华为路由器MPLS-VPN配置示例

配置BGP/MPLSIPVPN示例组网图形图1

配置BGP/MPLSIPVPN组网图

组网需求配置思路操作步骤配置文件组网需求如图1所示：CE1连接公司总部研发区、CE3连接分支机构研发区，CE1和CE3属于vpna；CE2连接公司总部非研发区、CE4连接分支机构非研发区，CE2和CE4属于vpnb。公司要求通过部署BGP/MPLSIPVPN，实现总部和分支机构的安全互通，同时要求研发区和非研发区间数据隔离。配置思路采用如下的思路配置BGP/MPLSIPVPN：P、PE之间配置OSPF，实现骨干网的IP连通性。PE、P上配置MPLS基本能力和MPLSLDP，建立MPLSLSP公网隧道，传输VPN数据。PE1和PE2上配置VPN实例，其中，vpna使用的VPN-target属性为111:1，vpnb使用的VPN-target属性为222:2，以实现相同VPN间互通，不同VPN间隔离。同时，与CE相连的接口和相应的VPN实例绑定，以接入VPN用户。PE1和PE2之间配置MP-IBGP，交换VPN路由信息。CE与PE之间配置EBGP，交换VPN路由信息。操作步骤在MPLS骨干网上配置OSPF协议，实现骨干网PE和P的互通#配置PE1。<Huawei>system-view[Huawei]sysnamePE1[PE1]interfaceloopback1[PE1-LoopBack1]ipaddress32[PE1-LoopBack1]quit[PE1]interfacegigabitethernet3/0/0[PE1-GigabitEthernet3/0/0]ipaddress24[PE1-GigabitEthernet3/0/0]quit[PE1]ospf1[PE1-ospf-1]area0[PE1-ospf-1-area-]network55[PE1-ospf-1-area-]network[PE1-ospf-1-area-]quit[PE1-ospf-1]quit#配置P。<Huawei>system-view[Huawei]sysnameP[P]interfaceloopback1[P-LoopBack1]ipaddress32[P-LoopBack1]quit[P]interfacegigabitethernet1/0/0[P-GigabitEthernet1/0/0]ipaddress24[P-GigabitEthernet1/0/0]quit[P]interfacegigabitethernet2/0/0[P-GigabitEthernet2/0/0]ipaddress24[P-GigabitEthernet2/0/0]quit[P]ospf[P-ospf-1]area0[P-ospf-1-area-]network55[P-ospf-1-area-]network55[P-ospf-1-area-]network[P-ospf-1-area-]quit[P-ospf-1]quit#配置PE2。<Huawei>system-view[Huawei]sysnamePE2[PE2]interfaceloopback1[PE2-LoopBack1]ipaddress32[PE2-LoopBack1]quit[PE2]interfacegigabitethernet3/0/0[PE2-GigabitEthernet3/0/0]ipaddress24[PE2-GigabitEthernet3/0/0]quit[PE2]ospf[PE2-ospf-1]area0[PE2-ospf-1-area-]network55[PE2-ospf-1-area-]network[PE2-ospf-1-area-]quit[PE2-ospf-1]quit配置完成后，PE1、P、PE2之间应能建立OSPF邻居关系，执行displayospfpeer命令可以看到邻居状态为Full。执行displayiprouting-table命令可以看到PE之间学习到对方的Loopback1路由。以PE1的显示为例：[PE1]displayiprouting-tableRouteFlags:R-relay,D-downloadtofibRoutingTables:PublicDestinations:11Routes:11Destination/MaskProtoPreCostFlagsNextHopInterface/32Direct00DLoopBack1/32OSPF101DGigabitEthernet3/0/0/32OSPF102DGigabitEthernet3/0/0/8Direct00DInLoopBack0/32Direct00DInLoopBack055/32Direct00DInLoopBack0/24Direct00DGigabitEthernet3/0/0/32Direct00DGigabitEthernet3/0/055/32Direct00DGigabitEthernet3/0/0/24OSPF102DGigabitEthernet3/0/055/32Direct00DInLoopBack0[PE1]displayospfpeerOSPFProcess1withRouterIDNeighborsAreainterface(GigabitEthernet3/0/0)'sneighborsRouterID:Address:State:FullMode:NbrisMasterPriority:1DR:BDR:MTU:0Deadtimerduein37secRetranstimerinterval:5Neighborisupfor00:16:21AuthenticationSequence:[0]在MPLS骨干网上配置MPLS基本能力和MPLSLDP，建立LDPLSP#配置PE1。[PE1]mplslsr-id[PE1]mpls[PE1-mpls]quit[PE1]mplsldp[PE1-mpls-ldp]quit[PE1]interfacegigabitethernet3/0/0[PE1-GigabitEthernet3/0/0]mpls[PE1-GigabitEthernet3/0/0]mplsldp[PE1-GigabitEthernet3/0/0]quit#配置P。[P]mplslsr-id[P]mpls[P-mpls]quit[P]mplsldp[P-mpls-ldp]quit[P]interfacegigabitethernet1/0/0[P-GigabitEthernet1/0/0]mpls[P-GigabitEthernet1/0/0]mplsldp[P-GigabitEthernet1/0/0]quit[P]interfacegigabitethernet2/0/0[P-GigabitEthernet2/0/0]mpls[P-GigabitEthernet2/0/0]mplsldp[P-GigabitEthernet2/0/0]quit#配置PE2。[PE2]mplslsr-id[PE2]mpls[PE2-mpls]quit[PE2]mplsldp[PE2-mpls-ldp]quit[PE2]interfacegigabitethernet3/0/0[PE2-GigabitEthernet3/0/0]mpls[PE2-GigabitEthernet3/0/0]mplsldp[PE2-GigabitEthernet3/0/0]quit上述配置完成后，PE1与P、P与PE2之间应能建立LDP会话，执行displaymplsldpsession命令可以看到显示结果中Status项为“Operational”。执行displaymplsldplsp命令，可以看到LDPLSP的建立情况。以PE1的显示为例：[PE1]displaymplsldpsessionLDPSession(s)inPublicNetworkCodes:LAM(LabelAdvertisementMode),SsnAgeUnit(DDDD:HH:MM)A'*'beforeasessionmeansthesessionisbeingdeleted.PeerIDStatusLAMSsnRoleSsnAgeKASent/Rcv:0OperationalDUActive0000:00:016/6TOTAL:1session(s)Found.[PE1]displaymplsldplspLDPLSPInformationDestAddress/MaskIn/OutLabelUpstreamPeerNextHopOutInterface/323/NULLInLoop0*/32Liberal/1024DS//32NULL/3-GE3/0/0/321024/3GE3/0/0/32NULL/1025-GE3/0/0/321025/1025GE3/0/0TOTAL:5NormalLSP(s)Found.TOTAL:1LiberalLSP(s)Found.TOTAL:0FrrLSP(s)Found.A'*'beforeanLSPmeanstheLSPisnotestablishedA'*'beforeaLabelmeanstheUSCBorDSCBisstaleA'*'beforeaUpstreamPeermeansthesessionisstaleA'*'beforeaDSmeansthesessionisstaleA'*'beforeaNextHopmeanstheLSPisFRRLSP在PE设备上配置VPN实例，将CE接入PE#配置PE1。[PE1]ipvpn-instancevpna[PE1-vpn-instance-vpna]ipv4-family[PE1-vpn-instance-vpna-af-ipv4]route-distinguisher100:1[PE1-vpn-instance-vpna-af-ipv4]vpn-target111:1both[PE1-vpn-instance-vpna-af-ipv4]quit[PE1-vpn-instance-vpna]quit[PE1]ipvpn-instancevpnb[PE1-vpn-instance-vpnb]ipv4-family[PE1-vpn-instance-vpnb-af-ipv4]route-distinguisher100:2[PE1-vpn-instance-vpnb-af-ipv4]vpn-target222:2both[PE1-vpn-instance-vpna-af-ipv4]quit[PE1-vpn-instance-vpnb]quit[PE1]interfacegigabitethernet1/0/0[PE1-GigabitEthernet1/0/0]ipbindingvpn-instancevpna[PE1-GigabitEthernet1/0/0]ipaddress24[PE1-GigabitEthernet1/0/0]quit[PE1]interfacegigabitethernet2/0/0[PE1-GigabitEthernet2/0/0]ipbindingvpn-instancevpnb[PE1-GigabitEthernet2/0/0]ipaddress24[PE1-GigabitEthernet2/0/0]quit#配置PE2。[PE2]ipvpn-instancevpna[PE2-vpn-instance-vpna]ipv4-family[PE2-vpn-instance-vpna-af-ipv4]route-distinguisher200:1[PE2-vpn-instance-vpna-af-ipv4]vpn-target111:1both[PE2-vpn-instance-vpna-af-ipv4]quit[PE2-vpn-instance-vpna]quit[PE2]ipvpn-instancevpnb[PE2-vpn-instance-vpnb]ipv4-family[PE2-vpn-instance-vpnb-af-ipv4]route-distinguisher200:2[PE2-vpn-instance-vpnb-af-ipv4]vpn-target222:2both[PE2-vpn-instance-vpnb-af-ipv4]quit[PE2-vpn-instance-vpnb]quit[PE2]interfacegigabitethernet1/0/0[PE2-GigabitEthernet1/0/0]ipbindingvpn-instancevpna[PE2-GigabitEthernet1/0/0]ipaddress24[PE2-GigabitEthernet1/0/0]quit[PE2]interfacegigabitethernet2/0/0[PE2-GigabitEthernet2/0/0]ipbindingvpn-instancevpnb[PE2-GigabitEthernet2/0/0]ipaddress24[PE2-GigabitEthernet2/0/0]quit#按图1配置各CE的接口IP地址。#配置CE1。CE2、CE3和CE4与CE1类似，不再赘述。<Huawei>system-view[Huawei]sysnameCE1[CE1]interfacegigabitethernet1/0/0[CE1-GigabitEthernet1/0/0]ipaddress24[CE1-GigabitEthernet1/0/0]quit配置完成后，在PE设备上执行displayipvpn-instanceverbose命令可以看到VPN实例的配置情况。各PE能ping通自己接入的CE。

说明：当PE上有多个接口绑定了同一个VPN，则使用ping-vpn-instance命令ping对端PE接入的CE时，要指定源IP地址，即要指定ping-vpn-instance

vpn-instance-name

-a

source-ip-addressdest-ip-address命令中的参数-asource-ip-address，否则可能ping不通。以PE1为例：[PE1]displayipvpn-instanceverboseTotalVPN-Instancesconfigured:2TotalIPv4VPN-Instancesconfigured:2TotalIPv6VPN-Instancesconfigured:0VPN-InstanceNameandID:vpna,1Interfaces:GigabitEthernet1/0/0Addressfamilyipv4Createdate:2012/07/2500:58:17Uptime:0days,22hours,24minutesand53secondsRouteDistinguisher:100:1ExportVPNTargets:111:1ImportVPNTargets:111:1LabelPolicy:labelperrouteLogInterval:5VPN-InstanceNameandID:vpnb,2Interfaces:GigabitEthernet2/0/0Addressfamilyipv4Createdate:2012/07/2500:58:17Uptime:0days,22hours,24minutesand53secondsRouteDistinguisher:100:2ExportVPNTargets:222:2ImportVPNTargets:222:2LabelPolicy:labelperrouteLogInterval:5[PE1]ping-vpn-instancevpnaPING:56databytes,pressCTRL_CtobreakReplyfrom:bytes=56Sequence=1ttl=255time=5msReplyfrom:bytes=56Sequence=2ttl=255time=3msReplyfrom:bytes=56Sequence=3ttl=255time=3msReplyfrom:bytes=56Sequence=4ttl=255time=3msReplyfrom:bytes=56Sequence=5ttl=255time=16mspingstatistics5packet(s)transmitted5packet(s)received0.00%packetlossround-tripmin/avg/max=3/6/16ms在PE之间建立MP-IBGP对等体关系#配置PE1。[PE1]bgp100[PE1-bgp]peeras-number100[PE1-bgp]peerconnect-interfaceloopback1[PE1-bgp]ipv4-familyvpnv4[PE1-bgp-af-vpnv4]peerenable[PE1-bgp-af-vpnv4]quit[PE1-bgp]quit#配置PE2。[PE2]bgp100[PE2-bgp]peeras-number100[PE2-bgp]peerconnect-interfaceloopback1[PE2-bgp]ipv4-familyvpnv4[PE2-bgp-af-vpnv4]peerenable[PE2-bgp-af-vpnv4]quit[PE2-bgp]quit配置完成后，在PE设备上执行displaybgppeer或displaybgpvpnv4allpeer命令，可以看到PE之间的BGP对等体关系已建立，并达到Established状态。[PE1]displaybgppeerBGPlocalrouterID:LocalASnumber:100Totalnumberofpeers:1Peersinestablishedstate:1PeerVASMsgRcvdMsgSentOutQUp/DownStatePrefRcv4100126000:02:21Established0[PE1]displaybgpvpnv4allpeerBGPlocalrouterID:LocalASnumber:100Totalnumberofpeers:1Peersinestablishedstate:1PeerVASMsgRcvdMsgSentOutQUp/DownStatePrefRcv41001218000:09:38Established0在PE与CE之间建立EBGP对等体关系，引入VPN路由#配置CE1。CE2、CE3和CE4与CE1类似，不再赘述。[CE1]bgp65410[CE1-bgp]peeras-number100[CE1-bgp]import-routedirect[CE1-bgp]quit#配置PE1。PE2的配置与PE1类似，不再赘述。[PE1]bgp100[PE1-bgp]ipv4-familyvpn-instancevpna[PE1-bgp-vpna]peeras-number65410[PE1-bgp-vpna]import-routedirect[PE1-bgp-vpna]quit[PE1-bgp]ipv4-familyvpn-instancevpnb[PE1-bgp-vpnb]peeras-number65420[PE1-bgp-vpnb]import-routedirect[PE1-bgp-vpnb]quit[PE1-bgp]quit配置完成后，在PE设备上执行displaybgpvpnv4vpn-instancepeer命令，可以看到PE与CE之间的BGP对等体关系已建立，并达到Established状态。以PE1与CE1的对等体关系为例：[PE1]displaybgpvpnv4vpn-instancevpnapeerBGPlocalrouterID:LocalASnumber:100VPN-Instancevpna,RouterID:Totalnumberofpeers:1Peersinestablishedstate:1PeerVASMsgRcvdMsgSentOutQUp/DownStatePrefRcv46541063000:00:02Established4验证配置结果#在PE设备上执行displayiprouting-tablevpn-instance命令，可以看到去往对端CE的路由。#以PE1的显示为例：[PE1]displayiprouting-tablevpn-instancevpnaRouteFlags:R-relay,D-downloadtofibRoutingTables:vpnaDestinations:5Routes:5Destination/MaskProtoPreCostFlagsNextHopInterface/24Direct00DGigabitEthernet1/0/0/32Direct00DGigabitEthernet1/0/055/32Direct00DGigabitEthernet1/0/0/24IBGP2550RDGigabitEthernet3/0/055/32Direct00DInLoopBack0[PE1]displayiprouting-tablevpn-instancevpnbRouteFlags:R-relay,D-downloadtofibRoutingTables:vpnbDestinations:5Routes:5Destination/MaskProtoPreCostFlagsNextHopInterface/24Direct00DGigabitEthernet2/0/0/32Direct00DGigabitEthernet2/0/055/32Direct00DGigabitEthernet2/0/0/24IBGP2550RDGigabitEthernet3/0/055/32Direct00DInLoopBack0#同一VPN的CE能够相互Ping通，不同VPN的CE不能相互Ping通。#例如：CE1能够Ping通CE3（），但不能Ping通CE4（）。[CE1]pingPING:56databytes,pressCTRL_CtobreakReplyfrom:bytes=56Sequence=1ttl=253time=72msReplyfrom:bytes=56Sequence=2ttl=253time=34msReplyfrom:bytes=56Sequence=3ttl=253time=50msReplyfrom:bytes=56Sequence=4ttl=253time=50msReplyfrom:bytes=56Sequence=5ttl=253time=34mspingstatistics5packet(s)transmitted5packet(s)received0.00%packetlossround-tripmin/avg/max=34/48/72ms[CE1]pingPING:56databytes,pressCTRL_CtobreakRequesttimeoutRequesttimeoutRequesttimeoutRequesttimeoutRequesttimeoutpingstatistics5packet(s)transmitted0packet(s)received100.00%packetloss配置文件PE1的配置文件#sysnamePE1#ipvpn-instancevpnaipv4-familyroute-distinguisher100:1vpn-target111:1export-extcommunityvpn-target111:1import-extcommunity#ipvpn-instancevpnbipv4-familyroute-distinguisher100:2vpn-target222:2export-extcommunityvpn-target222:2import-extcommunity#mplslsr-idmpls#mplsldp#interfaceGigabitEthernet1/0/0ipbindingvpn-instancevpnaipaddress#interfaceGigabitEthernet2/0/0ipbindingvpn-instancevpnbipaddress#interfaceGigabitEthernet3/0/0ipaddressmplsmplsldp#interfaceLoopBack1ipaddress55#bgp100peeras-number100peerconnect-interfaceLoopBack1#ipv4-familyunicastundosynchronizationpeerenable#ipv4-familyvpnv4policyvpn-targetpeerenable#ipv4-familyvpn-instancevpnaimport-routedirectpeeras-number65410#ipv4-familyvpn-instancevpnbimport-routedirectpeeras-number65420#ospf1areanetworknetwork55#returnP的配置文件#sysnameP#mplslsr-idmpls#mplsldp#interfaceGigabitEthernet1/0/0ipaddressmplsmplsldp#interfaceGigabitEthernet2/0/0ipaddressmplsmplsldp#interfaceLoopBack1ipaddress55#ospf1areanetworknetwork55network55#returnPE2的配置文件#sysnamePE2#ipvpn-instancevpnaipv4-familyroute-distinguisher200:1vpn-target111:1export-e