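Huawei MPLS VPN Instance Configuration Lab
I. Lab requirements
1. Create MPLS VPN instances in the ISP network.
2. SiteA behind CE1 and SiteA behind CE3 can exchange routes with each other, but cannot reach any of the ISP's network segments.
3. SiteB behind CE2 and SiteB behind CE4 can exchange routes with each other, but cannot reach any of the ISP's network segments.
4. IS-IS runs between CE1 and PE1; OSPF runs between CE3 and PE2.
5. BGP runs between CE2 and PE1; BGP runs between CE4 and PE2.
6. Capture packets and observe the two-level MPLS header.
II. Network topology
III. Router configurations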
AR1 Configuration
sysname AR1
#
isis 1
is-level level-2
network-entity 10.0000.0000.0001.00
#
interface GigabitEthernet0/0/0
ip address 15.1.1.1 255.255.255.0
isis enable 1
isis circuit-level level-2
interface LoopBack0
ip address 192.168.1.1 255.255.255.0
isis enable 1
isis circuit-level level-2
AR2 Configuration
sysname AR2
#
interface GigabitEthernet0/0/0
ip address 25.1.1.2 255.255.255.0
interface LoopBack0
ip address 192.168.1.1 255.255.255.0
#
bgp 2
peer 25.1.1.5 as-number 5678
network 192.168.1.0
AR3 Configuration
sysname AR3
#
interface GigabitEthernet0/0/0
ip address 38.1.1.3 255.255.255.0
interface LoopBack0
ip address 172.16.1.1 255.255.255.0
#
ospf 2 router-id 3.3.3.3
area 0.0.0.0
network 38.1.1.0 0.0.0.255
network 172.16.1.0 0.0.0.255
AR4 Configuration
sysname AR4
#
interface GigabitEthernet0/0/0
ip address 48.1.1.4 255.255.255.0
interface LoopBack0
ip address 172.16.1.1 255.255.255.0
#
bgp 4
peer 48.1.1.8 as-number 5678
network 172.16.1.0 255.255.255.0
AR5 Configuration
sysname AR5
#
interface GigabitEthernet0/0/0
ip binding vpn-instance SiteA
ip address 15.1.1.5 255.255.255.0
isis enable 1
isis circuit-level level-2
interface GigabitEthernet0/0/1
ip binding vpn-instance SiteB
ip address 25.1.1.5 255.255.255.0
interface GigabitEthernet0/0/2
ip address 56.1.1.5 255.255.255.0
mpls
mpls ldp
interface LoopBack5
ip address 5.5.5.5 255.255.255.255
#
ospf 1 router-id 5.5.5.5
area 0.0.0.0
network 5.5.5.5 0.0.0.0
network 56.1.1.0 0.0.0.255
#
isis 1 vpn-instance SiteA
is-level level-2
network-entity 10.0000.0000.0005.00
import-route bgp
#
mpls lsr-id 5.5.5.5
mpls
mpls ldp
#
ip vpn-instance SiteA
ipv4-family
route-distinguisher 1:1
vpn-target 100:1 export-extcommunity
vpn-target 100:1 import-extcommunity
#
ip vpn-instance SiteB
ipv4-family
route-distinguisher 2:2
vpn-target 200:2 export-extcommunity
vpn-target 200:2 import-extcommunity
#
acl number 2000
rule 5 permit source 192.168.1.0 0.0.0.255
#
route-policy AAA permit node 10
if-match acl 2000
#
bgp 5678
peer 6.6.6.6 as-number 5678
peer 6.6.6.6 connect-interface LoopBack5
peer 8.8.8.8 as-number 5678
peer 8.8.8.8 connect-interface LoopBack5
peer 6.6.6.6 next-hop-local
#
ipv4-family vpnv4
peer 8.8.8.8 enable
#
ipv4-family vpn-instance SiteA
import-route isis 1 route-policy AAA
#
ipv4-family vpn-instance SiteB
peer 25.1.1.2 as-number 2
AR6 Configuration
sysname AR6
#
interface GigabitEthernet0/0/0
ip address 67.1.1.6 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
ip address 56.1.1.6 255.255.255.0
mpls
mpls ldp
#
interface LoopBack6
ip address 6.6.6.6 255.255.255.255
#
mpls lsr-id 6.6.6.6
mpls
mpls ldp
#
bgp 5678
peer 5.5.5.5 as-number 5678
peer 5.5.5.5 connect-interface LoopBack6
peer 5.5.5.5 next-hop-local
peer 7.7.7.7 as-number 5678
peer 7.7.7.7 connect-interface LoopBack6
peer 7.7.7.7 next-hop-local
#
ospf 1 router-id 6.6.6.6
area 0.0.0.0
network 6.6.6.6 0.0.0.0
network 56.1.1.0 0.0.0.255
network 67.1.1.0 0.0.0.255
#
AR7 Configuration
sysname AR7
#
interface GigabitEthernet0/0/0
ip address 67.1.1.7 255.255.255.0
mpls
mpls ldp
interface GigabitEthernet0/0/1
ip address 78.1.1.7 255.255.255.0
mpls
mpls ldp
interface LoopBack7
ip address 7.7.7.7 255.255.255.255
#
mpls lsr-id 7.7.7.7
mpls
mpls ldp
#
bgp 5678
peer 6.6.6.6 as-number 5678
peer 6.6.6.6 connect-interface LoopBack7
peer 6.6.6.6 next-hop-local
peer 8.8.8.8 as-number 5678
peer 8.8.8.8 connect-interface LoopBack7
peer 8.8.8.8 next-hop-local
#
ospf 1 router-id 7.7.7.7
area 0.0.0.0
network 7.7.7.7 0.0.0.0
network 67.1.1.0 0.0.0.255
network 78.1.1.0 0.0.0.255
AR8 Configuration
sysname AR8
#
interface GigabitEthernet0/0/0
ip binding vpn-instance SiteA
ip address 38.1.1.8 255.255.255.0
interface GigabitEthernet0/0/1
ip binding vpn-instance SiteB
ip address 48.1.1.8 255.255.255.0
interface GigabitEthernet0/0/2
ip address 78.1.1.8 255.255.255.0
mpls
mpls ldp
interface LoopBack8
ip address 8.8.8.8 255.255.255.255
#
ospf 1 router-id 8.8.8.8
area 0.0.0.0
network 8.8.8.8 0.0.0.0
network 78.1.1.0 0.0.0.255
#
ospf 2 router-id 8.8.8.8 vpn-instance SiteA
import-route bgp
area 0.0.0.0
network 38.1.1.0 0.0.0.255
#
mpls lsr-id 8.8.8.8
mpls
mpls ldp
#
acl number 2000
rule 5 permit source 172.16.1.0 0.0.0.255
#
route-policy AAA permit node 10
if-match acl 2000
#
ip vpn-instance SiteA
ipv4-family
route-distinguisher 1:1
vpn-target 100:1 export-extcommunity
vpn-target 100:1 import-extcommunity
#
ip vpn-instance SiteB
ipv4-family
route-distinguisher 2:2
vpn-target 200:2 export-extcommunity
vpn-target 200:2 import-extcommunity
#
bgp 5678
peer 7.7.7.7 as-number 5678
peer 7.7.7.7 connect-interface LoopBack8
peer 7.7.7.7 next-hop-local
peer 5.5.5.5 as-number 5678
peer 5.5.5.5 connect-interface LoopBack8
#
ipv4-family vpnv4
peer 5.5.5.5 enable
#
ipv4-family vpn-instance SiteA
import-route ospf 2 route-policy AAA
#
ipv4-family vpn-instance SiteB
peer 48.1.1.4 as-number 4
#
IV. Verify the routing table
The route entry for 172.16.1.1 now appears in AR1's routing table.
[AR1]dis ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 11 Routes : 11
Destination/Mask Proto Pre Cost Flags NextHop Interface
15.1.1.0/24 Direct 0 0 D 15.1.1.1 GigabitEthernet0/0/0
15.1.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/0
15.1.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
172.16.1.1/32 ISIS-L2 15 74 D 15.1.1.5 GigabitEthernet0/0/0
192.168.1.0/24 Direct 0 0 D 192.168.1.1 LoopBack0
192.168.1.1/32 Direct 0 0 D 127.0.0.1 LoopBack0
192.168.1.255/32 Direct 0 0 D 127.0.0.1 LoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
[AR1]
[AR1]
[AR1]ping -a 192.168.1.1 172.16.1.1
PING 172.16.1.1: 56 data bytes, press CTRL_C to break
Reply from 172.16.1.1: bytes=56 Sequence=1 ttl=251 time=70 ms
Reply from 172.16.1.1: bytes=56 Sequence=2 ttl=251 time=60 ms
Reply from 172.16.1.1: bytes=56 Sequence=3 ttl=251 time=50 ms
Reply from 172.16.1.1: bytes=56 Sequence=4 ttl=251 time=60 ms
Reply from 172.16.1.1: bytes=56 Sequence=5 ttl=251 time=40 ms
--- 172.16.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 40/56/70 ms
V. Verify the VPN instances
Both VPN instances are shown, with their instance name, ID, interface, RD, RT and other details.
[AR5]dis ip vpn-instance verbose
Total VPN-Instances configured : 2
Total IPv4 VPN-Instances configured : 2
Total IPv6 VPN-Instances configured : 0
VPN-Instance Name and ID : SiteA, 1
Interfaces : GigabitEthernet0/0/0
Address family ipv4
Create date : 2021/11/06 12:37:00 UTC-08:00
Up time : 0 days, 03 hours, 08 minutes and 12 seconds
Route Distinguisher : 1:1
Export VPN Targets : 100:1
Import VPN Targets : 100:1
Label Policy : label per route
Log Interval : 5
VPN-Instance Name and ID : SiteB, 2
Interfaces : GigabitEthernet0/0/1
Address family ipv4
Create date : 2021/11/06 12:39:36 UTC-08:00
Up time : 0 days, 03 hours, 05 minutes and 36 seconds
Route Distinguisher : 2:2
Export VPN Targets : 200:2
Import VPN Targets : 200:2
Label Policy : label per route
Log Interval : 5
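The separation between SiteA and SiteB required above depends on their import and export VPN targets not overlapping. The following added example (not part of the original lab) audits that from the configuration text; the function names `parse_vpn_instances` and `route_leaks` are hypothetical, and the input is the AR5 vpn-instance stanzas re-typed as a constructed sample.

```python
import re
from itertools import permutations

# Constructed input: the vpn-instance stanzas from the AR5 configuration above.
PE_CONFIG = """\
ip vpn-instance SiteA
 ipv4-family
  route-distinguisher 1:1
  vpn-target 100:1 export-extcommunity
  vpn-target 100:1 import-extcommunity
#
ip vpn-instance SiteB
 ipv4-family
  route-distinguisher 2:2
  vpn-target 200:2 export-extcommunity
  vpn-target 200:2 import-extcommunity
#
"""

DIRECTIONS = {"export-extcommunity": ("export",), "import-extcommunity": ("import",),
              "both": ("export", "import")}

def parse_vpn_instances(config):
    """Return {name: {"rd": str or None, "export": set, "import": set}}."""
    instances, cur = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        tokens = line.split()
        if re.fullmatch(r"ip vpn-instance \S+", line):
            cur = instances.setdefault(tokens[2], {"rd": None, "export": set(), "import": set()})
        elif line == "#":
            cur = None                      # '#' closes the current stanza
        elif cur is not None and len(tokens) == 2 and tokens[0] == "route-distinguisher":
            cur["rd"] = tokens[1]
        elif cur is not None and tokens[:1] == ["vpn-target"]:
            # A vpn-target line with no keyword applies in both directions.
            keyword = tokens[-1] if tokens[-1] in DIRECTIONS else "both"
            rts = [t for t in tokens[1:] if t not in DIRECTIONS]
            for direction in DIRECTIONS[keyword]:
                cur[direction].update(rts)
    return instances

def route_leaks(instances):
    """List (exporter, importer, shared RTs) for every pair that can exchange routes."""
    leaks = []
    for a, b in permutations(instances, 2):
        shared = instances[a]["export"] & instances[b]["import"]
        if shared:
            leaks.append((a, b, sorted(shared)))
    return leaks

if __name__ == "__main__":
    print(route_leaks(parse_vpn_instances(PE_CONFIG)))
```

An empty result means no instance imports a target that another instance exports, which is what requirements 2 and 3 expect on each PE.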
VI. Verify the double MPLS header by packet capture
The capture shows two MPLS headers and the local labels.
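To read the two headers out of a capture, the added example below (not part of the original lab) walks the MPLS label stack of an Ethernet frame until the bottom-of-stack bit. In an MPLS L3VPN the outer entry is the LDP transport label and the inner entry is the VPN label distributed by BGP. The frame bytes, MAC addresses and label values are constructed, not taken from the lab capture, and `parse_mpls_stack` is a hypothetical name.

```python
import struct

ETHERTYPE_MPLS_UNICAST = 0x8847

# Constructed frame (not from the lab capture): Ethernet header, two MPLS
# entries, then the first byte of an IPv4 header. Label values are made up.
SAMPLE_FRAME = bytes.fromhex(
    "00e0fc000006" "00e0fc000005" "8847"   # dst MAC, src MAC, EtherType
    "004010fd"                             # outer entry: label 1025, S=0, TTL 253
    "004061fe"                             # inner entry: label 1030, S=1, TTL 254
    "45"                                   # start of the IPv4 payload
)

def parse_mpls_stack(frame):
    """Return (entries, payload_offset) for an Ethernet frame carrying MPLS."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_MPLS_UNICAST:
        raise ValueError(f"EtherType 0x{ethertype:04x} is not MPLS unicast")
    entries, offset = [], 14
    while True:
        if offset + 4 > len(frame):
            raise ValueError("label stack truncated before bottom-of-stack bit")
        (word,) = struct.unpack_from("!I", frame, offset)
        entry = {
            "label": word >> 12,            # 20-bit label
            "tc": (word >> 9) & 0x7,        # 3-bit traffic class
            "bottom": bool(word & 0x100),   # S bit: last entry in the stack
            "ttl": word & 0xFF,
        }
        entries.append(entry)
        offset += 4
        if entry["bottom"]:
            return entries, offset

if __name__ == "__main__":
    for depth, e in enumerate(parse_mpls_stack(SAMPLE_FRAME)[0]):
        print(depth, e)
```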