华为 BGP/MPLS VPN实验

哈喽,大家好!我是艺博东 ,是一个思科出身、专注于华为的网工;好了,话不多说,我们直接进入正题。

一、拓扑

二、基础配置与分析

1、将骨干网络打通IGP 2、配置公网的LSP隧道,PE,P设备的loopack的主机路由建立LSP 3、PE之间配置MP-IBGP邻居关系(可以通过RR简化MP-IBGP全互联邻居关系) 4、VPN业务接入配置,在PE上创建VPN实例,接入用户私网路由

IS-IS

AR2

[Huawei]sysname AR2 [AR2]int l0 [AR2-LoopBack0]ip address 2.2.2.2 32 [AR2-LoopBack0]int g0/0/0 [AR2-GigabitEthernet0/0/0]ip address 10.1.23.2 24 [AR2-GigabitEthernet0/0/0]q [AR2]isis [AR2-isis-1]network-entity 12.0001.0000.0000.0002.00 [AR2-isis-1]is-level level-2 [AR2-isis-1]int g0/0/0 [AR2-GigabitEthernet0/0/0]isis enable [AR2-GigabitEthernet0/0/0]int l0 [AR2-LoopBack0]isis enable [AR2-LoopBack0]q [AR2]int g0/0/1 [AR2-GigabitEthernet0/0/1]ip address 10.1.12.2 24

AR3

[Huawei]sysname AR3 [AR3]int l0 [AR3-LoopBack0]ip address 3.3.3.3 32 [AR3-LoopBack0]int g0/0/0 [AR3-GigabitEthernet0/0/0]ip address 10.1.34.3 24 [AR3-GigabitEthernet0/0/0]int g0/0/1 [AR3-GigabitEthernet0/0/1]ip address 10.1.23.3 24 [AR3-GigabitEthernet0/0/1]q [AR3]isis [AR3-isis-1]network-entity 12.0001.0000.0000.0003.00 [AR3-isis-1]is-level level-2 [AR3-isis-1]int l0 [AR3-LoopBack0]isis enable [AR3-LoopBack0]int g0/0/0 [AR3-GigabitEthernet0/0/0]isis enable [AR3-GigabitEthernet0/0/0]int g0/0/1 [AR3-GigabitEthernet0/0/1]isis enable [AR3-GigabitEthernet0/0/1]q

AR4

[Huawei]sysname AR4 [AR4]int l0 [AR4-LoopBack0]ip address 4.4.4.4 32 [AR4-LoopBack0]int g0/0/1 [AR4-GigabitEthernet0/0/1]ip address 10.1.34.4 24 [AR4-GigabitEthernet0/0/1]q [AR4]isis [AR4-isis-1]network-entity 12.0001.0000.0000.0004.00 [AR4-isis-1]is-level level-2 [AR4-isis-1]int l0 [AR4-LoopBack0]isis enable [AR4-LoopBack0]q [AR4]int g0/0/1 [AR4-GigabitEthernet0/0/1]isis enable [AR4-GigabitEthernet0/0/1]int g0/0/0 [AR4-GigabitEthernet0/0/1q [AR4]int g0/0/0 [AR4-GigabitEthernet0/0/0]ip address 10.1.45.4 24

[AR3]dis isis peer

MPLS

AR2

[AR2]mpls lsr-id 2.2.2.2 [AR2]mpls [AR2-mpls]mpls ldp [AR2-mpls-ldp]int g0/0/0 [AR2-GigabitEthernet0/0/0]mpls [AR2-GigabitEthernet0/0/0]mpls ldp

AR3、AR4配置类似

[AR3]dis mpls ldp session

[AR3]dis mpls lsp BGP

AR3

[AR3]bgp 100 [AR3-bgp]peer 2.2.2.2 as-number 100 [AR3-bgp]peer 2.2.2.2 connect-interface LoopBack 0 [AR3-bgp]peer 2.2.2.2 next-hop-local [AR3-bgp]peer 4.4.4.4 as-number 100 [AR3-bgp]peer 4.4.4.4 connect-interface LoopBack 0 [AR3-bgp]peer 4.4.4.4 next-hop-local [AR3-bgp]peer 2.2.2.2 reflect-client [AR3-bgp]peer 4.4.4.4 reflect-client [AR3-bgp]ipv4-family vpnv4 [AR3-bgp-af-vpnv4]peer 2.2.2.2 enable [AR3-bgp-af-vpnv4]peer 2.2.2.2 reflect-client [AR3-bgp-af-vpnv4]peer 4.4.4.4 enable [AR3-bgp-af-vpnv4]peer 4.4.4.4 reflect-client

AR2

[AR2]bgp 100 [AR2-bgp]peer 3.3.3.3 as-number 100 [AR2-bgp]peer 3.3.3.3 connect-interface LoopBack 0 [AR2-bgp]peer 3.3.3.3 next-hop-local [AR2-bgp]ipv4-family vpnv4 [AR2-bgp-af-vpnv4]peer 3.3.3.3 enable

AR4

[AR4]bgp 100 [AR4-bgp]peer 3.3.3.3 as-number 100 [AR4-bgp]peer 3.3.3.3 connect-interface LoopBack 0 [AR4-bgp]peer 3.3.3.3 next-hop-local [AR4-bgp]ipv4-family vpnv4 [AR4-bgp-af-vpnv4]peer 3.3.3.3 enable

[AR3]dis bgp peer verbose

VPNv4

AR2

[AR2]bgp 100 [AR2-bgp]ipv4-family unicast [AR2-bgp-af-ipv4]undo peer 3.3.3.3 enable

AR3

[AR3]bgp 100 [AR3-bgp]ipv4-family unicast [AR3-bgp-af-ipv4]undo peer 2.2.2.2 enable [AR3-bgp-af-ipv4]undo peer 4.4.4.4 enable

AR4

[AR4]bgp 100 [AR4-bgp]ipv4-family unicast [AR4-bgp-af-ipv4]undo peer 3.3.3.3 enable

查看vpnv4地址族的BGP邻居关系 [AR3]dis bgp vpnv4 all peer dis bgp

[AR3]dis bgp vpnv4 all peer verbose VPN业务接入配置

AR2

[AR2]ip vpn-instance ybd [AR2-vpn-instance-ybd]route-distinguisher 10:1 [AR2-vpn-instance-ybd-af-ipv4]vpn-target 100:1 both [AR2]int g0/0/1 [AR2-GigabitEthernet0/0/1]ip binding vpn-instance ybd [AR2-GigabitEthernet0/0/1]ip address 10.1.12.2 24

[AR2]dis ip routing-table vpn-instance ybd [AR2]ping -vpn-instance ybd 10.1.12.1 OSPF

AR1

[AR1]ospf 1 router-id 1.1.1.1 [AR1-ospf-1]a 0 [AR1-ospf-1-area-0.0.0.0]network 192.168.1.1 0.0.0.0 [AR1-ospf-1-area-0.0.0.0]network 10.1.12.1 0.0.0.0

AR2

[AR2]ospf 1 vpn-instance ybd [AR2-ospf-1]a 0 [AR2-ospf-1-area-0.0.0.0]network 10.1.12.2 0.0.0.0

[AR2]dis ospf peer brief [AR2]dis ip routing-table vpn-instance ybd

AR1、AR2 [AR1]int l10 [AR1-LoopBack10]ip address 192.168.10.1 32 [AR2]ip route-static vpn-instance ybd 192.168.10.0 24 10.1.12.1

[AR2]dis ip routing-table vpn-instance ybd RIP

AR4

[AR4]ip vpn-instance ybd6 [AR4-vpn-instance-ybd6]route-distinguisher 10:2 [AR4-vpn-instance-ybd6-af-ipv4]vpn-target 100:1 both [AR4-vpn-instance-ybd6-af-ipv4]q [AR4-vpn-instance-ybd6]q [AR4]int g0/0/0 [AR4-GigabitEthernet0/0/0]ip binding vpn-instance ybd6 [AR4-GigabitEthernet0/0/0]ip address 10.1.45.4 24 [AR4-GigabitEthernet0/0/0]q [AR4]rip 1 vpn-instance ybd6 [AR4-rip-1]version 2 [AR4-rip-1]network 10.0.0.0

AR5

[AR5]rip 1 [AR5-rip-1]version 2 [AR5-rip-1]network 10.0.0.0 [AR5-rip-1]network 192.168.2.0

[AR4]dis ip routing-table vpn-instance ybd6 VPN业务接入配置

vpn-instacen ybd 路由 —> vpn-instance vpnv4 路由 —> vpn-insance Ai vpnv4 BGP路由

AR2

[AR2]bgp 100 [AR2-bgp]ipv4-family vpn-instance ybd [AR2-bgp-ybd]import-route ospf 1 [AR2-bgp-ybd]import-route static

[AR2]display bgp vpnv4 all routing-table 在AR2的G0/0/0接口进行抓包

policy vpn-target 开启基于RT属性VPNv4路由的过滤

1、如果本路由器没有VPN实例业务接入,则丢弃所有vpnv4路由 2、如果本路由器存在VPN实例业务接口,则对ert和本端所有VPN实例的irt做匹配,如果ert没有和任何一个本端vpn实例的irt匹配,则丢弃。

[AR3-bgp]dis bgp vpnv4 all routing-table 没bgp vpnv4路由

RR上

[AR3-bgp]ipv4-family vpnv4 [AR3-bgp-af-vpnv4]undo policy vpn-target

[AR3-bgp-af-vpnv4]dis bgp vpnv4 all routing-table [AR4]dis bgp vpnv4 all routing-table AR4已接收相应的路由。

[AR4]dis ip routing-table vpn-instance ybd6 protocol bgp 最有路由。

AR4

[AR4]bgp 100 [AR4-bgp]ipv4-family vpn-instance ybd6 [AR4-bgp-ybd6]import-route rip 1 [AR4-rip-1]import-route bgp

[AR5]dis ip routing-table protocol rip [AR4]dis ip routing-table vpn-instance ybd6

AR2

[AR2]ospf [AR2-ospf-1]import-route bgp

[AR2]dis ip routing-table vpn-instance ybd [AR1]dis ip routing-table 192.168.2.5

下面说一下AR5的192.168.2.5是怎么访问AR1的192.168.1.1的路由。

AR5查找路由表192.168.1.1,发现下一跳是10.1.45.4 然后 然后根据AR4的接口下绑定的ybd6路由表,去查相关路由。

[AR4]dis bgp vpnv4 vpn-instance ybd6 routing-table 192.168.1.1 数据封装成

出去的标签是1024

然后数据封装成这样了

压入标签为2个。

然后AR4根据G0/0/1接口发出去,

RR 查找标签

2.2.2.2的进标签1024,出标签是3,然后进行弹出顶部标签,从G0/0/1接口发送出去。

AR2收到后,查看lsp

通过BGP协议得到的标签,收到的标签如果是1027的话,就属于ybd路由表进行转发的。

弹出标签 192.168.1.1属于ybd本地的报文

从接口g0/0/1发出,下一跳是10.1.12.1。

反过来也是一样的。

创建一个telnet

AR5

[AR5]user-interface vty 0 4 [AR5-ui-vty0-4]set authentication password cipher ybd666666 [AR5-ui-vty0-4]user privilege level 15

telnet -a 192.168.1.1 192.168.2.5

模拟内网冲突的场景,路由冲突的时候怎么区分?

拓扑

本地路由一样是可以通过VPN实例来进行区分的。

RD:区分实例,标记路由,只在本地有效,区分不同站点的相同路由; RT:对路由进行控制,控制路由的导入与导出。

注意:可以是相同的DR的

AR2

[AR2]int g0/0/2 [AR2-GigabitEthernet0/0/2]ip address 10.1.26.2 24 [AR2]ip vpn-instance ybd99 [AR2-vpn-instance-ybd99]route-distinguisher 20:3 [AR2-vpn-instance-ybd99]vpn-target 200:1 both [AR2]int g0/0/2 [AR2-GigabitEthernet0/0/2]ip binding vpn-instance ybd99 [AR2-GigabitEthernet0/0/2]ip address 10.1.26.2 24 [AR2]isis 10 vpn-instance ybd99 [AR2-isis-10]is-level level-2 [AR2-isis-10]network-entity 12.0099.0000.0000.0002.00 [AR2-isis-10]int g0/0/2 [AR2-GigabitEthernet0/0/2]isis enable 10

AR6

[Huawei]sysname AR6 [AR6]int g0/0/0 [AR6-GigabitEthernet0/0/0]ip address 10.1.26.6 24 [AR6-LoopBack0]ip address 192.168.1.1 32 [AR6]isis [AR6-isis-1]network-entity 12.0099.0000.0000.0006.00 [AR6-isis-1]is-level level-2 [AR6-isis-1]int g0/0/0 [AR6-GigabitEthernet0/0/0]isis enable [AR6-GigabitEthernet0/0/0]int l0 [AR6-LoopBack0]isis enable [AR2]bgp 100 [AR2-bgp]ipv4-family vpn-instance ybd99 [AR2-bgp-ybd99]import-route isis 10

[AR6]dis isis peer [AR2]dis isis peer vpn-instance ybd99

AR4

[AR4]ip vpn-instance ybd666 [AR4-vpn-instance-ybd666]route-distinguisher 20:3 [AR4-vpn-instance-ybd666-af-ipv4]vpn-target 200:1 both [AR4-vpn-instance-ybd666-af-ipv4]int g0/0/2 [AR4-GigabitEthernet0/0/2]ip binding vpn-instance ybd666 [AR4-GigabitEthernet0/0/2]ip address 10.1.47.4 24 [AR4]bgp 100 [AR4-bgp]ipv4-family vpn-instance ybd666 [AR4-bgp-ybd666]peer 10.1.47.7 as 64523

华为设备当将BGP路由引入到IGP时,只将EBGP路由引入。

AR7

[Huawei]sysname AR7 [AR7]int l0 [AR7-LoopBack0]ip address 192.168.10.1 32 [AR7-LoopBack0]int g0/0/0 [AR7-GigabitEthernet0/0/0]ip address 10.1.47.7 24 [AR7]bgp 64523 [AR7-bgp]peer 10.1.47.4 as 100 [AR7-bgp]network 192.168.10.1 32

[AR4]dis bgp vpnv4 all peer

[AR2]isis 10 [AR2-isis-10]import-route bgp

[AR4]dis bgp vpnv4 all routing-table

RD、RT不一样。

[AR2]dis mpls lsp

192.168.10.1 PING测 192.168.1.1 已学到192.168.1.1/32的路由,下一跳是10.1.47.4;

然后根据AR4的接口下绑定的ybd666路由表,去查找相关的路由。

由以上输出结果可知,下一跳是2.2.2.2。

[AR4]dis bgp vpnv4 vpn-instance ybd666 routing-table 192.168.1.1

压入公网标签1024

弹出标签

通过BGP协议得到的标签,收到的标签如果是1037的话,就属于ybd99路由表进行转发的。

192.168.1.1属于ybd99本地的报文

有以上输出结果可知,下一跳是10.1.26.6。

温故而知新,可以为师矣。

好了这期就到这里了,如果你喜欢这篇文章的话,请点赞评论分享收藏,如果你还能点击关注,那真的是对我最大的鼓励。谢谢大家,下期见!

免责声明:文章内容来自互联网,本站不对其真实性负责,也不承担任何法律责任,如有侵权等情况,请与本站联系删除。
转载请注明出处:华为 BGP/MPLS VPN实验 https://www.yhzz.com.cn/a/17211.html

上一篇 2023-05-19
下一篇 2023-05-19

相关推荐

联系云恒

在线留言: 我要留言
客服热线:400-600-0310
工作时间:周一至周六,08:30-17:30,节假日休息。