Inter-AS MPLS VPN Implementation Explained
The lab topology is as shown in the figure:
Basic configuration notes:
Every device has a Loopback0 address equal to its device number, e.g. R1 is 1.1.1.1/32;
Point-to-point link addresses follow the pattern 10.1.R1R2.R1; for example, R1's address on the R1-R2 link is 10.1.12.1;
AS100 runs OSPF process 100 and AS200 runs OSPF process 200, and the Loopback0 interfaces are advertised into OSPF;
Basic configuration:
Configure OSPF processes 100 and 200 in AS100 and AS200 respectively
Configure MPLS in AS100 and AS200
Run OSPF between the PE and CE routers and mutually redistribute it on the PE routers
Design approach:
PE routers PE1 and PE2 establish MP-iBGP neighbour relationships with RR routers RR1 and RR2 respectively, so that RR1 and RR2 learn the VPNv4 routes towards CE1 and CE2;
At that point, as long as the two RRs can exchange VPNv4 routes with each other, CE1 and CE2 can communicate;
So that RR1 and RR2 can learn each other's VPNv4 routes, configure an MP-eBGP neighbour relationship between RR1 and RR2 using their Loopback0 addresses;
So that the Loopback0 interfaces of RR1 and RR2 are reachable from each other, configure an ordinary eBGP neighbour relationship between ASBR1 and ASBR2 and advertise the Loopback0 routes of RR1 and RR2 into BGP processes 100 and 200, so that RR1 and RR2 learn each other's Loopback0 networks;
With the above configuration the MP-eBGP neighbour relationship comes up and each RR learns the other's VPNv4 routes:
Check the VPNv4 routes on R1 and R6:
R1#show ip bgp vpnv4 all
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 100:1 (default for vrf cisco)
*> 7.7.7.7/32 10.1.17.7 11 32768 ?
*> 10.1.17.0/24 0.0.0.0 0 32768 ?
Route Distinguisher: 100:6
* i8.8.8.8/32 5.5.5.5 0 100 0 200 ?
* i10.1.68.0/24 5.5.5.5 0 100 0 200 ?
R6#show ip bgp vpnv4 all
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 100:1
* i7.7.7.7/32 2.2.2.2 0 100 0 100 ?
* i10.1.17.0/24 2.2.2.2 0 100 0 100 ?
Route Distinguisher: 100:6 (default for vrf cisco)
*> 8.8.8.8/32 10.1.68.8 11 32768 ?
*> 10.1.68.0/24 0.0.0.0 0 32768 ?
The routes learned from the other AS are not best routes (no ">" mark), because their next hops 2.2.2.2 and 5.5.5.5 are unreachable: PE1 and PE2 have no ordinary BGP neighbour relationship with the RRs, and the RRs are not route reflectors for ordinary BGP either;
Because the BGP routes are not best, they cannot be redistributed into the OSPF running between the PE and CE, so R7 and R8 do not learn each other's routes:
R7#show ip route
7.0.0.0/32 is subnetted, 1 subnets
C 7.7.7.7 is directly connected, Loopback0
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.17.0 is directly connected, Ethernet0/0
R8#show ip route
8.0.0.0/32 is subnetted, 1 subnets
C 8.8.8.8 is directly connected, Loopback0
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.68.0 is directly connected, Ethernet0/0
To solve this, configure next-hop-self on each RR towards its PE router:
R2(config)#router bgp 100
R2(config-router)#address-family vpnv4
R2(config-router-af)#neighbor 1.1.1.1 next-hop-self
R2(config)#router bgp 100
R2(config-router)#address-family vpnv4
R2(config-router-af)#neighbor 1.1.1.1 next-hop-self
Then check the routing tables on R7 and R8:
R7#show ip route
7.0.0.0/32 is subnetted, 1 subnets
C 7.7.7.7 is directly connected, Loopback0
8.0.0.0/32 is subnetted, 1 subnets
O IA 8.8.8.8 [110/11] via 10.1.17.1, 00:02:00, Ethernet0/0
10.0.0.0/24 is subnetted, 2 subnets
C 10.1.17.0 is directly connected, Ethernet0/0
O IA 10.1.68.0 [110/11] via 10.1.17.1, 00:02:00, Ethernet0/0
R8#show ip route
7.0.0.0/32 is subnetted, 1 subnets
O IA 7.7.7.7 [110/11] via 10.1.68.6, 00:01:44, Ethernet0/0
8.0.0.0/32 is subnetted, 1 subnets
C 8.8.8.8 is directly connected, Loopback0
10.0.0.0/24 is subnetted, 2 subnets
O IA 10.1.17.0 [110/11] via 10.1.68.6, 00:01:44, Ethernet0/0
C 10.1.68.0 is directly connected, Ethernet0/0
R7 and R8 have now learned each other's routes; run a ping test:
R7#ping 8.8.8.8 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 7.7.7.7
.....
Success rate is 0 percent (0/5)
Although the routes have been learned, traffic does not get through.
Forwarding analysis:
1. When R7 pings 8.8.8.8 with source 7.7.7.7, the packet is sent to the next hop 10.1.17.1 and enters the VRF on PE1;
2. Once in PE1's VRF the packet must be label-forwarded; check the label for 8.8.8.8 on PE1:
R1#show ip bgp vpnv4 rd 100:6 labels
Network Next Hop In label/Out label
Route Distinguisher: 100:6
8.8.8.8/32 2.2.2.2 nolabel/205
10.1.68.0/24 2.2.2.2 nolabel/204
The outbound label for 8.8.8.8 is 205, so the IP packet is encapsulated with VPN label 205, and the route lookup gives a next hop of 2.2.2.2;
3. Label forwarding comes next; look up the label for 2.2.2.2:
R1# show mpls forwarding-table
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
100 Pop tag 2.2.2.2/32 0 Et0/1 10.1.12.2
101 201 3.3.3.3/32 0 Et0/1 10.1.12.2
102 Pop tag 10.1.23.0/24 0 Et0/1 10.1.12.2
103 Untagged 7.7.7.7/32[V] 1140 Et0/0 10.1.17.7
104 Aggregate 10.1.17.0/24[V] 0
Because the label for 2.2.2.2 is advertised by RR1 itself, it is implicit null, so PE1 sends the packet to RR1 carrying only VPN label 205. RR1 then label-switches on VPN label 205; RR1's labels are as follows:
R2#show ip bgp vpnv4 rd 100:6 labels
Network Next Hop In label/Out label
Route Distinguisher: 100:6
8.8.8.8/32 5.5.5.5 205/503
10.1.68.0/24 5.5.5.5 204/504
So the packet's VPN label is swapped to 503 and the packet must be forwarded via next hop 5.5.5.5; look up the label for 5.5.5.5:
R2#show mpls forwarding-table
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
200 Pop tag 1.1.1.1/32 0 Et0/1 10.1.12.1
201 Pop tag 3.3.3.3/32 0 Et0/0 10.1.23.3
202 103 100:1:7.7.7.7/32 1180 Et0/1 10.1.12.1
203 104 100:1:10.1.17.0/24 \
0 Et0/1 10.1.12.1
204 504 100:6:10.1.68.0/24 \
0 Et0/0 10.1.23.3
205 503 100:6:8.8.8.8/32 1770 Et0/0 10.1.23.3
LDP has not assigned a label for 5.5.5.5: 5.5.5.5 is a BGP route, and LDP does not assign labels to BGP routes, so the packet is dropped here!
The analysis shows that the PE imposed only a single VPN label, which cannot be right: within an AS, traffic should be switched on the labels distributed by LDP. So the next hop of the 8.8.8.8 route should remain 5.5.5.5 unchanged.
Remove the next-hop-self configured above.
To let LDP assign labels to the BGP routes 5.5.5.5 and 2.2.2.2, redistribute those BGP routes into OSPF 100 and 200 on ASBR1 and ASBR2:
R3(config)#router ospf 100
R3(config-router)#redistribute bgp 100 subnets
R4(config)#router ospf 200
R4(config-router)#redistribute bgp 200 subnets
Test again:
R7#ping 8.8.8.8 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 7.7.7.7
.....
Success rate is 0 percent (0/5)
Still no connectivity.
Forwarding analysis, second pass:
After R7 routes the IP packet (destination 8.8.8.8, source 7.7.7.7) to R1, R1 encapsulates it according to the following VPNv4 label table and LFIB:
R1#show ip bgp vpnv4 rd 100:6 labels
Network Next Hop In label/Out label
Route Distinguisher: 100:6
8.8.8.8/32 2.2.2.2 nolabel/205
10.1.68.0/24 2.2.2.2 nolabel/204
R1#show mpls forwarding-table
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
100 Pop tag 2.2.2.2/32 0 Et0/1 10.1.12.2
101 201 3.3.3.3/32 0 Et0/1 10.1.12.2
102 Pop tag 10.1.23.0/24 0 Et0/1 10.1.12.2
103 Untagged 7.7.7.7/32[V] 1140 Et0/0 10.1.17.7
104 Aggregate 10.1.17.0/24[V] 0
105 206 5.5.5.5/32 0 Et0/1 10.1.12.2
The packet is encapsulated with VPN label 205 at the bottom and IGP label 206 on top, then forwarded to RR1;
RR1 receives the packet and forwards it according to its LFIB, shown below:
R2#show mpls forwarding-table
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
200 Pop tag 1.1.1.1/32 0 Et0/1 10.1.12.1
201 Pop tag 3.3.3.3/32 0 Et0/0 10.1.23.3
202 103 100:1:7.7.7.7/32 1180 Et0/1 10.1.12.1
203 104 100:1:10.1.17.0/24 \
0 Et0/1 10.1.12.1
206 Untagged 5.5.5.5/32 0 Et0/0 10.1.23.3
Label 206 is switched to Untagged, so the packet still cannot be forwarded.
The cause is as follows:
ASBR1 and ASBR2 still cannot assign labels to the BGP routes 5.5.5.5 and 2.2.2.2 in their routing tables. This is where the BGP extension comes in: configure ordinary BGP to carry labels (send-label) on ASBR1 and ASBR2:
R3(config)#router bgp 100
R3(config-router)#neighbor 10.1.34.4 send-label
R4(config)#router bgp 200
R4(config-router)#neighbor 10.1.34.3 send-label
Now check RR1's label forwarding database again:
R2#show mpls forwarding-table
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
200 Pop tag 1.1.1.1/32 0 Et0/1 10.1.12.1
201 Pop tag 3.3.3.3/32 0 Et0/0 10.1.23.3
202 103 100:1:7.7.7.7/32 1180 Et0/1 10.1.12.1
203 104 100:1:10.1.17.0/24 \
0 Et0/1 10.1.12.1
204 304 100:6:10.1.68.0/24 \
0 Et0/0 10.1.23.3
205 304 100:6:8.8.8.8/32 1770 Et0/0 10.1.23.3
207 304 5.5.5.5/32 0 Et0/0 10.1.23.3
Connectivity test from R7:
R7#ping 8.8.8.8 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 7.7.7.7
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 120/141/156 ms
Traffic now gets through!
VPN label propagation analysis:
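As an added illustration (not part of the original write-up or any Cisco tool), the following Python model replays the three forwarding attempts analysed above against the LFIB rows shown on the page, applying the label rules the analysis relies on: implicit null ("Pop tag"), "Untagged", and a BGP next hop with no transport label. R1's final LFIB after send-label is not shown on the page, so the model assumes it holds 207, the local label R2's final table shows for 5.5.5.5.

```python
# Constructed model of the label decisions in the analysis above; not a Cisco tool.
# LFIB row: local label -> (outgoing label, prefix, BGP next hop or None).
POP, UNTAGGED = "Pop tag", "Untagged"

def igp_label(lfib, loopback):
    """Transport label this LSR holds for a /32 loopback; None when LDP has none."""
    return next((out for out, pfx, _ in lfib.values() if pfx == loopback), None)

def impose(vpn_label, bgp_nh, lfib):
    """PE imposition: VPN label from the VPNv4 table under a transport label for bgp_nh."""
    transport = igp_label(lfib, bgp_nh + "/32")
    if transport is None or transport == UNTAGGED:
        return None, f"no transport label for next hop {bgp_nh}"
    if transport == POP:                 # adjacent LSR advertised implicit null
        return [vpn_label], "VPN label only"
    return [transport, vpn_label], "IGP label over VPN label"

def switch(stack, lfib):
    """LSR lookup on the top label; (None, reason) means the packet is dropped."""
    if stack[0] not in lfib:
        return None, f"label {stack[0]} unknown"
    out, prefix, bgp_nh = lfib[stack[0]]
    if out == POP:
        return stack[1:], f"popped ({prefix})"
    if out == UNTAGGED:                  # stack stripped; a VPN label underneath is lost
        return (None, f"{prefix} Untagged, VPN label lost") if len(stack) > 1 else ([], "IP")
    rest = [out] + stack[1:]
    if bgp_nh:                           # VPN row: the swapped label must still reach bgp_nh
        transport = igp_label(lfib, bgp_nh + "/32")
        if transport is None or transport == UNTAGGED:
            return None, f"no label for BGP next hop {bgp_nh}"
        if transport != POP:
            rest = [transport] + rest
    return rest, f"swapped to {out}"

# Rows copied from the page's 'show mpls forwarding-table' output for each attempt.
R1_A = {100: (POP, "2.2.2.2/32", None), 101: (201, "3.3.3.3/32", None)}   # next-hop-self on RRs
R2_BASE = {200: (POP, "1.1.1.1/32", None), 201: (POP, "3.3.3.3/32", None)}
R2_A = {**R2_BASE, 205: (503, "100:6:8.8.8.8/32", "5.5.5.5")}
R1_B = {**R1_A, 105: (206, "5.5.5.5/32", None)}      # BGP loopbacks redistributed into OSPF
R2_B = {**R2_BASE, 206: (UNTAGGED, "5.5.5.5/32", None)}
# After send-label. R1's final LFIB is not shown on the page; assumed to hold 207,
# the local label R2's final table shows for 5.5.5.5.
R1_C = {**R1_A, 105: (207, "5.5.5.5/32", None)}
R2_C = {**R2_BASE, 207: (304, "5.5.5.5/32", None)}

def trace(vpn_label, bgp_nh, pe_lfib, rr_lfib):
    """Packet for 8.8.8.8: imposed on R1 (PE1), then switched by R2 (RR1)."""
    stack, why = impose(vpn_label, bgp_nh, pe_lfib)
    if stack is None:
        return None, "R1: " + why
    stack, why = switch(stack, rr_lfib)
    return stack, "R2: " + why
```

Calling trace(205, "2.2.2.2", R1_A, R2_A), trace(205, "5.5.5.5", R1_B, R2_B) and trace(503, "5.5.5.5", R1_C, R2_C) reproduces the three outcomes in order: dropped at RR1 for lack of a label towards 5.5.5.5, dropped because 206 is Untagged, and finally the stack [304, 503] leaving RR1 towards 10.1.23.3.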
R6#show ip bgp vpnv4 rd 100:6 labels
Network Next Hop In label/Out label
Route Distinguisher: 100:6 (cisco)
7.7.7.7/32 5.5.5.5 nolabel/502
8.8.8.8/32 10.1.68.8 604/nolabel
10.1.17.0/24 5.5.5.5 nolabel/505
10.1.68.0/24 0.0.0.0 605/aggregate(cisco)
R5#show ip bgp vpnv4 RD 100:6 LAbels
Network Next Hop In label/Out label
Route Distinguisher: 100:6
8.8.8.8/32 6.6.6.6 503/604
10.1.68.0/24 6.6.6.6 504/605
R2#SHOw IP BGp VPnv4 RD 100:6 LAbels
Network Next Hop In label/Out label
Route Distinguisher: 100:6
8.8.8.8/32 5.5.5.5 205/503
10.1.68.0/24 5.5.5.5 204/504
R1#SHOw IP BGp VPnv4 RD 100:6 LAbels
Network Next Hop In label/Out label
Route Distinguisher: 100:6
8.8.8.8/32 5.5.5.5 nolabel/503
10.1.68.0/24 5.5.5.5 nolabel/504
The above is the VPNv4 label distribution path; work through it yourself. Note that R1 and R2 both hold label 503 for route 8.8.8.8.
To be continued...