Example for Configuring Basic BGP/MPLS IPv6 VPN
Networking Requirements
- CE1 connects the R&D area of the company headquarters and CE3 connects the R&D area of the branch; CE1 and CE3 belong to vpna.
- CE2 connects the non-R&D area of the company headquarters and CE4 connects the non-R&D area of the branch; CE2 and CE4 belong to vpnb.
The company requires BGP/MPLS IPv6 VPN to be deployed so that the headquarters and the branch can communicate securely, while traffic of the R&D area and the non-R&D area stays isolated.
Configuration Roadmap
The configuration roadmap for basic BGP/MPLS IPv6 VPN is as follows:
- Configure IS-IS on the IPv4 backbone so that the backbone devices can reach each other.
- Configure MPLS and MPLS LDP on each PE and on the P; the VPN uses LDP LSP tunnels on the IPv4 backbone to carry VPN traffic.
- Configure MP-IBGP between PE1 and PE2 so that the PEs exchange VPN-IPv6 routes over BGP.
- Configure VPN instances on PE1 and PE2 with suitable VPN-target attributes so that sites in the same VPN can communicate and different VPNs are isolated. Bind the interfaces connected to the CEs to the corresponding VPN instances to admit VPN users.
- Configure IPv6 routing protocols between each PE and its CE so that the PE and the CE exchange the IPv6 routes they have learned.
Procedure
- Enable IPv6 forwarding on each CE and PE
# Enable IPv6 forwarding on CE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] ipv6
The configurations of CE2 to CE4, PE1 and PE2 are the same and are not repeated here.
- Create VLANs, configure the VLANs that each interface allows to pass and the IP addresses of the VLANIF interfaces (except the PE interfaces connected to the CEs); the data is shown in Figure 3-3
- Configure an IGP on the backbone so that the backbone devices can reach each other; IS-IS is used in this example
# Configure the IPv4 IGP on PE1; IS-IS is used in this example.
[PE1] isis 1
[PE1-isis-1] network-entity 10.1111.1111.1111.00
[PE1-isis-1] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] isis enable 1
[PE1-Vlanif10] quit
[PE1] interface loopback 1
[PE1-LoopBack1] isis enable 1
[PE1-LoopBack1] quit
The configurations of the P and PE2 are similar and are not repeated here.
After the configuration, PE1, the P and PE2 should learn routes from each other, including the routes to the Loopback1 interfaces. You can check this with the display ip routing-table command.
- Configure a tunnel between PE1 and PE2
An MPLS LDP LSP tunnel is used in this example.
# Enable MPLS and MPLS LDP on PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] mpls
[PE1-Vlanif10] mpls ldp
[PE1-Vlanif10] quit
# Enable MPLS and MPLS LDP on the P.
[P] mpls lsr-id 2.2.2.9
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 10
[P-Vlanif10] mpls
[P-Vlanif10] mpls ldp
[P-Vlanif10] quit
[P] interface vlanif 20
[P-Vlanif20] mpls
[P-Vlanif20] mpls ldp
[P-Vlanif20] quit
# Enable MPLS and MPLS LDP on PE2.
[PE2] mpls lsr-id 3.3.3.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 20
[PE2-Vlanif20] mpls
[PE2-Vlanif20] mpls ldp
[PE2-Vlanif20] quit
After the configuration, an LDP LSP should be established between PE1 and PE2. Run the display mpls ldp lsp command to view the LDP LSP.
- Configure VPN instances on PE1 and PE2
# Configure VPN instance vpna on PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] ipv6-family
[PE1-vpn-instance-vpna-af-ipv6] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv6] vpn-target 22:22 export-extcommunity
[PE1-vpn-instance-vpna-af-ipv6] vpn-target 33:33 import-extcommunity
[PE1-vpn-instance-vpna-af-ipv6] quit
[PE1-vpn-instance-vpna] quit
# Bind the PE1 interface directly connected to CE1 to VPN instance vpna.
[PE1] interface vlanif 100
[PE1-Vlanif100] ipv6 enable
[PE1-Vlanif100] ip binding vpn-instance vpna
[PE1-Vlanif100] ipv6 address 2001::2 64
[PE1-Vlanif100] quit
# Configure VPN instance vpnb on PE1.
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] ipv6-family
[PE1-vpn-instance-vpnb-af-ipv6] route-distinguisher 200:1
[PE1-vpn-instance-vpnb-af-ipv6] vpn-target 44:44 export-extcommunity
[PE1-vpn-instance-vpnb-af-ipv6] vpn-target 55:55 import-extcommunity
[PE1-vpn-instance-vpnb-af-ipv6] quit
[PE1-vpn-instance-vpnb] quit
# Bind the PE1 interface directly connected to CE2 to VPN instance vpnb.
[PE1] interface vlanif 101
[PE1-Vlanif101] ipv6 enable
[PE1-Vlanif101] ip binding vpn-instance vpnb
[PE1-Vlanif101] ipv6 address 2003::2 64
[PE1-Vlanif101] quit
# Configure VPN instance vpna on PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] ipv6-family
[PE2-vpn-instance-vpna-af-ipv6] route-distinguisher 300:1
[PE2-vpn-instance-vpna-af-ipv6] vpn-target 33:33 export-extcommunity
[PE2-vpn-instance-vpna-af-ipv6] vpn-target 22:22 import-extcommunity
[PE2-vpn-instance-vpna-af-ipv6] quit
[PE2-vpn-instance-vpna] quit
# Bind the PE2 interface directly connected to CE3 to VPN instance vpna.
[PE2] interface vlanif 100
[PE2-Vlanif100] ipv6 enable
[PE2-Vlanif100] ip binding vpn-instance vpna
[PE2-Vlanif100] ipv6 address 2004::2 64
[PE2-Vlanif100] quit
# Configure VPN instance vpnb on PE2.
[PE2] ip vpn-instance vpnb
[PE2-vpn-instance-vpnb] ipv6-family
[PE2-vpn-instance-vpnb-af-ipv6] route-distinguisher 400:1
[PE2-vpn-instance-vpnb-af-ipv6] vpn-target 55:55 export-extcommunity
[PE2-vpn-instance-vpnb-af-ipv6] vpn-target 44:44 import-extcommunity
[PE2-vpn-instance-vpnb-af-ipv6] quit
[PE2-vpn-instance-vpnb] quit
# Bind the PE2 interface directly connected to CE4 to VPN instance vpnb.
[PE2] interface vlanif 101
[PE2-Vlanif101] ipv6 enable
[PE2-Vlanif101] ip binding vpn-instance vpnb
[PE2-Vlanif101] ipv6 address 2005::2 64
[PE2-Vlanif101] quit
After the configuration, run the display ip vpn-instance verbose command on each PE to view the VPN instance configuration; each PE can ping the CE it connects to. PE1 is used as an example:
[PE1] display ip vpn-instance verbose
 Total VPN-Instances configured : 2
 Total IPv4 VPN-Instances configured : 0
 Total IPv6 VPN-Instances configured : 2

 VPN-Instance Name and ID : vpna, 3
  Interfaces : Vlanif100
 Address family ipv6
  Create date : 2012-09-05 15:51:15+00:00
  Up time : 0 days, 00 hours, 00 minutes and 22 seconds
  Route Distinguisher : 100:1
  Export VPN Targets : 22:22
  Import VPN Targets : 33:33
  Label Policy : label per instance
  Per-Instance Label : 4096
  Log Interval : 5

 VPN-Instance Name and ID : vpnb, 4
  Interfaces : Vlanif101
 Address family ipv6
  Create date : 2012-09-05 15:12:49+00:00
  Up time : 0 days, 00 hours, 38 minutes and 48 seconds
  Route Distinguisher : 200:1
  Export VPN Targets : 44:44
  Import VPN Targets : 55:55
  Label Policy : label per instance
  Per-Instance Label : 4097
  Log Interval : 5
[PE1] ping ipv6 vpn-instance vpna 2001::1
  PING 2001::1 : 56 data bytes, press CTRL_C to break
    Reply from 2001::1
    bytes=56 Sequence=1 hop limit=64 time = 47 ms
    Reply from 2001::1
    bytes=56 Sequence=2 hop limit=64 time = 31 ms
    Reply from 2001::1
    bytes=56 Sequence=3 hop limit=64 time = 62 ms
    Reply from 2001::1
    bytes=56 Sequence=4 hop limit=64 time = 62 ms
    Reply from 2001::1
    bytes=56 Sequence=5 hop limit=64 time = 31 ms

  --- 2001::1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 31/46/62 ms
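The isolation between vpna and vpnb in this example rests entirely on the vpn-target lines above: a VPN instance on PE2 receives PE1's VPN-IPv6 routes only if it imports a route target that PE1 exports. The following Python script is an added check, not part of the original configuration example; it parses the vpn-target commands configured on PE1 and PE2 (fragments constructed from the commands on this page), computes which remote VPN instance imports each instance's routes, and reports any export that lands in a differently named VPN instance. The function names are the script's own.

```python
import re

# Constructed from the vpn-instance configuration this page applies to PE1 and PE2;
# only the lines that decide which VPN-IPv6 routes an instance imports or exports are kept.
PE_CONFIGS = {
    "PE1": """ip vpn-instance vpna
  vpn-target 22:22 export-extcommunity
  vpn-target 33:33 import-extcommunity
ip vpn-instance vpnb
  vpn-target 44:44 export-extcommunity
  vpn-target 55:55 import-extcommunity""",
    "PE2": """ip vpn-instance vpna
  vpn-target 33:33 export-extcommunity
  vpn-target 22:22 import-extcommunity
ip vpn-instance vpnb
  vpn-target 55:55 export-extcommunity
  vpn-target 44:44 import-extcommunity""",
}

def parse_vpn_targets(config):
    """Map each VPN instance name to its export and import route targets."""
    vrfs, cur = {}, None
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"ip vpn-instance (\S+)$", line):
            cur = vrfs.setdefault(m.group(1), {"export": set(), "import": set()})
        elif cur and (m := re.match(r"vpn-target (\S+)(?: (\S+))?$", line)):
            rt, mode = m.group(1), m.group(2) or "both"  # a bare vpn-target means both
            if mode in ("export-extcommunity", "both"):
                cur["export"].add(rt)
            if mode in ("import-extcommunity", "both"):
                cur["import"].add(rt)
    return vrfs

def route_flows(pe_configs):
    """Return {(src_pe, src_vrf, dst_pe, dst_vrf)}: dst imports an RT that src exports."""
    parsed = {pe: parse_vpn_targets(cfg) for pe, cfg in pe_configs.items()}
    vrfs = [(pe, name, rts) for pe, vr in parsed.items() for name, rts in vr.items()]
    return {(pa, va, pb, vb) for pa, va, a in vrfs for pb, vb, b in vrfs
            if pa != pb and a["export"] & b["import"]}

def check_isolation(pe_configs):
    """Split flows into intended links (same VPN name on both PEs) and cross-VPN leaks."""
    flows = route_flows(pe_configs)
    linked = sorted(f for f in flows if f[1] == f[3])
    leaks = sorted(f for f in flows if f[1] != f[3])
    return linked, leaks
```

With the targets as configured on this page, check_isolation reports four intended links (vpna and vpnb in both directions) and no leaks; a single mistyped import target on either PE shows up as a leak entry naming the two VPN instances involved.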
- Establish a VPNv6 peer relationship between PE1 and PE2
# Configure BGP on PE1.
[PE1] bgp 100
[PE1-bgp] peer 3.3.3.9 as-number 100
[PE1-bgp] peer 3.3.3.9 connect-interface loopback 1
[PE1-bgp] ipv6-family vpnv6
[PE1-bgp-af-vpnv6] peer 3.3.3.9 enable
[PE1-bgp-af-vpnv6] quit
# Configure BGP on PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[PE2-bgp] ipv6-family vpnv6
[PE2-bgp-af-vpnv6] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv6] quit
After the configuration, run the display bgp vpnv6 all peer command on the PEs to view the VPNv6 peer relationship. PE1 is used as an example:
[PE1] display bgp vpnv6 all peer
 BGP local router ID : 1.1.1.9
 Local AS number : 100
 Total number of peers : 1                 Peers in established state : 1

  Peer            V          AS  MsgRcvd  MsgSent  OutQ  Up/Down       State  PrefRcv
  3.3.3.9         4         100        3        3     0 00:02:19 Established       0
The output shows that the VPNv6 peer relationship between PE1 and PE2 has been established.
- Configure BGP4+ between PE1 and CE1
# Configure EBGP on PE1.
[PE1] bgp 100
[PE1-bgp] ipv6-family vpn-instance vpna
[PE1-bgp6-vpna] peer 2001::1 as-number 65410
[PE1-bgp6-vpna] import-route direct
[PE1-bgp6-vpna] quit
[PE1-bgp] quit
# Configure EBGP on CE1.
[CE1] bgp 65410
[CE1-bgp] router-id 10.10.10.10
[CE1-bgp] peer 2001::2 as-number 100
[CE1-bgp] ipv6-family unicast
[CE1-bgp-af-ipv6] peer 2001::2 enable
[CE1-bgp-af-ipv6] import-route direct
[CE1-bgp-af-ipv6] quit
[CE1-bgp] quit
After the configuration, run the display bgp vpnv6 all peer command on PE1 to view the peer relationship.
[PE1] display bgp vpnv6 all peer
 BGP local router ID : 1.1.1.9
 Local AS number : 100
 Total number of peers : 1                 Peers in established state : 0

  Peer            V          AS  MsgRcvd  MsgSent  OutQ  Up/Down       State  PrefRcv
  2001::1         4       65410        0        0     0 00:24:31 Established       0
You can also run the display bgp ipv6 peer command on CE1 to view the peer relationship.
[CE1] display bgp ipv6 peer
 BGP local router ID : 10.10.10.10
 Local AS number : 65410
 Total number of peers : 1                 Peers in established state : 0

  Peer            V          AS  MsgRcvd  MsgSent  OutQ  Up/Down       State  PrefRcv
  2001::2         4         100        0        0     0 00:35:04 Established       0
The output shows that the EBGP connection between PE1 and CE1 has been established.
- Configure static routes on PE1 and CE2
# Configure an IPv6 static route for VPN instance vpnb on PE1.
[PE1] ipv6 route-static vpn-instance vpnb fc00:1:: 64 2003::1
# Import the static route and the direct routes into BGP on PE1.
[PE1] bgp 100
[PE1-bgp] ipv6-family vpn-instance vpnb
[PE1-bgp6-vpnb] import-route static
[PE1-bgp6-vpnb] import-route direct
[PE1-bgp6-vpnb] quit
[PE1-bgp] quit
# Configure an IPv6 default route on CE2.
[CE2] ipv6 route-static :: 0 2003::2
- Configure IS-ISv6 between PE2 and CE3
# Configure IS-ISv6 on PE2.
[PE2] isis 10 vpn-instance vpna
[PE2-isis-10] network-entity 30.4444.4444.4444.4444.00
[PE2-isis-10] ipv6 enable
[PE2-isis-10] ipv6 import-route bgp
[PE2-isis-10] quit
[PE2] interface vlanif 100
[PE2-Vlanif100] isis ipv6 enable 10
[PE2-Vlanif100] quit
# Import IS-ISv6 routes into BGP on PE2.
[PE2] bgp 100
[PE2-bgp] ipv6-family vpn-instance vpna
[PE2-bgp6-vpna] import-route isis 10
[PE2-bgp6-vpna] quit
[PE2-bgp] quit
# Configure IS-ISv6 on CE3.
[CE3] isis 10
[CE3-isis-10] network-entity 30.2222.2222.2222.00
[CE3-isis-10] ipv6 enable
[CE3-isis-10] quit
[CE3] interface vlanif 100
[CE3-Vlanif100] isis ipv6 enable 10
[CE3-Vlanif100] quit
[CE3] interface vlanif 1001
[CE3-Vlanif1001] isis ipv6 enable 10
[CE3-Vlanif1001] quit
- Configure RIPng between PE2 and CE4
# Configure RIPng on PE2.
[PE2] ripng 100 vpn-instance vpnb
[PE2-ripng-100] import-route bgp
[PE2-ripng-100] quit
[PE2] interface vlanif 101
[PE2-Vlanif101] ripng 100 enable
[PE2-Vlanif101] quit
# Import RIPng routes into BGP on PE2.
[PE2] bgp 100
[PE2-bgp] ipv6-family vpn-instance vpnb
[PE2-bgp6-vpnb] import-route ripng 100
[PE2-bgp6-vpnb] quit
[PE2-bgp] quit
# Configure RIPng on CE4.
[CE4] ripng 100
[CE4-ripng-100] quit
[CE4] interface vlanif 101
[CE4-Vlanif101] ripng 100 enable
[CE4-Vlanif101] quit
[CE4] interface vlanif 1011
[CE4-Vlanif1011] ripng 100 enable
[CE4-Vlanif1011] quit
- Verify the configuration
After the configuration, CEs that are allowed to communicate should learn each other's routes. Run the display ipv6 routing-table vpn-instance command on each PE to view the routes of the corresponding VPN instance, or verify with the ping or tracert command. You can also run the display ipv6 routing-table command on each CE, or verify with ping or tracert. PE1 and CE1 are used as examples:
[PE1] ping ipv6 vpn-instance vpna fc00:2::1
  PING FC00:2::1 : 56 data bytes, press CTRL_C to break
    Reply from FC00:2::1
    bytes=56 Sequence=1 hop limit=63 time = 94 ms
    Reply from FC00:2::1
    bytes=56 Sequence=2 hop limit=63 time = 94 ms
    Reply from FC00:2::1
    bytes=56 Sequence=3 hop limit=63 time = 94 ms
    Reply from FC00:2::1
    bytes=56 Sequence=4 hop limit=63 time = 94 ms
    Reply from FC00:2::1
    bytes=56 Sequence=5 hop limit=63 time = 94 ms

  --- FC00:2::1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 94/94/94 ms
[CE1] tracert ipv6 fc00:2::1
 traceroute to FC00:2::1 30 hops max,60 bytes packet
 1 2001::2 62 ms 31 ms 32 ms
 2 2004::2 101 ms 94 ms 98 ms
 3 FC00:2::1 156 ms 157 ms 171 ms
Because CE4 also has the prefix fc00:2::1/64, run the display ipv6 statistics command on CE3 and CE4 and compare the change in the number of ICMPv6 packets received and sent. The counters show that the packets were delivered to the correct interface, that is, sites that are not allowed to communicate are isolated from each other.
Configuration Files
PE1 configuration file
#
 sysname PE1
#
 ipv6
#
vlan batch 10 100 101
#
ip vpn-instance vpna
 ipv6-family
  route-distinguisher 100:1
  vpn-target 22:22 export-extcommunity
  vpn-target 33:33 import-extcommunity
#
ip vpn-instance vpnb
 ipv6-family
  route-distinguisher 200:1
  vpn-target 44:44 export-extcommunity
  vpn-target 55:55 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
isis 1
 network-entity 10.1111.1111.1111.00
#
interface Vlanif100
 ipv6 enable
 ip binding vpn-instance vpna
 ipv6 address 2001::2/64
#
interface Vlanif101
 ipv6 enable
 ip binding vpn-instance vpnb
 ipv6 address 2003::2/64
#
interface Vlanif10
 ip address 8.8.1.1 255.255.255.0
 isis enable 1
 mpls
 mpls ldp
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 101
#
interface GigabitEthernet3/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface LoopBack1
 ip address 1.1.1.9 255.255.255.255
 isis enable 1
#
bgp 100
 peer 3.3.3.9 as-number 100
 peer 3.3.3.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 3.3.3.9 enable
 #
 ipv6-family vpnv6
  policy vpn-target
  peer 3.3.3.9 enable
 #
 ipv6-family vpn-instance vpna
  import-route direct
  peer 2001::1 as-number 65410
 #
 ipv6-family vpn-instance vpnb
  import-route direct
  import-route static
#
ipv6 route-static vpn-instance vpnb fc00:1:: 64 2003::1
#
return
P configuration file
#
 sysname P
#
vlan batch 10 20
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
isis 1
 network-entity 10.2222.2222.2222.00
#
interface Vlanif10
 ip address 8.8.1.2 255.255.255.0
 isis enable 1
 mpls
 mpls ldp
#
interface Vlanif20
 ip address 8.8.2.1 255.255.255.0
 isis enable 1
 mpls
 mpls ldp
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface LoopBack1
 ip address 2.2.2.9 255.255.255.255
 isis enable 1
#
return
PE2 configuration file
#
 sysname PE2
#
 ipv6
#
vlan batch 20 100 101
#
ip vpn-instance vpna
 ipv6-family
  route-distinguisher 300:1
  vpn-target 33:33 export-extcommunity
  vpn-target 22:22 import-extcommunity
#
ip vpn-instance vpnb
 ipv6-family
  route-distinguisher 400:1
  vpn-target 55:55 export-extcommunity
  vpn-target 44:44 import-extcommunity
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
isis 1
 network-entity 10.3333.3333.3333.00
#
isis 10 vpn-instance vpna
 network-entity 30.4444.4444.4444.4444.00
 #
 ipv6 enable topology standard
 ipv6 import-route bgp
 #
#
interface Vlanif20
 ip address 8.8.2.2 255.255.255.0
 isis enable 1
 mpls
 mpls ldp
#
interface Vlanif100
 ip binding vpn-instance vpna
 ipv6 enable
 ipv6 address 2004::2/64
 isis ipv6 enable 10
#
interface Vlanif101
 ip binding vpn-instance vpnb
 ipv6 enable
 ipv6 address 2005::2/64
 ripng 100 enable
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 101
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet3/0/0
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface LoopBack1
 ip address 3.3.3.9 255.255.255.255
 isis enable 1
#
bgp 100
 peer 1.1.1.9 as-number 100
 peer 1.1.1.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 1.1.1.9 enable
 #
 ipv6-family vpnv6
  policy vpn-target
  peer 1.1.1.9 enable
 #
 ipv6-family vpn-instance vpna
  import-route isis 10
 #
 ipv6-family vpn-instance vpnb
  import-route ripng 100
#
ripng 100 vpn-instance vpnb
 import-route bgp
#
return
Configuration file of CE1, which connects the R&D area of the headquarters
#
 sysname CE1
#
 ipv6
#
vlan batch 100 1001
#
interface Vlanif100
 ipv6 enable
 ipv6 address 2001::1/64
#
interface Vlanif1001
 ipv6 enable
 ipv6 address FC00:1::1/64
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 1001
#
bgp 65410
 router-id 10.10.10.10
 peer 2001::2 as-number 100
 #
 ipv6-family unicast
  undo synchronization
  import-route direct
  peer 2001::2 enable
#
return
Configuration file of CE2, which connects the non-R&D area of the headquarters
#
 sysname CE2
#
 ipv6
#
vlan batch 101 1011
#
interface Vlanif101
 ipv6 enable
 ipv6 address 2003::1/64
#
interface Vlanif1011
 ipv6 enable
 ipv6 address FC00:1::1/64
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 101
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 1011
#
ipv6 route-static :: 0 2003::2
#
return
Configuration file of CE3, which connects the R&D area of the branch
#
 sysname CE3
#
 ipv6
#
vlan batch 100 1001
#
isis 10
 network-entity 30.2222.2222.2222.00
 #
 ipv6 enable topology standard
 #
#
interface Vlanif100
 ipv6 enable
 ipv6 address 2004::1/64
 isis ipv6 enable 10
#
interface Vlanif1001
 ipv6 enable
 ipv6 address FC00:2::1/64
 isis ipv6 enable 10
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 1001
#
return
Configuration file of CE4, which connects the non-R&D area of the branch
#
 sysname CE4
#
 ipv6
#
vlan batch 101 1011
#
interface Vlanif101
 ipv6 enable
 ipv6 address 2005::1/64
 ripng 100 enable
#
interface Vlanif1011
 ipv6 enable
 ipv6 address FC00:2::1/64
 ripng 100 enable
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 101
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 1011
#
ripng 100
#
return