


 

6.1.1 Basic L3VPN Configuration Example

 

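Network requirements

- CE 1 and CE 3 belong to VPN 1; CE 2 and CE 4 belong to VPN 2.

- VPN 1 uses VPN target 111:1 and VPN 2 uses VPN target 222:2. Users in different VPNs cannot access each other.

- EBGP runs between each CE and its PE to exchange VPN routing information.

- OSPF runs between the PEs to provide connectivity within the backbone, and MP-IBGP runs between the PEs to exchange VPN routing information.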

 

 

Configuration procedure

1. Configure an IGP on the MPLS backbone so that the PEs and the P device can reach each other

# Configure PE 1.

<PE1> system-view

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 1.1.1.9 32

[PE1-LoopBack0] quit

[PE1] interface pos 2/1/1

[PE1-POS2/1/1] ip address 172.1.1.1 24

[PE1-POS2/1/1] quit

[PE1] ospf

[PE1-ospf-1] area 0

[PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255

[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0

[PE1-ospf-1-area-0.0.0.0] quit

[PE1-ospf-1] quit

 

# Configure P.

<P> system-view

[P] interface loopback 0

[P-LoopBack0] ip address 2.2.2.9 32

[P-LoopBack0] quit

[P] interface pos 2/1/1

[P-POS2/1/1] clock master

[P-POS2/1/1] ip address 172.1.1.2 24

[P-POS2/1/1] quit

[P] interface pos 2/1/2

[P-POS2/1/2] clock master

[P-POS2/1/2] ip address 172.2.1.1 24

[P-POS2/1/2] quit

[P] ospf

[P-ospf-1] area 0

[P-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255

[P-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255

[P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0

[P-ospf-1-area-0.0.0.0] quit

[P-ospf-1] quit

 

# Configure PE 2.

<PE2> system-view

[PE2] interface loopback 0

[PE2-LoopBack0] ip address 3.3.3.9 32

[PE2-LoopBack0] quit

[PE2] interface pos 2/1/1

[PE2-POS2/1/1] ip address 172.2.1.2 24

[PE2-POS2/1/1] quit

[PE2] ospf

[PE2-ospf-1] area 0

[PE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255

[PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0

[PE2-ospf-1-area-0.0.0.0] quit

[PE2-ospf-1] quit

 

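After the configuration is complete, OSPF adjacencies should be established among PE 1, P, and PE 2. Run the display ospf peer verbose command to confirm that the neighbors have reached the FULL state, and run the display ip routing-table command to confirm that the PEs have learned each other's loopback routes.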

 

Taking PE 1 as an example:

[PE1] display ip routing-table

Routing Tables: Public

         Destinations : 9        Routes : 9

Destination/Mask  Proto  Pre  Cost     NextHop         Interface

1.1.1.9/32        Direct 0    0        127.0.0.1       InLoop0

2.2.2.9/32        OSPF   10   1        172.1.1.2       POS2/1/1

3.3.3.9/32        OSPF   10   2        172.1.1.2       POS2/1/1

127.0.0.0/8       Direct 0    0        127.0.0.1       InLoop0

127.0.0.1/32      Direct 0    0        127.0.0.1       InLoop0

172.1.1.0/24      Direct 0    0        172.1.1.1       POS2/1/1

172.1.1.1/32      Direct 0    0        127.0.0.1       InLoop0

172.1.1.2/32      Direct 0    0        172.1.1.2       POS2/1/1

172.2.1.0/24      OSPF   10   1        172.1.1.2       POS2/1/1

[PE1] display ospf peer verbose

          OSPF Process 1 with Router ID 1.1.1.9

                  Neighbors

 Area 0.0.0.0 interface 172.1.1.1(POS2/1/1)'s neighbors

 Router ID: 172.1.1.2        Address: 172.1.1.2        GR State: Normal

   State: Full  Mode:Nbr is  Master  Priority: 1

   DR: None   BDR: None   MTU: 1500

   Dead timer due in 38  sec

   Neighbor is up for 00:02:44

   Authentication Sequence: [ 0 ]

 

2. Configure basic MPLS capabilities and MPLS LDP on the MPLS backbone to establish LDP LSPs

# Configure PE 1.

[PE1] mpls lsr-id 1.1.1.9

[PE1] mpls

[PE1-mpls] lsp-trigger all

[PE1-mpls] quit

[PE1] mpls ldp

[PE1-mpls-ldp] quit

[PE1] interface pos 2/1/1

[PE1-POS2/1/1] mpls

[PE1-POS2/1/1] mpls ldp

[PE1-POS2/1/1] quit

 

# Configure P.

[P] mpls lsr-id 2.2.2.9

[P] mpls

[P-mpls] lsp-trigger all

[P-mpls] quit

[P] mpls ldp

[P-mpls-ldp] quit

[P] interface pos 2/1/1

[P-POS2/1/1] mpls

[P-POS2/1/1] mpls ldp

[P-POS2/1/1] quit

[P] interface pos 2/1/2

[P-POS2/1/2] mpls

[P-POS2/1/2] mpls ldp

[P-POS2/1/2] quit

 

# Configure PE 2.

[PE2] mpls lsr-id 3.3.3.9

[PE2] mpls

[PE2-mpls] lsp-trigger all

[PE2-mpls] quit

[PE2] mpls ldp

[PE2-mpls-ldp] quit

[PE2] interface pos 2/1/1

[PE2-POS2/1/1] mpls

[PE2-POS2/1/1] mpls ldp

[PE2-POS2/1/1] quit

 

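After the above configuration is complete, LDP sessions should be established among PE 1, P, and PE 2. In the output of the display mpls ldp session command, the Session State field shows Operational. Run the display mpls ldp lsp command to view the LDP LSPs that have been established.

Taking PE 1 as an example: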

[PE1] display mpls ldp session

               LDP Session(s) in Public Network

----------------------------------------------------------------

 Peer-ID         Status        LAM  SsnRole  FT   MD5  KA-Sent/Rcv

 ---------------------------------------------------------------

 2.2.2.9:0       Operational   DU   Passive  Off  Off  5/5

 ---------------------------------------------------------------

 LAM : Label Advertisement Mode         FT  : Fault Tolerance

 

[PE1] display mpls ldp lsp

                              LDP LSP Information

 ------------------------------------------------------------------

 SN  DestAddress/Mask   In/OutLabel  Next-Hop     In/Out-Interface

 ------------------------------------------------------------------

 1   1.1.1.9/32         3/NULL       127.0.0.1     POS2/1/1/InLoop0

 2   2.2.2.9/32         NULL/3       172.1.1.2     -------/POS2/1/1

 3   3.3.3.9/32         NULL/1024    172.1.1.2     -------/POS2/1/1

 4   172.2.1.0/24       NULL/3       172.1.1.2     -------/POS2/1/1

 ------------------------------------------------------------------

 A '*' before an LSP means the LSP is not established

 A '*' before a Label means the USCB or DSCB is stale
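
The display mpls ldp session check described above can be automated. The following is an added example, not part of the original page: it parses the session table, reports expected peers that are missing or not Operational, and also flags sessions whose MD5 column reads Off. The function name and the expected-peer list are assumptions made for the illustration.

```python
import re

# Constructed input: the session table from the PE 1 output shown above.
SAMPLE = """\
 Peer-ID         Status        LAM  SsnRole  FT   MD5  KA-Sent/Rcv
 ---------------------------------------------------------------
 2.2.2.9:0       Operational   DU   Passive  Off  Off  5/5
 ---------------------------------------------------------------
"""

PEER_ID = re.compile(r"\d+\.\d+\.\d+\.\d+:\d+")

def audit_ldp_sessions(output, expected_peers):
    """Return (peer, finding) tuples for missing, down or unauthenticated sessions."""
    seen, findings = set(), []
    for line in output.splitlines():
        # Columns are separated by two or more spaces, so a multi-word
        # status would still land in a single field.
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) != 7 or not PEER_ID.fullmatch(cols[0]):
            continue  # header, separator or legend line
        peer, status, md5 = cols[0], cols[1], cols[5]
        seen.add(peer)
        if status != "Operational":
            findings.append((peer, f"session state is {status}"))
        if md5 == "Off":
            findings.append((peer, "MD5 authentication is off"))
    for peer in sorted(set(expected_peers) - seen):
        findings.append((peer, "no session"))
    return findings

if __name__ == "__main__":
    # PE 1 has a single LDP neighbor in this topology: P (2.2.2.9).
    for peer, finding in audit_ldp_sessions(SAMPLE, ["2.2.2.9:0"]):
        print(peer, finding)
```
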

 

3. Configure VPN instances on the PEs and connect the CEs to the PEs

# Configure PE 1.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 100:1

[PE1-vpn-instance-vpn1] vpn-target 111:1

[PE1-vpn-instance-vpn1] quit

[PE1] ip vpn-instance vpn2

[PE1-vpn-instance-vpn2] route-distinguisher 100:2

[PE1-vpn-instance-vpn2] vpn-target 222:2

[PE1-vpn-instance-vpn2] quit

[PE1] interface GigabitEthernet 4/1/1

[PE1-GigabitEthernet4/1/1] ip binding vpn-instance vpn1

[PE1-GigabitEthernet4/1/1] ip address 10.1.1.2 24

[PE1-GigabitEthernet4/1/1] quit

[PE1] interface GigabitEthernet4/1/2

[PE1-GigabitEthernet4/1/2] ip binding vpn-instance vpn2

[PE1-GigabitEthernet4/1/2] ip address 10.2.1.2 24

[PE1-GigabitEthernet4/1/2] quit

 

# Configure PE 2.

[PE2] ip vpn-instance vpn1

[PE2-vpn-instance-vpn1] route-distinguisher 200:1

[PE2-vpn-instance-vpn1] vpn-target 111:1

[PE2-vpn-instance-vpn1] quit

[PE2] ip vpn-instance vpn2

[PE2-vpn-instance-vpn2] route-distinguisher 200:2

[PE2-vpn-instance-vpn2] vpn-target 222:2

[PE2-vpn-instance-vpn2] quit

[PE2] interface GigabitEthernet 4/1/1

[PE2-GigabitEthernet4/1/1] ip binding vpn-instance vpn1

[PE2-GigabitEthernet4/1/1] ip address 10.3.1.2 24

[PE2-GigabitEthernet4/1/1] quit

[PE2] interface GigabitEthernet 4/1/2

[PE2-GigabitEthernet4/1/2] ip binding vpn-instance vpn2

[PE2-GigabitEthernet4/1/2] ip address 10.4.1.2 24

[PE2-GigabitEthernet4/1/2] quit

 

# Configure the interface IP addresses on each CE. The procedure is omitted.

 

After the configuration is complete, run the display ip vpn-instance command on a PE to view the configured VPN instances. Each PE can ping the CEs attached to it.

 

Taking PE 1 and CE 1 as an example:

[PE1] display ip vpn-instance

  Total VPN-Instances configured : 2

  VPN-Instance Name      RD          Create Time

  vpn1                  100:1        2006/08/13 09:32:45

  vpn2                  100:2        2006/08/13 09:42:59

 

[PE1] ping -vpn-instance vpn1 10.1.1.1

  PING 10.1.1.1: 56  data bytes, press CTRL_C to break

    Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=56 ms

    Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=4 ms

    Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=4 ms

    Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=52 ms

    Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=3 ms

  --- 10.1.1.1 ping statistics ---

    5 packet(s) transmitted

    5 packet(s) received

    0.00% packet loss

    round-trip min/avg/max = 3/23/56 ms

 

 

4. Establish EBGP peering between the PEs and the CEs and import the VPN routes

# Configure CE 1.

<CE1> system-view

[CE1] bgp 65410

[CE1-bgp] peer 10.1.1.2 as-number 100

[CE1-bgp] import-route direct

[CE1-bgp] quit

 

Note: The other three CE devices (CE 2 to CE 4) are configured in the same way as CE 1; their configuration is omitted.

 

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp] ipv4-family vpn-instance vpn1

[PE1-bgp-vpn1] peer 10.1.1.1 as-number 65410

[PE1-bgp-vpn1] import-route direct

[PE1-bgp-vpn1] quit

[PE1-bgp] ipv4-family vpn-instance vpn2

[PE1-bgp-vpn2] peer 10.2.1.1 as-number 65420

[PE1-bgp-vpn2] import-route direct

[PE1-bgp-vpn2] quit

[PE1-bgp] quit

 

Note: PE 2 is configured in the same way as PE 1; its configuration is omitted.

 

 

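After the configuration is complete, run the display bgp vpnv4 vpn-instance peer command on a PE to confirm that the BGP peer relationship between the PE and the CE has been established and has reached the Established state.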

 

Taking the peer relationship between PE 1 and CE 1 as an example:

[PE1] display bgp vpnv4 vpn-instance vpn1 peer

 BGP local router ID : 1.1.1.9

 Local AS number : 100

 Total number of peers : 1            Peers in established state : 1

 

  Peer     V  AS   MsgRcvd MsgSent OutQ  PrefRcv   Up/Down    State

  10.1.1.1 4 65410 11      9       0     1         00:06:37   Established

 

 

5. Establish MP-IBGP peering between the PEs

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp] peer 3.3.3.9 as-number 100

[PE1-bgp] peer 3.3.3.9 connect-interface loopback 0

[PE1-bgp] ipv4-family vpnv4

[PE1-bgp-af-vpnv4] peer 3.3.3.9 enable

[PE1-bgp-af-vpnv4] quit

[PE1-bgp] quit

 

# Configure PE 2.

[PE2] bgp 100

[PE2-bgp] peer 1.1.1.9 as-number 100

[PE2-bgp] peer 1.1.1.9 connect-interface loopback 0

[PE2-bgp] ipv4-family vpnv4

[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable

[PE2-bgp-af-vpnv4] quit

[PE2-bgp] quit

 

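After the configuration is complete, run the display bgp peer or display bgp vpnv4 all peer command on a PE to confirm that the BGP peer relationship between the PEs has been established and has reached the Established state.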

 

[PE1] display bgp peer

 BGP local router ID : 1.1.1.9

 Local AS number : 100

 Total number of peers : 1          Peers in established state : 1

  Peer     V   AS  MsgRcvd  MsgSent  OutQ   PrefRcv   Up/Down  State

  3.3.3.9  4  100        2        6     0         0   00:00:12 Established

 

 

Verification

On a PE, run the display ip routing-table vpn-instance command to see the routes to the remote CEs.

 

Taking PE 1 as an example:

[PE1] display ip routing-table vpn-instance vpn1

Routing Tables: vpn1

         Destinations : 3        Routes : 3

Destination/Mask  Proto  Pre  Cost     NextHop         Interface

10.1.1.0/24       Direct 0    0        10.1.1.2        GE4/1/1

10.1.1.2/32       Direct 0    0        127.0.0.1       InLoop0

10.3.1.0/24       BGP    255  0        3.3.3.9         NULL0

 

[PE1] display ip routing-table vpn-instance vpn2

Routing Tables: vpn2

         Destinations : 3        Routes : 3

Destination/Mask  Proto  Pre  Cost      NextHop         Interface

10.2.1.0/24       Direct 0    0         10.2.1.2        GE4/1/2

10.2.1.2/32       Direct 0    0         127.0.0.1       InLoop0

10.4.1.0/24       BGP    255  0         3.3.3.9         NULL0

 

CEs in the same VPN can ping each other; CEs in different VPNs cannot.

 

For example, CE 1 can ping CE 3 (10.3.1.1) but cannot ping CE 4 (10.4.1.1).

 

[CE1] ping 10.3.1.1

  PING 10.3.1.1: 56  data bytes, press CTRL_C to break

    Reply from 10.3.1.1: bytes=56 Sequence=1 ttl=253 time=72 ms

    Reply from 10.3.1.1: bytes=56 Sequence=2 ttl=253 time=34 ms

    Reply from 10.3.1.1: bytes=56 Sequence=3 ttl=253 time=50 ms

    Reply from 10.3.1.1: bytes=56 Sequence=4 ttl=253 time=50 ms

    Reply from 10.3.1.1: bytes=56 Sequence=5 ttl=253 time=34 ms

  --- 10.3.1.1 ping statistics ---

    5 packet(s) transmitted

    5 packet(s) received

    0.00% packet loss

    round-trip min/avg/max = 34/48/72 ms 

 

[CE1] ping 10.4.1.1

  PING 10.4.1.1: 56  data bytes, press CTRL_C to break

    Request time out

    Request time out

    Request time out

    Request time out

    Request time out

  --- 10.4.1.1 ping statistics ---

    5 packet(s) transmitted

    0 packet(s) received

    100.00% packet loss
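
The isolation verified above depends on the vpn-target values: a PE installs a VPNv4 route into an instance only when one of the route's export targets matches one of that instance's import targets. The following added example, not part of the original page, audits saved PE configurations for target overlap between different VPNs. It assumes that instances with the same name on different PEs belong to the same VPN; the function names and the misconfigured variant are constructed for the illustration.

```python
import re

# Constructed input: the vpn-instance stanzas of the PE 1 configuration file on this page.
PE1 = """
ip vpn-instance vpn1
 route-distinguisher 100:1
 vpn-target 111:1 export-extcommunity
 vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpn2
 route-distinguisher 100:2
 vpn-target 222:2 export-extcommunity
 vpn-target 222:2 import-extcommunity
#
"""
# PE 2 on this page differs only in its RDs (200:1 and 200:2).
PE2 = PE1.replace("distinguisher 100:", "distinguisher 200:")
# Constructed misconfiguration: vpn2 on PE 2 additionally imports VPN 1's target.
PE2_BAD = PE2.replace("222:2 import-extcommunity",
                      "222:2 import-extcommunity\n vpn-target 111:1 import-extcommunity")

def parse_vpn_instances(config):
    """Return {instance: {"export": set, "import": set}} of route targets."""
    instances, current = {}, None
    for line in map(str.strip, config.splitlines()):
        head = re.fullmatch(r"ip vpn-instance (\S+)", line)
        rt = re.fullmatch(r"vpn-target (.+) (export|import)-extcommunity", line)
        if head:
            current = instances.setdefault(head.group(1), {"export": set(), "import": set()})
        elif line == "#":
            current = None  # '#' closes a stanza in the saved configuration
        elif rt and current is not None:
            current[rt.group(2)].update(rt.group(1).split())  # tolerates several RTs per line
    return instances

def route_leaks(configs):
    """List (exporter, importer, shared RTs) for instances of different VPNs.

    Assumption: instances with the same name on different PEs are the same VPN.
    """
    vrfs = [(f"{pe}/{name}", name, rts) for pe, cfg in configs.items()
            for name, rts in parse_vpn_instances(cfg).items()]
    return [(src, dst, sorted(exp["export"] & imp["import"]))
            for src, sname, exp in vrfs for dst, dname, imp in vrfs
            if sname != dname and exp["export"] & imp["import"]]

if __name__ == "__main__":
    print(route_leaks({"PE1": PE1, "PE2": PE2}))      # configuration from this page
    print(route_leaks({"PE1": PE1, "PE2": PE2_BAD}))  # constructed misconfiguration
```
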

 

Configuration files

1. PE 1 configuration

#

ip vpn-instance vpn1

route-distinguisher 100:1

vpn-target 111:1 export-extcommunity

vpn-target 111:1 import-extcommunity

#

ip vpn-instance vpn2

route-distinguisher 100:2

vpn-target 222:2 export-extcommunity

vpn-target 222:2 import-extcommunity

#

mpls lsr-id 1.1.1.9

#

mpls

lsp-trigger all

#

mpls ldp

#

interface pos 2/1/1

link-protocol ppp

ip address 172.1.1.1 255.255.255.0

mpls

mpls ldp

#

interface loopback 0

ip address 1.1.1.9 255.255.255.255

#

interface GigabitEthernet 4/1/1

ip binding vpn-instance vpn1

ip address 10.1.1.2 255.255.255.0

#

interface GigabitEthernet4/1/2

ip binding vpn-instance vpn2

ip address 10.2.1.2 255.255.255.0

#

bgp 100

peer 3.3.3.9 as-number 100

peer 3.3.3.9 connect-interface loopback 0

#

ipv4-family vpnv4

peer 3.3.3.9 enable

#

ipv4-family vpn-instance vpn1

import-route direct

peer 10.1.1.1 as-number 65410

#

ipv4-family vpn-instance vpn2

import-route direct

peer 10.2.1.1 as-number 65420

#

ospf 1

area 0.0.0.0

network 172.1.1.0 0.0.0.255

network 1.1.1.9 0.0.0.0

#

2. PE 2 configuration

#

ip vpn-instance vpn1

route-distinguisher 200:1

vpn-target 111:1 export-extcommunity

vpn-target 111:1 import-extcommunity

#

ip vpn-instance vpn2

route-distinguisher 200:2

vpn-target 222:2 export-extcommunity

vpn-target 222:2 import-extcommunity

#

mpls lsr-id 3.3.3.9

#

mpls

lsp-trigger all

#

mpls ldp

#

interface pos 2/1/1

link-protocol ppp

ip address 172.2.1.2 255.255.255.0

mpls

mpls ldp

#

interface loopback 0

ip address 3.3.3.9 255.255.255.255

#

interface GigabitEthernet 4/1/1

ip binding vpn-instance vpn1

ip address 10.3.1.2 255.255.255.0

#

interface GigabitEthernet4/1/2

ip binding vpn-instance vpn2

ip address 10.4.1.2 255.255.255.0

#

bgp 100

peer 1.1.1.9 as-number 100

peer 1.1.1.9 connect-interface loopback 0

#

ipv4-family vpnv4

peer 1.1.1.9 enable

#

ipv4-family vpn-instance vpn1

import-route direct

peer 10.3.1.1 as-number 65430

#

ipv4-family vpn-instance vpn2

import-route direct

peer 10.4.1.1 as-number 65440

#

ospf 1

area 0.0.0.0

network 172.2.1.0 0.0.0.255

network 3.3.3.9 0.0.0.0

#

3. P configuration

#

mpls lsr-id 2.2.2.9

#

mpls

lsp-trigger all

#

mpls ldp

#

interface pos 2/1/1

clock master

link-protocol ppp

ip address 172.1.1.2 255.255.255.0

mpls

mpls ldp

#

interface pos 2/1/2

clock master

link-protocol ppp

ip address 172.2.1.1 255.255.255.0

mpls

mpls ldp

#

interface loopback 0

ip address 2.2.2.9 255.255.255.255

#

ospf 1

area 0.0.0.0

network 172.1.1.0 0.0.0.255

network 172.2.1.0 0.0.0.255

network 2.2.2.9 0.0.0.0

#

4. CE 1 configuration

#

interface GigabitEthernet 4/1/1

ip address 10.1.1.1 255.255.255.0

#

bgp 65410

import-route direct

peer 10.1.1.2 as-number 100

#

5. CE 2 configuration

#

interface GigabitEthernet 4/1/1

ip address 10.2.1.1 255.255.255.0

#

bgp 65420

import-route direct

peer 10.2.1.2 as-number 100

#

6. CE 3 configuration

#

interface GigabitEthernet 4/1/1

ip address 10.3.1.1 255.255.255.0

#

bgp 65430

import-route direct

peer 10.3.1.2 as-number 100

#

7. CE 4 configuration

#

interface GigabitEthernet 4/1/1

ip address 10.4.1.1 255.255.255.0

#

bgp 65440

import-route direct

peer 10.4.1.2 as-number 100

#

 

 
