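This time we use the Huawei AR2240 for an MPLS L3 lab.
If you want to learn how to build MPLS L3 on Debian Linux, see the article "[ Linux ] Building an MPLS L3 Network with Debian Linux".
The full topology is shown below:
First we configure the IP addresses, MPLS and OSPF for the topology inside the VPNv4 domain. Once that is done, check the OSPF and LDP adjacencies on AR2.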
```
<AR2-P>display ospf peer brief

 OSPF Process 1 with Router ID 10.0.0.2
 Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State
 0.0.0.0          GigabitEthernet4/0/1             10.0.0.3         Full
 0.0.0.0          GigabitEthernet4/0/2             10.0.0.1         Full
 0.0.0.0          GigabitEthernet4/0/3             10.0.0.10        Full
 ----------------------------------------------------------------------------
```

```
<AR2-P>dis mpls ldp session

 LDP Session(s) in Public Network
 Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
 A '*' before a session means the session is being deleted.
 ------------------------------------------------------------------------------
 PeerID             Status      LAM  SsnRole  SsnAge      KASent/Rcv
 ------------------------------------------------------------------------------
 10.0.0.1:0         Operational DU   Active   0000:00:03  14/14
 10.0.0.3:0         Operational DU   Passive  0000:00:03  14/14
 10.0.0.10:0        Operational DU   Passive  0000:00:03  14/14
 ------------------------------------------------------------------------------
 TOTAL: 3 session(s) Found.
```

```
<AR2-P>display mpls lsp
-------------------------------------------------------------------------------
                 LSP Information: LDP LSP
-------------------------------------------------------------------------------
FEC                In/Out Label  In/Out IF                      Vrf Name
10.0.0.3/32        NULL/3        -/GE4/0/1
10.0.0.3/32        1024/3        -/GE4/0/1
10.0.0.2/32        3/NULL        -/-
10.0.0.1/32        NULL/3        -/GE4/0/2
10.0.0.1/32        1025/3        -/GE4/0/2
10.0.0.10/32       NULL/3        -/GE4/0/3
10.0.0.10/32       1026/3        -/GE4/0/3
```
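The checks show that OSPF and MPLS LDP adjacencies on the backbone are established normally and that labels have been distributed. Next we configure MBGP on the backbone.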
AR8 ( BGP RR ):
```
[AR8-RR-bgp]dis this
[V200R003C00]
#
bgp 65000
 undo default ipv4-unicast
 peer 10.0.0.1 as-number 65000
 peer 10.0.0.1 connect-interface LoopBack0
 peer 10.0.0.3 as-number 65000
 peer 10.0.0.3 connect-interface LoopBack0
 #
 ipv4-family unicast
  undo synchronization
  peer 10.0.0.1 enable
  peer 10.0.0.1 reflect-client
  peer 10.0.0.1 advertise-community
  peer 10.0.0.3 enable
  peer 10.0.0.3 reflect-client
  peer 10.0.0.3 advertise-community
 #
 ipv4-family vpnv4
  undo policy vpn-target
  peer 10.0.0.1 enable
  peer 10.0.0.1 reflect-client
  peer 10.0.0.1 advertise-community
  peer 10.0.0.3 enable
  peer 10.0.0.3 reflect-client
  peer 10.0.0.3 advertise-community
```
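Be sure to configure advertise-community; otherwise the inet-vpnv4 extended attribute is not sent to the RR clients, which leaves them with no route entries. Also note that when a Huawei router acts as the RR, policy vpn-target must be removed from the BGP config; otherwise the RR will not accept the routes.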
AR1 ( PE ):
```
<AR1-PE>dis current-configuration
[V200R003C00]
#
ip vpn-instance green
 ipv4-family
  route-distinguisher 65001:100
  vpn-target 65001:100 export-extcommunity
  vpn-target 65001:100 import-extcommunity
#
ip vpn-instance red
 ipv4-family
  route-distinguisher 65002:100
  vpn-target 65002:100 export-extcommunity
  vpn-target 65002:100 import-extcommunity
#
interface GigabitEthernet4/0/0
 ip binding vpn-instance green
 ip address 10.1.0.1 255.255.255.0
#
interface GigabitEthernet4/0/2
 ip binding vpn-instance red
 ip address 10.2.0.1 255.255.255.0
#
bgp 65000
 undo default ipv4-unicast
 peer 10.0.0.10 as-number 65000
 peer 10.0.0.10 connect-interface LoopBack0
 #
 ipv4-family unicast
  undo synchronization
  peer 10.0.0.10 enable
  peer 10.0.0.10 advertise-community
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 10.0.0.10 enable
  peer 10.0.0.10 advertise-community
 #
 ipv4-family vpn-instance green
  peer 10.1.0.2 as-number 65001
  peer 10.1.0.2 substitute-as
 #
 ipv4-family vpn-instance red
  peer 10.2.0.2 as-number 65002
  peer 10.2.0.2 substitute-as
```
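substitute-as is added here to replace the AS at the end of the AS-PATH, so that the CE does not refuse the routes of its own network because of the BGP split-horizon mechanism. It does the same job as Cisco's as-override.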
AR3 ( PE ):
```
<AR3-PE>dis current-configuration
[V200R003C00]
#
ip vpn-instance green
 ipv4-family
  route-distinguisher 65001:100
  vpn-target 65001:100 export-extcommunity
  vpn-target 65001:100 import-extcommunity
#
ip vpn-instance red
 ipv4-family
  route-distinguisher 65002:100
  vpn-target 65002:100 export-extcommunity
  vpn-target 65002:100 import-extcommunity
#
interface GigabitEthernet4/0/0
 ip binding vpn-instance red
 ip address 10.3.0.1 255.255.255.0
#
interface GigabitEthernet4/0/2
 ip binding vpn-instance green
 ip address 10.4.0.1 255.255.255.0
#
bgp 65000
 undo default ipv4-unicast
 peer 10.0.0.10 as-number 65000
 peer 10.0.0.10 connect-interface LoopBack0
 #
 ipv4-family unicast
  undo synchronization
  peer 10.0.0.10 enable
  peer 10.0.0.10 advertise-community
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 10.0.0.10 enable
  peer 10.0.0.10 advertise-community
 #
 ipv4-family vpn-instance green
  peer 10.4.0.2 as-number 65001
  peer 10.4.0.2 substitute-as
 #
 ipv4-family vpn-instance red
  peer 10.3.0.2 as-number 65002
  peer 10.3.0.2 substitute-as
```
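Then configure the IP addresses and BGP on the CEs at both ends and have each CE advertise its downstream subnet; that completes the topology.
Now let's test how routes are sent and received: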
```
<AR4-VRF-Green>dis bgp routing-table

 BGP Local router ID is 10.1.0.2
 Status codes: * - valid, > - best, d - damped,
               h - history, i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete

 Total Number of Routes: 2
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn

 *>   192.168.0.0        0.0.0.0         0                     0      i
 *>   192.168.3.0        10.1.0.1                              0      65000 65000i
```

```
<AR5-VRF-Red>dis bgp routing-table

 BGP Local router ID is 192.168.1.1
 Status codes: * - valid, > - best, d - damped,
               h - history, i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete

 Total Number of Routes: 2
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn

 *>   192.168.1.0        0.0.0.0         0                     0      i
 *>   192.168.2.0        10.2.0.1                              0      65000 65000i
```
The routes are clearly isolated. Now we ping from each PC to a host in the same-colour VRF and to one in the other-colour VRF:
```
PC1-VRF-Green>ping 192.168.3.2

Ping 192.168.3.2: 32 data bytes, Press Ctrl_C to break
Request timeout!    <== This is an arp request
From 192.168.3.2: bytes=32 seq=2 ttl=123 time=32 ms
From 192.168.3.2: bytes=32 seq=3 ttl=123 time=47 ms
From 192.168.3.2: bytes=32 seq=4 ttl=123 time=31 ms
From 192.168.3.2: bytes=32 seq=5 ttl=123 time=31 ms

--- 192.168.3.2 ping statistics ---
  5 packet(s) transmitted
  4 packet(s) received
  20.00% packet loss
  round-trip min/avg/max = 0/35/47 ms

PC1-VRF-Green>ping 192.168.2.2

Ping 192.168.2.2: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!

--- 192.168.2.2 ping statistics ---
  5 packet(s) transmitted
  0 packet(s) received
  100.00% packet loss
```

```
PC2-VRF-Red>ping 192.168.2.2

Ping 192.168.2.2: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 192.168.2.2: bytes=32 seq=2 ttl=123 time=31 ms
From 192.168.2.2: bytes=32 seq=3 ttl=123 time=31 ms
From 192.168.2.2: bytes=32 seq=4 ttl=123 time=47 ms
From 192.168.2.2: bytes=32 seq=5 ttl=123 time=31 ms

--- 192.168.2.2 ping statistics ---
  5 packet(s) transmitted
  4 packet(s) received
  20.00% packet loss
  round-trip min/avg/max = 0/35/47 ms

PC2-VRF-Red>ping 192.168.3.2

Ping 192.168.3.2: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!

--- 192.168.3.2 ping statistics ---
  5 packet(s) transmitted
  0 packet(s) received
  100.00% packet loss
```
Data forwarding is isolated as well, so the network build is complete.
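The route-target reasoning behind the PE configurations and the RR note above can be checked offline. The following Python sketch is an added example, not part of the original article or any Huawei tooling: it parses the vpn-instance stanzas, lists any VRF pair where one imports a route target the other exports, and models why an RR with no vpn-instance keeps no VPNv4 routes while policy vpn-target is on. Assumptions: the function names are hypothetical, the sample text is the AR1 stanzas re-typed one command per line, and the filter is a simplified model of VPN-target filtering.

```python
import re

# Constructed sample: the vpn-instance stanzas of the AR1 PE config shown above.
PE_CONFIG = """\
ip vpn-instance green
 ipv4-family
  route-distinguisher 65001:100
  vpn-target 65001:100 export-extcommunity
  vpn-target 65001:100 import-extcommunity
#
ip vpn-instance red
 ipv4-family
  route-distinguisher 65002:100
  vpn-target 65002:100 export-extcommunity
  vpn-target 65002:100 import-extcommunity
#
"""
KINDS = {"export-extcommunity": ("export",), "import-extcommunity": ("import",),
         "both": ("export", "import")}

def parse_vpn_targets(config):
    """Return {vrf: {"export": set, "import": set}} from VRP-style config text."""
    vrfs, current = {}, None
    for line in map(str.strip, config.splitlines()):
        m = re.match(r"ip vpn-instance (\S+)$", line)
        tok = line.split()
        if m:
            current = vrfs.setdefault(m.group(1), {"export": set(), "import": set()})
        elif line == "#":
            current = None  # '#' ends the current stanza
        elif current is not None and tok[:1] == ["vpn-target"]:
            kind = tok[-1] if tok[-1] in KINDS else "both"  # no keyword means both
            for direction in KINDS[kind]:
                current[direction].update(t for t in tok[1:] if t not in KINDS)
    return vrfs

def leaks(vrfs):
    """(src, dst) pairs where dst imports a route target exported by another VRF src."""
    return sorted((s, d) for s in vrfs for d in vrfs
                  if s != d and vrfs[s]["export"] & vrfs[d]["import"])

def accepts_vpnv4(route_rts, vrfs, policy_vpn_target=True):
    """Simplified model of VPN-target filtering: with the policy on, a received
    VPNv4 route is kept only if one of its RTs is a locally configured import RT."""
    local = set().union(*(v["import"] for v in vrfs.values()))
    return not policy_vpn_target or bool(set(route_rts) & local)

if __name__ == "__main__":
    pe = parse_vpn_targets(PE_CONFIG)
    print("cross-VRF leaks on PE:", leaks(pe))
    # An RR has no vpn-instance, so its set of import RTs is empty.
    print("RR keeps route, policy on :", accepts_vpnv4({"65001:100"}, {}))
    print("RR keeps route, policy off:", accepts_vpnv4({"65001:100"}, {}, False))
```

Running the same check against every PE's saved configuration after a change flags an added import target that would join the green and red VPNs before any traffic test does.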
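Summary:
- Overall the configuration is much the same as on Cisco, but vendors may have their own implementation in some of the finer details, so pay close attention to those.
- Huawei's CLI is basically the Cisco CLI with different words…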