HUB&SPOKE架构

小趴菜鑫

已于 2024-08-22 21:18:29 修改

阅读量70

点赞数 2

文章标签：网络

于 2024-05-02 18:22:32 首次发布

本文链接：https://blog.csdn.net/weixin_64597693/article/details/138396810

版权

Hub&Spoke架构MPLS VPN

一、实验设想

当采用Hub&Spoke方案时，可以将多个站点中的一个站点设置为Hub站点，其余站点为Spoke站点。站点间的互访必须通过Hub站点，通过Hub站点集中管控站点间的数据传输。我们的目的是R5访问R6的流量数据经过HUB站点R4. 分支之间可以互相访问，但是必须经过HUB总部节点。我们采用EBGP的方法。也可以使用OSPF。公网底层我们采用ISIS作为底层。49.0001.0000.0000.000X.00

二、实验拓扑

我们规划PE所在的AS为123，CE所在的AS为26200. R4为HUB CE. R5和R6为SPOKE 流量的访问走向为R5 到R1走到R4在去到R6的流量走向。我们的思路是HUB PE上去配置两个VRF，一个是INT，一个是OUT。我们根据规划R5的业务RD为5：5 in RT为55:55 out RT为54:54.R6的业务RD为6:6，in RT为66:66 out RT为64:64.这样我们在HUB PE上的INT 为 54:54 65:65. OUT为55:55. 66:66.

三、配置脚本

HUB CE (r4):

<R4>DIS CU

[V200R003C00]

sysname R4

snmp-agent local-engineid 800007DB03000000000000

snmp-agent

clock timezone China-Standard-Time minus 08:00:00

portal local-server load flash:/portalpage.zip

drop illegal-mac alarm

wlan ac-global carrier id other ac id 0

set cpu-usage threshold 80 restore 75

aaa

authentication-scheme default

authorization-scheme default

accounting-scheme default

domain default

domain default_admin

local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$

local-user admin service-type http

firewall zone Local

priority 15

interface GigabitEthernet0/0/0

interface GigabitEthernet0/0/0.100

description vpn_in

dot1q termination vid 100

ip address 14.1.1.4 255.255.255.0

arp broadcast enable

interface GigabitEthernet0/0/0.200

description vpn_out

dot1q termination vid 200

ip address 41.1.1.4 255.255.255.0

arp broadcast enable

interface GigabitEthernet0/0/1

interface GigabitEthernet0/0/2

interface NULL0

bgp 26200

peer 14.1.1.1 as-number 123

peer 14.1.1.1 ebgp-max-hop 255

peer 41.1.1.1 as-number 123

peer 41.1.1.1 ebgp-max-hop 255

ipv4-family unicast

undo synchronization

peer 14.1.1.1 enable

peer 41.1.1.1 enable

user-interface con 0

authentication-mode password

user-interface vty 0 4

user-interface vty 16 20

wlan ac

2. HUB PE(R1):

[R1]dis current-configuration

[V200R003C00]

sysname R1

ip vpn-instance vpn_in

ipv4-family

route-distinguisher 11:11

vpn-target 54:54 65:65 import-extcommunity

ip vpn-instance vpn_out

ipv4-family

route-distinguisher 22:22

vpn-target 55:55 66:66 export-extcommunity

mpls lsr-id 1.1.1.1

mpls

mpls ldp

# #

isis 1

is-level level-2

cost-style wide

network-entity 49.0001.0000.0000.0001.00

interface GigabitEthernet0/0/0

ip address 12.1.1.1 255.255.255.0

isis enable 1

mpls

mpls ldp

interface GigabitEthernet0/0/1

ip address 13.1.1.1 255.255.255.0

isis enable 1

mpls

mpls ldp

interface GigabitEthernet0/0/2

interface GigabitEthernet0/0/2.100

description vpn_in

dot1q termination vid 100

ip binding vpn-instance vpn_in

ip address 14.1.1.1 255.255.255.0

arp broadcast enable

interface GigabitEthernet0/0/2.200

description vpn_out

dot1q termination vid 200

ip binding vpn-instance vpn_out

ip address 41.1.1.1 255.255.255.0

arp broadcast enable

interface NULL0

interface LoopBack0

ip address 1.1.1.1 255.255.255.255

isis enable 1

bgp 123

peer 2.2.2.2 as-number 123

peer 2.2.2.2 connect-interface LoopBack0

peer 3.3.3.3 as-number 123

peer 3.3.3.3 connect-interface LoopBack0

ipv4-family unicast

undo synchronization

peer 2.2.2.2 enable

peer 3.3.3.3 enable

ipv4-family vpnv4

policy vpn-target

peer 2.2.2.2 enable

peer 3.3.3.3 enable

ipv4-family vpn-instance vpn_in

peer 14.1.1.4 as-number 26200

peer 14.1.1.4 ebgp-max-hop 255

peer 14.1.1.4 substitute-as

ipv4-family vpn-instance vpn_out

peer 41.1.1.4 as-number 26200

peer 41.1.1.4 ebgp-max-hop 255

peer 41.1.1.4 substitute-as // ;#启用 AS 号码替换功能，令 PE 使用本地 AS 号码替换收到的私网路由中 CE 所在 VPN 站点的 AS 号码

peer 41.1.1.4 allow-as-loop 2 //本地AS号允许重复两次

user-interface con 0

authentication-mode password

user-interface vty 0 4

user-interface vty 16 20

wlan ac

return

3. PE1(R2):

[R2]DIS current-configuration

[V200R003C00]

sysname R2

snmp-agent local-engineid 800007DB03000000000000

snmp-agent

clock timezone China-Standard-Time minus 08:00:00

portal local-server load flash:/portalpage.zip

drop illegal-mac alarm

wlan ac-global carrier id other ac id 0

set cpu-usage threshold 80 restore 75

ip vpn-instance vpn_spoke1

ipv4-family

route-distinguisher 55:55

vpn-target 54:54 export-extcommunity

vpn-target 55:55 import-extcommunity

mpls lsr-id 2.2.2.2

mpls

mpls ldp

isis 1

is-level level-2

cost-style wide

network-entity 49.0001.0000.0000.0002.00

firewall zone Local

priority 15

interface GigabitEthernet0/0/0

ip address 12.1.1.2 255.255.255.0

isis enable 1

mpls

mpls ldp

interface GigabitEthernet0/0/1

ip binding vpn-instance vpn_spoke1

ip address 25.1.1.2 255.255.255.0

interface GigabitEthernet0/0/2

interface NULL0

interface LoopBack0

ip address 2.2.2.2 255.255.255.255

isis enable 1

bgp 123

peer 1.1.1.1 as-number 123

peer 1.1.1.1 connect-interface LoopBack0

ipv4-family unicast

undo synchronization

peer 1.1.1.1 enable

ipv4-family vpnv4

policy vpn-target

peer 1.1.1.1 enable

ipv4-family vpn-instance vpn_spoke1

peer 25.1.1.5 as-number 26200

peer 25.1.1.5 ebgp-max-hop 255

peer 25.1.1.5 substitute-as

peer 25.1.1.5 allow-as-loop 2

user-interface con 0

authentication-mode password

user-interface vty 0 4

user-interface vty 16 20

wlan ac

Return

4. PE2(R3):

<R3>DIS current-configuration

[V200R003C00]

sysname R3

snmp-agent local-engineid 800007DB03000000000000

snmp-agent

clock timezone China-Standard-Time minus 08:00:00

portal local-server load flash:/portalpage.zip

drop illegal-mac alarm

wlan ac-global carrier id other ac id 0

set cpu-usage threshold 80 restore 75

ip vpn-instance spoke2

ipv4-family

route-distinguisher 6:6

vpn-target 65:65 export-extcommunity

vpn-target 66:66 import-extcommunity

mpls lsr-id 3.3.3.3

mpls

mpls ldp

aaa

authentication-scheme default

authorization-scheme default

accounting-scheme default

domain default

domain default_admin

local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$

local-user admin service-type http

isis 1

is-level level-2

cost-style wide

network-entity 49.0001.0000.0000.0003.00

firewall zone Local

priority 15

interface GigabitEthernet0/0/0

ip address 13.1.1.3 255.255.255.0

isis enable 1

mpls

mpls ldp

interface GigabitEthernet0/0/1

ip binding vpn-instance spoke2

ip address 36.1.1.3 255.255.255.0

interface GigabitEthernet0/0/2

interface NULL0

interface LoopBack0

ip address 3.3.3.3 255.255.255.255

isis enable 1

bgp 123

peer 1.1.1.1 as-number 123

peer 1.1.1.1 connect-interface LoopBack0

ipv4-family unicast

undo synchronization

peer 1.1.1.1 enable

ipv4-family vpnv4

policy vpn-target

peer 1.1.1.1 enable

ipv4-family vpn-instance spoke2

peer 36.1.1.6 as-number 26200

peer 36.1.1.6 ebgp-max-hop 255

peer 36.1.1.6 substitute-as

peer 36.1.1.6 allow-as-loop 2

user-interface con 0

authentication-mode password

user-interface vty 0 4

user-interface vty 16 20

5. CE1(R5)：

<R5>DIS current-configuration

[V200R003C00]

sysname R5

snmp-agent local-engineid 800007DB03000000000000

snmp-agent

clock timezone China-Standard-Time minus 08:00:00

portal local-server load flash:/portalpage.zip

drop illegal-mac alarm

wlan ac-global carrier id other ac id 0

set cpu-usage threshold 80 restore 75

aaa

authentication-scheme default

authorization-scheme default

accounting-scheme default

domain default

domain default_admin

local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$

local-user admin service-type http

firewall zone Local

priority 15

interface GigabitEthernet0/0/0

ip address 25.1.1.5 255.255.255.0

interface GigabitEthernet0/0/1

interface GigabitEthernet0/0/2

interface NULL0

interface LoopBack0

ip address 5.5.5.5 255.255.255.255

bgp 26200

peer 25.1.1.2 as-number 123

peer 25.1.1.2 ebgp-max-hop 255

ipv4-family unicast

undo synchronization

network 5.5.5.5 255.255.255.255

peer 25.1.1.2 enable

user-interface con 0

authentication-mode password

user-interface vty 0 4

user-interface vty 16 20

wlan ac

6. CE2(R6)

<R6>DIS current-configuration

[V200R003C00]

firewall zone Local

priority 15

interface GigabitEthernet0/0/0

ip address 36.1.1.6 255.255.255.0

interface GigabitEthernet0/0/1

interface GigabitEthernet0/0/2

interface NULL0

interface LoopBack0

ip address 6.6.6.6 255.255.255.255

bgp 26200

peer 36.1.1.3 as-number 123

peer 36.1.1.3 ebgp-max-hop 255

ipv4-family unicast

undo synchronization

network 6.6.6.6 255.255.255.255

peer 36.1.1.3 enable

user-interface con 0

authentication-mode password

user-interface vty 0 4

user-interface vty 16 20

wlan ac

四、总结现象

我们来进行实验验证

我们可以看到6访问5的流量走向经过HUB点R4，才去访问的R5.

我们的流量走向是这样的。我们需要注意AS_path会防环，会导致我们的路由无法被传递，我们需要配置AS替换,PE本地的AS会替换私网CE的AS号和允许本地AS号出现两次。从而使得路由正确转发。HUB PE和HUB CE.我们采用子接口的方式用互联。

小趴菜鑫

关注

2
点赞
踩
2

收藏

觉得还不错? 一键收藏
0
评论
HUB&SPOKE架构

我们规划PE所在的AS为123，CE所在的AS为26200. R4为HUB CE. R5和R6为SPOKE 流量的访问走向为R5 到R1走到R4在去到R6的流量走向。我们根据规划R5的业务RD为5：5 in RT为55:55 out RT为54:54.R6的业务RD为6:6，in RT为66:66 out RT为64:64.这样我们在HUB PE上的INT 为 54:54 65:65. OUT为55:55. 66:66.站点间的互访必须通过Hub站点，通过Hub站点集中管控站点间的数据传输。
复制链接

扫一扫