MPLS_VPN

Published by 稚 on 2024-08-26, 42 views


Intranet VPN networking model

All users in one VPN form a closed user group: they can forward traffic to each other, but a user in the VPN cannot communicate with anyone outside that VPN. A VPN built this way is called an Intranet VPN, and its sites usually belong to the same organization.

ar1 can only reach AR7, and AR2 can only reach AR6.

Lab

Base configuration

sys
sysn ar1
int g 0/0/0
ip add 10.0.13.1 24
int loo0 
ip add 1.1.1.1 32

sys
sysn ar2
int g 0/0/0
ip add 10.0.23.2 24
int loo0 
ip add 1.1.1.1 32

sys
sysn ar3
int g 0/0/0
ip add 10.0.13.3 24
int g 0/0/1 
ip add 10.0.23.3 24
int g 0/0/2
ip add 10.0.34.3 24
int loo0
ip add 3.3.3.3 32

sys
sysn ar4
int g 0/0/0
ip add 10.0.34.4 24
int g 0/0/1 
ip add 10.0.45.4 24
int loo0 
ip add 4.4.4.4 32

sys
sysn ar5
int g 0/0/0
ip add 10.0.45.5 24
int g 0/0/1 
ip add 10.0.56.5 24
int g 0/0/2
ip add 10.0.57.5 24
int loo0
ip add 5.5.5.5 32 

sys
sysn ar6
int g 0/0/0
ip add 10.0.56.6 24
int loo0 
ip add 6.6.6.6 32

sys
sysn ar7
int g 0/0/0
ip add 10.0.57.7 24
int loo0 
ip add 6.6.6.6 32

The CE devices only need to establish the appropriate routing relationship with their PE device so that routes and data can be exchanged.

AR1

ospf 
ar 0 
net 10.0.13.0 0.0.0.255
net 1.1.1.1 0.0.0.0 

AR2

isis 
net 49.0001.0000.0000.0002.00
int g0/0/0
isis en
int loo0
isis en

AR6

bgp 200
peer 10.0.56.5 as 100
net 6.6.6.6 32   ## advertise AR6's own loopback into BGP

AR7

ip route-st 0.0.0.0 0 10.0.57.5   ## default route towards the PE (AR5) on the 10.0.57.0/24 link

MPLS configuration

AR3

## First create the VPN instances and bind the interfaces to them
ip vpn ar1
route-d 100:1
vpn-t 300:1 im
vpn-t 300:2 ex
int g 0/0/0
ip bind vpn ar1
ip add 10.0.13.3 24

ip vpn ar2 
route-d 200:1
vpn-t 200:1 im
vpn-t 200:1 ex
int g 0/0/1
ip bind vpn ar2
ip add 10.0.23.3 24

## The protocol run towards the CE must be configured inside the VPN instance

ospf 1 vpn ar1
ar 0 
net 10.0.13.0 0.0.0.255
default-route-advertise always   ## give AR1 a default route towards the remote site 

isis 1 vpn-instance ar2   ## process 1, referenced below by "import isis 1"
net 49.0001.0000.0000.0003.00
int g 0/0/1
isis en 

## Configure the IGP inside the MPLS core
ospf 2  ### process 1 is already in use, so use 2
ar 0
net 10.0.34.0 0.0.0.255
net 3.3.3.3 0.0.0.0 

## Configure MPLS 

mpls lsr 3.3.3.3  # the LSR-ID must be reachable (pingable) inside the MPLS domain
mpls
mpls ldp 

int g 0/0/2
mpls
mpls ldp

## Configure MP-BGP to carry the VPN routes

bgp 100 
### First set up the ordinary BGP peering
peer 5.5.5.5 as 100
peer 5.5.5.5 con loo0
### Then enable the peer in the VPNv4 address family
ipv4 vpnv4 
peer 5.5.5.5 en
q
### Import each instance's routes so MP-BGP can carry them
ipv4 vpn-instance ar1
import ospf 1
q
ipv4 vpn-instance ar2
import isis 1

## Import the BGP routes into IS-IS so the sites can communicate
isis 1 vpn-instance ar2
import-route bgp level-2

AR4

ospf 1
ar 0
net 4.4.4.4 0.0.0.0 
net 10.0.34.0 0.0.0.255
net 10.0.45.0 0.0.0.255

mpls lsr 4.4.4.4 
mpls
mpls ldp

int g 0/0/0
mpls
mpls ldp
int g 0/0/1
mpls 
mpls ldp

AR5

## Create the instance and bind the interface
ip vpn ar6
route-d 300:1
vpn-t 300:2 im
vpn-t 300:1 ex
int g 0/0/1 
ip bind vpn ar6
ip add 10.0.56.5 24

## Create the instance and bind the interface
ip vpn ar7
route-d 200:1
vpn-t 200:1   ## no direction given: defaults to both import and export
int g 0/0/2
ip bind vpn ar7
ip add 10.0.57.5 24

## Static route so that 6.6.6.6 is reachable
ip route-static vpn-instance ar7 6.6.6.6 32 10.0.57.7

## Configure the core OSPF
ospf 
ar 0 
net 5.5.5.5 0.0.0.0
net 10.0.45.0 0.0.0.255

## Configure MPLS
mpls lsr 5.5.5.5
mpls 
mpls ldp
int g 0/0/0
mpls 
mpls ldp

## Configure MP-BGP
bgp 100
peer 3.3.3.3 as 100
peer 3.3.3.3 con loo0
ipv4 vpnv4 
peer 3.3.3.3 en
ipv4 vpn ar6
peer 10.0.56.6 as 200
ipv4-family vpn-instance ar7
import-route static

With this in place, a ping from AR1 to 6.6.6.6 is only captured on AR6. When pinging, always check that your own source address is reachable from the far end.

A ping from AR2 is only captured on the AR7 interface.

Extranet VPN networking model

If a user in one VPN needs to access certain sites in another VPN, the Extranet networking scheme can be used.

In this case only ar1 and ar6, and ar2 and ar6, can communicate with each other; ar1 and ar2 cannot.

Hub and Spoke

AR1 and AR2 can reach each other, but their traffic must be forwarded through AR6.

Lab

AR1

interface GigabitEthernet0/0/0
 ip address 10.0.13.1 255.255.255.0 
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255 
bgp 100
 peer 10.0.13.3 as-number 300 
 ipv4-family unicast
  undo synchronization
  network 1.1.1.1 255.255.255.255 
  peer 10.0.13.3 enable

AR2

interface GigabitEthernet0/0/0
 ip address 10.0.24.2 255.255.255.0 
interface LoopBack0
 ip address 2.2.2.2 255.255.255.255 
bgp 200
 peer 10.0.24.4 as-number 300 
 ipv4-family unicast
  undo synchronization
  network 2.2.2.2 255.255.255.255 
  peer 10.0.24.4 enable

AR3

ip vpn-instance 100:1
 ipv4-family
  route-distinguisher 100:1
  vpn-target 200:1 export-extcommunity
  vpn-target 100:1 import-extcommunity

mpls lsr-id 3.3.3.3
mpls
mpls ldp

interface GigabitEthernet0/0/0
 ip binding vpn-instance 100:1
 ip address 10.0.13.3 255.255.255.0 

interface GigabitEthernet0/0/2
 ip address 10.0.35.3 255.255.255.0 
 mpls
 mpls ldp

interface LoopBack0
 ip address 3.3.3.3 255.255.255.255 

bgp 300
 peer 5.5.5.5 as-number 300 
 peer 5.5.5.5 connect-interface LoopBack0
 ipv4-family unicast
  undo synchronization
  peer 5.5.5.5 enable
 ipv4-family vpnv4
  policy vpn-target
  peer 5.5.5.5 enable
 ipv4-family vpn-instance 100:1 
  peer 10.0.13.1 as-number 100

ospf 1 
 area 0.0.0.0 
  network 3.3.3.3 0.0.0.0 
  network 10.0.35.0 0.0.0.255 

AR4

ip vpn-instance 400:1
 ipv4-family
  route-distinguisher 400:1
  vpn-target 200:1 export-extcommunity
  vpn-target 100:1 import-extcommunity
mpls lsr-id 4.4.4.4
mpls
mpls ldp
interface GigabitEthernet0/0/0
 ip binding vpn-instance 400:1
 ip address 10.0.24.4 255.255.255.0 

interface GigabitEthernet0/0/1
 ip address 10.0.45.4 255.255.255.0 
 mpls
 mpls ldp

interface LoopBack0
 ip address 4.4.4.4 255.255.255.255 

bgp 300
 peer 5.5.5.5 as-number 300 
 peer 5.5.5.5 connect-interface LoopBack0
 ipv4-family unicast
  undo synchronization
  peer 5.5.5.5 enable

 ipv4-family vpnv4
  policy vpn-target
  peer 5.5.5.5 enable

 ipv4-family vpn-instance 400:1 
  peer 10.0.24.2 as-number 200 

ospf 1 
 area 0.0.0.0 
  network 4.4.4.4 0.0.0.0 
  network 10.0.45.0 0.0.0.255 

AR5

It does not matter which sub-interface an instance is bound to, but the RT value in the export direction must match the other side's import RT, and the import RT must match the other side's export RT.

ip vpn-instance ex
 ipv4-family
  route-distinguisher 200:1
  vpn-target 100:1 export-extcommunity

ip vpn-instance im
 ipv4-family
  route-distinguisher 300:1
  vpn-target 200:1 import-extcommunity

mpls lsr-id 5.5.5.5
mpls
mpls ldp

interface GigabitEthernet0/0/0.10
 dot1q termination vid 10  ## sub-interface: the VLAN tag tells the instances apart
 ip binding vpn-instance ex
 ip address 10.0.10.5 255.255.255.0  
 arp broadcast enable ## enable ARP on the sub-interface

interface GigabitEthernet0/0/0.20
 dot1q termination vid 20
 ip binding vpn-instance im
 ip address 10.0.20.5 255.255.255.0 
 arp broadcast enable

interface GigabitEthernet0/0/1
 ip address 10.0.45.5 255.255.255.0 
 mpls
 mpls ldp

interface GigabitEthernet0/0/2
 ip address 10.0.35.5 255.255.255.0 
 mpls
 mpls ldp

interface LoopBack0
 ip address 5.5.5.5 255.255.255.255 

bgp 300
 peer 3.3.3.3 as-number 300 
 peer 3.3.3.3 connect-interface LoopBack0
 peer 4.4.4.4 as-number 300 
 peer 4.4.4.4 connect-interface LoopBack0

 ipv4-family unicast
  undo synchronization
  peer 3.3.3.3 enable
  peer 3.3.3.3 reflect-client
  peer 4.4.4.4 enable
  peer 4.4.4.4 reflect-client

 ipv4-family vpnv4
  policy vpn-target
  peer 3.3.3.3 enable
  peer 4.4.4.4 enable

 ipv4-family vpn-instance ex 
  peer 10.0.10.6 as-number 400 
  peer 10.0.10.6 allow-as-loop 2  ## allow the local AS number to appear twice in the AS path on the ex instance

 ipv4-family vpn-instance im 
  peer 10.0.20.6 as-number 400 

ospf 1 
 area 0.0.0.0 
  network 5.5.5.5 0.0.0.0 
  network 10.0.35.0 0.0.0.255 
  network 10.0.45.0 0.0.0.255 

AR6

interface GigabitEthernet0/0/0.10
 dot1q termination vid 10
 ip address 10.0.10.6 255.255.255.0 
 arp broadcast enable

interface GigabitEthernet0/0/0.20
 dot1q termination vid 20
 ip address 10.0.20.6 255.255.255.0 
 arp broadcast enable

interface LoopBack0
 ip address 6.6.6.6 255.255.255.255 

bgp 400
 peer 10.0.10.5 as-number 300 
 peer 10.0.20.5 as-number 300 

 ipv4-family unicast
  undo synchronization
  peer 10.0.10.5 enable
  peer 10.0.20.5 enable

Results