MPLS VPN跨域A

1. 拓扑设计

1. 拓扑介绍

  如图，上海分公司与山东分公司之间为保证业务可以互通，需要使用MPLS VPN技术进行连接。中间R3与R4之间运行IGP，使用IGP传递路由，因为网络需要经过联通与移动两个AS域，所以使用MPLS VPN OptionA方案来进行配置。

1. 数据配置

R1配置

ip vpn-instance vpn1  ipv4-family   route-distinguisher 1:1   vpn-target 1:3 export-extcommunity   vpn-target 3:1 import-extcommunity # mpls lsr-id 1.1.1.1 mpls # mpls ldp isis 1  is-level level-2  cost-style wide  network-entity 49.0000.0000.0001.00 # firewall zone Local  priority 15 # interface GigabitEthernet0/0/0  ip binding vpn-instance vpn1  ip address 17.1.1.1 255.255.255.0  ospf enable 1 area 0.0.0.0 # interface GigabitEthernet0/0/1  ip address 12.1.1.1 255.255.255.0  isis enable 1  mpls  mpls ldp # interface LoopBack0  ip address 1.1.1.1 255.255.255.255  isis enable 1 # bgp 100  peer 3.3.3.3 as-number 100  peer 3.3.3.3 connect-interface LoopBack0  #  ipv4-family unicast   undo synchronization   peer 3.3.3.3 enable  #  ipv4-family vpnv4   policy vpn-target   peer 3.3.3.3 enable  #  ipv4-family vpn-instance vpn1   import-route ospf 1 # ospf 1 vpn-instance vpn1  import-route bgp  area 0.0.0.0 #

R2配置

mpls lsr-id 2.2.2.2 mpls # mpls ldp # # aaa  authentication-scheme default  authorization-scheme default  accounting-scheme default  domain default  domain default_admin  local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$  local-user admin service-type http # isis 1  is-level level-2  cost-style wide  network-entity 49.0000.0000.0002.00 # firewall zone Local  priority 15 # interface GigabitEthernet0/0/0  ip address 12.1.1.2 255.255.255.0  isis enable 1  mpls  mpls ldp # interface GigabitEthernet0/0/1  ip address 23.1.1.2 255.255.255.0  isis enable 1  mpls  mpls ldp # interface GigabitEthernet0/0/2 # interface NULL0 # interface LoopBack0  ip address 2.2.2.2 255.255.255.255  isis enable 1

R3配置

ip vpn-instance vpn1  ipv4-family   route-distinguisher 3:3   vpn-target 3:1 export-extcommunity   vpn-target 1:3 import-extcommunity # mpls lsr-id 3.3.3.3 mpls # mpls ldp # interface GigabitEthernet0/0/0  ip address 23.1.1.3 255.255.255.0  isis enable 1  mpls  mpls ldp # interface GigabitEthernet0/0/1  ip binding vpn-instance vpn1  ip address 34.1.1.3 255.255.255.0  ospf enable 1 area 0.0.0.0 # interface LoopBack0  ip address 3.3.3.3 255.255.255.255  isis enable 1 # bgp 100  peer 1.1.1.1 as-number 100  peer 1.1.1.1 connect-interface LoopBack0  #  ipv4-family unicast   undo synchronization   peer 1.1.1.1 enable  #  ipv4-family vpnv4   policy vpn-target   peer 1.1.1.1 enable  #  ipv4-family vpn-instance vpn1   import-route ospf 1 # ospf 1 vpn-instance vpn1  import-route bgp  dn-bit-check disable summary  dn-bit-check disable ase  dn-bit-check disable nssa  area 0.0.0.0

R4配置

ip vpn-instance vpn1  ipv4-family   route-distinguisher 4:4   vpn-target 4:6 export-extcommunity   vpn-target 6:4 import-extcommunity # mpls lsr-id 4.4.4.4 mpls # mpls ldp # isis 1  is-level level-2  cost-style wide  network-entity 50.0000.0000.0004.00 # interface GigabitEthernet0/0/0  ip binding vpn-instance vpn1  ip address 34.1.1.4 255.255.255.0  ospf enable 1 area 0.0.0.0 # interface GigabitEthernet0/0/1  ip address 45.1.1.4 255.255.255.0  isis enable 1  mpls  mpls ldp # interface LoopBack0  ip address 4.4.4.4 255.255.255.255  isis enable 1 # bgp 200  peer 6.6.6.6 as-number 200  peer 6.6.6.6 connect-interface LoopBack0  #  ipv4-family unicast   undo synchronization   peer 6.6.6.6 enable  #  ipv4-family vpnv4   policy vpn-target   peer 6.6.6.6 enable  #  ipv4-family vpn-instance vpn1   import-route ospf 1 # ospf 1 vpn-instance vpn1  import-route bgp  dn-bit-check disable summary  dn-bit-check disable ase  dn-bit-check disable nssa  area 0.0.0.0

R5配置

mpls lsr-id 5.5.5.5 mpls # mpls ldp # isis 1  is-level level-2  cost-style wide  network-entity 50.0000.0000.0005.00 # interface GigabitEthernet0/0/0  ip address 45.1.1.5 255.255.255.0  isis enable 1  mpls  mpls ldp # interface GigabitEthernet0/0/1  ip address 56.1.1.5 255.255.255.0  isis enable 1  mpls  mpls ldp # interface LoopBack0  ip address 5.5.5.5 255.255.255.255  isis enable 1

R6配置

ip vpn-instance vpn1  ipv4-family   route-distinguisher 6:6   vpn-target 6:4 export-extcommunity   vpn-target 4:6 import-extcommunity # mpls lsr-id 6.6.6.6 mpls # mpls ldp # isis 1  is-level level-2  cost-style wide  network-entity 50.0000.0000.0006.00 # firewall zone Local  priority 15 # interface GigabitEthernet0/0/0  ip address 56.1.1.6 255.255.255.0  isis enable 1  mpls  mpls ldp # interface GigabitEthernet0/0/1  ip binding vpn-instance vpn1  ip address 68.1.1.6 255.255.255.0  ospf enable 1 area 0.0.0.0 # interface LoopBack0  ip address 6.6.6.6 255.255.255.255  isis enable 1 # bgp 200  peer 4.4.4.4 as-number 200  peer 4.4.4.4 connect-interface LoopBack0  #  ipv4-family unicast   undo synchronization   peer 4.4.4.4 enable  #  ipv4-family vpnv4   policy vpn-target   peer 4.4.4.4 enable  #  ipv4-family vpn-instance vpn1   import-route ospf 1 # ospf 1 vpn-instance vpn1  import-route bgp  area 0.0.0.0

R7配置

interface GigabitEthernet0/0/0  ip address 17.1.1.7 255.255.255.0  ospf enable 1 area 0.0.0.0 # interface GigabitEthernet0/0/1 # interface GigabitEthernet0/0/2 # interface NULL0 # interface LoopBack0  ip address 7.7.7.7 255.255.255.255  ospf enable 1 area 0.0.0.0 # ospf 1

R8配置

interface GigabitEthernet0/0/0  ip address 68.1.1.8 255.255.255.0  ospf enable 1 area 0.0.0.0 # interface GigabitEthernet0/0/1 # interface GigabitEthernet0/0/2 # interface NULL0 # interface LoopBack0  ip address 8.8.8.8 255.255.255.255  ospf enable 1 area 0.0.0.0 # ospf 1  area 0.0.0.0

1. 查看现象

由此可见,VPN可以正常转发数据包

1. 注意事项

 接收不到OSPF的时候,需要考虑是否是dn位的问题

1. 转发平面

• R7的路由通过OSPF传递给R1,R1把路由通过MP-BGP传递给R3,此时R3上面有收方向实例,就会接收路由;R3会把R4当做CE设备,绑定到端口通过IGP协议传递给R4;R4收到路由后把路由变为VPNV4路由通过MP-BGP传递给R6,R6把路由交到实例里面传给R8设备。