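Lab environment
As shown in the figure, PE1, PE2, PE3 and P form the ISP backbone, which serves two VPN customers. VPN01 uses RT 100:1 and VPN02 uses RT 200:1; RD values are unique across the whole network.
Both companies (red circle and orange circle) use 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24 as private user addresses, and 192.168.10.0/30, 192.168.10.4/30 and 192.168.10.8/30 as private interconnect (CE-PE link) addresses.
CE1 and PE1 run OSPF; CE2 and PE2 run IS-IS; CE5 and PE3 establish an EBGP peer relationship using BGP over OSPF; CE3 and PE1 establish an IBGP peer relationship using BGP over OSPF; CE4 and PE2 use static routes; CE6 and PE3 establish an EBGP peer relationship using BGP over OSPF. Only the OSPF between CE1 and PE1 advertises private user addresses; every other OSPF process is used only to learn the interconnect addresses and the loopback interface addresses. The requirement is that each company reaches its own LANs across the backbone and that the two companies do not interfere with each other.
Addressing rules: on each interconnect link the customer side takes the lower address. The router ID and the MPLS LSR-ID are both 1.1.1.X (where X is the X in ARX). Within one broadcast domain, the device with the smaller router ID uses the lower network address.
Reference configuration
Building the backbone (PE side)
Building the base IGP
PE1 configuration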
#
sysname PE1
#
router id 1.1.1.1
#
isis 1
is-level level-2
cost-style wide
network-entity 49.0010.0100.1001.00
is-name PE1
#
interface GigabitEthernet0/0/0
ip address 10.1.1.1 255.255.255.252
isis enable 1
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
isis enable 1
#
PE2 configuration
#
sysname PE2
#
router id 1.1.1.2
#
isis 1
is-level level-2
cost-style wide
network-entity 49.0010.0100.1002.00
is-name PE2
#
interface GigabitEthernet0/0/0
ip address 10.1.1.6 255.255.255.252
isis enable 1
#
interface LoopBack0
ip address 1.1.1.2 255.255.255.255
isis enable 1
#
PE3 configuration
#
sysname PE3
#
router id 1.1.1.4
#
isis 1
is-level level-2
cost-style wide
network-entity 49.0010.0100.1004.00
is-name PE3
#
interface GigabitEthernet0/0/0
ip address 10.1.1.9 255.255.255.252
isis enable 1
#
interface LoopBack0
ip address 1.1.1.4 255.255.255.255
isis enable 1
#
P configuration
#
sysname P
#
isis 1
is-level level-2
cost-style wide
network-entity 49.0010.0100.1003.00
is-name P
#
interface GigabitEthernet0/0/0
ip address 10.1.1.2 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
ip address 10.1.1.5 255.255.255.252
isis enable 1
#
interface GigabitEthernet0/0/2
ip address 10.1.1.10 255.255.255.252
isis enable 1
#
interface NULL0
#
interface LoopBack0
ip address 1.1.1.3 255.255.255.255
isis enable 1
#
Setting up MPLS LDP
PE1 configuration
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/0
mpls
mpls ldp
#
PE2 configuration
#
mpls lsr-id 1.1.1.2
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/0
mpls
mpls ldp
#
PE3 configuration
#
mpls lsr-id 1.1.1.4
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/0
mpls
mpls ldp
#
P configuration
#
mpls lsr-id 1.1.1.3
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
mpls
mpls ldp
#
interface GigabitEthernet0/0/2
mpls
mpls ldp
#
Establishing BGP peering
PE1 configuration
#
bgp 65001
peer 1.1.1.2 as-number 65001
peer 1.1.1.2 connect-interface LoopBack0
peer 1.1.1.4 as-number 65001
peer 1.1.1.4 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 1.1.1.2 enable
peer 1.1.1.4 enable
#
PE2 configuration
#
bgp 65001
peer 1.1.1.1 as-number 65001
peer 1.1.1.1 connect-interface LoopBack0
peer 1.1.1.4 as-number 65001
peer 1.1.1.4 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
peer 1.1.1.4 enable
#
PE3 configuration
#
bgp 65001
peer 1.1.1.1 as-number 65001
peer 1.1.1.1 connect-interface LoopBack0
peer 1.1.1.2 as-number 65001
peer 1.1.1.2 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
peer 1.1.1.2 enable
#
Establishing MP-BGP peering
PE1 configuration
#
bgp 65001
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.2 enable
peer 1.1.1.4 enable
#
PE2 configuration
#
bgp 65001
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
peer 1.1.1.4 enable
#
PE3 configuration
#
bgp 65001
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
peer 1.1.1.2 enable
#
Configuring the VPN instances
PE1 configuration
#
ip vpn-instance VPN01
ipv4-family
route-distinguisher 100:1
vpn-target 100:1 export-extcommunity
vpn-target 100:1 import-extcommunity
#
ip vpn-instance VPN02
ipv4-family
route-distinguisher 100:3
vpn-target 200:1 export-extcommunity
vpn-target 200:1 import-extcommunity
#
PE2 configuration
#
ip vpn-instance VPN01
ipv4-family
route-distinguisher 100:2
vpn-target 100:1 export-extcommunity
vpn-target 100:1 import-extcommunity
#
ip vpn-instance VPN02
ipv4-family
route-distinguisher 100:4
vpn-target 200:1 export-extcommunity
vpn-target 200:1 import-extcommunity
#
PE3 configuration
#
ip vpn-instance VPN01
ipv4-family
route-distinguisher 100:5
vpn-target 100:1 export-extcommunity
vpn-target 100:1 import-extcommunity
#
ip vpn-instance VPN02
ipv4-family
route-distinguisher 100:6
vpn-target 200:1 export-extcommunity
vpn-target 200:1 import-extcommunity
#
Building the enterprise networks (CE side)
Using OSPF
CE1 configuration
#
sysname CE1
#
#
router id 1.1.1.1
#
dhcp enable
#
ip pool ippool1
gateway-list 192.168.1.1
network 192.168.1.0 mask 255.255.255.0
dns-list 114.114.114.114
#
interface GigabitEthernet0/0/0
ip address 192.168.10.1 255.255.255.252
#
interface GigabitEthernet0/0/1
ip address 192.168.1.1 255.255.255.0
dhcp select global
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
ospf enable 1 area 0.0.0.0
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 192.168.10.1 0.0.0.0
#
PE1 configuration
#
interface GigabitEthernet0/0/1
ip binding vpn-instance VPN01
ip address 192.168.10.2 255.255.255.252
ospf enable 1 area 0.0.0.0
#
interface LoopBack1
ip binding vpn-instance VPN01
ip address 1.1.1.2 255.255.255.255
ospf enable 1 area 0.0.0.0
#
bgp 65001
#
ipv4-family vpn-instance VPN01
import-route ospf 1
#
ospf 1 router-id 1.1.1.2 vpn-instance VPN01
import-route bgp
area 0.0.0.0
#
Using IS-IS
CE2 configuration
#
sysname CE2
#
dhcp enable
#
ip pool ippool1
gateway-list 192.168.2.1
network 192.168.2.0 mask 255.255.255.0
dns-list 114.114.114.114
#
isis 1
is-level level-2
network-entity 49.0010.0100.1003.00
is-name 1.1.1.3
#
interface GigabitEthernet0/0/0
ip address 192.168.10.5 255.255.255.252
isis enable 1
#
interface GigabitEthernet0/0/1
ip address 192.168.2.1 255.255.255.0
isis enable 1
dhcp select global
#
interface LoopBack0
ip address 1.1.1.3 255.255.255.255
isis enable 1
#
PE2 configuration
#
isis 2 vpn-instance VPN01
is-level level-2
network-entity 49.0010.0100.1004.00
is-name 1.1.1.4
import-route bgp
#
interface GigabitEthernet0/0/1
ip binding vpn-instance VPN01
ip address 192.168.10.6 255.255.255.252
isis enable 2
#
interface LoopBack1
ip binding vpn-instance VPN01
ip address 1.1.1.4 255.255.255.255
isis enable 2
#
bgp 65001
#
ipv4-family vpn-instance VPN01
import-route isis 2
#
Using IBGP
CE3 configuration
#
sysname CE3
#
dhcp enable
#
ip pool ippool
gateway-list 192.168.1.1
network 192.168.1.0 mask 255.255.255.0
dns-list 114.114.114.114
#
interface GigabitEthernet0/0/0
ip address 192.168.10.1 255.255.255.252
#
interface GigabitEthernet0/0/1
ip address 192.168.1.1 255.255.255.0
dhcp select global
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
bgp 65001
peer 1.1.1.2 as-number 65001
peer 1.1.1.2 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
network 192.168.1.0
peer 1.1.1.2 enable
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 192.168.10.1 0.0.0.0
#
PE1 configuration
#
interface GigabitEthernet0/0/2
ip binding vpn-instance VPN02
ip address 192.168.10.2 255.255.255.252
#
interface LoopBack2
ip binding vpn-instance VPN02
ip address 1.1.1.2 255.255.255.255
#
bgp 65001
ipv4-family vpn-instance VPN02
router-id 1.1.1.2
import-route static
peer 1.1.1.1 as-number 65001
peer 1.1.1.1 connect-interface LoopBack2
#
ospf 2 router-id 1.1.1.2 vpn-instance VPN02
area 0.0.0.0
network 1.1.1.2 0.0.0.0
network 192.168.10.2 0.0.0.0
#
Using EBGP
CE5 configuration
#
sysname CE5
#
router id 1.1.1.5
#
dhcp enable
#
ip pool ippool1
gateway-list 192.168.3.1
network 192.168.3.0 mask 255.255.255.0
dns-list 114.114.114.114
#
interface GigabitEthernet0/0/0
ip address 192.168.10.9 255.255.255.252
#
interface GigabitEthernet0/0/1
ip address 192.168.3.1 255.255.255.0
dhcp select global
#
interface LoopBack0
ip address 1.1.1.5 255.255.255.255
#
bgp 65002
peer 1.1.1.6 as-number 65001
peer 1.1.1.6 ebgp-max-hop 2
peer 1.1.1.6 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
network 192.168.3.0
peer 1.1.1.6 enable
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 1.1.1.5 0.0.0.0
network 192.168.10.9 0.0.0.0
#
CE6 configuration
#
sysname CE6
#
router id 1.1.1.5
#
dhcp enable
#
ip pool ippool1
gateway-list 192.168.3.1
network 192.168.3.0 mask 255.255.255.0
dns-list 114.114.114.114
#
interface GigabitEthernet0/0/0
ip address 192.168.10.9 255.255.255.252
#
interface GigabitEthernet0/0/1
ip address 192.168.3.1 255.255.255.0
dhcp select global
#
interface LoopBack0
ip address 1.1.1.5 255.255.255.255
#
bgp 65002
peer 1.1.1.6 as-number 65001
peer 1.1.1.6 ebgp-max-hop 2
peer 1.1.1.6 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
network 192.168.3.0
peer 1.1.1.6 enable
#
ospf 1 router-id 1.1.1.5
area 0.0.0.0
network 1.1.1.5 0.0.0.0
network 192.168.10.9 0.0.0.0
#
PE3 configuration
#
interface GigabitEthernet0/0/1
ip binding vpn-instance VPN01
ip address 192.168.10.10 255.255.255.252
#
interface GigabitEthernet0/0/2
ip binding vpn-instance VPN02
ip address 192.168.10.10 255.255.255.252
#
interface LoopBack1
ip binding vpn-instance VPN01
ip address 1.1.1.6 255.255.255.255
#
interface LoopBack2
ip binding vpn-instance VPN02
ip address 1.1.1.6 255.255.255.255
#
bgp 65001
peer 1.1.1.1 as-number 65001
peer 1.1.1.1 connect-interface LoopBack0
peer 1.1.1.2 as-number 65001
peer 1.1.1.2 connect-interface LoopBack0
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
peer 1.1.1.2 enable
#
ipv4-family vpn-instance VPN01
router-id 1.1.1.6
peer 1.1.1.5 as-number 65002
peer 1.1.1.5 ebgp-max-hop 2
peer 1.1.1.5 connect-interface LoopBack1
#
ipv4-family vpn-instance VPN02
router-id 1.1.1.6
peer 1.1.1.5 as-number 65002
peer 1.1.1.5 ebgp-max-hop 2
peer 1.1.1.5 connect-interface LoopBack2
#
ospf 2 router-id 1.1.1.6 vpn-instance VPN01
import-route bgp
area 0.0.0.0
network 1.1.1.6 0.0.0.0
network 192.168.10.10 0.0.0.0
#
ospf 3 router-id 1.1.1.6 vpn-instance VPN02
import-route bgp
area 0.0.0.0
network 1.1.1.6 0.0.0.0
network 192.168.10.10 0.0.0.0
#
CE4 configuration
#
ip route-static 192.168.3.0 255.255.255.0 192.168.10.6
#
Using static routes
CE4 configuration
#
sysname CE4
#
dhcp enable
#
ip pool ippool1
gateway-list 192.168.2.1
network 192.168.2.0 mask 255.255.255.0
dns-list 114.114.114.114
#
interface GigabitEthernet0/0/0
ip address 192.168.10.5 255.255.255.252
#
interface GigabitEthernet0/0/1
ip address 192.168.2.1 255.255.255.0
dhcp select global
#
ip route-static 192.168.1.0 255.255.255.0 192.168.10.6
ip route-static 192.168.3.0 255.255.255.0 192.168.10.6
ip route-static 192.168.10.0 255.255.255.252 192.168.10.6
#
PE2 configuration
#
interface GigabitEthernet0/0/2
ip binding vpn-instance VPN02
ip address 192.168.10.6 255.255.255.252
#
bgp 65001
#
ipv4-family vpn-instance VPN02
import-route static
#
ip route-static vpn-instance VPN02 192.168.1.0 255.255.255.0 192.168.10.2
ip route-static vpn-instance VPN02 192.168.2.0 255.255.255.0 192.168.10.5
#
PE1 configuration
#
ip route-static vpn-instance VPN02 192.168.2.0 255.255.255.0 192.168.10.6
ip route-static vpn-instance VPN02 192.168.10.4 255.255.255.252 192.168.10.6
#
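Functional verification
Ping PC2 from PC1 and capture the packets on PE1 interface G0/0/0:
The private-network label is assigned by MP-BGP:
The public-network label is assigned by LDP:
All LSPs are recorded in the MPLS LSP table:
Summary
At this point the tunnels across the backbone for both companies' private networks are fully established. Every branch of each company can communicate freely with its other branches, without interfering with the other company.
The RD value plus the IPv4 route forms a VPNv4 route that is unique across the whole network and is used to select between the different VPN tunnels. The RT value is an MP-BGP extended attribute that determines which VPN interface the receiving device imports the route into.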
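An added example (not part of the original configuration): a Python check of the two properties the summary relies on, that every RD is unique across the PEs and that no route target exported by one VPN is imported by the other. The input is constructed from the RD/RT values in the VPN instance stanzas above; `stanza`, `parse` and `audit` are names introduced here, and a `vpn-target` line with no keyword is assumed to mean both import and export.

```python
from collections import defaultdict

def stanza(vpn, rd, rt):
    """Render one vpn-instance stanza in the form used on this page."""
    return (f"ip vpn-instance {vpn}\n ipv4-family\n  route-distinguisher {rd}\n"
            f"  vpn-target {rt} export-extcommunity\n"
            f"  vpn-target {rt} import-extcommunity\n#\n")

# Constructed input: the RD/RT values of the PE1-PE3 stanzas shown on this page.
PAGE = {
    "PE1": stanza("VPN01", "100:1", "100:1") + stanza("VPN02", "100:3", "200:1"),
    "PE2": stanza("VPN01", "100:2", "100:1") + stanza("VPN02", "100:4", "200:1"),
    "PE3": stanza("VPN01", "100:5", "100:1") + stanza("VPN02", "100:6", "200:1"),
}

def parse(text):
    """Return {vpn: {"rd", "import", "export"}} for one device configuration."""
    out, cur = {}, None
    for tok in (line.split() for line in text.splitlines()):
        if tok == ["#"]:
            cur = None                           # '#' closes the current stanza
        elif tok[:2] == ["ip", "vpn-instance"] and len(tok) > 2:
            cur = out.setdefault(tok[2], {"rd": None, "import": set(), "export": set()})
        elif cur is not None and tok[:1] == ["route-distinguisher"] and len(tok) > 1:
            cur["rd"] = tok[1]
        elif cur is not None and tok[:1] == ["vpn-target"]:
            rts = {t for t in tok[1:] if ":" in t}
            if tok[-1] != "import-extcommunity":  # export, both, or no keyword
                cur["export"] |= rts
            if tok[-1] != "export-extcommunity":  # import, both, or no keyword
                cur["import"] |= rts
    return out

def audit(configs):
    """List RD collisions and any RT exported by one VPN but imported by another."""
    findings, rd_owner = [], {}
    vpns = defaultdict(lambda: {"import": set(), "export": set()})
    for pe, text in configs.items():
        for vpn, v in parse(text).items():
            if v["rd"] and v["rd"] in rd_owner:
                findings.append(f"duplicate RD {v['rd']}: {rd_owner[v['rd']]} and {(pe, vpn)}")
            rd_owner.setdefault(v["rd"], (pe, vpn))
            vpns[vpn]["import"] |= v["import"]
            vpns[vpn]["export"] |= v["export"]
    for a in vpns:
        for b in vpns:
            leak = vpns[a]["export"] & vpns[b]["import"]
            if a != b and leak:
                findings.append(f"{a} exports {sorted(leak)}, which {b} imports")
    return findings

if __name__ == "__main__":
    print(audit(PAGE) or "RDs unique, no cross-VPN route targets")
```

Because both companies use the same 192.168.x.0/24 prefixes, a reused RD or a shared RT is exactly the misconfiguration that would merge their routes, so an empty result is the condition to hold before and after any change to the VPN instances.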