華為路由器MPLS VPN配置示例

1、-配置 BGP/MPLS IP VPN 示例圖 1 配置 BGP/MPLS IP VPN 組網(wǎng)圖組網(wǎng)需求配置思路操作步驟配置文件組網(wǎng)需求如圖 1 所示：-優(yōu)質(zhì)資料-優(yōu)質(zhì)資料-優(yōu)質(zhì)資料P、PEP、PEOSPF，IP 連通性。PEP 上配置 MPLS 基本能力和 MPLS LDP，建立MPLS LSP 公網(wǎng)隧道，傳輸VPN 數(shù)據(jù)。PE1 和 PE2 上配置 VPN 實(shí)例，其中， 使用的 VPN-target 屬性為 111:1，vpnb 使用的 VPN-target 屬性為 222:2，以實(shí)現(xiàn)相同 VPN 間互通，不同 VPN 間隔離。同時， 與 CEVPNVPN 用戶。PE1 和 PE2MP-I

2、BGPVPN 路由信息。CE 與 PE 之間配置EBGPVPN 路由信息。CE1CE3 和 CE3 屬于 vpna；CE2CE4 和 CE4 屬于 vpnb。公司要求通過部署 BGP/MPLS IP 非研發(fā)區(qū)間數(shù)據(jù)隔離。配置思路采用如下的思路配置 BGP/MPLS IP VPN：操作步驟1.在 MPLS 骨干網(wǎng)上配置 OSPF 協(xié)議，實(shí)現(xiàn)骨干網(wǎng) PE 和 P 的互通操作步驟1.在 MPLS 骨干網(wǎng)上配置 OSPF 協(xié)議，實(shí)現(xiàn)骨干網(wǎng) PE 和 P 的互通# 配置 PE1。 system-view Huawei sysname PE1 PE1 interface loopback 1PE1-Loo

3、pBack1 ip address 1.1.1.9 32 PE1-LoopBack1 quitPE1 interface gigabitethernet 3/0/0PE1-GigabitEthernet3/0/0 ip address 172.1.1.1 24 PE1-GigabitEthernet3/0/0 quitPE1 ospf 1PE1-ospf-1 area 0PE1-ospf-1-area-0.0.0.0 network 172.1.1.0 0.0.0.255PE1-ospf-1-area-0.0.0.0 network 1.1.1.9 0.0.0.0 PE1-ospf-1-are

4、a-0.0.0.0 quitPE1-ospf-1 quit# 配置P。 system-view Huawei sysname PP interface loopback 1P-LoopBack1 ip address 2.2.2.9 32 P-LoopBack1 quitP interface gigabitethernet 1/0/0P-GigabitEthernet1/0/0 ip address 172.1.1.2 24 P-GigabitEthernet1/0/0 quitP interface gigabitethernet 2/0/0P-GigabitEthernet2/0/0 i

5、p address 172.2.1.1 24 P-GigabitEthernet2/0/0 quitP ospfP-ospf-1 area 0P-ospf-1-area-0.0.0.0 network 172.1.1.00.0.0.255P-ospf-1-area-0.0.0.0 network 172.2.1.00.0.0.255P-ospf-1-area-0.0.0.0 network 2.2.2.9 0.0.0.0 P-ospf-1-area-0.0.0.0 quitP-ospf-1quit# 配置 PE2。 system-view Huawei sysname PE2 PE2 inte

6、rface loopback 1PE2-LoopBack1 ip address 3.3.3.9 32 PE2-LoopBack1 quitPE2 interface gigabitethernet 3/0/0PE2-GigabitEthernet3/0/0ip address 172.2.1.2PE2-GigabitEthernet3/0/0 quitPE2 ospfPE2-ospf-1 area 0PE2-ospf-1-area-0.0.0.0 network 172.2.1.0 0.0.0.255PE2-ospf-1-area-0.0.0.0 network 3.3.3.9 0.0.0.

7、0 PE2-ospf-1-area-0.0.0.0 quitPE2-ospf-1 quit配置完成后，PE1、P、PE2 之間應(yīng)能建立 OSPF 鄰居關(guān)系，執(zhí)行display ospf peer 命令可以看到鄰居狀態(tài)為 Full。執(zhí)行 display ip routing-table 命令可以看到 PE 之間學(xué)習(xí)到對方的 Loopback1 路由。以 PE1 的 顯 示 為 例 ： PE1 display ip routing-table Route Flags: R - relay,D - download to fib-Routing Tables: PublicDestinations

8、: 11Destinations : 11Routes : 11Destination/MaskProtoPreCostFlags NextHopInterface1.1.1.9/322.2.2.9/32GigabitEthernet3/0/03.3.3.9/32GigabitEthernet3/0/0Direct 0OSPF0D127.0.0.1LoopBack1101D172.1.1.2OSPF102D172.1.1.2OSPF Process 1 with Router ID1.1.1.9NeighborsArea 0.0.0.0 interface 172.1.1.1(GigabitE

9、thernet3/0/0)sneighborsRouter ID: 2.2.2.9Address: 172.1.1.2State:FullMode:NbrisMasterDR:172.1.1.1BDR:172.1.1.2Priority: 1MTU: 0Dead timer duein37secRetrans timer interval: 5Neighbor is up for 00:16:21 Authentication Sequence: 0127.0.0.0/8Direct 00D127.0.0.1InLoopBack0127.0.0.1/32Direct 00D127.0.0.1I

10、nLoopBack0127.255.255.255/32Direct 00D127.0.0.1InLoopBack0172.1.1.0/24Direct 00D172.1.1.1GigabitEthernet3/0/0172.1.1.1/32Direct 00D127.0.0.1GigabitEthernet3/0/0172.1.1.255/32Direct 00D127.0.0.1GigabitEthernet3/0/0172.2.1.0/24GigabitEthernet3/0/0OSPF102D172.1.1.2255.255.255.255/32Direct 00D127.0.0.1I

11、nLoopBack0PE1 display ospf peer2.在 MPLS 骨干網(wǎng)上配置 MPLS 基本能力和 MPLS LDP，建立LDP LSP2.在 MPLS 骨干網(wǎng)上配置 MPLS 基本能力和 MPLS LDP，建立LDP LSP# 配置 PE1。PE1 mpls lsr-id 1.1.1.9 PE1 mplsPE1-mpls quit PE1 mpls ldpPE1-mpls-ldp quitPE1 interface gigabitethernetPE1-GigabitEthernet3/0/0 mplsPE1-GigabitEthernet3/0/0 mpls ldp PE1

12、-GigabitEthernet3/0/0 quit# 配置P。P mpls lsr-id 2.2.2.9P mplsP-mpls quitP mpls ldpP-mpls-ldp quitP interface gigabitethernet 1/0/0 P-GigabitEthernet1/0/0 mplsP-GigabitEthernet1/0/0 mpls ldp P-GigabitEthernet1/0/0 quitP interface gigabitethernet 2/0/0 P-GigabitEthernet2/0/0 mplsP-GigabitEthernet2/0/0 m

13、pls ldp P-GigabitEthernet2/0/0 quit# 配置 PE2。PE2 mpls lsr-id 3.3.3.9 PE2 mplsPE2-mpls quit PE2 mpls ldpPE2-mpls-ldp quitPE2 interface gigabitethernet 3/0/0 PE2-GigabitEthernet3/0/0 mpls PE2-GigabitEthernet3/0/0 mpls ldp PE2-GigabitEthernet3/0/0 quit上述配置完成后，PE1 與 P、P 與 PE2 之間應(yīng)能建立LDP 會話，執(zhí)行 display mpls

14、 ldpsession 命令可以看到顯示結(jié)果中 Status 項(xiàng)為“Operational”。執(zhí)行display mpls ldp lsp 命令，可以看到LDP LSP 的建立情況。以 PE1 的顯示為例：PE1 display mpls ldp sessionLDP Session(s) in Public NetworkCodes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM) A * before a session means the session is being deleted.-PeerIDStatusLAMSsn

15、RoleSsnAgeKASent/Rcv-2.2.2.9:0Operational DUActive0000:00:016/6-TOTAL: 1 session(s) Found. PE1 display mpls ldp lspLDP LSP Information-DestAddress/MaskIn/OutLabelUpstreamPeerNextHopOutInterface-TOTAL: 5 Normal LSP(s)Found. TOTAL: 1 Liberal LSP(s) Found. TOTAL: 0 Frr LSP(s)Found.A * before an LSP mea

16、ns the LSP is not established A * before a Label means the USCB or DSCB is stale A*beforeaUpstreamPeermeansthesessionisstale A * before a DS means the session isstaleA * before a NextHop means the LSP is FRR LSP1.1.1.9/32*1.1.1.9/323/NULLLiberal/10242.2.2.9127.0.0.1DS/2.2.2.9InLoop02.2.2.9/32NULL/3-

17、172.1.1.2GE3/0/02.2.2.9/321024/32.2.2.9172.1.1.2GE3/0/03.3.3.9/32NULL/1025-172.1.1.2GE3/0/03.3.3.9/321025/10252.2.2.9172.1.1.2GE3/0/03.在 PE 設(shè)備上配置 VPN 實(shí)例，將 CE 接入 PE3.在 PE 設(shè)備上配置 VPN 實(shí)例，將 CE 接入 PE# 配置 PE1。PE1 ip vpn-instance vpnaPE1-vpn-instance-vpna ipv4-familyPE1-vpn-instance-vpna-af-ipv4 route-disti

18、nguisher 100:1 PE1-vpn-instance-vpna-af-ipv4 vpn-target 111:1 bothPE1-vpn-instance-vpna-af-ipv4 quit PE1-vpn-instance-vpna quitPE1 ip vpn-instance vpnbPE1-vpn-instance-vpnb ipv4-familyPE1-vpn-instance-vpnb-af-ipv4 route-distinguisher100:2 PE1-vpn-instance-vpnb-af-ipv4 vpn-target 222:2 both PE1-vpn-i

19、nstance-vpna-af-ipv4 quitPE1-vpn-instance-vpnb quit PE1 interface gigabitethernetPE1-GigabitEthernet1/0/0 ip binding vpn-instancevpna PE1-GigabitEthernet1/0/0 ip address 10.1.1.2 24PE1-GigabitEthernet1/0/0 quit PE1 interface gigabitethernetPE1-GigabitEthernet2/0/0 ip binding vpn-instancevpnb PE1-Gig

20、abitEthernet2/0/0 ip address 10.2.1.2 24PE1-GigabitEthernet2/0/0 quit# 配置 PE2。PE2 ip vpn-instance vpnaPE2-vpn-instance-vpna ipv4-familyPE2-vpn-instance-vpna-af-ipv4 route-distinguisher 200:1 PE2-vpn-instance-vpna-af-ipv4 vpn-target 111:1 both PE2-vpn-instance-vpna-af-ipv4 quitPE2-vpn-instance-vpna q

21、uit PE2 ip vpn-instance vpnbPE2-vpn-instance-vpnb ipv4-familyPE2-vpn-instance-vpnb-af-ipv4 route-distinguisher200:2 PE2-vpn-instance-vpnb-af-ipv4 vpn-target 222:2 both PE2-vpn-instance-vpnb-af-ipv4 quitPE2-vpn-instance-vpnb quit PE2 interface gigabitethernetPE2-GigabitEthernet1/0/0 ip binding vpn-in

22、stancevpna PE2-GigabitEthernet1/0/0 ip address 10.3.1.2 24PE2-GigabitEthernet1/0/0 quit PE2 interface gigabitethernetPE2-GigabitEthernet2/0/0 ip binding vpn-instancevpnb PE2-GigabitEthernet2/0/0 ip address 10.4.1.2 24PE2-GigabitEthernet2/0/0 quit# 按圖 1 配置各 CE 的接口 IP 地址。# 配置 CE1。CE2、CE3 和 CE4 與 CE1 類

23、似，不再贅述。 system-view Huawei sysname CE1-CE1 interface gigabitethernet 1/0/0CE1-GigabitEthernet1/0/0 ip address 10.1.1.1 24 CE1-GigabitEthernet1/0/0 quit配置完成后，在 PE 設(shè)備上執(zhí)行 display ip vpn-instance verbose 命令可以看到 VPN 實(shí)例的配置情況。各 PE 能 ping 通自己接入的 CE。說明：當(dāng) PE 上有多個接口綁定了同一個 VPN，則使用 ping -vpn-instance 命令ping 對端 P

24、E 接入的 CE 時，要指定源 IP 地址，即要指定 ping-vpn-instance source-ip-address s-a，否則可能 ping 不通。以 PE1 為例：PE1 display ip vpn-instance verbose Total VPN-Instances configured : 2 Total IPv4 VPN-Instances configured :2 Total IPv6 VPN-Instances configured :0VPN-Instance Name and ID : vpna, 1 Interfaces : GigabitEthernet

25、1/0/0 Address family ipv4Create date : 2012/07/25 00:58:17Up time : 0 days, 22 hours, 24 minutes and 53seconds Route Distinguisher : 100:1Export VPNTargets:111:1 Import VPNTargets:Label Policy : label per route Log Interval :5VPN-Instance Name and ID : vpnb, 2 Interfaces : GigabitEthernet2/0/0 Addre

26、ss family ipv4Create date : 2012/07/25 00:58:17Up time : 0 days, 22 hours, 24 minutes and 53seconds Route Distinguisher : 100:2Export VPNTargets:222:2 Import VPNTargets:Label Policy : label per route Log Interval :5PE1 ping -vpn-instance vpna 10.1.1.1PING10.1.1.1:56data bytes, press CTRL_C tobreakRe

27、ply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=5 ms令中的參數(shù)-優(yōu)質(zhì)資料-優(yōu)質(zhì)資料-優(yōu)質(zhì)資料4.在 PE 之間建立 MP-IBGP 對等體關(guān)系# 配置 PE1。4.在 PE 之間建立 MP-IBGP 對等體關(guān)系# 配置 PE1。PE1 bgp 100PE1-bgp peer 3.3.3.9 as-number 100PE1-bgp peer 3.3.3.9 connect-interface loopback 1 PE1-bgp ipv4-family vpnv4PE1-bgp-af-vpnv4 peer 3.3.3.9 enable

28、 PE1-bgp-af-vpnv4 quitPE1-bgp quit # 配置 PE2。PE2 bgp 100PE2-bgp peer 1.1.1.9 as-number 100PE2-bgp peer 1.1.1.9 connect-interface loopback 1 PE2-bgp ipv4-family vpnv4PE2-bgp-af-vpnv4 peer 1.1.1.9 enable PE2-bgp-af-vpnv4 quitPE2-bgp quit配置完成后，在 PE 設(shè)備上執(zhí)行 display bgp peer 或 display bgp vpnv4 all peer 命令，

29、可以看到 PE 之間的 BGP 對等體關(guān)系已建立，并達(dá)到Established 狀態(tài)。PE1 display bgp peerBGP local router ID : 1.1.1.9Local AS number : 100 Total number of peers : 1Peers in established state :1PeerVASMsgRcvdMsgSentOutQUp/DownState3.3.3.941001260 00:02:21Established0Replyfrom10.1.1.1:bytes=56Sequence=2ttl=255time=3msReplyfro

30、m10.1.1.1:bytes=56Sequence=3ttl=255time=3msReply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=3 ms Replyfrom10.1.1.1:bytes=56Sequence=5ttl=255time=16ms- 10.1.1.1 ping statistics -5 packet(s) transmitted5 packet(s) received0.00% packet lossround-trip min/avg/max = 3/6/16 msPE1 PE1 display bgp vpnv

31、4 allpeerBGP local router ID : 1.1.1.9Local AS number : 100 Total number of peers : 1Peers in established state :1PeerVASMsgRcvdMsgSentOutQUp/DownState3.3.3.941001218000:09:38Established05.5.在 PE 與 CE 之間建立EBGP 對等體關(guān)系，引入 VPN 路由# 配置 CE1。CE2、CE3 和 CE4 與 CE1 類似，不再贅述。CE1 bgp 65410CE1-bgp peer 10.1.1.2 as-

32、number100 CE1-bgp import-route directCE1-bgp quit# 配置 PE1。PE2 的配置與 PE1 類似，不再贅述。PE1 bgp 100PE1-bgp ipv4-family vpn-instance vpnaPE1-bgp-vpna peer 10.1.1.1 as-number65410 PE1-bgp-vpna import-route directPE1-bgp-vpna quitPE1-bgp ipv4-family vpn-instance vpnbPE1-bgp-vpnb peer 10.2.1.1 as-number65420 PE1

33、-bgp-vpnb import-route directPE1-bgp-vpnb quit PE1-bgp quit配置完成后，在 PE 設(shè)備上執(zhí)行 display bgp vpnv4 vpn-instance peer 命令，可以看到 PE與 CE 之間的 BGP 對等體關(guān)系已建立，并達(dá)到Established 狀態(tài)。以 PE1 與 CE1 的對等體關(guān)系為例：PE1 display bgp vpnv4 vpn-instance vpna peerBGP local router ID : 1.1.1.9 Local AS number : 100VPN-Instance vpna, Rou

34、ter ID 1.1.1.9:Total number of peers:1Peers in established state :1PeerVASMsgRcvdMsgSentOutQUp/DownPrefRcv# 在 PE 設(shè)備上執(zhí)行 # 在 PE 設(shè)備上執(zhí)行 display ip routing-table vpn-instance 命令，可以看到去往對端 CE的路由。# 以 PE1 的顯示為例：PE1 display ip routing-table vpn-instance vpna Route Flags: R - relay,D - download to fib-Routing

35、Tables: vpnaDestinations : 5Routes : 5Destination/MaskProtoPreCostFlags NextHopInterfacePE1displayiprouting-tablevpn-instancevpnbRoute Flags: R - relay, D - download to fib-Routing Tables: vpnbDestinations : 5Routes : 5Destination/MaskProtoPreCostFlags NextHopInterface# 同一 VPN 的 CE 能夠相互 Ping 通，不同 VP

36、N 的 CE 不能相互 Ping 通。# 例如：CE1 能夠 Ping 通 CE3（10.3.1.1），但不能 Ping 通 CE4（10.4.1.1）。CE1 ping 10.3.1.16.驗(yàn)證配置結(jié)果6.驗(yàn)證配置結(jié)果10.1.1.1465410630 00:00:02 Established410.1.1.0/24Direct00D10.1.1.2GigabitEthernet1/0/010.1.1.2/32Direct00D127.0.0.1GigabitEthernet1/0/010.1.1.255/32Direct00D127.0.0.1GigabitEthernet1/0/010.

37、3.1.0/24GigabitEthernet3/0/0IBGP2550RD3.3.3.9255.255.255.255/32Direct00D127.0.0.1InLoopBack010.2.1.0/24Direct00D10.2.1.2GigabitEthernet2/0/010.2.1.2/32Direct00D127.0.0.1GigabitEthernet2/0/010.2.1.255/32Direct00D127.0.0.1GigabitEthernet2/0/010.4.1.0/24GigabitEthernet3/0/0IBGP2550RD3.3.3.9255.255.255.

38、255/32Direct00D127.0.0.1InLoopBack0PING 10.3.1.1: 56 data bytes, press CTRL_C to breakPING 10.3.1.1: 56 data bytes, press CTRL_C to breakReplyfrom10.3.1.1:bytes=56Sequence=1ttl=253time=72ms Replyfrom10.3.1.1:bytes=56Sequence=2ttl=253time=34ms Replyfrom10.3.1.1:bytes=56Sequence=3ttl=253time=50ms Repl

39、yfrom10.3.1.1:bytes=56Sequence=4ttl=253time=50ms Replyfrom10.3.1.1:bytes=56Sequence=5ttl=253time=34ms- 10.3.1.1 ping statistics- 5 packet(s)transmitted5 packet(s) received0.00% packet lossround-trip min/avg/max = 34/48/72ms CE1 ping 10.4.1.1PING 10.4.1.1: 56 data bytes, press CTRL_C to break Request

40、 timeoutRequest timeout Request timeout Request timeout Request timeout- 10.4.1.1 ping statistics- 5 packet(s)transmitted0 packet(s) received100.00% packet loss配置文件配置文件PE1 的配置文件#sysname PE1#ip vpn-instance vpna ipv4-familyroute-distinguisher 100:1vpn-target 111:1export-extmunityvpn-target 111:1impor

41、t-extmunity#ip vpn-instance vpnb ipv4-familyroute-distinguisher 100:2vpn-target 222:2export-extmunityvpn-target 222:2import-extmunity#mpls lsr-id1.1.1.9mpls#mplsldp#interfaceGigabitEthernet1/0/0ip binding vpn-instancevpnaip address 10.1.1.2255.255.255.0#interfaceGigabitEthernet2/0/0ip binding vpn-in

42、stancevpnbip address 10.2.1.2255.255.255.0#interfaceGigabitEthernet3/0/0ip address 172.1.1.1255.255.255.0mplsmplsldp#interfaceLoopBack1ip address 1.1.1.9255.255.255.255#bgp100peer 3.3.3.9 as-number100peer 3.3.3.9 connect-interfaceLoopBack1#ipv4-familyunicastundosynchronizationpeer 3.3.3.9enable#ipv4

43、-familyvpnv4policyvpn-targetpeer 3.3.3.9enable#ipv4-family vpn-instancevpnaimport-routedirectpeer 10.1.1.1 as-number65410#ipv4-family vpn-instancevpnbimport-routedirectpeer 10.2.1.1 as-number65420#returnreturnospf 1area 0.0.0.0network 1.1.1.9 0.0.0.0network 172.1.1.0 0.0.0.255#P 的配置文件#sysname P#mpls

44、 lsr-id 2.2.2.9 mpls#mpls ldp #interface GigabitEthernet1/0/0ip address 172.1.1.2 255.255.255.0mpls mpls ldp #interface GigabitEthernet2/0/0ip address 172.2.1.1 255.255.255.0mpls mpls ldp #interface LoopBack1ip address 2.2.2.9 255.255.255.255#ospf 1area 0.0.0.0network 2.2.2.9 0.0.0.0network 172.1.1.

45、00.0.0.255network 172.2.1.00.0.0.255#PE2 的配置文件#sysname PE2#ip vpn-instancevpnaipv4-familyroute-distinguisher200:1vpn-target 111:1export-extmunityvpn-target 111:1import-extmunity#ip vpn-instancevpnbipv4-familyroute-distinguisher200:2vpn-target 222:2export-extmunityvpn-target 222:2import-extmunity#mpls lsr-id3.3.3.9mpls#mplsldp#interfaceGigabitEthernet1/0/0ip binding vpn-i