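1. Network topology:
2. Lab requirements
(1) The two SiteA sites can communicate across the AS boundary
(2) The two SiteB sites can communicate across the AS boundary
(3) Different sites cannot communicate with each other
(4) Data is forwarded using MPLS labels
3. Lab analysis
1. Configure OSPF at site SiteA-1 and IS-IS at site SiteB-1, and advertise the interface subnets
2. Inside AS 123 (AS 456):
(1) Configure VPN instances on PE-1, assign an RD and RTs, and connect each of the two sites to its own instance
(2) Enable MPLS and LDP on PE-1
(3) PE-1 uses an IGP (OSPF) so that the routers in its AS can reach each other (interconnect interfaces and loopback interfaces)
(4) Enable MP-BGP and import the VPN instance routes into BGP
(5) Enable MPLS and LDP on the P router
(6) The P router uses an IGP (OSPF) to advertise its interconnect and loopback interfaces
(7) Configure VPN instances on the ASBR, assign an RD and RTs, and bind the instances to interfaces
(8) PE-1 and the ASBR establish an IBGP peering over MP-BGP and exchange VPNv4 routes
3. ASBR to ASBR
(1) Create VPN instances and bind them to interfaces; the two ASBRs establish an EBGP peering and receive the IPv4 routes each side sends
Core idea: VRF to VRF (VPN to VPN)
4. Configuration part 1 (inside AS 123)
4.1 Configure SiteA-1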
#
interface GigabitEthernet0/0/0
ip address 192.168.100.1 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 172.16.1.254 255.255.255.0
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 172.16.1.254 0.0.0.0
network 192.168.100.1 0.0.0.0
#
4.2 Configure SiteB-1
#
isis 1
network-entity 49.0001.0002.0002.0002.00
#
interface GigabitEthernet0/0/1
ip address 192.168.100.1 255.255.255.0
isis enable 1
#
interface GigabitEthernet0/0/2
ip address 192.168.1.254 255.255.255.0
isis enable 1
#
4.3 Configure PE-1
ip vpn-instance SiteA //create VPN instance SiteA
ipv4-family
route-distinguisher 1:1 //set the RD
vpn-target 100:1 export-extcommunity //set the RT attached to exported routes
vpn-target 100:1 import-extcommunity //set the RT matched on imported routes
#
ip vpn-instance SiteB //create VPN instance SiteB
ipv4-family
route-distinguisher 1:2
vpn-target 100:2 export-extcommunity
vpn-target 100:2 import-extcommunity
#
interface LoopBack0
ip address 10.1.1.1 255.255.255.255
#
interface GigabitEthernet0/0/0
ip binding vpn-instance SiteA //bind the interface directly connected to SiteA-1 to the VPN instance
ip address 192.168.100.2 255.255.255.0
#
ospf 1 router-id 10.1.1.1 vpn-instance SiteA //create OSPF process 1 bound to the VPN instance; it peers with the customer site SiteA-1 and receives the SiteA routes
area 0.0.0.0
network 192.168.100.2 0.0.0.0
#
isis 1 vpn-instance SiteB //create IS-IS process 1 bound to the VPN instance; it peers with the customer site SiteB-1 and receives the SiteB routes
network-entity 49.0001.0010.0001.0001.00
#
interface GigabitEthernet0/0/1
ip binding vpn-instance SiteB //bind the interface directly connected to SiteB-1 to the VPN instance
ip address 192.168.100.2 255.255.255.0
isis enable 1 //enable the IS-IS process on the interface
#
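mpls lsr-id 10.1.1.1 //set the LSR ID, which identifies this LSR; it is carried by default when an LDP session is established, and the Transport Address of the TCP connection also defaults to this address; using a Loopback interface address is recommended
#
mpls //enable MPLS globally
#
mpls ldp //enable LDP globally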
#
interface GigabitEthernet0/0/2
ip address 10.0.12.1 255.255.255.0
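mpls //enable MPLS on the interface
mpls ldp //enable LDP on the interface
#
ospf 100 router-id 10.1.1.1 //IGP inside the AS, so that the routers in the MPLS domain can reach each other (which lets LDP allocate labels)
area 0.0.0.0
network 10.0.12.1 0.0.0.0 //interface facing the P-1 router
network 10.1.1.1 0.0.0.0 //this router's own Loopback interface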
#
4.4 Configure the P-1 router
#
interface LoopBack0
ip address 10.2.2.2 255.255.255.255
#
mpls lsr-id 10.2.2.2
#
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/0
ip address 10.0.23.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/2
ip address 10.0.12.2 255.255.255.0
mpls
mpls ldp
#
ospf 100 router-id 10.2.2.2
area 0.0.0.0
network 10.0.12.2 0.0.0.0
network 10.0.23.2 0.0.0.0
network 10.2.2.2 0.0.0.0
#
4.5 Configure ASBR-1
interface LoopBack0
ip address 10.3.3.3 255.255.255.255
#
mpls lsr-id 10.3.3.3
#
mpls
#
mpls ldp
#
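ip vpn-instance SiteA //create the VPN instance; it receives the VPN routes sent by PE-1 and exchanges VPN routes with the ASBR of the other AS
ipv4-family
route-distinguisher 1:3 //the RD is mandatory: after the ASBR receives IPv4 routes from the peer ASBR, it attaches this value when sending them to the PE in its own AS, forming VPNv4 routes
vpn-target 100:1 export-extcommunity //the export RT is mandatory: VPN routes received from the other AS's ASBR must carry it when they are sent to PE-1 (same value as the import RT configured on PE-1)
vpn-target 100:1 import-extcommunity //the import RT is mandatory: VPN routes received from PE-1 must be accepted and stored locally (same value as the export RT configured on PE-1)
#
ip vpn-instance SiteB //same principle as SiteA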
ipv4-family
route-distinguisher 1:4
vpn-target 100:2 export-extcommunity
vpn-target 100:2 import-extcommunity
#
interface GigabitEthernet0/0/1 //bind VPN instance SiteA to the interface facing ASBR-2
ip binding vpn-instance SiteA
ip address 10.10.10.1 255.255.255.0
#
interface GigabitEthernet0/0/2 //bind VPN instance SiteB to the interface facing ASBR-2
ip binding vpn-instance SiteB
ip address 10.10.20.1 255.255.255.0
#
interface GigabitEthernet0/0/0
ip address 10.0.23.3 255.255.255.0
mpls
mpls ldp
#
ospf 100 router-id 10.3.3.3
area 0.0.0.0
network 10.0.23.3 0.0.0.0
network 10.3.3.3 0.0.0.0
#
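4.6 Configure MP-BGP between PE-1 and ASBR-1 to carry VPNv4 routes
4.6.1 Configuration on PE-1
#
bgp 123 //create the BGP process
router-id 10.1.1.1 //set the router ID
peer 10.3.3.3 as-number 123 //establish a BGP peering with ASBR-1
peer 10.3.3.3 connect-interface LoopBack0 //use the LoopBack0 address as the source address of the session with ASBR-1
#
ipv4-family vpnv4 //enable the VPNv4 address family
policy vpn-target
peer 10.3.3.3 enable //enable VPNv4 for this peer
#
ipv4-family vpn-instance SiteA //enable the address family of VPN instance SiteA
import-route ospf 1 //import the routes of site SiteA-1 into BGP so that BGP carries them to ASBR-1
#
ipv4-family vpn-instance SiteB //enable the address family of VPN instance SiteB
import-route isis 1 //import the routes of site SiteB-1 into BGP so that BGP carries them to ASBR-1
#
ospf 1 router-id 10.1.1.1 vpn-instance SiteA
import-route bgp //import BGP routes into the OSPF process of the VPN instance (so that the VPN routes of other sites passed on by ASBR-1 are installed in the VPN routing table and the SiteA-1 router can learn the routes of the other sites)
#
isis 1 vpn-instance SiteB
import-route bgp //import BGP routes into the IS-IS process of the VPN instance, for the same purpose
#
//Importing BGP routes into the VPN routing table is called route crossing. During this step PE-1 uses the RT values carried by the routes to decide which site each of the many VPN routes belongs to, so the RT configuration is critical: the RT values of a site must be set correctly for it to receive the correct routes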
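Because requirement (3) rests entirely on these RT values, the check below (an added example, not part of the original lab) parses the vpn-instance stanzas of PE-1 and ASBR-1 shown on this page and reports every RT match that joins differently named instances. Treating the instance name as the customer identity, the embedded sample text and the deliberately broken ASBR-1 variant are assumptions made for the example.

```python
import re
from itertools import product

# Constructed input: the vpn-instance stanzas of PE-1 and ASBR-1 from this page.
CONFIGS = {
    "PE-1": """
ip vpn-instance SiteA
 ipv4-family
  route-distinguisher 1:1
  vpn-target 100:1 export-extcommunity
  vpn-target 100:1 import-extcommunity
#
ip vpn-instance SiteB
 ipv4-family
  route-distinguisher 1:2
  vpn-target 100:2 export-extcommunity
  vpn-target 100:2 import-extcommunity
#
""",
    "ASBR-1": """
ip vpn-instance SiteA
 ipv4-family
  route-distinguisher 1:3
  vpn-target 100:1 export-extcommunity
  vpn-target 100:1 import-extcommunity
#
ip vpn-instance SiteB
 ipv4-family
  route-distinguisher 1:4
  vpn-target 100:2 export-extcommunity
  vpn-target 100:2 import-extcommunity
#
""",
}

RT_LINE = re.compile(r"vpn-target (.+?) (export-extcommunity|import-extcommunity|both)")

def parse(configs):
    """Return {(device, instance): {"export": set, "import": set}} from config text."""
    vrfs = {}
    for device, text in configs.items():
        cur = None
        for raw in text.splitlines():
            line = raw.split("//")[0].strip()        # drop // annotations
            if line == "#":
                cur = None                           # '#' closes the stanza
            elif m := re.fullmatch(r"ip vpn-instance (\S+)", line):
                cur = vrfs[(device, m.group(1))] = {"export": set(), "import": set()}
            elif cur is not None and (m := RT_LINE.fullmatch(line)):
                rts, direction = set(m.group(1).split()), m.group(2)
                if direction != "import-extcommunity":
                    cur["export"] |= rts
                if direction != "export-extcommunity":
                    cur["import"] |= rts
    return vrfs

def crossing(vrfs):
    """(source, destination) pairs where the destination imports an RT the source exports."""
    return {(s, d) for s, d in product(vrfs, repeat=2)
            if s != d and vrfs[s]["export"] & vrfs[d]["import"]}

def leaks(vrfs):
    """Crossings that join instances with different names (assumed: name = customer)."""
    return sorted((s, d) for s, d in crossing(vrfs) if s[1] != d[1])

# Hypothetical mistake: SiteB on ASBR-1 also imports SiteA's RT 100:1.
BAD = dict(CONFIGS, **{"ASBR-1": CONFIGS["ASBR-1"].replace(
    "vpn-target 100:2 import-extcommunity", "vpn-target 100:1 100:2 import-extcommunity")})

if __name__ == "__main__":
    print("as configured:", leaks(parse(CONFIGS)))
    for src, dst in leaks(parse(BAD)):
        print("LEAK:", src, "->", dst)
```

With the RTs as configured in this lab the leak list is empty; in the broken variant SiteB on ASBR-1 would accept SiteA routes both from PE-1 and from the local SiteA instance.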
4.6.2 Configuration on ASBR-1
#
bgp 123
router-id 10.3.3.3
peer 10.1.1.1 as-number 123
peer 10.1.1.1 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 10.1.1.1 enable
#
ipv4-family vpnv4
policy vpn-target
peer 10.1.1.1 enable
#
4.7 Verification
4.7.2 Verify that the LDP sessions, LSP labels and OSPF neighbors are normal:
Verify the LDP sessions on the P-1 router:
[P-1]display mpls ldp session
LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
10.1.1.1:0 Operational DU Active 0000:00:00 2/2 //LDP session with 10.1.1.1; status Operational means it is established
10.3.3.3:0 Operational DU Passive 0000:00:00 2/2 //LDP session with 10.3.3.3; status Operational means it is established
------------------------------------------------------------------------------
TOTAL: 2 session(s) Found.
[P-1]
Verify the OSPF neighbors on the P-1 router:
[P-1]display ospf peer brief
OSPF Process 100 with Router ID 10.2.2.2
Peer Statistic Information
----------------------------------------------------------------------------
Area Id Interface Neighbor id State
0.0.0.0 GigabitEthernet0/0/2 10.1.1.1 Full
0.0.0.0 GigabitEthernet0/0/0 10.3.3.3 Full
----------------------------------------------------------------------------
[P-1]
View the established LSPs on the P-1 router:
[P-1]display mpls lsp
-------------------------------------------------------------------------------
LSP Information: LDP LSP
-------------------------------------------------------------------------------
FEC In/Out Label In/Out IF Vrf Name
10.2.2.2/32 3/NULL -/-
10.1.1.1/32 NULL/3 -/GE0/0/2
10.1.1.1/32 1024/3 -/GE0/0/2
10.3.3.3/32 NULL/3 -/GE0/0/0
10.3.3.3/32 1025/3 -/GE0/0/0
[P-1]
4.7.3 Verify that the BGP peering between PE-1 and ASBR-1 is normal:
<ASBR-1>display bgp vpnv4 all peer //view the peer relationships
BGP local router ID : 10.3.3.3
Local AS number : 123
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.1.1.1 4 123 184 180 0 02:58:49 Established 4
<ASBR-1>
<ASBR-1>display bgp vpnv4 all routing-table //view the received VPNv4 routes
BGP Local router ID is 10.3.3.3
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total number of routes from all PE: 4
Route Distinguisher: 1:1 //VPNv4 routes with RD 1:1
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 172.16.1.0/24 10.1.1.1 3 100 0 ?
*>i 192.168.100.0 10.1.1.1 0 100 0 ?
Route Distinguisher: 1:2 //VPNv4 routes with RD 1:2
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 192.168.1.0 10.1.1.1 20 100 0 ?
*>i 192.168.100.0 10.1.1.1 0 100 0 ?
VPN-Instance SiteA, Router ID 10.3.3.3: //routing table of VPN instance SiteA
Total Number of Routes: 2
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 172.16.1.0/24 10.1.1.1 3 100 0 ?
*>i 192.168.100.0 10.1.1.1 0 100 0 ?
VPN-Instance SiteB, Router ID 10.3.3.3: //routing table of VPN instance SiteB
Total Number of Routes: 2
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 192.168.1.0 10.1.1.1 20 100 0 ?
*>i 192.168.100.0 10.1.1.1 0 100 0 ?
<ASBR-1>
5. Configuration part 2 (inside AS 456), largely the same as AS 123
5.1 SiteA-2 configuration
#
interface GigabitEthernet0/0/0
ip address 192.168.200.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 172.16.2.254 255.255.255.0
#
bgp 100
router-id 3.3.3.3
peer 192.168.200.2 as-number 456
peer 192.168.200.2 connect-interface GigabitEthernet0/0/0
#
ipv4-family unicast
undo synchronization
network 172.16.2.0 24
network 192.168.200.0 24
peer 192.168.200.2 enable
#
5.2 SiteB-2 configuration
#
interface GigabitEthernet0/0/1
ip address 192.168.2.254 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 192.168.200.1 255.255.255.0
#
bgp 200
router-id 4.4.4.4
peer 192.168.200.2 as-number 456
peer 192.168.200.2 connect-interface GigabitEthernet0/0/2
#
ipv4-family unicast
undo synchronization
network 192.168.2.0 24
network 192.168.200.0 24
peer 192.168.200.2 enable
#
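5.3 PE-2 configuration
#
ip vpn-instance SiteA //create VPN instance SiteA; the instance name is locally significant and only needs to be unique on this device
ipv4-family
route-distinguisher 2:1 //set the RD of the VPN instance; a globally unique value is recommended
vpn-target 200:1 export-extcommunity //set the VPN RT
vpn-target 200:1 import-extcommunity
#
ip vpn-instance SiteB //create VPN instance SiteB; the instance name is locally significant and only needs to be unique on this device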
ipv4-family
route-distinguisher 2:2
vpn-target 200:2 export-extcommunity
vpn-target 200:2 import-extcommunity
#
interface LoopBack0
ip address 20.1.1.1 255.255.255.255
#
mpls lsr-id 20.1.1.1
#
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/0
ip binding vpn-instance SiteA //bind the interface to the VPN instance
ip address 192.168.200.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 10.1.12.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/2
ip binding vpn-instance SiteB //bind the interface to the VPN instance
ip address 192.168.200.2 255.255.255.0
#
ospf 100 router-id 20.1.1.1 //OSPF 100 provides reachability among the routers inside AS 456
area 0.0.0.0
network 10.1.12.1 0.0.0.0
network 20.1.1.1 0.0.0.0
#
bgp 456 //create the BGP process
router-id 20.1.1.1
#
ipv4-family unicast
undo synchronization
#
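ipv4-family vpn-instance SiteA //VPN instance address family; establishes an EBGP peering with the SiteA-2 site router in order to receive the routes from site SiteA-2
peer 192.168.200.1 as-number 100
peer 192.168.200.1 connect-interface GigabitEthernet0/0/0 //the source interface of the session must be the interface bound to the VPN instance
#
ipv4-family vpn-instance SiteB //VPN instance address family; establishes an EBGP peering with the SiteB-2 site router in order to receive the routes from site SiteB-2
peer 192.168.200.1 as-number 200
peer 192.168.200.1 connect-interface GigabitEthernet0/0/2 //the source interface of the session must be the interface bound to the VPN instance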
#
5.4 P-2 configuration
#
interface LoopBack0
ip address 20.2.2.2 255.255.255.255
#
mpls lsr-id 20.2.2.2
#
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/0
ip address 10.1.23.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
ip address 10.1.12.2 255.255.255.0
mpls
mpls ldp
#
ospf 100 router-id 20.2.2.2
area 0.0.0.0
network 10.1.12.2 0.0.0.0
network 10.1.23.2 0.0.0.0
network 20.2.2.2 0.0.0.0
#
5.5 ASBR-2 configuration
#
interface LoopBack0
ip address 20.3.3.3 255.255.255.255
#
ip vpn-instance SiteA //create the VPN instance
ipv4-family
route-distinguisher 2:3
vpn-target 200:1 export-extcommunity //same value as the import RT of VPN instance SiteA on PE-2
vpn-target 200:1 import-extcommunity //same value as the export RT of VPN instance SiteA on PE-2
#
ip vpn-instance SiteB
ipv4-family
route-distinguisher 2:4
vpn-target 200:2 export-extcommunity //same value as the import RT of VPN instance SiteB on PE-2
vpn-target 200:2 import-extcommunity //same value as the export RT of VPN instance SiteB on PE-2
#
mpls lsr-id 20.3.3.3
#
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/0
ip address 10.1.23.3 255.255.255.0
mpls
mpls ldp
#
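interface GigabitEthernet0/0/1 //bind the same site as the peer ASBR-1 does on this link: if the peer binds the instance that belongs to site A, this end must also bind the instance that belongs to site A, i.e. the two ends bind the instances that need to communicate with each other
ip binding vpn-instance SiteA //bind VPN instance SiteA
ip address 10.10.10.2 255.255.255.0
#
interface GigabitEthernet0/0/2
ip binding vpn-instance SiteB //bind VPN instance SiteB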
ip address 10.10.20.2 255.255.255.0
#
ospf 100 router-id 20.3.3.3
area 0.0.0.0
network 10.1.23.3 0.0.0.0
network 20.3.3.3 0.0.0.0
#
5.6 Configure the MP-BGP peering between PE-2 and ASBR-2
5.6.1 Configuration on PE-2
bgp 456
peer 20.3.3.3 as-number 456
peer 20.3.3.3 connect-interface LoopBack0
#
ipv4-family vpnv4
policy vpn-target
peer 20.3.3.3 enable //enable VPNv4 route exchange with this peer
#
5.6.2 Configuration on ASBR-2
bgp 456
router-id 20.3.3.3
peer 20.1.1.1 as-number 456
peer 20.1.1.1 connect-interface LoopBack0
#
ipv4-family vpnv4
policy vpn-target
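peer 20.1.1.1 enable //enable VPNv4 route exchange with this peer
#
5.7 Verification
5.7.1 Verify that the LDP sessions, LSP labels and OSPF neighbors are normal:
<P-2>display ospf peer brief //view the OSPF neighbor relationships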
OSPF Process 100 with Router ID 20.2.2.2
Peer Statistic Information
----------------------------------------------------------------------------
Area Id Interface Neighbor id State
0.0.0.0 GigabitEthernet0/0/1 20.1.1.1 Full
0.0.0.0 GigabitEthernet0/0/0 20.3.3.3 Full
----------------------------------------------------------------------------
<P-2>
<P-2>display mpls ldp session //view the MPLS LDP sessions
LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
20.1.1.1:0 Operational DU Active 0000:00:24 98/98
20.3.3.3:0 Operational DU Passive 0000:00:16 67/67
------------------------------------------------------------------------------
TOTAL: 2 session(s) Found.
<P-2>
<P-2>display mpls lsp //view the established tunnels
-------------------------------------------------------------------------------
LSP Information: LDP LSP
-------------------------------------------------------------------------------
FEC In/Out Label In/Out IF Vrf Name
20.2.2.2/32 3/NULL -/-
20.1.1.1/32 NULL/3 -/GE0/0/1
20.1.1.1/32 1024/3 -/GE0/0/1
20.3.3.3/32 NULL/3 -/GE0/0/0
20.3.3.3/32 1025/3 -/GE0/0/0
<P-2>
5.7.2 Verify that the BGP peering between PE-2 and ASBR-2 is normal:
<ASBR-2>display bgp vpnv4 all peer
BGP local router ID : 20.3.3.3
Local AS number : 456
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
20.1.1.1 4 456 12 10 0 00:08:18 Established 4
<ASBR-2>
<ASBR-2>display bgp vpnv4 all routing-table //view the VPNv4 routes received from PE-2
BGP Local router ID is 20.3.3.3
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total number of routes from all PE: 4
Route Distinguisher: 2:1
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 172.16.2.0/24 20.1.1.1 0 100 0 100i
*>i 192.168.200.0 20.1.1.1 0 100 0 100i
Route Distinguisher: 2:2
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 192.168.2.0 20.1.1.1 0 100 0 200i
*>i 192.168.200.0 20.1.1.1 0 100 0 200i
VPN-Instance SiteA, Router ID 20.3.3.3:
Total Number of Routes: 2
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 172.16.2.0/24 20.1.1.1 0 100 0 100i
*>i 192.168.200.0 20.1.1.1 0 100 0 100i
VPN-Instance SiteB, Router ID 20.3.3.3:
Total Number of Routes: 2
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 192.168.2.0 20.1.1.1 0 100 0 200i
*>i 192.168.200.0 20.1.1.1 0 100 0 200i
<ASBR-2>
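At this point the ASBR of each AS holds the VPN routes of its own AS; the next step is for the two ASBRs to pass these VPN routes to each other
6. Configure the EBGP peering between ASBR-1 and ASBR-2 to exchange ordinary IPv4 (VPN) routes
6.1 Configuration on ASBR-1
bgp 123
ipv4-family vpn-instance SiteA //enable the VPN instance address family
import-route direct //import SiteA's direct routes into the local BGP routing table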
peer 10.10.10.2 as-number 456
peer 10.10.10.2 connect-interface GigabitEthernet0/0/1
#
ipv4-family vpn-instance SiteB
import-route direct //import SiteB's direct routes into the local BGP routing table
peer 10.10.20.2 as-number 456
peer 10.10.20.2 connect-interface GigabitEthernet0/0/2
#
6.2 Configuration on ASBR-2
bgp 456
ipv4-family vpn-instance SiteA //enable the VPN instance address family
import-route direct //import SiteA's direct routes into the local BGP routing table
peer 10.10.10.1 as-number 123
peer 10.10.10.1 connect-interface GigabitEthernet0/0/1
#
ipv4-family vpn-instance SiteB
import-route direct
peer 10.10.20.1 as-number 123
peer 10.10.20.1 connect-interface GigabitEthernet0/0/2
#
6.3 Verification
6.3.1 Verify the EBGP peerings between the ASBRs
Verify on ASBR-1:
<ASBR-1>display bgp vpnv4 all peer
BGP local router ID : 10.3.3.3
Local AS number : 123
Total number of peers : 3 Peers in established state : 3
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.1.1.1 4 123 272 274 0 04:26:01 Established 4
Peer of IPv4-family for vpn instance :
VPN-Instance SiteA, Router ID 10.3.3.3: //peer of VPN instance SiteA; established successfully
10.10.10.2 4 456 6 7 0 00:02:31 Established 3
VPN-Instance SiteB, Router ID 10.3.3.3: //peer of VPN instance SiteB; established successfully
10.10.20.2 4 456 5 7 0 00:01:56 Established 3
<ASBR-1>
6.3.2 Verify that each ASBR receives the peer's VPN routes
Verify on ASBR-1:
<ASBR-1>display bgp vpnv4 all routing-table
BGP Local router ID is 10.3.3.3
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total number of routes from all PE: 14
Route Distinguisher: 1:1 //VPNv4 routes with RD 1:1 (sent by PE-1)
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 172.16.1.0/24 10.1.1.1 3 100 0 ?
*>i 192.168.100.0 10.1.1.1 0 100 0 ?
Route Distinguisher: 1:2 //VPNv4 routes with RD 1:2 (sent by PE-1)
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 192.168.1.0 10.1.1.1 20 100 0 ?
*>i 192.168.100.0 10.1.1.1 0 100 0 ?
Route Distinguisher: 1:3 //VPNv4 routes with RD 1:3, i.e. this router's own VPNv4 routes (RD 1:3 is configured on this router)
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 10.10.10.0/24 0.0.0.0 0 0 ?
* 10.10.10.2 0 0 456?
*> 10.10.10.1/32 0.0.0.0 0 0 ?
*> 172.16.2.0/24 10.10.10.2 0 456 100i
*> 192.168.200.0 10.10.10.2 0 456 100i
Route Distinguisher: 1:4 //VPNv4 routes with RD 1:4, i.e. this router's own VPNv4 routes (RD 1:4 is configured on this router)
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 10.10.20.0/24 0.0.0.0 0 0 ?
* 10.10.20.2 0 0 456?
*> 10.10.20.1/32 0.0.0.0 0 0 ?
*> 192.168.2.0 10.10.20.2 0 456 200i
*> 192.168.200.0 10.10.20.2 0 456 200i
VPN-Instance SiteA, Router ID 10.3.3.3: //routing table of VPN instance SiteA; its entries are the result of the router's RT-based route crossing
Total Number of Routes: 7
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 10.10.10.0/24 0.0.0.0 0 0 ?
10.10.10.2 0 0 456?
*> 10.10.10.1/32 0.0.0.0 0 0 ?
*>i 172.16.1.0/24 10.1.1.1 3 100 0 ?
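*> 172.16.2.0/24 10.10.10.2 0 456 100i //SiteA route received from ASBR-2; the AS_Path carries 456 and the next hop is the ASBR-2 interface
*>i 192.168.100.0 10.1.1.1 0 100 0 ?
*> 192.168.200.0 10.10.10.2 0 456 100i //SiteA route received from ASBR-2; the AS_Path carries 456 and the next hop is the ASBR-2 interface
VPN-Instance SiteB, Router ID 10.3.3.3: //routing table of VPN instance SiteB; its entries are the result of the router's RT-based route crossing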
Total Number of Routes: 7
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 10.10.20.0/24 0.0.0.0 0 0 ?
10.10.20.2 0 0 456?
*> 10.10.20.1/32 0.0.0.0 0 0 ?
*>i 192.168.1.0 10.1.1.1 20 100 0 ?
*> 192.168.2.0 10.10.20.2 0 456 200i //SiteB route received from ASBR-2; the AS_Path carries 456 and the next hop is the ASBR-2 interface
*>i 192.168.100.0 10.1.1.1 0 100 0 ?
*> 192.168.200.0 10.10.20.2 0 456 200i //SiteB route received from ASBR-2; the AS_Path carries 456 and the next hop is the ASBR-2 interface
<ASBR-1>
Verify on ASBR-2:
<ASBR-2>display bgp vpnv4 all routing-table
BGP Local router ID is 20.3.3.3
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total number of routes from all PE: 14
Route Distinguisher: 2:1 //VPNv4 routes with RD 2:1 (sent by PE-2)
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 172.16.2.0/24 20.1.1.1 0 100 0 100i
*>i 192.168.200.0 20.1.1.1 0 100 0 100i
Route Distinguisher: 2:2 //VPNv4 routes with RD 2:2 (sent by PE-2)
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 192.168.2.0 20.1.1.1 0 100 0 200i
*>i 192.168.200.0 20.1.1.1 0 100 0 200i
Route Distinguisher: 2:3 //VPNv4 routes with RD 2:3, i.e. this router's own VPNv4 routes (RD 2:3 is configured on this router)
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 10.10.10.0/24 0.0.0.0 0 0 ?
* 10.10.10.1 0 0 123?
*> 10.10.10.2/32 0.0.0.0 0 0 ?
*> 172.16.1.0/24 10.10.10.1 0 123?
*> 192.168.100.0 10.10.10.1 0 123?
Route Distinguisher: 2:4 //VPNv4 routes with RD 2:4, i.e. this router's own VPNv4 routes (RD 2:4 is configured on this router)
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 10.10.20.0/24 0.0.0.0 0 0 ?
* 10.10.20.1 0 0 123?
*> 10.10.20.2/32 0.0.0.0 0 0 ?
*> 192.168.1.0 10.10.20.1 0 123?
*> 192.168.100.0 10.10.20.1 0 123?
VPN-Instance SiteA, Router ID 20.3.3.3:
Total Number of Routes: 7
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 10.10.10.0/24 0.0.0.0 0 0 ?
10.10.10.1 0 0 123?
*> 10.10.10.2/32 0.0.0.0 0 0 ?
*> 172.16.1.0/24 10.10.10.1 0 123? //SiteA route received from ASBR-1; the AS_Path carries 123 and the next hop is the ASBR-1 interface
*>i 172.16.2.0/24 20.1.1.1 0 100 0 100i
*> 192.168.100.0 10.10.10.1 0 123? //SiteA route received from ASBR-1; the AS_Path carries 123 and the next hop is the ASBR-1 interface
*>i 192.168.200.0 20.1.1.1 0 100 0 100i
VPN-Instance SiteB, Router ID 20.3.3.3:
Total Number of Routes: 7
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 10.10.20.0/24 0.0.0.0 0 0 ?
10.10.20.1 0 0 123?
*> 10.10.20.2/32 0.0.0.0 0 0 ?
*> 192.168.1.0 10.10.20.1 0 123?
*>i 192.168.2.0 20.1.1.1 0 100 0 200i
*> 192.168.100.0 10.10.20.1 0 123?
*>i 192.168.200.0 20.1.1.1 0 100 0 200i
<ASBR-2>
7. End-to-end verification
Verify on PE-1:
<PE-1>display bgp vpnv4 all routing-table
BGP Local router ID is 10.1.1.1
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total number of routes from all PE: 10
Route Distinguisher: 1:1
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 172.16.1.0/24 0.0.0.0 3 0 ?
*> 192.168.100.0 0.0.0.0 0 0 ?
Route Distinguisher: 1:2
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 192.168.1.0 0.0.0.0 20 0 ?
*> 192.168.100.0 0.0.0.0 0 0 ?
Route Distinguisher: 1:3
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 10.10.10.0/24 10.3.3.3 0 100 0 ?
*>i 172.16.2.0/24 10.3.3.3 100 0 456 100i
*>i 192.168.200.0 10.3.3.3 100 0 456 100i
Route Distinguisher: 1:4
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 10.10.20.0/24 10.3.3.3 0 100 0 ?
*>i 192.168.2.0 10.3.3.3 100 0 456 200i
*>i 192.168.200.0 10.3.3.3 100 0 456 200i
VPN-Instance SiteA, Router ID 10.1.1.1:
Total Number of Routes: 5
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 10.10.10.0/24 10.3.3.3 0 100 0 ?
*> 172.16.1.0/24 0.0.0.0 3 0 ?
*>i 172.16.2.0/24 10.3.3.3 100 0 456 100i //route of site SiteA-2 learned
*> 192.168.100.0 0.0.0.0 0 0 ?
*>i 192.168.200.0 10.3.3.3 100 0 456 100i
VPN-Instance SiteB, Router ID 10.1.1.1:
Total Number of Routes: 5
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 10.10.20.0/24 10.3.3.3 0 100 0 ?
*> 192.168.1.0 0.0.0.0 20 0 ?
*>i 192.168.2.0 10.3.3.3 100 0 456 200i //route of site SiteB-2 learned
*> 192.168.100.0 0.0.0.0 0 0 ?
*>i 192.168.200.0 10.3.3.3 100 0 456 200i
<PE-1>
Verify on PE-2:
<PE-2>display bgp vpnv4 all routing-table
BGP Local router ID is 20.1.1.1
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total number of routes from all PE: 10
Route Distinguisher: 2:1
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 172.16.2.0/24 192.168.200.1 0 0 100i
*> 192.168.200.0 192.168.200.1 0 0 100i
Route Distinguisher: 2:2
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 192.168.2.0 192.168.200.1 0 0 200i
*> 192.168.200.0 192.168.200.1 0 0 200i
Route Distinguisher: 2:3
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 10.10.10.0/24 20.3.3.3 0 100 0 ?
*>i 172.16.1.0/24 20.3.3.3 100 0 123?
*>i 192.168.100.0 20.3.3.3 100 0 123?
Route Distinguisher: 2:4
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 10.10.20.0/24 20.3.3.3 0 100 0 ?
*>i 192.168.1.0 20.3.3.3 100 0 123?
*>i 192.168.100.0 20.3.3.3 100 0 123?
VPN-Instance SiteA, Router ID 20.1.1.1:
Total Number of Routes: 5
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 10.10.10.0/24 20.3.3.3 0 100 0 ?
*>i 172.16.1.0/24 20.3.3.3 100 0 123? //route of site SiteA-1 learned
*> 172.16.2.0/24 192.168.200.1 0 0 100i
*>i 192.168.100.0 20.3.3.3 100 0 123?
192.168.200.0 192.168.200.1 0 0 100i
VPN-Instance SiteB, Router ID 20.1.1.1:
Total Number of Routes: 5
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 10.10.20.0/24 20.3.3.3 0 100 0 ?
*>i 192.168.1.0 20.3.3.3 100 0 123? //route of site SiteB-1 learned
*> 192.168.2.0 192.168.200.1 0 0 200i
*>i 192.168.100.0 20.3.3.3 100 0 123?
192.168.200.0 192.168.200.1 0 0 200i
<PE-2>
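Verify on SiteA-1:
Two OSPF external routes are learned (they are imported from BGP into OSPF, hence O_ASE); these are the routes of site SiteA-2
Ping test between the PCs (PC1 pings PC3): OK
View the packet capture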
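8. Data flow analysis: 172.16.1.1 pings 172.16.2.1:
(1) The SiteA-1 router receives the ICMP packet from 172.16.1.1 to 172.16.2.1, looks up its routing table, and sends the packet out of g0/0/0 to PE-1 (the next hop 192.168.100.2 is the PE-1 interface address)
(2) PE-1 receives the ICMP packet on G0/0/0 (192.168.100.2) and reads the IP destination address 172.16.2.1; because the packet arrived on an interface bound to VPN instance SiteA, it looks up the SiteA forwarding table;
The SiteA FIB matches an entry for 172.16.2.0 with next hop 10.0.12.2 and a non-zero Tunnel ID, so the router knows that tunnel forwarding is required (a non-zero Tunnel ID means the packet must be forwarded through a tunnel or by MPLS)
(3) PE-1 uses Tunnel ID 3 to look up the NHLFE (next hop label forwarding entry, which gives the label to impose or another tunnel operation)
The figure below shows that the outgoing tunnel type is LSP, the label is 1025 and the outgoing interface is g0/0/2, so MPLS tunnel forwarding is required, but the label operation (push or swap) is not yet known
(4) PE-1 uses the outgoing label 1025 to look up the ILM table
The table below contains the entry whose Token matches the Tunnel ID, which tells the router that the label operation is Push
(5) Because this is a VPN route (VPNv4), the forwarded packet must also carry the label that BGP assigned to the route 172.16.2.0 (the inner label, also called the VPN label), so PE-1 looks up the BGP label table;
The table below shows that the VPN label is 1030, assigned by router 10.3.3.3 (ASBR-1)
(6) PE-1 encapsulates the IP packet with inner VPN label 1030 and outer label 1025, forming an MPLS packet, and sends it out of G0/0/2, producing the following packet:
(7) The packet travels from PE-1 to P-1; P-1 receives the MPLS packet, reads the outer label 1025, and looks up the ILM table to forward it
The table below shows that the outgoing label is 3 (implicit null label), the outgoing interface is g0/0/0 and the operation is SWAP
Because of PHP, P-1 pops the outer label and then sends the packet out of g0/0/0, so the packet reaches ASBR-1 carrying only the inner label (VPN label)
(8) ASBR-1 receives the packet carrying only inner label 1030 and looks up the ILM (incoming label map)
The table below shows that packets carrying label 1030 belong to VRF SiteA and the operation is POP, so ASBR-1 pops the inner label, leaving an ordinary IPv4 packet, and forwards it by looking up destination 172.16.2.1 in the SiteA routing table
ASBR-1 looks up the SiteA routing table and finds that packets for 172.16.2.0 go to next hop 10.10.10.2 (ASBR-2) through outgoing interface g0/0/1 (Tunnel ID 0 means ordinary table-lookup forwarding)
(9) ASBR-2 receives the IPv4 packet; because it arrived on a local interface bound to VPN instance SiteA, ASBR-2 looks up the SiteA routing table to forward it;
The table below shows that packets ASBR-2 sends to 172.16.2.0 require tunnel or MPLS forwarding (non-zero Tunnel ID)
(10) ASBR-2 then uses the Tunnel ID to look up the NHLFE (next hop label forwarding entry)
The table below shows that the outgoing label is 1024 and the outgoing interface is g0/0/0; the label operation needs a further lookup of the ILM (incoming label map) by outgoing label
Looking up the ILM (incoming label map) by outgoing label 1024 and selecting the entry whose Token matches the Tunnel ID shows that the label operation is PUSH
(11) Because the packet was received on a VPN instance interface, a VPN label (inner label) must also be added, so ASBR-2 looks up the label that BGP assigned to the VPNv4 route
The table below shows that the VPN label is 1027, assigned by router 20.1.1.1
(12) ASBR-2 encapsulates the IPv4 packet with inner label 1027 and outer label 1024, forming an MPLS packet, and sends it out of g0/0/0
(13) P-2 receives the MPLS packet with outer label 1024 and looks up the ILM (incoming label map) directly
The table below shows that the outgoing label is 3 (implicit null label), so P-2 pops the outer label and sends the MPLS packet, now carrying a single label, out of G0/0/1
(14) PE-2 receives the MPLS packet with a single label, 1027, and looks up the ILM
The table below shows that packets with label 1027 belong to SiteA and the operation is POP, so PE-2 pops the VPN label and forwards by looking up the SiteA routing table
(15) PE-2 looks up the SiteA forwarding table and sends the packet out of G0/0/0 to next hop 192.168.200.1 (the SiteA-2 router)
(16) The SiteA-2 router receives the packet, looks up its table, finds that 172.16.2.0 is a directly connected route, and sends the packet out of the interface to PC3
(17) The return path works the same way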
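The walk in steps (1) to (16), as an added example rather than output from the lab devices: a small table-driven model that returns the label stack carried on every link, using the labels quoted above (1025/1030 in AS 123, 1024/1027 in AS 456). The tables are constructed from the step descriptions and collapse the FIB, NHLFE and ILM lookups into one entry per router; per-interface VRF selection is not modelled.

```python
import ipaddress

IMPLICIT_NULL = 3  # advertised by the egress LSR; the penultimate hop pops (PHP)

# Constructed tables, one entry per lookup in steps (1)-(16) (assumed model).
# fib: prefix -> (labels to push, outer first; next hop)   ilm: in-label -> action
ROUTERS = {
    "SiteA-1": {"fib": {"172.16.2.0/24": ([], "PE-1")}},
    "PE-1":    {"fib": {"172.16.2.0/24": ([1025, 1030], "P-1")}},      # VRF SiteA
    "P-1":     {"ilm": {1025: ("swap", IMPLICIT_NULL, "ASBR-1")}},
    "ASBR-1":  {"ilm": {1030: ("pop-to-vrf",)},
                "fib": {"172.16.2.0/24": ([], "ASBR-2")}},             # Tunnel ID 0
    "ASBR-2":  {"fib": {"172.16.2.0/24": ([1024, 1027], "P-2")}},      # VRF SiteA
    "P-2":     {"ilm": {1024: ("swap", IMPLICIT_NULL, "PE-2")}},
    "PE-2":    {"ilm": {1027: ("pop-to-vrf",)},
                "fib": {"172.16.2.0/24": ([], "SiteA-2")}},
    "SiteA-2": {"fib": {"172.16.2.0/24": ([], None)}},                 # connected: deliver
}

def fib_lookup(router, dst):
    """Longest-prefix match in the router's (VRF) FIB."""
    addr = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(p) for p in ROUTERS[router].get("fib", {})]
    hits = [n for n in nets if addr in n]
    if not hits:
        raise LookupError(f"{router}: no route to {dst}")
    best = max(hits, key=lambda n: n.prefixlen)
    return ROUTERS[router]["fib"][str(best)]

def trace(dst, ingress):
    """Return [(router, next_hop, label_stack)] with the stack as sent on each link."""
    hops, node, stack = [], ingress, []
    while node is not None:
        if stack:                                  # labelled: ILM lookup on the top label
            action = ROUTERS[node]["ilm"][stack[0]]
            stack = stack[1:]
            if action[0] == "swap":
                _, out, nxt = action
                if out != IMPLICIT_NULL:           # label 3 is never sent on the wire
                    stack = [out] + stack
            else:                                  # VPN label popped: route as plain IP
                push, nxt = fib_lookup(node, dst)
                stack = list(push) + stack
        else:                                      # unlabelled: FIB lookup, maybe push
            push, nxt = fib_lookup(node, dst)
            stack = list(push)
        if nxt is not None:
            hops.append((node, nxt, list(stack)))
        node = nxt
    return hops

def labelled_links(hops, boundary):
    """Links in `boundary` that carry a label; Option A expects none between ASBRs."""
    return [(a, b, s) for a, b, s in hops if (a, b) in boundary and s]

if __name__ == "__main__":
    for a, b, s in trace("172.16.2.1", "SiteA-1"):
        print(f"{a:8} -> {b:8} labels={s}")
```

The ASBR-1 to ASBR-2 link carries no label at all: in this VRF-to-VRF design each ASBR treats the other as a CE, so isolation on that link depends on the interface-to-instance binding rather than on a label.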
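Finally: summary
A router probably does not need to perform the tedious table lookups described above; its internal hardware/software associates the entries with one another through the Tunnel ID and the Token ID
The information above is meant for troubleshooting and study; it makes it easier to learn and understand how a router processes MPLS VPN data.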