Huawei MPLS VPN Application Scenarios: The Hub-Spoke Model

Inter-domain VPN (Hub-Spoke)

I. Lab Topology

[Image: lab topology diagram]

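II. Lab Requirements

Routes between the branch 1 CE and the branch 2 CE must be passed through headquarters.

  1. So that all PE devices can reach the RR, deploy IS-IS. The area ID is 49.0001 and the system ID is derived from the Loopback0 address.
  2. So that the devices hold public-network labels toward each other, enable MPLS and LDP on the PEs and the RR. The LSR ID is the Loopback0 address.
  3. Create VPN instances on all PE devices.
  4. On the spoke sites, the PE and CE peer using OSPF.
  5. All PE devices establish VPNv4 peerings with the RR in AS 100. The RR must disable RT checking (it has no VPN instances of its own, so with RT filtering enabled it would discard the VPNv4 routes instead of reflecting them).
  6. Create the VPN instance under the BGP process on each PE and redistribute between OSPF and BGP in both directions. In the OSPF process of the Hub-Out instance, ignore the DN-bit and tag checks.
  7. Test whether the spoke sites can reach each other, and use the tracert command to check the path the traffic takes.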

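III. How the Hub-Spoke Model Works

The model is implemented by adjusting the RT values on the PEs:

  1. The export RT of SPOKE1-PE matches the import RT of HUB-PE.
  2. The export RT of HUB-PE matches the import RT of SPOKE2-PE.
  3. The same holds in the reverse direction.

In this lab the spokes export 20:1 and import 10:1, the hub-in instance imports 20:1, and the hub-out instance exports 10:1, so a spoke never imports another spoke's routes directly.

Notes:
1. If the hub-site PE and CE peer over EBGP, routes passing through HUB-PE carry AS 100 in their AS_PATH. When HUB-CE sends them back to HUB-PE, HUB-PE discards them, so the AS_PATH check must be ignored in the BGP hub-out instance on HUB-PE.
2. If the hub-site PE and CE peer over OSPF, pay attention to the OSPF loop-prevention checks: the DN-bit check and the tag check.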
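The RT matching described in this section can be checked mechanically. The following is an added example, not part of the original post: it parses the `ip vpn-instance` stanzas used by the PEs in this lab (route-distinguisher lines omitted) and reports any spoke instance that would import another spoke's routes directly, bypassing the hub. The function names and `WEAK_CONFIG` are constructed for illustration.

```python
# Constructed input: vpn-instance stanzas from this page's PE configs (RD lines omitted).
PAGE_CONFIG = """\
ip vpn-instance spoke1
 ipv4-family
  vpn-target 20:1 export-extcommunity
  vpn-target 10:1 import-extcommunity
#
ip vpn-instance spoke2
 ipv4-family
  vpn-target 20:1 export-extcommunity
  vpn-target 10:1 import-extcommunity
#
ip vpn-instance hub-in
 ipv4-family
  vpn-target 20:1 import-extcommunity
#
ip vpn-instance hub-out
 ipv4-family
  vpn-target 10:1 export-extcommunity
#
"""
# Constructed misconfiguration: spoke1 also imports 20:1, the RT the spokes export.
WEAK_CONFIG = PAGE_CONFIG.replace("10:1 import-ext", "10:1 20:1 import-ext", 1)

def parse_vpn_targets(config):
    """Return {instance: {"import": set, "export": set}} from VRP config text."""
    instances, current = {}, None
    for line in config.splitlines():
        if line.startswith("ip vpn-instance "):
            current = instances.setdefault(line.split()[2], {"import": set(), "export": set()})
        elif line.startswith("#"):
            current = None  # a '#' in column 0 closes the stanza
        elif current is not None and line.strip().startswith("vpn-target "):
            toks = line.split()[1:]
            # No direction keyword: treat the RTs as applying in both directions.
            direction = "both" if toks[-1][0].isdigit() else toks.pop()
            for d in ("import", "export"):
                if direction in (d + "-extcommunity", "both"):
                    current[d].update(toks)
    return instances

def direct_spoke_leaks(instances, hubs):
    """(exporter, importer, rt) where one spoke imports another spoke's routes."""
    spokes = [n for n in instances if n not in hubs]
    return [(a, b, rt) for a in spokes for b in spokes if a != b
            for rt in sorted(instances[a]["export"] & instances[b]["import"])]

if __name__ == "__main__":
    for name, cfg in (("page", PAGE_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, direct_spoke_leaks(parse_vpn_targets(cfg), {"hub-in", "hub-out"}))
```

An empty list for the page's configuration means every spoke-to-spoke route has to be re-exported by the hub; the constructed weak variant shows the single extra import RT that lets spoke1 learn spoke2's routes without passing through headquarters.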

IV. Lab Configuration

SPOKE1 CE1 configuration

#
interface LoopBack0
 ip address 10.2.1.1 255.255.255.255 
#
#
ospf 1 
 area 0.0.0.0 
  network 10.2.1.1 0.0.0.0 
  network 10.2.0.2 0.0.0.0 
#

Spoke1-PE configuration

#
ip vpn-instance spoke1
 ipv4-family
  route-distinguisher 1:1
  vpn-target 20:1 export-extcommunity
  vpn-target 10:1 import-extcommunity
#
mpls lsr-id 10.1.1.1
mpls
#
mpls ldp
#
isis 1
 is-level level-2
 cost-style wide
 network-entity 49.0001.0100.0100.1001.00
#
interface GigabitEthernet0/0/0
 ip address 10.1.0.1 255.255.255.252 
 isis enable 1
 mpls
 mpls ldp
#
interface GigabitEthernet0/0/1
 ip binding vpn-instance spoke1
 ip address 10.2.0.1 255.255.255.252 
#
interface LoopBack0
 ip address 10.1.1.1 255.255.255.255 
 isis enable 1
#
bgp 100
 peer 10.1.1.2 as-number 100 
 peer 10.1.1.2 connect-interface LoopBack0
 #
 ipv4-family unicast
  undo synchronization
  undo peer 10.1.1.2 enable
 # 
 ipv4-family vpnv4
  policy vpn-target
  peer 10.1.1.2 enable
 #
 ipv4-family vpn-instance spoke1 
  import-route ospf 1
#
ospf 1 vpn-instance spoke1
 import-route bgp
 area 0.0.0.0 
  network 10.2.0.1 0.0.0.0 
#

RR configuration

#
mpls lsr-id 10.1.1.2
mpls
#
mpls ldp
#
isis 1
 is-level level-2
 cost-style wide
 network-entity 49.0001.0100.0100.1002.00
#
interface GigabitEthernet0/0/0
 ip address 10.1.0.9 255.255.255.252 
 isis enable 1
 mpls
 mpls ldp
#
interface GigabitEthernet0/0/1
 ip address 10.1.0.2 255.255.255.252 
 isis enable 1
 mpls
 mpls ldp
#
interface GigabitEthernet0/0/2
 ip address 10.1.0.5 255.255.255.252 
 isis enable 1
 mpls
 mpls ldp
#
interface LoopBack0
 ip address 10.1.1.2 255.255.255.255 
 isis enable 1
#
bgp 100
 undo default ipv4-unicast
 peer 10.1.1.1 as-number 100 
 peer 10.1.1.1 connect-interface LoopBack0
 peer 10.1.1.3 as-number 100 
 peer 10.1.1.3 connect-interface LoopBack0
 peer 10.1.1.4 as-number 100 
 peer 10.1.1.4 connect-interface LoopBack0
 #
 ipv4-family unicast
  undo synchronization
  undo peer 10.1.1.1 enable
  undo peer 10.1.1.3 enable
  undo peer 10.1.1.4 enable
 #
 ipv4-family vpnv4
  undo policy vpn-target    # disable RT checking
  peer 10.1.1.1 enable
  peer 10.1.1.1 reflect-client
  peer 10.1.1.3 enable
  peer 10.1.1.3 reflect-client
  peer 10.1.1.4 enable
  peer 10.1.1.4 reflect-client
#

Spoke2-PE configuration

#
 sysname Spoke2-PE
#
ip vpn-instance spoke2
 ipv4-family
  route-distinguisher 2:2
  vpn-target 20:1 export-extcommunity
  vpn-target 10:1 import-extcommunity
#
mpls lsr-id 10.1.1.3
mpls
#
mpls ldp
#
isis 1
 is-level level-2
 cost-style wide
 network-entity 49.0001.0100.0100.1003.00
#
interface GigabitEthernet0/0/0
 ip address 10.1.0.6 255.255.255.252 
 isis enable 1
 mpls
 mpls ldp
#
interface GigabitEthernet0/0/1
 ip binding vpn-instance spoke2
 ip address 10.2.0.5 255.255.255.252 
#
interface LoopBack0
 ip address 10.1.1.3 255.255.255.255 
 isis enable 1
#
bgp 100
 peer 10.1.1.2 as-number 100 
 peer 10.1.1.2 connect-interface LoopBack0
 #
 ipv4-family unicast
  undo synchronization
  peer 10.1.1.2 enable
 # 
 ipv4-family vpnv4
  policy vpn-target
  peer 10.1.1.2 enable
 #
 ipv4-family vpn-instance spoke2 
  import-route ospf 1
#
ospf 1 router-id 10.1.1.3 vpn-instance spoke2
 import-route bgp
 area 0.0.0.0 
  network 10.2.0.5 0.0.0.0 
#

Spoke2-CE configuration

#
 sysname Spoke2-CE
#
interface GigabitEthernet0/0/0
 ip address 10.2.0.6 255.255.255.252 
#
interface LoopBack0
 ip address 10.2.1.2 255.255.255.255 
#
ospf 1 router-id 10.2.1.2 
 area 0.0.0.0 
  network 10.2.0.6 0.0.0.0 
  network 10.2.1.2 0.0.0.0 
#

Hub-PE configuration

#
 sysname Hub-PE
#
ip vpn-instance hub-in
 ipv4-family
  route-distinguisher 3:3
  vpn-target 20:1 import-extcommunity
#
ip vpn-instance hub-out
 ipv4-family
  route-distinguisher 4:4
  vpn-target 10:1 export-extcommunity
#
mpls lsr-id 10.1.1.4
mpls
#
mpls ldp
#
isis 1
 is-level level-2
 cost-style wide
 network-entity 49.0001.0100.0100.1004.00
#
interface GigabitEthernet0/0/0
 ip address 10.1.0.10 255.255.255.252 
 isis enable 1
 mpls
 mpls ldp
#
interface GigabitEthernet0/0/1.10
 dot1q termination vid 10
 ip binding vpn-instance hub-in
 ip address 10.2.0.9 255.255.255.252 
#
interface GigabitEthernet0/0/1.20
 dot1q termination vid 20
 ip binding vpn-instance hub-out
 ip address 10.2.0.13 255.255.255.252 
#
interface LoopBack0
 ip address 10.1.1.4 255.255.255.255 
 isis enable 1
#
bgp 100
 peer 10.1.1.2 as-number 100 
 peer 10.1.1.2 connect-interface LoopBack0
 #
 ipv4-family unicast
  undo synchronization
  peer 10.1.1.2 enable
 # 
 ipv4-family vpnv4
  policy vpn-target
  peer 10.1.1.2 enable
 #
 ipv4-family vpn-instance hub-out 
  import-route ospf 2
#
ospf 1 vpn-instance hub-in
 import-route bgp
 area 0.0.0.0 
  network 10.2.0.9 0.0.0.0 
#
ospf 2 vpn-instance hub-out
 dn-bit-check disable summary     # disable the DN-bit check for Type 3 LSAs
 dn-bit-check disable ase         # disable the DN-bit check for Type 5 LSAs
 route-tag disable                # disable the route-tag check
 area 0.0.0.0 
  network 10.2.0.13 0.0.0.0 
#

Hub-CE configuration

#
 sysname Hub-CE
#
interface GigabitEthernet0/0/0
 ip address 10.1.0.10 255.255.255.252 
#
interface GigabitEthernet0/0/0.10
 dot1q termination vid 10
 ip address 10.2.0.10 255.255.255.252 
#
interface GigabitEthernet0/0/0.20
 dot1q termination vid 20
 ip address 10.2.0.14 255.255.255.252 
#
interface LoopBack0
 ip address 10.2.1.3 255.255.255.255 
#
ospf 1 router-id 10.2.1.3 
 area 0.0.0.0 
  network 10.2.0.10 0.0.0.0 
  network 10.2.0.14 0.0.0.0 
#

The tracert test shows that traffic from CE1 to CE2 passes through headquarters.

[Image: tracert output]
