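Example for Configuring IPv4 VPN over SRv6 BE
This section describes how to carry IPv4 VPN services over SRv6 BE.
Networking Requirements
Routers PE1, P, and PE2 belong to the same autonomous system (AS) and must be interconnected over IPv6 using IS-IS.
PE1, P, and PE2 are in area 1 and are all Level-1 devices.
A bidirectional SRv6 BE path must be established between PE1 and PE2 to carry IPv4 VPN services.
Configuration Roadmap
The configuration roadmap for IPv4 VPN over SRv6 BE is as follows: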
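- Enable IPv6 forwarding on each router and configure an IPv6 address for each interface.
- Enable IS-IS on each router, configure the IS-IS level, and specify the network entity.
- Configure the SRv6 capability for IS-IS on each router.
- Configure a VPN instance on PE1 and PE2.
- Establish an EBGP peer relationship between each PE and its CE.
- Establish an MP-IBGP peer relationship between the PEs.
- Configure SRv6 on PE1 and PE2.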
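Data Preparation
To complete the configuration, you need the following data:
- IPv6 addresses of the interfaces on PE1, P, and PE2.
- Area ID of PE1, P, and PE2.
- IS-IS level of PE1, P, and PE2.
- VPN instance name, RD, and RT on PE1 and PE2.
Procedure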
- Enable IPv6 forwarding and configure an IPv6 address for each interface. PE1 is used as an example; the configuration on the other routers is the same and is not repeated here.
<HUAWEI> system-view
[~HUAWEI] sysname PE1
[*HUAWEI] commit
[~PE1] interface gigabitethernet 0/1/0
[~PE1-GigabitEthernet0/1/0] ipv6 enable
[*PE1-GigabitEthernet0/1/0] ipv6 address 2001::1 96
[*PE1-GigabitEthernet0/1/0] commit
- Configure IS-IS.
# Configure PE1.
[~PE1] isis 1
[*PE1-isis-1] is-level level-1
[*PE1-isis-1] cost-style wide
[*PE1-isis-1] network-entity 10.0000.0000.0001.00
[*PE1-isis-1] ipv6 enable topology ipv6
[*PE1-isis-1] quit
[*PE1] interface gigabitethernet 0/1/0
[*PE1-GigabitEthernet0/1/0] isis ipv6 enable 1
[*PE1-GigabitEthernet0/1/0] commit
[~PE1-GigabitEthernet0/1/0] quit
[*PE1] interface loopback1
[*PE1-LoopBack1] isis ipv6 enable 1
[*PE1-LoopBack1] commit
[~PE1-LoopBack1] quit
# Configure P.
[~P] isis 1
[*P-isis-1] is-level level-1
[*P-isis-1] cost-style wide
[*P-isis-1] network-entity 10.0000.0000.0002.00
[*P-isis-1] ipv6 enable topology ipv6
[*P-isis-1] quit
[*P] interface gigabitethernet 0/1/0
[*P-GigabitEthernet0/1/0] isis ipv6 enable 1
[*P-GigabitEthernet0/1/0] commit
[~P-GigabitEthernet0/1/0] quit
[*P] interface gigabitethernet 0/2/0
[*P-GigabitEthernet0/2/0] isis ipv6 enable 1
[*P-GigabitEthernet0/2/0] commit
[~P-GigabitEthernet0/2/0] quit
[*P] interface loopback1
[*P-LoopBack1] isis ipv6 enable 1
[*P-LoopBack1] commit
[~P-LoopBack1] quit
# Configure PE2.
[~PE2] isis 1
[*PE2-isis-1] is-level level-1
[*PE2-isis-1] cost-style wide
[*PE2-isis-1] network-entity 10.0000.0000.0003.00
[*PE2-isis-1] ipv6 enable topology ipv6
[*PE2-isis-1] quit
[*PE2] interface gigabitethernet 0/1/0
[*PE2-GigabitEthernet0/1/0] isis ipv6 enable 1
[*PE2-GigabitEthernet0/1/0] commit
[*PE2-GigabitEthernet0/1/0] quit
[*PE2] interface loopback1
[*PE2-LoopBack1] isis ipv6 enable 1
[*PE2-LoopBack1] commit
[~PE2-LoopBack1] quit
After the configuration is complete, check whether IS-IS is configured successfully as follows.
# Display IS-IS neighbor information. PE1 is used as an example.
[~PE1] display isis peer
                          Peer information for ISIS(1)
  System Id     Interface          Circuit Id        State HoldTime Type     PRI
--------------------------------------------------------------------------------
0000.0000.0002  GE0/1/0            0000.0000.0002.01  Up   8s       L1       64
Total Peer(s): 1
# Display IS-IS routing table information. PE1 is used as an example.
[~PE1] display isis route
                         Route information for ISIS(1)
                         -----------------------------
                        ISIS(1) Level-1 Forwarding Table
                        --------------------------------
 IPV6 Dest.         ExitInterface      NextHop                    Cost     Flags
--------------------------------------------------------------------------------
 1::1/64            Loop1              Direct                     0        D/-/L/-
 2::2/64            GE0/1/0            FE80::3A92:6CFF:FE21:10    10       A/-/-/-
 3::3/64            GE0/1/0            FE80::3A92:6CFF:FE41:13    10       A/-/-/-
 2001::/96          GE0/1/0            Direct                     10       D/-/L/-
 2002::/96          GE0/1/0            FE80::3A92:6CFF:FE21:10    20       A/-/-/-
                    GE0/1/0            FE80::3A92:6CFF:FE41:13
     Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut,
            U-Up/Down Bit Set, LP-Local Prefix-Sid
- Configure a VPN instance with the IPv4 address family enabled on each PE, and connect each CE to its PE.
# Configure PE1.
[~PE1] ip vpn-instance vpna
[*PE1-vpn-instance-vpna] ipv4-family
[*PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[*PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[*PE1-vpn-instance-vpna-af-ipv4] quit
[*PE1-vpn-instance-vpna] quit
[*PE1] interface gigabitethernet 0/2/0
[*PE1-GigabitEthernet0/2/0] ip binding vpn-instance vpna
[*PE1-GigabitEthernet0/2/0] ip address 10.1.1.1 24
[*PE1-GigabitEthernet0/2/0] quit
[*PE1] commit
# Configure PE2.
[~PE2] ip vpn-instance vpna
[*PE2-vpn-instance-vpna] ipv4-family
[*PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 200:1
[*PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[*PE2-vpn-instance-vpna-af-ipv4] quit
[*PE2-vpn-instance-vpna] quit
[*PE2] interface gigabitethernet 0/2/0
[*PE2-GigabitEthernet0/2/0] ip binding vpn-instance vpna
[*PE2-GigabitEthernet0/2/0] ip address 10.2.1.1 24
[*PE2-GigabitEthernet0/2/0] commit
[*PE2-GigabitEthernet0/2/0] quit
[*PE2] commit
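# Configure the IP addresses of the interfaces on each CE as shown in Figure 3-5. For the configuration procedure, see the configuration files below.
After the configuration is complete, run the display ip vpn-instance verbose command on each PE to view the VPN instance configuration. Each PE can ping its attached CE.
If multiple interfaces on a PE are bound to the same VPN instance, you must specify the source IP address when using the ping -vpn-instance command to ping the CE attached to the remote PE. That is, specify the -a source-ip-address parameter in the ping -vpn-instance vpn-instance-name -a source-ip-address dest-ip-address command. Otherwise, the ping may fail.
- Establish an EBGP peer relationship between each PE and its CE.
# Configure CE1.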
[~CE1] interface loopback 1
[*CE1-LoopBack1] ip address 11.11.11.11 32
[*CE1-LoopBack1] quit
[*CE1] bgp 65410
[*CE1-bgp] peer 10.1.1.1 as-number 100
[*CE1-bgp] network 11.11.11.11 32
[*CE1-bgp] quit
[*CE1] commit
# Configure PE1.
[~PE1] bgp 100
[*PE1-bgp] router-id 1.1.1.1
[*PE1-bgp] ipv4-family vpn-instance vpna
[*PE1-bgp-vpna] peer 10.1.1.2 as-number 65410
[*PE1-bgp-vpna] import-route direct
[*PE1-bgp-vpna] commit
[*PE1-bgp-vpna] quit
[~PE1-bgp] quit
# Configure CE2.
[~CE2] interface loopback 1
[*CE2-LoopBack1] ip address 22.22.22.22 32
[*CE2-LoopBack1] quit
[*CE2] bgp 65420
[*CE2-bgp] peer 10.2.1.1 as-number 100
[*CE2-bgp] network 22.22.22.22 32
[*CE2-bgp] quit
[*CE2] commit
# Configure PE2.
[~PE2] bgp 100
[*PE2-bgp] router-id 2.2.2.2
[*PE2-bgp] ipv4-family vpn-instance vpna
[*PE2-bgp-vpna] peer 10.2.1.2 as-number 65420
[*PE2-bgp-vpna] import-route direct
[*PE2-bgp-vpna] commit
[*PE2-bgp-vpna] quit
[~PE2-bgp] quit
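After the configuration is complete, run the display bgp vpnv4 vpn-instance peer command on each PE. The output shows that the BGP peer relationship between the PE and the CE has been established and is in the Established state.
The peer relationship between PE1 and CE1 is used as an example: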
[~PE1] display bgp vpnv4 vpn-instance vpna peer
BGP local router ID : 1.1.1.1
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.1.1.2 4 65410 11 9 0 00:06:37 Established 1
- Establish an MP-IBGP peer relationship between the PEs.
# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] peer 3::3 as-number 100
[*PE1-bgp] peer 3::3 connect-interface loopback 1
[*PE1-bgp] ipv4-family vpnv4
[*PE1-bgp-af-vpnv4] peer 3::3 enable
[*PE1-bgp-af-vpnv4] commit
[~PE1-bgp-af-vpnv4] quit
[~PE1-bgp] quit
# Configure PE2.
[~PE2] bgp 100
[~PE2-bgp] peer 1::1 as-number 100
[*PE2-bgp] peer 1::1 connect-interface loopback 1
[*PE2-bgp] ipv4-family vpnv4
[*PE2-bgp-af-vpnv4] peer 1::1 enable
[*PE2-bgp-af-vpnv4] commit
[~PE2-bgp-af-vpnv4] quit
[~PE2-bgp] quit
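After the configuration is complete, run the display bgp vpnv4 all peer command on each PE. The output shows that the BGP peer relationship between the PEs has been established and is in the Established state.
- Establish an SRv6 BE path between the PEs.
# Configure PE1.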
[~PE1] segment-routing ipv6
[~PE1-segment-routing-ipv6] encapsulation source-address 1::1
[*PE1-segment-routing-ipv6] locator as1 ipv6-prefix 10::1 64 static 32
[*PE1-segment-routing-ipv6-locator] quit
[*PE1-segment-routing-ipv6] quit
[*PE1] bgp 100
[*PE1-bgp] ipv4-family vpnv4
[*PE1-bgp-af-vpnv4] peer 3::3 prefix-sid
[~PE1-bgp-af-vpnv4] quit
[*PE1-bgp] ipv4-family vpn-instance vpna
[*PE1-bgp-vpna] segment-routing ipv6 best-effort
[*PE1-bgp-vpna] segment-routing ipv6 locator as1
[*PE1-bgp-vpna] commit
[~PE1-bgp-vpna] quit
[~PE1-bgp] quit
[~PE1] isis 1
[*PE1-isis-1] segment-routing ipv6 locator as1
[*PE1-isis-1] commit
[~PE1-isis-1] quit
# Configure PE2.
[~PE2] segment-routing ipv6
[~PE2-segment-routing-ipv6] encapsulation source-address 3::3
[*PE2-segment-routing-ipv6] locator as1 ipv6-prefix 30::1 64 static 32
[*PE2-segment-routing-ipv6-locator] quit
[*PE2-segment-routing-ipv6] quit
[*PE2] bgp 100
[*PE2-bgp] ipv4-family vpnv4
[*PE2-bgp-af-vpnv4] peer 1::1 prefix-sid
[~PE2-bgp-af-vpnv4] quit
[*PE2-bgp] ipv4-family vpn-instance vpna
[*PE2-bgp-vpna] segment-routing ipv6 best-effort
[*PE2-bgp-vpna] segment-routing ipv6 locator as1
[*PE2-bgp-vpna] commit
[~PE2-bgp-vpna] quit
[~PE2-bgp] quit
[~PE2] isis 1
[*PE2-isis-1] segment-routing ipv6 locator as1
[*PE2-isis-1] commit
[~PE2-isis-1] quit
- Verify the configuration.
Run the display segment-routing ipv6 locator [ locator-name ] verbose command to check the SRv6 locator information. PE1 is used as an example:
[~PE1] display segment-routing ipv6 locator verbose
                        Locator Configuration Table
                        ---------------------------
LocatorName  : as1                                       LocatorID   : 1
IPv6Prefix   : 10::1                                     PrefixLength: 64
StaticLength : 32                                        Reference   : 2
Default      : N                                         ArgsLength  : 0
AutoSIDBegin : 10::1:0:0
AutoSIDEnd   : 10::FFFF:FFFF:FFFF:FFFF
Total Locator(s): 1
Run the display segment-routing ipv6 local-sid end-dt4 forwarding command to check the SRv6 local SID table. PE1 is used as an example:
[~PE1] display segment-routing ipv6 local-sid end-dt4 forwarding
                    My Local-SID End.DT4 Forwarding Table
                    -------------------------------------
SID        : 10::1:0:0/128                                FuncType : End.DT4
VPN Name   : vpna                                         VPN ID   : 3
LocatorName: as1                                          LocatorID: 1
Total SID(s): 1
CEs in the same VPN can ping each other. For example:
[~CE1] ping -a 11.11.11.11 22.22.22.22
  PING 22.22.22.22: 56  data bytes, press CTRL_C to break
    Reply from 22.22.22.22: bytes=56 Sequence=1 ttl=253 time=7 ms
    Reply from 22.22.22.22: bytes=56 Sequence=2 ttl=253 time=5 ms
    Reply from 22.22.22.22: bytes=56 Sequence=3 ttl=253 time=4 ms
    Reply from 22.22.22.22: bytes=56 Sequence=4 ttl=253 time=5 ms
    Reply from 22.22.22.22: bytes=56 Sequence=5 ttl=253 time=5 ms
  --- 22.22.22.22 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 4/5/7 ms
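The locator and local SID outputs above can be cross-checked offline. The following is an added example, not part of the original document: it derives the static and dynamic SID ranges from the locator parameters and classifies an observed SID. The names locator_ranges, classify_sid and fmt are hypothetical, and the bit layout (ArgsLength 0, static opcodes in the low StaticLength bits, function value 0 unusable) is an assumption inferred from the PE1 output.

```python
import ipaddress

def locator_ranges(prefix, prefix_len, static_len):
    """Split a locator's function space into static and dynamic SID ranges.

    Assumes ArgsLength 0, as in the PE1 output: the low `static_len` bits
    hold manually configured opcodes, every value above is auto-allocated.
    """
    # strict=False because the documented prefix (10::1) has a bit set beyond /64
    net = ipaddress.IPv6Network(f"{prefix}/{prefix_len}", strict=False)
    func_bits = 128 - prefix_len
    if not 0 < static_len < func_bits:
        raise ValueError("static length must leave room for dynamic SIDs")
    base = int(net.network_address)
    return {
        "network": net,
        "static": (base + 1, base + (1 << static_len) - 1),
        "dynamic": (base + (1 << static_len), base + (1 << func_bits) - 1),
    }

def classify_sid(sid, ranges):
    """Return 'static', 'dynamic', 'unusable' or 'outside' for a SID string."""
    addr = ipaddress.IPv6Address(sid.split("/")[0])
    if addr not in ranges["network"]:
        return "outside"
    for kind in ("static", "dynamic"):
        low, high = ranges[kind]
        if low <= int(addr) <= high:
            return kind
    return "unusable"  # function value 0 (assumption: not a valid SID)

def fmt(rng):
    """Render an integer range in the upper-case style of the display output."""
    return tuple(str(ipaddress.IPv6Address(v)).upper() for v in rng)

# Parameters taken from the PE1 locator output above
PE1 = locator_ranges("10::1", 64, 32)

if __name__ == "__main__":
    print("AutoSIDBegin/End:", fmt(PE1["dynamic"]))
    print("End.DT4 SID 10::1:0:0/128 is", classify_sid("10::1:0:0/128", PE1))
```

A SID reported in the local SID table that classifies as outside for the device's own locator indicates a mismatch between the locator and the BGP or IS-IS references to it.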
Configuration Files
PE1 configuration file
#
sysname PE1
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
segment-routing ipv6
 encapsulation source-address 1::1
 locator as1 ipv6-prefix 10::1 64 static 32
#
isis 1
 is-level level-1
 cost-style wide
 network-entity 10.0000.0000.0001.00
 #
 ipv6 enable topology ipv6
 segment-routing ipv6 locator as1
 #
#
interface GigabitEthernet0/1/0
 undo shutdown
 ipv6 enable
 ipv6 address 2001::1/96
 isis ipv6 enable 1
#
interface GigabitEthernet0/2/0
 undo shutdown
 ip binding vpn-instance vpna
 ip address 10.1.1.1 255.255.255.0
#
interface LoopBack1
 ipv6 enable
 ipv6 address 1::1/64
 isis ipv6 enable 1
#
bgp 100
 router-id 1.1.1.1
 peer 3::3 as-number 100
 peer 3::3 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
 #
 ipv6-family unicast
  undo synchronization
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 3::3 enable
  peer 3::3 prefix-sid
 #
 ipv4-family vpn-instance vpna
  import-route direct
  segment-routing ipv6 locator as1
  segment-routing ipv6 best-effort
  peer 10.1.1.2 as-number 65410
#
return
P configuration file
#
sysname P
#
isis 1
 is-level level-1
 cost-style wide
 network-entity 10.0000.0000.0002.00
 #
 ipv6 enable topology ipv6
 #
#
interface GigabitEthernet0/1/0
 undo shutdown
 ipv6 enable
 ipv6 address 2001::2/96
 isis ipv6 enable 1
#
interface GigabitEthernet0/2/0
 undo shutdown
 ipv6 enable
 ipv6 address 2002::1/96
 isis ipv6 enable 1
#
interface LoopBack1
 ipv6 enable
 ipv6 address 2::2/64
 isis ipv6 enable 1
#
return
PE2 configuration file
#
sysname PE2
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 200:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
segment-routing ipv6
 encapsulation source-address 3::3
 locator as1 ipv6-prefix 30::1 64 static 32
#
isis 1
 is-level level-1
 cost-style wide
 network-entity 10.0000.0000.0003.00
 #
 ipv6 enable topology ipv6
 segment-routing ipv6 locator as1
 #
#
interface GigabitEthernet0/1/0
 undo shutdown
 ipv6 enable
 ipv6 address 2002::2/96
 isis ipv6 enable 1
#
interface GigabitEthernet0/2/0
 undo shutdown
 ip binding vpn-instance vpna
 ip address 10.2.1.1 255.255.255.0
#
interface LoopBack1
 ipv6 enable
 ipv6 address 3::3/64
 isis ipv6 enable 1
#
bgp 100
 router-id 2.2.2.2
 peer 1::1 as-number 100
 peer 1::1 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
 #
 ipv6-family unicast
  undo synchronization
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 1::1 enable
  peer 1::1 prefix-sid
 #
 ipv4-family vpn-instance vpna
  import-route direct
  segment-routing ipv6 locator as1
  segment-routing ipv6 best-effort
  peer 10.2.1.2 as-number 65420
#
return
CE1 configuration file
#
sysname CE1
#
interface GigabitEthernet0/1/0
 undo shutdown
 ip address 10.1.1.2 255.255.255.0
#
interface LoopBack1
 ip address 11.11.11.11 255.255.255.255
#
bgp 65410
 peer 10.1.1.1 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  network 11.11.11.11 255.255.255.255
  peer 10.1.1.1 enable
#
return
CE2 configuration file
#
sysname CE2
#
interface GigabitEthernet0/1/0
 undo shutdown
 ip address 10.2.1.2 255.255.255.0
#
interface LoopBack1
 ip address 22.22.22.22 255.255.255.255
#
bgp 65420
 peer 10.2.1.1 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  network 22.22.22.22 255.255.255.255
  peer 10.2.1.1 enable
#
return
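The SRv6 BE step touches three views on each PE (segment-routing ipv6, isis, and bgp), and a missing line in any of them leaves the VPN without a working path. The following is an added example, not part of the original document: a check that a saved PE configuration contains every SRv6 BE setting from the procedure. The names views and audit are hypothetical, the sample is a constructed excerpt of the PE1 configuration file, and one space of indentation per view level is assumed.

```python
import re

# Constructed excerpt: SRv6-related lines of the PE1 configuration file above.
PE1_CFG = """\
segment-routing ipv6
 locator as1 ipv6-prefix 10::1 64 static 32
isis 1
 segment-routing ipv6 locator as1
bgp 100
 ipv4-family vpnv4
  peer 3::3 enable
  peer 3::3 prefix-sid
 ipv4-family vpn-instance vpna
  segment-routing ipv6 locator as1
  segment-routing ipv6 best-effort
"""

def views(cfg):
    """Yield (view, command); view = top-level line plus any address family."""
    top = fam = ""
    for raw in cfg.splitlines():
        cmd, indent = raw.strip(), len(raw) - len(raw.lstrip())
        if cmd in ("", "#", "return"):
            continue
        if indent == 0:
            top = cmd
        if indent < 2:  # a top-level or one-space line ends the previous family
            fam = cmd if re.match(r"ipv[46]-family\b", cmd) else ""
        if indent and cmd != fam:
            yield f"{top} {fam}".strip(), cmd

def audit(cfg):
    """Return findings: SRv6 BE settings from the procedure missing in cfg."""
    pairs = list(views(cfg))
    cmds = lambda view_re: [c for v, c in pairs if re.match(view_re, v)]
    findings = []
    for loc in [c.split()[1] for c in cmds(r"segment-routing ipv6$") if c.startswith("locator ")]:
        ref = f"segment-routing ipv6 locator {loc}"
        if ref not in cmds(r"isis \d+$"):
            findings.append(f"locator {loc} not advertised by IS-IS")
        if ref not in cmds(r"bgp \d+ ipv4-family vpn-instance "):
            findings.append(f"locator {loc} not bound to a VPN instance in BGP")
    vpn = cmds(r"bgp \d+ ipv4-family vpn-instance ")
    if "segment-routing ipv6 best-effort" not in vpn:
        findings.append("VPN routes not set to SRv6 best-effort")
    vpnv4 = cmds(r"bgp \d+ ipv4-family vpnv4$")
    for peer in [c.split()[1] for c in vpnv4 if c.endswith(" enable")]:
        if f"peer {peer} prefix-sid" not in vpnv4:
            findings.append(f"VPNv4 peer {peer} lacks prefix-sid")
    return findings
```

Calling audit on the full text of a PE configuration file returns an empty list when all settings are present; P and CE configurations contain no locator and are not meaningful inputs.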