CCIE SP—MPLS VPN Basic 3

CE与PE之间的OSPF

CE2

router ospf 1
 router-id 10.1.6.6
 log-adjacency-changes
 network 10.1.6.6 0.0.0.0 area 0
 network 10.1.46.0 0.0.0.255 area 1
 !
CE2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

10.0.0.0/24 is subnetted, 3 subnets
C       10.1.6.0 is directly connected, Loopback0
C       10.1.46.0 is directly connected, Ethernet0/0
O E2    10.1.38.0 [110/1] via 10.1.46.4, 02:11:33, Ethernet0/0

PE2

router ospf 1 vrf b
 log-adjacency-changes
 redistribute bgp 1 subnets
 network 10.1.46.0 0.0.0.255 area 1
!
router bgp 1
 bgp router-id 10.1.4.4
 bgp log-neighbor-changes
 neighbor 150.1.3.3 remote-as 1
 neighbor 150.1.3.3 update-source Loopback0
 !
 address-family ipv4 vrf b
  redistribute ospf 1 vrf b match internal external 1 external 2
  no auto-summary
  no synchronization
 exit-address-family
!
PE2#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.1.6.6          1   FULL/BDR        00:00:38    10.1.46.6       Ethernet0/0

PE2#sh ip route vrf b

Routing Table: PE2
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

10.0.0.0/24 is subnetted, 2 subnets
C       10.1.46.0 is directly connected, Ethernet0/0
B       10.1.38.0 [200/0] via 150.1.3.3, 02:04:52

PE1

router ospf 1 vrf b
 log-adjacency-changes
 redistribute bgp 1 subnets
 network 10.1.38.0 0.0.0.255 area 1
!
router bgp 1
 no synchronization
 bgp router-id 150.1.3.3
 bgp log-neighbor-changes
 redistribute static
 neighbor 150.1.4.4 remote-as 1
 neighbor 150.1.4.4 update-source Loopback0
 neighbor 150.1.4.4 next-hop-self
 no auto-summary
 !
 address-family ipv4 vrf b
  redistribute ospf 1 vrf r6-sw2 match internal external 1 external 2
  no auto-summary
  no synchronization
 exit-address-family

PE1#sh ip route vrf b
Routing Table: b
Codes: C – connected, S – static, R – RIP, M – mobile, B – BGP
D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2
ia – IS-IS inter area, * – candidate default, U – per-user static route
o – ODR, P – periodic downloaded static route

Gateway of last resort is not set
 
10.0.0.0/24 is subnetted, 2 subnets
B       10.1.46.0 [200/0] via 150.1.4.4, 02:09:24
C       10.1.38.0 is directly connected, Ethernet0/1

CE1

router ospf 1
 router-id 10.1.8.8
 log-adjacency-changes
 network 10.1.8.8 0.0.0.0 area 0
 network 10.1.38.0 0.0.0.255 area 1

CE1#sh ip route
Codes: C – connected, S – static, R – RIP, M – mobile, B – BGP
D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2
ia – IS-IS inter area, * – candidate default, U – per-user static route
o – ODR, P – periodic downloaded static route

Gateway of last resort is not set

10.0.0.0/24 is subnetted, 3 subnets
C       10.1.8.0 is directly connected, Loopback0
O E2    10.1.46.0 [110/1] via 10.1.38.3, 02:13:12, FastEthernet1/3
C       10.1.38.0 is directly connected, FastEthernet1/3

从上面的配置实例中,可以发现在CE上network的环回地址没有进入OSPF路由,为什么呢?

其实整个MPLS域就相当于一个super area 0,在CE1和CE2上只有area1跟super area 0直连,所以有路由,但CE1和CE2上的area 0跟super area 0不是直连,所以PE是不会把从area 0发布的路由加入路由表的。

有很多种方法可以连接连接远程area和area0,为了做试验,此处就不多说,直接把area0改成area1就行了。以下是更改后PE都学到了CE的环回地址:

PE2#sh ip bgp vpn all 10.1.8.8
BGP routing table entry for 1:68:10.1.8.8/32, version 16
Paths: (1 available, best #1, table r6-sw2)
Not advertised to any peer
Local
150.1.3.3 (metric 130) from 150.1.3.3 (150.1.3.3)
Origin incomplete, metric 11, localpref 100, valid, internal, best
Extended Community: RT:1:68 OSPF DOMAIN ID:0x0005:0x000000010200
OSPF RT:0.0.0.1:2:0 OSPF ROUTER ID:10.1.38.3:512,
mpls labels in/out nolabel/24

此时看路由,如果CE两端的进程不一样,那么会看到他们学来的是E2的路由,这样就破坏了原有的拓扑,这时有两种方法改变E2的路由:

  • 更改进程号,使两端保持一致,只要进程号相同了,DOMAIN ID也相同了。
  • 如果客户无法更改进程号,那么直接修改DOMAIN ID就可以了,使DOMAIN ID保持一致。因此如果出现了异常的E2路由,那么首要检查的就是DOMAIN ID。

2012-09-06 更新:

在9k上默认是没有domain-id的,所以需要自己配置,配置时注意格式:
type (2 byte) + value(6 byte) + 0200
(config-ospf-vrf)#domain-id type 0005 value 0x000000010200
关于更详细的信息可以查看RFC4577: http://www.ietf.org/rfc/rfc4577.txt

1. TYPE
其中type分为几种,0005、0105、0205和8005都代表不同的作用,这些都是BGP扩展属性其中的一种,可以查看下面链接,里面包括所有BGP扩展属性及相应的RFC:Border Gateway Protocol (BGP) Extended Communities
2. VALUE
思科设备主要以process id体现,可以设置任意值。
3. 0200
本地管理,没有实际意义,思科的设备都是这个值,可以忽略。

OSPF 防环机制:

1. “downward”位

此特性是Sum的特性,默认是开启的。可以通过“sh ip ospf da sum”查看此特性。当PE收到IA路由时,会查找域间数据库,看是否有带有”downwrad“,如果带,那么PE就会知道此路由是从另外的PE发过来的,那么他就不会加入到VRF的路由表中。

PE2#sh ip ospf da sum

OSPF Router with ID (10.1.6.6) (Process ID 1)

Summary Net Link States (Area 1)

Routing Bit Set on this LSA
LS age: 778
Options: (No TOS-capability, DC, Downward)
LS Type: Summary Links(Network)
Link State ID: 10.1.8.8 (summary Network Number)
Advertising Router: 10.1.46.4
LS Seq Number: 80000001
Checksum: 0x7BDD
Length: 28
Network Mask: /32
TOS: 0  Metric: 11

2008-11-23 更新:

对于Downward的理解一定不要仅限于此,要记清他的原理。有些特殊情况,CE也会应用到VRF,不过仅仅是用于隔离路由表,记住只要在VRF下运行了OSPF,路由器本身就认为它自己跟MPLS骨干网相连(可以中“show ip ospf”来查看),这样他会检查对端收来的所有IA路由,所以这种情况下如果收到PE发来的带有Downward的路由,他就不会加入到路由表中。

2. OSPF Tag Field
类似”downward“,如果接收PE发现路由有设置OSPF Tag Field,并发现属于骨干区域,那么他会拒绝把此路由加入到VRF路由表中。当某台CE跨越了2端CE的DOMAIN,这样就不会产生LSA3,这时用Tag Field。如图

3. Sham Link

后门链路在划分区域时,需要划入同一个area,但从MPLS骨干网走时,会把骨干网看成是域间的,所以域内的路由肯定优于域间的,所以OSPF就不会走MPLS,而直接走后门链路。通过特定的命令,在PE之间建立虚链接,也就是Sham Link(假链路、伪链路),使路由保持同一个域。如果设置Sham Link,必须保证两端PE的AREA相同。

在PE1上正确的配置方法(PE2与之对应,配置相同):

interface Loopback1
 ip vrf forwarding b
 ip address 33.33.33.33 255.255.255.255
!
router ospf 1 vrf b
 router-id 33.33.33.33
 log-adjacency-changes
 area 1 sham-link 33.33.33.33 44.44.44.44
 redistribute bgp 1 subnets
 network 10.1.38.0 0.0.0.255 area 1
 !
 address-family ipv4 b
  redistribute ospf 1 vrf b match internal external 1 external 2
  no auto-summary
  no synchronization
  network 33.33.33.33 mask 255.255.255.255
 exit-address-family

CE1上的路由表情况:

CE1#sh ip route
Codes: C – connected, S – static, R – RIP, M – mobile, B – BGP
D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2
ia – IS-IS inter area, * – candidate default, U – per-user static route
o – ODR, P – periodic downloaded static route

Gateway of last resort is not set

33.0.0.0/32 is subnetted, 1 subnets
O E2    33.33.33.33 [110/1] via 10.1.38.3, 00:03:52, FastEthernet1/3
10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C       10.1.8.0/24 is directly connected, Loopback0
O       10.1.6.6/32 [110/13] via 10.1.38.3, 00:03:52, FastEthernet1/3
O       10.1.46.0/24 [110/12] via 10.1.38.3, 00:03:52, FastEthernet1/3
C       10.1.38.0/24 is directly connected, FastEthernet1/3
44.0.0.0/32 is subnetted, 1 subnets
O E2    44.44.44.44 [110/1] via 10.1.38.3, 00:03:52, FastEthernet1/3

注意:shame-link flapping 的问题
当我如下配置时,会造成flapping

router ospf 1 vrf r6-sw2
 router-id 33.33.33.33
 log-adjacency-changes
 area 1 sham-link 33.33.33.33 44.44.44.44
  network 33.33.33.33 0.0.0.0 a 1
  network 10.1.38.0 0.0.0.255 area 1

原因:

当在建立sham-link之前,CE的路由是通过MPBGP学到到,是B的路由,但当sham-link建立好后,CE的路由直接通过sham-link学到的,而且是O的,这样BGP的路由就被拆除了,所以建立sham-link的连接点(连接点33.33.33.33 和44.44.44.44是通过重分布到BGP中后路由才通的,因此开始时sham-link才能建立起来)就断开了;因为没有路由了,sham-link无法建立,所以断开连接,这时路由又被MPBGP学到,如此flapping下去。

解决:

因此需要在BGP中network,区分ospf,有种说法说可以把连接点公布到不同的area中(区分主路由区域)就可以了,但是我做过测试,好像不行。

另外补充:

默认情况下,全局只能有32个进程,如果超过32个进程就不能再开启新的进程了。

Rack1R1#sh ip protocols sum
Index Process Name
0     connected
1     static
2     ospf 1
3     ospf 2
4     ospf 3

关于VRF中的进程数,早期的IOS版本,所有VRF只能启用32个进程,这样就限制了VRF的个数,但在新版本中,取消了这种限制,更新为每个VRF 32个进程,可以用“sh ip pro vrf XXX sum”来查看。详细内容可以查看这里

本文出自 Frank's Blog

版权声明:


本文链接:CCIE SP—MPLS VPN Basic 3
版权声明:本文为原创文章,仅代表个人观点,版权归 Frank Zhao 所有,转载时请注明本文出处及文章链接
你可以留言,或者trackback 从你的网站

No Responses to “CCIE SP—MPLS VPN Basic 3”

  1. 0x2142说道:

    顶你一个 很有帮助

留言哦

blonde teen swallows load.xxx videos