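Example for Configuring a Tunnel Selector to Apply TE Tunnels to HoVPN
Networking Requirements
BGP/MPLS IP VPN is a flat model that places the same performance requirements on every PE in the network. If some PEs have performance or scalability problems, the performance and scalability of the whole network suffer. Most networks today, however, are designed with a classic hierarchical structure, so BGP/MPLS IP VPN scales poorly. To solve the scalability problem, BGP/MPLS IP VPN must move from the flat model to a hierarchical one, which leads to the Hierarchy of VPN (HoVPN) solution.
As shown in Figure 2-70, CE1, CE2, and CE3 belong to the same VPN. The UPEs have low routing capability and forwarding performance, whereas the SPE and NPE have high capability, so HoVPN networking is used to relieve the load on the UPEs. In addition, because a large amount of real-time traffic such as voice and online video flows between different VPNs, the carrier carries this traffic over TE tunnels to guarantee the quality of service (QoS) of the VPN. By default, however, the SPE selects LSP tunnels and does not load-balance among tunnels. With the default configuration, VPN services on the SPE therefore cannot recurse to a tunnel, and forwarding is interrupted.
To solve this problem, apply a tunnel selector on the SPE so that VPN services on the SPE can recurse to TE tunnels.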
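Configuration Roadmap
Configure a tunnel selector to apply TE tunnels to HoVPN as follows:
- Configure an IGP on the backbone network so that the devices can communicate and the UPEs, SPE, and NPE learn each other's loopback addresses.
- Enable MPLS and MPLS TE on the UPEs, SPE, and NPE, and establish MPLS TE tunnels to the neighboring devices.
- Establish MP-IBGP peer relationships between the UPEs and the SPE and between the NPE and the SPE.
- Create a VPN instance on the UPEs and the NPE, and establish EBGP peer relationships with the CEs.
- Create a VPN instance on the SPE, specify the UPEs as its underlayer PEs (also called user-end PEs), and advertise the default route of the VPN instance to the UPEs.
- Configure a tunnel policy and a tunnel selector. The tunnel policy is applied to the VPN instance on each device, and the tunnel selector is applied to the BGP-VPNv4 address family on the SPE.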
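Procedure
- Configure the HoVPN network and establish TE tunnels on the backbone network. The steps are as follows:
  - Configure the IP addresses of the interfaces on the CEs, UPEs, SPE, and NPE.
  - Configure an IGP on the MPLS backbone network. OSPF is used in this example. When configuring OSPF, advertise the 32-bit loopback interface address that each PE uses as its LSR ID.
  - Establish MPLS TE tunnels between the UPEs and the SPE and between the SPE and the NPE.
  - Configure MP-IBGP peer relationships between the UPEs and the SPE and between the NPE and the SPE.
  - Configure a VPN instance on the UPEs and the NPE, and establish EBGP peer relationships with the CEs.
  - Configure a VPN instance on the SPE, specify UPE1 and UPE2 as its underlayer PEs (also called user-end PEs), and advertise the default route of the VPN instance to UPE1 and UPE2.
  The configuration details are omitted here. See the configuration files later in this example.
- Configure a tunnel policy and a tunnel selector. The tunnel policy is applied to the VPN instance on each device, and the tunnel selector is applied to the BGP-VPNv4 address family on the SPE.
# Configure UPE1. The configurations on UPE2 and the NPE are similar to the configuration on UPE1 and are not repeated here. See the configuration files later in this example.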
[UPE1] interface tunnel 1
[UPE1-Tunnel1] mpls te reserved-for-binding
[UPE1-Tunnel1] mpls te commit
[UPE1-Tunnel1] quit
[UPE1] tunnel-policy bindTE
[UPE1-tunnel-policy-bindTE] tunnel binding destination 2.2.2.9 te tunnel1
[UPE1-tunnel-policy-bindTE] quit
[UPE1] ip vpn-instance vpna
[UPE1-vpn-instance-vpna] tnl-policy bindTE
[UPE1-vpn-instance-vpna] quit
# Configure a tunnel policy on the SPE and apply it to the VPN instance.
[SPE] tunnel-policy bindTE
[SPE-tunnel-policy-bindTE] tunnel binding destination 1.1.1.9 te tunnel1
[SPE-tunnel-policy-bindTE] tunnel binding destination 3.3.3.9 te tunnel2
[SPE-tunnel-policy-bindTE] tunnel binding destination 4.4.4.9 te tunnel3
[SPE-tunnel-policy-bindTE] quit
[SPE] ip vpn-instance vpna
[SPE-vpn-instance-vpna] tnl-policy bindTE
[SPE-vpn-instance-vpna] quit
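# Configure a tunnel selector on the SPE and apply it to the BGP-VPNv4 address family so that VPNv4 routes can also recurse to TE tunnels according to the tunnel policy.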
[SPE] tunnel-selector bindTE permit node 10
[SPE-tunnel-selector] apply tunnel-policy bindTE
[SPE-tunnel-selector] quit
[SPE] bgp 100
[SPE-bgp] ipv4-family vpnv4
[SPE-bgp-af-vpnv4] tunnel-selector bindTE
[SPE-bgp-af-vpnv4] quit
[SPE-bgp] quit
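After the configuration is complete, run the display tunnel-policy and display tunnel-selector commands to view the tunnel policies and tunnel selectors configured on the system. The following uses the output on the SPE as an example: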
[SPE] display tunnel-policy
Total tunnel policy num:    1
Sel-Seq tunnel policy num:  0
Binding tunnel policy num:  1
Invalid tunnel policy num:  0
Tunnel Policy Name  Destination  Tunnel Intf  Ignore-dest-check  Down switch
----------------------------------------------------------------------------
bindTE              1.1.1.9      Tunnel1      Disable            Enable
                    3.3.3.9      Tunnel2      Disable            Enable
                    4.4.4.9      Tunnel3      Disable            Enable
[SPE] display tunnel-selector
Tunnel-selector : bindTE
  permit : 10 (matched counts: 3)
    Apply clauses :
      apply tunnel-policy bindTE
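- Verify the configuration.
After the configuration is complete, CE1, CE2, and CE3 can ping each other. The following uses the output on CE1 as an example: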
[CE1] ping 10.2.1.1
  PING 10.2.1.1: 56 data bytes, press CTRL_C to break
    Reply from 10.2.1.1: bytes=56 Sequence=1 ttl=253 time=85 ms
    Reply from 10.2.1.1: bytes=56 Sequence=2 ttl=253 time=70 ms
    Reply from 10.2.1.1: bytes=56 Sequence=3 ttl=253 time=57 ms
    Reply from 10.2.1.1: bytes=56 Sequence=4 ttl=253 time=66 ms
    Reply from 10.2.1.1: bytes=56 Sequence=5 ttl=253 time=55 ms
  --- 10.2.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 55/66/85 ms
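Run the display bgp vpnv4 all routing-table peer 2.2.2.9 received-routes command on UPE1 or UPE2. The output shows that the UPE receives only one default route from the SPE. The specific routes to the sites of CE2 and CE3 are replaced by this default route, which reduces the size of the routing table on the UPE. The following uses the output on UPE1 as an example: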
[UPE1] display bgp vpnv4 all routing-table peer 2.2.2.9 received-routes
 BGP Local router ID is 1.1.1.9
 Status codes: * - valid, > - best, d - damped,
               h - history, i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete
 Total Number of Routes: 1
 Route Distinguisher: 100:10
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>i  0.0.0.0            2.2.2.9        0          100       0       i
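Run the display bgp vpnv4 all routing-table command on the SPE to view the VPNv4 routes that the SPE has received from other devices. All of these routes are selected as best routes. Only VPNv4 routes selected as best are advertised to other MP-IBGP peers.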
[SPE] display bgp vpnv4 all routing-table
 BGP Local router ID is 2.2.2.9
 Status codes: * - valid, > - best, d - damped,
               h - history, i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete
 Total number of routes from all PE: 3
 Route Distinguisher: 100:1
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>i10.1.1.0/24          1.1.1.9        0          100       0       ?
 Route Distinguisher: 100:2
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>i10.2.1.0/24          3.3.3.9        0          100       0       ?
 Route Distinguisher: 100:3
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>i10.3.1.0/24          4.4.4.9        0          100       0       ?
 VPN-Instance vpna, Router ID 2.2.2.9:
 Total Number of Routes: 3
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>i 10.1.1.0/24         1.1.1.9        0          100       0       ?
 *>i 10.2.1.0/24         3.3.3.9        0          100       0       ?
 *>i 10.3.1.0/24         4.4.4.9        0          100       0       ?
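Run the display bgp vpnv4 all routing-table x.x.x.x command on the SPE to view details about a VPNv4 route, including the tunnel to which the route recurses. The following uses the 10.3.1.0/24 network segment as an example: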
[SPE] display bgp vpnv4 all routing-table 10.3.1.0
 BGP local router ID : 2.2.2.9
 Local AS number : 100
 Total routes of Route Distinguisher(100:3): 1
 BGP routing table entry information of 10.3.1.0/24:
 Label information (Received/Applied): 1029/1043
 From: 4.4.4.9 (4.4.4.9)
 Route Duration: 00h37m28s
 Relay IP Nexthop: 172.3.1.1
 Relay IP Out-Interface: Vlanif10
 Relay Tunnel Out-Interface: Tunnel3
 Relay token: 0x9
 Original nexthop: 4.4.4.9
 Qos information : 0x0
 Ext-Community:RT <1 : 1>
 AS-path Nil, origin incomplete, MED 0, localpref 100, pref-val 0, valid, intern
al, best, select, pre 255
 Advertised to such 1 peers:
    3.3.3.9
 VPN-Instance vpna, Router ID 2.2.2.9:
 Total Number of Routes: 1
 BGP routing table entry information of 10.3.1.0/24:
 Label information (Received/Applied): 1029/NULL
 From: 4.4.4.9 (4.4.4.9)
 Route Duration: 00h37m28s
 Relay Tunnel Out-Interface: Tunnel3
 Relay token: 0x9
 Original nexthop: 4.4.4.9
 Qos information : 0x0
 Ext-Community:RT <1 : 1>
 AS-path Nil, origin incomplete, MED 0, localpref 100, pref-val 0, valid, intern
al, best, select, active, pre 255
 Not advertised to any peer yet
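The output shows that the route from the SPE to 10.3.1.0/24 recurses to a tunnel whose outbound interface is Tunnel3 and whose token is 0x9. Run the display tunnel-info tunnel-id command to view details about this tunnel.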
[SPE] display tunnel-info tunnel-id 9
Tunnel ID:        0x9
Tunnel Token:     9
Type:             cr lsp
Destination:      4.4.4.9
Out Slot:         0
Instance ID:      0
Interface:        Tunnel3
Sub Tunnel ID:    0x0
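In summary, after a tunnel policy and a tunnel selector are applied to HoVPN, TE tunnels can be used for forwarding between the UPEs and the SPE and between the SPE and the NPE, which meets the original networking requirements.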
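The checks above can also be run offline against a saved configuration. The following Python sketch is an added example, not part of the original document or of any vendor tool: it audits configuration text in this page's format for a tunnel selector under the BGP-VPNv4 address family, a tunnel binding for every VPNv4 peer, and `mpls te reserved-for-binding` on each bound tunnel. The `audit` function and the sample text are constructed for illustration, and a single tunnel policy is assumed.

```python
import re

# Constructed sample: Tunnel2 lacks reserved-for-binding, peer 4.4.4.9 is unbound.
SAMPLE = """\
tunnel-selector bindTE permit node 10
 apply tunnel-policy bindTE
#
interface Tunnel1
 destination 1.1.1.9
 mpls te reserved-for-binding
#
interface Tunnel2
 destination 3.3.3.9
#
bgp 100
 ipv4-family vpnv4
  tunnel-selector bindTE
  peer 1.1.1.9 enable
  peer 3.3.3.9 enable
  peer 4.4.4.9 enable
#
tunnel-policy bindTE
 tunnel binding destination 1.1.1.9 te Tunnel1
 tunnel binding destination 3.3.3.9 te Tunnel2
"""

def audit(cfg):
    """List reasons a VPNv4 route could fail to recurse to a TE tunnel."""
    # Tunnel interface name -> its (stripped) configuration lines
    tunnels = {name: [l.strip() for l in block.splitlines()] for name, block in
               re.findall(r"^interface (Tunnel\d+)\n((?: .*\n?)*)", cfg, re.M)}
    # Binding destination -> tunnel name (assumes a single tunnel policy)
    binds = dict(re.findall(r"tunnel binding destination (\S+) te (\S+)", cfg))
    vpnv4 = "".join(re.findall(r"ipv4-family vpnv4\n((?:  .*\n?)*)", cfg))
    out = []
    sel = re.search(r"tunnel-selector (\S+)", vpnv4)
    if not sel:
        out.append("no tunnel-selector under ipv4-family vpnv4")
    elif not re.search(rf"^tunnel-selector {re.escape(sel.group(1))} permit", cfg, re.M):
        out.append(f"tunnel-selector {sel.group(1)} is not defined")
    for peer in re.findall(r"peer (\S+) enable", vpnv4):
        tun = binds.get(peer)
        if tun is None:
            out.append(f"peer {peer}: no tunnel binding")
        elif f"destination {peer}" not in tunnels.get(tun, []):
            out.append(f"peer {peer}: {tun} missing or bound to another destination")
        elif "mpls te reserved-for-binding" not in tunnels[tun]:
            out.append(f"peer {peer}: {tun} lacks mpls te reserved-for-binding")
    return out
```

An empty list from `audit` means every VPNv4 peer has a bound TE tunnel and the selector is in place; each string otherwise names the peer or setting to fix before relying on TE forwarding.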
Configuration Files
Configuration file of CE1
#
sysname CE1
#
vlan batch 40
#
interface Vlanif40
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 40
#
bgp 65410
 peer 10.1.1.2 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  peer 10.1.1.2 enable
#
return
Configuration file of UPE1
#
sysname UPE1
#
vlan batch 20 40
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:1
  tnl-policy bindTE
  vpn-target 1:1 export-extcommunity
  vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
 mpls te
 mpls rsvp-te
 mpls te cspf
#
interface Vlanif20
 ip address 172.1.1.1 255.255.255.0
 mpls
 mpls te
 mpls rsvp-te
#
interface Vlanif40
 ip binding vpn-instance vpna
 ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 40
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface LoopBack1
 ip address 1.1.1.9 255.255.255.255
#
interface Tunnel1
 ip address unnumbered interface LoopBack1
 tunnel-protocol mpls te
 destination 2.2.2.9
 mpls te tunnel-id 100
 mpls te reserved-for-binding
 mpls te commit
#
bgp 100
 peer 2.2.2.9 as-number 100
 peer 2.2.2.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 2.2.2.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 2.2.2.9 enable
 #
 ipv4-family vpn-instance vpna
  import-route direct
  peer 10.1.1.1 as-number 65410
#
ospf 1
 opaque-capability enable
 area 0.0.0.0
  network 1.1.1.9 0.0.0.0
  network 172.1.1.0 0.0.0.255
  mpls-te enable
#
tunnel-policy bindTE
 tunnel binding destination 2.2.2.9 te Tunnel1
#
return
Configuration file of CE3
#
sysname CE3
#
vlan batch 50
#
interface Vlanif50
 ip address 10.3.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 50
#
bgp 65430
 peer 10.3.1.2 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  peer 10.3.1.2 enable
#
return
Configuration file of UPE2
#
sysname UPE2
#
vlan batch 10 50
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:3
  tnl-policy bindTE
  vpn-target 1:1 export-extcommunity
  vpn-target 1:1 import-extcommunity
#
mpls lsr-id 4.4.4.9
mpls
 mpls te
 mpls rsvp-te
 mpls te cspf
#
interface Vlanif10
 ip address 172.3.1.1 255.255.255.0
 mpls
 mpls te
 mpls rsvp-te
#
interface Vlanif50
 ip binding vpn-instance vpna
 ip address 10.3.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 50
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface LoopBack1
 ip address 4.4.4.9 255.255.255.255
#
interface Tunnel1
 ip address unnumbered interface LoopBack1
 tunnel-protocol mpls te
 destination 2.2.2.9
 mpls te tunnel-id 100
 mpls te reserved-for-binding
 mpls te commit
#
bgp 100
 peer 2.2.2.9 as-number 100
 peer 2.2.2.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 2.2.2.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 2.2.2.9 enable
 #
 ipv4-family vpn-instance vpna
  import-route direct
  peer 10.3.1.1 as-number 65430
#
ospf 1
 opaque-capability enable
 area 0.0.0.0
  network 4.4.4.9 0.0.0.0
  network 172.3.1.0 0.0.0.255
  mpls-te enable
#
tunnel-policy bindTE
 tunnel binding destination 2.2.2.9 te Tunnel1
#
return
Configuration file of the SPE
#
sysname SPE
#
vlan batch 10 20 30
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:10
  tnl-policy bindTE
  vpn-target 1:1 export-extcommunity
  vpn-target 1:1 import-extcommunity
#
tunnel-selector bindTE permit node 10
 apply tunnel-policy bindTE
#
mpls lsr-id 2.2.2.9
mpls
 mpls te
 mpls rsvp-te
 mpls te cspf
#
interface Vlanif10
 ip address 172.3.1.2 255.255.255.0
 mpls
 mpls te
 mpls rsvp-te
#
interface Vlanif20
 ip address 172.1.1.2 255.255.255.0
 mpls
 mpls te
 mpls rsvp-te
#
interface Vlanif30
 ip address 172.2.1.1 255.255.255.0
 mpls
 mpls te
 mpls rsvp-te
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 30
#
interface GigabitEthernet3/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface LoopBack1
 ip address 2.2.2.9 255.255.255.255
#
interface Tunnel1
 ip address unnumbered interface LoopBack1
 tunnel-protocol mpls te
 destination 1.1.1.9
 mpls te tunnel-id 100
 mpls te reserved-for-binding
 mpls te commit
#
interface Tunnel2
 ip address unnumbered interface LoopBack1
 tunnel-protocol mpls te
 destination 3.3.3.9
 mpls te tunnel-id 200
 mpls te reserved-for-binding
 mpls te commit
#
interface Tunnel3
 ip address unnumbered interface LoopBack1
 tunnel-protocol mpls te
 destination 4.4.4.9
 mpls te tunnel-id 300
 mpls te reserved-for-binding
 mpls te commit
#
bgp 100
 peer 1.1.1.9 as-number 100
 peer 1.1.1.9 connect-interface LoopBack1
 peer 3.3.3.9 as-number 100
 peer 3.3.3.9 connect-interface LoopBack1
 peer 4.4.4.9 as-number 100
 peer 4.4.4.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 1.1.1.9 enable
  peer 3.3.3.9 enable
  peer 4.4.4.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  tunnel-selector bindTE
  peer 1.1.1.9 enable
  peer 1.1.1.9 upe
  peer 1.1.1.9 default-originate vpn-instance vpna
  peer 3.3.3.9 enable
  peer 4.4.4.9 enable
  peer 4.4.4.9 upe
  peer 4.4.4.9 default-originate vpn-instance vpna
#
ospf 1
 opaque-capability enable
 area 0.0.0.0
  network 2.2.2.9 0.0.0.0
  network 172.1.1.0 0.0.0.255
  network 172.2.1.0 0.0.0.255
  network 172.3.1.0 0.0.0.255
  mpls-te enable
#
tunnel-policy bindTE
 tunnel binding destination 1.1.1.9 te Tunnel1
 tunnel binding destination 3.3.3.9 te Tunnel2
 tunnel binding destination 4.4.4.9 te Tunnel3
#
return
Configuration file of the NPE
#
sysname NPE
#
vlan batch 30 60
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:2
  tnl-policy bindTE
  vpn-target 1:1 export-extcommunity
  vpn-target 1:1 import-extcommunity
#
mpls lsr-id 3.3.3.9
mpls
 mpls te
 mpls rsvp-te
 mpls te cspf
#
interface Vlanif30
 ip address 172.2.1.2 255.255.255.0
 mpls
 mpls te
 mpls rsvp-te
#
interface Vlanif60
 ip binding vpn-instance vpna
 ip address 10.2.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 60
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 30
#
interface LoopBack1
 ip address 3.3.3.9 255.255.255.255
#
interface Tunnel1
 ip address unnumbered interface LoopBack1
 tunnel-protocol mpls te
 destination 2.2.2.9
 mpls te tunnel-id 100
 mpls te reserved-for-binding
 mpls te commit
#
bgp 100
 peer 2.2.2.9 as-number 100
 peer 2.2.2.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 2.2.2.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 2.2.2.9 enable
 #
 ipv4-family vpn-instance vpna
  import-route direct
  peer 10.2.1.1 as-number 65420
#
ospf 1
 opaque-capability enable
 area 0.0.0.0
  network 3.3.3.9 0.0.0.0
  network 172.2.1.0 0.0.0.255
  mpls-te enable
#
tunnel-policy bindTE
 tunnel binding destination 2.2.2.9 te Tunnel1
#
return
Configuration file of CE2
#
sysname CE2
#
vlan batch 60
#
interface Vlanif60
 ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 60
#
bgp 65420
 peer 10.2.1.2 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  peer 10.2.1.2 enable
#
return