Huawei Inter-AS Virtual Private Network: Option C2 Solution

艺博东


2021-03-01 12:31


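Hello everyone! I'm 艺博东, a network engineer who started out on Cisco and now focuses on Huawei. Without further ado, let's get straight to the topic.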

Contents


    • 1. Topology without RR

    • 2. Basic configuration and testing without RR

    • 3. Topology with RR

    • 4. Configuration and analysis

    • 5. Characteristics




For special reasons, the letter "N" is replaced with the "#" symbol throughout (so "VP#" stands for "VPN").






1. Topology without RR





2. Basic configuration and testing without RR

2.1 Underlay configuration

AR1

[Huawei]sysname AR1
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]ip address 10.1.13.1 24
[AR1-GigabitEthernet0/0/0]int l0
[AR1-LoopBack0]ip address 1.1.1.1 32

AR2

[Huawei]sysname AR2
[AR2]int g0/0/0
[AR2-GigabitEthernet0/0/0]ip address 10.1.23.2 24
[AR2-GigabitEthernet0/0/0]int l0
[AR2-LoopBack0]ip address 2.2.2.2 32

AR3

[Huawei]sysname AR3
[AR3]int g0/0/0
[AR3-GigabitEthernet0/0/0]ip address 10.1.13.3 24
[AR3-GigabitEthernet0/0/0]int g0/0/1
[AR3-GigabitEthernet0/0/1]ip address 10.1.23.3 24
[AR3-GigabitEthernet0/0/1]int g0/0/2
[AR3-GigabitEthernet0/0/2]ip address 10.1.34.3 24
[AR3-GigabitEthernet0/0/2]int l0
[AR3-LoopBack0]ip address 3.3.3.3 32
[AR3-LoopBack0]q
[AR3]rip
[AR3-rip-1]v 2
[AR3-rip-1]network 10.0.0.0
[AR3-rip-1]network 3.0.0.0

AR4

[Huawei]sysname AR4
[AR4]int g0/0/0
[AR4-GigabitEthernet0/0/0]ip address 10.1.34.4 24
[AR4-GigabitEthernet0/0/0]int g0/0/1
[AR4-GigabitEthernet0/0/1]ip address 10.1.45.4 24
[AR4-GigabitEthernet0/0/1]int l0
[AR4-LoopBack0]ip address 4.4.4.4 32
[AR4-LoopBack0]q
[AR4]rip
[AR4-rip-1]v 2
[AR4-rip-1]network 10.0.0.0
[AR4-rip-1]network 4.0.0.0

AR5

[Huawei]sysname AR5
[AR5]int g0/0/0
[AR5-GigabitEthernet0/0/0]ip address 10.1.45.5 24
[AR5-GigabitEthernet0/0/0]int g0/0/1
[AR5-GigabitEthernet0/0/1]ip address 10.1.56.5 24
[AR5-GigabitEthernet0/0/1]int l0
[AR5-LoopBack0]ip address 5.5.5.5 32
[AR5-LoopBack0]q
[AR5]rip
[AR5-rip-1]v 2
[AR5-rip-1]undo summary
[AR5-rip-1]network 10.0.0.0
[AR5-rip-1]network 5.0.0.0
[AR5-rip-1]q
[AR5]int g0/0/1
[AR5-GigabitEthernet0/0/1]undo rip output
[AR5-GigabitEthernet0/0/1]undo rip input

The underlay configuration of AR6, AR7, AR8, AR9 and AR10 is similar.

2.2 MPLS LDP

AR3

[AR3]mpls lsr-id 3.3.3.3
[AR3]mpls
[AR3-mpls]mpls ldp
[AR3-mpls-ldp]int g0/0/2
[AR3-GigabitEthernet0/0/2]mpls
[AR3-GigabitEthernet0/0/2]mpls ldp

AR4

[AR4]mpls lsr-id 4.4.4.4
[AR4]mpls
[AR4-mpls]mpls ldp
[AR4-mpls-ldp]int g0/0/0
[AR4-GigabitEthernet0/0/0]mpls
[AR4-GigabitEthernet0/0/0]mpls ldp
[AR4-GigabitEthernet0/0/0]int g0/0/1
[AR4-GigabitEthernet0/0/1]mpls
[AR4-GigabitEthernet0/0/1]mpls ldp

AR5

[AR5]mpls lsr-id 5.5.5.5
[AR5]mpls
[AR5-mpls]mpls ldp
[AR5-mpls-ldp]int g0/0/0
[AR5-GigabitEthernet0/0/0]mpls
[AR5-GigabitEthernet0/0/0]mpls ldp
[AR5-GigabitEthernet0/0/0]int g0/0/1
[AR5-GigabitEthernet0/0/1]mpls

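2.4 Establish MP-IBGP between AR3 and AR5 and between AR6 and AR8; establish MP-EBGP between AR5 and AR6; establish an EBGP VP#v4 peer relationship between AR3 and AR8; and configure the label capability.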

AR3

[AR3]bgp 10
[AR3-bgp]peer 5.5.5.5 as-number 10
[AR3-bgp]peer 5.5.5.5 connect-interface LoopBack0
[AR3-bgp]peer 8.8.8.8 as-number 20
[AR3-bgp]peer 8.8.8.8 ebgp-max-hop 66
[AR3-bgp]peer 8.8.8.8 connect-interface LoopBack0
[AR3-bgp]ipv4-family vpnv4
[AR3-bgp-af-vpnv4]peer 8.8.8.8 enable

AR5

[AR5]route-policy asbr permit node 10
[AR5-route-policy]apply mpls-label
[AR5-route-policy]q
[AR5]bgp 10
[AR5-bgp]peer 3.3.3.3 as-number 10
[AR5-bgp]peer 3.3.3.3 connect-interface LoopBack0
[AR5-bgp]peer 10.1.56.6 as-number 20
[AR5-bgp]network 3.3.3.3 255.255.255.255
[AR5-bgp]peer 10.1.56.6 route-policy asbr export
[AR5-bgp]peer 10.1.56.6 label-route-capability
[AR5-bgp]q
[AR5]mpls
[AR5-mpls]lsp-trigger bgp-label-route //enables LDP to allocate labels for labelled public-network BGP routes
[AR5-mpls]quit
[AR5]rip
[AR5-rip-1]import-route bgp

AR6

[AR6]route-policy asbr permit node 10
[AR6-route-policy]apply mpls-label
[AR6-route-policy]q
[AR6]bgp 20
[AR6-bgp]peer 8.8.8.8 as-number 20
[AR6-bgp]peer 8.8.8.8 connect-interface LoopBack0
[AR6-bgp]peer 10.1.56.5 as-number 10
[AR6-bgp]network 8.8.8.8 255.255.255.255
[AR6-bgp]peer 10.1.56.5 route-policy asbr export
[AR6-bgp]peer 10.1.56.5 label-route-capability
[AR6-bgp]q
[AR6]mpls
[AR6-mpls]lsp-trigger bgp-label-route
[AR6-mpls]quit
[AR6]rip
[AR6-rip-1]import-route bgp

AR8

[AR8]bgp 20
[AR8-bgp]peer 3.3.3.3 as-number 10
[AR8-bgp]peer 3.3.3.3 ebgp-max-hop 66
[AR8-bgp]peer 3.3.3.3 connect-interface LoopBack0
[AR8-bgp]peer 6.6.6.6 as-number 20
[AR8-bgp]peer 6.6.6.6 connect-interface LoopBack0
[AR8-bgp]ipv4-family vpnv4
[AR8-bgp-af-vpnv4]peer 3.3.3.3 enable

2.5 Testing

[AR3]display bgp peer
[AR6]display bgp peer
[AR8]display mpls lsp

AR8 now has a label for AR3's 3.3.3.3.

[AR8]ping -a 8.8.8.8 3.3.3.3

2.6 MPLS VP# service access

With the public network configured, the next step is to configure company B and company D so that they can reach each other.

AR3

[AR3]ip vpn-instance ybd2
[AR3-vpn-instance-ybd2]route-distinguisher 10:1
[AR3-vpn-instance-ybd2-af-ipv4]vpn-target 10:1 both
[AR3-vpn-instance-ybd2-af-ipv4]int g0/0/1
[AR3-GigabitEthernet0/0/1]ip binding vpn-instance ybd2
[AR3-GigabitEthernet0/0/1]ip address 10.1.23.3 24
[AR3-GigabitEthernet0/0/1]bgp 10
[AR3-bgp]peer 10.1.23.2 as 1
[AR3-bgp]ipv4-family vpn-instance ybd2
[AR3-bgp-ybd2]peer 10.1.23.2 as 1
[AR3-bgp-ybd2]peer 10.1.23.2 substitute-as //disguise the AS number (AS substitution)

AR2

[AR2]bgp 1
[AR2-bgp]peer 10.1.23.3 as 10
[AR2-bgp]network 2.2.2.2 32

AR8

[AR8]ip vpn-instance ybd6
[AR8-vpn-instance-ybd6]route-distinguisher 10:1
[AR8-vpn-instance-ybd6-af-ipv4]vpn-target 10:1 both
[AR8-vpn-instance-ybd6-af-ipv4]int g0/0/2
[AR8-GigabitEthernet0/0/2]ip binding vpn-instance ybd6
[AR8-GigabitEthernet0/0/2]ip address 10.1.81.8 24
[AR8-GigabitEthernet0/0/2]bgp 20
[AR8-bgp]ipv4-family vpn-instance ybd6
[AR8-bgp-ybd6]peer 10.1.81.10 as 1
[AR8-bgp-ybd6]peer 10.1.81.10 substitute-as

AR10

[AR10]bgp 1
[AR10-bgp]peer 10.1.81.8 as 20
[AR10-bgp]network 10.10.10.10 32

[AR10]display ip routing-table protocol bgp
[AR2]ping -a 2.2.2.2 10.10.10.10

Company B (2.2.2.2) accessing company D (10.10.10.10)

The IPv4 route on AR2 is passed to AR3.

[AR2]dis ip routing-table 10.10.10.10

Encapsulated as: [figure]

Looking up the route to 10.10.10.10 shows that the next hop is 10.1.23.3.

AR3 then looks up the route in the routing table of the instance ybd2 that is bound to its interface G0/0/0.

[AR3]display ip routing-table vpn-instance ybd2 10.10.10.10

The next hop is 8.8.8.8.

[AR3]display bgp vpnv4 vpn-instance ybd2 routing-table 10.10.10.10

The private-network label is 1027. With this label pushed, the packet is encapsulated as: [figure]

Next, check the public-network label.

[AR3]display mpls lsp

The public-network label is 1026. With this label pushed, the packet is encapsulated as: [figure]

The packet leaves through interface G0/0/2.

[AR4]dis mpls lsp

The in label is 1026 and the out label is 1027; the packet is sent out of interface G0/0/1.

With the label applied, the packet is encapsulated as: [figure]

[AR5]dis mpls lsp

The in label is 1027 and the out label is 1026.

Encapsulated as: [figure]

[AR7]display mpls lsp

The out label for 8.8.8.8 is 3 (implicit null), so the top label is popped and the packet is sent out of interface G0/0/1.

[AR8]dis mpls lsp

[AR8]dis bgp vpnv4 vpn-instance ybd6 routing-table

The next hop is 10.1.81.10.





3. Topology with RR

4. Configuration and analysis






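4.1 Summary

(1) Configure the IGP and LDP inside each AS.
(2) Establish an EBGP peer relationship between the ASBRs, enable the capability to exchange labelled IPv4 routes, and enable MPLS on the interconnecting interfaces.
(3) On each ASBR, advertise the labelled IPv4 routes of the local PE/RR to the peer ASBR; this is done with a route-policy that assigns labels.
(4) On each ASBR, enable the LSP trigger policy so that LDP LSPs are created for the BGP routes.
(5) On each ASBR, import the BGP routes of the PE/RR into the IGP.
(6) Establish an MP-IBGP peer relationship between each PE and its RR to carry vp#v4 routes, and make sure the next hop stays unchanged when the routes are passed to the remote PE.
(7) Establish an MP-EBGP peer relationship between the RRs to carry vp#v4 routes, and make sure the next hop stays unchanged when the routes are passed to the remote side.
Purpose: to build an LSP from PE to PE, so that the PEs can establish MP-EBGP and exchange vp#v4 routes.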
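
The ASBR steps (2) to (5) above can be checked mechanically against a device's configuration. The following Python script is an added example, not part of the original article: the sample configuration is constructed from the commands the article enters on AR5, and the `if-match` warning is an extra hardening check that is not one of the article's steps.

```python
import re

# Constructed sample: commands the article enters on AR5 (ASBR), grouped by view.
AR5_CONFIG = """\
interface GigabitEthernet0/0/1
 mpls
bgp 10
 peer 10.1.56.6 as-number 20
 peer 10.1.56.6 route-policy asbr export
 peer 10.1.56.6 label-route-capability
route-policy asbr permit node 10
 apply mpls-label
mpls
 lsp-trigger bgp-label-route
rip 1
 import-route bgp
"""

def parse_views(text):
    """Group indented commands under the unindented view line above them."""
    views, current = {}, None
    for line in filter(str.strip, text.splitlines()):
        if not line.startswith(" "):
            current = views.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.strip())
    return views

def audit_asbr(text, ebgp_peer, link_if):
    """Return (missing section 4.1 steps, hardening warnings) for one ASBR."""
    views = parse_views(text)
    bgp = [c for v, cmds in views.items() if v.startswith("bgp ") for c in cmds]
    pat = rf"peer {re.escape(ebgp_peer)} route-policy (\S+) export"
    names = [m.group(1) for c in bgp if (m := re.fullmatch(pat, c))]
    nodes = [cmds for v, cmds in views.items()
             if names and v.startswith(f"route-policy {names[0]} permit")]
    labelled = any("apply mpls-label" in cmds for cmds in nodes)
    igp = [cmds for v, cmds in views.items() if v.split()[0] in ("rip", "ospf", "isis")]
    checks = [  # (present?, step from section 4.1)
        ("mpls" in views.get(f"interface {link_if}", []), "mpls on inter-AS interface"),
        (f"peer {ebgp_peer} label-route-capability" in bgp, "label-route-capability"),
        (labelled, "export policy with apply mpls-label"),
        ("lsp-trigger bgp-label-route" in views.get("mpls", []), "lsp-trigger bgp-label-route"),
        (any("import-route bgp" in cmds for cmds in igp), "import-route bgp into the IGP"),
    ]
    missing = [step for ok, step in checks if not ok]
    # Added hardening check: a node without if-match labels every exported route.
    unfiltered = labelled and not any(c.startswith("if-match") for cmds in nodes for c in cmds)
    warnings = ["label policy has no if-match"] if unfiltered else []
    return missing, warnings
```

Run against the article's AR5 commands, every step is present and the only finding is the warning that the `asbr` route-policy labels all exported routes rather than only the PE/RR loopbacks.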

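4.2 Removal

Remove the MP-IBGP peering between AR3 and AR5, the MP-IBGP peering between AR6 and AR8, and the EBGP VP#v4 peer relationship between AR3 and AR8.

4.3 Then establish peer relationships between AR4 (RR) and AR3 and between AR7 (RR) and AR8 with the next hop kept unchanged, and establish an EBGP VP#v4 peer relationship between AR4 and AR7.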

AR3

[AR3]bgp 10
[AR3-bgp]peer 4.4.4.4 as 10
[AR3-bgp]peer 4.4.4.4 connect-interface LoopBack 0
[AR3-bgp]ipv4-family vpnv4
[AR3-bgp-af-vpnv4]peer 4.4.4.4 enable
[AR3-bgp-af-vpnv4]peer 4.4.4.4 next-hop-invariable

AR4

[AR4]bgp 10
[AR4-bgp]peer 3.3.3.3 as 10
[AR4-bgp]peer 3.3.3.3 connect-interface LoopBack 0
[AR4-bgp]ipv4-family vpnv4
[AR4-bgp-af-vpnv4]peer 3.3.3.3 enable
[AR4-bgp-af-vpnv4]peer 3.3.3.3 reflect-client
[AR4-bgp-af-vpnv4]peer 3.3.3.3 next-hop-invariable
[AR4-bgp-af-vpnv4]undo policy vpn-target
[AR4-bgp-af-vpnv4]q
[AR4-bgp]peer 7.7.7.7 as 20
[AR4-bgp]peer 7.7.7.7 connect-interface LoopBack 0
[AR4-bgp]peer 7.7.7.7 ebgp-max-hop 66
[AR4-bgp]ipv4-family vpnv4
[AR4-bgp-af-vpnv4]peer 7.7.7.7 enable
[AR4-bgp-af-vpnv4]peer 7.7.7.7 next-hop-invariable

AR7

[AR7]bgp 20 
[AR7-bgp]peer 8.8.8.8 as 20
[AR7-bgp]peer 8.8.8.8 connect-interface LoopBack 0
[AR7-bgp]ipv4-family vpnv4
[AR7-bgp-af-vpnv4]peer 8.8.8.8 enable
[AR7-bgp-af-vpnv4]peer 8.8.8.8 reflect-client
[AR7-bgp-af-vpnv4]peer 8.8.8.8 next-hop-invariable
[AR7-bgp-af-vpnv4]undo policy vpn-target
[AR7-bgp-af-vpnv4]q
[AR7-bgp]peer 4.4.4.4 as 10
[AR7-bgp]peer 4.4.4.4 connect-interface LoopBack 0
[AR7-bgp]peer 4.4.4.4 ebgp-max-hop 66
[AR7-bgp]ipv4-family vpnv4
[AR7-bgp-af-vpnv4]peer 4.4.4.4 enable
[AR7-bgp-af-vpnv4]peer 4.4.4.4 next-hop-invariable

AR8

[AR8]bgp 20   
[AR8-bgp]peer 7.7.7.7 as 20
[AR8-bgp]peer 7.7.7.7 connect-interface LoopBack 0
[AR8-bgp]ipv4-family vpnv4
[AR8-bgp-af-vpnv4]peer 7.7.7.7 enable
[AR8-bgp-af-vpnv4]peer 7.7.7.7 next-hop-invariable

4.4 Advertise the Loopback 0 prefix of each RR

AR5

[AR5]bgp 10
[AR5-bgp]network 4.4.4.4 32

AR6

[AR6]bgp 20
[AR6-bgp]network 7.7.7.7 32

4.5 Testing

[AR4]dis bgp peer
[AR7]dis bgp peer

4.6 MPLS VP# service access: company A accessing company C

AR3

[AR3]ip vpn-instance ybd66
[AR3-vpn-instance-ybd66]route-distinguisher 20:1
[AR3-vpn-instance-ybd66-af-ipv4]vpn-target 20:1 both
[AR3-vpn-instance-ybd66-af-ipv4]int g0/0/0
[AR3-GigabitEthernet0/0/0]ip binding vpn-instance ybd66
[AR3-GigabitEthernet0/0/0]ip address 10.1.13.3 24
[AR3-GigabitEthernet0/0/0]q
[AR3]ospf 1 router-id 3.3.3.3 vpn-instance ybd66
[AR3-ospf-1]a 0
[AR3-ospf-1-area-0.0.0.0]network 10.1.13.3 0.0.0.0
[AR3-ospf-1-area-0.0.0.0]q
[AR3-ospf-1]import-route bgp
[AR3-ospf-1]bgp 10
[AR3-bgp]ipv4-family vpn-instance ybd66
[AR3-bgp-ybd66]import-route ospf 1

AR1

[AR1]ospf 1 
[AR1-ospf-1]a 0
[AR1-ospf-1-area-0.0.0.0]network 1.1.1.1 0.0.0.0
[AR1-ospf-1-area-0.0.0.0]network 10.1.13.1 0.0.0.0

AR8

[AR8]ip vpn-instance ybd99
[AR8-vpn-instance-ybd99]route-distinguisher 20:1
[AR8-vpn-instance-ybd99-af-ipv4]vpn-target 20:1 both
[AR8-vpn-instance-ybd99-af-ipv4]int g0/0/1
[AR8-GigabitEthernet0/0/1]ip binding vpn-instance ybd99
[AR8-GigabitEthernet0/0/1]ip address 10.1.89.8 24
[AR8-GigabitEthernet0/0/1]q
[AR8]isis 1 vpn-instance ybd99
[AR8-isis-1]import-route bgp
[AR8-isis-1]network-entity 12.0001.0000.0000.0008.00
[AR8-isis-1]is-level level-2
[AR8-isis-1]int g0/0/1
[AR8-GigabitEthernet0/0/1]isis enable 1
[AR8-GigabitEthernet0/0/1]bgp 20
[AR8-bgp]ipv4-family vpn-instance ybd99
[AR8-bgp-ybd99]import-route isis 1

AR9

[AR9]isis
[AR9-isis-1]network-entity 12.0001.0000.0000.0009.00
[AR9-isis-1]is-level level-2
[AR9-isis-1]int g0/0/0
[AR9-GigabitEthernet0/0/0]isis enable 1
[AR9-GigabitEthernet0/0/0]int l0
[AR9-LoopBack0]isis enable

[AR1]dis ip routing-table protocol ospf
[AR9]ping -a 9.9.9.9 1.1.1.1

1031 is the private-network label and 1026 is the public-network label.

[AR3]display bgp vpnv4 vpn-instance ybd66 routing-table 9.9.9.9

OK





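5. Characteristics

Inter-AS VP# Option C2 has the same advantages and disadvantages as inter-AS VP# Option C1; only the configuration differs slightly.

Characteristic: the public network forms a ready-made framework. When another company joins later, only the MPLS VP# service access needs to be configured on the PE devices; nothing has to be configured in the public network.

The important and distinctive configuration: on the ASBRs, the lsp-trigger bgp-label-route command must be configured in the MPLS view, and BGP must be imported into RIP (logically, the multiple AS domains then form a single AS domain); AR4 (RR) establishes an MP-IBGP peer relationship with AR3, and AR4 (RR) establishes an EBGP VP#V4 peer relationship with AR7; the Loopback 0 prefixes of the PEs and RRs are advertised into the BGP process.

"Diligent study is like a seedling in spring: you do not see it grow, yet it gets taller every day." (陶渊明)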

