Inter-AS VPN solutions exist to connect a customer's sites that sit in different ASes, that is, to carry the customer's VPN routes from one AS to the other. RFC 4364 (section 10) describes three solutions, which I will cover one by one in the coming posts. This post covers the first, Option A. Here the two ASBRs exchange routes over a dedicated interface per VRF, so the approach is also called VRF-to-VRF (or back-to-back VRF). Each ASBR treats the other simply as a CE: no MPLS labels and no VPNv4 routes cross the AS boundary, the link carries plain IP and whatever routing protocol the VRF runs, and each AS can filter the other's routes per VRF. The cost is that every VRF needs its own link or sub-interface and its own routing session on the ASBRs, which is why Option A scales least well of the three.
Up front #
The configuration steps are:
- Configure IP addresses and VRFs
- Configure the IGP (IS-IS) inside each AS
- Configure the label distribution protocol (LDP) inside each AS
- Configure the BGP neighbors: CE to PE, and PE to ASBR
- Configure mutual route redistribution on the ASBRs
- Verify connectivity
Configure IP addresses and VRFs #
Roles in the lab, as the AS numbers in the BGP configuration below show: R1 and R8 are the CEs (AS 65000 and AS 65001), R2 and R7 the PEs, R3 and R6 the P routers, and R4 and R5 the ASBRs of AS 1 and AS 2. Link addresses follow the pattern 10.1.XY.0/24 for the link between RX and RY. The inter-AS link R4-R5 and the PE-CE links are placed in VRF VIP, while the core links stay in the global table.
R1:
interface Loopback0
ipv4 address 10.1.1.1 255.255.255.255
interface GigabitEthernet0/0/0/0
ipv4 address 10.1.12.1 255.255.255.0
R2:
vrf VIP
address-family ipv4 unicast
import route-target
100:100
export route-target
100:100
interface Loopback0
ipv4 address 10.1.2.2 255.255.255.255
interface GigabitEthernet0/0/0/0
vrf VIP
ipv4 address 10.1.12.2 255.255.255.0
interface GigabitEthernet0/0/0/1
ipv4 address 10.1.23.2 255.255.255.0
R3:
interface Loopback0
ipv4 address 10.1.3.3 255.255.255.255
interface GigabitEthernet0/0/0/0
ipv4 address 10.1.34.3 255.255.255.0
interface GigabitEthernet0/0/0/1
ipv4 address 10.1.23.3 255.255.255.0
R4:
vrf VIP
address-family ipv4 unicast
import route-target
100:100
export route-target
100:100
interface Loopback0
ipv4 address 10.1.4.4 255.255.255.255
interface GigabitEthernet0/0/0/0
ipv4 address 10.1.34.4 255.255.255.0
interface GigabitEthernet0/0/0/1 <<< this is the dedicated ASBR interface mentioned above; it sits in VRF VIP, not in the global table
vrf VIP
ipv4 address 10.1.45.4 255.255.255.0
R5:
vrf VIP
address-family ipv4 unicast
import route-target
100:100
export route-target
100:100
interface Loopback0
ipv4 address 10.1.5.5 255.255.255.255
interface GigabitEthernet0/0/0/0
ipv4 address 10.1.56.5 255.255.255.0
interface GigabitEthernet0/0/0/1
vrf VIP
ipv4 address 10.1.45.5 255.255.255.0
R6:
interface Loopback0
ipv4 address 10.1.6.6 255.255.255.255
interface GigabitEthernet0/0/0/0
ipv4 address 10.1.56.6 255.255.255.0
interface GigabitEthernet0/0/0/1
ipv4 address 10.1.67.6 255.255.255.0
R7:
vrf VIP
address-family ipv4 unicast
import route-target
100:100
export route-target
100:100
interface Loopback0
ipv4 address 10.1.7.7 255.255.255.255
interface GigabitEthernet0/0/0/0
vrf VIP
ipv4 address 10.1.78.7 255.255.255.0
interface GigabitEthernet0/0/0/1
ipv4 address 10.1.67.7 255.255.255.0
R8:
interface Loopback0
ipv4 address 10.1.8.8 255.255.255.255
interface GigabitEthernet0/0/0/0
ipv4 address 10.1.78.8 255.255.255.0
Configure the IGP (IS-IS) inside each AS #
R2:
router isis 1
is-type level-2-only
net 49.0000.0000.0000.0001.00
address-family ipv4 unicast
metric-style wide
!
interface Loopback0
passive
address-family ipv4 unicast
!
!
interface GigabitEthernet0/0/0/1
point-to-point
address-family ipv4 unicast
!
R3:
router isis 1
is-type level-2-only
net 49.0000.0000.0000.0002.00
address-family ipv4 unicast
metric-style wide
!
interface Loopback0
passive
address-family ipv4 unicast
!
!
interface GigabitEthernet0/0/0/0
point-to-point
address-family ipv4 unicast
!
!
interface GigabitEthernet0/0/0/1
point-to-point
address-family ipv4 unicast
!
!
!
R4:
router isis 1
is-type level-2-only
net 49.0000.0000.0000.0004.00
address-family ipv4 unicast
metric-style wide
!
interface Loopback0
passive
address-family ipv4 unicast
!
!
interface GigabitEthernet0/0/0/0
point-to-point
address-family ipv4 unicast
!
!
!
R5:
router isis 1
is-type level-2-only
net 49.0001.0000.0000.0005.00
address-family ipv4 unicast
metric-style wide
!
interface Loopback0
passive
address-family ipv4 unicast
!
!
interface GigabitEthernet0/0/0/0
point-to-point
address-family ipv4 unicast
!
!
!
R6:
router isis 1
is-type level-2-only
net 49.0001.0000.0000.0006.00
address-family ipv4 unicast
metric-style wide
!
interface Loopback0
passive
address-family ipv4 unicast
!
!
interface GigabitEthernet0/0/0/0
point-to-point
address-family ipv4 unicast
!
!
interface GigabitEthernet0/0/0/1
point-to-point
address-family ipv4 unicast
!
!
!
R7:
router isis 1
is-type level-2-only
net 49.0001.0000.0000.0007.00
address-family ipv4 unicast
metric-style wide
!
interface Loopback0
passive
address-family ipv4 unicast
!
!
interface GigabitEthernet0/0/0/1
point-to-point
address-family ipv4 unicast
!
!
!
Configure the label distribution protocol (LDP) inside each AS #
R2:
mpls ldp
log
neighbor
!
router-id 10.1.2.2
address-family ipv4
label
local
allocate for host-routes
!
!
!
interface GigabitEthernet0/0/0/1
!
!
R3:
mpls ldp
log
neighbor
!
router-id 10.1.3.3
address-family ipv4
label
local
allocate for host-routes
!
!
!
interface GigabitEthernet0/0/0/0
!
interface GigabitEthernet0/0/0/1
!
!
R4:
mpls ldp
log
neighbor
!
router-id 10.1.4.4
address-family ipv4
label
local
allocate for host-routes
!
!
!
interface GigabitEthernet0/0/0/0
!
!
R5:
mpls ldp
log
neighbor
!
router-id 10.1.5.5
address-family ipv4
label
local
allocate for host-routes
!
!
!
interface GigabitEthernet0/0/0/0
!
!
R6:
mpls ldp
log
neighbor
!
router-id 10.1.6.6
address-family ipv4
label
local
allocate for host-routes
!
!
!
interface GigabitEthernet0/0/0/0
!
interface GigabitEthernet0/0/0/1
!
!
R7:
mpls ldp
log
neighbor
!
router-id 10.1.7.7
address-family ipv4
label
local
allocate for host-routes
!
!
!
interface GigabitEthernet0/0/0/1
!
!
Configure the BGP neighbors: CE to PE, and PE to ASBR #
One thing to know in advance: on IOS XR an iBGP session works without a route-policy, but an eBGP session must have a route-policy attached in both directions, even if the policy consists of the single keyword "pass". With no inbound policy the router drops the updates the peer sends; with no outbound policy it advertises nothing. The EBGP_PASS policy is shown once, on R1, but it has to exist on every router that references it, so R2 and R7 need the same three lines. "pass" accepts whatever the CE sends; outside a lab, the inbound policy on the PE should accept only the customer's own prefixes (a prefix-set), so that a CE cannot inject arbitrary routes into the VPN.
R1:
route-policy EBGP_PASS
pass
end-policy
!
router bgp 65000
bgp router-id 10.1.1.1
address-family ipv4 unicast
network 10.1.1.1/32
!
neighbor 10.1.12.2
remote-as 1
address-family ipv4 unicast
route-policy EBGP_PASS in
route-policy EBGP_PASS out
!
!
!
R2:
router bgp 1
bgp router-id 10.1.2.2
address-family vpnv4 unicast
!
neighbor 10.1.4.4
remote-as 1
update-source Loopback0
address-family vpnv4 unicast
next-hop-self
!
!
vrf VIP
rd auto
address-family ipv4 unicast
!
neighbor 10.1.12.1
remote-as 65000
address-family ipv4 unicast
route-policy EBGP_PASS in
route-policy EBGP_PASS out
!
!
!
!
R4:
router bgp 1
bgp router-id 10.1.4.4
address-family vpnv4 unicast
!
neighbor 10.1.2.2
remote-as 1
update-source Loopback0
address-family vpnv4 unicast
next-hop-self
!
!
vrf VIP <<< the VRF is configured under BGP so that the received VPNv4 routes are imported into the VRF routing table; otherwise they are only visible in the BGP table
rd auto
address-family ipv4 unicast
!
!
!
R5:
router bgp 2
bgp router-id 10.1.5.5
address-family vpnv4 unicast
!
neighbor 10.1.7.7
remote-as 2
update-source Loopback0
address-family vpnv4 unicast
next-hop-self
!
!
vrf VIP
rd auto
address-family ipv4 unicast
!
!
!
R7:
router bgp 2
bgp router-id 10.1.7.7
address-family vpnv4 unicast
!
neighbor 10.1.5.5
remote-as 2
update-source Loopback0
address-family vpnv4 unicast
next-hop-self
!
!
vrf VIP
rd auto
address-family ipv4 unicast
!
neighbor 10.1.78.8
remote-as 65001
address-family ipv4 unicast
route-policy EBGP_PASS in
route-policy EBGP_PASS out
!
!
!
!
R8:
router bgp 65001
bgp router-id 10.1.8.8
address-family ipv4 unicast
network 10.1.8.8/32
!
neighbor 10.1.78.7
remote-as 2
address-family ipv4 unicast
route-policy EBGP_PASS in
route-policy EBGP_PASS out
!
!
!
Configure mutual route redistribution on the ASBRs #
Each ASBR runs an OSPF process inside VRF VIP on the inter-AS interface and redistributes in both directions: the VRF's BGP routes (the VPNv4 routes learned from its own PE) into OSPF towards the other AS, and the OSPF routes learned from the other AS back into the VRF's BGP table, from where they are advertised as VPNv4 routes to the PE. The "vrf VIP" and "rd auto" lines under router bgp repeat what was configured earlier; only "redistribute ospf VIP" is new. The "capability vrf-lite" line is explained in the Q&A at the end.
R4:
router ospf VIP
vrf VIP
capability vrf-lite
redistribute bgp 1
area 0
interface GigabitEthernet0/0/0/1
!
!
!
!
router bgp 1
vrf VIP
rd auto
address-family ipv4 unicast
redistribute ospf VIP
!
!
!
R5:
router ospf VIP
vrf VIP
capability vrf-lite
redistribute bgp 2
area 0
interface GigabitEthernet0/0/0/1
!
!
!
!
router bgp 2
vrf VIP
rd auto
address-family ipv4 unicast
redistribute ospf VIP
!
!
!
Verify connectivity #
RP/0/0/CPU0:R1#traceroute 10.1.8.8 source 10.1.1.1
Mon Jun 24 01:24:28.393 UTC
Type escape sequence to abort.
Tracing the route to 10.1.8.8
1 10.1.12.2 0 msec 0 msec 0 msec
2 10.1.23.3 [MPLS: Labels 24001/24002 Exp 0] 9 msec 19 msec 9 msec
3 10.1.34.4 [MPLS: Label 24002 Exp 0] 19 msec 19 msec 9 msec
4 10.1.45.5 9 msec 9 msec 9 msec
5 10.1.56.6 [MPLS: Labels 24000/24002 Exp 0] 29 msec 19 msec 29 msec
6 10.1.67.7 [MPLS: Label 24002 Exp 0] 29 msec 19 msec 29 msec
7 10.1.78.8 29 msec * 19 msec
RP/0/0/CPU0:R1#
Reading the label stacks: hops 2 and 5 (the P routers R3 and R6) see two labels, the LDP transport label plus the VPN label; hops 3 and 6 (R4 and R7) see only the VPN label, because the penultimate hop popped the transport label; hop 4, R5's VRF-facing interface, sees no label at all. The packet crosses the AS boundary as plain IPv4 inside VRF VIP, which is what distinguishes Option A from Options B and C, where labeled packets cross the border.
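To check this property over a set of traces instead of by eye, here is an added example (my own script, not from the original post): it parses IOS XR traceroute output, reports the label depth per hop, and flags any trace in which a labeled packet reaches the remote ASBR's VRF-facing interface. The input is the trace above, embedded as a constructed string; the address of the inter-AS hop (10.1.45.5 in this lab) is an argument supplied by the caller.

```python
import re
from dataclasses import dataclass

# Constructed input: the traceroute from R1 shown above, embedded so the script runs offline.
TRACEROUTE_OUTPUT = """\
RP/0/0/CPU0:R1#traceroute 10.1.8.8 source 10.1.1.1
Mon Jun 24 01:24:28.393 UTC
Type escape sequence to abort.
Tracing the route to 10.1.8.8
 1  10.1.12.2 0 msec 0 msec 0 msec
 2  10.1.23.3 [MPLS: Labels 24001/24002 Exp 0] 9 msec 19 msec 9 msec
 3  10.1.34.4 [MPLS: Label 24002 Exp 0] 19 msec 19 msec 9 msec
 4  10.1.45.5 9 msec 9 msec 9 msec
 5  10.1.56.6 [MPLS: Labels 24000/24002 Exp 0] 29 msec 19 msec 29 msec
 6  10.1.67.7 [MPLS: Label 24002 Exp 0] 29 msec 19 msec 29 msec
 7  10.1.78.8 29 msec * 19 msec
"""

# One hop line: TTL, responder address, optional MPLS extension with the label stack
# (outer label first) carried by the probe that expired at that hop.
HOP_RE = re.compile(
    r"^\s*(?P<ttl>\d+)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)"
    r"(?:\s+\[MPLS:\s+Labels?\s+(?P<labels>[\d/]+)\s+Exp\s+\d+\])?"
)


@dataclass
class Hop:
    ttl: int
    ip: str
    labels: list  # empty when the probe arrived as plain IP


def parse_traceroute(text):
    """Return the hops of an IOS XR traceroute; banner, timestamp and prompt lines are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        stack = m.group("labels")
        hops.append(Hop(int(m.group("ttl")), m.group("ip"),
                        [int(x) for x in stack.split("/")] if stack else []))
    return hops


def label_depths(hops):
    """(ttl, number of labels) per hop: 2 = transport + VPN label, 1 = VPN label after PHP."""
    return [(h.ttl, len(h.labels)) for h in hops]


def check_option_a(hops, inter_as_hop_ip):
    """Findings that contradict a VRF-to-VRF (Option A) hand-off; an empty list means the
    path looks right. `inter_as_hop_ip` is the remote ASBR's VRF-facing address."""
    findings = []
    boundary = [h for h in hops if h.ip == inter_as_hop_ip]
    if not boundary:
        findings.append(f"inter-AS hop {inter_as_hop_ip} not present in trace")
    elif boundary[0].labels:
        # In Option A the ASBRs exchange plain IP; a label here means Option B/C style
        # forwarding, or an inter-AS interface that was not placed in the VRF.
        findings.append(f"hop {boundary[0].ttl}: labels {boundary[0].labels} crossed the AS boundary")
    for h in hops:
        if len(h.labels) > 2:
            findings.append(f"hop {h.ttl}: {len(h.labels)} labels, expected at most transport + VPN")
    return findings


if __name__ == "__main__":
    hops = parse_traceroute(TRACEROUTE_OUTPUT)
    for ttl, depth in label_depths(hops):
        print(f"hop {ttl}: {depth} label(s)")
    print("findings:", check_option_a(hops, "10.1.45.5") or "none")
```

Run against the trace above it reports depths 0, 2, 1, 0, 2, 1, 0 and no findings; pointing it at a labeled hop such as 10.1.23.3 produces a finding, which is what you would see if the inter-AS interface had been left in the global table.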
Q&A #
Why is the command "capability vrf-lite" needed? So that the routes each ASBR receives over the VRF link are actually installed. R4 redistributes BGP VPN routes into OSPF, so from R5's point of view it is a PE, and a PE sets the DN bit in the Type-3, Type-5 and Type-7 LSAs it originates from VPN routes (RFC 4576); it also stamps Type-5 LSAs with a VPN route tag, here 3489660929 = 0xD0000001, the automatic tag for AS 1 (RFC 4577). A PE that receives an LSA with the DN bit set, or a Type-5 LSA carrying its own VPN route tag, leaves it out of its route calculation, so nothing R4 advertises would reach R5's VRF table, and the same holds in the other direction. These checks exist to stop a route that left the MPLS VPN through one PE from being re-injected through another, i.e. to prevent loops. With "capability vrf-lite" the OSPF process behaves like a CE in a VRF-lite deployment: the DN-bit and tag checks are not applied, so the routes learned across the link are installed. This also removes OSPF's own loop protection on that link, which is acceptable here only because the mutual redistribution on R4 and R5 is the sole path between the two OSPF instances for this VRF. The Type-5 LSA R4 originates for R1's loopback, with DN among its options:
RP/0/0/CPU0:R4#show ospf vrf VIP database external
Sat Jun 22 13:53:37.752 UTC
OSPF Router with ID (10.1.4.4) (Process ID VIP, VRF VIP)
Type-5 AS External Link States
LS age: 28
Options: (No TOS-capability, DC, DN)
LS Type: AS External Link
Link State ID: 10.1.1.1 (External Network Number)
Advertising Router: 10.1.4.4
LS Seq Number: 80000004
Checksum: 0xaf8e
Length: 36
Network Mask: /32
Metric Type: 2 (Larger than any link state path)
TOS: 0
Metric: 1
Forward Address: 0.0.0.0
External Route Tag: 3489660929
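As an added example (not part of the original post), the following script parses "show ospf database external" output, extracts the DN bit and the External Route Tag, decodes the tag into the originating AS, and reports why a PE that still performs the PE checks would ignore the LSA. The input is R4's output above, embedded as a constructed string; the tag layout follows RFC 4577 section 4.2.5.1 (0xD000 in the high 16 bits, AS number in the low 16 bits) and the fallback tag check is my reading of RFC 4577 section 4.2.5.2.

```python
# Constructed input: R4's `show ospf vrf VIP database external` output shown above.
LSDB_OUTPUT = """\
RP/0/0/CPU0:R4#show ospf vrf VIP database external
Sat Jun 22 13:53:37.752 UTC
            OSPF Router with ID (10.1.4.4) (Process ID VIP, VRF VIP)
                Type-5 AS External Link States
  LS age: 28
  Options: (No TOS-capability, DC, DN)
  LS Type: AS External Link
  Link State ID: 10.1.1.1 (External Network Number)
  Advertising Router: 10.1.4.4
  LS Seq Number: 80000004
  Checksum: 0xaf8e
  Length: 36
  Network Mask: /32
        Metric Type: 2 (Larger than any link state path)
        TOS: 0
        Metric: 1
        Forward Address: 0.0.0.0
        External Route Tag: 3489660929
"""

# RFC 4577 4.2.5.1: the automatic VPN route tag for a 2-byte AS is 0xD000 in the high
# 16 bits (automatic + complete flags, path length 1) and the AS number in the low 16 bits.
VPN_TAG_PREFIX = 0xD0000000


def vpn_route_tag(asn):
    """Tag a PE in AS `asn` stamps on Type-5 LSAs it originates from BGP VPN routes."""
    if not 0 < asn < 0x10000:
        raise ValueError("automatic VPN route tag only encodes a 2-byte AS number")
    return VPN_TAG_PREFIX | asn


def originating_as(tag):
    """AS number encoded in an automatic VPN route tag, or None if the tag is not one."""
    return tag & 0xFFFF if tag & 0xFFFF0000 == VPN_TAG_PREFIX else None


def parse_external_lsas(text):
    """Split IOS XR `show ospf database external` output into one dict per Type-5 LSA."""
    lsas, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("LS age:"):          # first line of every LSA
            cur = {"dn_bit": False, "tag": 0}
            lsas.append(cur)
        elif cur is None:
            continue                            # header lines before the first LSA
        elif line.startswith("Options:"):
            opts = [o.strip() for o in line[len("Options:"):].strip(" ()").split(",")]
            cur["dn_bit"] = "DN" in opts
        elif line.startswith("Link State ID:"):
            cur["prefix"] = line.split()[3]
        elif line.startswith("Advertising Router:"):
            cur["adv_router"] = line.split()[2]
        elif line.startswith("Network Mask:"):
            cur["mask"] = line.split()[2]
        elif line.startswith("External Route Tag:"):
            cur["tag"] = int(line.split()[3])
    return lsas


def pe_would_ignore(lsa, local_as):
    """Reason a PE in `local_as` that still performs the PE checks (no `capability vrf-lite`)
    would leave this LSA out of its route calculation, or None if it would accept it.
    RFC 4576: DN bit set. RFC 4577 4.2.5.2 (fallback): tag equals the PE's own VPN route tag."""
    if lsa["dn_bit"]:
        return "DN bit set"
    if lsa["tag"] == vpn_route_tag(local_as):
        return f"tag 0x{lsa['tag']:08X} is AS {local_as}'s own VPN route tag"
    return None


if __name__ == "__main__":
    for lsa in parse_external_lsas(LSDB_OUTPUT):
        src = originating_as(lsa["tag"])
        print(f"{lsa['prefix']}{lsa['mask']} from {lsa['adv_router']}: DN={lsa['dn_bit']}, "
              f"tag=0x{lsa['tag']:08X} (AS {src}), PE in AS 2 ignores: {pe_would_ignore(lsa, 2)}")
```

For the LSA above the script decodes the tag to AS 1 and reports "DN bit set" for a PE in AS 2, which is exactly the condition that "capability vrf-lite" on R5 switches off. Clearing the DN bit alone would let a PE in AS 2 accept the LSA, but a PE in AS 1 would still reject it on the tag, which is why both checks matter when the two ASBRs happen to share an AS number.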
Configuration files:
[https://mega.nz/#F!xKg1VSJQ!MOGudG5349kecCxBY52LRA](https://mega.nz/#F!xKg1VSJQ!MOGudG5349kecCxBY52LRA)