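Feature overview
Option A and Option B can both satisfy inter-AS VPN networking requirements. What the two have in common is that the ASBRs must take part in maintaining and advertising VPN routes. When every autonomous system has a large number of inter-AS VPN routes to advertise, the ASBR can become a bottleneck that prevents the network from scaling further. To solve this scalability problem, a third solution was proposed: multihop MP-EBGP. With multihop MP-EBGP, PEs in different autonomous systems establish multihop MP-EBGP sessions across the AS boundary and exchange VPN routes directly, so the ASBRs no longer need to maintain or distribute VPN routes.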
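I. Networking requirements
1. CE1 and CE2 in the topology are each simulated by one router using MCE.
2. Inter-AS MPLS/VPN access is required: 1.1.1.1 and 7.7.7.7 in VPN-A must reach each other, and 11.11.11.11 and 77.77.77.77 in VPN-B must reach each other.
3. In this topology no MP-BGP relationship is established between ASBR1 and ASBR2.
4. RR (R3) and PE2 (R6) establish an MP-BGP relationship; RR (R3) and ASBR1 (R4) establish an IPv4 BGP relationship; ASBR1 (R4) and ASBR2 (R5) establish an IPv4 BGP relationship; ASBR2 (R5) and PE2 (R6) establish an IPv4 BGP relationship.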
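II. Network topology
III. Configuration points
1. Deploy the IGP routing protocol in the AS core
2. Deploy MPLS in the AS core
1) Enable MPLS forwarding globally
2) Enable the LDP label distribution protocol globally
3) Enable label switching on the interfaces
4) Enable LDP on the interfaces
5) Configure the MTU on the interfaces
3. Deploy MP-BGP between the PEs
1) Start the BGP process
2) Enter the VPNv4 address family and activate the VPNv4 neighbor relationships
3) Configure the route reflector (RR)
4. Deploy the PE-CE routing protocol
1) Create the VRF instances
2) Assign the relevant interfaces to the corresponding VRF instances
3) Configure the PE-CE routing protocol
5. Redistribute the CE routes into MP-BGP
6. Redistribute the MP-BGP routes to the CE
// Steps 1 to 6 form a complete intra-AS VPN configuration
7. Deploy inter-AS Option C
1) Establish EBGP neighbors between the ASBRs
a) Enable send-label label distribution
b) Advertise the PE loopback networks
2) Establish multihop MP-EBGP neighbors between the PEs in different ASs
a) Configure ebgp-multihop
b) Configure next-hop-unchanged
3) On the ASBRs, redistribute the loopback networks of the remote-AS PEs into the IGP
// For the detailed configuration files, see "VI. Attachments"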
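IV. Configuration steps
Because an RR is present in this Option C example, the PEs must establish MP-IBGP relationships with the RR. Steps 1 to 6 therefore configure the intra-AS VPN; follow the first six steps of the "Inter-AS Option A" chapter (see: Typical Configuration ---> MPLS VPN ---> Inter-AS Option A).
If there is no RR, the MP-IBGP relationship does not need to be established.
7. Deploying inter-AS Option C
1) Establish EBGP neighbor relationships between the ASBRs (R4 as the example)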
router bgp 100
neighbor 45.4.4.5 remote-as 200
!
address-family ipv4
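neighbor 45.4.4.5 activate // the ASBRs establish an EBGP neighbor relationship to carry the routes for the PE loopback addresses
neighbor 45.4.4.5 send-label // distribute labels for the PE loopback routes
network 2.2.2.2 mask 255.255.255.255 // advertise the loopback network of the PE in the local AS
2) Establish multihop MP-EBGP neighbors between the PEs in different ASs (R3 is the RR; R3 as the example)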
router bgp 100
neighbor 6.6.6.6 remote-as 200
neighbor 6.6.6.6 ebgp-multihop 255 // R3 and R6 establish a multihop MP-EBGP neighbor relationship across ASs, so multihop must be configured
neighbor 6.6.6.6 update-source Loopback 0
!
address-family vpnv4 unicast
neighbor 6.6.6.6 activate
neighbor 6.6.6.6 next-hop-unchanged // when a route learned from EBGP is passed to IBGP the next hop changes; R3 acts as the RR here and the next hop should not be changed
neighbor 6.6.6.6 send-community extended
exit-address-family
3) On the ASBRs, redistribute the loopback networks of the remote-AS PEs into the IGP
router rip
version 2
passive-interface GigabitEthernet 3/1/0.45
network 4.0.0.0
network 34.0.0.0
no auto-summary
redistribute bgp metric 1
V. Configuration verification
1. Test route connectivity between the VPN sites with ping:
R1#ping vrf VPN-A 7.7.7.7 sou 1.1.1.1
Sending 5, 100-byte ICMP Echoes to 7.7.7.7, timeout is 2 seconds:
< press Ctrl+C to break >
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/10/10 ms
R1#ping vrf VPN-B 77.77.77.77 sou 11.11.11.11
Sending 5, 100-byte ICMP Echoes to 77.77.77.77, timeout is 2 seconds:
< press Ctrl+C to break >
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/10/10 ms
2. Test the path with traceroute:
R1#traceroute vrf VPN-A 7.7.7.7 source 1.1.1.1
< press Ctrl+C to break >
Tracing the route to 7.7.7.7
1 12.1.1.2 0 msec 0 msec 0 msec
2 * * *
3 * * *
4 * * *
5 56.5.5.6 0 msec 0 msec 0 msec
6 7.7.7.7 10 msec 10 msec 10 msec
R1#traceroute vrf VPN-B 77.77.77.77 source 11.11.11.11
< press Ctrl+C to break >
Tracing the route to 77.77.77.77
1 21.1.1.2 0 msec 0 msec 10 msec
2 * * *
3 * * *
4 * * *
5 56.5.5.6 0 msec 0 msec 0 msec
6 77.77.77.77 10 msec 10 msec 10 msec
3. LSP ping test:
R2#ping mpls ipv4 4.4.4.4/32
Sending 5, 84-byte MPLS Echoes to 4.4.4.4/32,
timeout is 2 seconds, send interval is 0 msec:
Codes: '!' - success, 'Q' - request not sent, '.' - timeout,
'L' - labeled output interface, 'B' - unlabeled output interface,
'D' - DS Map mismatch, 'F' - no FEC mapping, 'f' - FEC mismatch,
'M' - malformed request, 'm' - unsupported tlvs, 'N' - no label entry,
'P' - no rx intf label prot, 'p' - premature termination of LSP,
'R' - transit router, 'I' - unknown upstream index,
'X' - unknown return code, 'x' - return code 0
Press Ctrl+C to break.
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/10 ms
4. LSP traceroute test:
R2#traceroute mpls ipv4 4.4.4.4/32
Tracing MPLS Label Switched Path to 4.4.4.4/32, timeout is 2 seconds
Codes: '!' - success, 'Q' - request not sent, '.' - timeout,
'L' - labeled output interface, 'B' - unlabeled output interface,
'D' - DS Map mismatch, 'F' - no FEC mapping, 'f' - FEC mismatch,
'M' - malformed request, 'm' - unsupported tlvs, 'N' - no label entry,
'P' - no rx intf label prot, 'p' - premature termination of LSP,
'R' - transit router, 'I' - unknown upstream index,
'X' - unknown return code, 'x' - return code 0
Press Ctrl+C to break.
0 23.2.2.2 MRU 1500 [Labels: 1025 Exp: 0]
L 1 23.2.2.3 MRU 1500 [Labels: implicit-null Exp: 0] <1 ms
! 2 34.3.3.4 <1 ms
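5. Packet path analysis
The analysis uses VPN-A traffic from 1.1.1.1 to 7.7.7.7 as the example.
1) CE1 (R1) sends VPN-A traffic with destination IP 7.7.7.7 and source IP 1.1.1.1. The packet reaches PE1 (R2); check the REF forwarding table at this point.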
R2#show ip ref route vrf VPN-A 7.0.0.0 255.0.0.0
Codes: * - default route
# - zero route
ip        mask        weight  path-id  next-hop  interface
7.0.0.0   255.0.0.0   0       262140   0.0.0.0   ftn nhlfe
2) Look up the MPLS forwarding table:
R2#show mpls forwarding-table ftn detail
Label Operation Code:
PH--PUSH label
PP--POP label
SW--SWAP label
SP--SWAP topmost label and push new label
DP--DROP packet
PC--POP label and continue lookup by IP or Label
PI--POP label and do ip lookup forward
PN--POP label and forward to nexthop
PM--POP label and do MAC lookup forward
PV--POP label and output to VC attach interface
IP--IP lookup forward
Local  Outgoing  OP  FEC              Outgoing   Nexthop
label  label                          interface
--     imp-null  PH  3.3.3.3/32       Gi0/0.23   23.2.2.3
Added by Route(vrf Global), Tag Stack: { 3 }
--     1025      PH  4.4.4.4/32       Gi0/0.23   23.2.2.3
Added by Route(vrf Global), Tag Stack: { 1025 }
--     1026      PH  6.6.6.6/32       Gi0/0.23   23.2.2.3
Added by Route(vrf Global), Tag Stack: { 1026 }
--     imp-null  PH  34.3.3.0/24      Gi0/0.23   23.2.2.3
Added by Route(vrf Global), Tag Stack: { 3 }
--     1024      PH  7.0.0.0/8(V)     Gi0/0.23   23.2.2.3
Added by Route(vrf VPN-A), Tag Stack: { 1024 1026 }
--     1024      PH  67.6.6.0/24(V)   Gi0/0.23   23.2.2.3
Added by Route(vrf VPN-A), Tag Stack: { 1024 1026 }
--     1025      PH  76.6.6.0/24(V)   Gi0/0.23   23.2.2.3
Added by Route(vrf VPN-B), Tag Stack: { 1025 1026 }
--     1025      PH  77.0.0.0/8(V)    Gi0/0.23   23.2.2.3
Added by Route(vrf VPN-B), Tag Stack: { 1025 1026 }
// Here the FEC 7.0.0.0/8 is assigned a two-level label stack. The top label 1026 was assigned by R3 for the BGP next hop; the bottom label 1024 was assigned by R6 for the VPN route.
3) The labeled packet reaches router R3, which performs a swap and replaces the top label 1026 with 8196:
R3#sho mpls forwarding-table
Label Operation Code:
PH--PUSH label
PP--POP label
SW--SWAP label
SP--SWAP topmost label and push new label
DP--DROP packet
PC--POP label and continue lookup by IP or Label
PI--POP label and do ip lookup forward
PN--POP label and forward to nexthop
PM--POP label and do MAC lookup forward
PV--POP label and output to VC attach interface
IP--IP lookup forward
Local  Outgoing  OP  FEC           Outgoing   Nexthop
label  label                       interface
--     imp-null  PH  2.2.2.2/32    Gi0/0.23   23.2.2.2
--     imp-null  PH  4.4.4.4/32    Gi0/0.34   34.3.3.4
--     8196      PH  6.6.6.6/32    Gi0/0.34   34.3.3.4
1024   imp-null  PP  2.2.2.2/32    Gi0/0.23   23.2.2.2
1025   imp-null  PP  4.4.4.4/32    Gi0/0.34   34.3.3.4
1026   8196      SW  6.6.6.6/32    Gi0/0.34   34.3.3.4
1537   1536      SW  12.1.1.0/24   Gi0/0.23   23.2.2.2
1538   1537      SW  21.1.1.0/24   Gi0/0.23   23.2.2.2
4) The labeled packet reaches ASBR1 (R4), which continues with a lookup in the label forwarding table and swaps the VPN label 8196 for the VPN label 1024 that ASBR2 (R5) assigned to it:
R4#show mpls forwarding-table
Label Operation Code:
PH--PUSH label
PP--POP label
SW--SWAP label
SP--SWAP topmost label and push new label
DP--DROP packet
PC--POP label and continue lookup by IP or Label
PI--POP label and do ip lookup forward
PN--POP label and forward to nexthop
PM--POP label and do MAC lookup forward
PV--POP label and output to VC attach interface
IP--IP lookup forward
Local  Outgoing  OP  FEC           Outgoing     Nexthop
label  label                       interface
--     1024      PH  2.2.2.2/32    Gi3/1/0.34   34.3.3.3
--     imp-null  PH  3.3.3.3/32    Gi3/1/0.34   34.3.3.3
--     1024      PH  6.6.6.6/32    Gi3/1/0.45   45.4.4.5
--     imp-null  PH  23.2.2.0/24   Gi3/1/0.34   34.3.3.3
8192   1024      SW  2.2.2.2/32    Gi3/1/0.34   34.3.3.3
8193   imp-null  PP  3.3.3.3/32    Gi3/1/0.34   34.3.3.3
8194   imp-null  PP  23.2.2.0/24   Gi3/1/0.34   34.3.3.3
8195   imp-null  PP  45.4.4.5/32   Gi3/1/0.45   45.4.4.5
8196   1024      SW  6.6.6.6/32    Gi3/1/0.45   45.4.4.5
8704   1024      SW  2.2.2.2/32    Gi3/1/0.34   34.3.3.3
Check the LIB table on R4:
R4#show mpls ldp bindings
Default VRF:
lib entry: 4.4.4.4/32
local binding: to lsr: 3.3.3.3:0, label: imp-null
remote binding: from lsr: 3.3.3.3:0, label: 1025 (not in FIB)
lib entry: 34.3.3.0/24
local binding: to lsr: 3.3.3.3:0, label: imp-null
remote binding: from lsr: 3.3.3.3:0, label: imp-null (not in FIB)
lib entry: 45.4.4.0/24
local binding: to lsr: 3.3.3.3:0, label: imp-null
lib entry: 2.2.2.2/32
local binding: to lsr: 3.3.3.3:0, label: 8192
remote binding: from lsr: 3.3.3.3:0, label: 1024
lib entry: 3.3.3.3/32
local binding: to lsr: 3.3.3.3:0, label: 8193
remote binding: from lsr: 3.3.3.3:0, label: imp-null
lib entry: 23.2.2.0/24
local binding: to lsr: 3.3.3.3:0, label: 8194
remote binding: from lsr: 3.3.3.3:0, label: imp-null
lib entry: 45.4.4.5/32
local binding: to lsr: 3.3.3.3:0, label: 8195
lib entry: 6.6.6.6/32
local binding: to lsr: 3.3.3.3:0, label: 8196
remote binding: from lsr: 3.3.3.3:0, label: 1026 (not in FIB)
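// The local router assigns label 8196 to the BGP prefix 6.6.6.6/32 and advertises it for ASBR1 (R4) to use.
5) The labeled packet arrives at router ASBR2 (R5), which performs a POP and pops the top label 1024: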
R5#show mpls forwarding-table
Label Operation Code:
PH--PUSH label
PP--POP label
SW--SWAP label
SP--SWAP topmost label and push new label
DP--DROP packet
PC--POP label and continue lookup by IP or Label
PI--POP label and do ip lookup forward
PN--POP label and forward to nexthop
PM--POP label and do MAC lookup forward
PV--POP label and output to VC attach interface
IP--IP lookup forward
Local  Outgoing  OP  FEC           Outgoing   Nexthop
label  label                       interface
--     8704      PH  2.2.2.2/32    Gi0/0.45   45.4.4.4
--     imp-null  PH  6.6.6.6/32    Gi0/0.56   56.5.5.6
1024   imp-null  PP  6.6.6.6/32    Gi0/0.56   56.5.5.6
1536   imp-null  PP  6.6.6.6/32    Gi0/0.56   56.5.5.6
1537   imp-null  PP  45.4.4.4/32   Gi0/0.45   45.4.4.4
1538   8704      SW  2.2.2.2/32    Gi0/0.45   45.4.4.4
6) The labeled packet reaches router PE2 (R6), which pops the label:
R6#sh mpls forwarding-table
Label Operation Code:
PH--PUSH label
PP--POP label
SW--SWAP label
SP--SWAP topmost label and push new label
DP--DROP packet
PC--POP label and continue lookup by IP or Label
PI--POP label and do ip lookup forward
PN--POP label and forward to nexthop
PM--POP label and do MAC lookup forward
PV--POP label and output to VC attach interface
IP--IP lookup forward
Local  Outgoing  OP  FEC                Outgoing   Nexthop
label  label                            interface
--     1538      PH  2.2.2.2/32         Gi0/0.56   56.5.5.5
--     imp-null  PH  5.5.5.5/32         Gi0/0.56   56.5.5.5
--     1536      PH  1.1.1.1/32(V)      Gi0/0.56   56.5.5.5
--     1536      PH  12.1.1.0/24(V)     Gi0/0.56   56.5.5.5
--     1537      PH  11.11.11.11/32(V)  Gi0/0.56   56.5.5.5
--     1537      PH  21.1.1.0/24(V)     Gi0/0.56   56.5.5.5
1024   --        PI  VRF(VPN-A)         --         --
1025   --        PI  VRF(VPN-B)         --         --
1536   1538      SW  2.2.2.2/32         Gi0/0.56   56.5.5.5
1537   --        PI  3.3.3.3/32         Gi0/0.56   56.5.5.5
1538   imp-null  PP  5.5.5.5/32         Gi0/0.56   56.5.5.5
7) Look up the IP REF route table, restore the IP packet, and send it out GI0/0.67.
R6# show ip ref route vrf VPN-A 7.0.0.0 255.0.0.0
Codes: * - default route
# - zero route
ip        mask        weight  path-id  next-hop  interface
7.0.0.0   255.0.0.0   1       13       67.6.6.7  GigabitEthernet 0/0.67
8) The return traffic from R7 in VPN-A, source IP 7.7.7.7 to destination IP 1.1.1.1, is analysed in the same way.
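The label operations traced in steps 1) to 7), replayed as an added example that is not part of the original page. The table entries are transcribed from the show outputs above (only those on the R2-to-R6 path); the names FTN_R2, ILM and walk() and the use of router names as keys are assumptions of this sketch. It also covers the VPN-B FEC and the case where a transit router has no entry for the top label.

```python
# Added example. Label values come from the show outputs on this page;
# FTN_R2, ILM and walk() are hypothetical names used only in this sketch.

# Ingress FTN on PE1 (R2): (vrf, FEC) -> (tag stack as printed, bottom first; next router)
FTN_R2 = {
    ("VPN-A", "7.0.0.0/8"): ([1024, 1026], "R3"),
    ("VPN-B", "77.0.0.0/8"): ([1025, 1026], "R3"),
}

# Per-router table: incoming top label -> (operation, outgoing label, next router or VRF)
ILM = {
    "R3": {1026: ("SW", 8196, "R4")},
    "R4": {8196: ("SW", 1024, "R5")},
    "R5": {1024: ("PP", None, "R6")},
    "R6": {1024: ("PI", None, "VPN-A"), 1025: ("PI", None, "VPN-B")},
}


def walk(vrf, fec, ilm=ILM):
    """Return (trace, egress_vrf); egress_vrf is None if a router drops the packet."""
    stack, node = FTN_R2[(vrf, fec)]
    stack = list(stack)
    trace = [("R2", "PH", tuple(stack))]
    while True:
        entry = ilm.get(node, {}).get(stack[-1]) if stack else None
        if entry is None:                      # no entry for the top label: DP
            trace.append((node, "DP", tuple(stack)))
            return trace, None
        op, out_label, nxt = entry
        if op == "SW":
            stack[-1] = out_label              # swap touches only the topmost label
        else:                                  # PP and PI both remove the top label
            stack.pop()
        trace.append((node, op, tuple(stack)))
        if op == "PI":                         # egress PE: IP lookup inside the VRF
            return trace, nxt
        node = nxt


if __name__ == "__main__":
    for key in FTN_R2:
        trace, egress_vrf = walk(*key)
        for hop in trace:
            print(*hop)
        print(key, "delivered to", egress_vrf)
```

The transit routers R3, R4 and R5 act only on the top label, so the bottom label pushed by R2 is what selects the VRF on R6; label 1024 on R5 and label 1024 on R6 belong to different per-router label spaces.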