A typical hub-spoke topology
The pink area in the middle is the backbone built by the company, with AS number 1.
Because AS numbers are scarce and expensive, the headquarters and the branches share a single AS, AS number 2, shown as the blue part.
The orange area is the Internet, AS number 3.
Requirements:
Branch-to-branch traffic must transit the headquarters, entering via R8 and leaving via R8.
Branch-to-Internet traffic must also transit the headquarters, entering via R8 and leaving via R9.
This behaviour is wanted in some scenarios: forcing inter-branch traffic through headquarters lets headquarters apply policy to it, for example a firewall there can block dangerous traffic, and traffic between branches can be monitored and accounted for.
However, when the traffic reaches the PE that connects the backbone to headquarters, the VRF receives and sends routes according to its own export and import values, so the traffic never transits the headquarters router.
Solution
Root cause: on the PE that connects the backbone to headquarters, the export and import values live in the same VRF, so traffic reaching the PE matches both values in that one VRF and is received and forwarded directly. The fix is therefore to separate export from import by creating two VRFs: one VRF (named spoke) is responsible for import, the other (named hub) for export. Traffic is imported into spoke; because spoke has no export, it is passed to headquarters via BGP, and when it comes back from headquarters it enters hub and is exported by hub on to the other branch. This solves the problem of inter-branch traffic bypassing headquarters.
Why is the backbone built this way? What is AR1 in the middle for?
In MPLS-BGP-VPN the edge devices are all BGP devices, while AR2 and AR3 in the middle are ordinary devices. Without AR1, both control-plane and data-plane traffic would have to pass through AR2 and AR3, putting heavy load on them. With an additional AR1 that establishes VPNv4 neighbours with the other PEs and acts as the VPNv4 route reflector, the control-plane load on AR2 and AR3 moves to AR1. Separating control traffic from data traffic in this way benefits the stability of the whole backbone.
Enough talk, here is the configuration
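As an added example that is not part of the original post, here is a small Python model of the route exchange on hub PE AR4 that shows why import and export must sit in separate VRFs, and additionally exercises the substitute-as and allow-as-loop knobs from the AR4 configuration. It assumes AR11 advertises 20.1.111.0/24 (AR10's 20.1.110.0/24 is on the page) and calls the VRF that exports 4:5 "hub".

```python
# Added example (not from the original post): a model of the route exchange on
# hub PE AR4 showing why import and export must sit in separate VRFs.
# Assumed: AR11 advertises 20.1.111.0/24 (AR10's 20.1.110.0/24 is on the page).

def advertise(path, own_as, peer_as, substitute=False, allow_loop=False):
    """eBGP update own_as -> peer_as: prepend own AS, apply substitute-as
    (peer's AS rewritten to own AS, like 'peer ... substitute-as') and run
    the receiver's AS_PATH loop check ('allow-as-loop' switches it off)."""
    body = tuple(own_as if substitute and a == peer_as else a for a in path)
    new = (own_as,) + body
    return new if allow_loop or peer_as not in new else None

def hub_pe(split):
    """AR4's VRFs; split=False is the naive single-VRF design."""
    if split:
        return {"hub": {"import": set(), "export": {"4:5"}, "rib": {}},
                "spoke": {"import": {"6:6", "7:7"}, "export": set(), "rib": {}}}
    one = {"import": {"6:6", "7:7"}, "export": {"4:5"}, "rib": {}}
    return {"hub": one, "spoke": one}  # same object: a single VRF

def converge(split):
    """Push both branch prefixes through AR4 and return the hops a packet
    from AR6's branch takes to reach AR7's branch."""
    vrfs = hub_pe(split)
    branches = {"AR6": ("20.1.110.0/24", "6:6"), "AR7": ("20.1.111.0/24", "7:7")}
    # 1. MP-BGP import: a branch PE exports its CE route (AS_PATH 2) with its RT.
    for pe, (pfx, rt) in branches.items():
        for v in vrfs.values():
            if rt in v["import"]:
                v["rib"].setdefault(pfx, []).append(((2,), pe))
    # 2. PE -> AR8 over the spoke VRF (AS 1 -> 2, substitute-as on), then
    #    AR8 -> PE over the hub VRF (AS 2 -> 1, allow-as-loop on).
    ar8 = {}
    for pfx, routes in list(vrfs["spoke"]["rib"].items()):
        out = advertise(min(routes, key=lambda r: len(r[0]))[0], 1, 2, substitute=True)
        ar8[pfx] = (out, "AR4/spoke")
        back = advertise(out, 2, 1, allow_loop=True)
        vrfs["hub"]["rib"].setdefault(pfx, []).append((back, "AR8"))
    # 3. AR6 learnt AR7's prefix with RT 4:5, the label of the exporting VRF, so
    #    the packet lands in AR4's hub VRF; follow the best route (shortest AS_PATH).
    dst, hop, trail = branches["AR7"][0], "AR4/hub", ["AR6"]
    while hop != "AR7":
        trail.append(hop)
        if hop == "AR8":
            hop = ar8[dst][1]
        else:
            routes = vrfs[hop.split("/")[1]]["rib"][dst]
            hop = min(routes, key=lambda r: len(r[0]))[1]
    return trail + ["AR7"]
```

With one VRF the direct VPNv4 route from AR7 wins in AR4 and AR8 is never visited; with the split design the hub VRF only knows the route AR8 re-advertised, so the packet is forced through headquarters.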
AR1
mpls lsr-id 10.1.1.1
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/0
ip address 10.12.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
ip address 10.13.1.1 255.255.255.0
mpls
mpls ldp
#
interface NULL0
#
interface LoopBack0
ip address 10.1.1.1 255.255.255.255
#
bgp 1
router-id 10.1.1.1
group IBGP internal
peer IBGP connect-interface LoopBack0
peer 10.4.4.4 as-number 1
peer 10.4.4.4 group IBGP
peer 10.5.5.5 as-number 1
peer 10.5.5.5 group IBGP
peer 10.6.6.6 as-number 1
peer 10.6.6.6 group IBGP
peer 10.7.7.7 as-number 1
peer 10.7.7.7 group IBGP
#
ipv4-family unicast
undo synchronization
peer IBGP enable
peer IBGP reflect-client
peer 10.4.4.4 enable
peer 10.4.4.4 group IBGP
peer 10.5.5.5 enable
peer 10.5.5.5 group IBGP
peer 10.6.6.6 enable
peer 10.6.6.6 group IBGP
peer 10.7.7.7 enable
peer 10.7.7.7 group IBGP
#
ipv4-family vpnv4
undo policy vpn-target
peer IBGP enable
peer IBGP reflect-client
peer IBGP advertise-community
peer 10.4.4.4 enable
peer 10.4.4.4 group IBGP
peer 10.5.5.5 enable
peer 10.5.5.5 group IBGP
peer 10.6.6.6 enable
peer 10.6.6.6 group IBGP
peer 10.7.7.7 enable
peer 10.7.7.7 group IBGP
#
ospf 1 router-id 10.1.1.1
area 0.0.0.0
network 10.0.0.0 0.255.255.255
R2 (R3 is the same)
mpls lsr-id 10.2.2.2
mpls
#
mpls ldp
interface GigabitEthernet0/0/0
ip address 10.12.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
ip address 10.26.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 10.24.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack0
ip address 10.2.2.2 255.255.255.255
#
ospf 1 router-id 10.2.2.2
area 0.0.0.0
network 10.0.0.0 0.255.255.255
AR4 (AR5 is the same)
ip vpn-instance hub
ipv4-family
route-distinguisher 4:8
vpn-target 4:5 export-extcommunity
#
ip vpn-instance int
ipv4-family
route-distinguisher 12:4
#
ip vpn-instance spoke
ipv4-family
route-distinguisher 8:4
vpn-target 6:6 7:7 import-extcommunity
#
mpls lsr-id 10.4.4.4
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/1
ip address 10.45.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0.1
dot1q termination vid 1
ip binding vpn-instance spoke
ip address 48.1.1.2 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet2/0/0.2
dot1q termination vid 2
ip binding vpn-instance hub
ip address 48.1.2.2 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet2/0/0.3
dot1q termination vid 3
ip address 48.1.3.2 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet2/0/1
ip binding vpn-instance int
ip address 100.124.1.1 255.255.255.0
#
interface LoopBack0
ip address 10.4.4.4 255.255.255.255
#
bgp 1
router-id 10.4.4.4
peer 10.1.1.1 as-number 1
peer 10.1.1.1 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 10.1.1.1 enable
#
ipv4-family vpnv4
undo policy vpn-target
peer 10.1.1.1 enable
peer 10.1.1.1 advertise-community
#
ipv4-family vpn-instance hub
peer 48.1.2.1 as-number 2
peer 48.1.2.1 allow-as-loop 10
#
ipv4-family vpn-instance int
import-route static
peer 100.124.1.2 as-number 3
#
ipv4-family vpn-instance spoke
peer 48.1.1.1 as-number 2
peer 48.1.1.1 substitute-as
#
ospf 1 router-id 10.4.4.4
area 0.0.0.0
network 10.0.0.0 0.255.255.255
#
ip route-static 0.0.0.0 0.0.0.0 vpn-instance int 100.124.1.2
ip route-static vpn-instance int 20.0.0.0 255.0.0.0 48.1.3.1 public
AR6 (AR7 is the same)
ip vpn-instance spoke
ipv4-family
route-distinguisher 10:6
vpn-target 6:6 export-extcommunity
vpn-target 4:5 import-extcommunity
#
mpls lsr-id 10.6.6.6
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/0
ip address 10.26.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
ip address 10.67.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip binding vpn-instance spoke
ip address 106.1.1.1 255.255.255.0
#
interface LoopBack0
ip address 10.6.6.6 255.255.255.255
#
bgp 1
router-id 10.6.6.6
peer 10.1.1.1 as-number 1
peer 10.1.1.1 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 10.1.1.1 enable
#
ipv4-family vpnv4
undo policy vpn-target
peer 10.1.1.1 enable
peer 10.1.1.1 advertise-community
#
ipv4-family vpn-instance spoke
peer 106.1.1.2 as-number 2
peer 106.1.1.2 substitute-as
#
ospf 1 router-id 10.6.6.6
area 0.0.0.0
network 10.0.0.0 0.255.255.255
AR8
interface GigabitEthernet0/0/0.1
dot1q termination vid 1
ip address 48.1.1.1 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet0/0/0.2
dot1q termination vid 2
ip address 48.1.2.1 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet0/0/0.3
dot1q termination vid 3
ip address 48.1.3.1 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet0/0/1
ip address 20.3.89.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 20.3.48.2 255.255.255.0
#
interface LoopBack0
ip address 20.3.8.8 255.255.255.255
#
bgp 2
router-id 20.3.8.8
peer 20.3.9.9 as-number 2
peer 20.3.9.9 connect-interface LoopBack0
peer 48.1.1.2 as-number 1
peer 48.1.2.2 as-number 1
#
ipv4-family unicast
undo synchronization
network 20.3.48.0 255.255.255.0
peer 20.3.9.9 enable
peer 48.1.1.2 enable
peer 48.1.1.2 route-policy localpre import
peer 48.1.2.2 enable
#
ospf 1 router-id 20.3.8.8
area 0.0.0.0
network 20.0.0.0 0.255.255.255
#
route-policy localpre permit node 10
apply local-preference 200
#
route-policy localpre permit node 20
AR9
interface GigabitEthernet0/0/0.1
dot1q termination vid 1
ip address 59.1.1.1 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet0/0/0.2
dot1q termination vid 2
ip address 59.1.2.1 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet0/0/0.3
dot1q termination vid 3
ip address 59.1.3.1 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet0/0/1
ip address 20.3.89.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 20.3.59.2 255.255.255.0
#
bgp 2
router-id 20.3.9.9
peer 20.3.8.8 as-number 2
peer 20.3.8.8 connect-interface LoopBack0
peer 59.1.1.2 as-number 1
peer 59.1.2.2 as-number 1
#
ipv4-family unicast
undo synchronization
default-route imported
network 0.0.0.0
network 20.3.59.0 255.255.255.0
peer 20.3.8.8 enable
peer 59.1.1.2 enable
peer 59.1.2.2 enable
peer 59.1.2.2 route-policy med export
#
ospf 1 router-id 20.3.9.9
area 0.0.0.0
network 20.0.0.0 0.255.255.255
#
route-policy med permit node 10
apply cost 100
#
route-policy med permit node 20
#
ip route-static 0.0.0.0 0.0.0.0 59.1.3.2
ip route-static 0.0.0.0 0.0.0.0 20.3.89.1 preference 70
AR10 (AR11 is the same)
interface GigabitEthernet0/0/0
ip address 106.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 20.1.110.2 255.255.255.0
#
interface NULL0
#
interface LoopBack0
ip address 20.1.10.10 255.255.255.255
#
bgp 2
router-id 20.1.10.10
peer 106.1.1.1 as-number 1
#
ipv4-family unicast
undo synchronization
network 20.1.110.0 255.255.255.0
peer 106.1.1.1 enable
AR12
interface GigabitEthernet0/0/0
ip address 100.125.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 100.124.1.2 255.255.255.0
#
interface NULL0
#
interface LoopBack0
ip address 12.12.12.12 255.255.255.255
#
bgp 3
router-id 12.12.12.12
peer 100.124.1.1 as-number 1
peer 100.125.1.1 as-number 1
#
ipv4-family unicast
undo synchronization
network 12.12.12.12 255.255.255.255
peer 100.124.1.1 enable
peer 100.125.1.1 enable
peer 100.125.1.1 route-policy perval import
#
route-policy perval permit node 10
apply preferred-value 20
#
route-policy perval permit node 20
Testing