03-MPLS L3VPN Typical Configuration Examples
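This document provides typical configuration examples for delivering VPN services with MPLS L3VPN.
The configurations in this document were performed and verified in a lab environment, and all device parameters were at their factory defaults before configuration. If you have already configured the device, make sure that the existing configuration does not conflict with the configuration in the following examples.
This document assumes that you are familiar with the MPLS L3VPN feature.
As shown in Figure 1, Customer A and Customer B each have branch offices at two locations. MPLS L3VPN is required so that routing information is exchanged correctly between each customer's branches, and so that customer data is carried securely between sites over the VPN without being sent to the sites of other customers that use the same private IP addresses.
Figure 1 Basic MPLS L3VPN network diagram
· For packets to be carried across the MPLS network, configure an IGP in the MPLS backbone and use LDP to distribute public network labels, which serve as the outer labels of VPN packets.
· To keep the routing information of different customers apart, create two VPN instances on each PE, configure an RD and RTs for each VPN instance, and use BGP within each instance to import that customer's private routes.
· Configure MP-BGP between the PE devices and establish a peer relationship, which carries the VPN private routes and distributes the inner labels (private network labels).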
Product | Software version
S6805 series | Release 6710Pxx, Release 6715 and later
S6825 series | Release 6710Pxx, Release 6715 and later
S6850 series | Release 6710Pxx, Release 6715 and later
S9850 series | Release 6710Pxx, Release 6715 and later
S9820-64H | Release 6710Pxx, Release 6715 and later
S9820-8C | Release 6710Pxx, Release 6715 and later
S6800 series | Release 6710Pxx, Release 6715 and later
S6860 series | Release 6710Pxx, Release 6715 and later
S6826 series | Not supported
S9826 series | Not supported
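Binding an interface to a VPN instance clears the IP address and other configuration on the interface. Therefore, bind the interface to the VPN instance first, and then perform the other configuration.
(1) Configure PE 1
# Configure the backbone interface and the loopback interface address.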
<PE1> system-view
[PE1] interface loopback 0
[PE1-LoopBack0] ip address 1.1.1.9 32
[PE1-LoopBack0] quit
[PE1] vlan 2
[PE1-vlan2] port ten-gigabitEthernet 1/0/2
[PE1-vlan2] quit
[PE1] interface vlan-interface 2
[PE1-Vlan-interface2] ip address 10.1.1.1 24
[PE1-Vlan-interface2] quit
# Configure OSPF to advertise the backbone-side routes.
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
(2) Configure P
# Configure the backbone interfaces and the loopback interface address.
<P> system-view
[P] interface loopback 0
[P-LoopBack0] ip address 2.2.2.9 32
[P-LoopBack0] quit
[P] vlan 2
[P-vlan2] port ten-gigabitEthernet 1/0/2
[P-vlan2] quit
[P] vlan 5
[P-vlan5] port ten-gigabitEthernet 1/0/3
[P-vlan5] quit
[P] interface vlan-interface 2
[P-Vlan-interface2] ip address 10.1.1.2 24
[P-Vlan-interface2] quit
[P] interface vlan-interface 5
[P-Vlan-interface5] ip address 10.1.4.1 24
[P-Vlan-interface5] quit
# Configure OSPF to advertise the backbone-side routes.
[P] ospf
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 10.1.4.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
(3) Configure PE 2
# Configure the backbone interface and the loopback interface address.
<PE2> system-view
[PE2] interface loopback 0
[PE2-LoopBack0] ip address 3.3.3.9 32
[PE2-LoopBack0] quit
[PE2] vlan 5
[PE2-vlan5] port ten-gigabitEthernet 1/0/1
[PE2-vlan5] quit
[PE2] interface vlan-interface 5
[PE2-Vlan-interface5] ip address 10.1.4.2 24
[PE2-Vlan-interface5] quit
# Configure OSPF to advertise the backbone-side routes.
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 10.1.4.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
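After the configuration is complete, OSPF neighbor relationships should be established among PE 1, P, and PE 2. Run display ospf peer to verify that the neighbors reach the Full state, and run display ip routing-table to verify that the PEs have learned each other's loopback routes.
Using PE 1 as an example: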
[PE1] display ospf peer verbose
OSPF Process 1 with Router ID 1.1.1.9
Neighbors
Area 0.0.0.0 interface 10.1.1.1(Vlan-interface2)'s neighbors
Router ID: 2.2.2.9 Address: 10.1.1.2 GR State: Normal
State: Full Mode: Nbr is Master Priority: 1
DR: 10.1.1.2 BDR: 10.1.1.1 MTU: 0
Options is 0x02 (-|-|-|-|-|-|E|-)
Dead timer due in 38 sec
Neighbor is up for 17:30:25
Authentication Sequence: [ 0 ]
Neighbor state change count: 6
BFD status: Disabled
[PE1] display ip routing-table protocol ospf
Summary Count : 5
OSPF Routing table Status : <Active>
Summary Count : 3
Destination/Mask Proto Pre Cost NextHop Interface
2.2.2.9/32 OSPF 10 1 10.1.1.2 Vlan2
3.3.3.9/32 OSPF 10 2 10.1.1.2 Vlan2
10.1.4.0/24 OSPF 10 2 10.1.1.2 Vlan2
OSPF Routing table Status : <Inactive>
Summary Count : 2
Destination/Mask Proto Pre Cost NextHop Interface
1.1.1.9/32 OSPF 10 0 1.1.1.9 Loop0
10.1.1.0/24 OSPF 10 1 10.1.1.1 Vlan2
(1) Configure PE 1
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls ldp
[PE1-ldp] quit
[PE1] interface vlan-interface 2
[PE1-Vlan-interface2] mpls enable
[PE1-Vlan-interface2] mpls ldp enable
[PE1-Vlan-interface2] quit
(2) Configure P
[P] mpls lsr-id 2.2.2.9
[P] mpls ldp
[P-ldp] quit
[P] interface vlan-interface 2
[P-Vlan-interface2] mpls enable
[P-Vlan-interface2] mpls ldp enable
[P-Vlan-interface2] quit
[P] interface vlan-interface 5
[P-Vlan-interface5] mpls enable
[P-Vlan-interface5] mpls ldp enable
[P-Vlan-interface5] quit
(3) Configure PE 2
[PE2] mpls lsr-id 3.3.3.9
[PE2] mpls ldp
[PE2-ldp] quit
[PE2] interface vlan-interface 5
[PE2-Vlan-interface5] mpls enable
[PE2-Vlan-interface5] mpls ldp enable
[PE2-Vlan-interface5] quit
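After the preceding configuration is complete, LDP sessions should be established among PE 1, P, and PE 2. Run display mpls ldp peer to verify that the LDP session state is Operational, and run display mpls ldp lsp to view the LDP LSPs that have been established.
Using PE 1 as an example: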
[PE1] display mpls ldp peer
Total number of peers: 1
Peer LDP ID State Role GR MD5 KA Sent/Rcvd
2.2.2.9:0 Operational Passive Off Off 5/5
[PE1] display mpls ldp lsp
Status Flags: * - stale, L - liberal, B - backup
FECs: 4 Ingress: 1 Transit: 1 Egress: 3
FEC In/Out Label Nexthop OutInterface
1.1.1.9/32 3/-
-/1151(L)
2.2.2.9/32 -/3 10.1.1.2 Vlan2
1151/3 10.1.1.2 Vlan2
3.3.3.9/32 -/1150 10.1.1.2 Vlan2
1150/1150 10.1.1.2 Vlan2
(1) Configure PE 1
# On PE 1, create a VPN instance named "customerA" for Customer A.
[PE1] ip vpn-instance customerA
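# Configure the RD of the instance as 100:1. The RD is used to form VPNv4 routes so that routes for the same subnet from different customers can be told apart.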
[PE1-vpn-instance-customerA] route-distinguisher 100:1
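# Configure the VPN target attributes of the VPN instance: the import attribute (for received routes) is 111:1 and the export attribute (for advertised routes) is 222:1. (Different values are used here to illustrate the meaning of the import and export attributes. For ease of management, you can set the import and export attributes to the same value.)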
[PE1-vpn-instance-customerA] vpn-target 111:1 import-extcommunity
[PE1-vpn-instance-customerA] vpn-target 222:1 export-extcommunity
[PE1-vpn-instance-customerA] quit
# In the same way, create a VPN instance named "customerB" for Customer B, and configure its RD as 200:1 and its import and export VPN target attributes as 333:1 and 444:1, respectively.
[PE1] ip vpn-instance customerB
[PE1-vpn-instance-customerB] route-distinguisher 200:1
[PE1-vpn-instance-customerB] vpn-target 333:1 import-extcommunity
[PE1-vpn-instance-customerB] vpn-target 444:1 export-extcommunity
[PE1-vpn-instance-customerB] quit
# Bind Vlan-interface100 to VPN instance customerA.
[PE1] vlan 100
[PE1-vlan100] port ten-gigabitEthernet 1/0/1
[PE1-vlan100] quit
[PE1] interface vlan-interface 100
[PE1-Vlan-interface100] ip binding vpn-instance customerA
[PE1-Vlan-interface100] ip address 100.1.1.2 24
[PE1-Vlan-interface100] quit
# Bind Vlan-interface200 to VPN instance customerB.
[PE1] vlan 200
[PE1-vlan200] port ten-gigabitEthernet 1/0/3
[PE1-vlan200] quit
[PE1] interface vlan-interface 200
[PE1-Vlan-interface200] ip binding vpn-instance customerB
[PE1-Vlan-interface200] ip address 200.1.1.2 24
[PE1-Vlan-interface200] quit
(2) Configure PE 2
# On PE 2, create a VPN instance named "customerA" for Customer A.
[PE2] ip vpn-instance customerA
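# Configure the RD of the VPN instance. For easy identification, it is recommended to use the same RD as configured for this instance on PE 1.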
[PE2-vpn-instance-customerA] route-distinguisher 100:1
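# Configure the VPN targets of the VPN instance. Note that the import and export attributes must match the export and import attributes configured on PE 1, respectively.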
[PE2-vpn-instance-customerA] vpn-target 222:1 import-extcommunity
[PE2-vpn-instance-customerA] vpn-target 111:1 export-extcommunity
[PE2-vpn-instance-customerA] quit
# In the same way, configure VPN instance "customerB" with the corresponding RD and VPN targets.
[PE2] ip vpn-instance customerB
[PE2-vpn-instance-customerB] route-distinguisher 200:1
[PE2-vpn-instance-customerB] vpn-target 444:1 import-extcommunity
[PE2-vpn-instance-customerB] vpn-target 333:1 export-extcommunity
[PE2-vpn-instance-customerB] quit
# Bind Vlan-interface101 and Vlan-interface202 to instances customerA and customerB, respectively.
[PE2] vlan 101
[PE2-vlan101] port ten-gigabitEthernet 1/0/2
[PE2-vlan101] quit
[PE2] interface vlan-interface 101
[PE2-Vlan-interface101] ip binding vpn-instance customerA
[PE2-Vlan-interface101] ip address 101.1.1.1 24
[PE2-Vlan-interface101] quit
[PE2] vlan 202
[PE2-vlan202] port ten-gigabitEthernet 1/0/3
[PE2-vlan202] quit
[PE2] interface vlan-interface 202
[PE2-Vlan-interface202] ip binding vpn-instance customerB
[PE2-Vlan-interface202] ip address 202.1.1.2 24
[PE2-Vlan-interface202] quit
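(3) Configure the CEs
Configure the interface IP addresses of each CE as shown in Figure 1. The configuration procedure is omitted.
After the configuration is complete, run display ip vpn-instance on the PE devices to view the VPN instance configuration. Each PE can ping the CEs attached to it.
Using PE 1 and CE 1 as an example: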
[PE1] display ip vpn-instance
Total VPN-Instances configured : 2
VPN-Instance Name RD Create time
customerA 100:1 2014/03/22 13:20:08
customerB 200:1 2014/03/22 13:20:20
[PE1] ping -vpn-instance customerA 100.1.1.1
Ping 100.1.1.1 (100.1.1.1): 56 data bytes, press CTRL_C to break
56 bytes from 100.1.1.1: icmp_seq=0 ttl=255 time=1.000 ms
56 bytes from 100.1.1.1: icmp_seq=1 ttl=255 time=2.000 ms
56 bytes from 100.1.1.1: icmp_seq=2 ttl=255 time=0.000 ms
56 bytes from 100.1.1.1: icmp_seq=3 ttl=255 time=1.000 ms
56 bytes from 100.1.1.1: icmp_seq=4 ttl=255 time=0.000 ms
--- Ping statistics for 100.1.1.1 in VPN instance customerA ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/0.800/2.000/0.748 ms
(1) Configure PE 1
# Create BGP process 100 on PE 1.
[PE1] bgp 100
# Specify CE 1 as a peer, and import the direct routes of PE 1 into the BGP-VPN instance routing table.
[PE1-bgp-default] ip vpn-instance customerA
[PE1-bgp-default-customerA] peer 100.1.1.1 as-number 65410
[PE1-bgp-default-customerA] address-family ipv4 unicast
[PE1-bgp-default-ipv4-customerA] peer 100.1.1.1 enable
[PE1-bgp-default-ipv4-customerA] import-route direct
[PE1-bgp-default-ipv4-customerA] quit
[PE1-bgp-default-customerA] quit
# Specify CE 2 as a peer, and import the direct routes of PE 1 into the BGP-VPN instance routing table.
[PE1-bgp-default] ip vpn-instance customerB
[PE1-bgp-default-customerB] peer 200.1.1.1 as-number 65410
[PE1-bgp-default-customerB] address-family ipv4 unicast
[PE1-bgp-default-ipv4-customerB] peer 200.1.1.1 enable
[PE1-bgp-default-ipv4-customerB] import-route direct
[PE1-bgp-default-ipv4-customerB] quit
[PE1-bgp-default-customerB] quit
[PE1-bgp-default] quit
(2) Configure PE 2
# Create BGP process 100 on PE 2.
[PE2] bgp 100
# Specify CE 3 as a peer, and import the direct routes of PE 2 into the BGP-VPN instance routing table.
[PE2-bgp-default] ip vpn-instance customerA
[PE2-bgp-default-customerA] peer 101.1.1.2 as-number 65430
[PE2-bgp-default-customerA] address-family ipv4 unicast
[PE2-bgp-default-ipv4-customerA] peer 101.1.1.2 enable
[PE2-bgp-default-ipv4-customerA] import-route direct
[PE2-bgp-default-ipv4-customerA] quit
[PE2-bgp-default-customerA] quit
# Specify CE 4 as a peer, and import the direct routes of PE 2 into the BGP-VPN instance routing table.
[PE2-bgp-default] ip vpn-instance customerB
[PE2-bgp-default-customerB] peer 202.1.1.1 as-number 65430
[PE2-bgp-default-customerB] address-family ipv4 unicast
[PE2-bgp-default-ipv4-customerB] peer 202.1.1.1 enable
[PE2-bgp-default-ipv4-customerB] import-route direct
[PE2-bgp-default-ipv4-customerB] quit
[PE2-bgp-default-customerB] quit
[PE2-bgp-default] quit
(3) Configure CE1
# Create BGP process 65410 on CE 1, and specify PE 1 as a peer with AS number 100.
<CE1> system-view
[CE1] bgp 65410
[CE1-bgp-default] peer 100.1.1.2 as-number 100
# Enable CE1 to exchange IPv4 unicast routing information with peer 100.1.1.2.
[CE1-bgp-default] address-family ipv4 unicast
[CE1-bgp-default-ipv4] peer 100.1.1.2 enable
# Import the direct routes of the site-facing interfaces on CE 1 into EBGP.
[CE1-bgp-default-ipv4] import-route direct
[CE1-bgp-default-ipv4] quit
[CE1-bgp-default] quit
(4) Configure CE2
# Create BGP process 65410 on CE 2, and specify PE 1 as a peer with AS number 100.
<CE2> system-view
[CE2] bgp 65410
[CE2-bgp-default] peer 200.1.1.2 as-number 100
# Enable CE2 to exchange IPv4 unicast routing information with peer 200.1.1.2.
[CE2-bgp-default] address-family ipv4 unicast
[CE2-bgp-default-ipv4] peer 200.1.1.2 enable
# Import the direct routes of the site-facing interfaces on CE 2 into EBGP.
[CE2-bgp-default-ipv4] import-route direct
[CE2-bgp-default-ipv4] quit
[CE2-bgp-default] quit
(5) Configure CE3
# Create BGP process 65430 on CE 3, and specify PE 2 as a peer with AS number 100.
<CE3> system-view
[CE3] bgp 65430
[CE3-bgp-default] peer 101.1.1.1 as-number 100
# Enable CE3 to exchange IPv4 unicast routing information with peer 101.1.1.1.
[CE3-bgp-default] address-family ipv4 unicast
[CE3-bgp-default-ipv4] peer 101.1.1.1 enable
# Import the direct routes of the site-facing interfaces on CE 3 into EBGP.
[CE3-bgp-default-ipv4] import-route direct
[CE3-bgp-default-ipv4] quit
[CE3-bgp-default] quit
(6) Configure CE4
# Create BGP process 65430 on CE4, and specify PE 2 as a peer with AS number 100.
<CE4> system-view
[CE4] bgp 65430
[CE4-bgp-default] peer 202.1.1.2 as-number 100
# Enable CE4 to exchange IPv4 unicast routing information with peer 202.1.1.2.
[CE4-bgp-default] address-family ipv4 unicast
[CE4-bgp-default-ipv4] peer 202.1.1.2 enable
# Import the direct routes of the site-facing interfaces on CE 4 into EBGP.
[CE4-bgp-default-ipv4] import-route direct
[CE4-bgp-default-ipv4] quit
[CE4-bgp-default] quit
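After the configuration is complete, run display bgp peer ipv4 vpn-instance on the PE devices to verify that the BGP peer relationships between the PEs and CEs are established and in the Established state.
Using the peer relationship between PE 1 and CE 1 as an example: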
[PE1] display bgp peer ipv4 vpn-instance customerA
BGP local router ID: 1.1.1.9
Local AS number: 100
Total number of peers: 1 Peers in established state: 1
* - Dynamically created peer
Peer AS MsgRcvd MsgSent OutQ PrefRcv Up/Down State
100.1.1.1 65410 4 4 0 2 13:35:25 Established
(1) Configure PE 1
# On PE 1, configure PE 2 as a BGP peer and specify Loopback0 as the interface used for the connection.
[PE1] bgp 100
[PE1-bgp-default] peer 3.3.3.9 as-number 100
[PE1-bgp-default] peer 3.3.3.9 connect-interface loopback 0
# Enter BGP-VPNv4 address family view and specify PE 2 as a peer.
[PE1-bgp-default] address-family vpnv4
[PE1-bgp-default-vpnv4] peer 3.3.3.9 enable
[PE1-bgp-default-vpnv4] quit
[PE1-bgp-default] quit
(2) Configure PE 2
# On PE 2, configure PE 1 as a BGP peer and specify Loopback0 as the interface used for the connection.
[PE2] bgp 100
[PE2-bgp-default] peer 1.1.1.9 as-number 100
[PE2-bgp-default] peer 1.1.1.9 connect-interface loopback 0
# Enter BGP-VPNv4 address family view and specify PE 1 as a peer.
[PE2-bgp-default] address-family vpnv4
[PE2-bgp-default-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-default-vpnv4] quit
[PE2-bgp-default] quit
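After the configuration is complete, run display bgp peer vpnv4 on the PE devices to verify that the BGP peer relationship between the PEs is established and in the Established state.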
[PE1] display bgp peer vpnv4
BGP local router ID: 1.1.1.9
Local AS number: 100
Total number of peers: 1 Peers in established state: 1
* - Dynamically created peer
Peer AS MsgRcvd MsgSent OutQ PrefRcv Up/Down State
3.3.3.9 100 8 8 0 0 00:00:08 Established
Run display ip routing-table vpn-instance on the PE devices to view the routes to the remote CEs.
Using customerA on PE 1 as an example:
[PE1] display ip routing-table vpn-instance customerA
Destinations : 13 Routes : 13
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
100.1.1.0/24 Direct 0 0 100.1.1.2 Vlan100
100.1.1.0/32 Direct 0 0 100.1.1.2 Vlan100
100.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0
100.1.1.255/32 Direct 0 0 100.1.1.2 Vlan100
101.1.1.0/24 BGP 255 0 3.3.3.9 Vlan2
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0
224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0
255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
CEs in the same VPN can ping each other, and CEs in different VPNs cannot ping each other.
For example, CE1 can ping CE 3 (101.1.1.2) but cannot ping CE 4 (202.1.1.1).
· PE 1
#
ip vpn-instance customerA
route-distinguisher 100:1
vpn-target 111:1 import-extcommunity
vpn-target 222:1 export-extcommunity
#
ip vpn-instance customerB
route-distinguisher 200:1
vpn-target 333:1 import-extcommunity
vpn-target 444:1 export-extcommunity
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 10.1.1.0 0.0.0.255
#
mpls lsr-id 1.1.1.9
#
vlan 2
#
vlan 100
#
vlan 200
#
mpls ldp
#
interface LoopBack0
ip address 1.1.1.9 255.255.255.255
#
interface Vlan-interface2
ip address 10.1.1.1 255.255.255.0
mpls enable
mpls ldp enable
#
interface Vlan-interface100
ip binding vpn-instance customerA
ip address 100.1.1.2 255.255.255.0
#
interface Vlan-interface200
ip binding vpn-instance customerB
ip address 200.1.1.2 255.255.255.0
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
port access vlan 100
#
interface Ten-GigabitEthernet1/0/2
port link-mode bridge
port access vlan 2
#
interface Ten-GigabitEthernet1/0/3
port link-mode bridge
port access vlan 200
#
bgp 100
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack0
#
address-family vpnv4
peer 3.3.3.9 enable
#
ip vpn-instance customerA
peer 100.1.1.1 as-number 65410
#
address-family ipv4 unicast
import-route direct
peer 100.1.1.1 enable
#
ip vpn-instance customerB
peer 200.1.1.1 as-number 65410
#
address-family ipv4 unicast
import-route direct
peer 200.1.1.1 enable
#
· P
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.4.0 0.0.0.255
#
mpls lsr-id 2.2.2.9
#
vlan 2
#
vlan 5
#
mpls ldp
#
interface LoopBack0
ip address 2.2.2.9 255.255.255.255
#
interface Vlan-interface2
ip address 10.1.1.2 255.255.255.0
mpls enable
mpls ldp enable
#
interface Vlan-interface5
ip address 10.1.4.1 255.255.255.0
mpls enable
mpls ldp enable
#
interface Ten-GigabitEthernet1/0/2
port link-mode bridge
port access vlan 2
#
interface Ten-GigabitEthernet1/0/3
port link-mode bridge
port access vlan 5
#
· PE 2
#
ip vpn-instance customerA
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 222:1 import-extcommunity
#
ip vpn-instance customerB
route-distinguisher 200:1
vpn-target 333:1 export-extcommunity
vpn-target 444:1 import-extcommunity
#
ospf 1
area 0.0.0.0
network 10.1.4.0 0.0.0.255
network 3.3.3.9 0.0.0.0
#
mpls lsr-id 3.3.3.9
#
vlan 5
#
vlan 101
#
vlan 202
#
mpls ldp
#
interface LoopBack0
ip address 3.3.3.9 255.255.255.255
#
interface Vlan-interface5
ip address 10.1.4.2 255.255.255.0
mpls enable
mpls ldp enable
#
interface Vlan-interface101
ip binding vpn-instance customerA
ip address 101.1.1.1 255.255.255.0
#
interface Vlan-interface202
ip binding vpn-instance customerB
ip address 202.1.1.2 255.255.255.0
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
port access vlan 5
#
interface Ten-GigabitEthernet1/0/2
port link-mode bridge
port access vlan 101
#
interface Ten-GigabitEthernet1/0/3
port link-mode bridge
port access vlan 202
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack0
#
address-family vpnv4
peer 1.1.1.9 enable
#
ip vpn-instance customerA
peer 101.1.1.2 as-number 65430
#
address-family ipv4 unicast
import-route direct
peer 101.1.1.2 enable
#
ip vpn-instance customerB
peer 202.1.1.1 as-number 65430
#
address-family ipv4 unicast
import-route direct
peer 202.1.1.1 enable
#
· CE 1
#
vlan 100
#
interface Vlan-interface100
ip address 100.1.1.1 255.255.255.0
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
port access vlan 100
#
bgp 65410
peer 100.1.1.2 as-number 100
#
address-family ipv4 unicast
import-route direct
peer 100.1.1.2 enable
#
· CE 2
#
vlan 200
#
interface Vlan-interface200
ip address 200.1.1.1 255.255.255.0
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
port access vlan 200
#
bgp 65410
peer 200.1.1.2 as-number 100
#
address-family ipv4 unicast
import-route direct
peer 200.1.1.2 enable
#
· CE 3
#
vlan 101
#
interface Vlan-interface101
ip address 101.1.1.2 255.255.255.0
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
port access vlan 101
#
bgp 65430
peer 101.1.1.1 as-number 100
#
address-family ipv4 unicast
import-route direct
peer 101.1.1.1 enable
#
· CE 4
#
vlan 202
#
interface Vlan-interface202
ip address 202.1.1.1 255.255.255.0
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
port access vlan 202
#
bgp 65430
peer 202.1.1.2 as-number 100
#
address-family ipv4 unicast
import-route direct
peer 202.1.1.2 enable
#
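The VPN target matching that keeps Customer A and Customer B apart can be audited offline from the saved configurations. The following Python script is an added example, not part of the original document or of any vendor tool: it parses the vpn-instance stanzas shown above for PE 1 and PE 2, derives which instances exchange routes, and flags any flow between differently named instances. It assumes that an instance name identifies one customer; PE2_LEAKY is a constructed misconfiguration used to show a detection.

```python
import re

# vpn-instance stanzas copied from the PE 1 and PE 2 configuration files above
# (leading indentation is optional for the parser).
PE1_CFG = """\
#
ip vpn-instance customerA
 route-distinguisher 100:1
 vpn-target 111:1 import-extcommunity
 vpn-target 222:1 export-extcommunity
#
ip vpn-instance customerB
 route-distinguisher 200:1
 vpn-target 333:1 import-extcommunity
 vpn-target 444:1 export-extcommunity
#
interface Vlan-interface100
 ip binding vpn-instance customerA
#
bgp 100
 ip vpn-instance customerA
  peer 100.1.1.1 as-number 65410
#
"""
PE2_CFG = """\
#
ip vpn-instance customerA
 route-distinguisher 100:1
 vpn-target 111:1 export-extcommunity
 vpn-target 222:1 import-extcommunity
#
ip vpn-instance customerB
 route-distinguisher 200:1
 vpn-target 333:1 export-extcommunity
 vpn-target 444:1 import-extcommunity
#
"""
# Constructed misconfiguration (not from the page): customerB on PE 2 also
# imports 222:1, the target that customerA exports on PE 1.
PE2_LEAKY = PE2_CFG.replace(
    " vpn-target 444:1 import-extcommunity",
    " vpn-target 444:1 222:1 import-extcommunity",
)

_DIRECTIONS = {
    "import-extcommunity": ("import",),
    "export-extcommunity": ("export",),
    "both": ("import", "export"),
}


def parse_vpn_instances(cfg):
    """Return {instance name: {"rd", "import", "export"}} from a saved config."""
    instances, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line == "#":          # '#' separates stanzas
            current = None
            continue
        m = re.fullmatch(r"ip vpn-instance (\S+)", line)
        if m:                                # also seen under 'bgp'; merged by name
            current = instances.setdefault(
                m.group(1), {"rd": None, "import": set(), "export": set()})
            continue
        if current is None:
            continue
        tokens = line.split()
        if tokens[0] == "route-distinguisher" and len(tokens) == 2:
            current["rd"] = tokens[1]
        elif tokens[0] == "vpn-target":
            # One or more targets, optionally followed by a direction keyword;
            # no keyword means both directions.
            if tokens[-1] in _DIRECTIONS:
                targets, dirs = tokens[1:-1], _DIRECTIONS[tokens[-1]]
            else:
                targets, dirs = tokens[1:], _DIRECTIONS["both"]
            for d in dirs:
                current[d].update(targets)
    return instances


def route_flows(devices):
    """Set of (src_dev, src_vrf, dst_dev, dst_vrf) where an export RT of the
    source instance matches an import RT of the destination instance."""
    vrfs = [(dev, name, inst) for dev, cfg in devices.items()
            for name, inst in parse_vpn_instances(cfg).items()]
    return {(sd, sn, dd, dn)
            for sd, sn, src in vrfs for dd, dn, dst in vrfs
            if (sd, sn) != (dd, dn) and src["export"] & dst["import"]}


def cross_tenant_leaks(devices):
    """Flows between differently named instances (assumed: name == customer)."""
    return sorted(f for f in route_flows(devices) if f[1] != f[3])


if __name__ == "__main__":
    for label, pe2 in (("page config", PE2_CFG), ("leaky PE 2", PE2_LEAKY)):
        devices = {"PE1": PE1_CFG, "PE2": pe2}
        print(label, "flows:", sorted(route_flows(devices)))
        print(label, "cross-tenant leaks:", cross_tenant_leaks(devices))
```

With the configuration from this page the script reports only customerA-to-customerA and customerB-to-customerB flows; with the constructed PE2_LEAKY input it reports routes from customerA on PE 1 being imported into customerB on PE 2.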
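In an MPLS L3VPN network, the PE devices play the most critical role. They are responsible not only for VPN customer access, but also for managing and maintaining VPN routes and for forwarding private network packets. This places very high performance requirements on the PE devices, which in turn limits the scalability of the network.
HoVPN (Hierarchy of VPN) distributes the functions of a PE across multiple devices. The devices take on different roles and form a hierarchy, together performing the functions of one PE. HoVPN places different performance requirements on devices in different roles, which gives the network good scalability.
In an HoVPN network, the devices that connect directly to customers are called UPEs (Underlayer PE or User-end PE). The devices that connect to UPEs and sit inside the network are called SPEs (Superstratum PE or Service Provider-end PE). UPEs and SPEs form a hierarchical PE and together perform the functions of one conventional PE.
The SPE and UPE divide the work as follows:
· The UPE mainly provides customer access. A UPE maintains the routes of its directly connected VPN sites, but does not maintain the routes of other remote sites in the VPN, or maintains only their summary routes. A UPE assigns inner labels to the routes of its directly connected sites and advertises the labels to the SPE along with the VPN routes through MP-BGP.
· The SPE mainly manages and advertises VPN routes. An SPE maintains all routes of the VPNs connected through its UPEs, including the routes of local and remote sites. The SPE advertises routing information to the UPE together with labels. The routing information advertised by the SPE can be the default route (or a summary route) of the VPN instance, or the routes that pass a routing policy. The latter makes it possible to control communication between different sites of the same VPN.
As shown in Figure 2, the UPE connects to the customer-facing CE devices and to the SPE devices inside the provider network. The figure shows the route and label exchange process, where Lx and Lz are public network labels between the UPE and the SPE, and Ly is the public network label of the provider backbone.
Figure 2 Route and label exchange in an HoVPN network
As shown in Figure 3, the SPE devices are in AS 100 and the UPE devices are in AS 200. The SPEs are provider backbone devices, and the UPEs connect to the customer-side CEs. UPE1 and UPE2 connect to CE1 and CE2, respectively, both of which belong to VPN1. CE1 connects to two VLANs: VLAN 10 (172.16.1.0/24) and VLAN 20 (172.16.2.0/24). CE2 connects to one VLAN: VLAN 30 (172.16.3.0/24).
HoVPN is to be deployed in the customer network, with routing policies that restrict access between the VLANs attached to different CEs: VLAN 10 on CE1 and VLAN 30 on CE2 can reach each other, while VLAN 20 on CE1 and VLAN 30 on CE2 cannot reach each other.
Figure 3 Network diagram for the HoVPN typical configuration example
The configuration in this example consists of two parts:
· Configure the HoVPN service in the network.
· Configure routing policies on the SPE devices so that SPE2 advertises only CE1's private route 172.16.1.0/24 to UPE2.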
Table 2 Applicable products and versions
Product | Software version
S6805 series | Release 6710Pxx, Release 6715 and later
S6825 series | Release 6710Pxx, Release 6715 and later
S6850 series | Release 6710Pxx, Release 6715 and later
S9850 series | Release 6710Pxx, Release 6715 and later
S9820-64H | Release 6710Pxx, Release 6715 and later
S9820-8C | Release 6710Pxx, Release 6715 and later
S6800 series | Release 6710Pxx, Release 6715 and later
S6860 series | Release 6710Pxx, Release 6715 and later
S6826 series | Not supported
S9826 series | Not supported
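· An SPE advertises routes to a UPE only when a routing policy that permits route advertisement to the UPE is configured on the SPE. That is, the routing policy is mandatory in an HoVPN network.
· When you configure an EBGP peer relationship between an SPE and a UPE and advertise labels, enabling the capability to exchange labels with the peer is not enough for labels to be advertised. You must also configure a routing policy before labels are advertised to the peer.
· Binding an interface to a VPN instance clears the IP address and other configuration on the interface. Therefore, bind the interface to the VPN instance first, and then perform the other configuration.
(1) Configure SPE1
# Configure basic MPLS and MPLS LDP capabilities to establish LDP LSPs.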
<SPE1> system-view
[SPE1] interface loopback 0
[SPE1-LoopBack0] ip address 2.2.2.9 32
[SPE1-LoopBack0] quit
[SPE1] mpls lsr-id 2.2.2.9
[SPE1] mpls ldp
[SPE1-ldp] quit
[SPE1] interface vlan-interface 11
[SPE1-Vlan-interface11] ip address 172.1.1.2 24
[SPE1-Vlan-interface11] mpls enable
[SPE1-Vlan-interface11] quit
[SPE1] interface vlan-interface 12
[SPE1-Vlan-interface12] ip address 180.1.1.1 24
[SPE1-Vlan-interface12] mpls enable
[SPE1-Vlan-interface12] mpls ldp enable
[SPE1-Vlan-interface12] quit
# Configure OSPF as the IGP.
[SPE1] ospf
[SPE1-ospf-1] area 0
[SPE1-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[SPE1-ospf-1-area-0.0.0.0] network 180.1.1.0 0.0.0.255
[SPE1-ospf-1-area-0.0.0.0] quit
[SPE1-ospf-1] quit
(2) Configure SPE2
# Configure basic MPLS and MPLS LDP capabilities to establish LDP LSPs.
<SPE2> system-view
[SPE2] interface loopback 0
[SPE2-LoopBack0] ip address 3.3.3.9 32
[SPE2-LoopBack0] quit
[SPE2] mpls lsr-id 3.3.3.9
[SPE2] mpls ldp
[SPE2-ldp] quit
[SPE2] interface vlan-interface 12
[SPE2-Vlan-interface12] ip address 180.1.1.2 24
[SPE2-Vlan-interface12] mpls enable
[SPE2-Vlan-interface12] mpls ldp enable
[SPE2-Vlan-interface12] quit
[SPE2] interface vlan-interface 11
[SPE2-Vlan-interface11] ip address 172.2.1.2 24
[SPE2-Vlan-interface11] mpls enable
[SPE2-Vlan-interface11] quit
# Configure OSPF as the IGP.
[SPE2] ospf
[SPE2-ospf-1] area 0
[SPE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0
[SPE2-ospf-1-area-0.0.0.0] network 180.1.1.0 0.0.0.255
[SPE2-ospf-1-area-0.0.0.0] quit
[SPE2-ospf-1] quit
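After the configuration is complete, run display mpls ldp peer on the SPE devices to verify that the LDP session is established and in the Operational state, and run display ospf peer to verify that the OSPF neighbor relationship is established and in the FULL state.
# Configure SPE 1 to establish an MP-IBGP peer relationship with SPE 2 and exchange VPNv4 routes.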
[SPE1] bgp 100
[SPE1-bgp-default] peer 3.3.3.9 as-number 100
[SPE1-bgp-default] peer 3.3.3.9 connect-interface loopback 0
[SPE1-bgp-default] address-family vpnv4
[SPE1-bgp-default-vpnv4] peer 3.3.3.9 enable
[SPE1-bgp-default-vpnv4] quit
[SPE1-bgp-default] quit
# Configure SPE 2 to establish an MP-IBGP peer relationship with SPE 1 and exchange VPNv4 routes.
[SPE2] bgp 100
[SPE2-bgp-default] peer 2.2.2.9 as-number 100
[SPE2-bgp-default] peer 2.2.2.9 connect-interface loopback 0
[SPE2-bgp-default] address-family vpnv4
[SPE2-bgp-default-vpnv4] peer 2.2.2.9 enable
[SPE2-bgp-default-vpnv4] quit
[SPE2-bgp-default] quit
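After the configuration is complete, run display bgp peer vpnv4 on SPE1 and SPE2 to verify that the BGP peer relationship is established and in the Established state.
(1) Configure UPE1
# Configure basic MPLS capabilities.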
<UPE1> system-view
[UPE1] interface loopback 0
[UPE1-LoopBack0] ip address 1.1.1.9 32
[UPE1-LoopBack0] quit
[UPE1] mpls lsr-id 1.1.1.9
[UPE1] interface vlan-interface 11
[UPE1-Vlan-interface11] ip address 172.1.1.1 24
[UPE1-Vlan-interface11] mpls enable
[UPE1-Vlan-interface11] quit
(2) Configure UPE2
# Configure basic MPLS capabilities.
<UPE2> system-view
[UPE2] interface loopback 0
[UPE2-Loopback0] ip address 4.4.4.9 32
[UPE2-Loopback0] quit
[UPE2] mpls lsr-id 4.4.4.9
[UPE2] interface vlan-interface 11
[UPE2-Vlan-interface11] ip address 172.2.1.1 24
[UPE2-Vlan-interface11] mpls enable
[UPE2-Vlan-interface11] quit
(1) Configure SPE1
[SPE1] bgp 100
[SPE1-bgp-default] peer 172.1.1.1 as-number 200
[SPE1-bgp-default] address-family ipv4
[SPE1-bgp-default-ipv4] peer 172.1.1.1 enable
[SPE1-bgp-default-ipv4] peer 172.1.1.1 label-route-capability
[SPE1-bgp-default-ipv4] peer 172.1.1.1 route-policy policy1 export
[SPE1-bgp-default-ipv4] network 2.2.2.9 255.255.255.255
[SPE1-bgp-default-ipv4] quit
[SPE1-bgp-default] quit
# Configure a routing policy to assign labels to routes.
[SPE1] route-policy policy1 permit node 0
[SPE1-route-policy-policy1-0] apply mpls-label
[SPE1-route-policy-policy1-0] quit
(2) Configure UPE1
[UPE1] bgp 200
[UPE1-bgp-default] peer 172.1.1.2 as-number 100
[UPE1-bgp-default] address-family ipv4
[UPE1-bgp-default-ipv4] peer 172.1.1.2 enable
[UPE1-bgp-default-ipv4] peer 172.1.1.2 label-route-capability
[UPE1-bgp-default-ipv4] peer 172.1.1.2 route-policy policy1 export
[UPE1-bgp-default-ipv4] network 1.1.1.9 255.255.255.255
[UPE1-bgp-default-ipv4] quit
[UPE1-bgp-default] quit
# Configure a routing policy to assign labels to routes.
[UPE1] route-policy policy1 permit node 0
[UPE1-route-policy-policy1-0] apply mpls-label
[UPE1-route-policy-policy1-0] quit
(3) Configure SPE2
[SPE2] bgp 100
[SPE2-bgp-default] peer 172.2.1.1 as-number 200
[SPE2-bgp-default] address-family ipv4
[SPE2-bgp-default-ipv4] peer 172.2.1.1 enable
[SPE2-bgp-default-ipv4] peer 172.2.1.1 label-route-capability
[SPE2-bgp-default-ipv4] peer 172.2.1.1 route-policy policy1 export
[SPE2-bgp-default-ipv4] network 3.3.3.9 255.255.255.255
[SPE2-bgp-default-ipv4] quit
[SPE2-bgp-default] quit
[SPE2] route-policy policy1 permit node 0
[SPE2-route-policy-policy1-0] apply mpls-label
[SPE2-route-policy-policy1-0] quit
(4) Configure UPE2
[UPE2] bgp 200
[UPE2-bgp-default] peer 172.2.1.2 as-number 100
[UPE2-bgp-default] address-family ipv4
[UPE2-bgp-default-ipv4] peer 172.2.1.2 enable
[UPE2-bgp-default-ipv4] peer 172.2.1.2 label-route-capability
[UPE2-bgp-default-ipv4] peer 172.2.1.2 route-policy policy1 export
[UPE2-bgp-default-ipv4] network 4.4.4.9 255.255.255.255
[UPE2-bgp-default-ipv4] quit
[UPE2-bgp-default] quit
# Configure a routing policy to assign labels to routes.
[UPE2] route-policy policy1 permit node 0
[UPE2-route-policy-policy1-0] apply mpls-label
[UPE2-route-policy-policy1-0] quit
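After the configuration is complete, run display mpls lsp on each device to verify that BGP LSPs have been established between the SPEs and the UPEs.
(1) Configure UPE1
# Configure UPE 1 to establish an MP-EBGP peer relationship with SPE 1.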
[UPE1] bgp 200
[UPE1-bgp-default] peer 2.2.2.9 as-number 100
[UPE1-bgp-default] peer 2.2.2.9 connect-interface loopback 0
[UPE1-bgp-default] address-family vpnv4
[UPE1-bgp-default-vpnv4] peer 2.2.2.9 enable
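# Configure UPE1 to accept routes whose AS_PATH attribute already contains the local AS number, so that it can receive the routes of UPE2, which is in the same AS.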
[UPE1-bgp-default-vpnv4] peer 2.2.2.9 allow-as-loop
[UPE1-bgp-default-vpnv4] quit
(2) Configure SPE1
# Configure VPN instance vpn1.
[SPE1] ip vpn-instance vpn1
[SPE1-vpn-instance-vpn1] route-distinguisher 100:1
[SPE1-vpn-instance-vpn1] vpn-target 100:1 both
[SPE1-vpn-instance-vpn1] quit
# Configure SPE 1 to establish an MP-EBGP peer relationship with UPE 1, specify UPE 1 as a UPE, and import VPN routes.
[SPE1] bgp 100
[SPE1-bgp-default] peer 1.1.1.9 as-number 200
[SPE1-bgp-default] peer 1.1.1.9 connect-interface loopback 0
[SPE1-bgp-default] address-family vpnv4
[SPE1-bgp-default-vpnv4] peer 1.1.1.9 enable
[SPE1-bgp-default-vpnv4] peer 1.1.1.9 upe
[SPE1-bgp-default-vpnv4] quit
[SPE1-bgp-default] ip vpn-instance vpn1
[SPE1-bgp-default-vpn1] quit
[SPE1-bgp-default] quit
(3) Configure UPE2
# Configure UPE 2 to establish an MP-EBGP peer relationship with SPE 2.
[UPE2] bgp 200
[UPE2-bgp-default] peer 3.3.3.9 as-number 100
[UPE2-bgp-default] peer 3.3.3.9 connect-interface loopback 0
[UPE2-bgp-default] address-family vpnv4
[UPE2-bgp-default-vpnv4] peer 3.3.3.9 enable
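# Configure UPE2 to accept routes whose AS_PATH attribute already contains the local AS number, so that it can receive the routes of UPE1, which is in the same AS.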
[UPE2-bgp-default-vpnv4] peer 3.3.3.9 allow-as-loop
[UPE2-bgp-default-vpnv4] quit
(4) Configure SPE2
# Configure VPN instance vpn1.
[SPE2] ip vpn-instance vpn1
[SPE2-vpn-instance-vpn1] route-distinguisher 100:1
[SPE2-vpn-instance-vpn1] vpn-target 100:1 both
[SPE2-vpn-instance-vpn1] quit
# Configure SPE 2 to establish an MP-EBGP peer relationship with UPE 2, specify UPE 2 as a UPE, and import VPN routes.
[SPE2] bgp 100
[SPE2-bgp-default] peer 4.4.4.9 as-number 200
[SPE2-bgp-default] peer 4.4.4.9 connect-interface loopback 0
[SPE2-bgp-default] address-family vpnv4
[SPE2-bgp-default-vpnv4] peer 4.4.4.9 enable
[SPE2-bgp-default-vpnv4] peer 4.4.4.9 upe
[SPE2-bgp-default-vpnv4] quit
[SPE2-bgp-default] ip vpn-instance vpn1
[SPE2-bgp-default-vpn1] quit
[SPE2-bgp-default] quit
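After the configuration is complete, run display bgp peer vpnv4 on the SPE and UPE devices to verify that the BGP peer relationships between them are established and in the Established state.
(1) Configure UPE1
# Configure VPN instance vpn1 and connect CE 1 to UPE 1.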
[UPE1] ip vpn-instance vpn1
[UPE1-vpn-instance-vpn1] route-distinguisher 100:1
[UPE1-vpn-instance-vpn1] vpn-target 100:1 both
[UPE1-vpn-instance-vpn1] quit
[UPE1] interface vlan-interface 12
[UPE1-Vlan-interface12] ip binding vpn-instance vpn1
[UPE1-Vlan-interface12] ip address 10.1.1.2 24
[UPE1-Vlan-interface12] quit
# Configure UPE 1 to establish an EBGP peer relationship with CE 1 and import VPN routes.
[UPE1] bgp 200
[UPE1-bgp-default] ip vpn-instance vpn1
[UPE1-bgp-default-vpn1] peer 10.1.1.1 as-number 65410
[UPE1-bgp-default-vpn1] address-family ipv4 unicast
[UPE1-bgp-default-ipv4-vpn1] peer 10.1.1.1 enable
[UPE1-bgp-default-ipv4-vpn1] import-route direct
[UPE1-bgp-default-ipv4-vpn1] quit
[UPE1-bgp-default-vpn1] quit
(2) Configure CE1
# Configure CE1 to establish an EBGP peer relationship with UPE1 and import direct routes.
<CE1> system-view
[CE1] interface vlan-interface 12
[CE1-Vlan-interface12] ip address 10.1.1.1 255.255.255.0
[CE1-Vlan-interface12] quit
[CE1] bgp 65410
[CE1-bgp-default] peer 10.1.1.2 as-number 200
[CE1-bgp-default] address-family ipv4 unicast
[CE1-bgp-default-ipv4] peer 10.1.1.2 enable
[CE1-bgp-default-ipv4] import-route direct
[CE1-bgp-default-ipv4] quit
[CE1-bgp-default] quit
(3) Configure UPE2
# Configure VPN instance vpn1 and connect CE 2 to UPE 2.
[UPE2] ip vpn-instance vpn1
[UPE2-vpn-instance-vpn1] route-distinguisher 100:1
[UPE2-vpn-instance-vpn1] vpn-target 100:1 both
[UPE2-vpn-instance-vpn1] quit
[UPE2] interface vlan-interface 12
[UPE2-Vlan-interface12] ip binding vpn-instance vpn1
[UPE2-Vlan-interface12] ip address 10.2.1.2 24
[UPE2-Vlan-interface12] quit
# Configure UPE 2 to establish an EBGP peer relationship with CE 2 and import VPN routes.
[UPE2] bgp 200
[UPE2-bgp-default] ip vpn-instance vpn1
[UPE2-bgp-default-vpn1] peer 10.2.1.1 as-number 65420
[UPE2-bgp-default-vpn1] address-family ipv4 unicast
[UPE2-bgp-default-ipv4-vpn1] peer 10.2.1.1 enable
[UPE2-bgp-default-ipv4-vpn1] import-route direct
[UPE2-bgp-default-ipv4-vpn1] quit
[UPE2-bgp-default-vpn1] quit
(4) Configure CE2
# Configure CE2 to establish an EBGP peer relationship with UPE2 and import direct routes.
<CE2> system-view
[CE2] interface vlan-interface 12
[CE2-Vlan-interface12] ip address 10.2.1.1 255.255.255.0
[CE2-Vlan-interface12] quit
[CE2] bgp 65420
[CE2-bgp-default] peer 10.2.1.2 as-number 200
[CE2-bgp-default] address-family ipv4 unicast
[CE2-bgp-default-ipv4] peer 10.2.1.2 enable
[CE2-bgp-default-ipv4] import-route direct
[CE2-bgp-default-ipv4] quit
[CE2-bgp-default] quit
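After the configuration is complete, run display bgp peer ipv4 on the UPE and CE devices to verify that the BGP peer relationships between them are established and in the Established state.
(1) Configure SPE1
# Configure SPE 1 to send UPE 1 the routes that pass the routing policy, permitting the routes of CE 2 to be sent to UPE 1.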
[SPE1] ip prefix-list list1 index 10 permit 172.16.3.0 24
[SPE1] route-policy policy2 permit node 0
[SPE1-route-policy-policy2-0] if-match ip address prefix-list list1
[SPE1-route-policy-policy2-0] quit
[SPE1] bgp 100
[SPE1-bgp-default] address-family vpnv4
[SPE1-bgp-default-vpnv4] peer 1.1.1.9 upe route-policy policy2 export
(2) Configure SPE2
# Configure SPE 2 to send UPE 2 the routes that pass the routing policy, permitting CE 1's private route 172.16.1.0/24 to be sent to UPE 2.
[SPE2] ip prefix-list list1 index 10 permit 172.16.1.0 24
[SPE2] route-policy policy2 permit node 0
[SPE2-route-policy-policy2-0] if-match ip address prefix-list list1
[SPE2-route-policy-policy2-0] quit
[SPE2] bgp 100
[SPE2-bgp-default] address-family vpnv4
[SPE2-bgp-default-vpnv4] peer 4.4.4.9 upe route-policy policy2 export
After the configuration is complete, CE1 has learned the network 172.16.3.0/24 attached to CE2, as shown below:
[CE1] display ip routing-table
Destinations : 25 Routes : 25
Destination/Mask Proto Pre Cost NextHop Interface
172.16.1.0/24 Direct 0 0 172.16.1.1 VLAN10
172.16.1.0/32 Direct 0 0 172.16.1.1 VLAN10
172.16.1.1/32 Direct 0 0 127.0.0.1 InLoop0
172.16.1.255/32 Direct 0 0 172.16.1.1 VLAN10
172.16.2.0/24 Direct 0 0 172.16.2.1 VLAN20
172.16.2.0/32 Direct 0 0 172.16.2.1 VLAN20
172.16.2.1/32 Direct 0 0 127.0.0.1 InLoop0
172.16.2.255/32 Direct 0 0 172.16.2.1 VLAN20
172.16.3.0/24 BGP 255 0 10.1.1.2 VLAN12
CE2 has learned CE1's attached network 172.16.1.0/24 but has not learned CE1's attached network 172.16.2.0/24, as shown below:
[CE2] display ip routing-table
Destinations : 21 Routes : 21
Destination/Mask Proto Pre Cost NextHop Interface
172.16.1.0/24 BGP 255 0 10.2.1.2 VLAN13
172.16.3.0/24 Direct 0 0 172.16.3.1 VLAN30
172.16.3.0/32 Direct 0 0 172.16.3.1 VLAN30
172.16.3.1/32 Direct 0 0 127.0.0.1 InLoop0
172.16.3.255/32 Direct 0 0 172.16.3.1 VLAN30
VLAN 10 on CE1 (172.16.1.0/24) can communicate with VLAN 30 on CE2 (172.16.3.0/24). VLAN 20 on CE1 (172.16.2.0/24) cannot communicate with VLAN 30 on CE2 (172.16.3.0/24).
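The export filtering that produces this result can be reasoned about before it is applied to an SPE. The following Python script is an added example, not part of the original document or of any vendor tool: it evaluates ip prefix-list entries in the syntax used above (including the optional greater-equal and less-equal keywords, which this page does not use) against a set of VPN routes, modelling policy2 as a single permit node whose only condition is the prefix list. The route lists and the LOOSE_POLICY and FIXED_POLICY entries are constructed for illustration from this example's addressing.

```python
import ipaddress

# Prefix-list lines as configured on SPE 2 and SPE 1 in the steps above.
SPE2_POLICY = ["ip prefix-list list1 index 10 permit 172.16.1.0 24"]
SPE1_POLICY = ["ip prefix-list list1 index 10 permit 172.16.3.0 24"]

# Constructed: an over-broad entry that also covers VLAN 20, and a repaired
# list that denies VLAN 20 before the broad permit.
LOOSE_POLICY = ["ip prefix-list list1 index 10 permit 172.16.0.0 16 less-equal 24"]
FIXED_POLICY = ["ip prefix-list list1 index 5 deny 172.16.2.0 24"] + LOOSE_POLICY

# Constructed: vpn1 routes originating at each site (CE direct routes).
CE1_SITE_ROUTES = ["10.1.1.0/24", "172.16.1.0/24", "172.16.2.0/24"]
CE2_SITE_ROUTES = ["10.2.1.0/24", "172.16.3.0/24"]


def parse_prefix_list(lines, name):
    """Parse 'ip prefix-list NAME [index N] {permit|deny} ADDR LEN
    [greater-equal MIN] [less-equal MAX]' lines into ordered entries."""
    items, last_index = [], 0
    for line in lines:
        tok = line.split()
        if tok[:2] != ["ip", "prefix-list"] or tok[2] != name:
            continue
        rest = tok[3:]
        if rest[0] == "index":
            index, rest = int(rest[1]), rest[2:]
        else:
            index = last_index + 10   # assumption: unnumbered items follow the previous one
        last_index = index
        action, addr, length = rest[0], rest[1], int(rest[2])
        opts = dict(zip(rest[3::2], (int(v) for v in rest[4::2])))
        ge, le = opts.get("greater-equal"), opts.get("less-equal")
        # Without keywords the mask length must match exactly.
        lo = ge if ge is not None else length
        hi = le if le is not None else (32 if ge is not None else length)
        items.append({
            "index": index,
            "action": action,
            "net": ipaddress.ip_network(f"{addr}/{length}", strict=False),
            "lo": lo,
            "hi": hi,
        })
    return sorted(items, key=lambda i: i["index"])


def permits(items, route):
    """First matching entry decides; a route that matches nothing is denied."""
    net = ipaddress.ip_network(route)
    for item in items:
        if net.subnet_of(item["net"]) and item["lo"] <= net.prefixlen <= item["hi"]:
            return item["action"] == "permit"
    return False


def advertised(routes, prefix_list_lines, name="list1"):
    """Routes an SPE would export to its UPE under a one-node permit policy
    whose if-match clause references the given prefix list."""
    items = parse_prefix_list(prefix_list_lines, name)
    return [r for r in routes if permits(items, r)]


if __name__ == "__main__":
    print("SPE2 -> UPE2:", advertised(CE1_SITE_ROUTES, SPE2_POLICY))
    print("SPE1 -> UPE1:", advertised(CE2_SITE_ROUTES, SPE1_POLICY))
    print("loose entry :", advertised(CE1_SITE_ROUTES, LOOSE_POLICY))
    print("deny first  :", advertised(CE1_SITE_ROUTES, FIXED_POLICY))
```

The constructed LOOSE_POLICY case shows how a broader permit entry would also export 172.16.2.0/24 and remove the VLAN 20 restriction, which is why the exact-length entries on this page matter.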
· CE1
#
vlan 10
#
vlan 12
#
vlan 20
#
interface Vlan-interface10
ip address 172.16.1.1 255.255.255.0
#
interface Vlan-interface12
ip address 10.1.1.1 255.255.255.0
#
interface Vlan-interface20
ip address 172.16.2.1 255.255.255.0
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
port access vlan 10
#
interface Ten-GigabitEthernet1/0/2
port link-mode bridge
port access vlan 20
#
interface Ten-GigabitEthernet1/0/3
port link-mode bridge
port access vlan 12
#
bgp 65410
peer 10.1.1.2 as-number 200
#
address-family ipv4 unicast
import-route direct
peer 10.1.1.2 enable
#
· CE2
#
vlan 13
#
vlan 30
#
interface Vlan-interface13
ip address 10.2.1.1 255.255.255.0
#
interface Vlan-interface30
ip address 172.16.3.1 255.255.255.0
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
port access vlan 30
#
interface Ten-GigabitEthernet1/0/2
port link-mode bridge
port access vlan 13
#
bgp 65420
peer 10.2.1.2 as-number 200
#
address-family ipv4 unicast
import-route direct
peer 10.2.1.2 enable
#
· UPE1
#
ip vpn-instance vpn1
route-distinguisher 100:1
vpn-target 100:1 import-extcommunity
vpn-target 100:1 export-extcommunity
#
mpls lsr-id 1.1.1.9
#
vlan 11 to 12
#
interface LoopBack0
ip address 1.1.1.9 255.255.255.255
#
interface Vlan-interface11
ip address 172.1.1.1 255.255.255.0
mpls enable
#
interface Vlan-interface12
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.0
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
port access vlan 11
#
interface Ten-GigabitEthernet1/0/2
port link-mode bridge
port access vlan 12
#
bgp 200
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack0
peer 172.1.1.2 as-number 100
#
address-family ipv4 unicast
import-route direct
network 1.1.1.9 255.255.255.255
network 172.1.1.0 255.255.255.0
peer 172.1.1.2 enable
peer 172.1.1.2 route-policy hope export
peer 172.1.1.2 label-route-capability
#
address-family vpnv4
peer 2.2.2.9 enable
peer 2.2.2.9 allow-as-loop 1
#
ip vpn-instance vpn1
peer 10.1.1.1 as-number 65410
#
address-family ipv4 unicast
import-route direct
peer 10.1.1.1 enable
#
route-policy hope permit node 0
apply mpls-label
#
· SPE1
#
ip vpn-instance vpn1
route-distinguisher 100:1
vpn-target 100:1 import-extcommunity
vpn-target 100:1 export-extcommunity
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 180.1.1.0 0.0.0.255
#
mpls lsr-id 2.2.2.9
#
vlan 11 to 12
#
mpls ldp
#
interface LoopBack0
ip address 2.2.2.9 255.255.255.255
#
interface Vlan-interface11
ip address 172.1.1.2 255.255.255.0
mpls enable
#
interface Vlan-interface12
ip address 180.1.1.1 255.255.255.0
mpls enable
mpls ldp enable
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
port access vlan 11
#
interface Ten-GigabitEthernet1/0/2
port link-mode bridge
port access vlan 12
#
bgp 100
peer 1.1.1.9 as-number 200
peer 1.1.1.9 connect-interface LoopBack0
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack0
peer 172.1.1.1 as-number 200
#
address-family ipv4 unicast
network 2.2.2.9 255.255.255.255
peer 172.1.1.1 enable
peer 172.1.1.1 route-policy policy1 export
peer 172.1.1.1 label-route-capability
#
address-family vpnv4
peer 1.1.1.9 enable
peer 1.1.1.9 upe
peer 1.1.1.9 upe route-policy policy2 export
peer 3.3.3.9 enable
#
ip vpn-instance vpn1
#
route-policy policy1 permit node 0
apply mpls-label
#
route-policy policy2 permit node 0
if-match ip address prefix-list list1
#
ip prefix-list list1 index 10 permit 172.16.3.0 24
#
· UPE2
#
ip vpn-instance vpn1
route-distinguisher 100:1
vpn-target 100:1 import-extcommunity
vpn-target 100:1 export-extcommunity
#
mpls lsr-id 4.4.4.9
#
vlan 11
#
vlan 13
#
interface LoopBack0
ip address 4.4.4.9 255.255.255.255
#
interface Vlan-interface11
ip address 172.2.1.1 255.255.255.0
mpls enable
#
interface Vlan-interface13
ip binding vpn-instance vpn1
ip address 10.2.1.2 255.255.255.0
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
port access vlan 11
#
interface Ten-GigabitEthernet1/0/2
port link-mode bridge
port access vlan 13
#
bgp 200
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack0
peer 172.2.1.2 as-number 100
#
address-family ipv4 unicast
network 4.4.4.9 255.255.255.255
peer 172.2.1.2 enable
peer 172.2.1.2 route-policy hope export
peer 172.2.1.2 label-route-capability
#
address-family vpnv4
peer 3.3.3.9 enable
peer 3.3.3.9 allow-as-loop 1
#
ip vpn-instance vpn1
peer 10.2.1.1 as-number 65420
#
address-family ipv4 unicast
import-route direct
peer 10.2.1.1 enable
#
route-policy hope permit node 0
apply mpls-label
#
· SPE2
#
ip vpn-instance vpn1
route-distinguisher 100:1
vpn-target 100:1 import-extcommunity
vpn-target 100:1 export-extcommunity
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 180.1.1.0 0.0.0.255
#
mpls lsr-id 3.3.3.9
#
vlan 11 to 12
#
mpls ldp
#
interface LoopBack0
ip address 3.3.3.9 255.255.255.255
#
interface Vlan-interface11
ip address 172.2.1.2 255.255.255.0
mpls enable
#
interface Vlan-interface12
ip address 180.1.1.2 255.255.255.0
mpls enable
mpls ldp enable
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
port access vlan 11
#
interface Ten-GigabitEthernet1/0/2
port link-mode bridge
port access vlan 12
#
bgp 100
router-id 3.3.3.9
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack0
peer 4.4.4.9 as-number 200
peer 4.4.4.9 connect-interface LoopBack0
peer 172.2.1.1 as-number 200
#
address-family ipv4 unicast
network 3.3.3.9 255.255.255.255
peer 172.2.1.1 enable
peer 172.2.1.1 route-policy policy1 export
peer 172.2.1.1 label-route-capability
#
address-family vpnv4
peer 2.2.2.9 enable
peer 4.4.4.9 enable
peer 4.4.4.9 upe
peer 4.4.4.9 upe route-policy policy2 export
#
ip vpn-instance vpn1
#
route-policy policy1 permit node 0
apply mpls-label
#
route-policy policy2 permit node 0
if-match ip address prefix-list list1
#
ip prefix-list list1 index 10 permit 172.16.1.0 24
#
Refer to the following manuals for the corresponding product and version:
· MPLS Configuration Guide
· MPLS Command Reference