additional-path
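Overview
In a Hub-Spoke deployment, each Spoke usually builds several VPN tunnels to the Hub over multiple links (for example ISP1, ISP2, MPLS). Once BGP is up, the Hub may advertise only a single path when it reflects other Spokes' routes to a Spoke, so the Spoke cannot make a better path selection or load-share across multiple paths.
Enabling the BGP Additional Path mechanism (additional-path-select and adv-additional-path) lets the Hub advertise multiple equal-cost paths to the Spokes, so that each Spoke correctly learns multiple routes, which improves Hub-Spoke performance and stability.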
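Network topology

- IPSec VPN:
  - The Hub has 3 ISP links, each hosting one dynamic-mode IPSec tunnel for the Spokes to dial in to.
  - Spoke1 and Spoke2 each have 3 matching ISP links, connected one-to-one to the Hub's 3 IPSec tunnels.
- BGP:
  - Each Spoke establishes iBGP neighbors with the Hub's 3 tunnels over its own 3 IPSec tunnels and advertises its internal routes.
  - The Hub acts as the BGP RR and reflects iBGP routes between the Spokes.
  - The Hub needs to load-balance routes to the Spokes across the 3 IPSec tunnels, and the Spokes need to load-balance routes to the Hub and to the other Spoke across the 3 IPSec tunnels.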
Configuration steps
Basic network and security policy configuration (omitted).
Hub
Configure the Hub's 3 dynamic-mode IPSec VPN tunnels for the Spokes to dial in to. Enable `exchange-interface-ip` to exchange tunnel interface IPs, and disable `add-route`.

```
config vpn ipsec phase1-interface
    edit "vpn_line1"
        set type dynamic
        set interface "port2"
        set ike-version 2
        set peertype any
        set net-device disable
        set exchange-interface-ip enable
        set proposal aes128-sha256
        set add-route disable
        set dpd on-idle
        set psksecret xxxxxx
        set dpd-retryinterval 60
    next
    edit "vpn_line2"
        set type dynamic
        set interface "port3"
        set ike-version 2
        set peertype any
        set net-device disable
        set exchange-interface-ip enable
        set proposal aes128-sha256
        set add-route disable
        set dpd on-idle
        set psksecret xxxxxx
        set dpd-retryinterval 60
    next
    edit "vpn_line3"
        set type dynamic
        set interface "port4"
        set ike-version 2
        set peertype any
        set net-device disable
        set exchange-interface-ip enable
        set proposal aes128-sha256
        set add-route disable
        set dpd on-idle
        set psksecret xxxxxx
        set dpd-retryinterval 60
    next
end
config vpn ipsec phase2-interface
    edit "vpn_line1"
        set phase1name "vpn_line1"
        set proposal aes128-sha1
        set keepalive enable
    next
    edit "vpn_line2"
        set phase1name "vpn_line2"
        set proposal aes128-sha1
        set keepalive enable
    next
    edit "vpn_line3"
        set phase1name "vpn_line3"
        set proposal aes128-sha1
        set keepalive enable
    next
end
```

Configure the Hub's IPSec tunnel IP addresses according to the topology; they are used to establish iBGP neighbors with the Spokes.

```
config system interface
    edit "vpn_line1"
        set ip 169.254.10.254 255.255.255.255
        set allowaccess ping
        set remote-ip 169.254.10.254 255.255.255.0
    next
    edit "vpn_line2"
        set ip 169.254.20.254 255.255.255.255
        set allowaccess ping
        set remote-ip 169.254.20.254 255.255.255.0
    next
    edit "vpn_line3"
        set ip 169.254.30.254 255.255.255.255
        set allowaccess ping
        set remote-ip 169.254.30.254 255.255.255.0
    next
end
```

On each of the Hub's 3 IPSec tunnels, configure a BGP neighbor group and neighbor range to accept iBGP sessions from the Spokes, enable the RR function in each neighbor group, and advertise the Hub's own internal route.

Tip
Because iBGP routes need to be load-balanced across multiple links, `ibgp-multipath` must be enabled. For the underlying principle, see the Routing → Dynamic Routing → BGP → BGP Multipath chapter.

```
config router bgp
    set as 10086
    set router-id 169.254.10.254
    set ibgp-multipath enable
    config neighbor-group
        edit "vpn_line1"
            set soft-reconfiguration enable
            set interface "vpn_line1"
            set remote-as 10086
            set route-reflector-client enable
        next
        edit "vpn_line2"
            set soft-reconfiguration enable
            set interface "vpn_line2"
            set remote-as 10086
            set route-reflector-client enable
        next
        edit "vpn_line3"
            set soft-reconfiguration enable
            set interface "vpn_line3"
            set remote-as 10086
            set route-reflector-client enable
        next
    end
    config neighbor-range
        edit 1
            set prefix 169.254.10.0 255.255.255.0
            set neighbor-group "vpn_line1"
        next
        edit 2
            set prefix 169.254.20.0 255.255.255.0
            set neighbor-group "vpn_line2"
        next
        edit 3
            set prefix 169.254.30.0 255.255.255.0
            set neighbor-group "vpn_line3"
        next
    end
    config network
        edit 1
            set prefix 10.10.254.0 255.255.255.0
        next
    end
end
```
Spoke1
Configure Spoke1's 3 IPSec VPN tunnels, each connecting to one of the Hub's 3 IPSec tunnels. Enable `exchange-interface-ip` to exchange tunnel interface IPs.

```
config vpn ipsec phase1-interface
    edit "vpn_line1"
        set interface "port2"
        set ike-version 2
        set peertype any
        set exchange-interface-ip enable
        set proposal aes128-sha256
        set dpd on-idle
        set remote-gw 202.103.7.2
        set psksecret xxxxxx
    next
    edit "vpn_line2"
        set interface "port3"
        set ike-version 2
        set peertype any
        set exchange-interface-ip enable
        set proposal aes128-sha256
        set dpd on-idle
        set remote-gw 202.103.8.2
        set psksecret xxxxxx
    next
    edit "vpn_line3"
        set interface "port4"
        set ike-version 2
        set peertype any
        set exchange-interface-ip enable
        set proposal aes128-sha256
        set dpd on-idle
        set remote-gw 202.103.9.2
        set psksecret xxxxxx
    next
end
config vpn ipsec phase2-interface
    edit "vpn_line1"
        set phase1name "vpn_line1"
        set proposal aes128-sha1
        set auto-negotiate enable
    next
    edit "vpn_line2"
        set phase1name "vpn_line2"
        set proposal aes128-sha1
        set auto-negotiate enable
    next
    edit "vpn_line3"
        set phase1name "vpn_line3"
        set proposal aes128-sha1
        set auto-negotiate enable
    next
end
```

Configure Spoke1's IPSec tunnel IP addresses according to the topology; they are used to establish iBGP neighbors with the Hub.

```
config system interface
    edit "vpn_line1"
        set ip 169.254.10.1 255.255.255.255
        set allowaccess ping
        set remote-ip 169.254.10.254 255.255.255.0
    next
    edit "vpn_line2"
        set ip 169.254.20.1 255.255.255.255
        set allowaccess ping
        set remote-ip 169.254.20.254 255.255.255.0
    next
    edit "vpn_line3"
        set ip 169.254.30.1 255.255.255.255
        set allowaccess ping
        set remote-ip 169.254.30.254 255.255.255.0
    next
end
```

On each of Spoke1's 3 IPSec tunnels, configure a BGP neighbor to initiate an iBGP session to the Hub, and advertise Spoke1's own internal route.

Tip
Because iBGP routes need to be load-balanced across multiple links, `ibgp-multipath` must be enabled. For the underlying principle, see the Routing → Dynamic Routing → BGP → BGP Multipath chapter.

```
config router bgp
    set as 10086
    set router-id 169.254.10.1
    set ibgp-multipath enable
    config neighbor
        edit "169.254.10.254"
            set soft-reconfiguration enable
            set interface "vpn_line1"
            set remote-as 10086
            set update-source "vpn_line1"
        next
        edit "169.254.20.254"
            set soft-reconfiguration enable
            set interface "vpn_line2"
            set remote-as 10086
            set update-source "vpn_line2"
        next
        edit "169.254.30.254"
            set soft-reconfiguration enable
            set interface "vpn_line3"
            set remote-as 10086
            set update-source "vpn_line3"
        next
    end
    config network
        edit 1
            set prefix 10.10.1.0 255.255.255.0
        next
    end
end
```
Spoke2
The configuration is essentially the same as Spoke1.

Configure Spoke2's 3 IPSec VPN tunnels, each connecting to one of the Hub's 3 IPSec tunnels. Enable `exchange-interface-ip` to exchange tunnel interface IPs.

```
config vpn ipsec phase1-interface
    edit "vpn_line1"
        set interface "port2"
        set ike-version 2
        set peertype any
        set exchange-interface-ip enable
        set proposal aes128-sha256
        set dpd on-idle
        set remote-gw 202.103.7.2
        set psksecret xxxxxx
    next
    edit "vpn_line2"
        set interface "port3"
        set ike-version 2
        set peertype any
        set exchange-interface-ip enable
        set proposal aes128-sha256
        set dpd on-idle
        set remote-gw 202.103.8.2
        set psksecret xxxxxx
    next
    edit "vpn_line3"
        set interface "port4"
        set ike-version 2
        set peertype any
        set exchange-interface-ip enable
        set proposal aes128-sha256
        set dpd on-idle
        set remote-gw 202.103.9.2
        set psksecret xxxxxx
    next
end
config vpn ipsec phase2-interface
    edit "vpn_line1"
        set phase1name "vpn_line1"
        set proposal aes128-sha1
        set auto-negotiate enable
    next
    edit "vpn_line2"
        set phase1name "vpn_line2"
        set proposal aes128-sha1
        set auto-negotiate enable
    next
    edit "vpn_line3"
        set phase1name "vpn_line3"
        set proposal aes128-sha1
        set auto-negotiate enable
    next
end
```

Configure Spoke2's IPSec tunnel IP addresses according to the topology; they are used to establish iBGP neighbors with the Hub.

```
config system interface
    edit "vpn_line1"
        set ip 169.254.10.2 255.255.255.255
        set allowaccess ping
        set remote-ip 169.254.10.254 255.255.255.0
    next
    edit "vpn_line2"
        set ip 169.254.20.2 255.255.255.255
        set allowaccess ping
        set remote-ip 169.254.20.254 255.255.255.0
    next
    edit "vpn_line3"
        set ip 169.254.30.2 255.255.255.255
        set allowaccess ping
        set remote-ip 169.254.30.254 255.255.255.0
    next
end
```

On each of Spoke2's 3 IPSec tunnels, configure a BGP neighbor to initiate an iBGP session to the Hub, and advertise Spoke2's own internal route.

Tip
Because iBGP routes need to be load-balanced across multiple links, `ibgp-multipath` must be enabled. For the underlying principle, see the Routing → Dynamic Routing → BGP → BGP Multipath chapter.

```
config router bgp
    set as 10086
    set router-id 169.254.10.2
    set ibgp-multipath enable
    config neighbor
        edit "169.254.10.254"
            set soft-reconfiguration enable
            set interface "vpn_line1"
            set remote-as 10086
            set update-source "vpn_line1"
        next
        edit "169.254.20.254"
            set soft-reconfiguration enable
            set interface "vpn_line2"
            set remote-as 10086
            set update-source "vpn_line2"
        next
        edit "169.254.30.254"
            set soft-reconfiguration enable
            set interface "vpn_line3"
            set remote-as 10086
            set update-source "vpn_line3"
        next
    end
    config network
        edit 1
            set prefix 10.10.2.0 255.255.255.0
        next
    end
end
```
Initial state
On the Hub, check the BGP routes in the routing table. The Hub has learned the BGP routes advertised by Spoke1 and Spoke2 over all 3 paths from each of them, as expected.

```
Hub # get router info routing-table all
Routing table for VRF=0
B       10.10.1.0/24 [200/0] via 169.254.10.1 (recursive is directly connected, vpn_line1), 10:31:39, [1/0]
                     [200/0] via 169.254.20.1 (recursive is directly connected, vpn_line2), 10:31:39, [1/0]
                     [200/0] via 169.254.30.1 (recursive is directly connected, vpn_line3), 10:31:39, [1/0]
B       10.10.2.0/24 [200/0] via 169.254.10.2 (recursive is directly connected, vpn_line1), 10:31:19, [1/0]
                     [200/0] via 169.254.20.2 (recursive is directly connected, vpn_line2), 10:31:19, [1/0]
                     [200/0] via 169.254.30.2 (recursive is directly connected, vpn_line3), 10:31:19, [1/0]
......
S       169.254.10.0/24 [5/0] via vpn_line1 tunnel 202.103.7.2, [1/0]
C       169.254.10.1/32 is directly connected, vpn_line1
......
```

On Spoke1, check the BGP routes in the routing table. The routes to the Hub's internal network learned from the Hub are load-shared across the 3 IPSec tunnels, as expected. However, the 3 BGP routes of Spoke2 reflected by the Hub (10.10.2.0/24, `[3]`) have only one next hop (169.254.10.2, Spoke2's vpn_line1). (The same is true on Spoke2.)

```
Spoke1 # get router info routing-table bgp
Routing table for VRF=0
B       10.10.254.0/24 [200/0] via 169.254.10.254 (recursive via vpn_line1 tunnel 202.103.7.2), 00:00:17, [1/0]
                       [200/0] via 169.254.20.254 (recursive via vpn_line2 tunnel 202.103.8.2), 00:00:17, [1/0]
                       [200/0] via 169.254.30.254 (recursive via vpn_line3 tunnel 202.103.9.2), 00:00:17, [1/0]
B       10.10.2.0/24 [200/0] via 169.254.10.2 [3] (recursive via vpn_line1 tunnel 202.103.7.2), 00:00:43, [1/0]
```

Spoke1's BGP route state shows that although Spoke1 did receive the Spoke2 route reflected by the Hub over each of the 3 tunnels, the next hop is Spoke2's vpn_line1 IP in every case, so all of the routes recurse to vpn_line1.

```
Spoke1 # get router info bgp network 10.10.2.0
VRF 0 BGP routing table entry for 10.10.2.0/24
Paths: (3 available, best #1, table Default-IP-Routing-Table)
  Not advertised to any peer
  Original VRF 0
  Local
    169.254.10.2 from 169.254.10.254 (169.254.10.2)
      Origin IGP distance 200 metric 0, localpref 100, valid, internal, best
      Originator: 169.254.10.2, Cluster list: 169.254.10.254
      Last update: Wed Dec 3 16:23:58 2025
  Original VRF 0
  Local
    169.254.10.2 from 169.254.30.254 (169.254.10.2)
      Origin IGP distance 200 metric 0, localpref 100, valid, internal
      Originator: 169.254.10.2, Cluster list: 169.254.10.254
      Last update: Wed Dec 3 16:23:57 2025
  Original VRF 0
  Local
    169.254.10.2 from 169.254.20.254 (169.254.10.2)
      Origin IGP distance 200 metric 0, localpref 100, valid, internal
      Originator: 169.254.10.2, Cluster list: 169.254.10.254
      Last update: Wed Dec 3 16:23:57 2025
```

On the Hub, check the Spoke2 BGP route (10.10.2.0/24) reflected to Spoke1's 3 neighbors over the 3 tunnels: the next hop is 169.254.10.2 (Spoke2's vpn_line1) in every case.

```
Hub # get router info bgp neighbors 169.254.10.1 advertised-routes | grep 10.10.2.0/24
*>i10.10.2.0/24 169.254.10.2 100 0 0 i <-/->
Hub # get router info bgp neighbors 169.254.20.1 advertised-routes | grep 10.10.2.0/24
*>i10.10.2.0/24 169.254.10.2 100 0 0 i <-/->
Hub # get router info bgp neighbors 169.254.30.1 advertised-routes | grep 10.10.2.0/24
*>i10.10.2.0/24 169.254.10.2 100 0 0 i <-/->
```

This happens because, with the current configuration, the Hub's routing table does contain 3 BGP routes from Spoke2, but the Hub advertises only the best path (Best Path, 169.254.10.2) to Spoke1, so Spoke1 learns 3 Spoke2 routes that all have the same next hop.

```
Hub # get router info bgp network 10.10.2.0
VRF 0 BGP routing table entry for 10.10.2.0/24
Paths: (3 available, best #3, table Default-IP-Routing-Table)
  Advertised to peer-groups:
   Hub_line1 Hub_line2 Hub_line3
  Original VRF 0
  Local, (Received from a RR-client)
    169.254.30.2 from 169.254.30.2 (169.254.10.2)
      Origin IGP distance 200 metric 0, localpref 100, valid, internal
      Last update: Tue Dec 2 14:56:56 2025
  Original VRF 0
  Local, (Received from a RR-client)
    169.254.20.2 from 169.254.20.2 (169.254.10.2)
      Origin IGP distance 200 metric 0, localpref 100, valid, internal
      Last update: Tue Dec 2 14:56:40 2025
  Original VRF 0
  Local, (Received from a RR-client)
    169.254.10.2 from 169.254.10.2 (169.254.10.2)
      Origin IGP distance 200 metric 0, localpref 100, valid, internal, best
      Last update: Tue Dec 2 14:56:35 2025
```
Enabling additional-path
Enable the BGP Additional Path mechanism so that the Hub and the Spokes can advertise and learn multiple equal-cost BGP paths.
Configure BGP additional-path on the Hub.

```
config router bgp
    set additional-path enable
    set additional-path-select 3
    config neighbor-group
        edit "Hub_line1"
            set additional-path send
            set adv-additional-path 3
        next
        edit "Hub_line2"
            set additional-path send
            set adv-additional-path 3
        next
        edit "Hub_line3"
            set additional-path send
            set adv-additional-path 3
        next
    end
end
```

- `set additional-path enable`: the master switch for BGP additional-path route learning; it must be enabled on the Hub (RR).
- `set additional-path-select 3`: the default is 2. Among routes with the same BGP attributes but different next hops, at most 3 are selected as `best` routes.
- `set additional-path send`: during BGP negotiation, advertises the IPv4 additional-path capability in the send direction to the BGP neighbor, that is, this side is able to send additional-path routes. `both` can also be used.
- `set adv-additional-path 3`: the default is 2. The maximum number of paths advertised to each neighbor for IPv4 routes. It can only be configured with `set additional-path send` or `set additional-path both`.

Configure BGP additional-path on Spoke1 and Spoke2; only `set additional-path receive` is needed in the neighbor configuration.

```
config router bgp
    config neighbor
        edit "169.254.10.254"
            set additional-path receive
        next
        edit "169.254.20.254"
            set additional-path receive
        next
        edit "169.254.30.254"
            set additional-path receive
        next
    end
end
```

- `set additional-path receive`: during BGP negotiation, advertises the IPv4 additional-path capability in the receive direction to the BGP neighbor, that is, this side is able to receive additional-path routes. `both` can also be used.

Important
`additional-path send/receive/both` is a BGP capability exchanged during BGP neighbor negotiation. It takes effect only when it is enabled on both ends of the BGP session. Choose the mode according to your needs:

- One end is configured as `send`, the other as `receive`/`both`.
- One end is configured as `both`, the other as `send`/`receive`.
- Both ends are configured as `both`.

Wait for BGP on the Hub to reconverge, then check the 3 BGP routes of Spoke2 that the Hub learned over the 3 IPSec tunnels: all of them now carry the `best` flag (the effect of `set additional-path-select 3` configured on the Hub).

```
Hub # get router info bgp network 10.10.2.0
VRF 0 BGP routing table entry for 10.10.2.0/24
Paths: (3 available, best #3, table Default-IP-Routing-Table)
  Advertised to peer-groups:
   Hub_line1 Hub_line2 Hub_line3
  Original VRF 0
  Local, (Received from a RR-client)
    169.254.30.2 from 169.254.30.2 (169.254.10.2)
      Origin IGP distance 200 metric 0, localpref 100, valid, internal, best
      Advertised Path ID: 3
      Last update: Tue Dec 2 16:21:36 2025
  Original VRF 0
  Local, (Received from a RR-client)
    169.254.20.2 from 169.254.20.2 (169.254.10.2)
      Origin IGP distance 200 metric 0, localpref 100, valid, internal, best
      Advertised Path ID: 2
      Last update: Tue Dec 2 16:21:26 2025
  Original VRF 0
  Local, (Received from a RR-client)
    169.254.10.2 from 169.254.10.2 (169.254.10.2)
      Origin IGP distance 200 metric 0, localpref 100, valid, internal, best
      Advertised Path ID: 1
      Last update: Tue Dec 2 16:21:09 2025
```

On the Hub, check the Spoke2 BGP route (10.10.2.0/24) reflected to Spoke1's 3 neighbors over the 3 tunnels: the Hub now reflects 3 paths on every neighbor (the effect of `set adv-additional-path 3` configured on the Hub).

```
Hub # get router info bgp neighbors 169.254.10.1 advertised-routes | grep 10.10.2.0
*>i10.10.2.0/24 169.254.30.2 100 0 0 i <-/3>
*>i10.10.2.0/24 169.254.20.2 100 0 0 i <-/2>
*>i10.10.2.0/24 169.254.10.2 100 0 0 i <-/1>
Hub # get router info bgp neighbors 169.254.20.1 advertised-routes | grep 10.10.2.0
*>i10.10.2.0/24 169.254.30.2 100 0 0 i <-/3>
*>i10.10.2.0/24 169.254.20.2 100 0 0 i <-/2>
*>i10.10.2.0/24 169.254.10.2 100 0 0 i <-/1>
Hub # get router info bgp neighbors 169.254.30.1 advertised-routes | grep 10.10.2.0
*>i10.10.2.0/24 169.254.30.2 100 0 0 i <-/3>
*>i10.10.2.0/24 169.254.20.2 100 0 0 i <-/2>
*>i10.10.2.0/24 169.254.10.2 100 0 0 i <-/1>
```

On Spoke1, check the BGP routes in the routing table: Spoke1 has learned all 3 paths of the BGP route advertised by Spoke2 on every tunnel (the effect of `set additional-path receive` configured on the Spoke).

```
Spoke1 # get router info routing-table bgp
Routing table for VRF=0
B       10.10.2.0/24 [200/0] via 169.254.10.2 [3] (recursive via vpn_line1 tunnel 202.103.7.2), 00:17:34, [1/0]
                     [200/0] via 169.254.20.2 [3] (recursive via vpn_line2 tunnel 202.103.8.2), 00:17:34, [1/0]
                     [200/0] via 169.254.30.2 [3] (recursive via vpn_line3 tunnel 202.103.9.2), 00:17:34, [1/0]
......
```

On the Hub, check the state of neighbor Spoke1: neighbor Spoke1 has the "Additional Path" receive capability, and the Hub itself has the "Additional Path" send capability.

```
Hub # get router info bgp neighbors 169.254.10.1 | grep Additional -A 2
 Additional Path:
  Send-mode: advertised
  Receive-mode: received
```

Tip
If the Hub is configured with `set additional-path both`, the output is:

```
Hub # get router info bgp neighbors 169.254.10.1 | grep Additional -A 2
 Additional Path:
  Send-mode: advertised
  Receive-mode: advertised, received
```

On Spoke1, check the state of neighbor Hub: neighbor Hub has the "Additional Path" send capability, and Spoke1 itself has the "Additional Path" receive capability.

```
Spoke1 # get router info bgp neighbors 169.254.10.254 | grep Additional -A 2
 Additional Path:
  Send-mode: received
  Receive-mode: advertised
```
Notes
BGP treats paths as ECMP equal-cost paths only when all of the following key attributes are identical:
- Weight
- Local Preference
- AS Path
- Origin
- MED
- IGP Metric
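If a Spoke still learns only one path after additional-path is configured, enable BGP debugging. If `Duplicate route ignored` appears, the multipath attributes are inconsistent, and you need to check whether the fields above are exactly identical.

```
diagnose ip router bgp all enable
diagnose ip router bgp level info
diagnose debug enable
```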
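The single-next-hop symptom from the initial state and the attribute rule in these notes, combined into one added check (not part of the original page or of FortiOS): it parses `get router info bgp network` output and reports whether the paths collapse onto one next hop or differ in an attribute that this output prints. `parse_paths`, `diagnose` and the verdict strings are hypothetical names, the sample is Spoke1's pre-fix output from this page re-wrapped line by line, and `metric` is assumed to be the MED.

```python
import re

# Constructed sample: Spoke1's pre-fix output from this page, re-wrapped one field per line.
SAMPLE = """\
VRF 0 BGP routing table entry for 10.10.2.0/24
Paths: (3 available, best #1, table Default-IP-Routing-Table)
  Original VRF 0
  Local
    169.254.10.2 from 169.254.10.254 (169.254.10.2)
      Origin IGP distance 200 metric 0, localpref 100, valid, internal, best
  Original VRF 0
  Local
    169.254.10.2 from 169.254.30.254 (169.254.10.2)
      Origin IGP distance 200 metric 0, localpref 100, valid, internal
  Original VRF 0
  Local
    169.254.10.2 from 169.254.20.254 (169.254.10.2)
      Origin IGP distance 200 metric 0, localpref 100, valid, internal
"""

# One path = AS-path line, "<next hop> from <peer> (<router-id>)", then the attribute line.
PATH_RE = re.compile(
    r"^[ \t]*(?P<as_path>\S[^\n]*?)[ \t]*\n"
    r"[ \t]*(?P<nexthop>[\d.]+) from (?P<peer>[\d.]+) \([\d.]+\)[ \t]*\n"
    r"[ \t]*Origin (?P<origin>\S+) distance \d+ metric (?P<metric>\d+), "
    r"localpref (?P<localpref>\d+), (?P<flags>[^\n]*)", re.M)

def parse_paths(text):
    """Return one dict per path in a 'get router info bgp network' dump."""
    return [m.groupdict() for m in PATH_RE.finditer(text)]

def diagnose(text):
    """Classify why (or whether) a multi-path prefix collapses onto one tunnel."""
    paths = parse_paths(text)
    next_hops = sorted({p["nexthop"] for p in paths})
    # Only attributes this output prints; Weight and IGP metric are not in it.
    mismatched = [k for k in ("as_path", "origin", "metric", "localpref")
                  if len({p[k] for p in paths}) > 1]
    if mismatched:
        verdict = "attribute-mismatch"   # paths are not ECMP-equal
    elif len(paths) > 1 and len(next_hops) == 1:
        verdict = "single-next-hop"      # every session carried the RR's one best path
    else:
        verdict = "ok"
    return {"paths": len(paths), "next_hops": next_hops,
            "mismatched": mismatched, "verdict": verdict}
```

Running `diagnose` on output captured before and after the change gives a quick regression check that each Spoke really holds one next hop per tunnel.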
Attachment
The attached capture (bgp_additional_path.pcap) contains the packets in which the Hub and Spoke1 negotiate the additional-path capability; the IPv4 additional-path capability that the Hub announces to Spoke1 is `send`.
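How the send/receive/both negotiation described above looks on the wire, as an added example (not from the original page or from FortiOS): it encodes and parses the ADD-PATH capability as defined in RFC 7911 (capability code 69; mode 1 = receive, 2 = send, 3 = both) and derives which direction becomes usable. The function names and the `HUB`/`SPOKE1` byte strings are constructed for illustration and are not taken from the pcap.

```python
import struct

ADD_PATH_CAP = 69   # BGP capability code for ADD-PATH (RFC 7911)
# Send/Receive field values: 1 = receive, 2 = send, 3 = both (bit 0 = receive, bit 1 = send)

def build_add_path_cap(mode, afi=1, safi=1):
    """Encode one ADD-PATH capability TLV: code, length, then AFI/SAFI/mode."""
    value = struct.pack("!HBB", afi, safi, mode)
    return struct.pack("!BB", ADD_PATH_CAP, len(value)) + value

def parse_add_path_cap(tlv):
    """Return {(afi, safi): mode} from an ADD-PATH capability TLV."""
    code, length = struct.unpack_from("!BB", tlv)
    if code != ADD_PATH_CAP or length % 4 or length != len(tlv) - 2:
        raise ValueError("not a well-formed ADD-PATH capability")
    return {(afi, safi): mode
            for afi, safi, mode in struct.iter_unpack("!HBB", tlv[2:])}

def negotiated(local_tlv, peer_tlv, family=(1, 1)):
    """Directions in which additional paths may flow for one address family."""
    local = parse_add_path_cap(local_tlv).get(family, 0)
    peer = parse_add_path_cap(peer_tlv).get(family, 0)
    return {
        # We may send extra paths only if we offered send and the peer offered receive.
        "local_sends": bool(local & 2 and peer & 1),
        "local_receives": bool(local & 1 and peer & 2),
    }

# Constructed capabilities matching this page's setup: Hub = send, Spoke1 = receive.
HUB = build_add_path_cap(2)
SPOKE1 = build_add_path_cap(1)
```

With `send` on both ends, `negotiated` returns false for both directions, which is why the combinations listed in the Important note always pair a sender with a receiver.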

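Summary

- `config router bgp`:
  - `additional-path enable`: enables the global additional-path capability so that the RR's local BGP table can keep multiple equal-cost paths at the same time; usually enabled on the RR (Hub).
  - `additional-path-select <n>`: the default is 2. Depends on `additional-path enable`. Specifies the maximum number of equal-cost paths that are selected and marked as best, which controls how many equal-cost paths can be kept in the local routing table; on the RR it is usually set to the actual number of links.
- `config neighbor-group` / `neighbor`:
  - `set additional-path send / receive / both`: defines whether, during BGP capability negotiation, the local end advertises to the peer that it can send or receive additional-path. Multipath advertisement takes effect only when the capabilities of both sides match (send ↔ receive/both). The typical usage is `send` on the RR and `receive` on the RR clients.
  - `adv-additional-path <n>`: the default is 2. Determines the maximum number of paths the RR reflects to a single neighbor. It is usually set to the same value as `additional-path-select`, so that the RR can reflect multiple equal-cost paths to the downstream Spokes at the same time.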