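This post uses the Huawei eNSP simulator to walk through a real-world MPLS VPN case.
Networking requirements:
The topology is as follows:
1. CE1 connects the headquarters R&D area and CE2 connects the branch R&D area; CE1 and CE2 belong to vpna;
2. CE3 connects the headquarters non-R&D area and CE4 connects the branch non-R&D area; CE3 and CE4 belong to vpnb;
3. The R&D and non-R&D areas of the headquarters and the branch have overlapping address spaces;
4. The enterprise wants, without changing the network deployment, secure mutual access between the headquarters and the branch, and isolation between the R&D and non-R&D areas.
Solution:
Configure BGP/MPLS IP VPN along the following lines:
1. Configure OSPF between the P and the PEs to provide IP connectivity across the backbone.
2. Configure basic MPLS capability and MPLS LDP on the PEs and the P to establish MPLS LSP public-network tunnels that carry the VPN data.
3. Configure MP-IBGP between PE1 and PE2 to exchange VPN routing information.
4. Configure VPN instances on PE1 and PE2: vpna uses the VPN-target attribute 100:100 and vpnb uses the VPN-target attribute 200:200, so that sites in the same VPN can reach each other and different VPNs are isolated. Also bind the CE-facing interfaces to the corresponding VPN instances to connect the VPN users.
5. Configure static routes between the CEs and the PEs to exchange VPN routing information.
Configuration procedure:
1. Configure OSPF on the MPLS backbone so that the backbone PEs and the P can reach each other
Configure PE1: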
- interface GigabitEthernet0/0/2
- ip address 100.1.1.1 255.255.255.252
- interface LoopBack0
- ip address 1.1.1.1 255.255.255.255
- ospf 100 router-id 1.1.1.1
- area 0.0.0.0
- network 1.1.1.1 0.0.0.0
- network 100.1.1.0 0.0.0.3
- Configure P:
- interface GigabitEthernet0/0/0
- ip address 100.1.1.2 255.255.255.252
- interface GigabitEthernet0/0/1
- ip address 101.1.1.1 255.255.255.252
- interface LoopBack0
- ip address 2.2.2.2 255.255.255.255
- ospf 100 router-id 2.2.2.2
- area 0.0.0.0
- network 2.2.2.2 0.0.0.0
- network 100.1.1.0 0.0.0.3
- network 101.1.1.0 0.0.0.3
- Configure PE2:
- interface GigabitEthernet0/0/0
- ip address 101.1.1.2 255.255.255.252
- interface LoopBack0
- ip address 3.3.3.3 255.255.255.255
- ospf 100 router-id 3.3.3.3
- area 0.0.0.0
- network 3.3.3.3 0.0.0.0
- network 101.1.1.0 0.0.0.3
2. Configure basic MPLS capability and MPLS LDP on the MPLS backbone to establish LDP LSPs
- Configure PE1:
- mpls lsr-id 1.1.1.1 //Configure the LSR ID
- mpls
- mpls ldp
- interface GigabitEthernet0/0/2
- mpls
- mpls ldp
- Configure P:
- mpls lsr-id 2.2.2.2
- mpls
- mpls ldp
- interface GigabitEthernet0/0/0
- mpls
- mpls ldp
- interface GigabitEthernet0/0/1
- mpls
- mpls ldp
- Configure PE2:
- mpls lsr-id 3.3.3.3
- mpls
- mpls ldp
- interface GigabitEthernet0/0/0
- mpls
- mpls ldp
3. Configure VPN instances on the PE devices and connect the CEs to the PEs
- Configure PE1:
- ip vpn-instance vpna
- ipv4-family
- route-distinguisher 100:100
- vpn-target 100:100 export-extcommunity
- vpn-target 100:100 import-extcommunity
- ip vpn-instance vpnb
- ipv4-family
- route-distinguisher 200:200
- vpn-target 200:200 export-extcommunity
- vpn-target 200:200 import-extcommunity
- interface GigabitEthernet0/0/0
- ip binding vpn-instance vpna
- ip address 192.168.1.1 255.255.255.0
- interface GigabitEthernet0/0/1
- ip binding vpn-instance vpnb
- ip address 192.168.1.1 255.255.255.0
- Configure PE2:
- ip vpn-instance vpna
- ipv4-family
- route-distinguisher 100:100
- vpn-target 100:100 export-extcommunity
- vpn-target 100:100 import-extcommunity
- ip vpn-instance vpnb
- ipv4-family
- route-distinguisher 200:200
- vpn-target 200:200 export-extcommunity
- vpn-target 200:200 import-extcommunity
- interface GigabitEthernet0/0/1
- ip binding vpn-instance vpna
- ip address 172.16.1.1 255.255.255.0
- interface GigabitEthernet0/0/2
- ip binding vpn-instance vpnb
- ip address 172.16.1.1 255.255.255.0
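The isolation in this step depends entirely on the vpn-target values, so it is worth checking them mechanically. The following is an added example, not part of the original post: it parses the vpn-instance stanzas shown above (embedded as a constructed sample) and lists any pair of differently named instances where one would import the other's routes. The function names `parse_vrfs` and `cross_imports` are hypothetical, and the check assumes the same instance name on two PEs means the same VPN.

```python
from itertools import permutations

# Constructed sample: the vpn-instance stanzas the page applies on both PE1 and PE2.
PE_CONFIG = """\
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:100
vpn-target 100:100 export-extcommunity
vpn-target 100:100 import-extcommunity
ip vpn-instance vpnb
ipv4-family
route-distinguisher 200:200
vpn-target 200:200 export-extcommunity
vpn-target 200:200 import-extcommunity
"""
DIRECTIONS = {"both": ("import", "export"),
              "export-extcommunity": ("export",),
              "import-extcommunity": ("import",)}

def parse_vrfs(config):
    """Return {instance: {"rd", "import", "export"}} parsed from VRP-style text."""
    vrfs, cur = {}, None
    for line in map(str.strip, config.splitlines()):
        words = line.split()
        if words[:2] == ["ip", "vpn-instance"] and len(words) == 3:
            cur = vrfs.setdefault(words[2], {"rd": None, "import": set(), "export": set()})
        elif cur is not None and words[:1] == ["route-distinguisher"]:
            cur["rd"] = words[1]
        elif cur is not None and words[:1] == ["vpn-target"]:
            *rts, last = words[1:]
            if last not in DIRECTIONS:          # no keyword given: VRP treats it as both
                rts, last = rts + [last], "both"
            for direction in DIRECTIONS[last]:
                cur[direction].update(rts)
    return vrfs

def cross_imports(pe_vrfs):
    """(exporter, importer) pairs of differently named instances sharing an RT.
    Assumption: the same instance name on two PEs means the same VPN."""
    flat = [(f"{pe}/{n}", n, v) for pe, vrfs in pe_vrfs.items() for n, v in vrfs.items()]
    return sorted((a, b) for (a, n1, v1), (b, n2, v2) in permutations(flat, 2)
                  if n1 != n2 and v1["export"] & v2["import"])

if __name__ == "__main__":
    good = {"PE1": parse_vrfs(PE_CONFIG), "PE2": parse_vrfs(PE_CONFIG)}
    print("as configured:", cross_imports(good))
    # Constructed misconfiguration: vpnb on PE2 also imports vpna's route target.
    bad = dict(good, PE2=parse_vrfs(PE_CONFIG + "vpn-target 100:100 import-extcommunity\n"))
    print("with stray import:", cross_imports(bad))
```

With the page's values the list is empty; one stray import line on a single PE is enough to pull R&D routes into the non-R&D instance, both from the remote PE and locally.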
4. Establish an MP-IBGP peer relationship between the PEs
- Configure PE1:
- bgp 100
- peer 3.3.3.3 as-number 100
- peer 3.3.3.3 connect-interface LoopBack0
- ipv4-family unicast
- undo synchronization
- peer 3.3.3.3 enable
- ipv4-family vpnv4
- policy vpn-target
- peer 3.3.3.3 enable
- ipv4-family vpn-instance vpna
- import-route direct
- import-route static
- ipv4-family vpn-instance vpnb
- import-route direct
- import-route static
- Configure PE2:
- bgp 100
- peer 1.1.1.1 as-number 100
- peer 1.1.1.1 connect-interface LoopBack0
- ipv4-family unicast
- undo synchronization
- peer 1.1.1.1 enable
- ipv4-family vpnv4
- policy vpn-target
- peer 1.1.1.1 enable
- ipv4-family vpn-instance vpna
- import-route direct
- import-route static
- ipv4-family vpn-instance vpnb
- import-route direct
- import-route static
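5. Configure a static route on CE1, CE2, CE3 and CE4 toward the PE each one connects to (the next hop shown is PE1's CE-facing address, as used on CE1 and CE3; on CE2 and CE4 the next hop is PE2's CE-facing address 172.16.1.1)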
ip route-static 0.0.0.0 0.0.0.0 192.168.1.1
6. Verify the configuration
On the PE, check that the routing information is complete
<PE1>display ip routing-table
Route Flags: R - relay, D - download to fib
Routing Tables: Public
Destinations : 11 Routes : 11
Destination/Mask Proto Pre Cost Flags NextHop Interface
1.1.1.1/32 Direct 0 0 D 127.0.0.1 LoopBack0
2.2.2.2/32 OSPF 10 1 D 100.1.1.2 GigabitEthernet0/0/2
3.3.3.3/32 OSPF 10 2 D 100.1.1.2 GigabitEthernet0/0/2
100.1.1.0/30 Direct 0 0 D 100.1.1.1 GigabitEthernet0/0/2
100.1.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/2
100.1.1.3/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/2
101.1.1.0/30 OSPF 10 2 D 100.1.1.2 GigabitEthernet0/0/2
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
<PE1>display ip routing-table vpn-instance vpna
Route Flags: R - relay, D - download to fib
Routing Tables: vpna
Destinations : 5 Routes : 5
Destination/Mask Proto Pre Cost Flags NextHop Interface
172.16.1.0/24 IBGP 255 0 RD 3.3.3.3 GigabitEthernet0/0/2
192.168.1.0/24 Direct 0 0 D 192.168.1.1 GigabitEthernet0/0/0
192.168.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/0
192.168.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
Check that the LDP session has been established:
<PE1>display mpls ldp session
LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
PeerID Status LAM SsnRole SsnAge KASent/Rcv
2.2.2.2:0 Operational DU Passive 0000:01:07 271/271
TOTAL: 1 session(s) Found.
Check that the LDP LSPs have been established:
<PE1>display mpls ldp lsp
LDP LSP Information
DestAddress/Mask In/OutLabel UpstreamPeer NextHop OutInterface
1.1.1.1/32 3/NULL 2.2.2.2 127.0.0.1 InLoop0
*1.1.1.1/32 Liberal/1024 DS/2.2.2.2
2.2.2.2/32 NULL/3 - 100.1.1.2 GE0/0/2
2.2.2.2/32 1024/3 2.2.2.2 100.1.1.2 GE0/0/2
3.3.3.3/32 NULL/1025 - 100.1.1.2 GE0/0/2
3.3.3.3/32 1025/1025 2.2.2.2 100.1.1.2 GE0/0/2
Check that the BGP peer relationship between the PEs has been established:
<PE1>display bgp peer
BGP local router ID : 100.1.1.1
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
3.3.3.3 4 100 74 75 0 01:10:55 Established 0
Copyright belongs to the original author, 木 易 杨. If there is any infringement, please contact us for removal.