素材来源:华为路由器配置指南
一边学习一边整理试验笔记,并与大家分享,侵权即删,谢谢支持!
附上汇总贴:玩转华为ENSP模拟器系列 | 合集_COCOgsta的博客-CSDN博客_ensp实验大全
目标
配置BGP/MPLS IP VPN,相同VPN用户之间可以互访,不同VPN用户之间不能互相访问。
组网需求
CE1、CE3属于vpna。
CE2、CE4属于vpnb。
vpna使用的VPN-target属性为111:1,vpnb使用的VPN-target属性为222:2。
使相同VPN用户之间可以互访,不同VPN用户之间不能互相访问。
配置思路
- 骨干网上配置OSPF实现PE之间的互通。
- 骨干网上配置MPLS基本能力和MPLS LDP,建立MPLS LSP。
- PE上配置使能IPv4地址族VPN实例,并把与CE相连的接口和相应的VPN实例绑定。
- PE之间配置MP-IBGP交换VPN路由信息。
- CE与PE之间配置EBGP交换VPN路由信息。
操作步骤
- 在MPLS骨干网上配置IGP协议,实现骨干网PE和P的互通。本例中IGP为OSPF为例进行说明。
配置PE1
PE1:
sysname PE1
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
interface Ethernet1/0/1
ip address 172.1.1.1 255.255.255.0
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
配置P
P:
sysname P
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
interface Ethernet1/0/0
undo shutdown
ip address 172.1.1.2 255.255.255.0
interface Ethernet1/0/1
undo shutdown
ip address 172.2.1.1 255.255.255.0
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.2.1.0 0.0.0.255
配置PE2
PE2:
sysname PE2
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
interface Ethernet1/0/1
undo shutdown
ip address 172.2.1.2 255.255.255.0
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 172.2.1.0 0.0.0.255
配置完成后,PE1、P、PE2之间应能建立OSPF邻居关系,执行display ospf peer命令可以看到邻居状态为Full。执行display ip routing-table命令可以看到PE之间学习到对方的Loopback1路由。
<PE1>dis ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table : _public_
Destinations : 11 Routes : 11
Destination/Mask Proto Pre Cost Flags NextHop Interface
1.1.1.9/32 Direct 0 0 D 127.0.0.1 LoopBack1
2.2.2.9/32 OSPF 10 1 D 172.1.1.2 Ethernet1/0/1
3.3.3.9/32 OSPF 10 2 D 172.1.1.2 Ethernet1/0/1
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
172.1.1.0/24 Direct 0 0 D 172.1.1.1 Ethernet1/0/1
172.1.1.1/32 Direct 0 0 D 127.0.0.1 Ethernet1/0/1
172.1.1.255/32 Direct 0 0 D 127.0.0.1 Ethernet1/0/1
172.2.1.0/24 OSPF 10 2 D 172.1.1.2 Ethernet1/0/1
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
<PE1>
<PE1>dis ospf peer
(M) Indicates MADJ neighbor
OSPF Process 1 with Router ID 1.1.1.9
Neighbors
Area 0.0.0.0 interface 172.1.1.1 (Eth1/0/1)'s neighbors
Router ID: 2.2.2.9 Address: 172.1.1.2
State: Full Mode:Nbr is Master Priority: 1
DR: 172.1.1.2 BDR: 172.1.1.1 MTU: 0
Dead timer due in 31 sec
Retrans timer interval: 5
Neighbor is up for 00h06m04s
Neighbor Up Time : 2019-10-19 14:38:42
Authentication Sequence: [ 0 ]
OSPF Process 65534 with Router ID 128.1.138.137
Neighbors
Area 0.0.0.0 interface 128.1.138.137 (Eth1/0/1.4094)'s neighbors
Router ID: 128.1.138.139 Address: 128.1.138.139
State: Full Mode:Nbr is Master Priority: 1
DR: None BDR: None MTU: 0
Dead timer due in 38 sec
Retrans timer interval: 5
Neighbor is up for 00h06m24s
Neighbor Up Time : 2019-10-19 14:38:22
Authentication Sequence: [ 0 ]
Area 0.0.0.0 interface 128.1.138.137 (Eth1/0/2.4094)'s neighbors
Router ID: 128.1.138.142 Address: 128.1.138.142
State: Full Mode:Nbr is Master Priority: 1
DR: None BDR: None MTU: 0
Dead timer due in 36 sec
Retrans timer interval: 5
Neighbor is up for 00h06m23s
Neighbor Up Time : 2019-10-19 14:38:23
Authentication Sequence: [ 0 ]
Area 0.0.0.0 interface 128.1.138.137 (DCN-Serial1/0/1:0)'s neighbors
Router ID: 128.1.138.139 Address: 128.1.138.139
State: Full Mode:Nbr is Master Priority: 1
DR: None BDR: None MTU: 0
Dead timer due in 33 sec
Retrans timer interval: 5
Neighbor is up for 00h06m14s
Neighbor Up Time : 2019-10-19 14:38:32
Authentication Sequence: [ 0 ]
<PE1>
- 在MPLS骨干网上配置MPLS基本能力和MPLS LDP,建立LDP LSP
配置PE1
PE1:
mpls lsr-id 1.1.1.9
mpls ldp
interface Ethernet1/0/1
mpls
mpls ldp
配置P
P:
mpls lsr-id 2.2.2.9
mpls
mpls ldp
interface Ethernet1/0/0
mpls
mpls ldp
interface Ethernet1/0/1
mpls
mpls ldp
配置PE2
PE2:
mpls lsr-id 3.3.3.9
mpls
mpls ldp
interface Ethernet1/0/1
mpls
mpls ldp
上述配置完成后,PE1与P、P与PE2之间应能建立LDP会话,执行display mpls ldp session命令可以看到显示结果中Status项为“Operational”。执行display mpls ldp lsp命令,可以看到LDP LSP的建立情况。
<PE1> dis mpls ldp session
LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
An asterisk (*) before a session means the session is being deleted.
--------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
--------------------------------------------------------------------------
2.2.2.9:0 Operational DU Passive 0000:00:06 27/27
--------------------------------------------------------------------------
TOTAL: 1 Session(s) Found.
<PE1>
<PE1>dis mpls ldp lsp
LDP LSP Information
-------------------------------------------------------------------------------
Flag after Out IF: (I) - RLFA Iterated LSP, (I*) - Normal and RLFA Iterated LSP
-------------------------------------------------------------------------------
DestAddress/Mask In/OutLabel UpstreamPeer NextHop OutInterface
-------------------------------------------------------------------------------
1.1.1.9/32 3/NULL 2.2.2.9 127.0.0.1 Loop1
*1.1.1.9/32 Liberal/48120 DS/2.2.2.9
2.2.2.9/32 NULL/3 - 172.1.1.2 Eth1/0/1
2.2.2.9/32 48120/3 2.2.2.9 172.1.1.2 Eth1/0/1
3.3.3.9/32 NULL/48121 - 172.1.1.2 Eth1/0/1
3.3.3.9/32 48123/48121 2.2.2.9 172.1.1.2 Eth1/0/1
-------------------------------------------------------------------------------
TOTAL: 5 Normal LSP(s) Found.
TOTAL: 1 Liberal LSP(s) Found.
TOTAL: 0 FRR LSP(s) Found.
An asterisk (*) before an LSP means the LSP is not established
An asterisk (*) before a Label means the USCB or DSCB is stale
An asterisk (*) before an UpstreamPeer means the session is stale
An asterisk (*) before a DS means the session is stale
An asterisk (*) before a NextHop means the LSP is FRR LSP
<PE1>
- 在PE设备上配置使能IPv4地址族的VPN实例,将CE接入PE
配置PE1
PE1:
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
interface Ethernet1/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
interface Ethernet1/0/2
undo shutdown
ip binding vpn-instance vpnb
ip address 10.2.1.2 255.255.255.0
配置PE2
PE2:
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
ip vpn-instance vpnb
ipv4-family
route-distinguisher 200:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
interface Ethernet1/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.3.1.2 255.255.255.0
interface Ethernet1/0/2
undo shutdown
ip binding vpn-instance vpnb
ip address 10.4.1.2 255.255.255.0
按图1配置各CE的接口IP地址
配置完成后,在PE设备上执行display ip vpn-instance verbose命令可以看到VPN实例的配置情况。各PE能ping通自己接入的CE。
说明:当PE上有多个绑定了同一个VPN的接口,则使用ping -vpn-instance命令ping对端PE接入的CE时,要指定源IP地址,即要指定ping -vpn-instance vpn-instance-name -a source-ip-address dest-ip-address命令中的参数-a source-ip-address,否则可能ping不通。
以PE1为例
<PE1>dis ip vpn-instance verbose
Total VPN-Instances configured : 3
Total IPv4 VPN-Instances configured : 3
Total IPv6 VPN-Instances configured : 0
VPN-Instance Name and ID : __dcn_vpn__, 1
Interfaces : Ethernet1/0/0.4094,
Ethernet1/0/1.4094,
Ethernet1/0/2.4094,
Ethernet1/0/3.4094,
Ethernet1/0/4.4094,
Ethernet1/0/5.4094,
Ethernet1/0/6.4094,
Ethernet1/0/7.4094,
Ethernet1/0/8.4094,
Ethernet1/0/9.4094,
LoopBack2147483647
Address family ipv4
Create date : 2019-10-19 14:37:35+00:00
Up time : 0 days, 00 hours, 09 minutes and 02 seconds
Vrf Status : UP
Label Policy : label per route
The diffserv-mode Information is : uniform
The ttl-mode Information is : pipe
VPN-Instance Name and ID : vpna, 2
Interfaces : Ethernet1/0/0
Address family ipv4
Create date : 2019-10-19 14:37:35+00:00
Up time : 0 days, 00 hours, 09 minutes and 02 seconds
Vrf Status : UP
Route Distinguisher : 100:1
Export VPN Targets : 111:1
Import VPN Targets : 111:1
Label Policy : label per route
The diffserv-mode Information is : uniform
The ttl-mode Information is : pipe
VPN-Instance Name and ID : vpnb, 3
Interfaces : Ethernet1/0/2
Address family ipv4
Create date : 2019-10-19 14:37:35+00:00
Up time : 0 days, 00 hours, 09 minutes and 02 seconds
Vrf Status : UP
Route Distinguisher : 100:2
Export VPN Targets : 222:2
Import VPN Targets : 222:2
Label Policy : label per route
The diffserv-mode Information is : uniform
The ttl-mode Information is : pipe
<PE1>
<PE1> ping -vpn-instance vpna 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=6 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=4 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=4 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=4 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=4 ms
--- 10.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 4/4/6 ms
<PE1>
- 在PE与CE之间建立EBGP对等体关系
配置CE1
CE1:
interface LoopBack1
ip address 11.11.11.11 255.255.255.255
bgp 65410
peer 10.1.1.2 as-number 100
ipv4-family unicast
network 11.11.11.11 255.255.255.255
说明:CE2~CE4配置与CE1设备配置类似,配置过程请参见后面的配置文件。
配置PE1
PE1:
bgp 100
ipv4-family vpn-instance vpna
peer 10.1.1.1 as-number 65410
ipv4-family vpn-instance vpnb
peer 10.2.1.1 as-number 65420
说明:PE2的配置与PE1类似,配置过程请参见后面的配置文件。
配置完成后,在PE设备上执行display bgp vpnv4 vpn-instance peer命令,可以看到PE与CE之间的BGP对等体关系已建立,并达到Established状态。
以PE1与CE1的对等体关系为例:
<PE1>dis bgp vpnv4 vpn-instance vpna peer
BGP local router ID : 1.1.1.9
Local AS number : 100
VPN-Instance vpna, Router ID 1.1.1.9:
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.1.1.1 4 65410 14 14 0 00:08:33 Established 1
<PE1>
- 在PE之间建立MP-IBGP对等体关系
配置PE1
PE1:
bgp 100
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
ipv4-family vpnv4
peer 3.3.3.9 enable
配置PE2
PE2:
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
ipv4-family vpnv4
peer 1.1.1.9 enable
配置完成后,在PE设备上执行display bgp peer或display bgp vpnv4 all peer命令,可以看到PE之间的BGP对等体关系已建立,并达到Established状态。
<PE1>dis bgp peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
3.3.3.9 4 100 12 12 0 00:05:42 Established 0
<PE1>
<PE1>dis bgp vpnv4 all peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 3 Peers in established state : 3
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
3.3.3.9 4 100 12 12 0 00:05:53 Established 2
Peer of IPv4-family for vpn instance :
VPN-Instance vpna, Router ID 1.1.1.9:
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.1.1.1 4 65410 14 14 0 00:08:57 Established 1
VPN-Instance vpnb, Router ID 1.1.1.9:
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.2.1.1 4 65420 14 15 0 00:09:21 Established 1
<PE1>
- 检查配置结果
在PE设备上执行display ip routing-table vpn-instance命令,可以看到去往CE上的Loopback口路由。
<PE1>dis ip routing-table vpn-instance vpna
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table : vpna
Destinations : 7 Routes : 7
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/24 Direct 0 0 D 10.1.1.2 Ethernet1/0/0
10.1.1.2/32 Direct 0 0 D 127.0.0.1 Ethernet1/0/0
10.1.1.255/32 Direct 0 0 D 127.0.0.1 Ethernet1/0/0
11.11.11.11/32 EBGP 255 0 RD 10.1.1.1 Ethernet1/0/0
33.33.33.33/32 IBGP 255 0 RD 3.3.3.9 Ethernet1/0/1
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
<PE1>
<PE1>dis ip routing-table vpn-instance vpnb
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table : vpnb
Destinations : 7 Routes : 7
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.2.1.0/24 Direct 0 0 D 10.2.1.2 Ethernet1/0/2
10.2.1.2/32 Direct 0 0 D 127.0.0.1 Ethernet1/0/2
10.2.1.255/32 Direct 0 0 D 127.0.0.1 Ethernet1/0/2
22.22.22.22/32 EBGP 255 0 RD 10.2.1.1 Ethernet1/0/2
44.44.44.44/32 IBGP 255 0 RD 3.3.3.9 Ethernet1/0/1
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
<PE1>
同一VPN的CE能够相互Ping通,不同VPN的CE不能相互Ping通。
<CE1>ping -a 11.11.11.11 33.33.33.33
PING 33.33.33.33: 56 data bytes, press CTRL_C to break
Reply from 33.33.33.33: bytes=56 Sequence=1 ttl=252 time=17 ms
Reply from 33.33.33.33: bytes=56 Sequence=2 ttl=252 time=13 ms
Reply from 33.33.33.33: bytes=56 Sequence=3 ttl=252 time=13 ms
Reply from 33.33.33.33: bytes=56 Sequence=4 ttl=252 time=10 ms
Reply from 33.33.33.33: bytes=56 Sequence=5 ttl=252 time=12 ms
--- 33.33.33.33 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 10/13/17 ms
<CE1>
<CE1>ping -a 11.11.11.11 44.44.44.44
PING 44.44.44.44: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 44.44.44.44 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
<CE1>
1万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
