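Example for Configuring Inter-AS VPN Option B (with a P Device Between the ASBRs)
The ASBRs deploy IGP and LDP to establish an LSP between them across an MPLS network that does not support VPN (a P device is present).
Networking Requirements
As shown in Figure 7-39, CE1 and CE2 belong to the same VPN. CE1 accesses PE1 in AS100, and CE2 accesses PE2 in AS200. The ASBRs must cross an MPLS network that does not support VPN, that is, a P device sits between the ASBRs. An LSP is established between the two ASs to implement inter-AS VPN Option B.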
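Configuration Notes
Note the following during the configuration:
- No VPN instance needs to be created on the ASBRs, and the ASBRs do not apply VPN-Target filtering to received VPNv4 routes.
- IGP and LDP must be deployed between the ASBRs.
- The MP-EBGP session between the ASBRs must be configured as multihop.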
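Configuration Roadmap
Configure inter-AS VPN Option B (with a P device between the ASBRs) as follows:
- Run an IGP on the backbone network so that the ASBR and PE in the same AS can communicate, and establish an MPLS LDP LSP between the ASBR and PE in the same AS.
- Establish an EBGP peer relationship between each PE and its CE, and an MP-IBGP peer relationship between each PE and its ASBR.
- Configure a VPN instance on each PE (no VPN instance is needed on the ASBRs).
- Establish an EBGP peer relationship between the ASBRs, and establish an MPLS LDP LSP between them.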
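Data Preparation
To complete this configuration example, prepare the following data:
- MPLS LSR IDs on the PEs and ASBRs: 10.31.1.9, 10.32.2.9, 10.33.3.9, 10.34.4.9, and 10.35.5.9
- Name of the VPN instance created on the PEs: vpn1; RD values: 100:1 and 200:1; export and import VPN-Target value: 1:1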
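Procedure
- Configure an IGP on the MPLS backbone networks of AS100 and AS200 so that the PE and ASBR on each backbone network can communicate
OSPF is used in this example. For the detailed configuration, see the configuration files below.
The 32-bit address of the LoopBack interface that serves as the LSR ID must be advertised through OSPF.
After the configuration is complete, the ASBR and PE in the same AS can establish an OSPF neighbor relationship. Run the display ospf peer command to check that the neighbor state is Full.
The ASBR and PE in the same AS can learn each other's Loopback address and ping each other.
- Configure basic MPLS capabilities and MPLS LDP on the MPLS backbone networks of AS100 and AS200 to establish LDP LSPs
For the detailed configuration steps, see the configuration files below.
- Configure basic BGP/MPLS IP VPN on PE1 and PE2
The VPN-Targets of the VPN instances on PE1 and PE2 must match.
For the detailed configuration steps, see the configuration files below.
- Establish an MPLS LDP LSP between the ASBRs and configure the MP-EBGP peers
Configure an IGP between the ASBRs. OSPF is used as an example.
# Configure ASBR1.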
<ASBR1> system-view
[~ASBR1] interface gigabitethernet 2/0/0
[~ASBR1-GigabitEthernet2/0/0] ip address 192.168.1.1 24
[*ASBR1-GigabitEthernet2/0/0] commit
[~ASBR1-GigabitEthernet2/0/0] quit
[~ASBR1] ospf 2
[*ASBR1-ospf-2] area 0
[*ASBR1-ospf-2-area-0.0.0.0] network 10.32.2.10 0.0.0.0
[*ASBR1-ospf-2-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[*ASBR1-ospf-2-area-0.0.0.0] quit
[*ASBR1-ospf-2] commit
[~ASBR1-ospf-2] quit
[~ASBR1] quit
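The OSPF process ID used between the ASBRs must differ from the OSPF process ID used within each AS.
The configurations of P and ASBR2 are similar to that of ASBR1. For details, see the configuration files below.
# Establish an MPLS LDP LSP between the ASBRs.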
<ASBR1> system-view
[~ASBR1] mpls lsr-id 10.32.2.9
[*ASBR1] mpls
[*ASBR1-mpls] quit
[*ASBR1] mpls ldp
[*ASBR1-mpls-ldp] quit
[*ASBR1] interface gigabitethernet2/0/0
[*ASBR1-GigabitEthernet2/0/0] mpls
[*ASBR1-GigabitEthernet2/0/0] mpls ldp
[*ASBR1-GigabitEthernet2/0/0] commit
[~ASBR1-GigabitEthernet2/0/0] quit
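The configurations of P and ASBR2 are similar to that of ASBR1. For details, see the configuration files below.
After the configuration is complete, run the display mpls ldp lsp command on an ASBR to check that an MPLS LDP LSP has been established between the ASBRs.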
<ASBR1>display mpls ldp lsp
LDP LSP Information
-------------------------------------------------------------------------------
DestAddress/Mask In/OutLabel UpstreamPeer NextHop OutInterface
-------------------------------------------------------------------------------
10.32.2.9/32 3/NULL 10.35.5.9 127.0.0.1 Loop1
*10.32.2.9/32 Liberal/16 DS/5.5.5.5
10.33.3.9/32 NULL/19 - 192.168.1.1 GE2/0/0
10.33.3.9/32 16/19 10.35.5.9 192.168.1.1 GE2/0/0
10.35.5.9/32 NULL/3 - 192.168.1.1 GE2/0/0
10.35.5.9/32 17/3 10.35.5.9 192.168.1.1 GE2/0/0
-------------------------------------------------------------------------------
TOTAL: 5 Normal LSP(s) Found.
TOTAL: 1 Liberal LSP(s) Found.
TOTAL: 0 Frr LSP(s) Found.
An asterisk (*) before an LSP means the LSP is not established
An asterisk (*) before a Label means the USCB or DSCB is stale
An asterisk (*) before an UpstreamPeer means the session is stale
An asterisk (*) before a DS means the session is stale
An asterisk (*) before a NextHop means the LSP is FRR LSP
# Configure ASBR1 and ASBR2 to establish an MP-EBGP peer relationship, and disable VPN-target filtering for received VPNv4 routes.
[~ASBR1] bgp 100
[*ASBR1-bgp] peer 10.33.3.10 as-number 200
[*ASBR1-bgp] peer 10.33.3.10 connect-interface loopback2
[*ASBR1-bgp] peer 10.33.3.10 ebgp-max-hop 3
[*ASBR1-bgp] ipv4-family vpnv4
[*ASBR1-bgp-af-vpnv4] peer 10.33.3.10 enable
[*ASBR1-bgp-af-vpnv4] undo policy vpn-target
[*ASBR1-bgp-af-vpnv4] commit
[~ASBR1-bgp-af-vpnv4] quit
[~ASBR1-bgp] quit
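- Verify the configuration
After the preceding configuration is complete, the CEs can learn each other's interface routes, and CE1 and CE2 can ping each other.
The display on CE1 is used as an example: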
<CE1> display ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Tables: _public_
Destinations : 8 Routes : 8
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/24 Direct 0 0 D 10.1.1.1 GigabitEthernet1/0/0
10.1.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
10.1.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
10.22.22.22/32 EBGP 255 0 D 10.1.1.2 GigabitEthernet1/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
<CE1> ping -a 10.11.11.11 10.22.22.22
PING 10.22.22.22: 56 data bytes, press CTRL_C to break
Reply from 10.22.22.22: bytes=56 Sequence=1 ttl=252 time=120 ms
Reply from 10.22.22.22: bytes=56 Sequence=2 ttl=252 time=73 ms
Reply from 10.22.22.22: bytes=56 Sequence=3 ttl=252 time=111 ms
Reply from 10.22.22.22: bytes=56 Sequence=4 ttl=252 time=86 ms
Reply from 10.22.22.22: bytes=56 Sequence=5 ttl=252 time=110 ms
--- 22.22.22.22 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 73/100/120 ms
Run the display bgp vpnv4 all routing-table command on an ASBR to view the VPNv4 routes on the ASBR.
The display on ASBR1 is used as an example:
<ASBR1> display bgp vpnv4 all routing-table
BGP Local router ID is 10.32.2.9
Status codes: * - valid, > - best, d - damped, x - best external, a - add path, h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V - valid, I - invalid, N - not-found
Total number of routes from all PE: 2
Route Distinguisher: 100:1
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 10.11.11.11/32 10.31.1.9 0 100 0 ?
Route Distinguisher: 200:1
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 10.22.22.22/24 192.168.1.2 0 200?
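Because the ASBR does not apply VPN-Target filtering to received VPNv4 routes, the RDs present in this table are worth comparing against the ones planned for the deployment. The following Python script is an added example, not part of the original guide; it parses the route lines shown above, and the expected RD set (taken from the data preparation section) and the function names are assumptions.

```python
import re

# Sample input: the route lines of the ASBR1 output shown above.
OUTPUT = """\
Route Distinguisher: 100:1
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 10.11.11.11/32 10.31.1.9 0 100 0 ?
Route Distinguisher: 200:1
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 10.22.22.22/24 192.168.1.2 0 200?
"""
# Assumption: only the RDs listed in the data preparation section are expected.
EXPECTED_RDS = {"100:1", "200:1"}

IPV4 = r"\d+(?:\.\d+){3}"

def routes_by_rd(text):
    """Map each Route Distinguisher to the (prefix, next hop) pairs listed under it."""
    table, rd = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Route Distinguisher:\s*(\S+)", line)
        if m:
            rd = m.group(1)
            table.setdefault(rd, [])
            continue
        # Route lines start with status codes such as "*>" or "*>i".
        m = re.match(rf"\s*\*\S*\s+({IPV4}/\d+)\s+({IPV4})", line)
        if m and rd is not None:
            table[rd].append(m.groups())
    return table

def unexpected_rds(text, expected=EXPECTED_RDS):
    """Return the RDs that carry routes on the ASBR but are not in the expected set."""
    return sorted(set(routes_by_rd(text)) - set(expected))

if __name__ == "__main__":
    for rd, routes in routes_by_rd(OUTPUT).items():
        print(rd, routes)
    print("unexpected RDs:", unexpected_rds(OUTPUT) or "none")
```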
Configuration Files
CE1 configuration file
#
sysname CE1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 10.11.11.11 255.255.255.255
#
bgp 65001
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
peer 10.1.1.2 enable
network 10.11.11.11 255.255.255.255
return
PE1 configuration file
#
sysname PE1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
apply-label per-instance
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 10.31.1.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 172.16.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.0
#
interface LoopBack1
ip address 10.31.1.9 255.255.255.255
#
bgp 100
peer 10.32.2.9 as-number 100
peer 10.32.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 10.32.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 10.32.2.9 enable
#
ipv4-family vpn-instance vpn1
peer 10.1.1.1 as-number 65001
#
ospf 1
area 0.0.0.0
network 10.31.1.9 0.0.0.0
network 172.16.1.0 0.0.0.255
#
return
ASBR1 configuration file
#
sysname ASBR1
#
mpls lsr-id 10.32.2.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 172.16.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 192.168.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 10.32.2.9 255.255.255.255
#
interface LoopBack2
ip address 10.32.2.10 255.255.255.255
#
bgp 100
peer 10.31.1.9 as-number 100
peer 10.31.1.9 connect-interface LoopBack1
peer 10.33.3.10 as-number 200
peer 10.33.3.10 connect-interface LoopBack2
peer 10.33.3.10 ebgp-max-hop 3
#
ipv4-family unicast
undo synchronization
peer 10.33.3.10 enable
peer 10.31.1.9 enable
#
ipv4-family vpnv4
undo policy vpn-target
peer 10.31.1.9 enable
peer 10.33.3.10 enable
#
ospf 1
area 0.0.0.0
network 10.32.2.9 0.0.0.0
network 172.16.1.0 0.0.0.255
#
ospf 2
area 0.0.0.0
network 10.32.2.10 0.0.0.0
network 192.168.1.0 0.0.0.255
#
return
P configuration file
#
sysname P
#
mpls lsr-id 10.35.5.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 192.168.2.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 10.35.5.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.35.5.9 0.0.0.0
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return
ASBR2 configuration file
#
sysname ASBR2
#
mpls lsr-id 10.33.3.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.162.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 192.168.2.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 10.33.3.9 255.255.255.255
#
interface LoopBack2
ip address 10.33.3.10 255.255.255.255
#
bgp 200
peer 10.32.2.10 as-number 100
peer 10.32.2.10 connect-interface LoopBack2
peer 10.32.2.10 ebgp-max-hop 3
peer 10.34.4.9 as-number 200
peer 10.34.4.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 10.32.2.10 enable
peer 10.34.4.9 enable
#
ipv4-family vpnv4
undo policy vpn-target
peer 10.34.4.9 enable
peer 10.32.2.10 enable
#
ospf 1
area 0.0.0.0
network 10.33.3.9 0.0.0.0
network 10.162.1.0 0.0.0.255
#
ospf 2
area 0.0.0.0
network 10.33.3.10 0.0.0.0
network 192.168.2.0 0.0.0.255
#
return
PE2 configuration file
#
sysname PE2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 200:1
apply-label per-instance
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 10.34.4.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.162.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpn1
ip address 10.2.1.2 255.255.255.0
#
interface LoopBack1
ip address 10.34.4.9 255.255.255.255
#
bgp 200
peer 10.33.3.9 as-number 200
peer 10.33.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 10.33.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 10.33.3.9 enable
#
ipv4-family vpn-instance vpn1
peer 10.2.1.1 as-number 65002
#
ospf 1
area 0.0.0.0
network 10.34.4.9 0.0.0.0
network 10.162.1.0 0.0.0.255
#
return
CE2 configuration file
#
sysname CE2
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.2.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 10.22.22.22 255.255.255.255
#
bgp 65002
peer 10.2.1.2 as-number 200
#
ipv4-family unicast
undo synchronization
peer 10.2.1.2 enable
network 10.22.22.22 255.255.255.255
#
return
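The ASBR-side configuration notes (no VPN instance, no VPN-Target filtering of VPNv4 routes, multihop MP-EBGP) can be checked mechanically against a saved configuration file. The following Python script is an added example, not part of the original guide; its input is an excerpt of the ASBR1 configuration file above, and the function names and the BROKEN variant are constructed for illustration.

```python
import re

# Constructed input: the BGP-related lines of the ASBR1 configuration file on this page.
ASBR1 = """sysname ASBR1
bgp 100
peer 10.31.1.9 as-number 100
peer 10.31.1.9 connect-interface LoopBack1
peer 10.33.3.10 as-number 200
peer 10.33.3.10 connect-interface LoopBack2
peer 10.33.3.10 ebgp-max-hop 3
ipv4-family vpnv4
undo policy vpn-target
peer 10.31.1.9 enable
peer 10.33.3.10 enable
"""
# Constructed faulty variant: multihop removed and VPN-Target filtering left enabled.
BROKEN = ASBR1.replace("peer 10.33.3.10 ebgp-max-hop 3\n", "").replace("undo policy", "policy")

def has(pattern, text):
    """True if any line of text matches pattern (leading whitespace is ignored)."""
    return re.search(r"^\s*" + pattern, text, re.M) is not None

def audit_asbr(cfg):
    """Return findings for the ASBR-related configuration notes of this example."""
    findings = []
    local_as = re.search(r"^\s*bgp (\d+)", cfg, re.M).group(1)
    if has(r"ip vpn-instance ", cfg):
        findings.append("VPN instance configured on ASBR")
    # Everything after the vpnv4 address family header (empty if the family is absent).
    vpnv4 = cfg.split("ipv4-family vpnv4", 1)[1] if "ipv4-family vpnv4" in cfg else ""
    if not has(r"undo policy vpn-target", vpnv4):
        findings.append("VPN-Target filtering still enabled for VPNv4 routes")
    for peer, asn in re.findall(r"^\s*peer (\S+) as-number (\d+)", cfg, re.M):
        if asn == local_as:
            continue  # IBGP peer (the PE); the multihop note concerns the EBGP peer
        p = re.escape(peer)
        if not has(rf"peer {p} ebgp-max-hop \d+", cfg):
            findings.append(f"EBGP peer {peer} has no ebgp-max-hop")
        if not has(rf"peer {p} connect-interface \S+", cfg):
            findings.append(f"EBGP peer {peer} has no connect-interface")
        if not has(rf"peer {p} enable", vpnv4):
            findings.append(f"EBGP peer {peer} not enabled in ipv4-family vpnv4")
    return findings

if __name__ == "__main__":
    print("ASBR1 :", audit_asbr(ASBR1) or "ok")
    print("BROKEN:", audit_asbr(BROKEN) or "ok")
```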