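Hello everyone! I'm 藝博東, a network engineer who started out on Cisco and now focuses on Huawei. Without further ado, let's get straight to the topic.
Contents
- 1. Topology
- 2. Configuration and analysis
- 3. Characteristics of inter-AS VP#-OptionA
For special reasons, the letter "N" has been replaced with the "#" symbol.
1. Topology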

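2. Configuration and analysis
Background requirement: Branch A may only access Branch C and no other branch; likewise, Branch B may only access Branch D.
Configure according to the diagram above, in the following steps:
(1) In AS10 and AS20, configure the IGP and LDP for the public-network LSP tunnels;
(2) Configure the MP-IBGP peer structure / route reflector in AS10 and AS20;
(3) On the PEs, configure service access for the VP# instances: create the vp# instances and bind the CE-facing interfaces, configure RD and RT correctly, and correctly configure the routing protocol between PE and CE;
(4) For each VP#, interconnect the ASBR-PEs through sub-interfaces bound to the vp# instance, and configure an EBGP peer relationship in each instance;
(5) On the PEs, correctly import the vp#v4 routes: import IGP into BGP and BGP into IGP;
(6) Check that routes are propagated correctly;
(7) Test connectivity;
(8) Become familiar with the route propagation mechanism and with how private-network and public-network labels are allocated.
1. In AS10 and AS20, configure the IGP and LDP for the public-network LSP tunnels; configure the MP-IBGP peer structure / route reflector in AS10 and AS20.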
AR1
[AR1]int g0/0/2
[AR1-GigabitEthernet0/0/2]ip address 10.1.12.1 24
[AR1-GigabitEthernet0/0/2]int l0
[AR1-LoopBack0]ip address 1.1.1.1 32
[AR1-LoopBack0]q
[AR1]rip
[AR1-rip-1]version 2
[AR1-rip-1]network 10.0.0.0
[AR1-rip-1]network 1.0.0.0
[AR1-rip-1]q
[AR1]mpls lsr-id 1.1.1.1
[AR1]mpls
[AR1-mpls]mpls ldp
[AR1-mpls-ldp]q
[AR1]int g0/0/2
[AR1-GigabitEthernet0/0/2]mpls
[AR1-GigabitEthernet0/0/2]mpls ldp
[AR1]bgp 10
[AR1-bgp]peer 2.2.2.2 as-number 10
[AR1-bgp]peer 2.2.2.2 connect-interface LoopBack0
[AR1-bgp]peer 2.2.2.2 next-hop-local
[AR1-bgp]ipv4-family vpnv4
[AR1-bgp-af-vpnv4]peer 2.2.2.2 enable
AR2
[AR2]int g0/0/0
[AR2-GigabitEthernet0/0/0]ip address 10.1.12.2 24
[AR2-GigabitEthernet0/0/0]int g0/0/1
[AR2-GigabitEthernet0/0/1]ip address 10.1.23.2 24
[AR2-GigabitEthernet0/0/1]int l0
[AR2-LoopBack0]ip address 2.2.2.2 32
[AR2-LoopBack0]q
[AR2]rip
[AR2-rip-1]version 2
[AR2-rip-1]network 10.0.0.0
[AR2-rip-1]network 2.0.0.0
[AR2]mpls lsr-id 2.2.2.2
[AR2]mpls
[AR2-mpls]mpls ldp
[AR2-mpls-ldp]q
[AR2]int g0/0/0
[AR2-GigabitEthernet0/0/0]mpls
[AR2-GigabitEthernet0/0/0]mpls ldp
[AR2-GigabitEthernet0/0/0]int g0/0/1
[AR2-GigabitEthernet0/0/1]mpls
[AR2-GigabitEthernet0/0/1]mpls ldp
[AR2-GigabitEthernet0/0/1]q
[AR2]bgp 10
[AR2-bgp]peer 1.1.1.1 as-number 10
[AR2-bgp]peer 1.1.1.1 connect-interface LoopBack0
[AR2-bgp]peer 1.1.1.1 next-hop-local
[AR2-bgp]peer 3.3.3.3 as-number 10
[AR2-bgp]peer 3.3.3.3 connect-interface LoopBack0
[AR2-bgp]peer 3.3.3.3 next-hop-local
[AR2-bgp]ipv4-family vpnv4
[AR2-bgp-af-vpnv4]undo policy vpn-target
[AR2-bgp-af-vpnv4]peer 1.1.1.1 enable
[AR2-bgp-af-vpnv4]peer 1.1.1.1 reflect-client
[AR2-bgp-af-vpnv4]peer 3.3.3.3 enable
[AR2-bgp-af-vpnv4]peer 3.3.3.3 reflect-client
AR3
[AR3]int g0/0/0
[AR3-GigabitEthernet0/0/0]ip address 10.1.23.3 24
[AR3-GigabitEthernet0/0/0]int l0
[AR3-LoopBack0]ip address 3.3.3.3 32
[AR3-LoopBack0]q
[AR3]rip
[AR3-rip-1]undo summary
[AR3-rip-1]version 2
[AR3-rip-1]network 10.0.0.0
[AR3-rip-1]network 3.0.0.0
[AR3-rip-1]q
[AR3]mpls lsr-id 3.3.3.3
[AR3]mpls
[AR3-mpls]mpls ldp
[AR3-mpls-ldp]q
[AR3]int g0/0/0
[AR3-GigabitEthernet0/0/0]mpls
[AR3-GigabitEthernet0/0/0]mpls ldp
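The underlying configuration of AR4, AR5 and AR6 is similar.
2. On the PEs, configure service access for the VP# instances: create the vp# instances and bind the CE-facing interfaces, configure RD and RT correctly, and correctly configure the routing protocol between PE and CE.
Branch A may only access Branch C and no other branch.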
AR1
[AR1]ip vpn-instance ybd1
[AR1-vpn-instance-ybd1]route-distinguisher 10:1
[AR1-vpn-instance-ybd1]vpn-target 10:1 both
[AR1-vpn-instance-ybd1]int g0/0/0
[AR1-GigabitEthernet0/0/0]ip binding vpn-instance ybd1
[AR1-GigabitEthernet0/0/0]ip address 10.1.17.1 255.255.255.0
[AR1-GigabitEthernet0/0/0]bgp 10
[AR1-bgp]ipv4-family vpn-instance ybd1
[AR1-bgp-ybd1]peer 10.1.17.7 as-number 1
AR7
[AR79]int g0/0/0
[AR79-GigabitEthernet0/0/0]ip address 10.1.17.7 24
[AR79-GigabitEthernet0/0/0]bgp 1
[AR79-bgp]peer 10.1.17.1 as-number 10
[AR79-bgp]network 7.7.7.7 255.255.255.255
[AR79-bgp]peer 10.1.17.1 enable
[AR79-bgp]peer 10.1.17.1 allow-as-loop
[AR79]dis bgp peer

[AR1]dis bgp vp#v4 all peer

AR3
[AR3]ip vpn-instance ybd5
[AR3-vpn-instance-ybd5]route-distinguisher 10:1
[AR3-vpn-instance-ybd5]vpn-target 10:1 both
[AR3-vpn-instance-ybd5]int g0/0/1.10
[AR3-GigabitEthernet0/0/1.10]dot1q termination vid 10
[AR3-GigabitEthernet0/0/1.10]ip binding vpn-instance ybd5
[AR3-GigabitEthernet0/0/1.10]ip address 10.1.34.3 255.255.255.0
[AR3-GigabitEthernet0/0/1.10]arp broadcast enable
[AR3-GigabitEthernet0/0/1.10]bgp 10
[AR3-bgp]ipv4-family vpn-instance ybd5
[AR3-bgp-ybd5]peer 10.1.34.4 as-number 20
AR4
[AR4]ip vpn-instance ybd6
[AR4-vpn-instance-ybd6]route-distinguisher 20:1
[AR4-vpn-instance-ybd6]vpn-target 20:1 both
[AR4-vpn-instance-ybd6]int g0/0/0.20
[AR4-GigabitEthernet0/0/0.20]dot1q termination vid 10
[AR4-GigabitEthernet0/0/0.20]ip binding vpn-instance ybd6
[AR4-GigabitEthernet0/0/0.20]ip address 10.1.34.4 255.255.255.0
[AR4-GigabitEthernet0/0/0.20]arp broadcast enable
[AR4-GigabitEthernet0/0/0.20]bgp 20
[AR4-bgp]ipv4-family vpn-instance ybd6
[AR4-bgp-ybd6]peer 10.1.34.3 as-number 10
AR6
[AR6]ip vpn-instance ybd3
[AR6-vpn-instance-ybd3]route-distinguisher 20:1
[AR6-vpn-instance-ybd3]vpn-target 20:1
[AR6-vpn-instance-ybd3]int g0/0/1
[AR6-GigabitEthernet0/0/1]ip binding vpn-instance ybd3
[AR6-GigabitEthernet0/0/1]ip address 10.1.69.6 255.255.255.0
[AR6-GigabitEthernet0/0/1]bgp 20
[AR6-bgp]ipv4-family vpn-instance ybd3
[AR6-bgp-ybd3]peer 10.1.69.9 as-number 1
[AR6-bgp-ybd3]peer 10.1.69.9 substitute-as
AR97
[AR97]int g0/0/0
[AR97-GigabitEthernet0/0/0]ip address 10.1.69.9 255.255.255.0
[AR97-GigabitEthernet0/0/0]bgp 1
[AR97-bgp]peer 10.1.69.6 as-number 20
[AR97-bgp]network 9.9.9.9 255.255.255.255
[AR97]dis ip routing-table
[AR79]dis ip routing-table

How does Company A reach Company C?
Look up the 9.9.9.9 route on AR79:
[AR79]dis ip routing-table 9.9.9.9

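The output above shows that the next hop of the 9.9.9.9 route is 10.1.17.1.
The packet is encapsulated as:

Then look up the route in the routing table of instance ybd1, which is bound to AR1's interface: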
[AR1]dis ip routing-table vp#-instance ybd1

[AR1]dis bgp vp#v4 vpn-instance ybd1 routing-table 9.9.9.9

The private-network label is 1027.
With the label added, the packet is encapsulated as:
[AR1]dis mpls lsp

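The outgoing label is 1024.
With the label added, the packet is encapsulated as:
Two labels have been pushed.
AR1 then sends the packet out of interface G0/0/2.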

The RR looks up the label:
[AR2]dis mpls lsp

For 3.3.3.3 the in label is 1024 and the out label is 3, so the top label is popped and the packet is sent out of interface G0/0/1.

After AR3 receives the packet, check the LSPs:
[AR3]dis mpls lsp

This label was learned through BGP; if the received label is 1027, the packet is forwarded using the ybd5 routing table.
The label is popped.
[AR3]dis ip routing-table vp#-instance ybd5 9.9.9.9

The next hop is 10.1.34.4, and the packet is sent out of interface g0/0/1.10.

This is an IP packet.

The next hop is 6.6.6.6; then look up the label of the 9.9.9.9 route:
[AR4]dis bgp vp#v4 all routing-table 9.9.9.9

AR6 allocated it the private-network label 1026, so label 1026 is pushed.

Look up the public-network label for next hop 6.6.6.6:

The out label is 1024 and the outgoing interface is G0/0/1.

[AR5]dis mpls lsp

For 6.6.6.6 the in label is 1024 and the out label is 3, so the top label is popped and the packet is sent out of interface G0/0/1.

[AR6]dis mpls lsp

This label was learned through BGP; if the received label is 1026, the packet is forwarded using the ybd3 routing table.
The label is popped.
[AR6]dis ip routing-table vp#-instance ybd3 9.9.9.9

The next hop is 10.1.69.9, and the packet is sent out of interface g0/0/1.

The forwarding plane is OK.
[AR79]tracert -a 7.7.7.7 9.9.9.9


Path
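The label operations walked through above, replayed hop by hop. This is an added example, not code from the original article; the label values and instance names are the ones quoted in the text, while the `HOPS` table layout and the function names are assumptions made for illustration. It shows that the packet leaves AR3 towards AR4 with no labels at all, which is what makes Option A a plain IP hand-off between the two ASBRs.

```python
IMPLICIT_NULL = 3  # reserved label: tells the penultimate hop to pop (PHP)

# (node, action, argument); label values and VPN instances are the ones quoted above.
HOPS = [
    ("AR79", "ip", None),                   # CE: plain IP, next hop 10.1.17.1
    ("AR1", "push", (1027, 1024)),          # private label first, public label on top
    ("AR2", "swap", {1024: IMPLICIT_NULL}),
    ("AR3", "vpn_pop", {1027: "ybd5"}),     # ASBR in AS10
    ("AR4", "push", (1026, 1024)),          # ASBR in AS20 starts a new label stack
    ("AR5", "swap", {1024: IMPLICIT_NULL}),
    ("AR6", "vpn_pop", {1026: "ybd3"}),
]

def walk(hops=HOPS):
    """Return [(node, labels on the wire leaving that node, top label first)]."""
    stack, trace = [], []
    for node, action, arg in hops:
        if action == "push":
            if stack:
                raise ValueError(f"{node}: ingress expects an unlabeled packet")
            stack.extend(arg)
        elif action in ("swap", "vpn_pop"):
            if not stack or stack[-1] not in arg:
                raise ValueError(f"{node}: no entry for incoming label {stack[-1:]}")
            value = arg[stack.pop()]
            if action == "swap" and value != IMPLICIT_NULL:
                stack.append(value)          # ordinary swap keeps a top label
            if action == "vpn_pop" and stack:
                raise ValueError(f"{node}: labels left under VPN label for {value}")
        trace.append((node, tuple(reversed(stack))))
    return trace

def labels_leaving(node, trace):
    """Label stack (top first) on the link after the given node."""
    return dict(trace)[node]

if __name__ == "__main__":
    for node, labels in walk():
        print(f"{node:5} -> {labels or 'plain IP'}")
```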
3. Branch B may only access Branch D
On the PEs, correctly import the vp#v4 routes: import IGP into BGP and BGP into IGP.
AR1
[AR1]ip vpn-instance ybd2
[AR1-vpn-instance-ybd2]route-distinguisher 10:2
[AR1-vpn-instance-ybd2]vpn-target 10:2 both
[AR1-vpn-instance-ybd2]int g0/0/1
[AR1-GigabitEthernet0/0/1]ip binding vpn-instance ybd2
[AR1-GigabitEthernet0/0/1]ip address 10.1.18.1 255.255.255.0
[AR1-GigabitEthernet0/0/1]
[AR1]ospf 1 vpn-instance ybd2
[AR1-ospf-1]import-route bgp
[AR1-ospf-1]a 0
[AR1-ospf-1-area-0.0.0.0]network 10.1.18.1 0.0.0.0
[AR1-ospf-1-area-0.0.0.0]q
[AR1-ospf-1]q
[AR1]bgp 10
[AR1-bgp]ipv4-family vpn-instance ybd2
[AR1-bgp-ybd2]import-route ospf 1
AR18
[AR18]int g0/0/0
[AR18-GigabitEthernet0/0/0]ip address 10.1.18.8 255.255.255.0
[AR18-GigabitEthernet0/0/0]q
[AR18]int l0
[AR18-LoopBack0]ip address 8.8.8.8 32
[AR18-LoopBack0]q
[AR18]ospf 1 router-id 8.8.8.8
[AR18-ospf-1]a 0
[AR18-ospf-1-area-0.0.0.0]network 8.8.8.8 0.0.0.0
[AR18-ospf-1-area-0.0.0.0]network 10.1.18.8 0.0.0.0
The configuration of AR6 and AR81 is similar.
[AR18]dis ip routing-table 
Router AR18 has no routes for Companies A and D.
[AR18]ping 10.10.10.10

Also, it does not matter that BGP instances specify the same peer, because the instances are different.

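RD: distinguishes instances and tags routes; it is only locally significant and distinguishes identical routes from different sites.
RT: controls routes, that is, it controls route import and export.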
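How the RD and RT values configured above keep the two customers apart, as an added example that is not part of the original article. The RD/RT values for ybd1, ybd2 and ybd5 come from the configuration on this page; the `customer` tags, the sample prefix and the function names are assumptions added for the check.

```python
from itertools import combinations

# "vpn-target X both" sets the same value for import and export.
# RD/RT values are from the configuration above; "customer" is an added tag.
INSTANCES = {
    ("AR1", "ybd1"): {"rd": "10:1", "export": {"10:1"}, "import": {"10:1"},
                      "customer": "A-C"},
    ("AR1", "ybd2"): {"rd": "10:2", "export": {"10:2"}, "import": {"10:2"},
                      "customer": "B-D"},
    ("AR3", "ybd5"): {"rd": "10:1", "export": {"10:1"}, "import": {"10:1"},
                      "customer": "A-C"},
}

def importers(src, instances):
    """Other instances that accept the routes exported by src (RT match)."""
    exported = instances[src]["export"]
    return sorted(k for k, v in instances.items()
                  if k != src and exported & v["import"])

def cross_customer_leaks(instances):
    """Pairs of instances of different customers that exchange routes."""
    leaks = []
    for a, b in combinations(sorted(instances), 2):
        ia, ib = instances[a], instances[b]
        if ia["customer"] == ib["customer"]:
            continue
        if ia["export"] & ib["import"] or ib["export"] & ia["import"]:
            leaks.append((a, b))
    return leaks

def vpnv4_key(instance, prefix, instances):
    """A VPNv4 route is identified by RD plus IPv4 prefix."""
    return (instances[instance]["rd"], prefix)

if __name__ == "__main__":
    print("ybd1 routes are imported by:", importers(("AR1", "ybd1"), INSTANCES))
    print("cross-customer leaks:", cross_customer_leaks(INSTANCES))
    # Constructed prefix: the same address space used by both customers.
    for inst in (("AR1", "ybd1"), ("AR1", "ybd2")):
        print(inst, vpnv4_key(inst, "192.168.1.0/24", INSTANCES))
```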
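3. Characteristics of inter-AS VP#-OptionA
Back-to-back
Advantage: configuration is relatively simple;
create sub-interfaces on the ASBRs and bind them to vpn instances,
configure vpn instances on the PEs and bind the interfaces.
Disadvantage: poor scalability;
the ASBR has to manage all VP# routes and create a VP# instance for each VP#, so the number of VP#-IPv4 routes the ASBR must maintain becomes too large. When only a small number of VP#s need to cross the AS boundary, this option can be considered first.
Here the ASBR has to manage the routes of both instances: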
[AR3]dis bgp vp#v4 all routing-table

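Quote of the moment
The world is like a mirror: frown at it and it frowns back at you; smile at it and it smiles back at you.
You are welcome to visit my article "華為 跨域VPN-OptionA" (Huawei inter-AS VPN-OptionA) on the 易百納 technical community:
https://www.ebaina.com/articles/140000005405

That's all for this issue. If you liked this article, please like, comment, share and bookmark it; and if you follow me as well, that really is the greatest encouragement for me. Thank you all, and see you next time!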
