评分并提供意见反馈 :
华为采用机器翻译与人工审校相结合的方式将此文档翻译成不同语言,希望能帮助您更容易理解此文档的内容。 请注意:即使是最好的机器翻译,其准确度也不及专业翻译人员的水平。 华为对于翻译的准确性不承担任何责任,并建议您参考英文文档(已提供链接)。
配置OptionA方式跨域VPN示例
通过在ASBR上配置VPN实例,实现VRF-to-VRF方式管理VPN路由的OptionA方案。
组网需求
如图7-35,CE1和CE2属于同一个VPN。CE1接入AS100的PE1,CE2接入AS200的PE2。
采用OptionA方式实现跨域的BGP/MPLS IP VPN,即,采用VRF-to-VRF方式管理VPN路由。
配置思路
采用如下思路配置OptionA方式跨域VPN:
PE与CE之间建立EBGP对等体关系;PE与ASBR之间建立MP-IBGP对等体关系。
在两个ASBR上创建VPN实例,并将此实例绑定到连接另一ASBR的接口,并在ASBR之间建立EBGP对等体关系。
操作步骤
- 在AS100和AS200的MPLS骨干网上分别配置IGP协议,实现各自骨干网ASBR和PE之间的互通。
本例中采用OSPF,具体配置过程请参见后面的配置文件。
需要将作为LSR ID的LoopBack接口的32位地址通过OSPF发布出去。
配置完成后,同一AS的ASBR与PE之间应能建立OSPF邻居关系,执行display ospf peer命令可以看到邻居状态为Full。
同一AS的ASBR和PE能学习到对方的Loopback地址,并能够互相ping通。
- 在AS100和AS200的MPLS骨干网上分别配置MPLS基本能力和MPLS LDP,建立MPLS LDP LSP。
# 配置PE1的MPLS基本能力,并在与ASBR1相连的接口上使能LDP。
<PE1> system-view
[~PE1] mpls lsr-id 1.1.1.9[*PE1] mpls[*PE1-mpls] quit[*PE1] mpls ldp[*PE1-mpls-ldp] quit[*PE1] interface gigabitethernet1/0/0
[*PE1-GigabitEthernet1/0/0] mpls
[*PE1-GigabitEthernet1/0/0] mpls ldp
[*PE1-GigabitEthernet1/0/0] commit
[~PE1-GigabitEthernet1/0/0] quit
# 配置ASBR1的MPLS基本能力,并在与PE1相连的接口上使能LDP。
<ASBR1> system-view
[~ASBR1] mpls lsr-id 2.2.2.9[*ASBR1] mpls[*ASBR1-mpls] quit[*ASBR1] mpls ldp[*ASBR1-mpls-ldp] quit[*ASBR1] interface gigabitethernet1/0/0
[*ASBR1-GigabitEthernet1/0/0] mpls
[*ASBR1-GigabitEthernet1/0/0] mpls ldp
[*ASBR1-GigabitEthernet1/0/0] commit
[~ASBR1-GigabitEthernet1/0/0] quit
# 配置ASBR2的MPLS基本能力,并在与PE2相连的接口上使能LDP。
<ASBR2> system-view
[~ASBR2] mpls lsr-id 3.3.3.9[*ASBR2] mpls[*ASBR2-mpls] quit[*ASBR2] mpls ldp[*ASBR2-mpls-ldp] quit[*ASBR2] interface gigabitethernet1/0/0
[*ASBR2-GigabitEthernet1/0/0] mpls
[*ASBR2-GigabitEthernet1/0/0] mpls ldp
[*ASBR2-GigabitEthernet1/0/0] commit
[~ASBR2-GigabitEthernet1/0/0] quit
# 配置PE2的MPLS基本能力,并在与ASBR2相连的接口上使能LDP。
<PE2> system-view
[~PE2] mpls lsr-id 4.4.4.9[*PE2] mpls[*PE2-mpls] quit[*PE2] mpls ldp[*PE2-mpls-ldp] quit[*PE2] interface gigabitethernet1/0/0
[*PE2-GigabitEthernet1/0/0] mpls
[*PE2-GigabitEthernet1/0/0] mpls ldp
[*PE2-GigabitEthernet1/0/0] commit
[~PE2-GigabitEthernet1/0/0] quit
上述配置完成后,同一AS的PE和ASBR之间应该建立起LDP对等体,在各PE或者ASBR上执行display mpls ldp session命令可以看到显示结果中Session State项为“Operational”。
以PE1为例:
<PE1> display mpls ldp session
LDP Session(s) in Public Network Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDD:HH:MM) An asterisk (*) before a session means the session is being deleted. ------------------------------------------------------------------------- PeerID Status LAM SsnRole SsnAge KASent/Rcv -------------------------------------------------------------------------- 2.2.2.9:0 Operational DU Passive 0000:02:30 604/604 -------------------------------------------------------------------------- TOTAL: 1 Session(s) Found. - 为AS100和AS200分别配置基本BGP/MPLS IP VPN
同一AS内的ASBR与PE的VPN实例的VPN-Target应能匹配,不同AS的PE的VPN实例的VPN-Target则不需要匹配。
# 配置CE1。
<CE1> system-view
[~CE1] interface gigabitethernet 1/0/0
[~CE1-GigabitEthernet1/0/0] ip address 10.1.1.1 24
[*CE1-GigabitEthernet1/0/0] quit
[*CE1] interface loopback 1[*CE1-Loopback1] ip address 11.11.11.11 32[*CE1-Loopback1] quit[*CE1] bgp 65001[*CE1-bgp] peer 10.1.1.2 as-number 100[*CE1-bgp] network 11.11.11.11 32[*CE1-bgp] quit[*CE1] commit# 配置PE1:与CE1建立EBGP对等体关系。
[~PE1] ip vpn-instance vpn1[*PE1-vpn-instance-vpn1] ipv4-family[*PE1-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1[*PE1-vpn-instance-vpn1-af-ipv4] vpn-target 1:1 both[*PE1-vpn-instance-vpn1-af-ipv4] quit[*PE1-vpn-instance-vpn1] quit[*PE1] interface gigabitethernet 2/0/0
[*PE1-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
[*PE1-GigabitEthernet2/0/0] ip address 10.1.1.2 24
[*PE1-GigabitEthernet2/0/0] quit
[*PE1] bgp 100[*PE1-bgp] ipv4-family vpn-instance vpn1[*PE1-bgp-vpn1] peer 10.1.1.1 as-number 65001[*PE1-bgp-vpn1] commit[*PE1-bgp-vpn1] quit[*PE1-bgp] quit[*PE1] commit# 配置PE1:与ASBR1建立MP-IBGP对等体关系。
[~PE1] bgp 100[*PE1-bgp] peer 2.2.2.9 as-number 100[*PE1-bgp] peer 2.2.2.9 connect-interface loopback 1[*PE1-bgp] ipv4-family vpnv4[*PE1-bgp-af-vpnv4] peer 2.2.2.9 enable[*PE1-bgp-af-vpnv4] commit[~PE1-bgp-af-vpnv4] quit# 配置ASBR1:与PE1建立MP-IBGP对等体关系。
[~ASBR1] bgp 100[*ASBR1-bgp] peer 1.1.1.9 as-number 100[*ASBR1-bgp] peer 1.1.1.9 connect-interface loopback 1[*ASBR1-bgp] ipv4-family vpnv4[*ASBR1-bgp-af-vpnv4] peer 1.1.1.9 enable[*ASBR1-bgp-af-vpnv4] commit[~ASBR1-bgp-af-vpnv4] quit[~ASBR1-bgp] quitCE2、PE2、ASBR2上的配置分别与CE1、PE1、ASBR1类似,此处不再详述。
配置完成后,在PE设备上执行display bgp vpnv4 vpn-instance vpn-instance-name peer可以看到PE与CE之间的BGP对等体关系已建立,并达到Established状态。执行display bgp vpnv4 all peer命令,可以看到PE与CE之间、PE与ASBR之间的BGP对等体关系已建立,并达到Established状态。
以PE1的显示为例:
<PE1> display bgp vpnv4 vpn-instance vpn1 peer
BGP local router ID : 10.10.1.2 Local AS number : 100 VPN-Instance vpn1, Router ID 10.10.1.2: Total number of peers : 1 Peers in established state : 1 Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv 10.1.1.1 4 65001 79 80 0 01:05:48 Established 1
<PE1> display bgp vpnv4 all peer
BGP local router ID : 10.10.1.2 Local AS number : 100 Total number of peers : 2 Peers in established state : 2 Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv 2.2.2.9 4 100 180 180 0 02:33:25 Established 1 Peer of IPv4-family for vpn instance : VPN-Instance vpn1, Router ID 10.10.1.2: Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv 10.1.1.1 4 65001 80 80 0 01:06:34 Established 1
- 配置VRF-to-VRF方式的跨域VPN
# 配置ASBR1:创建VPN实例,并将此实例绑定到连接ASBR2的接口(ASBR1认为ASBR2是自己的CE)。
[~ASBR1] ip vpn-instance vpn1[*ASBR1-vpn-instance-vpn1] ipv4-family[*ASBR1-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:2[*ASBR1-vpn-instance-vpn1-af-ipv4] vpn-target 1:1 both[*ASBR1-vpn-instance-vpn1-af-ipv4] quit[*ASBR1-vpn-instance-vpn1] quit[*ASBR1] interface gigabitethernet 2/0/0
[*ASBR1-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
[*ASBR1-GigabitEthernet2/0/0] ip address 12.12.12.1 24
[*ASBR1-GigabitEthernet2/0/0] quit
[*ASBR1] commit# 配置ASBR2:创建VPN实例,并将此实例绑定到连接ASBR1的接口(ASBR2认为ASBR1是自己的CE)。
[~ASBR2] ip vpn-instance vpn1[*ASBR2-vpn-instance-vpn1] ipv4-family[*ASBR2-vpn-instance-vpn1-af-ipv4] route-distinguisher 200:2[*ASBR2-vpn-instance-vpn1-af-ipv4] vpn-target 2:2 both[*ASBR2-vpn-instance-vpn1-af-ipv4] commit[*ASBR2-vpn-instance-vpn1-af-ipv4] quit[*ASBR2-vpn-instance-vpn1] quit[*ASBR2] interface gigabitethernet 2/0/0
[*ASBR2-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
[*ASBR2-GigabitEthernet2/0/0] ip address 12.12.12.2 24
[*ASBR2-GigabitEthernet2/0/0] commit
[~ASBR2-GigabitEthernet2/0/0] quit
# 配置ASBR1:与ASBR2建立EBGP对等体关系。
[~ASBR1] bgp 100[*ASBR1-bgp] ipv4-family vpn-instance vpn1[*ASBR1-bgp-vpn1] peer 12.12.12.2 as-number 200[*ASBR1-bgp-vpn1] commit[*ASBR1-bgp-vpn1] quit[*ASBR1-bgp] quit# 配置ASBR2:与ASBR1建立EBGP对等体关系。
[*ASBR2] bgp 200[*ASBR2-bgp] ipv4-family vpn-instance vpn1[*ASBR2-bgp-vpn1] peer 12.12.12.1 as-number 100[*ASBR2-bgp-vpn1] commit[~ASBR2-bgp-vpn1] quit[~ASBR2-bgp] quit配置完成后,在ASBR上执行display bgp vpnv4 vpn-instance vpn-instance-name peer命令,可以看到ASBR间的BGP对等体关系已建立,并达到Established状态。
- 检查配置结果
上述配置完成后,CE之间能学习到对方的接口路由,CE1和CE2能够相互ping通。
以CE1的显示为例:
<CE1> display ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route ------------------------------------------------------------------------------ Routing Table : _public_ Destinations : 9 Routes : 9 Destination/Mask Proto Pre Cost Flags NextHop Interface 10.1.1.0/24 Direct 0 0 D 10.1.1.1 GigabitEthernet1/0/0 10.1.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0 10.1.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0 11.11.11.11/32 Direct 0 0 D 127.0.0.1 LoopBack1 22.22.22.22/32 EBGP 255 0 D 10.1.1.2 GigabitEthernet1/0/0 127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0 127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0 127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0 255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
<CE1> ping -a 11.11.11.11 22.22.22.22
PING 22.22.22.22: 56 data bytes, press CTRL_C to break Reply from 22.22.22.22: bytes=56 Sequence=1 ttl=251 time=46 ms Reply from 22.22.22.22: bytes=56 Sequence=2 ttl=251 time=4 ms Reply from 22.22.22.22: bytes=56 Sequence=3 ttl=251 time=4 ms Reply from 22.22.22.22: bytes=56 Sequence=4 ttl=251 time=4 ms Reply from 22.22.22.22: bytes=56 Sequence=5 ttl=251 time=4 ms --- 22.22.22.22 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 4/12/46 ms在ASBR上执行display ip routing-table vpn-instance命令,可以看到ASBR上为VPN维护的路由表。
<ASBR1> display ip routing-table vpn-instance vpn1
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route ------------------------------------------------------------------------------ Routing Table : vpn1 Destinations : 6 Routes : 6 Destination/Mask Proto Pre Cost Flags NextHop Interface 11.11.11.11/32 IBGP 255 0 RD 1.1.1.9 GigabitEthernet1/0/0 22.22.22.22/32 EBGP 255 0 RD 12.12.12.2 GigabitEthernet2/0/0 12.12.12.0/24 Direct 0 0 D 12.12.12.1 GigabitEthernet2/0/0 12.12.12.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet2/0/0 12.12.12.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet2/0/0 255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
在ASBR上执行display bgp vpnv4 all routing-table命令,可以看到ASBR上的VPNv4路由。
<ASBR1> display bgp vpnv4 all routing-table
BGP Local router ID is 10.10.1.1 Status codes: * - valid, > - best, d - damped, x - best external, a - add path, h - history, i - internal, s - suppressed, S - Stale Origin : i - IGP, e - EGP, ? - incomplete RPKI validation codes: V - valid, I - invalid, N - not-found Total number of routes from all PE: 2 Route Distinguisher: 100:1 Network NextHop MED LocPrf PrefVal Path/Ogn *>i 11.11.11.11/32 1.1.1.9 0 100 0 65001i Route Distinguisher: 100:2 Network NextHop MED LocPrf PrefVal Path/Ogn *> 22.22.22.22/32 12.12.12.2 0 200 65002i VPN-Instance vpn1, Router ID 10.10.1.1: Total Number of Routes: 2 Network NextHop MED LocPrf PrefVal Path/Ogn *>i 11.11.11.11/32 1.1.1.9 0 100 0 65001i *> 22.22.22.22/32 12.12.12.2 0 200 65002i
配置文件
CE1的配置文件
#
sysname CE1
#
interface GigabitEthernet1/0/0undo shutdown
ip address 10.1.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 11.11.11.11 255.255.255.255
#
bgp 65001
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization peer 10.1.1.2 enable network 11.11.11.11 255.255.255.255
#
return
PE1的配置文件
#
sysname PE1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
apply-label per-instance
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0undo shutdown
ip address 10.10.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0undo shutdown
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.0
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpn1
peer 10.1.1.1 as-number 65001
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 10.10.1.0 0.0.0.255
#
return
ASBR1的配置文件
#
sysname ASBR1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:2
apply-label per-instance
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 2.2.2.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0undo shutdown
ip address 10.10.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0undo shutdown
ip binding vpn-instance vpn1
ip address 12.12.12.1 255.255.255.0
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpn1
peer 12.12.12.2 as-number 200
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.10.1.0 0.0.0.255
#
return
ASBR2的配置文件
#
sysname ASBR2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 200:2
apply-label per-instance
vpn-target 2:2 export-extcommunity
vpn-target 2:2 import-extcommunity
#
mpls lsr-id 3.3.3.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0undo shutdown
ip address 10.40.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0undo shutdown
ip binding vpn-instance vpn1
ip address 12.12.12.2 255.255.255.0
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 200
peer 4.4.4.9 as-number 200
peer 4.4.4.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization peer 4.4.4.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 4.4.4.9 enable
#
ipv4-family vpn-instance vpn1
peer 12.12.12.1 as-number 100
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 10.40.1.0 0.0.0.255
#
return
PE2的配置文件
#
sysname PE2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 200:1
apply-label per-instance
vpn-target 2:2 export-extcommunity
vpn-target 2:2 import-extcommunity
#
mpls lsr-id 4.4.4.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet2/0/0undo shutdown
ip binding vpn-instance vpn1
ip address 10.2.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0undo shutdown
ip address 10.40.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
#
bgp 200
peer 3.3.3.9 as-number 200
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn1
peer 10.2.1.1 as-number 65002
#
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 10.40.1.0 0.0.0.255
#
return
CE2的配置文件
#
sysname CE2
#
interface GigabitEthernet1/0/0undo shutdown
ip address 10.2.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 22.22.22.22 255.255.255.255
#
bgp 65002
peer 10.2.1.2 as-number 200
#
ipv4-family unicast
undo synchronization peer 10.2.1.2 enable network 22.22.22.22 255.255.255.255
#
return
