Establishing a BGP peer with Azure Route Server using Cisco CSR 1000v
So far I have run test after test with Azure Route Server and an NVA (really FRRouting on Ubuntu).
In real enterprise environments, though, products from Cisco, Juniper, Fortinet and the like are probably far more common.
So this time I'll use Cisco CSR 1000v to establish a BGP peer with Azure Route Server.
Deploying Cisco CSR 1000v
First, I'll prepare a Bicep file for the deployment.
To start, I walked through the Azure Portal as if deploying it as an Azure VM, stopped just before the final step, and displayed the ARM template.
Its contents are as follows.
It's long, so I'll fold it away.
{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "location": {
      "type": "string"
    },
    "networkInterfaceName": {
      "type": "string"
    },
    "enableAcceleratedNetworking": {
      "type": "bool"
    },
    "networkSecurityGroupName": {
      "type": "string"
    },
    "networkSecurityGroupRules": {
      "type": "array"
    },
    "subnetName": {
      "type": "string"
    },
    "virtualNetworkId": {
      "type": "string"
    },
    "publicIpAddressName": {
      "type": "string"
    },
    "publicIpAddressType": {
      "type": "string"
    },
    "publicIpAddressSku": {
      "type": "string"
    },
    "pipDeleteOption": {
      "type": "string"
    },
    "virtualMachineName": {
      "type": "string"
    },
    "virtualMachineComputerName": {
      "type": "string"
    },
    "virtualMachineRG": {
      "type": "string"
    },
    "osDiskType": {
      "type": "string"
    },
    "osDiskDeleteOption": {
      "type": "string"
    },
    "virtualMachineSize": {
      "type": "string"
    },
    "nicDeleteOption": {
      "type": "string"
    },
    "adminUsername": {
      "type": "string"
    },
    "adminPublicKey": {
      "type": "secureString"
    },
    "autoShutdownStatus": {
      "type": "string"
    },
    "autoShutdownTime": {
      "type": "string"
    },
    "autoShutdownTimeZone": {
      "type": "string"
    },
    "autoShutdownNotificationStatus": {
      "type": "string"
    },
    "autoShutdownNotificationLocale": {
      "type": "string"
    }
  },
  "variables": {
    "nsgId": "[resourceId(resourceGroup().name, 'Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroupName'))]",
    "vnetId": "[parameters('virtualNetworkId')]",
    "vnetName": "[last(split(variables('vnetId'), '/'))]",
    "subnetRef": "[concat(variables('vnetId'), '/subnets/', parameters('subnetName'))]"
  },
  "resources": [
    {
      "name": "[parameters('networkInterfaceName')]",
      "type": "Microsoft.Network/networkInterfaces",
      "apiVersion": "2021-08-01",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[concat('Microsoft.Network/networkSecurityGroups/', parameters('networkSecurityGroupName'))]",
        "[concat('Microsoft.Network/publicIpAddresses/', parameters('publicIpAddressName'))]"
      ],
      "properties": {
        "ipConfigurations": [
          {
            "name": "ipconfig1",
            "properties": {
              "subnet": {
                "id": "[variables('subnetRef')]"
              },
              "privateIPAllocationMethod": "Dynamic",
              "publicIpAddress": {
                "id": "[resourceId(resourceGroup().name, 'Microsoft.Network/publicIpAddresses', parameters('publicIpAddressName'))]",
                "properties": {
                  "deleteOption": "[parameters('pipDeleteOption')]"
                }
              }
            }
          }
        ],
        "enableAcceleratedNetworking": "[parameters('enableAcceleratedNetworking')]",
        "networkSecurityGroup": {
          "id": "[variables('nsgId')]"
        }
      }
    },
    {
      "name": "[parameters('networkSecurityGroupName')]",
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2019-02-01",
      "location": "[parameters('location')]",
      "properties": {
        "securityRules": "[parameters('networkSecurityGroupRules')]"
      }
    },
    {
      "name": "[parameters('publicIpAddressName')]",
      "type": "Microsoft.Network/publicIpAddresses",
      "apiVersion": "2020-08-01",
      "location": "[parameters('location')]",
      "properties": {
        "publicIpAllocationMethod": "[parameters('publicIpAddressType')]"
      },
      "sku": {
        "name": "[parameters('publicIpAddressSku')]"
      }
    },
    {
      "name": "[parameters('virtualMachineName')]",
      "type": "Microsoft.Compute/virtualMachines",
      "apiVersion": "2022-03-01",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[concat('Microsoft.Network/networkInterfaces/', parameters('networkInterfaceName'))]"
      ],
      "properties": {
        "hardwareProfile": {
          "vmSize": "[parameters('virtualMachineSize')]"
        },
        "storageProfile": {
          "osDisk": {
            "createOption": "fromImage",
            "managedDisk": {
              "storageAccountType": "[parameters('osDiskType')]"
            },
            "deleteOption": "[parameters('osDiskDeleteOption')]"
          },
          "imageReference": {
            "publisher": "cisco",
            "offer": "cisco-csr-1000v",
            "sku": "17_2_1-byol",
            "version": "latest"
          }
        },
        "networkProfile": {
          "networkInterfaces": [
            {
              "id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaceName'))]",
              "properties": {
                "deleteOption": "[parameters('nicDeleteOption')]"
              }
            }
          ]
        },
        "osProfile": {
          "computerName": "[parameters('virtualMachineComputerName')]",
          "adminUsername": "[parameters('adminUsername')]",
          "linuxConfiguration": {
            "disablePasswordAuthentication": true,
            "ssh": {
              "publicKeys": [
                {
                  "path": "[concat('/home/', parameters('adminUsername'), '/.ssh/authorized_keys')]",
                  "keyData": "[parameters('adminPublicKey')]"
                }
              ]
            }
          }
        },
        "diagnosticsProfile": {
          "bootDiagnostics": {
            "enabled": true
          }
        }
      },
      "plan": {
        "name": "17_2_1-byol",
        "publisher": "cisco",
        "product": "cisco-csr-1000v"
      }
    },
    {
      "name": "[concat('shutdown-computevm-', parameters('virtualMachineName'))]",
      "type": "Microsoft.DevTestLab/schedules",
      "apiVersion": "2018-09-15",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[concat('Microsoft.Compute/virtualMachines/', parameters('virtualMachineName'))]"
      ],
      "properties": {
        "status": "[parameters('autoShutdownStatus')]",
        "taskType": "ComputeVmShutdownTask",
        "dailyRecurrence": {
          "time": "[parameters('autoShutdownTime')]"
        },
        "timeZoneId": "[parameters('autoShutdownTimeZone')]",
        "targetResourceId": "[resourceId('Microsoft.Compute/virtualMachines', parameters('virtualMachineName'))]",
        "notificationSettings": {
          "status": "[parameters('autoShutdownNotificationStatus')]",
          "notificationLocale": "[parameters('autoShutdownNotificationLocale')]",
          "timeInMinutes": "30"
        }
      }
    }
  ],
  "outputs": {
    "adminUsername": {
      "type": "string",
      "value": "[parameters('adminUsername')]"
    }
  }
}
Broadly it felt not much different from creating a Linux Azure VM, so I used it as a reference while writing a Bicep file to serve as a library module.
Compared with the Ubuntu Server file, the distinctive points are that properties > storageProfile > imageReference is replaced with the values for this image, and that a plan block sits alongside properties.
For the contents of imageReference, one option is to pick them up from the ARM template shown above; another is to run az vm image list --publisher cisco --offer cisco-csr-1000v --all --output table in the Azure CLI and choose from the resulting list.
The Bicep file I created is on GitHub.
So, on to deploying, I thought, but since this was my first time creating this image I got an error saying, roughly, that I had not accepted the legal terms.
You have not accepted the legal terms on this subscription: 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' for this plan. Before the subscription can be used, you need to accept the legal terms of the image. To read and accept legal terms, use the Azure CLI commands described at https://go.microsoft.com/fwlink/?linkid=2110637 or the PowerShell commands available at https://go.microsoft.com/fwlink/?linkid=862451. Alternatively, deploying via the Azure portal provides a UI experience for reading and accepting the legal terms. Offer details: publisher='cisco' offer = 'cisco-csr-1000v', sku = '17_2_1-byol', Correlation Id: 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'.
I could accept them from the Azure Portal, but since I'm here anyway, I'll do it with the Azure CLI.
az vm image terms accept --publisher cisco --offer cisco-csr-1000v --plan 17_2_1-byol
The result comes back looking like this.
There is a lot in it, but since it says "accepted": true, I'll take it that the terms were accepted and move on.
{
  "accepted": true,
  "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/Microsoft.MarketplaceOrdering/offerTypes/Microsoft.MarketplaceOrdering/offertypes/publishers/cisco/offers/cisco-csr-1000v/plans/17_2_1-byol/agreements/current",
  "licenseTextLink": "https://mpcprodsa.blob.core.windows.net/legalterms/3E5ED_legalterms_CISCO%253a24CISCO%253a2DCSR%253a2D1000V%253a2417%253a5F2%253a5F1%253a2DBYOL%253a2477U6PNHCGQDDCTQQH4O5ORD4JNNMDI4KUNCXIWWEOQNAAWCLDHMSJ5TLU3M3P4OSOTTPRU2XUSYWPQJ3YQ5BIQKGDSJSI5AQTNYK55Q.txt",
  "marketplaceTermsLink": "https://mpcprodsa.blob.core.windows.net/marketplaceterms/3EDEF_marketplaceterms_VIRTUALMACHINE%253a24AAK2OAIZEAWW5H4MSP5KSTVB6NDKKRTUBAU23BRFTWN4YC2MQLJUB5ZEYUOUJBVF3YK34CIVPZL2HWYASPGDUY5O2FWEGRBYOXWZE5Y.txt",
  "name": "17_2_1-byol",
  "plan": "17_2_1-byol",
  "privacyPolicyLink": "http://www.cisco.com/web/siteassets/legal/privacy.html",
  "product": "cisco-csr-1000v",
  "publisher": "cisco",
  "retrieveDatetime": "2023-05-16T13:27:13.6256702Z",
  "signature": "<snip>",
  "systemData": {
    "createdAt": "2023-05-16T13:27:18.181496+00:00",
    "createdBy": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "createdByType": "ManagedIdentity",
    "lastModifiedAt": "2023-05-16T13:27:18.181496+00:00",
    "lastModifiedBy": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "lastModifiedByType": "ManagedIdentity"
  },
  "type": "Microsoft.MarketplaceOrdering/offertypes"
}
With that done, the deployment finally goes through.
Since the goal this time is a BGP peer with Azure Route Server, deploy one of those as well while you're at it.
Checking that Cisco CSR 1000v works
First, log in over SSH to the freshly deployed instance and have a look around.
With some parts omitted, sh run and sh ip route look like this.
The interface VirtualPortGroup0 caught my eye; I'll look into it some day.
sh run
vm-nva100#show run
Building configuration...
Current configuration : 4814 bytes
!
! Last configuration change at 13:34:51 UTC Tue May 16 2023
!
version 17.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
! Call-home is enabled by Smart-Licensing.
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform console serial
!
hostname vm-nva100
!
boot-start-marker
boot-end-marker
!
!
vrf definition GS
 rd 100:100
 !
 address-family ipv4
 exit-address-family
!
logging persistent size 1000000 filesize 8192 immediate
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local none
!
!
!
!
!
!
aaa session-id common
!
!
!
!
!
!
!
ip domain name vm-nva100.cloudapp.net
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint SLA-TrustPoint
 enrollment pkcs12
 revocation-check crl
!
!
crypto pki certificate chain SLA-TrustPoint
 certificate ca 01
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XX
  quit
!
license udi pid CSR1000V sn XXXXXXXXXXX
diagnostic bootup level minimal
memory free low-watermark processor 71873
!
!
spanning-tree extend system-id
!
username ikko privilege 15
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface VirtualPortGroup0
 vrf forwarding GS
 ip address 192.168.x.x 255.255.255.0
 ip nat inside
 no mop enabled
 no mop sysid
!
interface GigabitEthernet1
 ip address dhcp
 ip nat outside
 negotiation auto
 no mop enabled
 no mop sysid
!
iox
ip forward-protocol nd
ip tcp window-size 8192
ip http server
ip http secure-server
!
ip nat inside source list GS_NAT_ACL interface GigabitEthernet1 vrf GS overload
ip route 0.0.0.0 0.0.0.0 10.100.0.1
ip route vrf GS 0.0.0.0 0.0.0.0 GigabitEthernet1 10.100.0.1 global
ip ssh rsa keypair-name sshkeys
ip ssh pubkey-chain
  username ikko
   key-hash ssh-rsa XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
ip ssh server algorithm publickey ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-rsa x509v3-ecdsa-sha2-nistp256 x509v3-ecdsa-sha2-nistp384 x509v3-ecdsa-sha2-nistp521
ip scp server enable
!
ip access-list standard GS_NAT_ACL
 10 permit 192.168.x.0 0.0.0.255
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 transport input ssh
line vty 5 20
 transport input ssh
!
call-home
 ! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
 ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
 contact-email-addr sch-smart-licensing@cisco.com
 profile "CiscoTAC-1"
  active
  destination transport-method http
!
!
!
!
!
app-hosting appid guestshell
 app-vnic gateway1 virtualportgroup 0 guest-interface 0
  guest-ipaddress 192.168.x.x netmask 255.255.255.0
 app-default-gateway 192.168.x.x guest-interface 0
 name-server0 8.8.8.8
end
sh ip route
vm-nva100#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 10.100.0.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.100.0.1
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.100.0.0/24 is directly connected, GigabitEthernet1
L 10.100.0.10/32 is directly connected, GigabitEthernet1
168.63.0.0/32 is subnetted, 1 subnets
S 168.63.129.16 [254/0] via 10.100.0.1
169.254.0.0/32 is subnetted, 1 subnets
S 169.254.169.254 [254/0] via 10.100.0.1
Configuring Cisco CSR 1000v
So, on to entering the BGP configuration.
It basically follows the article referenced below, with a few small differences between FRRouting and Cisco.
The config to add is as follows.
It is probably better to enter it in this order: define the ip as-path access-list entries first, then the route-map entries, and only then the neighbor statements.
!
router bgp 65001
 bgp log-neighbor-changes
 neighbor 10.100.210.4 remote-as 65515
 neighbor 10.100.210.4 ebgp-multihop 255
 neighbor 10.100.210.5 remote-as 65515
 neighbor 10.100.210.5 ebgp-multihop 255
 !
 address-family ipv4
  neighbor 10.100.210.4 activate
  neighbor 10.100.210.4 soft-reconfiguration inbound
  neighbor 10.100.210.4 route-map rmap-bogon-asns in
  neighbor 10.100.210.4 route-map rmap-azure-asns out
  neighbor 10.100.210.5 activate
  neighbor 10.100.210.5 soft-reconfiguration inbound
  neighbor 10.100.210.5 route-map rmap-bogon-asns in
  neighbor 10.100.210.5 route-map rmap-azure-asns out
 exit-address-family
!
ip as-path access-list 1 permit _65515_
ip as-path access-list 2 permit _0_
ip as-path access-list 2 permit _23456_
ip as-path access-list 2 permit _1310[0-6][0-9]_|_13107[0-1]_
ip as-path access-list 2 deny _65515_
ip as-path access-list 2 permit ^65
ip route 10.100.210.0 255.255.255.0 10.100.0.1
!
route-map rmap-bogon-asns deny 5
 match as-path 2
!
route-map rmap-bogon-asns permit 10
!
route-map rmap-azure-asns deny 5
 match as-path 1
!
route-map rmap-azure-asns permit 10
!
end
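To see exactly which AS paths the two route-maps above let through, here is an added Python simulation of how IOS evaluates as-path access-lists and route-maps; it is example code written for this note, not from the article or from Cisco, and the sample AS paths are constructed. It goes beyond the config itself by modelling Cisco's `_` boundary token and first-match ordering in general, which is also why `deny _65515_` has to precede `permit ^65`.

```python
import re
from dataclasses import dataclass, field

# Cisco's `_` is not a literal underscore: it matches the start or end of the
# AS path, a space, a comma, or a brace/parenthesis (AS_SET / confed delimiters).
_CISCO_UNDERSCORE = r"(?:^|$|[ ,(){}])"

def cisco_regex_to_python(expr: str) -> re.Pattern:
    """Translate an IOS as-path regex into a compiled Python regex."""
    return re.compile(expr.replace("_", _CISCO_UNDERSCORE))

@dataclass
class AsPathAcl:
    """`ip as-path access-list N`: ordered (action, regex) entries, first match wins."""
    entries: list = field(default_factory=list)

    def add(self, action: str, expr: str) -> "AsPathAcl":
        self.entries.append((action, cisco_regex_to_python(expr)))
        return self

    def permits(self, as_path: str) -> bool:
        for action, pattern in self.entries:
            if pattern.search(as_path):
                return action == "permit"
        return False  # implicit deny when no entry matches

def apply_route_map(clauses, acls, as_path: str) -> bool:
    """Walk (action, acl_or_None) clauses in sequence order; True = route kept.
    A clause with no match statement matches everything; a `deny` clause whose
    as-path ACL permits the path drops it; falling off the end is an implicit deny."""
    for action, acl_no in clauses:
        matched = True if acl_no is None else acls[acl_no].permits(as_path)
        if matched:
            return action == "permit"
    return False

# ip as-path access-list 1 / 2, copied from the config above
ACLS = {
    1: AsPathAcl().add("permit", "_65515_"),
    2: (AsPathAcl()
        .add("permit", "_0_")
        .add("permit", "_23456_")
        .add("permit", "_1310[0-6][0-9]_|_13107[0-1]_")
        .add("deny", "_65515_")  # must precede `permit ^65`, or 65515 paths are dropped
        .add("permit", "^65")),
}
# route-map rmap-bogon-asns (applied in) and rmap-azure-asns (applied out)
RMAP_BOGON_IN = [("deny", 2), ("permit", None)]
RMAP_AZURE_OUT = [("deny", 1), ("permit", None)]

def accepted_inbound(as_path: str) -> bool:
    return apply_route_map(RMAP_BOGON_IN, ACLS, as_path)

def advertised_outbound(as_path: str) -> bool:
    return apply_route_map(RMAP_AZURE_OUT, ACLS, as_path)

if __name__ == "__main__":
    # Constructed sample paths, space-separated as IOS prints them ("" = locally originated)
    for path in ["65515", "65515 65020", "65100", "64600", "6500", "23456", "131050", "0"]:
        print(f"in  {path or '<empty>':>12}: {'accept' if accepted_inbound(path) else 'drop'}")
    for path in ["", "65020", "65515"]:
        print(f"out {path or '<empty>':>12}: {'advertise' if advertised_outbound(path) else 'filter'}")
```

Running it shows that `^65` drops paths starting with 65000-65535 and with public-range ASNs such as 6500, but lets 64512-64999 through (the 64600 case), so check that the list matches the range you actually intend to filter.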
Taking a diff of the running config before and after gives the following.
diff
$ diff -u before.txt after.txt
--- before.txt 2023-05-16 23:47:29.571995712 +0900
+++ after.txt 2023-05-16 23:47:47.468653373 +0900
@@ -1,9 +1,9 @@
vm-nva100#show run
Building configuration...
-Current configuration : 4814 bytes
+Current configuration : 5941 bytes
!
-! Last configuration change at 13:34:51 UTC Tue May 16 2023
+! Last configuration change at 13:55:12 UTC Tue May 16 2023 by ikko
!
version 17.2
service timestamps debug datetime msec
@@ -167,14 +167,39 @@
no mop enabled
no mop sysid
!
+router bgp 65001
+ bgp log-neighbor-changes
+ neighbor 10.100.210.4 remote-as 65515
+ neighbor 10.100.210.4 ebgp-multihop 255
+ neighbor 10.100.210.5 remote-as 65515
+ neighbor 10.100.210.5 ebgp-multihop 255
+ !
+ address-family ipv4
+ neighbor 10.100.210.4 activate
+ neighbor 10.100.210.4 soft-reconfiguration inbound
+ neighbor 10.100.210.4 route-map rmap-bogon-asns in
+ neighbor 10.100.210.4 route-map rmap-azure-asns out
+ neighbor 10.100.210.5 activate
+ neighbor 10.100.210.5 soft-reconfiguration inbound
+ neighbor 10.100.210.5 route-map rmap-bogon-asns in
+ neighbor 10.100.210.5 route-map rmap-azure-asns out
+ exit-address-family
+!
iox
ip forward-protocol nd
ip tcp window-size 8192
ip http server
ip http secure-server
!
+ip as-path access-list 1 permit _65515_
+ip as-path access-list 2 permit _0_
+ip as-path access-list 2 permit _23456_
+ip as-path access-list 2 permit _1310[0-6][0-9]_|_13107[0-1]_
+ip as-path access-list 2 deny _65515_
+ip as-path access-list 2 permit ^65
ip nat inside source list GS_NAT_ACL interface GigabitEthernet1 vrf GS overload
ip route 0.0.0.0 0.0.0.0 10.100.0.1
+ip route 10.100.210.0 255.255.255.0 10.100.0.1
ip route vrf GS 0.0.0.0 0.0.0.0 GigabitEthernet1 10.100.0.1 global
ip ssh rsa keypair-name sshkeys
ip ssh pubkey-chain
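Review bot: `ip as-path access-list 2 permit ^65` is unbounded, so it matches any AS path whose first ASN begins with the digits 65; public-range ASNs such as 6500-6599 are therefore treated as bogons, while the lower half of the private range, 64512-64999, is not caught at all. If the intent is to drop the private 16-bit range, replace it with an expression bounded to 64512-65534. Keep `deny _65515_` ahead of it as it is now: as-path lists are evaluated first-match, and the Route Server's own paths start with 65515.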
@@ -189,6 +214,16 @@
!
!
!
+route-map rmap-bogon-asns deny 5
+ match as-path 2
+!
+route-map rmap-bogon-asns permit 10
+!
+route-map rmap-azure-asns deny 5
+ match as-path 1
+!
+route-map rmap-azure-asns permit 10
+!
!
!
!
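Review bot: both `permit 10` clauses have no match statement and so act as catch-alls; in particular `route-map rmap-azure-asns permit 10` will advertise to the Route Server every prefix in the BGP table whose path does not contain 65515, including anything later injected with `network` or redistribution. If only specific prefixes should leave this NVA, add a `match ip address prefix-list` to that clause.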
Checking BGP operation
I'll assume the peer configuration on the Azure Route Server side is already done.
If so, the neighbors should come up as soon as the config above is entered, so let's check a few things.
show ip bgp sum
If a time is shown in the Up/Down column, the session is established and all is well.
vm-nva100#show ip bgp sum
BGP router identifier 10.100.0.10, local AS number 65001
BGP table version is 2, main routing table version 2
1 network entries using 248 bytes of memory
2 path entries using 272 bytes of memory
1/1 BGP path/bestpath attribute entries using 288 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 832 total bytes of memory
BGP activity 1/0 prefixes, 2/0 paths, scan interval 60 secs
1 networks peaked at 13:48:30 May 16 2023 UTC (01:08:35.683 ago)
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.100.210.4 4 65515 81 80 2 0 0 01:08:35 1
10.100.210.5 4 65515 80 80 2 0 0 01:08:29 1
show ip bgp nei 10.100.210.4 received-routes
The address space of the whole VNet should be being advertised to us.
vm-nva100#show ip bgp nei 10.100.210.4 received-routes
BGP table version is 2, local router ID is 10.100.0.10
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
t secondary path, L long-lived-stale,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*> 10.100.0.0/16 10.100.210.4 0 65515 i
Total number of prefixes 1
show ip bgp nei 10.100.210.4 advertised-routes
Without the outbound route-map applied, something might be advertised here.
vm-nva100#show ip bgp nei 10.100.210.4 advertised-routes
Total number of prefixes 0
show ip route
If a route is shown with B at the start of the line, it was received over BGP, which is what we expect.
vm-nva100#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 10.100.0.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.100.0.1
10.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
B 10.100.0.0/16 [20/0] via 10.100.210.4, 01:09:08
C 10.100.0.0/24 is directly connected, GigabitEthernet1
L 10.100.0.10/32 is directly connected, GigabitEthernet1
S 10.100.210.0/24 [1/0] via 10.100.0.1
168.63.0.0/32 is subnetted, 1 subnets
S 168.63.129.16 [254/0] via 10.100.0.1
169.254.0.0/32 is subnetted, 1 subnets
S 169.254.169.254 [254/0] via 10.100.0.1
show ip bgp
At this point the only route BGP is handling should be the address space of the whole VNet.
vm-nva100#show ip bgp
BGP table version is 2, local router ID is 10.100.0.10
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
t secondary path, L long-lived-stale,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
* 10.100.0.0/16 10.100.210.5 0 65515 i
*> 10.100.210.4 0 65515 i
Summary
So I was able to establish a BGP peer with Azure Route Server using Cisco CSR 1000v.
From here on I plan to switch some of what I have been verifying with FRRouting over to Cisco CSR 1000v.
References
- BGP - ip as-path access-list and regular expressions explained (BGP - ip as-path access-listと正規表現の解説)
- Establishing a BGP peer between Azure Route Server and FRRouting (Azure Route Server と FRRouting の間で BGP ピアを張る)
- I tried running Cisco CSR 1000V on Microsoft Azure! (Microsoft Azure上でCisco CSR 1000Vを動かしてみた!)
- Cisco CSR 1000v Deployment Guide for Microsoft Azure
- Cisco Cloud Services Router 1000v Data Sheet