- 產品與解決方案
- 行業解決方案
- 服務
- 支持
- 合作夥伴
- 關於我們
32-MPLS L3VPN典型配置舉例
本章節下載: 32-MPLS L3VPN典型配置舉例 (323.94 KB)
|
Copyright © 2018bobty下载软件 版權所有,保留一切權利。 非經本公司書麵許可,任何單位和個人不得擅自摘抄、複製本文檔內容的部分或全部,並不得以任何形式傳播。本文檔中的信息可能變動,恕不另行通知。 |
|
目 錄
本文介紹了通過MPLS L3VPN技術提供VPN服務的典型配置舉例。
本文檔中的配置均是在實驗室環境下進行的配置和驗證,配置前設備的所有參數均采用出廠時的缺省配置。如果您已經對設備進行了配置,為了保證配置效果,請確認現有配置和以下舉例中的配置不衝突。
本文檔假設您已了解MPLS L3VPN特性。
如圖1所示,Customer A和Customer B分別有位於兩地的分支機構,現要求通過MPLS L3VPN技術,實現用戶分支機構間路由信息的正常交互,且用戶數據可以通過VPN方式在各站點間安全傳輸,不會發送至私網IP地址相同的其它用戶站點中。
圖1 MPLS L3VPN基本組網圖
· 為了使報文能夠通過MPLS網絡傳輸,需要在MPLS骨幹網絡中配置IGP路由協議,並利用LDP分發公網標簽,作為VPN報文的外層標簽。
· 為區分不同用戶的路由信息,需要在PE上分別創建兩個VPN實例,並為VPN實例配置RD和RT,在各實例內通過BGP分別引入不同用戶的私網路由。
· 在PE設備之間配置MP-BGP協議並建立對等體,用於傳輸VPN的私網路由信息並分發內層標簽,即私網標簽。
本舉例是在S6800-CMW710-R2609版本上進行配置和驗證的。
由於在配置接口與VPN實例綁定後,接口上的IP地址等配置會清除,因此先配置接口與VPN實例的綁定關係,再進行其他配置。
(1) 配置PE 1
# 配置骨幹網接口以及環回口地址。
<PE1> system-view
[PE1] interface loopback 0
[PE1-LoopBack0] ip address 1.1.1.9 32
[PE1-LoopBack0] quit
[PE1] vlan 2
[PE1-vlan2] port ten-gigabitethernet 1/0/2
[PE1-vlan2] quit
[PE1] interface vlan-interface 2
[PE1-Vlan-interface2] ip address 10.1.1.1 24
[PE1-Vlan-interface2] quit
# 配置OSPF協議發布骨幹網側路由。
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
(2) 配置P
# 配置骨幹網接口以及環回口地址。
<P> system-view
[P] interface loopback 0
[P-LoopBack0] ip address 2.2.2.9 32
[P-LoopBack0] quit
[P] vlan 2
[P-vlan2] port ten-gigabitethernet 1/0/2
[P-vlan2] quit
[P] vlan 5
[P-vlan5] port ten-gigabitethernet 1/0/3
[P-vlan5] quit
[P] interface vlan-interface 2
[P-Vlan-interface2] ip address 10.1.1.2 24
[P-Vlan-interface2] quit
[P] interface vlan-interface 5
[P-Vlan-interface5] ip address 10.1.4.1 24
[P-Vlan-interface5] quit
# 配置OSPF協議發布骨幹網側路由。
[P] ospf
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 10.1.4.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
(3) 配置PE 2
# 配置骨幹網接口以及環回口地址。
<PE2> system-view
[PE2] interface loopback 0
[PE2-LoopBack0] ip address 3.3.3.9 32
[PE2-LoopBack0] quit
[PE2] vlan 5
[PE2-vlan5] port ten-gigabitethernet 1/0/1
[PE2-vlan5] quit
[PE2] interface vlan-interface 5
[PE2-Vlan-interface5] ip address 10.1.4.2 24
[PE2-Vlan-interface5] quit
# 配置OSPF協議發布骨幹網側路由。
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 10.1.4.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
配置完成後,PE 1、P、PE 2之間應能建立OSPF鄰居,執行display ospf peer命令可以看到鄰居達到Full狀態。執行display ip routing-table命令可以看到PE之間學習到對方的Loopback路由。
以PE 1為例:
[PE1] display ospf peer verbose
OSPF Process 1 with Router ID 1.1.1.9
Neighbors
Area 0.0.0.0 interface 10.1.1.1(Vlan-interface2)'s neighbors
Router ID: 2.2.2.9 Address: 10.1.1.2 GR State: Normal
State: Full Mode: Nbr is Master Priority: 1
DR: 10.1.1.2 BDR: 10.1.1.1 MTU: 0
Options is 0x02 (-|-|-|-|-|-|E|-)
Dead timer due in 38 sec
Neighbor is up for 17:30:25
Authentication Sequence: [ 0 ]
Neighbor state change count: 6
BFD status: Disabled
[PE1] display ip routing-table protocol ospf
Summary Count : 5
OSPF Routing table Status : <Active>
Summary Count : 3
Destination/Mask Proto Pre Cost NextHop Interface
2.2.2.9/32 OSPF 10 1 10.1.1.2 Vlan2
3.3.3.9/32 OSPF 10 2 10.1.1.2 Vlan2
10.1.4.0/24 OSPF 10 2 10.1.1.2 Vlan2
OSPF Routing table Status : <Inactive>
Summary Count : 2
Destination/Mask Proto Pre Cost NextHop Interface
1.1.1.9/32 OSPF 10 0 1.1.1.9 Loop0
10.1.1.0/24 OSPF 10 1 10.1.1.1 Vlan2
(1) 配置PE 1
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls ldp
[PE1-ldp] quit
[PE1] interface vlan-interface 2
[PE1-Vlan-interface2] mpls enable
[PE1-Vlan-interface2] mpls ldp enable
[PE1-Vlan-interface2] quit
(2) 配置P
[P] mpls lsr-id 2.2.2.9
[P] mpls ldp
[P-ldp] quit
[P] interface vlan-interface 2
[P-Vlan-interface2] mpls enable
[P-Vlan-interface2] mpls ldp enable
[P-Vlan-interface2] quit
[P] interface vlan-interface 5
[P-Vlan-interface5] mpls enable
[P-Vlan-interface5] mpls ldp enable
[P-Vlan-interface5] quit
(3) 配置PE 2
[PE2] mpls lsr-id 3.3.3.9
[PE2] mpls ldp
[PE2-ldp] quit
[PE2] interface vlan-interface 5
[PE2-Vlan-interface5] mpls enable
[PE2-Vlan-interface5] mpls ldp enable
[PE2-Vlan-interface5] quit
上述配置完成後,PE 1、P、PE 2之間應能建立LDP會話,執行display mpls ldp peer命令可以看到LDP會話的狀態為Operational。執行display mpls ldp lsp命令,可以看到LDP LSP的建立情況。
以PE 1為例:
[PE1] display mpls ldp peer
Total number of peers: 1
Peer LDP ID State Role GR MD5 KA Sent/Rcvd
2.2.2.9:0 Operational Passive Off Off 5/5
[PE1] display mpls ldp lsp
Status Flags: * - stale, L - liberal, B - backup
FECs: 4 Ingress: 1 Transit: 1 Egress: 3
FEC In/Out Label Nexthop OutInterface
1.1.1.9/32 3/-
-/1151(L)
2.2.2.9/32 -/3 10.1.1.2 Vlan2
1151/3 10.1.1.2 Vlan2
3.3.3.9/32 -/1150 10.1.1.2 Vlan2
1150/1150 10.1.1.2 Vlan2
(1) 配置PE 1
# 在PE 1上為Customer A創建VPN實例,名為“customerA”。
[PE1] ip vpn-instance customerA
# 為該實例配置RD為100:1,用於形成VPNv4路由,以便區分不同用戶相同網段的路由。
[PE1-vpn-instance-customerA] route-distinguisher 100:1
# 為該VPN實例配置VPN Target屬性,其中接收路由的屬性為111:1,發布路由的屬性為222:1。(此處為表示接收和發送屬性的含義,取值有所不同,為便於管理,用戶可以將接收和發送的屬性配置為相同的值)
[PE1-vpn-instance-customerA] vpn-target 111:1 import-extcommunity
[PE1-vpn-instance-customerA] vpn-target 222:1 export-extcommunity
[PE1-vpn-instance-customerA] quit
# 按同樣方式為Customer B創建VPN實例,名為“customerB”,並為其配置RD為200:1,接收和發送的VPN Target屬性分別為333:1和444:1。
[PE1] ip vpn-instance customerB
[PE1-vpn-instance-customerB] route-distinguisher 200:1
[PE1-vpn-instance-customerB] vpn-target 333:1 import-extcommunity
[PE1-vpn-instance-customerB] vpn-target 444:1 export-extcommunity
[PE1-vpn-instance-customerB] quit
# 配置Vlan-interface100與VPN實例customerA進行綁定。
[PE1] vlan 100
[PE1-vlan100] port ten-gigabitethernet 1/0/1
[PE1-vlan100] quit
[PE1] interface vlan-interface 100
[PE1-Vlan-interface100] ip binding vpn-instance customerA
[PE1-Vlan-interface100] ip address 100.1.1.2 24
[PE1-Vlan-interface100] quit
# 配置Vlan-interface200與VPN實例customerB進行綁定。
[PE1] vlan 200
[PE1-vlan200] port ten-gigabitethernet 1/0/3
[PE1-vlan200] quit
[PE1] interface vlan-interface 200
[PE1-Vlan-interface200] ip binding vpn-instance customerB
[PE1-Vlan-interface200] ip address 200.1.1.2 24
[PE1-Vlan-interface200] quit
(2) 配置PE 2
# 在PE 2上為Customer A創建VPN實例,名為“customerA”。
[PE2] ip vpn-instance customerA
# 為該VPN實例配置RD,為便於識別,建議與PE 1上為該實例配置的RD保持一致。
[PE2-vpn-instance-customerA] route-distinguisher 100:1
# 為該VPN實例配置VPN Target,需要注意的是接收和發送的屬性要分別與PE 1上配置的發送和接收的屬性保持一致。
[PE2-vpn-instance-customerA] vpn-target 222:1 import-extcommunity
[PE2-vpn-instance-customerA] vpn-target 111:1 export-extcommunity
[PE2-vpn-instance-customerA] quit
# 按同樣方式配置VPN實例“customerB”,並配置相應的RD和VPN Target。
[PE2] ip vpn-instance customerB
[PE2-vpn-instance-customerB] route-distinguisher 200:1
[PE2-vpn-instance-customerB] vpn-target 444:1 import-extcommunity
[PE2-vpn-instance-customerB] vpn-target 333:1 export-extcommunity
[PE2-vpn-instance-customerB] quit
# 分別將Vlan-interface101和Vlan-interface202與customerA和customerB實例進行綁定。
[PE2] vlan 101
[PE2-vlan101] port ten-gigabitethernet 1/0/2
[PE2-vlan101] quit
[PE2] interface vlan-interface 101
[PE2-Vlan-interface101] ip binding vpn-instance customerA
[PE2-Vlan-interface101] ip address 101.1.1.1 24
[PE2-Vlan-interface101] quit
[PE2] vlan 202
[PE2-vlan202] port ten-gigabitethernet 1/0/3
[PE2-vlan202] quit
[PE2] interface vlan-interface 202
[PE2-Vlan-interface202] ip binding vpn-instance customerB
[PE2-Vlan-interface202] ip address 202.1.1.2 24
[PE2-Vlan-interface202] quit
(3) 配置CE
按圖1配置各CE的接口IP地址,配置過程略。
配置完成後,在PE設備上執行display ip vpn-instance命令可以看到VPN實例的配置情況。各PE能ping通自己接入的CE。
以PE 1和CE 1為例:
[PE1] display ip vpn-instance
Total VPN-Instances configured : 2
VPN-Instance Name RD Create time
customerA 100:1 2014/03/22 13:20:08
customerB 200:1 2014/03/22 13:20:20
[PE1] ping -vpn-instance customerA 100.1.1.1
Ping 10.1.1.1 (100.1.1.1): 56 data bytes, press CTRL_C to break
56 bytes from 100.1.1.1: icmp_seq=0 ttl=255 time=1.000 ms
56 bytes from 100.1.1.1: icmp_seq=1 ttl=255 time=2.000 ms
56 bytes from 100.1.1.1: icmp_seq=2 ttl=255 time=0.000 ms
56 bytes from 100.1.1.1: icmp_seq=3 ttl=255 time=1.000 ms
56 bytes from 100.1.1.1: icmp_seq=4 ttl=255 time=0.000 ms
--- Ping statistics for 10.1.1.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/0.800/2.000/0.748 ms
(1) 配置PE 1
# 在PE 1上創建BGP進程100。
[PE1] bgp 100
# 將CE 1指定為對等體,並將PE 1的直連路由引入到BGP-VPN實例路由表中。
[PE1-bgp-default] ip vpn-instance customerA
[PE1-bgp-default-customerA] peer 100.1.1.1 as-number 65410
[PE1-bgp-default-customerA] address-family ipv4 unicast
[PE1-bgp-default-ipv4-customerA] peer 100.1.1.1 enable
[PE1-bgp-default-ipv4-customerA] import-route direct
[PE1-bgp-default-ipv4-customerA] quit
[PE1-bgp-default-customerA] quit
# 將CE 2指定為對等體,並將PE 1的直連路由引入到BGP-VPN實例路由表中。
[PE1-bgp-default] ip vpn-instance customerB
[PE1-bgp-default-customerB] peer 200.1.1.1 as-number 65410
[PE1-bgp-default-customerB] address-family ipv4 unicast
[PE1-bgp-default-ipv4-customerB] peer 200.1.1.1 enable
[PE1-bgp-default-ipv4-customerB] import-route direct
[PE1-bgp-default-ipv4-customerB] quit
[PE1-bgp-default-customerB] quit
[PE1-bgp-default] quit
(2) 配置PE 2
# 在PE 2上創建BGP進程100。
[PE2] bgp 100
# 將CE 3指定為對等體,並將PE 2的直連路由引入到BGP-VPN實例路由表中。
[PE2-bgp-default] ip vpn-instance customerA
[PE2-bgp-default-customerA] peer 101.1.1.2 as-number 65430
[PE2-bgp-default-customerA] address-family ipv4 unicast
[PE2-bgp-default-ipv4-customerA] peer 101.1.1.2 enable
[PE2-bgp-default-ipv4-customerA] import-route direct
[PE2-bgp-default-ipv4-customerA] quit
[PE2-bgp-default-customerA] quit
# 將CE 4指定為對等體,並將PE 2的直連路由引入到BGP-VPN實例路由表中。
[PE2-bgp-default] ip vpn-instance customerB
[PE2-bgp-default-customerB] peer 202.1.1.1 as-number 65430
[PE2-bgp-default-customerB] address-family ipv4 unicast
[PE2-bgp-default-ipv4-customerB] peer 202.1.1.1 enable
[PE2-bgp-default-ipv4-customerB] import-route direct
[PE2-bgp-default-ipv4-customerB] quit
[PE2-bgp-default-customerB] quit
[PE2-bgp-default] quit
(3) 配置CE1
# CE 1上創建BGP進程65410,並指定PE 1為對等體,對等體自治係統號為100。
<CE1> system-view
[CE1] bgp 65410
[CE1-bgp-default] peer 100.1.1.2 as-number 100
# 使能CE1與對等體100.1.1.2交換IPv4單播路由信息的能力。
[CE1-bgp-default] address-family ipv4 unicast
[CE1-bgp-default-ipv4] peer 100.1.1.2 enable
# 將CE 1上連接站點的直連接口路由引入EBGP。
[CE1-bgp-default-ipv4] import-route direct
[CE1-bgp-default-ipv4] quit
[CE1-bgp-default] quit
(4) 配置CE2
# CE 2上創建BGP進程65410,並指定PE 1為對等體,對等體自治係統號為100。
<CE2> system-view
[CE2] bgp 65410
[CE2-bgp-default] peer 200.1.1.2 as-number 100
# 使能CE2與對等體200.1.1.2交換IPv4單播路由信息的能力。
[CE2-bgp-default] address-family ipv4 unicast
[CE2-bgp-default-ipv4] peer 200.1.1.2 enable
# 將CE 2上連接站點的直連接口路由引入EBGP。
[CE2-bgp-default-ipv4] import-route direct
[CE2-bgp-default-ipv4] quit
[CE2-bgp-default] quit
(5) 配置CE3
# CE 3上創建BGP進程65430,並指定PE 2為對等體,對等體自治係統號為100。
<CE3> system-view
[CE3] bgp 65430
[CE3-bgp-default] peer 101.1.1.1 as-number 100
# 使能CE3與對等體101.1.1.1交換IPv4單播路由信息的能力。
[CE3-bgp-default] address-family ipv4 unicast
[CE3-bgp-default-ipv4] peer 101.1.1.1 enable
# 將CE 3上連接站點的直連接口路由引入EBGP。
[CE3-bgp-default-ipv4] import-route direct
[CE3-bgp-default-ipv4] quit
[CE3-bgp-default] quit
(6) 配置CE4
# CE4上創建BGP進程65430,並指定PE 2為對等體,對等體自治係統號為100。
<CE4> system-view
[CE4] bgp 65430
[CE4-bgp-default] peer 202.1.1.2 as-number 100
# 使能CE4與對等體202.1.1.2交換IPv4單播路由信息的能力。
[CE4-bgp-default] address-family ipv4 unicast
[CE4-bgp-default-ipv4] peer 202.1.1.2 enable
# 將CE 4上連接站點的直連接口路由引入EBGP。
[CE4-bgp-default-ipv4] import-route direct
[CE4-bgp-default-ipv4] quit
[CE4-bgp-default] quit
配置完成後,在PE設備上執行display bgp peer ipv4 vpn-instance命令,可以看到PE與CE之間的BGP對等體關係已建立,並達到Established狀態。
以PE 1與CE 1的對等體關係為例:
[PE1] display bgp peer ipv4 vpn-instance customerA
BGP local router ID: 1.1.1.9
Local AS number: 100
Total number of peers: 1 Peers in established state: 1
Peer AS MsgRcvd MsgSent OutQ PrefRcv Up/Down State
100.1.1.1 65410 4 4 0 2 13:35:25 Established
(1) 配置PE 1
# 在PE 1上配置PE 2為BGP對等體,並指定連接時使用的接口為Loopback0接口。
[PE1] bgp 100
[PE1-bgp-default] peer 3.3.3.9 as-number 100
[PE1-bgp-default] peer 3.3.3.9 connect-interface loopback 0
# 進入BGP-VPNv4地址族視圖,指定PE 2為對等體。
[PE1-bgp-default] address-family vpnv4
[PE1-bgp-default-vpnv4] peer 3.3.3.9 enable
[PE1-bgp-default-vpnv4] quit
[PE1-bgp-default] quit
(2) 配置PE 2
# 在PE 2上配置PE 1為BGP對等體,並指定連接時使用的接口為Loopback0接口。
[PE2] bgp 100
[PE2-bgp-default] peer 1.1.1.9 as-number 100
[PE2-bgp-default] peer 1.1.1.9 connect-interface loopback 0
# 進入BGP-VPNv4地址族視圖,指定PE 1為對等體。
[PE2-bgp-default] address-family vpnv4
[PE2-bgp-default-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-default-vpnv4] quit
[PE2-bgp-default] quit
配置完成後,在PE設備上執行display bgp peer vpnv4命令,可以看到PE之間的BGP對等體關係已建立,並達到Established狀態。
[PE1] display bgp peer vpnv4
BGP local router ID: 1.1.1.9
Local AS number: 100
Total number of peers: 1 Peers in established state: 1
Peer AS MsgRcvd MsgSent OutQ PrefRcv Up/Down State
3.3.3.9 100 8 8 0 0 00:00:08 Established
在PE設備上執行display ip routing-table vpn-instance命令,可以看到去往對端CE的路由。
以PE 1上的customerA為例:
[PE1] display ip routing-table vpn-instance customerA
Destinations : 13 Routes : 13
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
100.1.1.0/24 Direct 0 0 100.1.1.2 Vlan100
100.1.1.0/32 Direct 0 0 100.1.1.2 Vlan100
100.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0
100.1.1.255/32 Direct 0 0 100.1.1.2 Vlan100
101.1.1.0/24 BGP 255 0 3.3.3.9 Vlan2
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0
224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0
255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
同一VPN的CE能夠相互Ping通,不同VPN的CE不能相互Ping通。
例如:CE1能夠Ping通CE 3(101.1.1.2),但不能Ping通CE 4(202.1.1.1)。
· PE 1
#
ip vpn-instance customerA
route-distinguisher 100:1
vpn-target 111:1 import-extcommunity
vpn-target 222:1 export-extcommunity
#
ip vpn-instance customerB
route-distinguisher 200:1
vpn-target 333:1 import-extcommunity
vpn-target 444:1 export-extcommunity
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 10.1.1.0 0.0.0.255
#
mpls lsr-id 1.1.1.9
#
vlan 2
#
vlan 100
#
vlan 200
#
mpls ldp
#
interface LoopBack0
ip address 1.1.1.9 255.255.255.255
#
interface Vlan-interface2
ip address 10.1.1.1 255.255.255.0
mpls enable
mpls ldp enable
#
interface Vlan-interface100
ip binding vpn-instance customerA
ip address 100.1.1.2 255.255.255.0
#
interface Vlan-interface200
ip binding vpn-instance customerB
ip address 200.1.1.2 255.255.255.0
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
port access vlan 100
#
interface Ten-GigabitEthernet1/0/2
port link-mode bridge
port access vlan 2
#
interface Ten-GigabitEthernet1/0/3
port link-mode bridge
port access vlan 200
#
bgp 100
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack0
#
address-family vpnv4
peer 3.3.3.9 enable
#
ip vpn-instance customerA
peer 100.1.1.1 as-number 65410
#
address-family ipv4 unicast
import-route direct
peer 100.1.1.1 enable
#
ip vpn-instance customerB
peer 200.1.1.1 as-number 65410
#
address-family ipv4 unicast
import-route direct
peer 200.1.1.1 enable
#
· P
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.4.0 0.0.0.255
#
mpls lsr-id 2.2.2.9
#
vlan 2
#
vlan 5
#
mpls ldp
#
interface LoopBack0
ip address 2.2.2.9 255.255.255.255
#
interface Vlan-interface2
ip address 10.1.1.2 255.255.255.0
mpls enable
mpls ldp enable
#
interface Vlan-interface5
ip address 10.1.4.1 255.255.255.0
mpls enable
mpls ldp enable
#
interface Ten-GigabitEthernet1/0/2
port link-mode bridge
port access vlan 2
#
interface Ten-GigabitEthernet1/0/3
port link-mode bridge
port access vlan 5
#
· PE 2
#
ip vpn-instance customerA
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 222:1 import-extcommunity
#
ip vpn-instance customerB
route-distinguisher 200:1
vpn-target 333:1 export-extcommunity
vpn-target 444:1 import-extcommunity
#
ospf 1
area 0.0.0.0
network 10.1.4.0 0.0.0.255
network 3.3.3.9 0.0.0.0
#
mpls lsr-id 3.3.3.9
#
vlan 5
#
vlan 101
#
vlan 202
#
mpls ldp
#
interface LoopBack0
ip address 3.3.3.9 255.255.255.255
#
interface Vlan-interface5
ip address 10.1.4.2 255.255.255.0
mpls enable
mpls ldp enable
#
interface Vlan-interface101
ip binding vpn-instance customerA
ip address 101.1.1.1 255.255.255.0
#
interface Vlan-interface202
ip binding vpn-instance customerB
ip address 202.1.1.2 255.255.255.0
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
port access vlan 5
#
interface Ten-GigabitEthernet1/0/2
port link-mode bridge
port access vlan 101
#
interface Ten-GigabitEthernet1/0/3
port link-mode bridge
port access vlan 202
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack0
#
address-family vpnv4
peer 1.1.1.9 enable
#
ip vpn-instance customerA
peer 101.1.1.2 as-number 65430
#
address-family ipv4 unicast
import-route direct
peer 101.1.1.2 enable
#
ip vpn-instance customerB
peer 202.1.1.1 as-number 65430
#
address-family ipv4 unicast
import-route direct
peer 202.1.1.1 enable
#
· CE 1
#
vlan 100
#
interface Vlan-interface100
ip address 100.1.1.1 255.255.255.0
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
port access vlan 100
#
bgp 65410
peer 100.1.1.2 as-number 100
#
address-family ipv4 unicast
import-route direct
peer 100.1.1.2 enable
#
· CE 2
#
vlan 200
#
interface Vlan-interface200
ip address 200.1.1.1 255.255.255.0
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
port access vlan 200
#
bgp 65410
peer 200.1.1.2 as-number 100
#
address-family ipv4 unicast
import-route direct
peer 200.1.1.2 enable
#
· CE 3
#
vlan 101
#
interface Vlan-interface101
ip address 101.1.1.2 255.255.255.0
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
port access vlan 101
#
bgp 65430
peer 101.1.1.1 as-number 100
#
address-family ipv4 unicast
import-route direct
peer 101.1.1.1 enable
#
· CE 4
#
vlan 202
#
interface Vlan-interface202
ip address 202.1.1.1 255.255.255.0
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
port access vlan 202
#
bgp 65430
peer 202.1.1.2 as-number 100
#
address-family ipv4 unicast
import-route direct
peer 202.1.1.2 enable
#
在MPLS L3VPN網絡中,PE設備起到了最為關鍵的作用,不僅需要負責VPN用戶的接入,同時也負責VPN路由的管理和維護,以及私網報文的轉發工作。這就對PE設備的性能有了非常高的要求,從而導致網絡的擴展性受到限製。
HoVPN(Hierarchy of VPN,分層VPN)將PE設備的功能分布到多台設備,多台設備承擔不同的角色,並形成層次結構,共同完成一個PE的功能。HoVPN對不同角色的設備的性能要求也不相同,從而使網絡具備了良好的可擴展性。
在HoVPN組網下,直接連結用戶的設備稱為UPE(Underlayer PE or User-end PE,下層PE或用戶側PE);連結UPE並位於網絡內部的設備稱為SPE(Superstratum PE or Service Provider-end PE,上層PE或運營商側PE)。UPE與SPE構成分層式PE,共同完成傳統上一個PE的功能。
SPE與UPE的分工是:
· UPE主要完成用戶接入功能。UPE維護其直接相連的VPN Site的路由,但不維護VPN中其它遠程Site的路由或僅維護它們的聚合路由;UPE為其直接相連的Site的路由分配內層標簽,並通過MP-BGP隨VPN路由發布此標簽給SPE。
· SPE主要完成VPN路由的管理和發布。SPE維護其通過UPE連接的VPN所有路由,包括本地和遠程Site的路由,SPE將路由信息發布給UPE,並攜帶標簽。SPE發布的路由信息可以是VPN實例的缺省路由(或聚合路由),也可以是通過路由策略的路由信息。通過後者可以實現對同一VPN下不同站點之間互訪的控製。
如圖2所示,UPE與連接用戶的CE設備相連,並與運營商內部的SPE設備相連,圖中為路由和標簽交換過程,其中,Lx和Lz為UPE與SPE之間的公網的標簽,Ly為運營商骨幹網的公網的標簽。
圖2 HoVPN組網路由和標簽交換圖
如圖3所示,SPE設備處於AS100中,UPE設備處於AS200中,SPE為運營商骨幹網設備,UPE為連接用戶端CE的設備。UPE1和UPE2分別連接屬於VPN1的CE1和CE2。CE1連接兩個VLAN,分別為:VLAN 10(172.16.1.0/24)和VLAN 20(172.16.2.0/24);CE2下連一個VLAN:VLAN 30(172.16.3.0/24)。
現要求在用戶網絡中部署HoVPN服務,並通過配置路由策略,限製不同CE下連VLAN之間的互相訪問權限,使得CE1的VLAN 10和CE2的VLAN 30可以相互訪問,CE1的VLAN 20和CE2的VLAN 30不能相互訪問。
圖3 HoVPN典型配置舉例組網圖
此案例配置主要分為兩部分:
· 在網絡中配置HoVPN服務。
· 在SPE設備上配置路由策略,使得SPE2僅發布CE1的私網路由172.16.1.0/24給UPE2。
本舉例是在S6800-CMW710-R2609版本上進行配置和驗證的。
· 隻有在SPE設備上配置了路由策略,並允許向UPE設備發布路由時,SPE設備才會向UPE設備發布路由,即,在HoVPN組網中,路由策略為必選配置。
· 配置SPE與UPE之間建立EBGP對等體並發布標簽時,僅使能與對等體交換標簽的能力並不能進行標簽的發布,還需配置路由策略才可為對等體發布標簽。
· 由於在配置接口與VPN實例綁定後,接口上的IP地址等配置會清除,因此先配置接口與VPN實例的綁定關係,再進行其他配置。
(1) 配置SPE1
# 配置MPLS基本能力和MPLS LDP能力,建立LDP LSP。
<SPE1> system-view
[SPE1] interface loopback 0
[SPE1-LoopBack0] ip address 2.2.2.9 32
[SPE1-LoopBack0] quit
[SPE1] mpls lsr-id 2.2.2.9
[SPE1] mpls ldp
[SPE1-ldp] quit
[SPE1] interface vlan-interface 11
[SPE1-Vlan-interface11] ip address 172.1.1.2 24
[SPE1-Vlan-interface11] mpls enable
[SPE1-Vlan-interface11] quit
[SPE1] interface vlan-interface 12
[SPE1-Vlan-interface12] ip address 180.1.1.1 24
[SPE1-Vlan-interface12] mpls enable
[SPE1-Vlan-interface12] mpls ldp enable
[SPE1-Vlan-interface12] quit
# 配置OSPF作為IGP協議。
[SPE1] ospf
[SPE1-ospf-1] area 0
[SPE1-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[SPE1-ospf-1-area-0.0.0.0] network 180.1.1.0 0.0.0.255
[SPE1-ospf-1-area-0.0.0.0] quit
[SPE1-ospf-1] quit
(2) 配置SPE2
# 配置MPLS基本能力和MPLS LDP能力,建立LDP LSP。
<SPE2> system-view
[SPE2] interface loopback 0
[SPE2-LoopBack0] ip address 3.3.3.9 32
[SPE2-LoopBack0] quit
[SPE2] mpls lsr-id 3.3.3.9
[SPE2] mpls ldp
[SPE2-ldp] quit
[SPE2] interface vlan-interface 12
[SPE2-Vlan-interface12] ip address 180.1.1.2 24
[SPE2-Vlan-interface12] mpls enable
[SPE2-Vlan-interface12] mpls ldp enable
[SPE2-Vlan-interface12] quit
[SPE2] interface vlan-interface 11
[SPE2-Vlan-interface11] ip address 172.2.1.2 24
[SPE2-Vlan-interface11] mpls enable
[SPE2-Vlan-interface11] quit
# 配置OSPF作為IGP協議。
[SPE2] ospf
[SPE2-ospf-1] area 0
[SPE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0
[SPE2-ospf-1-area-0.0.0.0] network 180.1.1.0 0.0.0.255
[SPE2-ospf-1-area-0.0.0.0] quit
[SPE2-ospf-1] quit
配置完成後,在SPE設備上執行display mpls ldp peer命令可以看到LDP會話建立成功,LDP會話狀態為Operational;執行display ospf peer命令可以看到OSPF鄰居關係已建立,狀態為FULL。
# 配置SPE 1與SPE 2建立MP-IBGP對等體,交換VPNv4路由。
[SPE1] bgp 100
[SPE1-bgp-default] peer 3.3.3.9 as-number 100
[SPE1-bgp-default] peer 3.3.3.9 connect-interface loopback 0
[SPE1-bgp-default] address-family vpnv4
[SPE1-bgp-default-vpnv4] peer 3.3.3.9 enable
[SPE1-bgp-default-vpnv4] quit
[SPE1-bgp-default] quit
# 配置SPE 2與SPE 1建立MP-IBGP對等體,交換VPNv4路由。
[SPE2] bgp 100
[SPE2-bgp-default] peer 2.2.2.9 as-number 100
[SPE2-bgp-default] peer 2.2.2.9 connect-interface loopback 0
[SPE2-bgp-default] address-family vpnv4
[SPE2-bgp-default-vpnv4] peer 2.2.2.9 enable
[SPE2-bgp-default-vpnv4] quit
[SPE2-bgp-default] quit
配置完成後,在SPE1和SPE2上執行display bgp peer vpnv4命令可以看到BGP對等體關係已建立,並達到Established狀態。
(1) 配置UPE1
# 配置MPLS基本能力。
<UPE1> system-view
[UPE1] interface loopback 0
[UPE1-LoopBack0] ip address 1.1.1.9 32
[UPE1-LoopBack0] quit
[UPE1] mpls lsr-id 1.1.1.9
[UPE1] interface vlan-interface 11
[UPE1-Vlan-interface11] ip address 172.1.1.1 24
[UPE1-Vlan-interface11] mpls enable
[UPE1-Vlan-interface11] quit
(2) 配置UPE2
# 配置MPLS基本能力。
<UPE2> system-view
[UPE2] interface loopback 0
[UPE2-Loopback0] ip address 4.4.4.9 32
[UPE2-Loopback0] quit
[UPE2] mpls lsr-id 4.4.4.9
[UPE2] interface vlan-interface 11
[UPE2-Vlan-interface11] ip address 172.2.1.1 24
[UPE2-Vlan-interface11] mpls enable
[UPE2-Vlan-interface11] quit
(1) 配置SPE1
[SPE1] bgp 100
[SPE1-bgp-default] peer 172.1.1.1 as-number 200
[SPE1-bgp-default] address-family ipv4
[SPE1-bgp-default-ipv4] peer 172.1.1.1 enable
[SPE1-bgp-default-ipv4] peer 172.1.1.1 label-route-capability
[SPE1-bgp-default-ipv4] peer 172.1.1.1 route-policy policy1 export
[SPE1-bgp-default-ipv4] network 2.2.2.9 255.255.255.255
[SPE1-bgp-default-ipv4] quit
[SPE1-bgp-default] quit
# 配置路由策略,為路由分配標簽。
[SPE1] route-policy policy1 permit node 0
[SPE1-route-policy-policy1-0] apply mpls-label
[SPE1-route-policy-policy1-0] quit
(2) 配置UPE1
[UPE1] bgp 200
[UPE1-bgp-default] peer 172.1.1.2 as-number 100
[UPE1-bgp-default] address-family ipv4
[UPE1-bgp-default-ipv4] peer 172.1.1.2 enable
[UPE1-bgp-default-ipv4] peer 172.1.1.2 label-route-capability
[UPE1-bgp-default-ipv4] peer 172.1.1.2 route-policy policy1 export
[UPE1-bgp-default-ipv4] network 1.1.1.9 255.255.255.255
[UPE1-bgp-default-ipv4] quit
[UPE1-bgp-default] quit
# 配置路由策略,為路由分配標簽。
[UPE1] route-policy policy1 permit node 0
[UPE1-route-policy-policy1-0] apply mpls-label
[UPE1-route-policy-policy1-0] quit
(3) 配置SPE2
[SPE2] bgp 100
[SPE2-bgp-default] peer 172.2.1.1 as-number 200
[SPE2-bgp-default] address-family ipv4
[SPE2-bgp-default-ipv4] peer 172.2.1.1 enable
[SPE2-bgp-default-ipv4] peer 172.2.1.1 label-route-capability
[SPE2-bgp-default-ipv4] peer 172.2.1.1 route-policy policy1 export
[SPE2-bgp-default-ipv4] network 3.3.3.9 255.255.255.255
[SPE2-bgp-default-ipv4] quit
[SPE2-bgp-default] quit
[SPE2] route-policy policy1 permit node 0
[SPE2-route-policy-policy1-0] apply mpls-label
[SPE2-route-policy-policy1-0] quit
(4) 配置UPE2
[UPE2] bgp 200
[UPE2-bgp-default] peer 172.2.1.2 as-number 100
[UPE2-bgp-default] address-family ipv4
[UPE2-bgp-default-ipv4] peer 172.2.1.2 enable
[UPE2-bgp-default-ipv4] peer 172.2.1.2 label-route-capability
[UPE2-bgp-default-ipv4] peer 172.2.1.2 route-policy policy1 export
[UPE2-bgp-default-ipv4] network 4.4.4.9 255.255.255.255
[UPE2-bgp-default-ipv4] quit
[UPE2-bgp-default] quit
# 配置路由策略,為路由分配標簽。
[UPE2] route-policy policy1 permit node 0
[UPE2-route-policy-policy1-0] apply mpls-label
[UPE2-route-policy-policy1-0] quit
配置完成後,在各設備上執行display mpls lsp命令可以看到已在SPE與UPE之間建立BGP LSP。
(1) 配置UPE1
# 配置UPE 1與SPE 1建立MP-EBGP對等體。
[UPE1] bgp 200
[UPE1-bgp-default] peer 2.2.2.9 as-number 100
[UPE1-bgp-default] peer 2.2.2.9 connect-interface loopback 0
[UPE1-bgp-default] address-family vpnv4
[UPE1-bgp-default-vpnv4] peer 2.2.2.9 enable
# 配置UPE1接受AS_PATH屬性中已包含本地AS號的路由,以接收位於相同AS的UPE2的路由。
[UPE1-bgp-default-vpnv4] peer 2.2.2.9 allow-as-loop
[UPE1-bgp-default-vpnv4] quit
(2) 配置SPE1
# 配置VPN實例vpn1。
[SPE1] ip vpn-instance vpn1
[SPE1-vpn-instance-vpn1] route-distinguisher 100:1
[SPE1-vpn-instance-vpn1] vpn-target 100:1 both
[SPE1-vpn-instance-vpn1] quit
# 配置SPE 1與UPE 1建立MP-EBGP對等體,指定UPE 1,並引入VPN路由。
[SPE1] bgp 100
[SPE1-bgp-default] peer 1.1.1.9 as-number 200
[SPE1-bgp-default] peer 1.1.1.9 connect-interface loopback 0
[SPE1-bgp-default] address-family vpnv4
[SPE1-bgp-default-vpnv4] peer 1.1.1.9 enable
[SPE1-bgp-default-vpnv4] peer 1.1.1.9 upe
[SPE1-bgp-default-vpnv4] quit
[SPE1-bgp-default] ip vpn-instance vpn1
[SPE1-bgp-default-vpn1] quit
[SPE1-bgp-default] quit
(3) 配置UPE2
# 配置UPE 2與SPE 2建立MP-EBGP對等體。
[UPE2] bgp 200
[UPE2-bgp-default] peer 3.3.3.9 as-number 100
[UPE2-bgp-default] peer 3.3.3.9 connect-interface loopback 0
[UPE2-bgp-default] address-family vpnv4
[UPE2-bgp-default-vpnv4] peer 3.3.3.9 enable
# 配置UPE2接受AS_PATH屬性中已包含本地AS號的路由,以接收位於相同AS的UPE1的路由。
[UPE2-bgp-default-vpnv4] peer 3.3.3.9 allow-as-loop
[UPE2-bgp-default-vpnv4] quit
(4) 配置SPE2
# 配置VPN實例vpn1。
[SPE2] ip vpn-instance vpn1
[SPE2-vpn-instance-vpn1] route-distinguisher 100:1
[SPE2-vpn-instance-vpn1] vpn-target 100:1 both
[SPE2-vpn-instance-vpn1] quit
# 配置SPE 2與UPE 2建立MP-EBGP對等體,指定UPE 2,並引入VPN路由。
[SPE2] bgp 100
[SPE2-bgp-default] peer 4.4.4.9 as-number 200
[SPE2-bgp-default] peer 4.4.4.9 connect-interface loopback 0
[SPE2-bgp-default] address-family vpnv4
[SPE2-bgp-default-vpnv4] peer 4.4.4.9 enable
[SPE2-bgp-default-vpnv4] peer 4.4.4.9 upe
[SPE2-bgp-default-vpnv4] quit
[SPE2-bgp-default] ip vpn-instance vpn1
[SPE2-bgp-default-vpn1] quit
[SPE2-bgp-default] quit
配置完成後,在SPE和UPE設備上執行display bgp peer vpnv4命令可以看到相互之間的BGP對等體關係已建立,並達到Established狀態。
(1) 配置UPE1
# 配置VPN實例vpn1,將CE 1接入UPE 1。
[UPE1] ip vpn-instance vpn1
[UPE1-vpn-instance-vpn1] route-distinguisher 100:1
[UPE1-vpn-instance-vpn1] vpn-target 100:1 both
[UPE1-vpn-instance-vpn1] quit
[UPE1] interface vlan-interface 12
[UPE1-Vlan-interface12] ip binding vpn-instance vpn1
[UPE1-Vlan-interface12] ip address 10.1.1.2 24
[UPE1-Vlan-interface12] quit
# 配置UPE 1與CE 1建立EBGP對等體,並引入VPN路由。
[UPE1] bgp 200
[UPE1-bgp-default] ip vpn-instance vpn1
[UPE1-bgp-default-vpn1] peer 10.1.1.1 as-number 65410
[UPE1-bgp-default-vpn1] address-family ipv4 unicast
[UPE1-bgp-default-ipv4-vpn1] peer 10.1.1.1 enable
[UPE1-bgp-default-ipv4-vpn1] import-route direct
[UPE1-bgp-default-ipv4-vpn1] quit
[UPE1-bgp-default-vpn1] quit
(2) 配置CE1
配置CE1與UPE1建立EBGP對等體,並引入直連路由。
<CE1> system-view
[CE1] interface vlan-interface 12
[CE1-Vlan-interface12] ip address 10.1.1.1 255.255.255.0
[CE1-Vlan-interface12] quit
[CE1] bgp 65410
[CE1-bgp-default] peer 10.1.1.2 as-number 200
[CE1-bgp-default] address-family ipv4 unicast
[CE1-bgp-default-ipv4] peer 10.1.1.2 enable
[CE1-bgp-default-ipv4] import-route direct
[CE1-bgp-default-ipv4] quit
[CE1-bgp-default] quit
(3) 配置UPE2
# 配置VPN實例vpn1,將CE 2接入UPE 2。
[UPE2] ip vpn-instance vpn1
[UPE2-vpn-instance-vpn1] route-distinguisher 100:1
[UPE2-vpn-instance-vpn1] vpn-target 100:1 both
[UPE2-vpn-instance-vpn1] quit
[UPE2] interface vlan-interface 12
[UPE2-Vlan-interface12] ip binding vpn-instance vpn1
[UPE2-Vlan-interface12] ip address 10.2.1.2 24
[UPE2-Vlan-interface12] quit
# 配置UPE 2與CE 2建立EBGP對等體,並引入VPN路由。
[UPE2] bgp 200
[UPE2-bgp-default] ip vpn-instance vpn1
[UPE2-bgp-default-vpn1] peer 10.2.1.1 as-number 65420
[UPE2-bgp-default-vpn1] address-family ipv4 unicast
[UPE2-bgp-default-ipv4-vpn1] peer 10.2.1.1 enable
[UPE2-bgp-default-ipv4-vpn1] import-route direct
[UPE2-bgp-default-ipv4-vpn1] quit
[UPE2-bgp-default-vpn1] quit
(4) 配置CE2
配置CE2與UPE2建立EBGP對等體,並引入直連路由。
<CE2> system-view
[CE2] interface vlan-interface 12
[CE2-Vlan-interface12] ip address 10.2.1.1 255.255.255.0
[CE2-Vlan-interface12] quit
[CE2] bgp 65420
[CE2-bgp-default] peer 10.2.1.2 as-number 200
[CE2-bgp-default] address-family ipv4 unicast
[CE2-bgp-default-ipv4] peer 10.2.1.2 enable
[CE2-bgp-default-ipv4] import-route direct
[CE2-bgp-default-ipv4] quit
[CE2-bgp-default] quit
配置完成後,在UPE和CE設備上執行display bgp peer ipv4命令可以看到相互之間的BGP對等體關係已建立,並達到Established狀態。
(1) 配置SPE1
# 配置SPE 1向UPE 1發送通過策略的路由信息,允許CE 2的路由發送給UPE 1。
[SPE1] ip prefix-list list1 index 10 permit 172.16.3.0 24
[SPE1] route-policy policy2 permit node 0
[SPE1-route-policy-policy2-0] if-match ip address prefix-list list1
[SPE1-route-policy-policy2-0] quit
[SPE1] bgp 100
[SPE1-bgp-default] address-family vpnv4
[SPE1-bgp-default-vpnv4] peer 1.1.1.9 upe route-policy policy2 export
(2) 配置SPE2
# 配置SPE 2向UPE 2發送通過策略的路由信息,允許CE 1的私網路由172.16.1.0/24發送給UPE 2。
[SPE2] ip prefix-list list1 index 10 permit 172.16.1.0 24
[SPE2] route-policy policy2 permit node 0
[SPE2-route-policy-policy2-0] if-match ip address prefix-list list1
[SPE2-route-policy-policy2-0] quit
[SPE2] bgp 100
[SPE2-bgp-default] address-family vpnv4
[SPE2-bgp-default-vpnv4] peer 4.4.4.9 upe route-policy policy2 export
配置完成後,可以看到CE1已經學習到CE2下連網段172.16.3.0/24,如下:
[CE1] display ip routing-table
Destinations : 25 Routes : 25
Destination/Mask Proto Pre Cost NextHop Interface
172.16.1.0/24 Direct 0 0 172.16.1.1 VLAN10
172.16.1.0/32 Direct 0 0 172.16.1.1 VLAN10
172.16.1.1/32 Direct 0 0 127.0.0.1 InLoop0
172.16.1.255/32 Direct 0 0 172.16.1.1 VLAN10
172.16.2.0/24 Direct 0 0 172.16.2.1 VLAN20
172.16.2.0/32 Direct 0 0 172.16.2.1 VLAN20
172.16.2.1/32 Direct 0 0 127.0.0.1 InLoop0
172.16.2.255/32 Direct 0 0 172.16.2.1 VLAN20
172.16.3.0/24 BGP 255 0 10.1.1.2 VLAN12
CE2已經學習到CE1的下連網段172.16.1.0/24,但並未學習到CE1的下連網段172.16.2.0/24.如下:
[CE2] display ip routing-table
Destinations : 21 Routes : 21
Destination/Mask Proto Pre Cost NextHop Interface
172.16.1.0/24 BGP 255 0 10.2.1.2 VLAN13
172.16.3.0/24 Direct 0 0 172.16.3.1 VLAN30
172.16.3.0/32 Direct 0 0 172.16.3.1 VLAN30
172.16.3.1/32 Direct 0 0 127.0.0.1 InLoop0
172.16.3.255/32 Direct 0 0 172.16.3.1 VLAN30
CE1的VLAN 10:172.16.1.0/24可與CE2的VLAN 30:172.16.3.0/24互通;CE1的VLAN 20:172.16.2.0/24不能與CE2的VLAN 30:172.16.3.0/24互通。
· CE1
#
vlan 10
#
vlan 12
#
vlan 20
#
interface Vlan-interface10
ip address 172.16.1.1 255.255.255.0
#
interface Vlan-interface12
ip address 10.1.1.1 255.255.255.0
#
interface Vlan-interface20
ip address 172.16.2.1 255.255.255.0
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
port access vlan 10
#
interface Ten-GigabitEthernet1/0/2
port link-mode bridge
port access vlan 20
#
interface Ten-GigabitEthernet1/0/3
port link-mode bridge
port access vlan 12
#
bgp 65410
peer 10.1.1.2 as-number 200
#
address-family ipv4 unicast
import-route direct
peer 10.1.1.2 enable
#
· CE2
#
vlan 13
#
vlan 30
#
interface Vlan-interface13
ip address 10.2.1.1 255.255.255.0
#
interface Vlan-interface30
ip address 172.16.3.1 255.255.255.0
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
port access vlan 30
#
interface Ten-GigabitEthernet1/0/2
port link-mode bridge
port access vlan 13
#
bgp 65420
peer 10.2.1.2 as-number 200
#
address-family ipv4 unicast
import-route direct
peer 10.2.1.2 enable
#
· UPE1
#
ip vpn-instance vpn1
route-distinguisher 100:1
vpn-target 100:1 import-extcommunity
vpn-target 100:1 export-extcommunity
#
mpls lsr-id 1.1.1.9
#
vlan 11 to 12
#
interface LoopBack0
ip address 1.1.1.9 255.255.255.255
#
interface Vlan-interface11
ip address 172.1.1.1 255.255.255.0
mpls enable
#
interface Vlan-interface12
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.0
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
port access vlan 11
#
interface Ten-GigabitEthernet1/0/2
port link-mode bridge
port access vlan 12
#
bgp 200
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack0
peer 172.1.1.2 as-number 100
#
address-family ipv4 unicast
import-route direct
network 1.1.1.9 255.255.255.255
network 172.1.1.0 255.255.255.0
peer 172.1.1.2 enable
peer 172.1.1.2 route-policy hope export
peer 172.1.1.2 label-route-capability
#
address-family vpnv4
peer 2.2.2.9 enable
peer 2.2.2.9 allow-as-loop 1
#
ip vpn-instance vpn1
peer 10.1.1.1 as-number 65410
#
address-family ipv4 unicast
import-route direct
peer 10.1.1.1 enable
#
route-policy hope permit node 0
apply mpls-label
#
· SPE1
#
ip vpn-instance vpn1
route-distinguisher 100:1
vpn-target 100:1 import-extcommunity
vpn-target 100:1 export-extcommunity
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 180.1.1.0 0.0.0.255
#
mpls lsr-id 2.2.2.9
#
vlan 11 to 12
#
mpls ldp
#
interface LoopBack0
ip address 2.2.2.9 255.255.255.255
#
interface Vlan-interface11
ip address 172.1.1.2 255.255.255.0
mpls enable
#
interface Vlan-interface12
ip address 180.1.1.1 255.255.255.0
mpls enable
mpls ldp enable
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
port access vlan 11
#
interface Ten-GigabitEthernet1/0/2
port link-mode bridge
port access vlan 12
#
bgp 100
peer 1.1.1.9 as-number 200
peer 1.1.1.9 connect-interface LoopBack0
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack0
peer 172.1.1.1 as-number 200
#
address-family ipv4 unicast
network 2.2.2.9 255.255.255.255
peer 172.1.1.1 enable
peer 172.1.1.1 route-policy policy1 export
peer 172.1.1.1 label-route-capability
#
address-family vpnv4
peer 1.1.1.9 enable
peer 1.1.1.9 upe
peer 1.1.1.9 upe route-policy policy2 export
peer 3.3.3.9 enable
#
ip vpn-instance vpn1
#
route-policy policy1 permit node 0
apply mpls-label
#
route-policy policy2 permit node 0
if-match ip address prefix-list list1
#
ip prefix-list list1 index 10 permit 172.16.3.0 24
#
· UPE2
#
ip vpn-instance vpn1
route-distinguisher 100:1
vpn-target 100:1 import-extcommunity
vpn-target 100:1 export-extcommunity
#
mpls lsr-id 4.4.4.9
#
vlan 11
#
vlan 13
#
interface LoopBack0
ip address 4.4.4.9 255.255.255.255
#
interface Vlan-interface11
ip address 172.2.1.1 255.255.255.0
mpls enable
#
interface Vlan-interface13
ip binding vpn-instance vpn1
ip address 10.2.1.2 255.255.255.0
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
port access vlan 11
#
interface Ten-GigabitEthernet1/0/2
port link-mode bridge
port access vlan 13
#
bgp 200
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack0
peer 172.2.1.2 as-number 100
#
address-family ipv4 unicast
network 4.4.4.9 255.255.255.255
peer 172.2.1.2 enable
peer 172.2.1.2 route-policy hope export
peer 172.2.1.2 label-route-capability
#
address-family vpnv4
peer 3.3.3.9 enable
peer 3.3.3.9 allow-as-loop 1
#
ip vpn-instance vpn1
peer 10.2.1.1 as-number 65420
#
address-family ipv4 unicast
import-route direct
peer 10.2.1.1 enable
#
route-policy hope permit node 0
apply mpls-label
#
· SPE2
#
ip vpn-instance vpn1
route-distinguisher 100:1
vpn-target 100:1 import-extcommunity
vpn-target 100:1 export-extcommunity
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 180.1.1.0 0.0.0.255
#
mpls lsr-id 3.3.3.9
#
vlan 11 to 12
#
mpls ldp
#
interface LoopBack0
ip address 3.3.3.9 255.255.255.255
#
interface Vlan-interface11
ip address 172.2.1.2 255.255.255.0
mpls enable
#
interface Vlan-interface12
ip address 180.1.1.2 255.255.255.0
mpls enable
mpls ldp enable
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
port access vlan 11
#
interface Ten-GigabitEthernet1/0/2
port link-mode bridge
port access vlan 12
#
bgp 100
router-id 3.3.3.9
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack0
peer 4.4.4.9 as-number 200
peer 4.4.4.9 connect-interface LoopBack0
peer 172.2.1.1 as-number 200
#
address-family ipv4 unicast
network 3.3.3.9 255.255.255.255
peer 172.2.1.1 enable
peer 172.2.1.1 route-policy policy1 export
peer 172.2.1.1 label-route-capability
#
address-family vpnv4
peer 2.2.2.9 enable
peer 4.4.4.9 enable
peer 4.4.4.9 upe
peer 4.4.4.9 upe route-policy policy2 export
#
ip vpn-instance vpn1
#
route-policy policy1 permit node 0
apply mpls-label
#
route-policy policy2 permit node 0
if-match ip address prefix-list list1
#
ip prefix-list list1 index 10 permit 172.16.1.0 24
#
· H3C S6800係列以太網交換機 MPLS L3VPN配置指導-Release 26xx係列
· H3C S6800係列以太網交換機 MPLS L3VPN命令參考-Release 26xx係列
不同款型規格的資料略有差異, 詳細信息請向具體銷售和400谘詢。H3C保留在沒有任何通知或提示的情況下對資料內容進行修改的權利!
支持
