目录
1)MPLS公网中的IGP路由不要做汇总或OSPF的末节区域等,确保路由的连续性。
功能介绍
option A 的特点是,两台ASBR彼此把对方看作自己的MCE设备。其他配置即为域内VPN配置。
也称为“VRF背靠背”, 这种方式实现较简单。自治域的ASBR 为有跨域需求的VPN各自建立一个VRF,分别为这些VRF绑定接口,ASBR 间的VRF利用这些接口互联交互VPN路由。 创建VRF并绑定接口,其目的是:
1. 用来接受本自治域的VPN路由
2. VRF和另外一个自治域上的VRF建立EBGP 连接,交互IPv4 路由
VRF-to-VRF 的实现方式的特点是实现简单,直接利用MP-IBGP就可以实现,业务部署相对简单,但是这种配置方案要求ASBR 上为每个跨域的VPN配置一个接口(通常是逻辑子接口)与之绑定,绑定接口的数量至少要和跨域的 VPN的数量相当,并在ASBR 上需要逐个对VPN进行配置,因而存在可扩展性问题。此外为每个 VPN单独创建子接口也提高了对ASBR 设备的要求。这种方案一般适用于跨域VPN数量较少的网络中。
一、组网需求
1、拓扑中的CE1,CE2分别用一台路由器用MCE技术进行模拟;
2、要求实现跨域的MPLS/VPN访问,即实现VPN-A的1.1.1.1和7.7.7.7互通,VPN-B的11.11.11.11和77.77.77.77互通;
3、该拓扑中在PE1(R2) 和RR(R3),ASBR2(R5) 和PE2(R6)之间建立MP-BGP关系
4、ASBR1(R4)和ASBR2(R5)之间起多VPN的VRF
二、组网拓扑
三、配置要点
1、部署AS核心的IGP路由协议
2、部署AS核心的MPLS
1)全局开启MPLS转发功能
2)全局开启LDP标签分发协议
3)开启接口的标签交换能力
4)接口下开启LDP协议
5)接口下配置MTU
3、部署PE-PE的MP-BGP协议
1)启用BGP进程
2)进入VPNV4地址簇下激活VPNV4邻居关系
3)配置路由反射器RR
4、部署PE-CE的路由协议
1)创建VRF实例
2)将相关接口划入对应的VRF实例中
3)配置PE-CE的路由协议
5、将CE的路由重发布进MP-BGP
6、将MP-BGP的路由重发布进CE
//到第6步为止,是完整的域内VPN配置
7、跨域option A模式ASBR间的部署
1)创建VRF,并将相关接口划入VRF
2)指定ASBR间的IGP协议
3)ASBR上将BGP路由重发布进IGP
4)ASBR上将IGP重发布进BGP
//详细配置文件,参考”六、附件“
四、配置步骤
1、部署AS核心的IGP路由协议
需要注意的两点
1)MPLS公网中的IGP路由不要做汇总或OSPF的末节区域等,确保路由的连续性。
2)loopback地址配置为32位掩码。
本案例AS 100和AS200的IGP路由协议均采用RIP
R2的配置如下:
router rip
version 2
network 2.0.0.0
network 23.0.0.0
no auto-summary //禁止自动汇总
R3的配置如下:
router rip
version 2
network 3.0.0.0
network 23.0.0.0
network 34.0.0.0
no auto-summary
R4的配置如下:
router rip
version 2
passive-interface GigabitEthernet 3/1/0.45
network 4.0.0.0
network 34.0.0.0
no auto-summary
R5的配置如下:
router rip
version 2
passive-interface GigabitEthernet 0/0.45
network 5.0.0.0
network 56.0.0.0
no auto-summary
R6的配置如下:
router rip
version 2
network 6.0.0.0
network 56.0.0.0
no auto-summary
2、部署AS核心的MPLS
此处的配置以R2的配置为例,介绍如何在RSR系列路由器上开启MPLS,并启动LDP标签分发协议。在其他路由器上的配置雷同。
1)全局开启MPLS转发功能
R2(config)#mpls ip
2)全局开启LDP标签分发协议
R2(config)#mpls router ldp
R2(config-mpls-router)#ldp router-id interface loopback 0 forc
//建议此处指定LDP的router-id的时候,使用loopback接口且使用force的强制属性。
3)开启接口的标签交换能力
R2(config)#int gigabitEthernet 0/0.23
R2(config-GigabitEthernet 0/0.23)#label-switching
//缺省情况下,三层接口只能识别IP数据包,如果不开启标签交换能力的话,是不能识别0x8847的标签包。
4)接口下开启LDP协议
R2(config)#int gigabitEthernet 0/0.23
R2(config-GigabitEthernet 0/0.23)#mpls ip
5)接口下配置MTU
在实施MPLS之后,由于封装了标签,如果不调整MTU,那么1500的大包在封装标签后将由于报文大于MTU限制,无法转发。
老版本(比如RSR50 10.4(2p2)):在实施MPLS后,需要在接口上配置MPLS MTU 1530。
新版本(比如RSR77 10.4(3b5)):在实施MPLS后,需要在接口配置MTU 1530;同时考虑到OSPF协议在邻居协商时需要检查IP MTU是否一致(我司软件版本已忽略该检查),如果与友商设备OSPF无法协商成功,那么建议配置IP MTU 1500 。
说明:新版本接口配置MTU 1530后,MPLS MTU 自动调整为 1530,所以配置MTU 1530后就不用再配置MPLS MTU 1530。
把握一个原则:如果你在接口直接敲MPLS MTU 1530 能敲得进去不报错,说明是旧版本的做法;如果直接敲MPLS MTU 1530 会报错,那么就是新版本的做法,要配置MTU 1530;
6)查看LDP邻居关系
R2#show mpls ldp neighbor
Default VRF:
Peer LDP Ident: 3.3.3.3:0; Local LDP Ident: 2.2.2.2:0
TCP connection: 3.3.3.3.1025 - 2.2.2.2.646
State: OPERATIONAL; Msgs sent/recv: 5532/5529; UNSOLICITED
Up time: 22:59:50
LDP discovery sources:
Link Peer on GigabitEthernet 0/0.23, Src IP addr: 23.2.2.3
Addresses bound to peer LDP Ident:
23.2.2.334.3.3.33.3.3.3
//LDP协议的运行是经过邻居发现和会话建立,维护阶段的。LDP会话建立的端口号是TCP的646端口。
3、部署PE-PE的MP-BGP协议
此处的配置以AS100中的R2,R3,R4的配置为例:
R2的配置如下:
1)启用BGP进程
router bgp 100
bgp router-id 2.2.2.2
no bgp default ipv4-unicast //此处要关闭缺省的IPV4单播的邻居建立过程
bgp log-neighbor-changes
neighbor 3.3.3.3 remote-as 100
neighbor 3.3.3.3 update-source Loopback 0
2)进入VPNV4地址簇下激活VPNV4邻居关系
address-family vpnv4 unicast //多协议BGP是基于地址簇AFI结构的,建立VPNV4邻居关系需要在VPNV4的地址族下激活。
neighbor 3.3.3.3 activate //激活vpnv4邻居关系
neighbor 3.3.3.3 send-community extended //由于MPLS/VPN涉及到扩展的community属性RT,此命令虽说是默认,但是排错的时候一定要关注,如果没有明确的发送团体属性,它是不会传给任何一个邻居关系的。
exit-address-family
R3的配置如下:
router bgp 100
bgp router-id 3.3.3.3
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 2.2.2.2 remote-as 100
neighbor 2.2.2.2 update-source Loopback 0
neighbor 4.4.4.4 remote-as 100
neighbor 4.4.4.4 update-source Loopback 0
!
address-family vpnv4 unicast
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 route-reflector-client
neighbor 2.2.2.2 send-community extended
neighbor 4.4.4.4 activate
neighbor 4.4.4.4 route-reflector-client
neighbor 4.4.4.4 send-community both
exit-address-family
!
3)配置路由反射器RR
//由于BGP的水平分割原则,此处为了优化BGP的session,采用路由反射器减少BGP的neighbor个数。R3在此处采用反射器的配置,不是必须配置。
//要接收VPNV4的路由,可以通过如下方法实现:1.配置RR 2.在该路由器上划分VRF 3.关闭RT的过滤功能。
R4的配置如下:
该命令和R2,R3处相类似,故不作解释。
router bgp 100
bgp router-id 4.4.4.4
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 3.3.3.3 remote-as 100
neighbor 3.3.3.3 update-source Loopback 0
!
address-family ipv4
no bgp redistribute-internal
exit-address-family
!
address-family vpnv4 unicast
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community extended
exit-address-family
4)查看MP-BGP的邻居关系:
R3#show bgp vpnv4 unicast all summary
BGP router identifier 3.3.3.3, local AS number 100
BGP table version is 40
1 BGP AS-PATH entries
0 BGP Community entries
10 BGP Prefix entries (Maximum-prefix:4294967295)
NeighborV AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
2.2.2.24 100 1363 1388 40 0 0 19:40:18 4
4.4.4.44 100 1179 1166 23 0 0 16:54:59 6
Total number of neighbors 2
4、部署PE-CE的路由协议
此处的操作以R2为例:
1)创建VRF实例
ip vrf VPN-A//VRF实例的名称只具有本地意义
rd 100:1//配置RD和RT值,RT是控制VPN路由的关键
route-target both 100:1
!
ip vrf VPN-B
rd 200:1
route-target both 200:1
2)将相关接口划入对应的VRF实例中
interface GigabitEthernet 0/0.12
encapsulation dot1Q 12
ip vrf forwarding VPN-A//将接口划入到VRF中后,该接口上的IP地址等信息会被清除。因此建议现将结构划入VRF,再配置接口IP
ip address 12.1.1.2 255.255.255.0
!
interface GigabitEthernet 0/0.21
encapsulation dot1Q 21
ip vrf forwarding VPN-B
ip address 21.1.1.2 255.255.255.0
3)配置PE-CE的路由协议
本案例中:
AS100中的R2与R1启用的IGP路由协议采用OSPF;
AS200中的R7与R6启用的IGP路由协议采用RIP;
此处以R2与R1的OSPF为例:
router ospf 1 vrf VPN-A-------------启用VPN-A虚拟转发的OSPF进程
router-id 2.2.2.2
network 12.1.1.2 0.0.0.0 area 0
!
router ospf 2 vrf VPN-B-------------启用VPN-A虚拟转发的OSPF进程
router-id 22.22.22.22
network 21.1.1.2 0.0.0.0 area 0
4)查看VRF相关信息
R2#show ip vrf detail
VRF VPN-A; default RD 100:1------------配置的RD值
VRF Table ID = 1
Interfaces:
GigabitEthernet 0/0.12------------------哪些接口划入到该VRF
Export VPN route-target communities
RT:100:1--------------------------------设置导出的路由目标
Import VPN route-target communities
RT:100:1--------------------------------设置导入的路由目标
No import route-map
No export route-map
Alloc-label per-vrf:1536(platform)/aggregate(VPN-A)
VRF VPN-B; default RD 200:1
VRF Table ID = 2
Interfaces:
GigabitEthernet 0/0.21
Export VPN route-target communities
RT:200:1
Import VPN route-target communities
RT:200:1
No import route-map
No export route-map
Alloc-label per-vrf:1537(platform)/aggregate(VPN-B)
5)查看PE-CE的OSPF邻居关系
R2#show ip ospf neighbor
OSPF process 1, 1 Neighbors, 1 is Full:
Neighbor IDPri State BFD State Dead Time Address Interface
1.1.1.11 Full/DR - 00:00:32 12.1.1.1GigabitEthernet 0/0.12
OSPF process 2, 1 Neighbors, 1 is Full:
Neighbor IDPri State BFD State Dead Time AddressInterface
11.11.11.11 1 Full/DR -00:00:3421.1.1.1GigabitEthernet 0/0.21
5、将CE的路由重发布进MP-BGP
以R2为例:
router bgp 100
address-family ipv4 vrf VPN-A
maximum-prefix 10000
redistribute ospf 1 match internal external
exit-address-family
!
address-family ipv4 vrf VPN-B
maximum-prefix 10000
redistribute ospf 2 match internal external
exit-address-family
//在将VRF的路由重分布进MP-BGP时,默认情况下只能将O,OIA的路由重分布进BGP,OE1,OE2的路由是重分布不进BGP的,需要添加match external的参数
6、将MP-BGP的路由重发布进CE
以R2为例:
router ospf 1 vrf VPN-A
redistribute bgp subnets
!
router ospf 2 vrf VPN-B
redistribute bgp subnets
//此处和普通的BGP重发布OSPF协议一致,需要添加subnet属性。
7、跨域option A模式ASBR间的部署
option A的特点就是在域内VPN模式下,两个ASBR路由器把对端看成是自己的MCE设备。
ASBR1(R4)上的相关配置:
1)创建VRF,并将相关接口划入VRF
ip vrf A
rd 2:2
route-target both 100:1
!
ip vrf B
rd 3:3
route-target both 200:1
interface GigabitEthernet 3/1/0.45
encapsulation dot1Q 45
ip vrf forwarding A
ip address 45.4.4.4 255.255.255.0
!
interface GigabitEthernet 3/1/0.54
encapsulation dot1Q 54
ip vrf forwarding B
ip address 54.4.4.4 255.255.255.0
//在Option A模型中,有几个VPN,在ASBR间就需要创建几个接口
2)指定ASBR间的IGP协议
ASBR间的IGP路由,通常采用静态路由,配置复杂但理解和维护非常简单。
这个案例采用RIP:
router rip
version 2
passive-interface GigabitEthernet 3/1/0.45
network 4.0.0.0
network 34.0.0.0
no auto-summary
!
address-family ipv4 vrf A
network 45.0.0.0
exit-address-family
!
address-family ipv4 vrf B
network 54.0.0.0
exit-address-family
3)ASBR上将BGP路由重发布进IGP
address-family ipv4 vrf A
network 45.0.0.0
redistribute bgp metric 1
exit-address-family
!
address-family ipv4 vrf B
network 54.0.0.0
redistribute bgp metric 1
exit-address-family
4)ASBR上将IGP重发布进BGP
router bgp 100
address-family ipv4 vrf A
maximum-prefix 10000
redistribute rip
exit-address-family
!
address-family ipv4 vrf B
maximum-prefix 10000
redistribute rip
exit-address-family
ASBR2(R5)上的相关配置:
1)创建VRF,并将相关接口划入VRF
ip vrf A
rd 2:2
route-target both 100:1
!
ip vrf B
rd 3:3
route-target both 200:1
interface GigabitEthernet 0/0.45
encapsulation dot1Q 45
ip vrf forwarding A
ip address 45.4.4.5 255.255.255.0
!
interface GigabitEthernet 0/0.54
encapsulation dot1Q 54
ip vrf forwarding B
ip address 54.4.4.5 255.255.255.0
//在Option A模型中,有几个VPN,在ASBR间就需要创建几个接口
2)指定ASBR间的IGP协议
router rip
version 2
passive-interface GigabitEthernet 0/0.45
network 5.0.0.0
network 56.0.0.0
no auto-summary
!
address-family ipv4 vrf A
network 45.0.0.0
exit-address-family
!
address-family ipv4 vrf B
network 54.0.0.0
exit-address-family
3)ASBR上将BGP重发布进IGP
address-family ipv4 vrf A
network 45.0.0.0
redistribute bgp metric 1
exit-address-family
!
address-family ipv4 vrf B
network 54.0.0.0
redistribute bgp metric 1
exit-address-family
4)ASBR上将IGP重发布进BGP
router bgp 200
address-family ipv4 vrf A
maximum-prefix 10000
redistribute rip
exit-address-family
!
address-family ipv4 vrf B
maximum-prefix 10000
redistribute rip
exit-address-family
5)查看VPNV4的路由信息
查看R2的VPNV4路由信息
R2#show bgp vpnv4 unicast all
BGP table version is 4, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
NetworkNext HopMetricLocPrfWeight Path
Route Distinguisher: 1:1
*>i7.0.0.04.4.4.401000 200 ?
*>i67.6.6.0/24 4.4.4.401000 200 ?
Total number of prefixes 2
Route Distinguisher: 2:2
*>i76.6.6.0/24 4.4.4.40 1000 200 ?
*>i77.0.0.04.4.4.401000 200 ?
Total number of prefixes 2
Route Distinguisher: 100:1 (Default for VRF VPN-A)
*> 1.1.1.1/3212.1.1.1132768 ?
*>i7.0.0.04.4.4.401000 200 ?
*> 12.1.1.0/24 0.0.0.0132768?
*>i67.6.6.0/24 4.4.4.401000 200 ?
Total number of prefixes 4
Route Distinguisher: 200:1 (Default for VRF VPN-B)
*> 11.11.11.11/32 21.1.1.1132768?
*> 21.1.1.0/24 0.0.0.0132768?
*>i76.6.6.0/24 4.4.4.401000 200 ?
*>i77.0.0.04.4.4.401000 200 ?
Total number of prefixes 4
查看路由反射器R3的VPNV4路由信息
R3#show bgp vpnv4 unicast all
BGP table version is 45, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
NetworkNext HopMetricLocPrfWeight Path
Route Distinguisher: 1:1
*> 7.0.0.06.6.6.600 200 ?
*> 67.6.6.0/24 6.6.6.600 200 ?
Total number of prefixes 2
Route Distinguisher: 2:2
*> 76.6.6.0/24 6.6.6.600 200 ?
*> 77.0.0.06.6.6.600 200 ?
Total number of prefixes 2
Route Distinguisher: 100:1
*>i1.1.1.1/322.2.2.211000?
*>i12.1.1.0/24 2.2.2.211000?
Total number of prefixes 2
Route Distinguisher: 200:1
*>i11.11.11.11/32 2.2.2.2 11000?
*>i21.1.1.0/24 2.2.2.211000?
Total number of prefixes 2
五、配置验证
1、通过Ping测试VPN间的路由连通性:
R1#ping vrf VPN-A 7.7.7.7 sou 1.1.1.1
Sending 5, 100-byte ICMP Echoes to 7.7.7.7, timeout is 2 seconds:
< press Ctrl+C to break >
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/10/10 ms
R1#ping vrf VPN-B 77.77.77.77 sou 11.11.11.11
Sending 5, 100-byte ICMP Echoes to 77.77.77.77, timeout is 2 seconds:
< press Ctrl+C to break >
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/10/10 ms
2、通过Traceroute测试路径:
R1#trace vrf VPN-A 7.7.7.7 sou 1.1.1.1
< press Ctrl+C to break >
Tracing the route to 7.7.7.7
1 12.1.1.2 0 msec 0 msec 0 msec
2 * * *
3 45.4.4.4 0 msec 0 msec 0 msec
4 45.4.4.5 0 msec 10 msec 0 msec
5 56.5.5.6 0 msec 0 msec 10 msec
6 7.7.7.7 10 msec 10 msec 10 msec
R1#trace vrf VPN-B 77.77.77.77 sou 11.11.11.11
< press Ctrl+C to break >
Tracing the route to 77.77.77.77
1 21.1.1.2 0 msec 0 msec 10 msec
2 * * *
3 54.4.4.4 0 msec 0 msec 0 msec
4 54.4.4.5 0 msec 10 msec 0 msec
5 56.5.5.6 0 msec 0 msec 10 msec
6 77.77.77.77 10 msec 10 msec 10 msec
R1#
3、LSP ping测试:
R2#ping mpls ipv4 4.4.4.4/32
Sending 5, 84-byte MPLS Echoes to 4.4.4.4/32,
timeout is 2 seconds, send interval is 0 msec:
Codes: '!' - success, 'Q' - request not sent, '.' - timeout,
'L' - labeled output interface, 'B' - unlabeled output interface,
'D' - DS Map mismatch, 'F' - no FEC mapping, 'f' - FEC mismatch,
'M' - malformed request, 'm' - unsupported tlvs, 'N' - no label entry,
'P' - no rx intf label prot, 'p' - premature termination of LSP,
'R' - transit router, 'I' - unknown upstream index,
'X' - unknown return code, 'x' - return code 0
Press Ctrl+C to break.
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/10 ms
4、LSP traceroute测试
R2#traceroute mpls ipv4 4.4.4.4/32
Tracing MPLS Label Switched Path to 4.4.4.4/32, timeout is 2 seconds
Codes: '!' - success, 'Q' - request not sent, '.' - timeout,
'L' - labeled output interface, 'B' - unlabeled output interface,
'D' - DS Map mismatch, 'F' - no FEC mapping, 'f' - FEC mismatch,
'M' - malformed request, 'm' - unsupported tlvs, 'N' - no label entry,
'P' - no rx intf label prot, 'p' - premature termination of LSP,
'R' - transit router, 'I' - unknown upstream index,
'X' - unknown return code, 'x' - return code 0
Press Ctrl+C to break.
0 23.2.2.2 MRU 1500 [Labels: 1025 Exp: 0]
L 1 23.2.2.3 MRU 1500 [Labels: implicit-null Exp: 0] <1 ms
! 2 34.3.3.4<1 ms
5、数据包走向分析
数据包走向分析,以VPN-A的1.1.1.1到7.7.7.7的流量为例。
1)CE1(R1)发送VPN-A的目的IP为7.7.7.7,源IP为1.1.1.1的流量,数据包到达PE1(R2),此时查看REF转发表。
R2#show ip ref route vrf VPN-A 7.0.0.0 255.0.0.0
Codes: * - default route
# - zero route
ipmaskweight path-id next-hopinterface
7.0.0.0255.0.0.0 0262140 0.0.0.0ftn nhlfe
2)进入MPLS转发表查询:
R2#show mpls forwarding-table ftn detail
Label Operation Code:
PH--PUSH label
PP--POP label
SW--SWAP label
SP--SWAP topmost label and push new label
DP--DROP packet
PC--POP label and continue lookup by IP or Label
PI--POP label and do ip lookup forward
PN--POP label and forward to nexthop
PM--POP label and do MAC lookup forward
PV--POP label and output to VC attach interface
IP--IP lookup forward
Local Outgoing OP FECOutgoingNexthop
label labelinterface
-- imp-null PH 3.3.3.3/32Gi0/0.2323.2.2.3
Added by Route(vrf Global), Tag Stack: { 3 }
-- 1025 PH 4.4.4.4/32Gi0/0.2323.2.2.3
Added by Route(vrf Global), Tag Stack: { 1025 }
-- imp-null PH 34.3.3.0/24Gi0/0.2323.2.2.3
Added by Route(vrf Global), Tag Stack: { 3 }
-- 8704 PH 7.0.0.0/8(V)Gi0/0.2323.2.2.3
Added by Route(vrf VPN-A), Tag Stack: { 8704 1025 }
-- 8704 PH 45.4.4.0/24(V)Gi0/0.2323.2.2.3
Added by Route(vrf VPN-A), Tag Stack: { 8704 1025 }
-- 8704 PH 67.0.0.0/8(V)Gi0/0.2323.2.2.3
Added by Route(vrf VPN-A), Tag Stack: { 8704 1025 }
-- 8705 PH 54.4.4.0/24(V)Gi0/0.2323.2.2.3
Added by Route(vrf VPN-B), Tag Stack: { 8705 1025 }
-- 8705 PH 76.0.0.0/8(V)Gi0/0.2323.2.2.3
Added by Route(vrf VPN-B), Tag Stack: { 8705 1025 }
-- 8705 PH 77.0.0.0/8(V)Gi0/0.2323.2.2.3
Added by Route(vrf VPN-B), Tag Stack: { 8705 1025 }
//此处针对7.0.0.0/8的FEC被分配了双层标签,顶层标签1025为R3为BGP下一跳分配的。底层标签8704为ASBR1(R4)为VPN路由分配的。
3)标签包到达路由器R3,执行POP操作,弹出顶层标签
R3#show mpls forwarding-table
Label Operation Code:
PH--PUSH label
PP--POP label
SW--SWAP label
SP--SWAP topmost label and push new label
DP--DROP packet
PC--POP label and continue lookup by IP or Label
PI--POP label and do ip lookup forward
PN--POP label and forward to nexthop
PM--POP label and do MAC lookup forward
PV--POP label and output to VC attach interface
IP--IP lookup forward
Local Outgoing OP FECOutgoingNexthop
label label interface
-- imp-null PH 2.2.2.2/32Gi0/0.2323.2.2.2
-- imp-null PH 4.4.4.4/32Gi0/0.3434.3.3.4
1024 imp-null PP 2.2.2.2/32 Gi0/0.2323.2.2.2
1025 imp-null PP 4.4.4.4/32Gi0/0.3434.3.3.4
4)标签包到达ASBR1(R4),露出底层标签8704,然后执行IP查询;
R4#sh mpls forwarding-table
Label Operation Code:
PH--PUSH label
PP--POP label
SW--SWAP label
SP--SWAP topmost label and push new label
DP--DROP packet
PC--POP label and continue lookup by IP or Label
PI--POP label and do ip lookup forward
PN--POP label and forward to nexthop
PM--POP label and do MAC lookup forward
PV--POP label and output to VC attach interface
IP--IP lookup forward
Local Outgoing OP FECOutgoingNexthop
label labelinterface
-- 1024 PH 2.2.2.2/32Gi3/1/0.3434.3.3.3
-- imp-null PH 3.3.3.3/32Gi3/1/0.3434.3.3.3
-- imp-null PH 23.2.2.0/24Gi3/1/0.3434.3.3.3
-- 1536 PH 1.1.1.1/32(V)Gi3/1/0.34 34.3.3.3
-- 1536 PH 12.1.1.0/24(V)Gi3/1/0.3434.3.3.3
-- 1537 PH 11.11.11.11/32(V)Gi3/1/0.3434.3.3.3
-- 1537 PH 21.1.1.0/24(V)Gi3/1/0.3434.3.3.3
8192 1024 SW 2.2.2.2/32Gi3/1/0.3434.3.3.3
8193 imp-null PP 3.3.3.3/32Gi3/1/0.3434.3.3.3
8194 imp-null PP 23.2.2.0/24Gi3/1/0.3434.3.3.3
8704 -- PI VRF(A)----
8705 -- PI VRF(B)----
5)查看R4的FIB表,将IP数据包送入GI3/1/0.45接口;
R4#show ip ref route vrf A 7.0.0.0 255.0.0.0
Codes: * - default route
# - zero route
ipmaskweight path-id next-hopinterface
7.0.0.0255.0.0.0 1 15 45.4.4.5 GigabitEthernet 3/1/0.45
6)IP数据包抵达ASBR2 (R5)路由器,查FIB表:
R5#show ip ref route VRF A 7.0.0.0 255.0.0.0
Codes: * - default route
# - zero route
ipmaskweight path-id next-hopinterface
7.0.0.0255.0.0.0 0 1048575 0.0.0.0ftn nhlfe
7)进入MPLS的转发表查询:
R5#sh mpls forwarding-table ftn detail
Label Operation Code:
PH--PUSH label
PP--POP label
SW--SWAP label
SP--SWAP topmost label and push new label
DP--DROP packet
PC--POP label and continue lookup by IP or Label
PI--POP label and do ip lookup forward
PN--POP label and forward to nexthop
PM--POP label and do MAC lookup forward
PV--POP label and output to VC attach interface
IP--IP lookup forward
Local Outgoing OP FECOutgoingNexthop
label labelinterface
-- imp-null PH 6.6.6.6/32Gi0/0.5656.5.5.6
Added by Route(vrf Global), Tag Stack: { 3 }
-- 1024 PH 7.0.0.0/8(V) Gi0/0.5656.5.5.6
Added by Route(vrf A), Tag Stack: { 1024 }
-- 1024 PH 67.6.6.0/24(V)Gi0/0.5656.5.5.6
Added by Route(vrf A), Tag Stack: { 1024 }
-- 1025 PH 76.6.6.0/24(V)Gi0/0.5656.5.5.6
Added by Route(vrf B), Tag Stack: { 1025 }
-- 1025 PH 77.0.0.0/8(V)Gi0/0.5656.5.5.6
Added by Route(vrf B), Tag Stack: { 1025 }
R5#
8)标签包到达PE2(R6),查看MPLS的转发表:
R6#sh mpls forwarding-table
Label Operation Code:
PH--PUSH label
PP--POP label
SW--SWAP label
SP--SWAP topmost label and push new label
DP--DROP packet
PC--POP label and continue lookup by IP or Label
PI--POP label and do ip lookup forward
PN--POP label and forward to nexthop
PM--POP label and do MAC lookup forward
PV--POP label and output to VC attach interface
IP--IP lookup forward
Local Outgoing OP FECOutgoingNexthop
label labelinterface
-- imp-null PH 5.5.5.5/32Gi0/0.5656.5.5.5
-- 1024 PH 1.0.0.0/8(V)Gi0/0.5656.5.5.5
-- 1024 PH 12.0.0.0/8(V)Gi0/0.5656.5.5.5
-- 1024 PH 45.4.4.0/24(V)Gi0/0.5656.5.5.5
-- 1025 PH 11.0.0.0/8(V)Gi0/0.5656.5.5.5
-- 1025 PH 21.0.0.0/8(V)Gi0/0.5656.5.5.5
-- 1025 PH 54.4.4.0/24(V)Gi0/0.5656.5.5.5
1024 -- PI VRF(VPN-A)----
1025 -- PI VRF(VPN-B)----
1538 imp-null PP 5.5.5.5/32Gi0/0.5656.5.5.5
R6#
9)查找IP REF路由表,还原IP数据包,将数据包扔向GI0/0.67。
R6# show ip ref route vrf VPN-A 7.0.0.0 255.0.0.0
Codes: * - default route
# - zero route
ip maskweight path-id next-hopinterface
7.0.0.0 255.0.0.0 1 13 67.6.6.7 GigabitEthernet 0/0.67
10)R7的VPN-A的源IP7.7.7.7到目的IP的1.1.1.1,回包分析方式同上。
1340
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
