BGP Connect State (CONNECT) and Active State (ACTIVE)

Posted 15 July 2018, 23:37:00

Lab topology:

[Figure: lab topology diagram, "BGP Connect State (CONNECT) and Active State (ACTIVE)"]

Lab requirements:
  • Verify the CONNECT state and the ACTIVE state during BGP session establishment
  • ACTIVE state: in this state the BGP process actively initiates a TCP connection to the neighbor; if the TCP connection succeeds, the process continues with the following steps, and if it fails, the process enters the CONNECT state
  • CONNECT state: in this state the BGP process waits for the neighbor to complete a TCP connection to it before deciding its next action

Lab configuration:

R1:
router bgp 100
 neighbor 192.168.23.2 remote-as 200
 neighbor 192.168.23.2 ebgp-multihop 2

R3:
router bgp 200
 neighbor 192.168.12.1 remote-as 100
 neighbor 192.168.12.1 ebgp-multihop 2

R2:
interface Ethernet0/0
 ip address 192.168.12.2 255.255.255.0
 ip access-group 101 in

access-list 101 deny   tcp any eq bgp any log
access-list 101 permit tcp any any eq bgp log

Explanation:

  • Now run clear ip bgp * on R3; the router on which this command is entered manually tears down its BGP neighbor relationship and enters the ACTIVE state
  • During this process, R2 shows the following:

%SEC-6-IPACCESSLOGP: list 105 denied tcp 192.168.12.1(179) -> 192.168.23.2(21607), 1 packet
%SEC-6-IPACCESSLOGP: list 105 denied tcp 192.168.12.1(179) -> 192.168.23.2(27715), 1 packet
%SEC-6-IPACCESSLOGP: list 105 permitted tcp 192.168.12.1(62048) -> 192.168.23.2(179), 1 packet

  • R3's debug ip bgp output:

BGPNSF state: 192.168.12.1 went from nsf_not_active to nsf_not_active
BGP: 192.168.12.1 went from Established to Idle
%BGP-5-ADJCHANGE: neighbor 192.168.12.1 Down User reset
BGP: 192.168.12.1 closing
BGP: 192.168.12.1 went from Idle to Active
BGP: 192.168.12.1 open active, local address 192.168.23.2
BGP: 192.168.12.1 open failed: Connection timed out; remote host not responding, open active delayed 290ms (850ms max, 87% jitter)
BGP: 192.168.12.1 open active, local address 192.168.23.2
BGP: 192.168.12.1 passive open to 192.168.23.2
BGP: 192.168.12.1 went from Active to Idle
BGP: 192.168.12.1 went from Idle to Connect
BGP: 192.168.12.1 rcv message type 1, length (excl. header) 26
BGP: 192.168.12.1 rcv OPEN, version 4, holdtime 180 seconds
BGP: 192.168.12.1 went from Connect to OpenSent
BGP: 192.168.12.1 sending OPEN, version 4, my as: 200, holdtime 180 seconds
BGP: 192.168.12.1 rcv OPEN w/ OPTION parameter len: 16
BGP: 192.168.12.1 rcvd OPEN w/ optional parameter type 2 (Capability) len 6
BGP: 192.168.12.1 OPEN has CAPABILITY code: 1, length 4
BGP: 192.168.12.1 OPEN has MP_EXT CAP for afi/safi: 1/1
BGP: 192.168.12.1 rcvd OPEN w/ optional parameter type 2 (Capability) len 2
BGP: 192.168.12.1 OPEN has CAPABILITY code: 128, length 0
BGP: 192.168.12.1 OPEN has ROUTE-REFRESH capability(old) for all address-families
BGP: 192.168.12.1 rcvd OPEN w/ optional parameter type 2 (Capability) len 2
BGP: 192.168.12.1 OPEN has CAPABILITY code: 2, length 0
BGP: 192.168.12.1 OPEN has ROUTE-REFRESH capability(new) for all address-families
BGP: 192.168.12.1 rcvd OPEN w/ remote AS 100
BGP: 192.168.12.1 went from OpenSent to OpenConfirm
BGP: 192.168.12.1 send message type 1, length (incl. header) 45
BGP: 192.168.12.1 went from OpenConfirm to Established
%BGP-5-ADJCHANGE: neighbor 192.168.12.1 Up

  • This sequence shows that R3 first actively opens a TCP connection from a random port to R1's TCP port 179 (the BGP port), but the ACL inbound on R2's E0/0 blocks R1's reply packets to R3, so the TCP connection fails and the ACTIVE state fails
  • R3 then moves to the CONNECT state; R1 actively opens the TCP connection, and R3, after waiting for that TCP connection to be established, continues with the rest of the process
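As an added example that is not part of the original post, the following Python script parses debug ip bgp state lines in the format shown above and summarizes how each peer's session was formed: which states were visited, whether an active open failed, and whether the TCP connection was eventually accepted passively. SAMPLE_DEBUG is a constructed excerpt copied from the post's transition lines; the line formats that the regular expressions expect are assumed from that output only.

```python
"""
Added example (not part of the original post): parse Cisco 'debug ip bgp'
state lines like the ones above and summarize how each peer's session formed.
SAMPLE_DEBUG is a constructed excerpt that copies the post's transition lines;
the line formats the regular expressions expect are assumed from that output.
"""
import re
from typing import Dict

TRANSITION_RE = re.compile(r"^BGP: (?P<peer>\S+) went from (?P<old>\w+) to (?P<new>\w+)$")
OPEN_FAILED_RE = re.compile(r"^BGP: (?P<peer>\S+) open failed: (?P<reason>.+?)(?:, open active delayed.*)?$")
PASSIVE_OPEN_RE = re.compile(r"^BGP: (?P<peer>\S+) passive open to \S+$")

SAMPLE_DEBUG = """\
BGP: 192.168.12.1 went from Established to Idle
BGP: 192.168.12.1 closing
BGP: 192.168.12.1 went from Idle to Active
BGP: 192.168.12.1 open active, local address 192.168.23.2
BGP: 192.168.12.1 open failed: Connection timed out; remote host not responding, open active delayed 290ms (850ms max, 87% jitter)
BGP: 192.168.12.1 open active, local address 192.168.23.2
BGP: 192.168.12.1 passive open to 192.168.23.2
BGP: 192.168.12.1 went from Active to Idle
BGP: 192.168.12.1 went from Idle to Connect
BGP: 192.168.12.1 went from Connect to OpenSent
BGP: 192.168.12.1 went from OpenSent to OpenConfirm
BGP: 192.168.12.1 went from OpenConfirm to Established
"""


def _peer(peers: Dict[str, dict], name: str) -> dict:
    """Return (creating if needed) the per-peer record."""
    return peers.setdefault(name, {"states": [], "open_failures": [], "passive_open": False})


def summarize_sessions(debug_text: str) -> Dict[str, dict]:
    """Per peer: ordered states, active-open failure reasons, passive-open flag,
    and a detection hint for a filter that drops only one direction."""
    peers: Dict[str, dict] = {}
    for raw in debug_text.splitlines():
        line = raw.strip()
        if (m := TRANSITION_RE.match(line)):
            p = _peer(peers, m["peer"])
            if not p["states"]:          # seed with the state we came from
                p["states"].append(m["old"])
            p["states"].append(m["new"])
        elif (m := OPEN_FAILED_RE.match(line)):
            _peer(peers, m["peer"])["open_failures"].append(m["reason"])
        elif (m := PASSIVE_OPEN_RE.match(line)):
            _peer(peers, m["peer"])["passive_open"] = True
    for p in peers.values():
        p["established"] = bool(p["states"]) and p["states"][-1] == "Established"
        # Our own active open timed out, yet the neighbor's inbound connection
        # completed: consistent with a filter in the path that drops one
        # direction only (the lab's ACL on R2 is exactly that case).
        p["one_way_filter_suspected"] = (bool(p["open_failures"])
                                         and p["passive_open"] and p["established"])
    return peers


if __name__ == "__main__":
    for peer, summary in summarize_sessions(SAMPLE_DEBUG).items():
        print(peer, summary)
```

Run over the post's own output, the summary shows the peer reaching Established only after its active open timed out and a passive open was accepted, which raises the one-way-filter flag; a peer that establishes on its first active open would not.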

Summary:

  • BGP neighbor formation can happen actively or passively, so if an ACL is used to permit BGP packets, both of the following entries must be added:
    access-list 101 permit tcp any eq bgp any
    access-list 101 permit tcp any any eq bgp
    Adding only one of them is incomplete
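To make the summary's point concrete, here is an added Python model (not from the original post) of a first-match extended ACL evaluated against the two ways a BGP TCP session can be opened through R2's inbound ACL. The addresses, ports and ACL lines mirror the lab; the evaluator is a simplification that matches on TCP ports only (no established or flag handling) and is an assumption of this example.

```python
"""
Added example (not from the original post): a minimal first-match model of the
extended ACL applied inbound on R2's E0/0, evaluated against the two directions
in which a BGP TCP session can be opened. Addresses, ports and ACL lines mirror
the lab; the evaluator is a simplification (TCP port matching only, no
'established' or flag handling) and is an assumption of this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

BGP_PORT = 179  # "eq bgp" in IOS ACL syntax


@dataclass(frozen=True)
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class AclEntry:
    action: str               # "permit" or "deny"
    src_port: Optional[int]   # None means "any"
    dst_port: Optional[int]   # None means "any"

    def matches(self, pkt: TcpPacket) -> bool:
        return ((self.src_port is None or pkt.sport == self.src_port)
                and (self.dst_port is None or pkt.dport == self.dst_port))


def evaluate(acl: List[AclEntry], pkt: TcpPacket) -> str:
    """First matching entry decides; an IOS ACL ends with an implicit deny."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"


# The lab ACL from the post (order preserved, 'log' keyword irrelevant here).
LAB_ACL = [
    AclEntry("deny", BGP_PORT, None),    # access-list 101 deny   tcp any eq bgp any
    AclEntry("permit", None, BGP_PORT),  # access-list 101 permit tcp any any eq bgp
]

# The corrected pair from the summary.
FIXED_ACL = [
    AclEntry("permit", BGP_PORT, None),  # access-list 101 permit tcp any eq bgp any
    AclEntry("permit", None, BGP_PORT),  # access-list 101 permit tcp any any eq bgp
]

# Either entry on its own, to show why a single line is incomplete.
ONLY_TO_179 = [AclEntry("permit", None, BGP_PORT)]
ONLY_FROM_179 = [AclEntry("permit", BGP_PORT, None)]

R1, R3 = "192.168.12.1", "192.168.23.2"

# Constructed packets as seen inbound on R2's E0/0 (the R1-facing interface),
# so both are sourced by R1. Port numbers are taken from the post's log lines.
# 1) R3 opened actively toward R1:179; this is R1's reply (source port 179).
R1_REPLY_TO_R3_OPEN = TcpPacket(R1, BGP_PORT, R3, 21607)
# 2) R1 opened actively from an ephemeral port toward R3:179.
R1_ACTIVE_OPEN = TcpPacket(R1, 62048, R3, BGP_PORT)


def session_outcomes(acl: List[AclEntry]) -> Dict[str, bool]:
    """Which side's active open can complete through this inbound ACL."""
    return {
        "r3_active_open_completes": evaluate(acl, R1_REPLY_TO_R3_OPEN) == "permit",
        "r1_active_open_completes": evaluate(acl, R1_ACTIVE_OPEN) == "permit",
    }


def acl_allows_both_directions(acl: List[AclEntry]) -> bool:
    """True only when neither side depends on the other to initiate."""
    return all(session_outcomes(acl).values())


if __name__ == "__main__":
    for name, acl in [("lab", LAB_ACL), ("fixed", FIXED_ACL),
                      ("only 'any any eq bgp'", ONLY_TO_179),
                      ("only 'any eq bgp any'", ONLY_FROM_179)]:
        print(f"{name:24s} {session_outcomes(acl)}")
```

With the lab ACL, only R1's active open completes, which is exactly what the debug output shows; either single permit entry leaves one side unable to initiate, so the session then depends on which router happens to open first.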
