MPLS VPN: Key Concepts and a Hands-On Lab

  1. Project topology and requirements

[Figure 1: project topology]

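Project requirements: as shown in the figure, a company has a headquarters, Branch A and Branch B. The following requirements must be met: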

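  • Headquarters and the branches are interconnected over MPLS. Inside the carrier network a route reflector (RR) reflects the MP-BGP routes. The carrier IGP is OSPF, and the enterprise's internal IGP is also OSPF.
  • Branch A and Branch B cannot reach each other. PC1 in Branch A and PC3 in Branch B can reach headquarters. PC2 and PC4 can communicate only inside their own branch.
  • Headquarters connects to the Internet through CE1. PC1 and PC2 in Branches A and B must be able to reach the Internet through headquarters, and headquarters uses BFD one-arm echo on CE1 to detect link failures.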

  2. Lab steps

Step 1: Rename the devices and configure the IP addresses

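| Device   | Interface | IP address         |
|----------|-----------|--------------------|
| CE1      | G0/0/0    | 192.168.1.2/24     |
| CE1      | G0/0/1    | 100.1.1.1/24       |
| CE1      | LoopBack0 | 10.10.10.10/32     |
| CE2      | G0/0/0    | 192.168.2.2/24     |
| CE2      | G0/0/1    | 10.1.1.254/24      |
| CE2      | G0/0/2    | 20.1.1.254/24      |
| CE3      | G0/0/0    | 192.168.3.3/24     |
| CE3      | G0/0/1    | 30.1.1.254/24      |
| CE3      | G0/0/2    | 40.1.1.254/24      |
| PC1      | E0/0/1    | 10.1.1.1/24        |
| PC2      | E0/0/1    | 20.1.1.1/24        |
| PC3      | E0/0/1    | 30.1.1.1/24        |
| PC4      | E0/0/1    | 40.1.1.1/24        |
| PE1      | G0/0/0    | 192.168.1.1/24     |
| PE1      | G0/0/1    | 10.0.12.1/24       |
| PE1      | LoopBack0 | 1.1.1.1/32         |
| PE3      | G0/0/0    | 192.168.2.3/24     |
| PE3      | G0/0/1    | 10.0.23.3/24       |
| PE3      | LoopBack0 | 3.3.3.3/32         |
| PE4      | G0/0/0    | 192.168.3.4/24     |
| PE4      | G0/0/1    | 10.0.24.4/24       |
| PE4      | LoopBack0 | 4.4.4.4/32         |
| RR       | G0/0/0    | 10.0.12.6/24       |
| RR       | G0/0/1    | 10.0.23.6/24       |
| RR       | G0/0/2    | 10.0.24.6/24       |
| RR       | LoopBack0 | 2.2.2.2/32         |
| Internet | G0/0/0    | 100.1.1.2/24       |
| Internet | LoopBack0 | 100.100.100.100/32 |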

Step 2: Configure MPLS VPN and the IGP

Configure the carrier's internal IGP:

[PE1]ospf

[PE1-ospf-1]area 0

[PE1-ospf-1-area-0.0.0.0]net 10.0.12.0 0.0.0.255

[PE1-ospf-1-area-0.0.0.0]net 1.1.1.1 0.0.0.0

[RR]ospf

[RR-ospf-1]area 0

[RR-ospf-1-area-0.0.0.0]net 2.2.2.2 0.0.0.0

[RR-ospf-1-area-0.0.0.0]net 10.0.12.0 0.0.0.255

[RR-ospf-1-area-0.0.0.0]net 10.0.23.0 0.0.0.255

[RR-ospf-1-area-0.0.0.0]net 10.0.24.0 0.0.0.255

[PE3]ospf

[PE3-ospf-1]area 0

[PE3-ospf-1-area-0.0.0.0]net 3.3.3.3 0.0.0.0

[PE3-ospf-1-area-0.0.0.0]net 10.0.23.0 0.0.0.255

[PE4]ospf

[PE4-ospf-1]

[PE4-ospf-1]area 0

[PE4-ospf-1-area-0.0.0.0]net 4.4.4.4 0.0.0.0

[PE4-ospf-1-area-0.0.0.0]net 10.0.24.0 0.0.0.255

Configure MPLS LDP inside the carrier network:

[PE1]mpls lsr-id 1.1.1.1 //use the loopback address as the LSR ID

[PE1]mpls   //enable MPLS globally

Info: Mpls starting, please wait... OK!

[PE1]mpls ldp  //enable MPLS LDP globally

[PE1-mpls-ldp]quit

[PE1]interface g0/0/1  

[PE1-GigabitEthernet0/0/1]mpls

[PE1-GigabitEthernet0/0/1]mpls ldp

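RR, PE3 and PE4 are configured the same way, so their configuration is not repeated here.

Check that the LSPs (tunnels) have been established: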

[PE1]display mpls lsp

-------------------------------------------------------------------------------

                 LSP Information: LDP LSP

-------------------------------------------------------------------------------

FEC                In/Out Label  In/Out IF                      Vrf Name      

1.1.1.1/32         3/NUL        -/-                                          

2.2.2.2/32         NUL/3        -/GE0/0/1                                    

2.2.2.2/32         1024/3        -/GE0/0/1                                     

3.3.3.3/32         NUL/1025     -/GE0/0/1                                    

3.3.3.3/32         1025/1025     -/GE0/0/1                                    

4.4.4.4/32         NUL/1026     -/GE0/0/1                                     

4.4.4.4/32         1026/1026     -/GE0/0/1  

Step 3: Create a VPN instance for the tenant and configure the planned RD and RT values

PE1 configuration:

[PE1]ip vpn-instance 1

[PE1-vpn-instance-1]route-distinguisher 100:1  //RD

[PE1-vpn-instance-1-af-ipv4]vpn-target 1:1 import-extcommunity   //import RT

 IVT Assignment result:

Info: VPN-Target assignment is Successful.

[PE1-vpn-instance-1-af-ipv4]vpn-target 2:2 export-extcommunity   //export RT

 EVT Assignment result:

Info: VPN-Target assignment is Successful.

PE3 configuration:

[PE3]ip vpn-instance 1

[PE3-vpn-instance-1-af-ipv4]route-distinguisher 100:3

[PE3-vpn-instance-1-af-ipv4]vpn-target 1:1 export-extcommunity

[PE3-vpn-instance-1-af-ipv4]vpn-target 2:2 import-extcommunity

PE4 configuration:

[PE4]ip vpn-instance 1

[PE4-vpn-instance-1]route-distinguisher 100:4

[PE4-vpn-instance-1-af-ipv4]vpn-target 1:1 export-extcommunity

 EVT Assignment result:

Info: VPN-Target assignment is Successful.

[PE4-vpn-instance-1-af-ipv4]vpn-target 2:2 import-extcommunity

 IVT Assignment result:

Info: VPN-Target assignment is Successful.

Step 4: Bind the CE-facing interfaces to the VPN instance to isolate tenants from one another

PE1 configuration:

[PE1-GigabitEthernet0/0/0]ip binding vpn-instance 1

Info: All IPv4 related configurations on this interface are removed!

Info: All IPv6 related configurations on this interface are removed!

PE3 configuration:

[PE3-GigabitEthernet0/0/0]ip binding vpn-instance 1

PE4 configuration:

[PE4-GigabitEthernet0/0/0]ip binding vpn-instance 1

Step 5: Advertise the site's routes from the CE to the local PE (IPv4 routes)

Configure the enterprise's internal IGP:

[CE1]ospf 100

[CE1-ospf-100]area 0

[CE1-ospf-100-area-0.0.0.0]net 192.168.1.0 0.0.0.255

[CE1-ospf-100-area-0.0.0.0]net 10.10.10.10 0.0.0.0

[PE1]ospf 100 vpn-instance 1  //bind OSPF process 100 to VPN instance 1

[PE1-ospf-100]area 0

[PE1-ospf-100-area-0.0.0.0]net 192.168.1.0 0.0.0.255

[PE1-ospf-100-area-0.0.0.0]

Check which routes have been learned:

[PE1]display ip routing-table vpn-instance 1

Route Flags: R - relay, D - download to fib

------------------------------------------------------------------------------

Routing Tables: 1

         Destinations : 5        Routes : 5       

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

    10.10.10.10/32  OSPF    10   1           D   192.168.1.2     GigabitEthernet

0/0/0

    192.168.1.0/24  Direct  0    0           D   192.168.1.1     GigabitEthernet

0/0/0

    192.168.1.1/32  Direct  0    0           D   127.0.0.1       GigabitEthernet

0/0/0

  192.168.1.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet

0/0/0

255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0

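The output shows that OSPF is working. PE3 and CE2, and PE4 and CE3, run OSPF in the same way, so their configuration is not repeated here.

Step 6: Carry the VPNv4 routes over MP-BGP

PE1 configuration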

[PE1]bgp 100

[PE1-bgp]peer 2.2.2.2 as-number 100

[PE1-bgp]peer 2.2.2.2 connect-interface LoopBack 0

[PE1-bgp]ipv4-family vpnv4

[PE1-bgp-af-vpnv4]peer 2.2.2.2 enable

[PE1-bgp-af-vpnv4]quit

[PE1-bgp]quit

[PE1]bgp 100

[PE1-bgp]ipv4-family vpn-instance 1

[PE1-bgp-1]import-route ospf 100

Check whether the routes have been imported:

[PE1-bgp-1]display bgp vpnv4 all routing-table

 BGP Local router ID is 10.0.12.1

 Status codes: * - valid, > - best, d - damped,

               h - history,  i - internal, s - suppressed, S - Stale

               Origin : i - IGP, e - EGP, ? - incomplete

 Total number of routes from all PE: 2

 Route Distinguisher: 100:1

      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn

 *>   10.10.10.10/32     0.0.0.0         2                     0      ?

 *>   192.168.1.0        0.0.0.0         0                     0      ?

 VPN-Instance 1, Router ID 10.0.12.1:

 Total Number of Routes: 2

      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn

 *>   10.10.10.10/32     0.0.0.0         2                     0      ?

 *>   192.168.1.0        0.0.0.0         0                     0      ?

The output shows that the 10.10.10.10 route has been learned.

PE3 configuration

[PE3]bgp 100

[PE3-bgp]peer 2.2.2.2 as-number 100

[PE3-bgp]peer 2.2.2.2 connect-interface LoopBack 0

[PE3-bgp]ipv4-family vpnv4

[PE3-bgp-af-vpnv4]peer 2.2.2.2 enable

[PE3-bgp-af-vpnv4]quit

[PE3-bgp]quit

[PE3]bgp 100

[PE3-bgp]ipv4-family vpn-instance 1

[PE3-bgp-1]import-route ospf 100

PE4 configuration

[PE4]bgp 100

[PE4-bgp]peer 2.2.2.2 as-number 100

[PE4-bgp]peer 2.2.2.2 connect-interface LoopBack 0

[PE4-bgp]ipv4-family vpnv4

[PE4-bgp-af-vpnv4]peer 2.2.2.2 enable

[PE4-bgp-af-vpnv4]quit

[PE4-bgp]quit

[PE4]bgp 100

[PE4-bgp]ipv4-family vpn-instance 1

[PE4-bgp-1]import-route ospf 100

RR configuration

[RR]bgp 100

[RR-bgp]peer 1.1.1.1 as-number 100

[RR-bgp]peer 1.1.1.1 connect-interface LoopBack 0     

[RR-bgp]peer 3.3.3.3 as-number 100

[RR-bgp]peer 3.3.3.3 connect-interface LoopBack 0

[RR-bgp]peer 4.4.4.4 as-number 100

[RR-bgp]peer 4.4.4.4 connect-interface LoopBack 0

[RR-bgp]ipv4-family vpnv4

[RR-bgp-af-vpnv4]peer 1.1.1.1 enable

[RR-bgp-af-vpnv4]peer 1.1.1.1 reflect-client

[RR-bgp-af-vpnv4]peer 3.3.3.3 enable

[RR-bgp-af-vpnv4]peer 3.3.3.3 reflect-client

[RR-bgp-af-vpnv4]peer 4.4.4.4 enable

[RR-bgp-af-vpnv4]peer 4.4.4.4 reflect-client

[RR]bgp 100

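[RR-bgp]ipv4-family vpnv4

[RR-bgp-af-vpnv4]undo policy vpn-target

Because no VPN instance is configured on the RR, it has no RT and therefore cannot accept VPNv4 routes. This command is needed so that the RR accepts VPNv4 routes directly, without checking their RT values.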
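The RT plan from Step 3 and the RR behaviour described above can be checked with a small control-plane model. This Python sketch is an added example, not part of the original lab; the class and function names are hypothetical, the branch prefixes are taken from the address table in Step 1, and only the RT import decision is modelled (no labels, OSPF redistribution or default route).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vpnv4Route:
    origin: str            # PE that exported the route
    rd: str                # route distinguisher of the exporting VPN instance
    prefix: str
    export_rts: frozenset  # RTs attached on export

# RD/RT values from Step 3: PE1 is the hub (headquarters), PE3/PE4 are spokes.
PES = {
    "PE1": {"rd": "100:1", "import": {"1:1"}, "export": {"2:2"},
            "prefixes": ["10.10.10.10/32"]},
    "PE3": {"rd": "100:3", "import": {"2:2"}, "export": {"1:1"},
            "prefixes": ["10.1.1.0/24", "20.1.1.0/24"]},
    "PE4": {"rd": "100:4", "import": {"2:2"}, "export": {"1:1"},
            "prefixes": ["30.1.1.0/24", "40.1.1.0/24"]},
}

def export_routes(pes):
    """Each PE tags its VPN-instance routes with its RD and export RTs."""
    return [Vpnv4Route(name, pe["rd"], p, frozenset(pe["export"]))
            for name, pe in pes.items() for p in pe["prefixes"]]

def reflect(routes, rr_import_rts=frozenset(), policy_vpn_target=True):
    """With the RT policy on, the RR keeps only routes matching a local
    import RT. It has no VPN instance, so nothing matches."""
    if not policy_vpn_target:   # 'undo policy vpn-target'
        return list(routes)
    return [r for r in routes if r.export_rts & rr_import_rts]

def vrf_imports(pes, reflected):
    """A PE installs a reflected route if an export RT is in its import set."""
    return {name: sorted(r.prefix for r in reflected
                         if r.origin != name and r.export_rts & pe["import"])
            for name, pe in pes.items()}

def simulate(policy_vpn_target):
    routes = reflect(export_routes(PES), policy_vpn_target=policy_vpn_target)
    return vrf_imports(PES, routes)

if __name__ == "__main__":
    for flag in (True, False):
        print("policy vpn-target" if flag else "undo policy vpn-target")
        for pe, prefixes in simulate(flag).items():
            print(f"  {pe} imports: {prefixes}")
```

With the RT check left on at the RR, no PE imports anything. With it disabled, PE1 imports all four branch prefixes while PE3 and PE4 import only the headquarters route, which is the isolation between Branch A and Branch B that the requirements ask for.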

Step 7: Import the BGP VPNv4 routes into OSPF so that they are advertised to the CE devices

[PE1]ospf 100

[PE1-ospf-100]import-route bgp

[PE3]ospf 100

[PE3-ospf-100]import-route bgp

[PE4]ospf 100

[PE4-ospf-100]import-route bgp

Test: PC1 can reach 10.10.10.10 but cannot reach PC3.

Step 8: Filter the branch routes 20.1.1.0 and 40.1.1.0 on the PE

PE1 configuration

[PE1]ip ip-prefix 1 permit 10.1.1.0 24

[PE1]ip ip-prefix 1 permit 30.1.1.0 24

[PE1]ospf 100

[PE1-ospf-100]area 0

[PE1-ospf-100-area-0.0.0.0]filter ip-prefix 1 import

Step 9: Configure NAT and a default route pointing to the Internet, then advertise the default route

CE configuration

[CE]ip route-static 0.0.0.0 0 100.1.1.2

[CE]acl 2000

[CE-acl-basic-2000]rule  permit source any

[CE-acl-basic-2000]interface g0/0/1

[CE-GigabitEthernet0/0/1]nat outbound 2000

[CE]ospf 100

[CE-ospf-100]default-route-advertise  //advertise the default route

PE configuration:

[PE1]bgp 100

[PE1-bgp]ipv4-family vpn-instance 1

[PE1-bgp-1]default-route imported  //allow the default route to be imported so that PE3 and PE4 learn it

[PE3-ospf-100]default-route-advertise

[PE4-ospf-100]default-route-advertise

Step 10: Configure BFD one-arm echo

[CE]bfd

[CE-bfd]quit

[CE]bfd 1 bind peer-ip 100.1.1.2 interface g0/0/1 one-arm-echo      

[CE-bfd-session-1]discriminator local 100

[CE-bfd-session-1]commit

[CE]ip route-static 0.0.0.0 0 100.1.1.2 track bfd-session 1

Info: Succeeded in modifying route.
