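Example for Configuring Inter-AS IPv6 VPN Option A
Networking Requirements
A company's headquarters and branch are connected to different carriers, and inter-AS BGP/MPLS IPv6 VPN services must interwork between them. As shown in Figure 3-6, CE1 connects to the headquarters and accesses the network through PE1 in AS100. CE2 connects to the branch and accesses the network through PE2 in AS200. CE1 and CE2 both belong to VPN1.
Configuration Roadmap
This example uses Option A. The configuration roadmap is as follows:
- Configure an IGP on the MPLS backbone network of each AS so that the ASBR-PE and the PE on each backbone network can reach each other.
- Configure basic MPLS capabilities and MPLS LDP on the MPLS backbone network of each AS to establish LDP LSPs.
- In each AS, establish an MP-IBGP peer relationship between the PE and the ASBR-PE to exchange VPN routing information.
- In each AS, configure a VPN instance on the PE connected to the CE, and bind the interface connected to the CE to that VPN instance.
- In each AS, establish an EBGP peer relationship between the PE and the CE to exchange VPN routing information.
- Create an IPv6 VPN instance on each of the two ASBR-PEs and bind it to the interface connected to the other ASBR-PE (each ASBR-PE treats the other as its own CE). Then establish an EBGP peer relationship between the ASBR-PEs to transmit VPN routing information.
Procedure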
- Create VLANs, configure the VLANs allowed on each interface, and assign IP addresses to the VLANIF and loopback interfaces. Figure 3-6 gives the specific data.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] ipv6
[PE1] vlan batch 10 11
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] port link-type trunk
[PE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 11
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type trunk
[PE1-GigabitEthernet2/0/0] port trunk allow-pass vlan 10
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface vlanif 11
[PE1-Vlanif11] ip address 172.1.1.2 24
[PE1-Vlanif11] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] ipv6 enable
[PE1-Vlanif10] ipv6 address 2001::2 64
[PE1-Vlanif10] quit
The configurations of PE2, CE1, CE2, ASBR-PE1, and ASBR-PE2 are similar to that of PE1 and are not given here.
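- Configure an IGP on the MPLS backbone networks of AS100 and AS200 so that the ASBR-PE and the PE on each backbone network can reach each other.
# Configure PE1.
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
The configurations of PE2 and the ASBR-PEs are the same as that of PE1 (omitted).
After the configuration is complete, the ASBR-PE and the PE in the same AS should be able to establish an OSPF neighbor relationship. Run the display ospf peer command to verify that the neighbor state is Full.
The ASBR-PE and the PE in the same AS can learn each other's Loopback1 address and can ping each other.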
- Configure basic MPLS capabilities and MPLS LDP on the MPLS backbone networks of AS100 and AS200 to establish MPLS LDP LSPs.
# Configure basic MPLS capabilities on PE1 and enable LDP on the interface connected to ASBR-PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 11
[PE1-Vlanif11] mpls
[PE1-Vlanif11] mpls ldp
[PE1-Vlanif11] quit
# Configure basic MPLS capabilities on ASBR-PE1 and enable LDP on the interface connected to PE1.
[ASBR-PE1] mpls lsr-id 2.2.2.9
[ASBR-PE1] mpls
[ASBR-PE1-mpls] quit
[ASBR-PE1] mpls ldp
[ASBR-PE1-mpls-ldp] quit
[ASBR-PE1] interface vlanif 11
[ASBR-PE1-Vlanif11] mpls
[ASBR-PE1-Vlanif11] mpls ldp
[ASBR-PE1-Vlanif11] quit
# Configure basic MPLS capabilities on ASBR-PE2 and enable LDP on the interface connected to PE2.
[ASBR-PE2] mpls lsr-id 3.3.3.9
[ASBR-PE2] mpls
[ASBR-PE2-mpls] quit
[ASBR-PE2] mpls ldp
[ASBR-PE2-mpls-ldp] quit
[ASBR-PE2] interface vlanif 22
[ASBR-PE2-Vlanif22] mpls
[ASBR-PE2-Vlanif22] mpls ldp
[ASBR-PE2-Vlanif22] quit
# Configure basic MPLS capabilities on PE2 and enable LDP on the interface connected to ASBR-PE2.
[PE2] mpls lsr-id 4.4.4.9
[PE2] mpls
[PE2-mpls] lsp-trigger all
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 22
[PE2-Vlanif22] mpls
[PE2-Vlanif22] mpls ldp
[PE2-Vlanif22] quit
After the preceding configuration is complete, an LDP peer relationship should be established between the PE and the ASBR-PE in the same AS. Run the display mpls ldp session command on each device to verify that the State field in the output is "Operational".
- Configure basic BGP/MPLS IPv6 VPN in AS100 and in AS200.
Within an AS, the VPN-Targets of the IPv6 VPN instances on the ASBR-PE and the PE must match. The VPN-Targets of the IPv6 VPN instances on PEs in different ASs do not need to match.
# Configure CE1. The configuration of CE2 is similar to that of CE1 and is not given here.
[CE1] interface vlanif 10
[CE1-Vlanif10] ipv6 enable
[CE1-Vlanif10] ipv6 address 2001::1 64
[CE1-Vlanif10] quit
[CE1] bgp 65001
[CE1-bgp] router-id 10.10.10.10
[CE1-bgp] peer 2001::2 as-number 100
[CE1-bgp] ipv6-family unicast
[CE1-bgp-af-ipv6] peer 2001::2 enable
[CE1-bgp-af-ipv6] import-route direct
[CE1-bgp-af-ipv6] quit
[CE1-bgp] quit
# Configure PE1: establish an EBGP peer relationship with CE1. The configuration of PE2 is similar to that of PE1 and is not given here.
[PE1] ip vpn-instance vpn1
[PE1-vpn-instance-vpn1] ipv6-family
[PE1-vpn-instance-vpn1-af-ipv6] route-distinguisher 100:1
[PE1-vpn-instance-vpn1-af-ipv6] vpn-target 1:1 both
[PE1-vpn-instance-vpn1-af-ipv6] quit
[PE1-vpn-instance-vpn1] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] ipv6 enable
[PE1-Vlanif10] ip binding vpn-instance vpn1
[PE1-Vlanif10] ipv6 address 2001::2 64
[PE1-Vlanif10] quit
[PE1] bgp 100
[PE1-bgp] ipv6-family vpn-instance vpn1
[PE1-bgp6-vpn1] peer 2001::1 as-number 65001
[PE1-bgp6-vpn1] import-route direct
[PE1-bgp6-vpn1] quit
[PE1-bgp] quit
# Configure PE1: establish an MP-IBGP peer relationship with ASBR-PE1. The configuration of PE2 is similar to that of PE1 and is not given here.
[PE1] bgp 100
[PE1-bgp] peer 2.2.2.9 as-number 100
[PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[PE1-bgp] ipv6-family vpnv6
[PE1-bgp-af-vpnv6] peer 2.2.2.9 enable
[PE1-bgp-af-vpnv6] quit
[PE1-bgp] quit
# Configure ASBR-PE1: establish an MP-IBGP peer relationship with PE1. The configuration of ASBR-PE2 is similar to that of ASBR-PE1 and is not given here.
[ASBR-PE1] bgp 100
[ASBR-PE1-bgp] peer 1.1.1.9 as-number 100
[ASBR-PE1-bgp] peer 1.1.1.9 connect-interface loopback 1
[ASBR-PE1-bgp] ipv6-family vpnv6
[ASBR-PE1-bgp-af-vpnv6] peer 1.1.1.9 enable
[ASBR-PE1-bgp-af-vpnv6] quit
[ASBR-PE1-bgp] quit
After the configuration is complete, run the display bgp vpnv6 vpn-instance peer command on a PE to verify that the BGP peer relationship between the PE and the CE has been established and is in the Established state. Run the display bgp vpnv6 all peer command to verify that the BGP peer relationships between the PE and the CE and between the PE and the ASBR-PE have been established and are in the Established state.
The display on PE1 is used as an example:
[PE1] display bgp vpnv6 vpn-instance vpn1 peer
 BGP local router ID : 1.1.1.9
 Local AS number : 100
 Total number of peers : 1                 Peers in established state : 1
  Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv
  2001::1         4 65001       14       12     0 00:08:36 Established       1
[PE1] display bgp vpnv6 all peer
 BGP local router ID : 1.1.1.9
 Local AS number : 100
 Total number of peers : 2                 Peers in established state : 2
  Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv
  2.2.2.9         4   100       13       12     0 00:09:10 Established       0
  Peer of IPv6-family for vpn instance :
 VPN-Instance vpn1 :
  2001::1         4 65001       17       14     0 00:11:09 Established       1
- Configure inter-AS VPN Option A.
# Configure ASBR-PE1: create an IPv6 VPN instance and bind it to the interface connected to ASBR-PE2 (ASBR-PE1 treats ASBR-PE2 as its own CE).
[ASBR-PE1] ip vpn-instance vpn1
[ASBR-PE1-vpn-instance-vpn1] ipv6-family
[ASBR-PE1-vpn-instance-vpn1-af-ipv6] route-distinguisher 100:2
[ASBR-PE1-vpn-instance-vpn1-af-ipv6] vpn-target 1:1 both
[ASBR-PE1-vpn-instance-vpn1-af-ipv6] quit
[ASBR-PE1-vpn-instance-vpn1] quit
[ASBR-PE1] interface vlanif 12
[ASBR-PE1-Vlanif12] ipv6 enable
[ASBR-PE1-Vlanif12] ip binding vpn-instance vpn1
[ASBR-PE1-Vlanif12] ipv6 address 2003::1 64
[ASBR-PE1-Vlanif12] quit
# Configure ASBR-PE2: create an IPv6 VPN instance and bind it to the interface connected to ASBR-PE1 (ASBR-PE2 treats ASBR-PE1 as its own CE).
[ASBR-PE2] ip vpn-instance vpn1
[ASBR-PE2-vpn-instance-vpn1] ipv6-family
[ASBR-PE2-vpn-instance-vpn1-af-ipv6] route-distinguisher 200:2
[ASBR-PE2-vpn-instance-vpn1-af-ipv6] vpn-target 2:2 both
[ASBR-PE2-vpn-instance-vpn1-af-ipv6] quit
[ASBR-PE2-vpn-instance-vpn1] quit
[ASBR-PE2] interface vlanif 12
[ASBR-PE2-Vlanif12] ipv6 enable
[ASBR-PE2-Vlanif12] ip binding vpn-instance vpn1
[ASBR-PE2-Vlanif12] ipv6 address 2003::2 64
[ASBR-PE2-Vlanif12] quit
# Configure ASBR-PE1: establish an EBGP peer relationship with ASBR-PE2.
[ASBR-PE1] bgp 100
[ASBR-PE1-bgp] ipv6-family vpn-instance vpn1
[ASBR-PE1-bgp6-vpn1] peer 2003::2 as-number 200
[ASBR-PE1-bgp6-vpn1] import-route direct
[ASBR-PE1-bgp6-vpn1] quit
[ASBR-PE1-bgp] quit
# Configure ASBR-PE2: establish an EBGP peer relationship with ASBR-PE1.
[ASBR-PE2] bgp 200
[ASBR-PE2-bgp] ipv6-family vpn-instance vpn1
[ASBR-PE2-bgp6-vpn1] peer 2003::1 as-number 100
[ASBR-PE2-bgp6-vpn1] import-route direct
[ASBR-PE2-bgp6-vpn1] quit
[ASBR-PE2-bgp] quit
After the configuration is complete, run the display bgp vpnv6 vpn-instance peer command to verify that the BGP peer relationship between the ASBR-PEs has been established and is in the Established state.
- Verify the configuration.
After the preceding configuration is complete, the CEs can learn each other's interface routes, and CE1 and CE2 can ping each other.
[CE1] ping ipv6 2002::1
  PING 2002::1 : 56  data bytes, press CTRL_C to break
    Reply from 2002::1
    bytes=56 Sequence=1 hop limit=60  time = 94 ms
    Reply from 2002::1
    bytes=56 Sequence=2 hop limit=60  time = 109 ms
    Reply from 2002::1
    bytes=56 Sequence=3 hop limit=60  time = 110 ms
    Reply from 2002::1
    bytes=56 Sequence=4 hop limit=60  time = 94 ms
    Reply from 2002::1
    bytes=56 Sequence=5 hop limit=60  time = 110 ms
  --- 2002::1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 94/103/110 ms
Run the display ipv6 routing-table vpn-instance command on an ASBR-PE to view the routing table that the ASBR-PE maintains for the IPv6 VPN.
[ASBR1] display ipv6 routing-table vpn-instance vpn1
Routing Table : vpn1
         Destinations : 5        Routes : 5

 Destination  : 2001::                          PrefixLength : 64
 NextHop      : ::FFFF:1.1.1.9                  Preference   : 255
 Cost         : 0                               Protocol     : BGP
 RelayNextHop : ::                              TunnelID     : 0xa0010082
 Interface    : Vlanif11                        Flags        : RD

 Destination  : 2002::                          PrefixLength : 64
 NextHop      : 2003::2                         Preference   : 255
 Cost         : 0                               Protocol     : BGP
 RelayNextHop : ::                              TunnelID     : 0x0
 Interface    : Vlanif12                        Flags        : D

 Destination  : 2003::                          PrefixLength : 64
 NextHop      : 2003::1                         Preference   : 0
 Cost         : 0                               Protocol     : Direct
 RelayNextHop : ::                              TunnelID     : 0x0
 Interface    : Vlanif12                        Flags        : D

 Destination  : 2003::1                         PrefixLength : 128
 NextHop      : ::1                             Preference   : 0
 Cost         : 0                               Protocol     : Direct
 RelayNextHop : ::                              TunnelID     : 0x0
 Interface    : Vlanif12                        Flags        : D

 Destination  : FE80::                          PrefixLength : 10
 NextHop      : ::                              Preference   : 0
 Cost         : 0                               Protocol     : Direct
 RelayNextHop : ::                              TunnelID     : 0x0
 Interface    : NULL0                           Flags        : D
Run the display bgp vpnv6 all routing-table command on an ASBR-PE to view the VPN-IPv6 routes on the ASBR-PE.
[ASBR-PE1] display bgp vpnv6 all routing-table
 BGP Local router ID is 2.2.2.9
 Status codes: * - valid, > - best, d - damped,
               h - history, i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete

 Total number of routes from all PE: 4
 Route Distinguisher: 100:1

 *>i Network  : 2001::                          PrefixLen : 64
     NextHop  : ::FFFF:1.1.1.9                  LocPrf    : 100
     MED      : 0                               PrefVal   : 0
     Label    : 105472
     Path/Ogn : ?

 Route Distinguisher: 100:2

 *>  Network  : 2002::                          PrefixLen : 64
     NextHop  : 2003::2                         LocPrf    :
     MED      :                                 PrefVal   : 0
     Label    : NULL
     Path/Ogn : 200 ?
 *>  Network  : 2003::                          PrefixLen : 64
     NextHop  : ::                              LocPrf    :
     MED      : 0                               PrefVal   : 0
     Label    : NULL
     Path/Ogn : ?
 *
     NextHop  : 2003::2                         LocPrf    :
     MED      : 0                               PrefVal   : 0
     Label    : NULL
     Path/Ogn : 200 ?

 VPN-Instance vpn1 :

 Total Number of Routes: 4
 *>i Network  : 2001::                          PrefixLen : 64
     NextHop  : ::FFFF:1.1.1.9                  LocPrf    : 100
     MED      : 0                               PrefVal   : 0
     Label    : 105472
     Path/Ogn : ?
 *>  Network  : 2002::                          PrefixLen : 64
     NextHop  : 2003::2                         LocPrf    :
     MED      :                                 PrefVal   : 0
     Label    : NULL
     Path/Ogn : 200 ?
 *>  Network  : 2003::                          PrefixLen : 64
     NextHop  : ::                              LocPrf    :
     MED      : 0                               PrefVal   : 0
     Label    : NULL
     Path/Ogn : ?
 *
     NextHop  : 2003::2                         LocPrf    :
     MED      : 0                               PrefVal   : 0
     Label    : NULL
     Path/Ogn : 200 ?
Configuration Files
Configuration file of CE1
#
sysname CE1
#
ipv6
#
vlan batch 10
#
interface Vlanif10
 ipv6 enable
 ipv6 address 2001::1/64
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
#
bgp 65001
 router-id 10.10.10.10
 peer 2001::2 as-number 100
 #
 ipv6-family unicast
  undo synchronization
  import-route direct
  peer 2001::2 enable
#
return
Configuration file of PE1
#
sysname PE1
#
ipv6
#
vlan batch 10 to 11
#
ip vpn-instance vpn1
 ipv6-family
  route-distinguisher 100:1
  vpn-target 1:1 export-extcommunity
  vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Vlanif10
 ip binding vpn-instance vpn1
 ipv6 enable
 ipv6 address 2001::2/64
#
interface Vlanif11
 ip address 172.1.1.2 255.255.255.0
 mpls
 mpls ldp
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 11
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface LoopBack1
 ip address 1.1.1.9 255.255.255.255
#
bgp 100
 peer 2.2.2.9 as-number 100
 peer 2.2.2.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 2.2.2.9 enable
 #
 ipv6-family vpnv6
  policy vpn-target
  peer 2.2.2.9 enable
 #
 ipv6-family vpn-instance vpn1
  import-route direct
  peer 2001::1 as-number 65001
#
ospf 1
 area 0.0.0.0
  network 1.1.1.9 0.0.0.0
  network 172.1.1.0 0.0.0.255
#
return
Configuration file of ASBR-PE1
#
sysname ASBR-PE1
#
ipv6
#
vlan batch 11 to 12
#
ip vpn-instance vpn1
 ipv6-family
  route-distinguisher 100:2
  vpn-target 1:1 export-extcommunity
  vpn-target 1:1 import-extcommunity
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif11
 ip address 172.1.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface Vlanif12
 ipv6 enable
 ip binding vpn-instance vpn1
 ipv6 address 2003::1/64
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 11
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 12
#
interface LoopBack1
 ip address 2.2.2.9 255.255.255.255
#
bgp 100
 peer 1.1.1.9 as-number 100
 peer 1.1.1.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 1.1.1.9 enable
 #
 ipv6-family vpnv6
  policy vpn-target
  peer 1.1.1.9 enable
 #
 ipv6-family vpn-instance vpn1
  import-route direct
  peer 2003::2 as-number 200
#
ospf 1
 area 0.0.0.0
  network 2.2.2.9 0.0.0.0
  network 172.1.1.0 0.0.0.255
#
return
Configuration file of ASBR-PE2
#
sysname ASBR-PE2
#
ipv6
#
vlan batch 12 22
#
ip vpn-instance vpn1
 ipv6-family
  route-distinguisher 200:2
  vpn-target 2:2 export-extcommunity
  vpn-target 2:2 import-extcommunity
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface Vlanif12
 ipv6 enable
 ip binding vpn-instance vpn1
 ipv6 address 2003::2/64
#
interface Vlanif22
 ip address 162.1.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 22
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 12
#
interface LoopBack1
 ip address 3.3.3.9 255.255.255.255
#
bgp 200
 peer 4.4.4.9 as-number 200
 peer 4.4.4.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 4.4.4.9 enable
 #
 ipv6-family vpnv6
  policy vpn-target
  peer 4.4.4.9 enable
 #
 ipv6-family vpn-instance vpn1
  import-route direct
  peer 2003::1 as-number 100
#
ospf 1
 area 0.0.0.0
  network 3.3.3.9 0.0.0.0
  network 162.1.1.0 0.0.0.255
#
return
Configuration file of PE2
#
sysname PE2
#
ipv6
#
vlan batch 10 22
#
ip vpn-instance vpn1
 ipv6-family
  route-distinguisher 200:1
  vpn-target 2:2 export-extcommunity
  vpn-target 2:2 import-extcommunity
#
mpls lsr-id 4.4.4.9
mpls
#
mpls ldp
#
interface Vlanif10
 ipv6 enable
 ip binding vpn-instance vpn1
 ipv6 address 2002::2/64
#
interface Vlanif22
 ip address 162.1.1.2 255.255.255.0
 mpls
 mpls ldp
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 22
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface LoopBack1
 ip address 4.4.4.9 255.255.255.255
#
bgp 200
 peer 3.3.3.9 as-number 200
 peer 3.3.3.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 3.3.3.9 enable
 #
 ipv6-family vpnv6
  policy vpn-target
  peer 3.3.3.9 enable
 #
 ipv6-family vpn-instance vpn1
  import-route direct
  peer 2002::1 as-number 65002
#
ospf 1
 area 0.0.0.0
  network 4.4.4.9 0.0.0.0
  network 162.1.1.0 0.0.0.255
#
return
Configuration file of CE2
#
sysname CE2
#
ipv6
#
vlan batch 10
#
interface Vlanif10
 ipv6 enable
 ipv6 address 2002::1/64
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
#
bgp 65002
 router-id 20.20.20.20
 peer 2002::2 as-number 200
 #
 ipv6-family unicast
  undo synchronization
  import-route direct
  peer 2002::2 enable
#
return
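The VPN-Target rule from the basic BGP/MPLS IPv6 VPN step (targets must match between the PE and ASBR-PE inside one AS, but not across ASs) can be checked offline against saved configuration files. The script below is an added example, not part of the original page or of any Huawei tool; the names excerpt, parse and check are hypothetical, and the sample input is constructed from the RD and VPN-target values in the configuration files above.

```python
import re
from collections import defaultdict

def excerpt(asn, rd, rt):
    """Constructed config excerpt in the layout of the files on this page."""
    return (f"ip vpn-instance vpn1\n ipv6-family\n  route-distinguisher {rd}\n"
            f"  vpn-target {rt} export-extcommunity\n"
            f"  vpn-target {rt} import-extcommunity\n#\nbgp {asn}\n#\nreturn\n")

# Constructed sample input using the RD / VPN-target values from the files above.
SAMPLE = {
    "PE1": excerpt(100, "100:1", "1:1"),
    "ASBR-PE1": excerpt(100, "100:2", "1:1"),
    "ASBR-PE2": excerpt(200, "200:2", "2:2"),
    "PE2": excerpt(200, "200:1", "2:2"),
}

def parse(cfg):
    """Return (local AS, {instance: {'rd', 'export', 'import'}}) for one device."""
    asn, inst, cur = None, {}, None
    for line in (raw.strip() for raw in cfg.splitlines()):
        if m := re.fullmatch(r"bgp (\d+)", line):
            asn, cur = int(m.group(1)), None
        elif m := re.fullmatch(r"ip vpn-instance (\S+)", line):
            cur = inst.setdefault(m.group(1), {"rd": None, "export": set(), "import": set()})
        elif line == "#":
            cur = None  # '#' closes the current configuration section
        elif cur is not None and (m := re.fullmatch(r"route-distinguisher (\S+)", line)):
            cur["rd"] = m.group(1)
        elif cur is not None and (m := re.fullmatch(r"vpn-target (.+) (export|import)-extcommunity", line)):
            cur[m.group(2)].update(m.group(1).split())
    return asn, inst

def check(configs):
    """List device pairs in the same AS and instance whose VPN-targets do not match."""
    groups = defaultdict(list)
    for dev, cfg in configs.items():
        asn, inst = parse(cfg)
        for name, vrf in inst.items():
            groups[(asn, name)].append((dev, vrf))
    findings = []
    for (asn, name), members in groups.items():
        for src, a in members:
            for dst, b in members:
                if src != dst and not a["export"] & b["import"]:
                    findings.append(f"AS{asn} {name}: {dst} imports none of "
                                    f"{src}'s export targets {sorted(a['export'])}")
    return findings

if __name__ == "__main__":
    print(check(SAMPLE) or "VPN-targets match inside each AS")
```

An empty result for the four backbone devices confirms that 1:1 is used consistently in AS100 and 2:2 in AS200; a device whose targets drift from its AS peers is reported in both directions.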