Example for Configuring Hub and Spoke
Networking Requirements
A bank wants to use MPLS VPN so that its headquarters and branches can access each other securely, and requires that all VPN traffic between branches be forwarded through headquarters so that it can be monitored there. As shown in Figure 2-54, the Spoke-CEs connect the branches and Hub-CE connects headquarters; traffic between the Spoke-CEs must be forwarded by Hub-CE.
Make sure that STP is disabled on the interconnected interfaces in this scenario, and remove those interfaces from VLAN 1 to avoid loops. If STP is enabled on a ring network and the Layer 3 network is built on VLANIF interfaces of the switches, STP blocks a port and Layer 3 services fail.
Configuration Roadmap
The configuration roadmap is as follows:
- Configure an IGP on the backbone network so that Hub-PE and the Spoke-PEs can communicate.
- Configure basic MPLS functions and MPLS LDP on the backbone network to establish LDP LSPs as public network tunnels.
- Establish MP-IBGP peer relationships between Hub-PE and each Spoke-PE. Do not establish MP-IBGP peer relationships between the Spoke-PEs, so that they never exchange VPN routes directly.
- Create two VPN instances on Hub-PE: one receives routes from the Spoke-PEs and has import target 100:1; the other advertises routes to the Spoke-PEs and has export target 200:1.
- Create one VPN instance on each Spoke-PE with export target 100:1 and import target 200:1. Because a Spoke-PE does not import 100:1, it never learns another spoke's routes directly; it learns them only after Hub-CE has re-advertised them through the Hub-PE instance that exports 200:1.
- Use EBGP between the CEs and PEs to exchange VPN routes. On Hub-PE, allow the local AS number to appear once in the AS_PATH of received routes (allow-as-loop 1), so that Hub-PE accepts the routes re-advertised by Hub-CE.
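The VPN-target asymmetry above is what keeps branch-to-branch traffic on the hub, and it can be checked with a small model before touching a device. The following Python is an added example written for this page, not Huawei code: the instance names, VPN-targets and prefixes come from the example, while the modelling functions and the "mesh-style" spoke import list used as the negative case are assumptions. It models only VPN-target filtering (it assumes every exported route is visible to every PE); in the example, the absence of MP-IBGP sessions between the Spoke-PEs is a second safeguard that this model does not represent.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VpnInstance:
    pe: str
    name: str
    export_rt: frozenset
    import_rt: frozenset

    @property
    def key(self):
        return f"{self.pe}/{self.name}"


@dataclass(frozen=True)
class VpnRoute:
    prefix: str
    origin: str        # key of the instance that advertised the route into MP-BGP
    rts: frozenset     # export VPN-targets attached when it was advertised


def imports(inst, routes):
    """VPN-target filtering on the receiving PE: a route is installed into the
    instance if it carries at least one VPN-target in the instance's import list.
    Routes the instance advertised itself are skipped (they are already local)."""
    return {r for r in routes if r.rts & inst.import_rt and r.origin != inst.key}


def build_vpn_tables(spoke_import_rt=frozenset({"200:1"})):
    """Distribute routes for the example topology and return
    {instance_key: {prefix: {origin_key, ...}}}.

    spoke_import_rt defaults to the hub-and-spoke value (200:1 only). Passing
    frozenset({"100:1", "200:1"}) models a spoke that also carries the mesh-style
    import target (an assumed misconfiguration, not from the page)."""
    spoke1 = VpnInstance("Spoke-PE1", "vpna", frozenset({"100:1"}), spoke_import_rt)
    spoke2 = VpnInstance("Spoke-PE2", "vpna", frozenset({"100:1"}), spoke_import_rt)
    vpn_in = VpnInstance("Hub-PE", "vpn_in", frozenset(), frozenset({"100:1"}))
    vpn_out = VpnInstance("Hub-PE", "vpn_out", frozenset({"200:1"}), frozenset())

    # Each PE advertises the direct routes of its VPN instance with the instance's
    # export target. vpn_in has no export target, so 110.1.1.0/24 never enters
    # MP-BGP from Hub-PE; Hub-CE advertises it over EBGP instead.
    mpbgp = {
        VpnRoute("100.1.1.0/24", spoke1.key, spoke1.export_rt),
        VpnRoute("120.1.1.0/24", spoke2.key, spoke2.export_rt),
        VpnRoute("110.2.1.0/24", vpn_out.key, vpn_out.export_rt),
    }
    # Hub-PE installs the spoke routes into vpn_in (import 100:1), hands them to
    # Hub-CE over EBGP, Hub-CE re-advertises them to the vpn_out peer, and vpn_out
    # re-exports them with 200:1. Their origin is now vpn_out: the path via the hub.
    for r in imports(vpn_in, mpbgp):
        mpbgp.add(VpnRoute(r.prefix, vpn_out.key, vpn_out.export_rt))

    tables = {}
    for inst in (spoke1, spoke2, vpn_in, vpn_out):
        tables[inst.key] = {}
        for r in imports(inst, mpbgp):
            tables[inst.key].setdefault(r.prefix, set()).add(r.origin)
    return tables


def spoke_routes_bypassing_hub(tables):
    """(spoke instance, prefix) pairs learned directly from another spoke rather
    than from Hub-PE/vpn_out. Traffic to such prefixes would skip Hub-CE and its
    monitoring, so the expected result for the design above is an empty list."""
    spokes = [k for k in tables if k.startswith("Spoke-")]
    return sorted((s, prefix) for s in spokes
                  for prefix, origins in tables[s].items()
                  if any(o in spokes and o != s for o in origins))


if __name__ == "__main__":
    print("hub-and-spoke:", spoke_routes_bypassing_hub(build_vpn_tables()))
    print("spoke also imports 100:1:",
          spoke_routes_bypassing_hub(build_vpn_tables(frozenset({"100:1", "200:1"}))))
```

With the page's targets, every spoke prefix reaches the other spoke only with origin Hub-PE/vpn_out; adding 100:1 to a spoke's import list (a common copy-paste from a full-mesh template) makes 120.1.1.0/24 appear on Spoke-PE1 straight from Spoke-PE2, which is the condition the function flags.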
Procedure
- Add interfaces to VLANs and configure IP addresses for the VLANIF and Loopback interfaces, using the data shown in Figure 2-54.
# Configure Spoke-PE1.
<HUAWEI> system-view
[HUAWEI] sysname Spoke-PE1
[Spoke-PE1] interface loopback 1
[Spoke-PE1-LoopBack1] ip address 1.1.1.9 32
[Spoke-PE1-LoopBack1] quit
[Spoke-PE1] vlan batch 10 50
[Spoke-PE1] interface gigabitethernet 1/0/1
[Spoke-PE1-GigabitEthernet1/0/1] port link-type trunk
[Spoke-PE1-GigabitEthernet1/0/1] port trunk allow-pass vlan 50
[Spoke-PE1-GigabitEthernet1/0/1] quit
[Spoke-PE1] interface gigabitethernet 2/0/2
[Spoke-PE1-GigabitEthernet2/0/2] port link-type trunk
[Spoke-PE1-GigabitEthernet2/0/2] port trunk allow-pass vlan 10
[Spoke-PE1-GigabitEthernet2/0/2] quit
[Spoke-PE1] interface vlanif 10
[Spoke-PE1-Vlanif10] ip address 22.1.1.1 255.255.255.0
[Spoke-PE1-Vlanif10] quit
The configurations of Hub-CE, Hub-PE, Spoke-PE2, Spoke-CE1, and Spoke-CE2 are similar to that of Spoke-PE1 and are not described here.
- Configure OSPF on the backbone network so that Hub-PE and the Spoke-PEs can communicate.
# Configure Spoke-PE1.
[Spoke-PE1] ospf 1
[Spoke-PE1-ospf-1] area 0
[Spoke-PE1-ospf-1-area-0.0.0.0] network 22.1.1.0 0.0.0.255
[Spoke-PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[Spoke-PE1-ospf-1-area-0.0.0.0] quit
[Spoke-PE1-ospf-1] quit
The configurations of Hub-PE and Spoke-PE2 are similar to that of Spoke-PE1 and are not described here.
After the configuration is complete, Hub-PE and the Spoke-PEs establish OSPF neighbor relationships. Run the display ospf peer command; the neighbor state should be Full. Run the display ip routing-table command; Hub-PE and the Spoke-PEs should have learned each other's Loopback routes.
- Configure basic MPLS functions and MPLS LDP on the backbone network to establish LDP LSPs.
# Configure Hub-PE.
[Hub-PE] mpls lsr-id 2.2.2.9
[Hub-PE] mpls
[Hub-PE-mpls] label advertise non-null
[Hub-PE-mpls] quit
[Hub-PE] mpls ldp
[Hub-PE-mpls-ldp] quit
[Hub-PE] interface vlanif 10
[Hub-PE-Vlanif10] mpls
[Hub-PE-Vlanif10] mpls ldp
[Hub-PE-Vlanif10] quit
[Hub-PE] interface vlanif 20
[Hub-PE-Vlanif20] mpls
[Hub-PE-Vlanif20] mpls ldp
[Hub-PE-Vlanif20] quit
# The configurations of the Spoke-PEs are similar to that of Hub-PE (each uses its own Loopback address as the LSR ID and enables MPLS and LDP on its single backbone VLANIF interface) and are not described here.
After the configuration is complete, LDP sessions should be established between Hub-PE and the Spoke-PEs. Run the display mpls ldp session command; the Session State field should be Operational. Run the display mpls ldp lsp command to view the established LDP LSPs.
- Configure VPN instances on the PEs and connect the CEs to the PEs.
On Hub-PE, the vpn_in instance imports the VPN-target that both Spoke-PEs export (100:1), and the vpn_out instance exports a different VPN-target (200:1). On each Spoke-PE, the VPN instance imports the VPN-target that Hub-PE exports and exports the one that Hub-PE imports. Because a Spoke-PE never imports 100:1, it cannot learn the other spoke's routes directly; this asymmetry is what forces spoke-to-spoke traffic through Hub-CE.
# Configure Spoke-PE1.
[Spoke-PE1] ip vpn-instance vpna
[Spoke-PE1-vpn-instance-vpna] ipv4-family
[Spoke-PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[Spoke-PE1-vpn-instance-vpna-af-ipv4] vpn-target 100:1 export-extcommunity
[Spoke-PE1-vpn-instance-vpna-af-ipv4] vpn-target 200:1 import-extcommunity
[Spoke-PE1-vpn-instance-vpna-af-ipv4] quit
[Spoke-PE1-vpn-instance-vpna] quit
[Spoke-PE1] interface vlanif 50
[Spoke-PE1-Vlanif50] ip binding vpn-instance vpna
[Spoke-PE1-Vlanif50] ip address 100.1.1.2 24
[Spoke-PE1-Vlanif50] quit
# Configure Spoke-PE2.
[Spoke-PE2] ip vpn-instance vpna
[Spoke-PE2-vpn-instance-vpna] ipv4-family
[Spoke-PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 100:3
[Spoke-PE2-vpn-instance-vpna-af-ipv4] vpn-target 100:1 export-extcommunity
[Spoke-PE2-vpn-instance-vpna-af-ipv4] vpn-target 200:1 import-extcommunity
[Spoke-PE2-vpn-instance-vpna-af-ipv4] quit
[Spoke-PE2-vpn-instance-vpna] quit
[Spoke-PE2] interface vlanif 60
[Spoke-PE2-Vlanif60] ip binding vpn-instance vpna
[Spoke-PE2-Vlanif60] ip address 120.1.1.2 24
[Spoke-PE2-Vlanif60] quit
# Configure Hub-PE.
[Hub-PE] ip vpn-instance vpn_in
[Hub-PE-vpn-instance-vpn_in] ipv4-family
[Hub-PE-vpn-instance-vpn_in-af-ipv4] route-distinguisher 100:21
[Hub-PE-vpn-instance-vpn_in-af-ipv4] vpn-target 100:1 import-extcommunity
[Hub-PE-vpn-instance-vpn_in-af-ipv4] quit
[Hub-PE-vpn-instance-vpn_in] quit
[Hub-PE] ip vpn-instance vpn_out
[Hub-PE-vpn-instance-vpn_out] ipv4-family
[Hub-PE-vpn-instance-vpn_out-af-ipv4] route-distinguisher 100:22
[Hub-PE-vpn-instance-vpn_out-af-ipv4] vpn-target 200:1 export-extcommunity
[Hub-PE-vpn-instance-vpn_out-af-ipv4] quit
[Hub-PE-vpn-instance-vpn_out] quit
[Hub-PE] interface vlanif 30
[Hub-PE-Vlanif30] ip binding vpn-instance vpn_in
[Hub-PE-Vlanif30] ip address 110.1.1.2 24
[Hub-PE-Vlanif30] quit
[Hub-PE] interface vlanif 40
[Hub-PE-Vlanif40] ip binding vpn-instance vpn_out
[Hub-PE-Vlanif40] ip address 110.2.1.2 24
[Hub-PE-Vlanif40] quit
# Configure IP addresses for the CE interfaces. The details are not described here.
After the configuration is complete, run the display ip vpn-instance verbose command on each PE to view the VPN instance configuration. Each PE can ping the CE connected to it.
If multiple interfaces on a PE are bound to the same VPN instance, specify a source IP address when you ping the CE connected to the remote PE, that is, use the -a source-ip-address parameter of the ping -vpn-instance vpn-instance-name -a source-ip-address dest-ip-address command; otherwise, the ping may fail.
- Establish EBGP peer relationships between the PEs and CEs and import VPN routes.
The routes that Hub-CE re-advertises to Hub-PE through the vpn_out instance already carry AS 100 in their AS_PATH, so Hub-PE must allow its own AS number to appear once in received routes on that peer (allow-as-loop 1); otherwise EBGP loop detection discards them.
# Configure Spoke-CE1.
[Spoke-CE1] bgp 65410
[Spoke-CE1-bgp] peer 100.1.1.2 as-number 100
[Spoke-CE1-bgp] import-route direct
[Spoke-CE1-bgp] quit
# Configure Spoke-PE1.
[Spoke-PE1] bgp 100
[Spoke-PE1-bgp] ipv4-family vpn-instance vpna
[Spoke-PE1-bgp-vpna] peer 100.1.1.1 as-number 65410
[Spoke-PE1-bgp-vpna] import-route direct
[Spoke-PE1-bgp-vpna] quit
[Spoke-PE1-bgp] quit
# Configure Spoke-CE2.
[Spoke-CE2] bgp 65420
[Spoke-CE2-bgp] peer 120.1.1.2 as-number 100
[Spoke-CE2-bgp] import-route direct
[Spoke-CE2-bgp] quit
# Configure Spoke-PE2.
[Spoke-PE2] bgp 100
[Spoke-PE2-bgp] ipv4-family vpn-instance vpna
[Spoke-PE2-bgp-vpna] peer 120.1.1.1 as-number 65420
[Spoke-PE2-bgp-vpna] import-route direct
[Spoke-PE2-bgp-vpna] quit
[Spoke-PE2-bgp] quit
# Configure Hub-CE.
[Hub-CE] bgp 65430
[Hub-CE-bgp] peer 110.1.1.2 as-number 100
[Hub-CE-bgp] peer 110.2.1.2 as-number 100
[Hub-CE-bgp] import-route direct
[Hub-CE-bgp] quit
# Configure Hub-PE.
[Hub-PE] bgp 100
[Hub-PE-bgp] ipv4-family vpn-instance vpn_in
[Hub-PE-bgp-vpn_in] peer 110.1.1.1 as-number 65430
[Hub-PE-bgp-vpn_in] import-route direct
[Hub-PE-bgp-vpn_in] quit
[Hub-PE-bgp] ipv4-family vpn-instance vpn_out
[Hub-PE-bgp-vpn_out] peer 110.2.1.1 as-number 65430
[Hub-PE-bgp-vpn_out] peer 110.2.1.1 allow-as-loop 1
[Hub-PE-bgp-vpn_out] import-route direct
[Hub-PE-bgp-vpn_out] quit
[Hub-PE-bgp] quit
After the configuration is complete, run the display bgp vpnv4 all peer command on each PE; the BGP peer relationships between the PEs and CEs should be in the Established state.
- Establish MP-IBGP peer relationships between the Spoke-PEs and Hub-PE.
The Spoke-PEs do not need allow-as-loop, because the switch does not check the AS_PATH attribute of routes received from IBGP peers for its own AS number.
# Configure Spoke-PE1.
[Spoke-PE1] bgp 100
[Spoke-PE1-bgp] peer 2.2.2.9 as-number 100
[Spoke-PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[Spoke-PE1-bgp] ipv4-family vpnv4
[Spoke-PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
[Spoke-PE1-bgp-af-vpnv4] quit
[Spoke-PE1-bgp] quit
# Configure Spoke-PE2.
[Spoke-PE2] bgp 100
[Spoke-PE2-bgp] peer 2.2.2.9 as-number 100
[Spoke-PE2-bgp] peer 2.2.2.9 connect-interface loopback 1
[Spoke-PE2-bgp] ipv4-family vpnv4
[Spoke-PE2-bgp-af-vpnv4] peer 2.2.2.9 enable
[Spoke-PE2-bgp-af-vpnv4] quit
[Spoke-PE2-bgp] quit
# Configure Hub-PE.
[Hub-PE] bgp 100
[Hub-PE-bgp] peer 1.1.1.9 as-number 100
[Hub-PE-bgp] peer 1.1.1.9 connect-interface loopback 1
[Hub-PE-bgp] peer 3.3.3.9 as-number 100
[Hub-PE-bgp] peer 3.3.3.9 connect-interface loopback 1
[Hub-PE-bgp] ipv4-family vpnv4
[Hub-PE-bgp-af-vpnv4] peer 1.1.1.9 enable
[Hub-PE-bgp-af-vpnv4] peer 3.3.3.9 enable
[Hub-PE-bgp-af-vpnv4] quit
[Hub-PE-bgp] quit
After the configuration is complete, run the display bgp peer or display bgp vpnv4 all peer command on each PE; the BGP peer relationships between the Spoke-PEs and Hub-PE should be in the Established state.
- Verify the configuration.
After the configuration is complete, the Spoke-CEs can ping each other. A tracert between the Spoke-CEs shows that the traffic is forwarded through Hub-CE, and the TTL value in the ping replies can be used to infer the number of forwarding devices between the Spoke-CEs.
Take Spoke-CE1 as an example:
[Spoke-CE1] ping 120.1.1.1
  PING 120.1.1.1: 56  data bytes, press CTRL_C to break
    Reply from 120.1.1.1: bytes=56 Sequence=1 ttl=250 time=80 ms
    Reply from 120.1.1.1: bytes=56 Sequence=2 ttl=250 time=129 ms
    Reply from 120.1.1.1: bytes=56 Sequence=3 ttl=250 time=132 ms
    Reply from 120.1.1.1: bytes=56 Sequence=4 ttl=250 time=92 ms
    Reply from 120.1.1.1: bytes=56 Sequence=5 ttl=250 time=126 ms

  --- 120.1.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 80/111/132 ms
[Spoke-CE1] tracert 120.1.1.1
 traceroute to  120.1.1.1(120.1.1.1), max hops: 30 ,packet length: 40,press CTRL_C to break
 1 100.1.1.2 10 ms  2 ms  1 ms
 2 110.2.1.2 <AS=100> 10 ms  2 ms  2 ms
 3 110.2.1.1 <AS=100> 10 ms  2 ms  2 ms
 4 110.1.1.2 <AS=65430> 10 ms  2 ms  2 ms
 5 120.1.1.2 <AS=100> 10 ms  2 ms  2 ms
 6 120.1.1.1 <AS=100> 10 ms  2 ms  5 ms
Run the display bgp routing-table command on a Spoke-CE. The AS_PATH of the BGP route to the remote Spoke-CE contains the backbone AS number twice, because the route left AS 100 towards Hub-CE and re-entered it through the vpn_out instance.
Take Spoke-CE1 as an example:
[Spoke-CE1] display bgp routing-table

 BGP Local router ID is 100.1.1.1
 Status codes: * - valid, > - best, d - damped,
               h - history,  i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete

 Total Number of Routes: 8
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn

 *>   100.1.1.0/24       0.0.0.0        0                    0       ?
 *                       100.1.1.2      0                    0       100?
 *>   100.1.1.1/32       0.0.0.0        0                    0       ?
 *>   110.1.1.0/24       100.1.1.2                           0       100 65430?
 *>   110.2.1.0/24       100.1.1.2      0                    0       100?
 *>   120.1.1.0/24       100.1.1.2                           0       100 65430 100?
 *>   127.0.0.0          0.0.0.0        0                    0       ?
 *>   127.0.0.1/32       0.0.0.0        0                    0       ?
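The three checks in this step (Hub-CE in the trace, a doubled backbone AS in the AS_PATH, and the hop count from the reply TTL) are what prove the monitoring requirement is met, so they are worth automating against captured CLI output. The following Python is an added example for this page, not Huawei code: it parses the tracert and display bgp routing-table output shown above (embedded here as sample input) and reports whether spoke-to-spoke traffic transits the hub. The parsing functions, the fixed-width column handling, and the assumption that the remote CE sends echo replies with an initial TTL of 255 are mine, not from the page.

```python
import re

# Sample input: the Spoke-CE1 output shown above, embedded so the checks run offline.
TRACERT = """\
[Spoke-CE1] tracert 120.1.1.1
 traceroute to  120.1.1.1(120.1.1.1), max hops: 30 ,packet length: 40,press CTRL_C to break
 1 100.1.1.2 10 ms  2 ms  1 ms
 2 110.2.1.2 <AS=100> 10 ms  2 ms  2 ms
 3 110.2.1.1 <AS=100> 10 ms  2 ms  2 ms
 4 110.1.1.2 <AS=65430> 10 ms  2 ms  2 ms
 5 120.1.1.2 <AS=100> 10 ms  2 ms  2 ms
 6 120.1.1.1 <AS=100> 10 ms  2 ms  5 ms
"""

BGP_TABLE = """\
 BGP Local router ID is 100.1.1.1
 Status codes: * - valid, > - best, d - damped,
               h - history,  i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete

 Total Number of Routes: 8
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn

 *>   100.1.1.0/24       0.0.0.0        0                    0       ?
 *                       100.1.1.2      0                    0       100?
 *>   100.1.1.1/32       0.0.0.0        0                    0       ?
 *>   110.1.1.0/24       100.1.1.2                           0       100 65430?
 *>   110.2.1.0/24       100.1.1.2      0                    0       100?
 *>   120.1.1.0/24       100.1.1.2                           0       100 65430 100?
 *>   127.0.0.0          0.0.0.0        0                    0       ?
 *>   127.0.0.1/32       0.0.0.0        0                    0       ?
"""

IPV4 = r"\d+\.\d+\.\d+\.\d+"


def parse_tracert(text):
    """Return the responding address of each hop, in order."""
    hops = []
    for line in text.splitlines():
        m = re.match(rf"^\s*\d+\s+({IPV4})", line)
        if m:
            hops.append(m.group(1))
    return hops


def parse_bgp_table(text):
    """Return {prefix: [AS path as list of ints, ...]} from 'display bgp routing-table'.
    The output is fixed-width: column starts are taken from the header line, and a
    second path for the same prefix is printed with an empty Network field."""
    lines = text.splitlines()
    hdr = next(i for i, l in enumerate(lines) if "Path/Ogn" in l)
    net_col = lines[hdr].index("Network")
    nh_col = lines[hdr].index("NextHop")
    path_col = lines[hdr].index("Path/Ogn")
    routes, prefix = {}, None
    for line in lines[hdr + 1:]:
        net = re.match(rf"\s*({IPV4}(?:/\d+)?)", line[net_col:nh_col])
        if net:
            prefix = net.group(1)
        tail = line[path_col - 4:].strip()   # a little slack; PrefVal is a short field
        if prefix is None or not tail or tail[-1] not in "ie?":
            continue
        routes.setdefault(prefix, []).append([int(a) for a in tail[:-1].split()])
    return routes


def transits_hub(hops, hub_ce_addrs):
    """True if a Hub-CE interface answers somewhere before the final hop."""
    return any(h in hub_ce_addrs for h in hops[:-1])


def hub_in_every_path(paths, hub_as=65430, backbone_as=100):
    """Every path must carry the Hub-CE AS and the backbone AS exactly twice
    (once towards Hub-CE, once on the way back through vpn_out)."""
    return bool(paths) and all(hub_as in p and p.count(backbone_as) == 2 for p in paths)


def forwarding_devices(reply_ttl, initial_ttl=255):
    """Number of devices that decremented the echo reply's TTL (initial TTL 255 assumed)."""
    return initial_ttl - reply_ttl


def verify_hub_transit(tracert_text, bgp_text, remote_prefix, hub_ce_addrs, reply_ttl):
    hops = parse_tracert(tracert_text)
    paths = parse_bgp_table(bgp_text).get(remote_prefix, [])
    return {
        "hub_in_tracert": transits_hub(hops, hub_ce_addrs),
        "hub_in_as_path": hub_in_every_path(paths),
        "forwarding_devices": forwarding_devices(reply_ttl),
    }


if __name__ == "__main__":
    print(verify_hub_transit(TRACERT, BGP_TABLE, "120.1.1.0/24",
                             {"110.1.1.1", "110.2.1.1"}, 250))
```

Against the captured output, all three checks pass: 110.2.1.1 (Hub-CE) answers at hop 3, the only path to 120.1.1.0/24 is 100 65430 100, and ttl=250 corresponds to five forwarding devices (Spoke-PE1, Hub-PE twice, Hub-CE and Spoke-PE2). The same functions will report False for a prefix such as 110.2.1.0/24, whose path contains only 100, because that subnet belongs to Hub-PE itself and does not need to transit Hub-CE.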
Configuration Files
Spoke-CE1 configuration file
#
 sysname Spoke-CE1
#
vlan batch 50
#
interface Vlanif50
 ip address 100.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 50
#
bgp 65410
 peer 100.1.1.2 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 100.1.1.2 enable
#
return
Spoke-PE1 configuration file
#
 sysname Spoke-PE1
#
vlan batch 10 50
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:1
  vpn-target 100:1 export-extcommunity
  vpn-target 200:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
 label advertise non-null
#
mpls ldp
#
interface Vlanif10
 ip address 22.1.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface Vlanif50
 ip binding vpn-instance vpna
 ip address 100.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 50
#
interface GigabitEthernet2/0/2
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface LoopBack1
 ip address 1.1.1.9 255.255.255.255
#
bgp 100
 peer 2.2.2.9 as-number 100
 peer 2.2.2.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 2.2.2.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 2.2.2.9 enable
 #
 ipv4-family vpn-instance vpna
  peer 100.1.1.1 as-number 65410
  import-route direct
#
ospf 1
 area 0.0.0.0
  network 22.1.1.0 0.0.0.255
  network 1.1.1.9 0.0.0.0
#
return
Spoke-PE2 configuration file
#
 sysname Spoke-PE2
#
vlan batch 20 60
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:3
  vpn-target 100:1 export-extcommunity
  vpn-target 200:1 import-extcommunity
#
mpls lsr-id 3.3.3.9
mpls
 label advertise non-null
#
mpls ldp
#
interface Vlanif20
 ip address 11.1.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface Vlanif60
 ip binding vpn-instance vpna
 ip address 120.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 60
#
interface GigabitEthernet2/0/2
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface LoopBack1
 ip address 3.3.3.9 255.255.255.255
#
bgp 100
 peer 2.2.2.9 as-number 100
 peer 2.2.2.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 2.2.2.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 2.2.2.9 enable
 #
 ipv4-family vpn-instance vpna
  peer 120.1.1.1 as-number 65420
  import-route direct
#
ospf 1
 area 0.0.0.0
  network 3.3.3.9 0.0.0.0
  network 11.1.1.0 0.0.0.255
#
return
Spoke-CE2 configuration file
#
 sysname Spoke-CE2
#
vlan batch 60
#
interface Vlanif60
 ip address 120.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 60
#
bgp 65420
 peer 120.1.1.2 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 120.1.1.2 enable
#
return
Hub-CE configuration file
#
 sysname Hub-CE
#
vlan batch 30 40
#
interface Vlanif30
 ip address 110.1.1.1 255.255.255.0
#
interface Vlanif40
 ip address 110.2.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 30
#
interface GigabitEthernet2/0/2
 port link-type trunk
 port trunk allow-pass vlan 40
#
bgp 65430
 peer 110.1.1.2 as-number 100
 peer 110.2.1.2 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 110.2.1.2 enable
  peer 110.1.1.2 enable
#
return
Hub-PE configuration file
#
 sysname Hub-PE
#
vlan batch 10 20 30 40
#
ip vpn-instance vpn_in
 ipv4-family
  route-distinguisher 100:21
  vpn-target 100:1 import-extcommunity
#
ip vpn-instance vpn_out
 ipv4-family
  route-distinguisher 100:22
  vpn-target 200:1 export-extcommunity
#
mpls lsr-id 2.2.2.9
mpls
 label advertise non-null
#
mpls ldp
#
interface Vlanif10
 ip address 22.1.1.2 255.255.255.0
 mpls
 mpls ldp
#
interface Vlanif20
 ip address 11.1.1.2 255.255.255.0
 mpls
 mpls ldp
#
interface Vlanif30
 ip binding vpn-instance vpn_in
 ip address 110.1.1.2 255.255.255.0
#
interface Vlanif40
 ip binding vpn-instance vpn_out
 ip address 110.2.1.2 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet2/0/2
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface GigabitEthernet3/0/3
 port link-type trunk
 port trunk allow-pass vlan 30
#
interface GigabitEthernet4/0/4
 port link-type trunk
 port trunk allow-pass vlan 40
#
interface LoopBack1
 ip address 2.2.2.9 255.255.255.255
#
bgp 100
 peer 1.1.1.9 as-number 100
 peer 1.1.1.9 connect-interface LoopBack1
 peer 3.3.3.9 as-number 100
 peer 3.3.3.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 1.1.1.9 enable
  peer 3.3.3.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 1.1.1.9 enable
  peer 3.3.3.9 enable
 #
 ipv4-family vpn-instance vpn_in
  peer 110.1.1.1 as-number 65430
  import-route direct
 #
 ipv4-family vpn-instance vpn_out
  peer 110.2.1.1 as-number 65430
  peer 110.2.1.1 allow-as-loop
  import-route direct
#
ospf 1
 area 0.0.0.0
  network 2.2.2.9 0.0.0.0
  network 22.1.1.0 0.0.0.255
  network 11.1.1.0 0.0.0.255
#
return