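I. Networking Requirements
1. CE1 and CE2 in the topology are each simulated by a single router using MCE technology.
2. Inter-AS MPLS/VPN access is required: 1.1.1.1 and 7.7.7.7 in VPN-A must reach each other, and 11.11.11.11 and 77.77.77.77 in VPN-B must reach each other.
3. In this topology, ASBR1 (toward the RR) and ASBR2 each redistribute the directly connected 32-bit host route into the IGP of their own AS, so that the next hop is reachable.
II. Network Topology
III. Configuration Key Points
1. Deploy the IGP routing protocol in the AS core
2. Deploy MPLS in the AS core
1) Enable MPLS forwarding globally
2) Enable the LDP label distribution protocol globally
3) Enable label switching on the interfaces
4) Enable LDP on the interfaces
5) Configure the MTU on the interfaces
3. Deploy MP-BGP between PEs
1) Start the BGP process
2) Enter the VPNv4 address family and activate the VPNv4 neighbor relationships
3) Configure the route reflector (RR)
4. Deploy the PE-CE routing protocol
1) Create the VRF instances
2) Assign the relevant interfaces to the corresponding VRF instances
3) Configure the PE-CE routing protocol
5. Redistribute the CE routes into MP-BGP
6. Redistribute the MP-BGP routes to the CE
// Steps 1 through 6 make up a complete intra-AS VPN configuration
7. Deploy inter-AS Option B between the ASBRs (next hop unchanged)
1) Establish an MP-EBGP neighbor relationship between the ASBRs
2) Disable RT filtering on the ASBRs
// For the detailed configuration files, see "VI. Attachments"
IV. Configuration Steps
Steps 1 through 6 configure the intra-AS VPN; see the first six steps of the "Inter-AS Option A" chapter (see: Typical Configuration ---> MPLS VPN ---> Inter-AS Option A).
7. Deploy inter-AS Option B between the ASBRs (next hop unchanged)
Configuration on ASBR1 (R4):
1) Establish an MP-EBGP neighbor relationship between the ASBRs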
router bgp 100
bgp router-id 4.4.4.4
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 3.3.3.3 remote-as 100
neighbor 3.3.3.3 update-source Loopback 0
neighbor 45.4.4.5 remote-as 200
// Specify the MP-EBGP neighbor. Do not configure "neighbor 45.4.4.5 update-source Loopback 0" here;
// use the directly connected address to establish the MP-EBGP neighbor!
!
address-family vpnv4 unicast
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community extended
neighbor 45.4.4.5 activate
neighbor 45.4.4.5 send-community extended
exit-address-family
2) Disable RT filtering on the ASBR
router bgp 100
no bgp default route-target filter
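// By default, when a PE receives a VPN route from another PE (or ASBR) and that route is not imported by any VRF on the local device, the PE rejects the route. There are two ways to solve this:
A. Enable no bgp default route-target filter: the PE accepts all VPN routes sent by other PEs (or ASBRs), whether or not a local VRF imports them.
B. Create the relevant VRFs on the ASBR and configure the matching route targets so that the routes are imported on the ASBR. This method is not recommended.
3) The ASBR redistributes the MP-EBGP directly connected segment into the IGP
Redistribute according to the routing protocol used by the IGP; in this case the IGP is RIP.
a) Define the prefix-list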
ip prefix-list 1 seq 5 permit 45.4.4.5/32
b) Define the route-map
route-map C permit 10
match ip address prefix-list 1
c) Redistribute the peer's 32-bit host route into the IGP of each AS
router rip
redistribute connected metric 1 route-map C
// Connected routes could be redistributed directly; a route-map is used here for precise control
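The ASBR requirements from step 7 (MP-EBGP peering on the directly connected address, VPNv4 activation with extended communities, RT filtering disabled) can be checked mechanically before a change is applied. The Python audit below is an added example, not part of the original page or of any vendor tool; the function name audit_asbr and the stanza ASBR1_CFG, assembled from the fragments above, are assumptions.

```python
import re

# ASBR1 (R4) BGP stanza, assembled here from the fragments shown on this page.
ASBR1_CFG = """\
router bgp 100
 no bgp default route-target filter
 neighbor 3.3.3.3 remote-as 100
 neighbor 3.3.3.3 update-source Loopback 0
 neighbor 45.4.4.5 remote-as 200
 address-family vpnv4 unicast
  neighbor 3.3.3.3 activate
  neighbor 3.3.3.3 send-community extended
  neighbor 45.4.4.5 activate
  neighbor 45.4.4.5 send-community extended
 exit-address-family
"""


def audit_asbr(cfg):
    """Return findings for an Option B ASBR 'router bgp' stanza (empty = OK)."""
    lines = [l.strip() for l in cfg.splitlines() if l.strip()]
    local_as = re.match(r"router bgp (\d+)", lines[0]).group(1)
    remote_as, loop_src, vpnv4, in_vpnv4 = {}, set(), {}, False
    for l in lines:
        if l.startswith("address-family"):
            in_vpnv4 = l == "address-family vpnv4 unicast"
        elif l == "exit-address-family":
            in_vpnv4 = False
        m = re.match(r"neighbor (\S+) (.+)", l)
        if m and in_vpnv4:
            vpnv4.setdefault(m[1], set()).add(m[2])
        elif m and m[2].startswith("remote-as "):
            remote_as[m[1]] = m[2].split()[1]
        elif m and m[2].lower().startswith("update-source loopback"):
            loop_src.add(m[1])
    findings = []
    if "no bgp default route-target filter" not in lines:
        findings.append("RT filter enabled: VPNv4 routes with no local VRF import are rejected")
    for peer, asn in remote_as.items():
        if asn != local_as and peer in loop_src:
            findings.append(f"{peer}: MP-EBGP neighbor must peer on the directly connected address")
        for item in sorted({"activate", "send-community extended"} - vpnv4.get(peer, set())):
            findings.append(f"{peer}: '{item}' missing under address-family vpnv4")
    return findings


if __name__ == "__main__":
    print(audit_asbr(ASBR1_CFG) or "ASBR stanza matches the Option B requirements")
```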
V. Configuration Verification
1. Test route connectivity between the VPN sites with ping:
R1#ping vrf VPN-A 7.7.7.7 sou 1.1.1.1
Sending 5, 100-byte ICMP Echoes to 7.7.7.7, timeout is 2 seconds:
< press Ctrl+C to break >
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/10/10 ms
R1#ping vrf VPN-B 77.77.77.77 sou 11.11.11.11
Sending 5, 100-byte ICMP Echoes to 77.77.77.77, timeout is 2 seconds:
< press Ctrl+C to break >
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/10/10 ms
2. Test the path with traceroute:
R1#traceroute vrf VPN-A 7.7.7.7 source 1.1.1.1
< press Ctrl+C to break >
Tracing the route to 7.7.7.7
1 12.1.1.2 0 msec 0 msec 0 msec
2 * * *
3 * * *
4 * * *
5 56.5.5.6 0 msec 0 msec 0 msec
6 7.7.7.7 10 msec 10 msec 10 msec
R1#traceroute vrf VPN-B 77.77.77.77 source 11.11.11.11
< press Ctrl+C to break >
Tracing the route to 77.77.77.77
1 21.1.1.2 0 msec 0 msec 10 msec
2 * * *
3 * * *
4 * * *
5 56.5.5.6 0 msec 0 msec 0 msec
6 77.77.77.77 10 msec 10 msec 10 msec
3. LSP ping test:
R2#ping mpls ipv4 4.4.4.4/32
Sending 5, 84-byte MPLS Echoes to 4.4.4.4/32,
timeout is 2 seconds, send interval is 0 msec:
Codes: '!' - success, 'Q' - request not sent, '.' - timeout,
'L' - labeled output interface, 'B' - unlabeled output interface,
'D' - DS Map mismatch, 'F' - no FEC mapping, 'f' - FEC mismatch,
'M' - malformed request, 'm' - unsupported tlvs, 'N' - no label entry,
'P' - no rx intf label prot, 'p' - premature termination of LSP,
'R' - transit router, 'I' - unknown upstream index,
'X' - unknown return code, 'x' - return code 0
Press Ctrl+C to break.
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/10 ms
4. LSP traceroute test:
R2#traceroute mpls ipv4 4.4.4.4/32
Tracing MPLS Label Switched Path to 4.4.4.4/32, timeout is 2 seconds
Codes: '!' - success, 'Q' - request not sent, '.' - timeout,
'L' - labeled output interface, 'B' - unlabeled output interface,
'D' - DS Map mismatch, 'F' - no FEC mapping, 'f' - FEC mismatch,
'M' - malformed request, 'm' - unsupported tlvs, 'N' - no label entry,
'P' - no rx intf label prot, 'p' - premature termination of LSP,
'R' - transit router, 'I' - unknown upstream index,
'X' - unknown return code, 'x' - return code 0
Press Ctrl+C to break.
0 23.2.2.2 MRU 1500 [Labels: 1025 Exp: 0]
L 1 23.2.2.3 MRU 1500 [Labels: implicit-null Exp: 0] <1 ms
! 2 34.3.3.4 <1 ms
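5. Packet path analysis
The analysis uses VPN-A traffic from 1.1.1.1 to 7.7.7.7 as the example.
1) CE1 (R1) sends VPN-A traffic with destination IP 7.7.7.7 and source IP 1.1.1.1. When the packet reaches PE1 (R2), check the REF forwarding table.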
R2#show ip ref route vrf VPN-A 7.0.0.0 255.0.0.0
Codes: * - default route
# - zero route
ip mask weight path-id next-hop interface
7.0.0.0 255.0.0.0 0 262140 0.0.0.0 ftn nhlfe
2) Look up the MPLS forwarding table:
R2#show mpls forwarding-table ftn detail
Label Operation Code:
PH--PUSH label
PP--POP label
SW--SWAP label
SP--SWAP topmost label and push new label
DP--DROP packet
PC--POP label and continue lookup by IP or Label
PI--POP label and do ip lookup forward
PN--POP label and forward to nexthop
PM--POP label and do MAC lookup forward
PV--POP label and output to VC attach interface
IP--IP lookup forward
Local Outgoing OP FEC Outgoing Nexthop
label label interface
-- imp-null PH 3.3.3.3/32 Gi0/0.23 23.2.2.3
Added by Route(vrf Global), Tag Stack: { 3 }
-- 1025 PH 4.4.4.4/32 Gi0/0.23 23.2.2.3
Added by Route(vrf Global), Tag Stack: { 1025 }
-- imp-null PH 34.3.3.0/24 Gi0/0.23 23.2.2.3
Added by Route(vrf Global), Tag Stack: { 3 }
-- 1026 PH 45.4.4.5/32 Gi0/0.23 23.2.2.3
Added by Route(vrf Global), Tag Stack: { 1026 }
-- 1024 PH 7.0.0.0/8(V) Gi0/0.23 23.2.2.3
Added by Route(vrf VPN-A), Tag Stack: { 1024 1026 }
-- 1025 PH 67.6.6.0/24(V) Gi0/0.23 23.2.2.3
Added by Route(vrf VPN-A), Tag Stack: { 1025 1026 }
-- 1026 PH 76.6.6.0/24(V) Gi0/0.23 23.2.2.3
Added by Route(vrf VPN-B), Tag Stack: { 1026 1026 }
-- 1031 PH 77.0.0.0/8(V) Gi0/0.23 23.2.2.3
Added by Route(vrf VPN-B), Tag Stack: { 1031 1026 }
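// The FEC 7.0.0.0/8 is assigned a two-label stack here. The top label 1026 was allocated by R3 for the BGP next hop; the bottom label 1024 was allocated by ASBR2 (R5) for the VPN route.
3) The labeled packet reaches router R3, which performs a swap and replaces the top label 1026 with 8195.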
R3#show mpls forwarding-table
Label Operation Code:
PH--PUSH label
PP--POP label
SW--SWAP label
SP--SWAP topmost label and push new label
DP--DROP packet
PC--POP label and continue lookup by IP or Label
PI--POP label and do ip lookup forward
PN--POP label and forward to nexthop
PM--POP label and do MAC lookup forward
PV--POP label and output to VC attach interface
IP--IP lookup forward
Local Outgoing OP FEC Outgoing Nexthop
label label interface
-- imp-null PH 2.2.2.2/32 Gi0/0.23 23.2.2.2
-- imp-null PH 4.4.4.4/32 Gi0/0.34 34.3.3.4
-- 8195 PH 45.4.4.5/32 Gi0/0.34 34.3.3.4
1024 imp-null PP 2.2.2.2/32 Gi0/0.23 23.2.2.2
1025 imp-null PP 4.4.4.4/32 Gi0/0.34 34.3.3.4
1026 8195 SW 45.4.4.5/32 Gi0/0.34 34.3.3.4
4) The labeled packet reaches ASBR1 (R4), which looks up its label forwarding table and pops the top label (POP operation):
R4#show mpls forwarding-table
Label Operation Code:
PH--PUSH label
PP--POP label
SW--SWAP label
SP--SWAP topmost label and push new label
DP--DROP packet
PC--POP label and continue lookup by IP or Label
PI--POP label and do ip lookup forward
PN--POP label and forward to nexthop
PM--POP label and do MAC lookup forward
PV--POP label and output to VC attach interface
IP--IP lookup forward
Local Outgoing OP FEC Outgoing Nexthop
label label interface
-- 1024 PH 2.2.2.2/32 Gi3/1/0.34 34.3.3.3
-- imp-null PH 3.3.3.3/32 Gi3/1/0.34 34.3.3.3
-- imp-null PH 23.2.2.0/24 Gi3/1/0.34 34.3.3.3
8192 1024 SW 2.2.2.2/32 Gi3/1/0.34 34.3.3.3
8193 imp-null PP 3.3.3.3/32 Gi3/1/0.34 34.3.3.3
8194 imp-null PP 23.2.2.0/24 Gi3/1/0.34 34.3.3.3
8195 imp-null PP 45.4.4.5/32 Gi3/1/0.45 45.4.4.5
8704 1536 SP 1.1.1.1/32 Gi3/1/0.34 34.3.3.3
8705 1536 SP 12.1.1.0/24 Gi3/1/0.34 34.3.3.3
8706 1537 SP 11.11.11.11/32 Gi3/1/0.34 34.3.3.3
8707 1537 SP 21.1.1.0/24 Gi3/1/0.34 34.3.3.3
8708 1024 SW 7.0.0.0/8 Gi3/1/0.45 45.4.4.5
8709 1025 SW 67.6.6.0/24 Gi3/1/0.45 45.4.4.5
8710 1026 SW 76.6.6.0/24 Gi3/1/0.45 45.4.4.5
8711 1031 SW 77.0.0.0/8 Gi3/1/0.45 45.4.4.5
5) The labeled packet reaches ASBR2 (R5), which performs a SWAP:
R5#show mpls forwarding-table detail
Label Operation Code:
PH--PUSH label
PP--POP label
SW--SWAP label
SP--SWAP topmost label and push new label
DP--DROP packet
PC--POP label and continue lookup by IP or Label
PI--POP label and do ip lookup forward
PN--POP label and forward to nexthop
PM--POP label and do MAC lookup forward
PV--POP label and output to VC attach interface
IP--IP lookup forward
Local Outgoing OP FEC Outgoing Nexthop
label label interface
-- imp-null PH 6.6.6.6/32 Gi0/0.56 56.5.5.6
Added by Route(vrf Global), Tag Stack: { 3 }
1024 1024 SW 7.0.0.0/8 Gi0/0.56 56.5.5.6
Added by Route(vrf Global), Tag Stack: { 1024 }
1025 1024 SW 67.6.6.0/24 Gi0/0.56 56.5.5.6
Added by Route(vrf Global), Tag Stack: { 1024 }
1026 1025 SW 76.6.6.0/24 Gi0/0.56 56.5.5.6
Added by Route(vrf Global), Tag Stack: { 1025 }
1027 8704 SW 1.1.1.1/32 Gi0/0.45 45.4.4.4
Added by Route(vrf Global), Tag Stack: { 8704 }
1028 8705 SW 12.1.1.0/24 Gi0/0.45 45.4.4.4
Added by Route(vrf Global), Tag Stack: { 8705 }
1029 8706 SW 11.11.11.11/32 Gi0/0.45 45.4.4.4
Added by Route(vrf Global), Tag Stack: { 8706 }
1030 8707 SW 21.1.1.0/24 Gi0/0.45 45.4.4.4
Added by Route(vrf Global), Tag Stack: { 8707 }
1031 1025 SW 77.0.0.0/8 Gi0/0.56 56.5.5.6
Added by Route(vrf Global), Tag Stack: { 1025 }
1536 imp-null PP 6.6.6.6/32 Gi0/0.56 56.5.5.6
Added by Route(vrf Global), Tag Stack: { 3 }
1537 imp-null PP 45.4.4.4/32 Gi0/0.45 45.4.4.4
Added by Route(vrf Global), Tag Stack: { 3 }
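// At this point the packet carries only the single VPN label 1024, and ASBR2 (R5) then performs one label swap. Normally the VPN label would be replaced here with a two-label stack; because of the limits of this lab environment, only the bottom label is swapped and the packet goes straight on to PE2 (R6).
6) The labeled packet reaches PE2 (R6), which pops the label: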
R6#show mpls forwarding-table
Label Operation Code:
PH--PUSH label
PP--POP label
SW--SWAP label
SP--SWAP topmost label and push new label
DP--DROP packet
PC--POP label and continue lookup by IP or Label
PI--POP label and do ip lookup forward
PN--POP label and forward to nexthop
PM--POP label and do MAC lookup forward
PV--POP label and output to VC attach interface
IP--IP lookup forward
Local Outgoing OP FEC Outgoing Nexthop
label label interface
-- imp-null PH 5.5.5.5/32 Gi0/0.56 56.5.5.5
-- 1537 PH 45.4.4.4/32 Gi0/0.56 56.5.5.5
-- 8704 PH 1.1.1.1/32(V) Gi0/0.56 56.5.5.5
-- 8705 PH 12.1.1.0/24(V) Gi0/0.56 56.5.5.5
-- 8706 PH 11.11.11.11/32(V) Gi0/0.56 56.5.5.5
-- 8707 PH 21.1.1.0/24(V) Gi0/0.56 56.5.5.5
1024 -- PI VRF(VPN-A) -- --
1025 -- PI VRF(VPN-B) -- --
1536 imp-null PP 5.5.5.5/32 Gi0/0.56 56.5.5.5
1537 1537 SW 45.4.4.4/32 Gi0/0.56 56.5.5.5
7) R6 looks up the IP REF routing table, restores the IP packet, and sends it out GI0/0.67.
R6# show ip ref route vrf VPN-A 7.0.0.0 255.0.0.0
Codes: * - default route
# - zero route
ip mask weight path-id next-hop interface
7.0.0.0 255.0.0.0 1 13 67.6.6.7 GigabitEthernet 0/0.67
8) Return traffic from R7 in VPN-A, source IP 7.7.7.7 to destination IP 1.1.1.1, is analyzed in the same way.
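The hop-by-hop analysis above can be replayed as a label-stack walk, which also confirms that each VPN's traffic leaves the far-end PE in the same VRF it entered. This Python sketch is an added example, not part of the original page; the table entries are transcribed from the outputs above, while the function name walk and the next-hop-to-router mapping are assumptions inferred from those outputs.

```python
# Entries transcribed from the "show mpls forwarding-table" outputs on this
# page: router -> {incoming label: (operation, outgoing label or VRF, next hop)}.
LFIB = {
    "R3": {1026: ("SW", 8195, "34.3.3.4")},
    "R4": {8195: ("PP", None, "45.4.4.5")},
    "R5": {1024: ("SW", 1024, "56.5.5.6"), 1031: ("SW", 1025, "56.5.5.6")},
    "R6": {1024: ("PI", "VPN-A", None), 1025: ("PI", "VPN-B", None)},
}
# Ingress FTN entries on PE1 (R2): (vrf, FEC) -> (tag stack bottom..top, next hop).
FTN_R2 = {
    ("VPN-A", "7.0.0.0/8"): ([1024, 1026], "23.2.2.3"),
    ("VPN-B", "77.0.0.0/8"): ([1031, 1026], "23.2.2.3"),
}
# Next-hop address -> router; inferred from the outputs above (assumption).
OWNER = {"23.2.2.3": "R3", "34.3.3.4": "R4", "45.4.4.5": "R5", "56.5.5.6": "R6"}


def walk(vrf, fec):
    """Return (trace, egress_vrf); trace lists (router, op, stack after op)."""
    stack, nexthop = FTN_R2[(vrf, fec)]
    stack = list(stack)                      # top of stack is the last element
    trace = [("R2", "PH", tuple(stack))]
    while True:
        router = OWNER[nexthop]
        top = stack[-1]
        if top not in LFIB[router]:
            raise LookupError(f"{router}: no entry for label {top}, packet dropped")
        op, out, nexthop = LFIB[router][top]
        stack.pop()
        if op == "SW":                       # swap: replace the top label
            stack.append(out)
        trace.append((router, op, tuple(stack)))
        if op == "PI":                       # pop, then IP lookup inside VRF `out`
            if stack:
                raise ValueError("labels left under the VPN label")
            return trace, out
        if not stack:
            raise ValueError(f"{router}: label stack emptied before the egress PE")


if __name__ == "__main__":
    for key in FTN_R2:
        trace, egress = walk(*key)
        print(key, "-> egress VRF", egress)
        for hop in trace:
            print("   ", hop)
```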
VI. Attachments