Example for Configuring BGP/MPLS IP VPN with Overlapping Address Spaces
Networking Requirements
- CE1 connects the R&D area of the company headquarters and CE2 connects the R&D area of the branch office; CE1 and CE2 belong to vpna.
- CE3 connects the non-R&D area of the company headquarters and CE4 connects the non-R&D area of the branch office; CE3 and CE4 belong to vpnb.
- The R&D and non-R&D areas overlap in address space: at headquarters both areas use 10.1.1.0/24, and at the branch office both use 10.2.1.0/24.
The enterprise wants headquarters and the branch office to communicate securely, and the R&D and non-R&D areas to stay isolated from each other, without changing the existing network deployment.
Background Information
Configure BGP/MPLS IP VPN as follows:
- Configure OSPF between the P and the PEs to provide IP connectivity on the backbone.
- Configure basic MPLS and MPLS LDP on the PEs and the P to set up MPLS LSP public tunnels that carry the VPN traffic.
- Configure MP-IBGP between PE1 and PE2 to exchange VPN routes.
- Configure VPN instances on PE1 and PE2. Each instance gets its own route distinguisher (RD) (100:100 and 200:200 for vpna, 300:300 and 400:400 for vpnb), so the overlapping customer prefixes are carried across the backbone as distinct VPNv4 routes rather than colliding. The VPN target is 100:100 for vpna and 200:200 for vpnb, so each instance imports only routes of its own VPN: members of the same VPN can communicate and different VPNs stay isolated. The interfaces connected to the CEs are bound to the corresponding VPN instances to admit the VPN users.
- Configure static routes between the CEs and the PEs to exchange VPN routes.
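The RD and VPN target mechanics above are what keep the overlapping prefixes apart, so the following Python model is added here to make them concrete; it is an example written for this page, not device software. It builds the four VPN instances of this example with the RDs, VPN targets and customer prefixes listed in the configuration files, simulates the MP-IBGP VPNv4 exchange with import filtering by VPN target, and shows two failure modes: a hypothetical misconfiguration that gives vpnb on PE2 an extra import target of 100:100, which makes it install vpna's 10.1.1.0/24 beside its own, and reusing one RD for both instances on PE1, which makes the two 10.1.1.0/24 routes indistinguishable as VPNv4 routes. The names `Vpnv4Route`, `Vrf`, `distribute`, `build`, `leaks` and `rd_collision` belong to the example only.

```python
"""Model of how RD and RT keep overlapping VPN prefixes apart in a BGP/MPLS IP VPN.

Added example for this page; it is not device software. The topology, RDs, VPN
targets and prefixes are the ones used in this configuration example.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network


@dataclass(frozen=True)
class Vpnv4Route:
    """One VPNv4 NLRI: RD + IPv4 prefix, carried with the exporting VRF's targets."""
    rd: str
    prefix: IPv4Network
    export_rts: frozenset
    origin_pe: str
    origin_vrf: str


@dataclass
class Vrf:
    pe: str
    name: str
    rd: str
    import_rts: frozenset
    export_rts: frozenset
    connected: list                            # prefixes from "import-route direct"
    table: dict = field(default_factory=dict)  # prefix -> [(pe, vrf, rd), ...] candidates

    def export(self):
        return [Vpnv4Route(self.rd, p, self.export_rts, self.pe, self.name)
                for p in self.connected]

    def accept(self, route):
        """Target filtering: install a route only if it carries one of our import targets."""
        if not (self.import_rts & route.export_rts):
            return False
        self.table.setdefault(str(route.prefix), []).append(
            (route.origin_pe, route.origin_vrf, route.rd))
        return True


def distribute(vrfs):
    """Simulate the MP-IBGP VPNv4 exchange between PEs and return each VRF's table."""
    routes = [r for v in vrfs for r in v.export()]
    # The RD is what makes 10.1.1.0/24 of vpna and 10.1.1.0/24 of vpnb distinct NLRIs.
    if len({(r.rd, r.prefix) for r in routes}) != len(routes):
        raise ValueError("RD collision: two VPNv4 routes are indistinguishable")
    for v in vrfs:
        for r in routes:
            if r.origin_pe != v.pe:          # local prefixes come from the VRF itself
                v.accept(r)
    return {(v.pe, v.name): v.table for v in vrfs}


def build(vpnb_pe2_import=frozenset({"200:200"})):
    """The four VPN instances of this example; the parameter injects a misconfiguration."""
    n = IPv4Network
    return [
        Vrf("PE1", "vpna", "100:100", frozenset({"100:100"}), frozenset({"100:100"}), [n("10.1.1.0/24")]),
        Vrf("PE1", "vpnb", "300:300", frozenset({"200:200"}), frozenset({"200:200"}), [n("10.1.1.0/24")]),
        Vrf("PE2", "vpna", "200:200", frozenset({"100:100"}), frozenset({"100:100"}), [n("10.2.1.0/24")]),
        Vrf("PE2", "vpnb", "400:400", vpnb_pe2_import, frozenset({"200:200"}), [n("10.2.1.0/24")]),
    ]


def leaks(tables):
    """Routes a VRF installed from a VRF of the other VPN, i.e. cross-VPN leakage."""
    return sorted((pe, vrf, prefix, opr, ovrf)
                  for (pe, vrf), table in tables.items()
                  for prefix, cands in table.items()
                  for opr, ovrf, _ in cands if ovrf != vrf)


def rd_collision():
    """Hypothetical mistake: vpnb on PE1 reuses vpna's RD 100:100."""
    vrfs = build()
    vrfs[1].rd = "100:100"
    try:
        distribute(vrfs)
    except ValueError as err:
        return str(err)
    return None


if __name__ == "__main__":
    good = distribute(build())
    print("PE1 vpna:", good[("PE1", "vpna")], "leaks:", leaks(good))
    bad = distribute(build(vpnb_pe2_import=frozenset({"200:200", "100:100"})))
    print("PE2 vpnb:", bad[("PE2", "vpnb")], "leaks:", leaks(bad))
    print(rd_collision())
```

With the targets as configured, each instance on PE1 learns exactly one 10.2.1.0/24 route, from the instance of the same VPN on PE2. With the extra import target, vpnb on PE2 holds two candidates for 10.1.1.0/24 carried under different RDs; a real PE would run best-path selection and install one of them, so vpnb would silently route to either its own or vpna's hosts. The RD check is the reason the instances on one PE must never share an RD when their prefixes overlap.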
Procedure
- Configure the VLAN that each interface belongs to, and assign IP addresses to the VLANIF interfaces and loopback interfaces, using the data shown in Figure 2-52.
# Configure PE1. The configurations of PE2, P, CE1, CE2, CE3 and CE4 are similar and are not shown here.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] interface loopback 0
[PE1-LoopBack0] ip address 1.1.1.9 32
[PE1-LoopBack0] quit
[PE1] vlan batch 10 100 101
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] port link-type trunk
[PE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type trunk
[PE1-GigabitEthernet2/0/0] port trunk allow-pass vlan 100
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface gigabitethernet 3/0/0
[PE1-GigabitEthernet3/0/0] port link-type trunk
[PE1-GigabitEthernet3/0/0] port trunk allow-pass vlan 101
[PE1-GigabitEthernet3/0/0] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] ip address 12.1.1.1 24
[PE1-Vlanif10] quit
- Configure OSPF on the MPLS backbone so that the PEs and the P can communicate.
# Configure PE1.
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 12.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure P.
[P] ospf
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[P-ospf-1-area-0.0.0.0] network 12.1.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 23.1.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 23.1.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
After the configuration, OSPF neighbor relationships should be established between PE1, P and PE2. Run the display ospf peer command and check that the neighbor state is Full. Run the display ip routing-table command and check that each PE has learned the Loopback0 route of the other PE; these loopback routes are what the LDP LSPs and the MP-IBGP session in the following steps are built on.
Take the display on PE1 as an example:
[PE1] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        1.1.1.9/32  Direct  0    0           D   127.0.0.1       LoopBack0
        2.2.2.9/32  OSPF    10   1           D   12.1.1.2        Vlanif10
        3.3.3.9/32  OSPF    10   2           D   12.1.1.2        Vlanif10
       12.1.1.0/24  Direct  0    0           D   12.1.1.1        Vlanif10
       12.1.1.1/32  Direct  0    0           D   127.0.0.1       Vlanif10
       23.1.1.0/24  OSPF    10   2           D   12.1.1.2        Vlanif10
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
- Configure basic MPLS and MPLS LDP on the MPLS backbone to set up LDP LSPs.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] mpls
[PE1-Vlanif10] mpls ldp
[PE1-Vlanif10] quit
# Configure P.
[P] mpls lsr-id 2.2.2.9
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 10
[P-Vlanif10] mpls
[P-Vlanif10] mpls ldp
[P-Vlanif10] quit
[P] interface vlanif 20
[P-Vlanif20] mpls
[P-Vlanif20] mpls ldp
[P-Vlanif20] quit
# Configure PE2.
[PE2] mpls lsr-id 3.3.3.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 20
[PE2-Vlanif20] mpls
[PE2-Vlanif20] mpls ldp
[PE2-Vlanif20] quit
After the configuration, LDP sessions should be established between PE1 and P and between P and PE2. Run the display mpls ldp session command and check that the Status field shows Operational. Run the display mpls ldp lsp command to view the LDP LSPs; each PE needs an established LSP to the other PE's LSR ID, because VPN traffic is only forwarded between the PEs inside that tunnel.
Take the display on PE1 as an example:
[PE1] display mpls ldp session
 LDP Session(s) in Public Network
 Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
 A '*' before a session means the session is being deleted.
 ------------------------------------------------------------------------------
 PeerID             Status      LAM  SsnRole  SsnAge      KASent/Rcv
 ------------------------------------------------------------------------------
 2.2.2.9:0          Operational DU   Passive  0000:00:01  6/6
 ------------------------------------------------------------------------------
 TOTAL: 1 session(s) Found.
[PE1] display mpls ldp lsp
 LDP LSP Information
 -------------------------------------------------------------------------------
 Flag after Out IF: (I) - LSP Is Only Iterated by RLFA
 -------------------------------------------------------------------------------
 DestAddress/Mask   In/OutLabel    UpstreamPeer   NextHop         OutInterface
 -------------------------------------------------------------------------------
 1.1.1.9/32         3/NULL         2.2.2.9        127.0.0.1       InLoop0
 *1.1.1.9/32        Liberal/1024   DS/2.2.2.9
 2.2.2.9/32         NULL/3         -              12.1.1.2        Vlanif10
 2.2.2.9/32         1024/3         2.2.2.9        12.1.1.2        Vlanif10
 3.3.3.9/32         NULL/1025      -              12.1.1.2        Vlanif10
 3.3.3.9/32         1025/1025      2.2.2.9        12.1.1.2        Vlanif10
 -------------------------------------------------------------------------------
 TOTAL: 5 Normal LSP(s) Found.
 TOTAL: 1 Liberal LSP(s) Found.
 TOTAL: 0 Frr LSP(s) Found.
 A '*' before an LSP means the LSP is not established
 A '*' before a Label means the USCB or DSCB is stale
 A '*' before a UpstreamPeer means the session is stale
 A '*' before a DS means the session is stale
 A '*' before a NextHop means the LSP is FRR LSP
- Configure VPN instances on the PEs and connect the CEs to the PEs.
# Configure PE1. Note that ip binding vpn-instance must be configured before the IP address, because binding an interface to a VPN instance removes any Layer 3 configuration already on that interface. Vlanif100 and Vlanif101 both use 10.1.1.1/24; this is only possible because each belongs to a different VPN instance with its own routing table.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] ipv4-family
[PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:100
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 100:100 export-extcommunity
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 100:100 import-extcommunity
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] ipv4-family
[PE1-vpn-instance-vpnb-af-ipv4] route-distinguisher 300:300
[PE1-vpn-instance-vpnb-af-ipv4] vpn-target 200:200 export-extcommunity
[PE1-vpn-instance-vpnb-af-ipv4] vpn-target 200:200 import-extcommunity
[PE1-vpn-instance-vpnb-af-ipv4] quit
[PE1-vpn-instance-vpnb] quit
[PE1] interface vlanif 100
[PE1-Vlanif100] ip binding vpn-instance vpna
[PE1-Vlanif100] ip address 10.1.1.1 255.255.255.0
[PE1-Vlanif100] quit
[PE1] interface vlanif 101
[PE1-Vlanif101] ip binding vpn-instance vpnb
[PE1-Vlanif101] ip address 10.1.1.1 255.255.255.0
[PE1-Vlanif101] quit
# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] ipv4-family
[PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 200:200
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 100:100 export-extcommunity
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 100:100 import-extcommunity
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit
[PE2] ip vpn-instance vpnb
[PE2-vpn-instance-vpnb] ipv4-family
[PE2-vpn-instance-vpnb-af-ipv4] route-distinguisher 400:400
[PE2-vpn-instance-vpnb-af-ipv4] vpn-target 200:200 export-extcommunity
[PE2-vpn-instance-vpnb-af-ipv4] vpn-target 200:200 import-extcommunity
[PE2-vpn-instance-vpnb-af-ipv4] quit
[PE2-vpn-instance-vpnb] quit
[PE2] interface vlanif 100
[PE2-Vlanif100] ip binding vpn-instance vpna
[PE2-Vlanif100] ip address 10.2.1.1 255.255.255.0
[PE2-Vlanif100] quit
[PE2] interface vlanif 101
[PE2-Vlanif101] ip binding vpn-instance vpnb
[PE2-Vlanif101] ip address 10.2.1.1 255.255.255.0
[PE2-Vlanif101] quit
# Configure the interface IP addresses of each CE according to Figure 2-52. The procedure is not shown.
After the configuration, run the display ip vpn-instance verbose command on the PEs to view the VPN instance configuration. Each PE can ping the CEs connected to it. The ping must name the VPN instance (-vpn-instance): the CE addresses do not exist in the public routing table, and because vpna and vpnb use the same addresses, the instance name is the only thing that identifies which CE is meant.
Take PE1 and CE1 as an example:
[PE1] display ip vpn-instance verbose
 Total VPN-Instances configured      : 2
 Total IPv4 VPN-Instances configured : 2
 Total IPv6 VPN-Instances configured : 0

 VPN-Instance Name and ID : vpna, 1
  Interfaces : Vlanif100
 Address family ipv4
  Create date : 2014-11-03 02:39:34+00:00
  Up time : 0 days, 22 hours, 24 minutes and 53 seconds
  Route Distinguisher : 100:100
  Export VPN Targets : 100:100
  Import VPN Targets : 100:100
  Label Policy : label per instance
  Per-Instance Label : 4098
  Log Interval : 5

 VPN-Instance Name and ID : vpnb, 2
  Interfaces : Vlanif101
 Address family ipv4
  Create date : 2014-11-03 02:39:34+00:00
  Up time : 0 days, 22 hours, 24 minutes and 53 seconds
  Route Distinguisher : 300:300
  Export VPN Targets : 200:200
  Import VPN Targets : 200:200
  Label Policy : label per instance
  Per-Instance Label : 4098
  Log Interval : 5
[PE1] ping -vpn-instance vpna 10.1.1.2
  PING 10.1.1.2: 56  data bytes, press CTRL_C to break
    Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=255 time=5 ms
    Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=255 time=3 ms
    Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=255 time=3 ms
    Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=255 time=3 ms
    Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=255 time=16 ms

  --- 10.1.1.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 3/6/16 ms
- Establish MP-IBGP peer relationships between the PEs.
# Configure PE1. The VPNv4 address family carries the VPN routes; the import-route direct command in each VPN instance address family redistributes the connected CE subnets (10.1.1.0/24 on PE1) into BGP so that they are advertised to the remote PE with the instance's RD and VPN target.
[PE1] bgp 100
[PE1-bgp] peer 3.3.3.9 as-number 100
[PE1-bgp] peer 3.3.3.9 connect-interface loopback0
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 3.3.3.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] ipv4-family vpn-instance vpnb
[PE1-bgp-vpnb] import-route direct
[PE1-bgp-vpnb] quit
[PE1-bgp] quit
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback0
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] ipv4-family vpn-instance vpna
[PE2-bgp-vpna] import-route direct
[PE2-bgp-vpna] quit
[PE2-bgp] ipv4-family vpn-instance vpnb
[PE2-bgp-vpnb] import-route direct
[PE2-bgp-vpnb] quit
[PE2-bgp] quit
After the configuration, run the display bgp peer command on the PEs and check that the BGP peer relationship between the PEs has been established and is in the Established state.
[PE1] display bgp peer
 BGP local router ID : 1.1.1.9
 Local AS number : 100
 Total number of peers : 1                 Peers in established state : 1

  Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State  PrefRcv
  3.3.3.9         4   100        3        3     0 00:01:08 Established       0
- Configure static routes on CE1, CE2, CE3 and CE4 to the PEs they are connected to.
# Configure CE1. The configurations of CE2, CE3 and CE4 are similar and are not shown. Each CE simply points its default route at the PE interface in its own VLAN; the CE is unaware that the same gateway address is also in use by the other VPN.
[CE1] ip route-static 0.0.0.0 0.0.0.0 vlanif 100 10.1.1.1
- Verify the configuration.
Run the display ip routing-table vpn-instance command on the PEs to view the route to the remote CE. Both instances show the same destination 10.2.1.0/24 with the same next hop 3.3.3.9, but in separate routing tables; the two entries were learned from different VPNv4 routes (RD 200:200 and RD 400:400) and are forwarded with different VPN labels.
Take the display on PE1 as an example:
[PE1] display ip routing-table vpn-instance vpna
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpna
         Destinations : 3        Routes : 3

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

       10.1.1.0/24  Direct  0    0           D   10.1.1.1        Vlanif100
       10.1.1.1/32  Direct  0    0           D   127.0.0.1       Vlanif100
       10.2.1.0/24  IBGP    255  0          RD   3.3.3.9         Vlanif10
[PE1] display ip routing-table vpn-instance vpnb
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpnb
         Destinations : 3        Routes : 3

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

       10.1.1.0/24  Direct  0    0           D   10.1.1.1        Vlanif101
       10.1.1.1/32  Direct  0    0           D   127.0.0.1       Vlanif101
       10.2.1.0/24  IBGP    255  0          RD   3.3.3.9         Vlanif10
On CE1, ping CE2 at 10.2.1.2; the ping succeeds. Then run the display interface command on PE2 to view the packet counters of GE1/0/0 (VLAN 100, vpna, towards CE2) and GE3/0/0 (VLAN 101, vpnb, towards CE4): GE1/0/0 shows packets passing and GE3/0/0 shows none. CE2 and CE4 use the same address, but the traffic reaches only the CE in the same VPN, which shows that the two VPNs are isolated despite the overlapping address space. For a complete check, repeat the ping from CE3 (which also uses 10.1.1.2) to 10.2.1.2: now only the GE3/0/0 counters increase. Running display bgp vpnv4 all routing-table on a PE also shows that the two 10.2.1.0/24 routes are distinct VPNv4 routes under RDs 200:200 and 400:400 rather than one route shared by both instances.
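The counter check above demonstrates isolation for one flow. The following Python audit, added for this page and not taken from the device, checks the configuration itself for the properties that isolation depends on. It parses the ip vpn-instance and interface stanzas of a VRP-style configuration file (the relevant part of the PE1 configuration file from this example is embedded as constructed sample text) and reports a VPN instance that imports a VPN target another instance exports, two instances sharing an RD, overlapping subnets bound to the same instance, and a binding to an instance that is not defined. The three variants `LEAK_CONF`, `DUP_RD_CONF` and `SAME_VRF_CONF` are hypothetical mistakes derived from the sample and exist only to show what the audit reports; `parse` and `audit` are the example's own functions.

```python
"""Audit a VRP-style PE configuration for the properties VPN isolation depends on.

Added example for this page, not device software. Only the ip vpn-instance and
interface stanzas are parsed; everything else in the file is ignored.
"""
import re
from ipaddress import IPv4Interface

# Constructed sample: the relevant stanzas of the PE1 configuration file in this example.
PE1_CONF = """\
#
 sysname PE1
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:100
  vpn-target 100:100 export-extcommunity
  vpn-target 100:100 import-extcommunity
#
ip vpn-instance vpnb
 ipv4-family
  route-distinguisher 300:300
  vpn-target 200:200 export-extcommunity
  vpn-target 200:200 import-extcommunity
#
interface Vlanif100
 ip binding vpn-instance vpna
 ip address 10.1.1.1 255.255.255.0
#
interface Vlanif101
 ip binding vpn-instance vpnb
 ip address 10.1.1.1 255.255.255.0
#
return
"""

# Hypothetical mistakes, derived from the sample, to show what the audit reports.
LEAK_CONF = PE1_CONF.replace("vpn-target 200:200 import-extcommunity",
                             "vpn-target 200:200 100:100 import-extcommunity")
DUP_RD_CONF = PE1_CONF.replace("route-distinguisher 300:300", "route-distinguisher 100:100")
SAME_VRF_CONF = PE1_CONF.replace("ip binding vpn-instance vpnb", "ip binding vpn-instance vpna")


def parse(conf):
    """Return ({vrf: {rd, import, export}}, {interface: {vrf, addr}})."""
    vrfs, ifaces, cur = {}, {}, None
    for line in conf.splitlines():
        s = line.strip()
        if s == "#":                        # stanza separator
            cur = None
        elif (m := re.fullmatch(r"ip vpn-instance (\S+)", s)):
            cur = vrfs.setdefault(m[1], {"rd": None, "import": set(), "export": set()})
        elif (m := re.fullmatch(r"interface (\S+)", s)):
            cur = ifaces.setdefault(m[1], {"vrf": None, "addr": None})
        elif cur is None:
            continue
        elif (m := re.fullmatch(r"route-distinguisher (\S+)", s)):
            cur["rd"] = m[1]
        elif (m := re.fullmatch(r"vpn-target (.+?) (import|export|both)(?:-extcommunity)?", s)):
            for direction in ("import", "export") if m[2] == "both" else (m[2],):
                cur[direction].update(m[1].split())
        elif (m := re.fullmatch(r"ip binding vpn-instance (\S+)", s)):
            cur["vrf"] = m[1]
        elif (m := re.fullmatch(r"ip address (\S+) (\S+)", s)):
            cur["addr"] = IPv4Interface(f"{m[1]}/{m[2]}")
    return vrfs, ifaces


def audit(conf):
    """List the isolation problems found; an empty list means the file passes."""
    vrfs, ifaces = parse(conf)
    findings = []
    # 1. With overlapping prefixes, two instances sharing an RD produce identical VPNv4 NLRIs.
    seen = {}
    for name, v in vrfs.items():
        if v["rd"] is None:
            findings.append(f"{name}: no route-distinguisher")
        elif v["rd"] in seen:
            findings.append(f"{name} and {seen[v['rd']]}: duplicate RD {v['rd']}")
        seen.setdefault(v["rd"], name)
    # 2. An instance importing a target that another instance exports is a leak path.
    for a, va in vrfs.items():
        for b, vb in vrfs.items():
            if a != b and (shared := va["import"] & vb["export"]):
                findings.append(f"{a} imports {sorted(shared)} exported by {b}")
    # 3. Overlapping subnets are acceptable only across different instances.
    bound = [(n, i) for n, i in ifaces.items() if i["addr"] is not None]
    for x, (na, ia) in enumerate(bound):
        for nb, ib in bound[x + 1:]:
            if ia["vrf"] == ib["vrf"] and ia["addr"].network.overlaps(ib["addr"].network):
                findings.append(f"{na} and {nb}: overlapping {ia['addr'].network} in same instance {ia['vrf']}")
    # 4. A binding to an instance that this file never defines.
    for n, i in ifaces.items():
        if i["vrf"] and i["vrf"] not in vrfs:
            findings.append(f"{n}: bound to undefined vpn-instance {i['vrf']}")
    return findings


if __name__ == "__main__":
    for label, conf in [("PE1", PE1_CONF), ("leak", LEAK_CONF),
                        ("dup-rd", DUP_RD_CONF), ("same-vrf", SAME_VRF_CONF)]:
        print(label, audit(conf) or "OK")
```

Feed it the output of display current-configuration from each PE; the file on this page passes, and each of the three variants produces exactly one finding. Check 2 is the one that matters most in practice: an extra import target is the usual way two VPNs that were meant to be separate end up exchanging routes, and with overlapping prefixes the result is not just leakage but a best-path choice between two routes that point at different customers' hosts.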
Configuration Files
PE1 configuration file
#
 sysname PE1
#
vlan batch 10 100 to 101
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:100
  vpn-target 100:100 export-extcommunity
  vpn-target 100:100 import-extcommunity
#
ip vpn-instance vpnb
 ipv4-family
  route-distinguisher 300:300
  vpn-target 200:200 export-extcommunity
  vpn-target 200:200 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Vlanif10
 ip address 12.1.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface Vlanif100
 ip binding vpn-instance vpna
 ip address 10.1.1.1 255.255.255.0
#
interface Vlanif101
 ip binding vpn-instance vpnb
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet3/0/0
 port link-type trunk
 port trunk allow-pass vlan 101
#
interface LoopBack0
 ip address 1.1.1.9 255.255.255.255
#
bgp 100
 peer 3.3.3.9 as-number 100
 peer 3.3.3.9 connect-interface LoopBack0
 #
 ipv4-family unicast
  undo synchronization
  peer 3.3.3.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 3.3.3.9 enable
 #
 ipv4-family vpn-instance vpna
  import-route direct
 #
 ipv4-family vpn-instance vpnb
  import-route direct
#
ospf 1
 area 0.0.0.0
  network 1.1.1.9 0.0.0.0
  network 12.1.1.0 0.0.0.255
#
return
P configuration file
#
 sysname P
#
vlan batch 10 20
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif10
 ip address 12.1.1.2 255.255.255.0
 mpls
 mpls ldp
#
interface Vlanif20
 ip address 23.1.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface LoopBack0
 ip address 2.2.2.9 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 2.2.2.9 0.0.0.0
  network 12.1.1.0 0.0.0.255
  network 23.1.1.0 0.0.0.255
#
return
PE2 configuration file
#
 sysname PE2
#
vlan batch 20 100 to 101
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 200:200
  vpn-target 100:100 export-extcommunity
  vpn-target 100:100 import-extcommunity
#
ip vpn-instance vpnb
 ipv4-family
  route-distinguisher 400:400
  vpn-target 200:200 export-extcommunity
  vpn-target 200:200 import-extcommunity
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface Vlanif20
 ip address 23.1.1.2 255.255.255.0
 mpls
 mpls ldp
#
interface Vlanif100
 ip binding vpn-instance vpna
 ip address 10.2.1.1 255.255.255.0
#
interface Vlanif101
 ip binding vpn-instance vpnb
 ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface GigabitEthernet3/0/0
 port link-type trunk
 port trunk allow-pass vlan 101
#
interface LoopBack0
 ip address 3.3.3.9 255.255.255.255
#
bgp 100
 peer 1.1.1.9 as-number 100
 peer 1.1.1.9 connect-interface LoopBack0
 #
 ipv4-family unicast
  undo synchronization
  peer 1.1.1.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 1.1.1.9 enable
 #
 ipv4-family vpn-instance vpna
  import-route direct
 #
 ipv4-family vpn-instance vpnb
  import-route direct
#
ospf 1
 area 0.0.0.0
  network 3.3.3.9 0.0.0.0
  network 23.1.1.0 0.0.0.255
#
return
CE1 configuration file
#
 sysname CE1
#
vlan batch 100
#
interface Vlanif100
 ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 100
#
ip route-static 0.0.0.0 0.0.0.0 Vlanif100 10.1.1.1
#
return
CE2 configuration file
#
 sysname CE2
#
vlan batch 100
#
interface Vlanif100
 ip address 10.2.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 100
#
ip route-static 0.0.0.0 0.0.0.0 Vlanif100 10.2.1.1
#
return
CE3 configuration file
#
 sysname CE3
#
vlan batch 101
#
interface Vlanif101
 ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 101
#
ip route-static 0.0.0.0 0.0.0.0 Vlanif101 10.1.1.1
#
return
CE4 configuration file
#
 sysname CE4
#
vlan batch 101
#
interface Vlanif101
 ip address 10.2.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 101
#
ip route-static 0.0.0.0 0.0.0.0 Vlanif101 10.2.1.1
#
return