评分并提供意见反馈 :
华为采用机器翻译与人工审校相结合的方式将此文档翻译成不同语言,希望能帮助您更容易理解此文档的内容。 请注意:即使是最好的机器翻译,其准确度也不及专业翻译人员的水平。 华为对于翻译的准确性不承担任何责任,并建议您参考英文文档(已提供链接)。
独立标签地址族下配置OptionC方式跨域VPN示例(方案一)
通过在不同AS的PE之间建立多跳的MP-EBGP对等体,实现跨域的VPN OptionC方案。
配置思路
本例配置主要思路是:
在不同AS间的PE间建立MP-EBGP对等体关系,并配置PE之间的最大跳数。
在ASBR上配置路由策略:对从本AS的PE接收的Loopback路由,在向对端ASBR发布时,分配MPLS标签;对于向本AS的PE发布的路由,如果是带标签的IPv4路由,为其分配新的MPLS标签。
PE与本AS的ASBR之间能够交换带标签的IPv4路由。
ASBR与对端ASBR之间能够交换带标签的IPv4路由。
数据准备
为完成此配置例,需准备如下的数据:
PE及ASBR上的MPLS LSR-ID分别为1.1.1.9、2.2.2.9、3.3.3.9、4.4.4.9
PE上创建的VPN实例名为vpn1、路由标志RD为100:1,出方向和入方向的VPN-Target值为1:1
ASBR上配置的路由策略
操作步骤
- 在AS100和AS200的MPLS骨干网上分别配置OSPF协议,实现各自骨干网内部PE和ASBR的互通
需要将作为LSR ID的LoopBack接口的32位地址通过OSPF发布出去。
# 配置PE1的MPLS基本能力,并在与ASBR1相连的接口上使能LDP。
[~PE1] ospf [*PE1-ospf-1] area 0 [*PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0 [*PE1-ospf-1-area-0.0.0.0] network 10.10.1.0 0.0.0.255 [*PE1-ospf-1-area-0.0.0.0] quit [*PE1-ospf-1] commit
# 配置ASBR1的MPLS基本能力,并在与PE1相连的接口上使能LDP。
[~ASBR1] ospf [*ASBR1-ospf-1] area 0 [*ASBR1-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0 [*ASBR1-ospf-1-area-0.0.0.0] network 10.10.1.0 0.0.0.255 [*ASBR1-ospf-1-area-0.0.0.0] quit [*ASBR1-ospf-1] commit
PE2、ASBR2上的配置分别与PE1、ASBR1类似,此处不再详述。
配置完成后,同一AS的ASBR与PE之间应能建立OSPF邻居关系,执行display ospf peer命令可以看到邻居状态为Full。
以PE1为例:
<PE1> display ospf peer
OSPF Process 1 with Router ID 1.1.1.9
Neighbors
Area 0.0.0.0 interface 10.10.1.2(GigabitEthernet1/0/0)'s neighborsRouter ID: 2.2.2.9 Address: 10.10.1.1
State: Full Mode:Nbr is Master Priority: 1
DR: 2.2.2.9 BDR: 2.2.2.9 MTU: 0
Dead timer due in 31 sec
Retrans timer interval: 5
Neighbor is up for 00:28:11
Authentication Sequence: [ 0 ]
同一AS的ASBR和PE能学习到对方的Loopback1的IP地址,并能够互相ping通。
- 在AS100和AS200的MPLS骨干网上分别配置MPLS基本能力和MPLS LDP,建立LDP LSP
# 配置PE1的MPLS基本能力,并在与ASBR1相连的接口上使能LDP。
[~PE1] mpls lsr-id 1.1.1.9 [*PE1] mpls [*PE1-mpls] quit [*PE1] mpls ldp [*PE1-mpls-ldp] quit [*PE1] interface gigabitethernet 1/0/0 [*PE1-GigabitEthernet1/0/0] mpls [*PE1-GigabitEthernet1/0/0] mpls ldp [*PE1-GigabitEthernet1/0/0] quit [*PE1] commit
# 配置ASBR1的MPLS基本能力,并在与PE1相连的接口上使能LDP。
[~ASBR1] mpls lsr-id 2.2.2.9 [*ASBR1] mpls [*ASBR1-mpls] quit [*ASBR1] mpls ldp [*ASBR1-mpls-ldp] quit [*ASBR1] interface gigabitethernet 1/0/0 [*ASBR1-GigabitEthernet1/0/0] mpls [*ASBR1-GigabitEthernet1/0/0] mpls ldp [*ASBR1-GigabitEthernet1/0/0] quit [*ASBR1] commit
# 配置ASBR2的MPLS基本能力,并在与PE2相连的接口上使能LDP。
[~ASBR2] mpls lsr-id 3.3.3.9 [*ASBR2] mpls [*ASBR2-mpls] quit [*ASBR2] mpls ldp [*ASBR2-mpls-ldp] quit [*ASBR2] interface gigabitethernet 1/0/0 [*ASBR2-GigabitEthernet1/0/0] mpls [*ASBR2-GigabitEthernet1/0/0] mpls ldp [*ASBR2-GigabitEthernet1/0/0] quit [*ASBR2] commit
# 配置PE2的MPLS基本能力,并在与ASBR2相连的接口上使能LDP。
[~PE2] mpls lsr-id 4.4.4.9 [*PE2] mpls [*PE2-mpls] quit [*PE2] mpls ldp [*PE2-mpls-ldp] quit [*PE2] interface gigabitethernet 1/0/0 [*PE2-GigabitEthernet1/0/0] mpls [*PE2-GigabitEthernet1/0/0] mpls ldp [*PE2-GigabitEthernet1/0/0] quit [*PE2] commit
上述配置完成后,PE1与ASBR1、ASBR2与PE2之间应能建立LDP会话,执行display mpls ldp session命令可以看到显示结果中Status项为“Operational”。执行display mpls ldp lsp命令,可以看到LDP LSP的建立情况。
以PE1为例:
[~PE1] display mpls ldp session LDP Session(s) in Public Network Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM) An asterisk (*) before a session means the session is being deleted. ------------------------------------------------------------------------------ PeerID Status LAM SsnRole SsnAge KASent/Rcv ------------------------------------------------------------------------------ 2.2.2.9:0 Operational DU Passive 0000:00:01 5/5 ------------------------------------------------------------------------------ TOTAL: 1 session(s) Found.
[~PE1] display mpls ldp lsp LDP LSP Information ------------------------------------------------------------------------------- Flag after Out IF: (I) - RLFA Iterated LSP, (I*) - Normal and RLFA Iterated LSP ------------------------------------------------------------------------------- DestAddress/Mask In/OutLabel UpstreamPeer NextHop OutInterface ------------------------------------------------------------------------------- 1.1.1.9/32 3/NULL 2.2.2.9 127.0.0.1 InLoop0 *1.1.1.9/32 Liberal 2.2.2.9/32 NULL/3 - 172.16.1.1 GE1/0/0 2.2.2.9/32 1024/3 2.2.2.9 172.16.1.1 GE1/0/0 ------------------------------------------------------------------------------- TOTAL: 3 Normal LSP(s) Found. TOTAL: 1 Liberal LSP(s) Found. TOTAL: 0 Frr LSP(s) Found. An asterisk (*) before an LSP means the LSP is not established An asterisk (*) before a Label means the USCB or DSCB is stale An asterisk (*) before an UpstreamPeer means the session is stale An asterisk (*) before a DS means the session is stale An asterisk (*) before a NextHop means the LSP is FRR LSP
- 为AS100和AS200分别配置IPv4地址族的IBGP对等体关系
# 配置PE1。
[~PE1] bgp 100[*PE1-bgp] peer 2.2.2.9 as-number 100[*PE1-bgp] peer 2.2.2.9 connect-interface LoopBack1[*PE1-bgp] commit# 配置ASBR1。
[~ASBR1] bgp 100[*ASBR1-bgp] peer 1.1.1.9 as-number 100[*ASBR1-bgp] peer 1.1.1.9 connect-interface LoopBack1[*ASBR1-bgp] commitPE2、ASBR2上的配置分别与PE1、ASBR1类似,此处不再详述。
- 在PE上配置VPN实例,并接入CE。
PE1的VPN实例的import VPN-Target需要匹配PE2的VPN实例的export VPN-Target;PE2的VPN实例的import VPN-Target需要匹配PE1的VPN实例的export VPN-Target。
# 配置PE1。
[~PE1] ip vpn-instance vpn1 [*PE1-vpn-instance-vpn1] route-distinguisher 100:1 [*PE1-vpn-instance-vpn1] vpn-target 1:1 export-extcommunity [*PE1-vpn-instance-vpn1] vpn-target 1:1 import-extcommunity [*PE1-vpn-instance-vpn1] quit
[*PE1] interface gigabitethernet 2/0/0 [*PE1-GigabitEthernet2/0/0] ip binding vpn-instance vpn1 [*PE1-GigabitEthernet2/0/0] ip address 10.1.1.2 24 [*PE1-GigabitEthernet2/0/0] quit [*PE1] commit
# 配置PE2。
[~PE2] ip vpn-instance vpn1 [*PE2-vpn-instance-vpn1] route-distinguisher 200:1 [*PE2-vpn-instance-vpn1] vpn-target 1:1 export-extcommunity [*PE2-vpn-instance-vpn1] vpn-target 1:1 import-extcommunity [*PE2-vpn-instance-vpn1] quit
[*PE2] interface gigabitethernet 2/0/0 [*PE2-GigabitEthernet2/0/0] ip binding vpn-instance vpn1 [*PE2-GigabitEthernet2/0/0] ip address 10.2.1.2 24 [*PE2-GigabitEthernet2/0/0] quit [*PE2] commit
配置完成后,在PE设备上执行display ip vpn-instance verbose命令可以看到VPN实例的配置情况。各PE能ping通自己接入的CE。
以PE1为例:
[~PE1] display ip vpn-instance verbose Total VPN-Instances configured : 1 Total IPv4 VPN-Instances configured : 1 Total IPv6 VPN-Instances configured : 0 VPN-Instance Name and ID : vpn1, 1 Interfaces : GigabitEthernet2/0/0 Address family ipv4 Create date : 2012/05/14 07:31:56 Up time : 0 days, 08 hours, 26 minutes and 31 seconds Vrf Status : UP Route Distinguisher : 100:1 Export VPN Targets : 1:1 Import VPN Targets : 1:1 Label Policy : label per instance Per-Instance Label : 48060 The diffserv-mode Information is : uniform The ttl-mode Information is : pipe
- 配置标签IPv4路由交换
# 配置PE1:使能与ASBR1交换标签IPv4路由的能力,将PE的Loopback路由发布给ASBR2。
[~PE1] bgp 100[*PE1-bgp] ipv4-family labeled-unicast[*PE1-bgp-af-ipv4-labeled] peer 2.2.2.9 enable[*PE1-bgp-af-ipv4-labeled] network 1.1.1.9 32[*PE1-bgp] quit[*PE1] commit# 配置ASBR1:在与ASBR2相连的接口GE2/0/0上使能MPLS。
[~ASBR1] interface gigabitethernet 2/0/0
[*ASBR1-GigabitEthernet2/0/0] ip address 10.21.1.1 24
[*ASBR1-GigabitEthernet2/0/0] mpls
[*ASBR1-GigabitEthernet2/0/0] quit
[*ASBR1] commit# 配置ASBR1:使能交换标签IPv4路由的能力。
[~ASBR1] bgp 100[*ASBR1-bgp] ipv4-family labeled-unicast[*ASBR1-bgp-af-ipv4-labeled] peer 1.1.1.9 enable[*ASBR1-bgp-af-ipv4-labeled] peer 10.21.1.2 enable[*ASBR1-bgp] quit[*ASBR1] commitPE2、ASBR2上的配置分别与PE1、ASBR1类似,此处不再详述。
配置完成后,在ASBR上执行display bgp routing-table label命令,可以看到BGP路由的标签信息。在ASBR1从ASBR2学到这些带标签的BGP公网路由后,自动分配标签并发布给支持标签能力的PE1,从而建立一条完整的公网LSP。
以ASBR1为例:
[~ASBR1] display bgp labeled routing-table labelBGP Local router ID is 10.10.1.1
Status codes: * - valid, > - best, d - damped, x - best external, a - add path,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 2
Network NextHop In/Out Label
*> 1.1.1.9 1.1.1.9 48090/48080
*> 4.4.4.9 10.21.1.2 48091/48095
- PE1与PE2建立MP-EBGP对等体关系
# 配置PE1。
[~PE1] bgp 100[*PE1-bgp] router-id 1.1.1.1[*PE1-bgp] peer 4.4.4.9 as-number 200[*PE1-bgp] peer 4.4.4.9 connect-interface LoopBack 1[*PE1-bgp] peer 4.4.4.9 ebgp-max-hop 10[*PE1-bgp] import-rib public labeled-unicast[*PE1-bgp] ipv4-family vpnv4[*PE1-bgp-af-vpnv4] peer 4.4.4.9 enable[*PE1-bgp-af-vpnv4] quit[*PE1-bgp] quit[*PE1] commit# 配置PE2。
[~PE2] bgp 200[*PE2-bgp] router-id 4.4.4.4[*PE2-bgp] peer 1.1.1.9 as-number 100[*PE2-bgp] peer 1.1.1.9 connect-interface LoopBack 1[*PE2-bgp] peer 1.1.1.9 ebgp-max-hop 10[*PE2-bgp] import-rib public labeled-unicast[*PE2-bgp] ipv4-family vpnv4[*PE2-bgp-af-vpnv4] peer 1.1.1.9 enable[*PE2-bgp-af-vpnv4] quit[*PE2-bgp] quit[*PE2] commit - 检查配置结果
上述配置完成后,CE之间能学习到对方的接口路由,CE1和CE2能够相互ping通。
以CE1的显示为例:
[~CE1] display ip routing-table 10.2.1.1 verboseRoute Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route ------------------------------------------------------------------------------ Routing Table : _public_ Summary Count : 1 Destination: 10.2.1.0/24 Protocol: EBGP Process ID: 0 Preference: 255 Cost: 0 NextHop: 10.1.1.2 Neighbour: 10.1.1.2 State: Active Adv Relied Age: 07h11m59s Tag: 0 Priority: low Label: NULL QoSInfo: 0x0 IndirectID: 0x10000CC Instance: RelayNextHop: 10.1.1.2 Interface: GigabitEthernet1/0/0 TunnelID: 0x0 Flags: RD[~CE1] ping 10.2.1.1PING 10.2.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.2.1.1: bytes=56 Sequence=1 ttl=252 time=102 ms
Reply from 10.2.1.1: bytes=56 Sequence=2 ttl=252 time=89 ms
Reply from 10.2.1.1: bytes=56 Sequence=3 ttl=252 time=106 ms
Reply from 10.2.1.1: bytes=56 Sequence=4 ttl=252 time=104 ms
Reply from 10.2.1.1: bytes=56 Sequence=5 ttl=252 time=56 ms
--- 10.2.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 56/91/106 ms
配置文件
CE1的配置文件
#
sysname CE1
#
interface GigabitEthernet1/0/0undo shutdown
ip address 10.1.1.1 255.255.255.0
#
bgp 65001
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization import-route direct
peer 10.1.1.2 enable
#
return
PE1的配置文件
#
sysname PE1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
apply-label per-instance
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0undo shutdown
ip address 10.10.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0undo shutdown
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.0
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100 router-id 1.1.1.1 peer 2.2.2.9 as-number 100 peer 2.2.2.9 connect-interface LoopBack1
peer 4.4.4.9 as-number 200
peer 4.4.4.9 ebgp-max-hop 10
peer 4.4.4.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
import-rib public labeled-unicast
peer 2.2.2.9 enable
peer 4.4.4.9 enable
#
ipv4-family labeled-unicast
network 1.1.1.9 255.255.255.255
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 4.4.4.9 enable
#
ipv4-family vpn-instance vpn1
peer 10.1.1.1 as-number 65001
import-route direct
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 10.10.1.0 0.0.0.255
#
return
ASBR1的配置文件
#
sysname ASBR1
#
mpls lsr-id 2.2.2.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0undo shutdown
ip address 10.10.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0undo shutdown
ip address 10.21.1.1 255.255.255.0
mpls
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
peer 10.21.1.2 as-number 200
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
peer 10.21.1.2 enable
#
ipv4-family labeled-unicast
peer 1.1.1.9 enable
peer 10.21.1.2 enable
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.10.1.0 0.0.0.255
#
return
ASBR2的配置文件
#
sysname ASBR2
#
mpls lsr-id 3.3.3.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0undo shutdown
ip address 10.40.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0undo shutdown
ip address 10.21.1.2 255.255.255.0
mpls
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 200
peer 4.4.4.9 as-number 200
peer 4.4.4.9 connect-interface LoopBack1
peer 10.21.1.1 as-number 100
#
ipv4-family unicast
undo synchronization
peer 4.4.4.9 enable
peer 10.21.1.1 enable
#
ipv4-family labeled-unicast
peer 4.4.4.9 enable
peer 10.21.1.1 enable
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 10.40.1.0 0.0.0.255
#
return
PE2的配置文件
#
sysname PE2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 200:1
apply-label per-instance
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 4.4.4.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0undo shutdown
ip address 10.40.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0undo shutdown
ip binding vpn-instance vpn1
ip address 10.2.1.2 255.255.255.0
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
#
bgp 200
router-id 4.4.4.4
peer 1.1.1.9 as-number 100
peer 1.1.1.9 ebgp-max-hop 10
peer 1.1.1.9 connect-interface LoopBack1
peer 3.3.3.9 as-number 200
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
import-rib public labeled-unicast
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv4-family labeled-unicast
network 4.4.4.9 255.255.255.255
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpn1
peer 10.2.1.1 as-number 65002
import-route direct
#
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 10.40.1.0 0.0.0.255
#
return
CE2的配置文件
#
sysname CE2
#
interface GigabitEthernet1/0/0undo shutdown
ip address 10.2.1.1 255.255.255.0
#
bgp 65002
peer 10.2.1.2 as-number 200
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return
