1. NETCONFクライアント側の環境設定

SDNオーケストレーションなどの自動制御を担う動作環境で、NETCONFを動作させるには、
オープンソースの"ncclient: Python library for NETCONF clients"が活用されることが多いようです。
github.com

ncclientは、次のような多種多様なNETCONF装置に対応しているようです。

Supported device handlers

• Juniper: device_params={'name':'junos'}
• Cisco CSR: device_params={'name':'csr'}
• Cisco Nexus: device_params={'name':'nexus'}
• Huawei: device_params={'name':'huawei'}
• Alcatel Lucent: device_params={'name':'alu'}
• H3C: device_params={'name':'h3c'}
• HP Comware: device_params={'name':'hpcomware'}

ncclient/README.rst at master · ncclient/ncclient · GitHub

$ pip install ncclient

from ncclient import manager
from ncclient.xml_ import *
import time

def connect(host, port, user, password, config):
    conn = manager.connect(host=host,
            port=port,
            username=user,
            password=password,
            timeout=30,
            device_params = {'name':'junos'},
            hostkey_verify=False)

    print "------------"
    print "1. conn.lock"
    print "------------"
    try:
        lock = conn.lock('candidate')
        print lock.tostring
    except Exception as e:
        print ("Error in 'conn.lock': type=[%s], message=[%s]"%(type(e), e.message))
        raise

    print "--------------------------"
    print "2. conn.load_configuration"
    print "--------------------------"
    try:
        load_conf = conn.load_configuration(target="candidate",
                                            config=config["routing_options"],
                                            format='xml')
        print load_conf.tostring
        load_conf = conn.load_configuration(target="candidate",
                                            config=config["protocols"],
                                            format='xml')
        print load_conf.tostring
    except Exception as e:
        print ("Error in 'conn.load_configuration': type=[%s], message=[%s]"%(type(e), e.message))
        raise

    print "----------------"
    print "3. conn.validate"
    print "----------------"
    try:
        validate = conn.validate()
        print validate.tostring
    except Exception as e:
        print ("Error in 'conn.validate': type=[%s], message=[%s]"%(type(e), e.message))
        raise

    print "-----------------------------"
    print "4. conn.compare_configuration"
    print "-----------------------------"
    try:
        compare = conn.compare_configuration()
        print compare.tostring
    except Exception as e:
        print ("Error in 'conn.compare_configuration': type=[%s], message=[%s]"%(type(e), e.message))
        raise

    print "---------------"
    print "5. conn.commit"
    print "---------------"
    try:
        commit = conn.commit()
        print commit.tostring
    except Exception as e:
        print ("Error in 'conn.commit': type=[%s], message=[%s]"%(type(e), e.message))
        raise

    print "---------------"
    print "6. conn.unlock"
    print "---------------"
    try:
        unlock = conn.unlock()
        print unlock.tostring
    except Exception as e:
        print ("Error in 'conn.unlock': type=[%s], message=[%s]"%(type(e), e.message))
        raise


if __name__ == '__main__':

    protocols = new_ele('protocols')
    bgp = sub_ele(protocols, 'bgp')
    group = sub_ele(bgp, 'group')
    group_name = sub_ele(group, 'name').text = 'INTERNAL'
    sub_ele(group, 'type').text = 'internal'
    sub_ele(group, 'export').text = 'export-bgp'
    sub_ele(group, 'neighbor').text = '192.168.0.2'

    routing_options = new_ele('routing-options')
    sub_ele(routing_options, 'router-id').text = '10.0.0.1'
    sub_ele(routing_options, 'autonomous-system').text = '65000'

    config = {}
    config["routing_options"] = routing_options
    config["protocols"] = protocols

    connect('192.168.100.101', 830, 'tsubo', 'xxxxxxx', config)

from ncclient import manager
from ncclient.xml_ import *
import time

def connect(host, port, user, password):
    conn = manager.connect(host=host,
            port=port,
            username=user,
            password=password,
            timeout=30,
            device_params = {'name':'junos'},
            hostkey_verify=False)

    print "-------------------------------------"
    print "1. conn.get_configuration 'protocols'"
    print "-------------------------------------"
    config_filter = new_ele('configuration')
    sub_ele(config_filter, 'routing-options')
    sub_ele(config_filter, 'protocols')
    get_conf = conn.get_configuration(format='text', filter=config_filter)
    print get_conf.tostring

    print "----------------------------------"
    print "2. conn.command 'show bgp summary'"
    print "----------------------------------"
    time.sleep(10)
    print "root@SRX> show bgp summary"
    result = conn.command(command='show bgp summary', format='text')
    print result.xpath('output')[0].text

    print "-------------------------------------------------------------"
    print "3. conn.command 'show route receive-protocol bgp 192.168.0.2'"
    print "-------------------------------------------------------------"
    print "root@SRX> show route receive-protocol bgp 192.168.0.2"
    result = conn.command(command='show route receive-protocol bgp 192.168.0.2', format='text')
    print result.xpath('output')[0].text


if __name__ == '__main__':

    connect('192.168.100.101', 830, 'tsubo', 'xxxxxxx')

2. NETCONFサーバ側の環境設定

NETCONFサーバ環境として、JUNOS搭載のNW機器が活用されることが多いと思います、
そこで、今回は、JUNOS搭載のNETCONFサーバ環境として、SRX実機を採用しました。

root@SRX> configure 
Entering configuration mode

[edit]
root@SRX# set system services netconf ssh port 830

root@SRX> show configuration |display set    
set version 12.1X44-D35.5
set system host-name SRX
set system time-zone Asia/Tokyo
set system root-authentication encrypted-password "$1$kAd32lTR$F7o4dwAbW9vY1CIV.a9kt."
set system login user tsubo uid 2000
set system login user tsubo class super-user
set system login user tsubo authentication encrypted-password "$1$eT7nqVkt$uCwT9W8WuBhrEhBcyKoQ5/"
set system services ssh root-login allow
set system services netconf ssh port 830
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set system ntp
set interfaces fe-0/0/0 unit 0 family inet address 192.168.100.101/24
set interfaces fe-0/0/1 unit 0 family inet address 192.168.0.1/24
set interfaces fe-0/0/2 unit 0 family inet address 172.16.0.1/24
set interfaces lo0 unit 0 family inet address 10.0.0.1/32
set policy-options policy-statement export-bgp term 1 from route-filter 172.16.0.0/24 exact
set policy-options policy-statement export-bgp term 1 then accept
set security forwarding-options family inet6 mode packet-based
set security forwarding-options family mpls mode packet-based

1. BGP設定を行う

まずは、NETCONFを活用して、"routing-options"と"protocols"のコンフィグ設定を行います。

$ python create-bgp.py 
------------
1. conn.lock
------------
<rpc-reply message-id="urn:uuid:06ced48c-03d4-11e6-81aa-a45e60ba8c55">
  <ok/>
</rpc-reply>

--------------------------
2. conn.load_configuration
--------------------------
<rpc-reply message-id="urn:uuid:06e4c133-03d4-11e6-ab26-a45e60ba8c55">
  <load-configuration-results>
    <ok/>
  </load-configuration-results>
</rpc-reply>

<rpc-reply message-id="urn:uuid:06f798fd-03d4-11e6-afa3-a45e60ba8c55">
  <load-configuration-results>
    <ok/>
  </load-configuration-results>
</rpc-reply>

----------------
3. conn.validate
----------------
<rpc-reply message-id="urn:uuid:070b022b-03d4-11e6-bca1-a45e60ba8c55">
  <commit-results>
</commit-results>
  <ok/>
</rpc-reply>

-----------------------------
4. conn.compare_configuration
-----------------------------
<rpc-reply message-id="urn:uuid:0a753c47-03d4-11e6-8b4f-a45e60ba8c55">
  <configuration-information>
    <configuration-output>
[edit]
+  routing-options {
+      router-id 10.0.0.1;
+      autonomous-system 65000;
+  }
+  protocols {
+      bgp {
+          group INTERNAL {
+              type internal;
+              export export-bgp;
+              neighbor 192.168.0.2;
+          }
+      }
+  }
</configuration-output>
  </configuration-information>
</rpc-reply>

---------------
5. conn.commit
---------------
<rpc-reply message-id="urn:uuid:0b0273cc-03d4-11e6-a844-a45e60ba8c55">
  <ok/>
</rpc-reply>

---------------
6. conn.unlock
---------------
<rpc-reply message-id="urn:uuid:1663174f-03d4-11e6-bf75-a45e60ba8c55">
  <ok/>
</rpc-reply>

特に、エラーも発生せずに、BGP設定を行うことができたようです。

2. BGP動作を確認してみる

それでは、NETCONFを活用して、"routing-options"と"protocols"のコンフィグ設定が正しく行われたことを確認してみます。

$ python show-bgp.py 
-------------------------------------
1. conn.get_configuration 'protocols'
-------------------------------------
<rpc-reply message-id="urn:uuid:2119510a-03d4-11e6-9a47-a45e60ba8c55">
  <configuration-text>
## Last changed: 2016-04-16 22:06:42 JST
routing-options {
    router-id 10.0.0.1;
    autonomous-system 65000;
}
## Last changed: 2016-04-16 22:06:42 JST
protocols {
    bgp {
        group INTERNAL {
            type internal;
            export export-bgp;
            neighbor 192.168.0.2;
        }
    }
}
</configuration-text>
</rpc-reply>

----------------------------------
2. conn.command 'show bgp summary'
----------------------------------
root@SRX> show bgp summary

Groups: 1 Peers: 1 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet.0                 1          1          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
192.168.0.2           65000          3          4       0       0          18 1/1/1/0              0/0/0/0

-------------------------------------------------------------
3. conn.command 'show route receive-protocol bgp 192.168.0.2'
-------------------------------------------------------------
root@SRX> show route receive-protocol bgp 192.168.0.2


inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
  Prefix		  Nexthop	       MED     Lclpref    AS path
* 172.16.1.0/24           192.168.0.2          0       100        I

さらに、対向BGPルータにて、SRXから配布されたBGP経路が受信できたことを確認してみます。

Quagga-3# show ip bgp
BGP table version is 0, local router ID is 10.0.1.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i172.16.0.0/24    192.168.0.1                   100      0 i
*> 172.16.1.0/24    0.0.0.0                  0         32768 i

Total number of prefixes 2

以上より、NETCONFを活用することにより、NW機器への各種コンフィグ設定／確認が自動的に実施できるよう、Pythonスクリプト化することができました。

事例１「他ユーザが、コンフィグ処理中のとき」

例えば、lo0インタフェースのDescriptionの設定に関わるコンフィグ設定が完了しないときに、NETCONFを活用して、BGP設定を行ってみます。

root@SRX# set interfaces lo0 description lo0_description 

[edit]
root@SRX# show |compare 
[edit interfaces lo0]
+   description lo0_description;

[edit]

$ python create-bgp.py 
------------
1. conn.lock
------------
Error in 'conn.lock': type=[<class 'ncclient.operations.rpc.RPCError'>], message=[
configuration database modified
]
Traceback (most recent call last):
  File "create-bgp.py", line 99, in <module>
    connect('192.168.100.101', 830, 'tsubo', 'xxxxxxxx', config)
  File "create-bgp.py", line 18, in connect
    lock = conn.lock('candidate')
  File "/usr/local/lib/python2.7/site-packages/ncclient/manager.py", line 158, in wrapper
    return self.execute(op_cls, *args, **kwds)
  File "/usr/local/lib/python2.7/site-packages/ncclient/manager.py", line 228, in execute
    raise_mode=self._raise_mode).request(*args, **kwds)
  File "/usr/local/lib/python2.7/site-packages/ncclient/operations/lock.py", line 35, in request
    return self._request(node)
  File "/usr/local/lib/python2.7/site-packages/ncclient/operations/rpc.py", line 336, in _request
    raise self._reply.error
ncclient.operations.rpc.RPCError: 
configuration database modified

事例２「事前設定のコンフィグ不備のとき」

BGP設定サンプルアプリ[create-bgp.py]では、事前にpolicy-statement "export-bgp"を設定しておく必要があります。
ここでは、あえて、事前に、policy-statementを削除してみます。

root@SRX# delete policy-options 

[edit]
root@SRX# show |compare 
[edit]
-  policy-options {
-      policy-statement export-bgp {
-          term 1 {
-              from {
-                  route-filter 172.16.0.0/24 exact;
-              }
-              then accept;
-          }
-      }
-  }

[edit]
root@SRX# commit 
commit complete

[edit]

$ python create-bgp.py 
------------
1. conn.lock
------------
<rpc-reply message-id="urn:uuid:8853948f-0454-11e6-975b-a45e60ba8c55">
  <ok/>
</rpc-reply>

--------------------------
2. conn.load_configuration
--------------------------
<rpc-reply message-id="urn:uuid:88685466-0454-11e6-a6e1-a45e60ba8c55">
  <load-configuration-results>
    <ok/>
  </load-configuration-results>
</rpc-reply>

<rpc-reply message-id="urn:uuid:887ab21c-0454-11e6-bdd1-a45e60ba8c55">
  <load-configuration-results>
    <ok/>
  </load-configuration-results>
</rpc-reply>

----------------
3. conn.validate
----------------
Error in 'conn.validate': type=[<class 'ncclient.operations.rpc.RPCError'>], message=[error: Policy error: Policy export-bgp referenced but not defined
error: BGP: export list not applied
error: configuration check-out failed]
Traceback (most recent call last):
  File "create-bgp.py", line 99, in <module>
    connect('192.168.100.101', 830, 'tsubo', 'xxxxxxxx', config)
  File "create-bgp.py", line 44, in connect
    validate = conn.validate()
  File "/usr/local/lib/python2.7/site-packages/ncclient/manager.py", line 158, in wrapper
    return self.execute(op_cls, *args, **kwds)
  File "/usr/local/lib/python2.7/site-packages/ncclient/manager.py", line 228, in execute
    raise_mode=self._raise_mode).request(*args, **kwds)
  File "/usr/local/lib/python2.7/site-packages/ncclient/operations/edit.py", line 123, in request
    return self._request(node)
  File "/usr/local/lib/python2.7/site-packages/ncclient/operations/rpc.py", line 334, in _request
    raise RPCError(to_ele(self._reply._raw), errs=errors)
ncclient.operations.rpc.RPCError: error: Policy error: Policy export-bgp referenced but not defined
error: BGP: export list not applied
error: configuration check-out failed

(0) 事前準備

前回の記事で設定したBGP関連のコンフィグ設定を、全て削除しておきます。
ただし、OSPF, LDPのコンフィグ設定は、前回のまま活用することとします。

root@vSRX-1# delete protocols bgp     
root@vSRX-1# delete policy-options 

[edit]
root@vSRX-1# show | compare 
[edit protocols]
-   bgp {
-       group INTERNAL {
-           type internal;
-           local-address 10.0.0.1;
-           export export-bgp;
-           neighbor 10.0.0.3;
-       }
-   }
[edit]
-  policy-options {
-      policy-statement export-bgp {
-          term 1 {
-              from {
-                  route-filter 172.16.0.0/30 exact;
-              }
-              then accept;
-          }
-      }
-  }

root@vSRX-1# commit 

vSRX-3では、スタティック経路の設定も削除しておきます。

root@vSRX-3# delete routing-options static

(1) mpBGP / MPLS-VPN基本設定

1. routing-instancesを設定する

root@vSRX-1# set routing-instances VPN-A instance-type vrf  
root@vSRX-1# set routing-instances VPN-A interface ge-0/0/0.0 
root@vSRX-1# set routing-instances VPN-A route-distinguisher 65000:101 
root@vSRX-1# set routing-instances VPN-A vrf-target target:65000:101
root@vSRX-1# show | compare                                            
[edit]
+  routing-instances {
+      VPN-A {
+          instance-type vrf;
+          interface ge-0/0/0.0;
+          route-distinguisher 65000:101;
+          vrf-target target:65000:101;
+      }
+  }

root@vSRX-1# commit

2. protocolsを設定する

root@vSRX-1# set protocols bgp group L3VPN type internal
root@vSRX-1# set protocols bgp group L3VPN local-address 10.0.0.1
root@vSRX-1# set protocols bgp group L3VPN neighbor 10.0.0.3
root@vSRX-1# set protocols bgp group L3VPN family inet-vpn unicast
root@vSRX-1# show | compare 
[edit protocols]
+   bgp {
+       group L3VPN {
+           type internal;
+           local-address 10.0.0.1;
+           family inet-vpn {
+               unicast;
+           }
+           neighbor 10.0.0.3;
+       }
+   }

root@vSRX-1# commit 

3. static routeを設定する
vSRX-3側では、pc2配下のスタティック経路をエントリしておく必要があります。

set routing-instances VPN-A routing-options static route 10.0.0.0/24 next-hop 172.16.1.2
set routing-instances VPN-A routing-options static route 10.0.1.0/24 next-hop 172.16.1.2
set routing-instances VPN-A routing-options static route 10.0.2.0/24 next-hop 172.16.1.2
root@vSRX-3# show | compare                                                                              
[edit routing-instances VPN-A routing-options static]
+      route 10.0.0.0/24 next-hop 172.16.1.2;
+      route 10.0.1.0/24 next-hop 172.16.1.2;
+      route 10.0.2.0/24 next-hop 172.16.1.2;

root@vSRX-3# commit

4. BGP Peerの状態を確認しておく

root@vSRX-1> show bgp neighbor 
Peer: 10.0.0.3+50824 AS 65000  Local: 10.0.0.1+179 AS 65000
  Type: Internal    State: Established    Flags: <Sync>
  Last State: OpenConfirm   Last Event: RecvKeepAlive
  Last Error: None
  Options: <Preference LocalAddress AddressFamily Rib-group Refresh>
  Address families configured: inet-vpn-unicast
  Local Address: 10.0.0.1 Holdtime: 90 Preference: 170
  Number of flaps: 0
  Peer ID: 10.0.0.3        Local ID: 10.0.0.1          Active Holdtime: 90
  Keepalive Interval: 30         Group index: 0    Peer index: 0   
  BFD: disabled, down
  NLRI for restart configured on peer: inet-vpn-unicast
  NLRI advertised by peer: inet-vpn-unicast
  NLRI for this session: inet-vpn-unicast
  Peer supports Refresh capability (2)
  Stale routes from peer are kept for: 300
  Peer does not support Restarter functionality
  NLRI that restart is negotiated for: inet-vpn-unicast
  NLRI of received end-of-rib markers: inet-vpn-unicast
  NLRI of all end-of-rib markers sent: inet-vpn-unicast
  Peer supports 4 byte AS extension (peer-as 65000)
  Peer does not support Addpath
  Table bgp.l3vpn.0
    RIB State: BGP restart is complete
    RIB State: VPN restart is complete
    Send state: not advertising
    Active prefixes:              4
    Received prefixes:            4
    Accepted prefixes:            4
    Suppressed due to damping:    0
  Table VPN-A.inet.0 Bit: 20000
    RIB State: BGP restart is complete
    RIB State: VPN restart is complete
    Send state: in sync
    Active prefixes:              4
    Received prefixes:            4
    Accepted prefixes:            4
    Suppressed due to damping:    0
    Advertised prefixes:          1
  Last traffic (seconds): Received 16   Sent 22   Checked 32  
  Input messages:  Total 137    Updates 8       Refreshes 0     Octets 2973
  Output messages: Total 136    Updates 7       Refreshes 0     Octets 2913
  Output Queue[1]: 0            (VPN-A.inet.0, inet-vpn-unicast)

5. VPN-Aのアドバタイズ経路を確認しておく
通常のBGP設定と異なり、mpBGP/MPLS-VPN設定の場合は、vSRX-3ルータ側でExport policy適用せずとも、アドバタイズされるようです。
対向側（vSRX-3ルータ）からアドバタイズされた経路を受信できるようになりました。

root@vSRX-1> show route receive-protocol bgp 10.0.0.3 table bgp.l3vpn.0    

bgp.l3vpn.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
  65000:101:10.0.0.0/24                    
*                         10.0.0.3                     100        I
  65000:101:10.0.1.0/24                    
*                         10.0.0.3                     100        I
  65000:101:10.0.2.0/24                    
*                         10.0.0.3                     100        I
  65000:101:172.16.1.0/30                    
*                         10.0.0.3                     100        I

つづいて、対向側（vSRX-3ルータ）へのアドバイズを確認してみました。
しかしながら、"172.16.0.0/30"は、アドバタイズされていないようです。

root@vSRX-1> show route advertising-protocol bgp 10.0.0.3                  

VPN-A.inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 172.16.0.0/30           Not advertised               100        I

ここでのトラブル解析として、各々のvSRXルータでのVRFテーブルの保持状態を確認してみます。
まずは、vSRX-1側から確認します。

root@vSRX-1> show route table VPN-A.inet.0                                 

VPN-A.inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.0.0.0/24        *[BGP/170] 00:43:58, localpref 100, from 10.0.0.3
                      AS path: I, validation-state: unverified
                    > to 192.168.0.2 via ge-0/0/1.0, Push 299808, Push 299792(top)
10.0.1.0/24        *[BGP/170] 00:17:30, localpref 100, from 10.0.0.3
                      AS path: I, validation-state: unverified
                    > to 192.168.0.2 via ge-0/0/1.0, Push 299808, Push 299792(top)
10.0.2.0/24        *[BGP/170] 00:17:30, localpref 100, from 10.0.0.3
                      AS path: I, validation-state: unverified
                    > to 192.168.0.2 via ge-0/0/1.0, Push 299808, Push 299792(top)
172.16.0.0/30      *[Direct/0] 01:21:51
                    > via ge-0/0/0.0
172.16.0.2/32      *[Local/0] 01:21:51
                      Local via ge-0/0/0.0
172.16.1.0/30      *[BGP/170] 00:43:58, localpref 100, from 10.0.0.3
                      AS path: I, validation-state: unverified
                    > to 192.168.0.2 via ge-0/0/1.0, Push 299808, Push 299792(top)

問題なく、VRFテーブルは構築できているようです。

つづいて、vSRX-3側でも確認してみます。

root@vSRX-3> show route table VPN-A.inet.0    

VPN-A.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.0.0.0/24        *[Static/5] 00:46:45
                    > to 172.16.1.2 via ge-0/0/1.0
10.0.1.0/24        *[Static/5] 00:20:17
                    > to 172.16.1.2 via ge-0/0/1.0
10.0.2.0/24        *[Static/5] 00:20:17
                    > to 172.16.1.2 via ge-0/0/1.0
172.16.1.0/30      *[Direct/0] 01:12:49
                    > via ge-0/0/1.0
172.16.1.1/32      *[Local/0] 01:12:49
                      Local via ge-0/0/1.0

やはり、vSRX-1側でのダイレクト接続経路"172.16.0.0/30"が、VRFテーブルに保持されておりませんね。
どうやら、pc1側では、スタティック経路が存在しないので、next-hopに該当するダイレクト接続経路"172.16.0.0/30"を、敢えて、BGP経路としてアドバタイズしていないようです。

6. ダイレクト接続経路"172.16.0.0/30"を再配布するには、
CiscoのIOSの"redistribute connected"コマンドのように、BGP経路に再配布する方法をいろいろ試行錯誤してみましたが、うまく行きません。そこで、不本意ながら、default-routeを再配布する方法で、問題回避を試みました。

root@vSRX-1# set routing-instances VPN-A routing-options static route 0.0.0.0/0 next-hop 172.16.0.1    

[edit]
root@vSRX-1# show | compare 
[edit routing-instances VPN-A]
+    routing-options {
+        static {
+            route 0.0.0.0/0 next-hop 172.16.0.1;
+        }
+    }

root@vSRX-1# commit 

とりあえず、vSRX-1側で、ダイレクト接続経路"172.16.0.0/30"をアドバタイズするようになりました。

root@vSRX-1> show route advertising-protocol bgp 10.0.0.3                  

VPN-A.inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 0.0.0.0/0               Self                         100        I
* 172.16.0.0/30           Self                         100        I

改めて、vSRX-3側でのVRFテーブルの保持状態を確認してみます。

root@vSRX-3> show route table VPN-A.inet.0    

VPN-A.inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[BGP/170] 00:03:03, localpref 100, from 10.0.0.1
                      AS path: I, validation-state: unverified
                    > to 192.168.1.1 via ge-0/0/0.0, Push 299824, Push 299776(top)
10.0.0.0/24        *[Static/5] 00:57:51
                    > to 172.16.1.2 via ge-0/0/1.0
10.0.1.0/24        *[Static/5] 00:31:23
                    > to 172.16.1.2 via ge-0/0/1.0
10.0.2.0/24        *[Static/5] 00:31:23
                    > to 172.16.1.2 via ge-0/0/1.0
172.16.0.0/30      *[BGP/170] 00:03:03, localpref 100, from 10.0.0.1
                      AS path: I, validation-state: unverified
                    > to 192.168.1.1 via ge-0/0/0.0, Push 299824, Push 299776(top)
172.16.1.0/30      *[Direct/0] 01:23:55
                    > via ge-0/0/1.0
172.16.1.1/32      *[Local/0] 01:23:55
                      Local via ge-0/0/1.0

今回は、問題なく、VRFテーブルは構築できているようです。

(2) エンド端末間での疎通確認

エンドエンド端末間でpingをうってみましょう。

1. "172.16.1.2"宛にpingをうってみる

tsubo@pc1:~$ ping 172.16.1.2
PING 172.16.1.2 (172.16.1.2) 56(84) bytes of data.
64 bytes from 172.16.1.2: icmp_seq=1 ttl=61 time=0.849 ms
64 bytes from 172.16.1.2: icmp_seq=2 ttl=61 time=0.905 ms
64 bytes from 172.16.1.2: icmp_seq=3 ttl=61 time=0.829 ms
64 bytes from 172.16.1.2: icmp_seq=4 ttl=61 time=0.759 ms
64 bytes from 172.16.1.2: icmp_seq=5 ttl=61 time=0.960 ms
^C
--- 172.16.1.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4001ms
rtt min/avg/max/mdev = 0.759/0.860/0.960/0.073 ms

pingが成功しました！

この時、pc2側でtcpdumpを動作させて、パケットモニタリングしておきます。

root@pc2:~# tcpdump -i eth1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
23:04:48.390124 IP 172.16.0.1 > 172.16.1.2: ICMP echo request, id 2594, seq 1, length 64
23:04:48.390160 IP 172.16.1.2 > 172.16.0.1: ICMP echo reply, id 2594, seq 1, length 64
23:04:49.390956 IP 172.16.0.1 > 172.16.1.2: ICMP echo request, id 2594, seq 2, length 64
23:04:49.390985 IP 172.16.1.2 > 172.16.0.1: ICMP echo reply, id 2594, seq 2, length 64
23:04:50.390871 IP 172.16.0.1 > 172.16.1.2: ICMP echo request, id 2594, seq 3, length 64
23:04:50.390901 IP 172.16.1.2 > 172.16.0.1: ICMP echo reply, id 2594, seq 3, length 64
23:04:51.390847 IP 172.16.0.1 > 172.16.1.2: ICMP echo request, id 2594, seq 4, length 64
23:04:51.390876 IP 172.16.1.2 > 172.16.0.1: ICMP echo reply, id 2594, seq 4, length 64
23:04:52.391451 IP 172.16.0.1 > 172.16.1.2: ICMP echo request, id 2594, seq 5, length 64
23:04:52.391480 IP 172.16.1.2 > 172.16.0.1: ICMP echo reply, id 2594, seq 5, length 64
23:04:53.393256 ARP, Request who-has 172.16.1.1 tell 172.16.1.2, length 28
23:04:53.394175 ARP, Reply 172.16.1.1 is-at 00:0c:29:70:81:a6 (oui Unknown), length 46
^C
12 packets captured
12 packets received by filter
0 packets dropped by kernel

期待通り、ICMP Echo Request / Replyが観測できました。

2. "10.0.0.1"宛にpingをうってみる

tsubo@pc1:~$ ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=61 time=1.68 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=61 time=1.10 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=61 time=0.794 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=61 time=0.975 ms
64 bytes from 10.0.0.1: icmp_seq=5 ttl=61 time=0.763 ms
^C
--- 10.0.0.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 0.763/1.064/1.685/0.334 ms

こちらも、pingが成功しましたね！

この時、pc2側でtcpdumpを動作させて、パケットモニタリングしておきます。

root@pc2:~# tcpdump -i eth1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
23:07:52.149141 IP 172.16.0.1 > 10.0.0.1: ICMP echo request, id 2595, seq 1, length 64
23:07:52.149182 IP 10.0.0.1 > 172.16.0.1: ICMP echo reply, id 2595, seq 1, length 64
23:07:53.150952 IP 172.16.0.1 > 10.0.0.1: ICMP echo request, id 2595, seq 2, length 64
23:07:53.150983 IP 10.0.0.1 > 172.16.0.1: ICMP echo reply, id 2595, seq 2, length 64
23:07:54.152578 IP 172.16.0.1 > 10.0.0.1: ICMP echo request, id 2595, seq 3, length 64
23:07:54.152607 IP 10.0.0.1 > 172.16.0.1: ICMP echo reply, id 2595, seq 3, length 64
23:07:55.151633 IP 172.16.0.1 > 10.0.0.1: ICMP echo request, id 2595, seq 4, length 64
23:07:55.151664 IP 10.0.0.1 > 172.16.0.1: ICMP echo reply, id 2595, seq 4, length 64
23:07:56.153395 IP 172.16.0.1 > 10.0.0.1: ICMP echo request, id 2595, seq 5, length 64
23:07:56.153424 IP 10.0.0.1 > 172.16.0.1: ICMP echo reply, id 2595, seq 5, length 64
23:07:57.152492 ARP, Request who-has 172.16.1.1 tell 172.16.1.2, length 28
23:07:57.153588 ARP, Reply 172.16.1.1 is-at 00:0c:29:70:81:a6 (oui Unknown), length 46
^C
12 packets captured
12 packets received by filter
0 packets dropped by kernel

こちらも、期待通り、ICMP Echo Request / Replyが観測できましたね！
ただし、pc1拠点相当を、さらに追加する場合には、default-routeを再配布する方法は採用できません。
CiscoのIOSの"redistribute connected"コマンド相当をサルベージする必要があるのかもしれません。

(1) vSRXの初期設定

1. rootパスワードを設定する
初期状態では、rootユーザのパスワードは設定されていないので、パスワードを設定する

root# set system root-authentication plain-text-password 
New password:
Retype new password:

2. ホスト名を設定する

root# set system host-name vSRX-1
root# commit

3. タイムゾーンを設定する

root@vSRX-1# set system time-zone Asia/Tokyo 
root@vSRX-1# commit

4. 一般ユーザを作成する

root@vSRX-1# set system login user tsubo class super-user 
root@vSRX-1# set system login user tsubo authentication plain-text-password 
New password:
Retype new password:

5. vSRXの動作モードを変更する
vSRXは、通常、Flow-based forwardingモードで動作しているので、packet-based forwardingモードに変更しておきます。
動作モードの変更を有効にするために、vSRXを再起動します。

root@vSRX-1# delete security 
root@vSRX-1# set security forwarding-options family mpls mode packet-based    
root@vSRX-1# set security forwarding-options family inet6 mode packet-based
root@vSRX-1# commit
root@vSRX-1# exit 
Exiting configuration mode

root@vSRX-1> request system reboot
Reboot the system ? [yes,no] (no) yes 

Shutdown NOW!

すると、packet basedに変更されたことが確認できるようになります。

root@vSRX-1> show security flow status 
  Flow forwarding mode:
    Inet forwarding mode: packet based
    Inet6 forwarding mode: packet based
    MPLS forwarding mode: packet based
    ISO forwarding mode: drop
  Flow trace status
    Flow tracing status: off
  Flow session distribution
    Distribution mode: RR-based
  Flow ipsec performance acceleration: off
  Flow packet ordering
    Ordering mode: Hardware

6. rootユーザでのsshログインを許可する

root@vSRX-1# set system services ssh root-login allow

7. ge-0/0/0.0にアドレスを付与する

root@vSRX-1# set interfaces ge-0/0/0 unit 0 family inet address 192.168.0.1/24
root@vSRX-1# commit

root@vSRX-1# run show interfaces ge-0/0/0.0 brief 
  Logical interface ge-0/0/0.0 
    Flags: Up SNMP-Traps 0x4000 Encapsulation: ENET2
    Security: Zone: Null
    inet  192.168.0.1/24  

8. ループバックを設定する

root@vSRX-1# set interfaces lo0 unit 0 family inet address 10.0.0.1 
root@vSRX-1# commit

root@vSRX-1# run show interfaces lo0.0 brief  
  Logical interface lo0.0 
    Flags: Down SNMP-Traps Encapsulation: Unspecified
    Security: Zone: Null
    inet  10.0.0.1         --> 0/0

(2) BGP基本設定

1. 対向vSRXとの疎通性を確認しておく

root@vSRX-1# run ping 192.168.0.2 count 5   
PING 192.168.0.2 (192.168.0.2): 56 data bytes
64 bytes from 192.168.0.2: icmp_seq=0 ttl=64 time=3.993 ms
64 bytes from 192.168.0.2: icmp_seq=1 ttl=64 time=1.605 ms
64 bytes from 192.168.0.2: icmp_seq=2 ttl=64 time=1.101 ms
64 bytes from 192.168.0.2: icmp_seq=3 ttl=64 time=3.063 ms
64 bytes from 192.168.0.2: icmp_seq=4 ttl=64 time=1.969 ms

--- 192.168.0.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.101/2.346/3.993/1.046 ms

2. routing-optionを設定する

root@vSRX-1# set routing-options router-id 10.0.0.1 autonomous-system 65000 
root@vSRX-1# show | compare 
[edit]
+  routing-options {
+      router-id 10.0.0.1;
+      autonomous-system 65000;
+  }

root@vSRX-1# commit

3. protocolsを設定する

root@vSRX-1# set protocols bgp group INTERNAL type internal neighbor 192.168.0.2
root@vSRX-1# show | compare                                                 
[edit]
+  protocols {
+      bgp {
+          group INTERNAL {
+              type internal;
+              neighbor 192.168.0.2;
+          }
+      }
+  }

root@vSRX-1# commit  

4. BGP Peerの状態を確認しておく

root@vSRX-1> show bgp neighbor    
Peer: 192.168.0.2+55175 AS 65000 Local: 192.168.0.1+179 AS 65000
  Type: Internal    State: Established    Flags: <Sync>
  Last State: OpenConfirm   Last Event: RecvKeepAlive
  Last Error: Open Message Error
  Options: <Preference Refresh>
  Holdtime: 90 Preference: 170
  Number of flaps: 0
  Error: 'Open Message Error' Sent: 3 Recv: 0
  Peer ID: 10.0.0.2        Local ID: 10.0.0.1          Active Holdtime: 90
  Keepalive Interval: 30         Group index: 0    Peer index: 0   
  BFD: disabled, down
  NLRI for restart configured on peer: inet-unicast
  NLRI advertised by peer: inet-unicast
  NLRI for this session: inet-unicast
  Peer supports Refresh capability (2)
  Stale routes from peer are kept for: 300
  Peer does not support Restarter functionality
  NLRI that restart is negotiated for: inet-unicast
  NLRI of received end-of-rib markers: inet-unicast
  NLRI of all end-of-rib markers sent: inet-unicast
  Peer supports 4 byte AS extension (peer-as 65000)
  Peer does not support Addpath
  Table inet.0 Bit: 10000
    RIB State: BGP restart is complete
    Send state: in sync
    Active prefixes:              0
    Received prefixes:            0
    Accepted prefixes:            0
    Suppressed due to damping:    0
    Advertised prefixes:          0
  Last traffic (seconds): Received 3    Sent 3    Checked 83  
  Input messages:  Total 6      Updates 1       Refreshes 0     Octets 158
  Output messages: Total 6      Updates 0       Refreshes 0     Octets 177
  Output Queue[0]: 0            (inet.0, inet-unicast)

(3) down-link側の設定

1. ge-0/0/1.0にアドレスを付与する

root@vSRX-1# set interfaces ge-0/0/1 unit 0 family inet address 172.16.0.1/24 
root@vSRX-1# show | compare                                                      
[edit interfaces]
+   ge-0/0/1 {
+       unit 0 {
+           family inet {
+               address 172.16.0.1/24;
+           }
+       }
+   }

root@vSRX-1# commit 

2. Export policy作成と適用
自分が保持している経路を、BGP Peerに対して、アドバタイズするには、Export policyを作成して、BGPピアのGroupに適用する必要があるようです。

root@vSRX-1# set policy-options policy-statement export-bgp term 1 from route-filter 172.16.0.0/24 exact    
root@vSRX-1# set policy-options policy-statement export-bgp term 1 then accept 
root@vSRX-1# set protocols bgp group INTERNAL export export-bgp  
root@vSRX-1# show | compare 
[edit protocols bgp group INTERNAL]
+    export export-bgp;
[edit]
+  policy-options {
+      policy-statement export-bgp {
+          term 1 {
+              from {
+                  route-filter 172.16.0.0/24 exact;
+              }
+              then accept;
+          }
+      }
+  }

root@vSRX-1# commit 

すると、自分が保持している経路をアドバタイズするようになりました。

root@vSRX-1> show route advertising-protocol bgp 192.168.0.2 

inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 172.16.0.0/24           Self                         100        I

さらに、対向側でもExport policy作成と適用してみると、アドバタイズされた経路を受信できるようになりました。

root@vSRX-1> show route receive-protocol bgp 192.168.0.2 

inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 172.16.1.0/24           192.168.0.2                  100        I

(4) エンド端末間での疎通確認

tsubo@pc1:~$ ping 172.16.1.2
PING 172.16.1.2 (172.16.1.2) 56(84) bytes of data.
64 bytes from 172.16.1.2: icmp_seq=1 ttl=62 time=83.3 ms
64 bytes from 172.16.1.2: icmp_seq=2 ttl=62 time=0.584 ms
64 bytes from 172.16.1.2: icmp_seq=3 ttl=62 time=0.701 ms
64 bytes from 172.16.1.2: icmp_seq=4 ttl=62 time=0.634 ms
64 bytes from 172.16.1.2: icmp_seq=5 ttl=62 time=0.678 ms
^C
--- 172.16.1.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4001ms
rtt min/avg/max/mdev = 0.584/17.194/83.377/33.091 ms

(1) BGP経路監視ツール"bgpSimulator"

BGP経路監視ツール"bgpSimulator"は、”BMP処理部"と"BGPパス計算部"から構成されております。
前者は、Ryu BMP Serverを活用した実装コードになっております。また、後者は、Ryu BGPコードを改造して実現しております。

なお、動作としては、以下のような処理の流れによって実現しております。
1. まず、BGP経路監視ツール"bgpSimulator"の起動時に、CSR1000vのBGP構成をシミュレーション面として構築する
2. CSR1000vで、adj-RIB-inが変化したタイミングで、BGP UpdateメッセージをBMP情報として通知する
3. bgpSimulatorは、受信したBMP情報からBGP Updateメッセージを抽出する
4. bgpSimulatorは、"BGP1"のBGPシミュレーション面のadj-RIB-inに、BGP Ipdateメッセージを注入する
5. bgpSimulatorは、BGPシミュレーション面のadj-RIB-inの更新を契機に、BGPパス計算を行い、RIB-localに保持する
6. オペレータは、bgpSimulatorのコマンド上から、RIB-local情報を参照する

(2) BGP検証環境

全体のNWトポロジは、こんな感じです。CSR1000vは、BGP1の箇所に配備しております。

ちなみに、bgpSimulatorツールを起動した後に、"BGP6"ルータで、プレフィックス"172.16.0.0/24"を追加した上で、BGP経路監視の様子を確認しております。

(3) 動作結果の確認

まずは、bgpSimulatorツール起動後に、BMP情報を受信した様子を確認しておきます。

$ sudo ryu-manager bgpSimulator.py
loading app bgpSimulator.py
creating context wsgi
instantiating app None of SimpleBGPSpeaker
creating context bgps
instantiating app bgpSimulator.py of BgpSimulator
(3684) wsgi starting up on http://0.0.0.0:8080/
(3684) accepted ('127.0.0.1', 50301)

... (snip)

BMP client connected, ip=192.168.100.1, port=14855
Start BMP session!! [192.168.100.1]
Received BMPPeerUpNotification, peer=[10.0.0.1]
Received BMPRouteMonitoring=[{'received_time': '2015/12/10 23:33:44', 'message_type': 'BGP_RouteRefresh'}], peer=[10.0.0.1]
Received BMPRouteMonitoring=[{'received_time': '2015/12/10 23:33:44', 'message_type': 'BGP_RouteRefresh'}], peer=[10.0.0.1]
Received BMPPeerUpNotification, peer=[10.0.1.2]
Received BMPRouteMonitoring=[{'path_attributes': {'ORIGIN': '?', 'EXTENDED_COMMUNITIES': ['65010:101'], 'AS_PATH': [[65010]], 'MP_REACH_NLRI': {'nexthop': '192.168.101.101', 'nlri': [{'prefix': '192.168.2.0/24', 'label_list': [20], 'route_dist': '65010:101'}, {'prefix': '172.16.0.0/24', 'label_list': [22], 'route_dist': '65010:101'}]}}, 'received_time': '2015/12/10 23:33:44', 'message_type': 'BGP_Update'}], peer=[10.0.0.1]
Received BMPRouteMonitoring=[{'received_time': '2015/12/10 23:33:44', 'message_type': 'BGP_RouteRefresh'}], peer=[10.0.0.1]
Received BMPRouteMonitoring=[{'received_time': '2015/12/10 23:33:44', 'message_type': 'BGP_RouteRefresh'}], peer=[10.0.0.1]
Received BMPRouteMonitoring=[{'received_time': '2015/12/10 23:33:44', 'message_type': 'BGP_RouteRefresh'}], peer=[10.0.1.2]
Received BMPRouteMonitoring=[{'received_time': '2015/12/10 23:33:44', 'message_type': 'BGP_RouteRefresh'}], peer=[10.0.1.2]
Received BMPPeerUpNotification, peer=[10.0.1.3]
Received BMPRouteMonitoring=[{'received_time': '2015/12/10 23:33:44', 'message_type': 'BGP_RouteRefresh'}], peer=[10.0.1.2]
Received BMPRouteMonitoring=[{'path_attributes': {'ORIGIN': '?', 'MP_REACH_NLRI': {'nexthop': '192.168.104.102', 'nlri': [{'prefix': '192.168.2.0/24', 'label_list': [20], 'route_dist': '65010:101'}, {'prefix': '172.16.0.0/24', 'label_list': [22], 'route_dist': '65010:101'}]}, 'AS_PATH': [[65010]], 'MULTI_EXIT_DISC': 0, 'LOCAL_PREF': 100, 'EXTENDED_COMMUNITIES': ['65010:101']}, 'received_time': '2015/12/10 23:33:44', 'message_type': 'BGP_Update'}], peer=[10.0.1.2]
Received BMPRouteMonitoring=[{'received_time': '2015/12/10 23:33:44', 'message_type': 'BGP_RouteRefresh'}], peer=[10.0.1.2]
Received BMPRouteMonitoring=[{'received_time': '2015/12/10 23:33:44', 'message_type': 'BGP_RouteRefresh'}], peer=[10.0.1.3]
Received BMPRouteMonitoring=[{'received_time': '2015/12/10 23:33:44', 'message_type': 'BGP_RouteRefresh'}], peer=[10.0.1.3]
Received BMPRouteMonitoring=[{'received_time': '2015/12/10 23:33:44', 'message_type': 'BGP_RouteRefresh'}], peer=[10.0.1.3]
Received BMPRouteMonitoring=[{'path_attributes': {'ORIGIN': '?', 'MP_REACH_NLRI': {'nexthop': '192.168.105.102', 'nlri': [{'prefix': '192.168.1.0/24', 'label_list': [18], 'route_dist': '65010:101'}]}, 'AS_PATH': [], 'MULTI_EXIT_DISC': 0, 'LOCAL_PREF': 100, 'EXTENDED_COMMUNITIES': ['65010:101']}, 'received_time': '2015/12/10 23:33:44', 'message_type': 'BGP_Update'}], peer=[10.0.1.3]
Received BMPRouteMonitoring=[{'received_time': '2015/12/10 23:33:44', 'message_type': 'BGP_RouteRefresh'}], peer=[10.0.1.3]

さらに、CSR1000v上のBGPテーブルと、bgpSimulatorル上のBGPテーブルを比較してみます。

CSR1000v上のBGPテーブル

BGP1>show bgp vpnv4 unicast all
BGP table version is 68, local router ID is 10.0.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 65010:101
 *>  172.16.0.0/24    192.168.101.101                        0 65010 ?
 * i                  192.168.104.102          0    100      0 65010 ?
 *>i 192.168.1.0      192.168.105.102          0    100      0 ?
 *>  192.168.2.0      192.168.101.101                        0 65010 ?
 * i                  192.168.104.102          0    100      0 65010 ?

bgpSimulator上のBGPテーブル

$ ./get_rib.sh

Status codes: * valid, > best
Origin codes: i - IGP, e - EGP, ? - incomplete
     Network                          Labels   Next Hop             Reason          Metric LocPrf Path
 *>  65010:101:192.168.2.0/24         [20]     192.168.101.101      ASN                           65010 ?
 *                                    [20]     192.168.104.102                      0      100    65010 ?
 *>  65010:101:172.16.0.0/24          [22]     192.168.101.101      ASN                           65010 ?
 *                                    [22]     192.168.104.102                      0      100    65010 ?
 *>  65010:101:192.168.1.0/24         [18]     192.168.105.102      Only Path       0      100    ?

CSR1000vのBGPテーブルと、bgpSimulatorのBGPテーブルは、同じBGPパス情報を保持しています。

(4) BGP Peerダウン時の動作結果の確認

今度は、BGP4〜１BGP1との間のBGP Peerがダウンさせてみます。

bgpSimulatorツールを起動したターミナル上には、BMPPeerDownNotificationを受信した旨が表示されます。

$ sudo rya-manager bgpSimulator.py

... (snip)

Received BMPPeerDownNotification, peer=[10.0.0.1]

つづいて、CSR1000v上のBGPテーブルと、bgpSimulatorル上のBGPテーブルを比較してみます。

CSR1000v上のBGPテーブル
CSR1000vのBGPテーブルでは、BGP4〜１BGP1との間のBGP Peerがダウンに基づき、BGPパス再計算が行われたため、nexthopが変化している様子がわかります。

BGP1>show bgp vpnv4 unicast all
BGP table version is 70, local router ID is 10.0.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 65010:101
 *>i 172.16.0.0/24    192.168.104.102          0    100      0 65010 ?
 *>i 192.168.1.0      192.168.105.102          0    100      0 ?
 *>i 192.168.2.0      192.168.104.102          0    100      0 65010 ?

bgpSimulator上のBGPテーブル
一方、BGP経路監視ツール"bgpSimulator"では、”PeerDownNotification”を受信した場合ても、BGPパス再計算を実施するようには実装しておりません。
よって、 bgpSimulatorのBGPテーブルは、BGP4〜１BGP1との間のBGP Peerがダウン前のBGPパス情報からnexthopの変化は観測されません。

$ ./get_rib.sh 

Status codes: * valid, > best
Origin codes: i - IGP, e - EGP, ? - incomplete
     Network                          Labels   Next Hop             Reason          Metric LocPrf Path
 *>  65010:101:192.168.2.0/24         [20]     192.168.101.101      ASN                           65010 ?
 *                                    [20]     192.168.104.102                      0      100    65010 ?
 *>  65010:101:172.16.0.0/24          [22]     192.168.101.101      ASN                           65010 ?
 *                                    [22]     192.168.104.102                      0      100    65010 ?
 *>  65010:101:192.168.1.0/24         [18]     192.168.105.102      Only Path       0      100    ?

BGP Peerダウンが発生すると、CSR1000vのBGPテーブルと、bgpSimulatorのBGPテーブルは、同じBGPパス情報を保持しないという特徴をうまく活用してあげれば、BGP経路監視の観点で、早期にBGP障害を検知することが可能になるかもしれません。

以上より、BGP動作履歴を管理するには、BMPが有効であることが確認できました。