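Source material: Huawei router configuration guide
I organize my lab notes as I study and share them with everyone; anything that infringes will be removed on request. Thanks for your support!
Index post: Mastering the Huawei eNSP Simulator series | Collection, COCOgsta's blog on CSDN
Objective
Configure L3VPN so that users in the same VPN can reach each other securely.
Networking requirements
Configure L3VPN recursion to SR-BE tunnels so that users in the same VPN can reach each other securely. Because multiple links exist between the PEs on the public network, data traffic must also be load-balanced across the public network.
Configuration roadmap
- Enable MPLS on the backbone network, configure Segment Routing, and establish SR LSPs. Enable TI-LFA FRR.
- On the PEs, configure VPN instances with the IPv4 address family enabled, and bind the CE-facing interfaces to the corresponding VPN instances.
Procedure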
- Configure IP addresses for the interfaces
Configure PE1:
interface LoopBack1
 ip address 1.1.1.9 255.255.255.255
interface Ethernet1/0/2
 ip address 172.3.1.1 255.255.255.0
interface Ethernet1/0/1
 ip address 172.1.1.1 255.255.255.0
Configure P1:
interface LoopBack1
 ip address 2.2.2.9 255.255.255.255
interface Ethernet1/0/0
 ip address 172.1.1.2 255.255.255.0
interface Ethernet1/0/1
 ip address 172.2.1.1 255.255.255.0
Configure PE2:
interface LoopBack1
 ip address 3.3.3.9 255.255.255.255
interface Ethernet1/0/0
 ip address 172.2.1.2 255.255.255.0
interface Ethernet1/0/1
 ip address 172.4.1.2 255.255.255.0
Configure P2:
interface LoopBack1
 ip address 4.4.4.9 255.255.255.255
interface Ethernet1/0/1
 ip address 172.3.1.2 255.255.255.0
interface Ethernet1/0/0
 ip address 172.4.1.1 255.255.255.0
- Configure an IGP on the backbone network so that the backbone PEs and Ps can reach each other. IS-IS is used in this example.
Configure PE1:
isis 1
 is-level level-1
 network-entity 10.0000.0000.0001.00
interface LoopBack1
 isis enable 1
interface Ethernet1/0/1
 isis enable 1
interface Ethernet1/0/2
 isis enable 1
Configure P1:
isis 1
 is-level level-1
 network-entity 10.0000.0000.0002.00
interface LoopBack1
 isis enable 1
interface Ethernet1/0/1
 isis enable 1
interface Ethernet1/0/0
 isis enable 1
Configure PE2:
isis 1
 is-level level-1
 network-entity 10.0000.0000.0003.00
interface LoopBack1
 isis enable 1
interface Ethernet1/0/0
 isis enable 1
interface Ethernet1/0/1
 isis enable 1
Configure P2:
isis 1
 is-level level-1
 network-entity 10.0000.0000.0004.00
interface LoopBack1
 isis enable 1
interface Ethernet1/0/1
 isis enable 1
interface Ethernet1/0/0
 isis enable 1
- Configure basic MPLS capabilities on the backbone network
Configure PE1:
mpls lsr-id 1.1.1.9
mpls
Configure P1:
mpls lsr-id 2.2.2.9
mpls
Configure PE2:
mpls lsr-id 3.3.3.9
mpls
Configure P2:
mpls lsr-id 4.4.4.9
mpls
- Configure Segment Routing on the backbone network and enable TI-LFA FRR
Configure PE1:
segment-routing
isis 1
 cost-style wide
 segment-routing mpls
 segment-routing global-block 160000 161000
 frr
  loop-free-alternate level-1
  ti-lfa level-1
interface LoopBack1
 isis prefix-sid index 10
Configure P1:
segment-routing
isis 1
 cost-style wide
 segment-routing mpls
 segment-routing global-block 160000 161000
 frr
  loop-free-alternate level-1
  ti-lfa level-1
interface LoopBack1
 isis prefix-sid index 20
Configure PE2:
segment-routing
isis 1
 cost-style wide
 segment-routing mpls
 segment-routing global-block 160000 161000
 frr
  loop-free-alternate level-1
  ti-lfa level-1
interface LoopBack1
 isis prefix-sid index 30
Configure P2:
segment-routing
isis 1
 cost-style wide
 segment-routing mpls
 segment-routing global-block 160000 161000
 frr
  loop-free-alternate level-1
  ti-lfa level-1
interface LoopBack1
 isis prefix-sid index 40
- After the configuration is complete, run the display tunnel-info all command on a PE to confirm that the SR LSPs have been established. The output on PE1 is used as an example.
[~PE1-LoopBack1]dis tunnel-info all
Tunnel ID             Type      Destination  Status
----------------------------------------------------------------------------------------
0x000000002900000042  srbe-lsp  2.2.2.9      UP
0x000000002900000043  srbe-lsp  3.3.3.9      UP
0x000000002900000045  srbe-lsp  4.4.4.9      UP
[~PE1-LoopBack1]
- On PE1, use ping to check SR LSP connectivity, for example:
[~PE1-LoopBack1]ping lsp segment-routing ip 3.3.3.9 32 version draft2
  LSP PING FEC: SEGMENT ROUTING IPV4 PREFIX 3.3.3.9/32 : 100 data bytes, press CTRL_C to break
    Reply from 3.3.3.9: bytes=100 Sequence=1 time=19 ms
    Reply from 3.3.3.9: bytes=100 Sequence=2 time=6 ms
    Reply from 3.3.3.9: bytes=100 Sequence=3 time=4 ms
    Reply from 3.3.3.9: bytes=100 Sequence=4 time=7 ms
    Reply from 3.3.3.9: bytes=100 Sequence=5 time=6 ms
  --- FEC: SEGMENT ROUTING IPV4 PREFIX 3.3.3.9/32 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 4/8/19 ms
[~PE1-LoopBack1]
- Establish an MP-IBGP peer relationship between the PEs
Configure PE1:
bgp 100
 peer 3.3.3.9 as-number 100
 peer 3.3.3.9 connect-interface LoopBack1
 ipv4-family vpnv4
  peer 3.3.3.9 enable
Configure PE2:
bgp 100
 peer 1.1.1.9 as-number 100
 peer 1.1.1.9 connect-interface LoopBack1
 ipv4-family vpnv4
  peer 1.1.1.9 enable
After the configuration is complete, run the display bgp peer or display bgp vpnv4 all peer command on a PE to confirm that the BGP peer relationship between the PEs has been established and is in the Established state. The output on PE1 is used as an example.
[~PE1-bgp]dis bgp peer
 BGP local router ID : 1.1.1.9
 Local AS number : 100
 Total number of peers : 1          Peers in established state : 1
  Peer      V   AS  MsgRcvd  MsgSent  OutQ  Up/Down   State        PrefRcv
  3.3.3.9   4  100        4        4     0  00:00:29  Established        0
[~PE1-bgp]dis bgp vpnv4 all peer
 BGP local router ID : 1.1.1.9
 Local AS number : 100
 Total number of peers : 1          Peers in established state : 1
  Peer      V   AS  MsgRcvd  MsgSent  OutQ  Up/Down   State        PrefRcv
  3.3.3.9   4  100        4        4     0  00:00:49  Established        0
[~PE1-bgp]
- On the PEs, configure VPN instances with the IPv4 address family enabled and connect the CEs to the PEs
Configure PE1:
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
interface Ethernet1/0/0
 ip binding vpn-instance vpna
 ip address 10.1.1.2 255.255.255.0
Configure PE2:
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 200:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
interface Ethernet1/0/2
 ip binding vpn-instance vpna
 ip address 10.2.1.2 255.255.255.0
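Separation between VPNs in this design rests on the vpn-target values: a PE installs a VPNv4 route into an instance only when one of the route's export targets matches one of that instance's import targets. The following is an added example, not part of the original post or of Huawei's guide; it parses vpn-instance stanzas in the syntax above and lists every instance pair that can exchange routes. The `vpnb` instance, its 222:1 target, and the rule that equal instance names mean the same customer are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample, trimmed to the RT-relevant lines: vpna as configured on
# this page, plus a hypothetical vpnb on PE2 whose import target was mistyped
# as 111:1, which pulls vpna routes into vpnb.
CONFIGS = {
    "PE1": """
ip vpn-instance vpna
 ipv4-family
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
""",
    "PE2": """
ip vpn-instance vpna
 ipv4-family
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
ip vpn-instance vpnb
 ipv4-family
  vpn-target 222:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
""",
}

RT_RE = re.compile(r"vpn-target (.+) (export-extcommunity|import-extcommunity|both)")

def parse_targets(configs):
    """Return {(pe, instance): {"export": set(), "import": set()}}."""
    out = defaultdict(lambda: {"export": set(), "import": set()})
    for pe, text in configs.items():
        inst = None
        for line in map(str.strip, text.splitlines()):
            if m := re.fullmatch(r"ip vpn-instance (\S+)", line):
                inst = m.group(1)
            elif (m := RT_RE.fullmatch(line)) and inst:
                for direction in ("export", "import"):
                    if m.group(2) in (direction + "-extcommunity", "both"):
                        out[(pe, inst)][direction] |= set(m.group(1).split())
    return dict(out)

def route_flows(targets):
    """Pairs (src, dst) where dst imports at least one RT that src exports."""
    return sorted((s, d) for s, st in targets.items() for d, dt in targets.items()
                  if s != d and st["export"] & dt["import"])

def cross_vpn_leaks(targets):
    """Flows whose source and destination instance names differ."""
    return [(s, d) for s, d in route_flows(targets) if s[1] != d[1]]
```

Running `cross_vpn_leaks(parse_targets(CONFIGS))` on the sample reports vpna routes from both PEs reaching vpnb; with only the page's two vpna instances the list is empty.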
- Configure a tunnel selection policy on the PEs so that SR LSPs are preferred.
Configure PE1:
tunnel-policy p1
 tunnel select-seq sr-lsp load-balance-number 2
ip vpn-instance vpna
 ipv4-family
  tnl-policy p1
Configure PE2:
tunnel-policy p1
 tunnel select-seq sr-lsp load-balance-number 2
ip vpn-instance vpna
 ipv4-family
  tnl-policy p1
- Establish EBGP peer relationships between the PEs and CEs
Configure CE1:
interface LoopBack1
 ip address 11.1.1.1 255.255.255.255
interface Ethernet1/0/0
 ip address 10.1.1.1 255.255.255.0
bgp 65410
 peer 10.1.1.2 as-number 100
 ipv4-family unicast
  network 11.1.1.1 255.255.255.255
Configure CE2:
interface LoopBack1
 ip address 22.2.2.2 255.255.255.255
interface Ethernet1/0/0
 ip address 10.2.1.1 255.255.255.0
bgp 65420
 peer 10.2.1.2 as-number 100
 ipv4-family unicast
  network 22.2.2.2 255.255.255.255
Configure PE1:
bgp 100
 ipv4-family vpn-instance vpna
  peer 10.1.1.1 as-number 65410
Configure PE2:
bgp 100
 ipv4-family vpn-instance vpna
  peer 10.2.1.1 as-number 65420
After the configuration is complete, run the display bgp vpnv4 vpn-instance peer command on a PE to confirm that the BGP peer relationship between the PE and the CE has been established and is in the Established state.
The peer relationship between PE1 and CE1 is used as an example:
[~PE1-bgp]dis bgp vpnv4 vpn-instance vpna peer
 BGP local router ID : 1.1.1.9
 Local AS number : 100
 VPN-Instance vpna, Router ID 1.1.1.9:
 Total number of peers : 1          Peers in established state : 1
  Peer      V     AS  MsgRcvd  MsgSent  OutQ  Up/Down   State        PrefRcv
  10.1.1.1  4  65410        5        5     0  00:01:09  Established        1
[~PE1-bgp]
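A PE-CE session reaches Established only if the peer address configured under the VPN instance sits on the subnet of an interface bound to that same instance; a CE-facing interface left unbound, or addressed on the wrong subnet, leaves the session down. The following is an added example, not part of the original post; it checks that relationship offline for configurations written in the syntax above. The PE2 sample is constructed with a mismatched interface address (10.3.1.2) to show a finding.

```python
import ipaddress
import re

# Constructed samples in this page's syntax. PE2's interface is deliberately
# on 10.3.1.0/24 while its CE peer is 10.2.1.1.
PE_CONFIGS = {
    "PE1": """
interface Ethernet1/0/0
 ip binding vpn-instance vpna
 ip address 10.1.1.2 255.255.255.0
bgp 100
 ipv4-family vpn-instance vpna
  peer 10.1.1.1 as-number 65410
""",
    "PE2": """
interface Ethernet1/0/2
 ip binding vpn-instance vpna
 ip address 10.3.1.2 255.255.255.0
bgp 100
 ipv4-family vpn-instance vpna
  peer 10.2.1.1 as-number 65420
""",
}

def parse_pe(text):
    """Return ({instance: [bound subnets]}, [(instance, peer_ip)])."""
    subnets, peers, bound, family = {}, [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):      # a new top-level stanza resets context
            bound = family = None
        if m := re.fullmatch(r"ip binding vpn-instance (\S+)", line):
            bound = m.group(1)
        elif (m := re.fullmatch(r"ip address (\S+) (\S+)", line)) and bound:
            net = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
            subnets.setdefault(bound, []).append(net)
        elif m := re.fullmatch(r"ipv4-family vpn-instance (\S+)", line):
            family = m.group(1)
        elif (m := re.fullmatch(r"peer (\S+) as-number \d+", line)) and family:
            peers.append((family, ipaddress.ip_address(m.group(1))))
    return subnets, peers

def unreachable_peers(configs):
    """CE peers not on any interface subnet bound to the same VPN instance."""
    bad = []
    for pe, text in configs.items():
        subnets, peers = parse_pe(text)
        bad += [(pe, vpn, str(ip)) for vpn, ip in peers
                if not any(ip in net for net in subnets.get(vpn, []))]
    return bad
```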
- Verify the configuration
Run the display ip routing-table vpn-instance command on a PE to see the routes to the Loopback interfaces on the CEs.
The output on PE1 is used as an example:
[~PE1]dis ip routing-table vpn-instance vpna
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table : vpna
         Destinations : 7        Routes : 7
Destination/Mask    Proto   Pre  Cost  Flags  NextHop    Interface
10.1.1.0/24         Direct  0    0     D      10.1.1.2   Ethernet1/0/0
10.1.1.2/32         Direct  0    0     D      127.0.0.1  Ethernet1/0/0
10.1.1.255/32       Direct  0    0     D      127.0.0.1  Ethernet1/0/0
11.1.1.1/32         EBGP    255  0     RD     10.1.1.1   Ethernet1/0/0
22.2.2.2/32         IBGP    255  0     RD     3.3.3.9    Ethernet1/0/1
                    IBGP    255  0     RD     3.3.3.9    Ethernet1/0/2
127.0.0.0/8         Direct  0    0     D      127.0.0.1  InLoopBack0
255.255.255.255/32  Direct  0    0     D      127.0.0.1  InLoopBack0
[~PE1]
CEs in the same VPN can ping each other. For example, CE1 can ping CE2 (22.2.2.2).
[~CE1-bgp]ping -a 11.1.1.1 22.2.2.2
  PING 22.2.2.2: 56 data bytes, press CTRL_C to break
    Reply from 22.2.2.2: bytes=56 Sequence=1 ttl=252 time=13 ms
    Reply from 22.2.2.2: bytes=56 Sequence=2 ttl=252 time=9 ms
    Reply from 22.2.2.2: bytes=56 Sequence=3 ttl=252 time=13 ms
    Reply from 22.2.2.2: bytes=56 Sequence=4 ttl=252 time=10 ms
    Reply from 22.2.2.2: bytes=56 Sequence=5 ttl=252 time=11 ms
  --- 22.2.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 9/11/13 ms
[~CE1-bgp]