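Hello everyone! I'm Yi Bodong (艺博东), a network engineer who started out with Cisco and now focuses on Huawei. Without further ado, let's get straight to the topic.
1. Topology without RR
2. Basic configuration and testing without RR
2.1 Underlay configuration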
AR1
[Huawei]sysname AR1
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]ip address 10.1.13.1 24
[AR1-GigabitEthernet0/0/0]int l0
[AR1-LoopBack0]ip address 1.1.1.1 32
AR2
[Huawei]sysname AR2
[AR2]int g0/0/0
[AR2-GigabitEthernet0/0/0]ip address 10.1.23.2 24
[AR2-GigabitEthernet0/0/0]int l0
[AR2-LoopBack0]ip address 2.2.2.2 32
AR3
[Huawei]sysname AR3
[AR3]int g0/0/0
[AR3-GigabitEthernet0/0/0]ip address 10.1.13.3 24
[AR3-GigabitEthernet0/0/0]int g0/0/1
[AR3-GigabitEthernet0/0/1]ip address 10.1.23.3 24
[AR3-GigabitEthernet0/0/1]int g0/0/2
[AR3-GigabitEthernet0/0/2]ip address 10.1.34.3 24
[AR3-GigabitEthernet0/0/2]int l0
[AR3-LoopBack0]ip address 3.3.3.3 32
[AR3-LoopBack0]q
[AR3]rip
[AR3-rip-1]v 2
[AR3-rip-1]network 10.0.0.0
[AR3-rip-1]network 3.0.0.0
AR4
[Huawei]sysname AR4
[AR4]int g0/0/0
[AR4-GigabitEthernet0/0/0]ip address 10.1.34.4 24
[AR4-GigabitEthernet0/0/0]int g0/0/1
[AR4-GigabitEthernet0/0/1]ip address 10.1.45.4 24
[AR4-GigabitEthernet0/0/1]int l0
[AR4-LoopBack0]ip address 4.4.4.4 32
[AR4-LoopBack0]q
[AR4]rip
[AR4-rip-1]v 2
[AR4-rip-1]network 10.0.0.0
[AR4-rip-1]network 4.0.0.0
AR5
[Huawei]sysname AR5
[AR5]int g0/0/0
[AR5-GigabitEthernet0/0/0]ip address 10.1.45.5 24
[AR5-GigabitEthernet0/0/0]int g0/0/1
[AR5-GigabitEthernet0/0/1]ip address 10.1.56.5 24
[AR5-GigabitEthernet0/0/1]int l0
[AR5-LoopBack0]ip address 5.5.5.5 32
[AR5-LoopBack0]q
[AR5]rip
[AR5-rip-1]v 2
[AR5-rip-1]undo summary
[AR5-rip-1]network 10.0.0.0
[AR5-rip-1]network 5.0.0.0
[AR5-rip-1]q
[AR5]int g0/0/1
[AR5-GigabitEthernet0/0/1]undo rip output
[AR5-GigabitEthernet0/0/1]undo rip input
The underlay configuration of AR6, AR7, AR8, AR9 and AR10 is similar.
2.2 MPLS LDP
AR3
[AR3]mpls lsr-id 3.3.3.3
[AR3]mpls
[AR3-mpls]mpls ldp
[AR3-mpls-ldp]int g0/0/2
[AR3-GigabitEthernet0/0/2]mpls
[AR3-GigabitEthernet0/0/2]mpls ldp
AR4
[AR4]mpls lsr-id 4.4.4.4
[AR4]mpls
[AR4-mpls]mpls ldp
[AR4-mpls-ldp]int g0/0/0
[AR4-GigabitEthernet0/0/0]mpls
[AR4-GigabitEthernet0/0/0]mpls ldp
[AR4-GigabitEthernet0/0/0]int g0/0/1
[AR4-GigabitEthernet0/0/1]mpls
[AR4-GigabitEthernet0/0/1]mpls ldp
AR5
[AR5]mpls lsr-id 5.5.5.5
[AR5]mpls
[AR5-mpls]mpls ldp
[AR5-mpls-ldp]int g0/0/0
[AR5-GigabitEthernet0/0/0]mpls
[AR5-GigabitEthernet0/0/0]mpls ldp
[AR5-GigabitEthernet0/0/0]int g0/0/1
[AR5-GigabitEthernet0/0/1]mpls
2.4 Establish MP-IBGP between AR3 and AR5 and between AR6 and AR8; establish MP-EBGP between AR5 and AR6; establish an EBGP VPNv4 neighbor relationship between AR3 and AR8; configure the label capability.
AR3
[AR3]bgp 10
[AR3-bgp]peer 5.5.5.5 as-number 10
[AR3-bgp]peer 5.5.5.5 connect-interface LoopBack0
[AR3-bgp]peer 8.8.8.8 as-number 20
[AR3-bgp]peer 8.8.8.8 ebgp-max-hop 66
[AR3-bgp]peer 8.8.8.8 connect-interface LoopBack0
[AR3-bgp]ipv4-family vpnv4
[AR3-bgp-af-vpnv4]peer 8.8.8.8 enable
AR5
[AR5]route-policy asbr permit node 10
[AR5-route-policy]apply mpls-label
[AR5-route-policy]q
[AR5]bgp 10
[AR5-bgp]peer 3.3.3.3 as-number 10
[AR5-bgp]peer 3.3.3.3 connect-interface LoopBack0
[AR5-bgp]peer 10.1.56.6 as-number 20
[AR5-bgp]network 3.3.3.3 255.255.255.255
[AR5-bgp]peer 10.1.56.6 route-policy asbr export
[AR5-bgp]peer 10.1.56.6 label-route-capability
[AR5-bgp]q
[AR5]mpls
[AR5-mpls]lsp-trigger bgp-label-route //enables LDP to allocate labels for labeled public-network BGP routes
[AR5-mpls]quit
[AR5]rip
[AR5-rip-1]import-route bgp
AR6
[AR6]route-policy asbr permit node 10
[AR6-route-policy]apply mpls-label
[AR6-route-policy]q
[AR6]bgp 20
[AR6-bgp]peer 8.8.8.8 as-number 20
[AR6-bgp]peer 8.8.8.8 connect-interface LoopBack0
[AR6-bgp]peer 10.1.56.5 as-number 10
[AR6-bgp]network 8.8.8.8 255.255.255.255
[AR6-bgp]peer 10.1.56.5 route-policy asbr export
[AR6-bgp]peer 10.1.56.5 label-route-capability
[AR6-bgp]q
[AR6]mpls
[AR6-mpls]lsp-trigger bgp-label-route
[AR6-mpls]quit
[AR6]rip
[AR6-rip-1]import-route bgp
AR8
[AR8]bgp 20
[AR8-bgp]peer 3.3.3.3 as-number 10
[AR8-bgp]peer 3.3.3.3 ebgp-max-hop 66
[AR8-bgp]peer 3.3.3.3 connect-interface LoopBack0
[AR8-bgp]peer 6.6.6.6 as-number 20
[AR8-bgp]peer 6.6.6.6 connect-interface LoopBack0
[AR8-bgp]ipv4-family vpnv4
[AR8-bgp-af-vpnv4]peer 3.3.3.3 enable
2.5 Testing
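[AR3]display bgp peer
[AR6]display bgp peer
[AR8]display mpls lsp
AR8 already has a label for AR3's 3.3.3.3.
[AR8]ping -a 8.8.8.8 3.3.3.3
2.6 MPLS VPN service access
With the public network configured, the next step is to configure Company B and Company D so that they can reach each other.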
AR3
[AR3]ip vpn-instance ybd2
[AR3-vpn-instance-ybd2]route-distinguisher 10:1
[AR3-vpn-instance-ybd2-af-ipv4]vpn-target 10:1 both
[AR3-vpn-instance-ybd2-af-ipv4]int g0/0/1
[AR3-GigabitEthernet0/0/1]ip binding vpn-instance ybd2
[AR3-GigabitEthernet0/0/1]ip address 10.1.23.3 24
[AR3-GigabitEthernet0/0/1]bgp 10
[AR3-bgp]peer 10.1.23.2 as 1
[AR3-bgp]ipv4-family vpn-instance ybd2
[AR3-bgp-ybd2]peer 10.1.23.2 as 1
[AR3-bgp-ybd2]peer 10.1.23.2 substitute-as //disguises (substitutes) the AS number
AR2
[AR2]bgp 1
[AR2-bgp]peer 10.1.23.3 as 10
[AR2-bgp]network 2.2.2.2 32
AR8
[AR8]ip vpn-instance ybd6
[AR8-vpn-instance-ybd6]route-distinguisher 10:1
[AR8-vpn-instance-ybd6-af-ipv4]vpn-target 10:1 both
[AR8-vpn-instance-ybd6-af-ipv4]int g0/0/2
[AR8-GigabitEthernet0/0/2]ip binding vpn-instance ybd6
[AR8-GigabitEthernet0/0/2]ip address 10.1.81.8 24
[AR8-GigabitEthernet0/0/2]bgp 20
[AR8-bgp]ipv4-family vpn-instance ybd6
[AR8-bgp-ybd6]peer 10.1.81.10 as 1
[AR8-bgp-ybd6]peer 10.1.81.10 substitute-as
AR10
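[AR10]bgp 1
[AR10-bgp]peer 10.1.81.8 as 20
[AR10-bgp]network 10.10.10.10 32
[AR10]display ip routing-table protocol bgp
[AR2]ping -a 2.2.2.2 10.10.10.10
Company B (2.2.2.2) accesses Company D (10.10.10.10)
The IPv4 route on AR2 is passed to AR3
[AR2]dis ip routing-table 10.10.10.10
Encapsulated as:
Looking up the route to 10.10.10.10, the next hop is 10.1.23.3.
The relevant route is then looked up in the routing table of instance ybd2, which is bound to AR3's interface G0/0/0.
[AR3]display ip routing-table vpn-instance ybd2 10.10.10.10
The next hop is 8.8.8.8.
[AR3]display bgp vpnv4 vpn-instance ybd2 routing-table 10.10.10.10
The private-network label is 1027. With the label pushed, the packet is encapsulated as:
Next, check the public-network label.
[AR3]display mpls lsp
The public-network label is 1026. With the label pushed, the packet is encapsulated as:
The packet leaves through interface G0/0/2.
[AR4]dis mpls lsp
The incoming label is 1026 and the outgoing label is 1027; the packet is sent out of interface G0/0/1.
With the label pushed, the packet is encapsulated as:
[AR5]dis mpls lsp
The incoming label is 1027 and the outgoing label is 1026.
Encapsulated as: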
[AR7]display mpls lsp
The outgoing label for 8.8.8.8 is 3, so the top label is popped and the packet is sent out of interface G0/0/1.
[AR8]dis mpls lsp
[AR8]dis bgp vpnv4 vpn-instance ybd6 routing-table
The next hop is 10.1.81.10.
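The label operations traced in section 2.6, replayed hop by hop as an added example (not part of the original article). The private label and the AR3, AR4, AR5 and AR7 entries use the values quoted in the walk-through; AR6's outgoing label 1030 is a constructed placeholder because the page does not show it, and the table and function names are illustrative.

```python
IMPLICIT_NULL = 3  # reserved label: the penultimate hop pops instead of swapping

# Ingress PE AR3, values from the page: VPN route -> (private label, BGP next
# hop), and the tunnel to that next hop -> (public label, next router).
VPN_ROUTES = {"10.10.10.10": (1027, "8.8.8.8")}
TUNNELS = {"8.8.8.8": (1026, "AR4")}

# Transit LFIBs: in-label -> (out-label, next router). The AR4 and AR5 entries
# and AR7's out-label 3 are from the page; 1030 is a CONSTRUCTED value, because
# the page does not show AR6's out-label (which is AR7's in-label).
LFIB = {
    "AR4": {1026: (1027, "AR5")},
    "AR5": {1027: (1026, "AR6")},
    "AR6": {1026: (1030, "AR7")},
    "AR7": {1030: (IMPLICIT_NULL, "AR8")},
}

# Egress PE AR8: private label -> (VPN instance, CE next hop), from the page.
VPN_LABELS = {1027: ("ybd6", "10.1.81.10")}


def walk(prefix, egress="AR8"):
    """Return ([(router, label stack after that router)], instance, CE next hop)."""
    vpn_label, bgp_next_hop = VPN_ROUTES[prefix]
    public_label, router = TUNNELS[bgp_next_hop]
    stack = [public_label, vpn_label]         # top of stack first
    trace = [("AR3", tuple(stack))]
    while router != egress:
        entry = LFIB.get(router, {}).get(stack[0])
        if entry is None:                     # no LSP for the top label: drop
            raise LookupError(f"{router} has no LFIB entry for label {stack[0]}")
        out_label, next_router = entry
        if out_label == IMPLICIT_NULL:
            stack.pop(0)                      # penultimate-hop popping
        else:
            stack[0] = out_label              # ordinary swap of the top label
        trace.append((router, tuple(stack)))
        router = next_router
    # Only the private label is left; it selects the VPN instance on the egress PE.
    instance, ce_next_hop = VPN_LABELS[stack.pop(0)]
    return trace, instance, ce_next_hop
```

The private label 1027 stays at the bottom of the stack from AR3 to AR8; only the top (public) label is swapped or popped along the way.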
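3. Topology with RR
4. Configuration and analysis
4.1 Overview
(1) Configure the IGP and LDP inside each AS.
(2) Establish an EBGP neighbor relationship between the ASBRs, enable the capability to exchange labeled IPv4 routes, and enable MPLS on the interconnecting interfaces.
(3) On each ASBR, advertise the labeled IPv4 routes of the local PE/RR to the peer ASBR; this is done with a policy that generates labels.
(4) On each ASBR, enable the LSP trigger policy so that LDP LSPs are created for BGP routes.
(5) On each ASBR, import the BGP routes of the PE/RR into the IGP.
(6) Establish MP-IBGP neighbor relationships between the PEs and the RRs to carry VPNv4 routes, and make sure the next hop stays unchanged when a route is passed on to the remote PE.
(7) Establish an MP-EBGP neighbor relationship between the RRs to carry VPNv4 routes, and make sure the next hop stays unchanged when a route is passed on to the remote side.
Purpose: to build an LSP from PE to PE, so that the PEs can establish MP-EBGP and exchange VPNv4 routes.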
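A check for the ASBR steps (2) to (5) of this overview, run against AR5's commands from sections 2.2 and 2.4. This is an added example, not part of the original article; the function names, the regular expressions and the assumption that hostnames contain no hyphen belong to this example, and the transcript is constructed from the commands shown on this page.

```python
import re

# Constructed input: AR5's ASBR commands as typed in sections 2.2 and 2.4.
AR5 = """\
[AR5-GigabitEthernet0/0/1]mpls
[AR5]route-policy asbr permit node 10
[AR5-route-policy]apply mpls-label
[AR5]bgp 10
[AR5-bgp]peer 10.1.56.6 as-number 20
[AR5-bgp]network 3.3.3.3 255.255.255.255
[AR5-bgp]peer 10.1.56.6 route-policy asbr export
[AR5-bgp]peer 10.1.56.6 label-route-capability
[AR5]mpls
[AR5-mpls]lsp-trigger bgp-label-route //LDP labels for labeled BGP routes
[AR5]rip
[AR5-rip-1]import-route bgp
"""
PROMPT = re.compile(r"\[[^\]-]+(?:-([^\]]+))?\](.*)")

def parse(transcript):
    """Yield (view, command); view is '' in the system view, // notes dropped."""
    for line in transcript.splitlines():
        m = PROMPT.fullmatch(line.strip())
        if m:
            yield m.group(1) or "", m.group(2).split("//")[0].strip()

def missing_asbr_steps(transcript, peer, link):
    """Return the section 4.1 ASBR steps (2-5) not found in the transcript."""
    cfg, labelled, current = list(parse(transcript)), set(), None
    for view, cmd in cfg:                      # which policies apply a label?
        m = re.fullmatch(r"route-policy (\S+) permit node \d+", cmd)
        if view == "" and m:
            current = m.group(1)
        elif view == "route-policy" and cmd == "apply mpls-label":
            labelled.add(current)
    exported = {c.split()[3] for v, c in cfg if v == "bgp"
                and re.fullmatch(rf"peer {re.escape(peer)} route-policy \S+ export", c)}
    checks = {
        "2: label-route-capability on EBGP peer":
            ("bgp", f"peer {peer} label-route-capability") in cfg,
        "2: mpls on inter-AS interface": (link, "mpls") in cfg,
        "3: export policy applies mpls-label": bool(exported & labelled),
        "4: lsp-trigger bgp-label-route": ("mpls", "lsp-trigger bgp-label-route") in cfg,
        "5: import-route bgp into IGP": any(
            re.fullmatch(r"(rip|ospf|isis)-\d+", v) and c == "import-route bgp"
            for v, c in cfg),
    }
    return [step for step, ok in checks.items() if not ok]
```

Called as `missing_asbr_steps(AR5, "10.1.56.6", "GigabitEthernet0/0/1")`, it returns an empty list for the configuration on this page and names the step when a command is left out.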
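4.2 Removal
Remove the MP-IBGP neighbor relationship between AR3 and AR5, the MP-IBGP neighbor relationship between AR6 and AR8, and the EBGP VPNv4 neighbor relationship between AR3 and AR8.
4.3 Then establish neighbor relationships between AR4 (RR) and AR3 and between AR7 (RR) and AR8 with the next hop left unchanged, and establish an EBGP VPNv4 neighbor relationship between AR4 and AR7.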
AR3
[AR3]bgp 10
[AR3-bgp]peer 4.4.4.4 as 10
[AR3-bgp]peer 4.4.4.4 connect-interface LoopBack 0
[AR3-bgp]ipv4-family vpnv4
[AR3-bgp-af-vpnv4]peer 4.4.4.4 enable
[AR3-bgp-af-vpnv4]peer 4.4.4.4 next-hop-invariable
AR4
[AR4]bgp 10
[AR4-bgp]peer 3.3.3.3 as 10
[AR4-bgp]peer 3.3.3.3 connect-interface LoopBack 0
[AR4-bgp]ipv4-family vpnv4
[AR4-bgp-af-vpnv4]peer 3.3.3.3 enable
[AR4-bgp-af-vpnv4]peer 3.3.3.3 reflect-client
[AR4-bgp-af-vpnv4]peer 3.3.3.3 next-hop-invariable
[AR4-bgp-af-vpnv4]undo policy vpn-target
[AR4-bgp-af-vpnv4]q
[AR4-bgp]peer 7.7.7.7 as 20
[AR4-bgp]peer 7.7.7.7 connect-interface LoopBack 0
[AR4-bgp]peer 7.7.7.7 ebgp-max-hop 66
[AR4-bgp]ipv4-family vpnv4
[AR4-bgp-af-vpnv4]peer 7.7.7.7 enable
[AR4-bgp-af-vpnv4]peer 7.7.7.7 next-hop-invariable
AR7
[AR7]bgp 20
[AR7-bgp]peer 8.8.8.8 as 20
[AR7-bgp]peer 8.8.8.8 connect-interface LoopBack 0
[AR7-bgp]ipv4-family vpnv4
[AR7-bgp-af-vpnv4]peer 8.8.8.8 enable
[AR7-bgp-af-vpnv4]peer 8.8.8.8 reflect-client
[AR7-bgp-af-vpnv4]peer 8.8.8.8 next-hop-invariable
[AR7-bgp-af-vpnv4]undo policy vpn-target
[AR7-bgp-af-vpnv4]q
[AR7-bgp]peer 4.4.4.4 as 10
[AR7-bgp]peer 4.4.4.4 connect-interface LoopBack 0
[AR7-bgp]peer 4.4.4.4 ebgp-max-hop 66
[AR7-bgp]ipv4-family vpnv4
[AR7-bgp-af-vpnv4]peer 4.4.4.4 enable
[AR7-bgp-af-vpnv4]peer 4.4.4.4 next-hop-invariable
AR8
[AR8]bgp 20
[AR8-bgp]peer 7.7.7.7 as 20
[AR8-bgp]peer 7.7.7.7 connect-interface LoopBack 0
[AR8-bgp]ipv4-family vpnv4
[AR8-bgp-af-vpnv4]peer 7.7.7.7 enable
[AR8-bgp-af-vpnv4]peer 7.7.7.7 next-hop-invariable
4.4 Advertise the RRs' Loopback 0 networks
AR5
[AR5]bgp 10
[AR5-bgp]network 4.4.4.4 32
AR6
[AR6]bgp 20
[AR6-bgp]network 7.7.7.7 32
4.5 Testing
[AR4]dis bgp peer
[AR7]dis bgp peer
4.6 MPLS VPN service access: Company A accesses Company C
AR3
[AR3]ip vpn-instance ybd66
[AR3-vpn-instance-ybd66]route-distinguisher 20:1
[AR3-vpn-instance-ybd66-af-ipv4]vpn-target 20:1 both
[AR3-vpn-instance-ybd66-af-ipv4]int g0/0/0
[AR3-GigabitEthernet0/0/0]ip binding vpn-instance ybd66
[AR3-GigabitEthernet0/0/0]ip address 10.1.13.3 24
[AR3-GigabitEthernet0/0/0]q
[AR3]ospf 1 router-id 3.3.3.3 vpn-instance ybd66
[AR3-ospf-1]a 0
[AR3-ospf-1-area-0.0.0.0]network 10.1.13.3 0.0.0.0
[AR3-ospf-1-area-0.0.0.0]q
[AR3-ospf-1]import-route bgp
[AR3-ospf-1]bgp 10
[AR3-bgp]ipv4-family vpn-instance ybd66
[AR3-bgp-ybd66]import-route ospf 1
AR1
[AR1]ospf 1
[AR1-ospf-1]a 0
[AR1-ospf-1-area-0.0.0.0]network 1.1.1.1 0.0.0.0
[AR1-ospf-1-area-0.0.0.0]network 10.1.13.1 0.0.0.0
AR8
[AR8]ip vpn-instance ybd99
[AR8-vpn-instance-ybd99]route-distinguisher 20:1
[AR8-vpn-instance-ybd99-af-ipv4]vpn-target 20:1 both
[AR8-vpn-instance-ybd99-af-ipv4]int g0/0/1
[AR8-GigabitEthernet0/0/1]ip binding vpn-instance ybd99
[AR8-GigabitEthernet0/0/1]ip address 10.1.89.8 24
[AR8-GigabitEthernet0/0/1]q
[AR8]isis 1 vpn-instance ybd99
[AR8-isis-1]import-route bgp
[AR8-isis-1]network-entity 12.0001.0000.0000.0008.00
[AR8-isis-1]is-level level-2
[AR8-isis-1]int g0/0/1
[AR8-GigabitEthernet0/0/1]isis enable 1
[AR8-GigabitEthernet0/0/1]bgp 20
[AR8-bgp]ipv4-family vpn-instance ybd99
[AR8-bgp-ybd99]import-route isis 1
AR9
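[AR9]isis
[AR9-isis-1]network-entity 12.0001.0000.0000.0009.00
[AR9-isis-1]is-level level-2
[AR9-isis-1]int g0/0/0
[AR9-GigabitEthernet0/0/0]isis enable 1
[AR9]int l0
[AR9-LoopBack0]isis enable
[AR1]dis ip routing-table protocol ospf
[AR9]ping -a 9.9.9.9 1.1.1.1
1031 is the private-network label and 1026 is the public-network label.
[AR3]display bgp vpnv4 vpn-instance ybd66 routing-table 9.9.9.9
OK
5. Characteristics
The advantages and disadvantages of inter-AS VPN Option C2 are the same as those of inter-AS VPN Option C1; only the configuration differs slightly.
Characteristic: the public network forms a framework. When another company joins later, you only need to configure MPLS VPN service access on the PE devices; the public network needs no further configuration.
Important and distinctive configuration: in the MPLS view on the ASBRs, the lsp-trigger bgp-label-route command must be configured, and BGP is imported into RIP (logically, the multiple AS domains then form a single AS domain); AR4 (RR) establishes an MP-IBGP neighbor relationship with AR3, AR (RR) establishes an EBGP VPNv4 neighbor relationship with AR7, and the Loopback 0 networks of the PEs and RRs are advertised into the BGP process.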
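Quote: Diligent study is like a seedling in spring: you do not see it grow, yet it grows a little every day. (Tao Yuanming)
That's all for this issue. If you liked this article, please like, comment, share and bookmark it, and if you also follow me, that really is the greatest encouragement. Thank you all, and see you next time!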
Please credit the source when reposting: Huawei inter-AS VPN Option C2 solution https://www.yhzz.com.cn/a/13132.html