评分并提供意见反馈 :
华为采用机器翻译与人工审校相结合的方式将此文档翻译成不同语言,希望能帮助您更容易理解此文档的内容。 请注意:即使是最好的机器翻译,其准确度也不及专业翻译人员的水平。 华为对于翻译的准确性不承担任何责任,并建议您参考英文文档(已提供链接)。
配置IPv4 VPN over SRv6 BE示例
介绍通过SRv6 BE承载IPv4 VPN业务的配置过程。
组网需求
如图3-5所示:
路由器PE1、P和PE2属于同一自治系统,要求它们之间通过IS-IS协议达到IPv6网络互连的目的。
PE1、P和PE2属于区域1,都是Level-1设备。
要求在PE1和PE2之间建立双向SRv6 BE路径,承载IPv4 VPN业务。
配置思路
采用如下的思路配置IPv4 VPN over SRv6 BE示例:
使能各路由器的IPv6转发能力,配置各接口的IPv6地址。
在各路由器上使能IS-IS,配置Level级别,指定网络实体。
在各路由器配置IS-IS的SRv6能力。
在PE1和PE2上配置VPN实例。
在PE和CE之间建立EBGP对等体关系。
在PE之间建立MP-IBGP对等体关系。
在PE1和PE2上配置SRv6。
数据准备
为完成此配置例,需准备如下的数据:
PE1、P和PE2各接口的IPv6地址。
PE1、P和PE2的区域号。
PE1、P和PE2的级别。
PE1和PE2上VPN实例名称,VPN实例的RD和RT。
操作步骤
- 使能IPv6转发能力,配置各接口的IPv6地址,以PE1为例,其他路由器的配置过程相同,不再赘述
<HUAWEI> system-view [~HUAWEI] sysname PE1 [*HUAWEI] commit [~PE1] interface gigabitethernet 0/1/0 [~PE1-GigabitEthernet0/1/0] ipv6 enable [*PE1-GigabitEthernet0/1/0] ipv6 address 2001::1 96 [*PE1-GigabitEthernet0/1/0] commit
- 配置IS-IS
# 配置PE1。
[~PE1] isis 1[*PE1-isis-1] is-level level-1[*PE1-isis-1] cost-style wide[*PE1-isis-1] network-entity 10.0000.0000.0001.00[*PE1-isis-1] ipv6 enable topology ipv6[*PE1-isis-1] quit[*PE1] interface gigabitethernet 0/1/0
[*PE1-GigabitEthernet0/1/0] isis ipv6 enable 1
[*PE1-GigabitEthernet0/1/0] commit
[~PE1-GigabitEthernet0/1/0] quit
[*PE1] interface loopback1[*PE1-LoopBack1] isis ipv6 enable 1[*PE1-LoopBack1] commit[~PE1-LoopBack1] quit# 配置P。
[~P] isis 1[*P-isis-1] is-level level-1[*P-isis-1] cost-style wide[*P-isis-1] network-entity 10.0000.0000.0002.00[*P-isis-1] ipv6 enable topology ipv6[*P-isis-1] quit[*P] interface gigabitethernet 0/1/0
[*P-GigabitEthernet0/1/0] isis ipv6 enable 1
[*P-GigabitEthernet0/1/0] commit
[~P-GigabitEthernet0/1/0] quit
[*P] interface gigabitethernet 0/2/0
[*P-GigabitEthernet0/2/0] isis ipv6 enable 1
[*P-GigabitEthernet0/2/0] commit
[~P-GigabitEthernet0/2/0] quit
[*P] interface loopback1[*P-LoopBack1] isis ipv6 enable 1[*P-LoopBack1] commit[~P-LoopBack1] quit# 配置PE2。
[~PE2] isis 1[*PE2-isis-1] is-level level-1[*PE2-isis-1] cost-style wide[*PE2-isis-1] network-entity 10.0000.0000.0003.00[*PE2-isis-1] ipv6 enable topology ipv6[*PE2-isis-1] quit[*PE2] interface gigabitethernet 0/1/0
[*PE2-GigabitEthernet0/1/0] isis ipv6 enable 1
[*PE2-GigabitEthernet0/1/0] commit
[*PE2-GigabitEthernet0/1/0] quit
[*PE2] interface loopback1[*PE2-LoopBack1] isis ipv6 enable 1[*PE2-LoopBack1] commit[~PE2-LoopBack1] quit配置完成后,可按如下指导检查IS-IS是否配置成功。
# 显示IS-IS邻居信息。以PE1为例。
[~PE1] display isis peer Peer information for ISIS(1) System Id Interface Circuit Id State HoldTime Type PRI -------------------------------------------------------------------------------- 0000.0000.0002 GE0/1/0 0000.0000.0002.01 Up 8s L1 64 Total Peer(s): 1
# 显示IS-IS路由表信息。以PE1为例。
[~PE1] display isis route Route information for ISIS(1) ----------------------------- ISIS(1) Level-1 Forwarding Table -------------------------------- IPV6 Dest. ExitInterface NextHop Cost Flags -------------------------------------------------------------------------------- 1::1/64 Loop1 Direct 0 D/-/L/- 2::2/64 GE0/1/0 FE80::3A92:6CFF:FE21:10 10 A/-/-/- 3::3/64 GE0/1/0 FE80::3A92:6CFF:FE41:13 10 A/-/-/- 2001::/96 GE0/1/0 Direct 10 D/-/L/- 2002::/96 GE0/1/0 FE80::3A92:6CFF:FE21:10 20 A/-/-/- GE0/1/0 FE80::3A92:6CFF:FE41:13 Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut, U-Up/Down Bit Set, LP-Local Prefix-Sid
- 在PE设备上配置使能IPv4地址族的VPN实例,将CE接入PE
# 配置PE1。
[~PE1] ip vpn-instance vpna[*PE1-vpn-instance-vpna] ipv4-family[*PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1[*PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both[*PE1-vpn-instance-vpna-af-ipv4] quit[*PE1-vpn-instance-vpna] quit[*PE1] interface gigabitethernet 0/2/0
[*PE1-GigabitEthernet0/2/0] ip binding vpn-instance vpna
[*PE1-GigabitEthernet0/2/0] ip address 10.1.1.1 24
[*PE1-GigabitEthernet0/2/0] quit
[*PE1] commit# 配置PE2。
[~PE2] ip vpn-instance vpna[*PE2-vpn-instance-vpna] ipv4-family[*PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 200:1[*PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both[*PE2-vpn-instance-vpna-af-ipv4] quit[*PE2-vpn-instance-vpna] quit[*PE2] interface gigabitethernet 0/2/0
[*PE2-GigabitEthernet0/2/0] ip binding vpn-instance vpna
[*PE2-GigabitEthernet0/2/0] ip address 10.2.1.1 24
[*PE2-GigabitEthernet0/2/0] commit
[*PE2-GigabitEthernet0/2/0] quit
[*PE2] commit# 按图3-5配置各CE的接口IP地址,配置过程请参见后面的配置文件。
配置完成后,在PE设备上执行display ip vpn-instance verbose命令可以看到VPN实例的配置情况。各PE能ping通自己接入的CE。
当PE上有多个绑定了同一个VPN的接口,则使用ping -vpn-instance命令ping对端PE接入的CE时,要指定源IP地址,即要指定ping -vpn-instance vpn-instance-name -a source-ip-address dest-ip-address命令中的参数-a source-ip-address,否则可能ping不通。
- 在PE与CE之间建立EBGP对等体关系
# 配置CE1。
[~CE1] interface loopback 1[*CE1-LoopBack1] ip address 11.11.11.11 32[*CE1-LoopBack1] quit[*CE1] bgp 65410[*CE1-bgp] peer 10.1.1.1 as-number 100[*CE1-bgp] network 11.11.11.11 32[*CE1-bgp] quit[*CE1] commit# 配置PE1。
[~PE1] bgp 100[*PE1-bgp] router-id 1.1.1.1[*PE1-bgp] ipv4-family vpn-instance vpna[*PE1-bgp-vpna] peer 10.1.1.2 as-number 65410[*PE1-bgp-vpna] import-route direct[*PE1-bgp-vpna] commit[*PE1-bgp-vpna] quit[~PE1-bgp] quit# 配置CE2。
[~CE2] interface loopback 1[*CE2-LoopBack1] ip address 22.22.22.22 32[*CE2-LoopBack1] quit[*CE2] bgp 65420[*CE2-bgp] peer 10.2.1.1 as-number 100[*CE2-bgp] network 22.22.22.22 32[*CE2-bgp] quit[*CE2] commit# 配置PE2。
[~PE2] bgp 100[*PE2-bgp] router-id 2.2.2.2[*PE2-bgp] ipv4-family vpn-instance vpna[*PE2-bgp-vpna] peer 10.2.1.2 as-number 65420[*PE2-bgp-vpna] import-route direct[*PE2-bgp-vpna] commit[*PE2-bgp-vpna] quit[~PE2-bgp] quit配置完成后,在PE设备上执行display bgp vpnv4 vpn-instance peer命令,可以看到PE与CE之间的BGP对等体关系已建立,并达到Established状态。
以PE1与CE1的对等体关系为例:
[~PE1] display bgp vpnv4 vpn-instance vpna peerBGP local router ID : 1.1.1.1
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.1.1.2 4 65410 11 9 0 00:06:37 Established 1
- 在PE之间建立MP-IBGP对等体关系
# 配置PE1。
[~PE1] bgp 100[~PE1-bgp] peer 3::3 as-number 100[*PE1-bgp] peer 3::3 connect-interface loopback 1[*PE1-bgp] ipv4-family vpnv4[*PE1-bgp-af-vpnv4] peer 3::3 enable[*PE1-bgp-af-vpnv4] commit[~PE1-bgp-af-vpnv4] quit[~PE1-bgp] quit# 配置PE2。
[~PE2] bgp 100[~PE2-bgp] peer 1::1 as-number 100[*PE2-bgp] peer 1::1 connect-interface loopback 1[*PE2-bgp] ipv4-family vpnv4[*PE2-bgp-af-vpnv4] peer 1::1 enable[*PE2-bgp-af-vpnv4] commit[~PE2-bgp-af-vpnv4] quit[~PE2-bgp] quit配置完成后,在PE设备上执行display bgp vpnv4 all peer命令,可以看到PE之间的BGP对等体关系已建立,并达到Established状态。
- 在PE之间建立SRv6 BE路径
# 配置PE1。
[~PE1] segment-routing ipv6[~PE1-segment-routing-ipv6] encapsulation source-address 1::1[*PE1-segment-routing-ipv6] locator as1 ipv6-prefix 10::1 64 static 32
[*PE1-segment-routing-ipv6-locator] quit[*PE1-segment-routing-ipv6] quit[*PE1] bgp 100[*PE1-bgp] ipv4-family vpnv4[*PE1-bgp-af-vpnv4] peer 3::3 prefix-sid[~PE1-bgp-af-vpnv4] quit[*PE1-bgp] ipv4-family vpn-instance vpna[*PE1-bgp-vpna] segment-routing ipv6 best-effort[*PE1-bgp-vpna] segment-routing ipv6 locator as1[*PE1-bgp-vpna] commit[~PE1-bgp-vpna] quit[~PE1-bgp] quit[~PE1] isis 1[*PE1-isis-1] segment-routing ipv6 locator as1[*PE1-isis-1] commit[~PE1-isis-1] quit# 配置PE2。
[~PE2] segment-routing ipv6[~PE2-segment-routing-ipv6] encapsulation source-address 3::3[*PE2-segment-routing-ipv6] locator as1 ipv6-prefix 30::1 64 static 32
[*PE2-segment-routing-ipv6-locator] quit[*PE2-segment-routing-ipv6] quit[*PE2] bgp 100[*PE2-bgp] ipv4-family vpnv4[*PE2-bgp-af-vpnv4] peer 1::1 prefix-sid[~PE2-bgp-af-vpnv4] quit[*PE2-bgp] ipv4-family vpn-instance vpna[*PE2-bgp-vpna] segment-routing ipv6 best-effort[*PE2-bgp-vpna] segment-routing ipv6 locator as1[*PE2-bgp-vpna] commit[~PE2-bgp-vpna] quit[~PE2-bgp] quit[~PE2] isis 1[*PE2-isis-1] segment-routing ipv6 locator as1[*PE2-isis-1] commit[~PE2-isis-1] quit - 检查配置结果
执行命令display segment-routing ipv6 locator [ locator-name ] verbose查看SRv6的Locator信息。以PE1为例:
[~PE1] display segment-routing ipv6 locator verbose Locator Configuration Table --------------------------- LocatorName : as1 LocatorID : 1 IPv6Prefix : 10::1 PrefixLength: 64 StaticLength : 32 Reference : 2 Default : N ArgsLength : 0 AutoSIDBegin : 10::1:0:0 AutoSIDEnd : 10::FFFF:FFFF:FFFF:FFFF Total Locator(s): 1执行命令display segment-routing ipv6 local-sid end-dt4 forwarding查看SRv6的Local SID表信息。以PE1为例:
[~PE1] display segment-routing ipv6 local-sid end-dt4 forwarding My Local-SID End.DT4 Forwarding Table ------------------------------------- SID : 10::1:0:0/128 FuncType : End.DT4 VPN Name : vpna VPN ID : 3 LocatorName: as1 LocatorID: 1 Total SID(s): 1同一VPN的CE能够相互Ping通,例如:
[~CE1] ping -a 11.11.11.11 22.22.22.22 PING 22.22.22.22: 56 data bytes, press CTRL_C to break Reply from 22.22.22.22: bytes=56 Sequence=1 ttl=253 time=7 ms Reply from 22.22.22.22: bytes=56 Sequence=2 ttl=253 time=5 ms Reply from 22.22.22.22: bytes=56 Sequence=3 ttl=253 time=4 ms Reply from 22.22.22.22: bytes=56 Sequence=4 ttl=253 time=5 ms Reply from 22.22.22.22: bytes=56 Sequence=5 ttl=253 time=5 ms --- 22.22.22.22 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 4/5/7 ms
配置文件
PE1的配置文件
# sysname PE1 # ip vpn-instance vpna ipv4-family route-distinguisher 100:1 vpn-target 111:1 export-extcommunity vpn-target 111:1 import-extcommunity # segment-routing ipv6 encapsulation source-address 1::1 locator as1 ipv6-prefix 10::1 64 static 32 # isis 1 is-level level-1 cost-style wide network-entity 10.0000.0000.0001.00 # ipv6 enable topology ipv6 segment-routing ipv6 locator as1 # # interface GigabitEthernet0/1/0 undo shutdown ipv6 enable ipv6 address 2001::1/96 isis ipv6 enable 1 # interface GigabitEthernet0/2/0 undo shutdown ip binding vpn-instance vpna ip address 10.1.1.1 255.255.255.0 # interface LoopBack1 ipv6 enable ipv6 address 1::1/64 isis ipv6 enable 1 # bgp 100 router-id 1.1.1.1 peer 3::3 as-number 100 peer 3::3 connect-interface LoopBack1 # ipv4-family unicast undo synchronization # ipv6-family unicast undo synchronization # ipv4-family vpnv4 policy vpn-target peer 3::3 enable peer 3::3 prefix-sid # ipv4-family vpn-instance vpna import-route direct segment-routing ipv6 locator as1 segment-routing ipv6 best-effort peer 10.1.1.2 as-number 65410 # return
P的配置文件
# sysname P # isis 1 is-level level-1 cost-style wide network-entity 10.0000.0000.0002.00 # ipv6 enable topology ipv6 # # interface GigabitEthernet0/1/0 undo shutdown ipv6 enable ipv6 address 2001::2/96 isis ipv6 enable 1 # interface GigabitEthernet0/2/0 undo shutdown ipv6 enable ipv6 address 2002::1/96 isis ipv6 enable 1 # interface LoopBack1 ipv6 enable ipv6 address 2::2/64 isis ipv6 enable 1 # return
PE2的配置文件
# sysname PE2 # ip vpn-instance vpna ipv4-family route-distinguisher 200:1 vpn-target 111:1 export-extcommunity vpn-target 111:1 import-extcommunity # segment-routing ipv6 encapsulation source-address 3::3 locator as1 ipv6-prefix 30::1 64 static 32 # isis 1 is-level level-1 cost-style wide network-entity 10.0000.0000.0003.00 # ipv6 enable topology ipv6 segment-routing ipv6 locator as1 # # interface GigabitEthernet0/1/0 undo shutdown ipv6 enable ipv6 address 2002::2/96 isis ipv6 enable 1 # interface GigabitEthernet0/2/0 undo shutdown ip binding vpn-instance vpna ip address 10.2.1.1 255.255.255.0 # interface LoopBack1 ipv6 enable ipv6 address 3::3/64 isis ipv6 enable 1 # bgp 100 router-id 2.2.2.2 peer 1::1 as-number 100 peer 1::1 connect-interface LoopBack1 # ipv4-family unicast undo synchronization # ipv6-family unicast undo synchronization # ipv4-family vpnv4 policy vpn-target peer 1::1 enable peer 1::1 prefix-sid # ipv4-family vpn-instance vpna import-route direct segment-routing ipv6 locator as1 segment-routing ipv6 best-effort peer 10.2.1.2 as-number 65420 # return
CE1的配置文件
# sysname CE1 # interface GigabitEthernet0/1/0 undo shutdown ip address 10.1.1.2 255.255.255.0 # interface LoopBack1 ip address 11.11.11.11 255.255.255.255 # bgp 65410 peer 10.1.1.1 as-number 100 # ipv4-family unicast undo synchronization network 11.11.11.11 255.255.255.255 peer 10.1.1.1 enable # returnCE2的配置文件
# sysname CE2 # interface GigabitEthernet0/1/0 undo shutdown ip address 10.2.1.2 255.255.255.0 # interface LoopBack1 ip address 22.22.22.22 255.255.255.255 # bgp 65420 peer 10.2.1.1 as-number 100 # ipv4-family unicast undo synchronization network 22.22.22.22 255.255.255.255 peer 10.2.1.1 enable # return
