華為路由器MPLS-VPN配置示例

配置BGP/MPLSIPVPN示例組網(wǎng)圖形圖1

配置BGP/MPLSIPVPN組網(wǎng)圖

組網(wǎng)需求配置思路操作步驟配置文件組網(wǎng)需求如圖1所示：CE1連接公司總部研發(fā)區(qū)、CE3連接分支機(jī)構(gòu)研發(fā)區(qū)，CE1和CE3屬于vpna；CE2連接公司總部非研發(fā)區(qū)、CE4連接分支機(jī)構(gòu)非研發(fā)區(qū)，CE2和CE4屬于vpnb。公司要求通過部署B(yǎng)GP/MPLSIPVPN，實(shí)現(xiàn)總部和分支機(jī)構(gòu)的安全互通，同時要求研發(fā)區(qū)和非研發(fā)區(qū)間數(shù)據(jù)隔離。配置思路采用如下的思路配置BGP/MPLSIPVPN：P、PE之間配置OSPF，實(shí)現(xiàn)骨干網(wǎng)的IP連通性。PE、P上配置MPLS基本能力和MPLSLDP，建立MPLSLSP公網(wǎng)隧道，傳輸VPN數(shù)據(jù)。PE1和PE2上配置VPN實(shí)例，其中，vpna使用的VPN-target屬性為111:1，vpnb使用的VPN-target屬性為222:2，以實(shí)現(xiàn)相同VPN間互通，不同VPN間隔離。同時，與CE相連的接口和相應(yīng)的VPN實(shí)例綁定，以接入VPN用戶。PE1和PE2之間配置MP-IBGP，交換VPN路由信息。CE與PE之間配置EBGP，交換VPN路由信息。操作步驟在MPLS骨干網(wǎng)上配置OSPF協(xié)議，實(shí)現(xiàn)骨干網(wǎng)PE和P的互通#配置PE1。<Huawei>system-view[Huawei]sysnamePE1[PE1]interfaceloopback1[PE1-LoopBack1]ipaddress32[PE1-LoopBack1]quit[PE1]interfacegigabitethernet3/0/0[PE1-GigabitEthernet3/0/0]ipaddress24[PE1-GigabitEthernet3/0/0]quit[PE1]ospf1[PE1-ospf-1]area0[PE1-ospf-1-area-]network55[PE1-ospf-1-area-]network[PE1-ospf-1-area-]quit[PE1-ospf-1]quit#配置P。<Huawei>system-view[Huawei]sysnameP[P]interfaceloopback1[P-LoopBack1]ipaddress32[P-LoopBack1]quit[P]interfacegigabitethernet1/0/0[P-GigabitEthernet1/0/0]ipaddress24[P-GigabitEthernet1/0/0]quit[P]interfacegigabitethernet2/0/0[P-GigabitEthernet2/0/0]ipaddress24[P-GigabitEthernet2/0/0]quit[P]ospf[P-ospf-1]area0[P-ospf-1-area-]network55[P-ospf-1-area-]network55[P-ospf-1-area-]network[P-ospf-1-area-]quit[P-ospf-1]quit#配置PE2。<Huawei>system-view[Huawei]sysnamePE2[PE2]interfaceloopback1[PE2-LoopBack1]ipaddress32[PE2-LoopBack1]quit[PE2]interfacegigabitethernet3/0/0[PE2-GigabitEthernet3/0/0]ipaddress24[PE2-GigabitEthernet3/0/0]quit[PE2]ospf[PE2-ospf-1]area0[PE2-ospf-1-area-]network55[PE2-ospf-1-area-]network[PE2-ospf-1-area-]quit[PE2-ospf-1]quit配置完成后，PE1、P、PE2之間應(yīng)能建立OSPF鄰居關(guān)系，執(zhí)行displayospfpeer命令可以看到鄰居狀態(tài)為Full。執(zhí)行displayiprouting-table命令可以看到PE之間學(xué)習(xí)到對方的Loopback1路由。以PE1的顯示為例：[PE1]displayiprouting-tableRouteFlags:R-relay,D-downloadtofibRoutingTables:PublicDestinations:11Routes:11Destination/MaskProtoPreCostFlagsNextHopInterface/32Direct00DLoopBack1/32OSPF101DGigabitEthernet3/0/0/32OSPF102DGigabitEthernet3/0/0/8Direct00DInLoopBack0/32Direct00DInLoopBack055/32Direct00DInLoopBack0/24Direct00DGigabitEthernet3/0/0/32Direct00DGigabitEthernet3/0/055/32Direct00DGigabitEthernet3/0/0/24OSPF102DGigabitEthernet3/0/055/32Direct00DInLoopBack0[PE1]displayospfpeerOSPFProcess1withRouterIDNeighborsAreainterface(GigabitEthernet3/0/0)'sneighborsRouterID:Address:State:FullMode:NbrisMasterPriority:1DR:BDR:MTU:0Deadtimerduein37secRetranstimerinterval:5Neighborisupfor00:16:21AuthenticationSequence:[0]在MPLS骨干網(wǎng)上配置MPLS基本能力和MPLSLDP，建立LDPLSP#配置PE1。[PE1]mplslsr-id[PE1]mpls[PE1-mpls]quit[PE1]mplsldp[PE1-mpls-ldp]quit[PE1]interfacegigabitethernet3/0/0[PE1-GigabitEthernet3/0/0]mpls[PE1-GigabitEthernet3/0/0]mplsldp[PE1-GigabitEthernet3/0/0]quit#配置P。[P]mplslsr-id[P]mpls[P-mpls]quit[P]mplsldp[P-mpls-ldp]quit[P]interfacegigabitethernet1/0/0[P-GigabitEthernet1/0/0]mpls[P-GigabitEthernet1/0/0]mplsldp[P-GigabitEthernet1/0/0]quit[P]interfacegigabitethernet2/0/0[P-GigabitEthernet2/0/0]mpls[P-GigabitEthernet2/0/0]mplsldp[P-GigabitEthernet2/0/0]quit#配置PE2。[PE2]mplslsr-id[PE2]mpls[PE2-mpls]quit[PE2]mplsldp[PE2-mpls-ldp]quit[PE2]interfacegigabitethernet3/0/0[PE2-GigabitEthernet3/0/0]mpls[PE2-GigabitEthernet3/0/0]mplsldp[PE2-GigabitEthernet3/0/0]quit上述配置完成后，PE1與P、P與PE2之間應(yīng)能建立LDP會話，執(zhí)行displaymplsldpsession命令可以看到顯示結(jié)果中Status項(xiàng)為“Operational”。執(zhí)行displaymplsldplsp命令，可以看到LDPLSP的建立情況。以PE1的顯示為例：[PE1]displaymplsldpsessionLDPSession(s)inPublicNetworkCodes:LAM(LabelAdvertisementMode),SsnAgeUnit(DDDD:HH:MM)A'*'beforeasessionmeansthesessionisbeingdeleted.PeerIDStatusLAMSsnRoleSsnAgeKASent/Rcv:0OperationalDUActive0000:00:016/6TOTAL:1session(s)Found.[PE1]displaymplsldplspLDPLSPInformationDestAddress/MaskIn/OutLabelUpstreamPeerNextHopOutInterface/323/NULLInLoop0*/32Liberal/1024DS//32NULL/3-GE3/0/0/321024/3GE3/0/0/32NULL/1025-GE3/0/0/321025/1025GE3/0/0TOTAL:5NormalLSP(s)Found.TOTAL:1LiberalLSP(s)Found.TOTAL:0FrrLSP(s)Found.A'*'beforeanLSPmeanstheLSPisnotestablishedA'*'beforeaLabelmeanstheUSCBorDSCBisstaleA'*'beforeaUpstreamPeermeansthesessionisstaleA'*'beforeaDSmeansthesessionisstaleA'*'beforeaNextHopmeanstheLSPisFRRLSP在PE設(shè)備上配置VPN實(shí)例，將CE接入PE#配置PE1。[PE1]ipvpn-instancevpna[PE1-vpn-instance-vpna]ipv4-family[PE1-vpn-instance-vpna-af-ipv4]route-distinguisher100:1[PE1-vpn-instance-vpna-af-ipv4]vpn-target111:1both[PE1-vpn-instance-vpna-af-ipv4]quit[PE1-vpn-instance-vpna]quit[PE1]ipvpn-instancevpnb[PE1-vpn-instance-vpnb]ipv4-family[PE1-vpn-instance-vpnb-af-ipv4]route-distinguisher100:2[PE1-vpn-instance-vpnb-af-ipv4]vpn-target222:2both[PE1-vpn-instance-vpna-af-ipv4]quit[PE1-vpn-instance-vpnb]quit[PE1]interfacegigabitethernet1/0/0[PE1-GigabitEthernet1/0/0]ipbindingvpn-instancevpna[PE1-GigabitEthernet1/0/0]ipaddress24[PE1-GigabitEthernet1/0/0]quit[PE1]interfacegigabitethernet2/0/0[PE1-GigabitEthernet2/0/0]ipbindingvpn-instancevpnb[PE1-GigabitEthernet2/0/0]ipaddress24[PE1-GigabitEthernet2/0/0]quit#配置PE2。[PE2]ipvpn-instancevpna[PE2-vpn-instance-vpna]ipv4-family[PE2-vpn-instance-vpna-af-ipv4]route-distinguisher200:1[PE2-vpn-instance-vpna-af-ipv4]vpn-target111:1both[PE2-vpn-instance-vpna-af-ipv4]quit[PE2-vpn-instance-vpna]quit[PE2]ipvpn-instancevpnb[PE2-vpn-instance-vpnb]ipv4-family[PE2-vpn-instance-vpnb-af-ipv4]route-distinguisher200:2[PE2-vpn-instance-vpnb-af-ipv4]vpn-target222:2both[PE2-vpn-instance-vpnb-af-ipv4]quit[PE2-vpn-instance-vpnb]quit[PE2]interfacegigabitethernet1/0/0[PE2-GigabitEthernet1/0/0]ipbindingvpn-instancevpna[PE2-GigabitEthernet1/0/0]ipaddress24[PE2-GigabitEthernet1/0/0]quit[PE2]interfacegigabitethernet2/0/0[PE2-GigabitEthernet2/0/0]ipbindingvpn-instancevpnb[PE2-GigabitEthernet2/0/0]ipaddress24[PE2-GigabitEthernet2/0/0]quit#按圖1配置各CE的接口IP地址。#配置CE1。CE2、CE3和CE4與CE1類似，不再贅述。<Huawei>system-view[Huawei]sysnameCE1[CE1]interfacegigabitethernet1/0/0[CE1-GigabitEthernet1/0/0]ipaddress24[CE1-GigabitEthernet1/0/0]quit配置完成后，在PE設(shè)備上執(zhí)行displayipvpn-instanceverbose命令可以看到VPN實(shí)例的配置情況。各PE能ping通自己接入的CE。

說明：當(dāng)PE上有多個接口綁定了同一個VPN，則使用ping-vpn-instance命令ping對端PE接入的CE時，要指定源IP地址，即要指定ping-vpn-instance

vpn-instance-name

-a

source-ip-addressdest-ip-address命令中的參數(shù)-asource-ip-address，否則可能ping不通。以PE1為例：[PE1]displayipvpn-instanceverboseTotalVPN-Instancesconfigured:2TotalIPv4VPN-Instancesconfigured:2TotalIPv6VPN-Instancesconfigured:0VPN-InstanceNameandID:vpna,1Interfaces:GigabitEthernet1/0/0Addressfamilyipv4Createdate:2012/07/2500:58:17Uptime:0days,22hours,24minutesand53secondsRouteDistinguisher:100:1ExportVPNTargets:111:1ImportVPNTargets:111:1LabelPolicy:labelperrouteLogInterval:5VPN-InstanceNameandID:vpnb,2Interfaces:GigabitEthernet2/0/0Addressfamilyipv4Createdate:2012/07/2500:58:17Uptime:0days,22hours,24minutesand53secondsRouteDistinguisher:100:2ExportVPNTargets:222:2ImportVPNTargets:222:2LabelPolicy:labelperrouteLogInterval:5[PE1]ping-vpn-instancevpnaPING:56databytes,pressCTRL_CtobreakReplyfrom:bytes=56Sequence=1ttl=255time=5msReplyfrom:bytes=56Sequence=2ttl=255time=3msReplyfrom:bytes=56Sequence=3ttl=255time=3msReplyfrom:bytes=56Sequence=4ttl=255time=3msReplyfrom:bytes=56Sequence=5ttl=255time=16mspingstatistics5packet(s)transmitted5packet(s)received0.00%packetlossround-tripmin/avg/max=3/6/16ms在PE之間建立MP-IBGP對等體關(guān)系#配置PE1。[PE1]bgp100[PE1-bgp]peeras-number100[PE1-bgp]peerconnect-interfaceloopback1[PE1-bgp]ipv4-familyvpnv4[PE1-bgp-af-vpnv4]peerenable[PE1-bgp-af-vpnv4]quit[PE1-bgp]quit#配置PE2。[PE2]bgp100[PE2-bgp]peeras-number100[PE2-bgp]peerconnect-interfaceloopback1[PE2-bgp]ipv4-familyvpnv4[PE2-bgp-af-vpnv4]peerenable[PE2-bgp-af-vpnv4]quit[PE2-bgp]quit配置完成后，在PE設(shè)備上執(zhí)行displaybgppeer或displaybgpvpnv4allpeer命令，可以看到PE之間的BGP對等體關(guān)系已建立，并達(dá)到Established狀態(tài)。[PE1]displaybgppeerBGPlocalrouterID:LocalASnumber:100Totalnumberofpeers:1Peersinestablishedstate:1PeerVASMsgRcvdMsgSentOutQUp/DownStatePrefRcv4100126000:02:21Established0[PE1]displaybgpvpnv4allpeerBGPlocalrouterID:LocalASnumber:100Totalnumberofpeers:1Peersinestablishedstate:1PeerVASMsgRcvdMsgSentOutQUp/DownStatePrefRcv41001218000:09:38Established0在PE與CE之間建立EBGP對等體關(guān)系，引入VPN路由#配置CE1。CE2、CE3和CE4與CE1類似，不再贅述。[CE1]bgp65410[CE1-bgp]peeras-number100[CE1-bgp]import-routedirect[CE1-bgp]quit#配置PE1。PE2的配置與PE1類似，不再贅述。[PE1]bgp100[PE1-bgp]ipv4-familyvpn-instancevpna[PE1-bgp-vpna]peeras-number65410[PE1-bgp-vpna]import-routedirect[PE1-bgp-vpna]quit[PE1-bgp]ipv4-familyvpn-instancevpnb[PE1-bgp-vpnb]peeras-number65420[PE1-bgp-vpnb]import-routedirect[PE1-bgp-vpnb]quit[PE1-bgp]quit配置完成后，在PE設(shè)備上執(zhí)行displaybgpvpnv4vpn-instancepeer命令，可以看到PE與CE之間的BGP對等體關(guān)系已建立，并達(dá)到Established狀態(tài)。以PE1與CE1的對等體關(guān)系為例：[PE1]displaybgpvpnv4vpn-instancevpnapeerBGPlocalrouterID:LocalASnumber:100VPN-Instancevpna,RouterID:Totalnumberofpeers:1Peersinestablishedstate:1PeerVASMsgRcvdMsgSentOutQUp/DownStatePrefRcv46541063000:00:02Established4驗(yàn)證配置結(jié)果#在PE設(shè)備上執(zhí)行displayiprouting-tablevpn-instance命令，可以看到去往對端CE的路由。#以PE1的顯示為例：[PE1]displayiprouting-tablevpn-instancevpnaRouteFlags:R-relay,D-downloadtofibRoutingTables:vpnaDestinations:5Routes:5Destination/MaskProtoPreCostFlagsNextHopInterface/24Direct00DGigabitEthernet1/0/0/32Direct00DGigabitEthernet1/0/055/32Direct00DGigabitEthernet1/0/0/24IBGP2550RDGigabitEthernet3/0/055/32Direct00DInLoopBack0[PE1]displayiprouting-tablevpn-instancevpnbRouteFlags:R-relay,D-downloadtofibRoutingTables:vpnbDestinations:5Routes:5Destination/MaskProtoPreCostFlagsNextHopInterface/24Direct00DGigabitEthernet2/0/0/32Direct00DGigabitEthernet2/0/055/32Direct00DGigabitEthernet2/0/0/24IBGP2550RDGigabitEthernet3/0/055/32Direct00DInLoopBack0#同一VPN的CE能夠相互Ping通，不同VPN的CE不能相互Ping通。#例如：CE1能夠Ping通CE3（），但不能Ping通CE4（）。[CE1]pingPING:56databytes,pressCTRL_CtobreakReplyfrom:bytes=56Sequence=1ttl=253time=72msReplyfrom:bytes=56Sequence=2ttl=253time=34msReplyfrom:bytes=56Sequence=3ttl=253time=50msReplyfrom:bytes=56Sequence=4ttl=253time=50msReplyfrom:bytes=56Sequence=5ttl=253time=34mspingstatistics5packet(s)transmitted5packet(s)received0.00%packetlossround-tripmin/avg/max=34/48/72ms[CE1]pingPING:56databytes,pressCTRL_CtobreakRequesttimeoutRequesttimeoutRequesttimeoutRequesttimeoutRequesttimeoutpingstatistics5packet(s)transmitted0packet(s)received100.00%packetloss配置文件PE1的配置文件#sysnamePE1#ipvpn-instancevpnaipv4-familyroute-distinguisher100:1vpn-target111:1export-extcommunityvpn-target111:1import-extcommunity#ipvpn-instancevpnbipv4-familyroute-distinguisher100:2vpn-target222:2export-extcommunityvpn-target222:2import-extcommunity#mplslsr-idmpls#mplsldp#interfaceGigabitEthernet1/0/0ipbindingvpn-instancevpnaipaddress#interfaceGigabitEthernet2/0/0ipbindingvpn-instancevpnbipaddress#interfaceGigabitEthernet3/0/0ipaddressmplsmplsldp#interfaceLoopBack1ipaddress55#bgp100peeras-number100peerconnect-interfaceLoopBack1#ipv4-familyunicastundosynchronizationpeerenable#ipv4-familyvpnv4policyvpn-targetpeerenable#ipv4-familyvpn-instancevpnaimport-routedirectpeeras-number65410#ipv4-familyvpn-instancevpnbimport-routedirectpeeras-number65420#ospf1areanetworknetwork55#returnP的配置文件#sysnameP#mplslsr-idmpls#mplsldp#interfaceGigabitEthernet1/0/0ipaddressmplsmplsldp#interfaceGigabitEthernet2/0/0ipaddressmplsmplsldp#interfaceLoopBack1ipaddress55#ospf1areanetworknetwork55network55#returnPE2的配置文件#sysnamePE2#ipvpn-instancevpnaipv4-familyroute-distinguisher200:1vpn-target111:1export-e