Internet access over an MPLS VPN leased line, simulation lab 3: splitting traffic across the operator's two internet exits

Published: 26 May 2007           Author: 黄紫东
Source: http://bbs.tech-lab.cn/viewthread.php?tid=11316    (please credit the source when reposting)

1. Lab description
1.1 Customer requirements:
1. Customer VPNA can reach the internal networks of its two sites, 172.16.10.0/24 and 172.16.20.0/24, over the MPLS VPN line.
2. The customer can reach the internet over the same line.
1.2 Operator requirements:
The operator has two internet exits and wants the internet-bound traffic arriving over MPLS VPN lines split across them: some customers reach the internet through exit 1, some through exit 2, and for some customers certain sites use exit 1 while their other sites use exit 2.
1.3 Lab environment:
1. R1, R2, R3 and R6 are the operator's routers, and R1 is also the RR. R1 is a P router; R2, R3 and R6 are PEs. ISIS runs between R1, R2, R3 and R4 as the operator's internal IGP, and the operator's BGP AS is 1.
2. PE R6 has two internet exits; the loopback addresses of R9 and R10 simulate internet routes.
3. One customer, VPNA, leases an MPLS VPN line. R4 is the CE of VPNA site 1, and the loopback address on R4 simulates the customer's internal network; a loopback interface created on R3 simulates VPNA site 2.
4. Loopback addresses and inter-device link addresses follow the IP addressing conventions of the Tech-Lab (泰克) lab courses.
The lab topology is as follows:

Traffic between the VPN customer's sites, and from the customer's sites to the internet, flows as follows:

LSP used by VPNA site 1 to reach site 2: R4-R2-R1-R3-simulated CE
LSP used by VPNA site 1 to reach the internet: R4-R2-R6-R9-simulated internet
LSP used by VPNA site 2 to reach the internet: R4-R2-R6-R10-simulated internet
Note: here the internet-bound traffic follows VPN routes, so this method differs from leaking a VPN default route into the global routing table. With that method, internet-bound traffic is routed in the operator's global routing table; with the method described here it is routed within the VPN.
Implementation:
Place each of the two internet exits in its own VRF, and use the VRFs' route-target import and export settings so that the customer's VRF learns the default route.

2. Lab steps
2.1 Configure the operator's internal IGP
The operator's IGP is ISIS; all routers run ISIS only, as level-2. When finished, make sure every router has learned the other routers' loopback addresses.
R1
clns routing

interface Loopback0
ip address 1.1.1.1 255.255.255.255

interface Serial1/0
ip address 1.1.12.1 255.255.255.0
ip router isis
!
interface Serial1/1
ip address 1.1.13.1 255.255.255.0
ip router isis
!
interface Serial1/2
ip address 1.1.16.1 255.255.255.0
ip router isis

router isis
net 49.0001.0000.0000.0001.00
is-type level-2-only
passive-interface Loopback0

R2
clns routing
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface Serial1/0
ip address 1.1.12.2 255.255.255.0
ip router isis

router isis
net 49.0001.0000.0000.0002.00
is-type level-2-only
passive-interface Loopback0

R3
clns routing

interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface Serial1/0
ip address 1.1.13.3 255.255.255.0
ip router isis

router isis
net 49.0001.0000.0000.0003.00
is-type level-2-only
passive-interface Loopback0

R6
clns routing

interface Loopback0
ip address 6.6.6.6 255.255.255.255

interface Serial1/0
ip address 1.1.16.6 255.255.255.0
ip router isis

router isis
net 49.0001.0000.0000.0006.00
is-type level-2-only
passive-interface Loopback0

After configuration, check on R1 that the loopback addresses of R2, R3 and R6 have been learned.
r1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       1.1.1.1/32 is directly connected, Loopback0
C       1.1.12.0/24 is directly connected, Serial1/0
C       1.1.13.0/24 is directly connected, Serial1/1
C       1.1.16.0/24 is directly connected, Serial1/2
     2.0.0.0/32 is subnetted, 1 subnets
i L2    2.2.2.2 [115/10] via 1.1.12.2, Serial1/0
     3.0.0.0/32 is subnetted, 1 subnets
i L2    3.3.3.3 [115/10] via 1.1.13.3, Serial1/1
     6.0.0.0/32 is subnetted, 1 subnets
i L2    6.6.6.6 [115/10] via 1.1.16.6, Serial1/2

2.2 Configure MPLS inside the operator network
R1
r1(config)#ip cef
r1(config)#int s1/0
r1(config-if)#mpls ip
r1(config-if)#int s1/1
r1(config-if)#mpls ip
r1(config-if)#int s1/2
r1(config-if)#mpls ip

R2
r2(config)#ip cef
r2(config)#int s1/0
r2(config-if)#mpls ip

R3
r3(config)#ip cef
r3(config)#int s1/0
r3(config-if)#mpls ip

R6
r6(config)#ip cef
r6(config)#int s1/0
r6(config-if)#mpls ip

After configuration, check on R1 that each LDP peer is seen.
R1:
r1#sh mpls ldp neighbor all
    Peer LDP Ident: 2.2.2.2:0; Local LDP Ident 1.1.1.1:0
        TCP connection: 2.2.2.2.19621 - 1.1.1.1.646
        State: Oper; Msgs sent/rcvd: 10/10; Downstream
        Up time: 00:00:37
        LDP discovery sources:
          Serial1/0, Src IP addr: 1.1.12.2
        Addresses bound to peer LDP Ident:
          1.1.12.2        2.2.2.2         
    Peer LDP Ident: 3.3.3.3:0; Local LDP Ident 1.1.1.1:0
        TCP connection: 3.3.3.3.64406 - 1.1.1.1.646
        State: Oper; Msgs sent/rcvd: 10/10; Downstream
        Up time: 00:00:27
        LDP discovery sources:
          Serial1/1, Src IP addr: 1.1.13.3
        Addresses bound to peer LDP Ident:
          1.1.13.3        3.3.3.3         
    Peer LDP Ident: 6.6.6.6:0; Local LDP Ident 1.1.1.1:0
        TCP connection: 6.6.6.6.30802 - 1.1.1.1.646
        State: Oper; Msgs sent/rcvd: 10/10; Downstream
        Up time: 00:00:13
        LDP discovery sources:
          Serial1/2, Src IP addr: 1.1.16.6
        Addresses bound to peer LDP Ident:
          1.1.16.6        6.6.6.6      
2.3 Configure MP-BGP inside the operator network
The operator's AS is 1. R1 is the MP-BGP RR, and R2, R3 and R6 are its RR clients. After configuration, the RR has a neighbor relationship with every operator-internal router.
R1:
router bgp 1
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 2.2.2.2 remote-as 1
neighbor 2.2.2.2 update-source Loopback0
neighbor 3.3.3.3 remote-as 1
neighbor 3.3.3.3 update-source Loopback0
neighbor 6.6.6.6 remote-as 1
neighbor 6.6.6.6 update-source Loopback0
!
address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community extended
neighbor 2.2.2.2 route-reflector-client
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community extended
neighbor 3.3.3.3 route-reflector-client
neighbor 6.6.6.6 activate
neighbor 6.6.6.6 send-community extended
neighbor 6.6.6.6 route-reflector-client
exit-address-family
!
R2:
router bgp 1
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 1.1.1.1 remote-as 1
neighbor 1.1.1.1 update-source Loopback0
!
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community extended
exit-address-family
!
R3:
router bgp 1
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 1.1.1.1 remote-as 1
neighbor 1.1.1.1 update-source Loopback0
!
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community extended
exit-address-family
!
R6:
router bgp 1
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 1.1.1.1 remote-as 1
neighbor 1.1.1.1 update-source Loopback0
!
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community extended
exit-address-family
!
On R1, check that the neighbor relationships with the other routers are established.
r1#sh ip bgp vpnv4 all sum
BGP router identifier 1.1.1.1, local AS number 1
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
2.2.2.2         4     1       4       4        1    0    0 00:01:25        0
3.3.3.3         4     1       4       4        1    0    0 00:00:38        0
6.6.6.6         4     1       4       4        1    0    0 00:00:22        0
r1#
2.4 Configure the VRF for customer VPNA on the operator side
R2
ip vrf vpna
rd 1:100
route-target export 1:100
route-target import 1:100

interface Serial1/1
ip vrf forwarding vpna
ip address 1.1.24.2 255.255.255.0
mpls ip

ip route vrf vpna 172.16.10.0 255.255.255.0 1.1.24.4 //* VPN route to the customer's internal network.
!
router bgp 1
address-family ipv4 vrf vpna
redistribute connected   //* via MP-BGP, lets the other sites learn the PE-CE link address.
redistribute static       //* via MP-BGP, lets the other sites learn the VPN static route to the VPNA internal network.
no synchronization
exit-address-family

R3
On R3, loopback 1 simulates a CE, i.e. VPNA site 2.
ip vrf vpna
rd 1:100
route-target export 1:100
route-target import 1:100

interface Loopback1           //* loopback1 simulates VPNA site 2
ip vrf forwarding vpna
ip address 172.16.20.1 255.255.255.0

router bgp 1
address-family ipv4 vrf vpna
redistribute connected        //* via MP-BGP, lets the other sites learn the loopback1 address.
no synchronization
exit-address-family
2.5 Configure the CE
R4
interface Loopback0
ip address 172.16.10.1 255.255.255.0    //* the CE's loopback address simulates the customer's internal network
!
interface Serial1/0
ip address 1.1.24.4 255.255.255.0

ip route 0.0.0.0 0.0.0.0 1.1.24.2          //* next hop for all routes is the PE interface facing the CE

2.6 Test connectivity for customer VPNA
Use sh ip bgp vpnv4 all and sh ip route vrf vpna to look at the MP-BGP table on PE R2; it has learned the VPNA site 2 address 172.16.20.0/24.
r2#sh ip bgp vpnv4 all
BGP table version is 5, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:100 (default for vrf vpna)
*> 1.1.24.0/24      0.0.0.0                  0         32768 ?
*> 172.16.10.0/24   1.1.24.4                 0         32768 ?
*>i172.16.20.0/24   3.3.3.3                  0    100      0 ?
r2#
!
r2#sh ip route  vrf vpna

Routing Table: vpna
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.24.0 is directly connected, Serial1/1
     172.16.0.0/24 is subnetted, 2 subnets
B       172.16.20.0 [200/0] via 3.3.3.3, 00:03:03
S       172.16.10.0 [1/0] via 1.1.24.4

From R4, ping the VPNA site 2 address 172.16.20.1 with 172.16.10.1 as the source:
r4#ping 172.16.20.1 source 172.16.10.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.20.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.10.1
!!!!!
OK, the ping succeeds; the first step of the lab is complete.
2.7 Configure the two internet exits
R9:
interface Loopback0
ip address 11.11.11.11 255.255.255.255 //* simulated internet address
!
interface Ethernet0/0
ip address 1.1.69.9 255.255.255.0
!
ip route 1.1.0.0 255.255.0.0 1.1.69.6
ip route 172.16.0.0 255.255.0.0 1.1.69.6 //* gives internet-bound traffic from the VPNA sites a return route.
!
R10:
interface Loopback0
ip address 11.11.11.11 255.255.255.255  //* simulated internet address
!
interface Ethernet0/0
ip address 1.1.61.10 255.255.255.0
half-duplex
!
ip route 1.1.0.0 255.255.0.0 1.1.61.6
ip route 172.16.0.0 255.255.0.0 1.1.61.6       //* gives internet-bound traffic from the VPNA sites a return route.

R6:
ip vrf internet       //* VRF for internet exit 1
rd 1:111
route-target export 1:111
route-target import 1:111
!
ip vrf internet2      //* VRF for internet exit 2
rd 1:222
route-target export 1:222
route-target import 1:222
!
interface Ethernet0/1   //* e0/1 placed in VRF internet
ip vrf forwarding internet
ip address 1.1.69.6 255.255.255.0
half-duplex
mpls ip
!
interface Ethernet0/2   //* e0/2 placed in VRF internet2
ip vrf forwarding internet2
ip address 1.1.61.6 255.255.255.0
half-duplex
mpls ip
!
ip route vrf internet 0.0.0.0 0.0.0.0 1.1.69.9 //* default route, next hop is internet exit 1
ip route vrf internet2 0.0.0.0 0.0.0.0 1.1.61.10 //* default route, next hop is internet exit 2
!
router bgp 1
address-family ipv4 vrf internet2 //* vrf for internet exit 2
redistribute connected
redistribute static
no synchronization
network 0.0.0.0 mask 0.0.0.0  //* advertise the default route
exit-address-family
!
address-family ipv4 vrf internet //* VRF for internet exit 1
redistribute connected
redistribute static
no synchronization
network 0.0.0.0 mask 0.0.0.0  //* advertise the default route
exit-address-family
2.8 Configure the PEs so that they learn the default route
First configure R2 so that VRF vpna learns the default route from R6's vrf internet; internet-bound traffic from VPNA site 1 then leaves through exit 1.
ip vrf vpna
route-target export 1:111   //* export and import control which routes are sent to and accepted from R6.
route-target import 1:111
!
On R2, check the VPN routing table for the default route advertised by R6.
r2#sh ip bgp vpnv4 all
BGP table version is 91, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:100 (default for vrf vpna)
*>i0.0.0.0          6.6.6.6                  0    100      0 i
*> 1.1.24.0/24      0.0.0.0                  0         32768 ?
*>i1.1.69.0/24      6.6.6.6                  0    100      0 ?
*> 172.16.10.0/24   1.1.24.4                 0         32768 ?
*>i172.16.20.0/24   3.3.3.3                  0    100      0 ?
Route Distinguisher: 1:111
*>i0.0.0.0          6.6.6.6                  0    100      0 i
*>i1.1.69.0/24      6.6.6.6                  0    100      0 ?
r2#
r2#sh ip route vrf vpna

Routing Table: vpna
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 6.6.6.6 to network 0.0.0.0

     1.0.0.0/24 is subnetted, 2 subnets
C       1.1.24.0 is directly connected, Serial1/1
B       1.1.69.0 [200/0] via 6.6.6.6, 02:23:23
     172.16.0.0/24 is subnetted, 2 subnets
B       172.16.20.0 [200/0] via 3.3.3.3, 00:14:23
S       172.16.10.0 [1/0] via 1.1.24.4
B*   0.0.0.0/0 [200/0] via 6.6.6.6, 00:16:12
r2#
!
Then configure R3 so that VRF vpna learns the default route from R6's vrf internet2; internet-bound traffic from VPNA site 2 then leaves through exit 2. (The outputs below show R3 learning RD 1:222 and R6's vrf internet2 learning 172.16.20.0/24, so R3 uses route target 1:222.)
ip vrf vpna
route-target export 1:222   //* export and import control which routes are sent to and accepted from R6.
route-target import 1:222
!
On R3, check the VPN routing table for the default route advertised by R6.
r3#sh ip bgp vpnv4 all
BGP table version is 87, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:100 (default for vrf vpna)
*>i0.0.0.0          6.6.6.6                  0    100      0 i
*>i1.1.24.0/24      2.2.2.2                  0    100      0 ?
*>i1.1.61.0/24      6.6.6.6                  0    100      0 ?
*>i172.16.10.0/24   2.2.2.2                  0    100      0 ?
*> 172.16.20.0/24   0.0.0.0                  0         32768 ?
Route Distinguisher: 1:222
*>i0.0.0.0          6.6.6.6                  0    100      0 i
*>i1.1.61.0/24      6.6.6.6                  0    100      0 ?
r3#
r3#sh ip route vrf vpna

Routing Table: vpna
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 6.6.6.6 to network 0.0.0.0

     1.0.0.0/24 is subnetted, 2 subnets
B       1.1.24.0 [200/0] via 2.2.2.2, 00:19:10
B       1.1.61.0 [200/0] via 6.6.6.6, 00:00:18
     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.20.0 is directly connected, Loopback1
B       172.16.10.0 [200/0] via 2.2.2.2, 00:19:10
B*   0.0.0.0/0 [200/0] via 6.6.6.6, 00:00:18
r3#
!
On R6, check the VPN routing table for the VPN routes advertised by R2 and R3.
r6#SH IP BGP VPNV4 ALL
BGP table version is 114, local router ID is 6.6.6.6
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:100
*>i1.1.24.0/24      2.2.2.2                  0    100      0 ?
*>i172.16.10.0/24   2.2.2.2                  0    100      0 ?
*>i172.16.20.0/24   3.3.3.3                  0    100      0 ?
Route Distinguisher: 1:111 (default for vrf internet)
*> 0.0.0.0          1.1.69.9                 0         32768 i
*>i1.1.24.0/24      2.2.2.2                  0    100      0 ?
*> 1.1.69.0/24      0.0.0.0                  0         32768 ?
*>i172.16.10.0/24   2.2.2.2                  0    100      0 ?
Route Distinguisher: 1:222 (default for vrf internet2)
*> 0.0.0.0          1.1.61.10                0         32768 i
*> 1.1.61.0/24      0.0.0.0                  0         32768 ?
*>i172.16.20.0/24   3.3.3.3                  0    100      0 ?
!
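The route-target (RT) import/export logic that the Implementation paragraph and section 2.8 rely on, as an added Python model that is not part of the original article: a VRF learns a remote route only when the advertising VRF's export RTs intersect its own import RTs, which is why R2's vpna gets its default route from vrf internet and R3's vpna from vrf internet2, while each exit VRF sees only the customer routes it needs for the return path. PE, VRF, RT and prefix values are taken from the lab; vrf_table and default_exit are hypothetical helpers, and default_exit also flags a VRF that imports both exit RTs and would therefore receive two competing default routes.

```python
# Added model of MP-BGP route-target import/export for the lab above; not from
# the original post. RDs and BGP best-path selection are deliberately not modelled.
from dataclasses import dataclass, field

@dataclass
class Vrf:
    router: str     # PE name
    name: str       # VRF name on that PE
    loopback: str   # PE loopback, the BGP next hop other PEs see
    export: set     # route-target export values
    import_: set    # route-target import values
    local: list = field(default_factory=list)  # (prefix, next hop) originated here

# VRFs as configured in the lab: vpna on R2 imports exit 1 (RT 1:111),
# vpna on R3 imports exit 2 (RT 1:222), R6 holds one VRF per exit.
LAB = [
    Vrf("R2", "vpna", "2.2.2.2", {"1:100", "1:111"}, {"1:100", "1:111"},
        [("172.16.10.0/24", "1.1.24.4"), ("1.1.24.0/24", "connected")]),
    Vrf("R3", "vpna", "3.3.3.3", {"1:100", "1:222"}, {"1:100", "1:222"},
        [("172.16.20.0/24", "connected")]),
    Vrf("R6", "internet", "6.6.6.6", {"1:111"}, {"1:111"},
        [("0.0.0.0/0", "1.1.69.9"), ("1.1.69.0/24", "connected")]),
    Vrf("R6", "internet2", "6.6.6.6", {"1:222"}, {"1:222"},
        [("0.0.0.0/0", "1.1.61.10"), ("1.1.61.0/24", "connected")]),
]

def find(router, name, vrfs=LAB):
    return next(v for v in vrfs if v.router == router and v.name == name)

def vrf_table(v, vrfs=LAB):
    """Routing table of VRF v: its own routes plus every route of another VRF
    whose export RTs intersect v's import RTs. Remote routes point at the
    advertising PE's loopback, as in the 'show ip route vrf' output above."""
    table = {prefix: nh for prefix, nh in v.local}
    for other in vrfs:
        if other is v or not (other.export & v.import_):
            continue
        for prefix, _ in other.local:
            table.setdefault(prefix, other.loopback)  # a local route wins
    return table

def default_exit(v, vrfs=LAB):
    """Names of the VRFs that supply 0.0.0.0/0 to v. Exactly one means the
    traffic split is unambiguous; two means v imports both exit RTs and
    would receive competing default routes."""
    return sorted(f"{o.router}/{o.name}" for o in vrfs
                  if o is not v and (o.export & v.import_)
                  and any(p == "0.0.0.0/0" for p, _ in o.local))

if __name__ == "__main__":
    for v in LAB:
        print(f"{v.router} vrf {v.name}: default route from {default_exit(v)}")
        for prefix, nh in sorted(vrf_table(v).items()):
            print(f"    {prefix:16} via {nh}")
```

Running it reproduces the four VRF tables shown in the outputs above; the tables it prints for R6 also show that vrf internet never learns 172.16.20.0/24 and vrf internet2 never learns 172.16.10.0/24, which is the isolation the per-exit VRFs provide.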
2.9 Final test
From R4, ping the internet route 11.11.11.11:
r4#ping 11.11.11.11 so 172.16.10.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.11.11.11, timeout is 2 seconds:
Packet sent with a source address of 172.16.10.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 312/428/796 ms
r4#
With debug ip icmp enabled on R9 and R10, it can be shown that the traffic to 11.11.11.11 goes through R9 (internet exit 1).
R9
r9#debug ip icmp
ICMP packet debugging is on
r9#
02:16:21: ICMP: echo reply sent, src 11.11.11.11, dst 172.16.10.1
02:16:21: ICMP: echo reply sent, src 11.11.11.11, dst 172.16.10.1
02:16:22: ICMP: echo reply sent, src 11.11.11.11, dst 172.16.10.1
02:16:22: ICMP: echo reply sent, src 11.11.11.11, dst 172.16.10.1
02:16:22: ICMP: echo reply sent, src 11.11.11.11, dst 172.16.10.1
!
R10
r10# debug ip icmp
ICMP packet debugging is on
r10#
!
From R3, ping the internet route 11.11.11.11:
r3#ping vrf vpna 11.11.11.11

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.11.11.11, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 332/1077/1920 ms

With debug ip icmp enabled on R9 and R10, it can be shown that the traffic to 11.11.11.11 goes through R10 (internet exit 2).
r10#debug ip icmp
ICMP packet debugging is on
r10#
02:19:02: ICMP: echo reply sent, src 11.11.11.11, dst 172.16.20.1
02:19:03: ICMP: echo reply sent, src 11.11.11.11, dst 172.16.20.1
02:19:03: ICMP: echo reply sent, src 11.11.11.11, dst 172.16.20.1
02:19:04: ICMP: echo reply sent, src 11.11.11.11, dst 172.16.20.1
02:19:04: ICMP: echo reply sent, src 11.11.11.11, dst 172.16.20.1
!
r9#debug ip icmp
ICMP packet debugging is on
r9#
This completes the lab.