MPLS_VPN

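Author: Sec小玖 | Published: 2017-12-07 20:19
    Topology

    Configuration approach:

    1. First configure the IGP inside the ISP network, typically OSPF or IS-IS.

    2. Configure MPLS and LDP inside the ISP network.

    3. Create a VRF on each PE device and assign the CE-facing interfaces to it (VPN, RD, RT).

    4. Configure the routing protocol between PE and CE (static routes, default routes, OSPF, RIP, IS-IS, etc.; OSPF is used most often).

    5. Establish MP-BGP neighbor relationships between the PEs.

    6. Perform mutual route import on the PE routers (for example, OSPF into BGP and BGP into OSPF).

    Interface IP address configuration is omitted.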

    1. Configure IS-IS as the IGP inside AS100

    [R1]isis 1

    [R1-isis-1]network-entity 49.0001.1111.1111.1111.00

    [R1-isis-1]int lo0

    [R1-LoopBack0]isis enable 1

    [R1-LoopBack0]int g0/0/2

    [R1-GigabitEthernet0/0/2]isis enable 1

    [R2]isis 1

    [R2-isis-1]network-entity 49.0001.2222.2222.2222.00

    [R2-isis-1]int lo0

    [R2-LoopBack0]isis enable 1

    [R2-LoopBack0]int g0/0/2

    [R2-GigabitEthernet0/0/2]isis enable 1

    [R2-GigabitEthernet0/0/2]int g0/0/1

    [R2-GigabitEthernet0/0/1]isis enable 1

    [R3]isis 1

    [R3-isis-1]network-entity 49.0001.3333.3333.3333.00

    [R3-isis-1]int lo0

    [R3-LoopBack0]isis enable 1

    [R3-LoopBack0]int g0/0/1

    [R3-GigabitEthernet0/0/1]isis enable 1

    [R1]ping -a 10.0.1.1 10.0.3.3

    PING 10.0.3.3: 56  data bytes, press CTRL_C to break

    Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=254 time=70 ms

    2. Configure MPLS and LDP in the carrier network AS100

    [R1]mpls lsr-id 10.0.1.1

    [R1]mpls

    [R1-mpls]mpls ldp

    [R1-mpls-ldp]int g0/0/2

    [R1-GigabitEthernet0/0/2]mpls

    [R1-GigabitEthernet0/0/2]mpls ldp

    [R2]mpls lsr-id 10.0.2.2

    [R2]mpls

    [R2-mpls]mpls ldp

    [R2-mpls-ldp]int g0/0/2

    [R2-GigabitEthernet0/0/2]mpls

    [R2-GigabitEthernet0/0/2]mpls ldp

    [R2-GigabitEthernet0/0/2]int g0/0/1

    [R2-GigabitEthernet0/0/1]mpls

    [R2-GigabitEthernet0/0/1]mpls ldp

    [R3]mpls lsr-id 10.0.3.3

    [R3]mpls

    [R3-mpls]mpls ldp

    [R3-mpls-ldp]int g0/0/1

    [R3-GigabitEthernet0/0/1]mpls

    [R3-GigabitEthernet0/0/1]mpls ldp

    3. Configure MP-BGP between the PE devices

    [R1]bgp 100

    [R1-bgp]peer 10.0.3.3 as-number 100

    [R1-bgp]peer 10.0.3.3 connect-interface lo0

    [R1-bgp]peer 10.0.3.3 next-hop-local

    [R1-bgp]ipv4-family vpnv4 unicast

    [R1-bgp-af-vpnv4]peer 10.0.3.3 enable

    [R1-bgp-af-vpnv4]peer 10.0.3.3 advertise-community

    [R3]bgp 100

    [R3-bgp]router-id 10.0.3.3

    [R3-bgp]peer 10.0.1.1 as-number 100

    [R3-bgp]peer 10.0.1.1 connect-interface lo0

    [R3-bgp]peer 10.0.1.1 next-hop-local

    [R3-bgp]ipv4-family vpnv4

    [R3-bgp-af-vpnv4]peer 10.0.1.1 enable

    [R3-bgp-af-vpnv4]peer 10.0.1.1 advertise-community

    4. Create VPN instances on the PEs and bind them to interfaces

    [R1]ip vpn-instance vpna

    [R1-vpn-instance-vpna]ipv4-family

    [R1-vpn-instance-vpna-af-ipv4]route-distinguisher 1:4

    [R1-vpn-instance-vpna-af-ipv4]vpn-target 4:6

    [R1-vpn-instance-vpna-af-ipv4]int g0/0/0

    [R1-GigabitEthernet0/0/0]ip binding vpn-instance vpna

    [R1-GigabitEthernet0/0/0]ip add 10.0.14.1 24

    [R1]ip vpn-instance vpnb

    [R1-vpn-instance-vpnb]ipv4-family

    [R1-vpn-instance-vpnb-af-ipv4]route-distinguisher 1:5

    [R1-vpn-instance-vpnb-af-ipv4]vpn-target 5:7

    [R1-vpn-instance-vpnb-af-ipv4]int g0/0/1

    [R1-GigabitEthernet0/0/1]ip binding vpn-instance vpnb

    [R1-GigabitEthernet0/0/1]ip add 10.0.15.1 24

    [R3]ip vpn-instance vpna

    [R3-vpn-instance-vpna]ipv4-family

    [R3-vpn-instance-vpna-af-ipv4]route-distinguisher 3:6

    [R3-vpn-instance-vpna-af-ipv4]vpn-target 4:6

    [R3-vpn-instance-vpna-af-ipv4]int g0/0/0

    [R3-GigabitEthernet0/0/0]ip binding vpn-instance vpna

    [R3-GigabitEthernet0/0/0]ip add 10.0.36.3 24

    [R3]ip vpn-instance vpnb

    [R3-vpn-instance-vpnb]ipv4-family

    [R3-vpn-instance-vpnb-af-ipv4]route-distinguisher 3:7

    [R3-vpn-instance-vpnb-af-ipv4]vpn-target 5:7

    [R3-vpn-instance-vpnb-af-ipv4]int g0/0/2

    [R3-GigabitEthernet0/0/2]ip binding vpn-instance vpnb

    [R3-GigabitEthernet0/0/2]ip add 10.0.37.3 24

    5. Configure BGP-based PE-CE connectivity for Company A

    [R4]bgp 10

    [R4-bgp]peer 10.0.14.1 as-number 100

    [R4-bgp]network 10.0.4.4 32

    [R1]bgp 100

    [R1-bgp]ipv4-family vpn-instance vpna

    [R1-bgp-vpna]peer 10.0.14.4 as-number 10

    [R6]bgp 20

    [R6-bgp]peer 10.0.36.3 as-number 100

    [R6-bgp]network 10.0.6.6 32

    [R3]bgp 100

    [R3-bgp]ipv4-family vpn-instance vpna

    [R3-bgp-vpna]peer 10.0.36.6 as-number 20

    [R4]ping -c 1 -a 10.0.4.4 10.0.6.6

    PING 10.0.6.6: 56  data bytes, press CTRL_C to break

    Reply from 10.0.6.6: bytes=56 Sequence=1 ttl=252 time=50 ms

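    R4 and R6 can communicate normally.

    6. Configure PE-CE connectivity for Company B using static routes and OSPF.

    On R1, create a static route for VPN instance vpnb

    [R1]ip route-static vpn-instance vpnb 10.0.5.5 32 10.0.15.5

    On R5, create a default route

    [R5]ip route-static 0.0.0.0 0 10.0.15.1

    In the BGP view on R1, use the ipv4-family vpn-instance vpnb command to enter the view of VPN instance vpnb, then import the static routes of VPN instance vpnb into BGP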

    [R1]bgp 100

    [R1-bgp]ipv4-family vpn-instance vpnb

    [R1-bgp-vpnb]import-route static

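    The PE-CE connectivity configuration between R5 and R1 is now complete.

    Configure connectivity between R3 and R7; on R7, use an ordinary OSPF configuration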

    [R7]ospf 1 router-id 10.0.7.7

    [R7-ospf-1]area 0

    [R7-ospf-1-area-0.0.0.0]network 10.0.37.0 0.0.0.255

    [R7-ospf-1-area-0.0.0.0]network 10.0.7.7 0.0.0.0

    On R3, create an OSPF process for VPN instance vpnb

    [R3]ospf 1 vpn-instance vpnb

    [R3-ospf-1]area 0

    [R3-ospf-1-area-0.0.0.0]network 10.0.37.0 0.0.0.255

    In the OSPF view on R3, use the import-route bgp command to import the BGP routes of VPN instance vpnb into OSPF

    [R3]ospf 1

    [R3-ospf-1]import-route bgp

    In the BGP view on R3, use the ipv4-family vpn-instance vpnb command to enter the view of VPN instance vpnb, then import the OSPF routes of VPN instance vpnb into BGP

    [R3]bgp 100

    [R3-bgp]ipv4-family vpn-instance vpnb

    [R3-bgp-vpnb]import-route ospf 1

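    The connectivity between R3 and R7 is now configured.

    [R3]dis bgp vpnv4 vpn-instance vpnb routing-table

    *>i  10.0.5.5/32        10.0.1.1        0          100        0      ?

    *>   10.0.7.7/32        0.0.0.0         2                     0      ?

    *>   10.0.37.0/24       0.0.0.0         0                     0      ?

    The 10.0.37.0 route has also been imported at this point; route filtering can remove it.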

    [R3]ip ip-prefix 1 deny 10.0.37.0 24

    [R3]ip ip-prefix 1 permit 0.0.0.0 32

    [R3]route-policy 10 permit node 10

    [R3-route-policy]if-match ip-prefix 1

    [R3-route-policy]bgp 100

    [R3-bgp]ipv4-family vpn-instance vpnb

    [R3-bgp-vpnb]import-route ospf 1 route-policy 10

    [R3]dis bgp vpnv4 vpn-instance vpnb routing-table

    *>i  10.0.5.5/32        10.0.1.1        0          100        0      ?

    *>   10.0.7.7/32        0.0.0.0         2                     0      ?

    The corresponding route has now been filtered out.

    ping -c 1 -a 10.0.7.7 10.0.5.5

    PING 10.0.5.5: 56  data bytes, press CTRL_C to break

    Reply from 10.0.5.5: bytes=56 Sequence=1 ttl=252 time=40 ms

    Only 10.0.5.5 can be pinged; connectivity within vpnb has been achieved!
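
Separation between Company A (vpna) and Company B (vpnb) in this lab rests entirely on the vpn-target values from step 4. The Python check below is an added example, not part of the original post: it parses those session lines and lists which instances import each other's routes. The function names are made up here, and it assumes, as in the lab, that the same instance name on two PEs means the same customer.

```python
import re
from itertools import permutations

# VPN-instance lines from step 4 of the page (R1 and R3), with spacing repaired.
SESSION = """\
[R1-vpn-instance-vpna-af-ipv4]route-distinguisher 1:4
[R1-vpn-instance-vpna-af-ipv4]vpn-target 4:6
[R1-vpn-instance-vpnb-af-ipv4]route-distinguisher 1:5
[R1-vpn-instance-vpnb-af-ipv4]vpn-target 5:7
[R3-vpn-instance-vpna-af-ipv4]route-distinguisher 3:6
[R3-vpn-instance-vpna-af-ipv4]vpn-target 4:6
[R3-vpn-instance-vpnb-af-ipv4]route-distinguisher 3:7
[R3-vpn-instance-vpnb-af-ipv4]vpn-target 5:7
"""

# The VRP prompt carries both the device name and the VPN instance name.
PROMPT = re.compile(r"^\[(\w+)-vpn-instance-([\w-]+?)-af-ipv4\](.+)$")

def parse_vrfs(session):
    """Return {(device, instance): {"rd": str, "import": set, "export": set}}."""
    vrfs = {}
    for line in session.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        vrf = vrfs.setdefault((m[1], m[2]), {"rd": None, "import": set(), "export": set()})
        words = m[3].split()
        if words[0] == "route-distinguisher":
            vrf["rd"] = words[1]
        elif words[0] == "vpn-target":
            # A vpn-target with no direction keyword applies to import and export.
            direction = words[-1] if words[-1].endswith("extcommunity") else "both"
            rts = {w for w in words[1:] if ":" in w}
            if direction in ("both", "import-extcommunity"):
                vrf["import"] |= rts
            if direction in ("both", "export-extcommunity"):
                vrf["export"] |= rts
    return vrfs

def import_pairs(vrfs):
    """(exporter, importer) pairs whose route targets match, so routes get installed."""
    return sorted((s, d) for s, d in permutations(vrfs, 2)
                  if vrfs[s]["export"] & vrfs[d]["import"])

def leaks(vrfs):
    """Matching pairs between differently named instances: cross-customer leaking."""
    return [(s, d) for s, d in import_pairs(vrfs) if s[1] != d[1]]
```

With the page's values, `import_pairs` links only vpna to vpna and vpnb to vpnb across R1 and R3, and `leaks` is empty; adding an extra import of 4:6 under vpnb on either PE would make vpna's routes show up in `leaks`.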
