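This article introduces sham-link and provides a sham-link configuration example on the XR platform (ASR9000).
Preface #
See the figure for the topology; the VIRL simulator is used.
Topology overview #
The core runs the commonly used IGP, IS-IS. Labels are distributed with SR rather than LDP, and PE-R2 and PE-R4 peer directly as VPNv4 neighbors. The main configuration is as follows: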
R2:
router isis 1
 is-type level-2-only
 net 49.0000.0000.0002.00
 address-family ipv4 unicast
  metric-style wide
  segment-routing mpls
 !
 interface Loopback0
  address-family ipv4 unicast
   prefix-sid index 2
  !
 !
 interface GigabitEthernet0/0/0/1
  point-to-point
  address-family ipv4 unicast
router bgp 1
 bgp router-id 10.1.2.2
 address-family vpnv4 unicast
 !
 neighbor 10.1.4.4
  remote-as 1
  update-source Loopback0
  address-family vpnv4 unicast
   next-hop-self
R3:
router isis 1
 is-type level-2-only
 net 49.0000.0000.0003.00
 address-family ipv4 unicast
  metric-style wide
  segment-routing mpls
 !
 interface Loopback0
  address-family ipv4 unicast
   prefix-sid index 3
  !
 !
 interface GigabitEthernet0/0/0/0
  point-to-point
  address-family ipv4 unicast
  !
 !
 interface GigabitEthernet0/0/0/1
  point-to-point
  address-family ipv4 unicast
R4:
router isis 1
 is-type level-2-only
 net 49.0000.0000.0004.00
 address-family ipv4 unicast
  metric-style wide
  segment-routing mpls
 !
 interface Loopback0
  address-family ipv4 unicast
   prefix-sid index 4
  !
 !
 interface GigabitEthernet0/0/0/0
  point-to-point
  address-family ipv4 unicast
router bgp 1
 bgp router-id 10.1.4.4
 address-family vpnv4 unicast
 !
 neighbor 10.1.2.2
  remote-as 1
  update-source Loopback0
  address-family vpnv4 unicast
   next-hop-self
The default label block allocated to SR is 16000-23999. R4 is configured with prefix-sid index 4, so on the other devices packets destined for R4's loopback interface are pushed with label 16004.
RP/0/0/CPU0:R2#show mpls forwarding
Fri Jul 5 07:57:52.647 UTC
Local Outgoing Prefix Outgoing Next Hop Bytes
Label Label or ID Interface Switched
------ ----------- ------------------ ------------ --------------- ------------
16003 Pop SR Pfx (idx 3) Gi0/0/0/1 10.1.23.3 0
16004 16004 SR Pfx (idx 4) Gi0/0/0/1 10.1.23.3 987559 <<<<
24000 Aggregate VIP: Per-VRF Aggr[V] \
VIP 8300
24001 Unlabelled 10.1.1.1/32[V] Gi0/0/0/0 10.1.12.1 0
24002 Unlabelled 10.1.15.0/24[V] Gi0/0/0/0 10.1.12.1 0
24003 Pop SR Adj (idx 1) Gi0/0/0/1 10.1.23.3 0
24004 Pop SR Adj (idx 3) Gi0/0/0/1 10.1.23.3 0
RP/0/0/CPU0:R2#traceroute 10.1.4.4 source 10.1.2.2
Fri Jul 5 07:58:32.184 UTC
Type escape sequence to abort.
Tracing the route to 10.1.4.4
1 10.1.23.3 [MPLS: Label 16004 Exp 0] 9 msec 0 msec 0 msec
2 10.1.34.4 0 msec * 0 msec
RP/0/0/CPU0:R2#
Routing between PE and CE: OSPF #
R1 (R5 is configured the same way):
router ospf 1
 router-id 10.1.1.1
 address-family ipv4 unicast
 area 0
  interface Loopback0
   passive enable
  !
  interface GigabitEthernet0/0/0/0
R2 (R4 is configured the same way):
router ospf 1
 vrf VIP
  router-id 10.1.24.2
  redistribute bgp 1 <<<<<
  address-family ipv4 unicast
  area 0
   interface GigabitEthernet0/0/0/0
router bgp 1
 bgp router-id 10.1.2.2
 address-family vpnv4 unicast
 !
 neighbor 10.1.4.4
  remote-as 1
  update-source Loopback0
  address-family vpnv4 unicast
   next-hop-self
  !
 !
 vrf VIP
  rd auto
  address-family ipv4 unicast
   network 10.1.24.2/32
   redistribute ospf 1 <<<< mutual redistribution between the two protocols, must be configured
  !
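Sham-link #
Sham-link exists because of the following problem: when a backdoor link with OSPF enabled exists between a CE and the remote CE, the local CE prefers the OSPF intra-area or inter-area route and sends traffic over the backdoor link, instead of preferring the redistributed BGP route learned from the PE. Usually, though, the backdoor link is meant only as a backup path and not for carrying traffic under normal conditions, because the core links are typically maintained by the carrier and are more stable. Sham-link was introduced to solve this suboptimal path selection.
The purpose of a sham-link is to bring up a virtual OSPF adjacency on the PE so that the remote CE's routes can be carried to the PE through OSPF.
Note the following points when configuring a sham-link:
- The source and destination addresses of the sham-link must be loopback addresses with a 32-bit mask
- They must be bound to the VPN instance, that is, configured under the vrf
- They must be advertised through BGP; they cannot be advertised through OSPF
Configure OSPF on the backdoor link in area 0, then check the routing table on CE1:
Before adding the backdoor link: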
RP/0/0/CPU0:R1#show route
L 10.1.1.1/32 is directly connected, 04:47:18, Loopback0
O IA 10.1.5.5/32 [110/3] via 10.1.12.2, 00:01:37, GigabitEthernet0/0/0/0 <<<<
C 10.1.12.0/24 is directly connected, 04:47:18, GigabitEthernet0/0/0/0
L 10.1.12.1/32 is directly connected, 04:47:18, GigabitEthernet0/0/0/0
C 10.1.15.0/24 is directly connected, 00:06:03, GigabitEthernet0/0/0/1
L 10.1.15.1/32 is directly connected, 00:06:03, GigabitEthernet0/0/0/1
O E2 10.1.24.4/32 [110/1] via 10.1.12.2, 00:04:28, GigabitEthernet0/0/0/0
O IA 10.1.45.0/24 [110/2] via 10.1.12.2, 00:01:38, GigabitEthernet0/0/0/0
After adding the backdoor link:
L 10.1.1.1/32 is directly connected, 04:50:46, Loopback0
O 10.1.5.5/32 [110/2] via 10.1.15.5, 00:00:01, GigabitEthernet0/0/0/1 <<<
C 10.1.12.0/24 is directly connected, 04:50:46, GigabitEthernet0/0/0/0
L 10.1.12.1/32 is directly connected, 04:50:46, GigabitEthernet0/0/0/0
C 10.1.15.0/24 is directly connected, 00:09:30, GigabitEthernet0/0/0/1
L 10.1.15.1/32 is directly connected, 00:09:30, GigabitEthernet0/0/0/1
O E2 10.1.24.2/32 [110/1] via 10.1.15.5, 00:00:01, GigabitEthernet0/0/0/1
O E2 10.1.24.4/32 [110/1] via 10.1.12.2, 00:07:56, GigabitEthernet0/0/0/0
O 10.1.45.0/24 [110/2] via 10.1.15.5, 00:00:01, GigabitEthernet0/0/0/1
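The route to the remote CE's loopback address has changed from an inter-area route to an intra-area route and now uses the backdoor link, which does not meet our requirement. Next we add the sham-link configuration:
1. The source and destination addresses of the sham-link must be loopback addresses with a 32-bit mask
2. They must be bound to the VPN instance, that is, configured under the vrf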
RP/0/0/CPU0:R2#show run int lo1
Mon Jul 8 06:22:15.998 UTC
interface Loopback1
vrf VIP
ipv4 address 10.1.24.2 255.255.255.255
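3. They must be advertised through BGP; they cannot be advertised through OSPF
router bgp 1
 vrf VIP
  address-family ipv4 unicast
   network 10.1.24.2/32
Why must this route be advertised with BGP here? Reason: if the loopback interface were advertised through OSPF, the remote CE would learn it as an O route and prefer the backdoor link, so the traffic would not cross the backbone and the sham-link could not be established.
4. Configure the sham-link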
RP/0/0/CPU0:R2(config)#router ospf 1
RP/0/0/CPU0:R2(config-ospf)#vrf VIP
RP/0/0/CPU0:R2(config-ospf-vrf)#area 0
RP/0/0/CPU0:R2(config-ospf-vrf-ar)#sham-link 10.1.24.2 10.1.24.4
RP/0/0/CPU0:R2(config-ospf-vrf-ar-sl)#
RP/0/0/CPU0:R2(config-ospf-vrf-ar-sl)#commit
5. Check the sham-link adjacency:
RP/0/0/CPU0:R2#show ospf vrf VIP sham-links
Mon Jul 8 06:34:38.668 UTC
Sham Links for OSPF 1, VRF VIP
Sham Link OSPF_SL0 to address 10.1.24.4 is up
Area 0, source address 10.1.24.2
IfIndex = 2
Run as demand circuit
DoNotAge LSA allowed., Cost of using 1
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:03:904
Adjacency State FULL (Hello suppressed)
Number of DBD retrans during last exchange 0
Index 2/2, retransmission queue length 1, number of retransmission 0
First 0x15143ed0(5)/0(0) Next 0x15143ed0(5)/0(0)
Last retransmission scan length is 0, maximum is 0
Last retransmission scan time is 0 msec, maximum is 0 msec
Link State retransmission due in 3975 msec
RP/0/0/CPU0:R2#
RP/0/0/CPU0:R2#show ospf vrf VIP neighbor
Mon Jul 8 06:55:10.553 UTC
* Indicates MADJ interface
# Indicates Neighbor awaiting BFD session up
Neighbors for OSPF 1, VRF VIP
Neighbor ID Pri State Dead Time Address Interface
10.1.24.4 1 FULL/ - - 10.1.24.4 OSPF_SL0
Neighbor is up for 00:20:32
10.1.1.1 1 FULL/DR 00:00:31 10.1.12.1 GigabitEthernet0/0/0/0
Neighbor is up for 00:43:47
Total neighbor count: 2
Check the routing table after adding the sham-link:
RP/0/0/CPU0:R1#show route
L 10.1.1.1/32 is directly connected, 05:27:56, Loopback0
O 10.1.5.5/32 [110/2] via 10.1.15.5, 00:00:12, GigabitEthernet0/0/0/1
C 10.1.12.0/24 is directly connected, 05:27:56, GigabitEthernet0/0/0/0
L 10.1.12.1/32 is directly connected, 05:27:56, GigabitEthernet0/0/0/0
C 10.1.15.0/24 is directly connected, 00:46:40, GigabitEthernet0/0/0/1
L 10.1.15.1/32 is directly connected, 00:46:40, GigabitEthernet0/0/0/1
O E2 10.1.24.2/32 [110/1] via 10.1.12.2, 00:00:12, GigabitEthernet0/0/0/0
[110/1] via 10.1.15.5, 00:00:12, GigabitEthernet0/0/0/1
O E2 10.1.24.4/32 [110/1] via 10.1.12.2, 00:45:06, GigabitEthernet0/0/0/0
O 10.1.45.0/24 [110/2] via 10.1.15.5, 00:00:12, GigabitEthernet0/0/0/1
Change the cost of the backdoor link:
router ospf 1
 area 0
  interface GigabitEthernet0/0/0/1
   cost 100
Routing table after the change (traffic goes over the backbone, as expected):
RP/0/0/CPU0:R1# show route
L 10.1.1.1/32 is directly connected, 05:25:14, Loopback0
O 10.1.5.5/32 [110/4] via 10.1.12.2, 00:16:40, GigabitEthernet0/0/0/0 <<< Get from sham-link
C 10.1.12.0/24 is directly connected, 05:25:14, GigabitEthernet0/0/0/0
L 10.1.12.1/32 is directly connected, 05:25:14, GigabitEthernet0/0/0/0
C 10.1.15.0/24 is directly connected, 00:43:58, GigabitEthernet0/0/0/1
L 10.1.15.1/32 is directly connected, 00:43:58, GigabitEthernet0/0/0/1
O E2 10.1.24.2/32 [110/1] via 10.1.12.2, 00:16:40, GigabitEthernet0/0/0/0
O E2 10.1.24.4/32 [110/1] via 10.1.12.2, 00:42:23, GigabitEthernet0/0/0/0
O 10.1.45.0/24 [110/3] via 10.1.12.2, 00:16:40, GigabitEthernet0/0/0/0
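A post-change check for the result above, as an added example that is not part of the original post: it parses R1's `show route` output and lists the OSPF prefixes that still leave through the backdoor interface. The sample lines are copied from the two R1 tables above; the function and variable names are assumptions of this example.

```python
import re

# Route lines copied from the page's R1 "show route" output (sham-link up,
# before and after raising the backdoor cost). Gi0/0/0/1 is the backdoor link.
BACKDOOR_IF = "GigabitEthernet0/0/0/1"

BEFORE_COST_CHANGE = """\
O 10.1.5.5/32 [110/2] via 10.1.15.5, 00:00:12, GigabitEthernet0/0/0/1
C 10.1.15.0/24 is directly connected, 00:46:40, GigabitEthernet0/0/0/1
O E2 10.1.24.2/32 [110/1] via 10.1.12.2, 00:00:12, GigabitEthernet0/0/0/0
 [110/1] via 10.1.15.5, 00:00:12, GigabitEthernet0/0/0/1
O 10.1.45.0/24 [110/2] via 10.1.15.5, 00:00:12, GigabitEthernet0/0/0/1
"""

AFTER_COST_CHANGE = """\
O 10.1.5.5/32 [110/4] via 10.1.12.2, 00:16:40, GigabitEthernet0/0/0/0 <<< Get from sham-link
C 10.1.15.0/24 is directly connected, 00:43:58, GigabitEthernet0/0/0/1
O E2 10.1.24.2/32 [110/1] via 10.1.12.2, 00:16:40, GigabitEthernet0/0/0/0
O 10.1.45.0/24 [110/3] via 10.1.12.2, 00:16:40, GigabitEthernet0/0/0/0
"""

# Optional "code prefix" head, then "[AD/metric] via next-hop, age, interface".
PATH_RE = re.compile(
    r"^(?:(?P<code>[A-Z](?: [A-Z0-9]+)?)\s+(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+)?"
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\] via (?P<nh>\S+), \S+, (?P<intf>\S+)")

def ospf_paths(show_route):
    """Return (prefix, code, metric, interface) for each OSPF path; ECMP
    continuation lines inherit the prefix and code of the line above."""
    paths, prefix, code = [], None, None
    for line in show_route.splitlines():
        m = PATH_RE.match(line.strip())
        if not m:
            continue  # connected/local lines carry no [AD/metric] field
        if m["prefix"]:
            prefix, code = m["prefix"], m["code"]
        if code and code.startswith("O"):
            paths.append((prefix, code, int(m["metric"]), m["intf"]))
    return paths

def via_backdoor(show_route, backdoor=BACKDOOR_IF):
    """Prefixes with at least one OSPF path leaving through the backdoor link."""
    return sorted({p for p, _, _, intf in ospf_paths(show_route) if intf == backdoor})
```

With the sham-link up but the backdoor cost unchanged, the check still reports three prefixes; after `cost 100` it reports none.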
Sham-link packet capture #
Configuration files + packet capture: