
Hello everyone! I am 艺博东, a network engineer with a Cisco background who now focuses on Huawei. Without further ado, let's get straight to the topic.

I. Topology

[Figure: Huawei inter-AS VPN Option C1 topology]

II. Configuration

(1) Within an AS, LSP label distribution is handled by LDP.
(2) The ASBRs advertise BGP labels for the PE routers' loopback routes.
(3) The PEs exchange the private-network labels of the VPNv4 routes.

1. Underlay configuration

AR1

[Huawei]sysname AR1
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]ip address 10.1.13.1 24
[AR1-GigabitEthernet0/0/0]int l0
[AR1-LoopBack0]ip address 1.1.1.1 32

AR2

[Huawei]sysname AR2
[AR2]int g0/0/0
[AR2-GigabitEthernet0/0/0]ip address 10.1.23.2 24
[AR2-GigabitEthernet0/0/0]int l0
[AR2-LoopBack0]ip address 2.2.2.2 32

AR3

[Huawei]sysname AR3
[AR3]int g0/0/0
[AR3-GigabitEthernet0/0/0]ip address 10.1.13.3 24
[AR3-GigabitEthernet0/0/0]int g0/0/1
[AR3-GigabitEthernet0/0/1]ip address 10.1.23.3 24
[AR3-GigabitEthernet0/0/1]int g0/0/2
[AR3-GigabitEthernet0/0/2]ip address 10.1.34.3 24
[AR3-GigabitEthernet0/0/2]int l0
[AR3-LoopBack0]ip address 3.3.3.3 32
[AR3-LoopBack0]q
[AR3]rip
[AR3-rip-1]v 2
[AR3-rip-1]network 10.0.0.0
[AR3-rip-1]network 3.0.0.0

AR4

[Huawei]sysname AR4
[AR4]int g0/0/0
[AR4-GigabitEthernet0/0/0]ip address 10.1.34.4 24
[AR4-GigabitEthernet0/0/0]int g0/0/1
[AR4-GigabitEthernet0/0/1]ip address 10.1.45.4 24
[AR4-GigabitEthernet0/0/1]int l0
[AR4-LoopBack0]ip address 4.4.4.4 32
[AR4-LoopBack0]q
[AR4]rip
[AR4-rip-1]v 2
[AR4-rip-1]network 10.0.0.0
[AR4-rip-1]network 4.0.0.0

AR5

[Huawei]sysname AR5
[AR5]int g0/0/0
[AR5-GigabitEthernet0/0/0]ip address 10.1.45.5 24
[AR5-GigabitEthernet0/0/0]int g0/0/1
[AR5-GigabitEthernet0/0/1]ip address 10.1.56.5 24
[AR5-GigabitEthernet0/0/1]int l0
[AR5-LoopBack0]ip address 5.5.5.5 32
[AR5-LoopBack0]q
[AR5]rip
[AR5-rip-1]v 2
[AR5-rip-1]undo summary
[AR5-rip-1]network 10.0.0.0
[AR5-rip-1]network 5.0.0.0
[AR5-rip-1]q
[AR5]int g0/0/1
[AR5-GigabitEthernet0/0/1]undo rip output
[AR5-GigabitEthernet0/0/1]undo rip input

The underlay configuration of AR6, AR7, AR8, AR9 and AR10 is similar.

2. MPLS

AR3

[AR3]mpls lsr-id 3.3.3.3
[AR3]mpls
[AR3-mpls]mpls ldp
[AR3-mpls-ldp]int g0/0/2
[AR3-GigabitEthernet0/0/2]mpls
[AR3-GigabitEthernet0/0/2]mpls ldp

AR4

[AR4]mpls lsr-id 4.4.4.4
[AR4]mpls
[AR4-mpls]mpls ldp
[AR4-mpls-ldp]int g0/0/0
[AR4-GigabitEthernet0/0/0]mpls
[AR4-GigabitEthernet0/0/0]mpls ldp
[AR4-GigabitEthernet0/0/0]int g0/0/1
[AR4-GigabitEthernet0/0/1]mpls
[AR4-GigabitEthernet0/0/1]mpls ldp

AR5

[AR5]mpls lsr-id 5.5.5.5
[AR5]mpls
[AR5-mpls]mpls ldp
[AR5-mpls-ldp]int g0/0/0
[AR5-GigabitEthernet0/0/0]mpls
[AR5-GigabitEthernet0/0/0]mpls ldp
[AR5-GigabitEthernet0/0/0]int g0/0/1
[AR5-GigabitEthernet0/0/1]mpls

3. MP-IBGP, MP-EBGP, labels and VPNv4

AR3

[AR3]bgp 10
[AR3-bgp]peer 4.4.4.4 as-number 10
[AR3-bgp]peer 4.4.4.4 connect-interface LoopBack0
[AR3-bgp]peer 4.4.4.4 label-route-capability
[AR3-bgp]ipv4-family vpnv4
[AR3-bgp-af-vpnv4]peer 4.4.4.4 enable

AR4 (RR)

[AR4]bgp 10
[AR4-bgp]peer 3.3.3.3 as 10
[AR4-bgp]peer 3.3.3.3 connect-interface LoopBack 0
[AR4-bgp]peer 5.5.5.5 as 10
[AR4-bgp]peer 5.5.5.5 connect-interface LoopBack 0
[AR4-bgp]peer 7.7.7.7 as-number 20
[AR4-bgp]peer 7.7.7.7 ebgp-max-hop 66
[AR4-bgp]peer 7.7.7.7 connect-interface LoopBack0
[AR4-bgp]peer 3.3.3.3 reflect-client
[AR4-bgp]peer 3.3.3.3 label-route-capability
[AR4-bgp]peer 5.5.5.5 reflect-client
[AR4-bgp]peer 5.5.5.5 label-route-capability
[AR4-bgp]ipv4-family vpnv4
[AR4-bgp-af-vpnv4]undo policy vpn-target
[AR4-bgp-af-vpnv4]peer 3.3.3.3 reflect-client
[AR4-bgp-af-vpnv4]peer 3.3.3.3 enable
[AR4-bgp-af-vpnv4]peer 7.7.7.7 enable
[AR4-bgp-af-vpnv4]peer 7.7.7.7 next-hop-invariable

AR5

[AR5]route-policy asbr permit node 10
[AR5-route-policy]apply mpls-label
[AR5-route-policy]q
[AR5]route-policy pe permit node 10
[AR5-route-policy]if-match mpls-label
[AR5-route-policy]apply mpls-label
[AR5-route-policy]q
[AR5]bgp 10
[AR5-bgp]peer 4.4.4.4 as 10
[AR5-bgp]peer 4.4.4.4 connect-interface LoopBack 0
[AR5-bgp]peer 10.1.56.6 as-number 20
[AR5-bgp]peer 4.4.4.4 route-policy pe export
[AR5-bgp]peer 4.4.4.4 label-route-capability
[AR5-bgp]peer 10.1.56.6 route-policy asbr export
[AR5-bgp]peer 10.1.56.6 label-route-capability
[AR5-bgp]network 3.3.3.3 255.255.255.255
[AR5-bgp]network 4.4.4.4 255.255.255.255
[AR5-bgp]q

[AR4-rip-1]dis bgp peer

[Figure 1: display bgp peer output on AR4]

The MP-IBGP and MPLS configuration of AR6, AR7, AR8, AR9 and AR10 is similar.

5. MPLS VPN service access

With the public network configured, the next step is letting company BB reach company DD.

AR3

[AR3]ip vpn-instance ybd2
[AR3-vpn-instance-ybd2]route-distinguisher 10:1
[AR3-vpn-instance-ybd2-af-ipv4]vpn-target 10:1 both
[AR3-vpn-instance-ybd2-af-ipv4]int g0/0/1
[AR3-GigabitEthernet0/0/1]ip binding vpn-instance ybd2
[AR3-GigabitEthernet0/0/1]ip address 10.1.23.3 24
[AR3-GigabitEthernet0/0/1]bgp 10
[AR3-bgp]peer 10.1.23.2 as 1
[AR3-bgp]ipv4-family vpn-instance ybd2
[AR3-bgp-ybd2]peer 10.1.23.2 as 1
[AR3-bgp-ybd2]peer 10.1.23.2 substitute-as    // AS number substitution for the CE

AR2

[AR2]bgp 1
[AR2-bgp]peer 10.1.23.3 as 10
[AR2-bgp]network 2.2.2.2 32

[AR3-bgp]dis bgp vpnv4 all peer
[Figure 2: display bgp vpnv4 all peer output on AR3]

[AR3]dis bgp vpnv4 all routing-table
[Figure 3: display bgp vpnv4 all routing-table output on AR3]

AR8

[AR8]ip vpn-instance ybd10
[AR8-vpn-instance-ybd10]route-distinguisher 10:1
[AR8-vpn-instance-ybd10-af-ipv4]vpn-target 10:1 both
[AR8-vpn-instance-ybd10-af-ipv4]int g0/0/2
[AR8-GigabitEthernet0/0/2]ip binding vpn-instance ybd10
[AR8-GigabitEthernet0/0/2]ip address 10.1.81.8 24
[AR8-GigabitEthernet0/0/2]bgp 20
[AR8-bgp]ipv4-family vpn-instance ybd10
[AR8-bgp-ybd10]peer 10.1.81.10 as 1
[AR8-bgp-ybd10]peer 10.1.81.10 substitute-as

AR10

[AR10]bgp 1
[AR10-bgp]peer 10.1.81.8 as 20
[AR10-bgp]network 10.10.10.10 32

[AR2]dis ip routing-table
[Figure 4: display ip routing-table output on AR2]

6. MPLS VPN service access

Company AA accesses company CC.

AR3

[AR3]ip vpn-instance ybd66
[AR3-vpn-instance-ybd1]route-distinguisher 20:1
[AR3-vpn-instance-ybd1-af-ipv4]vpn-target 20:1 both
[AR3-vpn-instance-ybd1-af-ipv4]int g0/0/0
[AR3-GigabitEthernet0/0/0]ip binding vpn-instance ybd66
[AR3-GigabitEthernet0/0/0]ip address 10.1.13.3 24
[AR3-GigabitEthernet0/0/0]q
[AR3]ospf 1 router-id 3.3.3.3 vpn-instance ybd66
[AR3-ospf-1]a 0
[AR3-ospf-1-area-0.0.0.0]network 10.1.13.3 0.0.0.0
[AR3-ospf-1-area-0.0.0.0]q
[AR3-ospf-1]import-route bgp
[AR3-ospf-1]bgp 10
[AR3-bgp]ipv4-family vpn-instance ybd66
[AR3-bgp-ybd1]import-route ospf 1

AR1

[AR1]ospf 1
[AR1-ospf-1]a 0
[AR1-ospf-1-area-0.0.0.0]network 1.1.1.1 0.0.0.0
[AR1-ospf-1-area-0.0.0.0]network 10.1.13.1 0.0.0.0

AR8

[AR8]ip vpn-instance ybd99
[AR8-vpn-instance-ybd9]route-distinguisher 20:1
[AR8-vpn-instance-ybd9-af-ipv4]vpn-target 20:1 both
[AR8-vpn-instance-ybd9-af-ipv4]int g0/0/1
[AR8-GigabitEthernet0/0/1]ip binding vpn-instance ybd99
[AR8-GigabitEthernet0/0/1]ip address 10.1.89.8 24
[AR8-GigabitEthernet0/0/1]q
[AR8]isis 1 vpn-instance ybd99
[AR8-isis-1]import-route bgp
[AR8-isis-1]network-entity 12.0001.0000.0000.0008.00
[AR8-isis-1]is-level level-2
[AR8-isis-1]int g0/0/1
[AR8-GigabitEthernet0/0/1]isis enable 1
[AR8-GigabitEthernet0/0/1]bgp 20
[AR8-bgp]ipv4-family vpn-instance ybd99
[AR8-bgp-ybd9]import-route isis 1

AR9

[AR9]isis
[AR9-isis-1]network-entity 12.0001.0000.0000.0009.00
[AR9-isis-1]is-level level-2
[AR9-isis-1]int g0/0/0
[AR9-GigabitEthernet0/0/0]isis enable 1
[AR9]int l0
[AR9-LoopBack0]isis enable

[AR9]dis ip routing-table
[Figure 5: display ip routing-table output on AR9]

Company CC (9.9.9.9) accesses company AA (1.1.1.1):

[AR1]ping -a 1.1.1.1 9.9.9.9
[Figure 6: ping output on AR1]

Capture packets on AR3's G0/0/2 interface:

[Figure 7: packet capture on AR3 G0/0/2]
The capture shows a three-label stack.

Route propagation from company AA to company CC

(1) The IPv4 route on AR1 is propagated to AR3

[AR1]dis ip routing-table 9.9.9.9
[Figure 8: route to 9.9.9.9 on AR1]
Encapsulated as:

Looking up the route to 9.9.9.9, the next hop is 10.1.13.3.

[Figure 9: packet encapsulation from AR1]
AR3 then looks up the route in the routing table of instance ybd66, which is bound to its interface G0/0/0.

(2) After AR3 imports the route into its VPNv4 routing table, it sends it as a unicast update to AR8, carrying the private label, the RT, the next hop and so on.

[Figure 10: VPNv4 route as received on AR8]
The next hop is 8.8.8.8.

[AR3]dis bgp vpnv4 vpn-instance ybd66 routing-table 9.9.9.9
[Figure 11: VPNv4 route for 9.9.9.9 in instance ybd66 on AR3]
The private label is 1028. With that label pushed, the packet is encapsulated as:
[Figure 12: encapsulation with the private label]
Then check the public-network label:

[AR3]dis mpls lsp
[Figure 13: display mpls lsp output on AR3]
Encapsulated as:
[AR3]dis ip routing-table 8.8.8.8
[Figure 14: route to 8.8.8.8 on AR3]
[AR3]dis mpls lsp
[Figure 15: display mpls lsp output on AR3]
The packet is sent out of G0/0/2. Encapsulated as:
[Figures 16 to 18]

On AR4 the outgoing label for 5.5.5.5 is 3, so the top label is popped and the packet is sent out of G0/0/1.

Encapsulated as:

[AR5]dis mpls lsp

Encapsulated as:

[AR6]dis mpls lsp
The packet is sent out of G0/0/1.

Encapsulated as:

[AR7]dis mpls lsp

On AR7 the outgoing label for 8.8.8.8 is 3, so the top label is popped and the packet is sent out of G0/0/1. Encapsulated as:

(3) After matching the RT value, AR8 strips the RD and the private label and imports the route into instance ybd99

[AR8]dis mpls lsp
Encapsulated as:
[AR8]dis ip routing-table vpn-instance ybd99

The next hop is 10.1.89.9.

Labels

Labels allocated by R5 (In/Out):
  3.3.3.3/32   1029/NULL   -/-
  4.4.4.4/32   1026/NULL   -/-

Labels received by R6:
  4.4.4.4/32   NULL/1026   -/-
  3.3.3.3/32   NULL/1029   -/-

Labels R6 allocates in turn for the routes it received:
  4.4.4.4/32   1027/1026   -/-
  3.3.3.3/32   1028/1029   -/-

These two are the null labels allocated for the routes, meaning the IPv4 routes can be forwarded with labels on R6:
  4.4.4.4/32   NULL/1026   -/-
  3.3.3.3/32   NULL/1029   -/-

R7 acts as RR and neither modifies nor allocates labels:
  4.4.4.4/32   NULL/1027   -/-
  3.3.3.3/32   NULL/1028   -/-

Labelled routes received by R8 through reflection:
  4.4.4.4/32   NULL/1027   -/-
  3.3.3.3/32   NULL/1028   -/-
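The forwarding walk above and the label table can be put together in a small model. The following Python is an added example, not configuration or output from the original post: it walks the return path CC (9.9.9.9) to AA (1.1.1.1), AR8 to AR3, using the BGP labels 1028 (allocated by AR6) and 1029 (allocated by AR5) for 3.3.3.3/32 from the table; the LDP labels 5000/5001, the VPN label 7001 and the outgoing interfaces are constructed placeholders. A hop with no entry for the incoming label raises an error, which is the condition the per-router dis mpls lsp checks above rule out.

```python
# Added example (not from the original post): Option C1 label-stack walk on the
# return path CC -> AA, AR8 -> AR3. BGP labels 1028 (AR6) and 1029 (AR5) for
# 3.3.3.3/32 come from the post's label table; LDP labels 5000/5001, VPN label
# 7001 and the outgoing interfaces are constructed placeholders.
IMPLICIT_NULL = 3  # "out label 3" in display mpls lsp: pop instead of swap

# Per-node label table: incoming top label -> (outgoing label, out interface).
# Outgoing label 3 is penultimate-hop popping, as the post observes for 5.5.5.5
# and 8.8.8.8 in the forward direction.
LFIB = {
    "AR7": {5000: (IMPLICIT_NULL, "G0/0/0")},  # PHP on the LDP LSP to 6.6.6.6
    "AR6": {1028: (1029, "G0/0/0")},           # ASBR: swap own BGP label for AR5's
    "AR5": {1029: (5001, "G0/0/0")},           # ASBR: BGP label -> LDP label to 3.3.3.3
    "AR4": {5001: (IMPLICIT_NULL, "G0/0/0")},  # PHP on the LDP LSP to 3.3.3.3
}
PATH = ["AR8", "AR7", "AR6", "AR5", "AR4", "AR3"]

# AR8's view of 1.1.1.1: VPN label from AR3 (next hop 3.3.3.3, kept by
# next-hop-invariable on the RRs), BGP label for 3.3.3.3 from AR6, LDP label
# for the BGP next hop 6.6.6.6 from AR7.
AR8_INGRESS = {"vpn": 7001, "bgp": 1028, "ldp": 5000}

def push_stack(labels):
    """Ingress PE builds the three-label stack; index 0 is the top label."""
    return [labels["ldp"], labels["bgp"], labels["vpn"]]

def process(node, stack):
    """Apply one transit node's LFIB to the top label; return the stack sent on."""
    top = stack[0]
    if top not in LFIB.get(node, {}):
        raise KeyError(f"{node}: no LFIB entry for incoming label {top}")
    out_label, _iface = LFIB[node][top]
    if out_label == IMPLICIT_NULL:
        return stack[1:]               # pop
    return [out_label] + stack[1:]     # swap

def trace(ingress, path=PATH):
    """Return (stack on the wire after each hop, VPN label seen by the egress PE)."""
    stack = push_stack(ingress)
    hops = {path[0]: list(stack)}
    for node in path[1:-1]:
        stack = process(node, stack)
        hops[node] = list(stack)
    if len(stack) != 1:  # the egress PE expects exactly the VPN label
        raise ValueError(f"{path[-1]}: unexpected stack {stack}")
    return hops, stack[0]  # AR3 looks this label up in vpn-instance ybd66

if __name__ == "__main__":
    for node, stack in trace(AR8_INGRESS)[0].items():
        print(f"{node:>4} -> {stack}")
```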

III. Characteristics of the inter-AS VPN Option C1 solution

The public network forms a fixed framework: if another company is connected later, only the VPN service access on the PE devices needs to be configured, and the public network needs no changes.

Advantages: VPN routes are exchanged directly between the ingress PE and the egress PE, with no intermediate device storing and forwarding them. VPN routing information appears only on the PE and RR devices, while the ASBRs are responsible for packet forwarding alone, so devices in the intermediate domain need not support MPLS VPN services, only MPLS forwarding, and the ASBRs no longer become a performance bottleneck. Inter-AS VPN Option C is therefore better suited to crossing multiple ASs, and also better suited to supporting load sharing for MPLS VPN.

Disadvantages: maintaining an end-to-end PE-to-PE connection carries a higher management cost.

Quote of the day: don't waste your best hours on sleep.

That's all for this issue. If you liked this article, please like, comment, share and bookmark it, and if you can also click follow, that really is the biggest encouragement for me. Thank you all, see you next time!
