Cisco Hub-Spoke
Layer 3 VPN Configuration Guide
Introduction
In a BGP/MPLS Layer 3 VPN network, the VPN Route Target attribute controls how VPN routing information is advertised and received between sites. A VPN's Export Route Target and Import Route Target are set independently, and each can carry multiple values, which allows flexible control of access between VPNs. Here I first use Cisco devices to walk through the configuration of a Hub-Spoke Layer 3 VPN and its key points.
Application Scenario
The core idea of a Hub-Spoke VPN is to place a central access-control device in the VPN; all traffic between the other users passes through that device. The figure above shows a typical Hub-Spoke network, whose elements are the Hub-PE, Hub-CE, Spoke-PE and Spoke-CE. Normally every Spoke-PE connects to the Hub-PE, and the Spoke-PEs need not connect to each other. The Hub-PE may look a little like a route reflector (RR), but it is not: as the configuration below shows, no RR function is configured on the Hub-PE. Instead, the Hub-PE and the Spoke-PEs are interconnected into a star network centered on the Hub-PE, and the Hub-CE joins the routing information of the two VPNs and enforces the access control between them. I will not go into which specific access controls to apply; once the Hub-Spoke VPN is configured, controlling access through the Hub-CE is a simple matter.
The main advantage of Hub-Spoke networking is that it makes restricted access between VPNs easy to implement. Access between different enterprises, for example, is never completely open, so restricted access is a typical and very practical application, and it rests on security as a prerequisite.
Configuration Key Points
For Hub-Spoke networking, two Route Targets must be set: one used to receive the routing information advertised by the Spoke-PEs, the other used to advertise routing information to the Spoke-PEs. The Route Target settings of each site's VRF on its PE follow roughly these rules:
On the Spoke-PE, set the Import Target and the Export Target to the two Route Targets mentioned above, respectively;
On the Hub-PE, two interfaces are needed (facing one CE, or two or more CEs): one used only to receive the routing information advertised by the Spoke-PEs, the other used only to advertise routing information to the Spoke-PEs, with the Import and Export Route Targets set exactly opposite to those on the Spoke-PE.
As the figure above shows, communication between Spoke sites goes through the Hub site:
The Hub-PE can receive the VPN-IPv4 routing information advertised by all Spoke-PEs;
The VPN-IPv4 routes advertised by the Hub-PE can be received by all Spoke-PEs;
The Hub-PE advertises the routes learned from one Spoke-PE to the other Spoke-PEs; therefore the Spoke sites can reach each other through the Hub site, and the Hub site can control and manage access between Spoke sites by applying an access-control policy on itself;
The Import Route Target attribute of any Spoke-PE never equals the Export Route Target attribute of any other Spoke-PE. Therefore no two Spoke-PEs advertise VPN-IPv4 routes to each other directly, and Spoke sites cannot reach each other directly. What we configure here is an intra-AS Layer 3 VPN: each Spoke-PE establishes an IBGP neighbor relationship only with the Hub-PE, and by the BGP advertisement rules an IBGP speaker does not re-advertise routes learned from one IBGP neighbor to other IBGP neighbors, so from this angle as well the Spoke-PEs do not advertise VPN-IPv4 routes to each other directly.
Because the PE-CE links use EBGP, the Hub-Spoke network produces an AS-path loop problem, so when configuring we must allow the Hub-PE and the Spoke-PEs to accept routes in which our own autonomous system number already appears in the AS path.
Data Design
Typical inter-AS VPN configuration examples use two ASes; here I deliberately changed it to three ASes. This actually changes nothing other than a few more EBGP neighbors to configure.
Loopback addresses: 202.1.1.X/32, X = 1, 2, 3, 4, 5, 6, i.e. the router number;
Interface addresses: 80.X.Y.Z/24, X/Y = the router numbers, Z = 1 or 2; the router with the smaller number gets 1, the larger gets 2;
IGP: IS-IS Level 2 and LDP between the PEs; EBGP between PE and CE;
AS: R1 is AS 1, R5 is AS 500, R6 is AS 600, and R2, R3 and R4 are AS 100;
Detailed Configuration
To save space, only the relevant configuration of the 6 routers is listed; unrelated configuration is omitted.
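As an added example that is not part of the original post, the following Python model traces a route through the Hub-Spoke design described above (R2 and R4 as Spoke-PEs exporting 100:1 and importing 200:1, R3 as Hub-PE with vrf_in importing 100:1 and vrf_out exporting 200:1, R6 as Hub-CE). The Route class, the function names and the simplified BGP behaviour are my own constructions. It checks that a Spoke-PE's export RT never matches another Spoke-PE's import RT, and that R1's loopback reaches R5 only when the repeated AS 100 is allowed in the AS path, i.e. the allowas-in that the configuration relies on.

```python
from dataclasses import dataclass, field
HUB_AS = 100  # R2, R3 and R4 share AS 100; R1, R5 and R6 are AS 1, 500 and 600

@dataclass
class Route:
    prefix: str
    as_path: list                     # leftmost AS is the most recently prepended
    rts: set = field(default_factory=set)

def bgp_accept(local_as, route, allowas_in=False):
    """Loop check every BGP speaker applies to a received update (EBGP or IBGP)."""
    if route is None or (local_as in route.as_path and not allowas_in):
        return None
    return route

def ebgp_send(local_as, route):
    return Route(route.prefix, [local_as] + route.as_path)  # prepend AS; RTs do not cross PE-CE

def vrf_export(route, *export_rts):
    return Route(route.prefix, route.as_path, set(export_rts))
def vrf_import(route, *import_rts):
    """A VRF installs a VPN-IPv4 route only when one of its import RTs matches."""
    return route if route and route.rts & set(import_rts) else None

def spoke_reaches_spoke_directly():
    # R2's vrf10 exports 100:1, but R4's vrf10 imports only 200:1
    r = vrf_export(Route("202.1.1.1/32", [1]), "100:1")
    return vrf_import(r, "200:1") is not None

def trace(allowas_in=True):
    """Follow R1's loopback R2 -> R3 vrf_in -> R6 -> R3 vrf_out -> R4 -> R5; return (hops, AS_PATH)."""
    hops = []
    r = bgp_accept(HUB_AS, ebgp_send(1, Route("202.1.1.1/32", [])))      # R2 vrf10 <- R1
    hops.append("R2:vrf10")
    r = vrf_import(bgp_accept(HUB_AS, vrf_export(r, "100:1")), "100:1")  # R3 vrf_in <- R2 (vpnv4)
    hops.append("R3:vrf_in")
    r = bgp_accept(600, ebgp_send(HUB_AS, r))                  # R6 <- R3 vrf_in, path 100 1
    hops.append("R6")
    r = bgp_accept(HUB_AS, ebgp_send(600, r), allowas_in)      # R3 vrf_out <- R6, path 600 100 1
    if r is None:
        return hops, None                                      # AS 100 already in the path
    hops.append("R3:vrf_out")
    r = bgp_accept(HUB_AS, vrf_import(vrf_export(r, "200:1"), "200:1"), allowas_in)  # R4 <- R3
    if r is None:
        return hops, None                                      # vpnv4 session also sees AS 100
    hops.append("R4:vrf10")
    r = bgp_accept(500, ebgp_send(HUB_AS, r))                  # R5 <- R4, path 100 600 100 1
    hops.append("R5")
    return hops, r.as_path
```

Running trace(False) stops at R6, which is exactly the drop that allowas-in on R3's vrf_out session and on the Spoke-PEs' vpnv4 sessions prevents.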
[R1]
R1#show run
!
version 12.4
!
hostname R1
!
ip cef
!
interface Loopback0
ip address 202.1.1.1 255.255.255.255
!
interface Ethernet4/0
ip address 80.1.2.1 255.255.255.0
duplex half
!
router bgp 1
no synchronization
bgp log-neighbor-changes
redistribute connected
neighbor 80.1.2.2 remote-as 100
no auto-summary
!
end
R1#
[R2]
R2#show run
!
version 12.4
!
hostname R2
!
ip cef
!
ip vrf vrf10
rd 200:1
route-target export 100:1
route-target import 200:1
!
interface Loopback0
ip address 202.1.1.2 255.255.255.255
ip router isis
isis circuit-type level-2-only
!
interface Ethernet4/0
ip vrf forwarding vrf10
ip address 80.1.2.2 255.255.255.0
duplex half
!
interface Ethernet4/1
ip address 80.2.3.1 255.255.255.0
ip router isis
duplex half
mpls ip
isis circuit-type level-2-only
!
router isis
net 49.0000.0000.0000.2222.00
is-type level-2-only
metric-style wide
!
router bgp 100
no synchronization
bgp log-neighbor-changes
neighbor 202.1.1.3 remote-as 100
neighbor 202.1.1.3 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 202.1.1.3 activate
neighbor 202.1.1.3 send-community extended
neighbor 202.1.1.3 allowas-in
exit-address-family
!
address-family ipv4 vrf vrf10
redistribute connected
neighbor 80.1.2.1 remote-as 1
neighbor 80.1.2.1 activate
no synchronization
exit-address-family
!
end
R2#
[R3]
R3#show run
!
version 12.4
!
hostname R3
!
ip cef
!
ip vrf vrf_in
rd 300:1
route-target import 100:1
!
ip vrf vrf_out
rd 300:2
route-target export 200:1
!
interface Loopback0
ip address 202.1.1.3 255.255.255.255
ip router isis
isis circuit-type level-2-only
!
interface Ethernet4/0
ip vrf forwarding vrf_in
ip address 80.3.6.1 255.255.255.0
duplex half
!
interface Ethernet4/1
ip address 80.2.3.2 255.255.255.0
ip router isis
duplex half
mpls ip
isis circuit-type level-2-only
!
interface Ethernet4/2
ip address 80.3.4.1 255.255.255.0
ip router isis
duplex half
mpls ip
isis circuit-type level-2-only
!
interface Ethernet4/3
ip vrf forwarding vrf_out
ip address 80.6.3.1 255.255.255.0
duplex half
!
router isis
net 49.0000.0000.0000.3333.00
is-type level-2-only
metric-style wide
!
router bgp 100
no synchronization
bgp log-neighbor-changes
neighbor 202.1.1.2 remote-as 100
neighbor 202.1.1.2 update-source Loopback0
neighbor 202.1.1.4 remote-as 100
neighbor 202.1.1.4 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 202.1.1.2 activate
neighbor 202.1.1.2 send-community extended
neighbor 202.1.1.4 activate
neighbor 202.1.1.4 send-community extended
exit-address-family
!
address-family ipv4 vrf vrf_out
redistribute connected
neighbor 80.6.3.2 remote-as 600
neighbor 80.6.3.2 activate
neighbor 80.6.3.2 allowas-in
no synchronization
exit-address-family
!
address-family ipv4 vrf vrf_in
redistribute connected
neighbor 80.3.6.2 remote-as 600
neighbor 80.3.6.2 activate
no synchronization
exit-address-family
!
end
R3#
[R4]
R4#show run
!
version 12.4
!
hostname R4
!
ip cef
!
ip vrf vrf10
rd 400:1
route-target export 100:1
route-target import 200:1
!
interface Loopback0
ip address 202.1.1.4 255.255.255.255
ip router isis
isis circuit-type level-2-only
!
interface Ethernet4/2
ip address 80.3.4.2 255.255.255.0
ip router isis
duplex half
mpls ip
isis circuit-type level-2-only
!
interface Ethernet4/3
ip vrf forwarding vrf10
ip address 80.4.5.1 255.255.255.0
duplex half
!
router isis
net 49.0000.0000.0000.4444.00
is-type level-2-only
metric-style wide
!
router bgp 100
no synchronization
bgp log-neighbor-changes
neighbor 202.1.1.3 remote-as 100
neighbor 202.1.1.3 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 202.1.1.3 activate
neighbor 202.1.1.3 send-community extended
neighbor 202.1.1.3 allowas-in
exit-address-family
!
address-family ipv4 vrf vrf10
redistribute connected
neighbor 80.4.5.2 remote-as 500
neighbor 80.4.5.2 activate
no synchronization
exit-address-family
!
end
R4#
[R5]
R5#show run
!
version 12.4
!
hostname R5
!
ip cef
!
interface Loopback0
ip address 202.1.1.5 255.255.255.255
!
interface Ethernet4/3
ip address 80.4.5.2 255.255.255.0
duplex half
!
router bgp 500
no synchronization
bgp log-neighbor-changes
redistribute connected
neighbor 80.4.5.1 remote-as 100
no auto-summary
!
end
R5#
[R6]
R6#show run
!
version 12.4
!
hostname R6
!
ip cef
!
interface Loopback0
ip address 202.1.1.6 255.255.255.255
!
interface Ethernet4/0
ip address 80.3.6.2 255.255.255.0
duplex half
!
interface Ethernet4/3
ip address 80.6.3.2 255.255.255.0
duplex half
!
router bgp 600
no synchronization
bgp log-neighbor-changes
neighbor 80.3.6.1 remote-as 100
neighbor 80.6.3.1 remote-as 100
no auto-summary
!
end
R6#