1. Configuration logic
In the IP address plan shown in the diagram, x is the link number between two routers (the two router numbers concatenated, larger first), and y is 1 or 2: the router with the smaller number gets 1 and the router with the larger number gets 2. Taking the R3/R4 link as an example: the IP address of R3's G0/0/1 is 10.1.43.1 and the IP address of R4's G0/0/0 is 10.1.43.2.
As special cases, the R10/R11 link uses 10.2.110.0/24, R10/SW1 uses 10.2.101.0/24, and R11/SW2 uses 10.2.112.0/24.
Every router has a loopback interface 10.a.b.b/32, used for testing, as the OSPF router-id, as the MPLS LSR-id and so on, where a is the area number and b is the router number.
The configuration commands below are the key configuration and the configuration that differs between devices; similar configuration is not repeated.
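As an added example (not part of the original write-up), a small Python generator for the addressing rules above; it also decodes an address back to its link and end, which helps when reading the tracert outputs later in this page. Treating SW1/SW2 as node numbers 1 and 2 on the R10/SW1 and R11/SW2 links is an assumption made here.

```python
import ipaddress

# Links the page lists as special cases: (area, lower node, higher node) -> third octet.
# Treating SW1/SW2 as node numbers 1/2 on the R10/SW1 and R11/SW2 links is an assumption
# made here; the resulting addresses match the ones in the write-up (10.2.101.1/.2, 10.2.112.x).
OVERRIDES = {
    (2, 10, 11): 110,   # R10/R11: 10.2.110.0/24
    (2, 1, 10): 101,    # SW1/R10: 10.2.101.0/24
    (2, 2, 11): 112,    # SW2/R11: 10.2.112.0/24
}

def link_subnet(area, node_a, node_b):
    """The /24 for a link: third octet = the two node numbers concatenated, larger first (R3/R4 -> 43)."""
    lo, hi = sorted((node_a, node_b))
    if lo == hi:
        raise ValueError("a link needs two distinct nodes")
    octet = OVERRIDES.get((area, lo, hi), int(f"{hi}{lo}"))
    if octet > 255:
        raise ValueError(f"link {hi}/{lo} does not fit in one octet; add an override")
    return ipaddress.IPv4Network(f"10.{area}.{octet}.0/24")

def link_addresses(area, node_a, node_b):
    """Interface address per node: the lower-numbered node gets .1, the higher-numbered gets .2."""
    net = link_subnet(area, node_a, node_b)
    lo, hi = sorted((node_a, node_b))
    return {lo: ipaddress.IPv4Interface(f"{net[1]}/24"),
            hi: ipaddress.IPv4Interface(f"{net[2]}/24")}

def loopback(area, node):
    """Loopback 10.a.b.b/32 used for the OSPF router-id, MPLS LSR-id and BGP peering."""
    return ipaddress.IPv4Interface(f"10.{area}.{node}.{node}/32")

def describe(addr):
    """Decode a plan address back to its link and end, e.g. for reading hops in tracert output."""
    area, third, fourth = ipaddress.IPv4Address(addr).packed[1:]
    if third == fourth:
        return f"area {area}: loopback of node {third}"
    pair = next(((lo, hi) for (a, lo, hi), x in OVERRIDES.items() if a == area and x == third), None)
    if pair is None:
        s = str(third)   # try every split 'hi|lo' with hi > lo and no leading zero in lo
        cands = [(int(s[:i]), int(s[i:])) for i in range(1, len(s)) if s[i] != "0"]
        cands = [(hi, lo) for hi, lo in cands if hi > lo > 0]
        if len(cands) != 1:
            return f"area {area}: unrecognised link octet {third}"
        pair = (cands[0][1], cands[0][0])
    lo, hi = pair
    end = {1: lo, 2: hi}.get(fourth)
    if end is None:
        return f"area {area}: link between nodes {hi} and {lo}, non-plan host .{fourth}"
    return f"area {area}: link between nodes {hi} and {lo}, node {end} side"
```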
2. Configuration of the central AS
2.1 VLAN-related configuration
Link aggregation: SW1/2
Load-balancing mode left at the default: src-dst-ip
[sw1]int Eth-Trunk 0
[sw1-Eth-Trunk0]trunkport g0/0/1
[sw1-Eth-Trunk0]trunkport g0/0/2
VLAN interface assignment:
Interfaces facing hosts are set to access mode, with the default VLAN configured as required. All other interfaces are trunk mode and allow all VLANs to pass.
All switches
[sw1]vlan batch 2 3
Ports on sw3/4 facing end hosts
[sw3]int e0/0/1
[sw3-Ethernet0/0/1]port link-type access
[sw3-Ethernet0/0/1]port default vlan 2
[sw3-Ethernet0/0/1]int e0/0/2
[sw3-Ethernet0/0/2]port link-type access
[sw3-Ethernet0/0/2]port default vlan 3
Remaining trunk ports
[sw1]int Eth-Trunk 0
[sw1-Eth-Trunk0]port link-type trunk
[sw1-Eth-Trunk0]port trunk allow-pass vlan all
2.2 Spanning tree
To mirror a real production environment, this topology uses multiple spanning tree (MSTP). The root bridges for VLAN 2 and VLAN 3 are placed on sw1 and sw2 respectively, each backing the other up, which improves link utilization.
All switches:
[sw2-mst-region]display this
#
stp region-configuration
region-name HW
revision-level 1
instance 1 vlan 2
instance 2 vlan 3
active region-configuration
#
return
Adjust root bridge placement:
The root bridge of instance 1 is sw1 and the root bridge of instance 2 is sw2, each serving as the other's backup.
[sw1]stp instance 1 root primary
[sw1]stp instance 2 root secondary
[sw2]stp instance 1 root secondary
[sw2]stp instance 2 root primary
Edge ports
[sw3-Ethernet0/0/1]stp edged-port enable
Port security
Verification
[sw1]display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/3 ROOT FORWARDING NONE
0 GigabitEthernet0/0/4 DESI FORWARDING NONE
0 GigabitEthernet0/0/5 DESI FORWARDING NONE
0 Eth-Trunk0 ALTE DISCARDING NONE
1 GigabitEthernet0/0/3 DESI FORWARDING NONE
1 GigabitEthernet0/0/4 DESI FORWARDING NONE
1 Eth-Trunk0 DESI FORWARDING NONE
2 GigabitEthernet0/0/3 DESI FORWARDING NONE
2 GigabitEthernet0/0/4 DESI FORWARDING NONE
2 Eth-Trunk0 ROOT FORWARDING NONE
[sw2]display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/3 ROOT FORWARDING NONE
0 GigabitEthernet0/0/4 DESI FORWARDING NONE
0 GigabitEthernet0/0/5 DESI FORWARDING NONE
0 Eth-Trunk0 DESI FORWARDING NONE
1 GigabitEthernet0/0/3 DESI FORWARDING NONE
1 GigabitEthernet0/0/4 DESI FORWARDING NONE
1 Eth-Trunk0 ROOT FORWARDING NONE
2 GigabitEthernet0/0/3 DESI FORWARDING NONE
2 GigabitEthernet0/0/4 DESI FORWARDING NONE
2 Eth-Trunk0 DESI FORWARDING NONE
On sw1, all ports in MSTID 1 are designated ports; on sw2, all ports in MSTID 2 are designated ports. That is, sw1 is the root bridge of instance 1 and sw2 is the root bridge of instance 2.
2.3 VRRP gateway redundancy
Building on the spanning tree configuration in 2.2, the master gateway of each VLAN is aligned with its root bridge: the master gateways of VLAN 2 and VLAN 3 are sw1 and sw2 respectively, each backing the other up.
[sw1]int Vlanif 2
[sw1-Vlanif2]ip address 10.2.2.1 24
[sw1-Vlanif2]int vl3
[sw1-Vlanif3]ip address 10.2.3.1 24
[sw2]int Vlanif 2
[sw2-Vlanif2]ip address 10.2.2.2 24
[sw2-Vlanif2]int vl3
[sw2-Vlanif3]ip address 10.2.3.2 24
vlan2
[sw1]int Vlanif 2
[sw1-Vlanif2]vrrp vrid 1 virtual-ip 10.2.2.254
[sw1-Vlanif2]vrrp vrid 1 priority 120    (sw1 is the master gateway of VLAN 2; the default priority is 100)
[sw1-Vlanif2]vrrp vrid 1 preempt-mode timer delay 5    (preemption delay, to guard against transient network flapping)
[sw1-Vlanif2]vrrp vrid 1 authentication-mode md5 huawei
[sw1-Vlanif2]vrrp vrid 1 track interface g0/0/5 reduced 30    (uplink tracking)
[sw2]int Vlanif 2
[sw2-Vlanif2]vrrp vrid 1 virtual-ip 10.2.2.254
[sw2-Vlanif2]vrrp vrid 1 preempt-mode timer delay 5
[sw2-Vlanif2]vrrp vrid 1 authentication-mode md5 huawei
vlan3
[sw1]int Vlanif 3
[sw1-Vlanif3]vrrp vrid 2 virtual-ip 10.2.3.254
[sw1-Vlanif3]vrrp vrid 2 preempt-mode timer delay 5
[sw2]int Vlanif 3
[sw2-Vlanif3]vrrp vrid 2 virtual-ip 10.2.3.254
[sw2-Vlanif3]vrrp vrid 2 priority 120    (sw2 is the master gateway of VLAN 3)
[sw2-Vlanif3]vrrp vrid 2 preempt-mode timer delay 5
[sw2-Vlanif3]vrrp vrid 2 track interface g0/0/5 reduced 30    (uplink tracking)
2.4 DHCP
Based on the VRRP gateway redundancy in 2.3, the DHCP address pool has to be split into two ranges, one served by the master gateway and one by the backup. The DHCP configuration for VLAN 2 is given below; VLAN 3 is similar.
[sw1]dhcp enable
[sw1-ip-pool-vlan2]display this
#
ip pool vlan2
gateway-list 10.2.2.254
network 10.2.2.0 mask 255.255.255.0
excluded-ip-address 10.2.2.128 10.2.2.253
#
return
[sw1]int Vlanif 2
[sw1-Vlanif2]dhcp select global
[sw2-ip-pool-vlan2]display this
#
ip pool vlan2
gateway-list 10.2.2.254
network 10.2.2.0 mask 255.255.255.0
excluded-ip-address 10.2.2.3 10.2.2.127
#
return
[sw2]int Vlanif 2
[sw2-Vlanif2]dhcp select global
Verification
DHCP
2.5 Routing
R10/11 and sw1/2 run OSPF. Because the Huawei simulator cannot create routed (Layer 3) physical ports on switches, the SVI interfaces of VLAN 101/112 are used to emulate them.
The R10/R11 link uses 10.2.110.0/24; R10/SW1 uses 10.2.101.0/24; R11/SW2 uses 10.2.112.0/24.
Interface IP logic:
[r10]int g0/0/1
[r10-GigabitEthernet0/0/1]ip add
[r10-GigabitEthernet0/0/1]ip address 10.2.110.1 24
[r10-GigabitEthernet0/0/1]int g0/0/0
[r10-GigabitEthernet0/0/0]ip address 10.2.101.2 24
On sw1 an SVI emulates the Layer 3 interface; sw2 is configured the same way
[sw1]vlan batch 101
[sw1-Vlanif101]ip address 10.2.101.1 24
[sw1]int g0/0/5
[sw1-GigabitEthernet0/0/5]port link-type access
[sw1-GigabitEthernet0/0/5]port default vlan 101
OSPF
Because the simulated environment is small, only area 0 is used.
[r10]ospf 1 router-id 10.2.10.10
[r10-ospf-1]area 0
[r10-ospf-1-area-0.0.0.0]network 10.2.0.0 0.0.255.255
Check OSPF neighbors
[sw1]display ospf peer brief
OSPF Process 1 with Router ID 10.2.1.1
Peer Statistic Information
----------------------------------------------------------------------------
Area Id Interface Neighbor id State
0.0.0.0 Vlanif2 10.2.2.2 Full
0.0.0.0 Vlanif3 10.2.2.2 Full
0.0.0.0 Vlanif101 10.2.10.10 Full
----------------------------------------------------------------------------
Because the advertised network range is too broad, redundant adjacencies are formed over SVI 2/3 (Vlanif2 and Vlanif3). Fix: silent interfaces
[sw1]ospf 1
[sw1-ospf-1]silent-interface Vlanif 2
[sw1-ospf-1]silent-interface Vlanif3
Here the Eth-Trunk between sw1/2 is a Layer 2 interface, and the links from sw1/2 down to sw3/4 have no need to send or receive OSPF hello packets either. To reduce bandwidth on those links, these interfaces are also configured as silent interfaces.
[sw1]ospf 1
[sw1-ospf-1]silent-interface g0/0/1
[sw1-ospf-1]silent-interface g0/0/2
[sw1-ospf-1]silent-interface g0/0/3
[sw1-ospf-1]silent-interface g0/0/4
2.6 Verifying VRRP gateway redundancy
PC1 tracert PC4: the first hop is sw1
PC2 tracert PC1: the first hop is sw2
PC1 pings R10's loopback continuously while sw1's G0/0/5 is disconnected mid-way:
2.7 BGP
In the topology, the center and the backbone belong to different ASes, so BGP must be configured to exchange routes between them.
[r10]bgp 2
[r10-bgp]router-id 10.2.10.10
[r10-bgp]peer 10.2.11.11 as-number 2
[r10-bgp]peer 10.2.11.11 connect-interface LoopBack 0
Verification
[r10]display bgp peer
BGP local router ID : 10.2.10.10
Local AS number : 2
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.2.11.11 4 2 2 3 0 00:00:19 Established 0
3. Configuration of backbone AS1
3.1 IP configuration
3.2 IGP (OSPF) configuration
[r3]ospf 1 router-id 10.1.3.3
[r3-ospf-1]area 0
[r3-ospf-1-area-0.0.0.0]network 10.1.0.0 0.0.255.255
Verification:
R3's OSPF routing table:
[r3]display ip routing-table protocol ospf
10.1.4.4/32 OSPF 10 1 D 10.1.43.2 GigabitEthernet0/0/1
10.1.5.5/32 OSPF 10 1 D 10.1.53.2 GigabitEthernet0/0/0
10.1.6.6/32 OSPF 10 2 D 10.1.53.2 GigabitEthernet0/0/0
10.1.7.7/32 OSPF 10 2 D 10.1.43.2 GigabitEthernet0/0/1
10.1.8.8/32 OSPF 10 2 D 10.1.53.2 GigabitEthernet0/0/0
10.1.9.9/32 OSPF 10 3 D 10.1.43.2 GigabitEthernet0/0/1
OSPF 10 3 D 10.1.53.2 GigabitEthernet0/0/0
10.1.65.0/24 OSPF 10 2 D 10.1.53.2 GigabitEthernet0/0/0
10.1.74.0/24 OSPF 10 2 D 10.1.43.2 GigabitEthernet0/0/1
10.1.76.0/24 OSPF 10 3 D 10.1.43.2 GigabitEthernet0/0/1
OSPF 10 3 D 10.1.53.2 GigabitEthernet0/0/0
10.1.85.0/24 OSPF 10 2 D 10.1.53.2 GigabitEthernet0/0/0
10.1.97.0/24 OSPF 10 3 D 10.1.43.2 GigabitEthernet0/0/1
10.1.98.0/24 OSPF 10 3 D 10.1.53.2 GigabitEthernet0/0/0
Stub router: R6
In this topology R6 mainly serves the control plane, acting as the BGP route reflector for R3/4/8/9. Its share of the data plane should therefore be reduced, i.e. transit traffic should avoid R6 wherever possible. Solution: the OSPF stub router feature, which advertises routes through this router with a starting cost of 65535.
[r6]ospf 1
[r6-ospf-1]stub-router
Verification
[r6]display ip routing-table protocol ospf
10.1.3.3/32 OSPF 10 65536 D 10.1.65.1 GigabitEthernet0/0/0
10.1.4.4/32 OSPF 10 65536 D 10.1.76.2 GigabitEthernet0/0/1
10.1.5.5/32 OSPF 10 65535 D 10.1.65.1 GigabitEthernet0/0/0
10.1.7.7/32 OSPF 10 65535 D 10.1.76.2 GigabitEthernet0/0/1
10.1.8.8/32 OSPF 10 65536 D 10.1.65.1 GigabitEthernet0/0/0
10.1.9.9/32 OSPF 10 65536 D 10.1.76.2 GigabitEthernet0/0/1
10.1.43.0/24 OSPF 10 65537 D 10.1.65.1 GigabitEthernet0/0/0
OSPF 10 65537 D 10.1.76.2 GigabitEthernet0/0/1
10.1.53.0/24 OSPF 10 65536 D 10.1.65.1 GigabitEthernet0/0/0
10.1.74.0/24 OSPF 10 65536 D 10.1.76.2 GigabitEthernet0/0/1
10.1.85.0/24 OSPF 10 65536 D 10.1.65.1 GigabitEthernet0/0/0
10.1.97.0/24 OSPF 10 65536 D 10.1.76.2 GigabitEthernet0/0/1
10.1.98.0/24 OSPF 10 65537 D 10.1.65.1 GigabitEthernet0/0/0
OSPF 10 65537 D 10.1.76.2 GigabitEthernet0/0/1
3.3 Configuring MPLS: preventing the BGP route black-hole problem
[r3]mpls lsr-id 10.1.3.3
[r3]mpls
[r3-mpls]mpls ldp
[r3-mpls-ldp]quit
[r3]int g0/0/1
[r3-GigabitEthernet0/0/1]mpls
[r3-GigabitEthernet0/0/1]mpls ldp
[r3]int g0/0/0
[r3-GigabitEthernet0/0/0]mpls
[r3-GigabitEthernet0/0/0]mpls ldp
Verification
R3's MPLS label table
[r3]display mpls lsp
-------------------------------------------------------------------------------
LSP Information: LDP LSP
-------------------------------------------------------------------------------
FEC In/Out Label In/Out IF Vrf Name
10.1.3.3/32 3/NULL -/-
10.1.4.4/32 NULL/3 -/GE0/0/1
10.1.4.4/32 1024/3 -/GE0/0/1
10.1.5.5/32 NULL/3 -/GE0/0/0
10.1.5.5/32 1025/3 -/GE0/0/0
10.1.6.6/32 NULL/1026 -/GE0/0/0
10.1.6.6/32 1026/1026 -/GE0/0/0
10.1.7.7/32 NULL/1026 -/GE0/0/1
10.1.7.7/32 1027/1026 -/GE0/0/1
10.1.8.8/32 NULL/1028 -/GE0/0/0
10.1.8.8/32 1028/1028 -/GE0/0/0
10.1.9.9/32 NULL/1030 -/GE0/0/0
10.1.9.9/32 1030/1030 -/GE0/0/0
10.1.9.9/32 NULL/1030 -/GE0/0/1
10.1.9.9/32 1030/1030 -/GE0/0/1
3.4 BGP configuration
In this topology the backbone connects the branches, so the only backbone devices that need to run BGP are R3/4/8/9. R6 is designed to carry mainly control-plane work with as little data-plane work as possible, so R6 also runs BGP, as the route reflector for R3/4/8/9.
R6:
BGP-IPV4
[r6]bgp 1
[r6-bgp]router-id 10.1.6.6
[r6-bgp]group IBGP internal
[r6-bgp]peer IBGP connect-interface LoopBack 0
[r6-bgp]peer IBGP reflect-client
[r6-bgp]peer 10.1.3.3 group IBGP
[r6-bgp]peer 10.1.4.4 group IBGP
[r6-bgp]peer 10.1.8.8 group IBGP
[r6-bgp]peer 10.1.9.9 group IBGP
BGP-VPNV4
[r6-bgp]ipv4-family vpnv4
[r6-bgp-af-vpnv4]peer IBGP enable
[r6-bgp-af-vpnv4]peer IBGP advertise-community
[r6-bgp-af-vpnv4]peer IBGP reflect-client
[r6-bgp-af-vpnv4]undo policy vpn-target
[r6-bgp-af-vpnv4]peer 10.1.3.3 enable
[r6-bgp-af-vpnv4]peer 10.1.4.4 enable
[r6-bgp-af-vpnv4]peer 10.1.8.8 enable
[r6-bgp-af-vpnv4]peer 10.1.9.9 enable
R3/4/8/9
[r3-bgp]display this
[V200R003C00]
#
bgp 1
router-id 10.1.3.3
peer 10.1.6.6 as-number 1
peer 10.1.6.6 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 10.1.6.6 enable
#
ipv4-family vpnv4
undo policy vpn-target
peer 10.1.6.6 enable
peer 10.1.6.6 advertise-community
#
return
Verification
Check R6's BGP VPNv4 neighbors
[r6]display bgp peer
BGP local router ID : 10.1.6.6
Local AS number : 1
Total number of peers : 4 Peers in established state : 4
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.1.3.3 4 1 13 14 0 00:10:18 Established 0
10.1.4.4 4 1 2 3 0 00:00:49 Established 0
10.1.8.8 4 1 2 4 0 00:00:36 Established 0
10.1.9.9 4 1 2 3 0 00:00:27 Established 0
4. Inter-branch communication
4.1 VRF configuration
By region, the VRF names on R8/9/3/4 are 2A, 2B, 3A and 4A respectively, derived from the region and the PE device number. The VRF VPN-targets on R8/9/3/4 are 2:8, 2:9, 3:3 and 4:4 respectively. To avoid mistakes, the RD is kept identical to the VPN-target.
Note: at this stage the VPN-target is configured for export only; the import side is decided by the further planning below.
[r8]ip vpn-instance 2A
[r8-vpn-instance-2A-af-ipv4]route-distinguisher 2:8
[r8-vpn-instance-2A-af-ipv4]vpn-target 2:8 export-extcommunity
[r8-vpn-instance-2A-af-ipv4]int g0/0/0
[r8-GigabitEthernet0/0/0]ip binding vpn-instance 2A
[r8-GigabitEthernet0/0/0]ip address 10.2.108.1 24
Complete the interface IP addresses on the corresponding CE devices.
4.2 Establishing EBGP between the branches and the backbone
In this topology, branches 1/2 are small and sit in different ASes, so BGP is configured to establish EBGP sessions with backbone AS1 and advertise their routes into BGP. R10/R11 establish EBGP sessions with R8/R9 respectively, after which the OSPF IGP routes are redistributed into BGP.
[r1]bgp 3
[r1-bgp]router-id 10.3.1.1
[r1-bgp]peer 10.3.31.2 as-number 1
[r3]bgp 1
[r3-bgp]ipv4-family vpn-instance 3A
[r3-bgp-3A]peer 10.3.31.1 as-number 3
Verification
[r3]display bgp vpnv4 vpn-instance 3A peer
BGP local router ID : 10.1.3.3
Local AS number : 1
VPN-Instance 3A, Router ID 10.1.3.3:
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.3.31.1 4 3 2 2 0 00:00:08 Established
4.3 Importing branch routes into the backbone
The central AS2 network is redistributed from OSPF (both R10 and R11 must be configured for redistribution); AS3/4 have few routes and are simply advertised with network.
[r10]bgp 2
[r10-bgp]import-route ospf 1
[r11]bgp 2
[r11-bgp]import-route ospf 1
[r1]bgp 3
[r1-bgp]network 10.3.1.1 32
[r1-bgp]network 10.3.31.0 24
[r2]bgp 4
[r2-bgp]network 10.4.2.2 32
[r2-bgp]network 10.4.42.0 24
Verification
Check R6's VPNv4 routing table
[r6]display bgp vpnv4 all routing-table
BGP Local router ID is 10.1.6.6
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total number of routes from all PE: 26
Route Distinguisher: 2:8
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 10.2.2.0/24 10.1.8.8 2 100 0 2?
*>i 10.2.2.254/32 10.1.8.8 2 100 0 2?
*>i 10.2.3.0/24 10.1.8.8 2 100 0 2?
*>i 10.2.3.254/32 10.1.8.8 3 100 0 2?
*>i 10.2.10.10/32 10.1.8.8 0 100 0 2?
*>i 10.2.11.11/32 10.1.8.8 1 100 0 2?
*>i 10.2.101.0/24 10.1.8.8 0 100 0 2?
*>i 10.2.108.0/24 10.1.8.8 0 100 0 2?
*>i 10.2.110.0/24 10.1.8.8 0 100 0 2?
*>i 10.2.112.0/24 10.1.8.8 2 100 0 2?
*>i 10.2.119.0/24 10.1.8.8 2 100 0 2?
Route Distinguisher: 2:9
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 10.2.2.0/24 10.1.9.9 2 100 0 2?
*>i 10.2.2.254/32 10.1.9.9 3 100 0 2?
*>i 10.2.3.0/24 10.1.9.9 2 100 0 2?
*>i 10.2.3.254/32 10.1.9.9 2 100 0 2?
*>i 10.2.10.10/32 10.1.9.9 1 100 0 2?
*>i 10.2.11.11/32 10.1.9.9 0 100 0 2?
*>i 10.2.101.0/24 10.1.9.9 2 100 0 2?
*>i 10.2.108.0/24 10.1.9.9 2 100 0 2?
*>i 10.2.110.0/24 10.1.9.9 0 100 0 2?
*>i 10.2.112.0/24 10.1.9.9 0 100 0 2?
*>i 10.2.119.0/24 10.1.9.9 0 100 0 2?
Route Distinguisher: 3:3
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 10.3.1.1/32 10.1.3.3 0 100 0 3i
*>i 10.3.31.0/24 10.1.3.3 0 100 0 3i
Route Distinguisher: 4:4
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 10.4.2.2/32 10.1.4.4 0 100 0 4i
*>i 10.4.42.0/24 10.1.4.4 0 100 0 4i
4.4 Routing all branch traffic through the security center
The requirement is that all branch traffic passes through the AS5 security center: first for traffic inspection, and second so that future branch topology changes require few modifications, only to the configuration for access to the security center.
Configure VRFs to receive each branch's traffic:
Sub-interfaces bind the VRF for each branch's traffic; the VPN-target import value is the export value used above when that branch's routes were imported into the backbone. The VRFs receiving 2A/2B/3A/4A are named to2A/to2B/to3A/to4A, with RDs 2:2/22:22/33:33/4:4, bound to sub-interfaces G4/0/1.1/1.2/1.3/1.4. The interface addresses are 10.5.2.0/24, 10.5.22.0/24, 10.5.3.0/24 and 10.5.4.0/24 respectively.
[r3]ip vpn-instance to2A
[r3-vpn-instance-to2A-af-ipv4]route-distinguisher 2:2
[r3-vpn-instance-to2A-af-ipv4]vpn-target 2:8 import-extcommunity
[r3]int g4/0/1.1
[r3-GigabitEthernet4/0/1.1]dot1q termination vid 1
[r3-GigabitEthernet4/0/1.1]arp broadcast enable
[r3-GigabitEthernet4/0/1.1]ip binding vpn-instance to2A
[r3-GigabitEthernet4/0/1.1]ip address 10.5.2.1 24
[r3]bgp 1
[r3-bgp]ipv4-family vpn-instance to2A
[r3-bgp-to2A]peer 10.5.2.2 as-number 5
[r12]int g0/0/1.1
[r12-GigabitEthernet0/0/1.1]ip address 10.5.2.2 24
[r12-GigabitEthernet0/0/1.1]dot1q termination vid 1
[r12-GigabitEthernet0/0/1.1]arp broadcast enable
[r12]bgp 5
[r12-bgp]router-id 10.5.12.12
[r12-bgp]peer 10.5.2.1 as-number 1
Verification
Check R12's BGP routing table
[r12]display bgp routing-table
BGP Local router ID is 10.5.12.12
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 26
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 10.2.2.0/24 10.5.2.1 0 1 2?
* 10.5.22.1 0 1 2?
*> 10.2.2.254/32 10.5.2.1 0 1 2?
* 10.5.22.1 0 1 2?
*> 10.2.3.0/24 10.5.2.1 0 1 2?
* 10.5.22.1 0 1 2?
*> 10.2.3.254/32 10.5.2.1 0 1 2?
* 10.5.22.1 0 1 2?
*> 10.2.10.10/32 10.5.2.1 0 1 2?
* 10.5.22.1 0 1 2?
*> 10.2.11.11/32 10.5.2.1 0 1 2?
* 10.5.22.1 0 1 2?
*> 10.2.101.0/24 10.5.2.1 0 1 2?
* 10.5.22.1 0 1 2?
*> 10.2.108.0/24 10.5.2.1 0 1 2?
* 10.5.22.1 0 1 2?
*> 10.2.110.0/24 10.5.2.1 0 1 2?
* 10.5.22.1 0 1 2?
*> 10.2.112.0/24 10.5.2.1 0 1 2?
* 10.5.22.1 0 1 2?
*> 10.2.119.0/24 10.5.2.1 0 1 2?
* 10.5.22.1 0 1 2?
*> 10.3.1.1/32 10.5.3.1 0 1 3i
*> 10.3.31.0/24 10.5.3.1 0 1 3i
*> 10.4.2.2/32 10.5.4.1 0 1 4i
*> 10.4.42.0/24 10.5.4.1 0 1 4i
4.5 Outbound traffic from the security center
Once all traffic flows through the security center, the security center's routes must be shared with all branches to achieve full reachability.
Problem: all of the security center's routes arrived via backbone AS1, so their BGP AS-Path attribute already contains 1 (as seen above). When they are advertised back out and pass through AS 1 again, they are dropped by EBGP loop prevention. Solution: route aggregation is used here, because an aggregate route wipes the AS-Path (other methods are covered later).
[r12]bgp 5
[r12-bgp]aggregate 10.2.0.0 16
[r12-bgp]aggregate 10.3.0.0 16
[r12-bgp]aggregate 10.4.0.0 16
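An added example (not part of the original write-up) that models the AS-Path reasoning above in Python: the specific 10.2.2.0/24 route arrives at R12 with AS_PATH [1, 2] and is dropped when re-advertised into AS1, while the aggregate 10.2.0.0/16 starts with an empty AS_PATH and reaches R1 in AS3 as [1, 5]. The `as_set` branch shows the variant the page does not use, assumed here to behave as RFC 4271 describes (AS_SET members are included in the loop check).

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Route:
    prefix: str
    as_path: list   # leftmost = AS that advertised most recently; a frozenset element = AS_SET

def path_contains(as_path, asn):
    """Loop check covers both plain AS_SEQUENCE members and AS_SET members (RFC 4271, 9.1.2)."""
    return any(asn in seg if isinstance(seg, frozenset) else seg == asn for seg in as_path)

def ebgp_receive(local_as, route):
    """An EBGP speaker drops any update whose AS_PATH already lists its own AS."""
    return None if path_contains(route.as_path, local_as) else route

def ebgp_send(local_as, route):
    """On EBGP export the sender prepends its own AS number."""
    return Route(route.prefix, [local_as] + route.as_path)

def ibgp_send(route):
    """iBGP peers and the route reflector (R6) forward the AS_PATH unchanged."""
    return Route(route.prefix, list(route.as_path))

def aggregate(prefix, contributors, as_set=False):
    """Summary route. Without 'as-set' (the page's configuration) the summary starts with an
    empty AS_PATH; with as-set it carries the contributors' AS numbers as one AS_SET."""
    if not as_set:
        return Route(prefix, [])
    members = frozenset(seg for r in contributors for seg in r.as_path
                        if not isinstance(seg, frozenset))
    return Route(prefix, [members])

def learned_at_r12():
    """10.2.2.0/24 originated in AS2, carried across AS1 (R8 -> R6 -> R3) to R12 in AS5."""
    r = ebgp_send(2, Route("10.2.2.0/24", []))   # R10 -> R8: AS_PATH [2]
    r = ibgp_send(ebgp_receive(1, r))            # R8 -> R6 (RR) -> R3: still [2]
    return ebgp_receive(5, ebgp_send(1, r))      # R3 -> R12: AS_PATH [1, 2]

def specific_route_back_to_as1():
    """Re-advertising the specific route from R12 to R3: R3 (AS1) sees 1 in [5, 1, 2] and drops it."""
    return ebgp_receive(1, ebgp_send(5, learned_at_r12()))

def aggregate_to_branch(as_set=False):
    """Summary 10.2.0.0/16 from R12 to R3 (AS1) and on to R1 (AS3); returns what R1 receives."""
    summary = aggregate("10.2.0.0/16", [learned_at_r12()], as_set)
    at_r3 = ebgp_receive(1, ebgp_send(5, summary))
    if at_r3 is None:
        return None                              # as-set variant: AS1 is inside the AS_SET
    return ebgp_receive(3, ebgp_send(1, at_r3))  # R3 -> R1: AS_PATH [1, 5]
```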
VRFs to2A, to2B, to3A and to4A are given VPN-target 5:5 export to share the routes, and VRFs 2A, 2B, 3A and 4A are then given VPN-target 5:5 import to receive them.
[r3]ip vpn-instance to2A
[r3-vpn-instance-to2A]vpn-target 5:5 export-extcommunity
[r8]ip vpn-instance 2A
[r8-vpn-instance-2A]vpn-target 5:5 import-extcommunity
Verification
Check the routing table of R1 (AS3).
[r1]display ip routing-table protocol bgp
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : BGP
Destinations : 3 Routes : 3
BGP routing table status : <Active>
Destinations : 3 Routes : 3
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.2.0.0/16 EBGP 255 0 D 10.3.31.2 GigabitEthernet0/0/0
10.3.0.0/16 EBGP 255 0 D 10.3.31.2 GigabitEthernet0/0/0
10.4.0.0/16 EBGP 255 0 D 10.3.31.2 GigabitEthernet0/0/0
4.6 Verifying branch interconnection through the security center
AS2 R10 tracert to AS3 R1 and AS4 R2
[r10]tracert 10.3.1.1
traceroute to 10.3.1.1(10.3.1.1), max hops: 30 ,packet length: 40,press CTRL_C to break
1 10.2.108.1 20 ms 20 ms 20 ms
2 10.1.85.1 < AS=5 > 20 ms 30 ms 40 ms
3 10.5.2.1 < AS=5 > 40 ms 40 ms 30 ms
4 10.5.2.2 < AS=5 > 50 ms 40 ms 40 ms
5 10.5.3.1 < AS=5 > 40 ms 50 ms 40 ms
6 10.3.31.1 < AS=5 > 50 ms 40 ms 40 ms
[r10]tracert 10.4.2.2
traceroute to 10.4.2.2(10.4.2.2), max hops: 30 ,packet length: 40,press CTRL_C to break
1 10.2.108.1 20 ms 20 ms 20 ms
2 10.1.85.1 < AS=5 > 30 ms 50 ms 30 ms
3 10.5.2.1 < AS=5 > 30 ms 40 ms 30 ms
4 10.5.2.2 < AS=5 > 40 ms 30 ms 30 ms
5 10.5.4.1 < AS=5 > 40 ms 30 ms 50 ms
6 10.4.42.2 < AS=5 > 40 ms 40 ms 40 ms
7 10.4.42.1 < AS=5 > 50 ms 60 ms 50 ms
5. Internet connectivity
On R8, create a VRF named INT with VPN-target 6:8 export. R13 establishes an EBGP session with R8's INT VRF and advertises a default route to R8.
[r8]ip vpn-instance INT
[r8-vpn-instance-INT]ipv4-family
[r8-vpn-instance-INT-af-ipv4]route-distinguisher 6:8
[r8-vpn-instance-INT-af-ipv4]vpn-target 6:8 export-extcommunity
[r8-vpn-instance-INT-af-ipv4]int g4/0/1
[r8-GigabitEthernet4/0/1]ip address 100.6.138.1 24
[r8]bgp 1
[r8-bgp]ipv4-family vpn-instance INT
[r8-bgp-INT]peer 100.6.138.2 as-number 6
[r13]bgp 6
[r13-bgp]router-id 100.6.13.13
[r13-bgp]peer 100.6.138.1 as-number 1
[r13-bgp]peer 100.6.138.1 default-route-advertise
Point the default route at the security center
to2A/to2B/to3A/to4A
[r3]ip vpn-instance to2A
[r3-vpn-instance-to2A]vpn-target 6:8 import-extcommunity
In R12's BGP, advertise a default route to neighbors 10.5.2.1/3.1/4.1/22.1
[r12-bgp]peer 10.5.2.1 default-route-advertise
[r12-bgp]peer 10.5.3.1 default-route-advertise
[r12-bgp]peer 10.5.4.1 default-route-advertise
[r12-bgp]peer 10.5.22.1 default-route-advertise
5.1 Return direction
The configuration above completes the path from all branches toward the Internet. Next, the return path from the Internet back to all branches must be completed.
[r8-vpn-instance-INT]display this
[V200R003C00]
#
ip vpn-instance INT
ipv4-family
route-distinguisher 6:8
vpn-target 6:8 export-extcommunity
vpn-target 8:8 import-extcommunity
#
return
[r3-vpn-instance-toINT]display this
[V200R003C00]
#
ip vpn-instance toINT
ipv4-family
route-distinguisher 8:8
vpn-target 8:8 export-extcommunity
vpn-target 6:8 import-extcommunity
#
return
[r3-GigabitEthernet4/0/1.6]display this
[V200R003C00]
#
interface GigabitEthernet4/0/1.6
dot1q termination vid 6
ip binding vpn-instance toINT
ip address 10.5.6.1 255.255.255.0
arp broadcast enable
#
return
[r12]int g0/0/1.6
[r12-GigabitEthernet0/0/1.6]ip address 10.5.6.2 24
[r12-GigabitEthernet0/0/1.6]dot1q termination vid 6
[r12-GigabitEthernet0/0/1.6]arp broadcast enable
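The route-target design is now complete across sections 4.1, 4.4, 4.5, 5 and 5.1. As an added example (not part of the original write-up), the Python model below checks the property the design relies on: no branch VRF imports another branch VRF's routes directly, so every inter-branch and Internet path has to cross a to* VRF on R3 and therefore the security center. The `with_extra_import` helper is assumed here as a way to test a proposed RT change before committing it.

```python
# VRFs as configured on the page: name -> (export RTs, import RTs). Only routes that
# originate in a VRF (learned from its CE/EBGP neighbor) are exported with its export RTs;
# routes a VRF received from VPNv4 keep their original RTs and are not re-exported.
VRFS = {
    "R8/2A":    ({"2:8"}, {"5:5"}),
    "R9/2B":    ({"2:9"}, {"5:5"}),
    "R3/3A":    ({"3:3"}, {"5:5"}),
    "R4/4A":    ({"4:4"}, {"5:5"}),
    "R3/to2A":  ({"5:5"}, {"2:8", "6:8"}),
    "R3/to2B":  ({"5:5"}, {"2:9", "6:8"}),
    "R3/to3A":  ({"5:5"}, {"3:3", "6:8"}),
    "R3/to4A":  ({"5:5"}, {"4:4", "6:8"}),
    "R8/INT":   ({"6:8"}, {"8:8"}),
    "R3/toINT": ({"8:8"}, {"6:8"}),
}
BRANCH_VRFS = {"R8/2A", "R9/2B", "R3/3A", "R4/4A"}

def import_matrix(vrfs=VRFS):
    """For every VRF, the set of VRFs whose originated routes it receives: a route is imported
    when any export RT of the source matches an import RT of the target. (The reflector R6 runs
    'undo policy vpn-target', so every VPNv4 route reaches every PE and only the RTs decide.)"""
    matrix = {}
    for target, (_, imports) in vrfs.items():
        matrix[target] = {src for src, (exports, _) in vrfs.items()
                          if src != target and exports & imports}
    return matrix

def direct_branch_leaks(vrfs=VRFS):
    """Branch-to-branch imports that would bypass the security center; empty for a sound design."""
    m = import_matrix(vrfs)
    return {(src, dst) for dst in BRANCH_VRFS for src in m[dst] if src in BRANCH_VRFS}

def with_extra_import(vrfs, vrf, rt):
    """Copy of the design with one additional import RT on one VRF (hypothetical change to test)."""
    changed = dict(vrfs)
    exports, imports = vrfs[vrf]
    changed[vrf] = (set(exports), set(imports) | {rt})
    return changed
```

Running `direct_branch_leaks(with_extra_import(VRFS, "R8/2A", "2:9"))` shows how a single stray `vpn-target 2:9 import-extcommunity` on VRF 2A would open a direct 2B-to-2A path around the security center.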
NAT
Configured on security center R12: first a loopback interface holding a public IP address is needed; the internal address space 10.0.0.0/8 is then translated to it many-to-one.
[r12]int lo 100
[r12-LoopBack100]ip address 100.5.12.12 32
[r12]acl 2000
[r12-acl-basic-2000]rule 5 permit source 10.0.0.0 0.255.255.255
[r12]int g0/0/1.6
[r12-GigabitEthernet0/0/1.6]nat outbound 2000 interface loopback 100
Test:
[r10]ping 100.6.13.13
PING 100.6.13.13: 56 data bytes, press CTRL_C to break
Reply from 100.6.13.13: bytes=56 Sequence=1 ttl=248 time=60 ms
Reply from 100.6.13.13: bytes=56 Sequence=2 ttl=248 time=50 ms
Reply from 100.6.13.13: bytes=56 Sequence=3 ttl=248 time=70 ms
Reply from 100.6.13.13: bytes=56 Sequence=4 ttl=248 time=60 ms
Reply from 100.6.13.13: bytes=56 Sequence=5 ttl=248 time=60 ms
[r10]tracert 100.6.13.13
traceroute to 100.6.13.13(100.6.13.13), max hops: 30 ,packet length: 40,press CTRL_C to break
1 10.2.108.1 30 ms 10 ms 10 ms
2 10.1.85.1 < AS=5 > 40 ms 30 ms 20 ms
3 10.5.2.1 < AS=5 > 20 ms 30 ms 30 ms
4 * * *
5 10.5.6.1 < AS=5 > 50 ms 50 ms 40 ms
6 10.1.53.2 < AS=5 > 40 ms 60 ms 50 ms
7 100.6.138.1 < AS=5 > 50 ms 60 ms 50 ms
8 100.6.138.2 < AS=5 > 60 ms 70 ms 60 ms