MPLS VPN高级特性——子接口VRF访问互联网和MCE

MCE概念

MCE是一种通过单台设备实现多VPN业务隔离的解决方案。传统VPN架构中，每个VPN需独立部署CE设备，导致成本高且管理复杂。而MCE通过在CE设备上为不同业务配置独立的VPN实例，每个实例维护独立的路由转发表，实现数据隔离与安全。

作者理解：MCE设备可以不设置RT，RD值，MPLS VPN区域设备需要设置，注意区分MCE设备。既是MPLS VPN设备，也是MCE设备的S1需要设置RT、RD值。

实验环境

要求： 

1、学生网VRF名称为XS，RD值为1:1、RT值自定义；教师网VRF名称为JY，RD值为1:2、RT值自定义；校长专线VRF名称为XZ，RD值为1:3、RT值自定义。
2、通过MPLS VPN技术实现，学生网与教师网隔离，校长专线可以与学生网和教师网互通，只有校长专线通过G0/1.18子接口通过NAPT方式访问互联网Loopback 10。
3、R2、S1间运行OSPF 20区域0；S1、S2间运行OSPF 区域0，基于学生网、教师网、校长专线定义进程号为6、7、8
4、学生网专线VLAN 6 终端VALN 10 ; 教师网专线VLAN 7 终端VLAN 20 ；校长专线VLAN 8 终端VLAN 30;

5、二层口VLAN修剪

R1配置

interface GigabitEthernet 0/1
 no switchport
 ip address 10.0.1.1 255.255.255.252
!
interface GigabitEthernet 0/1.18
 encapsulation dot1Q 18
 ip address 18.1.1.1 255.255.255.248 
！
interface Loopback 10
 ip address 10.10.10.10 255.255.255.252

R2配置

ip vrf JY
 rd 1:2
 route-target export 1:2
 route-target import 1:3
!
ip vrf XS
 rd 1:1
 route-target export 1:1
 route-target import 1:3
!
ip vrf XZ
 rd 1:3
 route-target export 1:3
 route-target import 1:2
 route-target import 1:1
!
interface GigabitEthernet 0/0
 no switchport
 ip address 10.0.0.1 255.255.255.252
 ip ospf network point-to-point
 mpls ip
 label-switching
 ip nat inside
!         
interface GigabitEthernet 0/1
 no switchport
 ip address 10.0.1.2 255.255.255.252
!
interface GigabitEthernet 0/1.18
 encapsulation dot1Q 18
 ip vrf forwarding XZ
 ip address 18.1.1.2 255.255.255.248
 ip nat outside
!
interface Loopback 0
 ip address 10.2.2.2 255.255.255.255
!
router bgp 130
 no bgp default ipv4-unicast
 neighbor 10.2.1.1 remote-as 130
 neighbor 10.2.1.1 update-source Loopback 0
 address-family vpnv4 unicast
  neighbor 10.2.1.1 activate
  neighbor 10.2.1.1 send-community extended
  !
 address-family ipv4 vrf XZ
  network 0.0.0.0        ---宣告默认路由
!
router ospf 20
 network 10.0.0.1 0.0.0.0 area 0
 network 10.2.2.2 0.0.0.0 area 0
!
mpls router ldp
 ldp router-id interface Loopback 0 force
!
ip nat inside source list 100 interface GigabitEthernet 0/1.18 overload vrf XZ
!
ip route vrf XZ 0.0.0.0 0.0.0.0 18.1.1.1     ---子接口校长专线默认路由
!

S1配置

ip vrf JY
 rd 1:2
 route-target export 1:2
 route-target import 1:3
!
ip vrf XS
 rd 1:1
 route-target export 1:1
 route-target import 1:3
!
ip vrf XZ
 rd 1:3
 route-target export 1:3
 route-target import 1:2
 route-target import 1:1
!
vlan range 6-8
!
interface GigabitEthernet 0/0
 switchport mode trunk
 switchport trunk allowed vlan only 6-8
!
interface GigabitEthernet 0/1
 no switchport
 ip address 10.0.0.2 255.255.255.252
 ip ospf network point-to-point
 mpls ip  
 label-switching
！
interface VLAN 6
 ip vrf forwarding XS
 ip address 10.1.1.1 255.255.255.252
 ip ospf network point-to-point
!         
interface VLAN 7
 ip vrf forwarding JY
 ip address 10.1.2.1 255.255.255.252
 ip ospf network point-to-point
!
interface VLAN 8
 ip vrf forwarding XZ
 ip address 10.1.3.1 255.255.255.252
 ip ospf network point-to-point
!
router bgp 130
 no bgp default ipv4-unicast
 neighbor 10.2.2.2 remote-as 130
 neighbor 10.2.2.2 update-source Loopback 0
 address-family vpnv4 unicast
  neighbor 10.2.2.2 activate
  neighbor 10.2.2.2 send-community extended
  !
 address-family ipv4 vrf XS       ---BGP下的VRF用于接收发送路由
  redistribute ospf 6 match internal（域内） external（域外）      ---将OSPF6的域内和域外的路由重发布MPLS域内，只有导入值与XS导出值一致才会接收路由
  !
 address-family ipv4 vrf JY
  redistribute ospf 7 match internal external
  !
 address-family ipv4 vrf XZ
  redistribute ospf 8 match internal external
!
router ospf 6 vrf XS
 redistribute bgp metric-type 1 subnets    ---将接收到的BGP路由重发布进OSPF，传递给下联设备
 network 10.1.1.1 0.0.0.0 area 0
!
router ospf 7 vrf JY
 redistribute bgp metric-type 1 subnets
 network 10.1.2.1 0.0.0.0 area 0
!         
router ospf 8 vrf XZ
 redistribute bgp metric-type 1 subnets
 network 10.1.3.1 0.0.0.0 area 0
 default-information originate always metric-type 1    ---强制下发默认路由可使校长专线终端到达本设备，再走BGP路由表到达出口路由器
!
router ospf 20
 router-id 10.2.1.1
 network 10.0.0.2 0.0.0.0 area 0
 network 10.2.1.1 0.0.0.0 area 0
!
mpls router ldp
 ldp router-id interface Loopback 0 force
!

S2配置

ip vrf JY     ---MCE设备不需要设备RD、RT值即可接收路由
!
ip vrf XS
!
ip vrf XZ
！
vlan range 1,6-8,10,20,30
!
interface GigabitEthernet 0/0
 switchport mode trunk
 switchport trunk allowed vlan only 6-8
!
interface GigabitEthernet 0/1
 switchport mode trunk
 switchport trunk allowed vlan only 1,10,20,30
!
interface VLAN 1
 ip address 172.19.1.254 255.255.255.0
!
interface VLAN 6
 ip vrf forwarding XS
 ip address 10.1.1.2 255.255.255.252
 ip ospf network point-to-point
!
interface VLAN 7
 ip vrf forwarding JY
 ip address 10.1.2.2 255.255.255.252
 ip ospf network point-to-point
!
interface VLAN 8
 ip vrf forwarding XZ
 ip address 10.1.3.2 255.255.255.252
 ip ospf network point-to-point
!
interface VLAN 10
 ip vrf forwarding XS
 ip address 172.16.10.254 255.255.255.0
!
interface VLAN 20
 ip vrf forwarding JY
 ip address 172.16.20.254 255.255.255.0
!
interface VLAN 30
 ip vrf forwarding XZ
 ip address 172.16.30.254 255.255.255.0
!
router ospf 6 vrf XS
 router-id 10.1.1.2
 graceful-restart
 network 10.1.1.2 0.0.0.0 area 0
 network 172.16.10.0 0.0.0.255 area 0
!
router ospf 7 vrf JY
 router-id 10.1.2.2
 graceful-restart
 network 10.1.2.2 0.0.0.0 area 0
 network 172.16.20.0 0.0.0.255 area 0
!
router ospf 8 vrf XZ
 router-id 10.1.3.2
 graceful-restart
 network 10.1.3.2 0.0.0.0 area 0
 network 172.16.30.0 0.0.0.255 area 0
!

S3配置

vlan range 1,10,20,30
!
interface GigabitEthernet 0/0
 switchport mode trunk
 switchport trunk allowed vlan only 1,10,20,30
！
interface VLAN 1
 ip address 172.19.1.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 172.19.1.254

验证校长专线访问互联网 

S2追踪

R2查看转换表

作者声明：实验仅供娱乐，作者对实验理解不够地方还望海涵，一些责任行为与本人无关！！！