Example for Configuring Dual Route Reflectors to Optimize the VPN Backbone Layer
Networking Requirements
To improve reliability when deploying a VPN, you can configure the VPN with dual route reflectors: two P devices in the same AS of the backbone network are selected as route reflectors that back each other up and reflect both public-network and VPNv4 routes.
As shown in Figure 2-67, PE1, PE2, RR1 and RR2 are all in backbone AS 100. CE1 and CE2 belong to vpna. RR1 and RR2 are to be selected as the reflectors, and the VPN is to be configured with dual reflectors.
Ensure that STP is disabled on the interconnecting interfaces in this scenario, and remove the interconnecting interfaces from VLAN 1 to avoid loops. In a ring network with STP enabled, building the Layer 3 network on switch VLANIF interfaces causes a port to be blocked, which prevents Layer 3 services from running normally.
| Switch | Interface | VLANIF | IP Address |
|---|---|---|---|
| PE1 | GE1/0/0 | VLANIF10 | 100.1.2.1/24 |
| PE1 | GE2/0/0 | VLANIF60 | 10.1.1.2/24 |
| PE1 | GE3/0/0 | VLANIF40 | 100.1.3.1/24 |
| PE2 | GE1/0/0 | VLANIF30 | 100.3.4.2/24 |
| PE2 | GE2/0/0 | VLANIF70 | 10.2.1.2/24 |
| PE2 | GE3/0/0 | VLANIF50 | 100.2.4.2/24 |
| RR1 | GE1/0/0 | VLANIF10 | 100.1.2.2/24 |
| RR1 | GE2/0/0 | VLANIF20 | 100.2.3.1/24 |
| RR1 | GE3/0/0 | VLANIF50 | 100.2.4.1/24 |
| RR2 | GE1/0/0 | VLANIF20 | 100.2.3.2/24 |
| RR2 | GE2/0/0 | VLANIF30 | 100.3.4.1/24 |
| RR2 | GE3/0/0 | VLANIF40 | 100.1.3.2/24 |
Configuration Roadmap
The configuration roadmap is as follows:
- Configure an IGP on the MPLS backbone network to provide IP connectivity between the backbone devices.
- Configure basic MPLS functions and MPLS LDP on the MPLS backbone network to set up MPLS LSP public-network tunnels.
- Configure VPN instances on PE1 and PE2 and connect the CEs to them. Configure the same VPN-target attributes in the VPN instances so that the VPN sites can communicate.
- Set up EBGP connections between the PEs and CEs and import the VPN routes.
- Set up MP-IBGP connections between the PEs and the RRs; no MP-IBGP connection is set up between the PEs themselves.
- Configure the same reflector cluster ID on RR1 and RR2 so that they back each other up.
- RR1 and RR2 must hold all VPNv4 routes in order to advertise them to the PEs. They must therefore accept all VPNv4 routes and must not apply VPN-target filtering to them.
In a VPN with dual reflectors, there must be at least two paths between the reflectors and the PEs that share neither a network segment nor a node; otherwise, configuring dual reflectors is pointless.
Procedure
- Configure the VLAN that each interface belongs to, and configure IP addresses for the VLANIF and Loopback interfaces, using the data shown in Figure 2-67.
# Configure PE1. The configurations of PE2, RR1, RR2, CE1 and CE2 are similar to that of PE1 and are not described here.
```
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] vlan batch 10 40 60
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] port link-type trunk
[PE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type trunk
[PE1-GigabitEthernet2/0/0] port trunk allow-pass vlan 60
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface gigabitethernet 3/0/0
[PE1-GigabitEthernet3/0/0] port link-type trunk
[PE1-GigabitEthernet3/0/0] port trunk allow-pass vlan 40
[PE1-GigabitEthernet3/0/0] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] ip address 100.1.2.1 24
[PE1-Vlanif10] quit
[PE1] interface vlanif 40
[PE1-Vlanif40] ip address 100.1.3.1 24
[PE1-Vlanif40] quit
```
- Configure an IGP on the MPLS backbone network to provide IP connectivity across the backbone.
# Configure PE1. The configurations of PE2, RR1 and RR2 are similar to that of PE1 and are not described here.
```
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 100.1.2.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 100.1.3.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
```
The Loopback interface address used as the LSR ID must be advertised.
After the configuration, the backbone devices should be able to learn each other's Loopback interface addresses.
Take the display on PE1 as an example:
```
[PE1] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 13       Routes : 15

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        1.1.1.9/32  Direct  0    0           D   127.0.0.1       LoopBack1
        2.2.2.9/32  OSPF    10   1           D   100.1.2.2       Vlanif10
        3.3.3.9/32  OSPF    10   1           D   100.1.3.2       Vlanif40
        4.4.4.9/32  OSPF    10   2           D   100.1.2.2       Vlanif10
                    OSPF    10   2           D   100.1.3.2       Vlanif40
       100.1.2.0/24 Direct  0    0           D   100.1.2.1       Vlanif10
       100.1.2.1/32 Direct  0    0           D   127.0.0.1       Vlanif10
       100.1.3.0/24 Direct  0    0           D   100.1.3.1       Vlanif40
       100.1.3.1/32 Direct  0    0           D   127.0.0.1       Vlanif40
       100.2.3.0/24 OSPF    10   2           D   100.1.3.2       Vlanif40
                    OSPF    10   2           D   100.1.2.2       Vlanif10
       100.2.4.0/24 OSPF    10   2           D   100.1.2.2       Vlanif10
       100.3.4.0/24 OSPF    10   2           D   100.1.3.2       Vlanif40
        127.0.0.0/8 Direct  0    0           D   127.0.0.1       InLoopBack0
       127.0.0.1/32 Direct  0    0           D   127.0.0.1       InLoopBack0
```
- Configure basic MPLS functions and MPLS LDP on the MPLS backbone network to set up LDP LSPs.
# Configure PE1. The configurations of PE2, RR1 and RR2 are similar to that of PE1 and are not described here.
```
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] mpls
[PE1-Vlanif10] mpls ldp
[PE1-Vlanif10] quit
[PE1] interface vlanif 40
[PE1-Vlanif40] mpls
[PE1-Vlanif40] mpls ldp
[PE1-Vlanif40] quit
```
After the configuration, run the display mpls ldp session command on each PE and RR; the Status field in the output should be "Operational".
Take the displays on PE1 and RR1 as examples:
```
[PE1] display mpls ldp session

 LDP Session(s) in Public Network
 Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
 A '*' before a session means the session is being deleted.
 ------------------------------------------------------------------------------
 PeerID             Status      LAM  SsnRole  SsnAge      KASent/Rcv
 ------------------------------------------------------------------------------
 2.2.2.9:0          Operational DU   Passive  0000:00:01  8/8
 3.3.3.9:0          Operational DU   Passive  0000:00:00  4/4
 ------------------------------------------------------------------------------
 TOTAL: 2 session(s) Found.
```
```
[RR1] display mpls ldp session

 LDP Session(s) in Public Network
 Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
 A '*' before a session means the session is being deleted.
 ------------------------------------------------------------------------------
 PeerID             Status      LAM  SsnRole  SsnAge      KASent/Rcv
 ------------------------------------------------------------------------------
 1.1.1.9:0          Operational DU   Active   000:00:02   11/11
 3.3.3.9:0          Operational DU   Passive  000:00:01   8/8
 4.4.4.9:0          Operational DU   Passive  000:00:00   4/4
 ------------------------------------------------------------------------------
 TOTAL: 3 session(s) Found.
```
- Configure VPN instances on the PEs.
# Configure PE1. The configuration of PE2 is similar to that of PE1 and is not described here.
```
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] ipv4-family
[PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 1:1 both
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] interface vlanif 60
[PE1-Vlanif60] ip binding vpn-instance vpna
[PE1-Vlanif60] ip address 10.1.1.2 24
[PE1-Vlanif60] quit
```
- Set up EBGP peer relationships between the PEs and CEs and import the VPN routes.
# Configure CE1. The configuration of CE2 is similar to that of CE1 and is not described here.
```
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] quit
```
# Configure PE1. The configuration of PE2 is similar to that of PE1 and is not described here.
```
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] quit
```
- Set up MP-IBGP peer relationships between the PEs and the reflectors.
# Configure PE1. The configuration of PE2 is similar to that of PE1 and is not described here.
```
[PE1] bgp 100
[PE1-bgp] peer 2.2.2.9 as-number 100
[PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[PE1-bgp] peer 3.3.3.9 as-number 100
[PE1-bgp] peer 3.3.3.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
[PE1-bgp-af-vpnv4] peer 3.3.3.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit
```
# Configure RR1.
```
[RR1] bgp 100
[RR1-bgp] group rr1 internal
[RR1-bgp] peer rr1 connect-interface loopback 1
[RR1-bgp] peer 1.1.1.9 group rr1
[RR1-bgp] peer 3.3.3.9 group rr1
[RR1-bgp] peer 4.4.4.9 group rr1
[RR1-bgp] ipv4-family vpnv4
[RR1-bgp-af-vpnv4] peer rr1 enable
[RR1-bgp-af-vpnv4] peer 1.1.1.9 group rr1
[RR1-bgp-af-vpnv4] peer 3.3.3.9 group rr1
[RR1-bgp-af-vpnv4] peer 4.4.4.9 group rr1
[RR1-bgp-af-vpnv4] quit
[RR1-bgp] quit
```
# Configure RR2.
```
[RR2] bgp 100
[RR2-bgp] group rr2 internal
[RR2-bgp] peer rr2 connect-interface loopback 1
[RR2-bgp] peer 1.1.1.9 group rr2
[RR2-bgp] peer 2.2.2.9 group rr2
[RR2-bgp] peer 4.4.4.9 group rr2
[RR2-bgp] ipv4-family vpnv4
[RR2-bgp-af-vpnv4] peer rr2 enable
[RR2-bgp-af-vpnv4] peer 1.1.1.9 group rr2
[RR2-bgp-af-vpnv4] peer 2.2.2.9 group rr2
[RR2-bgp-af-vpnv4] peer 4.4.4.9 group rr2
[RR2-bgp-af-vpnv4] quit
[RR2-bgp] quit
```
After this step, run the display bgp vpnv4 all peer command on the PEs. The output shows that the IBGP peer relationships between the PEs and the reflectors have been set up and are in the "Established" state, and that the EBGP peer relationships between the PEs and CEs have also been established.
Take the display on PE1 as an example.
```
[PE1] display bgp vpnv4 all peer
 BGP local router ID : 1.1.1.9
 Local AS number : 100
 Total number of peers : 3                 Peers in established state : 3

  Peer            V          AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv
  2.2.2.9         4         100        2        4     0 00:00:31 Established       0
  3.3.3.9         4         100        3        5     0 00:01:23 Established       0

 Peer of IPv4-family for vpn instance :

 VPN-Instance vpna, Router ID 1.1.1.9:
  10.1.1.1        4       65410       79       82     0 01:13:29 Established       0
```
- Configure the reflection function on RR1 and RR2.
# Configure RR1.
```
[RR1] bgp 100
[RR1-bgp] ipv4-family vpnv4
[RR1-bgp-af-vpnv4] reflector cluster-id 100
[RR1-bgp-af-vpnv4] peer rr1 reflect-client
[RR1-bgp-af-vpnv4] undo policy vpn-target
[RR1-bgp-af-vpnv4] quit
[RR1-bgp] quit
```
# Configure RR2.
```
[RR2] bgp 100
[RR2-bgp] ipv4-family vpnv4
[RR2-bgp-af-vpnv4] reflector cluster-id 100
[RR2-bgp-af-vpnv4] peer rr2 reflect-client
[RR2-bgp-af-vpnv4] undo policy vpn-target
[RR2-bgp-af-vpnv4] quit
[RR2-bgp] quit
```
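The reflection step above and the roadmap items on a shared cluster ID and disabled VPN-target filtering are easy to get wrong on one of the two reflectors, which silently turns the design back into a single point of failure. The following Python script is an added example, not part of this guide or of the device software: it parses the vpnv4 address-family excerpts of the RR1 and RR2 configuration files (excerpts constructed from the files shown on this page) and reports any deviation from the dual-reflector invariants.

```python
import re

# Constructed excerpts of the vpnv4 address family taken from this page's RR1/RR2 configuration files.
RR1 = """bgp 100
 ipv4-family vpnv4
  reflector cluster-id 100
  undo policy vpn-target
  peer rr1 enable
  peer rr1 reflect-client
  peer 1.1.1.9 enable
  peer 3.3.3.9 enable
  peer 4.4.4.9 enable
 #
"""
RR2 = RR1.replace("rr1", "rr2").replace("3.3.3.9", "2.2.2.9")
PE_LOOPBACKS = ("1.1.1.9", "4.4.4.9")  # PE1 and PE2 loopbacks from the page

def vpnv4_block(cfg):
    """Return the body of the 'ipv4-family vpnv4' section, up to the next '#' separator."""
    m = re.search(r"ipv4-family vpnv4\n(.*?)(?:\n\s*#|\Z)", cfg, re.S)
    return m.group(1) if m else ""

def rr_facts(cfg):
    """Extract the settings the dual-reflector design depends on."""
    blk = vpnv4_block(cfg)
    cid = re.search(r"reflector cluster-id (\S+)", blk)
    return {
        "cluster_id": cid.group(1) if cid else None,
        "rt_filter_disabled": "undo policy vpn-target" in blk,
        "enabled_peers": set(re.findall(r"peer (\S+) enable", blk)),
        "clients": set(re.findall(r"peer (\S+) reflect-client", blk)),
    }

def check_dual_rr(rr_cfgs, pe_loopbacks=PE_LOOPBACKS):
    """Return a list of findings; an empty list means the invariants hold."""
    facts = {name: rr_facts(cfg) for name, cfg in rr_cfgs.items()}
    findings = []
    ids = {f["cluster_id"] for f in facts.values()}
    if None in ids or len(ids) != 1:  # both RRs must share one cluster-id
        findings.append(f"cluster-id mismatch or missing: {sorted(map(str, ids))}")
    for name, f in facts.items():
        if not f["rt_filter_disabled"]:  # an RR must keep every VPNv4 route
            findings.append(f"{name}: vpn-target filtering still on (needs 'undo policy vpn-target')")
        if not f["clients"]:
            findings.append(f"{name}: no reflect-client configured")
        for pe in pe_loopbacks:  # every PE must be a VPNv4 peer of every RR
            if pe not in f["enabled_peers"]:
                findings.append(f"{name}: PE {pe} not enabled in the vpnv4 address family")
    return findings
```

Running check_dual_rr({"RR1": RR1, "RR2": RR2}) on the page's configuration returns an empty list; changing RR2's cluster ID or dropping its undo policy vpn-target line produces a finding naming the device.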
- Verify the configuration.
Check the VPN routing table on the PEs: routes to the remote CEs are present.
Take the display on PE1 as an example:
```
[PE1] display ip routing-table vpn-instance vpna
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpna
         Destinations : 3        Routes : 3

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

       10.1.1.0/24  Direct  0    0           D   10.1.1.2        Vlanif60
       10.1.1.2/32  Direct  0    0           D   127.0.0.1       Vlanif60
       10.2.1.0/24  IBGP    255  0          RD   4.4.4.9         Vlanif10
```
CE1 and CE2 can ping each other, which indicates that the reflector configuration succeeded.
After you run the shutdown command in the interface views of VLANIF40 on PE1 and VLANIF50 on PE2, CE1 and CE2 can still ping each other, which indicates that the dual-reflector configuration succeeded.
Configuration Files
PE1 configuration file
```
#
sysname PE1
#
vlan batch 10 40 60
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:1
  vpn-target 1:1 export-extcommunity
  vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Vlanif10
 ip address 100.1.2.1 255.255.255.0
 mpls
 mpls ldp
#
interface Vlanif40
 ip address 100.1.3.1 255.255.255.0
 mpls
 mpls ldp
#
interface Vlanif60
 ip binding vpn-instance vpna
 ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 60
#
interface GigabitEthernet3/0/0
 port link-type trunk
 port trunk allow-pass vlan 40
#
interface LoopBack1
 ip address 1.1.1.9 255.255.255.255
#
bgp 100
 peer 2.2.2.9 as-number 100
 peer 2.2.2.9 connect-interface LoopBack1
 peer 3.3.3.9 as-number 100
 peer 3.3.3.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 2.2.2.9 enable
  peer 3.3.3.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 2.2.2.9 enable
  peer 3.3.3.9 enable
 #
 ipv4-family vpn-instance vpna
  import-route direct
  peer 10.1.1.1 as-number 65410
#
ospf 1
 area 0.0.0.0
  network 1.1.1.9 0.0.0.0
  network 100.1.2.0 0.0.0.255
  network 100.1.3.0 0.0.0.255
#
return
```
RR1 configuration file
```
#
sysname RR1
#
vlan batch 10 20 50
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif10
 ip address 100.1.2.2 255.255.255.0
 mpls
 mpls ldp
#
interface Vlanif20
 ip address 100.2.3.1 255.255.255.0
 mpls
 mpls ldp
#
interface Vlanif50
 ip address 100.2.4.1 255.255.255.0
 mpls
 mpls ldp
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface GigabitEthernet3/0/0
 port link-type trunk
 port trunk allow-pass vlan 50
#
interface LoopBack1
 ip address 2.2.2.9 255.255.255.255
#
bgp 100
 group rr1 internal
 peer rr1 connect-interface LoopBack1
 peer 1.1.1.9 as-number 100
 peer 1.1.1.9 group rr1
 peer 3.3.3.9 as-number 100
 peer 3.3.3.9 group rr1
 peer 4.4.4.9 as-number 100
 peer 4.4.4.9 group rr1
 #
 ipv4-family unicast
  undo synchronization
  peer rr1 enable
  peer 1.1.1.9 enable
  peer 1.1.1.9 group rr1
  peer 3.3.3.9 enable
  peer 3.3.3.9 group rr1
  peer 4.4.4.9 enable
  peer 4.4.4.9 group rr1
 #
 ipv4-family vpnv4
  reflector cluster-id 100
  undo policy vpn-target
  peer rr1 enable
  peer rr1 reflect-client
  peer 1.1.1.9 enable
  peer 1.1.1.9 group rr1
  peer 3.3.3.9 enable
  peer 3.3.3.9 group rr1
  peer 4.4.4.9 enable
  peer 4.4.4.9 group rr1
#
ospf 1
 area 0.0.0.0
  network 2.2.2.9 0.0.0.0
  network 100.1.2.0 0.0.0.255
  network 100.2.3.0 0.0.0.255
  network 100.2.4.0 0.0.0.255
#
return
```
RR2 configuration file
```
#
sysname RR2
#
vlan batch 20 30 40
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface Vlanif20
 ip address 100.2.3.2 255.255.255.0
 mpls
 mpls ldp
#
interface Vlanif30
 ip address 100.3.4.1 255.255.255.0
 mpls
 mpls ldp
#
interface Vlanif40
 ip address 100.1.3.2 255.255.255.0
 mpls
 mpls ldp
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 30
#
interface GigabitEthernet3/0/0
 port link-type trunk
 port trunk allow-pass vlan 40
#
interface LoopBack1
 ip address 3.3.3.9 255.255.255.255
#
bgp 100
 group rr2 internal
 peer rr2 connect-interface LoopBack1
 peer 1.1.1.9 as-number 100
 peer 1.1.1.9 group rr2
 peer 2.2.2.9 as-number 100
 peer 2.2.2.9 group rr2
 peer 4.4.4.9 as-number 100
 peer 4.4.4.9 group rr2
 #
 ipv4-family unicast
  undo synchronization
  peer rr2 enable
  peer 1.1.1.9 enable
  peer 1.1.1.9 group rr2
  peer 2.2.2.9 enable
  peer 2.2.2.9 group rr2
  peer 4.4.4.9 enable
  peer 4.4.4.9 group rr2
 #
 ipv4-family vpnv4
  reflector cluster-id 100
  undo policy vpn-target
  peer rr2 enable
  peer rr2 reflect-client
  peer 1.1.1.9 enable
  peer 1.1.1.9 group rr2
  peer 2.2.2.9 enable
  peer 2.2.2.9 group rr2
  peer 4.4.4.9 enable
  peer 4.4.4.9 group rr2
#
ospf 1
 area 0.0.0.0
  network 3.3.3.9 0.0.0.0
  network 100.1.3.0 0.0.0.255
  network 100.2.3.0 0.0.0.255
  network 100.3.4.0 0.0.0.255
#
return
```
PE2 configuration file
```
#
sysname PE2
#
vlan batch 30 50 70
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:1
  vpn-target 1:1 export-extcommunity
  vpn-target 1:1 import-extcommunity
#
mpls lsr-id 4.4.4.9
mpls
#
mpls ldp
#
interface Vlanif30
 ip address 100.3.4.2 255.255.255.0
 mpls
 mpls ldp
#
interface Vlanif50
 ip address 100.2.4.2 255.255.255.0
 mpls
 mpls ldp
#
interface Vlanif70
 ip binding vpn-instance vpna
 ip address 10.2.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 30
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 70
#
interface GigabitEthernet3/0/0
 port link-type trunk
 port trunk allow-pass vlan 50
#
interface LoopBack1
 ip address 4.4.4.9 255.255.255.255
#
bgp 100
 peer 2.2.2.9 as-number 100
 peer 2.2.2.9 connect-interface LoopBack1
 peer 3.3.3.9 as-number 100
 peer 3.3.3.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 2.2.2.9 enable
  peer 3.3.3.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 2.2.2.9 enable
  peer 3.3.3.9 enable
 #
 ipv4-family vpn-instance vpna
  import-route direct
  peer 10.2.1.1 as-number 65420
#
ospf 1
 area 0.0.0.0
  network 4.4.4.9 0.0.0.0
  network 100.2.4.0 0.0.0.255
  network 100.3.4.0 0.0.0.255
#
return
```
CE1 configuration file
```
#
sysname CE1
#
vlan batch 60
#
interface Vlanif60
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 60
#
bgp 65410
 peer 10.1.1.2 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  peer 10.1.1.2 enable
#
return
```
CE2 configuration file
```
#
sysname CE2
#
vlan batch 70
#
interface Vlanif70
 ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 70
#
bgp 65420
 peer 10.2.1.2 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  peer 10.2.1.2 enable
#
return
```