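Hello everyone! I'm 艺博东, a network engineer who started out with Cisco and now focuses on Huawei. Without further ado, let's get straight to the topic.
I. Topology
II. Configuration and Analysis
(1) Run an IGP inside each AS so that everything is reachable
(2) Build the LSPs inside each AS
(3) Configure the MP-IBGP architecture/RR inside each AS
(4) Build the MP-EBGP neighbor relationship between the ASBRs and enable MPLS on the interconnecting interfaces
(5) MPLS VPN service access
1. Underlay configuration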
AR1
[Huawei]sysname AR1
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]ip address 10.1.13.1 24
[AR1-GigabitEthernet0/0/0]int l0
[AR1-LoopBack0]ip address 1.1.1.1 32
AR2
[Huawei]sysname AR2
[AR2]int g0/0/0
[AR2-GigabitEthernet0/0/0]ip address 10.1.23.2 24
[AR2-GigabitEthernet0/0/0]int l0
[AR2-LoopBack0]ip address 2.2.2.2 32
AR3
[Huawei]sysname AR3
[AR3]int g0/0/0
[AR3-GigabitEthernet0/0/0]ip address 10.1.13.3 24
[AR3-GigabitEthernet0/0/0]int g0/0/1
[AR3-GigabitEthernet0/0/1]ip address 10.1.23.3 24
[AR3-GigabitEthernet0/0/1]int g0/0/2
[AR3-GigabitEthernet0/0/2]ip address 10.1.34.3 24
[AR3-GigabitEthernet0/0/2]int l0
[AR3-LoopBack0]ip address 3.3.3.3 32
[AR3-LoopBack0]q
[AR3]rip
[AR3-rip-1]v 2
[AR3-rip-1]network 10.0.0.0
[AR3-rip-1]network 3.0.0.0
AR4
[Huawei]sysname AR4
[AR4]int g0/0/0
[AR4-GigabitEthernet0/0/0]ip address 10.1.34.4 24
[AR4-GigabitEthernet0/0/0]int g0/0/1
[AR4-GigabitEthernet0/0/1]ip address 10.1.45.4 24
[AR4-GigabitEthernet0/0/1]int l0
[AR4-LoopBack0]ip address 4.4.4.4 32
[AR4-LoopBack0]q
[AR4]rip
[AR4-rip-1]v 2
[AR4-rip-1]network 10.0.0.0
[AR4-rip-1]network 4.0.0.0
AR5
[Huawei]sysname AR5
[AR5]int g0/0/0
[AR5-GigabitEthernet0/0/0]ip address 10.1.45.5 24
[AR5-GigabitEthernet0/0/0]int g0/0/1
[AR5-GigabitEthernet0/0/1]ip address 10.1.56.5 24
[AR5-GigabitEthernet0/0/1]int l0
[AR5-LoopBack0]ip address 5.5.5.5 32
[AR5-LoopBack0]q
[AR5]rip
[AR5-rip-1]v 2
[AR5-rip-1]network 10.0.0.0
[AR5-rip-1]network 5.0.0.0
The underlay configuration of AR6, AR7, AR8, AR9 and AR10 is similar.
2. MPLS
AR3
[AR3]mpls lsr-id 3.3.3.3
[AR3]mpls
[AR3-mpls]mpls ldp
[AR3-mpls-ldp]int g0/0/2
[AR3-GigabitEthernet0/0/2]mpls
[AR3-GigabitEthernet0/0/2]mpls ldp
AR4
[AR4]mpls lsr-id 4.4.4.4
[AR4]mpls
[AR4-mpls]mpls ldp
[AR4-mpls-ldp]int g0/0/0
[AR4-GigabitEthernet0/0/0]mpls
[AR4-GigabitEthernet0/0/0]mpls ldp
[AR4-GigabitEthernet0/0/0]int g0/0/1
[AR4-GigabitEthernet0/0/1]mpls
[AR4-GigabitEthernet0/0/1]mpls ldp
AR5
[AR5]mpls lsr-id 5.5.5.5
[AR5]mpls
[AR5-mpls]mpls ldp
[AR5-mpls-ldp]int g0/0/0
[AR5-GigabitEthernet0/0/0]mpls
[AR5-GigabitEthernet0/0/0]mpls ldp
[AR5]dis mpls lsp
3. MP-IBGP
AR4 (RR)
[AR4]bgp 10
[AR4-bgp]peer 3.3.3.3 as 10
[AR4-bgp]peer 3.3.3.3 connect-interface LoopBack 0
[AR4-bgp]peer 5.5.5.5 as 10
[AR4-bgp]peer 5.5.5.5 connect-interface LoopBack 0
[AR4-bgp]ipv4-family vpnv4
[AR4-bgp-af-vpnv4]peer 3.3.3.3 enable
[AR4-bgp-af-vpnv4]peer 3.3.3.3 reflect-client
[AR4-bgp-af-vpnv4]peer 5.5.5.5 enable
[AR4-bgp-af-vpnv4]peer 5.5.5.5 reflect-client
[AR4-bgp-af-vpnv4]undo policy vpn-target
AR5
[AR5]bgp 10
[AR5-bgp]peer 4.4.4.4 as 10
[AR5-bgp]peer 4.4.4.4 connect-interface LoopBack 0
[AR5-bgp]ipv4-family vpnv4
[AR5-bgp-af-vpnv4]peer 4.4.4.4 enable
[AR4-rip-1]dis bgp peer
The MP-IBGP and MPLS configuration of AR6, AR7, AR8, AR9 and AR10 is similar.
4. MP-EBGP
AR5
[AR5]bgp 10
[AR5-bgp]peer 10.1.56.6 as 20
[AR5-bgp]ipv4-family vpnv4
[AR5-bgp-af-vpnv4]peer 10.1.56.6 enable
[AR5-bgp-af-vpnv4]undo policy vpn-target
AR6
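[AR6]bgp 20
[AR6-bgp]peer 10.1.56.5 as-number 10
[AR6-bgp]ipv4-family vpnv4
[AR6-bgp-af-vpnv4]peer 10.1.56.5 enable
[AR6-bgp-af-vpnv4]undo policy vpn-target
[AR6]dis bgp peer
5. MPLS VPN service access
With the public network configured, next comes Company B accessing Company D.
Enable MPLS on the interconnecting interfaces of AR5 and AR6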
[AR5]int g0/0/1
[AR5-GigabitEthernet0/0/1]mpls
[AR6]int g0/0/0
[AR6-GigabitEthernet0/0/0]mpls
AR3
[AR3]ip vpn-instance ybd2
[AR3-vpn-instance-ybd2]route-distinguisher 10:1
[AR3-vpn-instance-ybd2-af-ipv4]vpn-target 10:1 both
[AR3-vpn-instance-ybd2-af-ipv4]int g0/0/1
[AR3-GigabitEthernet0/0/1]ip binding vpn-instance ybd2
[AR3-GigabitEthernet0/0/1]ip address 10.1.23.3 24
[AR3-GigabitEthernet0/0/1]bgp 10
[AR3-bgp]peer 10.1.23.2 as 1
[AR3-bgp]ipv4-family vpn-instance ybd2
[AR3-bgp-ybd2]peer 10.1.23.2 as 1
[AR3-bgp-ybd2]peer 10.1.23.2 substitute-as //disguise the AS number
AR2
[AR2]bgp 1
[AR2-bgp]peer 10.1.23.3 as 10
[AR2-bgp]network 2.2.2.2 32
[AR3-bgp]dis bgp vpnv4 all peer
[AR3]dis bgp vpnv4 all routing-table
AR8
[AR8]ip vpn-instance ybd10
[AR8-vpn-instance-ybd10]route-distinguisher 10:1
[AR8-vpn-instance-ybd10-af-ipv4]vpn-target 10:1 both
[AR8-vpn-instance-ybd10-af-ipv4]int g0/0/2
[AR8-GigabitEthernet0/0/2]ip binding vpn-instance ybd10
[AR8-GigabitEthernet0/0/2]ip address 10.1.81.8 24
[AR8-GigabitEthernet0/0/2]bgp 20
[AR8-bgp]ipv4-family vpn-instance ybd10
[AR8-bgp-ybd10]peer 10.1.81.10 as 1
[AR8-bgp-ybd10]peer 10.1.81.10 substitute-as
AR10
[AR10]bgp 1
[AR10-bgp]peer 10.1.81.8 as 20
[AR10-bgp]network 10.10.10.10 32
[AR10]dis ip routing-table
6. MPLS VPN service access
Company A accesses Company C.
AR3
[AR3]ip vpn-instance ybd1
[AR3-vpn-instance-ybd1]route-distinguisher 20:1
[AR3-vpn-instance-ybd1-af-ipv4]vpn-target 20:1 both
[AR3-vpn-instance-ybd1-af-ipv4]int g0/0/0
[AR3-GigabitEthernet0/0/0]ip binding vpn-instance ybd1
[AR3-GigabitEthernet0/0/0]ip address 10.1.13.3 24
[AR3-GigabitEthernet0/0/0]q
[AR3]ospf 1 vpn-instance ybd1
[AR3-ospf-1]a 0
[AR3-ospf-1-area-0.0.0.0]network 10.1.13.3 0.0.0.0
[AR3-ospf-1-area-0.0.0.0]q
[AR3-ospf-1]import-route bgp
[AR3-ospf-1]bgp 10
[AR3-bgp]ip
[AR3-bgp]ipv4-family vpn-instance ybd1
[AR3-bgp-ybd1]import-route ospf 1
AR1
[AR1]ospf 1 router-id 1.1.1.1
[AR1-ospf-1]a 0
[AR1-ospf-1-area-0.0.0.0]network 10.1.13.1 0.0.0.0
[AR1-ospf-1-area-0.0.0.0]net 1.1.1.1 0.0.0.0
AR8
[AR8]ip vpn-instance ybd9
[AR8-vpn-instance-ybd9]route-distinguisher 20:1
[AR8-vpn-instance-ybd9-af-ipv4]vpn-target 20:1 both
[AR8-vpn-instance-ybd9-af-ipv4]int g0/0/1
[AR8-GigabitEthernet0/0/1]ip binding vpn-instance ybd9
[AR8-GigabitEthernet0/0/1]ip address 10.1.89.8 24
[AR8-GigabitEthernet0/0/1]q
[AR8]isis 1 vpn-instance ybd9
[AR8-isis-1]import-route bgp
[AR8-isis-1]network-entity 12.0001.0000.0000.0008.00
[AR8-isis-1]is-level level-2
[AR8-isis-1]int g0/0/1
[AR8-GigabitEthernet0/0/1]isis enable 1
[AR8-GigabitEthernet0/0/1]bgp 20
[AR8-bgp]ipv4-family vpn-instance ybd9
[AR8-bgp-ybd9]import-route isis 1
AR9
[AR9]isis
[AR9-isis-1]nrt
[AR9-isis-1]network-entity 12.0001.0000.0000.0009.00
[AR9-isis-1]is-level level-2
[AR9-isis-1]int g0/0/0
[AR9-GigabitEthernet0/0/0]isis enable 1
[AR9]int l0
[AR9-LoopBack0]isis enable
[AR9]dis ip routing-table
[AR1]ping -a 1.1.1.1 9.9.9.9
When Company A (1.1.1.1) accesses Company C (9.9.9.9), how are the labels assigned?
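The packet is encapsulated as:
[AR1]dis ip routing-table 9.9.9.9
Look up the route to 9.9.9.9: the next hop is 10.1.13.3.
AR3 then looks up the route in the routing table of instance ybd1, which is bound to its interface.
[AR3]dis ip routing-table vpn-instance ybd1
The next hop is 5.5.5.5.
[AR3]display bgp vpnv4 vpn-instance ybd1 routing-table 9.9.9.9
The private-network label is 1031. With the label pushed, the packet is encapsulated as:
Check the public-network label
[AR3]display mpls lsp
The public-network label is 1025.
With the label pushed, the packet is encapsulated as:
AR3 then sends it out of interface G0/0/2.
The RR looks up the label
[AR4]dis mpls lsp
The out label for 5.5.5.5 is 3, so the top label is popped and the packet is sent out of interface G0/0/1.
When AR5 receives the packet, it checks the label.
If the received label is 1031, the out label is 1031.
Check the BGP VPNv4 routing table
[AR5]display bgp vpnv4 all routing-table
The next hop is 10.1.56.6.
[AR6]dis mpls lsp
The in label is 1031 and the out label is 1028.
Encapsulated as:
[AR6]dis bgp vpnv4 all routing-table
The next hop is 8.8.8.8.
[AR6]dis mpls lsp
The out label is 1028; the packet is encapsulated as:
The RR looks up the label
[AR7]dis mpls lsp
The out label for 8.8.8.8 is 3, so the top label is popped and the packet is sent out of interface G0/0/1.
[AR8]dis mpls lsp
The received label 1028 is removed; the packet belongs to instance ybd6.
[AR8]dis ip routing-table vpn-instance ybd9
The next hop is 10.1.89.9.
Restart the process and capture packets: there are two layers of labels.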
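The label walk above, replayed as a small simulation (an added example, not part of the original article). It uses the article's label values 1031, 1025, 1028 and 3; the transport label inside AS 20 is not shown in the article, so `AS20_LDP_LABEL` is a constructed placeholder, and `PATH` and `walk` are hypothetical names. The trace shows that the packet crosses the AR5-AR6 link carrying only the VPN label.

```python
IMPLICIT_NULL = 3       # reserved label value: the penultimate hop pops the top label
AS20_LDP_LABEL = 2001   # constructed placeholder; the article does not show this value

# (node, role, table) along the Company A -> Company C path.
# "lfib" maps in-label -> out-label; "ldp" is a transport label pushed on top.
PATH = [
    ("AR3", "ingress-pe", {"vpn": 1031, "ldp": 1025}),
    ("AR4", "lsr", {"lfib": {1025: IMPLICIT_NULL}}),
    ("AR5", "lsr", {"lfib": {1031: 1031}}),
    ("AR6", "lsr", {"lfib": {1031: 1028}, "ldp": AS20_LDP_LABEL}),
    ("AR7", "lsr", {"lfib": {AS20_LDP_LABEL: IMPLICIT_NULL}}),
    ("AR8", "egress-pe", {"lfib": {1028: "ybd9"}}),  # ybd9: the instance configured on AR8
]

def walk(path):
    """Return [(node, label stack after the node, VRF or None)]; stack[0] is the top."""
    stack, trace = [], []
    for node, role, table in path:
        vrf = None
        if role == "ingress-pe":
            # The PE pushes the VPN (inner) label, then the LDP (outer) label.
            stack = [table["ldp"], table["vpn"]]
        else:
            if not stack or stack[0] not in table["lfib"]:
                raise LookupError(f"{node}: no LFIB entry for {stack[:1]}, packet dropped")
            out = table["lfib"][stack.pop(0)]
            if role == "egress-pe":
                vrf = out                      # VPN label selects the VPN instance
            else:
                if out != IMPLICIT_NULL:       # label 3 means pop, not swap
                    stack.insert(0, out)
                if "ldp" in table:             # ASBR re-enters an LDP tunnel
                    stack.insert(0, table["ldp"])
        trace.append((node, list(stack), vrf))
    return trace

if __name__ == "__main__":
    for node, stack, vrf in walk(PATH):
        print(f"{node}: stack after = {stack}" + (f", deliver in VRF {vrf}" if vrf else ""))
```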
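III. Characteristics of Inter-AS VPN Option B
The public network forms a single framework; when more companies connect later, only the PE devices need to be configured.
Advantages: Not limited by the number of interconnecting links between the ASBRs; the ASBRs do not need VPN instances configured.
Disadvantages: VPN routing information is stored and propagated by the ASBRs between the ASs. When there are many VPN routes, the ASBRs carry a heavy load and easily become a point of failure. Therefore, in the MP-EBGP solution, the ASBRs that maintain VPN routing information generally no longer handle public-network forwarding.
Quote: "If the resolve is not genuine, the heart will not be fervent; if the heart is not fervent, the effort will not be diligent." (Yan Yuan)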