一、介绍
传统的VPN一般是通过GRE、L2TP、PPTP、IPSec协议等隧道协议来实现私有网络间数据流在公网上的传送。而LSP本身就是公网上的隧道,所以用MPLS来实现VPN有天然的优势。
基于MPLS的VPN就是通过LSP将私有网络的不同分支联结起来,形成一个统一的网络。基于MPLS的VPN还支持对不同VPN间的互通控制。
CE:是用户边缘设备,可以是路由器,也可以是交换机或主机。
PE:是服务商边缘路由器,位于骨干网络。
在骨干网络中,还存在Provider,是服务提供商网络中的骨干路由器,不与CE直接相连。P设备只需要具备基本MPLS转发能力,可以将其配置为M-BGP的路由反射器,不维护VPN信息。
基于MPLS的VPN具有以下特点:
1、PE负责对VPN用户进行管理、建立各PE间LSP连接、同一VPN用户各分支间路由分派。
2、PE间的路由分派通常是用LDP或扩展的BGP协议实现。 3、支持不同分支间IP地址复用和不同VPN间互通。
4、减化了寻路步骤,提高了设备性能,加快了报文转发。
二、仿真软件
eNSP
三、仿真要求
1、AR1 与 AR5在同一 MPLS、VPN,能互通
2、AR6 与 AR7在同一 MPLS、VPN,能互通
3、AR2、 AR3、AR4形成环路,AR7可以访问这个环路
四、拓扑图
五、实验配置
(一)规划
AR2/3/4的环回均为x.x.x.x
AR1/5环回分别为192.168.1.1/192.168.4.1
AR6/7环回分别为192.168.1.2/192.168.4.2
AR7的公网分配地址为47.1.1.2
(二)配置思路
1、搭建实验,配置公网地址
3、在AR2/3/4上配置MPLS
4、在AR2/4上配置bgp
5、运用静态路由 AR2/4上重发布
6、AR2/6上开启RIP,AR4/7上开启OSPF
7、AR2/4上再进行重发布
(三)配置
AR1:
#
interface GigabitEthernet0/0/0
ip address 192.168.2.1 255.255.255.0
#
interface LoopBack0
ip address 192.168.1.1 255.255.255.0
#
ip route-static 192.168.3.0 255.255.255.0 192.168.2.2
ip route-static 192.168.4.0 255.255.255.0 192.168.2.2
AR2:
#
ip vpn-instance a
ipv4-family
route-distinguisher 1:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
ip vpn-instance b
ipv4-family
route-distinguisher 2:2
vpn-target 2:2 export-extcommunity
vpn-target 2:2 import-extcommunity
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/0
ip address 23.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
ip binding vpn-instance a
ip address 192.168.2.2 255.255.255.0
mpls
#
interface GigabitEthernet0/0/2
ip binding vpn-instance b
ip address 192.168.2.2 255.255.255.0
mpls
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.0
#
bgp 1
peer 4.4.4.4 as-number 1
peer 4.4.4.4 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 4.4.4.4 enable
peer 4.4.4.4 next-hop-local
#
ipv4-family vpnv4
policy vpn-target
peer 4.4.4.4 enable
#
ipv4-family vpn-instance a
import-route direct
import-route static
#
ipv4-family vpn-instance b
import-route rip 1
#
ospf 1 router-id 2.2.2.2
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 23.1.0.0 0.0.255.255
#
rip 1 vpn-instance b
undo summary
version 2
network 192.168.2.0
import-route bgp
#
ip route-static vpn-instance a 192.168.1.0 255.255.255.0 192.168.2.1
#
route recursive-lookup tunnel
AR3:
#
mpls lsr-id 3.3.3.3
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/0
ip address 34.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
ip address 23.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.0
#
ospf 1 router-id 3.3.3.3
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 23.1.0.0 0.0.255.255
network 34.1.0.0 0.0.255.255
#
route recursive-lookup tunnel
AR4:
#
ip vpn-instance a
ipv4-family
route-distinguisher 1:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
ip vpn-instance b
ipv4-family
route-distinguisher 2:2
vpn-target 2:2 export-extcommunity
vpn-target 2:2 import-extcommunity
#
mpls lsr-id 4.4.4.4
mpls
lsp-trigger all
#
mpls ldp
#
acl number 2000
rule 5 permit source 47.1.1.0 0.0.0.255
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip binding vpn-instance a
ip address 192.168.3.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 34.1.1.2 255.255.255.0
mpls
mpls ldp
nat outbound 2000
#
interface GigabitEthernet0/0/2
ip binding vpn-instance b
ip address 192.168.3.2 255.255.255.0
mpls
#
interface GigabitEthernet4/0/0
ip address 47.1.1.1 255.255.255.0
#
interface LoopBack0
ip address 4.4.4.4 255.255.255.0
#
bgp 1
peer 2.2.2.2 as-number 1
peer 2.2.2.2 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
peer 2.2.2.2 next-hop-local
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.2 enable
#
ipv4-family vpn-instance a
import-route direct
import-route static
#
ipv4-family vpn-instance b
import-route ospf 2
#
ospf 1 router-id 4.4.4.4
area 0.0.0.0
network 4.4.4.4 0.0.0.0
network 34.1.0.0 0.0.255.255
#
ospf 2 vpn-instance b
import-route bgp
area 0.0.0.0
network 192.168.3.0 0.0.0.255
#
ip route-static vpn-instance a 192.168.4.0 255.255.255.0 192.168.3.1
#
route recursive-lookup tunnel
AR5:
#
interface GigabitEthernet0/0/1
ip address 192.168.3.1 255.255.255.0
#
interface LoopBack0
ip address 192.168.4.1 255.255.255.0
#
ip route-static 192.168.1.0 255.255.255.0 192.168.3.2
ip route-static 192.168.2.0 255.255.255.0 192.168.3.2
AR6:
#
interface GigabitEthernet0/0/1
ip address 192.168.2.1 255.255.255.0
#
interface LoopBack0
ip address 192.168.1.1 255.255.255.0
#
rip 1
undo summary
version 2
network 192.168.1.0
network 192.168.2.0
AR7:
#
interface GigabitEthernet0/0/0
ip address 192.168.3.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 47.1.1.2 255.255.255.0
#
interface LoopBack0
ip address 192.168.4.2 255.255.255.0
#
ospf 1
area 0.0.0.0
network 192.168.3.0 0.0.0.255
network 192.168.4.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 47.1.1.1
至此配置完成!
六、实验结果验证
AR1 能ping通AR5,不能ping通AR7。
AR6能ping通AR7,不能ping通AR5。
AR7能ping通环AR2/3/4环回。