Example: Configuring Inter-AS VPN Option C

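Summary: This article describes how to configure inter-AS BGP/MPLS IP VPN. The company headquarters (CE1) and branch (CE2) connect through two different carriers, AS10 and AS20 respectively, and both belong to vpn1. The configuration roadmap is: 1) configure an IGP so that the backbone devices can reach each other; 2) configure basic MPLS capabilities and LDP to establish LSPs; 3) configure VPN instances and bind interfaces; 4) establish EBGP peer relationships to exchange routes; 5) advertise labeled routes on the ASBR-PEs; 6) configure the MP-EBGP peer relationship. The procedure covers IP address configuration, MPLS backbone connectivity, VPN instance access and route verification, so that inter-AS communication works.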

Networking Requirements

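The company headquarters and branch are served by different carriers, and inter-AS BGP/MPLS IP VPN services must interwork between them. As shown in the figure, CE1 connects the headquarters and accesses the network through PE1 in AS10. CE2 connects the branch and accesses the network through PE2 in AS20. CE1 and CE2 both belong to vpn1.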

Configuration Roadmap

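  1. On the MPLS backbone in each AS, configure an IGP so that the ASBR-PE and the PE on that backbone can reach each other.
  2. On the MPLS backbone in each AS, configure basic MPLS capabilities and MPLS LDP to establish LDP LSPs.
  3. In each AS, configure a VPN instance on the PE connected to the CE, and bind the CE-facing interface to that VPN instance.
  4. In each AS, establish an EBGP peer relationship between the PE and the CE to exchange VPN routing information.
  5. Advertise the routes of the PE in each AS to the PE in the other AS: first, the local ASBR-PE advertises the routes of its in-AS PE to the peer ASBR-PE through BGP; the remote ASBR-PE then imports the BGP routes into its IGP, so the remote PE learns the route to the local PE through the IGP.
  6. Configure a routing policy on the ASBR-PEs: assign MPLS labels to the routes advertised to the peer ASBR-PE.
  7. Enable each ASBR-PE to exchange labeled IPv4 routes with the peer ASBR-PE.
  8. On the ASBR-PEs, configure LDP LSP establishment for labeled public-network BGP routes.
  9. Establish an MP-EBGP peer relationship between the PEs in different ASs. PEs in different ASs are usually not directly connected, so to establish an EBGP connection between them you must configure the maximum number of hops allowed between the PEs.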

Procedure

Configure IP Addresses

PE1

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sys PE1
[PE1]int g0/0/0
[PE1-GigabitEthernet0/0/0]ip add 10.1.1.1 24
May 12 2022 13:28:07-08:00 PE1 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP on the interface GigabitEthernet0/0/0 has entered the UP state.
[PE1-GigabitEthernet0/0/0]q
[PE1]int g0/0/1
[PE1-GigabitEthernet0/0/1]ip add 172.1.1.1 24
May 12 2022 13:29:56-08:00 PE1 %%01IFNET/4/LINK_STATE(l)[1]:The line protocol IP on the interface GigabitEthernet0/0/1 has entered the UP state.
[PE1-GigabitEthernet0/0/1]q
[PE1]int lo1
[PE1-LoopBack1]ip add 1.1.1.1 32
[PE1-LoopBack1]q
[PE1]

ASBR-PE1

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sys ASBR-PE1
[ASBR-PE1]int g0/0/1
[ASBR-PE1-GigabitEthernet0/0/1]ip add 172.1.1.2 24
[ASBR-PE1-GigabitEthernet0/0/1]
May 12 2022 13:32:23-08:00 ASBR-PE1 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP on the interface GigabitEthernet0/0/1 has entered the UP state.
[ASBR-PE1-GigabitEthernet0/0/1]q
[ASBR-PE1]int g0/0/0
[ASBR-PE1-GigabitEthernet0/0/0]ip add 192.1.1.2 24
May 12 2022 13:32:34-08:00 ASBR-PE1 %%01IFNET/4/LINK_STATE(l)[1]:The line protocol IP on the interface GigabitEthernet0/0/0 has entered the UP state.
[ASBR-PE1-GigabitEthernet0/0/0]q
[ASBR-PE1]int lo1
[ASBR-PE1-LoopBack1]ip add 2.2.2.2 32
[ASBR-PE1-LoopBack1]q
[ASBR-PE1]

ASBR-PE2

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sys ASBR-PE2
[ASBR-PE2]int g0/0/0
[ASBR-PE2-GigabitEthernet0/0/0]ip add 192.1.1.1 24
[ASBR-PE2-GigabitEthernet0/0/0]
May 12 2022 13:34:04-08:00 ASBR-PE2 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP on the interface GigabitEthernet0/0/0 has entered the UP state.
[ASBR-PE2-GigabitEthernet0/0/0]q
[ASBR-PE2]int  g0/0/1
[ASBR-PE2-GigabitEthernet0/0/1]ip add 162.1.1.2 24
May 12 2022 13:34:17-08:00 ASBR-PE2 %%01IFNET/4/LINK_STATE(l)[1]:The line protocol IP on the interface GigabitEthernet0/0/1 has entered the UP state.
[ASBR-PE2-GigabitEthernet0/0/1]q
[ASBR-PE2]int lo1
[ASBR-PE2-LoopBack1]ip add 3.3.3.3 32
[ASBR-PE2-LoopBack1]q
[ASBR-PE2]

PE2

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip add 10.2.1.1 24
May 12 2022 13:36:35-08:00 Huawei %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP on the interface GigabitEthernet0/0/0 has entered the UP state.
[Huawei-GigabitEthernet0/0/0]q
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip add 162.1.1.1 24
May 12 2022 13:36:55-08:00 Huawei %%01IFNET/4/LINK_STATE(l)[1]:The line protocol IP on the interface GigabitEthernet0/0/1 has entered the UP state.
[Huawei-GigabitEthernet0/0/1]q
[Huawei]int lo1
[Huawei-LoopBack1]ip add 4.4.4.4 32
[Huawei-LoopBack1]q
[Huawei]

CE1

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sys CE1
[CE1]int g0/0/0
[CE1-GigabitEthernet0/0/0]ip add 10.1.1.2 24
May 12 2022 13:37:53-08:00 CE1 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP on the interface GigabitEthernet0/0/0 has entered the UP state.
[CE1-GigabitEthernet0/0/0]q
[CE1]

CE2

<Huawei>sys 
Enter system view, return user view with Ctrl+Z.
[Huawei]sys CE2
[CE2]int g0/0/0
[CE2-GigabitEthernet0/0/0]ip add 10.2.1.2 24
May 12 2022 13:38:31-08:00 CE2 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP on the interface GigabitEthernet0/0/0 has entered the UP state.
[CE2-GigabitEthernet0/0/0]q
[CE2]

Configure Connectivity Between the ASBR-PE and PE on Each MPLS Backbone, and MPLS

PE1

[PE1]ospf 1
[PE1-ospf-1]area 0
[PE1-ospf-1-area-0.0.0.0]network 1.1.1.1 0.0.0.0
[PE1-ospf-1-area-0.0.0.0]network 172.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0]q
[PE1-ospf-1]q
[PE1]mpls lsr-id 1.1.1.1 
[PE1]mpls
Info: Mpls starting, please wait... OK!
[PE1-mpls]q
[PE1]mpls ldp
[PE1-mpls-ldp]q
[PE1]int g0/0/1
[PE1-GigabitEthernet0/0/1]mpls
[PE1-GigabitEthernet0/0/1]mpls ldp
[PE1-GigabitEthernet0/0/1]q
[PE1]

PE2

[Huawei]ospf
[Huawei-ospf-1]area 0
[Huawei-ospf-1-area-0.0.0.0]network 4.4.4.4 0.0.0.0
[Huawei-ospf-1-area-0.0.0.0]network 162.1.1.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.0]q
[Huawei-ospf-1]q
[Huawei]mpls lsr-id 4.4.4.4
[Huawei]mpls
Info: Mpls starting, please wait... OK!
[Huawei-mpls]q
[Huawei]mpls ldp
[Huawei-mpls-ldp]q
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]mpls 
[Huawei-GigabitEthernet0/0/1]mpls ldp
[Huawei-GigabitEthernet0/0/1]q

ASBR-PE1

[ASBR-PE1]ospf
[ASBR-PE1-ospf-1]area 0
[ASBR-PE1-ospf-1-area-0.0.0.0]network 2.2.2.2 0.0.0.0 
[ASBR-PE1-ospf-1-area-0.0.0.0]network 172.1.1.0 0.0.0.255
[ASBR-PE1-ospf-1-area-0.0.0.0]q
[ASBR-PE1-ospf-1]q
[ASBR-PE1]route-policy 1 permit node 1
Info: New Sequence of this List.
[ASBR-PE1-route-policy]apply mpls-label 
[ASBR-PE1-route-policy]q
[ASBR-PE1]bgp 100
[ASBR-PE1-bgp]peer 192.1.1.1 as-number 200
[ASBR-PE1-bgp]peer 192.1.1.1 route-policy 1 export 
[ASBR-PE1-bgp]peer 192.1.1.1 label-route-capability 
[ASBR-PE1-bgp]ipv4-family unicast 
[ASBR-PE1-bgp-af-ipv4]network 1.1.1.1 32
[ASBR-PE1-bgp-af-ipv4]q
[ASBR-PE1-bgp]q
[ASBR-PE1]ospf
[ASBR-PE1-ospf-1]import-route bgp 
[ASBR-PE1-ospf-1]q
[ASBR-PE1]mpls lsr-id 2.2.2.2
[ASBR-PE1]mpls
Info: Mpls starting, please wait... OK!
[ASBR-PE1-mpls]lsp-trigger bgp-label-route
[ASBR-PE1-mpls]q
[ASBR-PE1]mpls ldp
[ASBR-PE1-mpls-ldp]q
[ASBR-PE1]int g0/0/0
[ASBR-PE1-GigabitEthernet0/0/0]mpls
[ASBR-PE1-GigabitEthernet0/0/0]q
[ASBR-PE1]int g0/0/1
[ASBR-PE1-GigabitEthernet0/0/1]mpls 
[ASBR-PE1-GigabitEthernet0/0/1]mpls ldp
[ASBR-PE1-GigabitEthernet0/0/1]q
[ASBR-PE1]

ASBR-PE2

[ASBR-PE2]ospf
[ASBR-PE2-ospf-1]area 0
[ASBR-PE2-ospf-1-area-0.0.0.0]network 3.3.3.3 0.0.0.0 
[ASBR-PE2-ospf-1-area-0.0.0.0]network 162.1.1.0 0.0.0.255
[ASBR-PE2-ospf-1-area-0.0.0.0]q
[ASBR-PE2-ospf-1]q
[ASBR-PE2]route-policy 1 permit node 1
Info: New Sequence of this List.
[ASBR-PE2-route-policy]apply mpls-label 
[ASBR-PE2-route-policy]q
[ASBR-PE2]bgp 200
[ASBR-PE2-bgp]peer 192.1.1.2 as-number 100
[ASBR-PE2-bgp]peer 192.1.1.2 route-policy 1 export 
[ASBR-PE2-bgp]peer 192.1.1.2 label-route-capability
[ASBR-PE2-bgp]ipv4-family unicast
[ASBR-PE2-bgp-af-ipv4]network 4.4.4.4 32
[ASBR-PE2-bgp-af-ipv4]q
[ASBR-PE2-bgp]q
[ASBR-PE2]ospf 
[ASBR-PE2-ospf-1]import-route bgp 
[ASBR-PE2-ospf-1]q
[ASBR-PE2]mpls lsr-id 3.3.3.3
[ASBR-PE2]mpls 
Info: Mpls starting, please wait... OK!
[ASBR-PE2-mpls]lsp-trigger bgp-label-route
[ASBR-PE2-mpls]q
[ASBR-PE2]mpls ldp
[ASBR-PE2-mpls-ldp]q
[ASBR-PE2]int g0/0/0
[ASBR-PE2-GigabitEthernet0/0/0]mpls
[ASBR-PE2-GigabitEthernet0/0/0]q
[ASBR-PE2]int g0/0/1
[ASBR-PE2-GigabitEthernet0/0/1]mpls 
[ASBR-PE2-GigabitEthernet0/0/1]mpls ldp
[ASBR-PE2-GigabitEthernet0/0/1]q

Configure VPN Instances on the PEs and Connect the CEs

PE1

[PE1]ip vpn-instance vpn1
[PE1-vpn-instance-vpn1]ipv4-family 
[PE1-vpn-instance-vpn1-af-ipv4]route-distinguisher 100:1
[PE1-vpn-instance-vpn1-af-ipv4]vpn-target 1:1 export-extcommunity 
 EVT Assignment result: 
Info: VPN-Target assignment is successful.
[PE1-vpn-instance-vpn1-af-ipv4]vpn-target 1:1 import-extcommunity 
 IVT Assignment result: 
Info: VPN-Target assignment is successful.
[PE1-vpn-instance-vpn1-af-ipv4]q
[PE1-vpn-instance-vpn1]q
[PE1]int g0/0/0
[PE1-GigabitEthernet0/0/0]ip binding vpn-instance vpn1
Info: All IPv4 related configurations on this interface are removed!
Info: All IPv6 related configurations on this interface are removed!
May 12 2022 14:05:00-08:00 PE1 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP on the interface GigabitEthernet0/0/0 has entered the DOWN state.
[PE1-GigabitEthernet0/0/0]ip add 10.1.1.1 24
May 12 2022 14:05:22-08:00 PE1 %%01IFNET/4/LINK_STATE(l)[1]:The line protocol IP on the interface GigabitEthernet0/0/0 has entered the UP state.
[PE1-GigabitEthernet0/0/0]q
[PE1]

PE2

[Huawei]ip vpn-instance vpn1
[Huawei-vpn-instance-vpn1]ipv4-family 
[Huawei-vpn-instance-vpn1-af-ipv4]route-distinguisher 100:1
[Huawei-vpn-instance-vpn1-af-ipv4]vpn-target 1:1 export-extcommunity
 EVT Assignment result: 
Info: VPN-Target assignment is successful.
[Huawei-vpn-instance-vpn1-af-ipv4]vpn-target 1:1 import-extcommunity
 IVT Assignment result: 
Info: VPN-Target assignment is successful.
[Huawei-vpn-instance-vpn1-af-ipv4]q
[Huawei-vpn-instance-vpn1]q
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip binding vpn-instance vpn1
May 12 2022 14:06:27-08:00 Huawei %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP on the interface GigabitEthernet0/0/0 has entered the DOWN state.
Info: All IPv4 related configurations on this interface are removed!
Info: All IPv6 related configurations on this interface are removed!
[Huawei-GigabitEthernet0/0/0]
[Huawei-GigabitEthernet0/0/0]ip add 10.2.1.1 24
[Huawei-GigabitEthernet0/0/0]q

Establish an MP-EBGP Peer Relationship Between PE1 and PE2 and EBGP Peer Relationships Between the PEs and CEs, and Import VPN Routes

CE1

[CE1]bgp 65001
[CE1-bgp]peer 10.1.1.1 as-number 100
[CE1-bgp]ipv4-family unicast 
[CE1-bgp-af-ipv4]import-route direct 
[CE1-bgp-af-ipv4]q
[CE1-bgp]

CE2

[CE2]bgp 65002
[CE2-bgp]peer 10.2.1.1 as-number 200
[CE2-bgp]ipv4-family unicast
[CE2-bgp-af-ipv4]import-route direct
[CE2-bgp-af-ipv4]q
[CE2-bgp]q
[CE2]

PE1

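By default, an EBGP connection can be established only over a directly connected physical link. The peer ebgp-max-hop command allows BGP to establish an EBGP connection with a peer on a network that is not directly connected, and can also specify the maximum number of hops allowed.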

[PE1]bgp 100
[PE1-bgp]peer 4.4.4.4 as-number 200
[PE1-bgp]peer 4.4.4.4 ebgp-max-hop 10
[PE1-bgp]peer 4.4.4.4 connect-interface lo1
[PE1-bgp]ipv4-family vpnv4
[PE1-bgp-af-vpnv4]peer 4.4.4.4 enable 
[PE1-bgp-af-vpnv4]q
[PE1-bgp]ipv4-family vpn-instance vpn1
[PE1-bgp-vpn1]peer  10.1.1.2 as-number 65001
[PE1-bgp-vpn1]import-route direct 
[PE1-bgp-vpn1]q
[PE1-bgp]q

PE2

[Huawei]bgp 200
[Huawei-bgp]peer 1.1.1.1 as-number 100
[Huawei-bgp]peer 1.1.1.1 ebgp-max-hop 10
[Huawei-bgp]peer 1.1.1.1 connect-interface lo1
[Huawei-bgp]ipv4-family vpnv4
[Huawei-bgp-af-vpnv4]peer 1.1.1.1 enable 
[Huawei-bgp-af-vpnv4]q
[Huawei-bgp]ipv4-family vpn-instance vpn1
[Huawei-bgp-vpn1]peer 10.2.1.2 as-number 65002
[Huawei-bgp-vpn1]import-route direct 
[Huawei-bgp-vpn1]q
[Huawei-bgp]q
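
The following lint is an added example, not part of the original article: it reads VRP session transcripts in the format shown above and reports which Option C prerequisites from the configuration roadmap are missing on an ASBR-PE or a PE. The rule tables, function names and sample transcripts are constructed for illustration; the commands they look for are the ones used on this page.

```python
import re

PROMPT = re.compile(r"^\[([^\]]+)\]\s*(\S.*?)\s*$")
# (what is checked, view the command must be entered in, command pattern)
ASBR_RULES = [
    ("route-policy assigns MPLS labels", r"-route-policy$", r"apply mpls-label"),
    ("policy applied on export to peer ASBR", r"-bgp$", r"peer {peer} route-policy \S+ export"),
    ("labeled IPv4 routes exchanged", r"-bgp$", r"peer {peer} label-route-capability"),
    ("local PE loopback advertised", r"-bgp-af-ipv4$", r"network {pe} 32"),
    ("BGP routes imported into the IGP", r"-ospf-\d+$", r"import-route bgp"),
    ("LDP LSP for labeled BGP routes", r"-mpls$", r"lsp-trigger bgp-label-route"),
]
PE_RULES = [
    ("remote PE defined as peer", r"-bgp$", r"peer {peer} as-number \d+"),
    ("EBGP over non-direct path allowed", r"-bgp$", r"peer {peer} ebgp-max-hop( \d+)?"),
    ("session sourced from an interface", r"-bgp$", r"peer {peer} connect-interface \S+"),
    ("peer enabled in VPNv4 family", r"-bgp-af-vpnv4$", r"peer {peer} enable"),
]

def parse(session):
    """(view, command) pairs from a VRP transcript; log, Info and bare-prompt lines are skipped."""
    return [m.groups() for m in map(PROMPT.match, session.splitlines()) if m]

def missing(session, rules, **addr):
    """Names of the rules that no command in the session satisfies."""
    cmds = parse(session)
    esc = {k: re.escape(v) for k, v in addr.items()}
    return [what for what, view, pat in rules
            if not any(re.search(view, v) and re.fullmatch(pat.format(**esc), c)
                       for v, c in cmds)]

# Constructed samples: ASBR-PE2 commands from this page; PE2 with ebgp-max-hop omitted.
ASBR_PE2 = """[ASBR-PE2-route-policy]apply mpls-label
[ASBR-PE2-bgp]peer 192.1.1.2 as-number 100
[ASBR-PE2-bgp]peer 192.1.1.2 route-policy 1 export
[ASBR-PE2-bgp]peer 192.1.1.2 label-route-capability
[ASBR-PE2-bgp-af-ipv4]network 4.4.4.4 32
[ASBR-PE2-ospf-1]import-route bgp
[ASBR-PE2-mpls]lsp-trigger bgp-label-route"""
PE2_BROKEN = """[Huawei-bgp]peer 1.1.1.1 as-number 100
[Huawei-bgp]peer 1.1.1.1 connect-interface lo1
[Huawei-bgp-af-vpnv4]peer 1.1.1.1 enable"""

def demo():
    return (missing(ASBR_PE2, ASBR_RULES, peer="192.1.1.2", pe="4.4.4.4"),
            missing(PE2_BROKEN, PE_RULES, peer="1.1.1.1"))

if __name__ == "__main__":
    print(demo())
```

An empty list means every rule was satisfied; the second sample reports the missing ebgp-max-hop command, without which the MP-EBGP session between the PE loopbacks cannot be established.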

Verify the Configuration

CE1

<CE1>display ip routing-table 
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 8        Routes : 8        
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
       10.1.1.0/24  Direct  0    0           D   10.1.1.2        GigabitEthernet0/0/0
       10.1.1.2/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/0
     10.1.1.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/0
       10.2.1.0/24  EBGP    255  0           D   10.1.1.1        GigabitEthernet0/0/0
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
127.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
<CE1>ping 10.2.1.2
  PING 10.2.1.2: 56  data bytes, press CTRL_C to break
    Reply from 10.2.1.2: bytes=56 Sequence=1 ttl=251 time=60 ms
    Reply from 10.2.1.2: bytes=56 Sequence=2 ttl=251 time=60 ms
    Reply from 10.2.1.2: bytes=56 Sequence=3 ttl=251 time=50 ms
    Reply from 10.2.1.2: bytes=56 Sequence=4 ttl=251 time=40 ms
    Reply from 10.2.1.2: bytes=56 Sequence=5 ttl=251 time=40 ms
  --- 10.2.1.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 40/50/60 ms