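Lab requirements:
1. A1 and A2 can reach each other over the MPLS VPN, B1 and B2 can reach each other, and A cannot access B.
2. R2 is the ISP.
3. R6 can telnet to R4, and R7 can telnet to R5.
Configuration steps: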
[R1]ospf 1 router-id 1.1.1.1
[R1-ospf-1]a 0
[R1-ospf-1-area-0.0.0.0]network 10.1.12.1 0.0.0.0
[R1-ospf-1-area-0.0.0.0]network 1.1.1.1 0.0.0.0
[R2]ospf 1 router-id 2.2.2.2
[R2-ospf-1]a 0
[R2-ospf-1-area-0.0.0.0]network 10.1.12.2 0.0.0.0
[R2-ospf-1-area-0.0.0.0]network 2.2.2.2 0.0.0.0
[R2-ospf-1-area-0.0.0.0]network 10.1.23.2 0.0.0.0
[R3]ospf 1 router-id 3.3.3.3
[R3-ospf-1]a 0
[R3-ospf-1-area-0.0.0.0]network 10.1.23.3 0.0.0.0
[R3-ospf-1-area-0.0.0.0]network 3.3.3.3 0.0.0.0
Check that the neighbor relationships have been established
[R1]mpls lsr-id 1.1.1.1
[R1]mpls
Info: Mpls starting, please wait... OK!
[R1-mpls]mpls ldp
[R1-mpls-ldp]q
[R1]int g0/0/2
[R1-GigabitEthernet0/0/2]mpls
[R1-GigabitEthernet0/0/2]mpls ldp
[R2]mpls lsr-id 2.2.2.2
[R2]mpls
Info: Mpls starting, please wait... OK!
[R2-mpls]mpls ldp
[R2-mpls-ldp]int g0/0/0
[R2-GigabitEthernet0/0/0]mpls
[R2-GigabitEthernet0/0/0]mpls ldp
[R2-GigabitEthernet0/0/0]int g0/0/1
[R2-GigabitEthernet0/0/1]mpls
[R2-GigabitEthernet0/0/1]mpls ldp
[R3]mpls lsr-id 3.3.3.3
[R3]mpls
Info: Mpls starting, please wait... OK!
[R3-mpls]mpls ldp
[R3-mpls-ldp]int g0/0/0
[R3-GigabitEthernet0/0/0]mpls
[R3-GigabitEthernet0/0/0]mpls ldp
[R1]bgp 1
[R1-bgp]peer 3.3.3.3 as-number 1
[R1-bgp]peer 3.3.3.3 connect-interface loo0
[R3]bgp 1
[R3-bgp]peer 1.1.1.1 as-number 1
[R3-bgp]peer 1.1.1.1 connect-interface loo0
Enable VPNv4 routing
[R1]bgp 1
[R1-bgp]ipv4-family vpnv4
[R1-bgp-af-vpnv4]peer 3.3.3.3 enable
[R3]bgp 1
[R3-bgp]ipv4-family vpnv4
[R3-bgp-af-vpnv4]peer 1.1.1.1 enable
Between company A's sites
[R1]ip vpn-instance A1
[R1-vpn-instance-A1]route-distinguisher 1:1
[R1-vpn-instance-A1-af-ipv4]vpn-target 1:100 both
IVT Assignment result:
Info: VPN-Target assignment is successful.
EVT Assignment result:
Info: VPN-Target assignment is successful.
[R1-vpn-instance-A1]q
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip binding vpn-instance A1
Info: All IPv4 related configurations on this interface are removed!
Info: All IPv6 related configurations on this interface are removed!
[R1-GigabitEthernet0/0/0]ip add 10.1.14.1 24
[R3]ip vpn-instance A2
[R3-vpn-instance-A2]route-distinguisher 1:2
[R3-vpn-instance-A2-af-ipv4]vpn-target 1:100 both
IVT Assignment result:
Info: VPN-Target assignment is successful.
EVT Assignment result:
Info: VPN-Target assignment is successful.
[R3-vpn-instance-A2]q
[R3]int g0/0/1
[R3-GigabitEthernet0/0/1]ip binding vpn-instance A2
Info: All IPv4 related configurations on this interface are removed!
Info: All IPv6 related configurations on this interface are removed!
[R3-GigabitEthernet0/0/1]ip address 10.1.36.3 24
Between company B's sites
[R1]ip vpn-instance B1
[R1-vpn-instance-B1]route-distinguisher 1:3
[R1-vpn-instance-B1-af-ipv4]vpn-target 2:100 both
IVT Assignment result:
Info: VPN-Target assignment is successful.
EVT Assignment result:
Info: VPN-Target assignment is successful.
[R1-vpn-instance-B1-af-ipv4]int g0/0/1
[R1-GigabitEthernet0/0/1]ip binding vpn-instance B1
Info: All IPv4 related configurations on this interface are removed!
Info: All IPv6 related configurations on this interface are removed!
[R1-GigabitEthernet0/0/1]ip add 10.1.15.1 24
[R3]ip vpn-instance B2
[R3-vpn-instance-B2]route-distinguisher 1:4
[R3-vpn-instance-B2-af-ipv4]vpn-target 2:100 both
IVT Assignment result:
Info: VPN-Target assignment is successful.
EVT Assignment result:
Info: VPN-Target assignment is successful.
[R3-vpn-instance-B2-af-ipv4]int g0/0/2
[R3-GigabitEthernet0/0/2]ip binding vpn-instance B2
Info: All IPv4 related configurations on this interface are removed!
Info: All IPv6 related configurations on this interface are removed!
[R3-GigabitEthernet0/0/2]ip add 10.1.37.3 24
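1. The RD exists so that when different instances on the same PE advertise the same route, it is still possible to tell which instance the route came from.
For example: A1 has a route to 192.168.1.0/24 and B1 also has a route to 192.168.1.0/24; the RD tells them apart. RD values must be unique on the same PE; they cannot be identical.
2. The RT selects which routes an instance is interested in: the eRT marks the routes that are sent out, and the iRT marks the routes the instance itself accepts. This keeps the different routes apart so that each one enters the correct instance.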
[R1]ospf 2 router-id 1.1.1.1 vpn-instance A1
[R1-ospf-2]a 0
[R1-ospf-2-area-0.0.0.0]network 10.1.14.1 0.0.0.0
[R3]ospf 3 router-id 3.3.3.3 vpn-instance A2
[R3-ospf-3]a 0
[R3-ospf-3-area-0.0.0.0]network 10.1.36.3 0.0.0.0
[R1]ospf 4 router-id 1.1.1.1 vpn-instance B1
[R1-ospf-4]a 0
[R1-ospf-4-area-0.0.0.0]network 10.1.15.1 0.0.0.0
[R3]ospf 5 router-id 3.3.3.3 vpn-instance B2
[R3-ospf-5]a 0
[R3-ospf-5-area-0.0.0.0]network 10.1.37.3 0.0.0.0
On R4/R5/R6/R7, simply start OSPF normally with the corresponding process.
A plain ping from R1 fails because R1 holds two routing tables, so you must specify which routing table's routes to use.
[R1]ospf 2
[R1-ospf-2]import-route bgp
[R1]bgp 1
[R1-bgp]ipv4-family vpn-instance A1
[R1-bgp-A1]import-route ospf 2
[R3]bgp 1
[R3-bgp]ipv4-family vpn-instance A2
[R3-bgp-A2]import-route ospf 3
[R3]ospf 3
[R3-ospf-3]import-route bgp
During this process, traffic is forwarded with two layers of labels (outer 1025, inner 1028).
[R4]aaa
[R4-aaa]local-user ccna password cipher huawei@123
Info: Add a new user.
[R4-aaa]local-user ccna service-type telnet
[R4]user-interface vty 0 4
[R4-ui-vty0-4]user privilege level 15
[R4-ui-vty0-4]authentication-mode aaa
[R5]aaa
[R5-aaa]local-user ccnp password cipher cisco123
Info: Add a new user.
[R5-aaa]local-user ccnp service-type telnet
[R5]user-interface vty 0 4
[R5-ui-vty0-4]user privilege level 15
Test:
[R1]bgp 1
[R1-bgp]peer 2.2.2.2 as-number 1
[R1-bgp]peer 2.2.2.2 connect-interface loo0
[R1-bgp]ipv4-family vpnv4
[R1-bgp-af-vpnv4]peer 2.2.2.2 enable
[R2]bgp 1
[R2-bgp]peer 1.1.1.1 as-number 1
[R2-bgp]peer 1.1.1.1 connect-interface loo0
[R2-bgp]peer 3.3.3.3 as-number 1
[R2-bgp]peer 3.3.3.3 connect-interface loo0
[R2-bgp]ipv4-family vpnv4
[R2-bgp-af-vpnv4]peer 1.1.1.1 enable
[R2-bgp-af-vpnv4]peer 1.1.1.1 reflect-client
[R2-bgp-af-vpnv4]peer 3.3.3.3 enable
[R2-bgp-af-vpnv4]peer 3.3.3.3 reflect-client
[R3]bgp 1
[R3-bgp]undo peer 1.1.1.1
[R3-bgp]peer 2.2.2.2 as-number 1
[R3-bgp]peer 2.2.2.2 connect-interface loo0
[R3-bgp]ipv4-family vpnv4
[R3-bgp-af-vpnv4]peer 2.2.2.2 enable
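Check the state of the BGP VPNv4 neighbor relationships
Once an RR is introduced, a problem appears: VPNv4 routes that reach the RR are filtered out.
policy vpn-target: RT-based filtering of VPNv4 routes is enabled by default
1. If the local router has no VPN instance attached, it discards all VPNv4 routes.
2. If the local router does have VPN instances attached, it matches the route's eRT against the iRT of every local VPN instance; if the eRT matches none of the local instances' iRTs, the route is discarded.
Solution: undo policy vpn-target disables RT-based filtering of VPNv4 routes
[R2-bgp-af-vpnv4]undo policy vpn-target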
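The RD/RT behaviour and the RR filtering rule described above, modelled in Python as an added example (not part of the original lab notes and not Huawei VRP code). The Vpnv4Route and Router classes are hypothetical and simplified; the 192.168.1.0/24 sample routes are constructed from the RD/RT values configured on R1 and R3.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vpnv4Route:
    rd: str                 # route distinguisher set on the advertising PE
    prefix: str             # customer IPv4 prefix
    export_rts: frozenset   # eRT values attached when the route is exported

    @property
    def key(self):
        # The RD is prepended to the prefix, so overlapping customer
        # prefixes become distinct VPNv4 routes.
        return f"{self.rd}:{self.prefix}"

class Router:
    def __init__(self, name, import_rts=None, policy_vpn_target=True):
        self.name = name
        self.import_rts = import_rts or {}      # instance name -> set of iRT
        self.policy_vpn_target = policy_vpn_target

    def accepts(self, route):
        """Is a received VPNv4 route kept (and, on an RR, reflected)?"""
        if not self.policy_vpn_target:          # undo policy vpn-target
            return True
        # No local instance -> any() over nothing is False -> route dropped.
        return any(route.export_rts & irt for irt in self.import_rts.values())

    def import_into(self, route):
        """Local instances whose iRT matches the route's eRT."""
        return sorted(n for n, irt in self.import_rts.items()
                      if route.export_rts & irt)

# Constructed sample routes, using the RD/RT values configured on R1.
ROUTE_A1 = Vpnv4Route("1:1", "192.168.1.0/24", frozenset({"1:100"}))
ROUTE_B1 = Vpnv4Route("1:3", "192.168.1.0/24", frozenset({"2:100"}))

def reflected_by(rr, routes):
    """Keys of the routes the RR keeps and can pass on to its clients."""
    return [r.key for r in routes if rr.accepts(r)]

if __name__ == "__main__":
    r3 = Router("R3", {"A2": {"1:100"}, "B2": {"2:100"}})
    for rr in (Router("R2"), Router("R2", policy_vpn_target=False)):
        kept = reflected_by(rr, [ROUTE_A1, ROUTE_B1])
        print("policy vpn-target on:", rr.policy_vpn_target, "R2 keeps", kept)
    print("A1 route ->", r3.import_into(ROUTE_A1))
    print("B1 route ->", r3.import_into(ROUTE_B1))
```

With filtering disabled on R2 the routes are only passed on; R3 still imports each one solely into the instance whose iRT matches, which is what keeps A and B separated.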
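Note: this lab only lets the companies' sites reach each other and does not provide access to the ISP; it uses private IP addresses.
To reach the ISP, you must run an additional link to the carrier and use public IP addresses.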