HCIE: WAN bearer technology summary
1. Underlay network
ISIS
// Scenario: six routers; the upper and lower planes are each a triangle, with links joining the two planes on both sides
isis 1
// ensure all IS-IS routers run in the backbone area (Level-2)
is-level level-2
// wide metrics to suit a large-scale network
cost-style wide
// let IS-IS detect a neighbor failure quickly when a fault occurs
bfd all-interfaces enable
bfd all-interfaces min-tx-interval 999 min-rx-interval 999
// derived from the device's RouterID
network-entity 49.0001.0060.0000.0006.00 // node identifier
domain-authentication-mode md5 cipher Huawei@123
// identical on all interfaces
interface GigabitEthernet0/0/0
isis enable 1
isis circuit-type p2p
// MD5 authentication is required when forming adjacencies and exchanging LSPs
isis authentication-mode md5 cipher Huawei@123
// let IS-IS routers establish adjacencies quickly
isis ppp-negotiation 2-way
// Forwarding-path planning
// When setting IS-IS cost values, traffic must prefer its own plane and follow the shortest path within that plane;
// if that path fails, the backup path should cross planes at the PE. Taking YPE1-to-ZPE1 traffic as the example,
// configure on the cross-plane interconnection interfaces:
int g0/0/0
isis cost (4 4 3) // from left to right
2. MPLS
// on all WAN interconnection interfaces
mpls lsr-id 6.0.0.6
mpls
mpls ldp
inter g 0/0/0
mpls
mpls ldp
inter g 0/0/1
mpls
mpls ldp
inter g 0/0/2
mpls
mpls ldp
inter g 0/0/0
// after a link on the MPLS primary path recovers, switching back from the backup path does not cause heavy packet loss
isis ldp-sync
inter g 0/0/1
isis ldp-sync
inter g 0/0/2
isis ldp-sync
isis 1
// ensure traffic switches to the backup path within 50 ms when the MPLS primary path fails
frr
loop-free-alternate level-2
3. Deploying the WAN backbone VPN
Requirements:
// hub-spoke
1) OA services: OA services in campus X and campus Y can communicate with OA services in data center Z; campus X can communicate with campus Y, but the traffic must detour through the CE device in the Z data center (Z_Export1)
// single-domain MPLS VPN
2) R&D services: R&D services in campus Y can communicate with R&D services in data center Z. (Configure the instance RD/RT and bind it to the interfaces)
(1) Hub-spoke implementation
// RT/RD plan
// campus X WAN routers (2)
ip vpn-instance OA
route-distinguisher 65001:11
vpn-target 1:1 export-extcommunity
vpn-target 2:2 import-extcommunity
// campus Y WAN routers (2)
ip vpn-instance OA
route-distinguisher 65003:11
vpn-target 1:1 export-extcommunity
vpn-target 2:2 import-extcommunity
#
// campus Z WAN router
ip vpn-instance OA_Out
route-distinguisher 65004:12
vpn-target 2:2 export-extcommunity
#
ip vpn-instance OA_in
route-distinguisher 65004:11
vpn-target 1:1 import-extcommunity
#
(2) Single-domain MPLS VPN instance configuration
// RT/RD plan
// campus Y WAN routers (2)
ip vpn-instance R&D
route-distinguisher 65003:21
vpn-target 3:3 export-extcommunity
vpn-target 3:3 import-extcommunity
#
// campus Z WAN router
ip vpn-instance R&D
route-distinguisher 65004:21
vpn-target 3:3 export-extcommunity
vpn-target 3:3 import-extcommunity
#
(3) Bind the instances to interfaces
// subinterfaces
// campus X
interface GigabitEthernet4/0/0
ip binding vpn-instance OA
ip address 10.20.1.2 255.255.255.252
// campus Y
interface GigabitEthernet4/0/0.10
dot1q termination vid 10
ip binding vpn-instance OA
ip address 10.20.2.2 255.255.255.252
arp broadcast enable
#
interface GigabitEthernet4/0/0.20
dot1q termination vid 20
ip binding vpn-instance R&D
ip address 10.20.2.6 255.255.255.252
arp broadcast enable
#
// campus Z
interface GigabitEthernet4/0/0.10
dot1q termination vid 10
ip binding vpn-instance OA_in
ip address 10.20.3.2 255.255.255.252
arp broadcast enable
#
interface GigabitEthernet4/0/0.11
dot1q termination vid 11
ip binding vpn-instance OA_Out
ip address 10.20.3.6 255.255.255.252
arp broadcast enable
#
interface GigabitEthernet4/0/0.20
dot1q termination vid 20
ip binding vpn-instance R&D
ip address 10.20.3.10 255.255.255.252
arp broadcast enable
(4) Creating the BGP VPNv4 neighbors
// campus X WAN router
bgp 65000
undo default ipv4-unicast
group ibgp internal
peer ibgp connect-interface LoopBack0
// prevent unauthorized devices from establishing BGP sessions with the PE
peer ibgp password cipher Huawei@123
peer 3.0.0.3 as-number 65000
peer 3.0.0.3 group ibgp
peer 4.0.0.4 as-number 65000
peer 4.0.0.4 group ibgp
peer 5.0.0.5 as-number 65000
peer 5.0.0.5 group ibgp
peer 6.0.0.6 as-number 65000
peer 6.0.0.6 group ibgp
#
ipv4-family vpnv4
undo policy vpn-target
peer ibgp enable
// the RR reflects VPN routes for the whole network
peer ibgp reflect-client
peer 3.0.0.3 group ibgp
peer 4.0.0.4 group ibgp
peer 5.0.0.5 group ibgp
peer 6.0.0.6 group ibgp
#
// campus Y WAN router
bgp 65000
undo default ipv4-unicast
peer 1.0.0.1 as-number 65000
peer 1.0.0.1 connect-interface LoopBack0
// prevent unauthorized devices from establishing BGP sessions with the PE
peer 1.0.0.1 password cipher Huawei@123
peer 2.0.0.2 as-number 65000
peer 2.0.0.2 connect-interface LoopBack0
peer 2.0.0.2 password cipher Huawei@123
ipv4-family vpnv4
policy vpn-target
peer 1.0.0.1 enable
peer 2.0.0.2 enable
#
// campus Z WAN router
bgp 65000
undo default ipv4-unicast
peer 1.0.0.1 as-number 65000
peer 1.0.0.1 connect-interface LoopBack0
// prevent unauthorized devices from establishing BGP sessions with the PE
peer 1.0.0.1 password cipher Huawei@123
peer 2.0.0.2 as-number 65000
peer 2.0.0.2 connect-interface LoopBack0
peer 2.0.0.2 password cipher Huawei@123
#
ipv4-family vpnv4
policy vpn-target
peer 1.0.0.1 enable
peer 2.0.0.2 enable
When BGP instances are interconnected, one AS loop must be permitted:
peer x.x.x.x allow-as-loop
in the Out direction
(5) CE-PE interconnection
// campus X
The CE device establishes a plain unicast BGP peering directly with the PE device (the CE runs ordinary BGP; the PE peers from within the VPN instance)
// campus Y and campus Z are similar
Y-PE device
bgp 65000
ipv4-family vpn-instance OA
peer 10.20.2.1 as-number 65003
#
ipv4-family vpn-instance R&D
peer 10.20.2.5 as-number 65003
#
// first the instance, then the interface, then the instance-based BGP peering
Y-CE device
ip vpn-instance vpn1
ipv4-family
route-distinguisher 65003:10
#
ip vpn-instance vpn2
ipv4-family
route-distinguisher 65003:2
interface GigabitEthernet0/0/2.10
dot1q termination vid 10
ip binding vpn-instance vpn1
ip address 10.20.2.1 255.255.255.252
arp broadcast enable
#
interface GigabitEthernet0/0/2.20
dot1q termination vid 20
ip binding vpn-instance vpn2
ip address 10.20.2.5 255.255.255.252
arp broadcast enable
#
bgp 65003
ipv4-family vpn-instance vpn1
network 10.2.31.0 255.255.255.0
peer 10.20.2.2 as-number 65000
peer 10.20.2.10 as-number 65000
#
ipv4-family vpn-instance vpn2
network 10.2.11.0 255.255.255.0
peer 10.20.2.6 as-number 65000
peer 10.20.2.14 as-number 65000
#
(6) Route propagation
// only campus X involves redistribution between different protocols; campus Y and Z use BGP end to end and need no redistribution
// redistribute BGP into OSPF
ospf 1
import-route bgp type 1 tag 2
// redistribute OSPF into BGP
bgp 65001
import-route ospf 1
(7) OSPF and BGP dual-point bidirectional redistribution problem
// when routes arrive from BGP, tag them 2 on redistribution into OSPF; the other CE denies tag 2 so the routes are not redistributed back
ospf 1
import-route bgp type 1 tag 2
route-policy O2B deny node 10
if-match tag 2
#
route-policy O2B permit node 20
bgp 65001
import-route ospf 1 route-policy O2B
Under the CE's BGP:
preference 140 255 255 // prevent a suboptimal path
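As an added example (not part of the original lab notes), the following Python script simulates the two problems section (7) addresses: the route leaking back into BGP through the second CE, and the CE preferring the OSPF copy of a WAN route over its own eBGP copy. The route object, the two CE names CE1/CE2 and the sample prefix 10.20.3.0/24 are constructed for the example; the preference values 150 (OSPF external) and 255 (BGP default) are Huawei VRP defaults.

```python
# Added example: model tag-based loop prevention (route-policy O2B) and the
# "preference 140 255 255" fix between two CEs doing mutual OSPF/BGP redistribution.
from dataclasses import dataclass

OSPF_ASE_PREF = 150     # VRP default preference for OSPF external (ASE) routes
BGP_DEFAULT_PREF = 255  # VRP default BGP preference (external internal local)
BGP_TUNED_PREF = 140    # eBGP preference after "preference 140 255 255" on the CE


@dataclass(frozen=True)
class Route:
    prefix: str
    protocol: str      # "bgp" or "ospf-ase"
    preference: int
    tag: int = 0       # route tag carried by OSPF ASE routes


def bgp_to_ospf(route, tag=2):
    """CE1: 'import-route bgp type 1 tag 2' -> redistribute into OSPF as a tagged ASE route."""
    return Route(route.prefix, "ospf-ase", OSPF_ASE_PREF, tag=tag)


def policy_o2b(route):
    """route-policy O2B: node 10 denies routes carrying tag 2, node 20 permits everything else."""
    return route.tag != 2


def ospf_to_bgp(route, use_policy, bgp_pref):
    """CE2: 'import-route ospf 1 [route-policy O2B]'. Returns the BGP route, or None when filtered."""
    if use_policy and not policy_o2b(route):
        return None
    return Route(route.prefix, "bgp", bgp_pref)


def best(routes):
    """Route selection for one prefix: the lowest preference wins."""
    return min(routes, key=lambda r: r.preference)


def simulate(use_policy, bgp_pref):
    """A WAN prefix reaches CE1 via eBGP, CE1 redistributes it into OSPF, CE2 sees the
    OSPF copy and also learns the prefix from its own PE via eBGP.
    Returns (looped_back_into_bgp, protocol_of_active_route_on_CE2)."""
    wan = Route("10.20.3.0/24", "bgp", bgp_pref)          # constructed sample prefix
    ospf_copy = bgp_to_ospf(wan)                           # CE1: BGP -> OSPF, tag 2
    looped = ospf_to_bgp(ospf_copy, use_policy, bgp_pref)  # CE2: OSPF -> BGP?
    active = best([wan, ospf_copy])                        # CE2: which copy is installed?
    return looped is not None, active.protocol


if __name__ == "__main__":
    print("no policy, default pref :", simulate(False, BGP_DEFAULT_PREF))  # loop + suboptimal path
    print("O2B policy, default pref:", simulate(True, BGP_DEFAULT_PREF))   # loop fixed, still suboptimal
    print("O2B policy, pref 140    :", simulate(True, BGP_TUNED_PREF))     # both fixed
```

Both fixes are needed: the tag filter alone stops the route from re-entering BGP, but with the default preference 255 the CE still installs the OSPF copy (preference 150) and forwards WAN-bound traffic across the campus to the other CE first; lowering the eBGP preference to 140 makes the direct PE path win.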
(8) BGP route selection
Influence route selection by modifying the MED value
route-policy MED permit node 10
apply cost 10
// for all BGP interconnections, apply it as soon as the peering is created
peer 10.20.3.13 route-policy MED export
If the interconnection is OSPF instead, you need:
ospf 1
default cost inherit-metric type 1
(9) VPN FRR
// route policy
// to improve OA service reliability, when ZPE1 fails, OA traffic destined for data center Z must be redirected to ZPE2 quickly.
route-policy vpnfrr permit node 10
apply backup-nexthop auto
ip vpn-instance OA
vpn frr route-policy vpnfrr
#
(10) MPLS MTU
// per the requirement, only forwarding between the campuses must be guaranteed, so only two interfaces need to be set
interface GigabitEthernet0/0/1
mpls mtu 1382
interface GigabitEthernet0/0/2
mpls mtu 1382
4. QoS
Congestion management / congestion avoidance / marking / re-marking / rate limiting
(1) Campus Y CE
// traffic classification
acl number 2010
// description YF
rule 5 permit source 10.2.11.0 0.0.0.255
traffic classifier YF
if-match acl 2010
// traffic behavior
traffic behavior YF
remark dscp af41 // af41 (low loss) or ef (low delay)
// traffic policy
traffic policy MQC
classifier YF behavior YF
// apply on the interface
interface g0/0/1.20
traffic-policy MQC outbound
(2) WAN PE
// WAN
// on the far-end PE device
// traffic classification
// trust DSCP on the service-facing interconnection interface
interface g4/0/0.20
trust dscp
// match the traffic
traffic classifier YF
if-match dscp af41
// traffic behavior
// congestion avoidance
drop-profile YF
wred dscp
dscp af41 low-limit 60 high-limit 100 discard-percentage 10
traffic behavior YF
// guarantee low delay
// part of congestion management
queue llq bandwidth 102400
// guarantee a low loss rate
queue af bandwidth 307200
drop-profile YF
// traffic policy
traffic policy MQC
classifier YF behavior YF
// apply on the outbound interface
interface g0/0/0
traffic-policy MQC outbound
Same for the Z PE device
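As an added example (not part of the original lab notes), the following Python script computes the WRED drop curve that the drop-profile above defines for DSCP af41 (low-limit 60, high-limit 100, discard-percentage 10). It uses the standard WRED semantics: no drops below the low limit, a linear ramp up to the discard percentage between the two limits, and tail drop once the queue reaches the high limit. The function names and the sample queue depths are this example's own.

```python
# Added example: WRED drop probability for the af41 drop-profile in the PE configuration.

# Parameters copied from "dscp af41 low-limit 60 high-limit 100 discard-percentage 10"
AF41_PROFILE = {"low_limit": 60, "high_limit": 100, "discard_percentage": 10}


def wred_drop_probability(queue_fill_pct, low_limit, high_limit, discard_percentage):
    """Drop probability (0.0 to 1.0) for a packet arriving when the queue is
    queue_fill_pct percent full.

    - below low_limit: never drop
    - between low_limit and high_limit: ramp linearly from 0 up to discard_percentage
    - at or above high_limit: drop every packet (tail drop)
    """
    if not 0 <= queue_fill_pct <= 100:
        raise ValueError("queue fill must be a percentage")
    if high_limit <= low_limit:
        raise ValueError("high_limit must exceed low_limit")
    if queue_fill_pct < low_limit:
        return 0.0
    if queue_fill_pct >= high_limit:
        return 1.0
    slope = (discard_percentage / 100.0) / (high_limit - low_limit)
    return slope * (queue_fill_pct - low_limit)


def af41_drop_probability(queue_fill_pct):
    """Drop probability for af41 traffic under the page's drop-profile YF."""
    return wred_drop_probability(queue_fill_pct, **AF41_PROFILE)


def drop_curve(profile, step=10):
    """Return [(fill_pct, drop_probability), ...] sampled every `step` percent."""
    return [(fill, wred_drop_probability(fill, **profile)) for fill in range(0, 101, step)]


if __name__ == "__main__":
    for fill, p in drop_curve(AF41_PROFILE):
        print(f"queue {fill:3d}% full -> drop probability {p:.3f}")
```

The curve shows why af41 is the "low loss" marking: even at 99% queue occupancy the random early drop probability stays under 10%, and packets are only dropped unconditionally once the queue is completely full. Unmarked traffic that does not match classifier YF gets no WRED profile at all and is simply tail-dropped when its queue fills.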