CCIE SP—Inter-Provider VPN Option 3 (unfinished)
[Yesterday a colleague asked me a few questions about Option 3. I hadn't looked at it for a long time and had forgotten some of it. I checked the blog and found there were no Option 3 notes, then found them in my drafts, heh. They were never fully tidied up, which is why I hadn't posted them. Even though they're still not fully organized, I'm releasing them for now and will fix them up later; otherwise it's always a hassle to dig them out of the drafts. I'll improve these notes later.]
Even using multihop between the ASBRs does not guarantee that the load on the ASBRs is fully reduced; with many inter-AS customers they are still severely affected.
And because the RRs already hold the VPNv4 routes, that is, they already carry all of the MPLS VPN forwarding information, building the inter-AS session between the RRs is clearly the most suitable choice. But if the two ASes belong to different carriers, the RR addresses will inevitably be leaked.
The concrete steps are described below:
1. Advertise the PE and RR loopbacks
You could add them with network statements on the PEs and RRs themselves, but to avoid running extra global (IPv4) BGP across the backbone it is enough to advertise these routes with network statements on the ASBR only, and then redistribute the ones learned from the other AS into the IGP.
2. The break in the LSP underneath the VPN label
MPLS (LDP) does not allocate labels for BGP routes, and since the ASBRs peer over plain IPv4 BGP, the remote PE and RR loopbacks are by default BGP routes, so no label gets assigned to them. The BGP routes therefore have to be redistributed into the IGP so that they become IGP routes and can receive labels.
3. The bottom label and the top label
The routes are passed through the RRs, which carry the bottom label, i.e. the VPN label; the top label is allocated per route (FEC), and because on the ASBR the PE and RR loopback routes are still BGP routes, the BGP send-label feature is required.
At this point take care to identify exactly which device allocated each layer of the label stack, because in some cases the top label and the bottom label are allocated along different paths. The direction the data takes is determined by the swapping of the top label!
4. send-label
Once enabled, BGP allocates labels for its routes, with the same effect as running MPLS on them. A route-map can be attached so that send-label applies only to the prefixes that match; not every BGP route needs a label.
5. BGP route filtering
If the ASBRs do not forward VPN routes, just leave "bgp default route-target filter" in place. VPN routes only need to be held and re-labelled where the next hop changes, so as long as the next hop does not change the filter can stay enabled (it is on by default).
6. next-hop-unchanged
Configure this command as required; then the VPN label is imposed only on the PE and is not changed while passing through the RR, because the next hop does not change, which gives clean end-to-end forwarding. This is also the reason the PE loopbacks had to be advertised into the global routing table above!
7. Checking bottom-label allocation
Note: to inspect the bottom-label allocation, use "show ip bgp vpnv4 all neighbors x.x.x.x routes" and "show ip bgp vpnv4 all neighbors x.x.x.x advertised-routes".
Worked example
Topology:

           +------+                                   +------+
           | RR1  |                                   | RR2  |
           |  R2  |                                   |  R5  |
           +------+                                   +------+
          /        \                                 /        \
   +-----+        +-------+                   +-------+        +-----+
   | PE1 |        | ASBR1 +-------------------+ ASBR2 |        | PE2 |
   |  R1 |        |  R3   |                   |  R4   |        |  R6 |
   +-----+        +-------+                   +-------+        +-----+
      |                                                           |
   +-----+                                                     +-----+
   | CE1 | 11.11.11.11                             66.66.66.66 | CE2 |
   +-----+                                                     +-----+
PE1 (R1) configuration and output:

R1#sh ip bgp vpn all l
   Network          Next Hop      In label/Out label
Route Distinguisher: 1:1 (a)
   11.11.11.0/24    0.0.0.0       103/nolabel    # 103 is the MP-BGP label allocated by R1 itself
   66.66.66.66/32   6.6.6.6       nolabel/605    # 605 is the label allocated by PE2; note that the next hop is already PE2's loopback
Route Distinguisher: 1:2
   66.66.66.66/32   6.6.6.6       nolabel/605

R1#sh mpls for
Local  Outgoing    Prefix              Bytes Label  Outgoing   Next Hop
Label  Label       or VC or Tunnel Id  Switched     interface
100    Pop Label   2.2.2.2/32          0            Se1/0      point2point
101    Pop Label   10.0.23.0/24        0            Se1/0      point2point
102    202         3.3.3.3/32          0            Se1/0      point2point
103    Aggregate   11.11.11.0/24[V]    0            a          # for an explanation of Aggregate see "CCIE SP—MPLS Basic 1"
104    201         5.5.5.5/32          0            Se1/0      point2point
105    203         6.6.6.6/32          0            Se1/0      point2point   # 105 is the locally allocated label (sh mpls ldp bin); 203 was distributed by the downstream neighbour

R1#sh ip cef vrf a 66.66.66.66 de
66.66.66.66/32, epoch 0
  recursive via 6.6.6.6 label 605          # the recursive lookup shows the route is learned via 6.6.6.6, with VPN label 605
    nexthop 10.0.12.2 Serial1/0 label 203  # here you can see label 203 was distributed by the downstream 10.0.12.2

Routing-table excerpt on R1 (O E2: the remote loopbacks arrive as BGP routes redistributed into OSPF on the ASBR):
O E2    5.5.5.5 [110/1] via 10.0.12.2, 00:10:00, Serial1/0
     6.0.0.0/32 is subnetted, 1 subnets
O E2    6.6.6.6 [110/1] via 10.0.12.2, 00:09:30, Serial1/0
     10.0.0.0/24 is subnetted, 2 subnets
RR1 (R2) configuration and output:

R2#sh ip bgp vpn all la
   Network          Next Hop      In label/Out label
Route Distinguisher: 1:1
   11.11.11.0/24    1.1.1.1       nolabel/103
Route Distinguisher: 1:2
   66.66.66.66/32   6.6.6.6       nolabel/605

R2#sh mpls for
Local  Outgoing    Prefix              Bytes Label  Outgoing   Next Hop
Label  Label       or VC or Tunnel Id  Switched     interface
200    Pop Label   1.1.1.1/32          0            Se1/0      point2point
201    304         5.5.5.5/32          0            Se1/1      point2point
202    Pop Label   3.3.3.3/32          0            Se1/1      point2point
203    305         6.6.6.6/32          0            Se1/1      point2point

router bgp 100
 bgp router-id 2.2.2.2
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 1.1.1.1 remote-as 100
 neighbor 1.1.1.1 update-source Loopback0
 neighbor 3.3.3.3 remote-as 100
 neighbor 3.3.3.3 update-source Loopback0
 neighbor 5.5.5.5 remote-as 200
 neighbor 5.5.5.5 ebgp-multihop 255
 neighbor 5.5.5.5 update-source Loopback0
 !
 address-family vpnv4
  neighbor 1.1.1.1 activate
  neighbor 1.1.1.1 route-reflector-client
  neighbor 1.1.1.1 send-community extended
  neighbor 3.3.3.3 activate
  neighbor 3.3.3.3 route-reflector-client
  neighbor 3.3.3.3 send-community extended
  neighbor 5.5.5.5 activate
  neighbor 5.5.5.5 next-hop-unchanged   # without this command the next hop of the routes changes to the RR; since the peer is eBGP, MP-BGP would then allocate a new label
  neighbor 5.5.5.5 send-community extended
 exit-address-family

R2#sh mpls ldp bindings 6.6.6.6 32
  lib entry: 6.6.6.6/32, rev 19
        local binding:  label: 203
        remote binding: lsr: 3.3.3.3:0, label: 305
        remote binding: lsr: 1.1.1.1:0, label: 105   # the RR has received two labels but uses only 305. Why? (LDP installs only the binding from the IGP next hop for 6.6.6.6, which is 3.3.3.3; the binding from 1.1.1.1 is merely retained.)
ASBR1 (R3) configuration and output:

R3#sh ip bgp la
   Network          Next Hop      In label/Out label
   1.1.1.1/32       10.0.23.2     300(from LDP)/nolabel   <<<--- "from LDP" only appears in the SP edition of IOS
   2.2.2.2/32       10.0.23.2     301(from LDP)/nolabel   # the In label is the one I hand out to others; these labels can be seen on RR1 with "sh mpls ldp bin"
   5.5.5.5/32       10.0.34.4     306/403
   6.6.6.6/32       10.0.34.4     305/405

R3#sh mpls for
Local  Outgoing    Prefix              Bytes Label  Outgoing   Next Hop
Label  Label       or VC or Tunnel Id  Switched     interface
300    200         1.1.1.1/32          0            Se1/1      point2point
301    Pop Label   2.2.2.2/32          2245         Se1/1      point2point
302    Pop Label   10.0.12.0/24        0            Se1/1      point2point
303    Pop Label   10.0.34.4/32        0            Se1/2      point2point
304    403         5.5.5.5/32          2016         Se1/2      point2point
305    405         6.6.6.6/32          0            Se1/2      point2point

router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 redistribute bgp 100 subnets route-map FR4   # only BGP routes that carry a label are allowed into the IGP
 network 3.3.3.3 0.0.0.0 area 0
 network 10.0.23.0 0.0.0.255 area 0
!
router bgp 100
 bgp router-id 3.3.3.3
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 2.2.2.2 remote-as 100
 neighbor 2.2.2.2 update-source Loopback0
 neighbor 10.0.34.4 remote-as 200
 !
 address-family ipv4
  neighbor 10.0.34.4 activate
  neighbor 10.0.34.4 send-label
  no auto-summary
  no synchronization
  network 1.1.1.1 mask 255.255.255.255
  network 2.2.2.2 mask 255.255.255.255
 exit-address-family
!
ip prefix-list lable seq 10 permit 1.1.1.1/32
ip prefix-list lable seq 20 permit 2.2.2.2/32
!
route-map FR4 permit 10
 match mpls-label
!
route-map TR4 permit 10
 match ip address prefix-list lable
 set mpls-label
!
route-map TR4 permit 20

(Note: in the configuration shown, TR4 is defined but not attached to neighbor 10.0.34.4; compare R4 below, which applies TR3 with "route-map TR3 out" so that only the listed loopbacks get labels.)
ASBR2 (R4) configuration and output:

R4#sh ip bgp la
   Network          Next Hop      In label/Out label
   1.1.1.1/32       10.0.34.3     402/300
   2.2.2.2/32       10.0.34.3     400/301
   5.5.5.5/32       10.0.45.5     403(from LDP)/nolabel
   6.6.6.6/32       10.0.45.5     405(from LDP)/nolabel

R4#sh mpls for
Local  Outgoing    Prefix              Bytes Label  Outgoing   Next Hop
Label  Label       or VC or Tunnel Id  Switched     interface
400    301         2.2.2.2/32          565          Se1/2      point2point
401    Pop Label   10.0.34.3/32        0            Se1/2      point2point
402    300         1.1.1.1/32          0            Se1/2      point2point
403    Pop Label   5.5.5.5/32          6931         Se1/3      point2point
404    Pop Label   10.0.56.0/24        0            Se1/3      point2point
405    504         6.6.6.6/32          0            Se1/3      point2point

router ospf 1
 router-id 4.4.4.4
 log-adjacency-changes
 redistribute bgp 200 subnets route-map FR3
 network 4.4.4.4 0.0.0.0 area 0
 network 10.0.45.0 0.0.0.255 area 0
!
router bgp 200
 bgp router-id 4.4.4.4
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 5.5.5.5 remote-as 200
 neighbor 5.5.5.5 update-source Loopback0
 neighbor 10.0.34.3 remote-as 100
 !
 address-family ipv4
  neighbor 10.0.34.3 activate
  neighbor 10.0.34.3 route-map TR3 out
  neighbor 10.0.34.3 send-label
  no auto-summary
  no synchronization
  network 5.5.5.5 mask 255.255.255.255
  network 6.6.6.6 mask 255.255.255.255
 exit-address-family
!
access-list 1 permit 5.5.5.5
access-list 1 permit 6.6.6.6
!
route-map FR3 permit 10
 match mpls-label
!
route-map TR3 permit 10
 match ip address 1
 set mpls-label
!
route-map TR3 permit 20
RR2 (R5) configuration and output:

R5#sh mpls for
Local  Outgoing    Prefix              Bytes Label  Outgoing   Next Hop
Label  Label       or VC or Tunnel Id  Switched     interface
500    Pop Label   4.4.4.4/32          0            Se1/3      point2point
501    402         1.1.1.1/32          0            Se1/3      point2point
502    400         2.2.2.2/32          0            Se1/3      point2point
504    Pop Label   6.6.6.6/32          0            Se1/0      point2point

R5#sh ip bgp vpn all la
   Network          Next Hop      In label/Out label
Route Distinguisher: 1:1
   11.11.11.0/24    1.1.1.1       nolabel/103
Route Distinguisher: 1:2
   66.66.66.66/32   6.6.6.6       nolabel/605
PE2 (R6) configuration and output:

R6#sh ip bgp vpn all la
   Network          Next Hop      In label/Out label
Route Distinguisher: 1:1
   11.11.11.0/24    1.1.1.1       nolabel/103
Route Distinguisher: 1:2 (b)
   11.11.11.0/24    1.1.1.1       nolabel/103
   66.66.66.66/32   0.0.0.0       605/nolabel

R6#sh mpls for
Local  Outgoing    Prefix              Bytes Label  Outgoing   Next Hop
Label  Label       or VC or Tunnel Id  Switched     interface
600    500         4.4.4.4/32          0            Se1/0      point2point
601    Pop Label   5.5.5.5/32          0            Se1/0      point2point
602    Pop Label   10.0.45.0/24        0            Se1/0      point2point
603    501         1.1.1.1/32          0            Se1/0      point2point
604    502         2.2.2.2/32          0            Se1/0      point2point
605    Aggregate   66.66.66.66/32[V]   0            b
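To make the label-stack reasoning from steps 2, 3 and 6 and from the tables above concrete, here is an added Python example (written for this page, not part of the original notes and not Cisco code). It transcribes the LFIB entries shown for R1 to R6 and the two PEs' VPNv4 entries into dictionaries, then walks a VPN packet from each PE towards the other customer site, showing the label stack on every link and where the bottom (VPN) label is finally consumed. The router names are the post's own; the mapping from interface to neighbour (R1 Se1/0 to R2, R2 Se1/1 to R3, and so on) is an assumption taken from the topology drawing, and the names Entry, LFIB, VPNV4, walk and vpn_label_preserved are mine.

```python
"""Label-stack walk over the Option 3 topology (constructed example, not from the post).

LFIB entries are transcribed from the `show mpls forwarding-table` output shown for
R1..R6; VPNv4 entries from `show ip bgp vpnv4 all labels` on the two PEs. The
interface -> neighbour mapping is an assumption based on the topology drawing.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

POP = "Pop Label"   # penultimate-hop pop: remove the top label, forward the rest
AGG = "Aggregate"   # VPN label terminates here: IP lookup in the named VRF

Label = Union[int, str]


@dataclass(frozen=True)
class Entry:
    local: int        # incoming (locally allocated) label
    outgoing: Label   # label to swap to, or POP, or AGG
    prefix: str       # FEC the label belongs to
    next_hop: str     # downstream router, or VRF name when outgoing == AGG


# Transcribed from the post's LFIBs (loopback FECs and the two customer prefixes only).
LFIB: Dict[str, List[Entry]] = {
    "R1": [Entry(100, POP, "2.2.2.2/32", "R2"), Entry(103, AGG, "11.11.11.0/24", "a"),
           Entry(104, 201, "5.5.5.5/32", "R2"), Entry(105, 203, "6.6.6.6/32", "R2")],
    "R2": [Entry(200, POP, "1.1.1.1/32", "R1"), Entry(201, 304, "5.5.5.5/32", "R3"),
           Entry(202, POP, "3.3.3.3/32", "R3"), Entry(203, 305, "6.6.6.6/32", "R3")],
    "R3": [Entry(300, 200, "1.1.1.1/32", "R2"), Entry(301, POP, "2.2.2.2/32", "R2"),
           Entry(304, 403, "5.5.5.5/32", "R4"), Entry(305, 405, "6.6.6.6/32", "R4")],
    "R4": [Entry(400, 301, "2.2.2.2/32", "R3"), Entry(402, 300, "1.1.1.1/32", "R3"),
           Entry(403, POP, "5.5.5.5/32", "R5"), Entry(405, 504, "6.6.6.6/32", "R5")],
    "R5": [Entry(500, POP, "4.4.4.4/32", "R4"), Entry(501, 402, "1.1.1.1/32", "R4"),
           Entry(502, 400, "2.2.2.2/32", "R4"), Entry(504, POP, "6.6.6.6/32", "R6")],
    "R6": [Entry(600, 500, "4.4.4.4/32", "R5"), Entry(601, POP, "5.5.5.5/32", "R5"),
           Entry(603, 501, "1.1.1.1/32", "R5"), Entry(604, 502, "2.2.2.2/32", "R5"),
           Entry(605, AGG, "66.66.66.66/32", "b")],
}

# VPNv4 table on each ingress PE: (PE, VRF, customer prefix) -> (BGP next hop, VPN label).
VPNV4: Dict[Tuple[str, str, str], Tuple[str, int]] = {
    ("R1", "a", "66.66.66.66/32"): ("6.6.6.6/32", 605),
    ("R6", "b", "11.11.11.0/24"): ("1.1.1.1/32", 103),
}

Hop = Tuple[str, str, Tuple[Label, ...]]   # (from, to, label stack on the wire, top label first)


def lookup_prefix(lfib: Dict[str, List[Entry]], router: str, prefix: str) -> Entry:
    """Ingress lookup: which outgoing label does this router push for a FEC?"""
    for e in lfib[router]:
        if e.prefix == prefix:
            return e
    raise LookupError(f"{router}: no label for {prefix} (LSP broken, see step 2)")


def lookup_label(lfib: Dict[str, List[Entry]], router: str, label: Label) -> Entry:
    """Transit lookup: what does this router do with an incoming top label?"""
    for e in lfib[router]:
        if e.local == label:
            return e
    raise LookupError(f"{router}: unknown incoming label {label} (LSP broken, see step 2)")


def walk(ingress: str, vrf: str, dest: str, lfib=LFIB, max_hops: int = 16):
    """Return (hops, (egress PE, VRF)) for a packet entering `ingress` in `vrf` bound for `dest`."""
    next_hop_pe, vpn_label = VPNV4[(ingress, vrf, dest)]
    e = lookup_prefix(lfib, ingress, next_hop_pe)
    # Ingress pushes the VPN label (bottom) and the transport label for the remote PE loopback (top).
    stack: List[Label] = [vpn_label] if e.outgoing == POP else [e.outgoing, vpn_label]
    hops: List[Hop] = [(ingress, e.next_hop, tuple(stack))]
    router = e.next_hop
    for _ in range(max_hops):
        if not stack:
            raise RuntimeError(f"{router}: unlabelled packet arrived, cannot forward")
        e = lookup_label(lfib, router, stack[0])
        if e.outgoing == AGG:
            return hops, (router, e.next_hop)   # bottom label consumed: VRF lookup on the egress PE
        stack = stack[1:] if e.outgoing == POP else [e.outgoing] + stack[1:]
        hops.append((router, e.next_hop, tuple(stack)))
        router = e.next_hop
    raise RuntimeError("label stack did not terminate within max_hops (loop?)")


def vpn_label_preserved(hops: List[Hop], vpn_label: int) -> bool:
    """True when the bottom label is untouched on every link, which is what next-hop-unchanged buys."""
    return all(stack[-1] == vpn_label for _, _, stack in hops)


if __name__ == "__main__":
    for ingress, vrf, dest in (("R1", "a", "66.66.66.66/32"), ("R6", "b", "11.11.11.0/24")):
        hops, egress = walk(ingress, vrf, dest)
        for src, dst, stack in hops:
            print(f"{src} -> {dst}: {list(stack)}")
        ok = vpn_label_preserved(hops, VPNV4[(ingress, vrf, dest)][1])
        print(f"egress {egress[0]}, VRF {egress[1]}, VPN label preserved: {ok}\n")
```

Run as-is, the walk from R1 shows the top label going 203, 305, 405, 504 and then being popped by R5, while 605 rides underneath unchanged until R6 does the VRF b lookup; the reverse walk carries 103 under 501, 402, 300, 200. Deleting the R3 entry for 305 (the situation of step 2, an ASBR that has no label for the remote PE loopback because the route is still plain BGP) makes the walk raise LookupError at R3 instead of silently delivering the packet, which is exactly the break the send-label and redistribution steps exist to prevent.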