MPLS VPN實驗（分支之間可以互通）

1、MPLS VPN實驗（分支之間可以互通）

實驗要求：

1、A1和A2可以通過MPLS VPN打通，B1和B2可以打通，A不能訪問B。
2、R2爲ISP
3、R6可以telnetR4，R7可以TelnetR5

配置步驟：

1. 骨幹網絡做通IGP打通
2. 配置公網的LSP隧道，PE,P設備的loopack的主機路由建立LSP
3. PE之間配置MP-IBGP鄰居關係（可以通過RR簡化MP——IBGP全互聯鄰居關係）
4. VPN業務接入配置，在PE上創建VPN實例（VRF空間）

1、骨幹網底層使用OSPF打通

[R1]ospf 1 router-id 1.1.1.1
[R1-ospf-1]a 0
[R1-ospf-1-area-0.0.0.0]network 10.1.12.1 0.0.0.0	
[R1-ospf-1-area-0.0.0.0]network  1.1.1.1 0.0.0.0

[R2]ospf 1 router-id  2.2.2.2
[R2-ospf-1]a 0
[R2-ospf-1-area-0.0.0.0]network  10.1.12.2 0.0.0.0
[R2-ospf-1-area-0.0.0.0]network 2.2.2.2 0.0.0.0
[R2-ospf-1-area-0.0.0.0]network 10.1.23.2 0.0.0.0

[R3]ospf 1 router-id  3.3.3.3
[R3-ospf-1]a 0	
[R3-ospf-1-area-0.0.0.0]network 10.1.23.3 0.0.0.0
[R3-ospf-1-area-0.0.0.0]network  3.3.3.3 0.0.0.0

查看鄰居關係的建立情況

2、配置公網的LSP隧道。（全局和接口都要配置）

[R1]mpls lsr-id 1.1.1.1 
[R1]mpls 
Info: Mpls starting, please wait... OK!
[R1-mpls]mpls ldp
[R1-mpls-ldp]q
[R1]int g0/0/2	
[R1-GigabitEthernet0/0/2]mpls 
[R1-GigabitEthernet0/0/2]mpls ldp 

[R2]mpls lsr-id 2.2.2.2
[R2]mpls 
Info: Mpls starting, please wait... OK!
[R2-mpls]mpls ldp
[R2-mpls-ldp]int g0/0/0	
[R2-GigabitEthernet0/0/0]mpls 	
[R2-GigabitEthernet0/0/0]mpls ldp 
[R2-GigabitEthernet0/0/0]int g0/0/1
[R2-GigabitEthernet0/0/1]mpls 
[R2-GigabitEthernet0/0/1]mpls ldp 

[R3]mpls lsr-id 3.3.3.3
[R3]mpls 
Info: Mpls starting, please wait... OK!
[R3-mpls]mpls ldp
[R3-mpls-ldp]int g0/0/0
[R3-GigabitEthernet0/0/0]mpls 
[R3-GigabitEthernet0/0/0]mpls ldp 

華爲設備默認只爲32位主機路由分配標籤

3、骨幹網鋪設MP-BGP（R1和R3爲IBGP鄰居關係）

[R1]bgp 1
[R1-bgp]peer 3.3.3.3 as-number 1
[R1-bgp]peer 3.3.3.3 connect-interface loo0


[R3]bgp 1
[R3-bgp]peer 1.1.1.1 as-number 1
[R3-bgp]peer 1.1.1.1 connect-interface loo0

開啓VPNV4路由

[R1]bgp 1
[R1-bgp]ipv4-family vpnv4
[R1-bgp-af-vpnv4]peer 3.3.3.3 enable

[R3]bgp 1
[R3-bgp]ipv4-family vpnv4
[R3-bgp-af-vpnv4]peer 1.1.1.1 enable

查看BGP的VPNV4鄰居關係狀態

4、VPN業務的接入，創建VPN實例。

A公司之間

[R1]ip vpn-instance A1
[R1-vpn-instance-A1]route-distinguisher 1:1
[R1-vpn-instance-A1-af-ipv4]vpn-target 1:100 both 
 IVT Assignment result: 
Info: VPN-Target assignment is successful.
 EVT Assignment result: 
Info: VPN-Target assignment is successful.
[R1-vpn-instance-A1]q
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip binding vpn-instance A1
Info: All IPv4 related configurations on this interface are removed!
Info: All IPv6 related configurations on this interface are removed!
[R1-GigabitEthernet0/0/0]ip add 10.1.14.1 24

[R3]ip vpn-instance A2
[R3-vpn-instance-A2]route-distinguisher 1:2
[R3-vpn-instance-A2-af-ipv4]vpn-target 1:100 both 
 IVT Assignment result: 
Info: VPN-Target assignment is successful.
 EVT Assignment result: 
Info: VPN-Target assignment is successful.
[R3-vpn-instance-A2]q
[R3]int g0/0/1
[R3-GigabitEthernet0/0/1]ip binding vpn-instance A2
Info: All IPv4 related configurations on this interface are removed!
Info: All IPv6 related configurations on this interface are removed!	
[R3-GigabitEthernet0/0/1]ip address 10.1.36.3 24

B公司之間

[R1]ip vpn-instance B1
[R1-vpn-instance-B1]route-distinguisher 1:3 
[R1-vpn-instance-B1-af-ipv4]vpn-target 2:100 both 
 IVT Assignment result: 
Info: VPN-Target assignment is successful.
 EVT Assignment result: 
Info: VPN-Target assignment is successful.
[R1-vpn-instance-B1-af-ipv4]int g0/0/1
[R1-GigabitEthernet0/0/1]ip binding vpn-instance B1
Info: All IPv4 related configurations on this interface are removed!
Info: All IPv6 related configurations on this interface are removed!
[R1-GigabitEthernet0/0/1]ip add 10.1.15.1 24

[R3]ip vpn-instance B2
[R3-vpn-instance-B2]route-distinguisher 1:4
[R3-vpn-instance-B2-af-ipv4]vpn-target 2:100 both 
 IVT Assignment result: 
Info: VPN-Target assignment is successful.
 EVT Assignment result: 
Info: VPN-Target assignment is successful.
[R3-vpn-instance-B2-af-ipv4]int g0/0/2
[R3-GigabitEthernet0/0/2]ip binding vpn-instance B2
Info: All IPv4 related configurations on this interface are removed!
Info: All IPv6 related configurations on this interface are removed!
[R3-GigabitEthernet0/0/2]ip add 10.1.37.3 24

1、RD的作用的爲了防止在同一個PE不同實例中發送相同路由時難以區分是那個實例出來的路由

例如：在A1裏有192.168.1.0/24的路由，在B1裏也有192.168.1.0/24的路由 通過RD得以區分，同一個PE上RD值保持唯一，不能一樣

2、RT則是選擇興趣愛好，eRT表示發出去的路由，iRT表示自己接受的路由。故可以將不同的路由區分開 進入正確的實例中。

5、PE上起相對應實例的OSPF協議

[R1]ospf 2 router-id 1.1.1.1 vpn-instance A1
[R1-ospf-2]a 0
[R1-ospf-2-area-0.0.0.0]network 10.1.14.1 0.0.0.0

[R3]ospf 3 router-id 3.3.3.3 vpn-instance A2
[R3-ospf-3]a 0	
[R3-ospf-3-area-0.0.0.0]network 10.1.36.3 0.0.0.0


[R1]ospf 4 router-id 1.1.1.1 vpn-instance B1
[R1-ospf-4]a 0
[R1-ospf-4-area-0.0.0.0]network 10.1.15.1 0.0.0.0

[R3]ospf 5 router-id 3.3.3.3 vpn-instance B2
[R3-ospf-3]a 0	
[R3-ospf-3-area-0.0.0.0]network 10.1.37.3 0.0.0.0

R4/R5/R6/R7上正常起相對應進程的OSPF協議即可

測試：

在R1不能直接ping的原因是R1上有兩張路由表，故要指明那張路由表中的路由

6、路由引入

[R1]ospf 2 
[R1-ospf-2]import-route bgp 
[R1]bgp  1
[R1-bgp]ipv4-family vpn-instance A1
[R1-bgp-A1]import-route ospf  2

[R3]bgp 1
[R3-bgp]ipv4-family vpn-instance A2
[R3-bgp-A2]import-route ospf 3
[R3]ospf 3
[R3-ospf-3]import-route bgp 

測試：

此過程中流量有兩層標籤來進行轉發（外層1025，內層1028）

查看標籤轉發表

7、開啓Telnet功能

[R4]aaa
[R4-aaa]local-user ccna password cipher huawei@123
Info: Add a new user.
[R4-aaa]local-user ccna service-type telnet 
[R4]user-interface vty 0 4
[R4-ui-vty0-4]user privilege level 15	
[R4-ui-vty0-4]authentication-mode aaa

[R5]aaa
[R5-aaa]local-user ccnp password cipher cisco123
Info: Add a new user.
[R5-aaa]local-user ccnp service-type telnet
[R5]user-interface vty 0 4
[R5-ui-vty0-4]user privilege level 15

測試：

擴展：將R2變成RR

[R1]bgp 1
[R1-bgp]peer 2.2.2.2 as-number 1
[R1-bgp]peer 2.2.2.2 connect-interface loo0
[R1-bgp]ipv4-family vpnv4
[R1-bgp-af-vpnv4]peer 2.2.2.2 enable 

[R2]bgp 1
[R2-bgp]peer 1.1.1.1 as-number 1
[R2-bgp]peer 1.1.1.1 connect-interface loo0
[R2-bgp]peer 3.3.3.3 as-number 1
[R2-bgp]peer 3.3.3.3 connect-interface loo0
[R2-bgp]ipv4-family vpnv4
[R2-bgp-af-vpnv4]peer 1.1.1.1 enable 
[R2-bgp-af-vpnv4]peer 1.1.1.1 reflect-client 
[R2-bgp-af-vpnv4]peer 3.3.3.3 enable 
[R2-bgp-af-vpnv4]peer 3.3.3.3 reflect-client 

[R3]bgp 1
[R3-bgp]undo peer 1.1.1.1
[R3-bgp]peer 2.2.2.2 as-number 1
[R3-bgp]peer 2.2.2.2 connect-interface loo0
[R3-bgp]ipv4-family vpnv4
[R3-bgp-af-vpnv4]peer 2.2.2.2 enable 

查看BGP的VPNV4鄰居關係狀態

當出現RR時，存在一個問題，VPNV4路由傳到RR上後被過濾。

policy vpn-target 默認開啓基於RT屬性VPNV4路由的過濾

1、如果本路由器沒有VPN實例業務的接入，則丟棄所有的VPNV4路由
2、如果本路由器存在VPN實例業務的接入，則對eRT和本段所有VPN實例的iRT做匹配，如果eRT沒有和任何一個本段VPN實例的iRT匹配，則丟棄。

解決方案：undo policy vpn-target 關閉基於RT屬性VPNV4路由的過濾

[R2-bgp-af-vpnv4]undo policy vpn-target 

注：本次實驗只能讓公司之間互訪並不能訪問ISP，使用的是私網IP。
若想訪問ISP必須再拉線到運營商 並且使用公網IP