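Example for Configuring a Basic or Advanced VPN-Target Extended Community Filter
Basic and advanced VPN-Target extended community filters can be configured to filter private network routes or VPNv4 routes.
Networking Requirements
As shown in Figure 12-4, an MP-IBGP peer relationship is established between PE1 and PE2. PE2 receives two BGP VPNv4 routes, 3.3.3.3/32 and 4.4.4.4/32, from PE1. A basic or advanced VPN-Target extended community filter is configured to filter the VPNv4 routes received by PE2 so that route 4.4.4.4/32 is filtered out.
Configuration Roadmap
The roadmap for configuring a basic or advanced VPN-Target extended community filter is as follows:
- Configure an IP address for each interface.
- Configure basic MPLS functions and MPLS LDP, and establish MPLS LSPs.
- Configure VPN instances with the IPv4 address family enabled on the PEs.
- Configure MP-IBGP between the PEs.
- Configure static routes on PE1 and import them into the private network.
- Configure a basic or an advanced VPN-Target extended community filter on PE2. Only one of the two needs to be configured.
- Configure a Route-Policy on PE2.
- Apply the Route-Policy to BGP routes received by PE2.
Procedure
- Configure an IP address for each interface. For configuration details, see the configuration files.
- Configure basic MPLS functions and MPLS LDP, and establish MPLS LSPs.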
# Configure PE1.
[~PE1] mpls lsr-id 1.1.1.1
[*PE1] mpls
[*PE1-mpls] commit
[~PE1-mpls] quit
[~PE1] mpls ldp
[*PE1-mpls-ldp] commit
[~PE1-mpls-ldp] quit
[~PE1] interface gigabitethernet 0/1/0
[~PE1-GigabitEthernet0/1/0] mpls
[*PE1-GigabitEthernet0/1/0] mpls ldp
[*PE1-GigabitEthernet0/1/0] commit
[~PE1-GigabitEthernet0/1/0] quit
# Configure PE2.
[~PE2] mpls lsr-id 2.2.2.2
[*PE2] mpls
[*PE2-mpls] commit
[~PE2-mpls] quit
[~PE2] mpls ldp
[*PE2-mpls-ldp] commit
[~PE2-mpls-ldp] quit
[~PE2] interface gigabitethernet 0/1/0
[~PE2-GigabitEthernet0/1/0] mpls
[*PE2-GigabitEthernet0/1/0] mpls ldp
[*PE2-GigabitEthernet0/1/0] commit
[~PE2-GigabitEthernet0/1/0] quit
- Configure VPN instances with the IPv4 address family enabled on the PEs.
# Configure PE1.
[~PE1] ip vpn-instance vpna
[*PE1-vpn-instance-vpna] ipv4-family
[*PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 1:100
[*PE1-vpn-instance-vpna-af-ipv4] vpn-target 1:100 both
[*PE1-vpn-instance-vpna-af-ipv4] quit
[*PE1-vpn-instance-vpna] quit
[*PE1] ip vpn-instance vpnb
[*PE1-vpn-instance-vpnb] ipv4-family
[*PE1-vpn-instance-vpnb-af-ipv4] route-distinguisher 2:100
[*PE1-vpn-instance-vpnb-af-ipv4] vpn-target 2:100 both
[*PE1-vpn-instance-vpnb-af-ipv4] quit
[*PE1-vpn-instance-vpnb] quit
[*PE1] commit
# Configure PE2.
[~PE2] ip vpn-instance vpnc
[*PE2-vpn-instance-vpnc] ipv4-family
[*PE2-vpn-instance-vpnc-af-ipv4] route-distinguisher 1:100
[*PE2-vpn-instance-vpnc-af-ipv4] vpn-target 3:100 export-extcommunity
[*PE2-vpn-instance-vpnc-af-ipv4] vpn-target 1:100 import-extcommunity
[*PE2-vpn-instance-vpnc-af-ipv4] vpn-target 2:100 import-extcommunity
[*PE2-vpn-instance-vpnc-af-ipv4] quit
[*PE2-vpn-instance-vpnc] quit
[*PE2] commit
- Configure MP-IBGP between the PEs.
# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] peer 2.2.2.2 as-number 100
[*PE1-bgp] peer 2.2.2.2 connect-interface loopback 1
[*PE1-bgp] ipv4-family vpnv4
[*PE1-bgp-af-vpnv4] peer 2.2.2.2 enable
[*PE1-bgp-af-vpnv4] commit
[~PE1-bgp-af-vpnv4] quit
[~PE1-bgp] quit
# Configure PE2.
[~PE2] bgp 100
[~PE2-bgp] peer 1.1.1.1 as-number 100
[*PE2-bgp] peer 1.1.1.1 connect-interface loopback 1
[*PE2-bgp] ipv4-family vpnv4
[*PE2-bgp-af-vpnv4] peer 1.1.1.1 enable
[*PE2-bgp-af-vpnv4] commit
[~PE2-bgp-af-vpnv4] quit
[~PE2-bgp] quit
- Configure static routes on PE1 and import them into the private network.
[~PE1] ip route-static vpn-instance vpna 3.3.3.3 32 NULL0
[*PE1] ip route-static vpn-instance vpnb 4.4.4.4 32 NULL0
[*PE1] commit
[~PE1] bgp 100
[*PE1-bgp] ipv4-family vpn-instance vpna
[*PE1-bgp-vpna] import-route static
[*PE1-bgp-vpna] quit
[*PE1-bgp] ipv4-family vpn-instance vpnb
[*PE1-bgp-vpnb] import-route static
[*PE1-bgp-vpnb] quit
[*PE1-bgp] quit
[*PE1] commit
# Run the display bgp vpnv4 all routing-table command on PE2 to view BGP VPNv4 routing information. The command output shows that two routes, 3.3.3.3/32 and 4.4.4.4/32, are received in vpnc.
[~PE2] display bgp vpnv4 all routing-table 3.3.3.3
 BGP local router ID : 10.1.1.2
 Local AS number : 100
 Total routes of Route Distinguisher(1:100): 1
 BGP routing table entry information of 3.3.3.3/32:
 Label information (Received/Applied): 32905/NULL
 From: 1.1.1.1 (1.1.1.1)
 Route Duration: 0d00h06m19s
 Relay IP Nexthop: 10.1.1.1
 Relay IP Out-Interface: GigabitEthernet0/1/0
 Relay Tunnel Out-Interface: GigabitEthernet0/1/0
 Original nexthop: 1.1.1.1
 Qos information : 0x0
 Ext-Community: RT <1 : 100>
 AS-path Nil, origin incomplete, MED 0, localpref 100, pref-val 0, valid, internal, best, select, pre 255
 Not advertised to any peer yet
 VPN-Instance vpnc, Router ID 10.1.1.2:
 Total Number of Routes: 1
 BGP routing table entry information of 3.3.3.3/32:
 Route Distinguisher: 1:100
 Remote-Cross route
 Label information (Received/Applied): 32905/NULL
 From: 1.1.1.1 (1.1.1.1)
 Route Duration: 0d00h06m19s
 Relay Tunnel Out-Interface: GigabitEthernet0/1/0
 Original nexthop: 1.1.1.1
 Qos information : 0x0
 Ext-Community: RT <1 : 100>
 AS-path Nil, origin incomplete, MED 0, localpref 100, pref-val 0, valid, internal, best, select, pre 255
 Not advertised to any peer yet
[~PE2] display bgp vpnv4 all routing-table 4.4.4.4
 BGP local router ID : 10.1.1.2
 Local AS number : 100
 Total routes of Route Distinguisher(2:100): 1
 BGP routing table entry information of 4.4.4.4/32:
 Label information (Received/Applied): 32906/NULL
 From: 1.1.1.1 (1.1.1.1)
 Route Duration: 0d00h06m24s
 Relay IP Nexthop: 10.1.1.1
 Relay IP Out-Interface: GigabitEthernet0/1/0
 Relay Tunnel Out-Interface: GigabitEthernet0/1/0
 Original nexthop: 1.1.1.1
 Qos information : 0x0
 Ext-Community: RT <2 : 100>
 AS-path Nil, origin incomplete, MED 0, localpref 100, pref-val 0, valid, internal, best, select, pre 255
 Not advertised to any peer yet
 VPN-Instance vpnc, Router ID 10.1.1.2:
 Total Number of Routes: 1
 BGP routing table entry information of 4.4.4.4/32:
 Route Distinguisher: 2:100
 Remote-Cross route
 Label information (Received/Applied): 32906/NULL
 From: 1.1.1.1 (1.1.1.1)
 Route Duration: 0d00h06m24s
 Relay Tunnel Out-Interface: GigabitEthernet0/1/0
 Original nexthop: 1.1.1.1
 Qos information : 0x0
 Ext-Community: RT <2 : 100>
 AS-path Nil, origin incomplete, MED 0, localpref 100, pref-val 0, valid, internal, best, select, pre 255
 Not advertised to any peer yet
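- Configure a basic or an advanced VPN-Target extended community filter on PE2. Only one of the two needs to be configured.
Configure a basic VPN-Target extended community filter.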
[~PE2] ip extcommunity-filter 1 index 10 permit rt 1:100
[*PE2] commit
Configure an advanced VPN-Target extended community filter.
[~PE2] ip extcommunity-filter advanced test index 10 permit ^1:100$
[*PE2] commit
- Configure a Route-Policy on PE2.
For the basic VPN-Target extended community filter:
[~PE2] route-policy test permit node 10
[*PE2-route-policy] if-match extcommunity-filter 1
[*PE2-route-policy] quit
[*PE2] route-policy test deny node 20
[*PE2] commit
For the advanced VPN-Target extended community filter:
[~PE2] route-policy test permit node 10
[*PE2-route-policy] if-match extcommunity-filter test
[*PE2-route-policy] quit
[*PE2] route-policy test deny node 20
[*PE2] commit
- Apply the Route-Policy to BGP routes received by PE2.
[~PE2] bgp 100
[*PE2-bgp] ipv4-family vpnv4
[*PE2-bgp-af-vpnv4] peer 1.1.1.1 route-policy test import
[*PE2-bgp-af-vpnv4] quit
[*PE2-bgp] quit
[*PE2] commit
# Run the display bgp vpnv4 all routing-table command on PE2 to view BGP VPNv4 routing information. The command output shows that route 4.4.4.4/32 has been filtered out.
[~PE2] display bgp vpnv4 all routing-table 3.3.3.3
 BGP local router ID : 10.1.1.2
 Local AS number : 100
 Total routes of Route Distinguisher(1:100): 1
 BGP routing table entry information of 3.3.3.3/32:
 Label information (Received/Applied): 32905/NULL
 From: 1.1.1.1 (1.1.1.1)
 Route Duration: 0d00h05m41s
 Relay IP Nexthop: 10.1.1.1
 Relay IP Out-Interface: GigabitEthernet0/1/0
 Relay Tunnel Out-Interface: GigabitEthernet0/1/0
 Original nexthop: 1.1.1.1
 Qos information : 0x0
 Ext-Community: RT <1 : 100>
 AS-path Nil, origin incomplete, MED 0, localpref 100, pref-val 0, valid, internal, best, select, pre 255
 Not advertised to any peer yet
 VPN-Instance vpnc, Router ID 10.1.1.2:
 Total Number of Routes: 1
 BGP routing table entry information of 3.3.3.3/32:
 Route Distinguisher: 1:100
 Remote-Cross route
 Label information (Received/Applied): 32905/NULL
 From: 1.1.1.1 (1.1.1.1)
 Route Duration: 0d00h37m42s
 Relay Tunnel Out-Interface: GigabitEthernet0/1/0
 Original nexthop: 1.1.1.1
 Qos information : 0x0
 Ext-Community: RT <1 : 100>
 AS-path Nil, origin incomplete, MED 0, localpref 100, pref-val 0, valid, internal, best, select, pre 255
 Not advertised to any peer yet
[~PE2] display bgp vpnv4 all routing-table 4.4.4.4
Info: The network does not exist.
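The import filtering configured in the steps above, modeled as an added example (not part of the original document and not vendor code). It evaluates route-policy test against the two routes from the display output and also shows why the advanced filter anchors its expression as ^1:100$. Assumptions: Python's re module stands in for the device's regular expression engine, all function names are hypothetical, and the routes with RT 11:100 and 1:1000 are constructed.

```python
import re

# Constructed sample: the two VPNv4 routes PE2 receives from PE1, with the RTs
# shown in the display output on this page.
ROUTES = {"3.3.3.3/32": ["1:100"], "4.4.4.4/32": ["2:100"]}
# Constructed extra routes whose RTs merely contain the text "1:100".
LOOKALIKES = {"5.5.5.5/32": ["11:100"], "6.6.6.6/32": ["1:1000"]}

def basic_filter(rts, entries):
    """Basic filter model: (action, rt) entries in index order, exact RT match."""
    for action, rt in entries:
        if rt in rts:
            return action == "permit"
    return False  # no entry matched, so the if-match clause fails

def advanced_filter(rts, entries):
    """Advanced filter model: (action, regex) entries in index order.
    Assumption: Python's re.search stands in for the device's regex engine."""
    for action, pattern in entries:
        if any(re.search(pattern, rt) for rt in rts):
            return action == "permit"
    return False

def route_policy(rts, nodes):
    """Nodes are (mode, matcher) in node order; a node with matcher None has no
    if-match clause and matches every route. The first matching node decides."""
    for mode, matcher in nodes:
        if matcher is None or matcher(rts):
            return mode == "permit"
    return False  # a route that matches no node is denied

def build_policy(filter_fn, entries):
    """route-policy test: permit node 10 (if-match filter), deny node 20."""
    return [("permit", lambda rts: filter_fn(rts, entries)), ("deny", None)]

def accepted(routes, nodes):
    """Prefixes that survive the import policy."""
    return sorted(p for p, rts in routes.items() if route_policy(rts, nodes))

BASIC = build_policy(basic_filter, [("permit", "1:100")])
ADVANCED = build_policy(advanced_filter, [("permit", r"^1:100$")])
UNANCHORED = build_policy(advanced_filter, [("permit", r"1:100")])

if __name__ == "__main__":
    for name, nodes in (("basic", BASIC), ("advanced", ADVANCED), ("unanchored", UNANCHORED)):
        print(name, accepted({**ROUTES, **LOOKALIKES}, nodes))
```

In this model, the unanchored expression also admits the routes tagged 11:100 and 1:1000, which is the kind of over-match that lets routes from an unintended VPN through an import policy.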
Configuration Files
PE1 configuration file
#
sysname PE1
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 1:100
  vpn-target 1:100 export-extcommunity
  vpn-target 1:100 import-extcommunity
#
ip vpn-instance vpnb
 ipv4-family
  route-distinguisher 2:100
  vpn-target 2:100 export-extcommunity
  vpn-target 2:100 import-extcommunity
#
mpls lsr-id 1.1.1.1
#
mpls
#
mpls ldp
#
interface GigabitEthernet0/1/0
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 1.1.1.1 255.255.255.255
#
bgp 100
 peer 2.2.2.2 as-number 100
 peer 2.2.2.2 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 2.2.2.2 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 2.2.2.2 enable
 #
 ipv4-family vpn-instance vpna
  import-route static
 #
 ipv4-family vpn-instance vpnb
  import-route static
#
ip route-static 2.2.2.2 255.255.255.255 GigabitEthernet0/1/0 10.1.1.2
ip route-static vpn-instance vpna 3.3.3.3 255.255.255.255 NULL0
ip route-static vpn-instance vpnb 4.4.4.4 255.255.255.255 NULL0
#
return
PE2 configuration file
#
sysname PE2
#
ip vpn-instance vpnc
 ipv4-family
  route-distinguisher 1:100
  vpn-target 3:100 export-extcommunity
  vpn-target 1:100 import-extcommunity
  vpn-target 2:100 import-extcommunity
#
mpls lsr-id 2.2.2.2
#
mpls
#
mpls ldp
#
interface GigabitEthernet0/1/0
 undo shutdown
 ip address 10.1.1.2 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 2.2.2.2 255.255.255.255
#
bgp 100
 peer 1.1.1.1 as-number 100
 peer 1.1.1.1 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 1.1.1.1 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 1.1.1.1 enable
  peer 1.1.1.1 route-policy test import
#
route-policy test permit node 10
 if-match extcommunity-filter 1
#
route-policy test deny node 20
#
ip extcommunity-filter 1 index 10 permit rt 1:100
#
ip route-static 1.1.1.1 255.255.255.255 GigabitEthernet0/1/0 10.1.1.1
#
return