 成长值: 63400
|
一个大型企业或运营商网络遍布几个地域,不同地域间的不同部门不能进行互访,相同部门可以通过骨干网络进行互访。可依此建立BGP/MPLS IP VPN网络。
组网需求
如图1所示,某企业网络遍布省、地市和县三个地域,组网如下:
省、地市、县级的路由设备(使用USG)划分在骨干网上,彼此路由可达。
骨干网设备中,包含核心设备P和边界设备PE。企业包含两个一级部门,即部门1和部门2。骨干网的每台PE都连接着两个边缘设备(即CE),这两个CE划分到不同的部门。如,PE1设备连接着CE1和CE2,其中CE1属于部门1,CE2属于部门2。
使用USG作为其PE设备和CE设备。
该公司网络需实现以下需求:
省、地市、县级的骨干网设备之间可以相互通信。
相同部门间可以通过骨干网进行通信,不同部门之间不能通信。
图1 BGP/MPLS IP VPN组网图
网络规划
根据企业网络情况和需求,网络规划如下:
省、地市、县级的骨干网设备需要进行通信,可将在PE之间运行OSPF协议,并配置MP-IBGP对等体关系。
省、地市、县级PE连接的CE划分在不同的VPN中,并在PE与CE之间建立EBGP对等体关系,引入VPN路由。这样,划分在同一个VPN中的CE可以通过各自连接的PE进行通信,不同VPN中的CE不能通信。
由于PE1~PE6的配置基本相同,以PE1、PE2、PE3为例进行配置。
操作步骤
1 配置相关接口加入安全域,并配置域间包过滤规则。具体配置过程略。
2 在MPLS骨干网上配置IGP协议,实现骨干网PE和P的互通。这里使用OSPF协议。
# 配置PE1。
<USG> system-view
[USG] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] interface GigabitEthernet 0/0/1
[PE1-GigabitEthernet0/0/1] ip address 172.1.1.1 24
[PE1-GigabitEthernet0/0/1] quit
[PE1] ospf 1 router-id 1.1.1.9
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# 配置PE2。
<USG> system-view
[USG] sysname PE2
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 2.2.2.9 32
[PE2-LoopBack1] quit
[PE2] interface GigabitEthernet 0/0/1
[PE2-GigabitEthernet0/0/1] ip address 172.1.1.2 24
[PE2-GigabitEthernet0/0/1] quit
[PE2] interface GigabitEthernet 0/0/3
[PE2-GigabitEthernet0/0/3] ip address 172.2.1.1 24
[PE2-GigabitEthernet0/0/3] quit
[PE2] ospf 1 router-id 2.2.2.9
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
# 配置PE3。
<USG> system-view
[USG] sysname PE3
[PE3] interface loopback 1
[PE3-LoopBack1] ip address 3.3.3.9 32
[PE3-LoopBack1] quit
[PE3] interface GigabitEthernet0/0/1
[PE3-GigabitEthernet0/0/1] ip address 172.2.1.2 24
[PE3-GigabitEthernet0/0/1] quit
[PE3] ospf 1 router-id 3.3.3.9
[PE3-ospf-1] area 0
[PE3-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255
[PE3-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0
[PE3-ospf-1-area-0.0.0.0] quit
[PE3-ospf-1] quit
配置完成后,PE1、PE2、PE3之间应能建立OSPF邻居关系,执行display ospf peer命令可以看到邻居状态为Full。执行display ip routing-table命令可以看到PE之间学习到对方的Loopback1路由。
以PE1的显示为例:
[PE1] display ospf peer
OSPF Process 1 with Router ID 1.1.1.9
Neighbors
Area 0.0.0.0 interface 172.1.1.1(GigabitEthernet0/0/1)'s neighbors
Router ID: 2.2.2.9 Address: 172.1.1.2 GR State: Normal
State: Full Mode:Nbr is Master Priority: 1
DR: 172.1.1.1 BDR: 172.1.1.2 MTU: 1500
Dead timer due in 38 sec
Neighbor is up for 00:02:44
Authentication Sequence: [ 0 ]
[PE1] display ip routing-table
Route Flags: R - relied, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 9 Routes : 9
Destination/Mask Proto Pre Cost Flags NextHop Interface
1.1.1.9/32 Direct 0 0 D 127.0.0.1 InLoopBack0
2.2.2.9/32 OSPF 10 2 D 172.1.1.2 GigabitEthernet0/0/1
3.3.3.9/32 OSPF 10 3 D 172.1.1.2 GigabitEthernet0/0/1
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
172.1.1.0/24 Direct 0 0 D 172.1.1.1 GigabitEthernet0/0/1
172.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
172.1.1.2/32 Direct 0 0 D 172.1.1.2 GigabitEthernet0/0/1
172.2.1.0/24 OSPF 10 2 D 172.1.1.2 GigabitEthernet0/0/1
3 在MPLS骨干网上配置MPLS基本功能和MPLS LDP,建立LDP LSP。
# 配置PE1。
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] lsp-trigger all
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface GigabitEthernet 0/0/1
[PE1-GigabitEthernet0/0/1] mpls
[PE1-GigabitEthernet0/0/1] mpls ldp
[PE1-GigabitEthernet0/0/1] quit
# 配置PE2。
[PE2] mpls lsr-id 2.2.2.9
[PE2] mpls
[PE2-mpls] lsp-trigger all
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface GigabitEthernet 0/0/1
[PE2-GigabitEthernet0/0/1] mpls
[PE2-GigabitEthernet0/0/1] mpls ldp
[PE2-GigabitEthernet0/0/1] quit
[PE2] interface GigabitEthernet 0/0/3
[PE2-GigabitEthernet0/0/3] mpls
[PE2-GigabitEthernet0/0/3] mpls ldp
[PE2-GigabitEthernet0/0/3] quit
# 配置PE3。
[PE3] mpls lsr-id 3.3.3.9
[PE3] mpls
[PE3-mpls] lsp-trigger all
[PE3-mpls] quit
[PE3] mpls ldp
[PE3-mpls-ldp] quit
[PE3] interface GigabitEthernet 0/0/1
[PE3-GigabitEthernet0/0/1] mpls
[PE3-GigabitEthernet0/0/1] mpls ldp
[PE3-GigabitEthernet0/0/1] quit
上述配置完成后,PE1与PE2、PE2与PE3之间应能建立LDP会话,执行display mpls ldp session命令可以看到显示结果中Status项为“Operational”,即会话已经建立。执行display mpls ldp lsp命令,可以看到LDP LSP的建立情况。
以PE1的显示为例:
[PE1] display mpls ldp session
LDP Session(s) in Public Network
-------------------------------------------------------------------------
Peer-ID Status LAM SsnRole SsnAge KA-Sent/Rcv
-------------------------------------------------------------------------
2.2.2.9:0 Operational DU Passive 000:00:01 5/5
-------------------------------------------------------------------------
TOTAL: 1 session(s) Found.
LAM : Label Advertisement Mode SsnAge Unit : DDD:HH:MM
[PE1] display mpls ldp lsp
LDP LSP Information
------------------------------------------------------------------
SN DestAddress/Mask In/OutLabel Next-Hop In/Out-Interface
------------------------------------------------------------------
1 1.1.1.9/32 3/NULL 127.0.0.1 GE0/0/1/InLoop0
2 2.2.2.9/32 NULL/3 172.1.1.2 -------/GE0/0/1
3 3.3.3.9/32 NULL/1024 172.1.1.2 -------/GE0/0/1
------------------------------------------------------------------
TOTAL: 3 Normal LSP(s) Found.
TOTAL: 0 Liberal LSP(s) Found.
A '*' before an LSP means the LSP is not established
A '*' before a Label means the USCB or DSCB is stale
4 在PE设备上配置VPN实例,将CE接入PE。
# 配置PE1。
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] route-distinguisher 100:1
[PE1-vpn-instance-vpna] vpn-target 111:1 both
[PE1-vpn-instance-vpna] quit
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] route-distinguisher 100:2
[PE1-vpn-instance-vpnb] vpn-target 222:2 both
[PE1-vpn-instance-vpnb] quit
[PE1] interface GigabitEthernet 0/0/2
[PE1-GigabitEthernet0/0/2] ip binding vpn-instance vpna
[PE1-GigabitEthernet0/0/2] ip address 10.1.1.2 24
[PE1-GigabitEthernet0/0/2] quit
[PE1] interface GigabitEthernet 2/0/0
[PE1-GigabitEthernet2/0/0] ip binding vpn-instance vpnb
[PE1-GigabitEthernet2/0/0] ip address 10.2.1.2 24
[PE1-GigabitEthernet2/0/0] quit
# 配置PE2。
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] route-distinguisher 200:1
[PE2-vpn-instance-vpna] vpn-target 111:1 both
[PE2-vpn-instance-vpna] quit
[PE2] ip vpn-instance vpnb
[PE2-vpn-instance-vpnb] route-distinguisher 200:2
[PE2-vpn-instance-vpnb] vpn-target 222:2 both
[PE2-vpn-instance-vpnb] quit
[PE2] interface GigabitEthernet 0/0/2
[PE2-GigabitEthernet0/0/2] ip binding vpn-instance vpna
[PE2-GigabitEthernet0/0/2] ip address 10.3.1.2 24
[PE2-GigabitEthernet0/0/2] quit
[PE2] interface GigabitEthernet 2/0/0
[PE2-GigabitEthernet2/0/0] ip binding vpn-instance vpnb
[PE2-GigabitEthernet2/0/0] ip address 10.4.1.2 24
[PE2-GigabitEthernet2/0/0] quit
# 配置PE3。
[PE3] ip vpn-instance vpna
[PE3-vpn-instance-vpna] route-distinguisher 300:1
[PE3-vpn-instance-vpna] vpn-target 111:1 both
[PE3-vpn-instance-vpna] quit
[PE3] ip vpn-instance vpnb
[PE3-vpn-instance-vpnb] route-distinguisher 300:2
[PE3-vpn-instance-vpnb] vpn-target 222:2 both
[PE3-vpn-instance-vpnb] quit
[PE3] interface GigabitEthernet 0/0/2
[PE3-GigabitEthernet0/0/2] ip binding vpn-instance vpna
[PE3-GigabitEthernet0/0/2] ip address 10.5.1.2 24
[PE3-GigabitEthernet0/0/2] quit
[PE3] interface GigabitEthernet 2/0/0
[PE3-GigabitEthernet2/0/0] ip binding vpn-instance vpnb
[PE3-GigabitEthernet2/0/0] ip address 10.6.1.2 24
[PE3-GigabitEthernet2/0/0] quit
# 按图1配置各CE的接口IP地址,配置过程略。
配置完成后,在PE设备上执行display ip vpn-instance verbose命令可以看到VPN实例的配置情况。各PE能ping通自己接入的CE。
说明:
当PE上有多个绑定了同一个VPN的接口,则使用ping -vpn-instance命令ping对端PE接入的CE时,要指定源IP地址,即要指定ping -vpn-instance vpn-instance-name -a source-ip-address dest-ip-address命令中的参数-a source-ip-address,否则可能ping不通。
以PE1和CE1为例:
[PE1] display ip vpn-instance verbose
Total VPN-Instances configured : 2
VPN-Instance Name and ID : vpna, 1
Create date : 2010/03/21 11:30:35
Up time : 0 days, 00 hours, 05 minutes and 19 seconds
Route Distinguisher : 100:1
Export VPN Targets : 111:1
Import VPN Targets : 111:1
Label policy: label per route
Interfaces : GigabitEthernet0/0/2
VPN-Instance Name and ID : vpnb, 2
Create date : 2010/03/21 11:31:18
Up time : 0 days, 00 hours, 04 minutes and 36 seconds
Route Distinguisher : 100:2
Export VPN Targets : 222:2
Import VPN Targets : 222:2
Interfaces : GigabitEthernet2/0/0
[PE1] ping -vpn-instance vpna 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=56 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=4 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=4 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=52 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=3 ms
--- 10.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/23/56 ms
5 在PE与CE之间建立EBGP对等体关系,引入VPN路由。以PE1和CE1为例。PE2、CE2以及PE3、CE3的配置与此相同,不再重复。
# 配置CE1。
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit
# 配置PE1。
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] ipv4-family vpn-instance vpnb
[PE1-bgp-vpnb] peer 10.2.1.1 as-number 65420
[PE1-bgp-vpnb] import-route direct
[PE1-bgp-vpnb] quit
配置完成后,在PE设备上执行display bgp vpnv4 vpn-instance peer命令,可以看到PE与CE之间的BGP对等体关系已建立,并达到Established状态,即BGP对等体间可以交换报文信息。
以PE1与CE1的对等体关系为例:
[PE1] display bgp vpnv4 vpn-instance vpna peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.1.1.1 4 65410 11 9 0 00:06:37 Established 1
6 在PE之间建立MP-IBGP对等体关系。
# 配置PE1。
[PE1] bgp 100
[PE1-bgp] peer 2.2.2.9 as-number 100
[PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] peer 3.3.3.9 as-number 100
[PE1-bgp] peer 3.3.3.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 3.3.3.9 enable
[PE1-bgp] quit
# 配置PE2。
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] peer 3.3.3.9 as-number 100
[PE2-bgp] peer 3.3.3.9 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 3.3.3.9 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit
# 配置PE3。
[PE3] bgp 100
[PE3-bgp] peer 1.1.1.9 as-number 100
[PE3-bgp] peer 1.1.1.9 connect-interface loopback 1
[PE3-bgp] ipv4-family vpnv4
[PE3-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE3-bgp] peer 2.2.2.9 as-number 100
[PE3-bgp] peer 2.2.2.9 connect-interface loopback 1
[PE3-bgp] ipv4-family vpnv4
[PE3-bgp-af-vpnv4] peer 2.2.2.9 enable
[PE3-bgp-af-vpnv4] quit
[PE3-bgp] quit
配置完成后,在PE设备上执行display bgp peer或display bgp vpnv4 all peer命令,可以看到PE之间的BGP对等体关系已建立,并达到Established状态,即BGP对等体间可以交换报文信息。
[PE1] display bgp peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
3.3.3.9 4 100 2 6 0 00:00:12 Established 0
2.2.2.9 4 100 14 29 0 00:00:32 Established 0
[PE1] display bgp vpnv4 all peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 3 Peers in established state : 3
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
3.3.3.9 4 100 12 18 0 00:09:38 Established 0
Peer of vpn instance:
vpn instance vpna :
10.1.1.1 4 65410 25 25 0 00:17:57 Established 1
vpn instance vpnb :
10.2.1.1 4 65420 21 22 0 00:17:10 Established 1
7 检查配置结果。
在PE设备上执行display ip routing-table vpn-instance命令,可以看到去往对端CE的路由。
以PE1的显示为例:
[PE1] display ip routing-table vpn-instance vpna
Route Flags: R - relied, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpna
Destinations : 3 Routes : 3
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/24 Direct 0 0 D 10.1.1.2 GigabitEthernet0/0/2
10.1.1.2/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.3.1.0/24 BGP 255 0 RD 3.3.3.9 GigabitEthernet0/0/1
[PE1] display ip routing-table vpn-instance vpnb
Route Flags: R - relied, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpnb
Destinations : 3 Routes : 3
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.2.1.0/24 Direct 0 0 D 10.2.1.2 GigabitEthernet2/0/0
10.2.1.2/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.4.1.0/24 BGP 255 0 RD 3.3.3.9 GigabitEthernet0/0/1
同一VPN的CE能够相互Ping通,不同VPN的CE不能相互Ping通。
例如:CE1能够Ping通CE3(10.3.1.1),但不能Ping通CE4(10.4.1.1)。
[CE1] ping 10.3.1.1
PING 10.3.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.3.1.1: bytes=56 Sequence=1 ttl=253 time=72 ms
Reply from 10.3.1.1: bytes=56 Sequence=2 ttl=253 time=34 ms
Reply from 10.3.1.1: bytes=56 Sequence=3 ttl=253 time=50 ms
Reply from 10.3.1.1: bytes=56 Sequence=4 ttl=253 time=50 ms
Reply from 10.3.1.1: bytes=56 Sequence=5 ttl=253 time=34 ms
--- 10.3.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 34/48/72 ms
[CE1] ping 10.4.1.1
PING 10.4.1.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.4.1.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
|
|
简体中文
英语
日语
韩语
法语
西班牙语
越南语
泰语
阿拉伯语
俄语
葡萄牙语
德语
意大利语
希腊语
荷兰语
波兰语
保加利亚语
爱沙尼亚语
丹麦语
芬兰语
捷克语
罗马尼亚语
斯洛文尼亚语
瑞典语
匈牙利语
繁体中文
文言文
发表于 2019-9-19 09:46:09
置顶卡
喧嚣卡
变色卡
千斤顶