Published on January 17, 2024 (author: updatesql使用方法)
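Configuration Specification for Layer 3 MPLS VPN within Guangdong Province
1. PE router customer data
Huawei devices:
(1) Create a VPN instance with a full-mesh topology
ip vpn-instance GDSHW_IPMAN_OptionBTestHS1 //Create a new VPN instance
description GDSHW_IPMAN_OptionBTestHS1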
ipv4-family
apply-label per-instance
route-distinguisher 56040:1130000 //Assign the RD according to the resource allocation specification
vpn-target 56040:113000000 export-extcommunity
vpn-target 56040:113000000 import-extcommunity
(2) Create a VPN instance with a Hub & Spoke topology
Hub (central site) configuration:
ip vpn-instance GDSHW_IPMAN_OptionBTestHS1 //Create a new VPN instance
description GDSHW_IPMAN_OptionBTestHS1
ipv4-family
apply-label per-instance
route-distinguisher 56040:1130000 //Assign the RD according to the resource allocation specification
vpn-target 56040:113000000 export-extcommunity
vpn-target 56040:113000001 import-extcommunity
Spoke (branch site) configuration:
ip vpn-instance GDSHW_IPMAN_OptionBTestHS1 //Create a new VPN instance
description GDSHW_IPMAN_OptionBTestHS1
ipv4-family
apply-label per-instance
route-distinguisher 56040:1130000 //Assign the RD according to the resource allocation specification
vpn-target 56040:113000001 export-extcommunity
vpn-target 56040:113000002 import-extcommunity
(3) Configure the customer-facing interface
interface GigabitEthernet3/0/4 //Port connected to the CE
description To_GDSHW_IPMAN_OptionBTestHS1
ip binding vpn-instance GDSHW_IPMAN_OptionBTestHS1
ip address 192.168.103.1 30
(4) Configure customer routes (static routes)
ip route-static vpn-instance GDSHW_IPMAN_OptionBTestHS1 192.168.1.0 24 10.1.0.2
ipv4-family vpn-instance GDSHW_IPMAN_OptionBTestHS1
import-route direct
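import-route static route-policy GDSHW_IPMAN_OptionBTestHS1_import
route-policy GDSHW_IPMAN_OptionBTestHS1_import permit node 10 //Tag customer routes on receipt when inter-AS reachability is required; not needed when the VPN does not cross AS boundaries
apply community 56040:199 //Tag all of the customer's routes with the inter-AS marker; if the customer has additional requirements, individual IP address ranges can be tagged instead.
(5) Configure customer routes (BGP and policy)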
bgp 65286
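ipv4-family vpn-instance GDSHW_IPMAN_OptionBTestHS1
import-route direct
import-route static route-policy GDSHW_IPMAN_OptionBTestHS1_import
peer 10.1.0.2 as-number 65001 //Use the interface address for a single link; use the loopback management address for multiple links
peer 10.1.0.2 route-policy GDSHW_IPMAN_OptionBTestHS1_import import
peer 10.1.0.2 route-policy GDSHW_IPMAN_OptionBTestHS1_export export //Configure the policy according to customer requirements
route-policy GDSHW_IPMAN_OptionBTestHS1_import permit node 10 //Tag customer routes on receipt when inter-AS reachability is required
apply community 56040:199 //Tag all of the customer's routes; if the customer has additional requirements, individual IP address ranges can be tagged instead.
Alcatel-Lucent devices:
(1) Create a VPN instance with a full-mesh topology and configure the interface:
vprn 20000300 customer 1 create
route-distinguisher 56040:1130000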
auto-bind ldp
vrf-target target:56040:113000000
interface "to-loop-lag10" create
address 192.168.101.1/30
sap 1/2/13:10.100 create
exit
exit
(2) Create a VPN instance with a Hub & Spoke topology and configure the interface:
Hub configuration:
community "GDGZ_IPMAN_OptionBTestHS1-export-1" members "target:56040:113000000" "target:56040:199"
community "GDGZ_IPMAN_OptionBTestHS1-import-1" members "target:56040:113000001" //Spoke 1
community "GDGZ_IPMAN_OptionBTestHS1-import-2" members "target:56040:113000002" //Spoke 2
--------------------------------------
policy-statement "GDGZ_IPMAN_OptionBTestHS1-export"
entry 10
to
protocol bgp-vpn
exit
action accept
community add "GDGZ_IPMAN_OptionBTestHS1-export-1"
exit
exit
exit
policy-statement "GDGZ_IPMAN_OptionBTestHS1-import"
entry 10
from
protocol bgp-vpn
community "GDGZ_IPMAN_OptionBTestHS1-import-1"
exit
action accept
exit
exit
entry 20
//All spoke sites
exit
default-action reject
exit
vprn 20000300 customer 1 create
route-distinguisher 56040:1130000
auto-bind ldp
vrf-import "GDGZ_IPMAN_OptionBTestHS1-import"
vrf-export "GDGZ_IPMAN_OptionBTestHS1-export"
interface "to-loop-lag10" create
address 192.168.101.1/30
sap 1/2/13:10.100 create
exit
exit
Spoke configuration:
community "GDGZ_IPMAN_OptionBTestHS1-export-1" members "target:56040:113000001" "56040:199" //Spoke 1
community "GDGZ_IPMAN_OptionBTestHS1-import-1" members "target:56040:113000000" //Hub
policy-statement "GDGZ_IPMAN_OptionBTestHS1-export"
entry 10
to
protocol bgp-vpn
exit
action accept
community add "GDGZ_IPMAN_OptionBTestHS1-export-1"
exit
exit
exit
policy-statement "GDGZ_IPMAN_OptionBTestHS1-import"
entry 10
from
protocol bgp-vpn
community "GDGZ_IPMAN_OptionBTestHS1-import-1"
exit
action accept
exit
exit
default-action reject
exit
VPN service definition
vprn 20000300 customer 1 create
route-distinguisher 56040:1130000
auto-bind ldp
vrf-import "GDGZ_IPMAN_OptionBTestHS1-import"
vrf-export "GDGZ_IPMAN_OptionBTestHS1-export"
interface "to-loop-lag10" create
address 192.168.101.1/30
sap 1/2/13:10.100 create
exit
exit
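The Hub & Spoke design above depends entirely on which route targets each site exports and imports. The following check is an added example, not part of the original specification: it uses the RT values from the hub and spoke community definitions (the 56040:199 inter-AS tag is left out), while the site labels and the leaky variant are constructed for illustration.

```python
# Added example (not from the original specification). RT values are the ones
# in the Hub & Spoke community definitions above; the site labels "hub",
# "spoke1", "spoke2" and the leaky variant are constructed for illustration.
import copy

HUB_RT = "target:56040:113000000"
SPOKE1_RT = "target:56040:113000001"
SPOKE2_RT = "target:56040:113000002"

SITES = {
    "hub":    {"export": {HUB_RT},    "import": {SPOKE1_RT, SPOKE2_RT}},
    "spoke1": {"export": {SPOKE1_RT}, "import": {HUB_RT}},
    "spoke2": {"export": {SPOKE2_RT}, "import": {HUB_RT}},
}

def learns_from(sites, receiver, sender):
    """A VRF installs a VPNv4 route only if the route carries an RT it imports."""
    return bool(sites[sender]["export"] & sites[receiver]["import"])

def route_exchange(sites):
    """All (receiver, sender) pairs for which routes are installed."""
    return {(r, s) for r in sites for s in sites
            if r != s and learns_from(sites, r, s)}

def audit(sites, hub="hub"):
    """Return (spoke-to-spoke leaks, spokes lacking two-way exchange with the hub)."""
    pairs = route_exchange(sites)
    leaks = sorted(p for p in pairs if hub not in p)
    broken = sorted(s for s in sites if s != hub
                    and not {(hub, s), (s, hub)} <= pairs)
    return leaks, broken

def leaky_variant():
    """Constructed misconfiguration: spoke2 also imports spoke1's RT."""
    sites = copy.deepcopy(SITES)
    sites["spoke2"]["import"].add(SPOKE1_RT)
    return sites

if __name__ == "__main__":
    print("as specified:", audit(SITES))
    print("leaky variant:", audit(leaky_variant()))
```

Running the same audit over the RT pairs collected from every PE before a change is committed shows whether a new import target would let one spoke learn another spoke's routes directly.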
(3) Configure customer routes (static route):
static-route 0.0.0.0/0 next-hop 1.1.1.1
(4) Configure customer routes (BGP):
configure service vprn 20000300
bgp
router-id 192.168.1.1
group "TO-VPN1"
export "TO-VPN1"
peer-as ***
neighbor 192.168.101.2
exit
exit
no shutdown
exit
2. PE router backbone data
Huawei devices:
(1) Internal interconnect interfaces: enable MPLS and LDP.
interface GigabitEthernet3/0/5 //All links inside the metro network must have mpls enabled
description GD-DOG-CMNET_CR1
mtu 4470
mpls
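mpls ldp
(2) Configure the VPNv4 neighbor relationship with the metro network RR
bgp 65292
group To_RR internal //Neighbor toward the RR; add the VPNv4 address family, following the metro network standard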
ipv4-family unicast
undo synchronization
peer To_RR enable
enable
group To_RR
advertise-community
#
ipv4-family vpnv4
undo policy vpn-target
peer To_RR enable
peer To_RR advertise-community
enable
group To_RR //Establish the VPNv4 neighbor relationship with metro network route reflector RR1
enable
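group To_RR //Establish the VPNv4 neighbor relationship with metro network route reflector RR2
Alcatel-Lucent devices:
(1) Internal interconnect interfaces: enable MPLS and LDP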
configure router mpls
interface "system"
exit
interface "ge-10/2/1"
exit
interface "pos-1/1/1"
exit
interface "pos-10/1/1"
exit
no shutdown
peer-parameters
peer 120.196.27.1
authentication-key "2HF7KswjUwX1dYGVVq4DZqKjAXXjYzA" hash2
exit
peer 120.196.27.2
authentication-key "1IWqKYQuT2yHP0zi7XBMDASmt7GIIX3o" hash2
exit
peer 120.196.27.19
exit
exit
interface-parameters
keepalive 45 15
interface "ge-10/2/1"
exit
interface "pos-1/1/1"
exit
interface "pos-10/1/1"
exit
exit
targeted-session
keepalive 45 3
exit
no shutdown
(2) Configure the VPNv4 neighbor relationship with the metro network RR
group "ibgp-man-cr"
family ipv4 vpn-ipv4
authentication-key "IvXv69uKOi3RkL7jq9B/" hash2
next-hop-self
type internal
preference 200
export "Export_Direct_Route" "Export_Static_Route" "Export_Submgmt_Route" "Export_BGP_Route" "Export_OSPF_15_Route"
peer-as 65270
local-address 120.196.27.31
neighbor 120.196.27.1
description "GDGZ-MC-IPMAN-QHD-RT01-CRS"
exit
neighbor 120.196.27.2
description "GDGZ-MC-IPMAN-XDS-RT01-CRS"
exit
exit
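3. ASBR router inter-AS data
Huawei devices:
(1) Interface configuration and MPLS configuration
interface GigabitEthernet x/x/x.101 //Dedicated VPN port interconnecting CMNET and the IP metro network; always use subinterface 101 and VLAN ID 101
mtu 4470
mpls //mpls must be enabled; mpls ldp is not required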
#
(2) Configure the BGP neighbor relationship between ASBRs
bgp 56292
as-number 56040 //Establish an EBGP neighbor with the peer ASBR1
password cipher gmcc@10086
description To_XX
#
ipv4-family unicast
undo enable // CMNET_ASBR and IPMAN_ASBR do not establish an IPv4 neighbor relationship
#
ipv4-family vpnv4
undo policy vpn-target
enable
advertise-community
route-policy MPLS-VPN-OptionB-export export
peer route-policy MPLS-VPN-OptionB-import import
#
(3) Configure the policy: send and receive only routes tagged with 56040:199
ip community-filter 1 permit 56040:199
route-policy MPLS-VPN-OptionB-export permit node 0
if-match community-filter 1
route-policy MPLS-VPN-OptionB-import permit node 0
if-match community-filter 1
Alcatel-Lucent devices:
(1) Interface configuration
port 10/1/1 //POS interface
sonet-sdh
framing sdh
hold-time up 1 down 1
path
mtu 4472
load-balancing-algorithm include-l4
scramble
report-alarm pais prdi prei
network
queue-policy "gmcc-ipman-queue"
exit
no shutdown
exit
exit
port 1/1/2 //GE interface
ethernet
mtu 4470
load-balancing-algorithm include-l4
network
queue-policy "gmcc-ipman-queue"
exit
hold-time up 1 down 1
no autonegotiate
exit
no shutdown
(2) Configure the BGP neighbor relationship between ASBRs
config>router>bgp#
enable-inter-as-vpn
group "ebgp"
family vpn-ipv4
authentication-key gmcc@10086
type external
vpn-apply-export
vpn-apply-import
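export "MPLS-VPN-OptionB-export"
import "MPLS-VPN-OptionB-import"
peer-as 56040 //CMNET AS number
local-address 10.24.72.29/30 //Use the interconnect interface to establish the bgp neighbor
neighbor 10.24.72.30
med-out 100 //Configure MED 50 on the primary and 100 on the backup
local-address 120.196.39.17 //Use the system address to establish the bgp neighbor when there are multiple links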
neighbor 120.196.39.1
next-hop-self
exit
exit
(3) Configure the policy: send and receive only routes tagged with 56040:199
configure router policy-options
community "MPLS-VPN-OptionB" members "56040:199"
begin
policy-statement "MPLS-VPN-OptionB-export"
from
family vpn-ipv4
community "MPLS-VPN-OptionB"
to
protocol bgp-vpn
exit
action accept
policy-statement "MPLS-VPN-OptionB-import"
entry 1
from
protocol bgp-vpn
community "MPLS-VPN-OptionB"
exit
action accept
exit
exit
default-action reject
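Juniper devices:
(1) Interface configuration and MPLS configuration
interface ge-1/0/0.1 {
family mpls;
}
protocols {
mpls {
interface ge-1/0/0.1; ## Enable MPLS label switching on the interconnect link
}
}
(2) Configure the BGP neighbor relationship between ASBRs: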
protocols {
bgp {
group GD_CMNET_CMCC_MPLS-OptionBtest {
type external;
local-address 211.136.199.129;
import MPLS-VPN-OptionB-import;
family inet-vpn {
unicast;
}
export MPLS-VPN-OptionB-export;
peer-as 65270;
neighbor 211.136.199.130 {
authentication-key gmcc@10086;
}
}
}
}
(3) Configure the policy: send and receive only routes tagged with 56040:199
policy-options {
policy-statement MPLS-VPN-OptionB-import {
term 10 {
from community MPLS-VPN-OptionB;
then accept;
}
term last {
then reject;
}
}
policy-statement MPLS-VPN-OptionB-export {
term 10 {
from community MPLS-VPN-OptionB;
then accept;
}
term last {
then reject;
}
}
community MPLS-VPN-OptionB members 56040:199;
}
4. VPN route reflector (RR), with the CR also serving as RR
Huawei devices:
bgp 65286
as-number 65286 //Establish IBGP neighbors with the PEs
password cipher xxxx
description To_XX
connect-interface loopback0
ipv4-family vpnv4
undo policy vpn-target
enable
reflect-client //The PEs are reflect-clients of the RR.
advertise-community
Cisco devices:
router bgp 65270
neighbor-group ibgp-man-rrclient
remote-as 65270
password encrypted 00031E05077B5A565F791A
update-source Loopback0
address-family vpnv4 unicast
route-policy default_policy_pass_all in
route-reflector-client
route-policy default_policy_pass_all out
!
!