Example for Configuring Policy-based Routing to VPN
PC1 in VPN1 can access hosts in VPN2 through the policy-based routing to VPN function configured on the PE.
Networking Requirements
As shown in Figure 7-60, CE1 and CE3 belong to VPN1, and CE2 belongs to VPN2.
Hosts PC1 and PC2 access the network through CE1. The IP address of PC1 is 10.4.1.11 and that of PC2 is 10.4.1.12. The default gateway of both PC1 and PC2 is set to 10.4.1.1/24.
PC1 must be able to access VPN1 and, through policy-based routing, VPN2. PC2 can access only VPN1.
Configuration Roadmap
The roadmap for configuring basic policy-based routing to VPN is as follows:
Configure VPN instance vpn1 on PE1 and connect it to CE1; configure VPN instances vpn1 and vpn2 on PE2 and connect them to CE3 and CE2 respectively.
Create a VPN group on PE1, create VPN instance vpn2 and add it to the group.
Configure and apply a traffic policy on PE1 that redirects packets sent by PC1 to destination network 10.2.1.0/24 into the VPN group.
Configure a static route on the PE so that packets returning from vpn2 can reach PC1.
Data Preparation
To complete the configuration, you need the following data:
MPLS LSR-ID of each PE.
Names, RDs and VPN targets of the VPN instances to be created on PE1 and PE2.
Number and rules of the access control list (ACL).
Traffic classifier, traffic behavior and traffic policy.
Procedure
- Configure basic OSPF, MPLS and MPLS LDP functions
# Configure PE1.
<HUAWEI> system-view
[~HUAWEI] sysname PE1
[*HUAWEI] commit
[~PE1] interface loopback 1
[*PE1-LoopBack1] ip address 1.1.1.9 32
[*PE1-LoopBack1] commit
[~PE1-LoopBack1] quit
[~PE1] mpls lsr-id 1.1.1.9
[*PE1] commit
[~PE1] mpls
[*PE1-mpls] quit
[*PE1] mpls ldp
[*PE1-mpls-ldp] quit
[*PE1] commit
[~PE1] interface gigabitethernet2/0/0
[*PE1-Gigabitethernet2/0/0] ip address 192.168.1.1 24
[*PE1-Gigabitethernet2/0/0] mpls
[*PE1-Gigabitethernet2/0/0] mpls ldp
[*PE1-Gigabitethernet2/0/0] commit
[~PE1-Gigabitethernet2/0/0] quit
[~PE1] ospf
[~PE1-ospf-1] area 0
[*PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[*PE1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[*PE1-ospf-1-area-0.0.0.0] quit
[*PE1-ospf-1] commit
[~PE1-ospf-1] quit
# Configure PE2.
<HUAWEI> system-view
[~HUAWEI] sysname PE2
[*HUAWEI] commit
[~PE2] interface loopback 1
[*PE2-LoopBack1] ip address 2.2.2.9 32
[*PE2-LoopBack1] commit
[~PE2-LoopBack1] quit
[~PE2] mpls lsr-id 2.2.2.9
[*PE2] commit
[~PE2] mpls
[*PE2-mpls] quit
[*PE2] mpls ldp
[*PE2-mpls-ldp] quit
[*PE2] commit
[~PE2] interface Gigabitethernet2/0/0
[*PE2-Gigabitethernet2/0/0] ip address 192.168.1.2 24
[*PE2-Gigabitethernet2/0/0] mpls
[*PE2-Gigabitethernet2/0/0] mpls ldp
[*PE2-Gigabitethernet2/0/0] commit
[~PE2-Gigabitethernet2/0/0] quit
[~PE2] ospf
[~PE2-ospf-1] area 0
[*PE2-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[*PE2-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[*PE2-ospf-1-area-0.0.0.0] quit
[*PE2-ospf-1] commit
[~PE2-ospf-1] quit
- Establish an MP-IBGP peer relationship between the PEs and advertise VPN-IPv4 routes
# Configure PE1.
[~PE1] bgp 100
[*PE1-bgp] peer 2.2.2.9 as-number 100
[*PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[*PE1-bgp] ipv4-family vpnv4
[*PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
[*PE1-bgp-af-vpnv4] quit
[*PE1-bgp] commit
[~PE1-bgp] quit
# Configure PE2.
[~PE2] bgp 100
[*PE2-bgp] peer 1.1.1.9 as-number 100
[*PE2-bgp] peer 1.1.1.9 connect-interface LoopBack 1
[*PE2-bgp] ipv4-family vpnv4
[*PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[*PE2-bgp-af-vpnv4] quit
[*PE2-bgp] commit
[~PE2-bgp] quit
- Configure VPN instances and connect the CEs
Configure VPN instance vpn1 on PE1 and connect it to CE1. On PE2, configure VPN instance vpn1 and connect it to CE3, and configure VPN instance vpn2 and connect it to CE2. Configure a default route on CE1 so that it has a route to the network segment connected to the remote CE.
# Configure PE1.
[~PE1] ip vpn-instance vpn1
[*PE1-vpn-instance-vpn1] route-distinguisher 100:1
[*PE1-vpn-instance-vpn1] vpn-target 1:1
[*PE1-vpn-instance-vpn1] quit
[*PE1] interface Gigabitethernet1/0/0
[*PE1-Gigabitethernet1/0/0] ip binding vpn-instance vpn1
[*PE1-Gigabitethernet1/0/0] ip address 10.1.1.2 24
[*PE1-Gigabitethernet1/0/0] commit
[~PE1-Gigabitethernet1/0/0] quit
# Configure PE2.
[~PE2] ip vpn-instance vpn1
[*PE2-vpn-instance-vpn1] route-distinguisher 100:1
[*PE2-vpn-instance-vpn1] vpn-target 1:1
[*PE2-vpn-instance-vpn1] quit
[~PE2] ip vpn-instance vpn2
[*PE2-vpn-instance-vpn2] route-distinguisher 100:2
[*PE2-vpn-instance-vpn2] vpn-target 2:2
[*PE2-vpn-instance-vpn2] quit
[~PE2] interface Gigabitethernet1/0/0
[~PE2-Gigabitethernet1/0/0] ip binding vpn-instance vpn2
[*PE2-Gigabitethernet1/0/0] ip address 10.2.1.2 24
[*PE2-Gigabitethernet1/0/0] undo shutdown
[*PE2-Gigabitethernet1/0/0] commit
[~PE2-Gigabitethernet1/0/0] quit
[~PE2] interface Gigabitethernet3/0/0
[~PE2-Gigabitethernet3/0/0] ip binding vpn-instance vpn1
[*PE2-Gigabitethernet3/0/0] ip address 10.3.1.2 24
[*PE2-Gigabitethernet3/0/0] commit
[~PE2-Gigabitethernet3/0/0] quit
# Configure CE1.
<CE1> system-view
[~CE1] interface Gigabitethernet1/0/0
[~CE1-Gigabitethernet1/0/0] ip address 10.1.1.1 24
[*CE1-Gigabitethernet1/0/0] commit
[~CE1-Gigabitethernet1/0/0] quit
[~CE1] interface Gigabitethernet2/0/0
[~CE1-Gigabitethernet2/0/0] ip address 10.4.1.1 24
[*CE1-Gigabitethernet2/0/0] commit
[~CE1-Gigabitethernet2/0/0] quit
[~CE1] ip route-static 0.0.0.0 0 10.1.1.2
[~CE1] commit
# Configure CE2.
<CE2> system-view
[~CE2] interface Gigabitethernet1/0/0
[~CE2-Gigabitethernet1/0/0] ip address 10.2.1.1 24
[*CE2-Gigabitethernet1/0/0] commit
[~CE2-Gigabitethernet1/0/0] quit
# Configure CE3.
<CE3> system-view
[~CE3] interface Gigabitethernet1/0/0
[~CE3-Gigabitethernet1/0/0] ip address 10.3.1.1 24
[*CE3-Gigabitethernet1/0/0] commit
[~CE3-Gigabitethernet1/0/0] quit
- Configure EBGP between the PEs and the CEs
# Configure CE1.
[~CE1] bgp 600
[*CE1-bgp] peer 10.1.1.2 as-number 100
[*CE1-bgp] import-route direct
[*CE1-bgp] commit
[~CE1-bgp] quit
# Configure PE1.
[~PE1] bgp 100
[*PE1-bgp] ipv4-family vpn-instance vpn1
[*PE1-bgp-vpn1] peer 10.1.1.1 as-number 600
[*PE1-bgp-vpn1] import-route direct
[*PE1-bgp-vpn1] quit
[*PE1-bgp] commit
[~PE1-bgp] quit
# Configure CE2.
[~CE2] bgp 700
[*CE2-bgp] peer 10.2.1.2 as-number 100
[*CE2-bgp] import-route direct
[*CE2-bgp] commit
[~CE2-bgp] quit
# Configure CE3.
[~CE3] bgp 800
[*CE3-bgp] peer 10.3.1.2 as-number 100
[*CE3-bgp] import-route direct
[*CE3-bgp] commit
[~CE3-bgp] quit
# Configure PE2.
[~PE2] bgp 100
[*PE2-bgp] ipv4-family vpn-instance vpn1
[*PE2-bgp-vpn1] peer 10.3.1.1 as-number 800
[*PE2-bgp-vpn1] import-route direct
[*PE2-bgp-vpn1] quit
[*PE2-bgp] ipv4-family vpn-instance vpn2
[*PE2-bgp-vpn2] peer 10.2.1.1 as-number 700
[*PE2-bgp-vpn2] import-route direct
[*PE2-bgp-vpn2] quit
[*PE2-bgp] commit
[~PE2-bgp] quit
After the preceding configuration, CE1 can ping CE3 but cannot ping CE2.
Run the display bgp vpnv4 all peer command on PE2. The output shows that all BGP peers of PE2 are in the Established state:
[~PE2] display bgp vpnv4 all peer
 BGP local router ID : 2.2.2.9
 Local AS number : 100
 Total number of peers : 3                 Peers in established state : 3

  Peer            V          AS  MsgRcvd  MsgSent  OutQ  Up/Down       State  PrefRcv
  1.1.1.9         4         100       19       23     0 00:15:40 Established       14

 Peer of vpn instance :

 vpn instance vpn1 :
  10.3.1.1        4         800       14        7     0 00:03:51 Established       10

 vpn instance vpn2 :
  10.2.1.1        4         700       12       11     0 00:04:14 Established        5
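The peer table above is the place to confirm that each VPN instance has exactly the BGP session it is supposed to have, since a VRF's EBGP session is where routes enter that VPN. The following parser is an added example and not part of the original guide or of the device software: it reads the display output shown above (copied into the script as sample input), tags every peer with its VPN instance, and compares the result with the peers that the configuration on PE2 should produce. The function names and the expected-peer table are my own.

```python
"""Parse 'display bgp vpnv4 all peer' output and check the peer set.

Added example, not part of the original configuration guide and not the
device's own implementation. SAMPLE_OUTPUT is the PE2 display from the
text; the function names are assumptions of this example.
"""
import re

SAMPLE_OUTPUT = """\
 BGP local router ID : 2.2.2.9
 Local AS number : 100
 Total number of peers : 3                 Peers in established state : 3

  Peer            V          AS  MsgRcvd  MsgSent  OutQ  Up/Down       State  PrefRcv
  1.1.1.9         4         100       19       23     0 00:15:40 Established       14

 Peer of vpn instance :

 vpn instance vpn1 :
  10.3.1.1        4         800       14        7     0 00:03:51 Established       10

 vpn instance vpn2 :
  10.2.1.1        4         700       12       11     0 00:04:14 Established        5
"""

# One peer row: address, version, AS, MsgRcvd, MsgSent, OutQ, Up/Down, State, PrefRcv.
PEER_ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"
    r"(\S+)\s+(\S+)\s+(\d+)\s*$"
)
# Section header that switches the current VPN instance.
INSTANCE_LINE = re.compile(r"^\s*vpn instance (\S+) :\s*$")


def parse_peers(text):
    """Return one dict per peer row, tagged with the VPN instance it belongs to.

    Rows printed before 'Peer of vpn instance :' are the public VPNv4 peers
    and are tagged with instance None.
    """
    peers = []
    instance = None
    for line in text.splitlines():
        m = INSTANCE_LINE.match(line)
        if m:
            instance = m.group(1)
            continue
        m = PEER_ROW.match(line)
        if m:
            peers.append({
                "peer": m.group(1),
                "as": int(m.group(3)),
                "state": m.group(8),
                "pref_rcv": int(m.group(9)),
                "instance": instance,
            })
    return peers


def check_expected_peers(text, expected):
    """Compare the parsed peers with a {(instance, peer): as_number} table.

    Returns a list of problems; an empty list means every expected peer is
    present and Established with the right AS and nothing unexpected is up.
    """
    seen = {(p["instance"], p["peer"]): p for p in parse_peers(text)}
    problems = []
    for key, as_number in expected.items():
        p = seen.get(key)
        name = key[0] or "public"
        if p is None:
            problems.append(f"missing peer {key[1]} in {name}")
        elif p["state"] != "Established":
            problems.append(f"peer {key[1]} in {name} is {p['state']}")
        elif p["as"] != as_number:
            problems.append(f"peer {key[1]} has AS {p['as']}, expected {as_number}")
    for key in seen.keys() - expected.keys():
        problems.append(f"unexpected peer {key[1]} in {key[0] or 'public'}")
    return problems


# Peers that the PE2 configuration in the text should produce.
PE2_EXPECTED = {
    (None, "1.1.1.9"): 100,       # MP-IBGP peer PE1
    ("vpn1", "10.3.1.1"): 800,    # CE3 in vpn1
    ("vpn2", "10.2.1.1"): 700,    # CE2 in vpn2
}

if __name__ == "__main__":
    for peer in parse_peers(SAMPLE_OUTPUT):
        print(peer)
    print("problems:", check_expected_peers(SAMPLE_OUTPUT, PE2_EXPECTED))
```

Running the script against the output above reports no problems; feeding it a display in which the vpn2 session has dropped to Idle, or in which a peer appears in a VRF that the expected table does not list, produces a one-line finding per deviation.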
- Configure policy-based routing to VPN on PE1
# Configure VPN instance vpn2.
[~PE1] ip vpn-instance vpn2
[*PE1-vpn-instance-vpn2] route-distinguisher 100:22
[*PE1-vpn-instance-vpn2] vpn-target 2:2
[*PE1-vpn-instance-vpn2] commit
[~PE1-vpn-instance-vpn2] quit
# Configure an ACL rule.
[~PE1] acl 3000
[*PE1-acl-adv-3000] rule 1 permit ip source 10.4.1.11 0 destination 10.2.1.0 0.0.0.255
[*PE1-acl-adv-3000] commit
[~PE1-acl-adv-3000] quit
# Configure a static route so that the packets returning from vpn2 to PC1 find the correct route in the vpn1 routing table of PE1 and reach PC1.
[~PE1] ip route-static vpn-instance vpn2 10.4.1.0 24 vpn-instance vpn1 10.1.1.1
[*PE1] commit
# Import the static route into BGP and advertise it to PE2.
[~PE1] bgp 100
[*PE1-bgp] ipv4-family vpn-instance vpn2
[*PE1-bgp-vpn2] import-route static
[*PE1-bgp-vpn2] import-route direct
[*PE1-bgp-vpn2] quit
[*PE1-bgp] commit
[~PE1-bgp] quit
# Create VPN group vg1.
[~PE1] vpn-group vg1 vpn-instance vpn1 vpn2
[*PE1] commit
# Configure a traffic policy that redirects packets sent by PC1 to VPN group vg1.
[~PE1] traffic classifier c1
[*PE1-classifier-c1] if-match acl 3000
[*PE1-classifier-c1] quit
[~PE1] traffic behavior b1
[*PE1-behavior-b1] redirect vpn-group vg1
[*PE1-behavior-b1] commit
[~PE1-behavior-b1] quit
[~PE1] traffic policy p1
[*PE1-trafficpolicy-p1] classifier c1 behavior b1
[*PE1-trafficpolicy-p1] commit
[~PE1-trafficpolicy-p1] quit
# Apply the traffic policy to interface Gigabitethernet1/0/0 so that it takes effect.
[~PE1] interface Gigabitethernet1/0/0
[~PE1-Gigabitethernet1/0/0] traffic-policy p1 inbound
[*PE1-Gigabitethernet1/0/0] commit
[~PE1-Gigabitethernet1/0/0] quit
# Configure a default route on each host.
C:\> route add 0.0.0.0 mask 0.0.0.0 10.4.1.1
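Everything that decides which host may cross from vpn1 into vpn2 sits in the step above: ACL 3000 selects the traffic, behavior b1 redirects it to VPN group vg1, and the static route in vpn2 provides the return path. The following model is an added example, not part of the original guide and not the device's forwarding code. It reproduces the ACL wildcard matching, the redirect, and the vpn1/vpn2 routing tables of PE1 in plain Python so that the effect on PC1 and PC2 can be checked offline. The addresses and names come from the text; the function names, the route-table dictionary and the assumption that the instances of a VPN group are searched in configured order, with the first instance holding a route being used, are mine.

```python
"""Model PE1's forwarding decision for traffic arriving from CE1.

Added example, not part of the original guide and not the device's own
implementation. Address plan and ACL are those of the text; the route
tables, the ordered search of the VPN group and all names are assumptions
of this example.
"""
import ipaddress


def acl_match(addr, rule_addr, wildcard):
    """Huawei ACL wildcard semantics: a wildcard bit of 1 means 'do not care'.
    The CLI shorthand '0' corresponds to 0.0.0.0, an exact host match."""
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (r & ~w)


# acl 3000 from the text: (action, source, source wildcard, destination, destination wildcard)
ACL_3000 = [
    ("permit", "10.4.1.11", "0.0.0.0", "10.2.1.0", "0.0.0.255"),
]

# Assumed per-VRF routing tables on PE1 after the configuration:
# prefix -> (next hop, VPN instance in which the next hop is resolved).
ROUTES = {
    "vpn1": {
        "10.1.1.0/24": ("direct", "vpn1"),
        "10.4.1.0/24": ("10.1.1.1", "vpn1"),   # learned from CE1 over EBGP
        "10.3.1.0/24": ("2.2.2.9", "vpn1"),    # VPNv4 route from PE2, VPN target 1:1
    },
    "vpn2": {
        "10.2.1.0/24": ("2.2.2.9", "vpn2"),    # VPNv4 route from PE2, VPN target 2:2
        "10.4.1.0/24": ("10.1.1.1", "vpn1"),   # ip route-static vpn-instance vpn2 ... vpn-instance vpn1
    },
}

VPN_GROUP = {"vg1": ["vpn1", "vpn2"]}  # vpn-group vg1 vpn-instance vpn1 vpn2


def acl_permits(acl, src, dst):
    """First matching rule wins; no match means classifier c1 does not match."""
    for action, s, sw, d, dw in acl:
        if acl_match(src, s, sw) and acl_match(dst, d, dw):
            return action == "permit"
    return False


def lookup(vrf, dst):
    """Longest-prefix match in one VRF; None means no route."""
    best = None
    for prefix, nh in ROUTES[vrf].items():
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, prefix, nh)
    return None if best is None else (best[1], best[2])


def forward(src, dst, acl=ACL_3000, ingress_vrf="vpn1"):
    """Decide how PE1 handles a packet received on the vpn1-bound interface.

    If the ACL permits the packet, behavior b1 redirects it to vg1 and the
    group's instances are searched in order (assumption); otherwise only
    the ingress VRF is consulted. No route anywhere means the packet drops.
    """
    candidates = VPN_GROUP["vg1"] if acl_permits(acl, src, dst) else [ingress_vrf]
    for vrf in candidates:
        hit = lookup(vrf, dst)
        if hit:
            return {"vrf": vrf, "prefix": hit[0], "next_hop": hit[1][0],
                    "redirected": vrf != ingress_vrf, "dropped": False}
    return {"vrf": None, "prefix": None, "next_hop": None,
            "redirected": False, "dropped": True}


if __name__ == "__main__":
    print("PC1 -> CE2:", forward("10.4.1.11", "10.2.1.1"))   # redirected into vpn2
    print("PC2 -> CE2:", forward("10.4.1.12", "10.2.1.1"))   # no route in vpn1, dropped
    print("PC1 -> CE3:", forward("10.4.1.11", "10.3.1.1"))   # stays in vpn1
    print("return path for PC1 in vpn2:", lookup("vpn2", "10.4.1.11"))
```

The model reproduces the verification result of the guide: PC1's packets to 10.2.1.0/24 are redirected into vpn2 while PC2's are dropped in vpn1, and the vpn2 lookup for 10.4.1.11 resolves through the static route into vpn1. Passing a looser ACL, for instance a source wildcard of 0.0.0.255 instead of 0, shows PC2 being redirected as well, which is why the source wildcard in rule 1 is the control that keeps the inter-VPN path limited to PC1.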
- Verify the configuration
After the configuration is complete, PC1 can ping CE2:
C:\> ping 10.2.1.1
Pinging 10.2.1.1 with 32 bytes of data:
Reply from 10.2.1.1: bytes=32 time=4ms TTL=255
Reply from 10.2.1.1: bytes=32 time=2ms TTL=255
Reply from 10.2.1.1: bytes=32 time=2ms TTL=255
Reply from 10.2.1.1: bytes=32 time=2ms TTL=255
Ping statistics for 10.2.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 4ms, Average = 2ms
PC2 cannot ping CE2:
C:\>ping 10.2.1.1
Pinging 10.2.1.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.2.1.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Configuration Files
Configuration file of CE1
#
 sysname CE1
#
interface GigabitEthernet2/0/0
 undo shutdown
 ip address 10.4.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
bgp 600
 peer 10.1.1.2 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 10.1.1.2 enable
#
ip route-static 0.0.0.0 0 10.1.1.2
#
return
Configuration file of PE1
#
 sysname PE1
#
vpn-group vg1 vpn-instance vpn1 vpn2
#
ip vpn-instance vpn1
 route-distinguisher 100:1
 apply-label per-instance
 vpn-target 1:1 export-extcommunity
 vpn-target 1:1 import-extcommunity
#
ip vpn-instance vpn2
 route-distinguisher 100:22
 apply-label per-instance
 vpn-target 2:2 export-extcommunity
 vpn-target 2:2 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
acl number 3000
 rule 1 permit ip source 10.4.1.11 0 destination 10.2.1.0 0.0.0.255
#
traffic classifier c1
 if-match acl 3000
#
traffic behavior b1
 redirect vpn-group vg1
#
traffic policy p1 share-mode
 classifier c1 behavior b1
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip binding vpn-instance vpn1
 ip address 10.1.1.2 255.255.255.0
 traffic-policy p1 inbound
#
interface GigabitEthernet2/0/0
 undo shutdown
 ip address 192.168.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 1.1.1.9 255.255.255.255
#
bgp 100
 peer 2.2.2.9 as-number 100
 peer 2.2.2.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 2.2.2.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 2.2.2.9 enable
 #
 ipv4-family vpn-instance vpn1
  peer 10.1.1.1 as-number 600
  import-route direct
 #
 ipv4-family vpn-instance vpn2
  import-route static
  import-route direct
#
ospf 1
 area 0.0.0.0
  network 1.1.1.9 0.0.0.0
  network 192.168.1.0 0.0.0.255
#
ip route-static vpn-instance vpn2 10.4.1.0 24 vpn-instance vpn1 10.1.1.1
#
return
Configuration file of PE2
#
 sysname PE2
#
ip vpn-instance vpn1
 route-distinguisher 200:1
 apply-label per-instance
 vpn-target 1:1 export-extcommunity
 vpn-target 1:1 import-extcommunity
#
ip vpn-instance vpn2
 route-distinguisher 200:2
 apply-label per-instance
 vpn-target 2:2 export-extcommunity
 vpn-target 2:2 import-extcommunity
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Gigabitethernet1/0/0
 undo shutdown
 ip binding vpn-instance vpn2
 ip address 10.2.1.2 255.255.255.0
#
interface Gigabitethernet2/0/0
 undo shutdown
 ip address 192.168.1.2 255.255.255.0
 mpls
 mpls ldp
#
interface Gigabitethernet3/0/0
 undo shutdown
 ip binding vpn-instance vpn1
 ip address 10.3.1.2 255.255.255.0
#
interface LoopBack1
 ip address 2.2.2.9 255.255.255.255
#
bgp 100
 peer 1.1.1.9 as-number 100
 peer 1.1.1.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 1.1.1.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 1.1.1.9 enable
 #
 ipv4-family vpn-instance vpn1
  peer 10.3.1.1 as-number 800
  import-route direct
 #
 ipv4-family vpn-instance vpn2
  peer 10.2.1.1 as-number 700
  import-route direct
#
ospf 1
 area 0.0.0.0
  network 2.2.2.9 0.0.0.0
  network 192.168.1.0 0.0.0.255
#
return
Configuration file of CE2
#
 sysname CE2
#
interface Gigabitethernet1/0/0
 undo shutdown
 ip address 10.2.1.1 255.255.255.0
#
bgp 700
 peer 10.2.1.2 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 10.2.1.2 enable
#
return
Configuration file of CE3
#
 sysname CE3
#
interface Gigabitethernet1/0/0
 undo shutdown
 ip address 10.3.1.1 255.255.255.0
#
bgp 800
 peer 10.3.1.2 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 10.3.1.2 enable
#
return
Configuration of the hosts
route add 0.0.0.0 mask 0.0.0.0 10.4.1.1