30.0/24 next-hop 10.100.254.2
set routing-instances PATH-1 routing-options static route 10.100.30.0/24 qualified-next-hop 10.10.10.1 preference 100
set routing-instances PATH-2 instance-type forwarding
set routing-instances PATH-2 routing-options static route 10.100.30.0/24 next-hop 10.10.10.1
set routing-instances PATH-2 routing-options static route 10.100.30.0/24 qualified-next-hop 10.100.254.2 preference 100

root@SW-2> show configuration firewall | display set             
set firewall family inet filter FBF-TEST term TERM-1 from source-address 10.100.190.0/24
set firewall family inet filter FBF-TEST term TERM-1 from source-address 10.100.191.0/24
set firewall family inet filter FBF-TEST term TERM-1 then routing-instance PATH-1
set firewall family inet filter FBF-TEST term DEFAULT then routing-instance PATH-2

root@SW-2> show configuration protocols | display set   
set protocols ospf export ADVERTISED
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 interface-type p2p
set protocols ospf area 0.0.0.0 interface vlan.2 passive
set protocols ospf area 0.0.0.0 interface vlan.251 passive
set protocols ospf area 0.0.0.0 interface vlan.254 priority 250

1 Answer

So, after working with JTAC yesterday ("me", because I really didn't need JTAC since I found the problem myself)... I realized that my firewall filter was a bit redundant and was missing a "permit any" statement.

The OSPF adjacency breaks because the firewall filter is catching the "other" traffic (term DEFAULT) and sending it to routing instance PATH-2, which doesn't help either way, because it just sends the traffic straight back to SW-2; something a "then accept" statement easily takes care of.

So, to fix this...

New corrected configuration for SW-2 and RTR-2:

delete routing-instances PATH-2
delete firewall family inet filter FBF-TEST term DEFAULT
set firewall family inet filter FBF-TEST term PERMIT-ANY then accept

New SW-2 configuration snippet:

routing-options {
    nonstop-routing;
    interface-routes {
        rib-group inet STAGING-RIB;
    }
    static {
        route 10.100.190.0/24 next-hop 10.100.100.2;
        route 10.100.191.0/24 next-hop 10.100.100.2;
    }
    rib-groups {
        STAGING-RIB {
            import-rib [ inet.0 PATH-1.inet.0 ];
        }
    }
    router-id 10.100.254.1;
}
firewall {
    family inet {
        filter FBF-TEST {
            term TERM-1 {
                from {
                    source-address {
                        10.100.190.0/24;
                        10.100.191.0/24;
                    }
                }
                then {
                    routing-instance PATH-1;
                }
            }
            term PERMIT-ANY {
                then accept;
            }
        }
    }
}
routing-instances {
    PATH-1 {
        instance-type forwarding;
        routing-options {
            static {
                route 10.100.30.0/24 {
                    next-hop 10.100.254.2;
                    qualified-next-hop 10.10.10.1 {
                        preference 100;
                    }
                }
            }
        }
    }
}

New RTR-2 configuration snippet:

routing-options {
    interface-routes {
        rib-group inet STAGING-RIB;
    }
    rib-groups {
        STAGING-RIB {
            import-rib [ inet.0 PATH-1.inet.0 ];
        }
    }
    router-id 200.200.200.2;
    autonomous-system 1;
}
firewall {
    family inet {
        filter FBF-TEST {
            term TERM-1 {
                from {
                    source-address {
                        10.100.190.0/24;
                        10.100.191.0/24;
                    }
                }
                then {
                    routing-instance PATH-1;
                }
            }
            term PERMIT-ANY {
                then accept;
            }
        }
    }
}
routing-instances {
    PATH-1 {
        instance-type forwarding;
        routing-options {
            static {
                route 10.100.30.0/24 {
                    next-hop 200.200.200.1;
                    qualified-next-hop 10.100.254.1 {
                        preference 100;
                    }
                }
            }
        }
    }
}
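As an added illustration (not part of the original question or answer, and not Junos code), the following Python models the first-match term evaluation of the FBF-TEST filter above and shows why the original DEFAULT term catches SW-2's OSPF hellos while the corrected PERMIT-ANY term lets them be accepted normally. The prefixes and addresses are the ones in the post; the sample packets are constructed.

```python
"""Constructed model of Junos first-match filter evaluation (not Junos code).
It reproduces only the term-matching behaviour of FBF-TEST needed to see why
the original DEFAULT term broke the RTR-2 <-> SW-2 OSPF adjacency."""
import ipaddress

STAGING_PREFIXES = ["10.100.190.0/24", "10.100.191.0/24"]

# Each term is (name, source-address match or None for "match anything", action).
# Terms are tried in order; the first match wins, as in a Junos firewall filter.
ORIGINAL_FILTER = [
    ("TERM-1", STAGING_PREFIXES, "routing-instance PATH-1"),
    ("DEFAULT", None, "routing-instance PATH-2"),   # swallows everything else, OSPF included
]
CORRECTED_FILTER = [
    ("TERM-1", STAGING_PREFIXES, "routing-instance PATH-1"),
    ("PERMIT-ANY", None, "accept"),                 # non-staging traffic is processed normally
]

# Constructed packets as seen inbound on RTR-2 ge-0/0/0.0. The filter matches on
# source address only, so an OSPF hello (IP protocol 89 to 224.0.0.5) sent from
# SW-2's vlan.254 address is treated exactly like any other non-staging packet.
PACKETS = {
    "ospf-hello-from-SW-2": "10.100.254.1",
    "staging-to-site-1": "10.100.190.10",
    "other-lan-traffic": "10.100.2.25",
}

def evaluate(filter_terms, src):
    """Return (term_name, action) for the first term that matches src."""
    src_ip = ipaddress.ip_address(src)
    for name, prefixes, action in filter_terms:
        if prefixes is None or any(src_ip in ipaddress.ip_network(p) for p in prefixes):
            return name, action
    return None, "discard"  # implicit discard at the end of a Junos filter

def classify(filter_terms):
    """Map every sample packet to the term and action it hits."""
    return {label: evaluate(filter_terms, src) for label, src in PACKETS.items()}

def ospf_adjacency_survives(filter_terms):
    """The post reports the adjacency drops when the neighbour's hellos are redirected
    into PATH-2 instead of being accepted; model that as 'hello hits an accept action'."""
    _, action = evaluate(filter_terms, PACKETS["ospf-hello-from-SW-2"])
    return action == "accept"

if __name__ == "__main__":
    for label, terms in (("original", ORIGINAL_FILTER), ("corrected", CORRECTED_FILTER)):
        print(label, classify(terms), "adjacency ok:", ospf_adjacency_survives(terms))
```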