- 拓扑设计
- 拓扑介绍
如图,上海分公司与山东分公司之间为保证业务可以互通,需要使用MPLS VPN技术进行连接。中间R3与R4之间运行IGP,使用IGP传递路由,因为网络需要经过联通与移动两个AS域,所以使用MPLS VPN OptionA方案来进行配置。
- 数据配置
R1配置
ip vpn-instance vpn1 ipv4-family route-distinguisher 1:1 vpn-target 1:3 export-extcommunity vpn-target 3:1 import-extcommunity # mpls lsr-id 1.1.1.1 mpls # mpls ldp isis 1 is-level level-2 cost-style wide network-entity 49.0000.0000.0001.00 # firewall zone Local priority 15 # interface GigabitEthernet0/0/0 ip binding vpn-instance vpn1 ip address 17.1.1.1 255.255.255.0 ospf enable 1 area 0.0.0.0 # interface GigabitEthernet0/0/1 ip address 12.1.1.1 255.255.255.0 isis enable 1 mpls mpls ldp # interface LoopBack0 ip address 1.1.1.1 255.255.255.255 isis enable 1 # bgp 100 peer 3.3.3.3 as-number 100 peer 3.3.3.3 connect-interface LoopBack0 # ipv4-family unicast undo synchronization peer 3.3.3.3 enable # ipv4-family vpnv4 policy vpn-target peer 3.3.3.3 enable # ipv4-family vpn-instance vpn1 import-route ospf 1 # ospf 1 vpn-instance vpn1 import-route bgp area 0.0.0.0 #
R2配置
mpls lsr-id 2.2.2.2 mpls # mpls ldp # # aaa authentication-scheme default authorization-scheme default accounting-scheme default domain default domain default_admin local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$ local-user admin service-type http # isis 1 is-level level-2 cost-style wide network-entity 49.0000.0000.0002.00 # firewall zone Local priority 15 # interface GigabitEthernet0/0/0 ip address 12.1.1.2 255.255.255.0 isis enable 1 mpls mpls ldp # interface GigabitEthernet0/0/1 ip address 23.1.1.2 255.255.255.0 isis enable 1 mpls mpls ldp # interface GigabitEthernet0/0/2 # interface NULL0 # interface LoopBack0 ip address 2.2.2.2 255.255.255.255 isis enable 1
R3配置
ip vpn-instance vpn1 ipv4-family route-distinguisher 3:3 vpn-target 3:1 export-extcommunity vpn-target 1:3 import-extcommunity # mpls lsr-id 3.3.3.3 mpls # mpls ldp # interface GigabitEthernet0/0/0 ip address 23.1.1.3 255.255.255.0 isis enable 1 mpls mpls ldp # interface GigabitEthernet0/0/1 ip binding vpn-instance vpn1 ip address 34.1.1.3 255.255.255.0 ospf enable 1 area 0.0.0.0 # interface LoopBack0 ip address 3.3.3.3 255.255.255.255 isis enable 1 # bgp 100 peer 1.1.1.1 as-number 100 peer 1.1.1.1 connect-interface LoopBack0 # ipv4-family unicast undo synchronization peer 1.1.1.1 enable # ipv4-family vpnv4 policy vpn-target peer 1.1.1.1 enable # ipv4-family vpn-instance vpn1 import-route ospf 1 # ospf 1 vpn-instance vpn1 import-route bgp dn-bit-check disable summary dn-bit-check disable ase dn-bit-check disable nssa area 0.0.0.0
R4配置
ip vpn-instance vpn1 ipv4-family route-distinguisher 4:4 vpn-target 4:6 export-extcommunity vpn-target 6:4 import-extcommunity # mpls lsr-id 4.4.4.4 mpls # mpls ldp # isis 1 is-level level-2 cost-style wide network-entity 50.0000.0000.0004.00 # interface GigabitEthernet0/0/0 ip binding vpn-instance vpn1 ip address 34.1.1.4 255.255.255.0 ospf enable 1 area 0.0.0.0 # interface GigabitEthernet0/0/1 ip address 45.1.1.4 255.255.255.0 isis enable 1 mpls mpls ldp # interface LoopBack0 ip address 4.4.4.4 255.255.255.255 isis enable 1 # bgp 200 peer 6.6.6.6 as-number 200 peer 6.6.6.6 connect-interface LoopBack0 # ipv4-family unicast undo synchronization peer 6.6.6.6 enable # ipv4-family vpnv4 policy vpn-target peer 6.6.6.6 enable # ipv4-family vpn-instance vpn1 import-route ospf 1 # ospf 1 vpn-instance vpn1 import-route bgp dn-bit-check disable summary dn-bit-check disable ase dn-bit-check disable nssa area 0.0.0.0
R5配置
mpls lsr-id 5.5.5.5 mpls # mpls ldp # isis 1 is-level level-2 cost-style wide network-entity 50.0000.0000.0005.00 # interface GigabitEthernet0/0/0 ip address 45.1.1.5 255.255.255.0 isis enable 1 mpls mpls ldp # interface GigabitEthernet0/0/1 ip address 56.1.1.5 255.255.255.0 isis enable 1 mpls mpls ldp # interface LoopBack0 ip address 5.5.5.5 255.255.255.255 isis enable 1
R6配置
ip vpn-instance vpn1 ipv4-family route-distinguisher 6:6 vpn-target 6:4 export-extcommunity vpn-target 4:6 import-extcommunity # mpls lsr-id 6.6.6.6 mpls # mpls ldp # isis 1 is-level level-2 cost-style wide network-entity 50.0000.0000.0006.00 # firewall zone Local priority 15 # interface GigabitEthernet0/0/0 ip address 56.1.1.6 255.255.255.0 isis enable 1 mpls mpls ldp # interface GigabitEthernet0/0/1 ip binding vpn-instance vpn1 ip address 68.1.1.6 255.255.255.0 ospf enable 1 area 0.0.0.0 # interface LoopBack0 ip address 6.6.6.6 255.255.255.255 isis enable 1 # bgp 200 peer 4.4.4.4 as-number 200 peer 4.4.4.4 connect-interface LoopBack0 # ipv4-family unicast undo synchronization peer 4.4.4.4 enable # ipv4-family vpnv4 policy vpn-target peer 4.4.4.4 enable # ipv4-family vpn-instance vpn1 import-route ospf 1 # ospf 1 vpn-instance vpn1 import-route bgp area 0.0.0.0
R7配置
interface GigabitEthernet0/0/0 ip address 68.1.1.8 255.255.255.0 ospf enable 1 area 0.0.0.0 # interface GigabitEthernet0/0/1 # interface GigabitEthernet0/0/2 # interface NULL0 # interface LoopBack0 ip address 8.8.8.8 255.255.255.255 ospf enable 1 area 0.0.0.0 # ospf 1 area 0.0.0.0
R8配置
interface GigabitEthernet0/0/0 ip address 68.1.1.8 255.255.255.0 ospf enable 1 area 0.0.0.0 # interface GigabitEthernet0/0/1 # interface GigabitEthernet0/0/2 # interface NULL0 # interface LoopBack0 ip address 8.8.8.8 255.255.255.255 ospf enable 1 area 0.0.0.0 # ospf 1 area 0.0.0.0
- 查看现象
由此可见,VPN可以正常转发数据包
- 注意事项
接收不到OSPF的时候,需要考虑是否是dn位的问题
- 转发平面
- R7的路由通过OSPF传递给R1,R1把路由通过MP-BGP传递给R3,此时R3上面有收方向实例,就会接收路由;R3会把R4当做CE设备,绑定到端口通过IGP协议传递给R4;R4收到路由后把路由变为VPNV4路由通过MP-BGP传递给R6,R6把路由交到实例里面传给R8设备。