Example for Configuring Extranet VPN
Configure an Extranet VPN so that users in one VPN can access sites that belong to another VPN.
Networking Requirements
As shown in Figure 7-31, the sites of CE1 and CE3 belong to vpna and the site of CE2 belongs to vpnb. By default, different VPNs cannot access each other. Where a business need requires it, access between VPNs can be enabled by configuring the VPN-Targets specially. The requirement here is that the site of CE2 can communicate with the site of CE3, while the sites of CE1 and CE2 remain isolated from each other.
Precautions
Note the following during the configuration:
The Import VPN-Target list configured on PE3 must include the Export VPN-Targets configured on PE1 and PE2, and the Export VPN-Target list configured on PE3 must include the Import VPN-Targets configured on PE1 and PE2. PE1 and PE2 keep only their own VPN-Target (111:1 and 222:2 respectively). Do not add the other VPN's VPN-Target to PE1 or PE2: vpna and vpnb would then exchange routes directly and the isolation between CE1 and CE2 would be lost.
Configuration Roadmap
The configuration roadmap is as follows:
Configure an IGP on the backbone so that the PEs can reach each other.
Configure MPLS and MPLS LSPs on the backbone so that LSP tunnels exist between the PEs.
Establish MP-IBGP peer relationships between PE1 and PE3 and between PE2 and PE3.
Create a VPN instance on each PE. On PE3, the Import VPN-Target of the VPN instance must include the Export VPN-Targets of the VPN instances on the other PEs, and its Export VPN-Target must include the Import VPN-Targets of the VPN instances on the other PEs.
Procedure
Configure an IGP on the MPLS backbone so that the PEs learn each other's loopback interface routes. OSPF is used in this example; for the details, see the configuration files at the end of this page.
After the configuration, the PEs should have established OSPF neighbor relationships: display ospf peer shows the neighbor state as Full, and display ip routing-table shows that each PE has learned the loopback route of the other PE.
Establish LDP LSPs on the MPLS backbone
# Configure PE1.
[~PE1] mpls lsr-id 1.1.1.9
[*PE1] mpls
[*PE1-mpls] quit
[*PE1] mpls ldp
[*PE1-mpls-ldp] quit
[*PE1] interface gigabitethernet 2/0/0
[*PE1-GigabitEthernet2/0/0] mpls
[*PE1-GigabitEthernet2/0/0] mpls ldp
[*PE1-GigabitEthernet2/0/0] commit
[~PE1-GigabitEthernet2/0/0] quit
# Configure PE2.
[~PE2] mpls lsr-id 3.3.3.9
[*PE2] mpls
[*PE2-mpls] quit
[*PE2] mpls ldp
[*PE2-mpls-ldp] quit
[*PE2] interface gigabitethernet 2/0/0
[*PE2-GigabitEthernet2/0/0] mpls
[*PE2-GigabitEthernet2/0/0] mpls ldp
[*PE2-GigabitEthernet2/0/0] commit
[~PE2-GigabitEthernet2/0/0] quit
# Configure PE3.
[~PE3] mpls lsr-id 2.2.2.9
[*PE3] mpls
[*PE3-mpls] quit
[*PE3] mpls ldp
[*PE3-mpls-ldp] quit
[*PE3] interface gigabitethernet 1/0/0
[*PE3-GigabitEthernet1/0/0] mpls
[*PE3-GigabitEthernet1/0/0] mpls ldp
[*PE3-GigabitEthernet1/0/0] commit
[~PE3-GigabitEthernet1/0/0] quit
[~PE3] interface gigabitethernet 2/0/0
[~PE3-GigabitEthernet2/0/0] mpls
[*PE3-GigabitEthernet2/0/0] mpls ldp
[*PE3-GigabitEthernet2/0/0] commit
[~PE3-GigabitEthernet2/0/0] quit
After the configuration, LDP peer relationships should have been established between the PEs. Run display mpls ldp session on each PE; the Status of every session should be Operational. PE1 is directly connected to PE3 only and no remote LDP peer is configured, so PE1 has a single session, with PE3 (LSR ID 2.2.2.9). Output on PE1:
<PE1> display mpls ldp session
 LDP Session(s) in Public Network
 Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
 An asterisk (*) before a session means the session is being deleted.
 -------------------------------------------------------------------------
 PeerID             Status      LAM  SsnRole  SsnAge       KASent/Rcv
 -------------------------------------------------------------------------
 2.2.2.9:0          Operational DU   Passive  0000:00:01   5/5
 -------------------------------------------------------------------------
 TOTAL: 1 session(s) Found.
Establish MP-IBGP peer relationships between PE1 and PE3 and between PE2 and PE3
# Configure PE1.
[~PE1] bgp 100
[*PE1-bgp] peer 2.2.2.9 as-number 100
[*PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[*PE1-bgp] ipv4-family vpnv4
[*PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
[*PE1-bgp-af-vpnv4] commit
[~PE1-bgp-af-vpnv4] quit
[~PE1-bgp] quit
# Configure PE2.
[~PE2] bgp 100
[*PE2-bgp] peer 2.2.2.9 as-number 100
[*PE2-bgp] peer 2.2.2.9 connect-interface loopback 1
[*PE2-bgp] ipv4-family vpnv4
[*PE2-bgp-af-vpnv4] peer 2.2.2.9 enable
[*PE2-bgp-af-vpnv4] commit
[~PE2-bgp-af-vpnv4] quit
[~PE2-bgp] quit
# Configure PE3.
[~PE3] bgp 100
[*PE3-bgp] peer 1.1.1.9 as-number 100
[*PE3-bgp] peer 1.1.1.9 connect-interface loopback 1
[*PE3-bgp] peer 3.3.3.9 as-number 100
[*PE3-bgp] peer 3.3.3.9 connect-interface loopback 1
[*PE3-bgp] ipv4-family vpnv4
[*PE3-bgp-af-vpnv4] peer 1.1.1.9 enable
[*PE3-bgp-af-vpnv4] peer 3.3.3.9 enable
[*PE3-bgp-af-vpnv4] commit
[~PE3-bgp-af-vpnv4] quit
[~PE3-bgp] quit
After the configuration, run display bgp vpnv4 all peer on each PE. The MP-IBGP peer relationships between PE1 and PE3 and between PE2 and PE3 should be in the Established state. PE1 peers with PE3 only, so its output lists one peer. Output on PE1:
<PE1> display bgp vpnv4 all peer
 BGP local router ID : 1.1.1.9
 Local AS number : 100
 Total number of peers : 1                 Peers in established state : 1

  Peer            V          AS  MsgRcvd  MsgSent  OutQ  Up/Down       State  PrefRcv
  2.2.2.9         4         100       12       18     0 00:09:38 Established       0
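A checker for this verification step and for the later display bgp vpnv4 vpn-instance peer step, as an added example that is not part of the page or of Huawei VRP. It parses the peer table in the format printed above, reports every peer that is not Established, and flags a summary line whose "Total number of peers" or "Peers in established state" disagrees with the table, so a deployment script can refuse to continue to the VPN-instance step until the peering is really up. The sample output is constructed to match the page's format (PE3 with its PE1 session up and its PE2 session still Active); the assumption is that columns are whitespace-separated and the State column is a single word, as in the page's output.

```python
"""Checker for the 'display bgp vpnv4 all peer' and
'display bgp vpnv4 vpn-instance <name> peer' tables shown on this page.

Added example for this page; it is not Huawei VRP code. It parses the peer
table, reports every peer that is not Established, and flags a summary line
('Total number of peers / Peers in established state') that disagrees with
the table. Assumption: columns are whitespace-separated and the State column
is a single word, as in the page's output.
"""
import re

SUMMARY_RE = re.compile(
    r"Total number of peers\s*:\s*(\d+)\s+Peers in established state\s*:\s*(\d+)")

# Constructed sample in the page's format (not captured from a real device):
# PE3 with its PE1 session up and its PE2 session still in Active state.
SAMPLE = """\
 BGP local router ID : 2.2.2.9
 Local AS number : 100
 Total number of peers : 2                 Peers in established state : 1

  Peer            V          AS  MsgRcvd  MsgSent  OutQ  Up/Down       State  PrefRcv
  1.1.1.9         4         100       12       18     0 00:09:38 Established       1
  3.3.3.9         4         100        3        5     0 00:00:21      Active       0
"""


def parse_bgp_peers(text):
    """Return (summary, peers): summary is (total, established) or None,
    peers is a list of dicts with peer, as, up_down, state and pref_rcv."""
    summary, peers = None, []
    for line in text.splitlines():
        m = SUMMARY_RE.search(line)
        if m:
            summary = (int(m.group(1)), int(m.group(2)))
            continue
        cols = line.split()
        # Data rows: Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv.
        # The header has nine tokens too, but its V column is the word 'V'.
        if len(cols) == 9 and cols[1] == "4" and cols[2].isdigit():
            peers.append({"peer": cols[0], "as": int(cols[2]), "up_down": cols[6],
                          "state": cols[7], "pref_rcv": int(cols[8])})
    return summary, peers


def check_bgp_peers(text, expected_peers=()):
    """Return a list of problems; an empty list means every peer is Established,
    every expected peer is present and the summary matches the table."""
    summary, peers = parse_bgp_peers(text)
    problems = [f"{p['peer']} is {p['state']}, not Established"
                for p in peers if p["state"] != "Established"]
    present = {p["peer"] for p in peers}
    problems += [f"expected peer {addr} missing from table"
                 for addr in expected_peers if addr not in present]
    if summary is None:
        problems.append("summary line not found")
    else:
        total, est = summary
        n_est = sum(p["state"] == "Established" for p in peers)
        if (total, est) != (len(peers), n_est):
            problems.append(f"summary says {total} peers/{est} established, "
                            f"table has {len(peers)}/{n_est}")
    return problems


if __name__ == "__main__":
    for problem in check_bgp_peers(SAMPLE, expected_peers=("1.1.1.9", "3.3.3.9")):
        print("PROBLEM:", problem)
```

Pass the expected peer addresses explicitly (on PE3 both 1.1.1.9 and 3.3.3.9; on PE1 only 2.2.2.9) so that a peer that was never configured, and therefore never appears in the table, is reported rather than silently passed.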
Configure a VPN instance on each PE. On PE3, the Import VPN-Target of the VPN instance includes the Export VPN-Targets of the VPN instances on the other PEs, and its Export VPN-Target includes the Import VPN-Targets of the VPN instances on the other PEs. Because PE3 uses vpn-target 111:1 222:2 both, the routes of CE3 are advertised with both VPN-Targets and are installed into vpna on PE1 and into vpnb on PE2, and PE3 itself accepts the routes of both CE1 and CE2. The routes of CE1 are advertised by PE1 with 111:1 only, so vpnb on PE2 never installs them; likewise the routes of CE2 (222:2 only) never reach vpna on PE1.
# Configure PE1.
[~PE1] ip vpn-instance vpna
[*PE1-vpn-instance-vpna] ipv4-family
[*PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[*PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[*PE1-vpn-instance-vpna-af-ipv4] commit
[~PE1-vpn-instance-vpna-af-ipv4] quit
[~PE1-vpn-instance-vpna] quit
[~PE1] interface gigabitethernet 1/0/0
[~PE1-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[*PE1-GigabitEthernet1/0/0] ip address 10.1.1.2 24
[*PE1-GigabitEthernet1/0/0] commit
[~PE1-GigabitEthernet1/0/0] quit
# Configure PE2.
[~PE2] ip vpn-instance vpnb
[*PE2-vpn-instance-vpnb] ipv4-family
[*PE2-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2
[*PE2-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[*PE2-vpn-instance-vpnb-af-ipv4] commit
[~PE2-vpn-instance-vpnb-af-ipv4] quit
[~PE2-vpn-instance-vpnb] quit
[~PE2] interface gigabitethernet 1/0/0
[~PE2-GigabitEthernet1/0/0] ip binding vpn-instance vpnb
[*PE2-GigabitEthernet1/0/0] ip address 10.3.1.2 24
[*PE2-GigabitEthernet1/0/0] commit
[~PE2-GigabitEthernet1/0/0] quit
# Configure PE3.
[~PE3] ip vpn-instance vpna
[*PE3-vpn-instance-vpna] ipv4-family
[*PE3-vpn-instance-vpna-af-ipv4] route-distinguisher 100:3
[*PE3-vpn-instance-vpna-af-ipv4] vpn-target 111:1 222:2 both
[*PE3-vpn-instance-vpna-af-ipv4] commit
[~PE3-vpn-instance-vpna-af-ipv4] quit
[~PE3-vpn-instance-vpna] quit
[~PE3] interface gigabitethernet 3/0/0
[~PE3-GigabitEthernet3/0/0] ip binding vpn-instance vpna
[*PE3-GigabitEthernet3/0/0] ip address 10.2.1.2 24
[*PE3-GigabitEthernet3/0/0] commit
[~PE3-GigabitEthernet3/0/0] quit
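The VPN-Target logic of this step, as an added example that is not part of the page or of Huawei VRP: a small Python model of how each PE decides which VPNv4 routes to install, built from the RD, VPN-Target and loopback prefix values used on this page. It reproduces the intended result (CE1 and CE2 each reach CE3 but not each other), shows the plain intranet case (PE3 with vpn-target 111:1 both) for comparison, and includes an audit that flags route exchange between sites outside the intended extranet policy. The mistake it audits (PE3's vpn-target 111:1 222:2 both line pasted onto PE1 as well) is a hypothetical assumed for illustration. The model assumes full-mesh MP-IBGP with no route reflector, so a PE never re-advertises a VPNv4 route learned from another PE, and one VPN instance with one CE site per PE.

```python
"""Route-target (VPN-Target) import/export model for the Extranet VPN on this page.

Added example, not Huawei VRP code. It models how PEs accept each other's
MP-BGP VPNv4 routes purely from the Export/Import VPN-Target lists, then
checks the reachability the page expects and audits for unintended
cross-VPN leakage. Assumptions: full-mesh MP-IBGP between PEs (no route
reflector, so a PE never re-advertises a VPNv4 route it learned from another
PE), one VPN instance and one CE site per PE, and the RD/RT/prefix values
are the ones used in the page's configuration.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class VpnInstance:
    pe: str               # PE the instance lives on
    name: str             # ip vpn-instance name
    rd: str               # route-distinguisher
    export_rt: frozenset  # vpn-target ... export-extcommunity
    import_rt: frozenset  # vpn-target ... import-extcommunity
    site: str             # CE attached to this instance
    prefixes: tuple       # prefixes the CE advertises over PE-CE EBGP


def vpn_target(*rts, mode="both"):
    """Mirror of 'vpn-target <rt> ... both|export-extcommunity|import-extcommunity'.
    Returns (export_rt, import_rt)."""
    rts = frozenset(rts)
    export = rts if mode in ("both", "export-extcommunity") else frozenset()
    imp = rts if mode in ("both", "import-extcommunity") else frozenset()
    return export, imp


def vpnv4_routing_tables(instances):
    """Return {(pe, vpn-instance): {prefix: originating site}} after the PEs
    exchange VPNv4 routes. A remote route is installed into a VPN instance when
    the RTs the originating PE attached on export intersect the local Import
    VPN-Target list; the RD only keeps overlapping prefixes distinct."""
    tables = {}
    for local in instances:
        table = {p: local.site for p in local.prefixes}
        for remote in instances:
            if remote is local:
                continue
            if remote.export_rt & local.import_rt:
                for p in remote.prefixes:
                    table.setdefault(p, remote.site)
        tables[(local.pe, local.name)] = table
    return tables


def reachable_site_pairs(instances):
    """Site pairs with routes in both directions (the page verifies this with
    ping, which needs the return route as well)."""
    tables = vpnv4_routing_tables(instances)
    pairs = set()
    for a, b in combinations(instances, 2):
        ta = tables[(a.pe, a.name)]
        tb = tables[(b.pe, b.name)]
        if all(p in ta for p in b.prefixes) and all(p in tb for p in a.prefixes):
            pairs.add(frozenset({a.site, b.site}))
    return pairs


def audit_extranet(instances, allowed_pairs):
    """Return site pairs that can exchange routes but are not in the intended
    extranet policy. Anything returned is a cross-VPN leak to fix."""
    allowed = {frozenset(p) for p in allowed_pairs}
    return reachable_site_pairs(instances) - allowed


def page_config(extranet=True, pe1_rts=("111:1",)):
    """The three VPN instances from the page. extranet=False is the plain
    intranet case (PE3 with 'vpn-target 111:1 both'); pe1_rts models a
    hypothetical mistake on PE1 (assumption, not on the page)."""
    pe3_export, pe3_import = vpn_target(*(("111:1", "222:2") if extranet else ("111:1",)))
    pe1_export, pe1_import = vpn_target(*pe1_rts)
    pe2_export, pe2_import = vpn_target("222:2")
    return [
        VpnInstance("PE1", "vpna", "100:1", pe1_export, pe1_import, "CE1", ("11.11.11.11/32",)),
        VpnInstance("PE2", "vpnb", "100:2", pe2_export, pe2_import, "CE2", ("22.22.22.22/32",)),
        VpnInstance("PE3", "vpna", "100:3", pe3_export, pe3_import, "CE3", ("33.33.33.33/32",)),
    ]


INTENDED_EXTRANET = [("CE1", "CE3"), ("CE2", "CE3")]

if __name__ == "__main__":
    for pe_vpn, table in sorted(vpnv4_routing_tables(page_config()).items()):
        print(pe_vpn, sorted(table))
    print("reachable:", sorted(map(sorted, reachable_site_pairs(page_config()))))
    print("leaks (page config):", audit_extranet(page_config(), INTENDED_EXTRANET))
    # Hypothetical mistake: PE3's RT line pasted onto PE1 as well.
    print("leaks (PE1 with 111:1 222:2 both):",
          audit_extranet(page_config(pe1_rts=("111:1", "222:2")), INTENDED_EXTRANET))
```

Run the audit after every change to a vpn-target line: an empty result means the only cross-VPN paths are the ones the extranet policy lists, and the PE1 variant shows how a single extra RT on the wrong PE silently joins vpna and vpnb. The same check generalises to more PEs and VPN instances by adding one VpnInstance per (PE, vpn-instance) pair.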
Establish EBGP peer relationships between the PEs and CEs and import the VPN routes
# Configure CE1.
[~CE1] interface loopback 1
[*CE1-Loopback1] ip address 11.11.11.11 32
[*CE1-Loopback1] quit
[*CE1] bgp 65410
[*CE1-bgp] peer 10.1.1.2 as-number 100
[*CE1-bgp] network 11.11.11.11 32
[*CE1-bgp] commit
The configurations of CE2 and CE3 are similar to that of CE1; see the configuration files at the end of this page.
# Configure PE1.
[~PE1] bgp 100
[*PE1-bgp] ipv4-family vpn-instance vpna
[*PE1-bgp-vpna] peer 10.1.1.1 as-number 65410
[*PE1-bgp-vpna] commit
[~PE1-bgp-vpna] quit
The configurations of PE2 and PE3 are similar to that of PE1; see the configuration files at the end of this page.
After the configuration, run display bgp vpnv4 vpn-instance vpn-instance-name peer on each PE. The BGP peer relationship between each PE and its CE should be in the Established state.
Output for the peer relationship between PE1 and CE1:
<PE1> display bgp vpnv4 vpn-instance vpna peer
 BGP local router ID : 1.1.1.9
 Local AS number : 100
 Total number of peers : 1                 Peers in established state : 1

  Peer            V          AS  MsgRcvd  MsgSent  OutQ  Up/Down       State  PrefRcv
  10.1.1.1        4       65410       11        9     0 00:06:37 Established       1
Verifying the Configuration
Run display ip routing-table on CE1. The routing table contains the route to the remote site CE3 (33.33.33.33/32, learned over EBGP from PE1 at 10.1.1.2 on GigabitEthernet1/0/0) but no route to CE2 (22.22.22.22/32).
<CE1> display ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Tables: _public_
         Destinations : 7        Routes : 7

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

   11.11.11.11/32   Direct  0    0           D   127.0.0.1       LoopBack1
      10.1.1.0/24   Direct  0    0           D   127.0.0.1       GigabitEthernet1/0/0
      10.1.1.1/32   Direct  0    0           D   127.0.0.1       GigabitEthernet1/0/0
    10.1.1.255/32   Direct  0    0           D   127.0.0.1       GigabitEthernet1/0/0
   33.33.33.33/32   EBGP    255  0           D   10.1.1.2        GigabitEthernet1/0/0
127.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
CE1 can ping CE3 (33.33.33.33) but cannot ping CE2 (22.22.22.22). The -a option sources the ping from the loopback 11.11.11.11 because that is the only CE1 prefix advertised into the VPN; CE3 has no route back to the 10.1.1.0/24 PE-CE link.
[~CE1] ping -a 11.11.11.11 33.33.33.33
PING 33.33.33.33: 56 data bytes, press CTRL_C to break
Reply from 33.33.33.33: bytes=56 Sequence=1 ttl=253 time=72 ms
Reply from 33.33.33.33: bytes=56 Sequence=2 ttl=253 time=34 ms
Reply from 33.33.33.33: bytes=56 Sequence=3 ttl=253 time=50 ms
Reply from 33.33.33.33: bytes=56 Sequence=4 ttl=253 time=50 ms
Reply from 33.33.33.33: bytes=56 Sequence=5 ttl=253 time=34 ms
--- 33.33.33.33 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 34/48/72 ms
[~CE1] ping -a 11.11.11.11 22.22.22.22
PING 22.22.22.22: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 22.22.22.22 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
Configuration Files
CE1 configuration file
#
sysname CE1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 11.11.11.11 255.255.255.255
#
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
peer 10.1.1.2 enable
network 11.11.11.11 255.255.255.255
#
return
PE1 configuration file
#
sysname PE1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
apply-label per-instance
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 20.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
peer 10.1.1.1 as-number 65410
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
return
PE2 configuration file
#
sysname PE2
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
apply-label per-instance
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 3.3.3.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance vpnb
ip address 10.3.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 11.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpnb
peer 10.3.1.1 as-number 65420
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 11.1.1.0 0.0.0.255
#
return
CE2 configuration file
#
sysname CE2
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.3.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 22.22.22.22 255.255.255.255
#
bgp 65420
peer 10.3.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
peer 10.3.1.2 enable
network 22.22.22.22 255.255.255.255
#
return
PE3 configuration file
#
sysname PE3
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:3
apply-label per-instance
vpn-target 111:1 222:2 import-extcommunity
vpn-target 111:1 222:2 export-extcommunity
#
mpls lsr-id 2.2.2.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 20.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 11.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet3/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.2.1.2 255.255.255.0
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpna
peer 10.2.1.1 as-number 65430
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 20.1.1.0 0.0.0.255
network 11.1.1.0 0.0.0.255
#
return
CE3 configuration file
#
sysname CE3
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.2.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 33.33.33.33 255.255.255.255
#
bgp 65430
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
peer 10.2.1.2 enable
network 33.33.33.33 255.255.255.255
#
return