MPLS VPN Lab 1
Everyone is probably familiar with VPNs. Put simply, the idea is to use the public network to carry private-network data and routes. For data transport the public network should be treated as insecure, but a VPN can use tunneling, encryption and authentication to carry the data transparently: outsiders along the public path have great difficulty seeing the content of the encrypted data, so figuratively a secure transport tunnel is formed from source to destination. Different VPN technologies offer different levels of security; GRE VPN, for example, is very weak. There are many kinds of VPN technology, at Layer 2 and at Layer 3, and by application they are divided into intranet VPN, extranet VPN and access VPN. Layer 2 VPN types: L2TP VPN, PPTP VPN, L2F VPN. Layer 3 VPNs are mainly IPsec VPN (site-to-site VPN, EZVPN, DMVPN, etc.), the most secure VPNs based on the SSL (Secure Sockets Layer) protocol, and the one presented today, MPLS VPN.
VPN technology is now very widely deployed and its advantages are beyond doubt. If enterprises want a truly highly secure network, leasing a dedicated line is one effective method, but solving the problem with a VPN brings even more benefits: it saves lines, has QoS guarantee mechanisms, and solves the problem of overlapping addresses between enterprises. I am sure everyone already knows a lot about VPNs, so I will not promote them further here. The topology of today's lab is as follows:
The requirements, restated:
A. Company A's headquarters centerA must be able to communicate with its branch siteA; the same holds for centerB and siteB.
B. Company A's headquarters and Company B's headquarters can communicate, but A's headquarters must not reach B's branch, and B's headquarters must not reach A's branch.
C. The dynamic routing protocol between each company's headquarters and its branch is RIPv2.
D. The simulated ISP in the middle runs OSPF as its IGP and BGP as its EGP. The VPN type is MPLS VPN: the ISP runs MPLS for data forwarding, since label-based forwarding is more efficient, but building the VPN requires MP-BGP.
Solution approach:
1. For connectivity within each company, each headquarters must interconnect with its branch, so it is enough to tag all routes with the same route-target on both import and export.
2. For connectivity between the two headquarters, likewise give both headquarters a shared RT value.
3. On the ISP side, MP-BGP is needed to carry the VPNv4 routes, i.e. the routes of the two private networks. They do not appear in the global routing table, so the routes behave as if they were transported in a tunnel. A packet enters at the PE and the VRF routing table is consulted (each company has its own VRF table on the PE); then the LFIB is consulted and the packet is label-switched through the MPLS core. At the far PE the label is popped, the packet becomes an ordinary IP packet, and the matching VRF route is used to forward it. How is each VPN's data distinguished, and what if addresses overlap? No worry: the RD's job is exactly to tell different VPN customers' data apart.
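The RT logic described above, as an added example that is not part of the original post: a small Python model of the VRF import/export policy taken from the PE1 and PE2 configurations in this lab, which computes which VPNv4 routes each VRF imports and from that the site-to-site reachability (it reproduces the ping results shown later in the post). The site names are labels chosen here for readability.

```python
# Added example, not code from the original post: model the route-target
# (RT) import/export policy of this lab and compute which VPNv4 routes each
# VRF imports. RD, RT and prefix values are copied from the PE1/PE2 VRF
# configurations; the site labels are ours.
from dataclasses import dataclass

@dataclass(frozen=True)
class Vrf:
    site: str            # CE behind this VRF (label chosen for readability)
    rd: str              # route distinguisher, keeps overlapping prefixes distinct
    export: frozenset    # RTs attached to routes this VRF advertises into MP-BGP
    imports: frozenset   # RTs this VRF accepts from the VPNv4 table
    prefixes: frozenset  # routes learned from the CE over RIP

VRFS = [
    Vrf("centerA", "1:1", frozenset({"100:100", "100:101"}),
        frozenset({"100:100", "100:101"}), frozenset({"1.1.1.0/24"})),   # PE1 vrf A
    Vrf("centerB", "2:2", frozenset({"100:101", "200:200"}),
        frozenset({"100:101", "200:200"}), frozenset({"2.2.2.0/24"})),   # PE1 vrf B
    Vrf("siteA", "1:1", frozenset({"100:100"}), frozenset({"100:100"}),
        frozenset({"6.6.6.0/24"})),                                       # PE2 vrf A
    Vrf("siteB", "2:2", frozenset({"200:200"}), frozenset({"200:200"}),
        frozenset({"7.7.7.0/24"})),                                       # PE2 vrf B
]

def vpnv4_table(vrfs):
    """VPNv4 table as seen by MP-BGP: (RD, prefix) -> export RTs (extended communities)."""
    return {(v.rd, p): v.export for v in vrfs for p in v.prefixes}

def imported_prefixes(vrf, vrfs):
    """A VRF imports every VPNv4 route that carries at least one of its import RTs."""
    return {p for (rd, p), rts in vpnv4_table(vrfs).items()
            if p not in vrf.prefixes and rts & vrf.imports}

def can_reach(src, dst, vrfs):
    """Traffic flows both ways only if each side imports the other's prefixes."""
    return (dst.prefixes <= imported_prefixes(src, vrfs)
            and src.prefixes <= imported_prefixes(dst, vrfs))

def reachability_matrix(vrfs):
    """{(src_site, dst_site): bool} for every ordered pair of distinct sites."""
    return {(a.site, b.site): can_reach(a, b, vrfs)
            for a in vrfs for b in vrfs if a is not b}

if __name__ == "__main__":
    for (src, dst), ok in sorted(reachability_matrix(VRFS).items()):
        print(f"{src:>8} -> {dst:<8} {'reachable' if ok else 'isolated'}")
```

Changing a single RT in VRFS (for example adding 100:101 to siteA's import set) shows immediately which isolation requirement would break, which is a cheap check to run before pushing a new VRF definition.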
The configurations are as follows:
CE side:
centerA:
hostname ceneterA
!
! Enable CEF (on by default). CEF builds the FIB; the label distribution
! protocols (TDP/LDP) build the TFIB/LFIB on top of it for label switching.
ip cef
no ip domain lookup
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
!
interface Serial1/0
ip address 192.168.1.1 255.255.255.0
serial restart-delay 0
interface Serial1/6
router rip
version 2
network 1.0.0.0
network 192.168.1.0
no auto-summary
!
centerB:
ip cef
no ip domain lookup
!
interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
!
interface Serial1/1
ip address 192.168.2.1 255.255.255.0
serial restart-delay 0
!
!
router rip
version 2
network 2.0.0.0
network 192.168.1.0
network 192.168.2.0
no auto-summary
PE1:
!
hostname PE1
!
!
!
ip cef
no ip domain lookup
!
!
! Create the VRF table and define its RD and RT values; they identify each
! VPN customer's data and prevent problems with overlapping addresses.
ip vrf A
rd 1:1
route-target export 100:100
route-target export 100:101
route-target import 100:100
route-target import 100:101
!
ip vrf B
rd 2:2
route-target export 100:101
route-target export 200:200
route-target import 100:101
route-target import 200:200
!
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
!
interface Serial1/0
! Place this interface in VRF A
ip vrf forwarding A
ip address 192.168.1.2 255.255.255.0
serial restart-delay 0
!
interface Serial1/1
ip vrf forwarding B
ip address 192.168.2.2 255.255.255.0
serial restart-delay 0
!
interface Serial1/2
ip address 192.168.3.1 255.255.255.0
mpls ip
serial restart-delay 0
!
router ospf 1
log-adjacency-changes
! Redistribute BGP into OSPF
redistribute bgp 100 subnets
network 3.3.3.0 0.0.0.255 area 0
network 192.168.3.0 0.0.0.255 area 0
!
router rip
version 2
no auto-summary
!
! RIP for VRF B: the dynamic routing protocol between PE and CE
address-family ipv4 vrf B
! Redistribute the private routes carried as VPNv4 in MP-BGP into this VRF's routing table
redistribute bgp 100 metric 3
network 192.168.2.0
no auto-summary
version 2
exit-address-family
!
address-family ipv4 vrf A
redistribute bgp 100 metric 3
network 192.168.1.0
no auto-summary
version 2
exit-address-family
!
! Start BGP. Inside the ISP ordinary BGP routes are carried, but the PEs
! additionally run MP-BGP to carry the VPNv4 private routes
router bgp 100
no synchronization
bgp router-id 3.3.3.3
bgp log-neighbor-changes
network 3.3.3.0 mask 255.255.255.255
network 192.168.3.0
neighbor 4.4.4.4 remote-as 100
neighbor 4.4.4.4 update-source Loopback0
neighbor 5.5.5.5 remote-as 100
neighbor 5.5.5.5 update-source Loopback0
no auto-summary
!
! VPNv4 address family: specify and activate the VPNv4 neighbor
address-family vpnv4
neighbor 5.5.5.5 activate
neighbor 5.5.5.5 send-community both
exit-address-family
!
address-family ipv4 vrf B
redistribute rip metric 3
no auto-summary
no synchronization
exit-address-family
!
address-family ipv4 vrf A
redistribute rip metric 3
no auto-summary
no synchronization
exit-address-family
PE (the core P router, with no VRFs):
hostname PE
!
!
ip cef
no ip domain lookup
!
!
interface Loopback0
ip address 4.4.4.4 255.255.255.255
!
!
interface Serial1/0
ip address 192.168.4.1 255.255.255.0
mpls ip
serial restart-delay 0
!
!
interface Serial1/2
ip address 192.168.3.2 255.255.255.0
mpls ip
serial restart-delay 0
!
!
router ospf 1
log-adjacency-changes
network 4.4.4.0 0.0.0.255 area 0
network 192.168.3.0 0.0.0.255 area 0
network 192.168.4.0 0.0.0.255 area 0
!
router bgp 100
no synchronization
bgp router-id 4.4.4.4
bgp log-neighbor-changes
network 192.168.3.0
network 192.168.4.0
neighbor 3.3.3.3 remote-as 100
neighbor 3.3.3.3 update-source Loopback0
neighbor 5.5.5.5 remote-as 100
neighbor 5.5.5.5 update-source Loopback0
no auto-summary
!
PE2:
hostname PE2
!
ip cef
no ip domain lookup
!
!
ip vrf A
rd 1:1
route-target export 100:100
route-target import 100:100
!
ip vrf B
rd 2:2
route-target export 200:200
route-target import 200:200
!
interface Loopback0
ip address 5.5.5.5 255.255.255.255
!
interface Serial1/0
ip address 192.168.4.2 255.255.255.0
mpls ip
serial restart-delay 0
!
interface Serial1/1
ip vrf forwarding A
ip address 192.168.5.1 255.255.255.0
serial restart-delay 0
!
interface Serial1/2
ip vrf forwarding B
ip address 192.168.6.1 255.255.255.0
serial restart-delay 0
!
router ospf 1
log-adjacency-changes
redistribute bgp 100 subnets
network 5.5.5.0 0.0.0.255 area 0
network 192.168.4.0 0.0.0.255 area 0
!
router rip
version 2
no auto-summary
!
address-family ipv4 vrf B
redistribute bgp 100 metric 3
network 192.168.6.0
no auto-summary
version 2
exit-address-family
!
address-family ipv4 vrf A
redistribute bgp 100 metric 3
network 192.168.5.0
no auto-summary
version 2
exit-address-family
!
router bgp 100
no synchronization
bgp router-id 5.5.5.5
bgp log-neighbor-changes
network 5.5.5.5 mask 255.255.255.255
network 192.168.4.0
neighbor 3.3.3.3 remote-as 100
neighbor 3.3.3.3 update-source Loopback0
neighbor 4.4.4.4 remote-as 100
neighbor 4.4.4.4 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community both
exit-address-family
!
address-family ipv4 vrf B
redistribute rip metric 3
no auto-summary
no synchronization
exit-address-family
!
address-family ipv4 vrf A
redistribute rip metric 3
no auto-summary
no synchronization
exit-address-family
SiteA:
hostname siteA
ip cef
no ip domain lookup
interface Loopback0
ip address 6.6.6.6 255.255.255.0
!
interface Serial1/1
ip address 192.168.5.2 255.255.255.0
serial restart-delay 0
!
router rip
version 2
network 6.0.0.0
network 192.168.5.0
no auto-summary
!
SiteB:
!
hostname siteB
!
ip cef
no ip domain lookup
interface Loopback0
ip address 7.7.7.7 255.255.255.0
interface Serial1/2
ip address 192.168.6.2 255.255.255.0
serial restart-delay 0
!
!
router rip
version 2
network 7.0.0.0
network 192.168.6.0
no auto-summary
!
The above is the complete configuration for this lab.
Once it is in place we can test the result:
centerA:
It can only communicate with headquarters B and branch A:
ceneterA#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/8 ms
ceneterA#ping 6.6.6.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 212/335/428 ms
ceneterA#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 144/176/212 ms
ceneterA#ping 7.7.7.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 7.7.7.7, timeout is 2 seconds:
.....
Success rate is 0 percent (0/
centerB likewise can only communicate with centerA and siteB:
centerB#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 140/213/432 ms
centerB#ping 7.7.7.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 7.7.7.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 336/383/456 ms
centerB#ping 6.6.6.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
centerB#
siteA#ping 7.7.7.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 7.7.7.7, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SiteA can only communicate with headquarters A:
siteA#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 288/407/720 ms
siteA#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
siteA#
SiteB can only communicate with its headquarters:
siteB#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 312/364/476 ms
siteB#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
siteB#ping 6.6.6.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Having got this far, you may ask whether traffic across the ISP's public network actually goes through MPLS label switching:
PE1#traceroute 5.5.5.5 source lo 0
Type escape sequence to abort.
Tracing the route to 5.5.5.5
1 192.168.3.2 [MPLS: Label 18 Exp 0] 148 msec 144 msec 192 msec
2 192.168.4.2 192 msec * 192 msec
PE1#
PE2#traceroute 3.3.3.3 source lo 0
Type escape sequence to abort.
Tracing the route to 3.3.3.3
1 192.168.4.1 [MPLS: Label 17 Exp 0] 172 msec 168 msec 144 msec
2 192.168.3.1 120 msec * 500 msec
PE2#
With the VPN in place, the public network can carry the private routes, but the public side cannot see the route information:
PE2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/129] via 192.168.4.1, 00:06:07, Serial1/0
     4.0.0.0/32 is subnetted, 1 subnets
O       4.4.4.4 [110/65] via 192.168.4.1, 00:06:07, Serial1/0
     5.0.0.0/32 is subnetted, 1 subnets
C       5.5.5.5 is directly connected, Loopback0
C    192.168.4.0/24 is directly connected, Serial1/0
O    192.168.3.0/24 [110/128] via 192.168.4.1, 00:06:07, Serial1/0
The CE side receives the route entries delivered through the VPN from the ISP's public network:
ceneterA#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
     2.0.0.0/24 is subnetted, 1 subnets
R       2.2.2.0 [120/3] via 192.168.1.2, 00:00:16, Serial1/0
     6.0.0.0/24 is subnetted, 1 subnets
R       6.6.6.0 [120/3] via 192.168.1.2, 00:00:16, Serial1/0
R    192.168.5.0/24 [120/3] via 192.168.1.2, 00:00:16, Serial1/0
C    192.168.1.0/24 is directly connected, Serial1/0
R    192.168.2.0/24 [120/3] via 192.168.1.2, 00:00:16, Serial1/0
――――――――――――――――――――――――――――――――――
Some MP-BGP entries:
PE2#show ip bgp all
For address family: IPv4 Unicast
BGP table version is 24, local router ID is 5.5.5.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 5.5.5.5/32       0.0.0.0                  0         32768 i
r i192.168.3.0      3.3.3.3                  0    100      0 i
r>i                 4.4.4.4                  0    100      0 i
* i192.168.4.0      4.4.4.4                  0    100      0 i
*>                  0.0.0.0                  0         32768 i
For address family: IPv6 Unicast
For address family: VPNv4 Unicast
BGP table version is 58, local router ID is 5.5.5.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf A)
*>i1.1.1.0/24       3.3.3.3                  3    100      0 ?
*> 6.6.6.0/24       192.168.5.2              3         32768 ?
*>i192.168.1.0      3.3.3.3                  0    100      0 ?
*> 192.168.5.0      0.0.0.0                  0         32768 ?
Route Distinguisher: 2:2 (default for vrf B)
*>i2.2.2.0/24       3.3.3.3                  3    100      0 ?
*> 7.7.7.0/24       192.168.6.2              3         32768 ?
*>i192.168.2.0      3.3.3.3                  0    100      0 ?
*> 192.168.6.0      0.0.0.0                  0         32768 ?
For address family: IPv4 Multicast
For address family: IPv6 Multicast
Here we can see the VPNv4 and VRF entries.
Below is some information from the CEF and TFIB tables in MPLS:
PE2#show tag tdp bind
tib entry: 3.3.3.3/32, rev 10
local binding: tag: 18
remote binding: tsr: 4.4.4.4:0, tag: 17
tib entry: 4.4.4.4/32, rev 13
local binding: tag: 24
remote binding: tsr: 4.4.4.4:0, tag: imp-null
tib entry: 5.5.5.5/32, rev 4
local binding: tag: imp-null
remote binding: tsr: 4.4.4.4:0, tag: 18
tib entry: 192.168.3.0/24, rev 8
local binding: tag: 17
remote binding: tsr: 4.4.4.4:0, tag: imp-null
tib entry: 192.168.4.0/24, rev 6
local binding: tag: imp-null
remote binding: tsr: 4.4.4.4:0, tag: imp-null
PE2#
PE2#show ip cef
Prefix              Next Hop             Interface
0.0.0.0/0           drop                 Null0 (default route handler entry)
0.0.0.0/32          receive
3.3.3.3/32          192.168.4.1          Serial1/0
4.4.4.4/32          192.168.4.1          Serial1/0
5.5.5.5/32          receive
192.168.3.0/24      192.168.4.1          Serial1/0
192.168.4.0/24      attached             Serial1/0
192.168.4.0/32      receive
192.168.4.2/32      receive
192.168.4.255/32    receive
224.0.0.0/4         drop
224.0.0.0/24        receive
255.255.255.255/32  receive
PE2#
That concludes today's MPLS VPN Lab 1. If anything is wrong, I hope fellow bloggers will let me know; I will gladly accept your corrections.
Notes:
1. In each company's VPN VRFs, the RD must be consistent and the VRF name must be consistent.
2. Why use VRFs? At the PE where the enterprise hands off to the ISP, if one PE router has many companies attached, managing each company's route entries becomes a problem in practice: company A may in principle forbid company B from connecting, yet it is not impossible for company B to reach A through the routes on the PE. Management is simply not as effective without VRFs. A VRF gives each VPN customer a virtual router that stores that company's own route entries, splitting the PE's routes into many VRF routing tables plus the global routing table.
Reposted from: https://blog.51cto.com/zenfei/544278