Networking requirements
Branch 1 and Branch 2 may communicate only with headquarters; the two branches must not be able to reach each other. Configure the devices according to the figure so that headquarters users can correctly reach the users at each branch.
Configuration approach
The sites communicate over an MPLS L3VPN, and BGP carries routes between each customer site and the service provider. Branch 1 is placed in VPN1 with RD 1:1, Export Target 12:3 and Import Target 3:12; Branch 2 is placed in VPN2 with RD 2:2, Export Target 12:3 and Import Target 3:12; headquarters is placed in VPN3 with RD 3:3, Export Target 3:12 and Import Target 12:3. The asymmetric targets are what enforce the policy: both branches export 12:3, which only the headquarters instance imports, and only headquarters exports 3:12, which the branches import, so a branch never installs the other branch's routes.
As the figure shows, an MPLS VPN configuration has two parts:
- Customer-side (CE) configuration:
  - mainly, which protocol runs between CE and PE to carry the private routes into the provider network.
- Provider backbone configuration, which itself has three parts:
  - the backbone IGP, so that the provider routers (in particular the PE loopbacks used for BGP and LDP) are reachable;
  - the VPN instances, which encapsulate the private routes on the provider devices and carry them across the backbone;
  - MP-BGP and MPLS, which distribute the private routes and build the label tunnel.
Procedure
Configure the IP addresses on each device
CE1
<Huawei>system-view
[Huawei]sysname CE1
[CE1]interface GigabitEthernet0/0/0
[CE1-GigabitEthernet0/0/0]ip address 10.1.13.1 255.255.255.0
[CE1]interface LoopBack1
[CE1-LoopBack1]ip address 172.16.1.1 255.255.255.255
CE2
<Huawei>system-view
[Huawei]sysname CE2
[CE2]interface GigabitEthernet0/0/0
[CE2-GigabitEthernet0/0/0]ip address 10.1.23.2 255.255.255.0
[CE2]interface LoopBack1
[CE2-LoopBack1]ip address 172.16.2.1 255.255.255.255
PE1
<Huawei>system-view
[Huawei]sysname PE1
[PE1]interface GigabitEthernet0/0/0
[PE1-GigabitEthernet0/0/0]ip address 10.1.13.3 255.255.255.0
[PE1]interface GigabitEthernet0/0/1
[PE1-GigabitEthernet0/0/1]ip address 10.1.23.3 255.255.255.0
[PE1]interface GigabitEthernet0/0/2
[PE1-GigabitEthernet0/0/2]ip address 10.1.34.3 255.255.255.0
[PE1]interface LoopBack1
[PE1-LoopBack1]ip address 1.1.1.1 255.255.255.255
P
<Huawei>system-view
[Huawei]sysname P
[P]interface GigabitEthernet0/0/0
[P-GigabitEthernet0/0/0]ip address 10.1.34.4 255.255.255.0
[P]interface GigabitEthernet0/0/1
[P-GigabitEthernet0/0/1]ip address 10.1.45.4 255.255.255.0
[P]interface LoopBack1
[P-LoopBack1]ip address 2.2.2.2 255.255.255.255
PE2
<Huawei>system-view
[Huawei]sysname PE2
[PE2]interface GigabitEthernet0/0/0
[PE2-GigabitEthernet0/0/0]ip address 10.1.56.5 255.255.255.0
[PE2]interface GigabitEthernet0/0/1
[PE2-GigabitEthernet0/0/1]ip address 10.1.45.5 255.255.255.0
[PE2]interface LoopBack1
[PE2-LoopBack1]ip address 3.3.3.3 255.255.255.255
CE3
<Huawei>system-view
[Huawei]sysname CE3
[CE3]interface GigabitEthernet0/0/0
[CE3-GigabitEthernet0/0/0]ip address 10.1.56.6 255.255.255.0
[CE3]interface LoopBack1
[CE3-LoopBack1]ip address 172.16.3.1 255.255.255.255
Backbone reachability in the MPLS domain (IP backbone IGP)
Only the backbone links and the loopbacks are advertised into OSPF; the CE-facing subnets stay out of the provider IGP.
PE1
[PE1]ospf 1
[PE1-ospf-1]area 0.0.0.0
[PE1-ospf-1-area-0.0.0.0]network 1.1.1.1 0.0.0.0
[PE1-ospf-1-area-0.0.0.0]network 10.1.34.0 0.0.0.255
P
[P]ospf 1
[P-ospf-1]area 0.0.0.0
[P-ospf-1-area-0.0.0.0]network 2.2.2.2 0.0.0.0
[P-ospf-1-area-0.0.0.0]network 10.1.34.0 0.0.0.255
[P-ospf-1-area-0.0.0.0]network 10.1.45.0 0.0.0.255
PE2
[PE2]ospf 1
[PE2-ospf-1]area 0.0.0.0
[PE2-ospf-1-area-0.0.0.0]network 3.3.3.3 0.0.0.0
[PE2-ospf-1-area-0.0.0.0]network 10.1.45.0 0.0.0.255
Configure the VPN instances on the PEs
PE1
# Create the VPN instance and enter its view
[PE1]ip vpn-instance vpn1
# Enable the IPv4 address family of the instance and enter its view
[PE1-vpn-instance-vpn1]ipv4-family
# Set the RD of the IPv4 address family
[PE1-vpn-instance-vpn1-af-ipv4]route-distinguisher 1:1
# Set the VPN-target extended community attributes. VPN Target is a BGP extended community that controls which VPN routes are accepted and advertised; one vpn-target command can list up to 8 targets.
[PE1-vpn-instance-vpn1-af-ipv4]vpn-target 12:3 export-extcommunity
[PE1-vpn-instance-vpn1-af-ipv4]vpn-target 3:12 import-extcommunity
[PE1]ip vpn-instance vpn2
[PE1-vpn-instance-vpn2]ipv4-family
[PE1-vpn-instance-vpn2-af-ipv4]route-distinguisher 2:2
[PE1-vpn-instance-vpn2-af-ipv4]vpn-target 12:3 export-extcommunity
[PE1-vpn-instance-vpn2-af-ipv4]vpn-target 3:12 import-extcommunity
PE2
[PE2]ip vpn-instance vpn3
[PE2-vpn-instance-vpn3]ipv4-family
[PE2-vpn-instance-vpn3-af-ipv4]route-distinguisher 3:3
[PE2-vpn-instance-vpn3-af-ipv4]vpn-target 3:12 export-extcommunity
[PE2-vpn-instance-vpn3-af-ipv4]vpn-target 12:3 import-extcommunity
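The isolation between the branches rests entirely on the export/import target mismatch above, and it breaks silently if someone collapses the two directional vpn-target lines into one. The following Python script is an added example, not part of the original page or of any Huawei tool: it parses the three ip vpn-instance blocks as they would appear in a running configuration, computes which instance installs which instance's routes, and checks the hub-and-spoke policy. The parser, the function names and the LEAKY_CONFIG counter-example are mine; the only VRP syntax it relies on is vpn-target <rt> ... [export-extcommunity | import-extcommunity | both], with both as the default when no direction is given.

```python
"""Check that the route targets of an MPLS L3VPN enforce a hub-and-spoke policy."""
from dataclasses import dataclass, field

DIRECTIONS = {"export-extcommunity", "import-extcommunity", "both"}

# Constructed input: the VPN-instance blocks configured on PE1 and PE2 in this
# tutorial, merged into one blob the way they appear in a running-config.
PE_CONFIG = """\
ip vpn-instance vpn1
 ipv4-family
  route-distinguisher 1:1
  vpn-target 12:3 export-extcommunity
  vpn-target 3:12 import-extcommunity
ip vpn-instance vpn2
 ipv4-family
  route-distinguisher 2:2
  vpn-target 12:3 export-extcommunity
  vpn-target 3:12 import-extcommunity
ip vpn-instance vpn3
 ipv4-family
  route-distinguisher 3:3
  vpn-target 3:12 export-extcommunity
  vpn-target 12:3 import-extcommunity
"""

# Constructed counter-example (hypothetical, not from the page): an operator
# replaces the two directional targets of vpn2 with one "both" line. This
# silently turns the hub-and-spoke design into a full mesh.
LEAKY_CONFIG = PE_CONFIG.replace(
    "  vpn-target 12:3 export-extcommunity\n  vpn-target 3:12 import-extcommunity\nip vpn-instance vpn3",
    "  vpn-target 12:3 3:12 both\nip vpn-instance vpn3",
)


@dataclass
class VpnInstance:
    name: str
    rd: str = ""
    export_rt: set = field(default_factory=set)
    import_rt: set = field(default_factory=set)


def parse_vpn_instances(config: str) -> dict:
    """Parse 'ip vpn-instance' blocks into {name: VpnInstance}."""
    instances, current = {}, None
    for raw in config.splitlines():
        tokens = raw.split()
        if tokens[:2] == ["ip", "vpn-instance"]:
            current = VpnInstance(name=tokens[2])
            instances[current.name] = current
        elif current is None or not tokens:
            continue
        elif tokens[0] == "route-distinguisher":
            current.rd = tokens[1]
        elif tokens[0] == "vpn-target":
            rts, direction = tokens[1:], "both"   # VRP default when omitted
            if rts and rts[-1] in DIRECTIONS:
                direction = rts.pop()
            if direction != "import-extcommunity":
                current.export_rt.update(rts)
            if direction != "export-extcommunity":
                current.import_rt.update(rts)
    return instances


def imports_from(instances: dict, dst: str, src: str) -> bool:
    """True if dst's import targets match at least one of src's export targets,
    i.e. routes originated in src will be installed in dst's routing table."""
    return bool(instances[src].export_rt & instances[dst].import_rt)


def reachability_matrix(instances: dict) -> dict:
    """{(src, dst): bool} for every ordered pair of distinct instances."""
    names = sorted(instances)
    return {(s, d): imports_from(instances, d, s)
            for s in names for d in names if s != d}


def check_hub_and_spoke(instances: dict, hub: str, spokes: list) -> list:
    """Return policy violations; an empty list means the targets enforce
    'spokes talk to the hub, never to each other'. A ping needs routes in
    both directions, so each spoke/hub pair must import from each other."""
    violations = []
    for s in spokes:
        if not (imports_from(instances, hub, s) and imports_from(instances, s, hub)):
            violations.append(f"{s} <-> {hub}: routes are not exchanged both ways")
    for a in spokes:
        for b in spokes:
            if a != b and imports_from(instances, b, a):
                violations.append(f"leak: {b} imports routes exported by {a}")
    return violations


if __name__ == "__main__":
    for label, cfg in (("tutorial config", PE_CONFIG), ("leaky config", LEAKY_CONFIG)):
        inst = parse_vpn_instances(cfg)
        print(f"== {label} ==")
        for (s, d), ok in sorted(reachability_matrix(inst).items()):
            print(f"  {s} -> {d}: {'imported' if ok else 'blocked'}")
        print("  violations:", check_hub_and_spoke(inst, "vpn3", ["vpn1", "vpn2"]) or "none")
```

The script models route-target matching only. It cannot tell whether an interface is bound to the right instance, whether the MP-IBGP session is up, or whether the LDP LSP exists, so the display and ping checks in the verification section are still required. Note also that vpn1 and vpn2 both live on PE1: with the leaky targets, PE1 would cross-install the branch routes locally, without any VPNv4 update crossing the backbone.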
Bind the CE-facing interfaces to the VPN instances
PE1
[PE1]interface GigabitEthernet0/0/0
# Bind the interface to the VPN instance
[PE1-GigabitEthernet0/0/0]ip binding vpn-instance vpn1
# Binding clears the interface's IP configuration, so the address must be re-entered
[PE1-GigabitEthernet0/0/0]ip address 10.1.13.3 255.255.255.0
[PE1]interface GigabitEthernet0/0/1
[PE1-GigabitEthernet0/0/1]ip binding vpn-instance vpn2
[PE1-GigabitEthernet0/0/1]ip address 10.1.23.3 255.255.255.0
PE2
# CE3 is attached to GigabitEthernet0/0/0 (10.1.56.5) and belongs to vpn3; GigabitEthernet0/0/1 (10.1.45.5) is the backbone link to P and stays in the public instance
[PE2]interface GigabitEthernet0/0/0
[PE2-GigabitEthernet0/0/0]ip binding vpn-instance vpn3
[PE2-GigabitEthernet0/0/0]ip address 10.1.56.5 255.255.255.0
Configure MP-IBGP between the PEs
PE1
# Enter the BGP view
[PE1]bgp 5
# Configure the remote PE as a peer
[PE1-bgp]peer 3.3.3.3 as-number 5
# Source the BGP TCP session from the loopback interface
[PE1-bgp]peer 3.3.3.3 connect-interface LoopBack1
# Enter the BGP-VPNv4 address family view
[PE1-bgp]ipv4-family vpnv4
# Enable the exchange of VPN-IPv4 routes with the peer
[PE1-bgp-af-vpnv4]peer 3.3.3.3 enable
PE2
[PE2]bgp 5
[PE2-bgp]peer 1.1.1.1 as-number 5
[PE2-bgp]peer 1.1.1.1 connect-interface LoopBack1
[PE2-bgp]ipv4-family vpnv4
[PE2-bgp-af-vpnv4]peer 1.1.1.1 enable
Configure PE-CE route exchange (PE1, PE2)
PE1
# Enter the BGP view
[PE1]bgp 5
# Enter the BGP-VPN instance IPv4 address family view
[PE1-bgp]ipv4-family vpn-instance vpn1
# Configure the CE as a private-network peer of the VPN instance
[PE1-bgp-vpn1]peer 10.1.13.1 as-number 1
[PE1-bgp-vpn1]quit
[PE1-bgp]ipv4-family vpn-instance vpn2
[PE1-bgp-vpn2]peer 10.1.23.2 as-number 2
PE2
[PE2]bgp 5
[PE2-bgp]ipv4-family vpn-instance vpn3
[PE2-bgp-vpn3]peer 10.1.56.6 as-number 3
CE1
# Enter the BGP view
[CE1]bgp 1
# Configure the PE as a peer
[CE1-bgp]peer 10.1.13.3 as-number 5
# Enter the BGP-IPv4 unicast address family view
[CE1-bgp]ipv4-family unicast
# Advertise the local route 172.16.1.1/32
[CE1-bgp-af-ipv4]network 172.16.1.1 255.255.255.255
CE2
[CE2]bgp 2
[CE2-bgp]peer 10.1.23.3 as-number 5
[CE2-bgp]ipv4-family unicast
[CE2-bgp-af-ipv4]network 172.16.2.1 255.255.255.255
CE3
[CE3]bgp 3
[CE3-bgp]peer 10.1.56.5 as-number 5
[CE3-bgp]ipv4-family unicast
[CE3-bgp-af-ipv4]network 172.16.3.1 255.255.255.255
Configure MPLS and MPLS LDP (PE1, PE2, P)
MPLS and LDP are enabled only on the backbone interfaces; the CE-facing interfaces on the PEs do not run LDP.
PE1
# Set the LSR ID of this node
[PE1]mpls lsr-id 1.1.1.1
# Enable MPLS globally and enter the MPLS view
[PE1]mpls
[PE1-mpls]quit
# Enable LDP globally and enter the MPLS-LDP view. By default the LDP instance's LSR ID equals the node's LSR ID; the default is recommended.
[PE1]mpls ldp
[PE1-mpls-ldp]quit
[PE1]interface GigabitEthernet0/0/2
# Enable MPLS on the interface
[PE1-GigabitEthernet0/0/2]mpls
# Enable MPLS LDP on the interface
[PE1-GigabitEthernet0/0/2]mpls ldp
PE2
[PE2]mpls lsr-id 3.3.3.3
[PE2]mpls
[PE2-mpls]quit
[PE2]mpls ldp
[PE2-mpls-ldp]quit
[PE2]interface GigabitEthernet0/0/1
[PE2-GigabitEthernet0/0/1]mpls
[PE2-GigabitEthernet0/0/1]mpls ldp
P
[P]mpls lsr-id 2.2.2.2
[P]mpls
[P-mpls]quit
[P]mpls ldp
[P-mpls-ldp]quit
[P]interface GigabitEthernet0/0/0
[P-GigabitEthernet0/0/0]mpls
[P-GigabitEthernet0/0/0]mpls ldp
[P]interface GigabitEthernet0/0/1
[P-GigabitEthernet0/0/1]mpls
[P-GigabitEthernet0/0/1]mpls ldp
Verification
Run display ip routing-table vpn-instance on the PEs. Each VPN instance should contain the route to the remote CE that its import target admits, and nothing else. On PE1 that means vpn1 and vpn2 each hold the headquarters prefix 172.16.3.1/32, learned by IBGP from 3.3.3.3, and neither holds the other branch's prefix. A branch prefix appearing in the other branch's table means the targets leaked; since vpn1 and vpn2 live on the same PE, the target mismatch is the only thing keeping them apart. To see the VPNv4 routes with their RDs and targets, use display bgp vpnv4 all routing-table.
PE1's output as an example:
[PE1]display ip routing-table vpn-instance vpn1
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpn1
         Destinations : 6        Routes : 6

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

      10.1.13.0/24  Direct  0    0           D   10.1.13.3       GigabitEthernet0/0/0
      10.1.13.3/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/0
    10.1.13.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/0
     172.16.1.1/32  EBGP    255  0           D   10.1.13.1       GigabitEthernet0/0/0
     172.16.3.1/32  IBGP    255  0           RD  3.3.3.3         GigabitEthernet0/0/2
255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0

[PE1]display ip routing-table vpn-instance vpn2
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpn2
         Destinations : 6        Routes : 6

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

      10.1.23.0/24  Direct  0    0           D   10.1.23.3       GigabitEthernet0/0/1
      10.1.23.3/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/1
    10.1.23.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/1
     172.16.2.1/32  EBGP    255  0           D   10.1.23.2       GigabitEthernet0/0/1
     172.16.3.1/32  IBGP    255  0           RD  3.3.3.3         GigabitEthernet0/0/2
255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
CEs whose VPN instances import each other's routes can ping each other; the two branches, whose instances do not, cannot.
For example, CE1 (sourcing from its loopback 172.16.1.1) can ping CE3 (172.16.3.1) but not CE2 (172.16.2.1):
[CE1]ping -a 172.16.1.1 172.16.3.1
  PING 172.16.3.1: 56  data bytes, press CTRL_C to break
    Reply from 172.16.3.1: bytes=56 Sequence=1 ttl=252 time=50 ms
    Reply from 172.16.3.1: bytes=56 Sequence=2 ttl=252 time=30 ms
    Reply from 172.16.3.1: bytes=56 Sequence=3 ttl=252 time=40 ms
    Reply from 172.16.3.1: bytes=56 Sequence=4 ttl=252 time=40 ms
    Reply from 172.16.3.1: bytes=56 Sequence=5 ttl=252 time=40 ms

  --- 172.16.3.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 30/40/50 ms

[CE1]ping -a 172.16.1.1 172.16.2.1
  PING 172.16.2.1: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out

  --- 172.16.2.1 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss