CCIE SP—MPLS VPN Basic 3
OSPF between CE and PE
CE2
router ospf 1
router-id 10.1.6.6
log-adjacency-changes
network 10.1.6.6 0.0.0.0 area 0
network 10.1.46.0 0.0.0.255 area 1
!
CE2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 3 subnets
C 10.1.6.0 is directly connected, Loopback0
C 10.1.46.0 is directly connected, Ethernet0/0
O E2 10.1.38.0 [110/1] via 10.1.46.4, 02:11:33, Ethernet0/0
PE2
router ospf 1 vrf b
log-adjacency-changes
redistribute bgp 1 subnets
network 10.1.46.0 0.0.0.255 area 1
!
router bgp 1
bgp router-id 10.1.4.4
bgp log-neighbor-changes
neighbor 150.1.3.3 remote-as 1
neighbor 150.1.3.3 update-source Loopback0
!
address-family ipv4 vrf b
redistribute ospf 1 vrf b match internal external 1 external 2
no auto-summary
no synchronization
exit-address-family
!
PE2#sh ip ospf nei
Neighbor ID Pri State Dead Time Address Interface
10.1.6.6 1 FULL/BDR 00:00:38 10.1.46.6 Ethernet0/0
PE2#sh ip route vrf b
Routing Table: PE2
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 2 subnets
C 10.1.46.0 is directly connected, Ethernet0/0
B 10.1.38.0 [200/0] via 150.1.3.3, 02:04:52
PE1
router ospf 1 vrf b
log-adjacency-changes
redistribute bgp 1 subnets
network 10.1.38.0 0.0.0.255 area 1
!
router bgp 1
no synchronization
bgp router-id 150.1.3.3
bgp log-neighbor-changes
redistribute static
neighbor 150.1.4.4 remote-as 1
neighbor 150.1.4.4 update-source Loopback0
neighbor 150.1.4.4 next-hop-self
no auto-summary
!
address-family ipv4 vrf b
redistribute ospf 1 vrf b match internal external 1 external 2
no auto-summary
no synchronization
exit-address-family
PE1#sh ip route vrf b
Routing Table: b
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 2 subnets
B 10.1.46.0 [200/0] via 150.1.4.4, 02:09:24
C 10.1.38.0 is directly connected, Ethernet0/1
CE1
router ospf 1
router-id 10.1.8.8
log-adjacency-changes
network 10.1.8.8 0.0.0.0 area 0
network 10.1.38.0 0.0.0.255 area 1
CE1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 3 subnets
C 10.1.8.0 is directly connected, Loopback0
O E2 10.1.46.0 [110/1] via 10.1.38.3, 02:13:12, FastEthernet1/3
C 10.1.38.0 is directly connected, FastEthernet1/3
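In the configuration example above, the loopback addresses advertised with network statements on the CEs did not make it into the OSPF routes. Why?
The whole MPLS domain effectively acts as a super area 0. On CE1 and CE2 only area 1 is directly attached to the super area 0, so its routes are present; area 0 on CE1 and CE2 is not directly attached to the super area 0, so the PE does not install the routes advertised from area 0 into its routing table.
There are many ways to connect a remote area to area 0; for this lab I will not go into them and simply change area 0 to area 1. After the change, the PEs have learned the CE loopback addresses: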
PE2#sh ip bgp vpn all 10.1.8.8
BGP routing table entry for 1:68:10.1.8.8/32, version 16
Paths: (1 available, best #1, table r6-sw2)
Not advertised to any peer
Local
150.1.3.3 (metric 130) from 150.1.3.3 (150.1.3.3)
Origin incomplete, metric 11, localpref 100, valid, internal, best
Extended Community: RT:1:68 OSPF DOMAIN ID:0x0005:0x000000010200
OSPF RT:0.0.0.1:2:0 OSPF ROUTER ID:10.1.38.3:512,
mpls labels in/out nolabel/24
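Now look at the routes: if the processes at the two CE ends differ, the routes they learn show up as E2, which breaks the original topology. There are two ways to change the E2 routes:
- Change the process ID so that both ends match; once the process IDs are the same, the DOMAIN IDs are the same too.
- If the customer cannot change the process ID, modify the DOMAIN ID directly so that the DOMAIN IDs match. So when unexpected E2 routes appear, the first thing to check is the DOMAIN ID.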
Update 2012-09-06:
On the 9k there is no domain-id by default, so you have to configure it yourself. Mind the format when configuring:
type (2 bytes) + value (6 bytes) + 0200;
(config-ospf-vrf)#domain-id type 0005 value 0x000000010200
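For more detail see RFC 4577: http://www.ietf.org/rfc/rfc4577.txt
1. TYPE
There are several types: 0005, 0105, 0205 and 8005 each serve a different purpose. They are all BGP extended community types; the following registry lists every BGP extended community and its RFC: Border Gateway Protocol (BGP) Extended Communities
2. VALUE
On Cisco devices this mainly reflects the process ID; any value can be set.
3. 0200
Locally administered, with no real meaning; Cisco devices always use this value, so it can be ignored.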
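The Domain ID check described above can be scripted. This is an added example, not part of the original post: it parses the OSPF Domain ID and Route Type communities from the PE2 output shown earlier and applies the RFC 4577 rule for which LSA the receiving PE originates. The function names are hypothetical, and the default value layout (process ID followed by 0200) is taken from the page's description.

```python
import re

# Constructed sample: the two extended-community lines from the PE2 output above.
SAMPLE = (
    "Extended Community: RT:1:68 OSPF DOMAIN ID:0x0005:0x000000010200\n"
    "OSPF RT:0.0.0.1:2:0 OSPF ROUTER ID:10.1.38.3:512,\n"
)

DOMAIN_RE = re.compile(r"OSPF DOMAIN ID:0x([0-9A-Fa-f]{4}):0x([0-9A-Fa-f]{12})")
ROUTE_TYPE_RE = re.compile(r"OSPF RT:(\d+(?:\.\d+){3}):(\d+):(\d+)")


def parse_ospf_attrs(text):
    """Pull the OSPF Domain ID and Route Type communities out of the text."""
    dom = DOMAIN_RE.search(text)
    rt = ROUTE_TYPE_RE.search(text)
    return {
        "domain_type": dom.group(1).lower() if dom else None,
        "domain_value": dom.group(2).lower() if dom else None,
        "area": rt.group(1) if rt else None,
        "route_type": int(rt.group(2)) if rt else None,
    }


def ios_default_domain_value(process_id):
    """Assumption taken from the page: process ID (4 bytes) followed by 0200."""
    return f"{process_id:08x}0200"


def predicted_lsa(attrs, local_domain_value):
    """RFC 4577: same domain and route type 1/2/3 gives a Type 3 summary LSA;
    a different domain, or an external route type, gives an external LSA."""
    if attrs["route_type"] is None:
        return "unknown (no OSPF Route Type community)"
    same_domain = attrs["domain_value"] == local_domain_value
    if same_domain and attrs["route_type"] in (1, 2, 3):
        return "inter-area (Type 3 summary LSA)"
    return "external (Type 5 LSA)"


if __name__ == "__main__":
    attrs = parse_ospf_attrs(SAMPLE)
    for pid in (1, 2):  # local OSPF process IDs to compare against
        local = ios_default_domain_value(pid)
        print(f"local process {pid} ({local}): {predicted_lsa(attrs, local)}")
```

With the sample route, a receiving PE running process 1 sees a matching Domain ID, while process 2 does not, which is the mismatch that produces the unexpected E2 routes.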
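OSPF loop prevention mechanisms:
1. The "downward" bit
This is a property of summary LSAs and is enabled by default. It can be viewed with "sh ip ospf da sum". When a PE receives an IA route, it looks in the inter-area database for the "downward" flag; if the flag is set, the PE knows the route was sent by another PE and does not install it in the VRF routing table.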
PE2#sh ip ospf da sum
OSPF Router with ID (10.1.6.6) (Process ID 1)
Summary Net Link States (Area 1)
Routing Bit Set on this LSA
LS age: 778
Options: (No TOS-capability, DC, Downward)
LS Type: Summary Links(Network)
Link State ID: 10.1.8.8 (summary Network Number)
Advertising Router: 10.1.46.4
LS Seq Number: 80000001
Checksum: 0x7BDD
Length: 28
Network Mask: /32
TOS: 0 Metric: 11
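Update 2008-11-23:
Do not limit your understanding of Downward to the case above; remember the underlying principle. In some special cases a CE also uses a VRF, purely to isolate routing tables. Remember that as soon as OSPF runs under a VRF, the router itself assumes it is attached to the MPLS backbone (this can be checked with "show ip ospf"), so it checks every IA route received from its peer. In that case, if it receives a route from the PE carrying Downward, it does not install it in the routing table.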
2. OSPF Tag Field
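Similar to "downward": if the receiving PE finds that a route has the OSPF Tag Field set and that it belongs to the backbone area, it refuses to install the route in the VRF routing table. When a CE spans the DOMAINs of the CEs at both ends, no LSA3 is generated, and the Tag Field is used instead. See the figure.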
3. Sham Link
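When areas are assigned, a backdoor link has to be placed in the same area. Across the MPLS backbone, however, the backbone is treated as inter-area, and intra-area routes are always preferred over inter-area routes, so OSPF does not use MPLS and goes straight over the backdoor link. With a specific command, a virtual link is built between the PEs, the Sham Link (a fake link), so that the routes stay in the same area. If a Sham Link is configured, the AREA must be the same on both PEs.
The correct configuration on PE1 (PE2 mirrors it with the corresponding configuration):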
interface Loopback1
ip vrf forwarding b
ip address 33.33.33.33 255.255.255.255
!
router ospf 1 vrf b
router-id 33.33.33.33
log-adjacency-changes
area 1 sham-link 33.33.33.33 44.44.44.44
redistribute bgp 1 subnets
network 10.1.38.0 0.0.0.255 area 1
!
router bgp 1
address-family ipv4 vrf b
redistribute ospf 1 vrf b match internal external 1 external 2
no auto-summary
no synchronization
network 33.33.33.33 mask 255.255.255.255
exit-address-family
Routing table on CE1:
CE1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
33.0.0.0/32 is subnetted, 1 subnets
O E2 33.33.33.33 [110/1] via 10.1.38.3, 00:03:52, FastEthernet1/3
10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C 10.1.8.0/24 is directly connected, Loopback0
O 10.1.6.6/32 [110/13] via 10.1.38.3, 00:03:52, FastEthernet1/3
O 10.1.46.0/24 [110/12] via 10.1.38.3, 00:03:52, FastEthernet1/3
C 10.1.38.0/24 is directly connected, FastEthernet1/3
44.0.0.0/32 is subnetted, 1 subnets
O E2 44.44.44.44 [110/1] via 10.1.38.3, 00:03:52, FastEthernet1/3
Note: the sham-link flapping problem
When I configured it as follows, it caused flapping:
router ospf 1 vrf r6-sw2
router-id 33.33.33.33
log-adjacency-changes
area 1 sham-link 33.33.33.33 44.44.44.44
network 33.33.33.33 0.0.0.0 a 1
network 10.1.38.0 0.0.0.255 area 1
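Cause:
Before the sham-link is established, the CE routes are learned via MP-BGP and are B routes. Once the sham-link is up, the CE routes are learned directly over the sham-link as O routes, so the BGP routes are withdrawn. The sham-link endpoints (33.33.33.33 and 44.44.44.44 became reachable only after being redistributed into BGP, which is why the sham-link could come up in the first place) then lose connectivity. With no route, the sham-link cannot stay established and goes down; at that point the routes are learned through MP-BGP again, and the flapping continues.
Fix:
The endpoints therefore need to be advertised with a network statement under BGP, kept separate from OSPF. Some say it is enough to advertise the endpoints into a different area (different from the main routing area), but I tested that and it did not seem to work.
Additional note:
By default there can be only 32 processes globally; once there are more than 32, no new process can be started.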
Rack1R1#sh ip protocols sum
Index Process Name
0 connected
1 static
2 ospf 1
3 ospf 2
4 ospf 3
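As for the number of processes in VRFs: in early IOS versions all VRFs together could run only 32 processes, which limited the number of VRFs. Newer versions removed this limit and allow 32 processes per VRF, which can be checked with "sh ip pro vrf XXX sum". More details are available here.
Upvoting this, very helpful.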