BGP community control
When using Microsoft's cloud service Azure, there is apparently a way to connect via "ExpressRoute", and BGP is a communication requirement for it.
However, it seems that a fairly large number of routes are forwarded from the Azure side. Fortunately, the routes that ExpressRoute advertises apparently carry community values, so I tested whether the receiving side can use them for control.
AS 12076 plays the Azure-side ExpressRoute. (Since the actual service cannot be used, a Cisco router substitutes for it.)
First, the case where R2's config is plain:
router bgp 65000
bgp log-neighbor-changes
neighbor 203.0.113.1 remote-as 12076
!
address-family ipv4
neighbor 203.0.113.1 activate
neighbor 203.0.113.1 send-community
neighbor 203.0.113.1 soft-reconfiguration inbound
no auto-summary
no synchronization
exit-address-family
!
!
ip bgp-community new-format
!
Result of show ip bgp:
#show ip bgp
Network Next Hop Metric LocPrf Weight Path
*> 1.1.1.1/32 203.0.113.1 0 0 12076 ?
*> 2.2.2.2/32 203.0.113.1 0 0 12076 ?
*> 3.3.3.3/32 203.0.113.1 0 0 12076 ?
*> 4.4.4.4/32 203.0.113.1 0 0 12076 ?
*> 5.5.5.5/32 203.0.113.1 0 0 12076 ?
R2#
As expected, the routes 1.1.1.1 through 5.5.5.5 are all visible.
Now check the community value (checked on 1.1.1.1):
R2#show ip bgp 1.1.1.1
BGP routing table entry for 1.1.1.1/32, version 2
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Not advertised to any peer
12076, (received & used)
203.0.113.1 from 203.0.113.1 (5.5.5.5)
Origin incomplete, metric 0, localpref 100, valid, external, best
Community: 12076:5010
Here, accept only the route for lo5 (12076:5100).
Additional config for R2:
router bgp 65000
bgp log-neighbor-changes
neighbor 203.0.113.1 remote-as 12076
!
address-family ipv4
neighbor 203.0.113.1 activate
neighbor 203.0.113.1 send-community
neighbor 203.0.113.1 soft-reconfiguration inbound
neighbor 203.0.113.1 route-map community in
no auto-summary
no synchronization
exit-address-family
!
!
ip bgp-community new-format
ip community-list standard COMM permit 12076:5100
!
route-map community permit 10
match community COMM
!
After clear ip bgp:
R2#show ip bgp
Network Next Hop Metric LocPrf Weight Path
*> 5.5.5.5/32 203.0.113.1 0 0 12076 ?
For now, it looks like routes coming from ExpressRoute can be filtered this way as well.
Reference
<Note>
Config assumed for the ExpressRoute side:
router bgp 12076
bgp log-neighbor-changes
neighbor 203.0.113.2 remote-as 65000
!
address-family ipv4
redistribute connected
neighbor 203.0.113.2 activate
neighbor 203.0.113.2 send-community
neighbor 203.0.113.2 soft-reconfiguration inbound
neighbor 203.0.113.2 route-map community out
no auto-summary
no synchronization
exit-address-family
!
ip bgp-community new-format
!
ip prefix-list lo1 seq 5 permit 1.1.1.1/32
ip prefix-list lo2 seq 5 permit 2.2.2.2/32
ip prefix-list lo3 seq 5 permit 3.3.3.3/32
ip prefix-list lo4 seq 5 permit 4.4.4.4/32
ip prefix-list lo5 seq 5 permit 5.5.5.5/32
!
route-map community permit 10
match ip address prefix-list lo1
set community 12076:5010
!
route-map community permit 20
match ip address prefix-list lo2
set community 12076:5020
!
route-map community permit 30
match ip address prefix-list lo3
set community 12076:5030
!
route-map community permit 40
match ip address prefix-list lo4
set community 12076:5040
!
route-map community permit 50
match ip address prefix-list lo5
set community 12076:5100
!
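As an added example (not part of the original post), the two route-maps of this lab modelled in Python: the AS 12076 side tags each loopback with a community as in the outbound route-map above, and R2's side keeps only routes whose communities satisfy the standard community-list, with the implicit deny at the end of both. The prefixes, community values and AS numbers are the post's; the function names and data structures are my own assumptions.

```python
# Added example (not from the original post): Python model of the lab's two route-maps.
import ipaddress


def parse_community(text):
    """'12076:5100' (new-format) -> (12076, 5100); both halves must fit in 16 bits."""
    asn, value = (int(x) for x in text.split(":"))
    if not (0 <= asn <= 65535 and 0 <= value <= 65535):
        raise ValueError(f"invalid community {text!r}")
    return (asn, value)


def tag_outbound(prefixes, out_map):
    """Model of the sender's 'route-map community out': the first clause whose prefix-list
    matches sets the community; a prefix matching no permit clause hits the implicit deny
    and is not advertised at all."""
    sent = []
    for prefix in prefixes:
        for plist, comm in out_map:
            # prefix-list entry without ge/le matches the exact prefix and length only
            if ipaddress.ip_network(prefix) == ipaddress.ip_network(plist):
                sent.append((prefix, frozenset({parse_community(comm)})))
                break
    return sent


def standard_clist_match(clist, route_comms):
    """Standard community-list: entries are checked in order; an entry matches when every
    community it names is present on the route; routes matching no entry are denied."""
    for action, comms in clist:
        if comms <= route_comms:
            return action == "permit"
    return False


def filter_inbound(routes, clist):
    """R2's 'route-map community permit 10 / match community COMM' (implicit deny)."""
    return [prefix for prefix, comms in routes if standard_clist_match(clist, comms)]


# Constructed lab data mirroring the post: five loopbacks and their community tags
LOOPBACKS = ["1.1.1.1/32", "2.2.2.2/32", "3.3.3.3/32", "4.4.4.4/32", "5.5.5.5/32"]
OUT_MAP = [("1.1.1.1/32", "12076:5010"), ("2.2.2.2/32", "12076:5020"),
           ("3.3.3.3/32", "12076:5030"), ("4.4.4.4/32", "12076:5040"),
           ("5.5.5.5/32", "12076:5100")]
COMM = [("permit", frozenset({parse_community("12076:5100")}))]


def run_lab():
    """Return the prefixes R2 keeps after the inbound community filter."""
    return filter_inbound(tag_outbound(LOOPBACKS, OUT_MAP), COMM)


if __name__ == "__main__":
    print(run_lab())  # ['5.5.5.5/32']
```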