【华三】MPLS VPN 跨域方案 Option B
跨域方案B解决办法
跨域方案B的主要解决方案:两个不同AS域相邻ASBR的BGP VPNv4地址族中,建立eBGP邻居,并且在ASBR上关闭基于RT值的路由选择和过滤功能,并开启MPLS功能。
业务规划
- 通过Option B方式实现CE1与CE2之间的互通
- PE1的RD为100:1
  PE1的RT入方向为100:1,出方向为100:2
- PE2的RD为200:1
  PE2的RT入方向为100:2,出方向为100:1
- MPLS的AS100中,ISIS区域为49.0001;AS200中,ISIS区域为49.0002;并且开销方式都为wide
- PE1与ASBR1,PE2与ASBR2建立VPNv4的MP-iBGP邻居;ASBR1与ASBR2之间建立VPNv4的eBGP邻居
配置步骤
- 按照要求完成互联IP及loopback地址的配置
- 在MPLS骨干网上配置IGP协议,实现骨干网内互通
- 在MPLS骨干网上配置MPLS基本能力和MPLS LDP,建立LDP LSP
- 各AS内,PE、ASBR建立MP-iBGP对等体关系,交换VPNv4路由
- 各AS内,PE配置VPN实例,并将业务口与VPN实例关联
- PE与CE之间可采用OSPF对接
- ASBR和ASBR之间互联口分别使能MPLS,建立MP-EBGP对等体。由于两台ASBR-PE上无须配置VPN实例,故不对接收的VPNv4路由进行VPN-Target过滤。注意:关闭VPN-Target过滤后,ASBR会接收并保存对端AS通告的所有VPNv4路由,生产环境中应在该eBGP对等体上配置路由策略,只放行双方约定的RT,并启用BGP对等体认证。
配置
CE1
[H3C]sysname CE1
[CE1]int g0/0
[CE1-GigabitEthernet0/0]ip address 10.1.1.1 30
[CE1-GigabitEthernet0/0]quit
[CE1]int LoopBack 1
[CE1-LoopBack1]ip address 172.16.1.1 32
[CE1-LoopBack1]int LoopBack 2
[CE1-LoopBack2]ip address 172.16.1.2 32
[CE1-LoopBack2]int LoopBack 3
[CE1-LoopBack3]ip address 172.16.1.3 32
[CE1-LoopBack3]qu
# 将业务路由宣告进OSPF中
[CE1]int range g0/0 lo1 lo2 lo3
[CE1-if-range]ospf 1 area 0
[CE1-if-range]quit
CE2
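[H3C]sysname CE2
# Uplink to PE2 (PE2 g0/1 is 10.2.1.1/30)
[CE2]int g0/0
[CE2-GigabitEthernet0/0]ip address 10.2.1.2 30
[CE2-GigabitEthernet0/0]qu
# CE2 service loopbacks are 172.16.2.1-3/32, matching the CE2 configuration file
# later on this page; 172.16.1.1-3 are CE1's loopbacks and must not be reused here,
# otherwise both sites advertise the same prefixes into the VPN.
[CE2]int LoopBack 1
[CE2-LoopBack1]ip address 172.16.2.1 32
[CE2-LoopBack1]int LoopBack 2
[CE2-LoopBack2]ip address 172.16.2.2 32
[CE2-LoopBack2]int LoopBack 3
[CE2-LoopBack3]ip address 172.16.2.3 32
[CE2-LoopBack3]qu
# Advertise the uplink and the service loopbacks into OSPF process 1, area 0
[CE2]int range lo1 lo2 lo3 g0/0
[CE2-if-range]ospf 1 a 0
[CE2-if-range]qu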
PE1
基础配置
[H3C]sysname PE1
# 用VPN实例将客户分离开
[PE1]ip vpn-instance A
[PE1-vpn-instance-A]route-distinguisher 100:1
[PE1-vpn-instance-A]vpn-target 100:1 import-extcommunity
[PE1-vpn-instance-A]vpn-target 100:2 export-extcommunity
[PE1-vpn-instance-A]address-family ipv4
[PE1-vpn-ipv4-A]quit
[PE1-vpn-instance-A]quit
[PE1]int g0/1
[PE1-GigabitEthernet0/1]ip binding vpn-instance A
[PE1-GigabitEthernet0/1]ip address 10.1.1.2 30
[PE1-GigabitEthernet0/1]ospf 1 area 0
[PE1-GigabitEthernet0/1]quit
# 内部用ISIS全互通
[PE1]isis 1
[PE1-isis-1]network-entity 49.0001.0000.0000.0001.00
[PE1-isis-1]cost-style wide
[PE1-isis-1]quit
[PE1]interface LoopBack 0
[PE1-LoopBack0]ip address 10.255.1.1 32
[PE1-LoopBack0]qu
[PE1]int g0/0
[PE1-GigabitEthernet0/0]ip address 10.1.2.1 30
[PE1-GigabitEthernet0/0]qu
[PE1]int range lo0 g0/0
[PE1-if-range]isis enable 1
[PE1-if-range]qu
MPLS LDP
[PE1]mpls lsr-id 10.255.1.1 # 这个lsr-id用的地址必须是存在且是/32位掩码的
[PE1]mpls ldp
[PE1-ldp]qu
[PE1]int g0/0
[PE1-GigabitEthernet0/0]mpls enable
[PE1-GigabitEthernet0/0]mpls ldp enable
[PE1-GigabitEthernet0/0]qu
MP-BGP
# 与ASBR1建立MP-iBGP VPNv4邻居
[PE1]bgp 100
[PE1-bgp-default]peer 10.255.3.3 as-number 100
[PE1-bgp-default]peer 10.255.3.3 connect-interface lo0
[PE1-bgp-default]address-family vpnv4
[PE1-bgp-default-vpnv4]peer 10.255.3.3 enable
[PE1-bgp-default-vpnv4]quit
[PE1-bgp-default]quit
# BGP和OSPF双向重分布(此处的ospf 1必须是绑定VPN实例A的进程,即后文配置文档中的 ospf 1 vpn-instance A)
[PE1]bgp 100
[PE1-bgp-default]ip vpn-instance A
[PE1-bgp-default-A]address-family ipv4
[PE1-bgp-default-ipv4-A]import-route ospf
[PE1-bgp-default-ipv4-A]quit
[PE1-bgp-default-A]quit
[PE1-bgp-default]quit
[PE1]ospf 1
[PE1-ospf-1]import-route bgp
[PE1-ospf-1]qu
P1
基础配置
[H3C]sysname P1
[P1]int g0/0
[P1-GigabitEthernet0/0]ip address 10.1.2.2 30
[P1-GigabitEthernet0/0]quit
[P1]int g0/1
[P1-GigabitEthernet0/1]ip address 10.1.3.1 30
[P1-GigabitEthernet0/1]qu
[P1]int lo0
[P1-LoopBack0]ip address 10.255.2.2 32
[P1-LoopBack0]quit
[P1]isis 1
[P1-isis-1]network-entity 49.0001.0000.0000.0002.00
[P1-isis-1]cost-style wide
[P1-isis-1]qu
[P1]int range g0/0 g0/1 lo0
[P1-if-range]isis enable 1
[P1-if-range]quit
MPLS LDP
[P1]mpls lsr-id 10.255.2.2
[P1]mpls ldp
[P1-ldp]quit
[P1]int range g0/0 g0/1
[P1-if-range]mpls enable
[P1-if-range]mpls ldp enable
[P1-if-range]qu
ASBR1
基础配置
[H3C]sysname ASBR1
[ASBR1]int LoopBack 0
[ASBR1-LoopBack0]ip address 10.255.3.3 32
[ASBR1-LoopBack0]quit
[ASBR1]int g0/0
[ASBR1-GigabitEthernet0/0]ip address 10.1.3.2 30
[ASBR1-GigabitEthernet0/0]qu
[ASBR1]int g0/1
[ASBR1-GigabitEthernet0/1]ip address 10.0.0.1 30
[ASBR1-GigabitEthernet0/1]quit
[ASBR1]isis 1
[ASBR1-isis-1]network-entity 49.0001.0000.0000.0003.00
[ASBR1-isis-1]cost-style wide
[ASBR1-isis-1]qu
[ASBR1]int range lo0 g0/0
[ASBR1-if-range]isis en
[ASBR1-if-range]isis enable 1
MPLS LDP 与 MP-BGP(Option B)
# 与P1建立MPLS LDP邻居,防止IGP内部出现路由黑洞
[ASBR1]mpls lsr-id 10.255.3.3
[ASBR1]mpls ldp
[ASBR1-ldp]quit
[ASBR1]int g0/0
[ASBR1-GigabitEthernet0/0]mpls enable
[ASBR1-GigabitEthernet0/0]mpls ldp enable
[ASBR1-GigabitEthernet0/0]qu
# 与PE1(10.255.1.1)建立MP-iBGP VPNv4邻居
[ASBR1]bgp 100
[ASBR1-bgp-default]peer 10.255.1.1 as-number 100
[ASBR1-bgp-default]peer 10.255.1.1 connect-interface LoopBack 0
[ASBR1-bgp-default]address-family vpnv4
[ASBR1-bgp-default-vpnv4]peer 10.255.1.1 enable
[ASBR1-bgp-default-vpnv4]quit
[ASBR1-bgp-default]quit
# The core of Option B:
# build a VPNv4 MP-eBGP session with ASBR2 (10.0.0.2, AS 200)
# so that the two ASes can exchange VPN routes.
# NOTE(review): this session crosses the AS trust boundary and, as shown here, has
# no peer authentication and no import policy. In production, add BGP peer
# authentication and a route-policy on this peer that admits only the agreed RTs.
[ASBR1]bgp 100
[ASBR1-bgp-default]peer 10.0.0.2 as-number 200
[ASBR1-bgp-default]address-family vpnv4
[ASBR1-bgp-default-vpnv4]peer 10.0.0.2 enable
[ASBR1-bgp-default-vpnv4]undo policy vpn-target # Disable RT-based route selection and filtering; ASBR1 has no VPN instance, so with filtering off it keeps every VPNv4 route it receives
[ASBR1-bgp-default-vpnv4]quit
[ASBR1-bgp-default]quit
# Only MPLS needs to be enabled on the link to ASBR2; no "mpls ldp enable" is
# configured on this interface.
[ASBR1]int g0/1
[ASBR1-GigabitEthernet0/1]mpls enable
[ASBR1-GigabitEthernet0/1]quit
ASBR2
基础配置
[H3C]sysname ASBR2
[ASBR2]int g0/0
[ASBR2-GigabitEthernet0/0]ip address 10.0.0.2 30
[ASBR2-GigabitEthernet0/0]quit
[ASBR2]int LoopBack 0
[ASBR2-LoopBack0]ip address 10.255.4.4 32
[ASBR2-LoopBack0]quit
[ASBR2]int g0/1
[ASBR2-GigabitEthernet0/1]ip address 10.2.3.1 30
[ASBR2-GigabitEthernet0/1]quit
[ASBR2]isis 1
[ASBR2-isis-1]network-entity 49.0002.0000.0000.0001.00
[ASBR2-isis-1]cost-style wide
[ASBR2-isis-1]quit
[ASBR2]int range lo0 g0/1
[ASBR2-if-range]isis enable 1
[ASBR2-if-range]quit
MPLS LDP 与 MP-BGP(Option B)
# 与P2建立MPLS LDP邻居,防止IGP内部出现路由黑洞
[ASBR2]mpls lsr-id 10.255.4.4
[ASBR2]mpls ldp
[ASBR2-ldp]quit
[ASBR2]int g0/1
[ASBR2-GigabitEthernet0/1]mpls enable
[ASBR2-GigabitEthernet0/1]mpls ldp enable
[ASBR2-GigabitEthernet0/1]qu
# 与PE2(10.255.6.6)建立MP-iBGP VPNv4邻居
[ASBR2]bgp 200
[ASBR2-bgp-default]peer 10.255.6.6 as-number 200
[ASBR2-bgp-default]peer 10.255.6.6 connect-interface lo0
[ASBR2-bgp-default]address-family vpnv4
[ASBR2-bgp-default-vpnv4]peer 10.255.6.6 enable
[ASBR2-bgp-default-vpnv4]quit
[ASBR2-bgp-default]quit
# The core of Option B:
# build a VPNv4 MP-eBGP session with ASBR1 (10.0.0.1, AS 100)
# so that the two ASes can exchange VPN routes.
# NOTE(review): this session crosses the AS trust boundary and, as shown here, has
# no peer authentication and no import policy. In production, add BGP peer
# authentication and a route-policy on this peer that admits only the agreed RTs.
[ASBR2]bgp 200
[ASBR2-bgp-default]peer 10.0.0.1 as-number 100
[ASBR2-bgp-default]address-family vpnv4
[ASBR2-bgp-default-vpnv4]peer 10.0.0.1 enable
# Disable RT-based route filtering; ASBR2 has no VPN instance, so with filtering
# off it keeps every VPNv4 route it receives.
[ASBR2-bgp-default-vpnv4]undo policy vpn-target
[ASBR2-bgp-default-vpnv4]quit
[ASBR2-bgp-default]quit
# Only MPLS needs to be enabled on the link to ASBR1; no "mpls ldp enable" is
# configured on this interface.
[ASBR2]int g0/0
[ASBR2-GigabitEthernet0/0]mpls enable
[ASBR2-GigabitEthernet0/0]quit
P2
基础配置
[H3C]sysname P2
[P2]int lo
[P2]int LoopBack 0
[P2-LoopBack0]ip address 10.255.5.5 32
[P2-LoopBack0]quit
[P2]int g0/0
[P2-GigabitEthernet0/0]ip address 10.2.3.2 30
[P2-GigabitEthernet0/0]qu
[P2]int g0/1
[P2-GigabitEthernet0/1]ip address 10.2.2.1 30
[P2-GigabitEthernet0/1]quit
[P2]isis 1
[P2-isis-1]network-entity 49.0002.0000.0000.0002.00
[P2-isis-1]cost-style wide
[P2-isis-1]quit
[P2]int range g0/0 g0/1 lo0
[P2-if-range]isis enable 1
[P2-if-range]quit
MPLS LDP
[P2]mpls lsr-id 10.255.5.5
[P2]mpls ldp
[P2-ldp]quit
[P2]int range g0/0 g0/1
[P2-if-range]mpls enable
[P2-if-range]mpls ldp enable
[P2-if-range]qu
PE2
基础配置
[H3C]sysname PE2
# 用VPN实例将客户分离开
[PE2]ip vpn-instance A
[PE2-vpn-instance-A]route-distinguisher 200:1
[PE2-vpn-instance-A]vpn-target 100:2 import-extcommunity
[PE2-vpn-instance-A]vpn-target 100:1 export-extcommunity
[PE2-vpn-instance-A]address-family ipv4
[PE2-vpn-ipv4-A]qu
[PE2-vpn-instance-A]qu
# 与CE2建立OSPF邻居
[PE2]int g0/1
[PE2-GigabitEthernet0/1]ip binding vpn-instance A
[PE2-GigabitEthernet0/1]ip address 10.2.1.1 30
[PE2-GigabitEthernet0/1]ospf 1 area 0
[PE2-GigabitEthernet0/1]quit
# 内部用ISIS全互通
[PE2]isis 1
[PE2-isis-1]network-entity 49.0002.0000.0000.0003.00
[PE2-isis-1]cost-style wide
[PE2-isis-1]qu
[PE2]int g0/0
[PE2-GigabitEthernet0/0]ip address 10.2.2.2 30
[PE2-GigabitEthernet0/0]qu
[PE2]int lo0
[PE2-LoopBack0]ip address 10.255.6.6 32
[PE2-LoopBack0]quit
# 宣告进ISIS
[PE2]int range g0/0 lo0
[PE2-if-range]isis enable 1
[PE2-if-range]quit
MPLS LDP
[PE2]mpls lsr-id 10.255.6.6
[PE2]mpls ldp
[PE2-ldp]quit
[PE2]int g0/0
[PE2-GigabitEthernet0/0]mpls enable
[PE2-GigabitEthernet0/0]mpls ldp enable
[PE2-GigabitEthernet0/0]qu
MP-BGP
[PE2]bgp 200
[PE2-bgp-default]peer 10.255.4.4 as-number 200
[PE2-bgp-default]peer 10.255.4.4 connect-interface lo0
[PE2-bgp-default]address-family vpnv4
[PE2-bgp-default-vpnv4]peer 10.255.4.4 enable
[PE2-bgp-default-vpnv4]qu
[PE2-bgp-default]qu
# 双向重分布,让CE1学习到CE2的路由(此处的ospf 1必须是绑定VPN实例A的进程,即后文配置文档中的 ospf 1 vpn-instance A)
[PE2]bgp 200
[PE2-bgp-default]ip vpn-instance A
[PE2-bgp-default-A]address-family ipv4
[PE2-bgp-default-ipv4-A]import-route ospf
[PE2-bgp-default-ipv4-A]qu
[PE2-bgp-default-A]qu
[PE2-bgp-default]qu
[PE2]ospf 1
[PE2-ospf-1]import-route bgp
[PE2-ospf-1]qu
剖析路径转发(标签值是随机分配)
CE1(纯IP路由)
CE1要去找CE2,从IP路由表中找到172.16.2.1的路由,发现从G0/0出去
[CE1]display ip routing-table
PE1(双标签)
当PE1收到IP路由,首先就在快速转发表中查找目标网段出接口,发现内层标签为24253,索引值为3
[PE1]display fib vpn-instance A
第二次查表:查索引值
[PE1]dis mpls forwarding nhlfe
这个时候就在这边发现出接口了,并且外层标签为24126
P1(双标签)
[P1]display mpls forwarding ilm
在这边发现,P1收到PE1发来的数据包中,外标签为24126,对应转发表的动作是SWAP,就是将外标签替换成标签3,而标签3属于隐式空标签(倒数第二跳弹出,发送数据的时候看不到这个标签),此时表项中的标签值为3(外标签)/24253(内标签),所以后面ASBR1收到的数据包中,就只剩下单标签24253
ASBR1(单标签)
ASBR1收到P1的数据包中,标签为24253,查看MPLS的标签接收表,发现24253匹配的动作是“SWAP”,将标签24253换成24252标签。
第二次查表:查编号
[ASBR1]display mpls forwarding nhlfe
发现编号7没有外标签,那么就以单标签24252从G0/1出接口发送给ASBR2
ASBR2(双标签)
收到ASBR1的数据包,发现数据包的标签为24252,那么查看mpls转发接收表,发现标签24252对应SWAP动作,转成24254标签,转发编号为5
[ASBR2]display fib vpn-instance A
第二次查表:查转发编号5
可以发现,转发编号5,对应的外标签为24127,从G0/1口转发数据出去
P2(双标签)
收到ASBR2的数据包,发现外标签为24127,查看MPLS的接收表,可以发现标签24127的动作是SWAP,换成特殊标签3,这个时候,发送给PE2就只有一个标签值,为24254
PE2(纯IP路由)
[PE2]display mpls forwarding ilm
[PE2]display ip vpn-instance
[PE2]display fib vpn-instance A
至此,CE1到CE2方向的一次通信就成功完成了
那么CE2回复CE1的路径与上面同理,大家可以试试哦~
测试
配置文档
PE1
#
sysname PE1
#
ip vpn-instance A
route-distinguisher 100:1
vpn-target 100:1 import-extcommunity
vpn-target 100:2 export-extcommunity
#
address-family ipv4
#
isis 1
cost-style wide
network-entity 49.0001.0000.0000.0001.00
#
ospf 1 vpn-instance A
import-route bgp
area 0.0.0.0
#
mpls lsr-id 10.255.1.1
#
mpls ldp
#
interface LoopBack0
ip address 10.255.1.1 255.255.255.255
isis enable 1
#
interface GigabitEthernet0/0
ip address 10.1.2.1 255.255.255.252
isis enable 1
mpls enable
mpls ldp enable
#
interface GigabitEthernet0/1
ip binding vpn-instance A
ip address 10.1.1.2 255.255.255.252
ospf 1 area 0.0.0.0
#
bgp 100
peer 10.255.3.3 as-number 100
peer 10.255.3.3 connect-interface LoopBack0
#
address-family vpnv4
peer 10.255.3.3 enable
#
ip vpn-instance A
#
address-family ipv4 unicast
import-route ospf 1
#
P1
#
sysname P1
#
isis 1
cost-style wide
network-entity 49.0001.0000.0000.0002.00
#
mpls lsr-id 10.255.2.2
#
mpls ldp
#
interface LoopBack0
ip address 10.255.2.2 255.255.255.255
isis enable 1
#
interface GigabitEthernet0/0
ip address 10.1.2.2 255.255.255.252
isis enable 1
mpls enable
mpls ldp enable
#
interface GigabitEthernet0/1
ip address 10.1.3.1 255.255.255.252
isis enable 1
mpls enable
mpls ldp enable
#
ASBR1
#
sysname ASBR1
#
isis 1
cost-style wide
network-entity 49.0001.0000.0000.0003.00
#
mpls lsr-id 10.255.3.3
#
mpls ldp
#
interface LoopBack0
ip address 10.255.3.3 255.255.255.255
isis enable 1
#
interface GigabitEthernet0/0
ip address 10.1.3.2 255.255.255.252
isis enable 1
mpls enable
mpls ldp enable
#
interface GigabitEthernet0/1
ip address 10.0.0.1 255.255.255.252
mpls enable
#
bgp 100
peer 10.0.0.2 as-number 200
peer 10.255.1.1 as-number 100
peer 10.255.1.1 connect-interface LoopBack0
#
address-family vpnv4
undo policy vpn-target
peer 10.0.0.2 enable
peer 10.255.1.1 enable
#
ASBR2
sysname ASBR2
#
isis 1
cost-style wide
network-entity 49.0002.0000.0000.0001.00
#
mpls lsr-id 10.255.4.4
#
mpls ldp
#
interface LoopBack0
ip address 10.255.4.4 255.255.255.255
isis enable 1
#
interface GigabitEthernet0/0
ip address 10.0.0.2 255.255.255.252
mpls enable
#
interface GigabitEthernet0/1
ip address 10.2.3.1 255.255.255.252
isis enable 1
mpls enable
mpls ldp enable
#
bgp 200
peer 10.0.0.1 as-number 100
peer 10.255.6.6 as-number 200
peer 10.255.6.6 connect-interface LoopBack0
#
address-family vpnv4
undo policy vpn-target
peer 10.0.0.1 enable
peer 10.255.6.6 enable
#
P2
sysname P2
#
isis 1
cost-style wide
network-entity 49.0002.0000.0000.0002.00
#
mpls lsr-id 10.255.5.5
#
mpls ldp
#
interface LoopBack0
ip address 10.255.5.5 255.255.255.255
isis enable 1
#
interface GigabitEthernet0/0
ip address 10.2.3.2 255.255.255.252
isis enable 1
mpls enable
mpls ldp enable
#
interface GigabitEthernet0/1
ip address 10.2.2.1 255.255.255.252
isis enable 1
mpls enable
mpls ldp enable
PE2
#
sysname PE2
#
ip vpn-instance A
route-distinguisher 200:1
vpn-target 100:2 import-extcommunity
vpn-target 100:1 export-extcommunity
#
address-family ipv4
#
isis 1
cost-style wide
network-entity 49.0002.0000.0000.0003.00
#
ospf 1 vpn-instance A
import-route bgp
area 0.0.0.0
#
mpls lsr-id 10.255.6.6
#
mpls ldp
#
interface LoopBack0
ip address 10.255.6.6 255.255.255.255
isis enable 1
#
interface GigabitEthernet0/0
ip address 10.2.2.2 255.255.255.252
isis enable 1
mpls enable
mpls ldp enable
#
interface GigabitEthernet0/1
ip binding vpn-instance A
ip address 10.2.1.1 255.255.255.252
ospf 1 area 0.0.0.0
#
bgp 200
peer 10.255.4.4 as-number 200
peer 10.255.4.4 connect-interface LoopBack0
#
address-family vpnv4
peer 10.255.4.4 enable
#
ip vpn-instance A
#
address-family ipv4 unicast
import-route ospf 1
CE1
#
sysname CE1
#
ospf 1
area 0.0.0.0
#
interface LoopBack1
ip address 172.16.1.1 255.255.255.255
ospf 1 area 0.0.0.0
#
interface LoopBack2
ip address 172.16.1.2 255.255.255.255
ospf 1 area 0.0.0.0
#
interface LoopBack3
ip address 172.16.1.3 255.255.255.255
ospf 1 area 0.0.0.0
#
interface GigabitEthernet0/0
port link-mode route
combo enable copper
ip address 10.1.1.1 255.255.255.252
ospf 1 area 0.0.0.0
CE2
#
sysname CE2
#
ospf 1
area 0.0.0.0
#
interface LoopBack1
ip address 172.16.2.1 255.255.255.255
ospf 1 area 0.0.0.0
#
interface LoopBack2
ip address 172.16.2.2 255.255.255.255
ospf 1 area 0.0.0.0
#
interface LoopBack3
ip address 172.16.2.3 255.255.255.255
ospf 1 area 0.0.0.0
#
interface GigabitEthernet0/0
ip address 10.2.1.2 255.255.255.252
ospf 1 area 0.0.0.0