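1. Test topology
In the figure, DC2-PE1 and DC1-P1 reach each other at the IP layer through a third-party IP network, not over a point-to-point leased line from a carrier.
R1 simulates the third-party IP network. It is configured with simple static routes so that the loopback0 addresses of DC1-P1 and DC2-PE1 can reach each other.
DC2-PE1, DC1-P1 and DC1-PE1 all run SRv6. A GRE tunnel is built between DC2-PE1 and DC1-P1, and SRv6 over GRE connects the SRv6 networks of the two devices. The end result is equivalent to a leased-line connection between DC2-PE1 and DC1-P1.
2. Data preparation
2.1 IPv4/IPv6 addresses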
| Category | Device / link | IPv4 | IPv6 |
|---|---|---|---|
| Loopback address | DC1-PE1 | 192.168.1.1/32 | 2001:1::1/128 |
| | DC1-P1 | 192.168.2.1/32 | 2001:2::1/128 |
| | DC2-PE1 | 192.168.3.1/32 | 2001:3::1/128 |
| Device interconnect address | DC1-PE1/DC1-P1 | 192.168.12.1/24, 192.168.12.2/24 | 2001:12::1/64, 2001:12::2/64 |
| | DC1-P1/DC2-PE1 GRE | 192.168.23.2/24, 192.168.23.3/24 | 2001:23::2/64, 2001:23::3/64 |
| Endpoint address | DC1-CE1 | 172.20.1.10/24 | 172:20:1::10 |
| | DC2-CE1 | 172.10.1.10/24 | 172:10:1::10 |
| Third-party IP network | R1 | 10.1.1.0/24, 10.2.1.0/24 | |
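2.2 SRv6 SID addresses

| | DC1-PE1 | DC1-P1 | DC2-PE1 |
|---|---|---|---|
| Locator | 3001:1::/80 | 3001:2::/80 | 3001:3::/80 |
| Locator name | DC1-PE1 | DC1-P1 | DC2-PE1 |
| end | ::10 | ::10 | ::10 |
| end-x | ::AB (see note) | ::AB | ::AB |
| end-dt4 | ::4001 | | ::4001 |
| end-dt6 | ::6001 | | ::6001 |
| end-op | ::7001 | ::7001 | ::7001 |

Note: for example, on DC1-PE1 the end-x for the port that interconnects DC1-PE1 and DC1-P1 is ::12.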
2.3 VPN planning

| | RD | RT |
|---|---|---|
| VPN1 | DC1-PE1: 100:1, DC2-PE1: 100:2 | 100:100 |
3. Device configuration
3.1 Basic interface configuration
DC1-PE1 configuration (the other devices are similar):

    sysname DC1-PE1
    #
    int lo0
     ipv6 enable
     ip add 192.168.1.1 32
     ipv6 add 2001:1::1 128
    #
    int ether3/0/2
     ipv6 enable
     ip add 192.168.12.1 24
     ipv6 add 2001:12::1 64
    #
3.2 GRE configuration
DC1-P1 configuration:

    #
    interface LoopBack0
     binding tunnel gre
    #
    interface Tunnel10
     ipv6 enable
     ipv6 address 2001:23::2/64
     tunnel-protocol gre
     source 192.168.2.1
     destination 192.168.3.1
    #

DC2-PE1 configuration:

    #
    interface LoopBack0
     binding tunnel gre
    #
    interface Tunnel10
     ipv6 enable
     ipv6 address 2001:23::3/64
     tunnel-protocol gre
     source 192.168.3.1
     destination 192.168.2.1
    #

Configure the third-party network.
R1:

    #
    ip route-static 192.168.2.1 255.255.255.255 10.1.1.2
    ip route-static 192.168.3.1 255.255.255.255 10.2.1.2
    #

DC1-P1:

    ip route-static 192.168.3.1 255.255.255.255 10.1.1.1

DC2-PE1:

    ip route-static 192.168.2.1 255.255.255.255 10.2.1.1

Check command:

    dis tunnel-info all
3.3 Basic IS-IS configuration
DC1-PE1 configuration:

    #
    isis 100
     is-level level-2
     cost-style wide
     network-entity 49.0001.0001.0001.0001.00
     is-name DC1-PE1
     #
     ipv6 enable topology ipv6
    #
    int lo0
     isis enable 100
     isis ipv6 enable 100
    #
    int ether3/0/2
     isis enable 100
     isis ipv6 enable 100
     isis circuit-type p2p
    #

DC1-P1 configuration:

    #
    isis 100
     is-level level-2
     cost-style wide
     network-entity 49.0001.0002.0002.0002.00
     is-name DC1-P1
     #
     ipv6 enable topology ipv6
    #
    int lo0
     isis enable 100
     isis ipv6 enable 100
    #
    int ether3/0/2
     isis enable 100
     isis ipv6 enable 100
     isis circuit-type p2p
    #
    int tunnel10
     isis ipv6 enable 100
    #

DC2-PE1 configuration:

    #
    isis 100
     is-level level-2
     cost-style wide
     network-entity 49.0001.0003.0003.0003.00
     is-name DC2-PE1
     #
     ipv6 enable topology ipv6
    #
    int lo0
     isis enable 100
     isis ipv6 enable 100
    #
    int tunnel10
     isis ipv6 enable 100
    #
3.4 Basic VPN configuration
DC1-PE1 configuration (DC2-PE1 is similar):

    #
    ip vpn-instance vpn1
     ipv4-family
      route-distinguisher 100:1
      vpn-target 100:100 both evpn
     ipv6-family
      route-distinguisher 100:1
      vpn-target 100:100 both evpn
    #
    int ether 3/0/0
     ip binding vpn-instance vpn1
     ip add 172.20.1.1 24
     ipv6 enable
     ipv6 add 172:20:1::1 64
    #
3.5 Basic BGP configuration
DC1-PE1 configuration (DC2-PE1 is similar):

    #
    bgp 100
     router-id 192.168.1.1
     undo default ipv4-unicast
     # Establish IBGP directly with DC2-PE1
     peer 2001:3::1 as-number 100
     peer 2001:3::1 connect-interface Lo0
     #
     l2vpn-family evpn
      policy vpn-target
      peer 2001:3::1 enable
     #
     ipv4-family vpn-instance vpn1
      # Import the direct routes of the VPN interfaces as BGP VPNv4 routes
      import-route direct
      # Convert the VPNv4 routes to EVPN type 5 routes and advertise them to the EVPN peer
      advertise l2vpn evpn
     #
     ipv6-family vpn-instance vpn1
      import-route direct
      advertise l2vpn evpn
3.6 Basic SRv6 configuration
3.6.1 Configure SRv6 SIDs
DC1-PE1 configuration:

    #
    segment-routing ipv6
     encapsulation source-address 2001:1::1
     locator DC1-PE1 ipv6-prefix 3001:1:: 80 static 15 args 16
      opcode ::10 end psp
      opcode ::12 end-x interface ether 3/0/2 nexthop 2001:12::2 psp
      opcode ::4001 end-dt4 vpn-instance vpn1 evpn
      opcode ::6001 end-dt6 vpn-instance vpn1 evpn
      opcode ::7001 end-op
     # Associate SRv6 TE Policy with a locator under Segment Routing IPv6; the Binding SID of an SRv6 TE Policy is specified within the range of that locator
     srv6-te-policy locator DC1-PE1
     # Enable fault awareness for all SRv6 TE Policies
     srv6-te-policy path verification enable
    #

DC1-P1 configuration:

    #
    segment-routing ipv6
     encapsulation source-address 2001:2::1
     locator DC1-P1 ipv6-prefix 3001:2:: 80 static 15 args 16
      opcode ::10 end psp
      opcode ::21 end-x interface ether 3/0/2 nexthop 2001:12::1 psp
      # In the lab, psp on the next line was changed to no-flavor so that the SRH could be observed
      opcode ::23 end-x interface tunnel 10 nexthop 2001:23::3 psp
      opcode ::7001 end-op
     srv6-te-policy locator DC1-P1
    #

DC2-PE1 configuration:

    #
    segment-routing ipv6
     encapsulation source-address 2001:3::1
     locator DC2-PE1 ipv6-prefix 3001:3:: 80 static 15 args 16
      opcode ::10 end psp
      opcode ::32 end-x interface tunnel 10 nexthop 2001:23::2 psp
      opcode ::4001 end-dt4 vpn-instance vpn1 evpn
      opcode ::6001 end-dt6 vpn-instance vpn1 evpn
      opcode ::7001 end-op
     srv6-te-policy locator DC2-PE1
     srv6-te-policy path verification enable
    #

Check commands (entries with ProtocolType: STATIC are the ones allocated here):

    display segment-routing ipv6 locator verbose
    display segment-routing ipv6 local-sid forwarding
    display segment-routing ipv6 local-sid end forwarding
3.6.2 Configure IS-IS to advertise SIDs
DC1-PE1 configuration (the other devices are similar; note that the locator name differs):

    isis 100
     segment-routing ipv6 locator DC1-PE1

3.6.3 Configure SID advertisement and recursion attributes for private routes
DC1-PE1 configuration (DC2-PE1 is similar):

    #
    bgp 100
     #
     ipv4-family vpn-instance vpn1
      segment-routing ipv6 locator DC1-PE1 evpn
      segment-routing ipv6 traffic-engineer best-effort evpn
     #
     ipv6-family vpn-instance vpn1
      segment-routing ipv6 locator DC1-PE1 evpn
      segment-routing ipv6 traffic-engineer best-effort evpn
    #

3.6.4 Configure EVPN to advertise SRv6-encapsulated EVPN routes
DC1-PE1 configuration (DC2-PE1 is similar):

    #
    bgp 100
     l2vpn-family evpn
      peer 2001:3::1 advertise encap-type srv6
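3.7 Verify the configuration
1. Check whether the IS-IS neighbor relationship is established

    dis isis peer

2. Check whether the BGP EVPN peer relationship is established

    dis bgp evpn peer

3. Check the local SRv6 locator and SID information

    dis segment-routing ipv6 locator DC1-PE1 verbose
    dis segment-routing ipv6 local-sid forwarding

4. Check the SID information that IS-IS advertises in LSPs

    dis isis lsdb is-name DC1-PE1 verbose

5. Check the end.dt4 or end.dt6 information carried by VPN routes when they are advertised as EVPN routes

    dis bgp evpn all routing-table
    dis bgp evpn all routing-table prefix-route 0:172.20.1.0:24

6. Check that BGP EVPN advertises SRv6-encapsulated EVPN routes (optional)
Analyze with a packet capture.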
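4. SRv6 BE over GRE test
4.1 Test topology
4.2 Test description
With the preceding configuration complete and no SRv6 TE Policy configured yet, traffic from DC1-CE1 pinging DC2-CE1 recurses to SRv6 BE.
On DC1-PE1, check that the VPN routes 172.10.1.0/24 and 172:10:1::0/64 have recursed to SRv6 BE and use the end.dt4/end.dt6 SID directly as the next-hop address.
4.3 Packet inspection
While DC1-CE1 pings DC2-CE1, capture packets on DC2-PE1 on the port that connects DC2-PE1 to R1, and view the SRv6 BE over GRE packet format in Wireshark.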
5. SRv6 TE Policy over GRE test
5.1 Test topology
5.2 Test description
Configure one SRv6 TE Policy on DC1-PE1, named policy1.
DC1-PE1 configuration:

    #
    segment-routing ipv6
     segment-list list1
      index 5 sid ipv6 3001:1::12:0
      index 10 sid ipv6 3001:2::23:0
     srv6-te policy policy1 endpoint 2001:3::1 color 10
      candidate-path preference 100
       segment-list list1
    #
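The SIDs in list1 are the configured opcodes placed inside each /80 locator and shifted left by the 16-bit args field. The following added example (not part of the original lab) rebuilds every local SID from the locator and opcode values in section 3.6.1 and checks that each entry of a segment list is owned by some device. It assumes the static opcode occupies the low bits of the function field and must fit in the `static 15` bits; the function names are hypothetical.

```python
from ipaddress import IPv6Address, IPv6Network

# Locators and static opcodes copied from the SRv6 SID configuration on this page
DEVICES = {
    "DC1-PE1": ("3001:1::/80", {"::10": "end", "::12": "end-x", "::4001": "end-dt4",
                                "::6001": "end-dt6", "::7001": "end-op"}),
    "DC1-P1": ("3001:2::/80", {"::10": "end", "::21": "end-x", "::23": "end-x",
                               "::7001": "end-op"}),
    "DC2-PE1": ("3001:3::/80", {"::10": "end", "::32": "end-x", "::4001": "end-dt4",
                                "::6001": "end-dt6", "::7001": "end-op"}),
}

def build_sid(locator, opcode, static_len=15, args_len=16):
    """Compose Locator | Function | Args into a full 128-bit SID.

    Assumption: the static opcode sits in the low bits of the Function field,
    directly above the Args field, and must fit in static_len bits."""
    net = IPv6Network(locator)
    if net.prefixlen + static_len + args_len > 128:
        raise ValueError("locator, static and args lengths exceed 128 bits")
    op = int(IPv6Address(opcode))
    if not 0 < op < (1 << static_len):
        raise ValueError(f"opcode {opcode} does not fit in {static_len} static bits")
    return str(IPv6Address(int(net.network_address) | (op << args_len)))

def sid_table(devices=DEVICES):
    """Map every configured SID to (device, behavior)."""
    return {build_sid(loc, op): (name, behavior)
            for name, (loc, opcodes) in devices.items()
            for op, behavior in opcodes.items()}

def resolve_segment_list(sids, table=None):
    """Return (sid, device, behavior) per hop; raise on a SID no device owns."""
    table = table or sid_table()
    hops = []
    for sid in sids:
        key = str(IPv6Address(sid))          # normalise the textual form
        if key not in table:
            raise LookupError(f"{sid} is not a configured local SID")
        hops.append((key, *table[key]))
    return hops

if __name__ == "__main__":
    for hop in resolve_segment_list(["3001:1::12:0", "3001:2::23:0"]):  # list1
        print(hop)
```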
When DC1-PE1 receives the EVPN route 172.10.1.0, it colors the route. Color-based traffic steering then directs the service traffic of DC1-CE1 pinging DC2-CE1 into SRv6 TE Policy policy1.
On DC1-PE1, color the BGP route 172.10.1.0/24 with color 10:

    #
    # Color the BGP VPN route
    #
    route-policy p1 permit node 10
     if-match ip-prefix 1
     apply extcommunity color 0:10
    #
    route-policy p1 permit node 20
    #
    ip ip-prefix 1 index 10 permit 172.10.1.0 24
    #
    bgp 100
     #
     l2vpn-family evpn
      peer 2001:3::1 route-policy p1 import
    #
    # Configure the tunnel policy
    #
    tunnel-policy tnl-1
     tunnel select-seq ipv6 srv6-te-policy load-balance-number 1
    #
    # Apply the tunnel policy to the VPN instance
    #
    ip vpn-instance vpn1
     ipv4-family
      tnl-policy tnl-1 evpn
     ipv6-family
      tnl-policy tnl-1 evpn
    #

Check the IPv4 routing table of the VPN instance; the private route has successfully recursed to the SRv6 TE Policy.
5.3 Packet inspection
While DC1-CE1 pings DC2-CE1, capture packets on DC2-PE1 on the port that connects DC2-PE1 to R1, and view the SRv6 TE Policy over GRE packet format in Wireshark.
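The header stack that sections 4.3 and 5.3 look at, as an added example that is not part of the original lab: a decoder for outer IPv4 / GRE / IPv6 with an optional SRH, run over two constructed packets (SRv6 BE without SRH, SRv6 TE Policy with SRH). GRE carries these headers unencrypted, so this is also what any capture point on the third-party network sees. The sample packets are built from the page's addresses and SIDs, are not captures from the lab, and the function names are hypothetical.

```python
import struct
from ipaddress import IPv4Address, IPv6Address

def parse_srv6_over_gre(pkt: bytes) -> dict:
    """Decode outer IPv4 / GRE / IPv6 [/ SRH] and report what is carried inside."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[0] >> 4 != 4 or pkt[9] != 47:             # IP protocol 47 = GRE
        raise ValueError("outer header is not IPv4 carrying GRE")
    flags, proto = struct.unpack("!HH", pkt[ihl:ihl + 4])
    # Optional GRE fields: checksum (C), key (K), sequence (S), 4 bytes each
    gre_len = 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
    if proto != 0x86DD:                               # EtherType for IPv6
        raise ValueError("GRE payload is not IPv6")
    v6 = pkt[ihl + gre_len:]
    if len(v6) < 40 or v6[0] >> 4 != 6:
        raise ValueError("truncated or malformed IPv6 header")
    info = {"gre_src": str(IPv4Address(pkt[12:16])), "gre_dst": str(IPv4Address(pkt[16:20])),
            "sid_dst": str(IPv6Address(v6[24:40])), "segments": [], "segments_left": None}
    nh, rest = v6[6], v6[40:]
    if nh == 43:                                      # IPv6 Routing header
        nh, ext_len, rtype, seg_left, last = rest[:5]
        if rtype != 4 or (last + 1) * 16 > ext_len * 8 or len(rest) < 8 + ext_len * 8:
            raise ValueError("not a well-formed SRH (routing type 4)")
        info["segments"] = [str(IPv6Address(rest[8 + 16 * i:24 + 16 * i]))
                            for i in range(last + 1)]
        info["segments_left"] = seg_left
    info["inner_proto"] = nh                          # 4 = IPv4, 41 = IPv6
    return info

def build_sample(segments, seg_left=0, inner=b"\x45" + bytes(19)):
    """Constructed packet on the DC1-P1 -> DC2-PE1 tunnel (checksums left at 0).
    segments is in SRH order, i.e. Segment List[0] is the last segment."""
    sids = [IPv6Address(s).packed for s in segments]
    srh = b""
    if sids:
        srh = struct.pack("!BBBBBBH", 4, 2 * len(sids), 4, seg_left,
                          len(sids) - 1, 0, 0) + b"".join(sids)
    dst = sids[seg_left] if sids else IPv6Address("3001:3::4001:0").packed
    v6 = struct.pack("!IHBB16s16s", 0x60000000, len(srh) + len(inner),
                     43 if sids else 4, 64, IPv6Address("2001:1::1").packed, dst)
    gre = struct.pack("!HH", 0, 0x86DD) + v6 + srh + inner
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre), 0, 0x4000, 64, 47, 0,
                      IPv4Address("192.168.2.1").packed, IPv4Address("192.168.3.1").packed)
    return ip4 + gre
```

Calling `parse_srv6_over_gre(build_sample([]))` gives the BE case with an empty segment list; passing `["3001:3::4001:0", "3001:2::23:0", "3001:1::12:0"]` gives the TE Policy case with the SRH retained.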