MPLS VPN

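MPLS VPN is typically a virtual private network service offered by a carrier. Because the carrier operates the service, bandwidth and stability can be guaranteed.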

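MPLS VPN terminology

  • PE
    • Provider edge device
  • CE
    • Customer edge device
  • P
    • Provider internal (core) device
  • VRF (Virtual Routing and Forwarding)
    • Can be thought of as a virtual router with its own routing table and its own dedicated interfaces
    • VRFs are configured on the PE
    • An interface can be assigned to a VRF and then connected to the customer network
    • The customer network's routes are then learned by the VRF, which repackages them in the VPN-specific format and passes them on
  • RT
    • Can be thought of as the admission ticket to a VRF; every VPNv4 entry must carry an RT
    • A VRF only admits permitted VPNv4 entries into its routing table
    • The export RT is the RT value carried by entries leaving this VRF
    • The import RT is the RT value an entry must carry to enter this VRF
  • RD
    • A value used to tell routes apart, written as ASN:NN
    • Combined with the customer's route to form the VPNv4 entry, ASN:NN.x.x.x.x
    • If several customers use conflicting IP ranges, the RD keeps them from colliding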

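Because MPLS VPN is usually provided by the carrier, the devices that matter most for configuration and study are the PE and P.

MPLS VPN solves the following problems between two sites:

  • Learning route entries between the two sites
  • Carrying traffic between the two sites

Basic MPLS VPN configuration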


Provider base configuration

R2
mpls label range 200 299
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
ip ospf 1 area 0
!
interface Ethernet0/0
no ip address
shutdown
!
interface Ethernet0/1
ip address 192.168.23.2 255.255.255.0
ip ospf 1 area 0
mpls ip
==================================
R3
mpls label range 300 399
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
ip ospf 1 area 0
!
interface Ethernet0/0
ip address 192.168.23.3 255.255.255.0
ip ospf 1 area 0
mpls ip
!
interface Ethernet0/1
ip address 192.168.34.3 255.255.255.0
ip ospf 1 area 0
mpls ip
==================================
R4
mpls label range 400 499
!
interface Loopback0
ip address 4.4.4.4 255.255.255.255
ip ospf 1 area 0
!
interface Ethernet0/0
ip address 192.168.34.4 255.255.255.0
ip ospf 1 area 0
mpls ip
!
interface Ethernet0/1
ip address 192.168.45.4 255.255.255.0
ip ospf 1 area 0
mpls ip
==================================
R5
mpls label range 500 599
!
interface Loopback0
ip address 5.5.5.5 255.255.255.255
ip ospf 1 area 0
!
interface Ethernet0/0
ip address 192.168.45.5 255.255.255.0
ip ospf 1 area 0
mpls ip

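Establishing the BGP VPNv4 neighbors

MPLS VPN mainly uses BGP to carry route entries, which solves the problem of learning routes between the two sites.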

R2
router bgp 200
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 5.5.5.5 remote-as 200
neighbor 5.5.5.5 update-source Loopback0
!
address-family vpnv4
neighbor 5.5.5.5 activate
neighbor 5.5.5.5 send-community extended
exit-address-family
========================
R5
router bgp 200
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 2.2.2.2 remote-as 200
neighbor 2.2.2.2 update-source Loopback0
!
address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community extended
exit-address-family

Checking the BGP VPNv4 neighbor relationship

R2#sh ip bgp vpnv4 all summary 
BGP router identifier 1.1.1.1, local AS number 200
BGP table version is 1, main routing table version 1

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
5.5.5.5 4 200 5 5 1 0 0 00:01:51 0

Assigning the VRF for the customer connection

R2
ip vrf Blue
rd 100:123
route-target export 200:5
route-target import 200:2
interface Ethernet0/0
ip vrf forwarding Blue
ip address 192.168.12.2 255.255.255.0
! Ethernet0/0 was shut down in the base configuration, so bring it up
no shutdown
======================================
R5
ip vrf Blue
rd 100:123
route-target export 200:2
route-target import 200:5
interface Ethernet0/1
ip vrf forwarding Blue
ip address 192.168.56.5 255.255.255.0
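
An added example, not part of the original page: a Python check that reads `ip vrf` stanzas like the ones above and lists which VRF accepts which VRF's exported routes, so an RT mistake that would join two customers shows up in review. The Blue stanzas are the page's; the Red VRF on R5 and its values are constructed to show a leak.

```python
import re

# R2/R5 "Blue" stanzas are the page's; "Red" on R5 is constructed to show a leak.
CONFIGS = {
    "R2": """ip vrf Blue
 rd 100:123
 route-target export 200:5
 route-target import 200:2
interface Ethernet0/0
 ip vrf forwarding Blue""",
    "R5": """ip vrf Blue
 rd 100:123
 route-target export 200:2
 route-target import 200:5
ip vrf Red
 rd 100:456
 route-target export 200:9
 route-target import 200:9
 route-target import 200:5""",
}

def parse_vrfs(configs):
    """Return {(pe, vrf): {"import": set, "export": set}} from IOS 'ip vrf' stanzas."""
    vrfs = {}
    for pe, text in configs.items():
        cur = None
        for line in map(str.strip, text.splitlines()):
            if m := re.fullmatch(r"ip vrf (\S+)", line):
                cur = vrfs.setdefault((pe, m.group(1)), {"import": set(), "export": set()})
            elif cur is not None and (m := re.fullmatch(r"route-target (import|export|both) (\S+)", line)):
                kinds = ("import", "export") if m.group(1) == "both" else (m.group(1),)
                for kind in kinds:
                    cur[kind].add(m.group(2))
            elif line and not line.startswith("rd "):
                cur = None  # any other command ends the VRF stanza
    return vrfs

def import_edges(vrfs):
    # (exporter, importer, rt) wherever one VRF's export RT is another VRF's import RT
    return sorted((s, d, rt) for s, sv in vrfs.items() for d, dv in vrfs.items()
                  if s != d for rt in sv["export"] & dv["import"])

def audit(vrfs):
    edges = import_edges(vrfs)
    pairs = {(s, d) for s, d, _ in edges}
    cross = [f"cross-VRF: {'/'.join(d)} imports {rt} exported by {'/'.join(s)}" for s, d, rt in edges if s[1] != d[1]]
    one_way = [f"one-way: {'/'.join(d)} learns from {'/'.join(s)} with no return path" for s, d, _ in edges if (d, s) not in pairs]
    return cross + one_way

print("\n".join(audit(parse_vrfs(CONFIGS))))
```

With only the page's two Blue stanzas the audit reports nothing; both findings come from the constructed Red VRF importing 200:5.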

Configuring the IGP between CE and PE

R1
interface Loopback0
ip address 1.1.1.1 255.255.255.0
ip ospf 1 area 0
!
interface Ethernet0/0
ip address 192.168.12.1 255.255.255.0
ip ospf 1 area 0
=============================
R2
interface Ethernet0/0
ip ospf 2 area 0
==============================
R5
interface Ethernet0/1
ip ospf 2 area 0
=================================
R6
interface Loopback0
ip address 6.6.6.6 255.255.255.0
ip ospf 1 area 0
!
interface Ethernet0/0
ip address 192.168.56.6 255.255.255.0
ip ospf 1 area 0

Injecting VRF routes into BGP VPNv4

R2
router bgp 200
address-family ipv4 vrf Blue
redistribute ospf 2 match internal external 1 external 2
router ospf 2 vrf Blue
redistribute bgp 200 subnets
==========================
R5
router bgp 200
address-family ipv4 vrf Blue
redistribute ospf 2 match internal external 1 external 2
router ospf 2 vrf Blue
redistribute bgp 200 subnets

Final checks

Route propagation

R1#sh ip route
1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 1.1.1.0/24 is directly connected, Loopback0
L 1.1.1.1/32 is directly connected, Loopback0
6.0.0.0/32 is subnetted, 1 subnets
O IA 6.6.6.6 [110/21] via 192.168.12.2, 00:01:54, Ethernet0/0
192.168.12.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.12.0/24 is directly connected, Ethernet0/0
L 192.168.12.1/32 is directly connected, Ethernet0/0
O IA 192.168.56.0/24 [110/11] via 192.168.12.2, 00:01:54, Ethernet0/0

Data traffic forwarding

R1#ping 6.6.6.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

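How MPLS VPN works

Routing level

  • CE-PE
    • The CE and PE run an ordinary IGP between them
    • The CE advertises its routes to the corresponding PE interface
    • The PE learns the routes into the corresponding VRF
  • PE-P-PE
    • The PEs establish a BGP VPNv4 neighbor relationship with each other
    • The VPNv4 entries in the VRF are redistributed into BGP
    • BGP sends them as updates to the VPNv4 neighbor
    • On receipt, the neighbor adds each route to the matching VRF routing table according to the RT value it carries
  • PE-CE
    • The BGP entries are redistributed into the IGP

Traffic level

  • CE-PE
    • Ordinary routed forwarding
    • After receiving traffic from the CE, the PE adds two layers of labels
    • The bottom label is provided by BGP
    • The top label is provided by LDP
  • PE-P-PE
    • Traffic is forwarded using the outermost LDP label
    • The top label is popped before the traffic finally reaches the PE
    • The PE ultimately receives data carrying only the bottom label, and sends it out the corresponding VRF interface
  • PE-CE
    • Ordinary routed forwarding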
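
An added example, not part of the original page: the two-label stack described above, encoded as RFC 3032 label stack entries and walked from R2 to R5 in Python. The label values 300, 400 and 500 are constructed, chosen inside each router's `mpls label range` from the base configuration; the payload bytes are a placeholder.

```python
import struct

def encode(stack, ttl=255):
    """Pack labels (top first) as RFC 3032 entries: label(20) | TC(3) | S(1) | TTL(8)."""
    last = len(stack) - 1
    return b"".join(struct.pack("!I", (lbl << 12) | ((i == last) << 8) | ttl)
                    for i, lbl in enumerate(stack))

def decode(data):
    """Parse entries up to the bottom-of-stack bit; return (labels, remaining payload)."""
    labels, off = [], 0
    while True:
        if off + 4 > len(data):
            raise ValueError("truncated label stack: no bottom-of-stack entry")
        (word,) = struct.unpack_from("!I", data, off)
        off += 4
        labels.append(word >> 12)
        if word & 0x100:          # S bit set: this was the bottom (VPN) label
            return labels, data[off:]

# Constructed labels inside the page's per-router "mpls label range" values.
LFIB = {("R3", 300): ("swap", 400, "R4"),   # LDP labels toward 5.5.5.5
        ("R4", 400): ("pop", None, "R5")}   # penultimate hop pops the top label
VPN_LFIB = {("R5", 500): ("Blue", "Ethernet0/1")}  # label R5 advertised via BGP VPNv4

def trace(payload=b"ICMP echo to 6.6.6.6"):
    """R2 pushes [LDP 300, VPN 500]; follow the frame to the egress VRF on R5."""
    frame, node, seen = encode([300, 500]) + payload, "R3", []
    while True:
        labels, rest = decode(frame)
        seen.append((node, labels))           # stack as received by this router
        if len(labels) == 1 and (node, labels[0]) in VPN_LFIB:
            return seen, VPN_LFIB[(node, labels[0])], rest
        action, new, nxt = LFIB[(node, labels[0])]   # P routers read the top label only
        labels = [new] + labels[1:] if action == "swap" else labels[1:]
        frame, node = encode(labels) + rest, nxt

if __name__ == "__main__":
    for hop in trace()[0]:
        print(hop)
```

The P routers only ever look up the top label; the choice of VRF on R5 rests entirely on the bottom label, which is why a label missing from either table raises `KeyError` here instead of being forwarded.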