MPLS VPN Inter-AS Option C1
In the MPLS VPN Inter-AS Option C1 scheme, the first step (marked 2 in the figure) is to establish an MP-EBGP peering between the PEs marked 3 and 6. Step 5 in the figure is the propagation of IPv4 routes together with labels (labelled IPv4 unicast). Inside each AS an LDP tunnel is built between the PE and its ASBR to prevent routing black holes, and the labelled IPv4 routes are propagated, so that the MP-EBGP session between 3 and 6 can come up.
Option C is typically used today between metro and backbone networks, in e-government networks, or between carriers.
National Petroleum and Customs generally use Option C1.
State Grid uses Option C2.
Configuration approach
1. First, establish the MP-EBGP peering, that is, between R3 and R6. The approach is as follows:
- There must be an LDP tunnel between R3 and R1; it prevents a routing black hole.
- IPv4 routes exchanged between R3 and R1 must carry labels (labelled routes via a route-policy that applies an MPLS label).
- Establish an EBGP peering between R1 and R4, and advertise (or import) 3.3.3.3 on R1. In a production network the IGP must not be imported wholesale: (1) far too many routes, and (2) it is insecure. We therefore use an IP prefix list together with a route-policy to import exactly the prefix needed, and the inter-AS interface (G0/0/2) must have MPLS enabled so that labelled packets can be carried. Note: on Huawei devices, next-hop-local does not need to be configured for this EBGP arrangement.
- IPv4 routes exchanged between R4 and R6 must carry labels (again via a label-applying route-policy).
- Configure the MP-EBGP peering between R3 and R6.
Configuration scripts
R7:
R3:
<AS100-3>DIS current-configuration
[V200R003C00]
#
sysname AS100-3
#
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:200
vpn-target 100:200 export-extcommunity
vpn-target 100:200 import-extcommunity
#
mpls lsr-id 3.3.3.3
mpls
#
mpls ldp
#
#
isis 100
is-level level-2
cost-style wide
network-entity 49.0001.0000.0000.0003.00
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
#
interface GigabitEthernet0/0/1
ip address 100.1.23.3 255.255.255.0
isis enable 100
mpls
mpls ldp
#
interface GigabitEthernet0/0/2
ip binding vpn-instance vpn1
ip address 192.168.100.3 255.255.255.0
ospf enable 1 area 0.0.0.0
#
interface NULL0
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
isis enable 100
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack0
peer 6.6.6.6 as-number 200
peer 6.6.6.6 ebgp-max-hop 255
peer 6.6.6.6 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
peer 1.1.1.1 label-route-capability
peer 6.6.6.6 enable
#
ipv4-family vpnv4
policy vpn-target
peer 6.6.6.6 enable
#
ipv4-family vpn-instance vpn1
import-route ospf 1
#
ospf 1 router-id 3.3.3.3 vpn-instance vpn1
import-route bgp
area 0.0.0.0
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
R2:
[AS100-2]DIS current-configuration
[V200R003C00]
#
sysname AS100-2
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
isis 100
is-level level-2
cost-style wide
network-entity 49.0001.0000.0000.0002.00
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 100.1.12.2 255.255.255.0
isis enable 100
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
ip address 100.1.23.2 255.255.255.0
isis enable 100
mpls
mpls ldp
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
isis enable 100
R1:
<AS100-1>DIS current-configuration
[V200R003C00]
#
sysname AS100-1
#
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
#
#
isis 100
is-level level-2
cost-style wide
network-entity 49.0001.0000.0000.0001.00
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 100.1.12.1 255.255.255.0
isis enable 100
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
ip address 120.1.14.1 255.255.255.0
mpls
#
interface NULL0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
isis enable 100
#
bgp 100
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack0
peer 120.1.14.4 as-number 200
#
ipv4-family unicast
undo synchronization
import-route isis 100 route-policy 1
peer 3.3.3.3 enable
peer 3.3.3.3 route-policy 2 export
peer 3.3.3.3 label-route-capability
peer 120.1.14.4 enable
peer 120.1.14.4 route-policy 1 export
peer 120.1.14.4 label-route-capability
#
route-policy 1 permit node 5
if-match ip-prefix 1
apply mpls-label
#
route-policy 1 permit node 15
#
route-policy 2 permit node 15
if-match mpls-label
apply mpls-label
#
ip ip-prefix 1 index 10 permit 3.3.3.3 32
#
R4:
<AS200-4>dis current-configuration
[V200R003C00]
#
sysname AS200-4
#
#
mpls lsr-id 4.4.4.4
mpls
#
mpls ldp
#
#
isis 200
is-level level-2
cost-style wide
network-entity 49.0002.0000.0000.0004.00
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 200.1.45.4 255.255.255.0
isis enable 200
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
ip address 120.1.14.4 255.255.255.0
mpls
#
interface NULL0
#
interface LoopBack0
ip address 4.4.4.4 255.255.255.255
isis enable 200
#
bgp 200
peer 6.6.6.6 as-number 200
peer 6.6.6.6 connect-interface LoopBack0
peer 120.1.14.1 as-number 100
#
ipv4-family unicast
undo synchronization
import-route isis 200 route-policy 1
peer 6.6.6.6 enable
peer 6.6.6.6 route-policy 2 export
peer 6.6.6.6 label-route-capability
peer 120.1.14.1 enable
peer 120.1.14.1 route-policy 1 export
peer 120.1.14.1 label-route-capability
#
route-policy 2 permit node 5
if-match mpls-label
apply mpls-label
#
route-policy 1 permit node 5
if-match ip-prefix 1
apply mpls-label
#
ip ip-prefix 1 index 10 permit 6.6.6.6 32
R5:
<AS200-5>DIS current-configuration
[V200R003C00]
#
sysname AS200-5
#
#
mpls lsr-id 5.5.5.5
mpls
#
mpls ldp
#
isis 200
is-level level-2
cost-style wide
network-entity 49.0002.0000.0000.0005.00
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 200.1.45.5 255.255.255.0
isis enable 200
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
ip address 200.1.56.5 255.255.255.0
isis enable 200
mpls
mpls ldp
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
interface LoopBack0
ip address 5.5.5.5 255.255.255.255
isis enable 200
#
R6:
[AS200-6]DIS current-configuration
[V200R003C00]
#
sysname AS200-6
#
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:200
vpn-target 100:200 export-extcommunity
vpn-target 100:200 import-extcommunity
#
mpls lsr-id 6.6.6.6
mpls
#
mpls ldp
#
isis 200
is-level level-2
cost-style wide
network-entity 49.0002.0000.0000.0006.00
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
#
interface GigabitEthernet0/0/1
ip address 200.1.56.6 255.255.255.0
isis enable 200
mpls
mpls ldp
#
interface GigabitEthernet0/0/2
ip binding vpn-instance vpn1
ip address 192.168.200.6 255.255.255.0
ospf enable 1 area 0.0.0.0
#
interface NULL0
#
interface LoopBack0
ip address 6.6.6.6 255.255.255.255
isis enable 200
#
bgp 200
peer 3.3.3.3 as-number 100
peer 3.3.3.3 ebgp-max-hop 255
peer 3.3.3.3 connect-interface LoopBack0
peer 4.4.4.4 as-number 200
peer 4.4.4.4 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 3.3.3.3 enable
peer 4.4.4.4 enable
peer 4.4.4.4 label-route-capability
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.3 enable
#
ipv4-family vpn-instance vpn1
import-route ospf 1
#
ospf 1 router-id 6.6.6.6 vpn-instance vpn1
import-route bgp
area 0.0.0.0
#
R8:
[V200R003C00]
#
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
ip address 192.168.200.8 255.255.255.0
ospf enable 1 area 0.0.0.0
#
interface NULL0
#
interface LoopBack0
ip address 8.8.8.8 255.255.255.255
ospf enable 1 area 0.0.0.0
#
ospf 1 router-id 8.8.8.8
area 0.0.0.0
#
Configuration summary
- In a production network, R1 must not import everything from the IGP, so we configure an IP prefix list and use it together with the label-applying route-policy:
ip ip-prefix 1 index 10 permit 3.3.3.3 32
The route-policy applies the MPLS label (apply mpls-label). BGP on both sides must also reference the policy and enable labelled-route capability (peer ... label-route-capability).
R4 is configured in the same way. The result is a three-label stack.
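As an added example (not code from the original page), the following Python script checks the two hygiene points made in the configuration approach and in this summary: the ASBR imports only the PE loopback from the IGP through an IP prefix list, and every peer with label-route-capability has an export route-policy that actually applies a label. The parser is keyword based because the dumps on this page have lost their indentation. The R1 BGP excerpt embedded below is copied from this page; the BAD_ASBR variant is constructed from it. Run against the R1 excerpt it reports one finding: route-policy 1 node 15 has no if-match, so "import-route isis 100 route-policy 1" still imports every IS-IS route, not only 3.3.3.3/32.

```python
"""Option C1 hygiene audit for Huawei VRP BGP configuration (added example, not the
page's own code); keyword-based, because the dumps on this page lost their indentation."""
import re

TOP_LEVEL = re.compile(r"^(interface|route-policy|ip ip-prefix|ip vpn-instance|ospf|isis|"
                       r"mpls|acl|user-interface)\b")

# Excerpt of the R1 configuration shown on this page (peer enable lines omitted).
R1_BGP = """\
bgp 100
 peer 3.3.3.3 as-number 100
 peer 120.1.14.4 as-number 200
 ipv4-family unicast
  import-route isis 100 route-policy 1
  peer 3.3.3.3 route-policy 2 export
  peer 3.3.3.3 label-route-capability
  peer 120.1.14.4 route-policy 1 export
  peer 120.1.14.4 label-route-capability
#
route-policy 1 permit node 5
 if-match ip-prefix 1
 apply mpls-label
#
route-policy 1 permit node 15
#
route-policy 2 permit node 15
 if-match mpls-label
 apply mpls-label
#
ip ip-prefix 1 index 10 permit 3.3.3.3 32
"""
# Constructed counter-example derived from it: unfiltered IGP import, a labelled
# peer with no export policy, and a prefix list that permits everything.
BAD_ASBR = (R1_BGP.replace("import-route isis 100 route-policy 1", "import-route isis 100")
            .replace("  peer 3.3.3.3 route-policy 2 export\n", "")
            .replace("permit 3.3.3.3 32", "permit 0.0.0.0 0 less-equal 32"))


def parse_vrp(text):
    """Collect BGP peers, import-route lines, route-policy nodes and prefix lists."""
    cfg = {"peers": {}, "imports": [], "policies": {}, "prefixes": {}}
    in_bgp = family = node = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#"):            # '#' ends a policy node, not the BGP view
            node = None
            continue
        if re.match(r"bgp \d+$", line):
            in_bgp, family, node = True, None, None
            continue
        if TOP_LEVEL.match(line):        # any other top-level view leaves the BGP view
            in_bgp = node = None
        m = re.match(r"route-policy (\S+) (permit|deny) node (\d+)$", line)
        if m:
            node = (m.group(1), int(m.group(3)))
            cfg["policies"].setdefault(node[0], {})[node[1]] = {
                "action": m.group(2), "match": [], "apply": []}
        elif node:                       # if-match / apply lines of the current node
            entry = cfg["policies"][node[0]][node[1]]
            if line.startswith("if-match "):
                entry["match"].append(line[9:])
            elif line.startswith("apply "):
                entry["apply"].append(line[6:])
        elif (m := re.match(r"ip ip-prefix (\S+) index \d+ (permit|deny) (\S+) (\d+)(.*)$", line)):
            cfg["prefixes"].setdefault(m.group(1), []).append(
                (m.group(2), m.group(3), int(m.group(4)), m.group(5).strip()))
        elif not in_bgp:
            continue
        elif (m := re.match(r"ipv4-family (.+)$", line)):
            family = m.group(1)
        elif (m := re.match(r"import-route (\S+)(?: \d+)?(?: route-policy (\S+))?$", line)):
            cfg["imports"].append((m.group(1), m.group(2), family))
        elif (m := re.match(r"peer (\S+) (.+)$", line)):
            peer, rest = cfg["peers"].setdefault(m.group(1), {}), m.group(2).split()
            if rest[0] == "label-route-capability":
                peer["labelled"] = True
            elif rest[0] == "route-policy" and rest[-1] == "export":
                peer["export_policy"] = rest[1]
    return cfg


def audit(text):
    """Return findings; an empty list means the Option C1 hygiene checks pass."""
    cfg, findings, policies = parse_vrp(text), [], set()
    for proto, policy, family in cfg["imports"]:
        if family == "unicast" and proto in ("isis", "ospf", "rip", "direct", "static"):
            if policy is None:
                findings.append(f"import-route {proto}: no route-policy, whole IGP imported into BGP")
            else:
                policies.add(policy)
    for addr, peer in sorted(cfg["peers"].items()):
        if not peer.get("labelled"):
            continue
        pol = peer.get("export_policy")
        if pol is None:
            findings.append(f"peer {addr}: label-route-capability but no export route-policy")
            continue
        policies.add(pol)
        if not any("mpls-label" in n["apply"] for n in cfg["policies"].get(pol, {}).values()):
            findings.append(f"peer {addr}: export route-policy {pol} never applies an MPLS label")
    for pol in sorted(policies):           # every policy used for import or labelled export
        for idx, n in sorted(cfg["policies"].get(pol, {}).items()):
            if n["action"] == "permit" and not n["match"]:
                findings.append(f"route-policy {pol} node {idx}: permit without if-match matches every route")
            for name in (c.split()[1] for c in n["match"] if c.startswith("ip-prefix ")):
                for action, addr, mask, extra in cfg["prefixes"].get(name, []):
                    if action == "permit" and (mask != 32 or extra):
                        findings.append(f"ip-prefix {name}: {addr}/{mask} {extra} is wider than one loopback".strip())
    return findings
```

The checks deliberately treat a permit node without if-match as a finding even when an earlier node already matched the wanted loopback, because in a route-policy every route that misses node 5 falls through to node 15 and is still permitted.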
Packet path and forwarding flow
Consider an ICMP packet from 8.8.8.8 to 7.7.7.7. It enters the vpn1 VRF on R6, where the inner (VPN) label is pushed; its BGP next hop is R3, so it is heading for the vpn1 VRF routing table on R3. Now look at how the route to R3 is recursed. On R6 the packet already carries the inner label, and the route to 3.3.3.3 via 4.4.4.4 carries the BGP (policy) label. But R5 does not recognise that BGP label, which would create a routing black hole, so an LDP label must be pushed on top of the BGP label. When the packet reaches R5, the penultimate hop, R5 pops the LDP label and the packet arrives at R4. R4 now sees the BGP label, which tells it how to reach R3; it swaps the label and forwards to R1. R1 likewise swaps the BGP label (destination R3), re-encapsulates with an LDP label and forwards a three-label stack. R2, the penultimate hop, pops the LDP label. On R3 the inner MP-BGP label steers the packet into the vpn1 VRF routing table, and through the mutual import between OSPF and BGP the packet reaches R7.
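The label-stack walk described above, as an added example rather than anything from the original page: a small Python model with one LFIB entry per router on the path R6 -> R5 -> R4 -> R1 -> R2 -> R3. All label values and LFIB entries are constructed (the page shows no label bindings); the router names, loopbacks and the push/swap/pop sequence follow the text. Running the same packet without the outer LDP label reproduces the black hole at R5 that the text warns about.

```python
"""Toy label-stack model of the Option C1 forwarding path (added example, not
code from the page).  Stacks are lists with the top label last."""

# Constructed label values: the page shows no actual bindings.
VPN_LABEL = 1001   # inner label R3 allocated for vpn1, signalled via MP-BGP VPNv4
BGP_R4 = 3001      # label R4 advertised to R6 for 3.3.3.3/32 (labelled IPv4 unicast)
BGP_R1 = 3002      # label R1 advertised to R4 for 3.3.3.3/32
BGP_R3 = 3003      # label R3 advertised to R1 for 3.3.3.3/32
LDP_TO_R4 = 2004   # LDP label R5 advertised to R6 for FEC 4.4.4.4/32
LDP_TO_R3 = 2003   # LDP label R2 advertised to R1 for FEC 3.3.3.3/32

# LFIB per router: incoming top label -> (labels that replace the top, next hop).
# [] = pop, [x] = swap, [x, y] = swap then push y; next hop None = stay on this
# router and look at the next label; ("vrf", name) ends label forwarding.
LFIB = {
    "R5": {LDP_TO_R4: ([], "R4")},                 # penultimate hop for 4.4.4.4: pop LDP
    "R4": {BGP_R4: ([BGP_R1], "R1")},              # ASBR: swap BGP label toward R1
    "R1": {BGP_R1: ([BGP_R3, LDP_TO_R3], "R2")},   # ASBR: swap BGP label, push LDP
    "R2": {LDP_TO_R3: ([], "R3")},                 # penultimate hop for 3.3.3.3: pop LDP
    "R3": {BGP_R3: ([], None),                     # label for its own loopback: pop locally
           VPN_LABEL: ("vrf", "vpn1")},            # inner label selects the VRF
}


def ingress_stack(with_ldp=True):
    """Stack R6 pushes for 8.8.8.8 -> 7.7.7.7.  Without the LDP label the BGP
    label is exposed to R5, which never learned it."""
    stack = [VPN_LABEL, BGP_R4]
    if with_ldp:
        stack.append(LDP_TO_R4)
    return stack


def forward(stack, first_hop="R5"):
    """Walk the packet from R6's first hop; report path, outcome and max stack depth."""
    stack, router = list(stack), first_hop
    path, max_depth = ["R6", router], len(stack)
    while True:
        entry = LFIB.get(router, {}).get(stack[-1]) if stack else None
        if entry is None:                          # unknown label: black hole
            return {"path": path, "result": "DROP", "max_depth": max_depth}
        if entry[0] == "vrf":
            return {"path": path, "result": f"delivered to {entry[1]} on {router}",
                    "max_depth": max_depth}
        new_top, next_hop = entry
        stack = stack[:-1] + list(new_top)
        max_depth = max(max_depth, len(stack))
        if next_hop is not None:
            router = next_hop
            path.append(router)


if __name__ == "__main__":
    print("with LDP   :", forward(ingress_stack(True)))
    print("without LDP:", forward(ingress_stack(False)))
```

With the LDP label the packet reaches vpn1 on R3 and the deepest stack is three labels (at R1 after the swap and push, matching the three-label stack the summary mentions); without it R5 has no entry for the BGP label and the packet is dropped.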