Configuring Hub and Spoke (Hub-PE and Hub-CE connected over dual links)
In Hub and Spoke networking, a central access control device is deployed in the VPN and all traffic between the other sites is forced through it, so access policy between spoke sites is enforced at one point and no direct spoke-to-spoke path exists.
Networking requirements
As shown in Figure 7-27, communication between the Spoke-CEs is controlled by the central site, Hub-CE: traffic between the Spoke-CEs is forwarded through Hub-CE, not only through Hub-PE. In addition, Hub-PE and Hub-CE are connected over two links.
Configuration notes
Note the following during the configuration:
The Import Target and Export Target configured on the Spoke-PEs must be different.
Two VPN instances (vpn_in and vpn_out) are created on Hub-PE. vpn_in imports the VPN-target community values that the two Spoke-PEs export; vpn_out exports a VPN-target community value that differs from the one vpn_in imports and that matches the VPN-target community value the two Spoke-PEs import.
Hub-PE must be configured to accept routes whose AS_Path contains its own AS number once, because the routes that Hub-CE advertises back to Hub-PE were learned from Hub-PE over the other link and already carry AS 100.
Configuration roadmap
The configuration roadmap is as follows:
Establish MP-IBGP peer relationships between Hub-PE and each Spoke-PE. (No MP-IBGP peer relationship is established between the Spoke-PEs, so they do not exchange VPN routes with each other.)
Create VPN instances on the PEs and configure VPN targets.
Configure EBGP connections between the CEs and the PEs.
Procedure
- Configure an IGP on the backbone so that Hub-PE and the Spoke-PEs can reach each other
OSPF is used in this example; for the detailed configuration, see the configuration files at the end of this section.
After the configuration, OSPF neighbor relationships should be established between Hub-PE and the Spoke-PEs: the display ospf peer command shows the neighbor state as Full, and the display ip routing-table command shows that Hub-PE and the Spoke-PEs have learned each other's Loopback routes.
- Configure basic MPLS functions and MPLS LDP on the backbone to establish LDP LSPs
For the detailed configuration, see the configuration files at the end of this section.
After the configuration, LDP peer relationships should be established between Hub-PE and the Spoke-PEs; the display mpls ldp session command on each router shows the Session State as "Operational".
- Configure a VPN instance with the IPv4 address family enabled on each PE and connect the CEs to the PEs
The Import-Target list of one VPN instance on Hub-PE must contain the Export-Target attributes of all Spoke-PEs.
The Export-Target list of the other VPN instance on Hub-PE must contain the Import-Target attributes of all Spoke-PEs.
# Configure Spoke-PE1.
<Spoke-PE1> system-view
[~Spoke-PE1] ip vpn-instance vpna
[*Spoke-PE1-vpn-instance-vpna] ipv4-family
[*Spoke-PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[*Spoke-PE1-vpn-instance-vpna-af-ipv4] vpn-target 100:1 export-extcommunity
[*Spoke-PE1-vpn-instance-vpna-af-ipv4] vpn-target 200:1 import-extcommunity
[*Spoke-PE1-vpn-instance-vpna-af-ipv4] commit
[*Spoke-PE1-vpn-instance-vpna-af-ipv4] quit
[*Spoke-PE1] interface gigabitethernet 1/0/0
[*Spoke-PE1-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[*Spoke-PE1-GigabitEthernet1/0/0] ip address 10.1.1.2 24
[*Spoke-PE1-GigabitEthernet1/0/0] commit
[~Spoke-PE1-GigabitEthernet1/0/0] quit
# Configure Spoke-PE2.
<Spoke-PE2> system-view
[~Spoke-PE2] ip vpn-instance vpna
[*Spoke-PE2-vpn-instance-vpna] ipv4-family
[*Spoke-PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 100:3
[*Spoke-PE2-vpn-instance-vpna-af-ipv4] vpn-target 100:1 export-extcommunity
[*Spoke-PE2-vpn-instance-vpna-af-ipv4] vpn-target 200:1 import-extcommunity
[*Spoke-PE2-vpn-instance-vpna-af-ipv4] commit
[*Spoke-PE2-vpn-instance-vpna-af-ipv4] quit
[*Spoke-PE2] interface gigabitethernet 1/0/0
[*Spoke-PE2-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[*Spoke-PE2-GigabitEthernet1/0/0] ip address 10.4.1.2 24
[*Spoke-PE2-GigabitEthernet1/0/0] commit
[~Spoke-PE2-GigabitEthernet1/0/0] quit
# Configure Hub-PE.
<Hub-PE> system-view
[~Hub-PE] ip vpn-instance vpn_in
[*Hub-PE-vpn-instance-vpn_in] ipv4-family
[*Hub-PE-vpn-instance-vpn_in-af-ipv4] route-distinguisher 100:21
[*Hub-PE-vpn-instance-vpn_in-af-ipv4] vpn-target 100:1 import-extcommunity
[*Hub-PE-vpn-instance-vpn_in-af-ipv4] commit
[*Hub-PE-vpn-instance-vpn_in-af-ipv4] quit
[*Hub-PE-vpn-instance-vpn_in] quit
[*Hub-PE] ip vpn-instance vpn_out
[*Hub-PE-vpn-instance-vpn_out] ipv4-family
[*Hub-PE-vpn-instance-vpn_out-af-ipv4] route-distinguisher 100:22
[*Hub-PE-vpn-instance-vpn_out-af-ipv4] vpn-target 200:1 export-extcommunity
[*Hub-PE-vpn-instance-vpn_out-af-ipv4] commit
[*Hub-PE-vpn-instance-vpn_out-af-ipv4] quit
[*Hub-PE-vpn-instance-vpn_out] quit
[*Hub-PE] interface gigabitethernet 3/0/0
[*Hub-PE-GigabitEthernet3/0/0] ip binding vpn-instance vpn_in
[*Hub-PE-GigabitEthernet3/0/0] ip address 10.2.1.2 24
[*Hub-PE-GigabitEthernet3/0/0] commit
[*Hub-PE-GigabitEthernet3/0/0] quit
[*Hub-PE] interface gigabitethernet 4/0/0
[*Hub-PE-GigabitEthernet4/0/0] ip binding vpn-instance vpn_out
[*Hub-PE-GigabitEthernet4/0/0] ip address 10.3.1.2 24
[*Hub-PE-GigabitEthernet4/0/0] commit
[~Hub-PE-GigabitEthernet4/0/0] quit
# Configure the interface IP addresses of each CE according to Figure 7-27; for the detailed configuration, see the configuration files at the end of this section.
After the configuration, run the display ip vpn-instance verbose command on each PE to view the VPN instance configuration. Each PE can ping the CE attached to it with the ping -vpn-instance vpn-name ip-address command.
If a PE has several interfaces bound to the same VPN instance, specify the source IP address when pinging a CE attached to the remote PE, that is, set the -a source-ip-address parameter in ping -vpn-instance vpn-instance-name -a source-ip-address dest-ip-address; otherwise the ping may fail.
- Establish EBGP peer relationships between the PEs and CEs and import the VPN routes
Hub-PE must be configured to allow its own AS number to appear once in the AS_Path, so that it accepts the routes advertised by Hub-CE.
This is not required on the Spoke-PEs, because a router does not run the AS_Path loop check on routes received from an IBGP peer.
# Configure Spoke-CE1.
[~Spoke-CE1] interface loopback 1
[*Spoke-CE1-Loopback1] ip address 11.11.11.11 32
[*Spoke-CE1-Loopback1] quit
[*Spoke-CE1] bgp 65410
[*Spoke-CE1-bgp] peer 10.1.1.2 as-number 100
[*Spoke-CE1-bgp] network 11.11.11.11 32
[*Spoke-CE1-bgp] quit
[*Spoke-CE1] commit
# Configure Spoke-PE1.
[~Spoke-PE1] bgp 100
[*Spoke-PE1-bgp] ipv4-family vpn-instance vpna
[*Spoke-PE1-bgp-vpna] peer 10.1.1.1 as-number 65410
[*Spoke-PE1-bgp-vpna] commit
[~Spoke-PE1-bgp-vpna] quit
[~Spoke-PE1-bgp] quit
# Configure Spoke-CE2.
[~Spoke-CE2] interface loopback 1
[*Spoke-CE2-Loopback1] ip address 22.22.22.22 32
[*Spoke-CE2-Loopback1] quit
[*Spoke-CE2] bgp 65420
[*Spoke-CE2-bgp] peer 10.4.1.2 as-number 100
[*Spoke-CE2-bgp] network 22.22.22.22 32
[*Spoke-CE2-bgp] commit
[~Spoke-CE2-bgp] quit
# Configure Spoke-PE2.
[~Spoke-PE2] bgp 100
[*Spoke-PE2-bgp] ipv4-family vpn-instance vpna
[*Spoke-PE2-bgp-vpna] peer 10.4.1.1 as-number 65420
[*Spoke-PE2-bgp-vpna] commit
[~Spoke-PE2-bgp-vpna] quit
[~Spoke-PE2-bgp] quit
# Configure Hub-CE.
[~Hub-CE] interface loopback 1
[*Hub-CE-Loopback1] ip address 33.33.33.33 32
[*Hub-CE-Loopback1] quit
[*Hub-CE] bgp 65430
[*Hub-CE-bgp] peer 10.2.1.2 as-number 100
[*Hub-CE-bgp] peer 10.3.1.2 as-number 100
[*Hub-CE-bgp] network 33.33.33.33 32
[*Hub-CE-bgp] quit
[*Hub-CE] commit
# Configure Hub-PE.
[~Hub-PE] bgp 100
[*Hub-PE-bgp] ipv4-family vpn-instance vpn_in
[*Hub-PE-bgp-vpn_in] peer 10.2.1.1 as-number 65430
[*Hub-PE-bgp-vpn_in] commit
[*Hub-PE-bgp-vpn_in] quit
[*Hub-PE-bgp] ipv4-family vpn-instance vpn_out
[*Hub-PE-bgp-vpn_out] peer 10.3.1.1 as-number 65430
[*Hub-PE-bgp-vpn_out] peer 10.3.1.1 allow-as-loop 1
[*Hub-PE-bgp-vpn_out] commit
[~Hub-PE-bgp-vpn_out] quit
[~Hub-PE-bgp] quit
After the configuration, run the display bgp vpnv4 all peer command on each PE: the BGP peer relationships between the PEs and the CEs are established and in the Established state.
- Establish MP-IBGP peer relationships between the PEs
# Configure Spoke-PE1.
[~Spoke-PE1] bgp 100
[~Spoke-PE1-bgp] peer 2.2.2.9 as-number 100
[*Spoke-PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[*Spoke-PE1-bgp] ipv4-family vpnv4
[*Spoke-PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
[*Spoke-PE1-bgp-af-vpnv4] commit
[~Spoke-PE1-bgp-af-vpnv4] quit
# Configure Spoke-PE2.
[~Spoke-PE2] bgp 100
[~Spoke-PE2-bgp] peer 2.2.2.9 as-number 100
[*Spoke-PE2-bgp] peer 2.2.2.9 connect-interface loopback 1
[*Spoke-PE2-bgp] ipv4-family vpnv4
[*Spoke-PE2-bgp-af-vpnv4] peer 2.2.2.9 enable
[*Spoke-PE2-bgp-af-vpnv4] commit
[~Spoke-PE2-bgp-af-vpnv4] quit
# Configure Hub-PE.
[~Hub-PE] bgp 100
[~Hub-PE-bgp] peer 1.1.1.9 as-number 100
[*Hub-PE-bgp] peer 1.1.1.9 connect-interface loopback 1
[*Hub-PE-bgp] peer 3.3.3.9 as-number 100
[*Hub-PE-bgp] peer 3.3.3.9 connect-interface loopback 1
[*Hub-PE-bgp] ipv4-family vpnv4
[*Hub-PE-bgp-af-vpnv4] peer 1.1.1.9 enable
[*Hub-PE-bgp-af-vpnv4] peer 3.3.3.9 enable
[*Hub-PE-bgp-af-vpnv4] commit
[~Hub-PE-bgp-af-vpnv4] quit
After the configuration, run the display bgp peer or display bgp vpnv4 all peer command on each PE: the BGP peer relationships between the PEs are established and in the Established state.
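The route-target and AS_Path behaviour that the configuration above relies on, as an added Python model (example code written for this page, not Huawei code or device output). It uses the device names, AS numbers, route targets and prefixes from the page; the dataclasses, the reduced best-path rule (shorter AS_Path wins) and the absence of a route reflector on Hub-PE are this example's own assumptions. With allow-as-loop 1 on the vpn_out peer it reproduces the AS path 100 65430 100 65420 that Spoke-CE1 shows for 22.22.22.22/32 in the verification step; with 0 the spoke route never reaches the other Spoke-CE, because Hub-PE discards the update from Hub-CE, and check_rt_constraints reports any violation of the rules in "Configuration notes".

```python
"""Control-plane model of this Hub and Spoke example (added example, not Huawei code).
Replays how the VPN routes move between the CEs, the VPN instances on the PEs and
Hub-CE with the page's AS numbers, RTs and prefixes.  Assumptions: best path is
"shorter AS_PATH wins"; Hub-PE is not a route reflector (IBGP routes are not re-advertised)."""
from dataclasses import dataclass, field

PE_AS = 100

@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple     # most recently traversed AS first, as the CLI prints it
    learned_from: str  # peer the route came from (split horizon)
    via: str           # "local", "ebgp" or "ibgp"

@dataclass
class Node:
    """A BGP speaker: a CE router or one VPN instance (VRF) on a PE."""
    name: str
    asn: int
    import_rts: frozenset = frozenset()
    export_rts: frozenset = frozenset()
    allow_as_loop: dict = field(default_factory=dict)  # peer name -> allowed count of own AS
    table: dict = field(default_factory=dict)          # prefix -> Route

    def install(self, route):
        cur = self.table.get(route.prefix)
        if cur is None or len(route.as_path) < len(cur.as_path):
            self.table[route.prefix] = route
            return True
        return False

def ebgp_advertise(a, b):
    """a advertises to EBGP peer b, prepending its AS; b runs the AS_PATH loop check."""
    changed = False
    for r in list(a.table.values()):
        if r.learned_from == b.name:
            continue  # split horizon: never send a route back to its source
        path = (a.asn,) + r.as_path
        if path.count(b.asn) > b.allow_as_loop.get(a.name, 0):
            continue  # own AS in the path more often than permitted: update discarded
        changed |= b.install(Route(r.prefix, path, a.name, "ebgp"))
    return changed

def vpnv4_advertise(a, b):
    """VRF a sends its non-IBGP routes as VPNv4 routes tagged with its export RTs; VRF b
    imports them if one RT is in its import list.  AS_PATH unchanged, no loop check."""
    if not (a.export_rts & b.import_rts):
        return False
    changed = False
    for r in list(a.table.values()):
        if r.via != "ibgp":
            changed |= b.install(Route(r.prefix, r.as_path, a.name, "ibgp"))
    return changed

def build_topology(vpn_out_allow_as_loop=1):
    ce1, ce2, hub_ce = Node("Spoke-CE1", 65410), Node("Spoke-CE2", 65420), Node("Hub-CE", 65430)
    pe1 = Node("Spoke-PE1:vpna", PE_AS, frozenset({"200:1"}), frozenset({"100:1"}))
    pe2 = Node("Spoke-PE2:vpna", PE_AS, frozenset({"200:1"}), frozenset({"100:1"}))
    vpn_in = Node("Hub-PE:vpn_in", PE_AS, frozenset({"100:1"}), frozenset())
    vpn_out = Node("Hub-PE:vpn_out", PE_AS, frozenset(), frozenset({"200:1"}),
                   allow_as_loop={"Hub-CE": vpn_out_allow_as_loop})
    for ce, prefix in ((ce1, "11.11.11.11/32"), (ce2, "22.22.22.22/32"), (hub_ce, "33.33.33.33/32")):
        ce.install(Route(prefix, (), "local", "local"))  # the "network" commands on the CEs
    ebgp = [(ce1, pe1), (ce2, pe2), (hub_ce, vpn_in), (hub_ce, vpn_out)]   # Hub-CE has two links
    vpnv4 = [(pe1, vpn_in), (pe1, vpn_out), (pe2, vpn_in), (pe2, vpn_out)]  # no Spoke-PE pairing
    return {n.name: n for n in (ce1, ce2, hub_ce, pe1, pe2, vpn_in, vpn_out)}, ebgp, vpnv4

def converge(ebgp, vpnv4):
    """Exchange until stable; each install adds a prefix or shortens a path, so this ends."""
    changed = True
    while changed:
        changed = False
        for a, b in ebgp:
            changed |= ebgp_advertise(a, b) | ebgp_advertise(b, a)
        for a, b in vpnv4:
            changed |= vpnv4_advertise(a, b) | vpnv4_advertise(b, a)

def check_rt_constraints(nodes):
    """The rules from 'Configuration notes' as a list of violations (empty means OK)."""
    vpn_in, vpn_out, problems = nodes["Hub-PE:vpn_in"], nodes["Hub-PE:vpn_out"], []
    for v in (nodes["Spoke-PE1:vpna"], nodes["Spoke-PE2:vpna"]):
        if v.import_rts & v.export_rts:
            problems.append(f"{v.name}: import and export targets must differ")
        if not v.export_rts & vpn_in.import_rts:
            problems.append(f"vpn_in does not import the export target of {v.name}")
        if not v.import_rts & vpn_out.export_rts:
            problems.append(f"vpn_out does not export the import target of {v.name}")
    if vpn_out.export_rts & vpn_in.import_rts:
        problems.append("vpn_out export target must differ from the vpn_in import target")
    return problems

def spoke_ce_routes(vpn_out_allow_as_loop=1):
    """AS_PATH of each route on the Spoke-CEs, as 'display bgp routing-table' would show it."""
    nodes, ebgp, vpnv4 = build_topology(vpn_out_allow_as_loop)
    converge(ebgp, vpnv4)
    return {n: {p: r.as_path for p, r in nodes[n].table.items()} for n in ("Spoke-CE1", "Spoke-CE2")}

if __name__ == "__main__":
    print(check_rt_constraints(build_topology()[0]))  # []
    print(spoke_ce_routes(1)["Spoke-CE1"])  # 22.22.22.22/32 -> (100, 65430, 100, 65420)
    print(spoke_ce_routes(0)["Spoke-CE1"])  # without allow-as-loop, 22.22.22.22/32 is missing
```

The model is deliberately strict about the two things that make the design safe: only routes that passed through Hub-CE carry the vpn_out export target, and the loop check on Hub-PE is relaxed for exactly one peer and one occurrence of AS 100. Widening allow-as-loop beyond what this design needs, or applying it to the vpn_in peer, removes loop protection without adding reachability.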
- Verify the configuration
After the preceding configuration, the Spoke-CEs can ping each other. Tracert shows that traffic between the Spoke-CEs is forwarded through Hub-CE, and the TTL in the ping replies gives the number of forwarding devices between the Spoke-CEs: each device that forwards the reply decrements the TTL by 1, so the reply TTL of 250 below, against an initial TTL of 255, corresponds to the five devices (Spoke-PE2, Hub-PE, Hub-CE, Hub-PE again, Spoke-PE1) that tracert lists.
Take the display on Spoke-CE1 as an example:
<Spoke-CE1> ping -a 11.11.11.11 22.22.22.22
PING 22.22.22.22: 56 data bytes, press CTRL_C to break
Reply from 22.22.22.22: bytes=56 Sequence=1 ttl=250 time=80 ms
Reply from 22.22.22.22: bytes=56 Sequence=2 ttl=250 time=129 ms
Reply from 22.22.22.22: bytes=56 Sequence=3 ttl=250 time=132 ms
Reply from 22.22.22.22: bytes=56 Sequence=4 ttl=250 time=92 ms
Reply from 22.22.22.22: bytes=56 Sequence=5 ttl=250 time=126 ms
--- 22.22.22.22 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 80/111/132 ms
<Spoke-CE1> tracert -a 11.11.11.11 22.22.22.22
traceroute to 22.22.22.22(22.22.22.22), max hops: 30 ,packet length: 40
 1 10.1.1.2 8 ms 2 ms 2 ms
 2 10.2.1.2 < AS=100 > 3 ms 2 ms 2 ms
 3 10.2.1.1 < AS=100 > 3 ms 2 ms 2 ms
 4 10.3.1.2 < AS=65430 > 3 ms 2 ms 2 ms
 5 10.4.1.2 < AS=100 > 6 ms 6 ms 6 ms
 6 22.22.22.22 < AS=65420 > 6 ms 6 ms 6 ms
Run the display bgp routing-table command on a Spoke-CE: the AS path of the BGP route to the remote Spoke-CE contains a repeated AS number (AS 100 appears twice, once for each pass through Hub-PE).
Take the display on Spoke-CE1 as an example:
<Spoke-CE1> display bgp routing-table
BGP Local router ID is 11.11.11.11
Status codes: * - valid, > - best, d - damped, x - best external, a - add path,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 5
 Network            NextHop         MED        LocPrf    PrefVal Path/Ogn
 *>  10.1.1.0/24        0.0.0.0         0                     0      ?
 *                      10.1.1.2        0                     0      100?
 *>  10.1.1.1/32        0.0.0.0         0                     0      ?
 *>  33.33.33.33/32     10.1.1.2                              0      100 65430?
 *>  22.22.22.22/32     10.1.1.2                              0      100 65430 100 65420?
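A scripted version of the check above, as an added example (not part of the original guide): it parses the tracert and ping output, re-wrapped one hop per line and embedded as constructed sample text, confirms that the path enters Hub-CE at 10.2.1.1 and re-enters Hub-PE on the vpn_out interface 10.3.1.2, and checks that the reply TTL accounts for every forwarding device tracert lists. The hub addresses are the ones in Figure 7-27; the initial TTL of 255 is an assumption taken from the replies on the page.

```python
"""Path check for the Hub and Spoke verification step (added example, not Huawei code).
Confirms from tracert/ping output that spoke-to-spoke traffic really crosses Hub-CE, the
access control point, instead of taking a shortcut through Hub-PE alone."""
import re

# Constructed sample: the Spoke-CE1 output on this page, one hop per line.
TRACERT_SAMPLE = """\
traceroute to 22.22.22.22(22.22.22.22), max hops: 30 ,packet length: 40
 1 10.1.1.2 8 ms 2 ms 2 ms
 2 10.2.1.2 < AS=100 > 3 ms 2 ms 2 ms
 3 10.2.1.1 < AS=100 > 3 ms 2 ms 2 ms
 4 10.3.1.2 < AS=65430 > 3 ms 2 ms 2 ms
 5 10.4.1.2 < AS=100 > 6 ms 6 ms 6 ms
 6 22.22.22.22 < AS=65420 > 6 ms 6 ms 6 ms
"""
PING_SAMPLE = """\
Reply from 22.22.22.22: bytes=56 Sequence=1 ttl=250 time=80 ms
Reply from 22.22.22.22: bytes=56 Sequence=2 ttl=250 time=129 ms
"""

HUB_CE_IN = "10.2.1.1"    # Hub-CE GE1/0/0, facing Hub-PE vpn_in
HUB_PE_OUT = "10.3.1.2"   # Hub-PE GE4/0/0, bound to vpn_out
INITIAL_TTL = 255         # assumed initial TTL of the replying CE (250 after five devices)

HOP_RE = re.compile(r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_hops(tracert_text):
    """Hop addresses in order; header lines and timed-out hops without an address are skipped."""
    return [m.group(2) for m in map(HOP_RE.match, tracert_text.splitlines()) if m]

def traverses_hub(hops):
    """True only if the packet entered Hub-CE and the very next hop is Hub-PE's vpn_out
    interface, i.e. the flow crossed the hub site and was re-injected on the second link."""
    return any(a == HUB_CE_IN and b == HUB_PE_OUT for a, b in zip(hops, hops[1:]))

def forwarding_devices(ping_text, initial_ttl=INITIAL_TTL):
    """Number of routers that decremented the TTL of the echo replies."""
    ttls = {int(t) for t in re.findall(r"ttl=(\d+)", ping_text)}
    if len(ttls) != 1:
        raise ValueError("replies arrived with differing TTLs (path flapping?): %s" % sorted(ttls))
    return initial_ttl - ttls.pop()

def verify(tracert_text, ping_text):
    hops = parse_hops(tracert_text)
    devices = forwarding_devices(ping_text)
    # The destination is the last tracert hop but does not forward, hence len(hops) - 1.
    return {"hops": hops, "hub_on_path": traverses_hub(hops),
            "devices_from_ttl": devices, "ttl_matches_tracert": devices == len(hops) - 1}

if __name__ == "__main__":
    print(verify(TRACERT_SAMPLE, PING_SAMPLE))
```

A result with hub_on_path False means the spoke-to-spoke flow bypassed the central site, which in this design is the sign of a route-target or VPN-instance mistake on Hub-PE rather than a data-plane fault.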
Configuration files
Spoke-CE1 configuration file
#
sysname Spoke-CE1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 11.11.11.11 255.255.255.255
#
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
peer 10.1.1.2 enable
network 11.11.11.11 255.255.255.255
#
return
Spoke-PE1 configuration file
#
sysname Spoke-PE1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
apply-label per-instance
vpn-target 100:1 export-extcommunity
vpn-target 200:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 20.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
peer 10.1.1.1 as-number 65410
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
return
Spoke-PE2 configuration file
#
sysname Spoke-PE2
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:3
apply-label per-instance
vpn-target 100:1 export-extcommunity
vpn-target 200:1 import-extcommunity
#
mpls lsr-id 3.3.3.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.4.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 11.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
peer 10.4.1.1 as-number 65420
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 11.1.1.0 0.0.0.255
#
return
Spoke-CE2 configuration file
#
sysname Spoke-CE2
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.4.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 22.22.22.22 255.255.255.255
#
bgp 65420
peer 10.4.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
peer 10.4.1.2 enable
network 22.22.22.22 255.255.255.255
#
return
Hub-CE configuration file
#
sysname Hub-CE
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 10.3.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 33.33.33.33 255.255.255.255
#
bgp 65430
peer 10.2.1.2 as-number 100
peer 10.3.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
peer 10.3.1.2 enable
peer 10.2.1.2 enable
network 33.33.33.33 255.255.255.255
#
return
Hub-PE configuration file
#
sysname Hub-PE
#
ip vpn-instance vpn_in
ipv4-family
route-distinguisher 100:21
apply-label per-instance
vpn-target 100:1 import-extcommunity
#
ip vpn-instance vpn_out
ipv4-family
route-distinguisher 100:22
apply-label per-instance
vpn-target 200:1 export-extcommunity
#
mpls lsr-id 2.2.2.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 20.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 11.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet3/0/0
undo shutdown
ip binding vpn-instance vpn_in
ip address 10.2.1.2 255.255.255.0
#
interface GigabitEthernet4/0/0
undo shutdown
ip binding vpn-instance vpn_out
ip address 10.3.1.2 255.255.255.0
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn_in
peer 10.2.1.1 as-number 65430
#
ipv4-family vpn-instance vpn_out
peer 10.3.1.1 as-number 65430
peer 10.3.1.1 allow-as-loop
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 20.1.1.0 0.0.0.255
network 11.1.1.0 0.0.0.255
#
return