MPLS Principles and Application Implementation Based on Cisco Technology [Part 2]

This part covers the basic architecture and a basic implementation of MPLS VPN, again using frame-mode MPLS.
As shown in the figure below, the VRF (virtual routing and forwarding instance) introduces virtual routers into IOS. Each VRF keeps its own routing table and forwarding table, independent of the global tables, so it behaves like a physically separate router. A single provider edge router (PE) can therefore attach several customer edge routers (CE), even ones using overlapping address space, without complex deployment or maintenance.
 
[Figure 1]
 
 
The six-router topology below is the environment in which MPLS VPN is explained and implemented: r1 is IPS1 (CE1), r2 is Border1 (PE1), r3 is Core1 and r4 is Core2 (P routers), r5 is Border2 (PE2) and r6 is IPS2 (CE2).
 
OSPF runs between IPS1 and VRF 12 on Border1; multiprotocol BGP with the VPNv4 address family (MP-BGP VPNv4) runs between Border1 and Border2; OSPF runs between IPS2 and VRF 56 on Border2. LDP/TDP runs on the interfaces between Border1, Core1, Core2 and Border2, and OSPF must also run on those interfaces so that LDP has IGP routes (in particular the PE loopbacks used as BGP next hops) to bind labels to.
The basic configurations follow. Note that, as is usual for a lab, none of them authenticate the LDP sessions or the MP-BGP session (there is no `mpls ldp neighbor ... password` and no `neighbor ... password`), and the vty lines carry `login` without any password set; they are not meant to be copied into production unchanged.
r1#sh run
Building configuration...
Current configuration : 966 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
!
ip cef
!
!
interface Loopback0
 ip address 10.10.10.10 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!        
interface Ethernet1/0
 ip address 172.16.1.1 255.255.0.0
 duplex half
!
interface Ethernet1/1
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/2
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/3
 no ip address
 shutdown
 duplex half
!
router ospf 1
 log-adjacency-changes
 network 10.10.10.10 0.0.0.0 area 0
 network 172.16.1.1 0.0.0.0 area 0
!
ip classless
no ip http server
no ip http secure-server
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
!
!
end
r1# 
r1#
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
r2#
r2#sh run
Building configuration...
Current configuration : 1860 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
!
ip vrf 12
 rd 12:12
 route-target export 12:12
 route-target import 56:56
!
ip cef
mpls label range 200 299
mpls label protocol ldp
tag-switching tdp router-id Loopback1
!
!        
interface Loopback0
 ip vrf forwarding 12
 ip address 20.20.20.20 255.255.255.255
!
interface Loopback1
 ip address 22.22.22.22 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/0
 ip vrf forwarding 12
 ip address 172.16.2.2 255.255.0.0
 duplex half
!
interface Ethernet1/1
 ip address 10.2.2.2 255.255.255.0
 duplex half
 tag-switching ip
!
interface Ethernet1/2
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/3
 no ip address
 shutdown
 duplex half
!
router ospf 2 vrf 12
 log-adjacency-changes
 redistribute bgp 200 subnets
 network 20.20.20.20 0.0.0.0 area 0
 network 172.16.2.2 0.0.0.0 area 0
!
router ospf 22
 log-adjacency-changes
 network 10.2.2.2 0.0.0.0 area 0
 network 22.22.22.22 0.0.0.0 area 0
!
router bgp 200
 bgp router-id 22.22.22.22
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 50.50.50.50 remote-as 200
 neighbor 50.50.50.50 update-source Loopback1
 !
 address-family vpnv4
 neighbor 50.50.50.50 activate
 neighbor 50.50.50.50 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf 12
 redistribute ospf 2 match internal external 1 external 2
 no auto-summary
 no synchronization
 exit-address-family
!
ip classless
no ip http server
no ip http secure-server
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
!
!
end
r2#
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
r3#
r3#sh run
Building configuration...
Current configuration : 1130 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
!
ip cef
mpls label range 300 399
mpls label protocol ldp
tag-switching tdp router-id Loopback0
!
!
interface Loopback0
 ip address 30.30.30.30 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/0
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/1
 ip address 10.2.2.3 255.255.255.0
 duplex half
 tag-switching ip
!
interface Ethernet1/2
 ip address 10.3.3.3 255.255.255.0
 duplex half
 tag-switching ip
!
interface Ethernet1/3
 no ip address
 shutdown
 duplex half
!        
router ospf 3
 log-adjacency-changes
 network 10.2.2.3 0.0.0.0 area 0
 network 10.3.3.3 0.0.0.0 area 0
 network 30.30.30.30 0.0.0.0 area 0
!
ip classless
no ip http server
no ip http secure-server
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
!
!
end
r3#
r3#
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
r4#
r4#sh run
Building configuration...
Current configuration : 1130 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r4
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
!
ip cef
mpls label range 400 499
mpls label protocol ldp
tag-switching tdp router-id Loopback0
!
!
interface Loopback0
 ip address 40.40.40.40 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/0
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/1
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/2
 ip address 10.3.3.4 255.255.255.0
 duplex half
 tag-switching ip
!
interface Ethernet1/3
 ip address 10.4.4.4 255.255.255.0
 duplex half
 tag-switching ip
!        
router ospf 4
 log-adjacency-changes
 network 10.3.3.4 0.0.0.0 area 0
 network 10.4.4.4 0.0.0.0 area 0
 network 40.40.40.40 0.0.0.0 area 0
!
ip classless
no ip http server
no ip http secure-server
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
!
!
end
r4# 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
r5#
r5#sh run
Building configuration...
Current configuration : 1860 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r5
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
!
ip vrf 56
 rd 56:56
 route-target export 56:56
 route-target import 12:12
!
ip cef
mpls label range 500 599
mpls label protocol ldp
tag-switching tdp router-id Loopback0
!
!        
interface Loopback0
 ip address 50.50.50.50 255.255.255.255
!
interface Loopback1
 ip vrf forwarding 56
 ip address 55.55.55.55 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/0
 ip vrf forwarding 56
 ip address 172.17.5.5 255.255.0.0
 duplex half
!
interface Ethernet1/1
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/2
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/3
 ip address 10.4.4.5 255.255.255.0
 duplex half
 tag-switching ip
!
router ospf 55
 log-adjacency-changes
 network 10.4.4.5 0.0.0.0 area 0
 network 50.50.50.50 0.0.0.0 area 0
!
router ospf 5 vrf 56
 log-adjacency-changes
 redistribute bgp 200 subnets
 network 55.55.55.55 0.0.0.0 area 0
 network 172.17.5.5 0.0.0.0 area 0
!
router bgp 200
 bgp router-id 50.50.50.50
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 22.22.22.22 remote-as 200
 neighbor 22.22.22.22 update-source Loopback0
 !
 address-family vpnv4
 neighbor 22.22.22.22 activate
 neighbor 22.22.22.22 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf 56
 redistribute ospf 5 match internal external 1 external 2
 no auto-summary
 no synchronization
 exit-address-family
!
ip classless
no ip http server
no ip http secure-server
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
!
!
end
r5#
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
r6#
r6#sh run
Building configuration...
Current configuration : 938 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r6
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
ip cef
!
interface Loopback0
 ip address 6.6.6.6 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/0
 ip address 172.17.6.6 255.255.0.0
 duplex half
!
interface Ethernet1/1
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/2
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/3
 no ip address
 shutdown
 duplex half
!
router ospf 6
 log-adjacency-changes
 network 6.6.6.6 0.0.0.0 area 0
 network 172.17.6.6 0.0.0.0 area 0
!        
ip classless
no ip http server
no ip http secure-server
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login   
!
!
end
r6#
Let us first look at the important parts of the Border1 (PE1, r2) configuration.
(1) VRF configuration
ip vrf 12
 rd 12:12
 route-target export 12:12
 route-target import 56:56
interface Loopback0
 ip vrf forwarding 12
 ip address 20.20.20.20 255.255.255.255
!
interface Ethernet1/0
 ip vrf forwarding 12
 ip address 172.16.2.2 255.255.0.0
 duplex half
Interfaces that belong to the VRF must be bound to it with `ip vrf forwarding`, and everyday operations must name the VRF as well, e.g. `sh ip route vrf 12`, `ping vrf 12 6.6.6.6`, `sh ip cef vrf 12`; without the `vrf` keyword these commands act on the global table, where the customer prefixes do not exist.
(2) The RD and RT concepts
The route distinguisher (RD) exists to tell apart identical prefixes that different CEs hand to the PE. Between a CE and the PE's VRF the routes are ordinary IPv4 routes; when the PE advertises them into MP-BGP, the 64-bit RD is prepended to the 32-bit IPv4 prefix to form a 96-bit VPNv4 prefix (12:12:10.10.10.10/32 in the output below), so overlapping customer prefixes stay distinct in the provider's BGP table. The RD therefore only has to be unique per VRF and carries no policy of its own.
The route target (RT) has two directions, export and import, and it is what controls which routes go where. Export: when a VRF route is advertised into the ipv4 vrf / VPNv4 address families, the VRF's export RTs are attached to the update. Import: a VPNv4 route learned from an MP-BGP peer is installed into a VRF only if at least one of its RTs matches that VRF's import RTs. The RT travels as a BGP extended community, which is why the neighbours are configured with `send-community extended`. In this lab VRF 12 exports 12:12 and imports 56:56 while VRF 56 exports 56:56 and imports 12:12, so the routes listed below under RD 56:56 also appear in VRF 12's own table.
r2#sh ip bgp vpnv4 rd 12:12 10.10.10.10
BGP routing table entry for 12:12:10.10.10.10/32, version 8
Paths: (1 available, best #1, table 12)
  Advertised to non peer-group peers:
  50.50.50.50
  Local
    172.16.1.1 from 0.0.0.0 (22.22.22.22)
      Origin incomplete, metric 11, localpref 100, weight 32768, valid, sourced, best
      Extended Community: RT:12:12 OSPF DOMAIN ID:0x0005:0x000000020200 OSPF RT:0.0.0.0:2:0 OSPF ROUTER ID:20.20.20.20:512,
      mpls labels in/out 205/nolabel
r2#
r2#sh ip bgp vpnv4 *
BGP table version is 13, local router ID is 22.22.22.22
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 12:12 (default for vrf 12)
*>i6.6.6.6/32       50.50.50.50             11    100      0 ?
*> 10.10.10.10/32   172.16.1.1              11         32768 ?
*> 20.20.20.20/32   0.0.0.0                  0         32768 ?
*>i55.55.55.55/32   50.50.50.50              0    100      0 ?
*> 172.16.0.0       0.0.0.0                  0         32768 ?
*>i172.17.0.0       50.50.50.50              0    100      0 ?
Route Distinguisher: 56:56
*>i6.6.6.6/32       50.50.50.50             11    100      0 ?
*>i55.55.55.55/32   50.50.50.50              0    100      0 ?
*>i172.17.0.0       50.50.50.50              0    100      0 ?
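The encoding behind the output above, as an added worked example that is not code from the original article: it builds the MP-BGP representation (RD-prefixed NLRI with its VPN label, plus RT extended communities) of the routes shown in `show ip bgp vpnv4`, and applies the import/export rules from the r2 (vrf 12) and r5 (vrf 56) configurations. The RDs, RTs, labels and next hops are the ones on the page; the third VRF with RT 99:99 is constructed only to show a route being refused.

```python
"""VPNv4 route encoding and route-target import/export (added example, not
from the original article). Values for vrf 12 / vrf 56 come from the r2 and
r5 configurations and the 'show ip bgp vpnv4' outputs; VRF 99 is constructed."""
import ipaddress
import struct
from dataclasses import dataclass, field


def encode_rd(asn: int, number: int) -> bytes:
    """Type-0 route distinguisher (RFC 4364 4.2): type(2) | ASN(2) | number(4)."""
    return struct.pack("!HHI", 0, asn, number)


def decode_rd(raw: bytes) -> str:
    rd_type, asn, number = struct.unpack("!HHI", raw)
    if rd_type != 0:
        raise ValueError("only type-0 (ASN:nn) RDs are handled here")
    return f"{asn}:{number}"


def encode_rt(asn: int, number: int) -> bytes:
    """Route-target extended community: transitive two-octet-AS specific,
    type 0x00 / sub-type 0x02 (RFC 4360 3.1, RFC 4364 4.3.1)."""
    return struct.pack("!BBHI", 0x00, 0x02, asn, number)


def decode_rt(raw: bytes) -> str:
    high, low, asn, number = struct.unpack("!BBHI", raw)
    if (high, low) != (0x00, 0x02):
        raise ValueError("not a two-octet-AS route target")
    return f"{asn}:{number}"


def encode_vpnv4_nlri(label: int, rd: bytes, prefix: str) -> bytes:
    """Labeled VPN-IPv4 NLRI (RFC 3107 + RFC 4364 4.3.4):
    length-in-bits(1) | label(3: 20-bit label, EXP=0, S=1) | RD(8) | prefix octets."""
    net = ipaddress.ip_network(prefix, strict=False)
    plen = net.prefixlen
    label_field = ((label << 4) | 0x1).to_bytes(3, "big")  # bottom-of-stack bit set
    octets = net.network_address.packed[: (plen + 7) // 8]
    return bytes([24 + 64 + plen]) + label_field + rd + octets


def decode_vpnv4_nlri(raw: bytes):
    """Inverse of encode_vpnv4_nlri: returns (label, 'asn:nn', 'a.b.c.d/len')."""
    plen = raw[0] - 24 - 64
    label = int.from_bytes(raw[1:4], "big") >> 4
    rd = decode_rd(raw[4:12])
    octets = raw[12:12 + (plen + 7) // 8]
    addr = ipaddress.IPv4Address(octets.ljust(4, b"\x00"))
    return label, rd, f"{addr}/{plen}"


@dataclass
class Vrf:
    name: str
    rd: str
    export_rt: frozenset
    import_rt: frozenset
    table: dict = field(default_factory=dict)  # prefix -> (rd, vpn label, next hop)


def export_route(vrf: Vrf, prefix: str, label: int, next_hop: str):
    """What a PE advertises into MP-BGP VPNv4 for one VRF route: the NLRI
    (RD:prefix with its VPN label) plus one RT extended community per export RT."""
    rd = encode_rd(*(int(x) for x in vrf.rd.split(":")))
    nlri = encode_vpnv4_nlri(label, rd, prefix)
    ext_comms = [encode_rt(*(int(x) for x in rt.split(":"))) for rt in sorted(vrf.export_rt)]
    return nlri, ext_comms, next_hop


def import_route(vrf: Vrf, nlri: bytes, ext_comms: list, next_hop: str) -> bool:
    """A received VPNv4 route enters a VRF only if at least one RT on it matches
    the VRF's import RTs; the RD plays no part in this decision."""
    if not ({decode_rt(c) for c in ext_comms} & vrf.import_rt):
        return False
    label, rd, prefix = decode_vpnv4_nlri(nlri)
    vrf.table[prefix] = (rd, label, next_hop)
    return True


def demo():
    """Replays the exchange between Border1 (vrf 12) and Border2 (vrf 56)."""
    vrf12 = Vrf("12", "12:12", frozenset({"12:12"}), frozenset({"56:56"}))
    vrf56 = Vrf("56", "56:56", frozenset({"56:56"}), frozenset({"12:12"}))
    # Border1 exports CE1's loopback with VPN label 205 ('mpls labels in/out 205/nolabel').
    accepted_by_56 = import_route(vrf56, *export_route(vrf12, "10.10.10.10/32", 205, "22.22.22.22"))
    # Border2 exports CE2's loopback with VPN label 505 ('nolabel/505' on Border1).
    accepted_by_12 = import_route(vrf12, *export_route(vrf56, "6.6.6.6/32", 505, "50.50.50.50"))
    # A VRF with unrelated RTs (constructed for this example) must see nothing.
    other = Vrf("99", "99:99", frozenset({"99:99"}), frozenset({"99:99"}))
    leaked = import_route(other, *export_route(vrf56, "6.6.6.6/32", 505, "50.50.50.50"))
    return accepted_by_56, accepted_by_12, leaked, vrf12.table, vrf56.table


if __name__ == "__main__":
    print(demo())
```

The import check is the whole isolation model of MPLS VPN: a PE that is tricked into importing a foreign RT (or a VRF misconfigured with a too-broad `route-target import`) silently merges another customer's routes, which is why RT assignments deserve the same review as firewall rules.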
(3) MP-BGP VPNv4 assigns a label to each BGP route
Core1 and Core2 do not run BGP. By penultimate-hop popping, Core2 pops the LDP/TDP label from a packet destined for IPS2 (whose routes VRF 56 redistributes into the MP-BGP ipv4 vrf address family) and sends it to Border2. How can Border2 then tell which VRF and which CE the packet belongs to? (Consider several CEs with overlapping routes: the destination IP alone is ambiguous.)
In the actual implementation this is done with the label MP-BGP allocates for each BGP VPN route. A packet crossing Core1 and Core2 therefore carries two labels: the top one is the LDP/TDP label for the BGP next hop (the egress PE loopback), the bottom one is the label MP-BGP allocated, which only the egress PE examines.
The benefit is that Core1 and Core2 need no VPN routing state and no large label space, only labels for the IGP prefixes; the extra memory and computation is concentrated on the edge routers (PEs).
r2#show mpls ldp bindings    
  tib entry: 10.2.2.0/24, rev 2
        local binding:  tag: imp-null
        remote binding: tsr: 30.30.30.30:0, tag: imp-null
  tib entry: 10.3.3.0/24, rev 6
        local binding:  tag: 200
        remote binding: tsr: 30.30.30.30:0, tag: imp-null
  tib entry: 10.4.4.0/24, rev 8
        local binding:  tag: 201
        remote binding: tsr: 30.30.30.30:0, tag: 300
  tib entry: 22.22.22.22/32, rev 4
        local binding:  tag: imp-null
        remote binding: tsr: 30.30.30.30:0, tag: 303
  tib entry: 30.30.30.30/32, rev 10
        local binding:  tag: 202
        remote binding: tsr: 30.30.30.30:0, tag: imp-null
  tib entry: 40.40.40.40/32, rev 12
        local binding:  tag: 203
        remote binding: tsr: 30.30.30.30:0, tag: 301
  tib entry: 50.50.50.50/32, rev 14
        local binding:  tag: 204
        remote binding: tsr: 30.30.30.30:0, tag: 302
r2#
r2#show ip bgp vpnv4 rd 12:12 labels
   Network          Next Hop      In label/Out label
Route Distinguisher: 12:12 (12)
   6.6.6.6/32       50.50.50.50     nolabel/505
   10.10.10.10/32   172.16.1.1      205/nolabel
   20.20.20.20/32   0.0.0.0         206/aggregate(12)
   55.55.55.55/32   50.50.50.50     nolabel/506
   172.16.0.0       0.0.0.0         207/aggregate(12)
   172.17.0.0       50.50.50.50     nolabel/507
(4) The CEF table
A packet arriving from the CE at the PE is a plain IP packet and is looked up in the VRF's CEF table. Because the VPN label learned through MP-BGP and the LDP label for the BGP next hop are both resolved into that CEF entry (the label information is fed back into the forwarding table), the lookup results directly in a two-label push and forward.
r2#show ip cef vrf 12 detail
IP CEF with switching (Table Version 21), flags=0x0
  15 routes, 0 reresolve, 0 unresolved (0 old, 0 new), peak 0
  6 instant recursive resolutions, 0 used background process
  31 leaves, 51 nodes, 55336 bytes, 52 inserts, 21 invalidations
  0 load sharing elements, 0 bytes, 0 references
  universal per-destination load sharing algorithm, id 0FDE3D1C
  3(0) CEF resets, 0 revisions of existing leaves
  Resolution Timer: Exponential (currently 1s, peak 1s)
  0 in-place/0 aborted modifications
  refcounts:  13577 leaf, 13568 node
  Table epoch: 0 (15 entries at this epoch)
Adjacency Table has 3 adjacencies
0.0.0.0/0, version 0, epoch 0, attached, default route handler
0 packets, 0 bytes
  via 0.0.0.0, 0 dependencies
    valid no route adjacency
0.0.0.0/32, version 1, epoch 0, receive
6.6.6.6/32, version 18, epoch 0, cached adjacency 10.2.2.3
0 packets, 0 bytes
  tag information set
    local tag: VPN-route-head
    fast tag rewrite with Et1/1, 10.2.2.3, tags imposed: {302 505}
  via 50.50.50.50, 0 dependencies, recursive
    next hop 10.2.2.3, Ethernet1/1 via 50.50.50.50/32
    valid cached adjacency
    tag rewrite with Et1/1, 10.2.2.3, tags imposed: {302 505}
10.10.10.10/32, version 14, epoch 0, cached adjacency 172.16.1.1
0 packets, 0 bytes
  tag information set
    local tag: 205
  via 172.16.1.1, Ethernet1/0, 0 dependencies
    next hop 172.16.1.1, Ethernet1/0
    valid cached adjacency
    tag rewrite with Et1/0, 172.16.1.1, tags imposed: {}
20.20.20.20/32, version 10, epoch 0, connected, receive
  tag information set
    local tag: 206
55.55.55.55/32, version 19, epoch 0, cached adjacency 10.2.2.3
0 packets, 0 bytes
  tag information set
    local tag: VPN-route-head
    fast tag rewrite with Et1/1, 10.2.2.3, tags imposed: {302 506}
  via 50.50.50.50, 0 dependencies, recursive
    next hop 10.2.2.3, Ethernet1/1 via 50.50.50.50/32
    valid cached adjacency
    tag rewrite with Et1/1, 10.2.2.3, tags imposed: {302 506}
172.16.0.0/16, version 5, epoch 0, attached, connected
0 packets, 0 bytes
  tag information set
    local tag: 207
  via Ethernet1/0, 0 dependencies
    valid glean adjacency
    tag rewrite with , , tags imposed: {}
172.16.0.0/32, version 8, epoch 0, receive
172.16.1.1/32, version 13, epoch 0, connected, cached adjacency 172.16.1.1
0 packets, 0 bytes
  via 172.16.1.1, Ethernet1/0, 0 dependencies
    next hop 172.16.1.1, Ethernet1/0
    valid cached adjacency
172.16.2.2/32, version 7, epoch 0, receive
172.16.255.255/32, version 9, epoch 0, receive
172.17.0.0/16, version 20, epoch 0, cached adjacency 10.2.2.3
0 packets, 0 bytes
  tag information set
    local tag: VPN-route-head
    fast tag rewrite with Et1/1, 10.2.2.3, tags imposed: {302 507}
  via 50.50.50.50, 0 dependencies, recursive
    next hop 10.2.2.3, Ethernet1/1 via 50.50.50.50/32
    valid cached adjacency
    tag rewrite with Et1/1, 10.2.2.3, tags imposed: {302 507}
224.0.0.0/4, version 12, epoch 0
0 packets, 0 bytes, Precedence routine (0)
  via 0.0.0.0, 0 dependencies
    next hop 0.0.0.0
    valid drop adjacency
224.0.0.0/24, version 3, epoch 0, receive
255.255.255.255/32, version 2, epoch 0, receive
r2#
The output shows that traffic from CE1 to CE2's loopback 6.6.6.6 is sent with two labels pushed. The top label, 302, is the one LDP assigned for the BGP next hop 50.50.50.50/32 (Core1's `remote binding` for that prefix above); the VPN route simply borrows the LDP LSP to its iBGP next hop. The bottom label, 505, is the one MP-BGP allocated on Border2 for 6.6.6.6/32 (`nolabel/505` in the labels output) and is only used for forwarding on that PE.

The bottom (MP-BGP) label is allocated per route that the CE passed on, so every VPN route has a different bottom label (205, 206, 207 on Border1; 505, 506, 507 on Border2). This seems odd at first: why not allocate one label per RD, so that every route learned in the same VRF shares it? The difference is what the egress PE must do on receipt. With a per-prefix label the PE can forward on the label alone, with no IP lookup in the VRF; with one label per VRF it has to pop the label and then perform an IP lookup in that VRF's table. The `aggregate(12)` entries above are exactly that second case: for the connected routes 20.20.20.20/32 and 172.16.0.0, Border1 advertises an aggregate label because an IP lookup in VRF 12 is needed anyway to resolve the outgoing adjacency. Per-prefix allocation spends label space to save that lookup; later IOS releases also make per-VRF allocation available as a configurable label mode.
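The two-label forwarding described in sections (3) and (4), as an added example that is not code from the original article: it encodes the label stack Border1 imposes for 6.6.6.6/32, walks it through Core1 and Core2, and shows that after penultimate-hop popping only the VPN label reaches Border2. The labels 302 and 505 are the ones visible on Border1 above; Core1's and Core2's own LFIB entries are not shown on the page, so the per-hop tables (including the label 402 from Core2's 400-499 range) are constructed for the example.

```python
"""MPLS label stack imposition, swap and penultimate-hop popping (added example,
not from the original article). Real values: LDP label 302 (Core1's binding for
the BGP next hop 50.50.50.50/32) and VPN label 505 (Border2's label for
6.6.6.6/32). The core LFIBs below, including label 402, are constructed."""
import struct

IMPLICIT_NULL = 3  # 'imp-null' in show mpls ldp bindings: the upstream neighbour pops


def encode_label_entry(label: int, exp: int = 0, bos: bool = False, ttl: int = 255) -> bytes:
    """One 32-bit label stack entry (RFC 3032): label(20) | EXP(3) | S(1) | TTL(8)."""
    if not 0 <= label < 1 << 20:
        raise ValueError("label out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bos) << 8) | ttl)


def decode_label_entry(raw: bytes) -> dict:
    (v,) = struct.unpack("!I", raw[:4])
    return {"label": v >> 12, "exp": (v >> 9) & 0x7, "bos": bool(v & 0x100), "ttl": v & 0xFF}


def impose(labels: list, payload: bytes, ttl: int = 255) -> bytes:
    """Ingress PE behaviour for 'tags imposed: {302 505}': push outer-first;
    only the innermost (VPN) label carries S=1."""
    stack = b"".join(
        encode_label_entry(lbl, bos=(i == len(labels) - 1), ttl=ttl)
        for i, lbl in enumerate(labels)
    )
    return stack + payload


def parse_stack(pkt: bytes):
    """Read entries until the bottom-of-stack bit; return (labels, payload)."""
    labels, off = [], 0
    while True:
        e = decode_label_entry(pkt[off:off + 4])
        labels.append(e["label"])
        off += 4
        if e["bos"]:
            return labels, pkt[off:]


def lsr_forward(pkt: bytes, lfib: dict) -> bytes:
    """One P-router hop: look up only the top label. Swap it, or pop it when the
    downstream binding is implicit-null (PHP); the VPN label underneath is never
    examined in the core."""
    top = decode_label_entry(pkt)
    out = lfib[top["label"]]  # KeyError would mean no LSP: the packet is dropped
    rest = pkt[4:]
    if out == IMPLICIT_NULL:
        return rest
    return encode_label_entry(out, top["exp"], top["bos"], top["ttl"] - 1) + rest


def walk_core(pkt: bytes, hops: list):
    """Pass the packet through each core LFIB in turn; return what the egress PE sees."""
    for lfib in hops:
        pkt = lsr_forward(pkt, lfib)
    return parse_stack(pkt)


def demo():
    ip_payload = b"constructed IP packet from 10.10.10.10 to 6.6.6.6"
    pkt = impose([302, 505], ip_payload)  # Border1, from the CEF entry for 6.6.6.6/32
    core1 = {302: 402}                     # Core1: 402 is a constructed label from Core2's range
    core2 = {402: IMPLICIT_NULL}           # Core2: Border2 advertises imp-null for its own loopback
    labels_at_border2, payload = walk_core(pkt, [core1, core2])
    return labels_at_border2, payload == ip_payload


if __name__ == "__main__":
    print(demo())  # ([505], True): only the VPN label reaches Border2
```

The model makes the security property of the design concrete: the core never reads past the top label, so the VPN label is interpreted only by the PE that allocated it, and any packet that arrives at Border2 with a label it never advertised has no LFIB entry and is dropped.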
