MSR系列路由器MPLS多角色主机功能的典型配置举例

目  录

1 简介

2 配置前提

3 配置举例

3.1 组网需求

3.2 配置思路

3.3 使用版本

3.4 配置步骤

3.4.1 设备PE A配置

3.4.2 设备PE B的配置

3.5 验证配置

3.6 配置文件

4 相关资料

1  简介

本文档介绍使用多角色主机功能实现同一主机访问不同VPN实例的典型案例。

2  配置前提

本文档不严格与具体软、硬件版本对应，如果使用过程中与产品实际情况有差异，请参考相关产品手册，或以设备实际情况为准。

本文档中的配置均是在实验室环境下进行的配置和验证，配置前设备的所有参数均采用出厂时的缺省配置。如果您已经对设备进行了配置，为了保证配置效果，请确认现有配置和以下举例中的配置不冲突。

本文档假设您已了解多角色主机的特性。

3  配置举例

3.1  组网需求

如图1所示，PE A和PE B进行MP-IBGP连接，是VPN站点接入路由器，为VPN路由分发标签，主机Host连接PE A。现在PE A上为Host配置策略路由以实现：Host可以访问vpna和vpnb的各个站点。

图1 MSR系列路由器MPLS多角色主机功能的典型配置举例

3.2  配置思路

PE A需要对来自Host的报文进行辨识区别，因此需要PE A配置VPN实例并将VPN实例与对应的接口进行绑定；同时配置相应的策略路由，从而将符合匹配规则的报文通过对应的接口进行转发。

3.3  使用版本

本举例是在Release 2311版本上进行配置和验证的。

3.4  配置步骤

3.4.1  设备PE A配置

# 配置接口IP地址。

<PEA> system-view

[PEA] interface loopback 0

[PEA-LoopBack0] ip address 1.1.1.1 255.255.255.255

[PEA-LoopBack0] quit

[PEA] interface ethernet 0/0

[PEA-Ethernet0/0] port link-mode route

[PEA-Ethernet0/0] ip address 1.2.0.1 255.255.255.0

[PEA-Ethernet0/0] quit

[PEA] interface ethernet 0/1

[PEA-Ethernet0/1] port link-mode route

[PEA-Ethernet0/1] ip address 192.168.0.1 255.255.255.0

[PEA-Ethernet0/1] quit

[PEA] interface ethernet 0/2

[PEA-Ethernet0/2] port link-mode route

[PEA-Ethernet0/2] ip address 192.168.1.1 255.255.255.0

[PEA-Ethernet0/2] quit

[PEA] interface ethernet 0/3

[PEA-Ethernet0/3] port link-mode route

[PEA-Ethernet0/3] ip address 172.32.0.1 255.255.255.0

[PEA-Ethernet0/3] quit

# 配置OSPF协议使网络互通。

[PEA] ospf 1

[PEA-ospf-1] area 0.0.0.0

[PEA-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0

[PEA-ospf-1-area-0.0.0.0] network 1.2.0.0 0.0.0.255

[PEA-ospf-1-area-0.0.0.0] quit

[PEA-ospf-1] quit

# 配置路由器Router ID。

[PEA] router id 1.1.1.1

# 在PE A配置MPLS和MPLS LDP功能。

[PEA] mpls lsr-id 1.1.1.1

[PEA] mpls

[PEA-mpls] quit

[PEA] mpls ldp

[PEA-mpls-ldp] quit

# 在接口Ethernet0/0配置MPLS和MPLS LDP功能。

[PEA] interface ethernet 0/0

[PEA-Ethernet0/0] mpls

[PEA-Ethernet0/0] mpls ldp

[PEA-Ethernet0/0] quit

# 在PE A上创建VPN实例vpna和vpnb，并配置RD和VPN Target属性。

[PEA] ip vpn-instance vpna

[PEA-vpn-instance-vpna] route-distinguisher 1:1

[PEA-vpn-instance-vpna] vpn-target 1:1 export-extcommunity

[PEA-vpn-instance-vpna] vpn-target 1:1 import-extcommunity

[PEA-vpn-instance-vpna] quit

[PEA] ip vpn-instance vpnb

[PEA-vpn-instance-vpnb] route-distinguisher 1:2

[PEA-vpn-instance-vpnb] vpn-target 1:2 export-extcommunity

[PEA-vpn-instance-vpnb] vpn-target 1:2 import-extcommunity

[PEA-vpn-instance-vpnb] quit

# 将CE接入PE：接口Ethernet0/1，Ethernet0/2绑定到vpna上，接口Ethernet0/3绑定到vpnb上。

[PEA] interface ethernet 0/1

[PEA-Ethernet0/1] ip binding vpn-instance vpna

[PEA-Ethernet0/1] ip address 192.168.0.1 255.255.255.0

[PEA-Ethernet0/1] quit

[PEA] interface ethernet 0/2

[PEA-Ethernet0/2] ip binding vpn-instance vpna

[PEA-Ethernet0/2] ip address 192.168.1.1 255.255.255.0

[PEA-Ethernet0/2] quit

[PEA] interface ethernet 0/3

[PEA-Ethernet0/3] ip binding vpn-instance vpnb

[PEA-Ethernet0/3] ip address 172.32.0.1 255.255.255.0

[PEA-Ethernet0/3] quit

# 配置静态路由，使主机192.168.0.2/24访问vpnb的报文能够返回vpna中，回到Host。

[PEA] ip route-static vpn-instance vpnb 192.168.0.2 255.255.255.255 vpn-instance vpna 192.168.0.2

# 配置BGP协议，在PE间建立MP-BGP对等体，引入VPN路由。

[PEA] bgp 1

[PEA-bgp] undo synchronization

[PEA-bgp] peer 2.2.2.2 as-number 1

[PEA-bgp] peer 2.2.2.2 connect-interface loopback0

# 进入BGP-VPNv4子地址族视图，配置VPNv4对等体2.2.2.2。

[PEA-bgp] ipv4-family vpnv4

[PEA-bgp-af-vpnv4] peer 2.2.2.2 enable

[PEA-bgp-af-vpnv4] quit

# 进入BGP-VPN实例视图，将直连路由引入到vpna的路由表。

[PEA-bgp] ipv4-family vpn-instance vpna

[PEA-bgp-ipv4-vpna] import-route direct

[PEA-bgp-ipv4-vpna] quit

# 进入BGP-VPN实例视图，将直连路由和静态路由引入到vpnb的路由表。

[PEA-bgp] ipv4-family vpn-instance vpnb

[PEA-bgp-ipv4-vpnb] import-route direct

[PEA-bgp-ipv4-vpnb] import-route static

[PEA-bgp-ipv4-vpnb] quit

[PEA-bgp] quit

# 配置ACL，允许源地址为192.168.0.2的VPN实例通过。

[PEA] acl number 2000

[PEA-acl-basic-2000] rule 0 permit vpn-instance vpna source 192.168.0.2 0

[PEA-acl-basic-2000] rule 5 deny

[PEA-acl-basic-2000] quit

# 创建策略路由，对于匹配ACL 2000的报文，如果在所属的vpna中没有找到路由，就在vpnb实例中查找路由并转发。

[PEA] policy-based-route multirole permit node 0

[PEA-pbr-multirole-0] if-match acl 2000

[PEA-pbr-multirole-0] apply access-vpn vpn-instance vpna vpnb

[PEA-pbr-multirole-0] quit

# 在接口Ethernet0/1上应用定义的策略路由。

[PEA] interface ethernet 0/1

[PEA-Ethernet0/1] ip policy-based-route multirole

[PEA-Ethernet0/1] quit

3.4.2  设备PE B的配置

# 配置接口IP地址。

<PEB> system-view

[PEB] interface loopback 0

[PEB-LoopBack0] ip address 2.2.2.2 255.255.255.255

[PEB-LoopBack0] quit

[PEB] interface ethernet 0/0

[PEB-Ethernet0/0] port link-mode route

[PEB-Ethernet0/0] ip address 1.2.0.2 255.255.255.0

[PEB-Ethernet0/0] quit

[PEB] interface ethernet 0/1

[PEB-Ethernet0/1] port link-mode route

[PEB-Ethernet0/1] ip address 172.32.1.1 255.255.255.0

[PEB-Ethernet0/1] quit

# 配置OSPF协议使网络互通。

[PEB] ospf 1

[PEB-ospf-1] area 0.0.0.0

[PEB-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0

[PEB-ospf-1-area-0.0.0.0] network 1.2.0.0 0.0.0.255

[PEB-ospf-1-area-0.0.0.0] quit

[PEB-ospf-1] quit

# 配置路由器的Router ID。

[PEB] router id 2.2.2.2

# 在PE B配置MPLS和MPLS LDP功能。

[PEB] mpls lsr-id 2.2.2.2

[PEB] mpls

[PEB-mpls] quit

[PEB] mpls ldp

[PEB-mpls-ldp] quit

# 在接口Ethernet0/0配置MPLS和MPLS LDP功能。

[PEB] interface ethernet 0/0

[PEB-Ethernet0/0] mpls

[PEB-Ethernet0/0] mpls ldp

[PEB-Ethernet0/0] quit

# 在PE B上创建VPN实例vpnb，并配置RD和VPN Target属性。

[PEB] ip vpn-instance vpnb

[PEB-vpn-instance-vpnb] route-distinguisher 2:2

[PEB-vpn-instance-vpnb] vpn-target 1:2 export-extcommunity

[PEB-vpn-instance-vpnb] vpn-target 1:2 import-extcommunity

[PEB-vpn-instance-vpnb] quit

# 将接口Ethernet0/1绑定到vpnb上

[PEB] interface ethernet 0/1

[PEB-Ethernet0/1] ip binding vpn-instance vpnb

[PEB-Ethernet0/1] ip address 172.32.1.1 255.255.255.0

[PEB-Ethernet0/1] quit

# 配置BGP协议，在PE间建立MP-BGP对等体，引入VPN路由。

[PEB] bgp 1

[PEB-bgp] undo synchronization

[PEB-bgp] peer 1.1.1.1 as-number 1

[PEB-bgp] peer 1.1.1.1 connect-interface loopback0

# 进入BGP-VPNv4子地址族视图，配置VPNv4对等体1.1.1.1。

[PEB-bgp] ipv4-family vpnv4

[PEB-bgp-af-vpnv4] peer 1.1.1.1 enable

[PEB-bgp-af-vpnv4] quit

# 进入BGP-VPN实例视图，将直连路由引入到vpnb的路由表。

[PEB-bgp] ipv4-family vpn-instance vpnb

[PEB-bgp-ipv4-vpnb] import-route direct

[PEB-bgp-ipv4-vpnb] quit

[PEB-bgp] quit

3.5  验证配置

# 在Host主机ping vpna的Site 1的IP地址192.168.1.2/24，能够ping通。

C:\Documents and Settings\Administrator> ping -vpn-instance vpna 192.168.1.2

Pinging 192.168.1.2 with 32 bytes of data:

 Reply from  192.168.1.2: bytes=32  time=7 ms  ttl=127

 Reply from  192.168.1.2: bytes=32  time=1 ms  ttl=127

 Reply from  192.168.1.2: bytes=32  time=1 ms  ttl=127

 Reply from  192.168.1.2: bytes=32  time=1 ms  ttl=127

Ping statistics for 192.168.1.2:

    Packets: Sent =4, Received = 4,Lost = 0 (0% loss)

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 7ms, Average = 1ms

# 在Host主机ping vpnb的Site 2的IP地址172.32.0.2/24，能够ping通。

C:\Documents and Settings\Administrator> ping -vpn-instance vpnb 172.32.0.2

Pinging 172.32.0.2 with 32 bytes of data:

 Reply from  172.32.0.2: bytes=32  time=7 ms  ttl=127

 Reply from  172.32.0.2: bytes=32  time=1 ms  ttl=127

 Reply from  172.32.0.2: bytes=32  time=1 ms  ttl=127

 Reply from  172.32.0.2: bytes=32  time=1 ms  ttl=127

Ping statistics for 172.32.0.2:

    Packets: Sent =4, Received = 4,Lost = 0 (0% loss)

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 7ms, Average = 1ms

# 在Host主机ping vpnb的Site 3的IP地址172.32.1.2/24，能够ping通。

C:\Documents and Settings\Administrator> ping -vpn-instance vpnb 172.32.1.2

Pinging 172.32.1.2 with 32 bytes of data:

 Reply from  172.32.1.2: bytes=32  time=7 ms  ttl=126

 Reply from  172.32.1.2: bytes=32  time=1 ms  ttl=126

 Reply from  172.32.1.2: bytes=32  time=1 ms  ttl=126

 Reply from  172.32.1.2: bytes=32  time=1 ms  ttl=126

Ping statistics for 172.32.1.2:

    Packets: Sent =4, Received = 4,Lost = 0 (0% loss)

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 7ms, Average = 1ms

3.6  配置文件

·     PE A配置：

#

 router id 1.1.1.1

#

 mpls lsr-id 1.1.1.1

#

ip vpn-instance vpna

 route-distinguisher 1:1

 vpn-target 1:1 export-extcommunity

 vpn-target 1:1 import-extcommunity

#

ip vpn-instance vpnb

 route-distinguisher 1:2

 vpn-target 1:2 export-extcommunity

 vpn-target 1:2 import-extcommunity

#

acl number 2000

 rule 0 permit vpn-instance vpna source 192.168.0.2 0

 rule 5 deny

#

mpls

#

mpls ldp

#

policy-based-route multirole permit node 0

 if-match acl 2000

 apply access-vpn vpn-instance vpna vpnb

#

interface Ethernet0/0

 port link-mode route

 ip address 1.2.0.1 255.255.255.0

 mpls

 mpls ldp

#

interface Ethernet0/1

 port link-mode route

 ip binding vpn-instance vpna

 ip address 192.168.0.1 255.255.255.0

 ip policy-based-route multirole

#

interface Ethernet0/2

 port link-mode route

 ip binding vpn-instance vpna

 ip address 192.168.1.1 255.255.255.0

#

interface Ethernet0/3

 port link-mode route

 ip binding vpn-instance vpnb

 ip address 172.32.0.1 255.255.255.0

#

interface LoopBack0

 ip address 1.1.1.1 255.255.255.255

#

bgp 1

 undo synchronization

 peer 2.2.2.2 as-number 1

 peer 2.2.2.2 connect-interface LoopBack0

 #

 ipv4-family vpn-instance vpna

  import-route direct

 #

 ipv4-family vpn-instance vpnb

  import-route direct

  import-route static

 #

 ipv4-family vpnv4

  peer 2.2.2.2 enable

#

ospf 1

 area 0.0.0.0

  network 1.1.1.1 0.0.0.0

  network 1.2.0.0 0.0.0.255

#

 ip route-static vpn-instance vpnb 192.168.0.2 255.255.255.255 vpn-instance vpna 192.168.0.2

#

·     PE B配置：

#

 router id 2.2.2.2

#

 mpls lsr-id 2.2.2.2

#

ip vpn-instance vpnb

 route-distinguisher 2:2

 vpn-target 1:2 export-extcommunity

 vpn-target 1:2 import-extcommunity

#

mpls

#

mpls ldp

#

interface Ethernet0/0

 port link-mode route

 ip address 1.2.0.2 255.255.255.0

 mpls

 mpls ldp

#

interface Ethernet0/1

 port link-mode route

 ip binding vpn-instance vpnb

 ip address 172.16.1.1 255.255.255.0

#

interface LoopBack0

 ip address 2.2.2.2 255.255.255.255

#

bgp 1

 undo synchronization

 peer 1.1.1.1 as-number 1

 peer 1.1.1.1 connect-interface LoopBack0

 #

 ipv4-family vpn-instance vpnb

  import-route direct

 #

 ipv4-family vpnv4

  peer 1.1.1.1 enable

#

ospf 1

 area 0.0.0.0

  network 2.2.2.2 0.0.0.0

  network 1.2.0.0 0.0.0.255

#

4  相关资料

·     H3C MSR 系列路由器 命令参考(V5)-R2311

·     H3C MSR 系列路由器 配置指导(V5)-R2311