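Lab topology:
Configuration approach
- Create a VPN instance between each PE and its CE to isolate service traffic;
- Run an IGP (IS-IS in this lab) among PE1, P and PE2 so that their loopback addresses are reachable;
- Configure SR on PE1, P and PE2 to extend the IGP so that it allocates labels, which form the forwarding plane for traffic;
- Run MP-BGP between the PEs, associate it with the VPN instance, and redistribute routes in both directions with the CEs. This builds the routing table and establishes the control plane;
Configuration steps
1. Create a VPN instance between each PE and its CE to isolate service traffic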
CE1:
ospf 10 router-id 1.1.1.1
area 0.0.0.0
#
interface GigabitEthernet0/0/0
ip address 192.168.10.10 255.255.255.0
ospf enable 10 area 0.0.0.0
PE1:
ospf 10 router-id 11.11.11.11 vpn-instance huawei
area 0.0.0.0
interface Ethernet1/0/1
ip binding vpn-instance huawei
ip address 192.168.10.1 255.255.255.0
ospf enable 10 area 0.0.0.0
PE2:
ospf 10 router-id 22.22.22.22 vpn-instance huawei
area 0.0.0.0
interface Ethernet1/0/1
ip binding vpn-instance huawei
ip address 192.168.20.1 255.255.255.0
ospf enable 10 area 0.0.0.0
CE2:
ospf 10 router-id 2.2.2.2
area 0.0.0.0
#
interface GigabitEthernet0/0/0
ip address 192.168.20.10 255.255.255.0
ospf enable 10 area 0.0.0.0
Verify that the OSPF adjacency is established
<CE1>dis ospf peer brief
OSPF Process 10 with Router ID 1.1.1.1
Peer Statistic Information
----------------------------------------------------------------------------
Area Id Interface Neighbor id State
0.0.0.0 GigabitEthernet0/0/0 11.11.11.11 Full
---------------------------------------------------------------------------
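2. Run an IGP among the three backbone devices in the SR domain;
Run IS-IS among PE1, P and PE2 so that their loopback addresses are reachable; these addresses are later used as the update source for the BGP sessions.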
PE1:
isis 1
is-level level-2
cost-style wide
network-entity 49.1111.0000.0000.1111.00
is-name Pe1
interface Ethernet1/0/0
undo shutdown
ip address 12.12.12.1 255.255.255.0
isis enable 1
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
isis enable 1
P:
isis 1
is-level level-2
cost-style wide
network-entity 49.1111.0000.0000.2222.00
is-name p
interface Ethernet1/0/1
undo shutdown
ip address 23.23.23.2 255.255.255.0
isis enable 1
interface Ethernet1/0/0
undo shutdown
ip address 12.12.12.2 255.255.255.0
isis enable 1
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
isis enable 1
PE2:
isis 1
is-level level-2
cost-style wide
network-entity 49.1111.0000.0000.3333.00
is-name PE2
interface Ethernet1/0/0
undo shutdown
ip address 23.23.23.3 255.255.255.0
isis enable 1
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
isis enable 1
Verify that the PEs have learned each other's loopback addresses
[PE2]dis ip routing-table protocol isis
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
_public_ Routing Table : IS-IS
Destinations : 5 Routes : 5
IS-IS routing table status : <Active>
Destinations : 3 Routes : 3
Destination/Mask Proto Pre Cost Flags NextHop Interface
1.1.1.1/32 ISIS-L2 15 20 D 23.23.23.2 Ethernet1/0/0
2.2.2.2/32 ISIS-L2 15 10 D 23.23.23.2 Ethernet1/0/0
12.12.12.0/24 ISIS-L2 15 20 D 23.23.23.2 Ethernet1/0/0
IS-IS routing table status : <Inactive>
Destinations : 2 Routes : 2
Destination/Mask Proto Pre Cost Flags NextHop Interface
3.3.3.3/32 ISIS-L2 15 0 3.3.3.3 LoopBack0
23.23.23.0/24 ISIS-L2 15 0 23.23.23.3 Ethernet1/0/0
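//On PE2, the routing table shows that the route to 1.1.1.1 has been learned
3. Configure SR among the three NEs in the SR domain as the data forwarding plane
Enable Segment Routing globally on PE1, P and PE2 to extend the IGP so that it allocates Prefix Segment labels, and use the Prefix Segments (learned through the IGP) to guide data forwarding;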
PE1:
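[PE1]segment-routing //Enable SR globally
isis 1
is-level level-2
segment-routing mpls //Enable SR MPLS under IS-IS
segment-routing global-block 16000 17000 //Define the SRGB, the range from which SIDs are allocated
interface LoopBack0
isis prefix-sid index 1 //Set the SR index to 1, so the prefix segment is 16000+1=16001
P:
[P]segment-routing //Enable SR globally
isis 1
segment-routing mpls //Enable SR MPLS under IS-IS
segment-routing global-block 16000 17000 //Define the SRGB, the range from which SIDs are allocated
interface LoopBack0
isis prefix-sid index 2 //Set the SR index to 2, so the prefix segment is 16000+2=16002
PE2:
[PE2]segment-routing //Enable SR globally
isis 1
segment-routing mpls //Enable SR MPLS under IS-IS
segment-routing global-block 16000 17000 //Define the SRGB, the range from which SIDs are allocated
interface LoopBack0
isis prefix-sid index 3 //Set the SR index to 3, so the prefix segment is 16000+3=16003
Verify SR:
At this point a Prefix Segment has been defined for each of the three devices in the SR domain;
<PE1>dis segment-routing prefix mpls forwarding //View the prefix segments; the Prefix Segment label is the SRGB base plus the manually specified index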
Segment Routing Prefix MPLS Forwarding Information
--------------------------------------------------------------
Role : I-Ingress, T-Transit, E-Egress, I&T-Ingress And Transit
Prefix Label OutLabel Interface NextHop Role MPLSMtu Mtu State
-----------------------------------------------------------------------------------------------------------------
1.1.1.1/32 16001 NULL Loop0 127.0.0.1 E --- 1500 Active
2.2.2.2/32 16002 3 Eth1/0/0 10.1.12.2 I&T --- 1500 Active
3.3.3.3/32 16003 16003 Eth1/0/0 10.1.12.2 I&T --- 1500 Active
Total information(s): 3
[PE1]dis segment-routing adjacency mpls forwarding //View the adjacency segments; the labels here are outside the SRGB
Segment Routing Adjacency MPLS Forwarding Information
Label Interface NextHop Type MPLSMtu Mtu
-----------------------------------------------------------------------------
48120 Eth1/0/3 12.12.12.2 ISIS-V4 --- 1500
Total information(s): 1
[PE1]dis mpls lsp vpn-instance huawei verbose
-------------------------------------------------------------------------------
LSP Information: BGP LSP
-------------------------------------------------------------------------------
No : 1
VrfIndex : huawei
RD Value : 100:1
Fec : 192.168.10.0/24
Nexthop : 0.0.0.0
In-Label : 48181
Out-Label : NULL
In-Interface : ------
Out-Interface : ------
LspIndex : 16825397
Type : Primary
OutSegmentIndex : ------
LsrType : Egress
Outgoing TunnelID : 0x0
Label Operation : POP
Mpls-Mtu : ------
LspAge : ------
Exp-Mode : ---
//Check the status of the SR tunnels
[PE2]dis tunnel-info all
Tunnel ID Type Destination Status
----------------------------------------------------------------------------------------
0x000000002900000003 srbe-lsp 2.2.2.2 UP
0x000000002900000004 srbe-lsp 1.1.1.1 UP
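The prefix and adjacency segment tables above can be checked mechanically against the label plan. The following is an added example, not part of the original lab: the table rows are copied from the outputs on this page, and the function name `audit_sr_labels` and the planned-index dictionary are assumptions made for illustration. It flags a prefix SID that does not equal SRGB base + index, a SID for a prefix nobody planned, a duplicated label, and an adjacency label that falls inside the SRGB.

```python
import re

SRGB = (16000, 17000)      # from "segment-routing global-block 16000 17000"
CONFIGURED_INDEX = {       # from "isis prefix-sid index N" on each LoopBack0
    "1.1.1.1/32": 1, "2.2.2.2/32": 2, "3.3.3.3/32": 3,
}

# Rows copied from the two display outputs on this page.
PREFIX_OUTPUT = """\
1.1.1.1/32 16001 NULL Loop0 127.0.0.1 E --- 1500 Active
2.2.2.2/32 16002 3 Eth1/0/0 10.1.12.2 I&T --- 1500 Active
3.3.3.3/32 16003 16003 Eth1/0/0 10.1.12.2 I&T --- 1500 Active
"""
ADJACENCY_OUTPUT = "48120 Eth1/0/3 12.12.12.2 ISIS-V4 --- 1500\n"

PREFIX_ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+/\d+)\s+(\d+)\s+(\S+)", re.M)
ADJ_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)", re.M)

def audit_sr_labels(prefix_text, adj_text, srgb, configured):
    """Return a list of findings; an empty list means the label plan is consistent."""
    low, high = srgb
    findings, seen = [], {}
    for prefix, label, _out in PREFIX_ROW.findall(prefix_text):
        label = int(label)
        if not low <= label <= high:
            findings.append(f"{prefix}: label {label} outside SRGB {low}-{high}")
        if prefix not in configured:
            findings.append(f"{prefix}: prefix SID for an unplanned prefix")
        elif label != low + configured[prefix]:
            findings.append(f"{prefix}: label {label} != {low}+{configured[prefix]}")
        if label in seen:
            findings.append(f"{prefix}: label {label} also used by {seen[label]}")
        seen.setdefault(label, prefix)
    # Adjacency segments are allocated dynamically and must stay outside the SRGB.
    for label, ifname, _nh in ADJ_ROW.findall(adj_text):
        if low <= int(label) <= high:
            findings.append(f"adjacency {ifname}: label {label} inside SRGB")
    return findings

if __name__ == "__main__":
    print(audit_sr_labels(PREFIX_OUTPUT, ADJACENCY_OUTPUT, SRGB, CONFIGURED_INDEX))
```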
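4. Establish BGP between the PEs and associate it with the VPN instance, with two-way redistribution to and from the CEs.
Run MP-BGP among PE1, P and PE2 and perform two-way redistribution with the CE devices to collect the customers' service routes and build the routing table; the inner labels for those service routes are allocated through MP-BGP extended community attributes. This is the control plane for the data;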
PE1:
bgp 100
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 3.3.3.3 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.3 enable //Specify the remote peer in the BGP VPNv4 address family
#
ipv4-family vpn-instance huawei
import-route ospf 10 //Import routes under the BGP VPN instance
#
ospf 10 router-id 11.11.11.11 vpn-instance huawei
import-route bgp
PE2:
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable //Specify the remote peer in the BGP VPNv4 address family
#
ipv4-family vpn-instance huawei
import-route ospf 10 //Import routes under the BGP VPN instance
#
ospf 10 router-id 22.22.22.22 vpn-instance huawei
import-route bgp
Connectivity test:
[CE1]tracert -v -a 192.168.10.10 192.168.20.10
traceroute to 192.168.20.10(192.168.20.10), max hops: 30 ,packet length: 40,press CTRL_C to break
1 192.168.10.1 20 ms 10 ms 10 ms
2 12.12.12.2[MPLS Label=16003/48120 Exp=0/0 S=0/1 TTL=1/1] 30 ms 20 ms 10 ms
3 192.168.20.1 20 ms 20 ms 10 ms
4 192.168.20.10 30 ms 30 ms 30 ms
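//On reaching the PE, packets are forwarded by label, and the prefix segment label is swapped
Simply put, MPLS SR TE forwards on the basis of Prefix Segments. Prefix Segments are an IGP extension, so forwarding by prefix means that forwarding is guided by the IGP; this is BE (Best Effort): the IGP forwards the routes on a best-effort basis;
Extension:
apply-label per-instance
What the apply-label per-instance command does under a VPN instance: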
ip vpn-instance sr
ipv4-family
route-distinguisher 10:10
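apply-label per-instance //Configured under the VPN instance; with per-instance, one label is allocated per VPN instance to carry its service routes (the peer's VPN instance needs the same configuration for it to take effect)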
vpn-target 10:10 export-extcommunity
vpn-target 10:10 import-extcommunity
Verification:
[CE1]tracert -v -a 11.11.11.11 33.33.33.33
traceroute to 33.33.33.33(33.33.33.33), max hops: 30 ,packet length: 40,press CTRL_C to break
1 192.168.1.254 4 ms 4 ms 5 ms
2 10.1.12.2[MPLS Label=16003/48183 Exp=0/0 S=0/1 TTL=1/1] 8 ms 7 ms 7 ms
3 172.16.1.254 5 ms 7 ms 9 ms
4 33.33.33.33 11 ms 11 ms 10 ms
[CE1]tracert -v -a 11.11.11.11 22.22.22.22
traceroute to 22.22.22.22(22.22.22.22), max hops: 30 ,packet length: 40,press CTRL_C to break
1 192.168.1.254 4 ms 5 ms 3 ms
2 10.1.12.2[MPLS Label=16003/48183 Exp=0/0 S=0/1 TTL=1/1] 6 ms 6 ms 5 ms
3 172.16.1.254 6 ms 7 ms 5 ms
4 22.22.22.22 10 ms 8 ms 8 ms
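//33 and 22 belong to the same VRF; with per-instance configured, the same label is allocated to their service routes, and both are now 48183.
It is also possible to use one label per service route
apply-label per-route
//With this command, each service route is allocated its own label;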
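The tracert comparison above can be automated. The following is an added example, not part of the original lab: it parses the label stack of the labelled hop, checks that the outer label is a prefix SID inside the SRGB and that the inner VPN label is not, and reports whether the destinations in one VRF share a VPN label. The function names are assumptions, the two per-instance lines are copied from this page, and the line carrying label 48190 is constructed to show what per-route allocation would look like.

```python
import re

SRGB = (16000, 17000)  # from "segment-routing global-block 16000 17000"

# Hop 2 of the two traces shown on this page.
PER_INSTANCE_TRACES = {
    "33.33.33.33": "2 10.1.12.2[MPLS Label=16003/48183 Exp=0/0 S=0/1 TTL=1/1] 8 ms 7 ms 7 ms",
    "22.22.22.22": "2 10.1.12.2[MPLS Label=16003/48183 Exp=0/0 S=0/1 TTL=1/1] 6 ms 6 ms 5 ms",
}
# CONSTRUCTED sample: inner label 48190 is invented to illustrate per-route.
PER_ROUTE_TRACES = {
    **PER_INSTANCE_TRACES,
    "22.22.22.22": "2 10.1.12.2[MPLS Label=16003/48190 Exp=0/0 S=0/1 TTL=1/1] 6 ms 6 ms 5 ms",
}

STACK = re.compile(r"\[MPLS Label=([\d/]+) Exp=[\d/]+ S=([\d/]+) TTL=[\d/]+\]")

def label_stack(hop_line):
    """Return (transport_labels, vpn_label) parsed from one tracert hop line."""
    m = STACK.search(hop_line)
    if not m:
        raise ValueError("hop carries no MPLS label stack")
    labels = [int(x) for x in m.group(1).split("/")]
    s_bits = [int(x) for x in m.group(2).split("/")]
    # The bottom-of-stack bit must be set on the last (VPN) label only.
    if len(labels) != len(s_bits) or s_bits[-1] != 1 or any(s_bits[:-1]):
        raise ValueError("bottom-of-stack bit is not set on the last label only")
    return labels[:-1], labels[-1]

def allocation_mode(traces, srgb=SRGB):
    """Classify the inner (VPN) label allocation seen across destinations in one VRF."""
    inner = {}
    for dest, line in traces.items():
        transport, vpn = label_stack(line)
        if not all(srgb[0] <= label <= srgb[1] for label in transport):
            raise ValueError(f"{dest}: transport label outside SRGB")
        if srgb[0] <= vpn <= srgb[1]:
            raise ValueError(f"{dest}: VPN label collides with SRGB")
        inner[dest] = vpn
    # One shared label matches per-instance; differing labels match per-route.
    mode = "per-instance" if len(set(inner.values())) == 1 else "per-route"
    return mode, inner

if __name__ == "__main__":
    print(allocation_mode(PER_INSTANCE_TRACES))
    print(allocation_mode(PER_ROUTE_TRACES))
```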