Example for Configuring a CE to Access a VPN Through a GRE Tunnel That Traverses Another VPN
Networking Requirements
As shown in Figure 1-16:
PE1 and PE2 are located on the MPLS backbone network of the tier-1 carrier.
vpn2 is a VPN of the tier-2 carrier; its CE1 is directly connected to PE1 of the tier-1 carrier.
CE2 and CE3 are customer devices. CE2 is directly connected to PE2 of the tier-1 carrier, and CE3 is directly connected to CE1 of the tier-2 carrier. CE2 and CE3 belong to the same VPN, vpn1, and must be able to communicate with each other.
Configuration Roadmap
PE1 has no interface directly connected to CE3, so the VPN instance cannot be bound to a physical interface. Instead, a GRE tunnel is set up between CE3 and PE1 that traverses the other VPN, and on PE1 the VPN is bound to the GRE tunnel, so that CE3 accesses the VPN through the tunnel.
The roadmap for configuring a CE to access a VPN through a GRE tunnel that traverses another VPN is as follows:
Run OSPF (process 10) on the tier-1 carrier's backbone devices PE1 and PE2 so that they can reach each other, and enable MPLS.
Configure vpn2 on PE1, and run OSPF process 20 on PE1, CE1 and CE3 so that the customer device CE3, the tier-2 carrier's CE1 and the tier-1 carrier's PE1 can reach each other.
Set up a GRE tunnel between CE3 and PE1. Note that CE3 reaches PE1 through vpn2, and the PE1 interface directly connected to CE1 is already bound to vpn2, so the CE3 interface connected to CE1 and the PE1 interface connected to CE1 both belong to vpn2. When configuring the GRE tunnel to CE3 on PE1, the tunnel destination address must therefore be specified as belonging to vpn2.
Create the VPN instance vpn1 on PE1 and PE2. On PE1, bind vpn1 to the GRE tunnel interface; on PE2, bind vpn1 to the physical interface connected to CE2.
Configure routing between the CEs and the PEs. This example uses IS-IS.
Configure BGP between the PEs so that CE2 and CE3 can communicate with each other.
Procedure
- Configure IP addresses for the interfaces
# Configure CE3.
<HUAWEI> system-view
[HUAWEI] sysname CE3
[CE3] vlan batch 10 20
[CE3] interface gigabitethernet 1/0/0
[CE3-GigabitEthernet1/0/0] port link-type access
[CE3-GigabitEthernet1/0/0] port default vlan 10
[CE3-GigabitEthernet1/0/0] quit
[CE3] interface gigabitethernet 2/0/0
[CE3-GigabitEthernet2/0/0] port link-type trunk
[CE3-GigabitEthernet2/0/0] port trunk allow-pass vlan 20
[CE3-GigabitEthernet2/0/0] quit
[CE3] interface vlanif 10
[CE3-Vlanif10] ip address 10.1.1.2 24
[CE3-Vlanif10] quit
[CE3] interface vlanif 20
[CE3-Vlanif20] ip address 30.1.1.1 24
[CE3-Vlanif20] quit
# Configure CE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 10 20
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] port link-type trunk
[CE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 20
[CE1-GigabitEthernet1/0/0] quit
[CE1] interface gigabitethernet 2/0/0
[CE1-GigabitEthernet2/0/0] port link-type trunk
[CE1-GigabitEthernet2/0/0] port trunk allow-pass vlan 10
[CE1-GigabitEthernet2/0/0] quit
[CE1] interface vlanif 10
[CE1-Vlanif10] ip address 50.1.1.1 24
[CE1-Vlanif10] quit
[CE1] interface vlanif 20
[CE1-Vlanif20] ip address 30.1.1.2 24
[CE1-Vlanif20] quit
# Configure PE1. Do not configure IP addresses yet on the interfaces that will be bound to VPN instances, because binding an interface to a VPN instance deletes all configuration on that interface.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan batch 10 20
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] port link-type trunk
[PE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type trunk
[PE1-GigabitEthernet2/0/0] port trunk allow-pass vlan 20
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] ip address 110.1.1.1 24
[PE1-Vlanif20] quit
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
# Configure PE2. Do not configure IP addresses yet on the interfaces that will be bound to VPN instances, because binding an interface to a VPN instance deletes all configuration on that interface.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan batch 10 20
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] port link-type trunk
[PE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 20
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] port link-type trunk
[PE2-GigabitEthernet2/0/0] port trunk allow-pass vlan 10
[PE2-GigabitEthernet2/0/0] quit
[PE2] interface vlanif 20
[PE2-Vlanif20] ip address 110.1.1.2 24
[PE2-Vlanif20] quit
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.9 32
[PE2-LoopBack1] quit
# Configure CE2.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan batch 10 20
[CE2] interface gigabitethernet 1/0/0
[CE2-GigabitEthernet1/0/0] port link-type trunk
[CE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE2-GigabitEthernet1/0/0] quit
[CE2] interface gigabitethernet 2/0/0
[CE2-GigabitEthernet2/0/0] port link-type access
[CE2-GigabitEthernet2/0/0] port default vlan 20
[CE2-GigabitEthernet2/0/0] quit
[CE2] interface vlanif 10
[CE2-Vlanif10] ip address 11.1.1.1 24
[CE2-Vlanif10] quit
[CE2] interface vlanif 20
[CE2-Vlanif20] ip address 10.2.1.2 24
[CE2-Vlanif20] quit
- Configure routing and MPLS on the backbone PEs
# Configure PE1: enable MPLS LDP and run OSPF process 10 so that the PEs can reach each other and LSPs are established automatically.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] lsp-trigger all
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] ospf 10
[PE1-ospf-10] area 0
[PE1-ospf-10-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-10-area-0.0.0.0] network 110.1.1.0 0.0.0.255
[PE1-ospf-10-area-0.0.0.0] quit
[PE1-ospf-10] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] mpls
[PE1-Vlanif20] mpls ldp
[PE1-Vlanif20] quit
# Configure PE2: enable MPLS LDP and run OSPF process 10 so that the PEs can reach each other and LSPs are established automatically.
[PE2] mpls lsr-id 3.3.3.9
[PE2] mpls
[PE2-mpls] lsp-trigger all
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] ospf 10
[PE2-ospf-10] area 0
[PE2-ospf-10-area-0.0.0.0] network 3.3.3.9 0.0.0.0
[PE2-ospf-10-area-0.0.0.0] network 110.1.1.0 0.0.0.255
[PE2-ospf-10-area-0.0.0.0] quit
[PE2-ospf-10] quit
[PE2] interface vlanif 20
[PE2-Vlanif20] mpls
[PE2-Vlanif20] mpls ldp
[PE2-Vlanif20] quit
- Create the VPN instance vpn2 on PE1 and bind it to the interface facing the tier-2 carrier
[PE1] ip vpn-instance vpn2
[PE1-vpn-instance-vpn2] route-distinguisher 100:2
[PE1-vpn-instance-vpn2-af-ipv4] vpn-target 222:2 export-extcommunity
[PE1-vpn-instance-vpn2-af-ipv4] vpn-target 222:2 import-extcommunity
[PE1-vpn-instance-vpn2-af-ipv4] quit
[PE1-vpn-instance-vpn2] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] ip binding vpn-instance vpn2
[PE1-Vlanif10] ip address 50.1.1.2 255.255.255.0
[PE1-Vlanif10] quit
- Create the VPN instance vpn1 on PE1 and bind it to the GRE tunnel
[PE1] ip vpn-instance vpn1
[PE1-vpn-instance-vpn1] route-distinguisher 100:1
[PE1-vpn-instance-vpn1-af-ipv4] vpn-target 111:1 export-extcommunity
[PE1-vpn-instance-vpn1-af-ipv4] vpn-target 111:1 import-extcommunity
[PE1-vpn-instance-vpn1-af-ipv4] quit
[PE1-vpn-instance-vpn1] quit
[PE1] interface tunnel 1
[PE1-Tunnel1] ip binding vpn-instance vpn1
[PE1-Tunnel1] ip address 2.2.2.2 255.255.255.0
[PE1-Tunnel1] quit
- Create the VPN instance vpn1 on PE2 and bind it to the customer-facing interface
[PE2] ip vpn-instance vpn1
[PE2-vpn-instance-vpn1] route-distinguisher 200:1
[PE2-vpn-instance-vpn1-af-ipv4] vpn-target 111:1 export-extcommunity
[PE2-vpn-instance-vpn1-af-ipv4] vpn-target 111:1 import-extcommunity
[PE2-vpn-instance-vpn1-af-ipv4] quit
[PE2-vpn-instance-vpn1] quit
[PE2] interface vlanif 10
[PE2-Vlanif10] ip binding vpn-instance vpn1
[PE2-Vlanif10] ip address 11.1.1.2 255.255.255.0
[PE2-Vlanif10] quit
- Configure the tunnel interfaces of the GRE tunnel
# Configure CE3.
[CE3] interface tunnel 1
[CE3-Tunnel1] tunnel-protocol gre
[CE3-Tunnel1] source 30.1.1.1
[CE3-Tunnel1] destination 50.1.1.2
[CE3-Tunnel1] ip address 2.2.2.1 24
[CE3-Tunnel1] quit
# Configure PE1. The tunnel destination is specified as belonging to vpn2, because 30.1.1.1 is reachable only through that VPN instance.
[PE1] interface tunnel 1
[PE1-Tunnel1] tunnel-protocol gre
[PE1-Tunnel1] source 50.1.1.2
[PE1-Tunnel1] destination vpn-instance vpn2 30.1.1.1
[PE1-Tunnel1] quit
- Configure the routing protocol among CE3, CE1 and PE1
# Configure CE3.
[CE3] ospf 20
[CE3-ospf-20] area 0
[CE3-ospf-20-area-0.0.0.0] network 30.1.1.0 0.0.0.255
[CE3-ospf-20-area-0.0.0.0] quit
[CE3-ospf-20] quit
# Configure CE1.
[CE1] ospf 20
[CE1-ospf-20] area 0
[CE1-ospf-20-area-0.0.0.0] network 30.1.1.0 0.0.0.255
[CE1-ospf-20-area-0.0.0.0] network 50.1.1.0 0.0.0.255
[CE1-ospf-20-area-0.0.0.0] quit
[CE1-ospf-20] quit
# Configure PE1. OSPF process 20 runs inside vpn2.
[PE1] ospf 20 vpn-instance vpn2
[PE1-ospf-20] area 0
[PE1-ospf-20-area-0.0.0.0] network 50.1.1.0 0.0.0.255
[PE1-ospf-20-area-0.0.0.0] quit
[PE1-ospf-20] quit
- Configure IS-IS routing between CE3 and PE1
# Configure CE3.
[CE3] isis 50
[CE3-isis-50] network-entity 50.0000.0000.0001.00
[CE3-isis-50] quit
[CE3] interface vlanif 10
[CE3-Vlanif10] isis enable 50
[CE3-Vlanif10] quit
[CE3] interface tunnel 1
[CE3-Tunnel1] isis enable 50
[CE3-Tunnel1] quit
# Configure PE1. IS-IS process 50 runs inside vpn1, the VPN instance bound to the tunnel interface.
[PE1] isis 50 vpn-instance vpn1
[PE1-isis-50] network-entity 50.0000.0000.0002.00
[PE1-isis-50] quit
[PE1] interface tunnel 1
[PE1-Tunnel1] isis enable 50
[PE1-Tunnel1] quit
- Configure IS-IS routing between CE2 and PE2
# Configure CE2.
[CE2] isis 50
[CE2-isis-50] network-entity 50.0000.0000.0004.00
[CE2-isis-50] quit
[CE2] interface vlanif 10
[CE2-Vlanif10] isis enable 50
[CE2-Vlanif10] quit
[CE2] interface vlanif 20
[CE2-Vlanif20] isis enable 50
[CE2-Vlanif20] quit
# Configure PE2.
[PE2] isis 50 vpn-instance vpn1
[PE2-isis-50] network-entity 50.0000.0000.0003.00
[PE2-isis-50] quit
[PE2] interface vlanif 10
[PE2-Vlanif10] isis enable 50
[PE2-Vlanif10] quit
- Establish MP-IBGP peer relationships between the PEs
# Configure PE1: specify PE2 as an IBGP peer, use the loopback interface to set up the IBGP connection, and enable the peer to exchange VPN-IPv4 routes.
[PE1] bgp 100
[PE1-bgp] peer 3.3.3.9 as-number 100
[PE1-bgp] peer 3.3.3.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 3.3.3.9 enable
[PE1-bgp-af-vpnv4] quit
# Enter the BGP view of the VPN instance vpn1 and import the IS-IS routes.
[PE1-bgp] ipv4-family vpn-instance vpn1
[PE1-bgp-vpn1] import-route isis 50
[PE1-bgp-vpn1] quit
[PE1-bgp] quit
# Configure PE2: specify PE1 as an IBGP peer, use the loopback interface to set up the IBGP connection, and enable the peer to exchange VPN-IPv4 routes.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit
# Enter the BGP view of the VPN instance vpn1 and import the IS-IS routes.
[PE2-bgp] ipv4-family vpn-instance vpn1
[PE2-bgp-vpn1] import-route isis 50
[PE2-bgp-vpn1] quit
[PE2-bgp] quit
- Import BGP routes into IS-IS
# Configure PE1.
[PE1] isis 50
[PE1-isis-50] import-route bgp
[PE1-isis-50] quit
# Configure PE2.
[PE2] isis 50
[PE2-isis-50] import-route bgp
[PE2-isis-50] quit
- Verify the configuration
# After the configuration is complete, CE3 and CE2 have routes to each other. Taking CE3 as an example, the IS-IS adjacency to PE1 is up over the tunnel interface, and the route to CE2's network 10.2.1.0/24 points to the tunnel:
[CE3] display isis peer

                          Peer information for ISIS(50)

  System Id     Interface          Circuit Id       State HoldTime Type     PRI
-------------------------------------------------------------------------------
0000.0000.0002  Tun1               0000000001       Up    26s      L1L2     --

Total Peer(s): 1
[CE3] display ip routing-table 10.2.1.0
Proto: Protocol        Pre: Preference
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : Public
Summary Count : 1
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

     10.2.1.0/24  ISIS-L2 15   74        D   2.2.2.2         Tunnel1
Configuration Files
Configuration file of CE3
#
 sysname CE3
#
vlan batch 10 20
#
isis 50
 network-entity 50.0000.0000.0001.00
#
interface Vlanif10
 ip address 10.1.1.2 255.255.255.0
 isis enable 50
#
interface Vlanif20
 ip address 30.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type access
 port default vlan 10
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface Tunnel1
 ip address 2.2.2.1 255.255.255.0
 tunnel-protocol gre
 source 30.1.1.1
 destination 50.1.1.2
 isis enable 50
#
ospf 20
 area 0.0.0.0
  network 30.1.1.0 0.0.0.255
#
return
Configuration file of CE1
#
 sysname CE1
#
vlan batch 10 20
#
interface Vlanif10
 ip address 50.1.1.1 255.255.255.0
#
interface Vlanif20
 ip address 30.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
#
ospf 20
 area 0.0.0.0
  network 30.1.1.0 0.0.0.255
  network 50.1.1.0 0.0.0.255
#
return
Configuration file of PE1
#
 sysname PE1
#
vlan batch 10 20
#
ip vpn-instance vpn1
 ipv4-family
  route-distinguisher 100:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpn2
 ipv4-family
  route-distinguisher 100:2
  vpn-target 222:2 export-extcommunity
  vpn-target 222:2 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
 lsp-trigger all
#
mpls ldp
#
isis 50 vpn-instance vpn1
 network-entity 50.0000.0000.0002.00
 import-route bgp
#
interface Vlanif10
 ip binding vpn-instance vpn2
 ip address 50.1.1.2 255.255.255.0
#
interface Vlanif20
 ip address 110.1.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface LoopBack1
 ip address 1.1.1.9 255.255.255.255
#
interface Tunnel1
 ip binding vpn-instance vpn1
 ip address 2.2.2.2 255.255.255.0
 tunnel-protocol gre
 source 50.1.1.2
 destination vpn-instance vpn2 30.1.1.1
 isis enable 50
#
bgp 100
 peer 3.3.3.9 as-number 100
 peer 3.3.3.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 3.3.3.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 3.3.3.9 enable
 #
 ipv4-family vpn-instance vpn1
  import-route isis 50
#
ospf 10
 area 0.0.0.0
  network 1.1.1.9 0.0.0.0
  network 110.1.1.0 0.0.0.255
#
ospf 20 vpn-instance vpn2
 area 0.0.0.0
  network 50.1.1.0 0.0.0.255
#
return
Configuration file of PE2
#
 sysname PE2
#
vlan batch 10 20
#
ip vpn-instance vpn1
 ipv4-family
  route-distinguisher 200:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
mpls lsr-id 3.3.3.9
mpls
 lsp-trigger all
#
mpls ldp
#
isis 50 vpn-instance vpn1
 network-entity 50.0000.0000.0003.00
 import-route bgp
#
interface Vlanif10
 ip binding vpn-instance vpn1
 ip address 11.1.1.2 255.255.255.0
 isis enable 50
#
interface Vlanif20
 ip address 110.1.1.2 255.255.255.0
 mpls
 mpls ldp
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface LoopBack1
 ip address 3.3.3.9 255.255.255.255
#
bgp 100
 peer 1.1.1.9 as-number 100
 peer 1.1.1.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 1.1.1.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 1.1.1.9 enable
 #
 ipv4-family vpn-instance vpn1
  import-route isis 50
#
ospf 10
 area 0.0.0.0
  network 3.3.3.9 0.0.0.0
  network 110.1.1.0 0.0.0.255
#
return
Configuration file of CE2
#
 sysname CE2
#
vlan batch 10 20
#
isis 50
 network-entity 50.0000.0000.0004.00
#
interface Vlanif10
 ip address 11.1.1.1 255.255.255.0
 isis enable 50
#
interface Vlanif20
 ip address 10.2.1.2 255.255.255.0
 isis enable 50
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet2/0/0
 port link-type access
 port default vlan 20
#
return
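The point the roadmap stresses is easy to get wrong when this design is reproduced: on PE1 the tunnel interface is bound to vpn1 while its destination must be resolved in vpn2, and the tunnel source must be an address that lives in that same vpn2. The Python below is an added consistency check, not part of the Huawei documentation or product; it uses a hypothetical minimal parser for the interface sections of the PE1 and CE3 configuration files above (constructed copies embedded inline) and reports any deviation from the design.

```python
import ipaddress
# Constructed input: the interface sections of the PE1 and CE3 configuration files above.
PE1_CFG = """#
interface Vlanif10
 ip binding vpn-instance vpn2
 ip address 50.1.1.2 255.255.255.0
#
interface Tunnel1
 ip binding vpn-instance vpn1
 ip address 2.2.2.2 255.255.255.0
 tunnel-protocol gre
 source 50.1.1.2
 destination vpn-instance vpn2 30.1.1.1
#"""
CE3_CFG = """#
interface Tunnel1
 ip address 2.2.2.1 255.255.255.0
 tunnel-protocol gre
 source 30.1.1.1
 destination 50.1.1.2
#"""

def parse_interfaces(cfg):  # hypothetical minimal parser for the '#'-separated layout above
    ifaces, cur = {}, {}
    for p in (line.split() for line in cfg.splitlines() if line.strip()):
        if p == ["#"]:  # section separator: stop attributing lines to the last interface
            cur = {}
        elif p[0] == "interface":
            cur = ifaces.setdefault(p[1], {"vpn": None, "dest_vpn": None})
        elif p[:3] == ["ip", "binding", "vpn-instance"]:
            cur["vpn"] = p[3]
        elif p[:2] == ["ip", "address"]:
            cur["addr"] = ipaddress.ip_interface(f"{p[2]}/{p[3]}")
        elif p[0] == "source":
            cur["source"] = p[1]
        elif p[0] == "destination":  # destination [vpn-instance NAME] ADDRESS
            cur["dest"], cur["dest_vpn"] = p[-1], (p[2] if p[1] == "vpn-instance" else None)
    return ifaces

def check_tunnel(pe_cfg, ce_cfg, tunnel="Tunnel1"):
    """Return the design violations found; an empty list means the tunnel matches the design."""
    pe, ct = parse_interfaces(pe_cfg), parse_interfaces(ce_cfg)[tunnel]
    pt = pe[tunnel]
    # The PE's tunnel source must sit in the VPN instance the destination is looked up in (vpn2 here).
    src_vpn = next((i["vpn"] for i in pe.values() if "addr" in i and str(i["addr"].ip) == pt["source"]), "UNKNOWN")
    return [msg for ok, msg in (
        ((pt["source"], pt["dest"]) == (ct["dest"], ct["source"]), "endpoints do not mirror each other"),
        (src_vpn == pt["dest_vpn"], f"source is in {src_vpn} but destination is looked up in {pt['dest_vpn']}"),
        (pt["vpn"] is not None, "PE tunnel interface is not bound to the customer VPN instance"),
    ) if not ok]
```

GRE itself adds neither authentication nor encryption, so this check only confirms that the endpoints and VPN bindings match the design; the vpn1 traffic crosses vpn2 as plain GRE.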