
Inter-AS MPLS VPN Option A Configuration Example (IOS XR)

Author: Rory

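Inter-AS VPN solutions mainly address connectivity between a customer's sites that sit in different ASes; that is, they allow the customer's VPN routes to be passed between two ASes. RFC 4364 describes three solutions, which I will cover one by one in upcoming articles. This article covers the first one, Option A. It requires dedicated interfaces on the ASBRs between the two ASes to exchange routing information, which is why it is also called VRF-to-VRF.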

Before we begin

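The configuration steps are:

  • Configure IP addresses and VRFs
  • Configure the IGP (IS-IS) in both ASes
  • Configure the label distribution protocol (LDP) inside each AS
  • Configure the BGP neighbors between CE and PE, and between PE and ASBR
  • Configure mutual route redistribution between the ASBRs
  • Verify connectivity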

Configure IP addresses and VRFs

R1:
interface Loopback0
 ipv4 address 10.1.1.1 255.255.255.255
!
interface GigabitEthernet0/0/0/0
 ipv4 address 10.1.12.1 255.255.255.0
!

R2:
vrf VIP
 address-family ipv4 unicast
  import route-target
   100:100
  !
  export route-target
   100:100
  !
 !
!
interface Loopback0
 ipv4 address 10.1.2.2 255.255.255.255
!
interface GigabitEthernet0/0/0/0
 vrf VIP
 ipv4 address 10.1.12.2 255.255.255.0
!
interface GigabitEthernet0/0/0/1
 ipv4 address 10.1.23.2 255.255.255.0
!

R3:
interface Loopback0
 ipv4 address 10.1.3.3 255.255.255.255
!
interface GigabitEthernet0/0/0/0
 ipv4 address 10.1.34.3 255.255.255.0
!
interface GigabitEthernet0/0/0/1
 ipv4 address 10.1.23.3 255.255.255.0
!

R4:
vrf VIP
 address-family ipv4 unicast
  import route-target
   100:100
  !
  export route-target
   100:100
  !
 !
!
interface Loopback0
 ipv4 address 10.1.4.4 255.255.255.255
!
interface GigabitEthernet0/0/0/0
 ipv4 address 10.1.34.4 255.255.255.0
!
interface GigabitEthernet0/0/0/1 <<< this is the dedicated ASBR interface mentioned earlier
 vrf VIP
 ipv4 address 10.1.45.4 255.255.255.0
!

R5:
vrf VIP
 address-family ipv4 unicast
  import route-target
   100:100
  !
  export route-target
   100:100
  !
 !
!
interface Loopback0
 ipv4 address 10.1.5.5 255.255.255.255
!
interface GigabitEthernet0/0/0/0
 ipv4 address 10.1.56.5 255.255.255.0
!
interface GigabitEthernet0/0/0/1
 vrf VIP
 ipv4 address 10.1.45.5 255.255.255.0
!

R6:
interface Loopback0
 ipv4 address 10.1.6.6 255.255.255.255
!
interface GigabitEthernet0/0/0/0
 ipv4 address 10.1.56.6 255.255.255.0
!
interface GigabitEthernet0/0/0/1
 ipv4 address 10.1.67.6 255.255.255.0
!

R7:
vrf VIP
 address-family ipv4 unicast
  import route-target
   100:100
  !
  export route-target
   100:100
  !
 !
!
interface Loopback0
 ipv4 address 10.1.7.7 255.255.255.255
!
interface GigabitEthernet0/0/0/0
 vrf VIP
 ipv4 address 10.1.78.7 255.255.255.0
!
interface GigabitEthernet0/0/0/1
 ipv4 address 10.1.67.7 255.255.255.0
!

R8:
interface Loopback0
 ipv4 address 10.1.8.8 255.255.255.255
!
interface GigabitEthernet0/0/0/0
 ipv4 address 10.1.78.8 255.255.255.0
!

Configure the IGP (IS-IS) in both ASes



R2:
router isis 1
 is-type level-2-only
 net 49.0000.0000.0000.0001.00
 address-family ipv4 unicast
  metric-style wide
 !
 interface Loopback0
  passive
  address-family ipv4 unicast
  !
 !
 interface GigabitEthernet0/0/0/1
  point-to-point
  address-family ipv4 unicast
  !
 !
!

R3:
router isis 1
 is-type level-2-only
 net 49.0000.0000.0000.0002.00
 address-family ipv4 unicast
  metric-style wide
 !
 interface Loopback0
  passive
  address-family ipv4 unicast
  !
 !
 interface GigabitEthernet0/0/0/0
  point-to-point
  address-family ipv4 unicast
  !
 !
 interface GigabitEthernet0/0/0/1
  point-to-point
  address-family ipv4 unicast
  !
 !
!

R4:
router isis 1
 is-type level-2-only
 net 49.0000.0000.0000.0004.00
 address-family ipv4 unicast
  metric-style wide
 !
 interface Loopback0
  passive
  address-family ipv4 unicast
  !
 !
 interface GigabitEthernet0/0/0/0
  point-to-point
  address-family ipv4 unicast
  !
 !
!

R5:
router isis 1
 is-type level-2-only
 net 49.0001.0000.0000.0005.00
 address-family ipv4 unicast
  metric-style wide
 !
 interface Loopback0
  passive
  address-family ipv4 unicast
  !
 !
 interface GigabitEthernet0/0/0/0
  point-to-point
  address-family ipv4 unicast
  !
 !
!

R6:
router isis 1
 is-type level-2-only
 net 49.0001.0000.0000.0006.00
 address-family ipv4 unicast
  metric-style wide
 !
 interface Loopback0
  passive
  address-family ipv4 unicast
  !
 !
 interface GigabitEthernet0/0/0/0
  point-to-point
  address-family ipv4 unicast
  !
 !
 interface GigabitEthernet0/0/0/1
  point-to-point
  address-family ipv4 unicast
  !
 !
!

R7:
router isis 1
 is-type level-2-only
 net 49.0001.0000.0000.0007.00
 address-family ipv4 unicast
  metric-style wide
 !
 interface Loopback0
  passive
  address-family ipv4 unicast
  !
 !
 interface GigabitEthernet0/0/0/1
  point-to-point
  address-family ipv4 unicast
  !
 !
!

Configure the label distribution protocol (LDP) inside each AS



R2:
mpls ldp
 log
  neighbor
 !
 router-id 10.1.2.2
 address-family ipv4
  label
   local
    allocate for host-routes
   !
  !
 !
 interface GigabitEthernet0/0/0/1
 !
!

R3:
mpls ldp
 log
  neighbor
 !
 router-id 10.1.3.3
 address-family ipv4
  label
   local
    allocate for host-routes
   !
  !
 !
 interface GigabitEthernet0/0/0/0
 !
 interface GigabitEthernet0/0/0/1
 !
!

R4:
mpls ldp
 log
  neighbor
 !
 router-id 10.1.4.4
 address-family ipv4
  label
   local
    allocate for host-routes
   !
  !
 !
 interface GigabitEthernet0/0/0/0
 !
!

R5:
mpls ldp
 log
  neighbor
 !
 router-id 10.1.5.5
 address-family ipv4
  label
   local
    allocate for host-routes
   !
  !
 !
 interface GigabitEthernet0/0/0/0
 !
!

R6:
mpls ldp
 log
  neighbor
 !
 router-id 10.1.6.6
 address-family ipv4
  label
   local
    allocate for host-routes
   !
  !
 !
 interface GigabitEthernet0/0/0/0
 !
 interface GigabitEthernet0/0/0/1
 !
!

R7:
mpls ldp
 log
  neighbor
 !
 router-id 10.1.7.7
 address-family ipv4
  label
   local
    allocate for host-routes
   !
  !
 !
 interface GigabitEthernet0/0/0/1
 !
!

Configure the BGP neighbors between CE and PE, and between PE and ASBR

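One thing to know up front: on IOS XR, iBGP sessions do not need a route-policy, but eBGP sessions must have one configured in both the inbound and the outbound direction, even if the route-policy consists of nothing but the keyword pass. Without an inbound policy, updates sent by the peer are dropped; without an outbound policy, no updates are advertised.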



R1:
route-policy EBGP_PASS
  pass
end-policy
!
router bgp 65000
 bgp router-id 10.1.1.1
 address-family ipv4 unicast
  network 10.1.1.1/32
 !
 neighbor 10.1.12.2
  remote-as 1
  address-family ipv4 unicast
   route-policy EBGP_PASS in
   route-policy EBGP_PASS out
  !
 !
!

R2:
route-policy EBGP_PASS
  pass
end-policy
!
router bgp 1
 bgp router-id 10.1.2.2
 address-family vpnv4 unicast
 !
 neighbor 10.1.4.4
  remote-as 1
  update-source Loopback0
  address-family vpnv4 unicast
   next-hop-self
  !
 !
 vrf VIP
  rd auto
  address-family ipv4 unicast
  !
  neighbor 10.1.12.1
   remote-as 65000
   address-family ipv4 unicast
    route-policy EBGP_PASS in
    route-policy EBGP_PASS out
   !
  !
 !
!

R4:
router bgp 1
 bgp router-id 10.1.4.4
 address-family vpnv4 unicast
 !
 neighbor 10.1.2.2
  remote-as 1
  update-source Loopback0
  address-family vpnv4 unicast
   next-hop-self
  !
 !
 vrf VIP <<< the VRF is configured here so that received VPNv4 routes are installed in the routing table; otherwise they would only be visible in the BGP table
  rd auto
  address-family ipv4 unicast
  !
 !
!

R5:
router bgp 2
 bgp router-id 10.1.5.5
 address-family vpnv4 unicast
 !
 neighbor 10.1.7.7
  remote-as 2
  update-source Loopback0
  address-family vpnv4 unicast
   next-hop-self
  !
 !
 vrf VIP
  rd auto
  address-family ipv4 unicast
  !
 !
!

R7:
route-policy EBGP_PASS
  pass
end-policy
!
router bgp 2
 bgp router-id 10.1.7.7
 address-family vpnv4 unicast
 !
 neighbor 10.1.5.5
  remote-as 2
  update-source Loopback0
  address-family vpnv4 unicast
   next-hop-self
  !
 !
 vrf VIP
  rd auto
  address-family ipv4 unicast
  !
  neighbor 10.1.78.8
   remote-as 65001
   address-family ipv4 unicast
    route-policy EBGP_PASS in
    route-policy EBGP_PASS out
   !
  !
 !
!

R8:
route-policy EBGP_PASS
  pass
end-policy
!
router bgp 65001
 bgp router-id 10.1.8.8
 address-family ipv4 unicast
  network 10.1.8.8/32
 !
 neighbor 10.1.78.7
  remote-as 2
  address-family ipv4 unicast
   route-policy EBGP_PASS in
   route-policy EBGP_PASS out
  !
 !
!
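
The eBGP rule stated at the top of this section (a route-policy is required in both directions, or updates are silently dropped or never sent) can be checked mechanically before a commit. The following is an added example, not part of the original article: a Python check that reads a `router bgp` stanza and reports eBGP neighbors lacking an inbound or outbound policy. The function name and the sample text are constructed for illustration, and the input is assumed to contain only the `router bgp` stanza.

```python
import re

# Constructed sample: R2's BGP stanza from this page ("!" lines omitted),
# with the outbound policy on the CE session removed to trigger a finding.
SAMPLE = """\
router bgp 1
 neighbor 10.1.4.4
  remote-as 1
  update-source Loopback0
  address-family vpnv4 unicast
   next-hop-self
 vrf VIP
  rd auto
  neighbor 10.1.12.1
   remote-as 65000
   address-family ipv4 unicast
    route-policy EBGP_PASS in
"""

def audit_ebgp_policies(config):
    """Return (vrf, neighbor, address-family, missing direction) tuples."""
    local_as, vrf, nbr, af = None, "default", None, None
    ebgp, seen = {}, {}   # (vrf, nbr) -> bool; (vrf, nbr, af) -> directions
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("router "):
            m = re.fullmatch(r"router bgp (\S+)", line)
            local_as, vrf, nbr, af = (m[1] if m else None), "default", None, None
        elif local_as is None:
            continue  # not inside a "router bgp" stanza
        elif m := re.fullmatch(r"vrf (\S+)", line):
            vrf, nbr, af = m[1], None, None
        elif m := re.fullmatch(r"neighbor (\S+)", line):
            nbr, af = m[1], None
        elif nbr and (m := re.fullmatch(r"remote-as (\S+)", line)):
            ebgp[(vrf, nbr)] = m[1] != local_as
        elif nbr and (m := re.fullmatch(r"address-family (.+)", line)):
            af = m[1]
            seen.setdefault((vrf, nbr, af), set())
        elif af and (m := re.fullmatch(r"route-policy \S+ (in|out)", line)):
            seen[(vrf, nbr, af)].add(m[1])
    # Neighbors with no local remote-as (neighbor-group inheritance) are
    # skipped: this check does not resolve inherited settings.
    return [(v, n, a, d) for (v, n, a), dirs in seen.items()
            if ebgp.get((v, n)) for d in ("in", "out") if d not in dirs]

if __name__ == "__main__":
    for vrf, nbr, af, d in audit_ebgp_policies(SAMPLE):
        print(f"vrf {vrf} neighbor {nbr} {af}: no route-policy {d}")
```

The parser keys on keywords rather than indentation, so it also accepts configuration text whose leading whitespace was lost when it was copied.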

Configure mutual route redistribution between the ASBRs


R4:
router ospf VIP
 vrf VIP
  capability vrf-lite
  redistribute bgp 1
  area 0
   interface GigabitEthernet0/0/0/1
   !
  !
 !
!
router bgp 1
 vrf VIP
  rd auto
  address-family ipv4 unicast
   redistribute ospf VIP
  !
 !
!

R5:
router ospf VIP
 vrf VIP
  capability vrf-lite
  redistribute bgp 2
  area 0
   interface GigabitEthernet0/0/0/1
   !
  !
 !
!
router bgp 2
 vrf VIP
  rd auto
  address-family ipv4 unicast
   redistribute ospf VIP
  !
 !
!

Verify connectivity



RP/0/0/CPU0:R1#traceroute 10.1.8.8 source 10.1.1.1
Mon Jun 24 01:24:28.393 UTC

Type escape sequence to abort.
Tracing the route to 10.1.8.8

1 10.1.12.2 0 msec 0 msec 0 msec
2 10.1.23.3 [MPLS: Labels 24001/24002 Exp 0] 9 msec 19 msec 9 msec
3 10.1.34.4 [MPLS: Label 24002 Exp 0] 19 msec 19 msec 9 msec
4 10.1.45.5 9 msec 9 msec 9 msec
5 10.1.56.6 [MPLS: Labels 24000/24002 Exp 0] 29 msec 19 msec 29 msec
6 10.1.67.7 [MPLS: Label 24002 Exp 0] 29 msec 19 msec 29 msec
7 10.1.78.8 29 msec \* 19 msec
RP/0/0/CPU0:R1#

Q&A

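Why is the command "capability vrf-lite" needed? Its main purpose is to let the received routes be installed in the routing table. The reasoning is as follows: from R5's point of view, R4 is a PE device, and whenever a PE advertises Type 3, 5 or 7 LSAs to the CE on the other side it sets the DN bit, as shown below. A CE on the other side that receives an LSA with the DN bit set does not install it in the routing table; the main purpose of this is loop prevention. So in this scenario, using this command keeps the DN bit from being generated, so that the received routes can be installed in the routing table.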



RP/0/0/CPU0:R4#show ospf vrf VIP database external
Sat Jun 22 13:53:37.752 UTC

            OSPF Router with ID (10.1.4.4) (Process ID VIP, VRF VIP)

                Type-5 AS External Link States

LS age: 28
Options: (No TOS-capability, DC, DN)
LS Type: AS External Link
Link State ID: 10.1.1.1 (External Network Number)
Advertising Router: 10.1.4.4
LS Seq Number: 80000004
Checksum: 0xaf8e
Length: 36
Network Mask: /32
Metric Type: 2 (Larger than any link state path)
TOS: 0
Metric: 1
Forward Address: 0.0.0.0
External Route Tag: 3489660929

Configuration files:

[https://mega.nz/#F!xKg1VSJQ!MOGudG5349kecCxBY52LRA](https://mega.nz/#F!xKg1VSJQ!MOGudG5349kecCxBY52LRA)