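Example for Configuring VPN FRR
Networking Requirements
As shown in Figure 2-63, a backup next hop must be configured on PE1 so that PE3 backs up PE2 and traffic can be quickly switched to PE3 if PE2 fails.
Ensure that STP is disabled on the interconnected interfaces in this scenario, and remove those interfaces from VLAN 1 to prevent loops. On a ring network where STP is enabled, building the Layer 3 network with the switches' VLANIF interfaces causes a port to be blocked, so Layer 3 services cannot run properly.
Configuration Roadmap
The configuration roadmap for VPN FRR is as follows:
- Configure OSPF on the MPLS backbone network (PE1, PE2, and PE3) so that the backbone devices can reach each other.
- Configure basic MPLS capabilities on the MPLS backbone network and enable MPLS LDP to establish LDP LSPs.
- Configure a VPN instance on each PE (PE1, PE2, and PE3), and connect CE1 to PE2 and PE3.
- Establish EBGP peer relationships between the PEs and CE1 and import VPN routes. Establish MP-IBGP peer relationships between the PEs.
- Configure a VPN FRR route-policy on PE1, configure the backup next hop, and enable VPN FRR. When VPN FRR is no longer needed, disable it with the undo vpn frr command.
- Configure the backup next hop on PE1 so that PE3 backs up PE2 and traffic can be quickly switched to PE3 if PE2 fails.
Procedure
- Add each interface to its VLAN, and configure IP addresses for the VLANIF and loopback interfaces. Figure 2-63 gives the specific values.
# Configure PE1. The configurations of PE2, PE3, and CE1 are similar to that of PE1 and are not repeated here.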
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.1 32
[PE1-LoopBack1] quit
[PE1] vlan batch 10 30
[PE1] interface gigabitethernet 2/0/2
[PE1-GigabitEthernet2/0/2] port link-type trunk
[PE1-GigabitEthernet2/0/2] port trunk allow-pass vlan 10
[PE1-GigabitEthernet2/0/2] quit
[PE1] interface gigabitethernet 3/0/3
[PE1-GigabitEthernet3/0/3] port link-type trunk
[PE1-GigabitEthernet3/0/3] port trunk allow-pass vlan 30
[PE1-GigabitEthernet3/0/3] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] ip address 100.1.1.1 30
[PE1-Vlanif10] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] ip address 100.2.1.1 30
[PE1-Vlanif30] quit
- Configure OSPF on the MPLS backbone network so that the backbone PEs can reach each other.
# Configure PE1. The configurations of PE2 and PE3 are similar to that of PE1 and are not repeated here.
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 100.1.1.0 0.0.0.3
[PE1-ospf-1-area-0.0.0.0] network 100.2.1.0 0.0.0.3
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
- Configure basic MPLS capabilities and MPLS LDP on the MPLS backbone network to establish LDP LSPs.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.1
[PE1] mpls
[PE1-mpls] label advertise non-null
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] mpls
[PE1-Vlanif10] mpls ldp
[PE1-Vlanif10] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] mpls
[PE1-Vlanif30] mpls ldp
[PE1-Vlanif30] quit
# Configure PE2.
[PE2] mpls lsr-id 2.2.2.2
[PE2] mpls
[PE2-mpls] label advertise non-null
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 10
[PE2-Vlanif10] mpls
[PE2-Vlanif10] mpls ldp
[PE2-Vlanif10] quit
# Configure PE3.
[PE3] mpls lsr-id 3.3.3.3
[PE3] mpls
[PE3-mpls] label advertise non-null
[PE3-mpls] quit
[PE3] mpls ldp
[PE3-mpls-ldp] quit
[PE3] interface vlanif 30
[PE3-Vlanif30] mpls
[PE3-Vlanif30] mpls ldp
[PE3-Vlanif30] quit
Run the display mpls lsp command on the PEs at this point. The output shows that the LSPs between PE1 and PE2 and between PE1 and PE3 have been established. The display on PE1 is used as an example:
[PE1] display mpls lsp
Flag after Out IF: (I) - LSP Is Only Iterated by RLFA
-------------------------------------------------------------------------------
                 LSP Information: LDP LSP
-------------------------------------------------------------------------------
FEC                In/Out Label  In/Out IF                      Vrf Name
1.1.1.1/32         1024/NULL     -/-
2.2.2.2/32         NULL/1025     -/Vlanif10
2.2.2.2/32         1025/1025     -/Vlanif10
3.3.3.3/32         NULL/1026     -/Vlanif30
3.3.3.3/32         1026/1026     -/Vlanif30
- Configure VPN instances on the PEs and connect the CE to the PEs.
# Configure PE1.
[PE1] ip vpn-instance vpn1
[PE1-vpn-instance-vpn1] ipv4-family
[PE1-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1
[PE1-vpn-instance-vpn1-af-ipv4] vpn-target 111:1
[PE1-vpn-instance-vpn1-af-ipv4] quit
[PE1-vpn-instance-vpn1] quit
# Configure PE2.
[PE2] ip vpn-instance vpn1
[PE2-vpn-instance-vpn1] ipv4-family
[PE2-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:2
[PE2-vpn-instance-vpn1-af-ipv4] vpn-target 111:1
[PE2-vpn-instance-vpn1-af-ipv4] quit
[PE2-vpn-instance-vpn1] quit
[PE2] interface vlanif 20
[PE2-Vlanif20] ip binding vpn-instance vpn1
[PE2-Vlanif20] ip address 10.1.1.2 30
[PE2-Vlanif20] quit
# Configure PE3.
[PE3] ip vpn-instance vpn1
[PE3-vpn-instance-vpn1] ipv4-family
[PE3-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:3
[PE3-vpn-instance-vpn1-af-ipv4] vpn-target 111:1
[PE3-vpn-instance-vpn1-af-ipv4] quit
[PE3-vpn-instance-vpn1] quit
[PE3] interface vlanif 40
[PE3-Vlanif40] ip binding vpn-instance vpn1
[PE3-Vlanif40] ip address 10.2.1.2 30
[PE3-Vlanif40] quit
- On PE1, import direct VPN routes. Establish EBGP peer relationships between PE2 and CE1 and between PE3 and CE1, and import VPN routes.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpn1
[PE1-bgp-vpn1] import-route direct
[PE1-bgp-vpn1] quit
[PE1-bgp] quit
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] ipv4-family vpn-instance vpn1
[PE2-bgp-vpn1] peer 10.1.1.1 as-number 65410
[PE2-bgp-vpn1] import-route direct
[PE2-bgp-vpn1] quit
[PE2-bgp] quit
# Configure PE3.
[PE3] bgp 100
[PE3-bgp] ipv4-family vpn-instance vpn1
[PE3-bgp-vpn1] peer 10.2.1.1 as-number 65410
[PE3-bgp-vpn1] import-route direct
[PE3-bgp-vpn1] quit
[PE3-bgp] quit
# Configure CE1.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] peer 10.2.1.2 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] network 10.3.1.0 24
[CE1-bgp] quit
After this step is complete, run the display bgp vpnv4 all peer command on PE2 and PE3. The output shows that the EBGP peer relationships between PE2 and CE1 and between PE3 and CE1 have been established, with the state "Established".
The display on PE2 is used as an example:
[PE2] display bgp vpnv4 all peer

 BGP local router ID : 2.2.2.2
 Local AS number : 100
 Total number of peers : 1                 Peers in established state : 1

  Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv

  Peer of IPv4-family for vpn instance :

  VPN-Instance vpn1, Router ID 2.2.2.2:
  10.1.1.1        4 65410        1        1     0 00:00:57 Established       1
- Establish MP-IBGP peer relationships between the PEs.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 2.2.2.2 as-number 100
[PE1-bgp] peer 2.2.2.2 connect-interface loopback 1
[PE1-bgp] peer 3.3.3.3 as-number 100
[PE1-bgp] peer 3.3.3.3 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 2.2.2.2 enable
[PE1-bgp-af-vpnv4] peer 3.3.3.3 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.1 as-number 100
[PE2-bgp] peer 1.1.1.1 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.1 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit
# Configure PE3.
[PE3] bgp 100
[PE3-bgp] peer 1.1.1.1 as-number 100
[PE3-bgp] peer 1.1.1.1 connect-interface loopback 1
[PE3-bgp] ipv4-family vpnv4
[PE3-bgp-af-vpnv4] peer 1.1.1.1 enable
[PE3-bgp-af-vpnv4] quit
[PE3-bgp] quit
After this step is complete, run the display bgp vpnv4 all peer command on the PEs. The output shows that the MP-IBGP peer relationships have been established, with the state "Established".
The display on PE1 is used as an example:
[PE1] display bgp vpnv4 all peer

 BGP local router ID : 1.1.1.1
 Local AS number : 100
 Total number of peers : 2                 Peers in established state : 2

  Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv

  2.2.2.2         4   100        3        4     0 00:00:26 Established       1
  3.3.3.3         4   100        5        4     0 00:00:24 Established       4
- Configure the VPN FRR route-policy.
[PE1] ip ip-prefix vpn_frr_list permit 2.2.2.2 32
[PE1] route-policy vpn_frr_rp permit node 10
[PE1-route-policy] if-match ip next-hop ip-prefix vpn_frr_list
[PE1-route-policy] apply backup-nexthop 3.3.3.3
[PE1-route-policy] quit
- Enable VPN FRR.
[PE1] ip vpn-instance vpn1
[PE1-vpn-instance-vpn1] vpn frr route-policy vpn_frr_rp
[PE1-vpn-instance-vpn1] quit
# Check the backup next hop, backup label, and backup tunnel ID.
[PE1] display ip routing-table vpn-instance vpn1 10.3.1.0 verbose
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : vpn1
Summary Count : 1

Destination: 10.3.1.0/24
     Protocol: IBGP             Process ID: 0
   Preference: 255                    Cost: 0
      NextHop: 2.2.2.2           Neighbour: 2.2.2.2
        State: Active Adv Relied       Age: 00h00m56s
          Tag: 0                  Priority: low
        Label: 1026                QoSInfo: 0x0
   IndirectID: 0x1b
 RelayNextHop: 100.1.1.2         Interface: Vlanif10
     TunnelID: 0x4800009a            Flags: RD
    BkNextHop: 3.3.3.3         BkInterface: Vlanif30
      BkLabel: 1027            SecTunnelID: 0x0
 BkPETunnelID: 0x4800009c  BkPESecTunnelID: 0x0
 BkIndirectID: 0x1e
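In this example, both PE2 and PE3 advertise the route 10.3.1.0/24 to PE1, and the BGP attributes of the two routes are identical. PE1 prefers the route advertised by PE2, that is, Link_A, only because PE2 has the smaller router ID. If PE2's router ID is larger than PE3's in a real deployment, PE1 selects Link_B as the primary link, and the configuration above then leaves VPN FRR ineffective. To prevent this, modify the attributes of the VPNv4 routes in the BGP-VPNv4 address family so that PE1 always prefers Link_A. There are many ways to modify VPNv4 route attributes; the following two are commonly used.
- On PE1, set a higher preferred value (PrefVal) in the BGP-VPNv4 address family for the routes received from PE2. The configuration is as follows:
route-policy policy1 permit node 10
 apply preferred-value 100
#
bgp 100
 #
 ipv4-family vpnv4
  peer 2.2.2.2 route-policy policy1 import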
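- Alternatively, on PE2, set a higher local preference (Local_Pref) in the BGP-VPNv4 address family for the routes it advertises. The configuration is as follows:
route-policy policy2 permit node 10
 apply local-preference 200
#
bgp 100
 #
 ipv4-family vpnv4
  peer 1.1.1.1 route-policy policy2 export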
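The following check is an added example, not part of the original configuration guide. It parses the verbose route display from PE1 and reports when the primary next hop is not the one the route-policy matches or when no backup path is installed. The function names, the `NO_BACKUP` sample, and the reading of an all-zero BkPETunnelID as "no backup tunnel" are assumptions.

```python
import re

# Excerpt of the PE1 output shown on this page (primary PE2, backup PE3).
PAGE_OUTPUT = """
NextHop: 2.2.2.2          Neighbour: 2.2.2.2
Label: 1026               QoSInfo: 0x0
RelayNextHop: 100.1.1.2   Interface: Vlanif10
BkNextHop: 3.3.3.3        BkInterface: Vlanif30
BkLabel: 1027             SecTunnelID: 0x0
BkPETunnelID: 0x4800009c  BkPESecTunnelID: 0x0
"""
# Constructed sample (not from the page): PE3 was preferred, so no backup exists.
NO_BACKUP = """
NextHop: 3.3.3.3          Neighbour: 3.3.3.3
RelayNextHop: 100.2.1.2   Interface: Vlanif30
BkNextHop: 0.0.0.0        BkInterface:
BkLabel: NULL             SecTunnelID: 0x0
BkPETunnelID: 0x0         BkPESecTunnelID: 0x0
"""
IP = r"(\d+\.\d+\.\d+\.\d+)"
# The lookbehind stops "NextHop" from matching inside RelayNextHop/BkNextHop.
FIELDS = {
    "NextHop": r"(?<![A-Za-z])NextHop:\s*" + IP,
    "BkNextHop": r"(?<![A-Za-z])BkNextHop:\s*" + IP,
    "BkLabel": r"(?<![A-Za-z])BkLabel:\s*(\d+)",
    "BkPETunnelID": r"(?<![A-Za-z])BkPETunnelID:\s*(0x[0-9a-fA-F]+)",
}

def parse_route(output):
    """Extract the FRR-relevant fields from one verbose route entry."""
    hits = {k: re.search(p, output) for k, p in FIELDS.items()}
    return {k: m.group(1) for k, m in hits.items() if m}

def check_vpn_frr(output, primary, backup):
    """Return a list of problems; empty means the backup path is installed."""
    r, problems = parse_route(output), []
    if r.get("NextHop") != primary:
        problems.append(f"primary next hop is {r.get('NextHop')}, not {primary}")
    if r.get("BkNextHop") in (None, "0.0.0.0"):
        problems.append("no backup next hop installed")
    elif r["BkNextHop"] != backup:
        problems.append(f"backup next hop is {r['BkNextHop']}, not {backup}")
    if "BkLabel" not in r:
        problems.append("no backup label")
    # Assumption: an all-zero BkPETunnelID means no backup tunnel is bound.
    if int(r.get("BkPETunnelID", "0x0"), 16) == 0:
        problems.append("no backup PE tunnel")
    return problems

if __name__ == "__main__":
    print(check_vpn_frr(PAGE_OUTPUT, "2.2.2.2", "3.3.3.3"))
    print(check_vpn_frr(NO_BACKUP, "2.2.2.2", "3.3.3.3"))
```

Running it against captured output after every BGP policy or router ID change catches the silent case described above, where PE1 prefers Link_B and the route-policy no longer matches.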
Configuration Files
Configuration file of PE1
#
sysname PE1
#
vlan batch 10 30
#
ip vpn-instance vpn1
 ipv4-family
  route-distinguisher 100:1
  vpn frr route-policy vpn_frr_rp
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
mpls lsr-id 1.1.1.1
mpls
 label advertise non-null
#
mpls ldp
#
interface Vlanif10
 ip address 100.1.1.1 255.255.255.252
 mpls
 mpls ldp
#
interface Vlanif30
 ip address 100.2.1.1 255.255.255.252
 mpls
 mpls ldp
#
interface GigabitEthernet2/0/2
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet3/0/3
 port link-type trunk
 port trunk allow-pass vlan 30
#
interface LoopBack1
 ip address 1.1.1.1 255.255.255.255
#
bgp 100
 peer 2.2.2.2 as-number 100
 peer 2.2.2.2 connect-interface LoopBack1
 peer 3.3.3.3 as-number 100
 peer 3.3.3.3 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 2.2.2.2 enable
  peer 3.3.3.3 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 2.2.2.2 enable
  peer 3.3.3.3 enable
 #
 ipv4-family vpn-instance vpn1
  import-route direct
#
ospf 1
 area 0.0.0.0
  network 1.1.1.1 0.0.0.0
  network 100.1.1.0 0.0.0.3
  network 100.2.1.0 0.0.0.3
#
route-policy vpn_frr_rp permit node 10
 if-match ip next-hop ip-prefix vpn_frr_list
 apply backup-nexthop 3.3.3.3
#
ip ip-prefix vpn_frr_list index 10 permit 2.2.2.2 32
#
return
Configuration file of PE2
#
sysname PE2
#
vlan batch 10 20
#
ip vpn-instance vpn1
 ipv4-family
  route-distinguisher 100:2
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
mpls lsr-id 2.2.2.2
mpls
 label advertise non-null
#
mpls ldp
#
interface Vlanif10
 ip address 100.1.1.2 255.255.255.252
 mpls
 mpls ldp
#
interface Vlanif20
 ip binding vpn-instance vpn1
 ip address 10.1.1.2 255.255.255.252
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet2/0/2
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface LoopBack1
 ip address 2.2.2.2 255.255.255.255
#
bgp 100
 peer 1.1.1.1 as-number 100
 peer 1.1.1.1 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 1.1.1.1 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 1.1.1.1 enable
 #
 ipv4-family vpn-instance vpn1
  import-route direct
  peer 10.1.1.1 as-number 65410
#
ospf 1
 area 0.0.0.0
  network 2.2.2.2 0.0.0.0
  network 100.1.1.0 0.0.0.3
#
return
Configuration file of PE3
#
sysname PE3
#
vlan batch 30 40
#
ip vpn-instance vpn1
 ipv4-family
  route-distinguisher 100:3
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
mpls lsr-id 3.3.3.3
mpls
 label advertise non-null
#
mpls ldp
#
interface Vlanif30
 ip address 100.2.1.2 255.255.255.252
 mpls
 mpls ldp
#
interface Vlanif40
 ip binding vpn-instance vpn1
 ip address 10.2.1.2 255.255.255.252
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 30
#
interface GigabitEthernet2/0/2
 port link-type trunk
 port trunk allow-pass vlan 40
#
interface LoopBack1
 ip address 3.3.3.3 255.255.255.255
#
bgp 100
 peer 1.1.1.1 as-number 100
 peer 1.1.1.1 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 1.1.1.1 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 1.1.1.1 enable
 #
 ipv4-family vpn-instance vpn1
  import-route direct
  peer 10.2.1.1 as-number 65410
#
ospf 1
 area 0.0.0.0
  network 3.3.3.3 0.0.0.0
  network 100.2.1.0 0.0.0.3
#
return
Configuration file of CE1
#
sysname CE1
#
vlan batch 20 40 50
#
interface Vlanif20
 ip address 10.1.1.1 255.255.255.252
#
interface Vlanif40
 ip address 10.2.1.1 255.255.255.252
#
interface Vlanif50
 ip address 10.3.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface GigabitEthernet2/0/2
 port link-type trunk
 port trunk allow-pass vlan 40
#
interface GigabitEthernet3/0/3
 port link-type trunk
 port trunk allow-pass vlan 50
#
bgp 65410
 peer 10.1.1.2 as-number 100
 peer 10.2.1.2 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  network 10.3.1.0 255.255.255.0
  import-route direct
  peer 10.1.1.2 enable
  peer 10.2.1.2 enable
#
return