Juniper配置MPLS VPN

2514235 · 发表于 2014-12-21 20:46:28

1. Topology :

2. Configurations :

2.1 基于RSVP信令的MPLS VPN ：

[edit]
root# show
## Last changed: 2014-12-21 17:24:04 UTC
version 12.1R1.9;
system {
root-authentication {
      encrypted-password "$1$gDKWWpPP$rMM1GQd/..oyEkYJjtat51"; ## SECRET-DATA
}
}
logical-systems {
R1 {
      interfaces {
         em1 {
            unit 12 {
                  vlan-id 12;
                  family inet {
                     address 192.168.12.1/24;
                  }
                  family mpls;    //给接口封装MPLS；
            }
            unit 13 {
                  vlan-id 13;
                  family inet {
                     address 192.168.13.1/24;
                  }
                  family mpls;
            }
            unit 16 {
                  vlan-id 16;
                  family inet {
                     address 192.168.16.1/24;
                  }
            }
            unit 17 {
                  vlan-id 17;
                  family inet {
                     address 192.168.17.1/24;
                  }
            }
         }
         lo0 {
            unit 1 {
                  family inet {
                     address 1.1.1.1/32;
                  }
            }
         }
      }
      protocols {
         rsvp {                                  //定义RSVP接口；
            interface em1.12;
            interface em1.13;
         }
         mpls {
            label-switched-path r1-r2 {
                  to 2.2.2.2;
                  no-cspf;
            }
            label-switched-path r1-r3 {    //在PE之间建立LSP Path ；
                  to 3.3.3.3;
                  no-cspf;
            }
            interface em1.12;
            interface em1.13;
         }
         bgp {
            group ibgp {
                  type internal;
                  local-address 1.1.1.1;
                  neighbor 2.2.2.2 {                      //需要在PE路由器上开始BGP协议对VPN地址簇的支持；
                     family inet {
                        unicast;
                     }
                     family inet-vpn {
                        unicast;
                     }
                  }
                  neighbor 3.3.3.3 {
                     family inet {
                        unicast;
                     }
                     family inet-vpn {
                        unicast;
                     }
                  }
            }
         }
         ospf {
            traffic-engineering;          //在PE上开启OSPF对MPLS TE的支持；
            area 0.0.0.0 {
                  interface em1.12;
                  interface em1.13;
                  interface lo0.1 {
                     passive;
                  }
            }
         }
      }
      policy-options {
         policy-statement bgp-to-vpn-a {    //默认Junos不会将BGP路由重发布到IGA，所以PE需要定义策略将路由发布给CE；
            term 1 {
                  from {
                     protocol bgp;
                     community vpn-a;    //将来自BGP协议并且带vpn-a community值的路由重发布给CE ；
                  }
                  then accept;
            }
            term 2 {
                  then reject;
            }
         }
         policy-statement bgp-to-vpn-b {
            term 1 {
                  from {
                     protocol bgp;
                     community vpn-b;
                  }
                  then accept;
            }
            term 2 {
                  then reject;
            }
         }
         policy-statement vpn-a-export {    //定义VRF-Export策略；
            term 1 {
                  from protocol ospf;
                  then {
                     community add vpn-a; //将从OSPF收到的CE路由打上Community值并通告给其他PE；
                     accept;
                  }
            }
            term 2 {
                  then reject;
            }
         }
         policy-statement vpn-a-import { //定义VRF-Import策略；             term 1 {
                  from {
                     protocol bgp;
                     community vpn-a;          //将通过BGP收到的带有特定 community值得路由发布给相关的CE；
                  }
            }
            then accept;
         }
         policy-statement vpn-b-export {
            term 1 {
                  from protocol ospf;
                  then {
                     community add vpn-b;
                     accept;
                  }
            }
            term 2 {
                  then reject;
            }
         }
         policy-statement vpn-b-import {
            term 1 {
                  from {
                     protocol bgp;
                     community vpn-b;
                  }
                  then accept;
            }
         }
         community vpn-a members target:100:1; //community其实也就定义了RT值；
         community vpn-b members target:100:2;
      }
      routing-instances {    //在PE上配置CE VRF , 每个CE都属于一个单独的VRF ，通过routing-instance来隔离不同的VRF ；
         VPN-A {
            instance-type vrf;       //设置instance的类型为VRF ；
            interface em1.16;       //设置此VRF所包含的接口；
            route-distinguisher 100:1; //设置route-distinguisher ；             vrf-import vpn-a-import; // import策略是将从其他PE学到的路由导入到CE ；
            vrf-export vpn-a-export; // import策略是将从CE学到的路由通告给其他PE ；             vrf-table-label;    //在Olive模拟器中必须配置此命令，否则CE之间无法Ping通，在真实设备上则不用；
            protocols {          //配置与CE建立的OSPF ；
                  ospf {
                     export bgp-to-vpn-a;    //
                     area 0.0.0.0 {
                        interface em1.16;
                     }
                  }
            }
         }
         VPN-B {
            instance-type vrf;
            interface em1.17;
            route-distinguisher 100:2;
            vrf-import vpn-b-import;
            vrf-export vpn-b-export;
            vrf-table-label;
            protocols {
                  ospf {
                     export bgp-to-vpn-b;
                     area 0.0.0.0 {
                        interface em1.17;
                     }
                  }
            }
         }
      }
      routing-options {
         autonomous-system 100;
      }
}
R2 {
      interfaces {
         em2 {
            unit 12 {
                  vlan-id 12;
                  family inet {
                     address 192.168.12.2/24;
                  }
                  family mpls;
            }
            unit 23 {
                  vlan-id 23;
                  family inet {
                     address 192.168.23.2/24;
                  }
                  family mpls;
            }
            unit 24 {
                  vlan-id 24;
                  family inet {
                     address 192.168.24.2/24;
                  }
            }
         }
         lo0 {
            unit 2 {
                  family inet {
                     address 2.2.2.2/32;
                  }
            }
         }
      }
      protocols {
         rsvp {
            interface em2.12;
            interface em2.23;
         }
         mpls {
            label-switched-path r2-r1 {
                  to 1.1.1.1;
                  no-cspf;
            }
            label-switched-path r2-r3 {
                  to 3.3.3.3;
                  no-cspf;
            }
            interface em2.12;
            interface em2.23;
         }
         bgp {
            group ibgp {
                  type internal;
                  local-address 2.2.2.2;
                  neighbor 1.1.1.1 {
                     family inet {
                        unicast;
                     }
                     family inet-vpn {
                        unicast;
                     }
                  }
                  neighbor 3.3.3.3 {
                     family inet {
                        unicast;
                     }
                     family inet-vpn {
                        unicast;
                     }
                  }
            }
         }
         ospf {
            traffic-engineering;
            area 0.0.0.0 {
                  interface em2.12;
                  interface em2.23;
                  interface lo0.2 {
                     passive;
                  }
            }
         }
      }
      policy-options {
         policy-statement bgp-to-vpn-a {
            term 1 {
                  from {
                     protocol bgp;
                     community vpn-a;
                  }
                  then accept;
            }
            term 2 {
                  then reject;
            }
         }
         policy-statement vpn-a-export {
            term 1 {
                  from protocol ospf;
                  then {
                     community add vpn-a;
                     accept;
                  }
            }
            term 2 {
                  then reject;
            }
         }
         policy-statement vpn-a-import {
            term 1 {
                  from {
                     protocol bgp;
                     community vpn-a;
                  }
                  then accept;
            }
         }
         community vpn-a members target:100:1;
      }
      routing-instances {
         VPN-A {
            instance-type vrf;
            interface em2.24;
            route-distinguisher 100:1;
            vrf-import vpn-a-import;
            vrf-export vpn-a-export;
            vrf-table-label;
            protocols {
                  ospf {
                     export bgp-to-vpn-a;
                     area 0.0.0.0 {
                        interface em2.24;
                     }
                  }
            }
         }
      }
      routing-options {
         autonomous-system 100;
      }
}
R3 {
      interfaces {
         em1 {
            unit 23 {
                  vlan-id 23;
                  family inet {
                     address 192.168.23.3/24;
                  }
                  family mpls;
            }
         }
         em2 {
            unit 13 {
                  vlan-id 13;
                  family inet {
                     address 192.168.13.3/24;
                  }
                  family mpls;
            }
            unit 35 {
                  vlan-id 35;
                  family inet {
                     address 192.168.35.3/24;
                  }
            }
         }
         lo0 {
            unit 3 {
                  family inet {
                     address 3.3.3.3/32;
                  }
            }
         }
      }
      protocols {
         rsvp {
            interface em2.13;
            interface em1.23;
         }
         mpls {
            label-switched-path r3-r1 {
                  to 1.1.1.1;
                  no-cspf;
            }
            label-switched-path r3-r2 {
                  to 2.2.2.2;
                  no-cspf;
            }
            interface em1.23;
            interface em2.13;
         }
         bgp {
            group ibgp {
                  type internal;
                  local-address 3.3.3.3;
                  neighbor 1.1.1.1 {
                     family inet {
                        unicast;
                     }
                     family inet-vpn {
                        unicast;
                     }
                  }
                  neighbor 2.2.2.2 {
                     family inet {
                        unicast;
                     }
                     family inet-vpn {
                        unicast;
                     }
                  }
            }
         }
         ospf {
            traffic-engineering;
            area 0.0.0.0 {
                  interface em2.13;
                  interface em1.23;
                  interface lo0.3 {
                     passive;
                  }
            }
         }
      }
      policy-options {
         policy-statement bgp-to-vpn-b {
            term 1 {
                  from {
                     protocol bgp;
                     community vpn-b;
                  }
                  then accept;
            }
            term 2 {
                  then reject;
            }
         }
         policy-statement vpn-b-export {
            term 1 {
                  from protocol ospf;
                  then {
                     community add vpn-b;
                     accept;
                  }
            }
            term 2 {
                  then reject;
            }
         }
         policy-statement vpn-b-import {
            term 1 {
                  from {
                     protocol bgp;
                     community vpn-b;
                  }
                  then accept;
            }
         }
         community vpn-b members target:100:2;
      }
      routing-instances {
         VPN-B {
            instance-type vrf;
            interface em2.35;
            route-distinguisher 100:2;
            vrf-import vpn-b-import;
            vrf-export vpn-b-export;
            vrf-table-label;
            protocols {
                  ospf {
                     export bgp-to-vpn-b;
                     area 0.0.0.0 {
                        interface em2.35;
                     }
                  }
            }
         }
      }
      routing-options {
         autonomous-system 100;
      }
}
R4 {
      interfaces {
         em1 {
            unit 24 {
                  vlan-id 24;
                  family inet {
                     address 192.168.24.4/24;
                  }
            }
         }
         lo0 {
            unit 4 {
                  family inet {
                     address 4.4.4.4/32;
                  }
            }
         }
      }
      protocols {
         ospf {
            area 0.0.0.0 {
                  interface all;
            }
         }
      }
}
R5 {
      interfaces {
         em1 {
            unit 35 {
                  vlan-id 35;
                  family inet {
                     address 192.168.35.5/24;
                  }
            }
         }
         lo0 {
            unit 5 {
                  family inet {
                     address 5.5.5.5/32;
                  }
            }
         }
      }
      protocols {
         ospf {
            area 0.0.0.0 {
                  interface all;
            }
         }
      }
}
R6 {
      interfaces {
         em2 {
            unit 16 {
                  vlan-id 16;
                  family inet {
                     address 192.168.16.6/24;
                  }
            }
         }
         lo0 {
            unit 6 {
                  family inet {
                     address 6.6.6.6/32;
                  }
            }
         }
      }
      protocols {
         ospf {
            area 0.0.0.0 {
                  interface all;
            }
         }
      }
}
R7 {
      interfaces {
         em2 {
            unit 17 {
                  vlan-id 17;
                  family inet {
                     address 192.168.17.7/24;
                  }
            }
         }
         lo0 {
            unit 7 {
                  family inet {
                     address 7.7.7.7/32;
                  }
            }
         }
      }
      protocols {
         ospf {
            area 0.0.0.0 {
                  interface all;
            }
         }
      }
}
}
interfaces {
em1 {
      vlan-tagging;
}
em2 {
      vlan-tagging;
}
em3 {
      vlan-tagging;
}
}

[edit]
root#

2.2 基于LDP 信令的MPLS VPN ：

[edit]
root# show
## Last changed: 2014-12-21 20:15:59 UTC
version 12.1R1.9;
system {
root-authentication {
      encrypted-password "$1$3TIjammQ$.HMvE6GglT3IubGDMWjA5."; ## SECRET-DATA
}
}
logical-systems {
R1 {
      interfaces {
         em1 {
            unit 12 {
                  vlan-id 12;
                  family inet {
                     address 192.168.12.1/24;
                  }
                  family mpls;
            }
            unit 13 {
                  vlan-id 13;
                  family inet {
                     address 192.168.13.1/24;
                  }
                  family mpls;
            }
            unit 16 {
                  vlan-id 16;
                  family inet {
                     address 192.168.16.1/24;
                  }
            }
            unit 17 {
                  vlan-id 17;
                  family inet {
                     address 192.168.17.1/24;
                  }
            }
         }
         lo0 {
            unit 1 {
                  family inet {
                     address 1.1.1.1/32;
                  }
            }
         }
      }
      protocols {
         mpls {
            interface em1.12;
            interface em1.13;
         }
         bgp {
            group ibgp {
                  type internal;
                  local-address 1.1.1.1;
                  neighbor 2.2.2.2;
                  neighbor 3.3.3.3;
            }
         }
         ospf {
            area 0.0.0.0 {
                  interface em1.12;
                  interface em1.13;
                  interface lo0.1 {
                     passive;
                  }
            }
         }
         ldp {
            interface em1.12;
            interface em1.13;
         }
      }
      policy-options {
         policy-statement bgp-to-vpn-a {
            term 1 {
                  from {
                     protocol bgp;
                     community vpn-a;
                  }
                  then accept;
            }
            term 2 {
                  then reject;
            }
         }
         policy-statement bgp-to-vpn-b {
            term 1 {
                  from {
                     protocol bgp;
                     community vpn-b;
                  }
                  then accept;
            }
            term 2 {
                  then reject;
            }
         }
         policy-statement vpn-a-export {
            term 1 {
                  from protocol ospf;
                  then {
                     community add vpn-a;
                     accept;
                  }
            }
            term 2 {
                  then reject;
            }
         }
         policy-statement vpn-a-import {
            term 1 {
                  from {
                     protocol bgp;
                     community vpn-a;
                  }
                  then accept;
            }
         }
         policy-statement vpn-b-export {
            term 1 {
                  from protocol ospf;
                  then {
                     community add vpn-b;
                     accept;
                  }
            }
            term 2 {
                  then reject;
            }
         }
         policy-statement vpn-b-import {
            term 1 {
                  from {
                     protocol bgp;
                     community vpn-b;
                  }
                  then accept;
            }
         }
         community vpn-a members target:100:1;
         community vpn-b members target:100:2;
      }
      routing-instances {
         VPN-A {
            instance-type vrf;
            interface em1.16;
            route-distinguisher 100:1;
            vrf-import vpn-a-import;
            vrf-export vpn-a-export;
            vrf-table-label;
            protocols {
                  ospf {
                     export bgp-to-vpn-a;
                     area 0.0.0.0 {
                        interface em1.16;
                     }
                  }
            }
         }
         VPN-B {
            instance-type vrf;
            interface em1.17;
            route-distinguisher 100:2;
            vrf-import vpn-b-import;
            vrf-export vpn-b-export;
            vrf-table-label;
            protocols {
                  ospf {
                     export bgp-to-vpn-b;
                     area 0.0.0.0 {
                        interface em1.17;
                     }
                  }
            }
         }
      }
      routing-options {
         autonomous-system 100;
      }
} R2 {
      interfaces {
         em2 {
            unit 12 {
                  vlan-id 12;
                  family inet {
                     address 192.168.12.2/24;
                  }
                  family mpls;
            }
            unit 23 {
                  vlan-id 23;
                  family inet {
                     address 192.168.23.2/24;
                  }
                  family mpls;
            }
            unit 24 {
                  vlan-id 24;
                  family inet {
                     address 192.168.24.2/24;
                  }
            }
         }
         lo0 {
            unit 2 {
                  family inet {
                     address 2.2.2.2/32;
                  }
            }
         }
      }
      protocols {
         mpls {
            interface em2.12;
            interface em2.23;
         }
         bgp {
            group ibgp {
                  type internal;
                  local-address 2.2.2.2;
                  neighbor 1.1.1.1;
                  neighbor 3.3.3.3;
            }
         }
         ospf {
            area 0.0.0.0 {
                  interface em2.12;
                  interface em2.23;
                  interface lo0.2 {
                     passive;
                  }
            }
         }
         ldp {
            interface em2.12;
            interface em2.23;
         }
      }
      policy-options {
         policy-statement bgp-to-vpn-a {
            term 1 {
                  from {
                     protocol bgp;
                     community vpn-a;
                  }
                  then accept;
            }
            term 2 {
                  then reject;
            }
         }
         policy-statement vpn-a-export {
            term 1 {
                  from protocol ospf;
                  then {
                     community add vpn-a;
                     accept;
                  }
            }
            term 2 {
                  then reject;
            }
         }
         policy-statement vpn-a-import {
            term 1 {
                  from {
                     protocol bgp;
                     community vpn-a;
                  }
                  then accept;
            }
         }
         community vpn-a members target:100:1;
      }
      routing-instances {
         VPN-A {
            instance-type vrf;
            interface em2.24;
            route-distinguisher 100:1;
            vrf-import vpn-a-import;
            vrf-export vpn-a-export;
            vrf-table-label;
            protocols {
                  ospf {
                     export bgp-to-vpn-a;
                     area 0.0.0.0 {
                        interface em2.24;
                     }
                  }
            }
         }
      }
      routing-options {
         autonomous-system 100;
      }
}
R3 {
      interfaces {
         em1 {
            unit 23 {
                  vlan-id 23;
                  family inet {
                     address 192.168.23.3/24;
                  }
                  family mpls;
            }
         }
         em2 {
            unit 13 {
                  vlan-id 13;
                  family inet {
                     address 192.168.13.3/24;
                  }
                  family mpls;
            }
            unit 35 {
                  vlan-id 35;
                  family inet {
                     address 192.168.35.3/24;
                  }
            }
         }
         lo0 {
            unit 3 {
                  family inet {
                     address 3.3.3.3/32;
                  }
            }
         }
      }
      protocols {
         mpls {
            interface em2.13;
            interface em1.23;
         }
         bgp {
            group ibgp {
                  type internal;
                  local-address 3.3.3.3;
                  neighbor 1.1.1.1;
                  neighbor 2.2.2.2;
            }
         }
         ospf {
            area 0.0.0.0 {
                  interface em2.13;
                  interface em1.23;
                  interface lo0.3 {
                     passive;
                  }
            }
         }
         ldp {
            interface em1.23;
            interface em2.13;
         }
      }
      policy-options {
         policy-statement bgp-to-vpn-b {
            term 1 {
                  from {
                     protocol bgp;
                     community vpn-b;
                  }
                  then accept;
            }
            term 2 {
                  then reject;
            }
         }
         policy-statement vpn-b-export {
            term 1 {
                  from protocol ospf;
                  then {
                     community add vpn-b;
                     accept;
                  }
            }
            term 2 {
                  then reject;
            }
         }
         policy-statement vpn-b-import {
            term 1 {
                  from {
                     protocol bgp;
                     community vpn-b;
                  }
                  then accept;
            }
         }
         community vpn-b members target:100:2;
      }
      routing-instances {
         VPN-B {
            instance-type vrf;
            interface em2.35;
            route-distinguisher 100:2;
            vrf-import vpn-b-import;
            vrf-export vpn-b-export;
            vrf-table-label;
            protocols {
                  ospf {
                     export bgp-to-vpn-b;
                     area 0.0.0.0 {
                        interface em2.35;
                     }
                  }
            }
         }
      }
      routing-options {
         autonomous-system 100;
      }
}
R4 {
      interfaces {
         em1 {
            unit 24 {
                  vlan-id 24;
                  family inet {
                     address 192.168.24.4/24;
                  }
            }
         }
         lo0 {
            unit 4 {
                  family inet {
                     address 4.4.4.4/32;
                  }
            }
         }
      }
      protocols {
         ospf {
            area 0.0.0.0 {
                  interface all;
            }
         }
      }
}
R5 {
      interfaces {
         em1 {
            unit 35 {
                  vlan-id 35;
                  family inet {
                     address 192.168.35.5/24;
                  }
            }
         }
         lo0 {
            unit 5 {
                  family inet {
                     address 5.5.5.5/32;
                  }
            }
         }
      }
      protocols {
         ospf {
            area 0.0.0.0 {
                  interface all;
            }
         }
      }
}
R6 {
      interfaces {
         em2 {
            unit 16 {
                  vlan-id 16;
                  family inet {
                     address 192.168.16.6/24;
                  }
            }
         }
         lo0 {
            unit 6 {
                  family inet {
                     address 6.6.6.6/32;
                  }
            }
         }
      }
      protocols {
         ospf {
            area 0.0.0.0 {
                  interface all;
            }
         }
      }
}
R7 {
      interfaces {
         em2 {
            unit 17 {
                  vlan-id 17;
                  family inet {
                     address 192.168.17.7/24;
                  }
            }
         }
         lo0 {
            unit 7 {
                  family inet {
                     address 7.7.7.7/32;
                  }
            }
         }
      }
      protocols {
         ospf {
            area 0.0.0.0 {
                  interface all;
            }
         }
      }
}
}
interfaces {
em1 {
      vlan-tagging;
}
em2 {
      vlan-tagging;
}
em3 {
      vlan-tagging;
}
}

3. Show

3.1 查看PE和CE之间的OSPF邻居关系状态：

3.2 查看PE从CE学到了哪些路由：

3.3 查看CE从PE学到了哪些路由：

3.4 查看从其他的PE学到了哪些路由：

duilie1111 · 发表于 2014-12-21 21:17:37

好贴好贴

账号		自动登录	找回密码
密码			论坛注册

Juniper配置MPLS VPN

客服中心

投诉建议