如何使用 gshut 社区配置BGP优雅关闭
7846
Created On 07/02/20 23:10 PM - Last Modified 01/07/25 04:27 AM
Objective
- 当对等体正在重新加载时, BGP数据包/流量可能会在维护窗口期间被黑洞。
- 根据所通告的BGP路由/前缀的数量,中断的规模可能会造成破坏。
- 本文介绍了如何配置Palo Alto 以接受“gshut”社区,从而确保邻居的安全关闭。
Environment
- Palo Alto 防火墙
- 支持的 PAN OS
- BGP
- 知名的 gshut 社区
Procedure
The firewall can accept gshut community values from BGP speakers; it can then be configured to reconverge when it receives the well-known community.
- 验证BGP对等体是否正在发送“GSHUT”社区。
- 在下面的示例中,防火墙与路由器“BGP_AS100”对等。
- 该对等体“BGP_AS100”正在向防火墙(65535:0) 发送 GSHUT 社区,向防火墙发出信号,表示它正在关闭:
admin@PA-VM> show routing protocol bgp loc-rib-detail
VIRTUAL ROUTER: default (id 1)
==========
Prefix: 10.10.10.0/24 * <<====
Nexthop: 192.168.122.168
Received from: Peer BGP_AS100 (id 5)
Originator ID: 0.0.0.0
AS Path: 100
Origin: IGP
MED: 0
Local Preference: 100
Atomic aggregate: no
Aggregator AS: 0
Aggregator ID: 0.0.0.0
Weight: 0
Flap: value 0.00, count 0
Community: 65535:0 <<====
----------
Prefix: 10.10.10.0/24
Nexthop: 192.168.122.103
Originator ID: 0.0.0.0
AS Path: 200,100
Origin: IGP
MED: 0
Local Preference: 100
Atomic aggregate: no
Aggregator AS: 0
Aggregator ID: 0.0.0.0
Weight: 0
Flap: value 0.00, count 0
total routes shown: 2
- 配置防火墙,将其通过此社区接收的前缀的本地首选项设置为零:
GUI:网络 > 虚拟路由器 > BGP > 导入 > 添加:
- 提交配置更改。BGPBGP重新收敛:
admin@PA-VM> show routing protocol bgp loc-rib-detail
VIRTUAL ROUTER: default (id 1)
==========
----------
Prefix: 10.10.10.0/24
Nexthop: 192.168.122.168
Received from: Peer BGP_AS100 (id 5)
Originator ID: 0.0.0.0
AS Path: 100
Origin: N/A
MED: 0
Local Preference: 0
Atomic aggregate: no
Aggregator AS: 0
Aggregator ID: 0.0.0.0
Weight: 0
Flap: value 0.00, count 0
Community: 65535:0
----------
Prefix: 10.10.10.0/24 * <<====
Nexthop: 192.168.122.103
Originator ID: 0.0.0.0
AS Path: 200,100
Origin: IGP
MED: 0
Local Preference: 100
Atomic aggregate: no
Aggregator AS: 0
Aggregator ID: 0.0.0.0
Weight: 0
Flap: value 0.00, count 0
total routes shown: 2
- 重新收敛后,对等设备“ BGP_AS100”可以关闭进行维护,但不会中断BGP环境。
Additional Information
- 如果在维护期间防火墙关闭或重新加载,还可以将防火墙配置为使用导出规则将此社区值发送给其对等方。
- PAN-OS 以点符号显示 gshut 社区;其他供应商可能会按名称显示社区。以 Cisco IOS 上的输出为例:
Router#show bgp 10.10.10.10
BGP routing table entry for 10.10.10.0/24, version 2
Paths: (2 available, best #2, table default)
Advertised to update-groups:
5
Refresh Epoch 1
300 100
192.168.122.175 from 192.168.122.175 (1.1.1.1)
Origin IGP, localpref 100, valid, external
Community: gshut <<====
rx pathid: 0, tx pathid: 0
Refresh Epoch 1
100
192.168.122.168 from 192.168.122.168 (2.2.2.2)
Origin IGP, metric 0, localpref 100, valid, external, best
Community: gshut <<====
rx pathid: 0, tx pathid: 0x0