评分并提供意见反馈 :
华为采用机器翻译与人工审校相结合的方式将此文档翻译成不同语言,希望能帮助您更容易理解此文档的内容。 请注意:即使是最好的机器翻译,其准确度也不及专业翻译人员的水平。 华为对于翻译的准确性不承担任何责任,并建议您参考英文文档(已提供链接)。
配置基本或高级VPN-Target扩展团体属性过滤器的示例
通过配置基本和高级VPN-Target扩展团体属性过滤器,可以对私网或VPNv4路由进行过滤。
组网需求
如图12-4,PE1和PE2之间建立MP-IBGP邻居,PE2从PE1接收到两条BGP VPNv4路由3.3.3.3/32和4.4.4.4/32,通过配置基本或高级VPN-Target扩展团体属性过滤器,对PE2接收到的VPNv4路由进行过滤,让路由4.4.4.4/32被过滤掉。
配置思路
采用如下的思路配置基本或高级VPN-Target扩展团体属性过滤器:
配置各接口的IP地址。
配置MPLS基本能力和MPLS LDP,建立MPLS LSP。
在PE上配置使能IPv4地址族VPN实例。
在PE之间配置MP-IBGP。
在PE1上配置静态路由并引入私网。
在PE2上配置基本或高级VPN-Target扩展团体属性过滤器,两者配置其中之一即可。
在PE2上配置Route-Policy。
在PE2上配置BGP路由接收时应用Route-Policy。
操作步骤
- 配置各接口的IP地址,具体配置请参见配置文件。
- 配置MPLS基本能力和MPLS LDP,建立MPLS LSP。
# 配置PE1。
[~PE1] mpls lsr-id 1.1.1.1[*PE1] mpls[*PE1-mpls] commit[~PE1-mpls] quit[~PE1] mpls ldp[*PE1-mpls-ldp] commit[~PE1-mpls-ldp] quit[~PE1] interface gigabitethernet 0/1/0
[~PE1-GigabitEthernet0/1/0] mpls
[*PE1-GigabitEthernet0/1/0] mpls ldp
[*PE1-GigabitEthernet0/1/0] commit
[~PE1-GigabitEthernet0/1/0] quit
# 配置PE2。
[~PE2] mpls lsr-id 2.2.2.2[*PE2] mpls[*PE2-mpls] commit[~PE2-mpls] quit[~PE2] mpls ldp[*PE2-mpls-ldp] commit[~PE2-mpls-ldp] quit[~PE2] interface gigabitethernet 0/1/0
[~PE2-GigabitEthernet0/1/0] mpls
[*PE2-GigabitEthernet0/1/0] mpls ldp
[*PE2-GigabitEthernet0/1/0] commit
[~PE2-GigabitEthernet0/1/0] quit
- 在PE上配置使能IPv4地址族VPN实例。
# 配置PE1。
[~PE1] ip vpn-instance vpna[*PE1-vpn-instance-vpna] ipv4-family[*PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 1:100[*PE1-vpn-instance-vpna-af-ipv4] vpn-target 1:100 both[*PE1-vpn-instance-vpna-af-ipv4] quit[*PE1-vpn-instance-vpna] quit[*PE1] ip vpn-instance vpnb[*PE1-vpn-instance-vpnb] ipv4-family[*PE1-vpn-instance-vpnb-af-ipv4] route-distinguisher 2:100[*PE1-vpn-instance-vpnb-af-ipv4] vpn-target 2:100 both[*PE1-vpn-instance-vpnb-af-ipv4] quit[*PE1-vpn-instance-vpnb] quit[*PE1] commit# 配置PE2。
[~PE2] ip vpn-instance vpnc[*PE2-vpn-instance-vpnc] ipv4-family[*PE2-vpn-instance-vpnc-af-ipv4] route-distinguisher 1:100[*PE2-vpn-instance-vpnc-af-ipv4] vpn-target 3:100 export-extcommunity[*PE2-vpn-instance-vpnc-af-ipv4] vpn-target 1:100 import-extcommunity[*PE2-vpn-instance-vpnc-af-ipv4] vpn-target 2:100 import-extcommunity[*PE2-vpn-instance-vpnc-af-ipv4] quit[*PE2-vpn-instance-vpnc] quit[*PE2] commit - 在PE之间配置MP-IBGP。
# 配置PE1。
[~PE1] bgp 100[~PE1-bgp] peer 2.2.2.2 as-number 100[*PE1-bgp] peer 2.2.2.2 connect-interface loopback 1[*PE1-bgp] ipv4-family vpnv4[*PE1-bgp-af-vpnv4] peer 2.2.2.2 enable[*PE1-bgp-af-vpnv4] commit[~PE1-bgp-af-vpnv4] quit[~PE1-bgp] quit# 配置PE2。
[~PE2] bgp 100[~PE2-bgp] peer 1.1.1.1 as-number 100[*PE2-bgp] peer 1.1.1.1 connect-interface loopback 1[*PE2-bgp] ipv4-family vpnv4[*PE2-bgp-af-vpnv4] peer 1.1.1.1 enable[*PE2-bgp-af-vpnv4] commit[~PE2-bgp-af-vpnv4] quit[~PE2-bgp] quit - 在PE1上配置静态路由并引入私网。
[~PE1] ip route-static vpn-instance vpna 3.3.3.3 32 NULL0[*PE1] ip route-static vpn-instance vpnb 4.4.4.4 32 NULL0[*PE1] commit[~PE1] bgp 100[*PE1-bgp] ipv4-family vpn-instance vpna[*PE1-bgp-vpna] import-route static[*PE1-bgp-vpna] quit[*PE1-bgp] ipv4-family vpn-instance vpnb[*PE1-bgp-vpnb] import-route static[*PE1-bgp-vpnb] quit[*PE1-bgp] quit[*PE1] commit# 在PE2上执行display bgp vpnv4 all routing-table命令查看BGP VPNv4路由信息,可以看到vpnc下收到两条路由3.3.3.3/32和4.4.4.4/32。
[~PE2] display bgp vpnv4 all routing-table 3.3.3.3BGP local router ID : 10.1.1.2 Local AS number : 100 Total routes of Route Distinguisher(1:100): 1 BGP routing table entry information of 3.3.3.3/32: Label information (Received/Applied): 32905/NULL From: 1.1.1.1 (1.1.1.1) Route Duration: 0d00h06m19s Relay IP Nexthop: 10.1.1.1 Relay IP Out-Interface: GigabitEthernet0/1/0 Relay Tunnel Out-Interface: GigabitEthernet0/1/0 Original nexthop: 1.1.1.1 Qos information : 0x0 Ext-Community: RT <1 : 100> AS-path Nil, origin incomplete, MED 0, localpref 100, pref-val 0, valid, internal, best, select, pre 255 Not advertised to any peer yet VPN-Instance vpnc, Router ID 10.1.1.2: Total Number of Routes: 1 BGP routing table entry information of 3.3.3.3/32: Route Distinguisher: 1:100 Remote-Cross route Label information (Received/Applied): 32905/NULL From: 1.1.1.1 (1.1.1.1) Route Duration: 0d00h06m19s Relay Tunnel Out-Interface: GigabitEthernet0/1/0 Original nexthop: 1.1.1.1 Qos information : 0x0 Ext-Community: RT <1 : 100> AS-path Nil, origin incomplete, MED 0, localpref 100, pref-val 0, valid, internal, best, select, pre 255 Not advertised to any peer yet
[~PE2] display bgp vpnv4 all routing-table 4.4.4.4BGP local router ID : 10.1.1.2 Local AS number : 100 Total routes of Route Distinguisher(2:100): 1 BGP routing table entry information of 4.4.4.4/32: Label information (Received/Applied): 32906/NULL From: 1.1.1.1 (1.1.1.1) Route Duration: 0d00h06m24s Relay IP Nexthop: 10.1.1.1 Relay IP Out-Interface: GigabitEthernet0/1/0 Relay Tunnel Out-Interface: GigabitEthernet0/1/0 Original nexthop: 1.1.1.1 Qos information : 0x0 Ext-Community: RT <2 : 100> AS-path Nil, origin incomplete, MED 0, localpref 100, pref-val 0, valid, internal, best, select, pre 255 Not advertised to any peer yet VPN-Instance vpnc, Router ID 10.1.1.2: Total Number of Routes: 1 BGP routing table entry information of 4.4.4.4/32: Route Distinguisher: 2:100 Remote-Cross route Label information (Received/Applied): 32906/NULL From: 1.1.1.1 (1.1.1.1) Route Duration: 0d00h06m24s Relay Tunnel Out-Interface: GigabitEthernet0/1/0 Original nexthop: 1.1.1.1 Qos information : 0x0 Ext-Community: RT <2 : 100> AS-path Nil, origin incomplete, MED 0, localpref 100, pref-val 0, valid, internal, best, select, pre 255 Not advertised to any peer yet
- 在PE2上配置基本或高级VPN-Target扩展团体属性过滤器,两者配置其中之一即可。
配置基本VPN-Target扩展团体属性过滤器。
[~PE2] ip extcommunity-filter 1 index 10 permit rt 1:100[*PE2] commit配置高级VPN-Target扩展团体属性过滤器。
[~PE2] ip extcommunity-filter advanced test index 10 permit ^1:100$[*PE2] commit - 在PE2上配置Route-Policy。
对于基本VPN-Target扩展团体属性过滤器:
[~PE2] route-policy test permit node 10[*PE2-route-policy] if-match extcommunity-filter 1[*PE2-route-policy] quit[*PE2] route-policy test deny node 20[*PE2] commit对于高级VPN-Target扩展团体属性过滤器:
[~PE2] route-policy test permit node 10[*PE2-route-policy] if-match extcommunity-filter test[*PE2-route-policy] quit[*PE2] route-policy test deny node 20[*PE2] commit - 在PE2上配置BGP路由接收时应用Route-Policy。
[~PE2] bgp 100[*PE2-bgp] ipv4-family vpnv4[*PE2-bgp-af-vpnv4] peer 1.1.1.1 route-policy test import[*PE2-bgp-af-vpnv4] quit[*PE2-bgp] quit[*PE2] commit# 在PE2上执行display bgp vpnv4 all routing-table命令查看BGP VPNv4路由信息,可以看到路由4.4.4.4/32被过滤掉了。
[~PE2] display bgp vpnv4 all routing-table 3.3.3.3BGP local router ID : 10.1.1.2 Local AS number : 100 Total routes of Route Distinguisher(1:100): 1 BGP routing table entry information of 3.3.3.3/32: Label information (Received/Applied): 32905/NULL From: 1.1.1.1 (1.1.1.1) Route Duration: 0d00h05m41s Relay IP Nexthop: 10.1.1.1 Relay IP Out-Interface: GigabitEthernet0/1/0 Relay Tunnel Out-Interface: GigabitEthernet0/1/0 Original nexthop: 1.1.1.1 Qos information : 0x0 Ext-Community: RT <1 : 100> AS-path Nil, origin incomplete, MED 0, localpref 100, pref-val 0, valid, internal, best, select, pre 255 Not advertised to any peer yet VPN-Instance vpnc, Router ID 10.1.1.2: Total Number of Routes: 1 BGP routing table entry information of 3.3.3.3/32: Route Distinguisher: 1:100 Remote-Cross route Label information (Received/Applied): 32905/NULL From: 1.1.1.1 (1.1.1.1) Route Duration: 0d00h37m42s Relay Tunnel Out-Interface: GigabitEthernet0/1/0 Original nexthop: 1.1.1.1 Qos information : 0x0 Ext-Community: RT <1 : 100> AS-path Nil, origin incomplete, MED 0, localpref 100, pref-val 0, valid, internal, best, select, pre 255 Not advertised to any peer yet
[~PE2] display bgp vpnv4 all routing-table 4.4.4.4Info: The network does not exist.
配置文件
PE1的配置文件
# sysname PE1 # ip vpn-instance vpna ipv4-family route-distinguisher 1:100 vpn-target 1:100 export-extcommunity vpn-target 1:100 import-extcommunity # ip vpn-instance vpnb ipv4-family route-distinguisher 2:100 vpn-target 2:100 export-extcommunity vpn-target 2:100 import-extcommunity # mpls lsr-id 1.1.1.1 # mpls # mpls ldp # interface GigabitEthernet0/1/0 undo shutdown ip address 10.1.1.1 255.255.255.0 mpls mpls ldp # interface LoopBack1 ip address 1.1.1.1 255.255.255.255 # bgp 100 peer 2.2.2.2 as-number 100 peer 2.2.2.2 connect-interface LoopBack1 # ipv4-family unicast undo synchronization peer 2.2.2.2 enable # ipv4-family vpnv4 policy vpn-target peer 2.2.2.2 enable # ipv4-family vpn-instance vpna import-route static # ipv4-family vpn-instance vpnb import-route static # ip route-static 2.2.2.2 255.255.255.255 GigabitEthernet0/1/0 10.1.1.2 ip route-static vpn-instance vpna 3.3.3.3 255.255.255.255 NULL0 ip route-static vpn-instance vpnb 4.4.4.4 255.255.255.255 NULL0 # return
PE2的配置文件
# sysname PE2 # ip vpn-instance vpnc ipv4-family route-distinguisher 1:100 vpn-target 3:100 export-extcommunity vpn-target 1:100 import-extcommunity vpn-target 2:100 import-extcommunity # mpls lsr-id 2.2.2.2 # mpls # mpls ldp # interface GigabitEthernet0/1/0 undo shutdown ip address 10.1.1.2 255.255.255.0 mpls mpls ldp # interface LoopBack1 ip address 2.2.2.2 255.255.255.255 # bgp 100 peer 1.1.1.1 as-number 100 peer 1.1.1.1 connect-interface LoopBack1 # ipv4-family unicast undo synchronization peer 1.1.1.1 enable # ipv4-family vpnv4 policy vpn-target peer 1.1.1.1 enable peer 1.1.1.1 route-policy test import # route-policy test permit node 10 if-match extcommunity-filter 1 # route-policy test deny node 20 # ip extcommunity-filter 1 index 10 permit rt 1:100 # ip route-static 1.1.1.1 255.255.255.255 GigabitEthernet0/1/0 10.1.1.1 # return
