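1. Network topology
2. Lab requirements
(1) The two SiteA sites can communicate across the AS boundary (PC1 can ping PC3)
(2) The two SiteB sites can communicate across the AS boundary (PC2 can ping PC4)
(3) Different sites cannot communicate with each other
(4) Data is forwarded using MPLS labels
(5) Forwarded data does not pass through the RR devices; the RR routers only distribute routes and do not forward data
3. Lab analysis:
(1) Each site router runs the required routing protocol so that the site routes are advertised to the PE (SiteA-1 runs OSPF, SiteB-1 runs IS-IS, SiteA-2 runs BGP 100, SiteB-2 runs BGP 200)
(2) Inside each AS, configure an IGP for internal reachability and configure MPLS/MPLS LDP to enable label forwarding
(3) The PE and ASBR establish MP-IBGP with the RR, and the ASBRs establish MP-EBGP with each other; all of these sessions carry VPNv4 routes
(4) The PE and ASBR are both clients of the RR
(5) The RTs of the VPN instances configured on the two PEs must match so that routes of the same site are identified correctly
4. Configuration steps (AS 123):
4.1 SiteA-1 configuration: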
#
interface GigabitEthernet0/0/0
ip address 192.168.100.1 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 172.16.1.254 255.255.255.0
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 172.16.1.254 0.0.0.0
network 192.168.100.1 0.0.0.0
#
4.2 SiteB-1 configuration:
#
isis 1
network-entity 49.0001.0002.0002.0002.00
#
interface GigabitEthernet0/0/1
ip address 192.168.100.1 255.255.255.0
isis enable 1
#
interface GigabitEthernet0/0/2
ip address 192.168.1.254 255.255.255.0
isis enable 1
#
4.3 PE-1 configuration:
#
interface LoopBack0
ip address 10.1.1.1 255.255.255.255
#
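ip vpn-instance SiteA //Create VPN instance SiteA; the instance name is locally significant and only needs to be unique on this device
ipv4-family
route-distinguisher 1:1 //Set the RD; it should be globally unique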
vpn-target 100:1 export-extcommunity
vpn-target 100:1 import-extcommunity
#
ip vpn-instance SiteB //Create VPN instance SiteB
ipv4-family
route-distinguisher 1:2
vpn-target 100:2 export-extcommunity
vpn-target 100:2 import-extcommunity
#
mpls lsr-id 10.1.1.1 //Configure the LSR ID; the Loopback address is recommended, because the transport address of the LDP session defaults to the LSR ID
#
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/0 //Interface bound to VPN instance SiteA
ip binding vpn-instance SiteA
ip address 192.168.100.2 255.255.255.0
#
ospf 1 router-id 10.1.1.1 vpn-instance SiteA //Create the OSPF process for VPN instance SiteA to learn the routes advertised by SiteA-1
area 0.0.0.0
network 192.168.100.2 0.0.0.0
#
isis 1 vpn-instance SiteB //Create the IS-IS process for VPN instance SiteB to learn the routes advertised by SiteB-1
network-entity 49.0001.0010.0001.0001.00
#
interface GigabitEthernet0/0/1 //Interface bound to VPN instance SiteB
ip binding vpn-instance SiteB
ip address 192.168.100.2 255.255.255.0
isis enable 1
#
interface GigabitEthernet0/0/2
ip address 10.0.12.1 255.255.255.0
mpls
mpls ldp
#
ospf 100 router-id 10.1.1.1 //Create OSPF process 100 and advertise the directly connected intra-AS interfaces and the Loopback interface
area 0.0.0.0
network 10.0.12.1 0.0.0.0
network 10.1.1.1 0.0.0.0
#
4.4 P-1 configuration:
#
interface LoopBack0
ip address 10.2.2.2 255.255.255.255
#
mpls lsr-id 10.2.2.2
#
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/0
ip address 10.0.23.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1 //The interface facing the RR needs neither MPLS nor LDP, because the RR only distributes VPNv4 routes; IGP reachability is sufficient
ip address 10.0.24.2 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 10.0.12.2 255.255.255.0
mpls
mpls ldp
#
ospf 100 router-id 10.2.2.2 //Create OSPF process 100 and advertise the directly connected intra-AS interfaces and the Loopback interface
area 0.0.0.0
network 10.0.12.2 0.0.0.0
network 10.0.23.2 0.0.0.0
network 10.0.24.2 0.0.0.0
network 10.2.2.2 0.0.0.0
#
4.5 ASBR-1 configuration:
#
interface LoopBack0
ip address 10.3.3.3 255.255.255.255
#
mpls lsr-id 10.3.3.3
#
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/0
ip address 10.0.23.3 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1 //The interface directly connected to the other AS does not need LDP; only MPLS is enabled so that labeled packets can be forwarded
ip address 10.10.10.1 255.255.255.0
mpls
#
ospf 100 router-id 10.3.3.3 //Create OSPF process 100 and advertise the directly connected intra-AS interfaces and the Loopback interface
area 0.0.0.0
network 10.0.23.3 0.0.0.0
network 10.3.3.3 0.0.0.0
#
4.6 RR-1 configuration:
#
interface LoopBack0
ip address 10.4.4.4 255.255.255.255
#
interface GigabitEthernet0/0/0
ip address 10.0.24.4 255.255.255.0
#
ospf 100 router-id 10.4.4.4
area 0.0.0.0
network 10.0.24.4 0.0.0.0
network 10.4.4.4 0.0.0.0
#
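4.7 Verify that the intra-AS OSPF neighbors, MPLS LDP sessions and MPLS LSPs are normal
4.7.1 Check on P-1
OSPF neighbors
MPLS LDP sessions
MPLS LSP tunnels
4.8 Configure PE-1 and ASBR-1 to establish MP-IBGP neighbor relationships with RR-1
4.8.1 Configuration on PE-1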
#
bgp 123
router-id 10.1.1.1 //Uniquely identifies a BGP router
peer 10.4.4.4 as-number 123 //Peer RR-1
peer 10.4.4.4 connect-interface LoopBack0 //Use the Loopback interface as the connection source
#
ipv4-family vpnv4
peer 10.4.4.4 enable
#
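ipv4-family vpn-instance SiteA //Create the address family for VPN instance SiteA
import-route ospf 1 //Import the OSPF 1 routes of VPN instance SiteA
#
ipv4-family vpn-instance SiteB //Create the address family for VPN instance SiteB
import-route isis 1 //Import the IS-IS 1 routes of VPN instance SiteB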
#
ospf 1 router-id 10.1.1.1 vpn-instance SiteA
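import-route bgp //Import BGP routes into the OSPF routes of VPN instance SiteA (once PE-1 has learned routes from other SiteA sites, they can be imported from BGP into OSPF; this process is called route crossing, i.e. the RT matching process)
#
isis 1 vpn-instance SiteB
import-route bgp //Import BGP routes into the IS-IS routes of VPN instance SiteB
#
4.8.2 Configuration on ASBR-1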
bgp 123
router-id 10.3.3.3
peer 10.4.4.4 as-number 123
peer 10.4.4.4 connect-interface LoopBack0
#
ipv4-family vpnv4
undo policy vpn-target //Remove the default policy (VPN-target filtering); the ASBR needs to retain VPNv4 routes
peer 10.4.4.4 enable
#
4.8.3 Configuration on RR-1
bgp 123
router-id 10.4.4.4
peer 10.1.1.1 as-number 123 //Establish a peer relationship with PE-1
peer 10.1.1.1 connect-interface LoopBack0
peer 10.3.3.3 as-number 123 //Establish a peer relationship with ASBR-1
peer 10.3.3.3 connect-interface LoopBack0
#
ipv4-family vpnv4
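undo policy vpn-target //Remove the default policy (VPN-target filtering); the RR needs to retain VPNv4 routes
peer 10.1.1.1 enable //Enable VPNv4 capability for the peer
peer 10.1.1.1 reflect-client //Configure the peer as a route reflector client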
peer 10.3.3.3 enable
peer 10.3.3.3 reflect-client
#
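4.9 Verification
MP-IBGP peer relationships established with PE-1 and ASBR-1
RR-1 receives the VPNv4 routes advertised by PE-1
ASBR-1 receives the VPNv4 routes reflected by RR-1
Loop-prevention attributes specific to route reflection are carried on reflected routes
5.0 Configuration steps (inside AS 456)
5.1 SiteA-2 configuration: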
#
interface GigabitEthernet0/0/0
ip address 192.168.200.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 172.16.2.254 255.255.255.0
#
bgp 100
router-id 3.3.3.3
peer 192.168.200.2 as-number 456
peer 192.168.200.2 connect-interface GigabitEthernet0/0/0
network 172.16.2.0 24
network 192.168.200.0 24
#
5.2 SiteB-2 configuration:
#
interface GigabitEthernet0/0/1
ip address 192.168.2.254 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 192.168.200.1 255.255.255.0
#
bgp 200
router-id 4.4.4.4
peer 192.168.200.2 as-number 456
peer 192.168.200.2 connect-interface GigabitEthernet0/0/2
network 192.168.2.0 24
network 192.168.200.0 24
#
5.3 PE-2 configuration:
#
interface LoopBack0
ip address 20.1.1.1 255.255.255.255
#
mpls lsr-id 20.1.1.1
#
mpls
#
mpls ldp
#
ip vpn-instance SiteA //Configure VPN instance SiteA
ipv4-family
route-distinguisher 2:1
vpn-target 100:1 export-extcommunity
vpn-target 100:1 import-extcommunity
#
ip vpn-instance SiteB //Configure VPN instance SiteB
ipv4-family
route-distinguisher 2:2
vpn-target 100:2 export-extcommunity
vpn-target 100:2 import-extcommunity
#
interface GigabitEthernet0/0/0 //Interface bound to a VPN instance
ip binding vpn-instance SiteA
ip address 192.168.200.2 255.255.255.0
#
interface GigabitEthernet0/0/1 //Intra-AS directly connected interface with MPLS and MPLS LDP enabled
ip address 10.1.12.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/2 //Interface bound to a VPN instance
ip binding vpn-instance SiteB
ip address 192.168.200.2 255.255.255.0
#
bgp 456
router-id 20.1.1.1
#
ipv4-family vpn-instance SiteA //Enable the address family for VPN instance SiteA and peer over EBGP with the SiteA-2 router
peer 192.168.200.1 as-number 100
peer 192.168.200.1 connect-interface GigabitEthernet0/0/0
#
ipv4-family vpn-instance SiteB //Enable the address family for VPN instance SiteB and peer over EBGP with the SiteB-2 router
peer 192.168.200.1 as-number 200
peer 192.168.200.1 connect-interface GigabitEthernet0/0/2
#
ospf 100 router-id 20.1.1.1 //Create OSPF process 100 for intra-AS connectivity
area 0.0.0.0
network 10.1.12.1 0.0.0.0
network 20.1.1.1 0.0.0.0
#
5.4 P-2 configuration:
#
interface LoopBack0
ip address 20.2.2.2 255.255.255.255
#
#
mpls lsr-id 20.2.2.2
#
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/0
ip address 10.1.23.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
ip address 10.1.12.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/2 //The interface directly connected to the RR needs neither MPLS nor LDP; the RR only distributes and reflects routes and does not forward data
ip address 10.1.24.2 255.255.255.0
#
ospf 100 router-id 20.2.2.2 //OSPF 100, intra-AS connectivity
area 0.0.0.0
network 10.1.12.2 0.0.0.0
network 10.1.23.2 0.0.0.0
network 10.1.24.2 0.0.0.0
network 20.2.2.2 0.0.0.0
#
5.5 ASBR-2 configuration:
#
interface LoopBack0
ip address 20.3.3.3 255.255.255.255
#
mpls lsr-id 20.3.3.3
#
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/0
ip address 10.1.23.3 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1 //Interface to ASBR-1
ip address 10.10.10.2 255.255.255.0
mpls
#
ospf 100 router-id 20.3.3.3
area 0.0.0.0
network 10.1.23.3 0.0.0.0
network 20.3.3.3 0.0.0.0
#
5.6 RR-2 configuration:
#
interface LoopBack0
ip address 20.4.4.4 255.255.255.255
#
interface GigabitEthernet0/0/0
ip address 10.1.24.4 255.255.255.0
#
ospf 100 router-id 20.4.4.4
area 0.0.0.0
network 10.1.24.4 0.0.0.0
network 20.4.4.4 0.0.0.0
#
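5.7 Verify the OSPF neighbors, MPLS LDP sessions and MPLS LSP tunnels
5.7.1 Check on P-2
OSPF neighbor relationships
MPLS LDP sessions
MPLS LSP tunnels
6.0 PE-2 and ASBR-2 establish MP-IBGP peer relationships with RR-2
6.1 Configuration on PE-2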
#
bgp 456
peer 20.4.4.4 as-number 456 //Establish a peer relationship with RR-2
peer 20.4.4.4 connect-interface LoopBack0
#
ipv4-family vpnv4 //VPNv4 address family
policy vpn-target
peer 20.4.4.4 enable //Enable the peer
6.2 Configuration on ASBR-2
#
bgp 456
router-id 20.3.3.3
peer 20.4.4.4 as-number 456
peer 20.4.4.4 connect-interface LoopBack0
#
ipv4-family vpnv4
undo policy vpn-target //The ASBR needs to retain VPNv4 routes, so the default policy is removed
peer 20.4.4.4 enable
#
6.3 Configuration on RR-2
bgp 456
router-id 20.4.4.4
peer 20.1.1.1 as-number 456
peer 20.1.1.1 connect-interface LoopBack0
peer 20.3.3.3 as-number 456
peer 20.3.3.3 connect-interface LoopBack0
#
ipv4-family vpnv4
undo policy vpn-target //RR-2 needs to retain VPNv4 routes, so the default policy is removed
peer 20.1.1.1 enable
peer 20.1.1.1 reflect-client //PE-2 is an RR client
peer 20.3.3.3 enable
peer 20.3.3.3 reflect-client //ASBR-2 is an RR client
#
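6.4 Verify MP-IBGP and the VPNv4 routes
6.4.1 Check on RR-2
BGP peer relationships
RR-2 receives the VPNv4 routes sent by PE-2
6.4.2 Check on ASBR-2
ASBR-2 receives the VPNv4 routes reflected by RR-2
7.0 ASBR-1 and ASBR-2 establish an MP-EBGP peer relationship to exchange VPNv4 routes
7.1 Configuration on ASBR-1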
#
bgp 123
peer 10.10.10.2 as-number 456 //Establish the EBGP peer
peer 10.10.10.2 connect-interface GigabitEthernet0/0/1 //Use the directly connected interface
#
ipv4-family vpnv4
peer 10.10.10.2 enable //Enable VPNv4 capability
#
7.2 Configuration on ASBR-2
#
bgp 456
peer 10.10.10.1 as-number 123 //Establish the EBGP peer
peer 10.10.10.1 connect-interface GigabitEthernet0/0/1 //Use the directly connected interface
#
ipv4-family vpnv4
peer 10.10.10.1 enable //Enable VPNv4 capability
#
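7.3 Verify the EBGP peer relationship between the ASBRs and that VPNv4 routes are exchanged
7.3.1 Check on ASBR-1
MP-EBGP neighbor relationship established
VPNv4 routes sent by ASBR-2 have been learned
7.3.2 Check on ASBR-2
VPNv4 routes sent by ASBR-1 have been learned
8.0 Overall verification
8.1 Check the VPNv4 routes on RR-1
RR-1 receives the VPNv4 routes from AS 456
8.2 Check on PE-1
PE-1 receives the VPN routes of the other sites; through route crossing (RT matching) the router automatically imports the matching VPNv4 routes into the correct VPN instance routing table
8.3 Ping test
PC1 ping PC3 (access between sites of SiteA)
PC2 ping PC4
8.4 Route propagation diagram
1: SiteA-1 passes its routes to PE-1 through OSPF
2: SiteB-1 passes its routes to PE-1 through IS-IS
3: PE-1 adds the RD and RT values of the VPN instance to the routes sent by SiteA-1 and SiteB-1, forming VPNv4 routes, and sends them to its IBGP peer RR-1
4: RR-1 reflects the VPNv4 routes sent by PE-1 to ASBR-1 (RD and RT values unchanged), carrying the route-reflection attributes (Originator, Cluster)
5: ASBR-1 sends the VPNv4 routes reflected by RR-1 to ASBR-2 (RD and RT values unchanged), without the route-reflection attributes
6: ASBR-2 sends the VPNv4 routes sent by ASBR-1 to RR-2 (RD and RT values unchanged), without the route-reflection attributes
7: RR-2 reflects the VPNv4 routes sent by ASBR-2 to PE-2 (RD and RT values unchanged), carrying the route-reflection attributes (Originator, Cluster)
8: PE-2 matches the RT values of the received VPNv4 routes, imports the routes that belong to SiteA into the VPN instance routing table and sends them to SiteA-2
9: PE-2 matches the RT values of the received VPNv4 routes, imports the routes that belong to SiteB into the VPN instance routing table and sends them to SiteB-2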
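The RT matching in steps 3 to 9 is what keeps SiteA and SiteB apart, so it is worth modelling. The following is an added example, not part of the original lab: it uses the RD/RT values from the PE-1 and PE-2 configuration, assumes the site prefixes derived from the interface addresses above, and all function names are hypothetical.

```python
# Added example: models RT-based import ("route crossing") with this lab's RD/RT values.
from collections import namedtuple

Vpnv4 = namedtuple("Vpnv4", "rd prefix rts")   # a VPNv4 route is keyed by RD + IPv4 prefix

# VRF definitions copied from the PE-1 / PE-2 configuration in this lab.
PE1 = {"SiteA": {"rd": "1:1", "export": {"100:1"}, "import": {"100:1"}},
       "SiteB": {"rd": "1:2", "export": {"100:2"}, "import": {"100:2"}}}
PE2 = {"SiteA": {"rd": "2:1", "export": {"100:1"}, "import": {"100:1"}},
       "SiteB": {"rd": "2:2", "export": {"100:2"}, "import": {"100:2"}}}

def export_routes(vrfs, site_prefixes):
    """PE egress: prepend the VRF's RD and attach its export RTs."""
    return [Vpnv4(vrfs[v]["rd"], p, frozenset(vrfs[v]["export"]))
            for v, prefixes in site_prefixes.items() for p in prefixes]

def receive(routes, vrfs=None, policy_vpn_target=True):
    """VPNv4 ingress. With the filter on, routes matching no local import RT are
    dropped; the RRs and ASBRs run 'undo policy vpn-target' and keep everything."""
    if not policy_vpn_target:
        return list(routes)
    wanted = set().union(*(v["import"] for v in vrfs.values()))
    return [r for r in routes if r.rts & wanted]

def cross(routes, vrfs):
    """Route crossing: copy each route into every VRF whose import RT matches."""
    return {name: sorted(r.prefix for r in routes if r.rts & v["import"])
            for name, v in vrfs.items()}

def leaks(tables, expected):
    """Audit helper: prefixes present in a VRF that do not belong to that VPN."""
    return {name: sorted(set(p) - expected[name]) for name, p in tables.items()
            if set(p) - expected[name]}

# Assumed prefixes (from the interface addresses). Both VRFs on PE-1 carry
# 192.168.100.0/24; the RD keeps the two VPNv4 routes distinct.
SITES = {"SiteA": ["172.16.1.0/24", "192.168.100.0/24"],
         "SiteB": ["192.168.1.0/24", "192.168.100.0/24"]}
EXPECTED = {name: set(p) for name, p in SITES.items()}

def run(pe2_vrfs=PE2):
    adverts = export_routes(PE1, SITES)
    transit = receive(adverts, policy_vpn_target=False)   # RR-1, ASBR-1, ASBR-2, RR-2
    tables = cross(receive(transit, pe2_vrfs), pe2_vrfs)
    return transit, tables

if __name__ == "__main__":
    transit, tables = run()
    print(len(transit), tables, leaks(tables, EXPECTED))
```

Passing `run()` a copy of PE2 whose SiteB import RT is changed to 100:1 makes `leaks()` report 172.16.1.0/24 inside SiteB, which is the kind of RT mismatch to audit for before relying on requirement (3).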
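9.0 Analysis of data forwarding for PC1 ping PC3
9.0.1 SiteA receives the ICMP packet sent by PC1, parses the destination address 172.16.2.1 and looks up the forwarding table
The router matches a route for 172.16.2.0 with next hop 192.168.200.2 and outbound interface G0/0/0
9.0.2 PE-1 receives the ICMP packet and parses the destination address 172.16.2.1; because the packet arrived on an interface bound to VPN instance SiteA, the SiteA forwarding table must be searched
The SiteA routing table matches a route with outbound interface G0/0/2; the Tunnel ID is non-zero, which means the data must be forwarded through a tunnel, i.e. by MPLS
Based on the tunnel ID, PE-1 queries the NHLFE and learns that the outgoing label is 1025 and the outbound interface is G0/0/2
Based on outgoing label 1025 and Tunnel ID 0x3, PE-1 looks up the ILM (incoming label map) and learns that the label operation type is PUSH
Because the data arrived on a VPN interface, it must also carry a VPN label (inner label); VPN labels are allocated by BGP, so PE-1 checks the label that BGP allocated for 172.16.2.0/24
PE-1 builds the packet with outer label 1025 and inner label 1031, forming an MPLS packet, and sends it out of interface G0/0/2
9.0.4 P-1 receives the MPLS packet with outer label 1025 and checks the ILM
From the table below, P-1 learns that the outgoing label is 3 (implicit null label), the action is SWAP and the outbound interface is G0/0/0
Following the PHP behavior, P-1 strips the outer label and sends the MPLS packet, which now has a single label (1031), out of G0/0/0
9.0.5 ASBR-1 receives the MPLS packet with outer label 1031 and checks the ILM
From the table below, ASBR-1 learns that the outgoing label is 1027 and the label operation type is SWAPPUSH; the tunnel was established by BGP for the VPNv4 route
ASBR-1 checks the BGP VPNv4 routing table; the table below shows tunnel outbound interface G0/0/1 and interface ID 0x5, which is non-zero, so tunnel forwarding is used (this is associated with the outgoing token in the table above)
Using token 0x5, it checks the NHLFE; from the table below the router learns that it only needs to send the packet out of the local MPLS interface
ASBR-1 replaces inner label 1031 with 1027 and sends the packet out of G0/0/1
9.0.6 ASBR-2 receives the MPLS packet with label 1027 and checks the ILM
From the table below, ASBR-2 learns that the outgoing label is 1027 and the label action is SWAPPUSH, and that the tunnel was established by BGP for the VPNv4 route
ASBR-2 checks the VPNv4 route; the outbound interface toward 172.16.2.0 is 0x1, which is non-zero, meaning tunnel forwarding is required (this is associated with the outgoing token in the table above)
ASBR-2 uses the token ID to check the NHLFE: the tunnel type is LSP and the outgoing label is 1024
Based on outgoing label 1024, ASBR-2 looks up the ILM and learns that the label action is PUSH
ASBR-2 swaps inner label 1027 for 1027 (the same as the incoming label), adds outer label 1024 and sends the packet out of interface G0/0/0
9.0.7 P-2 receives the MPLS packet with outer label 1024 and looks up the ILM
From the table below, P-2 learns that the outgoing label is 3, the outbound interface is G0/0/1 and the action is SWAP
Following the PHP behavior, P-2 strips outer label 1024 and sends the packet, with the remaining single label 1027, out of interface G0/0/1
9.0.8 PE-2 receives the MPLS packet with label 1027 and checks the ILM
From the table below, PE-2 learns that the data belongs to VPN instance SiteA and the label action is POP
After stripping the label, PE-2 parses the destination address 172.16.2.1 and looks it up in the forwarding table of instance SiteA
From the table below, PE-2 sends the IP packet out of G0/0/0
9.0.9 SiteA-2 receives the packet, looks up its table and forwards it to PC3, completing the communication (the return path is similar)
Summary:
When an ASBR processes labeled traffic, besides swapping the inner label it must also add the outer label that LDP allocated for the next hop, so that the data is sent to the next hop correctly
(The three parameters Tunnel ID, Token and outgoing token provide the association; internally the router links all the table entries through them)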
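The label operations of section 9 can be replayed hop by hop to check the stack that leaves each router. The following is an added example, not part of the original lab: label values and interfaces are the ones quoted in the walkthrough, while the table layout and function names are hypothetical.

```python
# Added example: replays the PC1 -> PC3 label operations listed in section 9.
IMPLICIT_NULL = 3     # reserved label: tells the penultimate hop to pop the top label

# node -> {incoming top label: (operation, outgoing labels, outgoing interface)}
# Label values and interfaces are the ones quoted in the walkthrough above.
ILM = {
    "P-1":    {1025: ("SWAP", [IMPLICIT_NULL], "G0/0/0")},
    "ASBR-1": {1031: ("SWAP", [1027], "G0/0/1")},             # inter-AS link: BGP label only
    "ASBR-2": {1027: ("SWAPPUSH", [1024, 1027], "G0/0/0")},   # outer LDP, inner BGP
    "P-2":    {1024: ("SWAP", [IMPLICIT_NULL], "G0/0/1")},
    "PE-2":   {1027: ("POP", [], "G0/0/0")},                  # then IP lookup in SiteA
}
PATH = ["P-1", "ASBR-1", "ASBR-2", "P-2", "PE-2"]

def ingress_pe1():
    """PE-1: push the BGP VPN label (inner), then the LDP label (outer)."""
    return [1025, 1031]          # index 0 is the top of the stack

def forward(node, stack):
    """Apply one LSR's entry to the top label; return (new stack, out interface)."""
    if not stack or stack[0] not in ILM[node]:
        # A label this node never allocated has no entry, so the packet is dropped.
        raise LookupError(f"{node}: no ILM entry for {stack[:1]}, packet dropped")
    op, out, ifname = ILM[node][stack[0]]
    rest = stack[1:]
    if op == "POP" or out == [IMPLICIT_NULL]:   # egress pop, or PHP at the penultimate hop
        return rest, ifname
    return out + rest, ifname                   # SWAP / SWAPPUSH replace the top label

def trace():
    """Return (node, label stack sent, outgoing interface) for every hop."""
    stack = ingress_pe1()
    hops = [("PE-1", list(stack), "G0/0/2")]
    for node in PATH:
        stack, ifname = forward(node, stack)
        hops.append((node, list(stack), ifname))
    return hops

if __name__ == "__main__":
    for node, stack, ifname in trace():
        print(f"{node:7} sends {stack or 'plain IP'} out {ifname}")
```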