华为路由器MPLS VPN配置示例

1、-配置 BGP/MPLS IP VPN 示例图 1 配置 BGP/MPLS IP VPN 组网图组网需求配置思路操作步骤配置文件组网需求如图 1 所示：-优质资料-优质资料-优质资料P、PEP、PEOSPF，IP 连通性。PEP 上配置 MPLS 基本能力和 MPLS LDP，建立MPLS LSP 公网隧道，传输VPN 数据。PE1 和 PE2 上配置 VPN 实例，其中， 使用的 VPN-target 属性为 111:1，vpnb 使用的 VPN-target 属性为 222:2，以实现相同 VPN 间互通，不同 VPN 间隔离。同时， 与 CEVPNVPN 用户。PE1 和 PE2MP-I

2、BGPVPN 路由信息。CE 与 PE 之间配置EBGPVPN 路由信息。CE1CE3 和 CE3 属于 vpna；CE2CE4 和 CE4 属于 vpnb。公司要求通过部署 BGP/MPLS IP 非研发区间数据隔离。配置思路采用如下的思路配置 BGP/MPLS IP VPN：操作步骤1.在 MPLS 骨干网上配置 OSPF 协议，实现骨干网 PE 和 P 的互通操作步骤1.在 MPLS 骨干网上配置 OSPF 协议，实现骨干网 PE 和 P 的互通# 配置 PE1。 system-view Huawei sysname PE1 PE1 interface loopback 1PE1-Loo

3、pBack1 ip address 1.1.1.9 32 PE1-LoopBack1 quitPE1 interface gigabitethernet 3/0/0PE1-GigabitEthernet3/0/0 ip address 172.1.1.1 24 PE1-GigabitEthernet3/0/0 quitPE1 ospf 1PE1-ospf-1 area 0PE1-ospf-1-area-0.0.0.0 network 172.1.1.0 0.0.0.255PE1-ospf-1-area-0.0.0.0 network 1.1.1.9 0.0.0.0 PE1-ospf-1-are

4、a-0.0.0.0 quitPE1-ospf-1 quit# 配置P。 system-view Huawei sysname PP interface loopback 1P-LoopBack1 ip address 2.2.2.9 32 P-LoopBack1 quitP interface gigabitethernet 1/0/0P-GigabitEthernet1/0/0 ip address 172.1.1.2 24 P-GigabitEthernet1/0/0 quitP interface gigabitethernet 2/0/0P-GigabitEthernet2/0/0 i

5、p address 172.2.1.1 24 P-GigabitEthernet2/0/0 quitP ospfP-ospf-1 area 0P-ospf-1-area-0.0.0.0 network 172.1.1.00.0.0.255P-ospf-1-area-0.0.0.0 network 172.2.1.00.0.0.255P-ospf-1-area-0.0.0.0 network 2.2.2.9 0.0.0.0 P-ospf-1-area-0.0.0.0 quitP-ospf-1quit# 配置 PE2。 system-view Huawei sysname PE2 PE2 inte

6、rface loopback 1PE2-LoopBack1 ip address 3.3.3.9 32 PE2-LoopBack1 quitPE2 interface gigabitethernet 3/0/0PE2-GigabitEthernet3/0/0ip address 172.2.1.2PE2-GigabitEthernet3/0/0 quitPE2 ospfPE2-ospf-1 area 0PE2-ospf-1-area-0.0.0.0 network 172.2.1.0 0.0.0.255PE2-ospf-1-area-0.0.0.0 network 3.3.3.9 0.0.0.

7、0 PE2-ospf-1-area-0.0.0.0 quitPE2-ospf-1 quit配置完成后，PE1、P、PE2 之间应能建立 OSPF 邻居关系，执行display ospf peer 命令可以看到邻居状态为 Full。执行 display ip routing-table 命令可以看到 PE 之间学习到对方的 Loopback1 路由。以 PE1 的 显 示 为 例 ： PE1 display ip routing-table Route Flags: R - relay,D - download to fib-Routing Tables: PublicDestinations

8、: 11Destinations : 11Routes : 11Destination/MaskProtoPreCostFlags NextHopInterface1.1.1.9/322.2.2.9/32GigabitEthernet3/0/03.3.3.9/32GigabitEthernet3/0/0Direct 0OSPF0D127.0.0.1LoopBack1101D172.1.1.2OSPF102D172.1.1.2OSPF Process 1 with Router ID1.1.1.9NeighborsArea 0.0.0.0 interface 172.1.1.1(GigabitE

9、thernet3/0/0)sneighborsRouter ID: 2.2.2.9Address: 172.1.1.2State:FullMode:NbrisMasterDR:172.1.1.1BDR:172.1.1.2Priority: 1MTU: 0Dead timer duein37secRetrans timer interval: 5Neighbor is up for 00:16:21 Authentication Sequence: 0127.0.0.0/8Direct 00D127.0.0.1InLoopBack0127.0.0.1/32Direct 00D127.0.0.1I

10、nLoopBack0127.255.255.255/32Direct 00D127.0.0.1InLoopBack0172.1.1.0/24Direct 00D172.1.1.1GigabitEthernet3/0/0172.1.1.1/32Direct 00D127.0.0.1GigabitEthernet3/0/0172.1.1.255/32Direct 00D127.0.0.1GigabitEthernet3/0/0172.2.1.0/24GigabitEthernet3/0/0OSPF102D172.1.1.2255.255.255.255/32Direct 00D127.0.0.1I

11、nLoopBack0PE1 display ospf peer2.在 MPLS 骨干网上配置 MPLS 基本能力和 MPLS LDP，建立LDP LSP2.在 MPLS 骨干网上配置 MPLS 基本能力和 MPLS LDP，建立LDP LSP# 配置 PE1。PE1 mpls lsr-id 1.1.1.9 PE1 mplsPE1-mpls quit PE1 mpls ldpPE1-mpls-ldp quitPE1 interface gigabitethernetPE1-GigabitEthernet3/0/0 mplsPE1-GigabitEthernet3/0/0 mpls ldp PE1

12、-GigabitEthernet3/0/0 quit# 配置P。P mpls lsr-id 2.2.2.9P mplsP-mpls quitP mpls ldpP-mpls-ldp quitP interface gigabitethernet 1/0/0 P-GigabitEthernet1/0/0 mplsP-GigabitEthernet1/0/0 mpls ldp P-GigabitEthernet1/0/0 quitP interface gigabitethernet 2/0/0 P-GigabitEthernet2/0/0 mplsP-GigabitEthernet2/0/0 m

13、pls ldp P-GigabitEthernet2/0/0 quit# 配置 PE2。PE2 mpls lsr-id 3.3.3.9 PE2 mplsPE2-mpls quit PE2 mpls ldpPE2-mpls-ldp quitPE2 interface gigabitethernet 3/0/0 PE2-GigabitEthernet3/0/0 mpls PE2-GigabitEthernet3/0/0 mpls ldp PE2-GigabitEthernet3/0/0 quit上述配置完成后，PE1 与 P、P 与 PE2 之间应能建立LDP 会话，执行 display mpls

14、 ldpsession 命令可以看到显示结果中 Status 项为“Operational”。执行display mpls ldp lsp 命令，可以看到LDP LSP 的建立情况。以 PE1 的显示为例：PE1 display mpls ldp sessionLDP Session(s) in Public NetworkCodes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM) A * before a session means the session is being deleted.-PeerIDStatusLAMSsn

15、RoleSsnAgeKASent/Rcv-2.2.2.9:0Operational DUActive0000:00:016/6-TOTAL: 1 session(s) Found. PE1 display mpls ldp lspLDP LSP Information-DestAddress/MaskIn/OutLabelUpstreamPeerNextHopOutInterface-TOTAL: 5 Normal LSP(s)Found. TOTAL: 1 Liberal LSP(s) Found. TOTAL: 0 Frr LSP(s)Found.A * before an LSP mea

16、ns the LSP is not established A * before a Label means the USCB or DSCB is stale A*beforeaUpstreamPeermeansthesessionisstale A * before a DS means the session isstaleA * before a NextHop means the LSP is FRR LSP1.1.1.9/32*1.1.1.9/323/NULLLiberal/10242.2.2.9127.0.0.1DS/2.2.2.9InLoop02.2.2.9/32NULL/3-

17、172.1.1.2GE3/0/02.2.2.9/321024/32.2.2.9172.1.1.2GE3/0/03.3.3.9/32NULL/1025-172.1.1.2GE3/0/03.3.3.9/321025/10252.2.2.9172.1.1.2GE3/0/03.在 PE 设备上配置 VPN 实例，将 CE 接入 PE3.在 PE 设备上配置 VPN 实例，将 CE 接入 PE# 配置 PE1。PE1 ip vpn-instance vpnaPE1-vpn-instance-vpna ipv4-familyPE1-vpn-instance-vpna-af-ipv4 route-disti

18、nguisher 100:1 PE1-vpn-instance-vpna-af-ipv4 vpn-target 111:1 bothPE1-vpn-instance-vpna-af-ipv4 quit PE1-vpn-instance-vpna quitPE1 ip vpn-instance vpnbPE1-vpn-instance-vpnb ipv4-familyPE1-vpn-instance-vpnb-af-ipv4 route-distinguisher100:2 PE1-vpn-instance-vpnb-af-ipv4 vpn-target 222:2 both PE1-vpn-i

19、nstance-vpna-af-ipv4 quitPE1-vpn-instance-vpnb quit PE1 interface gigabitethernetPE1-GigabitEthernet1/0/0 ip binding vpn-instancevpna PE1-GigabitEthernet1/0/0 ip address 10.1.1.2 24PE1-GigabitEthernet1/0/0 quit PE1 interface gigabitethernetPE1-GigabitEthernet2/0/0 ip binding vpn-instancevpnb PE1-Gig

20、abitEthernet2/0/0 ip address 10.2.1.2 24PE1-GigabitEthernet2/0/0 quit# 配置 PE2。PE2 ip vpn-instance vpnaPE2-vpn-instance-vpna ipv4-familyPE2-vpn-instance-vpna-af-ipv4 route-distinguisher 200:1 PE2-vpn-instance-vpna-af-ipv4 vpn-target 111:1 both PE2-vpn-instance-vpna-af-ipv4 quitPE2-vpn-instance-vpna q

21、uit PE2 ip vpn-instance vpnbPE2-vpn-instance-vpnb ipv4-familyPE2-vpn-instance-vpnb-af-ipv4 route-distinguisher200:2 PE2-vpn-instance-vpnb-af-ipv4 vpn-target 222:2 both PE2-vpn-instance-vpnb-af-ipv4 quitPE2-vpn-instance-vpnb quit PE2 interface gigabitethernetPE2-GigabitEthernet1/0/0 ip binding vpn-in

22、stancevpna PE2-GigabitEthernet1/0/0 ip address 10.3.1.2 24PE2-GigabitEthernet1/0/0 quit PE2 interface gigabitethernetPE2-GigabitEthernet2/0/0 ip binding vpn-instancevpnb PE2-GigabitEthernet2/0/0 ip address 10.4.1.2 24PE2-GigabitEthernet2/0/0 quit# 按图 1 配置各 CE 的接口 IP 地址。# 配置 CE1。CE2、CE3 和 CE4 与 CE1 类

23、似，不再赘述。 system-view Huawei sysname CE1-CE1 interface gigabitethernet 1/0/0CE1-GigabitEthernet1/0/0 ip address 10.1.1.1 24 CE1-GigabitEthernet1/0/0 quit配置完成后，在 PE 设备上执行 display ip vpn-instance verbose 命令可以看到 VPN 实例的配置情况。各 PE 能 ping 通自己接入的 CE。说明：当 PE 上有多个接口绑定了同一个 VPN，则使用 ping -vpn-instance 命令ping 对端 P

24、E 接入的 CE 时，要指定源 IP 地址，即要指定 ping-vpn-instance source-ip-address s-a，否则可能 ping 不通。以 PE1 为例：PE1 display ip vpn-instance verbose Total VPN-Instances configured : 2 Total IPv4 VPN-Instances configured :2 Total IPv6 VPN-Instances configured :0VPN-Instance Name and ID : vpna, 1 Interfaces : GigabitEthernet

25、1/0/0 Address family ipv4Create date : 2012/07/25 00:58:17Up time : 0 days, 22 hours, 24 minutes and 53seconds Route Distinguisher : 100:1Export VPNTargets:111:1 Import VPNTargets:Label Policy : label per route Log Interval :5VPN-Instance Name and ID : vpnb, 2 Interfaces : GigabitEthernet2/0/0 Addre

26、ss family ipv4Create date : 2012/07/25 00:58:17Up time : 0 days, 22 hours, 24 minutes and 53seconds Route Distinguisher : 100:2Export VPNTargets:222:2 Import VPNTargets:Label Policy : label per route Log Interval :5PE1 ping -vpn-instance vpna 10.1.1.1PING10.1.1.1:56data bytes, press CTRL_C tobreakRe

27、ply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=5 ms令中的参数-优质资料-优质资料-优质资料4.在 PE 之间建立 MP-IBGP 对等体关系# 配置 PE1。4.在 PE 之间建立 MP-IBGP 对等体关系# 配置 PE1。PE1 bgp 100PE1-bgp peer 3.3.3.9 as-number 100PE1-bgp peer 3.3.3.9 connect-interface loopback 1 PE1-bgp ipv4-family vpnv4PE1-bgp-af-vpnv4 peer 3.3.3.9 enable

28、 PE1-bgp-af-vpnv4 quitPE1-bgp quit # 配置 PE2。PE2 bgp 100PE2-bgp peer 1.1.1.9 as-number 100PE2-bgp peer 1.1.1.9 connect-interface loopback 1 PE2-bgp ipv4-family vpnv4PE2-bgp-af-vpnv4 peer 1.1.1.9 enable PE2-bgp-af-vpnv4 quitPE2-bgp quit配置完成后，在 PE 设备上执行 display bgp peer 或 display bgp vpnv4 all peer 命令，

29、可以看到 PE 之间的 BGP 对等体关系已建立，并达到Established 状态。PE1 display bgp peerBGP local router ID : 1.1.1.9Local AS number : 100 Total number of peers : 1Peers in established state :1PeerVASMsgRcvdMsgSentOutQUp/DownState3.3.3.941001260 00:02:21Established0Replyfrom10.1.1.1:bytes=56Sequence=2ttl=255time=3msReplyfro

30、m10.1.1.1:bytes=56Sequence=3ttl=255time=3msReply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=3 ms Replyfrom10.1.1.1:bytes=56Sequence=5ttl=255time=16ms- 10.1.1.1 ping statistics -5 packet(s) transmitted5 packet(s) received0.00% packet lossround-trip min/avg/max = 3/6/16 msPE1 PE1 display bgp vpnv

31、4 allpeerBGP local router ID : 1.1.1.9Local AS number : 100 Total number of peers : 1Peers in established state :1PeerVASMsgRcvdMsgSentOutQUp/DownState3.3.3.941001218000:09:38Established05.5.在 PE 与 CE 之间建立EBGP 对等体关系，引入 VPN 路由# 配置 CE1。CE2、CE3 和 CE4 与 CE1 类似，不再赘述。CE1 bgp 65410CE1-bgp peer 10.1.1.2 as-

32、number100 CE1-bgp import-route directCE1-bgp quit# 配置 PE1。PE2 的配置与 PE1 类似，不再赘述。PE1 bgp 100PE1-bgp ipv4-family vpn-instance vpnaPE1-bgp-vpna peer 10.1.1.1 as-number65410 PE1-bgp-vpna import-route directPE1-bgp-vpna quitPE1-bgp ipv4-family vpn-instance vpnbPE1-bgp-vpnb peer 10.2.1.1 as-number65420 PE1

33、-bgp-vpnb import-route directPE1-bgp-vpnb quit PE1-bgp quit配置完成后，在 PE 设备上执行 display bgp vpnv4 vpn-instance peer 命令，可以看到 PE与 CE 之间的 BGP 对等体关系已建立，并达到Established 状态。以 PE1 与 CE1 的对等体关系为例：PE1 display bgp vpnv4 vpn-instance vpna peerBGP local router ID : 1.1.1.9 Local AS number : 100VPN-Instance vpna, Rou

34、ter ID 1.1.1.9:Total number of peers:1Peers in established state :1PeerVASMsgRcvdMsgSentOutQUp/DownPrefRcv# 在 PE 设备上执行 # 在 PE 设备上执行 display ip routing-table vpn-instance 命令，可以看到去往对端 CE的路由。# 以 PE1 的显示为例：PE1 display ip routing-table vpn-instance vpna Route Flags: R - relay,D - download to fib-Routing

35、Tables: vpnaDestinations : 5Routes : 5Destination/MaskProtoPreCostFlags NextHopInterfacePE1displayiprouting-tablevpn-instancevpnbRoute Flags: R - relay, D - download to fib-Routing Tables: vpnbDestinations : 5Routes : 5Destination/MaskProtoPreCostFlags NextHopInterface# 同一 VPN 的 CE 能够相互 Ping 通，不同 VP

36、N 的 CE 不能相互 Ping 通。# 例如：CE1 能够 Ping 通 CE3（10.3.1.1），但不能 Ping 通 CE4（10.4.1.1）。CE1 ping 10.3.1.16.验证配置结果6.验证配置结果10.1.1.1465410630 00:00:02 Established410.1.1.0/24Direct00D10.1.1.2GigabitEthernet1/0/010.1.1.2/32Direct00D127.0.0.1GigabitEthernet1/0/010.1.1.255/32Direct00D127.0.0.1GigabitEthernet1/0/010.

37、3.1.0/24GigabitEthernet3/0/0IBGP2550RD3.3.3.9255.255.255.255/32Direct00D127.0.0.1InLoopBack010.2.1.0/24Direct00D10.2.1.2GigabitEthernet2/0/010.2.1.2/32Direct00D127.0.0.1GigabitEthernet2/0/010.2.1.255/32Direct00D127.0.0.1GigabitEthernet2/0/010.4.1.0/24GigabitEthernet3/0/0IBGP2550RD3.3.3.9255.255.255.

38、255/32Direct00D127.0.0.1InLoopBack0PING 10.3.1.1: 56 data bytes, press CTRL_C to breakPING 10.3.1.1: 56 data bytes, press CTRL_C to breakReplyfrom10.3.1.1:bytes=56Sequence=1ttl=253time=72ms Replyfrom10.3.1.1:bytes=56Sequence=2ttl=253time=34ms Replyfrom10.3.1.1:bytes=56Sequence=3ttl=253time=50ms Repl

39、yfrom10.3.1.1:bytes=56Sequence=4ttl=253time=50ms Replyfrom10.3.1.1:bytes=56Sequence=5ttl=253time=34ms- 10.3.1.1 ping statistics- 5 packet(s)transmitted5 packet(s) received0.00% packet lossround-trip min/avg/max = 34/48/72ms CE1 ping 10.4.1.1PING 10.4.1.1: 56 data bytes, press CTRL_C to break Request

40、 timeoutRequest timeout Request timeout Request timeout Request timeout- 10.4.1.1 ping statistics- 5 packet(s)transmitted0 packet(s) received100.00% packet loss配置文件配置文件PE1 的配置文件#sysname PE1#ip vpn-instance vpna ipv4-familyroute-distinguisher 100:1vpn-target 111:1export-extmunityvpn-target 111:1impor

41、t-extmunity#ip vpn-instance vpnb ipv4-familyroute-distinguisher 100:2vpn-target 222:2export-extmunityvpn-target 222:2import-extmunity#mpls lsr-id1.1.1.9mpls#mplsldp#interfaceGigabitEthernet1/0/0ip binding vpn-instancevpnaip address 10.1.1.2255.255.255.0#interfaceGigabitEthernet2/0/0ip binding vpn-in

42、stancevpnbip address 10.2.1.2255.255.255.0#interfaceGigabitEthernet3/0/0ip address 172.1.1.1255.255.255.0mplsmplsldp#interfaceLoopBack1ip address 1.1.1.9255.255.255.255#bgp100peer 3.3.3.9 as-number100peer 3.3.3.9 connect-interfaceLoopBack1#ipv4-familyunicastundosynchronizationpeer 3.3.3.9enable#ipv4

43、-familyvpnv4policyvpn-targetpeer 3.3.3.9enable#ipv4-family vpn-instancevpnaimport-routedirectpeer 10.1.1.1 as-number65410#ipv4-family vpn-instancevpnbimport-routedirectpeer 10.2.1.1 as-number65420#returnreturnospf 1area 0.0.0.0network 1.1.1.9 0.0.0.0network 172.1.1.0 0.0.0.255#P 的配置文件#sysname P#mpls

44、 lsr-id 2.2.2.9 mpls#mpls ldp #interface GigabitEthernet1/0/0ip address 172.1.1.2 255.255.255.0mpls mpls ldp #interface GigabitEthernet2/0/0ip address 172.2.1.1 255.255.255.0mpls mpls ldp #interface LoopBack1ip address 2.2.2.9 255.255.255.255#ospf 1area 0.0.0.0network 2.2.2.9 0.0.0.0network 172.1.1.

45、00.0.0.255network 172.2.1.00.0.0.255#PE2 的配置文件#sysname PE2#ip vpn-instancevpnaipv4-familyroute-distinguisher200:1vpn-target 111:1export-extmunityvpn-target 111:1import-extmunity#ip vpn-instancevpnbipv4-familyroute-distinguisher200:2vpn-target 222:2export-extmunityvpn-target 222:2import-extmunity#mpls lsr-id3.3.3.9mpls#mplsldp#interfaceGigabitEthernet1/0/0ip binding vpn-i