MPLS VPN

Figure 1: Control plane (mpls_vpn.png)

Figure 2: Data plane (mpls_vpn_data.png)

Figure 3: Data plane, cont. (data_trans.png)

1.1 VRF

Routes from different customers must cross the provider's MPLS VPN backbone, and those routes may use the same IPv4 address space.

The PE router allocates one VRF per VPN. Besides the global IP routing table, the PE maintains a separate IP routing table for each VRF, the VRF routing table. The global IP routing table and each VRF's routing table are independent of and isolated from one another.

Because a VRF creates a virtual routing table, a VRF can logically be regarded as a virtual router whose routing table is the VRF routing table.

Because each VPN has its own VRF routing table, each VPN on the PE also has its own CEF table for forwarding its packets, the VRF CEF table. Once a VRF has been created on the PE router, specific interfaces (physical or logical) can be placed into it; such an interface then no longer belongs to the global IP routing table or to any other VRF, and serves only that VRF.

1.2 RD

Associated with a VRF; used to keep VRF prefixes unique when MP-BGP carries them. Its essential purpose is to distinguish, within MP-BGP, identical route prefixes that belong to different customers.

The RD does not say which VRF a prefix belongs to, because the RD is not a VPN identifier (that is the job of the RT). The RD has two main functions:

  1. Together with the 32-bit IPv4 prefix it forms the 96-bit VPNv4 prefix that is carried in MP-BGP
  2. If different VPN customers use the same IPv4 address space, configuring different RD values keeps the prefixes unique

1.3 RT

Associated with a VRF; used to distinguish different VPN customers. It is essentially a BGP extended community attribute, configured under the VRF, and is carried together with the VPNv4 prefix.

A route can carry multiple RT values; the receiver imports it into a VRF routing table as long as at least one of them matches.
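As an added example (not code from the original notes), the following Python models the two rules from sections 1.2 and 1.3: the RD is prepended to the IPv4 prefix to form the 96-bit VPNv4 NLRI, and a VRF imports a route when any attached RT matches its import list. It uses the RD 234:100 from the lab below and the asymmetric RT pair 24:2/24:4 from section 3; the Vrf and Vpnv4Route classes and the constructed_demo inputs are assumptions for illustration.

```python
"""VPNv4 prefix construction and route-target import decisions.

Added example, not code from the original lab notes. Encodings follow
RFC 4364 (RD type 0 = ASN:nn, type 1 = IPv4:nn) and RFC 4360 (RT as a
two-octet-AS-specific extended community, type 0x00 subtype 0x02).
"""
import ipaddress
import struct
from dataclasses import dataclass, field


def encode_rd(rd: str) -> bytes:
    """Encode 'ASN:nn' (type 0) or 'A.B.C.D:nn' (type 1) as the 8-byte RD."""
    admin, assigned = rd.rsplit(":", 1)
    if "." in admin:
        # Type 1: 2-byte type, 4-byte IPv4 administrator, 2-byte assigned number
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, int(assigned))
    # Type 0: 2-byte type, 2-byte AS administrator, 4-byte assigned number
    return struct.pack("!HHI", 0, int(admin), int(assigned))


def vpnv4_prefix(rd: str, prefix: str) -> bytes:
    """Return the 96-bit VPNv4 prefix: RD (64 bits) followed by the IPv4 network (32 bits)."""
    net = ipaddress.IPv4Network(prefix)
    return encode_rd(rd) + net.network_address.packed


def encode_rt(rt: str) -> bytes:
    """Encode an RT 'ASN:nn' as a transitive two-octet-AS-specific extended community."""
    asn, nn = rt.split(":")
    return struct.pack("!BBHI", 0x00, 0x02, int(asn), int(nn))


@dataclass
class Vpnv4Route:
    """A VPNv4 route as carried by MP-BGP: RD + prefix, next hop, attached RTs."""
    rd: str
    prefix: str
    next_hop: str
    rts: tuple

    def nlri(self) -> bytes:
        return vpnv4_prefix(self.rd, self.prefix)

    def display(self) -> str:
        # Same form as 'BGP routing table entry for 234:100:5.5.5.5/32' in the show output
        return f"{self.rd}:{self.prefix}"


@dataclass
class Vrf:
    name: str
    rd: str
    import_rts: frozenset
    export_rts: frozenset
    table: dict = field(default_factory=dict)  # prefix -> next hop

    def export(self, prefix: str, next_hop: str) -> Vpnv4Route:
        """Attach this VRF's RD and export RTs to a local prefix before MP-BGP advertises it."""
        return Vpnv4Route(self.rd, prefix, next_hop, tuple(sorted(self.export_rts)))

    def accepts(self, route: Vpnv4Route) -> bool:
        """Import rule: one matching RT is enough; the RD plays no part in the decision."""
        return any(rt in self.import_rts for rt in route.rts)

    def import_routes(self, routes) -> list:
        """Install every accepted route and return the prefixes that were imported."""
        imported = []
        for route in routes:
            if self.accepts(route):
                self.table[route.prefix] = route.next_hop
                imported.append(route.prefix)
        return imported


def constructed_demo() -> dict:
    """Same 10.1.12.0/24 under two RDs, plus the asymmetric RTs of VRF CISCO in section 3."""
    # Constructed input: identical IPv4 prefix, different RDs -> distinct VPNv4 NLRI.
    a = vpnv4_prefix("234:100", "10.1.12.0/24")
    b = vpnv4_prefix("234:200", "10.1.12.0/24")
    # VRF CISCO as configured on R2 (export 24:2 / import 24:4) and R4 (the reverse).
    r2 = Vrf("CISCO", "234:100", import_rts=frozenset({"24:4"}), export_rts=frozenset({"24:2"}))
    r4 = Vrf("CISCO", "234:100", import_rts=frozenset({"24:2"}), export_rts=frozenset({"24:4"}))
    from_r4 = r4.export("5.5.5.5/32", "4.4.4.4")
    from_r2 = r2.export("1.1.1.1/32", "2.2.2.2")
    # Constructed stray route whose RT nobody imports: both PEs must drop it.
    stray = Vpnv4Route("234:100", "10.1.12.0/24", "9.9.9.9", ("999:1",))
    return {
        "distinct_nlri": a != b,
        "r2_imports": r2.import_routes([from_r4, from_r2, stray]),
        "r4_imports": r4.import_routes([from_r4, from_r2, stray]),
    }
```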

2 Basic lab

Figure 4: Lab topology (mpls_ex.png)

R2, R3 and R4 are the provider's devices; R2 is PE1 and R4 is PE2. R1 and R5 are CE1 and CE2 respectively, representing two sites of the same VPN customer.

- The PE-CE routing protocol between CE1 and PE1 is EIGRP; the EIGRP AS number is CE (90) / PE (1)
- The PE-CE routing protocol between CE2 and PE2 is OSPF; the OSPF process ID is CE (110) / PE (1)
- The global IGP inside the MPLS VPN backbone is OSPF, process 100
- PE1 and PE2 maintain an MP-iBGP adjacency and exchange VPNv4 routes; the BGP AS number is 234
- R2, R3 and R4 maintain LDP adjacencies and exchange IGP labels

2.1 Lab configuration

2.1.1 Initial IP configuration

Configuration listing
----------------- R1 ----------------------
en
conf t
 hostname R1
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip address 1.1.1.1 255.255.255.255
 exit
 int e0/0
  ip address 10.1.12.1 255.255.255.0
  no sh
 exit
end

----------------- R2 ----------------------
en
conf t
 hostname R2
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip address 2.2.2.2 255.255.255.255
 exit
 int e0/0
  ip address 10.1.12.2 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 10.1.23.2 255.255.255.0
  no sh
 exit
end

----------------- R3 ----------------------
en
conf t
 hostname R3
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip address 3.3.3.3 255.255.255.255
 exit
 int e0/0
  ip address 10.1.23.3 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 10.1.34.3 255.255.255.0
  no sh
 exit
end

----------------- R4 ----------------------
en
conf t
 hostname R4
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip address 4.4.4.4 255.255.255.255
 exit
 int e0/0
  ip address 10.1.34.4 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 10.1.45.4 255.255.255.0
  no sh
 exit
end

----------------- R5 ----------------------
en
conf t
 hostname R5
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip address 5.5.5.5 255.255.255.255
 exit
 int e0/0
  ip address 10.1.45.5 255.255.255.0
  no sh
 exit
end

2.1.2 Backbone IGP configuration

Configuration listing
----------------- R1 ----------------------
en
conf t
 hostname R1
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip address 1.1.1.1 255.255.255.255
 exit
 int e0/0
  ip address 10.1.12.1 255.255.255.0
  no sh
 exit
end

----------------- R2 ----------------------
en
conf t
 hostname R2
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip address 2.2.2.2 255.255.255.255
 exit
 int e0/0
  ip address 10.1.12.2 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 10.1.23.2 255.255.255.0
  no sh
 exit
 
 router ospf 100
  router-id 2.2.2.2
  network 2.2.2.2 0.0.0.0 area 0
  network 10.1.23.2 0.0.0.0 area 0
 exit
 
end

----------------- R3 ----------------------
en
conf t
 hostname R3
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip address 3.3.3.3 255.255.255.255
 exit
 int e0/0
  ip address 10.1.23.3 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 10.1.34.3 255.255.255.0
  no sh
 exit
 
 router ospf 100
  router-id 3.3.3.3
  network 3.3.3.3 0.0.0.0 area 0
  network 10.1.23.3 0.0.0.0 area 0
  network 10.1.34.3 0.0.0.0 area 0
 exit
 
end

----------------- R4 ----------------------
en
conf t
 hostname R4
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip address 4.4.4.4 255.255.255.255
 exit
 int e0/0
  ip address 10.1.34.4 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 10.1.45.4 255.255.255.0
  no sh
 exit
 
 router ospf 100
  router-id 4.4.4.4
  network 4.4.4.4 0.0.0.0 area 0
  network 10.1.34.4 0.0.0.0 area 0
 exit
 
end

----------------- R5 ----------------------
en
conf t
 hostname R5
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip address 5.5.5.5 255.255.255.255
 exit
 int e0/0
  ip address 10.1.45.5 255.255.255.0
  no sh
 exit
end

2.1.3 Backbone MPLS configuration

Configuration listing
----------------- R1 ----------------------
en
conf t
 hostname R1
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip address 1.1.1.1 255.255.255.255
 exit
 int e0/0
  ip address 10.1.12.1 255.255.255.0
  no sh
 exit
end

----------------- R2 ----------------------
en
conf t
 hostname R2
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip address 2.2.2.2 255.255.255.255
 exit
 int e0/0
  ip address 10.1.12.2 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 10.1.23.2 255.255.255.0
  no sh
 exit
 router ospf 100
  router-id 2.2.2.2
  network 2.2.2.2 0.0.0.0 area 0
  network 10.1.23.2 0.0.0.0 area 0
 exit
 
 ip cef
 mpls ldp router-id lo0
 mpls label range 200 299
 int e0/1
  mpls ip
 exit
 
end

----------------- R3 ----------------------
en
conf t
 hostname R3
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip address 3.3.3.3 255.255.255.255
 exit
 int e0/0
  ip address 10.1.23.3 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 10.1.34.3 255.255.255.0
  no sh
 exit
 router ospf 100
  router-id 3.3.3.3
  network 3.3.3.3 0.0.0.0 area 0
  network 10.1.23.3 0.0.0.0 area 0
  network 10.1.34.3 0.0.0.0 area 0
 exit
 
 ip cef
 mpls ldp router-id lo0
 mpls label range 300 399
 int range e0/0,e0/1
  mpls ip
 exit
 
end

----------------- R4 ----------------------
en
conf t
 hostname R4
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip address 4.4.4.4 255.255.255.255
 exit
 int e0/0
  ip address 10.1.34.4 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 10.1.45.4 255.255.255.0
  no sh
 exit
 router ospf 100
  router-id 4.4.4.4
  network 4.4.4.4 0.0.0.0 area 0
  network 10.1.34.4 0.0.0.0 area 0
 exit
 
 ip cef
 mpls ldp router-id lo0
 mpls label range 400 499
 int e0/0
  mpls ip
 exit
 
end

----------------- R5 ----------------------
en
conf t
 hostname R5
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip address 5.5.5.5 255.255.255.255
 exit
 int e0/0
  ip address 10.1.45.5 255.255.255.0
  no sh
 exit
end

2.1.4 PE VRF configuration

Configuration listing
----------------- R1 ----------------------
en
conf t
 hostname R1
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip address 1.1.1.1 255.255.255.255
 exit
 int e0/0
  ip address 10.1.12.1 255.255.255.0
  no sh
 exit
end

----------------- R2 ----------------------
en
conf t
 hostname R2
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip address 2.2.2.2 255.255.255.255
 exit
 int e0/0
  ip address 10.1.12.2 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 10.1.23.2 255.255.255.0
  no sh
 exit
 router ospf 100
  router-id 2.2.2.2
  network 2.2.2.2 0.0.0.0 area 0
  network 10.1.23.2 0.0.0.0 area 0
 exit
 ip cef
 mpls ldp router-id lo0
 mpls label range 200 299
 int e0/1
  mpls ip
 exit
 
 ip vrf MY_VRF
  rd 234:100
  route-target both 100:100
 exit
 int e0/0
  ip vrf forwarding MY_VRF
  ip address 10.1.12.2 255.255.255.0
 exit
 
end

----------------- R3 ----------------------
en
conf t
 hostname R3
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip address 3.3.3.3 255.255.255.255
 exit
 int e0/0
  ip address 10.1.23.3 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 10.1.34.3 255.255.255.0
  no sh
 exit
 router ospf 100
  router-id 3.3.3.3
  network 3.3.3.3 0.0.0.0 area 0
  network 10.1.23.3 0.0.0.0 area 0
  network 10.1.34.3 0.0.0.0 area 0
 exit
 ip cef
 mpls ldp router-id lo0
 mpls label range 300 399
 int range e0/0,e0/1
  mpls ip
 exit
end

----------------- R4 ----------------------
en
conf t
 hostname R4
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip address 4.4.4.4 255.255.255.255
 exit
 int e0/0
  ip address 10.1.34.4 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 10.1.45.4 255.255.255.0
  no sh
 exit
 router ospf 100
  router-id 4.4.4.4
  network 4.4.4.4 0.0.0.0 area 0
  network 10.1.34.4 0.0.0.0 area 0
 exit
 ip cef
 mpls ldp router-id lo0
 mpls label range 400 499
 int e0/0
  mpls ip
 exit
 
 ip vrf MY_VRF
  rd 234:100
  route-target both 100:100
 exit
 int e0/1
  ip vrf forwarding MY_VRF
  ip address 10.1.45.4 255.255.255.0
 exit
 
end

----------------- R5 ----------------------
en
conf t
 hostname R5
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip address 5.5.5.5 255.255.255.255
 exit
 int e0/0
  ip address 10.1.45.5 255.255.255.0
  no sh
 exit
end

2.1.5 PE MP-iBGP configuration

Configuration listing
----------------- R1 ----------------------
en
conf t
 hostname R1
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip address 1.1.1.1 255.255.255.255
 exit
 int e0/0
  ip address 10.1.12.1 255.255.255.0
  no sh
 exit
end

----------------- R2 ----------------------
en
conf t
 hostname R2
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip address 2.2.2.2 255.255.255.255
 exit
 int e0/0
  ip address 10.1.12.2 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 10.1.23.2 255.255.255.0
  no sh
 exit
 router ospf 100
  router-id 2.2.2.2
  network 2.2.2.2 0.0.0.0 area 0
  network 10.1.23.2 0.0.0.0 area 0
 exit
 ip cef
 mpls ldp router-id lo0
 mpls label range 200 299
 int e0/1
  mpls ip
 exit
 ip vrf MY_VRF
  rd 234:100
  route-target both 100:100
 exit
 int e0/0
  ip vrf forwarding MY_VRF
  ip address 10.1.12.2 255.255.255.0
 exit
 
 router bgp 234
  bgp router-id 2.2.2.2
  no bgp default ipv4-unicast
  neighbor 4.4.4.4 remote-as 234
  neighbor 4.4.4.4 update-source lo0
  address-family vpnv4
   neighbor 4.4.4.4 activate
   ! this is on by default
   neighbor 4.4.4.4 send-community
  exit-address-family
 exit
 
end

----------------- R3 ----------------------
en
conf t
 hostname R3
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip address 3.3.3.3 255.255.255.255
 exit
 int e0/0
  ip address 10.1.23.3 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 10.1.34.3 255.255.255.0
  no sh
 exit
 router ospf 100
  router-id 3.3.3.3
  network 3.3.3.3 0.0.0.0 area 0
  network 10.1.23.3 0.0.0.0 area 0
  network 10.1.34.3 0.0.0.0 area 0
 exit
 ip cef
 mpls ldp router-id lo0
 mpls label range 300 399
 int range e0/0,e0/1
  mpls ip
 exit
end

----------------- R4 ----------------------
en
conf t
 hostname R4
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip address 4.4.4.4 255.255.255.255
 exit
 int e0/0
  ip address 10.1.34.4 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 10.1.45.4 255.255.255.0
  no sh
 exit
 router ospf 100
  router-id 4.4.4.4
  network 4.4.4.4 0.0.0.0 area 0
  network 10.1.34.4 0.0.0.0 area 0
 exit
 ip cef
 mpls ldp router-id lo0
 mpls label range 400 499
 int e0/0
  mpls ip
 exit
 ip vrf MY_VRF
  rd 234:100
  route-target both 100:100
 exit
 int e0/1
  ip vrf forwarding MY_VRF
  ip address 10.1.45.4 255.255.255.0
 exit
 
 router bgp 234
  bgp router-id 4.4.4.4
  no bgp default ipv4-unicast
  neighbor 2.2.2.2 remote-as 234
  neighbor 2.2.2.2 update-source lo0
  address-family vpnv4
   neighbor 2.2.2.2 activate
   neighbor 2.2.2.2 send-community
  exit-address-family
 exit
 
end

----------------- R5 ----------------------
en
conf t
 hostname R5
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip address 5.5.5.5 255.255.255.255
 exit
 int e0/0
  ip address 10.1.45.5 255.255.255.0
  no sh
 exit
end

2.1.6 CE-PE routing protocol configuration

Configuration listing
----------------- R1 ----------------------
en
conf t
 hostname R1
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip address 1.1.1.1 255.255.255.255
 exit
 int e0/0
  ip address 10.1.12.1 255.255.255.0
  no sh
 exit
 
 router eigrp 90
  network 10.1.12.1 0.0.0.0
  network 1.1.1.1 0.0.0.0
 exit
 
end

----------------- R2 ----------------------
en
conf t
 hostname R2
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip address 2.2.2.2 255.255.255.255
 exit
 int e0/0
  ip address 10.1.12.2 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 10.1.23.2 255.255.255.0
  no sh
 exit
 router ospf 100
  router-id 2.2.2.2
  network 2.2.2.2 0.0.0.0 area 0
  network 10.1.23.2 0.0.0.0 area 0
 exit
 ip cef
 mpls ldp router-id lo0
 mpls label range 200 299
 int e0/1
  mpls ip
 exit
 ip vrf MY_VRF
  rd 234:100
  route-target both 100:100
 exit
 int e0/0
  ip vrf forwarding MY_VRF
  ip address 10.1.12.2 255.255.255.0
 exit
 router bgp 234
  bgp router-id 2.2.2.2
  no bgp default ipv4-unicast
  neighbor 4.4.4.4 remote-as 234
  neighbor 4.4.4.4 update-source lo0
  address-family vpnv4
   neighbor 4.4.4.4 activate
   ! this is on by default
   neighbor 4.4.4.4 send-community
  exit-address-family
 exit
 
 router eigrp 1
  address-family ipv4 vrf MY_VRF
    ! the CE-side AS must be specified when configuring EIGRP under a VRF
    autonomous-system 90
   network 10.1.12.2 0.0.0.0
  exit-address-family
 exit
 
end

----------------- R3 ----------------------
en
conf t
 hostname R3
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip address 3.3.3.3 255.255.255.255
 exit
 int e0/0
  ip address 10.1.23.3 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 10.1.34.3 255.255.255.0
  no sh
 exit
 router ospf 100
  router-id 3.3.3.3
  network 3.3.3.3 0.0.0.0 area 0
  network 10.1.23.3 0.0.0.0 area 0
  network 10.1.34.3 0.0.0.0 area 0
 exit
 ip cef
 mpls ldp router-id lo0
 mpls label range 300 399
 int range e0/0,e0/1
  mpls ip
 exit
end

----------------- R4 ----------------------
en
conf t
 hostname R4
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip address 4.4.4.4 255.255.255.255
 exit
 int e0/0
  ip address 10.1.34.4 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 10.1.45.4 255.255.255.0
  no sh
 exit
 router ospf 100
  router-id 4.4.4.4
  network 4.4.4.4 0.0.0.0 area 0
  network 10.1.34.4 0.0.0.0 area 0
 exit
 ip cef
 mpls ldp router-id lo0
 mpls label range 400 499
 int e0/0
  mpls ip
 exit
 ip vrf MY_VRF
  rd 234:100
  route-target both 100:100
 exit
 int e0/1
  ip vrf forwarding MY_VRF
  ip address 10.1.45.4 255.255.255.0
 exit
 router bgp 234
  bgp router-id 4.4.4.4
  no bgp default ipv4-unicast
  neighbor 2.2.2.2 remote-as 234
  neighbor 2.2.2.2 update-source lo0
  address-family vpnv4
   neighbor 2.2.2.2 activate
   neighbor 2.2.2.2 send-community
  exit-address-family
 exit
 
 router ospf 1 vrf MY_VRF
  router-id 4.4.4.4
  network 10.1.45.4 0.0.0.0 area 0
 exit
 
end

----------------- R5 ----------------------
en
conf t
 hostname R5
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip address 5.5.5.5 255.255.255.255
 exit
 int e0/0
  ip address 10.1.45.5 255.255.255.0
  no sh
 exit
 
 router ospf 110
  router-id 5.5.5.5
  network 10.1.45.5 0.0.0.0 area 0
  network 5.5.5.5 0.0.0.0 area 0
 exit
 
end

2.1.7 PE route redistribution configuration

Configuration listing
----------------- R1 ----------------------
en
conf t
 hostname R1
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip address 1.1.1.1 255.255.255.255
 exit
 int e0/0
  ip address 10.1.12.1 255.255.255.0
  no sh
 exit
 router eigrp 90
  network 10.1.12.1 0.0.0.0
  network 1.1.1.1 0.0.0.0
 exit
end

----------------- R2 ----------------------
en
conf t
 hostname R2
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip address 2.2.2.2 255.255.255.255
 exit
 int e0/0
  ip address 10.1.12.2 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 10.1.23.2 255.255.255.0
  no sh
 exit
 router ospf 100
  router-id 2.2.2.2
  network 2.2.2.2 0.0.0.0 area 0
  network 10.1.23.2 0.0.0.0 area 0
 exit
 ip cef
 mpls ldp router-id lo0
 mpls label range 200 299
 int e0/1
  mpls ip
 exit
 ip vrf MY_VRF
  rd 234:100
  route-target both 100:100
 exit
 int e0/0
  ip vrf forwarding MY_VRF
  ip address 10.1.12.2 255.255.255.0
 exit
 router bgp 234
  bgp router-id 2.2.2.2
  no bgp default ipv4-unicast
  neighbor 4.4.4.4 remote-as 234
  neighbor 4.4.4.4 update-source lo0
  address-family vpnv4
   neighbor 4.4.4.4 activate
   ! this is on by default
   neighbor 4.4.4.4 send-community
  exit-address-family
 exit
 router eigrp 1
  address-family ipv4 vrf MY_VRF
    ! the CE-side AS must be specified when configuring EIGRP under a VRF
    autonomous-system 90
   network 10.1.12.2 0.0.0.0
  exit-address-family
 exit
 
 router eigrp 1
  address-family ipv4 vrf MY_VRF
   redistribute bgp 234 metric 1 0 0 1 1
  exit-address-family
 exit
 router bgp 234
  address-family ipv4 vrf MY_VRF
   redistribute eigrp 90
  exit-address-family
 exit
 
end

----------------- R3 ----------------------
en
conf t
 hostname R3
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip address 3.3.3.3 255.255.255.255
 exit
 int e0/0
  ip address 10.1.23.3 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 10.1.34.3 255.255.255.0
  no sh
 exit
 router ospf 100
  router-id 3.3.3.3
  network 3.3.3.3 0.0.0.0 area 0
  network 10.1.23.3 0.0.0.0 area 0
  network 10.1.34.3 0.0.0.0 area 0
 exit
 ip cef
 mpls ldp router-id lo0
 mpls label range 300 399
 int range e0/0,e0/1
  mpls ip
 exit
end

----------------- R4 ----------------------
en
conf t
 hostname R4
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip address 4.4.4.4 255.255.255.255
 exit
 int e0/0
  ip address 10.1.34.4 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 10.1.45.4 255.255.255.0
  no sh
 exit
 router ospf 100
  router-id 4.4.4.4
  network 4.4.4.4 0.0.0.0 area 0
  network 10.1.34.4 0.0.0.0 area 0
 exit
 ip cef
 mpls ldp router-id lo0
 mpls label range 400 499
 int e0/0
  mpls ip
 exit
 ip vrf MY_VRF
  rd 234:100
  route-target both 100:100
 exit
 int e0/1
  ip vrf forwarding MY_VRF
  ip address 10.1.45.4 255.255.255.0
 exit
 router bgp 234
  bgp router-id 4.4.4.4
  no bgp default ipv4-unicast
  neighbor 2.2.2.2 remote-as 234
  neighbor 2.2.2.2 update-source lo0
  address-family vpnv4
   neighbor 2.2.2.2 activate
   neighbor 2.2.2.2 send-community
  exit-address-family
 exit
 router ospf 1 vrf MY_VRF
  router-id 4.4.4.4
  network 10.1.45.4 0.0.0.0 area 0
 exit
 
 router ospf 1 vrf MY_VRF
  redistribute bgp 234 metric 1 subnets
 exit
 router bgp 234
  address-family ipv4 vrf MY_VRF
   redistribute ospf 1 metric 1 match internal external
  exit-address-family
 exit
 
end

----------------- R5 ----------------------
en
conf t
 hostname R5
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip address 5.5.5.5 255.255.255.255
 exit
 int e0/0
  ip address 10.1.45.5 255.255.255.0
  no sh
 exit
 router ospf 110
  router-id 5.5.5.5
  network 10.1.45.5 0.0.0.0 area 0
  network 5.5.5.5 0.0.0.0 area 0
 exit
end

2.2 Show commands

2.2.1 Viewing the BGP vpnv4 neighbor relationship

R2#sh ip bgp vpnv4 all summary
BGP router identifier 2.2.2.2, local AS number 234
BGP table version is 1, main routing table version 1

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
4.4.4.4         4          234       5       5        1    0    0 00:02:22        0

2.2.2 Viewing BGP vpnv4 routes

R2#sh ip bgp vpnv4 all
BGP table version is 7, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
              t secondary path,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 234:100 (default for vrf MY_VRF)
 *>   1.1.1.1/32       10.1.12.1           409600         32768 ?
 *>i  5.5.5.5/32       4.4.4.4                  1    100      0 ?
 *>   10.1.12.0/24     0.0.0.0                  0         32768 ?
 *>i  10.1.45.0/24     4.4.4.4                  0    100      0 ?

2.2.3 Viewing the labels allocated to BGP vpnv4 routes

R2#sh ip bgp vpnv4 all labels
   Network          Next Hop      In label/Out label
Route Distinguisher: 234:100 (MY_VRF)
   1.1.1.1/32       10.1.12.1       203/nolabel
   5.5.5.5/32       4.4.4.4         nolabel/403
   10.1.12.0/24     0.0.0.0         204/nolabel(MY_VRF)
   10.1.45.0/24     4.4.4.4         nolabel/404

2.3 Forwarding path analysis

When R2 receives a packet destined to 5.5.5.5, it looks up the CEF table in the VRF space to determine the MPLS labels:

R2#sh ip cef vrf MY_VRF 5.5.5.5
5.5.5.5/32
  nexthop 10.1.23.3 Ethernet0/1 label 301-(local:200) 403 ! inner label is 403, outer label is 301
R2#sh ip cef vrf MY_VRF 5.5.5.5 detail
5.5.5.5/32, epoch 0, flags [rib defined all labels]
  recursive via 4.4.4.4 label 403
    nexthop 10.1.23.3 Ethernet0/1 label 301-(local:200)

The logic by which the inner and outer labels are chosen is roughly as follows:

The inner label is allocated by MP-iBGP:

R2#sh ip bgp vpnv4 vrf MY_VRF 5.5.5.5
BGP routing table entry for 234:100:5.5.5.5/32, version 4
Paths: (1 available, best #1, table MY_VRF)
  Not advertised to any peer
  Refresh Epoch 1
  Local
    4.4.4.4 (metric 21) (via default) from 4.4.4.4 (4.4.4.4) ! "via default" means the route to 4.4.4.4 is looked up in the global routing table
      Origin incomplete, metric 1, localpref 100, valid, internal, best
      Extended Community: RT:100:100 OSPF DOMAIN ID:0x0005:0x000000010200
        OSPF RT:0.0.0.0:2:0 OSPF ROUTER ID:10.1.45.4:0
        mpls labels in/out nolabel/403 ! inner label
      rx pathid: 0, tx pathid: 0x0

Because the route to 5.5.5.5 was learned from 4.4.4.4, which must be the address of the MP-iBGP VPNv4 address-family peer, and VPNv4 peers can only be established in the global routing space, the outer label is the label allocated by the LDP neighbor in the backbone:

R2#sh mpls forwarding-table
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
200        301        4.4.4.4/32       0             Et0/1      10.1.23.3
201        Pop Label  3.3.3.3/32       0             Et0/1      10.1.23.3
202        Pop Label  10.1.34.0/24     0             Et0/1      10.1.23.3
205        No Label   1.1.1.1/32[V]    0             Et0/0      10.1.12.1
206        No Label   10.1.12.0/24[V]  0             aggregate/MY_VRF
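Added example, not code from the original notes: a Python model of the two-level lookup R2 performs above, with the VRF table and global LFIB constructed from the show output. The push order (outer LDP label on top of the inner VPN label) and the handling of an implicit-null (Pop Label) transport entry are assumptions about standard LDP/BGP behaviour, not something the notes state.

```python
"""Two-level label lookup on an ingress PE (added example, not from the notes).

The VRF route gives the BGP next hop and the inner (VPN) label learned via
MP-iBGP; a recursive lookup of that next hop in the global LFIB gives the
outer (LDP) label. Tables are constructed from R2's output in sections
2.2.3 and 2.3.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Union

POP = "Pop Label"  # LDP implicit null: downstream neighbour wants no outer label (PHP)


@dataclass
class VpnRoute:
    prefix: str        # VRF prefix
    bgp_next_hop: str  # resolved in the global table, never in the VRF
    vpn_label: int     # inner label, allocated by the egress PE, carried in MP-BGP


@dataclass
class LfibEntry:
    prefix: str                  # global prefix (e.g. egress PE loopback)
    out_label: Union[int, str]   # LDP label from the downstream neighbour, or POP
    next_hop: str
    interface: str


def longest_match(table, dst: str):
    """Longest-prefix match of dst against entries that carry a .prefix attribute."""
    addr = ipaddress.IPv4Address(dst)
    best, best_len = None, -1
    for entry in table:
        net = ipaddress.IPv4Network(entry.prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = entry, net.prefixlen
    return best


def resolve(dst: str, vrf_routes: List[VpnRoute], global_lfib: List[LfibEntry]):
    """Return (label_stack, next_hop, interface) for dst, or None if it cannot be forwarded.

    label_stack is listed top-first, i.e. in the order the labels appear on the wire.
    """
    route = longest_match(vrf_routes, dst)
    if route is None:
        return None  # no VRF route: the packet is dropped, it never falls back to the global table
    transport = longest_match(global_lfib, route.bgp_next_hop)
    if transport is None:
        return None  # BGP next hop unreachable in the backbone: the VPN route is unusable
    stack: List[int] = []
    if transport.out_label != POP:
        stack.append(transport.out_label)  # outer LDP label (301 for 4.4.4.4, learned from R3)
    stack.append(route.vpn_label)          # inner VPN label (403 for 5.5.5.5)
    return stack, transport.next_hop, transport.interface


# Constructed from the R2 output in sections 2.2.3 and 2.3.
MY_VRF_ROUTES = [
    VpnRoute("5.5.5.5/32", "4.4.4.4", 403),
    VpnRoute("10.1.45.0/24", "4.4.4.4", 404),
]
GLOBAL_LFIB = [
    LfibEntry("4.4.4.4/32", 301, "10.1.23.3", "Et0/1"),
    LfibEntry("3.3.3.3/32", POP, "10.1.23.3", "Et0/1"),
    LfibEntry("10.1.34.0/24", POP, "10.1.23.3", "Et0/1"),
]

if __name__ == "__main__":
    print(resolve("5.5.5.5", MY_VRF_ROUTES, GLOBAL_LFIB))  # ([301, 403], '10.1.23.3', 'Et0/1')
```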

3 Internet Access

3.1 Global Route Leak

ip route vrf vrf-name <dest_ip> <mask> <next_hop> global

With the global keyword, a route entry in the VRF table can use an IP address from the global routing table as its next hop.

Figure 5: Lab environment (leak.png)

Configuration listing
----------------- R1 ----------------------
en
conf t
 hostname R1
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip address 1.1.1.1 255.255.255.255
 exit
 int e0/0
  ip address 10.1.12.1 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 192.168.16.1 255.255.255.0
  no sh
 exit
 router ospf 1
  router-id 1.1.1.1
  network 1.1.1.1 0.0.0.0 a 0
  network 10.1.12.1 0.0.0.0 a 0
  network 192.168.16.1 0.0.0.0 a 0
 exit
end

----------------- R2 ----------------------
en
conf t
 hostname R2
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip address 2.2.2.2 255.255.255.255
 exit
 int e0/0
  ip address 10.1.12.2 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 10.1.23.2 255.255.255.0
  no sh
 exit
 ! Core IGP
 router ospf 100
  router-id 2.2.2.2
  network 10.1.23.2 0.0.0.0 a 0
  network 2.2.2.2 0.0.0.0 a 0
 exit
 ip cef
 mpls ldp router-id lo0
 mpls label range 200 299
 int e0/1
  mpls ip
 exit
 ip vrf CISCO
  rd 234:100
  route-target export 24:2
  route-target import 24:4
 exit
 int e0/0
  ip vrf forwarding CISCO
  ip add 10.1.12.2 255.255.255.0
 exit
 router bgp 234
  bgp router-id 2.2.2.2
  no bgp default ipv4-unicast
  neighbor 4.4.4.4 remote-as 234
  neighbor 4.4.4.4 update-source lo0
  address-family vpnv4
   neighbor 4.4.4.4 activate
   neighbor 4.4.4.4 send-community
  exit-address-family
 exit
 router ospf 1 vrf CISCO
  router-id 22.22.22.22
  network 10.1.12.2 0.0.0.0 a 0
 exit
 router bgp 234
  address-family ipv4 vrf CISCO
   redistribute ospf 1 metric 1 match internal external
  exit-address-family
 exit
 router ospf 1 vrf CISCO
  redistribute bgp 234 metric 1 subnets
 exit
 
 ip route vrf CISCO 0.0.0.0 0.0.0.0 3.3.3.3 global
 router ospf 1 vrf CISCO
  default-information originate
 exit
 ip access-list standard NAT_ACL
  permit 192.168.0.0 0.0.255.255
 exit
 int e0/1
  ip nat outside
 !
 int e0/0
  ip nat inside
 !
 ip nat inside source list NAT_ACL interface e0/1 vrf CISCO overload
 
end

----------------- R3 ----------------------
en
conf t
 hostname R3
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip address 3.3.3.3 255.255.255.255
 exit
 int lo1
  ip address 100.100.100.100 255.255.255.255
 exit
 int e0/0
  ip address 10.1.23.3 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 10.1.34.3 255.255.255.0
  no sh
 exit
 router ospf 100
  router-id 3.3.3.3
  network 3.3.3.3 0.0.0.0 a 0
  network 100.100.100.100 0.0.0.0 a 0
  network 10.1.23.3 0.0.0.0 a 0
  network 10.1.34.3 0.0.0.0 a 0
 exit
 ip cef
 mpls ldp router-id lo0
 mpls label range 300 399
 int range e0/0,e0/1
  mpls ip
 exit
end

----------------- R4 ----------------------
en
conf t
 hostname R4
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip address 4.4.4.4 255.255.255.255
 exit
 int e0/0
  ip address 10.1.34.4 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 10.1.45.4 255.255.255.0
  no sh
 exit
 router ospf 100
  router-id 4.4.4.4
  network 4.4.4.4 0.0.0.0 a 0
  network 10.1.34.4 0.0.0.0 a 0
 exit
 ip cef
 mpls ldp router-id lo0
 mpls label range 400 499
 int e0/0
  mpls ip
 exit
 ip vrf CISCO
  rd 234:100
  route-target export 24:4
  route-target import 24:2
 exit
 int e0/1
  ip vrf forwarding CISCO
  ip add 10.1.45.4 255.255.255.0
 exit
 router bgp 234
  bgp router-id 4.4.4.4
  no bgp default ipv4-unicast
  neighbor 2.2.2.2 remote-as 234
  neighbor 2.2.2.2 update-source lo0
  address-family vpnv4
   neighbor 2.2.2.2 activate
   neighbor 2.2.2.2 send-community
  exit-address-family
 exit
 router ospf 1 vrf CISCO
  router-id 44.44.44.44
  network 10.1.45.4 0.0.0.0 a 0
 exit
 router bgp 234
  address-family ipv4 vrf CISCO
   redistribute ospf 1 metric 1 match internal external
  exit-address-family
 exit
 router ospf 1 vrf CISCO
  redistribute bgp 234 metric 1 subnets
 exit
end

----------------- R5 ----------------------
en
conf t
 hostname R5
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip address 5.5.5.5 255.255.255.255
 exit
 int e0/0
  ip address 10.1.45.5 255.255.255.0
  no sh
 exit
 router ospf 1
  router-id 5.5.5.5
  network 5.5.5.5 0.0.0.0 a 0
  network 10.1.45.5 0.0.0.0 a 0
 exit
end

----------------- R6 ----------------------
en
conf t
 hostname R6
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 no ip routing
 ip default-gateway 192.168.16.1
 int e0/0
  ip address 192.168.16.6 255.255.255.0
  no sh
 exit
end

3.2 Using subinterfaces

Figure 6: Lab environment (sub_ifc.png)

Configuration listing
----------------- R1 ----------------------
en
conf t
 hostname R1
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip address 1.1.1.1 255.255.255.255
 exit
 
 int e0/0
  no sh
 exit
 int e0/0.10
  encapsulation dot1q 10
  ip address 10.1.12.1 255.255.255.0
  no sh
 exit
 int e0/0.20
  encapsulation dot1q 20
  ip address 10.1.112.1 255.255.255.0
  no sh
 exit
 
 int e0/1
  ip address 192.168.16.1 255.255.255.0
  no sh
 exit
 router ospf 1
  router-id 1.1.1.1
  network 1.1.1.1 0.0.0.0 a 0
  network 10.1.12.1 0.0.0.0 a 0
  network 192.168.16.1 0.0.0.0 a 0
 exit
 ! default route towards the Internet
 ip route 0.0.0.0 0.0.0.0 10.1.112.2
end

----------------- R2 ----------------------
en
conf t
 hostname R2
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 ip vrf CISCO
  rd 234:100
  route-target export 24:2
  route-target import 24:4
 exit
 int lo0
  ip address 2.2.2.2 255.255.255.255
 exit
 
 int e0/0
  no sh
 exit
 int e0/0.10
  encapsulation dot1q 10
  ip vrf forwarding CISCO
  ip address 10.1.12.2 255.255.255.0
 exit
 int e0/0.20
  encapsulation dot1q 20
  ip address 10.1.112.2 255.255.255.0
  ip nat inside
 exit
 
 int e0/1
  ip address 10.1.23.2 255.255.255.0
  ip nat outside
  no sh
 exit
 ! Core IGP
 router ospf 100
  router-id 2.2.2.2
  network 10.1.23.2 0.0.0.0 a 0
  network 2.2.2.2 0.0.0.0 a 0
 exit
 ip cef
 mpls ldp router-id lo0
 mpls label range 200 299
 int e0/1
  mpls ip
 exit
 router bgp 234
  bgp router-id 2.2.2.2
  no bgp default ipv4-unicast
  neighbor 4.4.4.4 remote-as 234
  neighbor 4.4.4.4 update-source lo0
  address-family vpnv4
   neighbor 4.4.4.4 activate
   neighbor 4.4.4.4 send-community
  exit-address-family
  !
  address-family ipv4 vrf CISCO
   redistribute ospf 1 metric 1 match internal external
  exit-address-family
 exit
 router ospf 1 vrf CISCO
  router-id 22.22.22.22
  network 10.1.12.2 0.0.0.0 a 0
  redistribute bgp 234 metric 1 subnets
  default-information originate
 exit
 ip access-list standard NAT_ACL
  permit 192.168.0.0 0.0.255.255
 exit
 ip nat inside source list NAT_ACL interface e0/1 overload
 ! required: without a next hop for 192.168.16.0/24 the NAT translation cannot be created
 ip route 0.0.0.0 0.0.0.0 10.1.112.1
end

----------------- R3 ----------------------
en
conf t
 hostname R3
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip address 3.3.3.3 255.255.255.255
 exit
 int lo1
  ip address 100.100.100.100 255.255.255.255
 exit
 int e0/0
  ip address 10.1.23.3 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 10.1.34.3 255.255.255.0
  no sh
 exit
 router ospf 100
  router-id 3.3.3.3
  network 3.3.3.3 0.0.0.0 a 0
  network 100.100.100.100 0.0.0.0 a 0
  network 10.1.23.3 0.0.0.0 a 0
  network 10.1.34.3 0.0.0.0 a 0
 exit
 ip cef
 mpls ldp router-id lo0
 mpls label range 300 399
 int range e0/0,e0/1
  mpls ip
 exit
end

----------------- R4 ----------------------
en
conf t
 hostname R4
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip address 4.4.4.4 255.255.255.255
 exit
 int e0/0
  ip address 10.1.34.4 255.255.255.0
  no sh
 exit
 int e0/1
  ip address 10.1.45.4 255.255.255.0
  no sh
 exit
 router ospf 100
  router-id 4.4.4.4
  network 4.4.4.4 0.0.0.0 a 0
  network 10.1.34.4 0.0.0.0 a 0
 exit
 ip cef
 mpls ldp router-id lo0
 mpls label range 400 499
 int e0/0
  mpls ip
 exit
 ip vrf CISCO
  rd 234:100
  route-target export 24:4
  route-target import 24:2
 exit
 int e0/1
  ip vrf forwarding CISCO
  ip add 10.1.45.4 255.255.255.0
 exit
 router bgp 234
  bgp router-id 4.4.4.4
  no bgp default ipv4-unicast
  neighbor 2.2.2.2 remote-as 234
  neighbor 2.2.2.2 update-source lo0
  address-family vpnv4
   neighbor 2.2.2.2 activate
   neighbor 2.2.2.2 send-community
  exit-address-family
 exit
 router ospf 1 vrf CISCO
  router-id 44.44.44.44
  network 10.1.45.4 0.0.0.0 a 0
 exit
 router bgp 234
  address-family ipv4 vrf CISCO
   redistribute ospf 1 metric 1 match internal external
  exit-address-family
 exit
 router ospf 1 vrf CISCO
  redistribute bgp 234 metric 1 subnets
 exit
end

----------------- R5 ----------------------
en
conf t
 hostname R5
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 int lo0
  ip address 5.5.5.5 255.255.255.255
 exit
 int e0/0
  ip address 10.1.45.5 255.255.255.0
  no sh
 exit
 router ospf 1
  router-id 5.5.5.5
  network 5.5.5.5 0.0.0.0 a 0
  network 10.1.45.5 0.0.0.0 a 0
 exit
end

----------------- R6 ----------------------
en
conf t
 hostname R6
 no ip do lo
 line con 0
  exec-timeout 0 0
  logging synchronous
 exit
 no ip routing
 ip default-gateway 192.168.16.1
 int e0/0
  ip address 192.168.16.6 255.255.255.0
  no sh
 exit
end

Author: Hao Ruan (ruanhao1116@gmail.com)

Created: 2021-08-22 Sun 09:43

Updated: 2021-08-26 Thu 15:37

Emacs 27.1 (Org mode 9.3)