OptionC简要说明:
VPN路由在入口PE和出口PE之间直接交换,不需要中间设备的保存和转发。
VPN的路由信息只出现在PE设备上,而P和ASBR路由器只负责报文的转发,使得中间域的设备可以不支持MPLS VPN业务,只需支持MPLS转发,ASBR设备不再成为性能瓶颈。因此跨域VPN-OptionC更适合在跨越多个AS时使用。
更适合支持MPLS VPN的负载分担。
缺点是维护一条端到端的BGP LSP连接,管理代价较大。
背景:
总部A1和分部A2——CE1和CE3属于同一个VPN
总部B1和分部B2——CE2和CE4属于同一个VPN
配置过程:
一.CE1~CE4基础配置: LoopBack 、ospf、BGP和端口
[Huawei]sysname CE1
[CE1]interface LoopBack 0
[CE1-LoopBack0]ip address 7.7.7.7 32
[CE1]ospf 2
[CE1-ospf-2]area 0
[CE1-ospf-2-area-0.0.0.0]network 7.7.7.7 0.0.0.0
[CE1-ospf-2-area-0.0.0.0]network 192.168.1.0 0.0.0.255
[CE1]interface GigabitEthernet 0/0/0
[CE1-GigabitEthernet0/0/0]ip ad
[CE1-GigabitEthernet0/0/0]ip address 192.168.1.2 24[Huawei]sysname CE2
[CE2]interface LoopBack 0
[CE2-LoopBack0]ip address 8.8.8.8 32
[CE2]ospf 3
[CE2-ospf-3]area 0
[CE2-ospf-3-area-0.0.0.0]network 8.8.8.8 0.0.0.0
[CE2-ospf-3-area-0.0.0.0]network 172.16.1.0 0.0.0.255
[CE2]interface GigabitEthernet 0/0/0
[CE2-GigabitEthernet0/0/0]ip address 172.16.1.2 24
[CE3]interface LoopBack 0
[CE3-LoopBack0]ip address 9.9.9.9 32[Huawei]sysname CE3
[CE3]interface LoopBack 0
[CE3-LoopBack0]ip ad
[CE3-LoopBack0]ip address 9.9.9.9 32
[CE3]interface GigabitEthernet 0/0/0
[CE3-GigabitEthernet0/0/0]ip address 192.168.2.2 24
[CE3]bgp 110
[CE3-bgp]peer 192.168.2.1 as-number 200
[CE3-bgp]ipv4-family unicast
[CE3-bgp-af-ipv4]network 9.9.9.9 255.255.255.255
[CE3-bgp-af-ipv4]network 192.168.2.0 [Huawei]sysname CE4
[CE4]interface LoopBack 0
[CE4-LoopBack0]ip address 10.10.10.10 32
[CE4]interface GigabitEthernet 0/0/0
[CE4-GigabitEthernet0/0/0]ip address 172.16.2.2 24
[CE4]bgp 310
[CE4-bgp]peer 172.16.2.1 as-number 200
[CE4-bgp]ipv4-family unicast
[CE4-bgp-af-ipv4]network 10.10.10.10 32
[CE4-bgp-af-ipv4]network 172.19.2.0 24二.各AS内的MPLS骨干网上分别配置MPLS基本能力和MPLS LDP,建立LDP LSP
[Huawei]sysname PE1
[PE1]interface LoopBack 0
[PE1-LoopBack0]ip address 1.1.1.1 32
[PE1]mpls lsr-id 1.1.1.1
[PE1]mpls
[PE1-mpls]mpls ldp
[PE1]interface GigabitEthernet 0/0/0
[PE1-GigabitEthernet0/0/0]mpls
[PE1-GigabitEthernet0/0/0]mpls ldp
[PE1-GigabitEthernet0/0/0]ip address 10.1.12.1 24
[PE1]ospf 1
[PE1-ospf-1]area 0
[PE1-ospf-1-area-0.0.0.0]network 1.1.1.1 0.0.0.0
[PE1-ospf-1-area-0.0.0.0]network 10.1.12.0 0.0.0.255[Huawei]sysname P1
[P1]interface LoopBack 0
[P1-LoopBack0]ip address 2.2.2.2 32
[P1]mpls lsr-id 2.2.2.2
[P1]mpls
[P1-mpls]mpls
[P1-mpls]mpls ldp
[P1]interface GigabitEthernet 0/0/0
[P1-GigabitEthernet0/0/0]mpls
[P1-GigabitEthernet0/0/0]mpls ldp
[P1-GigabitEthernet0/0/0]ip address 10.1.12.2 24
[P1]interface GigabitEthernet 0/0/1
[P1-GigabitEthernet0/0/1]mpls
[P1-GigabitEthernet0/0/1]mpls ldp
[P1-GigabitEthernet0/0/1]ip address 10.1.23.2 24
[P1]ospf 1
[P1-ospf-1]area 0
[P1-ospf-1-area-0.0.0.0]network 2.2.2.2 0.0.0.0
[P1-ospf-1-area-0.0.0.0]network 10.1.12.0 0.0.0.255
[P1-ospf-1-area-0.0.0.0]network 10.1.23.0 0.0.0.255[Huawei]sysname ASBR1
[ASBR1]interface LoopBack 0
[ASBR1-LoopBack0]ip address 3.3.3.3 32
[ASBR1]mpls lsr-id 3.3.3.3
[ASBR1]mpls
[ASBR1-mpls]mpls ldp
[ASBR1]ospf 1
[ASBR1-ospf-1]area 0
[ASBR1-ospf-1-area-0.0.0.0]network 3.3.3.3 0.0.0.0
[ASBR1-ospf-1-area-0.0.0.0]network 10.1.23.0 0.0.0.255
[ASBR1]interface GigabitEthernet 0/0/0
[ASBR1-GigabitEthernet0/0/0]mpls
[ASBR1-GigabitEthernet0/0/0]mpls ldp
[ASBR1-GigabitEthernet0/0/0]ip address 10.1.23.1 24
[ASBR1]interface GigabitEthernet 0/0/1
[ASBR1-GigabitEthernet0/0/1]mpls
[ASBR1-GigabitEthernet0/0/1]ip address 10.1.34.3 24[Huawei]sysname ASBR2
[ASBR2]interface LoopBack 0
[ASBR2-LoopBack0]ip address 4.4.4.4 32
[ASBR2]mpls lsr-id 4.4.4.4
[ASBR2]mpls
[ASBR2-mpls]mpls ldp
[ASBR2]ospf 1
[ASBR2-ospf-1]area 0
[ASBR2-ospf-1-area-0.0.0.0]network 4.4.4.4 0.0.0.0
[ASBR2-ospf-1-area-0.0.0.0]network 10.1.45.0 0.0.0.255
[ASBR2]interface GigabitEthernet 0/0/0
[ASBR2-GigabitEthernet0/0/0]mpls
[ASBR2-GigabitEthernet0/0/0]ip address 10.1.34.4 24
[ASBR2]interface GigabitEthernet 0/0/1
[ASBR2-GigabitEthernet0/0/1]mpls
[ASBR2-GigabitEthernet0/0/1]mpls ldp
[ASBR2-GigabitEthernet0/0/1]ip address 10.1.45.1 24[Huawei]sysname P2
[P2]mpls lsr-id 5.5.5.5
[P2]mpls
[P2-mpls]mpls ldp
[P2]interface LoopBack 0
[P2-LoopBack0]ip address 5.5.5.5 32
[P2]ospf 1
[P2-ospf-1]area 0
[P2-ospf-1-area-0.0.0.0]network 5.5.5.5 0.0.0.0
[P2-ospf-1-area-0.0.0.0]network 10.1.45.0 0.0.0.255
[P2-ospf-1-area-0.0.0.0]network 10.1.56.0 0.0.0.255
[P2]interface GigabitEthernet 0/0/0
[P2-GigabitEthernet0/0/0]ip address 10.1.45.2 24
[P2-GigabitEthernet0/0/0]mpls
[P2-GigabitEthernet0/0/0]mpls ldp
[P2]interface GigabitEthernet 0/0/1
[P2-GigabitEthernet0/0/1]ip address 10.1.56.2 24
[P2-GigabitEthernet0/0/1]mpls
[P2-GigabitEthernet0/0/1]mpls ldp 三.各AS内,与CE相连的PE上需配置VPN实例,PE与CE之间建立EBGP对等体关系,交换VPN路由信息
[Huawei]sysname PE2
[PE2]interface LoopBack 0
[PE2-LoopBack0]ip address 6.6.6.6 32
[PE2]mpls lsr-id 6.6.6.6
[PE2]mpls
[PE2-mpls]mpls ldp
[PE2]ospf 1
[PE2-ospf-1]area 0
[PE2-ospf-1-area-0.0.0.0]network 6.6.6.6 0.0.0.0
[PE2-ospf-1-area-0.0.0.0]network 10.1.56.0 0.0.0.255
[PE2]interface GigabitEthernet 0/0/0
[PE2-GigabitEthernet0/0/0]mpls
[PE2-GigabitEthernet0/0/0]mpls ldp
[PE2-GigabitEthernet0/0/0]ip address 10.1.56.1 24
[PE2]interface GigabitEthernet 0/0/1
[PE2-GigabitEthernet0/0/1]ip address 192.168.2.1 24
[PE2]interface GigabitEthernet 0/0/2
[PE2-GigabitEthernet0/0/2]ip address 172.16.2.1 24[PE1]ip vpn-instance A1
[PE1-vpn-instance-A1]route-distinguisher 100:1
[PE1-vpn-instance-A1-af-ipv4]vpn-target 1:1 both
[PE1]ip vpn-instance A2
[PE1-vpn-instance-A2]route-distinguisher 100:2
[PE1-vpn-instance-A2-af-ipv4]vpn-target 2:2 both
[PE1]ospf 2 vpn-instance A1
[PE1-ospf-2]import-route bgp
[PE1-ospf-2]area 0
[PE1-ospf-2-area-0.0.0.0]network 192.168.1.0 0.0.0.255
[PE1]ospf 3 vpn-instance A2
[PE1-ospf-3]import-route bgp
[PE1-ospf-3]area 0
[PE1-ospf-3-area-0.0.0.0]network 172.16.1.0 0.0.0.255
[PE1]bgp 100
[PE1-bgp]peer 3.3.3.3 as-number 100
[PE1-bgp]peer 3.3.3.3 connect-interface LoopBack 0
[PE1-bgp]peer 6.6.6.6 as-number 200
[PE1-bgp]peer 6.6.6.6 ebgp-max-hop 25
#在不同AS间的PE间建立MP-EBGP对等体关系,并配置PE之间的最大跳数#25
[PE1-bgp]peer 6.6.6.6 connect-interface LoopBack 0
[PE1-bgp]ipv4-family vpnv4
[PE1-bgp-af-vpnv4]peer 6.6.6.6 enable
[PE1-bgp]ipv4-family vpn-instance A1
[PE1-bgp-A1]import-route ospf 2
#引入 ospf 2 路由表
[PE1-bgp]ipv4-family vpn-instance A2
[PE1-bgp-A2]import-route ospf 3
#引入 ospf 3 路由表
PE1对内接口如果配置了IP 配置VPN需要重新配置IP
[PE1]interface GigabitEthernet 0/0/1
[PE1-GigabitEthernet0/0/1]ip binding vpn-instance A1
[PE1-GigabitEthernet0/0/1]ip address 192.168.1.1 24
[PE1]interface GigabitEthernet 0/0/2
[PE1-GigabitEthernet0/0/2]ip binding vpn-instance A2
[PE1-GigabitEthernet0/0/2]ip address 172.16.1.1 24四.各AS内,PE与ASBR-PE之间建立MP-IBGP对等体关系,能够交换带标签的IPv4路由
[ASBR1]bgp 100
[ASBR1-bgp]peer 1.1.1.1 as-number 100
[ASBR1-bgp]peer 1.1.1.1 connect-interface LoopBack 0
[ASBR1-bgp]peer 10.1.34.4 as-number 200
#启用了与IP地址为10.1.34.4的对等体之间的BGP会话
[ASBR1-bgp] ipv4-family unicast
[ASBR1-bgp-af-ipv4]network 1.1.1.1 255.255.255.255
[ASBR1-bgp-af-ipv4]peer 1.1.1.1 route-policy ASBR2-ASBR1 export
#指向到达1.1.1.1路由策略
[ASBR1-bgp-af-ipv4]peer 1.1.1.1 label-route-capability
[ASBR1-bgp-af-ipv4]peer 10.1.34.4 route-policy ASBR1-ASBR2 export
#是在向对等体10.1.34.4发送路由更新时应用名为ASBR1-ASBR2的路由策略
[ASBR1-bgp-af-ipv4]peer 10.1.34.4 label-route-capability
#这条命令也启用了与10.1.34.4对等体之间的标签路由能力,支持MPLS标签交换路径上的路由传递
以ASBR-PE1为例,创建路由策略(peer 1.1.1.1 )
[ASBR1]route-policy ASBR1-ASBR2 permit node 1
[ASBR1-route-policy]apply mpls-label
[ASBR1]route-policy ASBR2-ASBR1 permit node 1
[ASBR1-route-policy]if-match mpls-label
[ASBR1-route-policy]apply mpls-label
#是一种专门用于 MPLS 网络的路由策略匹配条件,主要用于筛选携带 MPLS 标签的路由。它在 MPLS VPN、
流量工程以及 BGP 标签路由等场景中非常有用,可以帮助网络管理员对特定类型的路由进行精细化控制。
[ASBR1]ospf 1
[ASBR1-ospf-1]import-route bgp
#OSPF路由引入BGP[ASBR2]bgp 200
[ASBR2-bgp]peer 6.6.6.6 as-number 200
[ASBR2-bgp]peer 6.6.6.6 connect-interface LoopBack 0
[ASBR2-bgp]peer 10.1.34.3 as-number 100
ASBR-PE与对端ASBR-PE之间能够交换带标签的IPv4路由
[ASBR1-bgp]peer 10.1.34.4 as-number 200
[ASBR2-bgp]peer 10.1.34.3 as-number 100
[ASBR2-bgp]network 6.6.6.6 255.255.255.255
[ASBR2-bgp-af-ipv4]peer 6.6.6.6 route-policy ASBR1-ASBR2 export
[ASBR2-bgp-af-ipv4]peer 6.6.6.6 label-route-capability
[ASBR2-bgp-af-ipv4]peer 10.1.34.3 route-policy ASBR2-ASBR1 export
[ASBR2-bgp-af-ipv4]peer 10.1.34.3 label-route-capability
[ASBR2]route-policy ASBR2-ASBR1 permit node 1
[ASBR2-route-policy] apply mpls-label
[ASBR2]route-policy ASBR1-ASBR2 permit node 1
[ASBR2-route-policy]if-match mpls-label
[ASBR2-route-policy]apply mpls-label
[ASBR2]ospf 1
[ASBR2-ospf-1]import-route bgp
#OSPF路由引入BGP[PE2]ip vpn-instance B1
[PE2-vpn-instance-B1]route-distinguisher 200:1
[PE2-vpn-instance-B1-af-ipv4]vpn-target 1:1
[PE2]ip vpn-instance B2
[PE2-vpn-instance-B2]route-distinguisher 200:2
[PE2-vpn-instance-B2-af-ipv4]vpn-target 2:2
[PE2-bgp]peer 4.4.4.4 as-number 200
[PE2-bgp]peer 4.4.4.4 connect-interface LoopBack 0
[PE2-bgp]peer 1.1.1.1 as-number 100
[PE2-bgp]peer 1.1.1.1 connect-interface LoopBack 0
[PE2-bgp]peer 1.1.1.1 ebgp-max-hop 10
[PE2-bgp]ipv4-family vpnv4
[PE2-bgp-af-vpnv4]peer 1.1.1.1 enable
[PE2-bgp]ipv4-family vpn-instance B1
[PE2-bgp-B1]peer 192.168.2.2 as-number 110
[ASBR2]route-policy ASBR2-ASBR1 permit node 2
[ASBR2-route-policy] if-match mpls-label
[ASBR2-route-policy] apply mpls-label
[PE2]interface GigabitEthernet 0/0/1
[PE2-GigabitEthernet0/0/1]ip binding vpn-instance B1
[PE2-GigabitEthernet0/0/1]ip address 192.168.2.1 24
[PE2]interface GigabitEthernet 0/0/2
[PE2-GigabitEthernet0/0/2]ip binding vpn-instance B2
[PE2-GigabitEthernet0/0/2]ip address 172.16.2.1 24[ASBR1]mpls
[ASBR1-mpls] lsp-trigger bgp-label-rout
# 配置基于 BGP 标签路由触发 LSP
[ASBR2]mpls
[ASBR2-mpls] lsp-trigger bgp-label-route验证
display bgp peer 
tracert -a 7.7.7.7 9.9.9.9
结尾:
OptionA:ASBR之间不需要运行MPLS,优点是配置简单,适合VPN数量比较少的场景。
OptionB:优点是不需要为每个跨域的VPN创建接口,所有的流量都经过ASBR转发,流量的可控性较好,但ASBR的负担重。当VPN路由较多时,ASBR负担重,容易成为瓶颈点。
OptionC:ASBR不维护或发布VPNv4路由,PE之间直接交换VPNv4路由。该方式更适合在跨越多个AS时使用。缺点是维护一条端到端的BGP LSP连接,管理代价较大。