
Posted on January 17, 2024 (author: updatesql使用方法)

Configuration Specification for Layer-3 MPLS VPN within Guangdong Province

1. PE router customer data

Huawei devices:

(1) Create a VPN instance with a full-mesh topology

ip vpn-instance GDSHW_IPMAN_OptionBTestHS1 //create a new VPN instance

description GDSHW_IPMAN_OptionBTestHS1

ipv4-family

apply-label per-instance

route-distinguisher 56040:1130000 //allocate the RD according to the resource allocation specification

vpn-target 56040:113000000 export-extcommunity

vpn-target 56040:113000000 import-extcommunity

(2) Create a VPN instance with a hub-and-spoke topology

Hub site configuration:

ip vpn-instance GDSHW_IPMAN_OptionBTestHS1 //create a new VPN instance

description GDSHW_IPMAN_OptionBTestHS1

ipv4-family

apply-label per-instance

route-distinguisher 56040:1130000 //allocate the RD according to the resource allocation specification

vpn-target 56040:113000000 export-extcommunity

vpn-target 56040:113000001 import-extcommunity

Spoke site configuration:

ip vpn-instance GDSHW_IPMAN_OptionBTestHS1 //create a new VPN instance

description GDSHW_IPMAN_OptionBTestHS1

ipv4-family

apply-label per-instance

route-distinguisher 56040:1130000 //allocate the RD according to the resource allocation specification

vpn-target 56040:113000001 export-extcommunity

vpn-target 56040:113000000 import-extcommunity //import the RT exported by the hub site

(3) Configure the customer-facing interface

interface GigabitEthernet3/0/4 //port connected to the CE

description To_GDSHW_IPMAN_OptionBTestHS1

ip binding vpn-instance GDSHW_IPMAN_OptionBTestHS1

ip address 192.168.103.1 30

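(4) Configure customer routes (static routes)

ip route-static vpn-instance GDSHW_IPMAN_OptionBTestHS1 192.168.1.0 24 10.1.0.2

ipv4-family vpn-instance GDSHW_IPMAN_OptionBTestHS1

import-route direct

import-route static route-policy GDSHW_IPMAN_OptionBTestHS1_import

route-policy GDSHW_IPMAN_OptionBTestHS1_import permit node 10 //tag customer routes on receipt when the VPN must cross domains (inter-AS); not needed otherwise

apply community 56040:199 //tag all of the customer's routes with the inter-AS marker; if the customer has additional requirements, individual IP prefixes can be tagged instead as requested

(5) Configure customer routes (BGP and policy)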

bgp 65286

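ipv4-family vpn-instance GDSHW_IPMAN_OptionBTestHS1

import-route direct

import-route static route-policy GDSHW_IPMAN_OptionBTestHS1_import

peer 10.1.0.2 as-number 65001 //use the interface address for a single link and the loopback management address for multiple links

peer 10.1.0.2 route-policy GDSHW_IPMAN_OptionBTestHS1_import import

peer 10.1.0.2 route-policy GDSHW_IPMAN_OptionBTestHS1_export export //configure the policy according to customer requirements

route-policy GDSHW_IPMAN_OptionBTestHS1_import permit node 10 //tag customer routes on receipt when the VPN must cross domains (inter-AS)

apply community 56040:199 //tag all of the customer's routes; if the customer has additional requirements, individual IP prefixes can be tagged instead as requested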

Alcatel-Lucent devices:

(1) Create a full-mesh VPN instance and configure the interface:

vprn 20000300 customer 1 create

route-distinguisher 56040:1130000

auto-bind ldp

vrf-target target:56040:113000000

interface "to-loop-lag10" create

address 192.168.101.1/30

sap 1/2/13:10.100 create

exit

exit

(2) Create a hub-and-spoke VPN instance and configure the interface:

Hub site configuration:

community "GDGZ_IPMAN_OptionBTestHS1-export-1" members "target:56040:113000000" "target:56040:199"

community "GDGZ_IPMAN_OptionBTestHS1-import-1" members "target:56040:113000001" //spoke 1

community "GDGZ_IPMAN_OptionBTestHS1-import-2" members "target:56040:113000002" //spoke 2

--------------------------------------

policy-statement "GDGZ_IPMAN_OptionBTestHS1-export"

entry 10

to

protocol bgp-vpn

exit

action accept

community add "GDGZ_IPMAN_OptionBTestHS1-export-1"

exit

exit

exit

policy-statement "GDGZ_IPMAN_OptionBTestHS1-import"

entry 10

from

protocol bgp-vpn

community "GDGZ_IPMAN_OptionBTestHS1-import-1"

exit

action accept

exit

exit

entry 20

//all spoke sites

exit

default-action reject

exit

vprn 20000300 customer 1 create

route-distinguisher 56040:1130000

auto-bind ldp

vrf-import "GDGZ_IPMAN_OptionBTestHS1-import"

vrf-export "GDGZ_IPMAN_OptionBTestHS1-export"

interface "to-loop-lag10" create

address 192.168.101.1/30

sap 1/2/13:10.100 create

exit

exit

Spoke site configuration:

community "GDGZ_IPMAN_OptionBTestHS1-export-1" members "target:56040:113000001" "56040:199" //spoke 1

community "GDGZ_IPMAN_OptionBTestHS1-import-1" members "target:56040:113000000" //hub

policy-statement "GDGZ_IPMAN_OptionBTestHS1-export"

entry 10

to

protocol bgp-vpn

exit

action accept

community add "GDGZ_IPMAN_OptionBTestHS1-export-1"

exit

exit

exit

policy-statement "GDGZ_IPMAN_OptionBTestHS1-import"

entry 10

from

protocol bgp-vpn

community "GDGZ_IPMAN_OptionBTestHS1-import-1"

exit

action accept

exit

exit

default-action reject

exit

VPN service definition

vprn 20000300 customer 1 create

route-distinguisher 56040:1130000

auto-bind ldp

vrf-import "GDGZ_IPMAN_OptionBTestHS1-import"

vrf-export "GDGZ_IPMAN_OptionBTestHS1-export"

interface "to-loop-lag10" create

address 192.168.101.1/30

sap 1/2/13:10.100 create

exit

exit
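The hub-and-spoke route-target plan above can be checked mechanically before it is deployed. The following Python code is an added example, not part of the original specification: it models each site's import and export RT sets and reports spoke-to-spoke leaks and sites that learn nothing across the hub. The site table is constructed from the RT numbering used in this section; the site names and function names are assumptions.

```python
from itertools import permutations

# Constructed site table using the RT numbering scheme shown in this section.
SITES = {
    "hub":    {"role": "hub",   "export": {"56040:113000000"},
               "import": {"56040:113000001", "56040:113000002"}},
    "spoke1": {"role": "spoke", "export": {"56040:113000001"},
               "import": {"56040:113000000"}},
    "spoke2": {"role": "spoke", "export": {"56040:113000002"},
               "import": {"56040:113000000"}},
}

def learns_from(sites, receiver, sender):
    """A VRF installs a VPNv4 route when any RT on it is in its import set."""
    return bool(sites[sender]["export"] & sites[receiver]["import"])

def audit(sites):
    """Return a sorted list of findings; empty means a clean hub-and-spoke."""
    findings = []
    for rx, tx in permutations(sites, 2):
        learned = learns_from(sites, rx, tx)
        roles = (sites[rx]["role"], sites[tx]["role"])
        if roles == ("spoke", "spoke") and learned:
            findings.append(f"LEAK: {rx} imports routes of {tx} directly")
        elif "hub" in roles and not learned:
            findings.append(f"BLACKHOLE: {rx} learns nothing from {tx}")
    return sorted(findings)

def with_import(sites, name, rts):
    """Copy of the table with one site's import RT set replaced."""
    changed = {k: dict(v) for k, v in sites.items()}
    changed[name]["import"] = set(rts)
    return changed

if __name__ == "__main__":
    print(audit(SITES))
    # Hypothetical mistake: spoke1 imports spoke2's export RT, not the hub's.
    print(audit(with_import(SITES, "spoke1", {"56040:113000002"})))
```

A single wrong import RT on a spoke shows up as two findings at once: the spoke bypasses the hub towards another spoke and loses the hub's own routes.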

(3) Configure customer routes (static routes):

static-route 0.0.0.0/0 next-hop 1.1.1.1

(4) Configure customer routes (BGP routes):

configure service vprn 20000300

bgp

router-id 192.168.1.1

group "TO-VPN1"

export "TO-VPN1"

peer-as ***

neighbor 192.168.101.2

exit

exit

no shutdown

exit

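2. PE router backbone data

Huawei devices:

(1) Internal interconnect interfaces: enable MPLS and LDP.

interface GigabitEthernet3/0/5 //every link inside the metro network must have MPLS enabled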

description GD-DOG-CMNET_CR1

mtu 4470

mpls

mpls ldp

(2) Configure the VPNv4 peering with the metro-network RRs

bgp 65292

group To_RR internal //peering with the RRs; add the VPNv4 address family, following the metro-network standard

ipv4-family unicast

undo synchronization

peer To_RR enable

enable

group To_RR

advertise-community

#

ipv4-family vpnv4

undo policy vpn-target

peer To_RR enable

peer To_RR advertise-community

enable

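group To_RR //establish the VPNv4 peering with metro-network route reflector RR1

enable

group To_RR //establish the VPNv4 peering with metro-network route reflector RR2

Alcatel-Lucent devices:

(1) Internal interconnect interfaces: enable MPLS and LDP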

configure router mpls

interface "system"

exit

interface "ge-10/2/1"

exit

interface "pos-1/1/1"

exit

interface "pos-10/1/1"

exit

no shutdown

peer-parameters

peer 120.196.27.1

authentication-key "2HF7KswjUwX1dYGVVq4DZqKjAXXjYzA" hash2

exit

peer 120.196.27.2

authentication-key "1IWqKYQuT2yHP0zi7XBMDASmt7GIIX3o" hash2

exit

peer 120.196.27.19

exit

exit

interface-parameters

keepalive 45 15

interface "ge-10/2/1"

exit

interface "pos-1/1/1"

exit

interface "pos-10/1/1"

exit

exit

targeted-session

keepalive 45 3

exit

no shutdown

(2) Configure the VPNv4 peering with the metro-network RRs

group "ibgp-man-cr"

family ipv4 vpn-ipv4

authentication-key "IvXv69uKOi3RkL7jq9B/" hash2

next-hop-self

type internal

preference 200

export "Export_Direct_Route" "Export_Static_Route" "Export_Submgmt_Route" "Export_BGP_Route" "Export_OSPF_15_Route"

peer-as 65270

local-address 120.196.27.31

neighbor 120.196.27.1

description "GDGZ-MC-IPMAN-QHD-RT01-CRS"

exit

neighbor 120.196.27.2

description "GDGZ-MC-IPMAN-XDS-RT01-CRS"

exit

exit

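3. ASBR router inter-AS data

Huawei devices:

(1) Interface and MPLS configuration

interface GigabitEthernet x/x/x.101 //dedicated VPN port interconnecting CMNET and the IP metro network; sub-interface 101 and VLAN ID 101 are used uniformly

mtu 4470

mpls //MPLS must be enabled; mpls ldp is not needed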

#

(2) Configure the BGP peering between ASBRs

bgp 56292

as-number 56040 //establish an EBGP peering with the remote ASBR1

password cipher gmcc@10086

description To_XX

#

ipv4-family unicast

undo enable //CMNET_ASBR and IPMAN_ASBR do not establish an IPv4 peering

#

ipv4-family vpnv4

undo policy vpn-target

enable

advertise-community

route-policy MPLS-VPN-OptionB-export export

peer route-policy MPLS-VPN-OptionB-import import

#

(3) Configure policy: send and receive only routes tagged 56040:199

ip community-filter 1 permit 56040:199

route-policy MPLS-VPN-OptionB-export permit node 0

if-match community-filter 1

route-policy MPLS-VPN-OptionB-import permit node 0

if-match community-filter 1

Alcatel-Lucent devices:

(1) Interface configuration

port 10/1/1 //POS interface

sonet-sdh

framing sdh

hold-time up 1 down 1

path

mtu 4472

load-balancing-algorithm include-l4

scramble

report-alarm pais prdi prei

network

queue-policy "gmcc-ipman-queue"

exit

no shutdown

exit

exit

port 1/1/2 //GE interface

ethernet

mtu 4470

load-balancing-algorithm include-l4

network

queue-policy "gmcc-ipman-queue"

exit

hold-time up 1 down 1

no autonegotiate

exit

no shutdown

(2) Configure the BGP peering between ASBRs

config>router>bgp#

enable-inter-as-vpn

group "ebgp"

family vpn-ipv4

authentication-key gmcc@10086

type external

vpn-apply-export

vpn-apply-import

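export "MPLS-VPN-OptionB-export"

import "MPLS-VPN-OptionB-import"

peer-as 56040 //CMNET AS number

local-address 10.24.72.29/30 //use the interconnect interface address to establish the BGP peering

neighbor 10.24.72.30

med-out 100 //configure MED 50 on the primary and 100 on the backup

local-address 120.196.39.17 //with multiple links, use the system address to establish the BGP peering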

neighbor 120.196.39.1

next-hop-self

exit

exit

(3) Configure policy: send and receive only routes tagged 56040:199

configure router policy-options

community "MPLS-VPN-OptionB" members "56040:199"

begin

policy-statement "MPLS-VPN-OptionB-export"

from

family vpn-ipv4

community "MPLS-VPN-OptionB"

to

protocol bgp-vpn

exit

action accept

policy-statement "MPLS-VPN-OptionB-import"

entry 1

from

protocol bgp-vpn

community "MPLS-VPN-OptionB"

exit

action accept

exit

exit

default-action reject

Juniper devices:

(1) Interface and MPLS configuration

interface ge-1/0/0.1 {

family mpls;

}

protocols {

mpls {

interface ge-1/0/0.1; ## enable MPLS label switching on the interconnect link

}

}

(2) Configure the BGP peering between ASBRs:

protocols {

bgp {

group GD_CMNET_CMCC_MPLS-OptionBtest {

type external;

local-address 211.136.199.129;

import MPLS-VPN-OptionB-import;

family inet-vpn {

unicast;

}

export MPLS-VPN-OptionB-export;

peer-as 65270;

neighbor 211.136.199.130 {

authentication-key gmcc@10086;

}

}

}

}

(3) Configure policy: send and receive only routes tagged 56040:199

policy-options {

policy-statement MPLS-VPN-OptionB-import {

term 10 {

from community MPLS-VPN-OptionB;

then accept;

}

term last {

then reject;

}

}

policy-statement MPLS-VPN-OptionB-export {

term 10 {

from community MPLS-VPN-OptionB;

then accept;

}

term last {

then reject;

}

}

community MPLS-VPN-OptionB members 56040:199;

}
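The ASBR policies above all enforce the same rule: only routes carrying community 56040:199 cross the inter-AS boundary. The following Python code is an added example, not part of the original specification: it parses route-policy text in the Huawei syntax shown above and evaluates sample routes against it, including the case where an extra permit node without an if-match clause lets every VPN route through. The LEAKY variant, the sample routes and the function names are assumptions, and each community-filter line is assumed to carry a single community.

```python
import re

# Constructed config text in the Huawei syntax used above.
STRICT = """
ip community-filter 1 permit 56040:199
route-policy MPLS-VPN-OptionB-export permit node 0
 if-match community-filter 1
"""
# Hypothetical mistake: an extra permit node with no if-match clause.
LEAKY = STRICT + "route-policy MPLS-VPN-OptionB-export permit node 10\n"
# Constructed sample routes: prefix -> communities attached on the PE.
ROUTES = {"192.168.1.0/24": ["56040:199"],
          "192.168.103.0/30": [],
          "10.9.0.0/16": ["56040:100"]}

def parse(text):
    """Return (filters, nodes): filter id -> permitted communities, and
    policy name -> list of [node, action, [filter ids]] sorted by node."""
    filters, nodes, current = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"ip community-filter (\d+) permit (\S+)$", line):
            filters.setdefault(m[1], set()).add(m[2])
        elif m := re.match(r"route-policy (\S+) (permit|deny) node (\d+)$", line):
            current = [int(m[3]), m[2], []]
            nodes.setdefault(m[1], []).append(current)
        elif (m := re.match(r"if-match community-filter (\d+)$", line)) and current:
            current[2].append(m[1])
    for node_list in nodes.values():
        node_list.sort()
    return filters, nodes

def permits(text, policy, communities):
    """First matching node decides; no matching node means deny.
    In this model an undefined policy also denies."""
    filters, nodes = parse(text)
    for _, action, wanted in nodes.get(policy, []):
        # all() over an empty list is True: a node without if-match matches all
        if all(filters.get(f, set()) & set(communities) for f in wanted):
            return action == "permit"
    return False

def crossing(text, policy, routes):
    """Prefixes from `routes` that the policy lets across the ASBR."""
    return sorted(p for p, c in routes.items() if permits(text, policy, c))

if __name__ == "__main__":
    for name, cfg in (("STRICT", STRICT), ("LEAKY", LEAKY)):
        print(name, crossing(cfg, "MPLS-VPN-OptionB-export", ROUTES))
```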

4. VPN route reflector (RR; the role is also performed by the CR)

Huawei devices:

bgp 65286

as-number 65286 //establish an IBGP peering with the PEs

password cipher xxxx

description To_XX

connect-interface loopback0

ipv4-family vpnv4

undo policy vpn-target

enable

reflect-client //the PE acts as a reflect-client of the RR

advertise-community

Cisco devices:

router bgp 65270

neighbor-group ibgp-man-rrclient

remote-as 65270

password encrypted 00031E05077B5A565F791A

update-source Loopback0

address-family vpnv4 unicast

route-policy default_policy_pass_all in

route-reflector-client

route-policy default_policy_pass_all out

!

!

