跨域 MPLS VPN 方案B 模拟配置实验


网络拓扑

图片.png

网络需求

  • PCA属于公司A的审计部门，计划接入银行B的征信系统（PC2），以便查询客户信息并进行审计。公司A与银行B位于不同的地理区域：公司A接入的ISP区域号（AS号）为100，银行B接入的ISP区域号（AS号）为200。工程师小张在实施MPLS VPN时遇到了跨域问题，请参考Option B的方式，帮助张工完成私网对接。

主要思路

  • Option-B 的主要思路是在AS之间传递MPLS标签：ASBR之间建立MP-BGP邻居，将原有的MPLS标签保留并传递，以解决跨域问题。ASBR不需要了解VPN实例，只需要传递VPN标签即可。由于ASBR上取消了VPN-Target过滤，它会接收并转发对端AS发来的全部VPNv4路由，因此在生产环境中应为ASBR之间的MP-BGP会话启用邻居认证，并用路由策略只放行双方约定的RT。

配置步骤

  1. 完成骨干网网络基本互通
  2. 配置PE设备 VRF RD RT
  3. 配置PE与CE之间的路由协议
  4. 配置IGP与BGP的路由引入
  5. 配置PE与ASBR间MP-BGP
  6. 配置ASBR间的MP-BGP

配置命令

PE1配置

# PE1: provider edge in AS 100; attaches CE1 through VPN instance siteA.
 sysname PE1

# Create the VPN instance and set its RD and RTs.
# Imports RTs 100:1 and 200:1, exports 100:1.
# NOTE(review): the import list alone decides which remote VPN routes enter siteA;
# keep it limited to the RTs agreed with the peer organisation.
ip vpn-instance siteA
 route-distinguisher 100:1
 vpn-target 100:1 200:1 import-extcommunity
 vpn-target 100:1 export-extcommunity

# Create the IS-IS process and set its network entity title.
isis 1
 network-entity 10.0001.0001.0001.00

# Routing protocol between PE and CE: RIP process 1 bound to VPN instance siteA.
# import-route bgp redistributes BGP routes into this RIP process.
# NOTE(review): no RIP authentication is configured on the PE-CE link; outside a lab,
# consider rip authentication-mode on GigabitEthernet0/2 (confirm syntax for your release).
rip 1 vpn-instance siteA
 undo summary
 version 2
 network 15.1.1.0 0.0.0.255
 import-route bgp

# Configure the MPLS LSR ID (same address as LoopBack0 below).
 mpls lsr-id 1.1.1.1

# Enable MPLS LDP globally.
mpls ldp

# Configure interface addresses and enable IS-IS on them.
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
 isis enable 1
# Backbone-facing interface (12.1.1.0/24): IS-IS, MPLS and LDP are all enabled here.
interface GigabitEthernet0/1
 port link-mode route
 combo enable copper
 ip address 12.1.1.1 255.255.255.0
 isis enable 1
 mpls enable
 mpls ldp enable

# Bind the CE-facing interface to the VPN instance.
# The binding precedes the ip address line in this listing.
interface GigabitEthernet0/2
 port link-mode route
 combo enable copper
 ip binding vpn-instance siteA
 ip address 15.1.1.1 255.255.255.0

# Configure BGP: iBGP session to 2.2.2.2 (same AS 100), sourced from LoopBack0.
# NOTE(review): no peer authentication is configured for this session.
bgp 100
 peer 2.2.2.2 as-number 100
 peer 2.2.2.2 connect-interface LoopBack0
 #
 address-family ipv4 unicast
  peer 2.2.2.2 enable
 # Enable the peer in the VPNv4 address family as well.
 address-family vpnv4
  peer 2.2.2.2 enable
 # Redistribute the private-network routes (learned via RIP process 1) into the VPN instance.
 ip vpn-instance siteA
  #
  address-family ipv4 unicast
   import-route rip 1

ASBR1配置

# ASBR1: AS 100 border router; no VPN instance is configured on it in this listing.
 sysname ASBR1
#
isis 1
 network-entity 10.0002.0002.0002.00

#
 mpls lsr-id 2.2.2.2
#
mpls ldp

#
interface LoopBack0
 ip address 2.2.2.2 255.255.255.255
 isis enable 1
# Inter-AS link (23.1.1.0/24): no IS-IS and no LDP on this interface.
# NOTE(review): this interface accepts labelled packets from another operator's router;
# treat it as a trust boundary when deciding what filtering to apply.
interface GigabitEthernet0/0
 port link-mode route
 combo enable copper
 ip address 23.1.1.1 255.255.255.0
 mpls enable  // on the border egress interface, enabling MPLS alone is sufficient
# Backbone-facing interface (12.1.1.0/24): IS-IS, MPLS and LDP enabled.
interface GigabitEthernet0/1
 port link-mode route
 combo enable copper
 ip address 12.1.1.2 255.255.255.0
 isis enable 1
 mpls enable
 mpls ldp enable

# BGP: iBGP to 1.1.1.1 (AS 100, sourced from LoopBack0) and eBGP to 23.1.1.2 (AS 200).
# NOTE(review): the eBGP session to 23.1.1.2 crosses the AS boundary and has no
# authentication or TTL protection configured. Outside a lab, consider
# "peer 23.1.1.2 password cipher <PLACEHOLDER>" and GTSM (confirm syntax for your release).
bgp 100
 peer 1.1.1.1 as-number 100
 peer 1.1.1.1 connect-interface LoopBack0
 peer 23.1.1.2 as-number 200
 # import-route isis 1 injects IS-IS routes into BGP IPv4 unicast, and 23.1.1.2 is
 # enabled in this family, so AS 100 backbone prefixes are offered to AS 200.
 # NOTE(review): Option B forwarding does not appear to depend on this exchange, since
 # the ASBRs rewrite the VPNv4 next hop - verify in the lab, then remove or filter it.
 address-family ipv4 unicast
  import-route isis 1
  peer 1.1.1.1 enable
  peer 1.1.1.1 next-hop-local
  peer 23.1.1.2 enable
 # VPNv4 family: relays VPN routes between the local PE and the remote ASBR.
 # NOTE(review): with VPN-target filtering disabled below, every VPNv4 route sent by
 # 23.1.1.2 is accepted and passed on to 1.1.1.1. Consider an import route-policy on
 # that peer which permits only the agreed RTs (100:1 and 200:1 on this page).
 address-family vpnv4
  undo policy vpn-target   // disable VPN-target filtering of received VPN routes or label blocks
  peer 1.1.1.1 enable
  peer 1.1.1.1 next-hop-local
  peer 23.1.1.2 enable    // the border devices establish a VPN (VPNv4) neighbor relationship

ASBR2配置

# ASBR2: AS 200 border router; no VPN instance is configured on it in this listing.
 sysname ASBR2
# AS 200 uses OSPF as its IGP (AS 100 uses IS-IS).
ospf 1 router-id 3.3.3.3
 area 0.0.0.0
#
 mpls lsr-id 3.3.3.3

#
mpls ldp

#
interface LoopBack0
 ip address 3.3.3.3 255.255.255.255
 ospf 1 area 0.0.0.0
# Inter-AS link (23.1.1.0/24): MPLS enabled, but no OSPF and no LDP on this interface.
# NOTE(review): this interface accepts labelled packets from another operator's router;
# treat it as a trust boundary when deciding what filtering to apply.
interface GigabitEthernet0/0
 port link-mode route
 combo enable copper
 ip address 23.1.1.2 255.255.255.0
 mpls enable
# Backbone-facing interface (34.1.1.0/24): OSPF, MPLS and LDP enabled.
interface GigabitEthernet0/1
 port link-mode route
 combo enable copper
 ip address 34.1.1.1 255.255.255.0
 ospf 1 area 0.0.0.0
 mpls enable
 mpls ldp enable
 
# BGP: iBGP to 4.4.4.4 (AS 200, sourced from LoopBack0) and eBGP to 23.1.1.1 (AS 100).
# NOTE(review): the eBGP session to 23.1.1.1 crosses the AS boundary and has no
# authentication or TTL protection configured. Outside a lab, consider
# "peer 23.1.1.1 password cipher <PLACEHOLDER>" and GTSM (confirm syntax for your release).
bgp 200
 peer 4.4.4.4 as-number 200
 peer 4.4.4.4 connect-interface LoopBack0
 peer 23.1.1.1 as-number 100
 # import-route ospf 1 injects OSPF routes into BGP IPv4 unicast, and 23.1.1.1 is
 # enabled in this family, so AS 200 backbone prefixes are offered to AS 100.
 # NOTE(review): Option B forwarding does not appear to depend on this exchange - verify,
 # then remove or filter it. Unlike ASBR1, there is no next-hop-local toward the iBGP
 # peer in this family; check whether that difference is intentional.
 address-family ipv4 unicast
  import-route ospf 1
  peer 4.4.4.4 enable
  peer 23.1.1.1 enable
 # VPNv4 family: relays VPN routes between the local PE and the remote ASBR.
 # NOTE(review): with VPN-target filtering disabled below, every VPNv4 route sent by
 # 23.1.1.1 is accepted and passed on to 4.4.4.4. Consider an import route-policy on
 # that peer which permits only the agreed RTs (100:1 and 200:1 on this page).
 address-family vpnv4
  undo policy vpn-target   // disable VPN-target filtering of received VPN routes or label blocks
  peer 4.4.4.4 enable
  peer 4.4.4.4 next-hop-local
  peer 23.1.1.1 enable    // the border devices establish a VPN (VPNv4) neighbor relationship

PE2配置

# PE2: provider edge in AS 200; attaches CE2 through VPN instance siteB.
 sysname PE2
# VPN instance siteB: imports RTs 100:1 and 200:1, exports 200:1.
# NOTE(review): the import list alone decides which remote VPN routes enter siteB;
# keep it limited to the RTs agreed with the peer organisation.
ip vpn-instance siteB
 route-distinguisher 200:1
 vpn-target 100:1 200:1 import-extcommunity
 vpn-target 200:1 export-extcommunity
#
ospf 1 router-id 4.4.4.4
 area 0.0.0.0
#
 mpls lsr-id 4.4.4.4

#
mpls ldp

#
interface LoopBack0
 ip address 4.4.4.4 255.255.255.255
 ospf 1 area 0.0.0.0

# Backbone-facing interface (34.1.1.0/24): OSPF, MPLS and LDP enabled.
interface GigabitEthernet0/1
 port link-mode route
 combo enable copper
 ip address 34.1.1.2 255.255.255.0
 ospf 1 area 0.0.0.0
 mpls enable
 mpls ldp enable
# CE-facing interface, bound to siteB; the binding precedes the ip address line.
interface GigabitEthernet0/2
 port link-mode route
 combo enable copper
 ip binding vpn-instance siteB
 ip address 46.1.1.1 255.255.255.0

# BGP: iBGP to 3.3.3.3 (AS 200, sourced from LoopBack0), plus a PE-CE eBGP session
# inside the VPN instance.
bgp 200        
 peer 3.3.3.3 as-number 200
 peer 3.3.3.3 connect-interface LoopBack0
 #
 address-family ipv4 unicast
  peer 3.3.3.3 enable
 #
 address-family vpnv4
  peer 3.3.3.3 enable
 # PE-CE routing for siteB uses eBGP to 46.1.1.2 in AS 65530.
 # NOTE(review): no authentication and no inbound prefix filter are configured for this
 # customer-facing peer; whatever it advertises is exported with RT 200:1. Outside a
 # lab, consider a peer password and an import filter limited to the expected prefixes.
 ip vpn-instance siteB
  peer 46.1.1.2 as-number 65530
  #
  address-family ipv4 unicast
   peer 46.1.1.2 enable

CE1配置 [RIP]

# CE1: customer edge running RIPv2 toward the PE on the 15.1.1.0/24 link.
# RIP covers both the PE-facing subnet and the local 192.168.1.0 network.
# NOTE(review): no RIP authentication is configured; outside a lab, consider
# rip authentication-mode on GigabitEthernet0/2 (confirm syntax for your release).
rip 1
 undo summary
 version 2
 network 15.1.1.0 0.0.0.255
 network 192.168.1.0
# Local-network interface (192.168.1.0/24); presumably the gateway for PCA - confirm against the topology.
interface GigabitEthernet0/1
 port link-mode route
 combo enable copper
 ip address 192.168.1.254 255.255.255.0
# PE-facing interface (15.1.1.0/24).
interface GigabitEthernet0/2
 port link-mode route
 combo enable copper
 ip address 15.1.1.2 255.255.255.0

CE2配置 [BGP]

# CE2: customer edge in AS 65530, running eBGP toward the PE on the 46.1.1.0/24 link.
# Local-network interface (192.168.2.0/24); presumably the gateway for PC2 - confirm against the topology.
interface GigabitEthernet0/1
 port link-mode route
 combo enable copper
 ip address 192.168.2.254 255.255.255.0
# PE-facing interface (46.1.1.0/24).
interface GigabitEthernet0/2
 port link-mode route
 combo enable copper
 ip address 46.1.1.2 255.255.255.0
# eBGP to the PE at 46.1.1.1 (AS 200); advertises 192.168.2.0/24.
# NOTE(review): the whole /24 becomes reachable from the remote site and no peer
# authentication is configured. If only one system needs to be reachable, consider
# narrowing what is advertised or adding packet filtering on this device.
bgp 65530
 peer 46.1.1.1 as-number 200
 #
 address-family ipv4 unicast
  network 192.168.2.0 255.255.255.0
  peer 46.1.1.1 enable

连通性验证

图片.png

图片.png

图片.png

图片.png