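A Simple Huawei MPLS-VPN Configuration Example
session 1 mpls-vpn Huawei
The configuration steps are as follows:
1. Configure a routing protocol in the customer CE network and advertise the internal networks.
2. Configure an IGP between the ISP's PE and P routers to ensure route reachability.
3. On the ISP's PEs, configure one VRF (virtual router) per customer; Huawei calls this a vpn instance.
4. Establish MP-BGP VPNv4 sessions between the PEs that the customer's sites attach to; these carry the VRF routes and the RT attributes.
5. Once the PEs have MP-BGP VPN sessions, redistribute the routes in the customer's VRF on each PE into MP-BGP so that they are carried to the remote PE.
6. Once the MP-BGP routes between the PEs contain the customer's VRF routes, the VRFs on the PEs can communicate, but the customer's CE routers do not know the VRF routes. The MP-BGP routes therefore have to be redistributed on the PE into the protocol the customer uses (configured on the PE), so that the customer's CE can learn the VPN route entries from the PE. This is what lets the two sites communicate.
Configuration example and topology: this topology has a single customer with two sites, and the customer's sites must communicate with each other over MPLS VPN.
Step 1: Configure routing on the customer CE devices; in this example I use static routes
CE1 at site1 on the left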
interface GigabitEthernet0/0/0
ip address 12.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 192.168.1.10 255.255.255.0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
ip route-static 0.0.0.0 0.0.0.0 12.1.1.2
#
CE2 at site2 on the right
interface GigabitEthernet0/0/0
ip address 45.1.1.5 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 192.168.2.30 255.255.255.0
#
interface LoopBack0
ip address 5.5.5.5 255.255.255.255
#
ip route-static 0.0.0.0 0.0.0.0 45.1.1.4
#
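The CE side has nothing special: only the customer's own routes and a default route toward the ISP.
Step 2: Inside the ISP, connect PE1-P-PE2 with an IGP and configure MPLS between them
PE1 (left) configuration
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/0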
ip address 23.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
ip address 12.1.1.2 255.255.255.0
#
ospf 1 router-id 2.2.2.2
area 0.0.0.0
network 23.1.1.2 0.0.0.0
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
ospf enable 1 area 0.0.0.0
#
P router (middle) configuration
mpls lsr-id 3.3.3.3
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/0
ip address 23.1.1.3 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
ip address 34.1.1.3 255.255.255.0
mpls
mpls ldp
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
ospf enable 1 area 0.0.0.0
#
ospf 1 router-id 3.3.3.3
area 0.0.0.0
network 23.1.1.3 0.0.0.0
network 34.1.1.3 0.0.0.0
#
PE2 (right) configuration
mpls lsr-id 4.4.4.4
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/0
ip address 34.1.1.4 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
ip address 45.1.1.4 255.255.255.0
#
ospf 1 router-id 4.4.4.4
area 0.0.0.0
network 34.1.1.4 0.0.0.0
#
interface LoopBack0
ip address 4.4.4.4 255.255.255.255
ospf enable 1 area 0.0.0.0
#
Step 3: On each PE, configure a VRF (virtual routing table) per customer, which Huawei calls a vpn-instance, and define its RD and RT
PE1 (left)
ip vpn-instance 1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 1:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
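#
PE1 interface facing CE1, bound to vpn1 (binding clears the interface's IP address, so it is entered again)
interface GigabitEthernet0/0/1
ip binding vpn-instance vpn1
ip address 12.1.1.2 255.255.255.0
#
PE2 (right)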
ip vpn-instance vpn1
ipv4-family
route-distinguisher 1:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
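#
PE2 interface facing CE2, bound to vpn1 (binding clears the interface's IP address, so it is entered again)
interface GigabitEthernet0/0/1
ip binding vpn-instance vpn1
ip address 45.1.1.4 255.255.255.0
#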
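Step 4: Establish the VPNv4 session between the PEs, which they use to pass each other the customer routes held in their local vpn-instance
PE1 (left) configuration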
bgp 1
router-id 2.2.2.2
peer 4.4.4.4 as-number 1
peer 4.4.4.4 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
undo peer 4.4.4.4 enable
#
ipv4-family vpnv4
policy vpn-target
peer 4.4.4.4 enable
#
ipv4-family vpn-instance vpn1
import-route static
#
PE2 (right) configuration
bgp 1
router-id 4.4.4.4
peer 2.2.2.2 as-number 1
peer 2.2.2.2 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
undo peer 2.2.2.2 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.2 enable
#
ipv4-family vpn-instance vpn1
import-route static
#
Use <PE1>display bgp vpnv4 all peer to check whether the VPNv4 session came up:
BGP local router ID : 2.2.2.2
Local AS number : 1
Total number of peers : 1                 Peers in established state : 1
Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State  PrefRcv
4.4.4.4         4     1      212      215     0 03:29:28 Established        1
<PE1>
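Step 5: After the MPLS VPNv4 session is established, the customer network's routes have to be carried over MP-BGP to the remote PE to form the VPN routes. At this point the PE's VPN routing table does not yet contain the customer's route entries; you can view the entries in VPN instance vpn1 with <PE1>display ip routing-table vpn-instance vpn1. Because PE1's VPN instance has no route to CE1's network, nothing can be passed to PE2 over the VPN, so CE1 and CE2 cannot communicate. A route to 192.168.1.0/24 therefore has to be added to PE1's VRF table. This can be a static route or a dynamic route (with dynamic routing, the PE and the CE must both be configured with the same IGP); this example adds a static route:
On PE1, add the route to the VRF table:
ip route-static vpn-instance vpn1 192.168.1.0 255.255.255.0 12.1.1.1
View the public routing table and the VRF (vpn-instance) routing table on PE1:
Public routing table:
<PE1>display ip routing-table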
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 11 Routes : 11
Destination/Mask    Proto   Pre  Cost  Flags NextHop         Interface
2.2.2.2/32          Direct  0    0     D     127.0.0.1       LoopBack0
3.3.3.3/32          OSPF    10   1     D     23.1.1.3        GigabitEthernet0/0/0
4.4.4.4/32          OSPF    10   2     D     23.1.1.3        GigabitEthernet0/0/0
23.1.1.0/24         Direct  0    0     D     23.1.1.2        GigabitEthernet0/0/0
23.1.1.2/32         Direct  0    0     D     127.0.0.1       GigabitEthernet0/0/0
23.1.1.255/32       Direct  0    0     D     127.0.0.1       GigabitEthernet0/0/0
34.1.1.0/24         OSPF    10   2     D     23.1.1.3        GigabitEthernet0/0/0
127.0.0.0/8         Direct  0    0     D     127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0     D     127.0.0.1       InLoopBack0
127.255.255.255/32  Direct  0    0     D     127.0.0.1       InLoopBack0
255.255.255.255/32  Direct  0    0     D     127.0.0.1       InLoopBack0
VRF routing table:
<PE1>display ip routing-table vpn-instance vpn1
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpn1
Destinations : 6 Routes : 6
Destination/Mask    Proto   Pre  Cost  Flags NextHop         Interface
12.1.1.0/24         Direct  0    0     D     12.1.1.2        GigabitEthernet0/0/1
12.1.1.2/32         Direct  0    0     D     127.0.0.1       GigabitEthernet0/0/1
12.1.1.255/32       Direct  0    0     D     127.0.0.1       GigabitEthernet0/0/1
192.168.1.0/24      Static  60   0     RD    12.1.1.1        GigabitEthernet0/0/1
192.168.2.0/24      IBGP    255  0     RD    4.4.4.4         GigabitEthernet0/0/0
255.255.255.255/32  Direct  0    0     D     127.0.0.1       InLoopBack0
<PE1>
Likewise, PE2 needs a route to 192.168.2.0/24 added to its VRF:
ip route-static vpn-instance vpn1 192.168.2.0 255.255.255.0 45.1.1.5
When that is done, test communication between PC1 and PC3
PC1>ping 192.168.2.100
Ping 192.168.2.100: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 192.168.2.100: bytes=32 seq=2 ttl=123 time=31 ms
From 192.168.2.100: bytes=32 seq=3 ttl=123 time=31 ms
From 192.168.2.100: bytes=32 seq=4 ttl=123 time=31 ms
From 192.168.2.100: bytes=32 seq=5 ttl=123 time=47 ms
--- 192.168.2.100 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 0/35/47 ms
PC1>
PC1>tracert 192.168.2.100
traceroute to 192.168.2.100, 8 hops max (ICMP), press Ctrl+C to stop
1 192.168.1.10 16 ms 15 ms 16 ms
2 12.1.1.2 16 ms 15 ms 31 ms
3 23.1.1.3 16 ms 31 ms 31 ms
4 45.1.1.4 32 ms 31 ms 31 ms
5 45.1.1.5 47 ms 31 ms 47 ms
6 192.168.2.100 31 ms 31 ms 16 ms
PC1>
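The route exchange that steps 3 to 5 configure, modelled in Python as an added example (it is not part of the original article and is not Huawei code). The vpn1 values come from the configuration above; the second customer's instance vpn2, its RD/RT 2:2 and the addresses 10.2.0.0/24 and 46.1.1.6 are constructed to show what a mistyped import RT does to VRF isolation.

```python
from dataclasses import dataclass, field

@dataclass
class VpnInstance:
    name: str
    rd: str
    export_rt: set
    import_rt: set
    static: dict                                 # prefix -> CE next hop (ip route-static vpn-instance)
    bgp: dict = field(default_factory=dict)      # prefix -> remote PE (learned over VPNv4)

@dataclass
class PE:
    router_id: str
    instances: list

    def advertise(self):
        # import-route static: each VRF static route becomes RD:prefix tagged with the export RTs
        return [{"nlri": f"{v.rd}:{p}", "prefix": p, "rt": set(v.export_rt), "nh": self.router_id}
                for v in self.instances for p in v.static]

    def receive(self, updates):
        # policy vpn-target: a route enters a VRF only if it carries one of that VRF's import RTs
        placed = []
        for u in updates:
            for v in self.instances:
                if u["rt"] & v.import_rt:
                    v.bgp[u["prefix"]] = u["nh"]
                    placed.append((v.name, u["prefix"]))
        return placed

def build(vpn2_import):
    # vpn1 values are from the page; vpn2 (customer B) is a constructed second customer on PE2
    pe1 = PE("2.2.2.2", [VpnInstance("vpn1", "1:1", {"1:1"}, {"1:1"}, {"192.168.1.0/24": "12.1.1.1"})])
    pe2 = PE("4.4.4.4", [
        VpnInstance("vpn1", "1:1", {"1:1"}, {"1:1"}, {"192.168.2.0/24": "45.1.1.5"}),
        VpnInstance("vpn2", "2:2", {"2:2"}, set(vpn2_import), {"10.2.0.0/24": "46.1.1.6"})])
    return pe1, pe2

def exchange(pe1, pe2):
    to_pe2, to_pe1 = pe1.advertise(), pe2.advertise()
    return pe2.receive(to_pe2), pe1.receive(to_pe1)

def cross_customer_imports(pes, customer_of):
    # audit: flag any VRF whose import RT matches the export RT of another customer's VRF
    vrfs = [v for pe in pes for v in pe.instances]
    return sorted({(i.name, e.name) for i in vrfs for e in vrfs
                   if customer_of[i.name] != customer_of[e.name] and i.import_rt & e.export_rt})

if __name__ == "__main__":
    owners = {"vpn1": "A", "vpn2": "B"}
    for imp in ({"2:2"}, {"2:2", "1:1"}):        # correct config, then a mistyped import RT
        pe1, pe2 = build(imp)
        print(sorted(imp), exchange(pe1, pe2), cross_customer_imports([pe1, pe2], owners))
```

With the correct import RT, PE1's vpn1 learns 192.168.2.0/24 via 4.4.4.4, matching the IBGP entry in the VRF table above; with 1:1 added to vpn2's import list, customer A's 192.168.1.0/24 is also installed in customer B's VRF and the audit reports the pair.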