1、MPLS VPN Lab (branch sites can reach each other)
Lab requirements:
1、A1 and A2 can reach each other through the MPLS VPN, B1 and B2 can reach each other, and A cannot access B.
2、R2 is the ISP
3、R6 can telnet to R4, R7 can telnet to R5
Configuration steps:
- Bring up the backbone IGP so the backbone is fully reachable
- Configure the public-network LSP tunnels; the LSPs are built for the loopback host routes of the PE and P devices
- Configure the MP-IBGP neighbor relationship between the PEs (an RR can simplify the full-mesh MP-IBGP neighbor relationships)
- VPN service access: create the VPN instances (VRF spaces) on the PEs
1、Bring up the backbone underlay with OSPF
[R1]ospf 1 router-id 1.1.1.1
[R1-ospf-1]a 0
[R1-ospf-1-area-0.0.0.0]network 10.1.12.1 0.0.0.0
[R1-ospf-1-area-0.0.0.0]network 1.1.1.1 0.0.0.0
[R2]ospf 1 router-id 2.2.2.2
[R2-ospf-1]a 0
[R2-ospf-1-area-0.0.0.0]network 10.1.12.2 0.0.0.0
[R2-ospf-1-area-0.0.0.0]network 2.2.2.2 0.0.0.0
[R2-ospf-1-area-0.0.0.0]network 10.1.23.2 0.0.0.0
[R3]ospf 1 router-id 3.3.3.3
[R3-ospf-1]a 0
[R3-ospf-1-area-0.0.0.0]network 10.1.23.3 0.0.0.0
[R3-ospf-1-area-0.0.0.0]network 3.3.3.3 0.0.0.0
Check that the neighbor relationships are established
2、Configure the public-network LSP tunnels (MPLS must be enabled both globally and on the interfaces)
[R1]mpls lsr-id 1.1.1.1
[R1]mpls
Info: Mpls starting, please wait... OK!
[R1-mpls]mpls ldp
[R1-mpls-ldp]q
[R1]int g0/0/2
[R1-GigabitEthernet0/0/2]mpls
[R1-GigabitEthernet0/0/2]mpls ldp
[R2]mpls lsr-id 2.2.2.2
[R2]mpls
Info: Mpls starting, please wait... OK!
[R2-mpls]mpls ldp
[R2-mpls-ldp]int g0/0/0
[R2-GigabitEthernet0/0/0]mpls
[R2-GigabitEthernet0/0/0]mpls ldp
[R2-GigabitEthernet0/0/0]int g0/0/1
[R2-GigabitEthernet0/0/1]mpls
[R2-GigabitEthernet0/0/1]mpls ldp
[R3]mpls lsr-id 3.3.3.3
[R3]mpls
Info: Mpls starting, please wait... OK!
[R3-mpls]mpls ldp
[R3-mpls-ldp]int g0/0/0
[R3-GigabitEthernet0/0/0]mpls
[R3-GigabitEthernet0/0/0]mpls ldp
By default, Huawei devices assign labels only to 32-bit host routes
3、Deploy MP-BGP over the backbone (R1 and R3 are IBGP neighbors)
[R1]bgp 1
[R1-bgp]peer 3.3.3.3 as-number 1
[R1-bgp]peer 3.3.3.3 connect-interface loo0
[R3]bgp 1
[R3-bgp]peer 1.1.1.1 as-number 1
[R3-bgp]peer 1.1.1.1 connect-interface loo0
Enable the VPNv4 address family
[R1]bgp 1
[R1-bgp]ipv4-family vpnv4
[R1-bgp-af-vpnv4]peer 3.3.3.3 enable
[R3]bgp 1
[R3-bgp]ipv4-family vpnv4
[R3-bgp-af-vpnv4]peer 1.1.1.1 enable
Check the state of the BGP VPNv4 neighbor relationship
4、VPN service access: create the VPN instances.
Between the sites of company A
[R1]ip vpn-instance A1
[R1-vpn-instance-A1]route-distinguisher 1:1
[R1-vpn-instance-A1-af-ipv4]vpn-target 1:100 both
IVT Assignment result:
Info: VPN-Target assignment is successful.
EVT Assignment result:
Info: VPN-Target assignment is successful.
[R1-vpn-instance-A1]q
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip binding vpn-instance A1
Info: All IPv4 related configurations on this interface are removed!
Info: All IPv6 related configurations on this interface are removed!
[R1-GigabitEthernet0/0/0]ip add 10.1.14.1 24
[R3]ip vpn-instance A2
[R3-vpn-instance-A2]route-distinguisher 1:2
[R3-vpn-instance-A2-af-ipv4]vpn-target 1:100 both
IVT Assignment result:
Info: VPN-Target assignment is successful.
EVT Assignment result:
Info: VPN-Target assignment is successful.
[R3-vpn-instance-A2]q
[R3]int g0/0/1
[R3-GigabitEthernet0/0/1]ip binding vpn-instance A2
Info: All IPv4 related configurations on this interface are removed!
Info: All IPv6 related configurations on this interface are removed!
[R3-GigabitEthernet0/0/1]ip address 10.1.36.3 24
Between the sites of company B
[R1]ip vpn-instance B1
[R1-vpn-instance-B1]route-distinguisher 1:3
[R1-vpn-instance-B1-af-ipv4]vpn-target 2:100 both
IVT Assignment result:
Info: VPN-Target assignment is successful.
EVT Assignment result:
Info: VPN-Target assignment is successful.
[R1-vpn-instance-B1-af-ipv4]int g0/0/1
[R1-GigabitEthernet0/0/1]ip binding vpn-instance B1
Info: All IPv4 related configurations on this interface are removed!
Info: All IPv6 related configurations on this interface are removed!
[R1-GigabitEthernet0/0/1]ip add 10.1.15.1 24
[R3]ip vpn-instance B2
[R3-vpn-instance-B2]route-distinguisher 1:4
[R3-vpn-instance-B2-af-ipv4]vpn-target 2:100 both
IVT Assignment result:
Info: VPN-Target assignment is successful.
EVT Assignment result:
Info: VPN-Target assignment is successful.
[R3-vpn-instance-B2-af-ipv4]int g0/0/2
[R3-GigabitEthernet0/0/2]ip binding vpn-instance B2
Info: All IPv4 related configurations on this interface are removed!
Info: All IPv6 related configurations on this interface are removed!
[R3-GigabitEthernet0/0/2]ip add 10.1.37.3 24
1、The RD exists so that when identical routes are advertised from different instances on the same PE, it is still possible to tell which instance each route came from.
For example: A1 has the route 192.168.1.0/24 and B1 also has 192.168.1.0/24; the RD keeps them apart. On the same PE the RD values must stay unique and must not be the same.
2、The RT expresses which routes an instance is interested in: the eRT is attached to routes sent out, the iRT defines the routes the instance accepts. This is how routes are told apart and delivered into the correct instance.
5、Start the OSPF process for the corresponding instance on the PEs
[R1]ospf 2 router-id 1.1.1.1 vpn-instance A1
[R1-ospf-2]a 0
[R1-ospf-2-area-0.0.0.0]network 10.1.14.1 0.0.0.0
[R3]ospf 3 router-id 3.3.3.3 vpn-instance A2
[R3-ospf-3]a 0
[R3-ospf-3-area-0.0.0.0]network 10.1.36.3 0.0.0.0
[R1]ospf 4 router-id 1.1.1.1 vpn-instance B1
[R1-ospf-4]a 0
[R1-ospf-4-area-0.0.0.0]network 10.1.15.1 0.0.0.0
[R3]ospf 5 router-id 3.3.3.3 vpn-instance B2
[R3-ospf-5]a 0
[R3-ospf-5-area-0.0.0.0]network 10.1.37.3 0.0.0.0
On R4/R5/R6/R7, simply start the OSPF process for the corresponding area as normal
Test:
The reason you cannot ping directly from R1 is that R1 has two routing tables, so you must specify which routing table (VPN instance) the route is looked up in
6、Route import
[R1]ospf 2
[R1-ospf-2]import-route bgp
[R1]bgp 1
[R1-bgp]ipv4-family vpn-instance A1
[R1-bgp-A1]import-route ospf 2
[R3]bgp 1
[R3-bgp]ipv4-family vpn-instance A2
[R3-bgp-A2]import-route ospf 3
[R3]ospf 3
[R3-ospf-3]import-route bgp
Test:
During this process the traffic is forwarded with two labels (outer label 1025, inner label 1028)
View the label forwarding table
7、Enable Telnet
[R4]aaa
[R4-aaa]local-user ccna password cipher huawei@123
Info: Add a new user.
[R4-aaa]local-user ccna service-type telnet
[R4]user-interface vty 0 4
[R4-ui-vty0-4]user privilege level 15
[R4-ui-vty0-4]authentication-mode aaa
[R5]aaa
[R5-aaa]local-user ccnp password cipher cisco123
Info: Add a new user.
[R5-aaa]local-user ccnp service-type telnet
[R5]user-interface vty 0 4
[R5-ui-vty0-4]user privilege level 15
[R5-ui-vty0-4]authentication-mode aaa
Test:
Extension: turn R2 into an RR
[R1]bgp 1
[R1-bgp]peer 2.2.2.2 as-number 1
[R1-bgp]peer 2.2.2.2 connect-interface loo0
[R1-bgp]ipv4-family vpnv4
[R1-bgp-af-vpnv4]peer 2.2.2.2 enable
[R2]bgp 1
[R2-bgp]peer 1.1.1.1 as-number 1
[R2-bgp]peer 1.1.1.1 connect-interface loo0
[R2-bgp]peer 3.3.3.3 as-number 1
[R2-bgp]peer 3.3.3.3 connect-interface loo0
[R2-bgp]ipv4-family vpnv4
[R2-bgp-af-vpnv4]peer 1.1.1.1 enable
[R2-bgp-af-vpnv4]peer 1.1.1.1 reflect-client
[R2-bgp-af-vpnv4]peer 3.3.3.3 enable
[R2-bgp-af-vpnv4]peer 3.3.3.3 reflect-client
[R3]bgp 1
[R3-bgp]undo peer 1.1.1.1
[R3-bgp]peer 2.2.2.2 as-number 1
[R3-bgp]peer 2.2.2.2 connect-interface loo0
[R3-bgp]ipv4-family vpnv4
[R3-bgp-af-vpnv4]peer 2.2.2.2 enable
Check the state of the BGP VPNv4 neighbor relationship
With an RR in place there is a problem: VPNv4 routes are filtered once they reach the RR.
policy vpn-target, which is on by default, enables RT-based filtering of VPNv4 routes:
1、If this router has no VPN instance attached, all VPNv4 routes are dropped.
2、If this router has VPN instances attached, the route's eRT is matched against the iRT of every local VPN instance; if the eRT matches none of the local instances' iRTs, the route is dropped.
Solution: undo policy vpn-target turns off RT-based filtering of VPNv4 routes
[R2-bgp-af-vpnv4]undo policy vpn-target
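As an added example (not part of the lab and not Huawei code), the following Python models the two points made above: the RD/RT explanation from step 4 and the RR's policy vpn-target filtering. The instances, RDs, RTs and the 192.168.1.0/24 prefix are constructed to match the lab; the class and function names are assumptions.

```python
# Constructed model (not Huawei code) of the lab's VPNv4 handling: the NLRI is
# RD + prefix, a route carries the exporting instance's eRT, and a receiver keeps
# it only if a local instance's iRT matches ("policy vpn-target", the Huawei
# default); "undo policy vpn-target" disables that check.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class VpnInstance:
    name: str
    rd: str                 # unique per PE, e.g. "1:1"
    import_rts: frozenset   # iRT: which routes this instance accepts
    export_rts: frozenset   # eRT: attached to routes this instance advertises

@dataclass(frozen=True)
class VpnV4Route:
    rd: str
    prefix: str
    export_rts: frozenset

def export_from(inst, prefix):
    # PE side: prepend the instance RD and attach the instance eRT.
    return VpnV4Route(inst.rd, prefix, inst.export_rts)

@dataclass
class Router:
    instances: tuple = ()
    policy_vpn_target: bool = True                   # Huawei default: filter on
    vpnv4_table: set = field(default_factory=set)    # kept (rd, prefix) NLRI
    vrf_tables: dict = field(default_factory=dict)   # instance name -> {prefix}

    def receive(self, route):
        # Returns (kept, names of local instances that imported the route).
        matched = [i.name for i in self.instances if i.import_rts & route.export_rts]
        if self.policy_vpn_target and not matched:
            return False, []          # rules 1 and 2 from the text: route dropped
        self.vpnv4_table.add((route.rd, route.prefix))
        for name in matched:
            self.vrf_tables.setdefault(name, set()).add(route.prefix)
        return True, matched

def run_lab():
    both = lambda rt: (frozenset({rt}), frozenset({rt}))   # "vpn-target X both"
    a1, b1 = VpnInstance("A1", "1:1", *both("1:100")), VpnInstance("B1", "1:3", *both("2:100"))
    a2, b2 = VpnInstance("A2", "1:2", *both("1:100")), VpnInstance("B2", "1:4", *both("2:100"))
    # Same customer prefix in A1 and B1; only the RD keeps the two NLRIs apart.
    routes = [export_from(a1, "192.168.1.0/24"), export_from(b1, "192.168.1.0/24")]
    r3, rr, rr_fixed = Router((a2, b2)), Router(), Router(policy_vpn_target=False)
    return {"r3": [r3.receive(r) for r in routes], "rr_default": [rr.receive(r) for r in routes],
            "rr_fixed": [rr_fixed.receive(r) for r in routes], "rr_nlri": sorted(rr_fixed.vpnv4_table),
            "r3_vrfs": {k: sorted(v) for k, v in r3.vrf_tables.items()}}
```

run_lab() shows R3 importing the A1 route into A2 only and the B1 route into B2 only, R2 with the default policy dropping both, and R2 after undo policy vpn-target holding two distinct NLRIs for the same prefix.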
Note: this lab only lets the companies' sites reach each other; it does not provide access to the ISP, because private IP addresses are used.
To reach the ISP, an additional link to the carrier must be provisioned and public IP addresses used.