分享

实战ASR9922

目 录
项目背景 2
神器的长相： 3
引擎： 4
网络拓扑 5
基础篇 5
板卡的顺序 5
不支持MPLS？ 6
如何升级补丁SMU？ 7
静态路由条目数量有限制吗？ 7
有路由，traceroute为什么没有下一跳？ 8
格式害死人！ 8
MTU让你感到的痛苦！ 9
NETFLOW 9
时间策略的脚本样本 10
控制远程访问 12
事后监督 12
进阶篇 12
演示拓扑 12
演示配置 12
路由说明 19
路由分析 22
ASR常用命令 23
实际配置 26

项目背景
某运营商互联网通过前期工程的建设，网络覆盖全省若干个地市，主要承载拨号接入、宽带接入（XDSL、LAN等）、专线接入、MPLS VPN、IDC等互联网业务。
随着“助推社会信息化、做精互联网服务”的总体发展思路实施，近年来互联网业务迅速发展，用户数量快速增加。原来的省干核心已经不能承担日益增长的业务需求，同时地市城域网核心BR的Ge 链路及POS链路全都改成双10G上联到省干核心CR路由器。
笔者有幸作为项目技术负责人，参与了国内第一台思科ASR9922的实施，负责替换国内某厂商的省干核心路由器。
需要说明的是作者的本意不是想写成产品手册，也不是操作指南，所以不会涉及系统的设备配置（系统配置可以参看www.cisco.com），作者主要从项目中遇到的问题，感觉应该特别说明的方面加以阐述和分析，希望对再做类似项目的同行有所帮助。

神器的长相：

引擎：

网络拓扑

基础篇
板卡的顺序
考虑到多机箱结构，思科ASR9922的板卡命名: 0/1/2/3
0：机箱号
1：板卡号
2：子卡号
3：端口号
机箱上面一排接口卡从左到右分别是包板卡0-9，机箱下面一排从左到右分别是包板卡10-19，需要注意的是10-19卡的端口号是从下往上的顺序，看看下图就明白了。
引擎在机箱的中部的左右两边，交换矩阵也在机箱中部共可插7块.

不支持MPLS？
是的，缺省不支持ＭＰＬＳ，这也是ASR跟IOS的区别之一，从软件上看不需要的功能模块就可以不装，如果需要的话，需要安装相应的功能模块。比如对MPLS的支持，我装的是disk0:asr9k-mpls-px-4.2.3 ，当然路由模块是必须的：disk0:asr9k-mini-px-4.2.3
下面是国内第一台IOS-XR软件构成：

RP/0/RP0/CPU0:(admin)#sh install active summ
Default Profile:
SDRs:
Owner
Active Packages:
disk0:asr9k-px-4.2.3.CSCud29892-1.0.0
disk0:asr9k-px-4.2.3.CSCuc84257-1.0.0
disk0:asr9k-px-4.2.3.CSCuc59492-1.0.0
disk0:asr9k-mini-px-4.2.3
disk0:asr9k-mpls-px-4.2.3
disk0:asr9k-px-4.2.3.CSCud07536-1.0.0
disk0:asr9k-px-4.2.3.CSCuc47831-1.0.0
disk0:asr9k-fpd-px-4.2.3
如何升级补丁SMU？
需要在admin模式下执行的命令：
1. 检查文件系统和磁盘空间
router(admin)#cfs check
showfilesystem | in “Free|disk0:”
升级4.2.3至少要700m空余空间
下载到cisco网站下载大版本号的IOS XR，解包得到pie；
RP/0/RSP0/CPU0:router(admin)#
2. 把pie添加到设备
Install add source tftp://61.236.127.11 asr9k-mini-p.pie-4.2.3 asr9k-mpls-p.pie-4.2.3 sync
激活pie
3. install activate disk0:*4.2.3* sync
此步骤完成后，ASR9010会重启
4. 安装确认
install commit
5. 检查Firmware是否需要升级：（最后一项是yes的要升级）
Show hw-module fpd location all
6. 升级Firmware的命令（要安装asr9k-upgrade-p.pie-4.2.3）：
upgradehw-module fpd alllocation all
需要重启，可以和SMU一起重启
7. 升级SMU
Install-add-source-tftp://61.236.127.11asr9k-p-4.2.3.CSCuc84257.pie asr9k-p-4.2.3.CSCud07536.pie asr9k-p-4.2.3.CSCud29892.pie sync
8. 激活升级包
install activate disk0:*4.2.3* sync
此步会重启
9. 升级确认（必须）
install commit
10.升级验证
show install active summary

静态路由条目数量有限制吗？
有！
静态路由超过3000条console上会提醒出错，好在有改正的方法，在静态路由设置下：
maximum path ipv4 100000
最大静态路由数量为15万条
有路由，traceroute为什么没有下一跳？
一般出现这样的情况原因是下一跳设备是防火墙，但是在我这个项目中，没有防火墙，ASR9922接到NE80E再连接到地市BR，在ASR9922上显示有路由，trace却下一跳都不可达！！！
中间的绞尽脑汁的过程就不说了，由于省内都启用ＭＰＬＳ标签交换，最后发现ＮＥ８０Ｅ（ME60支持的标签转发数量更少）上居然是部分路由没有标签转发表，最后ＨＷ的解释是他们家的设备标签转发表满引起，清除标签转发表暂时解决问题，由于很快ＮＥ８０Ｅ就要换掉，所以客户也没有继续追究。
命令：
DSABR1#trace
PTBR1#traceroute X.X.X.X

Type escape sequence to abort.
Tracing the route to X..X.X.X

1 * * *
2 * * *
3 * * *
格式害死人！
ASR系列采用IOS-XR软件，命令格式跟IOS有所不同，在编写BGP相关属性的时候尤其要注意，举例如下：
as-path-set 110
ios-regex ‘_1394$’,
ios-regex ‘^1394_65235$’,
ios-regex ‘^1394_9531$’
end-set

ommunity-set Test
1394:135,
9394:137
end-set

route-policy TEST
if destination in BGP-PERMIT then
pass
elseif destination in BGP-DENY then
drop
endif
end-policy

详细格式可参看本文附加的配置案例
MTU让你感到的痛苦！
正如我在黑龙江联通做的时候一样，新的ＡＳＲ设备上线后，有些业务正常，有些业务不正常，这取决于不同应用软件对延时的敏感性。

OSI 第三层网络层协议的包头是在第二层帧头之上的，也就是说在封装二层帧头的时候，是将数据内容和三层包头全部作为数据封装在里面的，对于二层来说，之前的数据最大是多少，就是由MTU来决定的，所以正常情况下MTU就是第三层数据和包头的最大尺寸，这时无需分段就能传输，如果比MTU大，就得分段后传输。

MPLS 的标签是在二层帧头之后的，所以二层帧头将标签的大小和三层包的内容累加到一起作为数据封装的，因为三层包的所有内容正好和MTU 一样大，在此基础上加上MPLS标签的话，就肯定比额定的MTU要大，所以这时MPLS的标签数据是会被分段后传输的，如果不想被分段，就得更新MTU 的大小

在有MPLS的网络环境下，MTU需要特别的设置，所有IPv4地址有一个甚至多个对应的标签，但这并不意味你可以随意加几个字节，由于标签占用4字节，所以在mpls的网络中增加的包数量是4乘以N的整数倍。本项目目前最多是2层标签，所以最低加8个字节，即1508。

由于不同的应用软件对包大小有不同的要求，适合的MTU值使得应用效率最好，而不适当的MTU值可能造成业务的不稳定现象，甚至完全中断。对网络维护的工程师来说，要知道确切的软件需求MTU值就需要跟软件开放商联系确定。

ASR9922的MTU缺省值是1514，对IEEE 802.1Q的数据包建议值为1518，对QinQ的数据包MTU建议值为1522

NETFLOW
基本步骤：
1. 创建一个exporter map
2. 创建一个monitor map
3. 创建一个sampler map
4. 在接口里调用monitor map和sampler map
下面是实例：
flow exporter-map FEM1
version v9
options interface-table
template data timeout 600
!
dscp 10
transport udp 50040
source Loopback0
destination 21.1.1.1
!
flow monitor-map FMM1
record ipv4
exporter FEM1
cache entries 10000
cache timeout active 5
cache timeout inactive 5
!
sampler-map FSM1
random 1 out-of 5000
!
interface TenGigE0/0/1/1
ipv4 address 22.9.9.1 255.255.255.252
flow ipv4 monitor FMM1 sampler FSM1 ingress
时间策略的脚本样本
时间策略的脚本是招人对ASR最鄙视的一点，时间策略的控制会相当的麻烦：
基本的思路是先把命令写成不同文件存在设备的某个存储设备中，在不同时间会对不同脚本文件进行调用执行，下面是定义一个在时间段00:00-08:00执行的命令实例：

在ASR9K上输入：
aaa authorization eventmanager default local
event manager environment _cron_entry1 00 00 * * *
event manager environment _cron_entry2 00 08 * * *
event manager directory user policy disk0:
event manager policy acl-1.tcl username CISCO persist-time 28800 type user
event manager policy acl-2.tcl username CISCO persist-time 57600 type user

下面是需要上传到设备DISK0的两个文件：
acl-1.tcl
::cisco::eem::event_register_timer cron name crontimer1 cron_entry $_cron_entry1
#::cisco::eem::event_register_none
namespace import ::cisco::eem::*
namespace import ::cisco::lib::*
if {[catch {cli_open} result]} {
action_syslog priority info msg “CLI Open Failed: $result”
exit
}
set t_acl “ipv4 access-list TEST
10 permit ipv4 222.72.74.0/24 183.61.190.0/24 nexthop1 ipv4 21.198.0.60
20 permit ipv4 122.172.74.0/24 211.151.181.0/24 nexthop1 ipv4 21.198.0.60
!”
array set cli1 $result
action_syslog priority info msg “Starting ACl script”
cli_exec $cli1(fd) “conf t
$t_acl
commit”
action_syslog priority info msg “ACl ScriptEnd ”
if {[catch {cli_close $cli1(fd) $cli1(tty_id)} result]} {
action_syslog priority info msg $result
}

下面是 acl-2.tcl

# List of event manager environment variables
# _cron_entry – cron value
#

::cisco::eem::event_register_timer cron name crontimer2 cron_entry $_cron_entry2
#::cisco::eem::event_register_none

namespace import ::cisco::eem::*
namespace import ::cisco::lib::*
if {[catch {cli_open} result]} {
action_syslog priority info msg “CLI Open Failed: $result”
exit
}
set t_acl “ipv4 access-list TEST
no 10 permit ipv4 222.72.74.0/24 183.61.190.0/24 nexthop1 ipv4 21.198.0.60
no 20 permit ipv4 122.172.74.0/24 211.151.181.0/24 nexthop1 ipv4 21.198.0.60
!”
array set cli1 $result
action_syslog priority info msg “Starting ACl script”
cli_exec $cli1(fd) “conf t
$t_acl
commit”
action_syslog priority info msg “ACl ScriptEnd ”
if {[catch {cli_close $cli1(fd) $cli1(tty_id)} result]} {
action_syslog priority info msg $result
}

控制远程访问
line default
access-class ingress LOGIN-LIMIT

ipv4 access-list LOGIN-LIMIT
20 permit ipv4 host 161.234.206.2 any 只允许源地址是161.234.206.2访问该设备

事后监督
看已经递交的命令列表：
show configuration commit list
查看已经递交的命令的内容：
show configuration commit changes 1000000808

进阶篇
为什么静态路由不生效？由于无法在ASR9922测试，作者用IOS模拟软件演示其过程。
演示拓扑：

演示配置：
R2#sh run
Building configuration…
hostname R2
interface Loopback0
ip address 2.2.2.2 255.255.255.255
interface Serial1/0
ip address 192.168.2.2 255.255.255.252
mpls label protocol ldp
mpls ip
serial restart-delay 0

interface Serial1/2
ip address 192.168.2.10 255.255.255.252
mpls label protocol ldp
mpls ip
serial restart-delay 0
interface Serial1/4
ip address 192.168.2.14 255.255.255.252
mpls label protocol ldp
mpls ip
serial restart-delay 0
!
router ospf 1
router-id 2.2.2.2
log-adjacency-changes
redistribute connected subnets
network 192.168.2.0 0.0.0.3 area 0
network 192.168.2.8 0.0.0.3 area 0
network 192.168.2.12 0.0.0.3 area 0
!
router bgp 65532
no synchronization
bgp log-neighbor-changes
neighbor 3.3.3.3 remote-as 65532
neighbor 3.3.3.3 update-source Loopback0
no auto-summary
!
R3#sh run
Building configuration…
hostname R3
ip vrf vpn-oa
rd 451:103
route-target export 451:103
route-target import 451:103
!
no ip domain lookup
!
multilink bundle-name authenticated
mpls label protocol ldp
interface Loopback0
ip address 3.3.3.3 255.255.255.255
ip ospf network point-to-point
!
interface Loopback1
ip vrf forwarding vpn-oa
ip address 3.3.3.4 255.255.255.255
interface Serial1/2
ip address 192.168.2.9 255.255.255.252
mpls label protocol ldp
mpls ip
serial restart-delay 0
!
interface Serial1/3
ip address 192.168.4.1 255.255.255.252
mpls label protocol ldp
mpls ip
serial restart-delay 0
!
interface Serial1/7
ip address 192.168.8.1 255.255.255.252
mpls label protocol ldp
mpls ip
serial restart-delay 0
router ospf 1
log-adjacency-changes
network 3.3.3.3 0.0.0.0 area 0
network 192.168.2.8 0.0.0.3 area 0
network 192.168.4.0 0.0.0.3 area 0
network 192.168.8.0 0.0.0.3 area 0
default-information originate always
!
router bgp 65532
bgp log-neighbor-changes
neighbor 2.2.2.2 remote-as 65532
neighbor 2.2.2.2 update-source Loopback0
neighbor 5.5.5.5 remote-as 9394
neighbor 5.5.5.5 ebgp-multihop 3
neighbor 5.5.5.5 update-source Loopback0
neighbor 6.6.6.6 remote-as 65532
neighbor 6.6.6.6 update-source Loopback0
neighbor 10.10.10.10 remote-as 65532
neighbor 10.10.10.10 update-source Loopback0
!
address-family ipv4
redistribute connected
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 next-hop-self
neighbor 5.5.5.5 activate
neighbor 5.5.5.5 route-map cisco in
neighbor 6.6.6.6 activate
neighbor 6.6.6.6 next-hop-self
neighbor 10.10.10.10 activate
neighbor 10.10.10.10 next-hop-self
no auto-summary
no synchronization
network 10.10.10.10 mask 255.255.255.255
network 192.168.2.0 mask 255.255.255.252
exit-address-family
!
address-family vpnv4
neighbor 6.6.6.6 activate
neighbor 6.6.6.6 send-community extended
neighbor 6.6.6.6 next-hop-self
neighbor 10.10.10.10 activate
neighbor 10.10.10.10 send-community extended
neighbor 10.10.10.10 next-hop-self
exit-address-family
!
address-family ipv4 vrf vpn-oa
redistribute connected
no synchronization
exit-address-family
!
ip route 5.5.5.5 255.255.255.255 192.168.4.2
ip route 5.5.5.8 255.255.255.255 192.168.8.2
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
access-list 100 permit ip 192.168.2.8 0.0.0.3 any
!
!
!
route-map test permit 10
match ip address 100
set ip next-hop 192.168.4.2 192.168.8.2
!
route-map cisco permit 10
set ip next-hop 8.8.8.8
!
!
!
!
control-plane
!
R5#sh run
Building configuration…
hostname R5
ip vrf vpn-oa
rd 451:103
route-target export 451:103
route-target import 451:103
!
no ip domain lookup
!
multilink bundle-name authenticated
mpls label protocol ldp
interface Loopback0
ip address 5.5.5.5 255.255.255.255
!
interface Loopback1
ip vrf forwarding vpn-oa
ip address 5.5.5.6 255.255.255.255
!
interface Loopback3
ip address 5.5.5.3 255.255.255.255
!
interface Loopback8
ip address 5.5.5.8 255.255.255.255
!
interface Serial1/3
ip address 192.168.4.2 255.255.255.252
serial restart-delay 0
!
interface Serial1/5
ip address 192.168.8.6 255.255.255.252
serial restart-delay 0

router ospf 1
log-adjacency-changes
network 5.5.5.5 0.0.0.0 area 0
network 192.168.4.0 0.0.0.3 area 0
network 192.168.4.4 0.0.0.3 area 0
!
router bgp 9394
bgp log-neighbor-changes
neighbor 3.3.3.3 remote-as 65532
neighbor 3.3.3.3 ebgp-multihop 3
neighbor 3.3.3.3 update-source Loopback0
!
address-family ipv4
neighbor 3.3.3.3 activate
no auto-summary
no synchronization
network 5.5.5.3 mask 255.255.255.255
network 5.5.5.5 mask 255.255.255.255
network 5.5.5.8 mask 255.255.255.255
network 10.101.10.10 mask 255.255.255.255
exit-address-family
!
ip route 0.0.0.0 0.0.0.0 192.168.8.5
ip route 3.3.3.3 255.255.255.255 192.168.4.1
ip route 5.5.5.3 255.255.255.255 Null0
ip route 5.5.5.8 255.255.255.255 Null0
ip route 10.101.10.10 255.255.255.255 Null0
no ip http server
no ip http secure-server

R8#sh run
Building configuration…

Current configuration : 1658 bytes
hostname R8
interface Loopback0
ip address 8.8.8.8 255.255.255.255
interface Serial1/5
ip address 192.168.8.5 255.255.255.252
serial restart-delay 0
!
interface Serial1/7
ip address 192.168.8.2 255.255.255.252
mpls label protocol ldp
mpls ip
serial restart-delay 0
router ospf 1
log-adjacency-changes
redistribute connected subnets
network 192.168.8.0 0.0.0.3 area 0
!
ip route 0.0.0.0 0.0.0.0 192.168.8.6
no ip http server
no ip http secure-server

R2#
R2#sh ip int b
Interface IP-Address OK? Method Status Prot
Serial1/0 192.168.2.2 YES NVRAM up down
Serial1/2 192.168.2.10 YES NVRAM up up
FastEthernet2/1 172.1.1.5 YES manual up up
Loopback0 2.2.2.2 YES NVRAM up up
Loopback1

R3#sh ip int bri
Interface IP-Address OK? Method Status Prot
Serial1/2 192.168.2.9 YES NVRAM up up
Serial1/3 192.168.4.1 YES NVRAM up up
Serial1/7 192.168.8.1 YES NVRAM up up
Loopback0 3.3.3.3 YES NVRAM up up
Loopback1 3.3.3.4 YES NVRAM up up
R3#

R5#sh ip int bri
Interface IP-Address OK? Method Status Pro
Serial1/1 unassigned YES NVRAM up dow
Serial1/2 192.168.1.1 YES manual up dow
Serial1/3 192.168.4.2 YES NVRAM up up
Serial1/4 unassigned YES NVRAM administratively down dow
Serial1/5 192.168.8.6 YES NVRAM up up
Loopback0 5.5.5.5 YES NVRAM up up
Loopback1 5.5.5.6 YES NVRAM up up
Loopback3 5.5.5.3 YES manual up up
Loopback8 5.5.5.8 YES manual up up
R5#

R8#sh ip int b
Interface IP-Address OK? Method Status Prot
Serial1/5 192.168.8.5 YES NVRAM up up
Serial1/6 unassigned YES NVRAM administratively down down
Serial1/7 192.168.8.2 YES NVRAM up up
Loopback0 8.8.8.8 YES NVRAM up up
R8#

路由说明：
R2相当于某地市BR路由器
R3相当于省干核心CR 路由器
R5相当于总部路由器
R8相当于出口路由器
R2，R3，R8运行OSPF，在同一个AREA0里。
R3对总部运行EBGP，对地市BR R2运行IBGP，R8出口路由器走缺省路由到R5
R2#sh ip route
Codes: C – connected, S – static, R – RIP, M – mobile, B – BGP
D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2
ia – IS-IS inter area, * – candidate default, U – per-user static route
o – ODR, P – periodic downloaded static route

Gateway of last resort is 192.168.2.9 to network 0.0.0.0

2.0.0.0/32 is subnetted, 1 subnets
C 2.2.2.2 is directly connected, Loopback0
3.0.0.0/32 is subnetted, 1 subnets
O 3.3.3.3 [110/65] via 192.168.2.9, 03:54:11, Serial1/2
192.168.8.0/30 is subnetted, 2 subnets
O 192.168.8.0 [110/128] via 192.168.2.9, 03:54:11, Serial1/2
O E2 192.168.8.4 [110/20] via 192.168.2.9, 03:54:11, Serial1/2
5.0.0.0/32 is subnetted, 3 subnets
O 5.5.5.5 [110/129] via 192.168.2.9, 03:54:11, Serial1/2
B 5.5.5.3 [200/0] via 8.8.8.8, 00:57:54
B 5.5.5.8 [200/0] via 8.8.8.8, 00:57:54
8.0.0.0/32 is subnetted, 1 subnets
O E2 8.8.8.8 [110/20] via 192.168.2.9, 03:54:11, Serial1/2
192.168.4.0/30 is subnetted, 1 subnets
O 192.168.4.0 [110/128] via 192.168.2.9, 03:54:12, Serial1/2
10.0.0.0/32 is subnetted, 2 subnets
O 10.10.10.10 [110/65] via 192.168.2.1, 03:54:12, Serial1/0
B 10.101.10.10 [200/0] via 8.8.8.8, 00:57:54
C 192.168.16.0/24 is directly connected, FastEthernet2/1
192.168.2.0/30 is subnetted, 2 subnets
C 192.168.2.8 is directly connected, Serial1/2
C 192.168.2.0 is directly connected, Serial1/0
O*E2 0.0.0.0/0 [110/1] via 192.168.2.9, 03:54:12, Serial1/2
R2#

R3#sh ip route
Codes: C – connected, S – static, R – RIP, M – mobile, B – BGP
D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2
ia – IS-IS inter area, * – candidate default, U – per-user static route
o – ODR, P – periodic downloaded static route

Gateway of last resort is not set

B 200.200.200.0/24 [200/0] via 10.10.10.10, 02:11:17
2.0.0.0/32 is subnetted, 1 subnets
O E2 2.2.2.2 [110/20] via 192.168.2.10, 03:52:52, Serial1/2
3.0.0.0/32 is subnetted, 1 subnets
C 3.3.3.3 is directly connected, Loopback0
192.168.8.0/30 is subnetted, 2 subnets
C 192.168.8.0 is directly connected, Serial1/7
B 192.168.8.4 [20/0] via 8.8.8.8, 02:09:34
5.0.0.0/32 is subnetted, 3 subnets
S 5.5.5.5 [1/0] via 192.168.4.2
B 5.5.5.3 [20/0] via 8.8.8.8, 02:09:34
S 5.5.5.8 [1/0] via 192.168.4.2
8.0.0.0/32 is subnetted, 1 subnets
O E2 8.8.8.8 [110/20] via 192.168.8.2, 03:52:53, Serial1/7
192.168.4.0/30 is subnetted, 1 subnets
C 192.168.4.0 is directly connected, Serial1/3
10.0.0.0/32 is subnetted, 2 subnets
O 10.10.10.10 [110/129] via 192.168.2.10, 03:52:53, Serial1/2
B 10.101.10.10 [20/0] via 8.8.8.8, 02:09:35
O E2 192.168.16.0/24 [110/20] via 192.168.2.10, 03:52:53, Serial1/2
192.168.2.0/30 is subnetted, 2 subnets
C 192.168.2.8 is directly connected, Serial1/2
O 192.168.2.0 [110/128] via 192.168.2.10, 03:52:53, Serial1/2
R3#
R3#
R3#
R3#traceroute 5.5.5.3

Type escape sequence to abort.
Tracing the route to 5.5.5.3

1 192.168.8.2 28 msec 56 msec 48 msec
2 192.168.8.6 [AS 9394] 64 msec * 36 msec
R3#traceroute 5.5.5.8
Type escape sequence to abort.
Tracing the route to 5.5.5.8

1 192.168.4.2 76 msec * 44 msec 注意：这里静态路由生效
R3#

R2#traceroute 5.5.5.3

Type escape sequence to abort.
Tracing the route to 5.5.5.3

1 192.168.2.9 [MPLS: Label 22 Exp 0] 124 msec 92 msec 20 msec
2 192.168.8.2 60 msec 48 msec 32 msec
3 192.168.8.6 100 msec * 116 msec
R2#traceroute 5.5.5.8

Type escape sequence to abort.
Tracing the route to 5.5.5.8 但是在R2上没有走R3–>R5R8,而是R3R8R5，R3的静态路由没有生效，为什么？

1 192.168.2.9 [MPLS: Label 22 Exp 0] 104 msec 36 msec 64 msec
2 192.168.8.2 68 msec 128 msec 64 msec
3 192.168.8.6 56 msec * 104 msec
R2#
路由分析
R3从R5收到的路由受到route-map cisco影响下一跳已经改为8.8.8.8，由于R3对R2 BGP没有设置neighbor 2.2.2.2 next-hop-self，所以R2接收到的5.5.5.X路由下一跳为8.8.8.8，这样在R2上到R5的路由不受R3的策略路由和静态路由影响！！！

如果希望R3的策略路由和静态路由生效，需要在R3上对R2的BGP设置上加上：
neighbor 2.2.2.2 next-hop-self
下面是修改后的路由和traceroute结果：
R2#sh ip route
Codes: C – connected, S – static, R – RIP, M – mobile, B – BGP
D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2
ia – IS-IS inter area, * – candidate default, U – per-user static route
o – ODR, P – periodic downloaded static route

Gateway of last resort is 192.168.2.9 to network 0.0.0.0

2.0.0.0/32 is subnetted, 1 subnets
C 2.2.2.2 is directly connected, Loopback0
3.0.0.0/32 is subnetted, 1 subnets
O 3.3.3.3 [110/65] via 192.168.2.9, 04:12:32, Serial1/2
192.168.8.0/30 is subnetted, 2 subnets
O 192.168.8.0 [110/128] via 192.168.2.9, 04:12:32, Serial1/2
O E2 192.168.8.4 [110/20] via 192.168.2.9, 04:12:32, Serial1/2
5.0.0.0/32 is subnetted, 3 subnets
O 5.5.5.5 [110/129] via 192.168.2.9, 04:12:32, Serial1/2
B 5.5.5.3 [200/0] via 3.3.3.3, 00:01:07
B 5.5.5.8 [200/0] via 3.3.3.3, 00:01:07 这里到5.5.5.8下一跳已经变为R3的loopback地址
8.0.0.0/32 is subnetted, 1 subnets
O E2 8.8.8.8 [110/20] via 192.168.2.9, 04:12:32, Serial1/2
192.168.4.0/30 is subnetted, 1 subnets
O 192.168.4.0 [110/128] via 192.168.2.9, 04:12:34, Serial1/2
10.0.0.0/32 is subnetted, 2 subnets
O 10.10.10.10 [110/65] via 192.168.2.1, 04:12:34, Serial1/0
B 10.101.10.10 [200/0] via 3.3.3.3, 00:01:10
C 192.168.16.0/24 is directly connected, FastEthernet2/1
192.168.2.0/30 is subnetted, 2 subnets
C 192.168.2.8 is directly connected, Serial1/2
C 192.168.2.0 is directly connected, Serial1/0
O*E2 0.0.0.0/0 [110/1] via 192.168.2.9, 04:12:35, Serial1/2
R2#
R2#
R2#traceroute 5.5.5.3

Type escape sequence to abort.
Tracing the route to 5.5.5.3

1 192.168.2.9 96 msec 76 msec 28 msec
2 192.168.4.2 44 msec * 88 msec
R2#traceroute 5.5.5.8

Type escape sequence to abort.
Tracing the route to 5.5.5.8

1 192.168.2.9 88 msec 52 msec 52 msec
2 192.168.4.2 44 msec * 76 msec 这里的静态路由生效了!
R2#
ASR常用命令
maximum path ipv4 100000 修改最大静态条目
sh bgp community 9394:136 查看该BGP属性下的路由
sh bgp regexp _9394$ 查看该BGP属性下的路由
sh bgp community 9394:135 查看该BGP属性下的路由

sh access-lists cttfj hardware ingress location 0/12/cpu0看端口策略条目数
commit label fz10 comment 定义一个回退点
sh access-lists cttfj hardware ingress detail location 0/12/CPU0 | include 222.47.62.1看每个策略（源地址，目的地址）是否生效，下一跳是是什么

show install act summ 查看当前的PIE
需要在admin模式下才有的命令

ASR9K补丁升级：
第一步 下载相关补丁：disk0:asr9k-mpls-px-4.2.12i
第二步 TFTP上传到DISK0
第三步 install add
Install active
验证
Install commit

hw-module service offline location 0/10/0 是某个子卡业务下线
RP/0/RP0/CPU0:(config)#hw-module subslot 0/0/0 shutdown unpowered 给某个子卡下电
RP/0/RP0/CPU0:ios#clock set 11:19:20 23 november 2012 在admin下不可以
RP/0/RP0/CPU0:ios(admin)#show platform summ location 0/RP1/CPU0查看单个引擎情况
RP/0/RP0/CPU0:ios(admin)#show platform summ 看所有板卡状态

RP/0/RP0/CPU0:ios#sh ospf summ 查看OSPF路由
RP/0/RP0/CPU0:ios#sh bgp summ 查看BGP路由
RP/0/RP0/CPU0:ios#debug ospf 1 adj 检修OSPF邻居
RP/0/RP0/CPU0:ios#terminal length 40 修改每次显示的长度
RP/0/RP0/CPU0:ios(config)#no hw-module subslot 0/0/1 shutdown 必须在config模式下，不是admin模式下才能有效

RP/0/RP0/CPU0:ios(config)#username ciscocisco 想要某个账号有效，必须放在管理组里
RP/0/RP0/CPU0:ios(config-un)#group root-system
RP/0/RP0/CPU0:ios(config-un)#password ciscocisco
RP/0/RP0/CPU0:ios(config-un)#commit
Fri Nov 30 19:14:43.968 UTC

s#sh bgp vpnv4 unicast 在ASK9K上看VPN路由
RP/0/RP0/CPU0:ios#sh controllers tenGigE 0/2/1/2 phy 查看接口物理收发功率
RP/0/RP0/CPU0:ios#sh bgp 看BGP路由

RP/0/RP0/CPU0:ios#sh bgp summ 看BGP邻居是否建立
RP/0/RP0/CPU0:ios#sh ospf nei 看ospf邻居是否建立
RP/0/RP0/CPU0:ios#sh route summary 看总体路由条目数

如何删除一条BGP邻居：进到router bgp 655532下，no neighbor 1.1.1.1就可以了，要commit
copy disk0a:/usr/asr9k-config tftp://10.1.1.100/asr9k-config 如何备份配置文件到电脑TFTP
clear bgp ipv4 unicast 10.1.1.200 soft 不中断BGP邻居关系的情况下刷新路由表

把ASR9K的管理口参与路由进程：rp mgm forwarding

sh run router static | include 0.0.0.0 查看静态路由表里匹配所有0.0.0.0项的条目

TFTP备份文件格式：
RP/0/RP0/CPU0:FJFZ-ASR#copy running-config tftp://172.16.2.6/
Host name or IP address (control-c to abort): [172.16.2.6;default]?172.16.2.6
Destination file name (control-c to abort): [/]?9922cfg
Building configuration.
3285 lines built in 1 second
[OK]

查看标签转发表命令
RP/0/RP0/CPU0:FJFZ-ASR#sh mpls forwarding
查看32位标签转发表命令
RP/0/RP0/CPU0:FJFZ-ASR#sh mpls forwarding | include /32
查看某条路由的标签转发情况：
RP/0/RP0/CPU0:FJFZ-ASR#sh mpls forwarding prefix XX.XX.XX.XX/XX

看最经递交的列表：
show configuration commit list
查看已经递交的命令的内容：
show configuration commit changes 1000000808

修改一个prefix-set，as-path-set，community-set需要先做一个完整的脚本，然后一下全部替换：
prefix-set SET-NAME
221.175.4.0/24,
222.47.0.0/16 ge 16 le 32,
122.90.0.0/16 ge 16 le 32,
36.192.176.0/21 ge 21 le 32
end-set

查看路由转发表
RP/0/RP0/CPU0:XM#sh cef x.x.x.x

RP/0/RP0/CPU0:FZ(config-ldp)#interface ? ASR9K不支持MPLS在MGM口上
ATM ATM Network Interface(s)
Bundle-Ether Aggregated Ethernet interface(s)
Bundle-POS Aggregated POS interface(s)
FastEthernet FastEthernet/IEEE 802.3 interface(s)
FortyGigE FortyGigabitEthernet/IEEE 802.3 interface(s)
GigabitEthernet GigabitEthernet/IEEE 802.3 interface(s)
HundredGigE HundredGigabitEthernet/IEEE 802.3 interface(s)
IMA ATM Network Interface(s)
Multilink Multilink network interface(s)
POS Packet over SONET/SDH network interface(s)
SRP SRP interface(s)
Serial Serial network interface(s)
TenGigE TenGigabitEthernet/IEEE 802.3 interface(s)
tunnel-gte MPLS Traffic Engineering GMPLS Tunnel interface
tunnel-ip GRE/IPinIP Tunnel Interface(s)
tunnel-te MPLS Traffic Engineering Tunnel interface(s)

如何建立一个低级别的账号：
RP/0/RP0/CPU0:XM(config)#interface TenGigE0/12/0/0
% This command is not authorized
第一步 建立权限：
taskgroup priv1
task read bgp
task read rib
task read ipv4
task read sysmgr
task read system
task read logging
task read network
task read fault-mgr
task read interface
task read basic-services
第二步:建立一个用户组
usergroup priv1
taskgroup priv1
taskgroup operator

第三步：把一个账号放到权限组里
username ciscocisco
group priv1
第四步：新建一个账号：
Username ciscocisco password ciscocisco

实际配置
为了减少篇幅，作者删掉一些相似的配置。
RP/0/RP0/CPU0:SP–ASR#sh run
Building configuration…
[K!! IOS XR Configuration 4.2.3
!! Last configuration change at Fri Jan 25 21:31:12 2013 by CORE
!
hostname SP–ASR
logging buffered 4096000
logging 61.237.13.254 vrf default
logging source-interface Loopback0
telnet vrf default ipv4 server max-servers 15
taskgroup priv1
task read bgp
task read rib
task read ipv4
task read sysmgr
task read system
task read logging
task read network
task read fault-mgr
task read interface
task read basic-services
!
usergroup priv1
taskgroup priv1
taskgroup operator
!
username CORE
group netadmin
group operator
group sysadmin
group root-system
group serviceadmin
group cisco-support
password 7 15340118100A7669306374
!
username ciscocisco
group priv1
password 7 05080F1C22434D000A0618
!
cdp
vrf cww
address-family ipv4 unicast
import route-target
5523:900
5523:901
!
export route-target
5523:900
!
!
!
vrf ip-pbx
address-family ipv4 unicast
import route-target
5523:0
5523:6000
!
export route-target
5523:8
5523:6000
!
!
!
vrf PORT-POLICY-oa
address-family ipv4 unicast
import route-target
5523:590
5523:5919
!
export route-target
5523:590
!
!
!
vrf softswitch
address-family ipv4 unicast
import route-target
5523:2001
!
export route-target
5523:2000
!
!
!
line console
exec-timeout 0 0
length 0
!
line default
timestamp disable
exec-timeout 15 0
!
vty-pool default 0 15
snmp-server ifindex persist
snmp-server trap link ietf
snmp-server engineID local 123456789
snmp-server host 22.147.23.2 traps solarwinds@CORE
snmp-server host 22.147.23.4 traps solarwinds@CORE
snmp-server host 22.147.26.9 traps solarwinds@CORE
snmp-server host 22.147.26.10 traps solarwinds@CORE
snmp-server community solarwinds@CORE RO
snmp-server community solarwinds@CORE50160 RW
snmp-server traps snmp
snmp-server traps config
snmp-server traps entity
snmp-server traps syslog
snmp-server correlator buffer-size 4096
snmp-server trap-source Loopback0
ipv4 access-list test
10 permit ipv4 221.175.124.0/24 any nexthop1 ipv4 11.158.10.1
20 permit ipv4 any any
!
ipv4 access-list PORT-POLICY
100 permit ipv4 any 110.124.0.0 0.0.255.255
105 permit ipv4 any 10.0.0.0 0.255.255.255
110 permit ipv4 any 22.147.0.0 0.0.255.255
。。。。。。

5000 permit ipv4 any any
!
ipv4 access-list TEST
20 permit ipv4 host 61.234.206.2 any
30 permit ipv4 host 61.234.206.8 any
200 deny ipv4 any any
!
ipv4 access-list testping
100 permit ipv4 host 22.147.62.58 any
120 permit ipv4 any any
!
ipv4 access-list PORT-POLICY-001
1620 permit ipv4 host 22.147.62.58 any nexthop1 ipv4 22.9.14.37
5000 permit ipv4 any any
!
flow exporter-map FEM1
version v9
options interface-table
template data timeout 600
!
dscp 10
transport udp 8881
source Loopback0
destination 22.147.23.3
!
flow exporter-map FEM2
version v9
options interface-table
template data timeout 600
!
dscp 10
transport udp 50040
source Loopback0
destination 218.207.150.66
!
flow monitor-map FMM2
record ipv4
exporter FEM1
exporter FEM2
cache entries 900000
cache timeout active 5
cache timeout inactive 5
!
sampler-map FSM1
random 1 out-of 5000
!
interface Bundle-Ether1
description Connect to DSAS9306
mtu 1540
bundle maximum-active links 2
!
interface Bundle-Ether1.1
ipv4 address 22.9.18.141 255.255.255.252
flow ipv4 monitor FMM2 sampler FSM1 ingress
encapsulation dot1q 8
ipv4 access-group PORT-POLICY ingress
!
!
interface Bundle-Ether1.1200
description to-DSAoa
vrf PORT-POLICY-oa
ipv4 address 192.168.1.5 255.255.255.0
encapsulation dot1q 1200
!
interface Bundle-Ether1.1201
description to fjoa-ma5200f
vrf PORT-POLICY-oa
ipv4 address 192.168.101.1 255.255.255.0
encapsulation dot1q 1201
!
interface Bundle-Ether1.1211
description cww
vrf cww
ipv4 address 172.16.35.1 255.255.255.224
encapsulation dot1q 1211
!
interface Bundle-Ether2
description Connect to IDC9306
mtu 1540
bundle maximum-active links 4
!
interface Bundle-Ether2.26
ipv4 address 22.9.18.153 255.255.255.252
flow ipv4 monitor FMM2 sampler FSM1 ingress
encapsulation dot1q 26
ipv4 access-group PORT-POLICY ingress
!
interface Bundle-Ether2.27
ipv4 address 22.9.18.157 255.255.255.252
flow ipv4 monitor FMM2 sampler FSM1 ingress
encapsulation dot1q 27
ipv4 access-group PORT-POLICY ingress
!
interface Bundle-Ether2.28
ipv4 address 22.9.18.161 255.255.255.252
flow ipv4 monitor FMM2 sampler FSM1 ingress
encapsulation dot1q 28
ipv4 access-group PORT-POLICY ingress
!
interface Loopback0
ipv4 address 22.147.3.11 255.255.255.255
!

interface MgmtEth0/RP0/CPU0/0
ipv4 address 10.0.0.120 255.255.255.0
!
interface MgmtEth0/RP0/CPU0/1
ipv4 address 172.16.2.5 255.255.255.252
!
interface MgmtEth0/RP1/CPU0/0
shutdown
!
interface MgmtEth0/RP1/CPU0/1
shutdown

!
interface TenGigE0/0/0/0
description connect-to-NE5000 1/1/0
mtu 1540
ipv4 address 22.9.9.2 255.255.255.252
flow ipv4 monitor FMM2 sampler FSM1 ingress
!
interface TenGigE0/0/0/1
description Connect to DSAS9306
bundle id 1 mode on
bundle port-priority 10
!
interface TenGigE0/0/0/2
description to_jq9306_G1/1/0/0
bundle id 2 mode on
!
interface TenGigE0/0/0/3
description to SP-10G-02-yichang
ipv4 address 22.9.14.145 255.255.255.252
flow ipv4 monitor FMM2 sampler FSM1 ingress
ipv4 access-group PORT-POLICY ingress
!
interface TenGigE0/0/1/0
description to SP_05-hudong
ipv4 address 211.138.159.149 255.255.255.252
flow ipv4 monitor FMM2 sampler FSM1 ingress
transport-mode wan
ipv4 access-group PORT-POLICY ingress
!
interface TenGigE0/0/1/1
description to 7609-3/0/0
ipv4 address 22.147.3.222 255.255.255.252
flow ipv4 monitor FMM2 sampler FSM1 ingress
!
interface TenGigE0/0/1/2
description connect to DSB-ASR9K Teng 0/0/1/2
mtu 1540
ipv4 address 22.9.18.85 255.255.255.252
!
interface TenGigE0/0/1/3
description connect to DSA7609 Teng 2/3
ipv4 address 22.9.18.230 255.255.255.252
!
interface TenGigE0/1/0/0
description connect-to-NE5000 1/1/1
mtu 1540
ipv4 address 22.9.9.234 255.255.255.252
flow ipv4 monitor FMM2 sampler FSM1 ingress
!
interface TenGigE0/1/0/1
description connect to 9306 XG 1/0/1
bundle id 1 mode on
bundle port-priority 10
!
interface TenGigE0/1/0/2
description to_9306-G1/1/0/1
bundle id 2 mode on
!
interface TenGigE0/1/0/3
description to_SP_10g_03-yichang
ipv4 address 22.9.22.49 255.255.255.252
flow ipv4 monitor FMM2 sampler FSM1 ingress
ipv4 access-group PORT-POLICY ingress
!
interface TenGigE0/1/1/0
description to SP-10G-01 hudong
ipv4 address 22.9.13.241 255.255.255.252
flow ipv4 monitor FMM2 sampler FSM1 ingress
ipv4 access-group PORT-POLICY ingress
!
interface TenGigE0/1/1/1
description to 7609 14/0/0
ipv4 address 22.9.14.93 255.255.255.252
flow ipv4 monitor FMM2 sampler FSM1 ingress
!
interface TenGigE0/1/1/2
description connect to DSB-ASR9K Teng 0/1/1/2
mtu 1540
ipv4 address 22.9.18.89 255.255.255.252
!
interface TenGigE0/1/1/3
shutdown
!
interface TenGigE0/2/0/0
description connect-to-NE5000 2/0/0
mtu 1540
ipv4 address 22.9.14.38 255.255.255.252
flow ipv4 monitor FMM2 sampler FSM1 ingress
!
interface TenGigE0/2/0/1
description to_9306-G2/1/0/0
bundle id 2 mode on
!
interface TenGigE0/2/0/2
description to_9306-G2/1/0/2
bundle id 2 mode on
!
interface TenGigE0/2/0/3
description to_SP-10G-04-yichang
ipv4 address 22.9.13.121 255.255.255.252
flow ipv4 monitor FMM2 sampler FSM1 ingress
ipv4 access-group PORT-POLICY ingress
!
interface TenGigE0/2/1/0
description to NE80E 3/0/0
mtu 1540
ipv4 address 22.9.18.121 255.255.255.252
flow ipv4 monitor FMM2 sampler FSM1 ingress
ipv4 access-group PORT-POLICY ingress
!
interface TenGigE0/2/1/1
description to NE80E 14/0/0
mtu 1540
ipv4 address 22.9.18.125 255.255.255.252
flow ipv4 monitor FMM2 sampler FSM1 ingress
ipv4 access-group PORT-POLICY ingress
!
interface TenGigE0/2/1/2
description connect to DSB-ASR9K Teng 0/2/1/2
mtu 1540
ipv4 address 22.9.18.93 255.255.255.252
!
interface TenGigE0/2/1/3
shutdown
!
interface TenGigE0/10/0/0
description connect-to-NE80E 4/0/0
mtu 1540
ipv4 address 22.9.18.62 255.255.255.252
flow ipv4 monitor FMM2 sampler FSM1 ingress
ipv4 access-group PORT-POLICY ingress
!

!
interface TenGigE0/10/1/1
description to qz7609-1 Teng 4/1
ipv4 address 22.9.13.5 255.255.255.252
flow ipv4 monitor FMM2 sampler FSM1 ingress
ipv4 access-group PORT-POLICY ingress
!
interface TenGigE0/10/1/2
description to DSBbr1 Teng9/4
ipv4 address 22.9.14.17 255.255.255.252
flow ipv4 monitor FMM2 sampler FSM1 ingress
ipv4 access-group PORT-POLICY ingress
!
interface TenGigE0/10/1/3
description to DSA-ne80e(1)-g1/0/0
mtu 1540
ipv4 address 22.9.9.241 255.255.255.252
flow ipv4 monitor FMM2 sampler FSM1 ingress
ipv4 access-group PORT-POLICY ingress
!
interface TenGigE0/11/0/0
description connect-to-NE80E 11/0/0
mtu 1540
ipv4 address 22.9.18.66 255.255.255.252
flow ipv4 monitor FMM2 sampler FSM1 ingress
ipv4 access-group PORT-POLICY ingress
!
!
interface TenGigE0/11/1/2
description to DSBbr2 Teng13/3
ipv4 address 22.9.14.245 255.255.255.252
flow ipv4 monitor FMM2 sampler FSM1 ingress
ipv4 access-group PORT-POLICY ingress
!
interface TenGigE0/11/1/3
description to DSA-ne80e-2-10G 1/0/0
mtu 1540
ipv4 address 22.9.9.245 255.255.255.252
flow ipv4 monitor FMM2 sampler FSM1 ingress
ipv4 access-group PORT-POLICY ingress
!
interface TenGigE0/12/0/0
description connect-to-NE80E 12/0/0
mtu 1540
ipv4 address 22.9.18.70 255.255.255.252
flow ipv4 monitor FMM2 sampler FSM1 ingress
ipv4 access-group PORT-POLICY ingress
!
interface TenGigE0/12/0/1
description to-DSCbr1-7/1
ipv4 address 22.9.18.185 255.255.255.252
flow ipv4 monitor FMM2 sampler FSM1 ingress
ipv4 access-group PORT-POLICY ingress
!
interface TenGigE0/12/0/2
description to-DCHbr1-7/1
ipv4 address 22.9.18.241 255.255.255.252
flow ipv4 monitor FMM2 sampler FSM1 ingress
ipv4 access-group PORT-POLICY ingress
!
interface TenGigE0/12/0/3
ipv4 address 172.16.255.17 255.255.255.252
!
interface TenGigE0/12/1/0
description to-DCFbr1-NE40E 5/0/0
mtu 1540
ipv4 address 22.9.18.193 255.255.255.252
flow ipv4 monitor FMM2 sampler FSM1 ingress
ipv4 access-group PORT-POLICY ingress
!
interface TenGigE0/12/1/1
description to qz7609-2 Teng 4/2
ipv4 address 22.9.18.209 255.255.255.252
flow ipv4 monitor FMM2 sampler FSM1 ingress
ipv4 access-group PORT-POLICY ingress
!
interface TenGigE0/12/1/2
description to-DCDbr1- 7/1
ipv4 address 22.9.18.177 255.255.255.252
flow ipv4 monitor FMM2 sampler FSM1 ingress
ipv4 access-group PORT-POLICY ingress
!
interface TenGigE0/12/1/3
description to-DSCbr1-NE40E 4/0/0
mtu 1540
ipv4 address 22.9.14.29 255.255.255.252
flow ipv4 monitor FMM2 sampler FSM1 ingress
ipv4 access-group PORT-POLICY ingress
!
prefix-set any
0.0.0.0/0 le 32
end-set
!
prefix-set PERMIT-deny
221.175.4.0/23,
0.0.0.0/0 le 32
end-set
!
prefix-set 1314to5523deny
22.147.0.0/16 ge 16 le 32,

12.147.0.0/16 ge 16 le 32
end-set
!
prefix-set redirect_to_cnc
221.217.0.0/18 ge 18 le 32
end-set
!
prefix-set PERMIT-permit
22.147.0.0/16 ge 16 le 32,

12.147.0.0/16 ge 16 le 32
end-set
!
prefix-set AS-PERMIT
0.0.0.0/0 le 32
end-set
!
prefix-set OSPF-DENY
0.0.0.0/0 le 32
end-set
!
prefix-set redirect_to_chinanet
121.56.0.0/15 ge 15 le 32,
113.108.64.0/19 ge 19 le 32,
222.73.0.0/16
end-set
!
prefix-set OSPF-PER
12.142.180.0/22,

12.147.0.0/16 ge 16 le 32
end-set
!
as-path-set 21
ios-regex ‘_1314$’,

ios-regex ‘^1314_9831$’
end-set
!
community-set MF
1314:135,
1314:136,
1314:137
end-set
!
community-set WN
1314:50100,

1314:50600,
1314:50700
end-set
!
route-policy bgp2
apply 1314to5523
if community matches-any wangnei then
done
elseif community matches-any mianfei then
done
elseif as-path in 210 then
done
elseif destination in redirect_to_chinanet then
set next-hop 22.147.3.12
set local-preference 150
elseif destination in redirect_to_cnc then
set next-hop 22.147.3.12
set local-preference 150
elseif destination in any then
set next-hop 22.147.3.12
endif
end-policy
!
route-policy pass-all
pass
end-policy
!
route-policy PERMIT
if destination in PERMIT-permit then
pass
elseif destination in PERMIT-deny then
drop
endif
end-policy
!
route-policy 1314to5523
if destination in 1314to5523deny then
drop
elseif destination in AS-PERMIT then
pass
endif
end-policy
!
route-policy NDC-SPT
if community matches-any wangnei then
pass
elseif as-path in 210 then
pass
endif
end-policy
!
route-policy ospf-in-static
if destination in OSPF-PER then
done
elseif destination in OSPF-DENY then
drop
endif
end-policy
!
router static
maximum path ipv4 100000
address-family ipv4 unicast
0.0.0.0/0 22.147.3.221 100
0.0.0.0/0 TenGigE0/0/0/0 22.9.9.1 10
0.0.0.0/0 TenGigE0/1/0/0 22.9.9.233 10
0.0.0.0/0 TenGigE0/2/0/0 22.9.14.37 10
。。。
中间的几千条静态路由就删掉了，免得浪费篇幅
。。。
119.188.75.147/32 11.158.10.1 description NDC-56
119.188.75.148/32 11.158.10.1 description NDC-56
119.188.75.149/32 11.158.10.1 description NDC-56
119.188.75.150/32 11.158.10.1 description NDC-56
222.191.228.101/32 11.158.10.1 description NDC-qiyi
!
vrf cww
address-family ipv4 unicast
0.0.0.0/0 172.16.36.1
!
!
vrf PORT-POLICY-oa
address-family ipv4 unicast
0.0.0.0/0 192.168.101.2
!
!
!
router ospf 1
nsr
router-id 22.147.3.11
default-information originate always metric-type 1
redistribute static metric-type 1 route-policy ospf-in-static
address-family ipv4 unicast
area 0
interface Bundle-Ether1.1
!
interface Bundle-Ether2.26
!
interface Bundle-Ether4
cost 20
!
!
interface TenGigE0/10/1/1
cost 20
!
interface TenGigE0/10/1/2
cost 30
!
interface TenGigE0/10/1/3
cost 30

!
interface TenGigE0/12/1/3
cost 20
!
!
!
router bgp 5523
nsr
bgp router-id 22.147.3.11
bgp cluster-id 22.147.3.11
address-family ipv4 unicast
network 36.192.176.0/21
network 36.192.184.0/21
network 58.61.39.0/25
network 22.147.192.0/18
network 22.147.224.0/19
!
address-family vpnv4 unicast
!
neighbor-group CORE
remote-as 5523
update-source Loopback0
address-family ipv4 unicast
route-policy pass-all in
route-reflector-client
route-policy pass-all out
next-hop-self
!
!
neighbor 22.19.20.3
remote-as 5523
update-source Loopback0
address-family ipv4 unicast
route-policy pass-all in
route-policy pass-all out
!
address-family vpnv4 unicast
route-policy pass-all in
route-reflector-client
route-policy pass-all out
next-hop-self
!
neighbor 22.90.1.33
remote-as 5523
description to-NDC
update-source Loopback0
address-family ipv4 unicast
route-reflector-client
route-policy NDC-TIETONG out
next-hop-self

neighbor 11.98.10.16
remote-as 39
ebgp-multihop 3
description Connect to ZongbuNE5000
update-source Loopback0
address-family ipv4 unicast
route-policy bgp2 in
route-policy bgppermit out
!
!
vrf cww
rd 5523:500
address-family ipv4 unicast
network 0.0.0.0/0
redistribute connected
redistribute static
!
!
vrf ip-pbx
rd 5523:6000
address-family ipv4 unicast
redistribute connected
redistribute static
!
!
vrf PORT-POLICY-oa
rd 5523:201
address-family ipv4 unicast
network 0.0.0.0/0
redistribute connected
redistribute static
!
!
vrf softswitch
rd 5523:2000
address-family ipv4 unicast
redistribute connected
redistribute static
!
!
!
mpls ldp
router-id 22.147.3.11
nsr
interface Bundle-Ether4
!
interface Bundle-Ether5
!
interface TenGigE0/0/1/2
!
interface TenGigE0/1/1/2
!
interface TenGigE0/2/1/0

!
!
end

[KRP/0/RP0/CPU0:SP–ASR#
RP/0/RP0/CPU0:SP–ASR#

分享