CCIE SP—Inter-Provider VPN Option 3 (unfinished)
[Yesterday a colleague asked me a few questions about Option 3. I had not looked at it for a long time and had forgotten some of it. When I checked the blog I found there were no notes on Option 3; later I found them in my drafts, heh. They are not fully organised yet, which is why they were never published, but I am releasing them for now and will fix them up later; otherwise digging them out of the drafts every time is a pain. I will improve these notes later.]
Since multi-hop between the ASBRs still cannot fully relieve the pressure on the ASBRs, with many inter-AS customers they would still be heavily affected. And because the RR already holds the VPNv4 routes, which is to say it already takes on all the MPLS packet forwarding, building the inter-AS session on the RR is clearly the most suitable choice. But if the two ASes belong to different carriers, leaking the RR addresses is unavoidable.
The specific steps are described below:
1. Advertise the PE and RR loopbacks
You could "network" them individually on the PEs and the RR, but to avoid running extra global (IPv4) BGP across the backbone it is enough to "network" these routes on the ASBR only, and then redistribute them into the IGP.
2. The break in the bottom (VPN) label
MPLS does not allocate labels for BGP routes, and since the relationship between the ASBRs is IPv4 BGP, by default these are BGP routes, so no labels are bound to the remote PE and RR loopbacks. Therefore the BGP routes have to be redistributed into the IGP so that they become IGP routes and can be labeled.
3. The bottom label versus the top label
Routes are passed through the RR, and the bottom label, i.e. the VPN label, is allocated there; the top label is allocated according to the route, and because on the ASBR the PE and RR loopback routes are still BGP routes, the BGP send-label feature is needed.
At this point be careful to distinguish exactly which device allocated each layer of label, because in some cases the top label and the bottom label are allocated along different paths. The direction of the traffic is determined by the swapping of the top label!
2013.10.01 update: IOX Option 3, POP tag issue
Under IOX the default behaviour differs from IOS. A few points:
1. There is no separate send-label command; a neighbor that should receive labels has to be configured under "labeled-unicast", for example:

```
router bgp 100
 bgp router-id 1.10.1.112
 address-family ipv4 unicast
  network 1.10.1.112/32
  allocate-label all
 !
 address-family vpnv4 unicast
 !
 neighbor 1.10.1.111
  remote-as 100
  update-source Loopback0
  address-family ipv4 labeled-unicast
   route-policy pass-all in
   route-policy pass-all out
  !
 !
 neighbor 192.169.101.166
  remote-as 200
  address-family ipv4 labeled-unicast
   route-policy pass-all in
   route-policy pass-all out
  !
 !
```

2. In Option 3 you must use "ebgp-multihop 255 mpls"; the trailing "mpls" is mandatory. Without it, the label that BGP allocated on the ASBR, once handed to the PE through LDP, is replaced on the PE by a default-generated POP label (this happens as soon as the PE has VPNv4 multihop enabled and has the route), the label chain breaks and communication fails. You will find that the PE receives the correct label but simply does not use it; instead it uses a strange POP, which has higher priority than the label learned from LDP. I have not yet found a good explanation of why it is designed this way.
Below, the 9k has no active ports at all; only vpnv4 is configured and a single null route is pointed.

```
RP/0/RSP1/CPU0:9K-1(config)#router bgp 65247
RP/0/RSP1/CPU0:9K-1(config-bgp)# neighbor 1.10.1.211
RP/0/RSP1/CPU0:9K-1(config-bgp-nbr)# remote-as 200
RP/0/RSP1/CPU0:9K-1(config-bgp-nbr)# ebgp-multihop 255
RP/0/RSP1/CPU0:9K-1(config-bgp-nbr)# update-source Loopback0
RP/0/RSP1/CPU0:9K-1(config-bgp-nbr)# address-family ipv4 unicast
RP/0/RSP1/CPU0:9K-1(config-bgp-nbr-af)# route-policy pass-all in
RP/0/RSP1/CPU0:9K-1(config-bgp-nbr-af)# route-policy pass-all out
RP/0/RSP1/CPU0:9K-1(config-bgp-nbr-af)# !
RP/0/RSP1/CPU0:9K-1(config-bgp-nbr-af)# address-family vpnv4 unicast
RP/0/RSP1/CPU0:9K-1(config-bgp-nbr-af)# route-policy pass-all in
RP/0/RSP1/CPU0:9K-1(config-bgp-nbr-af)# route-policy pass-all out
RP/0/RSP1/CPU0:9K-1(config-bgp-nbr-af)# !
RP/0/RSP1/CPU0:9K-1(config-bgp-nbr-af)# !
RP/0/RSP1/CPU0:9K-1(config-bgp-nbr-af)#
RP/0/RSP1/CPU0:9K-1(config-bgp-nbr-af)#exit
RP/0/RSP1/CPU0:9K-1(config-bgp-nbr)#exit
RP/0/RSP1/CPU0:9K-1(config-bgp)#exit
RP/0/RSP1/CPU0:9K-1(config)#route
route-policy  router  router-convergence
RP/0/RSP1/CPU0:9K-1(config)#route-policy pass-all
RP/0/RSP1/CPU0:9K-1(config-rpl)#pass
RP/0/RSP1/CPU0:9K-1(config-rpl)#end
RP/0/RSP1/CPU0:9K-1(config)#commit
Mon Sep 23 10:43:10.706 UTC
RP/0/RSP1/CPU0:9K-1(config)#end
RP/0/RSP1/CPU0:9K-1#
RP/0/RSP1/CPU0:9K-1#sh mpls for
Mon Sep 23 10:43:15.246 UTC
RP/0/RSP1/CPU0:9K-1#
RP/0/RSP1/CPU0:9K-1#config ter
Mon Sep 23 10:44:10.093 UTC
RP/0/RSP1/CPU0:9K-1(config)#router static
RP/0/RSP1/CPU0:9K-1(config-static)#address-family ipv4 unicast
RP/0/RSP1/CPU0:9K-1(config-static-afi)#1.10.1.211/32 null 0
RP/0/RSP1/CPU0:9K-1(config-static-afi)#commit
Mon Sep 23 10:44:27.486 UTC
RP/0/RSP1/CPU0:9K-1(config-static-afi)#end
RP/0/RSP1/CPU0:9K-1#sh mpls for
Mon Sep 23 10:44:33.495 UTC
Local  Outgoing    Prefix             Outgoing     Next Hop        Bytes
Label  Label       or ID              Interface                    Switched
------ ----------- ------------------ ------------ --------------- ------------
16001  Pop         1.10.1.211/32      1.10.1.211                   0
```
4. Once send-label is used, labels can be allocated to BGP routes, with the same effect as running MPLS. A route-map can be attached so that send-label applies only to matching routes; not every BGP route needs a label.
5. BGP route filtering. If the ASBRs do not forward VPN routes, simply leave "bgp default rou fi" (bgp default route-target filter) in place. VPN routes only need to be kept and re-labeled when the next hop changes, so when the next hop does not change the filter can stay enabled (it is on by default).
6. next-hop unchanged. Configure this command as needed; the VPN label is then set only on the PE and does not change when passing through the RR, because the next hop does not change, which gives ideal forwarding. This is also why the PE routes had to be advertised into the global routing table above!
7. Checking the bottom label allocation. Note: to inspect the bottom label allocation, use "show ip bgp vpn all nei x.x.x.x rou/ad" (routes / advertised-routes).
Example analysis
Topology:

```
        +------+                              +------+
        | RR1  |                             /| RR2  |
       //+------+\                          / +------+\
      //          \                        /           \
     //            \                      /             \
  +--/--+        +--\--+              +--/--+        +--\--+
  | PE1 |        |ASBR1+--------------+ASBR2|        | PE2 |
  +--X--+        +-----+              +-----+        +--X--+
    //                                                   \\
   /                                                       \\
+--/-+                                                    +-\--+
|CE1 |  11.11.11.11                          66.66.66.66  |CE2 |
+----+                                                    +----+
```
PE1 (R1) configuration and information:

```
R1#sh ip bgp vpn all l
   Network          Next Hop      In label/Out label
Route Distinguisher: 1:1 (a)
   11.11.11.0/24    0.0.0.0         103/nolabel     # 103 is the MP-BGP label allocated by R1 itself
   66.66.66.66/32   6.6.6.6         nolabel/605     # 605 is the label allocated by PE2; note the next hop is already PE2's loopback
Route Distinguisher: 1:2
   66.66.66.66/32   6.6.6.6         nolabel/605
R1#sh mpls for
Local  Outgoing    Prefix             Bytes Label   Outgoing   Next Hop
Label  Label or VC or Tunnel Id       Switched      interface
100    Pop Label   2.2.2.2/32         0             Se1/0      point2point
101    Pop Label   10.0.23.0/24       0             Se1/0      point2point
102    202         3.3.3.3/32         0             Se1/0      point2point
103    Aggregate   11.11.11.0/24[V]   0             a          # for an explanation of Aggregate see "CCIE SP—MPLS Basic 1"
104    201         5.5.5.5/32         0             Se1/0      point2point
105    203         6.6.6.6/32         0             Se1/0      point2point   # 105 is the locally allocated label (sh mpls ldp bin); 203 was distributed by the downstream router
R1#sh ip cef vrf a 66.66.66.66 de
66.66.66.66/32, epoch 0
  recursive via 6.6.6.6 label 605          # the recursive lookup shows the route was learned via 6.6.6.6, with VPN label 605
    nexthop 10.0.12.2 Serial1/0 label 203  # here you can see label 203 was distributed by the downstream 10.0.12.2
O E2  5.5.5.5 [110/1] via 10.0.12.2, 00:10:00, Serial1/0
      6.0.0.0/32 is subnetted, 1 subnets
O E2  6.6.6.6 [110/1] via 10.0.12.2, 00:09:30, Serial1/0
      10.0.0.0/24 is subnetted, 2 subnets
```
RR1 (R2) configuration and information:

```
R2#sh ip bgp vpn all la
   Network          Next Hop      In label/Out label
Route Distinguisher: 1:1
   11.11.11.0/24    1.1.1.1         nolabel/103
Route Distinguisher: 1:2
   66.66.66.66/32   6.6.6.6         nolabel/605
R2#sh mpls for
Local  Outgoing    Prefix             Bytes Label   Outgoing   Next Hop
Label  Label or VC or Tunnel Id       Switched      interface
200    Pop Label   1.1.1.1/32         0             Se1/0      point2point
201    304         5.5.5.5/32         0             Se1/1      point2point
202    Pop Label   3.3.3.3/32         0             Se1/1      point2point
203    305         6.6.6.6/32         0             Se1/1      point2point

router bgp 100
 bgp router-id 2.2.2.2
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 1.1.1.1 remote-as 100
 neighbor 1.1.1.1 update-source Loopback0
 neighbor 3.3.3.3 remote-as 100
 neighbor 3.3.3.3 update-source Loopback0
 neighbor 5.5.5.5 remote-as 200
 neighbor 5.5.5.5 ebgp-multihop 255
 neighbor 5.5.5.5 update-source Loopback0
 !
 address-family vpnv4
  neighbor 1.1.1.1 activate
  neighbor 1.1.1.1 route-reflector-client
  neighbor 1.1.1.1 send-community extended
  neighbor 3.3.3.3 activate
  neighbor 3.3.3.3 route-reflector-client
  neighbor 3.3.3.3 send-community extended
  neighbor 5.5.5.5 activate
  neighbor 5.5.5.5 next-hop-unchanged   # without this command the next hop of the routes changes to the RR, and since the session is eBGP, MP-BGP would reallocate the label
  neighbor 5.5.5.5 send-community extended
 exit-address-family

R2#sh mpls ldp bindings 6.6.6.6 32
  lib entry: 6.6.6.6/32, rev 19
        local binding:  label: 203
        remote binding: lsr: 3.3.3.3:0, label: 305
        remote binding: lsr: 1.1.1.1:0, label: 105   # here you can see the RR received 2 labels, but it only uses 305. Why?
```
ASBR1 (R3) configuration and information:

```
R3#sh ip bgp la
   Network          Next Hop      In label/Out label
   1.1.1.1/32       10.0.23.2       300(from LDP)/nolabel   <<<--- "from LDP" only appears in the SP feature set of IOS
   2.2.2.2/32       10.0.23.2       301(from LDP)/nolabel   # the In label is what I hand out to others; these labels can be seen on RR1 with "sh mpls ldp bin"
   5.5.5.5/32       10.0.34.4       306/403
   6.6.6.6/32       10.0.34.4       305/405
R3#sh mpls for
Local  Outgoing    Prefix             Bytes Label   Outgoing   Next Hop
Label  Label or VC or Tunnel Id       Switched      interface
300    200         1.1.1.1/32         0             Se1/1      point2point
301    Pop Label   2.2.2.2/32         2245          Se1/1      point2point
302    Pop Label   10.0.12.0/24       0             Se1/1      point2point
303    Pop Label   10.0.34.4/32       0             Se1/2      point2point
304    403         5.5.5.5/32         2016          Se1/2      point2point
305    405         6.6.6.6/32         0             Se1/2      point2point

router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 redistribute bgp 100 subnets route-map FR4   # only BGP routes that carry a label may be redistributed into the IGP
 network 3.3.3.3 0.0.0.0 area 0
 network 10.0.23.0 0.0.0.255 area 0
!
router bgp 100
 bgp router-id 3.3.3.3
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 2.2.2.2 remote-as 100
 neighbor 2.2.2.2 update-source Loopback0
 neighbor 10.0.34.4 remote-as 200
 !
 address-family ipv4
  neighbor 10.0.34.4 activate
  neighbor 10.0.34.4 route-map TR4 out
  neighbor 10.0.34.4 send-label
  no auto-summary
  no synchronization
  network 1.1.1.1 mask 255.255.255.255
  network 2.2.2.2 mask 255.255.255.255
 exit-address-family
!
ip prefix-list lable seq 10 permit 1.1.1.1/32
ip prefix-list lable seq 20 permit 2.2.2.2/32
!
route-map FR4 permit 10
 match mpls-label
!
route-map TR4 permit 10
 match ip address prefix-list lable
 set mpls-label
!
route-map TR4 permit 20
```
ASBR2 (R4) configuration and information:

```
R4#sh ip bgp la
   Network          Next Hop      In label/Out label
   1.1.1.1/32       10.0.34.3       402/300
   2.2.2.2/32       10.0.34.3       400/301
   5.5.5.5/32       10.0.45.5       403(from LDP)/nolabel
   6.6.6.6/32       10.0.45.5       405(from LDP)/nolabel
R4#sh mpls for
Local  Outgoing    Prefix             Bytes Label   Outgoing   Next Hop
Label  Label or VC or Tunnel Id       Switched      interface
400    301         2.2.2.2/32         565           Se1/2      point2point
401    Pop Label   10.0.34.3/32       0             Se1/2      point2point
402    300         1.1.1.1/32         0             Se1/2      point2point
403    Pop Label   5.5.5.5/32         6931          Se1/3      point2point
404    Pop Label   10.0.56.0/24       0             Se1/3      point2point
405    504         6.6.6.6/32         0             Se1/3      point2point

router ospf 1
 router-id 4.4.4.4
 log-adjacency-changes
 redistribute bgp 200 subnets route-map FR3
 network 4.4.4.4 0.0.0.0 area 0
 network 10.0.45.0 0.0.0.255 area 0
!
router bgp 200
 bgp router-id 4.4.4.4
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 5.5.5.5 remote-as 200
 neighbor 5.5.5.5 update-source Loopback0
 neighbor 10.0.34.3 remote-as 100
 !
 address-family ipv4
  neighbor 10.0.34.3 activate
  neighbor 10.0.34.3 route-map TR3 out
  neighbor 10.0.34.3 send-label
  no auto-summary
  no synchronization
  network 5.5.5.5 mask 255.255.255.255
  network 6.6.6.6 mask 255.255.255.255
 exit-address-family
!
access-list 1 permit 5.5.5.5
access-list 1 permit 6.6.6.6
!
route-map FR3 permit 10
 match mpls-label
!
route-map TR3 permit 10
 match ip address 1
 set mpls-label
!
route-map TR3 permit 20
```
RR2 (R5) configuration and information:

```
R5#sh mpls for
Local  Outgoing    Prefix             Bytes Label   Outgoing   Next Hop
Label  Label or VC or Tunnel Id       Switched      interface
500    Pop Label   4.4.4.4/32         0             Se1/3      point2point
501    402         1.1.1.1/32         0             Se1/3      point2point
502    400         2.2.2.2/32         0             Se1/3      point2point
504    Pop Label   6.6.6.6/32         0             Se1/0      point2point
R5#sh ip bgp vpn all la
   Network          Next Hop      In label/Out label
Route Distinguisher: 1:1
   11.11.11.0/24    1.1.1.1         nolabel/103
Route Distinguisher: 1:2
   66.66.66.66/32   6.6.6.6         nolabel/605
```
PE2 (R6) configuration and information:

```
R6#sh ip bgp vpn all la
   Network          Next Hop      In label/Out label
Route Distinguisher: 1:1
   11.11.11.0/24    1.1.1.1         nolabel/103
Route Distinguisher: 1:2 (b)
   11.11.11.0/24    1.1.1.1         nolabel/103
   66.66.66.66/32   0.0.0.0         605/nolabel
R6#sh mpls for
Local  Outgoing    Prefix             Bytes Label   Outgoing   Next Hop
Label  Label or VC or Tunnel Id       Switched      interface
600    500         4.4.4.4/32         0             Se1/0      point2point
601    Pop Label   5.5.5.5/32         0             Se1/0      point2point
602    Pop Label   10.0.45.0/24       0             Se1/0      point2point
603    501         1.1.1.1/32         0             Se1/0      point2point
604    502         2.2.2.2/32         0             Se1/0      point2point
605    Aggregate   66.66.66.66/32[V]  0             b
```
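As an added example (not part of the original post), the following Python replays the label stack from PE1 toward 66.66.66.66 through the LFIBs quoted above: the top label is swapped at every hop while the bottom VPN label 605 rides unchanged until PE2 pops it, and a second table models the label break from the update above as ASBR1 installing Pop in place of BGP label 405. The hop order R1-R2-R3-R4-R5-R6 is inferred from the outgoing-interface columns and is an assumption.

```python
# Added example (not from the original post): replay the Option C label stack for
# PE1 -> 66.66.66.66 through the LFIBs quoted above. Labels are taken from the page;
# the hop order R1-R2-R3-R4-R5-R6 is assumed from the outgoing interfaces.
from typing import Dict, List, Tuple

POP, AGG = "Pop", "Aggregate"

# Per router: incoming label -> (outgoing label or action, next router / VRF).
# Only the 6.6.6.6/32 transport path and PE2's VPN label 605 are modelled.
LFIB: Dict[str, Dict[int, Tuple[object, str]]] = {
    "R2": {203: (305, "R3")},      # RR1: LDP label learned from R3
    "R3": {305: (405, "R4")},      # ASBR1: label 405 learned from R4 via BGP send-label
    "R4": {405: (504, "R5")},      # ASBR2: LDP label learned from R5
    "R5": {504: (POP, "R6")},      # RR2: penultimate hop pops the transport label
    "R6": {605: (AGG, "vrf b")},   # PE2: 605 is Aggregate for 66.66.66.66/32[V]
}

def pe1_impose(vpn_label: int = 605, transport_label: int = 203) -> List[int]:
    """PE1 pushes the MP-BGP (bottom) label, then the CEF/LDP (top) label on top."""
    return [transport_label, vpn_label]       # index 0 is the top of the stack

def forward(stack: List[int], lfib=LFIB, start: str = "R2"):
    """Switch the packet hop by hop on the top label only.
    Returns (delivered, per-hop log, remaining stack)."""
    hops, node = [], start
    while stack:
        top = stack[0]
        entry = lfib.get(node, {}).get(top)
        if entry is None:                     # label unknown to this router
            hops.append(f"{node}: no LFIB entry for {top}, drop")
            return False, hops, stack
        action, nxt = entry
        if action == AGG:                     # egress PE: pop VPN label, IP lookup in VRF
            hops.append(f"{node}: pop {top}, IP lookup in {nxt}")
            return True, hops, stack[1:]
        if action == POP:
            hops.append(f"{node}: pop {top}, to {nxt}")
            stack = stack[1:]
        else:
            hops.append(f"{node}: swap {top}->{action}, to {nxt}")
            stack = [action] + stack[1:]
        node = nxt
    hops.append(f"{node}: unlabeled packet in the core, drop")
    return False, hops, stack

def broken_lfib() -> Dict[str, Dict[int, Tuple[object, str]]]:
    """Model the 'POP tag' failure: ASBR1 installs Pop instead of BGP label 405, so
    ASBR2 sees the bare VPN label 605 on top and has no entry for it."""
    return {**LFIB, "R3": {305: (POP, "R4")}}
```

Compare forward(pe1_impose()) with forward(pe1_impose(), broken_lfib()): the first trace ends with PE2 popping 605 and doing the VRF lookup, the second is dropped at ASBR2 with 605 still on the stack.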
Copyright notice: this is an original article and represents only the author's personal views; copyright belongs to Frank Zhao. When reposting, please credit the source and include the link to this article (CCIE SP—Inter-Provider VPN Option 3 (unfinished)).