BGP configuration between a Huawei firewall and a Cisco router


In this lab I will show how BGP is configured between a Cisco router and a Huawei USG6000 firewall.


First, the basic configuration of both devices: hostnames and IP addresses.

Huawei:

[USG6300]sysname huawei-USG
[huawei-USG]interface GigabitEthernet 1/0/1
[huawei-USG-GigabitEthernet1/0/1]ip address 192.168.1.1 24
[huawei-USG-GigabitEthernet1/0/1]interface loopback0
[huawei-USG-LoopBack0]ip address 1.1.1.1 24
[huawei-USG-LoopBack0]interface loopback10
[huawei-USG-LoopBack10]ip address 10.10.10.10 32

LoopBack10 carries a /32 host address, as the running configuration at the end of the page shows; it is the prefix the USG will advertise to the Cisco, so its mask must match the network 10.10.10.10 255.255.255.255 statement used under BGP.

Cisco:

Router>enable
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname cisco-R2
cisco-R2(config)#interface gigabitEthernet 0/0
cisco-R2(config-if)#ip address 192.168.1.2 255.255.255.0
cisco-R2(config-if)#no sh
cisco-R2(config-if)#interface loopback0
cisco-R2(config-if)#ip address 2.2.2.2 255.255.255.0
Because the BGP session will be sourced from the loopbacks, add a static host route on each device so that the other side's loopback is reachable over the 192.168.1.0/24 link:
[huawei-USG]ip route-static 2.2.2.2 255.255.255.255 192.168.1.2
cisco-R2(config)#ip route 1.1.1.1 255.255.255.255 192.168.1.1
Now establish the eBGP session between the loopback addresses. The loopbacks are not directly connected, so the session is sourced from LoopBack0 on each side and the hop limit is raised to 2 (ebgp-max-hop on Huawei, ebgp-multihop on Cisco).
[huawei-USG]bgp 100
[huawei-USG-bgp]peer 2.2.2.2 as-number 200
[huawei-USG-bgp]peer 2.2.2.2 ebgp-max-hop 2
[huawei-USG-bgp]peer 2.2.2.2 connect-interface LoopBack 0

On the USG, LoopBack10 is advertised with network 10.10.10.10 255.255.255.255 under ipv4-family unicast; this statement appears in the running configuration at the end of the page.

cisco-R2(config)#router bgp 200
cisco-R2(config-router)#no synchronization
cisco-R2(config-router)#bgp log-neighbor-changes
cisco-R2(config-router)#network 1.1.1.1 mask 255.255.255.255
cisco-R2(config-router)#neighbor 1.1.1.1 remote-as 100
cisco-R2(config-router)#neighbor 1.1.1.1 ebgp-multihop 2
cisco-R2(config-router)#neighbor 1.1.1.1 update-source loopback 0
On the Cisco side the neighbor is the Huawei loopback 1.1.1.1, not the router's own loopback 2.2.2.2 (the running configuration at the end of the page shows neighbor 1.1.1.1). Note that network 1.1.1.1 mask 255.255.255.255 injects the static route to the Huawei loopback into BGP, which is why 1.1.1.1/32 appears in the tables below as originated by AS 200. To advertise the Cisco's own Loopback0 you need a network statement that exactly matches a route in the routing table: Loopback0 is configured as 2.2.2.2/24, so a network 2.2.2.2 mask 255.255.255.255 statement matches nothing and is not advertised.
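The session as configured above has no authentication and no prefix filtering: each side accepts whatever the other advertises, and the Cisco is in fact announcing the Huawei's own loopback 1.1.1.1/32 back to it. The following is an added hardening example, not configuration from the original lab. It adds a TCP MD5 password on both ends, accepts only the peer's expected prefix inbound, announces only the local loopback outbound, and caps the number of prefixes accepted before the session is shut down. The password value, the prefix-list names, the limit of 10 prefixes and the choice to have the Cisco announce its Loopback0 network 2.2.2.0/24 (instead of the 1.1.1.1/32 static route) are assumptions made for the example; lines starting with `!` are annotations (valid as comments on Cisco IOS only, not commands on the USG).

```text
! --- Huawei USG (AS 100): added hardening, not part of the lab ---
! Accept only the Cisco loopback network; announce only LoopBack10.
[huawei-USG]ip ip-prefix FROM_CISCO index 10 permit 2.2.2.0 24
[huawei-USG]ip ip-prefix TO_CISCO index 10 permit 10.10.10.10 32
[huawei-USG]bgp 100
[huawei-USG-bgp]peer 2.2.2.2 password cipher Lab-MD5-Secret
[huawei-USG-bgp]ipv4-family unicast
[huawei-USG-bgp-af-ipv4]peer 2.2.2.2 ip-prefix FROM_CISCO import
[huawei-USG-bgp-af-ipv4]peer 2.2.2.2 ip-prefix TO_CISCO export
[huawei-USG-bgp-af-ipv4]peer 2.2.2.2 route-limit 10 idle-timeout 5

! --- Cisco (AS 200): same controls from the other side ---
cisco-R2(config)#ip prefix-list FROM_HUAWEI seq 10 permit 10.10.10.10/32
cisco-R2(config)#ip prefix-list TO_HUAWEI seq 10 permit 2.2.2.0/24
cisco-R2(config)#router bgp 200
! Stop re-announcing the Huawei loopback; announce Loopback0's own /24 instead
cisco-R2(config-router)#no network 1.1.1.1 mask 255.255.255.255
cisco-R2(config-router)#network 2.2.2.0 mask 255.255.255.0
cisco-R2(config-router)#neighbor 1.1.1.1 password Lab-MD5-Secret
cisco-R2(config-router)#neighbor 1.1.1.1 prefix-list FROM_HUAWEI in
cisco-R2(config-router)#neighbor 1.1.1.1 prefix-list TO_HUAWEI out
cisco-R2(config-router)#neighbor 1.1.1.1 maximum-prefix 10
```

The password must be identical on both ends; until it is, the TCP session will not form and the peer stays in Idle/Active. Both ip-prefix and prefix-list have an implicit deny at the end, so anything not listed is dropped at the session boundary. After applying, confirm with display bgp peer on the USG and show ip bgp summary on the Cisco that the peer returns to Established and that each side receives exactly one prefix.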
After entering this configuration the BGP session does not come up. On the USG, GigabitEthernet1/0/1 is not yet assigned to a security zone and no security policy permits the traffic, so the TCP port 179 segments between the loopbacks are dropped by the firewall and the peer stays in Idle:
[huawei-USG]display bgp peer
BGP local router ID : 192.168.1.1
Local AS number : 100
Total number of peers : 1                Peers in established state : 0
Peer            V          AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv
2.2.2.2         4         200        0        0     0 00:00:19        Idle       0
Assign the interface used for the peering to the untrust zone on the firewall:

[huawei-USG]firewall zone untrust
[huawei-USG-zone-untrust] set priority 5
[huawei-USG-zone-untrust] add interface GigabitEthernet1/0/1

Create a security policy on the USG so that the neighbor relationship can be established. The rule below has no match conditions at all, so it permits every interzone flow through the firewall; that is acceptable only in a lab.
[huawei-USG]security-policy
[huawei-USG-policy-security] rule name permit_any
[huawei-USG-policy-security-rule-permit_any]  action permit
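For a real deployment the permit_any rule should be replaced by one that allows only the BGP session itself: TCP port 179 between the two loopback addresses, in both directions between the firewall's own Local zone (where traffic to and from the USG's own addresses terminates) and untrust. The following is an added example, not the lab's configuration. The rule name, the use of the predefined local zone, and the `source-address <address> <mask-length>` and `service protocol tcp destination-port` forms of the USG6000 V5 security-policy commands are assumed here; check them against your software version with the ? help before applying.

```text
[huawei-USG]security-policy
[huawei-USG-policy-security]rule name permit_bgp_peer
[huawei-USG-policy-security-rule-permit_bgp_peer]description eBGP session to cisco-R2 only
[huawei-USG-policy-security-rule-permit_bgp_peer]source-zone local
[huawei-USG-policy-security-rule-permit_bgp_peer]source-zone untrust
[huawei-USG-policy-security-rule-permit_bgp_peer]destination-zone local
[huawei-USG-policy-security-rule-permit_bgp_peer]destination-zone untrust
[huawei-USG-policy-security-rule-permit_bgp_peer]source-address 1.1.1.1 32
[huawei-USG-policy-security-rule-permit_bgp_peer]source-address 2.2.2.2 32
[huawei-USG-policy-security-rule-permit_bgp_peer]destination-address 1.1.1.1 32
[huawei-USG-policy-security-rule-permit_bgp_peer]destination-address 2.2.2.2 32
[huawei-USG-policy-security-rule-permit_bgp_peer]service protocol tcp destination-port 179
[huawei-USG-policy-security-rule-permit_bgp_peer]action permit
[huawei-USG-policy-security-rule-permit_bgp_peer]quit
[huawei-USG-policy-security]undo rule name permit_any
[huawei-USG-policy-security]default action deny
```

Both zones are listed as source and destination because either BGP speaker may open the TCP connection, so the SYN can arrive from local or from untrust. The USG's default policy already denies traffic that matches no rule; the explicit default action deny line only makes that visible in the configuration. With the permit_any rule removed, nothing other than the peering can cross the untrust interface until further rules are added.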
After creating the policy, check BGP again:

<huawei-USG> display bgp peer
BGP local router ID : 192.168.1.1
Local AS number : 100
Total number of peers : 1                Peers in established state : 1
Peer            V          AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv
2.2.2.2         4         200        8        7     0 00:03:14 Established       1
cisco-R2# show ip bgp
BGP table version is 5, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network          Next Hop            Metric LocPrf Weight Path
*>  1.1.1.1/32       192.168.1.1              0         32768 i
*>  10.10.10.10/32   1.1.1.1                  0             0 100 i
The BGP neighbor relationship is now Established on both devices.
To see the AS-PATH, look at the BGP routing tables of both devices:
<huawei-USG>display bgp routing-table
BGP Local router ID is 192.168.1.1
Status codes: * - valid, > - best, d - damped,
h - history,  i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 2
Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
*>   1.1.1.1/32         2.2.2.2         0                     0      200i
*>   10.10.10.10/32     0.0.0.0         0                     0      i
cisco-R2>sh ip bgp summary
BGP router identifier 2.2.2.2, local AS number 200
BGP table version is 5, main routing table version 5
2 network entries using 296 bytes of memory
2 path entries using 128 bytes of memory
2/2 BGP path/bestpath attribute entries using 272 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 720 total bytes of memory
BGP activity 3/1 prefixes, 3/1 paths, scan interval 60 secs
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
1.1.1.1         4          100       9      12        5    0    0 00:06:17        1

Finally, the running configuration of both devices:
<huawei-USG> display current-configuration
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 192.168.1.1 255.255.255.0
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.0
 alias 0
#
interface LoopBack10
 ip address 10.10.10.10 255.255.255.255
 alias 1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1
#
bgp 100
 peer 2.2.2.2 as-number 200
 peer 2.2.2.2 ebgp-max-hop 2
 peer 2.2.2.2 connect-interface LoopBack0
 #
 ipv4-family unicast
  undo synchronization
  network 10.10.10.10 255.255.255.255
  peer 2.2.2.2 enable
#
ip route-static 2.2.2.2 255.255.255.255 192.168.1.2
#
security-policy
 rule name permit_any
  action permit
#
nat-policy
#
return
cisco-R2# show running-config
!
hostname cisco-R2
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface GigabitEthernet0/0
 ip address 192.168.1.2 255.255.255.0
!
router bgp 200
 bgp log-neighbor-changes
 network 1.1.1.1 mask 255.255.255.255
 network 2.2.2.2 mask 255.255.255.255
 neighbor 1.1.1.1 remote-as 100
 neighbor 1.1.1.1 ebgp-multihop 2
 neighbor 1.1.1.1 update-source Loopback0
!
ip route 1.1.1.1 255.255.255.255 192.168.1.1
!
end