70. Configuring and Deploying MPLS L3VPN Inter-AS Option A
Preface
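Compared with intra-AS MPLS VPN, the way the VPN works does not change in the inter-AS scenario, but because it spans different ASs, the following problems arise:
1. LDP does not run between ASs, so no outer tunnel can be established between them
2. No IGP runs between the PEs, so by default they cannot establish a BGP peer relationship and therefore cannot exchange VPNv4 routes directly
There are several ways to address these problems:
2.1. The ASBRs exchange IPv4 routes and forward data as IPv4 packets [this approach is easy to understand]: Option-A
2.2. The ASBRs exchange VPNv4 routes and forward packets carrying one layer of MPLS label: Option-B
2.3. The PEs exchange VPNv4 routes and forward packets carrying multiple layers of MPLS labels: Option-C
Inter-AS VPN Option-B [Inter-Provider Backbones Option-B]:
The ASBRs advertise labeled VPNv4 routes to each other over MP-EBGP; this is also called EBGP redistribution of labeled VPNv4 routes
1. Unlike Option-A, Option-B does not require creating VPN instances on the ASBR-PEs or binding any interfaces
2. In Option-B, the two ASBRs use MP-EBGP to exchange the VPNv4 routes they receive from the PE devices in their own AS
3. By default, a PE keeps only the VPN routes that match the VPN Target of a local VPN instance; therefore, the ASBRs can be configured not to perform RT filtering so that they pass the routes on
4. In large networks, RR devices can be deployed that are dedicated to propagating customer-side VPN routes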
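The RT filtering rule in point 3, traced along this lab's path from ASBR-PE1 through ASBR-PE2 to PE2, as an added Python model (not code from the original post; the class and function names are hypothetical, and the second route with RT 999:9 is constructed). It shows that an ASBR without a VPN instance drops every VPNv4 route while filtering is on, and that once filtering is off the ASBR accepts routes with any RT, leaving the PE's import RT as the only filter.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Vpnv4Route:
    rd: str            # route distinguisher
    prefix: str
    rts: frozenset     # export VPN targets carried with the route

@dataclass
class Node:
    name: str
    import_rts: set = field(default_factory=set)  # import RTs of local VPN instances
    policy_vpn_target: bool = True                # default: RT filtering enabled

    def accept(self, route):
        """Keep a route if filtering is off or one of its RTs is imported locally."""
        return (not self.policy_vpn_target) or bool(route.rts & self.import_rts)

def propagate(routes, path):
    """Pass routes hop by hop; return (prefixes at the last node, {prefix: dropped_at})."""
    alive, dropped = list(routes), {}
    for node in path:
        kept = []
        for r in alive:
            if node.accept(r):
                kept.append(r)
            else:
                dropped[r.prefix] = node.name
        alive = kept
    return [r.prefix for r in alive], dropped

# Constructed sample: CE1's test route as exported by PE1, plus an unrelated VPN's route.
ROUTES = [
    Vpnv4Route("100:1", "192.168.1.1/32", frozenset({"100:1"})),
    Vpnv4Route("999:9", "172.16.0.0/16", frozenset({"999:9"})),
]

def lab_path(asbr_filtering):
    """The ASBRs have no VPN instance; PE2 imports 100:1 as in the post."""
    return [
        Node("ASBR-PE1", policy_vpn_target=asbr_filtering),
        Node("ASBR-PE2", policy_vpn_target=asbr_filtering),
        Node("PE2", import_rts={"100:1"}),
    ]

if __name__ == "__main__":
    print(propagate(ROUTES, lab_path(True)))    # filtering on: nothing passes ASBR-PE1
    print(propagate(ROUTES, lab_path(False)))   # undo policy vpn-target on both ASBRs
```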
I. Basic IP configuration
1. Interface addresses + test addresses (paste these in directly so you can get on with typing the rest)
CE1
Prevent the console session from timing out
sys
us co 0
id 0 0
q
interface GigabitEthernet0/0/0
ip address 10.1.1.2 255.255.255.252
interface LoopBack0
ip address 7.7.7.7 255.255.255.255
interface LoopBack1
ip address 192.168.1.1 255.255.255.0
PE1
sys
sysname PE1
interface GigabitEthernet0/0/0
ip address 12.1.1.1 255.255.255.252
interface GigabitEthernet0/0/1
ip address 10.1.1.1 255.255.255.252
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
P1
sys
sysname P1
interface GigabitEthernet0/0/0
ip address 23.1.1.1 255.255.255.252
interface GigabitEthernet0/0/1
ip address 12.1.1.2 255.255.255.252
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
ASBR-PE1
The G0/0/2 address does not have to be entered, since the address disappears when the VRF is configured anyway = =
sys
sysname ASBR-PE1
interface GigabitEthernet0/0/1
ip address 23.1.1.2 255.255.255.252
interface GigabitEthernet0/0/2
ip address 202.106.0.1 255.255.255.252
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
ASBR-PE2
sys
sysname ASBR-PE2
interface GigabitEthernet0/0/1
ip address 45.1.1.1 255.255.255.252
interface GigabitEthernet0/0/2
ip address 202.106.0.2 255.255.255.252
interface LoopBack0
ip address 4.4.4.4 255.255.255.255
P2
sys
sysname P2
interface GigabitEthernet0/0/0
ip address 45.1.1.2 255.255.255.252
interface GigabitEthernet0/0/1
ip address 56.1.1.1 255.255.255.252
interface GigabitEthernet0/0/2
interface LoopBack0
ip address 5.5.5.5 255.255.255.255
PE2
sys
sysname PE2
interface GigabitEthernet0/0/0
ip address 56.1.1.2 255.255.255.252
interface GigabitEthernet0/0/1
ip address 20.1.1.1 255.255.255.252
interface GigabitEthernet0/0/2
interface LoopBack0
ip address 6.6.6.6 255.255.255.255
CE2
sys
sysname CE2
interface GigabitEthernet0/0/0
ip address 20.1.1.2 255.255.255.252
interface LoopBack0
ip address 8.8.8.8 255.255.255.255
interface LoopBack1
ip address 192.168.2.1 255.255.255.0
1.2. Basic routing protocol configuration (IGP: IS-IS, enable MPLS LDP)
PE1
isis 1
is-level level-2
network-entity 10.0000.0000.0001.00
mpls lsr-id 1.1.1.1
mpls
mpls ldp
int g0/0/0
mpls
mpls ldp
isis enable
int lo 0
isis en
P1
isis 1
is-level level-2
network-entity 10.0000.0000.0002.00
mpls lsr-id 2.2.2.2
mpls
mpls ldp
int g0/0/0
mpls
mpls ldp
isis enable
int g0/0/1
mpls
mpls ldp
isis enable
int lo 0
isis en
ASBR-PE1
isis 1
is-level level-2
network-entity 10.0000.0000.0003.00
mpls lsr-id 3.3.3.3
mpls
mpls ldp
int g0/0/1
mpls
mpls ldp
isis enable
int lo 0
isis en
Verify the status
[P1]dis isis peer
Peer information for ISIS(1)
System Id Interface Circuit Id State HoldTime Type PRI
-------------------------------------------------------------------------------
0000.0000.0003 GE0/0/0 0000.0000.0003.01 Up 8s L2 64
0000.0000.0001 GE0/0/1 0000.0000.0001.01 Up 9s L2 64
1.2. Basic configuration (PE-VRF, PE-PE BGP, ASBR-ASBR BGP)
PE1:
Create the vpn-instance and bind the interface
ip vpn-instance PE1
route-distinguisher 100:1
vpn-target 100:1 both
int g0/0/1
ip binding vpn-instance PE1
ip add 10.1.1.1 30
Enable BGP
bgp 100
peer 3.3.3.3 as 100
peer 3.3.3.3 co lo 0
ipv4-family vpnv4
peer 3.3.3.3 enable
ASBR-PE1:
Enable BGP
bgp 100
peer 1.1.1.1 as 100
peer 1.1.1.1 connect-interface lo 0
peer 202.106.0.2 as 200
peer 202.106.0.2 connect-interface g0/0/2
ipv4-family vpnv4
peer 1.1.1.1 en
peer 202.106.0.2 enable
[ASBR-PE1-bgp]dis bgp vpnv4 all peer
BGP local router ID : 23.1.1.2
Local AS number : 100
Total number of peers : 2 Peers in established state : 2
Peer V AS MsgRcvd MsgSent OutQ Up/Down State Pre
fRcv
1.1.1.1 4 100 13 13 0 00:11:26 Established
0
202.106.0.2 4 200 3 5 0 00:01:51 Established
0
1.3. Basic configuration: CE-PE
CE1
ospf 1 router-id 7.7.7.7
area 0
net 7.7.7.7 0.0.0.0
net 10.1.1.0 0.0.0.3
net 192.168.1.1 0.0.0.255
PE1
ospf vpn-instance PE1 1 router-id 1.1.1.1
area 0
net 1.1.1.1 0.0.0.0
net 10.1.1.0 0.0.0.3
PE1 route import
[PE1-ospf-1]import-route bgp
[PE1-ospf-1]bgp 100
[PE1-bgp-PE1]import-route ospf 1
Check the status
[PE1-bgp-PE1]display ospf peer
OSPF Process 1 with Router ID 1.1.1.1
Neighbors
Area 0.0.0.0 interface 10.1.1.1(GigabitEthernet0/0/1)'s neighbors
Router ID: 7.7.7.7 Address: 10.1.1.2
State: Full Mode:Nbr is Master Priority: 1
DR: 10.1.1.2 BDR: 10.1.1.1 MTU: 0
Dead timer due in 36 sec
Retrans timer interval: 5
Neighbor is up for 00:02:53
Authentication Sequence: [ 0 ]
[PE1]dis ip routing-table vpn-instance PE1 p o
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
PE1 routing table : OSPF
Destinations : 2 Routes : 2
OSPF routing table status : <Active>
Destinations : 2 Routes : 2
Destination/Mask Proto Pre Cost Flags NextHop Interface
7.7.7.7/32 OSPF 10 1 D 10.1.1.2 GigabitEthernet
0/0/1
192.168.1.1/32 OSPF 10 1 D 10.1.1.2 GigabitEthernet
0/0/1
You can see that LSPs have already been allocated for the test addresses, and the routes are being received normally
[ASBR-PE1]dis mpls lsp
-------------------------------------------------------------------------------
LSP Information: L3VPN LSP
-------------------------------------------------------------------------------
FEC In/Out Label In/Out IF Vrf Name
10.1.1.0/30 1030/1029 -/- ASBR LSP
192.168.1.1/32 1031/1030 -/- ASBR LSP
7.7.7.7/32 1032/1028 -/- ASBR LSP
-------------------------------------------------------------------------------
LSP Information: LDP LSP
-------------------------------------------------------------------------------
FEC In/Out Label In/Out IF Vrf Name
3.3.3.3/32 3/NULL -/-
1.1.1.1/32 NULL/1026 -/GE0/0/1
1.1.1.1/32 1026/1026 -/GE0/0/1
2.2.2.2/32 NULL/3 -/GE0/0/1
2.2.2.2/32 1025/3 -/GE0/0/1
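II. Fixing routes not being passed from PE to PE
1. Check the PE1 routing table
The route to the remote side's 2.1 (192.168.2.1) has not been received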
[PE1]dis ip routing-table vpn-instance PE1
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: PE1
Destinations : 6 Routes : 6
Destination/Mask Proto Pre Cost Flags NextHop Interface
7.7.7.7/32 OSPF 10 1 D 10.1.1.2 GigabitEthernet
0/0/1
10.1.1.0/30 Direct 0 0 D 10.1.1.1 GigabitEthernet
0/0/1
10.1.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/1
10.1.1.3/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/1
192.168.1.1/32 OSPF 10 1 D 10.1.1.2 GigabitEthernet
0/0/1
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
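2. Allow the ASBR to pass VPNv4 labels
ipv4-family vpnv4
undo policy vpn-target
The routes are still not received
because labels need to be carried between the ASBRs
Enable MPLS
[ASBR-PE1]int g0/0/2
[ASBR-PE1-GigabitEthernet0/0/2]mpls
Check the CE routing table again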
[Huawei-ospf-1-area-0.0.0.0]dis ip routing-table p o
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : OSPF
Destinations : 3 Routes : 3
OSPF routing table status : <Active>
Destinations : 3 Routes : 3
Destination/Mask Proto Pre Cost Flags NextHop Interface
8.8.8.8/32 OSPF 10 2 D 10.1.1.1 GigabitEthernet
0/0/0
20.1.1.0/30 O_ASE 150 1 D 10.1.1.1 GigabitEthernet
0/0/0
192.168.2.1/32 OSPF 10 2 D 10.1.1.1 GigabitEthernet
0/0/0
[Huawei-ospf-1-area-0.0.0.0]ping 192.168.2.1
PING 192.168.2.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=249 time=80 ms
Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=249 time=60 ms
Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=249 time=80 ms
Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=249 time=60 ms
Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=249 time=50 ms
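Summary: troubleshooting approach
1. After the PE-PE relationship is established
Check isis peer, bgp peer, VPNv4 peer and LDP session
Verify after every step, and make sure the basic configuration is right first
1.1. If isis does not come up, check the interface addresses and whether isis is enabled on the interfaces
1.2. bgp peer: confirm that the AS is entered correctly and whether the peer can be pinged; if the ping fails, check the interface IP addresses on P and whether isis is enabled
1.3. VPNv4 peer: confirm whether the BGP VPNv4 peer relationship has been re-established
1.4. LDP session: checking on P is enough; the cause is usually that MPLS LDP is not enabled, or that isis is not enabled under lo 0
2. After the CE-PE OSPF relationship is set up
Look at the routes on the PE and the CE to confirm that route import works
3. Follow the route-learning process step by step
On PE1 and the ASBR there is no place where the received routes show up, so check whether the LSPs have labels allocated for the test addresses
4. Check the remote ASBR; if it has no LSP, usually the private-network routes have not been passed over
Confirm whether VPN Target filtering of VPNv4 routes has been turned off, i.e. all VPNv4 routes are accepted
In addition, because the interconnect interface has to carry VPNv4 routes, MPLS needs to be enabled on it (MPLS labels can be allocated by LDP or MP-BGP; LDP is not needed here because allocation relies on MP-BGP)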
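The peer check in steps 1 and 4, applied to the `dis bgp vpnv4 all peer` output captured on ASBR-PE1 earlier in this post, as an added Python example (not part of the original post; the function names and the result strings are hypothetical). It rejoins the PrefRcv value that the terminal wrapped onto its own line and points each peer at the checklist step to look at next.

```python
import ipaddress
import re

# Output captured on ASBR-PE1 in the post, including the terminal's line wrap.
SAMPLE = """\
 BGP local router ID : 23.1.1.2
 Local AS number : 100
 Total number of peers : 2 Peers in established state : 2
 Peer V AS MsgRcvd MsgSent OutQ Up/Down State Pre
fRcv
 1.1.1.1 4 100 13 13 0 00:11:26 Established
 0
 202.106.0.2 4 200 3 5 0 00:01:51 Established
 0
"""

def is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False

def parse_vpnv4_peers(text):
    """Return (local_as, rows); a wrapped PrefRcv line is rejoined to its peer row."""
    m = re.search(r"Local AS number\s*:\s*(\d+)", text)
    local_as = int(m.group(1)) if m else None
    rows = []
    for tokens in (line.split() for line in text.splitlines()):
        if len(tokens) >= 8 and is_ipv4(tokens[0]):
            rows.append(tokens)
        elif rows and len(rows[-1]) == 8 and len(tokens) == 1 and tokens[0].isdigit():
            rows[-1].append(tokens[0])
    return local_as, rows

def triage(text):
    """Map each peer to the checklist step to look at next."""
    local_as, rows = parse_vpnv4_peers(text)
    findings = []
    for peer, _v, asn, *_counters, state, pref_rcv in (r for r in rows if len(r) == 9):
        kind = "IBGP" if int(asn) == local_as else "EBGP"
        if state != "Established":
            findings.append((peer, kind, "session down: step 1.2/1.3"))
        elif int(pref_rcv) == 0:
            findings.append((peer, kind, "no VPNv4 routes received: step 3/4"))
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```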
Right-side configuration (full configuration)
1. ASBR PE2
mpls lsr-id 4.4.4.4
mpls
mpls ldp
isis 1
is-level level-2
network-entity 20.0000.0000.0004.00
interface GigabitEthernet0/0/1
ip address 45.1.1.1 255.255.255.252
isis enable 1
mpls
mpls ldp
interface GigabitEthernet0/0/2
ip address 202.106.0.2 255.255.255.252
mpls
interface LoopBack0
ip address 4.4.4.4 255.255.255.255
isis enable 1
bgp 200
peer 6.6.6.6 as-number 200
peer 6.6.6.6 connect-interface LoopBack0
peer 202.106.0.1 as-number 100
peer 202.106.0.1 ebgp-max-hop 2
peer 202.106.0.1 connect-interface GigabitEthernet0/0/2
ipv4-family unicast
undo synchronization
peer 6.6.6.6 enable
peer 202.106.0.1 enable
ipv4-family vpnv4
undo policy vpn-target
peer 6.6.6.6 enable
peer 202.106.0.1 enable
user-interface con 0
authentication-mode password
idle-timeout 0 0
2. P2
mpls lsr-id 5.5.5.5
mpls
mpls ldp
isis 1
is-level level-2
network-entity 20.0000.0000.0005.00
interface GigabitEthernet0/0/0
ip address 45.1.1.2 255.255.255.252
isis enable 1
mpls
mpls ldp
interface GigabitEthernet0/0/1
ip address 56.1.1.1 255.255.255.252
isis enable 1
mpls
mpls ldp
interface LoopBack0
ip address 5.5.5.5 255.255.255.255
isis enable 1
3. PE2
ip vpn-instance PE2
ipv4-family
route-distinguisher 100:1
vpn-target 100:1 export-extcommunity
vpn-target 100:1 import-extcommunity
mpls lsr-id 6.6.6.6
mpls
mpls ldp
isis 1
is-level level-2
network-entity 20.0000.0000.0006.00
interface GigabitEthernet0/0/0
ip address 56.1.1.2 255.255.255.252
isis enable 1
mpls
mpls ldp
interface GigabitEthernet0/0/1
ip binding vpn-instance PE2
ip address 20.1.1.1 255.255.255.252
interface LoopBack0
ip address 6.6.6.6 255.255.255.255
isis enable
bgp 200
peer 4.4.4.4 as-number 200
peer 4.4.4.4 connect-interface LoopBack0
ipv4-family unicast
undo synchronization
peer 4.4.4.4 enable
ipv4-family vpnv4
policy vpn-target
peer 4.4.4.4 enable
ipv4-family vpn-instance PE2
import-route ospf 1
ospf 1 router-id 6.6.6.6 vpn-instance PE2
import-route bgp
area 0.0.0.0
network 6.6.6.6 0.0.0.0
network 20.1.1.0 0.0.0.3
user-interface con 0
idle-timeout 0 0
4. CE2
interface GigabitEthernet0/0/0
ip address 20.1.1.2 255.255.255.252
interface LoopBack0
ip address 8.8.8.8 255.255.255.255
interface LoopBack1
ip address 192.168.2.1 255.255.255.0
ospf 1 router-id 8.8.8.8
area 0.0.0.0
network 8.8.8.8 0.0.0.0
network 20.1.1.0 0.0.0.3
network 192.168.2.0 0.0.0.255
user-interface con 0
authentication-mode password
idle-timeout 0 0
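A check over the saved configurations above, as an added Python example (not part of the original post; the function name and finding strings are hypothetical, and the sample is an excerpt of the ASBR PE2 configuration). It flags two lab conveniences that matter outside a lab: a console with `idle-timeout 0 0`, and an EBGP VPNv4 peer on a device where `undo policy vpn-target` is set and no `peer ... route-policy ... import` limits what the neighbouring AS can inject. Treating an import route-policy as the compensating control is an assumption of this example.

```python
import re

def audit_vrp(config):
    """Flag lab conveniences in a saved VRP config that widen exposure."""
    local_as = section = family = None
    peer_as, vpnv4_peers, filtered = {}, [], set()
    rt_filter_off, findings = False, []
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"bgp (\d+)", line):
            local_as, section, family = int(m.group(1)), "bgp", None
        elif m := re.match(r"(user-interface|interface|ospf|isis)\b", line):
            section, family = m.group(1), None
        elif section == "bgp":
            if m := re.fullmatch(r"ipv4-family (.+)", line):
                family = m.group(1)
            elif m := re.fullmatch(r"peer (\S+) as-number (\d+)", line):
                peer_as[m.group(1)] = int(m.group(2))
            elif family == "vpnv4" and line == "undo policy vpn-target":
                rt_filter_off = True          # VPNv4 routes with any RT are accepted
            elif family == "vpnv4" and (m := re.fullmatch(r"peer (\S+) enable", line)):
                vpnv4_peers.append(m.group(1))
            elif family == "vpnv4" and (
                    m := re.fullmatch(r"peer (\S+) route-policy \S+ import", line)):
                filtered.add(m.group(1))
        elif section == "user-interface" and line == "idle-timeout 0 0":
            findings.append("console: idle-timeout 0 0 (session never expires)")
    for peer in vpnv4_peers:
        if rt_filter_off and peer_as.get(peer) != local_as and peer not in filtered:
            findings.append(f"vpnv4 EBGP peer {peer}: RT filter off, no import route-policy")
    return findings

# Excerpt of the ASBR PE2 configuration from the post.
ASBR_PE2 = """
bgp 200
peer 6.6.6.6 as-number 200
peer 202.106.0.1 as-number 100
ipv4-family unicast
peer 202.106.0.1 enable
ipv4-family vpnv4
undo policy vpn-target
peer 6.6.6.6 enable
peer 202.106.0.1 enable
user-interface con 0
authentication-mode password
idle-timeout 0 0
"""

if __name__ == "__main__":
    print("\n".join(audit_vrp(ASBR_PE2)))
```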